26 (edited by pfalcon 2017-12-02 21:55:20)

Re: MTK firmware jargon: VIVA, ALICE - what are they?

Sounds cool. I definitely wrote some dump tools too, but apparently I didn't push them to public git. Something available is at https://github.com/mtek-hack-hack/mtk-open-tools (but that deals with parsing download agent bundles, it seems).

P.S. Whenever possible, I'd suggest writing such tools in Python; that makes hacking on them much easier.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

I agree Python would be better, but I'm reversing from assembly and C is easiest for this at the moment.

PS if anyone knows what compression algorithm (or variant) we're dealing with here (ALICE_2), speak up and save me some time!

28 (edited by pfalcon 2017-12-03 04:47:20)

Re: MTK firmware jargon: VIVA, ALICE - what are they?

Btw, lately I stumbled upon the image below. It's due to Mi81 from 4pda.ru. Some writings are in Russian. I don't think it would be of much use in general, but maybe could give some hints/ideas. (He did not decompress the stuff btw.)

https://i.imgur.com/i7s9Xvy.jpg

Re: MTK firmware jargon: VIVA, ALICE - what are they?

Btw, I hope everyone knows about some "romdz09" tool written in Java, it kinda can split the stuff around from a flat ROM dump (so they say).

Re: MTK firmware jargon: VIVA, ALICE - what are they?

Haven't seen that table, but it confirms a lot! Thanks!

Does romdz09 work with the ALICE part at all, do you know?

Re: MTK firmware jargon: VIVA, ALICE - what are they?

As far as I know, it just splits the raw ROM dump into more or less high-level parts. It seems to be mostly used by folks who want to hack on resources, e.g. change a watchface. So, I'd assume it just splits out ALICE as a separate chunk and doesn't do anything to it. But I didn't play with it.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

I just tried it. Yeah it seems like a resource editor, and doesn't touch ALICE.

Re: MTK firmware jargon: VIVA, ALICE - what are they?

I've made progress with unpacking compressed ALICE_2 images. Here's what I've discovered about how it is encoded.

The ALICE.exe compressor reads the instructions from ALICE.bin, translates the addresses of BL/BLX instructions, and adds the instructions to a binary tree which is then traversed to create a dictionary. The dictionary is a histogram of instruction frequencies sorted in descending order (it is still unclear how instructions of the same frequency are sorted). Using the histogram, range registers are calculated and the instructions falling into these ranges are range encoded to reduce their size. Since the most frequent instructions are reduced the most, this is where we see the most compression. The most infrequent instructions (those comprising the tail of the histogram) are in fact encoded to be larger than their original size.

The range encoded instructions are then bitpacked into the final compressed ALICE in blocks of a set size (e.g., 64 bytes, 32 instructions). The start of a block is byte addressed and referenced by a mapping table, so bit padding (0s) is added to the end of a block when necessary.

Postprocessing involves prepending a 40 byte header which includes the compressed offset, mapping table offset, and dictionary offset. The mapping table follows the compressed ALICE body, followed by the dictionary (truncated to the last range register).

The code (rewritten in Python) is available here under GPL:

https://github.com/donnm/mtk_fw_tools

You will need python3 and the bitstring package.

The encoder is not currently working because I do not know how instructions of the same frequency are sorted in the histogram. Once this is clear, the encoder will be working.

I am interested in testing various compressed ALICE components, particularly if you have the corresponding original uncompressed ALICE.bin. Submit an issue to the github project and attach a link to the files you are using if you find any problems.
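As an added illustration (my own code, not donnm's tool and not the real ALICE_2 format), the pipeline the post describes modelled in Python: a frequency-sorted dictionary, codes bucketed by dictionary index range, 32-word blocks zero-padded to byte boundaries and referenced by a mapping table, and a 40-byte header of offsets. The range register widths, the tie-break order, the header field layout and the sample words are all assumptions of this example.

```python
from collections import Counter
import struct
BLOCK, HDR = 32, 40  # 32 x 16-bit Thumb words per 64-byte block, 40-byte header (both from the post)
# Assumed "range registers" as (first index, index limit, prefix bits, index bits): dictionary
# indices below 4 cost 3 bits, below 20 cost 6 bits; any other word is prefix "11" plus its raw
# 16 bits (18 bits, larger than the original, as the post observes). Header layout is assumed too.
RANGES, LITERAL = [(0, 4, "0", 2), (4, 20, "10", 4)], "11"
# Constructed sample input: a few hot Thumb opcodes plus 25 distinct one-off words (not real firmware).
SAMPLE = [0x4770] * 30 + [0xB500] * 20 + [0xBD00] * 10 + [0x2000] * 5 + [0x4600 + i for i in range(25)]
def build_dictionary(words):
    # Histogram sorted by descending frequency, truncated to the last range register. Ties are
    # broken by ascending opcode value, an assumption: the post says the real rule is still unknown.
    hist = Counter(words)
    return sorted(hist, key=lambda w: (-hist[w], w))[:RANGES[-1][1]]
def encode_word(word, dictionary):
    idx = dictionary.index(word) if word in dictionary else -1
    for lo, hi, prefix, nbits in RANGES:
        if lo <= idx < hi:
            return prefix + format(idx - lo, f"0{nbits}b")
    return LITERAL + format(word, "016b")
def compress(words):
    dictionary, body, table = build_dictionary(words), bytearray(), []
    for i in range(0, len(words), BLOCK):
        table.append(len(body))  # mapping table entry: byte offset of this block's start
        bits = "".join(encode_word(w, dictionary) for w in words[i:i + BLOCK])
        bits += "0" * (-len(bits) % 8)  # zero padding so the next block starts byte aligned
        body += int(bits, 2).to_bytes(len(bits) // 8, "big")
    map_bytes = b"".join(struct.pack("<I", o) for o in table)
    dict_bytes = b"".join(struct.pack("<H", w) for w in dictionary)
    header = struct.pack("<IIII", HDR, HDR + len(body), HDR + len(body) + len(map_bytes), len(words))
    return bytes(header.ljust(HDR, b"\0") + body + map_bytes + dict_bytes)
def decompress(blob):
    body_off, map_off, dict_off, count = struct.unpack_from("<IIII", blob)
    table = [struct.unpack_from("<I", blob, o)[0] for o in range(map_off, dict_off, 4)]
    dictionary = [struct.unpack_from("<H", blob, o)[0] for o in range(dict_off, len(blob), 2)]
    out = []
    for n, start in enumerate(table):
        end = table[n + 1] if n + 1 < len(table) else map_off - body_off
        bits, pos = "".join(format(b, "08b") for b in blob[body_off + start:body_off + end]), 0
        while len(out) < min(count, (n + 1) * BLOCK):  # stop before the block's zero padding
            for lo, hi, prefix, nbits in RANGES:
                if bits.startswith(prefix, pos):
                    out.append(dictionary[lo + int(bits[pos + len(prefix):pos + len(prefix) + nbits], 2)])
                    pos += len(prefix) + nbits
                    break
            else:  # no range matched, so a raw 16-bit word follows the LITERAL prefix
                out.append(int(bits[pos + 2:pos + 18], 2))
                pos += 18
    return out
```

With the constructed sample, the 180 bytes of input pack into 149 bytes including header, mapping table and dictionary, and the round trip reproduces the input exactly.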

34 (edited by Mi81 2018-01-07 21:18:15)

Re: MTK firmware jargon: VIVA, ALICE - what are they?

Unfortunately, the proposed solution decodes correctly only the first eight bytes.

See Issues at GitHub

Re: MTK firmware jargon: VIVA, ALICE - what are they?

donnm, great news! I knew that people would hack on stuff on holidays; I actually picked up a watch to join the fun too, but due to circumstances I instead hacked on my cute decompiler.

I also appreciate giving a try to rewriting tools in Python. Yup, it's a bit slow, but much easier hackability by many more people is fully worth it imho. And using PyPy, your tool runs really fast.

Posted a ticket/a patch on github too.

Thanks!

Re: MTK firmware jargon: VIVA, ALICE - what are they?

As an update, donnm's great tool now seems to handle whatever someone threw at it, which is definitely cool, but that's unlikely much; we need more people to participate ;-). Interested parties are also advised to look at the tickets on github, including closed: https://github.com/donnm/mtk_fw_tools/i … s%3Aissue+

37 (edited by Mi81 2018-01-17 00:24:38)

Re: MTK firmware jargon: VIVA, ALICE - what are they?

Excellent, Donnm! Now the decompression is correct.

38 (edited by yoriqulov.miroqil 2019-04-26 14:12:14)

Re: MTK firmware jargon: VIVA, ALICE - what are they?

Hi!
How do I extract the executable ARM instructions from a CAKE file (unaliced)?

Thanks for your answers