PhatHack
The Hacking Hoedown => PhatBox Hacking => Topic started by: para on March 16, 2005, 08:48:32 pm
-
Hi all,
has anyone yet opened his PB? There are two serial ports supposed to be existing on the PCB which are not connected externally. Usually these interfaces are used for debugging purposes. It'd be interesting to see if we could establish some telnet/rsh/ssh session or just a basic line-connection using 'em...
Para
-
There doesn't seem to be any place a port would be attached to the circuit board on mine, a Keg. I think they removed the serial port after the Red boxes.
-
the chip itself has the serial port built into it and we would need to pull the leads off the package to a port using some method. I dont know how hard to do a soilder job would be for that. They may have removed that set of traces on the PCB but it might be possible to hook directly to the CPU packaging or some of the pins on it to get the serial port.
-
If you're talking about the 8051... inherently, the 8051 is a "bit slinger"... you can drive any port pin directly or indirectly (there are at least 3 off 8 bit ports that can be bit twiddled real easy)
Obviously, there's also the "serial" output that would generally run into a 12V converter for true serial communications
-
A pic of the PCB is at http://ns3.bingner.com/phatnoise/phatbox.jpg -- I also have a pic of the back http://ns3.bingner.com/phatnoise/phatbox-back.jpg ... do you see anywhere that it looks like a serial port could be soldered on?
the chip itself has the serial port built into it and we would need to pull the leads off the package to a port using some method. I dont know how hard to do a soilder job would be for that. They may have removed that set of traces on the PCB but it might be possible to hook directly to the CPU packaging or some of the pins on it to get the serial port.
-
What's the purpose of the 14-pin connector (JP4) and these two jumpers (JP1,JP2) found on the frontside?
-
Oops, forst post I lied, I have no clue what either of those are doing... all I know is nothing was connected to them
-
J6 looks interesting to me. from the looks of it theres 5 connectors and 2 holes for supports for some type of external interface.
-
Wonder how hard these are to come by.. http://www.cirrus.com/en/pubs/devKit/EP7312dk-3.pdf
hmmm
-
Wonder how hard these are to come by.. http://www.cirrus.com/en/pubs/devKit/EP7312dk-3.pdf
hmmm
http://www.newark.com/NewarkWebCommerce/newark/en_US/endecaSearch/partDetail.jsp?SKU=76C0109&N=4
Looks like about $1500
-
Also, I've been wondering if it's possible that a portion of the communications to the head unit makes use of one of the two serial ports supported by the chipset? If so it should give us an idea of where to start to add a serial port. Or if somebody can get more info on a RedBox?
-
i think we can use the jtag interface (should be on the board in one of those jp connections) to extract the boot flash code.
A friend of mine whos been a mod freak on the xbox / ps2 and a DirectTivo hax0r (i mean the software changes to enable features) is coming by the house tomorrow to check it out. I sold him an older kenwood deck and I have some extra kegs I ordered online to toy with so we'll see what we can figure out.
-
http://www.cirrus.com/en/pubs/proDatasheet/EP7312-5.pdf
This has the pin out diagram for the 208 pin LQFP chip thats used on the phatbox hardware.
However.. this concerns me.. The Maverick Unique ID which is described on page 6 of the PDF. You can't cut n paste from the doc or I would here.
It says in a nut shell that each CPU has 32 bit specific ID and an 128 bit random ID etched into it by laser during the manufacturing process and that it can be used for SDMI (Secure Digital Music Initiative) to mark audio for the hardware only playback.
Now, if they are smart thats how they protect the audio and we'd be foobared from breaking that, HOWEVER we know the DMS works in diffrent boxes as its set up today, not coded for our specific CPU's Perhaps the non random number is some seed key they have programmed into these units that we need to know? maybe its not used at all by Phatnoise. Who knows.
Its something to think about though.
-
W78E516B-40
The winbond microcontroler on my pcb's datasheet:
http://www.datasheetarchive.com/datasheet/pdf/69/699566.html
-
Judb,
just looked at the datasheet, dammit, can u read "protect code"... did Phatnoise go this far?
-
Lets hope not.
-
Okay.. so looking at the PDF about the winbond chip, thats where the head unit controls are operated, but we also think thats where the boot loader is right?
Looking at the doc i linked.. ports 2.6 and 2.7 are the reset leads to enable you to reprogram the winbond chip.
They head over to another chip, the XILINX XCR5032C chip. it looks like either I/O-A13 and I/O-A14 or GND and IO-B9 ... im having some difficulty determining pin 1 on the chip as some goop wont come off and i cant tell where the dot is exactly. Im leaning toward pins 13 and 14 which would be the A13 / 14 pins.
This is the Plastic VQFP on my hardware it seems.
Heres the datasheet for the XCR5032C:
http://www.nalanda.nitc.ac.in/industry/appnotes/xilinx/documents/partinfo/ds046.pdf
-
Next up we have the XILINK XC9572XL chip
datasheet: http://www.engin.brown.edu/courses/En163/xc9572XL.pdf
This chip seems to be tied to the IDE interface to the JP5 pins and to the interface connector to the head unit... but I need a magnifying glass to tell where each pin goes.
-
Well last for the night..
the ST Micro 2 MBit flash M29W200BB automotive grade flash.
Datasheet:
http://us.st.com/stonline/books/pdf/docs/6616.pdf
-
Great findings! Keep up that work!
-
@judb: referencing your post over there (http://forum.phathack.com/cgi-bin/yabb/YaBB.cgi?board=dmshack;action=display;num=1111968118;start0#5), have you seen the locking and encryption feature built into the 8052? I don't think they use the lock (because it might not allow firmware updates) but I'm pretty sure they use the encryption. This would mean we can't get the controller's code without erasing the whole IC...
Para
-
I am going to try and be optimistic about it and say perhaps they didnt take the time to implement that.
Since we are dealing with two diffrent firmware regions (on flash chip for the ARM CPU) and the Winbond microcontroler has an embeded reprogrammabale area for booting I'd guess the winbond portion is not encrypted data, unless we have the boot process completley backwards.
Do we know for sure that the ARM CPU isnt the booting device that boots directly from flash and then straps the 8052 with code from the same flash rom?
I think we should update an assumption thread about the whole loading process given the patent info we saw and the capabiliities of the chips that are listed in the PDF's I posted.
Also who had the board that took pictures of it and posted them? That thread disappeared.
That board has pretty significant deviation in layout from my board and I'd like to compare the chips on each to see if they are the same or not.
Also anyone have a red box they can open up and read the chip part numbers / post good photos of the boards? I doubt the design is that drastic.
In fact, I wouldn't be suprised if there was a way to bypass the encryption / setup diffrences by putting the right chip or resistor on the surface of the board. (more wishful thinking)
-
Just another thought. It's possible that the Red boxes don't have protected code. We might be able to extract their boot code and get a general idea of how the newer boxes boot, or even use the Red boot code to program the newer uC.
We need some Red info.
-
Do we know for sure that the ARM CPU isnt the booting device that boots directly from flash and then straps the 8052 with code from the same flash rom?
Well, the 8052 has a loader ROM which activates a firmware (application) update if requested. If not it loads the application ROM . That's exactly the procedure being described by Terry Kennedy (see FAQ), isn't it?
Also who had the board that took pictures of it and posted them? That thread disappeared.
Damn, you're right! I got these images on my HDD but don't have enough allowed traffic to put it on a public server... I hope Paul's taking care of that problem and restores that thread. A few hours ago it was still there!
Para
-
Send them to me, I'll host them. I have over 60 gigs of bandwidth on my server to burn by the end of march. :)
-
Heres some photos I took of my board...
http://www.savageguild.com/phatnoise/keg1-02.jpg
http://www.savageguild.com/phatnoise/keg1-03.jpg
Higher rez versions available...
-
That looks definitely different compared to the other shots! Is there any model number you could post with the pictures? Just for us to know what model where're looking at...
Para
-
This is from a Keg CX910. I have two of them and they both have a similar layout. They are from 2001 2002 timeframe.
the board itself has a silk screened name on the back if you look at the photo.
Also, I think the 710 keg is the same board but with less connectors on the back (power and RCA I think)
-
Hm, is there any warranty seal on the Phatbox? I hope I get mine out of customs tomorrow morning. If there's no seal I'll try to open it and get us some pix.
Para
PS: I'll send you the other shots in the next hours...
Update: Well, we're just too stupid 8):
http://forum.phathack.com/cgi-bin/yabb/YaBB.cgi?board=faqlist;action=display;num=1111166455
(I wrote it and you should be aware of it)
-
Yeah my photos are of a diffrent rev board and those pictures were posted in a diffrent thread a while back I swear! :)
-
Ok, so we're even more stupid than I thought! Have a look at page 1 from time to time :-[
Going to bed, Para
-
LOL okay im a moron and or the search feature is broken as I searched for those photos and it came up with results that were not the post on page 1.
BAH!
-
The pics were mine, should still be accessible... but I have to wait till I get home to get the links again... I'll go ahead and make links off the http://www.phathack.com page... anybody have high bandwidth? I have a 384K upstream at the moment, soon to be 768K...
Sam
-
http://www.cirrus.com/en/products/pro/detail/P36.html
The output DAC on my keg... CS4341
Datasheet:
http://www.cirrus.com/en/pubs/proDatasheet/CS4341_F3.pdf
-
Okay, so here's the deal. Mitch and I sat down tonight and traced the board to find the JTAG connector pins for the xilink chips and the ARM CPU.
JP5 -- XILINX 9572XL - JTAG
Pin 6 > 9572XL Pin 48 - TDO
Pin 8 > 9572XL Pin 83 - TDO
Pin 10 > 9572XL Pin 45 - TDO
Pin 12 > 9572XL Pin 47 - TDO
JP6 -- ARM JTAG (No Connector, just pads)
Pin 3 > 7312 Pin 125 - nTRST
Pin 5 > 7312 Pin 11 - TDI
Pin 7 > 7312 Pin 58 - TMS
Pin 9 > 7312 Pin 90 - TCLK
Pin 11 > 7312 Pin 22 - TDO
JP8 -- ARM UART1 (SERIAL PORT!!!)
Pin 5 > 7312 Pin 32 - TDX[1]
Pin 7 > 7312 Pin 36 - RXD[1]
Pin 9 > 7312 Pin 37 - DCD
Pin 11 > 7312 Pin 38 - DSR
Pin 13 > 7312 Pin 35 - CTS
JP9 -- XILINX 5032C - JTAG
Pin 6 > 5032C Pin 26 - TCLK
Pin 8 > 5032C Pin 32 - TDO
Pin 10 > 5032C Pin 1 - TDI
Pin 12 > 5032C Pin 7 - TMS
You can use either:
Molex 87332-1420
or
DigiKey WM18078-ND
To connect to the 14 pin mini JTAG interface on the boards to get access to all but the ARM JTAG interface as it doesnt have anything on the boards pads.
I think this is how they program the boxes from the factory so this SHOULD be a way for us to get into them and fix em.
I really need my hands on a red box, anyone in central texas got one? I swear we wont break it. :)
heres some info i found on the JTAG interface for ARM.
http://www.arm.com/support/faqdev/4511.html
-
Tomorrow we are headed to see if we can get the parts we need to roll our own JTAG interface...
http://www.xilinx.com/support/programr/jtag_cable.pdf should be some help for making your own if you are so inclined.
Ebay has some already made but the pins are too far apart to hook into this connector on the board.
I am mostly interested in starting with the serial port right now.
I bought a KCA-R70FM adaptor so I can test at my desk the Keg. :)
-
I've got a Red box and would be happy to contribute, though I'm not much of a hardware kind of guy.
-
Just in case we need to modify the XILINX chips:
http://www.xilinx.com/xlnx/xebiz/designResources/ip_product_details.jsp?key=DS-ISE-WEBPACK
-
Looks like if bash and profile files exist on the DMS in the root of PHATSYS (/dos) it will launch a shell.. but not otherwise.
I need an ARM complied version of bash... hmmm (wanders over to google)
-
On further inspection, if I read the busy box setup right, the -/bin/sh command SHOULD be putting a shell on /dev/console which is redirected to /dev/ttyS0 so the bash script might be out of date and not used anymore.
I need to keep plugging at getting the console to work. stupid serial ports! bah!
-
What's the purpose of the 14-pin connector (JP4) and these two jumpers (JP1,JP2) found on the frontside?
JP4 sure looks like a ARM JTAG inteface to me.
Another thing that might be worth mention is that the 7312 is a low power chip package, so if you want to use the serial port and connect it to a RS232 port you will have to convert the logic levels from 3.3v to RS232 levels.
Here is a pinout of UART 1 on the 7312.
http://www.webeatyou.com/phatbox-serial.jpg
just_z00t
-
JP4 sure looks like a ARM JTAG inteface to me.
Another thing that might be worth mention is that the 7312 is a low power chip package, so if you want to use the serial port and connect it to a RS232 port you will have to convert the logic levels from 3.3v to RS232 levels.
Here is a pinout of UART 1 on the 7312.
http://www.webeatyou.com/phatbox-serial.jpg
just_z00t
http://forum.phathack.com/cgi-bin/yabb/YaBB.cgi?board=faqlist;action=display;num=1111166455
Thanks for the photo though. The 3.3 volt to serial voltage levels might be what I am missing.. hmmm didnt think of that. I'll have to look into it.
-
http://hans.liss.pp.se/work/wrt54gs_serial.html may be useful, it goes over converting the voltage for the WRT, and it may be very similar for the phatbox
-
http://hans.liss.pp.se/work/wrt54gs_serial.html may be useful, it goes over converting the voltage for the WRT, and it may be very similar for the phatbox
Bah! I just ordered one of each of these on eBay:
$19 RS232 to 3.3~5v TTL Converter Cable(Max3232 inside)
http://cgi.ebay.ca/ws/eBayISAPI.dll?ViewItem&item=7501584474
$25 **** COMPACT BUFFERED JTAG ** UNIVERSAL SOLDERLESS R/W
http://cgi.ebay.ca/ws/eBayISAPI.dll?ViewItem&item=5777335122
*crosses fingers*
-b
-
the connector for your jtag device is too big me thinks. I could only find that the connector pins for a compact flash card reader / PCMCIA interface are close enough together to correctly mate with the interface on the board. just FYI.
-
the connector for your jtag device is too big me thinks. I could only find that the connector pins for a compact flash card reader / PCMCIA interface are close enough together to correctly mate with the interface on the board. just FYI.
Yeah, I know. I don't need no stinkin' connectors.
;)
-b