Support and General Use > Hardware
STMP3770 low level flash access
LanMarc77:
Hi,
I am the maintainer of https://github.com/lanmarc77/playaway and currently own a few different models of the Playaways. They seem to have different firmware versions and at least for the Playaway Light model range from version 01:03 to 01:08. I also already discovered some firmware bugs.
As I understood the STMP3770 is only used in a few rockbox supported models. But it seems someone must know how to access the attached flash memory in a low level way so that one can read the current firmware and write it back to actually upgrade older models to the newest version.
The pins on the PCB allow me to put a Playaway in recovery mode and it shows up at that via USB. Still I do not know how to proceed as I seem to need some tools and protocols to now send correct commands to the recovery mode firmware to access the flash memory.
I hope someone in this forum can point me in the right direction.
Thanks.
7o9:
It is not clear from your post whether you have explored the information available on the wiki, like for example https://www.rockbox.org/wiki/STMP37xxRecovery.html or https://www.rockbox.org/wiki/SigmaTelSTMP3xxx.html
I have not tried it myself as I have no STMP-based device but I would start there.
Google shows some hits for ‘sigmatel firmware extractor’ too, which might help.
LanMarc77:
Thanks for your links. I worked through them again as I did earlier.
From what I understood these are not directly usable for the Playaways.
My findings so far that I need confirmation for to decide how and if to go on:
I can get the Playaway to a mass storage mode where I can put audio files on it (USB IDS. 066f:8000). I described this and the audio format in my repo.
By pulling the PSWITCH high with a pullup resistor I get to the more interesting ROM recovery mode which is part of every STMP3770.
The Playaway then reports via USB as Sigmatel Inc. ROM Recovery device with 066f:3770. This mode only allows for uploading code in .sb format via sbloader. So all other tools like the Sigmatel Firmware extractor work with other modes that the Playaway does not have or I am unable to enter.
Still if my assumptions are correct with sbloader one would be able to put code into the RAM of the STMP3770 only and execute it. This code then could add more functionality like reading/writing the whole flash content. But one would need to write this code or if I am lucky it does exist already?
If I would need to write that code any hint on existing code with kind of the same functionality would be nice.
I do have experience with micro controllers but I am not sure how much work this would be and after all if my understanding of the whole situation is correct.
saratoga:
If you didn't see my reply on IRC, imxtools can extract the firmware from many players with that CPU:
https://github.com/Rockbox/rockbox/tree/master/utils/imxtools
No idea if it will work for yours, but probably a good place to start.
LanMarc77:
No I did not see your reply in IRC, but thanks for coming here and: Eureka!
There were three tools in that folder. I took scsitools as the mass storage mode seemed to fit. Compiled it and needed to fix a multiple definition error (where I am going to report that?).
And indeed the tool outputs data:
Information
Vendor: SigmaTel
Product: SDK Device
Protocol: 6.0
Device
Serial Number: 1a 0b 00 00 02 ae cc 14 00 02 e3 42 08 2d cc 14 ...........B.-..
Chip Major Rev ID: 37b0
ROM Rev ID: 2
Logical Media
Number of drives: 0
Media size: 134217728 (128.000 MiB)
Allocation unit size: 2048 (2.000 KiB)
Initialised: 1
State: 0
Write protected: 0
Serial: 31 41 30 42 30 30 30 30 30 32 41 45 43 43 31 34 1A0B000002AECC14
30 30 30 32 45 33 34 32 30 38 32 44 43 43 31 34 0002E342082DCC14
System: 1
Present: 1
Page size: 2112 (2.062 KiB)
Vendor: 194 (?)
Number of devices: 1
Logical Media Table
Drive No: 0 Type: 0 (Data) Tag: 0xa (Data) Size: 112.000 MiB
Drive No: 50 Type: 0x1 (System) Tag: 0x50 (Boot) Size: 3.750 MiB
Drive No: 60 Type: 0x1 (System) Tag: 0x60 (?) Size: 3.750 MiB
Drive No: 70 Type: 0x1 (System) Tag: 0x70 (?) Size: 3.750 MiB
Drive No: 3 Type: 0x2 (Hidden) Tag: 0xc (?) Size: 1.000 MiB
Drive No: 2 Type: 0x2 (Hidden) Tag: 0xb (Hidden) Size: 1.000 MiB
Drive 00
Sector size: 2048 (2.000 KiB)
Erase size: 131072 (128.000 KiB)
Drive size: 110493696 (105.375 MiB)
Sector count: 53952
Type: 0 (Data)
Tag: 0 (System)
Component version: 0.0.0
Project version: 0.0.0
Write protected: 0
Drive 50
Sector size: 2048 (2.000 KiB)
Erase size: 131072 (128.000 KiB)
Drive size: 3932160 (3.750 MiB)
Sector count: 1920
Type: 1 (System)
Tag: 0 (System)
Component version: 5.0.0
Project version: 4.1.0
Write protected: 0
Drive 60
Sector size: 2048 (2.000 KiB)
Erase size: 131072 (128.000 KiB)
Drive size: 3932160 (3.750 MiB)
Sector count: 1920
Type: 1 (System)
Tag: 0 (System)
Component version: 5.0.0
Project version: 4.1.0
Write protected: 0
Drive 70
Sector size: 2048 (2.000 KiB)
Erase size: 131072 (128.000 KiB)
Drive size: 3932160 (3.750 MiB)
Sector count: 1920
Type: 1 (System)
Tag: 0 (System)
Component version: 5.0.0
Project version: 4.1.0
Write protected: 0
Drive 03
Sector size: 2048 (2.000 KiB)
Erase size: 131072 (128.000 KiB)
Drive size: 1048576 (1.000 MiB)
Sector count: 512
Type: 2 (Hidden)
Tag: 0 (System)
Component version: 0.0.0
Project version: 0.0.0
Write protected: 0
Drive 02
Sector size: 2048 (2.000 KiB)
Erase size: 131072 (128.000 KiB)
Drive size: 1048576 (1.000 MiB)
Sector count: 512
Type: 2 (Hidden)
Tag: 0 (System)
Component version: 0.0.0
Project version: 0.0.0
Write protected: 0
Is someone able to explain a litte bit what I see here?
And it does extract a firmware. I will test the different sha values of my different Playaway firmwares before I dare to try an upgrade.
Am I interpreting it right, that this scsi functionality actually is part of the original Playaway firmware and not the ROM chip? And if so, I guess I can brick the device if I do an upgrade and for whatever reasons the newer firmware is then incompatible with that older Playaway and can not even run the mass storage mode?
Navigation
[0] Message Index
[#] Next page
Go to full version