How to recover bricked Convers+ (SOLVED)

Go4IT
Pro
Posts: 967
Joined: 08 Feb 2019, 12:25

Re: How to recover bricked Convers+

Post by Go4IT »

I tried to disassemble the SBL part of the update files. For this I removed the binary part from the VBF file. In IDA I set the kernel options to the "ARMv4" instruction set (which forces ARM mode, not Thumb), gave it a RAM section located at 0x4000 0000 with a size of 0x8000 and a ROM section at 0x0000 0000 where I load the SBL code (which only has a size of 0x6CC).

This is set inside the VBF, but as a 16-bit address and call, whereas the other parts are given as 32-bit addresses. Strange... Also I don't really believe that it goes at the start of program flash. From all I read and from the address I would think it is transferred to the data flash of the MAC, which is only 48 kB in size and therefore uses 16-bit addresses. Also there is a boot mode for the chip to boot from data flash.

But most of all I would believe it just resides in RAM and 0x0000 is an alias for "put and execute anywhere, or at start of RAM".

Anyway, IDA cannot interpret the first 4 bytes as a valid ARM instruction, so a little help would be fine here :-)
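Pulling the binary part out of a VBF by hand is error-prone because each block carries its own load address, length and checksum, and the address is exactly what IDA needs as the ROM base. The following is an added example, not code from this thread or from any Ford tool. It assumes the VBF layout as publicly documented for Volvo/Ford ECU software: an ASCII header enclosed in `header { ... }` (nested braces allowed), followed by binary blocks of `uint32 BE start address | uint32 BE length | data | uint16 BE checksum`, where the checksum is the 16-bit sum of the data bytes. Only raw blocks (`data_format_identifier = 0x00`) are handled; the sample file it builds, including its part number, is constructed here for the demo.

```python
"""Split a VBF container into its flash blocks so each can be loaded into IDA
at its real address.  Added example; the block layout is an assumption."""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class VbfBlock:
    start: int      # flash address the block is written to (IDA ROM base)
    data: bytes

    @property
    def end(self) -> int:
        return self.start + len(self.data)


def split_header(vbf: bytes) -> tuple[str, bytes]:
    """Return (header text, binary payload); the header ends at the brace that
    closes 'header {', nested braces (e.g. 'erase = { {...} }') included."""
    pos = vbf.index(b"{", vbf.index(b"header"))
    depth = 0
    for i in range(pos, len(vbf)):
        if vbf[i] == 0x7B:          # '{'
            depth += 1
        elif vbf[i] == 0x7D:        # '}'
            depth -= 1
            if depth == 0:
                return vbf[: i + 1].decode("ascii", "replace"), vbf[i + 1:]
    raise ValueError("unterminated VBF header")


def header_field(header: str, name: str) -> str | None:
    """Pull a scalar header field such as sw_part_type or data_format_identifier."""
    m = re.search(rf'\b{re.escape(name)}\s*=\s*"?([^";\s]+)"?\s*;', header)
    return m.group(1) if m else None


def parse_blocks(payload: bytes) -> list[VbfBlock]:
    """Walk the binary section, verifying each block's additive checksum."""
    blocks: list[VbfBlock] = []
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 10:     # 8-byte block header + 2-byte checksum
            raise ValueError(f"truncated block header at payload offset {pos:#x}")
        start, length = struct.unpack_from(">II", payload, pos)
        pos += 8
        data = payload[pos: pos + length]
        if len(data) != length or len(payload) - (pos + length) < 2:
            raise ValueError(f"block at {start:#010x} runs past end of file")
        pos += length
        (stored,) = struct.unpack_from(">H", payload, pos)
        pos += 2
        if stored != sum(data) & 0xFFFF:
            raise ValueError(f"checksum mismatch for block at {start:#010x}")
        blocks.append(VbfBlock(start, data))
    return blocks


def parse_vbf(vbf: bytes) -> tuple[str, list[VbfBlock]]:
    header, payload = split_header(vbf)
    fmt = header_field(header, "data_format_identifier")
    if fmt is not None and int(fmt, 0) != 0:
        raise NotImplementedError(f"data_format_identifier {fmt}: block data is encoded")
    return header, parse_blocks(payload)


def build_sample_vbf(blocks: list[tuple[int, bytes]], part_type: str = "SBL") -> bytes:
    """Constructed test input in the assumed layout (not a real Ford file)."""
    header = (
        "vbf_version = 2.2;\nheader {\n"
        '    sw_part_number = "EXAMPLE-00000-AA";\n'   # hypothetical part number
        f"    sw_part_type = {part_type};\n"
        "    data_format_identifier = 0x00;\n"
        "    erase = { { 0x00000000, 0x00001000 } };\n"
        "}"
    ).encode("ascii")
    body = b"".join(
        struct.pack(">II", start, len(data)) + data + struct.pack(">H", sum(data) & 0xFFFF)
        for start, data in blocks
    )
    return header + body


if __name__ == "__main__":
    # An SBL-sized block: one ARM 'B' word followed by filler, 0x6CC bytes in total.
    sample = build_sample_vbf([(0x00000000, bytes.fromhex("EA000404") + b"\x00" * 0x6C8)])
    header, blocks = parse_vbf(sample)
    for b in blocks:
        print(f"{header_field(header, 'sw_part_type')}: load {len(b.data):#x} bytes at {b.start:#010x}")
```

Each `VbfBlock.start` is the address to give IDA for that block's ROM segment, and a checksum mismatch means the file was cut at the wrong offset rather than a bad download. A non-zero `data_format_identifier` is rejected rather than silently loaded, since such blocks are not plain flash contents.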
Ursadon
Active member
Posts: 81
Joined: 10 Mar 2019, 19:23

Re: How to recover bricked Convers+

Post by Ursadon »

I'm certainly not a JTAG guru, but can you reset the PVIOL bit in the CFMUSTAT register by writing 0xFF to 0xFC0F0020?
Can you read registers via JTAG? :roll:
Not native English speaker :cry:
IPC hacker, embedded cracker, tamer of bears & beers
Go4IT

Re: How to recover bricked Convers+

Post by Go4IT »

Good thoughts, but I tried it, and I already knew that it would not work. As I described above, in the current locked state of the chip it is not possible to even connect to it by JTAG. Only if set to "extended mode" (set MODB to HIGH via the test point on the board) can I connect, but in this mode there is no access to the internal flash. Also, because the chip is still locked, it seems that the only JTAG commands it accepts are the unlock procedure, in which the flash gets erased. I would do this, but then I lack the bootloader and the chip won't even start any software. Maybe it won't occupy the whole first 0x5000 bytes, but I don't know if the SBL from the firmware package is really this bootloader. Also I have no idea what's inside the data flash of the chip, which gets erased as well.

What I need is an install package for a virgin chip to program. The firmware updates are made for chips already programmed with some software. It's like the update for the satnav units: they contain only the parts to change, not the whole system. So it is not possible to recover a totally cleaned satnav from only the Servicepack files.

The only way to recover the Convers into a good state would be to have the unlock key (8-byte password), which needs to be written with a special unlock procedure after reset. As far as I understand the docs, there is no try count for it, so in theory it could be brute-forced. But even if you managed one try per millisecond, it would take nearly 600 million years to try all combinations.
Ursadon

Re: How to recover bricked Convers+

Post by Ursadon »

Up.
Did you unlock the kernel? I want to try to connect via JTAG to my board, but I'm afraid :)

What caused the blocking? Have you tried to read the whole memory?
The SBL has no key. It seems that the SBL just maps requests to write. There is no code for direct CAN access.

Here is the IDA 7.0 project:
7M2T-14C025-AA.zip
Go4IT

Re: How to recover bricked Convers+

Post by Go4IT »

I'm not sure what you mean by "unlock the kernel"?
What I did was to identify the JTAG signals by tracing the MAC7116 pins (after downloading the datasheet) to the header pins. Then I connected using my Segger J-Link and the connection worked. Next I used J-Flash and tried to read all the flashes. First it worked but soon aborted. After that I switched off the power of the Convers and wanted to try again, but it has never come up since then. After that I dug into the datasheet and found that there can be a read protection which locks down the chip by writing some flag to an internal flash or EEPROM. When the processor starts up and sees this flag, it halts. To remove the flag one needs to execute a recovery procedure, for which you need an 8-byte-long security password. Then you are able to get it up and running again. The other method would be to erase the whole program and data flash and write new software onto it. But I can't, because no one has this software (IBL, initial bootloader).
Ursadon

Re: How to recover bricked Convers+

Post by Ursadon »

I've dumped the first 0x5000 bytes of memory.
It seems that the first 0x400 is I2C EEPROM.
Actually, there is no QNX kernel (which must be in the first 0x400 bytes), but it has some "core" functions, like:

Semihosting: [image: 1.png]
Or setting CAN addresses: [image: 2.png]

Also I possibly found the calibration name for the Primary Bootloader: VP8M2F-14D025-CA

pbl.zip
Go4IT

Re: How to recover bricked Convers+

Post by Go4IT »

Great job! But I can't access the firmware file using the usual gateways, e.g. http://www.ucdsys.ru/calibration/ gives: "VP8M2F-14D025-CA file not found or error"

How did you manage to dump this?

I will try to reprogram my bricked IPC with it, maybe it works!
Ursadon

Re: How to recover bricked Convers+

Post by Ursadon »

Go4IT wrote: 13 Jul 2019, 15:27
    Great job! But I can't access the firmware file using the usual gateways, e.g. http://www.ucdsys.ru/calibration/ gives: "VP8M2F-14D025-CA file not found or error"

    How did you manage to dump this?

    I will try to reprogram my bricked IPC with it, maybe it works!

I read this using UDS procedures.
Anyway, if you reprogram with this, you will fail. There is no vector table in my dump.
Also, 0x414 = 0x02000080
So the flash is locked and there is no security key. How do you plan to reflash? :)

And it seems that there is no code between 0x1f and 0xfff. Just a jump from 0x00000000 to 0x1000+4 to start the main thread :)
Go4IT

Re: How to recover bricked Convers+

Post by Go4IT »

Thanks for the advice Ursadon! If I understood the manual, there is a JTAG recovery procedure where you send a NEXUS-ACCESS code into the IR and commands to FULL ERASE the chip's internal flashes (data and program). After that one must perform a BLANK CHECK command, and after that the chip is unsecured until the next reset.
In this stage one should be able to program the flash and also set the CFM security registers to permanently keep it unlocked.
BUT, this is pure theory... hopefully there is NEXUS programming software which is able to handle all those steps. I'm not sure if the Segger J-Link is sufficient for that.

I did not find what you have extracted in any of the firmware files, nor could I find the firmware file for the part number anywhere.
Ursadon

Re: How to recover bricked Convers+

Post by Ursadon »

Go4IT wrote: 16 Jul 2019, 05:21
    I did not find what you have extracted in any of the firmware files, nor could I find the firmware file for the part number anywhere.

It seems that this calibration file doesn't exist anymore.

Here is the vector table:
0x00000000 EA 00 04 04 EA 00 14 BF EA 00 14 BF EA 00 14 BF
0x00000010 EA 00 14 BF EA 00 14 BF EA 00 14 BF EA 00 14 BF

The reset vector points to 0x1018:
[image: vect.png]
So just combine vectors (@0x00000000-1F) + PBL (@0x00001000-4FFF) + MAINFW (*-CE.vbf, @0x00005000-FFFFF) and you will get the MAC7116 firmware.