exeDSP reverse engeneering

Here is information about customize your C series firmware..:!:This forum is NOT FOR DUMMY USERS questions or problems but DEVELOPER.

mamaich
Official SamyGO Developer
Posts: 65
Joined: Sun Nov 21, 2010 4:15 am

exeDSP reverse engeneering

Post by mamaich »

Is there any information regarding exeDSP reverse engineering? As far as I see - "SamyConsole (v2.1).zip", "Audio Stream Switcher (v0.2).zip" and other modules dynamically import and hook different exeDSP functions. Can their authors share all the information they have? I think that there would be lots of similar functions in exeDSP for ARM (A and B models) ans MIPS (C models) TVs.

I've currently started to reverse engineer exeDSP of LExxC550 with T-TDT5DEUC_1021 firmware. I've found how to draw on the onscreen overlay. Overlay is implemented by "/dev/hidtv2dge" driver, it responds to FBIOGET_FSCREENINFO IOCTL, image size is always 960*540 pixels (4 bytes per pixel, RGBA, big endian of cause). Here is a source code and a compiled test program - http://www.multiupload.com/A2H8Z1Y8PL
Update: found that this framebuffer is already used here and here
The test should be run on "hacked" C550 with trident CPU (hack instruction for C5x0 would be published here in a few days)

For those who are interested in compiling apps for TDT under Windows - here is a compiled GCC for CygWin. Uncompress archive to /usr/local directory in CyGwin (?:\Cygwin\usr\local) and use.

dksoul
Official SamyGO Developer
Posts: 47
Joined: Tue Nov 23, 2010 2:13 pm
Location: Lisbon, Portugal

Re: exeDSP reverse engeneering

Post by dksoul »

Did you manage to get more information about the framebuffer? (e.g. how to activate the hardware acceleration)

mamaich
Official SamyGO Developer
Posts: 65
Joined: Sun Nov 21, 2010 4:15 am

Re: exeDSP reverse engeneering

Post by mamaich »

dksoul wrote:Did you manage to get more information about the framebuffer? (e.g. how to activate the hardware acceleration)
After incorrect editing of scripts in /mtd_rwarea partition I've got non-working USB. Only yesterday I've found a way to format /mtd_rwarea, so now I have a working USB and can continue my tests. I own LE40C550, without Internet@TV, so it took a week to find a working method.
By the way, I've compiled GDB 7.1 for MIPS target and Windows host, so there would be easier to reverse engineer it. I'll publish it later after I'll be sure that it works as expected.

Unfortunately IDA 5.5 has a major bug on MIPS target - it assumes that GP register has the same value over the whole program, and this is incorrect for huge files like exeDSP. And IDA 6.0 is not stolen yet (I can't afford 1K$ for buying advanced version, even if Ilfak would start to sell it in Russia).

dksoul
Official SamyGO Developer
Posts: 47
Joined: Tue Nov 23, 2010 2:13 pm
Location: Lisbon, Portugal

Re: exeDSP reverse engeneering

Post by dksoul »

mamaich wrote:
dksoul wrote:Did you manage to get more information about the framebuffer? (e.g. how to activate the hardware acceleration)
After incorrect editing of scripts in /mtd_rwarea partition I've got non-working USB. Only yesterday I've found a way to format /mtd_rwarea, so now I have a working USB and can continue my tests. I own LE40C550, without Internet@TV, so it took a week to find a working method.
By the way, I've compiled GDB 7.1 for MIPS target and Windows host, so there would be easier to reverse engineer it. I'll publish it later after I'll be sure that it works as expected.

Unfortunately IDA 5.5 has a major bug on MIPS target - it assumes that GP register has the same value over the whole program, and this is incorrect for huge files like exeDSP. And IDA 6.0 is not stolen yet (I can't afford 1K$ for buying advanced version, even if Ilfak would start to sell it in Russia).
I have written a (very limited) Trident framebuffer interface for the SDL library, only to later realize that it is painfully slow to draw things on screen..
I'm hoping that you find a way to speed things up while reversing exeDSP! ;)

mamaich
Official SamyGO Developer
Posts: 65
Joined: Sun Nov 21, 2010 4:15 am

Re: exeDSP reverse engeneering

Post by mamaich »

dksoul wrote:I have written a (very limited) Trident framebuffer interface for the SDL library, only to later realize that it is painfully slow to draw things on screen..
I've compiled it too. Speed is not so bad as you are telling. SDL example "testpalette" gave 54.94 fps, "testblitspeed" gave 83 fps, "testsprite" gave 16.72 fps. All examples were compiled without modifications, so there was a conversion from 8 bit color to 32 bit and I assume that here we a limited with CPU speed - only 350 Mhz here on trident per core, and we can run code only on one core.

edited:
had to add double buffering due to buggy programs that trash the alpha channel. So speed halved.

dksoul
Official SamyGO Developer
Posts: 47
Joined: Tue Nov 23, 2010 2:13 pm
Location: Lisbon, Portugal

Re: exeDSP reverse engeneering

Post by dksoul »

Then I must be doing something wrong (hope so!), because when I use framebuffer directly (no SDL nor double buffering) just to draw some colors, the speed I get is really bad.
I used your program to do this very simple test: http://bit.ly/h3iplt

mamaich
Official SamyGO Developer
Posts: 65
Joined: Sun Nov 21, 2010 4:15 am

Re: exeDSP reverse engeneering

Post by mamaich »

I've made a tool that hooks HDMI button on remote, displays my own menu and allows launching of custom applications from USB drive. If I'll have time - it may grow to something really powerful :)
http://www.multiupload.com/4V3GP4YP93
This would work only on TV sets with T-TDT5DEUC firmware (big endian MIPS CPU), i.e. new LExxC550 models. As I don't own a different samsung TV - I can't port it to any other CPU, but volunteers are welcomed.

To use - extract archive to USB drive formatted with FAT32, insert it into TV and run loadso.sh. This would inject my SO file into exeDSP process.
Then press any button on remote (this would initialize my hook). Then press HDMI button, this would bring a menu.
Select there "Run Program" submenu, it would output a list of files in "programs" dir. There is a precompiled "testsprite" test from SDL distribution, just to see the overall graphics speed. And a digger game, sources taken from http://www.digger.org.
SDL port is unfinished - no sound and not all remote buttons are mapped to SDL keys (for example you cannot shoot in digger as F1 key is not mapped to anything). F10 is mapped to "record" key on the remote, ESC to "exit", use these keys to exit test and digger apps.
Pressing "Power" button would force my tool to "release" IR Remote hook, so you can power off TV or change channels, but it would not terminate the running app, so you'll get garbage on screen.
The tool creates /tmp/log.txt file in the case of problems.

User avatar
erdem_ua
SamyGO Admin
Posts: 3109
Joined: Thu Oct 01, 2009 6:02 am
Location: Istanbul, Turkey
Contact:

Re: exeDSP reverse engeneering

Post by erdem_ua »

Good. Will you release source codes too?

mamaich
Official SamyGO Developer
Posts: 65
Joined: Sun Nov 21, 2010 4:15 am

Re: exeDSP reverse engeneering

Post by mamaich »

erdem_ua wrote:Good. Will you release source codes too?
Yes, of course. I plan to play with TV this weekend (fix SDL keyboard, etc), and then I'll publish sources.

mamaich
Official SamyGO Developer
Posts: 65
Joined: Sun Nov 21, 2010 4:15 am

Re: exeDSP reverse engeneering

Post by mamaich »

as I've promised - here is source code of my loader: http://www.multiupload.com/Z4UX7ZHS78
and source code of my SDL port - http://www.multiupload.com/DPQ0IZ614S

For keyboard to work in SDL - you need to start a program that uses it from a custom menu created by "loader". This would hook all necessary functions in exeDSP and create a pipe that SDL would read as its keyboard. SDL uses double buffering - so speed is 2 times lower than I've wrote in the first post. Edit dummy videodriver sources, read comments there to enable direct videomem access to gain full speed.

Loader would work only on Big Endian MIPS TVs (T-TDT* firmware).

Please share all the code that would be based on mainplugin or loader sources. Currently they are not GPL-based, but probably they should be.
I'd recommend to create additional plugins, as "mainplugin" should only provide API and simple user interface for other addons.

Those who are interested may use this MIPS BigEndian GDB 7.2 port: http://www.multiupload.com/7AIQ095RWT
Archive contains both native (can be run directly on TV) and CygWin build (can be used remotely with gdbserver running on TV).
Last edited by mamaich on Mon Dec 20, 2010 3:05 am, edited 1 time in total.

Post Reply

Return to “[C] Firmware”