Technical topic solo2 clone (please only technical talk)

In the MIPS world(s) JTAG is a 2x7 connector. The Cypress or original BRCM adapter connects to a 4-pin I2C. Not really relevant, as the needs and effect are the same.
 
It is in the interest of the clone manufacturer to resolve this issue ASAP; their future sales depend on it. So far what we are seeing is the smaller resellers all panicking and not knowing what to do, so they are offering flash chip replacements as a quick fix or the option of sending the motherboard back. These suppliers will have to report this issue back to the actual clone manufacturer to develop a fix... the resellers are not capable of solving this issue.

- We know that there appear to be JTAG headers on the motherboard for the SOLO2.
- We know the Cypress board should be able to be used to JTAG the receivers.
- We know that previous VU models Solo, Duo etc can have their CFE boot loader restored via JTAG this has been done before.

The issues/queries that need to be posed to the clone manufacturers via the resellers are as below. We do not have direct access to the manufacturers, so we need to pressurize the resellers. I suggest everyone with a bricked Solo or Solo2 contact your reseller and ask them to pass on the below queries to the clone manufacturer. The hardware of these clones is manufactured by LONRISUN; this is where the fix should come from.

- We DO NOT know the layout, locations and pin assignments for the JTAG connections.
- We DO NOT have Broadcom Studio software with support for the BCM 7345 chip used on the SOLO2.
- We DO NOT have a dump of the bootloader CFE to flash to the receivers.
- We DO NOT know if it is possible to remove the write protection on the flash that has been applied by the VU anti clone measure... Is it possible to remove the write protection via JTAG ?? If not then the JTAG idea is a non starter.
 
I have sent the Chinese an email and hopefully he will give us feedback...
 
I ask you, professionals: is this idea possible or not possible?

http://www.digitalworldz.co.uk/vu-solo2-receivers-633/378201-anyone-got-chinese-vu-post2416697.html#post2416697
 
Might be trying it... Is anyone able to try this? Has anyone got the gear?

And here is the mtd3.zip upload from @edogg http://www.digitalworldz.co.uk/attachment.php?attachmentid=80754&d=1398260208

And like I said, I sent the questions to the Chinese guy and he promised me to give this to the engineer who is involved in the solving, fingers crossed he answers..
 
No, we cannot try to flash this file to our SOLO2 clones. It may well be part of the solution, however.

1. We need to know for sure the JTAG pin configurations and location on the motherboard (I think it may be the 4-pin header at P701; this looks similar to the connector and location on the DUO).
2. We need a Cypress development board and BBS Tools software with support files for the BCM 7345 CPU (Broadcom Studio); without this we cannot communicate with the receiver via JTAG. (I have a Cypress board on order at the moment.)
3. We need to know whether it is possible to remove the write protection from the NAND that was apparently applied by the anti-clone measure. Is write protection applied? If so, is it possible to remove it via JTAG? If so, how is it done???

Once all of the above is confirmed, then we can attempt to flash the mtd3 that edogg has dumped. The BBS Tools with BCM 7345 support files is the important bit... hopefully the clone manufacturers will release it if they have it, or someone else will leak it... This software is not made public by Broadcom; it is only supplied to high-volume customers who are made to sign an NDA (Non-Disclosure Agreement).

The Broadcom Studio 3 software itself was leaked a long time ago; you can find on other forums posts where people have used this software with a JTAG to flash CFE bootloaders to VU Duo and Solo receivers... So this does work, it's proven.. BUT the 2 main differences being:

- The files for the Solo and Duo BCM chips are available, the SOLO 2 ones are not...
- The CFE flash carried out on Solo and Duo receivers did not have their NAND chips write protection enabled.
 
@gsmtech thanks bro! But we NOW really have to get some gear to explore the hardware side of this damn...ed thing... We don't have a guarantee that this will be resolved on a SW basis... And if we're lucky and it would, maybe next month VU gives us a summer vacation surprise and after that a Christmas... We really must concentrate on the JTAG..

I think we can eventually get the info like BCM7345 and the NAND files no sweat, but we now have to find the gate to the heart so we can communicate with this thing.

I talked to the Chinese guy and said that we could use their help, because if we knock this thing open, it also would be to their advantage; they could continue selling boxes..


So let's order this JTAG equipment... I am going to order today!
 
I was wondering: I own an Openbox S9, and when these got bricked, one way of restoring them was to connect a working one to a non-working one with an RS232 cable, with the non-working one turned we then turned the working one on and they would download. So maybe this would work, or use the cable that comes with the Solo2; it must be used for something, because the real Solo2 does not come with the cable.
 
The Cypress board itself is pretty cheap.. but it will take time to ship from China... We will have to make our own interface cable between the Cypress board and pin header on the Solo2 main board once we know the correct pinouts.

Sent from my Nexus 5 using Tapatalk
 
I was wondering: I own an Openbox S9, and when these got bricked, one way of restoring them was to connect a working one to a non-working one with an RS232 cable, with the non-working one turned we then turned the working one on and they would download. So maybe this would work, or use the cable that comes with the Solo2; it must be used for something, because the real Solo2 does not come with the cable.

I think the RS232 serial cable you're referring to is something to do with being able to write to the security module on the receivers.
I don't think we can use it to write to the flash memory NAND or remove the write protection.. if indeed it is even applied.. this needs to be confirmed.
Maybe someone else can confirm this, I'm no expert!
 
@gsmtech OK bro, I will find that out for you! And if we know that, then we're going to start physically rap..ing this thing instead of only talking theory...!

I will ask the Chinese tomorrow when I talk to him again!
 
Guys what's to say the manufacturers have not already tried the JTAG themselves. That might be why they are saying chip replacement

Sent from my Nexus 5 using Tapatalk
 
We don't know that, but a fact is that the manufacturers, those very brilliant Chinese guys, are still using our safe images, images made and distributed by this site... We have to try some things; waiting and talking theory isn't going to solve this... Do you remember when everyone was stuck on the images for 15/12/13? We said we're going to try and resolve this thing, and you know what happened then. I feel we can do the same thing.

We can do this bro;-)
 
Guys what's to say the manufacturers have not already tried the JTAG themselves. That might be why they are saying chip replacement

Sent from my Nexus 5 using Tapatalk

It's possible they have tried this. But I don't see any reason why JTAG wouldn't work unless they haven't implemented the JTAG properly on the clone boards.. Or if the NAND is write protected they may not be able to remove the write protection. It's already proven that original Duo and Solo receivers with damaged bootloaders can be restored via JTAG and BBS Tools.

Also I don't believe the guys we are contacting are in a position to really help us.. They are small resellers, they are not the manufacturers; they probably don't have the tools or know-how to try a JTAG solution.

Lonrisun should be developing a fix which they then hand down to their resellers. The fix, if possible, will take time; it won't be overnight.
 
@gsm is there a very big difference between resolving a crashed vs deleted bootlog?... Correct me if I am wrong, but in both cases we need the NAND dump... right?
 
Yes we definitely need a known good working NAND dump that we can flash via JTAG.

I don't believe it matters if the boot loader is corrupt or deleted, as long as we have the ability to rewrite a clean bootloader to the NAND.

There may be other issues as well. Is it as easy as writing directly to the NAND? Or is there any involvement with the security module? I.e.: are there any RSA keys and authentication required before writing to the NAND is allowed??
Do we even know fully what the anti clone measure actually did ?? We know 64 pages of the NAND were deleted including the boot loader. This was confirmed by the pli team core member who looked into this.

The same guy also said he expects this to be able to be fixed very quickly by the clone manufacturers using JTAG and BBS tools..

Sent from my Nexus 5 using Tapatalk
 
"JTAG" pinout p701 4pin spits out something, HEX.. try´d to connect referring to this thread
Jtag pinout mips-BCM7538(STB Kaon) - USB JTAG

but I just used a very simple USB RS232 UART.. and without 3.3V... because I don't really know what I'm doing..

with the other p403 10 Pin, i had no luck with that:
Actel FlashPro JTAG

hex output


regards
Not sure if this will help or not, but I have connected to the same port with an old phone cable (as I had a problem with my DVD when I loaded the wrong software, and fixed it that way) and used MTKtool; I have a log:
LOG: Start to upgrade
LOG: Init Rs232 ...
LOG: Flash Type - Unknown Flash Type
LOG: Erasing ...
LOG: Erasing ...
LOG: Erasing ...
ERR: fail to erase flash!
Seems there is some response from that port....
 
Do we know that the flash ram is write protected after the attack?

Sent from my GT-I9505 using Tapatalk
 