[libst2205] HighBox Apache 2.4" hack problems

Hi,
I'm trying to hack a new DPF. It's a HighBox Apache 2.4".
It looks like Perl one, but is was a different different.

Hardware detection

user@ubuntu:~/st2205u/libst2205$ dmesg
(...)
[3261252.416745] usb 2-1.2: new full-speed USB device number 45 using ehci-pci
[3261252.510865] usb 2-1.2: New USB device found, idVendor=1403, idProduct=0001
[3261252.510869] usb 2-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[3261252.510872] usb 2-1.2: Product: Flash Disk      
[3261252.510874] usb 2-1.2: Manufacturer: USB     
[3261252.511246] scsi6 : usb-storage 2-1.2:1.0
[3261253.510902] scsi 6:0:0:0: Direct-Access     SITRONIX MULTIMEDIA       0.09 PQ: 0 ANSI: 0 CCS
[3261253.511452] sd 6:0:0:0: Attached scsi generic sg2 type 0
[3261253.514525] sd 6:0:0:0: [sdb] 4096 512-byte logical blocks: (2.09 MB/2.00 MiB)
[3261253.515781] sd 6:0:0:0: [sdb] Write Protect is off
[3261253.515785] sd 6:0:0:0: [sdb] Mode Sense: 0b 00 00 08
[3261253.516764] sd 6:0:0:0: [sdb] No Caching mode page found
[3261253.516767] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[3261253.519760] sd 6:0:0:0: [sdb] No Caching mode page found
[3261253.519763] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[3261253.540772]  sdb: unknown partition table
[3261253.545806] sd 6:0:0:0: [sdb] No Caching mode page found
[3261253.545810] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[3261253.545813] sd 6:0:0:0: [sdb] Attached SCSI removable disk

user@ubuntu:~/st2205u/libst2205$ lsusb
(...)
Bus 002 Device 004: ID 1403:0001 Sitronix Digital Photo Frame

Software detection
I'm using last version of libst2205, from GitHub.
I have to modify main.c, inspired by Picframe Wiki , to bypass "cmd 1" error.

user@ubuntu:~/st2205u/libst2205$ ./phack -m "baks r ok" /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
Message written.

I think I have a problem with bpp calculation...
Maybe I'll check this later.

//get image size
sendcmd(f,CMD_GET_PIC_INFO,0,0,0);
read_data(f,buff,0x200);
int xsize = (buff[0]<<8)+buff[1];
int ysize = (buff[2]<<8)+buff[3];
int bpp = buff[4]+0x80;
printf("Xres: %i, Yres%i, bpp: %i\n",xsize,ysize,bpp);

Curiously, phack reports 1.5Mb of memory, but dmesg indicates 2Mb.

//get memory size
buff=malloc_aligned(0x10000);
sendcmd(f,1,0,0,0);
read_data(f,buff,0x200);
flash_size=(buff[0]*128*1024)/512;
printf("Found device with %i kb memory\n",flash_size);

Extracting Firmware
I have tried to extract firmware as a 1.5Mb device, replacing

for (x=((2048-64)/32); x<(2048/32); x++)

With

flash_size=(buff[0]*128*1024)/512;
for (x=((flash_size-64)/32); x<(flash_size/32); x++)

I got nothing (extracted firmware contains only 0xFF).
So, I revert this change back, considering my device really have 2Mb.
Now, I can extract the firmware correctly.

user@ubuntu:~/st2205u/libst2205$ ./phack -d memimage.bin /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
..............................................................
Memory dumped.

user@ubuntu:~/st2205u/libst2205$ ./phack -df fwimage.bin /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
..
Firmware dumped.

Hacking Firmware

user@ubuntu:~/st2205u/libst2205$ perl ./generate-hack.pl /dev/sdb hack/m_apache

The script ends with

(...)
Warning! multiple matches (2) - will use the first one after SEND_CSW location

Guessing CTRTYPE...
Eeek! expected single match but found 0 - dont know what to do!

So, I'm using generate-hack.pl source code, and newhack.txt for hack it manually.
I found everything except CTRTYPE.

I have created this spec file, using first SEND_CSW found and leaving CTRTYPE to 0.
I will change it to 1 later if needed.

;Spec-file for Apache.
;Please keep the way the adresses are entered ($ to indicate a hex number,
;adresses in 4 digits) intact or the hackfw.sh script won't work anymore.
;Adresses here refer to file-adresses; in runtime these are loaded $4000
;bytes higher but that's accounted for in the hack-code itself.

CMP_VAR1=$037A
CMP_VAR2=$037B
PATCH_AT=$2D93
EMPTY_AT=$2F38
SEND_CSW=$2C5B
LEN0=$36C
LEN1=$36D
LEN2=$36E
LEN3=$36F
CONF_XRES=320
CONF_YRES=240
CONF_BPP=24
CONF_PROTO=0

CTRTYPE=0 ;PCF8833
OFFX=4
OFFY=4

Flashing hacked Firmware
Finally, I'm trying to flash this new firmware.
Everything works correctly (no error), but the firware seems to not be flashed :
setpic ends with

Unable to get parm_block
Open failed!

I dump the firmware and the entire memory again

user@ubuntu:~/st2205u/libst2205$ ./phack -d memimage_new.bin /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
..............................................................
Memory dumped.

user@ubuntu:~/st2205u/libst2205$ ./phack -df fwimage_new.bin /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
..
Firmware dumped.

New firmware and original one are identical.
It suggests that flash doesn't works.

But, searching "H4CK" sequence in memimage_new.bin give me 2 locations.

For now, I'm stuck here... I don't know what to do...

Quote
BMD_Online
But, searching "H4CK" sequence in memimage_new.bin
give me 2 locations.

Searching "H4CK" in memimage_new.bin gives me these two positions :
0x23001
0x123001

I have tried to split my image into two files :
first one from start to 0x0FFFFF
second one from 0x100000 to the end.

They are excatly the same... except the end :
- First one contains 64k firmware.
- Second one is smallest from 64k.

It seems that I have a crappy DPF memory, with only 1Mb, but displaying more.

If I update phack to use 1Mb instead of 2Mb...

        flash_size = 1024;
(...)
        for (x=((flash_size-64)/32); x<(flash_size/32); x++) {

... I can extract memory and firmware correctly, but It changes nothing when flashing.

I will continue my investigations.

News from today :
I confirm my device have only 1Mb (nothing is specified on the box).

Using patched phack (forcing flash_size = 1024) :
- I can flash memory correctly, but firmware flash doesn't works.

I'm trying several methods inspired from picframe wiki.
Then it extract entire memory and analyse it.

Flashing fw using original method
I have corrected sendcmd(f,2,x|0x80000000,0x8000,0); instruction.

for (x=0; x<2; x++) {
    sendcmd(f,3,x|0x80000000,0x8000,0);
    y=read(o,buff,0x8000);
    write_data(f,buff,0x8000);
    sendcmd(f,2,x|0x80000000,0x8000,0); //sendcmd(f,2|0x80000000,x,0x8000,0);
    read_data(f,buff,0x200);
    sendcmd(f,3,x|0x1f40,0x8000,0);
    write_data(f,buff,0x8000);
    if (y!=0x8000) {
        printf("Premature file end. Hope everything still works OK.\n");
        x=9999;
    }
    fprintf(stderr,".");
}

The firmware is written in memory, from position 0x20000 to 0x2FFFF.
The real firmware isn't updated.

I have tried a variant :
- I remove sendcmd(f,3,x|0x1f40,0x8000,0); instruction.
- And I add sendcmd(f,21,0x42494F53,0x55504458,0); // BIOSUPDX at the end, after the loop.

Results are same as above.

Flashing fw using alternate method

for (x=0; x<2; x++) {
    sendcmd(f,3,x|0x80000000,0x8000,0); //get ready for writting at 0x80000000 or 0x80000001
    y=read(o,buff,0x8000);
    write_data(f,buff,0x8000); //write data
    sendcmd(f,2,x|0x80000000,0x8000,0); //buffer at '''0x80000000''' is ready
    //sendcmd(f,0,0x8000XX,0x04008300,0x2a040083); //x=0 XX=2B x=1 XX=10 ...probably arg1,arg2,arg3 means nothing
    if (x==0)  {
        sendcmd(f,0,0x80002B,0x04008300,0x2a040083); //x=0
    } else {
        sendcmd(f,0,0x800010,0x04008300,0x2a040083); //x=1
    }
    sendcmd(f,3,x|0x80000000,0x8000,0); //dot it again.... on '''0x80000000'''
    write_data(f,buff,0x8000);
    if (y!=0x8000) {
    printf("Premature file end. Hope everything still works OK.\n");
    x=9999;
    }
    fprintf(stderr,".");
}

Same result here, but flash takes more time than first method :
The firmware is written in memory, from position 0x20000 to 0x2FFFF.
The real firmware isn't updated.

Update mode
I have tried to reset my device, pressing one or several buttons.
When I press menu during reset, a screen with a lot of ascii characters appears.
Then, buttons have no effect.

I have tried to flash here, but no changes.


What position 0x20000 to 0x2FFFF means ?
Is it possible that firmware is read-only ?
Can I try another method for flashing ?

I give up : I will return this DPF and will buy another one.

Reporting here because I also get "unable to get parm_block" after a ./generate-hack.pl (strange thing is, my device is a TOM-TEC keychain from before 2008, but it has the same issue in reporting it has 2MB, while it only has one, it's an AMIC A29L800ATV-70F). I am guessing the generate-hack doesn't quite work for this one.