pioneer-x-smc55-s micro system

Pioneer X-SMC55-S Reverse Engineering

Enable telnet command line interface:
http://<ip>/service_term_sw_nmp.asp
select TELNET, then Apply
now you can power off/on and "telnet <ip> 9000"

Enable tftp bootloader console:
power on device
http://<ip>/1000/firmware_update_start.asp
press Start
telnet <ip> 5001

Memory dump:
sys memdump 0x00400000 0x0000fa00 ; system code, contains code chunk from 0x60000000 and stack
sys memdump 0x00500000 0x0000fa00 ; same as 0x00400000 but non-cached
sys memdump 0x60000000 0x0aa80000 ; code
sys memdump 0x60aa8000 0x01458000 ; heap & stack
sys memdump 0x71f00000 0x00100000 ; heap & stack

Firmware file encryption (BCD or bCoD) looks like Blowfish ECB, but password and initialization vector from dump didn't match maybe non-standard s-boxes

Name		Name	Last commit message	Last commit date
Latest commit History 39 Commits
LICENSE		LICENSE
README.md		README.md
bootlog.txt		bootlog.txt
firmware_download.py		firmware_download.py
links.md		links.md
read_memdump_from_log.c		read_memdump_from_log.c
tech_details.md		tech_details.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

LICENSE

LICENSE

README.md

README.md

bootlog.txt

bootlog.txt

firmware_download.py

firmware_download.py

links.md

links.md

read_memdump_from_log.c

read_memdump_from_log.c

tech_details.md

tech_details.md

Repository files navigation

pioneer-x-smc55-s micro system

About

Releases

Packages

Languages

License

loop333/pioneer-x-smc55

Folders and files

Latest commit

History

Repository files navigation

pioneer-x-smc55-s micro system

About

Topics

Resources

License

Stars

Watchers

Forks

Languages