View Full Version : [DEV] Reversing the compiled scripts

02-11-2012, 03:17 AM
The A10 platforms bootloader (a small built-in pre-boot-loader, in Brom) does not contain any hardware information and identical on every board. Thus, the boot process needs a file what tells where to look for what (so no time is spent with mostly meaningless interface pings). The definition files are located in the bootfs, or /dev/block/nanda (mount it as vfat), and called Script.bin (plus same file just different name, Script0.bin). This is just a "compiled" configuration file, so it has the values encoded.

I'm developing for the device Pioneer Aurora F1 (the tablet A710), and as it had no config file in the released kit, I need to use the only one released binary, what is pretty annoying as I'm trying to put a whole source tree together, with every device, etc etc.

For that, I would need help with disassembling and reversing two tools from the released Ainol firmware making kit: script.exe and update_23.exe. These two first compile the script into binary format, then merge it with the three loaders (nand, usb and mmc).

The ultimate goal is to have a tool what can recreate the original sys_config1.fex from the Script.bin files.

I've began working on it with IDA, but as I really lack the knowledge of Assembly language, I can't really do much. If there's anyone who knows generic x86 Assembly, and would like to help, it would be a great improvement for the tools we have!

02-11-2012, 05:31 AM

I have written a simple utility to decompile a bin file to the fex format

02-11-2012, 11:33 AM
No problem, may I ask where did you get that exe? If we have sources of script.exe, or any other tools (mostly edragonex), it would come handy. I'm trying to remake the whole process in C#, in an easier way.

Roberto M
02-11-2012, 12:00 PM
I have no sources of any tools.

The source of my utility is in the jar file. :-)
C source - https://github.com/allwinner/linux-2.6.36/tree/lichee-dev/arch/arm/mach-sun4i/pin

Nacho Troncha Nachas
02-11-2012, 02:04 PM
I have good news for you. While trying to mod new firmwares onto the Ainol Novo 7, I reverse-engineered the format of script.bin, which is actually pretty simpler and easier than disassemblying the script tool.

So, here is a tool I made to convert script.bin back to the .fex file:


Happy hacking :D

EDIT: LOL, now this is luck. A6PAMOB posted his tool while I was posting mine. Oh well :)

02-11-2012, 03:28 PM
I haven't modified LiveSuite (that would be madness!)

I wanted to understand what crane_pack did to get everything working but I failed :p , so I used a different approach this morning which seemed to work fine :)

Here is the link (http://dl.dropbox.com/u/28680222/Slatedroid/ImageSuite_GB.zip) to the modified ImageSuite.

02-11-2012, 05:30 PM
I was banned by a band of douchebags, but don't care about them really...
If you can help out with the script and dragonex/unimg part, it would be really helpful (for now I can't really get why eDragonEx fucks up the whole image creation process)

joe fielding
02-11-2012, 08:34 PM
No problem, the more tools the better :-D
I'm not too good in Ruby, could you post the exact way how to extract it? Want to examine it further!

shaun marion
02-11-2012, 09:51 PM
I'm trying to get your C# code working, but I've never used Visual C# Studio before. How do I use this? I've absolutely no idea about what needs to be in my main method.

02-12-2012, 12:11 AM
Yes I saw your source. And thanks for the source of script.exe, it will definitely come handy :D

02-12-2012, 05:46 AM
To run the script just execute: ./script2fex.rb script.bin > script.fex

The format of the file can be seen on an hex editor. First there is the number of sections in the file, then 1, 2, and all of the sections with the number of elements on them (and what I guess is the offset, but I don't use it), then all of the elements with their size and type of variable (int, string or port), and finally all of the data in the same order. (the size is multiplied by 4 bytes, I guess offsets are too). All ints are little-endian.

I just read everything in order and assume the sizes are correct, ignoring the offsets. (they aren't really needed for getting back the .fex).

I checked and the script'ed .bin from the output of the script is the same as the original one, so I guess it works fine.

Joe Squire
02-12-2012, 11:05 AM
Dammit, unimg.exe has a repacking function? How come I did not spot that? O.o

Nikki N
02-12-2012, 08:17 PM
As I said, it's a C# library. Not a command line tool. You have to build your app around it - add a new project, called ConfigLib, add a new class called Script, and copy my code into that.
Then edit your app to have ConfigLib in references, add it as a used one ("using ConfigLib.Script;" before the namespace of the given app's code), and then simply use the command Decompile(input bin, output script), "input bin" and "output script" both being paths to the input/output file. Then run the app.

02-13-2012, 01:36 AM

I'm sorry to tell you but found a bug in your code. There are a few values, what aren't used as normal int values, but hex formatted addresses. Their extraction isn't perfect.

See this:
extracted code

ctp_twi_addr = 85

input code

ctp_twi_addr = 0x85

Any way to have an automatized part of the script, what transforms every the value of every field what got "_addr" in its name into hex format? Basically it's just adding "0x" to the int :D

Laura M
02-13-2012, 06:37 AM
Okay, tried yours, but it won't create a flashable package, LiveSuit dies with the following error:

Upgrade fails : 0x163 ةŐдʧ°ـ3

Samantha C
02-13-2012, 06:53 AM
Thanks for the explanation! As soon as I get home I'll take a look at it!

* B.T.S. *
02-13-2012, 10:51 AM
Strange. I only get that error when the verification files don't contain a valid checksum. At the moment I'm succesfully running modified 2.0T firmware on my Bmorn V11 (modified build.prop so everything is in English instead of Chinese and removed some Live Wallpapers).

The Hitman
02-13-2012, 05:31 PM
1. Create misc.fex:
ctp_twi_addr = 0x85
2. script.exe misc.fex
3. unscript.bat misc.bin
4. the output:
ctp_twi_addr = 133

Could you plese send my your original fex and bin file ...

In my last version I'm trying convert to hex a values more then 0xFFFF.
Yes I can that do with a value of every field with "_addr" in its name.

02-13-2012, 08:10 PM
It works! Hero!
It's dead simple actually, but I guess I'm more of a Java person.

02-13-2012, 09:00 PM
Could you extend your script with offset-reading, so there won't be any problem for sure?

Can you tell me which script.exe did you add to your package? What I've got Ainol tools for image-making have two (script.exe and script_old.exe), but neither matches the one in your zip!

♫Spaghetti Cat♫
02-13-2012, 11:46 PM
Weird, verification files here are all correct. Will go deeper.


Wouldn't the header files cause problem, given that they have checksums?

02-14-2012, 05:17 AM
I only modified RFSFAT16_LSYSTEMFS_000000, haven't tried to modify the recovery or any of the other file systems.

But I'm having another problem at the moment. :p Decoding script.bin with the tool in this thread seems to work fine, but after compiling it again (with 'script.exe sys_config1.fex') the resulting file is only 37KB, while the original is 40KB. Replacing script.bin in /dev/block/nandb with the recompiled one results in a bricked tablet that can only be revived using the LiveSuite.

But why does it work on mine without changing the headers? Which version of the LiveSuite do you use? I'm still using v1.05.

02-14-2012, 05:40 PM
fonix232, this file from crane-win-v2\pctools\mod_update in tools.rar (http://dl.dbank.com/c0bazkwbh5)

02-14-2012, 05:43 PM
You'll see that Java isn't that different from C# ;D Actually 99% of the classes and commands are the same (except 3rd party stuff). I only had to change a few tidbits, like, the trimming part (base C# trim is for trimming space bar (0x20), and not empty (0x00)).

Any news about the image encryption? I could not find anything related, and most of the ainol tools suggest there isn't one. Yet both flashing tools refuse to load my image.

02-14-2012, 09:13 PM
Just made some further progress on the ultimate A10 tool, now (I think) we can create the bootloader/bootfs FAT images :D

02-14-2012, 10:33 PM
It might be LiveSuit. Could you link me that 1.05 release? I'd like to try it with that too.

script.bin needs additional stuff too. Check the crane_tools bat, what it does, as it apparently adds two bootloaders to this code.

02-15-2012, 02:34 AM
Nice! Is the C# code in the post above the latest version or are there any more recent updates? :)

02-15-2012, 06:53 AM
I think I'm almost there. I'm not entirely sure :p

02-15-2012, 07:59 AM
Ehh sure. My script only converts lines what got _addr in the key name - your values apparently have no.
We will have to collect all fields with hex values, so I can modify my code.

02-15-2012, 08:56 AM
I've got the same package, and your script.exe is 36864b in size, mine are 20480 and 24576!

02-15-2012, 01:58 PM
Figured it out. Adjusted some of the code, compared the values with the original script.bin extracted from the Bmorn V11 stock firmware and bingo! ICS ROM from the Novo7 Advanced fully working on the Bmorn :D

02-15-2012, 05:20 PM
Mind to share your changes? :D

Rock and Roll Cowboy
02-15-2012, 05:41 PM
Here (http://dl.dropbox.com/u/28680222/Slatedroid/LiveSuitePlusImage.7z) you go :) I've also included the modified Bmorn V11 image.

Checked it, but it's updating the boot loaders not the sys_config1.bin (sys_config1.bin compiled from standard files in crane_pack is also 40KB - without executing boot code commands).

02-15-2012, 06:38 PM
Yes! Modified LiveSuite firmware succesfully repacked and flashed! I'll share in a minute :)

Jonathan E
02-15-2012, 11:35 PM
I did not really change the script decompiling part, but added a new class for BootFS/bootloaderfs handling. Also it's me (ainolmodder) from SLD ;D

02-16-2012, 02:04 AM
Okay, but I'd be more interested in crane_pack's signing method ;) Create a valid signed image instead of kanging every flasher they release, I'd say!

02-16-2012, 06:55 AM
I didn't expect that!
Going to sharpen my C# skills to get this thing working (shouldn't be too difficult :) )

02-16-2012, 07:38 AM
My mistake, the size of script.exe must be 24576 bytes.
I have reuploaded the unscript.zip.

Mobius 1
02-16-2012, 02:36 PM
I'm still not sure why eDragonEx doesn't work :/
But Roman2025 (on SLD) will probably be very happy that he can finally create his own firmware.

Zpider 20-0
02-16-2012, 03:34 PM

Is there somewhere (forum, wiki, download, etc.) an English description of what each the tools in the novo7 sdk does? Or should I google-translate the crane-docs and hope for the best?

02-16-2012, 03:54 PM
Thanks for that :D Will try ASAP!

Dunno then, apparently the tool is working as we get a proper config script, so I don't really know what's different.

Late edit, but fixed it up. Now anything can flash mah files :D

02-17-2012, 09:06 AM
Guessing so :D
Can you tell me what did you modify in LiveSuite? I've got hold on the latest release (1.09), and would gladly mod it and make a release with yours :D (dunno what's new, apart from version)

02-17-2012, 02:21 PM
Managed to create in image using a self-built kernel and self-built android. I also put up a tutorial about them here:

[TUTORIAL/DEV]Build AOSP Android 2.3.7 for Allwinner A10 tablets (Teclast P76Ti) - xda-developers (http://forum.xda-developers.com/showthread.php?t=1490886)

Curtis M
02-17-2012, 03:43 PM
Well, that's the problem. We don't get a proper config script. Look at this:


Left: decompiled sys_config1.fex
Right: original sys_config1.fex

Andrew J
02-17-2012, 10:46 PM
I didn't change much. This is the int section:

if (nameSub.Contains("_addr"))
aValue = ToHex(readInt(offsetSub)).ToString().TrimEnd('\0') ;
// [dram_para]
else if (nameSub.Contains("dram_baseaddr") || nameSub.Contains("dram_zq") || nameSub.Contains("dram_tpr") || nameSub.Contains("dram_emr"))
aValue = ToHex(readInt(offsetSub)).ToString().TrimEnd('\0') ;
// [g2d_para]
else if (nameSub.Contains("g2d_size"))
aValue = ToHex(readInt(offsetSub)).ToString().TrimEnd('\0') ;
// [lcd0_para]
else if (nameSub.Contains("lcd_srgb") || nameSub.Contains("lcd_io_cfg0") || nameSub.Contains("lcd_gamma_tbl_1") || nameSub.Contains("lcd_gamma_tbl_255"))
aValue = ToHex(readInt(offsetSub)).ToString().TrimEnd('\0') ;
if (aValue.Equals("0x0"))
aValue = "0";
// [usb_feature]
else if (nameSub.Contains("vendor_id") || nameSub.Contains("mass_storage_id") || nameSub.Contains("adb_id"))
aValue = ToHex(readInt(offsetSub)).ToString().TrimEnd('\0') ;
// other values
aValue = readInt(offsetSub).ToString().TrimEnd('\0');