It is a 20MHz REA, if you want more info you'll have to wait until my notes are more organized
I have been doing this for 13 years, cheers.
GRE Scanner firmware dump
- Thread starter benbur27
- Start date
- Status
It is a 20MHz REA, if you want more info you'll have to wait until my notes are more organized
I have been doing this for 13 years, cheers.DonS
Member
I'm not familiar with "REA". Where can I find datasheets on those processors?
DonS
Member
And which GRE-made scanner are we talking about? (There are several whose firmware can be updated via an EXE.)
Am I seeing this right, the chunk of actual FW appears to be from 0041A509 to 00457920 in IDA? (looking at a pro-197 updater exe)
DonS
Member
That probably depends on what EXE you're loading into IDA. All of the GRE scanners should have different upgrade EXEs, and therefore different addresses in those EXEs.
DonS
Member
Cheers, newbie
(I've been doing embedded development since '83. I brought up my first board, a little Z80-based machine that I hand-coded in binary (no compiler or assembler; just a datasheet and an EEPROM programmer), with a 2-channel analog 'scope.)
DonS
Member
Good, we need all the experience we can get. Writing for embedded is 1/2 the battle, I too write for VXWorks and others. Being able to read the assembly, document the jump points, stub calls where needed to allow for custom assembly injection, etc is entirely different.
We are dealing with a very, very basic MCU. The good news is I have my GRE apart at the moment, and will take some detailed pics to aide in the reversing. I can also tell you it has a 512k Hitachi EEPROM with a serial interface.
This is actually going to be a ton of fun Once I have this beast reversed we can see what all can be done.
We are dealing with a very, very basic MCU. The good news is I have my GRE apart at the moment, and will take some detailed pics to aide in the reversing. I can also tell you it has a 512k Hitachi EEPROM with a serial interface.
This is actually going to be a ton of fun
Once I have this beast reversed we can see what all can be done.DonS
Member
Being able to list the first instruction of executable code would be a good first step.
With all due respect, I doubt that you're yet looking at the microcontroller's executable binary. You haven't even posted a link to the processor's data sheet, much less described the very first instruction of executable code.
EDIT: Very first step: tell us what scanner you're working with. GRE makes several.
Last edited:
I cant do all the work for you
I already have the MCU data sheet, EEPROM, low speed data filter and PLL data sheets up. Pull up the GRE "CPU updater" executable of your choice (MFC C++). Find the section with compressed data (they padding and stripped the header out), extract to a new IDA session. Add in the proper ARJ or header and decompress.
Take the now complete grecom mcu binary and run it back through IDA or your dissasembler of choice. Start documenting as needed, run hex rays to create some C, etc.
DonS
Member
Those steps don't do me any good if I don't know what microcontroller is used in the scanner. The extracted data may as well be random garbage if I don't know how to interpret it (i.e. MCU's object code format).
They use a variety of MCU's. Of the 7 GRE/RS scanners I have now, the MCU I am targeting is the one in my 310, a Renesas M16C/60 (M3062LFGPGP#U5C). Datasheet is below.
http://documentation.renesas.com/eng/products/mpumcu/rej09b0137_m16csm.pdf
If you need a little device specific assembly help:
http://www.glyn.de/data/glyn/media/doc/rej05b0085_m16cap.pdf
Ok, another step. Now I need to find a M16C toolset I can use to make documenting much easier.
If enough can be reversed one could just write a new OS using the info gained from reversing and a lot of effort.
http://documentation.renesas.com/eng/products/mpumcu/rej09b0137_m16csm.pdf
If you need a little device specific assembly help:
http://www.glyn.de/data/glyn/media/doc/rej05b0085_m16cap.pdf
Ok, another step. Now I need to find a M16C toolset I can use to make documenting much easier.
If enough can be reversed one could just write a new OS using the info gained from reversing and a lot of effort.
some disclaimers might be appropriate at this point.
Surely, what did you have in mind? Updating the existing firmware may cause instability in the radio, but given the hardware bricking it is fairly impossible (even according to GRE). I will donate my 310 to the cause.
benbur27, my comment wasn't directed to you.
DonS
Member
Hell no!
People need to figure things out for themselves, using the search feature on this forum.
I'll give one disclosure: the O.P. obviously doesn't know what he's talking about (M16C/60???? WRONG!!!)
Hell no!
People need to figure things out for themselves, using the search feature on this forum.
I'll give one disclosure: the O.P. obviously doesn't know what he's talking about (M16C/60???? WRONG!!!)
Unless GRE filed inaccurate information with the FCC (https://gullfoss2.fcc.gov/eas/GetApplicationAttachment.html?id=1326504) then built them...
Hell no!
People need to figure things out for themselves, using the search feature on this forum.
:lol:
Previous link was not good: https://gullfoss2.fcc.gov/oetcf/eas...me=N&application_id=538637&fcc_id='ADV0713902
Digikey sells the MCU here: http://parts.digikey.com/1/parts/555237-ic-m16c-62p-mcu-flash-100lqfp-m3062lfgpgp-u5c.html
Digikey sells the MCU here: http://parts.digikey.com/1/parts/555237-ic-m16c-62p-mcu-flash-100lqfp-m3062lfgpgp-u5c.html
- Status
Similar threads
