em862x hacking

Started by zfeet, 09. Jan 2010, 12:12


zfeet

Are there any resources on hacking KISS EM86xx-based players anywhere? The only thing so far has been a DP-1600 boot log. It does have some interesting strings though, for example:

Code:

ROMFS found at 0x46030000, Volume name = mambo
File image.bin found
DRAM copy ... OK
Decrypt ... OK
Decrypt signature ... OK
Verify signature ... OK
Unzipping image from 0x91680000 to 0x90090000, size = 7531554
Inptr = 0x0000001f(31)
Inflating....
Outcnt = 0x011d3578(18691448)
Final Inptr = 0x0072eb0a(7531274)
Original CRC = 0xd8c2a082
Computed CRC = 0xd8c2a082
Boot kernel at address 0x90090000 with ROMFS at 0x46030000
Linux version 2.4.22DP1600 (morten@mh) (gcc version 3.4.6) #2 Tue Mar 25 10:53:0


Code:
Creating 2 MTD partitions on "EM86XX m
0x00030000-0x00760000 : "RootFS"
0x00760000-0x00800000 : "Keys"

joepub

What exactly do you want to achieve? I have done extensive reversing of the Kiss 1600, and without a hardware mod you cannot update the firmware with your own. They sign the Linux kernel with a public/private key, so creating your own is a no-go without the private key.

I do plan on blogging about it shortly.

zfeet

Quote
What exactly do you want to achieve? I have done extensive reversing of the Kiss 1600, and without a hardware mod you cannot update the firmware with your own. They sign the Linux kernel with a public/private key, so creating your own is a no-go without the private key.

I do plan on blogging about it shortly.

Just anything, really, would be nice, as I haven't found any sites with information about hacking the DP-600 or Kiss 1600. How to get access to the filesystem, for instance.

joepub

Quote
Just anything, really, would be nice, as I haven't found any sites with information about hacking the DP-600 or Kiss 1600. How to get access to the filesystem, for instance.

Well, as far as I could work out, with the stock firmware you cannot get shell access; they disabled the key sequence during the 1st-stage boot loader too, so no joy sending extra kernel parameters to enable it yourself. So that leaves flashing it with your own firmware, and since the JTAG port on the EM8622 is not accessible on the Kiss 1600 board, that rules out flashing it via JTAG, so your only other option is to use the SPI flash mode of the chip to do it. The EM8622 supports loading flash from a serial flash interface or parallel flash; parallel flash is what the Kiss 1600 uses, but you should be able to see footprints for the SPI flash on the board near the EM8622 core, labelled U12. You also need to solder a 10k SMT resistor on R88 near the SPI pad and a 3-pin jumper on J18; the purpose of the jumper is to select between SPI and parallel flash. Once you have done this you will be able to flash your own serial flash (has to be the ST25 types) and boot off that instead.

zfeet

Do you have any information about DP-600?

joepub

Nope. If you could upload a photo of the board, I could see if it's the same as the Kiss 1600.

zfeet

Quote
Nope. If you could upload a photo of the board, I could see if it's the same as the Kiss 1600.

http://www.radonmaster.de/robernd/dp600/

joepub

J23 looks like the jumper to switch between parallel/serial flash, and I wouldn't mind betting that U33 near J23 is the footprint for the parallel flash, but there look to be some resistors missing from that area too. J22 could be a serial port; check the pins with an oscilloscope if you have one. There appear to be a lot more unpopulated headers on the DP-600 board than on the 1600. I would first see if you can determine whether any of them are JTAG ports; that will make life much easier.

zfeet

Thanks for all the information! I still find it strange that the whole net doesn't seem to have any relevant information about hacking these devices, and they were released quite a long time ago.

CEMERS

Does anyone know how to make JTAG work on the DP-600?

zfeet

I found a little more information about DP-600:

Quote
KISS DP-600 serial pinout
J22:
1 NC   2 NC
3 NC   4 NC
5 RX   6 TX
7 NC   8 NC
9 5V  10 GND


Boot log:
Code:
TANGO10 boot loader v0.12.15 for generic2/unnamed board
(C) Copyright 2002-2005 Sigma Designs, Inc


Modified by KSJ:
- If CRC check fails -> Try to boot from CD
- Stage1 image size hardcoded to avoid Flash prtition change when switching between 64k and 128k S-Flash
- Eject loader if the Factory default button is held down during boot


NOTE: this boot loader is designed to boot kernels made with the
2.4.xx releases of the Sigma Designs ARMutils package

Built at Jan 30 2006 10:32:36
Loaded to 0x90060000
Found boot configuration
Securely booted from serial flash
Using stage2 loader: version matched
CPU freq.: 166 MHz
DRAM size is 64MB (64MB/0MB)
DRAM0 Params (0xe63001f8/0x00066666)
ROMFS found at 0x46030000, Volume name = KiSS_DP-601
File image.bin found
DRAM copy ... OK
Decrypt ... OK
Decrypt signature ... OK
Verify signature ... OK
Unzipping image from 0x90B80000 to 0x90090000, size = 6112862
Inptr = 0x0000001e(30)
Inflating....
Outcnt = 0x00efe0dc(15720668)
Final Inptr = 0x005d4546(6112582)
Original CRC = 0x43fbf0ae
Computed CRC = 0x43fbf0ae
Boot kernel at address 0x90090000 with ROMFS at 0x46030000
Linux version 2.4.22DP600 (morten@mh) (gcc version 3.4.6) #4 Mon Mar 10 14:54:53 CET 2008
Found bootloader memory map at 0x10000fc0.
Processor: ARM pt110 revision 0
Architecture: EM86XX
Tango10 Rev C (kernel supports Rev C)
Board name is kiss8m
On node 0 totalpages: 9216
zone(0): 9216 pages.
BUG: wrong zone alignment, it will crash
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/blkmem/0
Console: colour dummy device 80x30
serial_em86xx: setup_console @ 115200
Calibrating delay loop... 82.94 BogoMIPS
Memory: 36MB = 36MB total
Memory: 20864KB available (1463K code, 13988K data, 68K init)
Dentry cache hash table entries: 8192 (order: 4, 65536 bytes)
Inode cache hash table entries: 4096 (order: 3, 32768 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 16384 (order: 4, 65536 bytes)
POSIX conformance testing by UNIFIX
PCI: bus0: Fast back to back transfers disabled
PCI: Configured EM86XX as a PCI slave with 128MB PCI memory
PCI: Each Region size is 16384KB
PCI: Reserved memory from 0x10080000 to 0x12480000 for DMA and mapped to 0x12000000
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
skbmem: allocated 0x200000 from 0x92258000-0x92458000
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
NTFS driver 2.1.6a [Flags: R/O].
JFFS2 version 2.1. (C) 2001 Red Hat, Inc., designed by Axis Communications AB.
udf: registering filesystem
pty: 256 Unix98 ptys configured
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 90231000-90F7CBFF [VIRTUAL 90231000-90F7CBFF] (RO)
8139too Fast Ethernet driver 0.9.27
Enabling negativ pulse on LWAKE pin
Writing Register 4. New value 0x8C
eth0: RealTek RTL8139 at 0x58000000, 00:d0:e0:91:c5:74, IRQ 14
Uniform Multi-Platform E-IDE driver Revision: 7.00beta4-2.4
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
EM86XX Bus Mastering IDE activated as ide0.
Bounce buffer starts at 0x12165000
hda: TSSTcorpDVD-ROM SH-D162C, ATAPI CD/DVD-ROM drive
IDE: Set drive 0 to Ultra DMA mode 2
Unknown IRQ18 happening, disabled (may get re-enabled later).
Unknown IRQ18 happening, disabled (may get re-enabled later).
IDE: DMA enabled for ATAPI CDROM hda
ide0 at 0x223c0-0x223c7,0x22398 on irq 18
hda: attached ide-cdrom driver.
hda: ATAPI 48X DVD-ROM drive, 256kB Cache
Uniform CD-ROM driver Revision: 3.12
SCSI subsystem driver Revision: 1.00
Probing EM86XX Flash Memory
Amd/Fujitsu Extended Query Table v1.3 at 0x0040
number of CFI chips: 1
Using word write method
cfi_cmdset_0002: Disabling fast programming due to code brokenness.
Creating 5 MTD partitions on "EM86XX mapped flash":
0x00030000-0x00760000 : "RootFS"
0x007f0000-0x00800000 : "UserSettings"
0x00770000-0x007f0000 : "Keys"
0x00010000-0x00030000 : "2ndBoot"
0x00760000-0x00770000 : "Default settings (XML)"
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
ehci_hcd 00:02.2: PCI device 1106:3104
ehci_hcd 00:02.2: irq 15, pci mem 60108100
usb.c: new USB bus registered, assigned bus number 1
ehci_hcd 00:02.2: USB 2.0 enabled, EHCI 1.00, driver 2003-Dec-29/2.4
hub.c: USB hub found
hub.c: 4 ports detected
host/usb-uhci.c: $Revision: 1.275 $ time 14:54:58 Mar 10 2008
host/usb-uhci.c: High bandwidth mode enabled
host/usb-uhci.c: USB UHCI at I/O 0x58000400, IRQ 15
host/usb-uhci.c: Detected 2 ports
usb.c: new USB bus registered, assigned bus number 2
hub.c: USB hub found
hub.c: 2 ports detected
host/usb-uhci.c: USB UHCI at I/O 0x58000420, IRQ 15
host/usb-uhci.c: Detected 2 ports
usb.c: new USB bus registered, assigned bus number 3
hub.c: USB hub found
hub.c: 2 ports detected
host/usb-uhci.c: v1.275:USB Universal Host Controller Interface driver
Initializing USB Mass Storage driver...
usb.c: registered new driver usb-storage
USB Mass Storage support registered.
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 2048 bind 4096)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
FAT: bogus logical sector size 10336
FAT: bogus logical sector size 10336
VFS: Mounted root (romfs filesystem) readonly.
Mounted devfs on /dev
Freeing init memory: 68K

init started: BusyBox v1.00 (2008.03.10-13:19+0000) multi-call binary

Starting pid 17, console /dev/console: '/etc/init.d/rcS'
BINFMT_FLAT: Loading file: /etc/init.d/S10ramdisk
-n Initializing ramdisk...
mount: Mounting /proc on /proc failed: Device or resource busy
Using /lib/llad.o
Using /lib/em8xxx.o
mumk_register_tasklet: (1) tasklet 0x910dfb20 status @0x91aaa8c4
Using /lib/hal.o
Hello, world
Using /lib/gpio.o
Init GPIO driver
Using /lib/timer.o
Init HW Timer driver
Using /lib/i2c.o
minor_open: #0 new mum_id 16
CLD: Stereo main
Socket 3 belong to /tmp/StereoIn
waiting for StereoOut to be available
Socket StereoIn is now available
Using /lib/hdmi_km.o
HDMI km init: HDMI_RESET=7 HDMI_INT=10
S3 value added twice [65/video.output.warn]
insmod: /lib/modules/2.4.22DP600: No such file or directory
insmod: /lib/modules: No such file or minor_open: #0 new mum_id 16
directory
insmod: pcbid.o: no module by that name found
Failed to open pcbid No such file or directory
Switching off
ColorMode: 8
ColorFormat: 4
SamplingMode: 4
Width: 720
Height: 576
Luma Address: 0x93e7518c
LumaSize: 414720
Chroma Address 0x93eda58c
ChromaSize: 207360
ColorSpace: 4
PixelAspectRatio.X: 1
PixelAspectRatio.Y: 1
Connecting video to 4 surface id 2481410252
Acquire
No. scalers: 3 No. free scalers: 1
GFX Multi scaler got surface id 2481410252
input : (<[0,0]>,<(720,576)>
output : (<[0,0]>,<(0,0)>
ColorMode: 5
ColorFormat: 7
SamplingMode: 3
Width: 720
Height: 576
Luma Address: 0x93daa8c0
LumaSize: 829440
Chroma Address 0x0
ChromaSize: 0
ColorSpace: 3
PixelAspectRatio.X: 1
PixelAspectRatio.Y: 1
Got OSD mem in bank0
Connecting video to 3 surface id 2480580608
Acquire
No. scalers: 3 No. free scalers: 1
OSD scaler got surface id 2480580608
input : (<[0,0]>,<(720,576)>
output : (<[0,0]>,<(0,0)>
Krua::setVolume called with 255 setting volume to 0x10000000
Done constructing HDMIChip
siI9030::unreset
Found the part: siI9030, ID = 0x01005392
TMDS/HDCP State is now: DISABLED/NOT ENCRYPTED
Using /lib/spi.o
SPI ports
SCK: 0x05
MISO: 0x0C
MOSI: 0x03
Registered SW SPI Adapter
Using /lib/generic_fp.o
VFD_Init() $Date: 2008/02/11 11:57:03 $
VFD fw version 01.01.08
VFD reply 01.01.08 (9949 left)
Using /lib/rt61.o
RT61: Vendor = 0x1814, Product = 0x0301
RaLink 0xffffffff910e78f8
consider ra0: 0000 0. 0 113 0 0 0 0 0 0

Failed to get range Network is down
getRange failed
*RT61*<7>--> Error 2 opening /lib/rt2561s.bin
RT61: RfIcType= 3
RT61::call(set,WirelessMode=0)
USB mountPoint file:///media/usb/
VFD_SetContrast() 7
setOpen 0
AV Device Started
ControlPoint Started
Cardea is not supported...
Socket 19 belong to /tmp/StereoOut
Socket StereoOut is now available
DivX DRM model id (lo-hi) a3-d0
stereo: DivX DRM Update Registratio string "YJ5XNJ62"
/tmp/StereoIn Waiting for connection...
Connected to ...
Socket StereoIn is now available
/tmp/StereoIn Waiting for connection...
Connected to ...
stereo: Audio config: I2S chans 2, SPDIF chans 1
Mono::setAudioConfig called with codec=0 setting nI2sChannels=2 nSpdifChannels=1
stereo: Audio config: I2S chans 0, SPDIF chans 2
Mono::setAudioConfig called with codec=4 setting nI2sChannels=0 nSpdifChannels=2
stereo: Audio config: I2S chans 2, SPDIF chans 1
Mono::setAudioConfig called with codec=7 setting nI2sChannels=2 nSpdifChannels=1
stereo: Audio config: I2S chans 2, SPDIF chans 1
Mono::setAudioConfig called with codec=2 setting nI2sChannels=2 nSpdifChannels=1
VCDPlayer_Impl::VCDPlayer_Impl()
KGBStartUp::KGBStartUp
KGBStartUp: starting to load skin
KGBStartUp: starting to load focus
KGBStartUp: starting to build skin
DefaultDecoder: 'file:///home/resources/icon/'
+++++++++++++++++++++ VISIT upnp play focus stack +++++++++++++++++++++++
KGBStartUp: done building skin
+++++++++++++++++++++ VISIT upnp play focus stack +++++++++++++++++++++++
VideoOutput Got HDMI Auto ID
HDMI auto 1 connection 0
Switching off
Krua::setVolume called with ff setting volume to 0x10000000
VideoOutput Got Screen ID
VFD_SetContrast() 0
Krua::setVolume called with ff setting volume to 0x10000000
stereo: Audio config: I2S chans 2, SPDIF chans 2
Mono::setAudioConfig called with codec=0 setting nI2sChannels=2 nSpdifChannels=2
stereo: Audio config: I2S chans 0, SPDIF chans 2
Mono::setAudioConfig called with codec=4 setting nI2sChannels=0 nSpdifChannels=2
stereo: Audio config: I2S chans 6, SPDIF chans 1
Mono::setAudioConfig called with codec=7 setting nI2sChannels=6 nSpdifChannels=1
stereo: Audio config: I2S chans 2, SPDIF chans 1
Mono::setAudioConfig called with codec=2 setting nI2sChannels=2 nSpdifChannels=1
O_DIRECT not supported (buffer alignment)
VideoOutput Got On ID
Output 0
TVSystem 0
TVStandard HD PAL 1
TVStandard HD NTSC 1
TVStandard HDMI PAL 255
TVStandard HDMI NTSC 255
Screen 1
HDMI Auto 1
Krua::setAgc called with 0 calling rua with 0
Krua::setCgms called with 0 calling rua with 0
*RT61*<7>--> Error 2 opening /lib/rt2561s.bin
RT61: RfIcType= 3
RT61::call(set,WirelessMode=0)
O_DIRECT not supported (buffer alignment)
(39) N4KiSS3KGB9ArubaSkinE took a long time: 0.745158 secs
/tmp/StereoOut Waiting for connection...
Connected to ...
DivX registration string YJ5XNJ62
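Added example, not code from this thread or from KiSS/Sigma Designs: a small Python parser that pulls the verified-boot stage results (Decrypt / Verify signature), the CRC comparison and the MTD partition map out of a TANGO boot log like the ones quoted above, so the signed-kernel chain joepub describes and the "Keys" partition can be checked from a captured serial log instead of being read by eye. The sample log is a condensed copy of lines quoted in this thread; the regexes, function names and summary layout are my own assumptions about the log format, and a real log should be fed in from the serial capture.

```python
"""Summarise secure-boot and flash-layout facts from a Sigma TANGO/EM86xx boot log.

Added example for the forum thread above; not part of any KiSS or Sigma software.
The regexes below are assumptions based on the quoted log lines.
"""
import re

# Constructed sample: a condensed subset of the DP-600 boot log quoted in the thread.
SAMPLE_LOG = """\
TANGO10 boot loader v0.12.15 for generic2/unnamed board
Securely booted from serial flash
ROMFS found at 0x46030000, Volume name = KiSS_DP-601
File image.bin found
DRAM copy ... OK
Decrypt ... OK
Decrypt signature ... OK
Verify signature ... OK
Unzipping image from 0x90B80000 to 0x90090000, size = 6112862
Original CRC = 0x43fbf0ae
Computed CRC = 0x43fbf0ae
Boot kernel at address 0x90090000 with ROMFS at 0x46030000
Linux version 2.4.22DP600 (morten@mh) (gcc version 3.4.6) #4 Mon Mar 10 14:54:53 CET 2008
Kernel command line: root=/dev/blkmem/0
Creating 5 MTD partitions on "EM86XX mapped flash":
0x00030000-0x00760000 : "RootFS"
0x007f0000-0x00800000 : "UserSettings"
0x00770000-0x007f0000 : "Keys"
0x00010000-0x00030000 : "2ndBoot"
0x00760000-0x00770000 : "Default settings (XML)"
"""

# Boot-loader stage lines: "<stage> ... <status>" (assumed format).
STAGE_RE = re.compile(r"^(DRAM copy|Decrypt|Decrypt signature|Verify signature) \.\.\. (\w+)$")
CRC_RE = re.compile(r"^(Original|Computed) CRC = (0x[0-9a-fA-F]+)$")
# MTD partition lines: "0xSTART-0xEND : "name"" (format taken from the quoted log).
MTD_RE = re.compile(r'^(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+) : "([^"]+)"$')


def parse_boot_log(text):
    """Return a dict of stage results, CRC values, partitions and boot facts."""
    stages, crc, partitions, info = {}, {}, [], {}
    for line in text.splitlines():
        line = line.rstrip()
        m = STAGE_RE.match(line)
        if m:
            stages[m.group(1)] = m.group(2)
            continue
        m = CRC_RE.match(line)
        if m:
            crc[m.group(1).lower()] = int(m.group(2), 16)
            continue
        m = MTD_RE.match(line)
        if m:
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            partitions.append({"name": m.group(3), "start": start, "end": end, "size": end - start})
            continue
        if line.startswith("Securely booted from "):
            info["boot_source"] = line[len("Securely booted from "):]
        elif line.startswith("Kernel command line:"):
            info["cmdline"] = line.split(":", 1)[1].strip()
        elif line.startswith("Linux version "):
            info["kernel"] = line.split()[2]
    return {"stages": stages, "crc": crc, "partitions": partitions, **info}


def secure_boot_ok(parsed):
    """True only if every signature stage reported OK and the two CRCs agree."""
    required = ("Decrypt", "Decrypt signature", "Verify signature")
    if any(parsed["stages"].get(s) != "OK" for s in required):
        return False
    crc = parsed["crc"]
    return "original" in crc and "computed" in crc and crc["original"] == crc["computed"]


def partition_findings(parsed):
    """Sort the MTD map by offset; report unlisted gaps, overlaps and key-material partitions."""
    parts = sorted(parsed["partitions"], key=lambda p: p["start"])
    gaps, findings, cursor = [], [], 0
    for p in parts:
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))          # flash region not in any partition
        elif p["start"] < cursor:
            findings.append(f"overlap ending at {p['name']}")
        cursor = max(cursor, p["end"])
        if "key" in p["name"].lower():
            findings.append(f"key material partition: {p['name']} ({p['size'] // 1024} KiB)")
    return parts, gaps, findings


if __name__ == "__main__":
    parsed = parse_boot_log(SAMPLE_LOG)
    print("boot source:", parsed.get("boot_source"), "kernel:", parsed.get("kernel"))
    print("secure boot chain OK:", secure_boot_ok(parsed))
    parts, gaps, findings = partition_findings(parsed)
    for p in parts:
        print(f"  {p['start']:#010x}-{p['end']:#010x} {p['name']}")
    print("gaps:", [f"{a:#x}-{b:#x}" for a, b in gaps])
    print("findings:", findings)
```

On the quoted DP-600 log this reports the chain as OK, lists the five partitions in offset order (the log prints them out of order), flags the 512 KiB "Keys" region, and shows that the first 64 KiB of flash is not covered by any listed partition. A log in which a stage line is missing or the two CRC values differ is reported as not OK, which is the condition worth alerting on when comparing captures from several units.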

