exeDSP reverse engeneering
exeDSP reverse engeneering
Is there any information regarding exeDSP reverse engineering? As far as I see - "SamyConsole (v2.1).zip", "Audio Stream Switcher (v0.2).zip" and other modules dynamically import and hook different exeDSP functions. Can their authors share all the information they have? I think that there would be lots of similar functions in exeDSP for ARM (A and B models) ans MIPS (C models) TVs.
I've currently started to reverse engineer exeDSP of LExxC550 with T-TDT5DEUC_1021 firmware. I've found how to draw on the onscreen overlay. Overlay is implemented by "/dev/hidtv2dge" driver, it responds to FBIOGET_FSCREENINFO IOCTL, image size is always 960*540 pixels (4 bytes per pixel, RGBA, big endian of cause). Here is a source code and a compiled test program - http://www.multiupload.com/A2H8Z1Y8PL
Update: found that this framebuffer is already used here and here
The test should be run on "hacked" C550 with trident CPU (hack instruction for C5x0 would be published here in a few days)
For those who are interested in compiling apps for TDT under Windows - here is a compiled GCC for CygWin. Uncompress archive to /usr/local directory in CyGwin (?:\Cygwin\usr\local) and use.
I've currently started to reverse engineer exeDSP of LExxC550 with T-TDT5DEUC_1021 firmware. I've found how to draw on the onscreen overlay. Overlay is implemented by "/dev/hidtv2dge" driver, it responds to FBIOGET_FSCREENINFO IOCTL, image size is always 960*540 pixels (4 bytes per pixel, RGBA, big endian of cause). Here is a source code and a compiled test program - http://www.multiupload.com/A2H8Z1Y8PL
Update: found that this framebuffer is already used here and here
The test should be run on "hacked" C550 with trident CPU (hack instruction for C5x0 would be published here in a few days)
For those who are interested in compiling apps for TDT under Windows - here is a compiled GCC for CygWin. Uncompress archive to /usr/local directory in CyGwin (?:\Cygwin\usr\local) and use.
-
- Official SamyGO Developer
- Posts: 47
- Joined: Tue Nov 23, 2010 2:13 pm
- Location: Lisbon, Portugal
Re: exeDSP reverse engeneering
Did you manage to get more information about the framebuffer? (e.g. how to activate the hardware acceleration)
Re: exeDSP reverse engeneering
After incorrect editing of scripts in /mtd_rwarea partition I've got non-working USB. Only yesterday I've found a way to format /mtd_rwarea, so now I have a working USB and can continue my tests. I own LE40C550, without Internet@TV, so it took a week to find a working method.dksoul wrote:Did you manage to get more information about the framebuffer? (e.g. how to activate the hardware acceleration)
By the way, I've compiled GDB 7.1 for MIPS target and Windows host, so there would be easier to reverse engineer it. I'll publish it later after I'll be sure that it works as expected.
Unfortunately IDA 5.5 has a major bug on MIPS target - it assumes that GP register has the same value over the whole program, and this is incorrect for huge files like exeDSP. And IDA 6.0 is not stolen yet (I can't afford 1K$ for buying advanced version, even if Ilfak would start to sell it in Russia).
-
- Official SamyGO Developer
- Posts: 47
- Joined: Tue Nov 23, 2010 2:13 pm
- Location: Lisbon, Portugal
Re: exeDSP reverse engeneering
I have written a (very limited) Trident framebuffer interface for the SDL library, only to later realize that it is painfully slow to draw things on screen..mamaich wrote:After incorrect editing of scripts in /mtd_rwarea partition I've got non-working USB. Only yesterday I've found a way to format /mtd_rwarea, so now I have a working USB and can continue my tests. I own LE40C550, without Internet@TV, so it took a week to find a working method.dksoul wrote:Did you manage to get more information about the framebuffer? (e.g. how to activate the hardware acceleration)
By the way, I've compiled GDB 7.1 for MIPS target and Windows host, so there would be easier to reverse engineer it. I'll publish it later after I'll be sure that it works as expected.
Unfortunately IDA 5.5 has a major bug on MIPS target - it assumes that GP register has the same value over the whole program, and this is incorrect for huge files like exeDSP. And IDA 6.0 is not stolen yet (I can't afford 1K$ for buying advanced version, even if Ilfak would start to sell it in Russia).
I'm hoping that you find a way to speed things up while reversing exeDSP!
Re: exeDSP reverse engeneering
I've compiled it too. Speed is not so bad as you are telling. SDL example "testpalette" gave 54.94 fps, "testblitspeed" gave 83 fps, "testsprite" gave 16.72 fps. All examples were compiled without modifications, so there was a conversion from 8 bit color to 32 bit and I assume that here we a limited with CPU speed - only 350 Mhz here on trident per core, and we can run code only on one core.dksoul wrote:I have written a (very limited) Trident framebuffer interface for the SDL library, only to later realize that it is painfully slow to draw things on screen..
edited:
had to add double buffering due to buggy programs that trash the alpha channel. So speed halved.
-
- Official SamyGO Developer
- Posts: 47
- Joined: Tue Nov 23, 2010 2:13 pm
- Location: Lisbon, Portugal
Re: exeDSP reverse engeneering
Then I must be doing something wrong (hope so!), because when I use framebuffer directly (no SDL nor double buffering) just to draw some colors, the speed I get is really bad.
I used your program to do this very simple test: http://bit.ly/h3iplt
I used your program to do this very simple test: http://bit.ly/h3iplt
Re: exeDSP reverse engeneering
I've made a tool that hooks HDMI button on remote, displays my own menu and allows launching of custom applications from USB drive. If I'll have time - it may grow to something really powerful
http://www.multiupload.com/4V3GP4YP93
This would work only on TV sets with T-TDT5DEUC firmware (big endian MIPS CPU), i.e. new LExxC550 models. As I don't own a different samsung TV - I can't port it to any other CPU, but volunteers are welcomed.
To use - extract archive to USB drive formatted with FAT32, insert it into TV and run loadso.sh. This would inject my SO file into exeDSP process.
Then press any button on remote (this would initialize my hook). Then press HDMI button, this would bring a menu.
Select there "Run Program" submenu, it would output a list of files in "programs" dir. There is a precompiled "testsprite" test from SDL distribution, just to see the overall graphics speed. And a digger game, sources taken from http://www.digger.org.
SDL port is unfinished - no sound and not all remote buttons are mapped to SDL keys (for example you cannot shoot in digger as F1 key is not mapped to anything). F10 is mapped to "record" key on the remote, ESC to "exit", use these keys to exit test and digger apps.
Pressing "Power" button would force my tool to "release" IR Remote hook, so you can power off TV or change channels, but it would not terminate the running app, so you'll get garbage on screen.
The tool creates /tmp/log.txt file in the case of problems.
http://www.multiupload.com/4V3GP4YP93
This would work only on TV sets with T-TDT5DEUC firmware (big endian MIPS CPU), i.e. new LExxC550 models. As I don't own a different samsung TV - I can't port it to any other CPU, but volunteers are welcomed.
To use - extract archive to USB drive formatted with FAT32, insert it into TV and run loadso.sh. This would inject my SO file into exeDSP process.
Then press any button on remote (this would initialize my hook). Then press HDMI button, this would bring a menu.
Select there "Run Program" submenu, it would output a list of files in "programs" dir. There is a precompiled "testsprite" test from SDL distribution, just to see the overall graphics speed. And a digger game, sources taken from http://www.digger.org.
SDL port is unfinished - no sound and not all remote buttons are mapped to SDL keys (for example you cannot shoot in digger as F1 key is not mapped to anything). F10 is mapped to "record" key on the remote, ESC to "exit", use these keys to exit test and digger apps.
Pressing "Power" button would force my tool to "release" IR Remote hook, so you can power off TV or change channels, but it would not terminate the running app, so you'll get garbage on screen.
The tool creates /tmp/log.txt file in the case of problems.
- erdem_ua
- SamyGO Admin
- Posts: 3125
- Joined: Thu Oct 01, 2009 6:02 am
- Location: Istanbul, Turkey
- Contact:
Re: exeDSP reverse engeneering
Good. Will you release source codes too?
Re: exeDSP reverse engeneering
Yes, of course. I plan to play with TV this weekend (fix SDL keyboard, etc), and then I'll publish sources.erdem_ua wrote:Good. Will you release source codes too?
Re: exeDSP reverse engeneering
as I've promised - here is source code of my loader: http://www.multiupload.com/Z4UX7ZHS78
and source code of my SDL port - http://www.multiupload.com/DPQ0IZ614S
For keyboard to work in SDL - you need to start a program that uses it from a custom menu created by "loader". This would hook all necessary functions in exeDSP and create a pipe that SDL would read as its keyboard. SDL uses double buffering - so speed is 2 times lower than I've wrote in the first post. Edit dummy videodriver sources, read comments there to enable direct videomem access to gain full speed.
Loader would work only on Big Endian MIPS TVs (T-TDT* firmware).
Please share all the code that would be based on mainplugin or loader sources. Currently they are not GPL-based, but probably they should be.
I'd recommend to create additional plugins, as "mainplugin" should only provide API and simple user interface for other addons.
Those who are interested may use this MIPS BigEndian GDB 7.2 port: http://www.multiupload.com/7AIQ095RWT
Archive contains both native (can be run directly on TV) and CygWin build (can be used remotely with gdbserver running on TV).
and source code of my SDL port - http://www.multiupload.com/DPQ0IZ614S
For keyboard to work in SDL - you need to start a program that uses it from a custom menu created by "loader". This would hook all necessary functions in exeDSP and create a pipe that SDL would read as its keyboard. SDL uses double buffering - so speed is 2 times lower than I've wrote in the first post. Edit dummy videodriver sources, read comments there to enable direct videomem access to gain full speed.
Loader would work only on Big Endian MIPS TVs (T-TDT* firmware).
Please share all the code that would be based on mainplugin or loader sources. Currently they are not GPL-based, but probably they should be.
I'd recommend to create additional plugins, as "mainplugin" should only provide API and simple user interface for other addons.
Those who are interested may use this MIPS BigEndian GDB 7.2 port: http://www.multiupload.com/7AIQ095RWT
Archive contains both native (can be run directly on TV) and CygWin build (can be used remotely with gdbserver running on TV).
Last edited by mamaich on Mon Dec 20, 2010 3:05 am, edited 1 time in total.