Technical topic solo2 clone (please only technical talk)

dirkjan73

@Ferret and @AJT,
I have opened this topic because we really need a topic that's going to help us solve the bricked problem, a topic ONLY meant for technical details and, if possible, solutions to FIX the problem we're having at this moment.

So please only reply if you have technical information!!

If you want to talk or want to complain,please do that at this link:

http://www.digitalworldz.co.uk/vu-solo2-receivers-633/378201-anyone-got-chinese-vu-263.html

So basically what happened was this:

So for some technical background, just for those who care.


About half a year or so ago I already made you aware that a 'time bomb' had been added into the Vu drivers; I don't know the exact thread by heart, but I'm pretty sure the search function will bring it up.

The following driver releases were, apart from the usual bug fixes and improvements, trial runs for what has now gone 'live'.

Due to the fact that the guys who cloned the security for the Chinese (and this was actually done in Europe, as many of you might know) made a pretty good copy of the ALPU TPM chip (from Neowine), which is used by many STB manufacturers and of course offers no real clone protection whatsoever, Vu had to look for another means of establishing the board authenticity.


So the logical second choice was the FPGA; hey, it was sitting on the board anyway, and for the clone companies it would for sure mean another $10/25K to read out, and so that was of course the logical way to go.

So that brings us to the current situation: the best they can do is just wipe out the block in the NAND where the SoC boots from, which would mean that the resellers will have to be equipped with at least BBS tools and software to 'revive' all boxes killed in the 19-4 attack.
Which is of course a good thing in more than one way.
First, the clones were shut off, even if only for a very short time. But this gives a strong signal to the end user market never to buy a clone (of course, buying a clone is always a bad thing), as you can never be sure what will happen.
Second, this creates a market for the 'guy in the attic with a soldering station' (not that he will need one in this case), but you know the guy I am talking about; these are the same guys who helped out when CI modules and other STBs were killed (a.k.a. erased) in the past.

So I guess the next thing that will happen is that the manufacturer of the clone boxes will start shipping BBS tools and so on to their resellers, and they will 'fix' the problem in a jiffy any day now.

And now, just because we can, a quick rundown of what exactly the 'authenticity check' and the 'counter measure' taken by Vu are.
Let me first just state that I have no involvement in any cloning activities; I am just an independent researcher who likes to 'see what went down'.
And whether I tell or not, it won't matter for the outcome: the current 'disabled' hardware will be revived. I am sure of this, as there were too many sold already, so it is imperative to the companies who made them that the 'problem' gets fixed, and so it will.

So, first what they have done is some FPGA magic, to confirm to the drivers that they are in fact dealing with cloned hardware (I won't go into details on how they do this; it's some challenge, some DES crypto and some other stuff, but not really relevant to know exactly).
Then, after they have established that it is in fact not a genuine board, some counters start running in some critical places, like the tuning of the front end, VFD actions and a random one connected to the A/V input. By doing this they are pretty sure that at some point the counter limits are reached, and then it is time to run 'the check'.
The check of course consists of a simple 'hello, what day is it?'; if it is in fact 19-4-2014 or later, it is time to do some erasing to make sure that we are not happy that you cloned our board.
So now the erasing starts: all they need to do is clean out the area where the SoC starts reading from after it starts up (a.k.a. the boot loader, a.k.a. CFE). But for whatever reason they chose to erase 64 pages, I guess to make sure it really won't start (not that it would matter at all; 1 would have been enough).
After that, the erasing continues some more when the critical functions are called, until the STB is rebooted, and at that point the user will get a nice black screen and no reaction from the STB whatsoever. All GPIO will remain uninitialized after powering on; this, for instance, causes the LAN light to stay on continuously, and so forth.

So that's pretty much the background of the whole thing: clones are killed, and now let's see what the next move will be.


For those who want to investigate the matter for themselves:
the recent functions were added into the drivers from a file called brcm_fpga_secu.c;
find it and you will see what I was talking about.


A quick code snippet from it (the least interesting one, as here the damage is 'already being done'), just for reference:

/* Uses the Broadcom register-access macros (BDEV_WR, BDEV_WR_RB, BCHP_NAND_*)
 * and BKNI_Sleep_tagged() from the driver's own headers. BDEV_WR_RB writes a
 * register and reads it back so the write has landed before the next step. */
void nand_erase_64_pages(void)
{
    /* Step through addresses 0..62 of the boot area, issuing an erase on each pass. */
    for (int addr = 0; addr < 64; addr += 2)
    {
        /* Select the target address, issue ERASE, then clear the command register. */
        BDEV_WR_RB(BCHP_NAND_CMD_ADDRESS, addr);
        BDEV_WR_RB(BCHP_NAND_CMD_START, CMD_ERASE << BCHP_NAND_CMD_START_OPCODE_SHIFT);
        BDEV_WR_RB(BCHP_NAND_CMD_START, CMD_NULL << BCHP_NAND_CMD_START_OPCODE_SHIFT);

        /* Zero the spare-area (OOB) write registers as well. */
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_0 + 0x00, 0);
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_0 + 0x04, 0);
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_0 + 0x08, 0);
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_0 + 0x0c, 0);
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_10 + 0x00, 0);
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_10 + 0x04, 0);
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_10 + 0x08, 0);
        BDEV_WR(BCHP_NAND_SPARE_AREA_WRITE_OFS_10 + 0x0c, 0);

        BKNI_Sleep_tagged(20);   /* let the flash controller finish before the next erase */
    }
    BKNI_Sleep_tagged(100);
}
Moral of the story is of course: with the genuine product you would never have had these kinds of issues, and thus that is ALWAYS the way to go!

These were my 2 cents; happy reading.

The situation is that the Bootlog is deleted and the CHIP is write protected.

So we have to find out if there are JTAG possibilities, so please let's concentrate on that!

@omni I've read here and on the Ferrari forum that you have some mtd files; do you have enough info, or what else do you need?
@smart did manage to extract the mtd0-mtd1-mtd2-mtd3-mtd4 files from his lonrus boxes; he did upload this.


So what's the next step?

 
To do the JTAG we need to get the SDK for the Broadcom chip.
Can't really do anything else without that...
And the problem is it's not public...
Maybe if you try asking the Chinese for this...
 
Ok @zomi, tell me what you want me to ask from my Chinese, I'll do my best... but you say we need the 'SDK for the Broadcom chip'?

If that's what you want, I will ask him.

Anyone else want me to ask him something? Please let me know!
 
JTAG Board :

Cypress CY7C68013A EZ-USB FX2LP USB2.0 Develope Board for Logic Analyzer | eBay

Details of Flash memory :

root@vusolo2:~# cat /proc/mtd
dev: size erasesize name
mtd0: 0e100000 00020000 "rootfs"
mtd1: 0e100000 00020000 "rootfs(redundant)"
mtd2: 00700000 00020000 "kernel"
mtd3: 00100000 00020000 "mac"
mtd4: 0d6d2000 0001f000 "rootfs"


Command to dump a partition: nanddump -nf /hdd/mtd3 /dev/mtd3

Dumper : nanddump (see attachment)

Omni
 

Attachments

  • jtag_board.jpg (56.6 KB)
  • nanddump.rar (6.3 KB)
  • CY7C68013A+_DataSheet.pdf (3.2 MB)
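Two things in this thread lend themselves to a small tool: the /proc/mtd listing above (sizes and erase sizes are hex without a 0x prefix) and the first post's description of the boot block being erased. The following is an added example, not code from this thread or from any of the posters: it parses a /proc/mtd listing into partitions with their erase-block counts, and scans a nanddump-style image for erase blocks that read back as all 0xFF, which is what erased NAND looks like. The dump it scans is constructed in the block itself (make_sample_dump is a hypothetical helper), and the check treats block 0 as the place the SoC expects its loader, as the first post describes.

```python
"""Parse a /proc/mtd listing and find erased (all-0xFF) blocks in a NAND dump."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed copy of the /proc/mtd listing quoted in the thread.
PROC_MTD = """\
dev: size erasesize name
mtd0: 0e100000 00020000 "rootfs"
mtd1: 0e100000 00020000 "rootfs(redundant)"
mtd2: 00700000 00020000 "kernel"
mtd3: 00100000 00020000 "mac"
mtd4: 0d6d2000 0001f000 "rootfs"
"""

# /proc/mtd prints size and erasesize as bare hex; the name is double-quoted.
MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"(.*)"$')


@dataclass(frozen=True)
class MtdPartition:
    dev: str
    size: int        # bytes
    erasesize: int   # bytes per erase block
    name: str

    @property
    def erase_blocks(self) -> int:
        """Number of erase blocks covering the partition, rounded up."""
        return -(-self.size // self.erasesize)

    @property
    def size_mib(self) -> float:
        return self.size / (1024 * 1024)


def parse_proc_mtd(text: str) -> list[MtdPartition]:
    """Parse /proc/mtd text; the header line and unparsable lines are skipped."""
    parts = []
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if m:
            dev, size, erasesize, name = m.groups()
            parts.append(MtdPartition(dev, int(size, 16), int(erasesize, 16), name))
    return parts


def find_erased_blocks(dump: bytes, erasesize: int) -> list[int]:
    """Indices of erase blocks in `dump` that are entirely 0xFF (the erased state of NAND).

    A blank block where code is expected is the symptom described in the thread; blocks
    that were simply never written also show up, so read the list against the layout.
    """
    erased = []
    for index, offset in enumerate(range(0, len(dump), erasesize)):
        chunk = dump[offset:offset + erasesize]
        if chunk.count(0xFF) == len(chunk):
            erased.append(index)
    return erased


def boot_block_intact(dump: bytes, erasesize: int) -> bool:
    """True when erase block 0 (assumed here to hold the loader) is not blank."""
    return 0 not in find_erased_blocks(dump, erasesize)


def make_sample_dump(erasesize: int, pattern: str) -> bytes:
    """Constructed dump (hypothetical helper): 'E' -> erased 0xFF block, 'D' -> block with data."""
    data_block = (b"CFE1" + bytes(range(256)) * 16)[:erasesize].ljust(erasesize, b"\x00")
    return b"".join(bytes([0xFF]) * erasesize if c == "E" else data_block for c in pattern)


if __name__ == "__main__":
    for p in parse_proc_mtd(PROC_MTD):
        print(f"{p.dev}: {p.name:<20} {p.size_mib:8.2f} MiB  "
              f"{p.erase_blocks} x {p.erasesize // 1024} KiB blocks")
    dump = make_sample_dump(0x20000, "EDED")
    print("erased blocks:", find_erased_blocks(dump, 0x20000))
    print("boot block intact:", boot_block_intact(dump, 0x20000))
```

To use it on a real image, read the nanddump output file as bytes and pass the erasesize from the matching /proc/mtd line; a dump taken with OOB data included has a different per-page stride, so strip the spare area first or the block boundaries will not line up.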
Ok @omni, let's say we all bought this JTAG tool... what's the next step? We have to connect to our motherboard; what's next? Could we, thanks to this tool, be able to write the boot again?
 

No, because as far as I know no one knows the mount points. Also, no one has the bootloader files. So you are still a long way off.
 
Thank you @simba, that was the thing I was thinking also... But there must be a connection point somewhere... but where...?
 
JTAG point on the motherboard; you find exactly the same on the VU+ Solo,

Omni
 

Attachments

  • solo2_JTAG.jpg (904.1 KB)
  • solo.jpg (9.6 KB)
  • solo_cfe.rar (104.6 KB)
  • duo.jpg (401.5 KB)
  • need-info-vu-jtag-broadcom-tools-solved-vu.pdf (456.3 KB)
  • how_to_use_BBS_-_SOLO_UNO_DUO_ULTIMO.rar (1.7 MB)
Ok, so you are saying with this tool we are able to READ... but I heard it is WRITE protected... But first things first... So you are saying we should order one of these and try to make a connection..?
 
Exactly, we will need that board (it's £5 including postage), then we need from the manufacturer the details about the exact pin connections. We will also need the release, by any source, of the bcm7345 software package.

Omni
 
Ok @omni, we do that. Tomorrow I am going to talk with the Chinese again; what do you need? Please be as specific as possible... I will ask them and I hope they cooperate, because it would put a little heat on them knowing that we are trying also.

If we all ask this of our Chinese, eventually some of them will send the codes and manuals to us!
 
Generally the JTAG is near the CPU, so it could also be this one,

Omni
 

Attachments

  • Solo2_JTAG_CPU.jpg (117 KB)
Most of the Chinese suppliers we buy from are small resellers; they are not the actual clone manufacturers. Hence they can do very little; they can, however, feed back up the chain to their suppliers and the manufacturer to apply pressure for the JTAG info and software tools to be provided. Lonrisun has been mentioned as the manufacturer of the clones.
 
You need to ask :

- CFE.bin file usable with JTAG.
- Broadcom Studio software with BCM7345 support (pack).
- Full dump file of the Flash chip.

And indication of the JTAG jumper on the motherboard + the description of every pin function of the JTAG jumper.

It would also be of interest to know how, with the Broadcom Studio for BCM7345, we can remove the write protect of the Flash chip (and if this is possible).

Omni


Absolutely correct, talking to lonrisun would cut down the whole process, so it would be ideal if someone could communicate with them directly.
 
Ok, my questions to the China guys are:

- "SDK for the Broadcom chip" (@zomi wants to know this);

- "EXACT mount points, JTAG indications and description of the pin functions";

- "CFE.bin file usable with JTAG";

- "Broadcom Studio with BCM7345 support";

Ok, is this it?
 
Ask also for the full dump of the Flash; it will always be handy to have such a dump for reflashing the chip if removed/desoldered, or to use it in full or in part with JTAG.

Ask how to "deprotect the Flash chip" if "write protected".

Omni

 
SDK for the Broadcom chip and Broadcom Studio with bcm7345 support are the same thing.

Just ask for Broadcom Studio with bcm7345 support; it's easier for them to understand.

See how you get on... it will be interesting what they come back with...
 
Ok, I will do that and hope that they will answer... But doing nothing and just waiting is not my philosophy of life ;-)
 