Need help with DFU creation
01 Jan 2013 22:13 #4486
by PhracturedBlue
Need help with DFU creation was created by PhracturedBlue
Today, the only way to install Deviation is with the Walkera DFuSe tool. This is not ideal for Mac/Linux users. The reason is that the Walkera DFuSe tool modifies the dfu file before transmitting it, and I'm trying to understand how that is done. I have a feeling that it is not static per-model, but instead is unique to every Tx.
I need more samples from Devo6, Devo8, or Devo10 radios to make sense of it.
What I need are USB traces of uploading a DFU file.
In WinXP I used to use usbsnoop:
www.pcausa.com/Utilities/UsbSnoop/
But it does not work in Win7
In Win7, it is theoretically possible to use logman:
blogs.msdn.com/b/usbcoreblog/archive/200...-usb-core-stack.aspx
But while I could capture the logs, I couldn't seem to capture the actual data transfer (which is what I need)
In the end, I used the demo version of USBTrace:
www.sysnucleus.com/usbtrace_download.html
which worked fine on my Win7 x-64 machine
You could also likely use Wireshark in Linux running a Windows virtual machine, though I didn't get around to trying that.
I would like a couple of folks who can install a usb snooper to capture the start of the dfuse tool (Tx in program mode, and plugged in, start DFuSe tool), and the installation of a dfu file (Upgrade).
I recommend taking a snapshot before installing a usbsnooper, as it is theoretically possible for it to mess up USB detection if something goes wrong.
02 Jan 2013 02:44 - 02 Jan 2013 03:25 #4497
by sbstnp
Devo 10 + 4in1
Spektrum Dx9
FrSky Taranis + TBS Crossfire
Replied by sbstnp on topic Need help with DFU creation
First attachment is a simple conversation capture using logman.
Second is the same conversation capture done in Linux.
Third attachment is a full capture using logman.
Captures done with logman can be filtered, by Vendor Id for example:
ContainsBin(FrameData, hex, "83 04")
Note: usbtrace evaluation has a capture size limit which I hit during DFU upload.
PS: can't seem to be able to attach *.cap files, so I renamed to .txt
Last edit: 02 Jan 2013 03:25 by sbstnp.
02 Jan 2013 02:51 - 02 Jan 2013 17:39 #4498
by RugWarrior
Replied by RugWarrior on topic Need help with DFU creation
I will try USBlyzer as it can make full logs even as trial.
Last edit: 02 Jan 2013 17:39 by RugWarrior.
02 Jan 2013 04:07 #4500
by PhracturedBlue
Replied by PhracturedBlue on topic Need help with DFU creation
The problem is that the logman logs don't seem to provide the actual data in the packet. There should be 1024 bytes per packet during transfer, but I don't see that data in the .cap file.
The linux logs look ok (though there are no data packets in the initialization (that is expected), and if I recall I had a similar issue with linux truncating the data when I used it way back when)
Anyhow, with more investigation, I think the changes added by DFuSe are actually based on the contents of the firmware, not the Tx, so if I can figure out which bytes are used to compute the modified 'checksum' I'll be one step closer. It also means I probably don't need any more log captures at this time.
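Added example, not part of the original thread or the Deviation project's code: one way to check that a capture really holds the full 1024-byte data packets, and to find which offsets of the transmitted image differ from the .dfu payload on disk. The function names and sample data are hypothetical, and extracting the payload from the capture and from the .dfu container is assumed to be done already.

```python
BLOCK_SIZE = 1024  # bytes per data packet during transfer, as stated in the post above

def reassemble(blocks):
    """Join captured (block_number, data) pairs into one image, in block order."""
    return b"".join(data for _, data in sorted(blocks, key=lambda b: b[0]))

def short_blocks(blocks):
    """Block numbers whose payload was cut short by the capture tool.
    The final block is allowed to be shorter than BLOCK_SIZE."""
    ordered = sorted(blocks, key=lambda b: b[0])
    return [n for n, data in ordered[:-1] if len(data) != BLOCK_SIZE]

def changed_ranges(original, transmitted):
    """(start, end) offsets, end exclusive, where the two images differ."""
    ranges, start = [], None
    common = min(len(original), len(transmitted))
    for i in range(common):
        if original[i] != transmitted[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, common))
    if len(original) != len(transmitted):  # report a length mismatch as a final range
        ranges.append((common, max(len(original), len(transmitted))))
    return ranges

def locate(ranges):
    """Map each range to (start, end, block_number, offset_in_block)."""
    return [(s, e, s // BLOCK_SIZE, s % BLOCK_SIZE) for s, e in ranges]

def constructed_sample():
    """Constructed data: a 3-block image with 4 bytes altered in block 1."""
    original = bytes(range(256)) * 12
    sent = bytearray(original)
    for i in range(1030, 1034):
        sent[i] ^= 0xFF
    blocks = [(n, bytes(sent[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE])) for n in (2, 0, 1)]
    return original, blocks

if __name__ == "__main__":
    original, blocks = constructed_sample()
    print("truncated blocks:", short_blocks(blocks))
    print("changed:", locate(changed_ranges(original, reassemble(blocks))))
```

Running `short_blocks` first matters: a capture that drops or truncates payload data would otherwise show up as spurious differences.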
02 Jan 2013 04:30 #4501
by sbstnp
Replied by sbstnp on topic Need help with DFU creation
I was expecting my captures to contain nothing of value. I've played some more with USBtrace and I'm seeing the same problem on my side, no actual data is captured.
I hope you can do without these though, good luck.
02 Jan 2013 11:11 - 02 Jan 2013 11:11 #4514
by rbe2012
Replied by rbe2012 on topic Need help with DFU creation
If you are right and there is no dependency on the tx, would it be helpful to get logs with special dfu files where only one byte or one bit is changed / appended...?
If I understood right, then we do not have to fear installing a senseless dfu on our tx; we can always cure this with a correct (this can only be deViation) dfu.
Last edit: 02 Jan 2013 11:11 by rbe2012. Reason: (Typo)
02 Jan 2013 17:41 - 02 Jan 2013 17:46 #4523
by RugWarrior
Replied by RugWarrior on topic Need help with DFU creation
I made a log with USBlyzer with my Devo 8S flashing the official deviation-devo8-v2.1.0.dfu
And one with the latest commit...
If this is of any use then I can make more if wanted...
Last edit: 02 Jan 2013 17:46 by RugWarrior.
02 Jan 2013 17:58 #4525
by PhracturedBlue
Replied by PhracturedBlue on topic Need help with DFU creation
Thanks. I think I found the 'key' I need. It appears that it is transmitter specific.
Every transmitter has a unique serial number (in the MCU), and this is the value that is used to build the final DFU sent to the transmitter.
I'm not sure exactly why they do this except to ensure that the transmitter can only work in conjunction with the Walkera Dfuse tool. It does not in any way that I see help to secure their firmware (indeed we've been loading Deviation onto radios for 6 months without being aware of anything more than a keep-out region)
They use a different algorithm for each model, but the math is relatively simple. Again, I have no idea why they bother with all of this.
02 Jan 2013 18:26 - 02 Jan 2013 18:26 #4526
by sbstnp
Replied by sbstnp on topic Need help with DFU creation
And one capture using same software, btw, good catch RW. Flashed 2.1.0 on my Devo 10. Hope it helps.
Last edit: 02 Jan 2013 18:26 by sbstnp.
02 Jan 2013 21:17 #4533
by RugWarrior
Replied by RugWarrior on topic Need help with DFU creation
Interesting why they do something like this to "secure" writing to the tx...
Who knows
sbstnp I had a look at your dump and mine... and thank god we have devs like PB... I do not get the point comparing the dumps
03 Jan 2013 07:49 #4554
by Tom_ate
Replied by Tom_ate on topic Need help with DFU creation
RugWarrior wrote: ...Interesting why they do something like this to "secure" writing to the tx...
Sorry, RW, but I think this is not the real point.
I have the same opinion as PB wrote earlier in this thread: With this checksum they have done nothing to secure writing to the TX - they have done it to prevent that the TX is written to with anything else than their own Dfuse-tool.
Kind regards,
Matthias
03 Jan 2013 14:30 #4598
by PhracturedBlue
Replied by PhracturedBlue on topic Need help with DFU creation
Tom_ate wrote: I have the same opinion as PB wrote earlier in this thread: With this checksum they have done nothing to secure writing to the TX - they have done it to prevent that the TX is written to with anything else than their own Dfuse-tool.
The thing I don't understand is why they went as far as they did. Ensuring only their dfuse tool could write to the Tx would have been very simple: change the dfuse format slightly. Instead you have a unique ID and different algorithms for different models. The latter could be useful to prevent loading a devo8 firmware onto a devo10, but since it is rebuilt by dfuse every time you load, you lose any such benefit.
There are a lot of 'security' measures in the Devo (like scrambling the DFU) but it turns out that every single one is poorly implemented (which is a good thing for us, as otherwise, the effort to install Deviation would be much higher)