Thread: Discussion Walkera DEVO Tx Hacking
View Single Post
Old Apr 06, 2012, 08:14 PM
rcH4x0r is offline
Find More Posts by rcH4x0r
Registered User
Joined Jun 2010
125 Posts
Hmmm, SadSack was right...

Here's the bootloader code that starts the application code, a number of checks are made before the code jumps thru the ptr at 0x08000004. Needs more study...

ROM:08002800 StartApplication                        ; CODE XREF: sub_8000138+2j
ROM:08002800                                         ; DATA XREF: sub_8000138o ...
ROM:08002800 var_48          = -0x48
ROM:08002800 var_44          = -0x44
ROM:08002800 var_40          = -0x40
ROM:08002800 var_3C          = -0x3C
ROM:08002800 var_38          = -0x38
ROM:08002800 var_34          = -0x34
ROM:08002800 var_30          = -0x30
ROM:08002800 var_2C          = -0x2C
ROM:08002800 var_28          = -0x28
ROM:08002800 var_24          = -0x24
ROM:08002800 var_20          = -0x20
ROM:08002800 var_1C          = -0x1C
ROM:08002800                 PUSH.W  {R4-R8,LR}
ROM:08002804                 SUB     SP, SP, #0x30
ROM:08002806                 BL      sub_8000674
ROM:0800280A                 BL      sub_8000484
ROM:0800280E                 MOVS    R0, #0
ROM:08002810                 MOVW    R1, #0x2710
ROM:08002814 loc_8002814                             ; CODE XREF: StartApplication+1Aj
ROM:08002814                 ADDS    R0, R0, #1      ; Delay(0x2710)
ROM:08002816                 UXTH    R0, R0
ROM:08002818                 CMP     R0, R1
ROM:0800281A                 BCC     loc_8002814
ROM:0800281C                 BL      sub_80004F8
ROM:08002820                 LDR     R6, =0x20000018
ROM:08002822                 CMP     R0, #0
ROM:08002824                 BEQ     StartDFUMode    ; if(EXT button presed? GPIO Port E) StartDFUMode
ROM:08002826                 LDR.W   R8, =0x8004000
ROM:0800282A                 LDR.W   R0, [R8]
ROM:0800282E                 LDR     R1, =0x2FFE0000
ROM:08002830                 ANDS    R0, R1
ROM:08002832                 CMP.W   R0, #0x20000000
ROM:08002836                 BNE     StartDFUMode    ; if(Invalid SP at 0x08004000) StartDFUMode
ROM:08002838                 LDR     R0, =0x1FFFF7E8
ROM:0800283A                 LDR     R1, [R0]
ROM:0800283C                 STR     R1, [SP,#0x48+var_34]
ROM:0800283E                 LDR     R1, [R0,#4]
ROM:08002840                 MOVS    R5, #8
ROM:08002842                 STR     R1, [SP,#0x48+var_30]
ROM:08002844                 LDR     R0, [R0,#8]
ROM:08002846                 STR     R0, [SP,#0x48+var_2C]
ROM:08002848                 LDR     R0, [SP,#0x48+var_34]
ROM:0800284A                 LDR     R1, [SP,#0x48+var_30]
ROM:0800284C                 ADD     R0, R1
ROM:0800284E                 STR     R0, [SP,#0x48+var_28]
ROM:08002850                 LDR     R0, [SP,#0x48+var_34]
ROM:08002852                 LDR     R1, [SP,#0x48+var_30]
ROM:08002854                 EORS    R0, R1
ROM:08002856                 STR     R0, [SP,#0x48+var_24]
ROM:08002858                 LDR     R0, [SP,#0x48+var_34]
ROM:0800285A                 LDR     R1, [SP,#0x48+var_2C]
ROM:0800285C                 ADD     R0, R1
ROM:0800285E                 STR     R0, [SP,#0x48+var_20]
ROM:08002860                 LDR     R0, [SP,#0x48+var_34]
ROM:08002862                 LDR     R1, [SP,#0x48+var_2C]
ROM:08002864                 EORS    R0, R1
ROM:08002866                 STR     R0, [SP,#0x48+var_1C]
ROM:08002868                 LDR     R1, =0x8005000
ROM:0800286A                 LDR     R0, [R1]
ROM:0800286C                 STR     R0, [SP,#0x48+var_48]
ROM:0800286E                 LDR     R0, [R1,#4]
ROM:08002870                 STR     R0, [SP,#0x48+var_44]
ROM:08002872                 LDR     R2, [R1,#8]
ROM:08002874                 MOVS    R0, #0
ROM:08002876                 STR     R2, [SP,#0x48+var_40]
ROM:08002878                 LDR     R2, [R1,#0xC]
ROM:0800287A                 STR     R2, [SP,#0x48+var_3C]
ROM:0800287C                 LDR     R1, [R1,#0x10]
ROM:0800287E                 STR     R1, [SP,#0x48+var_38] ; CRC @ 0x8005000 + 0x10
ROM:08002880                 ADD     R1, SP, #0x48+var_34
ROM:08002882                 MOV     R2, SP
ROM:08002884 loc_8002884                             ; CODE XREF: StartApplication+98j
ROM:08002884                 ADD.W   R3, R1, R0,LSL#2
ROM:08002888                 LDR     R3, [R3,#0xC]
ROM:0800288A                 LDR.W   R4, [R2,R0,LSL#2]
ROM:0800288E                 CMP     R3, R4
ROM:08002890                 BNE     StartDFUMode
ROM:08002892                 ADDS    R0, R0, #1
ROM:08002894                 UXTH    R0, R0
ROM:08002896                 CMP     R0, #4
ROM:08002898                 BCC     loc_8002884
ROM:0800289A                 MOVS    R7, #0
ROM:0800289C                 MOVS    R1, #1
ROM:0800289E                 MOVS    R0, #0x40
ROM:080028A0                 BL      sub_800184C
ROM:080028A4                 BL      ResetCRC
ROM:080028A8                 MOVS    R4, #0
ROM:080028AA                 B       loc_80028BA
ROM:080028AC ; ---------------------------------------------------------------------------
ROM:080028AC loc_80028AC                             ; CODE XREF: StartApplication+BCj
ROM:080028AC                 MOVS    R1, #7
ROM:080028AE                 ADD     R0, SP, #0x48+var_34
ROM:080028B0                 BL      CalculateCRC    ; R0 - Buffer
ROM:080028B0                                         ; R1 - Number of bytes
ROM:080028B4                 ADDS    R4, R4, #1
ROM:080028B6                 MOV     R7, R0
ROM:080028B8                 UXTH    R4, R4
ROM:080028BA loc_80028BA                             ; CODE XREF: StartApplication+AAj
ROM:080028BA                 CMP     R4, R5
ROM:080028BC                 BCC     loc_80028AC
ROM:080028BE                 LDR     R0, [SP,#0x48+var_38]
ROM:080028C0                 CMP     R0, R7
ROM:080028C2                 BNE     StartDFUMode    ; if(bad CRC) StartDFUMode
ROM:080028C4                 LDR.W   R0, [R8,#4]
ROM:080028C8                 STR     R0, [R6,#8]
ROM:080028CA                 STR     R0, [R6,#4]
ROM:080028CC                 LDR.W   R0, [R8]
ROM:080028D0                 BL      sub_8000156
ROM:080028D4                 LDR     R0, [R6,#4]
ROM:080028D6                 BLX     R0              ; Jump to *0x08004004 - reset vector in application
ROM:080028D8 StartDFUMode                            ; CODE XREF: StartApplication+24j
rcH4x0r is offline Find More Posts by rcH4x0r
Reply With Quote