Page 1 of 2 12 LastLast
Results 1 to 15 of 24

Thread: The Series5 (Tivo Roamio) Development Thread

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Join Date
    Aug 2010
    Posts
    17

    The Series5 (Tivo Roamio) Development Thread

    Figure a new thread will keep from the Premiere information/efforts and the Roamio efforts getting intertwined. Here are some high res pics of the PCB. They're a but slanted and blurry in a couple of places but it was the best I was able to get with the camera and lens I have.

    They were too large to attach, but here are the links:

    Top
    Bottom

    eMMC is KLM4G1YE4C-B001. Datasheet
    Last edited by GaveUp; 01-18-2014 at 01:03 AM. Reason: Add eMMC datasheet

  2. #2
    Join Date
    Nov 2013
    Posts
    1
    Ok, the next step would be to identify all the connectors.

    Top left is:
    Sata
    Power for the Hard Drive
    Fan?

    2 Bottom edge connectors go to the front panel.

    Which leaves J3200 in the middle, as the most interesting.

    What does the connector between the wifi daughtercard and the motherboard look like?

    Next, we need a boot log either via serial console or reading /var/log/* off of a booted hard drive. And if anyone is pulling out their hard drive, what the partition map looks like would be useful as well.

  3. #3
    Join Date
    Aug 2010
    Posts
    17
    Quote Originally Posted by prom.eth.eus View Post
    Ok, the next step would be to identify all the connectors.

    Top left is:
    Sata
    Power for the Hard Drive
    Fan?

    2 Bottom edge connectors go to the front panel.

    Which leaves J3200 in the middle, as the most interesting.

    What does the connector between the wifi daughtercard and the motherboard look like?

    Next, we need a boot log either via serial console or reading /var/log/* off of a booted hard drive. And if anyone is pulling out their hard drive, what the partition map looks like would be useful as well.
    You're right on the top left. Sata, Sata power, and a fan. Two connectors on the bottom left and right wire up to the LEDs. When pulling it apart I don't remember seeing any unpopulated headers, but now I'm actually not sure on J3200 (yeah, should have taken intermediary photos). Dumping the HD is on the list as well. It would be nice to get the contents of a never powered on image and the first boot log as well.

    Lastly, it would be nice to get a couple highres photos of the other roamio models. Comparing to the linked photos in the other thread there are quite a few differences (including a labeled uart0).

  4. #4
    Join Date
    Aug 2010
    Posts
    17
    It looks like the HD ships blank on the Roamios so the OS must be contained on the eMMC. Anyone have the equipment to pop that off so we can trace out CLK/CMD/DAT lines for dumping?

  5. #5
    Join Date
    Jul 2005
    Posts
    347
    Quote Originally Posted by GaveUp View Post
    It looks like the HD ships blank on the Roamios so the OS must be contained on the eMMC. Anyone have the equipment to pop that off so we can trace out CLK/CMD/DAT lines for dumping?
    I have access to IR rework equipment now, so I can pop off the chip.

    I'm currently trying to get Xeltek to add support for this chip so I can dump the firmware directly.
    .-=Omikron=-.

    TiVo Series4 Premiere Development HERE

    Do you have a PROM related question? Check HERE and HERE before sending me a PM. Any questions that have already been answered will be deleted if sent via PM.

  6. #6
    Join Date
    Aug 2010
    Posts
    17
    Probably not news to most but J3200 is the serial. Pin 1 is TX, 2 is GND, 3 appears to be RX. You can connect to it with an FTDI cable, MicroFTX or similar. Settings are 115200 8N1. Output on boot is:

    Code:
    Initializing XXXXXXXX (LOCKED)...
    
    TiVo Gen10 release 1.00 (2013-06-17 18:31:53)
    Copyright by TiVo Inc.  All Rights Reserved.
    System temperature: 32C
    TSN: XXXXXXXXXXXXXXX  BREV: 0xXXXX  MAC: 00:00:00:00:00:00
    Initializing mmc...
    Booting from internal device partition 3...
    Loading 6196192 bytes...
    Image signed by '... the Porridge bird ...'
    Hashing image... done
    Checking signature... done.
    Valid for release
    Kernel entry point is 0x8037c510
    Confirms that it is booting off the eMMC and given it's booting off partition 3 it's probably safe to assume it's using a similar partition layout to previous models. The, obvious, next step is getting a dump of the eMMC. I'll also wager J2205 is probably JTAG so that would also be worth investigating.

    J3202 is most likely a second serial port, but it doesn't display anything nor accept any input.
    Last edited by GaveUp; 01-26-2014 at 04:38 PM.

  7. #7
    Join Date
    Jul 2005
    Posts
    347
    I should note that I have yet to be able to see a Roamio in person, but if we have a sure-fire way of pulling the data off, perhaps it's wroth getting a Roamio to start dumping code...
    .-=Omikron=-.

    TiVo Series4 Premiere Development HERE

    Do you have a PROM related question? Check HERE and HERE before sending me a PM. Any questions that have already been answered will be deleted if sent via PM.

  8. #8
    Join Date
    Aug 2010
    Posts
    17
    If we had the lines of the chip it should be possible to dump it with an SD reader as has been done with the consoles that have eMMC chips. I do have a heat gun that could pop the chip off easy enough, but I don't have the equipment or skills to get it back on in working order. Without a throwaway tivo it's not a route I want to go down at this point.

  9. #9
    Join Date
    Jul 2005
    Posts
    347
    Quote Originally Posted by GaveUp View Post
    If we had the lines of the chip it should be possible to dump it with an SD reader as has been done with the consoles that have eMMC chips. I do have a heat gun that could pop the chip off easy enough, but I don't have the equipment or skills to get it back on in working order. Without a throwaway tivo it's not a route I want to go down at this point.
    I'm not worried about getting the chip back on as much as I am about accidentally corrupting the chip with the SD reader method. If that happens, the TiVo is still dead.
    .-=Omikron=-.

    TiVo Series4 Premiere Development HERE

    Do you have a PROM related question? Check HERE and HERE before sending me a PM. Any questions that have already been answered will be deleted if sent via PM.

  10. #10
    Join Date
    Aug 2010
    Posts
    17
    Quote Originally Posted by Omikron View Post
    I'm not worried about getting the chip back on as much as I am about accidentally corrupting the chip with the SD reader method. If that happens, the TiVo is still dead.
    True. On that I'd be curious how the thing behaves with the chip removed. Does it try to boot from somewhere else (hard drive)? JTAG might be an option for poking at the chip too, assuming it's functional. I'd guess it's not.

  11. #11
    Join Date
    Jul 2005
    Posts
    347
    Quote Originally Posted by GaveUp View Post
    True. On that I'd be curious how the thing behaves with the chip removed. Does it try to boot from somewhere else (hard drive)? JTAG might be an option for poking at the chip too, assuming it's functional. I'd guess it's not.
    Most likely the JTAG fuse in the Broadcom CPU is blown. There's no reason they wouldn't blow it, and since it was blown on the S4, it's got to be blown here as well. Still, no reason not to try anyway...

    My guess is that it behaves the same way the other platforms do when you remove the PROM, which is for the CPU to halt.

    I've contacted Xeltek and they are willing to add the programing algorithm for this chip to the SP6000 series, but there's a $200 development fee, plus they need three samples of the chip to test with (we should be able to source these externally), plus the BGA153 adapter, which is about $600.

    All in all, it's a fairly expensive proposition but from my experience it's a known-good way of getting a perfect, reliable, read and write. Unfortunately, considering how stymied the S4 development got, it's hard to justify the money since it's likely that we'll be stopped in our tracks even once we get the firmware out. We won't know if we don't try...
    .-=Omikron=-.

    TiVo Series4 Premiere Development HERE

    Do you have a PROM related question? Check HERE and HERE before sending me a PM. Any questions that have already been answered will be deleted if sent via PM.

  12. #12
    Join Date
    Jan 2002
    Location
    Sonoran Desert
    Posts
    2,829
    Quote Originally Posted by Omikron View Post
    Most likely the JTAG fuse in the Broadcom CPU is blown. There's no reason they wouldn't blow it, and since it was blown on the S4, it's got to be blown here as well. Still, no reason not to try anyway...

    My guess is that it behaves the same way the other platforms do when you remove the PROM, which is for the CPU to halt.
    It turns out that CableLabs completely forbids any kind of debug or developer access ports (such as jtag) in any CableLabs certified device. This would probably explain why S3 and beyond don't have a serial port, whereas all previous models did (though they did have a poorly hidden TTL port.)

    Anyways, I recall during my S3 hacking days that parts of the PROM were read and executed while tivoapp (or swedishchef as I think it's now called?) was live. I learned this inadvertently when the tivo locked up when I pulled the PROM out of a live system, and only booting the tivo in a "bare" state (e.g. terminating rc.sysinit early in the boot stage) allowed me to use a live tivo to reprogram a prom chip (because I didn't have any actual tools for reprogramming one.)

    Aside from the sata idea I came up with earlier, I was thinking alternatively you could *possibly* figure out what portions are read and swap out the prom early in the boot stage (but after the prom has done its signing checks.) Wouldn't be a permanent solution, but it would at least allow you to gain initial entry and learn more about how they work.
    Before PMing me: Iím not your personal tech support. If you have a question, ask in public so I don't have to repeat if somebody else asks. If you want images or slices, use emule. I will ignore all support PMs.

    Sponsor a vegetarian! I have taken the pledge, how about you?

  13. #13
    Join Date
    Jul 2005
    Posts
    347
    So after looking through what people are doing on the Xbox One side to dump the NAND via the SD card method, I think it may have merit.

    Now to find a Roamio to start attacking with hot pointy things... ;-)
    .-=Omikron=-.

    TiVo Series4 Premiere Development HERE

    Do you have a PROM related question? Check HERE and HERE before sending me a PM. Any questions that have already been answered will be deleted if sent via PM.

  14. #14
    Join Date
    Apr 2005
    Location
    Providence, RI
    Posts
    484
    Omikron - if you get to a point where a donation call is in order, don't hesitate. Some of us old-timers still stop by, but we've all been stymied by the Premiere for the past few years.
    More software at http://davidlauria.com/software.
    The lost alt-rock masterpiece from the '90s, Range of Motion's "Soft Buzz of Silence", is now available on iTunes!

  15. #15
    Join Date
    Aug 2010
    Posts
    17
    Quote Originally Posted by djl View Post
    Omikron - if you get to a point where a donation call is in order, don't hesitate. Some of us old-timers still stop by, but we've all been stymied by the Premiere for the past few years.
    At this point I think the most helpful thing would be tracking down more of the datasheets and tracing the pin outs of the main chips. Even the less technically inclined can help in that area.

    Quote Originally Posted by Omnikron
    Most likely the JTAG fuse in the Broadcom CPU is blown. There's no reason they wouldn't blow it, and since it was blown on the S4, it's got to be blown here as well. Still, no reason not to try anyway...

    My guess is that it behaves the same way the other platforms do when you remove the PROM, which is for the CPU to halt.
    I'd guess the same on the JTAG as well. It'd be a pretty big oops if not. The eMMC is different in purpose over the PROM in that it holds the OS as well. Just my thought is there's probably some, presumably disabled, way of telling it to boot of some other media. It'd make sense from the development perspective.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •