Plextor PX-B920SA Firmware from DriveUpdater container

pm12 · **Joined:** Sun Jul 06, 2008 11:59 pm **Posts:** 8

I would like to take a look at the firmware of this drive. Currently i have "only" the DriveUpdater Container - an executable file which contains the firmware and i would need to extract it from that container. Some of you have already done this but i can't find any tutorial.

Driveupdater: http://www.plextor.be/download/ftp1/B920SA101.exe

MediaCodeSpeedEdit won't let me save/export the firmware: "The input file is just supported in read only mode, changes can not be saved". But I don't want to edit anything. I guess i have to try the debug/memdump approach. :roll:

pm12 · **Joined:** Sun Jul 06, 2008 11:59 pm **Posts:** 8

The debug/memdump approach worked. Quick howto:

1. get MediaCodeSpeedEdit (i used version 1.1.0.16)
2. unpack the binary of MediaCodeSpeedEdit with RL!deUPX 1.X-2.X
3. get SegDump plugin from Dennis Elser
4. recompile the plugin with the sdk for your ida version and put it in the plugin/ folder of your ida installation
5. load MediaCodeSpeedEdit in ida (i used v5.2)
6. look for:

Code:

seg023:0041E990 loc_41E990:                             ; CODE XREF: sub_41E880+123j
seg023:0041E990 mov     bl, [esi]
seg023:0041E992 imul    eax, 6C078965h
seg023:0041E998 mov     edx, eax
seg023:0041E99A shr     edx, 18h
seg023:0041E99D xor     bl, dl
seg023:0041E99F mov     [esi], bl
seg023:0041E9A1 inc     esi
seg023:0041E9A2 dec     ecx
seg023:0041E9A3 jnz     short loc_41E990

^ after that section is executed (the loop runs over 2million cycles) the image is decrypted in ram. it is basically doing this:

Code:

a = 1;

for (i=0; i<len; i++)
{
  b = data[i];
  a = a * 0x6C078965;
  b = b % (a >> 24);
  data[i] = b;
}

7. follow the ESI address "pointer" to find the section where the image is written to and identify the section (should be fairly large ~ 2MB)
8. use the segdump plugin to dump that section and cut it

ala42 · **Posted:** Mon Jul 07, 2008 5:20 pm

What you have now is still a bit packed and not the plain flashrom image.

pm12 · **Joined:** Sun Jul 06, 2008 11:59 pm **Posts:** 8

ala42 wrote:

What you have now is still a bit packed and not the plain flashrom image.

You mean a few bytes at the tail of the file? Does the firmware include some hits about the instruction set being used?

ala42 · **Posted:** Mon Jul 07, 2008 6:02 pm

No, larger areas of 00 bytes are excluded from the data. I'll send you some stuff when I am home. The cpu is a H8-300S or so, have to lookup the exact name.

pm12 · **Joined:** Sun Jul 06, 2008 11:59 pm **Posts:** 8

I've had a short look at the pcb:

Renesas A
R8J32702SFPV

MX - T074020
29LV160CBTC-70G
2W468600

7J4T00M
R2A35007FT
Japan

...

I can't find any documentation about the R8J32 :roll:

ala42 · **Posted:** Mon Jul 07, 2008 11:53 pm

pm12 wrote:

I can't find any documentation about the R8J32 :roll:

... which is no real surprise. The cpu type posted before is ok, IDA likes it as h8s300a.

pm12 · **Joined:** Sun Jul 06, 2008 11:59 pm **Posts:** 8

Great i can confirm that the code seems to make sense with the h8s300a setting. Thank you!

You don't happen to know the entry point too? How can i get the full firmware image like it is stored in the eeprom (with those empty spaces)? You suggtested "TraceSPTI" which i haven't used before and it looks to me like it does output the data in the "%08X: %02X [...] %02X %c [...] %c" format and does not produce a plain binary. So i would need to convert the logfile manually afterwards. Is that right?

ala42 · **Posted:** Tue Jul 08, 2008 12:26 am

Just read your PM.

The Firmware Page

Plextor PX-B920SA Firmware from DriveUpdater container

Who is online