warehack.ing/skywalker-1
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6 Commits 1 Branch 0 Tags
Commit Graph

6 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ryan Malloy
ec4bdb8493 Add Rev.2 v2.10.4 64K Ghidra image for 8051 analysis 
Parsed C2 EEPROM format (9 records, 8843 bytes) into flat 64K image.
Ghidra analysis found 107 functions - most of any firmware version.
Entry point: LJMP 0x155F, SP=0x4F, 27 vendor commands (0x80-0x9A).
INT0 ISR uses inline optimization spanning 5 unused vector slots.
 2026-02-11 10:27:05 -07:00
Ryan Malloy
2e00a054e8 Add comparative firmware analysis reports from Ghidra 8051 reverse engineering 
Two detailed reports from analyzing all firmware variants loaded into Ghidra:

1. v2.06 vs v2.13 FW1 comparative analysis:
   - Complete vendor command dispatch table mapping (0x80-0x9D)
   - 3 new commands in v2.13: GET_DEMOD_STATUS (0x99), INIT_DEMOD (0x9A), DELAY_COMMAND (0x9C)
   - DiSEqC architecture change: GPIO bit-bang -> I2C controller
   - INT0 repurposed from USB re-enumeration to demodulator polling
   - Hardware revision detection via descriptor byte

2. v2.13 sub-variant comparison (FW1/FW2/FW3):
   - FW1: I2C-connected demodulator (original SkyWalker-1 hardware)
   - FW2: Parallel-bus demodulator via P0/P1 GPIO
   - FW3: Enhanced parallel-bus with dual-phase read and OR accumulation
   - All three support identical modulation types, differ only in hardware interface
 2026-02-11 06:44:26 -07:00
Ryan Malloy
4447d2c0e7 Extract firmware from official Genpix updater EXEs via Wine memory dump 
Updater EXEs are packed (RWX sections, near-random entropy) with anti-debug
protection (IsDebuggerPresent/SoftICE check). Bypassed by running under plain
Wine and reading /proc/PID/mem with elevated privileges.

SW1 v2.13.x updater contains 3 firmware variants (likely .1/.2/.3):
  - All use LJMP 0x170D entry, 9322-9377 bytes, 10 C2 records each
  - FW2 vs FW3 differ by 1525 bytes (most similar pair)

Rev.2 v2.10.4 updater contains 1 firmware image:
  - PID=0x0202 (vs SW1's 0x0203), LJMP 0x155F, 8843 bytes, 9 C2 records

All images use standard Cypress C2 EEPROM format with entry at 0xE600 (CPUCS).
 2026-02-11 06:05:13 -07:00
Ryan Malloy
ba37105e2a Extract real FX2 firmware from I2C EEPROM 
Previous RAM dumps via 0xA0 vendor request turned out to be live FIFO
data, not firmware - the Genpix FX2 firmware overrides the standard
0xA0 handler. Discovered that I2C_READ (0x84) with wValue=0x51 and
wIndex=offset reads the boot EEPROM directly.

EEPROM contents (Cypress C2 format):
- VID:PID 09C0:0203, config 0x40 (400kHz I2C)
- 9,472 bytes of 8051 firmware in 10 load records
- Code range 0x0000-0x24FF, entry at LJMP 0x188D
- Ghidra auto-analysis finds 61 functions

Tools: eeprom_dump.py (full dump), eeprom_probe.py (I2C protocol discovery)
 2026-02-11 05:08:20 -07:00
Ryan Malloy
757da08987 Add FX2 firmware dumps and USB probe tool 
Dumped 8KB internal RAM and 64KB external RAM from SkyWalker-1
serial #00857 via Cypress FX2 vendor request 0xA0. Device reports
FW v2.06.4 (build 2007-07-13). Tool also scans all vendor USB
commands and probes device status registers.
 2026-02-11 04:51:34 -07:00
Ryan Malloy
f1674c21a3 Initial commit: Genpix SkyWalker-1 DVB-S driver source and DiSEqC docs 
Includes original BDA driver source (headers, C++ implementation, INF
installer files), DiSEqC implementation PDF with extracted markdown
and SVG vector graphics.
 2026-02-11 04:22:13 -07:00