
Chuck(G)

GoTek Floppy Emulator, Part III - Try to crack the nut, first try

So what's in the firmware for this thing? I can guess, based on the operation--and having done one myself, but it'd be nice to get the firmware from the unit itself.

So, there's that header near the power pins that I was talking about. I've identified the connections to the MCU USART and noted that the chip has a serial bootloader built in (ST's USART boot protocol) that can be reached from that header. All that's needed is a level converter from 3.3V logic to RS232C and a terminal emulator running on a PC (I really like Realterm).

Jumper the pins that pull the BOOT0 pin up to 3.3V, hook up the serial interface, and then momentarily short the RESET pins so the chip starts in the bootloader instead of the application. Set the terminal to 1200 bps, 8E1 (the bootloader requires even parity) and send a single 7Fh byte; the bootloader uses that first byte to measure the bit rate and answers with 79h, which is its "ACK", telling us that it has locked on and is ready. It only does this once per reset: if nothing comes back, check BOOT0, pulse RESET again and resend the 7Fh.

So, the next thing to send is the "Get" command, 00h, followed by its check byte, FFh (every command byte goes out with its one's complement, and the bootloader NAKs a pair that doesn't match). We get the following string back:
Code:
79 0B 22 00 01 02 11 21 31 43 63 73 82 92 79
Which means:
  • An "ACK" (79h), followed by the byte count N = 0Bh; the bootloader then sends N+1 = 12 bytes (the version plus 11 command codes).
  • The version of the bootloader, 22h, i.e. 2.2.
  • The commands supported by this bootloader:
    00 01 02 11 21 31 43 63 73 82 92
    (Get, Get Version & Read Protection Status, Get ID, Read Memory, Go, Write Memory, Erase, Write Protect, Write Unprotect, Readout Protect, Readout Unprotect)
  • And a closing "ACK".

So then we issue "Get version and read protection status", 01h FEh, and we get back (less the ACKs)
Code:
22 00 04
Which says that we're version 2.2 (but we knew that), followed by the two option bytes: read protection was disabled 00 times and enabled 04 times. The conclusive test of whether flash is readable, though, is simply to ask for it.

Uh oh: the flash ROM is protected. Indeed, if we issue 11h EEh (the "Read Memory" command), we promptly get a 1Fh back, which is the "NAK" response. With read-out protection (RDP) active the bootloader refuses the command outright, before it even asks for an address, so that NAK settles the question.
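The exchange above (the 7Fh sync, "Get", "Get version and read protection status", and the "Read Memory" attempt that a protected part NAKs), as an added example that is not part of the original post or of the GoTek firmware: a small Python client for ST's USART bootloader byte protocol, plus a constructed simulator that replays the byte strings quoted above so the whole thing runs offline. The client only needs an object with read(n)/write(data), so a pyserial port opened with parity='E' and a read timeout could be passed instead of the simulator (an assumption; not exercised here). The simulator's flash contents are constructed, not the GoTek's.

```python
"""STM32 USART bootloader client (ST AN3155 byte protocol) plus a constructed
simulator replaying the replies quoted in this post. Added example, not code
from the original post or from the GoTek firmware."""
ACK, NAK, SYNC = 0x79, 0x1F, 0x7F
FLASH_BASE = 0x08000000  # start of on-chip flash

def cmd_pair(value):  # command bytes and the read length go out as byte + complement
    return bytes([value, value ^ 0xFF])

class Bootloader:
    """Drives any object with read(n)/write(data). Assumption for real hardware:
    the caller opens a pyserial port with parity='E' (8E1) and a read timeout."""
    def __init__(self, port):
        self.port = port
    def _ack(self, stage, nak_ok=False):  # True on ACK; False on NAK only if nak_ok
        b = self.port.read(1)
        if b == bytes([ACK]):
            return True
        if b == bytes([NAK]) and nak_ok:
            return False
        raise RuntimeError(f"{stage}: got {b.hex() or 'nothing'} instead of ACK")
    def sync(self):  # auto-baud handshake: 7Fh right after reset with BOOT0 high
        self.port.write(bytes([SYNC]))
        return self._ack("sync (check BOOT0, the reset pulse and 8E1 framing)")
    def get(self):  # Get (00h) -> (version byte, list of supported command codes)
        self.port.write(cmd_pair(0x00))
        self._ack("get")
        n = self.port.read(1)[0]      # bytes to follow, minus one
        body = self.port.read(n + 1)  # version byte + n command codes
        self._ack("get trailer")
        return body[0], list(body[1:])
    def get_version(self):  # Get Version & Read Protection Status (01h)
        self.port.write(cmd_pair(0x01))
        self._ack("get version")
        version, opt1, opt2 = self.port.read(3)
        self._ack("get version trailer")
        return version, opt1, opt2
    def read_memory(self, address, length):
        """Read Memory (11h): returns bytes, or None when the command byte itself is
        NAKed, which a read-protected part does before ever asking for an address."""
        self.port.write(cmd_pair(0x11))
        if not self._ack("read memory", nak_ok=True):
            return None
        a = address.to_bytes(4, "big")
        self.port.write(a + bytes([a[0] ^ a[1] ^ a[2] ^ a[3]]))  # XOR checksum
        self._ack("address")
        self.port.write(cmd_pair(length - 1))                    # N = bytes - 1
        self._ack("length")
        return self.port.read(length)

class FakeBootloader:
    """Constructed stand-in for the serial port: replays the replies quoted in the
    post, NAKs Read Memory while read_protected, expects one whole frame per write()."""
    GET_REPLY = bytes.fromhex("790B22000102112131436373829279")
    VERSION_REPLY = bytes.fromhex("7922000479")
    def __init__(self, read_protected=True, flash=bytes(range(256))):
        self.read_protected, self.flash = read_protected, flash  # flash is constructed
        self.tx, self.state, self.addr = bytearray(), "cmd", 0
    def read(self, n):
        out, self.tx = bytes(self.tx[:n]), self.tx[n:]
        return out
    def write(self, frame):
        if self.state == "cmd" and frame == bytes([SYNC]):
            self.tx.append(ACK)
            return
        body, chk = frame[:-1], frame[-1]
        xor = 0
        for x in body:
            xor ^= x
        ok = xor ^ chk == (0xFF if len(body) == 1 else 0)  # complement, or XOR of address
        if self.state == "cmd":
            if ok and body[0] == 0x00:
                self.tx += self.GET_REPLY
            elif ok and body[0] == 0x01:
                self.tx += self.VERSION_REPLY
            elif ok and body[0] == 0x11 and not self.read_protected:
                self.tx.append(ACK)
                self.state = "addr"
            else:  # bad check byte, Read Memory under RDP, or unsupported command
                self.tx.append(NAK)
        elif self.state == "addr":
            self.addr, self.state = int.from_bytes(body, "big"), "len" if ok else "cmd"
            self.tx.append(ACK if ok else NAK)
        else:  # "len": after the ACK the bootloader streams N+1 bytes of flash
            self.state = "cmd"
            self.tx.append(ACK if ok else NAK)
            if ok:
                off = self.addr - FLASH_BASE
                self.tx += self.flash[off:off + body[0] + 1]

def probe(port):
    """The post's sequence: sync, Get, Get Version, then try 16 bytes from flash."""
    bl = Bootloader(port)
    version, commands = bl.get() if bl.sync() else (None, [])
    _, opt1, opt2 = bl.get_version()
    data = bl.read_memory(FLASH_BASE, 16)
    return {"version": f"{version >> 4}.{version & 0xF}", "commands": commands,
            "option_bytes": (opt1, opt2), "read_protected": data is None, "data": data}
```

`probe(FakeBootloader())` reproduces the post: version 2.2, the eleven command codes, option bytes 00 04, and `read_protected` True because Read Memory is NAKed at the command byte. `probe(FakeBootloader(read_protected=False))` shows what an unprotected part would have returned instead. Against hardware, `probe(serial.Serial("/dev/ttyUSB0", 115200, parity="E", timeout=1))` would be the call, after pulling BOOT0 high and pulsing reset.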

It's possible to disable the protection ("Readout Unprotect", 92h, is in the supported list), but the bootloader mass-erases the flash as part of clearing it. Fat lot of good that does.

So that's a dead end. The next job is working up a circuit diagram and perhaps cutting our own code after observing some of the operational characteristics of the thing.

But we now know that it's possible to program the chip using a simple serial interface. That may come in handy later... I wonder if a dump program could be written to internal SRAM and used to get the flash contents that way... Nope: while read protection is enabled the bootloader NAKs "Write Memory" (31h) and "Go" (21h) as well, so nothing can be loaded or started, and code booted from SRAM is locked out of flash anyway.

And the beat goes on...


Updated January 17th, 2013 at 12:37 AM by Chuck(G)


Comments

  1. tingo:
    Hmm, try looking for backdoors in the serial bootloader?
  2. Chuck(G):
    I'm not the first to be bamboozled by this one. There are plenty of posts around for ways to get around it, all with no success. ST Micro has posted assurances that the bootloader is unbreakable. Sigh.

    However, I did run across this page and in particular this line:

    "All these Chinese devices are copies of some original that nobody knows where it came from."
    Now that's interesting. Last night I started browsing one of the Chinese websites. There's a lot of software available for download, but the descriptions are all in Mandarin, so it's slow going. I suspect that the prototype firmware is available somewhere--after all, all of those copies had to get their software from somewhere. I'll give the effort to find it a few days, just to see if anything turns up.
  3. RickNel:
    I'd infer that the origin was the Indian Go-Tek company, aimed squarely at keeping India's ageing textile industry machinery ticking over. Their website indicates that they expect to make their money by developing custom firmware for clients, so no surprise they put a premium on firmware security. The Chinese cloners must have got access to Go-Tek's servers. They have plenty of form in that area.
  4. Chuck(G):
    The first time I saw these boxes being offered was from a place in, of all places, Vietnam. Embroidery machines are big throughout the East, including Vietnam, India, Singapore and China.

    It's odd that Winchip/Nanjing Qinheng Electronics has the description of the box on their site--and the qhsfd.com maps to a directory on the NQE server. And qhsfd offers a slimline version.

    I suspect that the Indians may have had the box produced in China. Like all good IP, the Chinese believe that imitation is the sincerest form of flattery. But the qhsfd.com site links to embnm.cn, a big embroidery machinery site.

    So who knows? At any rate, qhsfd.com was up by March 2009 at the latest. If you believe the Wayback Machine, Gotek.in only dates to 2010-2011 or so. It's more likely that the common source is neither.

    I've been trying to unravel that one for some time...

    But the Qinheng site says that they've been in the floppy emulation business since 2005 and they're the ones who have had their IP pirated. Note the photo of the old-style emulator on the same page.

    By the way, I did a download of all of the public files from the NQE server (a bash script and curl)--there's a ton of stuff there--datasheets, PCB layouts (Protel format), schematics, programs--all for USB-oriented products. Some interesting stuff there, if you have the patience to wade through a bunch of Mandarin. I wonder if that's how the floppy emulator stuff was ripped off.
    Updated January 18th, 2013 at 10:49 PM by Chuck(G)