This article is part of series about reverse-engineering LKV373A HDMI extender. Other parts are available at:
- Part 1: Firmware image format
- Part 2: Identifying processor architecture
- Part 3: Reverse engineering instruction set architecture
- Part 4: Crafting ELF
- Part 5: Porting objdump
- Part 6: State of the reverse engineering
- Part 7: radare2 plugin for easier reverse engineering of OpenRISC 1000 (or1k)
For quite a long time I did not do anything about LKV373A. During that time the guy nicknamed jhol did fantastic job on my wiki, reversing almost complete instruction set for the encoder’s processor. Beside that nothing new was appearing. This has changed few days ago, when jhol published videos about the device. After that, someone found SDK that seems to match more or less the one used to produce LKV373A firmware. At the time of writing it was not available anymore. Although it provided a lot of useful information and what is important here, it gave a possibility to identify processor architecture. It turned out to be OpenRISC 1000 (or1k). Because it is known, I compiled binutils for that architecture. Unfortunately objdump, which is part of binutils is not the best tool for reverse engineering. Lack of hacks I made for my variant of binutils, which allowed me to follow data references, was making things even worse.
The conclusion was that I need some real reverse engineering tool for or1k architecture. Unfortunately, neither IDA Pro, nor Ghidra, nor radare2 does not have support for it, which is not so surprising, if I heard about it for the first time, when somebody identified LKV373A to have such core. Only few days later, I encountered good tutorial, explaining how to add support for new architecture. I didn’t need anything else.
I am not going to explain how to write disassembly plugin (called asm) for radare2. There are enough resources available. If one wants to try, my repository is quite nice place to start (notice template branch there).
Out of source build and installation
In radare2, it is possible to build plugins out of source. To do that in case of or1k plugins, repository has to be cloned first with usual git clone:
git clone https://github.com/v3l0c1r4pt0r/radare2-or1k.git
Then, inside of radare2-or1k, simply type make.
You should get two .so files in directory asm and anal. You can load them with r2 switch -l or from inside interface using:
L ./asm/asm_or1k.so L ./anal/anal_or1k.so
Be sure to load both plugins, as lack of anal plugin leads to noisy warning shown with every analyzed opcode.
Final result should look more or less like below. This is the beginning of jedi.rom file:
0x00000000 00000000 l.j 0x0
0x00000004 15000002 invalid
0x00000008 9c200011 l.addi r1, r0, 0x11
0x0000000c b4610000 l.mfspr r3, r1, 0x0
0x00000010 9c80ffef l.addi r4, r0, 0xffef
0x00000014 e0432003 invalid
0x00000018 c0011000 l.mtspr r1, r2, 0x0
0x0000001c 18206030 invalid
0x00000020 a8210088 l.ori r1, r1, 0x88
0x00000024 9c400001 l.addi r2, r0, 0x1
0x00000028 d4011000 l.sw r1, r2, 0x0
0x0000002c 15000168 invalid
0x00000030 15000168 invalid
0x00000034 15000168 invalid
0x00000038 15000168 invalid
0x0000003c 00000031 l.j 0x100
0x00000040 15000000 invalid
That’s it. Good luck with reverse engineering!