N8609I 校验码破解


MIPS指令说明

 http://www.mrc.uidaho.edu/mrc/people/jff/digital/MIPSir.html

反汇编码

 ROM:87003D14  # =============== S U B R O U T I N E =======================================  
 ROM:87003D14
 ROM:87003D14  # Attributes: noreturn   (IDA attribute; the body returns through jr $ra at
 ROM:87003D14  #                         87003E04, so this looks like a misanalysis)
 ROM:87003D14
 ROM:87003D14  # int sub_87003D14(byte *a0)  -- flash header check (MIPS32, o32 registers)
 ROM:87003D14  # In:   a0 = header address; the word at -0x7FC4($gp) is added to it first
 ROM:87003D14  # Out:  v0 = 0 if both checks pass, 0xFFFFFFFF (-1) if the 8-bit checksum
 ROM:87003D14  #       or the board id fails; each failure is reported through unk_8700635C
 ROM:87003D14  #       (looks printf-like: format string in a0, one %X argument in a1)
 ROM:87003D14  # Regs: a1 = base+0x8A (address of the last byte pair), a2 = cursor,
 ROM:87003D14  #       a3 = running sum & 0xFF, t0 = return value, s1 = id from base[0..2]
 ROM:87003D14  # Stack: 0x20 bytes; ra, s1, s0 saved at var_8 / var_C / var_10
 ROM:87003D14  # Check 1: bytes [base, base+0x8C) are summed modulo 256 and the result is
 ROM:87003D14  #       compared with the byte at base+0x8C.  An additive 8-bit sum detects
 ROM:87003D14  #       accidental corruption only; it provides no tamper resistance.
 ROM:87003D14  # Check 2: the id assembled from base[0..2] must be 0x97455 or 0x97401.
 ROM:87003D14  # Which byte of a pair the lhu/srl sequence yields depends on the core's
 ROM:87003D14  #       endianness; comments below assume little-endian -- TODO confirm.
 ROM:87003D14
 ROM:87003D14 sub_87003D14:
 ROM:87003D14
 ROM:87003D14 var_10          = -0x10
 ROM:87003D14 var_C           = -0xC
 ROM:87003D14 var_8           = -8
 ROM:87003D14
 ROM:87003D14                 lw      $v0, -0x7FC4($gp)  # v0 = word at gp-0x7FC4 (offset added to a0)
 ROM:87003D18                 addiu   $sp, -0x20       # allocate the 0x20-byte frame
 ROM:87003D1C                 addu    $a0, $v0         # a0 = base = a0 + v0
 ROM:87003D20                 addiu   $a1, $a0, 0x8A   # a1 = base + 0x8A (last pair to sum)
 ROM:87003D24                 sltu    $v0, $a1, $a0    # v0 = (a1 < a0) unsigned: 1 only if base+0x8A wrapped past 2^32
 ROM:87003D28                 sw      $ra, 0x20+var_8($sp)
 ROM:87003D2C                 sw      $s1, 0x20+var_C($sp)
 ROM:87003D30                 sw      $s0, 0x20+var_10($sp)
 ROM:87003D34                 move    $t0, $0          # t0 = 0: return value, 0 = OK
 ROM:87003D38                 move    $a3, $0          # a3 = 0: running 8-bit sum
 ROM:87003D3C                 bnez    $v0, LB_CHECKSUM_FAILED  # wrapped -> skip the loop (label misnamed: also the normal post-loop path)
 ROM:87003D40                 move    $a2, $a0         # delay slot, always executed: a2 = base (cursor)
 ROM:87003D44
 ROM:87003D44 LB_EVAL_LOOP:                            # CODE XREF: sub_87003D14+50↓j
 ROM:87003D44                 lhu     $v0, 0($a2)      # v0 = halfword at a2
 ROM:87003D48                 lbu     $v1, 0($a2)      # v1 = byte a2[0]
 ROM:87003D4C                 srl     $v0, 8           # v0 = hi = high byte of that halfword (a2[1] on little-endian)
 ROM:87003D50                 addu    $v0, $a3, $v0    # v0 = a3 + hi
 ROM:87003D54                 andi    $a3, $v0, 0xFF   # a3 = (a3 + hi) & 0xFF
 ROM:87003D58                 addiu   $a2, 2           # a2 += 2
 ROM:87003D5C                 addu    $v1, $a3, $v1    # v1 = a3 + a2[0]  (a2[0] of the pair just read)
 ROM:87003D60                 sltu    $v0, $a1, $a2    # v0 = (a1 < a2) unsigned: 1 once the cursor passed base+0x8A
 ROM:87003D64                 beqz    $v0, LB_EVAL_LOOP  # loop while a2 <= a1: 70 pairs, bytes [base, base+0x8C)
 ROM:87003D68                 andi    $a3, $v1, 0xFF   # delay slot, runs every iteration: a3 = (a3 + a2[0]) & 0xFF
 ROM:87003D6C
 ROM:87003D6C LB_CHECKSUM_FAILED:                      # CODE XREF: sub_87003D14+28↑j
 ROM:87003D6C                                          # reached on normal loop exit as well: compare sum with stored byte
 ROM:87003D6C                 lhu     $v1, 0($a0)      # v1 = halfword at base
 ROM:87003D70                 lbu     $a1, 2($a0)      # a1 = base[2]
 ROM:87003D74                 andi    $v0, $v1, 0xFF   # v0 = lo = low byte of the halfword (base[0] on little-endian)
 ROM:87003D78                 sll     $v0, 16          # v0 = lo << 16
 ROM:87003D7C                 andi    $v1, 0xFF00      # v1 = high byte (base[1] on little-endian) kept in bits 15..8
 ROM:87003D80                 lbu     $a0, 0($a2)      # a0 = byte at the cursor: the stored checksum (base+0x8C after a full loop)
 ROM:87003D84                 or      $v0, $v1         # v0 = lo<<16 | hi<<8
 ROM:87003D88                 beq     $a3, $a0, LB_INVALID_IMAGE  # sum == stored byte -> skip the report (label misnamed: this is the success path into the id check)
 ROM:87003D8C                 or      $s1, $v0, $a1    # delay slot, always executed: s1 = lo<<16 | hi<<8 | base[2]  (24-bit board id)
 ROM:87003D90                 lui     $a0, 0x8708      # upper half of the message address (the single-insn la at 87003DA0 adds the low half)
 ROM:87003D94                 la      $v0, unk_8700635C  # v0 = report routine
 ROM:87003D9C                 jalr    $v0
 ROM:87003DA0                 la      $a0, aFlashChecksumF  # delay slot: "FLASH CHECKSUM FAILED.\n"
 ROM:87003DA4                 li      $t0, 0xFFFFFFFF  # t0 = -1; execution still falls into the id check
 ROM:87003DA8
 ROM:87003DA8 LB_INVALID_IMAGE:                        # CODE XREF: sub_87003D14+74↑j
 ROM:87003DA8                                          # board-id check: s1 must equal one of two constants
 ROM:87003DA8                 lui     $v0, 9           # upper halves of the two ids (the li lines supply the low halves)
 ROM:87003DAC                 lui     $v1, 9
 ROM:87003DB0                 li      $v0, 0x97455     # v0 = accepted id #1
 ROM:87003DB4                 xor     $v0, $s1, $v0    # v0 = 0 iff s1 == 0x97455
 ROM:87003DB8                 li      $v1, 0x97401     # v1 = accepted id #2
 ROM:87003DBC                 xor     $v1, $s1, $v1    # v1 = 0 iff s1 == 0x97401
 ROM:87003DC0                 sltu    $v0, $0, $v0     # v0 = (s1 != 0x97455)
 ROM:87003DC4                 movz    $v0, $0, $v1     # if s1 == 0x97401 then v0 = 0  => v0 = (s1 matches neither id)
 ROM:87003DC8                 beqz    $v0, loc_87003DF4  # either id accepted -> return
 ROM:87003DCC                 lui     $a0, 0x8708      # delay slot: upper half of the message address
 ROM:87003DD0                 la      $s0, unk_8700635C  # s0 = report routine (callee-saved, reused for the second call)
 ROM:87003DD8                 jalr    $s0
 ROM:87003DDC                 la      $a0, aInvalidFlashIm  # delay slot: "INVALID FLASH IMAGE\n"
 ROM:87003DE0                 la      $a0, aWrongBoardType  # "Wrong board type (0x%X).\n"
 ROM:87003DE8                 jalr    $s0
 ROM:87003DEC                 move    $a1, $s1         # delay slot: a1 = the rejected id, printed by %X
 ROM:87003DF0                 li      $t0, 0xFFFFFFFF  # t0 = -1
 ROM:87003DF4
 ROM:87003DF4 loc_87003DF4:                            # CODE XREF: sub_87003D14+B4↑j
 ROM:87003DF4                                          # common epilogue
 ROM:87003DF4                 lw      $ra, 0x20+var_8($sp)
 ROM:87003DF8                 lw      $s1, 0x20+var_C($sp)
 ROM:87003DFC                 lw      $s0, 0x20+var_10($sp)
 ROM:87003E00                 move    $v0, $t0         # return value: 0 = OK, -1 = failed
 ROM:87003E04                 jr      $ra
 ROM:87003E08                 addiu   $sp, 0x20        # delay slot: release the frame
 ROM:87003E08  # End of function sub_87003D14

核心代码的C代码

 // Draft 1 of the summing loop of sub_87003D14 (register names kept).
 // NOTE(review): the listing also does v1 += a3 (addu at 87003D5C) before the
 // delay-slot a3 = v1 & 0xff; that addition is missing here.  "v1.h = *a2" is an
 // lbu in the listing (one byte, not a halfword).  The listing tests the exit
 // condition after the body (do-while); the pre-loop sltu/bnez guard makes the
 // two forms agree.
 for( t0 = 0 , a3 = 0 , a2 = a0 ; a1 >= a2 ; a2 +=2 , a3 = v1 & 0xff ){
    v0.h = *a2;                 // lhu 0($a2)
    v1.h = *a2;                 // lbu 0($a2): a byte
    v0 >>= 8 ;                  // high byte of the halfword
    v0 += a3 ; 
    a3 = v0 & 0xff ;
 }

核心代码的C代码第二版

 // Draft 2: reads the two bytes of each pair directly.
 // NOTE(review): the listing adds the srl'd high byte first (addu at 87003D50)
 // and the lbu'd byte a2[0] second (87003D5C); the order here is reversed, which
 // does not change the result because the sum is taken modulo 256.  a2 = a0
 // (move at 87003D40) is not shown in this draft.  Which byte the lhu/srl pair
 // yields depends on the core's endianness -- TODO confirm.
 for( v0 = v1 = a3 = 0 ; a1>=a2 ; a2 +=2 ){
   v0 = *(byte*)a2;            // byte a2[0]
   v1 = *((byte*)a2[1]);       // presumably meant ((byte*)a2)[1], the other byte of the pair
   a3 += v0 ; a3 &= 0xff;
   a3 += v1 ; a3 &= 0xff;
 }

C代码第三版

 // Draft 3: the loop plus a worked example of the post-loop id assembly.
 // NOTE(review): this differs from the listing: the cursor steps by 1 here but
 // by 2 there (addiu $a2, 2), and the exit test is a2 < a1 here whereas the
 // listing keeps looping while a2 <= a1 (the pair at base+0x8A is included).
 a3 = 0 ;
 a2 = a0;
 while( a2 < a1 ){
   a3 += *a2 ;a3 &= 0xff;
   a3 += a2[1]; a3 &=0xff;
   a2++;                       // listing: a2 += 2
 }
 // Worked example with header bytes 00 01 02 03 at a0.  The halfword is taken
 // as 0x0001 (big-endian order); a little-endian core would read 0x0100 -- TODO confirm.
 a0:00 01 02 03 
 v1 = 0001;                    // lhu 0($a0)
 a1 = 02;                      // lbu 2($a0)
 v0 = v1 & 0xff;
 v0 <<= 16 ; //00010000
 v1 = v1 & 0xff00; // 0000
 a0 = *(byte*)a2;              // stored checksum byte at the cursor
 v0 != v1 ;                    // presumably "v0 |= v1" (or $v0, $v1 at 87003D84)
 s1 = v0 | a1 
 if( a3 != a0 )出错            // "FLASH CHECKSUM FAILED", t0 = -1; the id check below still runs
 v0 = 0x97455
 v1 = 0x97401
 v0 = s1 ^ v0 ;
 v1 = s1 ^ v1 ;
 // NOTE(review): sltu $v0,$0,$v0 / movz $v0,$0,$v1 / beqz accept s1 when EITHER
 // xor is zero, i.e. the condition is (v0 == 0 || v1 == 0); "v0>=0 && v1 == 0"
 // would reject id 0x97455.
 if(v0>=0 && v1 == 0 )ok
 出错

C代码第四版

 // Draft 4: function-shaped decompilation of sub_87003D14.
 // NOTE(review): points where this draft and the listing disagree:
 //  - the loop runs while pointer <= end (sltu $a1,$a2 / beqz), so the pair at
 //    base+0x8A is summed and pointer ends at base+0x8C, where the stored
 //    checksum byte is read;
 //  - "skip_flag = *pointer" is a 16-bit load (lhu) whose high byte is summed,
 //    and the delay-slot andi folds b2 back in: temp = (b2 + temp) & 0xff;
 //  - the halfword at base is split into its low byte << 16 and high byte << 8
 //    (base[0], base[1] on a little-endian core) before the or; base[2] is one
 //    byte (lbu 2($a0)), not a word;
 //  - after FLASH_CHECKSUM_FAILED the listing only sets the return value to -1
 //    and continues into the id check;
 //  - the id check accepts EITHER constant: the image is rejected only when
 //    w1 != 0 && w2 != 0, and the rejected id is printed with "Wrong board type (0x%X)".
 check_kernel( byte * base ){
 	int skip_flag = gp[-7FC4];          // lw $v0, -0x7FC4($gp)
 	base += skip_flag;
 	end = base + 0x8a ;
 	skip_flag = (end<base)?1:0;         // sltu $v0, $a1, $a0: wrap-around guard
 	byte *  pointer = base;
 	if( end >= base  ){
 		for( temp = 0 ; pointer < end ; pointer +=2 ){   // listing: continues while pointer <= end
 			skip_flag = *pointer;          // lhu: 16-bit load
 			byte b2 = pointer[1];          // lbu 0($a2) in the listing; both bytes of the pair are summed either way
 			skip_flag >>=8 ;
 			skip_flag += temp;
 			temp = skip_flag & 0xff ;
 			b2 += temp ;                   // listing then does temp = b2 & 0xff (andi in the delay slot)
 		}
 	}
 	if( temp != *pointer ) FLASH_CHECKSUM_FAILED;   // listing: report, set return to -1, keep going
 
 	skip_flag = base[0] | base[1];     // listing: (lo << 16) | (hi << 8)
 	s1 = skip_flag |  *((word)&base[2]);   // listing: a single byte, lbu 2($a0)
 	
 	w1 = s1 ^ 0x97455;
 	w2 = s1 ^ 0x97401;
 	if( w1 > 0 )INVALID FLASH IMAGE;   // listing: reject only if w1 != 0 && w2 != 0
 	if( w2 > 0 )INVALID FLASH IMAGE;
 }