Abusing the SPMP8000 via serial port – Part I


Ready to get serial-ized? Let’s go.

Roll call:

PC attached to USB-> Serial Converter… Check!

3.3V RS232 lines attached to new PMP connector… Check!

New PMP connector soldered to RxD, TxD pads on mainboard… Check!

Serial port settings 115200, 8n1, Flow Control OFF… Check!
Minicom, Hyperterminal, or just cat /dev/ttyUSB0 listening… Check!

Now fire up the PMP and see what you get. With the device switched off but the serial connection alive, plug in the USB cable and the device should start talking. If the UP button is held while you plug in, the device runs a few quick checks and then waits in ISP mode for new firmware to be sent over USB; that's a topic for another day. Here is an example of what you'll see on the serial terminal when booting into ISP mode (by holding UP):

+++MMP RomCode ver 0.3.0 2008/06/05
pwrc_cfg=a0000006
vic1_rawSts=00000020
keyscan4=00001890
iotraps=00000000
KEY is pressed & USB connected
Enter ISP mode
NAND_TYPE: HYNIX
prPyld_LDWORD=b614d5ad
prPyld_HDWORD=4414d544
u16PageNoPerBlk=128
u16PageSize=4224
u16PyldLen=4096
u16ReduntLen=64
u16SpareLen=64
u16TotalBlkNo=4096
Id=3008a7b3

If you don't see any output, you may have the TxD and RxD lines reversed. Swap them and try again. If you still see nothing, unplug the TxD and RxD lines and touch them together: with this loopback, anything you type in the terminal should be echoed back to you. If after this check you STILL don't see anything and you're sure the port settings are right, bundle up your PMP and send it to us. :)

All kidding aside, your terminal setup should be ready to go. The ISP mode messages are woefully boring, consisting of just a little config info and data about the on-board flash.
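The ROM-code banner is short, but it is worth having a tool read it rather than eyeballing it. The following is an added example, not code from the original post: it parses a captured banner into numbers, detects whether the device entered ISP mode, derives the NAND geometry from the u16* fields, and compares two captures to show which register changed when the UP key was held. The sample banners are constructed copies of the dumps shown on this page; the rule that u16* fields are decimal and every other field is hex is an assumption drawn from the values shown.

```python
"""Parse the SPMP8000 ROM-code banner captured over the serial port.

Added example, not code from the original post. The banners below are
constructed copies of the two captures shown on the page.
"""
import re

ISP_BANNER = """\
+++MMP RomCode ver 0.3.0 2008/06/05
pwrc_cfg=a0000006
vic1_rawSts=00000020
keyscan4=00001890
iotraps=00000000
KEY is pressed & USB connected
Enter ISP mode
NAND_TYPE: HYNIX
prPyld_LDWORD=b614d5ad
prPyld_HDWORD=4414d544
u16PageNoPerBlk=128
u16PageSize=4224
u16PyldLen=4096
u16ReduntLen=64
u16SpareLen=64
u16TotalBlkNo=4096
Id=3008a7b3
"""

NORMAL_BANNER = """\
+++MMP RomCode ver 0.3.0 2008/06/05
pwrc_cfg=a0000006
vic1_rawSts=00000020
keyscan4=00001880
iotraps=00000000
NAND_TYPE: HYNIX
prPyld_LDWORD=b614d5ad
prPyld_HDWORD=4414d544
u16PageNoPerBlk=128
u16PageSize=4224
u16PyldLen=4096
u16ReduntLen=64
u16SpareLen=64
u16TotalBlkNo=4096
"""

_KV = re.compile(r"^(\w+)=([0-9A-Fa-f]+)$")
_VER = re.compile(r"^\+\+\+MMP RomCode ver (\S+)")


def _to_int(key, value):
    # Assumption from the captures: u16* geometry fields are printed in
    # decimal, register and ID dumps (pwrc_cfg, keyscan4, Id, ...) in hex.
    return int(value, 10) if key.startswith("u16") else int(value, 16)


def parse_banner(text):
    """Return romcode version, NAND vendor string, boot mode and fields."""
    info = {"romcode_version": None, "nand_type": None,
            "mode": "normal", "fields": {}}
    for line in text.splitlines():
        line = line.strip()
        m = _VER.match(line)
        if m:
            info["romcode_version"] = m.group(1)
        elif line.startswith("NAND_TYPE:"):
            info["nand_type"] = line.split(":", 1)[1].strip()
        elif line == "Enter ISP mode":
            info["mode"] = "isp"
        else:
            m = _KV.match(line)
            if m:
                info["fields"][m.group(1)] = _to_int(m.group(1), m.group(2))
    return info


def nand_geometry(fields):
    """Derive chip size and out-of-band layout from the u16* fields."""
    pages_per_block = fields["u16PageNoPerBlk"]
    page_size = fields["u16PageSize"]      # payload + OOB, as the ROM sees it
    payload = fields["u16PyldLen"]
    blocks = fields["u16TotalBlkNo"]
    pages = pages_per_block * blocks
    oob = page_size - payload
    return {
        "pages": pages,
        "block_bytes": payload * pages_per_block,
        "payload_bytes": payload * pages,   # usable data capacity
        "raw_bytes": page_size * pages,     # including OOB area
        "oob_per_page": oob,
        # The ROM splits OOB into a redundancy part and a spare part;
        # check that the two add up to page_size - payload.
        "oob_consistent": oob == fields["u16ReduntLen"] + fields["u16SpareLen"],
    }


def changed_fields(a, b):
    """Fields present in both captures whose values differ."""
    return {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}


if __name__ == "__main__":
    isp = parse_banner(ISP_BANNER)
    print(isp["mode"], isp["nand_type"], nand_geometry(isp["fields"]))
    print(changed_fields(isp["fields"], parse_banner(NORMAL_BANNER)["fields"]))
```

Run against the two captures, the only register that differs is keyscan4, and the two values differ by a single bit, which is how the ROM code knew the UP key was held. The geometry works out to 2 GiB of payload with a 128-byte OOB area per page.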

If you plug in USB without holding the UP key, the device enters its normal RedBoot startup routine. The text during this sequence is much more verbose, with messages about DRAM, flash, clock speed, and much more. You can study it in detail by saving the log to a file and perusing it at your leisure. Here is an excerpt from that boot sequence.

+++MMP RomCode ver 0.3.0 2008/06/05
pwrc_cfg=a0000006
vic1_rawSts=00000020
keyscan4=00001880
iotraps=00000000
NAND_TYPE: HYNIX
prPyld_LDWORD=b614d5ad
prPyld_HDWORD=4414d544
u16PageNoPerBlk=128
u16PageSize=4224
u16PyldLen=4096
u16ReduntLen=64
u16SpareLen=64
u16TotalBlkNo=4096
Start to read DRAM_Init code from flash…
start to extract DRAM_Init code…
call DRAM_Init()…
no dramcfg available
+ScanRam ver v1.0.0.0
DRAM Type Scan Start

00000020

init DRAM done
Enter the bypass mode!
+ver=00030000
RedBoot_ver=01000000
Scanram_ver=01000000

… … … and so on … …

After RedBoot is happily running, the device pauses for a split second to decide whether it should enter interactive (console) mode before executing its startup script. This choice can be seen much further down in the serial output:

== Executing boot script in 0.010 seconds - enter ^C to abort

To get into the very useful RedBoot console, simply hit Ctrl-C at some point during the bootloader startup. Don't worry, you have more than 10 milliseconds to hit the trap: the device is pretty generous about keeping old keystrokes in the buffer, so you don't have to be fast at all to get a console. Just send ^C early. You will be rewarded with

RedBoot>

And you can now use and abuse the device as you like. Type help for a list of what this build of RedBoot can do (it’s slightly modified from the official version) or look online at http://sourceware.org/redboot/.

We will save the detailed explanation of how RedBoot works for another article, but we will tell you that in order to upload your own ELF files (with load -m xmodem) you must have the load address set properly, inside RAM, at link time. Find where RAM is by inspecting the startup text; we'll leave that as an exercise for the reader.
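Putting the checklist settings, the ^C trap and the RAM check together, here is an added example (not code from the original post) that drives the console catch from a script. open_port() opens the adapter with pyserial using the settings from the checklist (115200, 8N1, no flow control); everything else only needs an object with read(n) and write(bytes), so FakeSerial, a constructed stand-in that replays a copy of the boot log shown on this page and answers ^C with the prompt, lets the logic run offline. ram_window() then reads the RAM line RedBoot prints and load_address_ok() checks a candidate link address against it; the /dev/ttyUSB0 path and the 1 MiB image size in the demo are assumptions.

```python
"""Automate the RedBoot console catch over a serial stream.

Added example, not code from the original post. Works against any object
exposing read(size) -> bytes and write(bytes); pyserial's serial.Serial
does, and FakeSerial below is a constructed stand-in for offline runs.
"""
import re

ABORT_BANNER = b"enter ^C to abort"   # RedBoot's countdown line
PROMPT = b"RedBoot>"
CTRL_C = b"\x03"


def open_port(path="/dev/ttyUSB0"):
    """Open the USB-serial adapter with the checklist settings.
    Assumes pyserial is installed; imported lazily so the offline demo
    below does not need it."""
    import serial
    return serial.Serial(path, baudrate=115200, bytesize=8, parity="N",
                         stopbits=1, xonxoff=False, rtscts=False, timeout=1)


class FakeSerial:
    """Constructed stand-in for a serial port: replays a captured boot log
    and, when the host sends ^C, answers with the RedBoot prompt."""

    def __init__(self, transcript, prompt=b"\r\nRedBoot> "):
        self._buf = bytearray(transcript)
        self._prompt = prompt
        self.written = bytearray()

    def read(self, size=1):
        chunk = bytes(self._buf[:size])
        del self._buf[:size]
        return chunk                     # b"" once the transcript is exhausted

    def write(self, data):
        self.written += data
        if CTRL_C in data:
            self._buf += self._prompt
        return len(data)


# Constructed transcript: the tail of the boot log shown in the post.
BOOT_TRANSCRIPT = (
    b"RedBoot(tm) bootstrap and debug environment [ROM]\r\n"
    b"Non-certified release, version v2_0_28 - built 13:43:27, Jun 15 2009\r\n"
    b"Platform: SUNPLUS_MMP (ARM 9)\r\n"
    b"RAM: 0x00000000-0x00f00000, [0x00200000-0x00f00000] available\r\n"
    b"Load image from romfs!\r\n"
    b"Found the image entry point: 0x280040\r\n"
    b"== Executing boot script in 0.010 seconds - enter ^C to abort\r\n"
)


def catch_console(port, max_bytes=1 << 20, idle_reads=20):
    """Read boot output, send ^C once the countdown line appears, and
    return the captured log when the RedBoot> prompt shows up.
    Returns None if the prompt never arrives (timeouts or output cap)."""
    log = bytearray()
    sent = False
    idle = 0
    while len(log) < max_bytes and idle < idle_reads:
        chunk = port.read(256)
        if not chunk:
            idle += 1            # read timeout on a real port, EOF on the fake
            continue
        idle = 0
        log += chunk
        # Only the newest bytes can complete the banner; check a short tail.
        tail = log[-(len(chunk) + len(ABORT_BANNER)):]
        if not sent and ABORT_BANNER in tail:
            port.write(CTRL_C)
            sent = True
        if sent and log.rstrip().endswith(PROMPT):
            return bytes(log)
    return None


RAM_LINE = re.compile(
    rb"RAM: 0x([0-9a-f]+)-0x([0-9a-f]+), \[0x([0-9a-f]+)-0x([0-9a-f]+)\] available",
    re.IGNORECASE)


def ram_window(log):
    """Pull the RAM range RedBoot reports; the bracketed part is what is
    free for a loaded image."""
    m = RAM_LINE.search(log)
    if not m:
        return None
    start, end, lo, hi = (int(x, 16) for x in m.groups())
    return {"start": start, "end": end, "available": (lo, hi)}


def load_address_ok(window, load_addr, image_size):
    """True if [load_addr, load_addr + image_size) lies inside the free
    window: the check to run on an ELF's link address before load -m xmodem."""
    lo, hi = window["available"]
    return lo <= load_addr and load_addr + image_size <= hi


if __name__ == "__main__":
    port = FakeSerial(BOOT_TRANSCRIPT)      # swap for open_port() on hardware
    log = catch_console(port)
    win = ram_window(log)
    print("free RAM: 0x%08x-0x%08x" % win["available"])
    print("0x280040 fits a 1 MiB image:", load_address_ok(win, 0x280040, 1 << 20))
```

On hardware, replace the FakeSerial with open_port() and power the device on after the script is already reading; because the device buffers keystrokes, sending ^C as soon as the countdown line appears is more than early enough. The bracketed range is the one that matters for your link address: RedBoot reports the whole of RAM but only the bracketed part is free for an image.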

The whole startup text dump (up to booting the OS software) is pasted below for your nerdy enjoyment. Ciao!

+++MMP RomCode ver 0.3.0 2008/06/05
pwrc_cfg=a0000006
vic1_rawSts=00000020
keyscan4=00001880
iotraps=00000000
NAND_TYPE: HYNIX
prPyld_LDWORD=b614d5ad
prPyld_HDWORD=4414d544
u16PageNoPerBlk=128
u16PageSize=4224
u16PyldLen=4096
u16ReduntLen=64
u16SpareLen=64
u16TotalBlkNo=4096
Start to read DRAM_Init code from flash…
start to extract DRAM_Init code…
call DRAM_Init()…
no dramcfg available
+ScanRam ver v1.0.0.0
DRAM Type Scan Start

00000020

init DRAM done
Enter the bypass mode!
+ver=00030000
RedBoot_ver=01000000
Scanram_ver=01000000
warning! target IC is not 8000(eco_e) or 8050
version=ffff0000
usb sno=0000ffff
g_delay2ExitSelfRefresh=600, delayForDllLock=0, g_clk_sw_check=00000000
g_LcdRatio[0]=0
g_spll_ratio[0]=000e0a00
g_LcdRatio[1]=7
g_spll_ratio[1]=000e082c
g_LcdRatio[2]=11
g_spll_ratio[2]=000e082c
g_LcdRatio[3]=7
g_spll_ratio[3]=000e082c
g_LcdRatio[4]=8
g_spll_ratio[4]=000e0a44
there is case that dll is diabled
-RetrieveSysInfo
romfs_mount g_IsFirst_Mount:0
ReadID(1,0)
begin ReSet(1,0)
end ReSet(1,0)
ReadID(1, 0)buf:0x1001b1c0

ad d5 14 b6 44 ad d5 14 - b6 44 ad d5 14 b6 44 ad
d5 14 b6 44 ad d5 14 b6 - 44 ad d5 14 b6 44 ad d5
######################################

g_ChipMap[0]=0
g_ChipMap[1]=255
g_ChipMap[2]=255
g_ChipMap[3]=255
ReadID(1,0)
buf:0x1001b1c0

ad d5 14 b6 44 ad d5 14 - b6 44 ad d5 14 b6 44 ad
d5 14 b6 44 ad d5 14 b6 - 44 ad d5 14 b6 44 ad d5
ID : ad d5 14 b6 44
#############pstSysInfo->u16PyldLen:4096
#############pstSysInfo->u16PageNoPerBlk:128
#############pstSysInfo->u16TotalBlkNo:4096
XXpstSysInfo->u8Internal_Chip_Number:0
###################sysinfo###################
pstSysInfo->u16PageNoPerBlk:128
pstSysInfo->u16PageSize:4224
pstSysInfo->u16PyldLen:4096
pstSysInfo->u16ReduntLen:64
pstSysInfo->u16TotalBlkNo:4096
pstSysInfo->u8TotalBlkNoShift:12
pstSysInfo->u8MultiChannel:0
pstSysInfo->u8Support_Internal_Interleave:0
pstSysInfo->u8Support_External_Interleave:0
pstSysInfo->u8Internal_Chip_Number:0
pstSysInfo->u8PagePerBlkShift:7
pstSysInfo->u8Support_TwoPlan:0
g_IsNand_4CS:1
#############################################
begin ReadPage_Test
rFM_AC_TIMING:0x1f1111
end of AutoSettingACTiming:0x1f1111
g_nbi.RomFs_Max_BlkCount : 160
**********************NFRC INFO*************************
nfrc.rom.start : 64
nfrc.rom.count : 160
nfrc.rom1.start : 224
nfrc.rom1.count : 160
nfrc.rom_a.start : 384
nfrc.rom_a.count : 0
nfrc.block_count : 160
nfrc.page_per_block : 128
nfrc.pagesize : 4096
nfrc.phy_pagesize : 4096
nfrc.sectors_per_page : 8
nfrc.u8Support_TwoPlan : 0
nfrc.u8Support_Internal_Interleave : 0
nfrc.u8Support_External_Interleave : 0
nfrc.u8Internal_Chip_Number : 0
********************************************************
g_PageSize:4096
pdisk->magic:0x526f6d2e
pdisk->nodecount:0x315
sizeof(romfs_node):32
page count:7

pwrc_cfg=a0000006
vic1_rawSts=00000020
keyscan4=00001880
iotraps=00000000

ref_clk: 243000000 Hz
sys_clk: 121500000, sys_ahb=60750000, sys_apb=30375000 Hz
ceva_clk: 243000000, ceva_ahb=121500000, ceva_apb=60750000 Hz
arm_clk: 243000000, arm_ahb=121500000, arm_apb=15187500 Hz

do_bootcfg: [Exec kernel][Load romfs]
========= usbmsd_init: enter
if_dm9000.c debug var(0x0002fbdc)=0
sysCtrl.c debug var(0x0002fbe4)=1
msd debug var(0x0002fbec)=1
net_io.c debug var(0x0002fbf4)=0
standalone eth_drv.c debug var(0x0002fbfc)=0
main.c debug var(0x0002fc04)=3
enet.c debug var(0x0002fc0c)=0
[UDC ]::init_msd(394) ========== init_msd:enter ==========
pInfo->heards:55545353
pInfo->hearde:55545345
pInfo->pattern:3008a7b3
Id=3008a7b3
pInfo->heards:55545353
pInfo->hearde:55545345
pInfo->pattern:3008a7b3
[UDC ]::genRandomSerial_UDC(2784) read have Id=3008a7b3
[UDC ]::genRandomSerial_UDC(2838) finish genRandomSerial_UDC()
[UDC ]::init_msd(402) ========== disconnect UDC =========
[UDC ]::initial_udc(1992) --UDC_Init() finish--[UDC ]::start_udc(2022) ---- start_udc()-------

g_IsInit_nf:1
[UDC ]::init_msd(419) ======= init udc finish ========
[UDC ]::poll_udc_connected(2622) ====== poll..=======
[UDC ]::poll_udc_connected(2650) ====== poll.EXIT EXIT .=======
usbmsd_init: exit
net_init: skip init ethernet

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0_28 - built 13:43:27, Jun 15 2009

Platform: SUNPLUS_MMP (ARM 9)
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2003, 2004, eCosCentric Limited

Copyright (C) 2008, Sunplusmm v1.0.0.0

RAM: 0x00000000-0x00f00000, [0x00200000-0x00f00000] available
Load image from romfs!
Found the image entry point: 0x280040
== Executing boot script in 0.010 seconds - enter ^C to abort
RedBoot> go -c 0x280040
+do_go
image sel: 0, image_sel_set: 0
rmvb enable!
Mask interrupts on all channels
ID-CACHE sync and invalidate
set up a temporary context. workspace_end=0x00f00000, entry=0x00280040
switch context to trampoline. workspace_end=0x00efffb0


