/ by Fortify Labs

Komatsu Satellite Telematics Module - Firmware Strings Analysis

← Back to Teardown Post

A strings analysis of the firmware extracted from the ORBCOMM KX-G7101 provides significant clues about the device’s functionality.
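To make the method concrete, here is an added example (not code from the Fortify Labs post) of the extraction step itself: a minimal `strings`-style scanner that reports offsets and groups hits that sit close together in the image, which is what makes a "block of interesting hits" stand out during review. The firmware bytes below are a constructed stand-in that embeds a few of the literal strings quoted on this page; the real KX-G7101 dump is not reproduced here. With GNU binutils the equivalent listing is `strings -t x -n 6 firmware.bin`.

```python
import re

# Constructed stand-in for a firmware image (NOT the real KX-G7101 dump):
# filler bytes with a few of this page's literal strings laid out the way a
# linker places one module's string table, close together.
FIRMWARE = (
    b"\x00\x12\xff\x7e\x03\x00"
    b"Illegal 1st Loader Sum.\x00\x00\x00"
    b"XMODEM Protocol Starts. Start Sending 2nd Loader Software within 10sec.\x00"
    + b"\xa5" * 4096 +
    b"X2C1F-002\x00"
    b"1999/08/24 - 20:58:18\x00"
    + b"\x17" * 2048 +
    b"KXA01=%u,%+d,%u,%u,%u,%u\x00"
    b"KXB01=%u,%+d,%u,%u,%u,%u,%u\x00"
    b"KXIB : OK\x00"
    b"ab\x00"                        # too short to be reported
)


def extract_strings(blob, min_len=4):
    """Return (offset, text) for every run of at least min_len printable ASCII bytes."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in run.finditer(blob)]


def cluster_by_offset(hits, gap=64):
    """Group hits separated by at most `gap` bytes of non-string data.
    Adjacent literals usually come from the same compilation unit, so one
    cluster is a cheap proxy for 'the messages of one feature'."""
    clusters = []
    prev_end = None
    for off, text in hits:
        if prev_end is not None and off - prev_end <= gap:
            clusters[-1].append((off, text))
        else:
            clusters.append([(off, text)])
        prev_end = off + len(text)
    return clusters


KX_FORMAT = re.compile(r"^KX[A-Z]\d{2}=")


def kx_format_strings(hits):
    """Pick out the printf-style KX message formats from the hits."""
    return [text for _, text in hits if KX_FORMAT.match(text)]


if __name__ == "__main__":
    hits = extract_strings(FIRMWARE, min_len=6)
    for n, cluster in enumerate(cluster_by_offset(hits), 1):
        print(f"cluster {n} @ 0x{cluster[0][0]:06x}")
        for off, text in cluster:
            print(f"  0x{off:06x}  {text}")
    print("KX formats:", kx_format_strings(hits))
```

The offset is the part worth keeping: it lets you jump from a suggestive string to the code that references it in the disassembler, and the gap between clusters is a hint that two groups of messages belong to different subsystems.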

  • Right away we saw a block of interesting hits. From the following strings we can surmise that the firmware contains a built-in recovery and update mechanism: a field technician connects a laptop over a serial cable and loads a new "2nd Loader" image using XMODEM, a simple serial file transfer protocol. The error strings show the loader checking a header checksum, a code/data type, an address, a length and a whole-image checksum before accepting the upload.

  • Under normal operation this update system likely sits dormant, only activating under specific conditions such as a hardware configuration change or detection of a corrupt firmware image. The presence of a JP1 jumper reference elsewhere in the firmware suggests some form of hardware-selectable configuration exists on the board, though its precise function would require further investigation to confirm.

Illegal 1st Loader Sum.
Illegal 2nd Loader Header Sum.
Bad 2nd Loader Code.
Bad 2nd Loader Datatype.
Illegal 2nd Loader Address.
Illegal 2nd Loader Sum.
Illegal 2nd Loader Length.
Transmission was canceled by User.
*** 2nd Loader Software Installation Mode ***      Enter Command.
XMODEM Protocol Starts. Start Sending 2nd Loader Software within 10sec.
Installation of 2nd Loader Software was Completed.
Installation of 2nd Loader Software was not Completed.
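As an added example (not the loader's own code, which we do not have), the following simulates the XMODEM exchange such a loader would run. It assumes the original 128-byte, 8-bit-checksum variant; the strings above do not say whether checksum or CRC-16 mode is used, and the "firmware" payload is constructed.

```python
SOH, EOT, ACK, NAK, SUB = 0x01, 0x04, 0x06, 0x15, 0x1A
BLOCK = 128                       # classic XMODEM payload size
FRAME_LEN = BLOCK + 4             # SOH, blk, 255-blk, data, checksum


def build_frames(payload):
    """Sender side: split payload into SOH | blk | 255-blk | data | checksum."""
    frames = []
    for i in range(0, len(payload), BLOCK):
        blk = (i // BLOCK + 1) & 0xFF                            # numbering starts at 1, wraps at 256
        data = payload[i:i + BLOCK].ljust(BLOCK, bytes([SUB]))  # SUB-pad the last block
        frames.append(bytes([SOH, blk, 0xFF - blk]) + data + bytes([sum(data) & 0xFF]))
    return frames


def check_frame(frame, expected_blk):
    """Receiver side: return ('ok' | 'dup' | 'bad', data) for one frame."""
    if len(frame) != FRAME_LEN or frame[0] != SOH or frame[1] != 0xFF - frame[2]:
        return "bad", b""                       # framing or block-number complement wrong
    data = frame[3:-1]
    if sum(data) & 0xFF != frame[-1]:
        return "bad", b""                       # checksum mismatch: line noise or tampering
    if frame[1] == (expected_blk - 1) & 0xFF:
        return "dup", data                      # our ACK was lost; sender repeated the block
    if frame[1] != expected_blk & 0xFF:
        return "bad", b""                       # out of sequence
    return "ok", data


def run_transfer(payload, corrupt_block=None):
    """Simulate both ends. Returns (received_bytes, receiver_replies).
    If corrupt_block is given, that block's first data byte is flipped on its
    first attempt to show the NAK / resend path."""
    frames = build_frames(payload)
    replies = [NAK]                             # receiver starts a checksum-mode transfer
    received, expected, idx, noise_done = bytearray(), 1, 0, False
    while idx < len(frames):
        frame = frames[idx]
        if corrupt_block == idx + 1 and not noise_done:
            frame = frame[:3] + bytes([frame[3] ^ 0xFF]) + frame[4:]  # simulated line noise
            noise_done = True
        status, data = check_frame(frame, expected)
        if status == "bad":
            replies.append(NAK)                 # sender retransmits the same block
            continue
        replies.append(ACK)
        if status == "ok":
            received += data
            expected += 1
        idx += 1
    replies.append(ACK)                         # sender's EOT is acknowledged
    # XMODEM carries no length, so trailing SUB padding is ambiguous; a real
    # loader would rely on a length field in its own header instead.
    return bytes(received).rstrip(bytes([SUB])), replies


if __name__ == "__main__":
    image = bytes(range(256)) * 2 + b"end of image"   # constructed payload
    data, log = run_transfer(image, corrupt_block=2)
    print(data == image, [hex(b) for b in log])
```

The receiver's checks are framing and arithmetic only: a block that fails them is NAKed and resent, but any host on the serial port can build frames that pass, since the checksum carries no secret. The loader's own "Sum", "Header Sum" and "Length" checks above are of the same kind, integrity against corruption rather than proof of origin; nothing in the strings points to a signature check, though the absence of a string is not proof that no such check exists.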
  • Next we see strings that appear to be a firmware version, X2C1F-002, and a build timestamp, 1999/08/24 - 20:58:18. This is consistent with the date code 9914 printed on the Fujitsu flash chip (14th week of 1999, early April 1999): the chip predates the build by about four months.
X2C1F-002
1999/08/24 - 20:58:18
  • Next we see identifiers that appear related to the communication of information, some of which can be seen below:

# GPS position reporting, confirming integrated GPS functionality
@GPS_MSG, @POS_MSG, @POS_RPT 

# Battery status monitoring
@BATT_MSG 

# Self diagnostics reporting
@SELF_DIAG
  • These strings point to three interfaces the module coordinates in normal operation: a GPS receiver for position and timing, the host machine (the DTE) for telemetry data, and the ORBCOMM satellite network for transmission, plus a serial operator interface for diagnostics and control.

# UTC synchronization was critical for ORBCOMM's satellite network
NO UTC PULSE 

# GPS has not yet acquired a fix, or the GPS receiver isn't responding.
NO POSITION DATA 

# DTE stands for Data Terminal Equipment, which is the RS-232 term for the connected host device. This suggests the module sits between the machine and the satellite network, polling the host for data to transmit.
NO DATA FROM DTE 

# Suggests support for an interactive operator interface
Now transferring. Do you want to abort the current communication? <y/n>

# Suggests possible commands are available to dump memory or buffer information
Dump Start / Dump End 
  • The following strings represent possible internal message type identifiers of the ORBCOMM protocol implementation, potentially describing stages of satellite communication. The expansion given for each is our reading of the mnemonic, not a documented name.

# Request Immediate (priority transmission request)
RQIMT

# Status Enquiry
STENQ

# Burst Transmission Mode
BURST

# Uplink Report
ULRPT

# Store Ready (buffer ready to transmit)
STRRDY

# Store/Stack Acknowledgement
STACK

# State Machine Enquiry
STMENQ

# Inbound Message
IBMSG

# Inbound Datagram
IBDGRM

# Outbound Message Acknowledgement
OBMACK

# Condition Report
CNDRPT

# Position Report
POSRPT

# Inbound Assignment
IBASGN

# Inbound Message Acknowledgement
IBMACK

# Inbound Datagram Acknowledgement
IBDACK

# Inbound Clear
IBCLR

# System Level Message
SYSTEM

# User Acknowledgement
USRACK

# User Negative Acknowledgement
USRNAK

# Immediate Response Acknowledgement
IMRACK

# Outbound Assignment
OBASGN

# Outbound Message
OBMSG

# Outbound Datagram
OBDGRM

# Network Control Centre Enquiry
NCCENQ

# Polling (gateway polling the terminal)
POLLNG

# Report Acknowledgement
RPTACK

# Slot Assignment (TDMA time slot allocation)
SLTASN

# Uplink Information
ULINFO

# Downlink Information
DLINFO

# Network Control Centre Information
NCCINF

# Idle Segment
IDLSEG

# Ephemeris Data (satellite orbital positions for pass prediction)
EPHEM

# Position Determination
POSDET

# Satellite Plane (orbital plane tracking)
SPLANE

# Satellite Orbit
SORBIT

# Outbound Link
OBLINK

# Outbound Scan
OBSCAN

# Hybrid Mode (combined GPS and ORBCOMM operation)
HYBRID

  • The following strings reveal a numbered diagnostic status display, consistent with a user-accessible menu whose options show the state of communication parameters such as uplink and downlink channels, network synchronization, ephemeris validity and gateway assignment.

# Uplink Channel
1:UL CH

# Downlink Channel
2:DL CH

# Network Control Centre identifier/status
3:NCC

# Ephemeris data loaded/valid flag
4:EPHEM

# Synchronization status
5:SYNC

# Gateway status
6:GW

# Possible orbital plane status
7:PLANE

# Port (serial or communication port configuration)
8:PORT

# Unsure, possibly Slot Assignment / Service Area
9:SA


  • Strings suggesting the existence of a Service Mode, as well as a possible user-facing message reflecting a change to the RS-232C configuration (4800 bps, no parity, 1 stop bit, 8 data bits).

# RS-232C serial interface configuration
Change rs232c -> Baud rate:4800bps/Parity:None/Stop bit:1/Data LEN:8

# Service mode activation string
Service mode

  • The following strings reveal what appears to be a Komatsu message protocol layer, with message identifiers prefixed KX followed by a category letter (S, D, M, A or B) and a two-digit type number. Each identifier is followed by a printf-style format string defining its data fields, which tells us the messages are emitted as comma-separated ASCII text.

  • The buffer status strings KXIB : OK, KXOB : OK and KXCB : OK might indicate three buffers for inbound, outbound and possibly control message handling.

  • The format strings themselves use three conversions:

    • %u: unsigned integer field
    • %+d: signed integer with explicit sign
    • %s: string field

  • Note that the same identifier can appear with different field counts (KXS15, KXS73, KXS85, KXD01), and several identifiers (KXS23, KXS55, KXS57, KXS71, KXS86, KXM01) carry no payload at all, so anything consuming these messages cannot assume a fixed field count per identifier. The %s fields in KXS56 and KXS73 are the ones to trace when checking how the string buffers behind them are sized, which a strings listing by itself cannot show.
KXS54=%u,%+d,%u,
KXS63=%u,%+d,%u,%u,%u,%u,%u
KXS15=%u,%u
KXS15=%u
KXS23=
KXS30=%u,%u,%u,%u,
KXS35=%u,%u,%u,%u
KXS43=%u,%u,%u,%u
KXS54=%u,%+d,%u,
KXS55=
KXS56=%s,
KXS57=
KXS58=%u,%u
KXS63=%u,%+d,%u,%u,%u,%u,%u
KXS71=
KXS73=%u,
KXS73=%s
KXS85=%u,%u
KXS85=
KXS86=
KXD01=%u,%u,%u,%u
KXM01=
KXA01=%u,%+d,%u,%u,%u,%u
KXB01=%u,%+d,%u,%u,%u,%u,%u
KXA01=%u,%+d,%u,%u,%u,%u
KXB01=%u,%+d,%u,%u,%u,%u,%u
KXA02=%+d,%u,%u,%u,%u,%u
KXB02=%+d,%u,%u,%u,%u,%u,%u
KXA03=%u,%u
KXB03=%u,%u,%u
KXA04=%u,%u,
KXA05=%u,%u,%u
KXA05=%u,%u,%u
KXA06=%u
KXB06=%u
KXA00=0
KXA00=0
KXA01=%u,%+d,%u,%u,%u,%u
KXA02=%+d,%u,%u,%u,%u,%u
KXA03=%u,%u
KXA04=%u,%u,
KXA05=%u,%u,%u
KXB00=0
KXB00=0
KXB01=%u,%+d,%u,%u,%u,%u,%u
KXB02=%+d,%u,%u,%u,%u,%u,%u
KXB03=%u,%u,%u
KXIB : OK
KXOB : OK
KXCB : OK
KXD01=%u,%u,%u,%u
KXD01=%u,%u
KXD01=%u,%u
KXD01=%u,%u,%u
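The format strings above are enough to write a decoder for the lines the module would emit. The following is an added example, not the module's or Komatsu's code: the format list is copied from the firmware strings, while the sample lines and the treatment of one message per ASCII line are constructed assumptions. Each format becomes an anchored regular expression, every variant of an identifier is tried, and numeric fields are checked against the range a 32-bit printf could actually have produced.

```python
import re

# Format strings as found in the firmware (deduplicated). One identifier can
# appear with several field counts (KXS15, KXS73, KXS85, KXD01), so every
# variant is kept and tried against a line.
KX_FORMATS = [
    "KXS15=%u,%u", "KXS15=%u", "KXS23=", "KXS30=%u,%u,%u,%u,", "KXS35=%u,%u,%u,%u",
    "KXS43=%u,%u,%u,%u", "KXS54=%u,%+d,%u,", "KXS55=", "KXS56=%s,", "KXS57=",
    "KXS58=%u,%u", "KXS63=%u,%+d,%u,%u,%u,%u,%u", "KXS71=", "KXS73=%u,", "KXS73=%s",
    "KXS85=%u,%u", "KXS85=", "KXS86=", "KXM01=",
    "KXA00=0", "KXA01=%u,%+d,%u,%u,%u,%u", "KXA02=%+d,%u,%u,%u,%u,%u",
    "KXA03=%u,%u", "KXA04=%u,%u,", "KXA05=%u,%u,%u", "KXA06=%u",
    "KXB00=0", "KXB01=%u,%+d,%u,%u,%u,%u,%u", "KXB02=%+d,%u,%u,%u,%u,%u,%u",
    "KXB03=%u,%u,%u", "KXB06=%u",
    "KXD01=%u,%u,%u,%u", "KXD01=%u,%u", "KXD01=%u,%u,%u",
]

# What each conversion can have produced on the wire, as one capture group.
CONV = {"%u": r"(\d+)", "%+d": r"([+-]\d+)", "%s": r"(.*?)"}


def format_to_regex(fmt):
    """Turn 'KXA03=%u,%u' into an anchored regex with one group per field."""
    rx, i = "^", 0
    while i < len(fmt):
        for spec, group in CONV.items():
            if fmt.startswith(spec, i):
                rx += group
                i += len(spec)
                break
        else:
            rx += re.escape(fmt[i])
            i += 1
    return re.compile(rx + "$")


def conversions(fmt):
    """List the conversions of a format in order, e.g. ['%u', '%+d']."""
    return re.findall(r"%\+d|%[us]", fmt)


# Numeric-only variants are tried before %s ones, so 'KXS73=12,' is read as
# the %u form rather than as a string that happens to look numeric.
TABLE = sorted(
    ((fmt, format_to_regex(fmt), conversions(fmt)) for fmt in KX_FORMATS),
    key=lambda t: "%s" in t[2],
)


def parse_kx(line):
    """Return (msg_id, format, [typed fields]) or None when no format fits.
    Numeric fields are range-checked against what a 32-bit printf could emit,
    so a hostile line with an oversized number is rejected, not truncated."""
    line = line.rstrip("\r\n")
    for fmt, rx, convs in TABLE:
        m = rx.match(line)
        if not m:
            continue
        values = []
        for text, conv in zip(m.groups(), convs):
            if conv == "%s":
                values.append(text)
                continue
            n = int(text)
            lo, hi = (0, 0xFFFFFFFF) if conv == "%u" else (-0x80000000, 0x7FFFFFFF)
            if not lo <= n <= hi:
                return None
            values.append(n)
        return fmt.split("=")[0], fmt, values
    return None


# Constructed sample lines, not captured from a device.
SAMPLE_LINES = [
    "KXA01=3,-12,40,1200,85,0",   # six fields, the second one signed
    "KXD01=1,2,3",                # the three-field KXD01 variant
    "KXS56=ABC-123,",             # string field with trailing comma
    "KXS73=12,",                  # %u variant preferred over %s
    "KXS23=",                     # marker with no payload
    "KXA01=3,-12,40",             # wrong field count for KXA01 -> None
    "KXA03=1,99999999999",        # value no 32-bit %u could have produced -> None
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(f"{raw!r:32} -> {parse_kx(raw)}")
```

Deriving the regex from the format string rather than hand-writing it keeps the decoder honest: if the firmware's format says a trailing comma or a mandatory sign, the decoder demands it too, and a line that fits no variant is reported as unknown instead of being guessed at.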
  • These appear to be machine telemetry data fields collected from the Komatsu machine, possibly the values that get packed into the KX messages above and transmitted via satellite. This is consistent with what Komatsu's Komtrax remote monitoring system is reported to monitor.

# Possible operating mode of the machine
WORK_MODE

# Machine caution/warning flag 1
CAUTION1

# Machine caution/warning flag 2
CAUTION2

# Battery voltage
BTT_VOLT

# Engine water temperature (coolant temperature)
ENG_W_TMP

# Engine RPM
ENG_REV

# Possible pump pressure
PMP_PRES

# Error flag
ERR_FLG

# System error
SYS_ERR

  • The following strings are consistent with a debug menu: what you would see on a serial terminal with debug mode active, a structured diagnostic display with multiple log views selectable by keypress (the character in square brackets in each banner).

# [GENERAL] - Top level status: connection state, acquisition state, satellite visibility
--------------- [ ] GENERAL -------------------

# [1] SAT_LOG_1 - Satellite tracking log page 1, GPS PRN numbers 8-19
--------------- [1] SAT_LOG_1 -----------------

# [2] SAT_LOG_2 - Satellite tracking log page 2, GPS PRN numbers 20-7
--------------- [2] SAT_LOG_2 -----------------

# [3] NCC_LOG - Network Control Centre communication log
--------------- [3] NCC_LOG -------------------

# [4] NCC_RX - Raw inbound NCC traffic
--------------- [4] NCC_RX --------------------

# [5] NCC_TX - Raw outbound NCC traffic
--------------- [5] NCC_TX --------------------

# [6] SYS,GN_DATA - System and general data
--------------- [6] SYS,GN_DATA ---------------

# [7] SVC,MAP,_SLP - Service, map and sleep mode data
--------------- [7] SVC, MAP,_SLP -------------

# [8] ER,SPC_DATA - Error and special data
--------------- [8] ER,SPC_DATA ---------------

# [9] GPS_DATA - Raw GPS receiver output
--------------- [9] GPS_DATA ------------------
GPS =

# [&] SYSTEM - System internals: state machine counters and flags
--------------- [&] SYSTEM --------------------
sy/in[
], sd/ib[
], io/vat/ins[
], er/lck[
], itm[

# ['] AI_u,sa,sb,@,_byte - Other internal diagnostic information
--------------- ['] AI_u,sa,sb, @,_byte -------
, ib2=
, ib3=
, ib4=
, ib5=
, sum=

# [(] GENERAL_LOG - General event log
--------------- [(] GENERAL_LOG ---------------

# [)] GPS_LOG,_CHS,DIS - Possible GPS movement log: cumulative distance, geofence area, position history
--------------- [)] GPS_LOG,_CHS, DIS ---------
move=[
]m chase=[
]m area=[
]m prv/now=[
] wait/cnt=[

# [!] OB_DATA - Possible Outbound message data inspection
--------------- [!] OB_DATA -------------------

# [''] IB_DATA - Possible Inbound message data inspection
--------------- [''] IB_DATA ------------------

# [#] VARIABLE DATA - Possible memory inspection by address and byte (basic memory viewer)
--------------- [#] VARIABLE DATA -------------
address =
  byte =

# [%] ERR_QUAN,_DATA - Possible error related information
--------------- [%] ERR_QUAN,_DATA ------------
  Some Rx_dt Timer_6 Restart.
  Time Over Tm_6 Restart.
  Rx_data num < 30,

  • These appear to be the boot/initialisation strings, what might get printed to the serial terminal when the device powers up.

# Entry point of the main loop (O_MAIN, possibly ORBCOMM Main)
--- O_MAIN() START ---

# Clearing user RAM message
    USER_RAM CLEAR

# User memory clear message
*** USER_MEM CLEAR ***

# Version string, possibly: ORBCOMM protocol version, header version, communications version
    Ver orb[
]  hed[
]  com[

# KXS data structure initialisation error flag
*** KXS ERROR! FLG =

# Day of week display strings
 (SUN)
 (MON)
 (TUE)
 (WED)
 (THU)
 (FRI)
 (SAT)

# Error status messages
    ERR!! status =
    ERR!! qual =

Conclusion

The strings analysis alone reveals that this device likely provides satellite communication and collects machine telemetry from Komatsu machinery. It appears to transmit this data via the ORBCOMM network, with integrated GPS, a serial diagnostic interface, and a field-serviceable firmware update mechanism. Strings can only show what the firmware is able to say, not how it behaves; confirming the JP1 jumper's function, the checks the loader performs on an uploaded image and the full serial command set would need the disassembly.