Cobra USB Protocol: Difference between revisions
initial dolsendusb |
|||
Line 26: | Line 26: | ||
| HandshakeOut1 || TO GC || 15 (0Fh) || COBRASEND15[4x var] || 43h 4Fh 42h 52h 41h 53h 45h 4Eh 44h 31h 35h [XXh XXh XXh XXh] | | HandshakeOut1 || TO GC || 15 (0Fh) || COBRASEND15[4x var] || 43h 4Fh 42h 52h 41h 53h 45h 4Eh 44h 31h 35h [XXh XXh XXh XXh] | ||
|- | |- | ||
| HandshakeIn1 || FROM GC || 8 (08h) || | | HandshakeIn1 || FROM GC || 8 (08h) || || [XXh XXh XXh XXh][YYh YYh YYh YYh] | ||
|- | |- | ||
| HandshakeOut2 || TO GC || 8 (08h) || | | HandshakeOut2 || TO GC || 8 (08h) || || [YYh YYh YYh YYh][CMh CMh CMh CMh] | ||
|} | |} | ||
==Sending DOL files== | ==Sending DOL files== | ||
The command from DolSendUSB is "00h 00h 14h A0h". Cobra goes into USB mode. | |||
Then it switches something in the USB connection (''I assume enabling bulk transfer, but this has to be clarified...'') and uploads a small helper program (~5kb). | |||
The uploaded program will then provide additional functions (relocate dol, jump to entry point). | |||
{| class="wikitable" | |||
|- | |||
! function !! direction !! length !! data ascii !! data hex | |||
|- | |||
| HandshakeSendDol || TO GC || 8 (08h) || || [YYh YYh YYh YYh][00h 00h 14h A0h] | |||
|} | |||
[[Category:Hacks]] | [[Category:Hacks]] |
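Review bot: in the added "Sending DOL files" paragraph, the step after the 00h 00h 14h A0h command is recorded only as a guess ("I assume enabling bulk transfer, but this has to be clarified..."), and the new table has a single TO GC row, so nothing here says how the ~5kb helper program is framed or acknowledged. Suggest marking that step as unverified next to the table (or adding rows for the upload once it has been captured) and stating whether "~5kb" means kilobytes. The extra empty cell added to the HandshakeIn1 and HandshakeOut2 rows is the right fix: it moves the bytes out of the data ascii column and into data hex.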
Revision as of 13:53, 3 September 2011
Reversing the cobra 1.5+ USB protocol
Introduction
This page documents my findings from sniffing the USB protocol of the Cobra BIOS 1.5 up to 2.1.
The information provided here will be used in my open source vua-access library, which can be used to interface with the Viper USB adapter.
The library and associated programs aim to provide the features of the original programs included with Cobra and will eventually add additional features to them.
All of this is mainly written due to the lack of Linux support in the original library and programs provided.
Establishing a connection
After the driver is initialized, the program tells cobra to flush the FIFO buffer.
Then it sends the first part of the handshake. The last 4 bytes are variable.
Cobra answers with the second part of the handshake. The first 4 bytes will be the same as the last 4 in HandshakeOut1. The second 4 bytes are variable.
The program answers with the third part of the handshake. The first 4 bytes will be the same as the last 4 in HandshakeIn1. The second 4 bytes are variable and contain a command for cobra.
function | direction | length | data ascii | data hex |
---|---|---|---|---|
FlushFIFO | TO GC | 50 (32h) | [50x A] | [50x 41h] |
HandshakeOut1 | TO GC | 15 (0Fh) | COBRASEND15[4x var] | 43h 4Fh 42h 52h 41h 53h 45h 4Eh 44h 31h 35h [XXh XXh XXh XXh] |
HandshakeIn1 | FROM GC | 8 (08h) | | [XXh XXh XXh XXh][YYh YYh YYh YYh] |
HandshakeOut2 | TO GC | 8 (08h) | | [YYh YYh YYh YYh][CMh CMh CMh CMh] |
Sending DOL files
The command from DolSendUSB is "00h 00h 14h A0h". Cobra goes into USB mode. Then it switches something in the USB connection (I assume enabling bulk transfer, but this has to be clarified...) and uploads a small helper program (~5kb).
The uploaded program will then provide additional functions (relocate dol, jump to entry point).
function | direction | length | data ascii | data hex |
---|---|---|---|---|
HandshakeSendDol | TO GC | 8 (08h) | | [YYh YYh YYh YYh][00h 00h 14h A0h] |
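The handshake from "Establishing a connection", ending in the DolSendUSB command from "Sending DOL files", as an added Python example; it is not code from the vua-access library. The `write`/`read` callables, the function names and the random choice of the XX bytes are assumptions, since the page only says those bytes are variable.

```python
import os

FLUSH_FIFO = b"A" * 50                    # FlushFIFO: 50 x 41h
MAGIC = b"COBRASEND15"                    # fixed 11 bytes of HandshakeOut1
CMD_SEND_DOL = bytes.fromhex("000014a0")  # DolSendUSB command (CM bytes)

def handshake_out1(token=None):
    """Return (15-byte HandshakeOut1, its 4 variable bytes XX)."""
    # Assumption: the page only calls these bytes "variable"; random is our choice.
    token = os.urandom(4) if token is None else bytes(token)
    if len(token) != 4:
        raise ValueError("XX must be exactly 4 bytes")
    return MAGIC + token, token

def parse_handshake_in1(reply, token):
    """Check the 8-byte HandshakeIn1 echoes XX; return the device bytes YY."""
    if len(reply) != 8:
        raise ValueError(f"HandshakeIn1 must be 8 bytes, got {len(reply)}")
    if reply[:4] != token:
        raise ValueError("HandshakeIn1 does not echo the bytes we sent")
    return bytes(reply[4:])

def handshake_out2(device_token, command):
    """Return the 8-byte HandshakeOut2: YY followed by the command CM."""
    if len(device_token) != 4 or len(command) != 4:
        raise ValueError("YY and CM must be 4 bytes each")
    return bytes(device_token) + bytes(command)

def run_handshake(write, read, command=CMD_SEND_DOL):
    """Drive the exchange over hypothetical write(data) / read(n) callables."""
    write(FLUSH_FIFO)
    out1, token = handshake_out1()
    write(out1)
    out2 = handshake_out2(parse_handshake_in1(read(8), token), command)
    write(out2)
    return out2

if __name__ == "__main__":
    sent = []  # constructed stand-in for the adapter: echoes XX, appends fixed YY
    reply = lambda n: sent[1][11:] + bytes.fromhex("deadbeef")
    print(run_handshake(sent.append, reply).hex(" "))
```

Rejecting a HandshakeIn1 that is not 8 bytes or does not echo XX keeps a stale FIFO byte or a desynchronised read from being sent back as YY.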