اعادة برمجة جهاز استقبال عطالن يمكن العثور على جميع ... - TELE-satellite

FEATUREReceiver FirmwareThe Solution for aFaulty Firmware UpdateVitor Martins AugustoFor those of you who update satellitereceiver software on a more regularbasis, you will almost certainly recognizethese two aggravating problems:uploading the wrong software or a versionthat is incompatible as well as theunexpected power failure during an update.If either of these problems showtheir face, the result is almost always a“dead” receiver or as it’s also called, a“brick” - good for nothing.But wait, there might still be one lastchance to upload the software if the receivercomes with a JTAG interface. Butfirst things first. What actually happenswhen you turn on a receiver? When thereceiver is turned on, the processorstarts a program called the “Bootloader”.The “Bootloader’s” job is to determineat the start if a firmware updateshould be undertaken. If that’s not thecase, it would then copy the contentsof the flash memory into RAM and willstart the firmware from there. This processof copying the Flash to RAM and atthe same time uncompressing it is responsiblefor the time delay that occursduring a receiver power up.The “Bootloader” program can befound in the flash memory at a specificaddress (usually the last 64KB, startingat &H7FFFE000). If no program canbe found at this address or the wrongone happens to be there, the processorwon’t be able to start the receiver andit instantly turns into a brick. Nothingworks anymore.There are two different situationshere: if the “Bootloader” is still intactbut the firmware itself is missing or corrupt,it won’t be able to start the receiver,however, since the “Bootloader”is also responsible for firmware updates,the user can still upload the correctfirmware through the “Bootloader”.But it’s much worse if the “Bootloader”itself is missing. You won’t be able todo anything at all. Many manufacturersoffer updated firmware that doesn’t involvereplacing the “Bootloader” in orderto prevent problems like this. If the■The inside of a standard receiver. The arrow points to the JTAG connector while the circlehighlights a white triangle that indicates pin #1 on the JTAG connector. The JTAG interfaceis plugged in such that the red line on the cable is on the same side as the triangle.216 TELE-satellite — Global Digital TV Magazine — 10-11/2011 — www.TELE-satellite.com

13“Bootloader” is defective, the receivercan no longer be started. On the whole,it would probably be better to includea new installation of the “Bootloader”program with every new firmware update.If the receiver displays “8888” ornothing at all, then the firmware updatehas failed. If the receiver can nolonger perform an update via the serialinterface, then it’s safe to say thatthe “Bootloader” has been deleted andnothing will work anymore.Experienced users enjoy the idea ofuploading the firmware from anotherreceiver, for example, because thehardware is identical. Many budget receiversare based on the same hardware;the manufacturer simply matchesthe firmware to the receiver. It couldtherefore be quite interesting to try outthe firmware from another manufacturer.In this case though you almostalways have to update the “Bootloader”software. It’s easy to mistakenlyupload the wrong firmware and at thesame time the wrong “Bootloader”.If the receiver can no longer startup because of the lack of the correctfirmware and “Bootloader”, then thereare only two ways to repair the receiver.Either you unsolder the Flashchips, reprogram them externally andthen resolder them in place with all ofthis requiring professional equipmentto remove, reprogram and reinstall thechips, or, with a little bit of luck, you’llfind a JTAG interface on the main circuitboard. The JTAG interface provides anindirect way to access the Flash chipsvia the processor. When the box isturned on, the processor is placed intoa specific mode so that you can read,delete and reprogram the Flash chips.For this to work you’d need a JTAGinterface along with the correspondingsoftware. Fortunately, it’s fairly easy2to fabricate a JTAG interface so thatit can be inexpensively purchased inmany electronic shops. If you can’t finda JTAG interface in your local store, youcan build one yourself. All you need is afew resistors and a standard 74HC244Nbuilding block. You’ll find schematicdiagrams in the Internet for every capablereceiver that can be programmedvia JTAG.The JTAG protocol consists of sixlines:• TRST • TDO • TDI• TCK • TMS • GNDQuite often manufacturers use a standardplug with 20 pins. If this isn’t thecase, it becomes necessary to determinethe correct pin layout. Normally,the correct JTAG pin layout for specificreceivers can be found by performing aGoogle search when you’re not dealingwith a standard 20-pin connector.The JTAG interface is connected toyour PC via the parallel port. But firstyou have to check and see if such a PCstill exists in your house. Your best betwould be to use an older laptop withWindows XP. A laptop like this wouldalso be perfect to use for uploadingnew receiver firmware via the serial4interface and should therefore be anintegral part of your toolkit. WindowsVista and Windows 7, especially the 64-bit versions, often have problems withthe tools for firmware uploads.Many receivers are based on processorsmanufactured by STi. This is thecase with most budget receivers. Andjust for this family of processors there’san excellent freeware program: jKeys.This tool functions perfectly with theJTAG interface on the parallel port andthrough a current database automaticallyrecognizes most of the STi processorsin common receivers. Most ofthe time, however, jKeys cannot recognizethe receiver’s Flash chip. Thereare far too many different Flash chipsout there and every manufacturer usestheir own set of chips; you’d have tobe able to read the name of the manufacturerand the model of the chip andthen find the corresponding datasheetin the Internet.For our example we’ll use a standardreceiver. The built-in Flash chip is themodel MX 29LV160CTTC. A search onGoogle yields numerous websites thatprovide the necessary datasheet. Whyis it so easy to find this? It has to do1. The rear panel of an older laptop: parallelports and serial interfaces were standardback then and are needed for the JTAGinterface. Don’t throw away or give awaythose old laptops! They can serve as excellentrepair tools!2. Our workstation for our JTAG firmwarework.3. If the receiver only displays “8888” ornothing at all, then the firmware upload hasfailed. If the receiver doesn’t talk anymoreregarding a firmware update through theserial port, it’s safe to say that the “Bootloader”was also deleted.4. A look inside our defective sample receiver:here you can see the STi chip to thelower left (an STi 5518BVC) as well as theMX 29LV160CTTC-70G Flash chip and theJTAG connector. These components arealways located close to each other sincethe connections between them have to bekept short because of the high frequenciesbeing used.218 TELE-satellite — Global Digital TV Magazine — 10-11/2011 — www.TELE-satellite.comwww.TELE-satellite.com — 10-11/2011 — TELE-satellite — Global Digital TV Magazine 219

cisely 2MB. Once the programming processhas been completed, you simplyturn the receiver off, remove the JTAGinterface and then turn the receiverback on. The newly uploaded softwareshould then automatically start.To make sure that the receiver wascorrectly programmed and won’t crashbecause of some faulty configuration, itis recommended that the original firmwarebe loaded via the serial interface.The process described here works withnearly every STi processor based receiver.But what do you do if you have a receiverthat doesn’t come with an STiprocessor? It still pays to look into itfurther: many manufacturers use aJTAG interface on the main circuitboard and offer either officially or unofficiallyJTAG software for their receiver.A quick search via Google will revealthe necessary pin layout for the JTAGinterface as well as the correspondingprogramming software. This will allowyou to program various Linux receivermodels through JTAG.Another problem is that many usersdon’t have a backup of the firmwarethat they can use to reload onto a receivervia JTAG. Even here there arepossibilities:1) You can extract the firmware froma second functional receiver.2) You can search the Internet to seeif someone else has exactly the firmwarethat you need.3) You can extract the firmware froma manufacturer’s firmware update.With the last option you should notethat a firmware update often includesa so-called “header”, in other words, aspecific number of bytes that describethe firmware and are not programmedonto the Flash chip. In a case like this,you would need to open the firmware ina Hex editor and delete the extra bytesthat don’t belong to the firmware. Thisactually sounds harder to do than it reallyis.First of all, the firmware must be exactlythe same size as the capacity ofthe Flash chip. If it’s 2MB (2048 KB) insize, then the firmware must be exactlythe same size. Therefore, you simplycut out the corresponding bytes rightat the start. Sometimes only the “Bootloader”is made available. This wouldhave to be loaded at the end of theFlash chip’s memory space, typically at&HFFFE000. This involves the last 64KBand the data containing the “Bootloader”must have exactly this size. Ifyou’re only loading the “Bootloader”program, the receiver still won’t work,but at least you’ll be able to upload thefirmware through normal channels.Modern, more sophisticated receiversquite often don’t come with a JTAGconnector. In order to handle any firmwareupgrades, a slightly different conceptis used: the receiver operates usingtwo “Bootloaders”. The “First StageBootloader” checks to see if any firmwareneeds to be uploaded. If that’s notthe case, a “Second Stage Bootloader”is run that then starts up the existingfirmware. The advantage to this methodis that the “First Stage Bootloader”is never overwritten; this would allowthe user to reload the firmware in anysituation.Manufacturers of proprietary receiversfor PayTV providers do thingsquite differently. Here there’s not onlyno JTAG connector (it’s been omittedon purpose), there are also no circuitboard tracks available from the pro-4. If the deleting and programming modeof the Flash chip has been successfullyactivated, this menu will appear.5. Security question before starting theFlash chip writing process.cessor on the main board where a usercould attach a JTAG connector. On topof that, the Flash chip is made inaccessibleby a special type of glue. All of thisis designed to prevent a hacker fromgaining access to the contents of theFlash chip which would contain criticalencryption data.If you tried working with JTAG justonce before, it won’t seem so difficultthe next time. The big advantageis that once you know how to do it,you can easily return a receiver to itsoriginal condition through JTAG shouldsomething ever go wrong.Smaller specialized digital TV companieswould certainly be able to bringmany receivers back to life since thereare many end users out there that willmanage to make a mistake uploadingfirmware. Digital receivers aren’t theonly devices that utilize the JTAG protocol;in fact, you’ll find it in almostany device that uses a processor and aflash chip. This would make it possibleto save even Smartphones and otherdevices after a failed firmware update.But let’s not forget that safety is paramount!Be careful when working insidean exposed receiver! Keep in mindthat receivers come with an integrated220V power supply (110V in some partsof the world)! Take every safety precaution!One false move could place theJTAG interface in contact with a powersupply component; this could lead toserious damage to the receiver and potentialelectric shock to the user. Makesure the JTAG interface is securely inplace before turning the receiver on.222 TELE-satellite — Global Digital TV Magazine — 10-11/2011 — www.TELE-satellite.com