So the USB device provided by the unit when booting in recovery mode is an Actions device, vid: 0x10d6, pid: 0x10d6.
It appears to mimic the USB Mass Storage protocol, but a little loosely.
It doesn't follow any of the SCSI commands, instead it appears to have its own command interface.
Commands 0x05, 0x10, and 0xCC were as far as I know found by
https://twitter.com/hissorii_com , so props to him. He's attempted to do a little disassembling, but didn't look to go too far before getting bored and giving up. I'll delve in to 0xCC in a different post.
The following have all been disassembled from the x86 linux firmware writing program provided by Actions, from the CMipsDrm class (they left symbols in, awesome!). The x64 version, and the windows versions differ slightly, some fill out the 0x08-0x0B bytes a bit more, some write more zeroes in to bytes, but they're mostly the same. There's also a CDrm class, I may disassemble those too in the future.
Any byte filled with a period hasn't been written to explicitly by one of the routines, but are zeroed out initially. Any byte filled with 0x00 has been explicitly zeroed by a routine, on top of the initial zeroing.
Note regarding the "certificates", I have no idea what these are, they are quite confusing. Each command appears to fetch a different 16bit integer and call it a "certificate".
ADFU Write Type=0x05 |
Offset: | 0x00 | 0x01 | 0x02 | 0x03 | 0x04 | 0x05 | 0x06 | 0x07 | 0x08 | 0x09 | 0x0A | 0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| 'U' | 'S' | 'B' | 'C' | . | . | . | . | length | 0x00 | . | 0x10 | 0x05 |
Offset: | 0x10 | 0x11 | 0x12 | 0x13 | 0x14 | 0x15 | 0x16 | 0x17 | 0x18* | 0x19 | 0x1A | 0x1B | 0x1C | 0x1D | 0x1E |
| address | length | . & 0x7F | . | . | . | . | . | . |
0x18* : the code AND's 0x7F at offset 0x18 on top of zeroed memory |
ADFU Write Type=0x08 |
Offset: | 0x00 | 0x01 | 0x02 | 0x03 | 0x04 | 0x05 | 0x06 | 0x07 | 0x08 | 0x09 | 0x0A | 0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| 'U' | 'S' | 'B' | 'C' | . | . | . | . | length | 0x00 | . | 0x10 | 0x08 |
Offset: | 0x10 | 0x11 | 0x12 | 0x13 | 0x14 | 0x15 | 0x16 | 0x17 | 0x18* | 0x19 | 0x1A | 0x1B | 0x1C | 0x1D | 0x1E |
| address | address4 | . | length >> 9 | . & 0x7F | . | . | . | . | . | . |
0x18* : the code AND's 0x7F at offset 0x18 on top of zeroed memory |
ADFU Write Type=0xB0 |
Offset: | 0x00 | 0x01 | 0x02 | 0x03 | 0x04 | 0x05 | 0x06 | 0x07 | 0x08 | 0x09 | 0x0A | 0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| 'U' | 'S' | 'B' | 'C' | . | . | . | . | length | 0x00 | . | 0x10 | 0xB0 |
Offset: | 0x10 | 0x11 | 0x12 | 0x13 | 0x14 | 0x15 | 0x16 | 0x17 | 0x18 | 0x19 | 0x1A | 0x1B | 0x1C | 0x1D | 0x1E |
| address | 0x7F & address4 | . | length >> 9 | certificate | . | . | . | . | . |
ADFU Write Type=0xB0,0x7F |
Offset: | 0x00 | 0x01 | 0x02 | 0x03 | 0x04 | 0x05 | 0x06 | 0x07 | 0x08 | 0x09 | 0x0A* | 0x0B* | 0x0C | 0x0D | 0x0E | 0x0F |
| 'U' | 'S' | 'B' | 'C' | . | . | . | . | length | 0x00 | . | 0x10 | 0xB0 |
Offset: | 0x10* | 0x11 | 0x12 | 0x13 | 0x14 | 0x15 | 0x16 | 0x17 | 0x18 | 0x19 | 0x1A | 0x1B | 0x1C | 0x1D | 0x1E |
| . & 0x7F | . | . | . | . | . | length >> 9 | certificate | . | . | . | . | . |
0x0A,0x0B* : bytes at offset 0x0A and 0x0B had 0x00 written to it before the length
0x10* : for some reason the code AND's 0x7F at offset 0x10 on top of the zeroed memory |
ADFU Write Type=0xC9,0xF0 |
Offset: | 0x00 | 0x01 | 0x02 | 0x03 | 0x04 | 0x05 | 0x06 | 0x07 | 0x08 | 0x09 | 0x0A | 0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| 'U' | 'S' | 'B' | 'C' | . | . | . | . | length | 0x00 | . | 0x10 | 0xC9 |
Offset: | 0x10 | 0x11 | 0x12 | 0x13 | 0x14 | 0x15 | 0x16 | 0x17 | 0x18 | 0x19 | 0x1A | 0x1B | 0x1C | 0x1D | 0x1E |
| 0xF0 | . | . | . | . | . | length | . | . | . | . | . | . | . |
ADFU Write Type=0xC9,0xF2 |
Offset: | 0x00 | 0x01 | 0x02 | 0x03 | 0x04 | 0x05 | 0x06 | 0x07 | 0x08 | 0x09 | 0x0A | 0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| 'U' | 'S' | 'B' | 'C' | . | . | . | . | length | 0x00 | . | 0x10 | 0xC9 |
Offset: | 0x10 | 0x11 | 0x12 | 0x13 | 0x14 | 0x15 | 0x16 | 0x17 | 0x18 | 0x19 | 0x1A | 0x1B | 0x1C | 0x1D | 0x1E |
| 0xF2 | . | . | . | . | . | length | . | . | . | . | . | . | . |
ADFU Write Type=0xC9,0xF3 |
Offset: | 0x00 | 0x01 | 0x02 | 0x03 | 0x04 | 0x05 | 0x06 | 0x07 | 0x08 | 0x09 | 0x0A | 0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| 'U' | 'S' | 'B' | 'C' | . | . | . | . | length | 0x00 | . | 0x10 | 0xC9 |
Offset: | 0x10 | 0x11 | 0x12 | 0x13 | 0x14 | 0x15 | 0x16 | 0x17 | 0x18 | 0x19 | 0x1A | 0x1B | 0x1C | 0x1D | 0x1E |
| 0xF3 | . | . | . | . | . | length | . | . | . | . | . | . | . |
ADFU Write Type=0xC9,0xF4 |
Offset: | 0x00 | 0x01 | 0x02 | 0x03 | 0x04 | 0x05 | 0x06 | 0x07 | 0x08 | 0x09 | 0x0A | 0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| 'U' | 'S' | 'B' | 'C' | . | . | . | . | length | 0x00 | . | 0x10 | 0xC9 |
Offset: | 0x10 | 0x11 | 0x12 | 0x13 | 0x14 | 0x15 | 0x16 | 0x17 | 0x18 | 0x19 | 0x1A | 0x1B | 0x1C | 0x1D | 0x1E |
| 0xF4 | . | . | . | . | . | length | . | . | . | . | . | . | . |
ADFU Read Type=0x05 |
Offset: | 0x00 | 0x01 | 0x02 | 0x03 | 0x04 | 0x05 | 0x06 | 0x07 | 0x08 | 0x09 | 0x0A | 0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| 'U' | 'S' | 'B' | 'C' | . | . | . | . | . | . | . | . | 0x80 | 0x00 | 0x0C | 0x05 |
Offset: | 0x10 | 0x11 | 0x12 | 0x13 | 0x14 | 0x15 | 0x16 | 0x17 | 0x18* | 0x19 | 0x1A | 0x1B | 0x1C | 0x1D | 0x1E |
| address | length | . | 0x80 | . | . | . | . | . | . |
0x18* : 0x80 is OR'd on top of the zeroed memory |
ADFU Read Type=0xB0 |
Offset: | 0x00 | 0x01 | 0x02 | 0x03 | 0x04 | 0x05 | 0x06 | 0x07 | 0x08 | 0x09 | 0x0A | 0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| 'U' | 'S' | 'B' | 'C' | . | . | . | . | . | . | . | . | 0x80 | 0x00 | 0x0C | 0xB0 |
Offset: | 0x10 | 0x11 | 0x12 | 0x13 | 0x14 | 0x15 | 0x16 | 0x17 | 0x18 | 0x19 | 0x1A | 0x1B | 0x1C | 0x1D | 0x1E |
| address | 0x80 | address4 | . | length >> 9 | certificate | . | . | . | . | . |
ADFU Read Type=0xCA,0xF0 |
Offset: | 0x00 | 0x01 | 0x02 | 0x03 | 0x04 | 0x05 | 0x06 | 0x07 | 0x08 | 0x09 | 0x0A | 0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| 'U' | 'S' | 'B' | 'C' | . | . | . | . | . | . | . | . | 0x80 | 0x00 | 0x0C | 0xCA |
Offset: | 0x10 | 0x11 | 0x12 | 0x13 | 0x14 | 0x15 | 0x16 | 0x17 | 0x18 | 0x19 | 0x1A | 0x1B | 0x1C | 0x1D | 0x1E |
| 0xF0 | . | . | . | . | . | length | . | . | . | . | . | . | . |
ADFU Read Type=0xCA,0xF1 |
Offset: | 0x00 | 0x01 | 0x02 | 0x03 | 0x04 | 0x05 | 0x06 | 0x07 | 0x08 | 0x09 | 0x0A | 0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| 'U' | 'S' | 'B' | 'C' | . | . | . | . | length | 0x00 | 0x00 | 0x80 | 0x00 | 0x0C | 0xCA |
Offset: | 0x10 | 0x11 | 0x12 | 0x13 | 0x14 | 0x15 | 0x16 | 0x17 | 0x18 | 0x19 | 0x1A | 0x1B | 0x1C | 0x1D | 0x1E |
| 0xF1 | . | . | . | . | . | length | . | . | . | . | . | . | . |
ADFU Read Type=0xCA,0xF5 |
Offset: | 0x00 | 0x01 | 0x02 | 0x03 | 0x04 | 0x05 | 0x06 | 0x07 | 0x08 | 0x09 | 0x0A | 0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| 'U' | 'S' | 'B' | 'C' | . | . | . | . | . | . | . | . | 0x80 | 0x00 | 0x0C | 0xCA |
Offset: | 0x10 | 0x11 | 0x12 | 0x13 | 0x14 | 0x15 | 0x16 | 0x17 | 0x18 | 0x19 | 0x1A | 0x1B | 0x1C | 0x1D | 0x1E |
| 0xF5 | . | . | . | . | . | length | . | . | . | . | . | . | . |
ADFU Read Type=0xCA,0xF6 |
Offset: | 0x00 | 0x01 | 0x02 | 0x03 | 0x04 | 0x05 | 0x06 | 0x07 | 0x08 | 0x09 | 0x0A | 0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| 'U' | 'S' | 'B' | 'C' | . | . | . | . | . | . | . | . | 0x80 | 0x00 | 0x0C | 0xCA |
Offset: | 0x10 | 0x11 | 0x12 | 0x13 | 0x14 | 0x15 | 0x16 | 0x17 | 0x18 | 0x19 | 0x1A | 0x1B | 0x1C | 0x1D | 0x1E |
| 0xF6 | . | . | . | . | . | length | . | . | . | . | . | . | . |
No comments:
Post a Comment