How to dump the bootloader from UA65ES8000
Re: How to dump the bootloader from UA65ES8000
Thanks! We'll need to parse that to get something readable and useful out from that hex... I'll see what I can do.
Also, for Samsung based eMMC devices there is a hidden CMD62 that can be used to read and write eMMC firmware. This functionality is shown in some of the Android brickbug patches in the ./drivers/mmc/core/quirks.c over HERE. (See line 228)
Here are the relevant documents just in case...
http://yourcmc.ru/wiki/images/5/55/EMMC_JESD84-A441.pdf
https://dl.dropbox.com/u/69550833/JESD84-B451.pdf
http://www.jedec.org/sites/default/file ... r_Tsai.pdf
Very handy to know!
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
Re: How to dump the bootloader from UA65ES8000
You could alter the mmcsmart tool to print out what the various values mean. I just looked at it in a hex editor and cross referenced values to the emmc specs to ensure that the data I got made sense, which it did. I wasn't actually that interested in the data itself, but more in the calling of the kernel ioctl to dump the smart data.
It seems that cmd62 will access the extra hidden sectors in the emmc flash that stores the firmware. On a hdd you can usually use either the serial port or vendor specific commands to read/write firmware and physical sectors. So same kinda thing.
If you want to send me your current kernel image I can have a look and see if it is easy to port my patches across for you so you can dump your bootloader. If it is totally different I probably won't bother, but if it is essentially the same it shouldn't be too hard.
Re: How to dump the bootloader from UA65ES8000
That would be great!
I'm using UExxES6xxx.zip which is very similar to yours with only THESE files differing.
My kernel image is T-MST10PDEUC_1029.0.
Also, I seem to have lost the doc describing the smart info data... I'm sure I had it somewhere. :/
Please remind me where to find it.
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
Re: How to dump the bootloader from UA65ES8000
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
Re: How to dump the bootloader from UA65ES8000
How to dump the bootloader from a Samsung C series TV??? Any hints on how to do this on C series?
Re: How to dump the bootloader from UA65ES8000
You can dump, but you can't reflash it back. Bootloader is RO locked on C series.
P.S. This is not a C series thread!
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]
DO NOT EVER INSTALL FIRMWARE UPGRADE
Re: How to dump the bootloader from UA65ES8000
E3V3A: Ok it seems the code in your kernel is the same as in mine, so should just be a matter of changing addresses and using same patches. To ensure I use the correct addresses, can you dump say 0x100 bytes of data at address 0xA1FBB80 via that viewmem tool and paste it here or in a pastebin?
Re: How to dump the bootloader from UA65ES8000
Looking at bootloader code, do you see any signs of hardcoded addresses being used?
Probably everything is in eMMC chip but there could be some in micom hardcoded to some addresses. It is wise to leave eMMC disk structure intact.
Seems everything except CPU and GPU and mem pointers is the same. So like with their phones they're using branch upgrades, so more or less there is a chance of replacing kernel without it going nuts.

Re: How to dump the bootloader from UA65ES8000
xorloser wrote: E3V3A: Ok it seems the code in your kernel is the same as in mine, so should just be a matter of changing addresses and using same patches. To ensure I use the correct addresses, can you dump say 0x100 bytes of data at address 0xA1FBB80 via that viewmem tool and paste it here or in a pastebin.
What addresses?
I just finished the Smart Report parser, to use in conjunction with your mmcsmart.
Here is the output from your smart.bin that you posted. Please verify that it is correct.
$ ./smartview.pl
Parsing Smart Records from: smart.bin
Error Mode: Normal
004: 4 : Super Block Size [1] :00200000
008: 4 : Super Page Size [2] :00004000
012: 4 : Optimal Write Size [3] :00004000
016: 4 : Number Of Banks :00000001
020: 4 : Bank0 Initial bad blocks :00000004
024: 4 : Bank0 Runtime bad blocks : <zero>
028: 4 : Bank0 Remaining reserved blocks :00000038
032: 4 : Bank1 Initial bad blocks : <zero>
036: 4 : Bank1 Runtime bad blocks : <zero>
040: 4 : Bank1 Remaining reserved blocks : <zero>
044: 4 : Bank2 Initial bad blocks : <zero>
048: 4 : Bank2 Runtime bad blocks : <zero>
052: 4 : Bank2 Remaining reserved blocks : <zero>
056: 4 : Bank3 Initial bad blocks : <zero>
060: 4 : Bank3 Runtime bad blocks : <zero>
064: 4 : Bank3 Remaining reserved blocks : <zero>
068: 4 : Max. Erase Count :00000079
072: 4 : Min. Erase Count : <zero>
076: 4 : Avg. Erase Count :0000002c
080: 4 : ECC Uncorrectable Errors : <zero>
084: 60 : ECC_UEL Physical Block Address [4]:
0000:002c
0000:0001
0000:0079
0000:001e
0000:0000
0000:0054
30ae:df3e
2295:c924
1457:415f
0f7c:29a5
4cdb:54ee
338a:b1dd
96ab:785f
9e0b:80bd
0000:2000
144: 60 : ECC_UEL Physical Page Offset [4] : <zero>
204: 16 : Reserved : <zero>
220: 4 : Read Reclaim Count : <zero>
224: 288: Reserved : <zero>
----------------------------------------------------------------
[1] Number of Channel * N-way Interleaving * physical block size
[2] Number of Channel * physical page size
[3] Super Page Size * N-way Interleaving
[4] These addresses/offsets are 30 x 2-bytes...
----------------------------------------------------------------
This Customer Smart Report Data is based on the Samsung moviNAND
specifications found in the document: http://tiny.cc/2jacsw
----------------------------------------------------------------
I'll soon post a download link, once I get it all to work.
(Or send me a PM, if you need it immediately.)
BTW. Two more questions,
1) Did you need to edit any other files from UExxES8xxx.zip sources? (The mmcsmart.cpp dependencies?)
2) Did you just cross-compile with default settings, or did you use any particular flags?
Cheers!
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
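Added example, not part of the original posts and not the smartview.pl script: a decoder for the 512-byte Customer Smart Report using the offsets and sizes from the listing above, with consistency checks that catch a wrong offset or byte order. Little-endian fields, the error mode sitting at offset 0, and all function and key names are assumptions; the sample record is constructed from the scalar values in the listing.

```python
import struct

REPORT_SIZE = 512  # 224 bytes of fields + 288 reserved, per the listing
U32_FIELDS = [(4, "super_block_size"), (8, "super_page_size"), (12, "optimal_write_size"),
              (16, "number_of_banks"), (68, "max_erase_count"), (72, "min_erase_count"),
              (76, "avg_erase_count"), (80, "ecc_uncorrectable_errors"),
              (220, "read_reclaim_count")]
BANK_KEYS = ("initial_bad", "runtime_bad", "reserved_left")

def parse_smart_report(buf, endian="<"):
    """Decode one report; little-endian ("<") is an assumption."""
    if len(buf) != REPORT_SIZE:
        raise ValueError(f"expected {REPORT_SIZE} bytes, got {len(buf)}")
    rep = {name: struct.unpack_from(endian + "I", buf, off)[0]
           for off, name in U32_FIELDS}
    # Offset 0 is taken to be the error mode; its value names are not on the page.
    rep["error_mode_raw"] = struct.unpack_from(endian + "I", buf, 0)[0]
    # Four banks of three counters, 12 bytes each, starting at offset 20.
    rep["banks"] = [dict(zip(BANK_KEYS,
                             struct.unpack_from(endian + "3I", buf, 20 + 12 * b)))
                    for b in range(4)]
    # Footnote [4]: each 60-byte ECC_UEL area holds 30 two-byte entries.
    rep["ecc_uel_block_addr"] = list(struct.unpack_from(endian + "30H", buf, 84))
    rep["ecc_uel_page_offset"] = list(struct.unpack_from(endian + "30H", buf, 144))
    return rep

def sanity_check(rep):
    """List inconsistencies that point to a wrong offset or byte order."""
    problems = []
    if not 1 <= rep["number_of_banks"] <= 4:
        problems.append("number_of_banks outside 1..4")
    if not rep["min_erase_count"] <= rep["avg_erase_count"] <= rep["max_erase_count"]:
        problems.append("erase counts not ordered min <= avg <= max")
    # Footnote [3]: optimal write size = super page size * N-way interleaving.
    page = rep["super_page_size"]
    if page == 0 or rep["optimal_write_size"] % page:
        problems.append("optimal_write_size is not a multiple of super_page_size")
    for idx, bank in enumerate(rep["banks"]):
        if idx >= rep["number_of_banks"] and any(bank.values()):
            problems.append(f"unused bank {idx} has non-zero counters")
    return problems

def build_sample():
    """Constructed record carrying the scalar values from the listing."""
    buf = bytearray(REPORT_SIZE)
    struct.pack_into("<4I", buf, 4, 0x00200000, 0x4000, 0x4000, 1)
    struct.pack_into("<3I", buf, 20, 4, 0, 0x38)
    struct.pack_into("<3I", buf, 68, 0x79, 0, 0x2C)
    return bytes(buf)
```

Calling sanity_check(parse_smart_report(data)) on a real smart.bin gives an empty list when the layout and byte order fit; a non-empty list is the cue to recheck the offsets against the moviNAND document.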
Re: How to dump the bootloader from UA65ES8000
E3V3A: I need you to dump memory from your TV to ensure I am patching the right locations, I am not sure if your kernel is actually based in mem at 0x0Axxxxxx or 0x40xxxxxx. I need you to dump 0x100 bytes at 0xA1FBB80, i.e. addresses 0xA1FBB80 to 0xA1FBC80, to know for sure.
1) I didn't edit any sources cos I didn't build any of the sources, I just patch ARM opcodes into memory while it is running. I just looked at the sourcecode to know what I needed to patch it to do.
2) I cross compiled with default settings, the zip file in my first post includes my sourcecode and the makefile I used to build it. If you look at the makefile you'll see it's very basic. I just added the toolchain binaries to my path in Linux and then ran 'make'. For the record I used Ubuntu v10.04.1 32bit mainly cos I already downloaded the iso image for it ages ago, so already had it on my hdd.