./gxemul.exe -J -vvv -V -M 0 -Q -E testsmp86xx 0xb0800000:zboot.bin
tar xzf lzmaloader.tar.gz
cd lzmaloader
make -C lzma/C/7zip/Compress/LZMA_Alone -f makefile.gcc
lzma/C/7zip/Compress/LZMA_Alone/lzma e /path/to/linux-2.6.15/arch/mips/boot/vmlinux.bin src/vmlinux.lzma -lc1 -lp2 -pb2
cd src
make
net init; load -b tftp://192.168.2.3/path/to/lzma.bin 0x91400000; go
after bootloader:
register 0x00: 01110000 (0x70)
register 0x01: 01010000 (0x50)
register 0x02: 00011111 (0x1f)
register 0x03: 00100111 (0x27)
register 0x04: 10010001 (0x91)
register 0x05: 01111111 (0x7f)
register 0x06: 00000000 (0x00)
register 0x07: 10001101 (0x8d)
register 0x08: 00000000 (0x00)
tv2client running, tv:
register 0x00: 01110000 (0x70)
register 0x01: 01000000 (0x40)
register 0x02: 00011111 (0x1f)
register 0x03: 00100111 (0x27)
register 0x04: 10001001 (0x89)
register 0x05: 01111111 (0x7f)
register 0x06: 00000000 (0x00)
register 0x07: 00001101 (0x0d)
register 0x08: 00000000 (0x00)
chip standby:
register 0x00: 00000001 (0x01)
register 0x01: 11110000 (0xf0)
register 0x02: 00010001 (0x11)
register 0x03: 00010100 (0x14)
register 0x04: 00000000 (0x00)
register 0x05: 00000000 (0x00)
register 0x06: 00000000 (0x00)
register 0x07: 00000000 (0x00)
register 0x08: 00110000 (0x30)
after chip standby:
register 0x00: 00000000 (0x00)
register 0x01: 01000000 (0x40)
register 0x02: 00011111 (0x1f)
register 0x03: 00100111 (0x27)
register 0x04: 10001001 (0x89)
register 0x05: 01111111 (0x7f)
register 0x06: 00000000 (0x00)
register 0x07: 00001101 (0x0d)
register 0x08: 00000000 (0x00)
Low Block Controller
SYS_gpio_dir: 0x38
SYS_gpio_data: 0xf57
SYS_gpio_int: 0a09080d
High Block Controller
GPIO_DIR2: 0x0
GPIO_DATA2: 0x0
// xrpcfinder.cpp : Defines the entry point for the console application.
//
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
//#include <tchar.h>
#include <string.h>
#include <malloc.h>
// Size limits. XRPC_MAXSIZE is the upper bound main() accepts for a block's
// headerandblocksize field; XRPC_HIDESIZE is not referenced in this file.
#define XRPC_HIDESIZE (256*1024)
#define XRPC_MAXSIZE (10*1024*1024)
// Values for xrpc_block_header.callerid (the field is marked deprecated there).
#define XRPC_CALLERID_IGNORED 0
#define XRPC_CALLERID_SIGMA_SER 0xffffffff
// Request ids carried in xrpc_block_header.xrpcid. The list is not contiguous;
// ids missing here are unknown to the author of this tool.
#define XRPC_ID_GETSERIAL 0 // return chip serial number to param0..3
// id 1 is unidentified; NOTE(review): the original note associates it with dvi.bin - unconfirmed
#define XRPC_ID_GETRANDOM 2 // return 32bit of true random to param0
#define XRPC_ID_BONDINGCOMMENT 3 // return the bonding comment to param0..1
#define XRPC_ID_SHA1XOS 4 // outputs SHA-1 of burnt signablearea-xosMxy.bin to param0..4
#define XRPC_ID_XLOAD 5 // the only id main() searches for
#define XRPC_ID_XOSSELFUPDATE 9
#define XRPC_ID_IH_LOAD 13 // interrupt handler
#define XRPC_ID_DRAM 15 /* --- deprecated in xosMa0 */
#define XRPC_ID_XUNLOAD 17
#define XRPC_ID_CACHEDUMP 18 // not implemented in release build
#define XRPC_ID_REBOOT 19
#define XRPC_ID_XBIND 20 // bind/unbind certificate to xload.
#define XRPC_ID_XSTART 21 // start xtask
#define XRPC_ID_XKILL 22 // signal or stop xtask
#define XRPC_ID_GETPROTECTION 23 // Get protection registers
#define XRPC_ID_GETBINDING 24 // Get binding hash
#define XRPC_ID_GETOWNER 25 // Get sector ownership hash
#define XRPC_ID_SETENHANCEDMODE 26 // enhanced mode
#define XRPC_ID_VERSION 27 // Get XOS build version string (!= sha1)
// Values for xrpc_block_header.certtype. main() accepts 0x1..0x9 and 0xff and
// rejects everything else, including 0.
#define XLOAD_CERTTYPE_CPU 0x1
#define XLOAD_CERTTYPE_XTASK1 0x2
#define XLOAD_CERTTYPE_UCODE_VIDEO 0x3
#define XLOAD_CERTTYPE_UCODE_AUDIO 0x4
#define XLOAD_CERTTYPE_UCODE_DEMUX 0x5
#define XLOAD_CERTTYPE_IH 0x6
#define XLOAD_CERTTYPE_XTASK2 0x7
#define XLOAD_CERTTYPE_XTASK3 0x8
#define XLOAD_CERTTYPE_XTASK4 0x9
#define XLOAD_CERTTYPE_XOSU 0xff
/*
 * Header of an XRPC block as this tool expects to find it inside a binary
 * image. The scanner overlays this struct on raw file bytes, so member
 * order and sizes must not change.
 */
struct xrpc_block_header {
    /* Deprecated caller id; set to XRPC_CALLERID_IGNORED. */
    unsigned int callerid;
    /* Request id, one of the XRPC_ID_* values. */
    unsigned int xrpcid;
    /* Call parameters, used for both input and output. */
    unsigned int param0, param1, param2, param3, param4;
    /* Size in bytes of this header plus the data that follows it. */
    unsigned int headerandblocksize;

    /* Certificate and signature fields. NOTE(review): their exact meaning is
       inferred from the names only - confirm against vendor headers. */
    unsigned short certid;
    unsigned char certtype;   /* compared against XLOAD_CERTTYPE_* by main() */
    unsigned char securityID;
    unsigned char PayloadSignCert[0x100];
    unsigned char SignedCertSig[0x100];
    unsigned char PayloadSig[0x100];

    /* Variable-length record data follows; per the original author its
       length is (headerandblocksize-32)-0x304:
       unsigned char RecordData[(headerandblocksize-32)-0x304]; */
};
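/*
 * Scan the file named by argv[1] for embedded XRPC XLOAD blocks and write
 * each plausible block to "<basename>_xrpc_<certtype>_<n>.bin" in the
 * current directory.
 *
 * The input is an arbitrary binary image and must be treated as untrusted:
 * every header field is copied out and bounds-checked against the file size
 * before it is used, and the output file name is built with a bounded
 * formatter.
 *
 * Returns 0 in every case (unchanged from the original tool); failures are
 * reported on stderr.
 */
int main(int argc, char* argv[])
{
    // Signature searched for: callerid == XRPC_CALLERID_IGNORED followed by
    // xrpcid == XRPC_ID_XLOAD, both as little-endian 32-bit values.
    // A looser match (any callerid, any xrpcid below 28) was considered by
    // the original author but is not implemented.
    const char header[] = "\x00\x00\x00\x00\x05\x00\x00\x00";
    const size_t sigLen = sizeof(header) - 1; // 8 signature bytes, NUL excluded

    if (argc < 2 || !argv[1])
        return 0;

    FILE* datei = fopen(argv[1], "rb");
    if (!datei)
        return 0;

    // ftell() reports failure as -1; keep it signed until it has been checked
    // so an error cannot turn into a huge allocation size.
    long fileLen = -1;
    if (fseek(datei, 0, SEEK_END) == 0)
        fileLen = ftell(datei);
    if (fileLen <= 0 || fseek(datei, 0, SEEK_SET) != 0) {
        fclose(datei);
        return 0;
    }
    const unsigned long ulFileSize = (unsigned long)fileLen;

    // Check the allocation before reading into it.
    char* lpBuffer = (char*)malloc(ulFileSize);
    if (!lpBuffer) {
        fclose(datei);
        return 0;
    }
    const size_t bytesRead = fread(lpBuffer, 1, ulFileSize, datei);
    fclose(datei);
    if (bytesRead != ulFileSize) {
        // A short read would leave uninitialized bytes to be scanned.
        fprintf(stderr, "short read on %s\n", argv[1]);
        free(lpBuffer);
        return 0;
    }

    // Output names use only the last path component. Without any separator
    // the whole argument is the base name (the original dropped its first
    // character in that case). '/' is accepted as well as '\\'.
    const char* baseName = argv[1];
    for (const char* p = argv[1]; *p != 0x0; ++p) {
        if (*p == '\\' || *p == '/')
            baseName = p + 1;
    }

    // Room for "_xrpc_" + 2 hex digits + "_" + 10 digits + ".bin" + NUL.
    const size_t nameCap = strlen(baseName) + 32;
    char* outName = (char*)malloc(nameCap);
    if (!outName) {
        free(lpBuffer);
        return 0;
    }

    // Only the fixed fields in front of the signature arrays are inspected.
    // They are copied into a local struct so the scan neither reads past the
    // end of the buffer nor dereferences a misaligned pointer.
    xrpc_block_header hdr;
    const unsigned long fixedLen =
        (unsigned long)((const char*)hdr.PayloadSignCert - (const char*)&hdr);

    unsigned int file_number = 0;
    unsigned long pos = 0;
    while (ulFileSize >= fixedLen && pos <= ulFileSize - fixedLen)
    {
        if (memcmp(lpBuffer + pos, header, sigLen) != 0) {
            pos++;
            continue;
        }

        memcpy(&hdr, lpBuffer + pos, fixedLen);
        const unsigned int blockSize = hdr.headerandblocksize;

        if ((blockSize == 0)                                   // cannot be size 0
            || (blockSize > XRPC_MAXSIZE)                      // too big for xrpc
            || (blockSize > ulFileSize - pos)                  // runs past end of file (overflow-safe form)
            || ((hdr.certtype > 0x9) && (hdr.certtype != 0xff)) // unknown certtype
            || (hdr.certtype == 0x0)
            || (pos <= 0x104)) {                               // inside the PE header area
            pos++;
            continue;
        }

        printf("file: %s pos: %#0.8lx (%0.10lu), size: %#0.8x (%0.10u), hdr: 0x%.8x certtype 0x%.2x\n",
               argv[1], pos, pos,
               blockSize, blockSize, hdr.xrpcid, (unsigned int)hdr.certtype);

        const int nameLen = snprintf(outName, nameCap, "%s_xrpc_%x_%u.bin",
                                     baseName, (unsigned int)hdr.certtype, file_number);
        if (nameLen > 0 && (size_t)nameLen < nameCap) {
            FILE* outfile = fopen(outName, "wb");
            if (outfile) {
                if (fwrite(lpBuffer + pos, 1, blockSize, outfile) != blockSize)
                    fprintf(stderr, "short write on %s\n", outName);
                if (fclose(outfile) != 0)
                    fprintf(stderr, "error closing %s\n", outName);
            } else {
                // The original called fclose() on the NULL stream here.
                fprintf(stderr, "cannot create %s\n", outName);
            }
        }
        file_number++;

        // Continue scanning directly behind the extracted block.
        pos += blockSize;
    }

    free(outName);
    free(lpBuffer);
    return 0;
}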
cl.exe /EHsc wrappit.cpp
kompilieren, per dumpbin /exports zieldllname.dll > exports.txt
die Exports der Ziel-DLL dumpen, und dann per wrappit.exe <zieldllname> <exports.txt> __stdcall <proxydllname> <cppname.cpp> <defname.def>
den Code und eine def-Datei generieren.
TV2SecureCore Initialization Diagnostics (0x00000000, Success)
Successful initialization.
Server Authentication is enabled
Low level initialization diagnostics
Sigma XPU Security Core initialized and ready.
Session Key Registers : 8
Boundary Key Registers : 16
Public Key Registers : 6
XtaskLoadImage : \Hard Disk\XTLApp_1.2_XosE0.bin
XtaskUnloadImage : \Hard Disk\XTUApp_1.2_XosE0.bin
[...bootloader blabla..]
Windows CE Kernel for MIPS Built on Mar 29 2005 at 14:00:54
Kiss_Hal_InitBoardConfig()
*** OALPCIInit: USE TLB
+OEMInit: cpu_frequency 297000000
+OEMInit: dram_config e34111ba
+OEMInit: dram_delay 00096455
WARN: OALKitlInit: KITL Disabled
Kiss_Hal_InitWatchDog()
+Mapping DRAM@0x20000000 to 0x0C000000
+Adding DRAM@8e700000 size 00de3000 as extension
+Adding DRAM@917c4000 size 0063c000 as extension
+Adding DRAM@93a00000 size 003bb000 as extension
OEMIoControl: Unsupported Code 0x10100b4 - device 0x0101 func 45
OEMIoControl: Unsupported Code 0x101008c - device 0x0101 func 35
OEMIoControl: Unsupported Code 0x10100cc - device 0x0101 func 51
OEMIoControl: Unsupported Code 0x10100d0 - device 0x0101 func 52
OEMIoControl: Unsupported Code 0x10100f8 - device 0x0101 func 62
Loading library 'iptvhal_300.dll'
CheckDll: NDIS.Dll returns TRUE
CheckDll: CXPORT.dll returns TRUE
CheckDll: NDIS.dll returns TRUE
CheckDll: tcpstk.dll returns TRUE
CheckDll: NDIS.dll returns TRUE
CheckDll: CXPORT.dll returns TRUE
DeviceFolder::LoadDevice!Enumerate Found deprecated load instructions at (Drivers\BuiltIn\AFD). Driver cannot be unloaded.
CheckDll: AFD.Dll returns TRUE
CheckDll: CXPORT.dll returns TRUE
CheckDll: CXPORT.dll returns TRUE
CheckDll: NDIS.dll returns TRUE
CheckDll: tcpstk returns TRUE
*** TV2/Offload-enabled TcpStack ***
CheckDll: afd.dll returns TRUE
CheckDll: CXPORT.dll returns TRUE
CheckDll: tcpstk.dll returns TRUE
CheckDll: tcpstk.dll returns TRUE
CheckDll: tcpstk returns TRUE
CheckDll: TcpStk.dll returns TRUE
[ConfigLBA48] Device supports 48-bit LBA
[ConfigLBA48] Max LBA Address = 0x0000000012a19eb0DeviceFolder::LoadDevice!Enumerate Found deprecated load instructions at (Drivers\BuiltIn\PPP). Driver cannot be unloaded.
CheckDll: tcpstk.dll returns TRUE
CheckDll: NDIS.dll returns TRUE
[TIMESVC DST] Notifying kernel that we are in Standard time. GetTimeZoneInformation currently thinks we are in Standard time.
DwXfer!ReadSettings: Dump Settings CRC or size failure!, Expected CRC=0xC5452B1F, Actual CRC=0x0001E1EC, Expected Size=1068, Actual Size=0
DwXfer!ReadSettings: Using default values for dump settings
DwXfer!FValidateAndCreatePath: Cannot create a root path (\Hard Disk2).
DwXfer!CreateDumpDirectory: FValidateAndCreatePath failed creating dump directory, hRes=0x80070057
DwXfer!TransferRegistrySettings: CreateDumpDirectory failed creating dump directory, hRes=0x80070057
[TIMESVC DST] Set TimeChange Event for 4/6/2003 at 2:00
[TIMESVC DST] Waiting...
GPEFlat: configured screen mode is -1, using internal mode 0
OEMIoControl: Unsupported Code 0x10100fc - device 0x0101 func 63
Loading library 'iptvhal_300.dll'
[BooterCE] Found large (>128GB) disk with at least one large partition -- no reformat needed
Igmp V3, DefaultTOSValue=96
CheckDll: MAC86XX.dll returns TRUE
CheckDll: NDIS.dll returns TRUE
Loading library 'iptvhal_300.dll'
MAX86XX ***Thin version*** started!
[MPInitialize]
Exception 002 Thread=93c2acc8 Proc=33d7086a 'device.exe'
AKY=00000089 PC=03db26e4(ceddk.dll+0x000026e4) RA=9341e67c(mac86xx.dll+0x0004367c) BVA=00000000
Exception 018 Thread=93c2acc8 Proc=33d7086a 'device.exe'
AKY=00000089 PC=03f74f94(coredll.dll+0x00024f94) RA=91e0cc90(NK.EXE+0x0000cc90) BVA=00000000
DwXfer!CreateDumpFile: Creating Dump File=\Hard Disk2\TV2ClientCrashLogs\Ce010103-02\Ce010103-02.kdmp
DwXfer!TransferDumpFile: Dump file transfered to local file system, Size=0x00013500, Name=\Hard Disk2\TV2ClientCrashLogs\Ce010103-02\Ce010103-02.kdmp
DwXfer!TransferDumpFile: Error launching upload client '', Error=0x00000002
Failed to find default network adapter!
Failed to initialize network wizard!
Adapter not present.
Adapter not present.
Adapter not present.
Adapter not present.
Adapter not present.
Adapter not present.
[..usw..]
[HKEY_LOCAL_MACHINE\Drivers\Console]
"OutputTo"=dword:00000001
"COMSpeed"=dword:0001c200
und los geht der Spass.