MAC-577IF2-E RealTek rtl8195a – part 1
Most of them use MELCloud (or MELView). That is not the purpose of this research, which is to reverse the firmware to find some clues.
https://blog.dest-unreach.be/2022/06/04/mitsubishi-wifi-adapter/#mitsubishi-wifi-adapter
https://github.com/ncaunt/meldec/issues/2#issuecomment-2024296139
https://jmswrnr.com/blog/hacking-a-smart-home-device
https://github.com/jeatheak/Mitsubishi-WF-RAC-Integration
https://github.com/mongoose-os-libs/mel-ac
https://sites.google.com/myuba.be/homeassistant/home/melcloud
Firmware string (decompiler output at 0x10048f04): char data_10048f04[0x9] = "MAC567IF", 0
NOTE: the signature "81958711" means the latest updated version (OTA firmware).
C:\sdk-ameba-v4.0c\component\common\mbed\targets\hal\rtl8195a
/config: user:fmptf5pyvg -> Base64 encode -> HTTP header "Authorization: Basic dXNlcjpmbXB0ZjVweXZn"
Found the "401 Unauthorized" string at address 0x3001E0E0
Function 0x3001DE94 references the "401 Unauthorized" string
int __fastcall HTML_check_Authorization_Basic_401_Unauthorized_300288F4(httpd_conn *conn)
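As an added example (not code from the post and not Realtek's SDK), the Python below is a small firmware-audit check for exactly the finding above: it scans a flash or RAM dump for Basic-auth tokens, base64-decodes each one and reports those that decode to a printable user:password pair, which is how a hard-coded HTTP credential like the one stored in this image shows up during an audit. The dump is constructed: it contains the two strings from the page, a WWW-Authenticate header added only to show the false-positive filter (the "realm" word is not valid base64 and is skipped), and arbitrary padding; the offsets mean nothing outside this sample.

```python
import base64
import re

# "Basic " followed by a base64 token, the shape an HTTP Authorization header takes.
BASIC_TOKEN_RE = re.compile(rb"Basic[ \t]+([A-Za-z0-9+/]{4,}={0,2})")


def _is_printable_ascii(data: bytes) -> bool:
    return all(0x20 <= b < 0x7F for b in data)


def find_basic_auth_credentials(blob: bytes) -> list:
    """Return every 'Basic <base64>' token in blob that decodes to a printable user:password."""
    hits = []
    for m in BASIC_TOKEN_RE.finditer(blob):
        token = m.group(1)
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:  # not valid base64 (binascii.Error is a ValueError subclass)
            continue
        if b":" not in decoded or not _is_printable_ascii(decoded):
            continue
        user, _, password = decoded.partition(b":")
        hits.append({
            "offset": m.start(1),          # offset of the token inside the dump
            "token": token.decode("ascii"),
            "user": user.decode("ascii"),
            "password": password.decode("ascii"),
        })
    return hits


# Constructed sample dump (not a real flash image): padding, the "401 Unauthorized"
# string and the pre-encoded Authorization header from the page, plus a
# WWW-Authenticate line that must NOT be reported.
SAMPLE_DUMP = (
    b"\x00" * 0x40
    + b"401 Unauthorized\x00"
    + b"Authorization: Basic dXNlcjpmbXB0ZjVweXZn\x00"
    + b'WWW-Authenticate: Basic realm="constructed"\x00'
    + b"\xff" * 0x10
)

if __name__ == "__main__":
    for hit in find_basic_auth_credentials(SAMPLE_DUMP):
        print(f"0x{hit['offset']:08x}  {hit['token']}  ->  {hit['user']}:{hit['password']}")
```

Run it against a flash dump (`find_basic_auth_credentials(open("dump.bin", "rb").read())`) and it prints the offset, the token and the decoded pair. It only catches credentials stored in pre-encoded form, as this image appears to do; a firmware that keeps the raw user:password string and base64-encodes it at runtime needs a plain strings search instead.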
Check boot type form eFuse
SPI Initial
Image1 length: 0x3a98, Image Addr: 0x10000bc8
Image1 Validate OK, Going jump to Image1
BOOT from Flash:YES
===== Enter Image 1 ====
load NEW fw 1
Flash Image2:Addr 0x80000, Len 326896, Load to SRAM 0x10006000
No Image3
Img2 Sign: RTKWin, InfaStart @ 0x10006059
===== Enter Image 2 ====
#0 web.c :267 web param=0 2
Start LOG SERVICE MODE
RTL8195A[HAL]: ISR 8 had been allocated!!!
Period = 0x00004e20
WdgScalar = 0x0000ad9c
WdgCunLimit = 0x00000003
# help
WLAN AT COMMAND SET:
============================
1. Wlan Scan for Network Access Point
# ATWS
2. Connect to an AES AP
# ATW0=SSID
# ATW1=PASSPHRASE
# ATWC
3. Create an AES AP
# ATW3=SSID
# ATW4=PASSPHRASE
# ATW5=CHANNEL
# ATWA
4. Ping
# ATWI=xxx.xxx.xxx.xxx
[MEM] After do cmd, available heap 33624
# ATS?
[ATS?]: _AT_SYSTEM_HELP_
[ATS?]: COMPILE TIME: 2016/08/02-18:30:30
[MEM] After do cmd, available heap 33624
=========================================================
ROM Version: 0.3
Build ToolChain Version: gcc version 4.8.3 (Realtek ASDK-4.8.3p1 Build 2003)
=========================================================
Check boot type form eFuse
SPI Initial
Image1 length: 0x3a98, Image Addr: 0x10000bc8
Image1 Validate OK, Going jump to Image1
BOOT from Flash:YES
===== Enter Image 1 ====
load OLD fw 0
Flash Image2:Addr 0xb000, Len 263652, Load to SRAM 0x10006000
No Image3
Img2 Sign: RTKWin, InfaStart @ 0x10006049
===== Enter Image 2 ====
This is version 1
interface 0 is initialized
interface 1 is initialized
Initializing WIFI ...
WIFI initialized
WiFi is not connected. Try to connect to *********
RTL8195A[Driver]: set ssid [*********]
RTL8195A[Driver]: start auth to **:**:**:**:**:**
RTL8195A[Driver]: auth success, start assoc
RTL8195A[Driver]: association success(res=3)
RTL8195A[Driver]: set pairwise key to hw: alg:4(WEP40-1 WEP104-5 TKIP-2 AES-4)
RTL8195A[Driver]: set group key to hw: alg:4(WEP40-1 WEP104-5 TKIP-2 AES-4) keyid:1
Interface 0 IP address : 192.168.1.122
Connected...
Pin1: PC_1
FlashInfo: 0xb000[0x405e4], 0x4b5f4[0x0], 0x80000
Wait for client
Client connected. IP:192.168.1.2 port:10452
Read OTA info...
Start download 438272 bytes
OTA success
=========================================================
ROM Version: 0.3
Build ToolChain Version: gcc version 4.8.3 (Realtek ASDK-4.8.3p1 Build 2003)
=========================================================
Check boot type form eFuse
SPI Initial
Image1 length: 0x3a98, Image Addr: 0x10000bc8
Image1 Validate OK, Going jump to Image1
BOOT from Flash:YES
===== Enter Image 1 ====
load NEW fw 1
Flash Image2:Addr 0x80000, Len 326896, Load to SRAM 0x10006000
No Image3
Img2 Sign: RTKWin, InfaStart @ 0x10006059
===== Enter Image 2 ====
#0 web.c :267 web param=0 2
Start LOG SERVICE MODE
RTL8195A[HAL]: ISR 8 had been allocated!!!
Period = 0x00004e20
WdgScalar = 0x0000ad9c
WdgCunLimit = 0x00000003
ram_all.bin format
The format is binary.
0x0000-0x7FFF is the bootloader area called Image1. Copy the contents of ram_1.p.bin included in the SDK to this area.
0x8000-0x8FFF is a reserved area padded with 0xFF.
0x9000-0x9FFF is padded with 0xFF. This area of flash contains configuration data such as the MAC address. When writing firmware, this area is not rewritten, in order to preserve the configuration data.
0xA000-0xAFFF is padded with 0xFF. This area of flash contains the RF tuning values for the WLAN. As above, do not rewrite it.
The area from 0xB000 onwards is the firmware area called Image2. The firmware includes two areas: SRAM and SDRAM.
The first 16 bytes at 0xB000 are the SRAM header:
4 bytes: the size of the SRAM area
4 bytes: the address at which the SRAM area is placed on the ARM memory map (0x10006000)
8 bytes: the signature. The default signature is the string "81958711".
From the 16th byte onwards are the code and data for the SRAM area.
Immediately after the SRAM area comes the 16-byte SDRAM header:
4 bytes: the size of the SDRAM area
4 bytes: the address at which the SDRAM area is placed on the ARM memory map (0x30000000)
8 bytes padded with 0xFF
From the 16th byte onwards are the code and data for the SDRAM area.
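As an added example (not code from the post or from Realtek's SDK), the Python below walks the Image2 layout just described: it reads the 16-byte SRAM header, skips the SRAM data, reads the SDRAM header, and runs the sanity checks a tool would apply before trusting or flashing an image. It assumes the header fields are little-endian (the rtl8195a is a Cortex-M3) and uses a constructed 1 MiB dump of 0xFF with a 32-byte placeholder Image2; the SRAM load address 0x10006000, the SDRAM address 0x30000000 and the default signature come from the layout above. The helper sdram_header_offset also reproduces the second entry of the FlashInfo line in the boot log: 0xB000 + 16 + 0x405E4 (0x405E4 = 263652, the Len printed for the OLD firmware) = 0x4B5F4, i.e. an SDRAM area of size 0 follows the SRAM area.

```python
import struct

IMAGE2_FLASH_OFFSET = 0xB000        # start of Image2 in flash (layout above, FlashInfo log)
SRAM_LOAD_ADDR = 0x10006000         # "Load to SRAM 0x10006000" in the boot log
SDRAM_LOAD_ADDR = 0x30000000        # SDRAM address from the layout above
DEFAULT_SIGNATURE = b"81958711"     # default Image2 signature from the layout above
HEADER_FMT = "<II8s"                # size, load address, signature/padding; little-endian assumed
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16 bytes


def sdram_header_offset(image2_base: int, sram_size: int) -> int:
    """Flash offset of the SDRAM header: it follows the 16-byte SRAM header and the SRAM data."""
    return image2_base + HEADER_LEN + sram_size


def parse_image2(flash: bytes, base: int = IMAGE2_FLASH_OFFSET) -> dict:
    """Walk the two Image2 headers in a flash dump and return their fields and offsets."""
    if base + HEADER_LEN > len(flash):
        raise ValueError("dump too short for the SRAM header")
    sram_size, sram_addr, signature = struct.unpack_from(HEADER_FMT, flash, base)
    sdram_hdr = sdram_header_offset(base, sram_size)
    if sdram_hdr + HEADER_LEN > len(flash):
        raise ValueError("SRAM size 0x%x runs past the end of the dump" % sram_size)
    sdram_size, sdram_addr, padding = struct.unpack_from(HEADER_FMT, flash, sdram_hdr)
    return {
        "sram_size": sram_size,
        "sram_addr": sram_addr,
        "signature": signature,
        "sram_data_off": base + HEADER_LEN,
        "sdram_hdr_off": sdram_hdr,
        "sdram_size": sdram_size,
        "sdram_addr": sdram_addr,
        "sdram_data_off": sdram_hdr + HEADER_LEN,
        "sdram_padding_ok": padding == b"\xff" * 8,
    }


def check_image2(info: dict, known_signatures=(DEFAULT_SIGNATURE,)) -> list:
    """Sanity checks an image should pass before it is trusted or flashed; returns problems found."""
    problems = []
    if info["signature"] not in known_signatures:
        problems.append("unknown signature %r" % info["signature"])
    if info["sram_addr"] != SRAM_LOAD_ADDR:
        problems.append("SRAM load address 0x%08x is not 0x%08x" % (info["sram_addr"], SRAM_LOAD_ADDR))
    if info["sdram_size"] and info["sdram_addr"] != SDRAM_LOAD_ADDR:
        problems.append("SDRAM load address 0x%08x is not 0x%08x" % (info["sdram_addr"], SDRAM_LOAD_ADDR))
    if not info["sdram_padding_ok"]:
        problems.append("SDRAM header padding is not 0xFF")
    return problems


def build_sample_flash() -> bytes:
    """Constructed dump (not a real firmware): 1 MiB of 0xFF with a tiny Image2 at 0xB000."""
    flash = bytearray(b"\xff" * 0x100000)
    sram_code = bytes(range(0x20))                                   # 32 placeholder "code" bytes
    sram_hdr = struct.pack(HEADER_FMT, len(sram_code), SRAM_LOAD_ADDR, DEFAULT_SIGNATURE)
    sdram_hdr = struct.pack(HEADER_FMT, 0, SDRAM_LOAD_ADDR, b"\xff" * 8)   # empty SDRAM area
    image2 = sram_hdr + sram_code + sdram_hdr
    flash[IMAGE2_FLASH_OFFSET:IMAGE2_FLASH_OFFSET + len(image2)] = image2
    return bytes(flash)


if __name__ == "__main__":
    info = parse_image2(build_sample_flash())
    print(info)
    print("problems:", check_image2(info))
    # Cross-check against the boot log: SRAM length 0x405e4 gives the 0x4b5f4 of
    # "FlashInfo: 0xb000[0x405e4], 0x4b5f4[0x0], 0x80000".
    print(hex(sdram_header_offset(IMAGE2_FLASH_OFFSET, 0x405E4)))
```

To run it on a real dump, call `parse_image2(open("ram_all.bin", "rb").read())`; for the OTA slot pass `base=0x80000`, the address the boot log shows for the NEW firmware. The boot log prints "Img2 Sign: RTKWin" rather than "81958711", so extend `known_signatures` with whatever signature the bootloader actually accepts on the image you are examining rather than treating the default as the only valid value.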