radiomanV/TL866
1
Fork 0
mirror of https://github.com/radiomanV/TL866.git synced 2025-06-18 14:25:38 -04:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update firmware dumper

Browse Source
This commit is contained in:
radiomanV 2018-08-14 18:12:21 +03:00
parent 67487e2cd6
commit 828a672da5
1 changed files with 602 additions and 630 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

160
FirmwareDumper/main.c
View File

@ -99,34 +99,29 @@ void low_ISR(void);
#pragma code REMAPPED_RESET_VECTOR = REMAPPED_RESET_VECTOR_ADDRESS
void _reset(void)
{
void _reset(void) {
_asm goto _startup _endasm
}
#pragma code REMAPPED_HIGH_INTERRUPT_VECTOR = REMAPPED_HIGH_INTERRUPT_VECTOR_ADDRESS
void Remapped_High_ISR(void)
{
void Remapped_High_ISR(void) {
_asm goto high_ISR _endasm
}
#pragma code REMAPPED_LOW_INTERRUPT_VECTOR = REMAPPED_LOW_INTERRUPT_VECTOR_ADDRESS
void Remapped_Low_ISR(void)
{
void Remapped_Low_ISR(void) {
_asm goto low_ISR _endasm
}
#pragma code HIGH_INTERRUPT_VECTOR = 0x08
void High_ISR(void)
{
void High_ISR(void) {
_asm goto REMAPPED_HIGH_INTERRUPT_VECTOR_ADDRESS _endasm
}
#pragma code LOW_INTERRUPT_VECTOR = 0x18
void Low_ISR(void)
{
void Low_ISR(void) {
_asm goto REMAPPED_LOW_INTERRUPT_VECTOR_ADDRESS _endasm
}
#pragma code
@ -195,10 +190,10 @@ far rom unsigned char config_bytes[] = {
#pragma udata big_buffer
unsigned char buffer[0x400]; //1Kbyte data buffer
#pragma udata USB_VARIABLES=0x500
DATA_PACKET rxdatapacket;//USB receive buffer
unsigned char txdatapacket[USBGEN_EP_SIZE];//USB transmit buffer
DATA_PACKET rxdatapacket; //USB receive buffer
unsigned char txdatapacket[USBGEN_EP_SIZE]; //USB transmit buffer
#pragma udata CONTEXT_SWITCH=0x700
unsigned long int reset_switch;//Here is the RAM context switch location
unsigned long int reset_switch; //Here is the RAM context switch location
#pragma udata
@ -218,8 +213,8 @@ void ReadProgMem(void);
void ProcessIo(void);
//Global variables
const far rom unsigned short* crc16Table = (const far rom void*) 0x1FD50;//Pointer to crc16 table in ROM
const far rom unsigned short* infoTable = (const far rom void*) 0x1FD00;//Pointer to encrypted info area (80bytes) in ROM
const far rom unsigned short* crc16Table = (const far rom void*) 0x1FD50; //Pointer to crc16 table in ROM
const far rom unsigned short* infoTable = (const far rom void*) 0x1FD00; //Pointer to encrypted info area (80bytes) in ROM
USB_HANDLE USBOutHandle;
USB_HANDLE USBInHandle;
volatile WORD led_cnt;
@ -227,8 +222,7 @@ unsigned char info[80];
#pragma interruptlow high_ISR
void high_ISR(void)
{
void high_ISR(void) {
#if defined(USB_INTERRUPT)
// Perform USB device tasks
USBDeviceTasks();
@ -237,12 +231,10 @@ void high_ISR(void)
#pragma interruptlow low_ISR
void low_ISR(void)
{
void low_ISR(void) {
}
void DeviceReset(void)
{
void DeviceReset(void) {
UCONbits.USBEN = 0;
Delay10KTCYx(255);
Delay10KTCYx(255);
@ -251,8 +243,7 @@ void DeviceReset(void)
// crc16 CCITT
unsigned short crc16(unsigned char *data, unsigned short len)
{
unsigned short crc16(unsigned char *data, unsigned short len) {
unsigned short crc = 0;
while (len--)
crc = ((crc >> 8) ^ crc16Table[(crc ^ *data++) & 0xFF]);
@ -261,88 +252,76 @@ unsigned short crc16(unsigned char *data, unsigned short len)
//decrypt info array
void decrypt_serial(unsigned char version)
{
int i, index = 0x0A;
unsigned char o1, o2;
void decrypt_serial(unsigned char version) {
int i;
unsigned char index;
const far rom unsigned char* xorTableptr = (version == VERSION_A ? &A_Table[0] : &CS_Table[0]);
//first step, xoring each element from table with a random value from xortable. Starting index is 0x0A. Index is incremented modulo 256
for (i = 0; i < sizeof(info); i++) {
//Step 1, xoring each element from table with a random value from xortable. Starting index is 0x0A. Index is incremented modulo 256
index = 0x0A;
for (i = 0; i < sizeof (info); i++) {
info[i] ^= xorTableptr[index++];
index &= 0xFF;
}
/*next step, right shift whole array by 3 bits. Because anding with 0x1F, the last byte from info table must be always <0x20 in the encryption step, greater values will be trimmed at decryption step;
this is why the crc16 must be 0x1FFF max., the last byte from info table is MSB of crc16.
*/
for (i = 0; i < sizeof(info) - 1; i++) {
o1 = (info[sizeof(info) - i - 1] >> 3) & 0x1F;
o2 = info[sizeof(info) - i - 2] << 5;
info[sizeof(info) - i - 1] = o1 | o2;
//Step 2 right rotate the whole array by 3 bits.
index = info[sizeof (info) - 1] << 5;
for (i = sizeof (info) - 1; i > 0; i--) {
info[i] = info[i] >> 3 & 0x1F | info[i - 1] << 5;
}
info[0] >>= 3;
info[0] &= 0x1F;
//Last step, descrambling data; we put each element in the right position. At the end we have the decrypted serial and devcode ;)
for (i = 0; i < sizeof(info) / 2; i += 4) {
o1 = info[i];
info[i] = info[sizeof(info) - i - 1];
info[sizeof(info) - i - 1] = o1;
info[0] = info[0] >> 3 & 0x1F | index;
//Step 3, descrambling data; we put each element in the right position. At the end we have the decrypted serial and devcode ;)
for (i = 0; i < sizeof (info) / 2; i += 4) {
index = info[i];
info[i] = info[sizeof (info) - i - 1];
info[sizeof (info) - i - 1] = index;
}
}
//encrypt the info array, ready to be inserted in TL866 firmware.
void encrypt_serial(unsigned char version)
{
int i, index = 0x0A;
unsigned char o1, o2;
void encrypt_serial(unsigned char version) {
int i;
unsigned char index;
unsigned short crc;
const far rom unsigned char* xorTableptr = (version == VERSION_A ? A_Table : CS_Table);
/* compute the right crc16. The last two bytes in the info table is the crc16 in little-endian order
* and must be max. 0x1FFF otherwise the decryption will be wrong.
*/
do {
//Fill the info array[32-77] with random values until the crc16 match the criteria crc<0x2000
//Fill the info array[32-77] with random values.
for (i = 32; i < 78; i++) {
info[i] = (unsigned char) rand() % 0x100;
}
info[34] = 0;
for (i = 5; i < 34; i++)
info[34] += info[i];
crc = crc16(info, sizeof(info) - 2);
} while (crc > 0x1FFF);
info[sizeof(info) - 1] = crc >> 8 & 0x1F; //yes, 0x1F
info[sizeof(info) - 2] = crc & 0xFF;
crc = crc16(info, sizeof (info) - 2);
info[sizeof (info) - 1] = crc >> 8;
info[sizeof (info) - 2] = crc & 0xFF;
/*Data scrambling. We swap the first byte with the last, the fourth from the beginning with the fourth from the end and so on.
So we have the following 10 swaps:(0-79),(4-75),(8-71),(12-67),(16-63),(20-59),(24-55),(28-51),(32-47),(36-43).
*/
for (i = 0; i < sizeof(info) / 2; i += 4) {
o1 = info[i];
info[i] = info[sizeof(info) - i - 1];
info[sizeof(info) - i - 1] = o1;
for (i = 0; i < sizeof (info) / 2; i += 4) {
index = info[i];
info[i] = info[sizeof (info) - i - 1];
info[sizeof (info) - i - 1] = index;
//printf("(%d-%d),",i,s-i-1);
}
//Next step, left shift whole array by 3 bits .
for (i = 0; i < sizeof(info) - 1; i++) {
o1 = (info[i] << 3) & 0xF8;
o2 = info[i + 1] >> 5;
info[i] = o2 | o1;
/*
* Step 2, Left rotate the whole array by 3 bits.
*/
index = info[0] >> 5;
for (i = 0; i < sizeof (info) - 1; i++) {
info[i] = info[i] << 3 & 0xF8 | info[i + 1] >> 5;
}
info[sizeof(info) - 1] <<= 3;
info[sizeof(info) - 1] &= 0xF8;
info[sizeof (info) - 1] = info[sizeof (info) - 1] << 3 & 0xF8 | index;
//Last step, xoring each info table value with a random number from xortable. The start index in this table is 0x0A. Index is incremented modulo 256
for (i = 0; i < sizeof(info); i++) {
index = 0x0A;
for (i = 0; i < sizeof (info); i++) {
info[i] ^= xorTableptr[index++];
index &= 0xFF;
}
}
//Erase flash page
void FlashErase(unsigned long address)
{
void FlashErase(unsigned long address) {
TBLPTR = address;
EECON1 = 0b00010100;
INTCONbits.GIE = 0;
@ -355,8 +334,7 @@ void FlashErase(unsigned long address)
//Write a 64 byte block of data
void WriteBlock(unsigned long address, unsigned char* buffer)
{
void WriteBlock(unsigned long address, unsigned char* buffer) {
unsigned char i;
TBLPTR = address;
EECON1 = 0b00000100;
@ -375,8 +353,8 @@ void WriteBlock(unsigned long address, unsigned char* buffer)
//Write 1Kbyte buffer to flash
void WriteBuffer(unsigned long address)
{
void WriteBuffer(unsigned long address) {
unsigned char i;
unsigned char *buffer_ptr = &buffer[0];
@ -388,8 +366,8 @@ void WriteBuffer(unsigned long address)
}
//Rewrite bootloader
void WriteBootloader(unsigned char version)
{
void WriteBootloader(unsigned char version) {
unsigned char i;
unsigned long addr = 0;
WriteConfig(version);
@ -406,8 +384,8 @@ void WriteBootloader(unsigned char version)
}
//Rewrite config area
void WriteConfig(unsigned char version)
{
void WriteConfig(unsigned char version) {
unsigned char t;
unsigned long addr = 0x1FC00;
const far rom unsigned char* xorTableptr = (version == VERSION_A ? &A_Table[0] : &CS_Table[0]);
@ -423,8 +401,8 @@ void WriteConfig(unsigned char version)
}
//Rewrite Info
void WriteInfo(unsigned char *info_ptr)
{
void WriteInfo(unsigned char *info_ptr) {
unsigned char t;
unsigned long addr = 0x1FC00;
memcpypgm2ram(&t, (const far rom void*) DEVICE_TYPE_LOCATION, 1);
@ -437,8 +415,7 @@ void WriteInfo(unsigned char *info_ptr)
}
/* Test routine */
void load_shiftregister(unsigned char value)
{
void load_shiftregister(unsigned char value) {
unsigned char i;
for (i = 0; i <= 7; i++) {
SR_DAT = (value & 0x80) ? 1 : 0;
@ -450,8 +427,7 @@ void load_shiftregister(unsigned char value)
}
}
void config_io()
{
void config_io() {
OSCTUNEbits.PLLEN = 1; //Enable the PLL and wait 2+ms until the PLL locks before enabling USB module
Delay10KTCYx(20);
WDTCONbits.ADSHR = 1; // Select alternate SFR location to access ANCONx registers
@ -509,16 +485,14 @@ void config_io()
LED_PIN = 0;
}
void ReadProgMem(void)
{
void ReadProgMem(void) {
memcpypgm2ram(&txdatapacket[0], (const far rom void*) rxdatapacket.pAdr, rxdatapacket.len);
}
// Process USB commands
void ProcessIo(void)
{
void ProcessIo(void) {
static unsigned char count = 0;
if (USBSuspendControl == 1) {
@ -856,8 +830,7 @@ void ProcessIo(void)
// USB callback function handler
BOOL USER_USB_CALLBACK_EVENT_HANDLER(int event, void *pdata, WORD size)
{
BOOL USER_USB_CALLBACK_EVENT_HANDLER(int event, void *pdata, WORD size) {
switch (event) {
case EVENT_CONFIGURED:
//Enable the application endpoints
@ -870,8 +843,7 @@ BOOL USER_USB_CALLBACK_EVENT_HANDLER(int event, void *pdata, WORD size)
return TRUE;
}
void main()
{
void main() {
USBOutHandle = 0;
USBInHandle = 0;
led_cnt = 1;