├── README.md
├── forensics
    ├── README.md
    └── snapshot.jpg
├── hardware
    ├── README.md
    └── imgs
    │   ├── Website-Photo.png
    │   ├── antenna-back.png
    │   ├── antenna-front.png
    │   ├── green-back.png
    │   ├── green-front1.png
    │   ├── green-front2.png
    │   ├── nanopineo-back.png
    │   ├── nanopineo-front.png
    │   ├── overview.png
    │   └── wild-test.jpg
├── nanopi-neo
    ├── README.md
    └── imgs
    │   ├── NEO_pinout.jpg
    │   └── NanoPi-NEO-layout.jpg
├── networking
    ├── README.md
    └── imgs
    │   ├── nanopi_usb.jpg
    │   ├── otg_cable.png
    │   └── wifi_ssh.png
├── operations
    ├── README.md
    ├── boot.log
    ├── imgs
    │   ├── rotated_screen.jpg
    │   ├── thermal_h3.png
    │   ├── thermal_screen.png
    │   └── uart1.png
    └── shutdown.log
├── proxmark3
    ├── README.md
    ├── bootrom.bin
    ├── client_linux_unofficial
    │   └── proxmark3-804fef2ab
    ├── client_nanopi-neo
    │   ├── libbz2.so.1.0
    │   ├── libgcc_s.so.1
    │   ├── libreadline.so.6
    │   ├── libstdc++.so.6
    │   ├── libtinfo.so.5
    │   ├── proxmark3
    │   └── qemu_proxmark3.sh
    ├── client_windows_client-exe
    │   └── client.exe
    ├── client_windows_tzwps-exe
    │   ├── bootrom.bin
    │   ├── bootrom.elf
    │   ├── fullimage.bin
    │   ├── fullimage.elf
    │   └── tzwps.exe
    ├── flashdump.bin
    ├── fpga_felica.bit
    ├── fpga_hf.bit
    ├── fpga_lf.bit
    ├── fullimage.bin
    └── memdump.bin
├── software
    ├── README.md
    ├── app.py
    ├── conf.ini
    ├── icopy.service
    └── ipk_starter.py
├── stm32
    ├── README.md
    ├── flash_0x08000000_0x10000.bin
    ├── flash_0x08000000_0x10000.bin.asm
    ├── flash_0x08000000_0x10000.bin.c
    ├── sram_0x20000000_0x5000.bin
    └── stm32_swd.jpg
├── stm32_commands
    └── README.md
├── tags
    └── README.md
└── w25q80
    ├── README.md
    ├── electroniccoloringbook.png
    ├── w25q80.bin
    ├── w25q80_charged.png
    ├── w25q80_charging.png
    ├── w25q80_flash.png
    ├── w25q80_logo.png
    └── w25q80_logo_patched.png

/README.md:
--------------------------------------------------------------------------------
1 | # iCopy-X Teardown, *Ongoing*
2 |
3 | Some *ongoing* notes trying to understand what the iCopy-X is made of, what's the current state and what could be done once the software gets fully open-sourced.
4 |
5 | =>
6 |
7 | I want to warmly thank @gator96100 for sharing his own findings, which are being merged over time in this repo as well!
8 |
9 | ## Official links
10 |
11 | Links mentioned in the documentation and in social networks
12 |
13 | * [iCopy-X on Facebook](https://www.facebook.com/RFIDiCopyX/)
14 | * [iCopy-X on Twitter](https://twitter.com/icopy_x)
15 | * iCopy-X on WeChat ?? Cannot find it.
16 | * [iCopy-X on Kickstarter](https://www.kickstarter.com/projects/nikola-lab/icopy-x-0)
17 | * https://icopy-x.com/
18 | * https://www.icopy-x.com/warranty (not yet online as of 06/2021)
19 | * https://www.icopy-x.com/support (not yet online as of 06/2021)
20 | * https://www.icopy-x.com/updates: a form where you need to provide your serial number, as apparently firmwares are diversified per device. => https://www.icopy-x.com/otasys/
21 | * team@icopy-x.com => product level
22 | * [Nikola T. Lab Youtube channel](https://www.youtube.com/channel/UCI0js55nP1E7nIMZNaQGqZQ)
23 | * [Nikola T. Lab on TikTok](https://www.tiktok.com/@nikolat.lab)
24 | * [Nikola T. Lab on Twitter](https://twitter.com/LabNikola)
25 | * [Nikola T. Lab on GitHub](https://github.com/Nikola-Lab)
26 | * https://www.nikola-lab.com/ (not yet online as of 06/2021)
27 | * https://nikola-lab.com/registration
28 | * team@nikola-lab.com => distributorship
29 |
30 | ## TL;DR
31 |
32 | ----
33 | **2021-08 UPDATE**
34 |
35 | Sources of the hardware blueprints, schematics, STM32 firmware, Proxmark3 modifications and new FPGA support have been recently released.
36 | Parts are now merged in the official Proxmark3/RRG repo.
37 |
38 | See [all details here](https://github.com/iCopy-X-Community/icopyx-upstream).
39 |
40 | We're still missing the Python application details to be able to develop on the iCopy-X interface.
41 |
42 | Most teardown observations predate the source releases.
43 |
44 | ----
45 |
46 | So far, major observations are the following.
47 |
48 | iCopy-X is based on Proxmark3 and a NanoPi NEO embedded Linux to run the client side.
49 | It contains an additional Python wrapper to provide a user interface with LCD and buttons.
50 |
51 | * Proxmark3 has an external flash like RDV4 but no smartcard reader
52 | * Proxmark3 FPGA is a larger model XC3S100E than the usual XC2S30
53 | * Proxmark3 runs a modified version of RRG/Iceman repo circa September 2020 (forked from 29c8b3aa4ee8cb3d66a1542d95740d996abe201f)
54 |   * ARM firmware got modified at least to deal with the new FPGA image and to remove version information
55 |   * FPGA image got modified to merge lf, hf and felica images
56 |   * `fpga_compress` got modified to allow larger image (`#define FPGA_CONFIG_SIZE 72864L`)
57 |   * client for NanoPi got modified at least to return error codes, to deactivate history and logs and to remove version information
58 |   * client for Windows got modified at least to return error codes and to remove version information
59 |   * UPDATE: [full diff here](https://github.com/iCopy-X-Community/icopyx-upstream/blob/master/proxmark3/2021-07-02-09-41-01-766-cleaned.diff)
60 |
61 |
62 | ## [Hardware](hardware/README.md)
63 |
64 | ## [Proxmark3](proxmark3/README.md)
65 |
66 | ## [STM32](stm32/README.md)
67 |
68 | ## [W25Q80](w25q80/README.md)
69 |
70 | ## [NanoPi NEO](nanopi-neo/README.md)
71 |
72 | ## [Software](software/README.md)
73 |
74 | ## [Operations](operations/README.md)
75 |
76 | ## [STM32 commands](stm32_commands/README.md)
77 |
78 | ## [Networking](networking/README.md)
79 |
80 | ## [Tags](tags/README.md)
81 |
82 | ## [Forensics](forensics/README.md)
83 |
84 | ## Open Questions
85 |
86 | * How are firmwares tied to serial numbers? cf version.so
87 | * Is the antenna LED drivable?
88 | * LED screen drivable by both STM32 and NanoPi?
89 | * Non-PC Mode: is there any usage of /dev/ttyACM0 when untied to ?
90 |
91 | ## Desired changes
92 |
93 | * Open most of the Python application so that it can be kept up to date with RRG/Iceman and its GUI properly maintained as well
94 | * Bind the UART-to-USB bridge to the Linux Debug console when in non-PC-Mode, it's much more convenient than using the inner UART1
95 |

--------------------------------------------------------------------------------
/forensics/README.md:
--------------------------------------------------------------------------------
1 | # Forensics
2 |
3 | Finding more information than in the intended pieces of software...
4 |
5 | * `userdata/root/root/.bash_history`
6 |   * upgrade, install, serial auto-login?, USB gadget tests
7 |   * PC-mode script
8 |   * commands for icopy app
9 |     * systemctl restart icopy
10 |     * systemctl stop icopy
11 |     * xinit /home/pi/ipk_app_main/app.py
12 | * `userdata/root/home/pi/.bash_history`
13 | * `userdata/root/etc/systemd/system/serial-getty@ttyS0.service.d/autologin.conf` not present anymore
14 | * `ICOPY-X/Backup_of_CLIENT_X86.zip -> CLIENT_X86/.proxmark3/logs/` shows logs from development, including the path to the preferences file, e.g.:
15 |   * J:/我的文档/RFID监听调试器/固件版本列表/固件直刷/PM3-RRG-Compiled-20200921(手持机私有固件)-改读卡阈值保留嗅探阈值临时测试(手持机公版)/CLIENT_X86/.proxmark3/preferences.json
16 |     == J:/My document/RFID listener/firmware version list/firmware direct brush/PM3-RRG-Compiled-20200921 (Handheld Private Firmware) - Recovering Card Threshold Retention Sniff Threshold Temporary Test (Handheld Genuine)/Client_x86/.proxmark3/preferences.json
17 |   * J:/我的文档/RFID监听调试器/固件版本列表/固件直刷/PM3-RRG-Compiled-20200921(手持机私有固件)-改阈值改嗅探Q值临时测试/CLIENT_X86/.proxmark3/preferences.json
18 |     == J:/My document/RFID listener/firmware version list/firmware direct brush/PM3-RRG-Compiled-20200921 (Handheld Private Firmware) - Change Threshold Change Sniffing Q Value Temporary Test/Client_x86/.proxmark3/preferences.json
19 | * extundelete on userdata partition: nothing interesting
20 | * testdisk on ICOPY-X partition:
21 |   * Empty file `11-Feb-2016 15:29 sn==12345678.txt` (with 12345678 corresponding to the iCopy-X serial number)
22 |   * `2624591872 30-Mar-2020 10:13 Altium_Designer_Public_20.0.13_Build_296 (2).iso`, maybe the tool used to make the PCBs...
23 | * photorec on ICOPY-X partition: finds several AVI files, probably from a dashcam.
24 |
25 |
26 |
27 | * userdata/root/usr/sbin/pcmode -> /home/pi/PC-mode ?
28 | * userdata/root/usr/bin/pcmode -> /home/pi/app/script/PC-mode ?
29 |
30 | * paths in Cython app
31 |   /home/tcwg-buildslave/workspace/tcwg-make-release_1/snapshots/gcc.git~linaro-7.5-2019.12/libgcc
32 |   /home/tcwg-buildslave/workspace/tcwg-make-release_1/snapshots/glibc.git~release~2.25~master
33 |   C:\Users\usertest\AppData\Local\Temp\tmpXXXXXXXX
34 |   d:/dxl/arm-gcc/bin/../arm-linux-gnueabihf
35 |   D:\DXL\arm-gcc\include_py/objimpl.h
36 |   E:\\PM3\\proxmark3-20201026
37 |

--------------------------------------------------------------------------------
/forensics/snapshot.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/forensics/snapshot.jpg

--------------------------------------------------------------------------------
/hardware/README.md:
--------------------------------------------------------------------------------
1 | # Hardware
2 |
3 | Open it from the top first.
4 |
5 |
6 |
7 | * Casing with a speaker in the top part
8 | * Battery LiPo 604060 3.7V 7.4Wh 2000mAh
9 | * a [NanoPi NEO V1.4](../nanopi-neo/README.md) PCB
10 |
11 |
12 |
13 | * an antenna PCB
14 |   * aspect quite similar to RDV4 antennas
15 |   * red LED visible through PCB
16 |   * `ICOPY-X 20200828`
17 |   * `LF_ANT_345uH±5%`
18 |   * `HF_ANT_1.9uH±3%`
19 |   * `Dual ANT V6.1.4`
20 |   * `Center Freq:125K&13.56M`
21 |
22 |
23 |
24 | * a green multi-function PCB
25 |   * `ICOPY MAIN V1.5 D-2110`
26 |   * Proxmark3
27 |   * USB-C and battery management
28 |   * Speaker driver
29 |   * LCD 1.3'' BL-133H01B Driver:ST7789 240x240 4-line SPI
30 |     * Seems it can be driven by the STM32 and by the NanoPi
31 |   * Inputs driver
32 |   * STM32F103C8T6, still to figure out
33 |
34 |
35 |
36 |
37 | ## Manual BoM
38 |
39 | This is an ongoing short BoM of the ICs started from visual inspection of the PCBs.
40 |
41 | |Visual ID|Package|#Pins|Reference|Description|
42 | |-|-|-|-|-|
43 | |701|SOT-6|6|?|?|
44 | |8C7I5|USON2x3|8|W25Q80BLUXIG|Flash 8Mbit SPI|
45 | |A7|SOT23|3|BAV99|fast switching diode (2 diodes)|
46 | |BZS 18I A11L|?|6|TPS61170DRVR|1.2A Switch, High Voltage Boost Converter in 2x2mm QFN Package|
47 | |C55|SOT-23-6|6|OPA355NA|2.5V, 200MHz GBW, CMOS Single Op Amp With Shutdown|
48 | |C7F DCK-6|SOT-23-6|6|SN74LVC2G17DCKR|Dual Schmitt-Trigger Buffer|
49 | |DL8a|SOT-25|5|XC9236B38DMR|PWM/PFM, step-down, 3.8V±2%, 600mA, 3MHz, Vin>2V, HSST, CL|
50 | |GS8722 TE29BA|MSOP8|8|GS8722|11MHZ CMOS Rail-to-Rail IO Opamps (2 opamps)|
51 | |IP5305|?|?|IP5305|Fully-integrated power bank System-On-Chip with 1.2A charger, 1.0A boost converter|
52 | |JS|SOD232|2|?|high voltage switching diode|
53 | |K318|BGA|?||Audio Amplifier Code Chip K318 for Redmi 4A Ringing IC Redmi NOTE 4X|
54 | |ODT|SC-70-5|5|TLV70012DCKT|200mA, Low IQ, Low Dropout Regulator for Portables|
55 | |QTP|SC-70-5|5|TLV70025DCKT|200mA, Low IQ, Low Dropout Regulator for Portables|
56 | |RS2105 MS26102|MSOP-10|10|RS2105|Ultra Low ON-Resistance, Low Voltage, Dual, SPDT Analog Switch|
57 | |RS2299 QJ3D139|QFN-3x3-16L|16|RS2299|4.5Ω Quad SPDT Analog Switch 4-Channel 2:1 Multiplexer – Demultiplexer With Two Controls|
58 | |Y5510 78T A1JH|TSSOP24|24|TLC5510IPW|8-Bit, 20 MSPS ADC Single Ch., Internal S&H, Low Power|
59 | |X1ZX 1S|??||||
60 | ## Interconnections
61 |
62 | ### Green PCB <> NanoPi NEO
63 |
64 | #### NanoPi 20 & 24-pin headers
65 |
66 | Actually only 14 pins are used:
67 |
68 | |NanoPi NEO|Pm3 ARM7|STM32|Misc|Comment|
69 | |-|-|-|-|-|
70 | |USB1.DM1|56 - DDM|||USB D-|
71 | |USB1.DP1|57 - DDP|||USB D+|
72 | |SPI0.CS|||LED?|?
73 | |SPI0.MOSI0|||LED?|?
74 | |SPI0.MISO0|||LED?|?
75 | |SPI0.CLK0|||LED?|?
76 | |UART0.TX||pin31||?
77 | |UART0.RX||pin30||?
78 | |LL|||Audio amp -> speaker|lineout left
79 | |GND *2|
80 | |5V||||?
81 | |5Vout||||?
82 | |PA1/UART2.RX||||?
83 |
84 | #### 4-pin FPC
85 |
86 | For USB connection with the host via the USB-C connector on the green PCB, wired to the NanoPi NEO Micro USB footprint.
87 |
88 | |Green PCB|NanoPi NEO MicroUSB|Comments|
89 | |-|-|-|
90 | ||Shield|GND
91 | ||1|GND
92 | |4|2|CC/ID
93 | |2|3|D+
94 | |3|4|D-
95 | |1|5|VBus (*)
96 |
97 | (*) Not directly the VBus of USB-C, it goes via some regulator
98 |
99 | ### Antenna PCB <> Green PCB
100 |
101 | Connected via an 8-pin FPC
102 |
103 | ## Proxmark3
104 |
105 | * AT91SAM7S512
106 |   * JTAG not routed
107 |   * JTAG disabled
108 | * with another unlabeled FPGA, possibly a Spartan 3
109 | * External 256kb Flash
110 | * (no SIM slot)
111 |
112 | ## STM32F103
113 |
114 | See [STM32F103](../stm32/README.md) section.
115 |

--------------------------------------------------------------------------------
/hardware/imgs/Website-Photo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/hardware/imgs/Website-Photo.png

--------------------------------------------------------------------------------
/hardware/imgs/antenna-back.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/hardware/imgs/antenna-back.png

--------------------------------------------------------------------------------
/hardware/imgs/antenna-front.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/hardware/imgs/antenna-front.png

--------------------------------------------------------------------------------
/hardware/imgs/green-back.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/hardware/imgs/green-back.png

--------------------------------------------------------------------------------
/hardware/imgs/green-front1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/hardware/imgs/green-front1.png

--------------------------------------------------------------------------------
/hardware/imgs/green-front2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/hardware/imgs/green-front2.png

--------------------------------------------------------------------------------
/hardware/imgs/nanopineo-back.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/hardware/imgs/nanopineo-back.png

--------------------------------------------------------------------------------
/hardware/imgs/nanopineo-front.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/hardware/imgs/nanopineo-front.png

--------------------------------------------------------------------------------
/hardware/imgs/overview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/hardware/imgs/overview.png

--------------------------------------------------------------------------------
/hardware/imgs/wild-test.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/hardware/imgs/wild-test.jpg

--------------------------------------------------------------------------------
/nanopi-neo/README.md:
--------------------------------------------------------------------------------
1 | # NanoPi NEO
2 |
3 | ## Links
4 |
5 | * [wiki](https://wiki.friendlyarm.com/wiki/index.php/NanoPi_NEO)
6 | * [NanoPi NEO firmware images and tools](https://drive.google.com/drive/folders/1MngjJtyoJbw91LC_qsL0Pc6ve4aXirGt)
7 |
8 |
9 |
10 |
11 |
12 | ## iCopy-X version
13 |
14 | Kind of OEM version without the Ethernet and USB-A connectors.
15 |
16 | Advertised as the 256MB version.
17 |
18 | ## SD Card
19 |
20 | ```
21 | Units: sectors of 1 * 512 = 512 bytes
22 | Sector size (logical/physical): 512 bytes / 512 bytes
23 | I/O size (minimum/optimal): 512 bytes / 512 bytes
24 | Disklabel type: dos
25 | Disk identifier: 0xcabe25b6
26 |
27 | Device     Boot   Start      End  Sectors  Size Id Type
28 | /dev/sda1         49152   131071    81920   40M  b W95 FAT32   => boot (FAT)
29 | /dev/sda2        131072  3612672  3481601  1.7G 83 Linux       => rootfs (ext4)
30 | /dev/sda3       4589568  7802879  3213312  1.5G 83 Linux       => userdata (ext4)
31 | /dev/sda4       7802880 30949375 23146496   11G 83 Linux       => ICOPY-X (FAT)
32 | ```
33 |
34 | ### boot partition
35 |
36 | U-Boot
37 |
38 | `/dev/mmcblk0p1` on NanoPi NEO
39 |
40 | Version comparison:
41 |
42 | * U-Boot SPL 2017.11 (Dec 19 2019 - 16:43:16) icode-x
43 | * U-Boot SPL 2017.11 (Apr 25 2021 - 09:46:57) nanopi-neo_sd_friendlycore-xenial_4.14_armhf_20210425
44 |
45 | Probably a `nanopi-neo_sd_friendlycore-xenial_4.14_armhf_20191219.img` but that image is not available anymore on the manufacturer site.
46 |
47 | Diffs:
48 | * In `filesystem_icopy-x/boot/uEnv.txt` Debug port is moved to `/dev/ttyS1` (which is on rx1/tx1 pins, see [Operations](../operations/README.md#uart1))
49 | ```diff
50 | -debug_port=ttyS0,115200
51 | +debug_port=ttyS1,115200
52 | ```
53 | * In `*dtb` Sitronix ST7789V LCD Driver is activated (disabled->okay)
54 | * In `rootfs.cpio.z` -> `init`
55 | ```diff
56 | -[ -d /tmp ] || mkdir -m 1777 /tmp
57 | +[ -d /tmp ] || mkdir /tmp
58 | ```
59 | This change is probably just a fix in the later nanopi-neo_sd_friendlycore-xenial_4.14_armhf_20210425
60 |
61 | Resources:
62 |
63 | * https://wiki.friendlyarm.com/wiki/index.php/Building_U-boot_and_Linux_for_H5/H3/H2%2B
64 |
65 | ### rootfs partition
66 |
67 | ext4
68 |
69 | rootfs seems to be an out-of-the-box image for NanoPi NEO: [*rootfs_friendlycore_4.14*](https://drive.google.com/file/d/1mFQ5zVdXpZ57ej2zSXdISC--VaORczmb/view?usp=sharing) except for kernel modules.
70 |
71 | Probably a `nanopi-neo_sd_friendlycore-xenial_4.14_armhf_20191219.img` but that image is not available anymore on the manufacturer site.
72 |
73 | Comparison of kernel modules compilation date:
74 | * 19/12/2019 official `rootfs_friendlycore_4.14.tgz`
75 | * 03/12/2020 icode-x
76 | * 25/04/2021 `nanopi-neo_sd_friendlycore-xenial_4.14_armhf_20210425`
77 |
78 | ### userdata partition
79 |
80 | ext4
81 |
82 | It implements an overlayfs, so all changes made on `rootfs` are stored separately on `userdata`.
83 |
84 | Resources:
85 |
86 | * https://github.com/friendlyarm/sd-fuse_h3
87 | * https://wiki.friendlyarm.com/wiki/index.php/How_to_use_overlayfs_on_Linux
88 |
89 | ### Consolidated view
90 |
91 | ```
92 | apt install fuse-overlayfs
93 | mkdir -p /tmp/mnt
94 | sudo fuse-overlayfs -o ro -o upperdir=userdata/root -o lowerdir=rootfs -o workdir=userdata/work -o squash_to_uid=1000 -o squash_to_gid=1000 /tmp/mnt
95 | ...
96 | fusermount -u /tmp/mnt
97 | ```
98 |
99 | ### ICOPY-X partition
100 |
101 | FAT
102 |
103 | This is the exposed partition when iCopy-X is mounted in PC-Mode on the host. In non-PC-mode, it's mounted at `/mnt/upan`.
104 |
105 | It contains
106 |
107 |
108 | * a Windows client for PC-Mode
109 |   * `Backup_of_CLIENT_X86.zip`
110 |   * `CLIENT_X86/`
111 |   * `run.bat`
112 | * a Windows client specific for hardnested attack
113 |   * `Backup_of_AUTO-Hardnest.zip`
114 |   * `AUTO-Hardnest.exe`
115 |   * `Skins/Office2007 Black.asz` ?
116 | * `Client.{20D04FE0-3AEA-1069-A2D8-08002B30309D}/`, another Windows client for Proxmark3
117 | * `dump/`
118 | * `keys/mf1/mf_user_key.dic`
119 | * a file to update the application following the naming convention `01234567.ipk` where `01234567` is the numeric serial number of the device printed on the back.
120 |
121 | See [Software](../software/README.md) section.
122 |
123 |

--------------------------------------------------------------------------------
/nanopi-neo/imgs/NEO_pinout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/nanopi-neo/imgs/NEO_pinout.jpg

--------------------------------------------------------------------------------
/nanopi-neo/imgs/NanoPi-NEO-layout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/nanopi-neo/imgs/NanoPi-NEO-layout.jpg

--------------------------------------------------------------------------------
/networking/README.md:
--------------------------------------------------------------------------------
1 | # Networking
2 |
3 | ## Internal USB socket
4 |
5 | One can add a USB-A female socket wired to the NanoPi NEO and use it to plug network adapters.
6 |
7 |
8 |
9 | Tested with a RT2870 dongle.
10 |
11 |
12 |
13 | ## USB-C OTG
14 |
15 | The iCopy-X USB-C port has OTG support so one can directly plug a network adapter without opening the iCopy-X!
16 |
17 | It's easier to just use an Ethernet dongle at first as it doesn't require messing with the firmware update mechanism to configure a Wi-Fi interface without access to UART1.
18 |
19 | I had many USB instabilities when using OTG, possibly due to my rewiring of the FPC between green PCB & NanoPi.
20 |
21 | Using a USB-C Y-cable and an external power supply solved all these issues (and allows charging the iCopy-X as well...).
22 |
23 |
24 |
25 | So, in short, to root the device without opening it, use an Ethernet dongle on the USB-C interface, possibly with a Y-cable and extra power supply. Then SSH on the allocated IP address.
26 |
27 | ## Ethernet
28 |
29 | Cheap USB-Ethernet dongles based on Realtek RTL8153 or ASIX AX88772A work fine.
30 |
31 | I believe soldering an Ethernet female socket on the NanoPi NEO Ethernet pinouts would work too.
32 |
33 | ## Wi-Fi
34 |
35 | See [here](https://wiki.friendlyarm.com/wiki/index.php/NanoPi_NEO#USB_WiFi) for which Wi-Fi chipsets work out of the box and how to use Network Manager from the command line.
36 |
37 | ```
38 | nmcli dev
39 | nmcli dev wifi
40 | nmcli dev wifi connect "SSID" password "PASSWORD"
41 | # or: nmcli dev wifi connect "SSID" password "PASSWORD" ifname
42 | ```
43 |
44 | ## Replacing NanoPi NEO by NanoPi NEO Air
45 |
46 | A more radical move done by @gator96100 is to entirely replace the NanoPi NEO with the Air version, which embeds a Wi-Fi module.
47 |
48 | *Details will come soon*.
49 |

--------------------------------------------------------------------------------
/networking/imgs/nanopi_usb.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/networking/imgs/nanopi_usb.jpg

--------------------------------------------------------------------------------
/networking/imgs/otg_cable.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/networking/imgs/otg_cable.png

--------------------------------------------------------------------------------
/networking/imgs/wifi_ssh.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/networking/imgs/wifi_ssh.png

--------------------------------------------------------------------------------
/operations/README.md:
--------------------------------------------------------------------------------
1 | # Operations
2 |
3 | ## Proxmark3 antennas
4 |
5 | * `lf tune`: 46V
6 | * `hf tune`: 37V
7 |
8 | ## Power Consumption
9 |
10 | Consumption measured over the 5V USB-C
11 |
12 | * 325mA when idle and not charging the battery
13 | * 411mA `lf tune`
14 | * 450mA `hf tune`
15 |
16 | ## Temperature
17 |
18 | H3 on NanoPi NEO and LCD become quite hot...
19 |
20 | ### NanoPi H3
21 |
22 |
23 |
24 | ### iCopy-X LCD
25 |
26 |
27 |
28 | ## Upgrade
29 |
30 | Official way to upgrade is
31 |
32 | * Get the serial written on the device, e.g. 01234567
33 | * Email it to team@icopy-x.com or fill it in https://www.icopy-x.com/updates and get back a `01234567.ipk` file.
34 | * Set the device into PC-Mode, connect to a PC and drop `01234567.ipk` at the root
35 | * Go to About / Go down to next page / Update firmware
36 |
37 | This will update the Python frontend and the proxmark3 client running on the NanoPi NEO.
38 |
39 | It may be possible to upgrade the internal Proxmark3 (ARM, FPGA) in PC-Mode via the exposed com port as usual.
40 |
41 | Beware: the proxmark3 client, firmware and FPGA image are all specific versions, don't use RRG/Iceman on them.
42 |
43 | ## non PC-Mode
44 |
45 | ```
46 | usb 1-2.3: New USB device found, idVendor=0525, idProduct=a4a5, bcdDevice= 4.14
47 | usb 1-2.3: New USB device strings: Mfr=3, Product=4, SerialNumber=0
48 | usb 1-2.3: Product: Mass Storage Gadget
49 | usb 1-2.3: Manufacturer: Linux 4.14.111 with musb-hdrc
50 | usb-storage 1-2.3:1.0: USB Mass Storage device detected
51 | usb-storage 1-2.3:1.0: Quirks match for vid 0525 pid a4a5: 10000
52 | scsi host2: usb-storage 1-2.3:1.0
53 | usbcore: registered new interface driver usb-storage
54 | usbcore: registered new interface driver uas
55 | scsi 2:0:0:0: Direct-Access Linux File-Stor Gadget 0414 PQ: 0 ANSI: 2
56 | scsi 2:0:0:0: Attached scsi generic sg0 type 0
57 | sd 2:0:0:0: Power-on or device reset occurred
58 | sd 2:0:0:0: [sda] 81920 512-byte logical blocks: (41.9 MB/40.0 MiB)
59 | sd 2:0:0:0: [sda] Write Protect is off
60 | sd 2:0:0:0: [sda] Mode Sense: 0f 00 00 00
61 | sd 2:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
62 | sda:
63 | sd 2:0:0:0: [sda] Attached SCSI disk
64 | usb 1-2.3: USB disconnect, device number 36
65 | sd 2:0:0:0: [sda] Synchronizing SCSI cache
66 | sd 2:0:0:0: [sda] Synchronize Cache(10) failed: Result: hostbyte=DID_NO_CONNECT driverbyte=DRIVER_OK
67 | usb 1-2.3: new high-speed USB device number 37 using xhci_hcd
68 | usb 1-2.3: New USB device found, idVendor=0525, idProduct=a4a7, bcdDevice= 4.14
69 | usb 1-2.3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
70 | usb 1-2.3: Product: Gadget Serial v2.4
71 | usb 1-2.3: Manufacturer: Linux 4.14.111 with musb-hdrc
72 | cdc_acm 1-2.3:2.0: ttyACM0: USB ACM device
73 | ```
74 |
75 | So it appears briefly as Mass Storage under VID/PID 0525:a4a5 then as UART bridge under VID/PID 0525:a4a7
76 |
77 | ## Interface
78 |
79 | On some screens, e.g. when reading a tag, Proxmark3 console output can be displayed by pressing *Right* button. Font size can be modified by pressing the 2 top unlabeled buttons.
80 |
81 | ## PC-Mode
82 |
83 | ```
84 | usb 1-2.3: New USB device found, idVendor=1d6b, idProduct=0106, bcdDevice= 4.14
85 | usb 1-2.3: New USB device strings: Mfr=3, Product=4, SerialNumber=0
86 | usb 1-2.3: Product: Composite Gadget (ACM + MS)
87 | usb 1-2.3: Manufacturer: Linux 4.14.111 with musb-hdrc
88 | cdc_acm 1-2.3:1.0: ttyACM0: USB ACM device
89 | usb-storage 1-2.3:1.2: USB Mass Storage device detected
90 | scsi host2: usb-storage 1-2.3:1.2
91 | scsi 2:0:0:0: Direct-Access Linux File-Stor Gadget 0414 PQ: 0 ANSI: 2
92 | sd 2:0:0:0: Attached scsi generic sg0 type 0
93 | sd 2:0:0:0: Power-on or device reset occurred
94 | sd 2:0:0:0: [sda] 23146496 512-byte logical blocks: (11.9 GB/11.0 GiB)
95 | sd 2:0:0:0: [sda] Write Protect is off
96 | sd 2:0:0:0: [sda] Mode Sense: 0f 00 00 00
97 | sd 2:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
98 | sda:
99 | sd 2:0:0:0: [sda] Attached SCSI removable disk
100 | ```
101 |
102 | Mass Storage makes ICOPY-X partition visible.
103 |
104 | `/dev/ttyACM0` allows communicating directly with the Proxmark3. It is twice as slow as a regular Proxmark3.
105 | It goes via a `socat` bridge in the NanoPi NEO:
106 |
107 | ```
108 | /bin/sh -c sudo socat /dev/ttyGS0,raw,echo=0 /dev/ttyACM0,raw,echo=0
109 | ```
110 |
111 | It is not identified as a Proxmark3, so if you're using a client other than their official one, you can't use the `pm3` script and have to explicitly tell your client to use the right port, cf [Compiling our client](../proxmark3/README.md#compiling-our-client) section.
112 |
113 | ## UART1
114 |
115 | ### Connect
116 |
117 | On NanoPi NEO pins rx1 and tx1 (UART1 3v3) at 115200 baud, the Debug console is available (pi/pi, fa/fa and root/fa, sudo is also available)
118 |
119 |
120 |
121 | Internally, it corresponds to `/dev/ttyS1`
122 |
123 | ## Boot & Shutdown
124 |
125 | cf [boot.log](boot.log) and [shutdown.log](shutdown.log)
126 |
127 | ```
128 | cat /proc/cmdline
129 | console=ttyS1,115200 earlyprintk root=/dev/mmcblk0p2 rootfstype=ext4 rw rootwait fsck.repair=yes panic=10 fbcon=map:0 data=/dev/mmcblk0p3 snd-soc-core.pmdown_time=3600000
130 | ```
131 |
132 | ## Mount
133 | physical partitions:
134 | ```
135 | /dev/mmcblk0p1 on /boot type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
136 | overlay on / type overlay (rw,relatime,lowerdir=/root,upperdir=/data/root,workdir=/data/work)
137 | /dev/mmcblk0p4 on /mnt/upan type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
138 | ```
139 | ## Processes
140 | ```
141 | /usr/bin/sudo /usr/bin/xinit /etc/icopy.d/ipk_starter.py
142 | /bin/sh -c sudo /home/pi/ipk_app_main/app.py
143 | /bin/sh -c sudo -s /home/pi/ipk_app_main/pm3/proxmark3 /dev/ttyACM0 -w --flush
144 | ```
145 | ## Explore app.py
146 |
147 | ```python
148 | $ python3 -i
149 | >>> import sys, inspect
150 | >>> sys.path.append("main")
151 | >>> sys.path.append("lib")
152 |
153 | >>> from lib import version
154 | >>> version.SERIAL_NUMBER
155 | '12345678'
156 | >>> version.getSN()
157 | '12345678'
158 | >>> version.UID
159 | ... Some 78 base64-encoded bytes
160 |
161 | >>> from lib import commons
162 | >>> commons.getFlashID()
163 | ****************************************************************
164 | 开始执行命令 b'Nikola.D.CMD = mem info\r\n'
165 | 命令发送成功,开始进入接收
166 | 检测到通信结束协议字符,通信完成:
167 |
168 | [=] --- Flash memory Information ---------
169 | ... Dump of the "mem info" command execution on Proxmark3
170 |
171 | 命令执行时间(ms): 97.3889729976654
172 | 执行命令完成
173 | ****************************************************************
174 | '0102030405060708'
175 |
176 | >>> commons.startPlatformCMD('ls')
177 | app.py main nikola res lib pm3
178 |
179 | >>> from lib import games
180 | >>> str(inspect.signature(games.GreedySnake))
181 | "(canvas, block_size=10, default_len=3, default_xy=(28, 129), default_border=(4, 40, 240, 240), default_direction='UP')"
182 | ```
183 |
184 | ## Install packages
185 |
186 | ```
187 | apt-cache show strace | egrep '(Depends|Filename)'
188 | Depends: libc6 (>= 2.15)
189 | Filename: pool/main/s/strace/strace_4.11-1ubuntu3_armhf.deb
190 | # Now from host:
191 | # wget http://ports.ubuntu.com/pool/main/s/strace/strace_4.11-1ubuntu3_armhf.deb
192 | # => ICOPY-X
193 | sudo dpkg -i /mnt/upan/packages/strace_4.11-1ubuntu3_armhf.deb
194 |
195 | ```
196 | ## Trace proxmark3 calls
197 |
198 | First install strace as seen above
199 |
200 | ```
201 | strace -p$(pgrep proxmark3) -s9999 -e write|sed -u 's/^[^"]*"//;s/"[^"]*$//;s/\\n$//;s/\\n/\n/g;s/\\t/\t/g;s/\\r/\r/g'
202 | strace: Process 1234 attached
203 | ```
204 | Now whenever `app.py` executes commands with the `proxmark3` client, we'll see them as if it was our client.
```
[usb|script] pm3 --> hf 14a info

Nikola.D: 0
[usb|script] pm3 --> lf sea

[=] NOTE: some demods output possible binary
[=] if it finds something that looks like a tag
[=] False Positives ARE possible
[=]
[=] Checking for known tags...
[=]
[+] Indala - len 64, Raw: a0000000a0002021
[+] Fmt 26 FC: 1 Card: 2 checksum: 01
[+] Possible de-scramble patterns
[+] Printed | __0000__ [0x0]
[+] Internal ID | 536879137
[+] Heden-2L | 320

[+] Valid Indala ID found!

Couldn't identify a chipset

Nikola.D: 0

```

Diagnosis:

```
hf tune
lf tune
lf sea
mem spiffs load f /tmp/test_pm3_mem.nikola o test_pm3_mem.nikola
mem spiffs wipe
```

## STM32 commands over UART0

See [STM32 Commands](../stm32_commands/README.md)

## Networking

We can add network connectivity to the iCopy-X, see [Networking](../networking/README.md)

## Rotated screen

During operations, the screen sometimes ended up rotated.

This happens when the NanoPi reboots without coordination with the STM32. E.g. a simple `sudo shutdown -r now` triggers it.

To fix it, power off the device and unplug the external USB-C power supply.
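The `strace`/`sed` pipeline in "Trace proxmark3 calls" above decodes the client's writes live. The following added example (not part of the original repository) does the same offline in Python on a saved trace (for instance one written with `strace -o`), keeping only stdout writes and splitting the text per command. The sample trace lines are constructed; treating fd 1 as the client's text output and `Nikola.D: <n>` as the line that closes a response are assumptions based on the output shown on this page.

```python
import re

# One strace record: write(fd, "escaped string", len) = ret
WRITE_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?write\((\d+), "((?:[^"\\]|\\.)*)"(?:\.\.\.)?, \d+\)\s*= (-?\d+)')
# strace escapes: \xHH (with -x), octal \N..\NNN, and C escapes such as \n \t \" \\
ESC_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|[0-7]{1,3}|.)')
SIMPLE = {'n': b'\n', 't': b'\t', 'r': b'\r', 'v': b'\v', 'f': b'\f'}
ANSI_RE = re.compile(r'\x1b\[[0-9;]*[A-Za-z]')        # colour codes, if any
PROMPT_RE = re.compile(r'^\[[^\]]*\] pm3 --> (.*)$')   # prompt echo seen on the page
TRAILER_RE = re.compile(r'^Nikola\.D: (-?\d+)$')       # assumed end-of-response line


def decode_strace_string(escaped):
    """Turn strace's escaped string back into the bytes that were written."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(escaped):
        out += escaped[pos:m.start()].encode()
        tok = m.group(1)
        if len(tok) == 3 and tok[0] == 'x':
            out.append(int(tok[1:], 16))
        elif tok[0] in '01234567':
            out.append(int(tok, 8) & 0xFF)
        else:
            out += SIMPLE.get(tok, tok.encode())   # \" and \\ map to themselves
        pos = m.end()
    out += escaped[pos:].encode()
    return bytes(out)


def stdout_text(strace_lines, fd=1):
    """Concatenate what was really written to `fd` (assumption: 1 = client text)."""
    buf = bytearray()
    for line in strace_lines:
        m = WRITE_RE.match(line)
        if not m or int(m.group(1)) != fd:
            continue                       # other syscalls, other fds, strace banner
        ret = int(m.group(3))
        if ret <= 0:
            continue                       # failed write: nothing reached the fd
        buf += decode_strace_string(m.group(2))[:ret]   # honour partial writes
    text = buf.decode('utf-8', 'replace').replace('\r', '')
    return ANSI_RE.sub('', text)


def transcript(strace_lines):
    """Group the decoded text into one record per pm3 command."""
    records, current = [], None
    for line in stdout_text(strace_lines).split('\n'):
        prompt = PROMPT_RE.match(line)
        trailer = TRAILER_RE.match(line)
        if prompt:
            current = {'command': prompt.group(1).strip(), 'output': [], 'trailer': None}
            records.append(current)
        elif current is not None and trailer:
            current['trailer'] = int(trailer.group(1))
            current = None
        elif current is not None and line.strip():
            current['output'].append(line)
    return records


# Constructed sample trace (not captured from a device).
SAMPLE = r'''strace: Process 1234 attached
write(1, "[usb|script] pm3 --> hf 14a info\n", 33) = 33
write(4, "\1\0\377\0", 4) = 4
write(1, "\n", 1) = 1
write(1, "Nikola.D: 0\n", 12) = 12
write(1, "[usb|script] pm3 --> lf sea\n", 28) = 28
write(1, "dropped\n", 8) = -1 EAGAIN (Resource temporarily unavailable)
write(1, "\33[32m[+]\33[0m Valid Indala ID found!\n", 36) = 36
write(1, "Couldn't identify a chipset\nNikola.", 35) = 35
write(1, "D: 0\n", 5) = 5
'''.splitlines()

if __name__ == '__main__':
    for rec in transcript(SAMPLE):
        print(rec['command'], '->', rec['trailer'])
        for out_line in rec['output']:
            print('   ', out_line)
```

Unlike the `sed` one-liner, this ignores writes to other file descriptors (such as the serial port) and reassembles lines that the client emitted across several `write()` calls.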
258 | -------------------------------------------------------------------------------- /operations/boot.log: -------------------------------------------------------------------------------- 1 | [ 0.000000] Booting Linux on physical CPU 0x0 2 | [ 0.000000] Linux version 4.14.111 (h3@h3-virtual-machine) (gcc version 4.9.3 (ctng-1.21.0-229g-FA)) #13 SMP Mon Jan 25 19:42:05 CST 2021 3 | [ 0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=30c5387d 4 | [ 0.000000] CPU: div instructions available: patching division code 5 | [ 0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache 6 | [ 0.000000] OF: fdt: Machine model: FriendlyElec NanoPi-NEO 7 | [ 0.000000] Memory policy: Data cache writealloc 8 | [ 0.000000] Reserved memory: created CMA memory pool at 0x000000004bc00000, size 64 MiB 9 | [ 0.000000] OF: reserved mem: initialized node linux,cma, compatible id shared-dma-pool 10 | [ 0.000000] psci: probing for conduit method from DT. 11 | [ 0.000000] psci: Using PSCI v0.1 Function IDs from DT 12 | [ 0.000000] percpu: Embedded 17 pages/cpu @cfd1b000 s37120 r8192 d24320 u69632 13 | [ 0.000000] Built 1 zonelists, mobility grouping on. 
Total pages: 64960 14 | [ 0.000000] Kernel command line: console=ttyS1,115200 earlyprintk root=/dev/mmcblk0p2 rootfstype=ext4 rw rootwait fsck.repair=yes panic=10 fbcon=map:0 data=/dev/mmcblk0p3 snd-soc-core.pmdown_time=3600000 15 | [ 0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes) 16 | [ 0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes) 17 | [ 0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes) 18 | [ 0.000000] Memory: 170216K/262144K available (10240K kernel code, 391K rwdata, 2080K rodata, 2048K init, 303K bss, 26392K reserved, 65536K cma-reserved, 0K highmem) 19 | [ 0.000000] Virtual kernel memory layout: 20 | [ 0.000000] vector : 0xffff0000 - 0xffff1000 ( 4 kB) 21 | [ 0.000000] fixmap : 0xffc00000 - 0xfff00000 (3072 kB) 22 | [ 0.000000] vmalloc : 0xd0800000 - 0xff800000 ( 752 MB) 23 | [ 0.000000] lowmem : 0xc0000000 - 0xd0000000 ( 256 MB) 24 | [ 0.000000] pkmap : 0xbfe00000 - 0xc0000000 ( 2 MB) 25 | [ 0.000000] modules : 0xbf000000 - 0xbfe00000 ( 14 MB) 26 | [ 0.000000] .text : 0xc0008000 - 0xc0c00000 (12256 kB) 27 | [ 0.000000] .init : 0xc1000000 - 0xc1200000 (2048 kB) 28 | [ 0.000000] .data : 0xc1200000 - 0xc1261f00 ( 392 kB) 29 | [ 0.000000] .bss : 0xc126a884 - 0xc12b6850 ( 304 kB) 30 | [ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1 31 | [ 0.000000] Hierarchical RCU implementation. 32 | [ 0.000000] RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=4. 33 | [ 0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=4 34 | [ 0.000000] NR_IRQS: 16, nr_irqs: 16, preallocated irqs: 16 35 | [ 0.000000] GIC: Using split EOI/Deactivate mode 36 | [ 0.000000] clocksource: timer: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 79635851949 ns 37 | [ 0.000000] arch_timer: cp15 timer(s) running at 24.00MHz (phys). 
38 | [ 0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x588fe9dc0, max_idle_ns: 440795202592 ns 39 | [ 0.000007] sched_clock: 56 bits at 24MHz, resolution 41ns, wraps every 4398046511097ns 40 | [ 0.000019] Switching to timer-based delay loop, resolution 41ns 41 | [ 0.000217] Console: colour dummy device 80x30 42 | [ 0.000252] Calibrating delay loop (skipped), value calculated using timer frequency.. 48.00 BogoMIPS (lpj=120000) 43 | [ 0.000267] pid_max: default: 32768 minimum: 301 44 | [ 0.000432] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes) 45 | [ 0.000447] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes) 46 | [ 0.001174] CPU: Testing write buffer coherency: ok 47 | [ 0.001639] CPU0: update cpu_capacity 1024 48 | [ 0.001650] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000 49 | [ 0.002026] Setting up static identity map for 0x40200000 - 0x40200060 50 | [ 0.002156] Hierarchical SRCU implementation. 51 | [ 0.002731] smp: Bringing up secondary CPUs ... 52 | [ 0.013522] CPU1: update cpu_capacity 1024 53 | [ 0.013529] CPU1: thread -1, cpu 1, socket 0, mpidr 80000001 54 | [ 0.024412] CPU2: update cpu_capacity 1024 55 | [ 0.024417] CPU2: thread -1, cpu 2, socket 0, mpidr 80000002 56 | [ 0.035210] CPU3: update cpu_capacity 1024 57 | [ 0.035216] CPU3: thread -1, cpu 3, socket 0, mpidr 80000003 58 | [ 0.035301] smp: Brought up 1 node, 4 CPUs 59 | [ 0.035331] SMP: Total of 4 processors activated (192.00 BogoMIPS). 60 | [ 0.035338] CPU: All CPU(s) started in HYP mode. 61 | [ 0.035343] CPU: Virtualization extensions available. 
62 | [ 0.036034] devtmpfs: initialized 63 | [ 0.042742] random: get_random_u32 called from bucket_table_alloc+0xf0/0x240 with crng_init=0 64 | [ 0.043371] VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5 65 | [ 0.043649] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 9556302231375000 ns 66 | [ 0.043672] futex hash table entries: 1024 (order: 4, 65536 bytes) 67 | [ 0.046378] xor: measuring software checksum speed 68 | [ 0.095037] arm4regs : 1372.800 MB/sec 69 | [ 0.145093] 8regs : 769.600 MB/sec 70 | [ 0.195146] 32regs : 850.400 MB/sec 71 | [ 0.245203] neon : 1283.200 MB/sec 72 | [ 0.245211] xor: using function: arm4regs (1372.800 MB/sec) 73 | [ 0.245229] pinctrl core: initialized pinctrl subsystem 74 | [ 0.246226] NET: Registered protocol family 16 75 | [ 0.247887] DMA: preallocated 256 KiB pool for atomic coherent allocations 76 | [ 0.248687] cpuidle: using governor ladder 77 | [ 0.248727] cpuidle: using governor menu 78 | [ 0.249154] hw-breakpoint: found 5 (+1 reserved) breakpoint and 4 watchpoint registers. 79 | [ 0.249164] hw-breakpoint: maximum watchpoint size is 8 bytes. 80 | [ 0.267871] SCSI subsystem initialized 81 | [ 0.268283] usbcore: registered new interface driver usbfs 82 | [ 0.268327] usbcore: registered new interface driver hub 83 | [ 0.268416] usbcore: registered new device driver usb 84 | [ 0.268574] media: Linux media interface: v0.10 85 | [ 0.268616] Linux video capture interface: v2.00 86 | [ 0.268744] pps_core: LinuxPPS API ver. 1 registered 87 | [ 0.268751] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti 88 | [ 0.268770] PTP clock support registered 89 | [ 0.269077] Advanced Linux Sound Architecture Driver Initialized. 
90 | [ 0.270687] clocksource: Switched to clocksource arch_sys_counter 91 | [ 0.270860] VFS: Disk quotas dquot_6.6.0 92 | [ 0.270942] VFS: Dquot-cache hash table entries: 1024 (order 0, 4096 bytes) 93 | [ 0.271108] FS-Cache: Loaded 94 | [ 0.278305] NET: Registered protocol family 2 95 | [ 0.278953] TCP established hash table entries: 2048 (order: 1, 8192 bytes) 96 | [ 0.278990] TCP bind hash table entries: 2048 (order: 2, 16384 bytes) 97 | [ 0.279026] TCP: Hash tables configured (established 2048 bind 2048) 98 | [ 0.279141] UDP hash table entries: 256 (order: 1, 8192 bytes) 99 | [ 0.279183] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes) 100 | [ 0.279387] NET: Registered protocol family 1 101 | [ 0.279884] RPC: Registered named UNIX socket transport module. 102 | [ 0.279897] RPC: Registered udp transport module. 103 | [ 0.279903] RPC: Registered tcp transport module. 104 | [ 0.279908] RPC: Registered tcp NFSv4.1 backchannel transport module. 105 | [ 0.280154] Unpacking initramfs... 106 | [ 0.578769] Freeing initrd memory: 5744K 107 | [ 0.579288] kvm [1]: 8-bit VMID 108 | [ 0.579995] kvm [1]: vgic interrupt IRQ16 109 | [ 0.580094] kvm [1]: Hyp mode initialized successfully 110 | [ 0.583011] workingset: timestamp_bits=14 max_order=16 bucket_order=2 111 | [ 0.587673] zbud: loaded 112 | [ 0.589269] FS-Cache: Netfs 'nfs' registered for caching 113 | [ 0.589796] NFS: Registering the id_resolver key type 114 | [ 0.589835] Key type id_resolver registered 115 | [ 0.589842] Key type id_legacy registered 116 | [ 0.589858] nfs4filelayout_init: NFSv4 File Layout Driver Registering... 117 | [ 0.589875] Installing knfsd (copyright (C) 1996 okir@monad.swb.de). 
118 | [ 0.590887] fuse init (API version 7.26) 119 | [ 0.596388] async_tx: api initialized (async) 120 | [ 0.596497] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 246) 121 | [ 0.596654] io scheduler noop registered (default) 122 | [ 0.596664] io scheduler deadline registered 123 | [ 0.596858] io scheduler cfq registered 124 | [ 0.596868] io scheduler mq-deadline registered 125 | [ 0.596998] io scheduler bfq registered 126 | [ 0.597683] sun4i-usb-phy 1c19400.phy: Couldn't request ID GPIO, pinctrl may not init 127 | [ 0.601485] sun8i-h3-pinctrl 1c20800.pinctrl: initialized sunXi PIO driver 128 | [ 0.603001] sun8i-h3-r-pinctrl 1f02c00.pinctrl: initialized sunXi PIO driver 129 | [ 0.608415] Serial: 8250/16550 driver, 8 ports, IRQ sharing disabled 130 | [ 0.630420] 1c28000.serial: ttyS0 at MMIO 0x1c28000 (irq = 44, base_baud = 1500000) is a U6_16550A 131 | [ 0.653233] 1c28400.serial: ttyS1 at MMIO 0x1c28400 (irq = 45, base_baud = 1500000) is a U6_16550A 132 | [ 1.421111] console [ttyS1] enabled 133 | [ 1.426853] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013). 134 | [ 1.433497] [drm] No driver support for vblank timestamp query. 135 | [ 1.448851] sun4i-drm display-engine: bound 1100000.mixer (ops 0xc0c51ba8) 136 | [ 1.455939] sun4i-drm display-engine: No panel or bridge found... 
RGB output disabled 137 | [ 1.463787] sun4i-drm display-engine: bound 1c0c000.lcd-controller (ops 0xc0c508ac) 138 | [ 1.595791] sun8i-dw-hdmi 1ee0000.hdmi: Detected HDMI TX controller v1.32a with HDCP (sun8i_dw_hdmi_phy) 139 | [ 1.605669] sun8i-dw-hdmi 1ee0000.hdmi: registered DesignWare HDMI I2C bus driver 140 | [ 1.613440] sun4i-drm display-engine: bound 1ee0000.hdmi (ops 0xc0c51f28) 141 | [ 1.620301] [drm] Cannot find any crtc or sizes - going 1920x1080 142 | [ 1.667611] Console: switching to colour frame buffer device 240x67 143 | [ 1.698491] sun4i-drm display-engine: fb0: frame buffer device 144 | [ 1.704887] [drm] Initialized sun4i-drm 1.0.0 20150629 for display-engine on minor 0 145 | [ 1.721761] loop: module loaded 146 | [ 1.741255] st: Version 20160209, fixed bufsize 32768, s/g segs 256 147 | [ 1.747629] osst :I: Tape driver with OnStream support version 0.99.4 148 | [ 1.747629] osst :I: $Id: osst.c,v 1.73 2005/01/01 21:13:34 wriede Exp $ 149 | [ 1.760984] SCSI Media Changer driver v0.25 150 | [ 1.767067] libphy: Fixed MDIO Bus: probed 151 | [ 1.771211] tun: Universal TUN/TAP device driver, 1.6 152 | [ 1.776465] CAN device driver interface 153 | [ 1.780820] dwmac-sun8i 1c30000.ethernet: PTP uses main clock 154 | [ 1.786614] dwmac-sun8i 1c30000.ethernet: No regulator found 155 | [ 1.792323] dwmac-sun8i 1c30000.ethernet: Will use internal PHY 156 | [ 1.798443] dwmac-sun8i 1c30000.ethernet: Chain mode enabled 157 | [ 1.804114] dwmac-sun8i 1c30000.ethernet: No HW DMA feature register supported 158 | [ 1.811336] dwmac-sun8i 1c30000.ethernet: Normal descriptors 159 | [ 1.817001] dwmac-sun8i 1c30000.ethernet: RX Checksum Offload Engine supported 160 | [ 1.824223] dwmac-sun8i 1c30000.ethernet: COE Type 2 161 | [ 1.829194] dwmac-sun8i 1c30000.ethernet: TX Checksum insertion supported 162 | [ 1.836549] libphy: stmmac: probed 163 | [ 1.846019] PPP generic driver version 2.4.2 164 | [ 1.850523] PPP BSD Compression module registered 165 | [ 1.855244] PPP Deflate 
Compression module registered 166 | [ 1.860340] PPP MPPE Compression module registered 167 | [ 1.865138] NET: Registered protocol family 24 168 | [ 1.869690] usbcore: registered new interface driver qmi_wwan 169 | [ 1.875473] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver 170 | [ 1.882010] ehci-platform: EHCI generic platform driver 171 | [ 1.887521] ehci-platform 1c1a000.usb: EHCI Host Controller 172 | [ 1.893141] ehci-platform 1c1a000.usb: new USB bus registered, assigned bus number 1 173 | [ 1.901281] ehci-platform 1c1a000.usb: irq 28, io mem 0x01c1a000 174 | [ 1.920704] ehci-platform 1c1a000.usb: USB 2.0 started, EHCI 1.00 175 | [ 1.926994] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002 176 | [ 1.933794] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1 177 | [ 1.941019] usb usb1: Product: EHCI Host Controller 178 | [ 1.945903] usb usb1: Manufacturer: Linux 4.14.111 ehci_hcd 179 | [ 1.951479] usb usb1: SerialNumber: 1c1a000.usb 180 | [ 1.956553] hub 1-0:1.0: USB hub found 181 | [ 1.960332] hub 1-0:1.0: 1 port detected 182 | [ 1.964968] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver 183 | [ 1.971193] ohci-platform: OHCI generic platform driver 184 | [ 1.976627] ohci-platform 1c1a400.usb: Generic Platform OHCI controller 185 | [ 1.983278] ohci-platform 1c1a400.usb: new USB bus registered, assigned bus number 2 186 | [ 1.991229] ohci-platform 1c1a400.usb: irq 29, io mem 0x01c1a400 187 | [ 2.059839] usb usb2: New USB device found, idVendor=1d6b, idProduct=0001 188 | [ 2.066646] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1 189 | [ 2.073874] usb usb2: Product: Generic Platform OHCI controller 190 | [ 2.079798] usb usb2: Manufacturer: Linux 4.14.111 ohci_hcd 191 | [ 2.085375] usb usb2: SerialNumber: 1c1a400.usb 192 | [ 2.092806] hub 2-0:1.0: USB hub found 193 | [ 2.096602] hub 2-0:1.0: 1 port detected 194 | [ 2.101234] usbcore: registered new interface driver cdc_acm 195 | [ 2.106909] cdc_acm: 
USB Abstract Control Model driver for USB modems and ISDN adapters 196 | [ 2.114958] usbcore: registered new interface driver usblp 197 | [ 2.120479] usbcore: registered new interface driver cdc_wdm 198 | [ 2.126188] usbcore: registered new interface driver uas 199 | [ 2.131593] usbcore: registered new interface driver usb-storage 200 | [ 2.137687] usbcore: registered new interface driver usbserial 201 | [ 2.143565] usbcore: registered new interface driver usbserial_generic 202 | [ 2.150123] usbserial: USB Serial support registered for generic 203 | [ 2.156166] usbcore: registered new interface driver option 204 | [ 2.161767] usbserial: USB Serial support registered for GSM modem (1-port) 205 | [ 2.168875] usbcore: registered new interface driver qcserial 206 | [ 2.174658] usbserial: USB Serial support registered for Qualcomm USB modem 207 | [ 2.182434] mousedev: PS/2 mouse device common for all mice 208 | [ 2.188506] sun6i-rtc 1f00000.rtc: rtc core: registered rtc-sun6i as rtc0 209 | [ 2.195306] sun6i-rtc 1f00000.rtc: RTC enabled 210 | [ 2.199825] i2c /dev entries driver 211 | [ 2.205183] lirc_dev: IR Remote Control driver registered, major 244 212 | [ 2.211566] IR NEC protocol handler initialized 213 | [ 2.216104] IR RC5(x/sz) protocol handler initialized 214 | [ 2.221158] IR RC6 protocol handler initialized 215 | [ 2.225692] IR JVC protocol handler initialized 216 | [ 2.230215] IR Sony protocol handler initialized 217 | [ 2.234834] IR SANYO protocol handler initialized 218 | [ 2.239541] IR Sharp protocol handler initialized 219 | [ 2.244248] IR MCE Keyboard/mouse protocol handler initialized 220 | [ 2.250081] IR LIRC bridge handler initialized 221 | [ 2.254527] IR XMP protocol handler initialized 222 | [ 2.259949] thermal thermal_zone0: failed to read out thermal zone (-16) 223 | [ 2.267212] sunxi-wdt 1c20ca0.watchdog: Watchdog enabled (timeout=16 sec, nowayout=0) 224 | [ 2.275525] device-mapper: ioctl: 4.37.0-ioctl (2017-09-20) initialised: dm-devel@redhat.com 
225 | [ 2.325756] sunxi-mmc 1c0f000.mmc: initialized, max. request size: 16384 KB 226 | [ 2.334692] ledtrig-cpu: registered to indicate activity on CPUs 227 | [ 2.342957] hidraw: raw HID events driver (C) Jiri Kosina 228 | [ 2.348524] usbcore: registered new interface driver usbhid 229 | [ 2.354108] usbhid: USB HID core driver 230 | [ 2.358257] fbtft_of_value: buswidth = 8 231 | [ 2.362200] fbtft_of_value: debug = 0 232 | [ 2.365870] fbtft_of_value: rotate = 0 233 | [ 2.369614] fbtft_of_value: fps = 60 234 | [ 2.402802] mmc0: host does not support reading read-only switch, assuming write-enable 235 | [ 2.412614] mmc0: new high speed SDHC card at address 59b4 236 | [ 2.418570] mmcblk0: mmc0:59b4 SD 14.8 GiB 237 | [ 2.424546] mmcblk0: p1 p2 p3 p4 238 | [ 2.496001] random: fast init done 239 | [ 2.525009] graphics fb1: fb_st7789v frame buffer, 240x240, 112 KiB video memory, 4 KiB buffer memory, fps=66, spi0.0 at 40 MHz 240 | [ 2.549371] sun4i-codec 1c22c00.codec: Codec <-> 1c22c00.codec mapping ok 241 | [ 2.559354] Initializing XFRM netlink socket 242 | [ 2.564240] NET: Registered protocol family 10 243 | [ 2.586142] Segment Routing with IPv6 244 | [ 2.589915] NET: Registered protocol family 17 245 | [ 2.594404] NET: Registered protocol family 15 246 | [ 2.598866] can: controller area network core (rev 20170425 abi 9) 247 | [ 2.605216] NET: Registered protocol family 29 248 | [ 2.609675] can: raw protocol (rev 20170425) 249 | [ 2.613949] can: broadcast manager protocol (rev 20170425 t) 250 | [ 2.619618] can: netlink gateway (rev 20170425) max_hops=1 251 | [ 2.625624] Key type dns_resolver registered 252 | [ 2.630225] Registering SWP/SWPB emulation handler 253 | [ 2.636405] registered taskstats version 1 254 | [ 2.648470] Key type encrypted registered 255 | [ 2.658479] vcc1v2: supplied by vcc5v0 256 | [ 2.662618] vcc-dram: supplied by vcc5v0 257 | [ 2.666889] vdd-cpux-en: supplied by vcc5v0 258 | [ 2.672820] ehci-platform 1c1b000.usb: EHCI Host Controller 259 | [ 
2.678453] ehci-platform 1c1b000.usb: new USB bus registered, assigned bus number 3 260 | [ 2.686833] ehci-platform 1c1b000.usb: irq 30, io mem 0x01c1b000 261 | [ 2.705706] ehci-platform 1c1b000.usb: USB 2.0 started, EHCI 1.00 262 | [ 2.712004] usb usb3: New USB device found, idVendor=1d6b, idProduct=0002 263 | [ 2.718803] usb usb3: New USB device strings: Mfr=3, Product=2, SerialNumber=1 264 | [ 2.726032] usb usb3: Product: EHCI Host Controller 265 | [ 2.730916] usb usb3: Manufacturer: Linux 4.14.111 ehci_hcd 266 | [ 2.736492] usb usb3: SerialNumber: 1c1b000.usb 267 | [ 2.741641] hub 3-0:1.0: USB hub found 268 | [ 2.745426] hub 3-0:1.0: 1 port detected 269 | [ 2.750091] ehci-platform 1c1c000.usb: EHCI Host Controller 270 | [ 2.755714] ehci-platform 1c1c000.usb: new USB bus registered, assigned bus number 4 271 | [ 2.763814] ehci-platform 1c1c000.usb: irq 32, io mem 0x01c1c000 272 | [ 2.780701] ehci-platform 1c1c000.usb: USB 2.0 started, EHCI 1.00 273 | [ 2.786959] usb usb4: New USB device found, idVendor=1d6b, idProduct=0002 274 | [ 2.793758] usb usb4: New USB device strings: Mfr=3, Product=2, SerialNumber=1 275 | [ 2.800983] usb usb4: Product: EHCI Host Controller 276 | [ 2.805866] usb usb4: Manufacturer: Linux 4.14.111 ehci_hcd 277 | [ 2.811441] usb usb4: SerialNumber: 1c1c000.usb 278 | [ 2.816524] hub 4-0:1.0: USB hub found 279 | [ 2.820304] hub 4-0:1.0: 1 port detected 280 | [ 2.824883] ehci-platform 1c1d000.usb: EHCI Host Controller 281 | [ 2.830491] ehci-platform 1c1d000.usb: new USB bus registered, assigned bus number 5 282 | [ 2.838539] ehci-platform 1c1d000.usb: irq 34, io mem 0x01c1d000 283 | [ 2.855698] ehci-platform 1c1d000.usb: USB 2.0 started, EHCI 1.00 284 | [ 2.861939] usb usb5: New USB device found, idVendor=1d6b, idProduct=0002 285 | [ 2.868736] usb usb5: New USB device strings: Mfr=3, Product=2, SerialNumber=1 286 | [ 2.875963] usb usb5: Product: EHCI Host Controller 287 | [ 2.880846] usb usb5: Manufacturer: Linux 4.14.111 ehci_hcd 288 | [ 
2.886420] usb usb5: SerialNumber: 1c1d000.usb 289 | [ 2.891423] hub 5-0:1.0: USB hub found 290 | [ 2.895198] hub 5-0:1.0: 1 port detected 291 | [ 2.899759] ohci-platform 1c1b400.usb: Generic Platform OHCI controller 292 | [ 2.906414] ohci-platform 1c1b400.usb: new USB bus registered, assigned bus number 6 293 | [ 2.914401] ohci-platform 1c1b400.usb: irq 31, io mem 0x01c1b400 294 | [ 2.979837] usb usb6: New USB device found, idVendor=1d6b, idProduct=0001 295 | [ 2.986638] usb usb6: New USB device strings: Mfr=3, Product=2, SerialNumber=1 296 | [ 2.993863] usb usb6: Product: Generic Platform OHCI controller 297 | [ 2.999787] usb usb6: Manufacturer: Linux 4.14.111 ohci_hcd 298 | [ 3.005363] usb usb6: SerialNumber: 1c1b400.usb 299 | [ 3.010806] hub 6-0:1.0: USB hub found 300 | [ 3.014586] hub 6-0:1.0: 1 port detected 301 | [ 3.019135] ohci-platform 1c1c400.usb: Generic Platform OHCI controller 302 | [ 3.025791] ohci-platform 1c1c400.usb: new USB bus registered, assigned bus number 7 303 | [ 3.033774] ohci-platform 1c1c400.usb: irq 33, io mem 0x01c1c400 304 | [ 3.099851] usb usb7: New USB device found, idVendor=1d6b, idProduct=0001 305 | [ 3.106654] usb usb7: New USB device strings: Mfr=3, Product=2, SerialNumber=1 306 | [ 3.113880] usb usb7: Product: Generic Platform OHCI controller 307 | [ 3.119803] usb usb7: Manufacturer: Linux 4.14.111 ohci_hcd 308 | [ 3.125380] usb usb7: SerialNumber: 1c1c400.usb 309 | [ 3.130407] hub 7-0:1.0: USB hub found 310 | [ 3.134208] hub 7-0:1.0: 1 port detected 311 | [ 3.138735] ohci-platform 1c1d400.usb: Generic Platform OHCI controller 312 | [ 3.145380] ohci-platform 1c1d400.usb: new USB bus registered, assigned bus number 8 313 | [ 3.153359] ohci-platform 1c1d400.usb: irq 35, io mem 0x01c1d400 314 | [ 3.219841] usb usb8: New USB device found, idVendor=1d6b, idProduct=0001 315 | [ 3.226640] usb usb8: New USB device strings: Mfr=3, Product=2, SerialNumber=1 316 | [ 3.233864] usb usb8: Product: Generic Platform OHCI controller 317 | [ 
3.239787] usb usb8: Manufacturer: Linux 4.14.111 ohci_hcd 318 | [ 3.245365] usb usb8: SerialNumber: 1c1d400.usb 319 | [ 3.250339] hub 8-0:1.0: USB hub found 320 | [ 3.254147] hub 8-0:1.0: 1 port detected 321 | [ 3.258733] usb_phy_generic usb_phy_generic.3.auto: usb_phy_generic.3.auto supply vcc not found, using dummy regulator 322 | [ 3.269796] musb-hdrc musb-hdrc.4.auto: MUSB HDRC host driver 323 | [ 3.275572] musb-hdrc musb-hdrc.4.auto: new USB bus registered, assigned bus number 9 324 | [ 3.283542] usb usb9: New USB device found, idVendor=1d6b, idProduct=0002 325 | [ 3.290348] usb usb9: New USB device strings: Mfr=3, Product=2, SerialNumber=1 326 | [ 3.297575] usb usb9: Product: MUSB HDRC host driver 327 | [ 3.302544] usb usb9: Manufacturer: Linux 4.14.111 musb-hcd 328 | [ 3.308120] usb usb9: SerialNumber: musb-hdrc.4.auto 329 | [ 3.313520] hub 9-0:1.0: USB hub found 330 | [ 3.317315] hub 9-0:1.0: 1 port detected 331 | [ 3.324431] asoc-simple-card soc:sound: i2s-hifi <-> 1c22800.i2s mapping ok 332 | [ 3.333684] input: r_gpio_keys as /devices/platform/r_gpio_keys/input/input0 333 | [ 3.341451] sun6i-rtc 1f00000.rtc: setting system clock to 1970-01-01 00:00:09 UTC (9) 334 | [ 3.349762] vcc3v0: disabling 335 | [ 3.352748] vcc5v0: disabling 336 | [ 3.355723] usb0-vbus: disabling 337 | [ 3.358949] ALSA device list: 338 | [ 3.361923] #0: Dummy 1 339 | [ 3.364539] #1: Loopback 1 340 | [ 3.367423] #2: H3 Audio Codec 341 | [ 3.370646] #3: allwinner,hdmi 342 | [ 3.376360] Freeing unused kernel memory: 2048K 343 | Loading, please wait... 344 | starting version 237 345 | Begin: Loading essential drivers ... done. 346 | Begin: Running /scripts/init-premount ... done. 347 | Begin: Mounting root file system ... Begin: Running /scripts/local-top ... done. 348 | Begin: Running /scripts/local-premount ... done. 349 | [ 4.146546] EXT4-fs (mmcblk0p2): mounted filesystem with ordered data mode. Opts: (null) 350 | Begin: Will now check userdata file system ... 
fsck from util-linux 2.31.1 351 | [/sbin/fsck.ext4 (1) -- /dev/mmcblk0p3] fsck.ext4 -y -C0 /dev/mmcblk0p3 352 | e2fsck 1.44.1 (24-Mar-2018) 353 | userdata: recovering journal 354 | userdata has been mounted 10 times without being checked, check forced. 355 | Pass 1: Checking inodes, blocks, and sizes 356 | Pass 2: Checking directory structure 357 | Pass 3: Checking directory connectivity 358 | Pass 4: Checking reference counts 359 | Pass 5: Checking group summary information 360 | Free blocks count wrong (166204, counted=165901). 361 | Fix? yes 362 | 363 | Free inodes count wrong (65588, counted=65572). 364 | Fix? yes 365 | 366 | 367 | userdata: ***** FILE SYSTEM WAS MODIFIED ***** 368 | userdata: 28444/94016 files (0.2% non-contiguous), 235763/401664 blocks 369 | fsck exited with status code 1 370 | done. 371 | [ 5.996122] EXT4-fs (mmcblk0p3): mounted filesystem with ordered data mode. Opts: (null) 372 | [ 6.017068] EXT4-fs (mmcblk0p3): re-mounted. Opts: data=ordered 373 | done. 374 | Begin: Running /scripts/local-bottom ... done. 375 | Begin: Running /scripts/init-bottom ... done. 376 | [ 6.397504] systemd[1]: System time before build time, advancing clock. 377 | [ 6.494158] random: systemd: uninitialized urandom read (16 bytes read) 378 | [ 6.503434] random: systemd: uninitialized urandom read (16 bytes read) 379 | [ 6.516515] systemd[1]: systemd 229 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN) 380 | [ 6.535392] systemd[1]: Detected architecture arm. 381 | 382 | Welcome to Ubuntu 16.04.2 LTS! 383 | 384 | [ 6.569477] systemd[1]: Set hostname to . 385 | [ 6.619308] random: systemd-cryptse: uninitialized urandom read (16 bytes read) 386 | [ 6.923778] systemd[1]: Listening on /dev/initctl Compatibility Named Pipe. 387 | [ OK ] Listening on /dev/initctl Compatibility Named Pipe. 388 | [ 6.945983] systemd[1]: Reached target Encrypted Volumes. 
389 | [ OK ] Reached target Encrypted Volumes. 390 | [ 6.966296] systemd[1]: Started Forward Password Requests to Wall Directory Watch. 391 | [ OK ] Started Forward Password Requests to Wall Directory Watch. 392 | [ 6.985869] systemd[1]: Reached target Swap. 393 | [ OK ] Reached target Swap. 394 | [ 7.006122] systemd[1]: Listening on Journal Socket (/dev/log). 395 | [ OK ] Listening on Journal Socket (/dev/log). 396 | [ 7.026619] systemd[1]: Created slice System Slice. 397 | [ OK ] Created slice System Slice. 398 | [ 7.046253] systemd[1]: Started Dispatch Password Requests to Console Directory Watch. 399 | [ OK ] Started Dispatch Password Requests to Console Directory Watch. 400 | [ OK ] Reached target Paths. 401 | [ OK ] Reached target Remote File Systems (Pre). 402 | [ OK ] Created slice system-serial\x2dgetty.slice. 403 | [ OK ] Created slice User and Session Slice. 404 | [ OK ] Reached target Slices. 405 | [ OK ] Listening on udev Kernel Socket. 406 | [ OK ] Listening on udev Control Socket. 407 | [ OK ] Listening on Journal Socket. 408 | Starting Journal Service... 409 | Starting Create list of required st... nodes for the current kernel... 410 | Starting Remount Root and Kernel File Systems... 411 | Mounting POSIX Message Queue File System... 412 | Mounting Debug File System... 413 | Starting Load Kernel Modules... 414 | Starting Set console keymap... 415 | [ OK ] Reached target Remote File Systems. 416 | [ OK ] Mounted Debug File System. 417 | [ 7.387813] Mass Storage Function, version: 2009/09/11 418 | [ 7.394366] LUN: removable file: (no medium) 419 | [ 7.399000] LUN: file: /dev/mmcblk0p1 420 | [ 7.402768] Number of LUNs=1 421 | [ 7.406022] g_mass_storage gadget: Mass Storage Gadget, version: 2009/09/11 422 | [ 7.413117] g_mass_storage gadget: userspace failed to provide iSerialNumber 423 | [ 7.413136] g_mass_storage gadget: g_mass_storage ready 424 | [ OK ] Mounted POSIX Message Queue File System. 
425 | [ OK ] Started Create list of required sta...ce nodes for the current kernel. 426 | [ OK ] Started Remount Root and Kernel File Systems. 427 | [ OK ] Started Journal Service. 428 | [ 7.538978] 8821cu: loading out-of-tree module taints kernel. 429 | [ 7.570578] usbcore: registered new interface driver rtl8821cu 430 | [ OK ] Started Set console keymap. 431 | Starting Load/Save Random Seed... 432 | Starting udev Coldplug all Devices... 433 | [ 7.725508] usbcore: registered new interface driver rtl88xxau 434 | Starting Flush Journal to Persistent Storage... 435 | Starting Create Static Device Nodes in /dev... 436 | [ OK ] Started Load/Save Random Seed. 437 | [ OK ] Started Load Kernel Modules. 438 | [ OK ] Started Create Static Device Nodes in /dev. 439 | [ 7.985563] systemd-journald[227]: Received request to flush runtime journal from PID 1 440 | [ OK ] Started Flush Journal to Persistent Storage. 441 | Starting udev Kernel Device Manager... 442 | [ OK ] Reached target Local File Systems (Pre). 443 | Starting Apply Kernel Variables... 444 | [ 8.107786] g_mass_storage gadget: high-speed config #1: Linux File-Backed Storage 445 | Mounting FUSE Control File System... 446 | Mounting Configuration File System... 447 | [ OK ] Mounted Configuration File System. 448 | [ OK ] Mounted FUSE Control File System. 449 | [ OK ] Started udev Coldplug all Devices. 450 | [ OK ] Started Apply Kernel Variables. 451 | [ OK ] Started udev Kernel Device Manager. 452 | [ OK ] Reached target Sound Card. 453 | [ OK ] Found device /dev/ttyS1. 454 | [ OK ] Found device /dev/mmcblk0p1. 455 | Mounting /boot... 456 | [ OK ] Mounted /boot. 457 | [ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch. 458 | [ OK ] Reached target Local File Systems. 459 | Starting Create Volatile Files and Directories... 460 | Starting Raise network interfaces... 461 | Starting Set console font and keymap... 462 | [ OK ] Created slice system-systemd\x2dbacklight.slice. 
463 | Starting Load/Save Screen Backlight...tness of backlight:fb_st7789v... 464 | [ OK ] Started Create Volatile Files and Directories. 465 | [ OK ] Started Load/Save Screen Backlight Brightness of backlight:fb_st7789v. 466 | Starting Update UTMP about System Boot/Shutdown... 467 | [ OK ] Reached target System Time Synchronized. 468 | [ OK ] Started Update UTMP about System Boot/Shutdown. 469 | [ OK ] Reached target System Initialization. 470 | [ OK ] Started Daily Cleanup of Temporary Directories. 471 | [ OK ] Started Daily apt download activities. 472 | [ OK ] Started Daily apt upgrade and clean activities. 473 | [ OK ] Reached target Timers. 474 | [ OK ] Listening on D-Bus System Message Bus Socket. 475 | [ OK ] Reached target Sockets. 476 | [ OK ] Reached target Basic System. 477 | Starting LSB: select system audio output at first boot... 478 | Starting brcm_patchram_plus... 479 | [ OK ] Started Regular background program processing daemon. 480 | Starting Save/Restore Sound Card State... 481 | Starting LSB: sync_ntp_rtc... 482 | Starting Permit User Sessions... 483 | Starting LSB: Set the CPU Frequency Scaling governor to "ondemand"... 484 | Starting Login Service... 485 | Starting Restore /etc/resolv.conf i...re the ppp link was shut down... 486 | [ OK ] Started D-Bus System Message Bus. 487 | Starting Network Manager... 488 | [ OK ] Started Set console font and keymap. 489 | [ OK ] Started LSB: select system audio output at first boot. 490 | [ OK ] Started brcm_patchram_plus. 491 | [ OK ] Started LSB: sync_ntp_rtc. 492 | [ OK ] Started Permit User Sessions. 493 | [ OK ] Started Restore /etc/resolv.conf if...fore the ppp link was shut down. 494 | [ OK ] Started Save/Restore Sound Card State. 495 | [ OK ] Started Raise network interfaces. 496 | [ OK ] Started LSB: Set the CPU Frequency Scaling governor to "ondemand". 497 | Starting Set console scheme... 498 | [ OK ] Created slice system-getty.slice. 499 | [ OK ] Started Set console scheme. 
500 | [ OK ] Started Login Service. 501 | [ OK ] Started Network Manager. 502 | Starting Network Manager Script Dispatcher Service... 503 | Starting Network Manager Wait Online... 504 | [ OK ] Reached target Network. 505 | Starting OpenBSD Secure Shell server... 506 | [ OK ] Started The ctrl service for ICopy. 507 | [ OK ] Started Network Manager Script Dispatcher Service. 508 | Starting Hostname Service... 509 | [ OK ] Started Hostname Service. 510 | [ OK ] Started OpenBSD Secure Shell server. 511 | Starting Authenticate and Authorize Users to Run Privileged Tasks... 512 | [ OK ] Started Authenticate and Authorize Users to Run Privileged Tasks. 513 | [ OK ] Started Network Manager Wait Online. 514 | [ OK ] Reached target Network is Online. 515 | Starting /etc/rc.local Compatibility... 516 | Starting LSB: disk temperature monitoring daemon... 517 | Starting LSB: Start NTP daemon... 518 | [ OK ] Started /etc/rc.local Compatibility. 519 | [ OK ] Started LSB: disk temperature monitoring daemon. 520 | [ OK ] Started Serial Getty on ttyS1. 521 | [ OK ] Started Getty on tty1. 522 | [ OK ] Reached target Login Prompts. 523 | [ OK ] Started LSB: Start NTP daemon. 524 | [ OK ] Reached target Multi-User System. 525 | [ OK ] Reached target Graphical Interface. 526 | Starting Update UTMP about System Runlevel Changes... 527 | [ OK ] Started Update UTMP about System Runlevel Changes. 
528 | 529 | Ubuntu 16.04.2 LTS NanoPi-NEO ttyS1 530 | 531 | NanoPi-NEO login: [ 16.919961] gs_console_connect: port num [0] is not support console 532 | -------------------------------------------------------------------------------- /operations/imgs/rotated_screen.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/operations/imgs/rotated_screen.jpg -------------------------------------------------------------------------------- /operations/imgs/thermal_h3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/operations/imgs/thermal_h3.png -------------------------------------------------------------------------------- /operations/imgs/thermal_screen.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/operations/imgs/thermal_screen.png -------------------------------------------------------------------------------- /operations/imgs/uart1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/operations/imgs/uart1.png -------------------------------------------------------------------------------- /operations/shutdown.log: -------------------------------------------------------------------------------- 1 | Stopping User Manager for UID 1000... 2 | [ OK ] Stopped target Sound Card. 3 | Stopping Session c1 of user pi. 4 | Stopping Authenticate and Authorize Users to Run Privileged Tasks... 5 | [ OK ] Stopped target Timers. 6 | [ OK ] Stopped target Graphical Interface. 
7 | [ OK ] Stopped target Multi-User System. 8 | Stopping brcm_patchram_plus... 9 | Stopping The ctrl service for ICopy.. Stopping Serial Getty on ttyS1... 10 | Stopping Session c2 of user pi. 11 | Stopping LSB: disk temperature monitoring daemon... 12 | Stopping LSB: sync_ntp_rtc... 13 | Stopping LSB: Start NTP daemon... 14 | Stopping Regular background program processing daemon... 15 | [ OK ] Stopped Daily Cleanup of Temporary Directories. 16 | Stopping Save/Restore Sound Card State... 17 | [ OK ] Stopped Daily apt upgrade and clean activities. 18 | [ OK ] Stopped Daily apt download activities. 19 | [ OK ] Stopped target System Time Synchronized. 20 | [ OK ] Stopped Regular background program processing daemon. 21 | [ OK ] Stopped OpenBSD Secure Shell server. 22 | [ OK ] Stopped Authenticate and Authorize Users to Run Privileged Tasks. 23 | [ OK ] Stopped Serial Getty on ttyS1. 24 | [ OK ] Stopped Getty on tty1. 25 | [ OK ] Stopped User Manager for UID 1000. 26 | [ OK ] Stopped Session c1 of user pi. 27 | [ OK ] Stopped brcm_patchram_plus. 28 | [ OK ] Stopped LSB: select system audio output at first boot. 29 | [ OK ] Stopped Session c2 of user pi. 30 | [ OK ] Stopped LSB: sync_ntp_rtc. 31 | [ OK ] Stopped Save/Restore Sound Card State. 32 | [ OK ] Stopped The ctrl service for ICopy. 33 | [ OK ] Stopped LSB: disk temperature monitoring daemon. 34 | [ OK ] Stopped LSB: Set the CPU Frequency Scaling governor to "ondemand". 35 | [ OK ] Stopped LSB: Start NTP daemon. 36 | [ OK ] Removed slice User Slice of pi. 37 | Stopping Login Service... 38 | [ OK ] Removed slice system-getty.slice. 39 | [ OK ] Stopped /etc/rc.local Compatibility. 40 | [ OK ] Stopped target Network is Online. 41 | [ OK ] Stopped Network Manager Wait Online. 42 | [ OK ] Removed slice system-serial\x2dgetty.slice. 43 | Stopping Permit User Sessions... 44 | [ OK ] Stopped target Network. 45 | Stopping Network Manager... 46 | Stopping Raise network interfaces... 47 | [ OK ] Stopped Login Service. 
48 | [ OK ] Stopped Permit User Sessions. 49 | [ OK ] Stopped target Remote File Systems. 50 | [ OK ] Stopped target Remote File Systems (Pre). 51 | [ OK ] Stopped Network Manager. 52 | [ OK ] Stopped Raise network interfaces. 53 | Stopping D-Bus System Message Bus... 54 | [ OK ] Stopped D-Bus System Message Bus. 55 | [ OK ] Stopped target Basic System. 56 | [ OK ] Stopped target Slices. 57 | [ OK ] Removed slice User and Session Slice. 58 | [ OK ] Stopped target Paths. 59 | [ OK ] Stopped Forward Password Requests to Wall Directory Watch. 60 | [ OK ] Stopped Dispatch Password Requests to Console Directory Watch. 61 | [ OK ] Stopped target Sockets. 62 | [ OK ] Closed D-Bus System Message Bus Socket. 63 | [ OK ] Stopped target System Initialization. 64 | Stopping Load/Save Screen Backlight...tness of backlight:fb_st7789v... 65 | Stopping Load/Save Random Seed... 66 | [ OK ] Stopped target Encrypted Volumes. 67 | [ OK ] Stopped target Swap. 68 | [ OK ] Stopped Apply Kernel Variables. 69 | [ OK ] Stopped Load Kernel Modules. 70 | [ OK ] Stopped Create Volatile Files and Directories. 71 | [ OK ] Stopped target Local File Systems. 72 | Unmounting /mnt/upan... 73 | Unmounting /run/user/1000... 74 | Unmounting /boot... 75 | [ OK ] Stopped Load/Save Screen Backlight Brightness of backlight:fb_st7789v. 76 | [ OK ] Stopped Load/Save Random Seed. 77 | [ OK ] Unmounted /run/user/1000. 78 | [ OK ] Unmounted /boot. 79 | [ OK ] Removed slice system-systemd\x2dbacklight.slice. 80 | [ OK ] Unmounted /mnt/upan. 81 | [ OK ] Reached target Unmount All Filesystems. 82 | [ OK ] Stopped target Local File Systems (Pre). 83 | [ OK ] Stopped Create Static Device Nodes in /dev. 84 | [ OK ] Stopped Remount Root and Kernel File Systems. 85 | [ OK ] Reached target Shutdown. 
86 | [80288.611892] systemd-journald[228]: Failed to send WATCHDOG=1 notification message: Connection refused 87 | [80288.856238] reboot: System halted 88 | -------------------------------------------------------------------------------- /proxmark3/README.md: -------------------------------------------------------------------------------- 1 | # Proxmark3 2 | 3 | ## External Flash 4 | 5 | 256kb SPI flash, as for RDV4 6 | 7 | `mem info` 8 | => no signature of the flash ID 9 | 10 | `mem dump` 11 | => [memdump.bin](memdump.bin) 12 | 13 | ## ARM 14 | 15 | `flashdump.sh` 16 | => [flashdump.bin](flashdump.bin) 17 | 18 | ``` 19 | dd if=flashdump.bin bs=$((0x2000)) skip=1 of=fullimage.bin 20 | dd if=flashdump.bin bs=$((0x2000)) count=1 of=bootrom.bin 21 | ``` 22 | 23 | * [bootrom.bin](bootrom.bin) 24 | * [fullimage.bin](fullimage.bin) 25 | 26 | ## FPGA 27 | 28 | 29 | From client: 30 | ``` 31 | LF image built for 2s30vq100 on 2020-04-27 at 06:32:07 32 | HF image built for 2s30vq100 on 2020-08-13 at 15:34:17 33 | HF FeliCa image built for 2s30vq100 on 2020-04-27 at 08:02:36 34 | ``` 35 | 36 | FPGA is an unmarked VQFP100 but larger than the usual XC2S30 VQ100. Maybe XC3S50 ? (or XC3S200 ?) 37 | 38 | From `flashdump.bin`: 39 | 40 | ``` 41 | dd if=flashdump.bin bs=1 skip=$((0x35D36)) of=fpga_all.bit.z 42 | ./fpga_compress -d fpga_all.bit.z fpga_lf.bit fpga_hf.bit fpga_felica.bit 43 | uncompressed 303818 input bytes to 218592 output bytes 44 | ``` 45 | * [fpga_lf.bit](fpga_lf.bit) 88 bytes 46 | * [fpga_hf.bit](fpga_hf.bit) 72753 bytes 47 | * [fpga_felica.bit](fpga_felica.bit) 99 bytes 48 | 49 | `fpga_lf.bit` and `fpga_felica.bit` are empty and probably unused. As the FPGA is larger than the usual Proxmark3 FPGA, all functions are available in the `fpga_hf.bit`. 50 | 51 | This requires `fpga_compress` to be modified to allow larger images (`#define FPGA_CONFIG_SIZE 72864L`). 
52 | 53 | Still, the three images are created, interleaved and compressed with `fpga_compress`, which results in a larger compressed image... 54 | 55 | * their `fpga_all.bit.z`: 27772 bytes 56 | * with `fpga_hf.bit` only: 25127 bytes 57 | 58 | During operations, the Proxmark3 doesn't lose time when swapping between LF & HF operations but it still reports a change of LF or HF image in `hw status`. So probably the code was hacked quickly to support the new FPGA rather than doing things cleanly... 59 | 60 | # Client 61 | 62 | ## proxmark3 client in NanoPi NEO 63 | 64 | In `userdata/root`, there is a [/home/pi/ipk_app_main/pm3/proxmark3](client_nanopi-neo/proxmark3) 65 | 66 | It can be run from the host with QEMU (and the required libraries) and it can connect to the Proxmark3 with iCopy-X set in PC-Mode, cf [qemu_proxmark3.sh](client_nanopi-neo/qemu_proxmark3.sh): 67 | 68 | ```sh 69 | LD_LIBRARY_PATH=. qemu-arm -L /usr/arm-linux-gnueabihf/ ./proxmark3 $* 70 | ``` 71 | 72 | `pm3_version()` has been emptied in the client binary. Compiler string: `GCC: (Ubuntu/Linaro 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609` 73 | 74 | The binary contains strings from v4.9237-1186-g39b2896e7 2020-09-20 75 | but not strings from v4.9237-1242-g610b456a9 2020-09-23 76 | 77 | Note that the provided dict is missing keys from v4.9237-929-gb1b4bac5e 2020-08-31 78 | 79 | An extra status report has been added to the main loop to print `Nikola.D: %d`. 80 | 81 | ## client.exe in ICOPY-X 82 | 83 | In ICOPY-X FAT, there is a [CLIENT_X86/client.exe](client_windows_client-exe/client.exe) PE32 x86. 84 | 85 | It seems that here too `pm3_version()` has been emptied: 86 | ``` 87 | wine client.exe -v 88 | ``` 89 | 90 | Its version is v4.9237-1183-g35e276f8e 2020-09-20 11:12 or v4.9237-1184-g1e19a7216 2020-09-20 12:59 91 | 92 | An extra status report has been added to the main loop to print `Nikola.D: %d`.
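
The version bracketing used above for the two stripped clients, and the dictionary comparison, can be scripted as follows. This is an added example, not code from the teardown repository: the marker strings, the placeholder commit label and the sample dictionary contents are constructed, and real markers have to be taken from a diff of the upstream client source.

```python
import re

# Constructed markers, oldest to newest: each string stands for text first
# introduced by that upstream commit (the real strings are not on this page).
MARKERS = [
    ("older-commit-placeholder", "constructed marker A"),
    ("v4.9237-1186-g39b2896e7", "constructed marker B"),
    ("v4.9237-1242-g610b456a9", "constructed marker C"),
]

# Constructed stand-in for a client binary whose version function was emptied.
SAMPLE_CLIENT = (b"\x7fELF\x01\x01\x00constructed marker A\x00\x00"
                 b"Nikola.D: %d\x00constructed marker B\x00")

HEX_KEY = re.compile(r"^[0-9A-Fa-f]+$")


def bracket_build(blob, markers):
    """Bracket a build between the newest commit whose marker is present
    and the next commit, whose marker is absent.

    'anomalies' lists older commits whose marker is missing although a newer
    one is present (string removed upstream later, or stripped by the vendor).
    """
    present = [marker.encode() in blob for _, marker in markers]
    newest = max((i for i, hit in enumerate(present) if hit), default=None)
    if newest is None:
        # Nothing matched: the build predates the oldest marker we know.
        return {"lower": None, "upper": markers[0][0], "anomalies": []}
    upper = markers[newest + 1][0] if newest + 1 < len(markers) else None
    anomalies = [markers[i][0] for i in range(newest) if not present[i]]
    return {"lower": markers[newest][0], "upper": upper, "anomalies": anomalies}


def parse_dic(text):
    """Parse a key dictionary: one hex key per line, '#' starts a comment."""
    keys = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry and HEX_KEY.match(entry):
            keys.add(entry.upper())
    return keys


def missing_keys(upstream_text, shipped_text):
    """Keys present in the upstream dictionary but absent from the shipped one."""
    return sorted(parse_dic(upstream_text) - parse_dic(shipped_text))


# Constructed dictionary contents for the comparison.
UPSTREAM_DIC = "# constructed sample\nFFFFFFFFFFFF # default\nA0A1A2A3A4A5\n0123456789AB\n"
SHIPPED_DIC = "ffffffffffff\nA0A1A2A3A4A5\n"

if __name__ == "__main__":
    print(bracket_build(SAMPLE_CLIENT, MARKERS))
    print(missing_keys(UPSTREAM_DIC, SHIPPED_DIC))
```
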
93 | 94 | ## tzwps.exe in ICOPY-X 95 | 96 | In ICOPY-X FAT, there is a [Client.{20D04FE0-3AEA-1069-A2D8-08002B30309D}/tzwps.exe](client_windows_tzwps-exe/tzwps.exe) PE32+ x86-64 which seems to be a genuine client (not tested). 97 | 98 | `{20D04FE0-3AEA-1069-A2D8-08002B30309D}` refers to Windows Desktop... 99 | 100 | ``` 101 | wine tzwps.exe -v 102 | Client: RRG/Iceman/master/release (git) compiled with MinGW-w64 10.1.0 OS:Windows (64b) ARCH:x86_64 103 | ``` 104 | 105 | No `Nikola.D: %d` here. 106 | 107 | It also contains a [bootrom.elf](client_windows_tzwps-exe/bootrom.elf) and a [fullimage.elf](client_windows_tzwps-exe/fullimage.elf) with version strings intact: 108 | 109 | `RRG/Iceman/master/v4.9237-1230-g804fef2a` from 2020-09-21 14:54:31 110 | 111 | So these are *not* the firmware images flashed in the Proxmark3. 112 | 113 | Converting them to compare them with the extracted images: 114 | ``` 115 | arm-none-eabi-objcopy -O binary bootrom.elf bootrom.bin 116 | arm-none-eabi-objcopy -O binary fullimage.elf fullimage.bin 117 | ``` 118 | 119 | * [bootrom.bin](client_windows_tzwps-exe/bootrom.bin) 120 | * [fullimage.bin](client_windows_tzwps-exe/fullimage.bin) 121 | 122 | 123 | ## Compiling our client 124 | 125 | To interact with a Linux client, as the only client provided by iCopy-X is for Windows and with an unknown version, we compile the [Linux client](client_linux_unofficial/proxmark3-804fef2ab) of `RRG/Iceman/master/v4.9237-1230-g804fef2a` and connect to the inner Proxmark3 via PC-Mode. 126 | 127 | ``` 128 | ./proxmark3-804fef2ab -p /dev/ttyACM0 129 | [=] Session log /home/phil/.proxmark3/logs/log_20210607.txt 130 | [+] loaded from JSON file /home/phil/.proxmark3/preferences.json 131 | [=] Using UART port /dev/ttyACM0 132 | [=] Communicating with PM3 over USB-CDC 133 | 134 | 135 | ██████╗ ███╗ ███╗█████╗. 136 | ██╔══██╗████╗ ████║╚═══██╗ 137 | ██████╔╝██╔████╔██║ ████╔╝ 138 | ██╔═══╝ ██║╚██╔╝██║ ╚══██╗ 139 | ██║ ██║ ╚═╝ ██║█████╔╝.
140 | ╚═╝ ╚═╝ ╚═╝╚════╝ ❄ ️ bleeding edge ☕ 141 | 142 | https://github.com/rfidresearchgroup/proxmark3/ 143 | 144 | 145 | [ Proxmark3 RFID instrument ] 146 | 147 | [ CLIENT ] 148 | client: RRG/Iceman/HEAD/v4.9237-1230-g804fef2ab 2021-06-08 00:55:15 149 | compiled with GCC 10.2.1 20210110 OS:Linux ARCH:x86_64 150 | 151 | [ PROXMARK3 RDV4 ] 152 | external flash: present 153 | smartcard reader: absent 154 | 155 | [ PROXMARK3 RDV4 Extras ] 156 | FPC USART for BT add-on support: absent 157 | 158 | [ ARM ] 159 | bootrom: RRG/Iceman/master/release (git). 160 | os: RRG/Iceman/master/release (git). 161 | compiled with GCC 9.2.1 20191025 (release) [ARM/arm-9-branch revision 277599] 162 | 163 | [ FPGA ]. 164 | LF image built for 2s30vq100 on 2020-04-27 at 06:32:07 165 | HF image built for 2s30vq100 on 2020-08-13 at 15:34:17 166 | HF FeliCa image built for 2s30vq100 on 2020-04-27 at 08:02:36 167 | 168 | [ Hardware ] 169 | --= uC: AT91SAM7S512 Rev A 170 | --= Embedded Processor: ARM7TDMI 171 | --= Nonvolatile Program Memory Size: 512K bytes, Used: 248344 bytes (47%) Free: 275944 bytes (53%) 172 | --= Second Nonvolatile Program Memory Size: None 173 | --= Internal SRAM Size: 64K bytes 174 | --= Architecture Identifier: AT91SAM7Sxx Series 175 | --= Nonvolatile Program Memory Type: Embedded Flash Memory 176 | ``` 177 | ``` 178 | [usb] pm3 --> hw status 179 | [#] Memory 180 | [#] BigBuf_size.............42248 181 | [#] Available memory........42248 182 | [#] Tracing 183 | [#] tracing ................1 184 | [#] traceLen ...............0 185 | [#] dma8 memory.............-2111920 186 | [#] dma16 memory............-2111920 187 | [#] toSend memory...........-2111920 188 | [#] Current FPGA image 189 | [#] mode.................... HF image built for 2s30vq100 on 2020-08-13 at 15:34:17 190 | [#] Flash memory 191 | [#] Baudrate................24 MHz 192 | [#] Init....................OK 193 | [#] Device ID............... 
--> Unknown <-- 194 | [#] Unique ID...............0xXXXXXXXXXXXXXXXX 195 | [#] Smart card module (ISO 7816) 196 | [#] version.................FAILED 197 | [#] LF Sampling config 198 | [#] [q] divisor.............95 ( 125.00 kHz ) 199 | [#] [b] bits per sample.....8 200 | [#] [d] decimation..........1 201 | [#] [a] averaging...........Yes 202 | [#] [t] trigger threshold...0 203 | [#] [s] samples to skip.....0 204 | [#] LF Sampling Stack 205 | [#] Max stack usage.........3944 / 8480 bytes 206 | [#] LF T55XX config 207 | [#] [r] [a] [b] [c] [d] [e] [f] [g] 208 | [#] mode |start|write|write|write| read|write|write 209 | [#] | gap | gap | 0 | 1 | gap | 2 | 3 210 | [#] ---------------------------+-----+-----+-----+-----+-----+-----+------ 211 | [#] fixed bit length (default) | 29 | 17 | 15 | 47 | 15 | N/A | N/A | 212 | [#] long leading reference | 29 | 17 | 15 | 47 | 15 | N/A | N/A | 213 | [#] leading zero | 29 | 17 | 15 | 40 | 15 | N/A | N/A | 214 | [#] 1 of 4 coding reference | 29 | 17 | 15 | 31 | 15 | 47 | 63 | 215 | [#] 216 | [#] HF 14a config 217 | [#] [a] Anticol override......0: No (follow standard) 218 | [#] [b] BCC override..........0: No (follow standard) 219 | [#] [2] CL2 override..........0: No (follow standard) 220 | [#] [3] CL3 override..........0: No (follow standard) 221 | [#] [r] RATS override.........0: No (follow standard) 222 | [#] Transfer Speed 223 | [#] Sending packets to client... 
224 | [#] Time elapsed............500ms 225 | [#] Bytes transferred.......309760 226 | [#] Transfer Speed PM3 -> Client = 619520 bytes/s 227 | [#] Various 228 | [#] Max stack usage.........4088 / 8480 bytes 229 | [#] DBGLEVEL................1 ( ERROR ) 230 | [#] ToSendMax...............-1 231 | [#] ToSend BUFFERSIZE.......2308 232 | [#] Slow clock..............31589 Hz 233 | [#] Installed StandAlone Mode 234 | [#] HF - Reading Visa cards & Emulating a Visa MSD Transaction(ISO14443) - (Salvador Mendoza) 235 | [#] Flash memory dictionary loaded 236 | ``` 237 | The default standalone mode of Salva is installed. It could be triggered by `hw standalone` but it's probably not used at all by iCopy-X. 238 | -------------------------------------------------------------------------------- /proxmark3/bootrom.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/bootrom.bin -------------------------------------------------------------------------------- /proxmark3/client_linux_unofficial/proxmark3-804fef2ab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/client_linux_unofficial/proxmark3-804fef2ab -------------------------------------------------------------------------------- /proxmark3/client_nanopi-neo/libbz2.so.1.0: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/client_nanopi-neo/libbz2.so.1.0 -------------------------------------------------------------------------------- /proxmark3/client_nanopi-neo/libgcc_s.so.1: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/client_nanopi-neo/libgcc_s.so.1 -------------------------------------------------------------------------------- /proxmark3/client_nanopi-neo/libreadline.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/client_nanopi-neo/libreadline.so.6 -------------------------------------------------------------------------------- /proxmark3/client_nanopi-neo/libstdc++.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/client_nanopi-neo/libstdc++.so.6 -------------------------------------------------------------------------------- /proxmark3/client_nanopi-neo/libtinfo.so.5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/client_nanopi-neo/libtinfo.so.5 -------------------------------------------------------------------------------- /proxmark3/client_nanopi-neo/proxmark3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/client_nanopi-neo/proxmark3 -------------------------------------------------------------------------------- /proxmark3/client_nanopi-neo/qemu_proxmark3.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Need 4 | # rootfs/lib/arm-linux-gnueabihf/libbz2.so.1.0 . 5 | # rootfs/lib/arm-linux-gnueabihf/libreadline.so.6 . 6 | # rootfs/usr/lib/arm-linux-gnueabihf/libstdc++.so.6 . 
7 | # rootfs/lib/arm-linux-gnueabihf/libgcc_s.so.1 . 8 | # rootfs/lib/arm-linux-gnueabihf/libtinfo.so.5 . 9 | 10 | LD_LIBRARY_PATH=. qemu-arm -L /usr/arm-linux-gnueabihf/ ./proxmark3 $* 11 | -------------------------------------------------------------------------------- /proxmark3/client_windows_client-exe/client.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/client_windows_client-exe/client.exe -------------------------------------------------------------------------------- /proxmark3/client_windows_tzwps-exe/bootrom.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/client_windows_tzwps-exe/bootrom.bin -------------------------------------------------------------------------------- /proxmark3/client_windows_tzwps-exe/bootrom.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/client_windows_tzwps-exe/bootrom.elf -------------------------------------------------------------------------------- /proxmark3/client_windows_tzwps-exe/fullimage.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/client_windows_tzwps-exe/fullimage.bin -------------------------------------------------------------------------------- /proxmark3/client_windows_tzwps-exe/fullimage.elf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/client_windows_tzwps-exe/fullimage.elf -------------------------------------------------------------------------------- /proxmark3/client_windows_tzwps-exe/tzwps.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/client_windows_tzwps-exe/tzwps.exe -------------------------------------------------------------------------------- /proxmark3/flashdump.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/flashdump.bin -------------------------------------------------------------------------------- /proxmark3/fpga_felica.bit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/fpga_felica.bit -------------------------------------------------------------------------------- /proxmark3/fpga_hf.bit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/fpga_hf.bit -------------------------------------------------------------------------------- /proxmark3/fpga_lf.bit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/fpga_lf.bit -------------------------------------------------------------------------------- /proxmark3/fullimage.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/fullimage.bin -------------------------------------------------------------------------------- /proxmark3/memdump.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/proxmark3/memdump.bin -------------------------------------------------------------------------------- /software/README.md: -------------------------------------------------------------------------------- 1 | # Software 2 | 3 | ## system 4 | 5 | * ModemManager disabled 6 | 7 | ### icopy.service 8 | 9 | [userdata/root/etc/systemd/system/icopy.service](icopy.service) 10 | => `/usr/bin/sudo /usr/bin/xinit /etc/icopy.d/ipk_starter.py` 11 | 12 | ### ipk_starter.py 13 | 14 | [userdata/root/etc/icopy.d/ipk_starter.py](ipk_starter.py) 15 | 16 | Comments translation: 17 | 18 | Launcher tool script 19 | Use this script: 20 | 1. You can install a self-starting launcher and turn on the monitoring and control broadcast 21 | 2. You can uninstall the launcher and stop monitoring and controlling the broadcast 22 | 23 | Control broadcast includes: 24 | 1. Start the entry component to control the broadcast 25 | 2. Turn off the entrance component to control the broadcast 26 | 3. Restart the entry component to control the broadcast 27 | 28 | start(): 29 | 30 | Start the component, here I need to search and start the program entry 31 | The ipk launcher by default starts the program from a path name similar to /home/pi/ipk_xxx 32 | 33 | Among them, ipk_xxx_bak is limited to the backup path of the app.
If it exists and the main program fails to start, it will try to start from the bak program 34 | Among them, ipk_xxx_main is limited to the main installation path of the app, if it exists, this path will be the startup path 35 | Among them, ipk_xxx_new is limited to the update waiting path of the app. If it exists, bak will be deleted, and main will be renamed bak, and new will be renamed to main, and start 36 | 37 | If the startup fails, the bak reuse logic will be automatically performed 38 | 39 | ## 01234567.ipk 40 | 41 | Actually a zip to update the application. Its files are the same as the ones deployed at `/home/pi/ipk_app_main`. 42 | 43 | The deployed version has an extra [userdata/root/home/pi/ipk_app_main/data/conf.ini](conf.ini) to store backlight and volume settings. 44 | 45 | ### app.py 46 | 47 | [userdata/root/home/pi/ipk_app_main/app.py](app.py) 48 | 49 | Chinese comments translation: 50 | 51 | Simple launcher for starting all components 52 | 53 | Remember, the app is the basic startup script!!! 54 | It must also be a basic startup script 55 | 56 | When starting with app.py, the default working directory is the directory where the app file is located at this time: 57 | 1. The lib directory is at the same level as app.py 58 | 2. The res directory is at the same level as app.py 59 | 3. The xxx directory is at the same level as app.py 60 | If you don’t follow the package specification, you won’t be able to start 61 | 62 | ### main/ & lib/ 63 | 64 | Cython compiled application components 65 | 66 | `lib/version.so` is personalized with the specific serial number (01234567 in our example). 67 | 68 | Compiler: `GCC: (Linaro GCC 7.5-2019.12) 7.5.0` 69 | 70 | ### pm3/ 71 | 72 | Contains 3 dicts and the proxmark3 client compiled for ARM, see below. 
73 | 74 | * `key1.dic`, corresponds to Proxmark3 `iclass_default_keys.dic` but with only the `AA1` key 75 | * `key3.dic`, corresponds to Proxmark3 `t55xx_default_pwds.dic` 76 | * `key4.dic`, corresponds to Proxmark3 `mfc_default_keys.dic` 77 | 78 | See [Proxmark3](../proxmark3/README.md) section. 79 | 80 | ### res/audio/ 81 | 82 | 54 WAV files, PCM, 16 bit, mono 16000 Hz 83 | 84 | ### res/font/ 85 | 86 | * mononoki-Regular.ttf 87 | * monozhwqy.ttf 88 | * font_install.txt : 89 | Chinese comments 90 | ``` 91 | ##################################### 92 | # 93 | # Nikola D team member of development department 94 | # Write, date 2021511 95 | # Please do not modify, so as not to quote this file in other places, 96 | # If you encounter any questions, please submit the transaction to the workflow 97 | # Thank you for your cooperation! 98 | # 99 | ##################################### 100 | 101 | # 1. Find the font path that needs to be installed 102 | # 2. Store in /usr/share/fonts/ 103 | # 3. Update cache: sudo fc-cache -fsv 104 | 105 | # Project specific realization: 106 | INSTALL: sudo cp /home/pi/ipk_app_main/res/font/{installed fonts}.ttf /usr/share/fonts/ 107 | UPDATE: sudo fc-cache -fsv 108 | ``` 109 | 110 | ### res/img/ 111 | 112 | Icons for the screen. 113 | 114 | ### Diffing .ipk 115 | 116 | Comparing two .ipk for two different serials, the only different files are: 117 | 118 | * lib/hficlass.so 119 | * lib/version.so 120 | -------------------------------------------------------------------------------- /software/app.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | """ 4 | Simple launcher for starting all components 5 | 6 | Remember, the app is the basic startup script!!!
7 | It must also be a basic startup script 8 | 9 | When starting with app.py, the default working directory is the directory where the app file is located 10 | At this point: 11 | 1. The lib directory is at the same level as app.py 12 | 2. The res directory is at the same level as app.py 13 | 3. The xxx directory is at the same level as app.py 14 | If you don't follow the package specification, you won't be able to start 15 | 16 | @: Author nikola.kd 17 | @: Date 2020/12/07 18 | @: python >= 3.5 19 | @: memory >= 256 20 | """ 21 | import sys 22 | 23 | if __name__ == '__main__': 24 | # Add the environment directories 25 | sys.path.append("main") 26 | sys.path.append("lib") 27 | 28 | try: 29 | # Import the entry module 30 | from main import main 31 | 32 | # Start the main program 33 | main.main() 34 | except Exception as e: 35 | print("启动脚本无法启动程序,出现异常: ", e) 36 | exit(44) 37 | -------------------------------------------------------------------------------- /software/conf.ini: -------------------------------------------------------------------------------- 1 | [DEFAULT] 2 | backlight = 2 3 | volume = 1 4 | 5 | -------------------------------------------------------------------------------- /software/icopy.service: -------------------------------------------------------------------------------- 1 | 2 | [Unit] 3 | Description=The ctrl service for ICopy 4 | After=network.target 5 | 6 | [Service] 7 | User=pi 8 | Type=simple 9 | Environment=DISPLAY=:0 10 | ExecStart=/usr/bin/sudo /usr/bin/xinit /etc/icopy.d/ipk_starter.py 11 | Restart=always 12 | 13 | [Install] 14 | WantedBy=multi-user.target 15 | -------------------------------------------------------------------------------- /software/ipk_starter.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | """ 4 | Launcher tool script 5 | Use this script: 6 | 1. You can install a self-starting launcher and turn on the monitoring and control broadcast 7 | 2. You can uninstall the launcher and stop monitoring and controlling the broadcast 8 | 9 | Control broadcast includes: 10 | 1. Start the entry component to control the broadcast 11 | 2. Turn off the entrance component to control the broadcast 12 | 3. Restart the entry component to control the broadcast 13 | """ 14 | import os 15 | import shutil 16 | import subprocess 17 | import sys 18 | 19 | # Location where the starter is stored 20 | STARTER_PATH = "/etc/icopy.d" 21 | STARTER_NAME = "ipk_starter.py" 22 | STARTER_ETC_FILE = os.path.join(STARTER_PATH, STARTER_NAME) 23 | 24 | # Control parameter definitions 25 | CTL_START = "start" 26 | CTL_STOP = "stop" 27 | CTL_RESTART = "restart" 28 | 
CTL_INSTALL = "install" 29 | 30 | # Exit code; this code represents an abnormal condition that cannot be repaired automatically 31 | # When this exit code is encountered, the service will not automatically restart the program 32 | EXIT_CODE_ERR = 44 33 | 34 | # Auto-start service script; we can 35 | # 1. Write this content to a file and hand it over to systemctl control 36 | SERVICE_NAME = "icopy.service" 37 | SERVICE_PATH = "/etc/systemd/system/" 38 | SERVICE_FILE = os.path.join(SERVICE_PATH, SERVICE_NAME) 39 | SERVICE_SCRIPT = f""" 40 | [Unit] 41 | Description=The ctrl service for ICopy 42 | After=network.target 43 | 44 | [Service] 45 | User=pi 46 | Type=simple 47 | Environment=DISPLAY=:0 48 | ExecStart=/usr/bin/sudo /usr/bin/xinit {STARTER_ETC_FILE} 49 | Restart=always 50 | 51 | [Install] 52 | WantedBy=multi-user.target 53 | """ 54 | 55 | HOME_DIR = "/home/pi/" 56 | 57 | 58 | def search(path, name): 59 | print("本次搜索的文件名: ", name) 60 | for root, dirs, files in os.walk(path): # path is the root directory 61 | print("\n搜索安装包文件迭代信息: ", root, dirs, files) 62 | if name in files: 63 | # root = str(root) 64 | # dirs = str(dirs) 65 | return os.path.join(root, name) 66 | return None 67 | 68 | 69 | def start(): 70 | """ 71 | Start the component, here I need to search and start the program entry 72 | The ipk launcher by default starts the program from a path name similar to /home/pi/ipk_xxx 73 | 74 | Among them, ipk_xxx_bak is limited to the backup path of the app. If it exists and the main program fails to start, it will try to start from the bak program 75 | Among them, ipk_xxx_main is limited to the main installation path of the app, if it exists, this path will be the startup path 76 | Among them, ipk_xxx_new is limited to the update waiting path of the app. If it exists, bak will be deleted, and main will be renamed bak, and new will be renamed to main, and start 77 | 78 | If the startup fails, the bak reuse logic will be automatically performed 79 | :return: 80 | """ 81 | try: 82 | # First search the user's home directory for the program's entry packages 83 | home_pi_dirs = os.listdir(HOME_DIR) 84 | ipk_dir_list = list() 85 | 86 | # Iterate over the ipk folders that follow the naming convention 87 | for dir_name in home_pi_dirs: 88 | dir_path = os.path.join(HOME_DIR, dir_name) 89 | if dir_name.startswith("ipk") and os.path.isdir(dir_path): 90 | ipk_dir_list.append(dir_name) 91 | 92 | app_pkg_bak = "" 93 | app_pkg_new = "" 94 | app_pkg_main = "" 95 | 96 | has_bak = False 97 | has_new = False 98 | has_main = False 99 | 100 | # Then filter, picking out the necessary folders that follow the convention 101 | for dir_name in ipk_dir_list: 102 | 103 | # Select the backup package 104 | if dir_name.endswith("_bak"): 105 | app_pkg_bak = os.path.join(HOME_DIR, dir_name) 106 | has_bak = True 107 | 
continue 108 | 109 | # 筛选更新程序包 110 | if dir_name.endswith("_new"): 111 | app_pkg_new = os.path.join(HOME_DIR, dir_name) 112 | has_new = True 113 | continue 114 | 115 | # 筛选主程序包 116 | if dir_name.endswith("_main"): 117 | app_pkg_main = os.path.join(HOME_DIR, dir_name) 118 | has_main = True 119 | continue 120 | 121 | if has_bak and has_new and has_main: 122 | # 三个包都查到了,我们一般情况下不需要做其他的操作了 123 | break 124 | 125 | # 进行主要的启动逻辑 126 | # 首先,我们需要先看看,有没有更新包的存在 127 | # 如果有,我们需要将new包替换为main包,并且删除bak包(如果存在) 128 | if has_new: 129 | 130 | # 删除可能存在的bak包 131 | if has_bak: shutil.rmtree(app_pkg_bak, True) 132 | 133 | # 如果有main包,就将main包替换为bak包 134 | if has_main: 135 | # 此处我们需要确保bak包的存在 136 | if not has_bak: app_pkg_bak = app_pkg_main.replace("_main", "_bak") 137 | os.rename(app_pkg_main, app_pkg_bak) 138 | else: 139 | app_pkg_main = app_pkg_new.replace("_new", "_main") 140 | 141 | # 然后,最终我们需要将new包转为main包 142 | os.rename(app_pkg_new, app_pkg_main) 143 | 144 | has_bak = app_pkg_bak is not None and os.path.isdir(app_pkg_bak) 145 | has_main = app_pkg_main is not None and os.path.isdir(app_pkg_main) 146 | 147 | # 判断是否需要删除备份包 148 | if has_bak: 149 | # 具有删除文件包的需求的APP包会在APP根目录下存在delete文件 150 | if "disallow_backup" in os.listdir(app_pkg_bak): 151 | print("发现了需要删除的程序包: ", app_pkg_bak) 152 | shutil.rmtree(app_pkg_bak, ignore_errors=True) 153 | has_bak = False 154 | 155 | # 然后最终启动 156 | if not has_main: 157 | exit(EXIT_CODE_ERR) 158 | 159 | def run_main(path): 160 | """ 161 | 运行主程序并且尝试获得返回值 162 | :param path: 163 | :return: 164 | """ 165 | # 此处开始扫描app.py文件,并且执行其 166 | app_main_py = search(path, "app.py") 167 | if app_main_py is None: 168 | return -1 169 | # 开始执行主入口程序 170 | cmd = f"sudo {app_main_py}" 171 | cwd = os.path.dirname(app_main_py) 172 | ret_code = subprocess.run(cmd, shell=True, cwd=cwd).returncode 173 | print("启动器启动主程序的程序返回码: ", ret_code) 174 | return ret_code 175 | 176 | # 尝试在主包运行程序 177 | ret = run_main(app_pkg_main) 178 | if ret == 0: 179 | return True 180 | else: 181 | # 
不正常的退出,我们需要查询是否有bak,有的话我们需要复用bak 182 | # 没有bak的话,则彻底无法启动程序,此时控制器已经无法处理此异常了 183 | # 只能返厂维修,重新构建中控系统 184 | if not has_bak: 185 | exit(EXIT_CODE_ERR) 186 | else: 187 | # 如果 188 | ret = run_main(app_pkg_bak) 189 | if ret == 0: 190 | return True 191 | else: 192 | exit(EXIT_CODE_ERR) 193 | 194 | except Exception as e: 195 | print("启动异常: ", e) 196 | return False 197 | return False 198 | 199 | 200 | def install(): 201 | """ 202 | 安装组件 203 | :return: 204 | """ 205 | try: 206 | print("\n# ************ 安装启动器") 207 | os.makedirs(STARTER_PATH, exist_ok=True) 208 | with open(STARTER_ETC_FILE, mode="w+") as fd_target: 209 | with open(__file__) as fd_this: 210 | fd_target.write(fd_this.read()) 211 | print("# ************ 安装启动器完成\n") 212 | os.chmod(STARTER_ETC_FILE, 0o777) 213 | # -------------------------------------------------------- 214 | 215 | print("# ************ 安装服务") 216 | with open(SERVICE_FILE, mode="w+") as fd: 217 | fd.write(SERVICE_SCRIPT) 218 | # 然后重新加载守护进程 219 | os.system("sudo systemctl daemon-reload") 220 | # 然后开启 221 | os.system("sudo systemctl enable icopy") 222 | print("# ************ 服务安装完成\n") 223 | 224 | # -------------------------------------------------------- 225 | 226 | except Exception as e: 227 | print(e) 228 | 229 | 230 | def print_help(): 231 | """ 232 | 打印帮助 233 | :return: 234 | """ 235 | print(f""" 236 | 使用帮助: 237 | --help 打印此帮助 238 | 239 | {CTL_START} 启动组件 240 | {CTL_INSTALL} 安装组件 241 | """) 242 | 243 | 244 | if __name__ == '__main__': 245 | argv = sys.argv 246 | act_map = { 247 | CTL_START: start, 248 | # CTL_STOP: stop, 249 | # CTL_RESTART: restart, 250 | CTL_INSTALL: install, 251 | "--help": print_help, 252 | } 253 | print("传入参数: ", argv) 254 | if len(argv) > 1: 255 | for arg in argv: 256 | if arg in act_map: 257 | if act_map[arg](): 258 | exit(0) 259 | else: 260 | exit(1) 261 | else: 262 | print("不带参数执行启动器,将默认以启动行为执行。") 263 | if act_map[CTL_START](): 264 | exit(0) 265 | else: 266 | exit(1) 267 | 
-------------------------------------------------------------------------------- /stm32/README.md: -------------------------------------------------------------------------------- 1 | # STM32F103C8T6 2 | 3 | ## Pinouts 4 | 5 | |STM32|Misc|Comment| 6 | |-|-|-| 7 | pin30|NanoPi NEO UART0.RX| 8 | pin31|NanoPi NEO UART0.TX| 9 | pin34|SWD DIO|header 10 | pin37|SWD CLK|header 11 | 8,23,35,43,46|GND 12 | 9,24,36,48|3v3 13 | todo| 14 | 15 | ## Protection 16 | 17 | In RDP1, SRAM readable via ST-Link/V2 18 | 19 | Connect to power via USB-C 20 | 21 | Connect ST-Link/V2 via small unpopulated header on green PCB near the antenna: GND, CLK, DIO (don't connect the 3V3) 22 | 23 | 24 | 25 | ``` 26 | $ st-info --probe 27 | flash: 26230784 (pagesize: 1024) 28 | sram: 20480 29 | chipid: 0x0410 30 | descr: F1 Medium-density device 31 | 32 | $ st-flash read out.bin 0x8000000 0x1904000 33 | st-flash 1.4.0-52-ge059ea7 34 | 2021-06-06T16:07:56 INFO common.c: Loading device parameters.... 35 | 2021-06-06T16:07:56 INFO common.c: Device connected is: F1 Medium-density device, id 0x20036410 36 | 2021-06-06T16:07:56 INFO common.c: SRAM size: 0x5000 bytes (20 KiB), Flash: 0x1904000 bytes (25616 KiB) in pages of 1024 bytes 37 | 38 | $ st-flash read sram.bin 0x20000000 0x5000 39 | ``` 40 | 41 | * [sram_0x20000000_0x5000.bin](sram_0x20000000_0x5000.bin) 42 | 43 | ## Partial firmware dump 44 | 45 | Thanks @gheilles and @virtualabs for the discussions and help on this part! 46 | 47 | Using attack [Exception(al) Failure - Breaking the STM32F1 Read-Out Protection](https://blog.zapb.de/stm32f1-exceptional-failure/), it's possible to extract about 89% of the firmware. 48 | 49 | To run the attack in-place, the iCopy-X needs to be powered, the JTAG probe is not sufficient. Therefore I modified https://gitlab.zapb.de/zapb/stm32f1-firmware-extractor to use soft resets. 50 | 51 | ```diff 52 | diff --git a/main.py b/main.py 53 | --- a/main.py 54 | +++ b/main.py 55 | 
@@ -73,7 +73,7 @@ UNDEF_INST_ADDR = 0x20000006 56 | INACCESSIBLE_EXC_NUMBERS = [0, 1, 7, 8, 9, 10, 13] 57 | 58 | def generate_exception(openocd, vt_address, exception_number): 59 | - openocd.send('reset halt') 60 | + openocd.send('soft_reset_halt') 61 | 62 | # Relocate vector table. 63 | openocd.write_memory(VTOR_ADDR, [vt_address]) 64 | @@ -161,6 +161,7 @@ def determine_num_ext_interrupts(openocd): 65 | 66 | # The ARMv7-M architecture supports up to 496 external interrupts. 67 | for i in range(0, 496): 68 | + openocd.send('soft_reset_halt') 69 | openocd.send('reset init') 70 | 71 | register_offset = (i // 32) * WORD_SIZE 72 | 
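Review bot: in determine_num_ext_interrupts the added `openocd.send('soft_reset_halt')` is followed directly by the unchanged `openocd.send('reset init')`, so every one of the up to 496 loop iterations still sends the original reset command after the soft one. The other call sites touched by this patch replace `reset halt` with `soft_reset_halt` instead of prepending to it. If the intent is to rely on soft resets only while the device stays powered, this loop should replace `reset init` as well; if both commands are needed here, a short comment saying why would make the difference from the other call sites clear.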
@@ -256,10 +257,10 @@ if __name__ == '__main__': 73 | address, num_exceptions) 74 | 75 | if address == 0x00000000: 76 | - oocd.send('reset halt') 77 | + oocd.send('soft_reset_halt') 78 | recovered_value = oocd.read_register(Register.SP) 79 | elif address == 0x00000004: 80 | - oocd.send('reset halt') 81 | + oocd.send('soft_reset_halt') 82 | recovered_value = recover_pc(oocd) 83 | elif exception_number in INACCESSIBLE_EXC_NUMBERS: 84 | recovered_value = None 85 | ``` 86 | 87 | * [flash_0x08000000_0x10000.bin](flash_0x08000000_0x10000.bin) 88 | * [flash_0x08000000_0x10000.bin.asm](flash_0x08000000_0x10000.bin.asm) 89 | * [flash_0x08000000_0x10000.bin.c](flash_0x08000000_0x10000.bin.c) 90 | 91 | Note that by the nature of the attack, the firmware is not complete and some words are not extractible, so the asm and decompiled c are purely informative and are incomplete/wrong. 92 | 93 | The firmware contains strings like "W25QXX Error!", referring to some external EEPROM chip. 94 | 95 | See [W25Q80](../w25q80/README.md) section. 96 | -------------------------------------------------------------------------------- /stm32/flash_0x08000000_0x10000.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/stm32/flash_0x08000000_0x10000.bin -------------------------------------------------------------------------------- /stm32/flash_0x08000000_0x10000.bin.c: -------------------------------------------------------------------------------- 1 | /* This file was generated by the Hex-Rays decompiler. 
2 | Copyright (c) 2007-2020 Hex-Rays 3 | 4 | Detected compiler: Visual C++ 5 | */ 6 | 7 | #include 8 | 9 | 10 | //------------------------------------------------------------------------- 11 | // Function declarations 12 | 13 | int __fastcall sub_15C(_DWORD, _DWORD, _DWORD, _DWORD); // weak 14 | void __fastcall sub_44A(int a1, int a2); 15 | void sub_474(); 16 | int __fastcall sub_6A4(int result, unsigned int a2, int a3, unsigned int a4, int a5, int a6, int a7, int a8); 17 | int __fastcall sub_88A(int result, int a2, int a3, unsigned int a4, int a5, int a6, int a7, int a8); 18 | int __fastcall sub_978(int a1, int a2, int a3); 19 | void __spoils sub_988(); 20 | int sub_998(); 21 | int sub_9AC(); 22 | int sub_9C0(); 23 | int __fastcall sub_9D4(int a1, int a2, int a3); 24 | int __fastcall sub_9E8(int a1, int a2, int a3); 25 | unsigned int __fastcall sub_A4C(unsigned int a1, int a2); 26 | int __fastcall sub_A8C(unsigned __int8 *a1); 27 | void __noreturn sub_A9C(); 28 | void __fastcall sub_B38(int a1, int a2, int a3, int a4, int a5, int a6); 29 | int __fastcall sub_B94(unsigned __int8 a1); 30 | void sub_C40(); 31 | int sub_C90(); 32 | void sub_CA8(); 33 | int sub_CC0(); 34 | void __fastcall sub_103C(int a1, int a2, int a3, int a4, int a5, int a6); 35 | int __fastcall sub_1164(char a1); 36 | int __fastcall sub_1268(char a1); 37 | void __fastcall sub_149C(int a1, int a2); 38 | int __fastcall sub_1540(int result, char a2); 39 | int __fastcall sub_1576(int result); 40 | BOOL __fastcall sub_1594(int a1); 41 | int __fastcall sub_15C2(int result); 42 | int __fastcall sub_17D6(int a1); 43 | int *__fastcall sub_185A(int *result, unsigned __int8 a2); 44 | unsigned __int8 __fastcall sub_1878(unsigned __int8 result); 45 | unsigned __int16 __fastcall sub_1898(unsigned __int16 result, unsigned __int16 a2); 46 | int __fastcall sub_18D0(unsigned __int16 a1); 47 | unsigned int *__fastcall sub_1A78(unsigned int *result, unsigned int *a2); 48 | _DWORD *__fastcall sub_1B48(_DWORD *result, 
char a2); 49 | int __fastcall sub_1B80(int result, unsigned __int16 a2); 50 | BOOL __fastcall sub_1B9C(int a1); 51 | int __fastcall sub_1C58(int result); 52 | void sub_1C88(); 53 | BOOL sub_1D80(); 54 | int sub_1DB0(); 55 | BOOL __fastcall sub_1FC0(int a1, unsigned __int16 a2); 56 | void sub_200E(); 57 | void sub_210C(); 58 | unsigned __int8 __fastcall sub_213C(unsigned __int8 result); 59 | void sub_215C(); 60 | unsigned __int8 __fastcall sub_2194(unsigned __int8 result); 61 | int __fastcall sub_21B4(int result, int a2); 62 | int sub_2248(); 63 | int __fastcall sub_2264(int result); 64 | int __fastcall sub_229C(int result); 65 | char __fastcall sub_2344(char result); 66 | int __fastcall sub_2568(int result, char a2); 67 | int __fastcall sub_25A4(int result, char a2); 68 | int __fastcall sub_2754(int result, __int16 a2, char a3); 69 | int __fastcall sub_279A(int result, __int16 a2); 70 | int __fastcall sub_27B6(int a1); 71 | _WORD *__fastcall sub_2C40(_WORD *result, char a2); 72 | int __fastcall sub_2C7E(int result, char a2); 73 | int __fastcall sub_2D44(int result, __int16 a2); 74 | int __fastcall sub_2D60(int result, __int16 a2); 75 | BOOL __fastcall sub_2D7C(int a1, unsigned __int16 a2); 76 | _DWORD *__fastcall sub_32CC(_DWORD *a1); 77 | int sub_3498(); 78 | int sub_34A4(); 79 | int sub_34BC(); 80 | int __fastcall sub_3676(int a1, unsigned __int16 a2, unsigned __int16 a3, int a4, int a5, int a6); 81 | void __fastcall __noreturn sub_3D40(int a1, int a2); 82 | void __fastcall sub_3E88(__int16 a1, int a2, __int64 a3); 83 | void sub_5648(); 84 | void sub_56AC(); 85 | int __fastcall sub_56C4(int a1, int a2, int a3, int a4, int a5); 86 | int __fastcall sub_5B6C(unsigned __int16 a1, unsigned __int16 a2, unsigned __int8 a3, unsigned __int16 a4); 87 | void sub_5CF0(); 88 | int __fastcall sub_618C(__int16 a1, int a2, _BYTE *a3, unsigned __int16 a4, unsigned __int16 a5, unsigned __int8 a6, unsigned __int8 a7); 89 | int __fastcall sub_639C(int result); 90 | int __fastcall 
sub_63BC(unsigned __int8 a1); 91 | int __fastcall sub_6464(unsigned __int8 a1); 92 | int __fastcall sub_64A4(unsigned __int16 a1, unsigned __int16 a2, unsigned __int16 a3, unsigned __int16 a4); 93 | int __fastcall sub_674C(unsigned __int8 a1); 94 | int sub_6848(); 95 | int sub_6994(); 96 | int __fastcall sub_69B0(int result); 97 | int __fastcall sub_6A98(int result); 98 | int sub_7B44(); 99 | int __fastcall sub_7C5C(_WORD *a1, int a2, int a3, unsigned __int16 a4, _BYTE *a5); 100 | void sub_7D58(); 101 | int sub_8144(); 102 | int sub_815C(); 103 | void sub_8314(); 104 | void __noreturn sub_8550(); 105 | _WORD *sub_855E(); 106 | void sub_8650(); 107 | void __noreturn sub_8660(); 108 | void sub_8798(); 109 | _BYTE *__fastcall sub_894C(int a1, __int16 a2, __int16 a3); 110 | _DWORD *__fastcall sub_89A0(int a1, int a2); 111 | void sub_89CC(); 112 | int sub_89D8(); 113 | int sub_89F0(); 114 | _DWORD *__fastcall sub_8A6C(_DWORD *a1); 115 | int __fastcall sub_8B36(_DWORD); // weak 116 | int __fastcall nullsub_2(_DWORD); // weak 117 | _BYTE *__fastcall sub_8B58(_BYTE *result, char a2, int a3); 118 | int __fastcall sub_8B68(int result, int a2); 119 | int __fastcall sub_8CB4(int a1); 120 | void sub_8DC0(); 121 | int __fastcall sub_8DD0(_DWORD *a1, int a2); 122 | int __fastcall sub_8EB6(unsigned __int8 *a1, int a2, int a3); 123 | int __fastcall sub_8F80(_DWORD *a1, int a2, int a3, int a4); 124 | int __fastcall sub_90A0(_DWORD *a1); 125 | void sub_918C(); 126 | int sub_9198(); 127 | int __fastcall sub_945C(int a1, int a2, _DWORD *a3); 128 | int __fastcall sub_9486(int a1, _DWORD *a2, unsigned __int8 *a3, int a4); 129 | int __fastcall sub_9A38(_DWORD *a1); 130 | int __fastcall sub_9A5C(_DWORD *a1); 131 | int __fastcall sub_9A80(_DWORD *a1); 132 | unsigned __int8 *__fastcall sub_9AA0(unsigned __int8 *a1, unsigned __int8 a2, int a3); 133 | unsigned int __fastcall sub_9ABC(unsigned int result, char *a2, int a3); 134 | int __fastcall sub_9B3C(int a1, int a2); 135 | int sub_9B4C(); 
136 | int sub_9B5C(); 137 | int sub_9B6C(); 138 | int sub_9B7C(); 139 | int sub_9B8C(); 140 | int __fastcall sub_9B9C(int a1); 141 | int __fastcall sub_B54C(int result); 142 | int sub_B65C(); 143 | _WORD *sub_B674(); 144 | char __fastcall sub_B76C(char result); 145 | int sub_B84C(); 146 | int sub_B86C(); 147 | void __fastcall sub_B8D0(int a1, int a2); 148 | int __fastcall sub_B944(int result, int a2, unsigned __int16 a3); 149 | int __fastcall sub_BA40(int a1, int a2, unsigned __int16 a3); 150 | int sub_BD60(); 151 | int __fastcall sub_BD7C(int result); 152 | unsigned __int16 __fastcall sub_BE64(unsigned __int16 result, unsigned __int16 a2); 153 | _DWORD *__fastcall sub_C090(_DWORD *result); 154 | int __fastcall sub_C16C(int result); 155 | int __fastcall sub_C1A0(int result); 156 | int sub_C338(); 157 | int __fastcall sub_C38C(int a1); 158 | int __fastcall sub_C548(int result, unsigned __int16 a2); 159 | int __fastcall sub_C564(int result, unsigned __int16 a2); 160 | unsigned __int8 __fastcall sub_C580(unsigned __int8 result); 161 | unsigned __int8 __fastcall sub_C5A0(unsigned __int8 result); 162 | int sub_C654(); 163 | int __fastcall sub_C670(int result); 164 | int __fastcall sub_C6A8(int result); 165 | int __fastcall sub_C884(int result, char a2); 166 | int __fastcall sub_C8C0(int result, char a2); 167 | int __fastcall sub_C938(int result, char a2); 168 | int __fastcall sub_C974(int result, char a2); 169 | _WORD *__fastcall sub_CAAA(_WORD *result, char a2); 170 | int __fastcall sub_CB4A(int a1); 171 | BOOL __fastcall sub_CB62(int a1, unsigned __int16 a2); 172 | int __fastcall sub_CB98(int a1); 173 | _WORD *__fastcall sub_CEBC(_WORD *result, char a2); 174 | int __fastcall sub_CF40(int result, __int16 a2); 175 | int __fastcall sub_CFAE(int result, __int16 a2); 176 | int __fastcall sub_D144(int result, char a2); 177 | int __fastcall sub_D182(int result, __int16 a2); 178 | BOOL __fastcall sub_D1A4(_WORD *a1, unsigned __int16 a2); 179 | int sub_D1DA(); 180 | _WORD 
*sub_D258(); 181 | _WORD *sub_D2D6(); 182 | int __fastcall sub_D348(int result, unsigned int a2); 183 | BOOL __fastcall sub_D660(unsigned __int8 a1); 184 | BOOL __fastcall sub_D694(BOOL result); 185 | int __fastcall sub_D758(unsigned int a1); 186 | void sub_D790(); 187 | int sub_DA40(); 188 | int __fastcall sub_DC38(int a1, int a2); 189 | int __fastcall sub_DC6A(unsigned __int8 a1); 190 | 191 | //------------------------------------------------------------------------- 192 | // Data declarations 193 | 194 | int dword_7 = 8816127; // weak 195 | int dword_B = 8818952; // weak 196 | int dword_18 = 134252213; // weak 197 | int dword_1F = -1; // weak 198 | int dword_23 = -1; // weak 199 | int dword_28 = -1; // weak 200 | int dword_2C = 134252219; // weak 201 | int dword_30 = 134252231; // weak 202 | int dword_64 = 134220513; // weak 203 | _UNKNOWN loc_8FC; // weak 204 | _UNKNOWN loc_D18; // weak 205 | _UNKNOWN loc_15E0; // weak 206 | _UNKNOWN loc_160E; // weak 207 | _UNKNOWN loc_1644; // weak 208 | _UNKNOWN loc_17F0; // weak 209 | int dword_1828 = -1; // weak 210 | _UNKNOWN loc_1E48; // weak 211 | _UNKNOWN loc_1FF2; // weak 212 | int dword_211C[4] = { -1, -1, -1, -1 }; // weak 213 | _UNKNOWN loc_252C; // weak 214 | _UNKNOWN loc_27CE; // weak 215 | int dword_2804 = -1; // weak 216 | void *off_2A30 = (void *)0xB085B480; // weak 217 | _UNKNOWN loc_2CC8; // weak 218 | int dword_581C[4] = { -1, -1, -1, -1 }; // weak 219 | _UNKNOWN loc_594C; // weak 220 | int dword_6424[2] = { -1, -1 }; // weak 221 | _UNKNOWN loc_64FC; // weak 222 | _UNKNOWN loc_67C0; // weak 223 | _UNKNOWN loc_6814; // weak 224 | _UNKNOWN loc_6910; // weak 225 | _UNKNOWN loc_69D4; // weak 226 | int dword_7928 = -1; // weak 227 | _UNKNOWN loc_7BDC; // weak 228 | _UNKNOWN loc_7CEC; // weak 229 | _UNKNOWN loc_7DAC; // weak 230 | int dword_8104 = -1; // weak 231 | int dword_8220[3] = { -1, -1, -1 }; // weak 232 | _UNKNOWN loc_831A; // weak 233 | _UNKNOWN loc_8378; // weak 234 | _UNKNOWN loc_8730; // weak 235 | 
char byte_8928[2] = { '\xFF', '\xFF' }; // weak 236 | _UNKNOWN loc_89FC; // weak 237 | int dword_8C00[2] = { -1, -1 }; // weak 238 | _UNKNOWN loc_94AC; // weak 239 | _UNKNOWN loc_B5A0; // weak 240 | _UNKNOWN loc_B6F8; // weak 241 | _UNKNOWN loc_B818; // weak 242 | _UNKNOWN loc_B8FE; // weak 243 | _UNKNOWN loc_B9C8; // weak 244 | _UNKNOWN loc_BDA0; // weak 245 | int dword_C11C[4] = { -1, -1, -1, -1 }; // weak 246 | int dword_C324 = -1; // weak 247 | _UNKNOWN loc_C3D0; // weak 248 | _UNKNOWN loc_C8FC; // weak 249 | int dword_CA24 = -1; // weak 250 | _UNKNOWN loc_CBFE; // weak 251 | _UNKNOWN loc_CDC4; // weak 252 | _UNKNOWN loc_CEFA; // weak 253 | _UNKNOWN loc_D5EC; // weak 254 | _UNKNOWN loc_D7FE; // weak 255 | 256 | 257 | //----- (0000044A) -------------------------------------------------------- 258 | void __fastcall sub_44A(int a1, int a2) 259 | { 260 | int v6; // r11 261 | _DWORD *v7; // r1 262 | 263 | v7 = (_DWORD *)(a2 & 0x7FFFFFFF); 264 | if ( _ZF ) 265 | __asm { SVCEQ 0xF091 } 266 | if ( _NF ) 267 | *v7 = v6; 268 | MEMORY[0xFEC482A4](a1, v7); 269 | if ( _NF != _VF ) 270 | __asm { SVCLT 0x8F381 } 271 | JUMPOUT(0x2A4); 272 | } 273 | // 2A0: control flows out of bounds to 2A4 274 | // 294: variable '_ZF' is possibly undefined 275 | // 298: variable '_NF' is possibly undefined 276 | // 298: variable 'v6' is possibly undefined 277 | // 2A0: variable '_VF' is possibly undefined 278 | 279 | //----- (00000474) -------------------------------------------------------- 280 | void sub_474() 281 | { 282 | JUMPOUT(0x242); 283 | } 284 | // 48E: control flows out of bounds to 242 285 | 286 | //----- (000006A4) -------------------------------------------------------- 287 | int __fastcall sub_6A4(int result, unsigned int a2, int a3, unsigned int a4, int a5, int a6, int a7, int a8) 288 | { 289 | bool v8; // cf 290 | int v9; // r4 291 | int v10; // r12 292 | bool v11; // zf 293 | int v12; // r5 294 | bool v13; // zf 295 | bool v14; // zf 296 | 297 | v11 = v9 == v10; 298 | v12 = 
v10 & (a4 >> 20); 299 | if ( v9 != v10 ) 300 | v11 = v12 == v10; 301 | if ( v11 ) 302 | { 303 | v14 = (result | (2 * a2)) == 0; 304 | if ( result | (2 * a2) ) 305 | { 306 | v14 = (a3 | (2 * a4)) == 0; 307 | } 308 | else 309 | { 310 | result = a3; 311 | a2 = a4; 312 | } 313 | if ( !v14 && (v9 != v10 || !(result | (a2 << 12))) && (v12 != v10 || !(a3 | (a4 << 12))) ) 314 | JUMPOUT(0x700); 315 | __asm { POP {R4-R6,PC} } 316 | } 317 | v13 = (result | (2 * a2)) == 0; 318 | if ( result | (2 * a2) ) 319 | v13 = (a3 | (2 * a4)) == 0; 320 | if ( v13 ) 321 | JUMPOUT(0x6C0); 322 | if ( v9 ) 323 | goto LABEL_28; 324 | while ( 1 ) 325 | { 326 | v8 = __CFSHL__(result, 1); 327 | result *= 2; 328 | a2 += v8 + a2; 329 | if ( (a2 & 0x100000) != 0 ) 330 | break; 331 | --v9; 332 | } 333 | if ( !v12 ) 334 | { 335 | LABEL_28: 336 | while ( 1 ) 337 | { 338 | v8 = __CFSHL__(a3, 1); 339 | a3 *= 2; 340 | a4 += v8 + a4; 341 | if ( (a4 & 0x100000) != 0 ) 342 | break; 343 | --v12; 344 | } 345 | } 346 | return result; 347 | } 348 | // 6BE: control flows out of bounds to 6C0 349 | // 6FC: control flows out of bounds to 700 350 | // 6A4: variable 'v9' is possibly undefined 351 | // 6A4: variable 'v10' is possibly undefined 352 | 353 | //----- (0000088A) -------------------------------------------------------- 354 | int __fastcall sub_88A(int result, int a2, int a3, unsigned int a4, int a5, int a6, int a7, int a8) 355 | { 356 | bool v8; // cf 357 | int v9; // r4 358 | int v10; // r12 359 | int v11; // r5 360 | bool v12; // zf 361 | bool v13; // zf 362 | 363 | v11 = v10 & (a4 >> 20); 364 | v12 = v9 == v10; 365 | if ( v9 == v10 ) 366 | v12 = v11 == v10; 367 | if ( v12 ) 368 | LABEL_27: 369 | __asm { POP {R4-R6,PC} } 370 | if ( v9 == v10 ) 371 | { 372 | if ( result | (a2 << 12) || v11 == v10 ) 373 | goto LABEL_27; 374 | LABEL_26: 375 | JUMPOUT(0x700); 376 | } 377 | if ( v11 == v10 ) 378 | { 379 | if ( a3 | (a4 << 12) ) 380 | goto LABEL_27; 381 | goto LABEL_25; 382 | } 383 | v13 = (result | (2 * a2)) 
== 0; 384 | if ( result | (2 * a2) ) 385 | v13 = (a3 | (2 * a4)) == 0; 386 | if ( v13 ) 387 | { 388 | if ( result | (2 * a2) ) 389 | goto LABEL_26; 390 | if ( !(a3 | (2 * a4)) ) 391 | goto LABEL_27; 392 | LABEL_25: 393 | __asm { POP {R4-R6,PC} } 394 | } 395 | if ( v9 ) 396 | goto LABEL_30; 397 | while ( 1 ) 398 | { 399 | v8 = __CFSHL__(result, 1); 400 | result *= 2; 401 | a2 += v8 + a2; 402 | if ( (a2 & 0x100000) != 0 ) 403 | break; 404 | --v9; 405 | } 406 | if ( !v11 ) 407 | { 408 | LABEL_30: 409 | while ( 1 ) 410 | { 411 | v8 = __CFSHL__(a3, 1); 412 | a3 *= 2; 413 | a4 += v8 + a4; 414 | if ( (a4 & 0x100000) != 0 ) 415 | break; 416 | --v11; 417 | } 418 | } 419 | return result; 420 | } 421 | // 6FC: control flows out of bounds to 700 422 | // 88A: variable 'v10' is possibly undefined 423 | // 88E: variable 'v9' is possibly undefined 424 | 425 | //----- (00000978) -------------------------------------------------------- 426 | int __fastcall sub_978(int a1, int a2, int a3) 427 | { 428 | int result; // r0 429 | 430 | result = a3; 431 | sub_988(); 432 | return result; 433 | } 434 | 435 | //----- (00000988) -------------------------------------------------------- 436 | void __spoils sub_988() 437 | { 438 | ((void (*)(void))loc_8FC)(); 439 | } 440 | 441 | //----- (00000998) -------------------------------------------------------- 442 | int sub_998() 443 | { 444 | char v0; // zf 445 | int result; // r0 446 | 447 | sub_988(); 448 | if ( v0 ) 449 | result = 1; 450 | else 451 | result = 0; 452 | return result; 453 | } 454 | // 9A0: variable 'v0' is possibly undefined 455 | 456 | //----- (000009AC) -------------------------------------------------------- 457 | int sub_9AC() 458 | { 459 | char v0; // cf 460 | int result; // r0 461 | 462 | sub_988(); 463 | if ( v0 ) 464 | result = 0; 465 | else 466 | result = 1; 467 | return result; 468 | } 469 | // 9B4: variable 'v0' is possibly undefined 470 | 471 | //----- (000009C0) -------------------------------------------------------- 
472 | int sub_9C0() 473 | { 474 | char v0; // cf 475 | char v1; // zf 476 | int result; // r0 477 | 478 | sub_988(); 479 | if ( !v1 & v0 ) 480 | result = 0; 481 | else 482 | result = 1; 483 | return result; 484 | } 485 | // 9C8: variable 'v1' is possibly undefined 486 | // 9C8: variable 'v0' is possibly undefined 487 | 488 | //----- (000009D4) -------------------------------------------------------- 489 | int __fastcall sub_9D4(int a1, int a2, int a3) 490 | { 491 | char v3; // cf 492 | char v4; // zf 493 | int result; // r0 494 | 495 | sub_978(a1, a2, a3); 496 | if ( !v4 & v3 ) 497 | result = 0; 498 | else 499 | result = 1; 500 | return result; 501 | } 502 | // 9DC: variable 'v4' is possibly undefined 503 | // 9DC: variable 'v3' is possibly undefined 504 | 505 | //----- (000009E8) -------------------------------------------------------- 506 | int __fastcall sub_9E8(int a1, int a2, int a3) 507 | { 508 | char v3; // cf 509 | int result; // r0 510 | 511 | sub_978(a1, a2, a3); 512 | if ( v3 ) 513 | result = 0; 514 | else 515 | result = 1; 516 | return result; 517 | } 518 | // 9F0: variable 'v3' is possibly undefined 519 | 520 | //----- (00000A4C) -------------------------------------------------------- 521 | unsigned int __fastcall sub_A4C(unsigned int a1, int a2) 522 | { 523 | int v2; // r2 524 | bool v3; // cf 525 | int v4; // r2 526 | int v5; // r2 527 | 528 | v2 = 2 * a2; 529 | if ( __CFSHL__(a2, 1) ) 530 | return 0; 531 | v3 = __CFADD__(v2, 0x200000); 532 | v4 = v2 + 0x200000; 533 | if ( !v3 ) 534 | { 535 | if ( v4 < 0 ) 536 | { 537 | v5 = -993 - (v4 >> 21); 538 | if ( v5 >= 0 ) 539 | return ((a2 << 11) | 0x80000000 | (a1 >> 21)) >> v5; 540 | return -1; 541 | } 542 | return 0; 543 | } 544 | if ( !(a1 | (a2 << 12)) ) 545 | return -1; 546 | return 0; 547 | } 548 | 549 | //----- (00000A8C) -------------------------------------------------------- 550 | int __fastcall sub_A8C(unsigned __int8 *a1) 551 | { 552 | unsigned __int8 *v1; // r3 553 | 554 | v1 = a1; 555 | while 
( *v1++ ) 556 | ; 557 | return v1 - a1 - 1; 558 | } 559 | 560 | //----- (00000A9C) -------------------------------------------------------- 561 | void __noreturn sub_A9C() 562 | { 563 | int i; // r1 564 | unsigned int j; // r2 565 | 566 | for ( i = 0; (unsigned int)(i + 0x20000000) < 0x200002D8; i += 4 ) 567 | *(_DWORD *)(i + 0x20000000) = *(_DWORD *)(i + 134259756); 568 | for ( j = 536871640; j < 0x20001494; j += 4 ) 569 | *(_DWORD *)j = 0; 570 | ((void (*)(void))loc_8730)(); 571 | sub_8550(); 572 | } 573 | 574 | //----- (00000B38) -------------------------------------------------------- 575 | void __fastcall sub_B38(int a1, int a2, int a3, int a4, int a5, int a6) 576 | { 577 | int v6; // r7 578 | 579 | *(_BYTE *)(v6 + 20) = 1; 580 | sub_149C(1073816576, v6 + 4); 581 | sub_1540(1073816576, 1); 582 | sub_1576(1073816576); 583 | ((void (__fastcall *)(int))loc_7CEC)(10); 584 | while ( sub_1594(1073816576) ) 585 | ; 586 | sub_15C2(1073816576); 587 | while ( ((int (__fastcall *)(int))loc_15E0)(1073816576) ) 588 | ; 589 | ((void (__fastcall *)(int))loc_17F0)(1); 590 | __asm { POP {R7,PC} } 591 | } 592 | // B3A: variable 'v6' is possibly undefined 593 | 594 | //----- (00000B94) -------------------------------------------------------- 595 | int __fastcall sub_B94(unsigned __int8 a1) 596 | { 597 | ((void (__fastcall *)(int, _DWORD, int, int))loc_1644)(1073816576, a1, 1, 7); 598 | ((void (__fastcall *)(int, int))loc_160E)(1073816576, 1); 599 | while ( !((int (__fastcall *)(int, int))dword_1828)(1073816576, 2) ) 600 | ; 601 | sub_185A((int *)0x40012400, 2u); 602 | sub_185A((int *)0x40012400, 0x10u); 603 | return sub_17D6(1073816576); 604 | } 605 | // 1828: using guessed type int dword_1828; 606 | 607 | //----- (00000C40) -------------------------------------------------------- 608 | void sub_C40() 609 | { 610 | __int16 v0; // [sp+4h] [bp+4h] BYREF 611 | char v1; // [sp+6h] [bp+6h] 612 | char v2; // [sp+7h] [bp+7h] 613 | 614 | ((void (__fastcall *)(int, int))loc_252C)(17, 1); 
615 | ((void (__fastcall *)(int))dword_211C[0])(1); 616 | sub_2344(0); 617 | sub_1878(0); 618 | v0 = 0x2000; 619 | v2 = 16; 620 | v1 = 2; 621 | ((void (__fastcall *)(int, __int16 *))loc_1E48)(1073811456, &v0); 622 | sub_200E(); 623 | } 624 | // 211C: using guessed type int dword_211C[4]; 625 | 626 | //----- (00000C90) -------------------------------------------------------- 627 | int sub_C90() 628 | { 629 | return ((int (__fastcall *)(int, int))loc_1FF2)(1073811456, 0x2000); 630 | } 631 | 632 | //----- (00000CA8) -------------------------------------------------------- 633 | void sub_CA8() 634 | { 635 | sub_200E(); 636 | } 637 | 638 | //----- (00000CC0) -------------------------------------------------------- 639 | int sub_CC0() 640 | { 641 | unsigned __int8 i; // [sp+7h] [bp+7h] 642 | 643 | for ( i = 1; ; ++i ) 644 | { 645 | if ( i > 0xCu ) 646 | { 647 | if ( ((int (__fastcall *)(int))loc_D18)(101) != 1 ) 648 | JUMPOUT(0xD00); 649 | JUMPOUT(0xD02); 650 | } 651 | if ( ((int (__fastcall *)(_DWORD))loc_D18)(i) != 1 ) 652 | break; 653 | } 654 | return 0; 655 | } 656 | // CFE: control flows out of bounds to D00 657 | // CFC: control flows out of bounds to D02 658 | 659 | //----- (0000103C) -------------------------------------------------------- 660 | void __fastcall sub_103C(int a1, int a2, int a3, int a4, int a5, int a6) 661 | { 662 | if ( sub_1FC0(1073809408, 0x8000u) 663 | && sub_1FC0(1073810432, 0x10u) 664 | && sub_1FC0(1073809408, 0x1000u) 665 | && sub_1FC0(1073810432, 0x20u) 666 | && sub_1FC0(1073810432, 8u) 667 | && sub_1FC0(1073810432, 0x40u) 668 | && sub_1FC0(1073809408, 0x800u) 669 | && sub_1FC0(1073810432, 0x400u) 670 | && !sub_1FC0(1073810432, 0x80u) ) 671 | { 672 | MEMORY[0x20000230] = 1; 673 | } 674 | __asm { POP {R7,PC} } 675 | } 676 | 677 | //----- (00001164) -------------------------------------------------------- 678 | int __fastcall sub_1164(char a1) 679 | { 680 | if ( a1 ) 681 | { 682 | MEMORY[0x20001024] = 0; 683 | MEMORY[0x200002FC] = 0; 684 | } 
  if ( sub_1FC0(1073809408, 0x8000u) )
  {
    if ( sub_1FC0(1073809408, 0x8000u) )
    {
      MEMORY[0x20001024] = 0;
      MEMORY[0x200002FC] = 0;
    }
    return 0;
  }
  ((void (__fastcall *)(int))loc_7CEC)(5);
  if ( sub_1FC0(1073809408, 0x8000u) )
    return 0;
  MEMORY[0x200002FC] = MEMORY[0x20001024];
  return MEMORY[0x20001024];
}

//----- (00001268) --------------------------------------------------------
int __fastcall sub_1268(char a1)
{
  if ( a1 )
  {
    MEMORY[0x20001030] = 0;
    MEMORY[0x20000300] = 0;
  }
  if ( sub_1FC0(1073809408, 0x1000u) )
  {
    if ( sub_1FC0(1073809408, 0x1000u) )
    {
      MEMORY[0x20001030] = 0;
      MEMORY[0x20000300] = 0;
    }
    return 0;
  }
  ((void (__fastcall *)(int))loc_7CEC)(5);
  if ( sub_1FC0(1073809408, 0x1000u) )
    return 0;
  MEMORY[0x20000300] = MEMORY[0x20001030];
  return MEMORY[0x20001030];
}

//----- (0000149C) --------------------------------------------------------
void __fastcall sub_149C(int a1, int a2)
{
  *(_DWORD *)(a1 + 4) = (*(unsigned __int8 *)(a2 + 4) << 8) | *(_DWORD *)a2 | *(_DWORD *)(a1 + 4) & 0xFFF0FEFF;
  JUMPOUT(0x1500);
}
// 14FE: control flows out of bounds to 1500

//----- (00001540) --------------------------------------------------------
int __fastcall sub_1540(int result, char a2)
{
  if ( a2 )
    *(_DWORD *)(result + 8) |= 1u;
  else
    *(_DWORD *)(result + 8) &= 0xFFFFFFFE;
  return result;
}

//----- (00001576) --------------------------------------------------------
int __fastcall sub_1576(int result)
{
  *(_DWORD *)(result + 8) |= 8u;
  return result;
}

//----- (00001594) --------------------------------------------------------
BOOL __fastcall sub_1594(int a1)
{
  return (*(_DWORD *)(a1 + 8) & 8) != 0;
}

//----- (000015C2) --------------------------------------------------------
int __fastcall sub_15C2(int result)
{
  *(_DWORD *)(result + 8) |= 4u;
  return result;
}

//----- (000017D6) --------------------------------------------------------
int __fastcall sub_17D6(int a1)
{
  return (unsigned __int16)*(_DWORD *)(a1 + 76);
}

//----- (0000185A) --------------------------------------------------------
int *__fastcall sub_185A(int *result, unsigned __int8 a2)
{
  *result = ~a2;
  return result;
}

//----- (00001878) --------------------------------------------------------
unsigned __int8 __fastcall sub_1878(unsigned __int8 result)
{
  MEMORY[0x420D8600] = result;
  return result;
}

//----- (00001898) --------------------------------------------------------
unsigned __int16 __fastcall sub_1898(unsigned __int16 result, unsigned __int16 a2)
{
  *(_DWORD *)(result + 0x40006C00) = a2;
  return result;
}

//----- (000018D0) --------------------------------------------------------
int __fastcall sub_18D0(unsigned __int16 a1)
{
  return *(unsigned __int16 *)(a1 + 0x40006C00);
}

//----- (00001A78) --------------------------------------------------------
unsigned int *__fastcall sub_1A78(unsigned int *result, unsigned int *a2)
{
  *result = a2[10] | a2[2] | a2[8] | a2[4] | a2[5] | a2[6] | a2[7] | a2[9] | *result & 0xFFFF800F;
  result[1] = a2[3];
  result[2] = *a2;
  result[3] = a2[1];
  return result;
}

//----- (00001B48) --------------------------------------------------------
_DWORD *__fastcall sub_1B48(_DWORD *result, char a2)
{
  if ( a2 )
    *result |= 1u;
  else
    *result &= 0xFFFEu;
  return result;
}

//----- (00001B80) --------------------------------------------------------
int __fastcall sub_1B80(int result, unsigned __int16 a2)
{
  *(_DWORD *)(result + 4) = a2;
  return result;
}

//----- (00001B9C) --------------------------------------------------------
BOOL __fastcall sub_1B9C(int a1)
{
  int v2; // [sp+8h] [bp+8h]

  if ( (a1 & 0x10000000) != 0 )
    v2 = MEMORY[0x40020400];
  else
    v2 = MEMORY[0x40020000];
  return (a1 & v2) != 0;
}

//----- (00001C58) --------------------------------------------------------
int __fastcall sub_1C58(int result)
{
  MEMORY[0x40022000] &= 0xFFFFFFEF;
  MEMORY[0x40022000] |= result;
  return result;
}

//----- (00001C88) --------------------------------------------------------
void sub_1C88()
{
  MEMORY[0x40022004] = -839939669;
}

//----- (00001D80) --------------------------------------------------------
BOOL sub_1D80()
{
  return (MEMORY[0x4002201C] & 2) != 0;
}

//----- (00001DB0) --------------------------------------------------------
int sub_1DB0()
{
  return 4;
}

//----- (00001FC0) --------------------------------------------------------
BOOL __fastcall sub_1FC0(int a1, unsigned __int16 a2)
{
  return (a2 & *(_DWORD *)(a1 + 8)) != 0;
}

//----- (0000200E) --------------------------------------------------------
void sub_200E()
{
  JUMPOUT(0x201C);
}
// 201A: control flows out of bounds to 201C

//----- (0000210C) --------------------------------------------------------
void sub_210C()
{
  __wfi();
}

//----- (0000213C) --------------------------------------------------------
unsigned __int8 __fastcall sub_213C(unsigned __int8 result)
{
  MEMORY[0x420E00A0] = result;
  return result;
}

//----- (0000215C) --------------------------------------------------------
void sub_215C()
{
  MEMORY[0x40007000] |= 4u;
  MEMORY[0x40007000] |= 2u;
  MEMORY[0xE000ED10] |= 4u;
  sub_210C();
}

//----- (00002194) --------------------------------------------------------
unsigned __int8 __fastcall sub_2194(unsigned __int8 result)
{
  MEMORY[0x42420000] = result;
  return result;
}

//----- (000021B4) --------------------------------------------------------
int __fastcall sub_21B4(int result, int a2)
{
  MEMORY[0x40021004] = a2 | result | MEMORY[0x40021004] & 0xFFC0FFFF;
  return result;
}

//----- (00002248) --------------------------------------------------------
int sub_2248()
{
  return MEMORY[0x40021004] & 0xC;
}

//----- (00002264) --------------------------------------------------------
int __fastcall sub_2264(int result)
{
  MEMORY[0x40021004] = result | MEMORY[0x40021004] & 0xFFFFFF0F;
  return result;
}

//----- (0000229C) --------------------------------------------------------
int __fastcall sub_229C(int result)
{
  MEMORY[0x40021004] = result | MEMORY[0x40021004] & 0xFFFFF8FF;
  return result;
}

//----- (00002344) --------------------------------------------------------
char __fastcall sub_2344(char result)
{
  MEMORY[0x40021020] = 0;
  if ( result == 1 )
  {
    MEMORY[0x40021020] = 1;
  }
  else if ( result == 4 )
  {
    MEMORY[0x40021020] = 5;
  }
  return result;
}

//----- (00002568) --------------------------------------------------------
int __fastcall sub_2568(int result, char a2)
{
  if ( a2 )
    MEMORY[0x4002101C] |= result;
  else
    MEMORY[0x4002101C] &= ~result;
  return result;
}

//----- (000025A4) --------------------------------------------------------
int __fastcall sub_25A4(int result, char a2)
{
  if ( a2 )
    MEMORY[0x4002100C] |= result;
  else
    MEMORY[0x4002100C] &= ~result;
  return result;
}

//----- (00002754) --------------------------------------------------------
int __fastcall sub_2754(int result, __int16 a2, char a3)
{
  if ( a3 )
    *(_WORD *)(result + 4) |= a2;
  else
    *(_WORD *)(result + 4) &= ~a2;
  return result;
}

//----- (0000279A) --------------------------------------------------------
int __fastcall sub_279A(int result, __int16 a2)
{
  *(_WORD *)(result + 12) = a2;
  return result;
}

//----- (000027B6) --------------------------------------------------------
int __fastcall sub_27B6(int a1)
{
  return *(unsigned __int16 *)(a1 + 12);
}

//----- (00002C40) --------------------------------------------------------
_WORD *__fastcall sub_2C40(_WORD *result, char a2)
{
  if ( a2 )
    *result |= 1u;
  else
    *result &= 0xFFFEu;
  return result;
}

//----- (00002C7E) --------------------------------------------------------
int __fastcall sub_2C7E(int result, char a2)
{
  if ( a2 )
    *(_WORD *)(result + 68) = ~((unsigned int)~(*(unsigned __int16 *)(result + 68) << 17) >> 17);
  else
    *(_WORD *)(result + 68) &= 0x7FFFu;
  return result;
}

//----- (00002D44) --------------------------------------------------------
int __fastcall sub_2D44(int result, __int16 a2)
{
  *(_WORD *)(result + 36) = a2;
  return result;
}

//----- (00002D60) --------------------------------------------------------
int __fastcall sub_2D60(int result, __int16 a2)
{
  *(_WORD *)(result + 52) = a2;
  return result;
}

//----- (00002D7C) --------------------------------------------------------
BOOL __fastcall sub_2D7C(int a1, unsigned __int16 a2)
{
  return (a2 & *(_WORD *)(a1 + 16)) != 0 && (a2 & *(_WORD *)(a1 + 12)) != 0;
}

//----- (000032CC) --------------------------------------------------------
_DWORD *__fastcall sub_32CC(_DWORD *a1)
{
  sub_1B48(a1, 0);
  sub_1B80(1073872944, MEMORY[0x20001048]);
  return sub_1B48(a1, 1);
}

//----- (00003498) --------------------------------------------------------
int sub_3498()
{
  return sub_C90();
}

//----- (000034A4) --------------------------------------------------------
int sub_34A4()
{
  sub_2568(402653184, 1);
  return ((int (__fastcall *)(int))dword_211C[0])(1);
}
// 211C: invalid function type has been ignored
// 211C: using guessed type int dword_211C[4];

//----- (000034BC) --------------------------------------------------------
int sub_34BC()
{
  int v0; // r0

  v0 = ((int (*)(void))loc_64FC)();
  return ((int (__fastcall *)(int))loc_67C0)(v0);
}

//----- (00003676) --------------------------------------------------------
int __fastcall sub_3676(int a1, unsigned __int16 a2, unsigned __int16 a3, int a4, int a5, int a6)
{
  return ((int (__fastcall *)(int, int, _DWORD))loc_6910)(a1, a6 * a2 + a5, a3);
}

//----- (00003D40) --------------------------------------------------------
void __fastcall __noreturn sub_3D40(int a1, int a2)
{
  sub_15C(0, 0, a1, a2);
}
// 15C: using guessed type int __fastcall sub_15C(_DWORD, _DWORD, _DWORD, _DWORD);

//----- (00003E88) --------------------------------------------------------
void __fastcall sub_3E88(__int16 a1, int a2, __int64 a3)
{
  char v3; // nf
  int v4; // r7

  if ( !v3 )
  {
    *(_WORD *)(a2 + v4) = a1;
    *(_WORD *)(v4 + 251) = a1;
    JUMPOUT(0x3E98);
  }
  *(_QWORD *)v4 = a3;
  sub_3D40(*(_DWORD *)v4, *(_DWORD *)(v4 + 4));
}
// 3E96: control flows out of bounds to 3E98
// 3E88: variable 'v3' is possibly undefined
// 3E8A: variable 'v4' is possibly undefined

//----- (00005648) --------------------------------------------------------
void sub_5648()
{
  sub_8DC0();
  (*(void (__fastcall **)(_DWORD))byte_8928)(*(_DWORD *)(MEMORY[0x20000274] + 8));
  sub_200E();
  sub_CA8();
  sub_2568(402653184, 1);
  sub_213C(1u);
  MEMORY[0x40021000] &= 0xFFFEFFFF;
  MEMORY[0x40021000] &= 0xFFFBFFFF;
  sub_215C();
}

//----- (000056AC) --------------------------------------------------------
void sub_56AC()
{
  MEMORY[0x20000307] = 1;
}

//----- (000056C4) --------------------------------------------------------
int __fastcall sub_56C4(int a1, int a2, int a3, int a4, int a5)
{
  return a4 + (a5 - a4) * (a1 - a2) / (unsigned int)(a3 - a2);
}

//----- (00005B6C) --------------------------------------------------------
int __fastcall sub_5B6C(unsigned __int16 a1, unsigned __int16 a2, unsigned __int8 a3, unsigned __int16 a4)
{
  int i; // [sp+10h] [bp+10h]
  int v9; // [sp+14h] [bp+14h]
  int v10; // [sp+18h] [bp+18h]
  int v11; // [sp+1Ch] [bp+1Ch]

  v11 = 0;
  v10 = a3;
  v9 = 3 - 2 * a3;
  while ( v11 <= v10 )
  {
    for ( i = v11; i > 0; --i )
    {
      ((void (__fastcall *)(_DWORD, _DWORD, _DWORD))dword_581C[0])(
        (unsigned __int16)(a1 + v10),
        (unsigned __int16)(a2 - i),
        a4);
      ((void (__fastcall *)(_DWORD, _DWORD, _DWORD))dword_581C[0])(
        (unsigned __int16)(a1 - i),
        (unsigned __int16)(a2 + v10),
        a4);
    }
    if ( v10 > 0 )
      JUMPOUT(0x5C00);
    ++v11;
    if ( v9 >= 0 )
      v9 += 4 * (v11 - v10--) + 10;
    else
      v9 += 4 * v11 + 6;
  }
  return ((int (__fastcall *)(_DWORD, _DWORD, _DWORD))dword_581C[0])(a1, a2, a4);
}
// 5BFE: control flows out of bounds to 5C00
// 581C: using guessed type int dword_581C[4];

//----- (00005CF0) --------------------------------------------------------
void sub_5CF0()
{
  JUMPOUT(0x5D00);
}
// 5CFE: control flows out of bounds to 5D00

//----- (0000618C) --------------------------------------------------------
int __fastcall sub_618C(__int16 a1, int a2, _BYTE *a3, unsigned __int16 a4, unsigned __int16 a5, unsigned __int8 a6, unsigned __int8 a7)
{
  int v8; // [sp+0h] [bp-10h]
  int v9; // [sp+4h] [bp-Ch]
  int v10; // [sp+8h] [bp-8h]

  while ( *a3 )
  {
    v10 = a7;
    v9 = a6;
    v8 = a5;
    sub_5CF0();
    a1 += a6 >> 1;
    ++a3;
  }
  return ((int (__fastcall *)(_DWORD, _DWORD, _DWORD, int, int, int, int))loc_594C)(0, 0, a4, 1, v8, v9, v10);
}
// 61EA: variable 'v8' is possibly undefined
// 61EA: variable 'v9' is possibly undefined
// 61EA: variable 'v10' is possibly undefined

//----- (0000639C) --------------------------------------------------------
int __fastcall sub_639C(int result)
{
  int v2; // [sp+4h] [bp+4h]

  v2 = result;
  while ( v2-- )
    ;
  return result;
}

//----- (000063BC) --------------------------------------------------------
int __fastcall sub_63BC(unsigned __int8 a1)
{
  while ( !((int (__fastcall *)(int, int))loc_27CE)(1073819648, 2) )
    ;
  sub_279A(1073819648, a1);
  return sub_639C(1);
}

//----- (00006464) --------------------------------------------------------
int __fastcall sub_6464(unsigned __int8 a1)
{
  sub_200E();
  sub_200E();
  sub_63BC(a1);
  ((void (__fastcall *)(int, int))loc_1FF2)(1073809408, 8);
  return ((int (__fastcall *)(int, int))loc_1FF2)(1073809408, 16);
}

//----- (000064A4) --------------------------------------------------------
int __fastcall sub_64A4(unsigned __int16 a1, unsigned __int16 a2, unsigned __int16 a3, unsigned __int16 a4)
{
  sub_6464(0x2Au);
  ((void (__fastcall *)(_DWORD))dword_6424[0])(a1);
  ((void (__fastcall *)(_DWORD))dword_6424[0])(a3);
  sub_6464(0x2Bu);
  ((void (__fastcall *)(_DWORD))dword_6424[0])(a2);
  ((void (__fastcall *)(_DWORD))dword_6424[0])(a4);
  return sub_6464(0x2Cu);
}
// 6424: using guessed type int dword_6424[2];

//----- (0000674C) --------------------------------------------------------
int __fastcall sub_674C(unsigned __int8 a1)
{
  char v4; // [sp+Fh] [bp+Fh]
  char v5; // [sp+Fh] [bp+Fh]

  v4 = 0;
  while ( !((int (__fastcall *)(int, int))loc_27CE)(1073819648, 2) )
  {
    if ( (unsigned __int8)++v4 > 0xC8u )
      return 0;
  }
  sub_279A(1073819648, a1);
  v5 = 0;
  while ( !((int (__fastcall *)(int, int))loc_27CE)(1073819648, 1) )
  {
    if ( (unsigned __int8)++v5 > 0xC8u )
      return 0;
  }
  return (unsigned __int8)sub_27B6(1073819648);
}

//----- (00006848) --------------------------------------------------------
int sub_6848()
{
  unsigned __int16 v0; // r0
  unsigned __int16 v2; // [sp+6h] [bp+6h]

  MEMORY[0x42218188] = 0;
  sub_674C(0x90u);
  sub_674C(0);
  sub_674C(0);
  sub_674C(0);
  v2 = (unsigned __int16)sub_674C(0xFFu) << 8;
  v0 = sub_674C(0xFFu);
  MEMORY[0x42218188] = 1;
  return v2 | v0;
}

//----- (00006994) --------------------------------------------------------
int sub_6994()
{
  int result; // r0

  do
    result = ((int (*)(void))loc_6814)();
  while ( (result & 1) == 1 );
  return result;
}

//----- (000069B0) --------------------------------------------------------
int __fastcall sub_69B0(int result)
{
  MEMORY[0xE000ED0C] = result | 0x5FA0000;
  return result;
}

//----- (00006A98) --------------------------------------------------------
int __fastcall sub_6A98(int result)
{
  if ( result == 4 )
    MEMORY[0xE000E010] |= 4u;
  else
    MEMORY[0xE000E010] &= 0xFFFFFFFB;
  return result;
}

//----- (00007B44) --------------------------------------------------------
int sub_7B44()
{
  return ((int (__fastcall *)(int))dword_7928)(536875136);
}
// 7928: using guessed type int dword_7928;

//----- (00007C5C) --------------------------------------------------------
int __fastcall sub_7C5C(_WORD *a1, int a2, int a3, unsigned __int16 a4, _BYTE *a5)
{
  if ( ((int (__fastcall *)(_WORD *, int, int, _DWORD))loc_7BDC)(a1, a2, a3, a4) )
    return 0;
  *a5 = *(_BYTE *)(a3 + (unsigned __int16)*a1);
  *a1 = *a1 + 1 - a4 * (((unsigned __int16)*a1 + 1) / a4);
  return 1;
}

//----- (00007D58) --------------------------------------------------------
void sub_7D58()
{
  if ( MEMORY[0x20000260] == 61203 )
    MEMORY[0x200002F4] = (unsigned __int8)((int (*)(void))loc_7DAC)() == 254;
  else
    MEMORY[0x200002F4] = 0;
}

//----- (00008144) --------------------------------------------------------
int sub_8144()
{
  return MEMORY[0x2000100C];
}

//----- (0000815C) --------------------------------------------------------
int sub_815C()
{
  char v2[4]; // [sp+4h] [bp+4h] BYREF

  ((void (__fastcall *)(char *, _DWORD, int))dword_8104)(v2, MEMORY[0x2000100C], 1);
  if ( MEMORY[0x2000100C] >= MEMORY[0x20000270] )
    return 255;
  ++MEMORY[0x2000100C];
  v2[3] = v2[0];
  return (unsigned __int8)v2[0];
}
// 8104: using guessed type int dword_8104;

//----- (00008314) --------------------------------------------------------
void sub_8314()
{
  ((void (*)(void))((char *)&loc_831A + 2))();
  JUMPOUT(0x831E);
}
// 831A: control flows out of bounds to 831E

//----- (00008550) --------------------------------------------------------
void __noreturn sub_8550()
{
  sub_8314();
  while ( 1 )
    ((void (*)(void))loc_8378)();
}

//----- (0000855E) --------------------------------------------------------
_WORD *sub_855E()
{
  __int16 v1[6]; // [sp+4h] [bp+4h] BYREF
  char v2[6]; // [sp+10h] [bp+10h] BYREF
  __int16 v3; // [sp+16h] [bp+16h]

  v3 = 1000;
  sub_2568(1, 1);
  ((void (__fastcall *)(int))dword_2804)(0x40000000);
  v1[1] = 0;
  v1[3] = 0;
  v1[2] = 999;
  v1[0] = 63;
  ((void (__fastcall *)(int, __int16 *))off_2A30)(0x40000000, v1);
  v2[0] = 28;
  v2[1] = 10;
  v2[2] = 0;
  v2[3] = 1;
  ((void (__fastcall *)(char *))loc_69D4)(v2);
  sub_2D44(0x40000000, 0);
  ((void (__fastcall *)(int, int, int))loc_2CC8)(0x40000000, 1, 1);
  return sub_2C40((_WORD *)0x40000000, 1);
}
// 2804: using guessed type int dword_2804;
// 2A30: using guessed type void *off_2A30;

//----- (00008650) --------------------------------------------------------
void sub_8650()
{
  __dsb(0xFu);
}

//----- (00008660) --------------------------------------------------------
void __noreturn sub_8660()
{
  MEMORY[0xE000ED0C] = MEMORY[0xE000ED0C] & 0x700 | 0x5FA0004;
  sub_8650();
  while ( 1 )
    ;
}

//----- (00008798) --------------------------------------------------------
void sub_8798()
{
  ;
}

//----- (0000894C) --------------------------------------------------------
_BYTE *__fastcall sub_894C(int a1, __int16 a2, __int16 a3)
{
  _BYTE *result; // r0

  *(_DWORD *)a1 = 0;
  *(_DWORD *)(a1 + 4) = 0;
  *(_DWORD *)(a1 + 16) = 0;
  *(_DWORD *)(a1 + 20) = 0;
  *(int *)((char *)&dword_7 + a1 + 1) = 0;
  *(_WORD *)((char *)&dword_B + a1 + 1) = a2;
  *(int *)((char *)&dword_64 + a1) = 0;
  *(_WORD *)((char *)&dword_B + a1 + 3) = a3;
  *(int *)((char *)&dword_18 + a1) = 0;
  result = sub_8B58((_BYTE *)(a1 + 92), 0, 8);
  *(int *)((char *)&dword_1F + a1 + 1) = a1;
  *(int *)((char *)&dword_23 + a1 + 1) = 134254129;
  *(int *)((char *)&dword_28 + a1) = 134254163;
  *(int *)((char *)&dword_2C + a1) = 134254219;
  *(int *)((char *)&dword_30 + a1) = 134254255;
  return result;
}
// 7: using guessed type int dword_7;
// B: using guessed type int dword_B;
// 18: using guessed type int dword_18;
// 1F: using guessed type int dword_1F;
// 23: using guessed type int dword_23;
// 28: using guessed type int dword_28;
// 2C: using guessed type int dword_2C;
// 30: using guessed type int dword_30;
// 64: using guessed type int dword_64;

//----- (000089A0) --------------------------------------------------------
_DWORD *__fastcall sub_89A0(int a1, int a2)
{
  int v2; // r5
  _DWORD *v4; // r0
  _DWORD *v5; // r4
  _BYTE *v6; // r0

  v2 = 104 * (a2 - 1);
  v4 = (_DWORD *)((int (__fastcall *)(int, int))dword_8C00[0])(a1, v2 + 116);
  v5 = v4;
  if ( v4 )
  {
    *v4 = 0;
    v4[1] = a2;
    v6 = v4 + 3;
    v5[2] = v6;
    sub_8B58(v6, 0, v2 + 104);
  }
  return v5;
}
// 8C00: using guessed type int dword_8C00[2];

//----- (000089CC) --------------------------------------------------------
void sub_89CC()
{
  JUMPOUT(0x8B38);
}
// 89CE: control flows out of bounds to 8B38
// 8B36: using guessed type int sub_8B36();

//----- (000089D8) --------------------------------------------------------
int sub_89D8()
{
  return nullsub_2(536876174);
}
// 8B3A: using guessed type int __fastcall nullsub_2(_DWORD);

//----- (000089F0) --------------------------------------------------------
int sub_89F0()
{
  return nullsub_2(536876169);
}
// 8B3A: using guessed type int __fastcall nullsub_2(_DWORD);

//----- (00008A6C) --------------------------------------------------------
// local variable allocation has failed, the output may be wrong!
_DWORD *__fastcall sub_8A6C(_DWORD *a1)
{
  int v2; // r6
  int *v3; // r6
  int v4; // r3 OVERLAPPED
  _DWORD *v5; // r4 OVERLAPPED
  int v6; // r5

  sub_89CC();
  v2 = MEMORY[0x800A3D4];
  if ( !*(_DWORD *)(MEMORY[0x800A3D4] + 24) )
    ((void (__fastcall *)(_DWORD))loc_89FC)(MEMORY[0x800A3D4]);
  v3 = (int *)(v2 + 72);
  while ( 2 )
  {
    *(_QWORD *)&v4 = *(_QWORD *)(v3 + 1);
    while ( --v4 >= 0 )
    {
      v6 = *((__int16 *)v5 + 6);
      if ( !*((_WORD *)v5 + 6) )
      {
        v5[3] = -65535;
        v5[25] = v6;
        sub_8B36(v5 + 22);
        sub_89D8();
        v5[1] = v6;
        v5[2] = v6;
        v5[4] = v6;
        v5[5] = v6;
        *v5 = v6;
        v5[6] = v6;
        sub_8B58((_BYTE *)v5 + 92, v6, 8);
        v5[13] = v6;
        v5[14] = v6;
        v5[18] = v6;
        v5[19] = v6;
        return v5;
      }
      v5 += 26;
    }
    if ( *v3 || (v5 = sub_89A0((int)a1, 4), (*v3 = (int)v5) != 0) )
    {
      v3 = (int *)*v3;
      continue;
    }
    break;
  }
  sub_89D8();
  *a1 = 12;
  return v5;
}
// 8A6C: variables would overlap: r3.4 and r3.8
// 8A6C: variables would overlap: r4.4 and r3.8
// 8B36: using guessed type int __fastcall sub_8B36(_DWORD);

//----- (00008B58) --------------------------------------------------------
_BYTE *__fastcall sub_8B58(_BYTE *result, char a2, int a3)
{
  _BYTE *v3; // r3
  _BYTE *v4; // r2

  v3 = result;
  v4 = &result[a3];
  while ( v3 != v4 )
    *v3++ = a2;
  return result;
}

//----- (00008B68) --------------------------------------------------------
int __fastcall sub_8B68(int result, int a2)
{
  _DWORD *v2; // r5
  int v3; // r3
  int *v4; // r4
  int *v5; // r3
  int *v6; // r2
  int *v7; // r0
  int v8; // r1
  int v9; // r0
  int v10; // r3
  int v11; // r1

  v2 = (_DWORD *)result;
  if ( a2 )
  {
    v3 = *(_DWORD *)(a2 - 4);
    v4 = (int *)(a2 - 4);
    if ( v3 < 0 )
      v4 = (int *)((char *)v4 + v3);
    sub_918C();
    v5 = (int *)MEMORY[0x2000103C];
    if ( MEMORY[0x2000103C] )
    {
      if ( MEMORY[0x2000103C] <= (unsigned int)v4 )
      {
        do
        {
          v6 = v5;
          v5 = (int *)v5[1];
        }
        while ( v5 && v5 <= v4 );
        v7 = (int *)((char *)v6 + *v6);
        if ( v7 == v4 )
        {
          v8 = *v6 + *v4;
          *v6 = v8;
          if ( v5 == (int *)((char *)v6 + v8) )
          {
            v9 = *v5;
            v10 = v5[1];
            *v6 = v8 + v9;
            v6[1] = v10;
          }
        }
        else if ( v7 <= v4 )
        {
          if ( v5 == (int *)((char *)v4 + *v4) )
          {
            v11 = *v5;
            v5 = (int *)v5[1];
            *v4 += v11;
          }
          v4[1] = (int)v5;
          v6[1] = (int)v4;
        }
        else
        {
          *v2 = 12;
        }
      }
      else
      {
        if ( (int *)MEMORY[0x2000103C] == (int *)((char *)v4 + *v4) )
        {
          v5 = *(int **)(MEMORY[0x2000103C] + 4);
          *v4 += *MEMORY[0x2000103C];
        }
        v4[1] = (int)v5;
        MEMORY[0x2000103C] = v4;
      }
    }
    else
    {
      v4[1] = MEMORY[0x2000103C];
      MEMORY[0x2000103C] = v4;
    }
    result = sub_9198();
  }
  return result;
}

//----- (00008CB4) --------------------------------------------------------
int __fastcall sub_8CB4(int a1)
{
  int v1; // r4

  v1 = MEMORY[0x20000274];
  if ( MEMORY[0x20000274] && !*(_DWORD *)(MEMORY[0x20000274] + 24) )
    ((void (__fastcall *)(_DWORD))loc_89FC)(MEMORY[0x20000274]);
  return ((int (__fastcall *)(int, _DWORD, int))loc_94AC)(v1, *(_DWORD *)(v1 + 8), a1);
}

//----- (00008DC0) --------------------------------------------------------
void sub_8DC0()
{
  JUMPOUT(0x8CE4);
}
// 8DC6: control flows out of bounds to 8CE4

//----- (00008DD0) --------------------------------------------------------
int __fastcall sub_8DD0(_DWORD *a1, int a2)
{
  int result; // r0

  MEMORY[0x20001490] = 0;
  result = sub_9B9C(a2);
  if ( result == -1 )
  {
    if ( MEMORY[0x20001490] )
      *a1 = MEMORY[0x20001490];
  }
  return result;
}

//----- (00008EB6) --------------------------------------------------------
int __fastcall sub_8EB6(unsigned __int8 *a1, int a2, int a3)
{
  int v3; // r1
  unsigned __int8 *v4; // r4
  int v5; // r3
  int v6; // t1
  int v7; // r2
  int v8; // t1

  if ( !a3 )
    return 0;
  v3 = a2 - 1;
  v4 = &a1[a3];
  do
  {
    v6 = *a1++;
    v5 = v6;
    v8 = *(unsigned __int8 *)++v3;
    v7 = v8;
  }
  while ( v5 == v8 && a1 != v4 && v5 );
  return v5 - v7;
}

//----- (00008F80) --------------------------------------------------------
int __fastcall sub_8F80(_DWORD *a1, int a2, int a3, int a4)
{
  int result; // r0

  MEMORY[0x20001490] = 0;
  result = ((int (__fastcall *)(int, int, int))dword_8220[0])(a2, a3, a4);
  if ( result == -1 )
  {
    if ( MEMORY[0x20001490] )
      *a1 = MEMORY[0x20001490];
  }
  return result;
}
// 8220: using guessed type int dword_8220[3];

//----- (000090A0) --------------------------------------------------------
int __fastcall sub_90A0(_DWORD *a1)
{
  int result; // r0

  MEMORY[0x20001490] = 0;
  result = sub_9B7C();
  if ( result == -1 )
  {
    if ( MEMORY[0x20001490] )
      *a1 = MEMORY[0x20001490];
  }
  return result;
}

//----- (0000918C) --------------------------------------------------------
void sub_918C()
{
  JUMPOUT(0x8B38);
}
// 918E: control flows out of bounds to 8B38
// 8B36: using guessed type int sub_8B36();

//----- (00009198) --------------------------------------------------------
int sub_9198()
{
  return nullsub_2(536876170);
}
// 8B3A: using guessed type int __fastcall nullsub_2(_DWORD);

//----- (0000945C) --------------------------------------------------------
int __fastcall sub_945C(int a1, int a2, _DWORD *a3)
{
  int v3; // r3
  _BYTE *v4; // r3

  v3 = a3[2] - 1;
  a3[2] = v3;
  if ( v3 < 0 && (v3 < a3[6] || a2 == 10) )
    JUMPOUT(0x8EDC);
  v4 = (_BYTE *)(*a3)++;
  *v4 = a2;
  return a2;
}
// 9474: control flows out of bounds to 8EDC

//----- (00009486) --------------------------------------------------------
int __fastcall sub_9486(int a1, _DWORD *a2, unsigned __int8 *a3, int a4)
{
  unsigned __int8 *v6; // r4
  unsigned __int8 *v7; // r5
  int result; // r0
  int v9; // t1

  v6 = a3;
  v7 = &a3[a4];
  while ( v6 != v7 )
  {
    v9 = *v6++;
    result = sub_945C(a1, v9, a2);
    if ( result == -1 )
      return result;
  }
  return 0;
}

//----- (00009A38) --------------------------------------------------------
int __fastcall sub_9A38(_DWORD *a1)
{
  int result; // r0

  MEMORY[0x20001490] = 0;
  result = sub_9B8C();
  if ( result == -1 )
  {
    if ( MEMORY[0x20001490] )
      *a1 = MEMORY[0x20001490];
  }
  return result;
}

//----- (00009A5C) --------------------------------------------------------
int __fastcall sub_9A5C(_DWORD *a1)
{
  int result; // r0

  MEMORY[0x20001490] = 0;
  result = sub_9B5C();
  if ( result == -1 )
  {
    if ( MEMORY[0x20001490] )
      *a1 = MEMORY[0x20001490];
  }
  return result;
}

//----- (00009A80) --------------------------------------------------------
int __fastcall sub_9A80(_DWORD *a1)
{
  int result; // r0

  MEMORY[0x20001490] = 0;
  result = sub_9B6C();
  if ( result == -1 )
  {
    if ( MEMORY[0x20001490] )
      *a1 = MEMORY[0x20001490];
  }
  return result;
}

//----- (00009AA0) --------------------------------------------------------
unsigned __int8 *__fastcall sub_9AA0(unsigned __int8 *a1, unsigned __int8 a2, int a3)
{
  unsigned __int8 *v3; // r3
  unsigned __int8 *v4; // r2
  unsigned __int8 *result; // r0
  int v6; // r4

  v3 = a1;
  v4 = &a1[a3];
  while ( 1 )
  {
    result = v3;
    if ( v3 == v4 )
      break;
    v6 = *v3++;
    if ( v6 == a2 )
      return result;
  }
  return 0;
}

//----- (00009ABC) --------------------------------------------------------
unsigned int __fastcall sub_9ABC(unsigned int result, char *a2, int a3)
{
  char *v3; // r4
  char *v4; // r3
  unsigned int v5; // r3
  char v6; // t1
  int i; // r2
  char v8; // t1

  v3 = &a2[a3];
  if ( result > (unsigned int)a2 && (v4 = &a2[a3], (unsigned int)v3 > result) )
  {
    for ( i = a3 + result; i != result; --i )
    {
      v8 = *--v4;
      *(_BYTE *)(i - 1) = v8;
    }
  }
  else
  {
    v5 = result - 1;
    while ( a2 != v3 )
    {
      v6 = *a2++;
      *(_BYTE *)++v5 = v6;
    }
  }
  return result;
}

//----- (00009B3C) --------------------------------------------------------
int __fastcall sub_9B3C(int a1, int a2)
{
  int v2; // r3
  int result; // r0

  v2 = *(_DWORD *)(a2 - 4);
  result = v2 - 4;
  if ( v2 < 0 )
    result += *(_DWORD *)(a2 + result);
  return result;
}

//----- (00009B4C) --------------------------------------------------------
int sub_9B4C()
{
  int result; // r0

  result = -1;
  MEMORY[0x20001490] = 88;
  return result;
}

//----- (00009B5C) --------------------------------------------------------
int sub_9B5C()
{
  int result; // r0

  result = -1;
  MEMORY[0x20001490] = 88;
  return result;
}

//----- (00009B6C) --------------------------------------------------------
int sub_9B6C()
{
  int result; // r0

  result = 0;
  MEMORY[0x20001490] = 88;
  return result;
}

//----- (00009B7C) --------------------------------------------------------
int sub_9B7C()
{
  int result; // r0

  result = -1;
  MEMORY[0x20001490] = 88;
  return result;
}

//----- (00009B8C) --------------------------------------------------------
int sub_9B8C()
{
  int result; // r0

  result = -1;
  MEMORY[0x20001490] = 88;
  return result;
}

//----- (00009B9C) --------------------------------------------------------
int __fastcall sub_9B9C(int a1)
{
  int v1; // r3

  v1 = MEMORY[0x20001044];
  if ( !MEMORY[0x20001044] )
    v1 = 536876180;
  MEMORY[0x20001044] = a1 + v1;
  return v1;
}

//----- (0000B54C) --------------------------------------------------------
int __fastcall sub_B54C(int result)
{
  _R3 = result;
  __asm { MSR.W MSP, R3 }
  return result;
}

//----- (0000B65C) --------------------------------------------------------
int sub_B65C()
{
  ((void (__fastcall *)(int, int))loc_C8FC)(402653184, 1);
  return sub_C580(1u);
}

//----- (0000B674) --------------------------------------------------------
_WORD *sub_B674()
{
  __int16 v1[10]; // [sp+0h] [bp+0h] BYREF
  __int16 v2; // [sp+14h] [bp+14h] BYREF
  char v3; // [sp+16h] [bp+16h]
  char v4; // [sp+17h] [bp+17h]

  sub_C8C0(4096, 1);
  sub_C8C0(4, 1);
  v2 = 224;
  v3 = 3;
  v4 = 24;
  ((void (__fastcall *)(int, __int16 *))loc_C3D0)(1073809408, &v2);
  sub_C548(1073809408, 0xA0u);
  v1[0] = 0;
  v1[1] = 260;
  v1[2] = 0;
  v1[3] = 0;
  v1[4] = 0;
  v1[5] = 512;
  v1[6] = 8;
  v1[7] = 0;
  v1[8] = 7;
  ((void (__fastcall *)(int, __int16 *))dword_CA24)(1073819648, v1);
  return sub_CAAA((_WORD *)0x40013000, 1);
}
// CA24: using guessed type int dword_CA24;

//----- (0000B76C) --------------------------------------------------------
char __fastcall sub_B76C(char result)
{
  MEMORY[0x40013000] &= 0xFFC7u;
  MEMORY[0x40013000] |= 8 * (result & 7);
  MEMORY[0x40013000] |= 0x40u;
  return result;
}

//----- (0000B84C) --------------------------------------------------------
int sub_B84C()
{
  int result; // r0

  MEMORY[0x42218188] = 0;
  result = ((int (__fastcall *)(int))loc_B6F8)(6);
  MEMORY[0x42218188] = 1;
  return result;
}

//----- (0000B86C) --------------------------------------------------------
int sub_B86C()
{
  unsigned __int16 v0; // r0
  unsigned __int16 v2; // [sp+6h] [bp+6h]

  MEMORY[0x42218188] = 0;
  ((void (__fastcall *)(int))loc_B6F8)(144);
  ((void (__fastcall *)(_DWORD))loc_B6F8)(0);
((void (__fastcall *)(_DWORD))loc_B6F8)(0); 2021 | ((void (__fastcall *)(_DWORD))loc_B6F8)(0); 2022 | v2 = (unsigned __int16)((int (__fastcall *)(int))loc_B6F8)(255) << 8; 2023 | v0 = ((int (__fastcall *)(int))loc_B6F8)(255); 2024 | MEMORY[0x42218188] = 1; 2025 | return v2 | v0; 2026 | } 2027 | 2028 | //----- (0000B8D0) -------------------------------------------------------- 2029 | void __fastcall sub_B8D0(int a1, int a2) 2030 | { 2031 | MEMORY[0x42218188] = 0; 2032 | ((void (__fastcall *)(int))loc_B6F8)(3); 2033 | ((void (__fastcall *)(_DWORD))loc_B6F8)(BYTE2(a2)); 2034 | ((void (__fastcall *)(_DWORD))((char *)&loc_B8FE + 2))(BYTE1(a2)); 2035 | JUMPOUT(0xB902); 2036 | } 2037 | // B8FE: control flows out of bounds to B902 2038 | 2039 | //----- (0000B944) -------------------------------------------------------- 2040 | int __fastcall sub_B944(int result, int a2, unsigned __int16 a3) 2041 | { 2042 | int v5; // [sp+Ch] [bp+Ch] 2043 | 2044 | v5 = result; 2045 | if ( a3 ) 2046 | { 2047 | sub_BD60(); 2048 | MEMORY[0x42218188] = 0; 2049 | ((void (__fastcall *)(int))loc_B6F8)(11); 2050 | ((void (__fastcall *)(_DWORD))loc_B6F8)(BYTE2(a2)); 2051 | ((void (__fastcall *)(_DWORD))loc_B6F8)(BYTE1(a2)); 2052 | ((void (__fastcall *)(_DWORD))loc_B6F8)((unsigned __int8)a2); 2053 | ((void (__fastcall *)(int))loc_B6F8)(255); 2054 | ((void (__fastcall *)(int, _DWORD))loc_B5A0)(v5, a3); 2055 | while ( !((int (__fastcall *)(int))dword_C11C[0])(32) ) 2056 | ; 2057 | sub_C16C(32); 2058 | MEMORY[0x42218188] = 1; 2059 | result = sub_BD60(); 2060 | } 2061 | return result; 2062 | } 2063 | // C11C: using guessed type int dword_C11C[4]; 2064 | 2065 | //----- (0000BA40) -------------------------------------------------------- 2066 | int __fastcall sub_BA40(int a1, int a2, unsigned __int16 a3) 2067 | { 2068 | int result; // r0 2069 | unsigned __int16 v4; // [sp+6h] [bp+6h] 2070 | int v5; // [sp+8h] [bp+8h] 2071 | unsigned __int16 v7; // [sp+16h] [bp+16h] 2072 | 2073 | v5 = a2; 2074 | v4 = a3; 2075 
| v7 = 256 - (unsigned __int8)a2; 2076 | if ( a3 <= (unsigned int)v7 ) 2077 | v7 = a3; 2078 | while ( 1 ) 2079 | { 2080 | result = ((int (__fastcall *)(int, int, _DWORD))loc_B9C8)(a1, v5, v7); 2081 | if ( v4 == v7 ) 2082 | break; 2083 | a1 += v7; 2084 | v5 += v7; 2085 | v4 -= v7; 2086 | if ( v4 <= 0x100u ) 2087 | v7 = v4; 2088 | else 2089 | v7 = 256; 2090 | } 2091 | return result; 2092 | } 2093 | 2094 | //----- (0000BD60) -------------------------------------------------------- 2095 | int sub_BD60() 2096 | { 2097 | int result; // r0 2098 | 2099 | do 2100 | result = ((int (*)(void))loc_B818)(); 2101 | while ( (result & 1) == 1 ); 2102 | return result; 2103 | } 2104 | 2105 | //----- (0000BD7C) -------------------------------------------------------- 2106 | int __fastcall sub_BD7C(int result) 2107 | { 2108 | MEMORY[0xE000ED0C] = result | 0x5FA0000; 2109 | return result; 2110 | } 2111 | 2112 | //----- (0000BE64) -------------------------------------------------------- 2113 | unsigned __int16 __fastcall sub_BE64(unsigned __int16 result, unsigned __int16 a2) 2114 | { 2115 | *(_DWORD *)(result + 0x40006C00) = a2; 2116 | return result; 2117 | } 2118 | 2119 | //----- (0000C090) -------------------------------------------------------- 2120 | _DWORD *__fastcall sub_C090(_DWORD *result) 2121 | { 2122 | *result = 0; 2123 | result[1] = 0; 2124 | result[2] = 0; 2125 | result[3] = 0; 2126 | result[4] = 0; 2127 | result[5] = 0; 2128 | result[6] = 0; 2129 | result[7] = 0; 2130 | result[8] = 0; 2131 | result[9] = 0; 2132 | result[10] = 0; 2133 | return result; 2134 | } 2135 | 2136 | //----- (0000C16C) -------------------------------------------------------- 2137 | int __fastcall sub_C16C(int result) 2138 | { 2139 | if ( (result & 0x10000000) != 0 ) 2140 | MEMORY[0x40020404] = result; 2141 | else 2142 | MEMORY[0x40020004] = result; 2143 | return result; 2144 | } 2145 | 2146 | //----- (0000C1A0) -------------------------------------------------------- 2147 | int __fastcall sub_C1A0(int 
result) 2148 | { 2149 | MEMORY[0x40022000] = result | MEMORY[0x40022000] & 0x38; 2150 | return result; 2151 | } 2152 | 2153 | //----- (0000C338) -------------------------------------------------------- 2154 | int sub_C338() 2155 | { 2156 | if ( (MEMORY[0x4002200C] & 1) == 1 ) 2157 | return 1; 2158 | if ( (MEMORY[0x4002200C] & 4) != 0 ) 2159 | return 2; 2160 | if ( (MEMORY[0x4002200C] & 0x10) != 0 ) 2161 | return 3; 2162 | return 4; 2163 | } 2164 | 2165 | //----- (0000C38C) -------------------------------------------------------- 2166 | int __fastcall sub_C38C(int a1) 2167 | { 2168 | unsigned __int8 v3; // [sp+Fh] [bp+Fh] 2169 | 2170 | v3 = sub_C338(); 2171 | while ( v3 == 1 && a1 ) 2172 | { 2173 | v3 = sub_C338(); 2174 | --a1; 2175 | } 2176 | if ( !a1 ) 2177 | v3 = 5; 2178 | return v3; 2179 | } 2180 | 2181 | //----- (0000C548) -------------------------------------------------------- 2182 | int __fastcall sub_C548(int result, unsigned __int16 a2) 2183 | { 2184 | *(_DWORD *)(result + 16) = a2; 2185 | return result; 2186 | } 2187 | 2188 | //----- (0000C564) -------------------------------------------------------- 2189 | int __fastcall sub_C564(int result, unsigned __int16 a2) 2190 | { 2191 | *(_DWORD *)(result + 20) = a2; 2192 | return result; 2193 | } 2194 | 2195 | //----- (0000C580) -------------------------------------------------------- 2196 | unsigned __int8 __fastcall sub_C580(unsigned __int8 result) 2197 | { 2198 | MEMORY[0x420E0020] = result; 2199 | return result; 2200 | } 2201 | 2202 | //----- (0000C5A0) -------------------------------------------------------- 2203 | unsigned __int8 __fastcall sub_C5A0(unsigned __int8 result) 2204 | { 2205 | MEMORY[0x42420000] = result; 2206 | return result; 2207 | } 2208 | 2209 | //----- (0000C654) -------------------------------------------------------- 2210 | int sub_C654() 2211 | { 2212 | return MEMORY[0x40021004] & 0xC; 2213 | } 2214 | 2215 | //----- (0000C670) -------------------------------------------------------- 
2216 | int __fastcall sub_C670(int result) 2217 | { 2218 | MEMORY[0x40021004] = result | MEMORY[0x40021004] & 0xFFFFFF0F; 2219 | return result; 2220 | } 2221 | 2222 | //----- (0000C6A8) -------------------------------------------------------- 2223 | int __fastcall sub_C6A8(int result) 2224 | { 2225 | MEMORY[0x40021004] = result | MEMORY[0x40021004] & 0xFFFFF8FF; 2226 | return result; 2227 | } 2228 | 2229 | //----- (0000C884) -------------------------------------------------------- 2230 | int __fastcall sub_C884(int result, char a2) 2231 | { 2232 | if ( a2 ) 2233 | MEMORY[0x40021014] |= result; 2234 | else 2235 | MEMORY[0x40021014] &= ~result; 2236 | return result; 2237 | } 2238 | 2239 | //----- (0000C8C0) -------------------------------------------------------- 2240 | int __fastcall sub_C8C0(int result, char a2) 2241 | { 2242 | if ( a2 ) 2243 | MEMORY[0x40021018] |= result; 2244 | else 2245 | MEMORY[0x40021018] &= ~result; 2246 | return result; 2247 | } 2248 | 2249 | //----- (0000C938) -------------------------------------------------------- 2250 | int __fastcall sub_C938(int result, char a2) 2251 | { 2252 | if ( a2 ) 2253 | MEMORY[0x4002100C] |= result; 2254 | else 2255 | MEMORY[0x4002100C] &= ~result; 2256 | return result; 2257 | } 2258 | 2259 | //----- (0000C974) -------------------------------------------------------- 2260 | int __fastcall sub_C974(int result, char a2) 2261 | { 2262 | if ( a2 ) 2263 | MEMORY[0x40021010] |= result; 2264 | else 2265 | MEMORY[0x40021010] &= ~result; 2266 | return result; 2267 | } 2268 | 2269 | //----- (0000CAAA) -------------------------------------------------------- 2270 | _WORD *__fastcall sub_CAAA(_WORD *result, char a2) 2271 | { 2272 | if ( a2 ) 2273 | *result |= 0x40u; 2274 | else 2275 | *result &= 0xFFBFu; 2276 | return result; 2277 | } 2278 | 2279 | //----- (0000CB4A) -------------------------------------------------------- 2280 | int __fastcall sub_CB4A(int a1) 2281 | { 2282 | return *(unsigned __int16 *)(a1 + 12); 2283 | 
} 2284 | 2285 | //----- (0000CB62) -------------------------------------------------------- 2286 | BOOL __fastcall sub_CB62(int a1, unsigned __int16 a2) 2287 | { 2288 | return (a2 & *(_WORD *)(a1 + 8)) != 0; 2289 | } 2290 | 2291 | //----- (0000CB98) -------------------------------------------------------- 2292 | int __fastcall sub_CB98(int a1) 2293 | { 2294 | int result; // r0 2295 | 2296 | switch ( a1 ) 2297 | { 2298 | case 1073818624: 2299 | sub_C938(2048, 1); 2300 | result = sub_C938(2048, 0); 2301 | break; 2302 | case 1073741824: 2303 | sub_C974(1, 1); 2304 | result = sub_C974(1, 0); 2305 | break; 2306 | case 1073742848: 2307 | sub_C974(2, 1); 2308 | result = sub_C974(2, 0); 2309 | break; 2310 | case 1073743872: 2311 | ((void (__fastcall *)(int, int))((char *)&loc_CBFE + 2))(4, 1); 2312 | JUMPOUT(0xCC02); 2313 | case 1073744896: 2314 | sub_C974(8, 1); 2315 | JUMPOUT(0xCC1C); 2316 | default: 2317 | JUMPOUT(0xCC26); 2318 | } 2319 | return result; 2320 | } 2321 | // CBFE: control flows out of bounds to CC02 2322 | // CC18: control flows out of bounds to CC1C 2323 | // CC12: control flows out of bounds to CC26 2324 | 2325 | //----- (0000CEBC) -------------------------------------------------------- 2326 | _WORD *__fastcall sub_CEBC(_WORD *result, char a2) 2327 | { 2328 | if ( a2 ) 2329 | *result |= 1u; 2330 | else 2331 | *result &= 0xFFFEu; 2332 | return result; 2333 | } 2334 | 2335 | //----- (0000CF40) -------------------------------------------------------- 2336 | int __fastcall sub_CF40(int result, __int16 a2) 2337 | { 2338 | *(_WORD *)(result + 36) = a2; 2339 | return result; 2340 | } 2341 | 2342 | //----- (0000CFAE) -------------------------------------------------------- 2343 | int __fastcall sub_CFAE(int result, __int16 a2) 2344 | { 2345 | *(_WORD *)(result + 16) = ~a2; 2346 | return result; 2347 | } 2348 | 2349 | //----- (0000D144) -------------------------------------------------------- 2350 | int __fastcall sub_D144(int result, char a2) 2351 | { 2352 | if 
( a2 ) 2353 | *(_WORD *)(result + 12) |= 0x2000u; 2354 | else 2355 | *(_WORD *)(result + 12) &= 0xDFFFu; 2356 | return result; 2357 | } 2358 | 2359 | //----- (0000D182) -------------------------------------------------------- 2360 | int __fastcall sub_D182(int result, __int16 a2) 2361 | { 2362 | *(_WORD *)(result + 4) = a2 & 0x1FF; 2363 | return result; 2364 | } 2365 | 2366 | //----- (0000D1A4) -------------------------------------------------------- 2367 | BOOL __fastcall sub_D1A4(_WORD *a1, unsigned __int16 a2) 2368 | { 2369 | return (a2 & *a1) != 0; 2370 | } 2371 | 2372 | //----- (0000D1DA) -------------------------------------------------------- 2373 | int sub_D1DA() 2374 | { 2375 | return sub_BD7C(1536); 2376 | } 2377 | 2378 | //----- (0000D258) -------------------------------------------------------- 2379 | _WORD *sub_D258() 2380 | { 2381 | __int16 v1[6]; // [sp+4h] [bp+4h] BYREF 2382 | char v2[6]; // [sp+10h] [bp+10h] BYREF 2383 | __int16 v3; // [sp+16h] [bp+16h] 2384 | 2385 | v3 = 1000; 2386 | ((void (__fastcall *)(int, int))loc_C8FC)(1, 1); 2387 | sub_CB98(0x40000000); 2388 | v1[1] = 0; 2389 | v1[3] = 0; 2390 | v1[2] = 999; 2391 | v1[0] = 63; 2392 | ((void (__fastcall *)(int, __int16 *))loc_CDC4)(0x40000000, v1); 2393 | v2[0] = 28; 2394 | v2[1] = 10; 2395 | v2[2] = 0; 2396 | v2[3] = 1; 2397 | ((void (__fastcall *)(char *))loc_BDA0)(v2); 2398 | sub_CF40(0x40000000, 0); 2399 | ((void (__fastcall *)(int, int, int))loc_CEFA)(0x40000000, 1, 1); 2400 | return sub_CEBC((_WORD *)0x40000000, 1); 2401 | } 2402 | 2403 | //----- (0000D2D6) -------------------------------------------------------- 2404 | _WORD *sub_D2D6() 2405 | { 2406 | ((void (__fastcall *)(int, int, _DWORD))loc_CEFA)(0x40000000, 1, 0); 2407 | return sub_CEBC((_WORD *)0x40000000, 0); 2408 | } 2409 | 2410 | //----- (0000D348) -------------------------------------------------------- 2411 | int __fastcall sub_D348(int result, unsigned int a2) 2412 | { 2413 | int v2; // r3 2414 | int v4; // [sp+8h] 
[bp+8h] 2415 | int v5; // [sp+Ch] [bp+Ch] 2416 | unsigned int v6; // [sp+10h] [bp+10h] 2417 | unsigned int i; // [sp+14h] [bp+14h] 2418 | 2419 | v6 = 1000000000; 2420 | v5 = 0; 2421 | v4 = 0; 2422 | for ( i = 0; i <= 9; ++i ) 2423 | { 2424 | v2 = v5++; 2425 | *(_BYTE *)(v2 + result) = a2 / v6 + 48; 2426 | a2 -= v6 * (a2 / v6); 2427 | v6 /= 0xAu; 2428 | if ( v4 == 0 && *(_BYTE *)(v5 - 1 + result) == 48 ) 2429 | v5 = 0; 2430 | else 2431 | ++v4; 2432 | } 2433 | return result; 2434 | } 2435 | 2436 | //----- (0000D660) -------------------------------------------------------- 2437 | BOOL __fastcall sub_D660(unsigned __int8 a1) 2438 | { 2439 | BOOL result; // r0 2440 | 2441 | sub_D182(1073821696, a1); 2442 | do 2443 | result = sub_D1A4((_WORD *)0x40013800, 0x80u); 2444 | while ( !result ); 2445 | return result; 2446 | } 2447 | 2448 | //----- (0000D694) -------------------------------------------------------- 2449 | BOOL __fastcall sub_D694(BOOL result) 2450 | { 2451 | unsigned __int8 *i; // [sp+4h] [bp+4h] 2452 | 2453 | for ( i = (unsigned __int8 *)result; *i; ++i ) 2454 | result = sub_D660(*i); 2455 | return result; 2456 | } 2457 | 2458 | //----- (0000D758) -------------------------------------------------------- 2459 | int __fastcall sub_D758(unsigned int a1) 2460 | { 2461 | int v2; // [sp+Ch] [bp+Ch] 2462 | 2463 | if ( (a1 & 0x3FF) != 0 ) 2464 | v2 = (a1 >> 10) + 1; 2465 | else 2466 | v2 = a1 >> 10; 2467 | return v2; 2468 | } 2469 | 2470 | //----- (0000D790) -------------------------------------------------------- 2471 | void sub_D790() 2472 | { 2473 | BOOL v0; // r0 2474 | 2475 | MEMORY[0x20000064] = (unsigned int)(MEMORY[0x20000018] - 0x8000000) >> 12; 2476 | MEMORY[0x20000068] = -(1 << ((unsigned int)(MEMORY[0x20000018] - 0x8000000) >> 12)); 2477 | MEMORY[0x2000006C] = (((int (*)(void))dword_C324)() & MEMORY[0x20000068]) != MEMORY[0x20000068]; 2478 | while ( 1 ) 2479 | { 2480 | while ( !MEMORY[0x20000070] ) 2481 | { 2482 | sub_D694(134276664); 2483 | 
MEMORY[0x20000070] = 1; 2484 | } 2485 | if ( MEMORY[0x20000070] == 1 ) 2486 | { 2487 | v0 = sub_D694(134276680); 2488 | ((void (__fastcall *)(BOOL))((char *)&loc_D7FE + 2))(v0); 2489 | JUMPOUT(0xD802); 2490 | } 2491 | } 2492 | } 2493 | // D7FE: control flows out of bounds to D802 2494 | // C324: using guessed type int dword_C324; 2495 | 2496 | //----- (0000DA40) -------------------------------------------------------- 2497 | int sub_DA40() 2498 | { 2499 | __int16 v1; // [sp+4h] [bp+4h] BYREF 2500 | char v2; // [sp+6h] [bp+6h] 2501 | char v3; // [sp+7h] [bp+7h] 2502 | 2503 | sub_C8C0(8, 1); 2504 | v3 = 16; 2505 | v2 = 3; 2506 | v1 = 256; 2507 | ((void (__fastcall *)(int, __int16 *))loc_C3D0)(1073810432, &v1); 2508 | sub_C564(1073810432, 0x100u); 2509 | v1 = 2048; 2510 | ((void (__fastcall *)(int, __int16 *))loc_C3D0)(1073810432, &v1); 2511 | sub_C548(1073810432, 0x800u); 2512 | v1 = 0x2000; 2513 | ((void (__fastcall *)(int, __int16 *))loc_C3D0)(1073810432, &v1); 2514 | return sub_C548(1073810432, 0x2000u); 2515 | } 2516 | 2517 | //----- (0000DC38) -------------------------------------------------------- 2518 | int __fastcall sub_DC38(int a1, int a2) 2519 | { 2520 | while ( a2-- ) 2521 | { 2522 | if ( ((int (__fastcall *)(int))loc_D5EC)(a1) == 1 ) 2523 | return 0; 2524 | } 2525 | return -1; 2526 | } 2527 | 2528 | //----- (0000DC6A) -------------------------------------------------------- 2529 | int __fastcall sub_DC6A(unsigned __int8 a1) 2530 | { 2531 | sub_D660(a1); 2532 | return 0; 2533 | } 2534 | 2535 | // nfuncs=178 queued=174 decompiled=174 lumina nreq=0 worse=0 better=0 2536 | // ALL OK, 174 function(s) have been successfully decompiled 2537 | -------------------------------------------------------------------------------- /stm32/sram_0x20000000_0x5000.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/stm32/sram_0x20000000_0x5000.bin
--------------------------------------------------------------------------------
/stm32/stm32_swd.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/stm32/stm32_swd.jpg
--------------------------------------------------------------------------------
/stm32_commands/README.md:
--------------------------------------------------------------------------------
1 | # STM32 commands
2 |
3 | The STM32 and NanoPi communicate over a UART at 57600 baud.
4 |
5 | On the NanoPi, this reuses what is normally the debug UART, `/dev/ttyS0`.
6 |
7 | ## Tracing /dev/ttyS0 activity
8 |
9 | Sniffing RX0 & TX0 with a logic analyzer:
10 |
11 | ```
12 | > FROM_CHG_GO_INTO_MAIN!\r\n
13 | > CHG_PWRON_BAT_VOL 4376!\r\n
14 |
15 | << ! NanoPi NEO communicating at 115200 bauds
16 | < \r\n
17 | < U-Boot SPL 2017.11 (Dec 19 2019 - 16:43:16)\r\n
18 | < DRAM: 256 MiB(408MHz)\r\n
19 | < CPU Freq: 408MHz\r\n
20 | < memory test: 1\r\n
21 | < Pattern 55aa Writing...Reading...OK\r\n
22 | < Trying to boot from MMC1\r\n
23 | < Boot device: sd\r\n
24 | < \r\n
25 | < \r\n
26 | < U-Boot 2017.11 (Dec 19 2019 - 16:43:16 +0800) Allwinner Technology\r\n
27 | < \r\n
28 | < CPU: Allwinner H3 (SUN8I 1680)\r\n
29 | < Model: FriendlyElec NanoPi H3\r\n
30 | < DRAM: 256 MiB\r\n
31 | < CPU Freq: 1008MHz\r\n
32 | < MMC: SUNXI SD/MMC: 0COMMA SUNXI SD/MMC: 1\r\n
33 | < *** Warning - bad CRCCOMMA using default environment\r\n
34 | < \r\n
35 | < In: serial\r\n
36 | < Out: serial\r\n
37 | < Err: serial\r\n
38 | < Net: No ethernet found.\r\n
39 | < BOARD: nanopi-neo\r\n
40 | < starting USB...\r\n
41 | < No controllers found\r\n
42 | < Hit any key to stop autoboot: 2 \b\b\b 1 \b\b\b 0 \r\n
43 | < reading boot.scr\r\n
44 | < 1478 bytes read in 18 ms (80.1 KiB/s)\r\n
45 | < ## Executing script at 43100000\r\n
46 | < running boot.scr\r\n
47 | < reading uEnv.txt\r\n
48 | < 969 bytes read in 18 ms (51.8 KiB/s)\r\n
49 | < reading zImage\r\n
50 | < 5901432 bytes read in 295 ms (19.1 MiB/s)\r\n
51 | < reading rootfs.cpio.gz\r\n
52 | < 5880768 bytes read in 290 ms (19.3 MiB/s)\r\n
53 | < reading sun8i-h3-nanopi-neo.dtb\r\n
54 | < 34459 bytes read in 25 ms (1.3 MiB/s)\r\n
55 | < overlays is empty\r\n
56 | < reading overlays/sun8i-h3-fixup.scr\r\n
57 | < 4109 bytes read in 33 ms (121.1 KiB/s)\r\n
58 | < ## Executing script at 44500000\r\n
59 | < ## Flattened Device Tree blob at 48000000\r\n
60 | < Booting using the fdt blob at 0x48000000\r\n
61 | < Loading Ramdisk to 49a64000COMMA end 49fffbc0 ... OK\r\n
62 | < reserving fdt memory region: addr=48000000 size=6e000\r\n
63 | < Loading Device Tree to 499f3000COMMA end 49a63fff ... OK\r\n
64 | < \r\n
65 | < Starting kernel ...\r\n
66 | < \r\n
67 |
68 | << ! NanoPi NEO communicating at 57600 bauds
69 | < h3start\r\n
70 | > \r\n
71 | > -> CMD ERR, try: help\r\n
72 | > \r\n
73 |
74 | < h3start\r\n
75 | > \r\n
76 | > -> OK\r\n
77 |
78 | < givemelcd\r\n
79 | > \r\n
80 | > -> OK\r\n
81 |
82 | < setbaklightBdA\r\n
83 | > \r\n
84 | > -> OK\r\n
85 |
86 | < restartpm3\r\n
87 | > \r\n
88 | > -> OK\r\n
89 |
90 | < pctbat\r\n
91 | > #batpct:110\r\n
92 | > -> OK\r\n
93 |
94 | < charge\r\n
95 | > #charge:1\r\n
96 | > -> OK\r\n
97 |
98 | < pctbat\r\n
99 | > #batpct:110\r\n
100 | > -> OK\r\n
101 |
102 | < charge\r\n
103 | > #charge:1\r\n
104 | > -> OK\r\n
105 |
106 | # Pressing top left and top right button
107 |
108 | > KEYM1_PRES!\r\n
109 | > KEYM2_PRES!\r\n
110 |
111 | # Pressing directions and OK buttons
112 |
113 | > KEYUP_PRES!\r\n
114 | > KEYDOWN_PRES!\r\n
115 | > KEYLEFT_PRES!\r\n
116 | > KEYRIGHT_PRES!\r\n
117 | > KEYOK_PRES!\r\n
118 |
119 | # Pressing C/Power and S-R/W buttons
120 |
121 | > KEY_PWR_CAN_PRES!\r\n
122 | > KEY_ALL_PRES!\r\n
123 |
124 | # Pressing power button long
125 |
126 | > KEY_PWR_CAN_PRES!\r\n
127 | > SHUTDOWN H3!\r\n
128 | > ARE YOU OK?\r\n
129 |
130 | < giveyoulcd\r\n
131 | > \r\n
132 | > -> OK \r\n
133 |
134 | < I'm alive\r\n
135 | > \r\n
136 | > -> OK\r\n
137 |
138 | < shutdowning\r\n
139 | > \r\n
140 | > -> OK\r\n
141 | > ARE YOU OK?\r\n
142 | > ARE YOU OK?\r\n
143 | > ARE YOU OK?\r\n
144 | > ARE YOU OK?\r\n
145 | > ARE YOU OK?\r\n
146 | > ARE YOU OK?\r\n
147 | > OK! You are died\r\n
148 | > Prepare to SHUTDOWN!\r\n
149 | > Bye!\r\n
150 | ```
151 |
152 | Some commands found in the binaries:
153 |
154 | ```
155 | charge
156 | fillscreen + param?
157 | fillsquare + param?
158 | givemelcd
159 | giveyoulcd
160 | gotobl
161 | h3start
162 | idid
163 | i'm alive
164 | ledpm3
165 | multicmd + param?
166 | pctbat
167 | plan2shutdown
168 | presspm3
169 | restartpm3
170 | setbaklight + param?
171 | showpicture + param?
172 | showsimbol + param?
173 | showstring + param?
174 | shutdowning
175 | turnoffpm3
176 | turnonpm3
177 | version
178 | volbat
179 | volvcc
180 | ```
181 |
--------------------------------------------------------------------------------
/tags/README.md:
--------------------------------------------------------------------------------
1 | # iCopy-X Tags
2 |
3 |
4 | ## iCE
5 |
6 | An iClass Elite locked with password `2020666666668888`:
7 |
8 | ```
9 | [usb] pm3 --> hf iclass rdbl -b 1 -k 2020666666668888 --elite
10 |
11 | [+] block 1/0x01 : 12 FF FF FF 7F 1F FF 3C
12 |
13 | [usb] pm3 --> hf iclass info
14 |
15 | [=] --------------------- Tag Information ----------------------
16 | [+] CSN: 20 59 A7 02 F8 FF 12 E0 uid
17 | [+] Config: 12 FF FF FF 7F 1F FF 3C card configuration
18 | [+] E-purse: FF FF FF FF F9 FF FF FF Card challenge, CC
19 | [+] Kd: 00 00 00 00 00 00 00 00 debit key, hidden
20 | [+] Kc: 00 00 00 00 00 00 00 00 credit key, hidden
21 | [+] AIA: FF FF FF FF FF FF FF FF application issuer area
22 | [=] -------------------- card configuration --------------------
23 | [=] Raw: 12 FF FF FF 7F 1F FF 3C
24 | [=] 12..................... app limit
25 | [=] FFFF ( 65535 )...... OTP
26 | [=] FF............ block write lock
27 | [=] 7F......... chip
28 | [=] 1F...... mem
29 | [=] FF... EAS
30 | [=] 3C fuses
31 | [=] Fuses:
32 | [+] mode......... Application (locked)
33 | [+] coding....... ISO 14443-2 B / 15693
34 | [+] crypt........ Secured page, keys not locked
35 | [=] RA........... Read access not enabled
36 | [=] -------------------------- Memory --------------------------
37 | [=] 2 KBits/2 App Areas ( 256 bytes )
38 | [=] AA1 blocks 13 { 0x06 - 0x12 (06 - 18) }
39 | [=] AA2 blocks 18 { 0x13 - 0x1F (19 - 31) }
40 | [=] ------------------------- KeyAccess ------------------------
41 | [=] * Kd, Debit key, AA1 Kc, Credit key, AA2 *
42 | [=] Read A....... debit or credit
43 | [=] Read B....... debit or credit
44 | [=] Write A...... credit
45 | [=] Write B...... credit
46 | [=] Debit........ debit or credit
47 | [=] Credit....... credit
48 | [=] ------------------------ Fingerprint -----------------------
49 | [+] CSN.......... HID range
50 | [+] Credential... iCLASS legacy
51 | [+] Card type.... PicoPass 2K
52 | ```
53 |
54 | What it does when making a copy, here of itself (beware, old Proxmark3 syntax):
55 | ```
56 | hf iclass rdbl b 01 k AFA785A7DAB33378
57 | hf iclass rdbl b 01 k AFA785A7DAB33378
58 | hf iclass rdbl b 01 k 2020666666668888
59 | hf iclass rdbl b 01 k 2020666666668888 e
60 | hf iclass info
61 | hf iclass dump k 2020666666668888 f /mnt/upan/dump/iclass/Iclass-Elite_2059A702F8FF12E0_1 e
62 |
63 | # swapping cards
64 |
65 | hf iclass wrbl b 06 d 030303030003E017 k 2020666666668888 e
66 | hf iclass wrbl b 07 d 74C6C5EAF5DF3065 k 2020666666668888 e
67 | hf iclass wrbl b 08 d 2AD4C8211F996871 k 2020666666668888 e
68 | hf iclass wrbl b 09 d 2AD4C8211F996871 k 2020666666668888 e
69 | hf iclass wrbl b 0a d FFFFFFFFFFFFFFFF k 2020666666668888 e
70 | hf iclass wrbl b 0b d FFFFFFFFFFFFFFFF k 2020666666668888 e
71 | hf iclass wrbl b 0c d FFFFFFFFFFFFFFFF k 2020666666668888 e
72 | hf iclass wrbl b 0d d FFFFFFFFFFFFFFFF k 2020666666668888 e
73 | hf iclass wrbl b 0e d FFFFFFFFFFFFFFFF k 2020666666668888 e
74 | hf iclass wrbl b 0f d FFFFFFFFFFFFFFFF k 2020666666668888 e
75 | hf iclass wrbl b 10 d FFFFFFFFFFFFFFFF k 2020666666668888 e
76 | hf iclass wrbl b 11 d FFFFFFFFFFFFFFFF k 2020666666668888 e
77 | hf iclass wrbl b 12 d FFFFFFFFFFFFFFFF k 2020666666668888 e
78 | hf iclass calcnewkey o 2020666666668888 n 2020666666668888 ee
79 | hf iclass wrbl b 03 d 0000000000000000 k 2020666666668888 e
80 | hf iclass rdbl b 01 k 2020666666668888 e
81 | hf iclass rdbl b 06 k 2020666666668888 e
82 | hf iclass rdbl b 07 k 2020666666668888 e
83 | hf iclass rdbl b 08 k 2020666666668888 e
84 | hf iclass rdbl b 09 k 2020666666668888 e
85 | hf iclass rdbl b 0a k 2020666666668888 e
86 | hf iclass rdbl b 0b k 2020666666668888 e
87 | hf iclass rdbl b 0c k 2020666666668888 e
88 | hf iclass rdbl b 0d k 2020666666668888 e
89 | hf iclass rdbl b 0e k 2020666666668888 e
90 | hf iclass rdbl b 0f k 2020666666668888 e
91 | hf iclass rdbl b 10 k 2020666666668888 e
92 | hf iclass rdbl b 11 k 2020666666668888 e
93 | hf iclass rdbl b 12 k 2020666666668888 e
94 | ```
95 |
96 | Note that FW 1.0.3 is buggy; FW 1.0.7 works fine.
97 |
98 | To reuse an iCopy-X iCE, it must be set back to the initial key, e.g.:
99 |
100 | ```
101 | hf iclass calcnewkey --old AFA785A7DAB33378 --new 2020666666668888 --elite2
102 | Xor div key......... B3 56 7D DF 3E 64 E6 D7
103 | hf iclass wrbl -b 3 -d B3567DDF3E64E6D7 -k AFA785A7DAB33378 --elite
104 | ```
105 | ## iCL
106 |
107 | An iClass Legacy locked with password `2020666666668888`:
108 |
109 | ```
110 | [usb] pm3 --> hf iclass rdbl -b 1 -k 2020666666668888
111 | [+] block 1/0x01 : 12 FF FF FF 7F 1F FF 3C
112 |
113 | [usb] pm3 --> hf iclass info
114 |
115 | [=] --------------------- Tag Information ----------------------
116 | [+] CSN: 80 71 A7 02 F8 FF 12 E0 uid
117 | [+] Config: 12 FF FF FF 7F 1F FF 3C card configuration
118 | [+] E-purse: FF FF FF FF FB FF FF FF Card challenge, CC
119 | [+] Kd: 00 00 00 00 00 00 00 00 debit key, hidden
120 | [+] Kc: 00 00 00 00 00 00 00 00 credit key, hidden
121 | [+] AIA: FF FF FF FF FF FF FF FF application issuer area
122 | [=] -------------------- card configuration --------------------
123 | [=] Raw: 12 FF FF FF 7F 1F FF 3C
124 | [=] 12..................... app limit
125 | [=] FFFF ( 65535 )...... OTP
126 | [=] FF............ block write lock
127 | [=] 7F......... chip
128 | [=] 1F...... mem
129 | [=] FF... EAS
130 | [=] 3C fuses
131 | [=] Fuses:
132 | [+] mode......... Application (locked)
133 | [+] coding....... ISO 14443-2 B / 15693
134 | [+] crypt........ Secured page, keys not locked
135 | [=] RA........... Read access not enabled
136 | [=] -------------------------- Memory --------------------------
137 | [=] 2 KBits/2 App Areas ( 256 bytes )
138 | [=] AA1 blocks 13 { 0x06 - 0x12 (06 - 18) }
139 | [=] AA2 blocks 18 { 0x13 - 0x1F (19 - 31) }
140 | [=] ------------------------- KeyAccess ------------------------
141 | [=] * Kd, Debit key, AA1 Kc, Credit key, AA2 *
142 | [=] Read A....... debit or credit
143 | [=] Read B....... debit or credit
144 | [=] Write A...... credit
145 | [=] Write B...... credit
146 | [=] Debit........ debit or credit
147 | [=] Credit....... credit
148 | [=] ------------------------ Fingerprint -----------------------
149 | [+] CSN.......... HID range
150 | [+] Credential... iCLASS legacy
151 | [+] Card type.... PicoPass 2K
152 | ```
153 |
154 | What it does when making a copy, here of itself (beware, old Proxmark3 syntax):
155 | ```
156 | hf iclass rdbl b 01 k AFA785A7DAB33378
157 | hf iclass rdbl b 01 k AFA785A7DAB33378
158 | hf iclass rdbl b 01 k 2020666666668888
159 | hf iclass info
160 | hf iclass dump k 2020666666668888 f /mnt/upan/dump/iclass/Iclass-Legacy_8071A702F8FF12E0_1
161 |
162 | # swapping cards
163 |
164 | hf iclass wrbl b 06 d 000000000000E014 k 2020666666668888
165 | hf iclass wrbl b 07 d FFFFFFFFFFFFFFFF k 2020666666668888
166 | hf iclass wrbl b 08 d FFFFFFFFFFFFFFFF k 2020666666668888
167 | hf iclass wrbl b 09 d FFFFFFFFFFFFFFFF k 2020666666668888
168 | hf iclass wrbl b 0a d FFFFFFFFFFFFFFFF k 2020666666668888
169 | hf iclass wrbl b 0b d FFFFFFFFFFFFFFFF k 2020666666668888
170 | hf iclass wrbl b 0c d FFFFFFFFFFFFFFFF k 2020666666668888
171 | hf iclass wrbl b 0d d FFFFFFFFFFFFFFFF k 2020666666668888
172 | hf iclass wrbl b 0e d FFFFFFFFFFFFFFFF k 2020666666668888
173 | hf iclass wrbl b 0f d FFFFFFFFFFFFFFFF k 2020666666668888
174 | hf iclass wrbl b 10 d FFFFFFFFFFFFFFFF k 2020666666668888
175 | hf iclass wrbl b 11 d FFFFFFFFFFFFFFFF k 2020666666668888
176 | hf iclass wrbl b 12 d FFFFFFFFFFFFFFFF k 2020666666668888
177 | hf iclass calcnewkey o 2020666666668888 n 2020666666668888
178 | hf iclass wrbl b 03 d 0000000000000000 k 2020666666668888
179 | hf iclass rdbl b 01 k 2020666666668888
180 | hf iclass rdbl b 06 k 2020666666668888
181 | hf iclass rdbl b 07 k 2020666666668888
182 | hf iclass rdbl b 08 k 2020666666668888
183 | hf iclass rdbl b 09 k 2020666666668888
184 | hf iclass rdbl b 0a k 2020666666668888
185 | hf iclass rdbl b 0b k 2020666666668888
186 | hf iclass rdbl b 0c k 2020666666668888
187 | hf iclass rdbl b 0d k 2020666666668888
188 | hf iclass rdbl b 0e k 2020666666668888
189 | hf iclass rdbl b 0f k 2020666666668888
190 | hf iclass rdbl b 10 k 2020666666668888
191 | hf iclass rdbl b 11 k 2020666666668888
192 | hf iclass rdbl b 12 k 2020666666668888
193 | ```
194 |
195 | Note that FW 1.0.3 is buggy; FW 1.0.7 works fine.
196 |
197 | To reuse an iCopy-X iCL, it must be set back to the initial key, e.g.:
198 |
199 | ```
200 | hf iclass calcnewkey --old AFA785A7DAB33378 --new 2020666666668888
201 | Xor div key......... 1E 1E 03 6C C9 5A 76 4E
202 | hf iclass wrbl -b 3 -d 1E1E036CC95A764E -k AFA785A7DAB33378
203 | ```
204 |
205 | ## iCS
206 |
207 | An iClass Legacy locked with password `6666202066668888`:
208 |
209 | ```
210 | [usb] pm3 --> hf iclass rdbl -b 1 -k 6666202066668888
211 |
212 | [+] block 1/0x01 : 12 FF FF FF 7F 1F FF 3C
213 |
214 | [usb] pm3 --> hf iclass info
215 |
216 | [=] --------------------- Tag Information ----------------------
217 | [+] CSN: 95 F0 6C 01 F9 FF 12 E0 uid
218 | [+] Config: 12 FF FF FF 7F 1F FF 3C card configuration
219 | [+] E-purse: FA FF FF FF FF FF FF FF Card challenge, CC
220 | [+] Kd: 00 00 00 00 00 00 00 00 debit key, hidden
221 | [+] Kc: 00 00 00 00 00 00 00 00 credit key, hidden
222 | [+] AIA: FF FF FF FF FF FF FF FF application issuer area
223 | [=] -------------------- card configuration --------------------
224 | [=] Raw: 12 FF FF FF 7F 1F FF 3C
225 | [=] 12..................... app limit
226 | [=] FFFF ( 65535 )...... OTP
227 | [=] FF............ block write lock
228 | [=] 7F......... chip
229 | [=] 1F...... mem
230 | [=] FF... EAS
231 | [=] 3C fuses
232 | [=] Fuses:
233 | [+] mode......... Application (locked)
234 | [+] coding....... ISO 14443-2 B / 15693
235 | [+] crypt........ Secured page, keys not locked
236 | [=] RA........... Read access not enabled
237 | [=] -------------------------- Memory --------------------------
238 | [=] 2 KBits/2 App Areas ( 256 bytes )
239 | [=] AA1 blocks 13 { 0x06 - 0x12 (06 - 18) }
240 | [=] AA2 blocks 18 { 0x13 - 0x1F (19 - 31) }
241 | [=] ------------------------- KeyAccess ------------------------
242 | [=] * Kd, Debit key, AA1 Kc, Credit key, AA2 *
243 | [=] Read A....... debit or credit
244 | [=] Read B....... debit or credit
245 | [=] Write A...... credit
246 | [=] Write B...... credit
247 | [=] Debit........ debit or credit
248 | [=] Credit....... credit
249 | [=] ------------------------ Fingerprint -----------------------
250 | [+] CSN.......... HID range
251 | [+] Credential... iCLASS legacy
252 | [+] Card type.... PicoPass 2K
253 | ```
254 |
255 | To reuse an iCopy-X iCS, it must be set back to the initial key, e.g.:
256 |
257 | ```
258 | [usb] pm3 --> hf iclass calcnewkey --old AEA684A6DAB23278 --new 6666202066668888
259 | [+] CSN E1 64 6D 01 F9 FF 12 E0
260 | [+] epurse FF FF FF FF FB FF FF FF
261 | [+] Old div key......... 7B F6 4D 4C 5E 95 07 EA
262 | [+] New div key......... 40 DD 85 E0 B5 A8 66 93
263 | [+] Xor div key......... 3B 2B C8 AC EB 3D 61 79
264 |
265 | [usb] pm3 --> hf iclass wrbl -b 3 -d 3B2BC8ACEB3D6179 -k AEA684A6DAB23278
266 | [+] Wrote block 3/0x03 successful
267 | ```
268 |
269 |
270 | ## ICODE
271 |
272 | A magic ICODE card.
273 |
274 | ```
275 | [usb] pm3 --> hf 15 info
276 |
277 | [+] UID: E0 04 01 50 00 00 69 25
278 | [+] TYPE: NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX) ICS2602(SLIX2)
279 | [+] Using UID...
E0 04 01 50 00 00 69 25 280 | 281 | [=] --- Tag Information --------------------------- 282 | [=] ------------------------------------------------------------- 283 | [+] TYPE: NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX) ICS2602(SLIX2) 284 | [+] UID: E0 04 01 50 00 00 69 25 285 | [+] SYSINFO: 00 0F 25 69 00 00 50 01 04 E0 00 00 1B 03 01 286 | [+] - DSFID supported [0x00] 287 | [+] - AFI supported [0x00] 288 | [+] - IC reference supported [0x01] 289 | [+] - Tag provides info on memory layout (vendor dependent) 290 | [+] 4 (or 3) bytes/blocks x 28 blocks 291 | ``` 292 | 293 | 294 | What it does when making a copy, here itself: (beware, old proxmark3 syntax) 295 | 296 | ``` 297 | hf sea 298 | hf 15 dump f /mnt/upan/dump/icode/ICODE_E004015000006925_1 299 | 300 | # swapping cards 301 | 302 | hf 15 csetuid E004015000006925 303 | hf 15 restore f /mnt/upan/dump/icode/ICODE_E004015000006925_1.bin 304 | hf sea 305 | ``` 306 | 307 | ## ID1 308 | 309 | It's a T5577 locked with password `20206666`. 310 | ``` 311 | lf t55xx detect -p 20206666 312 | lf t55xx dump -p 20206666 --override 313 | ``` 314 | 315 | The iCopy-X accepts to make copies on ordinary T5577 tags and will lock them with the same password. 316 | 317 | What it does when making a copy, here an Indala: (beware, old proxmark3 syntax) 318 | ``` 319 | lf t55xx wipe p 20206666 320 | lf t55xx detect 321 | lf lf indala clone -r a0000000a0002021 322 | lf t55xx detect 323 | # Block0 : 0x00081040 324 | lf t55xx write b 7 d 20206666 325 | lf t55xx write b 0 d 00081050 326 | lf t55xx detect p 20206666 327 | lf sea 328 | lf indala read 329 | ``` 330 | 331 | To recover a locked tag: 332 | ``` 333 | lf t55xx wipe -p 20206666 334 | lf t55xx detect 335 | ``` 336 | 337 | ## M1-4b (L1) 338 | 339 | MIFARE Classic 1k Gen1a / UID 340 | 341 | First sector A & B keys are `E00000000000`. XS version doesn't verify that key. 
```
hf 14a info
hf mf cload b /mnt/upan/dump/mf1/M1-1K-4B_11223344_1.bin
```

Note that by default the iCopy-X also sends commands attempting to lock a UFUID, cf. "M1-4b (L3)".

## M1-4b (L2)

MIFARE Classic 1k Gen2 / CUID / DirectWrite

First sector A & B keys are `E00000000000`. The XS version doesn't verify that key.

```
hf 14a info
hf mf cgetblk 0
hf mf fchk 1 /tmp/.keys/mf_tmp_keys
hf mf rdbl 63 A ffffffffffff
hf mf wrbl 60 A ffffffffffff 00000000000000000000000000000000
hf mf wrbl 61 A ffffffffffff 00000000000000000000000000000000
hf mf wrbl 62 A ffffffffffff 00000000000000000000000000000000
hf mf wrbl 56 A ffffffffffff 00000000000000000000000000000000
...
hf mf wrbl 0 A e00000000000 A43498DED688040047C1252785001906
hf mf wrbl 1 A e00000000000 140103E103E103E103E103E103E103E1
hf mf wrbl 2 A e00000000000 03E103E103E103E103E103E103E103E1
hf mf wrbl 63 A ffffffffffff D3F7D3F7D3F77F078840FFFFFFFFFFFF
hf mf wrbl 59 A ffffffffffff D3F7D3F7D3F77F078840FFFFFFFFFFFF
...
hf mf wrbl 3 A e00000000000 A0A1A2A3A4A5787788C1FFFFFFFFFFFF
```

## M1-4b (L3)

MIFARE Classic 1k Gen1a / UFUID

Same as MIFARE Classic Gen1a (L1), but block 0 can be locked with a special command.

First sector A & B keys are `E00000000000`. The XS version doesn't verify that key.

```
hf mf cload b /mnt/upan/dump/mf1/M1-1K-4B_11223344_1.bin
hf 14a raw -p -a -b 7 40
hf 14a raw -p -a 43
hf 14a raw -c -p -a e000
hf 14a raw -c -p -a e100
hf 14a raw -c -p -a 85000000000000000000000000000008
hf 14a raw -c -a 5000
```

## M1-7b

MIFARE Classic 1k 7b-UID Gen2 / CUID / DirectWrite

All default keys.

Usage: cf. "M1-4b (L2)"

## M4-4b

MIFARE Classic 4k Gen2 / CUID / DirectWrite

All default keys.

Usage: cf. "M1-4b (L2)"

## M4-7b

MIFARE Classic 4k 7b-UID Gen2 / CUID / DirectWrite

All default keys.

Usage: cf. "M1-4b (L2)"

## NTAG

An NTAG21x

```
[usb] pm3 --> hf mfu info

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+] TYPE: NTAG 216 888bytes (NT2H1611G0DU) ( magic )
[+] UID: 11 22 33 55 66 77 88
[+] UID[0]: 11, Emosyn-EM Microelectronics USA
BCC0: 44, crc should be 88
BCC1: FF, crc should be CC
[+] Internal: FF (not default)
[+] Lock: FF FF - //
[+] OneTimePad: E1 10 6D 00 - @�0

[=] --- NDEF Message
[+] Capability Container: E1 10 6D 00
[+] E1: NDEF Magic Number
[+] 10: version 0.1 supported by tag
[+] : Read access granted without any security / Write access granted without any security
[+] 6D: Physical Memory Size: 872 bytes
[+] 6D: NDEF Memory Size: 872 bytes
[+] Additional feature information
[+] 00
[+] 00000000
[+] xxx - 00: RFU (ok)
[+] x - 00: don't support special frame
[+] x - 00: don't support lock block
[+] xx - 00: RFU (ok)
[+] x - 00: IC don't support multiple block reads

[=] --- Tag Counter
[=] [02]: FF FF FF
[+] - 00 tearing ( fail )

[=] --- Tag Signature
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[+] Signature verification ( fail )

[=] --- Tag Version
[=] Raw bytes: 00 04 04 02 01 00 13 03
[=] Vendor ID: 04, NXP Semiconductors Germany
[=] Product type: 04, NTAG
[=] Product subtype: 02, 50pF
[=] Major version: 01
[=] Minor version: 00
[=] Size: 13, (1024 <-> 512 bytes)
[=] Protocol type: 03, ISO14443-3 Compliant

[=] --- Tag Configuration
[=] cfg0 [227/0xE3]: 00 00 00 FF
[=] - strong modulation mode disabled
[=] - pages don't need authentication
[=] cfg1 [228/0xE4]: 00 05 00 00
[=] - Unlimited password attempts
[=] - NFC counter disabled
[=] - NFC counter not protected
[=] - user configuration writeable
[=] - write access is protected with password
[=] - 05, Virtual Card Type Identifier is default
[=] PWD [229/0xE5]: FF FF FF FF - (cannot be read)
[=] PACK [230/0xE6]: FF FF - (cannot be read)
[=] RFU [230/0xE6]: FF FF - (cannot be read)

[+] --- Known EV1/NTAG passwords
[+] Found default password FF FF FF FF pack FF FF
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------

[usb] pm3 --> script run hf_mfu_magicwrite -c
[+] executing lua /home/usr/local/bin/../share/proxmark3/luascripts/hf_mfu_magicwrite.lua
[+] args '-c'
----------------------------------------
----------------------------------------

Magic NTAG 21* Configuration
- Type NTAG 216 (genuine cardtype)
- Password FFFFFFFF
- Pack 0000
- Version 0004040201000F03
- Signature 9739523E684347A7DB9B6B16CB61D4BAE6C7616AD529496DC68158F6FFB73404

[+] finished hf_mfu_magicwrite
```

What it does when making a copy, here of itself (beware, old Proxmark3 syntax):
```
hf 14a info
hf mf cgetblk 0
hf mfu info
hf mfu dump f /mnt/upan/dump/mfu/NTAG216_11223355667788_1

# swapping cards

hf mfu restore s e f /mnt/upan/dump/mfu/NTAG216_11223355667788_1.bin
[-] Failed convert on load to new Ultralight/NTAG format
hf mf cgetblk 0

```

## UL

```
[usb] pm3 --> hf mfu info

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+] TYPE: Unknown 000000
[+] UID: 00 00 00 00 00 00 00
[+] UID[0]: 00, no tag-info available
BCC0: 00, crc should be 88
[+] BCC1: 00 (ok)
[+] Internal: 00 (not default)
[+] Lock: 00 00 - 00
[+] OneTimePad: 00 00 00 00 - 0000
[=] ------------------------ Fingerprint -----------------------
[=] Reading tag memory...
[=] ------------------------------------------------------------
```

What it does when making a copy, here of itself (beware, old Proxmark3 syntax):
```
hf 14a info
hf mf cgetblk 0
hf mfu info
hf mfu dump f /mnt/upan/dump/mfu/M0-UL_00000000000000_1

# swapping cards

hf mfu restore s e f /mnt/upan/dump/mfu/M0-UL_00000000000000_1.bin
[-] Failed convert on load to new Ultralight/NTAG format
```

On another card:

```
hf mfu restore s e f /mnt/upan/dump/mfu/M0-UL_044762415B2380_1.bin
[!] failed to write block ...
```

## UL-C

```
[usb] pm3 --> hf mfu info

[=] --- Tag Information --------------------------
[=] -------------------------------------------------------------
[+] TYPE: MIFARE Ultralight C (MF0ULC)
[+] UID: 00 00 00 00 00 00 00
[+] UID[0]: 00, no tag-info available
BCC0: 00, crc should be 88
[+] BCC1: 00 (ok)
[+] Internal: 00 (not default)
[+] Lock: 00 00 - 00
[+] OneTimePad: 00 00 00 00 - 0000

--- UL-C Configuration
Higher Lockbits [40/0x28]: 00 00 00 00 - 00
Counter [41/0x29]: 00 00 00 00 - 00
Auth0 [42/0x2A]: 00 00 00 00 default
Auth1 [43/0x2B]: 00 00 00 00 read and write access restricted
[=] Trying some default 3des keys
[#] failed authentication
[#] Authentication failed
[+] Found default 3des key:
[=] deskey1 [44/0x2C]: 00 00 00 00 [....]
[=] deskey1 [45/0x2D]: 00 00 00 00 [....]
[=] deskey2 [46/0x2E]: 00 00 00 00 [....]
[=] deskey2 [47/0x2F]: 00 00 00 00 [....]
[=] 3des key: 00000000000000000000000000000000
```

What it does when making a copy, here of itself (beware, old Proxmark3 syntax):
```
hf 14a info
hf mf cgetblk 0
hf mfu info
hf mfu dump f /mnt/upan/dump/mfu/M0-UL-C_00000000000000_1

# swapping cards

hf mfu restore s e f /mnt/upan/dump/mfu/M0-UL-C_00000000000000_1.bin
[-] Failed convert on load to new Ultralight/NTAG format
```

On another card:

```
hf mfu restore s e f /mnt/upan/dump/mfu/M0-UL-C_0430B001B02780_1.bin
hf 14a info
hf mf cgetblk 0
hf mfu info
```

## UL Ev1

An NTAG21x configured as UL Ev1

```
[usb] pm3 --> script run hf_mfu_magicwrite -c
[+] executing lua /home/usr/local/bin/../share/proxmark3/luascripts/hf_mfu_magicwrite.lua
[+] args '-c'
----------------------------------------
----------------------------------------

Magic NTAG 21* Configuration
- Type NTAG 213 (genuine cardtype)
- Password FFFFFFFF
- Pack FFFF
- Version 0004030101000B03 (UL EV1 48b)
- Signature FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

[+] finished hf_mfu_magicwrite
```

--------------------------------------------------------------------------------
/w25q80/README.md:
--------------------------------------------------------------------------------
# W25Q80

## Connections with STM32F103

A close look at the green PCB revealed an "8C715" wired to the STM32 SPI1 in a way that matches W25Q chips:

|W25Q signal|8C715 pin|STM32 pin|STM32 function|
|-|-|-|-|
|/CS|1|20|PB2|
|DO|2|16|PA6 = SPI1_MISO|
|/WP|3|22|PB11|
|GND|4|GND| |
|DI|5|17|PA7 = SPI1_MOSI|
|CLK|6|15|PA5 = SPI1_SCK|
|/H|7|22|PB11|
|Vcc|8|22|PB11|

@gator96100 identified it as a W25Q80BLUXIG 8Mbit.

## Dumping EEPROM

The chip was wired in place to a CH341A through a DIP8 breakout (skipping /H as it's wired to Vcc):

```
ch341prog -r w25q80.bin
Device reported its revision [4.03]
Manufacturer ID: ef
Memory Type: 4014
No CFI structure found, trying to get capacity from device ID. Set manually if detection fails.
Capacity: 14
Chip capacity is 1048576 bytes
Read started!
```

* [w25q80.bin](w25q80.bin)

## Investigating EEPROM

Using my [ElectronicColoringBook.py](https://doegox.github.io/ElectronicColoringBook/) on it reveals that it contains the charging and booting screens (and probably an animation):

```
./ElectronicColoringBook.py -c255 -b2 -p2 -x240 -o80 -S w25q80.bin
```

Note that colors are randomly picked by my script; they don't reflect actual screen colors.

Memory map:
```
0x00000 392            ??
0x00188                empty
0x02800 240*240*2      charging
0x1ea00 117*62*2       flash
0x222ac 240*240*2      logo
0x3e4ac 162*92*2       charged
0x4591c 14?*63?*2*8?   charging bars?
0x4909c 15960          B&W 1b fonts (8 & 16px wide)
0x4cef4                empty
```

## Extracting images

To extract the main data:
```
dd if=w25q80.bin of=w25q80_head.data bs=1 count=392
dd if=w25q80.bin of=w25q80_charging.data bs=1 skip=$((0x2800)) count=$((240*240*2))
dd if=w25q80.bin of=w25q80_flash.data bs=1 skip=$((0x1ea00)) count=$((117*62*2))
dd if=w25q80.bin of=w25q80_logo.data bs=1 skip=$((0x222ac)) count=$((240*240*2))
dd if=w25q80.bin of=w25q80_charged.data bs=1 skip=$((0x3e4ac)) count=$((162*92*2))
dd if=w25q80.bin of=w25q80_font.data bs=1 skip=$((0x4909c)) count=15960
```

They can be opened with GIMP (keep the `.data` extension!) as a 240x240 RGB565 Big Endian raw picture.
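
The memory map and `dd` offsets above, as an added example (not code from the teardown repository): it slices the RGB565 big-endian image regions out of a dump, renders one as a PPM, and writes a replacement back only when it is exactly the region's size, because the regions in the map are packed back to back. The function names and the all-`0xFF` stand-in dump are assumptions made for the illustration.

```python
#!/usr/bin/env python3
"""Extract, decode and safely patch image regions of a W25Q80 dump.

Added example: the region table is transcribed from the memory map above;
function names are illustrative and not part of the teardown repository.
"""
import struct

FLASH_SIZE = 1048576  # bytes, as reported by ch341prog

# name: (offset, width, height) of the RGB565 big-endian images in the map
REGIONS = {
    "charging": (0x02800, 240, 240),
    "flash":    (0x1EA00, 117, 62),
    "logo":     (0x222AC, 240, 240),
    "charged":  (0x3E4AC, 162, 92),
}


def region_span(name):
    """Return (start, end) byte offsets of a region, end exclusive."""
    offset, width, height = REGIONS[name]
    return offset, offset + width * height * 2


def extract(image, name):
    """Slice one region out of the dump (what the dd commands do)."""
    start, end = region_span(name)
    if end > len(image):
        raise ValueError(f"{name}: dump too short ({len(image)} bytes)")
    return image[start:end]


def rgb565be_to_rgb888(raw):
    """Expand big-endian RGB565 pixels to 8-bit-per-channel RGB bytes."""
    if len(raw) % 2:
        raise ValueError("RGB565 data must have an even length")
    out = bytearray()
    for (px,) in struct.iter_unpack(">H", raw):
        r, g, b = px >> 11, (px >> 5) & 0x3F, px & 0x1F
        # replicate the high bits so 0x1F/0x3F map to 255, not 248/252
        out += bytes(((r << 3) | (r >> 2),
                      (g << 2) | (g >> 4),
                      (b << 3) | (b >> 2)))
    return bytes(out)


def to_ppm(image, name):
    """Render a region as a binary PPM (P6) for a quick visual check."""
    _, width, height = REGIONS[name]
    header = f"P6\n{width} {height}\n255\n".encode()
    return header + rgb565be_to_rgb888(extract(image, name))


def patch_region(image, name, data):
    """Return a copy of the dump with one region replaced.

    The regions are packed back to back, so data of the wrong length would
    either leave stale pixels or overwrite the following region.
    """
    start, end = region_span(name)
    if len(image) != FLASH_SIZE:
        raise ValueError(f"dump is {len(image)} bytes, expected {FLASH_SIZE}")
    if len(data) != end - start:
        raise ValueError(f"{name}: expected {end - start} bytes, got {len(data)}")
    return image[:start] + data + image[end:]


if __name__ == "__main__":
    # Constructed stand-in for w25q80.bin: erased flash reads as 0xFF.
    dump = bytes([0xFF]) * FLASH_SIZE
    red_logo = struct.pack(">H", 0xF800) * (240 * 240)  # constructed image
    patched = patch_region(dump, "logo", red_logo)
    print(to_ppm(patched, "logo")[:15], len(patched))
```
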

## Converting images back

If you want to modify it in GIMP, export it as BMP / no color space info / 16 bit R5 G6 B5, then process it with this crude `bmp2data.py` script.

```python
#!/usr/bin/env python3

import sys

w = 240  # image width in pixels
with open(sys.argv[1], "rb") as f:
    data = f.read()
# skip BMP header (70 bytes for the export settings described above)
data = data[70:]
# swap 16b words: BMP stores them little-endian, the flash wants big-endian
dataswap = b''
for i in range(0, len(data), 2):
    dataswap += data[i+1:i+2] + data[i:i+1]
# reorder lines: BMP rows are stored bottom-up
datainv = b''
for i in range(len(dataswap) - (2*w), 0, -(2*w)):
    datainv += dataswap[i:i+(2*w)]
datainv += dataswap[:2*w]
with open(sys.argv[2], "wb") as f:
    f.write(datainv)
```
```
python3 bmp2data.py w25q80_logo_patched.bmp w25q80_logo_patched.data
```

Note that we can directly convert a PNG to the expected RGB565 with FFmpeg, but it introduces some artefacts: `ffmpeg -vcodec png -i w25q80_logo_patched.png -vcodec rawvideo -f rawvideo -pix_fmt rgb565be w25q80_logo_patched.data`

Then reconstruct the EEPROM image. Here we modified the logo image.

```
cp w25q80.bin w25q80patched.bin
dd if=w25q80_logo_patched.data of=w25q80patched.bin bs=1 seek=$((0x222ac)) conv=notrunc
```

## Flashing EEPROM

We can flash the EEPROM with our modified image. For this part I had quite some difficulty flashing it in place with a CH341A and https://github.com/setarcos/ch341prog:
```
ch341prog -e
ch341prog -w w25q80patched.bin
```
I had better success with flashrom, but still only after a few attempts:
```
/usr/sbin/flashrom -p ch341a_spi -c "W25Q80.V" -w w25q80patched.bin -V
```

--------------------------------------------------------------------------------
/w25q80/electroniccoloringbook.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/w25q80/electroniccoloringbook.png
--------------------------------------------------------------------------------
/w25q80/w25q80.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/w25q80/w25q80.bin
--------------------------------------------------------------------------------
/w25q80/w25q80_charged.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/w25q80/w25q80_charged.png
--------------------------------------------------------------------------------
/w25q80/w25q80_charging.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/w25q80/w25q80_charging.png
--------------------------------------------------------------------------------
/w25q80/w25q80_flash.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/w25q80/w25q80_flash.png
--------------------------------------------------------------------------------
/w25q80/w25q80_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/w25q80/w25q80_logo.png
--------------------------------------------------------------------------------
/w25q80/w25q80_logo_patched.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/iCopy-X-Community/icopyx-teardown/30c7d23932810d77cc4053374e594b80559ea14a/w25q80/w25q80_logo_patched.png
--------------------------------------------------------------------------------