Steve's Homepage
http://www.steves-homepage.co.uk/cgi-bin/yabb/YaBB.cgi
http://www.steves-homepage.co.uk/cgi-bin/yabb/YaBB.cgi?num=1382391739

Message started by dannyt0812 on Oct 21st, 2013, 11:42pm

Title: JTAG DRX 890-C
Post by dannyt0812 on Oct 21st, 2013, 11:42pm

Does anybody know if it's possible to JTAG the DRX-890c? Also, I was wondering if using TTL to access the receiver is possible at all.

Title: Re: JTAG DRX 890-C
Post by Matt52656 on Feb 6th, 2014, 11:32pm

I tried to jtag it, but with no luck..... I can provide details/attempts I made if you are willing to carry on....

However, I think I have fried it now, due to an ESD shock. It's now completely unstable and does not boot.

Title: Re: JTAG DRX 890-C
Post by Matt52656 on Feb 12th, 2014, 10:24am

Hello, no prob, I can post it up here.   You'll have to give me a little bit to gather my old info - so you can understand it.

Also, I used the phrase ESD shock, it was more of an earth/grounding shock (well, it really hurt me!)

Title: Re: JTAG DRX 890-C
Post by Matt52656 on Feb 12th, 2014, 1:15pm

The main problem was I could not find a proper datasheet for the BCM7335 CPU, or even something similar. The only Broadcom STB chip pinout I found was this:
http://hwdb.mipt.cc/BCM7405/Pinout
So it looks like it's on the top right of the chip, everywhere else on the board does not look right / in use by something.

I used these photos and ALT-Tabbed between them so I could flip between the top and the bottom of the board and follow the tracks more easily (although it's probably a multi-layered board).
http://jpegbay.com/gallery/003402614-.html#1 http://img1.jpegbay.com/gallery/003402614/1_t.jpg http://jpegbay.com/gallery/003402614-.html#2 http://img1.jpegbay.com/gallery/003402614/2_t.jpg
The second image is mirrored...  (Line up the pink dots)
I marked the corner of the chip to where I think the JTAG pins could be (based on the pins' location on the board/chip). This area has to be the only logical choice, because the tracks lead off to nowhere. Just a bank of pull-up/pull-down resistors, and because they're 5K, that implies to me that they are just ... well, you see.


10 x 4k7 Resistors:
I measured them and wanted to see what happened if I toggled them during bootup.

Code:
Original Setting      Does boot on polarity Change  (plus comment)
1 +v                  yes
2 0v                  yes      (if pulled high... pulls low after 3 secs)
3 0v                  yes      (if pulled high... pulls low after 3 secs)
4 0v                  yes      (if pulled high... pulls low after 3 secs, after 6 secs its a clock sng until 28 secs (about 0.1us))
5 0v                  yes      (if pulled high... pulls low after 3 secs)
6 +v                  yes      (3 sec power up signal)
7 0v                  yes      (if pulled high... pulls low after 3 secs, after 6 secs its a clock sng until 28 secs (about 0.1us))
8 +v                  no      (outputs on bootup, 6 secs in, flash read?, clock 0.0375us (about 0.05us))
9 0v                  no      (if pulled high... pulls low after 3 secs, then blips a few times)
10 0v                  yes      (if pulled high... pulls low after 3 secs)

I removed the resistors, and I think I used 1K's to pull them in the other voltage direction? to see what happens.

All voltages are 3.3v except the first 3 boot-up seconds of the I2C interface, which was 1.8v (I think?).


BTW, after 3 seconds it starts to read the flash at the bottom of the board.

Here's a little timeline I tried to put together (this is based on assumption):

Code:
Power on:       Flash Read Bootloader   Flash Stops     Flash Read F/W                  Flash Stops     S/W Unpacked?
\/              \/                      \/              \/              \/              \/              \/
-----------------------------------------------------------------------------------------------------------------------
0 secs          3 secs                  5.4 secs        6.3 secs        ~29 secs        34.1 secs       ~77 secs
red led              yellow led                              A/V on          A/V off                              (No HDD)
               Power to Flash
                                               |data pins |            (Codeloader:
                                               |short here|            Booting Linux
                                               |S/W update|            kernel)






Anywayz,
I made a kind-of jtag-scanner using 2 parallel ports (via 2 PCs / very low) to see if I could get anything out of them, but I did not succeed. Maybe because I was only using 1K pull-up resistors (that made 4mA), and I'm not sure if the clock rise time was too slow? At the time I wanted to play it safe so I would not damage it (oh the irony). I've had similar problems when trying to read/write flash chips directly.

I tried scanning it when it was booting normally, in "Software Update Mode" or completely Crashed by shorting(ish) a couple of the data pins on the flash.
I'm sure the jtag is in that area of those 6 odd pins above, I just can not do any more.  Well at least I have a spare 500GB drive now   :)
http://jpegbay.com/gallery/003402614-.html#4 http://img1.jpegbay.com/gallery/003402614/4_t.jpg

I was planning to bypass the card reading part of the code, so I can record without a subscription & change the Anytime space down to 1GB.  If you do extract the firmware, would you mind sending it to me.  Just out of curiosity.  And get any other PROM/BROM, which is probably located at 0xBFC00000.





OTHER:
------
I also looked at the Flash and the I2C port on the board.  I gave up on the flash idea (I hate BGA chips), but tried the I2C bus.
http://jpegbay.com/gallery/003402614-.html#3 http://img1.jpegbay.com/gallery/003402614/3_t.jpg
Those pins go directly into the CPU.  And because there is a voltage selection bridge, it has to be I2C because there is no standard voltage in the specs.
I tried to make my own I2C connector/program, and of course I got nowhere. When I bombarded it with random data, it sometimes got stuck. I mean the Clock or the Data line went Low and stayed Low. So it makes me think that it is an active port. Perhaps if you have a proper I2C connection, you will do better than I did.

There is a Broadcom program called "Broadband Studio 3" which can talk to the BCM97335 Chip directly via I2C.  I think that would be a good place to start with this connector. (Probably Slave Address 8 ?)



I hope I've explained myself OK, any Q's?
I take lots of photos, because I find it's the best way to see the tiny-tiny components on the board.

Title: Re: JTAG DRX 890-C
Post by Matt52656 on Feb 21st, 2014, 3:13am

Hello Digibox333, sorry I can not help. I need to own the box in order to debug the running memory, and it takes a lot of effort.
The Pace3100 uses the ST20 instruction set. And as far as I know... no HD box uses these old chips anymore. It's all the MIPS instruction set (mostly).

Title: Re: JTAG DRX 890-C
Post by Digibox333 on Feb 23rd, 2014, 12:24am

Can't wait for hd modification info  :) cheers

Title: Re: JTAG DRX 890-C
Post by dannyt0812 on May 8th, 2014, 11:44pm

I think you could be onto something with the I2C. I think the board needed to connect directly via I2C is the following: Cypress CY7C68013A EZ-USB FX2LP USB2.0 Development Board/module

The VU receiver uses the same CPU and people have used this board to connect. I have ordered one to have a play with, just waiting for it to arrive.

Title: Re: JTAG DRX 890-C
Post by dannyt0812 on May 29th, 2014, 5:45pm

Cypress board has finally arrived but so far no luck. I've used the 3.3v selection bridge and linked up to Broadband Studio but it just won't connect.
There is something going on though. Now I've linked the 3.3v voltage bridge, the box won't boot when the Cypress board is connected. The yellow LED light comes on but that's as far as it goes. Nothing on screen and no response. If I disconnect, it boots properly again.
There is obviously more to getting the I2C port active so we can connect to it. I'll keep trying and post any updates.

Title: Re: JTAG DRX 890-C
Post by Digibox333 on May 29th, 2014, 11:13pm

Nice one Danny fair play :)

Title: Re: JTAG DRX 890-C
Post by Digibox333 on May 29th, 2014, 11:46pm

Hi Danny, I also have a Cypress board, how did you link the 3.3v voltage bridge?
Cheers :)

Title: Re: JTAG DRX 890-C
Post by Digibox333 on May 29th, 2014, 11:49pm

The fact that the box won't boot may indicate you have done what you're supposed to do but are missing the bcm7335 msi file to open in Broadband Studio when trying to connect. The VU uses bcm97335; I think there may be a difference, although I'm not entirely sure! :)

Title: Re: JTAG DRX 890-C
Post by Digibox333 on May 29th, 2014, 11:50pm

A bit like when you have the jtag on the pace 3100 and switch on it doesn't boot if you know what I mean cheers

Title: Re: JTAG DRX 890-C
Post by dannyt0812 on May 30th, 2014, 1:11am

If you take a look at the pictures above in this thread you will see what looks like the I2C port. Directly under the +V pin is the 3.3v bridge. I just soldered those two spots together. You could be right about the msi file; I only have the 97335. I can't seem to find one for the 7335. I don't know just how different these files are and if that is the problem.

Title: Re: JTAG DRX 890-C
Post by delboy1234 on Sep 29th, 2014, 2:42pm

Unfortunately still not having luck with JTAG/I2C. The msi file is the correct one for BBS so that isn't the problem. I managed to find somewhat of a chip diagram (_http://www.2shared.com/document/nkt6a6wF/BCM7335_EJTAG.html).
After looking at this it took me to somewhere else on the board for the I2C port but still the same result. When the Cypress board is connected the box fails to boot properly but nothing past that.

I still think it's possible to connect to the box but I'm wondering if the chip is somewhat 'password protected'. What I mean by that is you would need to use a key sequence or command to connect. Again no luck with this either so far.

If anyone has any other ideas on this let me know what you think

Title: Re: JTAG DRX 890-C
Post by delboy1234 on May 30th, 2015, 1:37pm

I see this has gone very quiet in the last few months. Is anybody still looking at this?
I've done various testing but the options (EJTAG, RS232, TTL, I2C, BBS) are all closed off as standard.
I think the only other option is to look along the lines of glitching the CPU similar to the xbox.

Title: Re: JTAG DRX 890-C
Post by Matt52656 on Jan 13th, 2017, 1:59pm

This is in response to the message on the other thread.....


delboy1234 wrote:
That's some impressive work. Did that give you full access to the board over an I2C connection? How did you go about tracing pinouts on the board for something like that?

The new HD boxes (DRX890) also use a similar MIPS32 processor in the form of BCM7335.
I have got a pinout for the BCM7335 that shows EJTAG and BBS pinouts but as you're already aware they don't seem to be active.
BCM7335_EJTAG.zip (attachment)


AAAHHHH you have a diagram which shows you some pin numbers, that should be really useful.  Did you find the pins on the board ???
I "guess" it would be best to hold the RESETb line down while you power up the board, so it's more likely that the EJTAG would be accessible using something like UrJTAG (or whatever you use)?

IMHO I would give up on the I2C/BBS connection because I think Sky would never allow this.


About finding the board pinouts (on a Thomson box not the Amstrad).....
All those connections were direct pins to the flash. I see that Sky uses dual flashes for backup so I removed one of them to see the pins.
* Unfortunately I removed the primary and not the backup, which caused power on issues.  So I had to bodge the CE lines *
The thing that helped me map out the pins was aluminum foil... I had one of the multimeter probes on a flash pin, then I rubbed the probe (with the foil) over the board until I heard the annoying buzz from the multimeter.

Another thing I did for a completely different small BGA chip was to cut a very thin strip of foil and slide it under the chip. So I could find the outside pins 'quite' easily. But the inner pins were a pain.

Here's some old pictures, because I'm guessing you are curious.

Title: Re: JTAG DRX 890-C
Post by delboy1234 on Jan 19th, 2017, 10:37pm

Unfortunately not. I connected the JTAG to the board in what I thought was the correct area but didn't get anything back from UrJTAG.
I could have messed up the pull-up resistor values, got the wrong connection for the RESETb line or just damaged the board when soldering.

Picked up a new DRX890 today so hope to have another try over the weekend.
Either way it's good to see some activity in this and the other thread again!

Title: Re: JTAG DRX 890-C
Post by johnjoes58 on Apr 28th, 2017, 10:06am


delboy1234 wrote:
Unfortunately still not having luck with JTAG/I2C. The msi file is the correct one for BBS so that isn't the problem. I managed to find somewhat of a chip diagram (_http://www.2shared.com/document/nkt6a6wF/BCM7335_EJTAG.html).
After looking at this it took me to somewhere else on the board for the I2C port but still the same result. When the Cypress board is connected the box fails to boot properly but nothing past that.

I still think it's possible to connect to the box but I'm wondering if the chip is somewhat 'password protected'. What I mean by that is you would need to use a key sequence or command to connect. Again no luck with this either so far.

If anyone has any other ideas on this let me know what you think


Has anyone got a working link for the drx890 chip?

Title: Re: JTAG DRX 890-C
Post by romman on Dec 18th, 2018, 2:48am

Has anyone had a look at this?

http://www.ph-mb.com/products/sky-fw-tool

Just wondering if the firmware could be modified for recording purposes like the old pvr2. I suppose what's key with later Sky boxes is the Sky-modified Linux firmware and its security checks prohibiting access via JTAG.

Does anyone know if any of these later model Sky boxes have BGA chips in use?

Cheers
