Following your corrected message, we simply remove the call to the j_memcmp procedure — perfect!
Based on the C++ example, I have found this place on my side.
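/* Pseudo-C reconstruction of the signature / hash-check path (sub_80A02718 in
 * the listing below). The raw snippet dereferenced integer literals, which is
 * not valid C; the addresses are cast to volatile 32-bit pointers instead.
 * NOTE(review): the "== 0" test on kernel_check_hash and the SYSTEM DOWN
 * branch are not visible in the listing itself -- it only shows the call.
 * Confirm whether that handling lives inside kernel_check_hash. */
if (*(volatile unsigned int *)0x67440000 == 0xFAFEF0F0u) /* FAFEF0F0 is my signature of the key.bin partition (BML11). It is read to 0x67440000 */
{
    if (kernel_check_hash() == 0)
    {
        return 0; /* HASH OK */
    }
    else
    {
        printf("2.SYSTEM DOWN\r\n");
        halt();
    }
}
if (*(volatile unsigned int *)0x67400000 == 0xBAB0BAB0u) /* BAB0BAB0 is some other signature which I have not seen yet */
{
    /* ...to be analyzed */
}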
But something still isn't right.
# sub_80A02718 -- looks like a fragment of a larger routine rather than a
# self-contained function: no prologue/epilogue is visible, $s0-$s5 and the
# $sp+0x24..0x3C slots are used without being saved here, every path ends in
# a tail jump (j) instead of jr $ra, and loc_80A02744 is also entered from
# ROM:80A0316C. The "arg_" names appear to be IDA labels for $sp-relative
# slots, not call arguments -- confirm against the enclosing code.
# Flow: the word at 0($s5) is compared with 0xFAFEF0F0, then 0xBAB0BAB0;
# each of the three outcomes calls kernel_check_hash with a different pointer
# into the string table and then jumps away. MIPS delay slots: the instruction
# after every bne/jal/j executes unconditionally, before the branch takes effect.
ROM:80A02718 sub_80A02718: # CODE XREF: ROM:80A02FD8p
ROM:80A02718 # sub_80A031AC+A0p
ROM:80A02718
ROM:80A02718 arg_24 = 0x24
ROM:80A02718 arg_2C = 0x2C
ROM:80A02718 arg_30 = 0x30
ROM:80A02718 arg_34 = 0x34
ROM:80A02718 arg_38 = 0x38
ROM:80A02718 arg_3C = 0x3C
ROM:80A02718
ROM:80A02718 0C 28 4C FC jal sub_80A133F0 # the li in the delay slot runs first, so the callee sees $a2 = 0x3C
ROM:80A0271C 24 06 00 3C li $a2, 0x3C # delay slot of the jal
ROM:80A02720 8E B0 00 00 lw $s0, 0($s5) # $s0 = first word of the buffer $s5 points at (per the post: key.bin/BML11 read to 0x67440000 -- confirm)
ROM:80A02724 3C 02 FA FE 34 42 F0 F0 li $v0, 0xFAFEF0F0 # lui+ori pair (8 bytes): first signature
ROM:80A0272C 16 02 00 12 bne $s0, $v0, loc_80A02778 # not FAFEF0F0 -> try the second signature
ROM:80A02730 3C 02 BA B0 lui $v0, 0xBAB0 //BAB0BAB0 # delay slot, runs on both paths: upper half of the second signature, completed by the ori at loc_80A02778
ROM:80A02734 3C 04 80 A1 lui $a0, 0x80A1 # high half of the string-table pointer passed to kernel_check_hash
ROM:80A02738 0C 28 51 EC jal kernel_check_hash // kernel_check_hash() ??? It is not assured! # $a0 is completed in the delay slot; $v0 is not read afterwards anywhere in this listing
ROM:80A0273C 24 84 70 48 la $a0, (aSehci_submit_j+8) //Error String "sehci_submit_job" shift + 0x08 # delay slot; encoding 24 84 70 48 is addiu $a0,$a0,0x7048 -> $a0 = 0x80A17048
ROM:80A02740 27 B0 00 3C addiu $s0, $sp, arg_3C # $s0 = &slot_3C
ROM:80A02744
ROM:80A02744 loc_80A02744: # CODE XREF: ROM:80A0316Cp
ROM:80A02744 27 B1 00 24 addiu $s1, $sp, arg_24 # $s1 = &slot_24 (used as $a3 for both calls below)
ROM:80A02748 26 44 00 04 addiu $a0, $s2, 4 # sub_80A15A78($s2+4, 0x10, $s0, $s1); $a3 is set in the delay slot
ROM:80A0274C 24 05 00 10 li $a1, 0x10
ROM:80A02750 02 00 30 21 move $a2, $s0
ROM:80A02754 0C 28 56 9E jal sub_80A15A78
ROM:80A02758 02 20 38 21 move $a3, $s1 # delay slot
ROM:80A0275C 02 00 20 21 move $a0, $s0 # sub_80A15A78($s0, 0x10, $s4, $s1)
ROM:80A02760 24 05 00 10 li $a1, 0x10
ROM:80A02764 02 80 30 21 move $a2, $s4
ROM:80A02768 0C 28 56 9E jal sub_80A15A78
ROM:80A0276C 02 20 38 21 move $a3, $s1 # delay slot
ROM:80A02770 08 28 08 00 j sub_80A02000 # tail jump: control does not come back here
ROM:80A02774 02 80 20 21 move $a0, $s4 # delay slot: $a0 = $s4 for sub_80A02000
ROM:80A02778 # ---------------------------------------------------------------------------
ROM:80A02778
ROM:80A02778 loc_80A02778: # CODE XREF: sub_80A02718+14j
ROM:80A02778 34 42 BA B0 ori $v0, 0xBAB0 //BAB0BAB0 # completes $v0 = 0xBAB0BAB0 (the lui ran in the earlier delay slot)
ROM:80A0277C 16 02 00 1B bne $s0, $v0, loc_80A027EC # matches neither signature -> loc_80A027EC
ROM:80A02780 00 00 00 00 nop # delay slot
ROM:80A02784 3C 04 80 A1 lui $a0, 0x80A1 # kernel_check_hash(0x80A17050); the "li" below is addiu $a0,$a0,0x7050 (24 84 70 50) in the delay slot
ROM:80A02788 0C 28 51 EC jal kernel_check_hash
ROM:80A0278C 24 84 70 50 li $a0, 0x80A17050 # delay slot
ROM:80A02790 3C 02 7D 7F 34 42 78 78 li $v0, 0x7D7F7878 # build a 16-byte block at $sp+0x2C..0x38: 7D7F7878, $s0 (the signature word read above), EBFBC3C0, EAC2EAC0
ROM:80A02798 AF A2 00 2C sw $v0, arg_2C($sp)
ROM:80A0279C AF B0 00 30 sw $s0, arg_30($sp)
ROM:80A027A0 3C 02 EB FB 34 42 C3 C0 li $v0, 0xEBFBC3C0
ROM:80A027A8 AF A2 00 34 sw $v0, arg_34($sp)
ROM:80A027AC 3C 02 EA C2 34 42 EA C0 li $v0, 0xEAC2EAC0
ROM:80A027B4 AF A2 00 38 sw $v0, arg_38($sp)
ROM:80A027B8 26 B0 00 04 addiu $s0, $s5, 4 # $s0 = $s5 + 4, the word after the signature
ROM:80A027BC 26 44 00 04 addiu $a0, $s2, 4 # sub_80A02B8C($s2+4, $sp+0x2C, $s5+4, 0x10); $a3 = 0x10 matches the 16-byte block just stored
ROM:80A027C0 27 A5 00 2C addiu $a1, $sp, arg_2C
ROM:80A027C4 02 00 30 21 move $a2, $s0
ROM:80A027C8 0C 28 0A E3 jal sub_80A02B8C
ROM:80A027CC 24 07 00 10 li $a3, 0x10 # delay slot
ROM:80A027D0 02 00 20 21 move $a0, $s0 # sub_80A15B40($s5+4, 0x10, $s4, $sp+0x24)
ROM:80A027D4 24 05 00 10 li $a1, 0x10
ROM:80A027D8 02 80 30 21 move $a2, $s4
ROM:80A027DC 0C 28 56 D0 jal sub_80A15B40
ROM:80A027E0 27 A7 00 24 addiu $a3, $sp, arg_24 # delay slot
ROM:80A027E4 08 28 08 00 j sub_80A02000 # tail jump, same target as the first path
ROM:80A027E8 02 80 20 21 move $a0, $s4 # delay slot: $a0 = $s4
ROM:80A027EC # ---------------------------------------------------------------------------
ROM:80A027EC
ROM:80A027EC loc_80A027EC: # CODE XREF: sub_80A02718+64j
ROM:80A027EC 3C 04 80 A1 lui $a0, 0x80A1 # kernel_check_hash(aQh_urb_transac+4): 24 84 70 58 is addiu $a0,$a0,0x7058 -> $a0 = 0x80A17058
ROM:80A027F0 0C 28 51 EC jal kernel_check_hash
ROM:80A027F4 24 84 70 58 la $a0, (aQh_urb_transac+4) //Error String "qh_urb_transaction" shift + 0x04 # delay slot
ROM:80A027F8 08 28 07 FE j loc_80A01FF8 # tail jump to a different target than the other two paths
ROM:80A027FC 00 00 00 00 nop # delay slot
ROM:80A027FC # End of function sub_80A02718
Could someone suggest how the kernel_check_hash function is to be hooked???