disassembling travelpilot fx firmware system.elf file

tomy75

disassembling travelpilot fx firmware system.elf file

Post by tomy75 »

hello

In the file system.elf there are many interesting things; Ghidra disassembles it better than IDA Pro

it shows many functions that are not visible in IDA

I found an interesting function in system.elf


/*
 * Reviewer annotation of the Ghidra decompilation posted above. Every name
 * is a decompiler placeholder (no symbols), so the comments only describe
 * what the visible calls, constants and offsets show, and mark inferences
 * as such.
 *
 * What this function visibly does: it fills two tables of fixed-size string
 * slots inside the object at param_1 with file paths built from a device
 * prefix (chosen by *(param_1 + 0x13dc)), a per-table directory, a variant
 * directory, and a literal file name. It reads nothing from the medium and
 * checks nothing about the files it names; only paths are computed here.
 *
 * Layout of param_1 as used by this function (all from the code below):
 *   +0x94  .. +0xb83   table 1: 28 slots x 100 bytes (0x94 + 28*100 == 0xb84)
 *   +0xb84 .. +0x1353  table 2: 20 slots x 100 bytes (cleared with length 2000)
 *   +0x13d8            char *: selected device path (raw address 0x901693a0
 *                      in the default case)
 *   +0x13dc            int:    device selector; 1, 3, 4 and 6 are recognised
 * Slot i of table 1 is at param_1 + 0x94 + 100*i, slot i of table 2 at
 * param_1 + 0xb84 + 100*i; every fixed offset used later resolves to one of
 * these slots (e.g. 0xf8 == table-1 slot 1, 0x4e0 == table-1 slot 11,
 * 0x128c == table-2 slot 18).
 *
 * Helper conventions read off the call pattern (NOT confirmed):
 *   FUN_90001dd2(dst, 0, len) - zero-fill; 0xaf0 and 2000 equal the table sizes.
 *   FUN_900ed508(dst, src)    - always the first write to a slot: copy-like.
 *   FUN_900ed430(dst, src)    - later writes to the same slot: append-like.
 *   Neither takes a length, so the 100-byte slot bound rests on the string
 *   literals alone; the only non-literal source string is DAT_9035fbc0.
 *   FUN_90164608 / FUN_90164638 - entry/exit pair on one stack object with a
 *   function name and the constants 7 and 0x7ba; FUN_9013b414(code, arg, 7, n)
 *   appears on the error paths. The final arguments 0x7ba, 0x7c6, 0x7ce,
 *   0x7d9 and the 0x856 stored before exit increase monotonically through the
 *   function, consistent with source line numbers of a trace/assert facility
 *   - TODO confirm.
 *
 * The IDA listing further down this page appears to be a different build:
 * same slot layout and offsets, but one variant directory instead of two and
 * different variant strings ("/ford_hsr" vs "/f_hs_rvc"), so string values
 * must not be assumed identical across firmware versions.
 */
void FUN_9012a358(int param_1)

{
int iVar1;
char *pcVar2;
int iVar3;
uint uVar4;
char *pcVar5;
char *local_3c;
undefined auStack56 [12];
undefined2 local_2c;
int local_28;
int local_24;
int local_20;
int local_1c;
int local_18;

/* Entry marker: 12-byte stack object, function name, 7, 0x7ba. The matching
 * FUN_90164638(auStack56) is the last call before return; local_2c sits
 * directly after the 12-byte array in this frame and is written right before
 * that call - presumably part of the same object. "vCalulatePaths" is the
 * firmware's own spelling. */
FUN_90164608(auStack56,"vCalulatePaths",7,0x7ba);
/* Variant directory used for table 2 and for most of table 1. Four probe
 * calls, each overriding the previous choice when non-zero: the LAST
 * successful probe wins if several succeed (there is no else-if chain). */
pcVar5 = (char *)0x0;
iVar1 = FUN_901641dc();
if (iVar1 != 0) {
pcVar5 = "/f_ls_rvc";
}
iVar1 = FUN_901641a0();
if (iVar1 != 0) {
pcVar5 = "/sgm710";
}
iVar1 = FUN_901641c8();
if (iVar1 != 0) {
pcVar5 = "/f_hs_rvc";
}
iVar1 = FUN_901641b4();
if (iVar1 != 0) {
pcVar5 = "/vw_ll_nf";
}
/* No probe succeeded: default to "/f_hs_rvc" and report it. */
if (pcVar5 == (char *)0x0) {
pcVar5 = "/f_hs_rvc";
FUN_9013b414(0x1a8,0,7,0x7c6);
}
/* Second variant directory, used only for table-1 slot 1 (navarreg.uli).
 * Same four probes in the same order; two of them map to other strings. */
local_3c = (char *)0x0;
iVar1 = FUN_901641dc();
if (iVar1 != 0) {
local_3c = "/ford_lsr";
}
iVar1 = FUN_901641a0();
if (iVar1 != 0) {
local_3c = "/sgm710";
}
iVar1 = FUN_901641c8();
if (iVar1 != 0) {
local_3c = "/ford_hs2";
}
iVar1 = FUN_901641b4();
if (iVar1 != 0) {
local_3c = "/vw_ll_nf";
}
/* NOTE(review): this fallback tests pcVar5 - already non-NULL after the block
 * above - instead of local_3c, so the branch is dead and local_3c stays NULL
 * when all four probes fail. Either a decompiler artifact or a genuine
 * firmware bug; if the latter, the uVar4 == 1 path of the loop below hands a
 * NULL source to FUN_900ed430. Worth checking in the raw disassembly which
 * register is actually compared here. */
if (pcVar5 == (char *)0x0) {
local_3c = "/ford_hs2";
FUN_9013b414(0x1a8,0,7,0x7ce);
}
/* Device prefix from the selector at +0x13dc. The pointer at +0x13d8 is
 * cleared first, then set; only selectors 1, 3, 4 and 6 map to a path. */
*(undefined4 *)(param_1 + 0x13d8) = 0;
iVar1 = *(int *)(param_1 + 0x13dc);
pcVar2 = "/dev/cdrom";
if (iVar1 != 1) {
if (iVar1 == 3) {
pcVar2 = "/dev/cd1";
}
else {
if (iVar1 == 4) {
pcVar2 = "/dev/cryptcard";
}
else {
if (iVar1 != 6) {
/* Unknown selector: store a raw address Ghidra did not resolve (the IDA
 * listing below stores "/dev/cdrom" at the equivalent point of its build),
 * report the bad value, and skip the assignment after this if. */
*(undefined4 *)(param_1 + 0x13d8) = 0x901693a0;
FUN_9013b414(0xb0,iVar1,7,0x7d9);
goto LAB_9012a44c;
}
/* Selector 6: a USB download device. Only the path is chosen here; whatever
 * consumes data from it lives elsewhere. */
pcVar2 = "/dev/usb_dnl";
}
}
}
*(char **)(param_1 + 0x13d8) = pcVar2;
LAB_9012a44c:
/* Table 1: zero 0xaf0 bytes (== 28 * 100), then for each of the 28 slots
 * write <device>, then "/dnl/bin/nav" for slots 0, 1 and 11 or
 * "/dnl/bin/system/arion" for all others, followed by the variant directory.
 * Slot 0 gets no variant; slot 1 gets local_3c instead of pcVar5 (the target
 * param_1 + 0xf8 is exactly slot 1). */
local_18 = param_1 + 0x94;
FUN_90001dd2(local_18,0,0xaf0);
uVar4 = 0;
do {
local_1c = uVar4 * 100 + param_1 + 0x94;
FUN_900ed508(local_1c,*(undefined4 *)(param_1 + 0x13d8));
pcVar2 = pcVar5;
if (((uVar4 == 0) || (uVar4 == 1)) || (uVar4 == 0xb)) {
FUN_900ed430(local_1c,"/dnl/bin/nav");
if (uVar4 != 0) {
iVar1 = local_1c;
if (uVar4 == 1) {
iVar1 = param_1 + 0xf8;
pcVar2 = local_3c;
}
goto LAB_9012a4a4;
}
}
else {
FUN_900ed430(local_1c,"/dnl/bin/system/arion");
iVar1 = local_1c;
LAB_9012a4a4:
FUN_900ed430(iVar1,pcVar2);
}
uVar4 = uVar4 + 1;
} while (uVar4 < 0x1c);
/* File names appended to individual table-1 slots (offset -> slot index):
 *   0xf8 -> 1, 0x4e0 -> 11, 0x94 -> 0, 0x15c -> 2, 0x1c0 -> 3, 0x224 -> 4,
 *   0x418 -> 9, 0x47c -> 10, 0x5a8 -> 13, 0x6d4 -> 16, 0x800 -> 19,
 *   0x864 -> 20, 0x350 -> 7, 0x92c -> 22, 0x990 -> 23, 0x8c8 -> 21,
 *   0x3b4 -> 8, 0x60c -> 14, 0x670 -> 15.
 * Slots 5, 6, 12, 17, 18 and 24-27 keep only the directory prefix here. */
FUN_900ed430(param_1 + 0xf8,"/navarreg.uli");
FUN_900ed430(param_1 + 0x4e0,"/SPECIAL/navarreg.uli");
FUN_900ed430(local_18,"/common/navfx001.uli");
FUN_900ed430(param_1 + 0x15c,"/system.elf");
FUN_900ed430(param_1 + 0x1c0,"/system.bin");
FUN_900ed430(param_1 + 0x224,"/bootload.bin");
FUN_900ed430(param_1 + 0x418,"/plattapp.uli");
FUN_900ed430(param_1 + 0x47c,"/plattreg.uli");
FUN_900ed430(param_1 + 0x5a8,"/dsp.bin");
FUN_900ed430(param_1 + 0x6d4,"/basereg.uli");
FUN_900ed430(param_1 + 0x800,"/chinsi.elf");
FUN_900ed430(param_1 + 0x864,"/chinreg.uli");
FUN_900ed430(param_1 + 0x350,"/radio.dnl");
FUN_900ed430(param_1 + 0x92c,"/sdsapp.uli");
FUN_900ed430(param_1 + 0x990,"/sdsreg.uli");
FUN_900ed430(param_1 + 0x8c8,"/main_ver.bin");
FUN_900ed430(param_1 + 0x3b4,"/testman.bin");
local_20 = param_1 + 0x60c;
FUN_900ed430(local_20,"/ttslib.elf");
iVar1 = 0;
local_24 = param_1 + 0x670;
/* Slot 15: brand-specific "fgs" file. The do/while exits after one pass
 * (iVar1 becomes 1), so this reduces to: FUN_90125290() == 2 -> SEAT file,
 * == 1 -> SKODA file, otherwise "/fgs.dnl". That 2/1 denote those brands is
 * only suggested by the string names. */
do {
FUN_90124e74();
iVar3 = FUN_90125290();
if (iVar3 == 2) {
pcVar2 = "/SEAT_fgs.dnl";
LAB_9012a6f2:
FUN_900ed430(local_24,pcVar2);
break;
}
FUN_90124e74();
iVar3 = FUN_90125290();
if (iVar3 == 1) {
pcVar2 = "/SKODA_fgs.dnl";
goto LAB_9012a6f2;
}
FUN_900ed430(local_24,"/fgs.dnl");
iVar1 = iVar1 + 1;
} while (iVar1 == 0);
/* If the global byte at DAT_9035fbc0 is non-zero, the ttslib slot (14) is
 * REPLACED (copy-like call) by the string starting there. This is the only
 * source string in the function that is not a literal and no length is
 * passed, so the 100-byte bound depends on whatever writes DAT_9035fbc0.
 * The two calls with (0x2203, 5) cannot be interpreted from here. */
if (DAT_9035fbc0 != '\0') {
FUN_900ed508(local_20,&DAT_9035fbc0);
iVar1 = FUN_9011ca92(0x2203,5);
if (iVar1 == 1) {
FUN_9011cb24(0x2203,5,1,5);
}
}
/* Table 2: zero 2000 bytes (== 20 * 100); every slot gets <device>, and all
 * except slots 1 and 2 also get "/dnl/bin/system/arion" + variant. */
FUN_90001dd2(param_1 + 0xb84,0,2000);
uVar4 = 0;
do {
local_28 = uVar4 * 100 + param_1 + 0xb84;
FUN_900ed508(local_28,*(undefined4 *)(param_1 + 0x13d8));
if ((uVar4 != 1) && (uVar4 != 2)) {
FUN_900ed430(local_28,"/dnl/bin/system/arion");
FUN_900ed430(local_28,pcVar5);
}
uVar4 = uVar4 + 1;
} while (uVar4 < 0x14);
/* Slots 1 and 2 receive two data references Ghidra left unresolved; the IDA
 * listing below shows "/DNL" and "/dnl" at the same two slots of its build. */
FUN_900ed430(param_1 + 0xbe8,&DAT_9012a8c0);
FUN_900ed430(param_1 + 0xc4c,&DAT_9012a8c8);
/* Remaining table-2 file names (offset -> slot): 0xcb0 -> 3, 0x1160 -> 15,
 * 0xd14 -> 4, 0xd78 -> 5, 0xddc -> 6, 0xe40 -> 7, 0xea4 -> 8, 0xf08 -> 9,
 * 0xf6c -> 10, 0xfd0 -> 11, 0x1034 -> 12, 0x1098 -> 13, 0x10fc -> 14,
 * 0x11c4 -> 16, 0x1228 -> 17, 0x12f0 -> 19. The names ("force.*", "*.btl",
 * "noreset.*", "erase.ffs", "ffsbat.ena") read like control/marker files on
 * the update medium; this function only names them, it neither tests for
 * them nor validates anything about their origin. */
FUN_900ed430(param_1 + 0xcb0,"/erase.ffs");
FUN_900ed430(param_1 + 0x1160,"/permi.tmo");
FUN_900ed430(param_1 + 0xd14,"/force.nav");
FUN_900ed430(param_1 + 0xd78,"/force.sys");
FUN_900ed430(param_1 + 0xddc,"/force_ej.ect");
FUN_900ed430(param_1 + 0xe40,"/never_ej.ect");
FUN_900ed430(param_1 + 0xea4,"/ffsnand.bat");
FUN_900ed430(param_1 + 0xf08,"/ffsbat.ena");
FUN_900ed430(param_1 + 0xf6c,"/ffsbatdata");
FUN_900ed430(param_1 + 0xfd0,"/upgrade.btl");
FUN_900ed430(param_1 + 0x1034,"/dwngrade.btl");
FUN_900ed430(param_1 + 0x1098,"/replace.btl");
FUN_900ed430(param_1 + 0x10fc,"/ignore.btl");
FUN_900ed430(param_1 + 0x11c4,"/noreset.fgs");
FUN_900ed430(param_1 + 0x1228,"/noreset.850");
FUN_900ed430(param_1 + 0x12f0,"/cfgdev.fgs");
/* Slot 18 (0x128c) is rewritten from scratch as <device> + "/ONLYSOP1.DAT",
 * discarding the arion prefix the loop wrote there. */
FUN_900ed508(param_1 + 0x128c,*(undefined4 *)(param_1 + 0x13d8));
FUN_900ed430(param_1 + 0x128c,"/ONLYSOP1.DAT");
/* Exit marker, see the entry call; 0x856 continues the increasing sequence
 * of final arguments. */
local_2c = 0x856;
FUN_90164638(auStack56);
return;
}

Screenshot (38).png
memory map
Screenshot (39).png
tomy75

Re: disassembling travelpilot fx firmware system.elf file

Post by tomy75 »

Ghidra project with system.elf file disassembling
ghidra travelpilof FX system.elf.rar
Go4IT

Re: disassembling travelpilot fx firmware system.elf file

Post by Go4IT »

You can find those functions with IDA as well, but it takes a bit more effort, as you must "scan" for them: IDA's approach is to follow the execution paths, and it cannot find code that lies outside those paths. Anyway, I don't see anything in system.elf that IDA has not found. The function you found is here too:


/*
 * Reviewer annotation of the IDA (Hex-Rays) output posted above. It is the
 * same routine as the Ghidra listing earlier on this page, but apparently
 * from a different build: helper addresses are shifted (sub_901645E4 vs
 * FUN_90164608, sub_9013B3F0 vs FUN_9013b414), only ONE variant directory is
 * computed, and the variant strings differ ("/ford_lsr", "/sgm710",
 * "/ford_hsr", "/vw_ll_nf"). The object layout is identical: IDA prints the
 * offsets in decimal, so 5080 == 0x13d8 (device pointer), 5084 == 0x13dc
 * (selector), 148 == 0x94 (table 1, 28 slots x 100 bytes), 2948 == 0xb84
 * (table 2, 20 slots x 100 bytes), 248 == 0xf8 (table-1 slot 1), and so on.
 *
 * Decompiler artifacts to be aware of when reading this version:
 *  - the "int __fastcall" return and the final "return sub_90164614(&v20)"
 *    are a tail call to the exit marker; the function has no result of its own.
 *  - several calls are shown with the wrong arity: sub_90001DD2 and
 *    sub_900ED508 in the first loop appear with no arguments (the Ghidra
 *    listing shows (base, 0, 0xaf0) and (slot, device)); v7 and v16 are the
 *    dropped device-pointer argument. sub_9011CB24 is shown with 15 arguments.
 *  - sub_901641A4 is called as "sub_901641A4(v8)" with the previous return
 *    value threaded through r0; it is the third probe from the top and takes
 *    no argument there.
 * Constants 1973, 1985, 1995 and the 2130 stored in v21 before exit increase
 * monotonically, consistent with source line numbers - TODO confirm.
 */
int __fastcall sub_9012A358(int a1)
{
  int v1; // r4
  int v2; // r0
  const char *v3; // r6
  int v4; // r1
  const char *v5; // r0
  unsigned int v6; // r7
  int v7; // r1
  int v8; // r0
  int v9; // r0
  const char *v10; // r1
  int v11; // r7
  int v12; // r0
  const char *v13; // r1
  int v14; // r0
  unsigned int v15; // r7
  int v16; // r1
  int v17; // r1
  int v18; // r4
  char v20; // [sp+30h] [bp-38h]
  __int16 v21; // [sp+3Ch] [bp-2Ch]
  unsigned int v22; // [sp+40h] [bp-28h]
  int v23; // [sp+44h] [bp-24h]
  int v24; // [sp+48h] [bp-20h]
  unsigned int v25; // [sp+4Ch] [bp-1Ch]
  int v26; // [sp+50h] [bp-18h]

  v1 = a1;
  // Entry marker on the stack object at v20; v21 (12 bytes further) is
  // written just before the matching exit call - presumably the same object.
  v2 = sub_901645E4(&v20, "vCalulatePaths", 7, 1973, 0);
  // Single variant directory: the last probe returning non-zero wins.
  v3 = 0;
  if ( sub_901641B8(v2) )
    v3 = "/ford_lsr";
  if ( sub_9016417C() )
    v3 = "/sgm710";
  if ( ((int (*)(void))sub_901641A4)() )
    v3 = "/ford_hsr";
  if ( sub_90164190() )
    v3 = "/vw_ll_nf";
  if ( !v3 )
  {
    // Fallback plus report; 424 == 0x1a8 as in the Ghidra listing.
    v3 = "/ford_hsr";
    sub_9013B3F0(424, 0, 7, 1985);
  }
  // Device prefix from the selector; 1, 3, 4 and 6 are recognised.
  *(_DWORD *)(v1 + 5080) = 0;
  v4 = *(_DWORD *)(v1 + 5084);
  v5 = "/dev/cdrom";
  if ( v4 != 1 )
  {
    switch ( v4 )
    {
      case 3:
        v5 = "/dev/cd1";
        break;
      case 4:
        v5 = "/dev/cryptcard";
        break;
      case 6:
        // USB download device; only the path is chosen here.
        v5 = "/dev/usb_dnl";
        break;
      default:
        // Unknown selector: IDA resolves the stored value as the "/dev/cdrom"
        // literal, where Ghidra showed the raw address 0x901693a0 in its build.
        *(_DWORD *)(v1 + 5080) = "/dev/cdrom";
        sub_9013B3F0(176, v4, 7, 1995);
        goto LABEL_20;
    }
  }
  *(_DWORD *)(v1 + 5080) = v5;
LABEL_20:
  // Table 1 (28 slots): <device>, then "/dnl/bin/nav" for slots 0, 1, 11 or
  // "/dnl/bin/system/arion" otherwise, then v3 for every slot except 0 and 1.
  v26 = v1 + 148;
  ((void (*)(void))sub_90001DD2)();
  v6 = 0;
  do
  {
    v7 = *(_DWORD *)(v1 + 5080);
    v25 = 100 * v6 + v1 + 148;
    ((void (*)(void))sub_900ED508)();
    if ( v6 && v6 != 1 && v6 != 11 )
    {
      sub_900ED430(v25, "/dnl/bin/system/arion");
LABEL_26:
      v8 = sub_900ED430(v25, v3);
      goto LABEL_27;
    }
    v8 = sub_900ED430(v25, "/dnl/bin/nav");
    if ( v6 && v6 != 1 )
      goto LABEL_26;
LABEL_27:
    // Difference from the Ghidra build: slot 1 (v1 + 248) gets v3 only when
    // the third probe returns 0; the probe is re-run on every iteration.
    v9 = sub_901641A4(v8);
    if ( !v9 && v6 == 1 )
      v9 = sub_900ED430(v1 + 248, v3);
    ++v6;
  }
  while ( v6 < 0x1C );
  // When that probe is set, slot 1 carries a fixed "/ford_hs2" directory in
  // front of the file name instead of the variant from v3.
  if ( sub_901641A4(v9) )
    v10 = "/ford_hs2/navarreg.uli";
  else
    v10 = "/navarreg.uli";
  sub_900ED430(v1 + 248, v10);
  // Per-slot file names; the offsets are the same slots as in the Ghidra
  // listing (1248 == 0x4e0 -> slot 11, 348 -> 2, 448 -> 3, ... 1648 -> 15).
  sub_900ED430(v1 + 1248, "/SPECIAL/navarreg.uli");
  sub_900ED430(v26, "/common/navfx001.uli");
  sub_900ED430(v1 + 348, "/system.elf");
  sub_900ED430(v1 + 448, "/system.bin");
  sub_900ED430(v1 + 548, "/bootload.bin");
  sub_900ED430(v1 + 1048, "/plattapp.uli");
  sub_900ED430(v1 + 1148, "/plattreg.uli");
  sub_900ED430(v1 + 1448, "/dsp.bin");
  sub_900ED430(v1 + 1748, "/basereg.uli");
  sub_900ED430(v1 + 2048, "/chinsi.elf");
  sub_900ED430(v1 + 2148, "/chinreg.uli");
  sub_900ED430(v1 + 848, "/radio.dnl");
  sub_900ED430(v1 + 2348, "/sdsapp.uli");
  sub_900ED430(v1 + 2448, "/sdsreg.uli");
  sub_900ED430(v1 + 2248, "/main_ver.bin");
  sub_900ED430(v1 + 948, "/testman.bin");
  v24 = v1 + 1548;
  sub_900ED430(v1 + 1548, "/ttslib.elf");
  v11 = 0;
  v23 = v1 + 1648;
  // Slot 15: the while(1) runs at most one full pass (++v11 is non-zero on
  // the first increment), so it reduces to: 2 -> SEAT file, 1 -> SKODA file,
  // otherwise "/fgs.dnl".
  while ( 1 )
  {
    v12 = sub_90124E74();
    if ( sub_90125290(v12) == 2 )
    {
      v13 = "/SEAT_fgs.dnl";
      goto LABEL_40;
    }
    v14 = sub_90124E74();
    if ( sub_90125290(v14) == 1 )
      break;
    sub_900ED430(v23, "/fgs.dnl");
    if ( ++v11 )
      goto LABEL_42;
  }
  v13 = "/SKODA_fgs.dnl";
LABEL_40:
  sub_900ED430(v23, v13);
LABEL_42:
  // Non-zero global byte: the ttslib slot is replaced by the string at
  // byte_9035FB78 - the only non-literal source string in this function, with
  // no length passed. The 15-argument call is almost certainly an artifact
  // (Ghidra shows four arguments).
  if ( byte_9035FB78 )
  {
    sub_900ED508(v24, &byte_9035FB78);
    if ( sub_9011CA92(8707, 5) == 1 )
      sub_9011CB24(8707, 5, 1, 5, 3, 5, 3, 7, 3, 2090, 5, 14, 7, v24, 0);
  }
  // Table 2 (20 slots, 2000 bytes zeroed): <device>, and for all slots but
  // 1 and 2 also a directory plus v3.
  sub_90001DD2(v1 + 2948, 0, 2000);
  v15 = 0;
  do
  {
    v16 = *(_DWORD *)(v1 + 5080);
    v22 = 100 * v15 + v1 + 2948;
    sub_900ED508(v22, v16);
    if ( v15 != 1 && v15 != 2 )
    {
      // -1877568513 is 0x901693FF read as unsigned: an unresolved pointer into
      // the string area. The Ghidra listing has "/dnl/bin/system/arion" at
      // this position in its build - presumably the same literal here.
      sub_900ED430(v22, -1877568513);
      sub_900ED430(v22, v3);
    }
    ++v15;
  }
  while ( v15 < 0x14 );
  // Slots 1 and 2: "/DNL" and "/dnl" (Ghidra left these two as DAT_ references).
  sub_900ED430(v1 + 3048, "/DNL");
  sub_900ED430(v1 + 3148, "/dnl");
  // Control/marker file names on the update medium; only named here, not
  // checked or read.
  sub_900ED430(v1 + 3248, "/erase.ffs");
  sub_900ED430(v1 + 4448, "/permi.tmo");
  sub_900ED430(v1 + 3348, "/force.nav");
  sub_900ED430(v1 + 3448, "/force.sys");
  sub_900ED430(v1 + 3548, "/force_ej.ect");
  sub_900ED430(v1 + 3648, "/never_ej.ect");
  sub_900ED430(v1 + 3748, "/ffsnand.bat");
  sub_900ED430(v1 + 3848, "/ffsbat.ena");
  sub_900ED430(v1 + 3948, "/ffsbatdata");
  sub_900ED430(v1 + 4048, "/upgrade.btl");
  sub_900ED430(v1 + 4148, "/dwngrade.btl");
  sub_900ED430(v1 + 4248, "/replace.btl");
  sub_900ED430(v1 + 4348, "/ignore.btl");
  sub_900ED430(v1 + 4548, "/noreset.fgs");
  sub_900ED430(v1 + 4648, "/noreset.850");
  sub_900ED430(v1 + 4848, "/cfgdev.fgs");
  // Slot 18 (4748 == 0x128c) rewritten from scratch as <device> + "/ONLYSOP1.DAT".
  v17 = *(_DWORD *)(v1 + 5080);
  v18 = v1 + 4748;
  sub_900ED508(v18, v17);
  sub_900ED430(v18, "/ONLYSOP1.DAT");
  // Exit marker (tail call); 2130 continues the increasing constant sequence.
  v21 = 2130;
  return sub_90164614(&v20);
}
But I definitely should give Ghidra a try, as its output looks very tidy, the disassembly too!

So, do you understand what this function does?
This "/dev/usb_dnl" puzzles me, as it looks like there is some kind of USB update possibility inside. I found USB connections leading out to the service connector and even to the quadlock (hidden, as the pins are cut).

I also wonder where all those debug messages we find inside the image come from.
tomy75

Re: disassembling travelpilot fx firmware system.elf file

Post by tomy75 »

[quote=Go4IT]
I also wonder where all those debug messages we find inside the image come from.
[/quote]

Screenshot (40).png
Go4IT

Re: disassembling travelpilot fx firmware system.elf file

Post by Go4IT »

Those are only strings, not hard to find. What I mean is how to get the runtime messages, if they are enabled at all. I see some nullsubs inside; maybe the debug message output code was just stripped from the binary. It would be great to have some port (serial, USB, JTAG, SWD, or whatever) to see those messages when they appear.

But again, Ghidra seems to have all the same functionality as IDA Pro, and costs nothing!
tomy75

Re: disassembling travelpilot fx firmware system.elf file

Post by tomy75 »

So, do you understand what this function does?
This "/dev/usb_dnl" puzzles me, as it looks like there is some kind of USB update possibility inside. I found USB connections leading out to the service connector and even to the quadlock (hidden, as the pins are cut).

Where did you find the USB connections?
Can you send me a picture?

Thanks
Stevebe

Re: disassembling travelpilot fx firmware system.elf file

Post by Stevebe »

tomy75 wrote: 13 Jan 2020, 20:56 Ghidra project with system.elf file disassembling

ghidra travelpilof FX system.elf.rar
How do I open it? It is locked to you; I need a share or something.
This is the first time I use Ghidra.
Digimod
Stevebe

Re: disassembling travelpilot fx firmware system.elf file

Post by Stevebe »

tomy75 wrote: 13 Jan 2020, 20:56 Ghidra project with system.elf file disassembling

ghidra travelpilof FX system.elf.rar
I did try to look at your .elf, but your project is not set up as a share; can we use GitHub?
Digimod
oscarboiro

Re: disassembling travelpilot fx firmware system.elf file

Post by oscarboiro »

Today, following the wiring diagrams, I connected an FX to USB and my PC recognized a Blaupunkt.
I only connected Data+ and Data-, but the problem comes with the driver.

I took a screenshot of my device manager:
Blaupunkt multi purpose device.jpg
The next step is to find a driver, but I think it will be hard to find one.
Kuga MK1 owner
tomy75

Re: disassembling travelpilot fx firmware system.elf file

Post by tomy75 »

Great work :)
We need to find a driver.