Topic: MTK firmware jargon: VIVA, ALICE - what are they?

Typical MT62xx/MT25x firmware as shipped consists of 4 parts: initial bootloader, ExtBootloader, ROM, and VIVA. This can be easily seen e.g. in LinkIt ONE firmware: https://github.com/Seeed-Studio/LinkIt- … ONE/1.0.42 . There's also ALICE, but it doesn't seem to be a top-level firmware component according to the scatter flash file, SEEED02A_DEMO_BB.cfg. Instead, if you grep LinkIt ONE firmware, you'll see it's included in VIVA. If you grep other firmwares, you may find it included in ROM instead.

So, initial and ext bootloader are more or less known, thanks to existing Fernvale work. But what are ROM, VIVA, ALICE?

2 (edited by pfalcon 2015-04-04 06:56:53)

Re: MTK firmware jargon: VIVA, ALICE - what are they?

"GFH" can be added to the list too.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

GFH is the name of the header format.  I initially called it the "Delicious" format, because it has the magic sequence "MMM" all over the place, but I think internally it's called GFH.  You can find some descriptions of the header in various versions of U-Boot, but the struct more-or-less is defined at https://github.com/xobs/fernly/blob/mas … ader.c#L62

I'm not sure about ROM, VIVA, or ALICE.  I'm guessing ALICE is their codename for the Nucleus port of Arduino.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

Yes, GFH is "general file header". fernly-usb-loader.c indeed contains those structures, but they aren't commented even with signature values, so don't stick to memory - patch is coming.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

Ok, looking at the particular firmware, VIVA consists of: ZIMAGE, DCM (dynamic code management), and ALICE. All of these files are LZMA-compressed. Thus, VIVA appears to be just name of partition which contains compressed code, which is uncompressed into RAM to be run. On the other hand, ROM partition is not compressed and (apparently) executed in place from flash. Of course, execution from flash is slower, which warrants existence of mechanism to execute subset of code from RAM.

Partitioning between ZIMAGE and ALICE is unclear so far, but as mentioned above, quite a few firmwares don't have ZIMAGE, so it's optional. Indeed, the config from the Wiko code mentioned in the other thread says:

ZIMAGE_SUPPORT = FALSE
  # Description:
  #   Please refer to CR MAUI_02832638 which was applied to 10AW1041OFD_53EL_SLIM
  # Option Values:
  #   TRUE: Enable code compression to utilize the free RAM space and save ROM space
  #   FALSE: Disable code compression mechanism

Re: MTK firmware jargon: VIVA, ALICE - what are they?

The MT6260 appears to have an XIP-decompression engine, so some LZMA-compressed code may actually be run XIP.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

xobs wrote:

The MT6260 appears to have an XIP-decompression engine, so some LZMA-compressed code may actually be run XIP.

Interesting. Do you have a reference to "XIP-decompression engine" in MT6260, or anything like that existing for LZ compression at all? Techniques for XIP of Huffman-compressed code are known and were used in >1 (research?) VMs. But Lempel-Ziv? How would that work at all? Break code in reasonably sized chunks, decompress that chunk to a cache, allow local jumps within that chunk, and on any outside jump go stop-the-world until another chunk is decompressed? Or maybe compress just basic blocks? Doing something like that and measuring how that sucks would be an interesting topic for a thesis, but Google says nobody did that.

So, unless proven otherwise, let's keep assuming that MT6260 has "LZMA decompression engine", which has nothing to do with XIP, and just decompresses one memory chunk into another.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

You're correct.  It looks like it's not in-place.  I was mistaken.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

Does someone know how to reach the LZMA decompression engine in the MTK6260?

Does someone know if the MTK6260 has a DES or 3DES engine built in?

Kind regards.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

I think we answered this via email, but it does not have a DES engine.  The ROM checks a byte to determine the type of hash to use.  If it's 0, it doesn't use a hash.  For 1, I believe RSA is used.  2 means SHA256.

I'm not sure how to use the LZMA decompression engine, either.

11 (edited by kaiserb 2015-06-09 00:58:12)

Re: MTK firmware jargon: VIVA, ALICE - what are they?

There is a rumor that these MTK MCUs (MT6250, MT6260 ...) have a built-in symmetric encrypting / decrypting algorithm.

Maybe someone knows more about that?

Has someone decompressed a VIVA image, for example?

Regards.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

The crypto algorithms are at least MD5, RC4 and SHA1
The header files can be found here:
https://mtktest.googlecode.com/svn/trun … ngine/che/

13 (edited by kaiserb 2015-06-09 18:36:31)

Re: MTK firmware jargon: VIVA, ALICE - what are they?

Thanks for the info, but I'm asking about symmetric-key algorithms, realized in MCU hardware.

Kind regards.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

kaiserb wrote:

Thanks for the info, but I'm asking about symmetric-key algorithms, realized in MCU hardware.

Perhaps you either should tell why you're interested, hoping to spark an interest in others, or just look in the source, like everyone else does when they want to know but are too busy to elaborate why.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

pfalcon wrote:

Perhaps you either should tell why you're interested, hoping to spark an interest in others, or just look in the source, like everyone else does when they want to know but are too busy to elaborate why.

Well, I have a phone, based on MT6250 chipset. And it looks similar to MT6260.

It has ROM, VIVA (and ALICE) , but also has SECURE_RO_ME (some fundamental configuration region).

############################################################################################################
#
#  Control Block Region Setting
#
############################################################################################################         

control_block_region:
  rom:
    - file: SECURE_RO_ME

This region is encrypted. From my experience it's encrypted in blocks of 8 bytes and looks like DES or 3DES. But I haven't found any references to it in the firmware. In some other forums I read that decryption is done by the MCU.

That's why I asked if someone has more info.


Kind regards.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

Ok, that reminds me that I had some unpushed memory map changes, now submitted: https://github.com/xobs/fernly/pull/27/files

And yes, the MT62xx line has a hw crypto engine; capabilities vary model by model, but generally DES, 3DES, and AES are among the supported algos.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

pfalcon wrote:

Ok, that reminds me that I had some unpushed memory map changes, now submitted: https://github.com/xobs/fernly/pull/27/files

And yes, the MT62xx line has a hw crypto engine; capabilities vary model by model, but generally DES, 3DES, and AES are among the supported algos.


Thank you.

Regards.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

I was trying to decompress VIVA from https://github.com/Seeed-Studio/LinkIt-ONE-IDE/tree/master/hardware/tools/mtk/firmware/LinkIt_ONE/1.0.42, using 7-Zip, but without success.

Did someone manage to decompress it?


Regards.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

You of course can't take the entire VIVA, feed it to 7zip and expect it to be decompressed. You need to extract a proper LZMA stream first (it has a signature of 0x5c or something - don't trust me, double-check).

But then, there's another gotcha - LZMA as used by MTK appears to be a hacked-up version. I saw streams which, being run thru 7z: a) decompress correctly; b) decompress without errors, but not matching the original content; c) error out during decompression.
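A small stream scanner, added here as an example (not code from anyone in the thread or from the fernly project), that illustrates the two gotchas above: it walks a blob looking for plausible LZMA-alone headers (1 properties byte, u32 LE dictionary size, u64 LE uncompressed size; the usual properties byte is 0x5d for lc=3/lp=0/pb=2, presumably the "0x5c or something" recalled above), feeds each candidate to liblzma and classifies the result as clean, truncated or error. Case b), a stream that decodes without error to the wrong content, cannot be told apart automatically without the original, so the decoded bytes still have to be judged by eye. The image below is a constructed sample, not a real VIVA.

```python
import lzma
import struct
from dataclasses import dataclass

# Constructed sample "image": padding that can never match a header, one
# LZMA-alone stream (as 7z/xz would write it), then more padding.
PAYLOAD = b"ARM code goes here " * 40
SAMPLE_IMAGE = (b"\xff" * 32
                + lzma.compress(PAYLOAD, format=lzma.FORMAT_ALONE)
                + b"\xff" * 16)

HEADER_LEN = 13                      # props(1) + dict_size(4) + usize(8)
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF    # "size unknown, end marker follows"
MAX_DICT = 64 << 20                  # sanity bounds for a 4 MB flash part
MAX_UNCOMPRESSED = 64 << 20


def looks_like_lzma_header(buf: bytes, off: int) -> bool:
    """Cheap pre-filter: does buf[off:off+13] look like an LZMA-alone header?"""
    if off + HEADER_LEN > len(buf):
        return False
    props = buf[off]
    dict_size, usize = struct.unpack_from("<IQ", buf, off + 1)
    # props = (pb * 5 + lp) * 9 + lc with pb <= 4, lp <= 4, lc <= 8, so < 225
    if props >= 225:
        return False
    if not 4096 <= dict_size <= MAX_DICT:
        return False
    return usize == UNKNOWN_SIZE or usize <= MAX_UNCOMPRESSED


@dataclass
class Candidate:
    offset: int
    status: str        # "ok" (end marker/size reached), "truncated" or "error"
    data: bytes        # decoded output; for "ok" it still needs a manual check
    stream_len: int    # compressed bytes consumed, 0 when unknown


def try_decompress(buf: bytes, off: int) -> Candidate:
    """Decode one candidate stream and report how liblzma reacted to it."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    try:
        out = dec.decompress(buf[off:])
    except lzma.LZMAError:
        return Candidate(off, "error", b"", 0)       # case c) above
    if not dec.eof:
        return Candidate(off, "truncated", out, 0)  # ran out of input
    consumed = len(buf) - off - len(dec.unused_data)
    return Candidate(off, "ok", out, consumed)      # case a) or b)


def scan_image(buf: bytes) -> list[Candidate]:
    """Return every header-shaped offset with the outcome of decoding it."""
    results, off = [], 0
    while off + HEADER_LEN <= len(buf):
        if looks_like_lzma_header(buf, off):
            cand = try_decompress(buf, off)
            results.append(cand)
            if cand.status == "ok":
                off += cand.stream_len   # skip the stream we just recovered
                continue
        off += 1
    return results
```

Run `scan_image` over a dumped VIVA partition and compare each "ok" candidate's `data` against what you expect (ARM Thumb code, strings); a stream that decodes cleanly but looks like noise is pfalcon's case b).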

Re: MTK firmware jargon: VIVA, ALICE - what are they?

Coming back to this topic half-year later, I decided to put my speculations on MTK image formats on wiki: https://github.com/mtek-hack-hack/docs/ … ageFormats

Take with a grain of salt. Do your own research and point to the errors.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

New link to old repo.

https://github.com/honda-kazuhisa/LinkI … ONE/1.0.34

Re: MTK firmware jargon: VIVA, ALICE - what are they?

xobs wrote:

I think we answered this via email, but it does not have a DES engine.  The ROM checks a byte to determine the type of hash to use.  If it's 0, it doesn't use a hash.  For 1, I believe RSA is used.  2 means SHA256.

I'm not sure how to use the LZMA decompression engine, either.

LZMA decoder is simple. But PPMd decoder is complex. LZMA2 is better than LZMA. LZMA2 compression does not replace (supersede) LZMA compression, but LZMA2 is merely an additional "wrapper" around LZMA. With LZMA2, data is split into blocks, but each block is still compressed by "normal" LZMA. Because individual blocks are compressed separately, processing the blocks can be parallelized, which allows for multi-threading. LZMA2 also allows "uncompressed" blocks, to better deal with "already compressed" inputs.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

I'm trying to unpack a VIVA image for an MT6261. I have dumped the flash (4MB) using flashrom and fernly, and have also dumped the internal ROM (~34KB).

Has anyone successfully unpacked a VIVA image? I am trying to find out where the decompression code might be by disassembling the flash images and internal ROM. I have read in other forums (I think it was gsmhosting or xda-dev) that the VIVA is LZMA compressed with a proprietary train file (not sure what that means exactly). Some have claimed to have unpacked VIVAs but, for whatever reason, are not open to sharing their code.

If anyone has any pointers it would be greatly appreciated!

24

Re: MTK firmware jargon: VIVA, ALICE - what are they?

@donnm

VIVA contains ZIMAGE_ER and ZIMAGE_ER is decompressed and compressed with trained LZMA.
To decompress and compress ZIMAGE_ER you have to find the so called train file.

The first thing to do is to decompress ALICE!!!!
ALICE is decompressed by the MCU with an unknown decompression algo.

Can you send me the flashrom and internal ROM?

oxa@gmx.de

Regards
OXA

Re: MTK firmware jargon: VIVA, ALICE - what are they?

I've started hacking up an unpacker for ALICE_2 along with some other tools for reading information from Mediatek firmware blobs:

https://github.com/donnm/mtk_fw_tools