Rockbox Development > New Ports

Sandisk Clip Sport


wzdd:
Okay, I've decrypted the 1.22 firmware. It is here: http://wikisend.com/download/409764/upgrade-1.22.raw.gz

It is missing its BREC, which seems to be the first code to run which can be changed. I'll look into dumping that as well later. (The BREC seems to do flash initialisation, or at least contain flash initialisation parameters, which may mean that it is stored on the atj2127 instead of the flash?)

I did this by running the ucos firmware upgrade routine on a MIPS emulator. Next step will be to rewrite it in C to figure out how it works. I'll upload the code tomorrow (it's late here).

The missing key data is part of FWDec.al -- I had just converted it wrong the first time. It's 32 bytes starting at file offset 0x282c and beginning 0xa2, 0x6e, 0x14, 0x42. These seem to form an initial state for the decryption, which I don't recognise (the function starts at file offset 0x268c). The state is combined with the ciphertext using xor, but there is some (very small) amount of mixing involved, so the blocks must be decrypted in order.

This is largely academic at this point because it is much easier to figure out the adfu protocol and send unencrypted data, but it's interesting to see what is going on -- and it will make reflashing the device as simple as copying a file across, which is quite nice.

wzdd:
I also discovered that the Philips GoGear Muse firmware contains the same firmware upgrade module, but apparently compiled with debugging symbols enabled. Also, the file is in ELF format rather than ucos format, and appears to be compiled with a different (and much worse) compiler. I got this firmware by following pmaury's firmware finding formula on the wiki -- the filename is sa4mus08kf_12_hf1_eng.zip.

wodz:
I bet the compiler is the same, i.e. some flavor of gcc. The files for atj213x I've studied use different optimization levels, however. With -O0 gcc produces terrible code, while higher levels are rather well optimized (and considerably harder to follow in disassembly).

BTW. Which mips simulator did you use?

wzdd:
Just qemu. You're probably right about the optimisation levels.

This is the code: https://github.com/nfd/atj2127decrypt

Next step will be to convert the mips32 asm to C, so it doesn't require a MIPS system to run!

wodz:
On github you state that MBREC is not correctly decoded. It may well be that MBREC is additionally scrambled/crypted. Have you tried to sniff USB traffic during recovery with the PC tool? It should be fairly easy to map the USB payload to the unpacked files. On atj213x the first stage image needs to be scrambled (descrambling is handled by code in the boot ROM). AFAIK MBREC sits at the very beginning of NAND.
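The mapping step wodz suggests (match what the recovery tool sends over USB against the unpacked image, and see which parts of the image never appear verbatim) as an added example. This is not code from the thread or from nfd/atj2127decrypt: the firmware image and the "captured" bulk payloads are constructed inline so it runs offline, and the 0x5A XOR used to fake a transformed chunk is a placeholder, not the atj213x scrambling. In practice the payloads would be extracted from a usbmon/Wireshark capture and the image would be the decrypted upgrade file.

```python
import hashlib
import math
from dataclasses import dataclass
from typing import Optional


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic filler standing in for firmware bytes (constructed data)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed stand-in for an unpacked firmware image (not real atj2127 data).
IMAGE = _pseudo_random(4096, b"constructed-image")

# Constructed stand-ins for USB bulk-OUT payloads seen during recovery:
# two chunks sent as-is, one chunk sent in a transformed form (placeholder
# XOR, not the real scrambling), and one short command block.
CAPTURED = [
    IMAGE[0x000:0x200],                               # plain, expected at 0
    IMAGE[0x800:0xA00],                               # plain, expected at 0x800
    bytes(b ^ 0x5A for b in IMAGE[0x400:0x600]),      # will not be found verbatim
    b"USBC" + b"\x00" * 12,                           # too short to be data
]


@dataclass
class PayloadMatch:
    index: int
    length: int
    offset: Optional[int]   # where the payload appears verbatim in the image, else None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8 suggest compressed, encrypted or scrambled data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def map_payloads(image: bytes, payloads: list[bytes], min_len: int = 64) -> list[PayloadMatch]:
    """Locate each captured payload in the unpacked image by exact byte search."""
    results = []
    for i, p in enumerate(payloads):
        if len(p) < min_len:                 # command blocks, status packets etc.
            results.append(PayloadMatch(i, len(p), None))
            continue
        off = image.find(p)
        results.append(PayloadMatch(i, len(p), off if off >= 0 else None))
    return results


def uncovered_regions(image_len: int, matches: list[PayloadMatch]) -> list[tuple[int, int]]:
    """Byte ranges of the image never seen verbatim on the wire (candidates for
    having been scrambled before transfer, e.g. a first-stage loader)."""
    covered = sorted((m.offset, m.offset + m.length) for m in matches if m.offset is not None)
    gaps, pos = [], 0
    for start, end in covered:
        if start > pos:
            gaps.append((pos, start))
        pos = max(pos, end)
    if pos < image_len:
        gaps.append((pos, image_len))
    return gaps


if __name__ == "__main__":
    matches = map_payloads(IMAGE, CAPTURED)
    for m in matches:
        where = f"image+0x{m.offset:x}" if m.offset is not None else "no verbatim match"
        print(f"payload {m.index}: {m.length} bytes, {where}, "
              f"entropy {shannon_entropy(CAPTURED[m.index]):.2f}")
    for start, end in uncovered_regions(len(IMAGE), matches):
        print(f"never seen verbatim: 0x{start:x}-0x{end:x}")
```

Payloads that are long and high-entropy but never match verbatim are the ones to look at for an extra scrambling layer; the uncovered regions tell you which parts of the image (for instance the start, where the MBREC would sit) those payloads probably correspond to.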
