Some useful function address mapping for V3 firmware

[tywtyw2002]

I did some dig for V3 firmware.

The address map results for functions in https://github.com/piotr022/UV_K5_playground/blob/main/libs/k5_uv_system/system.hpp are listed below.

sub_d4_IRQ_RESET
sub_128_IntDivide
sub_1be4_BK4819ConfigureAndStartTxFsk
sub_8310_PrintFrequency
sub_8454_PrintSmallDigits
sub_8494_PrintTextOnScreen
sub_9fbc_UpdateStatusBar
sub_a128_AdcReadout
sub_a6d4_AirCopyFskSetup
sub_a7e0_BK4819ConfigureAndStartRxFsk
sub_a820_AirCopy72
sub_a914_BK4819SetGpio
sub_a93c_BK4819Reset
sub_aac0_BK4819Read
sub_ac00_BK4819WriteFrequency
sub_ac18_BK4819SetPaGain
sub_affc_BK4819Write
sub_b194_PollKeyboard
sub_b6d4_FlushFramebufferToScreen
sub_b73c_FlushStatusbarBufferToScreen
sub_bcd8_WriteSerialData
sub_bef4_SomeAmStuff
sub_c0e8_IRQ_SYSTICK
sub_c2a0_FormatString
sub_cc8c_DelayMs
sub_cc9c_DelayUs

Fonts address https://github.com/amnemonic/Quansheng_UV-K5_Firmware/issues/67

[tywtyw2002]

.pDisplayBuffer 0x20000648
.pSmallDigs 0xd1a0
.pSmallLeters 0xCED0
.p8FlashLightStatus =  0x200002fb,
.pStatusBarData =  0x200005c8,
.p16Voltage =  0x2000034e,

[rogerclarkmelbourne]

What are you using to find these addresses e.g. Ghidra, and if so , did you share your Ghidra project somewhere eg. on GitHub

[Tunas1337]

What are you using to find these addresses e.g. Ghidra, and if so , did you share your Ghidra project somewhere eg. on GitHub

I've been sharing mine on Telegram as I got further and further into it. It's reasonably complete right now. It's attached here:k5_v2.01.26_dexor_cut.bin.zip

[rogerclarkmelbourne]

Thanks

[tywtyw2002]

What are you using to find these addresses e.g. Ghidra, and if so , did you share your Ghidra project somewhere eg. on GitHub @rogerclarkmelbourne

Here is pseudo_c version of v3 firmware(the most functions are decode correctly, but the big data block(ie sound, fonts..) are not decode correctly) and the unzip password is 0x20000648

You can download at https://0x0.st/H_VI.c.7z , file expires in 7 days.

[rogerclarkmelbourne]

OK.

Isn't address 0x00000000 the vector table for the bootloader ? Rather than a function?

BTW.

You can make data for ghidra so it knows what the hardware peripheral register addresses are.

I did this a long time ago for the STM32F4 but accidently deleted it all when I updated my PC :-( And the data would be useless for the DP32 as its hardware register addresses are totally different to the STM devices, including the STM32G030 which this MCU appears to be similar to

I've not had time to compare the hardware register bit patterns etc with the STM32G030 to see if perhaps the hardware interface is similar to the STM32G030, or whether this MCU is quite different except for its part number

[tywtyw2002]

The 0x0 from fw.dec.bin is a function, if you unpack the firmware use qsfirm.py the program fw.dec.bin will not include the bootloader.

I cross reference the v26 functions addresses and the v26 decode, there are match.

[rogerclarkmelbourne]

But even the application code has vector table before the start of its own functions

Possibly your address 0x000000 is actually the code above the application vector table

Is it normal to decompile a binary that does not contain the vector table, because you can't see how the ISR vectors call into the application

[tywtyw2002]

Since most people use Ghidra for RE, I did some rough work for merged binary RE form IDA to Ghidra.

Link https://0x0.st/H_E1.gzf.7z expired in 48hrs.

password is 0x2000034e

@rogerclarkmelbourne

[rogerclarkmelbourne]

Thanks

[troilus]

你好，在这个基础上，可以给v3的固件增加“精简版”s表的功能吗？ 我尝试了下精简v26的s表，使其仅仅显示信号强度值，是可以的，并且节约了不少空间

[tywtyw2002]

你好，在这个基础上，可以给v3的固件增加“精简版”s表的功能吗？ 我尝试了下精简v26的s表，使其仅仅显示信号强度值，是可以的，并且节约了不少空间

Compared to the V2 firmware, the V3 firmware only adds support for Chinese and a new menu style. However, it uses many kbs of ROMs space for displaying the Chinese menu (font and menu title).

Since the open source V2 firmware has already been created, I assume that nobody wants to work on V3.