phone-side
/
quectel-experiments
13
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
quectel-experiments/update-ec20
History
Holger Hans Peter Freyther bd82bb4fef Add utility to build a delta file with a single insert 
For hijacking build a complete delta for a single insert. Need to
externalize the parameters. It could work for multiple files too.
 		2016-12-18 12:30:26 +01:00
..
data Add crashing example 2016-12-17 19:15:24 +01:00
README.ascii Further document the format and produce a rogue system update 2016-12-17 18:50:08 +01:00
build_diff.py Add utility to build a delta file with a single insert 2016-12-18 12:30:26 +01:00
dissect.py Figure out where the first lzma data will start... 2016-12-13 11:58:50 +01:00

README.ascii 

Handling of EC20 FOTA updates
=============================

See https://osmocom.org/projects/quectel-modems/wiki/EC20_DFOTA
for general information. This is a script to dissect and maybe
re-assemble the system.diff file. Let's see how far we get.


After the header is a table of data.. before the first LZMA
compressed update. The size of that area seems to be computed
as:
	8 * num_diffs (maybe two CRC32?)
	4 * num_insert (maybe a single CRC32)?
	followed by lzma... TOC of size compress_sz
	LZMA again.. depends on the TOC.. delta_pos contains addr


LZMA needs to be compressed in 'alone' format and needs to have
the decompressed size in the header! 0xFF... leads to parse error
xz -F alone demo.sh

LZMA: https://github.com/nobled/xz/commit/7d17818cec8597f847b0a2537fde991bbc3d9e96
removed uncompressed_size support. So an plder version is needed..
or use the original lzma SDK


0x0000d084 in is_expected_sig ()
r10            0x29079d54	688364884
r11            0x2e4c8	189640
r12            0xd4184197	-736607849

r10 / r12 in is_expected_sig compares crc32.. r10 is result,
r12 is expecation..


LDR     R0, [SP,#0xA0+var_48]
LDR     R1, [SP,#0xA0+var_54]
LDR     R2, [SP,#0xA0+var_60]
ADD     R3, SP, #0xA0+var_2C
BL      _RB_LzmaDecode

int LzmaDecode(CLzmaDecoderState *vs,
    #ifdef _LZMA_IN_CB
    ILzmaInCallback *InCallback,
    #else
    const unsigned char *inStream, SizeT inSize, SizeT *inSizeProcessed,
    #endif
    unsigned char *outStream, SizeT outSize, SizeT *outSizeProcessed)

So mpst likely InCallback, outStream, outSize, outSizeProcessed...


int LzmaDecoderInit(
    unsigned char *buffer, UInt32 bufferSize,
    int lc, int lp, int pb,
    unsigned char *dictionary, UInt32 dictionarySize,
    #ifdef _LZMA_IN_CB
    ILzmaInCallback *inCallback
    #else
    unsigned char *inStream, UInt32 inSize
    #endif
    )



Breakpoint 16, 0x0001b938 in _RB_LzmaDecoderInit ()
(gdb) info registers
r0             0x40989240	1083740736		buffer
r1             0x3ec0	16064				bufferSize
r2             0x3	3				lc
r3             0x0	0				lp
r4             0x2	2				pb
r5             0x407ffaac	1082129068		dictionary
r6             0x0	0				dictsize
r7             0x2f6c0	194240				CB
r8             0x1	1
r9             0x40987e54	1083735636
r10            0x0	0
r11            0x3	3
r12            0x13ec	5100
sp             0x407ffa20	0x407ffa20
lr             0x17bb4	97204
pc             0x1b938	0x1b938 <_RB_LzmaDecoderInit>
cpsr           0x60000010	1610612752