Updater EXEs are packed (RWX sections, near-random entropy) with anti-debug
protection (IsDebuggerPresent/SoftICE check). Bypassed by running under plain
Wine and reading /proc/PID/mem with elevated privileges.
SW1 v2.13.x updater contains 3 firmware variants (likely .1/.2/.3):
- All use LJMP 0x170D entry, 9322-9377 bytes, 10 C2 records each
- FW2 vs FW3 differ by 1525 bytes (most similar pair)
Rev.2 v2.10.4 updater contains 1 firmware image:
- PID=0x0202 (vs SW1's 0x0203), LJMP 0x155F, 8843 bytes, 9 C2 records
All images use standard Cypress C2 EEPROM format with entry at 0xE600 (CPUCS).
Previous RAM dumps via 0xA0 vendor request turned out to be live FIFO
data, not firmware - the Genpix FX2 firmware overrides the standard
0xA0 handler. Discovered that I2C_READ (0x84) with wValue=0x51 and
wIndex=offset reads the boot EEPROM directly.
EEPROM contents (Cypress C2 format):
- VID:PID 09C0:0203, config 0x40 (400kHz I2C)
- 9,472 bytes of 8051 firmware in 10 load records
- Code range 0x0000-0x24FF, entry at LJMP 0x188D
- Ghidra auto-analysis finds 61 functions
Tools: eeprom_dump.py (full dump), eeprom_probe.py (I2C protocol discovery)
Dumped 8KB internal RAM and 64KB external RAM from SkyWalker-1
serial #00857 via Cypress FX2 vendor request 0xA0. Device reports
FW v2.06.4 (build 2007-07-13). Tool also scans all vendor USB
commands and probes device status registers.
Includes original BDA driver source (headers, C++ implementation, INF
installer files), DiSEqC implementation PDF with extracted markdown
and SVG vector graphics.
