One of the tools I needed before starting the kernel work is a Linux replacement for FRM Pro. I didn't want to boot Windows and pack the firmware into its image format every time for a firmware update so I coded up this utility that can write bootfiles with their PATs directly from Linux.
Alemaxx's and openschemes.com tools did help a lot in this, so a big thank you goes to them!
The Letcool device seems to be different to what they have had in at least two regards: It has a newer internal bootloader (ver 4) and a different type of flash chip. This didn't allow for correct dumps with romboy, and very slow dumps with frmorp.
The Sunburn utility overcomes this, by more precisely doing what FRM Pro does. I had to look through a lot of USB traces to come to this solution, but this seems to work the best.
I also want Sunburn to be the tool later on to flash Linux to the devices, allowing dual-booting of the original and the new firmware.
Now, a request to all those wanting to help:
To create a dual-boot loader later on, it would be useful to have more information about the flash chips, and layouts of all the SPMP8000 devices out there.
What you have to do is:
1. Donwload Sunburn
2. Compile it
3. Run it with the "-Di" flags
4. Post the output as a comment here
Note: Sunburn is now only available for linux and in source code.
If there is significant interest for a Windows binary, I'll look into it.
I wish I could help but don't have any knowledge regarding this. But thank you very much for the Hard work that you are doing. I am sure lot of people will start donating. Please keep up the good work....cheers!!!
ReplyDeleteNice work Zoltan! Does it indeed build the correct partition table for the actual firmware? I know that openschemes.com has info on the format for the two dram inits and redboot but not for the firmware part.
ReplyDeleteI tried to build your tool but I get some undefined references for the endian functions (I guess I just have weired setup), Ill try to fix it later and post the outcome here. Although I currently don't understand what this information would be useful for.
For the flash size, size of the blocks and the size of the spare area, etc ... I think (at least for the older bootrom, and acoording to frmorp or some other code I got from openschemes.com) it is stored at some location in sram by the bootrom, so you can read it back.
Best regards
I have used your tool with my Defender MultiMix Magic.
ReplyDeleteOutput:
Sunburn - Sunplus SPMP8000 firmware flashing tool v1.0
- SPMP8000 device found
-- Device information --
- ROMBOOT ID:
00000000: 00 00 FF FF FF FF 00 00
- NAND Info:
Pages per block: 128
Real Pagesize: 4224
Pagesize: 4096
Total number of blocks: 256
ECC mode: 0
Total size : 131072 KB
NAND ID: 00-0D-B2-0B-0C-00-BD-25
Hedump:
00000000: 80 00 80 10 00 10 40 00 40 00 00 10 00 01 07 00
00000010: B2 C5 81 F9 5E D7 B3 29 46 22 97 51 32 74 E7 B2
00000020: 00 0D B2 0B 0C 00 BD 25 29 C2 83 02 20 10 00 20
00000030: D9 E0 36 42 79 D0 76 4B 02 81 81 71 2A 08 08 C0
- DRAM Inited
- NAND Info:
Pages per block: 128
Real Pagesize: 4224
Pagesize: 4096
Total number of blocks: 256
ECC mode: 0
Total size : 131072 KB
NAND ID: 00-0D-B2-0B-0C-00-BD-25
Hedump:
00000000: 80 00 80 10 00 10 40 00 40 00 00 10 00 01 07 00
00000010: B2 C5 81 F9 5E D7 B3 29 46 22 97 51 32 74 E7 B2
00000020: 00 0D B2 0B 0C 00 BD 25 29 C2 83 02 20 10 00 20
00000030: D9 E0 36 42 79 D0 76 4B 02 81 81 71 2A 08 08 C0
- Bootfile info:
Patpage: 0x00000000
ID: 0xFFFE0001
Size: 206248
First page: 0x00000200
Last page: 0x00000232
- Bootfile info:
Patpage: 0x00000002
ID: 0xFFFE0201
Size: 3360
First page: 0x00000233
Last page: 0x00000233
- Bootfile info:
Patpage: 0x00000012
ID: 0xFFFE0401
Size: 3888
First page: 0x00000234
Last page: 0x00000234
Oh!
ReplyDeleteJust good news from you.
i SUDDENLY install linux and stoppd any deals with this console.
But this gives me chance to hope, u nou.
After my last custom firmware i don't see anything that i can do wit this konsole.
Thx a lot, gonna try this stuff.
At least i need to install libusb-dev.
ReplyDeleteMake attention on it
Воспользуюсь случаем,
ReplyDeletelsd_blottr, спасибо за вашу прошивку!
Хотя последняя прошивка от defender (3.1) чуть более допилена в плане функционала, чем ваша, но меня подкупил хороший русский и pixel-art.
Here is output of sunburn:
ReplyDeletehttp://pastebin.com/fbhBKApm
Спасибо :)
Getting this error message:
ReplyDeleteSunburn - Sunplus SPMP8000 firmware flashing tool v1.0
- SPMP8000 device found
-- Device information --
- Error: USB I/O: Can't read data: -110
Can't read device ID
@AMX:
ReplyDelete- Yes, it builds the "Partition table" for a boot program.
- The endian functions should be in endian.h, but that's a GNU thing, so not available everywhere. Should be easy to fix though.
- Problem with reading the flash info from memory is that different versions of the bootrom put it in a different place. Hence this program uses a dedicated command for that, but I don't know whether it is available in all versions of the bootroms, thatswhy I asked for testing it.
@Raslav: Thanks! Seems like the Defender has a different romboot than the Letcool. Could you run sunburn with -b first, then with -l defender_bootrom.bin and mail me the output files ?
@lst_blottr: Thanks also! What kind of device is yours ?
@Anonymous: Was the device started in ISP mode ? (Remove battery, hold down the keys on the right, and plug USB)
Thanks for your tip, zdevai.
ReplyDeleteAs you suggested, I ran sunburn against my JXD 1000 again -- this time after having properly induced the device into ISP Mode (By pressing X before inserting the USB plug). Sunburn got much further this time:
Sunburn - Sunplus SPMP8000 firmware flashing tool v1.0
- SPMP8000 device found
-- Device information --
- ROMBOOT ID:
00000000: 00 00 FF FF FF FF 00 00
- NAND Info:
Pages per block: 128
Real Pagesize: 4224
Pagesize: 4096
Total number of blocks: 256
ECC mode: 0
Total size : 131072 KB
NAND ID: 14-81-AA-A9-30-ED-07-68
Hedump:
00000000: 80 00 80 10 00 10 40 00 40 00 00 10 00 01 07 00
00000010: A8 05 13 80 8F A3 02 28 81 E3 CB 8C 00 04 02 21
00000020: 14 81 AA A9 30 ED 07 68 93 97 B8 84 0B 6E 44 67
00000030: F7 66 10 4E 8F 31 20 BA 99 60 D2 48 9A 23 80 F0
- DRAM Inited
- NAND Info:
Pages per block: 128
Real Pagesize: 4224
Pagesize: 4096
Total number of blocks: 256
ECC mode: 0
Total size : 131072 KB
NAND ID: 14-81-AA-A9-30-ED-07-68
Hedump:
00000000: 80 00 80 10 00 10 40 00 40 00 00 10 00 01 07 00
00000010: A8 05 13 80 8F A3 02 28 81 E3 CB 8C 00 04 02 21
00000020: 14 81 AA A9 30 ED 07 68 93 97 B8 84 0B 6E 44 67
00000030: F7 66 10 4E 8F 31 20 BA 99 60 D2 48 9A 23 80 F0
- Bootfile info:
Patpage: 0x00000000
ID: 0xFFFE0001
Size: 206248
First page: 0x00000200
Last page: 0x00000232
- Bootfile info:
Patpage: 0x00000002
ID: 0xFFFE0201
Size: 3360
First page: 0x00000233
Last page: 0x00000233
- Bootfile info:
Patpage: 0x00000012
ID: 0xFFFE0401
Size: 3888
First page: 0x00000234
Last page: 0x00000234
Sup.
ReplyDeleteMine letcool is from chinavasion.
@zdevai:
ReplyDeletehere is a tiny mmp that doesnt rely on the address the bootrom stores the info: http://uploaded.to/file/58pnrnyx
output on serial:
NAND init... done (00201678)
READ ID: 2c d7 94 3e 84
Manufacturer : Micron (2c)
usable page size : 4kb
spare area size : 16 bytes per 512bytes
total page size : 4224bytes
dump of READ ID bytes via romboy:
$ romboy -r 0x203a70
romboy 6.6.6
initializing device...
detached..
done
initializing DRAM... done
read from 0x203a70...done
00000000 : 24 41 90 12 04 02 61 00 2C D7 94 3E 84 57 65 20 - $A....a.,..>.We
00000010 : 77 61 6E 74 20 4C 69 6E 75 78 21 21 21 20 3B 2D - want Linux!!! ;
00000020 : 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - )..............
So you can simply run the mmp on the device and then fetch 5 bytes from 0x203a70 and intepret them like:
int pgsz = 1 << (fetched_bytes[3] & 3);
int spare = 8 << ((fetched_bytes[3] >> 2) & 1);
int totpgsz = (pgsz << 10) + (pgsz << 1) * spare;
This comment has been removed by the author.
ReplyDeleteI have tried it, and that is the result:
ReplyDeleteraslav@zhelezyaka:~/sunburn-1.0$ sudo ./sunburn -b
Sunburn - Sunplus SPMP8000 firmware flashing tool v1.0
- Error: Unknown option specified
raslav@zhelezyaka:~/sunburn-1.0$ sudo ./sunburn -l defender_bootrom.bin
Sunburn - Sunplus SPMP8000 firmware flashing tool v1.0
- SPMP8000 device found
- Error: USB I/O: CSW invalid
- Error: Can't send flash configuration
any news on the progress?
ReplyDeleteHi.
ReplyDeleteCan some one walk me through how to compile sunburn in ubuntu?
Im new to linux and i have no idea where to start..
And is there any news?
Thanks.
any news on the progress ² on the port of Linux to SPMP8000???
ReplyDeletePlease continue the project, in Brazil there is an console called Dynacom Cybergame, which is nothing more than a Letcool N350JP with SPMP8000 but it is not portable, but a normal console. :)
Hello there.
ReplyDeleteSorry if this seems annoying, but I'd like to know if this project is still alive, since I just bought a PSPKOX, and I'd really like to install Linux on it. If it is, please let us know! I'm sure there's a lot of people out there that would love to do the same thing!
The following is the result of my JXD990(8GB) device. Unfortunately, there's no boot file information obtained.
ReplyDelete--------
Sunburn - Sunplus SPMP8000 firmware flashing tool v1.0
- SPMP8000 device found
-- Device information --
- ROMBOOT ID:
00000000: A5 02 12 5A 82 CB 1C 07
- NAND Info:
Pages per block: 256
Real Pagesize: 8704
Pagesize: 8192
Total number of blocks: 2048
ECC mode: 1
Total size : 4194304 KB
NAND ID: AD-D7-94-9A-74-42-AD-D7
Hedump:
00000000: 00 01 00 22 00 20 60 01 40 00 2C 00 00 08 0B 01
00000010: 00 00 00 00 5D F0 08 00 00 02 02 00 06 00 00 00
00000020: AD D7 94 9A 74 42 AD D7 94 9A 74 42 AD D7 94 9A
00000030: 74 42 AD D7 94 9A 74 42 AD D7 94 9A 74 42 AD D7
- DRAM Inited
- NAND Info:
Pages per block: 256
Real Pagesize: 8704
Pagesize: 8192
Total number of blocks: 2048
ECC mode: 1
Total size : 4194304 KB
NAND ID: AD-D7-94-9A-74-42-AD-D7
Hedump:
00000000: 00 01 00 22 00 20 60 01 40 00 2C 00 00 08 0B 01
00000010: 00 00 00 00 5D F0 08 00 00 02 02 00 06 00 00 00
00000020: AD D7 94 9A 74 42 AD D7 94 9A 74 42 AD D7 94 9A
00000030: 74 42 AD D7 94 9A 74 42 AD D7 94 9A 74 42 AD D7
Could anyone please teach me how to dump FLASH, RAM image, and boot files from my device?
BTW, to compile this utility, make sure your lib-usbdev package is installed first. Otherwise, you'll see errors when making it.
Thanks,
is this still alive? i really hope so, since its a great project!
ReplyDeletelet everybody know even your slightest progress :)
He gave up on this project.
ReplyDeleteToo bad this thing looks dead. Just got a JXD A1000 and was hoping there was any progress in this field.
ReplyDeleteSunburn - Sunplus SPMP8000 firmware flashing tool v1.0
ReplyDelete- SPMP8000 device found
-- Device information --
- ROMBOOT ID:
00000000: A5 02 12 5A 82 CF 22 61
- NAND Info:
Pages per block: 32
Real Pagesize: 2112
Pagesize: 2048
Total number of blocks: 4096
ECC mode: 0
Total size : 262144 KB
NAND ID: AD-D7-94-DA-74-C3-AD-D7
Hedump:
00000000: 20 00 40 08 00 08 40 00 20 00 20 00 00 10 0C 00
00000010: 00 00 00 00 5D F0 05 00 40 00 02 00 00 00 00 00
00000020: AD D7 94 DA 74 C3 AD D7 94 DA 74 C3 AD D7 94 DA
00000030: 74 C3 AD D7 94 DA 74 C3 AD D7 94 DA 74 C3 AD D7
- DRAM Inited
- NAND Info:
Pages per block: 256
Real Pagesize: 8704
Pagesize: 8192
Total number of blocks: 2048
ECC mode: 1
Total size : 4194304 KB
NAND ID: AD-D7-94-DA-74-C3-AD-D7
Hedump:
00000000: 00 01 00 22 00 20 60 01 40 00 2C 00 00 08 0B 01
00000010: 00 00 00 00 5D F0 08 00 00 02 02 00 06 00 00 00
00000020: AD D7 94 DA 74 C3 AD D7 94 DA 74 C3 AD D7 94 DA
00000030: 74 C3 AD D7 94 DA 74 C3 AD D7 94 DA 74 C3 AD D7
dmitrywrk spmp: jxd a1000, cpu 8110c, hynix. for boot we use xmodem, adress 0x280040 from redboot http://handheld.freeforums.org/linux-spmp8000-development-f57.html use googletranslate :(