SPMP8k NAND Overview and NAND File Dump Tool - beta

Filed under: MP5 | January 29, 2010 @ 8:37 am (Views: 497)

As you probably know, we’ve been busy dumping the raw NAND page data of the SPMP8k to see what mysteries it holds.  The answer, surprisingly, is: not many!  That is a good thing; mysteries buried deep in the ROM are never welcome.

One interesting note is that there are three filesystems on the flash:

BOOTFS: Bootcode (2nd stage) and RedBoot.  Starts at page 0.
RO(M)FS: System software.  Starts at page 0x2000.
FAT: The mass storage you can see over USB.  Takes up the rest of the flash.

The first filesystem is BOOTFS (our name, by the way; it was just the first thing that came to mind).  This filesystem resides in the first few pages of flash.  It consists of several one-page (4 kB) functions followed by the RedBoot binary.  This is what you’d find in firmware files such as BOOT_V15.IMG.

The ROM bootstrapper (+++MMP RomCode…) searches the first few NAND pages for the magic bytes 33 CC AA 55.  This marks the start of a set of very crude allocation tables which point to two binary files: the one responsible for initializing the DRAM, and the RedBoot binary.

The bootstrapper loads and executes DRAM_Init() from flash, and once it has 16 MB of DRAM available it loads RedBoot into it and hands off control.
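As an added example (not code from the original page, and not one of the Sunplus or Openschemes tools), here is a small Python script that applies the layout above to a raw page dump.  It uses the page geometry printed by the ISP banner quoted in the comments below (4096-byte payload plus 64 redundant and 64 spare bytes, 128 pages per block), scans only the payload area of the first few pages for the 33 CC AA 55 marker the way the ROM bootstrapper does, and turns the ROMFS start page into a block number and a byte offset you can seek to in the dump file.  The width of the bootstrapper's search window (8 pages) is an assumption, and the sample dump is constructed, not real SPMP8k data.

```python
"""Locate BOOTFS/ROMFS in a raw SPMP8k NAND dump (added example, not the page's tool)."""

# Page geometry as printed by the ISP banner (u16PyldLen, u16ReduntLen,
# u16SpareLen, u16PageNoPerBlk); RAW_PAGE_LEN matches u16PageSize = 4224.
PAYLOAD_LEN = 4096
REDUNDANT_LEN = 64
SPARE_LEN = 64
RAW_PAGE_LEN = PAYLOAD_LEN + REDUNDANT_LEN + SPARE_LEN
PAGES_PER_BLOCK = 128

BOOTFS_MAGIC = bytes.fromhex("33CCAA55")   # marker the ROM bootstrapper looks for
ROMFS_START_PAGE = 0x2000                  # from the layout above
BOOT_SEARCH_PAGES = 8                      # assumption: how many "first few pages" to scan


def page_payload(raw, page):
    """Return the 4096-byte payload of one page, skipping the OOB bytes that follow it."""
    start = page * RAW_PAGE_LEN
    chunk = raw[start:start + PAYLOAD_LEN]
    if len(chunk) != PAYLOAD_LEN:
        raise ValueError("page 0x%x is beyond the end of the dump" % page)
    return chunk


def find_bootfs_magic(raw, search_pages=BOOT_SEARCH_PAGES):
    """Scan the payload of the first `search_pages` pages for 33 CC AA 55.
    Returns (page, offset_in_page) or None.  OOB bytes are deliberately ignored,
    so a marker that only appears in redundant/spare data is not reported."""
    total_pages = len(raw) // RAW_PAGE_LEN
    for page in range(min(search_pages, total_pages)):
        off = page_payload(raw, page).find(BOOTFS_MAGIC)
        if off != -1:
            return page, off
    return None


def page_to_raw_offset(page):
    """Byte offset of a page in a dump that stores payload and OOB together."""
    return page * RAW_PAGE_LEN


def page_to_block(page):
    return page // PAGES_PER_BLOCK


def region_starts():
    """Start of each filesystem in pages, blocks and raw-dump bytes.  The page
    only says FAT 'takes up the rest', so its boundary is reported as None."""
    table = {}
    for name, page in (("BOOTFS", 0), ("ROMFS", ROMFS_START_PAGE)):
        table[name] = {"page": page,
                       "block": page_to_block(page),
                       "raw_offset": page_to_raw_offset(page)}
    table["FAT"] = {"page": None, "block": None, "raw_offset": None}
    return table


def make_sample_dump(magic_page=2, magic_offset=0x40, pages=16):
    """Constructed dump: erased (0xFF) pages including OOB, with the marker
    planted at one raw offset.  Not real SPMP8k data."""
    dump = bytearray(b"\xff" * (pages * RAW_PAGE_LEN))
    pos = magic_page * RAW_PAGE_LEN + magic_offset
    dump[pos:pos + len(BOOTFS_MAGIC)] = BOOTFS_MAGIC
    return bytes(dump)


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_dump()
    print("BOOTFS magic:", find_bootfs_magic(raw))
    for name, where in region_starts().items():
        print(name, where)
```

Run it with the path to a raw dump as the only argument; with no argument it runs against the constructed sample.  Note that the ROMFS start lands on a block boundary (page 0x2000 is block 64), which is what you would expect for a region boundary on block-erased NAND.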

RedBoot either gets interrupted by you for nefarious purposes, or it loads a script which tells it to boot /IMAGE/8000_MMI.RAP.   Woo, directories: now we’re getting fancy!

This second filesystem is called ROMFS (we saw ROFS somewhere too), but it does not seem to be compatible with the actual ROMFS that was around long before the SPMP.  It’s still a fairly simple filesystem though, and can be explored from RedBoot by mounting the device /dev/nf2 and using the ls command, as we’re sure you’ve already done.

ROFS/ROMFS seems to be the whole kit & kaboodle of the eCos platform, containing executables, codecs and emulators as well as tons of XML files for configuration.  This filesystem is what is contained in the big (>50 MB) software files generated by the SKLOGO tool.

But SKLOGO simply takes different binary chunks and pastes them together; other than hex editing (which seems to work pretty well, à la Jaime) it is difficult to make significant changes to the filesystem.  And that’s something that you KNOW we’re going to want to do.

In order to have free rein over the filesystem, it is easiest to unpack the entire ROFS filesystem into its individual files and directories and modify it at will.  Then it’s pretty easy to use the Sunplus tools to repack and reflash your new filesystem to the device.

SIDE NOTE:

We were very disappointed/entertained to see the following entries in the directory dump:

/IMAGE/GAME/GAME_CONFIG.TXT 22963
/IMAGE/GAME/GBA_BIOS.BIN 16384
/IMAGE/GAME/GPSP.BIN 776004

Because it means that not only has Sunplus ripped off GNU/eCos, they have also ripped off Exophase as well as Nintendo.  I mean, couldn’t you at least have renamed them to data.dat1 and data.dat2?  No shame.  Still a nice IC though, so we’re happy to keep plugging along in the hope of getting SOMETHING legal onto this little device. :)

The bright side is that we’ve invented a new game: Take a shot whenever you find something pirated, stolen, or used without permission in the Sunplus ‘8k PMP.  We’ve been hammered for days.

OK, OK, on to the dump tool.  Let us preface this with the warning that if you already have a copy of your firmware, there are much easier ways to extract its goods than the following tool.  This tool is a glorified console script that can also convert ASCII to bin.  Downloading the entire software image will take time: (5.25 × Size) / 115.2 kbaud as a rough estimate, where 5.25 is a rough multiplier accounting for the ASCII conversion and protocol overhead.

We’re talking hours, folks.  About 6-7 h if your RS-232 port is reliable.  If you’re like us and want an exact copy of one device on another, then this is a little faster than a NAND dump, so it might be a viable option.  A more likely use would be to download all the XML config data for your device to merge into the resource directory of another firmware.  But IMO, letting an inanimate object work itself to death all night while we sleep is not a big deal.
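The ASCII-to-binary step is the part of any console dumper that quietly goes wrong when a line is lost on a marginal RS-232 link.  As an added example (not the Openschemes tool, whose actual format is on page 2), here is a Python converter that assumes RedBoot’s `dump` line shape (`0xADDR: 16 hex bytes  |ascii|`), refuses any break in the address sequence instead of silently concatenating what survived, reports the characters-per-byte ratio that a multiplier like 5.25 comes from, and turns that into a wall-clock estimate at 8N1 (10 bits per character on the wire).  The console capture is constructed; the line format is an assumption.

```python
"""Convert a captured RedBoot-style ASCII dump back to binary (added example)."""
import re

# Assumed dump-line shape (RedBoot's `dump` output); not the page's own tool format.
DUMP_LINE = re.compile(r"^0x([0-9A-Fa-f]{8}):\s+((?:[0-9A-Fa-f]{2}\s+)+)\|")

# Constructed console capture, not real SPMP8k data.
SAMPLE_CAPTURE = (
    "RedBoot> dump -b 0x00000000 -l 32\n"
    "0x00000000: 33 CC AA 55 01 02 03 04  05 06 07 08 09 0A 0B 0C  |3..U............|\n"
    "0x00000010: 0D 0E 0F 10 11 12 13 14  15 16 17 18 19 1A 1B 1C  |................|\n"
    "RedBoot>\n"
)


def ascii_dump_to_bin(text, expect_start=None):
    """Convert captured dump lines back to bytes.  Lines that are not dump rows
    (prompts, echoed commands) are skipped; a gap or overlap in the address
    sequence raises, because one dropped line on a flaky serial link would
    otherwise silently shift every byte after it."""
    out = bytearray()
    expected = expect_start
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        if expected is not None and addr != expected:
            raise ValueError("line %d: address 0x%08x but expected 0x%08x"
                             % (lineno, addr, expected))
        out += data
        expected = addr + len(data)
    return bytes(out)


def ascii_overhead(capture):
    """Console characters transferred per binary byte recovered; this ratio
    is where a multiplier like the 5.25 above comes from."""
    data = ascii_dump_to_bin(capture)
    return len(capture) / len(data) if data else float("inf")


def estimate_hours(size_bytes, baud=115200, multiplier=5.25):
    """Wall-clock estimate for pulling `size_bytes` through the console.
    Assumes 8N1 framing, i.e. 10 bits on the wire per character."""
    chars_per_second = baud / 10.0
    return multiplier * size_bytes / chars_per_second / 3600.0


if __name__ == "__main__":
    blob = ascii_dump_to_bin(SAMPLE_CAPTURE)
    print(blob.hex(), "overhead x%.2f" % ascii_overhead(SAMPLE_CAPTURE))
    print("50 MB at 115200 baud: %.1f h" % estimate_hours(50 * 1000 * 1000))
```

Pass `expect_start` when you know the address the dump was started at, so a missing first line is caught as well.  A 16-byte row costs about 80 characters plus the line ending, so the per-row ratio alone is just over 5; prompts and echoed commands push the effective multiplier up toward the 5.25 used above.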

If you’re not scared off yet, then please continue to the next page (page 2)…




    12 Comments

    1. Comment by Reed:

      This is very exciting! I still haven’t got serial communication over Arduino working yet (I can only read, no send). Is there a way to get this working over Arduino, or do I need to build a special FT232 board?

    2. Comment by openschemes:

      Reed: One simple test you can do is to connect RX and TX of the Arduino together and try typing in your terminal program. It should display what you typed if the connection is good. If you don’t see what you typed when RX and TX are connected, there is something wrong with your Arduino code, or your Arduino serial port is damaged. I hope that’s not the case!

      If that test passes, but transmit is still buggy… It may be that the ground of your PMP device is not exactly the same as the ground of your RS232 port. Here, that would be the ground of the Arduino board.

      If your Arduino board passed the loopback test above, then perhaps this would help: Try plugging a USB cable into the PMP and with alligator clips, connect the metal shield of the usb connector to the GND of the Arduino board.

    3. Comment by Reed:

      It turned out that my Arduino Mega’s serial port was tied up with the USB communications. Fortunately the Mega has 4 hardware serial ports so I moved to another port and now it’s working. But I still haven’t been able to get into RedBoot. I’ve tried ctrl-c in normal power on without success. With USB boot in ISP mode, the PMP stops booting with only this:

      KEY is pressed & USB connected
      Enter ISP mode
      NAND_TYPE: SAMSUNG
      prPyld_LDWORD=b655d7ec
      prPyld_HDWORD=7855d778
      u16PageNoPerBlk=128
      u16PageSize=4224
      u16PyldLen=4096
      u16ReduntLen=64
      u16SpareLen=64
      u16TotalBlkNo=8192
      Id=d643abf1

    4. Comment by openschemes:

      Reed: Great, glad to hear the port is working now.

      “KEY is pressed” means that you are holding down a button to go into ISP programming mode. In our case, this is the up button.

      Start up the device with no keys held down - then it should continue booting into normal mode and you will be able to hit the RedBoot console.

    5. Comment by Reed:

      I try hitting ctrl-c before I get to this:

      == Executing boot script in 0.010 seconds - enter ^C to abort
      RedBoot> go -c 0x280040

      But no matter if I press fast or slow, early or late, I never am able to abort.

    6. Comment by openschemes:

      Reed: Right before the PMP displays that message, there is a short delay as RedBoot loads the OS from flash. This is what you see during that time:
      g_PageSize:4096
      pdisk->magic:0x526f6d2e
      pdisk->nodecount:0x3a1
      sizeof(romfs_node):32
      page count:8

      Hit Ctrl-C right when you see this. 60% of the time, it works every time! Just kidding - it’s very reliable for us, I don’t have a good idea why your device would not be sending the ^C if you are typing it.

      Try the loopback test (typing with RX and TX connected together) and hit Ctrl-C a few times. Hyperterminal will display a heart to tell you that it loves the fact that you want to hit the bootloader.

      Do you get the heart? If not, our only other guess is that the Arduino is somehow stripping bits. Is there any way to tap into the RX/TX of the FT232 chip instead of using the AVR?

    7. Comment by Reed:

      Yes, I’m getting a heart in Hyperterminal. I tried using PuTTY and Realterm also. I’m not sure of a way to tap into the FT232 chip.

    8. Comment by Reed:

      I got it working! Thanks so much. It turned out I had soldered to the wrong pad. In case anyone else has the JXD 921, here are the pinouts:
      http://i.imgur.com/0h9Rk.jpg
      (Ignore the question marks after the TX, that is in fact the correct pad)

    9. Comment by openschemes:

      Great - congratulations!

    10. Comment by Ahmed:

      I have a copy of my firmware; can you please tell me which program I can open my .img data with?

    11. Comment by openschemes:

      Ahmed: Sounds good!

      The sprdump tool can extract your IMG to files:
      http://www.openschemes.com/modules/wo … lding-spmp8k-os-images/2/

      And there is a new tool called sUNpack that is still in beta, but can browse the files.
      http://mp4nation.net/forum/viewtopic.php?f=24&t=16915&start=0

    12. Comment by luis:

      hi, I’m looking for the firmware of a h802_v3 board, help!

      thx a lot

    Copyright © 2003 by Openschemes  |   |  Design by 7dana.com