
Thread: ALi3602 Firmware disasm

  1. #1

    ALi3602 Firmware disasm

    Ok, as jvvh said, better to start with an ALi related thread, where everyone (I hope) can post their experiences and discoveries related to ALi3602. I'm pretty much a newbie, but I want to share my (poor) knowledge with the others, because I'm continuously learning from the net, and I want to write on the net what I've learned... I don't like having debts.
    Well, ALi 3602 is a mips32-like MPU, so the core, the cache, the instruction set etc. are inherited from the mips32 architecture. If you are at the beginning, like me, better to download the three volumes from MIPS Technologies, where everything (but not all) is explained. The firmware is compiled using a gcc toolchain, known as gcc-t2-mips, and with a bunch of utilities that revolve around a very simple IDE. I have to say that the entire SDK (I'm talking about the 1.6.3 SDK, found online with Google, size around 110Mb) resembles the ST20 one (but that one is far better IMHO), and the philosophy is the same.
    The compiler needs a config file too, and third party utilities are used to compress and assemble the chunks the firmware is made of.
    The new .ABS firmware, usually 4Mb in size, is composed of chunks, and for the ALi3602 I've found that the structure is slightly modified compared to the old chunk structure used, for example, for the ALi m33xx chips. This is what I've discovered:

    Code:
    #include <stdint.h>
    
    /* 64-byte header at the start of every chunk in the .ABS image.
       The four numeric fields are 32-bit: uint32_t keeps the layout on
       64-bit hosts, where unsigned long would be 8 bytes. */
    typedef struct chunk {
    	uint32_t	ChunkID;
    	uint32_t	ChunkSize;
    	uint32_t	NextChunkOffs;
    	uint32_t	CRC;			/* NCRC stands for 'Not using CRC' */
    	char		ChunkName[16];
    	char		CompilerNameVersion[16];
    	char		CompileDate[16];
    } CHUNK, *P_CHUNK;
    The names of the fields are self-explanatory, but for the 'ChunkID' I have to say something more:

    Code:
    #define BOOTLOADER_ID	0x23010010	/* also the first MIPS instruction, see below */
    #define MAINCODE_ID	0x01fe0101
    #define RADIOBACK_ID	0x02fd0100
    #define BOOTBACK_ID	0x02fd0200
    #define UPGCODE_ID	0x05fa0100
    #define DEFAULTDB_ID	0x03fc0100
    #define USERDB_ID	0x04fb0100
    
    #define NCRC		0x4e435243	/* ASCII "NCRC": the chunk carries no CRC */
    These are all the ChunkIDs I've found in my (and others') ALi3602 related firmware; all ok but the first ID, the bootloader ID, which is not only an ID but also the encoding of a MIPS instruction; here it is:

    Code:
    ROM:8FC00000  b       RealEntry        # RA = PC + 8; PC = PC31:28::ADDR28
    ....
    ....
    ....
    0490 RealEntry:                       
    ROM:8FC00490                 jal     nullsub_1        # RA = PC + 8; PC = PC31:28::ADDR28
    ROM:8FC00494                 nop
    ROM:8FC00498                 lui     $t0, 1           # RD = CONST16 << 16 ;
    ROM:8FC0049C
    It's a relative jump to an offset that is 0x490 bytes away from the start point.
    I've decided to put the firmware in memory starting from this address, 0x8fc00000, but I'm not sure about this address, because searching here and there in the manuals I haven't yet understood the boot process of this kind of MCU. For the ST20 it was easy, everything was clearly explained in the manuals; for the mips-like ALi processor there isn't a boot vector to point to... question: how does the ALi MCU boot?! When the processor is 'turned on', what happens 'under the hood'?! But let's go ahead: I've also written a simple program to scan all the chunk headers in the .abs firmware, but just for exercise, nothing more; I'll attach it in another post if someone of you is interested.
    The bootloader used is 'STM 1.0.0', which I've discovered to be a standard bootloader (SantMartin or something very similar to this name...) recompiled for the MIPS processor, slightly modified to suit the necessities of initializing the system and other things that I still have to discover; I'm still studying this piece of assembler, especially the part related to decoding and decompression of the 'maincode' chunk. That maincode is not only compressed with lzma, as usually done in the ALi firmwares, but it's also encrypted with XTEA, as someone on the net says. XTEA is a well known (and really fast) encryption algorithm, you can easily find the code everywhere. It's based on a 128bit key not so difficult to bruteforce, this could be an idea for an attack... maybe. But the problem is whether the algo uses the 64-round scheme or... what number of rounds is used in the decrypt algo? Is the decrypt algo in the bootloader or is it in another dedicated chip? (as someone says on the net). The bootloader uses 'libcore', a compact library that contains a lot of useful functions to init a lot of things, manage the chip, initialize the system and so on.
    Inside the rar archive of ALiSdk there is also a 'patch source to metronics', where you can find a 'libcore.a' file, the library in object format, ready to be linked to your projects, but it's not the same one used in the STM1.0.0 bootloader, because that one is compiled for ALi3602, while the other is for ALi m33xx... what a pity.
    Following the path of this libcore.a you can understand something more in the code, especially around the init of the cache and the settings of the interrupts.
    Inside this kind of box (INetBoxHDs12/OpenBox/OpticumX403p and other clones) there should be a linux OS; my objective is to obtain a telnet prompt, but for the moment I don't have a real plan about how to attack this box. Does someone have ideas or can point me in the right direction?
    If someone is interested and wants to post something more, everything will be appreciated.
    If you have read 'till here... thank you so much for the patience.
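To make the round-count question above concrete, here is an added XTEA reference implementation (not code from the post, nor from the ALi bootloader) with the cycle count as a parameter: the textbook '64-round' XTEA is 32 cycles of two Feistel rounds each, and decrypting with any other count gives garbage rather than a near miss. The key, the plaintext, big-endian word order and ECB chaining are constructed assumptions; a firmware may use a different word order or chaining mode.

```python
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9  # XTEA's golden-ratio constant

def xtea_encrypt_block(v0, v1, key, cycles=32):
    """Encrypt one 64-bit block (two 32-bit words) under a 128-bit key given
    as four 32-bit words. One cycle is two Feistel rounds, so the textbook
    '64-round' XTEA is cycles=32."""
    s = 0
    for _ in range(cycles):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
    return v0, v1

def xtea_decrypt_block(v0, v1, key, cycles=32):
    """Inverse of xtea_encrypt_block; only correct with the same cycle count,
    because the key schedule starts from DELTA * cycles and counts down."""
    s = (DELTA * cycles) & MASK32
    for _ in range(cycles):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK32
    return v0, v1

def xtea_ecb(data, key, cycles=32, decrypt=False):
    """Run the block function over whole 8-byte blocks. ECB and big-endian
    words are assumptions here; a firmware may chain blocks or order bytes
    differently, which is a separate unknown from the round count."""
    if len(data) % 8:
        raise ValueError("XTEA needs whole 8-byte blocks")
    fn = xtea_decrypt_block if decrypt else xtea_encrypt_block
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack(">II", data[i:i + 8])
        out += struct.pack(">II", *fn(v0, v1, key, cycles))
    return bytes(out)

# Constructed sample key and plaintext (not real firmware material).
SAMPLE_KEY = (0x00010203, 0x04050607, 0x08090A0B, 0x0C0D0E0F)
SAMPLE_PT = b"maincode(AV)\x00\xff\xff\xff"  # 16 bytes, two blocks
```

Round-tripping with cycles=16 or cycles=64 against a 32-cycle ciphertext returns unrelated bytes, which is why the cycle count has to be read out of the bootloader's loop rather than guessed from partial output.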

  2. #2
    Hi MrCode,
    it can be a lot easier to work on a compressed (lzma) but not encrypted maincode like this:
    AMIKO_STHD-8800_1.4.42_emu.abs
    Code:
    #...........NCRCbootloader......M3602A 1.1.6....2009-12-29......
    Code:
    .....!...$...Oaqmaincode(AV)....06000A001442....2012-01-09 .....................................................................
    Code:
    01FE0100002106810024FD80E44F61716D61696E636F64652841562900FFFFFF30363030304130303134343200FFFFFF323031322D30312D30392000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    you can find it @ sat-support.org (look for Amiko STHD-8800 Combo in the download section).
    Another good firmware here: _http://www.dvbstand.com/swd.php?id=945&mark=1


    Here is a clones list:
    Code:
    ( STB ID ) Bootloader M3602A
    (06000100)- Yumatu Full HD 
    (06000100)- Baff 2000 HD 
    (06000200)- Opticum X755/XT755/XTS755 
    (06000300)- Truman TM-909 HD 
    (06000300)- Startec HD 
    (06030300)- Truman TM 9090 HD 
    (06000400)- Dynavision DAVINCI 
    (06000400)- Dynavision Maxtech 
    (06030400)- Sanyogold HD 97 97x 
    (06030400)- Sanyogold HD 96 96x 
    (06030400)- Delta 362HD 
    (06030400)- Samsat HD 
    (06030400)- Goldsat HD 
    (06030500)- Star Track SRT 2015 HD 
    (06000700)- Golden Media Uni-Box 9060 / 9080 
    (06000700)- Truman TM-300 HD 
    (06000800)- Edision Argus Mini (IP) 
    (06000900)- V-Tech Z6010 HD Combo 
    (06000900)- On-Lien 4070 HD Combo 
    (06000900)- Digitalbox HDTS 1200 
    (06000900)- Venex 3602 HD Combo 
    (06000A00)- Amiko STHD-8800 
    (06000B00)- Galaxy Innovations S6199/S6699/ST7199/ST7699
    Code:
    ( STB ID ) Bootloader M3602B
    (06020100)- Yumatu HD 
    (06020200)- Opticum HD X402p 
    (06020200)- Opticum HD X403p 
    (06020400)- Dynavision PICASO HD PVR 
    (06020400)- Dynavision DAVINCI HD PVR 
    (06020700)- Golden Media Uni-Box 9060 Class 
    (06020800)- Edision Argus Piccollo 
    (06020A00)- Amiko SHD-7900 & SHD-8000 
    (06020A00)- AB CryptoBox 300HD & 350 HD
    A software that shows the firmware's sections or chunks already exists...
    Scindeur.exe, also known as "partes del firmware" or "Ariva Dekompresor".

    "ALi_Universal-Fixer_v1.4b.exe" will also be very useful...
    open the abs file, unpack (extractor tab) and uncompress... then you can find
    (in the same folder as the .abs file) the uncompressed maincode firmwarename_maincode(AV)_Lzma-Unpack.BIN

    Regards
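An added example (not MrCode's own scan program, nor any of the tools named above) that parses the 64-byte chunk header from post #1 over the Amiko maincode header hex from post #2, walks the NextChunkOffs chain, and decodes the bootloader ID as the MIPS `b` that lands 0x490 bytes in, as post #1 describes. Reading the header big-endian and treating the low ID byte as a variant are inferences from those two dumps; the bootloader chunk's size and next offset in the sample image are constructed.

```python
import struct
# 64-byte chunk header from post #1, read big-endian: the only byte order under
# which ChunkSize/NextChunkOffs in the post #2 dump give plausible values.
HDR = struct.Struct(">IIII16s16s16s")
CHUNK_IDS = {0x23010010: "BOOTLOADER", 0x01FE0101: "MAINCODE",
             0x02FD0100: "RADIOBACK", 0x02FD0200: "BOOTBACK",
             0x05FA0100: "UPGCODE", 0x03FC0100: "DEFAULTDB", 0x04FB0100: "USERDB"}
NCRC = 0x4E435243     # ASCII 'NCRC': chunk carries no checksum
ID_MASK = 0xFFFFFF00  # assumption: low byte is a variant (0x01FE0101 vs 0x01FE0100)

def cstr(field):
    """Text from a NUL/0xFF-padded fixed-size name field."""
    return field.split(b"\x00", 1)[0].decode("ascii", "replace").strip()

def parse_header(blob, offs=0):
    cid, size, nxt, crc, name, comp, date = HDR.unpack_from(blob, offs)
    kind = next((n for v, n in CHUNK_IDS.items() if v & ID_MASK == cid & ID_MASK),
                "UNKNOWN")
    return {"offset": offs, "id": cid, "kind": kind, "size": size, "next": nxt,
            "crc": None if crc == NCRC else crc, "name": cstr(name),
            "compiler": cstr(comp), "date": cstr(date)}

def walk_chunks(image):
    """Follow NextChunkOffs from 0; stop when a link leaves the image or repeats."""
    chunks, offs, seen = [], 0, set()
    while 0 <= offs <= len(image) - HDR.size and offs not in seen:
        seen.add(offs)
        chunks.append(parse_header(image, offs))
        offs = chunks[-1]["next"]
    return chunks

def branch_target(first4):
    """The bootloader ID is also the first MIPS instruction (little-endian word).
    For 'b' (beq $zero,$zero,off) return the target's byte offset from the
    chunk start: pc+4 (delay slot) plus the signed 16-bit offset in words."""
    word = struct.unpack("<I", first4)[0]
    if word >> 26 != 0x04 or (word >> 16) & 0x3FF:
        return None
    off = word & 0xFFFF
    return 4 + (off - 0x10000 if off & 0x8000 else off) * 4

# Maincode header copied verbatim from the Amiko hex dump in post #2.
MAINCODE_HDR = bytes.fromhex(
    "01FE0100002106810024FD80E44F6171" "6D61696E636F64652841562900FFFFFF"
    "30363030304130303134343200FFFFFF" "323031322D30312D30392000FFFFFFFF")
# Bootloader header: strings from the post #2 dump; size and next offset are
# constructed so that the sample chain reaches the maincode header at offset 64.
BOOT_HDR = HDR.pack(0x23010010, 0x10000, HDR.size, NCRC,
                    b"bootloader", b"M3602A 1.1.6", b"2009-12-29")
SAMPLE_IMAGE = BOOT_HDR + MAINCODE_HDR  # constructed two-chunk .abs image
```

On a real image, `walk_chunks(open("firmware.abs", "rb").read())` lists every chunk with its offset, size, CRC field and the three name strings; note that the CompilerNameVersion of the Amiko maincode starts with 06000A00, the same STB ID the clone list above gives for that receiver.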

  3. #3
    The stm 1.0.0 bootloader always says just that, and the date is always the same. This is not correct, since there are variations in the bootloader that apparently aren't reflected in the bootloader rev or date. I first discovered this looking for plaintext to compress to attack firmware that was in an encrypted zip file. Although billed as a linux receiver, it is said to use the ali TDS2 rtos.
    The ali universal fixer will extract and decompress azbox bravo firmware.
    The pansat 9500hdx firmware will boot on an openbox s10, so it may have hardware close enough to get hacked for s10 use.

  4. #4

    upgrade tool

    For playing with different firmware on m3602 based receivers, use the upgrade tool v2.0.0c. This will let you load firmware via rs232 even if the bootloader section of flash is corrupt or missing. Then switch over to using the newer v2.0.0f; then you can dump the individual chunks of flash to pc for analysis even though the receiver appears completely dead.
    I also encourage people to look at their mainboard for any numbers silk screened on it.
    As an example, my s10 says M41320
    HD632SMB v1.0
    They say you can't brick a m3602 receiver, so far so good.

  5. #5
    Thank you lutz, so it's time to search for this 'upgrade tool', but I think that it will not be enough for my purpose, because, if I've understood correctly, by means of the serial line you can retrieve online the entire firmware or pieces (chunks) of it, but not in the decoded form.
    I think that for this task I will need EJTAG to make a full dump of the memory where the uncompressed (and decrypted!) maincode lives. If I'm wrong and I've misunderstood, please correct me. I've also found around the web (I don't remember where) some post where someone says that it's impossible to retrieve this dump because inside the maincode there is an anti-ejtag trick, but I prefer to make an ejtag and verify by myself. I decided to follow your advice and open the box looking for serials or whatever kind of info on the mainboard; when I open it (to connect the jtag, I have to open it anyway) I'll post the info here.
    Some news about the coldstart: everything is inside VOL3, page 22.
    Everything in MIPS is (luckily) vectored, and at that page you can find the standard vectors used by a MIPS32 compliant processor (or MCU).
    At coldstart the instruction at 0xBFC00000 is fetched and executed, so now the reasons behind the choice of the bootloader ID (a jump 0x490 bytes forward) are explained.
    At 0xBFC00480 there is the EJTAG Debug vector, which points at the routine that manages this kind of exception.
    I'm still studying the bootloader code; I'll post again when I discover something interesting enough.
    I've already tried to use ali_universal_fixer to decompress the maincode, but as I said before, this kind of maincode is different: it's not only packed with lzma, but also encrypted with some form of crypto algorithm, so ALi_u_fix is not able to manage it (I don't know if a utility exists that can manage this kind of crypto-compression, but at the moment I've found nothing). InetHD s12 is close enough to openbox s10; I know for sure that the firmware for openbox s10 currently runs without flaws on s12, so if pansat 9500hdx firmwares can be successfully executed on openbox, they can also be executed on inethd.
    Now lutz, I have a doubt... may it be that this box, sold as linux-stb, is another tds2 clone as you said? Sadness
    Please, could you tell me where I can find a 9500hdx firmware? Thank you so much.
    ...today my English is worse than ever...
    Last edited by mrcode; 01-19-2012 at 03:35 PM.

  6. #6

    ejtag

    ejtag may be a problem, since most newer m3602 based receivers don't have a jtag port.
    You may want to look into the loader anyway; you will notice an eromclient.abs that gets loaded into memory somewhere in the process. This .abs is different for different processors/ram sizes. The older loaders actually made you manually select the proper .abs and sdram.ini to match your receiver for proper functioning. The sdram.ini may be a clue to loading ram with, say, a loader that would dump ram out the serial port instead of relying on jtag. Another possibility is what they call the cam slot, a connector with the same number of pins as an old pc pcmcia card. Maybe lots of fun if we can figure out how euro cams are wired and what data is available on them. Some old euro schematics had pinouts for the cam slots, but we would need a newer schematic with the m3602. Maybe you could cannibalize an old pcmcia card to get interfaced.
    I would post the pansat firm here, but sad to say not all my attachments get posted. Try pansatusa.com for the latest firmware. Probably tds2 also.

  7. #7

    eromclient

    If the eromclient.abs for the loader isn't encrypted, that may be the way to get in. The s10 has a 4meg flash, but only about 1/2 is being used. Plenty of extra room.

  8. #8

    lodi

    The ali sdk might even have a section on making the loader; even if it was the old sdk for 3329c it should be close enough to figure out what the eromclient.abs is doing.

  9. #9

    maincode

    9500hdx maincode mentions a security chip; this may be why certain menus don't work when loaded on the s10. Just enough works to be a tease.
    At least it isn't encrypted (yet), just lzma.
    m3602 has ali ice usb jtag; those .abs and ini files may be of some use.

  10. #10
    You gave me a lot of info lutz, thank you very much!!
    I've downloaded the pansat 9500hdx firmware from their main website; as you told me, the maincode is only packed with lzma and can be analyzed, this is a good thing.
    Now there is some chance to better understand the original maincode; as soon as I procure the adapter for the strange rs232 on the rear of the INetHD s12, I'll try to flash the pansat firmware on it, just to see what happens... who knows?
    Thank you again, now it's time to study hard for me!
