Gprobe :: ZeroMips

2023-11-24 04:23:23

My very first encounter with Lukas F. Hartmann was over on the bird site.
I hadn't heard about MNT Research or the Reform. I just saw a post where he
was talking about doing a design with the STDP2600 HDMI to DisplayPort converter
and I told him that this probably meant trouble.

My previous job was at Guntermann and Drunck,
a German manufacturer of high-end KVM (meaning Keyboard Video Mouse) equipment.
I worked there from 2002 to 2019 and we did some advanced products using bleeding-edge
technology. There I also did my first design with the Freescale QorIQ P1022
Communication Processor, the PowerPC ancestor of the NXP LS1028A that is available
for the Reform today.

The Video part in KVM meant that we had to deal with a lot of special purpose
ICs implementing different video standards. For DisplayPort 1.2a we had the
STDP4320; at that time the IP was owned by MegaChips. That chip really caused
a lot of headache for us. We had a customized firmware from MegaChips that still had
some bugs. It was really hard to communicate with them and get things fixed.

At one point we were desperate enough to start investigating if we could do something
about this ourselves. We had heard that the STDP line of products had an embedded
x86 core of some kind. So we started loading the firmware file into Radare2,
a reverse engineering framework. We could disassemble parts, but as soon as there
were calls into other segments, things didn't make sense anymore.
Doing some more research we found the MonitorDarkly exploit
that was presented at DEFCON 24 by Red Balloon Security.
From their presentation we learned that the x86 was actually a Turbo186 core with very special
segment addressing. In x86 real mode, a segment address is the 16 most significant bits
of a 20-bit address, so it is shifted 4 bits left. The Turbo186 uses 24-bit addressing,
so it is a 16-bit address that gets shifted 8 bits to the left.
We made changes to Radare2 to support that (there is now an asm.seggrn parameter that
is 4 by default and can be set to 8).
The firmware itself gets written to SPI NOR flash, from where the Turbo186 can access it.
There is also some vendor tooling to talk to the core for programming
and debugging purposes via UART. Fortunately the protocol, Gprobe, is well documented,
though available under NDA only. So we implemented the protocol as a Radare2 plugin
and could directly read and write the RAM of the Turbo186. As we had all the tooling
in place, MegaChips finally addressed the firmware bugs and delivered a version
working properly. So the dust settled.
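To make the addressing difference concrete, here is an added example (my own illustration, not code from this post or from Radare2) that decodes the same far jump under the real-mode granularity of 4 bits and the Turbo186 granularity of 8 bits; the far-JMP encoding used here is the standard x86 `EA off16 seg16` form and the sample bytes are constructed.

```python
# Added example: why a far pointer lands somewhere else on a Turbo186.
# Real-mode x86: linear = (seg << 4) + off, 20-bit bus (1 MiB).
# Turbo186 (STDP parts): linear = (seg << 8) + off, 24-bit bus (16 MiB).
# In Radare2 the shift is the asm.seggrn setting (default 4, set to 8 here).
import struct

ADDR_BITS = {4: 20, 8: 24}   # segment granularity (bits) -> address width (bits)


def linear(seg: int, off: int, seggrn: int = 4) -> int:
    """Segment:offset -> linear address, wrapped to the bus width."""
    width = ADDR_BITS[seggrn]
    return ((seg << seggrn) + off) & ((1 << width) - 1)


def to_segoff(addr: int, seggrn: int = 4) -> tuple:
    """Canonical segment:offset of a linear address (offset smaller than one granule)."""
    return (addr >> seggrn) & 0xFFFF, addr & ((1 << seggrn) - 1)


def decode_far_jmp(code: bytes, seggrn: int = 4) -> tuple:
    """Decode an x86 'JMP ptr16:16' (opcode 0xEA, then 16-bit offset, then
    16-bit segment, both little-endian) and return (seg, off, linear_target)."""
    if len(code) < 5 or code[0] != 0xEA:
        raise ValueError("not a far JMP")
    off, seg = struct.unpack_from("<HH", code, 1)
    return seg, off, linear(seg, off, seggrn)


# Constructed sample instruction: JMP FAR 0x1234:0x0010
SAMPLE = bytes([0xEA, 0x10, 0x00, 0x34, 0x12])

if __name__ == "__main__":
    for grn in (4, 8):
        seg, off, target = decode_far_jmp(SAMPLE, grn)
        print(f"seggrn={grn}: {seg:04x}:{off:04x} -> linear {target:06x}")
    # The same linear address has different canonical seg:off forms:
    print(to_segoff(0x12350, 4), to_segoff(0x123410, 8))
```

With the default granularity the jump appears to target 0x12350, with the Turbo186 granularity it targets 0x123410, which is the mismatch that made cross-segment calls look like nonsense before the asm.seggrn change.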

Until Lukas started playing around with the STDP2600. And sure enough, it meant
. Fortunately Kinetic Technologies
as the new owner of the IP seems to be much more approachable and helped Lukas with
firmware and documentation. I also could contribute one tip or the other. So
the adapter finally started working.

Again, the dust settled, until one night:

Cursed tools

At Guntermann and Drunck I had been missing the documentation and the Turbo186
flash loader code to implement this in the Radare2 plugin. But Kinetic
Technologies was friendly enough to provide all this to Lukas.
So Lukas sent me an MNT RHDP module and I could start hacking.

Hacking equipment

All it needed was a power supply with 5 and 3.3 Volts, a USB to serial converter
and a logic analyzer. Regarding the latter I can highly recommend the AZ-Delivery one
shown in the photo, which by strange coincidence is compatible with the Saleae
software.

Serial protocol analyzer

While implementing the gprobe commands for flashing I also found some bugs in my
original implementation that I could fix on the way. The Radare2 maintainer, pancake,
also kindly contributed some improvements for the ihex plugin, so it can now be
used together with the Intel HEX file of the flasher. The implementation is
already merged; documentation can be found here:

This was really a fun journey to the past for me and I could even make the
Reform2 ecosystem a little bit more open. For the next RHDP production
run there will be no more virtual machines and cursed vendor tools required.
