[016] IT9919 Hacking - part 1 - Reading firmware with flashrom

  • date added 31. 05. 2024
  • In this series I will be hacking around with the IT9919 media processor that powers the Lenkeng LKV373 HDMI Extender Device and the EZCAP 283S which were reviewed in previous videos.
    In this video I will show some tools and techniques for reading and writing to flash chips with the flashrom open-source flash-reader software and “Blue Pill” STM32F103 board
    Show Notes: opentechlab.org.uk/videos:016...
    Twitter: @OpenTechLabChan
    Mastodon: @opentechlab@mstdn.io
    SubscribeStar: www.subscribestar.com/opentec...
    PayPal: www.paypal.me/opentechlab
    Bitcoin: 18CU9LxwRuiLHy9HsuMj2vzobbW4J3QVC2
  • Science & Technology

Comments • 131

  • @ariedemuijnck
    @ariedemuijnck 4 years ago +48

    Thanks for this good tutorial!
    On the STM32 bluepill you do not need to first remove the 10K resistor - just solder a 1K8 resistor on top of it. The parallel resistance then comes to 1K5. This gives less risk of damaging the board.

  • @edgeeffect
    @edgeeffect 2 months ago

    I still think that this series had some of the most lucid reverse engineering information I've ever seen on CZcams.

  • @alusiamilkowska
    @alusiamilkowska 4 years ago +61

    One trick you can use to read flash in-circuit is to keep the on-board processor in the reset state. When in reset, most of the pins are in a high-impedance state, and obviously the application processor will not interfere.

    • @OpenTechLab
      @OpenTechLab 4 years ago +9

      That's a good idea. I never tried that before

    • @vupham5745
      @vupham5745 1 month ago

      Can you please tell me how to do it? A tutorial, for example. Thanks

  • @ghesil
    @ghesil 4 years ago +24

    YEY! welcome back. At work now but can't wait to see it!

  • @RemcoStoutjesdijk
    @RemcoStoutjesdijk 4 years ago +2

    Have to love it when you talk for 30 minutes about a device and 5 boards all of which I have lying around. Instead of a hoarder I now feel 1337 :)

    • @ligius3
      @ligius3 4 years ago

      The only thing that's missing from mine is the mod wire. Don't know which one to buy, I assume there must be something like 32AWG single-strand, but there are just so many to choose from. Would love a link or a description from some AliExpress item.

  • @SteveMHN
    @SteveMHN 4 years ago +13

    I'm so pleased you're back, I really love your channel and was worried you had given up on YT. Another interesting video btw, like the rest.

  • @NumosG
    @NumosG 4 years ago

    I really enjoy your videos. So well presented and clear structure. And also so many Open Source ideas and lots of tools for our toolbox. Didn't know about that serial firmware, never thought something like that would even exist. Looking forward to any progress on this very cool project.

  • @leisergeist
    @leisergeist 4 years ago +5

    ooh, fascinating! can't wait to see how this goes
    also, welcome back

  • @yrath5034
    @yrath5034 4 years ago +13

    I never clicked so quick! Where have you been?? How dare you have a real life! ;-)

    • @OpenTechLab
      @OpenTechLab 4 years ago +4

      Thanks! Yeah real life has been busy. And as you will see in the coming videos, this project turned into a massive tar-pit.

  • @rokasbarasa1
    @rokasbarasa1 2 months ago

    This channel is a gold mine

  • @tedvanmatje
    @tedvanmatje 4 years ago +4

    Great stuff man! It'll be interesting to see what the outcome will be - especially when you introduce an FPGA into the mix (that's worth a whole mini-series on its own, btw)
    Thanks for posting this brainfood mate!

  • @TheAnilmaddala
    @TheAnilmaddala 4 years ago

    Welcome Back! I am learning a lot. Keep up your good work.

  • @pandarojodronero2919
    @pandarojodronero2919 4 years ago +1

    You are alive. I found your channel a few weeks ago. It's really interesting.

  • @adithyayuri
    @adithyayuri 4 years ago

    Good to have you back. Waiting to see how this goes.

  • @chrisleech1565
    @chrisleech1565 4 years ago

    Very interesting project. Love the separation of the Winbond. Code is a little bit of a hurdle for me, but taking it like a hot bath. Your interpretation is key! Regards.

  • @laneboysrc
    @laneboysrc 4 years ago

    As always great tips and links to interesting firmware! Blue Pills rock!

  • @jacksat2252
    @jacksat2252 4 years ago

    Nice to see you back, last week I went through my subscriptions to see if I hadn't accidentally deleted you.

  • @edgeeffect
    @edgeeffect 3 years ago

    I've just come back for a re-watching.... I was looking for you flashing a blue pill over serial.... found the right vid first guess...
    But it's also interesting, having seen the whole series, realising how little you and "the blogs" knew at this early stage and where you got to from there....

  • @ihatenumberinemail
    @ihatenumberinemail 4 years ago +12

    11:19 Just FYI, most computers don't care about that 10K resistor and work just fine with a vanilla blue pill. I'd recommend trying it out and only swapping the resistor if you really need to.

    • @tin2001
      @tin2001 4 years ago +2

      Or try sticking a USB hub in between too.

  • @MessedUpHare
    @MessedUpHare 4 years ago

    Excited to see this, one of my favorite channels.

  • @devplayer0
    @devplayer0 4 years ago

    Great to have a new OpenTechLab video!
    Interestingly I was able to make a dump (and later restore this after a brick with a dodgy upgrade file!) of the LKV373's flash chip using `flashrom` via the Raspberry Pi's SPI interface without having to extract the flash chip.

    • @OpenTechLab
      @OpenTechLab 4 years ago

      Yeah with no series resistors it becomes a battle of drive-strengths. It's sometimes worth trying just to see if it will work - even if it's very marginal. But there's always a risk of damaging the board.

  • @zcavaleiro
    @zcavaleiro 4 years ago

    Hi, nice to see your work again!
    Cheers.

  • @edgeeffect
    @edgeeffect 4 years ago +1

    Oooh... tweezer soldering iron, A? I've been putting off an appointment with some evil 0402 links for rather too long now.... maybe a tweezer iron could help me out.
    That was great stuff... I'm not that interested in HDMI capture meself... but you covered SO many other subjects on the way there had to be something for all of us.
    And I learned a new and very useful technical term today: "spew".
    Welcome back!!!! ........ Your cat's a lovely colour.

  • @vincei4252
    @vincei4252 4 years ago +4

    I'm 8 minutes in and I'm still gobsmacked that a company (ITE) believes that making their product/chips 100% opaque to anyone that is not a customer is a good way of interfacing with the world. Who cares if non-customers know what your ISA is? Why be this secretive? It's even more amazing that a customer would sign up to this kind of secrecy. But what do I know?
    Fascinating video for sure!

    • @evghenim1955
      @evghenim1955 4 years ago +2

      They are probably using a lot of someone else's IP in their silicon so they have to be secretive about it in order to not get sued.

    • @vincei4252
      @vincei4252 4 years ago

      @@evghenim1955 Yes, that did occur to me. You're probably 100% correct. I could go as far as guessing that "their" risc core could be something from opencores.org which are under a GPL license. RISC V maybe ?

    • @evghenim1955
      @evghenim1955 4 years ago +3

      @@vincei4252 Isn't RISC-V a relatively new thing? In the firmware, I see date codes going back to 2009. I would guess it's something more like MicroBlaze of sorts in there.

    • @vincei4252
      @vincei4252 4 years ago

      @@evghenim1955 ok

    • @tmichiels
      @tmichiels 4 years ago

      Maybe the chip is used in for example settop boxes and thereby contractually kept secret to make it harder to reverse engineer. I saw there is also a security processor...

  • @gelecopter
    @gelecopter 4 years ago +1

    Thank you for interesting video. Keep your board in the vise.

  • @iwbnwif
    @iwbnwif 4 years ago +1

    So glad you’re back :)

  • @robertwielewicki1249
    @robertwielewicki1249 4 years ago

    Great! Next upload. We've spoken some time ago, nice to see you again

  • @mklengel
    @mklengel 4 years ago

    You are back. That’s great!

  • @felixrichard5433
    @felixrichard5433 4 years ago +1

    @OpenTechLab: The compression algorithm could be the "Softdisk Library Format", which seems to be used from time to time in firmware.

  • @IljaSara
    @IljaSara 4 years ago

    I *KNEW* I was in for a treat when OpenTechLab rose from the grave*. Didn't disappoint!
    *) Altered Beast reference.

  • @markokikinda
    @markokikinda 4 years ago +1

    1. Welcome back! This video is a quintessence of hacking and the hacker mindset, and it makes me think how far we can go with a bit of curiosity and some knowledge; also, it shows how vast the value of free software and open hardware is.
    2. Is there a specific reason why you avoided using a flash/SPI programmer based on the CH341A (there is compatibility patchwork for flashrom)? It might have been much easier to read from the soldered SPI chips using something like that along with the alligator clip.

    • @OpenTechLab
      @OpenTechLab 4 years ago +5

      Nothing against the CH341A's - though I didn't have any at the time. Overall they're not bad chips, though I would like them more if they were a bit more capable and flexible. The price is good though.
      I like the Blue Pills - although it took me a while to explain how to program them in this video, in reality it's a 30-minute job to bring one into service if you do it regularly, and they're a lot more flexible. They can serve as any USB 2.0 Full Speed USB device: JTAG adaptor, GPIO controller, stepper motor controller, Arduino etc. etc., so I think it's worth spreading awareness about them.

  • @talhaakram
    @talhaakram 4 years ago +6

    OMG he is back!

  • @GaMa998
    @GaMa998 4 years ago +1

    Yes! You're back!

  • @pixelflow
    @pixelflow 4 years ago

    Great spelunking! Btw, you should totally make the inverse of the SOIC adapter for soldering in place of the chip on the original board, similar to those game console easy-solder mod boards, where there are little solder cups/U-shaped cutouts.

  • @pefclic
    @pefclic 4 years ago +1

    Welcome back !

  • @vincei4252
    @vincei4252 4 years ago

    Hey, welcome back!

  • @we-are-electric1445
    @we-are-electric1445 4 years ago +1

    Quality soldering tip !

  • @user-ir2fu4cx6p
    @user-ir2fu4cx6p 4 years ago

    This is the first time I've watched your videos, and I subscribed from the first 10 seconds.

  • @electronic7979
    @electronic7979 4 years ago +1

    Helpful video 👍 I like it

  • @evghenim1955
    @evghenim1955 4 years ago +1

    WELCOME BACK!!!

  • @SDWNJ
    @SDWNJ 4 years ago

    Yayyyyy OpenTechLab is back!!!

  • @lmaoroflcopter
    @lmaoroflcopter 4 years ago

    Woop! Welcome back!!

  • @williambarrett7108
    @williambarrett7108 4 years ago

    This is awesome. Thank you!

  • 4 years ago

    Good Video! You made a working board :)

  • @josephdragojevich7041
    @josephdragojevich7041 3 years ago

    you can desolder the ground leg and raise it off the pad, then hook everything else up normally and since the ground is only connected on the ROM but not the board, you should be able to get a better signal.

  • @diegolucassilva5994
    @diegolucassilva5994 1 year ago

    Amazing!!👍👍

  • @petealiendnatronics6152

    just noticed at 21.50 left bottom corner chip, two pins are soldered together, is that common practice ..... ? great clip informative thanks

  • @ligius3
    @ligius3 4 years ago +2

    The FT232R can also be used with OpenGDB, for example for in-circuit debugging of the ESP32. Maybe that's part of a future video.

    • @OpenTechLab
      @OpenTechLab 4 years ago

      Do you mean OpenOCD? It got some exposure in video [011]

    • @ligius3
      @ligius3 4 years ago

      @@OpenTechLab Yes :)

  • @thesilentcitadel
    @thesilentcitadel 4 years ago +1

    Can you load a bad checksum image into the main eeprom, then monitor the addresses being accessed from the eeprom and the on board backup. I feel that at some point the main processor will need to make a decision that the checksum was bad and then reach out to the backup to do a re-image of the eeprom. This could tell you which bytes of the main eeprom are related to the decision the processor needs to make for the checksum and potentially give you a subset of the whole eeprom that would be interesting, and which would contain the checksum byte, even its location.

  • @Rooey129
    @Rooey129 4 years ago

    You are my hero!

  • @crayzeape2230
    @crayzeape2230 4 years ago +2

    I wonder if holding the main ASIC in reset at power up would tri-state the SPI bus, allowing you to read out the firmware without desoldering.

    • @OpenTechLab
      @OpenTechLab 4 years ago +2

      Yes - you're not the first to point that out. I didn't think to try that, but I'll keep it in mind for next time.

  • @user-zo6nn2ih2f
    @user-zo6nn2ih2f 4 years ago

    SOIC or SOP which one is it now or does it work for both?

  • @ikocheratcr
    @ikocheratcr 4 years ago +3

    I think that the location in the SMAZ for those strings is the dictionary table. Basically all lossless compression algorithms use a dictionary that is created on the fly as the compressor compresses. The compressed output will have the dictionary and the references (the compressed data) to the dictionary.
    It is quite probable the hash/CRC check does not pass on the edited data you uploaded, and it is very interesting that the board has a secondary storage for the last known firmware, pretty cool. It avoids the problem of converting the device into a paperweight if the upgrade does not go through as expected.
    The W25Q32 chip has a write-protect pin. I wonder, if you re-upload modified code, then disable write via the pin, and boot it? Maybe the code will just try to write, assume it went through, and reload, and then maybe it will apply? Maybe it will go into a loop? No idea, but it will give more details on how it works.

    • @OpenTechLab
      @OpenTechLab 4 years ago

      In regard to the WP pin - you are correct it would reboot loop.
      In regard to the SMAZ structure... we'll get to that
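
To make the dictionary-table point above concrete, here is an added example (not the SMAZ library at github.com/antirez/smaz, and not the scheme used in this firmware, which the thread has not established): a small SMAZ-style codec in Python with a constructed codebook. Real SMAZ uses a fixed 254-entry table of common text fragments and two escape codes for literal bytes; the same shape is kept here so the relationship between the table, the codes and the literal escapes is visible. The codebook contents, the escape values and the sample input are all constructed for this example.

```python
"""SMAZ-style static-codebook codec (added example with a constructed codebook).

Layout of the compressed stream, following the shape of SMAZ:
  0 .. len(CODEBOOK)-1   index into the fragment table
  ESCAPE_ONE, b          one literal byte b
  ESCAPE_RUN, n, b...    n literal bytes (1 <= n <= 255)
"""

# Constructed codebook (assumption: real SMAZ ships 254 English fragments).
# In a firmware dump the equivalent table is what shows up as a run of
# readable string pieces sitting next to otherwise opaque data.
CODEBOOK = [b" ", b"the", b"e", b"t", b"a", b"of", b"o", b"and",
            b"i", b"n", b"s", b"r", b"firmware", b"er", b"ing", b"in"]

ESCAPE_ONE = 254  # next byte is a single literal
ESCAPE_RUN = 255  # next byte is a run length, followed by that many literals

assert len(CODEBOOK) < ESCAPE_ONE, "codes must not collide with the escapes"


def compress(data: bytes) -> bytes:
    """Greedy longest-match against CODEBOOK; unmatched bytes become escapes."""
    out = bytearray()
    pending = bytearray()  # literal bytes not yet emitted

    def flush_literals() -> None:
        # Emit pending literals, splitting runs longer than one length byte.
        while pending:
            chunk = bytes(pending[:255])
            del pending[:255]
            if len(chunk) == 1:
                out.extend((ESCAPE_ONE, chunk[0]))
            else:
                out.extend((ESCAPE_RUN, len(chunk)))
                out.extend(chunk)

    i = 0
    while i < len(data):
        best_code, best_len = -1, 0
        for code, frag in enumerate(CODEBOOK):
            if len(frag) > best_len and data.startswith(frag, i):
                best_code, best_len = code, len(frag)
        if best_code >= 0:
            flush_literals()
            out.append(best_code)
            i += best_len
        else:
            pending.append(data[i])
            i += 1
    flush_literals()
    return bytes(out)


def decompress(blob: bytes) -> bytes:
    """Inverse of compress(); raises ValueError on a malformed stream."""
    out = bytearray()
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == ESCAPE_ONE:
            if i + 1 >= len(blob):
                raise ValueError("truncated literal escape")
            out.append(blob[i + 1])
            i += 2
        elif code == ESCAPE_RUN:
            if i + 1 >= len(blob):
                raise ValueError("truncated run escape")
            n = blob[i + 1]
            run = blob[i + 2:i + 2 + n]
            if len(run) != n:
                raise ValueError("truncated literal run")
            out.extend(run)
            i += 2 + n
        elif code < len(CODEBOOK):
            out.extend(CODEBOOK[code])
            i += 1
        else:
            raise ValueError("code %d is outside the codebook" % code)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample input; 'h' and 'Z' are not in the codebook, so they
    # exercise the literal-escape path.
    sample = b"the firmware of the thing and the other firmware Z"
    packed = compress(sample)
    print(len(sample), "->", len(packed), "bytes:", packed.hex(" "))
    assert decompress(packed) == sample
```

Run stand-alone it halves the constructed 50-byte sample and prints the code stream, in which every occurrence of "firmware" collapses to a single index byte. The point for a dump reader is the other direction: with a static table the decompressor needs nothing but the table, which is why the plaintext fragments sit in the image unencoded, and why a stream byte outside the table is a format error rather than data.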

  • @seanvinsick5271
    @seanvinsick5271 4 years ago +1

    The dump clearly shows a CRC. All compression algorithms have a dictionary. Most if not all compilers, AFAIK, make a constants table of all constants in the source and then link to them. It's not just strings but ints, floats, bools, or any base data type. CRCs have a broken 2nd-order resistance collision, and I believe a pre-image collision. Find the CRC.
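
Following on from the CRC suggestion, here is an added example in Python (not anything from the video, and not the LKV373 firmware's real layout, which the thread does not establish): a scan that locates a CRC-32 field covering every byte before it, plus a verifier for re-checking a dump before it is written back, which is the practical use when a marginal in-circuit read or an edit is suspected. The CRC-32 variant (zlib/PNG/Ethernet), the trailer-covers-prefix layout, the 4-byte alignment and the filler payload are all assumptions made for this example.

```python
"""Locate and verify a CRC-32 trailer in a firmware image (added example).

Assumptions (not facts about the IT9919/LKV373): the stored checksum is the
CRC-32 used by zlib/PNG/Ethernet and it covers every byte before the field
in which it is stored.  Extending a running CRC to each candidate offset
keeps the whole scan linear in the image size.
"""
import struct
import zlib


def find_crc32_trailer(image, align=4):
    """Return [(offset, endianness)] for every aligned 4-byte field equal to
    the CRC-32 of image[:offset].  A chance match has probability of roughly
    2**-31 per field, so a genuine trailer stands out."""
    hits = []
    crc = 0
    prev = 0
    for off in range(align, len(image) - 3, align):
        crc = zlib.crc32(image[prev:off], crc)  # now the CRC of image[:off]
        prev = off
        field = image[off:off + 4]
        if field == struct.pack("<I", crc):
            hits.append((off, "little"))
        elif field == struct.pack(">I", crc):
            hits.append((off, "big"))
    return hits


def verify_image(image, crc_offset, endian="little"):
    """Recompute the CRC over image[:crc_offset] and compare with the field."""
    fmt = "<I" if endian == "little" else ">I"
    (stored,) = struct.unpack(fmt, image[crc_offset:crc_offset + 4])
    return zlib.crc32(image[:crc_offset]) == stored


def build_image(payload, endian="little"):
    """Constructed fixture: payload followed by its CRC-32 trailer."""
    fmt = "<I" if endian == "little" else ">I"
    return payload + struct.pack(fmt, zlib.crc32(payload))


def sample_payload(size=4096):
    """Deterministic pseudo-random filler standing in for a firmware body."""
    return bytes((i * 37 + (i >> 5) * 11 + 3) & 0xFF for i in range(size))


if __name__ == "__main__":
    img = build_image(sample_payload())
    print(find_crc32_trailer(img))               # [(4096, 'little')]
    damaged = bytearray(img)
    damaged[100] ^= 0x01                         # one flipped bit, as a bad read would leave
    print(verify_image(bytes(damaged), 4096))    # False
```

The scan only recognises a checksum that sits after the region it protects; a header-resident field or a checksum over a sub-region needs the same loop run over candidate (start, end) pairs, which is quadratic and worth doing only once the trailer form has been ruled out. Once the offset and byte order are known, verify_image is the check to run on every dump before a write-back, and on the readback afterwards.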

  • @TakeMeOffYourMailingList
    @TakeMeOffYourMailingList 4 years ago +1

    What shell are you using/what is your configuration? I've just broken away from the standard unchanged bash, and I'm weighing up my options. Yours looks cool, especially with the knowledge of git branches, etc.

    • @OpenTechLab
      @OpenTechLab 4 years ago

      I'm using zsh, with oh-my-zsh, which support many themes. I use the agnoster theme. You will need Powerline Fonts installed.

    • @TakeMeOffYourMailingList
      @TakeMeOffYourMailingList 4 years ago

      @@OpenTechLab Thanks! I

  • @lasersbee
    @lasersbee 4 years ago +9

    32:54... Perhaps it's time for a Tip Cleaning Solder Sponge and perhaps a new Tip....:/

    • @OpenTechLab
      @OpenTechLab 4 years ago +5

      Yup - I ordered a new tip straight after filming that sequence. The new one is so much better.

  • @chriswesley594
    @chriswesley594 4 years ago +1

    Great video - the first I've seen from you but not the last. I had a thought about reading the SPI Flash more conveniently than removing it from the system. Could you just isolate the power pin? That way when you drive it from your external setup none of the rest of the host board is powered and so might be less intrusive, and when you power it from the host board it's back home. You could have a 2-way switch to select. Just a thought.

    • @OpenTechLab
      @OpenTechLab 4 years ago +3

      If the SPI pins are high impedance when the rest of the board is unpowered, this would work well. If not, it's possible to end up feeding power in through the SPI lines going into the clamp diodes of the processor.

  • @pixelflow
    @pixelflow 4 years ago +1

    Can you link to the blogs mentioned in the description? Thanks!

    • @OpenTechLab
      @OpenTechLab 4 years ago

      Sorry I forgot to add the link to the description. Here it is: opentechlab.org.uk/videos:016:notes

  • @misonimisoni7818
    @misonimisoni7818 3 years ago

    Need firmware for hard disk ST350413AS JC66 firmware as bios ic is corrupted

  • @mikeconnor3602
    @mikeconnor3602 4 years ago

    In the video you mention, danman? Is this correct, and is it a CZcams channel? Excuse me if 'danman' is the wrong spelling

  • @rickysuave4801
    @rickysuave4801 4 years ago

    I am interested in reverse engineering my Marantz SR5600 home theater receiver. To reduce noise. To increase amplifier output. To modify speaker impedance on the multiroom channels. Add HDMI 2.2 ports. Add USB 3.2 input, Bluetooth input, 1.5mm. Adding the newest Dolby Digital encoding, adding 4K encoding and upscaling.
    What about modifying an older Asus wifi router running opensource firmware and upgrading it to 802.11ax and any newer security features/ programming?
    How about reverse engineering a Roku or Firestick 4k to run solely off of Linux?

  • @danielegger6460
    @danielegger6460 4 years ago

    Why not simply stack a resistor on top, i.e. in parallel? That's usually an easier operation than removing a resistor...

  • @pandarojodronero2919
    @pandarojodronero2919 4 years ago

    How do you make your terminal look like that at 14:24?
    Edit: not only at 14:24, the whole video. How do you make the prompt look like a blue arrow?

    • @jope4009
      @jope4009 4 years ago

      Google for "powerline fonts".

    • @OpenTechLab
      @OpenTechLab 4 years ago

      I'm using zsh as my shell with oh-my-zsh to control the theming

  • @juri14111996
    @juri14111996 4 years ago

    Use a BMD capture card for SDI, and a BMD UpDownCross if you have an HDMI signal. Works fine without any problem. Feel free to ask.

  • @ATXpert
    @ATXpert 4 years ago

    What can I do if I can't order from Amazon because the delivery costs more than the product?
    Also, I'm totally new to this; how can I understand the video better?

    • @ghwizz
      @ghwizz 4 years ago

      ATXpert - this is fairly advanced stuff and so you will need to build up your knowledge before it will make much sense. Good news is that lots of other videos on CZcams will get you started. Good luck!

    • @ATXpert
      @ATXpert 4 years ago

      @@ghwizz I have no idea where to start

  • @bumelant
    @bumelant 4 years ago

    Great video! You should get some proper chisel type soldering tip. It's way better than this one you are using.

    • @OpenTechLab
      @OpenTechLab 4 years ago +1

      The main issue is that that tip was very badly corroded. It was the first outing of a rather nice OKi soldering station I rescued from being scrapped. After filming this video I ordered a new tip, and I've been very happy with it since.

  • @rickysuave4801
    @rickysuave4801 4 years ago

    Awesome video, but please improve your audio feed. You have a lot of noise, maybe a ground loop or radiation.

  • @SDWNJ
    @SDWNJ 4 years ago +1

    Is that a duct tape band-aid?

  • @the_perigoso
    @the_perigoso 4 years ago +3

    that soldering iron

    • @OpenTechLab
      @OpenTechLab 4 years ago

      Yup... it's actually quite a nice OKi soldering station. I inherited it free when my old company closed its office. It got its first outing while I was filming the video, and it became clear how bad the tip was. So I ordered a new one, and it's been perfect ever since.

  • @dreggory82
    @dreggory82 4 years ago

    Couldn't you hot air desolder the ram and get a read on it then?
    Edit: should have watched the whole video before asking.

  • @Dust599
    @Dust599 4 years ago

    Disable writing to the eeprom from the controller... perhaps it will just drop through after it thinks it has re written it.

    • @OpenTechLab
      @OpenTechLab 4 years ago

      As I discovered later, that would send it into a reboot loop.

    • @Dust599
      @Dust599 4 years ago

      @@OpenTechLab Darn!

    • @Dust599
      @Dust599 4 years ago

      @@OpenTechLab Bait and switch then? Have two EEPROMs, or emulated, and swap the EEPROM after the initial check? (Timing will be very important.)

  • @crazyphil7782
    @crazyphil7782 4 years ago

    Stahp eet it's illeeeeghul

  • @johnoneil9150
    @johnoneil9150 4 years ago +1

    Using duck tape as a band aid 28:44

  • @shafi.j
    @shafi.j 3 months ago

    I need some answers

  • @vincei4252
    @vincei4252 4 years ago +12

    "This would be easier if I had this in a vise"
    *AvE wants to know your location.*

    • @OpenTechLab
      @OpenTechLab 4 years ago

      What's that about? Does he do merch with vices?

    • @vincei4252
      @vincei4252 4 years ago +1

      @@OpenTechLab Lol. No, it's an AvE meme. He usually ends his videos with "don't stick your dick in a vise" :)

    • @OpenTechLab
      @OpenTechLab 4 years ago +3

      Words to live by

    • @edgeeffect
      @edgeeffect 4 years ago +4

      It's from the Canadian saying "keep your stick on the ice" (with reference to paying due attention during an ice hockey game) which he translates into "keep your dick in a vice".

    • @UNSCPILOT
      @UNSCPILOT 4 years ago

      @@edgeeffect As a Canadian, couldn't be more proud XD

  • @boltactionpiano7365
    @boltactionpiano7365 4 years ago

    Why not use a black pill?

    • @OpenTechLab
      @OpenTechLab 4 years ago +1

      No reason other than that the Blue Pills are more well known, and I happen to have a bag full of them

    • @edgeeffect
      @edgeeffect 4 years ago +1

      Best answer I hear for "why do you use XYZ"..... "'cus I've got a sackfull of 'em"

  • @cdyoutoob
    @cdyoutoob 4 years ago

    SMAZ - github.com/antirez/smaz

  • @jessishandsome
    @jessishandsome 3 years ago

    I can help you solve some Chinese problems in the future, if you'd like.

  • @AtulSohan
    @AtulSohan 4 years ago

    Imagine for a moment that that chip was sentient (as in highly sentient)......
    We are the aliens who have now abducted it and are probing it up the arse...... to understand how it ticks.
    Am I the only one with these weird imaginations? I need to have a word with my weed guy!!!!

  • @kanguruster
    @kanguruster 4 years ago

    I wonder if this is the same SMAZ? github.com/antirez/smaz

  • @morgannelson9834
    @morgannelson9834 4 years ago

    Could this be the SMAZ you are looking for? github.com/antirez/smaz

  • @CyReVolt
    @CyReVolt 4 years ago

    You might be interested in qspimux: felixheld.de/projects/qspimux/

  • @linztube
    @linztube 4 years ago

    Surely yourself and others have seen this, but I was doing some random googling and found: github.com/antirez/smaz
    Is this related at all?

  • @dacealksne
    @dacealksne 4 years ago +1

    #ShamefulSoldering

    • @OpenTechLab
      @OpenTechLab 4 years ago +2

      So shameful. But... as the saying goes "it's not stupid if it works"

  • @waylandsmithers2815
    @waylandsmithers2815 1 year ago

    flux, flux flux.....

  • @jobaptist
    @jobaptist 4 years ago +1

    absolutely zero soldering skills...0603 piece of cake for me... i could do it with my eyes closed!