TL866 II PLUS/Bootloader: Difference between revisions
(→Report) |
m (→Commands) |
||
Line 32: | Line 32: | ||
| unknown, maybe just a fixed key? Set statically in the official client. | | unknown, maybe just a fixed key? Set statically in the official client. | ||
|} | |} | ||
=== Report === | === Report === | ||
Line 104: | Line 103: | ||
| 1 || ''unknown'' || 7 || || | | 1 || ''unknown'' || 7 || || | ||
|} | |} | ||
=== Write Block === | === Write Block === |
Revision as of 23:42, 26 August 2018
The TL866 II PLUS has a bootloader installed at the start of the internal flash which is used to update the firmware. The hardware reset vector (the instruction at 0000h) points to the bootloader. On each boot the bootloader inspects various state (TBD) and determines whether it should execute itself to allow firmware updates or jump into the main firmware.
The process of reverse engineering the bootloader is still ongoing.
Commands
Reset
Command 3F seems to be used to reset the device. When used from the stock firmware the device resets into the bootloader, and when used from the bootloader the device resets to the stock firmware.
Offset | Field | Size | Value | Description |
---|---|---|---|---|
0 | command | 1 | 3F | the command identifier |
1 | reserved | 7 | 0 | reserved, set to zero |
When resetting from the stock firmware, another command is transmitted first. This may be some kind of key required to permit reset? Unknown until the firmware is dumped and analyzed.
Offset | Field | Size | Value | Description |
---|---|---|---|---|
0 | command | 1 | 3D | the command identifier |
1 | reserved | 3 | 0 | reserved, set to zero |
4 | key? | 4 | 86 B9 78 A5 | unknown, maybe just a fixed key? Set statically in the official client. |
Report
The report command requests that the firmware identify itself.
Offset | Field | Size | Value | Description |
---|---|---|---|---|
0 | bCommand | 1 | 00 | the command identifier |
1 | reserved | 7 | 0 | reserved, set to zero |
The device will respond with a 41-byte structure:
Offset | Field | Size | Value | Description |
---|---|---|---|---|
0 | bCommand | 1 | 00 | the command, echoed |
1 | bStatus | 1 | 01 | no longer used? |
2 | unknown | 2 | ||
4 | bFwVersionMinor | 1 | firmware version minor part: 00.0.xx | |
5 | bFwVersionMajor | 1 | firmware version major part: 00.x.00 | |
6 | bModel | 1 | 05 | device model: 05 is the TL866II-Plus, 06 is the XGecu T500 |
7 | unknown | 1 | ||
8 | sDeviceCode | 8 | ISO 8859-1 string (no zero terminator) | |
16 | sSerialNumber | 20 | ISO 8859-1 string (no zero terminator) | |
36 | unknown | 4 | ||
40 | bDeviceVersion | 1 | firmware version device part: xx.0.00 |
In versions of the TL866 A/CS firmware 03.2.82 and earlier, the bStatus field was used to indicate whether the device was currently running the stock firmware (value 01) or the bootloader (value 02). A/CS firmware 03.2.85 and the TL866II-Plus appear to always return 01. The only difference in the report output between the stock firmware and the bootloader on the TL866II-Plus is the version number, for which the bootloader always returns 1.0.
Erase
The erase command erases the firmware area of the internal flash (i.e. everything but the bootloader).
Offset | Field | Size | Value | Description |
---|---|---|---|---|
0 | bCommand | 1 | 3C | the command identifier |
1 | reserved | 7 | 0 | reserved, set to zero |
The device responds with an 8-byte acknowledgement.
Offset | Field | Size | Value | Description |
---|---|---|---|---|
0 | bCommand | 1 | 3C | the command, echoed |
1 | unknown | 7 |
Write Block
The write block command receives an encrypted data block, decrypts it, and writes the cleartext to the flash. As with all commands, it has an 8-byte header. The encrypted data is sent after the command header.
Offset | Field | Size | Value | Description |
---|---|---|---|---|
0 | bCommand | 1 | 3B | the command identifier |
1 | bUnknown1 | 1 | Copied from the block in the update file. Purpose unknown. | |
2 | wBlockSize | 2 | The size in bytes of the encrypted data to be sent. | |
4 | bUnknown2 | 4 | Some kind of checksum? Computed from the block in the update file and a key from the file header. |
The device does not send a response to the write block command. Instead, another command is sent to retrieve the status.
Offset | Field | Size | Value | Description |
---|---|---|---|---|
0 | bCommand | 1 | 39 | the command identifier |
1 | reserved | 7 | 0 | reserved, set to zero |
The device responds with a 32-byte packet. The unknown parts of the structure have only ever been observed to be all zeroes.
Offset | Field | Size | Value | Description |
---|---|---|---|---|
0 | unknown | 1 | ||
1 | bStatus | 1 | 00 on success; any other value indicates error | |
2 | unknown | 30 |