Author Topic: New Firmware / New Features  (Read 59628 times)

0 Members and 1 Guest are viewing this topic.

Offline phatchicken

  • A few posts under my belt.
  • *
  • Posts: 19
New Firmware / New Features
« on: November 20, 2007, 08:09:55 pm »
I was wondering if there has been any work done to add support to currently unsupported head units, or if there has been any work done to add features to existing PhatBox firmwares.  For example, I have a PhatBox in my Volvo, and I use the Honda firmware.  It works great and I love it, but my head unit has a Pause button and the firmware does not appear to support this feature.:'(  I would like to change the firmware.pac file to add support for this.  Apparently, my Volvo's head unit uses the "Alpine M-Bus" changer protocol.

Any ideas or suggestions?

Offline VorTechS

  • Administrator
  • Veteran.
  • *****
  • Posts: 1678
  • PhatHack Media Manager & DMS Tools Wizard Author
Re: New Firmware / New Features
« Reply #1 on: November 20, 2007, 11:36:47 pm »
The firmware pac files is currently encrypted in a manner that we've not yet found out.  Until this happens, there's no way we can extend the PhatBox support.
Kenwood KDC-W7031 | Kenwood KHD-CX910 | 250GB DMS | PhatHack Media Manager v1.1.4 (Alpha) | VIOT

Catch me weekdays 8am-4pm GMT on IRC @ irc.freenode.net on channel #phathack (aka the chat link!!)

Offline phatchicken

  • A few posts under my belt.
  • *
  • Posts: 19
Re: New Firmware / New Features
« Reply #2 on: November 21, 2007, 04:52:53 am »
Is there any interest in doing so?  If yes, what is the progress of this effort?

Offline VorTechS

  • Administrator
  • Veteran.
  • *****
  • Posts: 1678
  • PhatHack Media Manager & DMS Tools Wizard Author
Re: New Firmware / New Features
« Reply #3 on: November 21, 2007, 07:36:41 am »
Yes there is interest in doing so.  AFAIK the progress is zilch, zero, nadda, not a lot.

If you've ever seen the 'bizarro_scramble' routine in the signing code (for SIG files) you'll understand why.  PhatNoise never really adopted standard encryption, which was probably a sensible thing.

Actually the issue might not be encryption - we just don't know what the format of the file is, or the protocols etc...

But if you think you can crack it.... we'd all be very happy if/when you do :)
« Last Edit: November 21, 2007, 08:45:33 am by VorTechS »
Kenwood KDC-W7031 | Kenwood KHD-CX910 | 250GB DMS | PhatHack Media Manager v1.1.4 (Alpha) | VIOT

Catch me weekdays 8am-4pm GMT on IRC @ irc.freenode.net on channel #phathack (aka the chat link!!)

Offline phatchicken

  • A few posts under my belt.
  • *
  • Posts: 19
Re: New Firmware / New Features
« Reply #4 on: November 21, 2007, 09:45:57 pm »
First, maybe we could compare different firmware.pac files to see if there are any similarities?

Second, we know that 8052 code is what runs on the microcontroller, so that is what the decrypted pac file should contain.

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: New Firmware / New Features
« Reply #5 on: November 21, 2007, 09:47:38 pm »
I haven't been able to get a disassembler to be able to read it...

Offline phatchicken

  • A few posts under my belt.
  • *
  • Posts: 19
Re: New Firmware / New Features
« Reply #6 on: November 21, 2007, 11:16:08 pm »
First, maybe we could compare different firmware.pac files to see if there are any similarities?

I took a look at the available firmwares and I decided to start with Audi, because it was the first one in the list.  I started with just the first portion of the Audi firmware.pac files.

Version 2.00:   39 50 02 0f fd 19 48 fb e4 93 07 c6 25 36 f2 84 88 4a 8c c5 ac 7b 25 0c 04 a3 4d 40 b5 23 a1 4b
Version 3.00:   39 50 02 0f fd 19 a0 fb e4 93 07 c6 25 36 f2 84 88 4a 8c c5 ac 7b 25 0c 04 a3 4d 40 b5 23 a1 4b
Version 4.00:   39 50 04 0f fd 19 88 6d fd a6 02 a5 98 99 fd 84 88 4a 8c c5 ac 7b 25 0c 04 a3 4d 40 b5 23 a1 4b
Version 4.01:   39 50 04 0f fd 19 88 6d fd a6 02 a5 98 99 fd 84 88 4a 8c c5 ac 7b 25 0c 04 a3 4d 40 b5 23 a1 4b
Version 5.01:   39 50 05 0f fd 1b 20 50 55 72 09 cf 33 e7 ef 84 88 4a 8c c5 ac 7b 25 0c 04 a3 4d 40 b5 23 a1 4b
Version 5.02:   39 50 05 0f fd 1b 40 0a 7c 0d 54 8d c8 76 7b 84 88 4a 8c c5 ac 7b 25 0c 04 a3 4d 40 b5 23 a1 4b
Version 6.00:   39 50 06 0f fd 1e d8 9a 36 e0 87 3e f3 67 6d 84 88 4a 8c c5 ac 7b 25 0c 04 a3 4d 40 b5 23 a1 4b
Version 7.00:   39 50 07 0f fd 21 e8 93 79 0c 10 91 cd 60 72 84 88 4a 8c c5 ac 7b 25 6f e6 4d 0b 60 20 45 a6 4b
Version 7.02:   39 50 07 0f fd 22 b0 93 79 0c 10 91 cd 60 72 84 88 4a 8c c5 ac 7b 25 6f e6 4d 0b 60 20 45 a6 4b


I noticed right off the bat that the third byte corresponds with the version number, and that there are several sequences that are the same.
« Last Edit: November 21, 2007, 11:17:45 pm by phatchicken »

Offline VorTechS

  • Administrator
  • Veteran.
  • *****
  • Posts: 1678
  • PhatHack Media Manager & DMS Tools Wizard Author
Firmware disassembled....?
« Reply #7 on: November 22, 2007, 07:59:33 am »
Okay, I tried something really really stupid, completely random which leaves me to claim that I got it 'disassembled'. 
Or at least, I got an 8052 disassembler to generate something.

Perhaps this means something to you 'low level' guys?

Disassembled Kenwood Firmware

This is the Kenwood 13.01 firmware file.

To disassemble:

Copy firmware.pac to firmware.bin

Run this command line disassembler: 8052 Disassembler using the following command line:

d52 firmware -b

It'll then generate firmware.d52 which is just a text file.
« Last Edit: November 22, 2007, 08:32:13 am by VorTechS »
Kenwood KDC-W7031 | Kenwood KHD-CX910 | 250GB DMS | PhatHack Media Manager v1.1.4 (Alpha) | VIOT

Catch me weekdays 8am-4pm GMT on IRC @ irc.freenode.net on channel #phathack (aka the chat link!!)

Offline VorTechS

  • Administrator
  • Veteran.
  • *****
  • Posts: 1678
  • PhatHack Media Manager & DMS Tools Wizard Author
Re: New Firmware / New Features
« Reply #8 on: November 22, 2007, 08:46:16 am »
I also tried 6 other firmware.pac files for other head units and they all disassembled without error.

To be sure the disassembler wasn't just making stuff up, I tried disassembling random files and got a bunch of errors.
Kenwood KDC-W7031 | Kenwood KHD-CX910 | 250GB DMS | PhatHack Media Manager v1.1.4 (Alpha) | VIOT

Catch me weekdays 8am-4pm GMT on IRC @ irc.freenode.net on channel #phathack (aka the chat link!!)

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: New Firmware / New Features
« Reply #9 on: November 22, 2007, 09:21:07 am »
All the HU disassemblies are at http://downloads.phathack.com/firmware/disasm

You can find which is for a HU by looking at http://downloads.phathack.com/firmware and seeing the filename of headunit.zip -- that will correspond to the .txt

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: New Firmware / New Features
« Reply #10 on: November 22, 2007, 09:28:24 am »
I took a look at the available firmwares and I decided to start with Audi, because it was the first one in the list.  I started with just the first portion of the Audi firmware.pac files.

Version 2.00:   39 50 02 0f fd 19 48 fb e4 93 07 c6 25 36 f2 84 88 4a 8c c5 ac 7b 25 0c 04 a3 4d 40 b5 23 a1 4b
Version 3.00:   39 50 02 0f fd 19 a0 fb e4 93 07 c6 25 36 f2 84 88 4a 8c c5 ac 7b 25 0c 04 a3 4d 40 b5 23 a1 4b
Version 4.00:   39 50 04 0f fd 19 88 6d fd a6 02 a5 98 99 fd 84 88 4a 8c c5 ac 7b 25 0c 04 a3 4d 40 b5 23 a1 4b
Version 4.01:   39 50 04 0f fd 19 88 6d fd a6 02 a5 98 99 fd 84 88 4a 8c c5 ac 7b 25 0c 04 a3 4d 40 b5 23 a1 4b
Version 5.01:   39 50 05 0f fd 1b 20 50 55 72 09 cf 33 e7 ef 84 88 4a 8c c5 ac 7b 25 0c 04 a3 4d 40 b5 23 a1 4b
Version 5.02:   39 50 05 0f fd 1b 40 0a 7c 0d 54 8d c8 76 7b 84 88 4a 8c c5 ac 7b 25 0c 04 a3 4d 40 b5 23 a1 4b
Version 6.00:   39 50 06 0f fd 1e d8 9a 36 e0 87 3e f3 67 6d 84 88 4a 8c c5 ac 7b 25 0c 04 a3 4d 40 b5 23 a1 4b
Version 7.00:   39 50 07 0f fd 21 e8 93 79 0c 10 91 cd 60 72 84 88 4a 8c c5 ac 7b 25 6f e6 4d 0b 60 20 45 a6 4b
Version 7.02:   39 50 07 0f fd 22 b0 93 79 0c 10 91 cd 60 72 84 88 4a 8c c5 ac 7b 25 6f e6 4d 0b 60 20 45 a6 4b


I noticed right off the bat that the third byte corresponds with the version number, and that there are several sequences that are the same.

Yea... they correspond to this as well (beginning of a level-10 logfile):
09.39:51d  :parse_pac : PAC file summary
09.39:51d  :parse_pac :     firmware name h: 22
09.39:51d  :parse_pac :     firmware name l: 00
09.39:51d  :parse_pac :     firmware ver   : 08
09.39:51d  :parse_pac :     firmware base h: 0f
09.39:51d  :parse_pac :     firmware base l: fd
09.39:51d  :parse_pac :     firmware size h: 15
09.39:51d  :parse_pac :     firmware size l: 60

This is obtained from the first 7 bytes of the file, which SHOULD be just a header.  It is in the order listed above... so for your "4" it would be:

name h: 39
name l:50
ver: 04
base h: 0f
base l: fd
size h: 19
size l: 88
« Last Edit: November 22, 2007, 09:40:12 am by sbingner »

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: New Firmware / New Features
« Reply #11 on: November 22, 2007, 09:47:35 am »
phatchicken, you should catch us in IRC so we can talk this thru a little...

Offline phatchicken

  • A few posts under my belt.
  • *
  • Posts: 19
Re: New Firmware / New Features
« Reply #12 on: November 25, 2007, 06:34:40 pm »
OK.  What times are good for going into IRC?

Offline phatchicken

  • A few posts under my belt.
  • *
  • Posts: 19
Re: New Firmware / New Features
« Reply #13 on: November 26, 2007, 08:18:54 pm »
I found a web-based IRC interface so I don't need to install a client like mIRC.  I can be in the #phathack channel during the day -- just let me know a good time.

Offline VorTechS

  • Administrator
  • Veteran.
  • *****
  • Posts: 1678
  • PhatHack Media Manager & DMS Tools Wizard Author
Re: New Firmware / New Features
« Reply #14 on: November 27, 2007, 07:38:15 am »
sbingner is away for a few days, possibly the week.

He's usually around 8am-12pm (GMT) or from the looks of recent activity 7pm (ish GMT)
Kenwood KDC-W7031 | Kenwood KHD-CX910 | 250GB DMS | PhatHack Media Manager v1.1.4 (Alpha) | VIOT

Catch me weekdays 8am-4pm GMT on IRC @ irc.freenode.net on channel #phathack (aka the chat link!!)

Offline phatchicken

  • A few posts under my belt.
  • *
  • Posts: 19
Re: New Firmware / New Features
« Reply #15 on: November 28, 2007, 07:35:46 pm »
Well, I am in California, so what would be a good time to meet up in IRC?  You guys are in the UK?


Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: New Firmware / New Features
« Reply #16 on: November 29, 2007, 04:37:04 am »
Vortech is in the UK and Sam is in Hawaii

Offline VorTechS

  • Administrator
  • Veteran.
  • *****
  • Posts: 1678
  • PhatHack Media Manager & DMS Tools Wizard Author
Re: New Firmware / New Features
« Reply #17 on: November 29, 2007, 06:02:51 am »
As judb says I'm UK, and as my signature says I'm on IRC between 8am and 4pm GMT.  However, I am not the person to talk to about ASM programming!

The GMT times I gave for Sam (sbingner) are based on the activity I've seen on the channel, given that I am in the UK. ;)
Kenwood KDC-W7031 | Kenwood KHD-CX910 | 250GB DMS | PhatHack Media Manager v1.1.4 (Alpha) | VIOT

Catch me weekdays 8am-4pm GMT on IRC @ irc.freenode.net on channel #phathack (aka the chat link!!)

Offline phatchicken

  • A few posts under my belt.
  • *
  • Posts: 19
Re: New Firmware / New Features
« Reply #18 on: November 29, 2007, 07:55:19 pm »
All the HU disassemblies are at http://downloads.phathack.com/firmware/disasm

You can find which is for a HU by looking at http://downloads.phathack.com/firmware and seeing the filename of headunit.zip -- that will correspond to the .txt

Heh.  I really think these pac files are encrypted somehow; they cannot be plaintext.  If you take the disassembly from VorTech or http://downloads.phathack.com/firmware/disasm/, and then try to assemble those files, you will get a bunch of errors.  Plus, if you look at the disassembled code, there are many POPs without PUSHes, and vice versa -- a real good way to screw with the stack pointer.

If they are encrypted, how will we decrypt them?

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: New Firmware / New Features
« Reply #19 on: November 29, 2007, 09:57:58 pm »
They are encrypted

the other part of this is that they are loaded into the 8052 encrypted. its one of the main features of that particular chip.

The reason we haven't made any headway is we don't have any idea how to hack the inner workings of that chip.

As I understand it, the code stored in the 64k eeprom inside the chip is stored encrypted so even using a jtag dump wouldn't gain us anything, or at least thats how I understand it from the spec docs on that chip.