Messages - 7.4

1
Hardware / Re: jtag flash dump dit9719
11. Oct 2011, 23:45
I'll answer my own question.

I found the bootloader at 0x93600000.

007.4
2
News / Wiki hacked?
10. Oct 2011, 17:20
Has the wiki been hacked or spammed?
All the info seems to have gone :(

007.4
3
Hardware / Re: jtag flash dump dit9719
10. Oct 2011, 14:37
I've now gone back to jtag as I cannot get the box to boot without the NR01 error even though the modchip appears to be working.

I've dumped 1 meg starting at 0xAC000000. There are big sections very similar to the bootloader that Mick posted; however, my dump starts with this:
Code:

AC000000h: 80 00 00 00 EE 07 8E 07 EB CB 74 89 5D 55 D5 1A ; €...î.Ž.ëËt‰]UÕ.
AC000010h: E7 85 45 D4 69 63 19 93 00 0D 78 2E 62 6F 6F 74 ; ç…EÔic."..x.boot
AC000020h: 00 00 80 00 00 00 0B 78 2E 64 73 00 40 00 01 00 ; ..€....x.ds.@...
AC000030h: 00 0F 78 2E 64 30 2E 63 66 67 00 BA 11 41 E3 00 ; ..x.d0.cfg.º.Aã.
AC000040h: 0F 78 2E 64 31 2E 63 66 67 00 BA 11 41 E3 00 0B ; .x.d1.cfg.º.Aã..
AC000050h: 78 2E 64 74 00 01 00 00 00 00 0C 78 2E 63 73 66 ; x.dt.......x.csf
AC000060h: 00 02 00 00 00 00 0E 78 2E 6C 32 72 7A 63 00 0C ; .......x.l2rzc..
AC000070h: 00 00 00 00 0D 78 2E 6C 32 78 7A 00 15 00 00 00 ; .....x.l2xz.....


whereas my dump starting at 0x1FC00000 was:
Code:

1FC00000h: F0 00 00 00 63 B3 1A 3C 78 2C 5A 37 08 00 40 03 ; ð...c³.<x,Z7..@.
1FC00010h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
1FC00020h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
1FC00030h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
1FC00040h: 45 43 45 43 E4 3E 66 93 E4 3E 06 00 00 00 00 00 ; ECECä>f"ä>......


which is the same as Mick's bootloader.

What is the correct offset for the bootloader?

Thanks for any help.
007.4
4
I discovered I was using the X30xT version of the modchip hex.  I've now re-programmed with Mick's BTvision version.

I'm now confident the modchip is working correctly:
Yellow - for about 5 seconds
Yellow and Green - very briefly
Yellow and Green and Red - for about 4 seconds
then just Green....

..... but I'm still getting NR01 on screen.
Is it OK to use an old HDD with just one partition or do I have to emulate the original HDD?

007.4
5
OK, so I've now added the LEDs.
I get
Yellow - for about 20 seconds
Yellow and Green - very briefly
Yellow and Green and Red - for about ten seconds
then just Green....

I think this is correct?  Yes?

But... and NR01 whilst the box downloads from internet. :(
So I guess the modchip is working OK but something else is wrong. Any ideas, anyone, please?

Thanks
007.4
6
After three years I've dug out my old BTVision DiT9719 box to have a play.
It is an old version with just the NK.bin and no ETC.bin.

I'd long since removed the HDD after backing up the original files. I've now fitted a much smaller (500mb HDD formatted FAT32) and restored the original files on this. I've replaced BooterCe.exe in NK.bin and start.xml, BootstrapDiag.xml and tv2config.xml in the Contents folder.  But I've not done anything with TV2ClientCE.exe.  I could not find a replacement or details of what to patch. I also did the CRC correction with NKpatcher.exe.

I programmed and verified OK an Atmega8 modchip and installed it (no LEDs) and double-checked pinouts/solders etc.

When I boot the box I just get error NR01. I do not know whether this is because the modchip is not working or because TV2ClientCE.exe is not patched. I did notice that the reset pin remains high (3.3v). Should it just go high briefly when the box starts and then go low again?

When the box is connected to the internet it downloads a new version of firmware but I've not let this be installed.

Is there any way to check what the problem is? Or is there something else I've forgotten and I need to do?

Can someone let me have a patched TV2ClientCE.exe?

Many thanks for any help.
007.4
7
Hardware / Re: jtag flash dump dit9719
06. Oct 2011, 11:33
Hi
I've disconnected the jtag now and installed a modchip (I've got problems with that - I'll post about it later!)

The FLAPS.exe is just a more recent version of wrt54g.exe with three jtag devices supported. It just needed some minor tweaking for the SMP8634 CPU chip.

It took about 18 minutes to dump 1 meg.
I started at 0x1FC00000. Up to 0x1FC10000 the dump was all OK, same as the bootloader posted by Mick. After that it was all 00000....

It seems I should have set the start at 0xAC000000 or dumped RAM to get the decrypted version.
What is the RAM start address?

Thanks for your input.
007.4
8
Hardware / jtag flash dump dit9719
04. Oct 2011, 21:11
Hi
I eventually got around to playing with this box. I used a xeloa type jtag interface and I patched FLAPs1.4.exe (a branch of wrt54g) to include the SMP8634 CPU.

It all works fine but when I try to dump 1 meg of flash starting at 0x1FC00000 I only get the first 64K dumped correctly. Everything after 0x1FC10000 is all 00 00 00....
Is this read protected? The first 64K is identical to Mick's bootloader.bin so I'm confident the interface is working correctly.

This is a short version of my output from 0x1FC10000:

Code:

BTVJTAG>flaps  -backup:custom  /instrlen:5 /fc:01
/window:1FC00000 /start:1FC10000 /length:00000100  /notimestamp /xeloa

=====================================================
    FLAPS MIPS EJTAG Flash Utility probes-v1.4
    Patched for BT Vision DiT9719   by 007.4
=====================================================

   Waiting 1 second..

Selected  port  = 0x0378

Probing bus ... Done

Instruction Length set to 5

CPU Chip ID: 00001000011000110000000000000001 (08630001)
*** Found a SigmaDesigns SMP8634 Rev A CPU chip ***

  - EJTAG IMPCODE ............... : 01000000010000010100000000000000 (40414000)
  - EJTAG Version ............... : 2.6
  - EJTAG Implementation flags .. : R4k ASID_8 MIPS16 NoDMA MIPS32

Issuing Processor / Peripheral Reset ... Done
Enabling Memory Writes ... Skipped
Halting Processor ... <Processor Entered Debug Mode!> ... Done
Init PrAcc ... Done
Clearing Watchdog ... Done
Done

Flash Vendor ID: 00000000000000000000000000000000 (00000000)
Flash Device ID: 00000000000000000000000000000000 (00000000)
    - Flash Chip Window Start .... : 1fc00000
    - Flash Chip Window Length ... : 00100000
    - Selected Area Start ........ : 1fc10000
    - Selected Area Length ....... : 00000100

*** Manually Selected a MX29LV800BTC 512kx16 TopB  (1MB) Flash Chip ***

*** You Selected to Backup the CUSTOM.BIN ***

=========================
Backup Routine Started
=========================

Saving CUSTOM.BIN.SAVED to Disk...
[  1% Backed Up]   1fc10000: 00000000 00000000 00000000 00000000
[  7% Backed Up]   1fc10010: 00000000 00000000 00000000 00000000
[ 14% Backed Up]   1fc10020: 00000000 00000000 00000000 00000000
[ 20% Backed Up]   1fc10030: 00000000 00000000 00000000 00000000
[ 26% Backed Up]   1fc10040: 00000000 00000000 00000000 00000000
[ 32% Backed Up]   1fc10050: 00000000 00000000 00000000 00000000
[ 39% Backed Up]   1fc10060: 00000000 00000000 00000000 00000000
[ 45% Backed Up]   1fc10070: 00000000 00000000 00000000 00000000
[ 51% Backed Up]   1fc10080: 00000000 00000000 00000000 00000000
[ 57% Backed Up]   1fc10090: 00000000 00000000 00000000 00000000
[ 64% Backed Up]   1fc100a0: 00000000 00000000 00000000 00000000
[ 70% Backed Up]   1fc100b0: 00000000 00000000 00000000 00000000
[ 76% Backed Up]   1fc100c0: 00000000 00000000 00000000 00000000
[ 82% Backed Up]   1fc100d0: 00000000 00000000 00000000 00000000
[ 89% Backed Up]   1fc100e0: 00000000 00000000 00000000 00000000
[ 95% Backed Up]   1fc100f0: 00000000 00000000 00000000 00000000
Done  (CUSTOM.BIN.SAVED saved to Disk OK)

bytes written: 256
=========================
Backup Routine Complete
=========================
elapsed time: 0 seconds


*** REQUESTED OPERATION IS COMPLETE ***


Also I have to manually select the flash chip. Anyone know why it is not correctly identified?

Help please!

Cheers
007.4
9
Hardware / Re: HOW TO
29. Aug 2008, 17:45
This is great, Mick. I've been waiting for a doc like this for some time, following the progress here and on other sites. This should keep me busy for a while having a play. Well done :)
Cheers
007.4