TAP and patch development ~ Original firmware

Page 2 of 2
sunstealer (Forum moderator; joined 31 Mar 2005; 325 posts)
Posted: Sat Aug 27, 2005 12:02 am
Rowan,

I wasn't aware that Darkmatter had written a memory dump TAP and I can't find it in the TAPs section of the site. Assuming he would have no objections, could you email it to me - I would like to compare it with mine to see what he did differently?

Thanks.

PS - I should have a dump of the original firmware somewhere in one of the memory dump files I took soon after the Toppy was released. If I find it, I will let you know.

PPS - Simon - when you say that you "commented out" a call in the firmware, does that mean that you were successful in recompiling a disassembled version of the firmware? Or did you do as I would do and drop a NOP hexcode into the firmware file? I never had any luck trying to get a recompiled firmware to run on the Toppy - it always crashed. I have always used IDA Pro for disassembly though, not disasmips.


Last edited by sunstealer on Sat Aug 27, 2005 12:06 am; edited 1 time in total
simonc (Frequent contributor; joined 12 Apr 2005; 5639 posts; Cheltenham)
Posted: Sat Aug 27, 2005 12:06 am
I'm out of action on this for the weekend, guests, family, social life for once!
The approach I'd take is to avoid complete memory diffs; there are going to be too many other things going on at the same time, even for a Toppy on channel 704. The diff needs to be done on the code areas rather than the data. The hook into this is to get the call stack - find the address that the processor returns to after each function exits, starting with the return address for a TAP's TAP_EventHandler method. Once you have this you can look at what's going on, possibly ask a nice TF5000 owner to do the same, and compare the firmware code to try and dig out the mapping function.
simonc (Frequent contributor; joined 12 Apr 2005; 5639 posts; Cheltenham)
Posted: Sat Aug 27, 2005 12:25 am
Reply to edit

Ah, worked out who you are now. It's just a bunch of NOPs inserted at TAP startup rather than a recompile, and any memory dump prior to 11th May will do just fine.

[edit 2]
TAP_SystemProc has been suggested as another way into the problem by peteru. Much easier.
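Both "drop a NOP hexcode into the firmware file" and "a bunch of NOPs inserted at TAP startup" come down to the same operation: overwrite the call instruction with a MIPS nop (the all-zero word). The following is an added example, not code from either poster or from any TAP on the site. It assumes a big-endian MIPS image (the thread names disasmips and IDA but not the byte order), a hypothetical load address of 0x80000000, and a constructed seven-instruction function as the image; the practitioner's point is to verify that the word at the offset really is a `jal` to the function you mean before writing over it, so a wrong offset or a different firmware build fails loudly rather than silently corrupting code.

```python
"""Find and nop-out a MIPS 'jal' in a raw firmware image or RAM dump (added example)."""
import struct

MIPS_NOP = 0x00000000          # 'nop' is the all-zero encoding of sll $zero,$zero,0
OP_J, OP_JAL = 0x02, 0x03      # J-type opcodes (top 6 bits of the word)


def jump_target(word, pc):
    """Absolute target of a j/jal encoded as `word` at address `pc`, else None."""
    if (word >> 26) not in (OP_J, OP_JAL):
        return None
    # J-type: the 26-bit index is shifted left 2 and joined with the top 4 bits
    # of the address of the following instruction (the branch delay slot).
    return ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)


def find_calls_to(image, load_base, target, big_endian=True):
    """Offsets within `image` of every jal whose target is `target`."""
    fmt = ">I" if big_endian else "<I"
    hits = []
    for off in range(0, len(image) - 3, 4):
        word = struct.unpack_from(fmt, image, off)[0]
        if (word >> 26) == OP_JAL and jump_target(word, load_base + off) == target:
            hits.append(off)
    return hits


def nop_out_call(image, offset, load_base, expect_target, big_endian=True):
    """Return a copy of `image` with the jal at `offset` replaced by nop.

    Refuses to touch anything that is not a jal to `expect_target`.
    """
    fmt = ">I" if big_endian else "<I"
    if offset % 4 or offset + 4 > len(image):
        raise ValueError("offset 0x%x is not a word-aligned position inside the image" % offset)
    word = struct.unpack_from(fmt, image, offset)[0]
    if (word >> 26) != OP_JAL:
        raise ValueError("0x%08x at offset 0x%x is not a jal" % (word, offset))
    target = jump_target(word, load_base + offset)
    if target != expect_target:
        raise ValueError("jal at offset 0x%x goes to 0x%08x, expected 0x%08x"
                         % (offset, target, expect_target))
    patched = bytearray(image)
    struct.pack_into(fmt, patched, offset, MIPS_NOP)
    return bytes(patched)


# Constructed sample (not real Toppy firmware): a small function with one call,
# as it would sit at the hypothetical load address 0x80000000.
LOAD_BASE = 0x80000000
CALLEE = 0x80001000
SAMPLE_IMAGE = b"".join(struct.pack(">I", w) for w in (
    0x27BDFFE8,   # addiu $sp,$sp,-24
    0xAFBF0014,   # sw    $ra,20($sp)
    0x0C000400,   # jal   0x80001000   <- the call to "comment out"
    0x00000000,   # nop                (branch delay slot)
    0x8FBF0014,   # lw    $ra,20($sp)
    0x03E00008,   # jr    $ra
    0x27BD0018,   # addiu $sp,$sp,24   (delay slot)
))

if __name__ == "__main__":
    for off in find_calls_to(SAMPLE_IMAGE, LOAD_BASE, CALLEE):
        print("jal to 0x%08x at offset 0x%x" % (CALLEE, off))
        patched = nop_out_call(SAMPLE_IMAGE, off, LOAD_BASE, CALLEE)
        print("patched word: 0x%08x" % struct.unpack_from(">I", patched, off)[0])
```

Two caveats carry over to the real thing. The instruction in the delay slot after the `jal` still executes whether or not the call is made, which is harmless when it only sets up an argument register but worth reading before you patch. And the callee's return value in `$v0` is no longer produced, so check what the caller does with `$v0` afterwards; a crash on the Toppy after a NOP patch is as likely to come from that as from the patch itself. Work on a copy of the image and keep the original to diff against.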
sunstealer (Forum moderator; joined 31 Mar 2005; 325 posts)
Posted: Sat Aug 27, 2005 12:43 am
Oh well,

That is what I would have done too. I hoped for a moment that you'd got the holy grail - an assembly source code that recompiles successfully would make reverse engineering / adapting the firmware a whole lot easier.

I will try and find a dump file from back then - if I do, I will send it to you.

By the way - when I wrote the AutoDST TAP, I found the 2 bytes that were involved in the date setting by adjusting the value up and down several times and taking a series of whole memory dumps. I then used a trick from my signal processing armoury (coherent averaging). If you imagine the code dump is like a sampled signal with a lot of noise but in each case there is a consistent underlying pattern, then averaging together reduces the noise and reveals the underlying "pattern". You can use this sort of approach to track down bits of memory if you can predict how the same area of memory will change between dumps. I just set the date up and down between dumps and then looked for values that went up or down as predicted from previous values. For the first 2 dumps, I made no change in the menu, to exclude any areas that were changing for other reasons; then, after (I think) averaging 4 dumps, I had found the right address. I took this approach as I had no idea how the dates were stored (how many bytes) or in what form - all I knew for sure was that the values would increase or decrease with a change in the menu.
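The search sunstealer describes above, read as a predicted-direction filter over a series of whole-memory dumps, as an added example that is not part of the original post or of the AutoDST TAP. It keeps only the offsets whose value was unchanged between the first two dumps (taken with nothing altered in the menu) and then rose, rose and fell exactly as the date was moved; because the storage width and byte order were unknown, it tries 8-, 16- and 32-bit interpretations in both orders. The dumps themselves are constructed here (512 bytes of filler, 40 bytes that change on every dump, a counter that advances on every dump, and a planted 16-bit date field); the offsets, widths and the "date" values are assumptions for the sake of the example.

```python
"""Differential search over a series of memory dumps (added example)."""
import random
import struct


def sign(delta):
    """-1, 0 or +1 according to the sign of delta."""
    return (delta > 0) - (delta < 0)


def find_candidates(dumps, predictions, width=1, big_endian=True):
    """Offsets whose `width`-byte value moved exactly as predicted between
    every pair of consecutive dumps.

    predictions[i] is the expected sign of change from dumps[i] to dumps[i+1]:
    0 when nothing was touched in the menu, +1 when the value was raised, -1
    when lowered. A pair with prediction 0 is what throws out clocks, counters
    and buffers that change on their own.
    """
    if len(dumps) != len(predictions) + 1:
        raise ValueError("need exactly one prediction per pair of consecutive dumps")
    size = len(dumps[0])
    if any(len(d) != size for d in dumps):
        raise ValueError("all dumps must cover the same range")
    fmt = (">" if big_endian else "<") + {1: "B", 2: "H", 4: "I"}[width]
    hits = []
    for off in range(0, size - width + 1):
        vals = [struct.unpack_from(fmt, d, off)[0] for d in dumps]
        if all(sign(b - a) == p for a, b, p in zip(vals, vals[1:], predictions)):
            hits.append(off)
    return hits


def scan_all(dumps, predictions):
    """Try 8-, 16- and 32-bit, both byte orders, since the storage format is unknown."""
    results = {}
    for width in (1, 2, 4):
        for big_endian in ((True,) if width == 1 else (True, False)):
            hits = find_candidates(dumps, predictions, width, big_endian)
            if hits:
                results[(width, "BE" if big_endian else "LE")] = hits
    return results


def make_dumps(seed=1):
    """Constructed dumps, not real Toppy memory: filler, a 32-bit counter that
    advances on every dump, 40 bytes that change randomly on every dump, and a
    16-bit big-endian "date" (offset 0x1A0, an assumption) moved through the
    menu as: untouched, up, up, down."""
    rng = random.Random(seed)
    size, date_off, tick_off = 512, 0x1A0, 0x080
    untouched = set(range(date_off - 4, date_off + 6)) | set(range(tick_off, tick_off + 4))
    noisy = rng.sample([o for o in range(size) if o not in untouched], 40)
    cur = bytearray(rng.getrandbits(8) for _ in range(size))
    dumps = []
    for i, date in enumerate((200, 200, 201, 202, 201)):
        for off in noisy:
            cur[off] ^= rng.randrange(1, 256)   # guaranteed to differ from the last dump
        struct.pack_into(">I", cur, tick_off, 1000 + 37 * i)
        struct.pack_into(">H", cur, date_off, date)
        dumps.append(bytes(cur))
    return dumps, date_off, tick_off


PREDICTIONS = [0, +1, +1, -1]   # untouched, up, up, down

if __name__ == "__main__":
    dumps, date_off, tick_off = make_dumps()
    print("date field planted at 0x%x, counter at 0x%x" % (date_off, tick_off))
    for (width, order), hits in sorted(scan_all(dumps, PREDICTIONS).items()):
        print("%d-byte %s: %s" % (width, order, ["0x%x" % h for h in hits]))
    # If you only ever move the value upwards, a free-running counter survives.
    print("counter survives an up-only series:",
          tick_off in find_candidates(dumps[1:4], [+1, +1], width=4))
```

The multi-byte scans report a small cluster of offsets around the planted field rather than one address, because any window that contains the changing low byte moves in the predicted direction; the width-1 result pins the byte, and which interpretation is right is then settled by reading the value. The last line of the example shows why the untouched pair and the downward step both matter: with an up-only series the counter passes every check.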
simonc (Frequent contributor; joined 12 Apr 2005; 5639 posts; Cheltenham)
Posted: Sat Aug 27, 2005 12:15 pm
Ahem, sorry, looks like it was you.

Memdump original is here http://www.toppy.org.uk/downloads/1-memdump.zip

I've adapted it a little to wait 30 seconds. Source code here http://simonc.sitesled.com/memdump.c
sunstealer (Forum moderator; joined 31 Mar 2005; 325 posts)
Posted: Sat Aug 27, 2005 12:50 pm
That's fine - that link is to my memdump TAP. It was Rowan who mentioned another one by Darkmatter, which piqued my curiosity as I didn't know he'd made one and was curious to see what he had done. I am happy to be mixed up with Darkmatter as long as he is!

Out of curiosity - have you any evidence that waiting 30 secs is beneficial?

Cheers
ROWANMOOR (Frequent contributor; joined 31 Mar 2005; 741 posts; Redhill, Surrey)
Posted: Sat Aug 27, 2005 6:57 pm
A quick look at the code shows it was yours and not Darkmatter's. How these rumours propagate...

I'm unlikely to get much of a chance to look at it over the weekend, but I shall be looking into the TAP_SystemProc suggestion when I get a chance.

_________________
Cheers,
Rowan.


Toppy: TF5800pvrt Remote: Harmony 885
F/W: MS6 Recommended F/W 12/9/2009 -EpVr+CbCfCtDDsEgEmEvEzFpFsHsIMPePfPsScUUaUuUyVbVcVdWfZ
TAPs: SecCache (UK) v0.4; EIT Sub (Game) v0.6; EPG2MEI v0.96; TAP Commander 1.34; Font Manager 1.0d; Extend v1.7; MHEG Control B2.1; QuickJump 1.72; MyStuff 6.4; TF5000 Display v1.53; MyInfo B5.5;
Sig generated by MyInfo on 8/7/11
sunstealer (Forum moderator; joined 31 Mar 2005; 325 posts)
Posted: Sun Aug 28, 2005 2:12 am
No worries Rowan,

It's hardly an opus! I was just worried I had ballsed something up and Darkmatter had done a proper job!

Cheers
ROWANMOOR (Frequent contributor; joined 31 Mar 2005; 741 posts; Redhill, Surrey)
Posted: Tue Aug 30, 2005 1:02 pm
To update you with where things are at. DeadBeef has managed to find a way to get a TAP to distinguish between the arrow keys and Vol/Ch/+/-. It also returns the IR Command used for the non-standard commands you can send from Programmable remotes.

However, it is still at the experimental stage. We are discussing it on the Australian forums...

All times are GMT + 1 Hour