How to recover bricked Convers+ (SOLVED)

[Go4IT]

Extremely cool, Ursadon! How did you manage to extract this?

Ok, now i'm preparing for the unlock. There are some issues to solve, still looking for a good way to do this... or maybe a software (Lauterbach tool) to assist. In order to execute the Lockout recovery i need to bring the chip into the "Secured Single-Chip Mode", as this has "boot from program Flash" and "JTAG lockout recovery available".

[Ursadon]

I've just connected to IPC via jlink
Vectors i have dumped via jtag. PBL - via UDS procedures.
And i cant imagine, how you bricked it. Maybe wrong init script (in jflash)

[Go4IT]

Also, 0x414 = 0x02000080
So flash is locked and no security key. How you plan to reflash?

Are you shure about the content of this CFM mirror dword?
Binary it is 0b 0000 0010 0000 0000 0000 0000 1000 0000

From this DWORD the Bits 31–30 (red) are KEYEN for backdoor key access state, and 00 means disabled.
Bit 29 (blue) is SECSTAT Flash memory security status, and 0 means that Flash security is disabled.
Bits 28–16 (orange) are reserved, so it have no meaning for security.
Bits 15–2 (green) are NV, the Non-volatile flags. The NV bits are available as user-defined flags.
Bits 1–0 (yellow) is SEC, the Security state. Define the security state of the Flash array and 0x means "Flash memory is secured".

So this means, no backdoor available, and Flash security is not used, bit flash is currently secured, which determines the boot mode of the MCU. As MODA and MODB are set to GND, it is "Secured Single-Chip Mode" and "Boots from internal flash".

[Go4IT]

I've just connected to IPC via jlink
Vectors i have dumped via jtag. PBL - via UDS procedures.
And i cant imagine, how you bricked it. Maybe wrong init script (in jflash)

I've tried to readout the whole flash, and this is what locked the chip.
Would you share your init script to check, please?

[Ursadon]

Also, 0x414 = 0x02000080
So flash is locked and no security key. How you plan to reflash?

Are you shure about the content of this CFM mirror dword?
Binary it is 0b 0000 0010 0000 0000 0000 0000 1000 0000

From this DWORD the Bits 31–30 (red) are KEYEN for backdoor key access state, and 00 means disabled.
Bit 29 (blue) is SECSTAT Flash memory security status, and 0 means that Flash security is disabled.
Bits 28–16 (orange) are reserved, so it have no meaning for security.
Bits 15–2 (green) are NV, the Non-volatile flags. The NV bits are available as user-defined flags.
Bits 1–0 (yellow) is SEC, the Security state. Define the security state of the Flash array and 0x means "Flash memory is secured".

So this means, no backdoor available, and Flash security is not used, bit flash is currently secured, which determines the boot mode of the MCU. As MODA and MODB are set to GND, it is "Secured Single-Chip Mode" and "Boots from internal flash".

Sorry, it was been little-endian format
Muste be 0x80000020

[Go4IT]

Here is IDA 7.0 project:
7M2T-14C025-AA.zip

I can't load the *.idb file from within this ZIP into my IDA Pro 7.0 (64 Bit). It don't recognize this extension.

[Go4IT]

reset vector points to 0x1018:
vect.png

What IDA options did you set to disassemble correctly? I choose ARM (no thumb) 32 Bit, Little Endian, but did not get those results.

[Go4IT]

So just combine vectors (@0x00000000-1F)+ PBL (@0x00001000-4FFF)+ MAINFW (*-CE.vbf, @0x00005000-FFFFF) and you will get the MAC7116 firmware

Your PBL bin file is 0x5010 bytes long, so it does not fit into 0x1000 - 0x4FFF, it is 0x1010 bytes too long.

Also the branch-destination 0x1018 starts at 0x2018 if i concat like you said. I guess your disasm above is made only with PBL file loaded into IDA, right? But if i concat the files, there is no code (0xEF) at 0x1018.

[Go4IT]

What i found out about the MAC7116 was:

* CPU: ARM7
* Core: ARM7TDMI-S:
* 32 Bit Big-Endian
* ARMv4T Instruction-Set
* 50 MHz Clock
* 8kb unified cache
* Memory Management Unit (MMU)
* EmbeddedICE macrocell consists of on-chip logic to support debug operations via JTAG-Interface
* The core is implemented to support big-endian memory systems.
* Quartz: 8 MHz
* Program Flash: 1 MByte
* Data Flash: 32 KByte
* SRAM: 48 KByte

[Go4IT]

Sorry, it was been little-endian format
Muste be 0x80000020

Ok, it should be big endian, right. So it's binary represenation is:
1000 0000 0000 0000 0000 0000 0010 0000
Which means: Backdoor key access enabled, Flash security is disabled, Flash memory secured.

Still don't get where you read those values from? Manual tell that it is containted in program flash at the given address, but you said that data between 0x0020 and 0x0FFF seems to be empty.