Quote:

Originally Posted by rcH4x0r

It doesn't quite work like that. You need IDA Pro 6 and then I can give you a dbase file that combined with the correct dfu file will let you examine the dissembly plus my comments so far

If IDA can't do a text dump, the database will do. I found a program which can load it...

http://dl.dropbox.com/u/59258955/ida-6.rar

I don't think it's setup quite right yet, some code seems to be at the wrong addresses. I'm hoping to figure that out with the real HW and ST-LINK. Until then it's hard to to see much benefit in going further.

Some things to note:
-ROM is at 0x08000000
-RAM is at 0x20000000
-Exception vector table is at 0x08000000, initial SP is in RAM (good!) and reset vector points to 0x8004147 (LSB is set == THUMB mode, code starts at 0x8004146)
-There are a few bytes that don't disassemble correctly, it's weird since Cortex M3 is definitely ARMv7m instruction set. Maybe binutils will solve the mystery...

Quote:

Originally Posted by rcH4x0r

http://dl.dropbox.com/u/59258955/ida-6.rar

I don't think it's setup quite right yet, some code seems to be at the wrong addresses. I'm hoping to figure that out with the real HW and ST-LINK. Until then it's hard to to see much benefit in going further.

Some things to note:
-ROM is at 0x08000000
-RAM is at 0x20000000
-Exception vector table is at 0x08000000, initial SP is in RAM (good!) and reset vector points to 0x8004147 (LSB is set == THUMB mode, code starts at 0x8004146)
-There are a few bytes that don't disassemble correctly, it's weird since Cortex M3 is definitely ARMv7m instruction set. Maybe binutils will solve the mystery...

Thanks!

There are some resources in the fw too, so that might cause some problem too...

Not sure if it helps you guys but the devo 7 has a jtag port but no usb. us devo 7 owners are unable to update our devo 7 soetware even though there is an update. Walkera has emailed me telling me that the ub-02 dongle for the update will be available soon.

Can someone use the dvo 7 to hack easier?

Quote:

Originally Posted by rcH4x0r

http://dl.dropbox.com/u/59258955/ida-6.rar

I don't think it's setup quite right yet, some code seems to be at the wrong addresses. I'm hoping to figure that out with the real HW and ST-LINK. Until then it's hard to to see much benefit in going further.

Some things to note:
-ROM is at 0x08000000
-RAM is at 0x20000000
-Exception vector table is at 0x08000000, initial SP is in RAM (good!) and reset vector points to 0x8004147 (LSB is set == THUMB mode, code starts at 0x8004146)
-There are a few bytes that don't disassemble correctly, it's weird since Cortex M3 is definitely ARMv7m instruction set. Maybe binutils will solve the mystery...

for folks trying this themselves from scratch:
the load offset is 0x125 of the dfu file, the processor type is 'ARM'. You can use IDA Standard.
You can't use the freeware version of IDA, as it doesn't support Armv7 as far as I know. you need IDA 5.2 or newer at a minimum. You won't be able to use the idb file supplied by rch4x0r unless you have ida 6.0 or newer, but getting going isn't too hard as long as you have an IDA version that supports Armv7.

Once you've got the dfu loaded, at 8000000 press alt-g , and set 'T' and type '1' into the box to set thumb-mode
convert the first several bytes to quad-words (this is the jump table)
the 2nd one (8000004) should convert to loc_8004147
click there, go back a byte to 4146. press alt-g to make sure it is still in thumb mode, and press 'C'. this is the start of the reset code. You can do this for each entry in the jump table (the last entry is at 0x80000dc)

If you haven't worked with IDA before, I recommend using a tutorial.
Here are the relevant manuals for the STM32F103VCT6 processor:
http://www.st.com/internet/mcu/produ...errer=70032480
Data Sheet: http://www.st.com/internet/com/TECHN...CD00191185.pdf
Reference Manual: http://www.st.com/internet/com/TECHN...CD00171190.pdf
Programming Manual: http://www.st.com/internet/com/TECHN...CD00228163.pdf

Quote:

Originally Posted by mescalinedream

Not sure if it helps you guys but the devo 7 has a jtag port but no usb. us devo 7 owners are unable to update our devo 7 soetware even though there is an update. Walkera has emailed me telling me that the ub-02 dongle for the update will be available soon.

Can someone use the dvo 7 to hack easier?

There's an SWD (Single Wire Debug) on the Devo8 too. My plan is hook up an ST-LINK HW debugger if and when the 8S I ordered arrives. That should make it a lot easier to understand what the code is doing.

I like shiny stuff and the 8 has a nice LCD I want to play with SadSack might get his game of Doom yet....

PhracturedBlue: +1

Quote:

Originally Posted by FDR_

If IDA can't do a text dump, the database will do. I found a program which can load it...

FYI, IDA can do a text dump, but this is only useful once you've actually managed to disassemble most of the code. There is still a bunch of code that rch4x0r hasn't managed to disassemble yet (sorry, I haven't had time to look at it in anything more than a cursory fashion)

even then, IDA is so much more useful compared to a text dump for complex code like this due to all the value-added features.

Quote:

Originally Posted by PhracturedBlue

FYI, IDA can do a text dump, but this is only useful once you've actually managed to disassemble most of the code. There is still a bunch of code that rch4x0r hasn't managed to disassemble yet (sorry, I haven't had time to look at it in anything more than a cursory fashion)

even then, IDA is so much more useful compared to a text dump for complex code like this due to all the value-added features.

Yes, I fully understand, just cannot justify the min $2779 for a starter license with ARM decompile, not to mention the professional with even more options...
For that money Walkera would do a customised Tx for me...

Quote:

Originally Posted by FDR_

Yes, I fully understand, just cannot justify the min $2779 for a starter license with ARM decompile, not to mention the professional with even more options...
For that money Walkera would do a customised Tx for me...

Understood. It is too bad the free version doesn't support arm7.

You might try this:
http://digital.codewaves.com/?p=10
I haven't given it a shot myself but it was built for precisely this purpose

Alternatively, a cross-compiled gnu toolchain can disassemble with objdump, but in my experience it is very fragile, and it takes a lot of patience to get full disassembly out of it (experience was not specifically with ARM, so I have no idea how it works with Thumb code, or the specifics of ArmV7)

Quote:

Originally Posted by PhracturedBlue

Understood. It is too bad the free version doesn't support arm7.

You might try this:
http://digital.codewaves.com/?p=10
I haven't given it a shot myself but it was built for precisely this purpose

Alternatively, a cross-compiled gnu toolchain can disassemble with objdump, but in my experience it is very fragile, and it takes a lot of patience to get full disassembly out of it (experience was not specifically with ARM, so I have no idea how it works with Thumb code, or the specifics of ArmV7)

Rofl I used that program and piped the output to a .asm file and got 4 megs of assembly... hrm

Ok assembly is pretty above me, if it was C I could figure this out :P

I just realized that it makes perfect sense that the Devo 6/8/12 can receive telemetry from short range. The radios can already communicate wirelessly with each other to share model data.

Quote:

Originally Posted by Atomic Skull

I just realized that it makes perfect sense that the Devo 6/8/12 can receive telemetry from short range. The radios can already communicate wirelessly with each other to share model data.

My Devo 6 (10mw version as I live in Japan) with 6s firmware can receive telemetry data at least 50m distance. I would have gone further away, but the mini cp was getting too small to see.

Quote:

Originally Posted by Atomic Skull

I just realized that it makes perfect sense that the Devo 6/8/12 can receive telemetry from short range. The radios can already communicate wirelessly with each other to share model data.

My devo 6 & devo 12 can't share data in either way...send or received

Quote:

Originally Posted by NorCalMatCat

Rofl I used that program and piped the output to a .asm file and got 4 megs of assembly... hrm

I just played with mdisasam, and it does seem to work, though it would take a lot of post-processing to convert it to something useful.

If you want to use it:
take the 1st 0x125 files off the dfu file (that is 293 bytes). I did it using:
dd if="DEVO-8 FWDT v0.6B.dfu" bs=1 skip=293 > DEVO-8-FWDT.bin
now you can disassemble but you can't do the entire file at once. The reason is that there seem to be non-code sections that confuse the byte-parser.

But if you do:
mdisasm -a 0x8000000 -o 0x4146 DEVO-8-FWDT.bin

it will properly disassemble the reset code.
If someone has some minimal coding skills, they could probably use this to make a crude version of what IDA does by following branch pointers and running mdisasm on each section to build the 'full' disassembly.

I'm not sure of the value compared to just waiting for someone to post a disassembled IDA dump, but if you want free, and are willing to do a bit of leg work, this could get you going.

That's about all for me though. However, if it is helpful, here are the subroutine code-locations identified so far:

Code:

sub_8000134          ROM 08000134 00000004 R . . . . . .
sub_8000138          ROM 08000138 00000004 R . . . . . .
sub_8000174          ROM 08000174 0000000A R . . . . . .
sub_8000184          ROM 08000184 00000010 R . . . . . .
sub_8000194          ROM 08000194 0000000E R . . . . . .
sub_80001A2          ROM 080001A2 00000004 R . . . . . .
sub_80001A6          ROM 080001A6 00000004 R . . . . . .
sub_80001BE          ROM 080001BE 00000010 R . . . . . .
sub_80001CE          ROM 080001CE 0000000C R . . . . . .
sub_80001F2          ROM 080001F2 00000010 R . . . . . .
sub_8000212          ROM 08000212 0000001C R . . . . . .
sub_80002B2          ROM 080002B2 0000000E R . . . . . .
sub_80002C6          ROM 080002C6 00000010 R . . . . . .
sub_80002E6          ROM 080002E6 00000072 R . . . . . .
sub_80003E6          ROM 080003E6 00000032 R . . . . . .
sub_8000418          ROM 08000418 00000030 R . . . . . .
sub_8000448          ROM 08000448 00000024 R . . . . . .
sub_80004BC          ROM 080004BC 00000010 R . . . . . .
sub_800058E          ROM 0800058E 0000001E R . . . . . .
sub_8000A86          ROM 08000A86 0000000A R . . . . . .
sub_8000AB0          ROM 08000AB0 00000014 R . . . . . .
sub_8000C20          ROM 08000C20 00000016 R . . . . . .
sub_8000C36          ROM 08000C36 00000014 R . . . . . .
sub_8000C4A          ROM 08000C4A 00000018 R . . . . . .
sub_8000D70          ROM 08000D70 00000010 R . . . . . .
WritePortBitClearReg ROM 08000FFA 00000004 R . . . . . .
sub_8001006          ROM 08001006 0000000C R . . . . . .
Init_something       ROM 080012F4 0000001C R . . . . . .
sub_80016E8          ROM 080016E8 00000014 R . . . . . .
sub_8001F00          ROM 08001F00 00000010 R . . . . . .
sub_8002078          ROM 08002078 00000048 R . . . . . .
sub_80021AC          ROM 080021AC 00000010 R . . . . . .
sub_8002584          ROM 08002584 0000000A R . . . . . .
sub_8002598          ROM 08002598 00000012 R . . . . . .
sub_80027E0          ROM 080027E0 00000012 R . . . . . .
sub_8002AF4          ROM 08002AF4 0000005E R . . . . . .
sub_8002B94          ROM 08002B94 00000010 R . . . . . .
sub_80031CC          ROM 080031CC 00000018 R . . . . . .
sub_800329C          ROM 0800329C 00000018 R . . . . . .
sub_80036DC          ROM 080036DC 00000012 R . . . . . .
sub_8003D58          ROM 08003D58 00000010 R . . . . . .
sub_8003E64          ROM 08003E64 00000010 R . . . . . .
sub_8003F14          ROM 08003F14 00000054 R . . . . . .
sub_8003FF8          ROM 08003FF8 00000010 R . . . . . .
sub_8004418          ROM 08004418 00000014 R . . . . . .
sub_800473C          ROM 0800473C 00000010 R . . . . . .
sub_80047D0          ROM 080047D0 0000020E R . . . . . .
sub_8004E7C          ROM 08004E7C 00000012 R . . . . . .
sub_80051E0          ROM 080051E0 00000010 R . . . . . .
sub_8005340          ROM 08005340 00000012 R . . . . . .
sub_800567C          ROM 0800567C 00000022 R . . . . . .
sub_80056C4          ROM 080056C4 00000014 R . . . . . .
sub_80058A4          ROM 080058A4 00000010 R . . . . . .
sub_800597C          ROM 0800597C 00000022 R . . . . . .
sub_8005A8C          ROM 08005A8C 00000010 R . . . . . .
sub_8005B48          ROM 08005B48 00000030 R . . . . . .
sub_8005DA8          ROM 08005DA8 00000010 R . . . . . .
sub_8006024          ROM 08006024 00000010 R . . . . . .
sub_8006064          ROM 08006064 00000010 R . . . . . .
sub_80060EC          ROM 080060EC 0000005A R . . . . . .
sub_8006264          ROM 08006264 0000003E R . . . . . .
sub_800669C          ROM 0800669C 00000038 R . . . . . .
sub_80067D0          ROM 080067D0 00000010 R . . . . . .
sub_800687C          ROM 0800687C 00000010 R . . . . . .
sub_80069B0          ROM 080069B0 00000014 R . . . . . .
sub_8006B08          ROM 08006B08 00000022 R . . . . . .
sub_8007274          ROM 08007274 00000010 R . . . . . .
sub_8007368          ROM 08007368 00000010 R . . . . . .
sub_80073BC          ROM 080073BC 00000020 R . . . . . .
sub_8007518          ROM 08007518 00000028 R . . . . . .
sub_800771C          ROM 0800771C 00000056 R . . . . . .
sub_80094D8          ROM 080094D8 0000000C R . . . . . .
sub_800C7A8          ROM 0800C7A8 00000004 R . . . . . .
sub_800EC00          ROM 0800EC00 00000036 R . . . . . .
sub_800FAB4          ROM 0800FAB4 0000001A R . . . . . .
sub_8010140          ROM 08010140 00000032 R . . . . . .
sub_8011D58          ROM 08011D58 00000010 R . . . . . .
sub_8011E9C          ROM 08011E9C 00000010 R . . . . . .
sub_8012068          ROM 08012068 00000016 R . . . . . .
sub_8012090          ROM 08012090 00000140 R . . . . . .
sub_801250C          ROM 0801250C 0000000E R . . . . . .
sub_8012520          ROM 08012520 00000010 R . . . . . .
sub_80125FC          ROM 080125FC 0000008A R . . . . . .
sub_8012C0C          ROM 08012C0C 00000086 R . . . . . .
sub_801346C          ROM 0801346C 00000008 R . . . . . .
sub_8013474          ROM 08013474 00000006 R . . . . . .
sub_801347A          ROM 0801347A 00000004 R . . . . . .
WritePortBitSetReg   ROM 0801347E 00000004 R . . . . . .
sub_8013514          ROM 08013514 0000000A R . . . . . .
sub_8014FBC          ROM 08014FBC 00000014 R . . . . . .
sub_8015014          ROM 08015014 0000001A R . . . . . .
sub_8015168          ROM 08015168 00000010 R . . . . . .
sub_8015214          ROM 08015214 00000018 R . . . . . .
sub_80153C8          ROM 080153C8 0000000A R . . . . . .
sub_80153D8          ROM 080153D8 00000006 R . . . . . .
sub_801543A          ROM 0801543A 00000010 R . . . . . .
sub_801544A          ROM 0801544A 00000026 R . . . . . .
sub_801559C          ROM 0801559C 0000002E R . . . . . .
sub_80155D4          ROM 080155D4 0000001C R . . . . . .
sub_8015AD4          ROM 08015AD4 00000014 R . . . . . .
sub_8015B68          ROM 08015B68 00000010 R . . . . . .
sub_8015BF4          ROM 08015BF4 00000010 R . . . . . .
sub_8015D70          ROM 08015D70 00000010 R . . . . . .
sub_80160F4          ROM 080160F4 00000010 R . . . . . .
sub_801611C          ROM 0801611C 0000001A R . . . . . .
sub_80162AC          ROM 080162AC 00000010 R . . . . . .
sub_8016358          ROM 08016358 00000008 R . . . . . .
sub_8016490          ROM 08016490 00000010 R . . . . . .
sub_8017AAC          ROM 08017AAC 00000010 R . . . . . .
sub_8018D88          ROM 08018D88 00000026 R . . . . . .
sub_801DEE0          ROM 0801DEE0 00000266 R . . . . . .
sub_80230C4          ROM 080230C4 00000010 R . . . . . .
sub_802351C          ROM 0802351C 00000010 R . . . . . .
ReadSPIDataReg       ROM 0802384C 00000004 R . . . . . .
sub_80239A0          ROM 080239A0 00000004 R . . . . . .
nullsub_1            ROM 080239A4 00000004 R . . . . . .
sub_80239A8          ROM 080239A8 00000010 R . . . . . .
sub_8024A2C          ROM 08024A2C 00000006 R . . . . . .
sub_8024A32          ROM 08024A32 00000006 R . . . . . .
sub_8024A50          ROM 08024A50 0000001E R . . . . . .
sub_8024CC4          ROM 08024CC4 00000014 R . . . . . .
sub_8024CD8          ROM 08024CD8 00000006 R . . . . . .
sub_8024CEE          ROM 08024CEE 00000004 R . . . . . .
sub_8024CF2          ROM 08024CF2 00000004 R . . . . . .
sub_8024CF6          ROM 08024CF6 00000004 R . . . . . .
sub_8024CFA          ROM 08024CFA 00000006 R . . . . . .
sub_8024E54          ROM 08024E54 00000016 R . . . . . .
sub_8024ED0          ROM 08024ED0 00000008 R . . . . . .
sub_8025588          ROM 08025588 00000004 R . . . . . .
sub_8025768          ROM 08025768 000006EA . . . . . . .
sub_8025E90          ROM 08025E90 00000010 . . . . . . .
sub_8025ECC          ROM 08025ECC 0000004C R . . . B . .