Top Rating
- Top Contributors
  Discover the Top Open Source contributors by country or by language
- Interviews
  Discover real stories from Open Source developers
Discover

Discover your Favorite Language
Discover the top trending repositories and projects on Github. Explore the latest trends in your preferred languages.

MATLAB

Perl

Kotlin

Swift

C++

Dart

Jupyter Notebook

OCaml

More Languages
Awesome

Awesome repositories
Discover the most awesome repositories and projects of your favorite languages. Inspired by the Awesome-* lists trend in GitHub.

Elm

Ada

C

Perl

Go

Groovy

Ruby

Nix

More Languages
By Country

Rankings by Country
Discover the community of talented open source contributors in each country.

🇾🇪 Yemen

🇳🇵 Nepal

🇴🇲 Oman

🇲🇾 Malaysia

🇬🇷 Greece

🇳🇦 Namibia

🇰🇷 South Korea

🇬🇱 Greenland

All Countries Compare Countries

nucular/raspi-keygen

Stars
132
Rank 274,205 (Top 6 %)
Language
Assembly
License
The Unlicense
Created over 6 years ago
Updated almost 3 years ago

nucular/raspi-keygen

nucular

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Reverse-engineering efforts to generate license keys for Raspberry Pi hardware video decoding

raspi-keygen

This is an effort to reverse-engineer the Raspberry Pi license key check for MPEG-2 and VC-1 hardware video encoding.

Patch

A patch for start.elf, a firmwware blob for the VideoCore IV processor used by all Raspberry Pi models, was posted to reddit by /u/fuck_the_mpeg_la on 03-03-2017:

cd /boot
cp start.elf start.elf_backup && \
 perl -pne 's/\x47\xE9362H\x3C\x18/\x47\xE9362H\x3C\x1F/g' < start.elf_backup > start.elf

Applying it to a 4.14.44 start.elf (latest as of time of writing) results in the following diff:

$ diff <(xxd -e start.elf_backup) <(xxd -e start.elf)
38340c38340
< 00095c30: 400703a4 40161799 3633e947 183c4832  ...@[email protected]<.
---
> 00095c30: 400703a4 40161799 3633e947 1f3c4832  ...@[email protected]<.

$ md5sum start.elf_backup start.elf
8327a0720f806814b677efaeb94a7671  start.elf_backup
fe55537c71b22e8f8c1a92257da2c45b  start.elf

Some initial analysis was done by q3k on Hacker News:

Yes, it seems to patch a licensing function at 0xEC95FD4 [1] to always return 1, by patching the jump at 0xEC95FE2 (that should be only taken for the always-allowed H263 codec) to always be taken, thus always allowing all codecs.

Reverse-engineering

The initial entry point is disassembled using the VideoCore IV plugin for IDA Pro 6 by hermanhermitage.

After loading and analyzing start.elf, we can find the is_licensed routine at address 0xEC96290 by jumping to the file offset given to us by xxd beforehand. The relevant code sections are available in sub_EC96290.asm and is_licensed.asm.

not_WMV9:				; CODE XREF: is_licensed+56�j
		cmp	r7, 'MPG2'
		cmpeq	r6, 0
		bne	not_MPG2
		ld	r1, 0x1DC0(gp) ; XREF 0xEE86680	dword_EE86680
		addcmpbne r1, 0, 0, return_1

not_MPG2:				; CODE XREF: is_licensed+68�j
		cmp	r7, 'WVC1'
		cmpeq	r6, 0
		bne	deny
		ld	r2, 0x2120(gp) ; XREF 0xEE869E0	dword_EE869E0
		addcmpbeq r2, 0, 0, deny

Here, two memory locations (0xEE86680 for MPEG-2 and 0xEE869E0 for VC-1) that point to the .bss segment are checked to determine the return value of is_licensed. There are no other obvious references to these locations in start.elf, so memory-breakpoint debugging (TBD) is probably needed.

sfxrlua

A port of the sfxr sound effect synthesizer to Lua

mmpi-2

An implementation of the MMPI-2 (Minnesota Multiphasic Personality Inventory rev. 2)

tcclua

LuaJIT FFI bindings for the Tiny C Compiler

icedrop

HTML5 audio visualization and station selector for Icecast servers

jsbp

A web-based BytePusher VM written in JavaScript, intended as a Chrome experiment

art

OpenCL raytracing pipeline as a LuaJIT library

hedgecam-mirror

Git mirror of HedgeCam 2 by Caddish Hedgehog aka alexxxx82

sdvx-emulator

A basic Sound Voltex emulator with support for K-Shoot MANIA maps, written in Lua using LÖVE

dbp

A little implementation of the BytePusher virtual machine, written in the D language and using the Derelict SDL 2 bindings.

powder-djs

An ironic attempt at a powder/particle-based game

equatio

An interactive canvas-based experiment inspired by IBNIZ and derivatives

oxy

XY-Oscilloscope visualization for JACK

fullmoviefinder

Web utility that searches the FullMoviesOnX subreddits for a movie title and embeds the matching player

stuff

Things I made that don't deserve their own repo

wkill

Xkill for Windows

gofigure

An IRC statistics generator that actually works! (hopefully, once it's actually written)

jsparty

Multiplayer JavaScript console mayhem

kirei

A basic open-source osu! skin, built from the ground up in SVG

aiotpt

Server for The Powder Toy written in Python

bloodagar

A reimplementation of the Agar.io client

Js141

[DEFUNCT] Emulator of the Busicom 141PF, including the Intel 4004 CPU

tipstatbot

Node.js IRC bot that provides interesting statistics about public Doger tips

reactor

[DEFUNCT] Multi-language graphical element generator for The Powder Toy and an alternative GUI library

Moeterial

An online skin editor for osu!

0x20hues

A port of 0x40 Hues to the Lua LÖVE engine