Apr 06, 2012, 07:50 AM
Quote:
Originally Posted by rcH4x0r
Y, but you still need to get R4 off the stack or it's going to be out of sync once the function returns
R4 is never getting put on the stack in my code. Its current value is going to be the original starting address. They copy R4->R0 and run CopyModelData. CopyModelData preserves R4-R8 and LR, does its thing, then restores the registers at the end. That is what I'm doing, I think. At the end of my routine, R4 should contain the starting address of the model data.

However, my code doesn't seem to work. Assuming that a shutdown saves the model data, then something is wrong, because it says 'Saving...' and shuts down normally, but the config is unchanged.

And congrats on having your DEVO!

Edit: I also tried renaming and copying models, but while those functions work, they didn't write the ROM to SPIFlash.
PhracturedBlue
Last edited by PhracturedBlue; Apr 06, 2012 at 07:56 AM.
Apr 06, 2012, 07:56 AM
It's not your code that's pushing the value onto the stack, it's something above us in the call stack. It doesn't matter if you touch R4 or not; when you pop a value off the stack the stack pointer moves. If you don't pop both registers off the stack when your code returns, the stack pointer will be wrong and other, later code will crash/misbehave.

It's an 8S. Gonna rip it apart, photograph it and reverse the HW. Fun.
rcH4x0r
Apr 06, 2012, 08:01 AM
Quote:
Originally Posted by PhracturedBlue
However, my code doesn't seem to work. Assuming that a shutdown saves the model data, then something is wrong, because it says 'Saving...' and shuts down normally, but the config is unchanged.
Maybe a model reset? There is a string "MODEL%2d".....
rcH4x0r
Last edited by rcH4x0r; Apr 06, 2012 at 08:10 AM. Reason: My bad, it's the reset code!
Apr 06, 2012, 08:13 AM
Quote:
Originally Posted by rcH4x0r
Maybe a model reset? There is a string "MODEL %d".....
I'll try. I noticed my code had an end addr of 0x80000800, which is a bit too big. Had the code ever executed, I would have had a major buffer overflow and crash, so I'm sure I haven't triggered it yet. Lucky I caught it 1st.
I see the 'POP {R4, PC}' but I don't see how it can work, as we pushed 5 registers onto the stack and only took 2 off. I must be missing something
PhracturedBlue
Apr 06, 2012, 08:19 AM
You don't have to pop the same number of registers as you push, compilers do a lot of work in the background.

Here's a better analysis of the calling code (I'm 100% sure it's the model reset code):

Code:
ROM:08027E4E MOV R4, R0
ROM:08027E50 MOV R5, R1
ROM:08027E52 LDR R0, =0x38305644 ; "DV08"
ROM:08027E54 STR R0, [R4]
ROM:08027E56 MOVS R1, #9
ROM:08027E58 ADDS R0, R4, #4 ; R0, ="MODEL%2d",0
ROM:08027E5A BL loc_80041B6 ; sprintf? Can we find the parameter?
ROM:08027E5E ; ---------------------------------------------------------------------------
ROM:08027E5E ADDS R2, R5, #1
ROM:08027E60 ADD R1, SP, #0x28
ROM:08027E62 ADDS R0, R4, #4
ROM:08027E64 BL loc_802959C
ROM:08027E68 ; ---------------------------------------------------------------------------
ROM:08027E68 MOVS R0, #0
ROM:08027E6A STRB R0, [R4,#0xD]
ROM:08027E6C MOV R0, R4
ROM:08027E6E BL ResetModelData ; R0 - Buffer
ROM:08027E72 MOVS R0, #0
ROM:08027E74 STRB.W R0, [R12,#0x38F]
ROM:08027E78 STR.W R0, [R12,#0x390] ; Zero out CRC
ROM:08027E7C MOV R0, R4
ROM:08027E7E BL WriteModelData_Maybe ; R0 Buffer
ROM:08027E82 ; ---------------------------------------------------------------------------
ROM:08027E82 STR.W R0, [R12,#0x394]
ROM:08027E86 STMIA R5, {R4-R6}
ROM:08027E86 ; ---------------------------------------------------------------------------
ROM:08027E88 dword_8027E88 DCD 0x38305644 ; DATA XREF: ROM:08027E52r
ROM:08027E88 ; TX Model Type
ROM:08027E8C aModel2d DCB "MODEL%2d",0


If we can find the param to the sprintf we have the index we need to dump all the chunks....
rcH4x0r
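The stack-pointer point rcH4x0r makes above (and the "you don't have to pop the same number of registers as you push" remark) is easy to see with a toy model of Thumb PUSH/POP. The block below is an added example, mine rather than code from the thread or the DEVO firmware; the saved register contents, the return address 0x08001235, the initial SP 0x20000400 and the ("pop", regs)/("add_sp", n) step notation are all constructed for the demonstration.

```python
# Added example (mine, not code from the thread or the DEVO firmware): a toy
# model of Thumb PUSH/POP to show why an epilogue must leave SP where the
# prologue found it. Register contents, return address and initial SP are
# constructed values.
WORD = 4


class Stack:
    """Full-descending stack as PUSH/POP use it: PUSH lowers SP by 4 per
    register and stores the lowest-numbered register at the lowest address."""

    def __init__(self, sp=0x20000400):      # constructed initial SP
        self.sp = sp
        self.mem = {}                        # address -> 32-bit word

    def push(self, regs, values):
        self.sp -= WORD * len(regs)
        for i, reg in enumerate(regs):
            self.mem[self.sp + WORD * i] = values[reg]

    def pop(self, regs):
        """POP {regs}: read from SP upwards, then raise SP. Popping into PC
        means 'return to whatever word happens to be in that slot'."""
        loaded = {}
        for i, reg in enumerate(regs):
            loaded[reg] = self.mem.get(self.sp + WORD * i, 0xDEADBEEF)
        self.sp += WORD * len(regs)
        return loaded

    def add_sp(self, n):                     # ADD SP, SP, #n
        self.sp += n


# Constructed caller state: callee-saved registers plus the return address.
SAVED = {"R4": 0x44, "R5": 0x55, "R6": 0x66, "R7": 0x77, "R8": 0x88,
         "LR": 0x08001235}


def run_epilogue(epilogue):
    """Execute PUSH.W {R4-R8,LR} followed by `epilogue`, a list of
    ("pop", [regs]) / ("add_sp", n) steps. Returns (sp_delta, pc, r4):
    how far SP ends up from its entry value, where execution resumes,
    and what R4 holds afterwards."""
    stack = Stack()
    sp_on_entry = stack.sp
    stack.push(["R4", "R5", "R6", "R7", "R8", "LR"], SAVED)
    regs = {}
    for op, arg in epilogue:
        if op == "pop":
            regs.update(stack.pop(arg))
        elif op == "add_sp":
            stack.add_sp(arg)
        else:
            raise ValueError(f"unknown epilogue step {op!r}")
    return stack.sp - sp_on_entry, regs.get("PC"), regs.get("R4")


# Mirrors the prologue: SP back to entry, PC = saved LR, R4 restored.
MATCHING = [("pop", ["R4", "R5", "R6", "R7", "R8", "PC"])]

# POP {R4, PC} straight after the 6-register push: SP is left 16 bytes low
# and PC is loaded from the slot holding the saved R5, i.e. a jump to 0x55.
SHORT_POP = [("pop", ["R4", "PC"])]

# Popping fewer registers than were pushed is fine for SP as long as the
# unused slots are discarded first (ADD SP). This variant shows the other
# half of the rule: R4 is reloaded from the saved-R8 slot, so the POP's
# register list still has to line up with the slots it reads.
ADJUST_THEN_POP = [("add_sp", 16), ("pop", ["R4", "PC"])]

if __name__ == "__main__":
    for name, epi in [("matching", MATCHING), ("short pop", SHORT_POP),
                      ("adjust then pop", ADJUST_THEN_POP)]:
        sp_delta, pc, r4 = run_epilogue(epi)
        print(f"{name:16s} sp_delta={sp_delta:+d} pc={pc:#010x} r4={r4:#x}")
```

The second case is the "stack corruption" outcome: the return lands at 0x55, which on a real Cortex-M is a fault rather than a quiet misbehaviour. The third is why a disassembly can legitimately show a shorter POP than PUSH, provided an SP adjustment sits between them.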
Apr 06, 2012, 08:29 AM
Well, I think I'm close. I was able to store this in the 1st 4 bytes of the model:
Code:
0004 0020
looks like the SP initialization that I'd expect at 0x08000000
The rest of the data doesn't seem to have been captured though.
You were right that 'reset' seems to be the key. I didn't add the 'pop' you suggested, and it didn't go off into lala land, so I don't think it is needed (stack corruption is usually violent)...then again the code doesn't actually work as I expected either.
PhracturedBlue
Apr 06, 2012, 08:40 AM
Hey, cool! That's the initial stack pointer alright!

Stack corruption is a subtle & unpleasant bug that can trigger seemingly at random. I don't want to get bogged down in that argument tho, we're here to hack the Tx after all

I think I'm close to finding the model slot index. I have also noticed that the code is loading each model slot in turn and checking for the magic DV08. If the magic is missing, the reset code is called. We could probably use this to our advantage and make it very easy to dump the whole bootloader in one go.

Congrats again, great progress
rcH4x0r
Apr 06, 2012, 08:44 AM
Quote:
Originally Posted by PhracturedBlue
Here is the replacement code I came up with for CopyModelData:
Code:
Copy_Model_Data:
   LDR    R1, =startaddr
   LDR    R2, =endaddr
Loop:
   LDR    R3, [R1]
   STR    R3, [R0]
   ADD    R1, R1, #4
   ADD    R0, R0, #4
   CMP    R1, R2
   BNE    Loop
   MOV    PC, LR

.equ startaddr, 0x08000000
.equ endaddr,   0x08000800
Is this the latest?
rcH4x0r
Apr 06, 2012, 08:48 AM
Quote:
Originally Posted by rcH4x0r
Is this the latest?
yep
R0 has the store addr
R1 is the addr to read
R2 is the end addr

I still don't see why it doesn't work as expected though
PhracturedBlue
Apr 06, 2012, 09:17 AM
Can you try corrupting all 12 models and then upload to flash? Maybe fill it with 0s or FF? That should trigger a reset on each slot and might give us some clues - how many slots complete, what is actually being written.

Q's:
-Have you disassembled the hacked file to make sure it's correct?
-Have you removed the PUSH.W {R4-R8,LR}?
rcH4x0r
Apr 06, 2012, 09:30 AM
Quote:
Originally Posted by rcH4x0r
Can you try corrupting all 12 models and then upload to flash? Maybe fill it with 0s or FF? That should trigger a reset on each slot and might give us some clues - how many slots complete, what is actually being written.

Q's:
-Have you disassembled the hacked file to make sure it's correct?
-Have you removed the PUSH.W {R4-R8,LR}?
I am out of time, as I now need to go to work. But I realized we already have the index. It is in the model name.

So we can do:
load_addr = ((ptr[10] - '1') << 12) + 0x08000000

That should let us load 4k into each of the 1st 4 models (assuming ptr starts with 'DV08MODEL##').


I loaded the code I specified at the beginning of CopyModelData, so yes I removed the PUSH

EDIT: And yes, I disassembled it to make sure it was the same as what it should be. I have to manually slice the code, so I wanted to be careful to verify it.
PhracturedBlue
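The two pieces PhracturedBlue has posted so far, the replacement Copy_Model_Data loop and the load_addr formula, fit together as below. This is an added example, mine rather than code from the thread or the DEVO firmware: the flash image and slot buffer are constructed, and MODEL_SLOT_SIZE, CHUNK_LEN, HEADER_PREFIX and the helper names are my assumptions. It goes slightly beyond the post by rejecting renamed slots and MODEL10..12 (where ptr[10] is '0', '1' or '2'), and by catching an end address like the 0x80000800 slip before the copy runs off the buffer.

```python
# Added example (mine, not the thread's code or DEVO firmware). Models the
# patched Copy_Model_Data loop and the load_addr formula from the posts above.
FLASH_BASE = 0x08000000
MODEL_SLOT_SIZE = 0x1000        # assumption: 4 KB per slot, implied by "<< 12"
CHUNK_LEN = 0x800               # startaddr..endaddr in the patched loop (2 KB)
HEADER_PREFIX = b"DV08MODEL"    # reset code writes "DV08" then sprintf("MODEL%2d")


def slot_load_addr(header: bytes):
    """load_addr = ((ptr[10] - '1') << 12) + 0x08000000, as in the post, with
    the conditions the formula relies on made explicit.

    Returns None when the slot cannot be mapped: the name is no longer the
    reset-code default (the user renamed it), or it is MODEL10..MODEL12, whose
    ptr[10] is '0'/'1'/'2' and would alias slots 1-3 or give a negative index.
    """
    if len(header) < 11 or not header.startswith(HEADER_PREFIX):
        return None
    # "MODEL%2d" right-justifies: "MODEL 1".."MODEL 9", then "MODEL10".."MODEL12".
    if header[9] != ord(" "):
        return None
    digit = header[10]
    if not ord("1") <= digit <= ord("9"):
        return None
    return ((digit - ord("1")) << 12) + FLASH_BASE


def copy_model_data(flash: bytes, start: int, end: int, slot: bytearray) -> int:
    """Python rendering of the loop: LDR a word at R1, STR it at R0, step both
    by 4 until R1 == R2. Returns the number of bytes copied.

    The assembly has no bounds check at all; an endaddr slip like 0x80000800
    would run it far past the slot. The checks below are what a fix enforces."""
    if start % 4 or end % 4 or end <= start:
        raise ValueError("start/end must be word aligned with end > start")
    length = end - start
    if length > len(slot):
        raise ValueError(f"{length:#x} bytes would overflow the {len(slot):#x}-byte slot")
    off = start - FLASH_BASE
    if off < 0 or off + length > len(flash):
        raise ValueError("range lies outside the flash image")
    for i in range(0, length, 4):
        slot[i:i + 4] = flash[off + i:off + i + 4]
    return length


def build_demo_flash(size: int = 0x10000) -> bytes:
    """Constructed stand-in for the STM32 flash. Word 0 is the initial stack
    pointer 0x20000400, stored little-endian as 00 04 00 20 (the '0004 0020'
    seen earlier in the thread); the rest is a counting pattern so offsets
    are easy to recognise in a dump."""
    img = bytearray(i & 0xFF for i in range(size))
    img[0:4] = (0x20000400).to_bytes(4, "little")
    return bytes(img)


def dump_slot(flash: bytes, header: bytes):
    """What one freshly reset slot holds after the patched copy: CHUNK_LEN
    bytes of flash from that slot's load address, or None if the header does
    not map to a slot."""
    addr = slot_load_addr(header)
    if addr is None:
        return None
    slot = bytearray(MODEL_SLOT_SIZE)
    n = copy_model_data(flash, addr, addr + CHUNK_LEN, slot)
    return bytes(slot[:n])


if __name__ == "__main__":
    flash = build_demo_flash()
    for name in (b"DV08MODEL 1", b"DV08MODEL 4", b"DV08MODEL10", b"DV08My heli"):
        addr = slot_load_addr(name)
        data = dump_slot(flash, name)
        print(name.decode(), "->", f"{addr:#010x}" if addr else "not mapped",
              data[:4].hex() if data else "")
```

The header checks are the part worth keeping in mind when reading the later replies: the formula only works because the reset code has just rewritten the name, which is exactly the objection FDR_ raises and PhracturedBlue answers below.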
Apr 06, 2012, 09:35 AM
Quote:
Originally Posted by PhracturedBlue
I am out of time, as I now need to go to work. But I realized we already have the index. It is in the model name.

So we can do:
load_addr = ((ptr[10] - '1') << 12) + 0x08000000

That should let us load 4k into each of the 1st 4 models (assuming ptr starts with 'DV08MODEL##').


I loaded the code I specified at the beginning of CopyModelData, so yes I removed the PUSH

EDIT: And yes, I disassembled it to make sure it was the same as what it should be. I have to manually slice the code, so I wanted to be careful to verify it.
No, just the 'DV08' part is fixed, then begins the model name, which you can change, so it might not be in the 'MODELxx' format...
FDR_
Apr 06, 2012, 09:36 AM
Quote:
Originally Posted by FDR_
No, just the 'DV08' part is fixed, then begins the model name, which you can change, so it might not be in the 'MODELxx' format...
But we're using the reset code, so we know it has been initialized to MODEL## before we fill in the data
PhracturedBlue
Apr 06, 2012, 09:38 AM
Quote:
Originally Posted by PhracturedBlue
But we're using the reset code, so we know it has been initialized to MODEL## before we fill in the data
My bad, then yes of course...

Edit: It's quite hard even to follow you guys!
FDR_
Apr 06, 2012, 09:47 AM
Quote:
Originally Posted by PhracturedBlue
Well, I think I'm close. I was able to store this in the 1st 4 bytes of the model:
Code:
0004 0020
looks like the SP initialization that I'd expect at 0x08000000
The rest of the data doesn't seem to have been captured though.
You were right that 'reset' seems to be the key. I didn't add the 'pop' you suggested, and it didn't go off into lala land, so I don't think it is needed (stack corruption is usually violent)...then again the code doesn't actually work as I expected either.
Actually I'm quite surprised to see the same 4 bytes at 0x08000000 that are at the beginning of the fw at 0x08004000! Why is that?
FDR_