devilsclaw

Posts

  1. These devices are clone airstash devices; the firmware format is the same and the versioning is the same. The content is not the same though, well, not exactly.
  2. So I did more research on the CPU. The default bootloader that comes on these things is designed to use something they call BatchISP as the programmer to load on the application. They also state that to reprogram the bootloader you need to use the JTAGICE mkII. Since I don't see any JTAG pins or open test points, I am guessing the default bootloader is still there and that they are using what AVR considers an app to be loaded. Now the problem is the fuses, as they call them, but they're non-volatile bits that are used to configure the boot process a bit. If a particular bit is set, then the application is called in all cases of the boot, which basically blocks us from using the bootloader to program it. So that leaves us with either figuring out how to get a JTAG device connected and changing the fuse bits to boot off the bootloader and reading the code out of the device if possible, or nothing. It might be possible that part of the update is unencrypted, or all of it, but I would have to look up how to disassemble AVR 32-bit code.
  3. Well, I decompiled the APK a couple of days ago and I looked through it a bit. Still looking, but I'm just guessing that it uploads the file to the root of the device just like manually updating works, especially since they tell you to power off the device and power it back on to update.
  4. I guess it could have been booted off the SD card slot; I forgot about that. In fact, that might explain why there is a 16 MByte unformatted partition on the SD card, which appears to have been wiped or uninitialized.
  5. After looking at the USB/battery charger documentation and the RT1 resistors, and the lack of them, it seems the ones that are not stuffed would be used to configure how the USB charger works, so it's not for debugging. I am also not seeing anything that looks like possible JTAG points. I have to look at the CPU documentation about boot order, but it's possible that the external flash is preloaded and then they flash the device via that, because I am not really seeing any programming points, unless that is on the battery side or under the SD card slot.
  6. First off, the external flash looks to be the same size, which is where the main firmware is stored. The internal flash is not the same size, 128 vs 256 KB. The less space you have, the less you can implement, but I am still guessing that the internal flash is either the bootloader or the first-stage bootloader, and then the second stage would be in the external flash. The latter is starting to feel more likely, since if you hex-compare the two firmwares you will notice that one section is exactly the same, which I am guessing is the second-stage bootloader. It also points to, if there is encryption, both devices using the same encryption key.
  7. Based off the picture, the only difference that jumps out at me is the CPU, AT32UC3A4128S, which has smaller internal flash, which is why there are two different firmwares.
  8. I found out more about the processor: AT32UC3A4256S, which is a 100-pin (FBGA) and has 256 kilobits of internal flash that can be protected. The internal flash must have the bootloader, which then loads the rest of the firmware from the 2 MB flash chip. The CPU also supports AES encryption at the hardware level, which is most likely what the firmware is encrypted with. If the internal flash is protected then there most likely is no way to read out the bootloader, which would mean no way to decrypt the main flash. If that is the case, which I will try to figure out, then the only option would be to create a new firmware from scratch and replace the internal firmware and the main one. Only time will tell.
  9. I took some high-res pictures of the 64 GB version: https://imgur.com/a/rK0rV
  10. The first step to popping off the case is popping off the USB shield. You will notice on the slider rail for the USB cover there are legs. I used a small flat-head screwdriver that fit width-wise in the rail. With the USB cover fully hiding the USB plug, I pushed the flat head under one side and unseated it, then I held it in the unseated state and did the same on the other side. Now the plastic cover needs to be popped open from the side of the USB plug, gently; you have to do both sides of the plug. Now, on the bottom half (the top being the side with the button) where the sliding rails are, gently push the flat head to the bottom side of the case, both sides. Now you need to use the flat head and push with more pressure being on the bottom half of the case in the case split, and pop open parts of the case all around the device. This will get the device open. BTW: here is the documentation on the USB lithium-ion battery charger. Part Number: CDU TI 42i http://www.ti.com/lit/ds/symlink/bq24072.pdf When you pop open your case you will see a set of resistors that are not populated. I am guessing at the moment that if they are configured differently it will power up the device in a different state that might allow direct programming of the device. They have to get the firmware on there initially somehow, either via a chip programmer before it's stuffed on the device or with it fully intact. I'm guessing the latter.
  11. FCC documents: http://fccid.net/number.php?fcc=R4V-SDWS2&id=426668
  12. WIFI: http://www.datasheet4u.com/datasheet-pdf/Atheros/AR6103/pdf.php?id=833053 CPU: http://www.atmel.com/products/microcontrollers/avr/32-bitavruc3.aspx FLASH: http://pdf1.alldatasheet.com/datasheet-pdf/view/207651/EON/EN25P16-50FC.html
  13. It has a 16 Mbit flash chip, 25P16 (VDFN), which is 2 MBytes in size, which is consistent with the flash file size that is on the 64 GB version. I think the 32 GB version has a smaller flash chip, which might be why it does not have exFAT.
  14. This part is not true: "FCC pictures which show an AR9K chip". I just re-looked, and the picture was upside down and my mind converted it for me. Thanks, mind.
  15. So I was able to finally get mine apart without breaking the case. The wireless card is an Atheros AR6103G-BM2D. At first, when I looked at the FCC pictures which show an AR9K chip, I thought that the CPU (Central Processing Unit) for this device might be the Atheros chip as well as a SOC (System on Chip), but it's not. The CPU looks to be the Atmel 32UCA. I'm guessing, due to that, there is no Linux but an RTOS (Real Time Operating System) that is running this device. Now I am going to see if there is a flash (NOR/NAND) chip that stores the firmware or if it goes directly on the chip. Also I need to figure out if the firmware is encrypted, which I am guessing that it is, but hoping not.
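Posts 6, 8 and 15 above rely on two checks that are easy to script: hex-comparing the two firmware images to find the section that is byte-for-byte the same (the suspected shared second stage), and judging whether the main firmware is encrypted. The script below is an added example written for this page, not code from devilsclaw, the device vendor or Atmel. It scans two images for block-aligned runs of identical bytes at the same offset and builds a per-block Shannon entropy map, where blocks near 8 bits/byte are consistent with encryption or compression and blocks near 0 are erased flash or padding. The two images are constructed inside the script with a hypothetical layout (a plaintext header block, a shared pseudorandom "second stage", a per-device pseudorandom region, and 0xFF padding); on a real dump you would read the two files instead of calling make_image.

```python
import math
import random

BLOCK_SIZE = 4096     # granularity of the entropy map
CMP_BLOCK = 256       # granularity of the identical-region scan


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = constant bytes, 8.0 = uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(entropy: float) -> str:
    """Rough label for a block; the thresholds are a common heuristic, not proof."""
    if entropy > 7.5:
        return "random-looking (encrypted/compressed?)"
    if entropy < 0.5:
        return "padding/erased"
    return "code/data/strings"


def entropy_map(image: bytes, block: int = BLOCK_SIZE):
    """Return (offset, entropy, label) for every block of the image."""
    out = []
    for off in range(0, len(image), block):
        e = shannon_entropy(image[off:off + block])
        out.append((off, round(e, 2), classify(e)))
    return out


def common_regions(a: bytes, b: bytes, block: int = CMP_BLOCK, min_blocks: int = 4):
    """Runs [start, end) where both images hold identical bytes at the same offset.
    Runs shorter than min_blocks consecutive blocks are ignored as noise."""
    runs = []
    start = None
    n = min(len(a), len(b))
    for off in range(0, n, block):
        same = a[off:off + block] == b[off:off + block]
        if same and start is None:
            start = off
        elif not same and start is not None:
            if (off - start) // block >= min_blocks:
                runs.append((start, off))
            start = None
    if start is not None and (n - start) // block >= min_blocks:
        runs.append((start, n))
    return runs


def _pseudorandom(seed: int, n: int) -> bytes:
    """Deterministic stand-in for ciphertext (seeded so the example is repeatable)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def make_image(device_seed: int) -> bytes:
    """Constructed firmware image; the layout is hypothetical, not the real device's."""
    header = b"CLONEFW\x00" + b"1.2.3\x00"             # assumed plaintext header
    strings = b"usb_mass_storage init\n" * 100          # plaintext strings, low entropy
    block0 = (header + strings).ljust(BLOCK_SIZE, b"\xff")
    shared = _pseudorandom(42, 2 * BLOCK_SIZE)          # identical in both images
    app = _pseudorandom(device_seed, 2 * BLOCK_SIZE)    # differs per device
    padding = b"\xff" * BLOCK_SIZE                      # erased flash
    return block0 + shared + app + padding


IMG_A = make_image(1)   # constructed stand-in for the "32 GB" image
IMG_B = make_image(2)   # constructed stand-in for the "64 GB" image
COMMON = common_regions(IMG_A, IMG_B)


if __name__ == "__main__":
    for start, end in COMMON:
        print(f"identical region: 0x{start:06x}-0x{end:06x} ({end - start} bytes)")
    for off, e, label in entropy_map(IMG_A):
        print(f"0x{off:06x}  {e:5.2f} bits/byte  {label}")
```

On the constructed images the scan reports one identical run covering the header block and the shared region, and a second run for the padding, while the entropy map flags the shared and per-device regions as random-looking. High entropy alone cannot distinguish AES output from compressed data, so treat that label as a reason to look for a compression header, not as confirmation of encryption.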