Thursday, September 27, 2018

ADFU ops

So the USB device provided by the unit when booting in recovery mode is an Actions device, vid: 0x10d6, pid: 0x10d6.
It appears to mimic the USB Mass Storage protocol, but a little loosely.
It doesn't follow any of the SCSI commands; instead it appears to have its own command interface.

Commands 0x05, 0x10, and 0xCC were, as far as I know, found by https://twitter.com/hissorii_com, so props to him. He's attempted to do a little disassembling, but didn't look to go too far before getting bored and giving up. I'll delve into 0xCC in a different post.

The following have all been disassembled from the x86 Linux firmware-writing program provided by Actions, from the CMipsDrm class (they left symbols in, awesome!). The x64 version and the Windows versions differ slightly: some fill out the 0x08-0x0B bytes a bit more, some write more zeroes into bytes, but they're mostly the same. There's also a CDrm class; I may disassemble those too in the future.

Any byte shown as a period hasn't been written to explicitly by one of the routines, but is zeroed out initially. Any byte shown as 0x00 has been explicitly zeroed by a routine, on top of the initial zeroing.

Note regarding the "certificates": I have no idea what these are; they are quite confusing. Each command appears to fetch a different 16-bit integer and call it a "certificate".

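ADFU Write Type=0x05

| Offset | 0x00 | 0x01 | 0x02 | 0x03 | 0x04-0x07 | 0x08-0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value | 'U' | 'S' | 'B' | 'C' | . . . . | length | 0x00 | . | 0x10 | 0x05 |

| Offset | 0x10-0x13 | 0x14-0x17 | 0x18* | 0x19-0x1E |
| --- | --- | --- | --- | --- |
| Value | address | length | . & 0x7F | . . . . . . |

0x18* : the code ANDs 0x7F at offset 0x18 on top of zeroed memory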

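ADFU Write Type=0x08

| Offset | 0x00 | 0x01 | 0x02 | 0x03 | 0x04-0x07 | 0x08-0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value | 'U' | 'S' | 'B' | 'C' | . . . . | length | 0x00 | . | 0x10 | 0x08 |

| Offset | 0x10-0x13 | 0x14 | 0x15 | 0x16-0x17 | 0x18* | 0x19-0x1E |
| --- | --- | --- | --- | --- | --- | --- |
| Value | address | address4 | . | length >> 9 | . & 0x7F | . . . . . . |

0x18* : the code ANDs 0x7F at offset 0x18 on top of zeroed memory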

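ADFU Write Type=0xB0

| Offset | 0x00 | 0x01 | 0x02 | 0x03 | 0x04-0x07 | 0x08-0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value | 'U' | 'S' | 'B' | 'C' | . . . . | length | 0x00 | . | 0x10 | 0xB0 |

| Offset | 0x10-0x13 | 0x14 | 0x15 | 0x16-0x17 | 0x18-0x19 | 0x1A-0x1E |
| --- | --- | --- | --- | --- | --- | --- |
| Value | address | 0x7F & address4 | . | length >> 9 | certificate | . . . . . |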

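ADFU Write Type=0xB0,0x7F

| Offset | 0x00 | 0x01 | 0x02 | 0x03 | 0x04-0x07 | 0x08-0x0B (0x0A*, 0x0B*) | 0x0C | 0x0D | 0x0E | 0x0F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value | 'U' | 'S' | 'B' | 'C' | . . . . | length | 0x00 | . | 0x10 | 0xB0 |

| Offset | 0x10* | 0x11-0x15 | 0x16-0x17 | 0x18-0x19 | 0x1A-0x1E |
| --- | --- | --- | --- | --- | --- |
| Value | . & 0x7F | . . . . . | length >> 9 | certificate | . . . . . |

0x0A,0x0B* : bytes at offset 0x0A and 0x0B had 0x00 written to them before the length
0x10* : for some reason the code ANDs 0x7F at offset 0x10 on top of the zeroed memory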

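ADFU Write Type=0xC9,0xF0

| Offset | 0x00 | 0x01 | 0x02 | 0x03 | 0x04-0x07 | 0x08-0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value | 'U' | 'S' | 'B' | 'C' | . . . . | length | 0x00 | . | 0x10 | 0xC9 |

| Offset | 0x10 | 0x11-0x15 | 0x16-0x17 | 0x18-0x1E |
| --- | --- | --- | --- | --- |
| Value | 0xF0 | . . . . . | length | . . . . . . . |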

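ADFU Write Type=0xC9,0xF2

| Offset | 0x00 | 0x01 | 0x02 | 0x03 | 0x04-0x07 | 0x08-0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value | 'U' | 'S' | 'B' | 'C' | . . . . | length | 0x00 | . | 0x10 | 0xC9 |

| Offset | 0x10 | 0x11-0x15 | 0x16-0x17 | 0x18-0x1E |
| --- | --- | --- | --- | --- |
| Value | 0xF2 | . . . . . | length | . . . . . . . |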

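ADFU Write Type=0xC9,0xF3

| Offset | 0x00 | 0x01 | 0x02 | 0x03 | 0x04-0x07 | 0x08-0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value | 'U' | 'S' | 'B' | 'C' | . . . . | length | 0x00 | . | 0x10 | 0xC9 |

| Offset | 0x10 | 0x11-0x15 | 0x16-0x17 | 0x18-0x1E |
| --- | --- | --- | --- | --- |
| Value | 0xF3 | . . . . . | length | . . . . . . . |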

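ADFU Write Type=0xC9,0xF4

| Offset | 0x00 | 0x01 | 0x02 | 0x03 | 0x04-0x07 | 0x08-0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value | 'U' | 'S' | 'B' | 'C' | . . . . | length | 0x00 | . | 0x10 | 0xC9 |

| Offset | 0x10 | 0x11-0x15 | 0x16-0x17 | 0x18-0x1E |
| --- | --- | --- | --- | --- |
| Value | 0xF4 | . . . . . | length | . . . . . . . |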

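ADFU Read Type=0x05

| Offset | 0x00 | 0x01 | 0x02 | 0x03 | 0x04-0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value | 'U' | 'S' | 'B' | 'C' | . . . . . . . . | 0x80 | 0x00 | 0x0C | 0x05 |

| Offset | 0x10-0x13 | 0x14-0x17 | 0x18* | 0x19-0x1E |
| --- | --- | --- | --- | --- |
| Value | address | length | . \| 0x80 | . . . . . . |

0x18* : 0x80 is OR'd on top of the zeroed memory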

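ADFU Read Type=0xB0

| Offset | 0x00 | 0x01 | 0x02 | 0x03 | 0x04-0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value | 'U' | 'S' | 'B' | 'C' | . . . . . . . . | 0x80 | 0x00 | 0x0C | 0xB0 |

| Offset | 0x10-0x13 | 0x14 | 0x15 | 0x16-0x17 | 0x18-0x19 | 0x1A-0x1E |
| --- | --- | --- | --- | --- | --- | --- |
| Value | address | 0x80 \| address4 | . | length >> 9 | certificate | . . . . . |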

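ADFU Read Type=0xCA,0xF0

| Offset | 0x00 | 0x01 | 0x02 | 0x03 | 0x04-0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value | 'U' | 'S' | 'B' | 'C' | . . . . . . . . | 0x80 | 0x00 | 0x0C | 0xCA |

| Offset | 0x10 | 0x11-0x15 | 0x16-0x17 | 0x18-0x1E |
| --- | --- | --- | --- | --- |
| Value | 0xF0 | . . . . . | length | . . . . . . . |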

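ADFU Read Type=0xCA,0xF1

| Offset | 0x00 | 0x01 | 0x02 | 0x03 | 0x04-0x07 | 0x08-0x09 | 0x0A | 0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value | 'U' | 'S' | 'B' | 'C' | . . . . | length | 0x00 | 0x00 | 0x80 | 0x00 | 0x0C | 0xCA |

| Offset | 0x10 | 0x11-0x15 | 0x16-0x17 | 0x18-0x1E |
| --- | --- | --- | --- | --- |
| Value | 0xF1 | . . . . . | length | . . . . . . . |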

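ADFU Read Type=0xCA,0xF5

| Offset | 0x00 | 0x01 | 0x02 | 0x03 | 0x04-0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value | 'U' | 'S' | 'B' | 'C' | . . . . . . . . | 0x80 | 0x00 | 0x0C | 0xCA |

| Offset | 0x10 | 0x11-0x15 | 0x16-0x17 | 0x18-0x1E |
| --- | --- | --- | --- | --- |
| Value | 0xF5 | . . . . . | length | . . . . . . . |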

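ADFU Read Type=0xCA,0xF6

| Offset | 0x00 | 0x01 | 0x02 | 0x03 | 0x04-0x0B | 0x0C | 0x0D | 0x0E | 0x0F |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Value | 'U' | 'S' | 'B' | 'C' | . . . . . . . . | 0x80 | 0x00 | 0x0C | 0xCA |

| Offset | 0x10 | 0x11-0x15 | 0x16-0x17 | 0x18-0x1E |
| --- | --- | --- | --- | --- |
| Value | 0xF6 | . . . . . | length | . . . . . . . |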
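
As an added example (not code from the original post or from the Actions tool), this decoder turns a captured 31-byte command block into named fields, which is handy when reviewing a USB capture of the firmware writer. Field positions are read off the tables above by counting bytes; the field names, little-endian byte order, and treating bit 7 of offset 0x0C as a direction flag (as in a USB mass storage Command Block Wrapper) are assumptions.

```python
import struct

SIGNATURE = b"USBC"
BLOCK_LEN = 0x1F  # offsets 0x00..0x1E in the tables

def parse_adfu_block(block: bytes) -> dict:
    """Decode one 31-byte command block. Little-endian fields are an assumption."""
    if len(block) != BLOCK_LEN:
        raise ValueError(f"expected {BLOCK_LEN} bytes, got {len(block)}")
    if block[:4] != SIGNATURE:
        raise ValueError("missing 'USBC' signature")
    # 0x08-0x0B length, 0x0C direction flag, 0x0D untouched, 0x0E, 0x0F command
    xfer_len, flags, _, cb_len, cmd = struct.unpack_from("<IBBBB", block, 0x08)
    is_read = bool(flags & 0x80)
    out = {
        "direction": "read" if is_read else "write",
        "transfer_length": xfer_len,
        "command": cmd,
        # The tables pair 0x0C at offset 0x0E with reads and 0x10 with writes.
        "offset_0x0e_as_documented": cb_len == (0x0C if is_read else 0x10),
    }
    body = block[0x10:]
    if cmd == 0x05:
        out["address"], out["length"] = struct.unpack_from("<II", body, 0)
    elif cmd in (0x08, 0xB0):
        out["address"] = struct.unpack_from("<I", body, 0)[0]
        out["address4"] = body[4]
        out["length_shr9"] = struct.unpack_from("<H", body, 6)[0]
        if cmd == 0xB0:
            out["certificate"] = struct.unpack_from("<H", body, 8)[0]
    elif cmd in (0xC9, 0xCA):
        out["subcommand"] = body[0]
        out["length"] = struct.unpack_from("<H", body, 6)[0]
    else:
        out["undecoded_body"] = body.hex()
    return out

def make_sample(flags, cb_len, cmd, body, xfer_len=0):
    """Build a constructed block for testing; values are illustrative only."""
    header = SIGNATURE + bytes(4) + struct.pack("<IBBBB", xfer_len, flags, 0, cb_len, cmd)
    return header + body.ljust(15, b"\0")

READ_05 = make_sample(0x80, 0x0C, 0x05, struct.pack("<IIB", 0x1000, 0x200, 0x80))
WRITE_C9_F0 = make_sample(0x00, 0x10, 0xC9, b"\xF0" + bytes(5) + struct.pack("<H", 0x40), 0x40)

if __name__ == "__main__":
    for blk in (READ_05, WRITE_C9_F0):
        print(parse_adfu_block(blk))
```

A block whose offset 0x0E value does not match the pairing seen in the tables is reported with `offset_0x0e_as_documented` set to False rather than rejected, since the post notes that other builds of the tool fill some bytes differently.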
