
Thread: smartrib 1015d firmware

#1 (ogoun): smartrib 1015d firmware

    Hi all,

    Has anyone done any investigation into the smartrib design/functionality? It seems to be regarded as a small, scary, expensive black box that does magic things that nothing else can...

By my understanding the 1015D is no longer supported, as it uses the older "dongle" (flashkey) method rather than the current method using Dallas iButtons.

Looking at the 1015D service manual, it seems that the firmware is stored in a couple of places: a 2 megabyte flash ROM (in an irritating 44-pin SOIC package, soldered in), and inside the MC68HC11K4 micro (32k (or 24k) of "core" code in ROM (or EPROM)). 32k pages of the flash ROM are mapped into the lower 32k of address space using output lines from the micro to drive the upper address lines into the flash.

My question is whether anyone has been able to dump the firmware from a SmartRIB yet? I ask purely from academic interest, as I believe that it is theoretically possible to do without removing the surface-mounted HC11 and flash ROM for reading. I imagine that this could be done by using the HC11K4 micro's built-in bootloader mode, modifying the 1015D circuit slightly to allow connection of TTL (not RS-232) level async serial TXD and RXD to the micro, disabling the SB9600 bus RX line from driving the K4's RXD line, and pulling the MODA and MODB lines low. By using a TTL-to-RS-232 converter and a suitable HC11 loader program on a PC, then resetting the HC11 micro, it should be possible to read the K4's contents and page 0 of the flash ROM. Reading the other pages of flash would require modding the boot-up code sent from the PC to the K4, but should be quite doable.

Regarding the serial comms, I had at first hoped that the 1015D's built-in 9-pin RS-232 serial port could be used to access the HC11's bootloader mode; however, this port interfaces to a separate/discrete UART, not the K4's built-in one, which is needed for bootloader use.

The flashkey dongles seem to use I2C comms from the micro (using pins on the DB25 connector not normally used for radio comms) to access a small secure serial EEPROM, i.e. one that needs a key to unlock read or write access.

    I hope this post is of some interest.

    Cheers,

    Pete


#2 (Alpha, moderator)

    Hello, Pete. Welcome to the forum here!

It sounds like you've done a lot of research on the SRIB. Yes, they supported the old FlashKeys originally, but now with CPS they still use the bootloader (for the radio) switching circuits when flash upgrading the radio firmware, but they read options, etc. from an iButton-based flashkey on the parallel port or a USB key. The older flashkey was custom made by Motorola and went between the SRIB and the radio. It had a "FlashPort" logo on it and was potted or encapsulated in a rubbery sort of epoxy or something. It probably used a Dallas/Maxim 1-Wire or I2C device to hold the information about the model number/flashcode info and counters that would control a number of upgrades. The SRIB would load the firmware image from the PC side, then the SRIB would take over reading the FlashKey to get and verify the options and flashcode if required, and then would write to the flash in the radio.

So, anyway, the only things the SRIB is used for now are to buffer the flash image about to be flashed into the radio, and the bootloader circuit to put the radio into bootload mode.

#3 (ogoun)

Quote Originally Posted by Alpha (post #2 above)
Thanks for the welcome; this forum looks most interesting, especially compared to RR.

    Now I see how the ibutton hooks into things. I figured it must be some new hardware to support it directly on the srib, but using one on the pc itself makes more sense.

After poking around a bit, I am fairly sure that the flashkey uses a Xicor X76F041 secure I2C serial memory, read by the SRIB.

Still, it sounds like the SmartRIB doesn't have much use/interest any more...?

    Cheers,

    Pete

PS: I've been trying to PM MattSR, but don't seem to have permission. Is this something you can fix, or perhaps PM MattSR for me and ask him to PM me?

#4 (member located in Avalon)

You will be able to PM after you have more posts. The SmartRIB is still used for flash upgrades on the MTS/MCS2000s and the Astro series. Nothing newer uses it.
    "Don't worry about what I am, cause I'm a state agent so what you need to do is make sure your doing the right thing **** boy" -J. Dewitte

#5 (kw71)

Quote Originally Posted by ogoun (post #1 above)
    Hi!

    I've looked at this.

Yes, the ROM is extractable from the HC11, but I have not seen anyone do it in circuit (my colleague had a broken SRIB, so removed it).

The internal ROM sits "high" and starts at $E000 or $F000; I can't remember which right now.

The "application" is resident at $4000. This is the 'srib code' included with CPS and inside CVN/TVN files. It makes many calls to the internal ROM.

I haven't looked very hard at the SRIB; it was potentially a source of information, but all the information can be found elsewhere and deduced more easily.

    Cheers

#6 (Alpha, moderator)

If you have a dump of that ROM it might be interesting to have a look at. It also might give insight as to how the "application" portion is encoded on the PC, by having a cleartext dump of it; I am assuming that's the SMARTRIB.ENC file from the old RSS.

    As you said this is mostly academic, since it's obsolete equipment now. I doubt anyone wants to go full hard-core on it and disassemble the HC11 code, but examining the data structures might be amusing.

#7 (kw71)

I have to get these files from another machine. The 'encoding' has already been solved! I will be happy to un-encode any of these files that you are curious about.

#8 (ogoun)

    Hi kw71,

If you could find those ROM files, I would be very appreciative of a copy. It would save me a lot of effort having to mod and hack on my SRIB. PM me if you want to chat off-forum.

    Cheers,

    Pete

#9 (ogoun)

Quote Originally Posted by Alpha (post #6 above)
    Wanna bet on that?

HC11 dis isn't too hard. IDA is your friend.

    Cheers,

    Pete

#10 (Alpha, moderator)

Well, I admire your enthusiasm... If you want to get medieval on it, go for it.

Such knowledge might be useful to emulate it with pure serial, since they are obsolete and damn expensive when you can find them, usually $400-plus or so.

One of our senior members here has built a flash-mode "McRIB": by adding the bootstrap logic to a regular RIB it becomes something known as a "passthru SRIB". That won't buffer the CVN data, but it will put the radio into bootstrap mode for bootcode download. I don't know if that was his original design or something from Batlabs, but maybe I can get more info on it; we shall see. It would be a nice alternative for some to buying an actual SmartRIB, but without some custom serial software it won't do anyone any good. Yet...

#11 (ogoun)

    @alpha:
I had in mind something like a PIC32-based controller that integrates the whole RIB/SmartRIB functionality into one small board... Could possibly be done by actual emulation of the HC11 core... The PIC32 has heaps of flash and RAM, and runs at 80 MHz, so 8-bit core emulation is a viable option.

BTW, I've been looking for the service manual, or even just the schematic, for the older DIU3000 ENC modules... Any chance you (or anyone else) might have such a thing, and be willing to share?

    Cheers,

    Pete

#12 (Alpha, moderator)

The DIU service manuals are already posted somewhere here, I believe. I am not sure if there was a separate manual for the EMCs or not; if they exist, they should be called out in the "related publications" section of the DIU manual, one would hope.

    If anyone out there has them and they aren't already here, of course sharing would be MOST appreciated...

#13 (ogoun)

Quote Originally Posted by Alpha (post #12 above)
No joy. There is a manual here for the later version, but not the earlier one. The part number I'm looking for (T5372B DIU ENC cart) is something like 68P81090E85 or E95.

    Cheers,

    Pete

#14 (member located in Avalon)

The McRIB is actually a normal RIB modified into a European flashrib for the Euro Jedi, which don't use the CVNs.

#15 (PRC148)

Trying not to get too far off topic here, but how do you pull the ROM files from an HC-type processor? I have a few that I would like to get an image from. They are processors from special modded frequency-hopping radios. They are (I think) 44-pin HC68 types.

Also, that code from the SRIB would definitely be something interesting to look at. I agree that a PIC or Arduino or Netduino should work fine to emulate one.

#16 (kw71)

There are some device programmers that can do it in one step.

Basically you power the chip with the mode A/B pins pulled to the combination that equals "bootloader." The CPU will accept a bootloader upload from the UART. Sometimes, if there is EEPROM inside the chip, booting it this way erases the EEPROM. (However, some device programmers can somehow dump without hurting the EEPROM.)

In our radios with FlashPort there is some analog circuitry that flips some muxes and the mode A/B pins when Vpp is seen.
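The dump procedure sketched in post #1 and restated in post #16 (MODA/MODB low, reset, push a program in through the SCI, let it read memory back out), as an added host-side example. This is not code from the thread, from CPS or from any Motorola tool. It assumes the MC68HC11K4 reset memory map (register block at $0000, RAM from $0080, HPRIO at $003C, SCI status and transmit data registers at $0074/$0077) and that the K4 boot ROM loads the upload at $0080 and echoes each byte; the K4 data sheet and boot ROM listing are the references to check those against, along with how the boot ROM decides the upload is complete (byte count or idle line). Two things a practitioner would want stated: bootstrap mode comes up as a single-chip mode with the external bus off, so the stub sets MDA in HPRIO before touching the flash window (a write that is only honoured in the special modes), and the K4's own registers and RAM sit on top of the bottom of that window, so the flash bytes under roughly $0000-$037F are not reachable this way. If the SRIB reaches its flash through the K4's programmable chip selects, the stub would also have to set those the way the firmware does. The page-select write is left out because the thread does not say which port pins drive the upper address lines; as post #1 notes, this gets page 0 only. FakeTarget is a constructed stand-in so the script runs offline; against hardware, pass a pyserial Serial opened with a timeout in its place.

```python
"""Host side of an HC11 bootstrap-mode dump: upload a RAM stub through the boot
ROM's SCI protocol, then collect one 32 KB flash page plus an XOR checksum."""
FLASH_SIZE = 2 * 1024 * 1024          # 2 MB external flash (post #1)
PAGE_SIZE = 0x8000                    # one 32 KB page is visible at CPU $0000-$7FFF
# ASSUMED MC68HC11K4 reset map (register block at $0000, RAM from $0080, stub
# loaded at $0080). Verify against the K4 data sheet before trusting a dump.
HPRIO, MDA = 0x003C, 0x20      # MDA=1 written in a special mode turns the external bus on
SCSR1, SCDRL = 0x0074, 0x0077  # SCI status (TDRE = bit 7) and transmit data register
SCRATCH = 0x0200               # RAM byte the stub uses while folding bytes into the checksum

def linear_to_page(offset: int) -> tuple[int, int]:
    """Linear flash offset -> (page number, CPU address inside the 32 KB window)."""
    if not 0 <= offset < FLASH_SIZE:
        raise ValueError(f"offset {offset:#x} is outside the 2 MB flash")
    return offset // PAGE_SIZE, offset % PAGE_SIZE

def _ext(opcode: int, addr: int) -> list[int]:
    return [opcode, addr >> 8, addr & 0xFF]   # 3-byte extended-addressing instruction

def dump_stub() -> bytes:
    """Hand-assembled 68HC11 stub at $0080 (hypothetical, not SmartRIB code): turn the
    external bus on, send $0000-$7FFF over the SCI, then send the XOR of those bytes."""
    code = (
        _ext(0xB6, HPRIO) + [0x8A, MDA] + _ext(0xB7, HPRIO)  # 0080 LDAA/ORAA #MDA/STAA HPRIO
        + [0x5F]                 # 0088 CLRB          ; B = running XOR
        + [0xCE, 0x00, 0x00]     # 0089 LDX #$0000
        + [0xA6, 0x00]           # 008C LDAA 0,X      ; loop: fetch byte
        + _ext(0xB7, SCRATCH)    # 008E STAA SCRATCH
        + _ext(0xF8, SCRATCH)    # 0091 EORB SCRATCH  ; checksum ^= byte
        + _ext(0xB6, SCSR1)      # 0094 LDAA SCSR1    ; spin until TDRE is set
        + [0x2A, 0xFB]           # 0097 BPL $0094
        + _ext(0xB6, SCRATCH)    # 0099 LDAA SCRATCH
        + _ext(0xB7, SCDRL)      # 009C STAA SCDRL    ; transmit the byte
        + [0x08]                 # 009F INX
        + [0x8C, 0x80, 0x00]     # 00A0 CPX #$8000
        + [0x26, 0xE7]           # 00A3 BNE $008C
        + _ext(0xB6, SCSR1)      # 00A5 LDAA SCSR1
        + [0x2A, 0xFB]           # 00A8 BPL $00A5
        + _ext(0xF7, SCDRL)      # 00AA STAB SCDRL    ; send the checksum
        + [0x20, 0xFE]           # 00AD BRA *         ; park
    )
    return bytes(code)

class BootstrapError(RuntimeError):
    pass

def xor_all(data: bytes) -> int:
    chk = 0
    for b in data:
        chk ^= b
    return chk

def upload_stub(port, stub: bytes) -> None:
    """Feed the stub to the boot ROM. `port` needs read(n)/write(b) with a timeout
    (pyserial's Serial fits). The boot ROM echoes every byte it stores, so a bad
    echo means the wrong baud rate or something else still driving RXD/TXD."""
    port.write(b"\xff")   # sync byte: the boot ROM times it to pick the baud rate
    first = port.read(1)  # whether the sync byte itself is echoed depends on the boot ROM
    if first not in (b"", b"\xff"):
        raise BootstrapError(f"unexpected byte after sync: {first!r}")
    for i, b in enumerate(stub):
        port.write(bytes([b]))
        echo = port.read(1)
        if echo != bytes([b]):
            raise BootstrapError(f"echo mismatch at stub byte {i}: sent {b:#04x}, got {echo!r}")

def receive_page(port) -> bytes:
    """Collect the 32 KB page and the trailing XOR byte that the stub sends."""
    data = bytearray()
    while len(data) < PAGE_SIZE:
        chunk = port.read(PAGE_SIZE - len(data))
        if not chunk:
            raise BootstrapError(f"target went silent after {len(data)} bytes")
        data += chunk
    check = port.read(1)
    if not check or check[0] != xor_all(data):
        raise BootstrapError(f"checksum {check!r} does not match {xor_all(data):#04x}")
    return bytes(data)

class FakeTarget:
    """Constructed stand-in for a K4 in bootstrap mode: swallows the sync byte,
    echoes each stub byte, then 'runs' the stub by streaming a page image."""
    def __init__(self, page_image: bytes):
        self.page_image, self.rx, self.tx = page_image, bytearray(), bytearray()
        self.synced = self.ran = False
    def write(self, data: bytes) -> None:
        for b in data:
            if not self.synced:
                self.synced = b == 0xFF
                continue
            self.rx.append(b)
            self.tx += bytes([b])  # boot ROM echo
        if not self.ran and bytes(self.rx) == dump_stub():
            self.ran = True
            self.tx += self.page_image + bytes([xor_all(self.page_image)])
    def read(self, n: int) -> bytes:
        out, self.tx = bytes(self.tx[:n]), self.tx[n:]
        return out

def demo() -> bytes:
    image = bytes((i * 7 + (i >> 8)) & 0xFF for i in range(PAGE_SIZE))  # constructed, not firmware
    upload_stub(FakeTarget(image), dump_stub())  # no-op on its own; shown for the call shape
    target = FakeTarget(image)
    upload_stub(target, dump_stub())
    return receive_page(target)
```

demo() runs the whole exchange against the fake. Against real hardware the echo check is the first thing to watch: if it fails on byte 0, the serial mod from post #1 is not isolating RXD from the SB9600 side or the baud rate is wrong, and there is no point waiting for a 32 KB transfer.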

#17 (PRC148)

I thought the memory could be protected from reading as well, to protect IP. Is that correct? I would like to read one of these but don't want to damage it.

    Also how would you go about disassembling the code to something readable or usable?

#18 (Alpha, moderator)

I know that some of the earlier 68HC05 processors, the predecessor to the HC11, had a "security" bit which, when set, would disallow reading the internal EPROM. Because of this they used the chip as a security element in video games back in the mid 1980s to early 1990s, because it was essentially uncopyable.

The chip came in a "programmable mode" where you could boot the IC into a mode where it would read/write like an EPROM, or could talk to an attached programming master EPROM and program itself. Once that was done, it set the "security" bit, after which it would only boot from the internal EPROM and could no longer be read externally. The only way to reset that condition would be a UV erase, which would clear the security bit and also erase the internal EPROM as well, of course. Attempting to read the "locked" chip would not destroy it, but would not read the data successfully, either. This may have changed with the HC11, but I kind of doubt it.

There were some models that could also be used with an external EPROM or EEPROM, in which case there was no "security", as the external program memory could easily be read out of circuit.

    Once you get a valid dump of the program code, then there are public domain 68HC11 disassemblers out there to help analyze the code with.

#19 (PRC148)

Interesting, thanks. I have been wanting to learn to work with these but haven't known exactly where to start. The ones I referred to are used with external memory. I have a sleeve of new ones too that I would like to do something with.

#20 (kw71)

    Ok!

    Here are my thoughts: analysis of this is not a very good use of time.

The extra connections to the radio on the SRIB vs the RIB aren't very complex: mode select and Vpp control.

Additionally, any processes that use the original SRIB are security-encumbered with iButtons or other crap.

Emulating the SRIB will require emulation of the HC11, because some processes upload their own code for execution in the SRIB.

    Therefore, this is not a great solution to any problem.

    Consider these:
We know how to bootload the radios, due to hints in the service manual and HC11 documentation.
We have the bootloaders; they are in CPS and the CVN files.
The bootloaders are much easier to analyze.
Other secrets of the SRIB such as AuthCode generation are not exclusive to the SRIB. To use the AuthCode example, the code that checks this is part of the radio firmware, and we know where in the radio it's stored. So it won't be difficult to analyze the radio firmware and find out how the authcode is validated, and this can be reversed to find how to generate it.

    To me, it looks like creating a tool to run on the PC to replicate the processes using cheaper hardware is a better idea.
Attached Files

#21 (ogoun)

@kw71: Thanks for this, it looks interesting. Looks like a fair bit of it is stored in the external flash ROM. Any luck with reading this? If not, I'll have a look at the posted code and see if there is a way to convince it, via its own serial protocol, to cough up the contents...

I agree with the points that you make; however, my interest is purely for learning's sake. Besides, every now and then one finds something overlooked or missed by a quick inspection...

    Cheers,

    Pete

#22 (Yaesu)

Quote Originally Posted by kw71 (post #20 above)
The bootloader for the radio is not in the CVN, but rather in the "upgrade" directory. It's called astrobc.enc.

The bootloader for the sRib is in the sRib directory, called smartrib.enc.

There is an undocumented (AFAIK) feature in the sRib: a pass-through mode that doesn't buffer the data to the sRib RAM first.

#23 (Yaesu)

Quote Originally Posted by Yaesu (post #22 above)
Also, AuthCode only applies to Jedi series radios and toolproofing. Wonder why Moto didn't use toolproofing on their later series, Astro then Astro 25. Toolproofing seemed to stop most of the hacking of the Jedi radios that implemented it.

#24 (kw71)

    Quote Originally Posted by ogoun View Post
    @kw71: Thanks for this, it looks interesting. Looks like a fair bit of it is stored in the external flash rom.. Any luck with reading this?
Yes! I have had luck with it and will share it with you. Give me the "smartrib.enc" that you want and I will turn it into plain binary.

#25 (kw71)

    Quote Originally Posted by Yaesu View Post
The bootloader for the radio is not in the CVN, but rather in the "upgrade" directory. It's called astrobc.enc.
Each Astro portable and Astro mobile CVN also contains a bootloader. You already know the file has multiple parts, for the host and the DSP. There is a bootloader in each one too.

    Quote Originally Posted by Yaesu View Post
The bootloader for the sRib is in the sRib directory, called smartrib.enc.
This is not a bootloader; it is more like an application update that replaces/adds to some of the routines in the masked ROM.

    Quote Originally Posted by Yaesu View Post
There is an undocumented (AFAIK) feature in the sRib: a pass-through mode that doesn't buffer the data to the sRib RAM first.
Yes, the SRIB does this until it gets this SB9600 packet:

    1A 12 1A 06 DB

    I hope you like this information.
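The pass-through behaviour kw71 describes, as an added model; this is not the SRIB's code, and the thread does not say what the SRIB does with the trigger packet itself, so the model's choices to forward the trigger to the radio and to buffer everything after it are assumptions. The detail worth a few lines is that serial reads ignore packet boundaries: the 5-byte trigger can arrive split across two reads, so the detector carries the last four forwarded bytes into the next search instead of matching each read on its own. The sample reads are constructed.

```python
"""Model of the SmartRIB data path from post #25: bytes from the PC go straight to
the radio until a specific SB9600 packet arrives, after which they are buffered."""
TRIGGER = bytes.fromhex("1A121A06DB")   # the packet quoted in post #25

class SribDataPath:
    def __init__(self) -> None:
        self.forwarded = bytearray()   # what would go out on the radio side
        self.buffered = bytearray()    # what would be held in SRIB RAM instead
        self.buffering = False
        self._tail = b""               # last len(TRIGGER)-1 bytes already forwarded

    def feed(self, chunk: bytes) -> None:
        """Route one serial read. The trigger may straddle two reads, so the search
        runs over the previous tail plus the new chunk."""
        if self.buffering:
            self.buffered += chunk
            return
        window = self._tail + chunk
        hit = window.find(TRIGGER)
        if hit < 0:
            self.forwarded += chunk
            self._tail = window[-(len(TRIGGER) - 1):]
            return
        # index just past the trigger, expressed within this chunk; the trigger is
        # longer than the tail, so it always ends inside the chunk and cut > 0
        cut = hit + len(TRIGGER) - len(self._tail)
        self.forwarded += chunk[:cut]   # assumption: the trigger itself still reaches the radio
        self.buffering = True
        self.buffered += chunk[cut:]    # assumption: everything after it is buffered

def route(reads) -> tuple[bytes, bytes, bool]:
    """Run a sequence of reads through a fresh data path and return
    (bytes sent to the radio, bytes buffered, whether the switch happened)."""
    path = SribDataPath()
    for chunk in reads:
        path.feed(chunk)
    return bytes(path.forwarded), bytes(path.buffered), path.buffering
```

route([b"\x1a\x12", b"\x1a\x06\xdb\x01\x02"]) is the split case: the first read ends mid-packet, the second completes it, and only the two bytes after it end up buffered.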
