Posts

Showing posts from August, 2025

Capsure pwned

Capsure Hacking #3. Third post on this topic; see also post 1 (JTAG connections) and post 2 (USB decoding).

So after the Capsure USB hacking, and with a little more knowledge (which can be a dangerous thing, see later), what can we do with access to the flash memory? The bootloader has a built-in "view NAND" tool (see the end of the last post). In there we can see the contents, but there's no direct download/upload option. *But* we now have a JTAG connector on this board, added in the first post. How hard can it be? I pull out a full memory dump, and I *think* this means I've got a copy of everything (see the earlier 'dangerous thing' comment), so I blunder ahead.

Where's the memory

We have a little bit of knowledge from the datasheet, which I've been poring over. So what can we change? What effect will it have? I'd been intrigued by that QC firmware I'd accidentally installed earlier, which complained about FW incompatibility, and looking at the full...

Decoding Capsure USB

After my initial tinkering and playing with the RM200 Capsure colorimeter, I wanted to be able to experiment with firmware tweaks. Having to use the X-Rite Windows app, and using Fiddler to hack the packets connecting to their servers each time I switched firmwares, wasn't ideal, so it was time to try to decode the interface and see if it's possible to talk to the handset directly, without the app and server connection.

So fire up Wireshark, run the sync app, connect the device, and wade through the data, and we can see the packets going backwards and forwards. I run a full re-sync and firmware update and have a chunky log to decode later. Here we can see URB_BULK in and out; here is a two-byte command 0x78 0x12 going out on endpoint 0x02. On the return we then have a chunk of info coming back. I try writing the same using Python but figure out that there's a step before it, where it sends a URB_CONTROL message. So once this is figured out (it takes the length of th...