General
A starting point to understand the boot process of Sigma Designs-based players can be found here.
Booting process
On power-up, the bootloader at 0x00000000 is executed. It will:
- initialize the hardware (?)
- check for a tftp server (?? not confirmed)
- check the serial console. If any character is received, wait for the passphrase. When the correct passphrase is received, go to the SerialConsole.
- if no char received, print some info to the console and jump bootloader. The same result can be obtained by issuing the "boot rom" command at the SerialConsole.
- inflate the kernel from flash to RAM.
- run the inflated kernel
The kernel will:
- ...
- run /sbin/init. /sbin/init reads /etc/inittab where some initializations are defined.
- mount proc on /proc.
- setup hostname (em86xx).
- initialize local loopback device (lo).
- start /etc/init.d/rcS, where the media player (curacao) is invoked.
When needed, curacao will call other programs to perform other functions:
- upgrader to upgrade the firmware.
- setup to configure the device.
- nbtscan to scan samba servers.
- netcheck
- ntfs-3g to mount NTFS file system to read and write files for ftp server.
.update file format
There are three main sections to the file.
- The boot loader, which is written to the flash at location 0. This is confirmed to be optional.
- A compressed Linux kernel with a dword header giving the offset to the cramFS. This is written to the flash at location 0x40000.
- A cramFS compressed filing system. This is written to the flash immediately after the kernel.
[UPGIMG03] (ASCII)
[VERS] (Dword) - Firmware version (ie: 03-04-01-00 = v1.4.3)
[BOOT] (ASCII)
[CKSMb] (Dword) - Checksum of bootloader
[OFFSb] (Dword) - Offset to bootloader in flash (0x46000000)
[BOOTLEN] (Dword) - Length of bootloader
[BOOTLDR] (Data) - * Start of the bootloader data
...
[ROFS] (ASCII)
[CKSMr] (Dword) - Checksum of ROFS
[OFFSr] (Dword) - Offset to ROFS in flash (0x46020000)
[ROFSLEN] (Dword) - Length of ROFS ([OFFSc]+[LINUX]+[CRAMFS])
[OFFSc] (Dword) - * Offset to Cramfs.img in flash
[LINXGZ] (Data) - Start of the linux.gz data
...
[CRAMFS] (Data) - Start of the Cramfs.img data
...
(* = Section checksum calculation starts here)
(Note: All data is in little-endian byte order)
Calculating the checksums:
Convert each DWORD of a section into a 32bit unsigned integer and add them all together. The checksum for each section is the sum of the DWORDs.
Calculating the offset to Cramfs.img
The [OFFSc] DWORD, linux.gz and cramfs.img are placed in flash at 0x46020000 exactly as they appear in the .update file. Therefore, the start of the cramfs.img is at 0x46020000 + 4 bytes (for the [OFFSc]) + length of linux.gz.
Boot loader
Judging by the messages found in serial console, it can at least:
- configure the ethernet i/f using BOOTP or DHCP
- download and burn a firmware image using TFTP
romfs format
The MG-350HD "ROMFS" image is not a standard, Linux style "ROMFS" image. In fact, it is not even a filesystem. :-) Instead it consists of a 4 byte header followed by a gzipped linux kernel followed by a standard CramFS image.
The "romfs" format is composed of the following parts:
- 4 bytes locating the offset of the cramfs image.
- Linux.bin.gz
- Cramfs.img
The 4 byte "header" can be found in the complete firmware image. To get the correct one, I took a ".upgrade" firmware image and deleted everything up to 4 bytes before the start of the compressed kernel.
In fact, the ".upgrade" image has a section called "ROFS" and requires a checksum in the firmware image for /bin/upgrader to accept it as valid. To calculate the "ROFS" section's checksum, you start with the [OFFSc] DWORD and end with the last bytes of the CramFS image. So the checksum is calculated against what the bootloader expects to see as a "ROMFS" image.
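The header layout and the checksum rule from ".update file format", together with the ROFS checksum range described above, can be checked with a short parser. This is an added example, not code from the firmware or its tools. It assumes the tags are literal ASCII with no padding ("UPGIMG03" is 8 bytes, "BOOT" and "ROFS" are 4), that the DWORD sum wraps at 32 bits, and that [OFFSc] holds an absolute flash address; all function names are hypothetical and the sample image is constructed.

```python
import struct

def dword_sum(data: bytes) -> int:
    """Sum the little-endian DWORDs; wrapping at 32 bits is an assumption."""
    if len(data) % 4:
        raise ValueError("section length is not a multiple of 4")
    return sum(struct.unpack("<%dI" % (len(data) // 4), data)) & 0xFFFFFFFF

def read_section(img: bytes, pos: int, tag: bytes):
    """Read tag, checksum, flash offset, length and data; return (fields, next_pos)."""
    if img[pos:pos + 4] != tag:
        raise ValueError("expected %r at offset %d" % (tag, pos))
    cksm, offs, length = struct.unpack_from("<3I", img, pos + 4)
    data = img[pos + 16:pos + 16 + length]
    if len(data) != length:
        raise ValueError("%r section is truncated" % tag)
    fields = {"cksm": cksm, "offs": offs, "data": data, "ok": dword_sum(data) == cksm}
    return fields, pos + 16 + length

def parse_update(img: bytes) -> dict:
    """Split an image into its sections and check each stored checksum."""
    if img[:8] != b"UPGIMG03":
        raise ValueError("bad magic")
    (vers,) = struct.unpack_from("<I", img, 8)
    out = {"version": "%d.%d.%d" % (vers >> 16 & 0xFF, vers >> 8 & 0xFF, vers & 0xFF)}
    pos = 12
    if img[pos:pos + 4] == b"BOOT":  # the bootloader section is optional
        out["boot"], pos = read_section(img, pos, b"BOOT")
    rofs, pos = read_section(img, pos, b"ROFS")
    (offsc,) = struct.unpack_from("<I", rofs["data"], 0)
    klen = offsc - rofs["offs"] - 4  # assumes [OFFSc] is an absolute flash address
    if not 0 <= klen <= len(rofs["data"]) - 4:
        raise ValueError("[OFFSc] points outside the ROFS section")
    rofs["kernel"], rofs["cramfs"] = rofs["data"][4:4 + klen], rofs["data"][4 + klen:]
    return dict(out, rofs=rofs)

def build_sample() -> bytes:
    """Constructed test image; the payload bytes are placeholders, not firmware."""
    boot = bytes([1, 0, 0, 0, 2, 0, 0, 0])
    kernel = b"\x1f\x8b\x08\x00"                # gzip magic only
    cramfs = b"\x45\x3d\xcd\x28" + bytes(4)     # cramfs magic only
    rofs = struct.pack("<I", 0x46020000 + 4 + len(kernel)) + kernel + cramfs
    img = b"UPGIMG03" + bytes([3, 4, 1, 0])     # version bytes 03-04-01-00
    for tag, offs, data in ((b"BOOT", 0x46000000, boot), (b"ROFS", 0x46020000, rofs)):
        img += tag + struct.pack("<3I", dword_sum(data), offs, len(data)) + data
    return img

if __name__ == "__main__":
    print(parse_update(build_sample()))
```

A section whose "ok" field is False has a stored checksum that does not match its data, which is the condition the page says /bin/upgrader rejects.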
uClinux kernel
The MG-350HD runs uClinux 2.4.22 for ARM processors without an MMU. Specifically, it runs the Sigma Designs port for the JASPER architecture platform. The GPL'd portions of the kernel have never been released by Al Tech for the MG-350HD.
The full version string is -
Linux version 2.4.22-em86xx-uc0-sigma (mediagate@Canaria.localdomain)
(gcc version 2.95.3 20010315 (release)) #7 2007. 08. 01. () 12:24:23 KST
(Line breaks added for formatting purposes.)
NTFS driver
The MG-350HD uses the driver from NTFS-3G Read/Write Driver and has write support compiled in. The NTFS disk can be unmounted and remounted, and files can be written to it via FTP. Please remember that the MG-350HD doesn't have an RTC. Therefore timestamps on written files are totally useless unless you initialize the clock.
cramfs image
busybox
curacao
curacao is the main program. It gets the external events (device button or remote control key-press) using fipmodule.o, and launches the corresponding player program to do the job. After that, it will send the received commands (e.g. Play/Stop/FF/REW) to the player. curacao also takes care of the TV screen updating.
upgrader
When you want to perform a firmware upgrade, curacao calls on "/bin/upgrader" to do it. The GUI gets the status from the output of "upgrader" so the user knows what's happening. In the meantime, all the graphics being displayed on the screen are retained in the display buffer, so "upgrader" doesn't have to worry about that part. In fact, if you change "logontsc.jpg" in your new ".upgrade" file, you can see how this is true.
When the device has finished flashing a new image, it tells you to turn it off. When you hit the power button, it briefly displays the logon image before powering down. If the new firmware image contains a different logon image, this is the one you see flash on the screen just before the device turns off.
The command line to upgrader basically passes the entire job over to it.
/bin/upgrader -f file:///cdrom/Shell-144f.upgrade
setup
/bin/setup
It seems to:
1) Try and use -USR1, -USR2, -TERM, and -HUP on some process and check it's dead. I suspect it's trying to do this to udhcpc but as udhcpc is currently set to exit after getting the lease, this won't work right well!
2) Be able to rmmod hc_isp116x and dm9000x_32. The former is a USB driver that we don't have and the latter the network driver. I'm not sure why it might want to remove this driver!
3) Mount a ramfs over /hosts, /net and /usb.
4) Take down the network with "ifconfig eth0 down" (probably also zaps the memory locations holding the IP and netmask at the same time)
5) Either, a) Run udhcpc, or b) run ifconfig and generate smb.conf directly.
So, the "meat" is really just 3, 4 and 5 and this is trivial to duplicate later if we want to do it properly (the current approach fails to renew the DHCP lease!)
Anyway, setup can be run multiple times. It takes a few seconds, but this is no big deal.
nbtscan
The stock MG-350HD firmware has a modified version of the GPL nbtscan that takes extra parameters and directly generates /hosts/hosts and creates directories in /net.
Example command line:
nbtscan -q -b /net -e 192.168.0.15/24
If your network has functional DNS, you can use the first form. To test this use -
nslookup myserver
You can test whether this is all working by running nbtscan from the telnet command line and by checking the contents of /hosts/hosts afterwards.
smbmount
smbmount -b /net/server_name -L server_name -U guest -N -s /hosts/smb.conf C
Although smbmount's built-in help doesn't show it, there's actually a second "help" buried in the executable:
Usage: mount.smbfs service mountpoint [-o options,...]
Version 2.0.7
Options:
username=<arg> SMB username
password=<arg> SMB password
netbiosname=<arg> source NetBIOS name
uid=<arg> mount uid or username
gid=<arg> mount gid or groupname
port=<arg> remote SMB port number
fmask=<arg> file umask
dmask=<arg> directory umask
debug=<arg> debug level
ip=<arg> destination host or IP address
workgroup=<arg> workgroup on destination
sockopt=<arg> TCP socket options
scope=<arg> NetBIOS scope
guest don't prompt for a password
ro mount read-only
rw mount read-write
This command is designed to be run from within /bin/mount by giving
the option '-t smbfs'. For example:
mount -t smbfs -o username=tridge,password=foobar //fjall/test /data/test
To connect to a network share, try the following commands after you have connected to the device via telnet:
mkdir /hosts/home
smbmount //192.168.1.65/my_share /hosts/home rw
Note that you have to use the IP address of the server unless you can access DNS!