1

(15 replies, posted in Firmware)

kaiserb wrote:

It seems, that MT625A is more secured - it needs authentication file (0xE2 command) and 0x80 bytes RSA signature, generated from 0x10 bytes response of 0xE3 command.


And the next bad thing - loaders must be signed too.

For now I can't experiment with custom loader.

2

(15 replies, posted in Firmware)

It seems, that MT625A is more secured - it needs authentication file (0xE2 command) and 0x80 bytes RSA signature, generated from 0x10 bytes response of 0xE3 command.

3

(15 replies, posted in Firmware)

Today I managed to run all on Ubuntu.

Unfortunately first loader wasn't loaded:

:/home/projects/ferny/fernly# ./build/fernly-usb-loader -s /dev/fernvale ./build/usb-loader.bin ./build/firmware.bin
Setting serial port parameters... Ok
Initiating communication... Ok
Getting hardware version... 0xca01
Getting chip ID... 0x625a
Getting boot config (low)... 0x0000
Getting boot config (high)... 0x0000
Getting hardware subcode... 0x8000
Getting hardware version (again)... 0xca01
Getting chip firmware version... 0x0001
Getting security version... v 5
Enabling security (?!)... Ok
Reading ME... 00000000 5a c2 9e 20 c9 5d 9c 31  24 e4 fb e3 8e dd b5 b3  |Z.. .].1$.......|
Disabling WDT... Ok
Reading RTC Baseband Power Up (0xa0710000)... 0x0001
Reading RTC Power Key 1 (0xa0710050)... 0xa357
Reading RTC Power Key 2 (0xa0710054)... 0x67d2
Setting seconds... Ok
Disabling alarm IRQs... Ok
Disabling RTC IRQ interval... Ok
Enabling transfers from core to RTC... Ok
Reading RTC Baseband Power Up (0xa0710000)... 0x0001
Getting security configuration... Unable to read from Sec Conf buffer: Success
Getting PSRAM mapping... 0x0000
Disabling PSRAM -> ROM remapping... Ok
Checking PSRAM mapping... 0x0002
Checking on PSRAM mapping again... 0x0002
Updating PSRAM mapping again for some reason... Ok
Reading some fuses... 0x00000007
Enabling UART... 0x0000
Loading Fernly USB loader... !! First response is 0x1d0d, not 0 !!

I tried several times and the result is the same.
What could be the reason ?

Kind regards.

I was trying to decompress VIVA from https://github.com/Seeed-Studio/LinkIt-ONE-
IDE/tree/master/hardware/tools/mtk/firmware/LinkIt_ONE/1.0.42, using 7-Zip, but without success.

Did someone manage to decompress it ?


Regards.

5

(15 replies, posted in Firmware)

haiqu wrote:

You'd have to build it under the Cygwin environment. Big and complex to set up.

Hi, if someone can share loaders as binary files, will be enough.

Regards.

pfalcon wrote:

Ok, that reminds me that I had some unpushed memory map changes, now submitted: https://github.com/xobs/fernly/pull/27/files

And yes, MT62xx line has hw crypto engine, capabilities vary model by model, but generally DES, 3DES, and AES are among supported algos.


Thank you.

Regards.

7

(15 replies, posted in Firmware)

Hi,

does it exist version for Windows users?

At least usb-loader.bin and firmware.bin?

Kind regards.

8

(6 replies, posted in Hardware)

Where I can buy Fernvale board?

Regards.

pfalcon wrote:

Perhaps you either should tell why you're interested, hoping to spark an interest in others, or just look in the source, like everyone else does when they want to know, but too busy to elaborate why.

Well, I have a phone, based on MT6250 chipset. And it looks similar to MT6260.

It has ROM, VIVA (and ALICE) , but also has SECURE_RO_ME (some fundamental configuration region).

############################################################################################################
#
#  Control Block Region Setting
#
############################################################################################################         

control_block_region:
  rom:
    - file: SECURE_RO_ME

This region is encrypted. From my experience it's encrypted by blocks of 8 bytes and looks like DES or 3DES. But I haven't find any references to it in firmware.  In some other forums I read, that decryption is done by MCU.

That's why I asked if someone have more info.


Kind regards.

Thanks for the info, but I'm asking about  symmetric-key algorithms, realized in MCU hardware.

Kind regards.

There is a rumor, that these MTK MCU's ( MT6250, MT6260 ...) have built-in symmetric  encrypting / decrypting algorithm.

May be someone know more about that?

Does someone decompressed VIVA image f.e?

Regards.

Does someone know how to rich LZMA decompression engine in MTK6260 ?

Does someone know if MTK6260 has DES or 3DES engine built in ?

Kind regards.