Dumping Calypso DSP ROM for archiving

Das Signal das.signal at freecalypso.org
Tue Oct 29 12:59:37 UTC 2019

Hi Mychaela,

> instructions to populate them on two FCDEV3B boards.  Thus hopefully
> later this week I will have a board or two with this rare Calypso DSP
> ROM version for experimentation.

Awesome :)

> Whoever did that work in the OBB camp (was it Sylvain Munaut?) found
> these two exploitable instruction sequences in the ROM:

I can confirm it was indeed Sylvain Munaut. It is worth noting that
before him another person also managed the same feat, as described here:

Quoting g3gg0:

>>> I'm still trying to figure out how AlexD managed to get it...
>> well, he is a good hacker
>> the DSP didn't allow to read the protected ROM addresses from a not protected
>> address (MCU-DSP shared RAM, where DSP code gets uploaded).
>> see TMS datasheet for more info.
>> but he found a routine that is in the ROM area (but in readable area)
>> which did the "memcpy" stuff from protected ROM to RAM without further checks.
>> that way he was able to dump the protected ROM
>> he did nice work :)

Incidentally I believe a very similar trick was used to dump the ARM7 ROM of the
Nintendo DS:

