Quote:
Originally Posted by Sprite_tm
What I did is create a game to read out the complete 24000000 range out of the serial port, and stick IDA to that. You can then even see what value variables have at the moment the game loads. Contact me if you want the code for it, I should have it still lying around.
Mmmm, 0x3c = non-cachable 0x24? I should keep that in mind.
The wiki should be online, but it could take a day or two for the dns-entry to propagate. You should be able to access it now or tomorrow.
I started reversing in a different place than you did (or rather, from the other end). I patched the firmware, and added a small bootloader (check the wiki, I'll upload it soon) that accepts binary files through XModem. I also added some memory stuff. You should check out the 0x2D... memory range, or at least the first few kb of it. It contains some executable data that I can't find back from the main firmware (probably embedded in the CPU somewhere), and is marked as the iTCM region. (Tightly Coupled Memory, read the ARM926EJ-S documentation). 0x2E is the dTCM region that goes with it.
Edit:
I've been trying to trace back the get_keys OS call to the IO register, without much luck.
I've gotten it down to:
*((int*)0x24287138) = *((int*) *((int*)0x24286130) + 4)
With 0x24287138 being the address the keys are stored for the get_keys call. Unfortunately, I don't have a running dump, and tracing back the 0x24268130 address is almost impossible. You wouldn't happen to be able to trace this back to a 0x100... address, would you?
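As an added example (not code from this thread or its posters), here is one way to resolve that pointer chain once a running dump of the 0x24... range is available. It assumes a little-endian 32-bit image and reads the expression with C pointer arithmetic (`(int*)x + 4` is 16 bytes); the dump contents below are constructed, not real device memory.

```python
import struct

WORD = 4  # sizeof(int) on a 32-bit little-endian ARM target


class MemDump:
    """A raw memory image whose first byte lives at address `base`."""

    def __init__(self, base, data):
        self.base = base
        self.data = data

    def read_u32(self, addr):
        """Read one little-endian 32-bit word; refuse addresses outside the dump."""
        off = addr - self.base
        if off < 0 or off + WORD > len(self.data):
            raise ValueError(f"address 0x{addr:08x} not covered by dump")
        return struct.unpack_from("<I", self.data, off)[0]


def resolve_chain(dump, start, offsets):
    """Follow a pointer chain: read the word at `start`, add the next byte
    offset, read again, and so on. Returns (trail of (addr, word), final value)."""
    addr = start
    trail = []
    for off in offsets:
        ptr = dump.read_u32(addr)
        trail.append((addr, ptr))
        addr = ptr + off
    value = dump.read_u32(addr)
    trail.append((addr, value))
    return trail, value


def get_keys_source(dump):
    # *((int*) *((int*)0x24286130) + 4): int* arithmetic, so +4 ints = 16 bytes
    return resolve_chain(dump, 0x24286130, [4 * WORD])


def build_sample_dump():
    """Constructed 8 KiB image covering 0x24286000..0x24287fff (hypothetical data)."""
    base = 0x24286000
    img = bytearray(0x2000)
    # constructed: the pointer cell at 0x24286130 points at a struct at 0x24287100
    struct.pack_into("<I", img, 0x24286130 - base, 0x24287100)
    # constructed: the struct's word at +16 holds the value that ends up in 0x24287138
    struct.pack_into("<I", img, 0x24287100 + 16 - base, 0x000000A5)
    return MemDump(base, bytes(img))
```

Swapping `build_sample_dump()` for a loader of a real serial-port dump gives the trail of addresses to look up in IDA, and the bounds check flags chains that leave the captured region.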