@0xdevalias
Last active June 26, 2022 03:04
Saitek/MadCatz Profile Editor/Firmware/Etc Information (C:\Program Files\SmartTechnology\Software) See also: http://strike7.proboards.com/thread/155/hacking-info-firmware-usb-chips
# Researched By: Glenn 'devalias' Grant (http://devalias.net)
# License: The MIT License (MIT) - Copyright (c) 2013 Glenn 'devalias' Grant (see http://choosealicense.com/licenses/mit/ for full license text)
See http://strike7.proboards.com/thread/155/hacking-info-firmware-usb-chips for more information/discussion.
**I don't expect anything, but if you would like to donate/tip via BTC (bitcoin): 14ab53HryRsD1VLRtmperwKDtQrQPbVA4B**
.NET Reflector
7dd18c88_ccc8_4fe7_ae24_17fcb414aa53.dll
Strike7
Launcher
Event_ApplyButton_Click(Object, RoutedEventArgs) : Void
Event_fileTransfer_Connected(Object, EventArgs) : Void
Event_fileTransfer_Disconnected(Object, EventArgs) : Void
Event_fileTransfer_Rejected(Object, EventArgs) : Void
LoadProgramming() : Void
SaveProgramming() : Void
SetupFileTransferSystem() : Void
Thread_SendFile() : Void
FileTransferTo : String (private const string FileTransferTo = "/mnt/data/programlaunch.xml";)
MadCommLib.dll
MadCommLib
Mcp
CopyFile(String, String) : Void
GetFile(String, String) : Void
SendFile(String, String) : Void
IsConnected : Boolean
McpBase
MCPFileDescription
MCPPacket
McpReceiver
McpSender
MaxPacketLength : Int32
private const int MaxPacketLength = 0x1000;
McpStream
send(Stream, UInt16) : Void
send(Stream, String, UInt16) : Void
sendStream(UInt16, Stream, UInt16) : Void
setup(String, UInt32, UInt16) : UInt16
06416ece_7ce2_4176_b4fc_01ebd7e7b58a.dll P880_P2500_P3000
12ecdcf4_82ac_4c37_9262_bcdd948ba1e4.dll PP22_Pad
19e5398a_a82a_4b7b_90fd_c08f190b5037.dll RudderPedals
1f732691_3bc6_41ec_a977_c5bf0b03a3dc.dll X52Pro
23e2a81c_5f45_4f0e_bb62_350688d7f883.dll CyborgRAT_5Button
24e74f72_099d_43a2_91ba_8b19e146c678.dll CyborgX
25a4f72c_5a88_4168_809a_55bf002dc6b1.dll X65
2b9d5817_37df_47e1_a1f9_3186682b4263.dll Throttle Quadrant
35695d7f_dae2_42ac_b38b_78ec2e576581.dll GamersKeyboard
3ac4311b_05b6_43c2_8622_c2eb1168ad21.dll GM2400
3f5b4777_c340_4271_be78_4f067ce8fe12.dll P2600
4220f4fc_220c_48a8_a04a_46c6b4f8450c.dll CyborgRumblePas
4966f44d_59df_4a61_8fd0_7ac23cff1c88.dll Cyborg_V3_Pad
49A934CF_79AF_4AD0_8971_84735CEC20E1.dll eclipse litetouch Keyboard
4a484820_55c2_40ac_96c2_fa361656b233.dll CyborgRAT_15Button
4ae960ae_0df5_4cf5_8d9a_f90a660afa73.dll Strike 5 Keyboard
52adf75b_8888_4006_9fd2_196fe465e1b1.dll CyborgMouse
5c6c51f1_9884_4166_b06e_5bb174f169ae.dll CyborgKeyboard
62c03415_a024_4eb2_b66f_67c9f82962fe.dll ST290Pro
6a1ca17e_fb49_4b02_aaad_0ba6619568ef.dll P990_P2900
771bc0c8_ed85_46e1_9413_8aaabaa85d3e.dll ThrottlePitchMixture
7b2c9a90_0140_45d5_a956_50e3f28383df.dll ProFlightYokeSystem
7dd18c88_ccc8_4fe7_ae24_17fcb414aa53.dll Cyborg Strike 7 Keyboard
7fb9c64e_c015_4c88_9126_6abf82beee9c.dll AV8R
975f632f_f9c5_4e3f_ad2c_f13a97f85393.dll OfficeLaserMouse_M100V
a7b46733_fbf3_466a_b4e1_9575558097eb.dll ProFlightCessnaYoke
c080cd49_e613_47d4_899c_87375b5aefe8.dll CyborgEvo
c265e53d_8e01_4623_82df_a6f16047a580.dll BIP
c2c49663_a49d_4ca3_a208_7bae2166e4e2.dll ST290
c9e4beb7_9967_4ce8_8fbc_02ca04f453d8.dll CyborgRAT_7Button
ca4ae256_badb_427e_a4bd_7691d48a0c9b.dll X45
ccb88344_c0d5_4ad2_b35d_70ebf6e80171.dll GM3200
d109a886_d146_4a52_8454_bd28490c7fa0.dll TrimWheel
d18fc94d_3015_4345_adbc_a68ccf585dd1.dll Cyborg_V1_Keyboard
d6b3b59d_38a9_4808_90c5_16f35a85e651.dll P3200
Default.dll Default
e81d998b_c604_4d71_be97_35ca01439c7e.dll X52
e9d64f2f_f022_466a_afce_5d77af14be2c.dll CyborgRumblePadXbox360
f224d27e_fafa_4621_9cbb_b766807a0596.dll GamingMouse
f4472a58_9884_4d01_868f_866a2d229c35.dll ProGamerCommandUnit
f6295dbe_a666_49ed_ba2c_123bbe7ee467.dll Cyborg_V1_stick
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/bin/false
gdm:x:42:42::/var/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/bin/false
ident:x:98:98:pident user:/:/sbin/nologin
radvd:x:75:75:radvd user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
named:x:70:70:Named:/var/named:/bin/false
pcap:x:77:77::/var/arpwatch:/bin/nologin
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
junkbust:x:73:73::/etc/junkbuster:/bin/bash
mailman:x:41:41:GNU Mailing List Manager:/var/mailman:/bin/false
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
pvm:x:24:24::/usr/share/pvm3:/bin/bash
user:x:500:500:Linux User,,,:/home/user:/bin/sh
messagebus:x:1000:1000:Linux User,,,:/home/messagebus:/bin/sh
haldaemon:x:1001:1001:Linux User,,,:/home/haldaemon:/bin/sh
all_services="mount-proc-sys mdev udev hostname devfsd depmod modules filesystems syslog network inetd portmap dropbear sshd boa smb dhcpd settime fslgnome watchdog bluetooth gtk2 pango"
all_services_r="pango gtk2 bluetooth watchdog fslgnome settime dhcpd smb boa sshd dropbear portmap inetd network syslog filesystems modules depmod devfsd hostname udev mdev mount-proc-sys"
cfg_services="mount-proc-sys udev hostname depmod modules filesystems syslog network inetd "
cfg_services_r=" inetd network syslog filesystems modules depmod hostname udev mount-proc-sys"
export HOSTNAME="madcatz"
export NTP_SERVER=""
export MODLIST=""
export RAMDIRS=""
export TMPFS="tmpfs"
export TMPFS_SIZE="512k"
export READONLY_FS=""
export INETD_ARGS=""
export BOA_ARGS=""
export SMBD_ARGS=""
export NMBD_ARGS=""
export DHCP_ARG=""
export DEPLOYMENT_STYLE="RAMDISK"
export SYSCFG_DHCPC_CMD="udhcpc -b -i "
export DROPBEAR_ARGS=""
#!/bin/sh
# Daemons to start at init, order is important for the multiplexer and its children
DAEMONS="HidDaemon KeyboardDaemon VendorDaemon multiplexer dateTime mcp"
TS_CALIB=/mnt/data/config/pointercal
KEYMAP_FILE=/sys/kernel/strike7_kb/strike7_kb_api/keymap
KEYMAP_SAVE=/mnt/data/keymap
QMAP_FILE=""

if [ "$1" = "stop" -o "$1" = "restart" ]
then
    echo "Stopping Strike Services..."
    exit 0
fi

#
# Starting Services...
#
# Check for backup directory
if [ ! -d /mnt/data/config ]
then
    mkdir -p /mnt/data/config
fi

#
# Check keymap
#
KEYMAP=`cat $KEYMAP_FILE`
# Save keymap data if it is supported
if [ -n "${KEYMAP}" ]
then
    if [ ${KEYMAP} -ne "0" ]
    then
        # valid data, save it
        echo "Keymap; saving keymap savefile"
        echo "${KEYMAP}" > ${KEYMAP_SAVE}
    else
        # Test value in Save file
        echo "Keymap; reading keymap savefile"
        if [[ -e ${KEYMAP_SAVE} ]]
        then
            KEYMAP=`cat $KEYMAP_SAVE`
        fi
    fi
else
    # null string
    # Test value in Save file
    if [[ ! -e ${KEYMAP_SAVE} || ! -s ${KEYMAP_SAVE} ]]
    then
        echo "Keymap; null - setting to 0"
        KEYMAP="0";
    else
        echo "Keymap; null - reading keymap savefile"
        KEYMAP=`cat $KEYMAP_SAVE`
    fi
fi

# Check that the Qmaps exist - they should now be pre-built
#if [ ! -e "/etc/qt" ]
#then
# echo "Building QMap files"
# mkdir /etc/qt
#
# cd /etc/kmap
# for FILE in *
# do
# /root/kmap2qmap "$FILE" "/etc/qt/$FILE.qmap"
# done
#fi

# Assing the Keymap
echo "Keymap - ${KEYMAP}"
if [ $KEYMAP -eq "1" ]
then
    echo "Keymap UK"
    QMAP_FILE="/etc/qt/gb.qmap"
elif [ $KEYMAP -eq "2" ]
then
    echo "Keymap US"
    # This is the default mapping
    QMAP_FILE=""
elif [ $KEYMAP -eq "3" ]
then
    echo "Keymap Germany"
    QMAP_FILE="/etc/qt/de.qmap"
elif [ $KEYMAP -eq "4" ]
then
    echo "Keymap France"
    QMAP_FILE="/etc/qt/fr.qmap"
elif [ $KEYMAP -eq "5" ]
then
    echo "Keymap Sweden"
    QMAP_FILE="/etc/qt/se.qmap"
elif [ $KEYMAP -eq "6" ]
then
    echo "Keymap Spain"
    QMAP_FILE="/etc/qt/es.qmap"
elif [ $KEYMAP -eq "7" ]
then
    echo "Keymap Japan"
    QMAP_FILE="/etc/qt/jp.qmap"
elif [ $KEYMAP -eq "8" ]
then
    echo "Keymap Czech"
    QMAP_FILE="/etc/qt/cz.qmap"
elif [ $KEYMAP -eq "9" ]
then
    echo "Keymap Italian"
    QMAP_FILE="/etc/qt/it.qmap"
elif [ $KEYMAP -eq "10" ]
then
    echo "Keymap Russian"
    QMAP_FILE="/etc/qt/ru.qmap"
elif [ $KEYMAP -eq "11" ]
then
    echo "Keymap Swiss"
    QMAP_FILE="/etc/qt/ch.qmap"
else
    echo "Keymap Unknown"
    QMAP_FILE=""
fi

#
# Watchdog
#
if [ -x /sbin/watchdog ]
then
    echo "Starting watchdog"
    /sbin/watchdog -T 15 -t 5 /dev/watchdog
else
    echo "watchdog is not executable!"
fi

# TOUCH SCREEN
# Fixup the Touch screen interface
export TSLIB_TSDEVICE="/dev/input/ts0"
export TSLIB_CALIBFILE=$TS_CALIB
export TSLIB_CONFFILE="/etc/ts.conf"
export TSLIB_PLUGINDIR="/usr/lib/ts"
export TSLIB_FBDEVICE="/dev/fb0"
if [[ -f "$TS_CALIB" && -s "$TS_CALIB" ]]
then
    echo "Touch Screen calibrated"
else
    # Remove file if it exists
    if [ -f "$TS_CALIB" ]
    then
        rm "$TS_CALIB"
    fi
    echo "Calibrating Touch Screen ..."
    /usr/bin/ts_calibrate
fi

# Start DAEMON(s)
for daemon in $DAEMONS
do
    if [ -x /usr/bin/$daemon ]
    then
        echo "Starting $daemon"
        /usr/bin/$daemon -d
    else
        echo "$daemon is not executable!"
    fi
done

# QT STRIKE APPLICATION
if [ -x /usr/bin/Strike ]
then
    export QWS_MOUSE_PROTO=tslib:/dev/input/ts0
    #export QWS_DISPLAY="transformed:rot90:0"
    export POINTERCAL_FILE=$TS_CALIB
    # Check QMAP file
    if [[ -n "${QMAP_FILE}" && -e "${QMAP_FILE}" ]]
    then
        export QWS_KEYBOARD="LinuxInput:/dev/input/event0:disable-zap:keymap=${QMAP_FILE}"
    else
        export QWS_KEYBOARD="LinuxInput:/dev/input/event0:disable-zap"
    fi
    /usr/bin/Strike -qws &
else
    echo "Strike (Qt) not executable"
fi
#!/bin/sh
# minimal startup script, will work with msh (this is best available in
# MMUless format).

# load the configuration information
. /etc/rc.d/rc.conf
mode=${1:-start}
if [ $mode = "start" ]
then
    services=$cfg_services
else
    services=$cfg_services_r
fi
cfg_services=${2:-$services}

# run the configured sequence
for i in $cfg_services
do
    if [ -x /etc/rc.d/init.d/$i ]
    then
        /etc/rc.d/init.d/$i $mode
    fi
done

if [ $# -ge 2 ]
then
    exit 0
fi

# show all kernel log messages
#echo 8 > /proc/sys/kernel/printk

# run rc.local if present and executable
if [ -x /etc/rc.d/rc.local ]
then
    /etc/rc.d/rc.local $mode
fi

if [ -x /etc/rc.d/rc.madcatz ]
then
    echo "Running STRIKE services..."
    /etc/rc.d/rc.madcatz $mode
else
    echo "/etc/rc.d/rc.madcatz is not executable!"
fi
root::11851:0:99999:7:::
bin:*:11851:0:99999:7:::
daemon:*:11851:0:99999:7:::
adm:*:11851:0:99999:7:::
lp:*:11851:0:99999:7:::
sync:*:11851:0:99999:7:::
shutdown:*:11851:0:99999:7:::
halt:*:11851:0:99999:7:::
mail:*:11851:0:99999:7:::
news:*:11851:0:99999:7:::
uucp:*:11851:0:99999:7:::
operator:*:11851:0:99999:7:::
games:*:11851:0:99999:7:::
gopher:*:11851:0:99999:7:::
ftp:*:11851:0:99999:7:::
nobody:*:11851:0:99999:7:::
sshd:!!:11851:0:99999:7:::
mailnull:!!:11851:0:99999:7:::
xfs:!!:11851:0:99999:7:::
ntp:!!:11851:0:99999:7:::
rpc:!!:11851:0:99999:7:::
gdm:!!:11851:0:99999:7:::
rpcuser:!!:11851:0:99999:7:::
nfsnobody:!!:11851:0:99999:7:::
nscd:!!:11851:0:99999:7:::
ident:!!:11851:0:99999:7:::
radvd:!!:11851:0:99999:7:::
postgres:!!:11851:0:99999:7:::
apache:!!:11851:0:99999:7:::
squid:!!:11851:0:99999:7:::
named:!!:11851:0:99999:7:::
pcap:!!:11851:0:99999:7:::
amanda:!!:11851:0:99999:7:::
junkbust:!!:11851:0:99999:7:::
mailman:!!:11851:0:99999:7:::
mysql:!!:11851:0:99999:7:::
ldap:!!:11851:0:99999:7:::
pvm:!!:11851:0:99999:7:::
user:$1$pJefShJL$CoX8T20vn1g.ug0jZIczM.:11851:0:99999:7:::
messagebus:!:15:0:99999:7:::
haldaemon:!:15:0:99999:7:::
[PROFILE]
PLAYER=MX23 Linux Update
VERSION=2
[OPERATIONS]
UTP_UPDATE=OS Firmware,120,1
[OS Firmware]
UCL_INSTALL_SECTION=Singlechip NAND
0106A368-C9E3-4EFC-AADA-144FED720C83.dll Saitek Cyborg 3D Rumble
02A0DB55-B1EB-4B83-B5BD-3050FA2ECA54.dll Mad Catz R.A.T.5 Mouse
0839B3FA-E3AE-40B3-BA24-2DF2E2C9C9F5.dll Mad Catz R.A.T.9 Mouse
0F98C1CC-9561-4968-96D3-93188ED5A0C9.dll Cyborg V.3 Pad
14F77A73-1E44-4CD4-86F3-4AABD1DB018A.dll Cyborg Pad - XBox 360
18D74164-8B1D-4DDD-B9CE-28239D1C8DC9.dll Cyborg Keyboard
1C7F1EC4-4D7A-48AA-945A-8595191CA60A.dll Throttle Pitch and Mixture System
1F1967C3-2852-4312-9EE7-2B2144B14457.dll Saitek Aviator Stick
1F3F8912-ADAA-459E-9D68-A7B5292FD109.dll Saitek Cyborg Command Unit
1F80B81E-E7C2-4EA7-8C3B-CD29EFBE7DCE.dll Saitek Gaming Mouse
2490C186-24F0-4415-8386-3CE127668223.dll Cyborg M.M.O.7 Contagion
27B450F2-C4A5-4174-AFEB-79E7F4FBC2E9.dll Saitek ST290
2E2BD570-B641-4BE2-B24D-0292A6ECB68E.dll Cyborg V.5 Pad
2E6CEC68-F3B2-4870-8E35-6AB2D817AF9A.dll Cyborg Mouse
2F3358AE-43C4-4A02-9F10-C812F41D72E9.dll Cyborg M.M.O.7
2F5BFA24-2EF9-4CB1-BECB-3FBDC054962B.dll Cyborg R.A.T.7 Contagion
330F06C3-F6C5-11D4-9775-00A0CC61AECB.dll Saitek Cyborg 3D Force
33ED8FFE-BA2B-4ae0-AE6F-9801EABB395B.dll Saitek Pro Gamer Command Unit
34584B18-F56A-479C-BD9A-32FB25E84DB3.dll Cyborg V.3 Mouse
37D6EB8C-03A3-4C5D-8F6C-896F31BBE98D.dll Combat Rudder Pedals
390E3043-470C-40F8-836A-BB02A2D3B563.dll Unknown Device
447D7623-0A5B-48BA-8BB1-F608CE4D4CA4.dll Cyborg R.A.T.3 Mouse
48FA7494-A60B-4238-B32F-043129BA03C5.dll Cyborg X (256kb!)
49BEA0EA-70C3-4DD7-972D-FE515858164B.dll Mad Catz V.5 Keyboard (268kb!)
49ECC75B-2A50-4FD8-8E85-E724F454C3B1.dll Mad Catz M.M.O.7
4DF4F6F5-D2EA-4CE6-A686-1C65E67FDF96.dll Mad Catz V.1 Stick
5159D4CE-D926-4A60-8B1A-92BA10E1A045.dll Saitek P2900 Wireless Pad
52DE43C5-1AA9-4729-AD6D-B9CE8BDD8FEF.dll eclipse litetouch keyboard (wireless)
58CF827B-13D4-42AA-AAB9-9130D438AECA.dll Cyborg V.1 Pad
59BEA7DB-4D7D-45A2-A64E-304307061E05.dll Cyborg R.A.T.7 Infection
5DF93ED5-F922-46BE-9B05-BECA5D2D333C.dll Saitek PS1000 Pad
5E0173F9-2A49-44EE-840E-9B238819695B.dll Pro Flight Cessna Trim Wheel
601A4842-0FE2-4A66-A24F-A2ACDE70D011.dll Saitek GM2400 Gaming Mouse
67D281E3-6A23-4AA5-8551-CC66E26DB6EF.dll Mad Catz V7 Keyboard
7030F477-B915-4466-952D-A0B209E413EE.dll Saitek Office Laser Mouse
75BB6CC8-FB40-4BE1-BF2B-4B10397A98A8.dll Saitek X52 Pro Flight Controller
7748F4B5-3F39-48B0-AAA0-CD862AC8A98F.dll Cyborg R.A.T.5 Mouse
7B27B621-5A6D-4A99-8E59-096FA6439D58.dll Saitek P2600 Rumble Pad
7C516467-75AE-4D8E-B52F-18DB72B8D751.dll Saitek Cyborg Evo
7D2B9A04-6165-4347-81F4-14C122C1560B.dll Pro Flight Cessna Rudder Pedals
7DF6F720-CE98-436D-A73D-B2777D9B3A82.dll Saitek Pro Flight Rudder Pedals
7EF980A4-0727-47F8-857C-8D67979DA1E2.dll Cyborg R.A.T.3 Mouse
7FAF063C-AB2D-445C-90DD-E9A1588ACE7F.dll Saitek P3200 Pad - XBox 360
80205D18-DAE9-432B-B8B8-4271294CEFE2.dll F.L.Y.5 (256kb!)
80937975-9440-4a57-B5EE-33E7AA6FB3B7.dll Saitek Pro Flight Yoke
81CCB64C-CF54-431C-886D-D101762FDC62.dll Cyborg R.A.T.9 Mouse
86C19909-59E2-4F34-8269-4CB11C955864.dll Saitek P990 Pad
8BCB5851-4DE6-4631-9EAA-C5E9C4B12FED.dll Pro Flight Cessna Yoke
8EFDCDF6-8466-440E-A349-9682D900BAD6.dll Call Of Duty: Black Ops - Stealth Pad
9089E681-30AB-4A7F-901B-20E9634CE580.dll Cyborg R.A.T.5 Mouse
91600663-2DD5-4E99-BAFE-2862648EE5BC.dll eclipse litetouch keyboard
92DD6D76-858B-4408-A8AE-89376599E0B7.dll Mad Catz S.T.R.I.K.E.5 Keyboard
949A1EC1-F75B-11D4-9775-00A0CC61AECB.dll Saitek X45 Flight Controll
99542E39-B29A-43CC-83DD-D576DE170BA2.dll BIP (??)
9A81C564-ED3F-41E0-B03E-5AF8A9EB1148.dll Saitek Gamers Keyboard
A14F7A98-E8C4-42E9-9A94-8A21EFF2AAF1.dll Saitek PS2700 Pad
A3ACAC5D-573C-412E-B7FE-42B1EE5437C2.dll Cyborg V.1 Keyboard (270kb!)
A8020A45-78A7-4A6F-9A6B-AB51793091DD.dll Mad Catz R.A.T.3 Mouse
AD4560DB-1749-405C-A571-B09790FD7FC4.dll Cyborg R.A.T.9 Mouse
B2A6C52E-4E2B-41B7-B7A8-1AF348A21993.dll Cyborg V.1 Stick
B6CA1DFF-2D5A-40DB-A847-91CA7D17E550.dll Saitek R660 Force Wheel
B822F88B-0CAC-40C6-8D2F-4C99A5EA30CA.dll Saitek ST290 Pro
BBFD3DED-F37C-4F35-B782-E532044F3129.dll Cyborg V.5 Keyboard (268kb!)
C0793304-7A8C-47D1-8EE2-975FFF656C2F.dll Saitek Cyborg Evo Force
C19A7A60-CF1B-4ABA-884E-0CE192D4FA73.dll Saitek Pro Flight Throttle Quadrant
C47931CE-E58A-4C54-AADB-BA2F3E5659A5.dll Saitek Pacific Aviator Stick
C7719F41-F667-4514-BBB4-3F38C9E4D05A.dll Saitek X52 Flight Controller
CBE74543-4508-462F-85B3-6E55F23781CA.dll Saitek X65 Flight Controller
CDAFC361-948A-4973-989A-29AFFDEF280F.dll Call Of Duty: Black Ops - Stealth Mouse
DA3647E1-282E-443E-9C36-BDCF4F2D2424.dll Cyborg Strike 7 Keyboard
E035F32E-0437-4096-A26B-04FCC4A203A9.dll Modern Warfare 2 Pad (135kb!)
E5893414-1FDC-4FA3-BBBD-2C81CA30253D.dll Saitek GM3200 Mouse
EB42C7F6-6DBF-4697-A334-DDD114EF50F5.dll Mad Catz R.A.T.7 Mouse
EBD1EFF2-E21C-4E06-B8AE-B1B96E38BBCB.dll Cyborg R.A.T.7 Albino
ECF12411-4C28-47CE-9CC1-E3C29D0ED825.dll Cyborg R.A.T.7 Mouse
ED4547F0-F3AC-468C-8E4A-49C4B100C167.dll Mad Catz Strike 7 Keyboard
EFD31026-2D58-477D-9BC0-136C46F8C4D1.dll Saitek Cyborg Rumble Pad
FA5BD368-039F-4360-882D-6AAE5D56557E.dll Cyborg R.A.T.7 Mouse
FDB18F33-ADC1-4f25-BB3A-7469F0CF5536.dll Saitek Cyborg Evo Wireless
root@netherpi:/usr/lib# /home/alias/Strike
QWSSocket::connectToLocalFile could not connect:: No such file or directory
QWSSocket::connectToLocalFile could not connect:: No such file or directory
QWSSocket::connectToLocalFile could not connect:: No such file or directory
QWSSocket::connectToLocalFile could not connect:: No such file or directory
QWSSocket::connectToLocalFile could not connect:: No such file or directory
QWSSocket::connectToLocalFile could not connect:: No such file or directory
No Qt for Embedded Linux server appears to be running.
If you want to run this program as a server,
add the "-qws" command-line option.
root@netherpi:/usr/lib# /home/alias/Strike -qws
QFontDatabase: Cannot find font directory /usr/local/Trolltech/QtEmbedded-4.7.4-arm/lib/fonts - is Qt installed correctly?
Aborted
lsusb -vv
Bus 001 Device 004: ID 0738:1109 Mad Catz, Inc.
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x0738 Mad Catz, Inc.
idProduct 0x1109
bcdDevice 1.09
iManufacturer 1 Mad Catz
iProduct 2 Mad Catz S.T.R.I.K.E.7
iSerial 3 0123456789
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 107
bNumInterfaces 4
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xc0
Self Powered
MaxPower 100mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 3 Human Interface Device
bInterfaceSubClass 1 Boot Interface Subclass
bInterfaceProtocol 1 Keyboard
iInterface 4 Mad Catz S.T.R.I.K.E.7 Keys
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.11
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 62
Report Descriptors:
** UNAVAILABLE **
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 4
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 3 Human Interface Device
bInterfaceSubClass 1 Boot Interface Subclass
bInterfaceProtocol 1 Keyboard
iInterface 5 Mad Catz S.T.R.I.K.E.7 Numpad
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.11
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 62
Report Descriptors:
** UNAVAILABLE **
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 4
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 2
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 3 Human Interface Device
bInterfaceSubClass 0 No Subclass
bInterfaceProtocol 0 None
iInterface 6 Mad Catz S.T.R.I.K.E.7 Keyboard
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.11
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 70
Report Descriptors:
** UNAVAILABLE **
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x84 EP 4 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 4
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 3
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 7 Mad Catz S.T.R.I.K.E.7 V.E.N.O.M
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 4
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 4
Device Qualifier (for other device speed):
bLength 10
bDescriptorType 6
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
bNumConfigurations 1
Device Status: 0x0001
Self Powered
# Created By: Glenn 'devalias' Grant (http://devalias.net)
# License: The MIT License (MIT) - Copyright (c) 2013 Glenn 'devalias' Grant (see http://choosealicense.com/licenses/mit/ for full license text)
# Note: This is a hacky work in progress/playground, so it may not do what you expect, or even work. You've been warned.
import usb.core
import usb.util
import usb.legacy
#import usb
import sys

# export PYUSB_DEBUG_LEVEL=debug
# Ref: http://learn.adafruit.com/hacking-the0kinect/fuzzing
# Ref: http://pyusb.sourceforge.net/docs/1.0/tutorial.html
# mount -t debugfs none_debugs /sys/kernel/debug
# modprobe usbmon
# ls /sys/kernel/debug/usb/usbmon/
# lsusb -vv

# Find device (Mad Catz, Strike7)
VENDOR_ID = 0x0738
PRODUCT_ID = 0x1109

# Interfaces as (bInterfaceNumber, bAlternateSetting), values from lsusb -vv
INTERFACE_KEYS = (0, 0)
# bInterfaceClass 3 Human Interface Device
# bInterfaceSubClass 1 Boot Interface Subclass
# bInterfaceProtocol 1 Keyboard
# iInterface 4 Mad Catz S.T.R.I.K.E.7 Keys
INTERFACE_NUMPAD = (1, 0)
# bInterfaceClass 3 Human Interface Device
# bInterfaceSubClass 1 Boot Interface Subclass
# bInterfaceProtocol 1 Keyboard
# iInterface 5 Mad Catz S.T.R.I.K.E.7 Numpad
INTERFACE_KEYBOARD = (2, 0)
# bInterfaceClass 3 Human Interface Device
# bInterfaceSubClass 0 No Subclass
# bInterfaceProtocol 0 None
# iInterface 6 Mad Catz S.T.R.I.K.E.7 Keyboard
INTERFACE_VENOM = (3, 0)
# bNumEndpoints 2
# bInterfaceClass 255 Vendor Specific Class
# bInterfaceSubClass 0
# bInterfaceProtocol 0
# iInterface 7 Mad Catz S.T.R.I.K.E.7 V.E.N.O.M

dev = usb.core.find(idVendor=VENDOR_ID, idProduct=PRODUCT_ID)
if dev is None:
    raise ValueError('Device not found')
else:
    print('Device found')

# set the active configuration. With no arguments, the first
# configuration will be the active one
print("Setting active configuration..")
try:
    dev.set_configuration()
except usb.core.USBError as e:
    print(" [USBError] %s. Continuing.." % e)

# get an endpoint instance
cfg = dev.get_active_configuration()
intf = cfg[INTERFACE_VENOM]
interface_number = intf.bInterfaceNumber
#alternate_setting = usb.control.get_interface(dev, interface_number)
#print alternate_setting
intf = usb.util.find_descriptor(cfg, bInterfaceNumber = interface_number)

# Dump every configuration, interface and endpoint the device exposes
for cfg in dev:
    sys.stdout.write('Config: ' + str(cfg.bConfigurationValue) + '\n')
    for intf in cfg:
        sys.stdout.write('\tInterface: ' + \
                         str(intf.bInterfaceNumber) + \
                         ',' + \
                         str(intf.bAlternateSetting) + \
                         '\n')
        for ep in intf:
            sys.stdout.write('\t\tEndpoint: ' + \
                             str(ep.bEndpointAddress) + \
                             '\n')

ep = usb.util.find_descriptor(
    intf,
    # match the first OUT endpoint
    custom_match = \
    lambda e: \
        usb.util.endpoint_direction(e.bEndpointAddress) == \
        usb.util.ENDPOINT_OUT
)
print("EndpointAddress: %s (%s)" % (ep.bEndpointAddress, hex(ep.bEndpointAddress)))
#data = ep.read(1)
#data = dev.read(ep.bEndpointAddress)
#print data
print(intf.iInterface)
print(cfg[INTERFACE_VENOM].iInterface)
print(interface_number)
#data = dev.read(0x80,0x0040,INTERFACE_VENOM)
#print data

# [7][6][5][4][3][2][1][0]
# 7 = direction (0 write to device, 1 read from device)
# 6,5 = type of message (0 = standard, 1 = class, 2 = vendor, 3= reserved/unused)
# 4,3,2 = Unused
# 1,0 = Recipient for message (0 = device, 1 = interface, 2 = endpoint, 3 = other)
#bmRequestType = int('11000010',2)
bmRequestType = int('10000001',2)
#bmRequestType = int('10000010',2)
wIndex = int('1000001',2)

# http://pydoc.net/Python/pyusb/1.0.0a3/usb.util/
# The direction parameter can be CTRL_OUT or CTRL_IN.
# The type parameter can be CTRL_TYPE_STANDARD, CTRL_TYPE_CLASS,
# CTRL_TYPE_VENDOR or CTRL_TYPE_RESERVED values.
# The recipient can be CTRL_RECIPIENT_DEVICE, CTRL_RECIPIENT_INTERFACE,
# CTRL_RECIPIENT_ENDPOINT or CTRL_RECIPIENT_OTHER.
#bmRequestType = usb.util.build_request_type(usb.util.CTRL_IN, usb.util.CTRL_TYPE_VENDOR, usb.util.CTRL_RECIPIENT_INTERFACE)
print("bmRequestType %s (%s)" % (bmRequestType, hex(bmRequestType)))

for bRequest in range(0,255):
    try:
        #ctrl_transfer(self, bmRequestType, bRequest, wValue=0, wIndex=0,
        # data_or_wLength = None, timeout = None):
        #ret = dev.ctrl_transfer(bmRequestType, bRequest, 0, wIndex, 0x0040)
        #ret = dev.read(ep.bEndpointAddress,1,intf,1000)
        ret = usb.legacy.DeviceHandle(dev).bulkRead(ep,64,1000)
        print("bRequest %s" % bRequest)
        print(ret)
    except usb.core.USBError as e:
        print(" bRequest %d %s" % (bRequest, e))
        # except:
        pass
<!--
* The CFG element contains a list of recognized usb devices.
* DEV elements provide a name, class, vid and pid for each device.
*
* Each LIST element contains a list of update instructions.
* "Install" - Erase media and install firmware.
* "Update" - Update firmware only.
*
* Each CMD element contains one update instruction of attribute type.
* "pull" - Does UtpRead(body, file) transaction.
* "push" - Does UtpWrite(body, file) transaction.
* "drop" - Does UtpCommand(body) then waits for device to disconnect.
* "boot" - Finds configured device, forces it to "body" device and downloads "file".
* "find" - Waits for the "body" device to connect.
* "show" - Parse and show device info in "file".
-->
<UCL>
<CFG>
<STATE name="Recovery" dev="IMX233"/>
<STATE name="Updater" dev="Updater" />
<DEV name="IMX233" vid="066F" pid="3780"/>
<DEV name="Updater" vid="066F" pid="37FF" />
</CFG>
<LIST name="Singlechip NAND" desc="Install on singlechip NAND">
<CMD type="boot" body="Recovery" file="updater.sb" timeout="60">Booting update firmware.</CMD>
<CMD type="find" body="Updater" timeout="180"/>
<CMD type="push" body="mknod class/mtd,mtd0,/dev/mtd0"/>
<CMD type="push" body="mknod class/mtd,mtd1,/dev/mtd1"/>
<CMD type="push" body="mknod class/misc,ubi_ctrl,/dev/ubi_ctrl"/>
<CMD type="push" body="$ flash_eraseall /dev/mtd0">Erasing rootfs partition - mtd0</CMD>
<CMD type="push" body="$ flash_eraseall /dev/mtd1">Erasing rootfs partition - mtd1</CMD>
<CMD type="push" body="send" file="files/imx23_linux.sb">Sending firmware - kernel</CMD>
<CMD type="push" body="$ kobs-ng init $FILE">Flashing firmware - kernel</CMD>
<CMD type="push" body="$ ubiattach /dev/ubi_ctrl -m 1 -d 0">Attaching UBI partition - control</CMD>
<CMD type="push" body="mknod class/ubi,ubi0,/dev/ubi0"/>
<CMD type="push" body="$ ubimkvol /dev/ubi0 -n 0 -N rootfs0 -s 80MiB">Creating UBI volumes - rootfs0</CMD>
<CMD type="push" body="$ ubimkvol /dev/ubi0 -n 1 -N data -m">Creating UBI volumes - data</CMD>
<CMD type="push" body="$ mkdir -p /mnt/ubi0; mount -t ubifs ubi0_0 /mnt/ubi0" />
<CMD type="push" body="$ mkdir -p /mnt/ubi1; mount -t ubifs ubi0_1 /mnt/ubi1" />
<!-- <CMD type="push" body="pipe tar -jxv -C /mnt/ubi0" file="files/big_rootfs.tar.bz2">Transfer rootfs0</CMD> -->
<CMD type="push" body="send" file="files/big_rootfs.tar.bz2" timeout="180">Sending firmware - rootfs</CMD>
<CMD type="push" body="$ cd /mnt/ubi0; tar -xjf $FILE; cd /" timeout="300">Updating firmware - rootfs</CMD>
<CMD type="push" body="send" file="files/data.tar.bz2" timeout="180">Sending firmware - data</CMD>
<CMD type="push" body="$ cd /mnt/ubi1; tar -xjf $FILE; cd /" timeout="180">Updating firmware - data</CMD>
<CMD type="push" body="frf">Finish Flashing NAND</CMD>
<CMD type="push" body="$ umount /mnt/ubi0">Unmounting - ubi0</CMD>
<CMD type="push" body="$ umount /mnt/ubi1">Unmounting - ubi1</CMD>
<CMD type="push" body="$ echo Update Complete!">Done</CMD>
<!--
The below commands will trigger reboot
<CMD type="push" body="!3">Done</CMD>
-->
</LIST>
<LIST name="SD" desc="Install to SD card">
<CMD type="boot" body="Recovery" file="updater.sb">Booting update firmware</CMD>
<CMD type="find" body="Updater" timeout="180"/>
<CMD type="push" body="mknod block,mmcblk0,/dev/mmcblk0,block"/>
<CMD type="push" body="send" file="fdisk-u.input">Sending fdisk input</CMD>
<CMD type="push" body="$ fdisk -u /dev/mmcblk0 < $FILE">Partitioning SD card</CMD>
<CMD type="push" body="mknod block/mmcblk0,mmcblk0p1,/dev/mmcblk0p1,block"/>
<CMD type="push" body="mknod block/mmcblk0,mmcblk0p2,/dev/mmcblk0p2,block"/>
<CMD type="push" body="mknod block/mmcblk0,mmcblk0p3,/dev/mmcblk0p3,block"/>
<CMD type="push" body="send" file="files/imx23_linux.sb">Sending u-boot image</CMD>
<CMD type="push" body="$ dd if=$FILE of=/dev/mmcblk0p2 bs=512 seek=4 conv=sync,notrunc">Writing Linux Kernel</CMD>
<CMD type="push" body="$ mkfs.ext3 -j /dev/mmcblk0p3">Formatting rootfs partition</CMD>
<CMD type="push" body="$ mkdir -p /mnt/mmcblk0p3"/>
<CMD type="push" body="$ mount /dev/mmcblk0p3 /mnt/mmcblk0p3"/>
<CMD type="push" body="pipe tar -jxv -C /mnt/mmcblk0p3" file="files/big_rootfs.tar.bz2">Sending and writting rootfs</CMD>
<CMD type="push" body="frf">Finishing rootfs write</CMD>
<CMD type="push" body="$ umount /mnt/mmcblk0p3">Unmounting rootfs partition</CMD>
<CMD type="push" body="$ echo Update Complete!">Done</CMD>
<!--
The below commands will trigger reboot
<CMD type="push" body="!3">Done</CMD>
-->
</LIST>
</UCL>
# Researched By: Glenn 'devalias' Grant (http://devalias.net)
# License: The MIT License (MIT) - Copyright (c) 2013 Glenn 'devalias' Grant (see http://choosealicense.com/licenses/mit/ for full license text)
Came across this site last night while seeing if there was anything more useful I could do with my $300 keyboard, seems not really.. :S
Figured it might be useful to do some digging and see if there wasn't some useful info that could be turned up, maybe get some ideas started/etc.
[b]Before I post anything though, I want to make it clear that this is all provided without any sort of warranty at all. ANYTHING YOU DO IS AT YOUR OWN RISK!!! If you try and flash your device and brick it, that's on you, not me.[/b]
Now with formalities out of the way, let's get started.
There are 3 areas I decided to take a bit of a look at (not to any huge amount of depth mind you): The firmware, the profile editor and the USB interface on the keyboard itself.
[b]Profile Editor[/b]
(Edit: You can also see these lists of dll's over at Github: https://gist.github.com/alias1/7652064)
In my setup, installed to [i]C:\Program Files\SmartTechnology\Software[/i]
[ul type="disc"][li][i]Controllers/[/i] - These seem to be related to specific madcatz hardware devices, probably dealing with the specifics of interacting with them or similar. These seem to be .NET dlls.[/li][/ul][div]
[code]06416ece_7ce2_4176_b4fc_01ebd7e7b58a.dll P880_P2500_P3000
12ecdcf4_82ac_4c37_9262_bcdd948ba1e4.dll PP22_Pad
19e5398a_a82a_4b7b_90fd_c08f190b5037.dll RudderPedals
1f732691_3bc6_41ec_a977_c5bf0b03a3dc.dll X52Pro
23e2a81c_5f45_4f0e_bb62_350688d7f883.dll CyborgRAT_5Button
24e74f72_099d_43a2_91ba_8b19e146c678.dll CyborgX
25a4f72c_5a88_4168_809a_55bf002dc6b1.dll X65
2b9d5817_37df_47e1_a1f9_3186682b4263.dll Throttle Quadrant
35695d7f_dae2_42ac_b38b_78ec2e576581.dll GamersKeyboard
3ac4311b_05b6_43c2_8622_c2eb1168ad21.dll GM2400
3f5b4777_c340_4271_be78_4f067ce8fe12.dll P2600
4220f4fc_220c_48a8_a04a_46c6b4f8450c.dll CyborgRumblePas
4966f44d_59df_4a61_8fd0_7ac23cff1c88.dll Cyborg_V3_Pad
49A934CF_79AF_4AD0_8971_84735CEC20E1.dll eclipse litetouch Keyboard
4a484820_55c2_40ac_96c2_fa361656b233.dll CyborgRAT_15Button
4ae960ae_0df5_4cf5_8d9a_f90a660afa73.dll Strike 5 Keyboard
52adf75b_8888_4006_9fd2_196fe465e1b1.dll CyborgMouse
5c6c51f1_9884_4166_b06e_5bb174f169ae.dll CyborgKeyboard
62c03415_a024_4eb2_b66f_67c9f82962fe.dll ST290Pro
6a1ca17e_fb49_4b02_aaad_0ba6619568ef.dll P990_P2900
771bc0c8_ed85_46e1_9413_8aaabaa85d3e.dll ThrottlePitchMixture
7b2c9a90_0140_45d5_a956_50e3f28383df.dll ProFlightYokeSystem
7dd18c88_ccc8_4fe7_ae24_17fcb414aa53.dll Cyborg Strike 7 Keyboard
7fb9c64e_c015_4c88_9126_6abf82beee9c.dll AV8R
975f632f_f9c5_4e3f_ad2c_f13a97f85393.dll OfficeLaserMouse_M100V
a7b46733_fbf3_466a_b4e1_9575558097eb.dll ProFlightCessnaYoke
c080cd49_e613_47d4_899c_87375b5aefe8.dll CyborgEvo
c265e53d_8e01_4623_82df_a6f16047a580.dll BIP
c2c49663_a49d_4ca3_a208_7bae2166e4e2.dll ST290
c9e4beb7_9967_4ce8_8fbc_02ca04f453d8.dll CyborgRAT_7Button
ca4ae256_badb_427e_a4bd_7691d48a0c9b.dll X45
ccb88344_c0d5_4ad2_b35d_70ebf6e80171.dll GM3200
d109a886_d146_4a52_8454_bd28490c7fa0.dll TrimWheel
d18fc94d_3015_4345_adbc_a68ccf585dd1.dll Cyborg_V1_Keyboard
d6b3b59d_38a9_4808_90c5_16f35a85e651.dll P3200
Default.dll Default
e81d998b_c604_4d71_be97_35ca01439c7e.dll X52
e9d64f2f_f022_466a_afce_5d77af14be2c.dll CyborgRumblePadXbox360
f224d27e_fafa_4621_9cbb_b766807a0596.dll GamingMouse
f4472a58_9884_4d01_868f_866a2d229c35.dll ProGamerCommandUnit
f6295dbe_a666_49ed_ba2c_123bbe7ee467.dll Cyborg_V1_stick[/code]
[/div][ul type="disc"][li][i]cs/, de/, en/, en-US/[/i], etc - These seem to contain localized resources for the different languages (Pr0fileEditor_Forms.resources.dll, SaiEditRes.resources.dll)[/li][li][i]ManuExtensionDLLs/[/i] - Only one dll, at a guess I would say this is what determines when an app is launched (AppLaunchEventDll.dll)[/li][li][i]Resources/[/i] - These are all quite small, and they don't seem to be .NET dll's. Viewing them in a hex editor, they kind of look like they're .rsrc resource files, probably with 1 image per .dll?[/li][/ul][div]
They might be skins actually..[/div][div]
[code]private string ResolveSkinId(string skinId)
{
string str = "_Strike7";
if (string.Compare("da3647e1-282e-443e-9c36-bdcf4f2d2424", skinId, true) == 0)
{
str = "_Strike7";
}
return str;
}[/code]
[code]0106A368-C9E3-4EFC-AADA-144FED720C83.dll S a i t e k C y b o r g 3 D R u m b l e
02A0DB55-B1EB-4B83-B5BD-3050FA2ECA54.dll M a d C a t z R . A . T . 5 M o u s e
0839B3FA-E3AE-40B3-BA24-2DF2E2C9C9F5.dll M a d C a t z R . A . T . 9 M o u s e
0F98C1CC-9561-4968-96D3-93188ED5A0C9.dll C y b o r g V . 3 P a d
14F77A73-1E44-4CD4-86F3-4AABD1DB018A.dll C y b o r g P a d - X B o x 3 6 0
18D74164-8B1D-4DDD-B9CE-28239D1C8DC9.dll C y b o r g K e y b o a r d
1C7F1EC4-4D7A-48AA-945A-8595191CA60A.dll T h r o t t l e P i t c h a n d M i x t u r e S y s t e m
1F1967C3-2852-4312-9EE7-2B2144B14457.dll S a i t e k A v i a t o r S t i c k
1F3F8912-ADAA-459E-9D68-A7B5292FD109.dll S a i t e k C y b o r g C o m m a n d U n i t
1F80B81E-E7C2-4EA7-8C3B-CD29EFBE7DCE.dll S a i t e k G a m i n g M o u s e
2490C186-24F0-4415-8386-3CE127668223.dll C y b o r g M . M . O . 7 C o n t a g i o n
27B450F2-C4A5-4174-AFEB-79E7F4FBC2E9.dll S a i t e k S T 2 9 0
2E2BD570-B641-4BE2-B24D-0292A6ECB68E.dll C y b o r g V . 5 P a d
2E6CEC68-F3B2-4870-8E35-6AB2D817AF9A.dll C y b o r g M o u s e
2F3358AE-43C4-4A02-9F10-C812F41D72E9.dll C y b o r g M . M . O . 7
2F5BFA24-2EF9-4CB1-BECB-3FBDC054962B.dll C y b o r g R . A . T . 7 C o n t a g i o n
330F06C3-F6C5-11D4-9775-00A0CC61AECB.dll S a i t e k C y b o r g 3 D F o r c e
33ED8FFE-BA2B-4ae0-AE6F-9801EABB395B.dll S a i t e k P r o G a m e r C o m m a n d U n i t
34584B18-F56A-479C-BD9A-32FB25E84DB3.dll C y b o r g V . 3 M o u s e
37D6EB8C-03A3-4C5D-8F6C-896F31BBE98D.dll C o m b a t R u d d e r P e d a l s
390E3043-470C-40F8-836A-BB02A2D3B563.dll U n k n o w n D e v i c e
447D7623-0A5B-48BA-8BB1-F608CE4D4CA4.dll C y b o r g R . A . T . 3 M o u s e
48FA7494-A60B-4238-B32F-043129BA03C5.dll C y b o r g X (256kb!)
49BEA0EA-70C3-4DD7-972D-FE515858164B.dll M a d C a t z V . 5 K e y b o a r d (268kb!)
49ECC75B-2A50-4FD8-8E85-E724F454C3B1.dll M a d C a t z M . M . O . 7
4DF4F6F5-D2EA-4CE6-A686-1C65E67FDF96.dll M a d C a t z V . 1 S t i c k
5159D4CE-D926-4A60-8B1A-92BA10E1A045.dll S a i t e k P 2 9 0 0 W i r e l e s s P a d
52DE43C5-1AA9-4729-AD6D-B9CE8BDD8FEF.dll e c l i p s e l i t e t o u c h k e y b o a r d ( w i r e l e s s )
58CF827B-13D4-42AA-AAB9-9130D438AECA.dll C y b o r g V . 1 P a d
59BEA7DB-4D7D-45A2-A64E-304307061E05.dll C y b o r g R . A . T . 7 I n f e c t i o n
5DF93ED5-F922-46BE-9B05-BECA5D2D333C.dll S a i t e k P S 1 0 0 0 P a d
5E0173F9-2A49-44EE-840E-9B238819695B.dll P r o F l i g h t C e s s n a T r i m W h e e l
601A4842-0FE2-4A66-A24F-A2ACDE70D011.dll S a i t e k G M 2 4 0 0 G a m i n g M o u s e
67D281E3-6A23-4AA5-8551-CC66E26DB6EF.dll M a d C a t z V 7 K e y b o a r d
7030F477-B915-4466-952D-A0B209E413EE.dll S a i t e k O f f i c e L a s e r M o u s e
75BB6CC8-FB40-4BE1-BF2B-4B10397A98A8.dll S a i t e k X 5 2 P r o F l i g h t C o n t r o l l e r
7748F4B5-3F39-48B0-AAA0-CD862AC8A98F.dll C y b o r g R . A . T . 5 M o u s e
7B27B621-5A6D-4A99-8E59-096FA6439D58.dll S a i t e k P 2 6 0 0 R u m b l e P a d
7C516467-75AE-4D8E-B52F-18DB72B8D751.dll S a i t e k C y b o r g E v o
7D2B9A04-6165-4347-81F4-14C122C1560B.dll P r o F l i g h t C e s s n a R u d d e r P e d a l s
7DF6F720-CE98-436D-A73D-B2777D9B3A82.dll S a i t e k P r o F l i g h t R u d d e r P e d a l s
7EF980A4-0727-47F8-857C-8D67979DA1E2.dll C y b o r g R . A . T . 3 M o u s e
7FAF063C-AB2D-445C-90DD-E9A1588ACE7F.dll S a i t e k P 3 2 0 0 P a d - X B o x 3 6 0
80205D18-DAE9-432B-B8B8-4271294CEFE2.dll F . L . Y . 5 (256kb!)
80937975-9440-4a57-B5EE-33E7AA6FB3B7.dll S a i t e k P r o F l i g h t Y o k e
81CCB64C-CF54-431C-886D-D101762FDC62.dll C y b o r g R . A . T . 9 M o u s e
86C19909-59E2-4F34-8269-4CB11C955864.dll S a i t e k P 9 9 0 P a d
8BCB5851-4DE6-4631-9EAA-C5E9C4B12FED.dll P r o F l i g h t C e s s n a Y o k e
8EFDCDF6-8466-440E-A349-9682D900BAD6.dll C a l l O f D u t y : B l a c k O p s - S t e a l t h P a d
9089E681-30AB-4A7F-901B-20E9634CE580.dll C y b o r g R . A . T . 5 M o u s e
91600663-2DD5-4E99-BAFE-2862648EE5BC.dll e c l i p s e l i t e t o u c h k e y b o a r d
92DD6D76-858B-4408-A8AE-89376599E0B7.dll M a d C a t z S . T . R . I . K . E . 5 K e y b o a r d
949A1EC1-F75B-11D4-9775-00A0CC61AECB.dll S a i t e k X 4 5 F l i g h t C o n t r o l l
99542E39-B29A-43CC-83DD-D576DE170BA2.dll B I P (??)
9A81C564-ED3F-41E0-B03E-5AF8A9EB1148.dll S a i t e k G a m e r s K e y b o a r d
A14F7A98-E8C4-42E9-9A94-8A21EFF2AAF1.dll S a i t e k P S 2 7 0 0 P a d
A3ACAC5D-573C-412E-B7FE-42B1EE5437C2.dll C y b o r g V . 1 K e y b o a r d (270kb!)
A8020A45-78A7-4A6F-9A6B-AB51793091DD.dll M a d C a t z R . A . T . 3 M o u s e
AD4560DB-1749-405C-A571-B09790FD7FC4.dll C y b o r g R . A . T . 9 M o u s e
B2A6C52E-4E2B-41B7-B7A8-1AF348A21993.dll C y b o r g V . 1 S t i c k
B6CA1DFF-2D5A-40DB-A847-91CA7D17E550.dll S a i t e k R 6 6 0 F o r c e W h e e l
B822F88B-0CAC-40C6-8D2F-4C99A5EA30CA.dll S a i t e k S T 2 9 0 P r o
BBFD3DED-F37C-4F35-B782-E532044F3129.dll C y b o r g V . 5 K e y b o a r d (268kb!)
C0793304-7A8C-47D1-8EE2-975FFF656C2F.dll S a i t e k C y b o r g E v o F o r c e
C19A7A60-CF1B-4ABA-884E-0CE192D4FA73.dll S a i t e k P r o F l i g h t T h r o t t l e Q u a d r a n t
C47931CE-E58A-4C54-AADB-BA2F3E5659A5.dll S a i t e k P a c i f i c A v i a t o r S t i c k
C7719F41-F667-4514-BBB4-3F38C9E4D05A.dll S a i t e k X 5 2 F l i g h t C o n t r o l l e r
CBE74543-4508-462F-85B3-6E55F23781CA.dll S a i t e k X 6 5 F l i g h t C o n t r o l l e r
CDAFC361-948A-4973-989A-29AFFDEF280F.dll C a l l O f D u t y : B l a c k O p s - S t e a l t h M o u s e
DA3647E1-282E-443E-9C36-BDCF4F2D2424.dll C y b o r g S t r i k e 7 K e y b o a r d
E035F32E-0437-4096-A26B-04FCC4A203A9.dll M o d e r n W a r f a r e 2 P a d (135kb!)
E5893414-1FDC-4FA3-BBBD-2C81CA30253D.dll S a i t e k G M 3 2 0 0 M o u s e
EB42C7F6-6DBF-4697-A334-DDD114EF50F5.dll M a d C a t z R . A . T . 7 M o u s e
EBD1EFF2-E21C-4E06-B8AE-B1B96E38BBCB.dll C y b o r g R . A . T . 7 A l b i n o
ECF12411-4C28-47CE-9CC1-E3C29D0ED825.dll C y b o r g R . A . T . 7 M o u s e
ED4547F0-F3AC-468C-8E4A-49C4B100C167.dll M a d C a t z S t r i k e 7 K e y b o a r d
EFD31026-2D58-477D-9BC0-136C46F8C4D1.dll S a i t e k C y b o r g R u m b l e P a d
FA5BD368-039F-4360-882D-6AAE5D56557E.dll C y b o r g R . A . T . 7 M o u s e
FDB18F33-ADC1-4f25-BB3A-7469F0CF5536.dll S a i t e k C y b o r g E v o W i r e l e s s
[/code]
[/div]
Makes use of a LOT of .dll's. Some of these appear to be native win32, but a bunch of them seem to be .NET. I believe the profile editor itself is written in .NET too. Haven't spent much time looking into the functions each dll exports, but I see a couple of possibilities here.
[ol type="decimal"][li]Modify/create new dll's to provide functionality that doesn't currently exist (be it actual functionality, or just resources such as images/etc)[/li][li]Analyse the current functionality of the profile editor/etc to determine how it communicates with the keyboard[/li][/ol][div]
For the USB communication/interface, I would probably start looking at MadCommLib.dll, Saitek.Multiplexer.dll, Saitek.Pipes.dll and Saitek.Devices.dll (and anything that calls/uses them)[/div]
[b]USB Interface[/b]
I have a bunch of info on this (from [i]lsusb -vv[/i]), but it's on my laptop. In short, an internal USB hub, 4 devices (buttons, keyboard, numpad, venom screen). Venom has 2 endpoints (read/write) in bulk mode.
Got a lot of details, but didn't get so far with actually communicating with the device (using pyusb)
Having seen some of the info/details in MadCommLib I think it would be much easier to come up with a working standalone solution. (Hint: Strike7.Launcher -> Event_ApplyButton_Click, Thread_SendFile(), /mnt/data/programlaunch.xml, etc) From what I've seen, it looks like you should be able to send/overwrite(?)/maybe read arbitrary files to/from the venom.
[b]Firmware[/b]
This was done with [i]Strike_7_Firmware_r37.exe[/i]
Ran it, let it extract to temp then cancelled the update: [i]C:\Windows\temp\MadCatz\Cyborg_Strike_7_Firmware_SD7_32And64Bits_Firmware\00000037[/i]
[ul type="disc"][li][i]MCFU.exe[/i] - This is the flashing utility that runs when you run the installer. May be some interesting stuff in it, maybe not.[/li][li][i]Profiles/[/i][/li][li][ul type="disc"][li][i]0x11a9/ - [/i]Not sure of the differences between these 2 folders, they look more or less the same. I assume one is 32bit and the other 64bit[/li][li][i]0x1109/ - [/i]Not sure of the differences between these 2 folders, they look more or less the same. I assume one is 32bit and the other 64bit[/li][/ul]
[/li][/ul][div]Inside 0x11a9 && 0x1109
[ul type="disc"][li][i]player.ini[/i][/li][li][code][PROFILE]
PLAYER=MX23 Linux Update
VERSION=2
[OPERATIONS]
UTP_UPDATE=OS Firmware,120,1
[OS Firmware]
UCL_INSTALL_SECTION=Singlechip NAND[/code]
[/li][li][i]OS Firmware/[/i]
[ul type="disc"][li style="font-style:italic;"]files/[/li][li][ul type="disc"][li style="font-style:italic;"]big_rootfs.tar.bz2 - The bulk of the linux os filesystem (bin, dev, etc)[/li][li][ul type="disc"][li][i][b]/usr/bin/Strike [/b]-[/i] 16mb file, relevant sounding name, titlecased when all others are lowercase. My guess would be this is the main program running the interface/etc. Would need to extract it and run it on a linux machine and/or reverse it to be sure.
[i]/etc/busybox.conf -[/i] Not sure of the relevance, but may be useful?
[code][SUID]
su = ssx root.root
passwd = ssx root.root
[/code]
[/li][li][i]/etc/passwd - [/i]List of user accounts (only shown the one with a password in the shadow file)
[code]user:x:500:500:Linux User,,,:/home/user:/bin/sh[/code][/li][li][span style="font-style:italic;"]/etc/shadow - [/span]List of hashed passwords (only 1 account has a password associated/is unlocked)
[code]user:$1$pJefShJL$CoX8T20vn1g.ug0jZIczM.:11851:0:99999:7:::
[/code]
[/li][/ul][/li][li][span style="font-style:italic;"]data.tar.bz2 - [/span]Not sure exactly what/how the files are used[/li][li][ul type="disc"][li][i]keyboard_backlight[/i] - First 2 columns could be hex color codes?
[code style="font-style:italic;"]ff0000 ff0000 3f 00
0000ff 0000ff 3f 00
ff00ff ff00ff 3f 00
[/code][/li][li][i]screen_backlight
[code]50 0
stop
[/code][/i][/li][/ul][/li][li][i]imx23_linux.sb - [/i]I'm pretty sure this is the bootloader/kernel (see&nbsp;https://github.com/thomas41546/Olinuxino-Micro-Bootlets)[/li][/ul][/li][li][span style="font-style:italic;"]fdisk-u.input[/span] - Not sure what this is for[/li][li][span style="font-style:italic;"]ucl.xml - [/span]This appears to be where the main logic of the flashing process happens. Be careful if you're going to hack any of this stuff, as if you don't know what you're doing it's quite likely you'll brick your keyboard.
[code style="font-style:italic;"]<!--
* The CFG element contains a list of recognized usb devices.
* DEV elements provide a name, class, vid and pid for each device.
*
* Each LIST element contains a list of update instructions.
* "Install" - Erase media and install firmware.
* "Update" - Update firmware only.
*
* Each CMD element contains one update instruction of attribute type.
* "pull" - Does UtpRead(body, file) transaction.
* "push" - Does UtpWrite(body, file) transaction.
* "drop" - Does UtpCommand(body) then waits for device to disconnect.
* "boot" - Finds configured device, forces it to "body" device and downloads "file".
* "find" - Waits for the "body" device to connect.
* "show" - Parse and show device info in "file".
-->
<UCL>
<CFG>
<STATE name="Recovery" dev="IMX233"/>
<STATE name="Updater" dev="Updater" />
<DEV name="IMX233" vid="066F" pid="3780"/>
<DEV name="Updater" vid="066F" pid="37FF" />
</CFG>
<LIST name="Singlechip NAND" desc="Install on singlechip NAND">
<CMD type="boot" body="Recovery" file="updater.sb" timeout="60">Booting update firmware.</CMD>
<CMD type="find" body="Updater" timeout="180"/>
<CMD type="push" body="mknod class/mtd,mtd0,/dev/mtd0"/>
<CMD type="push" body="mknod class/mtd,mtd1,/dev/mtd1"/>
<CMD type="push" body="mknod class/misc,ubi_ctrl,/dev/ubi_ctrl"/>
<CMD type="push" body="$ flash_eraseall /dev/mtd0">Erasing rootfs partition - mtd0</CMD>
<CMD type="push" body="$ flash_eraseall /dev/mtd1">Erasing rootfs partition - mtd1</CMD>
<CMD type="push" body="send" file="files/imx23_linux.sb">Sending firmware - kernel</CMD>
<CMD type="push" body="$ kobs-ng init $FILE">Flashing firmware - kernel</CMD>
<CMD type="push" body="$ ubiattach /dev/ubi_ctrl -m 1 -d 0">Attaching UBI partition - control</CMD>
<CMD type="push" body="mknod class/ubi,ubi0,/dev/ubi0"/>
<CMD type="push" body="$ ubimkvol /dev/ubi0 -n 0 -N rootfs0 -s 80MiB">Creating UBI volumes - rootfs0</CMD>
<CMD type="push" body="$ ubimkvol /dev/ubi0 -n 1 -N data -m">Creating UBI volumes - data</CMD>
<CMD type="push" body="$ mkdir -p /mnt/ubi0; mount -t ubifs ubi0_0 /mnt/ubi0" />
<CMD type="push" body="$ mkdir -p /mnt/ubi1; mount -t ubifs ubi0_1 /mnt/ubi1" />
<!-- <CMD type="push" body="pipe tar -jxv -C /mnt/ubi0" file="files/big_rootfs.tar.bz2">Transfer rootfs0</CMD> -->
<CMD type="push" body="send" file="files/big_rootfs.tar.bz2" timeout="180">Sending firmware - rootfs</CMD>
<CMD type="push" body="$ cd /mnt/ubi0; tar -xjf $FILE; cd /" timeout="300">Updating firmware - rootfs</CMD>
<CMD type="push" body="send" file="files/data.tar.bz2" timeout="180">Sending firmware - data</CMD>
<CMD type="push" body="$ cd /mnt/ubi1; tar -xjf $FILE; cd /" timeout="180">Updating firmware - data</CMD>
<CMD type="push" body="frf">Finish Flashing NAND</CMD>
<CMD type="push" body="$ umount /mnt/ubi0">Unmounting - ubi0</CMD>
<CMD type="push" body="$ umount /mnt/ubi1">Unmounting - ubi1</CMD>
<CMD type="push" body="$ echo Update Complete!">Done</CMD>
<!--
The below commands will trigger reboot
<CMD type="push" body="!3">Done</CMD>
-->
</LIST>
<LIST name="SD" desc="Install to SD card">
<CMD type="boot" body="Recovery" file="updater.sb">Booting update firmware</CMD>
<CMD type="find" body="Updater" timeout="180"/>
<CMD type="push" body="mknod block,mmcblk0,/dev/mmcblk0,block"/>
<CMD type="push" body="send" file="fdisk-u.input">Sending fdisk input</CMD>
<CMD type="push" body="$ fdisk -u /dev/mmcblk0 < $FILE">Partitioning SD card</CMD>
<CMD type="push" body="mknod block/mmcblk0,mmcblk0p1,/dev/mmcblk0p1,block"/>
<CMD type="push" body="mknod block/mmcblk0,mmcblk0p2,/dev/mmcblk0p2,block"/>
<CMD type="push" body="mknod block/mmcblk0,mmcblk0p3,/dev/mmcblk0p3,block"/>
<CMD type="push" body="send" file="files/imx23_linux.sb">Sending u-boot image</CMD>
<CMD type="push" body="$ dd if=$FILE of=/dev/mmcblk0p2 bs=512 seek=4 conv=sync,notrunc">Writing Linux Kernel</CMD>
<CMD type="push" body="$ mkfs.ext3 -j /dev/mmcblk0p3">Formatting rootfs partition</CMD>
<CMD type="push" body="$ mkdir -p /mnt/mmcblk0p3"/>
<CMD type="push" body="$ mount /dev/mmcblk0p3 /mnt/mmcblk0p3"/>
<CMD type="push" body="pipe tar -jxv -C /mnt/mmcblk0p3" file="files/big_rootfs.tar.bz2">Sending and writting rootfs</CMD>
<CMD type="push" body="frf">Finishing rootfs write</CMD>
<CMD type="push" body="$ umount /mnt/mmcblk0p3">Unmounting rootfs partition</CMD>
<CMD type="push" body="$ echo Update Complete!">Done</CMD>
<!--
The below commands will trigger reboot
<CMD type="push" body="!3">Done</CMD>
-->
</LIST>
</UCL>
[/code]
[/li][li][span style="font-style:italic;"]updater.sb - [/span]Updater firmware.[/li][/ul]
[/li][/ul][/div]
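The ucl.xml command list above can be inventoried before anything is flashed. The following is an added example, not part of the original post or the vendor's tooling: it parses a constructed excerpt of the manifest, classifies each step, and lists the files sent and the commands that erase or rewrite storage. The meaning given to the push bodies ($, send, pipe, mknod, frf) is read off the manifest's own step descriptions, the tool-name sets are assumptions, and the raw < in the SD list's fdisk step (which a strict XML parser rejects) is escaped before parsing.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt: a few steps from each LIST of the ucl.xml quoted above.
UCL_SAMPLE = '''<UCL>
<CFG>
<STATE name="Recovery" dev="IMX233"/>
<STATE name="Updater" dev="Updater" />
<DEV name="IMX233" vid="066F" pid="3780"/>
<DEV name="Updater" vid="066F" pid="37FF" />
</CFG>
<LIST name="Singlechip NAND" desc="Install on singlechip NAND">
<CMD type="boot" body="Recovery" file="updater.sb" timeout="60">Booting update firmware.</CMD>
<CMD type="find" body="Updater" timeout="180"/>
<CMD type="push" body="mknod class/mtd,mtd0,/dev/mtd0"/>
<CMD type="push" body="$ flash_eraseall /dev/mtd0">Erasing rootfs partition - mtd0</CMD>
<CMD type="push" body="send" file="files/imx23_linux.sb">Sending firmware - kernel</CMD>
<CMD type="push" body="$ kobs-ng init $FILE">Flashing firmware - kernel</CMD>
<CMD type="push" body="send" file="files/big_rootfs.tar.bz2" timeout="180">Sending firmware - rootfs</CMD>
<CMD type="push" body="$ cd /mnt/ubi0; tar -xjf $FILE; cd /" timeout="300">Updating firmware - rootfs</CMD>
<CMD type="push" body="frf">Finish Flashing NAND</CMD>
</LIST>
<LIST name="SD" desc="Install to SD card">
<CMD type="boot" body="Recovery" file="updater.sb">Booting update firmware</CMD>
<CMD type="push" body="send" file="fdisk-u.input">Sending fdisk input</CMD>
<CMD type="push" body="$ fdisk -u /dev/mmcblk0 < $FILE">Partitioning SD card</CMD>
<CMD type="push" body="pipe tar -jxv -C /mnt/mmcblk0p3" file="files/big_rootfs.tar.bz2">Sending and writting rootfs</CMD>
</LIST>
</UCL>'''

# Assumed tool-name sets (not from the vendor): storage writers and verifiers.
MEDIA_WRITERS = {"flash_eraseall", "kobs-ng", "ubimkvol", "fdisk", "dd"}
VERIFIERS = {"sha256sum", "sha1sum", "md5sum", "openssl", "gpg"}


def repair(text):
    """Escape raw '<' inside attribute values (the SD list has one)."""
    return re.sub(r'="[^"]*"', lambda m: m.group(0).replace("<", "&lt;"), text)


def is_well_formed(text):
    """True if a strict XML parser accepts the text unchanged."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def classify(cmd_type, body):
    """Map one CMD to a step kind; push bodies are split by their prefix."""
    if cmd_type != "push":
        return cmd_type                      # boot, find, pull, drop, show
    if body.startswith("$ "):
        return "shell"                       # command line run on the device
    if body.startswith("!"):
        return "reboot"
    word = body.split(" ", 1)[0]
    known = {"send": "send", "pipe": "pipe", "mknod": "mknod", "frf": "finish"}
    return known.get(word, "other")


def audit(text):
    """Return (devices, per-LIST report) for a UCL manifest."""
    root = ET.fromstring(repair(text))
    devices = {d.get("name"): (d.get("vid"), d.get("pid")) for d in root.iter("DEV")}
    report = {}
    for lst in root.iter("LIST"):
        steps, files, writers, verified = [], [], [], False
        for cmd in lst.iter("CMD"):
            body = cmd.get("body", "")
            kind = classify(cmd.get("type"), body)
            steps.append(kind)
            if cmd.get("file"):
                files.append(cmd.get("file"))
            if kind in ("shell", "pipe"):
                words = re.findall(r"[\w.+-]+", body)
                writers += [w for w in words
                            if w in MEDIA_WRITERS or w.startswith("mkfs")]
                verified = verified or any(w in VERIFIERS for w in words)
        report[lst.get("name")] = {"steps": steps, "files": files,
                                   "media_writers": writers, "verified": verified}
    return devices, report


if __name__ == "__main__":
    devices, report = audit(UCL_SAMPLE)
    print(devices)
    for name, info in report.items():
        print(name, info)
```

Commented-out CMD elements (such as the reboot step) are skipped by the parser, so only the steps the flasher would actually run are reported.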
[b]Miscellaneous Info[/b]
For the sake of keeping things together, I will list here the miscellaneous other info I or others have gathered/mentioned as I come across it.
[ul type="disc"][li][CPU] xeonic: http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=i.MX233 Nov 24, 2013 at 10:55am[/li][/ul]
[b]Moving forward[/b]
Depending how my interest holds I might continue working on this project, or I might put it to the side. Either way, this should serve as a decent'ish starting ground for anyone wanting to dig in and have a go.
Happy hacking!!
- Glenn /devalias (http://www.devalias.net/)
# Researched By: Glenn 'devalias' Grant (http://devalias.net)
# License: The MIT License (MIT) - Copyright (c) 2013 Glenn 'devalias' Grant (see http://choosealicense.com/licenses/mit/ for full license text)
No worries :) Glad to help out!
Been having a bit more of a look around, won't post the full files here (adding them to https://gist.github.com/alias1/7652064 where appropriate), but a few more things of interest:
/etc/rc.d/rcS
[code]if [ -x /etc/rc.d/rc.madcatz ]
then
echo "Running STRIKE services..."
/etc/rc.d/rc.madcatz $mode
else
echo "/etc/rc.d/rc.madcatz is not executable!"
fi[/code]
/etc/rc.d/rc.madcatz
[code]# Daemons to start at init, order is important for the multiplexer and its children
DAEMONS="HidDaemon KeyboardDaemon VendorDaemon multiplexer dateTime mcp"
TS_CALIB=/mnt/data/config/pointercal
KEYMAP_FILE=/sys/kernel/strike7_kb/strike7_kb_api/keymap
KEYMAP_SAVE=/mnt/data/keymap
QMAP_FILE=""
...<snip>...
# Check for backup directory
if [ ! -d /mnt/data/config ]
then
mkdir -p /mnt/data/config
fi
...<snip>...
# Assing the Keymap
echo "Keymap - ${KEYMAP}"
if [ $KEYMAP -eq "1" ]
then
echo "Keymap UK"
QMAP_FILE="/etc/qt/gb.qmap"
elif [ $KEYMAP -eq "2" ]
then
echo "Keymap US"
# This is the default mapping
QMAP_FILE=""
elif [ $KEYMAP -eq "3" ]
...<snip>...
#
# Watchdog
#
if [ -x /sbin/watchdog ]
then
echo "Starting watchdog"
/sbin/watchdog -T 15 -t 5 /dev/watchdog
else
echo "watchdog is not executable!"
fi
# TOUCH SCREEN
# Fixup the Touch screen interface
export TSLIB_TSDEVICE="/dev/input/ts0"
export TSLIB_CALIBFILE=$TS_CALIB
export TSLIB_CONFFILE="/etc/ts.conf"
export TSLIB_PLUGINDIR="/usr/lib/ts"
export TSLIB_FBDEVICE="/dev/fb0"
if [[ -f "$TS_CALIB" && -s "$TS_CALIB" ]]
then
echo "Touch Screen calibrated"
else
# Remove file if it exists
if [ -f "$TS_CALIB" ]
then
rm "$TS_CALIB"
fi
echo "Calibrating Touch Screen ..."
/usr/bin/ts_calibrate
fi
...<snip>...
# QT STRIKE APPLICATION
if [ -x /usr/bin/Strike ]
then
export QWS_MOUSE_PROTO=tslib:/dev/input/ts0
#export QWS_DISPLAY="transformed:rot90:0"
export POINTERCAL_FILE=$TS_CALIB
# Check QMAP file
if [[ -n "${QMAP_FILE}" && -e "${QMAP_FILE}" ]]
then
export QWS_KEYBOARD="LinuxInput:/dev/input/event0:disable-zap:keymap=${QMAP_FILE}"
else
export QWS_KEYBOARD="LinuxInput:/dev/input/event0:disable-zap"
fi
/usr/bin/Strike -qws &
else
echo "Strike (Qt) not executable"
fi
[/code]
/etc/rc.d/reboot_recovery
[code]...<snip>...
#
# Working
# For working we can not print out debug as we are probably being called
# from a daemon with no stdin/stdout/stderr.
#
killall watchdog
echo -n 1 > "/sys/devices/platform/mxs-persistent.0/FORCE_RECOVERY"
/sbin/reboot
[/code]
/usr/bin/Strike
Strike is an ARM compiled program ([i]file Strike[/i] output: Strike: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), not stripped), moved it across to my raspi to play around with.
Requirements:
[code]libjpeg.so.62
libtiff.so.3
libts-1.0.so.0
libpng.so.3
QtEmbedded-4.7.4 (technically just the folder structure and arial.ttf)[/code]
So one possible solution would be:
[code]apt-get install libjpeg62 libts-0.0-0 libpng3
cd /usr/lib && ln -s /usr/lib/arm-linux-gnueabihf/libtiff.so.4 libtiff.so.3
cd /usr/lib && ln -s /usr/lib/arm-linux-gnueabihf/libts-0.0.so.0 libts-1.0.so.0
mkdir -p /usr/local/Trolltech/QtEmbedded-4.7.4-arm/lib/fonts
# copy arial.ttf into the above folder (e.g. using scp or similar)[/code]
Alternately, these could probably all be ripped out of the image file for use.
Anyway, this all finally got me to the following:
[code]./Strike: relocation error: ./Strike: symbol powf, version GLIBCxx_3.4 not defined in file libstdc++.so.6 with link time reference[/code]
A little googling seems to imply this might be due to an outdated/incompatible libstdc++. Decided to call it on this one for now. Technically none of this should matter with regards to getting something running on the VENOM, though thought it might be cool to get the Strike program running on a separate device (and could make debugging/analysing the program/protocol potentially easier). May look at this aspect again later.
# Researched By: Glenn 'devalias' Grant (http://devalias.net)
# License: The MIT License (MIT) - Copyright (c) 2013 Glenn 'devalias' Grant (see http://choosealicense.com/licenses/mit/ for full license text)
Had a little bit of a look into usbmuxd (used for ssh to iphone over usb), but doesn't look like it'll apply/work in this case.
Ran the passwd/shadow files through a password cracker (john)
[ul type="disc"][li][i]root[/i] has no password[/li][li][i]user[/i] has password [i]user[/i][/li][/ul]
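The same account review can be repeated mechanically on any extracted rootfs. This is an added example, not from the original post: it joins passwd and shadow entries, names the hash scheme from its crypt(3) prefix, decodes the last-change day and flags empty passwords. The user lines are the ones quoted earlier on this page; the root lines are constructed to exercise the empty-password check, since the post does not show them.

```python
from datetime import date, timedelta

# The "user" lines are the ones quoted in the post. The "root" lines are
# constructed to exercise the empty-password check; the post does not show them.
PASSWD = """root:x:0:0:root:/root:/bin/sh
user:x:500:500:Linux User,,,:/home/user:/bin/sh"""
SHADOW = """root::11851:0:99999:7:::
user:$1$pJefShJL$CoX8T20vn1g.ug0jZIczM.:11851:0:99999:7:::"""

# crypt(3) scheme identifiers found between the first two '$' of a hash.
SCHEMES = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}
WEAK = {"md5-crypt", "des-crypt"}
NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def password_state(field):
    """Classify the password field of a passwd or shadow entry."""
    if field == "":
        return "empty"                 # anyone can log in without a password
    if field[0] in "!*":
        return "locked"                # password login disabled
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], "unknown")
    return "des-crypt"                 # traditional crypt has no '$' prefix


def audit_accounts(passwd_text, shadow_text):
    """Return one finding dict per passwd entry."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            shadow[fields[0]] = fields
    results = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                   # skip malformed lines
        name, pw, uid, shell = fields[0], fields[1], int(fields[2]), fields[6]
        entry = shadow.get(name)
        if pw == "x":                  # 'x' means the real field lives in shadow
            state = password_state(entry[1]) if entry else "no shadow entry"
        else:
            state = password_state(pw)
        issues = []
        if state == "empty" and shell not in NOLOGIN:
            issues.append("login shell with empty password")
        if state == "empty" and uid == 0:
            issues.append("uid 0 with empty password")
        if state in WEAK:
            issues.append("weak hash scheme: " + state)
        changed = None
        if entry and entry[2].isdigit():
            # third shadow field: days since 1970-01-01 of last password change
            changed = (date(1970, 1, 1) + timedelta(days=int(entry[2]))).isoformat()
        results.append({"name": name, "uid": uid, "state": state,
                        "changed": changed, "issues": issues})
    return results


if __name__ == "__main__":
    for finding in audit_accounts(PASSWD, SHADOW):
        print(finding)
```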
Next step would be to either manually flash a file onto the venom, or investigate the .NET usb interfacing stuff (as it appears to be able to write/potentially read arbitrary files from the venom filesystem)
(Might get delayed a bit since windows has decided to stop recognising my keyboard now too.. :S Works fine on everything else, so must have screwed up the usb drivers with some of the stuff I was playing with for usb packet capturing)
So, it looks like flashing files across should work fine. Tried executing a bash script to give a hello world, but doesn't seem to want to work :( (so much for easy wins!)
Strike seems to be a static compiled qt-embedded application for ARM. Been playing around a little trying to setup a build/cross compile environment to put together a little test app, but not an area I'm experienced in particularly, so haven't got anything to share in that aspect at this stage. Bonus of using qt-embedded though is it pretty much handles all of the keyboard/touchscreen stuff automagically.
Not sure at this stage what handles the keyboard passthrough to the computer, and what lets the keyboard work on the VENOM only. It should be controllable somehow from the VENOM as the note taking app lets you write directly into it (unless it's actually sending the keystrokes to the computer and then back down to the Strike software, which is a possibility).
Haven't spent any time looking into the .NET reversing and putting together a test program for 'talking' to the keyboard, but that will probably be my next step (as this cross compiling/qt stuff is a little draining :p)
(PS: I saw there was some talk of donations/etc type stuff. I definitely don't expect anything for this, the challenge, getting my name out and helping the community is more than enough. Though, that being said, I am human, and won't turn down $$ :p I set up a bitcoin wallet for it if anyone feels so inclined: 14ab53HryRsD1VLRtmperwKDtQrQPbVA4B)