Have done a lot of testing with two available mainboards and have some summary. To switch partitions,
we need to change two bytes:
0x03 and 0x04 and unplug TV from the wall for few seconds.
Mentioned 00 and 02 at address 0x18 do nothing, at least i couldn`t find any relation between changing them and partition switch. Tested on UE40D6750 and UE406500...
1. Read config micom:
2. Enable micom debug (if disabled, no boot log, no debug trough exlink, no chance to get shell!) set 0x05 to 00:
N.B you have to enable debug and disable watchdog on SoC eeprom (use another eeprom, check here) by commands below:
3. Switch boot partition.
For example:
To force toggle to
1st partition set (cmd line rootfs=/dev/tfsr6...), values should be
AD CD:
http://ip/write?device=80&addr=3&data=AD&width=8
http://ip/write?device=80&addr=4&data=CD&width=8
0000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................................
0020: FF FF AD CD 00 FF 00 FF 00 00 02 00 FF 65 6E 67 FF 00 FF FF 01 C2 2B 02 6E FF B2 FF FF FF FF FF .............eng......+.n.......
0040: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................................
0060: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................................
0080: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................................
00a0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................................
00c0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................................
00e0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................................
To boot
2nd set of partitions (cmd line rootfs=/dev/tfsr8...) values are
B0 77
http://ip/write?device=80&addr=3&data=B0&width=8
http://ip/write?device=80&addr=4&data=77&width=8
0000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................................
0020: FF FF B0 77 00 FF 00 FF 00 00 02 00 FF 65 6E 67 FF 00 FF FF 01 C2 2B 02 6E FF B2 FF FF FF FF FF ...w.........eng......+.n.......
0040: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................................
0060: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................................
0080: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................................
00a0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................................
00c0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................................
00e0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................................
Checked many times and every time tv booted as expected according values above. Method doesn`t work if powered off to standby and powered on back, no reaction to modified boot flags: to get partitions toggling, unplug from wall is mandatory.
On D series boards i haven`t soldered wires direct to the chip, on backside of mobo i noticed three pads, used multimeter and identified they`re connected to proper eeprom config pads! GND i took from another place, one of legs of socket (look at black wire).
I`m lucky i have had healthy mobo i could make testing with, now both mainboards working.
Some notices. I think this way on D series, with original rootfs and kernel is not really acceptable, because toggling partitions will force TV to start rebooting by authuld, here is only one exe.img partition onboard and
toggle won`t switch cmac partitions. This may be solutions for advanced users, who have patched kernel and hashes aren`t important anymore or devels if bricked while messing with rootfs or kernel.
For C series this could be ok, because "toggle" is used to completely switch firmware, but not only rootfs+kernel. Someone could do similar testing on C series mainboards, time to time here are some bricks, what could be treatable this way. If similar pads exist, perhaps no soldering is needed at all?
Oga83, i haven`t tested your new sketch yet, TV was already assembled when i saw your post. Will do that later.
one more edit: inspecting some another behavior: B0 77 definitelly loads 2nd partition set, but AD CD does not. Or not always. So, research to be continued