Post by Admin on Dec 23, 2016 16:32:58 GMT
Interrupt Vector RESET:
code:00004000 D2 28 setb RAM_25.0
code:00004002 22 ret
Interrupt Vector IE0 (External interrupt 0):
code:00004003 02 AA A3 ljmp code_AAA3
code:0000AAA3 C0 E0 push ACC ; Accumulator
code:0000AAA5 C0 83 push DPH ; Data Pointer, High Byte
code:0000AAA7 C0 82 push DPL ; Data Pointer, Low Byte
code:0000AAA9 C0 D0 push PSW ; Program Status Word Register
code:0000AAAB 75 D0 00 mov PSW, #0 ; Program Status Word Register
code:0000AAAE C0 00 push RAM_0
code:0000AAB0 90 F0 01 mov DPTR, #0xF001
code:0000AAB3 E0 movx A, @DPTR
code:0000AAB4 F5 1E mov RAM_1E, A
code:0000AAB6 53 1E 09 anl RAM_1E, #9
code:0000AAB9 E5 1E mov A, RAM_1E
code:0000AABB 30 E0 1F jnb ACC.0, code_AADD ; Accumulator
code:0000AABE 74 01 mov A, #1
code:0000AAC0 F0 movx @DPTR, A
code:0000AAC1 90 24 00 mov DPTR, #0x2400
code:0000AAC4 78 7C mov R0, #0x7C ; '|'
code:0000AAC6 12 8D F2 lcall code_8DF2
code:0000AAC9 78 79 mov R0, #0x79 ; 'y'
code:0000AACB F6 mov @R0, A
code:0000AACC A3 inc DPTR
code:0000AACD 18 dec R0
code:0000AACE 12 8D F2 lcall code_8DF2
code:0000AAD1 18 dec R0
code:0000AAD2 12 8D F3 lcall code_8DF3
code:0000AAD5 18 dec R0
code:0000AAD6 F6 mov @R0, A
code:0000AAD7 90 F0 00 mov DPTR, #0xF000
code:0000AADA 74 04 mov A, #4
code:0000AADC F0 movx @DPTR, A
code:0000AADD
code:0000AADD code_AADD: ; CODE XREF: code_AAA3+18j
code:0000AADD E5 1E mov A, RAM_1E
code:0000AADF 60 02 jz code_AAE3
code:0000AAE1 C2 A8 clr IEN0.0 ; Interrupt Enable Register 0
code:0000AAE3
code:0000AAE3 code_AAE3: ; CODE XREF: code_AAA3+3Cj
code:0000AAE3 D0 00 pop RAM_0
code:0000AAE5 D0 D0 pop PSW ; Program Status Word Register
code:0000AAE7 D0 82 pop DPL ; Data Pointer, Low Byte
code:0000AAE9 D0 83 pop DPH ; Data Pointer, High Byte
code:0000AAEB D0 E0 pop ACC ; Accumulator
code:0000AAED 32 reti

code:00008DF2 E0 movx A, @DPTR
code:00008DF3 F6 mov @R0, A
code:00008DF4 A3 inc DPTR
code:00008DF5 E0 movx A, @DPTR
code:00008DF6 18 dec R0
code:00008DF7 F6 mov @R0, A
code:00008DF8 A3 inc DPTR
code:00008DF9 E0 movx A, @DPTR
code:00008DFA 22 ret
Post by Admin on Dec 23, 2016 16:41:02 GMT
Interrupt Vector TF0 (Timer 0 overflow):
code:0000400B 02 A3 B0 ljmp code_A3B0
code:0000A3B0 C0 E0 push ACC ; Accumulator
code:0000A3B2 C0 83 push DPH ; Data Pointer, High Byte
code:0000A3B4 C0 82 push DPL ; Data Pointer, Low Byte
code:0000A3B6 C0 D0 push PSW ; Program Status Word Register
code:0000A3B8 75 D0 00 mov PSW, #0 ; Program Status Word Register
code:0000A3BB C0 07 push RAM_7
code:0000A3BD C2 8C clr TCON.4 ; Timer Control Register
code:0000A3BF 90 F1 23 mov DPTR, #0xF123
code:0000A3C2 E0 movx A, @DPTR
code:0000A3C3 25 E0 add A, ACC ; Accumulator
code:0000A3C5 FF mov R7, A
code:0000A3C6 90 F1 22 mov DPTR, #0xF122
code:0000A3C9 E0 movx A, @DPTR
code:0000A3CA 30 E5 04 jnb ACC.5, code_A3D1 ; Accumulator
code:0000A3CD 74 20 mov A, #0x20 ; ' '
code:0000A3CF 2F add A, R7
code:0000A3D0 FF mov R7, A
code:0000A3D1
code:0000A3D1 code_A3D1: ; CODE XREF: code_A3B0+1Aj
code:0000A3D1 EF mov A, R7
code:0000A3D2 90 AE 19 mov DPTR, #0xAE19
code:0000A3D5 93 movc A, @A+DPTR
code:0000A3D6 F5 8C mov TH0, A ; Timer 0, High Byte
code:0000A3D8 EF mov A, R7
code:0000A3D9 A3 inc DPTR
code:0000A3DA 93 movc A, @A+DPTR
code:0000A3DB F5 8A mov TL0, A ; Timer 0, Low Byte
code:0000A3DD D2 8C setb TCON.4 ; Timer Control Register
code:0000A3DF 05 66 inc RAM_66
code:0000A3E1 05 69 inc RAM_69
code:0000A3E3 E5 69 mov A, RAM_69
code:0000A3E5 C3 clr C
code:0000A3E6 94 0A subb A, #0xA
code:0000A3E8 40 24 jc code_A40E
code:0000A3EA 75 69 00 mov RAM_69, #0
code:0000A3ED E5 6B mov A, RAM_6B
code:0000A3EF D3 setb C
code:0000A3F0 94 1E subb A, #0x1E
code:0000A3F2 40 07 jc code_A3FB
code:0000A3F4 D2 91 setb P1.1 ; Port 1
code:0000A3F6 75 6B 00 mov RAM_6B, #0
code:0000A3F9 80 13 sjmp code_A40E
code:0000A3FB ; ---------------------------------------------------------------------------
code:0000A3FB
code:0000A3FB code_A3FB: ; CODE XREF: code_A3B0+42j
code:0000A3FB E5 6B mov A, RAM_6B
code:0000A3FD C3 clr C
code:0000A3FE 94 0A subb A, #0xA
code:0000A400 40 06 jc code_A408
code:0000A402 B2 91 cpl P1.1 ; Port 1
code:0000A404 05 6B inc RAM_6B
code:0000A406 80 06 sjmp code_A40E
code:0000A408 ; ---------------------------------------------------------------------------
code:0000A408
code:0000A408 code_A408: ; CODE XREF: code_A3B0+50j
code:0000A408 E5 6B mov A, RAM_6B
code:0000A40A 60 02 jz code_A40E
code:0000A40C B2 91 cpl P1.1 ; Port 1
code:0000A40E
code:0000A40E code_A40E: ; CODE XREF: code_A3B0+38j
code:0000A40E ; code_A3B0+49j
code:0000A40E ; code_A3B0+56j
code:0000A40E ; code_A3B0+5Aj
code:0000A40E D0 07 pop RAM_7
code:0000A410 D0 D0 pop PSW ; Program Status Word Register
code:0000A412 D0 82 pop DPL ; Data Pointer, Low Byte
code:0000A414 D0 83 pop DPH ; Data Pointer, High Byte
code:0000A416 D0 E0 pop ACC ; Accumulator
code:0000A418 32 reti
Interrupt Vector IE1 (External interrupt 1):
code:00004013 02 B7 8B ljmp code_B78B
code:0000B78B C0 E0 push ACC ; Accumulator
code:0000B78D C0 83 push DPH ; Data Pointer, High Byte
code:0000B78F C0 82 push DPL ; Data Pointer, Low Byte
code:0000B791 90 F0 21 mov DPTR, #0xF021
code:0000B794 E0 movx A, @DPTR
code:0000B795 F5 1D mov RAM_1D, A
code:0000B797 F0 movx @DPTR, A
code:0000B798 53 1D 0A anl RAM_1D, #0xA
code:0000B79B E5 1D mov A, RAM_1D
code:0000B79D 60 02 jz code_B7A1
code:0000B79F C2 AA clr IEN0.2 ; Interrupt Enable Register 0
code:0000B7A1
code:0000B7A1 code_B7A1: ; CODE XREF: code_B78B+12j
code:0000B7A1 D0 82 pop DPL ; Data Pointer, Low Byte
code:0000B7A3 D0 83 pop DPH ; Data Pointer, High Byte
code:0000B7A5 D0 E0 pop ACC ; Accumulator
code:0000B7A7 32 reti
Post by Admin on Dec 23, 2016 16:52:57 GMT
Interrupt Vector TF1 (Timer 1 overflow):
code:0000401B 02 B9 9C ljmp code_B99C
code:0000B99C C2 8E clr TCON.6 ; Timer Control Register
code:0000B99E 85 67 8D mov TH1, RAM_67 ; Timer 1, High Byte
code:0000B9A1 85 68 8B mov TL1, RAM_68 ; Timer 1, Low Byte
code:0000B9A4 05 6A inc RAM_6A
code:0000B9A6 D2 8E setb TCON.6 ; Timer Control Register
code:0000B9A8 32 reti
Interrupt RI0_TI0 (Serial channel 0):
code:00004023 02 40 1A ljmp code_401A
code:0000401A 32 reti
Interrupt Vector TF2_EXF2 (Timer 2 overflow/ext. reload):
code:0000402B 02 40 20 ljmp code_4020
code:00004020 32 reti
Interrupt Vector IADC (A/D converter):
code:00004043 02 B9 07 ljmp code_B907
code:0000B907 C0 E0 push ACC ; Accumulator
code:0000B909 C0 83 push DPH ; Data Pointer, High Byte
code:0000B90B C0 82 push DPL ; Data Pointer, Low Byte
code:0000B90D 90 F1 41 mov DPTR, #0xF141
code:0000B910 E0 movx A, @DPTR
code:0000B911 D0 82 pop DPL ; Data Pointer, Low Byte
code:0000B913 D0 83 pop DPH ; Data Pointer, High Byte
code:0000B915 D0 E0 pop ACC ; Accumulator
code:0000B917 32 reti
Post by Admin on Dec 24, 2016 22:11:46 GMT
Here is an example of how we can reverse an address related to the USB handling: the USB buffer location. First the C code from psychson:

static void SendCSW()
{
    usb_buffer[0] = 'U';
    usb_buffer[1] = 'S';
    usb_buffer[2] = 'B';
    usb_buffer[3] = 'S';
    usb_buffer[4] = scsi_tag[0];
    usb_buffer[5] = scsi_tag[1];
    ...

That in IDA:

code:00000540 90 00 00 mov DPTR, #0 ; Move (Op1 <- Op2)
code:00000543 74 55 mov A, #0x55 ; 'U' ; Move (Op1 <- Op2)
code:00000545 F0 movx @DPTR, A ; Move from/to external RAM
code:00000546 90 00 01 mov DPTR, #1 ; Move (Op1 <- Op2)
code:00000549 74 53 mov A, #0x53 ; 'S' ; Move (Op1 <- Op2)
code:0000054B F0 movx @DPTR, A ; Move from/to external RAM
code:0000054C 90 00 02 mov DPTR, #2 ; Move (Op1 <- Op2)
code:0000054F 74 42 mov A, #0x42 ; 'B' ; Move (Op1 <- Op2)
code:00000551 F0 movx @DPTR, A ; Move from/to external RAM
code:00000552 90 00 03 mov DPTR, #3 ; Move (Op1 <- Op2)
code:00000555 74 53 mov A, #0x53 ; 'S' ; Move (Op1 <- Op2)
code:00000557 F0 movx @DPTR, A ; Move from/to external RAM
code:00000558 90 00 04 mov DPTR, #4 ; Move (Op1 <- Op2)
code:0000055B E5 2E mov A, RAM_2E ; Move (Op1 <- Op2)
code:0000055D F0 movx @DPTR, A ; Move from/to external RAM
code:0000055E 90 00 05 mov DPTR, #5 ; Move (Op1 <- Op2)
code:00000561 E5 2F mov A, RAM_2F ; Move (Op1 <- Op2)
code:00000563 F0 movx @DPTR, A ; Move from/to external RAM
...

The same code from the firmware in IDA:

code:00009B2A 90 26 00 mov DPTR, #seg001_2600 ; Move (Op1 <- Op2)
code:00009B2D 74 55 mov A, #0x55 ; 'U' ; Move (Op1 <- Op2)
code:00009B2F F0 movx @DPTR, A ; Move from/to external RAM
code:00009B30 A3 inc DPTR ; Increment Operand
code:00009B31 74 53 mov A, #0x53 ; 'S' ; Move (Op1 <- Op2)
code:00009B33 F0 movx @DPTR, A ; Move from/to external RAM
code:00009B34 A3 inc DPTR ; Increment Operand
code:00009B35 74 42 mov A, #0x42 ; 'B' ; Move (Op1 <- Op2)
code:00009B37 F0 movx @DPTR, A ; Move from/to external RAM
code:00009B38 A3 inc DPTR ; Increment Operand
code:00009B39 74 53 mov A, #0x53 ; 'S' ; Move (Op1 <- Op2)
code:00009B3B F0 movx @DPTR, A ; Move from/to external RAM
code:00009B3C 90 22 9C mov DPTR, #seg001_229C ; Move (Op1 <- Op2)
code:00009B3F E0 movx A, @DPTR ; Move from/to external RAM
code:00009B40 90 26 04 mov DPTR, #seg001_2604 ; Move (Op1 <- Op2)
code:00009B43 F0 movx @DPTR, A ; Move from/to external RAM

From the initialization of the data pointer DPTR we can deduce that for the psychson code this resolves to 0x0000 and here to 0x2600:

code:00000540 90 00 00 mov DPTR, #0
vs
code:00009B2A 90 26 00 mov DPTR, #seg001_2600
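The deduction in the post above can be done mechanically. The following is an added example, not code from the thread or from psychson: a small Python tracer that follows DPTR and ACC through the few 8051 opcodes SendCSW() uses, records every movx @DPTR,A store, and reports the xdata address at which the "USBS" signature lands, which is the USB buffer base. The two byte strings are transcribed from the two listings in the post; the tracer only models the opcodes in its length table and stops at the first one it does not know, which is enough here because the signature store is the first thing SendCSW() does.

```python
# Added example, not code from the thread or from psychson: a minimal linear
# sweep over the SendCSW() opcodes, tracking DPTR and ACC so the xdata writes
# of the "USBS" signature can be located mechanically in both builds.

# Opcode bytes transcribed from the psychson listing (code:00000540 ...)
PSYCHSON_SENDCSW = bytes.fromhex(
    "900000 7455 F0  900001 7453 F0  900002 7442 F0  900003 7453 F0 "
    "900004 E52E F0  900005 E52F F0"
)
# Opcode bytes transcribed from the firmware listing (code:00009B2A ...)
FIRMWARE_SENDCSW = bytes.fromhex(
    "902600 7455 F0 A3  7453 F0 A3  7442 F0 A3  7453 F0  90229C E0  902604 F0"
)

# Standard 8051 instruction lengths for the only opcodes this tracer models.
LENGTHS = {0x90: 3, 0x74: 2, 0xE5: 2, 0xE0: 1, 0xA3: 1, 0xF0: 1}


def trace_xdata_writes(code):
    """Return a list of (xdata_address, value) for every movx @DPTR,A in `code`.

    ACC is tracked only when loaded with an immediate; after mov A,direct or
    movx A,@DPTR it becomes None (unknown). The sweep stops at the first
    opcode outside LENGTHS.
    """
    dptr, acc, writes, pc = None, None, [], 0
    while pc < len(code):
        op = code[pc]
        size = LENGTHS.get(op)
        if size is None or pc + size > len(code):
            break
        if op == 0x90:                         # mov DPTR, #imm16 (high byte first)
            dptr = (code[pc + 1] << 8) | code[pc + 2]
        elif op == 0x74:                       # mov A, #imm8
            acc = code[pc + 1]
        elif op in (0xE5, 0xE0):               # mov A,direct / movx A,@DPTR
            acc = None
        elif op == 0xA3:                       # inc DPTR
            if dptr is not None:
                dptr = (dptr + 1) & 0xFFFF
        elif op == 0xF0:                       # movx @DPTR, A
            if dptr is not None:
                writes.append((dptr, acc))
        pc += size
    return writes


def find_signature_base(writes, signature=b"USBS"):
    """Return the address where `signature` is stored to consecutive xdata
    bytes by consecutive writes, or None if no such run exists."""
    n = len(signature)
    for i in range(len(writes) - n + 1):
        base = writes[i][0]
        if all(addr == base + k and val == signature[k]
               for k, (addr, val) in enumerate(writes[i:i + n])):
            return base
    return None


def usb_buffer_base(code):
    """USB buffer base as deduced from where SendCSW() writes 'USBS'."""
    return find_signature_base(trace_xdata_writes(code))


if __name__ == "__main__":
    for name, code in (("psychson", PSYCHSON_SENDCSW), ("firmware", FIRMWARE_SENDCSW)):
        print(f"{name}: usb_buffer at 0x{usb_buffer_base(code):04X}")
```

Run stand-alone it reports 0x0000 for the psychson build and 0x2600 for the firmware, matching the reading of the two mov DPTR instructions above; the same tracer works whether the compiler reloads DPTR for every byte or walks it with inc DPTR.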
Post by Admin on Dec 25, 2016 15:51:50 GMT
Yay, I found an exploit that lets us dump small areas of the memory from anywhere! Remember the USB command to get the Vendor Info? Well, it has to copy the "FW BURNER" string into the USB buffer, and as we already know where the USB buffer is located we can look at who accesses it...

//Here the buffer gets filled at various positions...
code:00007393 90 26 46 mov DPTR, #(USB_BUFFER+0x46) ; Move (Op1 <- Op2)
code:00007396 EF mov A, R7 ; Move (Op1 <- Op2)
code:00007397 F0 movx @DPTR, A ; Move from/to external RAM
code:00007398 90 88 8C mov DPTR, #code_888C ; Move (Op1 <- Op2)
code:0000739B E4 clr A ; Clear Operand (0)
code:0000739C 93 movc A, @A+DPTR ; Move code byte relative to second op to Acc
code:0000739D 90 26 47 mov DPTR, #(USB_BUFFER+0x47) ; Move (Op1 <- Op2)
code:000073A0 F0 movx @DPTR, A ; Move from/to external RAM
//Here a memcpy function is used!
code:000073A1 78 36 mov R0, #0x36 ; '6' ; Move (Op1 <- Op2)
code:000073A3 7A 88 mov R2, #0x88 ; Move (Op1 <- Op2)
code:000073A5 79 8D mov R1, #0x8D ; Move (Op1 <- Op2)
code:000073A7 12 7B F0 lcall code_7BF0 ; Long Subroutine Call

Here we can see a memcpy function is used, where R0 is the position in the buffer and R2 + R1 make the loading address (R2 = high byte, R1 = low byte) where the data is loaded from. Well... what if we change those opcode bytes "7A 88" and "79 " to "7A XX 79 XX" and look up any address? Like, could we verify if we got loaded to 0x4000 for real, with "7A 40 79 00"? Turns out we can! This gives us a total of 24 bytes that we can read from anywhere!
greetz WV
Post by Admin on Dec 25, 2016 18:32:02 GMT
This allowed me to dump the bootloader memory of the stick! I made this into an exploit, see github... Now it uploads an edited burner image each time you unplug/replug the device (slow, but stable) with a slightly different address to leak bytes from. Each try leaks 0x74 bytes, so it needs just 36 tries to dump a 0x1000 region. Well, I already dumped 0x0000-0x3FFF this way for you.
Download BL68.zip
greetz WV
Post by Admin on Dec 26, 2016 13:29:27 GMT
Ok, after some more trial and error it seems I figured out the GPIO address:

GPIODIR = 0xF14D
GPIOVAL = 0xF14C

DIR is set to 0x0F and VAL is either 0x7F (full brightness) or 0x0F (lowest brightness), so I came up with the following assembler code to toggle it in intervals:

code:00004100 ; =============== S U B R O U T I N E =======================================
code:00004100
code:00004100
code:00004100 code_4100: ; CODE XREF: code:00004000j
code:00004100 ; code:00004003j ...
code:00004100 90 F1 4D mov DPTR, #0xF14D ; Move (Op1 <- Op2)
code:00004103 74 0F mov A, #0xF ; Move (Op1 <- Op2)
code:00004105 F0 movx @DPTR, A ; Move from/to external RAM
code:00004106 90 F1 4C mov DPTR, #0xF14C ; Move (Op1 <- Op2)
code:00004109 74 7F mov A, #0x7F ; Move (Op1 <- Op2)
code:0000410B F0 movx @DPTR, A ; Move from/to external RAM
code:0000410C E4 clr A ; Clear Operand (0)
code:0000410D FD mov R5, A ; Move (Op1 <- Op2)
code:0000410E
code:0000410E code_410E: ; CODE XREF: code_4100+19j
code:0000410E FE mov R6, A ; Move (Op1 <- Op2)
code:0000410F
code:0000410F code_410F: ; CODE XREF: code_4100+15j
code:0000410F FF mov R7, A ; Move (Op1 <- Op2)
code:00004110
code:00004110 code_4110: ; CODE XREF: code_4100+11j
code:00004110 0F inc R7 ; Increment Operand
code:00004111 BF FA FC cjne R7, #0xFA, code_4110 ; Compare Operands and JNE
code:00004114 0E inc R6 ; Increment Operand
code:00004115 BE FA F7 cjne R6, #0xFA, code_410F ; Compare Operands and JNE
code:00004118 0D inc R5 ; Increment Operand
code:00004119 BD 0A F2 cjne R5, #0xA, code_410E ; Compare Operands and JNE
code:0000411C 90 F1 4C mov DPTR, #0xF14C ; Move (Op1 <- Op2)
code:0000411F 74 0F mov A, #0xF ; Move (Op1 <- Op2)
code:00004121 F0 movx @DPTR, A ; Move from/to external RAM
code:00004122 E4 clr A ; Clear Operand (0)
code:00004123 FD mov R5, A ; Move (Op1 <- Op2)
code:00004124
code:00004124 code_4124: ; CODE XREF: code_4100+2Fj
code:00004124 FE mov R6, A ; Move (Op1 <- Op2)
code:00004125
code:00004125 code_4125: ; CODE XREF: code_4100+2Bj
code:00004125 FF mov R7, A ; Move (Op1 <- Op2)
code:00004126
code:00004126 code_4126: ; CODE XREF: code_4100+27j
code:00004126 0F inc R7 ; Increment Operand
code:00004127 BF FA FC cjne R7, #0xFA, code_4126 ; Compare Operands and JNE
code:0000412A 0E inc R6 ; Increment Operand
code:0000412B BE FA F7 cjne R6, #0xFA, code_4125 ; Compare Operands and JNE
code:0000412E 0D inc R5 ; Increment Operand
code:0000412F BD 0A F2 cjne R5, #0xA, code_4124 ; Compare Operands and JNE
code:00004132 02 41 00 ljmp code_4100 ; Long Jump
code:00004132 ; End of function code_4100

As the clock speed is very high, I used a triple loop as a delay of 250*250*10 iterations. This results in the following opcode hex bytes:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000200 02 41 00 02 41 00 00 00 00 00 00 02 41 00 00 00
00000210 00 00 00 02 41 00 00 00 00 00 00 02 41 00 00 00
00000220 00 00 00 02 41 00 00 00 00 00 00 02 41 00 00 00
00000230 00 00 00 02 41 00 00 00 00 00 00 02 41 00 00 00
00000240 00 00 00 02 41 00 00 00 00 00 00 02 41 00 00 00
00000250 00 00 00 02 41 00 00 00 00 00 00 02 41 00 00 00
00000260 00 00 00 02 41 00 00 00 00 00 00 02 41 00 00 00
00000270 00 00 00 02 41 00 00 00 00 00 00 02 41 00 00 00
00000280 00 00 00 02 41 00 00 00 00 00 00 02 41 00 00 00
00000290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000002F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000300 90 F1 4D 74 0F F0 90 F1 4C 74 7F F0 E4 FD FE FF
00000310 0F BF FA FC 0E BE FA F7 0D BD 0A F2 90 F1 4C 74
00000320 0F F0 E4 FD FE FF 0F BF FA FC 0E BE FA F7 0D BD
00000330 0A F2 02 41 00
I put jumps into all interrupt vector addresses, but I could have left them as 0x00 (NOP) so the MCU would have just walked through all NOPs until it hits 0x4100. Now an image has to be a multiple of 0x1000, so let's fill up the rest with 0x00 and add the image header from the normal bootloader. Let's see what happens:
Download
greetz WV
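To show how the listing, the hex dump and the image layout in this post fit together, here is an added example, not code from the thread or the author's project: a Python script that assembles the blink routine from its opcodes (computing the cjne relative offsets from the instruction addresses), places an ljmp at the RESET vector and at every 0x4003 + 8*k vector as the dump shows, and pads the body to 0x1000. The GPIO addresses are the ones the post gives; the 0x200-byte header is a constructed placeholder of zeros (the post takes the real one from the normal bootloader), and padding the body after the header, rather than the whole file, to a multiple of 0x1000 is an assumption. A check function compares the assembled routine against the bytes the post lists at file offset 0x300.

```python
# Added example, not code from the thread: assembling the blink routine above
# from its opcodes and laying it out as the post's image. Only the opcodes the
# routine uses are encoded. The 0x200-byte header is a constructed placeholder
# of zeros (the post takes the real one from the normal bootloader), and
# padding the body after the header to a multiple of 0x1000 is an assumption.

LOAD_BASE = 0x4000     # code addresses start at 0x4000 in the listing
HEADER_LEN = 0x200     # the dump shows code 0x4100 at file offset 0x300
CODE_ADDR = 0x4100     # address of code_4100
GPIODIR = 0xF14D       # from the post
GPIOVAL = 0xF14C       # from the post
NUM_VECTORS = 18       # ljmps at 0x4003 + 8*k in the dump reach 0x408B (k = 17)

# Bytes at file offset 0x300..0x334 transcribed from the post's hex dump.
DUMP_0300 = bytes.fromhex(
    "90F14D740FF0 90F14C747FF0 E4FDFEFF0FBFFAFC0EBEFAF70DBD0AF2 "
    "90F14C740FF0 E4FDFEFF0FBFFAFC0EBEFAF70DBD0AF2 024100"
)

# Opcode encodings for the handful of instructions the routine uses.
CLR_A, MOVX_DPTR_A = b"\xE4", b"\xF0"
MOV_R5_A, MOV_R6_A, MOV_R7_A = b"\xFD", b"\xFE", b"\xFF"
INC_R5, INC_R6, INC_R7 = b"\x0D", b"\x0E", b"\x0F"
CJNE_RN_IMM = {5: 0xBD, 6: 0xBE, 7: 0xBF}


def ljmp(addr):
    return bytes([0x02, addr >> 8, addr & 0xFF])


def mov_dptr(addr):
    return bytes([0x90, addr >> 8, addr & 0xFF])


def mov_a_imm(value):
    return bytes([0x74, value & 0xFF])


def cjne_rn(reg, imm, pc, target):
    """cjne Rn,#imm,rel. rel is counted from the end of this 3-byte instruction."""
    rel = target - (pc + 3)
    if not -128 <= rel <= 127:
        raise ValueError("branch target out of rel8 range")
    return bytes([CJNE_RN_IMM[reg], imm & 0xFF, rel & 0xFF])


def delay_loop(pc, outer=10, mid=250, inner=250):
    """Triple counted loop in R5/R6/R7 starting at address `pc`. A stays 0, so
    the inner counters restart from 0 on every pass (250*250*10 iterations)."""
    code = bytearray(CLR_A + MOV_R5_A)
    l_outer = pc + len(code)
    code += MOV_R6_A
    l_mid = pc + len(code)
    code += MOV_R7_A
    l_inner = pc + len(code)
    code += INC_R7
    code += cjne_rn(7, inner, pc + len(code), l_inner)
    code += INC_R6
    code += cjne_rn(6, mid, pc + len(code), l_mid)
    code += INC_R5
    code += cjne_rn(5, outer, pc + len(code), l_outer)
    return bytes(code)


def blink_routine(addr=CODE_ADDR):
    """code_4100: DIR=0x0F, VAL=0x7F, delay, VAL=0x0F, delay, loop forever."""
    code = bytearray()
    code += mov_dptr(GPIODIR) + mov_a_imm(0x0F) + MOVX_DPTR_A
    code += mov_dptr(GPIOVAL) + mov_a_imm(0x7F) + MOVX_DPTR_A
    code += delay_loop(addr + len(code))
    code += mov_dptr(GPIOVAL) + mov_a_imm(0x0F) + MOVX_DPTR_A
    code += delay_loop(addr + len(code))
    code += ljmp(addr)
    return bytes(code)


def build_image(header=bytes(HEADER_LEN)):
    """header + body: ljmp to the routine at the RESET vector (0x4000) and at
    every 0x4003 + 8*k vector, zeros (NOP) elsewhere, body padded to 0x1000."""
    if len(header) != HEADER_LEN:
        raise ValueError("header must be exactly 0x200 bytes")
    routine = blink_routine()
    used = CODE_ADDR - LOAD_BASE + len(routine)
    body = bytearray((used + 0xFFF) // 0x1000 * 0x1000)
    vec = ljmp(CODE_ADDR)
    body[0:3] = vec
    for k in range(NUM_VECTORS):
        off = 3 + 8 * k
        body[off:off + 3] = vec
    off = CODE_ADDR - LOAD_BASE
    body[off:off + len(routine)] = routine
    return bytes(header) + bytes(body)


def matches_post_dump(image):
    """True if the routine in `image` equals the bytes the post lists at 0x300."""
    start = HEADER_LEN + CODE_ADDR - LOAD_BASE
    return image[start:start + len(DUMP_0300)] == DUMP_0300


if __name__ == "__main__":
    img = build_image()
    print(f"image size 0x{len(img):X}, routine matches post dump: {matches_post_dump(img)}")
```

The relative offsets fall out of the address bookkeeping: the first cjne at 0x4111 targets 0x4110, so rel = 0x4110 - 0x4114 = -4 = 0xFC, which is the FC byte in the dump.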
Post by Admin on Dec 26, 2016 17:53:29 GMT
Next up, converting the LED example into C code for easier use.

defs.h:

#ifndef DEFS_H
#define DEFS_H

#define MSB(word) (BYTE)(((WORD)(word) >> 8) & 0xff)
#define LSB(word) (BYTE)((WORD)(word) & 0xff)

#define XVAL(addr) (*( __xdata volatile unsigned char *)(addr))
#define IVAL(addr) (*( __idata volatile unsigned char *)(addr))

typedef unsigned char BYTE;
typedef unsigned short WORD;
typedef unsigned long DWORD;
#define TRUE 1
#define FALSE 0

/* Special function registers (SDCC syntax) */
__sfr __at (0x80) P0 ;
__sfr __at (0x90) P1 ;
__sfr __at (0xA0) P2 ;
__sfr __at (0xB0) P3 ;
__sfr __at (0xD0) PSW ;
__sfr __at (0xE0) ACC ;
__sfr __at (0xF0) B ;
__sfr __at (0x81) SP ;
__sfr __at (0x82) DPL ;
__sfr __at (0x83) DPH ;
__sfr __at (0x87) PCON;
__sfr __at (0x88) TCON;
__sfr __at (0x89) TMOD;
__sfr __at (0x8A) TL0 ;
__sfr __at (0x8B) TL1 ;
__sfr __at (0x8C) TH0 ;
__sfr __at (0x8D) TH1 ;
__sfr __at (0xA8) IE ;
__sfr __at (0xB8) IP ;
__sfr __at (0x98) SCON;
__sfr __at (0x99) SBUF;

/* BIT Register */
/* PSW */
__sbit __at (0xD7) CY ;
__sbit __at (0xD6) AC ;
__sbit __at (0xD5) F0 ;
__sbit __at (0xD4) RS1 ;
__sbit __at (0xD3) RS0 ;
__sbit __at (0xD2) OV ;
__sbit __at (0xD0) P ;
/* TCON */
__sbit __at (0x8F) TF1 ;
__sbit __at (0x8E) TR1 ;
__sbit __at (0x8D) TF0 ;
__sbit __at (0x8C) TR0 ;
__sbit __at (0x8B) IE1 ;
__sbit __at (0x8A) IT1 ;
__sbit __at (0x89) IE0 ;
__sbit __at (0x88) IT0 ;
/* IE */
__sbit __at (0xAF) EA ;
__sbit __at (0xAC) ES ;
__sbit __at (0xAB) ET1 ;
__sbit __at (0xAA) EX1 ;
__sbit __at (0xA9) ET0 ;
__sbit __at (0xA8) EX0 ;
/* IP */
__sbit __at (0xBC) PS ;
__sbit __at (0xBB) PT1 ;
__sbit __at (0xBA) PX1 ;
__sbit __at (0xB9) PT0 ;
__sbit __at (0xB8) PX0 ;
/* P3 */
__sbit __at (0xB7) RD ;
__sbit __at (0xB6) WR ;
__sbit __at (0xB5) T1 ;
__sbit __at (0xB4) T0 ;
__sbit __at (0xB3) INT1;
__sbit __at (0xB2) INT0;
__sbit __at (0xB1) TXD ;
__sbit __at (0xB0) RXD ;
/* SCON */
__sbit __at (0x9F) SM0 ;
__sbit __at (0x9E) SM1 ;
__sbit __at (0x9D) SM2 ;
__sbit __at (0x9C) REN ;
__sbit __at (0x9B) TB8 ;
__sbit __at (0x9A) RB8 ;
__sbit __at (0x99) TI ;
__sbit __at (0x98) RI ;

/* Memory-mapped registers in xdata */
__xdata __at 0xF000 volatile BYTE REGBANK;
__xdata __at 0xF14C volatile BYTE GPIO0OUT;   /* GPIOVAL from the post above */

#endif

and main.c:

#include "defs.h"

/* Same 10*250*250 busy loop as the assembler version */
void wait(void)
{
    BYTE a,b,c;
    for(a=0; a<10; a++)
        for(b=0; b<250; b++)
            for(c=0; c<250; c++);
}

void blinkLED(void)
{
    GPIO0OUT = 0x7F;   /* full brightness */
    wait();
    GPIO0OUT = 0x0F;   /* lowest brightness */
    wait();
}

void main(void)
{
    GPIO0OUT = 0x7F;
    while(TRUE)
        blinkLED();
}

/* interrupt 16 places this handler at vector 0x4003 + 8*16 = 0x4083 */
void _RESET(void) __naked __interrupt 16
{
    main();
}

It seems the RESET vector at 0x4000 isn't used; instead, code starts at 0x4083, so I added a handler there to jump to main.
Download example project here
greetz WV
Post by strannic1924 on Feb 2, 2017 13:54:18 GMT
Post by Sc0rpi0n3 on Apr 18, 2017 18:24:09 GMT
Hello! I need the firmware for Phison PS2251-68 with flash ID: 983A98A3 7651 (Toshiba TC58TEG7THL eD3.16k).
Post by Admin on May 31, 2017 19:57:35 GMT
This is a research thread; unless you have a Phison microcontroller and the fitting firmware, there is no need to post here, because this is about reversing the firmware and producing a new one, not about sharing firmware blobs. But I will make a "request" sub-forum where you can post these requests to others, ok?
greetz WV
Post by H@ on Aug 31, 2017 3:18:35 GMT
Hello! From the datasheet, this may have an INTERRUPT endpoint, "Endpoint 3 : 8 Bytes INTERRUPT transfer for IN transaction"; did you find it?
Post by Admin on Sept 20, 2017 4:03:03 GMT
Well, sorry, I haven't looked into this any further; I'm not sure how I would start to look for it. I just looked for known interrupt places and where the code made sense for it. What datasheet are you referring to? If you wanna chat, PM me on reddit.
greetz WV
Post by davod amirajam on Dec 6, 2017 15:19:34 GMT
If you are able to dump firmware fw68 5.2.53 5.0.53 5.0.55 or any ed3 15nm TLC, please help people and share the firmware file.
We have mpall 5 and we have bn68 v5, we just need someone to dump the firmware.
Thank you.