| Both sides previous revision
Previous revision
Next revision
|
Previous revision
Next revision
Both sides next revision
|
videos:020:notes [2019/10/15 18:08]
joel |
videos:020:notes [2019/11/08 14:08]
joel [LKV373 Project Update - Building IT9919 Software with GCC] |
| * [[https://github.com/jhol/otl-lkv373a-tools/tree/master/smazdec|smazdec Tool]] | ====== LKV373 Project Update - Building IT9919 Software with GCC ====== |
| | <html><iframe width="854" height="480" src="https://www.youtube.com/embed/ogEaNfTOc2k" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></html> |
| | |
| | <panel title="Summary" subtitle="Now 7, 2019"> |
| | <panel-body>In this series I have been hacking around with the IT9919 media processor that powers the Lenkeng LKV373 HDMI Extender Device and the EZCAP 283S which were reviewed in previous videos. |
| | |
| | In this video we look at some of the latest of discoveries, and demonstrate how we can now compile code for the device using GCC.</panel-body> |
| | <list-group> |
| | * [[https://youtu.be/ogEaNfTOc2k|YouTube]] |
| | * [[https://peertube.social/videos/watch/d8605b11-6416-4ce7-9dd3-b50b80b478ed|PeerTube]] |
| | </list-group> |
| | </panel> |
| | |
| | ===== Links ===== |
| | * [[https://github.com/jhol/otl-lkv373a-tools|Project Git Repository]] |
| | * [[https://github.com/jhol/otl-lkv373a-tools/tree/master/smazdec|smazdec Tool]] |
| | * or1k GCC Demo Software: [[https://github.com/jhol/otl-lkv373a-tools/tree/master/or1k-hello-world|or1k-hello-world]] |
| | * or1k GCC Tool-chain build script: [[https://github.com/jhol/otl-lkv373a-tools/blob/master/make-tool-chain.sh|make-tool-chain.sh]] |
| | * IRC Channel: #lkv373a on [[https://freenode.net/|FreeNode]] |
| | * [[https://github.com/v3l0c1r4pt0r/lkv-wiki/wiki|lkv-wiki]] |
| | |
| | ===== Known SDK Repositories ===== |
| | * <del>http://219.87.84.106/tree/~bsp2%2Fbr06p.git/br06p</del> |
| | * https://github.com/MindyWei/20171003_Doorbell_SDK_v1.2.3.1_758862 |
| | * https://github.com/bill611/ite-sdk |
| | * https://github.com/kennydeng/CtrlBoard_SDK |
| | * https://github.com/kennydeng/controlboard |
| | * https://github.com/kennydeng/Midea_Hsg_SDK_V2281 |
| | * https://github.com/KennyOP2 |
| | ===== Newlib ===== |
| | * [[https://www.sourceware.org/newlib/|Newlib]] |
| | * [[https://www.sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;a=blob;f=newlib/libc/stdio/puts.c|puts.c]] |
| | * [[https://www.sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;a=tree;f=libgloss/or1k|libgloss: or1k]] |
| | * [[https://www.sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;a=blob;f=libgloss/or1k/syscalls.c|syscalls.c]] |
| | ===== Finding ''__sfv_write_r'' ===== |
| | I used my call-graph script from the previous video to dump out the call-graph of the whole of the Lenkeng upgrader software. I then used the ''networkx'' graph library in python to isolate the sub-graph of functions called by ''puts()'' which I knew the address of from previous experiments, which gave this diagram: |
| | |
| | {{:videos:020:20191002-puts-printf-subgraph.dot.png?800|}} |
| | |
| | From various other hints in the strings, I suspected the software contained a build of newlib of whatever vintage. |
| | |
| | I then used the or1k disassembler to try and piece together a plausible theory for the number and type arguments to the various functions called by ''puts''. |
| | |
| | Still quite uncertain, I decided to take a punt on ''0xa512c'' being the correct address, and voila - it worked! |
| | |
| | In future jobs like this will be a bit easier, because //v3l0c1r4pt0r// has written a [[https://github.com/v3l0c1r4pt0r/radare2-or1k|patch]] for radare2 that adds support for or1k. |
| | |