Calypso DSP reverse engineering front ...
Sylvain Munaut
246tnt at gmail.com
Thu Mar 11 01:18:06 CET 2010
Hi,
I've been slowly working on the DSP code for some time now and I
tought I'd post a status here in case other people are interested.
The ultimate point of this is to add support for things the DSP isn't
supposed to do. Like receiving the raw demodulated data without the
deciphering / fire code / whatever. Or dealing with raw speech data
... sending other type of burts like SCH / FCCH, or receiving other
type of bursts like RACH, ...
The DSP ROM dumper has been present for a while but there was no way
to really use the output efficiently.
For that, I've written a parser that takes the console log output and
converts it into a COFF file that you can load in your favorite
disassembler.
I've been working with IDA 5.6 mostly and I made several enhancement
to it to support the calypso better (the tms320c54 module is part of
the SDK and can be modded and recompiled) :
- Add support for memory mappings so that the same memory zone can
'appear' at several place in the address space (to handle data & code
overlay)
- Fix the section handling when loading a file:
. to set XPC properly,
. to not override section name
. to support more than 2 sections
- Fix a bug in cross reference detection when dealing with section
having selectors != 0
- Add stub support for the type system. This allows loading of a .h
header file with the NDB structure definition
- Add definition for the IO ports so that they are symbolically displayed
Here's a sample results of what it looks like now (without much manual
fixups, just loading the files and declaring a couple addresses as
being structures) :
http://www.246tnt.com/files/calypso_dsp_ida_sample.png
It becomes clear what function does what :)
I'll try to push a maximum in my dsp branch tomorrow. I can't put the
IDA processor module modification because even just the patch contains
some hex-rays code, so I guess I'll have to ask them permission on a
case by case basis to distribute it. (just ask me privately and we'll
work it out)
Cheers,
Sylvain
More information about the baseband-devel
mailing list