Dumping Calypso DSP ROM for archiving
das.signal at freecalypso.org
Tue Oct 29 12:59:37 UTC 2019
> instructions to populate them on two FCDEV3B boards. Thus hopefully
> later this week I will have a board or two with this rare Calypso DSP
> ROM version for experimentation.
> Whoever did that work in the OBB camp (was it Sylvain Munaut?) found
> these two exploitable instruction sequences in the ROM:
I can confirm it was indeed Sylvain Munaut. It is worth noting that
before him another person also managed the same feat, as described here:
>>> I'm still trying to figure out how AlexD managed to get it...
>> well, he is a good hacker
>> the DSP didn't allow to read the protected ROM addresses from a not protected
>> address (MCU-DSP shared RAM, where DSP code gets uploaded).
>> see TMS datasheet for more info.
>> but he found a routine that is in the ROM area (but in readable area)
>> which did the "memcpy" stuff from protected ROM to RAM without further checks.
>> that way he was able to dump the protected ROM
>> he did nice work :)"
Incidentally I believe a very similar trick was used to dump the ARM7 ROM of the