Channel: Linux Device Hacking

[libst2205] HighBox Apache 2.4" hack problems

Hi,
I'm trying to hack a new DPF. It's a HighBox Apache 2.4".
It looks like the Perl one, but it is a different one.

Hardware detection
user@ubuntu:~/st2205u/libst2205$ dmesg
(...)
[3261252.416745] usb 2-1.2: new full-speed USB device number 45 using ehci-pci
[3261252.510865] usb 2-1.2: New USB device found, idVendor=1403, idProduct=0001
[3261252.510869] usb 2-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[3261252.510872] usb 2-1.2: Product: Flash Disk      
[3261252.510874] usb 2-1.2: Manufacturer: USB     
[3261252.511246] scsi6 : usb-storage 2-1.2:1.0
[3261253.510902] scsi 6:0:0:0: Direct-Access     SITRONIX MULTIMEDIA       0.09 PQ: 0 ANSI: 0 CCS
[3261253.511452] sd 6:0:0:0: Attached scsi generic sg2 type 0
[3261253.514525] sd 6:0:0:0: [sdb] 4096 512-byte logical blocks: (2.09 MB/2.00 MiB)
[3261253.515781] sd 6:0:0:0: [sdb] Write Protect is off
[3261253.515785] sd 6:0:0:0: [sdb] Mode Sense: 0b 00 00 08
[3261253.516764] sd 6:0:0:0: [sdb] No Caching mode page found
[3261253.516767] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[3261253.519760] sd 6:0:0:0: [sdb] No Caching mode page found
[3261253.519763] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[3261253.540772]  sdb: unknown partition table
[3261253.545806] sd 6:0:0:0: [sdb] No Caching mode page found
[3261253.545810] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[3261253.545813] sd 6:0:0:0: [sdb] Attached SCSI removable disk

user@ubuntu:~/st2205u/libst2205$ lsusb
(...)
Bus 002 Device 004: ID 1403:0001 Sitronix Digital Photo Frame

Software detection
I'm using the latest version of libst2205, from GitHub.
I had to modify main.c, inspired by the Picframe Wiki, to bypass the "cmd 1" error.
user@ubuntu:~/st2205u/libst2205$ ./phack -m "baks r ok" /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
Message written.

I think I have a problem with bpp calculation...
Maybe I'll check this later.
//get image size
sendcmd(f,CMD_GET_PIC_INFO,0,0,0);
read_data(f,buff,0x200);
int xsize = (buff[0]<<8)+buff[1];   // big-endian 16-bit width
int ysize = (buff[2]<<8)+buff[3];   // big-endian 16-bit height
int bpp = buff[4]+0x80;             // the 272 printed above means buff[4] was 0x90 (144)
printf("Xres: %i, Yres%i, bpp: %i\n",xsize,ysize,bpp);

Curiously, phack reports 1.5Mb of memory, but dmesg indicates 2Mb.
//get memory size
buff=malloc_aligned(0x10000);
sendcmd(f,1,0,0,0);                    // cmd 1: the device answers with its size in buff[0]
read_data(f,buff,0x200);
flash_size=(buff[0]*128*1024)/512;     // buff[0] x 128 KiB, converted to 512-byte sectors
printf("Found device with %i kb memory\n",flash_size);   // label says kb, value is a sector count

Extracting Firmware
I have tried to extract the firmware as a 1.5Mb device, replacing
for (x=((2048-64)/32); x<(2048/32); x++)   // hard-coded: only the last 2 of 64 iterations, top of a 2048-unit flash
with
flash_size=(buff[0]*128*1024)/512;         // use the size reported by cmd 1 instead
for (x=((flash_size-64)/32); x<(flash_size/32); x++)

I got nothing (the extracted firmware contains only 0xFF).
So I reverted this change, considering that my device really has 2Mb.
Now I can extract the firmware correctly.
user@ubuntu:~/st2205u/libst2205$ ./phack -d memimage.bin /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
..............................................................
Memory dumped.

user@ubuntu:~/st2205u/libst2205$ ./phack -df fwimage.bin /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
..
Firmware dumped.

Hacking Firmware
user@ubuntu:~/st2205u/libst2205$ perl ./generate-hack.pl /dev/sdb hack/m_apache

The script ends with
(...)
Warning! multiple matches (2) - will use the first one after SEND_CSW location

Guessing CTRTYPE...
Eeek! expected single match but found 0 - dont know what to do!

So I'm using the generate-hack.pl source code and newhack.txt to hack it manually.
I found everything except CTRTYPE.

I have created this spec file, using the first SEND_CSW found and leaving CTRTYPE at 0.
I will change it to 1 later if needed.
;Spec-file for Apache.
;Please keep the way the adresses are entered ($ to indicate a hex number,
;adresses in 4 digits) intact or the hackfw.sh script won't work anymore.
;Adresses here refer to file-adresses; in runtime these are loaded $4000
;bytes higher but that's accounted for in the hack-code itself.

CMP_VAR1=$037A
CMP_VAR2=$037B
PATCH_AT=$2D93
EMPTY_AT=$2F38
SEND_CSW=$2C5B
LEN0=$36C
LEN1=$36D
LEN2=$36E
LEN3=$36F
CONF_XRES=320
CONF_YRES=240
CONF_BPP=24
CONF_PROTO=0

CTRTYPE=0 ;PCF8833
OFFX=4
OFFY=4

Flashing hacked Firmware
Finally, I'm trying to flash this new firmware.
Everything works correctly (no error), but the firmware seems not to be flashed:
setpic ends with
Unable to get parm_block
Open failed!

I dumped the firmware and the entire memory again
user@ubuntu:~/st2205u/libst2205$ ./phack -d memimage_new.bin /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
..............................................................
Memory dumped.

user@ubuntu:~/st2205u/libst2205$ ./phack -df fwimage_new.bin /dev/sdb
Expected response 8 on cmd 1, got 0x6!
Found device with 1536 kb memory
Xres: 320, Yres240, bpp: 272
ver: 261 (320)
..
Firmware dumped.

The new firmware and the original one are identical.
It suggests that flashing doesn't work.

But searching for the "H4CK" sequence in memimage_new.bin gives me 2 locations.

For now, I'm stuck here... I don't know what to do...
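The post leaves three questions open: what the cmd-1 size byte actually encodes, whether the two dumps really are byte-identical, and where the "H4CK" markers sit relative to the spec-file addresses. The script below is an added example for checking those things offline; it is not code from the post, from libst2205 or from phack. It re-implements phack's size arithmetic as pasted above, parses the spec-file format shown in the post (`$` for hex, `;` for comments, file addresses loaded 0x4000 bytes higher at runtime), and diffs two dumps. The function names, the `report()` summary and the sample image are my own; the sample image is constructed, not read from a real frame.

```python
"""Offline sanity checks for an st2205u/phack firmware-hacking session.

Added example, not part of the original post nor of libst2205/phack.
Works on the dump files phack writes (-d / -df) and on the spec file
shown above. The sample image below is constructed, not a real dump.
"""
import sys
from typing import Dict, List, Tuple

RUNTIME_LOAD_OFFSET = 0x4000   # from the spec-file header: file address + $4000 at runtime
HACK_MARKER = b"H4CK"

# Subset of the spec file from the post, used as sample parser input.
SPEC_TEXT = """\
;Spec-file for Apache.
CMP_VAR1=$037A
PATCH_AT=$2D93
EMPTY_AT=$2F38
SEND_CSW=$2C5B
CONF_XRES=320
CONF_BPP=24

CTRTYPE=0 ;PCF8833
OFFX=4
"""


def parse_spec(text: str) -> Dict[str, int]:
    """Parse KEY=$HEX / KEY=DECIMAL lines; ';' starts a comment, blank lines are skipped."""
    spec: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"malformed spec line: {raw!r}")
        spec[key] = int(value[1:], 16) if value.startswith("$") else int(value, 10)
    return spec


def file_to_runtime(addr: int) -> int:
    """Translate a spec-file (file) address to where it sits once loaded."""
    return addr + RUNTIME_LOAD_OFFSET


def flash_geometry(size_byte: int) -> Tuple[int, int]:
    """Mirror phack's `flash_size=(buff[0]*128*1024)/512`: returns (512-byte sectors, KiB).

    The number phack prints with a "kb" label is the sector count.
    """
    nbytes = size_byte * 128 * 1024
    return nbytes // 512, nbytes // 1024


def find_markers(image: bytes, marker: bytes = HACK_MARKER) -> List[int]:
    """All offsets at which marker occurs in a dump."""
    hits: List[int] = []
    start = 0
    while (i := image.find(marker, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def is_blank(region: bytes) -> bool:
    """True when a region reads as erased flash (all 0xFF)."""
    return len(region) > 0 and all(b == 0xFF for b in region)


def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte between two dumps, -1 if identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return -1 if len(a) == len(b) else n


def build_sample_image() -> bytes:
    """Constructed stand-in for memimage_new.bin: erased flash with two H4CK markers."""
    img = bytearray(b"\xff" * 0x3000)
    for off in (0x100, 0x1F00):
        img[off:off + len(HACK_MARKER)] = HACK_MARKER
    return bytes(img)


def report(old: bytes, new: bytes, spec: Dict[str, int]) -> Dict[str, object]:
    """Summarise what a before/after dump pair says about whether the flash took."""
    return {
        "first_diff": first_difference(old, new),
        "markers_old": find_markers(old),
        "markers_new": find_markers(new),
        "patch_at_runtime": hex(file_to_runtime(spec["PATCH_AT"])),
        "patch_region_blank": is_blank(new[spec["PATCH_AT"]:spec["EMPTY_AT"]]),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:   # real dumps: python3 check.py fwimage.bin fwimage_new.bin
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            old, new = f.read(), g.read()
    else:                    # no files given: run on the constructed sample
        old, new = b"\xff" * 0x3000, build_sample_image()
    print(report(old, new, parse_spec(SPEC_TEXT)))
    print("cmd-1 byte 6 ->", flash_geometry(6), "| 16 ->", flash_geometry(16))
```

Run it against `fwimage.bin` and `fwimage_new.bin` (or the two memimage files) to get the first differing offset instead of a bare "identical"; a `-1` for the firmware dumps together with markers only in the memory image points at the hack landing outside the region `phack -df` reads. The `flash_geometry` line reproduces the arithmetic from the pasted snippet: a cmd-1 byte of 6 yields 1536 sectors (768 KiB), while the 4096 blocks dmesg reports correspond to a byte of 16.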
