GRE Scanner firmware dump

Status
Not open for further replies.

benbur27 (Member, Premium Subscriber; joined Dec 21, 2011; 50 messages; Sacramento, Ca):
I was reading that some of the GRE scanners have little to no ongoing FW development from GRE.

Has anyone tried to dump the firmware from either the scanner itself or the firmware updater? I had a look at the updater and the actual FW is embedded and looks fairly easy to extract. After that we could RE to add features as needed.
 

mancow (Member, Database Admin; joined Feb 19, 2003; 5,935 messages; N.E. Kansas):
You would have to parse it out and decode it somehow. How would that be done without a roadmap of how it all breaks down?
 

benbur27:
Update: I was able to locate and extract the firmware bin from the exe GRE provides. Next is identifying what the scanner is running. I have a hunch it is VxWorks, in which case I will be able to do quite a bit with it. Even if it isn't, some modifications can be made with good old assembly.

To answer your question: it really depends on what this firmware image is. If it is VxWorks it will be a cinch. If not, it will depend on a few things, such as whether or not they compiled with debug symbols enabled :)

After that I will test a simple op modification to their firmware image, load it back into the exe and see if there are any checksums to keep us from being able to flash the scanner using their tool. If there are, that will require a little work as well. In any case we won't need to open the scanner up to flash.
 

benbur27:
mancow wrote:
> You would have to parse it out and decode it somehow. How would that be done without a roadmap of how it all breaks down?

Also, a tried and true method would be to RE to C methods and manually inspect and add comments. Again, if debug symbols exist this is made many times easier.
 

OCO (Member, Premium Subscriber; joined Jul 17, 2011; 923 messages; Central Michigan):
GRE may take some interest in what you're doing, especially in what you publish... I'm sure you know that the code is all proprietary and protected by copyright.

Ever wonder where DSDAuthor went?? Think that he might have heard from DVSI about some of the code used in DSD? Hopefully DSDAuthor was a pseudonym used by one of our other regulars and not the result of a midnight visit (I know, I know, tinfoil hats all around..), never to be heard from again. ;-)
 

mancow:
Excellent project. Is there anything that can be done with regular tools, or do you need some proprietary VxWorks software to do any of this?
 

benbur27:
mancow wrote:
> Excellent project. Is there anything that can be done with regular tools, or do you need some proprietary VxWorks software to do any of this?
Yes, a few ways.

1.) One can use a free disassembler or the trial of IDA, and any free assembly editor. This would be for simple feature edits or inserting custom code into the existing binary.

2.) Any free C++ compiler linked to the proper libraries. I have already turned the firmware into an ugly C code base. This may not be the best way to do it; we will see.

I am not at all concerned. If one were to publish, all you would do is create a patch. This way you are not distributing any software that does not belong to you.

My goal would be to add features, enable different behaviors, etc. One good note is that their radios have two firmwares: one running and one failsafe. If you completely brick the radio with a bad firmware flash it will reload the failsafe and you are back up and running.

Stay tuned. Anyone with assembly/C experience is welcome to dig in. I plan on commenting some of the jump points first to get the ball rolling.
 

blantonl (Founder and CEO, Staff member; joined Dec 9, 2000; 9,274 messages; San Antonio, TX):
One feature that would be awesome would be to enable tracking of EDACS digital calls (i.e. ProVoice). In fact, the best way would be to track the talkgroup but mute the speaker, so the discriminator output has the ProVoice digital signal which can be fed to DSD, but the scanner is muted for digital calls but still tracks and monitors analog calls.
 

wwhitby (Member, Premium Subscriber; joined Jan 10, 2003; 1,048 messages; Autauga County, Alabama):
blantonl wrote:
> One feature that would be awesome would be to enable tracking of EDACS digital calls (i.e. ProVoice). In fact, the best way would be to track the talkgroup but mute the speaker, so the discriminator output has the ProVoice digital signal which can be fed to DSD, but the scanner is muted for digital calls but still tracks and monitors analog calls.
+100

As well as allowing ProVoice ICalls to display.

I've suspected for a while that GRE won't be releasing any new updates for the PSR-500/600. I've thought for quite some time that the future for scanning is a software defined scanner.

Warren
 

SCPD (QRT; joined Feb 24, 2001; 65,126 messages; Virginia):
Patches are a good start but why stop there?

Once you've figured out how to control the PLL, preselector, keypad and display, you can command the radio to do whatever you want (with no copyright issues, I might add).
 

Thayne (Member, Premium Subscriber; joined May 1, 2002; 2,130 messages):
I am keeping my fingers crossed and even a toe that was broken once---:p
 

benbur27:
SCPD wrote:
> Patches are a good start but why stop there?
>
> Once you've figured out how to control the PLL, preselector, keypad and display, you can command the radio to do whatever you want (with no copyright issues, I might add).

Yes, once you get that far it is possible. You can make a classic snake game or implement anything you wish with the receiver.
 

DonS (Member; joined Jun 17, 2003; 4,105 messages; Franktown, CO):
benbur27 wrote:
> I have already turned the firmware into an ugly C code base.
> ...
> anyone with assembly/C experience is welcome to dig in.
I have a bit of embedded C/assembly experience.

I'd be curious about progress on this effort. For example, how did you convert the extracted "firmware bin" to assembly or object code, so that you could then turn it into [ugly] C?
 

benbur27:
DonS wrote:
> I have a bit of embedded C/assembly experience.
>
> I'd be curious about progress on this effort. For example, how did you convert the extracted "firmware bin" to assembly or object code, so that you could then turn it into [ugly] C?

Once I unpacked it properly, I used Hex-Rays to create "ugly" C code. I am going both routes (ASM edits to poke around, and C reversal).
 

DonS:
benbur27 wrote:
> Once I unpacked it properly, I used Hex-Rays to create "ugly" C code. I am going both routes (ASM edits to poke around, and C reversal).
I guess my main questions have to do with how you a) "unpacked it properly", then b) figured out how to disassemble it.
 

benbur27:
DonS wrote:
> I guess my main questions have to do with how you a) "unpacked it properly", then b) figured out how to disassemble it.
Have a look at the firmware installer in IDA or Binwalk and you'll see the magic bytes quickly. They tried to obfuscate the bin file by padding BOTH sides.
 
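The two steps benbur27 describes above, carving the embedded bin out of the installer by its magic bytes when it is padded on both sides, and then making a "simple op modification" and checking whether a checksum stops the tool from flashing it, as an added worked example. This is not code from the thread and not GRE's format: the container layout, the MAGIC string, the little-endian length field and the trailing CRC32 are all assumptions invented for the demo, and the "installer" it operates on is constructed inline.

```python
import struct
import zlib

# Assumed container layout for this demo (NOT GRE's real format):
#   <0xFF padding> MAGIC | u32 LE payload length | payload | u32 LE CRC32 <0x00 padding>
MAGIC = b"FWIMG\x00"   # hypothetical magic; substitute whatever binwalk/IDA shows
HDR = len(MAGIC) + 4   # magic + length field
PAD_MIN = 64           # minimum single-byte run treated as padding


def build_demo_container(payload: bytes, pad: int = 4096) -> bytes:
    """Constructed sample: a checksummed image padded on BOTH sides, as the post describes."""
    body = MAGIC + struct.pack("<I", len(payload)) + payload
    image = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return b"\xff" * pad + image + b"\x00" * pad


def padding_runs(data: bytes, min_run: int = PAD_MIN):
    """Return (start, end, value) for runs of 0x00 or 0xFF at least min_run long.
    Long single-byte runs on either side of a blob are the padding to cut away."""
    runs, i, n = [], 0, len(data)
    while i < n:
        j = i + 1
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_run and data[i] in (0x00, 0xFF):
            runs.append((i, j, data[i]))
        i = j
    return runs


def carve_image(container: bytes):
    """Locate MAGIC, read the length field and cut out exactly one image.
    Returns (offset, image_bytes)."""
    off = container.find(MAGIC)
    if off < 0:
        raise ValueError("magic not found")
    (length,) = struct.unpack_from("<I", container, off + len(MAGIC))
    end = off + HDR + length + 4
    if end > len(container):
        raise ValueError("length field runs past end of container")
    return off, container[off:end]


def checksum_ok(image: bytes) -> bool:
    """Compare the trailing CRC32 with one recomputed over the rest of the image."""
    body, (stored,) = image[:-4], struct.unpack("<I", image[-4:])
    return (zlib.crc32(body) & 0xFFFFFFFF) == stored


def patch_and_reseal(image: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Apply a same-length byte patch inside the payload and recompute the trailer,
    so an integrity check on the image passes again after the edit."""
    body = bytearray(image[:-4])
    if offset < HDR or offset + len(new_bytes) > len(body):
        raise ValueError("patch must stay inside the payload")
    body[offset:offset + len(new_bytes)] = new_bytes
    body = bytes(body)
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def reinsert(container: bytes, off: int, new_image: bytes) -> bytes:
    """Splice the resealed image back at the same offset. Keeping the length the same
    leaves the padding and any absolute offsets inside the installer untouched."""
    return container[:off] + new_image + container[off + len(new_image):]


if __name__ == "__main__":
    payload = bytes(range(256)) * 2               # constructed stand-in for code
    container = build_demo_container(payload)
    print("padding runs:", padding_runs(container))
    off, image = carve_image(container)
    print("image at", hex(off), "len", len(image), "crc ok:", checksum_ok(image))
    tampered = image[:HDR] + b"\x90" + image[HDR + 1:]
    print("naive one-byte edit passes check:", checksum_ok(tampered))
    fixed = patch_and_reseal(image, HDR, b"\x90")
    print("resealed passes check:", checksum_ok(fixed))
    container2 = reinsert(container, off, fixed)
    print("recarved ok:", carve_image(container2)[1] == fixed)
```

To use it on a real installer, read the exe into `container`, set `MAGIC` to the bytes the disassembler or binwalk shows at the start of the blob, and adjust `carve_image` to the real header; if the trailer is not a CRC32, try the other common candidates (byte sum, CRC-16, CRC32 over a different span) before concluding that the updater checks nothing. The point of `tampered` versus `fixed` is the one in the post: a raw one-byte edit is the experiment that reveals whether a checksum exists, and resealing is the "little work" required if it does.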

DonS:
What microprocessor do they use (first step in disassembling)?

What are the first few instructions (opcodes and/or disassembled)?

EDIT: More importantly, which GRE scanner are you talking about?
 