October 11th, 2016, 6:33
* Please analyze the firmware updating procedure. I would need a firmware change that has the first
4 bytes changed to an endless loop, so that I can reliably debug the initialisation of the firmware.
My current guess is that there is a 16 or 32 bit checksum at the end of the firmware header which
protects the whole firmware. Please analyze the checksum algorithm and develop a tool to calculate
the checksum for a firmware file and write the calculated checksum into the file.
October 12th, 2016, 6:39
The thing at 0x000001FC-0x000001FF in the firmware looked like a CRC to me too, what do you think?
Are you still working on an EXT0BB6Q case? EXT0CB6Q has been on the market for quite some time now ...
Anything else besides the private key you are interested in?
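To make the checksum question concrete (the request for a checksum tool above, and the field at 0x000001FC-0x000001FF that looks like a CRC), here is an added example that is not code from the thread or from the firmware. It assumes a layout the thread only guesses at: a 0x200-byte header whose last four bytes hold a 32-bit little-endian checksum over everything after the header. It tries three candidate algorithms (IEEE CRC-32, a 16-bit additive sum and a 32-bit additive sum) against the stored field, and provides a verifier and an updater for the CRC-32 case. The header size, covered range, byte order, candidate list and all function names are assumptions made for the example. Whatever algorithm turns out to match, an unkeyed checksum of this kind only detects accidental corruption; it gives no protection against a modified image, so a boot chain that wants integrity needs a signature check in mask ROM, not a CRC.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed image layout (the thread only guesses at it): a 0x200-byte header whose last
 * four bytes, 0x1FC..0x1FF, hold a little-endian checksum covering everything after the
 * header. Header size and covered range are assumptions for this example. */
#define HDR_SIZE   0x200
#define CRC_OFFSET 0x1FC

/* Standard reflected CRC-32 (IEEE 802.3, polynomial 0xEDB88320), bitwise, no table. */
uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Plain 16-bit and 32-bit additive sums: the other candidates the thread considers. */
uint32_t sum16(const uint8_t *p, size_t n) { uint16_t s = 0; for (size_t i = 0; i < n; i++) s = (uint16_t)(s + p[i]); return s; }
uint32_t sum32(const uint8_t *p, size_t n) { uint32_t s = 0; for (size_t i = 0; i < n; i++) s += p[i]; return s; }

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

typedef uint32_t (*checksum_fn)(const uint8_t *, size_t);
typedef struct { const char *name; checksum_fn fn; } candidate_t;

static const candidate_t candidates[] = {
    { "crc32", crc32_ieee }, { "sum16", sum16 }, { "sum32", sum32 },
};

/* Name of the first candidate whose value over the body equals the stored field, or NULL.
 * Running this over several genuine images is how a guess about the algorithm is confirmed
 * before a verifier is built on it. */
const char *identify_checksum(const uint8_t *img, size_t len)
{
    if (len < HDR_SIZE) return NULL;
    uint32_t stored = rd32le(img + CRC_OFFSET);
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        if (candidates[i].fn(img + HDR_SIZE, len - HDR_SIZE) == stored)
            return candidates[i].name;
    return NULL;
}

/* Verifier for the CRC-32 case: 1 if the stored field matches the body, 0 otherwise. */
int verify_image(const uint8_t *img, size_t len)
{
    return len >= HDR_SIZE && rd32le(img + CRC_OFFSET) == crc32_ieee(img + HDR_SIZE, len - HDR_SIZE);
}

/* Recomputes the CRC-32 over the body and stores it in the header field. */
void update_checksum(uint8_t *img, size_t len)
{
    if (len >= HDR_SIZE) wr32le(img + CRC_OFFSET, crc32_ieee(img + HDR_SIZE, len - HDR_SIZE));
}

/* Builds a constructed sample image (arbitrary filler, fake magic, valid CRC-32 field). */
void make_sample_image(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)(i * 7 + 3);
    memcpy(buf, "FWHD", 4);
    update_checksum(buf, len);
}

int main(void)
{
    uint8_t img[0x400];
    make_sample_image(img, sizeof img);
    printf("stored field matches candidate: %s\n", identify_checksum(img, sizeof img));
    img[0x300] ^= 0x01;   /* one flipped bit in the body */
    printf("verify after flip: %d\n", verify_image(img, sizeof img));
    return 0;
}
```

A match from identify_checksum on a single image is only a hypothesis; the same candidate has to match on every genuine image before it is trusted, and a 16-bit sum would show up as a field whose upper half is always zero. The verifier and updater are written for the CRC-32 candidate only; the other candidates exist to be ruled in or out.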
November 16th, 2016, 19:07
sourcerer wrote: @fzabkar: Wrong guess, the ABS part is an I2C temperature sensor, not a SPI flash ROM.
April 27th, 2017, 6:19
Now regarding the status register [2038000C]: When everything is ok, it has the value
0xFFFF0000. When you have read a sector it often gets the value 0x7FFF8000, which needs to be
acknowledged by writing 0x7FFF8000 again (or more or less whichever value it had in it). When
the register has the value 0x7FFF000 after any request, then the Channel seems to be dead.
#include <stdint.h>
typedef volatile uint32_t _DWORD;   // IDA's _DWORD; declared volatile here because the target is a memory-mapped register
#define __int16 short               // as in IDA's defs.h, so (unsigned __int16) casts compile

void WaitAndClearInterrupt(int aBank, int aCmdBufEntry)
{
  int Offset; // r0@1
  int Bit; // r2@1

  Offset = ((aBank & 3) << 0x10) + 0x20380000;   // register block of bank 0..3 (bank stride 0x10000)
  Bit = 1 << aCmdBufEntry;                        // flag bit for this command buffer entry
  while ( !(Bit & (*(_DWORD *)(Offset + 0xC) >> 0x10)) )   // spin until the entry's upper-half flag in the status register (+0xC) is set
    ;
  if ( (unsigned __int16)*(_DWORD *)(Offset + 0xC) & (unsigned __int16)Bit )   // entry's lower-half flag set?
    *(_DWORD *)(Offset + 0xC) = *(_DWORD *)(Offset + 0xC) & 0xFFFF0000 | (unsigned __int16)Bit;   // acknowledge it by writing that flag back, upper half unchanged
}
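To make the status-register protocol described above concrete, here is an added example that is not code from the thread or from the firmware: it models the four banks' status registers as a small array and reimplements the wait-and-acknowledge routine against that model. The register layout is an assumption built only from the observations in the thread, not from a datasheet: the upper 16 bits are treated as per-entry ready flags (0xFFFF0000 meaning all idle), the lower 16 bits as per-entry pending flags that are write-1-to-clear, with writes to the upper half ignored. The bank stride, the flag semantics and the names reg_read, reg_write, model_set_status and model_get_status are invented for the model. The one deliberate change from the decompiled routine is a bounded poll, so a channel that never reports ready returns a timeout that the caller can log instead of hanging the firmware.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the four channel banks the thread describes. On the controller
 * bank n's registers are assumed at 0x20380000 + (n << 16) with the status register at
 * +0xC; here the four status registers are a plain array so the logic runs on a PC, and
 * reg_read/reg_write stand in for the MMIO load and store. */
static uint32_t g_status[4];

/* Assumed register semantics (from the thread's observations, not a datasheet):
 * bits 31..16 = per-entry "ready" flags (0xFFFF0000 == everything idle/ok),
 * bits 15..0  = per-entry "pending" flags, acknowledged by writing the flag back
 *               (modelled as write-1-to-clear; writes to the upper half are ignored). */
uint32_t reg_read(int bank) { return g_status[bank & 3]; }
void reg_write(int bank, uint32_t v) { g_status[bank & 3] &= ~(v & 0xFFFFu); }

typedef enum {
    IRQ_ACKED,    /* ready flag seen, pending flag was set and has been acknowledged */
    IRQ_NONE,     /* ready flag seen, nothing pending for this entry */
    IRQ_TIMEOUT   /* ready flag never came up within max_polls: treat the channel as dead */
} irq_result_t;

irq_result_t wait_and_clear_interrupt(int bank, int entry, unsigned max_polls)
{
    uint32_t bit = 1u << (entry & 15);
    unsigned polls;

    /* Bounded poll instead of the unbounded while(...) of the decompiled routine, so a
     * channel that never reports ready yields a diagnosable error rather than a hang. */
    for (polls = 0; polls < max_polls; polls++)
        if ((reg_read(bank) >> 16) & bit)
            break;
    if (polls == max_polls)
        return IRQ_TIMEOUT;

    if ((reg_read(bank) & 0xFFFFu) & bit) {
        /* Same value the original writes back: upper half unchanged, lower half holding
         * only this entry's flag, so other entries' pending flags are left alone. */
        reg_write(bank, (reg_read(bank) & 0xFFFF0000u) | bit);
        return IRQ_ACKED;
    }
    return IRQ_NONE;
}

/* Test hooks for the model: preset and inspect a bank's status register. */
void model_set_status(int bank, uint32_t v) { g_status[bank & 3] = v; }
uint32_t model_get_status(int bank) { return g_status[bank & 3]; }

int main(void)
{
    model_set_status(1, 0xFFFF8001u);   /* constructed: entries 0 and 15 pending, all ready */
    irq_result_t r = wait_and_clear_interrupt(1, 15, 1000);
    printf("bank1: result=%d status=0x%08X\n", (int)r, (unsigned)model_get_status(1));

    model_set_status(2, 0x7FFF0000u);   /* constructed: entry 15 never becomes ready */
    r = wait_and_clear_interrupt(2, 15, 1000);
    printf("bank2: result=%d (%d == timeout)\n", (int)r, (int)IRQ_TIMEOUT);
    return 0;
}
```

With the write-1-to-clear model, acknowledging entry 15 on a register reading 0xFFFF8001 leaves 0xFFFF0001: entry 0 stays pending for whoever owns it. That is the property the original's `& 0xFFFF0000 | Bit` preserves, and it is the thing to check first if two command buffer entries ever appear to lose each other's completions.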