Philips DIT9719 (BT Vision) bootloader dumped :)

[CJ205]

Hi,

Sorry to drag up this fairly old topic with my first post.  But I think my wuestion is relevant to this thread.

I have dumped my BTVision bootloader.  It is slightly different to Mick's based on a hex file comparison, appear it may be a later version.  What is the entry point for the IDA analysis?  Actually the correct setting for ROM/RAM would also be useful to confirm.

I set base address of RAM as 0x93600000
Processor - mipsl
Length - I assume 1meg based on the file size of the dump.

Cheers
Chris

[Herman]

its mips ii iirc and i think it detects its entrypoint.

is it 7421 by chance as well ?

[CJ205]

its mips ii iirc and i think it detects its entrypoint.

is it 7421 by chance as well ?

Hmm, I have the following options for MIPS, is there an additional proc lib to laod for mipsii?

mipsb
mipsl
mipsr
mipsrl

It is a DIT9719/05, maybe the differences are to be expected i.e. unique to each box?

Cheers
Chris

[is0-mick]

if you do a hex compare are the differences at the end of the file?
Each box has a different certificate which is at the end of the bootloader.

Mick

[CJ205]

Yes, the differences at the end, so that would exlain it.

Can you tell me th esetting so I can analyse the file myself?

Thanks
Chris

[Herman]

apols cpu is mipsii but for ida purposes mipsl is used
RAM:93600000  # Processor       : mipsl
RAM:93600000  # Target assembler: GNU assembler
RAM:93600000  # Byte sex        : Little endian
RAM:93600000

[CJ205]

Thanks, but with mipsl I still get the error :-

IDA Pro can't identify the entry point automatically as there is no standard if binaries.

Please move to what you think is the netry point and press C to start the auto analysis.

Do I need to add something to IDA to help with the analysis?

Chris

[is0-mick]

What you have is correct.
When you load a .bin file IDA has no way of knowing where to load the file or where the entry point is.

Tell it to load the file into RAM, and set the ram start address at 0x93600000


I also set a mapping, to get the strings to display correctly.
To do this, select Options, then analysis.
Click Processor specific options, add a mapping.

From should be set to 0x0
set TO to 0x93600000
leave size as it is already set.


RAM:93632C78 Main_Entry_Point:                        # Memory reference trap address low bits
Scroll down to that point, and press C.



Mick

[CJ205]

RAM:93632C78 Main_Entry_Point:                        # Memory reference trap address low bits

Thanks,  that's what I wanted to know! 

However, analysis (even on your dump) stops after a few lines?? 

RAM:93632C78                 mtc0    $0, WatchLo      # Memory reference trap address low bits
RAM:93632C7C                 mtc0    $0, WatchHi      # Memory reference trap address high bits
RAM:93632C80                 mtc0    $0, Count        # Timer Count
RAM:93632C84                 li      $t0, 0xFFFFFFFF
RAM:93632C88                 mtc0    $t0, Compare     # Timer Compare
RAM:93632C8C                 mtc0    $0, Cause        # Cause of last exception
RAM:93632C90                 mtc0    $0, Config       # Configuration register
RAM:93632C94                 li      $k0, 0xA006F010
RAM:93632C9C                 lui     $k1, 0x4800
RAM:93632CA0                 sw      $k0, 0x48000000
RAM:93632CA4                 la      $t0, unk_93650684
RAM:93632CAC                 lui     $t1, 0xA000
RAM:93632CB0                 or      $t0, $t1
RAM:93632CB4                 la      $ra, unk_93632CC4
RAM:93632CBC                 jr      $t0
RAM:93632CC0                 nop

Error is then - RAM:93632CA0: Can't find name (hint: use manual arg)

Everything else remains as raw.

Chris