[libst2205] HighBox Apache 2.4" hack problems
January 10, 2014 06:11AM
Hi,
I'm trying to hack a new DPF. It's a HighBox Apache 2.4".
It looks like Perl one, but is was a different different.

Hardware detection
user@ubuntu:~/st2205u/libst2205$ dmesg
(...)
[3261252.416745] usb 2-1.2: new full-speed USB device number 45 using ehci-pci
[3261252.510865] usb 2-1.2: New USB device found, idVendor=1403, idProduct=0001
[3261252.510869] usb 2-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[3261252.510872] usb 2-1.2: Product: Flash Disk      
[3261252.510874] usb 2-1.2: Manufacturer: USB     
[3261252.511246] scsi6 : usb-storage 2-1.2:1.0
[3261253.510902] scsi 6:0:0:0: Direct-Access     SITRONIX MULTIMEDIA       0.09 PQ: 0 ANSI: 0 CCS
[3261253.511452] sd 6:0:0:0: Attached scsi generic sg2 type 0
[3261253.514525] sd 6:0:0:0: [sdb] 4096 512-byte logical blocks: (2.09 MB/2.00 MiB)
[3261253.515781] sd 6:0:0:0: [sdb] Write Protect is off
[3261253.515785] sd 6:0:0:0: [sdb] Mode Sense: 0b 00 00 08
[3261253.516764] sd 6:0:0:0: [sdb] No Caching mode page found
[3261253.516767] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[3261253.519760] sd 6:0:0:0: [sdb] No Caching mode page found
[3261253.519763] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[3261253.540772]  sdb: unknown partition table
[3261253.545806] sd 6:0:0:0: [sdb] No Caching mode page found
[3261253.545810] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[3261253.545813] sd 6:0:0:0: [sdb] Attached SCSI removable disk

user@ubuntu:~/st2205u/libst2205$ lsusb
(...)
Bus 002 Device 004: ID 1403:0001 Sitronix Digital Photo Frame

Software detection
I'm using last version of libst2205, from GitHub.
I have to modify main.c, inspired by Picframe Wiki , to bypass "cmd 1" error.
user@ubuntu:~/st2205u/libst2205$ ./phack -m "baks r ok" /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
Message written.

I think I have a problem with bpp calculation...
Maybe I'll check this later.
//get image size
sendcmd(f,CMD_GET_PIC_INFO,0,0,0);
read_data(f,buff,0x200);
int xsize = (buff[0]<<8)+buff[1];
int ysize = (buff[2]<<8)+buff[3];
int bpp = buff[4]+0x80;
printf("Xres: %i, Yres%i, bpp: %i\n",xsize,ysize,bpp);

Curiously, phack reports 1.5Mb of memory, but dmesg indicates 2Mb.
//get memory size
buff=malloc_aligned(0x10000);
sendcmd(f,1,0,0,0);
read_data(f,buff,0x200);
flash_size=(buff[0]*128*1024)/512;
printf("Found device with %i kb memory\n",flash_size);

Extracting Firmware
I have tried to extract firmware as a 1.5Mb device, replacing
for (x=((2048-64)/32); x<(2048/32); x++)
With
flash_size=(buff[0]*128*1024)/512;
for (x=((flash_size-64)/32); x<(flash_size/32); x++)

I got nothing (extracted firmware contains only 0xFF).
So, I revert this change back, considering my device really have 2Mb.
Now, I can extract the firmware correctly.
user@ubuntu:~/st2205u/libst2205$ ./phack -d memimage.bin /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
..............................................................
Memory dumped.

user@ubuntu:~/st2205u/libst2205$ ./phack -df fwimage.bin /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
..
Firmware dumped.

Hacking Firmware
user@ubuntu:~/st2205u/libst2205$ perl ./generate-hack.pl /dev/sdb hack/m_apache

The script ends with
(...)
Warning! multiple matches (2) - will use the first one after SEND_CSW location

Guessing CTRTYPE...
Eeek! expected single match but found 0 - dont know what to do!

So, I'm using generate-hack.pl source code, and newhack.txt for hack it manually.
I found everything except CTRTYPE.

I have created this spec file, using first SEND_CSW found and leaving CTRTYPE to 0.
I will change it to 1 later if needed.
;Spec-file for Apache.
;Please keep the way the adresses are entered ($ to indicate a hex number,
;adresses in 4 digits) intact or the hackfw.sh script won't work anymore.
;Adresses here refer to file-adresses; in runtime these are loaded $4000
;bytes higher but that's accounted for in the hack-code itself.

CMP_VAR1=$037A
CMP_VAR2=$037B
PATCH_AT=$2D93
EMPTY_AT=$2F38
SEND_CSW=$2C5B
LEN0=$36C
LEN1=$36D
LEN2=$36E
LEN3=$36F
CONF_XRES=320
CONF_YRES=240
CONF_BPP=24
CONF_PROTO=0

CTRTYPE=0 ;PCF8833
OFFX=4
OFFY=4

Flashing hacked Firmware
Finally, I'm trying to flash this new firmware.
Everything works correctly (no error), but the firware seems to not be flashed :
setpic ends with
Unable to get parm_block
Open failed!

I dump the firmware and the entire memory again
user@ubuntu:~/st2205u/libst2205$ ./phack -d memimage_new.bin /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
..............................................................
Memory dumped.

user@ubuntu:~/st2205u/libst2205$ ./phack -df fwimage_new.bin /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
..
Firmware dumped.

New firmware and original one are identical.
It suggests that flash doesn't works.

But, searching "H4CK" sequence in memimage_new.bin give me 2 locations.

For now, I'm stuck here... I don't know what to do...
Re: [libst2205] HighBox Apache 2.4" hack problems
January 10, 2014 01:22PM
Quote
BMD_Online
But, searching "H4CK" sequence in memimage_new.bin
give me 2 locations.

Searching "H4CK" in memimage_new.bin gives me these two positions :
0x23001
0x123001

I have tried to split my image into two files :
first one from start to 0x0FFFFF
second one from 0x100000 to the end.

They are excatly the same... except the end :
- First one contains 64k firmware.
- Second one is smallest from 64k.

It seems that I have a crappy DPF memory, with only 1Mb, but displaying more.

If I update phack to use 1Mb instead of 2Mb...
        flash_size = 1024;
(...)
        for (x=((flash_size-64)/32); x<(flash_size/32); x++) {

... I can extract memory and firmware correctly, but It changes nothing when flashing.

I will continue my investigations.
Re: [libst2205] HighBox Apache 2.4" hack problems
January 11, 2014 09:53AM
News from today :
I confirm my device have only 1Mb (nothing is specified on the box).

Using patched phack (forcing flash_size = 1024) :
- I can flash memory correctly, but firmware flash doesn't works.

I'm trying several methods inspired from picframe wiki.
Then it extract entire memory and analyse it.

Flashing fw using original method
I have corrected sendcmd(f,2,x|0x80000000,0x8000,0); instruction.
for (x=0; x<2; x++) {
    sendcmd(f,3,x|0x80000000,0x8000,0);
    y=read(o,buff,0x8000);
    write_data(f,buff,0x8000);
    sendcmd(f,2,x|0x80000000,0x8000,0); //sendcmd(f,2|0x80000000,x,0x8000,0);
    read_data(f,buff,0x200);
    sendcmd(f,3,x|0x1f40,0x8000,0);
    write_data(f,buff,0x8000);
    if (y!=0x8000) {
        printf("Premature file end. Hope everything still works OK.\n");
        x=9999;
    }
    fprintf(stderr,".");
}
The firmware is written in memory, from position 0x20000 to 0x2FFFF.
The real firmware isn't updated.

I have tried a variant :
- I remove sendcmd(f,3,x|0x1f40,0x8000,0); instruction.
- And I add sendcmd(f,21,0x42494F53,0x55504458,0); // BIOSUPDX at the end, after the loop.

Results are same as above.

Flashing fw using alternate method
for (x=0; x<2; x++) {
    sendcmd(f,3,x|0x80000000,0x8000,0); //get ready for writting at 0x80000000 or 0x80000001
    y=read(o,buff,0x8000);
    write_data(f,buff,0x8000); //write data
    sendcmd(f,2,x|0x80000000,0x8000,0); //buffer at '''0x80000000''' is ready
    //sendcmd(f,0,0x8000XX,0x04008300,0x2a040083); //x=0 XX=2B x=1 XX=10 ...probably arg1,arg2,arg3 means nothing
    if (x==0)  {
        sendcmd(f,0,0x80002B,0x04008300,0x2a040083); //x=0
    } else {
        sendcmd(f,0,0x800010,0x04008300,0x2a040083); //x=1
    }
    sendcmd(f,3,x|0x80000000,0x8000,0); //dot it again.... on '''0x80000000'''
    write_data(f,buff,0x8000);
    if (y!=0x8000) {
    printf("Premature file end. Hope everything still works OK.\n");
    x=9999;
    }
    fprintf(stderr,".");
}

Same result here, but flash takes more time than first method :
The firmware is written in memory, from position 0x20000 to 0x2FFFF.
The real firmware isn't updated.

Update mode
I have tried to reset my device, pressing one or several buttons.
When I press menu during reset, a screen with a lot of ascii characters appears.
Then, buttons have no effect.

I have tried to flash here, but no changes.


What position 0x20000 to 0x2FFFF means ?
Is it possible that firmware is read-only ?
Can I try another method for flashing ?
Re: [libst2205] HighBox Apache 2.4" hack problems
January 13, 2014 06:06AM
I give up : I will return this DPF and will buy another one.
PePa
Re: [libst2205] HighBox Apache 2.4" hack problems
November 09, 2014 09:18PM
Reporting here because I also get "unable to get parm_block" after a ./generate-hack.pl (strange thing is, my device is a TOM-TEC keychain from before 2008, but it has the same issue in reporting it has 2MB, while it only has one, it's an AMIC A29L800ATV-70F). I am guessing the generate-hack doesn't quite work for this one.
Author:

Your Email:


Subject:


Spam prevention:
Please, enter the code that you see below in the input field. This is for blocking bots that try to post this form automatically. If the code is hard to read, then just try to guess it right. If you enter the wrong code, a new image is created and you get another chance to enter it right.
Message: