SamyGO

Samsung TV Firmware on the GO
http://forum.samygo.tv/

Video AR Fix v2 for everyone!

http://forum.samygo.tv/viewtopic.php?t=272

Page 1 of 1

Video AR Fix v2 for everyone!

Posted: Sat Jan 09, 2010 8:19 pm
by erdem_ua
I am trying to implement automatic VideoAR Fix v2 patcher, as its version 1 that available at python Firmware Patcher Script. I don't want to use KEIL Arm tools because it's really hard to get those.
Current SamyGO Firmware Patcher Script can extract exeDSP and could read symbol table of that already.
Only thing that I want that updating the required sections of exeDSP, independent from exeDSP version. I mean one program fix them all approach is better.
Again there could be different code for CI+ devices. I think they use slightly different compiler options.

I investigate the exeDSP 2004.1 and v2 Patched exeDSP 2004.1, their differences...

Code: Select all

death@triQuad:/SamyGO> python filediff.py SamyGO.exeDSP.2004.1 SamyGO.exeDSP.2004.1_v2.elf 
Offset: 0xF8E80C  to 0xF8E838
  Orginal: 0x020050e36c00000a030050e36100000a010050e32d00000a0030a0e35c708de560608de558308de554308de5
  VideoAR: 0x0a10a0e10820a0e1d03443eb0810a0e10a20a0e100a8a0e12aa8a0e12088a0e1650000ea0180a0e102a0a0e1
Offset: 0xF8E9F4  to 0xF8E9F5
  Orginal: 0x8f
  VideoAR: 0x8d
Offset: 0x1352790  to 0x135279C
  Orginal: 0x010053e30100000a020053e3
  VideoAR: 0x0300a0e1d12434eb030000ea
Offset: 0x1352A68  to 0x1352A69
  Orginal: 0x10
  VideoAR: 0x30
Offset: 0x1352A74  to 0x1352AA8
  Orginal: 0x0030a0e3013064e50600a0e30410a0e128d7dbeb000050e30c00000a1730dde5010053e3013083021730cd050200000a020053e3
  VideoAR: 0x0150a0e10030a0e3013064e50600a0e30410a0e127d7dbeb000050e30b00000a1700dde50510a0e11c2434eb1700cde5010000ea
Offset: 0x1352ACC  to 0x1352ACD
  Orginal: 0x10
  VideoAR: 0x30
Offset: 0x205BAE0  to 0x205BF0B
  Orginal: 0x4800......
  VideoAR: 0x0e00......
Last chunk of codes that started at offset 0x205BAE0 is not branch outside. So it's safe to write that chunk to anywhere in the ".text" area and that is not require to change some addresses in that code. So we have 6 chunks (which 3 of them is a 1 byte change.) If we don't count those, only 3 data chunks needed to place to have this patch. This changes are as those:
#1

Code: Select all

.text:00F9680C                 MOV     R1, R10
.text:00F96810                 MOV     R2, R8
.text:00F96814                 BL      sub_2063B5C
.text:00F96818                 MOV     R1, R8
.text:00F9681C                 MOV     R2, R10
.text:00F96820                 MOV     R10, R0,LSL#16
.text:00F96824
.text:00F96824 loc_F96824                              ; CODE XREF: CMovieCore::CalculateDisplaySize(TDiMpeg::TDAVDec_VideoInfo_t)...
.text:00F96824                                         ; CMovieCore::CalculateDisplaySize(TDiMpeg::TDAVDec_VideoInfo_t)...
.text:00F96824                 MOV     R10, R10,LSR#16
.text:00F96828                 MOV     R8, R0,LSR#16
.text:00F9682C                 B       loc_F969C8
.text:00F96830 ; ---------------------------------------------------------------------------
.text:00F96830
.text:00F96830 loc_F96830                              ; CODE XREF: CMovieCore::CalculateDisplaySize(TDiMpeg::TDAVDec_VideoInfo_t)+...
.text:00F96830                 MOV     R8, R1
.text:00F96834                 MOV     R10, R2
#2

Code: Select all

.text:00F969F4                 B       loc_F96830
#3

Code: Select all

.text:0135A790                 MOV     R0, R3
.text:0135A794                 BL      sub_2063AE0
.text:0135A798                 B       loc_135A7AC
#4

Code: Select all

.text:0135AA68                 STMFD   SP!, {R4,R5,LR}
#5

Code: Select all

.text:0135AA74                 MOV     R5, R1
.text:0135AA78                 MOV     R3, #0
.text:0135AA7C                 STRB    R3, [R4,#-1]!
.text:0135AA80                 MOV     R0, #6
.text:0135AA84                 MOV     R1, R4
.text:0135AA88                 BL      _ZN16CMMPlayerWrapper13GetMmpProfileEiPh ; CMMPlayerWrapper::GetMmpProfile(int,uchar *)
.text:0135AA8C                 CMP     R0, #0
.text:0135AA90                 BEQ     loc_135AAC4
.text:0135AA94                 LDRB    R0, [SP,#0x24+var_D]
.text:0135AA98                 MOV     R1, R5
.text:0135AA9C                 BL      sub_2063B14
.text:0135AAA0                 STRB    R0, [SP,#0x24+var_D]
.text:0135AAA4                 B       loc_135AAB0
#6

Code: Select all

.text:0135AACC                 LDMFD   SP!, {R4,R5,PC}
So I needed to place this codes into exeDSP and needed to vary addresses that in the sections.
I think I chose the hard way, But I think it's work when it finished. If you want to help you want to implement some p?eces of

Code: Select all

def VideoARFix_v2_patch_auto( FileTarget ):
so you can help at here, or you can just give a hint :)

Re: Video AR Fix v2 for everyone!

Posted: Wed Jan 27, 2010 11:57 pm
by erdem_ua
mraibo wrote:Any progress?
I am busy with PVR Application this days. :)

Re: Video AR Fix v2 for everyone!

Posted: Thu Jul 01, 2010 10:57 am
by erdem_ua
Nope. I don't work on this. I am leaving idea to change exeDSP statically. Since we could load Content library hacks via gdb attaching, automatically at startup, We do not have to inject code statically at patching time. Downside of this B550 & B6000 series. If we could load Content Library hacks to those TV's, than we don't have to touch exeDSP... But if we couldn't add content library games to B550 series, than some one needed to implement this hack to Firmware Patcher.
All times are UTC+01:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited