April 2013

Astrid
Sucking out firmware through a curly straw

I'm currently working on cracking a Definity PBX I bought on eBay. It came with a license for using the software installed on it, but you need a support contract to actually make it go. As I'm using it for personal research and don't ever intend to run a business on it, a multi-thousand-dollar support contract is not in the cards. So, I have to crack it instead.

First step is dumping the firmware. I couldn't find a copy anywhere online, which isn't a huge surprise — only Lucent is supposed to be able to make upgrades happen, and it's a rather old release anyway.

First I looked into getting it directly off the board. As it turned out, that would require dumping 4 TSOPs and figuring out how they interleave. Seems reasonable, but my local hackerspace only had SOIC test clips, and TSOP test clips are a very limited availability specialty item, and would cost around $150 for an attempt. Strike one.

My second approach centered around a set of cryptic commands I'd seen poking around the command completion results in the inads account: rp, rva, wp, and wva. A bit of experimentation showed me that they stood for, respectively, read physical, read virtual address, write physical, and write virtual address. That and a few ugly shell commands later, I'm in business hex-dumping the physical memory over the serial console, 0x80 bytes at a time.

In one terminal:

# Address (%x) and count are hex: c 80 is 0x80 = 128 bytes, matching seq's 128-byte stride.
$ seq 0 128 16777216 | xargs printf 'rp byte d %x c 80\r\n' > addresses-for-dumping
# read drops the \n but keeps the \r, so each command still reaches the port CRLF-terminated.
$ while read -r line ; do printf '%s\n' "$line" > /dev/ttyS0 ; sleep 3 ; done < addresses-for-dumping

In a second terminal:

# Strip the cursor-positioning escape (ESC [ row ; col H); \x1b is GNU sed's spelling of a literal ESC. grep's -u was never "unbuffered"; --line-buffered is what lets tee see lines as they arrive.
$ sed -ur 's/\x1b\[[0-9]{1,2};[0-9]{1,2}H/ /g' < /dev/ttyS0 | grep -F --line-buffered '0x' | tee romdump.hex

When done:

# Clean up the file the capture wrote: drop the leading " 0x" and collapse the address/data gap.
$ sed -e 's/^ 0x//;s/    / /' romdump.hex > fw_clean.hex
# xxd -r seeks to each line's address, so block order and re-read blocks are harmless; pass -c <n> if a line carries more than the default 16 data bytes, or the rest of that line is skipped.
$ xxd -r fw_clean.hex firmware.bin
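The sed/grep/xxd stages above work, but a dump that takes days over a serial line at a fixed 3-second pace will lose the odd response, and nothing in that pipeline tells you which addresses came back. Here is an added example (my code, not the post's) in Python that does the same reassembly job while handling that: it strips every CSI escape rather than just the cursor move, keeps only the 0x... lines, places each block at its own address, lists chunk addresses with no data so they can be re-requested with the same `rp` syntax, and flags any block whose two reads disagree. The Definity's real response format is not shown on the page, so the sample capture, the ` 0x<addr>    <hex bytes>` layout and the 0xff fill for unread space are assumptions.

```python
import re

# Constructed sample of a serial capture (an assumption: the real Definity `rp`
# output format is not shown on the page; this mimics the shape the post's sed/grep
# pipeline implies: a cursor-positioning escape, " 0x<addr>", four spaces, hex bytes).
# Commands are echoed back, and the response for 0x20 is deliberately missing to
# simulate a line lost to the fixed 3-second pacing; 0x10 is read twice (a retry).
ESC = "\x1b"
SAMPLE_CAPTURE = (
    "rp byte d 0 c 10\r\n"
    + ESC + "[2;1H 0x00000000    48 65 6c 6c 6f 20 77 6f 72 6c 64 21 0a 00 ff 7e\r\n"
    + "rp byte d 10 c 10\r\n"
    + ESC + "[3;1H 0x00000010    de ad be ef 00 11 22 33 44 55 66 77 88 99 aa bb\r\n"
    + "rp byte d 20 c 10\r\n"
    + "rp byte d 30 c 10\r\n"
    + ESC + "[5;1H 0x00000030    01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10\r\n"
    + "rp byte d 10 c 10\r\n"
    + ESC + "[6;1H 0x00000010    de ad be ef 00 11 22 33 44 55 66 77 88 99 aa bb\r\n"
)

# Any CSI escape (ESC [ params letter), not only the cursor move the post's sed targets.
CSI_RE = re.compile(r"\x1b\[[0-9;?]*[A-Za-z]")
# One dump line after cleanup: 0x<addr>, whitespace, hex byte pairs with optional spaces.
DUMP_LINE_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{2}\s*)+)$")


def rp_commands(addresses, count):
    """Build `rp byte d <addr> c <count>` lines (hex fields, CRLF) like the seq|xargs step."""
    return ["rp byte d %x c %x\r\n" % (a, count) for a in addresses]


def parse_capture(capture):
    """Strip terminal escapes, keep only dump lines, return ({addr: bytes}, [conflicting addrs]).

    A block read twice is fine as long as both reads agree; a disagreement is reported
    because it usually means one of the serial lines was garbled.
    """
    blocks, conflicts = {}, []
    for raw in capture.splitlines():
        m = DUMP_LINE_RE.match(CSI_RE.sub(" ", raw).strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2))   # fromhex ignores the spaces between pairs
        if addr in blocks and blocks[addr] != data:
            conflicts.append(addr)
        blocks[addr] = data
    return blocks, conflicts


def assemble_image(blocks, size, chunk):
    """Place each block at its own address; return (image, chunk addresses with no data).

    Unread space is filled with 0xff (erased-flash value, an assumption) so gaps
    stand out in a hex viewer instead of silently reading as zeros.
    """
    image = bytearray(b"\xff" * size)
    missing = []
    for addr in range(0, size, chunk):
        if addr in blocks:
            image[addr:addr + len(blocks[addr])] = blocks[addr]
        else:
            missing.append(addr)
    return bytes(image), missing


if __name__ == "__main__":
    blocks, conflicts = parse_capture(SAMPLE_CAPTURE)
    image, missing = assemble_image(blocks, size=0x40, chunk=0x10)
    print("conflicts :", [hex(a) for a in conflicts])
    print("missing   :", [hex(a) for a in missing])
    print("retry with:", rp_commands(missing, 0x10))
    with open("firmware.bin", "wb") as f:
        f.write(image)
```

On a real capture, feed `parse_capture(open("romdump.hex", errors="replace").read())` the raw tee output (no sed cleanup needed) with `size` and `chunk` set to 16 MiB and 0x80 to match the address list, then send the `rp_commands(missing, 0x80)` output back down the serial line and merge the second capture the same way.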

I'll see about posting an update in 4 days when this dump is done...