Page 1 of 2
					
				exeDSP reverse engeneering
				Posted: Tue Nov 30, 2010 12:25 pm
				by mamaich
				Is there any information regarding exeDSP reverse engineering? As far as I see - "SamyConsole (v2.1).zip", "Audio Stream Switcher (v0.2).zip" and other modules dynamically import and hook different exeDSP functions. Can their authors share all the information they have? I think that there would be lots of similar functions in exeDSP for ARM (A and B models) ans MIPS (C models) TVs.
I've currently started to reverse engineer exeDSP of LExxC550 with T-TDT5DEUC_1021 firmware. I've found how to draw on the onscreen overlay. Overlay is implemented by "/dev/hidtv2dge" driver, it responds to FBIOGET_FSCREENINFO IOCTL, image size is always 960*540 pixels (4 bytes per pixel, RGBA, big endian of cause). Here is a source code and a compiled test program - 
http://www.multiupload.com/A2H8Z1Y8PL 
Update: found that this framebuffer is already used 
here and 
here
The test should be run on "hacked" C550 with trident CPU (hack instruction for C5x0 would be published 
here in a few days)
For those who are interested in compiling apps for TDT under Windows - 
here is a compiled GCC for CygWin. Uncompress archive to /usr/local directory in CyGwin (?:\Cygwin\usr\local) and use.
 
			
					
				Re: exeDSP reverse engeneering
				Posted: Fri Dec 10, 2010 2:50 pm
				by dksoul
				Did you manage to get more information about the framebuffer? (e.g. how to activate the hardware acceleration)
			 
			
					
				Re: exeDSP reverse engeneering
				Posted: Sat Dec 11, 2010 4:12 am
				by mamaich
				dksoul wrote:Did you manage to get more information about the framebuffer? (e.g. how to activate the hardware acceleration)
After incorrect editing of scripts in /mtd_rwarea partition I've got non-working USB. Only yesterday I've found a way to format /mtd_rwarea, so now I have a working USB and can continue my tests. I own LE40C550, without Internet@TV, so it took a week to find a working method.
By the way, I've compiled GDB 7.1 for MIPS target and Windows host, so there would be easier to reverse engineer it. I'll publish it later after I'll be sure that it works as expected.
Unfortunately IDA 5.5 has a major bug on MIPS target - it assumes that GP register has the same value over the whole program, and this is incorrect for huge files like exeDSP. And IDA 6.0 is not stolen yet (I can't afford 1K$ for buying advanced version, even if Ilfak would start to sell it in Russia).
 
			
					
				Re: exeDSP reverse engeneering
				Posted: Sun Dec 12, 2010 1:18 am
				by dksoul
				mamaich wrote:dksoul wrote:Did you manage to get more information about the framebuffer? (e.g. how to activate the hardware acceleration)
After incorrect editing of scripts in /mtd_rwarea partition I've got non-working USB. Only yesterday I've found a way to format /mtd_rwarea, so now I have a working USB and can continue my tests. I own LE40C550, without Internet@TV, so it took a week to find a working method.
By the way, I've compiled GDB 7.1 for MIPS target and Windows host, so there would be easier to reverse engineer it. I'll publish it later after I'll be sure that it works as expected.
Unfortunately IDA 5.5 has a major bug on MIPS target - it assumes that GP register has the same value over the whole program, and this is incorrect for huge files like exeDSP. And IDA 6.0 is not stolen yet (I can't afford 1K$ for buying advanced version, even if Ilfak would start to sell it in Russia).
 
I have written a (very limited) Trident framebuffer interface for the SDL library, only to later realize that it is painfully slow to draw things on screen.. 
I'm hoping that you find a way to speed things up while reversing exeDSP!  

 
			
					
				Re: exeDSP reverse engeneering
				Posted: Mon Dec 13, 2010 10:37 am
				by mamaich
				dksoul wrote:I have written a (very limited) Trident framebuffer interface for the SDL library, only to later realize that it is painfully slow to draw things on screen.. 
I've compiled it too. Speed is not so bad as you are telling. SDL example "testpalette" gave 54.94 fps, "testblitspeed" gave 83 fps, "testsprite" gave 16.72 fps. All examples were compiled without modifications, so there was a conversion from 8 bit color to 32 bit and I assume that here we a limited with CPU speed - only 350 Mhz here on trident per core, and we can run code only on one core.
edited:
had to add double buffering due to buggy programs that trash the alpha channel. So speed halved.
 
			
					
				Re: exeDSP reverse engeneering
				Posted: Mon Dec 13, 2010 1:51 pm
				by dksoul
				Then I must be doing something wrong (hope so!), because when I use framebuffer directly (no SDL nor double buffering) just to draw some colors, the speed I get is really bad.
I used your program to do this very simple test: 
http://bit.ly/h3iplt 
			
					
				Re: exeDSP reverse engeneering
				Posted: Wed Dec 15, 2010 12:48 am
				by mamaich
				I've made a tool that hooks HDMI button on remote, displays my own menu and allows launching of custom applications from USB drive. If I'll have time - it may grow to something really powerful 
 http://www.multiupload.com/4V3GP4YP93
http://www.multiupload.com/4V3GP4YP93
This would work only on TV sets with T-TDT5DEUC firmware (big endian MIPS CPU), i.e. new LExxC550 models. As I don't own a different samsung TV - I can't port it to any other CPU, but volunteers are welcomed.
To use - extract archive to USB drive formatted with FAT32, insert it into TV and run loadso.sh. This would inject my SO file into exeDSP process.
Then press any button on remote (this would initialize my hook). Then press HDMI button, this would bring a menu. 
Select there "Run Program" submenu, it would output a list of files in "programs" dir. There is a precompiled "testsprite" test from SDL distribution, just to see the overall graphics speed. And a digger game, sources taken from 
http://www.digger.org. 
SDL port is unfinished - no sound and not all remote buttons are mapped to SDL keys (for example you cannot shoot in digger as F1 key is not mapped to anything). F10 is mapped to "record" key on the remote, ESC to "exit", use these keys to exit test and digger apps.
Pressing "Power" button would force my tool to "release" IR Remote hook, so you can power off TV or change channels, but it would not terminate the running app, so you'll get garbage on screen.
The tool creates /tmp/log.txt file in the case of problems.
 
			
					
				Re: exeDSP reverse engeneering
				Posted: Wed Dec 15, 2010 11:30 pm
				by erdem_ua
				Good. Will you release source codes too?
			 
			
					
				Re: exeDSP reverse engeneering
				Posted: Thu Dec 16, 2010 3:33 am
				by mamaich
				erdem_ua wrote:Good. Will you release source codes too?
Yes, of course. I plan to play with TV this weekend (fix SDL keyboard, etc), and then I'll publish sources.
 
			
					
				Re: exeDSP reverse engeneering
				Posted: Mon Dec 20, 2010 2:34 am
				by mamaich
				as I've promised - here is source code of my loader: 
http://www.multiupload.com/Z4UX7ZHS78
and source code of my SDL port - 
http://www.multiupload.com/DPQ0IZ614S
For keyboard to work in SDL - you need to start a program that uses it from a custom menu created by "loader". This would hook all necessary functions in exeDSP and create a pipe that SDL would read as its keyboard. SDL uses double buffering - so speed is 2 times lower than I've wrote in the first post. Edit dummy videodriver sources, read comments there to enable direct videomem access to gain full speed.
Loader would work only on Big Endian MIPS TVs (T-TDT* firmware).
Please share all the code that would be based on mainplugin or loader sources. Currently they are not GPL-based, but probably they should be.
I'd recommend to create additional plugins, as "mainplugin" should only provide API and simple user interface for other addons.
Those who are interested may use this MIPS BigEndian GDB 7.2 port: 
http://www.multiupload.com/7AIQ095RWT
Archive contains both native (can be run directly on TV) and CygWin build (can be used remotely with gdbserver running on TV).