https://gorgias.me/ Recent content on Gorgias' Blog Hugo -- gohugo.io en-us 2015 - 2026 Gorgias' Blog. Mon, 08 Sep 2025 02:23:48 +0800 https://gorgias.me/posts/igs-arcade-re-4/ Mon, 08 Sep 2025 02:23:48 +0800 https://gorgias.me/posts/igs-arcade-re-4/ <h1 id="embedded-architecture-analysis">Embedded Architecture Analysis</h1> <p>IGS’s anti-piracy technology isn’t particularly hard, but it’s extremely weird—probably because the code quality is terrible.</p> <p>IGS E2000 is essentially a combination of <strong>PC + game baseboard</strong> (designed by Advantech). It has to consider both <strong>anti-piracy</strong> and software reusability. The ASIC is basically a closed-box computational module: putting the game’s key logic inside it both improves performance and makes cracking harder.</p> <p><img loading="lazy" src="diagram.png" alt="diagram"/></p> <h2 id="main-executable-flow-analysis">Main Executable Flow Analysis</h2> <p>The main game executable allocates a stack frame of <code>0x200034</code>, where the buffer alone takes <code>0x200000</code>. And after allocating this stack, it never restores it. This causes IDA Pro to fail to decompile—no idea if this is intentional.</p> <p><img loading="lazy" src="main.png" alt="main"/></p> <p>The workaround is to patch the buffer size, shrink the function stack frame, undefine the function, and then re-identify it; then it can be decompiled successfully.</p> <p><img loading="lazy" src="edit_func.png" alt="edit_func"/></p> <ol> <li>During <code>mount_root</code> in the kernel and when the game starts, it verifies BIOS version info. The developer claimed it was “getting a CRC result”, but I searched everywhere CRC appears and couldn’t find any CRC computation logic related to anti-piracy at all.</li> <li>If BIOS validation fails, it then checks PCI driver information. If that fails, it seems to do nothing—but many identical validation stubs are inserted elsewhere, and failure there will block execution.</li> <li>System initialization: display, audio, graphics, text, language, ASIC, timer, PLXPCI, game, music, controllers, camera, bookkeeping, control, coin, mixer, etc.</li> <li>Refresh the ASIC 4 times, why???</li> <li>Load the base action file (TSGROM format); each load refreshes the ASIC once.</li> <li>Game version validation, show the first screen, load fonts, load sounds.</li> <li>Load the card reader.</li> <li>Game loop: 4 states (Game, Test, Setting, Demo), controllable via the ASIC.</li> </ol> <p><img loading="lazy" src="main_loop.png" alt="main_loop"/></p> <p>The game was developed with SDL 1.2.7. SDL (Simple DirectMedia Layer) is a cross-platform multimedia development library, mainly providing low-level access to audio, input devices (keyboard/mouse/gamepad), and graphics hardware. However, its performance is relatively low and is only suitable for 2D games. Percussion Master 2008 is a 2D game. Speed Driver 2 is a 3D game, so the difference between the two may be significant.</p> <p>At every place in the main executable where it interacts with the ASIC, the developer inserted a stub; I’ll temporarily call it <code>RealTimeEvent</code>. It should be a unified event handler: every logic change and animation change requires refreshing events. It’s used to implement various complex control functions and also bundles some anti-piracy behavior. Honestly, the code quality is awful—each call does a lot of computation, performance is poor, and it feels like building a SPA in pure JS + HTML.</p> <p>Logic of the state-check stub:</p> <ol> <li>Update clock</li> <li>Timer check</li> <li>Action handling</li> <li>Music handling</li> <li>Audio handling</li> <li>Key status and control input</li> <li>Bookkeeping</li> <li>Coin handling</li> <li>PLX PCI status handling</li> <li>SDL event handling</li> <li>Draw dynamic pentagon animation</li> <li>PCI control write</li> <li>ASIC 27 command write</li> <li>PCI data read</li> <li>Graphics refresh</li> </ol> <h3 id="region-initialization">Region Initialization</h3> <p>Percussion Master 2008 supports 7 regions and 3 languages: Simplified Chinese, Traditional Chinese, and English.</p> <p><img loading="lazy" src="location_table.png" alt="location_table"/></p> <h2 id="roio-bios-info-verification">ROIO BIOS Info Verification</h2> <p>The kernel runs a driver <code>/dev/roio</code>. The game compares it against a built-in version info table to perform validation. Both the kernel and the game embed tables. The likely workflow is that the developer parsed BIOS information using some tooling and then hard-coded physical offsets into both the game and the kernel.</p> <p><img loading="lazy" src="bios_table.png" alt="bios_table"/></p> <p>The BIOS info table structure differs slightly between kernel and main executable. The kernel uses 4-byte alignment, but the underlying idea is the same.</p> <p>Game BIOS table:</p> <pre tabindex="0"><code>struct bios_item { unsigned int index; // index unsigned char table_cmp_max_count; unsigned int value_addr; // base addr 0xC0000000 unsigned char char_cmp_max_count; unsigned int name_addr; } </code></pre><p>Kernel BIOS table:</p> <pre tabindex="0"><code>struct bios_item { unsigned int index; // index unsigned int table_cmp_max_count; unsigned int value_addr; // base addr 0xC0000000 unsigned int char_cmp_max_count; unsigned int name_addr; } </code></pre><p>The comparison logic is also very simple:</p> <p>Step 1: iterate the program’s built-in BIOS table to get the version string address, the target string physical address, iteration counts, etc.<br> Step 2: perform an IOCTL call to <code>/dev/roio</code> to compare the specified offset within System ROM against the program’s built-in string. If <strong>any single character</strong> matches, it passes. That’s unbelievably dumb.</p> <p>This kernel only allows running on 4 motherboard variants, but the game allows running on more devices, so it needs to validate whether the main executable, kernel, and motherboard match. This is an anti-piracy mechanism—just patch it out.</p> <p>Based on my analysis, the addresses and version strings are as follows; all addresses start from <code>0x0f0000</code>.</p> <pre tabindex="0"><code># Kernel + Game 0x0F086E i852-W83627HF 0x0FEC7C i852-W83627HF 0x0FEC8A 6A69YILTC-00 0x0FECDE Ph6A69YILT # Game 0x0FE0C1 L4S5MG3 0x0FEC84 6A6IXE19C-00 0x0FECDF I6A6IXE19 0x0FE0C1 L4S5MG/651+ 0x0F006D nVidia-nForce 0x0FECDE Ph6A61BPA9 0x0FEC8A 6A61B_00C-00 0x0FECDE Ph6A61B_00 </code></pre><p>Next is the ROIO driver. Most of its code has hidden anti-copy stubs and uses XOR. The performance impact is minimal, and it prevents copying game A’s program into game B’s system.</p> <ul> <li>Input mask: <code>0x1FB8408E</code></li> <li>Return mask: <code>0xC2E83AB8</code></li> </ul> <p><img loading="lazy" src="roio_0xfc.png" alt="ioctl_0xfc"/></p> <p>ROIO has three magic numbers:</p> <ul> <li><code>0xfc</code>: read 32-bit value at target address, little-endian</li> <li><code>0xfd</code>: read 32-bit value at target address, big-endian</li> <li><code>0xfe</code>: read 8-bit value at target address</li> </ul> <p>Finally, XOR with <code>0xC2E83AB8</code>.</p> <p><img loading="lazy" src="roio_ioctl_dispatcher.png" alt="roio_ioctl_dispatcher"/></p> <p>Here <code>data</code> is used as an offset. The base is <code>0xc0000000</code>, and it adds the BIOS info value because x86 uses paging, so CPU memory access goes through virtual addresses. Linux i386 virtual address offset definitions are:</p> <pre tabindex="0"><code>#define __PAGE_OFFSET (0xC0000000) #define __pa(x) ((unsigned long) (x) - PAGE_OFFSET) #define __va(x) ((void *)((unsigned long) (x) + PAGE_OFFSET)) </code></pre><p>From IOMEM mapping, you can also see the BIOS info address is located in System ROM:</p> <pre tabindex="0"><code># cat /proc/iomem 00000000-0009fbff : System RAM 0009fc00-0009ffff : reserved 000a0000-000bffff : Video RAM area 000c0000-000c7fff : Video ROM 000f0000-000fffff : System ROM 00100000-1feeffff : System RAM 00100000-0050aab5 : Kernel code 0050aab6-006f8f27 : Kernel data 1fef0000-1fefffff : reserved 1ff00000-1ff003ff : Intel Corp. 82801DB Ultra ATA Storage Controller d0000000-dfffffff : PCI Bus #01 d0000000-dfffffff : PCI device 10de:0221 (nVidia Corporation) e0000000-e7ffffff : Intel Corp. 82852/855GM Host Bridge e8000000-eaffffff : PCI Bus #01 e8000000-e8ffffff : PCI device 10de:0221 (nVidia Corporation) e8000000-e8ffffff : nvidia e9000000-e9ffffff : PCI device 10de:0221 (nVidia Corporation) eb000000-eb01ffff : PLX Technology, Inc. PCI &lt;-&gt; IOBus Bridge Hot Swap eb020000-eb02007f : PLX Technology, Inc. PCI &lt;-&gt; IOBus Bridge Hot Swap eb021000-eb0213ff : PLX Technology, Inc. PCI &lt;-&gt; IOBus Bridge Hot Swap eb022000-eb022fff : Intel Corp. 82801BD PRO/100 VE (CNR) Ethernet Controller eb022000-eb022fff : e100 eb100000-eb1003ff : Intel Corp. 82801DB USB2 eb100000-eb1003ff : ehci_hcd eb101000-eb1011ff : Intel Corp. 82801DB AC&#39;97 Audio Controller eb101000-eb1011ff : Intel 82801DB-ICH4 eb102000-eb1020ff : Intel Corp. 82801DB AC&#39;97 Audio Controller eb102000-eb1020ff : Intel 82801DB-ICH4 fec00000-ffffffff : reserved </code></pre><p>The BIOS chip package is PLCC 32, and it was successfully dumped with RT809H.</p> <p><img loading="lazy" src="PLCC32_BIOS.jpg" alt="PLCC32_BIOS"/></p> <p>After the system boots, some BIOS ROM data is parsed into memory—not a 1:1 copy—with an offset address of <code>0xF0000</code>.</p> <p><img loading="lazy" src="bios_version.png" alt="bios_version"/></p> <h2 id="pccard-random-value-check">PCCard Random Value Check</h2> <p>I truly don’t understand what the purpose of this code is. There’s a “SPY” keyword in the driver code; maybe it’s a hidden stub intended for anti-sniffing? It’s triggered when launching the program, initializing the game, and printing logs. If the BIOS check above fails, this check is also triggered. It requests <code>/dev/pccard0</code> via ioctl—either to obtain the result or to not obtain it.</p> <p><img loading="lazy" src="pccard_random_value_check1.png" alt="pccard_random_value_check1"/></p> <p>Request 0 list, used for comparing results. The list has 4 members corresponding to related offsets. It randomly selects one of the four, attaches a random number in the range <code>[17, 768]</code>, computes locally, sends it to the driver to “execute”, and receives it back. In fact, PCI doesn’t truly participate.</p> <pre tabindex="0"><code>0x64 基址：0xC8000000 设置 SPY_FLAG spy_fixec_func 0x6e 基址：0xD0000000 设置 SPY_FLAG spy_quit_func 0x96 基址：0xA8000000 设置 SPY_FLAG 0xa0 基址：0xB0000000 设置 SPY_FLAG </code></pre><p>Request 1 list, length 17:</p> <pre tabindex="0"><code>0xfe,0xc8,0xfd,0xa0,0x96,0x6e,0x64,0xdd,0xde,0xdf,0xe0,0xe1,0xe2,0xe3,0xe4,0xe5,0xe6 </code></pre><p>It checks whether a value in <code>[1, 255]</code> hits an entry in the list. It tries 5–30 times. If it hits, it decrements the attempt count by 1 and tries again. If it doesn’t hit, it requests via ioctl the offset corresponding to the random value (parameter <code>[17, 768]</code>), and the “magic number” is the matched value. My guess is it might be used to initialize the driver, but I can’t think of any other purpose. Why make it so complicated?</p> <p><img loading="lazy" src="pccard_random_value_check.png" alt="pccard_random_value_check"/></p> <p>Somewhere in the main game executable, I found leftover code. The XOR constant is <code>0xD4AA268A</code>. In Percussion Master 2008 I didn’t find any trigger logic; it should be a hidden stub for another game. This makes it more certain that this functionality is for anti-piracy (even though the design is awful).</p> <p><img loading="lazy" src="pccard_random_value_check2.png" alt="pccard_random_value_check2"/></p> <h2 id="asic-27-protocol">ASIC 27 Protocol</h2> <h3 id="a27-initialization">A27 Initialization</h3> <p>Communication between the main game executable and the I/O board goes through the PLX PCI 9030 chip and exchanges data via shared memory.</p> <p>After game startup and before ASIC 27 initialization, it loads the PCI 9030 driver and allocates a buffer specifically used to store the ASIC buffer, containing various state data. The developer calls it CommandPort.</p> <p><img loading="lazy" src="pci9030_init.png" alt="pci9030_init"/></p> <p>Next is initializing ASIC 27. It first updates a checksum: it accumulates values such as key sensitivity, key input, light status, system mode, and buffer size located in the buffer, then stores the checksum in two locations in the buffer. Every subsequent ASIC 27 request recalculates the checksum.</p> <p>It first writes <code>0x2024</code> bytes to ASIC 27 with command <code>0xfe</code>, i.e., directly copying the buffer data into shared memory. After ASIC processing, the shared memory is refreshed, and it will change <code>sm</code> from <code>0x1c</code> to other values to indicate processing completion.</p> <p>ASIC will synchronize the game configuration to the OS for updating game settings. It updates the following files:</p> <pre tabindex="0"><code>./pm2_data/storename.dat ./pm2_data/soundset.bin ./pm2_data/gameset.bin </code></pre><p>Then it sets <code>sm</code> to <code>0</code>, updates the checksum once more, and sends it to A27.</p> <h3 id="system-mode">System Mode</h3> <p>From analysis, the modes are:</p> <ul> <li><code>0x0</code>: default mode</li> <li><code>0x1</code>: ASIC test data read</li> <li><code>0x2</code>: key test</li> <li><code>0x3</code>: buzzer test</li> <li><code>0x4</code>: light board test</li> <li><code>0x5</code>: coin test</li> <li><code>0x6</code>: trackball test</li> <li><code>0x7</code>: SelMode, IGS Logo</li> <li><code>0x8</code>: Teammark</li> <li><code>0xc</code>: Coin Page</li> <li><code>0xf</code>: option</li> <li><code>0x14</code>: Photo</li> <li><code>0x10</code>: Song Play</li> <li><code>0x1a</code>: CCD</li> <li><code>0x1d</code>: adjust volume</li> </ul> <h3 id="a27-system-mode-write-state-machine">A27 System Mode Write State Machine</h3> <p>Pre-processing before sending data to ASIC. When <code>sm</code> is one of the following values, there is no processing logic and it returns 1:</p> <pre tabindex="0"><code>0x0,0x2,0x3,0x6,0x9,0xa,0xb,0x11,0x12,0x15,0x16,0x17,0x18,0x19,0x1b,0x1c,0x1e </code></pre><ul> <li><code>0x1</code>: test data write</li> <li><code>0x4</code>: light test</li> <li><code>0x5</code>: coin test</li> <li><code>0x7</code>: SelMode</li> <li><code>0x8</code>: Teammark</li> <li><code>0xc</code>: code removed</li> <li><code>0xe</code>: code removed</li> <li><code>0xf</code>: code removed</li> <li><code>0x10</code>: Song</li> <li><code>0x13</code>: code removed</li> <li><code>0x14</code>: code removed</li> <li><code>0x1a</code>: camera test</li> <li><code>0x1d</code>: adjust volume</li> </ul> <p>Other values trigger an assert.</p> <h3 id="a27-system-mode-analysis-state-machine">A27 System Mode Analysis State Machine</h3> <p>Data returned by ASIC is handled by the main game executable. When <code>sm</code> is one of the following values, there is no processing logic and it returns 1:</p> <pre tabindex="0"><code>0x0,0x6,0x9,0xa,0xa,0xb,0x11,0x12,0x15,0x16,0x17,0x18,0x19,0x1b,0x1c,0x1d,0x1e </code></pre><p>System Mode handling:</p> <ul> <li><code>0x1</code>: ASIC test data read</li> <li><code>0x2</code>: enter key test</li> <li><code>0x3</code>: enter buzzer test</li> <li><code>0x4</code>: enter light board test</li> <li><code>0x5</code>: coin test</li> <li><code>0x7</code>: load IGS LOGO</li> <li><code>0x8</code>: load Teammark data</li> <li><code>0xC</code>: code removed</li> <li><code>0xE</code>: code removed</li> <li><code>0xF</code>: code removed</li> <li><code>0x10</code>: Song</li> <li><code>0x13</code>: code removed</li> <li><code>0x14</code>: code removed</li> <li><code>0x1a</code>: CCD info</li> </ul> <p>Other values trigger an assert.</p> <h3 id="key-state-machine">Key State Machine</h3> <pre tabindex="0"><code> press ┌──────────────────────┐ │ │ ┌────▼─────┐ release ┌──┴─────┐ │ Idle │────────────►│Released│ │ (0) │ │ (3) │ └────▲─────┘ └──▲─────┘ │ │ │ press │ release │ │ ┌────┴─────┐ long press ┌──┴─────┐ │ Pressed │────────────►│Holding │ │ (1) │ │ (2) │ keep holding, counter++ └──────────┘ └────────┘ </code></pre><h3 id="buffer-struct-analysis">Buffer Struct Analysis</h3> <p>The maximum length of the buffer is 8192.</p> <p>The response header format:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">g_rBufferRead</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">_dwBufferSize</span><span class="p">;</span> <span class="c1">// 数据大小 </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">system_mode</span><span class="p">;</span> <span class="c1">// 系统模式 </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">coin_inserted</span><span class="p">;</span> <span class="c1">// 投币了 </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">a27_error_flag</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">short</span> <span class="n">error_number</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">key_io_list</span><span class="p">[</span><span class="mi">6</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">int8</span> <span class="n">key_channels</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">pc0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">pc1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">int16</span> <span class="n">area_code</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">int16</span> <span class="n">padding_1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">in_rom_version_name</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">ext_rom_version_name</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">int16</span> <span class="n">inet_password_data</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">int16</span> <span class="n">a27_has_message</span><span class="p">;</span> <span class="c1">// 决定 a27_message 是否携带数据 </span></span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">is_light_io_reset</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">pci_card_version</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">bCheckSum1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">bCheckSum2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">a27_message</span><span class="p">[</span><span class="mi">40</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">asic27_buffer</span><span class="p">[</span><span class="n">unknown</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>The request header format:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">g_rBufferWrite</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">_dwBufferSize</span><span class="p">;</span> <span class="c1">// 数据大小 </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">system_mode</span><span class="p">;</span> <span class="c1">// 系统模式 </span></span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">key_input</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">int16</span> <span class="n">trackball_data</span><span class="p">[</span><span class="mi">4</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">bCheckSum1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">bCheckSum2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">lightdisable</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">key_sensitivity</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">lightstate</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">lightpattern</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">data</span><span class="p">[</span><span class="n">unknown</span><span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><h3 id="a27-response-checksum">A27 Response Checksum</h3> <p>ASIC 27 responses also carry a checksum, which the main executable verifies. It is computed by summing the following fields:</p> <p><code>a27_has_message + inet_password_data + rd_is_light_io_reset + error_number + asic27_error + coin_inserted + system_mode[0] + buffer_size</code></p> <h3 id="buffer-obfuscation-analysis">Buffer Obfuscation Analysis</h3> <p>Compared to the older version, Percussion Master 2008 added a simple obfuscation layer. The goal is anti-piracy: to avoid running a copied ROM directly. When copying from the buffer into the ASIC 27 buffer, the data is obfuscated.</p> <p>The obfuscation is triggered only when System Mode matches the following values. Coincidentally, the data for these modes is not pre-processed by the Write state machine.</p> <ul> <li><code>0x7</code>: SelMode, IGS Logo</li> <li><code>0x8</code>: Teammark</li> <li><code>0xc</code>: Coin Page</li> <li><code>0xd</code>:</li> <li><code>0xe</code>:</li> <li><code>0xf</code>: Option</li> <li><code>0x13</code>:</li> <li><code>0x14</code>: Photo</li> <li><code>0x15</code>:</li> </ul> <p>During obfuscation, the program copies <code>asic27_buffer</code> data into <code>dest</code>. Using <code>dest</code> as the source, it processes in blocks. Each block is <code>0x500 = 1280</code> bytes. It takes a block, computes a perturbation value based on the first 4 bytes (block header) plus <code>mask_table</code>, and then performs a cyclic reordering of the block data according to that value, finally writing back to the buffer.</p> <pre tabindex="0"><code>v3 = mask_table[v1[0]]; v3 ^= mask_table[v1[1]]; v3 ^= mask_table[v1[2]]; v3 ^= mask_table[v1[3]]; </code></pre><p>Use <code>v3</code> to compute an offset. If remaining data is less than <code>0x500</code>, use <code>v3 % (remaining_length-4) + 4</code>. Otherwise use a fixed <code>v3 % 0x4FC + 4</code>, ensuring the offset range is <code>[4, 0x4FF]</code>.</p> <p>It first copies <code>[v3, end]</code> into the destination, then copies <code>[4, v3)</code>. The result is a “rotated” block. The first 4 bytes (header) are not copied in order; instead, they are skipped and then reassembled.</p> <p>I asked an AI to write a Python implementation.</p> <pre tabindex="0"><code>import random # size: 0x400 mask_table = [0x00, 0x00, 0x00, 0x00, 0x39, 0x4E, 0xC1, 0xE6, 0x02, 0x19, 0xB1, 0xB9, 0x63, 0xCB, 0xC7, 0x9E, 0xE4, 0xCD, 0x76, 0xE7, 0x23, 0x8D, 0xB3, 0x6B, 0x3F, 0xDA, 0x89, 0xF5, 0x4D, 0xCB, 0x56, 0xB5, 0xD3, 0xA9, 0xBC, 0x2E, 0xA0, 0xE0, 0x80, 0xD6, 0x92, 0x62, 0xDE, 0xC9, 0xFD, 0x24, 0x04, 0x06, 0x4B, 0x70, 0xB2, 0x21, 0x26, 0xD1, 0xB1, 0xAF, 0xA0, 0x29, 0x29, 0x9D, 0x0C, 0x5E, 0x59, 0x09, 0xA2, 0xC9, 0xF3, 0x67, 0x4F, 0xE6, 0xCD, 0x6E, 0xF3, 0x97, 0xF1, 0xF9, 0xD1, 0xE1, 0xCD, 0x26, 0x62, 0x0D, 0xF4, 0x7A, 0x72, 0x98, 0x3C, 0x9B, 0xE2, 0x43, 0xCE, 0x54, 0xF4, 0x44, 0xE9, 0xF5, 0x22, 0xC4, 0x3F, 0xD0, 0x38, 0x5F, 0x96, 0xAD, 0x05, 0xB7, 0x18, 0x47, 0xFE, 0x00, 0x14, 0xED, 0x5B, 0x75, 0x3B, 0xF2, 0x08, 0xA2, 0x44, 0x1E, 0xE5, 0x59, 0x68, 0x4A, 0x36, 0x9E, 0xF6, 0x87, 0x74, 0xAA, 0x70, 0x68, 0x6A, 0x1B, 0xED, 0x84, 0xE9, 0xB2, 0x35, 0xC5, 0x54, 0x83, 0xE8, 0x5B, 0x05, 0xD9, 0x77, 0x9A, 0xD6, 0x20, 0xD9, 0x48, 0xA9, 0x59, 0x18, 0x40, 0xB1, 0x5A, 0x81, 0xC1, 0x96, 0x7B, 0xC7, 0x1F, 0xD5, 0x5A, 0xB1, 0x01, 0x9E, 0xA8, 0x67, 0x52, 0xF4, 0x7A, 0x39, 0x51, 0x80, 0x18, 0xC9, 0x61, 0xEE, 0x01, 0xEC, 0x19, 0x2F, 0x25, 0xBC, 0x74, 0x85, 0x6A, 0x99, 0x92, 0x6A, 0x28, 0x13, 0xF6, 0x9A, 0xED, 0x02, 0x26, 0xF4, 0x69, 0x9F, 0x1E, 0xED, 0xC3, 0x18, 0x0E, 0xBD, 0x32, 0x1F, 0x47, 0x4F, 0x55, 0x8B, 0x91, 0x75, 0xEC, 0x66, 0xC8, 0x83, 0xED, 0x2E, 0x1B, 0x0F, 0xB0, 0x65, 0xEC, 0x87, 0xD3, 0xE0, 0xE2, 0x2B, 0x16, 0xCB, 0x0A, 0x0F, 0x70, 0x64, 0x52, 0xBA, 0x38, 0x6B, 0x5C, 0xEA, 0xFD, 0xA9, 0xB1, 0x8D, 0x8F, 0x26, 0x4B, 0xD9, 0xD3, 0x40, 0x4A, 0x66, 0x33, 0xBB, 0x01, 0xCE, 0x3C, 0x3C, 0x56, 0x14, 0xAE, 0xFD, 0x05, 0x7A, 0x8F, 0x4D, 0x4D, 0x79, 0x29, 0xCC, 0x81, 0xCD, 0x07, 0x43, 0x68, 0x57, 0x0C, 0xDA, 0xDE, 0x79, 0x1D, 0xE0, 0x01, 0x8D, 0x91, 0x17, 0x55, 0x4F, 0xF8, 0x25, 0x60, 0xCE, 0x11, 0x34, 0x3F, 0x3F, 0x03, 0xA3, 0xEF, 0xFA, 0xF5, 0x13, 0xE5, 0xEA, 0x75, 0x6A, 0xD7, 0xE1, 0x65, 0x94, 0x90, 0x42, 0xC9, 0x1D, 0x7F, 0x66, 0xDB, 0x68, 0xB8, 0x18, 0x18, 0x8B, 0x22, 0x49, 0x70, 0x71, 0x88, 0x2D, 0xD9, 0x96, 0x29, 0x4B, 0xAC, 0x7F, 0x58, 0x50, 0x57, 0x0F, 0xDC, 0x4D, 0xB9, 0x53, 0x81, 0x65, 0xD9, 0xB7, 0x85, 0x10, 0xF0, 0xCE, 0x4B, 0x2B, 0xAA, 0x7F, 0x7C, 0x75, 0xBA, 0xB2, 0x01, 0x64, 0x13, 0x07, 0x0A, 0x5E, 0x3F, 0xEF, 0xFA, 0x00, 0x8B, 0x31, 0x89, 0x6A, 0xE9, 0x17, 0x81, 0xC1, 0x4D, 0xEE, 0x31, 0x8C, 0xF0, 0x3A, 0xFD, 0x77, 0x90, 0xDF, 0x7C, 0x83, 0xDF, 0xF9, 0x99, 0xE4, 0xC0, 0xE5, 0x82, 0x22, 0xBD, 0x46, 0xBC, 0xF8, 0x23, 0xE1, 0xDD, 0x48, 0xF3, 0xE1, 0xB0, 0x66, 0x13, 0x93, 0x85, 0xB8, 0xEC, 0x9B, 0xCE, 0x0C, 0xEA, 0xDD, 0x14, 0x42, 0xDF, 0x45, 0x50, 0xAE, 0xC0, 0x60, 0xB2, 0xB7, 0x16, 0xB1, 0xAD, 0x2A, 0x2E, 0x1D, 0xC8, 0xE8, 0xE9, 0xAF, 0x0F, 0x44, 0x5D, 0xC5, 0x80, 0xA6, 0xB2, 0x01, 0xCF, 0xDB, 0x96, 0x49, 0x52, 0xC2, 0xBA, 0x97, 0x36, 0xB0, 0x33, 0x59, 0x88, 0x1D, 0x5A, 0x22, 0xAD, 0xA5, 0x9C, 0xD7, 0x5B, 0x59, 0xCA, 0x83, 0x7D, 0x7B, 0xFA, 0x84, 0x22, 0x65, 0x64, 0x7C, 0xDF, 0xF3, 0xA6, 0x41, 0x49, 0x14, 0x81, 0xED, 0x3B, 0x0C, 0x0A, 0xDF, 0xF6, 0x35, 0x79, 0x98, 0xDC, 0x6A, 0x5D, 0x0E, 0x94, 0x8B, 0x87, 0x5D, 0x0A, 0xEC, 0xFA, 0xC1, 0x6C, 0xE5, 0x01, 0xFD, 0x1E, 0x54, 0x29, 0xB7, 0xC6, 0x26, 0x33, 0x49, 0x60, 0x92, 0x44, 0xD2, 0x0C, 0x1E, 0x84, 0x03, 0x2B, 0x67, 0x82, 0xC3, 0x75, 0x7E, 0x2E, 0x2B, 0xC6, 0x96, 0x6E, 0x8A, 0x5D, 0x27, 0x7A, 0x62, 0x8C, 0xFE, 0x00, 0xCA, 0xFB, 0xFA, 0xD0, 0x9A, 0xB4, 0x60, 0xD1, 0x52, 0xC8, 0xB8, 0x7A, 0x83, 0xA9, 0xAE, 0x2A, 0x14, 0xFE, 0x33, 0xB1, 0x0F, 0xA2, 0x89, 0x25, 0xC1, 0xD5, 0x3A, 0xDE, 0xED, 0x09, 0xE1, 0x49, 0x4A, 0xD7, 0x9F, 0x49, 0xF1, 0x28, 0x88, 0xD1, 0x50, 0x2C, 0x24, 0x4C, 0x09, 0x36, 0x3F, 0x15, 0xD3, 0x1D, 0xA8, 0x1F, 0xE8, 0xAD, 0xC5, 0x5F, 0x95, 0x04, 0xFE, 0x2C, 0x6E, 0xB6, 0x0E, 0xF6, 0x47, 0x4A, 0xF6, 0xAC, 0x5C, 0xBA, 0xD9, 0x35, 0xEA, 0x27, 0x41, 0xF8, 0x84, 0xF2, 0xF8, 0x74, 0x2F, 0xE4, 0xEF, 0x69, 0xC6, 0xC7, 0x4B, 0xEC, 0xD7, 0xEB, 0x83, 0x47, 0xE3, 0x82, 0x74, 0x06, 0xD2, 0x64, 0x1D, 0xEB, 0xCD, 0x7C, 0x74, 0xFC, 0xF2, 0xC9, 0x3F, 0x90, 0x14, 0xDE, 0x1B, 0x25, 0xF8, 0x52, 0xE8, 0x9D, 0xB9, 0x11, 0x0A, 0xEC, 0xA5, 0x59, 0xEA, 0x5C, 0x7E, 0x7D, 0x33, 0x79, 0xEA, 0x26, 0xF6, 0x06, 0x23, 0x4D, 0x67, 0x26, 0x88, 0x12, 0xFE, 0x13, 0x9A, 0xE9, 0x66, 0x5A, 0x4F, 0x67, 0xB1, 0xBD, 0xA2, 0x89, 0x02, 0x40, 0x01, 0x7E, 0xF2, 0x4D, 0x0E, 0x98, 0x2C, 0x40, 0x8F, 0x8F, 0x90, 0x1B, 0x9F, 0x4D, 0x84, 0xB3, 0x9A, 0x03, 0x6E, 0x71, 0x24, 0x03, 0xFC, 0xD3, 0x23, 0x14, 0x3C, 0xA8, 0x90, 0x11, 0x54, 0x07, 0xDA, 0x3A, 0xDB, 0x19, 0x94, 0xC2, 0x6E, 0x7A, 0x92, 0x9F, 0x0C, 0x0C, 0x0F, 0x7D, 0xFA, 0xA4, 0x3A, 0x9B, 0xA0, 0xBB, 0xC4, 0x5C, 0xDA, 0xCE, 0x74, 0x78, 0x88, 0x8E, 0x83, 0xD8, 0xEE, 0x21, 0x31, 0x9E, 0x75, 0xC0, 0x2E, 0x2B, 0xE9, 0x17, 0x31, 0x46, 0x39, 0xD8, 0x85, 0xBC, 0xA9, 0xF8, 0x57, 0xCA, 0xA3, 0xE0, 0x59, 0xC5, 0xF2, 0x0D, 0x52, 0x73, 0x95, 0x40, 0x7C, 0xAF, 0xB2, 0xAF, 0x14, 0x99, 0xD1, 0x62, 0xCE, 0xB3, 0xAD, 0x17, 0x5E, 0x95, 0x26, 0x8F, 0xF0, 0x2A, 0x92, 0xBF, 0xF1, 0xA1, 0x77, 0xE0, 0xF4, 0x6D, 0x62, 0xCF, 0xCE, 0x15, 0x74, 0xFD, 0x7A, 0xA5, 0xD0, 0x90, 0x75, 0x4B, 0xFE, 0xE0, 0x63, 0x5A, 0xBA, 0x8B, 0x09, 0x8B, 0xE6, 0x12, 0x71, 0xB7, 0xD4, 0xD9, 0x29, 0x1E, 0xFD, 0xEB, 0x93, 0x14, 0x0D, 0xD4, 0xA7, 0x5F, 0x04, 0x85, 0x7D, 0xDA, 0x26, 0xE4, 0x63, 0x94, 0xEC, 0x49, 0x0D, 0x21, 0xF1, 0x42, 0x20, 0x18, 0x66, 0x9F, 0xF6, 0x64, 0x5F, 0x57, 0xCE, 0x33, 0x43, 0xB2, 0x38, 0xFA, 0xF0, 0x5C, 0x1D, 0x4F, 0x65, 0xE8, 0x85, 0x1E, 0xC6, 0x9B, 0xDF, 0x85, 0x9B, 0x9D, 0xAD, 0x17, 0x81, 0x7C, 0xD5, 0x5C, 0xA8, 0xF8, 0x81, 0x40, 0x13, 0x38, 0xF0, 0x00, 0x5B, 0x73, 0xD3, 0xF0, 0x2D, 0x38, 0x00, 0xD7, 0x87, 0x47, 0x82, 0x81, 0xAF, 0xA5, 0xC8, 0x2D, 0x0C, 0xCC, 0x52, 0x2C, 0x5A, 0x09, 0x07, 0x38, 0xAB, 0x4D, 0x01, 0x4B, 0x11, 0x8C, 0xAF, 0x63, 0x25, 0x00, 0x82, 0x25, 0xA2, 0x77, 0x71, 0x07, 0x7B, 0x71, 0x95, 0x14, 0xD1, 0x23, 0x3D, 0x6C, 0x4E, 0xD7, 0x0C, 0x61, 0x7D, 0xFA, 0xC6, 0xCB, 0x6F, 0x6C, 0x97, 0x65, 0x57, 0x23, 0xEB, 0x7E, 0xCF, 0x89, 0x37, 0x69, 0x52, 0x19, 0x7F, 0xED, 0x1F, 0x96, 0xAD, 0xC6, 0x3C, 0x04, 0x31, 0x42, 0x31, 0xCD, 0xBB, 0xB5, 0xD9, 0x5D, 0xF2, 0xE5, 0xF4, 0x77, 0x21, 0xAF, 0xE8, 0x3E, 0xA5, 0x20, 0x2B, 0xFC, 0xE1, 0xDC, 0x5A, 0x2F, 0xEA, 0x5B, 0x85, 0x96, 0xBA, 0x97, 0xE1, 0x48, 0xA1, 0xC0] BLOCK_SIZE = 0x500 def obfuscate_block(block: bytes) -&gt; bytes: &#34;&#34;&#34;Obfuscate a single 0x500 byte block&#34;&#34;&#34; if len(block) &lt; 4: return block block_header = block[:4] obfs_value = mask_table[block_header[0]] for i in range(1, 4): obfs_value ^= mask_table[block_header[i]] # Calculate offset (range 4 ~ 0x4FF) obfs_value = obfs_value % 0x4FC + 4 # Data reordering: # [obfs_value:end] + [4:obfs_value] part1 = block[obfs_value:] # From obfs_value to end part2 = block[4:obfs_value] # From 4 to obfs_value new_block = part1 + part2 return new_block def deobfuscate_block(block: bytes, header: bytes) -&gt; bytes: &#34;&#34;&#34;Deobfuscate a single 0x500 byte block, requires original header&#34;&#34;&#34; if len(block) &lt; 4: return block # Re-calculate perturbation value (must use original header) obfs_value = mask_table[header[0]] for i in range(1, 4): obfs_value ^= mask_table[header[i]] obfs_value = obfs_value % 0x4FC + 4 # The block arrangement rule is: # new_block = block[obfs_value:] + block[4:obfs_value] # We need to reverse this to reconstruct the original part1_len = len(block) - (obfs_value - 4) # Corresponds to obfs_value ~ end part1 = block[:part1_len] part2 = block[part1_len:] # Restore to [0:4] + [4:obfs_value] + [obfs_value:end] original = header + part2 + part1 return original def obfuscate(data: bytes) -&gt; bytes: out = bytearray() for i in range(0, len(data), BLOCK_SIZE): block = data[i:i+BLOCK_SIZE] out.extend(obfuscate_block(block)) return bytes(out) def deobfuscate(data: bytes, headers: list[bytes]) -&gt; bytes: out = bytearray() for idx, i in enumerate(range(0, len(data), BLOCK_SIZE)): block = data[i:i+BLOCK_SIZE] header = headers[idx] out.extend(deobfuscate_block(block, header)) return bytes(out) if __name__ == &#34;__main__&#34;: data = bytearray() headers = [] for blk in range(3): header = bytes([blk, blk+1, blk+2, blk+3]) headers.append(header) body = bytes([blk]* (BLOCK_SIZE - 4)) data.extend(header + body) print(&#34;First 32 bytes of original data:&#34;, data[:32]) obfs = obfuscate(data) print(&#34;First 32 bytes of obfuscated data:&#34;, obfs[:32]) deobfs = deobfuscate(obfs, headers) print(&#34;First 32 bytes of deobfuscated data:&#34;, deobfs[:32]) print(&#34;Deobfuscation correct:&#34;, deobfs == data) </code></pre><h2 id="tsgrom-parsing">TSGROM Parsing</h2> <p>TSGROM is the game’s multimedia resource file, containing scripts and textures—similar to Unity’s assets.</p> <p>The TSGROM version supported by PM2008 is at least <code>00.0000.0004</code>, consistent with PM1. The code is crude and brute-force—full of <code>while(1)</code>.</p> <p><img loading="lazy" src="tsgrom_parse.png" alt="tsgrom_parse"/></p> <p>Some ROMs don’t carry version information, and I’m not sure what they’re for—for example, <code>biglogo.rom</code>. It has a lot of LZSS image data, but it doesn’t match the color format in the code, so it’s likely historical baggage.</p> <p><img loading="lazy" src="biglogo.png" alt="biglogo"/></p> <p>TSGROM can be loaded from a file or from RAM. After the first load, it’s stored in RAM, so subsequent operations don’t need to touch the file again.</p> <p>PM2008 supports TGA, BMP, and PCX graphics. The TSGROM format is long and boring; it’s not worth expanding into a full analysis. I wrote a script to parse TSGROM: <a href="https://github.com/gorgiaxx/igs-toolkits/tree/master/tsgrom_loader"target="_blank" rel="noopener noreferrer">igs-toolkits tsgrom_loader</a></p> <pre tabindex="0"><code>(base) ➜ tsgrom_loader git:(master) ✗ python ./tsgrom_loader.py -f ./test/resultl.rom -o ./test/resultl --format png TSGROM Header: Header: TSGROM01 Version: 00.0000.0004 Length: 0 Data Zones: 2276 Data Type Counts: SOUND: 1 ACTBLOCK: 531 ACTINDEX: 1 ACT_DATA: 60 ACT_POOL: 531 ACT_STEP: 975 BASEDATA: 1 BMP_OPSS: 18 MTV_INAC: 1 PALETTE1: 1 TGA_OPSS: 156 Found 174 image data zones </code></pre><p>Taking IGS Logo as an example, after extraction you get each frame image of the animation.</p> <p><img loading="lazy" src="tsgrom_extracted.png" alt="tsgrom_extracted"/></p> <h3 id="action-parser">Action Parser</h3> <p>IGS’s TSGROM defines various graphical behaviors of the game and calls them actions. The main executable implements functionality by parsing actions. If you want to run the main game executable on a PC, various game events are related to the A27 protocol, so you need to reverse the corresponding actions. But I want to try the most “perfect” cracking approach: dump the ASIC ROM and run it in an emulator. I don’t want to analyze this pile of spaghetti code.</p> <ul> <li>ACT BLOCK: number of data blocks</li> <li>ACT INDEX: ACT index</li> <li>ACT DATA: action data</li> <li>ACT POOL: action data</li> <li>ACT STEP: animation frames</li> </ul> <p>The main executable is stripped, so analysis is time-consuming. Here are brief notes:</p> <p>When loading a TSGROM, the program loads <code>act_data</code> into memory; based on the number of <code>act_pool</code>, it also loads pool data into memory. Each TSGROM gets an independent Group ID. The action-related functions distinguish by Group ID. There can be up to <code>0x80</code> action groups, each group length is <code>0x2AA4</code>. Each group also has a corresponding index; action index size is <code>0xaa9</code>, and the list length is also <code>0x80</code>.</p> <p>Before loading tsgrom, it first creates action objects: a total of 1024 <code>action_data</code> instances, each <code>action_data</code> is <code>0x8D</code> bytes.</p> <p>Then it calls <code>ActionUse</code> to initialize <code>act_data</code> and allocate graphics display resources. It uses <code>ActionFace</code>, <code>ActionShow</code>, etc. to configure graphics display control, and finally calls <code>RealTimeEvent</code> to refresh the screen in a unified way.</p> <p><img loading="lazy" src="actions.png" alt="actions"/></p> <h3 id="tsg-rom-hidden-stub">TSG ROM Hidden Stub</h3> <p>IGS intentionally corrupts certain blocks in the resource files. They must be dynamically repaired via the ASIC chip. This is also IGS’s anti-piracy mechanism, preventing crackers from modifying animation files to reskin games.</p> <p>IGS Logo:</p> <p><img loading="lazy" src="tsgrom_extracted_broken.png" alt="tsgrom_extracted_broken"/></p> <p>Teammark:</p> <p><img loading="lazy" src="tsgrom_extracted_broken1.png" alt="tsgrom_extracted_broken1"/></p> <p>Taking IGS Logo as an example: when a marker field in the buffer matches 1, it indicates the packet type is resource repair. When iterating to a specific block (7 in this case), it appends <code>0x400</code> bytes from ASIC 27 to the corresponding corrupted region, completing the resource repair.</p> <p><img loading="lazy" src="load_igslogolc_to_memory.png" alt="load_igslogolc_to_memory"/></p> <h2 id="closing-notes">Closing Notes</h2> <p>IGS tightly couples the game’s main executable with hardware. Porting the game to another platform requires a significant amount of effort.</p> <p>The game framework and song charts are implemented as state machines and are relatively complex; they’re not within my cracking target.</p> <p>Documenting reverse engineering in blog posts feels even more exhausting than the work itself. When reversing for yourself, you only need to record some data; but to make it into an article, you have to write it in a way others can understand.</p> <p>Next topic: IGS Arcade Reverse Engineering Series (5) - ASIC27 Protocol Hooking and Main Executable Patching</p> <p>Commemorating the Blood Moon. Praise the Lady.</p> https://gorgias.me/posts/igs-arcade-re-3/ Mon, 23 Jun 2025 23:03:18 +0800 https://gorgias.me/posts/igs-arcade-re-3/ <p>I’ve made quite a bit of progress lately, but I’ve hit a bottleneck. There are probably about three more posts’ worth of material. I’ve been very busy recently, so I’m publishing part three first.</p> <p>I peeled off the chip sticker and did a detailed analysis. The direction of the hardware analysis in part one was basically correct; I updated the chip description for IGS. The code in part two had some bugs, and I’ve updated that as well.</p> <ul> <li> <p><a href="https://gorgias.me/posts/igs_arcade_re_1">IGS Arcade Reverse Engineering Series (1) - E2000 Platform Analysis</a></p> </li> <li> <p><a href="https://gorgias.me/posts/igs_arcade_re_2">IGS Arcade Reverse Engineering Series (2) - Game File Recovery</a></p> </li> </ul> <p>To analyze the game main executable efficiently, it’s best to do dynamic debugging on the device, which means getting shell access first. Aside from the CF card and I/O ports, I currently have almost no way to input anything into this device.</p> <p>If I go the serial-debug route, the first step is finding the hardware debug port, and the next step is modifying the kernel’s built-in boot command. It’s a hassle, requires repacking everything back, and isn’t elegant.</p> <p>The CF card has two partitions I can write to directly: one is the boot partition where the kernel lives, and the other is a partition for logs and temporary files. That second one might be able to get a shell, but “pwning” this hardware isn’t my goal.</p> <h2 id="repacking-igs-cramfs">Repacking IGS CRAMFS</h2> <p>Previously, based on the characteristics of IGS’s heavily modified cramfs, I extended <code>cramfs-tools</code> a second time—but it could only unpack, not repack. It wasn’t perfect, and I’m a bit of a perfectionist; I want it to be a real toolkit.</p> <p>IGS modified cramfs structures. They added a checksum field into <code>cramfs_inode</code>, meaning the inode is verified on every read.</p> <pre tabindex="0"><code>struct cramfs_super { unsigned int magic1; unsigned int future; /* future = CRAMFS_MAGIC ^ IGS_MAGIC_MASK2 ^ IGS_MAGIC_MASK1 */ char igs_info[64]; unsigned int size; unsigned int magic2; unsigned int flags; unsigned int padding; struct cramfs_info fsid; char name[64]; struct cramfs_inode root; }; struct cramfs_inode { u32 inode_magic; u32 namelen:CRAMFS_NAMELEN_WIDTH, offset:CRAMFS_OFFSET_WIDTH; u32 size:CRAMFS_SIZE_WIDTH, gid:CRAMFS_GID_WIDTH; u32 mode:CRAMFS_MODE_WIDTH, uid:CRAMFS_UID_WIDTH; }; struct cramfs_info { u32 crc; u32 edition; u32 blocks; u32 files; }; </code></pre><p>In <code>get_cramfs_inode</code>, there’s a hidden check: it XORs <code>inode_magic</code> with the root inode’s magic and checks whether the result equals <code>0x705DE1</code>. If not, it aborts. It’s simple, but it differs per game, and doing the same patch over and over is annoying.</p> <p>The screenshot below looks readable because I spent some time on it. In fact, IDA’s decompilation was initially wrong and didn’t match the assembly at all. You have to reconstruct the struct first so the branches become correct; otherwise a lot of code gets lost.</p> <p><img loading="lazy" src="./get_inode.png" alt="get_inode"/></p> <p>I’ve implemented repacking for IGS cramfs: <a href="https://github.com/gorgiaxx/igs-toolkits/tree/master/"target="_blank" rel="noopener noreferrer">igs-toolkits cramfs-tools</a></p> <p>Unpack</p> <pre tabindex="0"><code>sudo ./igs-toolkits/cramfs-tools/cramfsck -v -x./out ./test.img </code></pre><p>Repack</p> <pre tabindex="0"><code>sudo ./igs-toolkits/cramfs-tools/mkcramfs ./out test.img </code></pre><h2 id="fixing-the-shell-environment">Fixing the shell environment</h2> <p>In the newer PM2008 versions, IGS added many anti-cracking measures. This kernel is very old, and I spent a lot of time solving compatibility problems. After testing many combinations of OS / toolchains / source versions repeatedly, I finally found a stable build environment.</p> <h3 id="fixing-agetty">Fixing agetty</h3> <p>After initialization, there is no tty shell, because IGS removed <code>agetty</code>. This component is in <code>util-linux</code>. It needs to be rebuilt with static linking.</p> <pre tabindex="0"><code>CC=&#34;/opt/gcc_3.2.2/bin/gcc&#34; LDFLAGS=&#34;-static&#34; DESTDIR=/root/build-linux-utils export LDFLAGS CC DESTDIR ./configure --enable-static make make install </code></pre><p>Then add the following line to <code>/etc/inittab</code>. It looks like there is serial output at 115200; I still haven’t tried via COM. Since I’m researching in my bedroom and space is limited, I prefer more elegant debugging methods.</p> <pre tabindex="0"><code>1:4:respawn:/sbin/agetty ttyS1 115200 vt102 </code></pre><h3 id="fixing-ssh-services">Fixing SSH services</h3> <p>IGS removed the SSH service. I originally wanted to use an off-the-shelf <code>dropbear</code>, but none of them could run. I spent a lot of time finding a compatible <code>dropbear</code> 0.53 and doing a static build (fixing many errors). Many features are hardcoded in the code; I even made some patches, but weird issues still occurred.</p> <p>So I had to switch to OpenSSH. Newer SSH clients have deprecated old crypto algorithms, and when connecting to an old SSH server you have to explicitly specify algorithms. So I chose a relatively newer <code>openssh</code> and <code>openssl</code>.</p> <p>After building, generate key pairs. Because algorithms and formats differ, keys must be regenerated.</p> <pre tabindex="0"><code>ssh-keygen -q -t rsa -f ssh_host_key ssh-keygen -q -t rsa -f ssh_host_rsa_key </code></pre><p><code>sshd_config</code> needs these to be configured manually:</p> <pre tabindex="0"><code>HostKey /home/ssh_host_key HostKey /home/ssh_host_rsa_key SyslogFacility AUTHPRIV LogLevel INFO PermitRootLogin yes AuthorizedKeysFile .ssh/authorized_keys PermitEmptyPasswords yes X11Forwarding yes Subsystem sftp /home/sftp-server </code></pre><p>Finally, you need to fix <code>sshd</code>’s privilege separation setup, otherwise it will error.</p> <pre tabindex="0"><code>mkdir /var/empty echo &#34;sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin&#34; &gt;&gt; /etc/passwd </code></pre><p>Add the SSH startup command into the boot script mentioned earlier:</p> <pre tabindex="0"><code>/home/sshd -f /home/sshd_config -h /home/ssh_host_rsa_key -p 22 -E /PM2008v2/pm2_data/sshd.log &gt; /PM2008v2/pm2_data/sshd_run.log 2&gt;&amp;1 </code></pre><h3 id="fixing-ifconfig-and-enabling-networking">Fixing ifconfig and enabling networking</h3> <p>IGS disabled network connectivity. I saw in the game code that networking is possible: the game has an <code>OnlineMode</code>. Early versions had global rankings, but the current version doesn’t support it and the code has obvious traces of modification. There’s no place to trigger entering <code>OnlineMode</code>.</p> <p><img loading="lazy" src="./nullsub.png" alt="nullsub"/></p> <p>The system even has a DHCP service. The IP configuration logic is written in code.</p> <p><img loading="lazy" src="./network_enable.png" alt="network_enable"/></p> <p><code>ifconfig</code> was stripped down—probably also modified—so I rebuilt my own.</p> <pre tabindex="0"><code>/home/ifconfig eth0 up mtu 1500 &gt;&gt; /PM2008v2/pm2_data/game_stdout.log 2&gt;&amp;1 /home/ifconfig eth0 192.168.2.128 netmask 255.255.255.0 broadcast 192.168.2.255 &gt;&gt; /PM2008v2/pm2_data/game_stdout.log 2&gt;&amp;1 </code></pre><p>With that, it can connect to an external network.</p> <p>I also built a version of <code>busybox</code>. I ran into a lot of compatibility issues, made some patches, and spent a long time before it finally compiled successfully. The binaries can be downloaded here:</p> <p><a href="https://github.com/gorgiaxx/igs-toolkits/tree/master/E2000_binaries"target="_blank" rel="noopener noreferrer">https://github.com/gorgiaxx/igs-toolkits/tree/master/E2000_binaries</a></p> <p>Put these files into the specified directory, repack, write to the CF card, reboot the device, and then the SSH service can be accessed directly.</p> <p>Because there is no echo, I could only redirect stdout to <code>rdisk4s4</code>, i.e. the ext3 partition, then dump/mount it to view output. It took a lot of time to get this working; I ran these two commands countless times.</p> <pre tabindex="0"><code>sudo dd if=/dev/rdisk4s4 of=./rdisk4s4.img bs=1M &amp;&amp; rm -rf ./part4 &amp;&amp; 7z x ./rdisk4s4.img -o./part4 </code></pre><pre tabindex="0"><code>sudo ../igs-toolkits/cramfs-tools/mkcramfs ./out test.img &amp;&amp; sudo dd if=./test.img of=/dev/rdisk4s2 bs=1M </code></pre><h2 id="game-environment-analysis">Game environment analysis</h2> <p>The E2000 host has two I/O interfaces. Control commands come from outside, so even if you get root you still can’t play the game.</p> <h3 id="game-main-executable">Game main executable</h3> <p>The main game executable actually runs at <code>/exec/PM2008v2</code> and starts three processes.</p> <p><img loading="lazy" src="./shell.png" alt="shell"/></p> <p>From the memory map you can tell this executable runs under X11 with OpenGL rendering. It can also control the card reader. It calls <code>/dev/plx/Pci9030-0</code>, accessing it via DMA to a virtual address—this should be the game’s physical I/O.</p> <pre tabindex="0"><code>[IGS_Linux]root ~# cat /proc/120/maps 08048000-084b6000 r-xp 00000000 00:08 98 /exec/PM2008v2 084b6000-084cb000 rw-p 0046e000 00:08 98 /exec/PM2008v2 084cb000-0b044000 rwxp 00000000 00:00 0 40000000-40013000 r-xp 00000000 16:02 11153856 /lib/ld-2.3.2.so 40013000-40014000 rw-p 00012000 16:02 11153856 /lib/ld-2.3.2.so 40014000-40015000 rw-p 00000000 00:00 0 40015000-4001d000 r-xp 00000000 16:02 57643504 /usr/sbin/cardread/lib/libcasmcard.so 4001d000-4001e000 rw-p 00007000 16:02 57643504 /usr/sbin/cardread/lib/libcasmcard.so 4001e000-40020000 rwxp 00000000 00:0b 2217 /dev/zero 40020000-4002d000 r-xp 00000000 16:02 12504408 /lib/libpthread-0.10.so 4002d000-4002e000 rw-p 0000d000 16:02 12504408 /lib/libpthread-0.10.so 4002e000-40070000 rw-p 00000000 00:00 0 40070000-40072000 r-xp 00000000 16:02 11995640 /lib/libdl-2.3.2.so 40072000-40073000 rw-p 00001000 16:02 11995640 /lib/libdl-2.3.2.so 40073000-400de000 r-xp 00000000 16:02 28323568 /usr/X11R6/lib/libGL.so.1.0.8762 400de000-400f7000 rwxp 0006b000 16:02 28323568 /usr/X11R6/lib/libGL.so.1.0.8762 400f7000-400f8000 rwxp 00000000 00:00 0 400f8000-400f9000 rw-p 00000000 00:00 0 400f9000-4021e000 r-xp 00000000 16:02 11262808 /lib/libc-2.3.2.so 4021e000-40223000 rw-p 00124000 16:02 11262808 /lib/libc-2.3.2.so 40223000-40225000 rw-p 00000000 00:00 0 40225000-40246000 r-xp 00000000 16:02 12066128 /lib/libm-2.3.2.so 40246000-40247000 rw-p 00020000 16:02 12066128 /lib/libm-2.3.2.so 40247000-40254000 r-xp 00000000 16:02 34514852 /usr/X11R6/lib/libXext.so.6.4 40254000-40255000 rw-p 0000c000 16:02 34514852 /usr/X11R6/lib/libXext.so.6.4 40255000-40331000 r-xp 00000000 16:02 33143504 /usr/X11R6/lib/libX11.so.6.2 40331000-40334000 rw-p 000db000 16:02 33143504 /usr/X11R6/lib/libX11.so.6.2 40334000-40342000 r-xp 00000000 16:02 57803624 /usr/sbin/cardread/lib/libpcsclite.so.0.0.1 40342000-40343000 rw-p 0000d000 16:02 57803624 /usr/sbin/cardread/lib/libpcsclite.so.0.0.1 40343000-40344000 rw-p 00000000 00:00 0 40344000-40ad2000 r-xp 00000000 16:02 28719620 /usr/X11R6/lib/libGLcore.so.1.0.8762 40ad2000-40b02000 rwxp 0078d000 16:02 28719620 /usr/X11R6/lib/libGLcore.so.1.0.8762 40b02000-40b06000 rwxp 00000000 00:00 0 40b06000-40b07000 rw-p 00000000 00:00 0 40b07000-40b08000 r-xp 00000000 16:02 40614972 /usr/X11R6/lib/libnvidia-tls.so.1.0.8762 40b08000-40b09000 rw-p 00000000 16:02 40614972 /usr/X11R6/lib/libnvidia-tls.so.1.0.8762 40b09000-40b6b000 rw-p 00000000 00:00 0 40b6b000-40b6c000 rw-s 00000000 00:0b 2004 /dev/plx/Pci9030-0 40b6c000-40b8c000 rw-s 00000000 00:0b 2004 /dev/plx/Pci9030-0 40b8c000-40b8d000 rw-s 00000000 00:0b 2004 /dev/plx/Pci9030-0 40b8d000-4158e000 rw-p 00000000 00:00 0 4158e000-41596000 r-xp 00000000 16:02 34498192 /usr/X11R6/lib/libXcursor.so.1.0 41596000-41597000 rw-p 00007000 16:02 34498192 /usr/X11R6/lib/libXcursor.so.1.0 41597000-4159e000 r-xp 00000000 16:02 37237160 /usr/X11R6/lib/libXrender.so.1.2 4159e000-4159f000 rw-p 00006000 16:02 37237160 /usr/X11R6/lib/libXrender.so.1.2 4159f000-415a0000 rw-s e8001000 00:0b 1990 /dev/nvidia0 415a0000-415a1000 rw-s e8c02000 00:0b 1990 /dev/nvidia0 415a1000-415aa000 r-xp 00000000 16:02 12388932 /lib/libnss_files-2.3.2.so 415aa000-415ab000 rw-p 00008000 16:02 12388932 /lib/libnss_files-2.3.2.so 415ab000-415c2000 rw-s 00000000 00:04 0 /SYSV00000000 (deleted) 415c2000-416ee000 rw-s d0000000 00:0b 1990 /dev/nvidia0 416ee000-41750000 rw-p 00000000 00:0b 2217 /dev/zero 41750000-41791000 rw-p 00000000 00:00 0 41791000-41893000 rw-s e0011000 00:0b 1990 /dev/nvidia0 41893000-41894000 rw-s 16fc2000 00:0b 1990 /dev/nvidia0 41894000-41895000 rw-s 17027000 00:0b 1990 /dev/nvidia0 41895000-41896000 rw-s df93b000 00:0b 1990 /dev/nvidia0 41896000-4189a000 rw-s 17025000 00:0b 1990 /dev/nvidia0 4189a000-4189b000 rw-s df939000 00:0b 1990 /dev/nvidia0 4189b000-4189c000 rw-s 17021000 00:0b 1990 /dev/nvidia0 4189c000-4199c000 rw-s e0114000 00:0b 1990 /dev/nvidia0 4199c000-4199d000 rw-s 00000000 00:04 98305 /SYSV00000000 (deleted) 4199d000-4199e000 rw-s 00000000 00:04 131074 /SYSV00000000 (deleted) 4199e000-41a56000 rw-p 00000000 00:00 0 41a56000-41a57000 ---p 00000000 00:00 0 41a57000-41c56000 rwxp 00001000 00:00 0 41c56000-43096000 rw-p 00003000 00:00 0 43096000-43097000 r--s 00000000 00:07 2709 /tmp/pcsc/.pcscpub 43097000-43098000 r--s 00001000 00:07 2709 /tmp/pcsc/.pcscpub 43098000-43099000 r--s 00002000 00:07 2709 /tmp/pcsc/.pcscpub 43099000-4309a000 r--s 00003000 00:07 2709 /tmp/pcsc/.pcscpub 4309a000-4309b000 r--s 00004000 00:07 2709 /tmp/pcsc/.pcscpub 4309b000-4309c000 r--s 00005000 00:07 2709 /tmp/pcsc/.pcscpub 4309c000-4309d000 r--s 00006000 00:07 2709 /tmp/pcsc/.pcscpub 4309d000-4309e000 r--s 00007000 00:07 2709 /tmp/pcsc/.pcscpub 4309e000-4309f000 r--s 00008000 00:07 2709 /tmp/pcsc/.pcscpub 4309f000-430a0000 r--s 00009000 00:07 2709 /tmp/pcsc/.pcscpub 430a0000-430a1000 r--s 0000a000 00:07 2709 /tmp/pcsc/.pcscpub 430a1000-430a2000 r--s 0000b000 00:07 2709 /tmp/pcsc/.pcscpub 430a2000-430a3000 r--s 0000c000 00:07 2709 /tmp/pcsc/.pcscpub 430a3000-430a4000 r--s 0000d000 00:07 2709 /tmp/pcsc/.pcscpub 430a4000-430a5000 r--s 0000e000 00:07 2709 /tmp/pcsc/.pcscpub 430a5000-430a6000 r--s 0000f000 00:07 2709 /tmp/pcsc/.pcscpub 430a6000-4352f000 rw-p 00000000 00:00 0 43530000-441c9000 rw-p 0048a000 00:00 0 4423c000-44322000 rw-p 01196000 00:00 0 443a7000-444b0000 rw-p 01301000 00:00 0 bfde2000-c0000000 rwxp ffde3000 00:00 0 </code></pre><p>The game executable itself contains a lot of strings that look like encoded data. Before this, I had never dealt with Big5 encoding. I just asked DeepSeek to write a script to identify it.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">chardet</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">encodings.aliases</span> <span class="kn">import</span> <span class="n">aliases</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">try_all_encodings</span><span class="p">(</span><span class="n">hex_str</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">all_encodings</span> <span class="o">=</span> <span class="nb">set</span><span class="p">(</span><span class="n">aliases</span><span class="o">.</span><span class="n">values</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="n">byte_data</span> <span class="o">=</span> <span class="nb">bytes</span><span class="o">.</span><span class="n">fromhex</span><span class="p">(</span><span class="n">hex_str</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">&#34; &#34;</span><span class="p">,</span> <span class="s2">&#34;&#34;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;原始16进制数据: </span><span class="si">{</span><span class="n">hex_str</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;字节长度: </span><span class="si">{</span><span class="nb">len</span><span class="p">(</span><span class="n">byte_data</span><span class="p">)</span><span class="si">}</span><span class="s2"> bytes</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">detected</span> <span class="o">=</span> <span class="n">chardet</span><span class="o">.</span><span class="n">detect</span><span class="p">(</span><span class="n">byte_data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;自动检测结果: </span><span class="si">{</span><span class="n">detected</span><span class="p">[</span><span class="s1">&#39;encoding&#39;</span><span class="p">]</span><span class="si">}</span><span class="s2"> (置信度: </span><span class="si">{</span><span class="n">detected</span><span class="p">[</span><span class="s1">&#39;confidence&#39;</span><span class="p">]</span><span class="si">:</span><span class="s2">.2%</span><span class="si">}</span><span class="s2">)&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">common_encodings</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;gbk&#39;</span><span class="p">,</span> <span class="s1">&#39;gb18030&#39;</span><span class="p">,</span> <span class="s1">&#39;gb2312&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;utf-8&#39;</span><span class="p">,</span> <span class="s1">&#39;utf-16&#39;</span><span class="p">,</span> <span class="s1">&#39;big5&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;hz&#39;</span><span class="p">,</span> <span class="s1">&#39;iso-2022-jp&#39;</span><span class="p">,</span> <span class="s1">&#39;euc-kr&#39;</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">=== 常见编码测试 ===&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">enc</span> <span class="ow">in</span> <span class="n">common_encodings</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">decoded</span> <span class="o">=</span> <span class="n">byte_data</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="n">enc</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;[</span><span class="si">{</span><span class="n">enc</span><span class="o">.</span><span class="n">upper</span><span class="p">()</span><span class="si">}</span><span class="s2">]: </span><span class="si">{</span><span class="n">decoded</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">pass</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">=== 完整编码测试 ===&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">enc</span> <span class="ow">in</span> <span class="nb">sorted</span><span class="p">(</span><span class="n">all_encodings</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">decoded</span> <span class="o">=</span> <span class="n">byte_data</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="n">enc</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">decoded</span><span class="o">.</span><span class="n">isprintable</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;[</span><span class="si">{</span><span class="n">enc</span><span class="si">}</span><span class="s2">]: </span><span class="si">{</span><span class="n">decoded</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">hex_data</span> <span class="o">=</span> <span class="s2">&#34;C2 F7 B6 7D 3A A6 50 AE C9 BA 56 C0 BB 31 50 A4 CE 32 50 B9 AA AD B1&#34;</span> </span></span><span class="line"><span class="cl"> <span class="n">try_all_encodings</span><span class="p">(</span><span class="n">hex_data</span><span class="p">)</span> </span></span></code></pre></div><p>The game was developed in Taiwan and uses Traditional Chinese. IDA can’t recognize it automatically, so it needs to be added manually.</p> <p>Option -&gt; Strings -&gt; Default(8-bit) -&gt; Insert(Right Click) -&gt; Big5</p> <p><img loading="lazy" src="./big5.png" alt="big5"/></p> <p>Since it’s non-ASCII and there isn’t a great automatic way to detect it, I’ll just follow the same “fix strings” approach from the previous post.</p> <p><img loading="lazy" src="./strings.png" alt="strings"/></p> <p>When running the main game executable, it only prints these logs:</p> <pre tabindex="0"><code>[IGS_Linux]root /proc/sys# /exec/PM2008v2 Device Handle 4 Version Major 4,Minor 3,Rev 0 Get Virtual address!! [CommandPortAddresss]=0x40b8c000,[ShareRAMAddress]=0x40b6c000 Clear CommandPort Complete. start </code></pre><p>The <code>dprintf</code> logic was removed in the code, so it won’t print logs.</p> <h2 id="bottleneck">Bottleneck</h2> <p>I’ve hit a bottleneck: for rhythm games, hit detection is handled by the ASIC, and the ASIC passes the judgments to the CPU. The main executable contains no judgment logic. I’ve already analyzed the ASIC27 protocol; writing my own judgment logic would be fine, but that’s no longer “cracking”. Only by cracking the ASIC can you perfectly emulate these games. Next I need to dump the ASIC firmware, which is very difficult—I’m not sure I can finish it this year.</p> <p>There are two more posts’ worth of work already done; I’ll write them when I have time.</p> <ul> <li>IGS Arcade Reverse Engineering Series (4) - ASIC27 Protocol and TSGROM Static Analysis</li> <li>IGS Arcade Reverse Engineering Series (5) - ASIC27 Protocol Hooking and Main Executable Patching</li> </ul> <h2 id="rant-hexo">Rant: Hexo</h2> <p>Last month my Linux PC’s CPU basically cooked itself. The cause was long-term operation and poor cooling. I spent a lot of time troubleshooting, migrating tools, and then moved the blog environment to a new computer.</p> <p>I used to write posts by using <code>nvm</code> to switch to an old Node version and running the Hexo framework to generate static pages. I hadn’t touched that setup for 8 years. Ever since then, Hexo’s dependencies have been a mess—updates always break something—so I didn’t dare to upgrade.</p> <p>The old environment was very hard to run on macOS. Neither building from source nor using Homebrew worked. I don’t understand why a Node.js project needs Python 3.8.</p> <p>With that pile of messy dependencies, even the latest Hexo wouldn’t work; lots of themes were incompatible. I’m already using <code>asdf</code>, how is it still like this? I dropped Hexo completely and spent a lot of time migrating the blog to Hugo.</p> https://gorgias.me/posts/igs-arcade-re-2/ Sun, 25 May 2025 20:37:31 +0800 https://gorgias.me/posts/igs-arcade-re-2/ <p>In the previous post, I mentioned that the game has a protection mechanism that destroys partitions. In this post, we’ll dig deeper into it.</p> <p>For a game released in 2007, its hardening/protection is relatively outdated. It mainly relies on things like concatenation and signature-tweaking. It doesn’t have the “modern app hardening arms race” vibe. The annoying part is that there are many stages in the protection flow, and each game does it differently. On top of that, some development traits (compiler optimizations, coding style) make reverse engineering more difficult.</p> <p>Extracting the game itself is actually straightforward: once the game is running, you can dump it via a shell from memory or from the filesystem (if the files are written to disk). But if you want to extract multiple different games, that becomes a hassle—so let’s start with static analysis.</p> <p>All in all, this reversing process feels like solving a CTF Misc challenge: it requires quite a bit of logical deduction.</p> <h2 id="reverse-engineering-traps">Reverse Engineering Traps</h2> <p>In general, when analyzing filesystem contents, you rarely start from the kernel. Usually you start with init-related files.</p> <p>The first step is typically checking <code>/etc/inittab</code>. The script starts <code>rc</code> first, and then starts the graphical interface:</p> <pre tabindex="0"><code># Begin /etc/inittab id:4:initdefault: si::sysinit:/etc/rc.d/init.d/rc x:4:respawn:/etc/X11/IGS &amp;&gt; /dev/null # End /etc/inittab </code></pre><h3 id="etcrcdinitdrc"><code>/etc/rc.d/init.d/rc</code></h3> <pre tabindex="0"><code>#!/bin/bash PATH=/bin:/sbin:/usr/bin:/usr/sbin export PATH mount -n -o remount,rw / mount -n -t ramfs tmp /tmp mount -n -t proc proc /proc mount -n -t usbdevfs usbdevfs /proc/bus/usb #echo &#34;copy for etc&#34; cp -a /etc/* /tmp mount -n -t ramfs etc /etc cp -a /tmp/* /etc rm -rf /tmp/* #echo &#34;copy for dev&#34; cp -a /dev/* /tmp mount -n -t ramfs dev /dev cp -a /tmp/* /dev rm -rf /tmp/* mount -n -t devpts pts /dev/pts mount -n -t tmpfs shm /dev/shm #echo &#34;copy for var&#34; cp -a /var/* /tmp mount -n -t ramfs var /var cp -a /tmp/* /var rm -rf /tmp/* #echo &#34;copy for root&#34; cp -a /root/.b* /tmp mount -n -t ramfs root /root cp -a /tmp/.b* /root rm -rf /tmp/.b* /sbin/hdparm -c1 -d1 -k1 -Xudma4 /dev/hdc &amp;&gt; /dev/null </code></pre><h3 id="etcx11igs"><code>/etc/X11/IGS</code></h3> <p>This script sets environment variables, starts X, then starts the card reader, and finally launches the game. Aside from the loop (which is a bit unusual), everything else looks normal. At this point, you’d definitely conclude <code>/PM2008v2/PM2008v2</code> is the game binary.</p> <pre tabindex="0"><code>#!/bin/sh TZ=&#34;UCT&#34; TERM=&#34;xterm&#34; TempFile=&#34;/tmp/XTemp&#34; HZ=&#34;100&#34; PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin LD_LIBRARY_PATH=/usr/X11R6/lib:/usr/X11R6/lib/modules/extensions DISPLAY=:0 export PATH LD_LIBRARY_PATH DISPLAY TERM HZ TZ ps -A | grep XFree86 | ( while read pid tty time command; do kill -9 $pid; done ) XFree86 &amp;&gt; /dev/null&amp; mwm &amp;&gt; /dev/null &amp; /usr/X11R6/bin/xsetroot -cursor /usr/X11R6/bitmaps/empty_ptr /usr/X11R6/bitmaps/empty_ptr if [ -f $TempFile ];then rm -rf $TempFile sleep 10 exit 0 else touch $TempFile fi /etc/rc.d/init.d/cardreader &amp;&gt; /dev/null&amp; export TZ=&#34;CST&#34; #Run Game cd /PM2008v2 while [ 1 ] do ./PM2008v2 &amp;&gt; /dev/null sleep 5 done </code></pre><p>Next, I analyzed <code>PM2008v2</code>. At first glance, it contains a lot of “executable loader” style code. Combined with the fact that many files previously had no magic bytes, I guessed it might be dynamically loading code and reconstructing ELF binaries. Later, Nova told me this thing is not the game at all—only then did I realize how abnormal it is. This file has a lot of glibc fingerprints and feels like a statically linked glibc executable.</p> <p>For convenience in reversing and later porting the game, I needed to confirm the GCC and glibc versions. <code>PM2008v2</code> shows <code>GCC: (GNU) 3.3.1</code>, but has no glibc version string.</p> <p>So I went straight to the system <code>libc.so</code> and tentatively treated it as glibc 2.3.2. It’s hard to build on modern Linux; even in Docker I ran into issues.</p> <h2 id="analyzing-the-fake-game-executable">Analyzing the “Fake Game” Executable</h2> <h3 id="building-gcc-331">Building GCC 3.3.1</h3> <p>The target kernel is i686, so I built it on CentOS 4 running in VMware. To keep the optimized assembly as consistent as possible, I wanted the same GCC version and build settings. Building this environment also helps future analysis of other games on this platform—more upfront work means fewer detours later.</p> <pre tabindex="0"><code>wget http://mirrors.aliyun.com/gnu/gcc/gcc-3.3.1/gcc-3.3.1.tar.gz </code></pre><p>Using Aliyun’s <a href="https://mirrors.aliyun.com/centos-vault/"target="_blank" rel="noopener noreferrer">CentOS vault repos</a>, install development dependencies first:</p> <pre tabindex="0"><code>yum groupinstall &#34;Development Tools&#34; </code></pre><p>Configure like this, target i686. With old GCC versions it’s better not to compile in parallel—sometimes it breaks (3.3.1 was fine, 3.2.2 wasn’t). Then remove the system GCC and install this one:</p> <pre tabindex="0"><code>../gcc-3.3.1/configure --prefix=/opt/gcc_3.3.1 --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --host=i686-pc-gnu-linux --build=i686-pc-linux-gnu --target=i686-pc-linux-gnu make -j8 yum remove gcc make install </code></pre><h3 id="building-glibc-232">Building glibc 2.3.2</h3> <pre tabindex="0"><code>wget http://mirrors.aliyun.com/gnu/glibc/glibc-2.3.2.tar.gz wget http://mirrors.aliyun.com/gnu/glibc/glibc-linuxthreads-2.3.2.tar.gz </code></pre><p><code>linuxthreads</code> needs to be extracted into the glibc directory:</p> <pre tabindex="0"><code>tar -zxvf glibc-2.3.2.tar.gz cd glibc-2.3.2 tar -zxvf ../glibc-linuxthreads-2.3.2.tar.gz </code></pre><p>When building glibc 2.3.2 you may hit some bugs and need patches. Conveniently, the E2000 platform’s Linux is also an LFS-based system, so you can download patches from <a href="https://www.linuxfromscratch.org/patches/downloads/glibc/"target="_blank" rel="noopener noreferrer">LFS glibc patches</a>.</p> <pre tabindex="0"><code>patch -p1 &lt; ../patches/glibc-2.3.2-sscanf-1.patch patch -p1 &lt; ../patches/glibc-2.3.2-inlining_fixes-2.patch  patch -p1 &lt; ../patches/glibc-2.3.2-test_lfs-1.patch </code></pre><p>Next, configure build options. For now I’ll keep it like this, because even with fine-grained optimization flags, the final assembly differs a lot from the target binary.</p> <pre tabindex="0"><code>CC=/opt/gcc_3.3.1/bin/gcc CFLAGS=&#34;-march=pentium4 -O2&#34; ../glibc-2.3.2/configure --prefix=/lib --disable-profile --enable-add-ons --libexecdir=/usr/lib --with-headers=/usr/include </code></pre><p>Main differences:</p> <ol> <li>Stack frame: most functions in the target binary return with <code>0xC9 leave</code>, while my build typically does <code>mov esp, ebp</code> then <code>pop ebp</code>.</li> <li>Inlining: calls inside some medium-length functions in the target binary are optimized into inline code.</li> </ol> <p>Even if I set optimization to O3, it barely changes. Manually tweaking <code>-fomit-frame-pointer</code>, <code>-finline-limit=n</code>, etc. also didn’t help. Maybe it needs <code>__inline__</code> somewhere; I didn’t have time to verify.</p> <p>With this situation, generating FLIRT signatures with FLAIR barely recovers symbols for functions that still contain internal calls.</p> <p>After analysis, <code>PM2008v2</code> is basically just a <code>killdisk</code> function, statically linked with glibc.</p> <p><img loading="lazy" src="killdisk.png" alt="killdisk.png"/></p> <p>Therefore, if you execute <code>inittab</code> directly, it’s impossible to launch the actual game.</p> <h2 id="system-initialization-analysis">System Initialization Analysis</h2> <h3 id="community-reverse-engineering-notes">Community Reverse Engineering Notes</h3> <p>Nova told me some information earlier. But honestly, from these notes alone I can’t infer the exact loading flow. I can only tell the file header needs to be restored, <code>rc0.d</code> is actually an ELF and will be executed at boot. Also, the Submarine Crisis game files differ somewhat from my PM2008 game files.</p> <p><img loading="lazy" src="notes_for_hwtest.png" alt="notes_for_hwtest.png"/></p> <p><a href="https://github.com/batteryshark/igstools/blob/main/scripts/igs_rofsv1_dumpexec.py"target="_blank" rel="noopener noreferrer">https://github.com/batteryshark/igstools/blob/main/scripts/igs_rofsv1_dumpexec.py</a></p> <p>This script is used to recover game files. I tried it and it can produce an ELF, but importing it into IDA causes errors. I didn’t know how the generated file is supposed to run, so I still needed to analyze it myself.</p> <h3 id="analyzing-the-kernel-boot-flow">Analyzing the Kernel Boot Flow</h3> <p>By analyzing dependencies and other environment variables, I still couldn’t find any path that launches the game. In the previous post, I analyzed filesystem mounting; after mounting, there’s a whole series of operations. IDA may fail to decompile extremely large functions, but that’s not a big problem—the real pain point isn’t here.</p> <p><img loading="lazy" src="call_usermodehelper.png" alt="call_usermodehelper.png"/></p> <p>In the previous post, since I was analyzing a filesystem that’s a modified fork of open-source code, I could compare against the original, so not recovering other symbols was fine. This kernel is 2.4; the <code>bzImage</code> doesn’t carry a symbol table. A lot of code here is developed by IGS themselves; some syscalls aren’t invoked via <code>int</code>. When syscalls are involved and symbols aren’t recovered, analysis is still annoying. If you want to use BinDiff, you’d need IDA 8, and I didn’t have time to port it to macOS. Linux has a syscall table; if IGS didn’t customize syscalls, you can directly transplant syscall symbols from your own built kernel.</p> <p>Also, IDA 9 doesn’t parse this old Linux 2.4 kernel very well. Many xrefs and instructions aren’t recognized and need manual fixing.</p> <h3 id="fixing-immediate-value-xrefs">Fixing Immediate-Value Xrefs</h3> <pre tabindex="0"><code>import ida_ida import ida_bytes import ida_ua import idautils def find_immediate_values_and_convert_to_offset(start_range, end_range): converted_count = 0 checked_count = 0 min_ea = ida_ida.inf_get_min_ea() max_ea = ida_ida.inf_get_max_ea() print(f&#34;EA range: 0x{start_range:X} - 0x{end_range:X}&#34;) print(f&#34;Immediate Value Range：0x{min_ea:X} - 0x{max_ea:X}&#34;) for ea in idautils.Heads(): if not ida_bytes.is_code(ida_bytes.get_flags(ea)): continue insn = ida_ua.insn_t() if ida_ua.decode_insn(insn, ea) == 0: continue if start_range &lt;= ea and ea &lt;= end_range: for op_num in range(ida_ida.UA_MAXOP): op = insn.ops[op_num] if op.type == ida_ua.o_void: break if op.type == ida_ua.o_imm: imm_value = op.value if op.value &gt; 0xFFFFFFFF: imm_value = (0xFFFFFFFF &amp; op.value) checked_count += 1 if min_ea &lt;= imm_value and imm_value &lt;= max_ea: if idc.op_offset(ea, op_num, REF_OFF32): converted_count += 1 else: print(f&#34; -&gt; Convert Failed: 0x{ea:X}[{op_num}]&#34;) print(f&#34;Immediate Value: {checked_count}, Converted: {converted_count}&#34;) </code></pre><h3 id="fixing-string-data">Fixing String Data</h3> <p>Possibly because xrefs aren’t fully recognized, string recognition often misses a few bytes at the beginning. You need to manually fix strings.</p> <pre tabindex="0"><code>def get_the_firsstr_ea(ea): addr = ea - 1 last_byte = ida_bytes.get_byte(addr) if 32 &lt; last_byte and last_byte &lt; 127: ea = get_the_firsstr_ea(addr) return ea def find_str_address(start_ea, end_ea): current_ea = start_ea found_count = 0 while current_ea &lt; end_ea: if current_ea == ida_idaapi.BADADDR: break address_flags = ida_bytes.get_flags(current_ea) if ida_bytes.is_strlit(address_flags): str_size = ida_bytes.get_item_size(current_ea) the_first_str_addr = get_the_firsstr_ea(current_ea) if the_first_str_addr != current_ea: len = current_ea - the_first_str_addr + str_size ida_bytes.create_strlit(the_first_str_addr, len, 0) print(f&#34;Fix str at 0x{current_ea:X}, before: {str_size}, after: {len}&#34;) current_ea += ida_bytes.get_item_size(current_ea) continue </code></pre><h3 id="kernel-thread">Kernel Thread</h3> <p><img loading="lazy" src="call_usermodehelper1.png" alt="call_usermodehelper1.png"/></p> <p>From the code above, we can see the first step of game initialization is to run <code>/bin/zsh</code> with these parameters:</p> <pre tabindex="0"><code>export HOME=/ export TERM=linux export PATH=/bin:/usr/bin:/sbin:/usr/sbin /bin/zsh /etc/rc.d/rc0.d __KERNEL__ -no-print -PM2008v2 </code></pre><p>The next step is running <code>/mnt/GECA</code>:</p> <pre tabindex="0"><code>export HOME=/ export TERM=linux export PATH=/bin:/usr/bin:/sbin:/usr/sbin /mnt/GECA /etc/rc.d/rc0.d __KERNEL__ -no-print -PM2008v2 </code></pre><p>Finally, it tries these:</p> <pre tabindex="0"><code>if ( execute_command ) run_init_process((const char *)execute_command); run_init_process(&#34;/sbin/init&#34;); // 存在 run_init_process(&#34;/etc/init&#34;); // 不存在 run_init_process(&#34;/bin/init&#34;); // 不存在 run_init_process(&#34;/bin/sh&#34;); // 指向bash </code></pre><p>The kernel cmdline can be found in <code>parse_cmdline_early</code>, and is not controlled by LILO.</p> <p>If you set an external boot cmdline, there’s a backdoor that checks whether the bootloader parameter equals “JBoot”. If it doesn’t, it goes into an infinite loop.</p> <p><img loading="lazy" src="jboot.png" alt="jboot.png"/></p> <p>Does this “JBoot” stand for a bootloader written by someone named James? 👀</p> <pre tabindex="0"><code>bootloader=JBoot </code></pre><p>The built-in kernel boot args:</p> <pre tabindex="0"><code>root=/dev/hdc2 ro console=ttyS1,115200 BOOT_IMAGE=PM2008v2 </code></pre><p>It doesn’t set <code>init=</code>, so it will definitely execute <code>/sbin/init</code>, and then <code>/etc/inittab</code>.</p> <h3 id="getting-stuck-restoring-zsh-symbols">Getting Stuck Restoring ZSH Symbols</h3> <p>The trail leads to <code>/bin/zsh</code>. Its entry point looks the same as <code>PM2008v2</code>, so I assumed it’s also based on some modified glibc. But after importing a FLIRT signature, only the innermost functions were recognized—likely due to the same optimization issue.</p> <pre tabindex="0"><code>/Applications/IDA\ Professional\ 9.1.app/Contents/MacOS/tools/flair/sigmake ~/RE/igs/libc.pat ~/RE/igs/libc2.3.2.o2.sig /Applications/IDA\ Professional\ 9.1.app/Contents/MacOS/tools/flair/pelf ~/RE/igs/libc.a ~/RE/igs/libc.pat </code></pre><p><img loading="lazy" src="zsh.png" alt="zsh.png"/></p> <p>At this point I still don’t know exactly which GCC and glibc it was based on. Considering that many executables later may also use glibc, I need to pin down the version and see if there’s a fast way to recover symbols.</p> <h4 id="dependency-analysis">Dependency analysis</h4> <p>Using YAFAF (a tool I wrote five years ago), I can quickly find relevant dependencies. <code>rc*.d</code> should be game code.</p> <p><img loading="lazy" src="gcc_glibc.png" alt="gcc_glibc.png"/></p> <p><code>rc0.d</code></p> <pre tabindex="0"><code>GLIBC_2.1 GLIBC_2.0 GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5) </code></pre><p><code>rc2.d</code></p> <pre tabindex="0"><code>GCC_3.0 GLIBC_2.0 GLIBC_2.1 GLIBC_2.2.3 GLIBC_2.1.3 GLIBC_2.3 GLIBC_2.2 GLIBC_2.3.2 GLIBC_2.0 GLIBC_2.1 GLIBCPP_3.2 GLIBC_2.2 GLIBC_2.1.3 GLIBC_2.3 GLIBC_2.3.2 </code></pre><p><code>rc9</code></p> <pre tabindex="0"><code>GCC: (GNU) 3.3.1 GCC: (GNU) 3.2.1 20021207 (Red Hat Linux 8.0 3.2.1-2) GCC: (GNU) 3.2.1 20030202 (Red Hat Linux 8.0 3.2.1-7) GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-4) GCC: (GNU) 3.2.2 20030222 (Red Hat Linux 3.2.2-5) </code></pre><p>From these fingerprints, these files look like fragments stitched together from ELF files built in multiple different environments.</p> <p>And <code>/sbin/init</code> also appears to be based on glibc 2.3.x, so I tried building glibc 2.3.2 with GCC 3.2.2. On CentOS 3, parallel compilation fails for this GCC version. Luckily, I’d seen similar errors when building OpenWrt in the past—otherwise I would’ve been stuck for a long time with zero search results about the root cause.</p> <pre tabindex="0"><code>../gcc-3.2.2/configure --prefix=/opt/gcc_3.2.2 --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit make make install </code></pre><p>When building glibc, whether O2 or O3, it almost never inlines functions. I still don’t understand why, can’t find answers, and asking LLMs didn’t help either.</p> <pre tabindex="0"><code>CC=/opt/gcc_3.2.2/bin/gcc CFLAGS=&#34;-march=pentium4 -O2&#34; ../glibc-2.3.2/configure --prefix=/lib --disable-profile --enable-add-ons --libexecdir=/usr/lib --with-headers=/usr/include CC=/opt/gcc_3.2.2/bin/gcc CFLAGS=&#34;-O3&#34; ../glibc-2.3.2/configure --prefix=/lib --disable-profile --enable-add-ons --libexecdir=/usr/lib --with-headers=/usr/include </code></pre><h3 id="recovering-zsh-symbols">Recovering ZSH Symbols</h3> <p>I don’t like doing repetitive mechanical work. If I had to reverse zsh directly, I’d be bored to death.</p> <p>This IDA version isn’t great at recognizing instructions; many places require manual recovery. After using the script below, the next step is to recover function entry points (I had a similar script in the previous post).</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">find_and_make_instrument</span><span class="p">(</span><span class="n">start_ea</span><span class="p">,</span> <span class="n">end_ea</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">image_base</span> <span class="o">=</span> <span class="n">idaapi</span><span class="o">.</span><span class="n">get_imagebase</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">current_ea</span> <span class="o">=</span> <span class="n">start_ea</span> </span></span><span class="line"><span class="cl"> <span class="n">found_count</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="n">current_ea</span> <span class="o">&lt;</span> <span class="n">end_ea</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">current_ea</span> <span class="o">==</span> <span class="n">ida_idaapi</span><span class="o">.</span><span class="n">BADADDR</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="n">address_flags</span> <span class="o">=</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">get_flags</span><span class="p">(</span><span class="n">current_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">is_code</span><span class="p">(</span><span class="n">address_flags</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">current_ea</span> <span class="o">+=</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">get_item_size</span><span class="p">(</span><span class="n">current_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">del_items</span><span class="p">(</span><span class="mh">0x8052606</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">ida_ua</span><span class="o">.</span><span class="n">can_decode</span><span class="p">(</span><span class="n">current_ea</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Decode instruments at 0x</span><span class="si">{:X}</span><span class="s2">&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">current_ea</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">insn_size</span> <span class="o">=</span> <span class="n">ida_ua</span><span class="o">.</span><span class="n">decode_insn</span><span class="p">(</span><span class="n">ida_ua</span><span class="o">.</span><span class="n">insn_t</span><span class="p">(),</span> <span class="n">current_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">del_items</span><span class="p">(</span><span class="n">current_ea</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">insn_size</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">offset</span> <span class="o">=</span> <span class="n">ida_ua</span><span class="o">.</span><span class="n">create_insn</span><span class="p">(</span><span class="n">current_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">offset</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">found_count</span> <span class="o">+=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">idc</span><span class="o">.</span><span class="n">get_func_flags</span><span class="p">(</span><span class="n">current_ea</span><span class="p">)</span> <span class="o">!=</span> <span class="o">-</span><span class="mi">1</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">current_ea</span> <span class="o">+=</span> <span class="n">offset</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Decode instruments failed at 0x</span><span class="si">{:X}</span><span class="s2">&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">current_ea</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Create instruments failed at 0x</span><span class="si">{:X}</span><span class="s2">&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">current_ea</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">current_ea</span> <span class="o">+=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Search finished, </span><span class="si">{}</span><span class="s2"> instruments created&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">found_count</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">find_and_make_instrument</span><span class="p">(</span><span class="mh">0x080480B4</span><span class="p">,</span> <span class="mh">0x0808F000</span><span class="p">)</span> </span></span></code></pre></div><p>Since there’s no way to use a glibc signature here, I came up with a somewhat naive approach—but it’s faster than invoking MCP-based analysis.</p> <p>First, fully recover glibc strings from file A (my self-compiled one) and recover function entry points. For file B, first fix function entry points, then fix immediate-value offsets, fix strings, deduplicate, remove overly short strings, then match strings one-by-one against file A and filter results.</p> <p>Then traverse xrefs from the filtered results, and pick those that are not duplicated and are functions:</p> <ol> <li>If those functions in file A have symbols, apply them to file B.</li> <li>For functions where strings are pushed as arguments, find all calls in the current function’s scope; if the callee address has no symbol, use this method to recover symbols for argument-pushed callees.</li> <li>Recursively apply symbols (e.g., after recovering a callee, scan inside it for other callees). This feels unnecessary because it quickly runs into many edge cases.</li> </ol> <h4 id="ida-pro-script-extract-strings-and-function-xrefs-from-target-a">IDA Pro script: extract strings and function xrefs from target A</h4> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="ch">#!/usr/bin/env python3</span> </span></span><span class="line"><span class="cl"><span class="c1"># -*- coding: utf-8 -*-</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">json</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_funcs</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_name</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_bytes</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_xref</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_idaapi</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_ua</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_segment</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">idautils</span> </span></span><span class="line"><span class="cl"><span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="kn">import</span> <span class="nn">ida_allins</span> </span></span><span class="line"><span class="cl"> <span class="n">HAS_ALLINS</span> <span class="o">=</span> <span class="kc">True</span> </span></span><span class="line"><span class="cl"><span class="k">except</span> <span class="ne">ImportError</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">HAS_ALLINS</span> <span class="o">=</span> <span class="kc">False</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">find_target_function</span><span class="p">(</span><span class="n">xref_ea</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">insn</span> <span class="o">=</span> <span class="n">ida_ua</span><span class="o">.</span><span class="n">insn_t</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">ida_ua</span><span class="o">.</span><span class="n">decode_insn</span><span class="p">(</span><span class="n">insn</span><span class="p">,</span> <span class="n">xref_ea</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> <span class="n">current_func</span> <span class="o">=</span> <span class="n">ida_funcs</span><span class="o">.</span><span class="n">get_func</span><span class="p">(</span><span class="n">xref_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">search_ea</span> <span class="o">=</span> <span class="n">xref_ea</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="n">search_ea</span> <span class="o">&lt;</span> <span class="n">current_func</span><span class="o">.</span><span class="n">end_ea</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">search_ea</span> <span class="o">=</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">next_head</span><span class="p">(</span><span class="n">search_ea</span><span class="p">,</span> <span class="n">ida_idaapi</span><span class="o">.</span><span class="n">BADADDR</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">search_ea</span> <span class="o">==</span> <span class="n">ida_idaapi</span><span class="o">.</span><span class="n">BADADDR</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">ida_ua</span><span class="o">.</span><span class="n">decode_insn</span><span class="p">(</span><span class="n">insn</span><span class="p">,</span> <span class="n">search_ea</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">insn</span><span class="o">.</span><span class="n">itype</span> <span class="ow">in</span> <span class="p">[</span><span class="n">ida_allins</span><span class="o">.</span><span class="n">NN_call</span><span class="p">,</span> <span class="n">ida_allins</span><span class="o">.</span><span class="n">NN_callfi</span><span class="p">,</span> <span class="n">ida_allins</span><span class="o">.</span><span class="n">NN_callni</span><span class="p">]:</span> </span></span><span class="line"><span class="cl"> <span class="n">target_ea</span> <span class="o">=</span> <span class="n">insn</span><span class="o">.</span><span class="n">ops</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">addr</span> <span class="k">if</span> <span class="n">insn</span><span class="o">.</span><span class="n">ops</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">type</span> <span class="o">==</span> <span class="n">ida_ua</span><span class="o">.</span><span class="n">o_near</span> <span class="k">else</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">target_ea</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">target_func_name</span> <span class="o">=</span> <span class="n">ida_name</span><span class="o">.</span><span class="n">get_name</span><span class="p">(</span><span class="n">target_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">target_func_name</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">target_func_name</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">func</span> <span class="o">=</span> <span class="n">ida_funcs</span><span class="o">.</span><span class="n">get_func</span><span class="p">(</span><span class="n">target_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">func</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">ida_funcs</span><span class="o">.</span><span class="n">get_func_name</span><span class="p">(</span><span class="n">func</span><span class="o">.</span><span class="n">start_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">get_string_xrefs_with_functions</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> 获取IDAPro中所有字符串及其交叉引用信息 </span></span></span><span class="line"><span class="cl"><span class="s2"> 返回JSON格式数据，包含字符串地址、内容、长度和引用它的函数名 </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="n">results</span> <span class="o">=</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 初始化字符串列表</span> </span></span><span class="line"><span class="cl"> <span class="n">strings</span> <span class="o">=</span> <span class="n">idautils</span><span class="o">.</span><span class="n">Strings</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">strings</span><span class="o">.</span><span class="n">setup</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;[+] 开始扫描字符串...&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">string_item</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">strings</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 获取字符串基本信息</span> </span></span><span class="line"><span class="cl"> <span class="n">str_ea</span> <span class="o">=</span> <span class="n">string_item</span><span class="o">.</span><span class="n">ea</span> </span></span><span class="line"><span class="cl"> <span class="n">str_length</span> <span class="o">=</span> <span class="n">string_item</span><span class="o">.</span><span class="n">length</span> </span></span><span class="line"><span class="cl"> <span class="n">str_type</span> <span class="o">=</span> <span class="n">string_item</span><span class="o">.</span><span class="n">strtype</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 获取字符串内容</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">str_content</span> <span class="o">=</span> <span class="nb">str</span><span class="p">(</span><span class="n">string_item</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">str_content</span> <span class="o">=</span> <span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 获取段信息</span> </span></span><span class="line"><span class="cl"> <span class="n">seg</span> <span class="o">=</span> <span class="n">ida_segment</span><span class="o">.</span><span class="n">getseg</span><span class="p">(</span><span class="n">str_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">seg</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">seg_start</span> <span class="o">=</span> <span class="n">seg</span><span class="o">.</span><span class="n">start_ea</span> </span></span><span class="line"><span class="cl"> <span class="n">seg_name</span> <span class="o">=</span> <span class="n">ida_segment</span><span class="o">.</span><span class="n">get_segm_name</span><span class="p">(</span><span class="n">seg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">seg_name</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">seg_name</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">&#34;seg_</span><span class="si">{</span><span class="n">seg_start</span><span class="si">:</span><span class="s2">08X</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">seg_start</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="n">seg_name</span> <span class="o">=</span> <span class="s2">&#34;unknown&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 收集所有引用该字符串的地址</span> </span></span><span class="line"><span class="cl"> <span class="n">xref_functions</span> <span class="o">=</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 获取段信息</span> </span></span><span class="line"><span class="cl"> <span class="n">seg</span> <span class="o">=</span> <span class="n">ida_segment</span><span class="o">.</span><span class="n">getseg</span><span class="p">(</span><span class="n">str_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">seg</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">seg_start</span> <span class="o">=</span> <span class="n">seg</span><span class="o">.</span><span class="n">start_ea</span> </span></span><span class="line"><span class="cl"> <span class="n">seg_name</span> <span class="o">=</span> <span class="n">ida_segment</span><span class="o">.</span><span class="n">get_segm_name</span><span class="p">(</span><span class="n">seg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">seg_name</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">seg_name</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">&#34;seg_</span><span class="si">{</span><span class="n">seg_start</span><span class="si">:</span><span class="s2">08X</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">seg_start</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="n">seg_name</span> <span class="o">=</span> <span class="s2">&#34;unknown&#34;</span> </span></span><span class="line"><span class="cl"> <span class="n">target_functions</span> <span class="o">=</span> <span class="p">[]</span> <span class="c1"># 存储目标函数名</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 使用XrefsTo获取所有引用</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">xref</span> <span class="ow">in</span> <span class="n">idautils</span><span class="o">.</span><span class="n">XrefsTo</span><span class="p">(</span><span class="n">str_ea</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">xref_ea</span> <span class="o">=</span> <span class="n">xref</span><span class="o">.</span><span class="n">frm</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 获取引用地址所在的函数</span> </span></span><span class="line"><span class="cl"> <span class="n">func</span> <span class="o">=</span> <span class="n">ida_funcs</span><span class="o">.</span><span class="n">get_func</span><span class="p">(</span><span class="n">xref_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">func</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 获取函数名</span> </span></span><span class="line"><span class="cl"> <span class="n">func_name</span> <span class="o">=</span> <span class="n">ida_funcs</span><span class="o">.</span><span class="n">get_func_name</span><span class="p">(</span><span class="n">func</span><span class="o">.</span><span class="n">start_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">func_name</span> <span class="ow">and</span> <span class="n">func_name</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">xref_functions</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">xref_functions</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">func_name</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 分析目标函数</span> </span></span><span class="line"><span class="cl"> <span class="n">target_func</span> <span class="o">=</span> <span class="n">find_target_function</span><span class="p">(</span><span class="n">xref_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">target_func</span> <span class="ow">and</span> <span class="n">target_func</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">target_functions</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">target_functions</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">target_func</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># else:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># # 如果不在函数中，尝试获取该地址的名称</span> </span></span><span class="line"><span class="cl"> <span class="c1"># name = ida_name.get_name(xref_ea)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># if name and name not in xref_functions:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># xref_functions.append(f&#34;@{name}&#34;)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># else:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># # 如果没有名称，使用地址</span> </span></span><span class="line"><span class="cl"> <span class="c1"># addr_name = f&#34;addr_0x{xref_ea:X}&#34;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># if addr_name not in xref_functions:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># xref_functions.append(addr_name)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 添加数据引用</span> </span></span><span class="line"><span class="cl"> <span class="c1"># for xref_ea in idautils.DataRefsTo(str_ea):</span> </span></span><span class="line"><span class="cl"> <span class="c1"># func = ida_funcs.get_func(xref_ea)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># if func:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># func_name = ida_funcs.get_func_name(func.start_ea)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># if func_name and func_name not in xref_functions:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># xref_functions.append(func_name)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># # 分析目标函数</span> </span></span><span class="line"><span class="cl"> <span class="c1"># target_func = find_target_function(xref_ea)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># if target_func and target_func not in target_functions:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># target_functions.append(target_func)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># else:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># name = ida_name.get_name(xref_ea)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># if name and name not in xref_functions:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># xref_functions.append(f&#34;@{name}&#34;)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># else:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># addr_name = f&#34;addr_0x{xref_ea:X}&#34;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># if addr_name not in xref_functions:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># xref_functions.append(addr_name)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 创建结果条目</span> </span></span><span class="line"><span class="cl"> <span class="n">string_info</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;ea&#34;</span><span class="p">:</span> <span class="n">str_ea</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;str&#34;</span><span class="p">:</span> <span class="n">str_content</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;len&#34;</span><span class="p">:</span> <span class="n">str_length</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;seg_addr&#34;</span><span class="p">:</span> <span class="n">seg_start</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;seg_name&#34;</span><span class="p">:</span> <span class="n">seg_name</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;xrefs&#34;</span><span class="p">:</span> <span class="n">xref_functions</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;target_func_name&#34;</span><span class="p">:</span> <span class="n">target_functions</span> <span class="c1"># 新增字段</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">results</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">string_info</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="o">%</span> <span class="mi">100</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;[+] 已处理 </span><span class="si">{</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="si">}</span><span class="s2"> 个字符串...&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;[+] 总共找到 </span><span class="si">{</span><span class="nb">len</span><span class="p">(</span><span class="n">results</span><span class="p">)</span><span class="si">}</span><span class="s2"> 个字符串&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">results</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 获取并保存字符串信息</span> </span></span><span class="line"><span class="cl"> <span class="n">strings_data</span> <span class="o">=</span> <span class="n">get_string_xrefs_with_functions</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">unique_data</span> <span class="o">=</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">string_info</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">strings_data</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">duplicated</span> <span class="o">=</span> <span class="kc">False</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">string_info</span><span class="p">[</span><span class="s1">&#39;str&#39;</span><span class="p">])</span> <span class="o">&gt;</span> <span class="mi">10</span> <span class="ow">and</span> <span class="n">string_info</span><span class="p">[</span><span class="s1">&#39;seg_name&#39;</span><span class="p">]</span> <span class="o">==</span> <span class="s1">&#39;.rodata&#39;</span> <span class="ow">and</span> <span class="n">string_info</span><span class="p">[</span><span class="s1">&#39;xrefs&#39;</span><span class="p">]:</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">j</span><span class="p">,</span> <span class="n">string_info1</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">strings_data</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">string_info1</span><span class="p">[</span><span class="s1">&#39;str&#39;</span><span class="p">]</span> <span class="o">==</span> <span class="n">string_info</span><span class="p">[</span><span class="s1">&#39;str&#39;</span><span class="p">]</span> <span class="ow">and</span> <span class="n">string_info</span><span class="p">[</span><span class="s1">&#39;ea&#39;</span><span class="p">]</span> <span class="o">!=</span> <span class="n">string_info1</span><span class="p">[</span><span class="s1">&#39;ea&#39;</span><span class="p">]:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;</span><span class="se">\n</span><span class="si">{</span><span class="n">i</span><span class="o">+</span><span class="mi">1</span><span class="si">}</span><span class="s2">. 重复内容地址: 0x</span><span class="si">{</span><span class="n">string_info</span><span class="p">[</span><span class="s1">&#39;ea&#39;</span><span class="p">]</span><span class="si">:</span><span class="s2">08X</span><span class="si">}</span><span class="s2"> 0x</span><span class="si">{</span><span class="n">string_info1</span><span class="p">[</span><span class="s1">&#39;ea&#39;</span><span class="p">]</span><span class="si">:</span><span class="s2">08X</span><span class="si">}</span><span class="s2"> 字符串: </span><span class="si">{</span><span class="nb">repr</span><span class="p">(</span><span class="n">string_info1</span><span class="p">[</span><span class="s1">&#39;str&#39;</span><span class="p">])</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">duplicated</span> <span class="o">=</span> <span class="kc">True</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">duplicated</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">unique_data</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">string_info</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s2">&#34;strings_with_xrefs.json&#34;</span><span class="p">,</span> <span class="s2">&#34;w&#34;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">json</span><span class="o">.</span><span class="n">dump</span><span class="p">(</span><span class="n">unique_data</span><span class="p">,</span> <span class="n">f</span><span class="p">,</span> <span class="n">ensure_ascii</span><span class="o">=</span><span class="kc">False</span><span class="p">,</span> <span class="n">indent</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">[+] 分析完成! 总共发现 </span><span class="si">{</span><span class="nb">len</span><span class="p">(</span><span class="n">unique_data</span><span class="p">)</span><span class="si">}</span><span class="s2"> 个字符串&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">main</span><span class="p">()</span> </span></span></code></pre></div><h4 id="ida-pro-script-apply-xref-symbols-from-a-to-b">IDA Pro script: apply xref symbols from A to B</h4> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="ch">#!/usr/bin/env python</span> </span></span><span class="line"><span class="cl"><span class="c1"># -*- coding: utf-8 -*-</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">json</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_bytes</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_name</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_funcs</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_xref</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_kernwin</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_segment</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">idautils</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_idaapi</span> </span></span><span class="line"><span class="cl"><span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="kn">import</span> <span class="nn">ida_allins</span> </span></span><span class="line"><span class="cl"> <span class="n">HAS_ALLINS</span> <span class="o">=</span> <span class="kc">True</span> </span></span><span class="line"><span class="cl"><span class="k">except</span> <span class="ne">ImportError</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">HAS_ALLINS</span> <span class="o">=</span> <span class="kc">False</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">find_target_function</span><span class="p">(</span><span class="n">xref_ea</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">insn</span> <span class="o">=</span> <span class="n">ida_ua</span><span class="o">.</span><span class="n">insn_t</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">ida_ua</span><span class="o">.</span><span class="n">decode_insn</span><span class="p">(</span><span class="n">insn</span><span class="p">,</span> <span class="n">xref_ea</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> <span class="n">current_func</span> <span class="o">=</span> <span class="n">ida_funcs</span><span class="o">.</span><span class="n">get_func</span><span class="p">(</span><span class="n">xref_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">search_ea</span> <span class="o">=</span> <span class="n">xref_ea</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="n">search_ea</span> <span class="o">&lt;</span> <span class="n">current_func</span><span class="o">.</span><span class="n">end_ea</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">search_ea</span> <span class="o">=</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">next_head</span><span class="p">(</span><span class="n">search_ea</span><span class="p">,</span> <span class="n">ida_idaapi</span><span class="o">.</span><span class="n">BADADDR</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">search_ea</span> <span class="o">==</span> <span class="n">ida_idaapi</span><span class="o">.</span><span class="n">BADADDR</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">ida_ua</span><span class="o">.</span><span class="n">decode_insn</span><span class="p">(</span><span class="n">insn</span><span class="p">,</span> <span class="n">search_ea</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">insn</span><span class="o">.</span><span class="n">itype</span> <span class="ow">in</span> <span class="p">[</span><span class="n">ida_allins</span><span class="o">.</span><span class="n">NN_call</span><span class="p">,</span> <span class="n">ida_allins</span><span class="o">.</span><span class="n">NN_callfi</span><span class="p">,</span> <span class="n">ida_allins</span><span class="o">.</span><span class="n">NN_callni</span><span class="p">]:</span> </span></span><span class="line"><span class="cl"> <span class="n">target_ea</span> <span class="o">=</span> <span class="n">insn</span><span class="o">.</span><span class="n">ops</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">addr</span> <span class="k">if</span> <span class="n">insn</span><span class="o">.</span><span class="n">ops</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">type</span> <span class="o">==</span> <span class="n">ida_ua</span><span class="o">.</span><span class="n">o_near</span> <span class="k">else</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">target_ea</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">target_func_name</span> <span class="o">=</span> <span class="n">ida_name</span><span class="o">.</span><span class="n">get_name</span><span class="p">(</span><span class="n">target_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">target_func_name</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">target_func_name</span><span class="p">,</span> <span class="n">target_ea</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">func</span> <span class="o">=</span> <span class="n">ida_funcs</span><span class="o">.</span><span class="n">get_func</span><span class="p">(</span><span class="n">target_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">func</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">ida_funcs</span><span class="o">.</span><span class="n">get_func_name</span><span class="p">(</span><span class="n">func</span><span class="o">.</span><span class="n">start_ea</span><span class="p">),</span> <span class="n">func</span><span class="o">.</span><span class="n">start_ea</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="kc">None</span><span class="p">,</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">process_string_data</span><span class="p">(</span><span class="n">json_file_path</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> 从JSON文件读取字符串数据，在rodata段搜索字符串， </span></span></span><span class="line"><span class="cl"><span class="s2"> 跳转到第一个交叉引用的函数，并根据需要重命名函数 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> 参数: </span></span></span><span class="line"><span class="cl"><span class="s2"> json_file_path: JSON文件路径 </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 读取JSON文件</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">json_file_path</span><span class="p">,</span> <span class="s1">&#39;r&#39;</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="s1">&#39;utf-8&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">string_data_list</span> <span class="o">=</span> <span class="n">json</span><span class="o">.</span><span class="n">load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;成功读取JSON文件，包含 </span><span class="si">{</span><span class="nb">len</span><span class="p">(</span><span class="n">string_data_list</span><span class="p">)</span><span class="si">}</span><span class="s2"> 个字符串条目&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 获取.rodata段</span> </span></span><span class="line"><span class="cl"> <span class="n">rodata_seg</span> <span class="o">=</span> <span class="kc">None</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">seg</span> <span class="ow">in</span> <span class="n">idautils</span><span class="o">.</span><span class="n">Segments</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">seg_name</span> <span class="o">=</span> <span class="n">ida_segment</span><span class="o">.</span><span class="n">get_segm_name</span><span class="p">(</span><span class="n">ida_segment</span><span class="o">.</span><span class="n">getseg</span><span class="p">(</span><span class="n">seg</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">seg_name</span> <span class="o">==</span> <span class="s2">&#34;.rodata&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">rodata_seg</span> <span class="o">=</span> <span class="n">ida_segment</span><span class="o">.</span><span class="n">getseg</span><span class="p">(</span><span class="n">seg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">rodata_seg</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;错误：无法找到.rodata段&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;找到.rodata段: 0x</span><span class="si">{</span><span class="n">rodata_seg</span><span class="o">.</span><span class="n">start_ea</span><span class="si">:</span><span class="s2">X</span><span class="si">}</span><span class="s2"> - 0x</span><span class="si">{</span><span class="n">rodata_seg</span><span class="o">.</span><span class="n">end_ea</span><span class="si">:</span><span class="s2">X</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 处理每个字符串条目</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">idx</span><span class="p">,</span> <span class="n">item</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">string_data_list</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="c1"># print(f&#34;\n[{idx + 1}/{len(string_data_list)}] 处理字符串: &#39;{item[&#39;str&#39;]}&#39;&#34;)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 在rodata段搜索字符串</span> </span></span><span class="line"><span class="cl"> <span class="n">string_to_search</span> <span class="o">=</span> <span class="n">item</span><span class="p">[</span><span class="s1">&#39;str&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">found_ea</span> <span class="o">=</span> <span class="n">search_string_in_segment</span><span class="p">(</span><span class="n">string_to_search</span><span class="p">,</span> <span class="n">rodata_seg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">found_ea</span> <span class="o">==</span> <span class="n">ida_idaapi</span><span class="o">.</span><span class="n">BADADDR</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># print(f&#34; 未在.rodata段找到字符串 &#39;{string_to_search}&#39;&#34;)</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 获取字符串的交叉引用</span> </span></span><span class="line"><span class="cl"> <span class="n">xrefs</span> <span class="o">=</span> <span class="n">get_xrefs_to_address</span><span class="p">(</span><span class="n">found_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">xrefs</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34; 字符串在 0x</span><span class="si">{</span><span class="n">found_ea</span><span class="si">:</span><span class="s2">X</span><span class="si">}</span><span class="s2"> 没有交叉引用&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34; 找到 </span><span class="si">{</span><span class="nb">len</span><span class="p">(</span><span class="n">xrefs</span><span class="p">)</span><span class="si">}</span><span class="s2"> 个交叉引用&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 获取第一个交叉引用</span> </span></span><span class="line"><span class="cl"> <span class="n">first_xref</span> <span class="o">=</span> <span class="n">xrefs</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 找到包含该交叉引用的函数</span> </span></span><span class="line"><span class="cl"> <span class="n">func</span> <span class="o">=</span> <span class="n">ida_funcs</span><span class="o">.</span><span class="n">get_func</span><span class="p">(</span><span class="n">first_xref</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">func</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34; 0x</span><span class="si">{</span><span class="n">first_xref</span><span class="si">:</span><span class="s2">X</span><span class="si">}</span><span class="s2"> 不在任何函数中&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">target_func_name</span><span class="p">,</span> <span class="n">target_func_ea</span> <span class="o">=</span> <span class="n">find_target_function</span><span class="p">(</span><span class="n">first_xref</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">target_func_name</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">target_func_name</span><span class="o">.</span><span class="n">startswith</span><span class="p">(</span><span class="s1">&#39;sub_&#39;</span><span class="p">)</span> <span class="ow">and</span> <span class="n">item</span><span class="p">[</span><span class="s1">&#39;target_func_name&#39;</span><span class="p">]:</span> </span></span><span class="line"><span class="cl"> <span class="n">rename_function</span><span class="p">(</span><span class="n">target_func_ea</span><span class="p">,</span> <span class="n">item</span><span class="p">[</span><span class="s1">&#39;target_func_name&#39;</span><span class="p">][</span><span class="mi">0</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">func_ea</span> <span class="o">=</span> <span class="n">func</span><span class="o">.</span><span class="n">start_ea</span> </span></span><span class="line"><span class="cl"> <span class="n">current_func_name</span> <span class="o">=</span> <span class="n">ida_funcs</span><span class="o">.</span><span class="n">get_func_name</span><span class="p">(</span><span class="n">func_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34; 目标函数地址: 0x</span><span class="si">{</span><span class="n">func_ea</span><span class="si">:</span><span class="s2">X</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34; 当前函数名: </span><span class="si">{</span><span class="n">current_func_name</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 检查函数是否有自定义名称</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">is_auto_generated_name</span><span class="p">(</span><span class="n">current_func_name</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 使用JSON中提供的xrefs第一项作为新的函数名</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="s1">&#39;xrefs&#39;</span> <span class="ow">in</span> <span class="n">item</span> <span class="ow">and</span> <span class="n">item</span><span class="p">[</span><span class="s1">&#39;xrefs&#39;</span><span class="p">]</span> <span class="ow">and</span> <span class="nb">len</span><span class="p">(</span><span class="n">item</span><span class="p">[</span><span class="s1">&#39;xrefs&#39;</span><span class="p">])</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">new_name</span> <span class="o">=</span> <span class="n">item</span><span class="p">[</span><span class="s1">&#39;xrefs&#39;</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">rename_function</span><span class="p">(</span><span class="n">func_ea</span><span class="p">,</span> <span class="n">new_name</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34; ✓ 函数重命名为: </span><span class="si">{</span><span class="n">new_name</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34; ✗ 函数重命名失败&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34; 未提供xrefs信息，跳过重命名&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34; 函数已有自定义名称，跳过重命名&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 跳转到函数</span> </span></span><span class="line"><span class="cl"> <span class="n">ida_kernwin</span><span class="o">.</span><span class="n">jumpto</span><span class="p">(</span><span class="n">func_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34; 已跳转到函数 0x</span><span class="si">{</span><span class="n">func_ea</span><span class="si">:</span><span class="s2">X</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">处理完成！共处理了 </span><span class="si">{</span><span class="nb">len</span><span class="p">(</span><span class="n">string_data_list</span><span class="p">)</span><span class="si">}</span><span class="s2"> 个字符串条目&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">except</span> <span class="ne">FileNotFoundError</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;错误：无法找到文件 </span><span class="si">{</span><span class="n">json_file_path</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span> <span class="n">json</span><span class="o">.</span><span class="n">JSONDecodeError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;错误：JSON文件格式错误 - </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span> <span class="ne">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;错误：处理过程中出现异常 - </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">search_string_in_segment</span><span class="p">(</span><span class="n">target_string</span><span class="p">,</span> <span class="n">segment</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> 在指定段中搜索字符串 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> 参数: </span></span></span><span class="line"><span class="cl"><span class="s2"> target_string: 要搜索的字符串 </span></span></span><span class="line"><span class="cl"><span class="s2"> segment: 目标段 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> 返回: </span></span></span><span class="line"><span class="cl"><span class="s2"> 找到的地址，如果未找到则返回BADADDR </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="n">start_ea</span> <span class="o">=</span> <span class="n">segment</span><span class="o">.</span><span class="n">start_ea</span> </span></span><span class="line"><span class="cl"> <span class="n">end_ea</span> <span class="o">=</span> <span class="n">segment</span><span class="o">.</span><span class="n">end_ea</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 尝试搜索字符串</span> </span></span><span class="line"><span class="cl"> <span class="n">found_ea</span> <span class="o">=</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">find_string</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">target_string</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">start_ea</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">range_end</span><span class="o">=</span><span class="n">end_ea</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">flags</span><span class="o">=</span><span class="n">ida_bytes</span><span class="o">.</span><span class="n">BIN_SEARCH_FORWARD</span> <span class="o">|</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">BIN_SEARCH_NOSHOW</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 如果在段范围内找到，返回地址</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">found_ea</span> <span class="o">!=</span> <span class="n">ida_idaapi</span><span class="o">.</span><span class="n">BADADDR</span> <span class="ow">and</span> <span class="n">start_ea</span> <span class="o">&lt;=</span> <span class="n">found_ea</span> <span class="o">&lt;</span> <span class="n">end_ea</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">found_ea</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">ida_idaapi</span><span class="o">.</span><span class="n">BADADDR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">get_xrefs_to_address</span><span class="p">(</span><span class="n">ea</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> 获取指向指定地址的所有交叉引用 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> 参数: </span></span></span><span class="line"><span class="cl"><span class="s2"> ea: 目标地址 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> 返回: </span></span></span><span class="line"><span class="cl"><span class="s2"> 交叉引用地址列表 </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="n">xrefs</span> <span class="o">=</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 获取数据引用</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">xref</span> <span class="ow">in</span> <span class="n">idautils</span><span class="o">.</span><span class="n">DataRefsTo</span><span class="p">(</span><span class="n">ea</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">xrefs</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">xref</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 获取代码引用</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">xref</span> <span class="ow">in</span> <span class="n">idautils</span><span class="o">.</span><span class="n">CodeRefsTo</span><span class="p">(</span><span class="n">ea</span><span class="p">,</span> <span class="mi">0</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">xrefs</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">xref</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">xrefs</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">is_auto_generated_name</span><span class="p">(</span><span class="n">func_name</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> 检查函数名是否为自动生成的名称 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> 参数: </span></span></span><span class="line"><span class="cl"><span class="s2"> func_name: 函数名 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> 返回: </span></span></span><span class="line"><span class="cl"><span class="s2"> True 如果是自动生成的名称，False 否则 </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># IDA自动生成的函数名通常以sub_、loc_、unk_等开头</span> </span></span><span class="line"><span class="cl"> <span class="n">auto_prefixes</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;sub_&#39;</span><span class="p">,</span> <span class="s1">&#39;loc_&#39;</span><span class="p">,</span> <span class="s1">&#39;unk_&#39;</span><span class="p">,</span> <span class="s1">&#39;nullsub_&#39;</span><span class="p">,</span> <span class="s1">&#39;j_&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">prefix</span> <span class="ow">in</span> <span class="n">auto_prefixes</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">func_name</span><span class="o">.</span><span class="n">startswith</span><span class="p">(</span><span class="n">prefix</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="kc">True</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="kc">False</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">rename_function</span><span class="p">(</span><span class="n">func_ea</span><span class="p">,</span> <span class="n">new_name</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> 重命名函数 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> 参数: </span></span></span><span class="line"><span class="cl"><span class="s2"> func_ea: 函数地址 </span></span></span><span class="line"><span class="cl"><span class="s2"> new_name: 新函数名 </span></span></span><span class="line"><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="cl"><span class="s2"> 返回: </span></span></span><span class="line"><span class="cl"><span class="s2"> True 如果重命名成功，False 否则 </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 使用ida_name.set_name设置函数名</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="n">ida_name</span><span class="o">.</span><span class="n">set_name</span><span class="p">(</span><span class="n">func_ea</span><span class="p">,</span> <span class="n">new_name</span><span class="p">,</span> <span class="n">ida_name</span><span class="o">.</span><span class="n">SN_CHECK</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">result</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span> <span class="ne">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;重命名函数时出错: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="kc">False</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="cl"><span class="s2"> 主函数 - 提示用户选择JSON文件并开始处理 </span></span></span><span class="line"><span class="cl"><span class="s2"> &#34;&#34;&#34;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 获取JSON文件路径</span> </span></span><span class="line"><span class="cl"> <span class="n">json_file</span> <span class="o">=</span> <span class="n">ida_kernwin</span><span class="o">.</span><span class="n">ask_file</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="s2">&#34;*.json&#34;</span><span class="p">,</span> <span class="s2">&#34;选择包含字符串数据的JSON文件&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">json_file</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;开始处理文件: </span><span class="si">{</span><span class="n">json_file</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">process_string_data</span><span class="p">(</span><span class="n">json_file</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;未选择文件，操作取消&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">main</span><span class="p">()</span> </span></span></code></pre></div><p>These scripts are still rough and need polishing, but they’re “good enough” for now. And they might not even matter much: after these fixes, it becomes obvious that these ELF files aren’t based on a modified glibc—they’re just statically linked. They all use <code>__libc_start_main</code> to enter <code>main</code>.</p> <h3 id="fixing-geca-and-rc0d">Fixing <code>GECA</code> and <code>rc0.d</code></h3> <p>Read <code>0x400</code> bytes from <code>/dev/hdc1</code> at offset <code>0x1B44 * 512</code>. This is an ELF header, and it’s written into <code>/mnt/head</code>.</p> <p>IGS likely hid this ELF header in unused space inside the FAT partition. Because the partitions are contiguous, you can’t easily spot hidden content from the partition layout alone.</p> <p>Read <code>0x400</code> bytes from the end of <code>/bin/arch</code> and write it to <code>/mnt/GECA</code>.</p> <p>Then append <code>/etc/init.d/rc0.d</code> to the end of <code>/mnt/GECA</code>.</p> <h3 id="recovering-game-files">Recovering Game Files</h3> <p>Before I started my analysis, Nova shared findings from BatteryShark. BatteryShark had already reconstructed the ELF for Speed Driver 2, but the ELF still had issues and couldn’t be used for other games such as Percussion Master 2008.</p> <p><a href="https://github.com/batteryshark/igstools/blob/main/scripts/igs_rofsv1_dumpexec.py"target="_blank" rel="noopener noreferrer">IGS Dump EXEC</a></p> <p>So I still had to do it myself, and I also wanted to reverse the code that reconstructs the game files anyway.</p> <p>During kernel boot, after <code>GECA</code> is repaired by zsh, it is immediately executed with the same environment variables and arguments.</p> <p>The concatenation order of <code>rc*</code> is configured by a string variable, and it differs per game.</p> <p><img loading="lazy" src="geca_params.png" alt="geca_params.png"/></p> <p>These digits correspond exactly to the file order under <code>/etc/rc.d</code>:</p> <pre tabindex="0"><code>2 1 3 5 8 4 7 6 9 </code></pre><p>GECA’s execution flow: it cuts fragments under <code>/etc/rc.d</code> according to the specified order (with different cut sizes), and writes the outputs to <code>/mnt</code>.</p> <pre tabindex="0"><code>dd if=/etc/rc.d/rc2.d of=/mnt/rc2 bs=1K count=[file_size / 1024 - 400] &amp;&gt; /dev/null dd if=/etc/rc.d/rc1.d of=/mnt/rc1 bs=1K count=[file_size / 1024 - 400 + 7] &amp;&gt; /dev/null dd if=/etc/rc.d/rc3.d of=/mnt/rc3 bs=1K count=[file_size / 1024 - 400 + 14] &amp;&gt; /dev/null dd if=/etc/rc.d/rc5.d of=/mnt/rc5 bs=1K count=[file_size / 1024 - 400 + 21] &amp;&gt; /dev/null dd if=/etc/rc.d/rc8.d of=/mnt/rc8 bs=1K count=[file_size / 1024 - 400 + 28] &amp;&gt; /dev/null dd if=/etc/rc.d/rc4.d of=/mnt/rc4 bs=1K count=[file_size / 1024 - 400 + 35] &amp;&gt; /dev/null dd if=/etc/rc.d/rc7.d of=/mnt/rc7 bs=1K count=[file_size / 1024 - 400 + 42] &amp;&gt; /dev/null dd if=/etc/rc.d/rc6.d of=/mnt/rc6 bs=1K count=[file_size / 1024 - 400 + 49] &amp;&gt; /dev/null dd if=/etc/rc.d/rc9.d of=/mnt/rc9 bs=1 count=[file_size - 400 * 1024] &amp;&gt; /dev/null </code></pre><p>Then it mounts a ramfs at <code>/exec</code>, concatenates these files into the real game binary, and replaces the original disk-destruction executable.</p> <p>After that, the boot process matches what we saw earlier in <code>/etc/X11/IGS</code>.</p> <pre tabindex="0"><code>mount -n -t ramfs GameExecution /exec &amp;&gt; /dev/null cat /mnt/head /mnt/rc2 /mnt/rc1 /mnt/rc3 /mnt/rc5 /mnt/rc8 /mnt/rc4 /mnt/rc7 /mnt/rc6 /mnt/rc9 &gt; /exec/PM2008v2 &amp;&amp; chmod 777 /exec/PM2008v2 &amp;&gt; /dev/null # 删除临时文件 umount /mnt &amp;&gt;/dev/null rm -rf /mnt &amp;&gt;/dev/null </code></pre><p>You can write a script to replicate this process:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="ch">#!/usr/bin/env python3</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">argparse</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">parser</span> <span class="o">=</span> <span class="n">argparse</span><span class="o">.</span><span class="n">ArgumentParser</span><span class="p">(</span><span class="n">description</span><span class="o">=</span><span class="s1">&#39;Recover game from IGS E2000 platform&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span><span class="s1">&#39;head_file&#39;</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="nb">str</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="s1">&#39;head file to read&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span><span class="s1">&#39;rc_dir&#39;</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="nb">str</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="s1">&#39;game parts dir to read&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span><span class="s1">&#39;game_file&#39;</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="nb">str</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="s1">&#39;game file to write&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">args</span> <span class="o">=</span> <span class="n">parser</span><span class="o">.</span><span class="n">parse_args</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">rc_order</span> <span class="o">=</span> <span class="s2">&#34;213584769&#34;</span> </span></span><span class="line"><span class="cl"> <span class="n">rc_order_len</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">rc_order</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">block_num</span> <span class="o">=</span> <span class="mi">400</span> </span></span><span class="line"><span class="cl"> <span class="n">ignore_count</span> <span class="o">=</span> <span class="mi">7</span> </span></span><span class="line"><span class="cl"> <span class="n">step_type</span> <span class="o">=</span> <span class="mi">2</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">head</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">args</span><span class="o">.</span><span class="n">head_file</span><span class="p">,</span> <span class="s1">&#39;rb&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">read</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">args</span><span class="o">.</span><span class="n">game_file</span><span class="p">,</span> <span class="s1">&#39;wb&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">game_fd</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">game_fd</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">head</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">rc_order_len</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">rc_file_path</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">args</span><span class="o">.</span><span class="n">rc_dir</span><span class="p">,</span> <span class="sa">f</span><span class="s2">&#34;rc</span><span class="si">{</span><span class="n">rc_order</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="si">}</span><span class="s2">.d&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">rc_data</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">rc_file_path</span><span class="p">,</span> <span class="s1">&#39;rb&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">read</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">rc_data_size</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">rc_data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">write_size</span> <span class="o">=</span> <span class="n">rc_data_size</span> <span class="o">-</span> <span class="n">block_num</span> <span class="o">*</span> <span class="mi">1024</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;rc</span><span class="si">{</span><span class="n">rc_order</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="si">}</span><span class="s2">.d size: 0x</span><span class="si">{</span><span class="n">rc_data_size</span><span class="si">:</span><span class="s2">08X</span><span class="si">}</span><span class="s2">, write 0x</span><span class="si">{</span><span class="n">write_size</span><span class="si">:</span><span class="s2">08X</span><span class="si">}</span><span class="s2"> bytes to game file, write block </span><span class="si">{</span><span class="nb">int</span><span class="p">(</span><span class="n">write_size</span><span class="o">/</span><span class="mi">1024</span><span class="p">)</span><span class="si">}</span><span class="s2"> skip block_num: </span><span class="si">{</span><span class="n">block_num</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># head = head + rc_data[0:write_size]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">step_type</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">block_num</span> <span class="o">-=</span> <span class="n">ignore_count</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">block_num</span> <span class="o">+=</span> <span class="n">ignore_count</span> </span></span><span class="line"><span class="cl"> <span class="n">game_fd</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">rc_data</span><span class="p">[</span><span class="mi">0</span><span class="p">:</span><span class="n">write_size</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">main</span><span class="p">()</span> </span></span></code></pre></div><pre tabindex="0"><code>(base) ➜ python ./recover_game.py ./head.img ./part2/etc/rc.d ./pm2008_game rc2.d size: 0x00080000, write 0x0001C000 bytes to game file, write block 112 skip block_num: 400 rc1.d size: 0x00080000, write 0x0001DC00 bytes to game file, write block 119 skip block_num: 393 rc3.d size: 0x00080000, write 0x0001F800 bytes to game file, write block 126 skip block_num: 386 rc5.d size: 0x00080000, write 0x00021400 bytes to game file, write block 133 skip block_num: 379 rc8.d size: 0x00080000, write 0x00023000 bytes to game file, write block 140 skip block_num: 372 rc4.d size: 0x00080000, write 0x00024C00 bytes to game file, write block 147 skip block_num: 365 rc7.d size: 0x00080000, write 0x00026800 bytes to game file, write block 154 skip block_num: 358 rc6.d size: 0x00080000, write 0x00028400 bytes to game file, write block 161 skip block_num: 351 rc9.d size: 0x003CA6D8, write 0x003746D8 bytes to game file, write block 3537 skip block_num: 344 </code></pre><p>After recovery, although we avoid multi-version glibc fingerprints, the ELF might still have issues. Each game’s main binary recovery algorithm differs slightly. PM2008’s recovery logic takes two more parameters than SD2, so I’ll focus on PM2008 first.</p> <p>I still need to do dynamic analysis to understand how the in-memory ELF is loaded. But I’ve noticed that plugging in an Ethernet cable or a keyboard causes the cabinet to crash immediately—no idea whether that’s a protection mechanism. In the next post, I’ll analyze how to do dynamic debugging on the device.</p> https://gorgias.me/posts/igs-arcade-re-1/ Sat, 17 May 2025 22:34:31 +0800 https://gorgias.me/posts/igs-arcade-re-1/ <h1 id="preface">Preface</h1> <p>2010 was the golden era of arcades. As mobile devices and home consoles became widespread, the arcade industry gradually declined. Although some policies were introduced domestically to encourage the amusement gaming equipment industry, the sector has long been out of favor with investors. The 2020 pandemic dealt an even heavier blow to the arcade business.</p> <p>Back then, 100 RMB might only buy 50 credits; now 100 RMB can buy 200 credits.</p> <p>I like racing games. Wangan Midnight, Initial D, and Speed Driver have been the hottest games in arcades in recent years, because they have accounts and thus a social component. Some time ago, when I was cracking the player app for Speed Driver 5, I learned that IGS (International Games System) is the company behind the Knights of Valour arcade game I played as a kid and Journey to the West. IGS’s anti-cracking is top-tier across the entire industry, and the Speed Driver series is even known as “uncrackable.”</p> <p>Last month, the “Super Player” arcade near my home shut down. I felt that sooner or later the Speed Driver series might disappear, so I decided to challenge myself to crack it.</p> <p>The release order of the IGS Speed Driver series is as follows:</p> <table> <thead> <tr> <th>Game</th> <th>Device Model</th> <th>Year</th> </tr> </thead> <tbody> <tr> <td>Speed Driver: Evolution</td> <td></td> <td>2004</td> </tr> <tr> <td>Speed Driver 2</td> <td>E2000</td> <td>2007</td> </tr> <tr> <td>Speed Driver 3</td> <td>E3000, E3100</td> <td>2010</td> </tr> <tr> <td>Speed Driver 4</td> <td>E3000, E3100, S3000</td> <td>2013</td> </tr> <tr> <td>Speed Driver 5</td> <td>S3000</td> <td>2019</td> </tr> </tbody> </table> <p>I planned to start with the E2000 platform. The difficulty should definitely be lower than PGM (PolyGame Master) because it’s PC-based: there’s no need to emulate a sound card or GPU. The hardware has almost no physical protection, the CPU ISA is x86, the OS is Linux, there’s no anti-debugging, and no VMP—this is basically a tutorial level.</p> <p>In Asia, the Speed Driver series has influence comparable to Wangan Midnight, Initial D, and Storm Racer G (all of which have been cracked). IGS’s anti-cracking is the most successful: throughout the entire product lifecycle, it was never cracked.</p> <h1 id="hardware-analysis">Hardware analysis</h1> <p>In <a href="https://github.com/shizmob/arcade-docs/"target="_blank" rel="noopener noreferrer">Arcade-docs</a>, you can look up the hardware information of each device and the games it supports. Leveraging my “skill” at scavenging e-waste, I managed to get an E2000 host. There are quite a few enthusiasts abroad buying them too, so the price has gone up.</p> <h2 id="external-interface-analysis">External interface analysis</h2> <p>On the front there are two RS-485 ports, and the CF card can be removed externally.</p> <p><img loading="lazy" src="e2000_shield_1.jpeg" alt=""/></p> <p>Back-side ports, with the very “millennium PC” vibe:</p> <ul> <li>12V DC</li> <li>2 x DB9 COM</li> <li>4 x USB 2.0</li> <li>RJ45 LAN</li> <li>3.5mm Audio Out</li> <li>25pin + 30pin I/O connector</li> </ul> <p><img loading="lazy" src="e2000_shield_2.jpg" alt=""/></p> <h2 id="mainboard-analysis">Mainboard analysis</h2> <p>Given that cracking this doesn’t seem hard, I’m not going to analyze the other components whose silkscreen is covered by stickers—it’s too annoying.</p> <p>The host I bought came with the game Percussion Master 2008 installed, but Speed Driver 2 also runs.</p> <ul> <li>Mainboard model: I-JOIN E2000-V256 IH-02 (Advantech)</li> <li>A - CPU: Celeron M 370 (1.5 GHz)</li> <li>B - Northbridge: unknown</li> <li>C - GPU: NVIDIA GeForce 6200 (256 MB, GDDR2)</li> <li>D - 2 x DDR 333 256MB</li> <li>E - Chipset: Intel 852GME (ICH4-M)</li> <li>F - PCI9030, a GPIO chip, likely used for transmitting controller signals.</li> <li>G - I/O controller with an LPC interface</li> <li>H - A11 BIOS chip SST 49LF004B (PLCC32)</li> <li>I - IH-C02 ALTERA EPM3032ALC44-10N CPLD (PLCC44), controller; contains ROM, purpose unknown</li> <li>J - IGS EV29LV640-90PCR 8MB EEPROM, DIP 48-pin package, an IGS custom chip. This chip has a label with the game name on it, suggesting the BIOS ROM is also game-related. There may be content related to the V21 chip.</li> <li>K - V21, IGS036E, maybe an FPGA or ASIC used to encrypt/process the input/output of control signals</li> <li>L - 64K x 16 HIGH-SPEED CMOS STATIC RAM x3</li> <li>M - CF card: ADATA 2GB (266X)</li> <li>N - IDE HDD connector</li> </ul> <p>I have many ways to get a root shell on the hardware, but I’m more interested in the game loading process. So let’s start with software reverse engineering.</p> <p><img loading="lazy" src="e2000_board.jpg" alt=""/></p> <h2 id="io-board-analysis">I/O board analysis</h2> <p>These boards are also called control boards. They should be used to connect game controllers such as the steering wheel, brake/throttle, coin acceptor, etc.</p> <p>They communicate via the 25pin + 30pin I/O connector to the mainboard.</p> <p>The price may even be higher than the host itself.</p> <p>In theory, you could use a logic analyzer to capture these sensor signals and then implement control functionality. But I’ve heard the control signals are handled by the V21 chip (ASIC) and may be encrypted. I also don’t plan to clone a control board. These arcade racing games aren’t as fun as Forza Horizon 5. Arcades are cheap these days—if you really want to play, just pay to play at an arcade, or buy a steering wheel setup and play at home.</p> <p><img loading="lazy" src="sd2_io.jpg" alt=""/></p> <p><img loading="lazy" src="sd2_io2.jpg" alt=""/></p> <h1 id="filesystem-analysis">Filesystem analysis</h1> <p>Dump the CF card directly. The file size is 2GB. The <code>file</code> command output is:</p> <pre tabindex="0"><code>DOS/MBR boot sector, LInux i386 boot LOader; partition 1 : ID=0x1, active, start-CHS (0x0,1,1), end-CHS (0x2,63,63), startsector 63, 12033 sectors; partition 2 : ID=0x83, start-CHS (0x3,0,1), end-CHS (0x22,63,63), startsector 12096, 129024 sectors; partition 3 : ID=0x83, start-CHS (0x62,0,1), end-CHS (0x399,63,63), startsector 395136, 3322368 sectors; partition 4 : ID=0x83, start-CHS (0x23,0,1), end-CHS (0x61,63,63), startsector 141120, 254016 sectors </code></pre><p>Boot process: LILO is used as the MBR, installed directly in the first sector to boot Linux.</p> <pre tabindex="0"><code>+----------------------------------------+ | Master Boot Record Operating system | |----------------------------------------| | LILO ---------------&gt; Linux | | ---&gt; other OS | +----------------------------------------+ </code></pre><p>View the partition information via <code>fdisk</code>. This is a Linux OS with four partitions, contiguous from start to end. Everything after the last partition is <code>0x00</code>, so there is no hidden partition.</p> <pre tabindex="0"><code>Disk ./percussion_master_2008.img: 1.77 GiB, 1903878144 bytes, 3718512 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0x6e4a3fef Device Boot Start End Sectors Size Id Type ./percussion_master_2008.img1 * 63 12095 12033 5.9M 1 FAT12 ./percussion_master_2008.img2 12096 141119 129024 63M 83 Linux ./percussion_master_2008.img3 395136 3717503 3322368 1.6G 83 Linux ./percussion_master_2008.img4 141120 395135 254016 124M 83 Linux </code></pre><p>One notable trait of the E2000 platform layout is that partition 3 and partition 4 are in “reverse” order.</p> <p>Partition 2 and partition 4 cannot be fully extracted by 7z. <code>binwalk</code> can identify some compressed regions, so it is very likely a heavily modified filesystem.</p> <p>The purpose of each partition is as follows (later I found the original filesystem types for partitions 2 and 4):</p> <pre tabindex="0"><code>Partition 1: Ext2, Bootloader, kernel Partition 2: IGS CRAMFS, RootFS Partition 3: Ext3, Log Data Partition 4: IGS SquashFS, Game Data </code></pre><h2 id="kernel-reversing">Kernel reversing</h2> <p>So far I have not found the rootfs or the game executable; they are most likely located in partition 2 and partition 4. I think reversing the kernel can save a lot of detours. Without relying on the kernel, you could also directly reverse the filesystem format from the raw data, but that’s boring. And whatever extractor you end up writing won’t beat open-source filesystem unpacking tools anyway. First, look at partition 1: it contains a loader and a kernel. The kernel version is shown, but it may not be the correct one.</p> <pre tabindex="0"><code>SD2: LILO (LInux LOder) SD2-OS-61P: Linux kernel x86 boot executable, bzImage, version 2.4.31-IGS_V0.5a (james@Code_Server.linnet.net.tw) #1 Thu Aug 30 19:06:24 CST 2007, RO-rootFS, root_dev 0X305, Normal VGA, setup size 512*6, syssize 0x3b88, jump 0x230 0xe800040000000000 instruction, protocol 2.3 </code></pre><p>LILO has been customized by IGS. It shows “IGS Loader v2.0 Boot Menu 2007/04”, which indicates the base version is <code>lilo-22.8</code>.</p> <p>There’s nothing interesting to analyze here. Start extracting <code>vmlinux</code>. The kernel file is in <code>bzImage</code> format and needs to be decompressed.</p> <pre tabindex="0"><code>7z x ./SD2-OS-61P -okernel.decomped </code></pre><p>Next is standard kernel reversing. The first step is to determine the image base. There are many ways to do that; you can refer to my other posts.</p> <p>Here, after looking twice, you can basically guess it: <code>0xC0100000</code>.</p> <p>With the base configured correctly, IDA can automatically identify some xrefs; the rest needs manual recovery. IDA 9.0 changed some APIs, so I had to rewrite some scripts again.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_bytes</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_segment</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_funcs</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">ida_ida</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">find_and_make_function</span><span class="p">(</span><span class="n">start_ea</span><span class="p">,</span> <span class="n">end_ea</span><span class="p">,</span> <span class="n">pattern_str</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">image_base</span> <span class="o">=</span> <span class="n">idaapi</span><span class="o">.</span><span class="n">get_imagebase</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">pattern</span> <span class="o">=</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">compiled_binpat_vec_t</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">err</span> <span class="o">=</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">parse_binpat_str</span><span class="p">(</span><span class="n">pattern</span><span class="p">,</span> <span class="n">image_base</span><span class="p">,</span> <span class="n">pattern_str</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">err</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">current_ea</span> <span class="o">=</span> <span class="n">start_ea</span> </span></span><span class="line"><span class="cl"> <span class="n">found_count</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="n">current_ea</span> <span class="o">&lt;</span> <span class="n">end_ea</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">current_ea</span><span class="p">,</span> <span class="n">index</span> <span class="o">=</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">bin_search</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">current_ea</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">end_ea</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">pattern</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">BIN_SEARCH_FORWARD</span> <span class="o">|</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">BIN_SEARCH_NOSHOW</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">current_ea</span> <span class="o">==</span> <span class="n">ida_idaapi</span><span class="o">.</span><span class="n">BADADDR</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">current_ea</span> <span class="o">%</span> <span class="mi">4</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">current_ea</span> <span class="o">+=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">get_flags</span><span class="p">(</span><span class="n">current_ea</span><span class="p">)</span> <span class="o">&amp;</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">FF_CODE</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">idc</span><span class="o">.</span><span class="n">get_func_flags</span><span class="p">(</span><span class="n">current_ea</span><span class="p">)</span> <span class="o">!=</span> <span class="o">-</span><span class="mi">1</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">current_ea</span> <span class="o">+=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">seg</span> <span class="o">=</span> <span class="n">ida_segment</span><span class="o">.</span><span class="n">getseg</span><span class="p">(</span><span class="n">current_ea</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">seg</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">current_ea</span> <span class="o">+=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">ida_funcs</span><span class="o">.</span><span class="n">add_func</span><span class="p">(</span><span class="n">current_ea</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Create function failed at 0x</span><span class="si">{:X}</span><span class="s2">&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">current_ea</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">found_count</span> <span class="o">+=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">current_ea</span> <span class="o">+=</span> <span class="mi">4</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Search finished, </span><span class="si">{}</span><span class="s2"> functions created&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">found_count</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">find_and_make_function</span><span class="p">(</span><span class="mh">0xC0100000</span><span class="p">,</span> <span class="mh">0xC0508000</span><span class="p">,</span> <span class="s2">&#34;55 89 E5&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># You can define function entry opcodes based on your case</span> </span></span></code></pre></div><p>Of course, even at this point, not all xrefs are fully recognized. In the data segment, some strings and offsets are not recovered well either, but it doesn’t matter much. If you’re completely stuck, recovering those bits may lead to new discoveries.</p> <p>Next is to find an entry point for analysis. There’s honestly not much technical content here—I have many approaches, for example starting from filesystem characteristics. But writing everything out would be pedantic and unnecessary.</p> <p>We can confirm the kernel version is 2.4.31, and the IGS version is v1.0, not v0.5 as shown by the <code>bzImage</code> banner.</p> <p><img loading="lazy" src="igs_strings.png" alt="igs_strings"/></p> <p>From the following strings, we can determine which upstream filesystem versions correspond to IGS’s modified filesystems:</p> <ul> <li>rofs: cramfs</li> <li>shfs: squashfs 2.2</li> </ul> <p><img loading="lazy" src="rofs_strings.png" alt="rofs_strings"/></p> <p>Linux 2.4.31 does not include squashfs. So I directly looked for a squashfs patch. IGS’s modified SHFS is based on squashfs 2.2. <a href="https://master.dl.sourceforge.net/project/squashfs/OldFiles/squashfs2.2r2.tar.gz"target="_blank" rel="noopener noreferrer">https://master.dl.sourceforge.net/project/squashfs/OldFiles/squashfs2.2r2.tar.gz</a></p> <p>Linux 2.4 doesn’t support <code>kallsyms</code>, so symbols need to be recovered manually. Some functions like <code>printf</code>, <code>memcpy</code>, <code>str*</code> can be recognized quickly by eye, but I wanted to analyze the system boot process, so I needed to recover some kernel-specific symbols.</p> <p>For such old devices, cross-compiling on a modern Linux is not feasible. I installed a 32-bit CentOS 5.10 VM, built it successfully, and extracted <code>System.map</code> and <code>vmlinux</code>, making it easier to compare what parts were modified by IGS.</p> <p><img loading="lazy" src="symbols.png" alt="symbols"/></p> <p>For firmware where you can’t find a ramdisk or rootfs, the first step is definitely to locate <code>sys_mount</code> and the boot parameters in the kernel.</p> <pre tabindex="0"><code>root=/dev/hdc2 ro console=ttyS1,115200 sys_mount(&#34;/dev/hdc3&#34;, &#34;/PM2008v2&#34;, &#34;shfs&#34;, flag, data) sys_mount(&#34;/dev/hdc4&#34;, &#34;/PM2008v2/pm2_data&#34;, &#34;ext3&#34;, flag, data) </code></pre><p>From this, we can determine the rootfs should be partition 2, and the game data is in partition 3.</p> <p>The logic for mounting the ramdisk is located here:</p> <pre tabindex="0"><code>prepare_namespace -&gt;rd_load_disk -&gt;rd_load_image -&gt;identify_ramdisk_image </code></pre><p>Here we can confirm IGS supports ramdisks in squashfs and IGS ROFS formats, and we can also identify their magic numbers.</p> <p><img loading="lazy" src="identify_ramdisk_image.png" alt="identify_ramdisk_image"/></p> <p>I won’t record the full analysis process. They modified the FS header, which makes the analysis somewhat nasty 🤢.</p> <h2 id="extracting-the-filesystem">Extracting the filesystem</h2> <p>I analyzed the headers of three custom filesystems on the E2000 platform; the contents are as follows.</p> <h3 id="igs-shfs-v1-header">IGS SHFS V1 Header</h3> <pre tabindex="0"><code>struct squashfs_super_block_22_v1 { unsigned int s_magic; // 0xD4AA2682 unsigned int block_size_1:16; unsigned int block_log:16; unsigned int major_number; unsigned int minor_number; unsigned int inodes; unsigned int bytes_used; unsigned int uid_start; unsigned int guid_start; unsigned int inode_table_start; unsigned int directory_table_start; unsigned int flags:8; unsigned int no_uids:8; unsigned int no_guids:8; int mkfs_time /* time of filesystem creation */; squashfs_inode root_inode; unsigned int block_size; unsigned int fragments; unsigned int fragment_table_start; } __attribute__ ((packed)); </code></pre><h3 id="igs-shfs-v2-header">IGS SHFS V2 Header</h3> <p>Using Percussion Master 2008 as an example:</p> <pre tabindex="0"><code>struct squashfs_super_block_22_v2 { unsigned int s_magic; // 0xD4AA2682 char igs_info[64]; // banner unsigned int block_size_1:16; unsigned int block_log:16; unsigned int igs_fs_version_major; // 59 17 23 96 unsigned int igs_fs_version_minor; // E1 5D 70 00 unsigned int major_number; // 31 64 52 E5 unsigned int minor_number; // 92 2C 03 68 unsigned int inodes; unsigned int bytes_used; unsigned int uid_start; unsigned int guid_start; unsigned int inode_table_start; unsigned int directory_table_start; unsigned int flags:8; unsigned int no_uids:8; unsigned int no_guids:8; int mkfs_time /* time of filesystem creation */; squashfs_inode root_inode; unsigned int block_size; unsigned int fragments; unsigned int fragment_table_start; } __attribute__ ((packed)); </code></pre><h3 id="igs-rofs-v1-header">IGS ROFS V1 Header</h3> <pre tabindex="0"><code>struct cramfs_inode { unsigned int inode_magic; unsigned int namelen:6, offset:26; unsigned int size:24, gid:8; unsigned int mode:16, uid:16; }; struct cramfs_info { unsigned int crc; unsigned int edition; unsigned int blocks; unsigned int files; }; struct igs_rofs_super_block { unsigned int magic1; // 0x81006e6a unsigned int future; char igs_info[64]; unsigned int size; unsigned int magic2; // 0xD4AA2682 unsigned int flags; unsigned int padding; cramfs_info fsid; char name[64]; cramfs_inode root[2]; }; igs_rofs_super_block File; </code></pre><p>By porting the headers above into <code>cramfs-tools</code> and <code>squashfs-tools</code>, you can extract the filesystem perfectly, and you can also detect whether files are corrupted. I have uploaded the code to GitHub: <a href="https://github.com/gorgiaxx/igs-toolkits"target="_blank" rel="noopener noreferrer">https://github.com/gorgiaxx/igs-toolkits</a></p> <p>This version is not hard to extract, but the next version (E3000) introduces encryption.</p> <p><img loading="lazy" src="extracted_files.png" alt="extracted_files"/></p> <p>Player @novacosmic00 previously asked me to help extract files for GoGoBall. He said he had already decrypted files from other games, but GoGoBall was the only one he couldn’t decrypt. I tried extracting with my modified tools and found the file CRC was wrong, but most files could still be extracted.</p> <p>After I finished extracting the firmware and talked with @novacosmic00, I learned that someone had researched this two years ago and wrote extraction scripts.</p> <p><a href="https://github.com/batteryshark/igstools/tree/main/scripts"target="_blank" rel="noopener noreferrer">https://github.com/batteryshark/igstools/tree/main/scripts</a></p> <p>The author may have inferred the structs by analyzing filesystem contents and reverse-engineering address patterns. That’s also a valid approach, but the downside is that extracted files can be messy, and you can’t detect CRC errors.</p> <h2 id="shadow-">shadow-</h2> <p>The <code>shadow</code> file clears the root password by default.</p> <pre tabindex="0"><code>root:x:13130:0:99999:7::: test::13074:0:99999:7::: </code></pre><p>This is the original file:</p> <pre tabindex="0"><code>root:$1$qAw/5vcb$x9rPCAwLMdRBQXwlq1zG70:13130:0:99999:7::: test:$1$JjP1oLAJ$xilZIedv3S3jbs8oTZAad1:13074:0:99999:7::: </code></pre><h2 id="anti-cracking">Anti-cracking</h2> <p><code>/PM2008v2/PM2008v2</code> has stripped symbols, and from string patterns it also looks like a normal loader.</p> <p><img loading="lazy" src="pitch_symbols.png" alt="pitch_symbols"/></p> <p>But in reality, if you run it on your own computer, it will overwrite the first 512k of your partition with zeros. I actually ran it back then—thankfully I didn’t run as root, and my disk was NVMe. Who would have thought this 18-year-old game still had this trick 🙈. I had never touched this field before; apparently arcade anti-cracking often includes many “suicidal” logics.</p> <p><img loading="lazy" src="kill_disk.png" alt="kill_disk"/></p> <p>The next post will analyze the in-game protection mechanism.</p> <h1 id="references">References</h1> <p><a href="https://zh.moegirl.org.cn/Speed_Driver%E7%B3%BB%E5%88%97"target="_blank" rel="noopener noreferrer">Moegirl Wiki - Speed Driver series</a></p> <p><a href="https://github.com/shizmob/arcade-docs/"target="_blank" rel="noopener noreferrer">https://github.com/shizmob/arcade-docs/</a></p> https://gorgias.me/posts/vw-id4-vehicle-control-analysis/ Thu, 26 Dec 2024 22:04:11 +0800 https://gorgias.me/posts/vw-id4-vehicle-control-analysis/ <h2 id="preface">Preface</h2> <p>In 2021, while working at 360, I built a test bench for the VW ID.4. I was close to getting significant results—I had internal ODIS access and root privileges on ICAS3—but I was abruptly reassigned to build a demo vehicle during a business trip, which disrupted my follow-up plans. During that period, a combination of professional obligations and personal challenges forced me to pause the research.</p> <p>You could call this a &ldquo;regret project&rdquo;—an unfinished endeavor I wish I had completed. By coincidence, I revisited the vehicle control logic of the ID.4’s ICAS1 this past May. Another such project is CAN-Pick NG, which I partially wrote before shelving. I am unsure if I will be able to finish it in 2025.</p> <p>The ID.4 is based on Volkswagen’s MEB platform. Its EE (Electrical/Electronic) architecture features two primary domain controllers: ICAS1 and ICAS3. ICAS1 (J533) is responsible for body control.</p> <p>The figure below shows the location of J533 at position 13. By mounting a drive-by-wire module here, you can monitor and control body functions.</p> <p><img loading="lazy" src="./icas1.png" alt="icas1"/></p> <h2 id="in-vehicle-ecu-topology">In-Vehicle ECU Topology</h2> <ul> <li><strong>Classic CAN:</strong> 500 kbps</li> <li><strong>CAN-FD:</strong> Arbitration phase 500 kbps, Data phase 2 Mbps. (For CAN-FD analysis, ZLG devices are highly recommended).</li> </ul> <p>Analyzing the ELSA wiring diagrams and internal VW training materials revealed inconsistent bus naming. Reorganizing this information is necessary to derive the correct CAN topology.</p> <p>The J533 gateway manages a total of 9 CAN buses and 4 LIN buses (LIN is not utilized in this analysis). The key ECUs are as follows:</p> <ul> <li><strong>Running-Gear CAN (CAN-FD)</strong> <ul> <li>J104 - ABS</li> <li>J500 - EPS (Electric Power Steering control unit)</li> <li>NX6 - Brake Controller (Brake Booster)</li> </ul> </li> <li><strong>Powertrain CAN (CAN-FD)</strong> <ul> <li>J623 - Engine/Motor Control Module</li> <li>J841/J944 - Electric Drive Unit</li> <li>J234 - Airbag (Do not fuzz this; it is dangerous)</li> </ul> </li> <li><strong>Driver Assistance CAN (CAN-FAS) (CAN-FD)</strong> <ul> <li>J428 - Distance Control Unit</li> <li>J446 - Parking Radar Control Unit</li> <li>J769/J770 - Lane Change Assist Control Units</li> <li>J928 - Surround-View Camera Control Unit</li> </ul> </li> <li><strong>Convenience CAN (Classic)</strong> <ul> <li>J527 - Steering Column Electronics Control Module (Shift-by-wire module)</li> <li>J605 - Tailgate Control Unit</li> <li>J764 - Steering Column Lock</li> <li>&hellip;and other body controls</li> </ul> </li> <li><strong>CAN-EV (CAN-FD)</strong> <ul> <li>J979 - Heater and Air Conditioning Control Module</li> </ul> </li> </ul> <p><img loading="lazy" src="./topicdiagram.png" alt="topicdiagram"/></p> <h2 id="j533-connector-t40a-definition">J533 Connector T40a Definition</h2> <p>The following table details the T40a connector pinout.</p> <p><img loading="lazy" src="./T40a_datasheet.png" alt="T40a_datasheet"/></p> <p><img loading="lazy" src="./T40a.png" alt="T40a"/></p> <h2 id="bus-security-strategy">Bus Security Strategy</h2> <h3 id="gateway-isolation">Gateway Isolation</h3> <p>Multifunction steering wheel control signals originate on the Convenience CAN, but ECUs on the Chassis CAN can also observe them. However, the J533 gateway blocks any steering wheel control signals originating from the Chassis CAN, preventing them from reaching their target ECUs.</p> <h2 id="crc-check">CRC Check</h2> <p>Observing the CAN bus traffic reveals a pattern in most messages: the first byte appears random, while the second byte increments regularly. The first byte is the CRC (Cyclic Redundancy Check), and the second byte is a counter.</p> <h3 id="crc-seeds">CRC Seeds</h3> <p><strong>Reference:</strong> <a href="https://github.com/commaai/opendbc"target="_blank" rel="noopener noreferrer">OpenDBC github</a> <code>/opendbc/can/common.cc</code> <code>volkswagen_mqb_checksum</code></p> <p>While checksum seeds for the VW MQB platform are available, the ID.4 introduces many new CRC seeds. I reverse-engineered them and listed them below.</p> <p>Most control signals include both a CRC and a counter. ECUs typically skip CRC validation for non-critical functions (e.g., sunroof, windows, horn) but enforce it for safety-critical functions such as EPS, tailgate operation, and wipers.</p> <table> <thead> <tr> <th style="text-align: left">Signal</th> <th style="text-align: left">CAN ID</th> <th style="text-align: left">CRC Seed</th> </tr> </thead> <tbody> <tr> <td style="text-align: left">AAA_01</td> <td style="text-align: left">0x12DD5502</td> <td style="text-align: left">0x62,0x14,0x7c,0xa1,0x49,0x95,0x43,0x04,0x78,0x46,0x74,0x19,0x39,0x17,0x9f,0x1c</td> </tr> <tr> <td style="text-align: left">ACC_18</td> <td style="text-align: left">0x14D</td> <td style="text-align: left">0x1a,0x65,0x81,0x96,0xc0,0xdf,0x11,0x92,0xd3,0x61,0xc6,0x95,0x8c,0x29,0x21,0xb5</td> </tr> <tr> <td style="text-align: left">Airbag_01</td> <td style="text-align: left">0x040</td> <td style="text-align: left">0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40</td> </tr> <tr> <td style="text-align: left">Airbag_02</td> <td style="text-align: left">0x520</td> <td style="text-align: left">0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44</td> </tr> <tr> <td style="text-align: left">APS_Master</td> <td style="text-align: left">0x380</td> <td style="text-align: left">0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13,0x13</td> </tr> <tr> <td style="text-align: left">AWV_03</td> <td style="text-align: left">0x0DB</td> <td style="text-align: left">0x09,0xfa,0xca,0x8e,0x62,0xd5,0xd1,0xf0,0x31,0xa0,0xaf,0xda,0x4d,0x1a,0x0a,0x97</td> </tr> <tr> <td style="text-align: left">BEM_06</td> <td style="text-align: left">0x48B</td> <td style="text-align: left">0x54,0xaf,0x8a,0xfb,0x0d,0x87,0x6a,0x0f,0x47,0x78,0x31,0x4f,0x35,0x28,0x82,0x6d</td> </tr> <tr> <td style="text-align: left">Blinkmodi_02</td> <td style="text-align: left">0x366</td> <td style="text-align: left">0xa9,0xbd,0xfb,0x3c,0x95,0x0f,0x75,0x3a,0x4f,0x19,0x59,0x6d,0xb2,0xe9,0xd1,0x97</td> </tr> <tr> <td style="text-align: left">EA_01</td> <td style="text-align: left">0x1A4</td> <td style="text-align: left">0x69,0xbb,0x54,0xe6,0x4e,0x46,0x8d,0x7b,0xea,0x87,0xe9,0xb3,0x63,0xce,0xf8,0xbf</td> </tr> <tr> <td style="text-align: left">EA_02</td> <td style="text-align: left">0x1F0</td> <td style="text-align: left">0x2f,0x3c,0x22,0x60,0x18,0xeb,0x63,0x76,0xc5,0x91,0x0f,0x27,0x34,0x04,0x7f,0x02</td> </tr> <tr> <td style="text-align: left">ELV_01</td> <td style="text-align: left">0x656</td> <td style="text-align: left">0xab,0x2f,0xd3,0x39,0x6f,0x37,0xfa,0x59,0xa4,0x70,0xce,0x11,0x54,0x82,0x62,0x56</td> </tr> <tr> <td style="text-align: left">EM1_01</td> <td style="text-align: left">0x0C0</td> <td style="text-align: left">0x2f,0x44,0x72,0xd3,0x07,0xf2,0x39,0x09,0x8d,0x6f,0x57,0x20,0x37,0xf9,0x9b,0xfa</td> </tr> <tr> <td style="text-align: left">EML_02</td> <td style="text-align: left">0x1A555541</td> <td style="text-align: left">0x3e,0xb4,0x25,0xc1,0x31,0x1f,0xf1,0xd7,0xb1,0xbe,0xcc,0xe0,0x0f,0x46,0x51,0xb2</td> </tr> <tr> <td style="text-align: left">EML_06</td> <td style="text-align: left">0x20A</td> <td style="text-align: left">0x9d,0xe8,0x36,0xa1,0xca,0x3b,0x1d,0x33,0xe0,0xd5,0xbb,0x5f,0xae,0x3c,0x31,0x9f</td> </tr> <tr> <td style="text-align: left">ESC_50</td> <td style="text-align: left">0x102</td> <td style="text-align: left">0xd7,0x12,0x85,0x7e,0x0b,0x34,0xfa,0x16,0x7a,0x25,0x2d,0x8f,0x04,0x8e,0x5d,0x35</td> </tr> <tr> <td style="text-align: left">ESC_51</td> <td style="text-align: left">0x0FC</td> <td style="text-align: left">0x77,0x5c,0xa0,0x89,0x4b,0x7c,0xbb,0xd6,0x1f,0x6c,0x4f,0xf6,0x20,0x2b,0x43,0xdd</td> </tr> <tr> <td style="text-align: left">ESP_10</td> <td style="text-align: left">0x116</td> <td style="text-align: left">0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac,0xac</td> </tr> <tr> <td style="text-align: left">ESP_20</td> <td style="text-align: left">0x65D</td> <td style="text-align: left">0xac,0xb3,0xab,0xeb,0x7a,0xe1,0x3b,0xf7,0x73,0xba,0x7c,0x9e,0x06,0x5f,0x02,0xd9</td> </tr> <tr> <td style="text-align: left">ESP_21</td> <td style="text-align: left">0x0FD</td> <td style="text-align: left">0xb4,0xef,0xf8,0x49,0x1e,0xe5,0xc2,0xc0,0x97,0x19,0x3c,0xc9,0xf1,0x98,0xd6,0x61</td> </tr> <tr> <td style="text-align: left">ESP_24</td> <td style="text-align: left">0x31B</td> <td style="text-align: left">0x67,0x8a,0xae,0x22,0x4d,0xd0,0x51,0x80,0x5c,0xb9,0xce,0x1e,0xdf,0x02,0x2d,0xd4</td> </tr> <tr> <td style="text-align: left">Getriebe_11</td> <td style="text-align: left">0x0AD</td> <td style="text-align: left">0x3f,0x69,0x39,0xdc,0x94,0xf9,0x14,0x64,0xd8,0x6a,0x34,0xce,0xa2,0x55,0xb5,0x2c</td> </tr> <tr> <td style="text-align: left">GRA_ACC_01</td> <td style="text-align: left">0x12B</td> <td style="text-align: left">0x6a,0x38,0xb4,0x27,0x22,0xef,0xe1,0xbb,0xf8,0x80,0x84,0x49,0xc7,0x9e,0x1e,0x2b</td> </tr> <tr> <td style="text-align: left">HCA_01</td> <td style="text-align: left">0x126</td> <td style="text-align: left">0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda,0xda</td> </tr> <tr> <td style="text-align: left">HVL_01</td> <td style="text-align: left">0x12DD553D</td> <td style="text-align: left">0x1d,0x82,0x7b,0x79,0xa5,0xee,0x3a,0xb9,0xb7,0xf9,0xe4,0x67,0x7f,0x97,0x11,0xad</td> </tr> <tr> <td style="text-align: left">IPA_01</td> <td style="text-align: left">0x138</td> <td style="text-align: left">0x77,0x4e,0x14,0x87,0xf2,0xf8,0xb2,0x61,0xf6,0xa4,0x52,0x94,0xd4,0x81,0x2a,0xb1</td> </tr> <tr> <td style="text-align: left">IPA_02</td> <td style="text-align: left">0x16A9545F</td> <td style="text-align: left">0xc6,0x7f,0x85,0xb6,0xe6,0xae,0xf8,0x26,0xb0,0x8c,0x19,0x10,0x5b,0x33,0x64,0x6c</td> </tr> <tr> <td style="text-align: left">Klemmen_Status_01</td> <td style="text-align: left">0x3C0</td> <td style="text-align: left">0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3,0xc3</td> </tr> <tr> <td style="text-align: left">LH_EPS_02</td> <td style="text-align: left">0x11D</td> <td style="text-align: left">0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c,0x1c</td> </tr> <tr> <td style="text-align: left">LH_EPS_03</td> <td style="text-align: left">0x09F</td> <td style="text-align: left">0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5,0xf5</td> </tr> <tr> <td style="text-align: left">Licht_Anf_01</td> <td style="text-align: left">0x3D5</td> <td style="text-align: left">0xc5,0x39,0xc7,0xf9,0x92,0xd8,0x24,0xce,0xf1,0xb5,0x7a,0xc4,0xbc,0x60,0xe3,0xd1</td> </tr> <tr> <td style="text-align: left">LWI_01</td> <td style="text-align: left">0x086</td> <td style="text-align: left">0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86,0x86</td> </tr> <tr> <td style="text-align: left">Motor_14</td> <td style="text-align: left">0x3BE</td> <td style="text-align: left">0x1f,0x28,0xc6,0x85,0xe6,0xf8,0xb0,0x19,0x5b,0x64,0x35,0x21,0xe4,0xf7,0x9c,0x24</td> </tr> <tr> <td style="text-align: left">Motor_51</td> <td style="text-align: left">0x10B</td> <td style="text-align: left">0x77,0x5c,0xa0,0x89,0x4b,0x7c,0xbb,0xd6,0x1f,0x6c,0x4f,0xf6,0x20,0x2b,0x43,0xdd</td> </tr> <tr> <td style="text-align: left">Motor_54</td> <td style="text-align: left">0x14C</td> <td style="text-align: left">0x16,0x35,0x59,0x15,0x9a,0x2a,0x97,0xb8,0x0e,0x4e,0x30,0xcc,0xb3,0x07,0x01,0xad</td> </tr> <tr> <td style="text-align: left">Motor_Code_01</td> <td style="text-align: left">0x641</td> <td style="text-align: left">0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47</td> </tr> <tr> <td style="text-align: left">Parken_01</td> <td style="text-align: left">0x206</td> <td style="text-align: left">0x09,0xfa,0xca,0x8e,0x62,0xd5,0xd1,0xf0,0x31,0xa0,0xaf,0xda,0x4d,0x1a,0x0a,0x97</td> </tr> <tr> <td style="text-align: left">PLA_04</td> <td style="text-align: left">0x407</td> <td style="text-align: left">0xef,0x60,0x04,0xa8,0x0c,0x1c,0xda,0x07,0x36,0xd7,0x28,0x92,0xa9,0x88,0x2c,0x4a</td> </tr> <tr> <td style="text-align: left">QFK_01</td> <td style="text-align: left">0x13D</td> <td style="text-align: left">0x20,0xca,0x68,0xd5,0x1b,0x31,0xe2,0xda,0x08,0x0a,0xd4,0xde,0x9c,0xe4,0x35,0x5b</td> </tr> <tr> <td style="text-align: left">RCTA_01</td> <td style="text-align: left">0x2B7</td> <td style="text-align: left">0x5e,0xc7,0x04,0x11,0x4d,0x27,0x0d,0x31,0x91,0xb8,0x62,0x76,0x64,0x09,0xeb,0xec</td> </tr> <tr> <td style="text-align: left">SAL_01</td> <td style="text-align: left">0x12DD54C9</td> <td style="text-align: left">0xde,0xa9,0x83,0x0b,0x0c,0x64,0x79,0x44,0x0f,0xf6,0xc6,0xc7,0x05,0x45,0xb7,0x59</td> </tr> <tr> <td style="text-align: left">SAM_01</td> <td style="text-align: left">0x205</td> <td style="text-align: left">0x19,0x36,0xd4,0x1e,0x80,0x22,0xf4,0xb8,0xad,0x41,0x0b,0x3f,0x87,0x42,0x25,0x40</td> </tr> <tr> <td style="text-align: left">SMLS_01</td> <td style="text-align: left">0x3D4</td> <td style="text-align: left">0xc3,0x79,0xbf,0xdb,0xe9,0x11,0x46,0x86,0x69,0xb6,0x9b,0x29,0x15,0x9c,0x45,0x0d</td> </tr> <tr> <td style="text-align: left">TA_01</td> <td style="text-align: left">0x26B</td> <td style="text-align: left">0xce,0xcc,0xbd,0x69,0xa1,0x3c,0x18,0x76,0x0f,0x04,0xf2,0x3a,0x93,0x24,0x19,0x51</td> </tr> <tr> <td style="text-align: left">TSG_FT_02</td> <td style="text-align: left">0x3E5</td> <td style="text-align: left">0xc4,0x6a,0x69,0x30,0xcf,0x61,0x58,0x51,0x1b,0x86,0x99,0xd3,0xf6,0x1d,0x9a,0x37</td> </tr> <tr> <td style="text-align: left">VMM_01</td> <td style="text-align: left">0x105</td> <td style="text-align: left">0xde,0x0e,0xa7,0x1d,0xc3,0x83,0xbd,0x82,0x8c,0xa2,0x0c,0x7b,0x4d,0x3c,0x58,0x79</td> </tr> <tr> <td style="text-align: left">VMM_02</td> <td style="text-align: left">0x139</td> <td style="text-align: left">0xed,0x03,0x1c,0x13,0xc6,0x23,0x78,0x7a,0x8b,0x40,0x14,0x51,0xbf,0x68,0x32,0xba</td> </tr> </tbody> </table> <h3 id="crc-algorithm">CRC Algorithm</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="n">MEB_Kennungsfolge</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># LWI_01 Steering Angle</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x86</span><span class="p">:</span> <span class="p">[</span><span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="c1"># LH_EPS_03 Electric Power Steering</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x9F</span><span class="p">:</span> <span class="p">[</span><span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="c1"># HCA_01 Heading Control Assist</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x126</span><span class="p">:</span> <span class="p">[</span><span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="c1"># GRA_ACC_01 Steering wheel controls for ACC</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x12B</span><span class="p">:</span> <span class="p">[</span><span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0xBB</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">gen_crc_lookup_table_8</span><span class="p">(</span><span class="n">poly</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">crc_lut</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">*</span> <span class="mi">256</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">256</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">=</span> <span class="n">i</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">8</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">crc</span> <span class="o">&amp;</span> <span class="mh">0x80</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">=</span> <span class="p">(</span><span class="n">crc</span> <span class="o">&lt;&lt;</span> <span class="mi">1</span><span class="p">)</span> <span class="o">^</span> <span class="n">poly</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">&lt;&lt;=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="n">crc_lut</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="n">crc</span> <span class="o">&amp;</span> <span class="mh">0xFF</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">crc_lut</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">volkswagen_mqb_checksum</span><span class="p">(</span><span class="n">address</span><span class="p">,</span> <span class="n">data</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">crc8_lut_8h2f</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">=</span> <span class="mh">0xFF</span> <span class="c1"># CRC8 8H2F/AUTOSAR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">)):</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">=</span> <span class="n">crc</span> <span class="o">^</span> <span class="n">data</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="c1"># print(hex(crc), hex(i))</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">=</span> <span class="n">crc8_lut_8h2f</span><span class="p">[</span><span class="n">crc</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">counter</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0x0F</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">address</span> <span class="ow">in</span> <span class="n">MEB_Kennungsfolge</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">^=</span> <span class="n">MEB_Kennungsfolge</span><span class="p">[</span><span class="n">address</span><span class="p">][</span><span class="n">counter</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># No validation required</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">^=</span> <span class="p">[</span><span class="mh">0x00</span><span class="p">]</span> <span class="o">*</span> <span class="mi">16</span> <span class="c1"># Return all 0s by default</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">=</span> <span class="n">crc8_lut_8h2f</span><span class="p">[</span><span class="n">crc</span><span class="p">]</span> <span class="c1"># Standard CRC8 8H2F/AUTOSAR final XOR</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">crc</span> <span class="o">^</span> <span class="mh">0xFF</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">can_id</span> <span class="o">=</span> <span class="mh">0x126</span> </span></span><span class="line"><span class="cl"><span class="n">data</span> <span class="o">=</span> <span class="nb">bytearray</span><span class="p">(</span><span class="nb">bytes</span><span class="p">(</span><span class="mi">8</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="n">crc8_lut_8h2f</span> <span class="o">=</span> <span class="n">gen_crc_lookup_table_8</span><span class="p">(</span><span class="mh">0x2f</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">crc</span> <span class="o">=</span> <span class="n">volkswagen_mqb_checksum</span><span class="p">(</span><span class="n">can_id</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">data</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="n">crc</span> </span></span></code></pre></div><h2 id="can-signals">CAN Signals</h2> <p>The Convenience CAN carries the signal traffic listed below. It allows for state monitoring and control of most body functions, including HVAC, front/rear lights, horn, wipers, windows, door locks, and various vehicle status updates.</p> <pre tabindex="0"><code>0x12B GRA_ACC_01 Adaptive Cruise Control (GRA/ACC) 0x1F0 EA_02 Emergency Assist 0x205 SAM_01 Switches and Execution Module 0x2B7 RCTA_01 Rear Cross Traffic Alert 0x31B ESP_24 0x366 Blinkmodi_02 Blinking Mode (Turn Signals) 0x397 LDW_02 Lane Departure Warning System 0x3BE Motor_14 Motor Control 0x3C0 Klemmen_Status_01 Terminal Status (Clamp Status) 0x3CE TSG_HFS_01 Rear Door Window Function System (Left?) 0x3CF TSG_HBFS_01 Rear Door Window Function System (Right?) 0x3D0 TSG_FT_01 Front Door Function System 0x3D4 SMLS_01 Steering Column Switch Module 0x3D5 Licht_Anf_01 Light Request 0x3D6 Licht_hinten_01 Rear Light Status 0x3DC Gateway_73 Gateway Info (System alerts, safety warnings, fault diagnosis, signal updates) 0x48B BEM_06 Low Voltage Energy Management 0x520 Airbag_02 Airbag 2 0x551 WFS_01 Immobilizer 0x582 HDSG_01 Trunk Management Status 0x583 ZV_02 Central Locking System 0x585 Systeminfo_01 Diagnostic and Production Mode Settings 0x592 Kessy_04 Smart Key System (Kessy) / Remote Parking Status/Control 0x5A0 RLS_01 Light and Rain Sensor 0x5A7 TM_01 Telematics 0x5F0 Dimmung_01 Dimming 0x5F4 Innenlicht_11 Interior Lighting 0x641 Motor_Code_01 Motor Coding 0x643 Einheiten_01 Unit Settings 0x656 ELV_01 Electronic Steering Column Lock 0x658 Licht_vorne_01 Front Light Status 0x65D ESP_20 0x668 Klima_12 Air Conditioning System 0x670 Motor_18 0x6AE Spiegel_01 Mirrors 0x6AF Rear_View_01 Rear View Camera 0x6B2 Diagnose_01 0x6B4 VIN_01 0x12DD54C9 SAL_01 Lighting Module </code></pre><h2 id="other-signals">Other Signals</h2> <p>While the DBC has been analyzed, it is not currently published.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">0x184 </span></span><span class="line"><span class="cl">1. Lock Vehicle </span></span><span class="line"><span class="cl"> 1. Byte 2: Mirror Open (0x20 Open) </span></span><span class="line"><span class="cl"> 2. Byte 3: Mirror Close (0x40 Close) </span></span><span class="line"><span class="cl">2. Windows </span></span><span class="line"><span class="cl"> 1. Byte 6: Window Control - 04 Front Left Down, 02 Front Left Up, 40 Rear Left Down, 08 Front Right Up, 10 Front Right Down </span></span><span class="line"><span class="cl"> 2. Byte 7: 01 Rear Right Down </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">0x185 </span></span><span class="line"><span class="cl">1. Window Control (10, 20 Up; 40, 80 Down) </span></span><span class="line"><span class="cl"> 1. Byte 1: Front Row </span></span><span class="line"><span class="cl"> 2. Byte 2: Rear Row </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">0x598 </span></span><span class="line"><span class="cl">1. Sunroof Control </span></span><span class="line"><span class="cl"> 1. Byte 3: 0x20 None, 0x21 Tap, 0x22 Slide, 0x25 Long Press </span></span><span class="line"><span class="cl"> 2. Byte 7: 04 Close Once, 08 Close Cont., 0C Open Once, 10 Open Cont., 14/1C Others </span></span></code></pre></div><h2 id="steering-control">Steering Control</h2> <p>The vehicle must be in Gear D/B or R. The following five signals can be used to control the steering wheel:</p> <ul> <li><strong>LWI_01:</strong> Steering Angle Sensor</li> <li><strong>LH_EPS_03:</strong> Electric Power Steering (Steering Assist)</li> <li><strong>HCA_01:</strong> Heading Control Assist</li> <li><strong>GRA_ACC_01:</strong> Adaptive Cruise Control</li> <li><strong>PLA_05:</strong> Park Lane Assist</li> </ul> <p><strong>Notes:</strong></p> <ul> <li>Combining signals 0x86, 0x9f, 0x126, 0x12b, and 0x302 on the <strong>CAN-FAS</strong> bus allows for parking steering actuation.</li> <li>Combining signals 0x86, 0x9f, and 0x302 on the <strong>Gear-Running CAN</strong> can also actuate the steering wheel.</li> <li>Both 0x9f (LH_EPS_03) and 0x302 (PLA_05) can directly control the steering wheel.</li> <li>Since 0x302 (PLA_05) lacks a CRC check, it offers a simpler method for steering control compared to 0x9f.</li> </ul> <h3 id="demo">DEMO</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">create_pla_control</span><span class="p">(</span><span class="n">sendestatus</span><span class="p">,</span> <span class="n">positive</span><span class="p">,</span> <span class="n">degree</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="nb">bytearray</span><span class="p">(</span><span class="nb">bytes</span><span class="p">(</span><span class="mi">24</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x40</span> </span></span><span class="line"><span class="cl"> <span class="c1"># PLA_QFK_Spuerb</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xFA</span> </span></span><span class="line"><span class="cl"> <span class="c1"># PLA_QFK_KruemmSoll</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="n">degree</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="mi">15</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># PLA_QFK_KruemmSoll_VZ</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">positive</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">47</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">47</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># PLA_05_Sendestatus</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">sendestatus</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">74</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">74</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">data</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">hca_01_counter</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="n">degree</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">20</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="c1"># data = create_steering_control(10 * i, 1)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># meb_can_send(0x126, 0.1, data)</span> </span></span><span class="line"><span class="cl"> <span class="n">degree</span> <span class="o">+=</span> <span class="mh">0x10</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">create_pla_control</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="n">degree</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">can_send</span><span class="p">(</span><span class="mh">0x302</span><span class="p">,</span> <span class="mf">0.1</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span></code></pre></div><h3 id="rpi-can-hat">RPi CAN HAT</h3> <p>This steering control demo only makes the steering wheel move. To implement true remote driving, you need a solid understanding of vehicle dynamics and must design a proper control algorithm.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">can</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">time</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">can0</span> <span class="o">=</span> <span class="n">can</span><span class="o">.</span><span class="n">interface</span><span class="o">.</span><span class="n">Bus</span><span class="p">(</span><span class="n">channel</span> <span class="o">=</span> <span class="s1">&#39;can0&#39;</span><span class="p">,</span> <span class="n">bustype</span> <span class="o">=</span> <span class="s1">&#39;socketcan&#39;</span><span class="p">,</span> <span class="n">fd</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span> <span class="n">bitrate</span><span class="o">=</span><span class="mi">500000</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># msg = can.Message(is_extended_id=False, arbitration_id=0x123, data=[0, 1, 2, 3, 4, 5, 6, 7])</span> </span></span><span class="line"><span class="cl"><span class="c1"># can0.send(msg)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">MEB_Kennungsfolge</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># LWI_01 Steering Angle</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x86</span><span class="p">:</span> <span class="p">[</span><span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">,</span> <span class="mh">0x86</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="c1"># LH_EPS_03 Electric Power Steering</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x9F</span><span class="p">:</span> <span class="p">[</span><span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">,</span> <span class="mh">0xF5</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="c1"># HCA_01 Heading Control Assist</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x126</span><span class="p">:</span> <span class="p">[</span><span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">,</span> <span class="mh">0xDA</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="c1"># GRA_ACC_01 Steering wheel controls for ACC</span> </span></span><span class="line"><span class="cl"> <span class="mh">0x12B</span><span class="p">:</span> <span class="p">[</span><span class="mh">0x6A</span><span class="p">,</span> <span class="mh">0x38</span><span class="p">,</span> <span class="mh">0xB4</span><span class="p">,</span> <span class="mh">0x27</span><span class="p">,</span> <span class="mh">0x22</span><span class="p">,</span> <span class="mh">0xEF</span><span class="p">,</span> <span class="mh">0xE1</span><span class="p">,</span> <span class="mh">0xBB</span><span class="p">,</span> <span class="mh">0xF8</span><span class="p">,</span> <span class="mh">0x80</span><span class="p">,</span> <span class="mh">0x84</span><span class="p">,</span> <span class="mh">0x49</span><span class="p">,</span> <span class="mh">0xC7</span><span class="p">,</span> <span class="mh">0x9E</span><span class="p">,</span> <span class="mh">0x1E</span><span class="p">,</span> <span class="mh">0x2B</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">volkswagen_mqb_checksum</span><span class="p">(</span><span class="n">address</span><span class="p">,</span> <span class="n">data</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">crc8_lut_8h2f</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">=</span> <span class="mh">0xFF</span> <span class="c1"># CRC8 8H2F/AUTOSAR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">)):</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">=</span> <span class="n">crc</span> <span class="o">^</span> <span class="n">data</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="c1"># print(hex(crc), hex(i))</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">=</span> <span class="n">crc8_lut_8h2f</span><span class="p">[</span><span class="n">crc</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">counter</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0x0F</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">address</span> <span class="ow">in</span> <span class="n">MEB_Kennungsfolge</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">^=</span> <span class="n">MEB_Kennungsfolge</span><span class="p">[</span><span class="n">address</span><span class="p">][</span><span class="n">counter</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Attempt to CRC check undefined Volkswagen message 0x</span><span class="si">%02X</span><span class="s2">&#34;</span> <span class="o">%</span> <span class="n">address</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">^=</span> <span class="p">[</span><span class="mh">0x00</span><span class="p">]</span> <span class="o">*</span> <span class="mi">16</span> <span class="c1"># Return all 0s by default</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">=</span> <span class="n">crc8_lut_8h2f</span><span class="p">[</span><span class="n">crc</span><span class="p">]</span> <span class="c1"># Standard CRC8 8H2F/AUTOSAR final XOR</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">crc</span> <span class="o">^</span> <span class="mh">0xFF</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">gen_crc_lookup_table_8</span><span class="p">(</span><span class="n">poly</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">crc_lut</span> <span class="o">=</span> <span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">*</span> <span class="mi">256</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">256</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">=</span> <span class="n">i</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">8</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">crc</span> <span class="o">&amp;</span> <span class="mh">0x80</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">=</span> <span class="p">(</span><span class="n">crc</span> <span class="o">&lt;&lt;</span> <span class="mi">1</span><span class="p">)</span> <span class="o">^</span> <span class="n">poly</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">&lt;&lt;=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="n">crc_lut</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="n">crc</span> <span class="o">&amp;</span> <span class="mh">0xFF</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">crc_lut</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">meb_can_send</span><span class="p">(</span><span class="n">can_id</span><span class="p">,</span> <span class="n">interval</span><span class="p">,</span> <span class="n">data</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">global</span> <span class="n">hca_01_counter</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">|</span> <span class="n">hca_01_counter</span> </span></span><span class="line"><span class="cl"> <span class="n">crc</span> <span class="o">=</span> <span class="n">volkswagen_mqb_checksum</span><span class="p">(</span><span class="n">can_id</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="n">crc</span> </span></span><span class="line"><span class="cl"> <span class="n">hca_01_counter</span> <span class="o">+=</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="n">data</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="nb">hex</span><span class="p">(</span><span class="n">j</span><span class="p">),</span> <span class="n">end</span><span class="o">=</span><span class="s2">&#34;, &#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">time</span><span class="o">.</span><span class="n">sleep</span><span class="p">(</span><span class="n">interval</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">msg</span> <span class="o">=</span> <span class="n">can</span><span class="o">.</span><span class="n">Message</span><span class="p">(</span><span class="n">is_extended_id</span><span class="o">=</span><span class="kc">False</span><span class="p">,</span> <span class="n">arbitration_id</span><span class="o">=</span><span class="n">can_id</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">data</span><span class="p">,</span> <span class="n">is_fd</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">can0</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">can_send</span><span class="p">(</span><span class="n">can_id</span><span class="p">,</span> <span class="n">interval</span><span class="p">,</span> <span class="n">data</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">time</span><span class="o">.</span><span class="n">sleep</span><span class="p">(</span><span class="n">interval</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">msg</span> <span class="o">=</span> <span class="n">can</span><span class="o">.</span><span class="n">Message</span><span class="p">(</span><span class="n">is_extended_id</span><span class="o">=</span><span class="kc">False</span><span class="p">,</span> <span class="n">arbitration_id</span><span class="o">=</span><span class="n">can_id</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">data</span><span class="p">,</span> <span class="n">is_fd</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">can0</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">crc8_lut_8h2f</span> <span class="o">=</span> <span class="n">gen_crc_lookup_table_8</span><span class="p">(</span><span class="mh">0x2f</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="n">value</span><span class="p">,</span> <span class="n">start_pos</span><span class="p">,</span> <span class="n">value_length</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">end_pos</span> <span class="o">=</span> <span class="n">start_pos</span> <span class="o">+</span> <span class="n">value_length</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">bit_index</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="n">start_pos</span><span class="p">,</span> <span class="n">end_pos</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">byte_index</span> <span class="o">=</span> <span class="n">bit_index</span> <span class="o">//</span> <span class="mi">8</span> </span></span><span class="line"><span class="cl"> <span class="n">bit_offset</span> <span class="o">=</span> <span class="n">bit_index</span> <span class="o">%</span> <span class="mi">8</span> </span></span><span class="line"><span class="cl"> <span class="n">bit_value</span> <span class="o">=</span> <span class="p">(</span><span class="n">value</span> <span class="o">&gt;&gt;</span> <span class="p">(</span><span class="n">bit_index</span> <span class="o">-</span> <span class="n">start_pos</span><span class="p">))</span> <span class="o">&amp;</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="c1"># print(&#34;\n&#34;)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># print(&#34;index&#34;, bit_index, start_pos, end_pos, &#34;byte_index:&#34;, byte_index, &#34;bit_offset:&#34;, bit_offset, &#34;v:&#34;, bit_value)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">bit_value</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span><span class="p">[</span><span class="n">byte_index</span><span class="p">]</span> <span class="o">|=</span> <span class="mi">1</span> <span class="o">&lt;&lt;</span> <span class="n">bit_offset</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span><span class="p">[</span><span class="n">byte_index</span><span class="p">]</span> <span class="o">&amp;=</span> <span class="o">~</span><span class="p">(</span><span class="mi">1</span> <span class="o">&lt;&lt;</span> <span class="n">bit_offset</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># for i in data:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># print(bin(i), end=&#34;,&#34;)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">data</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">set_bit</span><span class="p">(</span><span class="n">b</span><span class="p">,</span> <span class="n">bit</span><span class="p">,</span> <span class="n">bit_index</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">bit_index</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="ow">or</span> <span class="n">bit_index</span> <span class="o">&gt;</span> <span class="mi">7</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">raise</span> <span class="ne">ValueError</span><span class="p">(</span><span class="s2">&#34;bit_index must be between 0 and 7&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">mask</span> <span class="o">=</span> <span class="mi">1</span> <span class="o">&lt;&lt;</span> <span class="n">bit_index</span> </span></span><span class="line"><span class="cl"> <span class="n">flipped_byte</span> <span class="o">=</span> <span class="n">b</span> <span class="o">^</span> <span class="n">mask</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">flipped_byte</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">create_steering_control</span><span class="p">(</span><span class="n">apply_steer</span><span class="p">,</span> <span class="n">lkas_enabled</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="nb">bytearray</span><span class="p">(</span><span class="nb">bytes</span><span class="p">(</span><span class="mi">8</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">lkas_enabled</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># HCA_01_Sendestatus</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># HCA_01_Status_HCA</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="mi">4</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="c1"># HCA_01_Sendestatus</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># HCA_01_Status_HCA</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="mi">4</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># HCA_01_LM_Offset</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;create_steering_control&#34;</span><span class="p">,</span> <span class="n">apply_steer</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="nb">abs</span><span class="p">(</span><span class="n">apply_steer</span><span class="p">),</span> <span class="mi">16</span><span class="p">,</span> <span class="mi">9</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># HCA_01_LM_OffSign</span> </span></span><span class="line"><span class="cl"> <span class="n">v</span> <span class="o">=</span> <span class="mi">1</span> <span class="k">if</span> <span class="n">apply_steer</span> <span class="o">&lt;</span> <span class="mi">0</span> <span class="k">else</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="n">v</span><span class="p">,</span> <span class="mi">31</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># HCA_01_Vib_Freq</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">4</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># HCA_01_Vib_Amp</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">36</span><span class="p">,</span> <span class="mi">4</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">data</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">create_pla_control</span><span class="p">(</span><span class="n">sendestatus</span><span class="p">,</span> <span class="n">positive</span><span class="p">,</span> <span class="n">degree</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="nb">bytearray</span><span class="p">(</span><span class="nb">bytes</span><span class="p">(</span><span class="mi">24</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x40</span> </span></span><span class="line"><span class="cl"> <span class="c1"># PLA_QFK_Spuerb</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xFA</span> </span></span><span class="line"><span class="cl"> <span class="c1"># PLA_QFK_KruemmSoll</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="n">degree</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="mi">15</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># PLA_QFK_KruemmSoll_VZ</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">positive</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">47</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">47</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># PLA_05_Sendestatus</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">sendestatus</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">74</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">set_value</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">74</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">data</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">hca_01_counter</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="n">degree</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">20</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="c1"># data = create_steering_control(10 * i, 1)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># meb_can_send(0x126, 0.1, data)</span> </span></span><span class="line"><span class="cl"> <span class="n">degree</span> <span class="o">+=</span> <span class="mh">0x10</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">create_pla_control</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="n">degree</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">can_send</span><span class="p">(</span><span class="mh">0x302</span><span class="p">,</span> <span class="mf">0.1</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span></code></pre></div><h2 id="notes">Notes</h2> <ol> <li><strong>Ensure the CAN bus enters sleep mode before leaving the vehicle</strong>; otherwise, it may drain the battery considerably.</li> <li><strong>Do not fuzz the Powertrain and Running Gear CAN buses.</strong> This poses a direct risk of physical injury and may trigger abnormal ECU behavior or introduce hidden hazards (e.g., turn signal failure, mirrors not unfolding).</li> </ol> https://gorgias.me/posts/qnx7-password-hash-analysis-and-hashcat-module/ Thu, 14 Sep 2023 22:04:11 +0800 https://gorgias.me/posts/qnx7-password-hash-analysis-and-hashcat-module/ <h2 id="preface">Preface</h2> <p>Back in 2021, while attempting to crack QNX hashes, I discovered that Hashcat lacked support for QNX 6.6.0. Although there was an existing issue requesting this feature, I was too occupied to implement it at the time.</p> <p>It wasn&rsquo;t until the grueling &ldquo;solo&rdquo; phase of the MIIT vehicle-to-everything (V2X) offensive/defensive exercise in September 2023 that I encountered QNX 7 hashes. Surprisingly, after all these years, support was still missing.</p> <p>To avoid facing this same roadblock in the future, I dedicated some time to studying the QNX libraries and Hashcat&rsquo;s architecture. I also took a few detours along the way while developing the Hashcat module.</p> <p><img loading="lazy" src="qnxhash.png" alt="qnxhash.png"/></p> <h2 id="qnx-etcshadow-hash-algorithm-analysis">QNX <code>/etc/shadow</code> hash algorithm analysis</h2> <p>According to the official documentation <a href="https://www.qnx.com/developers/docs/7.0.0/index.html#com.qnx.doc.neutrino.user_guide/topic/accounts_etc_shadow.html"target="_blank" rel="noopener noreferrer">QNX 700 docs: accounts_etc_shadow</a>, the hash format is:</p> <pre tabindex="0"><code>@digest@hash@salt @digest,iterations@hash@salt </code></pre><p>The hash uses <code>@</code> as a delimiter. Uppercase <code>S</code> indicates SHA-512, while lowercase <code>s</code> refers to SHA-256. If a comma followed by a number is present, it specifies the iteration count. This is followed by the Base64-encoded hash and the Base64-encoded salt.</p> <p>Reading the official documentation, it seemed deceptively simple. My initial thought, looking at Hashcat&rsquo;s QNX 6 module (<code>-m 19200</code>), was whether I could simply adjust the iteration count and format.</p> <p>I attempted to clone the QNX 6 module to minimize effort, but after adapting it to match the documented format, the Hashcat self-tests repeatedly failed. Analyzing <code>/src/OpenCL/m19200.cl</code>, I noticed it referenced code from John the Ripper and contained some inelegant hacks. Suspecting bugs in the OpenCL code, I decided to analyze how QNX 7 actually generates its hashes.</p> <p>The hash generation logic is in <code>/usr/lib/pam.qnx.so</code>.</p> <p>After analyzing the logic and comparing it with <code>m19200.cl</code>, I discovered the issue: the round logic in the old OpenCL code was incorrect. The first round performed a SHA calculation on <code>salt || password</code>, but the resulting digest wasn&rsquo;t XORed with the previous result as expected. It wasn&rsquo;t just a simple Base64 encoding issue.</p> <p><img loading="lazy" src="pam_qnx.png" alt="pam_qnx.png"/></p> <p>In reality, the new hash generation logic employs the standard PBKDF2 (Password-Based Key Derivation Function) algorithm, widely used by products like Adobe, macOS, and Cisco. While higher iteration counts reduce cracking efficiency, they improve security. QNX’s documentation vague reference to only “SHA-512” without explicitly mentioning PBKDF2 somewhat obscures the implementation details for security researchers.</p> <p><img loading="lazy" src="pbkdf2.png" alt="PBKDF2"/></p> <p>You can verify it with CyberChef:</p> <pre tabindex="0"><code>https://gchq.github.io/CyberChef/#recipe=Derive_PBKDF2_key(%7B&#39;option&#39;:&#39;UTF8&#39;,&#39;string&#39;:&#39;hashcat&#39;%7D,512,4096,&#39;SHA512&#39;,%7B&#39;option&#39;:&#39;Base64&#39;,&#39;string&#39;:&#39;NDY2MDEwNjk3YjBjYzM2MzliMzc3Mzc0ZTNiMTAzNzE%3D&#39;%7D)&amp;input=dm0ybkJHSGVzNlFrWHJhMGY3NFhtb3VTaVJ6allEM3IvMHB5K3R4djBLcjhBNGhDUE1HRkhvWnFyNDFKRmlZY0pQUE9lSWhlcUZzZU15THl3LzE1UHc9PQ </code></pre><h2 id="writing-a-hashcat-module">Writing a Hashcat module</h2> <p>Refer to the official documentation:</p> <p><a href="https://github.com/hashcat/hashcat/blob/master/docs/hashcat-plugin-development-guide.md"target="_blank" rel="noopener noreferrer">https://github.com/hashcat/hashcat/blob/master/docs/hashcat-plugin-development-guide.md</a></p> <p>Initially, I considered writing new OpenCL code. However, once I realized it was a standard algorithm (PBKDF2), I abandoned that idea and looked for a suitable existing module to modify.</p> <pre tabindex="0"><code>./hashcat -hh | grep PBKDF2 11900 | PBKDF2-HMAC-MD5 | Generic KDF 12000 | PBKDF2-HMAC-SHA1 | Generic KDF 10900 | PBKDF2-HMAC-SHA256 | Generic KDF 12100 | PBKDF2-HMAC-SHA512 | Generic KDF 2500 | WPA-EAPOL-PBKDF2 | Network Protocol 22000 | WPA-PBKDF2-PMKID+EAPOL | Network Protocol 16800 | WPA-PMKID-PBKDF2 | Network Protocol 12800 | MS-AzureSync PBKDF2-HMAC-SHA256 | Operating System 9200 | Cisco-IOS $8$ (PBKDF2-SHA256) | Operating System 7100 | macOS v10.8+ (PBKDF2-SHA512) | Operating System </code></pre><p>Hashcat runs self-tests on every module at startup, using <code>ST_HASH</code> and <code>ST_PASS</code> as test vectors. I set <code>KERN_TYPE</code> to 7100 and prepared to debug iteratively—but to my surprise, it worked on the first attempt.</p> <p>Since Hashcat is open-source and the pull request merge process can be lengthy, I have included the source code below.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/** </span></span></span><span class="line"><span class="cl"><span class="cm"> * Author......: See docs/credits.txt </span></span></span><span class="line"><span class="cl"><span class="cm"> * License.....: MIT </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&#34;common.h&#34;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&#34;types.h&#34;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&#34;modules.h&#34;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&#34;bitops.h&#34;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&#34;convert.h&#34;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&#34;shared.h&#34;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&#34;emu_inc_hash_sha512.h&#34;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"><span class="cp">#include</span> <span class="cpf">&#34;memory.h&#34;</span><span class="cp"> </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="n">u32</span> <span class="n">ATTACK_EXEC</span> <span class="o">=</span> <span class="n">ATTACK_EXEC_OUTSIDE_KERNEL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="n">u32</span> <span class="n">DGST_POS0</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="n">u32</span> <span class="n">DGST_POS1</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="n">u32</span> <span class="n">DGST_POS2</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="n">u32</span> <span class="n">DGST_POS3</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="n">u32</span> <span class="n">DGST_SIZE</span> <span class="o">=</span> <span class="n">DGST_SIZE_8_16</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="n">u32</span> <span class="n">HASH_CATEGORY</span> <span class="o">=</span> <span class="n">HASH_CATEGORY_OS</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">HASH_NAME</span> <span class="o">=</span> <span class="s">&#34;QNX 7 /etc/shadow (SHA512)&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="n">u64</span> <span class="n">KERN_TYPE</span> <span class="o">=</span> <span class="mi">7100</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="n">u32</span> <span class="n">OPTI_TYPE</span> <span class="o">=</span> <span class="n">OPTI_TYPE_ZERO_BYTE</span> </span></span><span class="line"><span class="cl"> <span class="o">|</span> <span class="n">OPTI_TYPE_USES_BITS_64</span> </span></span><span class="line"><span class="cl"> <span class="o">|</span> <span class="n">OPTI_TYPE_SLOW_HASH_SIMD_LOOP</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="n">u64</span> <span class="n">OPTS_TYPE</span> <span class="o">=</span> <span class="n">OPTS_TYPE_STOCK_MODULE</span> </span></span><span class="line"><span class="cl"> <span class="o">|</span> <span class="n">OPTS_TYPE_PT_GENERATE_LE</span> </span></span><span class="line"><span class="cl"> <span class="o">|</span> <span class="n">OPTS_TYPE_ST_BASE64</span> </span></span><span class="line"><span class="cl"> <span class="o">|</span> <span class="n">OPTS_TYPE_HASH_COPY</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="n">u32</span> <span class="n">SALT_TYPE</span> <span class="o">=</span> <span class="n">SALT_TYPE_EMBEDDED</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">ST_PASS</span> <span class="o">=</span> <span class="s">&#34;hashcat&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">ST_HASH</span> <span class="o">=</span> <span class="s">&#34;@S@vm2nBGHes6QkXra0f74XmouSiRzjYD3r/0py+txv0Kr8A4hCPMGFHoZqr41JFiYcJPPOeIheqFseMyLyw/15Pw==@NDY2MDEwNjk3YjBjYzM2MzliMzc3Mzc0ZTNiMTAzNzE=&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">u32</span> <span class="nf">module_attack_exec</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">ATTACK_EXEC</span><span class="p">;</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="n">u32</span> <span class="nf">module_dgst_pos0</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">DGST_POS0</span><span class="p">;</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="n">u32</span> <span class="nf">module_dgst_pos1</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">DGST_POS1</span><span class="p">;</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="n">u32</span> <span class="nf">module_dgst_pos2</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">DGST_POS2</span><span class="p">;</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="n">u32</span> <span class="nf">module_dgst_pos3</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">DGST_POS3</span><span class="p">;</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="n">u32</span> <span class="nf">module_dgst_size</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">DGST_SIZE</span><span class="p">;</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="n">u32</span> <span class="nf">module_hash_category</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">HASH_CATEGORY</span><span class="p">;</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="nf">module_hash_name</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">HASH_NAME</span><span class="p">;</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="n">u64</span> <span class="nf">module_kern_type</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">KERN_TYPE</span><span class="p">;</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="n">u32</span> <span class="nf">module_opti_type</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">OPTI_TYPE</span><span class="p">;</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="n">u64</span> <span class="nf">module_opts_type</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">OPTS_TYPE</span><span class="p">;</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="n">u32</span> <span class="nf">module_salt_type</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">SALT_TYPE</span><span class="p">;</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="nf">module_st_hash</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">ST_HASH</span><span class="p">;</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="nf">module_st_pass</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">ST_PASS</span><span class="p">;</span> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">typedef</span> <span class="k">struct</span> <span class="n">pbkdf2_sha512</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">u32</span> <span class="n">salt_buf</span><span class="p">[</span><span class="mi">64</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="kt">pbkdf2_sha512_t</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">typedef</span> <span class="k">struct</span> <span class="n">pbkdf2_sha512_tmp</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">u64</span> <span class="n">ipad</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">u64</span> <span class="n">opad</span><span class="p">[</span><span class="mi">8</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">u64</span> <span class="n">dgst</span><span class="p">[</span><span class="mi">16</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">u64</span> <span class="n">out</span><span class="p">[</span><span class="mi">16</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="kt">pbkdf2_sha512_tmp_t</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">u64</span> <span class="nf">module_esalt_size</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="n">u64</span> <span class="n">esalt_size</span> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="n">u64</span><span class="p">)</span> <span class="k">sizeof</span> <span class="p">(</span><span class="kt">pbkdf2_sha512_t</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">esalt_size</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">u64</span> <span class="nf">module_tmp_size</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_t</span> <span class="o">*</span><span class="n">user_options</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">user_options_extra_t</span> <span class="o">*</span><span class="n">user_options_extra</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="n">u64</span> <span class="n">tmp_size</span> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="n">u64</span><span class="p">)</span> <span class="k">sizeof</span> <span class="p">(</span><span class="kt">pbkdf2_sha512_tmp_t</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">tmp_size</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="kt">int</span> <span class="n">ROUNDS_QNX</span> <span class="o">=</span> <span class="mi">4096</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">static</span> <span class="k">const</span> <span class="kt">int</span> <span class="n">HASH_SIZE</span> <span class="o">=</span> <span class="mi">64</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">module_hash_decode</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="kt">void</span> <span class="o">*</span><span class="n">digest_buf</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="kt">salt_t</span> <span class="o">*</span><span class="n">salt</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="kt">void</span> <span class="o">*</span><span class="n">esalt_buf</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="kt">void</span> <span class="o">*</span><span class="n">hook_salt_buf</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="kt">hashinfo_t</span> <span class="o">*</span><span class="n">hash_info</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">line_buf</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">int</span> <span class="n">line_len</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">u64</span> <span class="o">*</span><span class="n">digest</span> <span class="o">=</span> <span class="p">(</span><span class="n">u64</span> <span class="o">*</span><span class="p">)</span> <span class="n">digest_buf</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">pbkdf2_sha512_t</span> <span class="o">*</span><span class="n">pbkdf2_sha512</span> <span class="o">=</span> <span class="p">(</span><span class="kt">pbkdf2_sha512_t</span> <span class="o">*</span><span class="p">)</span> <span class="n">esalt_buf</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">hc_token_t</span> <span class="n">token</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span> <span class="p">(</span><span class="o">&amp;</span><span class="n">token</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="k">sizeof</span> <span class="p">(</span><span class="kt">hc_token_t</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">token_cnt</span> <span class="o">=</span> <span class="mi">4</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// @digest@hash@salt </span></span></span><span class="line"><span class="cl"> <span class="c1">// @digest,iterations@hash@salt </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">sep</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="sc">&#39;@&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">len</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">attr</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="n">TOKEN_ATTR_FIXED_LENGTH</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">sep</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="sc">&#39;@&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">len_min</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">len_max</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="mi">8</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">attr</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">TOKEN_ATTR_VERIFY_LENGTH</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">sep</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="sc">&#39;@&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">len_min</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="mi">64</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">len_max</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="mi">100</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">attr</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="n">TOKEN_ATTR_VERIFY_LENGTH</span> <span class="o">|</span> <span class="n">TOKEN_ATTR_VERIFY_BASE64A</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">sep</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="sc">&#39;@&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">len_min</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="mi">32</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">len_max</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="mi">60</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">token</span><span class="p">.</span><span class="n">attr</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="n">TOKEN_ATTR_VERIFY_LENGTH</span> <span class="o">|</span> <span class="n">TOKEN_ATTR_VERIFY_BASE64A</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="kt">int</span> <span class="n">rc_tokenizer</span> <span class="o">=</span> <span class="nf">input_tokenizer</span> <span class="p">((</span><span class="k">const</span> <span class="n">u8</span> <span class="o">*</span><span class="p">)</span> <span class="n">line_buf</span><span class="p">,</span> <span class="n">line_len</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">token</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">rc_tokenizer</span> <span class="o">!=</span> <span class="n">PARSER_OK</span><span class="p">)</span> <span class="k">return</span> <span class="p">(</span><span class="n">rc_tokenizer</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// check hash type </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">token</span><span class="p">.</span><span class="n">buf</span><span class="p">[</span><span class="mi">1</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="o">!=</span> <span class="sc">&#39;S&#39;</span><span class="p">)</span> <span class="k">return</span> <span class="p">(</span><span class="n">PARSER_SIGNATURE_UNMATCHED</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// check iter </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">u32</span> <span class="n">iter</span> <span class="o">=</span> <span class="n">ROUNDS_QNX</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">token</span><span class="p">.</span><span class="n">len</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">token</span><span class="p">.</span><span class="n">buf</span><span class="p">[</span><span class="mi">1</span><span class="p">][</span><span class="mi">1</span><span class="p">]</span> <span class="o">!=</span> <span class="sc">&#39;,&#39;</span><span class="p">)</span> <span class="k">return</span> <span class="p">(</span><span class="n">PARSER_SEPARATOR_UNMATCHED</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">iter</span> <span class="o">=</span> <span class="nf">hc_strtoul</span> <span class="p">((</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="p">)</span> <span class="n">token</span><span class="p">.</span><span class="n">buf</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mi">2</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// iter++; the additional round is added in the init kernel </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">salt</span><span class="o">-&gt;</span><span class="n">salt_iter</span> <span class="o">=</span> <span class="n">iter</span> <span class="o">-</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="n">u8</span> <span class="o">*</span><span class="n">hash_pos</span> <span class="o">=</span> <span class="n">token</span><span class="p">.</span><span class="n">buf</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="kt">int</span> <span class="n">hash_len</span> <span class="o">=</span> <span class="n">token</span><span class="p">.</span><span class="n">len</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">decoded_len</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">u8</span> <span class="n">tmp_buf</span><span class="p">[</span><span class="mi">512</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span> <span class="p">(</span><span class="n">tmp_buf</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="k">sizeof</span> <span class="p">(</span><span class="n">tmp_buf</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">decoded_len</span> <span class="o">=</span> <span class="nf">base64_decode</span> <span class="p">(</span><span class="n">base64_to_int</span><span class="p">,</span> <span class="n">hash_pos</span><span class="p">,</span> <span class="n">hash_len</span><span class="p">,</span> <span class="n">tmp_buf</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">decoded_len</span> <span class="o">!=</span> <span class="n">HASH_SIZE</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">(</span><span class="n">PARSER_SALT_LENGTH</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span> <span class="p">(</span><span class="n">digest</span><span class="p">,</span> <span class="n">tmp_buf</span><span class="p">,</span> <span class="mi">64</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">digest</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="nf">byte_swap_64</span> <span class="p">(</span><span class="n">digest</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="n">digest</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="nf">byte_swap_64</span> <span class="p">(</span><span class="n">digest</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="n">digest</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="nf">byte_swap_64</span> <span class="p">(</span><span class="n">digest</span><span class="p">[</span><span class="mi">2</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="n">digest</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="nf">byte_swap_64</span> <span class="p">(</span><span class="n">digest</span><span class="p">[</span><span class="mi">3</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="n">digest</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="o">=</span> <span class="nf">byte_swap_64</span> <span class="p">(</span><span class="n">digest</span><span class="p">[</span><span class="mi">4</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="n">digest</span><span class="p">[</span><span class="mi">5</span><span class="p">]</span> <span class="o">=</span> <span class="nf">byte_swap_64</span> <span class="p">(</span><span class="n">digest</span><span class="p">[</span><span class="mi">5</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="n">digest</span><span class="p">[</span><span class="mi">6</span><span class="p">]</span> <span class="o">=</span> <span class="nf">byte_swap_64</span> <span class="p">(</span><span class="n">digest</span><span class="p">[</span><span class="mi">6</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="n">digest</span><span class="p">[</span><span class="mi">7</span><span class="p">]</span> <span class="o">=</span> <span class="nf">byte_swap_64</span> <span class="p">(</span><span class="n">digest</span><span class="p">[</span><span class="mi">7</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// salt </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="n">u8</span> <span class="o">*</span><span class="n">salt_pos</span> <span class="o">=</span> <span class="n">token</span><span class="p">.</span><span class="n">buf</span><span class="p">[</span><span class="mi">3</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="kt">int</span> <span class="n">salt_len</span> <span class="o">=</span> <span class="n">token</span><span class="p">.</span><span class="n">len</span><span class="p">[</span><span class="mi">3</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">memset</span> <span class="p">(</span><span class="n">tmp_buf</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="k">sizeof</span> <span class="p">(</span><span class="n">tmp_buf</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">decoded_len</span> <span class="o">=</span> <span class="nf">base64_decode</span> <span class="p">(</span><span class="n">base64_to_int</span><span class="p">,</span> <span class="n">salt_pos</span><span class="p">,</span> <span class="n">salt_len</span><span class="p">,</span> <span class="n">tmp_buf</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">decoded_len</span> <span class="o">&lt;</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">(</span><span class="n">PARSER_SALT_LENGTH</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">memcpy</span> <span class="p">(</span><span class="n">pbkdf2_sha512</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">,</span> <span class="n">tmp_buf</span><span class="p">,</span> <span class="n">decoded_len</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">salt</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="n">pbkdf2_sha512</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">salt</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">pbkdf2_sha512</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">salt</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="n">pbkdf2_sha512</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">salt</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="n">pbkdf2_sha512</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">3</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">salt</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="o">=</span> <span class="n">pbkdf2_sha512</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">4</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">salt</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">5</span><span class="p">]</span> <span class="o">=</span> <span class="n">pbkdf2_sha512</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">5</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">salt</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">6</span><span class="p">]</span> <span class="o">=</span> <span class="n">pbkdf2_sha512</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">6</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">salt</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">7</span><span class="p">]</span> <span class="o">=</span> <span class="n">pbkdf2_sha512</span><span class="o">-&gt;</span><span class="n">salt_buf</span><span class="p">[</span><span class="mi">7</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">salt</span><span class="o">-&gt;</span><span class="n">salt_len</span> <span class="o">=</span> <span class="n">decoded_len</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="p">(</span><span class="n">PARSER_OK</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">int</span> <span class="nf">module_hash_encode</span> <span class="p">(</span><span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashconfig_t</span> <span class="o">*</span><span class="n">hashconfig</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="n">digest_buf</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">salt_t</span> <span class="o">*</span><span class="n">salt</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="n">esalt_buf</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="n">hook_salt_buf</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">hashinfo_t</span> <span class="o">*</span><span class="n">hash_info</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">line_buf</span><span class="p">,</span> <span class="n">MAYBE_UNUSED</span> <span class="k">const</span> <span class="kt">int</span> <span class="n">line_size</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">snprintf</span> <span class="p">(</span><span class="n">line_buf</span><span class="p">,</span> <span class="n">line_size</span><span class="p">,</span> <span class="s">&#34;%s&#34;</span><span class="p">,</span> <span class="n">hash_info</span><span class="o">-&gt;</span><span class="n">orighash</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="nf">module_init</span> <span class="p">(</span><span class="kt">module_ctx_t</span> <span class="o">*</span><span class="n">module_ctx</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_context_size</span> <span class="o">=</span> <span class="n">MODULE_CONTEXT_SIZE_CURRENT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_interface_version</span> <span class="o">=</span> <span class="n">MODULE_INTERFACE_VERSION_CURRENT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_attack_exec</span> <span class="o">=</span> <span class="n">module_attack_exec</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_benchmark_esalt</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_benchmark_hook_salt</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_benchmark_mask</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_benchmark_charset</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_benchmark_salt</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_build_plain_postprocess</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_deep_comp_kernel</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_deprecated_notice</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_dgst_pos0</span> <span class="o">=</span> <span class="n">module_dgst_pos0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_dgst_pos1</span> <span class="o">=</span> <span class="n">module_dgst_pos1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_dgst_pos2</span> <span class="o">=</span> <span class="n">module_dgst_pos2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_dgst_pos3</span> <span class="o">=</span> <span class="n">module_dgst_pos3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_dgst_size</span> <span class="o">=</span> <span class="n">module_dgst_size</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_dictstat_disable</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_esalt_size</span> <span class="o">=</span> <span class="n">module_esalt_size</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_extra_buffer_size</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_extra_tmp_size</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_extra_tuningdb_block</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_forced_outfile_format</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hash_binary_count</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hash_binary_parse</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hash_binary_save</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hash_decode_postprocess</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hash_decode_potfile</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hash_decode_zero_hash</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hash_decode</span> <span class="o">=</span> <span class="n">module_hash_decode</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hash_encode_status</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hash_encode_potfile</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hash_encode</span> <span class="o">=</span> <span class="n">module_hash_encode</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hash_init_selftest</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hash_mode</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hash_category</span> <span class="o">=</span> <span class="n">module_hash_category</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hash_name</span> <span class="o">=</span> <span class="n">module_hash_name</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hashes_count_min</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hashes_count_max</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hlfmt_disable</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hook_extra_param_size</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hook_extra_param_init</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hook_extra_param_term</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hook12</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hook23</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hook_salt_size</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_hook_size</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_jit_build_options</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_jit_cache_disable</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_kernel_accel_max</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_kernel_accel_min</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_kernel_loops_max</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_kernel_loops_min</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_kernel_threads_max</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_kernel_threads_min</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_kern_type</span> <span class="o">=</span> <span class="n">module_kern_type</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_kern_type_dynamic</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_opti_type</span> <span class="o">=</span> <span class="n">module_opti_type</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_opts_type</span> <span class="o">=</span> <span class="n">module_opts_type</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_outfile_check_disable</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_outfile_check_nocomp</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_potfile_custom_check</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_potfile_disable</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_potfile_keep_all_hashes</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_pwdump_column</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_pw_max</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_pw_min</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_salt_max</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_salt_min</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_salt_type</span> <span class="o">=</span> <span class="n">module_salt_type</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_separator</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_st_hash</span> <span class="o">=</span> <span class="n">module_st_hash</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_st_pass</span> <span class="o">=</span> <span class="n">module_st_pass</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_tmp_size</span> <span class="o">=</span> <span class="n">module_tmp_size</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_unstable_warning</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">module_ctx</span><span class="o">-&gt;</span><span class="n">module_warmup_disable</span> <span class="o">=</span> <span class="n">MODULE_DEFAULT</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><h2 id="references">References</h2> <p><a href="https://news.sophos.com/fr-fr/2013/11/21/stocker-mots-de-passe-en-securite/"target="_blank" rel="noopener noreferrer">Serious Security : stocker vos mots de passe en toute sécurité</a></p> <p><a href="https://github.com/openwall/john/blob/bleeding-jumbo/src/sha2.c#L578-L595"target="_blank" rel="noopener noreferrer">https://github.com/openwall/john/blob/bleeding-jumbo/src/sha2.c#L578-L595</a></p> <p><a href="https://github.com/hashcat/hashcat"target="_blank" rel="noopener noreferrer">https://github.com/hashcat/hashcat</a></p> https://gorgias.me/posts/general-firmware-reversing-tips/ Mon, 15 Aug 2022 21:39:11 +0800 https://gorgias.me/posts/general-firmware-reversing-tips/ <h2 id="preface">Preface</h2> <p>These notes were originally compiled years ago as a quick reference. They are somewhat fragmented and do not provide step-by-step procedures, but I continue to update them over time.</p> <p>In this context, &ldquo;firmware&rdquo; refers to raw dumps extracted from storage chips or vendor upgrade packages.</p> <p><strong>Characteristics of reversing raw firmware:</strong></p> <ul> <li><strong>Acquisition difficulty:</strong> Firmware files can be hard to obtain.</li> <li><strong>Limited resources:</strong> There are few public write-ups; you mostly rely on experience and exploration.</li> <li><strong>No direction execution:</strong> You cannot run the firmware directly, making debugging difficult.</li> <li><strong>Missing symbols:</strong> Most symbols are stripped; you often need to manually define code regions for disassembly.</li> <li><strong>Low obfuscation:</strong> Code obfuscation is rarely applied.</li> </ul> <h2 id="firmware-categories">Firmware Categories</h2> <p>Based on system architecture, firmware can be broadly categorized into <strong>SoC firmware</strong> and <strong>MCU firmware</strong>.</p> <ul> <li><strong>SoC Firmware:</strong> Typically consists of a processing unit plus peripherals. The processor&rsquo;s built-in BootROM loads a bootloader from external Flash; the data in that external Flash is what we consider the firmware. SoC devices typically use SPI NOR flash, NAND flash, or eMMC. SPI flash often stores the bootloader, while NAND flash stores the system kernel and filesystem. For the latter, extraction of the filesystem is key; for the former, the focus is on the boot process. Firmware in SPI flash is often composed of multiple distinct parts, so you cannot simply load a raw dump into IDA Pro and expect it to work.</li> <li><strong>MCU Firmware:</strong> Usually monolithic or split into very few regions. For MCUs using only internal storage, the layout is generally Loader + Application. For MCUs with external storage, you will see an internal Loader + Application, and the external Flash is typically not heavily partitioned.</li> </ul> <h2 id="extracting-firmware">Extracting Firmware</h2> <p>For NAND flash or other specialized storage media, extraction can require significant effort. Firmware from niche or proprietary MCUs can also be notoriously difficult to extract.</p> <h2 id="finding-the-load-base-address">Finding the Load Base Address</h2> <p>When reversing firmware, the first step is usually to determine the <strong>load base address</strong>. Once the correct base is established, IDA can automatically resolve many cross-references, including strings and jump tables (jpt).</p> <p>(These are rough notes; ignore them if they don&rsquo;t apply to your specific case.)</p> <p><strong>Methods to determine the load base address:</strong></p> <ol> <li><strong>Chip Datasheet:</strong> Use the memory map and boot-mode pin configuration to locate the base address.</li> <li><strong>Public Code:</strong> Find open-source code for the chip (e.g., a compatible bootloader) and infer the base address from linker scripts or definitions.</li> <li><strong>Previous-Stage Loader:</strong> Reverse the previous-stage loader to find where it loads the next stage (e.g., U-Boot environment variables or code often contain base address info).</li> <li><strong>Vector Table (IVT):</strong> Interrupt vectors often contain absolute addresses; use them to make an educated guess.</li> <li><strong>String References:</strong> If there is no interrupt vector table, look for pointers to strings that use absolute addresses.</li> <li><strong>Brute-Force Analysis:</strong> Extract all strings, then find all potential reference sites in the code. The base address that yields the most valid cross-references is likely correct.</li> <li><strong>Runtime Dump:</strong> If you have debug access (JTAG/SWD/UART), dump the memory at runtime and see where the firmware header resides.</li> <li><strong>Pattern Matching:</strong> Consider &ldquo;round&rdquo; addresses like <code>0x????0000</code>. Compare the destination addresses of pointers/jumps with the distribution of strings in the file. If the lower bits match, the difference reveals the offset between the current base and the real base.</li> <li><strong>IDA Trick:</strong> If the last 4 hex digits of an address offset match the last 4 hex digits of a generic pointer (DCD) value, then the high bits of that pointer value likely represent the base address&rsquo;s high bits.</li> </ol> <h2 id="analyzing-layout">Analyzing Layout</h2> <p>Start with <code>hexdump</code> to visualize the data distribution, then use <code>binwalk</code> to identify the CPU instruction set architecture (ISA) and opcode distribution. If it remains unclear, use a hex editor to analyze byte-frequency distribution.</p> <p>If the data appears compressed (e.g., high entropy), look for specific markers. For example, Lempel-Ziv-Welch (LZW) compression often produces many <code>0x9D</code> bytes. Check the bytes following <code>0x9D</code> to see if the stream matches the LZW structure. Reference: <a href="https://en.wikipedia.org/wiki/List_of_file_signatures"target="_blank" rel="noopener noreferrer">List of file signatures</a>.</p> <p><strong>Other techniques:</strong></p> <ul> <li><strong>Endianness:</strong> Search for continuous strings sequences like <code>0123456789abcdefg</code>. Some systems (e.g., certain printers) use dual flash chips where one holds &ldquo;1267&rdquo; and the other &ldquo;3489&rdquo;. You may need to interleave and reconstruct the binary using the smallest byte block size.</li> <li><strong>Magic Values:</strong> If source code is available, search for magic values from the source code within the firmware to reconstruct the layout.</li> <li><strong>Differential Analysis:</strong> Compare firmware across different versions, or compare the same version with slightly different contents (control-variable method).</li> <li><strong>Block Similarity:</strong> If you only have a single firmware sample, analyze block similarity to locate magic numbers and infer the system structure.</li> </ul> <h3 id="avoiding-duplicate-regions">Avoiding Duplicate Regions</h3> <p>I developed a firmware security tool called <strong>UFA - Universal Firmware Analysis</strong> to help with this.</p> <p><img loading="lazy" src="./ufa.png" alt=""/></p> <p>(Note: I implemented this feature in late 2020.)</p> <p>Some firmware images contain redundant system copies (e.g., for A/B updates). With UFA (or other tools that visualize entropy), you can quickly identify duplicated regions and avoid analyzing the same code twice.</p> <p><img loading="lazy" src="./entropy2.png" alt=""/></p> <h3 id="continuous-files--partially-compressed-files">Continuous Files &amp; Partially Compressed Files</h3> <p>Partially compressed systems present significant challenges. In day-to-day reversing, you might extract a binary and try to analyze it directly. You see some strings and symbols, but IDA fails to analyze the code flow properly. An entropy graph might reveal that parts of the file are code, while others are compressed data, interspersed with constants (like SHA-512 constants).</p> <p>Normal compressed data has a constantly high entropy (close to 1). In system firmware, it is unusual to see large sections of readable strings separated by large blocks of compressed data if it were a standard file system. By analyzing the previous-stage loader, you can often confirm if the binary is a <strong>continuous file</strong> with <strong>partial compression</strong>.</p> <p><img loading="lazy" src="./entropy3.png" alt=""/></p> <h3 id="partial-encryption-vs-partial-compression">Partial Encryption vs. Partial Compression</h3> <p>When partial encryption and partial compression are combined, analysis becomes extremely confusing.</p> <p>IoT devices are often resource-constrained. To balance security and user experience (boot time), vendors may use <strong>partial encryption</strong>. For example, a SquashFS image might fail to unpack. An inexperienced reverser might assume the file is corrupted. A clearer analysis might reveal a decryption routine; however, even after decryption, unpacking might still fail. Since SquashFS is compressed by definition, &ldquo;partial encryption&rdquo; is harder to spot visually because both look like high-entropy noise.</p> <p>However, partial encryption differs from full encryption:</p> <ul> <li><strong>Partial Compression/Encryption:</strong> Compressed data entropy usually fluctuates within a high range. Regions with fluctuations might indicate &ldquo;unencrypted leftovers&rdquo; or metadata inside an otherwise partially encrypted area. (See below)</li> </ul> <p><img loading="lazy" src="./entropy4.png" alt=""/></p> <ul> <li><strong>Full Encryption:</strong> Fully encrypted data tends to have consistently high randomness, often appearing as a flat, high line on the entropy graph.</li> </ul> <p><img loading="lazy" src="./entropy5.png" alt=""/></p> <h2 id="identifying-functions">Identifying Functions</h2> <p>If the base address is incorrect, IDA often cannot accurately detect code regions or function prologues. In such cases, you can try to blindly recover potential functions to get a foothold.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">remake_func</span><span class="p">(</span><span class="n">opcodes</span><span class="p">,</span> <span class="n">lastbytes</span><span class="p">,</span> <span class="n">end_ea</span> <span class="o">=</span> <span class="n">ida_ida</span><span class="o">.</span><span class="n">inf_get_max_ea</span><span class="p">()):</span> </span></span><span class="line"><span class="cl"> <span class="n">ea</span> <span class="o">=</span> <span class="mh">0x0</span> </span></span><span class="line"><span class="cl"> <span class="n">lastbytes_len</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">lastbytes</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span><span class="n">ea</span> <span class="o">&gt;=</span> <span class="mi">0</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">ea</span> <span class="o">=</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">bin_search</span><span class="p">(</span><span class="n">ea</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="n">end_ea</span><span class="p">,</span> <span class="n">opcodes</span><span class="p">,</span> <span class="kc">None</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">BIN_SEARCH_FORWARD</span> <span class="o">|</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">BIN_SEARCH_NOBREAK</span> <span class="o">|</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">BIN_SEARCH_NOSHOW</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">ea</span> <span class="o">==</span> <span class="n">BADADDR</span> <span class="p">:</span> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;get_bytes: &#34;</span><span class="p">,</span> <span class="nb">hex</span><span class="p">(</span><span class="n">ea</span><span class="o">-</span><span class="n">lastbytes_len</span><span class="p">),</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">get_bytes</span><span class="p">((</span><span class="n">ea</span><span class="o">-</span><span class="n">lastbytes_len</span><span class="p">),</span> <span class="n">lastbytes_len</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">ida_bytes</span><span class="o">.</span><span class="n">get_bytes</span><span class="p">((</span><span class="n">ea</span><span class="o">-</span><span class="n">lastbytes_len</span><span class="p">),</span> <span class="n">lastbytes_len</span><span class="p">)</span> <span class="o">==</span> <span class="n">lastbytes</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">add_func</span><span class="p">(</span><span class="n">ea</span><span class="p">,</span> <span class="n">BADADDR</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;0x</span><span class="si">{:x}</span><span class="s2">: </span><span class="si">{}</span><span class="s2">&#34;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">ea</span><span class="p">,</span> <span class="n">GetDisasm</span><span class="p">(</span><span class="n">ea</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Example usage: Searching for common function prologues/epilogues</span> </span></span><span class="line"><span class="cl"><span class="n">remake_func</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x55\x89\xe5</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\xc3</span><span class="s1">&#39;</span><span class="p">,</span> <span class="mh">0xFF000000</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">remake_func</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x55\x31\xC0</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\xc3</span><span class="s1">&#39;</span><span class="p">,</span> <span class="mh">0xFF000000</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">remake_func</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x55\x89\xe5</span><span class="s1">&#39;</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\xc2\x04\x00</span><span class="s1">&#39;</span><span class="p">,</span> <span class="mh">0xFF000000</span><span class="p">)</span> </span></span></code></pre></div><h2 id="recovering-common-functions">Recovering Common Functions</h2> <p>Proprietary MCU firmware rarely uses standard external libraries; most functionality is statically linked or implemented from scratch. You should first identify frequently used standard functions to build a map of the firmware&rsquo;s logic:</p> <ul> <li><code>memcpy</code></li> <li><code>memset</code></li> <li><code>memcmp</code></li> <li><code>mmap</code></li> <li><code>printf</code></li> <li><code>strcpy</code></li> <li><code>kfree</code> / <code>malloc</code></li> </ul> <p>For firmware based on open-source projects, you can use source-based signatures.</p> <p><strong>Script to find the most-referenced functions:</strong></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">idaapi</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"><span class="n">funcs</span> <span class="o">=</span> <span class="n">Functions</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">f</span> <span class="ow">in</span> <span class="n">funcs</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">name</span> <span class="o">=</span> <span class="n">Name</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">func_xref_amount</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="nb">list</span><span class="p">(</span><span class="n">XrefsTo</span><span class="p">(</span><span class="n">f</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">func_xref_amount</span> <span class="o">&gt;</span> <span class="mi">30</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s2">&#34;</span><span class="si">%s</span><span class="s2"> </span><span class="si">%d</span><span class="s2">&#34;</span> <span class="o">%</span> <span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">func_xref_amount</span><span class="p">)</span> </span></span></code></pre></div><p>For open-source MCU firmware, compile your own build using the same toolchain and version if possible. Generate a MAP file or symbols, use FLIRT to create signatures, and then match them against the target firmware to recover function names.</p> <h3 id="finding-functions-with-string-references">Finding Functions with String References</h3> <p>For firmware where the base address is not aligned to a standard boundary (like <code>0x1000</code>), guessing the base is difficult. A useful trick involves inspecting string global variables.</p> <p>First, look at the list of strings in IDA and note the sequence of their offsets.</p> <p><img loading="lazy" src="./strings.png" alt=""/></p> <p>On x86 architectures, arguments for static variables are often pushed onto the stack. Searching for <code>push</code> instructions is often more effective than searching for <code>mov</code>. In IDA, perform a binary search for the opcode <code>push 0x...</code> (or search for the immediate values). Filter for values ending with specific patterns derived from the string offsets (e.g., <code>0x********62</code>, <code>0x********97</code>).</p> <p>As shown below, if the regularity of the immediate values in the code matches the distance between the strings, the correct base address becomes obvious.</p> <p><img loading="lazy" src="./push.png" alt=""/></p> <p><strong>Base calculation example:</strong> <code>0xFEFA5762</code> (Immediate Value) - <code>0x22F62</code> (String Offset) = <code>0xFEF82800</code> (Base Address)</p> <h2 id="fixing-function-cross-references">Fixing Function Cross-References</h2> <p>If you cannot identify the caller of a function, it may be referenced via a jump table. Globally search for immediate values equal to the function&rsquo;s address.</p> <ul> <li><strong>Note:</strong> Sometimes addresses are stored as relative offsets; you must subtract the base address to find the stored value.</li> <li><strong>Split Addresses:</strong> Sometimes a 32-bit address is constructed from high 16 bits and low 16 bits:</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-asm" data-lang="asm"><span class="line"><span class="cl"><span class="nf">MOV</span> <span class="no">Rx</span><span class="p">,</span> <span class="c1">#HighAddr </span></span></span><span class="line"><span class="cl"><span class="nf">MOVT</span> <span class="no">Rx</span><span class="p">,</span> <span class="c1">#LowAddr </span></span></span></code></pre></div><h2 id="niche-architectures">Niche Architectures</h2> <p>IDA Pro is excellent at disassembling machine code and generating call graphs for common architectures. However, for niche architectures like NEC V850, you often need to manually identify function entry points. Many cross-references will not be automatically recognized and must be created manually.</p> <p>Another challenge is chip-specific register layouts: RAM, peripheral buses, interface registers, interrupt controllers, etc.</p> <ul> <li><strong>Solution:</strong> Consult the datasheet. If the datasheet is not public, look for Board Support Packages (BSPs) or scatter files code for similar chips.</li> <li><strong>IDA Config:</strong> Add platform-specific configurations to IDA Pro&rsquo;s <code>cfg</code> files (address map, register names, etc.) to aid analysis.</li> </ul> <h2 id="reversing-by-comparing-with-source">Reversing by Comparing with Source</h2> <p>If you cannot understand a specific piece of code, find an open-source project with similar functionality. Compile it for the same platform, load the result into IDA Pro, and compare the assembly against your target. This comparative analysis often clarifies the code&rsquo;s intent.</p> <h2 id="emulation">Emulation</h2> <p>If you face complex obfuscated or mathematical code but only need the input/output behavior, emulate it using <strong>Unicorn Engine</strong>. It supports common architectures like ARM, MIPS, and PPC, allowing you to execute the code slice in isolation.</p> <h2 id="reversing-specific-features">Reversing Specific Features</h2> <p>Crypto libraries often rely on specific constant tables (S-boxes, initialization vectors). By searching for these constants, you can identify the algorithms used (AES, SHA, CRC) and locate the functions that use them. Encryption, hashing, and checksum routines are critical checkpoints commonly found during boot, firmware upgrade, and communication phases.</p> <ul> <li><strong>Tools:</strong> Use the <strong>FindCrypt</strong> plugin to quickly locate these constants.</li> <li><strong>Protocols:</strong> For SD/SATA protocols, search for specific Command (CMD) values.</li> <li><strong>Vehicle Networks:</strong> For CAN bus analysis, search for the memory-mapped addresses of CAN registers.</li> </ul> <h2 id="ida-pro-problems-tips">IDA Pro &ldquo;Problems&rdquo; Tips</h2> <p>In IDA Pro, navigate to <strong>View &gt; Open subviews &gt; Problems</strong>, and look for:</p> <ul> <li><strong>NONAME</strong></li> <li><strong>BOUNDS</strong></li> </ul> <p>These items often indicate an instruction using an immediate value that points outside the defined internal segments. These values could be:</p> <ol> <li>Peripheral register addresses.</li> <li>Valid memory addresses if the firmware base address were set correctly.</li> <li>Addresses belonging to an <strong>external binary</strong> (common in bootloaders or multi-stage firmwares).</li> </ol> <p><strong>Tip:</strong> If Firmware A&rsquo;s base is unknown, but you see references to addresses that look like they belong to Firmware A (whose range you know from a different stage), references in Firmware B can help you calculate Firmware A&rsquo;s base.</p> <h3 id="case-study">Case Study</h3> <p>Consider an x86 firmware with an unknown base.</p> <ol> <li>Check the <strong>Problems</strong> view and filter for <strong>BOUNDS</strong>.</li> <li>You see many <code>call</code> instructions using relative addressing (e.g., <code>near ptr</code>).</li> <li>Address <code>0x7A10A</code> appears. If the file size is smaller than <code>0x40000</code>, <code>0x7A10A</code> is clearly invalid as a raw offset—it implies a base address is missing.</li> </ol> <p><img loading="lazy" src="./problem_bounds_relative.png" alt=""/></p> <ol start="4"> <li>Clicking one instance reveals that <code>0xFEF84DE0</code> is passed as an argument to the function at <code>0x7A10A</code>. This is likely a global variable address, not a register.</li> </ol> <p><img loading="lazy" src="./problem_bounds_relative_case.png" alt=""/></p> <ol start="5"> <li>Using the <strong>String Reference</strong> trick (described earlier), you determine the base is <code>0xFEF82800</code>.</li> <li>After rebasing, IDA identifies more functions.</li> <li>The address <code>0x7A10A</code> updates to <code>0xFEFFC90A</code>. If this is still outside the file&rsquo;s mapped memory, it likely points to an external binary (e.g., a shared library or common boot code).</li> <li>If you know from another binary that <code>printf</code> is at <code>0xFEFFC90A</code>, you can map that external binary into your current IDA database.</li> </ol> <p><strong>Adding a Segment in IDA:</strong> Be careful; the UI can be tricky.</p> <ol> <li>Press <code>Shift+F7</code> to open the <strong>Segments</strong> window.</li> <li>Right-click -&gt; <strong>Add segment</strong>.</li> <li>Set the <strong>Start address</strong> to the external binary&rsquo;s base.</li> </ol> <p><img loading="lazy" src="./add_segment.png" alt=""/></p> <ol start="4"> <li>Verify there are no overlaps with existing segments.</li> </ol> <p><img loading="lazy" src="./segment.png" alt=""/></p> <ol start="5"> <li>Load the external binary: <strong>File -&gt; Load file -&gt; Additional binary file&hellip;</strong></li> <li>Set the <strong>Loading offset</strong> to the base address of the new segment.</li> </ol> <p><img loading="lazy" src="./load_bin.png" alt=""/></p> https://gorgias.me/posts/bypass-jvmti-encryption-protection/ Mon, 28 Jun 2021 21:39:11 +0800 https://gorgias.me/posts/bypass-jvmti-encryption-protection/ <h2 id="research-process">Research Process</h2> <p>While researching a specific vehicle recently, I encountered a Windows application used to connect to a dealer intranet.</p> <p>After installation, the application directory contained both <code>.jar</code> files and an <code>.exe</code> executable.</p> <p><img loading="lazy" src="./files.png" alt="files"/></p> <p>Upon executing <code>start.exe</code>, I observed two Java processes launching:</p> <p><img loading="lazy" src="./winpe.png" alt="winpe"/></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-cmd" data-lang="cmd"><span class="line"><span class="cl">C<span class="p">:</span><span class="nl">\LC\Elsapro\lib\jre\bin\java.exe</span><span class="c1"> -agentlib:C:\LC\Elsapro\lib\jna\jvmprotect -Djava.library.path=C:\LC\Elsapro\lib\jna -Dfile.encoding=utf-8 -classpath C:\LC\Elsapro -cp C:\LC\Elsapro\ElsaPro.jar com.qqw.lcst.softp.superc.v5.app.epweb.gui.OptGui </span> </span></span></code></pre></div><p>I surmised that the second process was likely an embedded browser to display the UI, while the first process contained the core logic I was interested in.</p> <p>Opening the main JAR file with <strong>jd-gui</strong>, I found that many classes displayed an <strong>Internal Error</strong>, and key classes appeared to be missing. Other Java decompilers yielded similar results.</p> <p><img loading="lazy" src="./jdgui.png" alt="jdgui"/></p> <p>A quick analysis of <code>start.exe</code> suggested it primarily functioned as a custom <code>ClassLoader</code>, likely handling tasks such as online updates.</p> <p>From the startup parameters, I noticed the <code>-agentlib</code> flag pointing to <code>jvmprotect</code>. Loading <code>jvmprotect</code> into IDA Pro, I confirmed it functions as a <strong>JVMTI</strong> agent, leading me to suspect it serves as the decryption module.</p> <p>JVMTI (Java Virtual Machine Tool Interface) supports a wide range of analytical tools, including those for forensics, debugging, monitoring, thread analysis, and code coverage.</p> <p>Skimming the JVMTI documentation, I identified three primary export functions that serve as excellent entry points for reverse engineering:</p> <ul> <li><code>Agent_OnLoad</code> (Called at startup)</li> <li><code>Agent_OnAttach</code> (Called when attaching to a running VM)</li> <li><code>Agent_OnUnload</code> (Called when the agent is unloaded)</li> </ul> <p>I loaded the agent into IDA Pro, identifying <code>Agent_OnLoad</code> as the entry point. Analyzing raw JNI and JVMTI code can be cumbersome, so I imported a consolidated <code>jvmti_all.h</code> header file to aid the reversing process (though it helped only marginally here, as the callback logic was straightforward and didn&rsquo;t utilize complex features).</p> <p><img loading="lazy" src="./onload.png" alt="onload"/></p> <p>During startup, the agent calls <code>SetEventCallbacks</code>. Subsequently, as classes are loaded, <code>ClassFileLoadHook</code> events are triggered. Each class file content is passed to the registered callback, which decrypts the bytecode and prints logs.</p> <p><img loading="lazy" src="./eventcallback.png" alt="eventcallback"/></p> <p>Instead of reverse-engineering the custom decryption algorithm—which can be time-consuming—I decided to dump the decrypted classes directly from memory using a Java Agent.</p> <p>After reading <a href="http://www.fanyilun.me/2017/07/18/%E8%B0%88%E8%B0%88Java%20Intrumentation%E5%92%8C%E7%9B%B8%E5%85%B3%E5%BA%94%E7%94%A8/"target="_blank" rel="noopener noreferrer">Talking about Java Instrumentation and related applications</a> by Yilun Fan, I learned that the Instrumentation API is based on JVMTI, meaning it sits at the same layer and can access the modified (decrypted) classes.</p> <p><img loading="lazy" src="./agent_related_tools.jpg" alt="agent_related_tools"/></p> <p>Referring to the article <a href="https://www.cnblogs.com/yougewe/p/9651555.html"target="_blank" rel="noopener noreferrer">How to get dynamically generated class files in Java runtime?</a>, I packaged a custom agent named <code>ClazzDumpAgent.jar</code>.</p> <p>The parameters used are:</p> <ul> <li><code>-d</code>: Specifies the dump output path.</li> <li><code>-f</code>: Matches the class path prefix to extract.</li> <li><code>-r</code>: Indicates the specific package name to filter.</li> </ul> <p><strong>Crucial Note:</strong> The order of <code>-agentlib</code> and <code>-javaagent</code> is critical. You must allow the native agent to <strong>decrypt</strong> the classes before the Java agent attempts to <strong>dump</strong> them.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-cmd" data-lang="cmd"><span class="line"><span class="cl">C<span class="p">:</span><span class="nl">\LC\Elsapro\lib\jre\bin\java.exe</span><span class="c1"> -Xms256m -Xmx512m -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=512m -agentlib:C:\LC\Elsapro\lib\jna\JvmtiCry -Djava.library.path=C:\LC\Elsapro\lib\jna -javaagent:C:\LC\Elsapro\ClazzDumpAgent.jar=-d=C:\LC\Elsapro\clazzDump\;-f=com/qqw/lcst;-r=lcst -Dfile.encoding=utf-8 -classpath C:\LC\Elsapro -cp C:\LC\Elsapro\ElsaPro.jar com.qqw.lcst.softp.superc.v5.app.epweb.gui.OptGui</span> </span></span></code></pre></div><p>Upon executing this command, you can see the classes being dumped immediately after they are decrypted by the protection module.</p> <p><img loading="lazy" src="./decryption_cmd.png" alt="decryption_cmd.png"/></p> <p>I then packaged the dumped directory into a zip file and opened it with a Java decompiler. In comparison to the initial attempt, the previously <code>null</code> or missing classes were now visible. However, some classes that initially showed <strong>Internal Error</strong> were still missing. This is because <strong>classes are only decrypted when they are loaded/executed</strong>.</p> <p>By proactively traversing the application&rsquo;s functionality (i.e., clicking through the UI), I triggered the loading of those specific classes, allowing them to be decrypted and captured in real-time.</p> <p><img loading="lazy" src="./jdgui2.png" alt="jdgui2"/></p> <p>I recommend using <strong>CFR</strong> for decompilation as it generally handles modern Java features better and produces fewer errors than older tools.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cfrd -jar ./decypted.zip ./out </span></span></code></pre></div><h2 id="surprise">Surprise</h2> <p><img loading="lazy" src="./intranet.png" alt="intranet.png"/></p> <h2 id="references">References</h2> <p><a href="https://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html"target="_blank" rel="noopener noreferrer">JDPA Architecture</a></p> <p><a href="https://docs.oracle.com/javase/8/docs/platform/jvmti/jvmti.html"target="_blank" rel="noopener noreferrer">JVMTI Documentation</a></p> <p><a href="http://www.fanyilun.me/2017/07/18/%E8%B0%88%E8%B0%88Java%20Intrumentation%E5%92%8C%E7%9B%B8%E5%85%B3%E5%BA%94%E7%94%A8/"target="_blank" rel="noopener noreferrer">Talking about Java Instrumentation and related applications</a></p> <p><a href="https://www.cnblogs.com/yougewe/p/9651555.html"target="_blank" rel="noopener noreferrer">How to get dynamically generated class files in Java runtime?</a></p> <p><a href="https://mega.nz/folder/C9oEFBDJ#KVpF5qunEq_e44R7VglDgg"target="_blank" rel="noopener noreferrer">JVMTI.h and ClazzDumpAgent Download</a></p> https://gorgias.me/posts/firmware-extraction-series-firmware-media/ Sat, 28 Dec 2019 21:39:11 +0800 https://gorgias.me/posts/firmware-extraction-series-firmware-media/ <h2 id="what-is-firmware">What is Firmware?</h2> <p>Firmware, sometimes referred to as a <em>firmware image</em> (or simply &ldquo;ROM&rdquo; in mobile communities), resides in <strong>Non-Volatile Memory (NVM)</strong> and can be both read and written. In embedded systems, the most common NVM types are <strong>ROM</strong> (Read-Only Memory) and <strong>Flash memory</strong>. While strictly speaking, &ldquo;ROM&rdquo; includes Mask ROM, PROM, EPROM, and EEPROM, modern &ldquo;mainstream ROM&rdquo; usually refers to EEPROM integrated within an MCU. Flash memory typically serves as the primary external storage.</p> <p>In embedded devices, beyond standard NAND or NOR flash chips, you may also encounter <strong>eMMC</strong>. For expandable storage, devices might use SD cards, CF cards, USB drives, or HDDs. These storage solutions generally follow a <em>controller + storage</em> architecture: a controller bridges the host and the storage medium. As long as you can interact with the controller, you can read or write to the underlying storage.</p> <p>Devices like eMMC, SD cards, and HDDs expose standard external interfaces, allowing them to be read using standard card readers or programming sockets. In contrast, raw flash chips are managed directly by the SoC (System on Chip) via specific drivers; they lack a generic external interface. However, because these chips are memory-mapped peripherals, you can interact with them if you can access their address space. This is the principle behind techniques like <strong>reading firmware via JTAG</strong>, <strong>IAP (In-Application Programming)</strong>, or <strong>bootloaders (like U-Boot)</strong>. Theoretically, even if the device&rsquo;s main controller is non-functional, the firmware can still be recovered directly from the storage chip.</p> <p>For the purpose of this series, I define &ldquo;firmware&rdquo; as the original files containing the operating system and data stored on these media. In embedded security research, firmware extraction is almost always the first—and most critical—step. Without the firmware, further research often hits a dead end. This series aims to systematically share the knowledge and techniques I&rsquo;ve accumulated over years of performing firmware extraction.</p> <h2 id="eeprom-vs-nor-vs-nand-flash">EEPROM vs. NOR vs. NAND Flash</h2> <p><strong>EEPROM</strong> typically offers much higher endurance (erase/write cycles) than Flash memory. Combined with small package sizes and low write/erase power consumption, EEPROM is often the preferred choice for storing configuration data, particularly in automotive applications.</p> <p>For high-performance storage, <strong>Flash memory</strong> is the standard. There are two main types:</p> <ul> <li><strong>NOR Flash:</strong> Supports <strong>XIP (eXecute In Place)</strong> and offers fast read speeds, but provides slower write and erase operations. It supports <strong>random access</strong>, making it ideal for code execution.</li> <li><strong>NAND Flash:</strong> Accessed in <strong>blocks</strong> rather than randomly. It offers significantly higher capacity, higher throughput, and lower cost per bit, but generally has lower reliability and requires complex management.</li> </ul> <p>To communicate with these media, you must speak their protocols:</p> <ul> <li><strong>EEPROM:</strong> Typically uses <strong>I2C</strong> or <strong>SPI</strong> (Serial Peripheral Interface).</li> <li><strong>NOR Flash:</strong> Serial NOR usually uses <strong>SPI</strong>; Parallel NOR uses a parallel bus. Protocol standards include <strong>JEDEC SFDP (JESD216)</strong> for SPI and <strong>JEDEC CFI (JESD68)</strong> for parallel NOR.</li> <li><strong>NAND Flash:</strong> Uses the <strong>Raw NAND</strong> protocol, with most modern devices adhering to the <strong>ONFI</strong> (Open NAND Flash Interface) standard.</li> </ul> <p><em>Note: JEDEC (Joint Electron Device Engineering Council) defines standards that allow software to query a Flash chip&rsquo;s manufacturer and device IDs to determine its size and capabilities. However, not all chips strictly adhere to these standards.</em></p> <h2 id="nor-flash-packages">NOR Flash Packages</h2> <p>NOR flash is available in parallel and serial variants.</p> <ul> <li><strong>Serial NOR:</strong> Commonly packaged as <strong>SOP</strong> (Small Outline Package) and uses SPI.</li> <li><strong>Parallel NOR:</strong> Typically uses <strong>TSOP</strong> (Thin Small Outline Package) like TSOP-56, or BGA (Ball Grid Array) like TFBGA-56 and LFBGA-64.</li> </ul> <h2 id="nor-flash-pin-assignment">NOR Flash Pin Assignment</h2> <p>Because NOR flash supports random access, it functions similarly to SRAM. Below is the pinout for a parallel NOR flash chip. Manually wiring these (using &ldquo;flying leads&rdquo;) can be tedious due to the high pin count.</p> <table> <thead> <tr> <th style="text-align: left">Symbol</th> <th style="text-align: left">Pin Name</th> <th style="text-align: left">Function</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><strong>A[MAX:0]</strong></td> <td style="text-align: left">Address</td> <td style="text-align: left">Address bits for read/write operations</td> </tr> <tr> <td style="text-align: left"><strong>DQ[7:0]</strong></td> <td style="text-align: left">Data I/O</td> <td style="text-align: left">Inputs/Outputs for commands and data</td> </tr> <tr> <td style="text-align: left"><strong>DQ[14:8]</strong></td> <td style="text-align: left">Data I/O</td> <td style="text-align: left">Inputs/Outputs for commands and data</td> </tr> <tr> <td style="text-align: left"><strong>DQ15/A-1</strong></td> <td style="text-align: left">Data I/O</td> <td style="text-align: left">Data or address input (for x8/x16 mode switching)</td> </tr> <tr> <td style="text-align: left"><strong>BYTE#</strong></td> <td style="text-align: left">Byte/Word Select</td> <td style="text-align: left">Selects 8-bit or 16-bit data organization</td> </tr> <tr> <td style="text-align: left"><strong>CE#</strong></td> <td style="text-align: left">Chip Enable</td> <td style="text-align: left">Activates the device</td> </tr> <tr> <td style="text-align: left"><strong>RE#</strong></td> <td style="text-align: left">Read Enable</td> <td style="text-align: left">Data is valid on the falling edge of this pulse</td> </tr> <tr> <td style="text-align: left"><strong>OE#</strong></td> <td style="text-align: left">Output Enable</td> <td style="text-align: left">Drives data onto the bus when LOW; high-impedance when HIGH</td> </tr> <tr> <td style="text-align: left"><strong>WE#</strong></td> <td style="text-align: left">Write Enable</td> <td style="text-align: left">Triggers write operations</td> </tr> <tr> <td style="text-align: left"><strong>WP#</strong></td> <td style="text-align: left">Write Protect</td> <td style="text-align: left">Prevents unintended program/erase operations when LOW</td> </tr> <tr> <td style="text-align: left"><strong>RST#</strong></td> <td style="text-align: left">Reset</td> <td style="text-align: left">Resets the device</td> </tr> <tr> <td style="text-align: left"><strong>RY/BY#</strong></td> <td style="text-align: left">Read/Busy</td> <td style="text-align: left">Output LOW during operations; HIGH when ready. Requires a pull-up resistor (open-drain).</td> </tr> <tr> <td style="text-align: left"><strong>Vcc</strong></td> <td style="text-align: left">Power</td> <td style="text-align: left">Supply Voltage (typically 3.3V or 1.8V)</td> </tr> <tr> <td style="text-align: left"><strong>Vss</strong></td> <td style="text-align: left">Ground</td> <td style="text-align: left">Ground</td> </tr> <tr> <td style="text-align: left"><strong>NC</strong></td> <td style="text-align: left">No Connection</td> <td style="text-align: left">Unconnected pin</td> </tr> </tbody> </table> <p><strong>TSOP-56 Pinout:</strong></p> <p><img loading="lazy" src="./TSOP56.png" alt="TSOP-56"/></p> <h2 id="nand-flash">NAND Flash</h2> <p>NAND flash is a type of non-volatile storage optimized for high density. Embedded devices commonly use <strong>SLC (Single Level Cell)</strong> NAND, which stores 1 bit per cell.</p> <p>Flash memory uses a <strong>floating-gate</strong> transistor structure. Electrons are trapped in an insulated floating gate to store data. A key characteristic of Flash is that it <strong>cannot support in-place overwrites</strong>. Writing involves capturing electrons, but &ldquo;erasing&rdquo; involves releasing them. To erase, a high voltage is applied to pull electrons from the floating gate. Because the source connections are grouped, <strong>erasure must happen in large blocks</strong>, not individual bytes.</p> <h2 id="nand-packages">NAND Packages</h2> <p>The ONFI standard defines several common packages for NAND flash, typically using SMT (Surface Mount Technology).</p> <p><strong>TSOP-48:</strong></p> <p><img loading="lazy" src="./TSOP48.png" alt="TSOP-48"/></p> <p><strong>BGA-63:</strong></p> <p><img loading="lazy" src="./BGA63.png" alt="BGA-63"/></p> <h2 id="nand-flash-pin-assignment">NAND Flash Pin Assignment</h2> <p>NAND flash uses a multiplexed parallel I/O interface, typically 8-bit (x8). Pins marked with <code>#</code> are <strong>active-low</strong> and usually require pull-up resistors.</p> <table> <thead> <tr> <th style="text-align: left">Symbol</th> <th style="text-align: left">Pin Name</th> <th style="text-align: left">Function</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><strong>I/O x</strong></td> <td style="text-align: left">Data I/O</td> <td style="text-align: left">Used for command, address, and data input/output. High-impedance when disabled.</td> </tr> <tr> <td style="text-align: left"><strong>CLE</strong></td> <td style="text-align: left">Command Latch Enable</td> <td style="text-align: left">When HIGH, commands are latched on the rising edge of WE#.</td> </tr> <tr> <td style="text-align: left"><strong>ALE</strong></td> <td style="text-align: left">Address Latch Enable</td> <td style="text-align: left">When HIGH, addresses are latched on the rising edge of WE#.</td> </tr> <tr> <td style="text-align: left"><strong>CE#</strong></td> <td style="text-align: left">Chip Enable</td> <td style="text-align: left">Activates the device. When marked high, the device enters standby.</td> </tr> <tr> <td style="text-align: left"><strong>RE#</strong></td> <td style="text-align: left">Read Enable</td> <td style="text-align: left">Data is driven onto the bus on the falling edge of this pulse.</td> </tr> <tr> <td style="text-align: left"><strong>WE#</strong></td> <td style="text-align: left">Write Enable</td> <td style="text-align: left">Latches data/address/commands on the rising edge.</td> </tr> <tr> <td style="text-align: left"><strong>WP#</strong></td> <td style="text-align: left">Write Protect</td> <td style="text-align: left">Hardware write protection.</td> </tr> <tr> <td style="text-align: left"><strong>R/B#</strong></td> <td style="text-align: left">Read/Busy</td> <td style="text-align: left">Indicates device status. LOW = Busy; HIGH = Ready. Open-drain output (requires pull-up).</td> </tr> <tr> <td style="text-align: left"><strong>Vcc</strong></td> <td style="text-align: left">Power</td> <td style="text-align: left">Supply Voltage (3.3V / 1.8V)</td> </tr> <tr> <td style="text-align: left"><strong>Vss</strong></td> <td style="text-align: left">Ground</td> <td style="text-align: left">Ground</td> </tr> <tr> <td style="text-align: left"><strong>NC</strong></td> <td style="text-align: left">No Connection</td> <td style="text-align: left">Unconnected</td> </tr> </tbody> </table> <p><img loading="lazy" src="./block_diagram.png" alt="block_diagram"/></p> <h2 id="array-organization">Array Organization</h2> <p>NAND is organized hierarchically. Below is the organization of an 8-bit NAND chip from ESMT:</p> <ul> <li><strong>Page:</strong> 2048 bytes (Data) + 64 bytes (Spare/OOB)</li> <li><strong>Block:</strong> 64 Pages</li> <li><strong>Device:</strong> 1024 Blocks</li> <li><strong>Total Capacity:</strong> 1056 Mbits (128 MB Data + 4 MB Spare)</li> </ul> <p><img loading="lazy" src="./array_organization.png" alt="array_oragnization"/></p> <h2 id="tools-for-reading-firmware">Tools for Reading Firmware</h2> <p>For non-expandable storage (soldered chips), reading methods fall into three categories:</p> <ol> <li><strong>Chip-off (Offline):</strong> Desolder the chip and read it using a dedicated programmer and socket. <ul> <li><em>Pros:</em> Direct access, works if the device is dead.</li> <li><em>Cons:</em> Higher cost (hardware), potential for damage, requires handling ECC/bad blocks manually.</li> </ul> </li> <li><strong>In-System / In-Circuit (Online):</strong> Connect external tools to the PCB to read the chip without desoldering. <ul> <li><em>Methods:</em> SoC debug interfaces (JTAG/SWD) or clamping directly to the storage chip pins (e.g., using a test clip).</li> <li><em>Tools:</em> J-Link, USBDM, Bus Pirate, or custom harnesses.</li> </ul> </li> <li><strong>Internal Backup (Software):</strong> Gain shell access (e.g., via UART or partial exploit) and use system tools (<code>dd</code>, <code>cat</code>, <code>nanddump</code>) to dump the firmware partitions.</li> </ol> <p><em>Tip: You don&rsquo;t always need expensive programmers. For common protocols, a microcontroller (STM32, AVR) or a Raspberry Pi can often be repurposed as a dumper.</em></p> <h2 id="architecture-how-embedded-devices-use-flash">Architecture: How Embedded Devices Use Flash</h2> <p><strong>NOR Flash</strong> is similar to standard RAM: it supports random access. This enables <strong>XIP (eXecute In Place)</strong>, allowing the CPU to fetch and execute instructions directly from the flash memory. This makes NOR ideal for storing the <strong>bootloader</strong> or BIOS, which must run immediately upon power-up.</p> <p><strong>NAND Flash</strong>, by contrast, does <strong>not</strong> support XIP. The CPU cannot execute code directly from NAND. Therefore, the very first stage of boot code cannot reside solely on NAND.</p> <p><strong>Historical Context (The &ldquo;NOR-less&rdquo; Shift):</strong> Early devices (like feature phones) used both NOR and NAND: NOR for the bootloader/kernel (XIP) and NAND for the filesystem (storage). Samsung later popularized the &ldquo;NOR-less&rdquo; concept. By embedding a small ROM inside the SoC capable of loading a bootloader from the first page of NAND into internal RAM, they eliminated the need for expensive NOR chips. This reduced cost and complexity, making NOR rare in modern high-volume consumer electronics like smartphones.</p> <p><strong>Managed Flash &amp; FTL:</strong> NAND is susceptible to <strong>bit flips</strong> and <strong>bad blocks</strong>. It requires a complex software management layer called the <strong>FTL (Flash Translation Layer)</strong> to handle:</p> <ul> <li>Error Correction Codes (ECC)</li> <li>Bad Block Management</li> <li>Wear Leveling</li> <li>Garbage Collection</li> </ul> <p>Depending on where this FTL resides, flash is categorized as:</p> <ul> <li><strong>Raw Flash:</strong> The FTL is implemented in the OS driver (software).</li> <li><strong>Managed Flash (eMMC, SD, UFS):</strong> The FTL is implemented in a hardware controller inside the storage package.</li> </ul> <p><strong>Implications for Extraction:</strong> When reading <strong>Raw NAND</strong>, you get the raw data including bit errors and OOB (Out-Of-Band) metadata. You must manually handle ECC algorithms (e.g., Hamming, BCH) and descrambling to reconstruct a valid binary. Since these algorithms are often vendor-specific and not standard, this is the most challenging part of raw firmware extraction.</p> <p>Advanced topics on reconstructing firmware from raw dumps will be covered in future posts.</p> <h2 id="references">References</h2> <p><a href="http://aturing.umcs.maine.edu/~meadow/courses/cos335/Toshiba%20NAND_vs_NOR_Flash_Memory_Technology_Overviewt.pdf"target="_blank" rel="noopener noreferrer">NAND vs. NOR Flash Memory Technology Overview</a></p> <p><a href="https://flashdba.com/2014/06/20/understanding-flash-blocks-pages-and-program-erases/"target="_blank" rel="noopener noreferrer">Understanding Flash: Blocks, Pages and Program / Erases</a></p> <p><a href="https://zhuanlan.zhihu.com/p/26745577"target="_blank" rel="noopener noreferrer">UEFI Blog 杂谈闪存二：NOR和NAND Flash</a></p> <p><a href="https://www.design-reuse.com/articles/24503/nand-flash-memory-embedded-systems.html"target="_blank" rel="noopener noreferrer">NAND Flash memory in embedded systems</a></p> <p><a href="https://www.jedec.org/"target="_blank" rel="noopener noreferrer">JEDEC</a></p> <p><a href="http://www.onfi.org/"target="_blank" rel="noopener noreferrer">ONFI</a></p> https://gorgias.me/posts/firmware-extraction-series-ubi-extract-and-repack/ Sat, 28 Dec 2019 21:39:11 +0800 https://gorgias.me/posts/firmware-extraction-series-ubi-extract-and-repack/ <h2 id="preface">Preface</h2> <p>I originally wrote this post last year but accidentally set the GitHub repository to private and lost the README. After re-uploading, the context felt slightly dated, but the technical content remains relevant.</p> <p>UBI (Unsorted Block Images) is a volume management system for raw flash devices designed by IBM. It can manage multiple logical volumes on a single physical device and supports wear leveling. It is widely used in embedded devices.</p> <p>Speaking of raw flash, we should first explain what MTD (Memory Technology Device) is. MTD is a Linux subsystem used to access memory devices (especially flash devices). It serves as an abstraction layer between hardware and filesystems. Taking NAND flash as an example, MTD encapsulates NAND operations and provides abstract interfaces to upper-layer filesystem drivers. An MTD device consists of eraseblocks. The MTD driver provides read, write, and erase operations—but before modifying any block, you must erase it first.</p> <p><img loading="lazy" src="./MTD_subsystem.png" alt="MTD_subsystem"/></p> <h2 id="ubi-layout">UBI Layout</h2> <p>UBI shares similarities with LVM (Logical Volume Management). While LVM maps logical sectors to physical sectors, UBI maps <strong>Logical Erase Blocks (LEBs)</strong> to <strong>Physical Erase Blocks (PEBs)</strong>. Fundamentally, UBI operates at the eraseblock level.</p> <p>At the beginning of each UBI block (excluding bad blocks), there are two 64-byte headers:</p> <ul> <li>EC header (erase counter header), which contains per-PEB information (VID header offset, data offset).</li> <li>VID header (volume identifier header), which contains the volume ID and the PEB number corresponding to a given LEB.</li> </ul> <p>In the Linux source tree under <code>linux/drivers/mtd/ubi/</code>, <code>ubi-media.h</code> defines both the EC header and VID header.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">ubi_ec_hdr</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">magic</span><span class="p">;</span> <span class="c1">// UBI# </span></span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">version</span><span class="p">;</span> <span class="c1">// 01 </span></span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">padding1</span><span class="p">[</span><span class="mi">3</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">__be64</span> <span class="n">ec</span><span class="p">;</span> <span class="cm">/* Warning: the current limit is 31-bit anyway! */</span> </span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">vid_hdr_offset</span><span class="p">;</span> <span class="c1">// VID Header 的偏移 </span></span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">data_offset</span><span class="p">;</span> <span class="c1">// 数据的偏移 </span></span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">image_seq</span><span class="p">;</span> <span class="c1">// 物理块序号 </span></span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">padding2</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">hdr_crc</span><span class="p">;</span> <span class="c1">// CRC32 </span></span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="n">__packed</span><span class="p">;</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* </span></span></span><span class="line"><span class="cl"><span class="cm"> * UBI volume type constants. </span></span></span><span class="line"><span class="cl"><span class="cm"> * </span></span></span><span class="line"><span class="cl"><span class="cm"> * @UBI_DYNAMIC_VOLUME: dynamic volume </span></span></span><span class="line"><span class="cl"><span class="cm"> * @UBI_STATIC_VOLUME: static volume </span></span></span><span class="line"><span class="cl"><span class="cm"> */</span> </span></span><span class="line"><span class="cl"><span class="k">enum</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">UBI_DYNAMIC_VOLUME</span> <span class="o">=</span> <span class="mi">3</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">UBI_STATIC_VOLUME</span> <span class="o">=</span> <span class="mi">4</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">ubi_vid_hdr</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">magic</span><span class="p">;</span> <span class="c1">// UBI! </span></span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">version</span><span class="p">;</span> <span class="c1">// 1 </span></span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">vol_type</span><span class="p">;</span> <span class="c1">// 一般是UBI_DYNAMIC_VOLUME </span></span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">copy_flag</span><span class="p">;</span> <span class="c1">// 是否从另一个物理块拷贝过来的(wear-leveling) </span></span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">compat</span><span class="p">;</span> <span class="c1">// 卷兼容性 </span></span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">vol_id</span><span class="p">;</span> <span class="c1">// 卷ID </span></span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">lnum</span><span class="p">;</span> <span class="c1">// LEB编号 </span></span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">padding1</span><span class="p">[</span><span class="mi">4</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">data_size</span><span class="p">;</span> <span class="c1">// 数据大小 </span></span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">used_ebs</span><span class="p">;</span> <span class="c1">// 用户LEB数量 </span></span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">data_pad</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">data_crc</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">padding2</span><span class="p">[</span><span class="mi">4</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">__be64</span> <span class="n">sqnum</span><span class="p">;</span> <span class="c1">// 序号 </span></span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">padding3</span><span class="p">[</span><span class="mi">12</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">hdr_crc</span><span class="p">;</span> <span class="c1">// CRC32 </span></span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="n">__packed</span><span class="p">;</span> </span></span></code></pre></div><p>The volume with ID <code>UBI_INTERNAL_VOL_START</code> is dedicated to storing volume table records.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#define UBI_INTERNAL_VOL_START (0x7FFFFFFF - 4096) </span></span></span></code></pre></div><p>It contains the volume name:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">ubi_vtbl_record</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">reserved_pebs</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">alignment</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">data_pad</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">vol_type</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">upd_marker</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">__be16</span> <span class="n">name_len</span><span class="p">;</span> <span class="c1">// 卷名长度 </span></span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">name</span><span class="p">[</span><span class="n">UBI_VOL_NAME_MAX</span><span class="o">+</span><span class="mi">1</span><span class="p">];</span> <span class="c1">// 卷名 </span></span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">flags</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">__u8</span> <span class="n">padding</span><span class="p">[</span><span class="mi">23</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">__be32</span> <span class="n">crc</span><span class="p">;</span> <span class="c1">// CRC32 </span></span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="n">__packed</span><span class="p">;</span> </span></span></code></pre></div><p>On a typical MTD device, the initial sectors are reserved for the bootloader, while the subsequent regions are allocated for UBI. The figure below provides a simplified example; in practice, multiple UBI volumes and other partitions may be interleaved. UBI employs a mechanism called &ldquo;fastmap&rdquo; to map LEBs onto non-contiguous PEBs, providing an abstraction layer for UBIFS.</p> <p><img loading="lazy" src="./UBI_map.png" alt="UBI_map"/></p> <h2 id="mounting-ubifs">Mounting UBIFS</h2> <p>MTD provides user-space tools for directly operating on UBI: <strong>mtd-utils</strong></p> <p><a href="http://git.infradead.org/mtd-utils.git"target="_blank" rel="noopener noreferrer">http://git.infradead.org/mtd-utils.git</a></p> <ul> <li>ubinfo - provides information about UBI devices and volumes found in the system;</li> <li>ubiattach - attaches MTD devices (which describe raw flash) to UBI and creates corresponding UBI devices;</li> <li>ubidetach - detaches MTD devices from UBI devices (the opposite to what ubiattach does);</li> <li>ubimkvol - creates UBI volumes on UBI devices;</li> <li>ubirmvol - removes UBI volumes from UBI devices;</li> <li>ubiblock - manages block interfaces for UBI volumes. See here for more information;</li> <li>ubiupdatevol - updates UBI volumes; this tool uses the UBI volume update feature which leaves the volume in &ldquo;corrupted&rdquo; state if the update was interrupted; additionally, this tool may be used to wipe out UBI volumes;</li> <li>ubicrc32 - calculates CRC-32 checksum of a file with the same initial seed as UBI would use;</li> <li>ubinize - generates UBI images;</li> <li>ubiformat - formats empty flash, erases flash and preserves erase counters, flashes UBI images to MTD devices;</li> <li>mtdinfo - reports information about MTD devices found in the system.</li> </ul> <p>While the above tools operate on UBI, standard PCs lack native MTD devices. To analyze a raw flash firmware dump from an embedded device on a PC, you must <strong>simulate an MTD device</strong>. The most common tool for this is <strong>NANDSim</strong>.</p> <ul> <li>mtdram which simulates NOR flash in RAM;</li> <li>nandsim which simulates NAND flash in RAM;</li> <li>block2mtd which simulates NOR flash on top of a block device;</li> </ul> <p>First, examine NANDSim’s parameters. Given the large number of options, correct configuration is key.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">$ modinfo nandsim </span></span><span class="line"><span class="cl">filename: /lib/modules/4.18.10-arch1-1-ARCH/kernel/drivers/mtd/nand/raw/nandsim.ko.xz </span></span><span class="line"><span class="cl">description: The NAND flash simulator </span></span><span class="line"><span class="cl">author: Artem B. Bityuckiy </span></span><span class="line"><span class="cl">license: GPL </span></span><span class="line"><span class="cl">srcversion: D2FD00330F9BE30A9B28365 </span></span><span class="line"><span class="cl">depends: mtd,nand </span></span><span class="line"><span class="cl">retpoline: Y </span></span><span class="line"><span class="cl">intree: Y </span></span><span class="line"><span class="cl">name: nandsim </span></span><span class="line"><span class="cl">vermagic: 4.18.10-arch1-1-ARCH SMP preempt mod_unload modversions </span></span><span class="line"><span class="cl">sig_id: PKCS#7 </span></span><span class="line"><span class="cl">signer: </span></span><span class="line"><span class="cl">sig_key: </span></span><span class="line"><span class="cl">sig_hashalgo: md4 </span></span><span class="line"><span class="cl">signature: </span></span><span class="line"><span class="cl">parm: id_bytes:The ID bytes returned by NAND Flash &#39;read ID&#39; command (array of byte) </span></span><span class="line"><span class="cl">parm: first_id_byte:The first byte returned by NAND Flash &#39;read ID&#39; command (manufacturer ID) (obsolete) (byte) </span></span><span class="line"><span class="cl">parm: second_id_byte:The second byte returned by NAND Flash &#39;read ID&#39; command (chip ID) (obsolete) (byte) </span></span><span class="line"><span class="cl">parm: third_id_byte:The third byte returned by NAND Flash &#39;read ID&#39; command (obsolete) (byte) </span></span><span class="line"><span class="cl">parm: fourth_id_byte:The fourth byte returned by NAND Flash &#39;read ID&#39; command (obsolete) (byte) </span></span><span class="line"><span class="cl">parm: access_delay:Initial page access delay (microseconds) (uint) </span></span><span class="line"><span class="cl">parm: programm_delay:Page programm delay (microseconds (uint) </span></span><span class="line"><span class="cl">parm: erase_delay:Sector erase delay (milliseconds) (uint) </span></span><span class="line"><span class="cl">parm: output_cycle:Word output (from flash) time (nanoseconds) (uint) </span></span><span class="line"><span class="cl">parm: input_cycle:Word input (to flash) time (nanoseconds) (uint) </span></span><span class="line"><span class="cl">parm: bus_width:Chip&#39;s bus width (8- or 16-bit) (uint) </span></span><span class="line"><span class="cl">parm: do_delays:Simulate NAND delays using busy-waits if not zero (uint) </span></span><span class="line"><span class="cl">parm: log:Perform logging if not zero (uint) </span></span><span class="line"><span class="cl">parm: dbg:Output debug information if not zero (uint) </span></span><span class="line"><span class="cl">parm: parts:Partition sizes (in erase blocks) separated by commas (array of ulong) </span></span><span class="line"><span class="cl">parm: badblocks:Erase blocks that are initially marked bad, separated by commas (charp) </span></span><span class="line"><span class="cl">parm: weakblocks:Weak erase blocks [: remaining erase cycles (defaults to 3)] separated by commas e.g. 113:2 means eb 113 can be erased only twice before failing (charp) </span></span><span class="line"><span class="cl">parm: weakpages:Weak pages [: maximum writes (defaults to 3)] separated by commas e.g. 1401:2 means page 1401 can be written only twice before failing (charp) </span></span><span class="line"><span class="cl">parm: bitflips:Maximum number of random bit flips per page (zero by default) (uint) </span></span><span class="line"><span class="cl">parm: gravepages:Pages that lose data [: maximum reads (defaults to 3)] separated by commas e.g. 1401:2 means page 1401 can be read only twice before failing (charp) </span></span><span class="line"><span class="cl">parm: overridesize:Specifies the NAND Flash size overriding the ID bytes. The size is specified in erase blocks and as the exponent of a power of two e.g. 5 means a size of 32 erase blocks (uint) </span></span><span class="line"><span class="cl">parm: cache_file:File to use to cache nand pages instead of memory (charp) </span></span><span class="line"><span class="cl">parm: bbt:0 OOB, 1 BBT with marker in OOB, 2 BBT with marker in data area (uint) </span></span><span class="line"><span class="cl">parm: bch:Enable BCH ecc and set how many bits should be correctable in 512-byte blocks (uint) </span></span></code></pre></div><p>To understand NANDSim’s implementation, one can examine the kernel driver source code. Briefly, <code>nandsim.c</code> calls <code>nand_scan_ident</code> in <code>nand_base.c</code>. During <code>nand_detect</code>, a Read ID operation is performed: <code>nand_readid_op</code> sends <code>0x90,0x00</code> to the NAND device. Subsequently, <code>nand_get_manufacturer</code> matches the manufacturer ID. Finally, <code>nand_scan_tail</code> initializes the NAND chip and sets the appropriate properties.</p> <p>The NAND chip datasheet specifies the ID bytes in detail.</p> <p>Therefore, we must set the ID correctly. This allows the driver to automatically configure the capacity, page size, and other parameters. For NANDSim, only the first four ID parameters are required.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">static</span> <span class="n">u_char</span> <span class="n">id_bytes</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="n">CONFIG_NANDSIM_FIRST_ID_BYTE</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">CONFIG_NANDSIM_SECOND_ID_BYTE</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="n">CONFIG_NANDSIM_THIRD_ID_BYTE</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="n">CONFIG_NANDSIM_FOURTH_ID_BYTE</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span><span class="mi">4</span> <span class="p">...</span> <span class="mi">7</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xFF</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span></code></pre></div><p>If you need to tune the NAND simulation parameters, use the datasheet table to choose appropriate values.</p> <p><img loading="lazy" src="./manufacturer_id_a.png" alt="manufacturer_id_a"/> <img loading="lazy" src="./manufacturer_id_b.png" alt="manufacturer_id_b"/></p> <p>Typically, an embedded device stores the bootloader and other partitions on the same chip as the system partition. Consequently, partitioning NANDSim is necessary. In this example, the eraseblock size is 128KB (<code>0x20000</code>).</p> <p>Write a script to locate UBI regions in the dump:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="ch">#!/usr/bin/env python3</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">sys</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">binascii</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">struct</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">1</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Usage: find_ubi_header.py NAND.bin&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">raw_file_path</span> <span class="o">=</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">ubi_header</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;UBI#&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">out_of_ubi</span> <span class="o">=</span> <span class="kc">True</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="n">raw_file_path</span><span class="p">,</span> <span class="s1">&#39;rb&#39;</span><span class="p">)</span> <span class="k">as</span> <span class="n">raw_file</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">rawbin</span> <span class="o">=</span> <span class="n">raw_file</span><span class="o">.</span><span class="n">read</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">rawbin</span><span class="p">),</span> <span class="mh">0x20000</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">magic</span> <span class="o">=</span> <span class="n">rawbin</span><span class="p">[</span><span class="n">x</span><span class="p">:</span><span class="n">x</span><span class="o">+</span><span class="mi">4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">magic</span> <span class="o">==</span> <span class="n">ubi_header</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">out_of_ubi</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">out_of_ubi</span> <span class="o">=</span> <span class="kc">False</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">UBI offset start:&#34;</span><span class="p">,</span> <span class="nb">hex</span><span class="p">(</span><span class="n">x</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">out_of_ubi</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;UBI offset stop:&#34;</span><span class="p">,</span> <span class="nb">hex</span><span class="p">(</span><span class="n">x</span><span class="p">),</span> <span class="s2">&#34;</span><span class="se">\n</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">out_of_ubi</span> <span class="o">=</span> <span class="kc">True</span> </span></span><span class="line"><span class="cl"> <span class="n">raw_file</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="k">except</span> <span class="ne">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ python find_ubi_header.py NAND.bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">UBI offset start: 0x2e60000 </span></span><span class="line"><span class="cl">UBI offset stop: 0x6900000 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">UBI offset start: 0x7700000 </span></span><span class="line"><span class="cl">UBI offset stop: 0x81c0000 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">UBI offset start: 0x8200000 </span></span><span class="line"><span class="cl">UBI offset stop: 0x20000000 </span></span></code></pre></div><p>512MB = 4096 * 128 KB, so this chip has 4K blocks.</p> <table> <thead> <tr> <th>PN</th> <th>SA</th> <th>EA</th> <th>EC</th> </tr> </thead> <tbody> <tr> <td>xxx</td> <td>0x00000000</td> <td>0x02E60000</td> <td>371</td> </tr> <tr> <td>ubi1</td> <td>0x02E60000</td> <td>0x06900000</td> <td>469</td> </tr> <tr> <td>foo</td> <td>0x06900000</td> <td>0x069C0000</td> <td>6</td> </tr> <tr> <td>recovery</td> <td>0x069C0000</td> <td>0x07700000</td> <td>106</td> </tr> <tr> <td>ubi2</td> <td>0x07700000</td> <td>0x081C0000</td> <td>86</td> </tr> <tr> <td>sec</td> <td>0x081C0000</td> <td>0x08200000</td> <td>2</td> </tr> <tr> <td>ubi3</td> <td>0x08200000</td> <td>0x20000000</td> <td>3056</td> </tr> </tbody> </table> <p>Load the MTD modules and the NANDSim module:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo modprobe mtd </span></span><span class="line"><span class="cl">sudo modprobe mtdblock </span></span><span class="line"><span class="cl">sudo modprobe nandsim <span class="nv">first_id_byte</span><span class="o">=</span>0x2c <span class="nv">second_id_byte</span><span class="o">=</span>0xac <span class="nv">third_id_byte</span><span class="o">=</span>0x90 <span class="nv">fourth_id_byte</span><span class="o">=</span>0x15 <span class="nv">parts</span><span class="o">=</span>371,469,6,106,86,2,3056 </span></span></code></pre></div><p>Verify the MTD device information to ensure the partitions were created successfully.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ mtdinfo -a </span></span><span class="line"><span class="cl">Count of MTD devices: <span class="m">8</span> </span></span><span class="line"><span class="cl">Present MTD devices: mtd0, mtd1, mtd2, mtd3, mtd4, mtd5, mtd6, mtd7 </span></span><span class="line"><span class="cl">Sysfs interface supported: yes </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mtd0 </span></span><span class="line"><span class="cl">Name: NAND 512MiB 1,8V 8-bit </span></span><span class="line"><span class="cl">Type: nand </span></span><span class="line"><span class="cl">Eraseblock size: <span class="m">131072</span> bytes, 128.0 KiB </span></span><span class="line"><span class="cl">Amount of eraseblocks: <span class="m">4096</span> <span class="o">(</span><span class="m">536870912</span> bytes, 512.0 MiB<span class="o">)</span> </span></span><span class="line"><span class="cl">Minimum input/output unit size: <span class="m">2048</span> bytes </span></span><span class="line"><span class="cl">Sub-page size: <span class="m">512</span> bytes </span></span><span class="line"><span class="cl">OOB size: <span class="m">64</span> bytes </span></span><span class="line"><span class="cl">Character device major/minor: 90:0 </span></span><span class="line"><span class="cl">Bad blocks are allowed: <span class="nb">true</span> </span></span><span class="line"><span class="cl">Device is writable: <span class="nb">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mtd1 </span></span><span class="line"><span class="cl">Name: NAND simulator partition <span class="m">0</span> </span></span><span class="line"><span class="cl">Type: nand </span></span><span class="line"><span class="cl">Eraseblock size: <span class="m">131072</span> bytes, 128.0 KiB </span></span><span class="line"><span class="cl">Amount of eraseblocks: <span class="m">371</span> <span class="o">(</span><span class="m">48627712</span> bytes, 46.4 MiB<span class="o">)</span> </span></span><span class="line"><span class="cl">Minimum input/output unit size: <span class="m">2048</span> bytes </span></span><span class="line"><span class="cl">Sub-page size: <span class="m">512</span> bytes </span></span><span class="line"><span class="cl">OOB size: <span class="m">64</span> bytes </span></span><span class="line"><span class="cl">Character device major/minor: 90:2 </span></span><span class="line"><span class="cl">Bad blocks are allowed: <span class="nb">true</span> </span></span><span class="line"><span class="cl">Device is writable: <span class="nb">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mtd2 </span></span><span class="line"><span class="cl">Name: NAND simulator partition <span class="m">1</span> </span></span><span class="line"><span class="cl">Type: nand </span></span><span class="line"><span class="cl">Eraseblock size: <span class="m">131072</span> bytes, 128.0 KiB </span></span><span class="line"><span class="cl">Amount of eraseblocks: <span class="m">469</span> <span class="o">(</span><span class="m">61472768</span> bytes, 58.6 MiB<span class="o">)</span> </span></span><span class="line"><span class="cl">Minimum input/output unit size: <span class="m">2048</span> bytes </span></span><span class="line"><span class="cl">Sub-page size: <span class="m">512</span> bytes </span></span><span class="line"><span class="cl">OOB size: <span class="m">64</span> bytes </span></span><span class="line"><span class="cl">Character device major/minor: 90:4 </span></span><span class="line"><span class="cl">Bad blocks are allowed: <span class="nb">true</span> </span></span><span class="line"><span class="cl">Device is writable: <span class="nb">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mtd3 </span></span><span class="line"><span class="cl">Name: NAND simulator partition <span class="m">2</span> </span></span><span class="line"><span class="cl">Type: nand </span></span><span class="line"><span class="cl">Eraseblock size: <span class="m">131072</span> bytes, 128.0 KiB </span></span><span class="line"><span class="cl">Amount of eraseblocks: <span class="m">6</span> <span class="o">(</span><span class="m">786432</span> bytes, 768.0 KiB<span class="o">)</span> </span></span><span class="line"><span class="cl">Minimum input/output unit size: <span class="m">2048</span> bytes </span></span><span class="line"><span class="cl">Sub-page size: <span class="m">512</span> bytes </span></span><span class="line"><span class="cl">OOB size: <span class="m">64</span> bytes </span></span><span class="line"><span class="cl">Character device major/minor: 90:6 </span></span><span class="line"><span class="cl">Bad blocks are allowed: <span class="nb">true</span> </span></span><span class="line"><span class="cl">Device is writable: <span class="nb">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mtd4 </span></span><span class="line"><span class="cl">Name: NAND simulator partition <span class="m">3</span> </span></span><span class="line"><span class="cl">Type: nand </span></span><span class="line"><span class="cl">Eraseblock size: <span class="m">131072</span> bytes, 128.0 KiB </span></span><span class="line"><span class="cl">Amount of eraseblocks: <span class="m">106</span> <span class="o">(</span><span class="m">13893632</span> bytes, 13.2 MiB<span class="o">)</span> </span></span><span class="line"><span class="cl">Minimum input/output unit size: <span class="m">2048</span> bytes </span></span><span class="line"><span class="cl">Sub-page size: <span class="m">512</span> bytes </span></span><span class="line"><span class="cl">OOB size: <span class="m">64</span> bytes </span></span><span class="line"><span class="cl">Character device major/minor: 90:8 </span></span><span class="line"><span class="cl">Bad blocks are allowed: <span class="nb">true</span> </span></span><span class="line"><span class="cl">Device is writable: <span class="nb">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mtd5 </span></span><span class="line"><span class="cl">Name: NAND simulator partition <span class="m">4</span> </span></span><span class="line"><span class="cl">Type: nand </span></span><span class="line"><span class="cl">Eraseblock size: <span class="m">131072</span> bytes, 128.0 KiB </span></span><span class="line"><span class="cl">Amount of eraseblocks: <span class="m">86</span> <span class="o">(</span><span class="m">11272192</span> bytes, 10.8 MiB<span class="o">)</span> </span></span><span class="line"><span class="cl">Minimum input/output unit size: <span class="m">2048</span> bytes </span></span><span class="line"><span class="cl">Sub-page size: <span class="m">512</span> bytes </span></span><span class="line"><span class="cl">OOB size: <span class="m">64</span> bytes </span></span><span class="line"><span class="cl">Character device major/minor: 90:10 </span></span><span class="line"><span class="cl">Bad blocks are allowed: <span class="nb">true</span> </span></span><span class="line"><span class="cl">Device is writable: <span class="nb">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mtd6 </span></span><span class="line"><span class="cl">Name: NAND simulator partition <span class="m">5</span> </span></span><span class="line"><span class="cl">Type: nand </span></span><span class="line"><span class="cl">Eraseblock size: <span class="m">131072</span> bytes, 128.0 KiB </span></span><span class="line"><span class="cl">Amount of eraseblocks: <span class="m">2</span> <span class="o">(</span><span class="m">262144</span> bytes, 256.0 KiB<span class="o">)</span> </span></span><span class="line"><span class="cl">Minimum input/output unit size: <span class="m">2048</span> bytes </span></span><span class="line"><span class="cl">Sub-page size: <span class="m">512</span> bytes </span></span><span class="line"><span class="cl">OOB size: <span class="m">64</span> bytes </span></span><span class="line"><span class="cl">Character device major/minor: 90:12 </span></span><span class="line"><span class="cl">Bad blocks are allowed: <span class="nb">true</span> </span></span><span class="line"><span class="cl">Device is writable: <span class="nb">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">mtd7 </span></span><span class="line"><span class="cl">Name: NAND simulator partition <span class="m">6</span> </span></span><span class="line"><span class="cl">Type: nand </span></span><span class="line"><span class="cl">Eraseblock size: <span class="m">131072</span> bytes, 128.0 KiB </span></span><span class="line"><span class="cl">Amount of eraseblocks: <span class="m">3056</span> <span class="o">(</span><span class="m">400556032</span> bytes, 382.0 MiB<span class="o">)</span> </span></span><span class="line"><span class="cl">Minimum input/output unit size: <span class="m">2048</span> bytes </span></span><span class="line"><span class="cl">Sub-page size: <span class="m">512</span> bytes </span></span><span class="line"><span class="cl">OOB size: <span class="m">64</span> bytes </span></span><span class="line"><span class="cl">Character device major/minor: 90:14 </span></span><span class="line"><span class="cl">Bad blocks are allowed: <span class="nb">true</span> </span></span><span class="line"><span class="cl">Device is writable: <span class="nb">true</span> </span></span></code></pre></div><p>You can also check <code>dmesg</code> for detailed load info, including chip and partition info.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">$ dmesg </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">[13202.334289] nand: device found, Manufacturer ID: 0x2c, Chip ID: 0xac </span></span><span class="line"><span class="cl">[13202.334290] nand: Micron NAND 512MiB 1,8V 8-bit </span></span><span class="line"><span class="cl">[13202.334291] nand: 512 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64 </span></span><span class="line"><span class="cl">[13202.334299] flash size: 512 MiB </span></span><span class="line"><span class="cl">[13202.334299] page size: 2048 bytes </span></span><span class="line"><span class="cl">[13202.334300] OOB area size: 64 bytes </span></span><span class="line"><span class="cl">[13202.334300] sector size: 128 KiB </span></span><span class="line"><span class="cl">[13202.334301] pages number: 262144 </span></span><span class="line"><span class="cl">[13202.334301] pages per sector: 64 </span></span><span class="line"><span class="cl">[13202.334302] bus width: 8 </span></span><span class="line"><span class="cl">[13202.334302] bits in sector size: 17 </span></span><span class="line"><span class="cl">[13202.334302] bits in page size: 11 </span></span><span class="line"><span class="cl">[13202.334303] bits in OOB size: 6 </span></span><span class="line"><span class="cl">[13202.334304] flash size with OOB: 540672 KiB </span></span><span class="line"><span class="cl">[13202.334304] page address bytes: 5 </span></span><span class="line"><span class="cl">[13202.334304] sector address bytes: 3 </span></span><span class="line"><span class="cl">[13202.334305] options: 0x8 </span></span><span class="line"><span class="cl">[13202.334779] Scanning device for bad blocks </span></span><span class="line"><span class="cl">[13202.358806] Creating 7 MTD partitions on &#34;NAND 512MiB 1,8V 8-bit&#34;: </span></span><span class="line"><span class="cl">[13202.358810] 0x000000000000-0x000002e60000 : &#34;NAND simulator partition 0&#34; </span></span><span class="line"><span class="cl">[13202.360129] 0x000002e60000-0x000006900000 : &#34;NAND simulator partition 1&#34; </span></span><span class="line"><span class="cl">[13202.360835] 0x000006900000-0x0000069c0000 : &#34;NAND simulator partition 2&#34; </span></span><span class="line"><span class="cl">[13202.361180] 0x0000069c0000-0x000007700000 : &#34;NAND simulator partition 3&#34; </span></span><span class="line"><span class="cl">[13202.363506] 0x000007700000-0x0000081c0000 : &#34;NAND simulator partition 4&#34; </span></span><span class="line"><span class="cl">[13202.365146] 0x0000081c0000-0x000008200000 : &#34;NAND simulator partition 5&#34; </span></span><span class="line"><span class="cl">[13202.366440] 0x000008200000-0x000020000000 : &#34;NAND simulator partition 6&#34; </span></span></code></pre></div><p>You can also view the MTD partition table via:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ sudo cat /proc/mtd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">dev: size erasesize name </span></span><span class="line"><span class="cl">mtd0: <span class="m">20000000</span> <span class="m">00020000</span> <span class="s2">&#34;NAND 512MiB 1,8V 8-bit&#34;</span> </span></span><span class="line"><span class="cl">mtd1: 02e60000 <span class="m">00020000</span> <span class="s2">&#34;NAND simulator partition 0&#34;</span> </span></span><span class="line"><span class="cl">mtd2: 03aa0000 <span class="m">00020000</span> <span class="s2">&#34;NAND simulator partition 1&#34;</span> </span></span><span class="line"><span class="cl">mtd3: 000c0000 <span class="m">00020000</span> <span class="s2">&#34;NAND simulator partition 2&#34;</span> </span></span><span class="line"><span class="cl">mtd4: 00d40000 <span class="m">00020000</span> <span class="s2">&#34;NAND simulator partition 3&#34;</span> </span></span><span class="line"><span class="cl">mtd5: 00ac0000 <span class="m">00020000</span> <span class="s2">&#34;NAND simulator partition 4&#34;</span> </span></span><span class="line"><span class="cl">mtd6: <span class="m">00040000</span> <span class="m">00020000</span> <span class="s2">&#34;NAND simulator partition 5&#34;</span> </span></span><span class="line"><span class="cl">mtd7: 17e00000 <span class="m">00020000</span> <span class="s2">&#34;NAND simulator partition 6&#34;</span> </span></span></code></pre></div><p><code>mtd0</code> represents the entire MTD device. Write the extracted firmware into this device; since the simulation runs in RAM, the operation is extremely fast.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo dd <span class="k">if</span><span class="o">=</span>NAND.bin <span class="nv">of</span><span class="o">=</span>/dev/mtd0 <span class="nv">bs</span><span class="o">=</span>512M <span class="nv">count</span><span class="o">=</span><span class="m">1</span> </span></span></code></pre></div><p>Examining the <code>ubi</code> module parameters reveals an <code>mtd</code> parameter. However, using this may fail if the default VID header offset (512) does not match the target image.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo modprobe ubi <span class="nv">mtd</span><span class="o">=</span><span class="m">0</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ dmesg </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>38418.429799<span class="o">]</span> ubi0: attaching mtd5 </span></span><span class="line"><span class="cl"><span class="o">[</span>38418.429924<span class="o">]</span> ubi0 error: validate_ec_hdr <span class="o">[</span>ubi<span class="o">]</span>: bad VID header offset 2048, expected <span class="m">512</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>38418.429937<span class="o">]</span> ubi0 error: validate_ec_hdr <span class="o">[</span>ubi<span class="o">]</span>: bad EC header </span></span><span class="line"><span class="cl"><span class="o">[</span>38418.429944<span class="o">]</span> Erase counter header dump: </span></span><span class="line"><span class="cl"><span class="o">[</span>38418.429946<span class="o">]</span> magic 0x55424923 </span></span><span class="line"><span class="cl"><span class="o">[</span>38418.429948<span class="o">]</span> version <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>38418.429950<span class="o">]</span> ec <span class="m">5</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>38418.429952<span class="o">]</span> vid_hdr_offset <span class="m">2048</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>38418.429953<span class="o">]</span> data_offset <span class="m">4096</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>38418.429955<span class="o">]</span> image_seq <span class="m">34870392</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>38418.429957<span class="o">]</span> hdr_crc 0x11db9c17 </span></span></code></pre></div><p>Instead, load the <code>ubi</code> module first, then use <code>ubiattach</code> from <code>mtd-utils</code> to specify the parameters explicitly:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo modprobe ubi </span></span><span class="line"><span class="cl">sudo ubiattach /dev/ubi_ctrl -m <span class="m">2</span> -O <span class="m">2048</span> </span></span></code></pre></div><p>You should then see attach success messages:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>43880.484837<span class="o">]</span> ubi0: default fastmap pool size: <span class="m">20</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>43880.484841<span class="o">]</span> ubi0: default fastmap WL pool size: <span class="m">10</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>43880.484843<span class="o">]</span> ubi0: attaching mtd2 </span></span><span class="line"><span class="cl"><span class="o">[</span>43880.486802<span class="o">]</span> ubi0: attached by fastmap </span></span><span class="line"><span class="cl"><span class="o">[</span>43880.486806<span class="o">]</span> ubi0: fastmap pool size: <span class="m">20</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>43880.486808<span class="o">]</span> ubi0: fastmap WL pool size: <span class="m">10</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>43880.491518<span class="o">]</span> ubi0: attached mtd2 <span class="o">(</span>name <span class="s2">&#34;NAND simulator partition 1&#34;</span>, size <span class="m">58</span> MiB<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>43880.491521<span class="o">]</span> ubi0: PEB size: <span class="m">131072</span> bytes <span class="o">(</span><span class="m">128</span> KiB<span class="o">)</span>, LEB size: <span class="m">126976</span> bytes </span></span><span class="line"><span class="cl"><span class="o">[</span>43880.491523<span class="o">]</span> ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size <span class="m">512</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>43880.491525<span class="o">]</span> ubi0: VID header offset: <span class="m">2048</span> <span class="o">(</span>aligned 2048<span class="o">)</span>, data offset: <span class="m">4096</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>43880.491527<span class="o">]</span> ubi0: good PEBs: 469, bad PEBs: 0, corrupted PEBs: <span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>43880.491529<span class="o">]</span> ubi0: user volume: 1, internal volumes: 1, max. volumes count: <span class="m">128</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>43880.491532<span class="o">]</span> ubi0: max/mean erase counter: 14/5, WL threshold: 4096, image sequence number: <span class="m">1328192</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>43880.491534<span class="o">]</span> ubi0: available PEBs: 0, total reserved PEBs: 469, PEBs reserved <span class="k">for</span> bad PEB handling: <span class="m">80</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>43880.491617<span class="o">]</span> ubi0: background thread <span class="s2">&#34;ubi_bgt0d&#34;</span> started, PID <span class="m">25777</span> </span></span></code></pre></div><p>Next, mount the UBIFS volume to access the filesystem contents.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ mkdir /tmp/modem </span></span><span class="line"><span class="cl">$ sudo mount -t ubifs ubi0_0 /tmp/modem </span></span><span class="line"><span class="cl">$ ls /tmp/image </span></span><span class="line"><span class="cl">bdwlan30.bin mba.b03 mba.mdt modem.b03 modem.b08 modem.b12 modem.b16 modem.b22 otp30.bin </span></span><span class="line"><span class="cl">mba.b00 mba.b04 modem.b00 modem.b05 modem.b09 modem.b13 modem.b19 modem.b23 qwlan30.bin </span></span><span class="line"><span class="cl">mba.b01 mba.b05 modem.b01 modem.b06 modem.b10 modem.b14 modem.b20 modem.b24 utf30.bin </span></span><span class="line"><span class="cl">mba.b02 mba.mbn modem.b02 modem.b07 modem.b11 modem.b15 modem.b21 modem.mdt </span></span></code></pre></div><p>In some cases, SquashFS runs on top of UBI, which causes standard UBIFS mounts to fail:</p> <pre tabindex="0"><code>[ 214.800087] UBIFS error (ubi0:0 pid 3848): ubifs_read_node [ubifs]: bad node type (1 but expected 6) [ 214.800093] UBIFS error (ubi0:0 pid 3848): ubifs_read_node [ubifs]: bad node at LEB 0:0, LEB mapping status 1 [ 214.800094] Not a node, first 24 bytes: [ 214.800095] 00000000: 68 73 71 73 46 0c 00 00 5a 9c 25 5d 00 00 02 00 ac 00 00 00 01 00 11 00 hsqsF </code></pre><p>The <code>hsqs</code> magic bytes identify this as a SquashFS image. It can be extracted directly as SquashFS:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo dd <span class="k">if</span><span class="o">=</span>/dev/ubi0_0 <span class="nv">of</span><span class="o">=</span>./ubi0_0 </span></span><span class="line"><span class="cl">unsquashfs ./ubi0_0 </span></span></code></pre></div><p>Detach/unload:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo umount MOUNTED_DIR </span></span><span class="line"><span class="cl">sudo ubidetach /dev/ubi_ctrl -m <span class="m">0</span> </span></span><span class="line"><span class="cl">sudo modprobe -r ubi </span></span><span class="line"><span class="cl">sudo modprobe -r nandsim </span></span></code></pre></div><h2 id="reading-with-ubi-reader">Reading with UBI Reader</h2> <p>Install via pip (or download): <a href="https://github.com/jrspruitt/ubi_reader"target="_blank" rel="noopener noreferrer">https://github.com/jrspruitt/ubi_reader</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo pip install ubi_reader </span></span></code></pre></div><p>First, check whether it correctly identifies UBI metadata:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ubireader_display_info <span class="o">[</span>options<span class="o">]</span> path/to/file </span></span></code></pre></div><p>Extract all files (but it will fail if another filesystem is present):</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ubireader_extract_files <span class="o">[</span>options<span class="o">]</span> path/to/file </span></span></code></pre></div><p>It is recommended to first restore PEBs to LEBs before analyzing individual volumes:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ubireader_extract_images <span class="o">[</span>options<span class="o">]</span> path/to/file </span></span></code></pre></div><h2 id="repacking-ubi">Repacking UBI</h2> <p>After mounting UBIFS, modification and repacking might be required. Direct use of <code>dd</code> is not suitable for this task.</p> <p>First, pay attention to the output from <code>ubiattach</code>—it prints LEB information:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ sudo ubiattach /dev/ubi_ctrl -m <span class="m">7</span> -O <span class="m">2048</span> </span></span><span class="line"><span class="cl">UBI device number 0, total <span class="m">240</span> LEBs <span class="o">(</span><span class="m">30474240</span> bytes, 29.1 MiB<span class="o">)</span>, available <span class="m">0</span> LEBs <span class="o">(</span><span class="m">0</span> bytes<span class="o">)</span>, LEB size <span class="m">126976</span> bytes <span class="o">(</span>124.0 KiB<span class="o">)</span> </span></span></code></pre></div><p>There are 240 LEBs in total, with each LEB being 126976 bytes. These parameters must be passed to <code>mkfs.ubifs</code> to build the UBIFS image:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># mtd5</span> </span></span><span class="line"><span class="cl">sudo mkfs.ubifs -m <span class="m">2048</span> -e <span class="m">126976</span> -c <span class="m">240</span> -F -r ./UBI_1 rootfs.img </span></span><span class="line"><span class="cl"><span class="c1"># mtd9</span> </span></span><span class="line"><span class="cl">sudo mkfs.ubifs -m <span class="m">2048</span> -e <span class="m">126976</span> -c <span class="m">240</span> -F -r ./UBI_2 rootfs.img </span></span><span class="line"><span class="cl">sudo mkfs.ubifs -m <span class="m">2048</span> -e <span class="m">126976</span> -c <span class="m">240</span> -R <span class="m">1</span> -x lzo -r ./UBI_1 rootfs.img </span></span><span class="line"><span class="cl">sudo mkfs.ubifs -m <span class="m">2048</span> -e <span class="m">126976</span> -c <span class="m">240</span> -x lzo -r ./rootfs rootfs.img </span></span></code></pre></div><p>Create <code>ubi_config.ini</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">vi ubi_config.ini </span></span></code></pre></div><p>The <code>vol_size</code> must match the image size. Additionally, the file must end with an empty line to avoid the following error: <code>ubinize: error!: cannot load the input ini file &quot;ubi_config.ini&quot;</code></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[rootfs]</span> </span></span><span class="line"><span class="cl"><span class="na">mode</span><span class="o">=</span><span class="s">ubi</span> </span></span><span class="line"><span class="cl"><span class="na">image</span><span class="o">=</span><span class="s">rootfs.img</span> </span></span><span class="line"><span class="cl"><span class="na">vol_id</span><span class="o">=</span><span class="s">0</span> </span></span><span class="line"><span class="cl"><span class="na">vol_size</span><span class="o">=</span><span class="s">9904128</span> </span></span><span class="line"><span class="cl"><span class="na">vol_type</span><span class="o">=</span><span class="s">dynamic</span> </span></span><span class="line"><span class="cl"><span class="na">vol_name</span><span class="o">=</span><span class="s">rootfs</span> </span></span><span class="line"><span class="cl"><span class="na">vol_alignment</span><span class="o">=</span><span class="s">1</span> </span></span><span class="line"><span class="cl"><span class="na">vol_flags</span><span class="o">=</span><span class="s">autoresize</span> </span></span></code></pre></div><p>Finally, use <code>ubinize</code> to generate the UBI image:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo ubinize -o rootfs.ubi -p <span class="m">131072</span> -m <span class="m">2048</span> -s <span class="m">512</span> -e <span class="m">2</span> -Q <span class="m">0</span> -O <span class="m">2048</span> -x1 ubi_config.ini </span></span></code></pre></div><p>Where:</p> <ul> <li><code>-e</code>: Number of eraseblocks (default is 0). This can be quickly verified with <code>binwalk</code>.</li> <li><code>-Q</code>: Image sequence number, viewable with <code>ubi_display_info</code>.</li> <li><code>-x</code>: UBI version (default is 1).</li> <li><code>-s</code>: Sub-page size. Not all NAND flash supports sub-pages. Typically, SLC NAND with 2048-byte pages uses 4 sub-pages of 512 bytes, whereas MLC usually does not have sub-pages.</li> <li><code>-m</code>: Page size.</li> <li><code>-p</code>: Physical eraseblock size. A physical block usually consists of 64 pages; refer to the NAND datasheet for specifics.</li> </ul> <p>Below is an example of flashing <code>rootfs.ubi</code> to <code>mtd7</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo ubinize -v -o rootfs.ubi -p <span class="m">131072</span> -m <span class="m">2048</span> -s <span class="m">512</span> -O <span class="m">2048</span> ubi_config.ini </span></span><span class="line"><span class="cl">sudo ubiformat /dev/mtd7 -O <span class="m">2048</span> -s <span class="m">512</span> -f rootfs.ubi </span></span></code></pre></div><p>For SquashFS filesystems, building UBIFS is unnecessary. After modifying the contents, simply repack SquashFS using <code>mksquashfs</code>. Ensure that ownership and permissions are correct (e.g., if the target system runs as root, pack as root). Then, use <code>ubinize</code> to wrap it into a UBI image.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo mksquashfs ./squashfs-root/* rootfs.squashfs </span></span></code></pre></div><p><img loading="lazy" src="./UBIFS.png" alt="UBIFS"/></p> <h2 id="reference">Reference</h2> <p><a href="http://www.linux-mtd.infradead.org/"target="_blank" rel="noopener noreferrer">Memory Technology Devices</a></p> <p><a href="http://www.linux-mtd.infradead.org/doc/ubidesign/ubidesign.pdf"target="_blank" rel="noopener noreferrer">UBI - Unsorted Block Images</a></p> <p><a href="https://baurine.netlify.com/"target="_blank" rel="noopener noreferrer">Mounting and Rebuilding UBI Images</a></p>