Dumping Calypso DSP ROM for archiving

Das Signal das.signal at freecalypso.org
Tue Oct 29 12:59:37 UTC 2019


Hi Mychaela,

> instructions to populate them on two FCDEV3B boards.  Thus hopefully
> later this week I will have a board or two with this rare Calypso DSP
> ROM version for experimentation.

Awesome :)

> Whoever did that work in the OBB camp (was it Sylvain Munaut?) found
> these two exploitable instruction sequences in the ROM:

I can confirm it was indeed Sylvain Munaut. It is worth noting that
before him another person also managed the same feat, as described here:
http://forum.gsmhosting.com/vbb/f83/alexd-made-nokia-5110-rom4-dump-288554/

Quoting g3gg0:

>>> I'm still trying to figure out how AlexD managed to get it...
>> well, he is a good hacker
>> the DSP didn't allow to read the protected ROM addresses from a not protected
>> address (MCU-DSP shared RAM, where DSP code gets uploaded).
>> see TMS datasheet for more info.
>> but he found a routine that is in the ROM area (but in readable area)
>> which did the "memcpy" stuff from protected ROM to RAM without further checks.
>> that way he was able to dump the protected ROM
>> he did nice work :)

Incidentally I believe a very similar trick was used to dump the ARM7 ROM of the
Nintendo DS:
https://raw.githubusercontent.com/Epicpkmn11/NitroHax3DS/master/BootLoader/source/read_bios.s

--DS


More information about the Community mailing list