Abusing the SPMP8000 via serial port – Part I

As you may have read in our first article about SPMP8000 hacking, this PMP has an easily-accessed serial port on the mainboard. To better get to know your PMP and to jumpstart your own development efforts, you will want to get serial port access.

Through the serial port you can monitor startup messages and other interesting text. But the real fun comes to those with quick fingers: By interrupting the boot sequence you can drop right into the RedBoot shell and begin uploading and debugging software in just a few minutes.

We’ll first cover installation of some serial port extensions, then a short overview of what can be done when you’re attached to the port.

Installation: Honestly, the only thing that needs to be done is to connect to the TxD and RxD pads on the PCB. We started out with two pins from an old DIP socket just soldered to the pads. This worked fine but required the cover to be off, which slightly complicated entering ISP mode by holding UP (The UP key was not there – it was a bare PCB, man!).

So our suggestion is to cut a new hole in the case of the device and solder a little extension from the PCB pads to a socket that can be accessed via this new hole. In our case, we cut the hole at the top between the headphone and AV ports and used more DIP socket pins as a cheapo connector.

Photo of the PCB with serial port extension

Fig 1 – SPMP8000a Serial Port extension (green wires). Note that the battery was removed for clarity and normally would cover these wires.

We don’t suggest removing the battery unless you have to – the soft-pack Lipo battery could be punctured and in the very worst case, cause a fire. But for the sake of clarity we took the risk and moved the battery for the above pic.

You can put your own serial port extension on the bottom, top, side, or even drill through the metal back case and come directly in. It shouldn’t matter. What WOULD matter is the grounding of the port. The PMP GND (battery black or USB shield) needs to be on the same GND as the port it’s talking to, or you will get junk and noisy comms. In our case, the PMP is connected to a PC via USB and we access the serial port via an RS-232 to USB connector, so both grounds are the same USB shell (PC GND). But if this is not your setup, you may need to add a GND wire to your connector.

We’ve used two USB->serial converters to access this PMP: a SparkFun FTDI232 board and a cheap PL-2303 based USB->serial device that we opened up to get at the RxD and TxD pins. Either way, we can say that 3.3v RS232 works fine. DO NOT connect this device directly to your PC’s serial port. That port is -12v, +12v and will surely blow up the UART on the SPMP8000. You’d be screwed at that point and would have to resort to using the device for its intended purpose. Oh no!

Photo of MP5 serial port accessed with FT232

Fig 2 – New port being abused by FT232

Now we’re sure that if you understood that you want to access a serial port and are able to disassemble your PMP and solder one on, you are probably smart enough to know that you should also connect to it. BUT IF NOT, we’ve included Fig 2 anyway to show you that for our testing, the port worked best when we connected to it. 115.2k, 8n1 and flow control OFF if it’s an option.

Before we get into the RedBoot shell overview, let’s take a quick look at a picture of a tiny linbox pwning the even tinier PMP via minicom. dump -b 0x00 -l 0x0FFFFFF. Basically a stickup: “Give me everything, smaller system!”. The big eat the small, that’s the way it goes. You can’t enjoy the fact that the RAM dump has been scrolling for a half hour now and has plenty more to go. But you can enjoy the sight of a cheap USB->Serial port (Prolific PL-2303 chipset, $5) that was ripped open during the wifi hacks and is now reborn as a 3.3v serial port for interfacing the PMP.

Photo of the linbox pwning RedBoot via minicom

Fig 3 – Tiny linbox pwning even tinier PMP. Minicom vs RedBoot – Minicom won.
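If you log that scrolling dump to a file, you still need to turn the text back into a binary image and find out where line noise (see the grounding note above) damaged it. The Python sketch below is an added example, not part of the original article: it assumes the byte-wise dump layout "ADDR: hh hh ... |ascii|" with unprintable bytes shown as ".", and the function name and sample log are constructed for illustration.

```python
import re

# Assumed line layout: "00000000: 52 65 64 ...  |RedBoot...|" (byte-wise dump)
DUMP_LINE = re.compile(
    r"^(?:0x)?([0-9A-Fa-f]{8}):((?:\s+[0-9A-Fa-f]{2}){1,16})\s+\|(.{1,16})\|\s*$")

def rebuild_image(log_text, fill=0xFF):
    """Return (base, image, problems) rebuilt from a captured dump log."""
    rows, problems = {}, []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = DUMP_LINE.match(line)
        if not m:
            # Starts like an address but fails the strict pattern: damaged line
            if re.match(r"^(?:0x)?[0-9A-Fa-f]{6,}", line):
                problems.append((lineno, "malformed dump line"))
            continue
        addr = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        # The ASCII column is a free redundancy check against flipped bits
        shown = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)
        if shown != m.group(3):
            problems.append((lineno, "hex/ASCII mismatch"))
            continue
        rows[addr] = data
    if not rows:
        return None, b"", problems
    base = min(rows)
    end = max(a + len(d) for a, d in rows.items())
    image = bytearray([fill]) * (end - base)   # missing ranges stay as fill
    expected = base
    for addr in sorted(rows):
        if addr > expected:                    # rejected or dropped lines
            problems.append((None, "gap 0x%08X-0x%08X" % (expected, addr - 1)))
        image[addr - base:addr - base + len(rows[addr])] = rows[addr]
        expected = max(expected, addr + len(rows[addr]))
    return base, bytes(image), problems

# Constructed sample capture; the 0x20 row has one flipped bit (7A vs ':')
SAMPLE = """RedBoot> dump -b 0x00 -l 0x40
00000000: 52 65 64 42 6F 6F 74 00  01 02 03 04 FF FE FD FC  |RedBoot.........|
00000010: 41 42 43 44 45 46 47 48  49 4A 4B 4C 4D 4E 4F 50  |ABCDEFGHIJKLMNOP|
00000020: 30 31 32 33 34 35 36 37  38 39 7A 41 42 43 44 45  |0123456789:ABCDE|
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
RedBoot> """

if __name__ == "__main__":
    base, image, problems = rebuild_image(SAMPLE)
    print("base=0x%08X size=%d problems=%r" % (base, len(image), problems))
```

Any range listed as a gap can be re-dumped on its own with a narrower -b/-l pair instead of repeating the whole run.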

At this point, we’ll assume that you have your connections to the serial port pads sorted. The next part of the article talks about what the heck this all gets you, other than the satisfaction of another disassembled toy. Continue on to page 2 to read the gory details.
