Custom Sylvania ROM development

tfurrows

Member
Jun 15, 2011
58
11
One more CRC calculator to try; this one has a few more options: CRC calculation

For what it's worth, be flexible as you look for the right checksum; I had a project where the checksum matched Kermit CRC-CCITT except that the two bytes were flipped...

Do you have the header, data and checksums positively identified?

cfrockit

Senior Member
Dec 26, 2010
627
191
You can download my resv.img (mtdblock2 partition), from the following link.

SYTAB10MT
Hardware ID: 11.6.3.1
Kernel: 2.6.32.9
Android: DG2.2.1-10a2

mtdblock2 ("resv") image file: http://jozhaus.com/files/resv.img

It was retrieved simply by using 'cat /dev/block/mtdblock2 > ./resv.img' on my SD card. I have inspected it with Pspad HEX, nothing further.

tfurrows's resv.img is a complete multi-part 11.6.3.1.2.0 InfoTM Update Wrap (.ius) file; however, it fails to open in IUW.exe Version 1.2, but it will open in vio's Ius Editor.

This confirms the mtd2 "/dev/block/mtdblock2" is in some way a Recovery partition containing a complete InfoTM Update Wrap file, which could be dumped and saved to use in case the device needs to be manually updated. We just need to ensure we keep the update file intact so it can be used with IUW.exe.

tfurrows, could you attempt to dump it again but use this command and then post the result for inspection?

Code:
dd if=/dev/mtd/mtd2 of=/sdcard/mtd2.img bs=4096

What is still missing is where the zSYS.img that is used during the factory reset (three finger method) is saved on the device.

tfurrows

Member
Jun 15, 2011
58
11
When I purchased my SYTAB10MT, I ran the update tool successfully (only would work via WIFI, would not complete over Ethernet). This may be what loaded the image into mtdblock2 (infotm inject).

Answering my own previous question about the checksum, I see that the IUS Edit tool pulls out the 8-byte checksum.

I'll dump using dd and post a link.

cfrockit

Senior Member
Dec 26, 2010
627
191
When I purchased my SYTAB10MT, I ran the update tool successfully (only would work via WIFI, would not complete over Ethernet). This may be what loaded the image into mtdblock2 (infotm inject).

This makes sense: the automatic update process moves (infoup inject) the downloaded .ius from /local into the mtd2 "resv" partition for whatever it does (expand, unpack, burn, etc.) to update the tablet. Therefore, those who could never get the automatic process to work and manually burned the update would not have anything in this partition, thus all padding 0xfff, but they are still able to factory reset (three finger method), still leading me to believe there is a zSYS.img burned/saved from the .ius for recovery.

tfurrows

Member
Jun 15, 2011
58
11
Do we know what the "cache" partition is used for? Swap? I ran the "recovery" binary via SSH (which killed my status bar on the android screen but did not kill ADWLauncher); I interrupted it with CTRL-C, and it appears to have created /cache/recovery/ with a log file (empty), the log file was deleted on reboot.

In /proc/mtd, cache is mtd5, size is 04000000 (64mb). When I dump it, it is not empty.

Just throwing out random thoughts here... if there is a zSYS.img file stored, it has to live somewhere. Doesn't appear to be on any mounted FS right?

cfrockit

Senior Member
Dec 26, 2010
627
191
Do we know what the "cache" partition is used for? Swap? I ran the "recovery" binary via SSH (which killed my status bar on the android screen but did not kill ADWLauncher); I interrupted it with CTRL-C, and it appears to have created /cache/recovery/ with a log file (empty), the log file was deleted on reboot.

Caution: fortunately you interrupted it, since it has been reported that, without being able to do the factory reset (three finger method) and prior to the manual update process, the tablet was effectively bricked with no way to recover.

In /proc/mtd, cache is mtd5, size is 04000000 (64mb). When I dump it, it is not empty.

This partition would be a little small for some of the zSYS.img images that I see included in the current InfoTM Update Wrap files. Can you post your dump for inspection as well?

Just throwing out random thoughts here... if there is a zSYS.img file stored, it has to live somewhere. Doesn't appear to be on any mounted FS right?

I always thought it was like an Android phone and it would be a mounted image, but except for the discovery of the raw data of the .ius being in mtd2, no other recovery image has been located.

tfurrows

Member
Jun 15, 2011
58
11
I just reviewed the cache img in a hex editor, and there is text in there from various installed apps; and duh, it's mounted at /cache. Sorry, I'm guessing it won't be useful at all to review.

cfrockit

Senior Member
Dec 26, 2010
627
191
Here is another copy of my "resv" partition (mtdblock2), created this time with dd as per your instructions:

http://jozhaus.com/files/mtd2.img

This dump of the mtd2 partition "resv" (mtdblock2), made using the following command, opened perfectly in IUW.exe Version 1.2, pictured below. Thanks for confirming.

Code:
dd if=/dev/mtd/mtd2 of=/sdcard/mtd2.img bs=4096

[screenshot: mtd2_img.JPG]

vio

Member
Jun 20, 2011
22
16
Do you have the header, data and checksums positively identified?

Good question! Since I don't have the source code of the burning app, I can't be 100% sure what each part is. I am suspecting that the bytes 24-31 from the IUS file are a checksum (or, more probably, 2 different checksum values) used to validate the file.

Visual inspection of the U0 image suggests that there are 2 different CRCs: "header crc" and "data crc".

Since we know that the IUS file is composed of a 512-byte header followed by the actual images, I assumed that "data" is the part of the file obtained by skipping the first 512 bytes. Of course, there are other possibilities, like also skipping the U0 image, taking only the user data partition and so on.

The "header" part is a little trickier... since the checksum is part of the first 512 bytes, the "header" cannot be the whole block. It could be the first part (bytes 0-23), the last part (bytes 32-511) or a subset of these.

In order to be sure what each part is, we should find a way to decompile the burning app and to understand the validation algorithm, using reverse engineering to recreate the checksum.

tfurrows

Member
Jun 15, 2011
58
11
Yeah, without knowing what they are running the CRC calculation on, there's no way to generate our own checksum. Has anyone decompiled the app yet? Preferably someone with asm experience :)

cfrockit

Senior Member
Dec 26, 2010
627
191
Yeah, without knowing what they are running the CRC calculation on, there's no way to generate our own checksum. Has anyone decompiled the app yet? Preferably someone with asm experience :)

I'm old enough to have the assembly experience but haven't found a non-commercial application to decompile IUW.exe.

Code:
$ file IUW.exe
IUW.exe: PE32 executable (GUI) Intel 80386, for MS Windows

So my approach was to dump the ELF application "infoup" that is utilized by the automatic update process, since it should have the same checks.

Code:
ELF Header
  Class:      CLASS32 (1)
  Encoding:   Little endian
  ELFVersion: Current (1)
  Type:       0x0002
  Machine:    0x0028
  Version:    0x00000001
  Entry:      0x00008730
  Flags:      0x05000002

Section headers:
  [Nr] Name                 Type     Addr     Size   ES Flg Lk Inf  Al
  [ 0]                      NULL     00000000 000000 00     00 0000 00
  [ 1] .interp              PROGBITS 000080f4 000013 00 A   00 0000 01
  [ 2] .hash                HASH     00008108 0000dc 04 A   03 0000 04
  [ 3] .dynsym              DYNSYM   000081e4 000240 10 A   04 0000 04
  [ 4] .dynstr              STRTAB   00008424 000164 00 A   00 0000 01
  [ 5] .rel.got             REL      00008588 000020 08 A   03 0011 04
  [ 6] .rel.plt             REL      000085a8 000090 08 A   03 0007 04
  [ 7] .plt                 PROGBITS 00008638 0000ec 04 AX  00 0000 04
  [ 8] .text                PROGBITS 00008730 000428 00 AX  00 0000 10
  [ 9] .rodata              PROGBITS 00008b58 0001d8 01 A   00 0000 04
  [ a] .ARM.extab           PROGBITS 00008d30 000018 00 A   00 0000 04
  [ b] .ARM.exidx           UNKNOWN  00008d48 000020 00 A   08 0000 04
  [ c] .preinit_array       UNKNOWN  00009000 000008 00 WA  00 0000 01
  [ d] .init_array          UNKNOWN  00009008 000008 00 WA  00 0000 01
  [ e] .fini_array          UNKNOWN  00009010 000008 00 WA  00 0000 01
  [ f] .ctors               PROGBITS 00009018 000008 00 WA  00 0000 01
  [10] .dynamic             DYNAMIC  00009020 0000e0 08 WA  04 0000 04
  [11] .got                 PROGBITS 00009100 000064 04 WA  00 0000 04
  [12] .bss                 NOBITS   00009164 000008 00 WA  00 0000 04
  [13] .ARM.attributes      UNKNOWN  00000000 00002b 00     00 0000 01
  [14] .shstrtab            STRTAB   00000000 0000ab 00     00 0000 01
Key to Flags: W (write), A (alloc), X (execute)

Segment headers:
  [Nr] Type       VirtAddr PhysAddr FileSize Mem.Size Flags    Align
  [ 0] UNKNOWN    00008d48 00008d48 00000020 00000020 00000004 00000004
  [ 1] PT_PHDR    00008034 00008034 000000c0 000000c0 00000005 00000004
  [ 2] PT_INTERP  000080f4 000080f4 00000013 00000013 00000004 00000001
  [ 3] PT_LOAD    00008000 00008000 00000d68 00000d68 00000005 00001000
  [ 4] PT_LOAD    00009000 00009000 00000164 0000016c 00000006 00001000
  [ 5] PT_DYNAMIC 00009020 00009020 000000e0 000000e0 00000006 00000004

Symbol table (.dynsym)
     Name                                      Value    Size     Bind Type Sect
                                               00000000 00000000 0000 0000 0000
putchar                                        0000864c 00000000 0001 0002 0000
ioctl                                          00008658 00000000 0001 0002 0000
printf                                         00008664 00000000 0001 0002 0000
__exidx_end                                    00008d68 00000000 0001 0000 fff1
__stack_chk_guard                              00000000 00000000 0001 0001 0000
__aeabi_unwind_cpp_pr0                         00000000 00000000 0001 0002 0000
_bss_end__                                     0000916c 00000000 0001 0000 fff1
nand_size                                      00009164 00000004 0001 0001 0012
puts                                           00008670 00000000 0001 0002 0000
__bss_start__                                  00009164 00000000 0001 0000 fff1
fflush                                         0000867c 00000000 0001 0002 0000
__exidx_start                                  00008d48 00000000 0001 0000 fff1
lseek                                          00008688 00000000 0001 0002 0000
__stack_chk_fail                               00008694 00000000 0001 0002 0000
__reboot                                       000086a0 00000000 0001 0002 0000
__libc_init                                    000086ac 00000000 0001 0002 0000
write                                          000086b8 00000000 0001 0002 0000
__bss_end__                                    0000916c 00000000 0001 0000 fff1
setgid                                         000086c4 00000000 0001 0002 0000
read                                           000086d0 00000000 0001 0002 0000
__sF                                           00000000 00000000 0001 0001 0000
__bss_start                                    00009164 00000000 0001 0000 fff1
__aeabi_uidiv                                  000086dc 00000000 0001 0002 0000
__end__                                        0000916c 00000000 0001 0000 fff1
strcmp                                         000086e8 00000000 0001 0002 0000
_edata                                         00009164 00000000 0001 0000 fff1
_end                                           0000916c 00000000 0001 0000 fff1
exit                                           000086f4 00000000 0001 0002 0000
blk_size                                       00009168 00000004 0001 0001 0012
__aeabi_unwind_cpp_pr1                         00000000 00000000 0001 0002 0000
open                                           00008700 00000000 0001 0002 0000
_stack                                         00080000 00000000 0001 0000 fff1
__data_start                                   00009164 00000000 0001 0000 0012
setuid                                         0000870c 00000000 0001 0002 0000
close                                          00008718 00000000 0001 0002 0000

Code:
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           ARM
  Version:                           0x1
  Entry point address:               0x8730
  Start of program headers:          52 (bytes into file)
  Start of section headers:          4668 (bytes into file)
  Flags:                             0x5000002, has entry point, Version5 EABI
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         6
  Size of section headers:           40 (bytes)
  Number of section headers:         21
  Section header string table index: 20

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        000080f4 0000f4 000013 00   A  0   0  1
  [ 2] .hash             HASH            00008108 000108 0000dc 04   A  3   0  4
  [ 3] .dynsym           DYNSYM          000081e4 0001e4 000240 10   A  4   0  4
  [ 4] .dynstr           STRTAB          00008424 000424 000164 00   A  0   0  1
  [ 5] .rel.got          REL             00008588 000588 000020 08   A  3  17  4
  [ 6] .rel.plt          REL             000085a8 0005a8 000090 08   A  3   7  4
  [ 7] .plt              PROGBITS        00008638 000638 0000ec 04  AX  0   0  4
  [ 8] .text             PROGBITS        00008730 000730 000428 00  AX  0   0 16
  [ 9] .rodata           PROGBITS        00008b58 000b58 0001d8 01 AMS  0   0  4
  [10] .ARM.extab        PROGBITS        00008d30 000d30 000018 00   A  0   0  4
  [11] .ARM.exidx        ARM_EXIDX       00008d48 000d48 000020 00  AL  8   0  4
  [12] .preinit_array    PREINIT_ARRAY   00009000 001000 000008 00  WA  0   0  1
  [13] .init_array       INIT_ARRAY      00009008 001008 000008 00  WA  0   0  1
  [14] .fini_array       FINI_ARRAY      00009010 001010 000008 00  WA  0   0  1
  [15] .ctors            PROGBITS        00009018 001018 000008 00  WA  0   0  1
  [16] .dynamic          DYNAMIC         00009020 001020 0000e0 08  WA  4   0  4
  [17] .got              PROGBITS        00009100 001100 000064 04  WA  0   0  4
  [18] .bss              NOBITS          00009164 001164 000008 00  WA  0   0  4
  [19] .ARM.attributes   ARM_ATTRIBUTES  00000000 001164 00002b 00      0   0  1
  [20] .shstrtab         STRTAB          00000000 00118f 0000ab 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

There are no section groups in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  EXIDX          0x000d48 0x00008d48 0x00008d48 0x00020 0x00020 R   0x4
  PHDR           0x000034 0x00008034 0x00008034 0x000c0 0x000c0 R E 0x4
  INTERP         0x0000f4 0x000080f4 0x000080f4 0x00013 0x00013 R   0x1
      [Requesting program interpreter: /system/bin/linker]
  LOAD           0x000000 0x00008000 0x00008000 0x00d68 0x00d68 R E 0x1000
  LOAD           0x001000 0x00009000 0x00009000 0x00164 0x0016c RW  0x1000
  DYNAMIC        0x001020 0x00009020 0x00009020 0x000e0 0x000e0 RW  0x4

 Section to Segment mapping:
  Segment Sections...
   00     .ARM.exidx 
   01     
   02     .interp 
   03     .interp .hash .dynsym .dynstr .rel.got .rel.plt .plt .text .rodata .ARM.extab .ARM.exidx 
   04     .preinit_array .init_array .fini_array .ctors .dynamic .got .bss 
   05     .dynamic 

Dynamic section at offset 0x1020 contains 23 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libc.so]
 0x00000001 (NEEDED)                     Shared library: [libstdc++.so]
 0x00000001 (NEEDED)                     Shared library: [libm.so]
 0x00000020 (PREINIT_ARRAY)              0x9000
 0x00000021 (PREINIT_ARRAYSZ)            0x8
 0x00000019 (INIT_ARRAY)                 0x9008
 0x0000001b (INIT_ARRAYSZ)               8 (bytes)
 0x0000001a (FINI_ARRAY)                 0x9010
 0x0000001c (FINI_ARRAYSZ)               8 (bytes)
 0x00000004 (HASH)                       0x8108
 0x00000005 (STRTAB)                     0x8424
 0x00000006 (SYMTAB)                     0x81e4
 0x0000000a (STRSZ)                      356 (bytes)
 0x0000000b (SYMENT)                     16 (bytes)
 0x00000015 (DEBUG)                      0x0
 0x00000003 (PLTGOT)                     0x9100
 0x00000002 (PLTRELSZ)                   144 (bytes)
 0x00000014 (PLTREL)                     REL
 0x00000017 (JMPREL)                     0x85a8
 0x00000011 (REL)                        0x8588
 0x00000012 (RELSZ)                      32 (bytes)
 0x00000013 (RELENT)                     8 (bytes)
 0x00000000 (NULL)                       0x0

Relocation section '.rel.got' at offset 0x588 contains 4 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
00009154  00000515 R_ARM_GLOB_DAT    00000000   __stack_chk_guard
00009158  00000815 R_ARM_GLOB_DAT    00009164   nand_size
0000915c  00001515 R_ARM_GLOB_DAT    00000000   __sF
00009160  00001d15 R_ARM_GLOB_DAT    00009168   blk_size

Relocation section '.rel.plt' at offset 0x5a8 contains 18 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0000910c  00000116 R_ARM_JUMP_SLOT   0000864c   putchar
00009110  00000216 R_ARM_JUMP_SLOT   00008658   ioctl
00009114  00000316 R_ARM_JUMP_SLOT   00008664   printf
00009118  00000916 R_ARM_JUMP_SLOT   00008670   puts
0000911c  00000b16 R_ARM_JUMP_SLOT   0000867c   fflush
00009120  00000d16 R_ARM_JUMP_SLOT   00008688   lseek
00009124  00000e16 R_ARM_JUMP_SLOT   00008694   __stack_chk_fail
00009128  00000f16 R_ARM_JUMP_SLOT   000086a0   __reboot
0000912c  00001016 R_ARM_JUMP_SLOT   000086ac   __libc_init
00009130  00001116 R_ARM_JUMP_SLOT   000086b8   write
00009134  00001316 R_ARM_JUMP_SLOT   000086c4   setgid
00009138  00001416 R_ARM_JUMP_SLOT   000086d0   read
0000913c  00001716 R_ARM_JUMP_SLOT   000086dc   __aeabi_uidiv
00009140  00001916 R_ARM_JUMP_SLOT   000086e8   strcmp
00009144  00001c16 R_ARM_JUMP_SLOT   000086f4   exit
00009148  00001f16 R_ARM_JUMP_SLOT   00008700   open
0000914c  00002216 R_ARM_JUMP_SLOT   0000870c   setuid
00009150  00002316 R_ARM_JUMP_SLOT   00008718   close

Unwind table index '.ARM.exidx' at offset 0xd48 contains 4 entries:

0x8760: 0x8007aab0
  Compact model 0
  0x07      vsp = vsp + 32
  0xaa      pop {r4, r5, r6r14}
  0xb0      finish

0x87c4: @0x8d30
  Compact model 1
  0xb2 0x90 0x07 vsp = vsp + 4164
  0x80 0xf0 pop {r8, r9, r10, r11}
  0xab      pop {r4, r5, r6, r7r14}

0x89cc: @0x8d3c
  Compact model 1
  0x02      vsp = vsp + 12
  0x80 0x50 pop {r8, r10}
  0xab      pop {r4, r5, r6, r7r14}
  0xb0      finish
  0xb0      finish

0x8a50: 0x80b108ab
  Compact model 0
  0xb1 0x08 pop {r3}
  0xab      pop {r4, r5, r6, r7r14}


Symbol table '.dynsym' contains 36 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 0000864c     0 FUNC    GLOBAL DEFAULT  UND putchar
     2: 00008658     0 FUNC    GLOBAL DEFAULT  UND ioctl
     3: 00008664     0 FUNC    GLOBAL DEFAULT  UND printf
     4: 00008d68     0 NOTYPE  GLOBAL DEFAULT  ABS __exidx_end
     5: 00000000     0 OBJECT  GLOBAL DEFAULT  UND __stack_chk_guard
     6: 00000000     0 FUNC    GLOBAL DEFAULT  UND __aeabi_unwind_cpp_pr0
     7: 0000916c     0 NOTYPE  GLOBAL DEFAULT  ABS _bss_end__
     8: 00009164     4 OBJECT  GLOBAL DEFAULT   18 nand_size
     9: 00008670     0 FUNC    GLOBAL DEFAULT  UND puts
    10: 00009164     0 NOTYPE  GLOBAL DEFAULT  ABS __bss_start__
    11: 0000867c     0 FUNC    GLOBAL DEFAULT  UND fflush
    12: 00008d48     0 NOTYPE  GLOBAL DEFAULT  ABS __exidx_start
    13: 00008688     0 FUNC    GLOBAL DEFAULT  UND lseek
    14: 00008694     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail
    15: 000086a0     0 FUNC    GLOBAL DEFAULT  UND __reboot
    16: 000086ac     0 FUNC    GLOBAL DEFAULT  UND __libc_init
    17: 000086b8     0 FUNC    GLOBAL DEFAULT  UND write
    18: 0000916c     0 NOTYPE  GLOBAL DEFAULT  ABS __bss_end__
    19: 000086c4     0 FUNC    GLOBAL DEFAULT  UND setgid
    20: 000086d0     0 FUNC    GLOBAL DEFAULT  UND read
    21: 00000000     0 OBJECT  GLOBAL DEFAULT  UND __sF
    22: 00009164     0 NOTYPE  GLOBAL DEFAULT  ABS __bss_start
    23: 000086dc     0 FUNC    GLOBAL DEFAULT  UND __aeabi_uidiv
    24: 0000916c     0 NOTYPE  GLOBAL DEFAULT  ABS __end__
    25: 000086e8     0 FUNC    GLOBAL DEFAULT  UND strcmp
    26: 00009164     0 NOTYPE  GLOBAL DEFAULT  ABS _edata
    27: 0000916c     0 NOTYPE  GLOBAL DEFAULT  ABS _end
    28: 000086f4     0 FUNC    GLOBAL DEFAULT  UND exit
    29: 00009168     4 OBJECT  GLOBAL DEFAULT   18 blk_size
    30: 00000000     0 FUNC    GLOBAL DEFAULT  UND __aeabi_unwind_cpp_pr1
    31: 00008700     0 FUNC    GLOBAL DEFAULT  UND open
    32: 00080000     0 NOTYPE  GLOBAL DEFAULT  ABS _stack
    33: 00009164     0 NOTYPE  GLOBAL DEFAULT   18 __data_start
    34: 0000870c     0 FUNC    GLOBAL DEFAULT  UND setuid
    35: 00008718     0 FUNC    GLOBAL DEFAULT  UND close

Histogram for bucket list length (total of 17 buckets):
 Length  Number     % of total  Coverage
      0  1          (  5.9%)
      1  7          ( 41.2%)     20.0%
      2  2          ( 11.8%)     31.4%
      3  4          ( 23.5%)     65.7%
      4  3          ( 17.6%)    100.0%

No version information found in this file.
Attribute Section: aeabi
File Attributes
  Tag_CPU_name: "6"
  Tag_CPU_arch: v6
  Tag_ARM_ISA_use: Yes
  Tag_THUMB_ISA_use: Thumb-1
  Tag_ABI_PCS_wchar_t: 4
  Tag_ABI_FP_denormal: Needed
  Tag_ABI_FP_exceptions: Needed
  Tag_ABI_FP_number_model: IEEE 754
  Tag_ABI_align8_needed: Yes
  Tag_ABI_align8_preserved: Yes, except leaf SP
  Tag_ABI_enum_size: int
  Tag_ABI_HardFP_use: SP and DP
  Tag_ABI_optimization_goals: Aggressive Size

tfurrows

Member
Jun 15, 2011
58
11
I like your approach; the command-line tool will likely be a lot easier to understand. Have a look at this though, from RecStudio4.

Decompiled, and at 00401B60 I found what appears to possibly be related to CRC calculation or lookup (I'm not much of an ASM guy, but I see some math in there that might be what we're looking for):

Code:
L00401B60(_unknown_ r1, char* r2, _unknown_ r9)
{
    _unknown_ r4;
    _unknown_ r5;
    _unknown_ r6;
    _unknown_ _t49;
    _unknown_ _t50;
    char* _t51;
    char* _t52;
    char* _t53;
    char* _t54;
    char* _t55;
    char* _t56;
    char* _t57;
    _unknown_ _t83;
    _unknown_ _t84;
    signed int _t85;
    signed int _t86;
    _unknown_ _t88;
    _unknown_ _t89;


    _t88 = __eflags;
    _t51 = __ecx;
    _push(_t85);
    _push(_t83);
    _t84 = 32;
    _t86 = _t85 | 255;
    __ebp = _t84 - 28;
do {
        _t52 = _t51 + 1;
        _t29 = _t86 >> 8 ^  *((intOrPtr*)(4509488 + (( *_t51 & 255 ^ _t86) & 255) * 4));
        _t31 = (_t86 >> 8 ^  *((intOrPtr*)(4509488 + (( *_t51 & 255 ^ _t86) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *_t52 & 255 ^ _t29) & 255) * 4));
        _t53 = _t52 + 1;
        _t33 = ((_t86 >> 8 ^  *((intOrPtr*)(4509488 + (( *_t51 & 255 ^ _t86) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *_t52 & 255 ^ _t29) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t52 + 1) & 255 ^ _t31) & 255) * 4));
        _t54 = _t53 + 1;
        _t35 = (((_t86 >> 8 ^  *((intOrPtr*)(4509488 + (( *_t51 & 255 ^ _t86) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *_t52 & 255 ^ _t29) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t52 + 1) & 255 ^ _t31) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t53 + 1) & 255 ^ _t33) & 255) * 4));
        _t55 = _t54 + 1;
        _t37 = ((((_t86 >> 8 ^  *((intOrPtr*)(4509488 + (( *_t51 & 255 ^ _t86) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *_t52 & 255 ^ _t29) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t52 + 1) & 255 ^ _t31) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t53 + 1) & 255 ^ _t33) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t54 + 1) & 255 ^ _t35) & 255) * 4));
        _t56 = _t55 + 1;
        _t39 = (((((_t86 >> 8 ^  *((intOrPtr*)(4509488 + (( *_t51 & 255 ^ _t86) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *_t52 & 255 ^ _t29) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t52 + 1) & 255 ^ _t31) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t53 + 1) & 255 ^ _t33) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t54 + 1) & 255 ^ _t35) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t55 + 1) & 255 ^ _t37) & 255) * 4));
        _t57 = _t56 + 1;
        _t41 = ((((((_t86 >> 8 ^  *((intOrPtr*)(4509488 + (( *_t51 & 255 ^ _t86) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *_t52 & 255 ^ _t29) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t52 + 1) & 255 ^ _t31) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t53 + 1) & 255 ^ _t33) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t54 + 1) & 255 ^ _t35) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t55 + 1) & 255 ^ _t37) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t56 + 1) & 255 ^ _t39) & 255) * 4));
        _t51 = _t57 + 1 + 1;
        _t84 = _t84 - 8;
        __ebp = __ebp - 1;
        _t86 = (((((((_t86 >> 8 ^  *((intOrPtr*)(4509488 + (( *_t51 & 255 ^ _t86) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *_t52 & 255 ^ _t29) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t52 + 1) & 255 ^ _t31) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t53 + 1) & 255 ^ _t33) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t54 + 1) & 255 ^ _t35) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t55 + 1) & 255 ^ _t37) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t56 + 1) & 255 ^ _t39) & 255) * 4))) >> 8 ^  *((intOrPtr*)(4509488 + (( *(_t57 + 1) & 255 ^ _t41) & 255) * 4));
    } while(_t88 != 0);
    while(_t89 != 0) {
        _t86 = _t86 >> 8 ^  *((intOrPtr*)(4509488 + (( *_t51 & 255 ^ _t86) & 255) * 4));
        _t51 = _t51 + 1;
        _t84 = _t84 - 1;
    }
    _pop(__edi);
    _pop(__esi);
    return  !_t86;
}

_t86 looks like the crc accumulator, and "((intOrPtr*)(4509488 + (( *_t51 & 255 ^ _t86) & 255) * 4))" in this case appears to be the data. Maybe a wild shot in the dark, but it looked interesting.

I'd be interested to see what you make of the command line tool though.
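As an added example (not code from this thread, from InfoTM's tools or from IUW.exe), here is a Python reconstruction of the CRC shape visible in the decompiled routine above, combined with the candidate-region search vio described earlier: it tries each plausible "header"/"data" region against the two 32-bit values at bytes 24-31, in both byte orders, so a byte-swapped checksum is not missed. The standard CRC-32 polynomial, the sample image and the field layout are assumptions, not facts established by the thread.

```python
import struct

# Assumption: the table at 4509488 in the decompiled routine is the standard
# reflected CRC-32 table (polynomial 0xEDB88320). Nothing on the page proves
# which polynomial InfoTM used, so treat this as a hypothesis to test.
POLY = 0xEDB88320


def make_table():
    """Build the 256-entry reflected CRC-32 lookup table."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = make_table()


def crc32_like_decompiled(data: bytes) -> int:
    """CRC-32 with the same shape as L00401B60: accumulator starts all-ones,
    every byte does crc = (crc >> 8) ^ TABLE[(byte ^ crc) & 0xFF] (the 8-way
    unrolled do/while plus the remainder loop), and the result is inverted on
    return, which is what the decompiler rendered as '!_t86'."""
    crc = 0xFFFFFFFF
    i, n = 0, len(data)
    while n - i >= 8:                      # unrolled body: 8 bytes per pass
        for b in data[i:i + 8]:
            crc = (crc >> 8) ^ TABLE[(b ^ crc) & 0xFF]
        i += 8
    while i < n:                           # tail: one byte per pass
        crc = (crc >> 8) ^ TABLE[(data[i] ^ crc) & 0xFF]
        i += 1
    return crc ^ 0xFFFFFFFF


HEADER_LEN = 512   # from the thread: 512-byte header, then the images
CRC_OFFSET = 24    # vio's suspicion: two 32-bit values at bytes 24-31

# The candidate regions vio enumerated for "header" and "data".
CANDIDATES = {
    "header[0:24]": lambda img: img[0:24],
    "header[32:512]": lambda img: img[32:HEADER_LEN],
    "header[0:24]+[32:512]": lambda img: img[0:24] + img[32:HEADER_LEN],
    "data[512:]": lambda img: img[HEADER_LEN:],
}


def stored_values(img: bytes) -> dict:
    """Read the two fields at bytes 24-31 in both byte orders, because a
    stored CRC may be byte-swapped (the Kermit CRC-CCITT anecdote above)."""
    return {
        "le": struct.unpack_from("<II", img, CRC_OFFSET),
        "be": struct.unpack_from(">II", img, CRC_OFFSET),
    }


def match_regions(img: bytes) -> dict:
    """Return {field: [(region, byte_order), ...]} for every candidate region
    whose CRC-32 equals one of the two stored fields."""
    hits = {}
    stored = stored_values(img)
    for name, region in CANDIDATES.items():
        crc = crc32_like_decompiled(region(img))
        for order, vals in stored.items():
            for idx, val in enumerate(vals):
                if val == crc:
                    hits.setdefault(f"field{idx}", []).append((name, order))
    return hits


def build_sample_image() -> bytes:
    """Constructed .ius-style sample (not a real InfoTM file): header CRC over
    the header minus its own CRC field, data CRC over the images, both stored
    little-endian at bytes 24-31."""
    data = bytes(range(256)) * 4
    head = bytearray(b"IUS-SAMPLE".ljust(24, b"\0") + bytes(8) + b"\xff" * 480)
    hcrc = crc32_like_decompiled(bytes(head[0:24] + head[32:]))
    dcrc = crc32_like_decompiled(data)
    struct.pack_into("<II", head, CRC_OFFSET, hcrc, dcrc)
    return bytes(head) + data


if __name__ == "__main__":
    for field, where in sorted(match_regions(build_sample_image()).items()):
        print(field, "->", where)
```

Run against a real dump, replace `build_sample_image()` with the bytes of the .ius and add further regions (e.g. skipping the U0 image) to `CANDIDATES`; a region that matches neither field in either byte order is evidence that the polynomial or the covered range is wrong, not that the approach is.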

vio

Member
Jun 20, 2011
22
16
Interesting stuff... the method looks like some checksum calculator indeed. I will try to put some order into it and see what gives.

In the meantime, does anyone know what "u-boot-nand.bin" contains? Is it an ELF executable or something similar? The error messages dumped by cfrockit seem to suggest that at least part of it is executable code. Maybe that's the place where we should look for the calculation part?

cfrockit

Senior Member
Dec 26, 2010
627
191
In the meantime, does anyone know what "u-boot-nand.bin" contains? Is it an ELF executable or something similar? The error messages dumped by cfrockit seem to suggest that at least part of it is executable code. Maybe that's the place where we should look for the calculation part?

It's a NAND Flash image which contains the u-boot and integrated bootloader. It is built specifically for the board; hence the various hardware IDs ("hwver") to identify the different boards put into production devices. When the tablet is connected to the PC via USB cable to the OTG port, it also controls the communication. For more common tablets/boards, developers have created their own test board environment to make the changes to the configuration file and the board-specific directory in support of their device. Unfortunately, we're dealing with an "Other Minor Android Tablet Brand" which doesn't have that base of developers. We are really appreciating the interest so far to make this even more useful for the price. Thanks!