yarolinux
Junior Member
Posts: 3
Joined: Wed Jul 13, 2016 7:26 pm

Modify firmware checksum on a cable box (OPENTEL HCB2-IR60)

Post by yarolinux »

Hello,

I managed to get the firmware to SPI flash (Spansion FL032PIF), and I have also been able to enter through the serial console. My question is: is there any possibility to remove the firmware checksum? When I made some change in it, I got an error at boot: "MAC SPCB field has failed".

This is the PCB --->

Image

It's an OPENTEL HCB2-IR60

This is the boot log --->

http://pastebin.com/39huZ2zT

This is the flash info -->


Device Name          Description
-------------------  ---------------------------------------------------------
              uart0  16550 DUART at 0xB0406800 channel 0
      flash0.Loader  SPI  flash at 1F000000 offset 00000000 size 1024KB
         flash0.cfe  SPI  flash at 1F000000 offset 00100000 size 512KB
      flash0.dummy0  SPI  flash at 1F000000 offset 00180000 size 64KB
     flash0.KeyInfo  SPI  flash at 1F000000 offset 00190000 size 64KB
      flash0.macadr  SPI  flash at 1F000000 offset 001A0000 size 64KB
       flash0.nvram  SPI  flash at 1F000000 offset 001B0000 size 64KB
 flash0.loader-info  SPI  flash at 1F000000 offset 001C0000 size 64KB
      flash0.header  SPI  flash at 1F000000 offset 001D0000 size 64KB
        flash0.CPCB  SPI  flash at 1F000000 offset 001E0000 size 64KB
        flash0.BBCB  SPI  flash at 1F000000 offset 001F0000 size 64KB
      flash0.splash  SPI  flash at 1F000000 offset 00200000 size 512KB
      flash0.dummy1  SPI  flash at 1F000000 offset 00280000 size 512KB
      flash0.dummy2  SPI  flash at 1F000000 offset 00300000 size 1024KB
      nandflash0.DB  New NAND flash at 00000000 offset 00000000 size 5120KB spare 256KB
  nandflash0.dummy3  New NAND flash at 00000000 offset 00500000 size 1024KB spare 128KB
  nandflash0.Irdeto  New NAND flash at 00000000 offset 00600000 size 5120KB spare 256KB
     nandflash0.usr  New NAND flash at 00000000 offset 00B00000 size 10240KB spare 512KB
nandflash0.Main-APP  New NAND flash at 00000000 offset 01500000 size 12288KB spare 768KB
  nandflash0.kernel  New NAND flash at 00000000 offset 02100000 size 8192KB spare 256KB
  nandflash0.NonCRC  New NAND flash at 00000000 offset 02900000 size 1024KB spare 128KB
nandflash0.avail-na  New NAND flash at 00000000 offset 02A00000 size 88064KB spare 2048KB
               eth0  GENET Internal Ethernet at 0xB0430800

This is the CPU INFO -->


cpuinfo 
system type		: BCM7552B0 STB platform
processor		: 0
cpu model		: Broadcom BMIPS3300 V3.2
BogoMIPS		: 499.71
cpu MHz			: 501.012
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 32
extra interrupt vector	: yes
hardware watchpoint	: no
ASEs implemented	: mips16
shadow register sets	: 1
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available

I hope for help, thank you!

Post by yarolinux »

This is the XML config file based on the flash info.


<Test>
   <Name>HCB2-IR60</Name>
   <Cat>CableBox</Cat>
   <Protocol>SPIFLASH</Protocol>
   <Endian>Big</Endian>
   <Memorys>
      <Memory>
         <Name>Loader</Name>
         <Type>1</Type>
         <Address>0</Address>
         <Size>0x100000</Size>
      </Memory>
      <Memory>
         <Name>cfe</Name>
         <Type>1</Type>
         <Address>0x100000</Address>
         <Size>0x80000</Size>
      </Memory>
      <Memory>
         <Name>dummy0</Name>
         <Type>1</Type>
         <Address>0x180000</Address>
         <Size>0x10000</Size>
      </Memory>
      <Memory>
         <Name>KeyInfo</Name>
         <Type>1</Type>
         <Address>0x190000</Address>
         <Size>0x10000</Size>
      </Memory>
      <Memory>
         <Name>macadr</Name>
         <Type>1</Type>
         <Address>0x1A0000</Address>
         <Size>0x10000</Size>
      </Memory>
      <Memory>
         <Name>nvram</Name>
         <Type>1</Type>
         <Address>0x1B0000</Address>
         <Size>0x10000</Size>
      </Memory>
      <Memory>
         <Name>loader-info</Name>
         <Type>1</Type>
         <Address>0x1C0000</Address>
         <Size>0x10000</Size>
      </Memory>
      <Memory>
         <Name>header</Name>
         <Type>1</Type>
         <Address>0x1D0000</Address>
         <Size>0x10000</Size>
      </Memory>
      <Memory>
         <Name>CPCB</Name>
         <Type>1</Type>
         <Address>0x1E0000</Address>
         <Size>0x10000</Size>
      </Memory>
      <Memory>
         <Name>BBCB</Name>
         <Type>1</Type>
         <Address>0x1F0000</Address>
         <Size>0x10000</Size>
      </Memory>
      <Memory>
         <Name>splash</Name>
         <Type>1</Type>
         <Address>0x200000</Address>
         <Size>0x80000</Size>
      </Memory>
      <Memory>
         <Name>dummy1</Name>
         <Type>1</Type>
         <Address>0x280000</Address>
         <Size>0x80000</Size>
      </Memory>
      <Memory>
         <Name>dummy2</Name>
         <Type>1</Type>
         <Address>0x300000</Address>
         <Size>0x100000</Size>
      </Memory>
   </Memorys>
</Test>

Post by yarolinux »

This is the full backup, 4096 KB in total ->
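
An added example, not part of the original posts and not any tool's own code: a Python check that the flash0 rows of the device table above are contiguous, add up to the 4096 KB the backup is said to contain, and map onto the `<Memory>` entries of the XML config. The function names are this example's own, and the 4096 KB chip size is taken from the last post.

```python
import re
import xml.etree.ElementTree as ET

# flash0 rows copied from the device table in the first post (column padding dropped).
CFE_TABLE = """
flash0.Loader  SPI  flash at 1F000000 offset 00000000 size 1024KB
flash0.cfe  SPI  flash at 1F000000 offset 00100000 size 512KB
flash0.dummy0  SPI  flash at 1F000000 offset 00180000 size 64KB
flash0.KeyInfo  SPI  flash at 1F000000 offset 00190000 size 64KB
flash0.macadr  SPI  flash at 1F000000 offset 001A0000 size 64KB
flash0.nvram  SPI  flash at 1F000000 offset 001B0000 size 64KB
flash0.loader-info  SPI  flash at 1F000000 offset 001C0000 size 64KB
flash0.header  SPI  flash at 1F000000 offset 001D0000 size 64KB
flash0.CPCB  SPI  flash at 1F000000 offset 001E0000 size 64KB
flash0.BBCB  SPI  flash at 1F000000 offset 001F0000 size 64KB
flash0.splash  SPI  flash at 1F000000 offset 00200000 size 512KB
flash0.dummy1  SPI  flash at 1F000000 offset 00280000 size 512KB
flash0.dummy2  SPI  flash at 1F000000 offset 00300000 size 1024KB
"""
ROW = re.compile(r"flash0\.(\S+)\s+SPI\s+flash at \w+ offset ([0-9A-Fa-f]+) size (\d+)KB")

def parse_partitions(text):  # -> [(name, offset, size_in_bytes)] sorted by offset
    parts = [(m[1], int(m[2], 16), int(m[3]) * 1024) for m in ROW.finditer(text)]
    return sorted(parts, key=lambda p: p[1])

def check_layout(parts, chip_size):
    """List gaps, overlaps, and any mismatch between the map and the chip size."""
    problems, cursor = [], 0
    for name, off, size in parts:
        if off > cursor:
            problems.append(f"gap {cursor:#x}-{off:#x} before {name}")
        elif off < cursor:
            problems.append(f"{name} at {off:#x} overlaps the previous partition")
        cursor = max(cursor, off + size)
    if cursor != chip_size:
        problems.append(f"map ends at {cursor:#x}, chip is {chip_size:#x}")
    return problems

def to_xml(parts):
    """Emit <Memory> entries shaped like the thread's XML; Type "1" is copied from it."""
    root = ET.Element("Memorys")
    for name, off, size in parts:
        mem = ET.SubElement(root, "Memory")
        for tag, val in zip(("Name", "Type", "Address", "Size"), (name, "1", f"0x{off:X}", f"0x{size:X}")):
            ET.SubElement(mem, tag).text = val
    ET.indent(root, space="   ")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    parts = parse_partitions(CFE_TABLE)
    print(check_layout(parts, 4096 * 1024), to_xml(parts), sep="\n")
```

An empty list from `check_layout` means the thirteen SPI partitions tile the chip exactly, so any offset in the dump can be attributed to a single named region.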