Full dump for clone Solo2 SE https://yadi.sk/d/mMNRE9vmbG2sr
Solo2 Jtag
- Thread starter dirkjan73
- Start date
techtechnique
Inactive User
- Joined
- Nov 25, 2012
- Messages
- 84
- Reaction score
- 8
Much appreciated. Even though it's from a Solo2 SE, I'll try it - you never know!
I just fixed my friend solo2, I don't have CY7C68013A so I made a nand flash programmer with pic18f. After read out the flash I understand the tbomb firmware erased from 0-0x400000h and programmed some random data to spare.The bootloader used was vusolo2-flash_by_jtag.zip found on the net,but attention the bytes must be swapped and ECC must be calculated if you are using external programmer.Maybe if you are using jtag programmer you don't have, because the CPU automatically write ECC after sector write.So I downloaded vusolo2-flash_by_jtag.zip inside found vusolo2-flash by jtag.bin, removed extra part from 0x400000, programmed the flash, updated the spare with good ecc, put back the flash to solo2, power on and "Starting.."-on display, powered off, put a new firmware on the usb, re-flashed with good firmware and thats all.
Hi,
i jtag my solo2 with no success
I have a toshiba chipset, lonrisun motherboard , the box is detected by bbs , i put the "vusolo2-flash by jtag.bin" download fine, but when i boot no starting.
Is there a specific ".bin" for toshiba chipset??
Thanks
i jtag my solo2 with no success
I have a toshiba chipset, lonrisun motherboard , the box is detected by bbs , i put the "vusolo2-flash by jtag.bin" download fine, but when i boot no starting.
Is there a specific ".bin" for toshiba chipset??
Thanks
techtechnique
Inactive User
- Joined
- Nov 25, 2012
- Messages
- 84
- Reaction score
- 8
I have a Cypress programmer, but am not sure where to find the ECC. Can you give some more detailed instructions please?
I checked that solo se file and the bootloader part is same.(like vusolo2-flash by jtag.bin) No reason for a full flash because all nand flash have bad blocks, you can't manage the bad block allocation without live ubi filesystem.You can copy a full flash only if you have a totally bad block free nand which is very very rare, even a new can contain bad block(s) read the flash manual.
Only the boot must be bad block free (but some bootloader can handle the bad block too) .You have to upload only the bootloader.I think 0-0x200000, At address 0x200000 you can find the vmlinux (linux kernel) so after that no more bootloader only the kernel and filesystem.
@techtechnique: the ECC is at spare location every 512 byte have 16byte spare, but it's not directly visible for cpu.
Every 2k sector have: Data:512byte 512byte 512byte 512byte Spare 16byte 16byte 16byte 16byte (Read K9F2G08U0C manual, and understand)
@techtechnique: Can you read back the flash with cypress to see what cypress see and program??
If cypress can't program the spare location you have no chance to start solo2 because che cpu check the ECC, if wrong then ignore that sector(Harware ECC).
When I first programmed without the spare(ecc) (was lazy) and the solo not started, on serial sent only one number and nothing else.
Maybe for this reason the tbomb firmware program random data to spare and not just erase sectors, to become more harder to reflash solo2!!!???
Only the boot must be bad block free (but some bootloader can handle the bad block too) .You have to upload only the bootloader.I think 0-0x200000, At address 0x200000 you can find the vmlinux (linux kernel) so after that no more bootloader only the kernel and filesystem.
@techtechnique: the ECC is at spare location every 512 byte have 16byte spare, but it's not directly visible for cpu.
Every 2k sector have: Data:512byte 512byte 512byte 512byte Spare 16byte 16byte 16byte 16byte (Read K9F2G08U0C manual, and understand)
@techtechnique: Can you read back the flash with cypress to see what cypress see and program??
If cypress can't program the spare location you have no chance to start solo2 because che cpu check the ECC, if wrong then ignore that sector(Harware ECC).
When I first programmed without the spare(ecc) (was lazy) and the solo not started, on serial sent only one number and nothing else.
Maybe for this reason the tbomb firmware program random data to spare and not just erase sectors, to become more harder to reflash solo2!!!???
Last edited by a moderator:
techtechnique
Inactive User
- Joined
- Nov 25, 2012
- Messages
- 84
- Reaction score
- 8
Hi Tibi,
I'm not experienced at all with the internal workings of NAND flash, so I'm learning as I go!
Yes, I can read the contents of the flash after programming and it is definitely taking the bin file I am sending.
When I reboot the box with a putty session connected, I get a repeated 734600127. This is if I use the same solo2 bin file you have used. Also the same with the lonrisun bin but I get no output if I use the dragonworth one.
I'm afraid I have no understanding about the spare / ecc you mention, so I am now at a loss.
One thing I have noticed is that you say the bootloader resides in 0-0200000, in the vusolo2-flash by jtag.bin file (and the lorinsun), 0x6f750 - 0x1ffff0 are all blank. Do you also find this?
I'm not experienced at all with the internal workings of NAND flash, so I'm learning as I go!
Yes, I can read the contents of the flash after programming and it is definitely taking the bin file I am sending.
When I reboot the box with a putty session connected, I get a repeated 734600127. This is if I use the same solo2 bin file you have used. Also the same with the lonrisun bin but I get no output if I use the dragonworth one.
I'm afraid I have no understanding about the spare / ecc you mention, so I am now at a loss.
One thing I have noticed is that you say the bootloader resides in 0-0200000, in the vusolo2-flash by jtag.bin file (and the lorinsun), 0x6f750 - 0x1ffff0 are all blank. Do you also find this?
Last edited:
techtechnique
Inactive User
- Joined
- Nov 25, 2012
- Messages
- 84
- Reaction score
- 8
This is the file I uploaded to the Solo2. It is essentially the same as the original bin file, but I truncated it at 0x200000:
https://dl.dropboxusercontent.com/u/75410149/VuSolo2/lonto0x200000.bin
Here is the dump of the first 5MB of the flash after programming the above file:
https://dl.dropboxusercontent.com/u/75410149/VuSolo2/partial.bin
As you can see everything from 0x6F750 is FF, which I suspect is correct?
https://dl.dropboxusercontent.com/u/75410149/VuSolo2/lonto0x200000.bin
Here is the dump of the first 5MB of the flash after programming the above file:
https://dl.dropboxusercontent.com/u/75410149/VuSolo2/partial.bin
As you can see everything from 0x6F750 is FF, which I suspect is correct?
techtechnique
Inactive User
- Joined
- Nov 25, 2012
- Messages
- 84
- Reaction score
- 8
@tibi67 - I have tried truncating my bin file and although it appears to be good in the flash, my Solo2 seems to be bootlooping at the initial 73460012 output (via putty / RS232), so clearly something is wrong.
Do you think it may be worth me trying your edited bin file?
As I said in a previous post, I have a replacement chip that I can have soldered in, but on the basis that my existing chip is still programmable, I would like to try and fix it via software before resorting to a hardware fix.
Do you think it may be worth me trying your edited bin file?
As I said in a previous post, I have a replacement chip that I can have soldered in, but on the basis that my existing chip is still programmable, I would like to try and fix it via software before resorting to a hardware fix.
Last edited by a moderator:
Yes, don't worry actually the boot end at 0x6f750 but if somebody want a more clever and bigger bootloader can go until 0x1fffff.
Please upload your initial bad dump of your solo2(the initial readout, I hope you saved before first write)
How long you get your flash dump after readout? It must be (data)268435456+(spare)8388608=(total)276824064 if you can access the spare via jtag, if not then only 268435456.
If you can access spare then have to know where is the spare location(for this I'm asking for initial dump), if not then 2 option: 1 no spare access via jtag (then can't be fixed via jtag), 2 no spare access but cpu atuomatiacally add after write (you can forget spare and ecc problem)
The initial first dump aslo good information to know if the data must be swapped or not.
techtechnique
Inactive User
- Joined
- Nov 25, 2012
- Messages
- 84
- Reaction score
- 8
Dang, regrettably the first task I carried out with the BBS was to simply flash the vu-hd bootloader, as I'd (perhaps foolishly) assumed it would be an easy fix, so I did not dump the full flash first. It was only after that I began to explore a little deeper, leading me here!
I have posted this on another forum:
I've just found this article:
I NEED FLASH DUMP FILE FOR SOLO - VU+ Solo Chat
In there they suggest the CFE starts at 0x100000.
I have just tried flashing the CFE starting at offset 0x100000 and the BBS returned a message telling me that 0x100000 is a bad block.
This could explain why it's not working?
I have posted this on another forum:
I've just found this article:
I NEED FLASH DUMP FILE FOR SOLO - VU+ Solo Chat
In there they suggest the CFE starts at 0x100000.
I have just tried flashing the CFE starting at offset 0x100000 and the BBS returned a message telling me that 0x100000 is a bad block.
This could explain why it's not working?
techtechnique
Inactive User
- Joined
- Nov 25, 2012
- Messages
- 84
- Reaction score
- 8
Is it worth taking a full dump now?
Also, @tibi67, have you read this? Vu clone attack - [EN] Enduser support - Forums
Also, @tibi67, have you read this? Vu clone attack - [EN] Enduser support - Forums
Last edited by a moderator:
Big mistake, every time you have to make a backup, to not worse the situation.
Personally after taken out the flash I connected th WP pin to gnd to not accidentally erase the flash, only after many readout connected to VCC and flashed.
Maybe, I don't know, but if you flash from 0 and you can read back then you are programming to flash.
If you not flashed all 256M maybe yes, if you already flashed then no reason.
Yes but not 100% true, there say the addr counter take 0-64 but it's not true take 0-2048, it's not writing 0 to spare, I found some random value like 0x21 0x27 ...
You don't answered to question about full flash size!
You are so lucky, you have good flash you have Cypress.... why don't simply put the good flash start and read out the good flash then switch back and flash the erased one to see what happen?
You don't have to solder all pins 8data+4power+7control pins only.
I don't have it any cypress, nor good flash and still recovered the solo2...
techtechnique
Inactive User
- Joined
- Nov 25, 2012
- Messages
- 84
- Reaction score
- 8
I am in the process of taking a full dump now. It takes a long time!
techtechnique
Inactive User
- Joined
- Nov 25, 2012
- Messages
- 84
- Reaction score
- 8
I don't know how much use this may be, but here is a link to the full dump of the bad flash I have just made.
https://dl.dropboxusercontent.com/u/75410149/VuSolo2/full_flash.rar
Once I have replaced the chip, I will take another dump and give you the link.
https://dl.dropboxusercontent.com/u/75410149/VuSolo2/full_flash.rar
Once I have replaced the chip, I will take another dump and give you the link.
