[X]Assistant

[Redscorpio]

SoChip 8600/9800 device firmware

The topic discusses the issues of creating and modifying firmware on SoChip 8600/9800 devices and their analogues

Now the market has a lot of devices built on the basis of SoChip 8600/9800 and their analogues (e-books, mobile and stationary portable players). Unfortunately, the manufacturer did not open the SDK and the firmware of these devices is a “black box”. It is proposed in this topic to jointly collect information and develop techniques that will improve the firmware.
!!! AvailableDiPal SDK !!!

I. Attention. Important information for "experimenters"

1.If the device does not show signs of life after flashing or is cyclically overloaded (does not want to flash), do not panic:
- Instruction 1
- Instruction 2
- Instruction 3
2.It is strongly not recommended for repacking disk images to useWinimage. This may lead to the inoperability of the firmware. Use for exampleUltraISO. But it is most preferable to use the program.dragonfrom the "utility manufacturer" kit (see "Tools")
3.If you have problems with the firmware of your device and you want to use the help of members of the forum, use the programDebugview

Losber @ 12/10/2011, 17:46

Download DebugView and run it, let it work. Flush LiveSuit with a problem repackaged firmware, you get an error. Then go to the program DebugView, save to the file what happened and attach it in the message on the forum.

Ii. Analogs

SoChip SC8600 == BoxChip F15 == Teclast T7200
SoChip SC9800 == BoxChip F10 == Teclast T8100

Iii. Information- links to posts in the topic

1.Specifications:
1.1 SoChip SC9800 Specification
1.2 F16 Specification
1.3 F20 Specification
2.Core guideARM926EJ-S
3. Firmware file structure(further links)
4. The sequence of the start of the device
5. Work with language resources
6. "Student Computer" (H3 / H5)
7. Answers on questions:
- What is the core?
- What OS?
- Is it possible to install Android?
Once again about Android, againandstill
8. Instructions for beginners
9. Assigning drivers and system files in firmware
10. BMP file format in resource file
11. Reassigning device buttons in the keyboard driver
12. Reassigning the remote control buttons in the keyboard driver
13.Replacing drivers in firmware(1)and(2)
14. Instructions for editing executable files to run on another firmware
15. Abandoned project for SC8600 with sources
16. DWARF
17.Device diagrams(1), (2)and(3)
18. Samples of firmware demonstrating wits252 UI SDK
19. Identification of ARM chips
20.Sources of games for our devices(1), (2)and(3)
21. How to change Cyrillic text in applications.

III +. Additional Information

1. UCos GUI (?) Sources
2. UCos GUI SDK
3. BoxChip A10 processor sdk
4. Allwinner A10 Specification and Additional Information

Iv. Instruments- links to posts in the topic

1. A set of utilities from the manufacturer
- Instruction 1
- Instruction 2(creaturerootfs)
- Instruction 3(creatureramdisk.iso)
2. Sdkby dipal
3. imgRePacker- LiveSuit firmware unpacker / packager (* .img)
4. imgDecoder- decryptor / encryptor of LiveSuit firmware (* .img)
5. Program to facilitate editing touchtheme.bin
6. Building utilities for working with firmware
7. Original (Chinese) assembly of SoChip Modding Tools

Additions

7.1Alternativeazxmagic_add.exefromFlasher-11
7.2Alternativeazxmagic_del.exefromFlasher-11
7.3Alternativeverify_corr.exefromFlasher-11
7.4 GUIfromlosber

8. unPackerfromnullpix
9. GNU_readELF- tool for parsing ELF character information
10. AXF_beautification_tool- utility for working with graphic resources (in some * .axf and * .bin files)
11. PhoenixPro- A utility that allows you to simultaneously flash up to 127 devices (no more than 7 is recommended). As stated, when working simultaneously with 7 devices, firmware of about 100MB in size is loaded in 10s (the key is inside the archive).Again
12. Phoenixcard- utility to prepare microSD for automatic firmware.One more time withinstruction
13. LiveSuitin a convenient "package".Again
14. Drivers(32 and 64 bits) andagain
15. ARMu- A tool to view and edit the ARM binaries
16. SCelfAutoPatcher- program for automatic correction of addresses of imported functions in executable files (* .axf)
17. SYMTAB_extractor- program for extracting symbolic information from executable files (ELF)

V. Programs for devices on SC8600 / 9800 - links to messages in the topic

1. Game Console EmulatorSegafromDipal.
- Game collections(1)and(2)
2. Reg converter<->inifromlosber

Vi. useful links

1.Products webpageSoChip(eng.)
2.Products webpageSoChip(whale.)
3.Products webpageALLWINNER TECHNOLOGY(whale.)
4.Allwinner Pageon ARM website
5.Related forum onpleer.ru
6.Just interesting links fromlosber

VII. Profile Topics

1. Effire ColorBook TR401
2. Effire ColorBook TR701
3. iconBIT HDB700LED
4. iconBIT HMP705HDMI
5. Lexand LT-115
6. Lexand LT-117
7. Ritmix RBK-430
8. Ritmix RBK-450
9. Ritmix RBK-470
10. Ritmix RP-400HD
11. Ritmix RP-430HD
12. Ritmix RP-500HD
13. Nexx NRM-51 LED
14. Teclast TL-C700
15. teXet TB-431HD
16. teXet TB-710HD
17. teXet TB-740HD
18. Wexler Book T7005

Please note:
1. Before asking questionsread the topic content(especially with messages on the links in the header)
2. Here are discussedgeneral questions onlycreate and modify firmware. For firmware specific devices, please contact the relevant forum topics.
3. Any useful information is welcome (will be filtered).
_"Cleaners"

Post has been editedRedscorpio - 17.03.13, 17:54

[losber]

myst_nomadAll the necessary unpacking / packing steps are encoded in the SoChip_img_pack.bat and SoChip_img_unpack.bat bat-scripts.
To unpack, run the command line "SoChip_img_unpack.bat firmware_name.img"
Assembling tools for working with SoChip 8600/9800 firmware.
As for the rest, everything has already been discussed and more than once on player.ru in the topic "SoChip Firmware".

Post has been editedRedscorpio - 20.01.12, 22:45

Reason for editing: Build link changed

[dimonp25]

to losber, well, for example, how I found this time: I have a player and not an email. the book, then in the apps folder I found epdf.axf, in this elf all functions are already designated (both internal and downloaded from other firmware files). Specifically, here is the timer function as indicated by me: $ Ven $ AA $ L $$ GUI_SetTimer. I myself have this function in the orange.mod file (the address of the function is e1883a10). And accordingly, finding links (by simple search bytes) for this function in * .axf files I found in movie.axf the address (a) of the call function $ Ven $ AA $ L $$ GUI_SetTimer, and then everything is simple, you see what is loaded into registers before calling this function and changing it (for example, I loaded the number 0x5dc in r2 register, in decimal ss it is 1500 mS, I changed to 350 (15e)).

[KudryashovDA]

myst_nomad

myst_nomad @ 12/01/2011, 20:01

2) Is the contents of the .img file of the firmware, unpacked by the utility, the final view of the OS, as it lies on the system disk of the reader, or, after cramming onto it, is there an additional unpacking?

When you open the firmware file, the livesuit program "slightly" unpacks the firmware, figuring out the hardware parameters to which it will be flooded. Then, when the book is connected, the program sends a command to the book to be ready for the firmware, it reboots and waits for the bootloader - the livesuite sends it a bootloader pulled from the same firmware (fes-1 and fes-2) - they prepare the book for loading the main part - packed root file system. The image was loaded and reported livesuite about the successful download. Then, in the book itself, the unpacking of the file system begins (a circle is spinning on the screen at that moment). Then you can read, watch, listen :)
All stages can be viewed by running the DbgView program on the PC during the firmware.

[Redscorpio]

Assembling tools for working with SoChip 8600/9800 firmware

Allows:
1. Unpack / pack firmware(SoChip Modding Tools + own developments)
Note:Currently recommendedimgRePacker
2. Enable Debug modewithout repacking the firmware (ImgDecrypt.exe).Instruction
Note:Currently recommendedimgDecoder
3. Modify Resource Files(res_theme folder)

Changes

2012.01.17
~ Chinese utilities are “torn out” from under packers (there was a triple package) - now antiviruses should not be intimidated;
~ rootcr / rootpk replaced by own (verified);
2011.12.27
~ 7z.exe call is excluded from batch files. Now only usedlzma.exe. 7z.exe and 7z.dll excluded from the build
2011.12.12
~ The call verifycalc.exe is excluded from batch files. It works nowverify.exe(== verifycalc.exe + verify_corr.exe)
2011.12.08
~ Increased buffer for azxmagic_add.exe and azxmagic_del.exe (theoretically should work faster).
~ Changed disk image storage path
~ Changed the logic of working with paths. Now batch files can be run from any place on the disk, the firmware name should be specified with
~ Attention.Removed parentheses in the directory name (nowSoChip_Modding_Tools_Repack_RedScorpio)
- Refused to store the name of the firmware in the file img_name.txt. Now the name of the firmware is formed from the name of the directory with files<firmware_name>.dump
2011.12.06
+ The scripts that complement the SoChip Modding Tools are rewritten to C, the command files are changed. Checked on 2011.12.07
2011.12.05
~ In scriptazxmagic_add.vbsAdded auto-under OS. If he cannot find the settings, then the batch file will report this and stop its work. In this case, use alternative methods. For example, use the utilityazxmagic_add.exe(see in the cap)

Ps. Special thanksKudryashovDAandlosberfor support, ideas and testing

Additionally laid out the original (Chinese) assemblySoChip Modding Tools

Attached files

SoChip_Modding_Tools.7z(1.17 MB)
SoChip_Utils.rar(521.23 KB)


Post has been editedRedscorpio - 20.04.12, 21:59

Reason for editing: New version

[Redscorpio]

Instructions on how to enable debugging of devices on SoChip SC9800 (debugenable = 1)
Opening the system disk for "picking"

1. Stocking up the firmware file * .img (hereinafter we will callfirmware.img ).
2. Run the program ImgDecrypt.exe.
3. Press the "Decode" button.
4. Choose a filefirmware.img.
5. Click the "OK" button next to the "Decode".
6. In the menu "Save As .." we make a new name.firmware_DE_unpand press the "Save" button
7. We wait for some time and get a window with the message "Done !!!". Click the "OK" button. Next to the filefirmware.imgwe now have a filefirmware_DE_unp.img
8. In any HEX editor (for example, WinHex) open the file.firmware_DE_unp.imgand replacedebugenable = 0 on debugenable = 1 (or rather, 0 on 1 ). Be careful and attentive, changing only 1 (one) byte.
If you do not understand this item, firsttake a lookand then think again: do you need it?
9. In the ImgDecrypt.exe program, click the "Encode" button.
10. Select the filefirmware_DE_unp.img.
11. Click the "OK" button next to "Encode".
12. In the menu "Save As .." we make a new name.firmware_deand press the "Save" button
13. We wait for some time and again get a window with the message "Done !!!". Click the "OK" button. Next to the filesfirmware.imgandfirmware_DE_unp.imgwe have a filefirmware_DE.img
14. Sew onfirmware_DE.img.

The author of the instruction does not bear any responsibility for the killed wards.

Ps. Who does not believe in the program can decrypt the firmware and, without changing anything, encrypt it back. I tried, matches byte-by-byte.
Pps. Program taken fromChinese forum. I only changed resources in it so that it was clear which buttons to press.
PPPS. Disabling debug mode - in reverse order.

Attention . The utility is included in tool assembly

[email protected]

By the way, I completely forgot about the debugenable = 1 mode, which Chinese comrades so seriously use to create modified firmware.

Post has been editedRedscorpio - 20.04.12, 22:00

[Redscorpio]

Firmware file structure .img
Knowledge is incomplete: we save gradually, we will supplement

1. Header block ( format description ). All headers are the same size = 0x0400 (1 kB). First goes Base.hdr (it has its own format), after that the headers of all the firmware files
2. File block with the alignment of each file on the block boundary by the addition of the required number of bytes 0xCD

Firmware is encoded . The encryption / decryption algorithm is based on a 176-byte key (generated on the basis of 2 bytes). 3 keys are applied sequentially.
- for base.hdr
- for block headers
- for file block
Algorithms obtained in the studySochip Modding Tools, ImgDecode.dll and ImgDecrypt.exe .

The most common composition / order of files

COMMON _SYS_CONFIG000000Configuration
COMMON _SPLIT_0000000000
RFSFAT16_ROOTFS_000000000The root file system (we are interested infirmware ) + pictures that appear on the device screen during the firmware change (4 pcs.)
RFSFAT16_VERIFY_000000000Check file
RFSFAT16_BOOTFS_000000000
BOOT _BOOT0_0000000000
BOOT _BOOT1_0000000000
PXTOOLS _xxxxxxxxxxxxxxxx
FES _FES_1-1000000000
FES _FES_1-2000000000
FES _FES_200000000000
FES _FES_000000000000
FES _FES_H00000000000
FET _HW_SCAN_00000000
FET _UPDATE_BOOT0_000
FET _UPDATE_BOOT1_000
FET _FET_RESTORE_0000
FET _MAGIC_CRC_START_
FET _MAGIC_CRC_EN_000
FET _MAGIC_DE_START_0
FET _MAGIC_DE_END_000
FED _FED_NAND_0000000
12345678_1234567890cardtl
12345678_1234567890script
12345678_1234567890boot_0
12345678_1234567890boot_1
12345678_1234567890__dram

Composition / order of header files same

Post has been editedRedscorpio - 20.04.12, 22:06

[Redscorpio]

Sunsvision @ 02.12.2011, 11:37

Is it possible to enable debugging of devices on the SoChip SC8600

I can not answer this question, I do not own such a device. If the information that debugenable = 1 at 8600 does not affect anything, is confirmed - I will bring it to the header

[Redscorpio]

RFSFAT16_ROOTFS_000000000

Composite:
1. Header block. The first is Base.hdr, then the file headers
2. Block files.

Composition (do not forget the headings):
ZDISKIMG_Rootfs000000.lza
ZDISKIMG_StartupPic01.bmp
ZDISKIMG_StartupPic02.bmp
ZDISKIMG_StartupPic03.bmp
ZDISKIMG_StartupPic04.bmp


ZDISKIMG_Rootfs000000.lzais an archive (.lza) of a system disk image (.iso) with a modified title.
The remaining 4 files- pictures that are cyclically displayed (rotation of the circle and blinking) when flashing

Those. The process is:
system disk image ->packing (lzma.exe e -d14 -a0) ->header change (you can view the algorithm in azxmagic_add.vbs) ->combining all the header files and the files themselves into one file ->encryption (encryption algorithm is different from the encryption algorithm of the entire firmware)

Note. The stage of changing the header of the packed file is not used for the old packaging algorithm (used earlier for the SC8600)

Post has been editedRedscorpio - 15.03.12, 12:27

[Redscorpio]

RFSFAT16_VERIFY_000000000

Check file for file RFSFAT16_ROOTFS_000000000.

I quote

DiPal download

from the forumpleer.ru

Dipal

Oh, how I was tormented with him, that I just did not calculate ...
And then disassembled sochip modding tools and was very upset ...
The banal sum DW

Note. You need to count the RFSFAT16_ROOTFS_000000000 file before encryption.

Post has been editedRedscorpio - 20.01.12, 22:52

[Redscorpio]

Header File Format .hdr

Base hdr

struct sBaseHdr {// 20x4
char ImgID [8]; // "IMAGEWTY"
unsigned long int DW_01; // 0x00000100
unsigned long int DW_02; // 0x00000050
unsigned long int DW_03; // 0x04D00000
unsigned long int DW_04; // 0x00100234
unsigned long int checkSize;
unsigned long int DW_06; // 0x00000400
unsigned long int DW_07; // 0x00001234
unsigned long int DW_08; // 0x00008743
unsigned long int DW_09; // 0x00000100
unsigned long int DW_10; // 0x00000100
unsigned long int Type; // ZDISK = 0x00000000; Img = 0x00000001
unsigned long int DW_12; // 0x00000400
unsigned long int fileCount;
unsigned long int DW_14; // 0x00000400
unsigned long int DW_15; // 0x00000000
unsigned long int DW_16; // 0x00000000
unsigned long int DW_17; // 0x00000000
unsigned long int DW_18; // 0x00000000
// Next trash
char AddTo1024 [944];
} BaseHdr;

File hdr

struct sFileHdr {// 77x4
unsigned long int DW_01; // 0x00000100
unsigned long int DW_02; // 0x00000400
char type [8];
char SubType [16];
unsigned long int DW_03; // 0x00000000
unsigned long int ImgFSize;
unsigned long int OrigFSize;
unsigned long int FOffset;
unsigned long int DW_04; // 0x00000000
char OrigLongFName [256];
long int arrInt64 [179];
} FileHdr;

I quoteDipalfrom the forumpleer.ru

Dipal

/*
0 dw
4 dw
8 2dw = string_short
0x10 4dw = string long
0x20 dw
0x24 dw
0x28 dw = image_size
0x2c dw = image_offset
0x30 dw
0x34 string with file name
*/

Post has been editedRedscorpio - 15.03.12, 12:40

[nullpix]

Thanks to everyone who took part in creating the "unpacker / packer" underSoChip 8600/9800! Everything is working!

dimonp25 @ 12/02/2011, 00:29

I found epdf.axf in the apps folder, in this elf all functions are already indicated (both internal and downloaded from other firmware files). Specifically, here is the timer function as indicated by me: $ Ven $ AA $ L $$ GUI_SetTimer.

Respecteddimonp25, could you tell me which version of id will openepdf.axfand with what settings?
Opened with different versions, but I can’t find the name of the function "$ Ven $ AA $ L $$ GUI_SetTimer"the function names look likesub_0, sub_1240maybe it should be, I'm new anddisassemblingSign very superficially, tell me where to dig?
If you have time and desire, could you, write a small manual, or write a video, so that there would be no such questions! Thank you for your attention and patience: thank_you:

Post has been editednullpix - 02.12.11, 12:38

Reason for editing: added screen

[dimonp25]

First, did you open it as an elf file? (there at the very beginning a window appears with a choice of processor, download addresses, etc.). And then you can look (call) in the names or exported functions tab (after a full analysis of the file ida). If there are no clear names there, it means there is no additional debug info in this elf. See others. Or lay out the archivist with the internal content of the firmware, I myself will look.

[nullpix]

dimonp25Yes, I opened it as an elf file. Maybe there processor settings you need to specify special?

In the archive firmware without resource files, where there are all sorts of pictures, to save space. Thank you for spending your precious time on me!
img.rar(6.68 MB)

[Picnik]

M

Redscorpioappointed curator of the topic.

[dimonp25]

to nullpix, here is the archiver with the bases from IDA 6.1, your functions are designated in calendar.axf. For example, thanks to this elf, I found functions related to a timer in orange.mod. Similarly, other useful functions are searched in orange.mod. And now you can also find the same functions in * .axf files, which are designated in orange.mod.

Attached files

1.rar(1.97 MB)

[dimonp25]

I spread what I’ve dug (almost all the functions from uC / GUI) in the orange.mod file. + uCos GUI source files themselves - it seems we have used this OS.

Attached files

orange.rar(1.98 MB)

[zaq2]

myst_nomad @ 02.12.2011, 22:32

The question arose, inside the firmware is the image of epos.img
Is this file a regular img file, only encrypted?
If so, approximately what can be unpacked?

Well, based on the fact that herehttp://www.the-ebook.org/?p=9570in the comments it is written,

Epos - Embedded Parallel Operating System. This is a system that fits in a small electronic chip.
butepos.imgThis is the image of the operating system

Post has been editedRedscorpio - 17.05.12, 23:12

[losber]

New reworked version of GUIhereFirmware devices on SoChip 8600/9800 (Post # 10229579)

Dipal

losber, dimonp25
ida determines everything is normal for all files in the firmware (for all elves).
Only epos.img needs to be loaded in sections (roughly immediately you can in C2000000).
All code in ARM, not thumb.
Disassemble DWARF from files where it is (I can send SVC names, but they are always there).

Post has been editedlosber - 17.12.11, 01:50

[KudryashovDA]

Daniilshapkin @ 12/03/2011, 11:02

does effire pull djvu support and plug into texet?

It is possible, but in practice you need to edit a lot of code (ARM) in Windows Explorer and possibly other files.

Daniilshapkin @ 12/03/2011, 11:02

better to edit files with the extension axf?

I open files in IDA Pro Advanced 6.1 (from the torrent which)

[Flasher-11]

I post new versions tested on RBK-430.
azxmagic_del.rar(265.05 KB)
Example: azxmagic_del.exe% image% .dump \ RFSFAT16_ROOTFS_000000000.out.dump \ ZDISKIMG_Rootfs000000.lza
azxmagic_add.rar(265.24 KB)
Example: azxmagic_add.exe% image% .dump \ RFSFAT16_ROOTFS_000000000.out.dump \ ZDISKIMG_Rootfs000000.lza.iso.lza% image% .dump \ RFSFAT16_ROOTFS_000000000.out.dump \ ZDISKIMGRM16

Examples are provided for bat'nikov.
Ps. I make a new post, because I can not edit and update the old one.