Found some old linkit sdk with the FOTA_MAGIC_HEADER on github.com.
File header
Size | Type | Info |
---|---|---|
4 bytes | uint32 | FOTA_MAGIC_HEADER |
4 bytes | uint32 | number of binaries |
128 bytes | Binary info |
Binary info
Size | Type | Info |
---|---|---|
4 bytes | uint32 | binary offset |
4 bytes | uint32 | binary start address |
4 bytes | uint32 | binary length |
4 bytes | uint32 | partition length |
4 bytes | uint32 | signature offset |
4 bytes | uint32 | signature length |
4 bytes | uint32 | is lzma compressed |
4 bytes | uint32 | reserved |
$ xxd -l 20 RNNR_HW01_0.0.18/update/mtk/fw.rom
00000000: 4d4d 4d00 0100 0000 9c00 0000 0000 0108 MMM.............
00000010: 1ac8 0700
$ xxd -l 20 RNNR_HW06_1.57.8/update/mtk/fw.rom
00000000: 4d4d 4d00 0100 0000 9c00 0000 0000 0108 MMM.............
00000010: 252f 1400
Name | 0.0.18 | 1.57.8 | Note |
---|---|---|---|
binary offset | 0x0000_009c = 156 | 0x0000_009c = 156 | |
binary start address | 0x0801_0000 | 0x0801_0000 | use this address in ghidra |
binary length | 0x0007_c81a = 509978 | 0x0014_2f25 = 1322789 | |
$ dd if=RNNR_HW01_0.0.18/update/mtk/fw.rom of=fw-0.0.18.bin.lzma bs=1 skip=156 count=509978
$ unlzma fw-0.0.18.bin.lzma
$ dd if=RNNR_HW06_1.57.8/update/mtk/fw.rom of=fw-1.57.8.bin.lzma bs=1 skip=156 count=1322789
$ unlzma fw-1.57.8.bin.lzma
$ strings fw-1.57.8.bin | grep Happy
Load the binary with Ghidra.
- set the Language to
ARM:LE:32:Cortex:default
- click on the dots and search for cortex. Pick the one with little endian.
- click on options and set the Base Address to the
binary start address
0x08010000
.