Talk:RCA DSB772WE Streaming Media Player

From eLinux.org
Jump to: navigation, search

The LG BD5xx players seem to have also had similar internals as the RCA-DSB and ST6xx media players. I came across these instructions on getting a terminal from a defunct BD5xx hacking site, still listed on archive.org

As terminal software can be used PuTTY. COM1 - 115200 8 N 1. After connecting the converter and runnig PuTTY you should power on player and quickly press Ctrl+C. You can see on the screen:


BCM76300010
Setting NAND Params
CFE starting from ROM
Chip specific init
TLB init
Board init
Starting memory configuration 
Valid memory config = D3128256
Disable refresh - set byte lane 8
Setting up PLL
Setting up memory controller
Enable DDR encryption
SoooooooooooooooR
Preparing to copy code to RAM
Prepare for NAND loading
Starting code in RAM
Booting Secured CFE...
BCM97630 B0-SEC-lg8_100126r0  CFE v2.11.10 (CFE core v2.11, BSP_REV 10), Endian Mode: Little
Build Date: 2010. 01. 26. (í) 11:36:34 KST (khy2766@nexus)
Copyright (C) Broadcom Corporation.
*jjc* PROD_REVISION is 0x76300010
*jjc* is 7630
DDR                        : Bank0:128MB@667MHz | Bank1:256MB@667MHz
NAND Boot                  : FlashSize 256MB on CS0, BlkSize 128KB, PgSize 2048B
NAND vendor timing         : 98da9015 Toshiba TC58NVG1S3ETA00 SLC  t1(33535233) t2(80000b98)
Secure boot                : Enabled
Port lock                  : Enabled
doupdatecheck: nothing new and no try_count
Timestamp started ...
booting ARM...
Reading flash0.ofefw.1 to V:0x80000000 from offset 0 len 1048576
validating ofe fw_ldt@0x800fffb0 ...
parsed fw_ldt@800fffb0 : ws0_sadr=0xc0000 ws0_eadr=0xdffff prodid:BD READER R02
parsed fw_ws @800c0000 : vendor: LGH08SAN prodid: LG H08SAN BC7630
Reading flash0.ofews.1 to V:0x80100000 from offset 0 len 131072
parsed  WS@80100000 :  Vendor:LGH08SAN Prodid:LG H08SAN BC7630
updating fw_ws@800c0000 with flash0.ofews.1
ws was updated in the fw image succesfully
booting ARM...ofefw@0x2fd00000
done
Elapsed time  263mS (263280 uS)
Automatic startup canceled via Ctrl-C
CFE> ^C

You can use some CFE commands to see some important information. First try to type HELP <ENTER>

CFE> help
Available commands:
info                Show CFE configuration information
splashsd            Load's and Display's yuv:422 Splash Screen image
splash              Load's and Display's yuv:422 Splash Screen image
loop                Loop a command
dir                 List the directory of a FAT file system
macprog             Program MAC addresses.
macprog2            Program a specific MAC address.
initadv7622         Initialze adv7622 for HDMI showing CFE Logo
tstamp              Time stamp utility
flashmarkbb         Marks a specified block bad
flasherase          Erases a flash partition
flasheeprom         Update the EEPROM device on board
flash               Update a flash memory device
memtest             Test memory.
f                   Fill contents of memory. 
e                   Modify contents of memory.
d                   Dump memory.
u                   Disassemble instructions.
reboot              Invoke hardware reboot.
batch               Load a batch file into memory and execute it
go                  Start a previously loaded program.
load                Load an executable file into memory without executing it
save                Save a region of memory to a remote file via TFTP
boot                Load an executable file into memory and execute it
ping                Ping a remote IP host.
ifconfig            Configure the Ethernet interface
sleep               Sleep for specified milliseconds.
show heap           Display information about CFE's heap
show memory         Display the system physical memory map.
show devices        Display information about the installed devices.
unsetenv            Delete an environment variable.
printenv            Display the environment variables
setenv              Set an environment variable.
help                Obtain help for CFE commands
For more information about a command, enter 'help command-name'
*** command status = 0
CFE> 
 

INFO command shows information about CFE.


CFE> info
========================================================================
DDR                        : Bank0:128MB@667MHz | Bank1:256MB@667MHz
NAND Boot                  : FlashSize 256MB on CS0, BlkSize 128KB, PgSize 2048B
NAND vendor timing         : 98da9015 Toshiba TC58NVG1S3ETA00 SLC  t1(33535233) t2(80000b98)
Secure boot                : secure boot enabled, BSECK locked
Port lock                  : Enabled
Total memory used by CFE:  0x87000000 - 0x870936E4 (603876)
Initialized Data:          0x8708F860 - 0x87092C00 (13216)
BSS Area:                  0x87092D00 - 0x870936E4 (2532)
Local Heap:                0x87093800 - 0x87893800 (8388608)
Stack Area:                0x87893800 - 0x87895800 (8192)
Text (code) segment:       0x87000000 - 0x87023E18 (146968)
CFE driver build information:
LDR:   ELF   1; BIN   1; SREC  1
UI:    LEVEL 3; MIN   0
FS:    FAT   1; FAT32 1
NET:   STACK 1; ENET  1; TCP   0
USB:   STACK 0; ETH   1; DISK  1; SERIAL   1; HID 1
FLASH: NAND
p starts at b152a004, ends at b152a004
Total mem_sys_init write to register 0 times
Step    Address         Value
=====================================
*** command status = 0
CFE>

Important command PRINTENV shows information about system STARTUP. Don't try to change anything here using SETENV command!!!


CFE> printenv
Variable Name        Value
-------------------- --------------------------------------------------
       BOOT_CONSOLE uart0
        ETH0_HWADDR E8:5B:5B:A1:48:0D
            STARTUP splash -576p; boot -z -elf flash0.kernel: 'root=/dev/romblock10 ro rootfstype=squashfs videotype=PAL memcfg=384 
                    OFE_SB=y quiet console=0,115200n8'
        CFE_VERSION 2.11.19
      CFE_BOARDNAME BCM97630 B0-SEC-RDEN400
     CFE_MEMORYSIZE 128
*** command status = 0
CFE>
 

If you want to get an access to ROOT of operating system and see BOOT process you need to use command below:

splash -576p; boot -z -elf flash0.kernel: 'root=/dev/romblock10 ro rootfstype=squashfs videotype=PAL memcfg=384 OFE_SB=y verbose debug console=0,115200n8 single ro'


CFE> splash -576p; boot -z -elf flash0.kernel: 'root=/dev/romblock10 ro rootfstype=squashfs videotype=PAL memcfg=384 OFE_SB=y verbose 
console=0,115200n8 single ro'
Display splash screen
Using valid user input parameters - Resolution 576p on Component
[ Default Video ] :  Current Video Output : Component @ Resolution : 576p
Loading PAL SD image to 0x06646c00 size 829440 bytes
Reading flash0.splash to V:0xa6646c00 from offset 4838400 len 829440
Done displaying splash screen
Reading flash0.splash to V:0xa6e00000 from offset 5667840 len 44
Loader:elf Filesys:raw Dev:flash0.kernel File: Options:root=/dev/romblock10 ro rootfstype=squashfs videotype=PAL memcfg=384 OFE_SB=y 
verbose console=0,115200n8 single ro
Loading: 0x80008000/5427744 0x80535220/1327744
Successfully loaded secure elf image....
Entry address is 0x8000c330
Starting program at 0x8000c330
[    0.000000] -- DDR Bank 0: 128 MB
[    0.000000] -- DDR Bank 1: 256 MB
[    0.000000] Linux version 2.6.28.9 (ykhong@hyori) (gcc version 4.2.0 20070124 (prerelease) - BRCM 10ts-20080721) #189 Thu Jan 28 
18:54:14 KST 2010
[    0.000000] Kernel command line: root=/dev/romblock10 ro rootfstype=squashfs videotype=PAL memcfg=384 OFE_SB=y verbose 
console=0,115200n8 single ro
[4294667.366000] DIGSIG: no valid key, digsig security disabled
[4294667.389000] checker_0 control 0x00000008 addr low 0x00001000 hi 0x003be000
[4294667.396000] read rights _0 0xffffffff _1 0xffffffff write rights _0 0x00000000 _1 0x00000000
[4294667.405000] checker_1 control 0x00000008 addr low 0x003bf000 hi 0x027fff80
[4294667.412000] read rights _0 0xffffffff _1 0xffffffff write rights _0 0x00000000 _1 0x00e4f8a0
[4294667.421000] checker_2 control 0x00000008 addr low 0x20000000 hi 0x238fff80
[4294667.428000] read rights _0 0xffffffff _1 0xffffffff write rights _0 0x00000000 _1 0x00e4f8a0
[4294667.437000] checker_3 control 0x00000010 addr low 0x2fd00000 hi 0x2fdfff80
[4294667.444000] read rights _0 0xffffffff _1 0xffffffff write rights _0 0x00000000 _1 0x00010000
[4294667.466000] Driver 'sd' needs updating - please use bus_type methods
[4294667.473000] Driver 'sr' needs updating - please use bus_type methods
[4294667.487000] scsi 0:0:0:0: CD-ROM            LGH08SAN LG H08SAN BC7630 0591 PQ: 0 ANSI: 5
[4294667.497000] sr 0:0:0:0: Attached scsi generic sg0 type 5
[4294667.544000] brcmnand_probe: Found SLC device TOSHIBA SLC TC58NVG1S3ETA00
[4294667.550000] brcmnand_probe() oobSize: 16,  pageSize : 2048, blockSize: 131072<7>Writing nand config register 0x01402848 with 
0x16152300 
[4294667.585000] Creating 20 MTD partitions on "bcm7xxx-nand":
[4294667.591000] 0x00000000-0x00100000 : "cfe"
[4294667.596000] 0x00100000-0x00700000 : "splash"
[4294667.601000] 0x00700000-0x00700090 : "macadr"
[4294667.606000] mtd: partition "macadr" doesn't end on an erase block -- force read-only
[4294667.614000] 0x00700090-0x00700800 : "nvram"
[4294667.619000] mtd: partition "nvram" doesn't start on an erase block boundary -- force read-only
[4294667.628000] 0x00700800-0x00800000 : "virtual"
[4294667.633000] mtd: partition "virtual" doesn't start on an erase block boundary -- force read-only
[4294667.642000] 0x00800000-0x00900000 : "bct"
[4294667.647000] 0x00900000-0x00b00000 : "dbg" 
[4294667.652000] 0x00b00000-0x00f00000 : "kernel1"
[4294667.657000] 0x00f00000-0x01300000 : "kernel"
[4294667.662000] 0x01300000-0x07900000 : "rootfs1"
[4294667.668000] 0x07900000-0x0df00000 : "rootfs"
[4294667.674000] 0x0df00000-0x0e000000 : "drmregion"
[4294667.679000] 0x0e000000-0x0e100000 : "eeprom"
[4294667.684000] 0x0e100000-0x0f900000 : "setup"
[4294667.689000] 0x0f900000-0x0fb00000 : "ofefw.0"
[4294667.695000] 0x0fb00000-0x0fc00000 : "ofews.0"
[4294667.700000] 0x0fc00000-0x0fe00000 : "ofefw.1"
[4294667.705000] 0x0fe00000-0x0ff00000 : "ofews.1"
[4294667.710000] 0x00700000-0x00800000 : "config"
[4294667.715000] 0x00000000-0x0ff00000 : "all"
#

You have an ROOT access of uCLinux in single mode

# cat /etc/fstab
none    /dev/pts        devpts  gid=5,mode=620  0 0
none    /sys            sysfs   defaults        0 0
none    /proc           proc    defaults        0 0
none    /proc/bus/usb   usbfs   defaults        0 0
none    /usr/vfs        ramfs   size=5m         0 0
none    /filecache      ramfs   size=72m        0 0
none    /tmp            tmpfs   size=60m        0 0
none    /var            tmpfs   size=32k        0 0
# 
 

Kernel and Rootfs dump procedure is decribed below assuming that TFTP server has address 192.168.1.150 and player address is 192.168.1.200.[msg] means a Linux reply.

          1. start as ROOT #####
mount -t proc none /proc
mount -t /dev/sda1 /tmp
cd /tmp
ls
cat /proc/mtd
[msg] dev:    size   erasesize  name
[msg] mtd0: 00100000 00020000 "cfe"
[msg] mtd1: 00600000 00020000 "splash"
[msg] mtd2: 00000090 00020000 "macadr"
[msg] mtd3: 00000770 00020000 "nvram"
[msg] mtd4: 000ff800 00020000 "virtual"
[msg] mtd5: 00100000 00020000 "bct"
[msg] mtd6: 00200000 00020000 "dbg"
[msg] mtd7: 00400000 00020000 "kernel1"
[msg] mtd8: 00400000 00020000 "kernel"  <----- THIS
[msg] mtd9: 06600000 00020000 "rootfs1"
[msg] mtd10: 06600000 00020000 "rootfs" <----- THIS
[msg] mtd11: 00100000 00020000 "drmregion"
[msg] mtd12: 00100000 00020000 "eeprom"
[msg] mtd13: 01800000 00020000 "setup"
[msg] mtd14: 00200000 00020000 "ofefw.0"
[msg] mtd15: 00100000 00020000 "ofews.0"
[msg] mtd16: 00200000 00020000 "ofefw.1"
[msg] mtd17: 00100000 00020000 "ofews.1"
[msg] mtd18: 00100000 00020000 "config"
[msg] mtd19: 0ff00000 00020000 "all"
ifconfig eth0 192.168.1.200 netmask 255.255.255.0 up
nanddump /dev/mtd8 -f kernel.gz
[msg] Block size 131072, page size 2048, OOB size 64
[msg] Dumping data starting at 0x00000000 and ending at 0x00400000...
tftp -p 192.168.1.150 -l kernel.gz
ls
[msg] kernel.gz
rm kernel.gz 
nanddump /dev/mtd10 -s 0 -l 53477375 -f rootfs_1.bin
[msg] Block size 131072, page size 2048, OOB size 64
[msg] Dumping data starting at 0x00000000 and ending at 0x032fffff...
tftp -p 192.168.1.150 -l rootfs_1.bin 
ls
[msg] rootfs_1.bin
rm rootfs_1.bin
nanddump /dev/mtd10 -s 53477376 -l 53477376 -f rootfs_2.bin
[msg] Block size 131072, page size 2048, OOB size 64
[msg] Dumping data starting at 0x03300000 and ending at 0x06600000...
tftp -p 192.168.1.150 -l rootfs_2.bin
ls
[msg] rootfs_2.bin
rm rootfs_2.bin
          1. End of DUMP procedure #####


The dump of rootfs was made in two parts which were concatenated into one file. Files to download:

kernel 8.31.231C.gz   - 4 MB
rootfs 8.31.231C.rar  - 67,9 MB 

<begin>

We will dump mtds' data directly to remote NFS mount - by Aleksey

[Preparations (if you don't already have modified rootfs with telnet)]

1. Prepare NFS share on PC, which have enough freespace (~600 Mb for full dump). Assuming you doing it at linux.

  Owner of the shared folder: root
  Access mode: rwx for all (chmod u+rwx,o+rwx,g+rwx /path/to/share)

2. Boot BD560 in verbose & single mode.

3. Run partially /etc/init.d/rcS:

  export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
  export LD_LIBRARY_PATH=.:/usr/local/lib
  mount -a
  echo /sbin/hotplug > /proc/sys/kernel/hotplug 
  cat /proc/sys/kernel/sched_rt_period_us > /proc/sys/kernel/sched_rt_runtime_us
  echo 131071 > /proc/sys/net/core/rmem_max
  echo 131071 > /proc/sys/net/core/wmem_max
  echo "4096 87380 2080768" > /proc/sys/net/ipv4/tcp_rmem
  echo "4096 16384 2080768" > /proc/sys/net/ipv4/tcp_wmem
  mkdir /var/lock /var/log /var/run /var/tmp
  touch /var/run/utmp /var/log/wtmp
  chgrp utmp /var/run/utmp /var/log/wtmp
  chmod 0664 /var/run/utmp /var/log/wtmp
  ifconfig lo 127.0.0.1 netmask 255.0.0.0 up
  date 080100002010
  portmap

4. Up the network: ifconfig eth0 192.168.1.254 (ip is example, use any you like/can)

5. Mount remote fs: mount your_pc_ip:/path/to/share /mnt/nfs

[Dumping]

1. List mtds you have (useful): cat /proc/mtd

2. Chdir to /mnt/nfs

3. This is simple inline script for dumping all mtds (type at '#' prompt):

  for n in `seq 0 19`; do nanddump -f mtd$n.dump /dev/mtd$n; done

4. You should got 20 files in your shared folder:

  leshij[/home/share/nand/new]$ ls -l 
 -rw-r--r-- 1 nobody nogroup   1048576 2010-10-17 13:43 mtd0.dump
 -rw-r--r-- 1 nobody nogroup 106954752 2010-10-17 13:45 mtd10.dump
 -rw-r--r-- 1 nobody nogroup   1048576 2010-10-17 13:45 mtd11.dump
 -rw-r--r-- 1 nobody nogroup   1048576 2010-10-17 13:45 mtd12.dump
 ...etc...


[Restoring] - WARNING WARNING - this can be dangerous step. You should know what you're doing. Of course you have second partition with kernel and rootfs and you can restore system but you must be careful :)

1. Assuming you still at /mnt/nfs and there is located mtdX.dump you want to write to NAND partition mtdX.

2. Even simplier:

  nandwrite -e /dev/mtdX mtdX.dump

3. This will flash all acontents of mtdX with erasing first (-e key).

There are no threads on this page yet.