Save/Restore config eeprom

[juusso]

Is there a way to trigger the partition swap ? If yes, we could read before and after to see what has changed

Yes, the /sbin/toggle 0 or toggle 1 makes the magic, but don't execute it from cmd line if device has no patched out authuld - you become bricked in bootloop by wrong authuld authentication.
Just the case is if you have identical set of active and passive firmware whose hashes naturally are equal too.

[oga83]

When you backup your eeprom with TDM, make sure to disable all debug messages on the console.
Those messages are not synchronous with the result of the dump : if they arrive in the middle of the 'Read data' line, you can miss some bytes, and the final result can be corrupt

[sbav1]

Apart of the front pannel (and maybe the power on/off system), do you know what is exactly doing Micom ?

I'm not very familiar with Samsung BD-players internals.. generally speaking, I guess micom/standby CPU in Samsung BD players and TVs is:

- handling/pre-processing IR remote signals (+ radio/zigbee remote in some TV models) & front panel keys; recognizing some special key sequences/combination to trigger factory menu etc.
(another IR receiver, incorporated into virtually all Samsung BD/DTV SoCs is AFAIK never actually used by Samsung - not in the in production models, anyway)
- handling RTC (sadly, usually there is no battery backup in recent units), alarms/timers,
- providing configurable hardware-based watchdog for main SoC
- controlling and monitoring power circuits - turning DC/DC converters on and off etc. (+ panel backlight/panel VCC in TVs),
- providing reset signals for various components and subsystems on the mainboard (and other boards, if any)
- informing main SoC about boot/power-up reason & status: normal boot, wake-up upgrade, on-time boot (eg. scheduled recording), ..
- storing and handling some factory/config settings: boot-time partition switch (in C-series models and up), watchdog config, ..
- external RS232 jack setup (factory menu UART|Debug|Logic setting ???); hmm, in TVs there is usually an analog switch for UART inputs, controlled by micom GPIOs, but - nothing like that is probably needed in BD players - so even if such setting is present in BDP factory menu, it will be most likely redundant (???)
- providing extra GPIOs for (e.g): front panel LEDs drivers,
- hardware options recognition (i.e to establish what is actually soldered on the given PCB and what isn't, or to determine if it's an EU or US variant)
- handling some additional sensors/triggers (depending on the unit model/type, like ambient light sensor on IR & function board in some TVs);
- perhaps (I don't actually know, just a guess): executing fan control (if any), temperature and power consumption measuring (in some TV models), maybe checking out mainboard master reset switch on boot time (?).

I wonder if the front panel VFD in (Samsung SoC based) BD players is controlled by micom - do we know if main SoC is not involved somehow?
So far my experience with Samsung BD players hardware is almost entirely theoretical.. Recently, just for fun, I got myself HT-D7100 (only the main unit, with broken IR receiver and unreliable loader - 10 EUR + shipping). Despite the lack of working IR receiver (it's still partially controllable via HDMI CEC using TV remote) I managed to root it by "downgrade" with patched firmware (many thanks to arris, great work!); sadly, not much time for playing with it right now.

[sbav1]

Thanks !
Do you have an image of the Micom software that is downloaded into the Renesas ?

Some kind of Micom flash update file (Micom.mts) seems to be incorporated into firmware update for BD-D8500 (B-FIRURDEUC, I don't remember what version exactly, I only kept decrypted partition contents). It's on the mtd_exe partition, along with "MicomUpgradeForce" binary. Looks like D-series BDP micom upgrade is first inited by /dev/spi0, and then performed via /dev/ttyS0.

That's the only micom firmware for Samsung BD-players I was able to find. I'm not sure for what kind of micom chip it is for.. In my HT-D7100 (SDP1004/Firenze based) micom == Sanyo LC87F5WC8A (http://www.alldatasheet.com/datasheet-p ... 5WC8A.html), may be something different in BD-D7000/BD-D8000 models..

We also have one micom flash contents from D550 (?) Samsung TV model (for Weltrend chip), it was extracted via JTAG by some clever guy, AFAIRC.

[oga83]

I agree on the micom functions.

On my BD, the debug console is not connected to micom, it is connected to Soc.
Changing the parameter in the factory setup menu (jack,rs232,logic) does not change anything; debug console is still operative whatever I choose.
There is also a serial line on the microm controler, but I was not able to do anything with it ([EDIT] RX-TX along with CLK-CTL-FRST are used to program the controler in UART6 mode)

I've got both BD-D8900 and BD-E8300 : the micom chip seems to be the same (renesas 78K0/KC2 48-pin microcontroler http://www.renesas.com/products/mpumcu/ ... /index.jsp; it has 48kByte of flash, 1kByte of high speed RAM, 1kByte of expansion RAM).

Thanks for the file. Micom.mts is a hex encoded text file. Need to convert it with

Code: Select all

echo -n -e $(cat Micom.mts | sed 's/../\\x&/g') >Micom.bin

I don't know yet if it's the renesas code in clear or not, but with the specs above, I hope I can get something from it

[oga83]

The content of the config eeprom is very confusing and I was not able to locate any of the parameters; many bytes are changing between reboots

It also seems that the micom eeprom is deeply involved in the config.
For example, changing the region doesn't change anything in the config eeprom; this parameters is probably stored in the micom eeprom.

[oga83]

The content of micom.bin is really code
There is an issue with segments in the binary file (there is an aditional header in binary file + code starts misplaced at 0x98 in file and 0x85 in microcontroler + other segments of code not at the correct place; ...); however it sounds promising !

Here is an extract of the reset code that seems coherent :

Code: Select all

RESET:
        DI
        sel     RB0
        movw    SP, #0FBFFh ; 256 bytes for the stack from 0xfbff down to 0xfb00
        mov     IMS, #0CCh ; Internal memory size switching register
        mov     IXS, #04h ; Internal expansion RAM size switching register
        mov     RTPC01, #41h ; Real-time output port control register 1
        mov     PR1H, #00h ; Priority specification flag register 1H
        mov     ASIM00, #03h    ; Asynchronous serial interface mode register 0
        mov     BRGC00, #00h    ; Baud rate generator control register 0
        mov     ASIS00, #05h    ; Asynchronous serial interface status register 0
        mov     OSTS, #05h ; Oscillation stabilization time select register
        mov     A, #01h
        mov     !byte_FDEF, A
        movw    HL, #0FB00h ; High speed RAM base address
loop0: ; Init RAM
        movw    AX, HL
        cmpw    AX, #0FDEFh
        bz      branch0
        mov     A, #00h
        mov     [HL], A
branch0:
        incw    HL
        movw    AX, HL
        cmpw    AX, #0FEE0h
        bc      loop0

[sbav1]

if you find where to change eeprom to switch between active partitions (toggle command writes some data to eeprom to let TV know which active partition to boot)

I think this particular setting (kernel partition toggle/select) is most likely stored in the different EEPROM (connected to sub-micom - usually a small one, 256bytes or 512 bytes).

Ouch, it turned out to be not true. In recent (Firenze and Echo-B based) BD-players partition switch is not stored in any EEPROM. Instead, for boot partition switching, Samsung is using a string ("START2222END": 2nd partition is selected as active, "START1111END" or anything else: 1st partition is active). This string is stored in yet another small partition (e.g, /dev/mmcblk0p11 in BD-D6900).

BTW, there should be some track on the mainboard between main SoC (GPIO pin) and sub-micom (also GPIO pin) which are used for that purpose.
Assuming we can force this track up/low (I expect this track to be equipped with some kind of test pad or something) we should be able to select kernel partition we want to boot.

So, unfortunately, that approach will not work in such BD-players .

[E3V3A]

Great job!