Author Topic: [SOLVED] Looking for an NXP XA-G30 Disassembler  (Read 397 times)

sixtimesseven
[SOLVED] Looking for an NXP XA-G30 Disassembler
« on: July 13, 2019, 10:17:36 pm »
I have a Chroma 16502 which needs calibration, unfortunately the cal. menu is password locked  |O

I got the firmware of the eeprom, see attached zip for the bin file.

However, the microcontroller is a NXP PXAG30KBA which they describe as XA-G30 family.
I could not find much regarding this old, obsolete chip but I was wondering if somebody has a disassembler for it?
« Last Edit: July 14, 2019, 02:37:57 pm by sixtimesseven »
 

GromBeestje
Re: Looking for an NXP XA-G30 Disassembler
« Reply #1 on: July 13, 2019, 10:41:38 pm »
From a quick glance at the datasheet, it looks like its architecture is an extended version of the 8051. Therefore I would try to see what an 8051 decompiler makes of it. I suggest loading the file into radare2, selecting the 8051 architecture and seeing what happens.
 

amyk
Re: Looking for an NXP XA-G30 Disassembler
« Reply #2 on: July 14, 2019, 02:02:17 am »
It's not an 8051. The claims of 8051 compatibility are like saying that the 8086 is compatible with the 8080/8085.

https://www.ceibo.com/eng/datasheets/Philips-XA-User-Guide.pdf

The password is probably stored in EEPROM. Do you want to actually reverse the algorithm, or find which byte(s) to patch in the ROM to bypass it?

Either way, if you don't find something, let me know and I can write a disassembler. The above doc has all the necessary information.
 

sixtimesseven
Re: Looking for an NXP XA-G30 Disassembler
« Reply #3 on: July 14, 2019, 10:24:53 am »
Quote from: amyk
> It's not an 8051. The claims of 8051 compatibility are like saying that the 8086 is compatible with the 8080/8085.
>
> https://www.ceibo.com/eng/datasheets/Philips-XA-User-Guide.pdf
>
> The password is probably stored in EEPROM. Do you want to actually reverse the algorithm, or find which byte(s) to patch in the ROM to bypass it?
>
> Either way, if you don't find something, let me know and I can write a disassembler. The above doc has all the necessary information.

Nice, thank you!

I'm not so much interested in the firmware, just knowing which bytes to flip would be plenty.

However, I had another idea. I noticed that there is no max number of passwords. And the max input frequency for the keys is pretty high (>40Hz). There are 9 different keys, which with a five-position password makes 5^9 = 1953125 combinations, which should take about 3 days to brute force >:D
 

sixtimesseven
Re: Looking for an NXP XA-G30 Disassembler
« Reply #4 on: July 14, 2019, 12:59:59 pm »
Sooo ... Turns out Chroma cannot implement a halfway decent password  :-DD

I wired up an Arduino to trigger each switch, but before going through with the 5^9 combinations I figured I'd test the simpler 5^4 or 5^5 combinations in case they used F1-F4 or the navigation keys exclusively.
Turns out they have... Password is pretty trivial, should have gotten it by trying obvious ones by hand:

It is: [ArrowUp, ArrowDown, ArrowLeft, ArrowRight, Trigger]  :-DD

« Last Edit: July 14, 2019, 01:16:49 pm by sixtimesseven »
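
The estimate in Reply #3 rests on the missing attempt limit. As an added example (not code from the thread or from the instrument's firmware), this Python model computes the worst-case time to enter every key sequence at a given key rate, with and without an exponential-backoff limiter. The `LockoutPolicy` class and its values are assumptions; `keyspace()` uses keys ** length, which is 59,049 for 9 keys and 5 positions, and the figure of 1,953,125 quoted in Reply #3 is evaluated alongside it.

```python
"""Added example: worst-case time to try every key sequence on a keypad lock."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """Hypothetical firmware-side limiter (all values are assumptions)."""
    free_attempts: int   # wrong entries tolerated before delays start
    base_delay_s: float  # delay after the first penalised wrong entry
    factor: float        # growth per further wrong entry
    max_delay_s: float   # cap on the delay


def keyspace(keys: int, length: int) -> int:
    """Number of sequences of `length` presses drawn from `keys` keys."""
    return keys ** length


def exhaust_time_s(combos: int, length: int, key_rate_hz: float,
                   policy: Optional[LockoutPolicy] = None) -> float:
    """Seconds to enter all `combos` sequences, correct one tried last."""
    total = combos * length / key_rate_hz      # raw key-press time
    if policy is None:
        return total
    penalised = max(0, (combos - 1) - policy.free_attempts)
    delay, n = policy.base_delay_s, 0
    while n < penalised and delay < policy.max_delay_s:
        total += delay                         # backoff still growing
        delay = min(delay * policy.factor, policy.max_delay_s)
        n += 1
    return total + (penalised - n) * policy.max_delay_s  # capped phase


if __name__ == "__main__":
    backoff = LockoutPolicy(free_attempts=3, base_delay_s=1.0,
                            factor=2.0, max_delay_s=60.0)
    cases = {"9 keys, 5 positions": keyspace(9, 5),
             "figure quoted in Reply #3": 1953125}
    for label, combos in cases.items():
        for name, pol in (("no limit", None), ("backoff", backoff)):
            days = exhaust_time_s(combos, 5, 40.0, pol) / 86400
            print(f"{label:26} {name:9} {days:10.2f} days")
```

With the assumed policy, the 9-key, 5-position space goes from about two hours of key presses to about 41 days, which is why the absence of any attempt limit matters more than the key rate.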