videos:020:notes [2019/09/08 06:25]
joel created
videos:020:notes [2021/01/13 14:21] (current)
joel [LKV373 Project Update - Building IT9919 Software with GCC]
Line 1: Line 1:
-{{:videos:020:20190908-mkrom-ghidra.png?400|}}+====== LKV373 Project Update - Building IT9919 Software with GCC ====== 
 +<html><iframe width="854" height="480" src="https://www.youtube.com/embed/ogEaNfTOc2k" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></html> 
 + 
 +<panel title="Summary" subtitle="Nov 7, 2019"> 
 +<panel-body>In this series I have been hacking around with the IT9919 media processor that powers the Lenkeng LKV373 HDMI Extender Device and the EZCAP 283S which were reviewed in previous videos. 
 + 
 +In this video we look at some of the latest of discoveries, and demonstrate how we can now compile code for the device using GCC.</panel-body> 
 +<list-group> 
 +  * [[https://odysee.com/@OpenTechLab:f/otl-020-it9919-update:0|odysee]] 
 +  * [[https://youtu.be/ogEaNfTOc2k|YouTube]] 
 +  * [[https://peertube.social/videos/watch/d8605b11-6416-4ce7-9dd3-b50b80b478ed|PeerTube]] 
 +</list-group> 
 +</panel> 
 + 
 +===== Links ===== 
 +  * [[https://github.com/jhol/otl-lkv373a-tools|Project Git Repository]] 
 +    * [[https://github.com/jhol/otl-lkv373a-tools/tree/master/smazdec|smazdec Tool]] 
 +    * or1k GCC Demo Software: [[https://github.com/jhol/otl-lkv373a-tools/tree/master/or1k-hello-world|or1k-hello-world]] 
 +    * or1k GCC Tool-chain build script: [[https://github.com/jhol/otl-lkv373a-tools/blob/master/make-tool-chain.sh|make-tool-chain.sh]] 
 +  * IRC Channel: #lkv373a on [[https://freenode.net/|FreeNode]] 
 +  * [[https://github.com/v3l0c1r4pt0r/lkv-wiki/wiki|lkv-wiki]] 
 + 
 +===== Known SDK Repositories ===== 
 +  * <del>http://219.87.84.106/tree/~bsp2%2Fbr06p.git/br06p</del> 
 +  * https://github.com/MindyWei/20171003_Doorbell_SDK_v1.2.3.1_758862 
 +  * https://github.com/bill611/ite-sdk 
 +  * https://github.com/kennydeng/CtrlBoard_SDK 
 +  * https://github.com/kennydeng/controlboard 
 +  * https://github.com/kennydeng/Midea_Hsg_SDK_V2281 
 +  * https://github.com/KennyOP2 
 +===== Newlib ===== 
 +  * [[https://www.sourceware.org/newlib/|Newlib]] 
 +    * [[https://www.sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;a=blob;f=newlib/libc/stdio/puts.c|puts.c]] 
 +    * [[https://www.sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;a=tree;f=libgloss/or1k|libgloss: or1k]] 
 +      * [[https://www.sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;a=blob;f=libgloss/or1k/syscalls.c|syscalls.c]] 
 +===== Finding ''__sfv_write_r'' ===== 
 +I used my call-graph script from the previous video to dump out the call-graph of the whole of the Lenkeng upgrader software. I then used the ''networkx'' graph library in python to isolate the sub-graph of functions called by ''puts()'' which I knew the address of from previous experiments, which gave this diagram: 
 + 
 +{{:videos:020:20191002-puts-printf-subgraph.dot.png?800|}} 
 + 
 +From various other hints in the strings, I suspected the software contained a build of newlib of whatever vintage. 
 + 
 +I then used the or1k disassembler to try and piece together a plausible theory for the number and type arguments to the various functions called by ''puts''
 + 
 +Still quite uncertain, I decided to take a punt on ''0xa512c'' being the correct address, and voila - it worked! 
 + 
 +In future jobs like this will be a bit easier, because //v3l0c1r4pt0r// has written a [[https://github.com/v3l0c1r4pt0r/radare2-or1k|patch]] for radare2 that adds support for or1k. 
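Review bot: In the "Finding ''__sfv_write_r''" section, the address ''0xa512c'' is never tied to the symbol in the heading or to a specific firmware image. The text only says it was "the correct address", and the ''puts()'' address the sub-graph was rooted at is not given at all. Please state which function ''0xa512c'' is, the ''puts()'' address used, and the version or checksum of the Lenkeng upgrader binary these offsets apply to, so a reader with a different build does not call into the wrong location. Also check the symbol spelling in the heading: newlib's puts.c, linked in the Newlib section, calls ''__sfvwrite_r''. The sentence ending "number and type arguments to the various functions called by ''puts''" is missing an "of" and its full stop.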
 +