
Both 40D LEDs Found and Multiple Blinks

  • 6 Replies
  • 2577 Views
*

ASalina

  • Publish
    Both 40D LEDs Found and Multiple Blinks
    « on: 02 / June / 2008, 15:39:17 »
    Ok, I've found the location of both the "Direct Print" LED and the "Drive Activity" LED. I've also gotten them to blink multiple times (confirming that data can be blinked out through them).

    The Drive Activity LED (red) is at 0xC0220038
    and the Direct Print LED (blue) is at 0xC022003A

    EDIT: owerlord was right!

    Drive Activity LED is at 0xC02200E0
    and Direct Print LED is at 0xC02200E8


    0x46 turns them on and I can't yet say for sure what value turns them off because I'm still just replacing the value that was found there. I guess the first real use of this program is to blink out what was found at those addresses.

    Where is that code for blinking out hex digits? :-)
    « Last Edit: 02 / June / 2008, 15:49:31 by ASalina »

  • Publish
    Re: Both 40D LEDs Found and Multiple Blinks
    « Reply #1 on: 02 / June / 2008, 15:46:42 »
    hate to say it again, but I think it's:
    0xC02200E0
    0xC02200E8

    0x38 blinks means: 0x38*sizeof(int) = 0xE0

    NEW: I used a very simple transfer protocol - just 0 - short delay, 1 - long delay, and beginning of string - very long delay, so it looks like:
    led on, very long delay, led off, bit, led on, bit, led off, bit, led on ....
    In my program it is like: long is 2*short, and very long is 4*short.
    « Last Edit: 02 / June / 2008, 15:49:47 by owerlord »

    *

    ASalina

  • Publish
    Re: Both 40D LEDs Found and Multiple Blinks
    « Reply #2 on: 02 / June / 2008, 15:54:28 »

    Quote

    hate to say it again, but I think it's:
    0xC02200E0
    0xC02200E8

    0x38 blinks means: 0x38*sizeof(int) = 0xE0

    Yes. See my edit. :-)
    Quote

    NEW: I used a very simple transfer protocol - just 0 - short delay, 1 - long delay, and beginning of string - very long delay, so it looks like:
    led on, very long delay, led off, bit, led on, bit, led off, bit, led on ....
    In my program it is like: long is 2*short, and very long is 4*short.

    Kind of like Morse Code...

    *

    ASalina

  • Publish
    Re: Both 40D LEDs Found and Multiple Blinks
    « Reply #3 on: 02 / June / 2008, 16:06:48 »
    Does anyone know how to write to the CF card yet, like udumper does?

    That would be so much easier than blinking.


  • Publish
    Re: Both 40D LEDs Found and Multiple Blinks
    « Reply #4 on: 02 / June / 2008, 16:10:30 »
    I've got good news for you. There is usable CF code in the bootloader. You can dump that by LED, and then start to analyse it and find how to write to CF.

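    Code:
    /* Exponents for the delay loops; set these before calling send_string(). */
    int ledspeed;
    int ledwspeed;

    #define LEDSPEED (1<<ledspeed)
    #define LEDWSPEED (1<<ledwspeed)

    /* volatile so that the compiler does not optimise away the port writes */
    #define LED ((volatile int*) 0xC02200A0)
    #define LEDBLUE ((volatile int*) 0xC0220000)
    #define LEDLONG delay(LEDSPEED<<1)
    #define LEDSHORT delay(LEDSPEED)
    #define LEDWLONG delay(LEDWSPEED)
    #define LEDON  *LED = 0x46
    #define LEDOFF *LED = 0x44
    /* bit set: long delay, bit clear: short delay */
    #define LEDBIT(x) if (c & x) LEDLONG; else LEDSHORT;

    void delay(int i);

    /* Blink out a NUL-terminated string, MSB first; the LED toggles before every bit. */
    void send_string(char* str)
    {
     char c;
     LEDON;
     LEDWLONG;          /* start-of-string marker */
     for (; *str; str++)
     { c=*str;
      LEDOFF;
      LEDBIT(0x80);
      LEDON;
      LEDBIT(0x40);
      LEDOFF;
      LEDBIT(0x20);
      LEDON;
      LEDBIT(0x10);
      LEDOFF;
      LEDBIT(0x08);
      LEDON;
      LEDBIT(0x04);
      LEDOFF;
      LEDBIT(0x02);
      LEDON;
      LEDBIT(0x01);
     }
      LEDOFF;
      LEDSHORT;
    }

    const char *base64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

    /* Blink out len bytes starting at start as base64, in lines of 76 characters. */
    void send_base64(char* start,int len)
    {char base[78];
     base[76] = '\n';
     base[77] = 0;
     /* unsigned char, so that bytes >= 0x80 are not sign-extended */
     const unsigned char* p = (const unsigned char*) start;
     const unsigned char* end = p + len;
     unsigned int b, i=0;
     for (; p < end; p+=3)
     {
       /* bytes past the end of a final partial group are taken as zero */
       b = (p[0]<<16)+((p+1 < end ? p[1] : 0)<<8)+(p+2 < end ? p[2] : 0);
       base[i+3] = base64[b & 0x3F];
       b = b>>6;
       base[i+2] = base64[b & 0x3F];
       b = b>>6;
       base[i+1] = base64[b & 0x3F];
       b = b>>6;
       base[i  ] = base64[b & 0x3F];
       i += 4;
       if (i >= 76)
       { send_string(base);
         i=0;
       }
     }
     if (i) {
      /* the last line is filled up to 76 characters with '=' */
      for (; i<76; i++) base[i]='=';
      send_string(base);
     }
    }

    /* Busy-wait: 16 NOPs per iteration. */
    void delay(int i)
    {
      while (i--)
      {
        asm("NOP");    asm("NOP");    asm("NOP");    asm("NOP");
        asm("NOP");    asm("NOP");    asm("NOP");    asm("NOP");
        asm("NOP");    asm("NOP");    asm("NOP");    asm("NOP");
        asm("NOP");    asm("NOP");    asm("NOP");    asm("NOP");
      }
    }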

    The ledspeed and ledwspeed are to be set (exponential).
    « Last Edit: 02 / June / 2008, 16:14:35 by owerlord »
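
    Added example, not code from this thread: a receiver-side decoder for the blink protocol described in Reply #1 and sent by send_string() above, of the kind that would run on the computer reading a photodiode. The names blink_decode and blink_simulate, the interval-array input format and the use of the 1:2:4 timing ratios from Reply #1 are assumptions; the sample input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Receiver: iv[] holds the measured time between successive LED transitions,
 * unit is the nominal short delay in the same time base. Ratios assumed from
 * the post: short = 1 unit (bit 0), long = 2 (bit 1), very long = 4 (start). */
size_t blink_decode(const uint32_t *iv, size_t n, uint32_t unit,
                    uint8_t *out, size_t cap)
{
    size_t written = 0;
    unsigned acc = 0, nbits = 0, synced = 0;
    for (size_t k = 0; k < n; k++) {
        if (iv[k] >= 3 * unit) {        /* very long: start of a string */
            synced = 1;
            acc = nbits = 0;            /* drop stray bits seen before it */
            continue;
        }
        if (!synced) continue;          /* nothing is valid before first sync */
        acc = (acc << 1) | (2 * iv[k] >= 3 * unit);  /* >= 1.5 units is a 1 */
        if (++nbits == 8) {             /* send_string() sends MSB first */
            if (written < cap) out[written++] = (uint8_t)acc;
            acc = nbits = 0;
        }
    }
    return written;
}

/* Constructed input: the intervals send_string() would produce for str,
 * with a deterministic timing error of up to 20% of a unit on each bit. */
size_t blink_simulate(const char *str, uint32_t unit, uint32_t *iv, size_t cap)
{
    size_t n = 0;
    if (n < cap) iv[n++] = 4 * unit;                /* LEDON, very long delay */
    for (; *str; str++)
        for (int bit = 7; bit >= 0 && n < cap; bit--, n++) {
            uint32_t d = (((unsigned char)*str >> bit) & 1) ? 2 * unit : unit;
            iv[n] = d + (uint32_t)(((int)(n % 3) - 1) * (int)(unit / 5));
        }
    if (n < cap) iv[n++] = unit;                    /* final LEDOFF, short delay */
    return n;
}

int main(void)
{
    uint32_t iv[64]; uint8_t out[8] = {0};
    size_t n = blink_decode(iv, blink_simulate("QUJD", 100, iv, 64), 100, out, 7);
    return printf("%zu bytes: %s\n", n, (char *)out) < 0;
}
```

    The short LED-off interval that send_string() leaves at the end of each string reads as one stray 0 bit; the decoder discards it when the next start marker arrives.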

    *

    ASalina

  • Publish
    Re: Both 40D LEDs Found and Multiple Blinks
    « Reply #5 on: 02 / June / 2008, 23:42:07 »
    A little interesting thing. The original value stored in the LED ports is 0x48, not 0x44. So 0x48 is the "off" value.

    I blinked this out using:

    blue_val = *(BLUE_LED);


    (0x00000F & blue_val)

    and

    (0x00000F & (blue_val >> 4))

    as the test in a for() loop. Same thing with the red LED.

    I think I have an old mouse with a photodiode in it, so I'm going to try blinking out some data directly to the computer.

    How much data (from the firmware section) would be needed to reverse the encryption of the payload in the firmware update?

    Or can I try to get the hash tables from memory? Any suggestions?

    *

    mx3

  • Publish
    Re: Both 40D LEDs Found and Multiple Blinks
    « Reply #6 on: 02 / June / 2008, 23:51:08 »
    Quote

    How much data (from the firmware section) would be needed to reverse the encryption of the payload in the firmware update?

    Flasher has a decryption routine.
    I don't think you need a ROM dump for this.
    skype: max_dtc. ICQ: 125985663, email: win.drivers(at)gmail, eVB decompiler
