Revo K101 Plus

(逆向工程) 20140422(PID00620601)


雖然司徒曾經要求周哥提供Revo K101的韌體程式碼,藉此可以讓更多熱心的掌機愛好者一起討論研究,或許可以讓K101延續A320的開源樂趣,這是司徒的初衷,比較可惜的是,周哥並沒有回應司徒,造就司徒想要逆向K101的韌體檔案,當然司徒的目地並不是為了商業利益,司徒只是希望可以讓K101的NES、PC Engine可以有更好的模擬效果。

基本上,想要完全逆向出原始碼並加以改進是不太可能的,比較有可能的是小幅度Binary Patch修改,畢竟K101的韌體更新檔案不太像是傳統ARM Binary檔案

; +--------------------------------------------------------------------+
;
; Input  MD5   :  2AD55B0B74D2F515D8B7B3C43322924E
; Input  CRC32 :  5B1C15D8

; File Name   :  C:\steward\k101_fw_20140422(pid00620601)\K_FW.BIN
; Format      :  Binary file
; Base Address:  0000h Range: 0000h - 1905DBh Loaded length: 1905DBh

; Processor    : ARM
; Target assembler: Generic assembler for ARM
; Byte sex    : Little endian
; ======================================================================
; Segment type:  Pure code
    AREA ROM, CODE,  READWRITE, ALIGN=0
    CODE32
    DCB 0xF7
    DCB 0xBF ; 
    DCB 0xFF
    DCB 0xFF
    DCB 0xFF
    DCB 0xFF
    DCB 0xFF
    DCB 0xFF
    DCB 0x90 ;
    DCB 0x60 ; 
    DCB 0x3C ; <
    DCB    6
    DCB    0
    DCB    0
    DCB 0x80 ;
    DCB 0x10
    DCB 0xE0 ; 
    DCB  0xF
    DCB 0x80 ; 
    DCB 0x10
    DCB    0
    DCB    0
    DCB 0x80 ; 
    DCB 0x10
    DCB 0x20
    DCB    0
    DCB    0
    DCB    0
    DCB    0
    DCB    0
    DCB    0
    DCB    0
    DCB 0x40 ; 
    DCB 0x16
    DCB 0xA0 ;  
    DCB 0xE3 ; 
    DCB  0xD
    DCB    0
    DCB 0x81 ; 
    DCB 0xE2 ; 
    DCB 0x11
    DCB  0xF
    DCB    9
    DCB 0xEE ; 
    DCB 0x40 ; 
    DCB 0xDD ; 
    DCB 0x81 ; 
    DCB 0xE2 ; 
    DCB 0x5D ; 
    DCB    3
    DCB    0
    DCB 0xEB ; 
    DCB    0
    DCB 0x70 ; 
    DCB 0xA0 ;  
    DCB 0xE1 ; 
    DCB    0
    DCB    0
    DCB 0xA0 ;  
    DCB 0xE3 ; 
    DCB    0
    DCB 0xF0 ; 
    DCB 0xA0 ;  
    DCB 0xE1 ; 
; =============== S U B  R O U T  I N E =================================
sub_40          ; CODE XREF: sub_40+Cj  sub_27C+7Cp ...
    CMP  R0, #0
    MOVNE  R0, R0
    SUBNE  R0, R0,  #1
    BNE  sub_40
    BX  LR
; End of function sub_40

從開頭的幾個Bytes看來,似乎不是傳統的ARM Binary,這個更新韌體檔應該的有包裝過,不過,這樣也好,增加逆向困難度。

那司徒下一步怎麼走呢?先來看看這個檔案的字串好了,看看有什麼線索可以跟進的

ROM:0005824A 00000021 C ----- Supported File Type ------
ROM:0005830A 00000021 C -------- Machine Info ----------
ROM:00058143 00000021 C ------------ Hotkey ------------
ROM:0005AAE5 0000000F C 7  27-Jun-2009
ROM:00051394 00000018 C : Heap memory corrupted
ROM:00013FB8 0000000C C A:Yes  B:No                       
ROM:00012838 00000014 C A:\\KSYSTEM\\GamePic\\            
ROM:00012C34 00000012 C A:\\KSYSTEM\\bg.jpg               
ROM:0001BFC4 0000001F C A:\\KSYSTEM\\cheat\\%s\\%s%c%c.zip
ROM:0001BF9C 0000001C C A:\\KSYSTEM\\cheat\\GameID.bin    
ROM:00017D5C 00000018 C A:\\KSYSTEM\\userlogo.jpg         
ROM:00012C28 0000000A C A:\\bg.jpg                        
ROM:00017D48 00000010 C A:\\userlogo.jpg                  
ROM:0005A05A 00000020 C ALIGN_TYPE is wrong, please fix
ROM:00057DE1 00000019 C AUDIO_DEFAULT=audio_arm 
ROM:00066564 00000015 C Abnormal termination
ROM:00017BE4 0000001A C B:  Abort & test firmware
ROM:0005A72C 0000001C C Backing store not supported
ROM:000581A9 00000012 C Backup save to TF
ROM:0005A3B7 0000002B C Buffer passed to JPEG library is too small
ROM:0005A3FE 00000025 C CCIR601 sampling not implemented yet
ROM:00025AD8 00000011 C CRC check failed
ROM:00017B58 0000001F C Cannot load firmware from SD !
ROM:0005AF5E 00000019 C Closed temporary file %s
ROM:00057D9E 00000026 C Copyright (C) 2000-2004 Robert Leslie               
ROM:0005B605 00000034 C Copyright (C) 2000-2004 Underbit Technologies, Inc. 
ROM:0005AAB0 00000035 C Copyright (C) 2009, Thomas G. Lane, Guido Vollbeding
ROM:00037794 00000031 C D:\\work\\ARM\\K1_Shell\\MAD\\libmad-0.15.1b\\layer3.c
ROM:00025E88 00000030 C D:\\work\\ARM\\K1_Shell\\MAD\\libmad-0.15.1b\\timer.c 
ROM:00057C34 0000004C C E:\\gamework\\K100\\software\\publicver\\Gboot_Release\\Sources\\madplay\\madplay.c
ROM:00057CF8 0000004B C E:\\gamework\\K100\\software\\publicver\\Gboot_Release\\Sources\\madplay\\player.c 
ROM:0005A95F 00000023 C Failed to create temporary file %s
ROM:00017B88 00000022 C Firmware is not for this device !
ROM:0005907D 0000000C C First delay                      
ROM:00058273 00000009 C GBA game  
ROM:000582C0 00000009 C GBC game  
ROM:0005826B 00000008 C GBA,GBK   
ROM:000582B5 0000000B C GBC,GB,SGB
ROM:0005A933 0000002C C Invalid JPEG file structure: SOS before SOF           
ROM:0005A8AC 00000030 C Invalid JPEG file structure: missing SOS marker       
ROM:0005A87F 0000002D C Invalid JPEG file structure: two SOF markers          
ROM:0005A906 0000002D C Invalid JPEG file structure: two SOI markers          
ROM:00051348 00000012 C Invalid Operation                                     
ROM:0005B242 0000002B C Invalid SOS parameters for sequential JPEG            
ROM:0005A69B 00000027 C Invalid color quantization mode change                
ROM:0005A0B9 0000001F C Invalid component ID %d in SOS                        
ROM:0005A0D8 00000015 C Invalid crop request                                  
ROM:0005A241 0000001C C Invalid memory pool code %d                           
ROM:0005A280 00000018 C Invalid progressive para                              
ROM:0005A2B7 00000037 C Invalid progressive parameters at scan script entry %d
ROM:0005A305 00000020 C Invalid scan script at entry %d                       
ROM:0005ACB3 00000035 C JFIF APP0 marker: version %d.%02d, density %dx%d  %d             
ROM:0005AF90 00000042 C JFIF extension marker: JPEG-compressed thumbnail image, length %u
ROM:0005B00C 00000036 C JFIF extension marker: RGB thumbnail image, length %u            
ROM:0005AFD2 0000003A C JFIF extension marker: palette thumbnail image, length %u        
ROM:0005AD24 0000002E C JFIF extension marker: type 0x%02x, length %u                    
ROM:0005A76D 00000022 C JPEG datastream contains no image                                           
ROM:0005A34F 0000004D C JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
ROM:000592FE 0000000F C LCD brightness
ROM:00058166 0000000F C LCD brightness
ROM:0005928D 0000000C C LCD scaling  
ROM:000581C4 0000000E C LCD/TV switch
ROM:00058B79 0000000F C Loading failed        
ROM:0005983B 00000011 C Loading game ...      
ROM:0005992E 00000017 C Loading game cheat ...
ROM:00058BDE 00000014 C Loading gescheitert   
ROM:0000D158 0000000F C Lowpass Filter        
ROM:000582CD 0000000A C MP3 music                                     
ROM:00010620 00000013 C MPEG Audio Decoder                            
ROM:0005B5E4 00000021 C MPEG Audio Decoder 0.15.1 (beta)              
ROM:0000C738 0000002F C MPEG_BUFSZ - input->length >= MAD_BUFFER_GUARD
ROM:00017BD0 00000014 C New firmware loaded
ROM:0005A6C2 00000014 C Not implemented yet
ROM:0005AF77 00000019 C Opened temporary file %s
ROM:0006661C 00000013 C Out of heap memory                            
ROM:00058C9E 0000000E C Out of memory                                 
ROM:0005A541 0000002F C Output file write error --- out of disk space?
ROM:0005828D 0000000F C PC-Engine game
ROM:00057DC4 0000001D C Robert Leslie <rob@mars.org>
ROM:000587C7 0000001C C SD-Card is not responding !
ROM:00017C00 0000001F C START:  Update firmware to SPI
ROM:0005A211 00000030 C Sampling factors too large for interleaved scan
ROM:000147FC 00000005 C Save                                           
ROM:000596E0 0000000E C Save settings                                  
ROM:00058C12 0000000E C Saving failed                                  
ROM:0005A674 00000027 C Scan script does not transmit all data         
ROM:000581F8 00000014 C Screen aspect-ratio                            
ROM:00057DFC 0000031D C This program is free software; you can redistribute it and/or modify it\nunder the terms of the GNU General Public License as published by the\nFree Software Foundation; either version 2 of the License, or (at your\noption) any later version.\n\nThis program is distributed in the hope that it will be useful, but\nWITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\nGeneral Public License for more details.\n\nYou should have received a copy of the GNU General Public License along\nwith this program; if not, write to the Free Software Foundation, Inc.,\n59 Temple Place, Suite 330, Boston, MA 02111-1307 USA\n\nSome portions of this program may be licensable under different terms.\nTo inquire about alternate licensing, contact: %s\n
ROM:0005A25D 00000023 C Unsupported JPEG data precision %d       
ROM:0005A8DC 0000002A C Unsupported JPEG process: SOF type 0x%02x
ROM:0005A449 00000025 C Unsupported color conversion request     
ROM:0005AA1E 0000001F C Unsupported marker type 0x%02x           
ROM:0005ACE8 0000003C C Warning: thumbnail image size does not match data length %u
ROM:0005B1C1 0000002E C Warning: unknown JFIF revision number %d.%02d              
ROM:0005A9BE 00000036 C Write failed on temporary file --- out of disk space?
ROM:0005A4F6 00000014 C Write to EMS failed                                  
ROM:0005AA9C 00000014 C Write to XMS failed                                  
ROM:0005A1D4 0000003D C Wrong JPEG library version: library is %d, caller expects %d
ROM:00025C70 00000019 C bad Huffman table select      
ROM:00025C58 00000016 C bad audio data length         
ROM:00025BD8 00000015 C bad big_values count          
ROM:00025BF0 0000001D C bad bitrate/mode combination  
ROM:00025C10 00000011 C bad frame length              
ROM:00025BBC 0000001C C bad main_data_begin pointer   
ROM:000259DC 00000016 C bad scalefactor index         
ROM:00025C38 0000001F C bad scalefactor selection info
ROM:0000E598 0000001F C cannot resample %u Hz to %u Hz
ROM:00058354 00000018 C http://kteam.ys168.com 
ROM:0005833A 0000001A C maxzhou88`s gamer version
ROM:00025A5C 00000012 C not enough memory                              
ROM:0000FC6C 00000026 C not enough memory to allocate filters          
ROM:0000ECFC 0000002B C not enough memory to allocate input buffer     
ROM:0000E200 00000030 C not enough memory to allocate resampling buffer
ROM:0000F990 0000002C C not enough memory to allocate sample buffer    
ROM:0005AB40 00000034 C rker: version %d, flags 0x%04x 0x%04x, transform %d
ROM:0000E1C8 00000032 C sample frequency %u Hz not available; using %u Hz
ROM:00057BC9 0000000C C sample-rate

可以看到存取SDCard的相關路徑

ROM:00012838 00000014 C A:\\KSYSTEM\\GamePic\\            
ROM:00012C34 00000012 C A:\\KSYSTEM\\bg.jpg               
ROM:0001BFC4 0000001F C A:\\KSYSTEM\\cheat\\%s\\%s%c%c.zip
ROM:0001BF9C 0000001C C A:\\KSYSTEM\\cheat\\GameID.bin    
ROM:00017D5C 00000018 C A:\\KSYSTEM\\userlogo.jpg         
ROM:00012C28 0000000A C A:\\bg.jpg                        
ROM:00017D48 00000010 C A:\\userlogo.jpg                  
ROM:00037794 00000031 C D:\\work\\ARM\\K1_Shell\\MAD\\libmad-0.15.1b\\layer3.c
ROM:00025E88 00000030 C D:\\work\\ARM\\K1_Shell\\MAD\\libmad-0.15.1b\\timer.c 
ROM:00057C34 0000004C C E:\\gamework\\K100\\software\\publicver\\Gboot_Release\\Sources\\madplay\\madplay.c
ROM:00057CF8 0000004B C E:\\gamework\\K100\\software\\publicver\\Gboot_Release\\Sources\\madplay\\player.c 

再往下一看,可以發現有韌體的相關訊息

ROM:00017B88 00000022 C Firmware is not for this device !
ROM:00017B58 0000001F C Cannot load firmware from SD !
ROM:00017BD0 00000014 C New firmware loaded
ROM:00017BE4 0000001A C B:  Abort & test firmware
ROM:00017C00 0000001F C START:  Update firmware to SPI


返回上一頁