Page 1 of 3 123 LastLast
Results 1 to 15 of 44

Thread: YES YOU CAN SOFTWARE FLASH 39's!

  1. #1
    Join Date
    Nov 2002
    Location
    Santa Clara (SF Bay area)
    Posts
    65

    YES YOU CAN SOFTWARE FLASH 39's!

    Ok, I _FINALLY_ figured it out!

    The problem was the MIP's processors cache. It was write combining so that the chip wouldn't see consecutive writes to the same offset. This would prevent the chip from going into identify, erase sector, erase chip or write byte modes.

    Solution? The msync command:

    [BEGIN]

    // Software ID Entry
    pFlashAddr[0x5555] = 0xAA;
    msync((void*) &pFlashAddr[0x5555], 1, MS_SYNC);
    pFlashAddr[0x2AAA] = 0x55;
    msync((void*) &pFlashAddr[0x2AAA], 1, MS_SYNC);
    pFlashAddr[0x5555] = 0x90;
    msync((void*) &pFlashAddr[0x5555], 1, MS_SYNC);

    //NanoDelay(150); // 150 nanoSeconds

    // read Software ID
    results = *(short*) pFlashAddr;

    // Software ID Exit
    pFlashAddr[0x5555] = 0xAA;
    msync((void*) &pFlashAddr[0x5555], 1, MS_SYNC);
    pFlashAddr[0x2AAA] = 0x55;
    msync((void*) &pFlashAddr[0x2AAA], 1, MS_SYNC);
    pFlashAddr[0x5555] = 0xF0;
    msync((void*) &pFlashAddr[0x5555], 1, MS_SYNC);

    //NanoDelay(150); // 150 nanoSeconds

    [END]

    The full source code, makefile, etc. is enclosed. NOTE: This enclosed file is a .sit file not a .zip file. rename and unstuff. Sorry, I was just too tired to zip it.

    Legal Crap: USE AT YOUR OWN RISK! If improperly used it can BRICK your TiVo!
    I make absolutely NO guarantees. This code has NOT been robustly tested.

    Run it with NO paramaters first and it should print out the SoftWare ID for your flash. If it sez "Unknown softwareID: 0x0BF0" then you have the 37' chip and it can't be flashed. But if it sez "Software ID: 0xBFD4, size: 524288 (0x00080000)." then you're in business! ;-)

    To get a copy of what's in your flash:

    ./flash39 -s flash39.data

    To verify:

    ./flash39 -v flash39.data

    To FLASH: *** WARNING, DANGERIOUS! ***

    ./flash39 -F flash39.data

    good luck.

  2. #2
    Join Date
    Nov 2002
    Location
    Santa Clara (SF Bay area)
    Posts
    65
    Gee, did I forget the file?!? Sorry.

    [EDIT] you can get the "real" zip file from alldeadhomiez response below.
    Last edited by geowar; 06-12-2003 at 12:07 PM.

  3. #3
    Join Date
    Jan 2002
    Posts
    60
    Exactly what is a .sit file? What program do I use to unstuff? Thanx for the file.

  4. #4
    Join Date
    Nov 2002
    Location
    Santa Clara (SF Bay area)
    Posts
    65

    What's the .sit? ;-)

    .sit's have about 20% better compression than .zip's. Windows, Mac & Linux versions are at:

    <http://www.stuffit.com/win/expander/index.html>

  5. #5
    Join Date
    Jan 2002
    Posts
    1,778

    Re: What's the .sit? ;-)

    Originally posted by geowar
    .sit's have about 20% better compression than .zip's. Windows, Mac & Linux versions are at:

    <http://www.stuffit.com/win/expander/index.html>
    Here's the flasher in zip format - it's a whole 2k smaller out of about 720k :P
    Attached Files Attached Files

  6. #6
    Join Date
    Feb 2003
    Posts
    52
    How do you check to see if you have a 39??
    Webmaster @
    Shr00mServer's i730 Resources.
    http://nextel.shroomserver.org/

  7. #7
    Join Date
    Nov 2002
    Location
    Santa Clara (SF Bay area)
    Posts
    65
    Originally posted by Shr00m
    How do you check to see if you have a 39??
    Run it with NO paramaters first and it should print out the SoftWare ID for your flash. If it sez "Unknown softwareID: 0x0BF0" then you have the 37' chip and it can't be flashed. But if it sez "Software ID: 0xBFD4, size: 524288 (0x00080000)." then you're in business! ;-)

  8. #8
    Join Date
    Jun 2003
    Posts
    1

    29

    Sorry, I new to this. Are we talking about flashing the PROM? If so, how to do we connect to it? via a serial cable ??

  9. #9
    Join Date
    Jun 2001
    Posts
    3,108
    Originally posted by mrfrodo
    Sorry, I new to this. Are we talking about flashing the PROM? If so, how to do we connect to it? via a serial cable ??
    1) you cannot use this on any series 2 directivo unless you have previously swapped out the prom. all series 2 directivos ship with the 37 chips, so they can't be flashed in place without modifications. some series 2 SA units can be flashed, since they shipped with 39 chips.

    2) you must get bash in order to run this program on your tivo. bash_env is pretty much your only option.
    Step one: search button!
    Silly Wabbit, guides are for kids

  10. #10
    Join Date
    Feb 2003
    Posts
    52
    Originally posted by geowar
    Run it with NO paramaters first and it should print out the SoftWare ID for your flash. If it sez "Unknown softwareID: 0x0BF0" then you have the 37' chip and it can't be flashed. But if it sez "Software ID: 0xBFD4, size: 524288 (0x00080000)." then you're in business! ;-)
    Can somebody point me to a thread that shows me how to check this? I've been reading and reading on both forums, and and need to get a straight answer from somebody on what to do to check.

    thanks in advance...
    Webmaster @
    Shr00mServer's i730 Resources.
    http://nextel.shroomserver.org/

  11. #11
    Join Date
    Jun 2001
    Posts
    3,108
    Originally posted by Shr00m
    Can somebody point me to a thread that shows me how to check this? I've been reading and reading on both forums, and and need to get a straight answer from somebody on what to do to check.

    thanks in advance...
    what do you mean "how to check this"? you do as it says: get the file onto the tivo, then run it with no parameters
    Step one: search button!
    Silly Wabbit, guides are for kids

  12. #12
    Join Date
    Nov 2002
    Location
    Santa Clara (SF Bay area)
    Posts
    65

    Quick notes:

    I've got reports from some brave souls that flashing forced their TiVo's to reboot (w/o flashing). Others have just reported a hang (had to power cycle to boot (and still no flash)) and I've got one report that their TiVo bricked (won't boot). No one has reported back that it's worked (except me).

    Just for giggles: I accidentally wrote the wrong image and bricked a TiVo this morning. Laugh's on me. ;-)

    Like I said, this thing's dangerous. I'll continue to investigate to see what might be causing these problems. Lucky for you I have a few spare 39's laying around (and a 37' that I can't accidentally erase. ;-)

  13. #13
    Join Date
    Jan 2002
    Posts
    1,778

    How I flashed my HDVR2

    I am now running an HDVR2 with a hacked PROM that was programmed in-circuit from a blank. Here are my notes:

    • I began by socketing my SST37 chip and bumming some SST39 chips off a friend. Hint: practice on something other than your tivo mainboard if you are new to SMD rework. It's not as bad as a TSOP-48 but you can still do a lot of damage.
    • I tried the TiVo getprom binary, which worked but did an annoying SHA1 hash on the prom image prior to burning it. (easily bypassed but this way was more fun)
    • flash39.c did seem to have some bugs and did not work correctly for me. I wrote my own flasher, homieflash.c, heavily based on geowar's code. I did not need to use msync() operations (nor did TiVo in getprom fwiw).
    • Do not touch this stuff if you do not have a backup chip.
    • Be very careful extracting the chip from the socket if you do not have the right tools. Otherwise you will crack the socket and have to install a new one. That is a real pisser.
    • I booted using a good chip and then popped the blank one in after the system was up. Do not do this if you are a clumsy or squeamish. If you screw up your box will lock up. If you screw up badly you will start a fire. This is not covered under warranty.
    • I would not advise trying to reflash your prom while anything else is happening on the system (i.e. rc.sysinit or tivoapp running). YMMV as will your tolerance for risk.
    • To facilitate easy removal of your prom from the socket, put a well-insulated twist tie on the diagonal underneath the chip and pull on both ends to pop it out. (for temporary installation of course)
    • The chipset really does not like it when you try to write past the end of the prom (>= 1fc20000). This will probably lock up or reboot your box.
    • I have permanently changed the chip id from 0xbfd5 to 0xffff on one of my sst39 chips. I have no frickin idea how this happened but the chip still works fine. Erasing and reprogramming it has no effect.
    • homieflash is attached. Do not use it unless you are able to recover from a borked prom. It does not check chip IDs or do much preventative error checking so don't screw up.
    • geowar has reported that his (SA) asic is causing reboots when writing to certain address ranges. I did not see this on my hdvr2 but I do not have an SA to test on.
    • The tivo getprom util sets the process priority (presumably to something very high) while flashing. I am too lazy to look up how to do this at the moment.
    Attached Files Attached Files

  14. #14
    Join Date
    Nov 2002
    Location
    Santa Clara (SF Bay area)
    Posts
    65
    >I am now running an HDVR2 with a hacked PROM that was programmed in-circuit from a blank.

    Is the HDVR2 a series two? Is it MIPS or PowerPC processor? AFAIK only the MIPS processor needs the msync to flush the caches and force the writes to the PROM.

    > flash39.c did seem to have some bugs and did not work correctly for me. I wrote my own flasher, homieflash.c, heavily based on geowar's code. I did not need to use msync() operations (nor did TiVo in getprom fwiw).

    Bugs? Me? Never! ;-) Grin. You can tell I'm not a Unix programmer huh? ;-) I'm glad my efforts were at least helpful. I had lots of "dead" code that was in there while I was trying things out. Once I get everything working right I can dead strip it to the minimal.

    Actually, I'm curious as to what bugs you found. I know all the sizes are 8 times to big (why are ROM sizes in bits not bytes?!?) and I've already fixed that in my sources but what else did you find? You may email me privately (@<geowar@apple.com>) if you don't want to embarrass me in public. ;-)

    >The tivo getprom util sets the process priority (presumably to something very high) while flashing.

    I didn't see this in the dissassembly for getprom?!?
    Enjoy,
    George Warner,
    Schizophrenia Optimization Scientist
    Apple Developer Technical Support (DTS)

  15. #15
    Join Date
    Jan 2002
    Posts
    1,778
    Originally posted by geowar
    >I am now running an HDVR2 with a hacked PROM that was programmed in-circuit from a blank.

    Is the HDVR2 a series two? Is it MIPS or PowerPC processor? AFAIK only the MIPS processor needs the msync to flush the caches and force the writes to the PROM.
    Hughes HDVR2 = Series2 DTV combo box (MIPS)


    > flash39.c did seem to have some bugs and did not work correctly for me. I wrote my own flasher, homieflash.c, heavily based on geowar's code. I did not need to use msync() operations (nor did TiVo in getprom fwiw).

    Bugs? Me? Never! ;-) Grin. You can tell I'm not a Unix programmer huh? ;-) I'm glad my efforts were at least helpful. I had lots of "dead" code that was in there while I was trying things out. Once I get everything working right I can dead strip it to the minimal.
    Well, for one thing, it was a C program that needed a C++ compiler because of some of the "conventions." It crashed my box when I tried to program (without doing anything) but I don't recall what caused that.

    The logic is essentially the same; I just wanted to pare the code down to the bare essentials and clean up the flow. homieflash.c is intentionally very simple.

    >The tivo getprom util sets the process priority (presumably to something very high) while flashing.

    I didn't see this in the dissassembly for getprom?!?
    I did not look at the getprom disassembly, but I did observe the strace output.

    BTW, running strace on getprom corrupted my flash both times I tried. I do not think it likes to be interfered with.
    Last edited by alldeadhomiez; 07-02-2003 at 06:16 PM.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •