Digifusion FVRT100/145/150/200 Tweaking

!! WARNING !!

All files and advice on this site are provided in good faith,
but you use them at your own risk.

Nothing provided here comes with any warranty or guarantee.

ST20 Disassembler and Patch Development Utility

Introduction

st20dis is a command-line disassembler for the SGS-Thomson ST20 C2/C4 instruction set which includes additional functions to assist with development of patches to existing binaries. A manual page is available.

Features

Multiple platform support - currently Windows, MacOSX, Solaris;
Extremely fast - disassembles a Digifusion firmware file (2MiB) in ~5 seconds;
Detects strings and repeated bytes;
Detects subroutines and jump locations;
Detects objects - M2V frames, PNGs, Font files, palletes and (thanks to Shoog over at Digital Spy) raw BMPs
Derive and label function arguments, variables and ldpi targets;
Can disassemble specific portions of a file;
Can disassemble specific subroutines when given an address contained therein;
Allows disassembling at a specific offset so that sense can be made of absolute jumps;
Supports patching at runtime to see the effect of changing bytes within the source file - aids patch development;
Supports the application of DigiFusion patch files (.fpt);
Can load a map file to use named labels for memory locations or to force memory to be identified as a string or other object;
HTML output;
Option to display brief help on assembler instructions;
It's in active development.

Planned Features

Patch generation;
Automatic offset detection;
Decompilation (represent selected parts as C pseudo-code);
...

Comments are welcome - send them to af123@jeamland.org, post to the Digital Spy Digifusion Forum or PM af123 there. I'm interested in experiences with st20dis, problems you encountered, proposals for enhancements, etc.

Licence

Usage of st20dis is free of charge for private, educational and commercial use. No responsiblity is taken for any damage caused by using st20dis.

Commercial distribution of either the original or modified versions of st20dis or including st20dis into commercial products is only allowed if explicitly permitted by the original author.

Usage Examples

Each example is followed by an indication of what would be found in the output file.

Disassembling a firmware file

C:\>st20dis -o <output file> <firmware file>

00000000: 60 be                 sub_0:       ajw #-2
00000002: 23 46                              ldc #36
00000004: 21 fb                              ldpi

Without addresses or hex

C:\>st20dis -b -o <output file> <firmware file>

sub_0:       ajw #-2
             ldc #36
             ldpi

With full opcode help

C:\>st20dis -b -A -o <output file> <firmware file>

sub_0:       ajw #-2          ; adjust workspace - Move workspace pointer
             ldc #36          ; load constant - A = n, B=A, C=B
             ldpi             ; Load pointer to instruction - A = next instruction + A

Focusing on a subroutine and testing a patch

One of the things that the noscenes patch for the DigiFusion software does is change the byte at location 0xa57b to 0x02 from 0xa2. Disassemble this subroutine:

C:\>st20dis -S a57b <firmware file>

0000a546: 60 be                 sub_a546:    ajw #-2
0000a548: 11                                 ldlp #1
0000a549: 73                                 ldl #3
...

Note that the subroutine actually starts at 0xa546. Look at the bytes around 0xa57b:

C:\>st20dis -s a57a -e +4 <firmware file>

0000a57a: 70                    loc_a57a:    ldl #0
0000a57b: a2                                 cj loc_a57e
0000a57c: 62 0f                              j loc_a55d

And try the patch:

C:\>st20dis -s a57a -e +4 -p a57b=2 <firmware file>

0000a57a: 70                    loc_a57a:    ldl #0
0000a57b: 02                                 j loc_a57e
0000a57c: 62 0f                              j loc_a55d

The conditional jump has been changed to an unconditional one.

Read the man page for full details.

Download

Version 1.0.3 - released 03/08/2010

Microsoft Windows, Intel.

Sun Solaris 10, SPARC, 64-bit.

Sun Solaris 10 (or OpenSolaris), x86, 32/64-bit.

MacOSX Snow Leopard, Intel.
other platforms coming soon

Continue dissassembly attempt even if checksum doesn't match.
Improved string detection.
Option (-R) to output all references instead of just the first 16.
Option (-q) to supress the printing of padding bytes.
Extended map file format to support adding comments above detected objects.

Version 1.0.2 - released 22/04/2008

Microsoft Windows, Intel.

Sun Solaris 10, SPARC, 64-bit.

Sun OpenSolaris 11, Intel.

MacOSX Leopard, Intel.

Fix HTML output on Windows and Linux platforms.
Include detected strings on HTML index page.

Version 1.0.1 - released 25/03/2008

Optionally create output in HTML format;
Option to transmit final firmware over serial device (UNIX platforms);
Support negative offsets in map files (offset from end of code);
Fix bug in sub-routine reference counting;
Fix BMP padding calculation (thanks to Shoog);
New map-file tag to define range as binary;
Add Linux version.

Version 1.0.0 - released 09/03/2008

Support application of .fpt patch files (-P option).
Option to write out modified firmware files (following patching; -w option).
Option to disable subroutines (-B option).

Version 0.0.2 - released 26/2/2008

Add repeated byte detection;
Fix run-away instruction handling;
Improve string detection;
Fix output of negative values;
Record number of times each subroutine referenced;
Label local variables and subroutine arguments;
Derive the memory location loaded to A by 'ldpi' instructions.
Support reading compressed DigiFusion files.

Version 0.0.1 - released 22/2/2008