SV1000_V0331P_Charlie&Beverly_Fixed 8/29/2008
Like the sv4k files this is NEC processor code. MIPSb type code.
SFBOOTLD installs at bfc00000 in flash
SFBOOT01 installs at bfc02000
SFMAINSW at bfc20000 but contents are un-packed to RAM at 80020000
"SFSATINF" 0xBFD90000
SFCHNINF 0xBFDA0000 ?0x3BE00 bytes?
key data @ 0xBFD60000
Search for "SV1000_P.bin", select from the "PK" just before that string to the end of the file, save the selection as a .zip file, and then use an un-zip program to extract the contents.
01EC09 to 125AEe gives an extracted 25D6b0 sized file. That file should be loaded to IDA Pro at base addr of 0x80020000.
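The carve-and-unzip step from the notes above, as an added Python example (not part of the original notes). It runs on a constructed stand-in image; the helper names and the check that the "PK" header actually owns the member name are additions made here.

```python
import io
import struct
import zipfile

MEMBER = b"SV1000_P.bin"     # archive member name given in the notes
LOCAL_SIG = b"PK\x03\x04"    # ZIP local file header signature

def carve_zip(image: bytes, member: bytes = MEMBER) -> bytes:
    """Return the image bytes from the local header owning `member` to EOF."""
    name_at = image.find(member)
    if name_at < 0:
        raise ValueError("member name not found in image")
    start = image.rfind(LOCAL_SIG, 0, name_at)
    if start < 0 or name_at < start + 30:
        raise ValueError("no usable PK local header before the member name")
    # Bytes 26..27 of a local header hold the name length; the name starts at 30.
    (name_len,) = struct.unpack_from("<H", image, start + 26)
    if name_at + len(member) > start + 30 + name_len:
        raise ValueError("nearest PK signature does not own the member name")
    return image[start:]

def extract_member(image: bytes, member: bytes = MEMBER) -> bytes:
    """Carve the archive, let zipfile verify the CRC-32, return the payload."""
    with zipfile.ZipFile(io.BytesIO(carve_zip(image, member))) as zf:
        if zf.testzip() is not None:
            raise ValueError("CRC mismatch in carved archive")
        return zf.read(member.decode("ascii"))

def constructed_image(payload: bytes) -> bytes:
    """Constructed stand-in: header-like padding followed by a ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MEMBER.decode("ascii"), payload)
    return b"SFMAINSW" + bytes(0x20) + buf.getvalue()

if __name__ == "__main__":
    sample = bytes(range(256)) * 16   # constructed payload, not real firmware
    out = extract_member(constructed_image(sample))
    print(f"extracted {len(out):#x} bytes; load at base 0x80020000 per the notes")
```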
The simple sum over the same span of the file is 089b9fd6; XOR with 19450815 gives 11DE97C3, as seen at 0x1ebed (0xc bytes into SFMAINSW).
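The checksum relation noted above, as an added Python example (not part of the original notes) that re-derives the stored field for a section and compares it. Assumptions made here: "simple sum" is a byte-wise sum truncated to 32 bits, the field is stored big-endian, spans use Python slice bounds, and the 0x28-byte header in the sample image is constructed.

```python
import struct

XOR_CONST = 0x19450815   # constant given in the notes
TAG = b"SFMAINSW"        # section tag given in the notes
CSUM_OFF = 0xC           # checksum field sits 0xc bytes into the tag header

def finalize(total: int) -> int:
    """Truncate the running sum to 32 bits and apply the XOR constant."""
    return (total & 0xFFFFFFFF) ^ XOR_CONST

def span_checksum(span: bytes) -> int:
    # Assumption: "simple sum" means a sum of unsigned bytes.
    return finalize(sum(span))

def check_section(image: bytes, start: int, end: int) -> dict:
    """Compare the stored field with the checksum of image[start:end]."""
    hdr = image.rfind(TAG, 0, start)
    if hdr < 0 or hdr + CSUM_OFF + 4 > start or end > len(image):
        raise ValueError("section header or span out of range")
    # Assumption: big-endian field (the notes call the code MIPSb).
    (stored,) = struct.unpack_from(">I", image, hdr + CSUM_OFF)
    computed = span_checksum(image[start:end])
    return {"header_at": hdr, "stored": stored,
            "computed": computed, "ok": stored == computed}

def constructed_image():
    """Constructed stand-in laid out like the notes: tag header, then span."""
    body = bytes(range(256)) * 4
    hdr = bytearray(0x28)
    hdr[:8] = TAG
    struct.pack_into(">I", hdr, CSUM_OFF, span_checksum(body))
    pad = b"\xff" * 0x10
    start = len(pad) + len(hdr)
    return pad + bytes(hdr) + body, start, start + len(body)

if __name__ == "__main__":
    image, start, end = constructed_image()
    result = check_section(image, start, end)
    print({k: hex(v) if k != "ok" else v for k, v in result.items()})
    # The figures quoted in the notes satisfy the same relation.
    print(hex(finalize(0x089B9FD6)))
```

An additive sum with a fixed XOR constant is unkeyed and order-insensitive, so a match only shows the span arrived intact; it is not evidence of where the image came from.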
Disassemble @8002087C ?does a big chunk of the code at start of file?
But hit c at 80044008 to really kick off main code disassembly. This is just before an NEC copyright notice BTW.
Using the sv4k IDC with start addr changed to 80044494 gives more complete disassembly of the code.
note needed to manually kick off at 800F2F94 too--need to make that addiu search better!!
note settings for gp and sp registers:
ROM:80020034 la $sp, unk_80043058
ROM:8002003C la $gp, unk_8003CCD8
end of file @8027D6AF
80142190 # Zmodem init (2a 2a 18)
80143D3C # init zmodem xfer (0x18.....\r)
80141CE8 # send null terminated string out serial port
80141A9C # send byte out serial port
80141AE0 # 2nd send byte out serial port
80141D40 # send hex format byte to serial port
801423C4 # send 2a 18 to serial port using 2nd routine
8014410C # check the file extension
80144CC4 # do "dxmain.rom"
8015C9B0 # send "VX" serial message
8015CA30 # serial send "........-" file header and VX message
800DE95C # display msg on screen
801D631C # memset
801D6224 # memcpy
801D8310 # memcmp?--string compare
80145434 # test for file header like "SFMAINSW"
8015CE7C # "Software Downloading..." and flash update
8015E13C # read file from serial port
8015D8A4 # "Data Uploading..."
800BEB10 # do ui main
800BBD7C # install task
800BE02C # install ui
8009229C # install a task handler?
80162770 # save CWs? based on 0/1 even/odd
8015F6DC # NAGR_ProcessEcmData
8016383C # nagra2_ecm
80164B2C # NAGRA2ECM
8016AC60 # N2ECMNew
80167C50 # nagra2_newecm
800BC490 # read sw version stuff in flash--bfc02010, bfd90010
800BC598 # S2010F test
80145A80 # header checksum--uses 0x19450815
80145ED8 # mainsw transfer
80145914 # sw update callback?
800BAF44 # delay?
80188BBC # flash block erase?
800D0CAC # 0xbfd80000
800B435C # enter PIN code OSD
800DC688 # OSD "Channel is locked"
?possible PIN codes? 0x7530 (30000), 0xEA60 (60000), 0x11170 (70000), 0x13880 (80000), 0x15F90, 0x15F91
main PIN? 0x8C2 (2242)--yep, see it in lots of places
in ui main:
ROM:800BEE60 li $t9, 0x8C2
800E132C # OSD "turn off after" "min"
800D75F8 # OSD "AUDIO" "STEREO"
801292D4 # OSD "MOVE" "RESIZE" "ZOOM"
801D83FC # strcmp?
8017FC08 # year/mo/day?
8016CE68 # RSAmod load for EMMs?
8016F428 # idea/RSA steps
80163DA4 # ?autoroll?
80182170 # "sc_cass_process" EMM handling?
80181D58 # "sc_cass_process" ECM handling?
8010F6A0 # OSD "Stand-by mode AutoRoll"
8010DFD0 # OSD "Auto Dolby Select" "No Template Loaded !"
8010B944 # OSD "TV Type" "AV Settings"
800C83F8 # something to do with chinf? 0x3BE00 bytes
800CF03C # copy chinf from flash
800E07CC # Edit CHINFO and save
8015DAF0 # set up sat and ch info for send to PC?
8015DCDC # send sat and ch info?
80188D2C # erase bfda0000 area
80074D34 # low level serial port routine. note B2001000 register use
8007485C # Read? low level serial port routine. note B2001000 register use
80076A9C # send n bytes out serial port?
(handle?port?, buffer/location, n) port usually = 1
800769BC # read n bytes from serial port w/timeout
(port#, buffer, n, timeout)
8015CE0C # serial port task handler--installed as "ui_beep"?
------------------------------------------
IR custom code 7d 37 (125 55) NEC1--Hmm, lirc and other sv-1000 jp1 file shows 00 FF
801B0550 # "PIN_HISR" task
801B0584 # "REM_CBT" task
801B22E0 # "RTC_CBT"
801AF8F4 # "GPIO_CBQ"
8019E260 # "GRP_RGA"
800740B0 # install Uart RX/TX
80076C88 # "VENCDRVA"
8009C9F8 # "TunerTask" install
800B3F80 # CC on/off OSD
800BB1B4 # "APP_SEM"
800BB284 # "APP_Q"
800F0B74 # part of un-zip?
801261D4 # something about volume /view
8012B5D4 # something about volume and multipicture
80128B28 # multipicture OSD
8010CAD8 # Version info OSD
80174A38 # select dump of card
801D6F24 # sprintf
ROM:8006E420--?part of remote look up table?
8008544C # get a waiting AMES?
80085AC0 # get waiting HISR
800EA9F0 # part of EPG OSD?--has CC ON/OFF step
800C79C8 # box init: move CH data from flash to RAM and test for proper header
800BE6A8 # get button pressed code?
800AB8FC # delete/save OSD
800D93DC # edit sat OSD
800A4BE4 # put a menu OSD on screen w/ title
800D8BB4 # fav sat OSD
800DAAC4 # another sat OSD
800DF094 # select lang OSD
800E22D8 # previous ch OSD
800E3D90 # EPG reminder OSD
800E5C1C # channel list edit
800FDBC8 # another ch edit OSD--includes the FTA/CAS menu
801120EC # dish settings OSD
80117398 # transponder edit
8011E568 # sort OSD
801201DC # channel guide OSD
801464CC # data transfer OSD
8014BF34 # dish settings/blind scanning OSD
80151934 # event timer/sleep/mode OSD
801523E8 # another channel list OSD?
8015ADA0 # Category OSD
80105A60 # FTA/CAS OSD
800FABD0 # OSD includes FTA/CAS--not called?
8011A188 # send cmd by index
800D13B0 # menu system
80131920 # Tetris game
8012EDA8 # Hexa game
8012F360 # "Sokoban" game
80105DB8 # "User Settings"
800F2F94 # dish setting TAB OSD
800DCAE8 # "Factory Reset"
800A064C # put on-screen menu title string
800B0A88 # put a string at a "line" on the screen
800A99B8 # Debug message?
800BDFD8 # get user response code
8012ED34 # game over message