Failed Hack - OEM DMS Won't Boot - Fixed!

[STiDriver]

I have a Kenwood C710 Keg.  I used the PhatHack CD ISO and followed the procs to the letter.  When I put the OEM DMS in with the flash code it showed the song tags for the first song on my first playlist.  The timer was rolling but I had no sound.  At about a minute into the track the headunit displayed 'EJECT' and I heard the hard drive respin like it was rebooting.  This repeated several times while I smashed my head into the steering wheel.

I went ahead and finished the procedure though so that my new drive would be ready to go.  I went ahead and tried the new drive without luck.  I swapped the OEM drive back in, launched PMM, deleted the first playlist, ejected and tried again.  Still won't boot.

Being new to the Phat-hacking I'm thinking my next steps are to add a serial port and hope that I can finish the hack manually.  Any other ideas?

Here's my patch.log:


: No such file or directory
2048+0 records in
2048+0 records out

hdparm - get/set hard disk parameters - version v3.9

Usage:  hdparm  [options] [device] ..

Options:
-a   get/set fs readahead
-A   set drive read-lookahead flag (0/1)
-c   get/set IDE 32-bit IO setting
-C   check IDE power mode status
-d   get/set using_dma flag
-D   enable/disable drive defect-mgmt
-E   set cd-rom drive speed
-f   flush buffer cache for device on exit
-g   display drive geometry
-h   display terse usage information
-i   display drive identification
-I   read drive identification directly from drive
-k   get/set keep_settings_over_reset flag (0/1)
-K   set drive keep_features_over_reset flag (0/1)
-L   set drive doorlock (0/1) (removable harddisks only)
-m   get/set multiple sector count
-n   get/set ignore-write-errors flag (0/1)
-p   set PIO mode on IDE interface chipset (0,1,2,3,4,...)
-P   set drive prefetch count
-Q   print out the drive id only (60bytes\n)
-q   change next setting quietly
-r   get/set readonly flag (DANGEROUS to set)
-R   register an IDE interface (DANGEROUS)
-S   set standby (spindown) timeout
-t   perform device read timings
-T   perform cache read timings
-u   get/set unmaskirq flag (0/1)
-U   un-register an IDE interface (DANGEROUS)
-v   default; same as -acdgkmnru (-gr for SCSI, -adgr for XT)
-V   display program version and exit immediately
-W   set drive write-caching flag (0/1) (DANGEROUS)
-w   flush os cache and wakeup drive
-X   set IDE xfer mode (DANGEROUS)
-y   put IDE drive in standby mode
-Y   put IDE drive to sleep
-Z   disable Seagate auto-powersaving mode
PhatPatch v0.4 - original code by bushing, additional patches by sbingner
Verifying:
Patch 1 @ 0bb8: make drive signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0033 1a00
Unverified!
Patch 2 @ 0bec: make rc.sh signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0026 1a00
Unverified!
Patch 3 @ 0c20: make phatd signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0019 1a00
Unverified!
Patch 4 @ 0c54: make linux signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 000c 1a00
Unverified!
Patch 5 @ 0354: make ramdisk invalid signature return 0 instead of 0xFFFFFFFF: [movlne r0, 0xFFFFFFFF -> movlne r0, #0]
Expected: 0000 13a0    Actual: 0000 13e0
Unverified!
Patch 6 @ 0c80: make ramdisk signature check verify 0 instead of 1: [cmp r0, #1 -> cmp r0, #0]
Expected: 0000 e350    Actual: 0001 e350
Unverified!
Patch 7 @ 0358: make ramdisk valid signature return 0 instead of 1: [moveq r0, #1 -> moveq r0, #0]
Expected: 0000 03a0    Actual: 0001 03a0
Unverified!
Segmentation fault
PhatPatch v0.4 - original code by bushing, additional patches by sbingner
Verifying:
Patch 1 @ 0bb8: make drive signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0000 1a00
Verified!
Patch 2 @ 0bec: make rc.sh signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0026 1a00
Unverified!
Patch 3 @ 0c20: make phatd signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0019 1a00
Unverified!
Patch 4 @ 0c54: make linux signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 000c 1a00
Unverified!
Patch 5 @ 0354: make ramdisk invalid signature return 0 instead of 0xFFFFFFFF: [movlne r0, 0xFFFFFFFF -> movlne r0, #0]
Expected: 0000 13a0    Actual: 0000 13e0
Unverified!
Patch 6 @ 0c80: make ramdisk signature check verify 0 instead of 1: [cmp r0, #1 -> cmp r0, #0]
Expected: 0000 e350    Actual: 0001 e350
Unverified!
Patch 7 @ 0358: make ramdisk valid signature return 0 instead of 1: [moveq r0, #1 -> moveq r0, #0]
Expected: 0000 03a0    Actual: 0001 03a0
Unverified!
Segmentation fault
PhatPatch v0.4 - original code by bushing, additional patches by sbingner
Verifying:
Patch 1 @ 0bb8: make drive signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0000 1a00
Verified!
Patch 2 @ 0bec: make rc.sh signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0000 1a00
Verified!
Patch 3 @ 0c20: make phatd signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0019 1a00
Unverified!
Patch 4 @ 0c54: make linux signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 000c 1a00
Unverified!
Patch 5 @ 0354: make ramdisk invalid signature return 0 instead of 0xFFFFFFFF: [movlne r0, 0xFFFFFFFF -> movlne r0, #0]
Expected: 0000 13a0    Actual: 0000 13e0
Unverified!
Patch 6 @ 0c80: make ramdisk signature check verify 0 instead of 1: [cmp r0, #1 -> cmp r0, #0]
Expected: 0000 e350    Actual: 0001 e350
Unverified!
Patch 7 @ 0358: make ramdisk valid signature return 0 instead of 1: [moveq r0, #1 -> moveq r0, #0]
Expected: 0000 03a0    Actual: 0001 03a0
Unverified!
Segmentation fault
PhatPatch v0.4 - original code by bushing, additional patches by sbingner
Verifying:
Patch 1 @ 0bb8: make drive signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0000 1a00
Verified!
Patch 2 @ 0bec: make rc.sh signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0000 1a00
Verified!
Patch 3 @ 0c20: make phatd signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a Ί
<Many ASCII Charactors Follow>
<No more readable text>

[Genesis]

Your flash ROM didn't have what was expected where it was expected, and the patch didn't run.

The original DMS should be ok, but you may need to do a repair on it using PMM or, if that fails, using the rescue disk.

Note that you will need to reload the firmware after doing a rescue.

[STiDriver]

I just finished doing exactly that.  After using the rescue disk PMM said it was a new DMS.  It copied the firware to the DMS.  It still just keeps rebooting (the same way it did when I tried using my new drive w/ no hacks).

The thing that I see is that some of the values are verified and some are unverified.  Is it possible it modified some bits rendering my keg unbootable? If so, is there anything that can be done even with a serial port?  

[judb]

try copying the ramdisk.sig to ramdisk.bak and making a new txt file and rename it ramdisk.sig.. try booting that way...

[bushing]

The thing that I see is that some of the values are verified and some are unverified.  Is it possible it modified some bits rendering my keg unbootable? If so, is there anything that can be done even with a serial port?  

Two things are become clear to me:

1. I really need to work on those "verified" message to make it more clear what's going on.

2. We really need to figure out why it takes us a zillion reboots to do the whole patch... and maybe stop doing the extra (ie anything beyond the first patch) until wie figure that out.

Looking at STiDriver's debug log (oh, and thanks for being a good sport here , we see:

Code: [Select]


** run 1 **
PhatPatch v0.4 - original code by bushing, additional patches by sbingner
Verifying... patch 1 unverified, etc ...
[at this point, it must have started to patch -- that's what causes the seg faults]
Segmentation fault (reboot)

** run 2 **
PhatPatch v0.4 - original code by bushing, additional patches by sbingner
Verifying... patches 1 verified etc ...
Segmentation fault (reboot)

** run 3 **
patches  1,2 verified

** run 4 **
patches 1,2 verified --- crash in middle of verifying 3


As I've mentioned earlier, there's some issue with the kernel on the phatbox such that it crashes when we try to reprogram out the flash.  This is mostly ok, becasue we have written the patches in a way such that they can be individually applied, and usually not result in a dead phatbox.

I'm guessing, like judb is suggesting, that it did get into patch 4 or 5, where it is in the middle of patching to disable the ramdisk checking.  That's a little trickier, but still possible to boot -- it just requires a little "tweaking".

In short, I agree with judb. If you got patch #6 in but not patch #7, you'd get your current problem -- the fix is to, as he says, backup the ramdisk.sig file and replace it with some garbage file; right now your phatbox will ONLY boot with a BAD signature, I suspect.

In any case, what are the contents of your BOOTLOAD.LOG file?

-b

[STiDriver]

The 0 byte sig didn't help.  I'll try fudging the existing file just in case it's failing because it's 0 bytes but I'm not thinking it will matter.

Where can I find bootload.log?

[bushing]

The 0 byte sig didn't help.  I'll try fudging the existing file just in case it's failing because it's 0 bytes but I'm not thinking it will matter.

Where can I find bootload.log?

If there isn't one already, create a file of at least 8k in size on the PHTSYS partition, in the root directory, called "BOOTLOAD.LOG".  (It doesn't matter what's in it.)

When it boots, if the bootloader sees that file, it will overwrite it with debug info, indicating where it stopped in the signature checking process, etc.

-b

[STiDriver]

BOOT0-0: OK
BOOT0-1: OK
BOOT0: Successful
BOOT9: Successful
BOOTB: Successful
BOOTF: Successful
BOOT*: Successful

Note: This was created after I replaced the 0-byte sig with 241 bytes of 'X'.

[STiDriver]

Wahoo!

"Welcome to the PhatNoise Audio System"
The 0-byte sig did not work but creating a sig of the same length full of 'X's did.  My replacement drive also works.  At this point should I repatch or let it be?

[judb]

If you run the patch again it SHOULD fix it where the corrputed sig wont be required.

[STiDriver]

I'd like to understand a bit more of what did and didn't work.  First of all, I used the DMS Hack CD v1_3.  What version of PhatHack does that use?  Is there a detailed description of what each hack does so I can figure out what has and has not been changed?

Also, why does the signature have to mismatch?  Is this just a down-and-dirty way of getting around the check?

[sbingner]

The problem is that there's no single patch to remove the ramdisk sig check, so I had it do the following:

1.  Patch the invalid signature check to return 0 instead of 0xFFFFFFFF for an invalid (not missing) signature - I'd said the proper way of replacing the sig somewhere before but I guess it never got put in the right place.  Simplest is to just use a different file's sig as the ramdisk.sig
2.  Patch the verification check to look for a return code of 0 instead of 1 (at this point, since the valid sig returns 1 it won't boot with a valid sig)
3.  Patch the valid sig to return 0 instead of 1

Your problem was that your box crashed right after step 2 but before step 3 above (which are actually patches 5 through 7) - I knew this was a problem and had tested it on my box by applying each patch and rebooting one at a time so I knew it was impossible to actually make an unbootable phatbox.  I had also found the issue that you do require a signature to exist rather than a 0 byte file.

Again, dont make a new sig for it if this happens just copy the sig from say phatd.sig

Sam

[sbingner]

A possible fix would be to have the hack itself corrupt the ramdisk sig right before applying Patch 6 then fix it when it runs Patch 7

[STiDriver]

One more question...  My Keg would not boot with the bootloader.log.  It went through and gave me thumbs up on all checks but I had to delete the file before it would successfully boot.  Is that normal?

[judb]

it should have been bootload.log I think.. also it should be about 4 kilobytes in size for it to work properly.  

I suggest running a chkdsk /f on whatever volume is your phtsys...