Personal View site logo

User Tools

Site Tools


sony-hack:fwupdateprocess

This is an early work in progress, as far as i can tell this is correct however needs a lot more information and testing before it can be considered safe

After spending a fair amount of time reversing the update utility i have found the following information about the firmware update process.

The firmware update process uses DirectIOControl with SCSI_PASS_THROUGH_DIRECT in order to send scsi commands directly to a seemingly hidden scsi targetID, therefore as far as i can tell this is unable to be done on linux as you are unable to specify a different targetID in any of the SCSI API's for linux.

The FU uses a storage property to find out the size of the window available for sending data and then proceeds to send a 12-byte SCSI CMB this contains the opcode 0x7A and as far as i can tell only contains all 0's apart from the opcode.

The 0x7A opcode is technically in a reserved range so is potentially being abused in this situation as technically they should be using the Vendor codes.

Along with this it sends a command which is what is shown in the log files that are produced by the FU. These are always a minimum of 32 bytes which appears to be some sort of header,

the command header appears to be: (all little-endian)

  • 0x00(4) Length of additional data (not including the 32-byte header)
  • 0x04(2) something to do with mpunct:do_frac_digits (this always appears to be 0x1)
  • 0x06(2) Command (detailed below)
  • 0x08(1) Direction (1 == device→host ; 0 == host→device)
  • 0x09(1) Unknown (always 0?)
  • 0x0A(2) Sequence (this starts at 0 and increases for each packet that is sent resetting at 0x10000) the rest of the bytes always appear to be 0x00 so i am unsure what they are required to do

The following commands are handled in libupdaterufp.so

The Commands are:

  • 0x0001 Init
  • 0x0010 Check Guard
  • 0x0020 Query Version
  • 0x0030 Switch Mode
  • 0x0040 Write Firmware
  • 0x0100 Complete
  • 0x0200 Get State
sony-hack/fwupdateprocess.txt · Last modified: 2015/08/10 18:40 by vitaliy_kiselev