Rockbox Technical Forums


Author Topic: STMP3770 low level flash access  (Read 1364 times)

Offline LanMarc77

  • Member
  • *
  • Posts: 5
STMP3770 low level flash access
« on: December 24, 2023, 02:44:33 PM »
Hi,
I am the maintainer of https://github.com/lanmarc77/playaway and currently own a few different models of the Playaways. They seem to have different firmware versions and at least for the Playaway Light model range from version 01:03 to 01:08. I also already discovered some firmware bugs.
As I understood, the STMP3770 is only used in a few Rockbox-supported models. But it seems someone must know how to access the attached flash memory in a low-level way so that one can read the current firmware and write it back to actually upgrade older models to the newest version.
The pins on the PCB allow me to put a Playaway in recovery mode and it shows up as that via USB. Still, I do not know how to proceed, as I seem to need some tools and protocols to send correct commands to the recovery mode firmware to access the flash memory.

I hope someone in this forum can point me in the right direction.
Thanks.
Logged

Offline 7o9

  • Member
  • *
  • Posts: 174
Re: STMP3770 low level flash access
« Reply #1 on: December 25, 2023, 02:04:20 AM »
It is not clear from your post whether you have explored the information available on the wiki, like for example https://www.rockbox.org/wiki/STMP37xxRecovery.html or https://www.rockbox.org/wiki/SigmaTelSTMP3xxx.html

I have not tried it myself as I have no STMP-based device but I would start there.

Google shows some hits for ‘sigmatel firmware extractor’ too, which might help.
« Last Edit: December 25, 2023, 02:13:14 AM by 7o9 »
Logged

Offline LanMarc77

  • Member
  • *
  • Posts: 5
Re: STMP3770 low level flash access
« Reply #2 on: December 25, 2023, 10:10:15 AM »
Thanks for your links. I worked through them again as I did earlier.
From what I understood these are not directly usable for the Playaways.

My findings so far, which I need confirmation for to decide how and if to go on:
I can get the Playaway to a mass storage mode where I can put audio files on it (USB IDs: 066f:8000). I described this and the audio format in my repo.
By pulling the PSWITCH high with a pullup resistor I get to the more interesting ROM recovery mode which is part of every STMP3770.
The Playaway then reports via USB as Sigmatel Inc. ROM Recovery device with 066f:3770. This mode only allows for uploading code in .sb format via sbloader. So all other tools like the Sigmatel Firmware extractor work with other modes that the Playaway does not have or I am unable to enter.
Still, if my assumptions are correct, with sbloader one would be able to put code into the RAM of the STMP3770 only and execute it. This code then could add more functionality like reading/writing the whole flash content. But one would need to write this code, or if I am lucky it does exist already?
If I would need to write that code, any hint on existing code with kind of the same functionality would be nice.

I do have experience with microcontrollers but I am not sure how much work this would be and, after all, if my understanding of the whole situation is correct.
Logged

Offline saratoga

  • Developer
  • Member
  • *
  • Posts: 9376
Re: STMP3770 low level flash access
« Reply #3 on: December 25, 2023, 11:10:08 AM »
If you didn't see my reply on IRC, imxtools can extract the firmware from many players with that CPU:

https://github.com/Rockbox/rockbox/tree/master/utils/imxtools

No idea if it will work for yours, but probably a good place to start.
Logged

Offline LanMarc77

  • Member
  • *
  • Posts: 5
Re: STMP3770 low level flash access
« Reply #4 on: December 25, 2023, 02:38:58 PM »
No I did not see your reply in IRC, but thanks for coming here and: Eureka!

There were three tools in that folder. I took scsitools as the mass storage mode seemed to fit. Compiled it and needed to fix a multiple definition error (where am I going to report that?).
And indeed the tool outputs data:

Information
  Vendor: SigmaTel
  Product: SDK Device     
  Protocol: 6.0
Device
  Serial Number:  1a 0b 00 00 02 ae cc 14 00 02 e3 42 08 2d cc 14 ...........B.-..
  Chip Major Rev ID: 37b0
  ROM Rev ID: 2
Logical Media
  Number of drives: 0
  Media size: 134217728 (128.000 MiB)
  Allocation unit size: 2048 (2.000 KiB)
  Initialised: 1
  State: 0
  Write protected: 0
  Serial:  31 41 30 42 30 30 30 30 30 32 41 45 43 43 31 34 1A0B000002AECC14
 30 30 30 32 45 33 34 32 30 38 32 44 43 43 31 34 0002E342082DCC14
  System: 1
  Present: 1
  Page size: 2112 (2.062 KiB)
  Vendor: 194 (?)
  Number of devices: 1
Logical Media Table
  Drive No:  0 Type: 0 (Data) Tag: 0xa (Data) Size: 112.000 MiB
  Drive No: 50 Type: 0x1 (System) Tag: 0x50 (Boot) Size: 3.750 MiB
  Drive No: 60 Type: 0x1 (System) Tag: 0x60 (?) Size: 3.750 MiB
  Drive No: 70 Type: 0x1 (System) Tag: 0x70 (?) Size: 3.750 MiB
  Drive No:  3 Type: 0x2 (Hidden) Tag: 0xc (?) Size: 1.000 MiB
  Drive No:  2 Type: 0x2 (Hidden) Tag: 0xb (Hidden) Size: 1.000 MiB
Drive 00
  Sector size: 2048 (2.000 KiB)
  Erase size: 131072 (128.000 KiB)
  Drive size: 110493696 (105.375 MiB)
  Sector count: 53952
  Type: 0 (Data)
  Tag: 0 (System)
  Component version: 0.0.0
  Project version: 0.0.0
  Write protected: 0
Drive 50
  Sector size: 2048 (2.000 KiB)
  Erase size: 131072 (128.000 KiB)
  Drive size: 3932160 (3.750 MiB)
  Sector count: 1920
  Type: 1 (System)
  Tag: 0 (System)
  Component version: 5.0.0
  Project version: 4.1.0
  Write protected: 0
Drive 60
  Sector size: 2048 (2.000 KiB)
  Erase size: 131072 (128.000 KiB)
  Drive size: 3932160 (3.750 MiB)
  Sector count: 1920
  Type: 1 (System)
  Tag: 0 (System)
  Component version: 5.0.0
  Project version: 4.1.0
  Write protected: 0
Drive 70
  Sector size: 2048 (2.000 KiB)
  Erase size: 131072 (128.000 KiB)
  Drive size: 3932160 (3.750 MiB)
  Sector count: 1920
  Type: 1 (System)
  Tag: 0 (System)
  Component version: 5.0.0
  Project version: 4.1.0
  Write protected: 0
Drive 03
  Sector size: 2048 (2.000 KiB)
  Erase size: 131072 (128.000 KiB)
  Drive size: 1048576 (1.000 MiB)
  Sector count: 512
  Type: 2 (Hidden)
  Tag: 0 (System)
  Component version: 0.0.0
  Project version: 0.0.0
  Write protected: 0
Drive 02
  Sector size: 2048 (2.000 KiB)
  Erase size: 131072 (128.000 KiB)
  Drive size: 1048576 (1.000 MiB)
  Sector count: 512
  Type: 2 (Hidden)
  Tag: 0 (System)
  Component version: 0.0.0
  Project version: 0.0.0
  Write protected: 0

Is someone able to explain a little bit what I see here?

And it does extract a firmware. I will test the different sha values of my different Playaway firmwares before I dare to try an upgrade.
Am I interpreting it right, that this scsi functionality actually is part of the original Playaway firmware and not the ROM chip? And if so, I guess I can brick the device if I do an upgrade and for whatever reasons the newer firmware is then incompatible with that older Playaway and can not even run the mass storage mode?
Logged

Offline LanMarc77

  • Member
  • *
  • Posts: 5
Re: STMP3770 low level flash access
« Reply #5 on: December 26, 2023, 04:12:27 PM »
Status update.
I downloaded multiple firmware versions also from different Playaways with different flash chips. The same firmware versions did not differ in their sha256 value so each firmware version seems to be identical. I updated my repo accordingly.

I dared to try to update a Playaway from version 01:04 to 01:08 and...failed. The Playaway did not start anymore. I can still of course access the ROM recovery but do not have a fitting .sb to reenable the mass storage mode to rewrite the older version.
As we can see from the log output of scsitools above there are multiple partitions in the flash. After looking at the scsitool I saw that only the boot partition is taken into account if firmware is read or written to the device. But there are other partitions. I have modified scsitools to also download the other same size partitions and they have the exact same content. I guess I would have needed to update them as well. The other two partitions mainly contain FF (empty/default for a NAND flash).

Maybe someone with more inside knowledge can shed light on the situation on how to maybe rescue my brick or be able to update others without bricking them.
Logged
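Added example, not part of the thread and not code from scsitool or the playaway repo: a check that could be run on drive dumps before and after a firmware write, based on the observation in Reply #5 that the same-size System drives held identical content. It parses the Logical Media Table printed in Reply #4 and compares SHA-256 digests of the System drive dumps; the dump contents below are constructed sample bytes, and `system_drives` / `compare_copies` are hypothetical helper names.

```python
import hashlib
import re

# Logical Media Table rows as printed by scsitool in Reply #4.
TABLE = """\
  Drive No:  0 Type: 0 (Data) Tag: 0xa (Data) Size: 112.000 MiB
  Drive No: 50 Type: 0x1 (System) Tag: 0x50 (Boot) Size: 3.750 MiB
  Drive No: 60 Type: 0x1 (System) Tag: 0x60 (?) Size: 3.750 MiB
  Drive No: 70 Type: 0x1 (System) Tag: 0x70 (?) Size: 3.750 MiB
  Drive No:  3 Type: 0x2 (Hidden) Tag: 0xc (?) Size: 1.000 MiB
  Drive No:  2 Type: 0x2 (Hidden) Tag: 0xb (Hidden) Size: 1.000 MiB
"""

ROW = re.compile(r"Drive No:\s*(\w+) Type: \S+ \((\w+)\) "
                 r"Tag: (\S+) \([^)]*\) Size: ([\d.]+) MiB")

def system_drives(table):
    """Return [(drive_no, tag, size_mib)] for every row of type System."""
    return [(m[1], m[3], float(m[4]))
            for m in ROW.finditer(table) if m[2] == "System"]

def compare_copies(dumps, drives):
    """dumps maps drive number -> raw bytes read from that drive.
    Returns (all_match, {drive_no: sha256 hex, or None if no dump})."""
    digests = {no: hashlib.sha256(dumps[no]).hexdigest() if no in dumps else None
               for no, _tag, _size in drives}
    values = set(digests.values())
    return (None not in values and len(values) == 1), digests

if __name__ == "__main__":
    drives = system_drives(TABLE)
    # Constructed stand-ins for real dumps; 0xFF padding mimics erased NAND.
    old = b"constructed firmware 01:04".ljust(64, b"\xff")
    new = b"constructed firmware 01:08".ljust(64, b"\xff")
    cases = (("before write", {"50": old, "60": old, "70": old}),
             ("boot-only write", {"50": new, "60": old, "70": old}))
    for label, dumps in cases:
        ok, digests = compare_copies(dumps, drives)
        short = {no: d[:12] for no, d in digests.items()}
        print(label, "consistent" if ok else "MISMATCH", short)
```

A mismatch after a write shows that only some of the System drives were changed, which is the state the device was in when it stopped booting in Reply #5.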

Offline saratoga

  • Developer
  • Member
  • *
  • Posts: 9376
Re: STMP3770 low level flash access
« Reply #6 on: December 26, 2023, 04:19:47 PM »
I didn't follow the stmp devices closely but maybe you could look at the firmware recovery process for the other devices and adapt them for your needs.
Logged

Offline LanMarc77

  • Member
  • *
  • Posts: 5
Re: STMP3770 low level flash access
« Reply #7 on: December 27, 2023, 06:43:31 PM »
I kinda went down the rabbit hole. Not fully though.
I understood all the sbload processes and the ROM Recovery which the datasheet calls USB Boot driver with RHID interface and uses the BLTC protocol.

Using this I could create and compile my own program that runs from SRAM and lets the backlight of the LCD of the Playaway blink. So now I need to decide if I want to go all the way through that rabbit hole because this would mean writing code for some kind of communication channel, preferably USB, to then be able to access the NAND flash, that also needs a driver. I might be able to use some existing code but I am not yet experienced with this controller.
Another option would be to somehow utilize the original firmware extract. But this might also need adjustments as it was written to run from flash and I do not know what this means for all the addresses.

Maybe someone does have code already. None of the recovery files of existing players can be used as they use other recovery modes than the one with the BLTC protocol.
Logged
