
Thread: SmartRIB...Upgrade Firmware? (n00b question)

  1. #1

    Is there such a thing?

    I got asked about this the other day, so I thought I'd embarrass myself and ask you guys.


  2. #2

    Good question. As far as I know (and understand), the SRIB acts as a "buffer" for radio firmware, from the MTS/MCS/ASTRO lineup of radios. When you flash, it works like this:

    (CPS, iButton refresh key, SmartRIB, flash cable all attached and ready)

    Firmware upgrade---> Flashes SRIB flash ROMs with the HOST/DSP firmware to be programmed in remote radio. Once SRIB is flashed, it begins a flash of the radio.

    Once complete, you may connect another radio from the same platform (if you flashed an XTS3000 with R07.71.07/N08.03.05 firmware, 3600bps trunking) and it will flash directly from the stored firmware in the SRIB, rather than go through the process of flashing the SRIB again. This saves a lot of time.

    I'm not sure if the SRIB has its own firmware. The schematic/service manual for the SRIB is posted in our Service Manual sub-forum if you want to read up on it.

  3. #3

    Mars....You're the man!!

    It just got me thinking IF the SmartRIB had its own firmware.....so I thought I'd ask.

    Thanks for the informative reply!!

  4. #4

    Actually the SRIB does have its own firmware, but the RSS or CPS automatically flashes the SRIB before use. The software checks the internal firmware present in the SRIB and if the RSS/CPS has a newer file it will automatically upgrade the SRIB before it sends the HOST/DSP code to it for subsequent flashing to the radio. The SRIB firmware file is called SRIB.ENC, located in the UPGRADE or SRIB directory of the old RSS. With CPS the file is internal to the .EXE or a .DLL file, I think... But anyway the upgrade is seamless, transparent and automatic when doing normal flash upgrading.

    To just upgrade the SRIB, try the "Flashport->Read Radio Configuration" which will upgrade the SRIB if necessary, then read the radio non-destructively using the SRIB codeplug access routines.

  5. #5

    Thanks, Alpha and Mars.

    Appreciate the in-depth reply, very interesting.

    Now I can go back to my friend and go, "Told you so!!!" (with proof)


    Quote (originally posted by Alpha):
    Actually the SRIB does have its own firmware, but the RSS or CPS automatically flashes the SRIB before use. The software checks the internal firmware present in the SRIB and if the RSS/CPS has a newer file it will automatically upgrade the SRIB before it sends the HOST/DSP code to it for subsequent flashing to the radio. The SRIB firmware file is called SRIB.ENC, located in the UPGRADE or SRIB directory of the old RSS. With CPS the file is internal to the .EXE or a .DLL file, I think... But anyway the upgrade is seamless, transparent and automatic when doing normal flash upgrading.

    To just upgrade the SRIB, try the "Flashport->Read Radio Configuration" which will upgrade the SRIB if necessary, then read the radio non-destructively using the SRIB codeplug access routines.

  6. #6

    Hi all, I have a question: do you need to have a flash key to load the SRIB with the CVN firmware file?
    Why I ask: is it possible to load the CVN file to the SRIB without the flash key?
    So then could you extract the unencrypted CVN firmware file from the flash memory of the SRIB, then use the unencrypted CVN to program a new blank flash memory to re-solder to a control board?




    thanks

    A K

  7. #7

    Hi k101

    That would be way too much work.

    The firmware files you are after (binary images) are posted in the file download section of the forum.

  8. #8

    Quote (originally posted by Mars):
    Hi k101

    That would be way too much work.

    The firmware files you are after (binary images) are posted in the file download section of the forum.

    Just a thought here.

    I have noticed that sometimes the contents of the cvn files differ slightly from the flash dumps posted here. Maybe files were mixed up or moto has more variations than are known.

    Also, to get at the original question, Alpha almost got it. In addition to the srib.enc there is also a mask ROM in the srib which provides most of the functions. So if you simply decrypt srib.enc it will not make much sense to you because it is full of calls to the mask ROM.

  9. #9

    Quote (originally posted by kw71):
    Just a thought here.

    I have noticed that sometimes contents of the cvn files differ slightly from the flash dumps posted here. Maybe files were mixed up or moto has more variations than are known.

    The CVN files are encrypted; the dumps are not. That would explain the differences if you're viewing them with a hex editor and coming to this conclusion.

  10. #10

    I decrypt them before I compare.

  11. #11

    The firmware is byte-for-byte the same as what's in a CVN, except for a few bytes which will contain the iButton serial number. Perhaps this is what you are seeing.

  12. #12

    Aha! Maybe that's it. About 12 bytes or so, in the radio host code firmware, were blank (FF) in the cvn, but had some data in the .bin I have.

    One of the dsp files came out identical.

    The other dsp file came out of the cvn looking like a different version than I expected based on the .bin I have. I saw the same differences comparing portable and mobile dsp files in the past. Largely it is that sometimes the value 80 appears in many places that are 00 in the other version.

    Do you know if the radio cares about this tracking data in the host flash?
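
    The comparison discussed in posts #11 and #12, as an added example that is not part of the original thread: it groups the differing bytes of two plaintext images into runs and labels each run as erased (FF) on one side, a single-bit change (such as 00 versus 80), or something else that needs a closer look. It assumes both images are already plaintext and the same length; the function names and the 64-byte sample images are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

ERASED = 0xFF  # value of an unprogrammed flash cell

@dataclass
class DiffRun:
    offset: int
    length: int
    kind: str  # blank-in-a | blank-in-b | single-bit | other

def classify(a: bytes, b: bytes) -> str:
    """Label one differing span of image A against image B."""
    if all(x == ERASED for x in a):
        return "blank-in-a"   # A left erased, B was stamped with data
    if all(x == ERASED for x in b):
        return "blank-in-b"
    changed = [(x, y) for x, y in zip(a, b) if x != y]
    if all(bin(x ^ y).count("1") == 1 for x, y in changed):
        return "single-bit"   # e.g. 0x00 vs 0x80: one flag bit per byte
    return "other"            # anything else needs manual review

def diff_runs(img_a: bytes, img_b: bytes, gap: int = 0) -> list[DiffRun]:
    """Group differing offsets into runs; merge runs split by <= gap equal bytes."""
    if len(img_a) != len(img_b):
        raise ValueError("image sizes differ; check the dump length first")
    spans, start, last = [], None, None
    for i, (x, y) in enumerate(zip(img_a, img_b)):
        if x == y:
            continue
        if start is not None and i - last > gap + 1:
            spans.append((start, last))
            start = None
        if start is None:
            start = i
        last = i
    if start is not None:
        spans.append((start, last))
    return [DiffRun(s, e - s + 1, classify(img_a[s:e + 1], img_b[s:e + 1]))
            for s, e in spans]

def make_samples() -> tuple[bytes, bytes]:
    """Constructed 64-byte stand-ins for a file image and a flash dump."""
    image, dump = bytearray(range(64)), bytearray(range(64))
    image[16:28] = b"\xff" * 12               # 12 bytes left blank in the file
    dump[16:28] = bytes(range(0xA0, 0xAC))    # per-device data in the dump
    image[40], image[44] = 0x00, 0x00
    dump[40], dump[44] = 0x80, 0x80           # 00-vs-80 style differences
    return bytes(image), bytes(dump)
```

    A run labelled "other" is the only kind that points at a genuinely different build; the first two kinds match the per-device and flag-bit differences the posters describe.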

  13. #13

    Quote (originally posted by kw71):
    I decrypt them before I compare.

    Care to share any details on that one? Like algo and/or key used?

  14. #14

    Sure. The file format for the astro saber and astro spectra is different to the ones for the newer lines. I have an astro spectra, so that's what I looked at.

    Inside the cvn/enc there is a header for each file contained inside. Here is the key data and some metadata.

    The key data is actually sent to the srib along with the file. So if you sit with an analyzer and simply watch this traffic to the srib you will not recover the plaintext material.

    Thinking about 8-bit micros is like watching Flintstones when it comes to cryptography. So, it's impossible for the process to be very complex. Indeed it is simple XOR. But there is an S-box too so it's a difficult challenge.

    I will certainly help you examine cvn files that you are interested in. Is there a legitimate need among radio service people for a tool to do this?

  15. #15

    Just for the record:

    This conversation about reverse engineering the CVNs IS permitted, so long as the discussion does not go in the direction of how to modify CPS to bypass the requirement of a refresh key (iButton). Motorola sells firmware refreshes and any conversation about how to circumvent the iButton could be seen as loss of revenue/fraud.

    But so far, so good.

  16. #16

    I will never have a smartrib unless I build my own so my goal is to read and write these memories without one. I think that it can be done using an ft232 or small micro like msp430. The smartrib is needless waste with its uart hanging on and giant memories. F that noise!!

    ... maybe the BUS PIRATE can do it!!