Reverse Engineering Hints

From Openlgtv


It is recommended to use IDA Pro for disassembling the RELEASE executable. See for more information. You may also use the freeware version of IDA Pro. The symbol file RELEASE.sym from the lgres partition of the TV contains the function and label names of the RELEASE executable. It can be converted to an IDC script file with the epk2extract tool. After conversion you can import it into IDA for a better understanding of the disassembly. This must be done before IDA analyzes the RELEASE executable.

MIPS processor instruction set reference

Both the MStar and the Broadcom based SoCs in LG TVs contain a microprocessor with MIPS architecture. When reverse engineering the RELEASE executable it is useful to know the exact behaviour of the instruction set. The following document is a good starting point for this type of information:

Function calls & parameter passing

When reverse engineering assembly code you usually have to track parameter passing through multiple nested function calls. So for reversing RELEASE you have to know how function calls and parameter passing are technically realized in MIPS assembler.

In MIPS assembler a function call is done with a jump or branch instruction. One special behaviour you have to pay attention to is the automatic execution of the instruction that directly follows the jump/branch instruction itself. This is done BEFORE the jump/branch actually takes effect. This directly following instruction is called the 'branch delay slot'. When the jump/branch instruction is conditional, the branch delay slot is executed only if the condition is true. Otherwise the branch delay slot is completely ignored.

Function parameters are normally passed in registers. For example, integer parameters are generally passed in registers a0, a1, a2 and a3, and integer results are returned to the caller in register v0. But this is only a recommendation and may vary from function call to function call. A completely different way of parameter passing uses the stack. The following document explains this technique in detail:

Understanding the MIPS stack:

Both techniques can be combined in a single function call.
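As an added example (not from the Openlgtv page or from epk2extract), a small Python script that applies these conventions to an IDA-style MIPS listing: for each jal/jalr it collects the instructions that loaded $a0-$a3 beforehand, counts the branch delay slot as part of that setup because it runs before the callee does, and finds the first consumer of $v0 after the return. The listing is constructed for illustration, and only register-based passing is handled, not the stack-based case.

```python
# Added example: track o32 argument setup ($a0-$a3) and result use ($v0) per call.
ARG_REGS = ("$a0", "$a1", "$a2", "$a3")
RET_REG, CALLS = "$v0", ("jal", "jalr")
STORES = ("sw", "sh", "sb")   # first operand is a source, not a destination

# Constructed sample in IDA listing style, NOT taken from the real RELEASE binary.
# The instruction after each jal is its branch delay slot.
SAMPLE = """li      $a0, 0x10
lui     $a1, 0x8040
jal     sub_80401234
addiu   $a1, $a1, 0x100
move    $s0, $v0
move    $a0, $s0
jal     sub_80405678
li      $a1, 3
sw      $v0, 0x18($sp)
"""

def parse(line):
    """Split 'mnemonic op1, op2, ...' into (mnemonic, [operands])."""
    mnem, _, rest = line.partition(" ")
    return mnem, [op.strip() for op in rest.split(",") if op.strip()]

def first_result_use(lines):
    """First instruction touching $v0 before the next call (simple heuristic)."""
    for line in lines:
        if parse(line)[0] in CALLS:
            return None
        if RET_REG in line:
            return line

def analyze_calls(listing):
    """One dict per call site: target, argument setup per register (program
    order, delay slot last), the delay-slot instruction and the $v0 consumer."""
    lines = [" ".join(l.split()) for l in listing.splitlines() if l.strip()]
    calls, writes, pending = [], {}, None
    for idx, line in enumerate(lines):
        mnem, ops = parse(line)
        if ops and ops[0] in ARG_REGS and mnem not in STORES:
            writes.setdefault(ops[0], []).append(line)
        if pending is not None:
            # This line is the delay slot of the previous jal/jalr: it executed
            # BEFORE the callee ran, so its register write belongs to that call.
            pending.update(delay_slot=line, args=writes,
                           result_use=first_result_use(lines[idx + 1:]))
            calls.append(pending)
            pending, writes = None, {}   # $a0-$a3 are not preserved across calls
        elif mnem in CALLS:
            pending = {"target": ops[0]}
    return calls
```

In the sample, $a1 for the first call is finished by the addiu in the delay slot, which is why reading only the instructions above the jal would give a wrong argument value.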

Analyze RELEASE internals

It can be useful to Enable debug logging to understand RELEASE internals. Additionally, it is sometimes useful to know the Remote Keycodes.