TL866 II PLUS/Bootloader
TL866 II PLUS/BootloaderThe TL866 II PLUS has a bootloader installed at the start of the internal flash which is used to update the firmware. The hardware reset vector (the instruction at 0000h) points to the bootloader. On each boot the bootloader inspects various state (TBD) and determines whether it should execute itself to allow firmware updates or jump into the main firmware.
The process of reverse engineering the bootloader is still ongoing.
USB ProtocolThe bootloader and the stock firmware communicate with the host via a simple custom USB protocol. It uses three bidirectional bulk endpoints on Interface 0. Endpoint 1 Out is used to send commands and Endpoint 1 In is used to read status responses. For commands that transfer large amounts of data the payload is split evenly between Endpoint 2 and Endpoint 3, presumably to increase transfer speed.
When sending a command, the first 8 bytes are always the command header and are written to Endpoint 1. The behavior for the payload — the data, if any, to be sent after the command header — depends on its size. If the payload plus the 8-byte header fit in a single 64-byte packet, the payload is sent in the same packet as the header on Endpoint 1. If the payload is exactly 64 bytes, it's sent in a single packet on Endpoint 2. Otherwise, the payload is split between Endpoint 2 and Endpoint 3. If the total size of the payload is less than 128 bytes, each endpoint gets exactly half, with Endpoint 2 first. Otherwise, the data is split into 64-byte blocks. The first half of the blocks are sent to Endpoint 2 and the other half to Endpoint 3. If there are an odd number of whole blocks Endpoint 3 gets the extra one. If the final block is partial, it is always sent to Endpoint 3.
ResetThe reset command asks the device to reboot. When used from the stock firmware the device resets into the bootloader, and when used from the bootloader the device resets to the stock firmware.
OffsetFieldSizeValueDescription
0command13Fthe command identifier
1reserved70reserved, set to zero
When resetting from the stock firmware, another command is transmitted first. This may be some kind of key required to permit reset. If this command isn't sent first, the reset command appears to succeed but the device reboots to the stock firmware, not the bootloader.
OffsetFieldSizeValueDescription
0command13Dthe command identifier
1reserved30reserved, set to zero
4key?486 B9 78 A5unknown, maybe just a fixed key? Set statically in the official client.
ReportThe report command requests that the firmware identify itself.
OffsetFieldSizeValueDescription
0bCommand100the command identifier
1reserved70reserved, set to zero
The device will respond with a 41-byte structure:
OffsetFieldSizeValueDescription
0bCommand100the command, echoed
1bStatus101no longer used?
2unknown2
4bFwVersionMinor1
firmware version minor part: 00.0.xx
5bFwVersionMajor1
firmware version major part: 00.x.00
6bModel105device model: 05 is the TL866II-Plus, 06 is the XGecu T500
7unknown1
8sDeviceCode8
ISO 8859-1 string (no zero terminator)
16sSerialNumber20
ISO 8859-1 string (no zero terminator)
36unknown4
40bDeviceVersion1
firmware version device part: xx.0.00
In versions of the TL866 A/CS firmware 03.2.82 and earlier, the bStatus field was used to indicate whether the device was currently running the stock firmware (value 01) or the bootloader (value 02). A/CS firmware 03.2.85 and the TL866II-Plus appear to always return 01. The only difference in the report output between the stock firmware and the bootloader on the TL866II-Plus is the version number, for which the bootloader always returns 1.0.
EraseThe erase command erases the firmware area of the internal flash (i.e. everything but the bootloader).
OffsetFieldSizeValueDescription
0bCommand13Cthe command identifier
1reserved70reserved, set to zero
The device responds with an 8-byte acknowledgement.
OffsetFieldSizeValueDescription
0bCommand13Cthe command, echoed
1unknown7
Write BlockThe write block command receives an encrypted data block, decrypts it, and writes the cleartext to the flash. As with all commands, it has an 8-byte header. The encrypted data is sent after the command header.
OffsetFieldSizeValueDescription
0bCommand13Bthe command identifier
1bKeyOffset1
An offset into the XOR table used for decryption by the bootloader.
2wBlockSize2
The size in bytes of the encrypted data to be sent.
4dAddress4
The program memory address of the start of the block.
The device does not send a response to the write block command. Instead, another command is sent to retrieve the status.
OffsetFieldSizeValueDescription
0bCommand139the command identifier
1reserved70reserved, set to zero
The device responds with a 32-byte packet. The unknown parts of the structure have only ever been observed to be all zeroes.
OffsetFieldSizeValueDescription
0unknown1
1bStatus1
00 on success; any other value indicates error
2unknown30
Mark,最近在研究tl886? 看不懂。顶起来 厉害,这都有人破了。 这是破解了,还是内部资料留出来了? 俺先补习英文,再来学习。 看不懂,谁来翻译一下, 看不懂。。。。。。。 Mark,最近在研究tl886?
看不懂,谁来翻译一下,
页:
[1]
2