Where does a custom firmware project begin?

AI7FL
Posts: 8
Joined: Sun Mar 28, 2021 4:46 am

Where does a custom firmware project begin?

Post by AI7FL » Mon Mar 29, 2021 1:43 am

Hello! I'm interested in learning how to make alterations to device firmware.

First a little background, while I don't do coding myself, my dad was a firmware engineer before he retired and my brother dove way into it in high school and college. So I have an idea what I'm getting into. It's just been about 10 years since so I know in theory how it works, but my knowledge is dated.

Where would a person like me start if they just want to make some firmware alterations (UI tweaks for instance) to a radio like an Anytone 878? What development tools would I need?

Thanks!

ok1pt
Posts: 167
Joined: Mon Jul 20, 2020 3:38 am

Re: Where does a custom firmware project begin?

Post by ok1pt » Mon Mar 29, 2021 4:28 am

Hi AI7FL!
So... You probably know what you are asking about, according to your post, but in a very short form:
To make an "alteration" to the firmware (i.e. not to develop a brand new firmware, as the OpenGD-77 is, with the exception of the binary part with the AMBE codec),
you should decompile the original firmware first, which means you should download a copy for flashing the radio and decrypt it. It means knowing the algorithm and having the keys. For the GD-77, there was some weak point in the encryption algorithm, so it was cracked. But it's a question with other producers: if they use stronger algorithms or avoid these weak points, even this first step may be undoable.
The second step is the decompilation itself. You have to translate the machine code to the assembly source, find data blobs and avoid their decompilation, understand the program flow and finally find the part in the code which you want to change.
The third step would be to write the patch, i.e. to write an extension of the program with your new functionality, place it into a free space in the Flash ROM (first you must discover such a place) and jump into it from the proper place in the original code and jump back to the original code from your patch.
To debug this, you will probably need a hardware debugger connected to debug pins of the CPU. But, say, that you are really good and even the first attempt will be successful, so you won't need the debugger.
Finally, you should pack your modified image into the format acceptable to the radio bootloader, i.e. re-encrypt it (and it may be impossible if the images are digitally signed, as you don't have the signing key), load it to the radio, and use it :-).
To write a brand new firmware (like OpenGD-77) you need a complete HW documentation - schematics, chip specs etc., then you need the SDK for the platform used in the radio, and then you can write it in some higher-level language (C, C++...)
I don't see anything from the list written above to be reasonably easy to start with such a project :-).
With regards, Pavel
P.S. I have a bit of experience in this field, as I wrote a new firmware for the old NMT phone (Nokia Talkman MD59CS), converting it to a 70cm HAM radio, but I started on an already existing open project, I just modified it and added some bells and whistles :-) . But it was 30 years ago and things were much, much simpler than today...

AI7FL
Posts: 8
Joined: Sun Mar 28, 2021 4:46 am

Re: Where does a custom firmware project begin?

Post by AI7FL » Mon Mar 29, 2021 4:56 am

Hey, thanks for the reply! Definitely sounds complex. Someone told me that the firmware on the Anytone radios is not encrypted and can be opened easily, but I haven't got as far as trying yet. You almost make it sound easier to start from scratch, but that's definitely not something I'm up for tackling myself.

ok1pt
Posts: 167
Joined: Mon Jul 20, 2020 3:38 am

Re: Where does a custom firmware project begin?

Post by ok1pt » Mon Mar 29, 2021 5:14 am

AI7FL wrote:
Mon Mar 29, 2021 4:56 am
Hey, thanks for the reply! Definitely sounds complex. Someone told me that the firmware on the Anytone radios is not encrypted and can be opened easily, but I haven't got as far as trying yet. You almost make it sound easier to start from scratch, but that's definitely not something I'm up for tackling myself.
Hi AI7FL!
OK, if Anytone doesn't encrypt their firmware, it's definitely much easier, and if you are good at reverse engineering of machine code binaries, some changes, which don't go too deeply into the radio OS, may be doable.
With regards,
Pavel OK1PT

G4EML
Posts: 919
Joined: Sat Nov 16, 2019 10:01 am

Re: Where does a custom firmware project begin?

Post by G4EML » Mon Mar 29, 2021 11:21 am

I agree with Pavel’s comments.

The biggest problem with modern firmware is that it will most likely have been originally written in a high level language like C, and probably using a specific real time operating system. None of the variable or function names or original C keywords will be recoverable so the best that you can hope for when disassembling the firmware is a mass of very difficult to understand assembly code. Whilst it might make sense at an instruction by instruction level it is extremely difficult to determine what the code is actually doing.

Whilst it is possible to work like this the amount of effort required for even a small change is massive.

Colin G4EML.

ok1pt
Posts: 167
Joined: Mon Jul 20, 2020 3:38 am

Re: Where does a custom firmware project begin?

Post by ok1pt » Mon Mar 29, 2021 12:22 pm

AI7FL wrote:
Mon Mar 29, 2021 4:56 am
Hey, thanks for the reply! Definitely sounds complex. Someone told me that the firmware on the Anytone radios is not encrypted and can be opened easily, but I haven't got as far as trying yet. You almost make it sound easier to start from scratch, but that's definitely not something I'm up for tackling myself.
Hi!
... and you are right! The .CDD file which contains the firmware itself is neither compressed nor encrypted. It's full of printable strings, so probably the code sections can be disassembled as well. So, it really simplifies the process. Nice to know.
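Pavel's observation that the .CDD image is neither compressed nor encrypted, and his earlier point that a patch needs a free region of Flash to live in, can both be checked mechanically before anyone opens a disassembler. The script below is an added example of mine, not code from this thread or from any radio project: it scores an image by byte entropy and printable-string density (high entropy everywhere with few strings is the signature of an encrypted or compressed image) and reports the longest run of erased-flash bytes. Both images it runs on are constructed inside the script and stand in for real firmware.

```python
import hashlib
import math
import re
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for constant data, ~8 for random, compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def largest_erased_run(data: bytes, fill: int = 0xFF) -> tuple:
    """(offset, length) of the longest run of erased-flash bytes: the kind of free space a patch needs."""
    runs = [(m.start(), m.end() - m.start()) for m in re.finditer(re.escape(bytes([fill])) + b"+", data)]
    return max(runs, key=lambda r: r[1], default=(0, 0))

def classify_image(data: bytes, block: int = 4096) -> dict:
    """Per-block entropy, string density and a coarse verdict for a firmware image."""
    ents = [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]
    mean = sum(ents) / len(ents)
    verdict = "encrypted or compressed" if mean > 7.5 else "plain" if mean < 6.5 else "mixed"
    return {"mean_entropy": mean, "min_entropy": min(ents), "max_entropy": max(ents),
            "strings_per_kib": 1024 * len(printable_strings(data)) / len(data), "verdict": verdict}

def constructed_plain_image() -> bytes:
    """Constructed stand-in for an unencrypted image: repetitive Thumb-like code, menu strings, erased padding."""
    code = bytes.fromhex("70b5044600200dbd") * 512
    text = b"".join(b"Menu item %d: constructed label\x00" % i for i in range(16))
    return code + text + b"\xff" * 2048 + code

def constructed_opaque_image(n: int = 16384) -> bytes:
    """Constructed stand-in for an encrypted image: a SHA-256 chain, deterministic but uniformly distributed."""
    out, h = bytearray(), b"constructed seed"
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])

if __name__ == "__main__":
    for name, img in (("plain", constructed_plain_image()), ("opaque", constructed_opaque_image())):
        print(name, classify_image(img), largest_erased_run(img))
```

On a real image, a block-by-block entropy profile that is flat near 8.0 except for a small low-entropy header is the usual shape of an encrypted payload with a plaintext bootloader header, while code sections of a plain image typically sit around 5 to 7 bits per byte.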

AI7FL
Posts: 8
Joined: Sun Mar 28, 2021 4:46 am

Re: Where does a custom firmware project begin?

Post by AI7FL » Mon Mar 29, 2021 3:46 pm

So the hard part is not having the original source code because reverse compiling it won't restore the notes and structure that higher level languages use to make it understandable by humans. Makes sense.

Too bad it's unlikely the manufacturer could be sweet-talked into making the source code available for hams. It certainly wouldn't cut into their sales of hardware, in fact, I think the opposite. More GD77/1801s have been sold because of OpenGD77 than would have without it. And commercial sales would be unaffected since only the original manufacturer firmware would be part 90 certified.

G4EML
Posts: 919
Joined: Sat Nov 16, 2019 10:01 am

Re: Where does a custom firmware project begin?

Post by G4EML » Mon Mar 29, 2021 4:43 pm

From what we have learnt about the Chinese radios we suspect that the radio manufacturers do not actually write the firmware themselves but buy it in from a separate company, possibly the company that makes the DMR Chip. So the manufacturers probably do not have the rights to the source code.

Even if they did it is unlikely that they would be willing to release it. An open source DMR radio for amateur use would be great but the market is probably too small to make it commercially viable.

AI7FL
Posts: 8
Joined: Sun Mar 28, 2021 4:46 am

Re: Where does a custom firmware project begin?

Post by AI7FL » Mon Mar 29, 2021 5:46 pm

So the bottom line is that a ground up firmware build is the way to go. Massive undertaking initially, but once the foundation is complete building more features on top of it becomes easier. To build new firmware for existing hardware you would need datasheets for all the major components of the hardware and then dissect a radio and analyze all the data that passes from one component to another in operation with the stock firmware to reverse engineer as much as possible for the foundation of the new firmware. Am I on the right track?

G4EML
Posts: 919
Joined: Sat Nov 16, 2019 10:01 am

Re: Where does a custom firmware project begin?

Post by G4EML » Mon Mar 29, 2021 6:36 pm

Pretty much correct. That is what has been done to produce the OpenGD77 firmware.
It is still a lot of work especially as the data available for some of the major chips is very limited or not available. The Chinese chip manufacturers often do not release publicly available datasheets.
