diff --git a/pics/IDC_connector_end_view.png b/pics/IDC_connector_end_view.png deleted file mode 100644 index dcc0b77..0000000 Binary files a/pics/IDC_connector_end_view.png and /dev/null differ diff --git a/pics/README.md b/pics/README.md deleted file mode 100644 index 8020e75..0000000 --- a/pics/README.md +++ /dev/null @@ -1 +0,0 @@ -Pics for Wiki diff --git a/pics/Tag-Connector_end_view.png b/pics/Tag-Connector_end_view.png deleted file mode 100644 index 76f6c4b..0000000 Binary files a/pics/Tag-Connector_end_view.png and /dev/null differ diff --git a/pics/battery_custom1.jpg b/pics/battery_custom1.jpg deleted file mode 100644 index fac73ac..0000000 Binary files a/pics/battery_custom1.jpg and /dev/null differ diff --git a/pics/battery_custom2.jpg b/pics/battery_custom2.jpg deleted file mode 100644 index f3c5759..0000000 Binary files a/pics/battery_custom2.jpg and /dev/null differ diff --git a/pics/battery_custom3.jpg b/pics/battery_custom3.jpg deleted file mode 100644 index f7744ef..0000000 Binary files a/pics/battery_custom3.jpg and /dev/null differ diff --git a/pics/battery_custom_compare.jpg b/pics/battery_custom_compare.jpg deleted file mode 100644 index f899d9c..0000000 Binary files a/pics/battery_custom_compare.jpg and /dev/null differ diff --git a/pics/debug_port_pin_out.png b/pics/debug_port_pin_out.png deleted file mode 100644 index 31a302c..0000000 Binary files a/pics/debug_port_pin_out.png and /dev/null differ diff --git a/pics/powersupply_station.jpg b/pics/powersupply_station.jpg deleted file mode 100644 index e01e530..0000000 Binary files a/pics/powersupply_station.jpg and /dev/null differ diff --git a/pics/sd_extension_cable.jpg b/pics/sd_extension_cable.jpg deleted file mode 100644 index 64a3304..0000000 Binary files a/pics/sd_extension_cable.jpg and /dev/null differ 
diff --git a/pics/sd_extension_cable_removed_resistor.jpg b/pics/sd_extension_cable_removed_resistor.jpg deleted file mode 100644 index 3cf30e9..0000000 Binary files a/pics/sd_extension_cable_removed_resistor.jpg and /dev/null differ diff --git a/pics/toniebox_pcb_debug_port.png b/pics/toniebox_pcb_debug_port.png deleted file mode 100644 index e7599df..0000000 Binary files a/pics/toniebox_pcb_debug_port.png and /dev/null differ diff --git a/wiki/Audio-file-format.md b/wiki/Audio-file-format.md deleted file mode 100644 index 94caf8e..0000000 --- a/wiki/Audio-file-format.md +++ /dev/null @@ -1,76 +0,0 @@ -# SD card structure -Every box contains a SD card which is used to store the tonies audio data. - -## downloaded audio files -The downloaded audio files for tonies are stored on the SD card in a directory for every tonie. - -Directories are named by the last 4 bytes of the tonie ISO15693 UID in hex format, e.g. \DEADBEEF. -Within that folder there is a file named by the first 4 bytes of the UID. -Both hex values represent the tag's UID, but in reverse order. - -So a tonie with the UID E00403500D0D3F47 has the audio content stored in the file \CONTENT\473F0D0D\500304E0. - -## predefined files -Upon initalization the box extracts the content of the flash-internal sfx.bin into two directories with several audio files: - - 00000000\000000* - 00000001\000000* - -# Audio file format -In general the audio files are just OGG files with some custom header - -So the files are structured like this: - - ::=
-
::= - - where: - length of in big endian uint32, usually 0x00000FFC - protobuf coded info fields like SHA1 hash, audio length, etc - Ogg audio file - -# Header format - -The file header is coded using protobuf and contains these fields: - - 1. [string] Audio data SHA-1 hash - 2. [variant] Audio data length in bytes - 3. [variant] Audio-ID of OGG audio file, which is the unix time stamp of file creation - 4. [string] [array of variant] Ogg page numbers for Chapters - 5. [string] fill bytes „00“ up to - -To decode the protobuf content, you can use the online decoder at https://protogen.marcgravell.com/decode - -Encoding is a bit more tricky, as the tested encoder did not produce the correct data for the 4th field. -Here the protobuf field type should be "string" and the content should be an array of multiple variants. -One variant coded page number for every chapter in the file, starting with a zero for the first chapter. - -The encoder produced either multiple variant fields with the same field number, or the correct string field -except for files with only one chapter where it generated only a variant field. -Long story short, the best choice was to build a custom protobuf encoder. - -# Audio data - -The container format for the audio data is Ogg, which packetizes the data into so called "pages". -Pages contain metadata like the time granule (timestamp) for playback, sequence number, checksum etc. and -the real audio data in segments within the page. -See https://en.wikipedia.org/wiki/Ogg_page - -The tonie files are encoded using an opus coder with around 96-116 kbps in VBR mode. (opus header say 96 kbps) -The encoder was set up to produce Ogg pages that perfectly fit into a 4k (0x1000) byte sized page. -As the box seems to read the data from SD into a 4k byte sized buffer, pages are only -allowed to start at 4k-boundaries and must end at the end of the page. Pages can not cross the 4k boundary, -else the file is treaten as invalid and gets re-downloaded. 
- -There is no (to me known) way of "padding" data in a page so that the box would accept the data as valid. -Thus the encoder must be configured in CBR mode with a certain bit rate, such that Ogg page header plus segments -build up 4k sized blocks starting at 4k-offsets and ending at 4k-offsets. -For sure there is a way to tell the opus coder "now please produce a segment with n bytes" which can be -used to fill up the page until it's 4k end. -But the in experiments used encoder did not have an obvious feature to do this. - -**We have developed a tool called [teddy](https://github.com/toniebox-reverse-engineering/teddy) to encode and decode these files.** - -# Audio file extraction with Linux OS -- Remove Header of the file with ´dd bs=4092 skip=1 if=500304E0 of=trim.ogg´ -- then just use ffmpeg to convert it into mp3 ´ffmpeg -i trim.ogg done.mp3´ diff --git a/wiki/Battery-pack-&-power-supply.md b/wiki/Battery-pack-&-power-supply.md deleted file mode 100644 index 9933712..0000000 --- a/wiki/Battery-pack-&-power-supply.md +++ /dev/null 
@@ -1,75 +0,0 @@ -# Battery -* Voltage: 3.6V -* Chemistry: NiMH -* Cells: 3 -* Size: AA - -## NTC (Thermistor) white cable -* 22°C - 10kOhm -* 35°C - 6kOhm -* 5°C - 30kOhm -* MF58 10kOhm 3950K (Confirmed by Boxine) - -## Plug -* JST PH 2mm 3pin - -## Cable Length for custom battery packs -* Black: 17cm -* Red: 15cm -* White: 15cm - -## ADC Voltage Map -| Box ID | User | voltage in V | ADC raw | charging| original battery | notes | -| -- | -- | -- | -- | -- | -- | -- | -| B-Dev Blue | SciLor | 3.975 | 2701 | 0 | 1 | | -| B-Dev Blue | SciLor | 4.16 | 2824 | 0 | 1 | | -| B-Dev Blue | SciLor | 4.25 | 2882 | 0 | 1 | Max | -| B-Dev Blue | SciLor | 4.39 | 3188 | 1 | 1 | | -| B-Dev Blue | SciLor | 4.44 | 3195 | 1 | 1 | Max | -| Lila | SciLor | 3.686 | 2489 | 0 | 0 | | -| Lila | SciLor | 3.659 | 2478 | 0 | 0 | Shut Off Message | -| Lila | SciLor | 4.26 | 2870 | 0 | 0 | Max | -| Lila | SciLor | 4.47 | 3180 | 1 | 0 | Max | -| Red | SciLor | 3.641 | 2456 | 0 | 0 | | -| Red | SciLor | 3.540 | 2400 | 0 | 0 | Shut Off Message | - -Voltage measurement TP38 -``` -from machine import Pin -from machine import ADC -p_charger = Pin('GP17', mode=Pin.IN) -p_charger.value() -adc = ADC() -p_battery = adc.channel(pin='GP5') -p_battery.value() -``` - -### Voltage calculation -From the data above following calculation can be used: -``` -voltage = adc * 100/67690; //charger disconnected -voltage = adc * 100/71907; //charger connected -``` -The OFW uses a slightly different formula: -``` -voltage = ((adc * (40000/26173)) - 89) / 1000 -adc = ((1000 * voltage) + 89) * (26173/40000) -``` -The OFW uses the value 3,601v or adc=2297 as low battery voltage (0xE11). As shutoff voltage 3,299v / 3,300v or adc=2099/2100 are used (0xCE3/0xCE4). 
- - - - -## Photos (Custom Battery Pack) -![](https://raw.githubusercontent.com/toniebox-reverse-engineering/toniebox/master/pics/battery_custom_compare.jpg) -![](https://raw.githubusercontent.com/toniebox-reverse-engineering/toniebox/master/pics/battery_custom1.jpg) -![](https://raw.githubusercontent.com/toniebox-reverse-engineering/toniebox/master/pics/battery_custom2.jpg) -![](https://raw.githubusercontent.com/toniebox-reverse-engineering/toniebox/master/pics/battery_custom3.jpg) - -# Power supply -* Voltage: 9V -* Current: 1.5A -* Plug 5.5x2.1mm (+9V inner side) - -## Photo -![](https://raw.githubusercontent.com/toniebox-reverse-engineering/toniebox/master/pics/powersupply_station.jpg) diff --git a/wiki/Boot-process b/wiki/Boot-process deleted file mode 100644 index 9a41639..0000000 --- a/wiki/Boot-process +++ /dev/null @@ -1,12 +0,0 @@ -# Boot Process - -## Introduction -When the CC3200 is started the integrated bootloader is loading /sys/mcuimg.bin from flash to the memory address 0x20004000. The SRAM is located at 0x20000000 to 0x2003FFFF. If you want to implement a second stage bootloader you would usally implement a relocator that moves your bootloader to 0x2000000. If it bootloader smaller than 16kB (0x4000) you then may load your desired firmware from SD or Flash to 0x20004000 as the integrated bootloader would do. The toniebox's (seconds stage) bootloader is bigger than 16kB. So loading it to 0x20000000 wouldn't work. - -## Relocator -The original firmware bootloader has a relocator which loads the bootloader to memory address 0x20038000, which 32kB before the very end of the memory. - -## OFW bootloader -The bootloader loads a file called "/sys/mcubootinfo.bin" that contains the id of the firmware to load. - -To verify the integrity of the firmware, a sha256 hash is appended to the end of each firmware file. The bootloader checks it. \ No newline at end of file 
diff --git a/wiki/Debug-Port-&-Extract-Firmware.md b/wiki/Debug-Port-&-Extract-Firmware.md deleted file mode 100644 index 712a6eb..0000000 --- a/wiki/Debug-Port-&-Extract-Firmware.md +++ /dev/null 
@@ -1,110 +0,0 @@ -# Debug Port -## Position of debug port on Toniebox-PCB - -![https://github.com/toniebox-reverse-engineering/toniebox/blob/master/pics/toniebox_pcb_debug_port.png](https://github.com/toniebox-reverse-engineering/toniebox/blob/master/pics/toniebox_pcb_debug_port.png) - -The debug port runs on `3.3 V` - -## Layout debug port -``` - 10 9 8 7 6 - 1 2 3 4 5 -``` - -![https://github.com/toniebox-reverse-engineering/toniebox/blob/master/pics/debug_port_pin_out.png](https://github.com/toniebox-reverse-engineering/toniebox/blob/master/pics/debug_port_pin_out.png) - - -| Pin | Function | Comment | -| --- | -------- | --------------------- | -| 1 | TX | 55 | -| 2 | RX | 57 | -| 3 | VCC | 3.3V | -| 4 | RST | 32 | -| 5 | GND | | -| 6 | ? | 45 | -| 7 | TCK | 19 | -| 8 | TMS | 20 | -| 9 | SOP2 | 21 (indirect SOP0 35) | -| 10 | ? | U3 | - -# Tag-Connector for debug port - -To connect to the debug port a Tag-Connector can be used. - -Datasheet: [Tag Connect TC2050-IDC-NL](https://www.tag-connect.com/wp-content/uploads/bsk-pdf-manager/TC2050-IDC-NL_Datasheet_8.pdf) - -Available at: [Tag Connect TC2050-IDC-NL](https://www.tag-connect.com/product/tc2050-idc-nl-10-pin-no-legs-cable-with-ribbon-connector) - -Alternative (cheaper): [PCB Clip 1.27mm 5 Pin Double Row](https://a.aliexpress.com/_BSuEeo) - -# Boot Mode -The CC3200 device implements a sense-on-power (SoP) scheme to switch between two modes that are available within the Tonie project. (To switch between the boot modes a restart of the device is needed.) [CC3200 datasheet 5.9.3](http://www.ti.com/lit/ds/symlink/cc3200.pdf) -## SWD Mode -SOP2 (pin 9) low (standard) will activate the functional mode with a 2-wire SWD mapped to TCK (pin 7) and TMS (pin 8) of the debug port. 
-## UART mode -SOP2 (pin 9) high will activate the UART load mode to flash the system during development and in OEM assembly line - -# Extract Firmware -## Introduction -Grab your favourite USB-UART **3.3V** interface, recommending those with DTR or RTS port to automate board reset. You may also use a CC3200 Launchpad, but then you will need to reset it by hand. SOP2 need to be pulled high while reset to set the cc3200 into UART-Mode. - -## Toolset -Use [cc3200tool](https://github.com/toniebox-reverse-engineering/cc3200tool) to extract the firmware. Just download it to your favorite location. -You will need to install python3 (including pip3). The [cc3200tool](https://github.com/toniebox-reverse-engineering/cc3200tool) needs the package pyserial (which can be automatically installed via the setup.py). You may install it manually via `pip3 install pyserial`. To make the process easier, we just call the cc.py within the `cc3200tool/` directory. - -## Connection -Please connect the toniebox to your power supply and/or battery. Please double check your UART that its VCC is 3.3V and not 5.0V. If your UART is missing DTR you will need to connect the Toniebox RST to GND for a moment before each command to reset the box. If you reset the box it should glow green all the time without booting and playing its startup jingle. - -| Toniebox | Toniebox | UART | -| -------- | ------- | ---- | -| GND | | GND | -| TX | | RX | -| RX | | TX | -| RST | | DTR | -| VCC | SOP2* | | -| SOP2 | VCC* | | - -*Pin SOP2 of the Toniebox should be bridged with the VCC of the Toniebox. - -If you have got problems [check out the known problems and fixes](Known-Problems-and-Fixes#cc3200tool-related). - -## Example commands -You may replace COM3 with the right port on your computer (linux ex. /dev/ttyUSB0). Please add `--reset dtr` to each command (see 6.) if you have RST connected to DTR for auto reset. 
In addition, if you got connection issues, you may try to connect SOP2 to the RTS pin directly and add `--sop2 ~rts` to each command. - -| | Descriptiion | Command | -| - | - | - | -| 1 | List files in FatFS (useful to check the connection) | `python cc.py -p COM3 list_filesystem` | -| 2 | Extract full firmware | `python cc.py -p COM3 read_flash firmware.dmp` | -| 3 | Extract all files | `python cc.py -p COM3 read_all_files ./target_dir` | -| 4 | Extract singe files | `python cc.py -p COM3 read_file /sys/mcuimg.bin ./sys/mcuimg.bin` | -| 5 | Extract firmware and files | `python cc.py -p COM3 read_flash firmware.dmp read_all_files ./target_dir` | -| 6 | List files in FatFS with DTR auto reset | `python cc.py -p COM3 --reset dtr list_filesystem` | -| 7 | List files in FatFS with DTR/RTS auto reset/sop2 | `python cc.py -p COM3 --reset dtr --sop2 ~rts list_filesystem` | - -If you are done, either disconnect the box from the charger and battery or remove SOP2 from VCC and connect the Toniebox RST to GND for a moment to reset the box. - -# Log output -The original bootloader and the original firmware do some logging to the serial port with baudrate 921600 -ex. Linux: "screen /dev/ttyUSB0 921600" or under Windows with PuTTY. - -## bootloader -``` -CC3200 bootloader v1472818501 (09c6374) build: Fri Sep 2 14:15:01 CEST 2016 dl:1.2.0 sl:1.0.1.6 hw:tb-smt-16:1:13 -loaded battery critical level = 3600 -battery_level = 4823 -``` -## original firmware -``` -QO (�72-�3�]FWc041b2f13 Nov 17:47E�3�]Jc041b2f0. (�2EU_V3.0.5-0E�3�]Jc041b2f<: (�2EU_V3.0.5_stable_branchE�3�]Jc041b2f+) (�92E�3�]& (#2E�3�]]Jc041b (2SPE�3�]%#E�3�� 2� - SP���E�3�]#! � - (�/�E�3�]20 � - (<2�E�3�]20 � (=2� -2%�80USDS�(�5\E�3�]#!E�3� (�9-�z[E�3�] � (�72E�3�]@> � (� -94E36D679CD9E�3�]#! � (�/��E�3�]#!E�� (�/��E�3�]/�E�� (�02�E�3�]2�3�� #(�02-E�3�]#! � (�/�E�3�]#! � (�/�E�3�]#! � (�/��E�3�]#! �! !(�0E�3�]#! �" !(�0E�3�] �# (�2E�3�] �$ (�02E�3�] �% (�&2�E�3�] �& (�&2;E�3�] �' (�&2�)E�3�]! 
�( (�&2�)NE�3�] �) (�&2�E�3�] �* (�&E�3�]#! �+ (�&@'|E�3�] �, #(�02-E�3�] �- (�72E�3�]#! �. (�5`E�3�] �/ (�2E�3�];9 �0 (� -1 (�22"content/00000001/00000000\���E�3�]#! 2 (�u��WE�3�]#! 3 (�9\�E�3�]'% 4 (�52E�3�] 5 (�52E�3�]#!2 E6 (�5u��WE�3�] ;7 (�62�E�3�] �8 (�%2E�3�]<: 9 (�2!prod.de.tbs.toys49�E�3�];9 �: (� - 2 E�3�] �; (�2E�3�] �< (�52E�3�] = (�22\ - E�3�] ]> (�22E�3�]#! ]? (�/�E�3�]/- ]@ (�/2�E�3�] ^A (�2E�3�]#! ^B (�/��E�3�] �C (�%2E�3�]20 �D (Z2E�3�]20 �E (<2� -/E�3�]20 �F (=2� - E�3�]MK (G (�22SPGETprod.de.tbs.toys�/v1/ota/4?cv=33545114E�3�]86 �H %(�2rtnl.bxcl.de�L8�E�3�]EC �I (h2+prod.de.tbs.toys�/v1/ota/4?cv=33545114E�3�] �J (�82�E�3�]#! 0K (�8�JE�3�]53 L (�>2Fritz!Box 75905037E1B7F880����E�3�]'% "-M %(�:2QE�3�]QO #-N(�72-�3�]FWc041b2f13 Nov 17:47E�3�]Jc041b2f0. $-O(�2EU_V3.0.5-0E�3�]Jc041b2f<: %-P(�2EU_V3.0.5_stable_branchE�3�]Jc041b2f+) &-Q �� 8�E�3�].,(�02/qT (�02_B$ 8�E�3�].,�020qU (�02_�� 8�E�3�]0. 1qV (� - 2D8�E�3�] -``` diff --git a/wiki/Firmware-Format.md b/wiki/Firmware-Format.md deleted file mode 100644 index 113523a..0000000 --- a/wiki/Firmware-Format.md +++ /dev/null 
@@ -1,377 +0,0 @@ -# Important Toniebox firmware files -|File|Description| -|-|-| -|/cert/ca.der|Contains the Certificate Authority to check the https connection for the api| -|/cert/private.der|Private key of the box, don't share, it is used to identificate agains the cloud| -|/cert/client.der|Public key of the box, don't share| -|/sys/mcuimg.bin|Original bootloader| -|/sys/mcuimg1.bin|First original firmware slot| -|/sys/mcuimg2.bin|Second original firmware slot| -|/sys/mcuimg3.bin|Third original firmware slot| -|/sys/mcubootinfo.bin|Decides which firmware slot to boot| - -# Analysing the Toniebox firmware image format - -The Toniebox uses the image structure just like in the cc3200-sdk from ti. -So from to-sdl/1.5.0/flc/flc.h see the following header: - -```{C} -#ifndef FAST_BOOT -#define IMG_BOOT_INFO "/sys/mcubootinfo.bin" -#define IMG_FACTORY_DEFAULT "/sys/mcuimg1.bin" -#define IMG_USER_1 "/sys/mcuimg2.bin" -#define IMG_USER_2 "/sys/mcuimg3.bin" -#else -#define IMG_BOOT_INFO "/sys/mcureserved.bin" -#define IMG_USER_1 "/sys/mcuimg.bin" -#define IMG_USER_2 "/sys/mcuflpatch.bin" -#endif - -/****************************************************************************** - Image status -*******************************************************************************/ -#define IMG_STATUS_TESTING 0x12344321 -#define IMG_STATUS_TESTREADY 0x56788765 -#define IMG_STATUS_NOTEST 0xABCDDCBA - -/****************************************************************************** - Active Image -*******************************************************************************/ -#define IMG_ACT_FACTORY 0 -#define IMG_ACT_USER1 1 -#define IMG_ACT_USER2 2 -``` -As we can see they are using 4 images. First one is the mcubootinfo.bin. Next one is the mcuimg1.bin and the next two images -are indented to be used for OTA updates while the first one is inteded to be the factory reset/default image kind of backup. 
- -## Format of Toniebox Bootinfo reversed with radare2 - -Let's check the mcubootinfo.bin first, so open it with radare2. - -```{shell} -% r2 mcubootinfo.bin - -- Run your own r2 scripts in awk using the r2awk program. -[0x00000000]> x -- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF -0x00000000 02d8 0320 badc cdab ffff ffff ffff ffff ... ............ -0x00000010 ffff ffff ffff ffff ffff ffff ffff ffff ................ -0x00000020 ffff ffff ffff ffff ffff ffff ffff ffff ................ -0x00000030 ffff ffff ffff ffff ffff ffff ffff ffff ................ -0x00000040 ffff ffff ffff ffff ffff ffff ffff ffff ................ -0x00000050 ffff ffff ffff ffff ffff ffff ffff ffff ................ -0x00000060 ffff ffff ffff ffff ffff ffff ffff ffff ................ -0x00000070 ffff ffff ffff ffff ffff ffff ffff ffff ................ -0x00000080 ffff ffff ffff ffff ffff ffff ffff ffff ................ -0x00000090 ffff ffff ffff ffff ffff ffff ffff ffff ................ -0x000000a0 ffff ffff ffff ffff ffff ffff ffff ffff ................ -0x000000b0 ffff ffff ffff ffff ffff ffff ffff ffff ................ -0x000000c0 ffff ffff ffff ffff ffff ffff ffff ffff ................ -0x000000d0 ffff ffff ffff ffff ffff ffff ffff ffff ................ -0x000000e0 ffff ffff ffff ffff ffff ffff ffff ffff ................ -0x000000f0 ffff ffff ffff ffff ffff ffff ffff ffff ................ -[0x00000000]> -``` - -As we can see it is only a 8 byte big file. - -```{shell} - % ls -lisa mcubootinfo.bin -8632122446 8 -rw-r--r-- 1 kai staff 8 18 Feb 22:35 mcubootinfo.bin -``` - -First of all we need to find the correct matches for the defines IMG_STATUS_TESTING, IMG_STATUS_TESTREADY, IMG_STATUS_NOTEST. -Remember ARM is little endian based, that means 0xABCDDCBA will become 0xBADCCDAB in our binary. 
- -```{shell} -% r2 mcubootinfo.bin - -- A C program is like a fast dance on a newly waxed dance floor by people carrying razors - Waldi Ravens -[0x00000000]> /x badccdab -Searching 4 bytes in [0x0-0x8] -hits: 1 -0x00000004 hit4_0 badccdab -[0x00000000]> -``` - -And of course we get a macht for this byte. So in this case we will boot our image in NOTEST mode. The selected Image is 0x02 beacuse the first byte is read from the bootloader due to flc.c: - -```{shell} -[0x00000000]> x 4 -- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF -0x00000000 02d8 0320 -``` - -So agian we need to rememeber it is little endian and it is 4 byte aligned so only 0x02 is used, the other bytes seen should be just garbage due to the 4 byte alignment. - -Examples for other modes an images can look like this: - -TESTREADY: -```{shell} -- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF -0x00000000 02d8 0320 6587 7856 -``` - -TESTING mit Image 0x01: -```{shell} -- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF -0x00000000 01d8 0320 2143 3412 -``` - -## Format of Toniebox OFW Image reversed with radare2 - -First of all let's start with the interesting informations at the end of the files. -```{shell} - % r2 mcuimg2.bin - -- A git pull a day keeps the segfault away -[0x00000000]> sG -[0x000266e6]> s -2 -[0x000266e4]> x -220 -- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF -0x00026608 0300 0000 4555 5f56 332e 302e 365f 4246 ....EU_V3.0.6_BF -0x00026618 312d 3000 4555 5f56 332e 302e 365f 7374 1-0.EU_V3.0.6_st -0x00026628 6162 6c65 5f62 7261 6e63 6800 0500 acbe able_branch..... -0x00026638 0000 0000 bb1b 4c5e 0000 0000 6161 3232 ......L^....aa22 -0x00026648 6236 3200 3138 2046 6562 2031 383a 3135 b62.18 Feb 18:15 -0x00026658 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00026668 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00026678 0000 0000 0000 0000 0000 0000 0000 0000 ................ 
-0x00026688 0001 0200 0100 010d 0000 0000 0000 0000 ................ -0x00026698 0200 0000 0000 0000 0500 acbe 3131 6661 ............11fa -0x000266a8 3362 3832 3733 6237 6530 6439 3837 3131 3b8273b7e0d98711 -0x000266b8 3566 6136 6263 3630 3031 6131 6166 3163 5fa6bc6001a1af1c -0x000266c8 6339 3433 3562 3330 3338 3831 3132 3436 c9435b3038811246 -0x000266d8 6232 3030 3663 6565 6539 3866 b2006ceee98f -f[0x000266e4]> -``` - -It seems we have a creation date, a version number and an hash as well as an git shorthash in the file end. -Let's proof the hash algorithm, assuming we have sha256 because of the given length. - - -```{shell} - % r2 mcuimg2.bin - -- Finnished a beer -[0x00000000]> sG -[0x000266e6]> s -2 -[0x000266e4]> x -160 -- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF -0x00026644 6161 3232 6236 3200 3138 2046 6562 2031 aa22b62.18 Feb 1 -0x00026654 383a 3135 0000 0000 0000 0000 0000 0000 8:15............ -0x00026664 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00026674 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00026684 0000 0000 0001 0200 0100 010d 0000 0000 ................ -0x00026694 0000 0000 0200 0000 0000 0000 0500 acbe ................ -0x000266a4 3131 6661 3362 3832 3733 6237 6530 6439 11fa3b8273b7e0d9 -0x000266b4 3837 3131 3566 6136 6263 3630 3031 6131 87115fa6bc6001a1 -0x000266c4 6166 3163 6339 3433 3562 3330 3338 3831 af1cc9435b303881 -0x000266d4 3132 3436 6232 3030 3663 6565 6539 3866 1246b2006ceee98f -[0x000266e4]> s 0 -[0x00000000]> ph sha256 0x000266a4 -11fa3b8273b7e0d987115fa6bc6001a1af1cc9435b3038811246b2006ceee98f -``` - -Rocks, seems that we have found everything to calculate an valid toniebox hash by our own. 
-So we can found the following ofsets, relativly to EOF: - -- from -160 to -153 the git shorthash -- from -152 to -140 the creation date -- from -64 to EOF the SHA256 hash of the file - -Unfortunately the version string isn't so fix and differs in it's length -see 3.0.6 for example in comparison to version 3.0.7. and 3.0.8 - -```{shell} - % r2 mcuimg2.bin - -- Documentation is for weak people. -[0x00000000]> sG -[0x000266e6]> s -2 -[0x000266e4]> x -220 -- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF -0x00026608 0300 0000 4555 5f56 332e 302e 365f 4246 ....EU_V3.0.6_BF -0x00026618 312d 3000 4555 5f56 332e 302e 365f 7374 1-0.EU_V3.0.6_st -0x00026628 6162 6c65 5f62 7261 6e63 6800 0500 acbe able_branch..... -0x00026638 0000 0000 bb1b 4c5e 0000 0000 6161 3232 ......L^....aa22 -0x00026648 6236 3200 3138 2046 6562 2031 383a 3135 b62.18 Feb 18:15 -0x00026658 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00026668 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00026678 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00026688 0001 0200 0100 010d 0000 0000 0000 0000 ................ -0x00026698 0200 0000 0000 0000 0500 acbe 3131 6661 ............11fa -0x000266a8 3362 3832 3733 6237 6530 6439 3837 3131 3b8273b7e0d98711 -0x000266b8 3566 6136 6263 3630 3031 6131 6166 3163 5fa6bc6001a1af1c -0x000266c8 6339 3433 3562 3330 3338 3831 3132 3436 c9435b3038811246 -0x000266d8 6232 3030 3663 6565 6539 3866 b2006ceee98f -f[0x000266e4]> -``` - -```{shell} -% r2 mcuimg1.bin - -- Select your character: RBin Wizard, Master Anal Paladin, or Assembly Warrior -[0x00000000]> sG -[0x0002841a]> s -2 -[0x00028418]> x -220 -- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF -0x0002833c 0100 0000 0002 0000 5044 5f56 332e 302e ........PD_V3.0. -0x0002834c 372d 3000 5044 5f56 332e 302e 375f 7374 7-0.PD_V3.0.7_st -0x0002835c 6162 6c65 5f62 7261 6e63 6800 0500 acbe able_branch..... 
-0x0002836c 0000 0000 33a2 c75f 0000 0000 3339 6133 ....3.._....39a3 -0x0002837c 6166 3700 3032 2044 6563 2031 353a 3138 af7.02 Dec 15:18 -0x0002838c 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x0002839c 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x000283ac 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x000283bc 0001 0200 0100 010e 0000 0000 0000 0000 ................ -0x000283cc 0300 0000 0000 0000 0500 acbe 6233 3565 ............b35e -0x000283dc 3665 3233 6238 3539 6662 3332 6565 3930 6e23b859fb32ee90 -0x000283ec 3838 6562 6231 6130 3961 6165 3363 6163 88ebb1a09aae3cac -0x000283fc 3163 3933 3032 3365 3636 6166 6635 3336 1c93023e66aff536 -0x0002840c 6463 6561 3664 3564 3439 3862 dcea6d5d498b -[0x00028418]> -``` - -```{shell} -% r2 mcuimg3.bin - -- This is an unregistered copy. -[0x00000000]> sG -[0x00027cab]> s -2 -[0x00027ca9]> x -220 -- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF -0x00027bcd 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00027bdd 0000 00aa aaaa aa45 555f 5633 2e30 2e38 .......EU_V3.0.8 -0x00027bed 2d30 0033 2e30 2e38 5f45 5500 0500 acbe -0.3.0.8_EU..... -0x00027bfd 0000 0000 fb19 875f 0000 0000 3333 6434 ......._....33d4 -0x00027c0d 6633 6100 3134 204f 6374 2031 373a 3332 f3a.14 Oct 17:32 -0x00027c1d 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00027c2d 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00027c3d 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00027c4d 0001 0200 0100 010e 0000 0000 0000 0000 ................ 
-0x00027c5d 0200 0000 0000 0000 0500 acbe 6632 6565 ............f2ee -0x00027c6d 3433 3365 3036 3330 6135 3632 3433 3234 433e0630a5624324 -0x00027c7d 3237 3764 3736 3363 6533 6337 6165 6131 277d763ce3c7aea1 -0x00027c8d 3633 3061 3961 3037 6134 6239 3831 3766 630a9a07a4b9817f -0x00027c9d 3039 3535 3066 3235 6665 3536 09550f25fe56 -[0x00027ca9]> -``` - -But every version string seems to have the pattern _V included, lets try to build -an regular expression for it and every version string is followed by the bytes -0500 acbe so far, we could use that to find an start point for our search. - -Another very interessting observation are the bytes 0xBEAC0005 at the end of the file just -right before the SHA256 hash. - -## Format of Toneibox original bootloader reversed with radare2 - -```{shell} -% r2 mcuimg.bin - -- AHHHHH!!!! ASSEMBLY CODE!!!!!! HOLD ME I'M SCARED!!!!!!!!!! -[0x00000000]> sG -[0x000051de]> s -2 -[0x000051dc]> x -250 -- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF -0x000050e2 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x000050f2 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00005102 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00005112 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00005122 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x00005132 0000 0000 0000 0000 0000 0000 0000 93c7 ................ -0x00005142 0320 b4c7 0320 fac7 0320 e1c7 0320 1dc7 . ... ... ... .. -0x00005152 0320 a6c7 0320 a1c7 0320 8fc7 0320 c6c7 . ... ... ... .. -0x00005162 0320 d9c7 0320 99c7 0320 0500 acbe 0000 . ... ... ...... -0x00005172 0000 456d c957 0000 0000 3039 6336 3337 ..Em.W....09c637 -0x00005182 3400 4672 6920 5365 7020 2032 2031 343a 4.Fri Sep 2 14: -0x00005192 3135 3a30 3120 4345 5354 2032 3031 3600 15:01 CEST 2016. -0x000051a2 0000 0000 0000 0000 0000 0000 0000 0000 ................ -0x000051b2 0000 0000 0000 0000 0000 0000 0000 0001 ................ 
-0x000051c2 0200 0100 0106 0000 0000 100e 0000 0000 ................ -0x000051d2 0000 2c01 1000 0500 acbe ..,....... -[0x000051dc]> -``` - -So as we can see we get the same EOF indicator as within the mcuimgX.bin images. -But it seems like there is no hash stored within the bootloader itself. Won't make -sense at all, because the is no bootstage that could verify the correct hash of the BL. -But we get an git shorthash and an timestamp again. - -## Python tool for extracting all this information by your own - -During the reversing of all this cool there was a python tool developped for extracting all this information by your own -if you are afraid for hex editors. It has some nice features like recursive mode, csv and json export so you can extract this informations from any folder you like. For the toniebox users out there who have a big collection of firmware images :) - -Find the tool here: [Firmware Information Extractor](https://github.com/toniebox-reverse-engineering/toniebox/blob/master/tools/firmware_info.py) - -It is almost self explaining and has a help menue: - -```{shell} -%% ./firmware_info.py -r testfolder/foo - - -Filename: testfolder/foo/mcuimg2.bin -Firmware Version: EU_V3.0.6_BF1-0 -Firmware Version: EU_V3.0.6_stable_branch - -Creation Date: 18 Feb 18:15 - -Read SHA256: 11fa3b8273b7e0d987115fa6bc6001a1af1cc9435b3038811246b2006ceee98f -Calculated SHA256: 11fa3b8273b7e0d987115fa6bc6001a1af1cc9435b3038811246b2006ceee98f -GIT Shorthash: aa22b62 - - -Filename: testfolder/foo/mcuimg3.bin -Firmware Version: EU_V3.0.8-0 -Firmware Version: 3.0.8_EU - -Creation Date: 14 Oct 17:32 - -Read SHA256: f2ee433e0630a5624324277d763ce3c7aea1630a9a07a4b9817f09550f25fe56 -Calculated SHA256: f2ee433e0630a5624324277d763ce3c7aea1630a9a07a4b9817f09550f25fe56 -GIT Shorthash: 33d4f3a - - -Filename: testfolder/foo/mcuimg1.bin -Firmware Version: PD_V3.0.7-0 -Firmware Version: PD_V3.0.7_stable_branch - -Creation Date: 02 Dec 15:18 - -Read SHA256: 
b35e6e23b859fb32ee9088ebb1a09aae3cac1c93023e66aff536dcea6d5d498b -Calculated SHA256: b35e6e23b859fb32ee9088ebb1a09aae3cac1c93023e66aff536dcea6d5d498b -GIT Shorthash: 39a3af7 -% ./firmware_info.py -jr testfolder/ -Found bootinfo file skipped for JSON-Output: -Slot: [b'\x02'] -Mode: [0] -[ - { - "Filename": "testfolder/mcuimg2.bin", - "FWInfo": [ - "EU_V3.0.6_BF1-0", - "EU_V3.0.6_stable_branch" - ], - "creationDate": "18 Feb 18:15", - "git shorthash": "aa22b62", - "sha256": "11fa3b8273b7e0d987115fa6bc6001a1af1cc9435b3038811246b2006ceee98f", - "calculatedHash": "11fa3b8273b7e0d987115fa6bc6001a1af1cc9435b3038811246b2006ceee98f" - }, - { - "Filename": "testfolder/mcuimg3.bin", - "FWInfo": [ - "EU_V3.0.8-0", - "3.0.8_EU" - ], - "creationDate": "14 Oct 17:32", - "git shorthash": "33d4f3a", - "sha256": "f2ee433e0630a5624324277d763ce3c7aea1630a9a07a4b9817f09550f25fe56", - "calculatedHash": "f2ee433e0630a5624324277d763ce3c7aea1630a9a07a4b9817f09550f25fe56" - }, - { - "Filename": "testfolder/mcuimg1.bin", - "FWInfo": [ - "PD_V3.0.7-0", - "PD_V3.0.7_stable_branch" - ], - "creationDate": "02 Dec 15:18", - "git shorthash": "39a3af7", - "sha256": "b35e6e23b859fb32ee9088ebb1a09aae3cac1c93023e66aff536dcea6d5d498b", - "calculatedHash": "b35e6e23b859fb32ee9088ebb1a09aae3cac1c93023e66aff536dcea6d5d498b" - } -] -``` diff --git a/wiki/Hardware-Overview.md b/wiki/Hardware-Overview.md deleted file mode 100644 index 54224cc..0000000 --- a/wiki/Hardware-Overview.md +++ /dev/null 
@@ -1,35 +0,0 @@ -# Pictures (r1) -## Board -![](https://d3nevzfk7ii3be.cloudfront.net/igi/d4ypF2sLF5VkOXXv.medium) - -Detail pictures see [iFixit Teardown](https://de.ifixit.com/Teardown/Toniebox+Teardown/106148) - -# Parts -## Processor [TI CC3200](http://www.ti.com/lit/ds/symlink/cc3200.pdf) -[Technical Information](http://www.ti.com/lit/ug/swru367d/swru367d.pdf) -Cortex-M4 arm7e-m thumb - -I suggest to get a [CC3200 Launchpad](http://www.ti.com/tool/CC3200-LAUNCHXL) for first contact. - -![](http://www.ti.com/diagrams/cc3200-launchxl_cc3200-launchxl_no_bg_resize.jpg) - -Various useful pins (SOP2, TCK, TMS, GND, RST, GND, RX0, TX0) are available through the onboard debug pins. -## Flash 4MB [ISSI IS25LQ032B](http://www.issi.com/WW/pdf/25LQ080B-016B-032B.pdf) -Firmware is stored in a TI propiertery FatFS but can easily be read over the RX/TX lines of the mainboard when the CC3200 is in flash-mode. - -## Audio DAC [TI TLV320DAC3100](http://www.ti.com/lit/ds/symlink/tlv320dac3100.pdf) -I2C address should be 0x18. -## RFID Reader [TI TRF7962A](http://www.ti.com/lit/ds/symlink/trf7962a.pdf) -Reading MiFare Classic is not possible without using the chips direct mode which means more work. -1.2 http://www.ti.com/lit/an/sloa248b/sloa248b.pdf -http://www.ti.com/tool/TRF796X_TRF7970X_MIFARE_12_2013 - -Firmware TRF7970ABP: http://www.ti.com/lit/zip/sloc297 -Example Salae Logic SPI http://www.ti.com/lit/zip/sloc240 -## Acceleration Sensor [NXP MMA8451Q](https://www.nxp.com/docs/en/data-sheet/MMA8451Q.pdf) -[Arduino Library](https://github.com/sparkfun/SparkFun_MMA8452Q_Arduino_Library) exists. -I2C address is 0x1D -## RGB LEDs -### Green PIN 21 (SOP2) -### Red PIN 19 (TCK) -### Blue PIN 17 (TDO) \ No newline at end of file diff --git a/wiki/Home.md b/wiki/Home.md index 050a02a..4b203c7 100644 --- a/wiki/Home.md +++ b/wiki/Home.md 
@@ -1,7 +1,2 @@ -Welcome to the toniebox wiki! - -This wiki contains all toniebox related information we gathered. - -Attention, do not edit the wiki directly. It is generated automatically from the master branch! - -[The wiki of the custom firmware is found here.](https://github.com/toniebox-reverse-engineering/hackiebox_cfw/wiki) \ No newline at end of file +# Wiki has been moved +[moved here](https://toniebox-reverse-engineering.github.io/docs/wiki/) diff --git a/wiki/Known-Firmwares.md b/wiki/Known-Firmwares.md deleted file mode 100644 index 74dd288..0000000 --- a/wiki/Known-Firmwares.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# List of known firmware versions - -## Normal firmwares -|Version|Branch|Creation Date|Year|git short hash|Comments|hash| -|-|-|-|-|-|-|-| -|PD_V3.1.0_BF4-0|master|27 May 10:33|2021|d8481fc||ea9dee23fe4f9967cb0ca232a31734d059fd0c4591c95e53722188b86ed2dd44| -|EU_V3.1.0_BF2-0|3.1.0_BF2_EU|06 May 20:21|2021|2640c1f||36ef76a6937a128d3bf125d7f08c0c120387e44f7b0d346203a7171f828dafbe| -|EU_V3.1.0_BF1-0|3.1.0_BF1_EU|30 Mar 23:49|2021|e73e1fb||e871f228e93563981f7dc433b11b4a09f90b64b0879909b19f12bf2083ad8fc3| -|EU_V3.0.8-0|3.0.8_EU|14 Oct 17:32|2020|33d4f3a||f2ee433e0630a5624324277d763ce3c7aea1630a9a07a4b9817f09550f25fe56| -|EU_V3.0.7-0|EU_V3.0.7_stable_branch|17 Jul 09:49|2020|ba7a7b5||14ae54febb0f08cc055e64a0ca29243fa5ce51b5d7f9ce2aab3a5671d276be3b| -|PD_V3.0.6_BF6-0|3.0.6_PD_BF6|19 Jun 18:08|2020|6fee560||be2918f9ab17f813c7c6aef553c929ae89d48f4621f5db1843851af4aa8a8ddb| -|PD_V3.0.6_BF1-0|PD_V3.0.6_stable_branch|27 Apr 14:27|2020|af9d2fb||fd781d30e9cae3f5ea562e2752b491b59f1e18fa3694bfb148a59698ee08bef7| -|EU_V3.0.6_BF1-0|EU_V3.0.6_stable_branch|18 Feb 18:15|2020|aa22b62||11fa3b8273b7e0d987115fa6bc6001a1af1cc9435b3038811246b2006ceee98f| -|EU_V3.0.5_BF1-0|EU_V3.0.5_stable_branch|05 Dec 16:07|2019|880c667||be16f7e3107f1e47a106a8cb0c28e43ffa7cde01ee909a5a22e4cebfa4fa99c5| -|EU_V3.0.5-0|EU_V3.0.5_stable_branch|13 Nov 17:47|2019|c041b2f||089a06b69b92d1b4389062e780fb0484d645c7d282ee9886391ea431fb5b857b| -|||24 May 15:52||cf13516||78026fdd45ff5cfae374e056c88815aa8d0b4cd70012d31d21be439b86d1ea99| -|||30 Nov 12:17||ef99190||266ff836930677257f9b63f1d499f3df81c713c88f345669c0bff0f8685842e6| -|||31 Jan 12:22||b54a780||3cd31494852dd87214044d3dd361878f6b9008963cb3db05d54cdfba8e7ba89a| -|||31 Aug 19:58||2da9d24||d032a38253223e03adb6b904da8ae7433780b6304bbdab66f135fd472da2247a| -|||18 Jul 14:55||6c8c96b||a9672b6c747f90286466d680ef2c8a0aeebff244b9169ccf96ff48ce127f3238| -|||26 Jul 16:01||0930acd||71b0a665e9c97fedf351d3059ebbda21c8266d70915d49c945c1966dbf150ecc| -|||04 May 
16:24||1096f77||a0ffb8e424775cf132e7fd2236f516a7614c18f89560832eb1bb78a5f82040af| - -## Special firmwares -|Version|Branch|Creation Date|Year|git short hash|Comments|hash| -|-|-|-|-|-|-|-| -||||||Factory Image?|16abb09640ff6010af5b825c4a262b616b98f6006b23377ad3e510dabee5d4cf| - -## Demo firmwares -|Version|Branch|Creation Date|Year|git short hash|Comments|hash| -|-|-|-|-|-|-|-| -|EUD_V3.0.7-0|EUD_stable_branch|04 Dec 14:19|2020|75b4627||67fbe98d9d8dfb99e037590909ee4d5009b6677b26a79148aed5cbecee54bbce| -|||Oct 26 16:21||0e3009e|UK Demobox Firmware|eeca1bfff7baf9ebe73bddb6911333e25c708373e6499eec181749ffc9786391| -|||Oct 24 16:00||2485fa1|UK Demobox Firmware|7510936b12cde75e9a389952437c6d8a2c07959620c8d00791eba9d72b6ea068| diff --git a/wiki/Known-Problems-and-Fixes.md b/wiki/Known-Problems-and-Fixes.md deleted file mode 100644 index 62ef688..0000000 --- a/wiki/Known-Problems-and-Fixes.md +++ /dev/null 
@@ -1,53 +0,0 @@ -# Toniebox related -## Box has a wifi password -### Checks -Does "www.wipy.io" or "TeamRevvoX" work? You may remove the password by connecting to the Box' WiFi, go to http://192.168.1.1/main.html "Device Config" - "Access Point config", set the security type to "Open" and hit apply. Now the password should be removed. - -## Box only works on the charger -### Checks -* Battery plugged in? -* Battery defect? - -## Hitting the box for skipping tracks doesn't work -### Checks -* Disabled in the cloud? -* Other? - -## Box gets (very) hot on the charger, works on battery (if still charged) -### Checks -* Diode near the power connector defect? (D4) -### Reason -The box was plugged into power supply with more than 9V. - -## Box detects no figures -### Checks -* XTAL X2 defect? - -## Weak WiFi Signal -### Checks - -## Box doesn't have a voice, only sounds -### Checks -* microSD defect? - -## Blinks red when woken up or a tonie is placed on -### Checks -* microSD defect? - -# cc3200tool related -## raise CC3200Error("rx csum failed") -### Checks -* Ground ok? -* Toniebox is getting enought power (an UART 3.3V might not be an apropiate power source for it.) -### Solutions -* Power the toniebox via its battery and/or charger and disconnect the 3.3V connection. -* Use shorter wires (Jumpers and/or USB) -* Use a different USB port (possibly without an USB-hub) - -## read_all_files only dumps a few files / list_filesystem has no filenames -If list_filesystem doesn't show the filenames for several or all files on the flash, the tool cannot dump the files automatically with the command read_all_files. -### Solutions -* Dump every [important file](https://github.com/toniebox-reverse-engineering/toniebox/wiki/Firmware-Format#Important-Toniebox-firmware-files) one by one using the read_file command. You may need to create a **cert/** and **sys/** subdirectory in your target dir. 
-``` -python cc.py -p COM3 read_file /cert/ca.der cert/ca.der read_file /cert/private.der cert/private.der read_file /cert/client.der cert/client.der read_file /sys/mcuimg.bin sys/mcuimg.bin read_file /sys/mcuimg1.bin sys/mcuimg1.bin read_file /sys/mcuimg2.bin sys/mcuimg2.bin read_file /sys/mcuimg3.bin sys/mcuimg3.bin read_file /sys/mcubootinfo.bin sys/mcubootinfo.bin -``` \ No newline at end of file diff --git a/wiki/Protocol-Analysis.md b/wiki/Protocol-Analysis.md deleted file mode 100644 index aa4b2b8..0000000 --- a/wiki/Protocol-Analysis.md +++ /dev/null 
@@ -1,154 +0,0 @@ -# prod.de.tbs.toys -## Basics -The communication is based on HTTPS (TLS over HTTP). The box authenticates with a client certificate (private.der/client.der) to the server. The cc3200 based boxed may use an outdated sha1 based algorithm that may lead to problems with modern OpenSSL versions. - -### Request -Every request contains a user-agent header with information about the current running firmware and the box' hardware. -There may be additional headers such as a content-length or authoritation if needed. - -#### Example -| Variable | Description | Example | -|---|---|---| -| sp | 8-digit-number | | -| hw | 7-digit-number | | -| firmware-ts | unix-timestamp | 1640950635 | -| box-color | Box' color (only esp32) | RoseRed | -##### cc3200 - GET https://prod.de.tbs.toys/%path% HTTP/1.1 - Host: prod.de.tbs.toys - User-Agent: TB/%firmware-ts% SP/%sp% HW/%hw% -##### cc3235 - GET https://prod.de.tbs.toys/%path% HTTP/1.1 - Host: prod.de.tbs.toys - User-Agent: TB/%firmware-ts% SP/%sp% HW/%hw% -##### esp32 - GET https://prod.de.tbs.toys/%path% HTTP/1.1 - Host: prod.de.tbs.toys - User-Agent: %box-color% TB/%firmware-ts% - -### Response -| Variable | Description | Example | -|---|---|---| -| http-code | http standard code | 200 OK | -| request-id | 20-alphanumeric id | Ff2n6tTjF-fJz5Ai-2Ts | -| content-len | integer for the content length | 0 | - -#### Example - HTTP/1.1 %http-code% - Server: openresty - Date: Mon, 30 Jan 2023 17:40:04 GMT - Content-Length: %content-len% - Connection: keep-alive - cache-control: max-age=0, private, must-revalidate - x-request-id: %request-id% - -## Endpoints -### v1-time (GET /v1/time) -Receive the time in unix time format. May be needed for the TLS-certificates. 
- -#### Response-Headers -| Header | Description | Example | -|---|---|---| -| Content-Length | integer | 10 | -| Content-Type | | text/plain; charset=utf-8 | -#### Response - 1675100403 -#### This value would correspond to - Mon Jan 30 2023 17:40:03 GMT+0000 - -### v1-ota (GET /v1/ota/%file-id%?cv=%file-ts%) -Updates several files within the box. - -Responses with HTTP 304 Not Modified if file is already up to date otherwise with the content of the file and a HTTP 200 OK. - -#### Variables -| Variable | Description | Example | -|---|---|---| -| file-id | one-digit number (2-6)| 3 | -| file-ts | unix-timestamp of the | 1640950635 | -#### Files -| File ID | Name | Description | -|---|---|---| -| 2 | PD-Firmware | | -| 3 | EU-Firmware | | -| 4 | Service Pack (cc3200) | | -| 5 | HTML | | -| 6 | SFX | | - -### v1-freshness-check (POST /v1/freshness-check) -Sends all Audio-IDs and UIDs of the content on box to the cloud in protobof. The result contains the UIDs of the files that should be marked hidden. 
In addition several settings (volume / skipping) - -#### Request-Headers -| Header | Description | Example | -|---|---|---| -| Content-Length | integer | 400 | -#### Request-Protobuf - message TonieFreshnessCheckRequest { - repeated TonieFCInfo tonie_infos = 1; - } - - message TonieFCInfo { - required fixed64 uid = 1; - required fixed32 audio_id = 2; - } -#### Response-Headers -| Header | Description | Example | -|---|---|---| -| Content-Length | integer | 23 | -| Content-Type | | application/octet-stream; charset=utf-8 | -#### Response-Protobuf - message TonieFreshnessCheckResponse { - repeated fixed64 tonie_marked = 1; - required int32 field2 = 2; - required int32 max_vol_spk = 3; #0-3 - required int32 slap_en = 4; #1=on, 0=off - required int32 slap_dir = 5; #1=back-left_forw-right, 0=forw-left_back-right - required int32 field6 = 6; - required int32 max_vol_hdp = 7; #0-3 - required int32 led = 8; #0=on, 1=off, 2=dimmed - } - -### v2-content (GET /v2/content/%uid-rev%) -Gets the content by uid and a password. If the content is know it sent back via HTTP 200 OK. The box may try to get a partial file. Then the answer is a HTTP 206 Partial Content (TODO). 
- -#### Variables -| Variable | Description | Example | -|---|---|---| -| uid-rev | 8-Byte UID reversed | 3e3a1aa3500304e0 | -| content-pass | Memory-content of the tag (32-byte hex) | 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef | -#### Request-Headers -| Header | Description | Example | -|---|---|---| -| Authorization | Contains the "password" for the content to download | BD: %content-pass% | -#### Response-Headers -| Header | Description | Example | -|---|---|---| -| Content-Length | integer | 23232 | -| Content-Type | | binary/octet-stream | - -### v1-claim (GET /v1/claim/%uid-rev%) - -#### Variables -| Variable | Description | Example | -|---|---|---| -| uid-rev | 8-Byte UID reversed | 3e3a1aa3500304e0 | -| content-pass | Memory-content of the tag (32-byte hex) | 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef | -#### Request-Headers -| Header | Description | Example | -|---|---|---| -| Authorization | Contains the "password" for the content | BD %content-pass% | -#### Response-Headers -| Header | Description | Example | -|---|---|---| -| Content-Length | integer | 0 | - -# rtnl.bxcl.de -## Basics -The communication is based on a TLS stream and **protobuf** and is unidirectional towards boxine. It's (nearly) identical to the output via UART. -## Tool -[RTNL Decoder](https://github.com/toniebox-reverse-engineering/toniebox/blob/master/tools/rtnl_decoder.py) -## Bytes -### AP SSID -### SD Directory -### Firmware version / Update -### MAC diff --git a/wiki/Toniebox-CC3200-Pinout.md b/wiki/Toniebox-CC3200-Pinout.md deleted file mode 100644 index 5ec1d30..0000000 --- a/wiki/Toniebox-CC3200-Pinout.md +++ /dev/null 
@@ -1,66 +0,0 @@ -| Pin ID | Pin Name | Toniebox usage | Target | Notes | -| -- | -- | -- | -- | -- | -| 01 | GPIO10 | SD_CLK | SD | | -| 02 | GPIO11 | SD_CMD | SD | | -| 03 | GPIO12 | I2C_SCL | MMA + DAC | | -| 04 | GPIO13 | I2C_SDA | MMA + DAC | | -| 05 | GPIO14 | GSPI_CLK | RFID | | -| 06 | GPIO15 | GSPI_MISO | RFID | | -| 07 | GPIO16 | GSPI_MOSI | RFID | | -| 08 | GPIO17 | Charger | Battery | 2.4V when on charger| -| 09 | VDD_DIG1 | | | | -| 10 | VINIO1 | | | | -| 11 | FLASH_SPI_CLK | | | | -| 12 | FLASH_SPI_DOUT | | | | -| 13 | FLASH_SPI_DIN | | | | -| 14 | FLASH_SPI_CS | | | | -| 15 | GPIO22 | MMA INT1 | MMA | | -| 16 | TDI (GPIO23) | CS | RFID | | -| 17 | TDO (GPIO24) | Blue LED | LED | | -| 18 | GPIO28 | RFID IRQ | RFID | | -| 19 | TCK | Red LED | LED | PWM? / SWD | -| 20 | TMS (GPIO29) | | | SWD | -| 21 | SOP2 (GPIO25) | Green LED | LED | | -| 22 | WLAN_XTAL_N | | | | -| 23 | WLAN_XTAL_P | | | | -| 24 | VDD_PLL | | | | -| 25 | LDO_IN2 | | | | -| 26 | NC | | | | -| 27 | NC | | | | -| 28 | NC | | | | -| 29 | ANTSEL1 | | | | -| 30 | ANTSEL2 | | | | -| 31 | RF_BG | | | | -| 32 | nRESET | | | | -| 33 | VDD_PA_IN | | | | -| 34 | SOP1 | | | | -| 35 | SOP0 | | | | -| 36 | LDO_IN1 | | | | -| 37 | VIN_DCDC_ANA | | | | -| 38 | DCDC_ANA_SW | | | | -| 39 | VIN_DCDC_PA | | | | -| 40 | DCDC_PA_SW_P | | | | -| 41 | DCDC_PA_SW_N | | | | -| 42 | DCDC_PA_OUT | | | | -| 43 | DCDC_DIG_SW | | | | -| 44 | VIN_DCDC_DIG | | | | -| 45 | DCDC_ANA2_SW_P (GPIO31) | | | | -| 46 | DCDC_ANA2_SW_N | | | | -| 47 | VDD_ANA2 | | | | -| 48 | VDD_ABA1 | | | | -| 49 | VDD_RAM | | | | -| 50 | GPIO00 | I2S Data0 (DIN) | DAC | | -| 51 | RTC_XTAL_P | | | | -| 52 | RTC_XTAL_N (GPIO32) | | | | -| 53 | GPIO30 | I2S ClockO (BCLK) | DAC | | -| 54 | VIN_IO2 | | | | -| 55 | GPIO01 | DAC Headphone detection | DAC+UART | TX0 | -| 56 | VDD_DIG2 | | | | -| 57 | GPIO02 | BTN01 | Ears | RX0 / big ear| -| 58 | GPIO03 | Power | SD | Low = Power on | -| 59 | GPIO04 | BTN02 | Ears | small ear | -| 60 | GPIO05 | ADC 
| Battery | Battery level analog pin | -| 61 | GPIO06 | Power | MMA + DAC | High = Power on | -| 62 | GPIO07 | DAC Reset / RFID EN | DAC / RFID | 10ns Low for Reset | -| 63 | GPIO08 | I2S Frame Sync (WCLK) | DAC | | -| 64 | GPIO09 | SD_D0 | SD | | \ No newline at end of file diff --git a/wiki/Toniebox-ESP32-Pinout.md b/wiki/Toniebox-ESP32-Pinout.md deleted file mode 100644 index 66e2d55..0000000 --- a/wiki/Toniebox-ESP32-Pinout.md +++ /dev/null 
@@ -1,61 +0,0 @@ -| Pin ID | Pin Name | Toniebox usage | Target | Notes | -| -- | -- | -- | -- | -- | -| 01 | LNA_IN | | | | -| 02 | VDD3P3 | | | | -| 03 | VDD3P3 | | | | -| 04 | CHIP_PU | | | | -| 05 | GPIO0 | Boot | | J100 | -| 06 | GPIO1 | SS | TRF7962A | | -| 07 | GPIO2 | MOSI | TRF7962A | | -| 08 | GPIO3 | MISO | TRF7962A | | -| 09 | GPIO4 | SCLK | TRF7962A | -| 10 | GPIO5 | I2C_SDA | LIS + DAC | -| 11 | GPIO6 | I2C_SCL | LIS + DAC | | -| 12 | GPIO7 | button pressed or charger present | | wake up (1=no button/no charger) | -| 13 | GPIO8 | ADC_charg | R75/R72, 100kΩ/100kΩ divider (div 2) U300 LM3485, 5V buck, charger | | -| 14 | GPIO9 | ADC_Vbatt | R57/R58, 100kΩ/33kΩ divider (div 4) right before U320 "BW93" boost? | | -| -- | -- | -- | -- | -- | -| 15 | GPIO10 | DIN | DAC3100 | | -| 16 | GPIO11 | BCLK | DAC3100 | | -| 17 | GPIO12 | WCLK | DAC3100 | | -| 18 | GPIO13 | IRQ | TRF7962A | | -| 19 | GPIO14 | IRQ | LIS3DH | | -| 20 | VDD3P3_RTC | | | | -| 21 | XTAL_32K_P | | | | -| 22 | XTAL_32K_N | | | | -| 23 | GPIO17 | Blue-LED | LED | | -| 24 | GPIO18 | Green-LED | LED | | -| 25 | GPIO19 | Red-LED | LED | | -| 26 | GPIO20 | Ear left, big | | active low | -| 27 | GPIO21 | Ear right, small | | active low | -| 28 | GPIO26 / SPICS1 | RESET (active high) | DAC3100 | | -| -- | -- | -- | -- | -- | -| 29 | VDD_SPI | | | | -| 30 | SPIHD | RS | SPI flash | via 100Ω | -| 31 | SPIWP | WP | SPI flash | via 100Ω | -| 32 | SPICS0 | SCS | SPI flash | via 22Ω | -| 33 | SPIHCLK | SCK | SPI flash | via 22Ω | -| 34 | SPIQ | SO | SPI flash | via 22Ω | -| 35 | SPID | SI | SPI flash | via 22Ω | -| 36 | GPIO48 / SPICLK_N | GPIO1 | DAC3100 | | -| 37 | GPIO47 / SPICLK_P | Power | SD | Low = Power on | -| 38 | GPIO33 | DAT2 | SD | | -| 39 | GPIO34 | DAT3 | SD | | -| 40 | GPIO35 | CLK | SD | | -| 41 | GPIO36 | DAT0 | SD | | -| 42 | GPIO37 | DAT1 | SD | | -| -- | -- | -- | -- | -- | -| 43 | GPIO38 | CMD | SD | | -| 44 | MTCK | TCK | JTAG | | -| 45 | MTDO | TD0 | JTAG | | -| 46 | VDD3P3_CPU | 
| | | -| 47 | MTDI | TDI | JTAG | | -| 48 | MTMS | TMS | JTAG | | -| 49 | U0TXD | TX | UART | J103 | -| 50 | U0RXD | RX | UART | J103 | -| 51 | GPIO45 | Power | LIS + DAC + Blue-LED | High = Power on | -| 52 | GPIO46 | | | J101 | -| 53 | XTAL_N | | | | -| 54 | XTAL_P | | | | -| 55 | VDDA | | | | -| 56 | VDDA | | | | diff --git a/wiki/Traffic-Sniffing.md b/wiki/Traffic-Sniffing.md deleted file mode 100644 index c606d7b..0000000 --- a/wiki/Traffic-Sniffing.md +++ /dev/null 
@@ -1,123 +0,0 @@ -# Summary -The toniebox communicates over https with its servers. It uses its Certificate Authority certifcate (flash:/cert/ca.der) to verify the tls connection. The box authenticates itself with a client certificate (flash:/cert/client.der) + private rsa key (flash:/cert/private.der). The communication is based on https and protobuf. - -## Known domains -* prod.de.tbs.toys -* rtnl.bxcl.de - -# Attention! -Your certificate may be banned if you send to many wrong requests to the Boxine servers. - -# Using mitmproxy -The Toniebox can be man-in-the-middled by replacing the CA of the box with one you can control. You need to use [mitmproxy v8.0.0](https://github.com/mitmproxy/mitmproxy/releases/tag/v8.0.0) and use the [mitmproxy-validity addon](https://github.com/toniebox-reverse-engineering/mitmproxy-toniebox). -You should prepare a system for [transparent proxing with mitmproxy](https://docs.mitmproxy.org/stable/howto-transparent/). The easiest way in my opinion to use an VM and set up the DHCP for the WiFi the way that the Toniebox gets the VM as gateway. - -## Don't use the latest mitmproxy - -Don't use mitmproxy v9 as it doesn't support the needed sha-1 signature algoritms! Stick to 8.0.0 until further notice! -``` -(OpenSSL Error([('SSL routines', '', 'no shared signature algorithms')])) -``` - -## Create **CA** -mitmproxy creates its CA on first run (/root/.mitmproxy/). I suggest to start it with the tool faketime or change your systems date to 2015-11-04. (It may work without, but no warranty) Don't forget to run it as root. 
- -## Conversion to **DER**-format -Afterwards you need convert the mitmproxy-ca-cert.cer into the **DER**-format -``` -openssl x509 -inform PEM -outform DER -in mitmproxy-ca-cert.cer -out mitmproxy-ca-cert.der -``` -## Backup original files -Afterwards you'll need to **backup the Toniebox' CA** and its **client.der/private.der** -``` -cc3200tool read_file /cert/ca.der ca.der read_file /cert/client.der client.der read_file /cert/private.der private.der -``` -## Upload **mitmproxy CA** to the Toniebox -``` -cc3200tool write_file mitmproxy-ca-cert.der /cert/ca.der -``` -## Convert **client certificate** to **PEM**-format -``` -openssl x509 -inform DER -outform PEM -in client.der -out client.cer -openssl rsa -inform DER -outform PEM -in private.der -out private.key -cat client.cer private.key > client.pem -``` -## Dump SSL-keys -I suggest you to set the SSLKEYLOGFILE enviroment variable so you can record your traffic with Wireshark and decrypt it afterwards (Edit-Preferences-Protocols-TLS-(Pre)-Master-Secret log filename) -``` -export SSLKEYLOGFILE=/root/keylogfile.txt -``` - -## Run mitmproxy / mitmweb / mitmdump -You can use mitmproxy, mitmweb or mitmdump. I prefered mitmweb -``` -./mitmweb --verbose --web-host 0.0.0. --mode transparent --set client_certs=/root/client.pem --ssl-insecure -s /root/toniebox.cert-validity.py -``` - -## Using wireshark over ssh -You'll need to install tcpdump on you target system. I also disabled password auth for sudoing tcpdump. -``` -$ nano /etc/sudoers.d/tcpdump - -%pcap ALL=NOPASSWD: /usr/bin/tcpdump -``` -Attach pcap-group to tcpdump -``` -sudo chgrp pcap /usr/bin/tcpdump -sudo chmod 750 /usr/bin/tcpdump -``` -I suggest you to ssh once into your machine to confirm the signature. Then you can run wireshark over the command and then enter the password to start tcpdump -``` -ssh user@hackiebox sudo tcpdump -i ens19 -U -s0 -w - 'not port 22' | wireshark -k -i - -``` - -# Certificates helpers (just for legacy reasons!) 
-## Certificate conversion -To use the certificates and the rsa key with most tools you will need to convert it from DER to PEM -``` -openssl x509 -inform DER -outform PEM -in ca.der -out ca.cer -openssl x509 -inform DER -outform PEM -in client.der -out client.cer -openssl rsa -inform DER -outform PEM -in private.der -out private.key -``` - -## Generate self signed root CA -``` -openssl genrsa -out ca.key 4096 -faketime '2015-11-04 00:00:00' openssl req -new -x509 -key ca.key -out ca.cer -days 9000 -subj '/C=DE/ST=NW/L=Duesseldorf/O=Boxine GmbH/CN=Boxine CA' -``` - -## Generate domains certificates -``` -openssl req -new -key ca.key -out rtnl.bxcl.de.req -subj '/C=DE/ST=NW/L=Duesseldorf/O=Boxine GmbH/CN=rtnl.bxcl.de' -openssl req -new -key ca.key -out prod.de.tbs.toys.req -subj '/C=DE/ST=NW/L=Duesseldorf/O=Boxine GmbH/CN=prod.de.tbs.toys' -faketime '2015-11-05 00:00:00' openssl x509 -req -in rtnl.bxcl.de.req -CA ca.cer -CAkey ca.key -set_serial 101 -days 10950 -outform PEM -out rtnl.bxcl.de.cer -faketime '2015-11-05 00:00:00' openssl x509 -req -in prod.de.tbs.toys.req -CA ca.cer -CAkey ca.key -set_serial 101 -days 10950 -outform PEM -out prod.de.tbs.toys.cer -``` - -## Generate client certificate -``` -openssl genrsa -out private.key 2048 -openssl req -utf8 -new -key private.key -out client.req -subj '/C=DE/ST=NRW/L=Düsseldorf/O=Boxine GmbH' -openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extensions client -days 10950 -outform PEM -out client.cer - -``` - -## Certificate conversion -To use your generated certificates/ley for the toniebox you will have to convert it back to DER format. 
-``` -openssl x509 -inform PEM -outform DER -in ca.cer -out ca.der -openssl x509 -inform PEM -outform DER -in client.cer -out client.der -openssl rsa -inform PEM -outform DER -in private.key -out private.der -``` - -## Certificate upload -``` -cc.py -p COM6 write_file z:\fakessl\box_fake\client.der /cert/client.der write_file z:\fakessl\box_fake\private.der /cert/private.der write_file z:\fakessl\fake\ca.der /cert/ca.der -``` - -## Concat certificates to PEM -``` -cat ca.key ca.cer > ca.pem -cat ca.key rtnl.bxcl.de.cer > rtnl.bxcl.de.pem -cat ca.key prod.de.tbs.toys.cer > prod.de.tbs.toys.pem -``` diff --git a/wiki/Useful-Links.md b/wiki/Useful-Links.md deleted file mode 100644 index 144814d..0000000 --- a/wiki/Useful-Links.md +++ /dev/null @@ -1,3 +0,0 @@ -https://github.com/micropython/micropython-infineon/blob/master/cc3200/Makefile -https://media.ccc.de/v/36c3-108-hacking-an-nfc-toy-with-the-chameleonmini -https://github.com/g3gg0/proxmark3/commit/24ee0f8de3d2ac75cce6707d9a4c86d550cffaff \ No newline at end of file diff --git a/wiki/microSD-cards.md b/wiki/microSD-cards.md deleted file mode 100644 index 6e1356a..0000000 --- a/wiki/microSD-cards.md +++ /dev/null 
@@ -1,34 +0,0 @@ -Here you find a list of working microSD cards for the box. It seems to be very particular. Be sure you format your microSD with fat32. - -# Working -## SanDisk -* 128GB SanDisk Ultra microSDXC I 1 A1 -* 64GB SanDisk Ultra microSDXC I 1 -* 16GB SanDisk Ultra microSDXC I 1 -* 8GB SanDisk EDGE microSDHC I 4 -* 2GB SanDisk microSD -* 32GB Micron microSDHC I 1 -* 32GB Perciron microSD (noname Aliexpress) - -# Not Working -## Samsung -* 512GB SanDisk Ultra microSDXC I 1 Class 10 U1 A1 -* 32GB Samsung EVO Plus microSDHC I 1 -* Intenso microSDHC 8GB Class 10 - -# SD card extension -For convenience a SD extension cable can be used to place the card in a better accessible way. A 25 cm cable is recommend. - -You can use both types of cables: - -* microSD card – microSD card -* microSD card – SD card - -![](https://raw.githubusercontent.com/toniebox-reverse-engineering/toniebox/master/pics/sd_extension_cable.jpg) - -## Cable modification -Out-of-the box the cable is not working because of the resistor between VDD (3.3 V) and CLK. The reason for that is unclear. - -It is necessary to remove this resistor. - -![](https://raw.githubusercontent.com/toniebox-reverse-engineering/toniebox/master/pics/sd_extension_cable_removed_resistor.jpg)
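Review bot: in the `wiki/Audio-file-format.md` hunk, the code fence is opened as ```` ```{shell} ````, which GitHub Markdown does not treat as a language info string, and the two prompts are inconsistent (`%% ./firmware_info.py -r testfolder/foo` versus `% ./firmware_info.py -jr testfolder/`). More importantly, the documented `-j` output prints `Found bootinfo file skipped for JSON-Output:` / `Slot: [b'\x02']` / `Mode: [0]` ahead of the JSON array on the same stream, so a consumer cannot `json.load` the tool's stdout; since `tools/firmware_info.py` stays in the repo while this page leaves, please open a follow-up to emit that notice on stderr and carry the corrected transcript into the migrated page.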
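Review bot: the `wiki/Hardware-Overview.md` hunk removes the only in-repo description of the board, and the text being removed still contains errors that should not be copied verbatim into the new docs site: `Cortex-M4 arm7e-m thumb` should read ARMv7E-M, and `TI propiertery FatFS` is a typo for proprietary. Worth a quick pass on the migrated copy before this merges.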
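Review bot: the `wiki/Home.md` hunk drops the line `Attention, do not edit the wiki directly. It is generated automatically from the master branch!` but nothing in this diff touches whatever publishes `wiki/` to the GitHub wiki. If that job still runs, it will now publish only the two-line redirect and overwrite any content on the wiki; if it has been retired, that removal belongs in the same change so `wiki/` is not left looking like a live source. Either way, one sentence in the new `Home.md` stating where the docs are now maintained (and that this directory is frozen) would avoid the confusion.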
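Review bot: the `wiki/Known-Problems-and-Fixes.md` hunk deletes a page that links to `https://github.com/toniebox-reverse-engineering/toniebox/wiki/Firmware-Format#Important-Toniebox-firmware-files`; once the wiki is reduced to the redirect, every such `toniebox/wiki/...` link elsewhere in this repository (README, tool help text) or on the docs site will land on the redirect page instead of the section. Please grep the remaining tree and the migrated docs for `toniebox/wiki/` and rewrite those links to the new location as part of this change.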
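Review bot: the `wiki/Protocol-Analysis.md` hunk removes the only in-repo record of the cloud API, and it carries inconsistencies that should be resolved in the migrated copy rather than carried over: the `Authorization` example is `BD: %content-pass%` under v2-content but `BD %content-pass%` under v1-claim (only one can match what the box sends); `HTTPS (TLS over HTTP)` should read HTTP over TLS; and `authoritation` is a typo for authorization. The table row `| file-ts | unix-timestamp of the | 1640950635 |` is also cut off mid-description.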
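Review bot: in the `wiki/Toniebox-ESP32-Pinout.md` hunk the rows `| 09 | GPIO4 | SCLK | TRF7962A |` and `| 10 | GPIO5 | I2C_SDA | LIS + DAC |` lack the trailing Notes cell, and the repeated `| -- | -- | -- | -- | -- |` rows placed mid-table (after pins 14, 28 and 42) render as ordinary data rows in GitHub-flavored Markdown, not as separators. If the table is being moved to the docs site, fix the column count and either drop the mid-table separator rows or split the table into sections with headings.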
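Review bot: in the `wiki/Traffic-Sniffing.md` hunk the command `./mitmweb --verbose --web-host 0.0.0. --mode transparent ...` is missing the last octet of `0.0.0.0`, so it fails as written; confirm the migrated page corrects it. The two parts of that page a reader most needs, the warning `Your certificate may be banned if you send to many wrong requests to the Boxine servers.` and the `cc3200tool read_file /cert/ca.der ...` backup of the box's original CA and client key pair before anything is overwritten, should be verified to survive the move unchanged, since after this merge the repository holds no copy of them.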
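Review bot: deleting `pics/sd_extension_cable.jpg` and `pics/sd_extension_cable_removed_resistor.jpg` breaks the absolute links `https://raw.githubusercontent.com/toniebox-reverse-engineering/toniebox/master/pics/sd_extension_cable.jpg` (and the `_removed_resistor` one) that `wiki/microSD-cards.md` used to embed the pictures. If the migrated page on toniebox-reverse-engineering.github.io still references the images by these raw URLs rather than hosting its own copies, they will 404 as soon as this lands; please confirm the docs site has its own copies, or keep `pics/` until it does. The same check applies to the debug-port, connector and battery pictures removed in the first hunks.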