Hacking no-name "MP5" players with SPMP8000A – Part I, teardown

Now if you are dangerous enough to remove the Li-Ion battery, LCD, and desolder the NAND Flash TSOPs then you will pretty much have a bare board. That’s what we’ll be showing you today. Let’s start with the back of the board – go ahead and click the pic for a little higher resolution if you need.

Back of the Gindart MP5 PCB
Fig 3 – Back of the PCB with all the cool bits labelled

On the back of the board we can see the support hardware and ancillary bits.

  • 1.3MP Camera with video function (no flash or torch light)
  • MicroSD/TransFlash socket
  • USB 2.0 port
  • Video Out (and maybe IN) jack
  • Headphone out jack
  • Back of the Analog Joystick
  • Footprint for Flash 2 extended storage
  • CPU Serial Port – Note this location, folks. You’ll be soldering here soon!

Continuing on with the front of the PCB…

Front of the Gindart MP5 PCB

Fig 4 – Front of the PCB with all the cool bits labelled

Here we can see most of the interesting IC’s in the list of goodies.

  • CPU – Sunplus SPMP8000A Media Processor (ARM926) with plenty of bells, whistles, and media-decoding subsystems to make it worth a second look.
  • DDR – 16MB (boo) Hynix HY5DU561622ETP
  • Flash 1 (Main Flash) – Can be various devices and sizes. Ours was Hynix H27UAG8T2 2GB
  • Analog Joystick ala PSP

Not bad. A nice, compact, low-cost system ripe for the hacking. This pretty much concludes our overview for today, so go start fetching datasheets and installing the ARM toolchains in preparation for some pretty deep hacking that’s about to take place. In order to whet your appetite, we’ll leave you with a few fun facts.

  • Absolutely no firmware signing, checking, or security
  • Built in bootloader accessed by plugging USB while holding a magic button, or by starting up or plugging USB with no flash or blank flash installed.
  • Bootloader automatically executes anything you send to it, as the firmware updater consists of first sending a flashing program, then sending a flash image. What could be easier – you can run your own code in 30 seconds!
This entry was posted in MP5, Reviews/Teardowns. Bookmark the permalink.

13 Responses to "Hacking no-name "MP5" players with SPMP8000A – Part I, teardown"

Leave a reply