I am newbie at reversing (8-bit so can I try to quest what are you going to do?
So first you need to find what MCU/CPU pins are used as SPI interface because that
is how you find part of opcode, is that right?
Second, you need to find from datasheet of LMH6518 combination of data that limit
BW to 100MHz (or what ever).
Third, in "somewhere" your are going to search for opcode and data sequnce that
change parameters of LMH6518. That is how you are going to find what to change.
Am I close? Am I close? Am I close? Am I close? Ooooo boy am I at least a bit close?
What is hzlib (i find what zlib is), oob, bsdl? What is JTAG used for (yes I am that newbie ?
Is it possible that they have used some sort of packer and that packer is in zlib?
1 - find JTAG on PCBhttp://en.wikipedia.org/wiki/Joint_Test_Action_Group
2 - dump firmware from whatever memory on PCB.
In case of NAND flash dump OOB blockshttp://wiki.openmoko.org/wiki/NAND_bad_blocks#NAND_page
3 - quick analyze firmware - is the code looking good? (i'm actually opening with hex editor only to see if the content looks good for me) If yes continue, if not sure solder empty NAND, restore backup and check if device is booting up.
4 - analyze hardware to quick understand what the hardware is suppose to do, read datasheets to find
function which can be used to achieve target (in this case bw hack)
5 - use Boundary Scan http://en.wikipedia.org/wiki/Boundary_scan
or just a continuity checker (when possible not) to find interessting/data flow pins (like the pins connected to LM6518)
6 - read S3C2416 data sheet and user manual to learn GPIO addressing, this is what you need to know
to be able to find a write sequence to specific GPIO pin or port (e.g. SPI)
7 - deep analyze firmware, look for control sequences. This is actually the part which takes the most time.
There can be always a kind of protection, the first step is to patch something simple like a string to see
what influence it have on the firmware protection - when this works change part of code to do something,
good example is change keypres code to do e.g. init or beep or whatever. Here on Owon this is a bit
more complex, but still these are first steps. When there is protection you have to localize it and remove first.
8 - build a test system - this is optional step, sometimes you can use dev boards from a specific chip to run dumped firmware
without any risk for DUT. In this case you could buy on ebay a cheap S3C2416 board, restore firmware dump to NAND
and analyze changes to firmware - to solder wires directly to PCB might be sometimes dangerous, so test system
9 - test changes on DUT, when everything works you almost done.
10 - investigate what will happens in case of firmware update - when still possible and all changes you made will
still works you done with hack - when not think about ways to autopatch during firmware update.
So that's all about reversing.
Now these hzlib, this can be crc table or it can be also chinese characters table
I will see it during step 7
As for now the firmware is already dumped to separate files, i have also table of content (to be able to reflash changed parts into right sections), disasm (1st run )cleaned up (data, code) - however i don't like the result so i will have to get manualy
through code and re-analyze.
One important question is already answered "is Owon using LHM6518 to reduce bandwidth?" - the answer is YES.
This is a part of menu (some items hidden from user) :
aMenu_bandlimit DCB "menu_bandLimit",0
aMenu_20m DCB "menu_20M",0
aMenu_100m DCB "menu_100M",0
aMenu_200m DCB "menu_200M",0
aMenu_350m DCB "menu_350M",0
aMenu_650m DCB "menu_650M",0
aMenu_750m DCB "menu_750M",0
aMenu_fullband DCB "menu_fullband",0
which is exact what LMH6518 can do, so that's the confirmation.
Now the hack could be maybe something like "unhide menu", however there will be for sure a part
which is setting up 100MHz as defualt when "bandlimit" off so this need to be hacked too.
Another option is just to hack all 100MHz code parts to let say 350MHz.
I'm not sure if i can do everything in time, you have to know i loan Owon from someone and in principle
i have to send it back tomorrow (or buy it). However the work i doing now should be at least a good
preparation for future hacks, so someone else can continue in case i will be not ready in time.