Views: 472 | Replies: 5

TL866 II PLUS/Bootloader

Posted on 2020-5-25 12:14:10
The TL866 II PLUS has a bootloader installed at the start of the internal flash which is used to update the firmware. The hardware reset vector (the instruction at 0000h) points to the bootloader. On each boot the bootloader inspects various state (TBD) and determines whether it should execute itself to allow firmware updates or jump into the main firmware.
The process of reverse engineering the bootloader is still ongoing.


USB Protocol

The bootloader and the stock firmware communicate with the host via a simple custom USB protocol. It uses three bidirectional bulk endpoints on Interface 0. Endpoint 1 Out is used to send commands and Endpoint 1 In is used to read status responses. For commands that transfer large amounts of data the payload is split evenly between Endpoint 2 and Endpoint 3, presumably to increase transfer speed.
When sending a command, the first 8 bytes are always the command header and are written to Endpoint 1. The behavior for the payload — the data, if any, to be sent after the command header — depends on its size. If the payload plus the 8-byte header fit in a single 64-byte packet, the payload is sent in the same packet as the header on Endpoint 1. If the payload is exactly 64 bytes, it's sent in a single packet on Endpoint 2. Otherwise, the payload is split between Endpoint 2 and Endpoint 3. If the total size of the payload is less than 128 bytes, each endpoint gets exactly half, with Endpoint 2 first. Otherwise, the data is split into 64-byte blocks. The first half of the blocks are sent to Endpoint 2 and the other half to Endpoint 3. If there are an odd number of whole blocks Endpoint 3 gets the extra one. If the final block is partial, it is always sent to Endpoint 3.
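The splitting rules above are easy to get wrong at the boundaries (56, 64, 128 bytes, odd block counts, a trailing partial block). The following Python is an added example, not code from the original page or from any TL866 client, that applies those rules and reports how many USB packets each endpoint ends up carrying. Endpoint numbers `EP1`..`EP3` and the helper names are the example's own; the page specifies an even split for payloads under 128 bytes but says nothing about odd lengths, so giving the spare byte to Endpoint 3 in that case is an assumption.

```python
from typing import Dict, List, Tuple

PACKET_SIZE = 64    # bulk endpoint max packet size
HEADER_SIZE = 8     # every command starts with an 8-byte header

# Bulk OUT endpoints on Interface 0, as described on the page.
EP1, EP2, EP3 = 1, 2, 3

Write = Tuple[int, bytes]   # (endpoint number, bytes handed to that endpoint)


def split_command(header: bytes, payload: bytes = b"") -> List[Write]:
    """Return the ordered list of bulk writes for one command.

    Rules from the USB Protocol section:
      * the header always goes to Endpoint 1;
      * a payload that fits in the header's 64-byte packet rides along on Endpoint 1;
      * a payload of exactly 64 bytes goes to Endpoint 2 alone;
      * under 128 bytes: half to Endpoint 2 (first), half to Endpoint 3;
      * otherwise split into 64-byte blocks: first half of the whole blocks to
        Endpoint 2, the rest (odd extra block and any partial block) to Endpoint 3.
    """
    if len(header) != HEADER_SIZE:
        raise ValueError("command header must be exactly 8 bytes")
    n = len(payload)

    if HEADER_SIZE + n <= PACKET_SIZE:
        return [(EP1, header + payload)]

    writes: List[Write] = [(EP1, header)]
    if n == PACKET_SIZE:
        writes.append((EP2, payload))
    elif n < 2 * PACKET_SIZE:
        # The page specifies an even split; where the spare byte of an odd length
        # goes is undocumented, so this example (assumption) gives it to Endpoint 3.
        half = n // 2
        writes.append((EP2, payload[:half]))
        writes.append((EP3, payload[half:]))
    else:
        whole_blocks = n // PACKET_SIZE
        ep2_bytes = (whole_blocks // 2) * PACKET_SIZE   # odd extra block lands on Endpoint 3
        writes.append((EP2, payload[:ep2_bytes]))
        writes.append((EP3, payload[ep2_bytes:]))       # includes any partial final block
    return writes


def packet_lengths(writes: List[Write]) -> Dict[int, List[int]]:
    """Map each endpoint to the sizes of the 64-byte USB packets its write produces."""
    out: Dict[int, List[int]] = {}
    for ep, data in writes:
        out[ep] = [min(PACKET_SIZE, len(data) - i) for i in range(0, len(data), PACKET_SIZE)]
    return out


if __name__ == "__main__":
    hdr = bytes([0x3B]) + b"\x00" * 7        # write-block style header, fields zeroed (constructed)
    for size in (0, 56, 64, 100, 128, 192, 200, 256):
        print(size, packet_lengths(split_command(hdr, bytes(size))))
```

Running the block prints the per-endpoint packet layout for each boundary size; for a 200-byte payload, for example, Endpoint 2 receives one 64-byte packet and Endpoint 3 receives two whole packets plus the 8-byte partial block.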
Reset

The reset command asks the device to reboot. When used from the stock firmware the device resets into the bootloader, and when used from the bootloader the device resets to the stock firmware.

| Offset | Field | Size | Value | Description |
|---|---|---|---|---|
| 0 | command | 1 | 3F | the command identifier |
| 1 | reserved | 7 | 0 | reserved, set to zero |
When resetting from the stock firmware, another command is transmitted first. This may be some kind of key required to permit reset. If this command isn't sent first, the reset command appears to succeed but the device reboots to the stock firmware, not the bootloader.
| Offset | Field | Size | Value | Description |
|---|---|---|---|---|
| 0 | command | 1 | 3D | the command identifier |
| 1 | reserved | 3 | 0 | reserved, set to zero |
| 4 | key? | 4 | 86 B9 78 A5 | unknown, maybe just a fixed key? Set statically in the official client. |
Report

The report command requests that the firmware identify itself.

| Offset | Field | Size | Value | Description |
|---|---|---|---|---|
| 0 | bCommand | 1 | 00 | the command identifier |
| 1 | reserved | 7 | 0 | reserved, set to zero |
The device will respond with a 41-byte structure:
| Offset | Field | Size | Value | Description |
|---|---|---|---|---|
| 0 | bCommand | 1 | 00 | the command, echoed |
| 1 | bStatus | 1 | 01 | no longer used? |
| 2 | unknown | 2 | | |
| 4 | bFwVersionMinor | 1 | | firmware version minor part: 00.0.xx |
| 5 | bFwVersionMajor | 1 | | firmware version major part: 00.x.00 |
| 6 | bModel | 1 | 05 | device model: 05 is the TL866II-Plus, 06 is the XGecu T500 |
| 7 | unknown | 1 | | |
| 8 | sDeviceCode | 8 | | ISO 8859-1 string (no zero terminator) |
| 16 | sSerialNumber | 20 | | ISO 8859-1 string (no zero terminator) |
| 36 | unknown | 4 | | |
| 40 | bDeviceVersion | 1 | | firmware version device part: xx.0.00 |
In versions of the TL866 A/CS firmware 03.2.82 and earlier, the bStatus field was used to indicate whether the device was currently running the stock firmware (value 01) or the bootloader (value 02). A/CS firmware 03.2.85 and the TL866II-Plus appear to always return 01. The only difference in the report output between the stock firmware and the bootloader on the TL866II-Plus is the version number, for which the bootloader always returns 1.0.
Erase

The erase command erases the firmware area of the internal flash (i.e. everything but the bootloader).

| Offset | Field | Size | Value | Description |
|---|---|---|---|---|
| 0 | bCommand | 1 | 3C | the command identifier |
| 1 | reserved | 7 | 0 | reserved, set to zero |
The device responds with an 8-byte acknowledgement.
| Offset | Field | Size | Value | Description |
|---|---|---|---|---|
| 0 | bCommand | 1 | 3C | the command, echoed |
| 1 | unknown | 7 | | |

Write Block

The write block command receives an encrypted data block, decrypts it, and writes the cleartext to the flash. As with all commands, it has an 8-byte header. The encrypted data is sent after the command header.

| Offset | Field | Size | Value | Description |
|---|---|---|---|---|
| 0 | bCommand | 1 | 3B | the command identifier |
| 1 | bKeyOffset | 1 | | An offset into the XOR table used for decryption by the bootloader. |
| 2 | wBlockSize | 2 | | The size in bytes of the encrypted data to be sent. |
| 4 | dAddress | 4 | | The program memory address of the start of the block. |
The device does not send a response to the write block command. Instead, another command is sent to retrieve the status.
| Offset | Field | Size | Value | Description |
|---|---|---|---|---|
| 0 | bCommand | 1 | 39 | the command identifier |
| 1 | reserved | 7 | 0 | reserved, set to zero |
The device responds with a 32-byte packet. The unknown parts of the structure have only ever been observed to be all zeroes.
| Offset | Field | Size | Value | Description |
|---|---|---|---|---|
| 0 | unknown | 1 | | |
| 1 | bStatus | 1 | | 00 on success; any other value indicates error |
| 2 | unknown | 30 | | |


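The command headers and response layouts in the Reset, Report, Erase and Write Block sections above can be checked against a small encoder/decoder. The Python below is an added example, not code from the original page or from any official or third-party TL866 client: it builds the 8-byte headers for each documented command, decodes the 41-byte report response and the 32-byte write-status response, and renders the version as device.major.minor in the shape of the A/CS version strings quoted on the page. The byte order of the multi-byte fields in the write block header, the decimal rendering of the version bytes, and the `SAMPLE_REPORT` bytes are this example's assumptions (the sample is constructed, not a capture).

```python
import struct
from dataclasses import dataclass

# Command identifiers taken from the tables on the page.
CMD_REPORT       = 0x00
CMD_WRITE_STATUS = 0x39
CMD_WRITE_BLOCK  = 0x3B
CMD_ERASE        = 0x3C
CMD_RESET_KEY    = 0x3D   # sent before 3F when resetting from the stock firmware
CMD_RESET        = 0x3F

# 4-byte value the official client sends in command 3D (purpose unknown, per the page).
RESET_KEY = bytes.fromhex("86B978A5")

REPORT_LEN = 41
WRITE_STATUS_LEN = 32


def simple_header(cmd: int) -> bytes:
    """Header for 00, 39, 3C and 3F: command id followed by 7 reserved zero bytes."""
    return bytes([cmd]) + b"\x00" * 7


def reset_key_header() -> bytes:
    """Command 3D: id, 3 reserved zero bytes, then the 4-byte key."""
    return bytes([CMD_RESET_KEY]) + b"\x00" * 3 + RESET_KEY


def write_block_header(key_offset: int, block_size: int, address: int) -> bytes:
    """Command 3B: id, bKeyOffset, wBlockSize, dAddress.

    The page does not state the byte order of wBlockSize and dAddress;
    little-endian is an assumption of this example.
    """
    return struct.pack("<BBHI", CMD_WRITE_BLOCK, key_offset, block_size, address)


@dataclass
class Report:
    command: int
    status: int
    fw_minor: int
    fw_major: int
    model: int
    device_code: str
    serial_number: str
    device_version: int

    @property
    def version(self) -> str:
        # "device.major.minor" (e.g. 03.2.82 on the page); treating the raw bytes
        # as plain integers rather than BCD is an assumption.
        return f"{self.device_version:02d}.{self.fw_major}.{self.fw_minor:02d}"

    @property
    def model_name(self) -> str:
        return {0x05: "TL866II-Plus", 0x06: "XGecu T500"}.get(
            self.model, f"unknown (0x{self.model:02X})")


def parse_report(resp: bytes) -> Report:
    """Decode the 41-byte response to the report command (offsets from the page's table)."""
    if len(resp) != REPORT_LEN:
        raise ValueError(f"expected {REPORT_LEN} bytes, got {len(resp)}")
    (cmd, status, _unk2, minor, major, model, _unk7,
     code, serial, _unk36, dev) = struct.unpack("<BB2sBBBB8s20s4sB", resp)
    return Report(cmd, status, minor, major, model,
                  code.decode("iso-8859-1"), serial.decode("iso-8859-1"), dev)


def write_succeeded(resp: bytes) -> bool:
    """Decode the 32-byte response to command 39: bStatus (offset 1) == 00 means success."""
    if len(resp) != WRITE_STATUS_LEN:
        raise ValueError(f"expected {WRITE_STATUS_LEN} bytes, got {len(resp)}")
    return resp[1] == 0x00


# Constructed sample report response (not captured from a real device).
SAMPLE_REPORT = (bytes([0x00, 0x01, 0x00, 0x00, 0x10, 0x01, 0x05, 0x00])
                 + b"ABCDEFGH"                 # sDeviceCode, 8 bytes
                 + b"SN-0123456789ABCDEF0"     # sSerialNumber, 20 bytes
                 + b"\x00" * 4                 # unknown
                 + bytes([0x04]))              # bDeviceVersion

if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(r.model_name, r.version, r.device_code, r.serial_number)
    print(reset_key_header().hex(), write_block_header(0x12, 64, 0x1800).hex())
```

Because `parse_report` unpacks a fixed 41-byte layout, a response of any other length is rejected rather than silently misread, which is the check you want before trusting the serial number or model byte a device returns.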
Posted on 2020-5-27 07:25:06 from mobile
Mark. Researching the tl886 lately?
Posted on 2020-5-29 19:19:22
Can't understand it. Bumping this up.
Posted on 2020-6-1 07:02:20 from mobile
Impressive, someone has even cracked this.
Posted on 2020-6-29 19:49:07
Was this cracked, or did internal documentation leak out?
Posted on 2020-6-30 06:24:53
I'll brush up on my English first, then come back to study this.