Logilink VG0022A firmware/si2157 probe

Logilink VG0022A firmware/si2157 probe

[Sean Young]

Hi Antti,

I have a Logilink VG0022A device which is an af9035.c type device (with
ITE 9xxx frontned). The probe of the si2146 tuner fails and returns 0xffs.

Now I would like to work on fixing this. Mauro suggested the firmware might
be incorrect. Any tips on extracting the firmware? I can try and dump
usb traffic from Windows and see what firmware is being used there. How did
you extract the firmware?

Any other suggestions for this device? You might be able to save me a lot
of time since you have experience with these types of devices, I do not.

Thanks
Sean

Re: Logilink VG0022A firmware/si2157 probe

[Antti Palosaari]

[-- Attachment #1: Type: text/plain, Size: 1570 bytes --]

Hello,

On 10/17/19 12:08 PM, Sean Young wrote:
> Hi Antti,
> 
> I have a Logilink VG0022A device which is an af9035.c type device (with
> ITE 9xxx frontned). The probe of the si2146 tuner fails and returns 0xffs.
> 
> Now I would like to work on fixing this. Mauro suggested the firmware might
> be incorrect. Any tips on extracting the firmware? I can try and dump
> usb traffic from Windows and see what firmware is being used there. How did
> you extract the firmware?
> 
> Any other suggestions for this device? You might be able to save me a lot
> of time since you have experience with these types of devices, I do not.

Extracting firmware is done almost always by following steps:
1) take sniffs from the some bus (usb/i2c)
2) identify firmware download section, detect it starting point and 
ending point ~few first and last bytes
3) find that firmware binary located inside of binary driver
  * grep, hexeditor, etc
  * example LANG=C grep -obUaP "\x08\x05\x00" driver.sys
4) use dd command to copy firmware blob from binary driver to separate 
file (you need to know firmware location and length inside binary)


It is also possible to dump firmware to file from bus sniffs too, but it 
requires writing some simple script. Dumping it from the binary driver 
is usually still most easiest way.

At some point I downloaded bunch of drivers to find out multiple 
firmware versions for si2168 and made simple script to ease things. 
Script is attached.


After all, I suspect root of issue may be still be buggy i2c...


regards
Antti

-- 
http://palosaari.fi/

[-- Attachment #2: si2168_extract_firmware.py --]
[-- Type: text/x-python, Size: 2258 bytes --]

#!/usr/bin/env python
# Silicon Labs Si2168 firmware extractor.
# Copyright (C) 2015 Antti Palosaari <crope@iki.fi>
# Usage: si2168_extract_firmware.py binary_driver_name.sys

import sys
import struct
import md5

fread = file(sys.argv[1], 'rb')
binary = fread.read()
offset = 0

# Known firmware md5 and its version
fw_ver_tab = {
    '02c9b1e751f362621c649ea831410b61' : '4.0.7',
    'b2670d8ae5e3369fc71edbb98cdd8f6e' : '4.0.11',
    '8dfc2483d90282bbb05817fbbc282376' : '4.0.19',
    'c8e089c351e9834060e962356f8697b8' : '4.0.25',
}

while True:
    # Match 17-byte firmware header
    # 04 01 00 00 00 00 9a 41 05 1b af 33 02 1b 3e 7d 2a | A20 (not supported)
    # 08 05 00 xx xx xx xx xx xx 00 00 00 00 00 00 00 00 | B40
    offset = binary.find('\x08\x05\x00', offset)
    if offset == -1:
        print "Done"
        break

    if (binary[offset + 9:offset + 17] != '\x00\x00\x00\x00\x00\x00\x00\x00'):
        offset = offset + 1
        continue

    print "Possible 17-byte Si2168-B40 firmware header found at 0x%x" % (offset)

    fw_filename = 'dvb-demod-si2168-b40-01.fw_' + str(offset)
    fw_write = open(fw_filename, 'wb')
    fw_md5 = md5.new()

    while True:
        fields = struct.unpack("B", binary[offset])
        fw_data_len = fields[0]
        # Firmware chunk first byte tells bytes to upload - 16 is max
        if fw_data_len == 0 or fw_data_len > 16:
            break

        # Check remaining (unused) bytes on firmware 17-byte chunk are all zero
        data_valid = True
        for x in range(offset + fw_data_len + 1, offset + 17):
            if (binary[x] != '\x00'):
                data_valid = False
                break

        if data_valid == False:
            break

        # Firmware chunk validated, write it to file
        fw_write.write(binary[offset + 0:offset + 17])
        fw_md5.update(binary[offset + 0:offset + 17])
        offset = offset + 17

    fw_write.close()

    if fw_md5.hexdigest() in fw_ver_tab:
        fw_ver = fw_ver_tab[fw_md5.hexdigest()]
    else:
        fw_ver = '<unknown>'

    print "Firmware md5 '%s'" % (fw_md5.hexdigest())
    print "Firmware version '%s'" % (fw_ver)
    print "Firmware stored to file '%s'" % (fw_filename)

    offset = offset + 1

fread.close()

Re: Logilink VG0022A firmware/si2157 probe

[JP]

Hi there,

On 10/17/19 2:15 PM, Antti Palosaari wrote:
> Hello,
>
> On 10/17/19 12:08 PM, Sean Young wrote:
>> Hi Antti,
>>
>> I have a Logilink VG0022A device which is an af9035.c type device (with
>> ITE 9xxx frontned). The probe of the si2146 tuner fails and returns 
>> 0xffs.
>>
>> Now I would like to work on fixing this. Mauro suggested the firmware 
>> might
>> be incorrect. Any tips on extracting the firmware? I can try and dump
>> usb traffic from Windows and see what firmware is being used there. 
>> How did
>> you extract the firmware?
If the receiver has onboard firmware, isn't that the right one? Then the 
windows
driver has no need to load one. Or am I missing the point here?
>>
>>
>> Any other suggestions for this device? You might be able to save me a 
>> lot
>> of time since you have experience with these types of devices, I do not.
>
> Extracting firmware is done almost always by following steps:
> 1) take sniffs from the some bus (usb/i2c)
> 2) identify firmware download section, detect it starting point and 
> ending point ~few first and last bytes
> 3) find that firmware binary located inside of binary driver
>  * grep, hexeditor, etc
>  * example LANG=C grep -obUaP "\x08\x05\x00" driver.sys
> 4) use dd command to copy firmware blob from binary driver to separate 
> file (you need to know firmware location and length inside binary)
>
>
> It is also possible to dump firmware to file from bus sniffs too, but 
> it requires writing some simple script. Dumping it from the binary 
> driver is usually still most easiest way.
>
> At some point I downloaded bunch of drivers to find out multiple 
> firmware versions for si2168 and made simple script to ease things. 
> Script is attached.
>
>
> After all, I suspect root of issue may be still be buggy i2c...
Me too.


Jan Pieter.

Re: Logilink VG0022A firmware/si2157 probe

[Antti Palosaari]

On 10/17/19 4:46 PM, JP wrote:
> Hi there,
> 
> On 10/17/19 2:15 PM, Antti Palosaari wrote:
>> Hello,
>>
>> On 10/17/19 12:08 PM, Sean Young wrote:
>>> Hi Antti,
>>>
>>> I have a Logilink VG0022A device which is an af9035.c type device (with
>>> ITE 9xxx frontned). The probe of the si2146 tuner fails and returns 
>>> 0xffs.
>>>
>>> Now I would like to work on fixing this. Mauro suggested the firmware 
>>> might
>>> be incorrect. Any tips on extracting the firmware? I can try and dump
>>> usb traffic from Windows and see what firmware is being used there. 
>>> How did
>>> you extract the firmware?
> If the receiver has onboard firmware, isn't that the right one? Then the 
> windows
> driver has no need to load one. Or am I missing the point here?

Actually I am not even 100% sure what are used chips of that device, but 
I expect those are:
usb-interface: IT9303, needs firmware, cannot be loaded from the eeprom IIRC
demodulator: Si2168 (revision B or C?), chip has rom that contains 
firmware, but usually it is replaced newer by downloading
tuner: Si2157 or same family, similar firmware solution than Si2168. 
Si2157 I originally used didn't uploaded firmware update at all, later 
there was added more and more Silabs tuner versions and firmware 
downloading.

Si2168B could be started (and it worked at the time I tested) with 
default rom firmware by using that kind of stub firmware:

$ hexdump -C dvb-demod-si2168-b40-01.fw
00000000  05 00 00 00 00 00 00 00                           |........|
00000008

Not sure if that works any other than just Si2168B.

>>>
>>>
>>> Any other suggestions for this device? You might be able to save me a 
>>> lot
>>> of time since you have experience with these types of devices, I do not.
>>
>> Extracting firmware is done almost always by following steps:
>> 1) take sniffs from the some bus (usb/i2c)
>> 2) identify firmware download section, detect it starting point and 
>> ending point ~few first and last bytes
>> 3) find that firmware binary located inside of binary driver
>>  * grep, hexeditor, etc
>>  * example LANG=C grep -obUaP "\x08\x05\x00" driver.sys
>> 4) use dd command to copy firmware blob from binary driver to separate 
>> file (you need to know firmware location and length inside binary)
>>
>>
>> It is also possible to dump firmware to file from bus sniffs too, but 
>> it requires writing some simple script. Dumping it from the binary 
>> driver is usually still most easiest way.
>>
>> At some point I downloaded bunch of drivers to find out multiple 
>> firmware versions for si2168 and made simple script to ease things. 
>> Script is attached.
>>
>>
>> After all, I suspect root of issue may be still be buggy i2c...
> Me too.
> 
> 
> Jan Pieter.

It could be interesting to see from the sniffs what kind of firmwares 
windows driver downloads to different chips AND if i2c communication is 
working properly.

regards
Antti

-- 
http://palosaari.fi/