Thread: Reverse engineering the TM9154 firmware

  1. #1
    Join Date
    May 07, 2012
    Posts
    78
    Thanks
    4
    Thanked 2 Times in 2 Posts

    Reverse engineering the TM9154 firmware

    Ok, so further from my work on the SFE keys and protocol, I've got some further info and I'm hoping someone will be able to take this further.

    Attached is v6.09.01 of the firmware for the TM9154. These are converted to binary files and cannot be loaded into a radio.

    QMA3F_A00_6.09.01.0001.Srec.bin = Torso firmware
    QCA4F_A00_6.09.01.0001.Srec.bin = Control head?
    QMA3A_A01_6.09.00.0001.Srec.bin = Boot loader?

    The SFE keys are processed within QMA3F_A00_6.09.01.0001.Srec.bin. The source for this file seems to be:
    TaitTerm_DataServices/Torso/FeatureEnabler/private/syften_Sfe.c

    I don't believe this file changes between firmware versions - as it would cause all previously validated SFE keys to expire - or at least cause issues in the SFE key issuing.

    The CPU that seems to be emulated on an Altera FPGA is the "Leon Sumo Processor Core", and the dev environment for this seems to be available at Tait's Open Source site. The file cpu\tech_altera.vhd within the processor core download is contributed by Tait for the purposes of their radio.

    The RealTime OS used on top of the processor core is eCos. Tait's modifications can also be downloaded from the Tait site as part of the eCos package provided.

    So far, from the codes I have been able to deduce, we're down to the following layout:
    Code:
    00XXXXXXXXXXXXXXXXYYZZZZZZZSS0CC
    This translates roughly to:
    X = Authentication code??
    Y = feature code (in HEX!)
    Z = serial number? (We can get this by reading ANY key in the radio)
    S = Sequence number
    C = Checksum
    So, we're now down to 8 bytes. The X's. 16 values from 0-F that hold the key.

    We have a few theories: that it may be a DES-encrypted block, or a checksum of a string.

    The reason for looking at the radio firmware is that the SFE keys come from Tait directly - and Tait keep a database of issued keys. These keys are ONLY verified in the actual radio - probably in syften_Sfe.c - and either enabled or rejected based on what that does.

    So, I need help here. We have the architecture, and the firmware. Now I need some guidance on how to start looking at the big picture of how all this fits together to get some real debugging going.
    Last edited by CRCinAU; Jun 28, 2012 at 11:31 PM.


  2. #2
    Join Date
    May 08, 2012
    Location
    Pioneer Valley Rim
    Posts
    53
    Thanks
    7
    Thanked 15 Times in 6 Posts
    Country: Lithuania

    If it's any help, I have firmware for all 9000 series and some 8000 series, dating from 6.something to 9.something.

  3. #3
    Join Date
    May 07, 2012
    Posts
    78
    Thanks
    4
    Thanked 2 Times in 2 Posts


    Everything is good!

    You can upload anonymously to ftp.crc.id.au/incoming

  4. #4
    Join Date
    May 16, 2012
    Location
    New Zealand
    Posts
    98
    Thanks
    4
    Thanked 19 Times in 10 Posts
    Country: New Zealand


    If you do get some fresh firmware, any chance you can add it to your webpage CRCinAU??

  5. #5
    Join Date
    May 07, 2012
    Posts
    78
    Thanks
    4
    Thanked 2 Times in 2 Posts

    Possibly. It depends on the wishes of the person who leaked the firmware to me. I will honour what that person requests.

  6. #6
    gaztolmie No Longer Registered

    Mr. Moderator, please excuse me for being a drunken dick (I have just worked a full shift of 12-hour days, so some excuse). The last post was meant for Tait Feature Keys - TM9100 series.

    Could you repost please?

    Gaz