Repacking UPDATA.APP (was New version of split_updata.pl)

202 replies to this topic

#141
Speckles

  • 340 posts
  • Devices:Galaxy S, Pulse, SPV 500 :)
Ok, this is how I think it works:

A function is called (functionA), passed with 128 bytes of data (I'm not sure where this data comes from - I'm assuming the MD5 section) and another buffer which I'm going to call "Buffer B".
Another function is called, passed an unknown amount of data. Its second parameter is a buffer I'm going to call "Buffer C". This function uses constants known to be used by the MD5 digest algorithm.
A third function is called, passed with Buffer B and Buffer C. It returns 0 if the buffers match and 1 if they don't. The size of the compare is 16 bytes (standard MD5 digest size).

FunctionA does a LOT of work, calling many functions, including searching nand for text strings such as "OEM_INFO" and magic constants like I've pasted in a previous post.

I'd LOVE to know what FunctionA returns, but I can't run it in its native environment, and it accesses hardware on the phone directly (doesn't use drivers).

#142
anegin
  • 47 posts
  • Devices:Huawei U8230
Any news about packing updata.app?..

#143
ZeBadger
  • 90 posts
  • Gender:Male
  • Devices:Nexus 4

Any news about packing updata.app?..


Not really looked into it since I got stuck with this md5 certificate thing. Decompiling the updating app is where to go, but I don't think I would be able to get that sorted... although as said above it seems to be referencing the private key from the phone not from the update app. So the only possible way of getting over that would be to open the phone up and physically read the data bus while the update process is in progress, similar to how some consoles were hacked, but that is a little over the top.

#144
McSpoon
  • 280 posts
  • Gender:Male
  • Location:England
  • Devices:Galaxy Tab 10.1
I found some instructions on how the updata.app is packaged. It lists the commands they use for generating the CRCs but unfortunately we don't have their software so it isn't much help. I posted the commands in another thread but I figure it's worth mentioning them here just for the sake of keeping all of the CRC references together.

The seccode looks intriguing but I've no idea what it is.
I'm guessing their crc.mbn is our file02.mbn
The 'addr0x**000000' parameters must be the file sequence identifier (the fileHash array in our Perl script).
...Trying to unravel this makes my head hurt.

1. Eliminate old upgrade package
@if exist dload\updata.app del /f /a dload\updata.app

2. Calculate CRC of all files
..\tools\CRCgen -ibin BINs\header\boothd.img BINs\boot.img BINs\header\systemhd.img BINs\system.img BINs\header\userdatahd.img BINs\userdata.img BINs\header\recoveryhd.img BINs\recovery.img -o crc.mbn

3. Making CRC files into a package module
..\tools\bin2app -F -iBin crc.mbn addr0xF4000000 seccode0x48575538323230FF descinput -o crc_v.bin descHUAWEI_U8220_CRC_BEIJING

4. Making boothd.img into a package module
..\tools\bin2app -F -iBin BINs\header\boothd.img addr0xF5000000 seccode0x48575538323230FF descinput -o boothd_v.bin descHUAWEI_U8220_CRC_BEIJING

5. Making boot.img into a module
..\tools\bin2app -F -iBin BINs\boot.img addr0x30000000 seccode0x48575538323230FF descinput -o boot_v.bin descHUAWEI_U8220_CRC_BEIJING

6. Making CRC module and boothd.img module into a package together, creating a temporary file temp13.bin
..\tools\bin2app -F -iAPP crc_v.bin boothd_v.bin -o temp13.bin descHUAWEI_U8220_BEIJING

7. Making temporary files temp14.bin and boot.img together, creating temporary file temp14.bin
..\tools\bin2app -F -iAPP temp13.bin boot_v.bin -o temp14.bin descHUAWEI_U8220_BEIJING

8. Repeat the same operation as step 4 to 7, making system, userdata and recovery together, finally creating dload\UPDATA.APP.
..\tools\bin2app -F -iAPP temp19.bin recovery_v.bin dload/updata.app descHUAWEI_U8220_BEIJING


#145
Speckles
  • 340 posts
  • Devices:Galaxy S, Pulse, SPV 500 :)
We could probably do it by reflashing the portion of nand which contains the update executable from recovery, but if you get it wrong - bricked phone. If you get it right, it'll work until the next update reflashes the updater again.

It would also be confusing for people, as they would have to ensure they have the special updater before trying to flash a user-created updata.app.

Or we could build another recovery app that can parse updata.app's and doesn't care about the signature. However, we could only flash the sections we understand, in which case, you might as well just use fastboot.

#146
Speckles
  • 340 posts
  • Devices:Galaxy S, Pulse, SPV 500 :)
McSpoon: Very interesting, can you post that PDF?

seccode is just "HWU8220" in hex.

I'm thinking the file sequence id was misnamed - it is actually a flash address 0xF5000000 etc

Edited by Speckles, 07 September 2010 - 09:35 PM.
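
A check of the two observations above against the bin2app commands quoted in post #144, as an added example that is not part of the original posts or of Huawei's tooling: it parses the module-building commands, decodes each seccode value as ASCII and reads each addr value as a number. Treating the trailing 0xFF byte as padding is an assumption, and the function names are hypothetical.

```python
import re

# Commands as quoted in post #144 (steps 3-6 of the PDF).
COMMANDS = r"""
..\tools\bin2app -F -iBin crc.mbn addr0xF4000000 seccode0x48575538323230FF descinput -o crc_v.bin descHUAWEI_U8220_CRC_BEIJING
..\tools\bin2app -F -iBin BINs\header\boothd.img addr0xF5000000 seccode0x48575538323230FF descinput -o boothd_v.bin descHUAWEI_U8220_CRC_BEIJING
..\tools\bin2app -F -iBin BINs\boot.img addr0x30000000 seccode0x48575538323230FF descinput -o boot_v.bin descHUAWEI_U8220_CRC_BEIJING
..\tools\bin2app -F -iAPP crc_v.bin boothd_v.bin -o temp13.bin descHUAWEI_U8220_BEIJING
"""

FIELD = re.compile(r"(addr|seccode)0x([0-9A-Fa-f]+)")

def decode_seccode(hex_digits):
    """Return (ASCII text, count of trailing 0xFF bytes) for a seccode value."""
    raw = bytes.fromhex(hex_digits)
    text = raw.rstrip(b"\xff")  # assumption: trailing 0xFF is padding
    return text.decode("ascii"), len(raw) - len(text)

def parse_module(line):
    """Parse one '-iBin' command; return None for any other line."""
    tokens = line.split()
    if "-iBin" not in tokens or "-o" not in tokens:
        return None  # '-iAPP' merge steps carry no addr or seccode
    fields = dict(m.groups() for m in map(FIELD.fullmatch, tokens) if m)
    text, padding = decode_seccode(fields["seccode"])
    return {
        "input": tokens[tokens.index("-iBin") + 1],
        "output": tokens[tokens.index("-o") + 1],
        "addr": int(fields["addr"], 16),
        "seccode": text,
        "padding": padding,
    }

def parse_commands(text):
    """Return one record per module, checking that addr is unique per file."""
    modules = [m for m in map(parse_module, text.splitlines()) if m]
    addrs = [m["addr"] for m in modules]
    if len(set(addrs)) != len(addrs):
        raise ValueError("addr values are expected to be unique per file")
    return modules

if __name__ == "__main__":
    for mod in parse_commands(COMMANDS):
        print(f'{mod["input"]:<28} addr=0x{mod["addr"]:08X} '
              f'seccode={mod["seccode"]!r} (+{mod["padding"]} pad byte)')
```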

#147
McSpoon
  • 280 posts
  • Gender:Male
  • Location:England
  • Devices:Galaxy Tab 10.1

McSpoon: Very interesting, can you post that PDF?

Sure. PDF attached.

#148
ZeBadger
  • 90 posts
  • Gender:Male
  • Devices:Nexus 4

I'm thinking the file sequence id was misnamed - it is actually a flash address 0xF5000000 etc


Possible... I made up the file sequence id name as they were unique per file.

#149
ZeBadger
  • 90 posts
  • Gender:Male
  • Devices:Nexus 4

8. Repeat the same operation as step 4 to 7, making system, userdata and recovery together, finally creating dload\UPDATA.APP.
..\tools\bin2app -F -iAPP temp19.bin recovery_v.bin dload/updata.app descHUAWEI_U8220_BEIJING


This might just do exactly what we want. We could much more easily reverse engineer bin2app (if we even need to!)

Edited by ZeBadger, 07 September 2010 - 10:14 PM.

#150
Speckles
  • 340 posts
  • Devices:Galaxy S, Pulse, SPV 500 :)

Possible... I made up the file sequence id name as they were unique per file.

I'm not knocking your idea, it's still the best way to decide what each file in the archive is.

#151
Speckles
  • 340 posts
  • Devices:Galaxy S, Pulse, SPV 500 :)

This might just do exactly what we want. We could much more easily reverse engineer bin2app (if we even need to!)

So, all we need now is bin2app :P

#152
ZeBadger
  • 90 posts
  • Gender:Male
  • Devices:Nexus 4

So, all we need now is bin2app :P

Is it not in the zip file? I'm downloading, but it's very slow and I'm off to bed :/

#153
McSpoon
  • 280 posts
  • Gender:Male
  • Location:England
  • Devices:Galaxy Tab 10.1

seccode is just "HWU8220" in hex.

Ah, good catch on seccode being HWU8220. I completely missed that.

Is it not in the zip file? I'm downloading, but it's very slow and I'm off to bed :/

Unfortunately it doesn't include them.
The S7 firmware zip just contains an updata.app and that PDF.
Documented in the PDF is a link to a Windows usb-driver but I couldn't find the tools in that either (although I'm using Linux so I couldn't install it)

#154
anegin
  • 47 posts
  • Devices:Huawei U8230
From Chinese community of huaweidevice .com))

The tools for UPDATA.APP need the special computer to use it, and it will not open to user for safety.
In our company, there are few computers can be used to build the updata.app file.
I don't know why. And someone tell me these computers are special, maybe some special operations did on these computers.
I don't know the format of updata.app either, maybe I can ask this question to fellow.


#155
uttec.com
  • 7 posts

Ah, good catch on seccode being HWU8220. I completely missed that.
Unfortunately it doesn't include them.
The S7 firmware zip just contains an updata.app and that PDF.
Documented in the PDF is a link to a Windows usb-driver but I couldn't find the tools in that either (although I'm using Linux so I couldn't install it)


If we could unpack the update.app, the package-making script may be in \data\cdrom\autorun.iso

#156
anegin
  • 47 posts
  • Devices:Huawei U8230
what's da f...?

#157
Speckles
  • 340 posts
  • Devices:Galaxy S, Pulse, SPV 500 :)

From Chinese community of huaweidevice .com))

That figures. We know it's really easy to produce UPDATA.APP files, but it's almost impossible to sign them without Huawei's private key. If Huawei take security seriously, this key will only be installed on a few PCs, so the above comment about a 'special computer' makes sense. If they installed it on every PC, it would be too easy for the key to be leaked.
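
The three-call check described in post #141 and the signing problem described above, as an added example that is not code from the updater or from any post: it assumes functionA is an RSA public-key operation on a 128-byte (1024-bit) signature, which the thread does not confirm. The key is generated for the demo, the padding is simplified to leading zero bytes, and all names are hypothetical.

```python
import hashlib
import hmac
import random

SIG_LEN, DIGEST_LEN, E = 128, 16, 65537  # sizes from post #141; E is assumed

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test for odd n > 3."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def is_witness(a):  # True when a proves n composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all(
            pow(x, 2 ** r, n) != n - 1 for r in range(1, s))
    return not any(is_witness(rng.randrange(2, n - 1)) for _ in range(rounds))

def make_demo_key(seed=2010):
    """Constructed 1024-bit key (seeded, so not secret). Returns (n, d)."""
    rng = random.Random(seed)
    primes = []
    while len(primes) < 2:
        c = rng.getrandbits(512) | (3 << 510) | 1  # top two bits set, odd
        if c % E != 1 and c not in primes and is_probable_prime(c, rng):
            primes.append(c)
    p, q = primes
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def sign_image(image, n, d):
    """Vendor side: only possible with the private exponent d."""
    digest = int.from_bytes(hashlib.md5(image).digest(), "big")
    return pow(digest, d, n).to_bytes(SIG_LEN, "big")

def verify_image(image, signature, n):
    """Device side: 0 if the buffers match, 1 if not, as in the post."""
    block = pow(int.from_bytes(signature, "big"), E, n).to_bytes(SIG_LEN, "big")
    buffer_b = block[-DIGEST_LEN:]           # output of "functionA"
    buffer_c = hashlib.md5(image).digest()   # the MD5 routine
    padding_ok = not any(block[:-DIGEST_LEN])
    return 0 if padding_ok and hmac.compare_digest(buffer_b, buffer_c) else 1

def demo():
    n, d = make_demo_key()
    image = b"constructed sample image, not real firmware"
    signature = sign_image(image, n, d)
    return verify_image(image, signature, n), verify_image(image + b"!", signature, n)

if __name__ == "__main__":
    print(demo())
```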

#158
anegin
  • 47 posts
  • Devices:Huawei U8230
and what does it mean? we have no chances?(((

#159
alechy
  • 11 posts
  • Devices:Imate SPL

I've been working on examining UPDATA.APP and have pretty much got most of the file format identified.

I've modified the original split_updata.pl to extract the correct filenames out every time (based on McSpoon's filenames) and also CRC check the extracted file.

Script is here
It needs this crc checking binary to be in the same directory (linux only, until I get time to convert the c code to perl)

Actions that I think need to be done... anyone can help out here :rolleyes:

  • Identify what the 2 byte Something2 is and how to calculate it... if that is even relevant (see my later posts)
  • Identify what files are actually needed for an UPDATA.APP (the Huawei "time machine" one only had 6 files)
  • Write code to repack the UPDATA.APP
  • Convert the CRC c code into Perl
  • Write Perl script to repack
  • Write a windows app to repack
I'm editing this post to be up-to-date, so some of the below posts might not make much sense!



I have a file named updata.app.
In China, it is used to enable GSM on the HUAWEI C8600.

It is a small file, so it should be easier to analyze.

#160
nizarovich
  • 52 posts
  • Devices:u8230
Somebody can unpack U8230-Tmobile-Rom- for me and share it !!
