====== IT9919 Hacking - part 4 - Diving into the boot ROM ======
<html><iframe width="854" height="480" src="https://www.youtube.com/embed/SYksf7Cbp-Q" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></html>

<panel title="Summary" subtitle="Aug 25, 2019">
<panel-body>In this series I will be hacking around with the IT9919 media processor that powers the Lenkeng LKV373 HDMI Extender Device and the EZCAP 283S which were reviewed in previous videos.

In this video I investigate the booting mechanism to try and uncover the mystery of the SMAZ compressions scheme and checksum.</panel-body>
<list-group>
  * [[https://odysee.com/@OpenTechLab:f|odysee]]
  * [[https://youtu.be/SYksf7Cbp-Q|YouTube]]
  * [[https://peertube.social/videos/watch/d9a0cff6-0047-4dc0-8352-5d9cc6042d85|PeerTube]]
</list-group>
</panel>

===== Tools =====
  * [[https://github.com/jhol/otl-lkv373a-tools|Project Git Repository]]
    * [[https://github.com/jhol/otl-lkv373a-tools/tree/master/smedia|Work-in-progress SMEDIA/SMAZ decoder]]
    * [[https://github.com/jhol/otl-lkv373a-tools/issues/1|Discussion: Towards SMAZ decompression]]
===== Source Information =====
  * [[https://blog.danman.eu/new-version-of-lenkeng-hdmi-over-ip-extender-lkv373a/|Danman's Original Blog Post]]
  * v3l0c1r4pt0r: Reverse Engineering the LKV373A
      - [[https://re-ws.pl/2017/09/importlkv373a-hdmi-to-ethernet-converter-firmware-image-format/|Firmware image format]]
      - [[https://re-ws.pl/2017/09/identifying-processor-architecture/|Identifying processor architecture]]
      - [[https://re-ws.pl/2017/09/lkv373a-reverse-engineering-instruction-set-architecture/|Reverse engineering instruction set architecture]]
      - [[https://re-ws.pl/2017/11/lkv373a-crafting-elf/|Crafting ELF]]
      - [[https://re-ws.pl/2017/12/lkv373a-porting-objdump/|Porting objdump]]
      - [[https://re-ws.pl/2018/01/lkv373a-state-of-the-reverse-engineering/|State of the reverse engineering]]
  * [[https://github.com/v3l0c1r4pt0r/lkv-wiki/wiki|lkv-wiki]]
    * [[https://github.com/v3l0c1r4pt0r/lkv-wiki/wiki/Instruction-Set-Architecture|Instruction Set Architecture]]
  * [[https://github.com/gyrex/CrystalVideo/tree/master/Docs/Parts/ITE%20IT9910%20(H.264%20Encoder)|Leaked IT9910 Data Sheet]]
  * [[https://drive.google.com/drive/u/0/folders/0B3mWuDyxrXyKZkxwYi1JNllENXc|Daniel Kucera's Repository]] (includes upgrade files, and other captured information).
  * {{ :videos:016:ith_defs.h.txt |ith_defs.h}}

===== Firmware Backups =====
  * Backups of the original content of the flash chips: {{ :videos:016:20181226-lkv-373a-backups.zip |}}

===== Boot Rom =====

  * Internal Bootloader ROM: {{ :videos:016:20190318-rom.zip |}}

==== Call Graph ====

Functions are labelled with: address, number of instructions, presence of SMED(IA02) and SMAZ comparisons, and register accesses.
{{:videos:016:20190411-call-graph.png?600|}}

==== Flash Loader Function ====
  * Annotated disassembly: {{ :videos:016:20190520-ssi-loader.txt |}}

===== SMAZ Decoding =====
{{ :videos:019:20190830-corpus.tar.bz2 |}}