Re: How to dump the bootloader from UA65ES8000

Posted: Sat Feb 09, 2013 5:07 pm
by E3V3A
Thanks! We'll need to parse that to get something readable and useful out from that hex... I'll see what I can do.

Also, for Samsung-based eMMC devices there is a hidden CMD62 that can be used to read and write eMMC firmware. This functionality is shown in some of the Android brickbug patches in the ./drivers/mmc/core/quirks.c over HERE. (See line 228)

Here are the relevant documents just in case...

http://yourcmc.ru/wiki/images/5/55/EMMC_JESD84-A441.pdf
https://dl.dropbox.com/u/69550833/JESD84-B451.pdf
http://www.jedec.org/sites/default/file ... r_Tsai.pdf

Very handy to know!

Re: How to dump the bootloader from UA65ES8000

Posted: Sun Feb 10, 2013 1:01 am
by xorloser
You could alter the mmcsmart tool to print out what the various values mean. I just looked at it in a hex editor and cross referenced values to the emmc specs to ensure that the data I got made sense, which it did. I wasn't actually that interested in the data itself, but more in the calling of the kernel ioctl to dump the smart data.

It seems that cmd62 will access the extra hidden sectors in the emmc flash that stores the firmware. On a hdd you can usually use either the serial port or vendor specific commands to read/write firmware and physical sectors. So same kinda thing.

If you want to send me your current kernel image I can have a look and see if it is easy to port my patches across for you so you can dump your bootloader. If it is totally different I probably won't bother, but if it is essentially the same it shouldn't be too hard.

Re: How to dump the bootloader from UA65ES8000

Posted: Sun Feb 10, 2013 3:10 pm
by E3V3A
That would be great!

I'm using UExxES6xxx.zip which is very similar to yours with only THESE files differing.
My kernel image is T-MST10PDEUC_1029.0.

Also, I seem to have lost the doc describing the smart info data... I'm sure I had it somewhere. :/
Please remind me where to find it.

Re: How to dump the bootloader from UA65ES8000

Posted: Sun Feb 10, 2013 4:51 pm
by E3V3A
Oh, here it is!
Found it in THIS datasheet for moviNAND.
moviNAND_SmartReport.png

Re: How to dump the bootloader from UA65ES8000

Posted: Sun Feb 10, 2013 5:08 pm
by Mkò
How to dump the bootloader from Samsung C series TV??? Any hints on how to do this on C series?

Re: How to dump the bootloader from UA65ES8000

Posted: Sun Feb 10, 2013 5:24 pm
by juusso
You can dump, but you can't reflash it back. Bootloader is RO locked on C series.

P.S. This is not a C series thread!

Re: How to dump the bootloader from UA65ES8000

Posted: Mon Feb 11, 2013 1:45 am
by xorloser
E3V3A: Ok it seems the code in your kernel is the same as in mine, so should just be a matter of changing addresses and using same patches. To ensure I use the correct addresses, can you dump say 0x100 bytes of data at address 0xA1FBB80 via that viewmem tool and paste it here or in a pastebin.

Re: How to dump the bootloader from UA65ES8000

Posted: Mon Feb 11, 2013 1:54 am
by dajojo
Looking at bootloader code, do you see any signs of hardcoded addresses being used?
Probably everything is in eMMC chip but there could be some in micom hardcoded to some addresses. It is wise to leave eMMC disk structure intact.
Seems everything except cpu and gpu and mem pointers is the same. So like with their phones they're using branch upgrades, so more or less there is a chance of replacing kernel without it going nuts :)

Re: How to dump the bootloader from UA65ES8000

Posted: Mon Feb 11, 2013 10:26 pm
by E3V3A
xorloser wrote: E3V3A: Ok it seems the code in your kernel is the same as in mine, so should just be a matter of changing addresses and using same patches. To ensure I use the correct addresses, can you dump say 0x100 bytes of data at address 0xA1FBB80 via that viewmem tool and paste it here or in a pastebin.
What addresses?

I just finished the Smart Report parser, to use in conjunction with your mmcsmart.
Here is the output from your smart.bin that you posted. Please verify that it is correct.
Code:

$ ./smartview.pl
Parsing Smart Records from: smart.bin

Error Mode: Normal

004: 4  : Super Block Size [1]              :00200000
008: 4  : Super Page Size [2]               :00004000
012: 4  : Optimal Write Size [3]            :00004000
016: 4  : Number Of Banks                   :00000001
020: 4  : Bank0 Initial bad blocks          :00000004
024: 4  : Bank0 Runtime bad blocks          : <zero>
028: 4  : Bank0 Remaining reserved blocks   :00000038
032: 4  : Bank1 Initial bad blocks          : <zero>
036: 4  : Bank1 Runtime bad blocks          : <zero>
040: 4  : Bank1 Remaining reserved blocks   : <zero>
044: 4  : Bank2 Initial bad blocks          : <zero>
048: 4  : Bank2 Runtime bad blocks          : <zero>
052: 4  : Bank2 Remaining reserved blocks   : <zero>
056: 4  : Bank3 Initial bad blocks          : <zero>
060: 4  : Bank3 Runtime bad blocks          : <zero>
064: 4  : Bank3 Remaining reserved blocks   : <zero>
068: 4  : Max. Erase Count                  :00000079
072: 4  : Min. Erase Count                  : <zero>
076: 4  : Avg. Erase Count                  :0000002c
080: 4  : ECC Uncorrectable Errors          : <zero>

084: 60 : ECC_UEL Physical Block Address [4]:
                                             0000:002c
                                             0000:0001
                                             0000:0079
                                             0000:001e
                                             0000:0000
                                             0000:0054
                                             30ae:df3e
                                             2295:c924
                                             1457:415f
                                             0f7c:29a5
                                             4cdb:54ee
                                             338a:b1dd
                                             96ab:785f
                                             9e0b:80bd
                                             0000:2000

144: 60 : ECC_UEL Physical Page Offset [4]  : <zero>
204: 16 : Reserved                          : <zero>
220: 4  : Read Reclaim Count                : <zero>
224: 288: Reserved                          : <zero>

----------------------------------------------------------------
[1] Number of Channel * N-way Interleaving * physical block size
[2] Number of Channel * physical page size
[3] Super Page Size * N-way Interleaving
[4] These addresses/offsets are 30 x 2-bytes...
----------------------------------------------------------------
This Customer Smart Report Data is based on the Samsung moviNAND
specifications found in the document: http://tiny.cc/2jacsw
----------------------------------------------------------------
I haven't gotten around to compiling mmcsmart & viewmem yet...
I'll soon post a download link, once I get it all to work.
(Or send me a PM, if you need it immediately.)

BTW. Two more questions,
1) Did you need to edit any other files from UExxES8xxx.zip sources? (The mmcsmart.cpp dependencies?)
2) Did you just cross-compile with default settings, or did you use any particular flags?

Cheers!
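
Added example, not code from the thread and not the poster's smartview.pl: a Python parser for the 512-byte smart report that uses the offsets and sizes listed in the output above and flags records that look inconsistent. Little-endian byte order, an Error Mode word at offset 0, the field names and the sanity checks are assumptions of this example; the sample buffer is constructed from the scalar values shown in the post.

```python
import struct

# Offsets/sizes come from the smartview.pl output quoted above.
# Byte order and the Error Mode word at offset 0 are assumptions.
SCALARS = [(4, "super_block_size"), (8, "super_page_size"),
           (12, "optimal_write_size"), (16, "num_banks")]
SCALARS += [(20 + 12 * b + 4 * i, f"bank{b}_{name}")
            for b in range(4)
            for i, name in enumerate(("initial_bad", "runtime_bad", "reserved_left"))]
SCALARS += [(68, "max_erase"), (72, "min_erase"), (76, "avg_erase"),
            (80, "ecc_uncorrectable"), (220, "read_reclaim")]
RESERVED = [(204, 16), (224, 288)]   # (offset, size) areas listed as Reserved
REPORT_LEN = 512


def parse_smart_report(buf, byteorder="<"):
    """Return (fields, warnings) for one 512-byte smart report."""
    if len(buf) != REPORT_LEN:
        raise ValueError(f"expected {REPORT_LEN} bytes, got {len(buf)}")
    fields = {"error_mode": struct.unpack_from(byteorder + "I", buf, 0)[0]}
    for off, name in SCALARS:
        fields[name] = struct.unpack_from(byteorder + "I", buf, off)[0]
    # Footnote [4]: each 60-byte ECC_UEL area holds 30 two-byte entries.
    fields["ecc_uel_block"] = list(struct.unpack_from(byteorder + "30H", buf, 84))
    fields["ecc_uel_page"] = list(struct.unpack_from(byteorder + "30H", buf, 144))

    warnings = []   # consistency checks chosen for this example
    if not 1 <= fields["num_banks"] <= 4:
        warnings.append("num_banks outside 1..4")
    if not fields["min_erase"] <= fields["avg_erase"] <= fields["max_erase"]:
        warnings.append("erase counts not ordered min <= avg <= max")
    for off, size in RESERVED:
        if any(buf[off:off + size]):
            warnings.append(f"reserved area at {off} is not zero")
    if fields["ecc_uncorrectable"] == 0 and any(fields["ecc_uel_block"]):
        warnings.append("ECC_UEL entries present but error count is zero")
    return fields, warnings


def build_sample():
    """Constructed sample carrying the non-zero scalar values from the post."""
    buf = bytearray(REPORT_LEN)
    for off, val in [(4, 0x200000), (8, 0x4000), (12, 0x4000), (16, 1),
                     (20, 4), (28, 0x38), (68, 0x79), (76, 0x2C)]:
        struct.pack_into("<I", buf, off, val)
    return bytes(buf)
```

A warning does not mean the device is failing; it means the bytes do not fit the layout assumed here, which is the first thing to rule out (wrong byte order, wrong offset) before trusting any wear figure.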

Re: How to dump the bootloader from UA65ES8000

Posted: Tue Feb 12, 2013 12:50 am
by xorloser
E3V3A: I need you to dump memory from your TV to ensure I am patching the right locations, I am not sure if your kernel is actually based in mem at 0x0Axxxxxx or 0x40xxxxxx. I need you to dump 0x100 bytes at 0xA1FBB80, i.e. addresses 0xA1FBB80 to 0xA1FBC80 to know for sure.

1) I didn't edit any sources cos I didn't build any of the sources, I just patch ARM opcodes into memory while it is running. I just looked at the sourcecode to know what I needed to patch it to do.
2) I cross compiled with default settings, the zip file in my first post includes my sourcecode and the makefile I used to build it. If you look at makefile you'll see it's very basic. I just added the toolchain binaries to my path in linux and then ran 'make'. For the record I used ubuntu v10.04.1 32bit mainly cos I already downloaded the iso image for it ages ago, so already had it on my hdd.