MIB2 STD ZR Firmware Upgrade

Overview

Upgrade MIB2 STD ZR Firmware (without Navigation)

About

This repository contains scripts and documentation on how to upgrade the MIB2 firmware to a different HW train (e.g. 02xx -> 03xx, 04xx). The documentation is for the Technisat MIB2 STD unit without navigation. It describes how to patch the swdownload binary so that the unit accepts updates for a higher HW train.
In addition to this repository, you need access to the MIB Solutions folder on MEGA.nz (the link can be found in various forums and changes from time to time; just google for it). There you will find the firmware updates and the tools to patch the swdownload binary. Such an update was not intended by the manufacturer.
You will lose your warranty and there is a chance of bricking your device. Everything you do is at your own risk.

Limitations of the MIB2 STD without navigation

For MIB2 without navigation it's currently not possible to patch the swdownload binary with the Update-Approval_SOP4_signed method, because of the different CPU (cpuplus instead of cpu). To patch the swdownload you have to dump the eMMC, exchange the binary and write everything back to the unit.
The eMMC of the MIB2 with navigation can be read with an adapter from the second SD card reader. For the model without navigation, the only way to read the eMMC is to connect to the through-hole plating on the PCB. This can be done by soldering very thin wires to the holes or by contacting them with probes.

Upgrade procedure

  1. Connect an SD card reader to the eMMC through-hole plating (soldering or probes). For me the connection was only stable with DATA0 connected and DATA1-3 unconnected (-> slow read & write).

    • eMMC pinout (image)
    • See this image for an SD card pinout
    • Example of probes soldered to a USB SD card reader (alternative pinout) (image)
  2. Dump the eMMC content to your Linux Host and convert it to a *.vmdk file. Execute this script to do it.

  3. Start your QNX VM (image can be found in the MEGA folder) and add the vmdk file as virtual hard disk.

  4. Copy the swdownload binary from the vmdk file to your host. In the QNX VM you will find it under the following path: /fs/hd1-qnx6/tsd/bin/swdownload/tsd.mibstd2.system.swdownload. You can use SSH to copy it from the QNX VM to your host.

  5. Patch the swdownload binary with the python scripts or SWDLPatcher.exe from the MIB Solutions folder on MEGA.

  6. Rename the patched swdownload binary to the original name, copy it to the QNX VM and overwrite the original one in the vmdk.

  7. Shut down the QNX VM.

  8. Convert the vmdk file back to a raw disk dump and write it to the eMMC. Execute this script to do it.

  9. Get the CPU ID of your MIB2 unit.

    • Power it up, press menu button for 10 sec., select FW -> version -> current version -> cpu or cpuplus.
    • The CPU ID is the number in braces.
  10. Take the firmware to which you would like to update and patch the metainfo2.txt file.

    • In this file you have to add links to your CPU ID and set RequiredVersionOfDM to RequiredVersionOfDM = "0"
    • Find a section which starts with cpu and get the CPU ID used in that firmware (e.g.: [cpu\audioservice\36\default\Application] --> CPU ID: 36)
    • Execute this python script to patch the metainfo2.txt file (e.g.: your CPU ID: 18; target firmware CPU ID: 36 --> python3 metainfo_parser.py metainfo2.txt metainfo2_patched.txt 36 18)
  11. Rename the patched metainfo2.txt file to the original name and overwrite the one in the firmware folder.

  12. Format an SD card with FAT32 and copy the firmware to it (metainfo2.txt must be at the top level of the SD card).

  13. Put the SD card in your MIB2 card reader and start the update.

You may get an SVM error after the update. Follow these instructions to remove it with VCDS or OBD11.
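The dump in step 2 and the write-back in step 8 run over a connection that may only be stable on one data line, so it is worth reading the eMMC twice and comparing the two images sector by sector before modifying anything; the same comparison between the written image and a fresh read-back checks step 8. The following is an added example, not one of this repository's scripts; the function names and the file names read1.img/read2.img are assumptions, and the sample images are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

SECTOR = 512  # logical sector size of the raw dump


def sha256_file(path, chunk=1 << 20):
    """Hash a dump in chunks so a multi-GB image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def mismatched_runs(path_a, path_b, chunk=1 << 20):
    """Return [(first_sector, sector_count), ...] for each run of differing sectors.
    chunk must be a multiple of SECTOR; sectors missing from one file count as differing."""
    runs, base = [], 0  # base = sector number at the start of the current chunk
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(chunk), fb.read(chunk)
            if not a and not b:
                return runs
            if a != b:  # only walk sector by sector inside a differing chunk
                for off in range(0, max(len(a), len(b)), SECTOR):
                    if a[off:off + SECTOR] == b[off:off + SECTOR]:
                        continue
                    sector = base + off // SECTOR
                    if runs and runs[-1][0] + runs[-1][1] == sector:
                        runs[-1] = (runs[-1][0], runs[-1][1] + 1)  # extend run
                    else:
                        runs.append((sector, 1))
            base += chunk // SECTOR


if __name__ == "__main__":
    # Constructed sample: an 8-sector image and a second "read" with sectors 2-3 corrupted.
    good = bytes(range(256)) * 16
    bad = bytearray(good)
    bad[2 * SECTOR] ^= 0xFF
    bad[3 * SECTOR + 5] ^= 0x01
    with tempfile.TemporaryDirectory() as d:
        p1, p2 = Path(d, "read1.img"), Path(d, "read2.img")
        p1.write_bytes(good)
        p2.write_bytes(bad)
        print("identical:", sha256_file(p1) == sha256_file(p2))
        print("mismatched runs:", mismatched_runs(p1, p2))
```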

Comments
  • Documentation improvement

    Just wanted to point out that apparently not all SD readers seem to support the mentioned operation with only one data line. I have tried out 4 USB ones and one notebook internal one and only one was working (old one from csl that I can't find anywhere online anymore); the other ones were giving strange output in dmesg or just did not read/write. Also it seems to be necessary to connect both vdd lines. As a last note, with my unit it was very hard (almost impossible) to solder to the vias (oxidation, huge copper planes pulling away the heat). Maybe you wanna add this information to the readme.

    opened by OlisCode 3
Owner
Fabian