Announcement

**tom66** · 09-22-2018, 02:36 AM

Re: Emulating a main board CPU.

Be aware that these decompressors can be fooled if the file "looks" like something else.
Sometimes the firmware is encrypted or compressed in a proprietary manner.

**lookimback** · 09-22-2018, 03:03 AM

Re: Emulating a main board CPU.

That's what I was thinking. It says its a PARity archive file, but I searched for the below signatures in a hex editor but they aren't there.

A Par1 file starts with the following byte sequence:

50 41 52 00 00 00 00 00

This corresponds to the ASCII text string PAR, followed by 5 null bytes.

A Par2 file starts with the bytes:

50 41 52 32 00 50 4B 54

This corresponds to ASCII text string PAR2, followed by a null byte and the text string PKT.

Finally, a Par3 file can be identified by the following 4-byte sequence:

50 41 33 00

**lookimback** · 09-22-2018, 04:32 PM

Re: Emulating a main board CPU.

binwalk -I shows me that there's a whole lot that it isn't able to identify. This is't going to be as easy as I first thought.

**lookimback** · 09-23-2018, 04:30 PM

Re: Emulating a main board CPU.

I'm not getting anywhere with this. Some of it probably comes down to not knowing all the available firmware analysis tools, and/or how to use them. Not going to give up though. Since we know the UART pinout from the image I posted previously, I'm going to try connecting to it to see what useful information I can get.

As a side note, based on this post, and the results from a binwalk entropy scan, the Chi square distribution, and Monte Carlo pi approximation both of which were obtained by using ENT, I'm pretty sure the firmware image is compressed and not encrypted.

**lookimback** · 09-23-2018, 11:20 PM

Re: Emulating a main board CPU.

I tried accessing the SoC over UART. Interestingly, the baudrate is 115200 when on, and 38400 when powered off. Doesn't respond to anything.

When the board powers on, I get this.
Eden: BD_CVT_P85A
SPI BOOT
Console Initial OK

65
[23456789A][123456789A]
0065

BIST_0 PASS.

MIU Initial OK
SBOOT:AC ON
then some gibberish.

With power off, I get this.

Hello Eden standby mode

Console Initial OK (PM)

g_u8PowerKeyADCLevel:0x32
Enter EDEN PM Standby

[EDEN PM]

[EDEN PM]

**tom66** · 09-24-2018, 12:27 AM

Re: Emulating a main board CPU.

It's either locked or there's some alternate way to enter, like a key sequence.
Disassembling the firmware may be the only way to tell for sure.

**lookimback** · 09-24-2018, 10:59 AM

Re: Emulating a main board CPU.

I did extract and decompress the LZMA part. Pretty sure the file system is in there. How does the SoC know how to extract it? Could there be an OS programmed into it that's separate from the firmware image on the eeprom?

**Th3_uN1Qu3** · 09-24-2018, 11:57 AM

Re: Emulating a main board CPU.

Originally posted by lookimback View Post

I finally got Ubuntu installed. I wanted to install it alongside of Windows on my desktop, but the HD is 9 years old. I ran CrystalDiskInfo and it said its healthy, but with over 17000 hours, I think it could fail at any time.

At work we retired a 1TB Western Digital HDD in the data recovery machine that had over 41.000 hours. Still zero bad sectors but it was used to store backups so we decided to take it offline.

I think I saved a screenshot of the SMART parameters of that drive, will put it up sometime. Sorry for thread hijack btw.

**lookimback** · 09-24-2018, 12:17 PM

Re: Emulating a main board CPU.

Originally posted by Th3_uN1Qu3 View Post

At work we retired a 1TB Western Digital HDD in the data recovery machine that had over 41.000 hours. Still zero bad sectors but it was used to store backups so we decided to take it offline.

I think I saved a screenshot of the SMART parameters of that drive, will put it up sometime. Sorry for thread hijack btw.

My tower, which I use as a network server, has 34000 hours. It's working fine, but I'm going to replace it soon with an enterprise HD. The data on it is crucial to my business and if it went down, I'd be screwed.

BTW, I already hijacked my own thread. This went from emulating a CPU to hacking firmware.

**lookimback** · 09-24-2018, 12:21 PM

Re: Emulating a main board CPU.

Found something interesting with the strings command. This line 'cpu/risc32/eden/interrupt.c' I guess would indicate that it's a risc32 architecture.

**lookimback** · 09-24-2018, 12:29 PM

Re: Emulating a main board CPU.

Could this mean something? FW address must be 128 byte alignment
and this JPD Firmware load code address must be 2048 byte alignment!

**tom66** · 09-24-2018, 12:53 PM

Re: Emulating a main board CPU.

Not really it's just page alignment for the flash chip.

**lookimback** · 09-24-2018, 01:18 PM

Re: Emulating a main board CPU.

RISC32 would make it ARM right?

**tom66** · 09-24-2018, 02:39 PM

Re: Emulating a main board CPU.

Originally posted by lookimback View Post

RISC32 would make it ARM right?

No, otherwise it would be called ARM.

RISC32 is probably related to Risc-V which is a rather unusual architecture. I would expect MIPS or ARM to be honest so not sure what to make of this.

**lookimback** · 09-24-2018, 03:16 PM

Re: Emulating a main board CPU.

Originally posted by tom66 View Post

No, otherwise it would be called ARM.

I guess that makes sense. Lol

**lookimback** · 09-25-2018, 06:39 AM

Re: Emulating a main board CPU.

I decided to ask for help at StackExchange. They're going to take a look at it. I'm sure it just comes down to experience and knowledge of the available tools. I'm anxious to find if there's a way to do a factory reset via UART and if that would fix the problem.

**lookimback** · 09-26-2018, 04:25 AM

Re: Emulating a main board CPU.

At this point, I'm thinking the binary must be obfuscated. Somehow, I need to find the bootloader and figure out how it handles the de-obfuscation.

**tom66** · 09-26-2018, 02:46 PM

Re: Emulating a main board CPU.

Originally posted by lookimback View Post

At this point, I'm thinking the binary must be obfuscated. Somehow, I need to find the bootloader and figure out how it handles the de-obfuscation.

It is possible but unlikely. If you find cleartext in it, it is probably not obfuscated or encrypted.

But it takes years of experience to even know where to start with this.

**lookimback** · 09-26-2018, 03:32 PM

Re: Emulating a main board CPU.

I think I just figured something out. Run strings on this image. I started doing math, trying to figure out areas in the binary I could exclude, thinking I could narrow it down some. It didn't add up right. All that copyright stuff comes after the jpg, but adding the size of the jpg and the offset equals the size of the binary. I don't know if they've embed code into the jpg, or if the extraction just doesn't stop at the end of the image. I tried binwalk --exclude 'jpeg' file.bin, but that just skips over it. I'm going to try changing the signature so it won't recognize it and see if it then finds something else.

Attached Files

**lookimback** · 09-26-2018, 05:17 PM

Re: Emulating a main board CPU.

Well, I wasn't exactly right. It's not embedded. I just didn't specify a limit when I extracted it. The image file is actually only 41kb. That means I have another 1.9mb to look through.

Announcement

Emulating a main board CPU.

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment