Reverse engineering the TM9154 firmware

CRCinAU

Programmer
Joined
May 7, 2012
Messages
78
OK, so further to my work on the SFE keys and protocol, I've got some further info and I'm hoping someone will be able to take this further.

Attached is v6.09.01 of the firmware for the TM9154. These are converted to binary files and cannot be loaded into a radio.

QMA3F_A00_6.09.01.0001.Srec.bin = Torso firmware
QCA4F_A00_6.09.01.0001.Srec.bin = Control head?
QMA3A_A01_6.09.00.0001.Srec.bin = Boot loader?

The SFE keys are processed within QMA3F_A00_6.09.01.0001.Srec.bin. The source for this file seems to be:
TaitTerm_DataServices/Torso/FeatureEnabler/private/syften_Sfe.c

I don't believe this file changes between firmware versions - as it would cause all previously validated SFE keys to expire - or at least cause issues in the SFE key issuing.

The CPU that seems to be emulated on an Altera FPGA is the "Leon Sumo Processor Core", and the dev environment for this seems to be available at Tait's Open Source site. The file cpu\tech_altera.vhd within the processor core download is contributed by Tait for the purposes of their radio.

The real-time OS used on top of the processor core is eCos. Tait's modifications can also be downloaded from the Tait site as part of the eCos package provided.

So far, from the codes I have been able to deduce, we're down to the following layout:
Code:
    00XXXXXXXXXXXXXXXXYYZZZZZZZSS0CC
This translates roughly to:
X = Authentication code??
Y = feature code (in HEX!) (see http://www.crc.id.au/apco25/sfe.html#3)
Z = serial number? (We can get this by reading ANY key in the radio)
S = Sequence number
C = Checksum

So, we're now down to 8 bytes. The X's. 16 values from 0-F that hold the key.

We have a few theories: that it may be a DES-encrypted block, or a checksum of a string.

The reason for looking at the radio firmware is that the SFE keys come from Tait directly - and Tait keep a database of issued keys. These keys are ONLY verified in the actual radio - probably in syften_Sfe.c - and either enabled or rejected based on what that does.

So, I need help here. We have the architecture, and the firmware. Now I need some guidance on how to start looking at the big picture on how all this fits together to get some real debugging going :p
Attachments

  • v6.09.01.zip (903.5 KB)

mpron

Contributing Member
Joined
May 8, 2012
Messages
77
If it's any help, I have firmware for all 9000 series and some 8000 series dating back to 6.something to 9.something.
CRCinAU

Programmer
Joined
May 7, 2012
Messages
78
Everything is good!

You can upload anonymously to ftp.crc.id.au/incoming :)
 

Motorobber

Prolific Contributor
Joined
May 16, 2012
Messages
109
If you do get some fresh firmware, any chance you can add it to your webpage CRCinAU??
CRCinAU

Programmer
Joined
May 7, 2012
Messages
78
Possibly. It depends on the wishes of the person who leaks the firmware to me. I will honour what that person requests.
gaztolmie

Guest
Mr. Moderator, please excuse me for being a drunken dick (I have just worked a full shift of 12-hour days, so some excuse). The last post was meant for "Tait Feature Keys - TM9100 series". Could you repost please?

Gaz