Modifying LG Renesas firmware

vbimport

#1

Hi all,

I’m new to this forum and to DVD drive modification and have a slightly off-topic question.

Can anyone help me in the right direction to modify a LG DVD drive such that I can control the sled and other motors directly? While I could connect a microcontroller to the hardware, I figured a lot of cool control logic is already in the drive that I may reuse.

I’ve got a lot of experience in reverse engineering, but DVD drives and their SCSI commands etc are quite new to me. As is the Renesas H8 chip. I realize that this would mean sending commands to the DSP or otherwise driving the control loops etc.

Luckily devilsclaw has done amazing work already on this drive and firmware so I have a big head start, but still have difficulty finding my way around the firmware. I currently have extracted and imported the main and core firmware in IDA and also the 0x100000 area. Found some of the structs with what seem like command sets of sled in, laser on etc. Found the 4 main entry points at the start etc.

What I miss is where is the main command parsing loop from what comes in on the SATA bus such as the MMC commands devilsclaw figured out. I cannot seem to locate that.

If anyone has any pointers or tips on understanding the Renesas chipset or firmware it is highly appreciated. I’d be happy to report back when I get further.

Thanks, yopper

Drives I have: GH22NS50 BH08LS20


#2

[QUOTE=yopper;2476733]What I miss is where is the main command parsing loop from what comes in on the SATA bus such as the MMC commands devilsclaw figured out. I cannot seem to locate that.
[/QUOTE]
Apply the MCSE RPC2 autoreset patch, see what is changed and go the way up to find the main dispatcher which calls the RPC2 functions.


#3

[QUOTE=ala42;2476764]Apply the MCSE RPC2 autoreset patch, see what is changed and go the way up to find the main dispatcher which calls the RPC2 functions.[/QUOTE]

Thanks! I already applied this earlier for a diff, so I will work from there. Thanks for the fast response.


#4

Hi,

Here are some results for anyone who wants to pursue something similar. Thanks to the feedback from [B]ala42[/B].

For my firmware (GH22NS50 TN01) there is a list of 256 function pointers at [B]00447C62[/B]. These pointers are handlers for each of the SCSI commands. They are easy to recognize (they point roughly between 0049xxxx and 004Cxxxx). It is quite easy to find the handler for A4 (REPORT KEY), but also ones I’m interested in such as Eject and Seek.

yopper
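
The kind of table described in post #4 (256 consecutive handler pointers, one per SCSI opcode, all landing in one code range) can also be located mechanically in a dump. The following is an added example, not part of the original posts and not code from any of the posters. It assumes 4-byte big-endian table entries and a known load address for the image; the sample image, its load base and its handler values are constructed for the demonstration and are not taken from real firmware.

```python
import struct

def find_pointer_tables(image, base, lo, hi, entries=256, min_hits=230):
    """Return [(address, hits)]: windows of `entries` 4-byte big-endian
    words (assumed entry format) where >= min_hits values lie in [lo, hi)."""
    results = []
    for phase in (0, 2):                 # a table may start on any even address
        n = (len(image) - phase) // 4
        if n < entries:
            continue
        words = struct.unpack_from(f">{n}I", image, phase)
        flags = [lo <= w < hi for w in words]
        hits = sum(flags[:entries])
        best = None                      # best window of the current qualifying run
        for i in range(n - entries + 1):
            if i:                        # slide the window by one entry
                hits += flags[i + entries - 1] - flags[i - 1]
            if hits >= min_hits:
                if best is None or hits > best[1]:
                    best = (base + phase + 4 * i, hits)
            elif best:
                results.append(best)
                best = None
        if best:
            results.append(best)
    return sorted(results)

def handler_for(image, base, table_addr, opcode):
    """Read the handler pointer for one SCSI opcode from the table."""
    return struct.unpack_from(">I", image, table_addr - base + 4 * opcode)[0]

def build_sample():
    """Constructed image slice: filler, then a 256-entry table placed so it
    sits at 0x00447C62 when the slice is loaded at the assumed base."""
    base = 0x00447000                    # assumed load address of this slice
    table = b"".join(struct.pack(">I", 0x00490000 + op * 0x100)  # made-up handlers
                     for op in range(256))
    return b"\xff" * 0xC62 + table + b"\xff" * 64, base

if __name__ == "__main__":
    image, base = build_sample()
    for addr, hits in find_pointer_tables(image, base, 0x00490000, 0x004D0000):
        print(f"candidate table at {addr:08X} ({hits}/256 pointers in range)")
        print(f"  opcode A4 handler -> {handler_for(image, base, addr, 0xA4):08X}")
```

On a real dump, pass the image's actual load address as `base` and adjust the range and `min_hits` to the firmware being examined.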

