Virus TI Hardware Firmware

After reading this blog:

https://github.com/foxx/foxx.github.io/blob/master/_posts/2012-10-26-access-virus-ti-firmware-reverse.markdown

I decided to take it one step further and try to find out more information about the firmware.

Though I’m not sure how Cal was able to extract the DSP firmware.

Having extracted the firmware.bin file, we are able to obtain: vti.bin, vti2.bin and vti_snow.bin. I assume these are for the Virus TI, Virus TI 2 and Virus TI Snow.

These files are not the DSP firmware directly. They are actually a collection of 32 kByte files.

Here are the first few bytes of one of the files.
Yellow – Number of bytes in this file (0x336B44)
Red – Memory Section Identifier (“S002”)
Blue – Number of bytes in this Memory Section (0x00008C02)
Green – Memory Section Id in Hex (0x82)
Purple – The byte offset of the section data shown in Cyan.
Cyan – 32 bytes of Actual Data

These sections are repeated until the end of the file.

We can see in the next section, in Green, that (82 00 20) represents Memory Section 0x82 at offset 0x20, as the preceding section held the first 32 bytes.

DataFormat

Use the code at:

https://github.com/AdrianGin/misc/tree/master/dspcode/VirusFW

to extract all the chunks of data. In this case I have extracted vti_snow.bin, which is actually made up of around 52 x 32 kByte files.
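A minimal parser for the layout described above, as an added example (it is not the code from the linked VirusFW repository). The field widths, the big-endian byte order and the handling of leftover bytes are assumptions inferred from the values quoted in the post, and the sample input is constructed rather than taken from real firmware.

```python
import struct

CHUNK = 32               # data bytes per record (Cyan)
RECORD = 1 + 2 + CHUNK   # id byte (Green) + 16-bit offset (Purple) + data = 35
IMAGE_SIZE = 0x8000      # each extracted file is 32 kByte
# Note: 0x8C02 == 1024 * RECORD + 2, i.e. 1024 records plus 2 bytes left over.

def parse_container(blob):
    """Return (declared_len, [(name, mem_id, image, leftover), ...])."""
    # Assumption: 4-byte big-endian length field at the start of the file.
    (declared_len,) = struct.unpack_from(">I", blob, 0)
    pos, sections = 4, []
    while pos + 8 <= len(blob):
        name, sec_len = struct.unpack_from(">4sI", blob, pos)
        pos += 8
        if sec_len > len(blob) - pos:
            raise ValueError(f"section {name!r} overruns the file")
        body = blob[pos:pos + sec_len]
        pos += sec_len
        image = bytearray(b"\xff" * IMAGE_SIZE)   # unwritten bytes stay 0xFF
        mem_id, count = None, len(body) // RECORD
        for i in range(count):
            rec_id, offset = struct.unpack_from(">BH", body, i * RECORD)
            if offset + CHUNK > IMAGE_SIZE:
                raise ValueError(f"record {i}: offset {offset:#x} out of range")
            mem_id = rec_id if mem_id is None else mem_id
            image[offset:offset + CHUNK] = body[i * RECORD + 3:(i + 1) * RECORD]
        leftover = body[count * RECORD:]          # kept raw, not interpreted
        sections.append((name.decode("ascii", "replace"), mem_id,
                         bytes(image), leftover))
    return declared_len, sections

def build_sample():
    """Constructed input in the described layout; not real firmware."""
    payload = bytes(i % 251 for i in range(IMAGE_SIZE))
    body = b"".join(struct.pack(">BH", 0x82, off) + payload[off:off + CHUNK]
                    for off in range(0, IMAGE_SIZE, CHUNK))
    body += b"\x00\x00"                           # placeholder leftover bytes
    section = b"S002" + struct.pack(">I", len(body)) + body
    return struct.pack(">I", len(section)) + section, payload

if __name__ == "__main__":
    blob, _ = build_sample()
    _, parsed = parse_container(blob)
    for name, mem_id, image, leftover in parsed:
        print(name, hex(mem_id), len(image), leftover.hex())
```

The length and offset checks matter when parsing untrusted images: a section length or record offset taken at face value would otherwise read or write outside the 32 kByte buffer.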

Extract.JPG

It seems that there are (P) ‘PatchFiles’, (S) ‘Init/MultiFiles’ and (F) Firmware Files. Although all the files are 32 kBytes long, a lot of data is uninitialised to 0xFF.

After doing some analysis of the files, it turns out that F35 and F34 contain some interesting pieces of firmware.

F35.JPG

F34

These look to have been generated with the inputs ‘fvds102.lod’ and ‘wvds119.lod’. I did the same with the vti.bin and vti2.bin, and these differ slightly and have the identifiers ‘fvd102.lod’ and ‘wvd119.lod’ – without the ‘snow’ ‘s’ in them.

I’ve done some DSP56k work before (Novation Circuit uses a dual core DSP56724) and the DSP56k toolchain has the process of:
1. ASM files get compiled into object files
2. Object files get linked to form a single CLD file.
3. CLD file can get converted to a LOD file.

I believe this is what these LOD files represent. However, these LOD files cannot be parsed by the Interactive Disassembler, IDA. These files could also represent some sort of wave data.

IDA still fails to recognise these bin files and it seems there is still more to decipher.

The other bin files contain strings and 512-byte patches, amongst other things. Also available are:

The (Snow only) tpkt038.bin 06/09/09-17:58:42< file, located in F060 and F061; these are both identical.

The tusb037.bin files, which are only in the vti/2.bin and not in snow. I guess this firmware can be used to update the Texas Instruments tusb3200ac streaming USB controller.

 

 

 

 

 

 

 
