Port to TYT UV380/UV390

VK3KYY
Posts: 3027
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia

Re: Port to TYT UV380/UV390

Post by VK3KYY » Sun Apr 19, 2020 5:08 am

IU2KIN wrote:
Sat Mar 28, 2020 8:52 am
Hi ZL1GW,
I'm catching up with this post, we managed to craft a firmware which can be flashed
and loaded from the TYT recovery.
For the flashing part we were lucky and my radio is compatible with the "wrapping"
scripts from md380tools; however, booting the thing was non-trivial.
In the end we cracked it, as IU2KWO discovered the TYT recovery is basically the
STM32 USB DFU example, with a few modifications. Before jumping in the firmware,
it checks if two buttons are pressed and performs a bit mask check on the stack
address.
Hope you can crack your shitty encryption soon, we'll start working on the display
and keyboards and seems that we can share the effort there! ;)
Niccolo

Is the firmware encryption the same on the UV-380 / RT3S as the MD-380?
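The "bit mask check on the stack address" IU2KIN mentions is the sanity test an STM32 DFU-style bootloader runs on an image before jumping to it: the first word of the vector table must point into SRAM, otherwise the part stays in recovery. The following is an added example, not code from the TYT recovery or from md380tools; the SRAM mask and the application flash range are those of the generic STM32F4 DFU sample and are assumed here.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed memory map (generic STM32F4-class part, as in the ST DFU sample):
 * SRAM at 0x20000000 tested with mask 0x2FFE0000 (accepts 0x20000000..0x2001FFFF),
 * application image starting at APP_BASE. These are assumptions, not TYT values. */
#define SRAM_MASK   0x2FFE0000u
#define SRAM_MATCH  0x20000000u
#define APP_BASE    0x0800C000u   /* assumed application start */
#define FLASH_END   0x08100000u   /* assumed 1 MiB of flash */

/* A Cortex-M vector table starts with the initial stack pointer and reset handler. */
struct vector_table_head {
    uint32_t initial_sp;
    uint32_t reset_handler;
};

/* The bit-mask check: the initial SP must lie in SRAM. Erased flash (0xFFFFFFFF),
 * random data, or an image unwrapped with the wrong key all fail here, so the
 * bootloader stays in DFU mode instead of jumping into garbage. */
bool stack_pointer_in_sram(uint32_t initial_sp)
{
    return (initial_sp & SRAM_MASK) == SRAM_MATCH;
}

/* Extra sanity check: the reset vector must be a Thumb address (bit 0 set)
 * inside the application flash region. */
bool reset_vector_plausible(uint32_t reset_handler)
{
    return (reset_handler & 1u) == 1u &&
           reset_handler >= APP_BASE && reset_handler < FLASH_END;
}

/* Decide whether to leave recovery and start the application. `buttons_held`
 * models the "two buttons pressed" override that forces recovery mode. */
bool should_jump_to_app(const struct vector_table_head *vt, bool buttons_held)
{
    if (buttons_held)
        return false;
    return stack_pointer_in_sram(vt->initial_sp) &&
           reset_vector_plausible(vt->reset_handler);
}
```

Note that an initial SP of exactly 0x20020000 (top of 128 KiB SRAM) fails this particular mask, a well-known gotcha when linking an application for a bootloader that uses it.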

IU2KIN
Posts: 20
Joined: Mon Mar 23, 2020 11:10 am

Re: Port to TYT UV380/UV390

Post by IU2KIN » Wed Apr 22, 2020 9:39 am

ZL1GW wrote:
Fri Mar 27, 2020 11:14 pm
Ok, so I've tried to use the code from Travis for the MD380 tools to work with the firmware images.

My first assumption was wrong (overlooked something). The MD2017 and MD380 use similar images, but not identical (and not the same key).

Looks like it's pretty easy to adapt though.

The MD2017 code seems to decode the image, unfortunately it's gibberish. Turns out the MD2017 code just doesn't validate the headers are sane, unlike the MD380 code. So it blindly decodes it.

So some reverse engineering will need to be done to figure the firmware image format/keys out.

I do suspect it's the same scheme, so very similar. So hopefully it won't be far off from the examples we have in that code.

I have yet to test a connection to the radio with those tools, will try that next.
Hi Roger,
according to ZL1GW the encryption should be similar but the keys are probably different. Right now the tools are not compatible.
Unfortunately I don't have an RT3s/MD-UV380, although I'd love to have one since we have gone pretty far in supporting the MCU,
and working on that radio would spare us the effort of reverse-engineering the baseband...for a while.
If anybody with the radio wants to join the effort, I can contribute in helping adapt the wrapping/unwrapping code, and give support
on the hardware side, but we really need another developer equipped with an RT3s.

Cheers,

Niccolò IU2KIN

VK3KYY
Posts: 3027
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia

Re: Port to TYT UV380/UV390

Post by VK3KYY » Wed Apr 22, 2020 9:48 am

IU2KIN wrote:
Wed Apr 22, 2020 9:39 am
Hi Roger,
according to ZL1GW the encryption should be similar but the keys are probably different. Right now the tools are not compatible.
Unfortunately I don't have an RT3s/MD-UV380, although I'd love to have one since we have gone pretty far in supporting the MCU,
and working on that radio would spare us the effort of reverse-engineering the baseband...for a while.
If anybody with the radio wants to join the effort, I can contribute in helping adapt the wrapping/unwrapping code, and give support
on the hardware side, but we really need another developer equipped with an RT3s.

Cheers,

Niccolò IU2KIN
OK.

I don't think I'd like to buy a UV-380 until we are certain the encryption is broken already or can be broken easily.

Because breaking the encryption took Kai a very long time.

IU2KIN
Posts: 20
Joined: Mon Mar 23, 2020 11:10 am

Re: Port to TYT UV380/UV390

Post by IU2KIN » Wed Apr 22, 2020 1:11 pm

I will look into that, it would be very easy if some owner of the radio could solder some wires on the SWD pins of the radio,
so that we can dump the unwrapped firmware from the radio and have a plaintext/ciphertext pair.
Otherwise doing it blindly and looking for strings would be a slower and more painful operation.
Once the SWD pins are in place, obtaining a full dump is quite straightforward and requires just an ST-Link v2 (or another SWD interface).

VK3KYY
Posts: 3027
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia

Re: Port to TYT UV380/UV390

Post by VK3KYY » Wed Apr 22, 2020 9:17 pm

IU2KIN wrote:
Wed Apr 22, 2020 1:11 pm
I will look into that, it would be very easy if some owner of the radio could solder some wires on the SWD pins of the radio,
so that we can dump the unwrapped firmware from the radio and have a plaintext/ciphertext pair.
Otherwise doing it blindly and looking for strings would be a slower and more painful operation.
Once the SWD pins are in place, obtaining a full dump is quite straightforward and requires just an ST-Link v2 (or another SWD interface).
The MCU is read protected, so it's not possible to dump the firmware.

Travis was able to only dump the bootloader because of a bug in the codeplug comms in the main firmware.

Perhaps someone can dump the UV-380 bootloader using the MD-380 Toolz

IU2KIN
Posts: 20
Joined: Mon Mar 23, 2020 11:10 am

Re: Port to TYT UV380/UV390

Post by IU2KIN » Sun May 03, 2020 8:32 am

VK3KYY wrote:
Wed Apr 22, 2020 9:17 pm
The MCU is read protected, so it's not possible to dump the firmware.

Travis was able to only dump the bootloader because of a bug in the codeplug comms in the main firmware.

Perhaps someone can dump the UV-380 bootloader using the MD-380 Toolz
Are you referring to this code?

I used the same code on macOS to dump the recovery initially; are there any chances that the same code works on the UV-380?

VK3KYY
Posts: 3027
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia

Re: Port to TYT UV380/UV390

Post by VK3KYY » Sun May 03, 2020 10:08 am

I hope someone can try this with the UV-380, but I don't know anyone with this radio who can also install Python etc.

IU2KIN
Posts: 20
Joined: Mon Mar 23, 2020 11:10 am

Re: Port to TYT UV380/UV390

Post by IU2KIN » Mon May 04, 2020 11:29 am

What we did with the MD380, and what KC3AWN is doing with the CS800, is to disassemble the radio and connect BOOT0 to Vcc;
the radio will then boot into the STM32 DFU mode. From that you still won't be able to read the firmware, but you'll be able to read and write the recovery.
Then the recovery can be easily patched, like Travis originally described in his article, to remove the read protection on the flash.
Then flash the patched recovery, flash the firmware again, reboot, bridge BOOT0... et voilà, the firmware will no longer be read protected.
We need someone willing to bridge the BOOT0 pad with the Vcc pad on their radio, for science.

VK3KYY
Posts: 3027
Joined: Sat Nov 16, 2019 3:25 am
Location: Melbourne, Australia

Re: Port to TYT UV380/UV390

Post by VK3KYY » Mon May 04, 2020 11:41 am

I presume you are pulling Boot0 high to prevent the CPU from starting because the normal bootloader disables SWD.

There is another method which does not require Boot0 to be pulled high.

With an STLink, it has a function called "Connect under reset".

If you select this, when the radio is turned off and then immediately turned on, the STLink will connect before the bootloader has disabled the SWD pins, and you can then erase the MCU and install the recovery bootloader.

You can do the same thing by pulling nReset low, then using Connect under reset, and then release nReset, so it floats high again.

IU2KIN
Posts: 20
Joined: Mon Mar 23, 2020 11:10 am

Re: Port to TYT UV380/UV390

Post by IU2KIN » Thu May 07, 2020 8:53 am

VK3KYY wrote:
Mon May 04, 2020 11:41 am
I presume you are pulling Boot0 high to prevent the CPU from starting because the normal bootloader disables SWD.

There is another method which does not require Boot0 to be pulled high.

With an STLink, it has a function called "Connect under reset".

If you select this, when the radio is turned off and then immediately turned on, the STLink will connect before the bootloader has disabled the SWD pins, and you can then erase the MCU and install the recovery bootloader.

You can do the same thing by pulling nReset low, then using Connect under reset, and then release nReset, so it floats high again.
Yes, that could be a way, but more simply, if you pull up BOOT0 the radio starts in STM32 DFU mode, and that enables the use of all the
STM32 standard DFU commands, which can be used to read and write the memory, provided that it's not read protected (which can be achieved).
Note that this is simpler for a beginner because you don't need to solder the SWD wires into the radio; you just use the standard USB programming cable.
