New Firmware / New Features

[sbingner]

That sounds about right... but what happens when we load a bad program onto the 8051?  how do we reflash it?

[az1324]

As far as the power, don't we just have to do some bit-flipping once we figure out how stuff is plugged into the 8051?

Yeah that is the key -- having the full schematic of how that chip is wired up. 

After that there are many open source programs that interface with head units that could be ported over.

[phatchicken]

That sounds about right... but what happens when we load a bad program onto the 8051?  how do we reflash it?

I get the feeling we don't need to worry about that.  There are two firmware areas on that 8051, one is a 4k section and the other is 64k.

From the Winbond datasheet:

The W78E516B contains a 64K bytes of main MTP-ROM and a 4K bytes of auxiliary MTP-ROM which allows the contents of the 64KB main MTP-ROM to be updated by the loader program located auxiliary MTP-ROM;

Plus, wouldn't it behoove the makers of the box to not allow its customers to brick the box?

[sbingner]

Right, it accepts it over the serial port, but the question is if it'll let us turn the box on to initiate that... perhaps it will just default to powering on the 7312 processor then?

Worst case we can probably short a couple pins to make it power on the 7312...

[phatchicken]

Right, it accepts it over the serial port, but the question is if it'll let us turn the box on to initiate that... perhaps it will just default to powering on the 7312 processor then?

I can program my extra PhatBox with empty firmware, and see what happens.  That would be a definitive test.

Here is the firmware.pac file which I will try:

39 50 01 0f fd 00 08 01 23 45 67 89 ab cd ef

[phatchicken]

I programmed the box with the bogus firmware, and it didn't do very much.  After that, I replaced the bogus firmware with the old firmware, and reprogrammed the box.  When it was done reprogramming, it worked fine.  So, there shouldn't be any danger in programming new firmware.

[sbingner]

Perfect... time to break out my bench setup... and my office looks so neat right now!

[sbingner]

Code: [Select]

Simple perl script to generate firmware.pac files.

Usage: "perl genfirmare firmware.bin > firmware.pac"
[code#!/usr/bin/perl
use strict;

my @hdr = (0x39, 0x50, 0x1, 0x0f, 0xfd, 0, 0);

die "ERROR: Provide a file as argument\n" unless (-f $ARGV[0]);
my @info = stat($ARGV[0]);
my $padding;
if ((my $size = $info[7]) > 0)
{ # If size > 0
        $padding = 8-($size%8);
        $hdr[5] = ($size>>8)&0xff;            # set size high
        $hdr[6] = $size&0xff;                 # set size low
        die "ERROR: Your firmware is way too big\n" if (($size>>16)&0xff);
        printf(STDERR "Firmare size: 0x%02x high: %02x low: %02x padding:%d\n", $size, $hdr[5], $hdr[6], $padding);
} else {
  die "Foolishly refusing to create a zero-sized firmware";
}
my $hdr = pack('C7', @hdr);
open(FILE, $ARGV[0]) or die "ERROR: Unable to open $ARGV[0]\n";
{
  local $/;
  print $hdr, <FILE>;
  if ($padding) {
    for (1..$padding) {
      print chr(0);
    }
  }
}
close(FILE);

EDIT: oops, forgot padding

[sbingner]

Why did it take me so long to find this?

Code: [Select]

~ # /dos/51d help
Arguments:
update - force update
blank - blank uC
update_noenc - force unencrypted update, depricated?
 
Environment variables:
uC_ISP_TIMEOUT - timeout in old-style ISP programming, in uSec
uC_ROLLINS_TIMEOUT - timeout in ProtoPhat2 communications, in uSec
uC_CONTROL_OFF - Don't connect to media daemon (e.g. - using WavePC)

[VorTechS]

Because you couldn't see the forest for the trees?

[sbingner]

I decided if I kept trying to get 51d to do it for me I was going to have to break something... so I did this instead:

http://phatos.cvs.sourceforge.net/phatos/51d/

It will now (on my system) happily replace 51d to the extent that it will:

• Keep the phatbox from rebooting
• Make phatd play songs and tell the 8051 the track/disk name and the first 11 chars of the titles

I still need to add firmware update code, a routine to write multi-part text values, and some parsing of phatbox.ini.  The first two tasks are actually the same one since that's how it updates the firmware too.  It's pretty simple, but I'm tired...

EDIT: I already had code to init the DSP... and it seems to be working, so I put it back in.

[sbingner]

FYI: There is a type in the output of "51d help"

Where it says

Code: [Select]

uC_CONTROL_OFF - Don't connect to media daemon (e.g. - using WavePC)It should really say

Code: [Select]

uC_CONTROLL_OFF - Don't connect to media daemon (e.g. - using WavePC)
This is why I couldn't get it to run with those parameters.

[sbingner]

ok, so when it sends 3 in the firmware update field, it doesn't initate a firmware upload.  But when it boots after a cold power off... it's booting from the 4K ROM.  When you send 3 then, it uploads the file.  I uploaded a valid firmware that way and it did NOT work.  This makes me think that it probably actually did what we expect.   The encrypt bit must apply to OUTPUT data only, and it will accept input either way?

[sbingner]

OK, first step... I need to figure out how to write a program for the 8051 that just tells it to turn on the system... heh.

I THINK upload is working   but I won't really know if it works, or just takes a bad upload until I have a program that does something I can see.  I tried blinky LED sample program but of course that's not what's really hooked up to those ports on the 8051... the LED is connected to the 7312.

[shoora]

I want to allocate some time in development of 51d. As I understand this thing is not much more than pipeline between 8051 chip and phatd?
I am familiar with IDA and can try understand some things from original program.
sbingner! do you have task for me to do?

[sbingner]

I want to allocate some time in development of 51d. As I understand this thing is not much more than pipeline between 8051 chip and phatd?
I am familiar with IDA and can try understand some things from original program.
sbingner! do you have task for me to do?

The source is on sourceforge (http://sf.net/projects/phatos) -- feel free to try to flesh out the 51d...  I haven't been working on it recently, but having a full replacement would be useful... there are obvious work-arounds we could do to make it have more options...

What we REALLY want is to get custom firmware loadable to the 8051...

[ccdalla]

** updated, because I thought of new stuff while fixing typos **

Maybe I'll take a look at the 8051 as well...I'd be very surprised if there weren't some way for us to get our own code into the chip, even if we have to fully erase the thing to make it happen.

I looked over Winbond's (very terse) data sheet on that part awhile back, and if I recall correctly the type of security the thing uses, it's basically a sort that allows the contents of the chip to be read back out, but unless the person doing the reading knows what the security key is, they can't directly read the output data.  Typically, the way that type of security works is, there's an 8-, 16-, or 64-byte key that's programmed into special registers on the MCU, and when the code is read out of the processor, each N-byte block is XORed with the security key.

Often times, this type of security can be worked around if the person programming the part is lazy, because if they leave unprogrammed locations unprogrammed, then reading the chip results in a bunch of garbled code, followed by a bunch of repeated blocks of the same data, which will usually be the key XORed with 0xFF (in rare cases, it'll just be the key, because some compilers produce .HEX files that stuff 0's into unused locations).

One thing that you can often do to decide if you've decrypted the data correctly on this type of processor is to look at the byte at locations 0x0000, 0x0003, and 0x0013 - Usually, they'll all be 0x02, because those locations are the reset vectors and a couple of interrupt vectors, respectively, so the instruction at those locations is often an LJMP to the appropriate handler.

Of course, all this assumes that our primary intent is to decrypt the code that's already in the MCU- in actual fact, if our goal is just to get fully custom firmware into the thing, then the existing firmware is a moot point- we just need to be able to communicate with the ARM sufficiently well to convince it that we're a bona fide product of the Phatnoise labs, and not some poseur trying to make the Phatbox do something it's creators didn't originally intend...and based on what I recall from the Wiki, we have a reasonably good idea of what that communication looks like.

Once we've made the ARM happy, there's no reason in the world that we can't add whatever esoteric functionality we want for a given head unit, provided we have an understanding of that head unit's interface.

-c