In this video we look at some of the latest discoveries, and demonstrate how we can now compile code for the device using GCC.
I used my call-graph script from the previous video to dump out the call-graph of the whole of the Lenkeng upgrader software. I then used the networkx graph library in Python to isolate the sub-graph of functions called by puts(), whose address I knew from previous experiments, which gave this diagram:
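The sub-graph extraction described above, written out as an added example (not the author's script): it builds a directed call graph from a list of (caller, callee) edges, keeps only puts() and everything reachable from it, and reports the leaf functions and call depths, which is the information you want when guessing which routine sits on the UART. The edge list and function names are constructed for this example; a real run would feed in the edges dumped by a call-graph script.

```python
import networkx as nx

# Constructed sample call edges (caller, callee). These stand in for the output of a
# call-graph dump of a firmware image; the names are plausible newlib symbols but the
# edges are made up for this example.
SAMPLE_EDGES = [
    ("main", "puts"),
    ("main", "printf"),
    ("main", "memcpy"),
    ("puts", "_puts_r"),
    ("_puts_r", "__swbuf_r"),
    ("_puts_r", "_fflush_r"),
    ("__swbuf_r", "__sflush_r"),
    ("_fflush_r", "__sflush_r"),
    ("__sflush_r", "_write_r"),
    ("_write_r", "uart_putc"),
    ("printf", "_vfprintf_r"),
    ("_vfprintf_r", "__swbuf_r"),
]


def build_call_graph(edges):
    """Directed graph with an edge caller -> callee for every call site."""
    g = nx.DiGraph()
    g.add_edges_from(edges)
    return g


def callee_subgraph(g, root):
    """Sub-graph containing `root` plus every function transitively called by it.

    Callers of `root` (main, printf, ...) are deliberately excluded: we only
    want what lies beneath the function whose address we already know.
    """
    if root not in g:
        raise KeyError(f"{root!r} is not a node in the call graph")
    reachable = nx.descendants(g, root) | {root}
    return g.subgraph(reachable).copy()


def leaf_functions(sg):
    """Functions in the sub-graph that call nothing else.

    In a newlib build these are the bottom of the I/O stack: the raw write
    routine or the driver that pokes the UART registers.
    """
    return sorted(n for n in sg.nodes if sg.out_degree(n) == 0)


def call_depth(sg, root):
    """Shortest number of calls from `root` to each reachable function."""
    return nx.single_source_shortest_path_length(sg, root)


def to_dot(sg):
    """Minimal Graphviz DOT rendering, for drawing the diagram with `dot -Tpng`."""
    lines = ["digraph callgraph {"]
    for caller, callee in sorted(sg.edges):
        lines.append(f'    "{caller}" -> "{callee}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    graph = build_call_graph(SAMPLE_EDGES)
    puts_graph = callee_subgraph(graph, "puts")
    print("functions reachable from puts():", sorted(puts_graph.nodes))
    print("leaf functions:", leaf_functions(puts_graph))
    print("call depth from puts():", call_depth(puts_graph, "puts"))
    print(to_dot(puts_graph))
```

Piping the DOT output through Graphviz gives the diagram; the leaf list is the short list of candidates to disassemble first when looking for the routine that actually emits a character.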
From various other hints in the strings, I suspected the software contained a build of newlib of some vintage.
I then used the or1k disassembler to try to piece together a plausible theory of the number and types of the arguments to the various functions called by puts().
Still quite uncertain, I decided to take a punt on 0xa512c being the correct address, and voila - it worked!
In future, jobs like this will be a bit easier, because v3l0c1r4pt0r has written a patch for radare2 that adds support for or1k.