Need help with DFU creation

More
01 Jan 2013 22:13 #4486 by PhracturedBlue
Need help with DFU creation was created by PhracturedBlue
Today, the only way to install Deviation is with the Walkera DFuSe tool. This is not-ideal for Mac/Linux users. the reason is that the Walkera DFuSe tool modifies the dfu file before transmitting it, and I'm trying to understand how that is done. I have a feeling that it is not static per-model, but instead is unique to every Tx.

I need more samples from Devo6, Devo8, or Devo10 radios to make sense of it.

What I need are USB traces of uploading a DFU file.

In WinXP I used to use usbsnoop:
www.pcausa.com/Utilities/UsbSnoop/
But it does not work in Win7

In Win7, it is theoretically possible to use logman:
blogs.msdn.com/b/usbcoreblog/archive/200...-usb-core-stack.aspx
But while I could capture the logs, I couldn't seem to capture the actual data transfer (which is what I need)

In the end, I used the demo version of USBTrace:
www.sysnucleus.com/usbtrace_download.html
which worked fine on my Win7 x-64 machine

You could also, likely use Wireshark in Linux running a Windows virtual-machine, though I didn't get around to trying that.

I would like a couple of folks who can install a usb snooper to capture the start of the dfuse tool (Tx in program mode, and plugged in, start DFuSe tool), and the installation of a dfu file (Upgrade).

I recommend taking a snapshot before installing a usbsnooper, as it is theoretically possible for it to mess up USB detection if something goes wrong.

Please Log in or Create an account to join the conversation.

More
02 Jan 2013 02:44 - 02 Jan 2013 03:25 #4497 by sbstnp
Replied by sbstnp on topic Need help with DFU creation
First attachment is a simple comversation capture using logman.

Second is the same conversation capture done in Linux.

Third attachment is a full capture using logman.

Captures done with logman can be filtered, by Vendor Id for example:
ContainsBin(FrameData, hex, "83 04")

Note: usbtrace evaluation has a capture size limit which I hit during DFU upload.

PS: can't seem to be able to attach *.cap files, so I renamed to .txt

File Attachment:

File Name: devo10.txt
File Size:32 KB

File Attachment:

File Name: devo10-linux.txt
File Size:4 KB

File Attachment:

File Name: devo10-full.zip
File Size:226 KB

Devo 10 + 4in1
Spektrum Dx9
FrSky Taranis + TBS Crossfire
Attachments:
Last edit: 02 Jan 2013 03:25 by sbstnp.

Please Log in or Create an account to join the conversation.

More
02 Jan 2013 02:51 - 02 Jan 2013 17:39 #4498 by RugWarrior
Replied by RugWarrior on topic Need help with DFU creation
I will try USBlyzer as it can make full logs even as trial.
Last edit: 02 Jan 2013 17:39 by RugWarrior.

Please Log in or Create an account to join the conversation.

More
02 Jan 2013 04:07 #4500 by PhracturedBlue
Replied by PhracturedBlue on topic Need help with DFU creation
The problem is that the logman logs don't seem to provide the actual data in the packet. There should be 1024bytes per packet during transfer, but I don't see that data in the .cap file.
the linux logs look ok (though there are no data packets in the initialization (that is expected), and if I recall I had a similar issue with linux truncating the data when I used it way back when)

Anyhow, with more investigation, I think the changes added by DFuSe are actually based on the contents of the firmware, not the Tx, so If I can figure out which bytes are used to compute the modified 'checksum' I'll be one step closer. It also means I probably don't need any more log captures at this time.

Please Log in or Create an account to join the conversation.

More
02 Jan 2013 04:30 #4501 by sbstnp
Replied by sbstnp on topic Need help with DFU creation
I was expecting my captures to contain nothing of value. I've played some more with USBtrace and I'm seeing the same problem on my side, no actual data is captured.

I hope you can do without these though, good luck.

Devo 10 + 4in1
Spektrum Dx9
FrSky Taranis + TBS Crossfire

Please Log in or Create an account to join the conversation.

  • rbe2012
  • rbe2012's Avatar
  • Offline
  • So much to do, so little time...
More
02 Jan 2013 11:11 - 02 Jan 2013 11:11 #4514 by rbe2012
Replied by rbe2012 on topic Need help with DFU creation
If you are right and there is no dependency from the tx would it be helpful to get logs with special dfu files where only one byte or one bit is changed / appended...?
When I understood right then we have not to fear to install a senseless dfu on our tx, we can always cure this with a correct (this can only be deViation) dfu.
Last edit: 02 Jan 2013 11:11 by rbe2012. Reason: (Typo)

Please Log in or Create an account to join the conversation.

More
02 Jan 2013 17:41 - 02 Jan 2013 17:46 #4523 by RugWarrior
Replied by RugWarrior on topic Need help with DFU creation
I made a log with USBlyzer with my Devo 8S flashing the official deviation-devo8-v2.1.0.dfu

And one with the latest commit...

If this is of any use than I can make more if wanted...
Attachments:
Last edit: 02 Jan 2013 17:46 by RugWarrior.

Please Log in or Create an account to join the conversation.

More
02 Jan 2013 17:58 #4525 by PhracturedBlue
Replied by PhracturedBlue on topic Need help with DFU creation
Thanks. I think I found the 'key' I need. It appears that it is transmitter specific.
Every tranmsitter has a unique serial number (in the MCU), and this is the value that is used to build the final DFU sent to the transmitter.

I'm not sure exactly why they do this except to ensure that the transmitter can only work in conjunction with the Walkera Dfuse tool. It does not in any way that I see help to secure their firmware (indeed we've been loading Deviation onto radios for 6 months without being aware of anything more than a keep-out region)

They use a different algorithm for each model, but the math is relatively simple. Again, I have no idea why they bother with all of this.

Please Log in or Create an account to join the conversation.

More
02 Jan 2013 18:26 - 02 Jan 2013 18:26 #4526 by sbstnp
Replied by sbstnp on topic Need help with DFU creation
And one capture using same software, btw, good catch RW. Flashed 2.1.0 on my Devo 10. Hope it helps.

File Attachment:

File Name: devo10-2.1...ture.zip
File Size:181 KB

Devo 10 + 4in1
Spektrum Dx9
FrSky Taranis + TBS Crossfire
Attachments:
Last edit: 02 Jan 2013 18:26 by sbstnp.

Please Log in or Create an account to join the conversation.

More
02 Jan 2013 21:17 #4533 by RugWarrior
Replied by RugWarrior on topic Need help with DFU creation
Interesting why they do something like this to "secure" writing to the tx...

Who knows :silly:

sbstnp I had a look at your dump and mine... and thank god we have devs like PB... I do not get the point comparing the dumps :P

Please Log in or Create an account to join the conversation.

More
03 Jan 2013 07:49 #4554 by Tom_ate
Replied by Tom_ate on topic Need help with DFU creation

RugWarrior wrote: ...Interesting why they do something like this to "secure" writing to the tx...


Sorry, RW, but I think this is not the real point.

I have the same opinion as PB wrote earlier int this threat: With this checksum they have done nothing to securve writing to the TX - they have done it to prevent that the TX is written to with anything else than their own Dfuse-tool.

Kind regards,

Matthias

Please Log in or Create an account to join the conversation.

More
03 Jan 2013 14:30 #4598 by PhracturedBlue
Replied by PhracturedBlue on topic Need help with DFU creation

Tom_ate wrote: I have the same opinion as PB wrote earlier int this threat: With this checksum they have done nothing to securve writing to the TX - they have done it to prevent that the TX is written to with anything else than their own Dfuse-tool.

The thing I don't understand is why they went as far as they did. Ensuring only their dfuse tool could write to the Tx would have been very simple: change the dfuse format slightly. Instead you have a unique ID and different algorithms for different models. The latter could be useful to prevent loading a devo8 firmware onto a devo10, but since it is rebuilt by dfuse every time you load, you lose any such benefit.

There are a lot of 'security' measures in the Devo (like scrambling the DFU) but it turns out that every single one is poorly implemented (which is a good thing for us, as otherwise, the effort to install Deviation would be much higher)

Please Log in or Create an account to join the conversation.

Time to create page: 0.057 seconds
Powered by Kunena Forum