DVI 3000 Information

JTAG on DVI3000.

haute
Junior Member
Posts: 80
Joined: Mon Jan 09, 2006 9:31 am

DVI 3000 Information

Post by haute »

Hello. Examining several flash dumps from these decoders, I have been able to reach this conclusion about the structure of the flash.

Test:
Name=DVI3000
Memory=Ram,0,0x80000000,0x1000000
Memory=Code,1,0x9FC00000,0x400000,0x20000
Memory=Boot,1,0x9FC00000,0x1DC00
Memory=Ua,1,0x9FC1DC00,0x2400
Memory=NVRAM,0,0x1F000000,0x40000
Memory=Sys,0,0xFFFE0000,0x8000
Programram=0x80100000
Endian=Little
IRLength=5
Init=0xfffe072c,0
Protocol=EJTAG
DMA=Yes
ProbTrap=1

The firmware starts at 0x9fc20000. The company normally changes the firmware version every so often, and I have currently verified that it is possible to write the firmware with the usbjtag.
But what matters is being able to change the data in the Ua zone, which is where the MAC and the UA that identifies each decoder are stored. The UA would be like the MAC of the modems. And currently it is not possible to write in this range of the flash memory, nor in the Boot range.
They don't change the boot; it is always the same. As far as I know there are two versions of the boot, 03.05 and 03.06. Of firmware versions there are loads of them, but there is one that comes from the factory with the unactivated decoders, version 0.00, which is a curious thing.
Let's see if usbdm could somehow modify the software to be able to program this range; this would not be as complicated as creating a tool to modify the nvram of these decoders, which would be a much more laborious thing.
It would also be necessary to disassemble the boot, because it can probably be accessed via ethernet somehow. If anyone knows anything, please say so.
If anyone could translate this message into English so that usbdm and more people can understand it, that would be better.
Greetings to all and Happy Holidays....
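As an added example (not the forum's or usbjtag's code), the following script parses the "Test:" memory-map block quoted above and checks the regions against each other. The field meanings (name, flash flag, base, size, optional block size) are an assumption read from the values themselves; the firmware start address 0x9fc20000 is the one stated in the post.

```python
"""Parse the DVI3000 JTAG memory-map block and cross-check its regions.
Added example; the field layout Name,flag,base,size[,block] is assumed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed copy of the "Test:" block quoted in the post.
MEMORY_MAP = """\
Name=DVI3000
Memory=Ram,0,0x80000000,0x1000000
Memory=Code,1,0x9FC00000,0x400000,0x20000
Memory=Boot,1,0x9FC00000,0x1DC00
Memory=Ua,1,0x9FC1DC00,0x2400
Memory=NVRAM,0,0x1F000000,0x40000
Memory=Sys,0,0xFFFE0000,0x8000
Programram=0x80100000
Endian=Little
IRLength=5
"""

FIRMWARE_START = 0x9FC20000  # stated in the post: "the firmware starts at 0x9fc20000"


@dataclass(frozen=True)
class Region:
    name: str
    flash: int                  # assumption: 1 = flash, 0 = RAM / other
    base: int
    size: int
    block: Optional[int] = None  # assumption: erase/program block size when present

    @property
    def end(self) -> int:
        return self.base + self.size

    def contains(self, other: "Region") -> bool:
        return self.base <= other.base and other.end <= self.end


LINE_RE = re.compile(
    r"Memory=(\w+),(\d),(0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)(?:,(0x[0-9A-Fa-f]+))?$"
)


def parse_memory_map(text: str) -> Dict[str, Region]:
    """Return the Memory= entries keyed by region name; other keys are ignored."""
    regions: Dict[str, Region] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, flag, base, size, block = m.groups()
        regions[name] = Region(name, int(flag), int(base, 16), int(size, 16),
                               int(block, 16) if block else None)
    return regions


def check_layout(regions: Dict[str, Region], firmware_start: int = FIRMWARE_START) -> dict:
    """Consistency checks a practitioner would run before touching the flash:
    Boot and Ua must be adjacent, end exactly where the firmware starts,
    sit inside Code, and together fill exactly one program block."""
    code, boot, ua = regions["Code"], regions["Boot"], regions["Ua"]
    return {
        "boot_then_ua": boot.end == ua.base,
        "ua_then_firmware": ua.end == firmware_start,
        "protected_inside_code": code.contains(boot) and code.contains(ua),
        "protected_is_one_block": (ua.end - boot.base) == code.block,
        "firmware_blocks": (code.end - firmware_start) // code.block,
    }


if __name__ == "__main__":
    for key, value in check_layout(parse_memory_map(MEMORY_MAP)).items():
        print(f"{key}: {value}")
```

The result shows that Boot (0x1DC00 bytes) plus Ua (0x2400 bytes) is exactly 0x20000 bytes, i.e. the first program block of the Code region, and that the remaining firmware area is 31 such blocks; that matches the "000000 to 20000" range discussed later in the thread.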
dagra82
Junior Member
Posts: 108
Joined: Fri Apr 07, 2006 1:27 pm

Post by dagra82 »

Hello, have you been able to read the whole firmware? Haven't you had problems with the watchdog (the flash's guard dog)?
dagra82
Junior Member
Posts: 108
Joined: Fri Apr 07, 2006 1:27 pm

Post by dagra82 »

Hi. Examining several flash dumps from these Dvi3000s, I have been able to reach this conclusion about the structure of the flash.

Test:
Name=DVI3000
Memory=Ram,0,0x80000000,0x1000000
Memory=Code,1,0x9FC00000,0x400000,0x20000
Memory=Boot,1,0x9FC00000,0x1DC00
Memory=Ua,1,0x9FC1DC00,0x2400
Memory=NVRAM,0,0x1F000000,0x40000
Memory=Sys,0,0xFFFE0000,0x8000
Programram=0x80100000
Endian=Little
IRLength=5
Init=0xfffe072c,0
Protocol=EJTAG
DMA=Yes
ProbTrap=1



The firmware begins at 0x9fc20000. Normally the manufacturer changes the version of the firmware every so often, and at present I have verified that it is possible to write the firmware with the usbjtag.
But what is of interest is being able to change the data of the Ua zone, which is where the Mac and the UA that identifies each decoder are. The UA would be like the Mac of the modems. And at present it is not possible to write in this range of the flash memory, nor in that of the Boot.
The boot doesn't change; it is always the same. As far as I know there are two versions of the boot, 03.05 and 03.06. Of firmware versions there are loads of them, but there is one that comes from manufacturing with the dvi3000 without activating, which is version 0.00, a curious thing.
Let's see if usbdm can modify the software in some way to program this range; this would not be as complicated as creating a tool to modify the nvram of these decoders, which would be a much more laborious thing.
It would also be necessary to disassemble the boot, because surely the decoder can be accessed by ethernet in some way. If somebody knows something, please say it.
If somebody can translate this message into English so that usbdm and more people understand it, that would be better.
Greetings to all and happy holidays.
haute
Junior Member
Posts: 80
Joined: Mon Jan 09, 2006 9:31 am

Post by haute »

Reading it has never been the problem, with either the blackcat or the usbjtag.

But only with the usbjtag have I managed to change the firmware for another version, and I cannot do it with the boot or with the zone where the Ua is.

I would like to make a request: has anyone managed to do anything via ethernet, and how, or also via a serial cable, and what would its connector on the motherboard and the 4 pins be?

Regards...
tasss
Junior Member
Posts: 4
Joined: Fri Sep 29, 2006 1:43 am

Post by tasss »

How's it going, mate? Could you send me the connection diagram to use it with the blackcat or usbjtag?

Regards....
haute
Junior Member
Posts: 80
Joined: Mon Jan 09, 2006 9:31 am

Post by haute »

In this same forum, in the thread "DVI3000 forum created", you have the decoder's pins and where to connect them, both for the blackcat and for the usbjtag.
usbbdm
Junior Member
Posts: 8994
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

I used a script and I can stop the CPU at BFC007B8, but the watchdog triggers the CPU after about 10-20 seconds. So it is for sure a hardware watchdog.
haute
Junior Member
Posts: 80
Joined: Mon Jan 09, 2006 9:31 am

we have 10-20 seconds to program.

Post by haute »

I have been able to program the firmware in blocks of 20000 bytes before the watchdog stopped it.
I think it is possible to program the boot (1DC00 length) and the UA block (2400 length).
Can you activate writing in that range of memory? (000000 to 20000).
usbbdm
Junior Member
Posts: 8994
Joined: Mon Jul 18, 2005 9:33 pm

Re: we have 10-20 seconds to program.

Post by usbbdm »

haute wrote: I have been able to program the firmware in blocks of 20000 bytes before the watchdog stopped it.
I think it is possible to program the boot (1DC00 length) and the UA block (2400 length).
Can you activate writing in that range of memory? (000000 to 20000).
The boot block is protected on purpose. If we change the chip select we should be able to write the boot block.
Good idea to program in blocks. I will have a try.
haute
Junior Member
Posts: 80
Joined: Mon Jan 09, 2006 9:31 am

Post by haute »

You mean that the flash memory has an internal fuse, and that it is no longer possible to write in that zone of the flash?
And the only possibility of changing the UA would be changing the flash chip?
haute
Junior Member
Posts: 80
Joined: Mon Jan 09, 2006 9:31 am

Special Firmware

Post by haute »

Hello, I have a special firmware; if you examine it, you can see this special function to change the UA, for example.
The firmware is only 90.000 bytes; it is possible to upload it to flash in 5 blocks of 20.000 bytes.
Offset 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

00546304 00 00 00 FF 50 52 4F 47 52 41 4D 20 50 52 4F 54 ...?PROGRAM PROT
00546320 45 43 54 45 44 20 46 4C 41 53 48 00 50 72 6F 67 ECTED FLASH.Prog
00546336 72 61 6D 20 55 6E 69 74 20 41 64 64 72 65 73 73 ram Unit Address
00546352 3A 00 00 00 44 61 74 61 20 69 6E 20 44 65 63 69 :...Data in Deci
00546368 6D 61 6C 20 66 6F 72 6D 61 74 20 28 33 20 64 69 mal format (3 di
00546384 67 69 74 73 20 70 65 72 29 00 00 00 45 58 3A 20 gits per)...EX:
00546400 30 30 30 30 31 37 32 35 35 30 30 31 31 32 30 00 000017255001120.
00546416 45 4E 53 55 52 45 20 50 52 4F 54 45 43 54 45 44 ENSURE PROTECTED
00546432 20 46 4C 41 53 48 20 50 49 4E 20 49 53 20 48 49 FLASH PIN IS HI
00546448 47 48 00 00 3E 20 00 00 46 61 69 6C 65 64 20 50 GH..> ..Failed P
00546464 72 6F 67 72 61 6D 6D 69 6E 67 21 00 4F 4B 20 55 rogramming!.OK U
00546480 41 20 69 6E 20 46 6C 61 73 68 20 3D 20 00 00 00 A in Flash = ...
00546496 25 30 32 78 00 00 00 00 74 45 73 74 00 00 00 00 %02x....tEst....
00546512 4E 4F 54 20 31 35 20 44 49 47 49 54 53 21 00 00 NOT 15 DIGITS!..

I think it has a serial port. Can it be activated?

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

000A68A0 F0 DF 00 80 10 E0 00 80 84 DF 00 80 44 75 6D 70 ??.?.?.???.?Dump
000A68B0 20 74 6F 20 53 65 72 69 61 6C 20 50 6F 72 74 20 to Serial Port
000A68C0 20 20 20 00 43 68 61 6E 67 65 20 53 74 61 72 74 .Change Start
000A68D0 20 41 64 64 72 65 73 73 20 20 20 00 43 68 61 6E Address .Chan
000A68E0 67 65 20 42 79 74 65 20 20 20 20 20 20 20 20 20 ge Byte
000A68F0 20 20 20 00 50 72 6F 67 72 61 6D 20 50 72 6F 74 .Program Prot
000A6900 65 63 74 65 64 20 46 6C 61 73 68 00 46 69 6C 6C ected Flash.Fill
000A6910 20 52 65 67 69 6F 6E 20 20 20 20 20 20 20 20 20 Region
000A6920 20 20 20 00 43 6F 70 79 20 52 65 67 69 6F 6E 20 .Copy Region
000A6930 20 20 20 20 20 20 20 20 20 20 20 00 43 6F 6D 6D .Comm
000A6940 61 6E 64 20 4C 69 6E 65 20 20 20 20 20 20 20 20 and Line
000A6950 20 20 20 00 44 69 73 70 6C 61 79 20 4D 6F 64 65 .Display Mode
000A6960 20 20 20 20 20 20 20 20 20 20 20 00 4E 4F 52 4D .NORM
000A6970 41 4C 20 00 43 20 53 54 59 4C 45 00 55 43 48 41 AL .C STYLE.UCHA
000A6980 52 00 00 00 55 57 4F 52 44 00 00 00 55 4C 4F 4E R...UWORD...ULON
000A6990 47 00 00 00 73 74 61 72 74 00 00 00 63 6F 70 79 G...start...copy
000A69A0 00 00 00 00 66 69 6C 6C 00 00 00 00 62 79 74 65 ....fill....byte
000A69B0 00 00 00 00 64 75 6D 70 00 00 00 00 70 72 6F 67 ....dump....prog
000A69C0 72 61 6D 00 6D 6F 64 65 00 00 00 00 4E 4F 20 41 ram.mode....NO A
000A69D0 53 43 49 49 00 00 00 00 41 53 43 49 49 20 20 20 SCII....ASCII
000A69E0 00 00 00 00 25 30 38 58 00 00 00 00 25 73 00 00 ....%08X....%s..
000A69F0 2A 2A 2A 2A 2A 2A 2A 2A 00 00 00 00 25 30 32 58 ********....%02X
000A6A00 3A 25 73 20 25 73 20 25 73 20 25 73 00 00 00 00 :%s %s %s %s....
000A6A10 2A 2A 2A 2A 00 00 00 00 25 30 32 58 3A 25 73 20 ****....%02X:%s
000A6A20 25 73 20 7C 20 25 73 25 73 20 20 20 20 20 20 20 %s | %s%s
000A6A30 00 00 00 00 4D 45 4D 4F 52 59 20 44 45 42 55 47 ....MEMORY DEBUG
000A6A40 47 45 52 00 41 44 44 52 20 52 41 4E 47 45 3A 20 GER.ADDR RANGE:
000A6A50 25 30 38 58 3A 25 30 38 58 00 00 00 4D 4F 44 45 %08X:%08X...MODE
000A6A60 3A 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 :...
000A6A70 20 00 00 00 41 43 54 49 4F 4E 53 3A 00 00 00 00 ...ACTIONS:....
000A6A80 53 54 41 52 54 3A 20 30 78 00 00 00 41 64 64 72 START: 0x...Addr
000A6A90 65 73 73 3A 20 30 78 00 30 78 25 30 38 58 20 20 ess: 0x.0x%08X
000A6AA0 00 00 00 00 42 59 54 45 3A 20 30 78 00 00 00 00 ....BYTE: 0x....
000A6AB0 45 4E 44 3A 20 30 78 00 53 4F 55 52 43 45 20 53 END: 0x.SOURCE S
000A6AC0 54 41 52 54 3A 20 30 78 00 00 00 00 53 4F 55 52 TART: 0x....SOUR
000A6AD0 43 45 20 45 4E 44 3A 20 30 78 00 00 44 45 53 54 CE END: 0x..DEST
000A6AE0 20 41 44 44 52 3A 20 30 78 00 00 00 65 78 69 74 ADDR: 0x...exit
000A6AF0 00 00 00 00 20 00 00 00 20 20 20 20 20 20 20 20 .... ...


but I cannot find the communication port
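The two listings above are hex dumps (offset, sixteen bytes, then a lossy ASCII column) and the strings they contain are the menu of an embedded memory debugger. As an added example (not the poster's or the firmware's code), the following script rebuilds the bytes from dump lines of that shape and extracts NUL-terminated printable strings with their offsets, the way `strings` would, so the audit does not depend on the ASCII column. The sample input is a constructed copy of a few lines from the second listing; the first listing uses decimal offsets, which the `offset_base=10` parameter handles.

```python
"""Rebuild bytes from hex-dump lines and list the printable strings in them.
Added example for auditing firmware dumps; the input is constructed from
lines quoted in the post."""
import re
from typing import List, Tuple

# Constructed sample: lines copied from the memory-debugger dump in the post
# (hex offsets, 16 bytes per line, ASCII column on the right).
SAMPLE_DUMP = """\
000A68F0 20 20 20 00 50 72 6F 67 72 61 6D 20 50 72 6F 74 .Program Prot
000A6900 65 63 74 65 64 20 46 6C 61 73 68 00 46 69 6C 6C ected Flash.Fill
000A6910 20 52 65 67 69 6F 6E 20 20 20 20 20 20 20 20 20 Region
000A6920 20 20 20 00 43 6F 70 79 20 52 65 67 69 6F 6E 20 .Copy Region
000A6A30 00 00 00 00 4D 45 4D 4F 52 59 20 44 45 42 55 47 ....MEMORY DEBUG
000A6A40 47 45 52 00 41 44 44 52 20 52 41 4E 47 45 3A 20 GER.ADDR RANGE:
000A6A50 25 30 38 58 3A 25 30 38 58 00 00 00 4D 4F 44 45 %08X:%08X...MODE
000A6A60 3A 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 :...
"""

# Offset, then exactly sixteen hex byte pairs; the ASCII column is not captured.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})((?:\s+[0-9A-Fa-f]{2}){16})")


def decode_dump(text: str, offset_base: int = 16) -> List[Tuple[int, bytes]]:
    """Return contiguous runs of (start_offset, bytes). Lines whose offset
    follows directly on the previous line are merged; a gap starts a new run.
    Use offset_base=10 for dumps whose offsets are decimal (header 0..15)."""
    runs: List[Tuple[int, bytearray]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or anything that is not a dump line
        off = int(m.group(1), offset_base)
        data = bytes.fromhex(m.group(2))
        if runs and runs[-1][0] + len(runs[-1][1]) == off:
            runs[-1][1].extend(data)
        else:
            runs.append((off, bytearray(data)))
    return [(off, bytes(buf)) for off, buf in runs]


def find_strings(runs: List[Tuple[int, bytes]], min_len: int = 4) -> List[Tuple[int, str]]:
    """Printable-ASCII sequences ended by NUL, a non-printable byte, or the end
    of the run. Padding blanks are stripped and the reported offset is that of
    the first non-blank character, so fixed-width menu entries come out clean."""
    found: List[Tuple[int, str]] = []
    for base, data in runs:
        start = None
        for i, b in enumerate(list(data) + [0]):  # trailing 0 closes the last string
            if 0x20 <= b <= 0x7E:
                if start is None:
                    start = i
            elif start is not None:
                raw = data[start:i].decode("ascii")
                text = raw.strip()
                if len(text) >= min_len:
                    lead = len(raw) - len(raw.lstrip())
                    found.append((base + start + lead, text))
                start = None
    return found


if __name__ == "__main__":
    for off, s in find_strings(decode_dump(SAMPLE_DUMP)):
        print(f"{off:08X}  {s}")
```

Run over the whole dump rather than the sample, the same two functions give an inventory of every cleartext string in the image; that is the check a firmware reviewer would run to find debug menus and other material that should not ship in a production build.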
haute
Junior Member
Posts: 80
Joined: Mon Jan 09, 2006 9:31 am

Ethernet connection dvi3000

Post by haute »

It is possible to communicate with the dvi3000 by ethernet.
The router assigns an IP to the decoder automatically by DHCP.

Login:agentsmith101

Password:v612qaY=dc7@42

DVi Telnet Server
Motorola Broadband Communications Sector, Inc.
Copyright 2002
All Rights Reserved

Connected to Unit: xx.xx.xx.xx.xx
Connected from IP: 192.168.1.2
Activity is logged


DVi>help

Invalid Command: help

DVi>dir

The login and the password can be seen in the firmware.

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

003A5FD0 64 20 43 6C 69 65 6E 74 20 4E 75 6D 20 25 64 2E d Client Num %d.
003A5FE0 20 49 50 3A 20 25 64 2E 25 64 2E 25 64 2E 25 64 IP: %d.%d.%d.%d
003A5FF0 0A 00 00 00 61 67 65 6E 74 73 6D 69 74 68 31 30 ....agentsmith10
003A6000 31 00 00 00 76 36 31 32 71 61 59 3D 64 63 37 40 1...v612qaY=dc7@
003A6010 34 32 00 00 0D 0A 0A 44 56 69 20 54 65 6C 6E 65 42.....DVi Telne


The telnet commands are deactivated, I suppose.
The telnet session does not respond to any command.

**** UPDATE ******
I discovered the telnet commands and the password that enables supervisor mode with the help of my friends.
cipher
Junior Member
Posts: 381
Joined: Fri Oct 28, 2005 8:43 am

Post by cipher »

Excellent discovery haute, you have revealed a significant security weakness in the code.
haute
Junior Member
Posts: 80
Joined: Mon Jan 09, 2006 9:31 am

Post by haute »

Yes, but I think it is much more important to discover the serial port, to change settings.
andornot
Junior Member
Posts: 32
Joined: Wed Nov 01, 2006 7:34 am

Post by andornot »

The same results on a dv* 3020

Memory Ram address ->0x00000000 length ->0x1000000


00536ca0 64 20 43 6C 69 65 6E 74 20 4E 75 6D 20 25 64 2E d Client Num %d.
00536cb0 20 49 50 3A 20 25 64 2E 25 64 2E 25 64 2E 25 64 IP: %d.%d.%d.%d
00536cc0 0A 00 00 00 61 67 65 6E 74 73 6D 69 74 68 31 30 ....agentsmith10
00536cd0 31 00 00 00 76 36 31 32 71 61 59 3D 64 63 37 40 1...v612qaY=dc7@
00536ce0 34 32 00 00 0D 0A 0A 44 56 69 20 54 65 6C 6E 65 42.....DVi Telne