TM2X

From MultimediaWiki
Revision as of 07:01, 19 March 2016 by Kostya (talk | contribs)
Jump to navigation Jump to search

Duck TrueMotion 2X is believed to be related to Duck TrueMotion 2.

Frame structure

Each frame consists of chunks with the following structure:

 0-2 always 0xA0 0x00 0x01
 3      chunk identifier
 4-7 chunk size (big-endian)
 8-... chunk payload

Analyzed frames have chunks in the following order:

  • 0x06 (usually takes more than a half of coded frame)
  • 0x15- small, variable size
  • 0x09- 3 bytes long, seems to be some initialisation data
  • 0x02- two chunks of variable size
  • 0x0B- there are always 16 of them with size=4. Maybe for some Huffman tables?
  • 0x0A- variable size

In order to ease reverse-engineering Duck seemed to used pseudo-encryption on data. Pseudo-encryption means XORing some chunks with parts of LFSR which may be updated before some chunks. Register data is stored as big-endian number and looks like first 4 bytes of 0x06 chunk are used to initialize it (it also seems to be that chunk size minus four bytes).

LSFR update algorithm:

 calculate sum by modulo 2 of bits 31, 21, 3 and inverted bit 0
 shift register contents left by one bit and store new sum in LSB
 repeat 4 times

0xA0000102

There should be up to two chunks.

First byte gives the chunk number (0 or 1).

Second byte tells how many 16-bit words of actual dat this chunk has (up to 128).

The rest of chunk is 16-bit words.

0xA0000103

First byte - ID?

Seems to be similar to 0xA000010B

0xA0000106

First 32-bit word is used to initialise LSFR key.

0xA0000109

Byte 0 - ? Byte 1 - ? Byte 2 - ?

0xA000010B

First byte - chunk ID.

0xA000010E

Also seems to be related to 0xA000010B

First byte - chunk ID.


0xA0000112

This represents some 2D array.

First byte is number of elements per line. Second byte seems to be padding. Following 16-bit word is number of lines.

The rest of chunk is 16-bit words forming some 2D array.

0xA0000119

Another extended form of 0xA000010B?