This is an effort to reverse-engineer the Raspberry Pi license key check for MPEG-2 and VP1 hardware video encoding.
cd /boot cp start.elf start.elf_backup && \ perl -pne 's/\x47\xE9362H\x3C\x18/\x47\xE9362H\x3C\x1F/g' < start.elf_backup > start.elf
Applying it to a
(latest as of time of writing) results in the following diff:
$ diff <(xxd -e start.elf_backup) <(xxd -e start.elf) 38340c38340 < 00095c30: 400703a4 40161799 3633e947 183c4832 ...@...@G.362H<. --- > 00095c30: 400703a4 40161799 3633e947 1f3c4832 ...@...@G.362H<.
$ md5sum start.elf_backup start.elf 8327a0720f806814b677efaeb94a7671 start.elf_backup fe55537c71b22e8f8c1a92257da2c45b start.elf
Yes, it seems to patch a licensing function at 0xEC95FD4  to always return 1, by patching the jump at 0xEC95FE2 (that should be only taken for the always-allowed H263 codec) to always be taken, thus always allowing all codecs.
After loading and analyzing
start.elf, we can find the
0xEC96290 by jumping to the file offset given to us by
beforehand. The relevant code sections are available in
sub_EC96290.asm and is_licensed.asm.
not_WMV9: ; CODE XREF: is_licensed+56�j cmp r7, 'MPG2' cmpeq r6, 0 bne not_MPG2 ld r1, 0x1DC0(gp) ; XREF 0xEE86680 dword_EE86680 addcmpbne r1, 0, 0, return_1 not_MPG2: ; CODE XREF: is_licensed+68�j cmp r7, 'WVC1' cmpeq r6, 0 bne deny ld r2, 0x2120(gp) ; XREF 0xEE869E0 dword_EE869E0 addcmpbeq r2, 0, 0, deny
Here, two memory locations (
0xEE86680 for MPEG-2 and
0xEE869E0 for VP1)
that point to the
.bss segment are checked to determine the return value of
is_licensed. There are no other obvious references to these locations in
start.elf, so memory-breakpoint debugging (TBD) is probably needed.