On 10/17/19 12:08 PM, Sean Young wrote:
Hi Antti,

I have a Logilink VG0022A device which is an af9035.c type device (with
ITE 9xxx frontned). The probe of the si2146 tuner fails and returns 0xffs.

Now I would like to work on fixing this. Mauro suggested the firmware might
be incorrect. Any tips on extracting the firmware? I can try and dump
usb traffic from Windows and see what firmware is being used there. How did
you extract the firmware?

Any other suggestions for this device? You might be able to save me a lot
of time since you have experience with these types of devices, I do not.

Extracting firmware is done almost always by following steps:
1) take sniffs from the some bus (usb/i2c)
2) identify firmware download section, detect it starting point and ending point ~few first and last bytes
3) find that firmware binary located inside of binary driver
 * grep, hexeditor, etc
 * example LANG=C grep -obUaP "\x08\x05\x00" driver.sys
4) use dd command to copy firmware blob from binary driver to separate file (you need to know firmware location and length inside binary)

It is also possible to dump firmware to file from bus sniffs too, but it requires writing some simple script. Dumping it from the binary driver is usually still most easiest way.

At some point I downloaded bunch of drivers to find out multiple firmware versions for si2168 and made simple script to ease things. Script is attached.

After all, I suspect root of issue may be still be buggy i2c...


#!/usr/bin/env python
# Silicon Labs Si2168 firmware extractor.
# Copyright (C) 2015 Antti Palosaari <cr...@iki.fi>
# Usage: si2168_extract_firmware.py binary_driver_name.sys

import sys
import struct
import md5

fread = file(sys.argv[1], 'rb')
binary = fread.read()
offset = 0

# Known firmware md5 and its version
fw_ver_tab = {
    '02c9b1e751f362621c649ea831410b61' : '4.0.7',
    'b2670d8ae5e3369fc71edbb98cdd8f6e' : '4.0.11',
    '8dfc2483d90282bbb05817fbbc282376' : '4.0.19',
    'c8e089c351e9834060e962356f8697b8' : '4.0.25',

while True:
    # Match 17-byte firmware header
    # 04 01 00 00 00 00 9a 41 05 1b af 33 02 1b 3e 7d 2a | A20 (not supported)
    # 08 05 00 xx xx xx xx xx xx 00 00 00 00 00 00 00 00 | B40
    offset = binary.find('\x08\x05\x00', offset)
    if offset == -1:
        print "Done"

    if (binary[offset + 9:offset + 17] != '\x00\x00\x00\x00\x00\x00\x00\x00'):
        offset = offset + 1

    print "Possible 17-byte Si2168-B40 firmware header found at 0x%x" % (offset)

    fw_filename = 'dvb-demod-si2168-b40-01.fw_' + str(offset)
    fw_write = open(fw_filename, 'wb')
    fw_md5 = md5.new()

    while True:
        fields = struct.unpack("B", binary[offset])
        fw_data_len = fields[0]
        # Firmware chunk first byte tells bytes to upload - 16 is max
        if fw_data_len == 0 or fw_data_len > 16:

        # Check remaining (unused) bytes on firmware 17-byte chunk are all zero
        data_valid = True
        for x in range(offset + fw_data_len + 1, offset + 17):
            if (binary[x] != '\x00'):
                data_valid = False

        if data_valid == False:

        # Firmware chunk validated, write it to file
        fw_write.write(binary[offset + 0:offset + 17])
        fw_md5.update(binary[offset + 0:offset + 17])
        offset = offset + 17


    if fw_md5.hexdigest() in fw_ver_tab:
        fw_ver = fw_ver_tab[fw_md5.hexdigest()]
        fw_ver = '<unknown>'

    print "Firmware md5 '%s'" % (fw_md5.hexdigest())
    print "Firmware version '%s'" % (fw_ver)
    print "Firmware stored to file '%s'" % (fw_filename)

    offset = offset + 1


Reply via email to