Reverse engineer Opel Touch&Connect (Bosch 7 612 830 130) dump

[Go4IT]

Lately i managed to get my hands on an dumpfile of this satnav and try to analyze what's inside. Here is what i found so far:
The full mainboard dump is 64 MBytes in size and the unit has nearly the same parts as an NX (OMAP5948 driven).

First i did a short "binwalk" over the image (Look what i found in the textfile attached for the output).

What attracts my attention where those ELF images that binwalk found inside:

Code: Select all

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1310804       0x140054        ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
...
7471188       0x720054        ELF, 32-bit LSB executable, ARM, version 1 (SYSV)

A short "dd" and "readelf" gives us even more details:

Code: Select all

root@host:~ dd bs=1 skip=$((0x140054)) if=OPEL-TC_7612830130_CM0130B1962659_S29GL512.bin of=elf_1.bin
root@host:~ readelf -a elf_1.bin
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           ARM
  Version:                           0x1
  Entry point address:               0x90000000
  Start of program headers:          6102988 (bytes into file)
  Start of section headers:          6101748 (bytes into file)
  Flags:                             0x4000016, Version4 EABI, <unknown>
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         1
  Size of section headers:           40 (bytes)
  Number of section headers:         31
  Section header string table index: 30

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] SDRAM_INIT        PROGBITS        90000000 000034 000040 00  AX  0   0  8
  [ 2] SDRAM_RO          PROGBITS        90000040 000074 188b70 00  AX  0   0  8
  [ 3] PADDING1          PROGBITS        90188bb0 188be4 001000 00  WA  0   0  1
  [ 4] DOE_SDRAM_RO      PROGBITS        90189bb0 189be4 08b6b4 00  AX  0   0  4
  [ 5] PADDING2          PROGBITS        90215264 215298 001000 00  WA  0   0  1
  [ 6] SDRAM_RW          PROGBITS        90216264 216298 057f24 00  WA  0   0  8
  [ 7] SDRAM_ZI          NOBITS          9026e188 26e1bc 21fc38 00  WA  0   0  8
  [ 8] RAMDISK_NOINIT    PROGBITS        9048ddc0 26e1bc 000110 00  WA  0   0  4
  [ 9] DOE_SDRAM_RW      PROGBITS        9048ded0 26e2cc 002a14 00  WA  0   0  8
  [10] DOE_SDRAM_ZI      NOBITS          904908e4 270ce0 172cfc 00  WA  0   0  4
  [11] SDRAM_STACK_ZI    NOBITS          906035e0 270ce0 00e02c 00  WA  0   0  8
  [12] DSP_IMAGE_RO      PROGBITS        a0000000 270ce0 0a8c7c 00  AX  0   0  4
  [13] TESTCODE_RO       PROGBITS        a1000000 31995c 01b5e8 00  AX  0   0  4
  [14] PADDING_TESTCODE  PROGBITS        a101b5e8 334f44 001000 00  WA  0   0  1
  [15] TESTCODE_RW       PROGBITS        a101c5e8 335f44 003e18 00  WA  0   0  8
  [16] TESTCODE_ZI       NOBITS          a1020400 339d5c 03a2e4 00  WA  0   0  8
  [17] BB_DSP_ZCLD_ZI    NOBITS          9e000004 339d5c 000010 00  WA  0   0  4
  [18] CC_DSP_SHARED_POO NOBITS          9e000014 339d5c 000c00 00  WA  0   0  4
  [19] DD_DSP_SHARED_SEM NOBITS          9e000c14 339d5c 016000 00  WA  0   0  4
  [20] FF_DSP_SHARED_ZCL PROGBITS        9e016c14 339d5c 000004 00  WA  0   0  4
  [21] GG_DSP_SHARED_POO PROGBITS        9e020000 339d60 000004 00  WA  0   0  2
  [22] HH_DSP_SHARED_SPE NOBITS          9e120000 339d64 00c350 00  WA  0   0  1
  [23] POWER_MODE        PROGBITS        20004000 339d64 000188 00  AX  0   0  4
  [24] IDLE_ENTRY        PROGBITS        20003000 339eec 0001ec 00  AX  0   0  4
  [25] RADIOLIB_RO_N     PROGBITS        d0000000 33a0d8 06aaac 00  AX  0   0  4
  [26] RADIOLIB_RW_N     PROGBITS        d0080000 3a4b84 000494 00  WA  0   0  8
  [27] RADIOLIB_ZI_N     NOBITS          d00c0000 3a5018 003c6c 00  WA  0   0  4
  [28] .note             NOTE            00000000 3a5018 00007c 00      0   0  4
  [29] .comment          PROGBITS        00000000 3a5094 22c8c0 00      0   0  0
  [30] .shstrtab         STRTAB          00000000 5d1954 00019e 00      0   0  0
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  y (purecode), p (processor specific)

There are no section groups in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000034 0x90000000 0x90000000 0x3a4fe4 0x7a67f4 RWE 0x8

 Section to Segment mapping:
  Segment Sections...
   00     SDRAM_INIT SDRAM_RO PADDING1 DOE_SDRAM_RO PADDING2 SDRAM_RW SDRAM_ZI RAMDISK_NOINIT DOE_SDRAM_RW DOE_SDRAM_ZI SDRAM_STACK_ZI

There is no dynamic section in this file.

There are no relocations in this file.

There are no unwind sections in this file.

No version information found in this file.

Displaying notes found in: .note
  Owner                Data size        Description
  ARM                  0x0000006c       Unknown note type: (0x40000000)
   description data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Code: Select all

root@host:~dd bs=1 skip=$((0x720054)) if=OPEL-TC_7612830130_CM0130B1962659_S29GL512.bin of=elf_2.bin
root@host:~ readelf -a elf_2.bin

Gives the same result as above, so it's just a copy inside the flash... a "diff" shows that both ELF images are equal. We come to this later...

The goods of ELF are that we know the this ELF is loaded at 0x9000 0000 and also executed from there (Entry Point Address). At this location we find the segment "SDRAM_INIT" (ha, who had thought this?!

Now load it into IDA Pro at 0x9000 0000 and see what IDA can do with it. IDA starts analyzing, which takes a while.

[Go4IT]

Whats also very enliteningh are those lines from the binwalk.

This gives us a hint of the development environment/libraries used to build the software:

Code: Select all

1606832       0x1884B0        Copyright string: "Copyright (c) 2003 - 2005 Datalight, Inc."

Also Datalight (see https://en.wikipedia.org/wiki/Datalight for more information) has made a special bullet-proof filesystem for Flash-chips called "Reliance" (https://www.datalight.com/products/embe ... e-systems/) and from all i see inside the upper Flash area, there are something like that used. Maybe a very old version, so we need to dig in archives of Datalight to get specs and tools. As there are definetly some interesting parts in the FS, it will be worth looking into it.

Here we find information about the Core-OS used called "Nucleus" from "Mentor Graphics Corporation":

Code: Select all

2825385       0x2B1CA9        Copyright string: "Copyright MGC 2003 - Nucleus PLUS v. 1.14.5 - ARM926T TI OMAP5912 RVCT 2.0.1"

An interesting short of Nucleus comes from the papers: "Nucleus PLUS is a real-time, preemptive, multitasking kernel designed for time-critical
embedded applications. Approximately 95% of Nucleus PLUS is written in ANSI C. Because of this, Nucleus PLUS is extremely portable and is currently available for use with most microprocessor families.
Nucleus PLUS is typically implemented as a C library. Real-time Nucleus PLUS applications are linked with the Nucleus PLUS library. The resulting object may be downloaded to the target or placed in ROM. In a typical target environment, the binary image of the Nucleus PLUS instruction area, assuming all services are used, requires roughly 20 Kbytes of memory."

So we now should be pretty shure the Kernel which is located in the first area of the Flash an get's loaded on boot is a Nucleus Kernel and the ELF is linked to it's libraries.

This CRC32 table binwalk has found, could be handy at some point because it should enable us to calculate CRC of own changes made where this is used to enshure integrity of data/program:

Code: Select all

2825688       0x2B1DD8        CRC32 polynomial table, little endian

It seems that the ELF creates Unix like device-links to communicate with the periphals on the board:

Code: Select all

/dev/i2c/tda7564 => Interface to the amplifier-chip TDA7564 which has an I2C serial interface

/dev/fgs/system => The FGS is the Front-Graphics-System, the graphicsboard.
/dev/fgs/download => Maybe a hook to program the Flash on the FGS without desoldering?
/dev/fgs/dim => Could be used for handling the backlight of the LCD-screen?

/dev/ffs/dnl/basereg.uli => The FFS should be "Flash-File-System", where to put data into, read, change, store them
/dev/ffs/DfuFirmware.dfu => Interesting, it has a DFU (Device Firmware Upgrade) file somewhere in filesystem
/dev/ffs2/FC_SPM_ENG.dat => "ffs2" could be just another Flash filesystem emulation (SD-Card?)
/dev/ffs2/myPOIs/ => POIs store for navigation
/dev/ffd/CD_PARAM => "ffd"

/dev/cd1/dnl/bin => Devicelink to access CD-ROM drive
/dev/cd1/Track 01.mp3 => Also used for playing music

/dev/usbms/dnl/bin => Access to USB-Port (this unit has one without need of external module)
/dev/usbms/Club/01_king_of_house-billie_jean__club_mix-mtc.mp3 => Seems to be used ;-)

/dev/cradle/phone

/dev/file/dld/thread.log => This could be interesting, a logfile?

/dev/cryptcard/RT2/RT3.TXT => "cryptcard" maybe a virtual interface for the SD-Card reader