Talk:RCA DSB772WE Streaming Media Player

The LG BD5xx players seem to have also had similar internals as the RCA-DSB and ST6xx media players. I came across these instructions on getting a terminal from a defunct BD5xx hacking site, still listed on archive.org

As terminal software can be used PuTTY. COM1 - 115200 8 N 1. After connecting the converter and runnig PuTTY you should power on player and quickly press Ctrl+C. You can see on the screen: BCM76300010 Setting NAND Params CFE starting from ROM Chip specific init TLB init Board init Starting memory configuration Valid memory config = D3128256 Disable refresh - set byte lane 8 Setting up PLL Setting up memory controller Enable DDR encryption SoooooooooooooooR Preparing to copy code to RAM Prepare for NAND loading Starting code in RAM Booting Secured CFE... BCM97630 B0-SEC-lg8_100126r0 CFE v2.11.10 (CFE core v2.11, BSP_REV 10), Endian Mode: Little Build Date: 2010. 01. 26. (í) 11:36:34 KST (khy2766@nexus) Copyright (C) Broadcom Corporation. *jjc* PROD_REVISION is 0x76300010 *jjc* is 7630 DDR                       : Bank0:128MB@667MHz | Bank1:256MB@667MHz NAND Boot                 : FlashSize 256MB on CS0, BlkSize 128KB, PgSize 2048B NAND vendor timing        : 98da9015 Toshiba TC58NVG1S3ETA00 SLC  t1(33535233) t2(80000b98) Secure boot               : Enabled Port lock                 : Enabled doupdatecheck: nothing new and no try_count Timestamp started ... booting ARM... Reading flash0.ofefw.1 to V:0x80000000 from offset 0 len 1048576 validating ofe fw_ldt@0x800fffb0 ... parsed fw_ldt@800fffb0 : ws0_sadr=0xc0000 ws0_eadr=0xdffff prodid:BD READER R02 parsed fw_ws @800c0000 : vendor: LGH08SAN prodid: LG H08SAN BC7630 Reading flash0.ofews.1 to V:0x80100000 from offset 0 len 131072 parsed WS@80100000 :  Vendor:LGH08SAN Prodid:LG H08SAN BC7630 updating fw_ws@800c0000 with flash0.ofews.1 ws was updated in the fw image succesfully booting ARM...ofefw@0x2fd00000 done Elapsed time 263mS (263280 uS) Automatic startup canceled via Ctrl-C CFE> ^C

You can use some CFE commands to see some important information. First try to type HELP  CFE> help Available commands: info               Show CFE configuration information splashsd           Load's and Display's yuv:422 Splash Screen image splash             Load's and Display's yuv:422 Splash Screen image loop               Loop a command dir                List the directory of a FAT file system macprog            Program MAC addresses. macprog2           Program a specific MAC address. initadv7622        Initialze adv7622 for HDMI showing CFE Logo tstamp             Time stamp utility flashmarkbb        Marks a specified block bad flasherase         Erases a flash partition flasheeprom        Update the EEPROM device on board flash              Update a flash memory device memtest            Test memory. f                  Fill contents of memory. e                  Modify contents of memory. d                  Dump memory. u                  Disassemble instructions. reboot             Invoke hardware reboot. batch              Load a batch file into memory and execute it go                  Start a previously loaded program. load               Load an executable file into memory without executing it save                Save a region of memory to a remote file via TFTP boot               Load an executable file into memory and execute it ping                Ping a remote IP host. ifconfig           Configure the Ethernet interface sleep              Sleep for specified milliseconds. show heap          Display information about CFE's heap show memory        Display the system physical memory map. show devices       Display information about the installed devices. unsetenv           Delete an environment variable. printenv           Display the environment variables setenv             Set an environment variable. help               Obtain help for CFE commands For more information about a command, enter 'help command-name' *** command status = 0 CFE>

INFO command shows information about CFE. CFE> info ======================================================================== DDR                       : Bank0:128MB@667MHz | Bank1:256MB@667MHz NAND Boot                 : FlashSize 256MB on CS0, BlkSize 128KB, PgSize 2048B NAND vendor timing        : 98da9015 Toshiba TC58NVG1S3ETA00 SLC  t1(33535233) t2(80000b98) Secure boot               : secure boot enabled, BSECK locked Port lock                 : Enabled Total memory used by CFE: 0x87000000 - 0x870936E4 (603876) Initialized Data:         0x8708F860 - 0x87092C00 (13216) BSS Area:                 0x87092D00 - 0x870936E4 (2532) Local Heap:               0x87093800 - 0x87893800 (8388608) Stack Area:               0x87893800 - 0x87895800 (8192) Text (code) segment:      0x87000000 - 0x87023E18 (146968) CFE driver build information: LDR:  ELF   1; BIN   1; SREC  1 UI:   LEVEL 3; MIN   0 FS:   FAT   1; FAT32 1 NET:  STACK 1; ENET  1; TCP   0 USB:  STACK 0; ETH   1; DISK  1; SERIAL   1; HID 1 FLASH: NAND p starts at b152a004, ends at b152a004 Total mem_sys_init write to register 0 times Step   Address         Value ===================================== *** command status = 0 CFE>

Important command PRINTENV shows information about system STARTUP. Don't try to change anything here using SETENV command!!! CFE> printenv Variable Name       Value --       BOOT_CONSOLE uart0 ETH0_HWADDR E8:5B:5B:A1:48:0D STARTUP splash -576p; boot -z -elf flash0.kernel: 'root=/dev/romblock10 ro rootfstype=squashfs videotype=PAL memcfg=384 OFE_SB=y quiet console=0,115200n8' CFE_VERSION 2.11.19 CFE_BOARDNAME BCM97630 B0-SEC-RDEN400 CFE_MEMORYSIZE 128 *** command status = 0 CFE> If you want to get an access to ROOT of operating system and see BOOT process you need to use command below:

splash -576p; boot -z -elf flash0.kernel: 'root=/dev/romblock10 ro rootfstype=squashfs videotype=PAL memcfg=384 OFE_SB=y verbose debug console=0,115200n8 single ro' CFE> splash -576p; boot -z -elf flash0.kernel: 'root=/dev/romblock10 ro rootfstype=squashfs videotype=PAL memcfg=384 OFE_SB=y verbose console=0,115200n8 single ro' Display splash screen Using valid user input parameters - Resolution 576p on Component [ Default Video ] : Current Video Output : Component @ Resolution : 576p Loading PAL SD image to 0x06646c00 size 829440 bytes Reading flash0.splash to V:0xa6646c00 from offset 4838400 len 829440 Done displaying splash screen Reading flash0.splash to V:0xa6e00000 from offset 5667840 len 44 Loader:elf Filesys:raw Dev:flash0.kernel File: Options:root=/dev/romblock10 ro rootfstype=squashfs videotype=PAL memcfg=384 OFE_SB=y verbose console=0,115200n8 single ro Loading: 0x80008000/5427744 0x80535220/1327744 Successfully loaded secure elf image.... Entry address is 0x8000c330 Starting program at 0x8000c330 [   0.000000] -- DDR Bank 0: 128 MB [    0.000000] -- DDR Bank 1: 256 MB [    0.000000] Linux version 2.6.28.9 (ykhong@hyori) (gcc version 4.2.0 20070124 (prerelease) - BRCM 10ts-20080721) #189 Thu Jan 28 18:54:14 KST 2010 [   0.000000] Kernel command line: root=/dev/romblock10 ro rootfstype=squashfs videotype=PAL memcfg=384 OFE_SB=y verbose console=0,115200n8 single ro [4294667.366000] DIGSIG: no valid key, digsig security disabled [4294667.389000] checker_0 control 0x00000008 addr low 0x00001000 hi 0x003be000 [4294667.396000] read rights _0 0xffffffff _1 0xffffffff write rights _0 0x00000000 _1 0x00000000 [4294667.405000] checker_1 control 0x00000008 addr low 0x003bf000 hi 0x027fff80 [4294667.412000] read rights _0 0xffffffff _1 0xffffffff write rights _0 0x00000000 _1 0x00e4f8a0 [4294667.421000] checker_2 control 0x00000008 addr low 0x20000000 hi 0x238fff80 [4294667.428000] read rights _0 0xffffffff _1 0xffffffff write rights _0 0x00000000 _1 0x00e4f8a0 [4294667.437000] checker_3 control 0x00000010 addr low 0x2fd00000 hi 0x2fdfff80 [4294667.444000] read rights _0 0xffffffff _1 0xffffffff write rights _0 0x00000000 _1 0x00010000 [4294667.466000] Driver 'sd' needs updating - please use bus_type methods [4294667.473000] Driver 'sr' needs updating - please use bus_type methods [4294667.487000] scsi 0:0:0:0: CD-ROM           LGH08SAN LG H08SAN BC7630 0591 PQ: 0 ANSI: 5 [4294667.497000] sr 0:0:0:0: Attached scsi generic sg0 type 5 [4294667.544000] brcmnand_probe: Found SLC device TOSHIBA SLC TC58NVG1S3ETA00 [4294667.550000] brcmnand_probe oobSize: 16, pageSize : 2048, blockSize: 131072<7>Writing nand config register 0x01402848 with 0x16152300 [4294667.585000] Creating 20 MTD partitions on "bcm7xxx-nand": [4294667.591000] 0x00000000-0x00100000 : "cfe" [4294667.596000] 0x00100000-0x00700000 : "splash" [4294667.601000] 0x00700000-0x00700090 : "macadr" [4294667.606000] mtd: partition "macadr" doesn't end on an erase block -- force read-only [4294667.614000] 0x00700090-0x00700800 : "nvram" [4294667.619000] mtd: partition "nvram" doesn't start on an erase block boundary -- force read-only [4294667.628000] 0x00700800-0x00800000 : "virtual" [4294667.633000] mtd: partition "virtual" doesn't start on an erase block boundary -- force read-only [4294667.642000] 0x00800000-0x00900000 : "bct" [4294667.647000] 0x00900000-0x00b00000 : "dbg" [4294667.652000] 0x00b00000-0x00f00000 : "kernel1" [4294667.657000] 0x00f00000-0x01300000 : "kernel" [4294667.662000] 0x01300000-0x07900000 : "rootfs1" [4294667.668000] 0x07900000-0x0df00000 : "rootfs" [4294667.674000] 0x0df00000-0x0e000000 : "drmregion" [4294667.679000] 0x0e000000-0x0e100000 : "eeprom" [4294667.684000] 0x0e100000-0x0f900000 : "setup" [4294667.689000] 0x0f900000-0x0fb00000 : "ofefw.0" [4294667.695000] 0x0fb00000-0x0fc00000 : "ofews.0" [4294667.700000] 0x0fc00000-0x0fe00000 : "ofefw.1" [4294667.705000] 0x0fe00000-0x0ff00000 : "ofews.1" [4294667.710000] 0x00700000-0x00800000 : "config" [4294667.715000] 0x00000000-0x0ff00000 : "all" # You have an ROOT access of uCLinux in single mode none   /dev/pts        devpts  gid=5,mode=620  0 0 none   /sys            sysfs   defaults        0 0 none   /proc           proc    defaults        0 0 none   /proc/bus/usb   usbfs   defaults        0 0 none   /usr/vfs        ramfs   size=5m         0 0 none   /filecache      ramfs   size=72m        0 0 none   /tmp            tmpfs   size=60m        0 0 none   /var            tmpfs   size=32k        0 0 # Kernel and Rootfs dump procedure is decribed below assuming that TFTP server has address 192.168.1.150 and player address is 192.168.1.200.[msg] means a Linux reply.
 * 1) cat /etc/fstab
 * 1) start as ROOT #####

mount -t proc none /proc mount -t /dev/sda1 /tmp cd /tmp ls cat /proc/mtd

[msg] dev:   size   erasesize  name [msg] mtd0: 00100000 00020000 "cfe" [msg] mtd1: 00600000 00020000 "splash" [msg] mtd2: 00000090 00020000 "macadr" [msg] mtd3: 00000770 00020000 "nvram" [msg] mtd4: 000ff800 00020000 "virtual" [msg] mtd5: 00100000 00020000 "bct" [msg] mtd6: 00200000 00020000 "dbg" [msg] mtd7: 00400000 00020000 "kernel1" [msg] mtd8: 00400000 00020000 "kernel" <- THIS [msg] mtd9: 06600000 00020000 "rootfs1" [msg] mtd10: 06600000 00020000 "rootfs" <- THIS [msg] mtd11: 00100000 00020000 "drmregion" [msg] mtd12: 00100000 00020000 "eeprom" [msg] mtd13: 01800000 00020000 "setup" [msg] mtd14: 00200000 00020000 "ofefw.0" [msg] mtd15: 00100000 00020000 "ofews.0" [msg] mtd16: 00200000 00020000 "ofefw.1" [msg] mtd17: 00100000 00020000 "ofews.1" [msg] mtd18: 00100000 00020000 "config" [msg] mtd19: 0ff00000 00020000 "all"

ifconfig eth0 192.168.1.200 netmask 255.255.255.0 up

nanddump /dev/mtd8 -f kernel.gz

[msg] Block size 131072, page size 2048, OOB size 64 [msg] Dumping data starting at 0x00000000 and ending at 0x00400000...

tftp -p 192.168.1.150 -l kernel.gz ls [msg] kernel.gz rm kernel.gz

nanddump /dev/mtd10 -s 0 -l 53477375 -f rootfs_1.bin

[msg] Block size 131072, page size 2048, OOB size 64 [msg] Dumping data starting at 0x00000000 and ending at 0x032fffff...

tftp -p 192.168.1.150 -l rootfs_1.bin

ls [msg] rootfs_1.bin rm rootfs_1.bin

nanddump /dev/mtd10 -s 53477376 -l 53477376 -f rootfs_2.bin

[msg] Block size 131072, page size 2048, OOB size 64 [msg] Dumping data starting at 0x03300000 and ending at 0x06600000...

tftp -p 192.168.1.150 -l rootfs_2.bin

ls [msg] rootfs_2.bin rm rootfs_2.bin

The dump of rootfs was made in two parts which were concatenated into one file. Files to download: kernel 8.31.231C.gz  - 4 MB rootfs 8.31.231C.rar  - 67,9 MB
 * 1) End of DUMP procedure #####

We will dump mtds' data directly to remote NFS mount - by Aleksey

[Preparations (if you don't already have modified rootfs with telnet)]

1. Prepare NFS share on PC, which have enough freespace (~600 Mb for full dump). Assuming you doing it at linux.

Owner of the shared folder: root Access mode: rwx for all (chmod u+rwx,o+rwx,g+rwx /path/to/share)

2. Boot BD560 in verbose & single mode.

3. Run partially /etc/init.d/rcS:

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin export LD_LIBRARY_PATH=.:/usr/local/lib mount -a echo /sbin/hotplug > /proc/sys/kernel/hotplug cat /proc/sys/kernel/sched_rt_period_us > /proc/sys/kernel/sched_rt_runtime_us echo 131071 > /proc/sys/net/core/rmem_max echo 131071 > /proc/sys/net/core/wmem_max echo "4096 87380 2080768" > /proc/sys/net/ipv4/tcp_rmem echo "4096 16384 2080768" > /proc/sys/net/ipv4/tcp_wmem mkdir /var/lock /var/log /var/run /var/tmp touch /var/run/utmp /var/log/wtmp chgrp utmp /var/run/utmp /var/log/wtmp chmod 0664 /var/run/utmp /var/log/wtmp ifconfig lo 127.0.0.1 netmask 255.0.0.0 up  date 080100002010 portmap

4. Up the network: ifconfig eth0 192.168.1.254 (ip is example, use any you like/can)

5. Mount remote fs: mount your_pc_ip:/path/to/share /mnt/nfs

[Dumping]

1. List mtds you have (useful): cat /proc/mtd

2. Chdir to /mnt/nfs

3. This is simple inline script for dumping all mtds (type at '#' prompt):

for n in `seq 0 19`; do nanddump -f mtd$n.dump /dev/mtd$n; done

4. You should got 20 files in your shared folder:

leshij[/home/share/nand/new]$ ls -l

-rw-r--r-- 1 nobody nogroup  1048576 2010-10-17 13:43 mtd0.dump -rw-r--r-- 1 nobody nogroup 106954752 2010-10-17 13:45 mtd10.dump -rw-r--r-- 1 nobody nogroup  1048576 2010-10-17 13:45 mtd11.dump -rw-r--r-- 1 nobody nogroup  1048576 2010-10-17 13:45 mtd12.dump ...etc...

[Restoring] - WARNING WARNING - this can be dangerous step. You should know what you're doing. Of course you have second partition with kernel and rootfs and you can restore system but you must be careful :)

1. Assuming you still at /mnt/nfs and there is located mtdX.dump you want to write to NAND partition mtdX.

2. Even simplier:

nandwrite -e /dev/mtdX mtdX.dump

3. This will flash all acontents of mtdX with erasing first (-e key).