1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Reading flash contents?

Discussion in 'HD/HDR-FOX T2 Customised Firmware' started by matbl, Apr 20, 2012.

  1. matbl

    matbl Member

    Hi

    Is it possible to read the flash contents from linux while the box is running? Or is the flash encrypted or otherwise blocked from reading?
     
  2. Ezra Pound

    Ezra Pound Well-Known Member

    There is some Flash info. inthe Wiki HERE
     
  3. af123

    af123 Administrator Staff Member

    You can use dd on the mtd devices to extract the contents. I haven't checked to see if you get something sensible out but can do later.
     
  4. matbl

    matbl Member

    af123:
    If possible, please do so I know if there's any point in trying to flash the uk firmware on a swedish box.
     
  5. xyz321

    xyz321 Well-Known Member

    Some time ago I used dd to copy from the kernel partition in the mtdblock device. It did match up with the kernel contents in the HDF file (except for the length).
     
  6. matbl

    matbl Member

    Can someone please check if the same is true for the cfe bootloader? On a HDR-FOX T2 if possible.
    It's probably possible to protect certain flash areas...
     
  7. xyz321

    xyz321 Well-Known Member

    The bootloader appears to be totally different.
     
  8. matbl

    matbl Member

    Different compared to what?
    And what data do you get? Do you get scrambled data or just zeros or just ones or what?
     
  9. af123

    af123 Administrator Staff Member

    On my HD model the CFE flash section seems to contain something similar to what was in the last update that included a bootloader upgrade but not identical.

    File from the last update HDF:

    Code:
    0f02 0010 0000 0000 6e02 0010 0000 0000  ........n.......
    9c02 0010 0000 0000 9a02 0010 0000 0000  ................
    9802 0010 0000 0000 9602 0010 0000 0000  ................
    9402 0010 0000 0000 9202 0010 0000 0000  ................
    9002 0010 0000 0000 8e02 0010 0000 0000  ................
    8c02 0010 0000 0000 8a02 0010 0000 0000  ................
    8802 0010 0000 0000 8602 0010 0000 0000  ................
    8402 0010 0000 0000 8202 0010 0000 0000  ................
    8002 0010 0000 0000 7e02 0010 0000 0000  ........~.......
    7c02 0010 0000 0000 7a02 0010 0000 0000  |.......z.......
    7802 0010 0000 0000 7602 0010 0000 0000  x.......v.......
    7402 0010 0000 0000 7202 0010 0000 0000  t.......r.......
    7002 0010 0000 0000 6e02 0010 0000 0000  p.......n.......
    6c02 0010 0000 0000 6a02 0010 0000 0000  l.......j.......
    6802 0010 0000 0000 6602 0010 0000 0000  h.......f.......
    6402 0010 0000 0000 6202 0010 0000 0000  d.......b.......
    6002 0010 0000 0000 5e02 0010 0000 0000  `.......^.......
    5c02 0010 0000 0000 5a02 0010 0000 0000  \.......Z.......
    5802 0010 0000 0000 5602 0010 0000 0000  X.......V.......
    5402 0010 0000 0000 5202 0010 0000 0000  T.......R.......
    5002 0010 0000 0000 4e02 0010 0000 0000  P.......N.......
    4c02 0010 0000 0000 4a02 0010 0000 0000  L.......J.......
    4802 0010 0000 0000 4602 0010 0000 0000  H.......F.......
    4402 0010 0000 0000 4202 0010 0000 0000  D.......B.......
    4002 0010 0000 0000 3e02 0010 0000 0000  @.......>.......
    3c02 0010 0000 0000 3a02 0010 0000 0000  <.......:.......
    3802 0010 0000 0000 3602 0010 0000 0000  8.......6.......
    3402 0010 0000 0000 3202 0010 0000 0000  4.......2.......
    3002 0010 0000 0000 2e02 0010 0000 0000  0...............
    2c02 0010 0000 0000 2a02 0010 0000 0000  ,.......*.......
    2802 0010 0000 0000 2602 0010 0000 0000  (.......&.......
    2402 0010 0000 0000 2202 0010 0000 0000  $.......".......
    2202 0010 0002 1a24 1e02 0010 0000 0000  "......$........
    
    and from the flash:

    Code:
    0000000: c0bf 0b3c 3008 6b35 0800 6001 0000 0000  ...<0.k5..`.....
    0000010: 2143 aaab 0000 0101 7502 0010 0000 0000  !C......u.......
    0000020: 7302 0010 0000 0000 7102 0010 0000 0000  s.......q.......
    0000030: 6f02 0010 0000 0000 6d02 0010 0000 0000  o.......m.......
    0000040: 6b02 0010 0000 0000 6902 0010 0000 0000  k.......i.......
    0000050: 6702 0010 0000 0000 6502 0010 0000 0000  g.......e.......
    0000060: 6302 0010 0000 0000 6102 0010 0000 0000  c.......a.......
    0000070: 5f02 0010 0000 0000 5d02 0010 0000 0000  _.......].......
    0000080: 5b02 0010 0000 0000 5902 0010 0000 0000  [.......Y.......
    0000090: 5702 0010 0000 0000 5502 0010 0000 0000  W.......U.......
    00000a0: 5302 0010 0000 0000 5102 0010 0000 0000  S.......Q.......
    00000b0: 4f02 0010 0000 0000 4d02 0010 0000 0000  O.......M.......
    00000c0: 4b02 0010 0000 0000 4902 0010 0000 0000  K.......I.......
    00000d0: 4702 0010 0000 0000 4502 0010 0000 0000  G.......E.......
    00000e0: 4302 0010 0000 0000 4102 0010 0000 0000  C.......A.......
    00000f0: 3f02 0010 0000 0000 3d02 0010 0000 0000  ?.......=.......
    0000100: 3b02 0010 0000 0000 3902 0010 0000 0000  ;.......9.......
    0000110: 3702 0010 0000 0000 3502 0010 0000 0000  7.......5.......
    0000120: 3302 0010 0000 0000 3102 0010 0000 0000  3.......1.......
    0000130: 2f02 0010 0000 0000 2d02 0010 0000 0000  /.......-.......
    0000140: 2b02 0010 0000 0000 2902 0010 0000 0000  +.......).......
    0000150: 2702 0010 0000 0000 2502 0010 0000 0000  '.......%.......
    0000160: 2302 0010 0000 0000 2102 0010 0000 0000  #.......!.......
    0000170: 1f02 0010 0000 0000 1d02 0010 0000 0000  ................
    
    No idea if that's of any use though.
     
  10. matbl

    matbl Member

    Strange.
    And yes, it's useful because it means that the flash isn't encrypted...
    Do you mind dumping the entire cfe bootloader to a file and publish it somewhere? Or email it to me or something?
    I thought you had a HDR by the way?
     
  11. Black Hole

    Black Hole Felonius Gru

    He got both!
     
  12. matbl

    matbl Member

    I need more data for anything useful since this is more or less only the interrupt vectors.
    A complete dump of the HDR loader from flash would be good...


    This is the beginning of both from what you quoted:

    From hdf:
    Code:
    ROM:00000000 .text # ROM
    ROM:00000000 b 0x840
    ROM:00000004 nop
    ROM:00000008 # ---------------------------------------------------------------------------
    ROM:00000008 b 0x9C4
    ROM:0000000C nop
    ROM:00000010 # ---------------------------------------------------------------------------
    ROM:00000010 b 0xA84
    ROM:00000014 nop
    ROM:00000018 # ---------------------------------------------------------------------------
    ROM:00000018 b 0xA84
    ROM:0000001C nop
    ROM:00000020 # ---------------------------------------------------------------------------
    ROM:00000020 b 0xA84
    ROM:00000024 nop
    ROM:00000028 # ---------------------------------------------------------------------------
    ROM:00000028 b 0xA84
    ROM:0000002C nop
    
    From flash:
    Code:
    ROM:00000000 # Segment type: Pure code
    ROM:00000000 .text # ROM
    ROM:00000000 li $t3, 0xBFC00830
    ROM:00000008 jr $t3
    ROM:0000000C nop
    ROM:00000010 # ---------------------------------------------------------------------------
    ROM:00000010 swl $t2, 0x4321($sp)
    ROM:00000014 sll $zero, $at, 0
    ROM:00000018 b 0x9F0
    ROM:0000001C nop
    ROM:00000020 # ---------------------------------------------------------------------------
    ROM:00000020 b 0x9F0
    ROM:00000024 nop
    ROM:00000028 # ---------------------------------------------------------------------------
    ROM:00000028 b 0x9F0
    ROM:0000002C nop
    
     
  13. af123

    af123 Administrator Staff Member

    As BH said, I have both but as far as I know Humax have never published a boot loader for the HDR which is why I looked at the HD. I'll upload it somewhere for you later tonight. It includes my device serial number and MAC address so I'll zero that area first.