BTV external flash dumped

Started by Herman, 17. Sep 2008, 12:14


Herman

17. Sep 2008, 12:14 Last Edit: 17. Sep 2008, 12:33 by Herman
Having set about wanting to dump the flash of the BT Vision board - if only to wonder why they covered it in a rather nasty epoxy which isn't coming off in a hurry.
I was running yamon by renaming ya.bin to nk.bin and had connected via serial to pins 3+4.
It appears the flash is write protected, as trying to set xenv variables in yamon fails :(
Anyway, the flash is mapped by the cpu to 0xac000000 and a pflash probe tells me it is 16 MB, therefore 0x1000000
I set teraterm to log the screen, then proceeded to issue
dump 0xac000000 0x1000000
which then spewed data for well over an hour, which I logged to disk

Review of this log shows the flash has the following data in it.
Data exists from
0x0 - 0x7f which appears to be an xenv block(s)
0x8000 - 0xd8434 = bootblock as specified in xenv and common bootloader start
0xf0000 - 0xfffff = recovery partition? Shows some id values in 0x1000 blocks with plain text refs to ftp site and Philips info. Also ftp to Philips for crl files
0x100000 - end = 0xff


Just found this

    * 0x00-0x03: Size of the xenv data structure (including these 4 bytes and the sha1 hash)
    * 0x04-0x17: SHA1 hash value (20 bytes length)
    * 0x18- : XEN records and values in the following format:
          o first byte is always 0x00
          o second byte is the size of the record (including this and the first bytes)
          o Name of the record (0 terminated string)
          o Value of the record

from http://forum.opentvix.com/viewtopic.php?f=6&t=53 :D
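
The xenv layout quoted in the post above, as an added example that is not part of the original post or of the nmsha1 tool: a parser that walks the records and checks the stored SHA1. Assumptions not stated on the page: the size field is little-endian, the hash covers the record area from 0x18 up to the stored size, and the key names in the constructed sample are hypothetical.

```python
import hashlib
import struct

HEADER_LEN = 0x18  # 4-byte size field + 20-byte SHA1


def parse_xenv(blob):
    """Parse an xenv block; return (size, hash_ok, records)."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than xenv header")
    # Assumption: size is stored little-endian (not stated in the post).
    (size,) = struct.unpack_from("<I", blob, 0)
    if size < HEADER_LEN or size > len(blob):
        raise ValueError("implausible xenv size 0x%08x" % size)  # e.g. erased flash
    stored = blob[0x04:0x18]
    # Assumption: the hash covers the record area 0x18..size.
    calculated = hashlib.sha1(blob[HEADER_LEN:size]).digest()
    records = {}
    off = HEADER_LEN
    while off < size:
        if off + 2 > size or blob[off] != 0x00:
            raise ValueError("bad record header at 0x%x" % off)
        rec_len = blob[off + 1]  # includes the two header bytes
        if rec_len < 3 or off + rec_len > size:
            raise ValueError("bad record size at 0x%x" % off)
        name, sep, value = blob[off + 2:off + rec_len].partition(b"\x00")
        if not sep:
            raise ValueError("unterminated name at 0x%x" % off)
        records[name.decode("ascii", "replace")] = value
        off += rec_len
    return size, stored == calculated, records


def build_xenv(records):
    """Build a block in the same layout (only used for the constructed sample)."""
    area = b""
    for name, value in records.items():
        body = name.encode("ascii") + b"\x00" + value
        area += bytes([0x00, len(body) + 2]) + body
    return struct.pack("<I", HEADER_LEN + len(area)) + hashlib.sha1(area).digest() + area


# Constructed sample: hypothetical keys and values, followed by 0xff like erased flash.
SAMPLE = build_xenv({"x.boot": struct.pack("<I", 0xAC008000), "x.mode": b"\x01"}) + b"\xff" * 16

if __name__ == "__main__":
    size, ok, recs = parse_xenv(SAMPLE)
    print("size 0x%08x, SHA1 %s" % (size, "matches" if ok else "MISMATCH"))
    for name, value in recs.items():
        print("%-10s %s" % (name, value.hex()))
```
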

mce2222

16 MB flash ???? wow.. what a waste.
with all that space you could easily put a full Linux boot partition in flash, to have it loaded via jtag ... that's much easier than on the x300t, where we would need to load from hdd or network

Herman

#2
17. Sep 2008, 19:03 Last Edit: 18. Sep 2008, 16:29 by Herman
Just for proof, I dumped 0x0 - 0xd8434 on my 2nd box and got a directly identical compare vs box1, so no unique data held on flash.

Interestingly, I compiled the sha1 hash tool from that thread and tested it on the beta_rom.img from the wiki and got this result

[root@CentOS5 bin]# nmsha1 beta_rom_img.bin
nmSHA1 v1.0 by leader
---------------------
XENV structure size: 0x000005bb
Stored SHA1 signature: 45 5c 81 75 43 a1 07 1a 86 f4 c4 1b 76 6c 32 0d da e2 98 3a
Calculated SHA1 signature: 45 5c 81 75 43 a1 07 1a 86 f4 c4 1b 76 6c 32 0d da e2 98 3a
so maybe we share quite a bit with other cpu derivatives :D
