
USB capture of AM8251 firmware update

Open floe opened this issue 9 years ago • 11 comments

I did a bit of experimentation with my AM8251-based HDMI streaming adapter, and captured a firmware update over USB using libpcap on a Windows VM. It's rather large (~100 MB), so I thought I'd ask first if anybody would be interested in looking at the dump file? I think it should be possible to reverse-engineer the ADFU protocol from that, or at least get a decent start... /cc @ao2

floe avatar Mar 24 '15 14:03 floe

@floe thanks for keeping me in the loop, however I don't have any such devices so I don't think I am going to do any serious work on that. I might take a peek just to see if there is anything familiar, but no promises.

ao2 avatar Mar 24 '15 15:03 ao2

Well, I was thinking that maybe the AM7xxx series uses the same protocol, so it might still be useful for you. I'm also pretty sure that the USB dump contains a sequence where parts of the firmware are read from the device (to check version numbers), so that may offer an easy way to dump firmware from more than one different Actions Micro device. In any case, for anyone interested, here's the link to the PCAP file: http://floe.butterbrot.org/external/usb.pcap

floe avatar Mar 24 '15 19:03 floe

Hey Florian,

There's a backup.zip in this repository that contains am7x libraries. You have probably already come across it also, but the firmware dump tools provided by the s1mp3 project may be helpful.

On Mar 24, 2015 8:34 PM, "Florian Echtler" wrote:

> Well, I was thinking that maybe the AM7xxx series uses the same protocol, so it might still be useful for you. I'm also pretty sure that the USB dump contains a sequence where parts of the firmware are read from the device (to check version numbers), so that may offer an easy way to dump firmware from more than one different Actions Micro device. In any case, for anyone interested, here's the link to the PCAP file: http://floe.butterbrot.org/external/usb.pcap


c3c avatar Mar 24 '15 20:03 c3c

Yes, IIRC I checked the s1mp3 tools, but the endpoints of the ADFU mode on AM8251 don't match those expected by the s1mp3 protocol.

floe avatar Mar 24 '15 20:03 floe

Ah, just for the record, the am7xxx USB projector I've got does not even use USB mass storage, so I don't think it can use the same SCSI protocol I see in the dump, some other am7xxx devices might though.

When reversing the protocol of my projector I also looked at the disassembled Windows binaries to get hints about the data formats, maybe this can be useful in your case too.

BTW I wonder if it'd be easier to handle this protocol at the SCSI level with the "sg" driver http://sg.danny.cz/sg/ and letting the USB Mass storage layer take care of the USB details (USBC, USBS, etc.), rather than talking USB directly with the device using libusb. The sg driver should allow custom SCSI commands, but I never tried.

Ciao, Antonio

ao2 avatar Mar 26 '15 18:03 ao2

That looks promising, although I'm not sure if the protocol is just accidentally decoded as SCSI. At least, none of the standard Linux SCSI drivers (including sg) bind to it, and the interface class is 0xFF...

floe avatar Mar 26 '15 18:03 floe

I've seen that there are some other devices that perform firmware updates over a SCSI-like protocol, but they are actually SCSI devices so I don't know how similar this is; anyway here is where I saw it: https://github.com/scanlime/coastermelt/blob/master/doc/update-ts01-notes.txt

ao2 avatar Apr 08 '15 08:04 ao2

Interesting, good find... maybe @scanlime would like to have a look at the present PCAP dump sometime?

floe avatar Apr 08 '15 11:04 floe

Hi guys!

Please look at the Comments thread where I was directed from, by the very clever and helpful author, Hauke 😁😁

https://projects.webvoss.de/2019/03/23/le-potato-media-center-german-iptv-re-revisited/?unapproved=213&moderation-hash=9524af25c6720bad11da0b67ad02aa77#comment-213

So:

  1. Any update? Apparently from XDA post, ezcast.com updated the ROM in Aug 2015, after declining to engage with Checkpoint!

  2. I am looking to use a regular cheap IR TV remote control to control the incoming DLNA stream to the ezcast, from a media server like TVheadend, Plex, VLC which don't have native LIRC or remote control support.

Do you think the ezcast already has LIRC to which such an IR RC could directly input keystroke codes, or LIRC could be installed?

Any help with this using SSH or other access method I would greatly appreciate! After all hacking is what advances the state of art 🐡🐡🐡

siliconhippy avatar Apr 08 '19 01:04 siliconhippy

I looked at the update application and I can tell you that it is pretty much similar to what is described here with some commands added; I can tell you that the dump follows the USB mass storage bulk only transfer (a little explanation here).

There is also a project that is doing the same with a board with a similar processor here.

gipi avatar Apr 15 '19 08:04 gipi
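
Added example, not part of the thread or of any project mentioned in it: a minimal decoder for the USB mass storage Bulk-Only Transport framing referred to above (the USBC command wrapper and USBS status wrapper), pairing each command with its data phase and status. The function names, the sample payloads and the vendor opcode 0xCC are constructed for illustration and are not taken from the PCAP.

```python
import struct

CBW_SIG = b"USBC"   # Command Block Wrapper signature (host -> device)
CSW_SIG = b"USBS"   # Command Status Wrapper signature (device -> host)

def parse_cbw(buf):
    """Decode a 31-byte CBW; return None if buf is not a CBW."""
    if len(buf) != 31 or buf[:4] != CBW_SIG:
        return None
    tag, xfer_len, flags, lun, cb_len = struct.unpack_from("<IIBBB", buf, 4)
    cb_len &= 0x1F
    if not 1 <= cb_len <= 16:
        return None
    return {"tag": tag, "xfer_len": xfer_len,
            "dir": "in" if flags & 0x80 else "out",
            "lun": lun & 0x0F, "cdb": buf[15:15 + cb_len]}

def parse_csw(buf):
    """Decode a 13-byte CSW; return None if buf is not a CSW."""
    if len(buf) != 13 or buf[:4] != CSW_SIG:
        return None
    tag, residue, status = struct.unpack_from("<IIB", buf, 4)
    return {"tag": tag, "residue": residue, "status": status}

def pair_commands(payloads):
    """Walk bulk payloads in capture order; attach data and status to each command."""
    done, current = [], None
    for p in payloads:
        cbw, csw = parse_cbw(p), parse_csw(p)
        if cbw:
            current = dict(cbw, data=b"", status=None)
        elif csw and current and csw["tag"] == current["tag"]:
            current["status"] = csw["status"]
            current["residue"] = csw["residue"]
            done.append(current)
            current = None
        elif current:
            current["data"] += p   # data phase between CBW and CSW
    return done

# Constructed sample payloads (not from the thread's PCAP): a made-up vendor
# opcode 0xCC reading 4 bytes, then its data phase and a passing CSW.
SAMPLE = [
    CBW_SIG + struct.pack("<IIBBB", 0x11, 4, 0x80, 0, 6)
            + bytes([0xCC, 0, 0, 0, 0, 0]) + bytes(10),
    b"\x01\x02\x03\x04",
    CSW_SIG + struct.pack("<IIB", 0x11, 0, 0),
]

for cmd in pair_commands(SAMPLE):
    print(hex(cmd["tag"]), cmd["dir"], cmd["cdb"].hex(), cmd["data"].hex(), cmd["status"])
```

Feeding it the bulk endpoint payloads exported from a capture, in order, gives a per-command list of opcodes and data that can be compared across update runs.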

Appreciate that. 😀 Heard of Linaro.

siliconhippy avatar Apr 15 '19 08:04 siliconhippy