Re: [HT-E4200] Loader problem (SOLVED)

Samsung's BluRay player related hacks.
Post Reply

gutmaj
Posts: 6
Joined: Fri Jan 05, 2024 3:20 pm
Location: Poland

Re: [HT-E4200] Loader problem (SOLVED)

Post by gutmaj »

I got second hand Samsung HT-E4200 not fully operable after firmware flashing (probably corrupted flashing, what I've learned from the 1st owner). I'm looking for help or advice how to troubleshoot it further. But let start from the beginning:

Problem Statement: Unit boots after power-on (from both from panel as well from remote controller) to initial screen as normal, but at the end of the pop-up window "Please close the tray" shows up, although the tray is closed. Deck/loader is not operable (no reaction to play, stop, eject requests both from front panel neither remote controller). This pop-up prevents going to any menu options including firmware update. On Front display "OPEN" is shown. When power-off is triggered (both front panel or RC) screen shuts off, but "OFF" is continuously shown on front display.

Device Info: ]Model: HTE4200ZF; Remote Controller: AH59-02350A; Audio: 2.1, SPDIF In; Video: 1x HDMi, 1x Composite; USB: 2x Port (1x front, 1x rear), Ethernet LAN; Options: FM Tuner; Main SoC: Samsung? Firenze SPD1004 (IC29); MiCom: Sanyo LC87F5WC8A (IC23); Loader/deck/OPU: Sunext SC7300 (IC2);

Troubleshooting Status:
[*] Obtained Service Manual for this unit - google is your friend :)
[*] Serial console to main SoC connected
[*] Cannot get access to U-BOOT by pressing <SHIFT> + <~>
[*] Possible to see system log which shows that firmware on SoC is secure boot verified

Code: Select all

Secure boot for kernel: success: 3386528-1541.
...
[CIP_KERNEL] >>> (/bin/authuld) file is successfully authenticated <<<
 ...
[CIP_KERNEL] Success!! Authuld is successfully completed.
[*] MiCom firmware looks okay while it controls power rails, receives RC keys and front panel buttons, VFD display works too
[*] Can see in system log that unit reacts to front panel buttons, RC buttons, USB device (pendrive detected)
[*] System log overwhelm with errors 22 from loader suggesting this sub-circuit isn't working properly

Code: Select all

...
[InitLoaderModule] Thread_ID=0x40207450 : CREATE
cdrom mod ld
sr_mod mod ld
sd_mod mod ld
libata mod ld
...
m_semInsLoaderModules.Take
[LoaderHal_Create] : Create the loader
LoaderCreate() -- enter!
...
ata1: softreset failed (device not ready)
ata1: softreset failed (device not ready)
ata1: softreset failed (device not ready)
ata1: softreset failed (device not ready)
ata1: reset failed, giving up
m_semLoadATAModules.Give
...
errno : 6(No such device or address)  [BdsBDSystemLoaderCtrl.cpp][Create][1303]	LoaderCreate() --FAILED 
...
errno : 22(Invalid argument)  [BdsBDSystemLoaderInfo.cpp][GetStatus][440]	LoaderGetStatus() --FAILED 
errno : 22(Invalid argument)  [BdsBDSystemLoaderInfo.cpp][GetStatus][440]	LoaderGetStatus() --FAILED 
errno : 22(Invalid argument)  [BdsBDSystemLoaderInfo.cpp][GetStatus][440]	LoaderGetStatus() --FAILED 
errno : 22(Invalid argument)  [BdsBDSystemLoaderInfo.cpp][GetStatus][440]	LoaderGetStatus() --FAILED 
[*] I'm able to get into Top Debug Menu and access sub-menus however it is difficult due to error 22 flooding the system log

Code: Select all

====================================
      [ TOP Debug Menu]   
------------------------------------
  2  : Platform Print Setting       
  4  : Oss Print Debug level        
  5  : Sdal Print Setting           
  6  : Sdal Trace Setting           
  10 : OSS Debugger                 
  11 : TD Debug                     
  21 : Louvre Print Setting         
------------------------------------
  30 : Arts Debug 		            
------------------------------------
  60 : MediaLink Debug              
-----------------------------------
  99 : Exit                         
====================================
DBG>
You do not have the required permissions to view the files attached to this post.
Last edited by gutmaj on Sun May 05, 2024 9:53 am, edited 2 times in total.
_gutmaj_
gutmaj
Posts: 6
Joined: Fri Jan 05, 2024 3:20 pm
Location: Poland

Re: [HT-E4200] Loader problem

Post by gutmaj »

Hypothesis: Based on above mentioned system log errors and fact that deck seems not to react at all (no spindle, no optical pick-up unit movement, no tray open/close) I suspect problem is with the loader sub-system where Sunext's SC7300 single chip optical drive device IC is main component connected to main SoC over SATA interface which looks not responsive in the system log. There is no much info in the net for this IC - will need community help with further investigation (see questions below). Here are further investigation path (any comments and/or more ideas welcome):
(1) Power rails problem all five power rails verified and okay (FE_12V_PW, FE5.0V_PW, FE3.3V_PW, FE1.2V_PW, BLD12V_PW)
(2) Wrong deck open/close signals both OPEN and CLOSE signal reacts correctly upon manual try move in/out (both signals are active low accordingly)
(3) Corrupted loader flash image (16Mbit, SPI) [UPDATE: 2024/Jan/20] Bingo! :D I've reprogram off-board the loader flash memory (IC1: Winbond W25Q16BVSSIG) and device has started without flooding loader errors in system log. The tray was operable from remote controller, front panel as well from TDM. Unfortunately after power-off/on cycle problem reappear, and loader doesn't react on any action, the system log is flooded again with loader errors. I suspect there is a copy of the loader image somewhere else in eMMC and system overwrote it.
(4) Faulty ICs or other components in loader sub-system

Questions/Requests:
[Q1] Looking for more info on SC7300 IC
[Q2] There is serial console for loader ICs in my unit. Does anyone know what is its speed, what data, logs can be capture there?
[Q3] Where to find loader flash image? [UPDATE 2024/Jan/20] Finally I've decrypted, de-xor genuine and unsquased firmware package download from Smasung's support web page. The loader images are stored in root folder of exe.img. These files are 512kB long and when you parse them with strings utility you will find plenty of plain text information suggesting it is loader firmware. Additionally I've read out partitions.txt which describes partitions on eMMC and it looks there are ones which supposed to store loader images too - that's probably causing problem with overwriting serial flash after power-off/on cycle
[Q4] Is there any way to trigger firmware update from TDM on my device?
[Q5] How to stop system log dump on serial console and get access to Linux command line?
[Q6] Any hints how to get into u-boot at the beginning of power-up?

[UPDATE 2024/Jan/20] eMMC memory partition scheme as per partitions.txt retrieved from exe.img (B-FIRHT7WWC 1015.1)

Code: Select all

partitionID	flash_device_name	flash_device_size	flash_image_name	flash_device_type	flash_upgrade_type	flash_partition_map	flash_mount_path	default_block_size	flash_format_option	flash_mount_option
0	/dev/mmcblk0	524288	onboot.bin	MLC	NONE	BOOTLOADER0	NONE	524288	NONE	NONE
1	/dev/mmcblk0p1	524288	u-boot.bin	MLC	NONE	BOOTLOADER1	NONE	524288	NONE	NONE
2	/dev/mmcblk0p2	1048576	boot_image.raw	MLC	NONE	CONTENT1	NONE	524288	NONE	NONE
3	/dev/mmcblk0p3	6291456	Image	MLC	USER	KERNEL0	NONE	524288	NONE	NONE
4	/dev/mmcblk0p4	0	ex_partition	MLC	NONE	NONE	NONE	524288	NONE	NONE
5	/dev/mmcblk0p5	4718592	rootfs.img	MLC	USER	RFS0	NONE	524288	NONE	NONE
6	/dev/mmcblk0p6	6291456	Image	MLC	USER	KERNEL1	NONE	524288	NONE	NONE
7	/dev/mmcblk0p7	4718592	rootfs.img	MLC	USER	RFS1	NONE	524288	NONE	NONE
8	/dev/mmcblk0p8	8192	sign0.bin	MLC	NONE	SECUREMAC0	NONE	524288	NONE	NONE
9	/dev/mmcblk0p9	8192	sign1.bin	MLC	NONE	SECUREMAC1	NONE	524288	NONE	NONE
10	/dev/mmcblk0p10	8192	NONE	MLC	NONE	NONE	NONE	524288	NONE	NONE
11	/dev/mmcblk0p11	8192	NONE	MLC	NONE	NONE	NONE	524288	NONE	NONE
12	/dev/mmcblk0p12	31457280	NONE	MLC	OTHER	NONE	/mtd_rwarea	524288	NONE	NONE
13	/dev/mmcblk0p13	146800640	exe.img	MLC	USER	EXE0	/mtd_exe	524288	NONE	-t_squashfs
14	/dev/mmcblk0p14	146800640	exe.img	MLC	USER	EXE1	/mtd_exe	524288	NONE	-t_squashfs
15	/dev/mmcblk0p15	136314880	rocommon.img	MLC	OTHER	CONTENT0	/mtd_rocommon	524288	NONE	-t_squashfs
16	/dev/mmcblk0p16	1048576	Loader_HL_E5500.bin	MLC	NONE	NONE	NONE	524288	NONE	NONE
17	/dev/mmcblk0p17	1048576	Loader_HL_E7500.bin	MLC	NONE	NONE	NONE	524288	NONE	NONE
18	/dev/mmcblk0p18	1048576	Loader_HL_E8200.bin	MLC	NONE	NONE	NONE	524288	NONE	NONE
19	/dev/mmcblk0p19	1048576	Loader_HL_ES8200.bin	MLC	NONE	NONE	NONE	524288	NONE	NONE
20	/dev/mmcblk0p20	1048576	NONE	MLC	NONE	NONE	NONE	524288	NONE	NONE
21	/dev/mmcblk0p21	1048576	NONE	MLC	NONE	NONE	NONE	524288	NONE	NONE
22	/dev/mmcblk0p22	6291456	NONE	MLC	NONE	NONE	/mtd_drmregion_a	524288	-S_1024-s_1	-t_rfs
23	/dev/mmcblk0p23	6291456	psadata.img	MLC	OTHER	RESERVE0	/mtd_drmregion_b	524288	-S_1024-s_1	-t_rfs
24	/dev/mmcblk0p24	367001600	NONE	MLC	NONE	NONE	NONE	524288	NONE	NONE
25	/dev/mmcblk0p25	1073741824	NONE	MLC	NONE	NONE	/mtd_rwbdjava	524288	NONE	NONE
26	/dev/mmcblk0p26	31457280	NONE	MLC	NONE	NONE	/mtd_contents	524288	NONE	NONE
27	/dev/mmcblk0p27	24403968	NONE	MLC	NONE	NONE	/tmp/app_log	524288	NONE	NONE
Last edited by gutmaj on Sun May 05, 2024 10:00 am, edited 2 times in total.
_gutmaj_
gutmaj
Posts: 6
Joined: Fri Jan 05, 2024 3:20 pm
Location: Poland

Re: [HT-E4200] Loader problem (SOLVED)

Post by gutmaj »

Finally it get solved. Here is how I've made it:

A) All symptoms and ata/loader error flood in the system log gave me indication that loader (IC2) is not operating correctly. Previous owner told me that it happen after system re-flash. I assumed that maybe loader NOR flash is corrupted, therefore loader is not correctly configured to make SATA interface communicating with Firenze SOC (that's what I read form the log).

B) I decided to make off-board programming of this NOR flash (IC1) to avoid interference with loader IC, therefore used SOIC adapter to have possibility to re-program this flash multiple times.
Image

C) How to get loader image: (a) from other working device (to big invest :), (b) from main eMMC (there is mirror stored in partition 16, but you need to have root access on the device to dump this content), (c) extract it from firmware update package you could download from Samsung's official support page). I chose option (c) (see details here: https://forum.samygo.tv/viewtopic.php?t=14207)

D) The loader for my device is Loader_HL_E5500.bin (512kB). I've made a copy of original content and programmed new one.

E) After plugging it into SOIC adapter the system power up properly indicating without flooding system log with loader errors. The deck start to operate, open/close, play, pause, etc.

F) To make sure the NOR flash content is equal to mirror stored in eMMC I've made entire system upgrade from USB pendrive with latest firmware from Samsung's support web page.

G) After reboot all is fine. I could solder back the NOR flash directly to the bottom of PCB. From now onwards no issues with loader.

Remarks and open points:
  • All investigation took a while because I had reverse engineer the system architecture (google is your friend to obtain Service Manual), draw power-tree, get a bit of understanding of system logs, TDM and loader logs, learn how to extract original Samsung's firmware packages, etc. It was very interesting and learning journey. Image
  • There is an UART console from loader IC (connector CN4: 3: RxD, 4: +3.3V, 5: TxD, 6: GND) , but I wasn't able to get any text messages there. First it uses non-standard baud rate of 345.6kbps (3x 115.2kbps), which I finally made running under my Linux PC.

Code: Select all

# set custom speed and appropriate divisor of baude base clock to derive desired non-standard baud rate
$ sudo setserial /dev/ttyUSB1 divisor 174 spd_cust

# check what have been configured in serial driver (60000000 / 174 -> 344.83kbps in my case)
$ setserial -a /dev/ttyUSB1
/dev/ttyUSB1, Line 1, UART: unknown, Port: 0x0000, IRQ: 0
	Baud_base: 60000000, close_delay: 50, divisor: 174
	closing_wait: 3000
	Flags: spd_cust

# call your favourite console terminal with 38.4kbps speed (this one must be used for custom speed selection by linux serial driver)
$ screen /dev/ttyUSB1 38400
  • Unfortunately all UART message characters except LF (0x0A) are change to character '@' (0x40) showing kind of strange output in the console (ass shown below). I suspect that's done by purpose to limit any possibilities to hack loader and enable unauthorized DVD/BD discs to be played. I guess there will be some back door in loader firmware to enable this messages to be send in plain text for debug purpose, but this requires next investigation and reveres engineering of firmware (sounds like new project for next winter :).

Code: Select all

@@@@@
     @@@@@@@@@@@
                @@@@@@@@@@@@@@@@
                                @@@@@@@@@@@@@@@@@@@@
                                                    @@@@
@@@@@@@@@@@
           @@@@@@@@@@@@@@@@@
                            @@@@@@@@
                                    @@@@@@@@@@@@@@@@@
  • There is also an issue with some DVDs playback. I treat it as normal for 12years old device - very likely laser pick-up is dirty or optical power deteriorated to the level laser beam isn't reflected well from disc surface.
You do not have the required permissions to view the files attached to this post.
_gutmaj_
fredwta
SamyGO Project Donor
Posts: 26
Joined: Thu Jul 31, 2014 11:54 am

Re: Re: [HT-E4200] Loader problem (SOLVED)

Post by fredwta »

Good afternoon.
I have a similar problem with a similar model: Samsung HT-E4550K.
Maybe you still have this loader file: Loader_HL_E5500.bin (512kB)?
It would be very good...
Waiting for an answer.
UE46ES8007- SamyGo Skype type + Oscam. UE48H6410 - Root Skype type and Oscam
gutmaj
Posts: 6
Joined: Fri Jan 05, 2024 3:20 pm
Location: Poland

Re: Re: [HT-E4200] Loader problem (SOLVED)

Post by gutmaj »

Yes. I do have this file. How to share it with you?
_gutmaj_

Post Reply

Return to “BluRay Players”