Rockbox Development > New Ports

SanDisk Sansa c200v2, m200v4, clipv1, clipv2, clip+, and fuzev2


funman:

--- Quote from: tobi-lu on August 01, 2008, 04:52:21 AM ---I've been experimenting quite a lot now... My result is that it's NOT possible to access anything outside the firmware block using this method. The very last thing I can access is the 00 00 00 00 at 0x1DE18, which is right at the beginning of the first library.
I think the library starts exactly at 0x1de1c, and not at 0x1de00 as calculated by 0x400 + 0x200 * firmware_size_multiplier.

--- End quote ---

Maybe it is possible on the CLIP and not on other models, I will test again this evening to be sure I didn't misinterpret the results.

I don't understand well what you mean: from 0x1de00 to 0x1de18 (well - 0x400) you can see:
0x38220100 0x00000d30 0x70220e30 .. etc ?

tobi-lu:

--- Quote from: funman on August 01, 2008, 09:33:12 AM ---I don't understand well what you mean: from 0x1de00 to 0x1de18 (well - 0x400) you can see:
0x38220100 0x00000d30 0x70220e30 .. etc ?

--- End quote ---
I came to the conclusion that 0x1de1b still belongs to the firmware, because when I used the 00 00 00 00 as magicval and 0x1de18 - 0x400 = 0x1da18 as magicoff, I didn't have to wait 5sec. When I used the next word, I had to wait, so it couldn't be accessed.

But I could be wrong here...

atomikpunk:
Hi,

great job guys :)

Maybe it would be wise that everyone share which firmware version they're working on so to be clear...

Tobi-lu, did you try to read those just before 0x1de18? Something like 0x1de14?

funman:
Tobi that value could also be 0x00000000 for other reasons
Try checking 3 or more consecutive values to be sure

I am using only the CLIP 01.01.29 firmware for now, I pasted the link to download it on anythingbutipod.

EDIT:
I tried again reading past the firmware block and my tests failed, I tried with the .S file I posted here so I think I was very tired and imagined that the test had succeeded :/

NEWS:
atomic_punk has likely found the function for scanning keypad:
The function is at 0x32B4 (+0x400) on the m200 firmware of atomik_punk
A very similar function is at 0x35CC (+0x400) on my clip firmware

Unfortunately we couldn't find one on the e200 firmware of daniel_at, this is sad because he has the ability to recover from bricked state ;)

See you soon for updates ;)

EDIT2:
As discussed with the hackers, it would be wise to execute our code after some stuff has been initialized.

EDIT3: /!\ DO NOT USE /!\ I HAVE BRICKED MY CLIP /!\

The firmware works this way currently:
0x0 LDR PC, somewhere
0xsomewhere LDR PC, do_stuff
0xdo_stuff
....
0xOFFSET1 BL main


The current mkamsboot.c will replace the code at 0x0 by LDR PC, OUR_CODE, and make the last instruction of OUR_CODE be LDR PC, somewhere, so it branches back to the OF.

I modified mkamsboot.c to do this:
at OFFSET1 it becomes LDR PC, OUR_CODE
and the last instruction of OUR_CODE be BL main

WARNING WARNING
The code executed at theoretical offset 0xdo_stuff has hardcoded absolute offsets to the end of firmware, so the code you put in here will be modified before it is run.
It's an efficient way to brick your Sansa, just like I did


I attach the patch to utils/AMS/hacking/mkamsboot.c
EDIT: use a correct mask when writing the relative offset of BL instruction.

Note: this is experimental code (and NOT TESTED yet on the Sansa), it assumes that there is a BL instruction just after our 1st jump, and will read all the firmware to find one.

Your test.S file must begin with an instruction, not with .word 0.


Also I took the conversion code to translate instructions in utils/disassembler/arm/disasm_arm.c but I may have forgotten something, so double check with a disassembler that your new firmware does what you want !!

Now to you hackers to write some wise code to be executed :P
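As an added illustration of the BL rewriting that funman's mkamsboot change describes (this is example code, not the patch itself or Rockbox code): scanning for the first BL after the hook point, decoding its target, and re-encoding it at the end of our code with the 24-bit offset mask the EDIT mentions. The image, OFFSET1 = 0x200, main = 0x100 and the new location 0x800 are constructed values, not from any real firmware, and nothing here touches a device.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
/* ARM BL (cond=AL): 0xEB | 24-bit signed word offset, relative to pc+8 (pipeline).
 * The offset MUST be masked to 24 bits: a negative offset's sign bits would otherwise
 * overwrite the condition/opcode bits, which is the mask bug the patch EDIT refers to. */
#define BL_AL   0xEB000000u
#define BR_MASK 0x00FFFFFFu
uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
bool is_bl_al(uint32_t insn) { return (insn & 0xFF000000u) == BL_AL; }

/* Absolute byte address that a BL located at byte offset 'pc' branches to. */
uint32_t bl_target(uint32_t pc, uint32_t insn) {
    int32_t words = (int32_t)(insn << 8) >> 8;   /* sign-extend the 24-bit field */
    return pc + 8 + (uint32_t)words * 4;
}
/* Encode "BL target" for placement at byte offset 'pc', applying the 24-bit mask. */
uint32_t encode_bl(uint32_t pc, uint32_t target) {
    int32_t words = ((int32_t)target - (int32_t)(pc + 8)) / 4;
    return BL_AL | ((uint32_t)words & BR_MASK);
}
/* Byte offset of the first unconditional BL at or after 'start', or -1 if none. */
long find_first_bl(const uint8_t *img, size_t len, size_t start) {
    for (size_t i = start; i + 4 <= len; i += 4)
        if (is_bl_al(rd32(img + i))) return (long)i;
    return -1;
}
/* The BL at 'offset1' gets displaced to the end of our code at 'new_pc': decode its
 * original target and re-encode it there. Returns 0 if the word is not a BL. */
uint32_t relocate_bl(const uint8_t *img, size_t len, size_t offset1, uint32_t new_pc) {
    if (offset1 + 4 > len || !is_bl_al(rd32(img + offset1))) return 0;
    return encode_bl(new_pc, bl_target((uint32_t)offset1, rd32(img + offset1)));
}

/* Constructed sample image (NOT a real Sansa firmware): zeros except a "BL main"
 * at OFFSET1 = 0x200 whose target 'main' sits at 0x100 (a backward branch). */
#define IMG_LEN 0x1000
const uint8_t *sample_image(void) {
    static uint8_t img[IMG_LEN];
    memset(img, 0, IMG_LEN);
    wr32(img + 0x200, encode_bl(0x200, 0x100));
    return img;
}
```

The backward branch is the interesting case: without the mask, the negative word offset of -66 (0xFFFFFFBE) would clobber the 0xEB prefix and the word would no longer be a BL at all.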

tobi-lu:
OK I just read this a few times, now I think I understand what you have done with mkamsboot.

But what do you mean by this:

--- Quote from: funman on August 01, 2008, 12:02:44 PM ---Also I took the conversion code to translate instructions in utils/disassembler/arm/disasm_arm.c

--- End quote ---
What's the purpose of disasm_arm.c? And what did you use it for?


--- Quote from: funman on August 01, 2008, 12:02:44 PM ---As discussed with the hackers, it would be wise to execute our code after some stuff has been initialized.

--- End quote ---
Do you think you can access other parts of the firmware file then? Or access the buttons easier?
Hm, I'd like to understand it, could someone perhaps send me a chatlog?


Thanks
Tobi
