Hector Martin edited this page Jan 13, 2021 · 1 revision

This seems to be a built-in debugging USB interface.

Commands are sent via EP 0x01 and replies come back via EP 0x81; the purpose of EP 0x82 is unknown.

RE notes from trying to send it random stuff:

First 3 bytes are ignored? Fourth byte matters.
First 5 bytes are echoed at the beginning of replies
Replies seem to follow a uniform format

> 00000000 000c8000 00000000 00000000
             OOLLLL

Reads LLLL bytes (rounded to dword) starting from dword register OO.

Returns:
00000000 00000000 <u32:payload len> <data words>* <u32:data size> <u32:status=4?>

> 00000000 02000000 00000000 00000000 00000000 00

Returns:
    00000000 02000000 08458400

And then it keeps flooding [a0030000], repeated forever.

Seems to be an insane length. Bug?
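
An added example, not part of the original notes or any project code: a host-side parser for the reply layout above that rejects an implausible length field before reading further, which is the failure seen in the second exchange. Assumptions: words are little-endian, the payload length counts data bytes and is padded to whole dwords, and `MAX_PAYLOAD` is a hypothetical cap chosen for the example.

```python
import struct

HEADER_LEN = 8        # two words; the first 5 bytes echo the command
ECHO_LEN = 5
MAX_PAYLOAD = 0x1000  # hypothetical host-side cap, not a value from the notes


class ReplyError(ValueError):
    """Reply does not fit the observed format or fails a sanity check."""


def parse_reply(command, reply, max_payload=MAX_PAYLOAD):
    # Layout: <8-byte header> <u32 payload len> <data words>* <u32 data size> <u32 status>
    if len(reply) < HEADER_LEN + 4:
        raise ReplyError("truncated reply")
    if reply[:ECHO_LEN] != command[:ECHO_LEN]:
        raise ReplyError("first 5 command bytes not echoed")
    (payload_len,) = struct.unpack_from("<I", reply, HEADER_LEN)  # assumed little-endian
    if payload_len > max_payload:
        # Checked before reading on, so a bogus length cannot drive an endless read.
        raise ReplyError(f"implausible payload length {payload_len:#x}")
    padded = (payload_len + 3) & ~3  # assumed: data padded to whole dwords
    data_off = HEADER_LEN + 4
    if len(reply) != data_off + padded + 8:
        raise ReplyError("reply size disagrees with its length field")
    words = list(struct.unpack_from(f"<{padded // 4}I", reply, data_off))
    data_size, status = struct.unpack_from("<II", reply, data_off + padded)
    return {"payload_len": payload_len, "words": words,
            "data_size": data_size, "status": status}


# The read command from the notes, with a constructed well-formed reply
# (data words, data size and status are made-up sample values).
READ_CMD = bytes.fromhex("00000000000c8000") + bytes(8)
GOOD_REPLY = bytes(8) + struct.pack("<I3I2I", 12, 0x11, 0x22, 0x33, 12, 4)

# The second exchange from the notes: the 12 reply bytes shown above, followed
# by the repeating word (truncated to 64 repeats here).
FLOOD_CMD = bytes.fromhex("0000000002000000") + bytes(13)
FLOOD_REPLY = bytes.fromhex("000000000200000008458400") + bytes.fromhex("a0030000") * 64

if __name__ == "__main__":
    print(parse_reply(READ_CMD, GOOD_REPLY))
    try:
        parse_reply(FLOOD_CMD, FLOOD_REPLY)
    except ReplyError as exc:
        print("rejected:", exc)
```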

Register dump:
