Different SBI version?

[matdoslb]

Hello!
Recently picked up an old VX820 from a friend who closed down his store. My VX has the exact same os version as yours, however, my SBI is on v02_85.

I developed a simple "brute-forcing" script that:

• makes a stub of 24-byte XDL headers, 0x30 of padding, a single thumb BL, 2 bytes of padding to round to 64B
• builds the stub for each potential shell address as a 64b stub with a BL at offset 0x30.

This is all in hopes that I stumble upon the shell address and can then dump full SBI to make a patched .bin for my SBI version.

I'm wondering if you have any insight on the way you were able to find the correct prompt() jump to then be able to dump SBI.

I'm able to send .bins using XDL and the VX does acknowledge them,I've tried to send .bins that give me any sort of UART output or anything to know that I am correctly executing them, yet I never get any sign whatsoever, and have yet to find the shell.

To be honest, I'm pretty ready to get a chip programmer and clip it onto the flash chip of the board itself ;)))

And yes, all this to run doom!!! I saw your speech from '22 a few months ago, and I've been reverse engineering things for as long as I can remember, and so I thought to myself "why not?"

[ThomasRinsma]

Hi!

You're not the first trying to get 02_85 to work. It must be relatively common as well, sadly I don't own a device with it myself.

So to bootstrap things, I "cheated" by looking at the screenshots in the POSWorld paper which show addresses for 03_04. Not sure how they obtained the binary to start with, maybe from the SDK or an update file.

Your strategy seems solid, but it will be quite time consuming to try all offsets (I sort of binary-searched things for 03_10 but it was still painful). Maybe it might be worth developing a mini memdump payload (would indeed need figuring out of the uart peripheral, or any of the peripherals that allow outputting bits) to make things easier and bypass the need for brute forcing.

Good luck in any case!

[matdoslb]

Your strategy seems solid, but it will be quite time consuming to try all offsets (I sort of binary-searched things for 03_10 but it was still painful). Maybe it might be worth developing a mini memdump payload (would indeed need figuring out of the uart peripheral, or any of the peripherals that allow outputting bits) to make things easier and bypass the need for brute forcing.

Yes, my current plan is to make a small memdump payload via ram, the only thing I seem to have trouble with is actually receiving the dump via UART. I have been assuming that the UART address did not change and was the same as in SBI 03_04, but I think what I'll have to do now is perhaps try a stub to poll UART_FR for each potential address, in hopes of receiving anything that can give me a clue.

EDIT: if you're able to help me get UART output I would be extremely grateful, because I won't be able to dump anything without proper UART output :))

[NatanGrygiel]

Hi, I have a VX680 with the exact same SBI version. I will be more than happy to help cracking this puzzle. I have access to both a COM port as well as USB, which could be useful. I have tried my own hand at crafting the payload but I'm more or less at the same stage as you.
Sincerely,
Natan

[matdoslb]

Hi, I have a VX680 with the exact same SBI version. I will be more than happy to help cracking this puzzle. I have access to both a COM port as well as USB, which could be useful. I have tried my own hand at crafting the payload but I'm more or less at the same stage as you. Sincerely, Natan

Nice! First time i've been able to get in contact with someone who also has SBI 02_85. Is there anywhere else where I can contact you instead of Github Issues ? (X, Email etc..). Had a look at your website too, pretty cool ;)

In terms of where I am so far:

• I did a full re-read of the POSWorld document and found some pretty interesting info, including the T:SHELL.OUT app, which gave me a shell of some sorts into the VX, but there honestly isn't much you can do in the shell. The DUMP command returns a "not found" error, and the RUN command (at least for me) most of the time just returns a

• run()>=-1 <- I may have gotten that wrong, but its something along those lines.

In POSWorld's document, I noticed that they seemed to have found a) a stack overflow potential in the run() (RUN) command, which in some way could allow to cause strategic and specific overflows giving us access into other system apps (though this probably wouldn't work)

Or, I also noticed an AUTH command in the shell, perhaps related to one of the signature signing apps on the device (i remember seeing a function to check signatures and sign apps)

I've gotten as far as attempting to create a .OUT app that basically signs another app, and another .OUT app that attempts to use the XDL headers that the OS looks for ( in check_bootHeader() ) and run a small memory dumper, but still, nothing has worked.

I also own a VX520 running SBI 03_04, and have already thought of using it to create a signature file for a memory dumper payload, and then extract it from the VX520 and load it onto my VX820, but unfortunately that wont be possible as, from what I understand, when signing apps, the SBI uses HMAC (Hash-based Message Authentication Code) from the OTP (One-Time-Programmable Memory) of the device, meaning that if you were to load the file with one device's key, they wont load on your other device.

Please let me know where you're up to, and we can work together to see what we can do. Unfortunately, I'm having a hard time finding anyone else on the same SBI version as me, and so making progress is hard.

Ultimately, what needs to be done is: dump SBI, patch SBI, done. Easier said than done, Especially when using different SBI versions.

EDIT: I'm now wondering if there is a possibility of completely wiping SBI and re-flashing 03_04 to devices with other SBI versions ? Would probably require hardware intervention of the actual chip.

[NatanGrygiel]

Is there anywhere else where I can contact you instead of Github Issues ? (X, Email etc..).

Telegram is my preferred way of communication, but I'm open to Discord if that's a problem. You can send where to contact you via email. My address is natan@natangrygiel.pl .

Looking forward to it