
Messages - surfrock66

4
Bus Pirate Support / Re: Can the Bus Pirate be used to read the eeprom from this
Ok, running those.

The "r2 -a 8051 chipdump1" command is just sitting at the following; I don't know if it's thinking or not, it's pretty low CPU:

Code:
surfrock66@sr66-blade:~/Downloads$ r2 -a 8051 chipdump1
 -- Too old to crash
[0x00000000]>

I tried googling that output but it's pretty dry.

The other command spit out a big file dump of hex and decimal info, which I'm going through...not too sure of what to look for in it, but I've made it available here: http://www.surfrock66.com/rafind2.dump.txt

I'm crawling through that looking for anything interesting; I'm also reading the radare2 documentation to see if I can figure out what I'm doing.

EDIT: JUST KIDDING that is just regular error output, I'm researching:

Code:
surfrock66@sr66-blade:~/Downloads$ r2 -a 8051 chipdump1
 -- Too old to crash
[0x00000000]> q
surfrock66@sr66-blade:~/Downloads$ r2 -a 8051 chipdump1
 -- WASTED
[0x00000000]> q
surfrock66@sr66-blade:~/Downloads$ r2 -a 8051 chipdump1
 -- The '?' command can be used to evaluate math expressions. Like this: '? (0x34+22)*4'
[0x00000000]> q
surfrock66@sr66-blade:~/Downloads$ r2 -a 8051 chipdump1
 -- Run your own r2 scripts in awk using the r2awk program.
[0x00000000]>
6
Bus Pirate Support / Re: Can the Bus Pirate be used to read the eeprom from this
-Y doesn't work for me...not sure why.  I can't reboot this laptop because I'm currently running "binwalk -MreIZX chipdump1"

Entropy graph attached.

I haven't tried 8051 yet; I assume you mean the disassembler on the first one?  The issue is it's MSDOS only, and I have no windows computers, only Linux :/

I have MCU 8051 IDE installed.  I'm not sure what to do with it, a lot of options are greyed out.  I see some things in Utilities about converting bin->hex or sim->bin, but not sure how to proceed.
7
Bus Pirate Support / Re: Can the Bus Pirate be used to read the eeprom from this
So, I'm kind of stumped.  I've actually used binwalk before on some router firmwares, but I think this is a different beast.

Initially when I ran it against the extracted fileset, I got nothing. 

Finally, I ran and got this:

Code:
surfrock66@sr66-darter:~/Downloads$ binwalk -Z chipdump1

DECIMAL      HEXADECIMAL    DESCRIPTION
--------------------------------------------------------------------------------
1044734      0xFF0FE        Raw LZMA compression stream, properties: 0xA2 [pb: 3, lp: 3, lc: 0], dictionary size: 65536

Here's a list of things I've run, which have extracted MANY a file, none of which seem to be usable:

Code:
binwalk -e chipdump1
binwalk -b -I -B chipdump1
binwalk -Me chipdump1
binwalk -B -E chipdump1
binwalk -W chipdump1
binwalk -X chipdump1
binwalk --deflate chipdump1
binwalk -Z chipdump1
binwalk -X -Z chipdump1
binwalk --offset=0xFF0FE --lzma -M -e chipdump1
binwalk -Z -X -M -e 2B396.7z
binwalk -Z -X -M -e 42BE.7z

Those last 3 have been running for days, and may have been incredibly stupid.  Oh well, I have the CPU cycles to run this.

I have read the documentation and searched a ton about binwalk, but most of what I found references nicely packaged firmware files, and not chip dumps.  I figure asking here is a better shot at finding someone with experience pulling info out of a chip like this.
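An added example (not from this thread or from binwalk) that checks a hit like the one above the way a reviewer would: it scans a constructed dump for LZMA "alone" headers, decodes the properties byte the way binwalk reports it (0xA2 gives pb 3, lp 3, lc 0; the next four bytes give the 65536 dictionary), and keeps a candidate only if liblzma actually decodes it through to an end-of-stream marker. The dictionary-size plausibility window, the sample dump and the decoy header are my assumptions.

```python
import lzma
import struct

# Plausibility window for the dictionary-size field (my heuristic, not binwalk's).
LZMA_MIN_DICT, LZMA_MAX_DICT = 1 << 12, 1 << 26

def decode_props(b):
    """Split the LZMA properties byte into (pb, lp, lc); it is encoded as (pb*5 + lp)*9 + lc."""
    if b >= 9 * 5 * 5:
        raise ValueError("not a valid LZMA properties byte")
    lc, rest = b % 9, b // 9
    return rest // 5, rest % 5, lc

def looks_like_lzma_header(data, off):
    """Cheap filter before spending decoder time: valid props byte + power-of-two dictionary."""
    if off + 13 > len(data) or data[off] >= 225:
        return False
    dict_size = struct.unpack_from("<I", data, off + 1)[0]
    return LZMA_MIN_DICT <= dict_size <= LZMA_MAX_DICT and dict_size & (dict_size - 1) == 0

def find_lzma_streams(data, max_out=1 << 20):
    """Return [(offset, (pb, lp, lc), dict_size, payload)] for candidates that decode to an end marker."""
    found, off = [], 0
    while off + 13 <= len(data):
        if not looks_like_lzma_header(data, off):
            off += 1
            continue
        dec = lzma.LZMADecompressor(lzma.FORMAT_ALONE)
        try:
            out = dec.decompress(data[off:], max_length=max_out)
        except lzma.LZMAError:
            out = None
        if out is None or not dec.eof:  # decoder error, input ran out or output cap hit: false positive
            off += 1
            continue
        dict_size = struct.unpack_from("<I", data, off + 1)[0]
        found.append((off, decode_props(data[off]), dict_size, out))
        off = len(data) - len(dec.unused_data)  # resume scanning after the confirmed stream
    return found

def build_sample_dump():
    """Constructed stand-in for a chip dump: erased 0xFF filler, one real stream, one decoy header."""
    payload = b"constructed firmware blob " * 64
    stream = lzma.compress(payload, format=lzma.FORMAT_ALONE,
                           filters=[{"id": lzma.FILTER_LZMA1, "dict_size": 65536,
                                     "lc": 0, "lp": 3, "pb": 3}])
    decoy = b"\x5d" + struct.pack("<I", 1 << 23) + b"\xff" * 8 + b"\x00" * 3
    return b"\xff" * 0x1000 + stream + b"\xff" * 0x200 + decoy, 0x1000, payload
```

The decoy shows why the decoder step matters: its header passes the cheap filter exactly as a signature scanner's would, but it never reaches an end marker, so it is dropped.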
8
Bus Pirate Support / Re: Can the Bus Pirate be used to read the eeprom from this
That did it.  Took your advice, used flashrom:

Code:
sudo flashrom -p buspirate_spi:dev=/dev/ttyACM0 -r chipdump1

Worked!  The one trick I had to make sure to do was to tie the 3.3V to pins 7,8, and 3. 

I need to figure out what to do with this now...I assume it's some sort of compiled/obfuscated thing, either that or compressed and loaded into ram.  I tried to use "strings" on it...nothing.  Any tips are appreciated, but I'll figure it out eventually.
10
Bus Pirate Support / Re: Can the Bus Pirate be used to read the eeprom from this
So, I soldered it all up to a breadboard so I have easy pins (I've not desoldered the chip, just put wires from the chip to the breadboard).  Tested everything with a multimeter...interestingly enough, pins 3/7/8 were shorted before I even started (/WP, /HOLD, and VCC).  Nevertheless, I plugged it in, got to SPI mode, hit "W"...

Code:
SPI>W
VREG too low, is there a short?
Power supplies OFF

I unplugged it all, checked my connections again, wired it up...same.  Interestingly enough, in rewiring it up...I ran the same command with the header to the bus pirate disconnected...same thing.  Weird?  I ran a self-test and everything is fine.  Thoughts?
11
Bus Pirate Support / Re: Can the Bus Pirate be used to read the eeprom from this
So I may be lucky...the device I'm disassembling had a daughter board I ignored, which as it turns out has a "Winbond 25Q80dvsig" on it.  That's an 8MB flash chip:

https://www.winbond.com/resource-files/ ... ebsite.pdf

I'm looking at this:

Quote
Read Data (03h)

The Read Data instruction allows one or more data bytes to be sequentially read from the memory. The

instruction is initiated by driving the /CS pin low and then shifting the instruction code “03h” followed
by a 24-bit address (A23-A0) into the DI pin. The code and address bits are latched on the rising edge
of the CLK pin. After the address is received, the data byte of the addressed memory location will be
shifted out on the DO pin at the falling edge of CLK with most significant bit (MSB) first. The address is
automatically incremented to the next higher address after each byte of data is shifted out allowing for
a continuous stream of data. This means that the entire memory can be accessed with a single
instruction as long as the clock continues. The instruction is completed by driving /CS high.

The Read Data instruction sequence is shown in figure 9. If a Read Data instruction is issued while an
Erase, Program or Write cycle is in process (BUSY=1) the instruction is ignored and will not have any
effects on the current cycle. The Read Data instruction allows clock rates from D.C. to a maximum of fR
(see AC Electrical Characteristics).

I may be in luck...
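An added example (not from this thread or from Winbond) that models the Read Data (03h) sequence quoted above: the 4-byte frame the master shifts into DI, the address auto-increment that lets one instruction stream the whole array, and the BUSY=1 case in which the instruction is ignored. It also prints the same transaction in the Bus Pirate's SPI terminal syntax. The 1 MiB array size, the wrap-to-zero at the end of the array and the idle-DO value of 0xFF are my modelling assumptions.

```python
READ_DATA = 0x03        # "Read Data" instruction code from the datasheet excerpt
ARRAY_SIZE = 1 << 20    # assumption: 8 Mbit part, i.e. a 1 MiB array

def read_data_frame(addr):
    """The bytes the master shifts into DI: the opcode, then A23..A0 MSB first."""
    if not 0 <= addr < (1 << 24):
        raise ValueError("address must fit in 24 bits")
    return bytes([READ_DATA, (addr >> 16) & 0xFF, (addr >> 8) & 0xFF, addr & 0xFF])

def buspirate_read_cmd(addr, nbytes):
    """Same transaction in Bus Pirate SPI terminal syntax: [ = /CS low, ] = /CS high, r:n = read n bytes."""
    return "[" + " ".join("0x%02X" % b for b in read_data_frame(addr)) + " r:%d]" % nbytes

class SimulatedW25Q80:
    """Toy model of the read path only (constructed for illustration, not a full device model)."""
    def __init__(self, contents, busy=False):
        self.mem = contents.ljust(ARRAY_SIZE, b"\xff")[:ARRAY_SIZE]  # erased cells read as 0xFF
        self.busy = busy                                              # status-register BUSY bit

    def transaction(self, frame, nread):
        """One /CS-low window: clock `frame` in, then clock `nread` bytes out of DO."""
        if self.busy:  # BUSY=1 during erase/program: instruction ignored, DO stays idle (assumed 0xFF)
            return b"\xff" * nread
        if len(frame) != 4 or frame[0] != READ_DATA:
            raise ValueError("only the 03h instruction is modelled")
        addr = int.from_bytes(frame[1:4], "big")
        # Address auto-increments after every byte; wrapping to 0 at the end is a modelling assumption.
        return bytes(self.mem[(addr + i) % ARRAY_SIZE] for i in range(nread))

def dump_flash(dev):
    """Read the entire array with a single Read Data instruction, as the datasheet text allows."""
    return dev.transaction(read_data_frame(0), ARRAY_SIZE)
```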
12
Bus Pirate Support / Re: Can the Bus Pirate be used to read the eeprom from this
I have a crappy translation:

Page 126:
Quote
Online Programming (the ISP)
ONProgram
Memory and Internal Data Memory Chip Programming and Hardware Support Online Programming (the ISP). Hardware's Programming in Production at Programming Programmer, IT CAN the reduce cost and at The Time. HOWEVER, IF at The Product Development at The Stage or in need at The Product to Update Firmware, Of Convenient TOO, use the ISP MODE, the make the this Process Becomes Easy. N79E815A / 814A / 813A / 8132A Support the ISP MODE android.permission Software Procedures Updating. The Update at The file aDppD5li.c5aVti o=n 3 r.e0qVu i.red Voltage: V
Not the ISP does need to Executive BE removed from at The System Controller Board. At The Common Way IS MOST through the UART at The Implementation of the Code. That IS the PC Via Serial Transmission at The new new APROM Codes, LDROM Firmware accepted and reprogrammed in APROM Command Via the ISP.
Provides the ISP Firmware The Nuvoton, Go to 'bit Microcontrollers 8The
Nuvoton at The following Website. The Select "The Nuvoton the ISP by ICPProgrammer

The ISP 20.1 the bootloader
Operation of RealTime
that Unlike at The Register, Update Data Memory Takes A Long Time. THUS, the Timing Control Complex at The need for IS ERASED, written, N79E815A / 814A / 813A / 8132A Provides A mechanism of Convenient to the Users Help Update. By Setting ISPEN (CHPCON.0 protected by TA) Enabled
After the ISP, the user can easily write 16bit
destination address ISPAH and ISPAL, ISPFD to write data to ISPCN write command, and then
Trigger ISPGO at The SET (ISPTRG.0) READY to the Perform the ISP. Note ISPTRG Also protected by at The TA.
ISPGO the Setting (ISPTRG.0), Started the ISP. Note ISPTRG Also protected by at The TA. At the this Time, the CPU to the Keep at The Program counter, the ISP Builtin
Exalted Voltage Control Power Supply's Internal, and the Timing Control Signal. The After the ISP IS Operation Completed, at The Instruction Program Continues to counter Cleared the Automatically. The If you need the ISP to the Perform Operation Again, the Users only need to REPEAT at The above Steps, the this through the User Program RAM.
Here is the ISP register.

Code:
Place        Name      Description
6              ISPF        The ISP the Error Sign In Flag ( the Read Only )
                              When these conditions are met, the hardware sets this bit:
                              1. The following access is not allowed, such as,
                              (A) When APROM code at runtime, erased or programmed APROM itself.
                              (B) when APROM code at runtime, but LDUEN 0, erasing or programming LDROM.
                              (C) When APROM code at runtime, erase, program or read CONFIG bytes.
                              (D) When LDROM code at runtime, erased or programmed LDROM.
                              (E) access over the region of its size.
                              2. ISP is done by the internal program space into the external program space.
                              This bit is cleared by software
5              LDUEN    The Update LDROM Enabled
                              0 = When APROM code at runtime, prohibited from being erased or programmed LDROM, LDROM remain readonly.
                              1 = APROM code at runtime, allowing access LDROM.
4: 2          -            Retention
1              BS          Select Start
                              This bit is written or read in different ways.
                              write:
                              After resetting MCU defines the start blocks.
                              From the time you start APROM 0 = under.
                              From the time you start LDROM 1 = lower.
                              read:
                              After defining the starting blocks last reset MCU.
                              0 = last start from APROM.
                              1 = previous boot from LDROM.
0              ISPEN      The ISP the Enable
                              0 = ISP function.
                              1 = disable ISP.
                              Will the enable function at The Internal the ISP 22.1184MHz the RC Oscillator Clock. The ISP Operations SHOULD BE the Clear ISPEN
                              After the last instruction, which can stop the internal RC to reduce power consumption.

Page 131:
Quote
The ISP 20.4 the User Guide
ISP users can easily update the contents of the memory, however, the user must follow certain restrictions to ensure that the ISP is performed properly, it may cause
A Result AS, Damage to the even at The Device. Meanwhile, at The segment IS Useful for correct at The Implementation of the ISP.
(1) Not have have AN the ISP, the User of MUST at The ISPEN the Clear (CHPCON.0) of 0. The IS It Prevents Accidental at The System in Triggering from the ISP.
The RC Oscillator 22.1184MHz. The If you SELECT External Clock at The Source at The STOP IS Prohibited Will the ISP Internal 22.1184MHz the RC, CAN Achieve Note ISPEN protected by the TA.
(2) only the when CONFIG byte code at The LDROM Startup CAN BE Full Access the ISP. The After All RESET, the except bits of the CBS, new new
All bytes are activated CONFIG. The After All Software RESET RESETS the except Outside, the CBS 'bit at The new new IS activated.
(3) When the LOCK bit (CONFIG0.1) is activated, ISP read, write or erase still valid.
(4) at The the ISDPD= W 3o.0rkVin 5g. 5OVN. V
(5) APROM and LDROM own content can be read by ISP method.
Their own the Users CAN Start the Notes the ISP Program, in the Order to Protect Data Security, and Program ERASE CONFIG byte at The Last of MUST BE STEP.

Page 156/157:
Quote
the InCircuit Programming (by ICP)
ICP (In Circuit Programming) model is another way to access the EPROM memory, requires only three pins execution ICP functions, one is / RST input lead
During at The Work of MUST by ICP Foot BE pulled to the GND, the INPUT A Clock, and P1.7 Reuse, at The Device Receives AN External Serial Clock. Another IS I / O pins multiplexed with P1.6 external ICP programming at P1.7 through P1.6 pin synchronous clock data into N79E815A / 814A / 813A / 8132A memory EPROM.

By ICP at The MODE Entering the when, Will All pins quasiBidirectional BE SET MODE, at The Output IS "1." N79E815A / 814A / 813A / 8132A Memory Support
The EPROM (16K / 8K / 4K bytes APROM the EPROM), Data Memory (Page 128 bytes) and LDROM Programming. The Userselectable is Programming APROM, data memory and LDROM.

The NOTE :
1. When using the ICP update the code, /RST,P1.6 and P1.7 must be disconnected from the system board load.
2. After the ICP program, the proposed power off the system removed ICP tool, and then connect the power.
3. recommends that customers continuously erasing and editing configuration bits in two steps, do not break.
13
Bus Pirate Support / Re: Can the Bus Pirate be used to read the eeprom from this
That was my assessment as well.  The firmwares for the rest of these devices have ranged from 4-16MB, and they've simply dropped the 107KB .jar file onto the filesystem.

I'm a pretty big noob here...the only other time I used the bus pirate, I had a pretty thorough guide.  I've accessed solder points on pins 2,3,4,5,8,9,11,12,18,19 and 20, I'm trying to find solder points I can hit for the rest.  If you have any tips on how I'd dump the eeprom, it'd be appreciated.
14
Bus Pirate Support / Re: Can the Bus Pirate be used to read the eeprom from this
My original thought was the OS was stored on the eeprom, but now I'm wondering if the 2nd chip is actually a small storage chip. 

I have the board; photos below:
[attachment=1]

[attachment=0]

I've also wired connections to the 8 pins on the smaller chip. 

We are analyzing 3 generations of products; gen 1 (which is confirmed to be using the java code in question without attribution on a small embedded linux), gen 2 wifi (which is confirmed to be using an alternate bit of code also on a small embedded linux), then gen 2 NON wifi which communicates with a small dedicated device over a 2.4GHz radio which is not wifi or bluetooth.  This is the device we are trying to analyze; I believe it's likely they're still using an embedded linux, and in this case it'd be likely they are still using the java code in question.
15
Bus Pirate Support / Re: Can the Bus Pirate be used to read the eeprom from this
HMM...that link makes me think that the chip I'm looking at is NOT storage.  I guess my only other recourse is the 8-pin chip, the 8101 RYI.  I can't find ANYTHING on it.  I know the ground pin...also pin 7 on the 8101 is the same as pin 18 on the first chip.  Is there a good guide to reverse engineering a total mystery chip?