Re: Smart watch with an MT6260

Ah wait, I need to capture a new pcap, sorry I forgot that this was from the non-working one. Also for some reason I think USBpcap groups my keyboard with the virtual com ... so hopefully there's not too much garbage there.
I've also "stumbled" across the source code for the Mediatek flashing app (older version though, with no MT6261 support) which I can probably use to see exactly what it uses to test the RAM.
I'm beginning to understand how this works ... it seems the Flasher (which is written in Borland C++ Builder 6) is using brom.dll to communicate with the target. On the target it uploads the MTKloader, which then talks directly to brom.dll. Sadly I haven't "stumbled" across the source code for brom.dll, but I think I saw some code for an old MTK loader ...

Re: Smart watch with an MT6260

OK now I seem to have gotten what's needed. I looked with Wireshark and it says the protocol is ethernet or something. I've attached 2 captures of the same thing, reading RAM:

http://speedy.sh/T9FzG/mt6261.pcap

http://speedy.sh/sApuR/mt6261-1.pcap

Re: Smart watch with an MT6260

Fantastic!

Yes, Wireshark doesn't know how to decode the USB packets, but it will happily display them.  You can decode them by hand.  Just ignore the first 27 bytes.  Bytes 24 and 25 indicate the packet size, but Wireshark already includes that.  For example, here is a packet sending a one-byte command 0xd4, numbered as packet 570 in the first pcap file you sent:

1b001050e5e600e0ffff0000000009000106000100810301000000d4

You can reassemble the program it's loading into RAM by piecing together the 1051-byte packets and stripping off the first 27 bytes.  You can follow the pcap file starting with the command 0xd7 at packet #599, and compare it to fernly-usb-loader.c's implementation of the same thing at https://github.com/xobs/fernly/blob/mas … der.c#L345

54 (edited by mforce2 2015-10-24 04:29:55)

Re: Smart watch with an MT6260

Thanks for that info. I think I get it now, I'll take a look. I think in the Mediatek app the brom.dll handles these ... maybe I can also find a way to extract some info from there ... that would be useful also.

I've finally used the USB analyzer by Eltima, which is really nice (still in trial) and presents the data in a very nice way.
Here's what I think I've found.

D7 is sent, then 4 bytes (70 00 70 00) which would be the address in big-endian format, then another 4 bytes (00 00 04 34), the size of what follows (1076 bytes), and then another 4 (00 00 01 00), maybe the signature. After that there are indeed 1024 + 56 bytes that are sent to the device.
Now comes the interesting part, because another D7 is sent followed by 10 02 00 00 (is this an address?) then 00 01 b4 a8 (109 KB?), which seems like a reasonable size for the RAM reading program, and then probably the signature, 00 00 01 00. After that it begins to send chunks of 1024 bytes from the MTK_AllInOne_DA.bin file, 108 x 1024 and then some extra stuff ... after that some other commands follow and then it all ends.

It might be because I'm using the download without battery option.

OK, I'm pretty sure I can now find those 109 KB which it sends to the device. Not sure where in there the needed address is though, but I guess I can open that with IDA.
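To make the by-hand decoding described in the two posts above repeatable (skip the USBPcap header, take the data length from the header itself, then read the address, length and signature length that follow each 0xd7), here is an added Python example. It is not xobs's pcap-parse tool or any other code from this thread. It reads a classic pcap file containing USBPcap records, keeps only bulk OUT transfers (the device's echoes and status bytes come back on IN endpoints and are dropped), concatenates them into a host-to-device byte stream and extracts every 0xd7 upload as (address, length, signature length, data). The 0xd7 framing follows the capture notes above; the sample capture at the bottom is constructed, not real traffic, and the endpoint numbers and the treatment of non-0xd7 commands are assumptions.

```python
import struct

DLT_USBPCAP = 249          # pcap link type for USBPcap captures
URB_BULK = 3               # USBPcap transfer type for bulk transfers
CMD_SEND_DA = 0xD7         # command byte that precedes a RAM upload in the captured traffic


def pcap_records(blob):
    """Yield (linktype, record_bytes) from a classic pcap file (24-byte global header,
    16-byte per-record header). Both byte orders of the magic number are handled."""
    if blob[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif blob[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", blob[20:24])[0]
    off = 24
    while off + 16 <= len(blob):
        _, _, incl_len, _ = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        yield linktype, blob[off:off + incl_len]
        off += incl_len


def usbpcap_split(rec):
    """Split one USBPcap record into (endpoint, transfer_type, payload).
    The fixed header is 27 bytes, but its first field is the real header length, so use
    that rather than a constant; endpoint/transfer sit at offsets 21/22 and the data
    length is the u32 LE at offset 23 (the "bytes 24 and 25" when counted from 1)."""
    header_len = struct.unpack_from("<H", rec, 0)[0]
    endpoint, transfer, data_len = struct.unpack_from("<BBI", rec, 21)
    return endpoint, transfer, rec[header_len:header_len + data_len]


def host_to_device_stream(blob):
    """Concatenate the payloads of bulk OUT transfers (endpoint bit 7 clear) in capture
    order. IN transfers carry the BROM's echoes and status bytes and are dropped."""
    out = bytearray()
    for linktype, rec in pcap_records(blob):
        if linktype != DLT_USBPCAP or len(rec) < 27:
            continue
        endpoint, transfer, payload = usbpcap_split(rec)
        if transfer == URB_BULK and not (endpoint & 0x80):
            out += payload
    return bytes(out)


def extract_uploads(stream):
    """Walk the host->device byte stream and return every 0xd7 upload as a dict with the
    big-endian address, length and signature length, plus the payload.
    Simplification (assumption): bytes that are not part of a complete 0xd7 block are
    skipped one at a time, so other commands are not decoded."""
    blocks, i = [], 0
    while i < len(stream):
        if stream[i] == CMD_SEND_DA and i + 13 <= len(stream):
            addr, length, sig_len = struct.unpack_from(">III", stream, i + 1)
            data = stream[i + 13:i + 13 + length]
            if len(data) == length:
                blocks.append({"addr": addr, "len": length, "sig_len": sig_len, "data": data})
                i += 13 + length
                continue
        i += 1
    return blocks


# --- constructed sample capture (not real traffic) ---------------------------------

def usbpcap_record(endpoint, payload, bus=6, device=1):
    """Build a 27-byte USBPcap header (same layout as the packet quoted above) + payload."""
    hdr = struct.pack("<HQIHBHHBBI", 27, 0x1050E5E600E0FFFF, 0, 9, 0, bus, device,
                      endpoint, URB_BULK, len(payload))
    return hdr + payload


def build_pcap(records):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_USBPCAP)
    for n, rec in enumerate(records):
        out += struct.pack("<IIII", n, 0, len(rec), len(rec)) + rec
    return out


def sample_capture():
    stage1 = bytes(range(256)) * 4 + b"\x00" * 52     # 0x434 bytes, stand-in for the first upload
    stage2 = b"\x00\xf0\x20\xe3" * 64                  # 256 ARM NOPs, stand-in for the second one
    recs = [
        usbpcap_record(0x01, b"\xd4"),                 # an earlier one-byte command from the host
        usbpcap_record(0x81, b"\xd4"),                 # its echo from the device (ignored)
        usbpcap_record(0x01, b"\xd7" + struct.pack(">III", 0x70007000, len(stage1), 0x100)),
        usbpcap_record(0x81, b"\xd7"),
        usbpcap_record(0x01, stage1[:1024]),           # 1024-byte data chunks, as in the capture
        usbpcap_record(0x01, stage1[1024:]),
        usbpcap_record(0x01, b"\xd7" + struct.pack(">III", 0x10020000, len(stage2), 0x100)),
        usbpcap_record(0x01, stage2),
    ]
    return build_pcap(recs)


if __name__ == "__main__":
    for b in extract_uploads(host_to_device_stream(sample_capture())):
        print("0xd7 -> addr 0x%08x len 0x%x sig_len 0x%x" % (b["addr"], b["len"], b["sig_len"]))
```

Point `host_to_device_stream` at the bytes of a real capture instead of `sample_capture()` and write each block's `data` to disk to get the uploaded images; on a capture from a different host or device, check the endpoint numbers first, since a keyboard sharing the capture (as mentioned above) will show up on its own endpoints and is filtered out only because it is not a bulk OUT transfer.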

55 (edited by mforce2 2015-10-25 09:01:56)

Re: Smart watch with an MT6260

I think I've found what I was looking for. This is what Flashtool sends from the MTK_AllInOne_DA.bin file (according to the USB captures):
http://speedy.sh/9BJ2f/full1.bin

I'm not sure how to get the needed address from here, but I'm looking at stuff from brom.dll right now to find some clues. I've already found out that the 'Z' or 0x5A command seems to be for the download without battery mode.

Oh and btw, not that I mind the exercise, but can this forum not ask me these questions about bits and stuff? They were fun at first but it's starting to get annoying.

And I think I might just have found it:

It says:

ROM:00004770                 ADR             R1, aEnteringComman ; "Entering command loop..."

and then

ROM:0000478A                 LDR             R0, =0x1003703C
ROM:0000478C                 LDR             R0, [R0,#4]
ROM:0000478E                 BL              sub_13F18
ROM:00004792                 MOVS            R5, R0

where sub_13F18 is just BX R0

a bit later it looks at R5 during this command loop:

ROM:0000479C                 CMP             R5, #0x51 ; 'Q'
ROM:0000479E                 BNE             loc_47C0

If I had to guess I'd say the read function address is stored at 0x1003703C + 4 (if my ARM instruction decoding is right).
I've also found that it seems like the write function address is stored at 0x1003703C + 10.

Pretty strange though, I'm not sure what's at 0x100.... On the MT6260 there's the SPI chip I think, but here that's clearly not the case; maybe the BROM is there. I keep seeing hardcoded refs to this type of address in this loader that gets uploaded via USB.

Re: Smart watch with an MT6260

It's possible that the code you're looking at is loaded at 0x10000000, not 0x0.  It's possible to change where SRAM/RAM is mapped (and by extension where SPI is mapped; they can swap places with a single bit flip), and I seem to recall that is taken care of by one of the programs it loads.  If you adjust your load offset, you should get a much better disassembly.

Re: Smart watch with an MT6260

Well I tried relocating to 0x10000000 but then it was out of range. Also I noticed it jumps to

ROM:00000014                 MOV             R1, #0x7000AFFC
ROM:00000024                 MOV             SP, R1
ROM:00000028                 BL              sub_1B8
ROM:0000002C                 LDR             R3, =0x100243E3
ROM:00000030                 BX              R3

0x100243E3 in the beginning, so I tried relocating to 0x10020000, but that didn't really yield any results that seem valid. I keep however seeing accesses to 0x1003786C and 0x100243E3 type addresses, so maybe there's some boot ROM or something there.

Re: Smart watch with an MT6260

The wireshark dump you sent sends 0x0434 bytes to address 0x00700070.  It then sends 0x0001b4a8 bytes to 0x0210.  This is probably the start of the 2bl.  After the second program is sent, it looks like all communication is with that program and not with the boot ROM anymore.

Shortly before the first program is written, the program sends write32(0xa0510000, 1), which updates the PSRAM mapping.  I'm not sure what it's updating it /with/.

So try setting your offset to 0x0210 and seeing if that doesn't help at all.

Re: Smart watch with an MT6260

Thanks, yes it uploads a program, the one I attached above, and then all communication is with that one.

60 (edited by mforce2 2015-10-28 05:56:55)

Re: Smart watch with an MT6260

By loading at 0x10020000 I've found what seems to be some sort of writechar (write to host):

ROM:10026BC2                 LDR             R1, =dword_1003703C
ROM:10026BC4                 MOVS            R0, #0xA5
ROM:10026BC6                 LDR             R1, [R1,#(dword_1003704C - 0x1003703C)]

ROM:1003704C dword_1003704C  DCD 0xF993F001          ; DATA XREF: sub_1002369A+1E6r

I'm going to try to do a jump to 0xF993F001 (after setting R0), it looks like it could be something valid.
Yeah, just found the NOR testing routine, which outputs 0x69 (wrong NOR signature) and 0x5A (NOR signature match), and that seems to set R0 to the char and then jump to 0xF993F001.

I tried running this however:

    .text
    .global _start
_start:
disable_interrupts:
    mrs     r0, cpsr            @ read the current program status register
    mov     r1, #0xc0           @ I and F bits: mask IRQ and FIQ
    orr     r0, r0, r1
    msr     cpsr_cxsf, r0

relocate_stack:
    ldr     r0, =0x7000affc     @ stack_start: same top-of-SRAM value the stock loader puts in SP
    mov     sp, r0

print_test:
    movs    r0, #0x69           @ byte to send: the "wrong NOR signature" code seen in the loader
    ldr     r1, =0xF993F001     @ word read from the table entry at 0x1003704C
    bx      r1                  @ bit 0 is set, so this branches into Thumb state at that address

with the loader doing this:

    cmd_begin("Executing Fernly USB loader");
    ASSERT(fernvale_cmd_jump(serfd, FERNLY_USB_LOADER_ADDR));
    cmd_end();

    cmd_begin("Reading 1 byte response");
    uint8_t byteRec = fernvale_get_int8(serfd);
    printf("received %c\n", byteRec);

but it just got stuck, I received nothing from the USB .... It's a pity that all the loader debugging is disabled in the loaded code too.
Maybe I did something wrong (my ARM asm is crappy) or I missed something, or maybe there's a driver needed ... I saw some mentions of a driver in the code ...
Do you have the loaded code for the MT6260? Maybe looking at that and comparing will result in some similarities so I can figure out how this works on the MT6261 ....
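Before branching to a word lifted out of a table, as the assembly above does with 0xF993F001, a couple of mechanical checks are worth running on the candidate: is bit 0 set (a Thumb entry point), does it fall inside any memory the captures show being populated, and do its two halfwords happen to decode as a classic Thumb BL pair (in which case the word may be an instruction rather than a pointer; what that means for this particular loader is not settled in the thread). The following Python is an added example, not code from the thread or from fernly; the region bounds are assumptions taken from the captures discussed above (a stage at 0x70007000 with the stack top at 0x7000affc, and a 0x1b4a8-byte stage at 0x10020000).

```python
# Assumed memory regions, derived from the uploads seen in the captures (not from a datasheet).
REGIONS = {
    "sram":   (0x70007000, 0x7000B000),
    "loader": (0x10020000, 0x10020000 + 0x1B4A8),
}


def region_of(addr, regions=REGIONS):
    """Name of the known region containing addr (with the Thumb bit cleared), or None."""
    a = addr & ~1
    for name, (lo, hi) in regions.items():
        if lo <= a < hi:
            return name
    return None


def thumb_bl_pair(word_le):
    """Interpret a 32-bit little-endian word as two consecutive Thumb halfwords and
    return the signed byte offset if they form a classic (ARMv4T/v5) BL pair:
    first halfword 11110:imm11(hi), second halfword 11111:imm11(lo). Otherwise None."""
    first = word_le & 0xFFFF
    second = (word_le >> 16) & 0xFFFF
    if (first >> 11) != 0b11110 or (second >> 11) != 0b11111:
        return None
    off = ((first & 0x7FF) << 12) | ((second & 0x7FF) << 1)
    if off & (1 << 22):              # sign-extend the 23-bit offset
        off -= 1 << 23
    return off


def classify(value, word_addr=None, regions=REGIONS):
    """Describe what a candidate 'function pointer' looks like. word_addr is where the
    word was read from; it is needed for the BL target because Thumb BL is PC-relative
    (target = address of the first halfword + 4 + offset)."""
    off = thumb_bl_pair(value)
    return {
        "mode": "thumb" if value & 1 else "arm",
        "region": region_of(value, regions),
        "is_bl_pair": off is not None,
        "bl_target": (word_addr + 4 + off) if (off is not None and word_addr is not None) else None,
    }


if __name__ == "__main__":
    # The two values quoted from the disassembly in this thread.
    for value, at in ((0x100243E3, None), (0xF993F001, 0x1003704C)):
        print("0x%08x -> %s" % (value, classify(value, at)))
```

For 0x100243E3 the check reports a Thumb address inside the assumed loader image and no BL encoding, which is what a plausible entry point looks like; for 0xF993F001 it reports an address outside every known region whose halfwords do decode as a BL pair. Either way the check costs nothing compared with a hung target, and the region table is the first thing to update when a new capture shows another upload.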

Re: Smart watch with an MT6260

One thing you can try right off the bat is sending "1e ff 2f e1", which is just the opcode "bx lr".  If that works, you should get a response.  Or at least be able to send more data.

I added a program to parse some of the pcap file, at least enough to extract the 0xd7 command files and write them out to disk.  That should give you something interesting to look at.

It's up at https://github.com/xobs/fernly/tree/master/pcap-parse along with your pcap file.

Re: Smart watch with an MT6260

Thank you very much, this should really help.

Any chance you can somehow get these datasheets? I've tried really hard to get them but for some reason I just can't ... maybe you can do it or you know someone who can:

http://www.16rd.com/forum.php?mod=viewt … ght=mt6261

http://www.16rd.com/forum.php?mod=viewt … ght=mt6261

I think they'd help a lot.

Re: Smart watch with an MT6260

Those require "rd credits", which you get either by buying them, or by uploading other manuals.  This is a common technique to make money for the people running those sites, and to encourage people to upload files.  Kind of like Stackexchange, I suppose.

The good news is that they're out there somewhere, you just have to be tenacious enough to look for them.

64 (edited by mforce2 2015-10-30 20:01:45)

Re: Smart watch with an MT6260

Well I did respond to those posts and I got some RD credits (I think I did at least?) but it still didn't work ... I'd pay for them damn it, but I'm not sure how and I have no Chinese connections.
I looked everywhere for these (using those names and others) but so far I couldn't find anything.
I dunno, if someone wants to make $10 or something I'd pay for these. I guess I'll advertise this somewhere.

Later edit:

Posted the job on upwork and here are the files that a Chinese guy got for me:

https://drive.google.com/folderview?id= … sp=sharing

Re: Smart watch with an MT6260

mforce2 wrote:

Well I did respond to those posts and I got some RD credits (I think I did at least?) but it still didn't work ... I'd pay for them damn it, but I'm not sure how and I have no Chinese connections.
I looked everywhere for these (using those names and others) but so far I couldn't find anything.
I dunno, if someone wants to make $10 or something I'd pay for these. I guess I'll advertise this somewhere.

Later edit:

Posted the job on upwork and here are the files that a Chinese guy got for me:

https://drive.google.com/folderview?id= … sp=sharing

Good job!

66 (edited by mforce2 2015-10-31 06:31:07)

Re: Smart watch with an MT6260

It seems the MT6261A has just 4 MB of RAM embedded, while the MT6261DA and MT6261M both have 4 MB of RAM and 4 MB of (NOR) flash.
I'm a little disappointed to not find a clear memory map in these datasheets... but I guess at least for some addresses we should know the meaning now.
It also seems there are other documents that complement these datasheets, which sadly I've not found anywhere so far.

Re: Smart watch with an MT6260

xobs wrote:

Those require "rd credits", which you get either by buying them, or by uploading other manuals.  This is a common technique to make money for the people running those sites, and to encourage people to upload files.

Not really. That's an attempt to spur community collaboration and keep leeches away, because indeed, to get credit you don't need to buy it, just participate in discussions. Of course, the folks who set that stuff up are poor psychologists and knowers of human nature (no wonder; they are young geeks, see how the 16rd forum for example, besides tech sections, has a section with photos of young Chinese ladies (fully clad, for the cynics among us)). So the effects are the opposite: 16rd is a vivid leech galore, drowning in nonsense "me too" posts to get credit, and folks constantly reuploading the same old docs under new names again and again for the same reason.

The only question is why such sites are popular in China, while they're a visible deterioration of the "community" idea (that's why it's not popular in the Western world, at least not in such a vulgar form). Perhaps Bunnie could make a blog post on that ;-).

68 (edited by pfalcon 2016-07-10 20:00:27)

Re: Smart watch with an MT6260

mforce2 wrote:

I'm a little disappointed to not find a clear memory map in these datasheets...

Really? It seems that you have not been too long in the "reading Chinese datasheets" business ;-). Indeed, "publicly available" (in the gongkai sense) datasheets are usually not worth those $10, and while giving some insight, are very far from allowing the reader to do anything useful with a chip.


It also seems there are other documents that complement these datasheets which sadly I've not found anywhere so far.

Yep, but bosses apparently don't let them into the hands of young altruistic engineers who then post them on forums.

It seems the MT6261A has just 4 MB of RAM embedded while the MT6261DA and MT6261M have both 4 MB of RAM and 4 MB of ( NOR ) flash.

Well, I have good news for you (I hope it's still news, even though it's pretty old): https://github.com/Seeed-Studio/LinkIt- … load_Agent

There can be 2 explanations why "6261" is written there:

1. Pretty extreme sloppiness (even accounting for Western bias - it's well known that Chinese folks aren't sloppy, they just do things differently). Like, instead of writing "2502" there, they wrote other random digits, which also happened to match name of their other MCU.

2. MT6261 is actually closer sibling of MT2501/MT2502, than MT6260.

My bet is on point 2. And that's good news, because the MT250x both have more stuff available and are a current product, with the MT6260 already being pretty much legacy.

Re: Smart watch with an MT6260

So, over the summer, I monitored the fernvale project on github, and it barely got 2 new stars over this time, which is pretty sad, and I thought the project was essentially dead, so I even skipped checking the forum.

I'm glad people are still trying to hack "RTOS"-based Mediatek devices, that's good news. Bad news is that there's essentially one new guy, and when he gives up on it too, there will be no one again. Other good news is that xobs replies here; seeing no commits on github, I thought he's too busy with Novena anyway.

So, seeing all those bright things, I got motivated to put aside my other stuff for a couple of hours and do some rants here (which I already started, per the messages above). So:

1. The mention of the Mediatek Download Agent (DA) in this thread reminded me of a question I wanted to ask xobs before, but was too shy to: don't you think that one of the ways to ensure that fernly actually does something useful and is not lost in the sands of time is to turn it in the direction of a universal bootloader/flasher for any Mediatek chip? The first step in that direction would be to take control of the DAs as provided by Mediatek. Yes, that won't be a completely open-source solution, but it will be the solution which scales. And just to clarify what exactly I mean: there seem to be people who're eager to run just anything through IDA. Perhaps giving them direction would help, like telling them that it's actually interesting and important to understand how to extract, load, run, and communicate with an existing DA.

2. While I think that hacking the DA is actually more beneficial than anything else, trying to boot fernly directly on the MT6261 isn't bad either, per my previous message, as it makes a path towards supporting the MT250x, without which the project is already dead.

3. And the last shy question: did you guys order a RePhone? It's of course very far from a really open system. But they promise the ability to install and run multiple user apps. That's far more than any other MT626x/MT250x platform offers (well, I mentioned that Simcom modules allow installing/running custom code). And you can hack from 2 sides, from the low level and the high level.

Re: Smart watch with an MT6260

Per datasheets, one of the differences between MT6260 and MT6261 is that the latter lacks GPT3 timer:

"Note: GPT3 is removed for achieving lower cost."

Re: Smart watch with an MT6260

Yes, but the rest seems to be pretty much there. From what I can see even the addresses for registers are the same, so a USB driver for the MT6260 should work on the MT6261, at least I think it could.
This got me thinking. I've been trying hard to get the built-in ROM addresses for the print to USB and read from USB functions, but what if in the case of the MT6261 this isn't how it works anymore?
I've seen that the loader has some strings mentioning a USB driver, so maybe the loader has the USB driver and the print to USB / read from USB functions, and these aren't in the boot ROM anymore.
I'm sure 0x70007000 is the built-in SRAM, which is probably initialized by the boot ROM, but after that it seems this small piece of code initializes the built-in RAM (located at 0x02100000 or something like that). The small piece of code in the SRAM just initializes the built-in RAM, after which the larger code in the built-in RAM deals with the NAND, NOR and USB ... it receives commands from the host (brom.dll) and executes them.

Re: Smart watch with an MT6260

mforce2 wrote:

This got me thinking, I've been trying hard to get the buit-in ROM adresses for print to USB, read from USB functions but what if in the case of the MT6261 this isn't how it works anymore ?

I actually tried to see where Bunnie/xobs could have gotten those addresses from for the MT6260, and I couldn't find them anywhere in the MT6260 DA.

All in all, I'd bet on the following process: learn how to use the MTK DA (load it, run it, communicate with it), then try to use it to dump the boot ROM.


it receives commands from the host ( brom.dll ) and executes them.

Mind the link I gave above: there's no brom.dll and other crap for the LinkIt ONE, it's all much simpler, with a single ~100K executable. If you think about reversing it, that would be simpler. Of course, you may need to have a LinkIt ONE to see it running first.

Re: Smart watch with an MT6260

I actually tried to see where Bunnie/xobs could have gotten those addresses from for the MT6260, and I couldn't find them anywhere in the MT6260 DA.

All in all, I'd bet on the following process: learn how to use the MTK DA (load it, run it, communicate with it), then try to use it to dump the boot ROM.

Well, while looking at the DA from my flash tools I noticed that there are quite a few debug messages. Sadly these are all sent to a function that just returns (BX LR). I think depending on how this is compiled that function might contain a printf or something, but there's probably an ifdef ... I'll check if I can find another flash tool ....

Mind the link I gave above: there's no brom.dll and other crap for the LinkIt ONE, it's all much simpler, with a single ~100K executable. If you think about reversing it, that would be simpler. Of course, you may need to have a LinkIt ONE to see it running first.

Well, brom.dll is quite nice actually, it's pretty easy to debug using IDA and it has comments for what it does ... like sending a command for ... or stuff like that.
I kind of know how to load the DA and communicate with it, but the DA won't dump anything other than the flash I think. It does some address bound checking I think ... maybe if I hacked that ... but I need to find where the DA does that. I also don't really know where the boot ROM is (the address) on the MT6261.

Re: Smart watch with an MT6260

mforce2 wrote:

I kind of know how to load the DA and communicate with it

If you know how to use it, please describe it (in a separate topic here, somewhere on the wiki, ...), so others can go on from there and there is a chance to actually make some progress on all this stuff.

Re: Smart watch with an MT6260

I will .... Though I doubt it's of any use to people with that limit on dumping only things from the Flash.