Hello SPMP8000a enthusiasts!
We apologize that past revisions of FRMorp have a bug which was flagged by azri in a comment in the original FRMorp post.
It seems that we used a defunct subroutine to flag an error, and our mistake was not found by the compiler. The bottom line is if the tool can’t find your device it does not properly die. Instead, it runs the whole sequence LOOKING like it’s doing something when in fact it doesn’t even have a USB connection. Duh!
So here’s the new version which will happily keel over and die when things go wrong. Now it won’t fix what went wrong, but at least you’ll know that there’s a problem.
Apologies to any hackers inconvenienced by this issue.
Continue on to page 2 for the downloadie.

I cannot back up my firmware using FRMorp; I receive this message:
Device opened…
Configuration Set…
Interface Claimed…
Phase 1 – Dumping files…
———————————-
Dumping RedBoot.mmp…
No magic page!Couldn’t dump File 1
Please help me, what can I do with it?
Interesting. FRMorp uses the data in the magic page to determine where to get the rest of the data. If it does not find the proper signatures to mark a page as a magic page (signature = 0x55AACC33), then it quits here with the message you see after checking the first 16 pages.
Maybe your device has the magic page somewhere else, or perhaps a different signature..?
Try dumping the first 64 pages using nandoori, and look to see if the signature exists anywhere in those pages. If so, just update the search length from 16 (i=(*patptr)+ 0x10;) to the necessary search len.
If there’s no signature anywhere, then you’ll need to look at the actual data to see if it contains a PAT table, and either remove the sig check from FRMorp or update it to whatever signature you have.
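One way to run the check suggested in the reply above, as an added example (not FRMorp or nandoori code): it scans up to 64 pages of a dump for 0x55AACC33 in either byte order and reports which page each hit falls in. The 2048-byte default page size, the search starting at page 0, and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 0x55AACC33 in both byte orders; the page does not say how NAND stores it. */
static const uint8_t SIG_BE[4] = {0x55, 0xAA, 0xCC, 0x33};
static const uint8_t SIG_LE[4] = {0x33, 0xCC, 0xAA, 0x55};
#define SEARCH_PAGES 16 /* FRMorp's current search length (0x10) */

/* Byte offset of the first signature at or after `from`, or -1 if none. */
long find_magic(const uint8_t *buf, size_t len, size_t from) {
    for (size_t i = from; i + 4 <= len; i++)
        if (!memcmp(buf + i, SIG_BE, 4) || !memcmp(buf + i, SIG_LE, 4))
            return (long)i;
    return -1;
}

/* Search length in pages that reaches `off` (assumes the search starts at page 0). */
size_t pages_needed(long off, size_t page_size) {
    return (size_t)off / page_size + 1;
}

/* Constructed sample: 64 erased (0xFF) pages, signature planted in page 20. */
size_t make_sample(uint8_t *buf, size_t page_size) {
    memset(buf, 0xFF, 64 * page_size);
    memcpy(buf + 20 * page_size, SIG_LE, 4);
    return 64 * page_size;
}

int main(int argc, char **argv) {
    size_t page = argc > 2 ? strtoul(argv[2], NULL, 0) : 2048; /* assumed size */
    uint8_t *buf = page ? malloc(64 * page) : NULL;
    if (!buf) return 2;
    size_t len = make_sample(buf, page);   /* used when no dump file is given */
    if (argc > 1) {                        /* real dump: read its first 64 pages */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        len = fread(buf, 1, 64 * page, f);
        fclose(f);
    }
    long off = find_magic(buf, len, 0);
    if (off < 0) puts("no signature found");
    for (; off >= 0; off = find_magic(buf, len, (size_t)off + 1))
        printf("signature in page %zu at offset %zu; search length needed: %zu%s\n",
               (size_t)off / page, (size_t)off % page, pages_needed(off, page),
               pages_needed(off, page) > SEARCH_PAGES ? " (more than 16)" : "");
    free(buf);
    return 0;
}
```

Run it with the dump file as the first argument and, if the device uses a different page size, that size in bytes as the second.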
I have the same problem on my 4GB device. After some investigation I found that only the first 2048 bytes of every 4k page contain valid data.
Manipulating mycbw.xlen can make the valid part shorter, but never more than 2k.
If I try changing the read page to 2k, the image is not complete; data is missing.
I have the same problem. I did some investigation on my 4GB HW and here is the result:
Only the first 2kB of every 4kB page is correct. I tried changing mycbw.xlen = longswap(0x00100000) but it doesn’t help. It is possible to reduce the correct part of the page, but not to expand it over 2kB.
How about dumping all the data with nandoori? Then you can at least find out whether the right data is there and FRMorp is just missing it. Top of the head guess: The flash chip is different, maybe, and the page fetch is smaller than FRMorp expects. You may have to open the device and look at the flash to prove that, unless you can get the chip ID on bootup through serial port?
I made internal photos of my HW. It is a little bit different from yours.
http://img98.imageshack.us/img98/5995/dsc3049b.jpg
http://img688.imageshack.us/img688/984/dsc3052n.jpg
http://img835.imageshack.us/img835/7638/dsc3054.jpg
No, just to offer you my support in whatever way I can.
Same problem here,
I’ve flashed a working firmware and made a full dump with nandoori.
There are too many missing parts from the firmware that I can’t find in the dumpfile.
I’ll try to modify FRMorp by myself, but my coding skills are not that good.
my board is SK8607C01.
If you need dump/testing/flashing, don’t hesitate to ask me.
Thanks for your tools !!
fredoagain, can you upload it somewhere? I couldn’t dump the fw from my device and it’s not working now, so having your firmware might help. Or pm me at b1ack.web.tests@gmail.com ;]
thanks in advance
For anyone interested I’ve uploaded it here, as it’s not available on liunx website anymore…
this one is the SK8607C02 version but it works for both C01 and C02.
I had another PMP with SK8607C03… with this firmware the device takes 30 seconds to power on…and the lines aren’t reverted :[
http://dl.free.fr/hUx9JCclD
Where is there any info regarding SPMP8 commands? According to the USB spec, a read command (i.e. mycbw.cmd = longswap(0xC2130000)) consists of:
- operation code 2 (0-4 bits)
- group 6 (5-7 bits)
- service action 13 (8-C bits)
But I didn’t manage to find any meanings of op-code and service action…
Could anybody point me where it could be found?
Ahh, you have to disassemble and understand the workings of the binary. That actually led us (led AleMaxx, who led us) to discovering many more commands than we could see just by snooping the USB transactions. But that, of course is a good way to start.
Our notes on the SPMP8 commands are buried deep in some boxes at the moment, so our usefulness is limited. But by finding the command interpreter in the disasm, it’s fairly simple to see all the commands as well as to trace through their function. That is the best suggestion we can give you if you want an exhaustive list.
I was looking at the code of FRMorp, and I wonder how could you know the location of the RedBoot and other software on the NAND. Also how did you know how to pack the Firmware image so FRMpro can work with it and not end up with a bricked device.
I’m trying to make a similar tool for ATJ2259 based devices.
Cool application you have here.
We determined the location and format from reverse engineering both the NAND dumps and FRMpro packed images. The device talked about RedBoot on the debug port upon boot, so it was not difficult to find the chunks of code corresponding to RB. From there, we wrote “nandoori” to basically dump every byte from NAND back to the PC. From hex editing those dumps, we slowly deciphered the boot process of the device and traced the path through NAND. RedBoot was easy to find, located at the end of that boot process – ie, once RB loads, it’s all high-level from there on out.
You’ll need to get info on the ATJ2259 and understand its boot process. From there, you can work from a NAND dump (from EPROM programmer or other method) to see how it all fits together when written to chip. Then, it should be simple to write a bunch of different firmwares to your test device and inspect via NAND dumps how the upgrader puts data into different places. From that, you can reconstruct the image format such as we (mostly AleMaxx) did for the SPMP.
As far as bricking – well, your final product should not brick your user’s device. But if you are the developer… You will (and should) brick your test device in every possible way. So your first goal should be to determine how to unbrick. In the case of the SPMP, you can almost always recover via serial port which gives a nice safety net unless you low-level trash the NAND data. And in that case, there is always desoldering the NAND itself and reflashing via an eeprom burner. Buy and install a TSSOP socket if you feel that unrecoverable errors are going to be a part of your development process. They have TSSOP sockets that fit right on the pads of a normal NAND chip which are great for deep hacking.
Thank you for your reply.
I’ve ordered another ATJ2259 device and a FT232 board. The first step I took was setting up a serial connection, but the USB -> Serial adapter I used only printed garbage. I blame that on the fact that the adapter outputs 5 volts on the communication pins. So I’ll have to wait for the FT232 board to arrive from the US.
For the second step I’m thinking of modifying nandoori and setting up the usbvid and usbpid variables so they match my device, and also checking whether my NAND can be read the same way as the SPMP8000 devices you are using. The NAND in my device is a Hynix H27UBG8T2ATR-BC (has 4GB); from what I can tell from previous entries yours is a Hynix HY5DU561622ETP. So probably they are similar.
One more question: Could using nandoori cause the NAND data to be modified and hence end up with a damaged boot section?
Regards.
Hello, people. I have the sk8607c01 100804 firmware, large device, model dv -103. If anyone is interested I will send it to them; just tell me how I download it for you, or better yet whether I can download it on this page. My e-mail is jgcf521@hotmail.com. Jim Gaviria, country: Colombia.
What I need is the guide for installing the sk8607c01 on my device, one that is easy to understand. Thanks.
I am not able to install the libusb driver …
1) driver update for removable device not installing
Please help me
You may have to seek help from the LibUSB guys, we have no guess why the installer is failing. If you can provide more detail we will try to help!
I have the same problem, “No magic page!”
I know nothing about coding. I have tried nandoori and successfully dumped 64 pages in a .bin file, how can I “look to see if the signature exists anywhere in those pages”? And if the signature exists in the pages, how can I “update the search length from 16 (i=(*patptr)+ 0x10;) to the necessary search len”?
Sorry, I’m totally a noob