Cracking Open the Propeller Chip
Chip Gracey (Parallax) : Can anyone out there figure out how to get the proper binary image of the current Spin interpreter from ROM?
Harley Shanko : Did I just hear a challenge?
Chip : Yep! Maybe it hasn't been pursued, out of consideration to Parallax, but if someone posts the correct binary, I'll post the original source code.
Original thread: here
The Spin Interpreter, along with the bootloader, is stored in ROM; according to the Propeller Memory Map it occupies byte addresses $F002 to $FFFF. Although this ROM area can be read by a Spin or PASM program just like the other ROM data (the character bitmaps and the trigonometric tables), the data returned is encrypted. It is decrypted by on-chip, undocumented hardware as it is loaded into a Cog for execution. As Chip has written:
"The booter is at $F800 and the interpreter is at $F004. You will not be able to disassemble these programs, though, since the data is scrambled and only gets unscrambled by the HUB during launching. This is the only 'code protection' that the chip has and it's designed to slow down others from making me-too Propeller-like chip products."
Original thread: here
After a flurry of activity the Propeller was cracked open and the interpreter revealed. True to his word, Chip released the original source code of the Interpreter and Bootloader.
The 'cracking' process as it evolved, and the interpreter source, can be found here
The key to reverse engineering turned out to be embodied in Chip's description of the data as "scrambled" rather than "encrypted". The mechanism used was a simple bit swapping of the data: a fixed permutation of bit positions, with no key. Simple as it was, it had been good enough to keep people from attempting to decode the data or, if they tried, from succeeding. Had Chip not thrown down the challenge, and suggested it was perhaps more feasible than people assumed, the ROM may have remained undecoded.
Even knowing the mechanism used, it was not a simple and straightforward process to decode the entire interpreter. Various approaches were taken: brute force, 'good guessing' and statistical analysis.
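The following is an added illustration, not code from this wiki or from Parallax, of why a fixed bit permutation is "scrambling" rather than encryption. The 32-bit permutation it uses is constructed for the example and is not the Propeller's actual mapping, which the page does not give. It shows the two properties the approaches above rely on: a permutation only moves bits, so the popcount of every word is unchanged (which is what makes statistical analysis possible), and a handful of known plaintext words pins down every bit position (the 'good guessing' approach).

```python
"""Why a fixed bit permutation is "scrambling", not encryption.

Added example. The 32-bit permutation below is constructed for illustration
and is NOT the one used in the Propeller ROM; the page does not give that mapping.
"""
import random

# Constructed permutation: PERM[dst] is the index of the source bit that lands
# in output bit `dst`. 13 is odd, so i*13+7 mod 32 visits every position once.
PERM = [(i * 13 + 7) % 32 for i in range(32)]
INV_PERM = [0] * 32
for dst, src in enumerate(PERM):
    INV_PERM[src] = dst


def permute_bits(word: int, perm: list[int]) -> int:
    """Move bit perm[dst] of `word` into position dst, for every dst."""
    out = 0
    for dst, src in enumerate(perm):
        if (word >> src) & 1:
            out |= 1 << dst
    return out


def scramble(word: int) -> int:
    """Model of the ROM 'scrambling': a fixed, key-less bit permutation."""
    return permute_bits(word & 0xFFFFFFFF, PERM)


def unscramble(word: int) -> int:
    """What the hub does at launch time: apply the inverse permutation."""
    return permute_bits(word & 0xFFFFFFFF, INV_PERM)


def hamming_weight(word: int) -> int:
    return bin(word).count("1")


def weight_is_invariant(words: list[int]) -> bool:
    """A permutation only relocates bits, so every word keeps its popcount.
    Runs of $00000000 (unused ROM) and sparse constants therefore stay
    recognisable in the scrambled image, which is what statistical analysis
    of such data exploits."""
    return all(hamming_weight(w) == hamming_weight(scramble(w)) for w in words)


def recover_permutation(pairs: list[tuple[int, int]]) -> list[set[int]]:
    """Known-plaintext narrowing: for each output bit keep only the source
    bits whose value agrees with it in every (plain, scrambled) pair."""
    candidates = []
    for dst in range(32):
        cands = {src for src in range(32)
                 if all(((p >> src) & 1) == ((s >> dst) & 1) for p, s in pairs)}
        candidates.append(cands)
    return candidates


def sample_pairs(n: int, seed: int = 2024) -> list[tuple[int, int]]:
    """Constructed known pairs from a seeded generator, so runs are repeatable."""
    rng = random.Random(seed)
    plain = [rng.getrandbits(32) for _ in range(n)]
    return [(p, scramble(p)) for p in plain]


if __name__ == "__main__":
    w = 0xF004F800  # constructed sample word, not a real ROM value
    assert unscramble(scramble(w)) == w
    print(f"scramble(0x{w:08X}) = 0x{scramble(w):08X}; "
          f"popcount {hamming_weight(w)} -> {hamming_weight(scramble(w))}")
    cands = recover_permutation(sample_pairs(64))
    print("bit positions fully determined:", sum(len(c) == 1 for c in cands), "of 32")
```

With 64 random known words each output bit is left with a single candidate source bit, so the whole permutation falls out; a real block cipher, by contrast, changes popcount and gives no per-bit correspondence to narrow.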
The full source code for INTERPRETER, BOOTER, and RUNNER was released by Chip here
This page has been updated to reflect the release of the interpreter source code. The original page, discussing possible approaches and useful help, can be found at the link here: Original Page
Copy of http://propeller.wikispaces.com/ (reformatted to allow proper formatting with github wiki)