This is an effort to reverse-engineer the Raspberry Pi license key check for MPEG-2 and VC-1 hardware video encoding.
Patch

A patch for start.elf, a firmware blob for the VideoCore IV processor used by all Raspberry Pi models, was posted to reddit by /u/fuck_the_mpeg_la on 03-03-2017:
Applying it to a 4.14.44 start.elf (latest as of time of writing) results in the following diff:

Some initial analysis was done by q3k on Hacker News:
Yes, it seems to patch a licensing function at 0xEC95FD4 [1] to always return 1, by patching the jump at 0xEC95FE2 (that should be only taken for the always-allowed H263 codec) to always be taken, thus always allowing all codecs.
Reverse-engineering
The initial entry point is disassembled using the VideoCore IV plugin for IDA Pro 6 by hermanhermitage.
After loading and analyzing start.elf, we can find the is_licensed routine at address 0xEC96290 by jumping to the file offset given to us by xxd beforehand. The relevant code sections are available in sub_EC96290.asm and is_licensed.asm.

Here, two memory locations (0xEE86680 for MPEG-2 and 0xEE869E0 for VC-1) that point to the .bss segment are checked to determine the return value of is_licensed. There are no other obvious references to these locations in start.elf, so memory-breakpoint debugging (TBD) is probably needed.
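Two mechanical steps in the write-up above are easy to get wrong by hand: working out exactly which bytes a patch touches (the "following diff" step), and turning an xxd file offset into the address IDA shows for the same bytes. The following Python is an added worked example, not code from the original page or from the firmware it describes. The two blobs, the patch it applies and the PT_LOAD segment table are all constructed for the example; for a real image the segment values come from `readelf -l start.elf`, and the mapping shown here is the generic ELF rule (vaddr = p_vaddr + (file_offset - p_offset) for the segment that contains the offset), not the actual layout of start.elf.

```python
"""Byte-level firmware diff plus file-offset -> virtual-address mapping.

Added example (not from the original page). All data is constructed:
ORIGINAL/PATCHED stand in for two builds of a firmware blob, and SEGMENTS
is a placeholder PT_LOAD table, not the real layout of start.elf.
"""
from typing import List, Tuple

# Constructed sample images: 1024 bytes of filler and a copy with two edits.
ORIGINAL = bytes(range(256)) * 4
_patched = bytearray(ORIGINAL)
_patched[0x1E2:0x1E4] = b"\x00\x01"   # a two-byte change (constructed)
_patched[0x3F0] = 0xFF                 # a one-byte change (constructed)
PATCHED = bytes(_patched)

# (file offset, old bytes, new bytes) for one maximal run of differing bytes
Change = Tuple[int, bytes, bytes]


def find_changed_ranges(a: bytes, b: bytes) -> List[Change]:
    """Return every maximal run of bytes that differ between a and b.

    Comparing a blob against a known-good build this way both locates what a
    patch changed and flags an image that has been tampered with.
    """
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    changes: List[Change] = []
    i, n = 0, len(a)
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        changes.append((start, a[start:i], b[start:i]))
    return changes


def xxd_lines(offset: int, data: bytes) -> List[str]:
    """Format bytes in 16-byte rows the way xxd prints them."""
    rows = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexpart = " ".join(f"{byte:02x}" for byte in chunk)
        text = "".join(chr(byte) if 32 <= byte < 127 else "." for byte in chunk)
        rows.append(f"{offset + i:08x}: {hexpart:<47} {text}")
    return rows


def render_diff(a: bytes, b: bytes) -> str:
    """Unified-style view: '-' rows for the old bytes, '+' rows for the new."""
    out = []
    for off, old, new in find_changed_ranges(a, b):
        out.extend("-" + row for row in xxd_lines(off, old))
        out.extend("+" + row for row in xxd_lines(off, new))
    return "\n".join(out)


# Constructed PT_LOAD table as (p_offset, p_vaddr, p_filesz). Placeholder
# values only; read the real ones with `readelf -l`.
SEGMENTS = [
    (0x000, 0xEC00000, 0x200),
    (0x200, 0xEE80000, 0x200),
]


def offset_to_vaddr(segments, file_offset: int) -> int:
    """Map a file offset to the virtual address a disassembler would show.

    Generic ELF rule: find the PT_LOAD segment whose file range contains the
    offset, then add the offset's distance into that segment to p_vaddr.
    """
    for p_offset, p_vaddr, p_filesz in segments:
        if p_offset <= file_offset < p_offset + p_filesz:
            return p_vaddr + (file_offset - p_offset)
    raise ValueError(f"offset {file_offset:#x} is not inside any PT_LOAD segment")


if __name__ == "__main__":
    print(render_diff(ORIGINAL, PATCHED))
    for off, _, _ in find_changed_ranges(ORIGINAL, PATCHED):
        print(f"file offset {off:#x} -> vaddr {offset_to_vaddr(SEGMENTS, off):#x}")
```

Running it prints the two changed runs as `-`/`+` xxd rows followed by the address each file offset maps to under the placeholder table; swap in the real blobs and the segment table from `readelf -l` to reproduce the write-up's jump from an xxd offset to an IDA address.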