hughes sd-hbh dump 7 Months, 4 Weeks ago
Karma: 3
4meg flash dump from a hughes sd-hbh sti5516 based receiver with rid chip.
I did a jkeys dump as a first step towards making a toolset based jtag program.
I xx'ed out the receiver serial number and receiver id, it is near the end of the dump
in the bootstrap section I assume.
The administrator has disabled public write access.
9u4rk (User)
Expert Boarder
Posts: 112
Re:hughes sd-hbh dump 7 Months, 3 Weeks ago
Karma: 0
Hi guys.
Well done, @slugworth!
Best regards.
9u4rk (User)
Expert Boarder
Posts: 112
Re:hughes sd-hbh dump 7 Months, 3 Weeks ago
Karma: 0
Hi guys.
I'd like to have a look at your dump @slugworth and I'm thinking of using IDA.
Looking at the STi5516 memory map I'd say that flash's base start address would be 0x40000000 but if we have a look at any jKeys.def we realise that it should be 0x7FC00000, when we're dealing with a 4MB flash.
Am I correct, base start address = 0x7FC00000?
If so, does it mean flash size is always subtracted from Region 3 (STi5516 datasheet) top address?
Thx in advance.
Best regards.
Re:hughes sd-hbh dump 7 Months, 3 Weeks ago
Karma: 3
I never used ida, but the ram may be at 40000000 and firmware may be relocated
to ram and run, just a guess. There were other st20 disassemblers that people
used on the sti5518, I will have to dig through my archives to retrieve those.
The code may be similar.
Re:hughes sd-hbh dump 7 Months, 3 Weeks ago
Karma: 3
If jkeys doesn't burp I may be able to dump ram also.
Re:hughes sd-hbh dump 7 Months, 3 Weeks ago
Karma: 3
jkeys def to autodetect the receiver.
Naturally you can only dump flash, but with this you don't have to guess
at the jkeys settings.
Code:
Micro, 14, 1, "STi5516FWC", 0xD41D041, 0xfffffff
IRD, 13, "SD-HBH", 14, 1, 1, 1, 2, 2, 0, 0, 0, 0, 0x7fff005f , 0, "HBH", 5, 4
IRDFlash, 13, "Flash 1(M29W320DB)", 0x22CB, 0x7FC00000, 0x400000, 2, 2, 0
IRDFlash, 13, "Flash 2(28F320J3A)", 0x16, 0x7FC00000, 0x400000, 2, 2, 0
IRDFlash, 13, "Flash 3(M28W320CB)", 0x88BB, 0x7FC00000, 0x400000, 2, 2, 0
Re:hughes sd-hbh dump 7 Months, 3 Weeks ago
Karma: 3
jkeys uses an ascii string to try to determine the receiver type.
You search a dump for a 3 letter string that is the same in all
receivers of that type and adjust the jkeys .def string accordingly.
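Putting the two posts above together, as an added example that is not from the thread or from jKeys itself: a Python script that parses the .def lines quoted above (the Micro, IRD and IRDFlash records), looks for the 3-letter detection string in a dump the way the post describes, and maps a dump file offset back to the flash address given in the IRDFlash entries. The field meanings, the function names and the sample dump are assumptions of this example, not documented jKeys behaviour.

```python
import re

# Added example, not jKeys code. DEF_TEXT is the .def exactly as posted; field
# meanings are assumed from those lines: IRD = model name and 3-letter detection
# string (its two quoted fields); IRDFlash = name, chip id, base address, size.
DEF_TEXT = """\
Micro, 14, 1, "STi5516FWC", 0xD41D041, 0xfffffff
IRD, 13, "SD-HBH", 14, 1, 1, 1, 2, 2, 0, 0, 0, 0, 0x7fff005f , 0, "HBH", 5, 4
IRDFlash, 13, "Flash 1(M29W320DB)", 0x22CB, 0x7FC00000, 0x400000, 2, 2, 0
IRDFlash, 13, "Flash 2(28F320J3A)", 0x16, 0x7FC00000, 0x400000, 2, 2, 0
IRDFlash, 13, "Flash 3(M28W320CB)", 0x88BB, 0x7FC00000, 0x400000, 2, 2, 0
"""
# Constructed 4 KiB stand-in for a dump: "HBH" at offset 0x100, rest erased (0xFF).
SAMPLE_DUMP = b"\xff" * 0x100 + b"HBH" + b"\xff" * (0x1000 - 0x103)

def field(tok):
    # Quoted -> string without quotes; hex/decimal -> int; else bare keyword.
    if tok[:1] == '"':
        return tok.strip('"')
    return int(tok, 0) if tok[:1].isdigit() else tok

def parse_def(text):
    # Returns (irds, flashes) as lists of dicts; other record types are skipped.
    irds, flashes = [], []
    for line in filter(str.strip, text.splitlines()):
        f = [field(t.strip()) for t in line.split(",")]
        if f[0] == "IRD":
            name, id_string = [x for x in f[1:] if isinstance(x, str)]
            irds.append({"name": name, "id_string": id_string})
        elif f[0] == "IRDFlash":
            flashes.append({"name": f[2], "chip_id": f[3], "base": f[4], "size": f[5]})
    return irds, flashes

def find_id_string(dump, id_string):
    return [m.start() for m in re.finditer(re.escape(id_string.encode()), dump)]

def detect_receiver(dump, def_text=DEF_TEXT):
    # Name of the first IRD whose detection string appears in the dump, else None.
    irds, _ = parse_def(def_text)
    return next((i["name"] for i in irds if find_id_string(dump, i["id_string"])), None)

def offset_to_address(offset, flashes):
    # Dump offset -> CPU address; the listed chips must describe one window.
    windows = {(fl["base"], fl["base"] + fl["size"]) for fl in flashes}
    if len(windows) != 1:
        raise ValueError("flash entries disagree: %r" % sorted(windows))
    base, end = windows.pop()
    if not 0 <= offset < end - base:
        raise ValueError("offset 0x%X is outside the flash window" % offset)
    return base + offset
```

With the posted entries the window runs from 0x7FC00000 up to but not including 0x80000000, so the last byte of a 4MB dump maps to 0x7FFFFFFF and any larger offset is rejected.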
Re:hughes sd-hbh dump 7 Months, 3 Weeks ago
Karma: 3
I tried to do a ram dump @4000 0000 but it came back all zeroes.
The ram must be at C000 0000 instead.
ram it 7 Months, 3 Weeks ago
Karma: 3
ram starts at address 0xC000 0000.
An interesting snip:
Code:
00000000 2D4F 522D 0000 0000 0000 0000 506C 6561 -OR-........Plea
00000010 7365 2069 6E73 6572 7420 796F 7572 2041 se insert your A
00000020 6363 6573 7320 4361 7264 2E0A 5265 6365 ccess Card..Rece
00000030 6976 6572 3D25 7300 466F 7220 6F72 6465 iver=%s.For orde
00000040 7269 6E67 2069 6E66 6F72 6D61 7469 6F6E ring information
00000050 2C0A 706C 6561 7365 2063 616C 6C20 6375 ,.please call cu
00000060 7374 6F6D 6572 2073 6572 7669 6365 2C20 stomer service,
00000070 6578 742E 2037 3232 2E00 0000 466F 7220 ext. 722....For
00000080 6F72 6465 7269 6E67 2069 6E66 6F72 6D61 ordering informa
00000090 7469 6F6E 2C0A 706C 6561 7365 2063 616C tion,.please cal
000000A0 6C20 6375 7374 6F6D 6572 2073 6572 7669 l customer servi
000000B0 6365 2C20 6578 742E 2037 3435 2E00 0000 ce, ext. 745....
000000C0 596F 7572 2041 6363 6573 7320 4361 7264 Your Access Card
000000D0 2069 7320 6675 6C6C 2E0A 506C 6561 7365 is full..Please
000000E0 2063 616C 6C20 6375 7374 6F6D 6572 2073 call customer s
000000F0 6572 7669 6365 2C20 6578 742E 2037 3331 ervice, ext. 731
00000100 2E00 0000 466F 7220 6F72 6465 7269 6E67 ....For ordering
00000110 2069 6E66 6F72 6D61 7469 6F6E 2C0A 706C information,.pl
00000120 6561 7365 2063 616C 6C20 6375 7374 6F6D ease call custom
00000130 6572 2073 6572 7669 6365 2C20 6578 742E er service, ext.
00000140 2037 3332 2E00 0000 596F 7520 6861 7665 732....You have
00000150 2069 6E73 6572 7465 6420 7468 6520 7772 inserted the wr
00000160 6F6E 6720 6361 7264 2E0A 4361 7264 3D25 ong card..Card=%
00000170 7320 5263 7672 3D25 7300 0000 466F 7220 s Rcvr=%s...For
00000180 6F72 6465 7269 6E67 2069 6E66 6F72 6D61 ordering informa
00000190 7469 6F6E 2C0A 706C 6561 7365 2063 616C tion,.please cal
000001A0 6C20 6375 7374 6F6D 6572 2073 6572 7669 l customer servi
000001B0 6365 2C20 6578 742E 2037 3333 2E00 0000 ce, ext. 733....
000001C0 5468 6973 2041 6363 6573 7320 4361 7264 This Access Card
000001D0 2069 7320 6E6F 206C 6F6E 6765 7220 7661 is no longer va
000001E0 6C69 642E 0A50 6C65 6173 6520 696E 7365 lid..Please inse
000001F0 7274 2079 6F75 7220 6E65 7720 4163 6365 rt your new Acce
00000200 7373 2043 6172 642E 0000 0000 5468 6973 ss Card.....This
00000210 2073 686F 7769 6E67 2069 7320 6E6F 206C showing is no l
00000220 6F6E 6765 7220 6176 6169 6C61 626C 652E onger available.
00000230 0A43 6865 636B 2047 7569 6465 2066 6F72 .Check Guide for
00000240 206F 7468 6572 2073 686F 7774 696D 6573 other showtimes
00000250 2E00 0000 546F 2072 6571 7565 7374 2050 ....To request P
00000260 5056 2063 6170 6162 696C 6974 792C 0A70 PV capability,.p
00000270 6C65 6173 6520 6361 6C6C 2063 7573 746F lease call custo
00000280 6D65 7220 7365 7276 6963 652C 2065 7874 mer service, ext
00000290 2E20 3733 342E 0000 596F 7520 6172 6520 . 734...You are
000002A0 6175 7468 6F72 697A 6564 2066 6F72 2074 authorized for t
000002B0 6869 7320 7072 6F67 7261 6D2E 0000 0000 his program.....
000002C0 0A50 6C65 6173 6520 696E 7365 7274 2061 .Please insert a
000002D0 2076 616C 6964 2041 6363 6573 7320 4361 valid Access Ca
000002E0 7264 2E00 596F 7520 6861 7665 2061 6C72 rd..You have alr
000002F0 6561 6479 2070 7572 6368 6173 6564 2074 eady purchased t
00000300 6869 7320 7072 6F67 7261 6D2E 0000 0000 his program.....
00000310 506C 6561 7365 2074 7279 2061 6761 696E Please try again
00000320 2C0A 6F72 2063 616C 6C20 6375 7374 6F6D ,.or call custom
00000330 6572 2073 6572 7669 6365 2C20 6578 742E er service, ext.
00000340 2037 3431 2E00 0000 466F 7220 6F72 6465 741....For orde
00000350 7269 6E67 2069 6E66 6F72 6D61 7469 6F6E ring information
00000360 2C0A 706C 6561 7365 2063 616C 6C20 6375 ,.please call cu
00000370 7374 6F6D 6572 2073 6572 7669 6365 2C20 stomer service,
00000380 6578 742E 2037 3433 2E00 0000 0A54 6861 ext. 743.....Tha
00000390 6E6B 2079 6F75 2E20 456E 6A6F 7920 796F nk you. Enjoy yo
000003A0 7572 2070 726F 6772 616D 2E00 596F 7572 ur program..Your
000003B0 2070 7572 6368 6173 6520 7761 7320 7375 purchase was su
000003C0 6363 6573 7366 756C 6C79 2063 616E 6365 ccessfully cance
000003D0 6C65 642E 0000 0000 556E 6162 6C65 2074 led.....Unable t
000003E0 6F20 7065 7266 6F72 6D20 7468 6973 206F o perform this o
000003F0 7065 7261 7469 6F6E 0A61 7420 7468 6973 peration.at this
00000400 2074 696D 652E 0000 506C 6561 7365 2074 time...Please t
00000410 7279 2061 6761 696E 2C0A 6F72 2063 616C ry again,.or cal
00000420 6C20 6375 7374 6F6D 6572 2073 6572 7669 l customer servi
00000430 6365 2C20 6578 742E 2037 3432 2E00 0000 ce, ext. 742....
00000440 466F 7220 6F72 6465 7269 6E67 2069 6E66 For ordering inf
00000450 6F72 6D61 7469 6F6E 2C0A 706C 6561 7365 ormation,.please
00000460 2063 616C 6C20 6375 7374 6F6D 6572 2073 call customer s
00000470 6572 7669 6365 2C20 6578 742E 2037 3434 ervice, ext. 744
9u4rk (User)
Expert Boarder
Posts: 112
Re:hughes sd-hbh dump 7 Months, 3 Weeks ago
Karma: 0
Hi guys.
Very good job @slugworth. Nice code snippet...
One question, though: how did you get jKeys to do it? Any unusual configuration, or is it a matter of giving the right start and end addresses?
Best regards.
Re:hughes sd-hbh dump 7 Months, 3 Weeks ago
Karma: 3
Just select user defined address and give it a range of 200000 hex for a 2meg
dump. Then hit the save mem button. I didn't get any dcu peek errors.
Re:hughes sd-hbh dump 7 Months, 3 Weeks ago
Karma: 3
Another interesting chunk of ram.
Code:
00000000 4156 4841 4C2D 5245 4C5F 322E 312E 3120 AVHAL-REL_2.1.1
00000010 4558 5045 5249 4D45 4E54 414C 2053 5469 EXPERIMENTAL STi
00000020 3535 3136 4200 2020 7122 2420 2F2F 59D2 5516B. q"$ //Y.
9u4rk (User)
Expert Boarder
Posts: 112
Re:hughes sd-hbh dump 7 Months, 2 Weeks ago
Karma: 0
Hi guys.
slugworth wrote:
QUOTE: I never used ida, but the ram may be at 40000000 and firmware may be relocated
to ram and run, just a guess. There were other st20 disassemblers that people
used on the sti5518 [...]
Couldn't we use ST20 ToolSet to debug/disassemble firmware? I've been reading the manual but there are quite a number of pages and it takes time to digest it...
Best regards.
Re:hughes sd-hbh dump 7 Months, 2 Weeks ago
Karma: 3
I think you would need a dedicated disassembler, it may be too different
from the sti5518 based ones.
Not a factor at this stage of the game anyway.
Once you can jtag I would leave that up to somebody higher up on the food chain.
Last Edit: 2010/01/26 22:09 By slugworth.