Mighty impressive. Apart from looking forward to running custom sw on my device, I've just learned a whole lot. As an EE dabbling in embedded this is fantastic.
You're piecing this instruction set together like I'm watching the process. Half of what you say here is Chinese to me, but the more I watch the more puzzle pieces find their way home. Thanks for another epic upload. -Jake
Awesome, awesome! Thanks for the link to that polish bloke's website (which I will be digesting in a wee moment) and for that binview site too. Just had a moment where I had to scrape away a substantial amount of cobwebs - the last time I used assembler was on my old amiga, but all's gravy now :) Watching this has triggered a productive brainfart which is actually productive procrastination, if there is such a thing (an excuse to sit infront of a screen for hours)....thanks mate! This weekend has now taken a turn for the best. Until the next one and thanks for uploading!
The problem I discovered is it's not a checksum computation - just a memcmp on whether the data was correctly written to flash. The flasher then triggers a reboot, and the checksum is checked by the real system checksum checker - which we will look at in the next video
@@OpenTechLab Very interesting, but where is the code safed for the checksum calculation? (I am pretty sure you will explain it in your 4th video, but I am not that far yet haha)
(@7:37) - You may be looking at interleaved code here, where alternate instructions are loaded into the instruction pipeline; this is common on Intel architectures. If this were a SISD (like the old 8-bit micros), you would expect the instructions to load the value 0x000b9f7d to immediately follow one another, otherwise, the problem is that the “call $pc+(30796*4)” might modify register 3. Given that the chip (as seen from video 1 in this series) has 3 cores (a main core, an a/v core, and a security core), this may even be a 3-way interleave, but this is just a guess.
Not so, the video encode/decode blocks can't really be repurposed for any other use. And keep in mind even a Raspberry Pi has many times the compute power.
Is there a good community like Discord, IRC, or Forum to talk to people to learn more about how to modify hardware and put your own firmware on it like you are doing in this series? I'm interested in taking old hardware like DVRs, printers, scanners, smartphones, dongles etc into stuff like open linux machines, plotters, reusing smartphones in the place of Arduinos, etc
just make the checksum-comparition function to always return "true" or correct firmware, so the you can change anything you like in the rest of the file and it wont be overwritten on boot.
One ideea and probably I'm way off, but since we are seeing references to other Atmel chips in the text section , is it possible one of those has a known architecture and by finding the corresponding firmware we could then break it down for a known architecture first?
I didn't check, but I think they're all the ids of different flash chips, not processors. If you have a hunch about something, though, be my guest to follow it up!
@@OpenTechLab OK - I thought you were looking at the firmware bootstrap, not the flash upgrade. NOPping out the firmware integrity checks is something I've done in the past :D
Yeah I actually tried something along those lines, but of course even if the flasher software is tricked into thinks a hacked firmware image is valid, it won't make any difference to the boot-loader which will load the firmware after rebooting
It would appear ive fallen down the wrong rabbit hole and now im lost and confused. Im very far from your level of knowledge and understanding but it has brought light to the reason I never throw electronics away. I have for years looked at boards similar and well just about every board ever made and wished I could command it to well be my bitch. LOL Gld ive found your channel its very intresting.
![[019] IT9919 Hacking - part 4 - Diving into the boot-ROM](http://i.ytimg.com/vi/SYksf7Cbp-Q/mqdefault.jpg)
![[019] IT9919 Hacking - part 4 - Diving into the boot-ROM](/img/tr.png)
![[016] IT9919 Hacking - part 1 - Reading firmware with flashrom](http://i.ytimg.com/vi/j7JRosD_ua8/mqdefault.jpg)
![[011] USB Debugging with sigrok](http://i.ytimg.com/vi/4FOkJLp_PUw/mqdefault.jpg)
really enjoying the series
Mighty impressive. Apart from looking forward to running custom sw on my device, I've just learned a whole lot. As an EE dabbling in embedded this is fantastic.
I'm wondering what keywords are triggering these scam bots
Wow, this part is the most impressive development yet!
And there's more still to come!
This is a great series. Listening to you go through your thought process and research steps is a great learning experience.
Can't wait for the next part! I'm addicted!
You're piecing this instruction set together like I'm watching the process. Half of what you say here is Chinese to me, but the more I watch the more puzzle pieces find their way home.
Thanks for another epic upload.
-Jake
It's really, really enjoyable and educational to follow your work.
Thank you for letting us look over your shoulder and learn from and with you!
It would be awesome to see a custom fw running on this platform.
Awesome, awesome! Thanks for the link to that polish bloke's website (which I will be digesting in a wee moment) and for that binview site too.
Just had a moment where I had to scrape away a substantial amount of cobwebs - the last time I used assembler was on my old amiga, but all's gravy now :)
Watching this has triggered a productive brainfart which is actually productive procrastination, if there is such a thing (an excuse to sit infront of a screen for hours)....thanks mate! This weekend has now taken a turn for the best.
Until the next one and thanks for uploading!
This is really interesting... looking forward to seeing how far you can get with this
cool video series. im already excited for episode 4 :)
Since you can modify the flasher, why dont you just bypass the checksum computation? Redirect the CPU to Checksum-OK directly.
The problem I discovered is it's not a checksum computation - just a memcmp on whether the data was correctly written to flash. The flasher then triggers a reboot, and the checksum is checked by the real system checksum checker - which we will look at in the next video
OpenTechLab coool, looking forward.
@@OpenTechLab Very interesting, but where is the code safed for the checksum calculation? (I am pretty sure you will explain it in your 4th video, but I am not that far yet haha)
I wonder if some of the Kaitai Struct tooling would help with the workflow of visualizing things in-place
im really diggin this series, please continue afterwards with more cheap devices :-)
(@7:37) - You may be looking at interleaved code here, where alternate instructions are loaded into the instruction pipeline; this is common on Intel architectures. If this were a SISD (like the old 8-bit micros), you would expect the instructions to load the value 0x000b9f7d to immediately follow one another, otherwise, the problem is that the “call $pc+(30796*4)” might modify register 3. Given that the chip (as seen from video 1 in this series) has 3 cores (a main core, an a/v core, and a security core), this may even be a 3-way interleave, but this is just a guess.
i can be wrong but.. it looks like a "C-SKY" architecture..
Wow - great find! There are certainly some striking similarities: github.com/c-sky/csky-doc/blob/master/CSKY%20Architecture%20user_guide.pdf
@@OpenTechLab I found an instruction set list at github.com/c-sky/tools/blob/master/gx6605s/CK610_spec.pdf but I'm not sure it actually lines up.
So now even hdmi extenders could start mining crypto currencies.
:) - I think the hash rate might be rather disappointing
Not so, the video encode/decode blocks can't really be repurposed for any other use. And keep in mind even a Raspberry Pi has many times the compute power.
Lol. Is it me or can I hear a cat needing attention in the background? At first I thought it was one of my cats :-) 🐈🐈🐈🐈
Yeah she was getting a bit frantic while I was trying to record. She doesn't like being shut out
Is there a good community like Discord, IRC, or Forum to talk to people to learn more about how to modify hardware and put your own firmware on it like you are doing in this series? I'm interested in taking old hardware like DVRs, printers, scanners, smartphones, dongles etc into stuff like open linux machines, plotters, reusing smartphones in the place of Arduinos, etc
just make the checksum-comparition function to always return "true" or correct firmware, so the you can change anything you like in the rest of the file and it wont be overwritten on boot.
Fantastic
You big bloody tease.
One ideea and probably I'm way off, but since we are seeing references to other Atmel chips in the text section , is it possible one of those has a known architecture and by finding the corresponding firmware we could then break it down for a known architecture first?
I didn't check, but I think they're all the ids of different flash chips, not processors. If you have a hunch about something, though, be my guest to follow it up!
I think your cat had some thoughts at 14.17....
Forgive me for stating the obvious, but can you not just NOP out the call to the checksum check?
Unfortunately not... because it's not actually a checksum check. Just a memcmp that checks the flash upgrade did its job correctly
@@OpenTechLab OK - I thought you were looking at the firmware bootstrap, not the flash upgrade. NOPping out the firmware integrity checks is something I've done in the past :D
Yeah I actually tried something along those lines, but of course even if the flasher software is tricked into thinks a hacked firmware image is valid, it won't make any difference to the boot-loader which will load the firmware after rebooting
@@OpenTechLab Just out of curiosity - did you check out the function at 82bac? The function you've called "unknown_func()". There be dragons? :)
Not yet, no. There's a lot of unknowns to explore
MediaDSP3200/MediaDSP3201 (or MD32 for short) architecture:
slideplayer.com/slide/15233183/
person.zju.edu.cn/person/attachments/2017-09/07-1506579034-711542.ppt
edit: r-type encoding seems different...
Wow! Nice find. Amazing
It would appear ive fallen down the wrong rabbit hole and now im lost and confused. Im very far from your level of knowledge and understanding but it has brought light to the reason I never throw electronics away. I have for years looked at boards similar and well just about every board ever made and wished I could command it to well be my bitch. LOL Gld ive found your channel its very intresting.
Could it be a Tensilica core?
As in Xtensa? Looking at the ISA, I don't think that one's a match. The other guy suggest "C-SKY" - which seems closer
Probably I've found compression library. Same name, BSD license and It might be it. github.com/antirez/smaz