videos:020:notes [2019/09/08 06:25]
joel created
videos:020:notes [2019/11/08 14:08] (current)
joel [LKV373 Project Update - Building IT9919 Software with GCC]
Line 1: Line 1:
-{{:​videos:​020:​20190908-mkrom-ghidra.png?400|}}+====== LKV373 Project Update - Building IT9919 Software with GCC ====== 
 +<​html><​iframe width="​854"​ height="​480"​ src="​https://​www.youtube.com/​embed/​ogEaNfTOc2k"​ frameborder="​0"​ allow="​accelerometer;​ autoplay; encrypted-media;​ gyroscope; picture-in-picture"​ allowfullscreen></​iframe></​html>​ 
 + 
 +<panel title="​Summary"​ subtitle="​Now 7, 2019">​ 
 +<​panel-body>​In this series I have been hacking around with the IT9919 media processor that powers the Lenkeng LKV373 HDMI Extender Device and the EZCAP 283S which were reviewed in previous videos. 
 + 
 +In this video we look at some of the latest of discoveries,​ and demonstrate how we can now compile code for the device using GCC.</​panel-body>​ 
 +<​list-group>​ 
 +  * [[https://​youtu.be/​ogEaNfTOc2k|YouTube]] 
 +  * [[https://​peertube.social/​videos/​watch/​d8605b11-6416-4ce7-9dd3-b50b80b478ed|PeerTube]] 
 +</​list-group>​ 
 +</​panel>​ 
 + 
 +===== Links ===== 
 +  * [[https://​github.com/​jhol/​otl-lkv373a-tools|Project Git Repository]] 
 +    * [[https://​github.com/​jhol/​otl-lkv373a-tools/​tree/​master/​smazdec|smazdec Tool]] 
 +    * or1k GCC Demo Software: [[https://​github.com/​jhol/​otl-lkv373a-tools/​tree/​master/​or1k-hello-world|or1k-hello-world]] 
 +    * or1k GCC Tool-chain build script: [[https://​github.com/​jhol/​otl-lkv373a-tools/​blob/​master/​make-tool-chain.sh|make-tool-chain.sh]] 
 +  * IRC Channel: #lkv373a on [[https://​freenode.net/​|FreeNode]] 
 +  * [[https://​github.com/​v3l0c1r4pt0r/​lkv-wiki/​wiki|lkv-wiki]] 
 + 
 +===== Known SDK Repositories ===== 
 +  * <​del>​http://​219.87.84.106/​tree/​~bsp2%2Fbr06p.git/​br06p</​del>​ 
 +  * https://​github.com/​MindyWei/​20171003_Doorbell_SDK_v1.2.3.1_758862 
 +  * https://​github.com/​bill611/​ite-sdk 
 +  * https://​github.com/​kennydeng/​CtrlBoard_SDK 
 +  * https://​github.com/​kennydeng/​controlboard 
 +  * https://​github.com/​kennydeng/​Midea_Hsg_SDK_V2281 
 +  * https://​github.com/​KennyOP2 
 +===== Newlib ===== 
 +  * [[https://​www.sourceware.org/​newlib/​|Newlib]] 
 +    * [[https://​www.sourceware.org/​git/​gitweb.cgi?​p=newlib-cygwin.git;​a=blob;​f=newlib/​libc/​stdio/​puts.c|puts.c]] 
 +    * [[https://​www.sourceware.org/​git/​gitweb.cgi?​p=newlib-cygwin.git;​a=tree;​f=libgloss/​or1k|libgloss:​ or1k]] 
 +      * [[https://​www.sourceware.org/​git/​gitweb.cgi?​p=newlib-cygwin.git;​a=blob;​f=libgloss/​or1k/​syscalls.c|syscalls.c]] 
 +===== Finding ''​__sfv_write_r''​ ===== 
 +I used my call-graph script from the previous video to dump out the call-graph of the whole of the Lenkeng upgrader software. I then used the ''​networkx''​ graph library in python to isolate the sub-graph of functions called by ''​puts()''​ which I knew the address of from previous experiments,​ which gave this diagram: 
 + 
 +{{:​videos:​020:​20191002-puts-printf-subgraph.dot.png?800|}} 
 + 
 +From various other hints in the strings, I suspected the software contained a build of newlib of whatever vintage. 
 + 
 +I then used the or1k disassembler to try and piece together a plausible theory for the number and type arguments to the various functions called by ''​puts''​. 
 + 
 +Still quite uncertain, I decided to take a punt on ''​0xa512c''​ being the correct address, and voila - it worked! 
 + 
 +In future jobs like this will be a bit easier, because //​v3l0c1r4pt0r//​ has written a [[https://​github.com/​v3l0c1r4pt0r/​radare2-or1k|patch]] for radare2 that adds support for or1k. 
 +
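Review bot: the "Finding ''__sfv_write_r''" section at the end of this revision never names the function in its body, so a reader cannot tell that ''0xa512c'' is the address being proposed for it, nor what "it worked" was checked against. Suggest saying explicitly that ''0xa512c'' is the candidate address for the function in the heading, and adding one sentence on how the guess was confirmed (for example, which call produced the expected output). It would also help to confirm the symbol's spelling against the puts.c linked under Newlib, so the heading can be matched to the upstream source. Two smaller points in the Summary panel: the subtitle reads "Now 7, 2019", which looks like a typo for a November date given that the revision is dated 2019/11/08, and "the latest of discoveries" reads better as "the latest discoveries".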