Problems patching Keg - HELP!!

[Firefox]

A few further unsuccessful attempts to read the Manufacturer ID using modified patch.sh...

Code: [Select]


#!/bin/sh

echo Starting Address Checks > /dos/log/PatchAddress.log

echo CheckingAddressCombo1 >> /dos/log/PatchAddress.log
/dos/backup/debugw 0x555=0xAA >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0x2AA=0x55 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0x555=0x90 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugr 0x0 >> /dos/log/PatchAddress.log 2>&1
echo FinishAddressCombo1 >> /dos/log/PatchAddress.log

echo CheckingAddressCombo2 >> /dos/log/PatchAddress.log
/dos/backup/debugw 0xAAA=0xAA >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0x554=0x55 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0xAAA=0x90 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugr 0x0 >> /dos/log/PatchAddress.log 2>&1
echo FinishAddressCombo2 >> /dos/log/PatchAddress.log

echo CheckingAddressCombo3 >> /dos/log/PatchAddress.log
/dos/backup/debugw 0x1554=0xAA >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0xAAA=0x55 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0x1554=0x90 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugr 0x0 >> /dos/log/PatchAddress.log 2>&1
echo FinishAddressCombo3 >> /dos/log/PatchAddress.log

echo CheckingAddressCombo4 >> /dos/log/PatchAddress.log
/dos/backup/debugw 0x555=0xAA >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0xAAA=0x55 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0x555=0x90 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugr 0x0 >> /dos/log/PatchAddress.log 2>&1
echo FinishAddressCombo4 >> /dos/log/PatchAddress.log

echo CheckingAddressCombo5 >> /dos/log/PatchAddress.log
/dos/backup/debugw 0x5555=0xAA >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0x2AAA=0x55 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0x5555=0x90 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugr 0x0 >> /dos/log/PatchAddress.log 2>&1
echo FinishAddressCombo5 >> /dos/log/PatchAddress.log

echo CheckingAddressCombo6 >> /dos/log/PatchAddress.log
/dos/backup/debugw 0x15554=0xAA >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0xAAA8=0x55 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0x15554=0x90 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugr 0x0 >> /dos/log/PatchAddress.log 2>&1
echo FinishAddressCombo6 >> /dos/log/PatchAddress.log

echo Finished Address Checks >> /dos/log/PatchAddress.log


results as follows...

Code: [Select]


Starting Address Checks
CheckingAddressCombo1
Offset: 0x555=aa
Offset: 0x2aa=55
Offset: 0x555=90
Offset: 0=c102
FinishAddressCombo1
CheckingAddressCombo2
Offset: 0xaaa=aa
Offset: 0x554=55
Offset: 0xaaa=90
Offset: 0=c102
FinishAddressCombo2
CheckingAddressCombo3
Offset: 0x1554=aa
Offset: 0xaaa=55
Offset: 0x1554=90
Offset: 0=c102
FinishAddressCombo3
CheckingAddressCombo4
Offset: 0x555=aa
Offset: 0xaaa=55
Offset: 0x555=90
Offset: 0=c102
FinishAddressCombo4
CheckingAddressCombo5
Offset: 0x5555=aa
Offset: 0x2aaa=55
Offset: 0x5555=90
Offset: 0=c102
FinishAddressCombo5
CheckingAddressCombo6
Offset: 0x15554=aa
Offset: 0xaaa8=55
Offset: 0x15554=90
Offset: 0=c102
FinishAddressCombo6
Finished Address Checks


Looks like i'm going to have to bite the bullet and remove the Keg from the car and dissassemble to see what flash chip I have - which is not easy because of how I have mounted it so neatly............

[sbingner]

The 8051 couldn't do that, the communication to the flash chip goes directly from the processor and the communication between processor and 8051 is via serial port.   The 8051 also has control of the power, but that's pretty obvious when it turns that off


I suppose it's possible they have a different flash chip in there, but every other chip they've used has accepted the same unlock codes...

[Firefox]

I suppose it's possible they have a different flash chip in there, but every other chip they've used has accepted the same unlock codes...

Hi again all - thread still alive...

...I finally got my Keg out of the car and just performed open heart surgery on it.

The good news   It is using a different flash. It's a Silicon Storage Technology SST39VF200A.



I've added it to the Hardware_FAQ http://wiki.phathack.com/Hardware_FAQ

The bad news   according to the datasheet http://www.sst.com/downloads/datasheet/S71117.pdf it looks to me like it should respond to one of the combos i tried earlier...
/dos/backup/debugw 0x5555=0xAA >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0x2AAA=0x55 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0x5555=0x90 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugr 0x0 >> /dos/log/PatchAddress.log 2>&1

Could one of you pros check out the datasheet and see if my untrained verdict is correct?

Any other ideas?

[sbingner]

try:

./debugw 0xAAAA=0xAA
./debugw 0x5554=0x55
./debugw 0xAAAA=0x90
./debugr 0x0

[Firefox]

try:

./debugw 0xAAAA=0xAA
./debugw 0x5554=0x55
./debugw 0xAAAA=0x90
./debugr 0x0

Well I got a different result from usual and I think it's the manufacturer code!!!!  

Using a patch.sh of...

Code: [Select]

echo CheckingAddressComboSam1 >> /dos/log/PatchAddress.log
/dos/backup/debugw 0xAAAA=0xAA >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0x5554=0x55 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugw 0xAAAA=0x90 >> /dos/log/PatchAddress.log 2>&1
/dos/backup/debugr 0x0 >> /dos/log/PatchAddress.log 2>&1
echo FinishAddressComboSam1 >> /dos/log/PatchAddress.log

I got...

Code: [Select]

CheckingAddressComboSam1
Offset: 0xaaaa=aa
Offset: 0x5554=55
Offset: 0xaaaa=90
Offset: 0=bf
FinishAddressComboSam1

I think you've finally cracked it!!!!!!  

Does that mean I will need a custom phatpatch created just for me?
Is that something you can send me?

Thanks for sticking with this....
Simon

ps where in the datasheet did you get that sequence from?

pps you would not believe how big a grin i have on my face now..........

[sbingner]

Yea, that's it... you would need a custom compiled patcher, or you could just do it with debugw

I'll try to update phatpatch now, give me a few mins and I think I can give you one that'll work

BTW: I got it from where you were looking, what you didn't know is that phatnoise connected the thing up without connecting one of the pins so all the offset addresses have to be doubled

[sbingner]

try http://www.phathack.com/downloads-direct/sbingner/phatpatch-0.5 -- it's totally untested but I think it should work

If not, I'll be able to fix it when I get home

[Firefox]

thanks - i'll give it a try and report back.............

.............WOOOHOOO!!!!! My Keg is finally patched  

Great job Sam. The new v0.5 worked a treat
looks like you just need to update the version number in the printf code  

Here is the output...

PatchWrite.log

Code: [Select]

PhatPatch v0.4 - original code by bushing, additional patches by sbingner
first 2 words of flash=c102 0025
testing offsets 0x555 and 0x2aa
writing auto-id command (AA, 55, 90)
testing offsets 0x5555 and 0x2aaa
writing auto-id command (AA, 55, 90)
Flash chip reports manufacturer id=00bf, device id=2789
offsets 0x5555 and 0x2aaa verified
Resetting flash.
Testing patch locations:
Patch 1 @ 0bb8: make drive signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0033 1a00    Actual: 0033 1a00
Match! Programming...
Wrote 0000
Patch 2 @ 0bec: make rc.sh signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0026 1a00    Actual: 0026 1a00
Match! Programming...
Wrote 0000
Patch 3 @ 0c20: make phatd signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0019 1a00    Actual: 0019 1a00
Match! Programming...
Wrote 0000
Patch 4 @ 0c54: make linux signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 000c 1a00    Actual: 000c 1a00
Match! Programming...
Wrote 0000
Patch 5 @ 0354: make ramdisk invalid signature return 0 instead of 0xFFFFFFFF: [movlne r0, 0xFFFFFFFF -> movlne r0, #0]
Expected: 0000 13e0    Actual: 0000 13e0
Match! Programming...
Wrote 13a0
Patch 6 @ 0c80: make ramdisk signature check verify 0 instead of 1: [cmp r0, #1 -> cmp r0, #0]
Expected: 0001 e350    Actual: 0001 e350
Match! Programming...
Wrote 0000
Patch 7 @ 0358: make ramdisk valid signature return 0 instead of 1: [moveq r0, #1 -> moveq r0, #0]
Expected: 0001 03a0    Actual: 0001 03a0
Match! Programming...
Wrote 0000

PatchVerify.log

Code: [Select]

Starting Patch Process
PhatPatch v0.4 - original code by bushing, additional patches by sbingner
Verifying:
Patch 1 @ 0bb8: make drive signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0033 1a00
Unverified!
Patch 2 @ 0bec: make rc.sh signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0026 1a00
Unverified!
Patch 3 @ 0c20: make phatd signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0019 1a00
Unverified!
Patch 4 @ 0c54: make linux signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 000c 1a00
Unverified!
Patch 5 @ 0354: make ramdisk invalid signature return 0 instead of 0xFFFFFFFF: [movlne r0, 0xFFFFFFFF -> movlne r0, #0]
Expected: 0000 13a0    Actual: 0000 13e0
Unverified!
Patch 6 @ 0c80: make ramdisk signature check verify 0 instead of 1: [cmp r0, #1 -> cmp r0, #0]
Expected: 0000 e350    Actual: 0001 e350
Unverified!
Patch 7 @ 0358: make ramdisk valid signature return 0 instead of 1: [moveq r0, #1 -> moveq r0, #0]
Expected: 0000 03a0    Actual: 0001 03a0
Unverified!
PhatPatch v0.4 - original code by bushing, additional patches by sbingner
Verifying:
Patch 1 @ 0bb8: make drive signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0000 1a00
Verified!
Patch 2 @ 0bec: make rc.sh signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0000 1a00
Verified!
Patch 3 @ 0c20: make phatd signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0000 1a00
Verified!
Patch 4 @ 0c54: make linux signature check always succeed: [bne verify_sig_failed -> bne PC+1]
Expected: 0000 1a00    Actual: 0000 1a00
Verified!
Patch 5 @ 0354: make ramdisk invalid signature return 0 instead of 0xFFFFFFFF: [movlne r0, 0xFFFFFFFF -> movlne r0, #0]
Expected: 0000 13a0    Actual: 0000 13a0
Verified!
Patch 6 @ 0c80: make ramdisk signature check verify 0 instead of 1: [cmp r0, #1 -> cmp r0, #0]
Expected: 0000 e350    Actual: 0000 e350
Verified!
Patch 7 @ 0358: make ramdisk valid signature return 0 instead of 1: [moveq r0, #1 -> moveq r0, #0]
Expected: 0000 03a0    Actual: 0000 03a0
Verified!

Thanks for all your help - now I can (hopefully) complete the disk swap!

The new version should hopefully help others with a similar flash chip in future too.

[sbingner]

Cool, I updated the internal version etc.  This will work for either unlock code, and it checks to make sure the unlock code works before it tries to patch now

binary: http://downloads.phathack.com/sbingner/phatpatch-0.5.gz
source: http://downloads.phathack.com/sbingner/phatpatch-0.5.c

It should be visible in about an hour, looks like I just missed the rsync window until then it can be seen from downloads-direct

[Firefox]

I'm not quite there yet...

My new 80GB DMS does not boot (created using manual method). Bootload.log points to a problem with Ramdisk I think:

Code: [Select]

BOOT0-0: OK
BOOT0-1: OK
BOOT0-2: Successful
BOOT9-X: Successful
BOOTB-X: Successful
BOOTF: Successful
BOOT*-X: Failed

I tried corrupting ramdisk.sig to see if that helped. No joy, so I put it back again to original.
I tried with and then without plugins folder. No joy.

Original 10GB DMS still boots fine with or without the plugins folder.

Any ideas?

[sbingner]

The problem isn't with your flashing, how did you create your second DMS?   Make sure you have a primary partition (1) an extended partition (2) and a logical partition (would be called 5)

You might be able to find me on IRC...

[Firefox]

The problem isn't with your flashing, how did you create your second DMS?   Make sure you have a primary partition (1) an extended partition (2) and a logical partition (would be called 5)

You might be able to find me on IRC...

I created the new DMS using the "Genesis" manual method described here which uses the phathack boot cd to reformat the new drive...
http://forum.phathack.com/cgi-bin/yabb2/YaBB.pl?num=1123119033/1#1
That all went OK.

I checked the partitions and they are exactly as you describe.

chkdsk reports no errors.

I'll try to catch you on IRC over the next couple of days.

If anyone else has any bright ideas in the meantime, please share.

[Firefox]

Tried a second firmware reload to the new DMS and hey presto - the new DMS is now recognised!!

 

Thanks everyone for helping with this marathon. Especially Sam.

It was painful but worth it - and I'm glad we ironed out another potential problem for the bootdisk in the process!

[judb]

We'll need to get RobM or Bushing to recompile the code Sam published because his compiler makes huge executable files that I can't fit on the boot floppy image.  

Once i have one thats under 30Kb I can update the disc and floppy with the new file and make a few other minor updates.

[Jamz]

I worked with dafamous12 and managed to get his audible working as well, had to put the original aadec in as "aadec-orig" and "aadec-orig.sig" then change the config to use that instead of aadec....

Can I get some more details on this? I finally got my DMS "patched" this weekend and mp3's work just fine but I'd like to get my Audible books to work now. I don't need to copy them from the old DMS or anything, just add new ones from the PC via PMM.

I tried to copy the aadec and aadec.sig from the original drive, rename them -orig and put them on the new DMS, then I modified exec.ini and changed it to aadec-orgig (only place I saw reference aadec?)

After doing this, the keg wouldn't play ANYTHING and now just ejects after a min... :/

[judb]

yeah don't mess with the exec file..  compare the file sizes of the aadec on the old drive and the aadec on the new drive.. are they the same?

[sbingner]

forgot to mention, you need to sign the new exec.ini file -- you can use http://www.phathack.com/plsign.cgi to sign it

I also have a patched phatd somewhere but I never got around to posting a patcher for it

[Jamz]

yeah don't mess with the exec file..  compare the file sizes of the aadec on the old drive and the aadec on the new drive.. are they the same?

Hmm, actually ya, they seem to be the same file.  Further investigation, I find there's the aadec files in the backup folder on the hacked DMS. the aadec-hacked file is the same as the aadec file in the root, but the aadec file in the backup folder is 108kb (vs 25 kb of the others).

The version.txt file has this in it as well (if it means anything).
phatpatch-v4
aadec-v4

[Jamz]

forgot to mention, you need to sign the new exec.ini file -- you can use http://www.phathack.com/plsign.cgi to sign it

I also have a patched phatd somewhere but I never got around to posting a patcher for it

Ok, now i'm confused  Do i mess with the exec.ini or not? Do I put the aadec-orig files in, use the one from the backup, or leave them all alone?

Or do I ONLY have to put the new exec.sig file in?

I'm guessing since the aadec file from the old disk is the same as the one on the hacked dms and the same as the aadec-hacked in the backup file, this is the correct file and I should just put the new exec.sig file in place?

PS. just curious, why does it seem that the actual original aadec file is 85k larger than the hacked version?

[sbingner]

The hacked version doesn't DO anything so it doesn't need to be very big... but it is neccesary

yes you need to modify the exec.ini file and resign it you need to change it to point to the REAL aadec (aadec-orig)