Firmware Structure Analysis

[thephenakist]

Using the script below, I plotted the data from one of my firmwares onto a graph for analysis. What I discovered was 12 discrete chunks of what visually looks like sound data, separated by sharp triangular transitions which I'm guessing would be tones to indicate things like changing light colors, or progressing the projector to the next slide. I also noticed that the majority of the firmware is unused (FF FF FF FF's for at least half of the file) with the exception of 16 bytes starting at location 0x0FFF80 (108448). Search for 04 F1 in your firmware, and follow it down 8556 to the 4E 0E that's just before all of the FF's. Those 8556 bytes are identical in each of the firmwares I've inspected. My hypothesis is that those 8556 bytes contain a digital signal processor (DSP) which can convert the waveforms back into actual sound files, which then get played on the speaker.

So the structure of the firmware seems to be:
A) Chapter Map
B) Chapter
C) Transition
D) Chapter
E) Transtion
... (repeat for number of chapters in cassette) ...
F) 8556 bytes of code, common across all chip dumps
G) Empty space (FF FF FF FF...)
H) 16 byte chip ID and/or key (or possibly the chapter marks)
I) FF's to end of file

Script:

import numpy as np, matplotlib.pyplot as plt
d = np.fromfile('firmware.bin', dtype=np.uint8)
plt.plot(d)
plt.show()

[mtkimmins]

This is a great breakdown! Appreciate the identification of the last similar chunk before the sea of "FF" bytes.

[mtkimmins]

I have verified that this is terminal part of the data does indeed match the last 8556 bytes prior to the empty residue of the chip.

[jayseet]

Has anyone been able to dump the data from the memory chip in the dream machine itself yet?

[mtkimmins]

Talking with Jon (GainSec), I know he was sniffing the main chip in the projector as it ran a while ago. Here is his blog post on the subject.

[jayseet]

Thanks. I'm thinking of picking up a second projector or finding a used one and a test clip to get a dump from the P25D40SM in the projector itself to see if that sheds any light. I've enjoyed reading your progress and gleaning what you've learned along the way.

[j-te]

I've come to the conclusion all of the files in the structure are compressed using the same algorithm due to a similar signature. We need the huff table key from the projector chip. Attached is my READ of Big Shark Little Shark Goes to School. XGecu T48 was used with a clip (no soldering required).

BSLSGTS_P25D80SH_SOP8.zip

[mtkimmins]

Looks similar to my copies (I have not purified these dumps for this book yet, so I would trust yours over mine for this). Another confirmation that we are getting the right data.
That'll be my next target, the table key.