Stefan Gloor
✧✦Catherine✦✧i heckin love looking at firmware. send me firmware pls
"firmware for what" Yes.
flacs@whitequark what about FPGA bitstreams?
@flacs these have very limited, albeit nonzero, reverse engineering potential
Val Packett 🧉@whitequark https://github.com/valpackett/firmware-dell-qcom/blob/trunk/qcom/x1e80100/dell/latitude-7455/qcadsp8380.mbn.zst
do you have binja ultimate 3k dollar edition? because this is hexagon :D
@valpackett i do yeah
Urja@whitequark A long time ago I got bored reversing the firmware to my "Digital Microscope DM4" (a cheap LCD+camera-style "microscope" from ebay)
https://a64box.urja.dev/DM4-microscope-flash.bin.zst
(I also seem to have this file around... i'm not sure if i got this "bl1" from the SPI flash dump or if it was the internal boot ROM of the SoC ...
https://a64box.urja.dev/dm4_bl1.bin
)
I think the most fun i found out was that the microscope firmware has a boot-up sound. The device has no speaker :P
(I kinda wanted the device to do usb-webcam while having the LCD active, but it doesnt... otherwise it's great for what it is.)
Ge0rG@whitequark
Somebody collected the still available firmware files for Samsung's WiFi enabled cameras (compact and mirrorless NX system): https://nxfiles.nx.tc/
I mirrored them (some 40GB including OSS dumps) and pulled some strings on the firmware files at https://op-co.de/blog/posts/samsung_nx_archaeology/ and https://op-co.de/blog/posts/samsung_wifi_cameras/
A specific open mystery is how https://nxfiles.nx.tc/files/Compact/SH100/Firmware/ interacts with the /social/columbus/login/direct API endpoint in order to login to F*book.
tranzystorekk@whitequark *sends feebleware instead*
Graham Sutherland / Polynomial@whitequark ... I wonder if I kept the firmware images for my DALSA industrial line camera. will check later. I bet there's some funky stuff in there.
Andy Price@whitequark Are you following @hughsie :)
Richard Hughes@andyprice @whitequark I have so much firmware it can make your eyes bleed. What specifically you looking for?
Mini@whitequark interested in a firmware update blob? sent over usb, not sure of the address offset its loaded at, but i know the chip it's for
the blob is sent to the device partially obscured (xored with some bytes earlier in the payload it sends)
the sdk is public and the device is marketed as a BLE sniffer, i kept meaning to go back and figure out address offset the fw blob is loaded at (presuming it doesn't do anything super freaky) but kept getting distracted by other projects 😭
@whitequark COOoL!! hope its fun if have a go :3
https://gist.github.com/mini-ninja-64/65696609d24fa1fb2b7fb13e63fcd79e
i think that covers what I know, incldued is the latest firmware blob, there are older versions, I can provide if usefukl!
ummmmm oh some things to note, the sdk has some examples of uploading firmware blobs for updates, but they dont do any wierd xor etc. and iirc I tried it at the SDKs default memory address for firmware uploads but it didnt look right (could be misremembering)
Ignas Kiela@whitequark I might have some WD SSD drive firmware somewhere, if you want that? (in update blob form)
Pim de Groot@whitequark I do have the firmware of my first badge: https://github.com/AnesidoraCorporation/hh2023firmwareupdate/blob/b2b7d683a8a7744639e90b555312860ea188287b/hh2023latest.uf2 which has some puzzles to solve
ftg@whitequark
Sepura / Simoco SRM1000 TETRA radio firmware upgrade file (CLEAR, so likely no crypto stuff)
https://limewire.com/d/HiMpB#TVdPOyRfvg
I also have some firmware .BIN's for Ericsson P25 and P42 (model, not mode) handheld radios. Directly dumped from their 27C256 firmware EPROM's. But we have figured out the channel programming for the radios already. But maybe some HD6303 code might be interesting?
https://prkele.prk.tky.fi/~ftg/files/moppe/Ericsson/P42_nokeypad/
Ret@ftg @whitequark don’t mind if I do 👀
@ret @whitequark
I have some 410 - 430 MHz and one 380 - 400 MHz band models of these for playing around.
But they absolutely don't like going out of band.
For example to the 432 - 438 MHz amateur radio band here.
If you mod the CPS to accept channels above 430 and program in, say 433.350 MHz to the the radio, it just boot loops.
Thankfully recoverable by programming in some in-band channels.
I have some 410 - 430 MHz and one 380 - 400 MHz band models of these for playing around.
But they absolutely don't like going out of band.
For example to the 432 - 438 MHz amateur radio band here.
If you mod the CPS to accept channels above 430 and program in, say 433.350 MHz to the the radio, it just boot loops.
Thankfully recoverable by programming in some in-band channels.
@ftg @whitequark I’ve got a few 380-400 units here. Most won’t boot. Never got around to investigating out of band use but that does not sound promising :/ did get one running and attached to the test set. Unsure if they can do direct mode even.
@ret @whitequark
All of mine can do DMO.
I have the 410 - 430 one's on a 417/427 commercial pair for hobby use.
My plan for the 380 - 400 is to stuff up and down converters in it and see if it works for 70cm DMO.
All of mine can do DMO.
I have the 410 - 430 one's on a 417/427 commercial pair for hobby use.
My plan for the 380 - 400 is to stuff up and down converters in it and see if it works for 70cm DMO.
doragasu@whitequark I can send you my own firmware and get a free security audit 😆 (just joking 😅)
hdhoang@whitequark old custom fw for an old keyboard https://github.com/ah-/anne-key
we have the manufacturer original files in the discord, because they have gone away after a rebrand.
perhaps this works https://web.archive.org/web/*/http://www.obins.net/app/anne_pro_fw/*
