TL866II Plus & TL866A/CS open source software (OEM software has malware)

[alkmar]

I had purchased a TL866II+ programmer about six months ago, upon scanning the included disc using VirusTotal.com it was fund to have malware by six scanning engines.  I recently tried to download the software directly from the OEM's website (autoelectric), and this too has malware. 

Lucky I ran across an open source solutions for using a TL866II+ or TL866A/CS which save this device from becoming eWaste. 

MiniPro (https://gitlab.com/DavidGriffith/minipro) application is a command-line Linux/Mac application which works for these programmers. 

This software can also update the firmware on these programmers, but you have to obtain the firmware file update.dat (A/CS) or updateII.dat (II+) from somewhere else.  One some what safe way is to download the programming application from autoelectric (but dont open or execute it).  I then used https://extract.me/ to unarvcive the RAR file and then again to compress the .EXE.  This allowed me to access only the update.dat or updateII.dat files needed for firmware updating.  Even their archive for the old A/CS version have malware!

Then you can use the open source MiniPro application along with the extracted update*.dat file to update your programmer to the latest version.  Its highly recommend that you do not try to uncompress a .RAR file from a untrusted source on your computer.  There are serious vulnerabilities in many RAR applications.

It's really a shame AutoElectric would seem support malware, as its hard to see how they wouldn't know its been in their distribution for awhile. 

All said, I hope the information can be helpful to others... Cheers! 

[mcovington]

How sure are we that the TL866 software actually contains malware?  Windows Defender does not find any malware in it.  Some virus scanners do give false alarms.  Has anything that came in with the TL866 software actually been observed doing harm?

[alkmar]

You are correct to point out that ever so often scanning engines will miss-attribute a behavior or sequence of bytes as a signature of malware.  That said VirusTotal scans items uploaded with 50+ engines, one I could attribute to an errant engine.  However then it gets flagged by six separate engines it gives me enough pause to seek another application/source. 

All said I don't have a proper sandbox setup to analyze what it's actually doing.  So I figured it was at least a good idea to warn others of the potential, in addition to let everyone know of a Unix solution too.

[james_s]

This is probably the most popular device programmer on the market and has been for around a decade. The software is far from great, but I think if it contained malware there would be an uproar by now. Most of the users are technical types, so somebody would have figured that out.

[mcovington]

Here is some background on VirusTotal:  https://en.wikipedia.org/wiki/VirusTotal

VirusTotal aggregates the results of many, many antivirus programs, not all of which are equally reliable.

Which of those antivirus programs say there is malware in the TL866 software, and what do they say about it?

Actually confirming the presence of malware would be very important.  But at this point that doesn't seem to have been done.

[rsjsouza]

To me, six AVs captured issues on the latest version 6.85


The older version 6.50 triggered only three AVs

[SparkyFX]

And these were obtained from the autoelectric.cn website?

[rsjsouza]

Yes. Version 6.50 I downloaded in 2016 (the executable is from 2015) and version 6.85 I downloaded about two months ago.

If you ask me, I think it is a false positive.

[JohnnyBerg]

I use this programmer for quite some time, dowloaded version 8.something from http://www.xgecu.com/en/

Never had a problem with it.

[rsjsouza]

Never had a problem with it.

As james_s also corroborated, I don't think the hundreds (thousands?) had a virus/trojan/spyware problem with the programmer software per se. I bought mine in 2014 or 2015 and it has been installed in more than one system without any shred of problems.

Interesting; I just uploaded one of our small (173kB) full custom command-line applications (not scanned regularly at all) and it took quite some time going through all the AV scanners. However, several other scans were absolutely instantaneous, thus this hints of cached information. I really couldn't find a way to re-scan.

(edit) there is a button to re-scan, which takes a given amount of time to complete. The results are the same. However, the detected threats vary wildly across the different engines. I wouldn't worry about this. Their heuristic algorithm and their database are being fooled.

[SparkyFX]

They don't seem to scan the file at all, they calculate it's checksum (hash) and compare it against various databases.

[macboy]

They don't seem to scan the file at all, they calculate it's checksum (hash) and compare it against various databases.

The hash is computed, and if the file hasn't been scanned before then it is scanned, which takes time (and resources). Otherwise cached scan results are used and the result is returned immediately. Obviously this is the only reasonable way to handle the workload.

[SparkyFX]

There is nothing wrong with the method of hashing the file and comparing that, as hash collisions are very unlikely. It is just that changes in the constantly improving detection algorithms will not be resolved by doing so. Database entries might outdate with updates of the scan engines and Virustotal seems to give no indication on if that could have been the case.

Scans for the V9.00 archive only shows a heuristic match, which is what it is. Unpacking the installer and then unpacking the installer executable gives you the folder structure. Individual scans of the included executables gives nothing but one "Grayware"-Detection for the UsbDriverIntall.exe (probably for displaying web content during install?).

[janoc]

To me, six AVs captured issues on the latest version 6.85
(Attachment Link)

The older version 6.50 triggered only three AVs
(Attachment Link)

That looks very much like a false positive - clues:

- Very different problem description by each antivirus (e.g. Sality is a executable infecting malware/rootkit/botnet, Powershell trojan is a script-based malware, i.e. a very different thing).

- It has been obviously found by heuristic scanning (which is notoriously unreliable and prone to false positives) and not by signature matching (generic/no problem description, one antivirus even says it is a result of the heuristics).

- None of the actual large reputable programs (e.g. Avast, NOD32, AVG, F-Prot) has found anything wrong there, only a few minor players. Of course it is possible that e.g. BitDefender or ClamAV have some secret sauce that the major players don't or maybe someone like Avast could be in cahoots with the malware author, but that is, frankly, extremely unlikely - versus a crap result from a poor antivirus program.

- Some of the antivirus programs listed are known for being junk - e.g. McAfee or Comodo and you are probably better off with just the basic Defender or even nothing at all.


In short, I wouldn't worry too much about it. It is most likely due to the antivirus software being triggered by some techniques the Minipro USB driver installer or the driver itself uses and the antivirus flags it.

However, if you are concerned, you can always run the software in a VM to limit the possible damage. That's how I do it (using VirtualBox), even though in my case it is because I don't want to reboot to Windows whenever I need the programmer.

And re open source software - there is some as well:

https://gitlab.com/DavidGriffith/minipro/ (most recent)

https://github.com/wd5gnr/qtl866
https://github.com/wd5gnr/minipro

I have tried the WD5GNR one's back in the day, they worked but they don't seem to be maintained, so the selection of chips may be lacking.

[alkmar]

I also recently received a TL866CS (I needed the higher voltage programming ability for legacy eproms).  This software showed the following on VirtusTotal (see attached picture).  This package contained the professionally pressed (not burned) mini-CD with the software. 

I don't have a sandbox to run this stuff safely for testing (however I do trust results including FireEye, Palo Alto Networks, Sophos).  It was my intent to let others know in case there is some distributions containing malware.  If someone has a "sandbox" and is welling try using the files located on autoelectric.cn (these downloads get the same results). 

[janoc]

That's the same as above. Very likely a false positive due to inaccurate heuristic analysis. If you are worried, install Virtual Box and run it in there.

[alkmar]

Actually I have been successful with compiling and using the open source MiniPro programming software from David Griffith.  This allows me to use it on Unix via command line which is fairly handy.  So, ill continue using the open source code.  You suggestion of a virtualization layer is a good one too.

So far I have been able to programed the following:

D27C64-1
20UTINY85
SST39SF040-70-4C-PHE
ATF16V8B-15PU

Its a good and inexpensive little programmer, that's very handy when messing around with retro style computers.

[jesuscf]

The CLI for the TL866 (https://gitlab.com/DavidGriffith/minipro) now compiles and runs natively on Windows.  I used the gcc that comes with strawberry perl:

Code: [Select]

D:\Source\minipro>gcc --version
gcc (x86_64-posix-seh, Built by strawberryperl.com project) 8.3.0
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Run make:

Code: [Select]

D:\Source\minipro>make
gcc -g -O0 -Wall -std=c99 -DSHARE_INSTDIR="\"/usr/local/share/minipro\""   -c -o xml.o xml.c
gcc -g -O0 -Wall -std=c99 -DSHARE_INSTDIR="\"/usr/local/share/minipro\""   -c -o jedec.o jedec.c
gcc -g -O0 -Wall -std=c99 -DSHARE_INSTDIR="\"/usr/local/share/minipro\""   -c -o ihex.o ihex.c
gcc -g -O0 -Wall -std=c99 -DSHARE_INSTDIR="\"/usr/local/share/minipro\""   -c -o srec.o srec.c
gcc -g -O0 -Wall -std=c99 -DSHARE_INSTDIR="\"/usr/local/share/minipro\""   -c -o database.o database.c
gcc -g -O0 -Wall -std=c99 -DSHARE_INSTDIR="\"/usr/local/share/minipro\""   -c -o minipro.o minipro.c
gcc -g -O0 -Wall -std=c99 -DSHARE_INSTDIR="\"/usr/local/share/minipro\""   -c -o tl866a.o tl866a.c
gcc -g -O0 -Wall -std=c99 -DSHARE_INSTDIR="\"/usr/local/share/minipro\""   -c -o tl866iiplus.o tl866iiplus.c
gcc -g -O0 -Wall -std=c99 -DSHARE_INSTDIR="\"/usr/local/share/minipro\""   -c -o version.o version.c
gcc -g -O0 -Wall -std=c99 -DSHARE_INSTDIR="\"/usr/local/share/minipro\""   -c -o usb_win.o usb_win.c
gcc -g -O0 -Wall -std=c99 -DSHARE_INSTDIR="\"/usr/local/share/minipro\""   -c -o main.o main.c
gcc xml.o jedec.o ihex.o srec.o database.o minipro.o tl866a.o tl866iiplus.o version.o usb_win.o main.o -lsetupapi -lwinusb -o minipro


Test:

Code: [Select]

D:\Source\minipro>minipro -p 2764A@DIP28 -w total.hex
Found TL866II+ 04.2.123 (0x27b)
Warning: Firmware is newer than expected.
  Expected  04.2.122 (0x27a)
  Found     04.2.123 (0x27b)

VPP=12V, VDD=5.5V, VCC=5V, Pulse=1000us
Chip ID OK: 0x8908
Found Intel hex file.
Writing Code...  28.98Sec  OK
Reading Code...  0.21Sec  OK
Verification OK


[avrkris]

The CLI for the TL866 (https://gitlab.com/DavidGriffith/minipro) now compiles and runs natively on Windows.  I used the gcc that comes with strawberry perl:

Code: [Select]

D:\Source\minipro>gcc --version
gcc (x86_64-posix-seh, Built by strawberryperl.com project) 8.3.0
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Run make:

Code: [Select]

D:\Source\minipro>make
gcc -g -O0 -Wall -std=c99 -DSHARE_INSTDIR="\"/usr/local/share/minipro\""   -c -o xml.o xml.c


[code]
D:\Source\minipro>minipro -p 2764A@DIP28 -w total.hex
Found TL866II+ 04.2.123 (0x27b)
Warning: Firmware is newer than expected.
  Expected  04.2.122 (0x27a)
  Found     04.2.123 (0x27b)

VPP=12V, VDD=5.5V, VCC=5V, Pulse=1000us
Chip ID OK: 0x8908
Found Intel hex file.
Writing Code...  28.98Sec  OK
Reading Code...  0.21Sec  OK
Verification OK


hmm my compile under windows fails on jedec.o ... so something has changed:

C:\Users\Kris\Documents\MiniPro\minipro>make
process_begin: CreateProcess(NULL, which git, ...) failed.
Makefile:31: pipe: No error
process_begin: CreateProcess(NULL, which git, ...) failed.
Makefile:188: pipe: No error
"Creating version.h"
"#define GIT_BRANCH \""ormat:D | sed s/^.*\>\\s*//\"" >> version.h
"#define GIT_HASH \""ormat:H\"" >> version.h
"#define GIT_HASH_SHORT \""ormat:h\"" >> version.h
"#define GIT_DATE \""ormat:ci\"" >> version.h
"Creating version.c"
gcc -g -O0 -Wall -DSHARE_INSTDIR="\"/usr/local/share/minipro\""   -c -o xml.o xml.c
gcc -g -O0 -Wall -DSHARE_INSTDIR="\"/usr/local/share/minipro\""   -c -o jedec.o jedec.c
In file included from jedec.c:25:
version.h:1:1: error: expected identifier or '(' before string constant
 "/*"
 ^~~~

C:\Users\Kris\Documents\MiniPro\minipro>gcc --version
gcc (x86_64-posix-seh, Built by strawberryperl.com project) 8.3.0
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.


Any chance you can share the compiled binary?

thanks
Kris

[rsjsouza]

I never tried to build this but, usually when there is an error such as the one below, it indicates there is a utility or a path that cannot be found. I would check any spaces or special characters in paths, as well as any missing utility or even the actual path to GCC utilities (gcc, ar, etc.)

process_begin: CreateProcess(NULL,

[avrkris]

thanks, yeah I will need to spend some more time trying to figure it out, but wouldn't mind grabbing a compiled binary for windows if anyone has it already...

[jesuscf]

thanks, yeah I will need to spend some more time trying to figure it out, but wouldn't mind grabbing a compiled binary for windows if anyone has it already...

Once again I fall for the trickery of 'make'!  When make runs on Windows it looks for a Linux/Unix shell in the path; if it finds it, it will use it instead of the 'cmd' of Windows.  It so happens that I have Cygwin installed, so make uses that shell (I think is 'bash') where all the wonderful commands used by the 'makefile' all located.  That is why the 'makefile' worked so nicely in my system. Try running the attached .bat file (rename from .txt to .bat as .bat files are not permitted in this forum).  It creates the two version files (version.h and version.c) compiles all the source files using GCC, and links to minipro.exe.  I think it just needs GCC installed.  This is the output:

Code: [Select]

D:\Source\minipro2>makeminipro
D:\Source\minipro2>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o xml.o xml.c
D:\Source\minipro2>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o jedec.o jedec.c
D:\Source\minipro2>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o ihex.o ihex.c
D:\Source\minipro2>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o srec.o srec.c
D:\Source\minipro2>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o database.o database.c
D:\Source\minipro2>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o minipro.o minipro.c
D:\Source\minipro2>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o tl866a.o tl866a.c
D:\Source\minipro2>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o tl866iiplus.o tl866iiplus.c
D:\Source\minipro2>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o version.o version.c
D:\Source\minipro2>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o usb_win.o usb_win.c
D:\Source\minipro2>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o main.o main.c
D:\Source\minipro2>gcc xml.o jedec.o ihex.o srec.o database.o minipro.o tl866a.o tl866iiplus.o version.o usb_win.o main.o -lsetupapi -lwinusb -o minipro

This is the batch file, based on the source collected from the repository the day of this posting:

Code: [Select]

:: Create version.c
@echo /* > version.c
@echo  * This file is automatically generated.  Do not edit. >> version.c
@echo */ >> version.c
@echo #include "minipro.h" >> version.c
@echo #include "version.h" >> version.c

:: Create version.h
@echo /* > version.h
@echo  * This file is automatically generated.  Do not edit. >> version.h
@echo  */ >> version.h
@echo #define VERSION "0.5"  >> version.h
@echo #define GIT_BRANCH " master, refs/keep-around/f5d979a215b4c44e8f23dce918b283a9d7db4d72" >> version.h
@echo #define GIT_HASH "f5d979a215b4c44e8f23dce918b283a9d7db4d72"  >> version.h
@echo #define GIT_HASH_SHORT "f5d979a" >> version.h
@echo #define GIT_DATE "2021-01-03 14:04:08 -0800" >> version.h

gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o xml.o xml.c
gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o jedec.o jedec.c
gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o ihex.o ihex.c
gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o srec.o srec.c
gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o database.o database.c
gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o minipro.o minipro.c
gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o tl866a.o tl866a.c
gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o tl866iiplus.o tl866iiplus.c
gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o version.o version.c
gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o usb_win.o usb_win.c
gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o main.o main.c
gcc xml.o jedec.o ihex.o srec.o database.o minipro.o tl866a.o tl866iiplus.o version.o usb_win.o main.o -lsetupapi -lwinusb -o minipro


avrkris if you try this, please let us know how it goes.  I hadn't check if 'minipro.exe' actually works (I need to find my TL866II first!)

UPDATE: it works:

Code: [Select]

D:\Source\minipro2>minipro -p 2764A@DIP28 -w total.hex
Found TL866II+ 04.2.123 (0x27b)

VPP=12V, VDD=5.5V, VCC=5V, Pulse=1000us
Chip ID OK: 0x8908
Found Intel hex file.
Writing Code...  28.78Sec  OK
Reading Code...  0.19Sec  OK
Verification OK

D:\Source\minipro2>where minipro.exe
D:\Source\minipro2\minipro.exe


[avrkris]

your batch file made the magic:

C:\Users\Kris\Documents\MiniPro\minipro>makeminipro.bat
C:\Users\Kris\Documents\MiniPro\minipro>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o xml.o xml.c
C:\Users\Kris\Documents\MiniPro\minipro>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o jedec.o jedec.c
C:\Users\Kris\Documents\MiniPro\minipro>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o ihex.o ihex.c
C:\Users\Kris\Documents\MiniPro\minipro>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o srec.o srec.c
C:\Users\Kris\Documents\MiniPro\minipro>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o database.o database.c
C:\Users\Kris\Documents\MiniPro\minipro>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o minipro.o minipro.c
C:\Users\Kris\Documents\MiniPro\minipro>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o tl866a.o tl866a.c
C:\Users\Kris\Documents\MiniPro\minipro>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o tl866iiplus.o tl866iiplus.c
C:\Users\Kris\Documents\MiniPro\minipro>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o version.o version.c
C:\Users\Kris\Documents\MiniPro\minipro>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o usb_win.o usb_win.c
C:\Users\Kris\Documents\MiniPro\minipro>gcc -g -O0 -Wall -DSHARE_INSTDIR="." -c -o main.o main.c
C:\Users\Kris\Documents\MiniPro\minipro>gcc xml.o jedec.o ihex.o srec.o database.o minipro.o tl866a.o tl866iiplus.o version.o usb_win.o main.o -lsetupapi -lwinusb -o minipro
C:\Users\Kris\Documents\MiniPro\minipro>minipro.exe --presence_check
tl866a: TL866CS

So, yes it works now. Thank you for your help, that was super useful.

[kripton2035]

for the records, I compiled it on my mac and it works fine
for now it let me program an eeprom on a graphic card, directly on the board without desoldering it.
I also programmed a 16f628 pic but on the zif, it did not let me program it with icsp (or may be my icsp hardware is wrong I must investigate this)

[brufnus]

One thing to consider is the the fact that many EPROM burning software tools pretty much resembles programs for flashing a computer BIOS. However, since it's not entirely the same code as, say, Asus or Award BIOS flash utilities, some scanners may get the false impression that this is malware, designed to corrupt the computer BIOS.
It's not an ordinary spreadsheet or poker game, but a flashing utility. Thus, the malware/virus scanners could very well be more harsh in their opinion about this program. So yes, it might very well be a false positive.