
Repacking UPDATA.APP (was New version of split_updata.pl)


Guest ZeBadger


Guest McSpoon
seccode is just "HWU8220" in hex.

Ah, good catch on seccode being HWU8220. I completely missed that.

Is it not in the zip file? I'm downloading, but it's very slow and I'm off to bed :/

Unfortunately it doesn't include them.

The S7 firmware zip just contains an updata.app and that PDF.

Documented in the PDF is a link to a Windows USB driver, but I couldn't find the tools in that either (although I'm using Linux so I couldn't install it).


From the Chinese community of huaweidevice.com))

The tools for UPDATA.APP need a special computer to use them, and it will not be opened to users for safety.

In our company, there are few computers that can be used to build the updata.app file.

I don't know why. And someone told me these computers are special; maybe some special operations were done on these computers.

I don't know the format of updata.app either; maybe I can ask this question to a fellow.


  • 2 weeks later...
Guest uttec.com
Ah, good catch on seccode being HWU8220. I completely missed that.

Unfortunately it doesn't include them.

The S7 firmware zip just contains an updata.app and that PDF.

Documented in the PDF is a link to a Windows USB driver, but I couldn't find the tools in that either (although I'm using Linux so I couldn't install it).

If we could unpack the update.app, the package-making script may be in \data\cdrom\autorun.iso


Guest Speckles
From the Chinese community of huaweidevice.com))
That figures. We know it's really easy to produce UPDATA.APP files, but it's almost impossible to sign them without Huawei's private key. If Huawei take security seriously, this key will only be installed on a few PCs, so the above comment about a 'special computer' makes sense. If they installed it on every PC, it would be too easy for the key to be leaked.

  • 1 month later...
I've been working on examining UPDATA.APP and have pretty much got most of the file format identified.

I've modified the original split_updata.pl to extract the correct filenames out every time (based on McSpoon's filenames) and also CRC check the extracted file.

Script is here

It needs this CRC checking binary to be in the same directory (Linux only, until I get time to convert the C code to Perl).

Actions that I think need to be done... anyone can help out here :rolleyes:

  • Identify what the 2 byte Something2 is and how to calculate it... if that is even relevant (see my later posts)
  • Identify what files are actually needed for an UPDATA.APP (the Huawei "time machine" one only had 6 files)
  • Write code to repack the UPDATA.APP
    • Convert the CRC c code into Perl
    • Write Perl script to repack
    • Write a windows app to repack

I'm editing this post to be up-to-date, so some of the below posts might not make much sense!

I have a file named updata.app.

In China, it is used to enable GSM on the HUAWEI C8600.

A small file.

I have an updata.app that is used to enable the GSM application on the Huawei C8600 phone.

It is very small, so it should be easier to analyse.

______GMS______dload_android2.1update1_.rar


  • 1 month later...
Guest AntonioPT

This guy says he's got bin2app (posted here)! Isn't that all that was missing for us to repack UPDATA.APP?

Believe it or not I have Bin2App.exe :)

What I'm missing is CRCGEN!

If anyone has it, contact me!

Bin2App.exe  [-F] -iAPP 文件名1  文件名2 -o 合并后的文件
        -iBin  Name:文件名:一个二进制文件
        Addr:  地址
        SecCode: 安全码
        Desc: 对应的显示名(可选)
        -o: 要转换为的App文件名
        Desc: App文件显示名(可选)
        -iApp  文件名1 文件名2: 需要合并的2个文件

Does anybody know how to set up the CMD console so it can read Chinese characters? I tried many codepages, without apparent success.


Zibri, it's good news! Waiting for your tool.

I just finished writing the main program. It's better than bin2app :)

Now I need to figure out the 1024 bit signature and I'm done.


Guest thom@cn
I just finished writing the main program. It's better than bin2app :(

Now I need to figure out the 1024 bit signature and I'm done.

Hi, Zibri, could you post the analysis of updata or bin2app?

Of course, the source code of bin2app is much better.

Thanks for your hard work on the damn Huawei updata.


I just finished writing the main program. It's better than bin2app :(

Now I need to figure out the 1024 bit signature and I'm done.

IT

Any news, Zibri?

EN

any news?


  • 2 weeks later...
Guest thom@cn

I think there's no need to reverse-engineer 0xe2000000.

Think a bit: we can upgrade on the phone itself, via Settings -> SD card update.

After reverse-engineering Settings.apk (apktool is a good tool; you may need framework-res-hwext.apk),

I find that the whole upgrade process calls updateModemandApp, which is in libandroid_runtime.so (/system/lib/),

so we can disassemble it and then find out..

I'm doing it, but I'm not familiar with ARM instructions.

I've tracked the above message down in the updater app. It's caused by this routine returning zero:

ROM:00019738 var_20          = -0x20
ROM:00019738
ROM:00019738                 STMFD   SP!, {R3-R9,LR}
ROM:0001973C                 MOV     R7, R0
ROM:00019740                 MOV     R0, #0
ROM:00019744                 LDR     R8, =(loc_FFFC+3)
ROM:00019748                 MOV     R6, R2
ROM:0001974C                 MOV     R4, R1
ROM:00019750                 STR     R0, [SP,#0x20+var_20]
ROM:00019754                 B       loc_1979C
ROM:00019758 ; ---------------------------------------------------------------------------
ROM:00019758
ROM:00019758 loc_19758                               ; CODE XREF: sub_19738+68j
ROM:00019758                 LDRB    R0, [R6]
ROM:0001975C                 CMP     R4, #0x1000     ; 4096
ROM:00019760                 MOVLS   R5, R4
ROM:00019764                 STRB    R0, [SP,#0x20+var_20]
ROM:00019768                 LDRB    R0, [R6,#1]
ROM:0001976C                 MOVHI   R5, #0x1000     ; 4096
ROM:00019770                 AND     R1, R8, R5,LSL#3
ROM:00019774                 STRB    R0, [SP,#0x20+var_20+1]
ROM:00019778                 MOV     R0, R7
ROM:0001977C                 BL      sub_184AC
ROM:00019780                 LDRH    R1, [SP,#0x20+var_20]
ROM:00019784                 SUB     R4, R4, R5
ROM:00019788                 ADD     R7, R7, R5
ROM:0001978C                 CMP     R1, R0
ROM:00019790                 MOVNE   R0, #0          ; If compare fails, set return status to zero (failure)
ROM:00019794                 ADD     R6, R6, #2
ROM:00019798                 BNE     locret_197A8    ; and abort
ROM:0001979C
ROM:0001979C loc_1979C                               ; CODE XREF: sub_19738+1Cj
ROM:0001979C                 CMP     R4, #0          ; else go and have another loop if we have more bytes to check
ROM:000197A0                 BNE     loc_19758
ROM:000197A4                 MOV     R0, #1          ; success return code!
ROM:000197A8
ROM:000197A8 locret_197A8                            ; CODE XREF: sub_19738+60j
ROM:000197A8                 LDMFD   SP!, {R3-R9,PC}
ROM:000197A8 ; End of function sub_19738

Does that look familiar to you? I thought it might :D The "184AC" routine is like the following:
ROM:000184AC sub_184AC                               ; CODE XREF: sub_19738+44p
ROM:000184AC                                         ; sub_2C2F4+98p ...
ROM:000184AC                 LDR     R2, =(loc_FFFC+3)
ROM:000184B0                 LDR     R12, =0x9495E4
ROM:000184B4
ROM:000184B4 loc_184B4                               ; CODE XREF: sub_184AC+34j
ROM:000184B4                 CMP     R1, #8
ROM:000184B8                 BCC     loc_184E4
ROM:000184BC                 LDRB    R3, [R0],#1
ROM:000184C0                 SUB     R1, R1, #8
ROM:000184C4                 MOV     R1, R1,LSL#16
ROM:000184C8                 EOR     R3, R3, R2
ROM:000184CC                 AND     R3, R3, #0xFF
ROM:000184D0                 ADD     R3, R12, R3,LSL#1
ROM:000184D4                 LDRH    R3, [R3]
ROM:000184D8                 MOV     R1, R1,LSR#16
ROM:000184DC                 EOR     R2, R3, R2,LSR#8
ROM:000184E0                 B       loc_184B4
ROM:000184E4 ; ---------------------------------------------------------------------------
ROM:000184E4
ROM:000184E4 loc_184E4                               ; CODE XREF: sub_184AC+Cj
ROM:000184E4                 CMP     R1, #0
ROM:000184E8                 BEQ     loc_18524
ROM:000184EC                 LDRB    R0, [R0]
ROM:000184F0                 MOV     R0, R0,LSL#8
ROM:000184F4                 B       loc_18510
ROM:000184F8 ; ---------------------------------------------------------------------------
ROM:000184F8
ROM:000184F8 loc_184F8                               ; CODE XREF: sub_184AC+74j
ROM:000184F8                 EOR     R3, R2, R0
ROM:000184FC                 TST     R3, #1
ROM:00018500                 MOV     R2, R2,LSR#1
ROM:00018504                 EORNE   R2, R2, #0x8400
ROM:00018508                 EORNE   R2, R2, #8
ROM:0001850C                 MOV     R0, R0,LSR#1
ROM:00018510
ROM:00018510 loc_18510                               ; CODE XREF: sub_184AC+48j
ROM:00018510                 MOVS    R3, R1
ROM:00018514                 SUB     R1, R1, #1
ROM:00018518                 MOV     R1, R1,LSL#16
ROM:0001851C                 MOV     R1, R1,LSR#16
ROM:00018520                 BNE     loc_184F8
ROM:00018524
ROM:00018524 loc_18524                               ; CODE XREF: sub_184AC+3Cj
ROM:00018524                 MVN     R0, R2
ROM:00018528                 MOV     R0, R0,LSL#16
ROM:0001852C                 MOV     R0, R0,LSR#16
ROM:00018530                 BX      LR
ROM:00018530 ; End of function sub_184AC

I don't know about you, but that smells of a crc check to me.
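An added illustration, not code from the thread or from any Huawei tool: a C model of what the two routines above appear to compute. Reading the EORNE constants (0x8400 | 8) as the reflected polynomial 0x8408 with init 0xFFFF and a final complement makes sub_184AC the standard CRC-16/X-25, and sub_19738 then checks one little-endian 16-bit CRC per 4096-byte block; that identification, the 5000-byte sample payload and the seed are my assumptions. The caller always passes whole bytes (block length << 3), so the bit-serial tail of sub_184AC is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#define BLOCK_SIZE 4096u   /* CMP R4,#0x1000 in sub_19738 */

/* Table for reflected polynomial 0x8408, the constant the bit-serial branch
   of sub_184AC XORs in (EORNE #0x8400, EORNE #8). Built lazily. */
static uint16_t crc_table[256];
static void build_table(void) {
    for (unsigned i = 0; i < 256; i++) {
        uint16_t c = (uint16_t)i;
        for (int b = 0; b < 8; b++)
            c = (c & 1) ? (uint16_t)((c >> 1) ^ 0x8408) : (uint16_t)(c >> 1);
        crc_table[i] = c;
    }
}
/* Table-driven path of sub_184AC: init 0xFFFF, index (byte ^ crc) & 0xFF,
   crc = table[idx] ^ (crc >> 8), final MVN masked to 16 bits: CRC-16/X-25. */
uint16_t crc16_x25(const uint8_t *data, size_t len) {
    if (!crc_table[1]) build_table();
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++)
        crc = (uint16_t)(crc_table[(data[i] ^ crc) & 0xFF] ^ (crc >> 8));
    return (uint16_t)~crc;
}
/* sub_19738: one little-endian 16-bit CRC per 4096-byte block (last block
   may be shorter); returns 1 on success, 0 at the first mismatch. */
int verify_blocks(const uint8_t *data, size_t len, const uint8_t *crcs) {
    while (len > 0) {
        size_t chunk = len > BLOCK_SIZE ? BLOCK_SIZE : len;
        uint16_t expected = (uint16_t)(crcs[0] | (crcs[1] << 8));
        if (crc16_x25(data, chunk) != expected) return 0;
        data += chunk; crcs += 2; len -= chunk;
    }
    return 1;
}
/* Constructed round trip: 5000 pseudo-random bytes (two blocks), their CRC
   array, optional one-bit flip at corrupt_at (>= 5000 means none). */
int demo_roundtrip(size_t corrupt_at) {
    static uint8_t buf[5000], crcs[4];
    uint32_t x = 0x12345678u;                           /* constructed seed */
    for (size_t i = 0; i < sizeof buf; i++)
        buf[i] = (uint8_t)((x = x * 1103515245u + 12345u) >> 16);
    for (size_t off = 0, k = 0; off < sizeof buf; off += BLOCK_SIZE, k += 2) {
        size_t rest = sizeof buf - off;
        uint16_t c = crc16_x25(buf + off, rest > BLOCK_SIZE ? BLOCK_SIZE : rest);
        crcs[k] = (uint8_t)c; crcs[k + 1] = (uint8_t)(c >> 8); /* LE halfword */
    }
    if (corrupt_at < sizeof buf) buf[corrupt_at] ^= 0x01;
    return verify_blocks(buf, sizeof buf, crcs);
}
```

A quick way to confirm the identification against a real image is to run crc16_x25 over the first 4096 bytes of an extracted file and compare it with the first halfword of the CRC table that follows the record header.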


Guest goodoane

Is this project still alive...

I own a tablet Huawei s7 that use the same updata.app for upgrade.

It will be great to have some tools for future development.

Thank you.

Keep it up.


Guest Brandaman717

I installed this UPDATA.APP (http://www.huaweidevice.com/tcpsdownload/downLoadCenter?category=&flay=software&fileName=100919112518.zip&attachmentName=V845%20V100R001NZLC02B233SP01(New%20Zealand%20Vodafone).zip) to my T-Mobile Comet, just playing around, and it will not let me install the original UPDATE.APP that you can download from "http://www.huaweidevice.com/worldwide/downloadCenter.do?method=downloadFile&flay=software&fileName=37047&attachmentName=U8150V100R001C85B823SP01.zip". Does anybody know how I can get this phone back the way it was, or am I just stuck in this small hole? All it does now when I boot it up is show a small hourglass as it is booting up; it still works, it's just that I wish to see the T-Mobile screen again if I could.

Thanks for any replies on this issue!!!!


  • 2 months later...
Guest ZeBadger

I've completely forgotten where we are with this.

The only thing I think we needed to do to progress out of the stuck part was work out the md5 certificate creation. Which means we need their private key... or an inordinate amount of time to crack it.

I'll re-read the whole thread :/

but there is no crcgen

I have worked the crcgen part out myself.

With

8. Repeat the same operation as steps 4 to 7, making system, userdata and recovery together, finally creating dload\UPDATA.APP.

..\tools\bin2app -F -iAPP temp19.bin recovery_v.bin dload/updata.app descHUAWEI_U8220_BEIJING

and

So, all we need now is bin2app :D

We appear to now have it; there are no references to including private keys in the above command. Are we there, I wonder?

Edited by ZeBadger

Guest TJ Style
I've completely forgotten where we are with this.

The only thing I think we needed to do to progress out of the stuck part was work out the md5 certificate creation. Which means we need their private key... or an inordinate amount of time to crack it.

I'll re-read the whole thread :/

I have worked the crcgen part out myself.

With

and

We appear to now have it; there are no references to including private keys in the above command. Are we there, I wonder?

I tracked the download page of Huawei (brute force), but still can't find the sd_packer (bin2app & crcgen) utility.

And I tested your split_updata; it is not working on Huawei U8800 firmware.

Edited by TJ Style

Guest McSpoon
I tracked the download page of Huawei (brute force), but still can't find the sd_packer (bin2app & crcgen) utility.

And I tested your split_updata; it is not working on Huawei U8800 firmware.

Yes it looks like they've changed the format for the U8800 slightly. There seems to be some extra data before each file (I briefly looked into it but gave up). I just hope they haven't been modifying bin2app.exe for different devices.
