SPMP8k NAND Overview and NAND File Dump Tool – beta

As you probably know, we’ve been busy dumping the raw NAND page data of the SPMP8k to see what mysteries it holds.   The answer is, surprisingly: not many!   But that’s a good thing – mysteries deep in the ROM are not a good thing.

One interesting note is that there are three filesystems on the flash:

BOOTFS: Bootcode (2nd stage) and Redboot.   Starts at page 0.
RO(M)FS: System Software.   Starts at page 0×2000
FAT: The Mass storage you can see over USB.     Takes up the rest of the flash.

The first fielsystem is BOOTFS – this is our name by the way, just calling it the first thing that comes into mind.   This filesystem resides in the first few pages of flash.   It consists of several one-page (4k) functions and then the RedBoot binary.   This is what you’d find in the firmware files such as BOOT_V15.IMG.

The ROM bootstrapper (+++MMP RomCode…) searches the first few NAND pages to try to find the magic bytes 33 CC AA 55.   This signifies the start of a set of very crude allocation tables which point to two binary files responsible for initializing the DRAM, and the RedBoot binary.

Bootstrapper loads and executes the DRAM_Init() from flash, and once it has 16MB of DRAM, it load RedBoot into that and hands off control.

RedBoot either gets interrupted by you for nefarious purposes, or it loads a script which tells it to boot /IMAGE/8000_MMI.RAP.     Woo, directories – now we’re getting fancy!
This second filesystem is called ROMFS (we saw ROFS somewhere too) but it does not seem to be compliant with the actual ROMFS that was around long before the SPMP.   It’s still a fairly simple filesystem though, and can be explored through RedBoot by mounting the device /dev/nf2 and using the ls commands as we’re sure you’ve already done.

ROFS/ROMFS seems to be the whole kit & kaboodle of the eCos platform, containing executables, codecs and emulators as well as tons of XML files for configuration.   This filesystem is what is contained in the big (>50MB) software files generated by the SKLOGO tool.

But SKLOGO simply takes different binary chunks and pastes them together – other than hex editing (which seems to work pretty well ala Jaime) it is difficult to make significant changes to the file system.   And that’s something that you KNOW we’re going to want to do.

In order to have free reign over the filesystem, it is easiest to unpack the entire ROFS filesystem to it’s individual files and directories and modify it at well.   Then, it’s pretty easy to use the Sunplus tools to repack and reflash your new filesystem to the device.

SIDE NOTE:

We were very disappointed/entertained to see the following entries in the directory dump:

/IMAGE/GAME/GAME_CONFIG.TXT 22963
/IMAGE/GAME/GBA_BIOS.BIN 16384
/IMAGE/GAME/GPSP.BIN 776004

Because it means that not only has Sunplus ripped off GNU/eCos, they have also ripped off Exophase as well as Nintendo.   I mean, couldn’t you have changed it to data.dat1 and data.dat2?   No shame..   Still a nice IC tho, so we’re happy to continue plugging along in the hopes of getting SOMETHING legal onto this little device.

The bright side is that we’ve invented a new game: Take a shot whenever you find something pirated, stolen, or used without permission in the Sunplus ’8k PMP.   We’ve been hammered for days.

OK, OK – on to the dump tool..   Let us preface this with the warning that if you already have a copy of your firmware, there are much easier ways to extract it’s goods than the following tool.   This tool is a glorified console script that can also convert ASCII to bin.   Downloading the entire software will take time.   (5.25*Size)/115.2kbaud as a rough estimate, where 5.25 is a rough multiplier based on the ascii conversion and overhead.

We’re talking hours, folks.   About 6-7h if your RS-232 port is reliable.   If you’re like us and want an exact copy of one device to another, then this is a little faster than a nand dump so it might be a viable option.   A more likely use would be to download all the XML config data for your device to merge into a resource directory of another firmware.   But IMO, letting an inanimate object work itself to death all night while we sleep is not a big deal.

If you’re not scared off yet, then please

Continue to Next Page…   Jump to Page 2