MTK firmware jargon: VIVA, ALICE - what are they? (Page 1 of 2)

GFH is the name of the header format.  I initially called it the "Delicious" format, because it has the magic sequence "MMM" all over the place, but I think internally it's called GFH.  You can find some descriptions of the header in various versions of U-Boot, but the struct more-or-less is defined at https://github.com/xobs/fernly/blob/mas … ader.c#L62

I'm not sure about ROM, VIVA, or ALICE.  I'm guessing ALICE is their codename for the Nucleus port of Arduino.

Ok, looking at the particular firmware, VIVA consists of: ZIMAGE, DCM (dynamic code management), and ALICE. All of these files are LZMA-compressed. Thus, VIVA appears to be just name of partition which contains compressed code, which is uncompressed into RAM to be run. On the other hand, ROM partition is not compressed and (apparently) executed in place from flash. Of course, execution from flash is slower, which warrants existence of mechanism to execute subset of code from RAM.

Partitioning between ZIMAGE and ALICE is unclear so far, but as mentioned above, quite a few firmwares don't have ZIMAGE, so it's optional. Indeed, config from Wiko code mentioned in teh otehr thread says:

ZIMAGE_SUPPORT = FALSE
  # Description:
  #   Please refer to CR MAUI_02832638 which was applied to 10AW1041OFD_53EL_SLIM
  # Option Values:
  #   TRUE: Enable code compression to utilize the free RAM space and save ROM space
  #   FALSE: Disable code compression mechanism

Interesting. Do you have a reference to "XIP-decompression engine" in MT6260, or anything like that existing for LZ compression at all? Techniques for XIP of Huffman-compressed code are known and were used in >1 (research?) VMs. But Lempel-Ziv? How would that work at all? Break code in reasonably sized chunks, decompress that chunk to a cache, allow local jumps within that chunk, and on any outside jump go stop-the-world until another chunk is decompressed? Or maybe compress just basic blocks? Doing something like that and measuring how that sucks would be an interesting topic for a thesis, but Google says nobody did that.

So, unless proven otherwise, let's keep assuming that MT6260 has "LZMA decompression engine", which has nothing to do with XIP, and just decompresses one memory chunk into another.

Does someone know how to rich LZMA decompression engine in MTK6260 ?

Does someone know if MTK6260 has DES or 3DES engine built in ?

Kind regards.

There is a rumor, that these MTK MCU's ( MT6250, MT6260 ...) have built-in symmetric  encrypting / decrypting algorithm.

May be someone know more about that?

Does someone decompressed VIVA image f.e?

Regards.

Thanks for the info, but I'm asking about  symmetric-key algorithms, realized in MCU hardware.

Kind regards.

Well, I have a phone, based on MT6250 chipset. And it looks similar to MT6260.

It has ROM, VIVA (and ALICE) , but also has SECURE_RO_ME (some fundamental configuration region).

############################################################################################################
#
#  Control Block Region Setting
#
############################################################################################################         

control_block_region:
  rom:
    - file: SECURE_RO_ME

This region is encrypted. From my experience it's encrypted by blocks of 8 bytes and looks like DES or 3DES. But I haven't find any references to it in firmware.  In some other forums I read, that decryption is done by MCU.

That's why I asked if someone have more info.

Kind regards.

Thank you.

Regards.

You of course can't take entire VIVA feed it to 7zip and expect it to be decompressed. You need extract a proper LZMA stream first (it has signature of 0x5c or something - don't trust me, double-check).

But then, there's another gotcha - LZMA as used by MTK appears to be hacked-up version. I saw streams which, being run thru 7z: a) decompress correctly; b) decompress without errors, but not matching original content; c) error out during decompression.

New link to old repo.

https://github.com/honda-kazuhisa/LinkI … ONE/1.0.34

I'm trying to unpack a VIVA image for an MT6261. I have dumped the flash (4MB) using flashrom and fernly, and have also dumped the internal ROM (~34KB).

Has anyone successfully unpacked a VIVA image? I am trying to find out where the decompression code might be by disassembling the flash images and internal ROM. I have read in other forums (I think it was gsmhosting or xda-dev) that the VIVA is LZMA compressed with a proprietary train file (not sure what that means exactly) some have claimed to have unpacked VIVAs, but for whatever reason are not open to sharing their code.

If anyone has any pointers it would be greatly appreciated!