
disassembling travelpilot fx firmware system.elf file

Posted: 13 Jan 2020, 20:40
by tomy75
hello

In the file system.elf there are many interesting things; Ghidra disassembles it better than IDA Pro and

shows many functions that are not visible in IDA.

I found an interesting function in system.elf:


/*
 * Ghidra decompilation of FUN_9012a358 from the Travelpilot FX system.elf.
 * The string passed to FUN_90164608 names it "vCalulatePaths" (sic, as found
 * in the binary).  The function fills a table of file paths inside the object
 * at param_1 from (a) a variant directory chosen by four predicate calls,
 * (b) a device root chosen by the media type at param_1+0x13dc and (c) a
 * fixed list of file names.  Nothing in this function opens, reads or
 * verifies a file; it only builds strings.
 *
 * Layout recovered from the offsets used below (100-byte slots):
 *   param_1+0x94   : 28 slots of 100 bytes (0xaf0 == 28*100), zeroed first
 *   param_1+0xb84  : 20 slots of 100 bytes (2000 == 20*100), zeroed first
 *   param_1+0x13d8 : pointer to the device root string
 *   param_1+0x13dc : media type selector; 1, 3, 4 and 6 are the known values
 *
 * Helper roles are inferred from how they are used here, not from their
 * bodies -- confirm in the disassembly before relying on them:
 *   FUN_900ed508(dst, src)      -- sets dst to src (always the first call on a slot)
 *   FUN_900ed430(dst, src)      -- appends src to dst (always called after it)
 *   FUN_90001dd2(dst, 0, n)     -- clears n bytes (memset-like usage)
 *   FUN_9013b414(code, ...)     -- error/trace report; only reached on fallbacks
 *   FUN_90164608/FUN_90164638   -- paired entry/exit calls on a 12+ byte stack
 *                                  record carrying the function name and a
 *                                  number that grows down the function
 *                                  (0x7ba, 0x7c6, 0x7ce, 0x7d9, 0x856),
 *                                  presumably source line numbers
 *
 * Review notes (security-relevant):
 *   - The device root may be /dev/usb_dnl (type 6) or /dev/cryptcard (type 4).
 *     Every path built here -- system.elf, system.bin, bootload.bin, the
 *     *.btl, force.*, erase.ffs and permi.tmo marker files -- is rooted on
 *     that medium, so whoever controls the medium controls which files the
 *     rest of the updater sees.  Whether a signature or permission check is
 *     applied to them is not visible in this function.
 *   - The second fallback check ("if (pcVar5 == (char *)0x0)" after the
 *     local_3c assignments) tests the wrong variable: pcVar5 is non-NULL by
 *     then, so the fallback is dead code and local_3c stays NULL when none of
 *     the four predicates matched.  That NULL is later handed to FUN_900ed430
 *     for slot 1 (the uVar4 == 1 branch of the first loop).
 *   - Slot 14 (ttslib.elf) is replaced by the string at DAT_9035fbc0 whenever
 *     that global byte is non-zero.  If FUN_900ed508 is an unbounded copy, a
 *     string longer than 99 bytes there overruns the 100-byte slot.
 */
void FUN_9012a358(int param_1)

{
int iVar1;
char *pcVar2;
int iVar3;
uint uVar4;
char *pcVar5;
char *local_3c;
undefined auStack56 [12];
undefined2 local_2c;
int local_28;
int local_24;
int local_20;
int local_1c;
int local_18;

/* Scope-entry record: function name plus a number (0x7ba == 1978). */
FUN_90164608(auStack56,"vCalulatePaths",7,0x7ba);
/* Variant directory #1.  The four predicates are tested in sequence and a
   later match overwrites an earlier one, so "/vw_ll_nf" wins over all. */
pcVar5 = (char *)0x0;
iVar1 = FUN_901641dc();
if (iVar1 != 0) {
pcVar5 = "/f_ls_rvc";
}
iVar1 = FUN_901641a0();
if (iVar1 != 0) {
pcVar5 = "/sgm710";
}
iVar1 = FUN_901641c8();
if (iVar1 != 0) {
pcVar5 = "/f_hs_rvc";
}
iVar1 = FUN_901641b4();
if (iVar1 != 0) {
pcVar5 = "/vw_ll_nf";
}
if (pcVar5 == (char *)0x0) {
/* No variant recognised: default to "/f_hs_rvc" and report code 0x1a8. */
pcVar5 = "/f_hs_rvc";
FUN_9013b414(0x1a8,0,7,0x7c6);
}
/* Variant directory #2: same predicates, different names.  Only used for
   slot 1 (the navarreg.uli path). */
local_3c = (char *)0x0;
iVar1 = FUN_901641dc();
if (iVar1 != 0) {
local_3c = "/ford_lsr";
}
iVar1 = FUN_901641a0();
if (iVar1 != 0) {
local_3c = "/sgm710";
}
iVar1 = FUN_901641c8();
if (iVar1 != 0) {
local_3c = "/ford_hs2";
}
iVar1 = FUN_901641b4();
if (iVar1 != 0) {
local_3c = "/vw_ll_nf";
}
if (pcVar5 == (char *)0x0) {
/* BUG (as compiled): tests pcVar5, which cannot be NULL any more, instead
   of local_3c.  This fallback is unreachable; local_3c stays NULL when no
   predicate matched. */
local_3c = "/ford_hs2";
FUN_9013b414(0x1a8,0,7,0x7ce);
}
/* Device root from the media type selector. */
*(undefined4 *)(param_1 + 0x13d8) = 0;
iVar1 = *(int *)(param_1 + 0x13dc);
pcVar2 = "/dev/cdrom";
if (iVar1 != 1) {
if (iVar1 == 3) {
pcVar2 = "/dev/cd1";
}
else {
if (iVar1 == 4) {
pcVar2 = "/dev/cryptcard";
}
else {
if (iVar1 != 6) {
/* Unknown media type: store the raw pointer 0x901693a0 (the IDA listing of
   this function shows "/dev/cdrom" at this point), report code 0xb0 with
   the offending value and skip the assignment after the if-chain. */
*(undefined4 *)(param_1 + 0x13d8) = 0x901693a0;
FUN_9013b414(0xb0,iVar1,7,0x7d9);
goto LAB_9012a44c;
}
pcVar2 = "/dev/usb_dnl";
}
}
}
*(char **)(param_1 + 0x13d8) = pcVar2;
LAB_9012a44c:
/* Table 1: 28 slots of 100 bytes starting at param_1+0x94, cleared first. */
local_18 = param_1 + 0x94;
FUN_90001dd2(local_18,0,0xaf0);
uVar4 = 0;
do {
local_1c = uVar4 * 100 + param_1 + 0x94;
/* Every slot starts with the device root. */
FUN_900ed508(local_1c,*(undefined4 *)(param_1 + 0x13d8));
pcVar2 = pcVar5;
if (((uVar4 == 0) || (uVar4 == 1)) || (uVar4 == 0xb)) {
/* Slots 0, 1 and 11 live under <root>/dnl/bin/nav.  Slot 0 gets no variant
   suffix; slot 1 (param_1+0xf8 == 0x94 + 100) gets local_3c, which may be
   NULL (see the note above); slot 11 gets pcVar5. */
FUN_900ed430(local_1c,"/dnl/bin/nav");
if (uVar4 != 0) {
iVar1 = local_1c;
if (uVar4 == 1) {
iVar1 = param_1 + 0xf8;
pcVar2 = local_3c;
}
goto LAB_9012a4a4;
}
}
else {
/* All other slots: <root>/dnl/bin/system/arion<variant>. */
FUN_900ed430(local_1c,"/dnl/bin/system/arion");
iVar1 = local_1c;
LAB_9012a4a4:
FUN_900ed430(iVar1,pcVar2);
}
uVar4 = uVar4 + 1;
} while (uVar4 < 0x1c);
/* File name per slot; slot index == (offset - 0x94) / 100:
   1 navarreg.uli, 11 SPECIAL/navarreg.uli, 0 common/navfx001.uli,
   2 system.elf, 3 system.bin, 4 bootload.bin, 9 plattapp.uli,
   10 plattreg.uli, 13 dsp.bin, 16 basereg.uli, 19 chinsi.elf,
   20 chinreg.uli, 7 radio.dnl, 22 sdsapp.uli, 23 sdsreg.uli,
   21 main_ver.bin, 8 testman.bin, 14 ttslib.elf, 15 *fgs.dnl. */
FUN_900ed430(param_1 + 0xf8,"/navarreg.uli");
FUN_900ed430(param_1 + 0x4e0,"/SPECIAL/navarreg.uli");
FUN_900ed430(local_18,"/common/navfx001.uli");
FUN_900ed430(param_1 + 0x15c,"/system.elf");
FUN_900ed430(param_1 + 0x1c0,"/system.bin");
FUN_900ed430(param_1 + 0x224,"/bootload.bin");
FUN_900ed430(param_1 + 0x418,"/plattapp.uli");
FUN_900ed430(param_1 + 0x47c,"/plattreg.uli");
FUN_900ed430(param_1 + 0x5a8,"/dsp.bin");
FUN_900ed430(param_1 + 0x6d4,"/basereg.uli");
FUN_900ed430(param_1 + 0x800,"/chinsi.elf");
FUN_900ed430(param_1 + 0x864,"/chinreg.uli");
FUN_900ed430(param_1 + 0x350,"/radio.dnl");
FUN_900ed430(param_1 + 0x92c,"/sdsapp.uli");
FUN_900ed430(param_1 + 0x990,"/sdsreg.uli");
FUN_900ed430(param_1 + 0x8c8,"/main_ver.bin");
FUN_900ed430(param_1 + 0x3b4,"/testman.bin");
local_20 = param_1 + 0x60c;
FUN_900ed430(local_20,"/ttslib.elf");
iVar1 = 0;
local_24 = param_1 + 0x670;
/* Slot 15: brand-specific fgs.dnl.  The loop body runs exactly once (iVar1
   becomes 1 and the while condition fails), so this is really an
   if / else-if chain on FUN_90125290(): 2 -> SEAT, 1 -> SKODA, else the
   plain /fgs.dnl.  FUN_90124e74() is called before each query; its result
   is not used in this rendering. */
do {
FUN_90124e74();
iVar3 = FUN_90125290();
if (iVar3 == 2) {
pcVar2 = "/SEAT_fgs.dnl";
LAB_9012a6f2:
FUN_900ed430(local_24,pcVar2);
break;
}
FUN_90124e74();
iVar3 = FUN_90125290();
if (iVar3 == 1) {
pcVar2 = "/SKODA_fgs.dnl";
goto LAB_9012a6f2;
}
FUN_900ed430(local_24,"/fgs.dnl");
iVar1 = iVar1 + 1;
} while (iVar1 == 0);
/* Optional override: when the global byte at DAT_9035fbc0 is non-zero the
   whole ttslib slot (14) is replaced by the string stored there, and a
   check/notify pair on (0x2203, 5) runs whose meaning is not visible here. */
if (DAT_9035fbc0 != '\0') {
FUN_900ed508(local_20,&DAT_9035fbc0);
iVar1 = FUN_9011ca92(0x2203,5);
if (iVar1 == 1) {
FUN_9011cb24(0x2203,5,1,5);
}
}
/* Table 2: 20 slots of 100 bytes starting at param_1+0xb84.  Slots 1 and 2
   keep the bare device root (DAT_9012a8c0 / DAT_9012a8c8 are appended to
   them right after the loop; the IDA listing shows "/DNL" and "/dnl");
   every other slot becomes <root>/dnl/bin/system/arion<variant>. */
FUN_90001dd2(param_1 + 0xb84,0,2000);
uVar4 = 0;
do {
local_28 = uVar4 * 100 + param_1 + 0xb84;
FUN_900ed508(local_28,*(undefined4 *)(param_1 + 0x13d8));
if ((uVar4 != 1) && (uVar4 != 2)) {
FUN_900ed430(local_28,"/dnl/bin/system/arion");
FUN_900ed430(local_28,pcVar5);
}
uVar4 = uVar4 + 1;
} while (uVar4 < 0x14);
/* Marker / control file names; slot index == (offset - 0xb84) / 100.
   These names (force.*, erase.ffs, *.btl, noreset.*, permi.tmo) suggest
   the update flow is steered by files present on the medium -- an
   inference from the names only; what reads them is outside this function. */
FUN_900ed430(param_1 + 0xbe8,&DAT_9012a8c0);
FUN_900ed430(param_1 + 0xc4c,&DAT_9012a8c8);
FUN_900ed430(param_1 + 0xcb0,"/erase.ffs");
FUN_900ed430(param_1 + 0x1160,"/permi.tmo");
FUN_900ed430(param_1 + 0xd14,"/force.nav");
FUN_900ed430(param_1 + 0xd78,"/force.sys");
FUN_900ed430(param_1 + 0xddc,"/force_ej.ect");
FUN_900ed430(param_1 + 0xe40,"/never_ej.ect");
FUN_900ed430(param_1 + 0xea4,"/ffsnand.bat");
FUN_900ed430(param_1 + 0xf08,"/ffsbat.ena");
FUN_900ed430(param_1 + 0xf6c,"/ffsbatdata");
FUN_900ed430(param_1 + 0xfd0,"/upgrade.btl");
FUN_900ed430(param_1 + 0x1034,"/dwngrade.btl");
FUN_900ed430(param_1 + 0x1098,"/replace.btl");
FUN_900ed430(param_1 + 0x10fc,"/ignore.btl");
FUN_900ed430(param_1 + 0x11c4,"/noreset.fgs");
FUN_900ed430(param_1 + 0x1228,"/noreset.850");
FUN_900ed430(param_1 + 0x12f0,"/cfgdev.fgs");
/* Slot 18 is reset to the bare device root, so ONLYSOP1.DAT is looked up at
   the top level of the medium rather than under the arion directory. */
FUN_900ed508(param_1 + 0x128c,*(undefined4 *)(param_1 + 0x13d8));
FUN_900ed430(param_1 + 0x128c,"/ONLYSOP1.DAT");
/* local_2c sits 12 bytes after auStack56, i.e. presumably inside the scope
   record: update its number (0x856 == 2134) before the scope-exit call. */
local_2c = 0x856;
FUN_90164638(auStack56);
return;
}

Screenshot (38).png
memory map
Screenshot (39).png

Re: disassembling travelpilot fx firmware system.elf file

Posted: 13 Jan 2020, 20:56
by tomy75
Ghidra project with the system.elf disassembly:
ghidra travelpilof FX system.elf.rar

Re: disassembling travelpilot fx firmware system.elf file

Posted: 13 Jan 2020, 22:01
by Go4IT
You can find those functions with IDA as well, but it takes a bit more effort, because you have to "scan" for them: IDA's approach is to follow the execution paths from the known entry points, so it does not automatically find code that is only reached indirectly (e.g. through pointer tables) or not at all. Anyway, I don't see anything in system.elf that IDA has not found. The function you found is here as well:


/*
 * IDA Pro decompilation of the same function (sub_9012A358, "vCalulatePaths").
 * Compared with the Ghidra listing earlier in this thread the variant names
 * differ ("/ford_lsr", "/ford_hsr" here vs "/f_ls_rvc", "/f_hs_rvc" there),
 * there is one variant string (v3) instead of two, the numbers in the trace
 * records differ (1973 here vs 0x7ba == 1978) and the slot-1 path is built
 * differently.  Those are differences in the bytes, not in the decompiler,
 * so this is most likely a different build of system.elf; treat the two
 * listings as two firmware versions until checked against the image hashes.
 *
 * Same structure: pick a variant directory, pick a device root from the
 * media type at a1+5084 (== 0x13dc), then fill two tables of 100-byte path
 * slots (28 at a1+148 == 0x94, 20 at a1+2948 == 0xb84).  Helper roles are
 * inferred from usage only: sub_900ED508 sets a slot, sub_900ED430 appends
 * to it, sub_90001DD2 clears a region, sub_9013B3F0 reports a fallback.
 * IDA's argument lists for the undocumented helpers are guesses from
 * register state and should not be trusted: sub_901641A4(v8) is "passed"
 * the return value of the preceding append, sub_90001DD2 is shown with no
 * arguments, and sub_9011CB24 is shown with fifteen.
 */
int __fastcall sub_9012A358(int a1)
{
  int v1; // r4
  int v2; // r0
  const char *v3; // r6
  int v4; // r1
  const char *v5; // r0
  unsigned int v6; // r7
  int v7; // r1
  int v8; // r0
  int v9; // r0
  const char *v10; // r1
  int v11; // r7
  int v12; // r0
  const char *v13; // r1
  int v14; // r0
  unsigned int v15; // r7
  int v16; // r1
  int v17; // r1
  int v18; // r4
  char v20; // [sp+30h] [bp-38h]
  __int16 v21; // [sp+3Ch] [bp-2Ch]
  unsigned int v22; // [sp+40h] [bp-28h]
  int v23; // [sp+44h] [bp-24h]
  int v24; // [sp+48h] [bp-20h]
  unsigned int v25; // [sp+4Ch] [bp-1Ch]
  int v26; // [sp+50h] [bp-18h]

  v1 = a1;
  /* Scope-entry record (function name + number 1973); v21, twelve bytes
     after v20, is presumably its number field and is updated at the end. */
  v2 = sub_901645E4(&v20, "vCalulatePaths", 7, 1973, 0);
  /* Variant directory: later matches overwrite earlier ones. */
  v3 = 0;
  if ( sub_901641B8(v2) )
    v3 = "/ford_lsr";
  if ( sub_9016417C() )
    v3 = "/sgm710";
  if ( ((int (*)(void))sub_901641A4)() )
    v3 = "/ford_hsr";
  if ( sub_90164190() )
    v3 = "/vw_ll_nf";
  if ( !v3 )
  {
    /* No variant recognised: default and report 424 (== 0x1a8). */
    v3 = "/ford_hsr";
    sub_9013B3F0(424, 0, 7, 1985);
  }
  /* Device root from the media type selector (a1+5084 == 0x13dc). */
  *(_DWORD *)(v1 + 5080) = 0;
  v4 = *(_DWORD *)(v1 + 5084);
  v5 = "/dev/cdrom";
  if ( v4 != 1 )
  {
    switch ( v4 )
    {
      case 3:
        v5 = "/dev/cd1";
        break;
      case 4:
        v5 = "/dev/cryptcard";
        break;
      case 6:
        v5 = "/dev/usb_dnl";
        break;
      default:
        /* Unknown media type: fall back to /dev/cdrom, report 176 (== 0xb0)
           with the offending value, and skip the assignment below. */
        *(_DWORD *)(v1 + 5080) = "/dev/cdrom";
        sub_9013B3F0(176, v4, 7, 1995);
        goto LABEL_20;
    }
  }
  *(_DWORD *)(v1 + 5080) = v5;
LABEL_20:
  /* Table 1: 28 slots of 100 bytes at a1+148.  IDA dropped the arguments of
     the clear call; the Ghidra listing shows (a1+0x94, 0, 0xaf0). */
  v26 = v1 + 148;
  ((void (*)(void))sub_90001DD2)();
  v6 = 0;
  do
  {
    /* Each slot starts with the device root (arguments dropped by IDA here
       too: v25 and v7). */
    v7 = *(_DWORD *)(v1 + 5080);
    v25 = 100 * v6 + v1 + 148;
    ((void (*)(void))sub_900ED508)();
    if ( v6 && v6 != 1 && v6 != 11 )
    {
      /* Slots other than 0, 1, 11: <root>/dnl/bin/system/arion<variant>. */
      sub_900ED430(v25, "/dnl/bin/system/arion");
LABEL_26:
      v8 = sub_900ED430(v25, v3);
      goto LABEL_27;
    }
    /* Slots 0, 1, 11: <root>/dnl/bin/nav; slot 11 also gets the variant. */
    v8 = sub_900ED430(v25, "/dnl/bin/nav");
    if ( v6 && v6 != 1 )
      goto LABEL_26;
LABEL_27:
    /* The "hsr" predicate is re-evaluated on every iteration (v8 is not a
       real argument).  Slot 1 (a1+248) gets the variant only when it is
       false; when it is true the literal "/ford_hs2/..." is used below. */
    v9 = sub_901641A4(v8);
    if ( !v9 && v6 == 1 )
      v9 = sub_900ED430(v1 + 248, v3);
    ++v6;
  }
  while ( v6 < 0x1C );
  if ( sub_901641A4(v9) )
    v10 = "/ford_hs2/navarreg.uli";
  else
    v10 = "/navarreg.uli";
  /* File name per slot; slot index == (offset - 148) / 100:
     1 navarreg.uli, 11 SPECIAL/navarreg.uli, 0 common/navfx001.uli,
     2 system.elf, 3 system.bin, 4 bootload.bin, 9 plattapp.uli,
     10 plattreg.uli, 13 dsp.bin, 16 basereg.uli, 19 chinsi.elf,
     20 chinreg.uli, 7 radio.dnl, 22 sdsapp.uli, 23 sdsreg.uli,
     21 main_ver.bin, 8 testman.bin, 14 ttslib.elf, 15 *fgs.dnl. */
  sub_900ED430(v1 + 248, v10);
  sub_900ED430(v1 + 1248, "/SPECIAL/navarreg.uli");
  sub_900ED430(v26, "/common/navfx001.uli");
  sub_900ED430(v1 + 348, "/system.elf");
  sub_900ED430(v1 + 448, "/system.bin");
  sub_900ED430(v1 + 548, "/bootload.bin");
  sub_900ED430(v1 + 1048, "/plattapp.uli");
  sub_900ED430(v1 + 1148, "/plattreg.uli");
  sub_900ED430(v1 + 1448, "/dsp.bin");
  sub_900ED430(v1 + 1748, "/basereg.uli");
  sub_900ED430(v1 + 2048, "/chinsi.elf");
  sub_900ED430(v1 + 2148, "/chinreg.uli");
  sub_900ED430(v1 + 848, "/radio.dnl");
  sub_900ED430(v1 + 2348, "/sdsapp.uli");
  sub_900ED430(v1 + 2448, "/sdsreg.uli");
  sub_900ED430(v1 + 2248, "/main_ver.bin");
  sub_900ED430(v1 + 948, "/testman.bin");
  v24 = v1 + 1548;
  sub_900ED430(v1 + 1548, "/ttslib.elf");
  v11 = 0;
  v23 = v1 + 1648;
  /* Slot 15: brand-specific fgs.dnl.  The loop body runs once (++v11 is 1,
     so the goto at the bottom always fires); effectively an if / else-if:
     sub_90125290() == 2 -> SEAT, == 1 -> SKODA, else plain /fgs.dnl. */
  while ( 1 )
  {
    v12 = sub_90124E74();
    if ( sub_90125290(v12) == 2 )
    {
      v13 = "/SEAT_fgs.dnl";
      goto LABEL_40;
    }
    v14 = sub_90124E74();
    if ( sub_90125290(v14) == 1 )
      break;
    sub_900ED430(v23, "/fgs.dnl");
    if ( ++v11 )
      goto LABEL_42;
  }
  v13 = "/SKODA_fgs.dnl";
LABEL_40:
  sub_900ED430(v23, v13);
LABEL_42:
  /* Optional override of the ttslib slot (14) from a global string.  If
     sub_900ED508 is an unbounded copy, a string longer than 99 bytes there
     overruns the slot.  The 15-argument call is an IDA prototype guess; the
     Ghidra listing shows four arguments (0x2203, 5, 1, 5). */
  if ( byte_9035FB78 )
  {
    sub_900ED508(v24, &byte_9035FB78);
    if ( sub_9011CA92(8707, 5) == 1 )
      sub_9011CB24(8707, 5, 1, 5, 3, 5, 3, 7, 3, 2090, 5, 14, 7, v24, 0);
  }
  /* Table 2: 20 slots of 100 bytes at a1+2948.  Slots 1 and 2 keep the
     bare root and get "/DNL" / "/dnl" below; the rest become
     <root>/dnl/bin/system/arion<variant>. */
  sub_90001DD2(v1 + 2948, 0, 2000);
  v15 = 0;
  do
  {
    v16 = *(_DWORD *)(v1 + 5080);
    v22 = 100 * v15 + v1 + 2948;
    sub_900ED508(v22, v16);
    if ( v15 != 1 && v15 != 2 )
    {
      /* -1877568513 == 0x901693FF, an unresolved pointer into the string
         region that also holds "/dev/cdrom" (0x901693a0 in the Ghidra
         listing).  Ghidra resolves this argument as "/dnl/bin/system/arion". */
      sub_900ED430(v22, -1877568513);
      sub_900ED430(v22, v3);
    }
    ++v15;
  }
  while ( v15 < 0x14 );
  /* Marker / control file names; slot index == (offset - 2948) / 100.
     The names (force.*, erase.ffs, *.btl, noreset.*, permi.tmo) suggest the
     update flow is steered by files on the medium, which may be
     /dev/usb_dnl or /dev/cryptcard; whether they are authenticated is not
     visible here. */
  sub_900ED430(v1 + 3048, "/DNL");
  sub_900ED430(v1 + 3148, "/dnl");
  sub_900ED430(v1 + 3248, "/erase.ffs");
  sub_900ED430(v1 + 4448, "/permi.tmo");
  sub_900ED430(v1 + 3348, "/force.nav");
  sub_900ED430(v1 + 3448, "/force.sys");
  sub_900ED430(v1 + 3548, "/force_ej.ect");
  sub_900ED430(v1 + 3648, "/never_ej.ect");
  sub_900ED430(v1 + 3748, "/ffsnand.bat");
  sub_900ED430(v1 + 3848, "/ffsbat.ena");
  sub_900ED430(v1 + 3948, "/ffsbatdata");
  sub_900ED430(v1 + 4048, "/upgrade.btl");
  sub_900ED430(v1 + 4148, "/dwngrade.btl");
  sub_900ED430(v1 + 4248, "/replace.btl");
  sub_900ED430(v1 + 4348, "/ignore.btl");
  sub_900ED430(v1 + 4548, "/noreset.fgs");
  sub_900ED430(v1 + 4648, "/noreset.850");
  sub_900ED430(v1 + 4848, "/cfgdev.fgs");
  /* Slot 18 is reset to the bare root so ONLYSOP1.DAT is looked up at the
     top level of the medium. */
  v17 = *(_DWORD *)(v1 + 5080);
  v18 = v1 + 4748;
  sub_900ED508(v18, v17);
  sub_900ED430(v18, "/ONLYSOP1.DAT");
  /* Update the scope record's number (2130) and run the scope-exit call. */
  v21 = 2130;
  return sub_90164614(&v20);
}
But I definitely should give Ghidra a try, as its output looks very tidy, the disassembly as well!

So, do you understand what this function does?
This "/dev/usb_dnl" puzzles me, as it looks like there is some kind of USB update path inside. I found USB connections leading out to the service connector and even to the Quadlock (hidden, as the pins are cut).

I also wonder how to get at all those debug messages we find inside the image.

Re: disassembling travelpilot fx firmware system.elf file

Posted: 13 Jan 2020, 22:21
by tomy75
[quote=Go4IT]

I also wonder where to get all those debug messages from, we find inside the image.
[/quote]

Screenshot (40).png

Re: disassembling travelpilot fx firmware system.elf file

Posted: 14 Jan 2020, 07:46
by Go4IT
Those are only strings, not hard to find. What I mean is how to get the runtime messages, if they are enabled at all. I see some nullsubs inside; maybe the debug-output code was just stripped from the binary. It would be great to have some port (serial, USB, JTAG, SWD, or whatever) to see those messages when they appear.

But again, Ghidra seems to have all the same functionality as IDA Pro, and costs nothing!

Re: disassembling travelpilot fx firmware system.elf file

Posted: 16 Jan 2020, 09:34
by tomy75
Go4IT wrote: So, do you understand what this function does?
This "/dev/usb_dnl" puzzles me, as it looks like there is some kind of USB update possibility inside. I found USB connections leading out to the service connector and even the quadlock (hidden, as the pins are cutted).

Where did you find the USB connections?
Can you send me a picture?

Thanks

Re: disassembling travelpilot fx firmware system.elf file

Posted: 27 Jan 2020, 21:51
by Stevebe
tomy75 wrote: 13 Jan 2020, 20:56 Ghidra project with system.elf file disassembling

ghidra travelpilof FX system.elf.rar
How do I open it? It's locked to your user; I'd need you to share it or something.
This is the first time I've used Ghidra.

Re: disassembling travelpilot fx firmware system.elf file

Posted: 28 Jan 2020, 03:08
by Stevebe
tomy75 wrote: 13 Jan 2020, 20:56 Ghidra project with system.elf file disassembling

ghidra travelpilof FX system.elf.rar
I did try to look at your .elf, but your project is not set up as a shared project. Can we use GitHub?

Re: disassembling travelpilot fx firmware system.elf file

Posted: 07 Feb 2020, 10:38
by oscarboiro
Today, following the wiring diagrams, I connected an FX to USB and my PC recognised a Blaupunkt device.
I only connected Data+ and Data-, but the problem comes with the driver.

I took a screenshot of my device manager:
Blaupunkt multi purpose device.jpg
The next step is to find a driver, but I think it will be hard to find one.

Re: disassembling travelpilot fx firmware system.elf file

Posted: 07 Feb 2020, 11:06
by tomy75
Great work :)
We need to find a driver.