Firmware reversing on Ultrasonic Flaw Detector


tazBRC
October 14th, 2010, 17:04
Hello guys, here I come again needing some help on embedded systems.

I wanna purchase a USM Go (Ultrasonic Flaw Detector - GE) and I noticed that they have the upgradeable firmware for download on their site (http://www.gesensinginspection.com/en/ultrasound/portable-flaw-detectors/usm-go.html).

This product comes in 4 different versions, from the cheapest to the most expensive, and there is only one firmware for all. Yes, that's right, you can change your version by writing a serial number code and you can make the expensive functions work.
So I want to reverse it.

After downloading the file you can see a .sdu file that is a Motorola S-record file.
But it seems that there are 2 .s19 files merged into one.
And the header of the file is not a standard .s19.

Code:

USP <--- I don't know what this is
158905 <-- I don't know
S0030000FC <-- block start 1
S319FF8400004C00006400000000000000000000000000000000B3
S319FF84001400000000000000000000000000000000000000004F
...
S7050009C3141A <-- block end 1
S307FF998350310854 <-- block data ????
S00E0000696D672F6973652E6D6F74C6 <--block start 2
S315FFC00000FFFFFFFF5599AA660C000180000000E0C4
...
S315FFD595C004000000040000000400000004000000B1
S705FFC000003B <--- Block End 2


I also don't know what the device's processor is.

After transforming it to binary code using srec_cat (google it), I can find the strings that I'm interested in (ex: INVALID CODE - CODE INCORRECT, TRY AGAIN).

What can I do to start reversing it?
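The two-blocks-in-one-file layout and the odd header shown above are easy to check mechanically. The following is an added example (not code from the thread, from srec_cat, or from GE): a small S-record parser that keeps the non-standard leading lines as header text, verifies the checksum of every record, and splits the file into its concatenated blocks so the address range of each one is visible. The sample input is constructed from the complete records quoted in the post (the elided `...` lines are simply left out); the record-type table and checksum rule are the standard Motorola ones.

```python
"""Added example: parse a Motorola S-record file with a non-standard header,
verify every record checksum, and split it into its concatenated blocks."""
import re
from dataclasses import dataclass, field

# Address width in bytes per record type (S4 is reserved and rejected).
ADDR_BYTES = {'0': 2, '1': 2, '2': 3, '3': 4, '5': 2, '6': 3, '7': 4, '8': 3, '9': 2}


@dataclass
class Block:
    name: str = ''                                  # text of the S0 header record
    segments: list = field(default_factory=list)    # [(address, bytes), ...]
    entry: "int | None" = None                      # address from the S7/S8/S9 record

    @property
    def lo(self):
        return min(a for a, _ in self.segments)

    @property
    def hi(self):
        return max(a + len(d) for a, d in self.segments) - 1

    def image(self, base=None, fill=0xFF):
        """Flatten the block into bytes starting at `base` (default: its
        lowest address), padding gaps with `fill`."""
        base = self.lo if base is None else base
        buf = bytearray([fill]) * (self.hi - base + 1)
        for addr, data in self.segments:
            buf[addr - base:addr - base + len(data)] = data
        return bytes(buf)


def parse_record(line):
    """Decode one S-record into (type, address, data).  Raises ValueError on a
    malformed line, a wrong byte count or a checksum mismatch."""
    m = re.fullmatch(r'S([0-9])((?:[0-9A-Fa-f]{2})+)', line.strip())
    if not m or m.group(1) not in ADDR_BYTES:
        raise ValueError(f'not a supported S-record: {line!r}')
    rtype, body = m.group(1), bytes.fromhex(m.group(2))
    count, payload = body[0], body[1:]
    if count != len(payload):
        raise ValueError(f'byte count {count} != {len(payload)}: {line!r}')
    # Checksum byte = one's complement of the low byte of the sum of the
    # count, address and data bytes.
    if (~sum(body[:-1]) & 0xFF) != body[-1]:
        raise ValueError(f'checksum mismatch: {line!r}')
    n = ADDR_BYTES[rtype]
    return rtype, int.from_bytes(payload[:n], 'big'), payload[n:-1]


def parse_srec(text):
    """Return (header_lines, blocks).  Lines that do not start with 'S' are
    kept as header lines instead of being rejected.  Each S0 starts a block,
    S1/S2/S3 add data, S7/S8/S9 terminate; data records that appear outside
    any S0..S7 pair land in their own unnamed block so they stand out."""
    header, blocks, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith('S'):
            header.append(line)
            continue
        rtype, addr, data = parse_record(line)
        if rtype == '0':
            cur = Block(name=data.decode('ascii', 'replace'))
            blocks.append(cur)
        elif rtype in '123':
            if cur is None:
                cur = Block()
                blocks.append(cur)
            cur.segments.append((addr, data))
        elif rtype in '789':
            if cur is not None:
                cur.entry = addr
            cur = None
        # S5/S6 record-count records carry no data and are ignored.
    return header, blocks


# Constructed sample: the complete records quoted in the post above
# (the elided '...' lines are left out).
SAMPLE = """USP
158905
S0030000FC
S319FF8400004C00006400000000000000000000000000000000B3
S319FF84001400000000000000000000000000000000000000004F
S7050009C3141A
S307FF998350310854
S00E0000696D672F6973652E6D6F74C6
S315FFC00000FFFFFFFF5599AA660C000180000000E0C4
S315FFD595C004000000040000000400000004000000B1
S705FFC000003B
"""

if __name__ == '__main__':
    header, blocks = parse_srec(SAMPLE)
    print('header lines:', header)
    for i, b in enumerate(blocks, 1):
        print(f'block {i}: name={b.name!r} range={b.lo:08X}-{b.hi:08X} '
              f'entry={b.entry} segments={len(b.segments)}')
```

Run on the sample, the parser reports three blocks rather than two: the lone `S3` record between the first `S7` and the second `S0` ends up in its own unnamed block, which is exactly the "block data ????" line the post asks about. The second `S0` header decodes to the module name `img/ise.mot`, and every checksum in the quoted records verifies, so the file is ordinary S-record data under the two non-standard leading lines.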

reverser
October 14th, 2010, 18:53
It's a PowerPC, my guess would be one of Freescale MCP cores.

tazBRC
October 15th, 2010, 07:31
How did you identify it as PowerPC?
Code:

USP <-- Probably only a header to identify the ROM
158905 <-- Probably the CRC code for the ROM


If I patch it I need to recalculate the CRC in order for the USM Go to accept it.

Is it possible to emulate this ROM somehow?

Thanks

reverser
October 15th, 2010, 19:35
S-record -> motorola -> freescale -> most likely one of HCS12/68K/PPC -> 32-bit addresses = PPC. Loaded up in IDA - bingo.

tazBRC
October 17th, 2010, 09:34
For those interested, I found a very nice ppt regarding firmware, how to identify it, etc.

Yes, it's really a PowerPC firmware. But I can't make the link between strings and the functions.
Does anybody know how to do it?


http://www.hexblog.com/?p=130

Recon 2010: Intro to Embedded Reverse Engineering for PC reversers
Posted on August 24, 2010 by Igor Skochinsky

In July I had the honor to speak at the Recon conference in Montreal, Canada. It was my first conference but I really liked the experience. I hope I’ll be able to attend it in future.
The presentations were recorded and hopefully will appear on the Recon site soon but for now you can check out the slides (ODP, PDF). I have also uploaded some of the tools I mentioned, most notably various filesystem extractors compiled for Win32 (download).

tazBRC
June 10th, 2011, 18:31
Guys, I've disassembled the complete code, but still stuck.
Is it possible to reference strings from the asm code in the .s19 file format? I got all the strings and beautiful asm code but cannot reference the strings from it.

It's a PowerPC processor.
http://imageshack.us/photo/my-594/idausmgo.png/

FrankRizzo
June 10th, 2011, 22:23
In the past when I've seen this sort of thing, it's been a sign that I entered the base address incorrectly. (Maybe the ROM image doesn't start at 0?)

Another thing that I've done is convert the hex file into a binary file, find the start of a string, and search the ROM image for references to that.

(Assuming a flat address space which I THINK PPC has, this might work for you as well).

dion
June 14th, 2011, 11:02
It's rather expensive stuff for sure (I noticed about $2k and above on Google). Delving into the binary sea, I see noticeable remarks such as sqlite queries and a JPEG handler. The higher end addresses look to be language resources.

Code:
0xFFA40A28 Power PC RAM ....


Clearly it's a Power PC processor.

I don't know about PowerPC asm, but from reading the opcodes it is somewhat similar to MIPS. I don't see any hardcoded 32-bit values xrefing to strings either. Loaded at the lowest address possible, FF840000. If you can get some common libs for PowerPC, maybe you can FLAIR them and see the results.
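FrankRizzo's suggestion (search the flat image for the address of a string) and dion's observation (no hard-coded 32-bit value xrefs the strings) fit together once you know how PowerPC code forms addresses: a 32-bit constant is built from two 16-bit halves with a `lis` (high half) followed by an `addi` or `ori` (low half), so the full pointer never appears as one word in the code, while data tables do hold absolute big-endian pointers. The following is an added example, not code from the thread, from IDA or from GE: it scans a flat image loaded at a given base for both reference styles. The image it runs on is a constructed, hand-assembled sample (a few instructions, a pointer-table entry and two strings taken from the first post), not bytes from the USM Go firmware; the opcode numbers and field layout are the standard PowerPC ones, and the `window` heuristic is this example's own simplification.

```python
"""Added example: locate references to strings in a flat PowerPC image,
both absolute big-endian pointers and lis/addi (or lis/ori) instruction pairs."""
import re
import struct

OP_ADDI, OP_ADDIS, OP_ORI = 14, 15, 24      # primary opcodes (instruction bits 0-5)


def find_strings(image, base, min_len=6):
    """{address: text} for NUL-terminated runs of printable ASCII."""
    pat = rb'[\x20-\x7e]{%d,}\x00' % min_len
    return {base + m.start(): m.group()[:-1].decode('ascii')
            for m in re.finditer(pat, image)}


def find_pointer_refs(image, base, target):
    """Addresses of 4-byte-aligned big-endian words equal to `target`."""
    needle = struct.pack('>I', target)
    return [base + off for off in range(0, len(image) - 3, 4)
            if image[off:off + 4] == needle]


def sext16(v):
    """Sign-extend a 16-bit immediate (the SIMM field of addi)."""
    return v - 0x10000 if v & 0x8000 else v


def find_lis_refs(image, base, target, window=4):
    """[(lis_addr, partner_addr)] for each 'lis rD,hi' whose first following
    'addi rD,rD,lo' or 'ori rD,rD,lo' within `window` instructions yields
    `target`.  Heuristic: it does not track other writes to rD in between."""
    n = len(image) // 4
    words = struct.unpack('>%dI' % n, image[:n * 4])
    hits = []
    for i, w in enumerate(words):
        # lis rD,imm is addis rD,r0,imm: opcode 15 with rA (bits 11-15) == 0
        if (w >> 26) != OP_ADDIS or ((w >> 16) & 0x1F) != 0:
            continue
        rd, hi = (w >> 21) & 0x1F, w & 0xFFFF
        for j in range(i + 1, min(i + 1 + window, n)):
            w2 = words[j]
            op, rd2, ra2, imm = w2 >> 26, (w2 >> 21) & 0x1F, (w2 >> 16) & 0x1F, w2 & 0xFFFF
            # for ori the fields are rS,rA but with rD,rD,lo both equal rd
            if op == OP_ADDI and rd2 == rd and ra2 == rd:
                value = ((hi << 16) + sext16(imm)) & 0xFFFFFFFF     # @ha / @l pair
            elif op == OP_ORI and rd2 == rd and ra2 == rd:
                value = (hi << 16) | imm                             # @h / @l pair
            else:
                continue
            if value == target:
                hits.append((base + 4 * i, base + 4 * j))
            break   # the first completion of rD decides
    return hits


def string_xrefs(image, base):
    """Map every string in the image to the locations that reference it."""
    return {text: {'pointers': find_pointer_refs(image, base, addr),
                   'lis_pairs': find_lis_refs(image, base, addr)}
            for addr, text in find_strings(image, base).items()}


def build_sample(base=0xFF840000):
    """Constructed, hand-assembled image (not bytes from the USM Go firmware):
    a few PowerPC instructions at the load address, a pointer-table entry at
    +0x80 and two strings at +0x100 and +0x9000."""
    img = bytearray(0x9100)
    code = [
        0x3C60FF84,   # lis   r3, 0xFF84        ; high half (@ha) of base+0x100
        0x38A00000,   # li    r5, 0             ; unrelated instruction in between
        0x38630100,   # addi  r3, r3, 0x0100    ; -> base+0x100 ("INVALID CODE")
        0x3C80FF85,   # lis   r4, 0xFF85        ; @ha of +0x9000 rounds the high half up
        0x38849000,   # addi  r4, r4, -0x7000   ; 0xFF850000 - 0x7000 -> base+0x9000
        0x3CC0FF84,   # lis   r6, 0xFF84        ; decoy: never completed in r6
        0x38E70100,   # addi  r7, r7, 0x0100    ; different register, must not match
        0x4E800020,   # blr
    ]
    img[0:4 * len(code)] = struct.pack('>%dI' % len(code), *code)
    img[0x80:0x84] = struct.pack('>I', base + 0x100)          # absolute pointer in data
    for off, s in ((0x100, b'INVALID CODE\x00'),
                   (0x9000, b'CODE INCORRECT, TRY AGAIN\x00')):
        img[off:off + len(s)] = s
    return bytes(img), base


if __name__ == '__main__':
    image, base = build_sample()
    for text, refs in string_xrefs(image, base).items():
        print(f'{text!r}: pointers={[hex(a) for a in refs["pointers"]]} '
              f'lis_pairs={[(hex(a), hex(b)) for a, b in refs["lis_pairs"]]}')
```

The second string shows the edge case that a naive high/low split gets wrong: its low half `0x9000` is negative as a signed 16-bit immediate, so the compiler emits `lis` with the high half rounded up (`0xFF85`) and `addi` subtracts. The same reasoning applies in IDA once the segment is created at the right base (FF840000 here); if the base is wrong, neither the pointer search nor the lis/addi pairs will line up with the strings.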