donnm / mtk_fw_tools Goto Github PK

Uncompressed ALICE.bin and compressed ALICE is here: https://github.com/Seeed-Studio/Arduino_IDE_for_RePhone/tree/master/hardware/tools/mtk/firmware/LinkIt_Device/RePhone/W15.19.p2-uart

Note that MT2501/MT2502 seems to use ALICE_1.

A bit of offtopic, but I wonder if you, @donnm, or other readers would be interested to help testing ARM disassembly support for my interactive disassembler: https://github.com/pfalcon/ScratchABit .

https://www.kosagi.com/forums/viewtopic.php?pid=3249#p3249

I will try to describe the algorithm for calculating the values of registers.

The header of ALICE file after dictionary start address contains data about bit-length.
For example: 0x04, 0x06, 0x07, 0x09, x0A, 0x0B, 0x0C ( as L1, L2, L3 ... L7 )

r0 = 0 (аlways)
r1 = r0 + bL1 + 1 , where bL1 = binary number in which the L1 lower digits contain one, ie 0b1111 = 0x0F. Thus we obtain r1 = 0 + 0b1111 + 1 = 0x10
r2 = r1 + bL2 + 1, ie r2 = 0x10 + 0b111111 + 1 = 0x50
r3 = r2 + 0b1111111 + 1 = 0xD0
r4 = r3 + 0b111111111 +1 = 0x2D0
r5 = r4 + 0b1111111111 + 1 = 0x6D0
r6 = r5 + 0b11111111111 +1 = 0xED0
r7 = r6 + 0b111111111111 +1 = 0x1ED0

Hi @donnm thanks for the tool. I came here while searching about information about VIVA and unpacking it. You and @pfalcon did amazing job on opensource tools.
ref: https://www.kosagi.com/forums/viewtopic.php?id=158

I wanted to edit VIVA to modify port settings for taking dump on a different port. These port settings are defined in a structure named "NVRAM_EF_CUSTOM_PORT_SETTING_DEFAULT" (got this information from sym and lis) file of firmware that I have provided by modem vendor. They refused to change these settings so I thought I might modify the structure in code. but I am not able to locate it in the firmware.

This structure goes inside the ZIMAGE region of VIVA(probably?) which I am not able to decode/unpack.
ref(listing):

Load Region ZIMAGE (Base: 0x101a6b5c, Size: 0x001ca5f4, Max: 0xffffffff, ABSOLUTE)
...
0xf03b047c   0x00000028   Data   RO          277    .constdata          custom_port_setting.obj(custom.lib)

ref(symbol file)
0xf03b047c D NVRAM_EF_CUSTOM_PORT_SETTING_DEFAULT

So I came here if you or @pfalcon can help me somehow to identify how can I unpack and repack VIVA. I would also appreciate if I can get any sort of pointers to what possibly can be done regarding this.

Thanks in advance! 👍

unalice.py successfully unpacked an ALICE_2 firmware blob for me, but what is the resulting file supposed to be? You say ALICE is the non-kernel part of the firmware, but I couldn't find anything in it like photos or whatnot.

Only first 8 bytes :(
ALICE.zip
This is original CAKE & ALICE_2 from MTK firmware project.
Encode: ALICE.exe -chip MT6261 -iBin A.bin -oBin AA.bin -oDict dd -cBase 0x101B6A6C -dBase 0x100A0000 -cBlock 64 -statistics stat.txt -debugLevel 3

Just my notes on how to find load addresses of ALICE partition, if you have a full firmware folder for flash tool. Could be useful for the very first step to reverse-engineer the firmware.

• First load ROM partition to 0x1000A000 address.
• Then search for "memory_dump_off" string in HEX editor of ROM partition. About 0x100-0x130 bytes before the string, there would be several "HpG" (48 80 47) strings, this is actually a code. Look for first or second 0x10xxxxxx address near HpG's, this is the ALICE loading address.
  
• CACHED_EXTSRAM data is also stored in ROM file. To find it, search for "00 00 00 00 00 0C 00 00 F4 F3 F2 F1" (hex) in ROM, the 4 bytes BEFORE this data is the beginning of CACHED_EXTSRAM partition (there should be the address to 0x10xxxxxx, it's a pointer).
  
• CACHED_EXTSRAM load address could be found in the very beginning of ALICE CAKE. Switch to Thumb code mode (alt+g in IDA), press "C" to make code right after first "CAKE" bytes of the ALICE partition. The address which is getting loaded to R0 is CACHED_EXTSRAM load address.