#19
11-15-2007, 02:46 PM
no2chem
Retired Staff
Threadstarter
Join Date: May 2007
Posts: 1,168
Quote:
Originally Posted by dcd
Ya know, I hadn't thought about it, but I'm sure you're right that this would reintroduce the alarm issues. I guess atm we're stuck choosing between the lesser of 2 problems. I'll take another stab at xip porting tonight and maybe this time, I can save you the time
Maybe I should do a little write-up on how to port xip. Essentially:

Don't dump with rommaster (manually extract the rom).
To do this, first nbsplit, then on the payload...
Run imgfsfromnb. Write down the imgfs start location.
Open os.nb.payload with a hex editor. Go to the imgfs start location, and delete to the end. Go to the beginning of the file, and search for FE 03 00 EA (unconditional branch to 00 03 FE), and find the second / last occurrence. (This is the second xip.)
Delete everything from the beginning to just before the second branch.
Save this as your xip.bin.

Open xipport. Press dump xip.bin. Move stuff around, checking the maps between the donor xip and your xip. When you're done, press realloc p, and write maps. If any area shows !!!, fix it. (Usually, modify realaddress[r] in imageinfo.txt, where r is the xipregion.)

Technically, you might need to check the nk.exe pointer in S000 of nk.exe, but I think realloc p fixes that (maybe). If you're worried, from the old map of the xip (not from the donor, but your device), search for the rom_00 header, look at where it starts, and check if it matches with the new map. If it doesn't, you'll have to do this: if the old start address is 8ABCDEF9, search S000 of nk.exe for F9 DE BC 8A (just an example), because of the endianness of ARM. Replace with the new start address, and be sure to reverse it as well.

Once you're done, write xipout.bin, and write it to os.nb.payload at the right xip2 address (for the Titan, it's 3200000) (sleepy and not sure if I put the right amount of zeros, but the default is 3100000, so change the 1 to a 2).

Hopefully everything boots up after this. I've used this technique to change everything except nk.exe... which is device dependent, so you'll have to do other stuff...

http://www.airscanner.com/pubs/fogieDC11.pdf is a good reference for ARM assembly opcodes
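The hex-editor steps above (cut at the imgfs start, locate the last FE 03 00 EA branch, carve the second xip, and byte-reverse an address when patching the nk.exe pointer) are easy to get wrong by hand, so here is an added Python example that automates them. It is not no2chem's code and does not reproduce nbsplit, imgfsfromnb or xipport: the imgfs start offset and the xip2 write offset are passed in as parameters (assumed to come from those tools), and the sample payload and the S000 stand-in are constructed so the script runs offline. It also refuses to proceed when the branch pattern or the old pointer is not where the procedure expects, which is the check you would otherwise do by eye.

```python
import struct

# ARM "B" (branch, condition AL) instruction the post searches for, in the
# little-endian byte order it appears in on disk: FE 03 00 EA.
BRANCH_PATTERN = b"\xfe\x03\x00\xea"


def find_all(data: bytes, pattern: bytes) -> list:
    """Offsets of every non-overlapping occurrence of pattern in data."""
    offsets = []
    pos = 0
    while True:
        idx = data.find(pattern, pos)
        if idx < 0:
            return offsets
        offsets.append(idx)
        pos = idx + len(pattern)


def carve_xip(payload: bytes, imgfs_start: int) -> bytes:
    """Carve the second xip out of an os.nb.payload image.

    Mirrors the manual steps: drop everything from imgfs_start to end of file,
    then drop everything before the last branch pattern (the second xip).
    imgfs_start is the value written down from imgfsfromnb (assumed input).
    """
    if not 0 < imgfs_start <= len(payload):
        raise ValueError("imgfs start offset outside the payload")
    head = payload[:imgfs_start]
    branches = find_all(head, BRANCH_PATTERN)
    if len(branches) < 2:
        raise ValueError("expected at least two branch patterns before imgfs, found %d"
                         % len(branches))
    return head[branches[-1]:]


def addr_to_bytes(addr: int) -> bytes:
    """ARM is little-endian, so 0x8ABCDEF9 appears in a file as F9 DE BC 8A."""
    return struct.pack("<I", addr)


def patch_pointer(section: bytes, old_addr: int, new_addr: int) -> bytes:
    """Replace the little-endian pointer old_addr with new_addr in a section,
    refusing to guess when the old value is absent or appears more than once."""
    old, new = addr_to_bytes(old_addr), addr_to_bytes(new_addr)
    hits = section.count(old)
    if hits != 1:
        raise ValueError("pointer %08X found %d times; expected exactly once" % (old_addr, hits))
    return section.replace(old, new)


def write_xip_back(payload: bytes, xip: bytes, xip2_offset: int) -> bytes:
    """Overwrite payload at xip2_offset with the rebuilt xipout.bin; the offset
    is the device's xip2 address (assumed input), and the write must fit."""
    if xip2_offset < 0 or xip2_offset + len(xip) > len(payload):
        raise ValueError("xipout.bin would run past the end of the payload")
    return payload[:xip2_offset] + xip + payload[xip2_offset + len(xip):]


# Constructed sample payload (not a real ROM): two branch patterns followed by
# a stand-in for the ImageFS area, so the imgfs start offset is 36.
SAMPLE_PAYLOAD = (
    b"\x00" * 8            # offset 0: filler before the first xip
    + BRANCH_PATTERN       # offset 8: first xip entry branch
    + b"\x11" * 12         # offset 12: first xip body
    + BRANCH_PATTERN       # offset 24: second xip entry branch
    + b"\x22" * 8          # offset 28: second xip body
    + b"IMGFS-STANDIN"     # offset 36: where imgfsfromnb would report imgfs
)
SAMPLE_IMGFS_START = 36

# Constructed stand-in for nk.exe section S000 holding the old ROM start address.
SAMPLE_S000 = b"\x00" * 4 + addr_to_bytes(0x8ABCDEF9) + b"\xff" * 4


if __name__ == "__main__":
    xip = carve_xip(SAMPLE_PAYLOAD, SAMPLE_IMGFS_START)
    print("xip.bin: %d bytes, starts at payload offset %d"
          % (len(xip), SAMPLE_IMGFS_START - len(xip)))
    print("old pointer bytes:", addr_to_bytes(0x8ABCDEF9).hex(" "))
    patched = patch_pointer(SAMPLE_S000, 0x8ABCDEF9, 0x8AC00000)
    print("patched S000:", patched.hex(" "))
    rebuilt = write_xip_back(SAMPLE_PAYLOAD, xip, SAMPLE_IMGFS_START - len(xip))
    print("payload unchanged after writing xip back in place:", rebuilt == SAMPLE_PAYLOAD)
```

On a real image you would read os.nb.payload from disk, pass the imgfs offset from imgfsfromnb and the xip2 offset for your device, and write the carved bytes out as xip.bin for xipport; the `hits != 1` check in `patch_pointer` is the safeguard against blindly replacing a 4-byte value that happens to occur elsewhere in S000.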