Hacking Samsung BD-P1620A/BD-P3600

Piorun

Here is a short guide on how to enable the telnet service on BD-P1620A / BD-P3600 players.

!!! You can damage your player, so think twice before you go forward PLEASE!!!!!

The guide is for experts who know Linux, NFS and TFTP (configuration steps for NFS / TFTP services are not included).


The BD-P1620A and BD-P3600 players use the same BD-3600 motherboard (Broadcom BCM97601 chipset); the BD-P1620 has the BD-P1600 board. You can use the same procedure for the Momitsu 799 and other clones, but you need to find the console connector on the mainboard.

1. Connecting the RS-232 console:
Code:
OPUCN1(BDP3600) and UCON1(BDP1600) pinouts:
|1 3 5.....13  15|
 \2 ..........14/
1 TX
3 RX
13 3.3V
15 GND
COM : 115200,n,8,1 and you have to use TTL -> RS232 converter

2. When player is starting, you will see:
Code:
Booting Secured CFE...
BCM97601 B0-BSEC  CFE v2.1.12 (CFE core v2.1, BSP_REV 12), Endian Mode: Little
Build Date: Tue May 19 14:46:23 KST 2009 ([email protected])
Copyright (C) Broadcom Corporation
Quickly press CTRL-C, and you should get "CFE>". If not, you were too slow; try again.

3. Run kernel in single mode
Code:
CFE>splashsd -480p;boot -elf -z flash0.kernel: 'root=/dev/romblock2 console=0,115200n8 BDVD_BOOT_AUTOSTART=n BAPP_OUT=/dev/console  single ro'
You should get the shell!

4. Dumping rootfs and kernel
Code:
mount -t proc none /proc
mount /dev/sda1 /var
#or mount /dev/sdb1 /var
cd /var
#check /dev/mtd partitions
cat /proc/mtd
nanddump /dev/mtd1  -f  kernel.gz
nanddump /dev/mtd2  -f  rootfs.bin
#Copy both files to TFTP server
Code:
ifconfig eth0 192.168.10.6 netmask 255.255.255.0 up
tftp -p 192.168.10.7 -l kernel.gz
tftp -p 192.168.10.7 -l rootfs.bin

5. Boot player on NFS (single mode)
- Mount rootfs.bin on NFS server (unsquash it before mounting)

Code:
CFE>ifconfig eth0 -addr=192.168.10.6 -mask=255.255.255.0 -gw=192.168.10.2 -dns=192.168.10.2
CFE>boot -elf -z  flash0.kernel:  "ip=192.168.10.6:192.168.10.2:192.168.10.2:255.255.255.0:bdp::off root=/dev/nfs ro nfsroot=192.168.10.7:/bdp/rootfs console=0,115200n8 BDVD_BOOT_AUTOSTART=y BAPP_OUT=/dev/console single rw"

- Set password and enable telnetd
Code:
# passwd 
# vi /root/rc.user
---
#!/bin/sh
telnetd -d
---

6. Boot player on NFS with telnetd enabled

Code:
CFE>ifconfig eth0 -addr=192.168.10.6 -mask=255.255.255.0 -gw=192.168.10.2 -dns=192.168.10.2
CFE>boot -elf -z  flash0.kernel:  "ip=192.168.10.6:192.168.10.2:192.168.10.2:255.255.255.0:bdp::off root=/dev/nfs ro nfsroot=192.168.10.7:/bdp/rootfs console=0,115200n8 BDVD_BOOT_AUTOSTART=y BAPP_OUT=/dev/console rw"


7. Write new rootfs to NAND
This is a dangerous step; you shouldn't do it if you plan to run the player from NFS only.
DON'T touch the /dev/mtd0 and /dev/mtd10 partitions: you can damage your player!
- You have to build the modified squash on NFS server
- Copy it to /var via tftp or NFS
- And write new squash rootfs to /dev/mtd2
Code:
nandwrite -p -a /dev/mtd2 new_rootfs.bin

That's ALL!
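Before unsquashing the rootfs.bin from step 4, and again after the nandwrite in step 7, it is worth checking that the dumps are complete and that the write landed as intended. The Python below is an added example (my code, not Piorun's): it reads the squashfs superblock and the gzip framing of the kernel dump, reports truncation and whether the rest of the partition is erased-flash padding, and compares a written image against a fresh readback of the same partition. The sample images are constructed inside the block; the 128 KiB erase-block size is an assumption, and the real value is the erasesize column of /proc/mtd on the player.

```python
import gzip
import struct
import zlib

SQUASHFS_MAGIC_LE = b"hsqs"   # little-endian image; the CFE banner reports Endian Mode: Little
SQUASHFS_MAGIC_BE = b"sqsh"
GZIP_MAGIC = b"\x1f\x8b"
SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def _is_padding(tail: bytes) -> bool:
    """Erased NAND reads back as 0xFF; some dump tools zero-fill instead."""
    return tail == b"\xff" * len(tail) or tail == b"\x00" * len(tail)


def inspect_squashfs(image: bytes) -> dict:
    """Read the superblock fields shared by squashfs 3.x and 4.0 (magic, byte order,
    version) and, for 4.0 images, the compressor and bytes_used, so a rootfs dump
    can be judged complete before it is unsquashed."""
    if len(image) < 32:
        raise ValueError("too short to hold a squashfs superblock")
    if image[:4] == SQUASHFS_MAGIC_LE:
        end = "<"
    elif image[:4] == SQUASHFS_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("no squashfs magic at offset 0: %r" % image[:4])
    # In both the 3.x and 4.0 superblock layouts the major/minor words sit at offset 28.
    major, minor = struct.unpack(end + "HH", image[28:32])
    info = {"endian": "little" if end == "<" else "big", "version": (major, minor)}
    if major == 4:
        if len(image) < 48:
            raise ValueError("truncated inside the squashfs 4 superblock")
        (compressor,) = struct.unpack(end + "H", image[20:22])
        (bytes_used,) = struct.unpack(end + "Q", image[40:48])
        info["compressor"] = SQUASHFS_COMPRESSORS.get(compressor, "unknown")
        info["bytes_used"] = bytes_used
        # A partition dump is normally longer than the filesystem it holds, so a
        # file shorter than bytes_used means the dump stopped early.
        info["truncated"] = len(image) < bytes_used
        info["clean_padding"] = _is_padding(image[bytes_used:])
    return info


def inspect_kernel_gz(image: bytes) -> dict:
    """Confirm the kernel dump starts with a gzip member, decompress it up to the
    trailer (zlib verifies CRC and length) and report what follows the member."""
    if image[:2] != GZIP_MAGIC or image[2] != 8:
        raise ValueError("not a gzip/deflate stream")
    dec = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # 16+ selects gzip framing
    payload = dec.decompress(image)
    if not dec.eof:
        raise ValueError("gzip stream ends before its trailer: the dump is truncated")
    return {
        "decompressed_size": len(payload),
        "member_size": len(image) - len(dec.unused_data),
        "clean_padding": _is_padding(dec.unused_data),
    }


def verify_writeback(written: bytes, readback: bytes, erase_block: int = 128 * 1024) -> bool:
    """After 'nandwrite -p', dump the partition again and check that it starts with
    the image and carries 0xFF padding up to the next erase-block boundary.  Blocks
    beyond that boundary are not touched by nandwrite and may still hold old data,
    so they are ignored.  erase_block is an assumption; read it from /proc/mtd."""
    if len(readback) < len(written) or readback[: len(written)] != written:
        return False
    padded_end = -(-len(written) // erase_block) * erase_block
    pad = readback[len(written):padded_end]
    return pad == b"\xff" * len(pad)


def build_sample_rootfs(bytes_used: int = 96, partition_size: int = 256) -> bytes:
    """Constructed stand-in for rootfs.bin: a squashfs 4.0 superblock carrying only
    the fields the checks read, padded with 0xFF like an erased NAND partition."""
    sb = bytearray(96)
    sb[0:4] = SQUASHFS_MAGIC_LE
    struct.pack_into("<I", sb, 12, 131072)        # block_size
    struct.pack_into("<H", sb, 20, 1)             # compressor: gzip
    struct.pack_into("<HH", sb, 28, 4, 0)         # version 4.0
    struct.pack_into("<Q", sb, 40, bytes_used)    # bytes_used
    return bytes(sb) + b"\xff" * (partition_size - len(sb))


def build_sample_kernel(pad: int = 64) -> bytes:
    """Constructed stand-in for kernel.gz: a real gzip member followed by 0xFF padding."""
    return gzip.compress(b"constructed kernel payload\n" * 16) + b"\xff" * pad


if __name__ == "__main__":
    print(inspect_squashfs(build_sample_rootfs()))
    print(inspect_kernel_gz(build_sample_kernel()))
    image = build_sample_rootfs(partition_size=96)
    readback = image + b"\xff" * 32 + b"\x00" * 16   # stale block after the padded end
    print(verify_writeback(image, readback, erase_block=128))
```

On a real dump, feed the file contents to inspect_squashfs and inspect_kernel_gz; a truncated result or dirty padding means the partition size or the mtd number used for nanddump should be rechecked against /proc/mtd before anything is written back.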
 
Thanks Piorun,
I take it if the new rootfs fails to boot, you can still get a CFE prompt and boot over NFS to restore the original rootfs?

Is this player a Broadcom reference design, or close to it? (Using Broadcom software)
I have an "Allure" branded one, and can get a login prompt on the serial port just by ^C after it has booted.
Then just 'root', no password, and I can start telnetd.
Should we be able to write a modified squashfs rootfs to /dev/mtd2 (or other?) from that normal running environment? Or is it essential to boot in single user mode from CFE?

And out of curiosity, any idea what equipment is needed to recover should you write to the wrong nand partition?
ie How did they load the firmware in the first place? Is there any sort of ROM-based loader?

Allure thread is here:
Clive Peeters $99 Blu Ray, any good? - DVD/Blu-ray - Home theatre
$99 Bluray Player From Clive Peters - DTV Forum Australia - Australia's Leading Digital TV and AV Forum
 
These steps worked perfectly on insignia player. Only difference is the cable and the mtd device number. Insignia uses /dev/mtd10 instead of /dev/mtd2
 
@piorun

I tried to do this on a Samsung BD-C5500/XAA, it works almost the same.

But something was wrong with my squashfs'd rootfs; the player did not start. Are there special options required when you create the squashfs image from rootfs with mksquashfs?

Thanks

habee

P.S.: I could offer drmregion.flash from Region A/1
 
Are there special options required when you create the squashfs image from rootfs with mksquashfs?
I use old redhat distribution with squashfs 3.0 - no special options ..
 
I found this thread and I have a question. I'm trying to enter the boot sequence via RS232 on a BD-C5300. I found the 15-pin connector area and now I would try to connect via TTL, but as I also have to connect the 3.3V I would like to know how I can work out the right pinout for my player. How did you discover that 1=TX, 3=RX and 13=3.3V? I think that trying to find the right scheme without some logic is not a good idea?!?!
Any help will be very appreciated!
 

Attachments

  • RS_BD_15pins.png (40 KB)
Yes, I know. I've searched and found the service manual for my player and I realized that the pin numbers are the same, thanks ;) Now I'll try the physical connection, hoping it'll work.
 
You could also look on the bottom side of the mainboard:

https://sourceforge.net/apps/phpbb/samygo/viewtopic.php?f=16&t=1156

BD-C5500 and C5300 are almost the same, they share the same firmware.

If you get it to run I would be interested in a complete firmware dump as a way to change region settings (especially drmregion). I have a region A/1 player.

I think the main settings regarding the region code are stored in a flash EEPROM 24c02 which is placed close to the front micom processor (IC8).

Unfortunately you can flash the EEPROM from the CFE console (using the flasheeprom command), but you cannot read it.

Maybe I'll try to desolder it and read it externally.

Bye habee
 
Wonderful, thanks for the link. Now I have a question: as the 5300 is probably exactly the same as the 5500 except for DLNA support, and changing the firmware directly with the 5500 RUF is impossible due to the hash check, would loading the 5500 dump on the 5300 unlock the DLNA function on the 5300? Or is it enough to change the BD_MODEL variable with the "setenv" command and then load the 5500 firmware from the player GUI?
Ah, my player is region B for Blu-ray and region 2 for DVD by default (DVD can be made region free). ;)
I'll make a dump as soon as I can so it's possible to compare the two versions.

Now I think it's better to continue in the thread you linked, as this one is for the P1620 and I've made enough off-topic posts.
 
Hi guys,

I am a new user here interested in firmware hacking, especially of linux devices.

Thanks a lot for your work! I would like to hack my Samsung BD-C5500 but I do not dare to solder any cables to the connectors...

Could anyone please mail me the partitions? I would love to have a look at the Linux files. Perhaps there is a possibility to get telnet access to the device without opening it. I thought of a firmware modification or a special "update" for opening the ports. That would be my aim...

Thanks in advance

faxs
 
Hi habee

Did you manage to get anything done with the region code?
 
Hi there,

I've got a broken BD-P1600 with a BD3600 PCB. The player is stuck in the loading mode and nothing more happens.
The problem is that I am not an expert with Ubuntu and now I need some little help.

I installed Ubuntu 10.04 on my old notebook, because it has a serial interface.

After starting putty.exe I get the message "kernel.gz not found".

I really don't know where to copy the kernel and the other files into the directory structure of Ubuntu.

Hope someone could help me.

Thanks in advance and sorry for the bad English.

cheers
mano
 
Mano, you are trying to run a windows program on linux? Better treat this as a learning exercise, not a repair attempt.

Putty is for Windows. You want something like minicom. But better to learn some linux first.
We have a saying about trying to run before you can walk.

Also, there is no point using "old notebook, because it has an serial interface.". You need a TTL signal, so better to buy a USB device that does this, not a standard rs-232 port.

Good luck. I hope you learn from this and do not get discouraged completely.
 
@mykh,

thanks for your answer.

Sorry that it was not clear that I use PuTTY 0.61 for Linux, and I also use a TTL converter.

My problem is how I can configure TFTP and NFS, and also I don't know where to copy the files into the Linux file system.

cheers
mano
 
Mano, you said "putty.exe".

OK, so the "kernel.gz not found" message came from where? From the command typed at the CFE prompt??

You need to install NFS and TFTP servers on linux first.
# apt-get install nfs-kernel-server tftpd

Google will help you further.
 
Yes, the message "kernel not found" comes from the CFE command line.

NFS and TFTP were installed before.

Now I am searching for the share folder for TFTP. I didn't find it.


thanks in advance
 
Now I am a little bit further.

Now I can use PuTTY.
I try

splashsd -480p
ifconfig eth0 -addr=192.168.0.198 -mask=255.255.255.0 -gw=192.168.0.1 -dns=192.168.0.1
boot -elf -z -tftp 192.168.0.199:kernel.gz "ip=192.168.0.198:192.168.0.1:192.168.0.1:255.255.255.0:bdp::off root=/dev/nfs ro nfsroot=192.168.0.199:/bdp/1620 console=0,115200n8 BDVD_BOOT_AUTOSTART=y BAPP_OUT=/dev/console rw"

and get following error
Successfully loaded secure elf image....
Entry address is 0x80322450
Closing network.
Starting program at 0x80322450

[4294667.296000] -- DDR Bank 0: 128 MB
[4294667.296000] -- DDR Bank 1: 256 MB
[4294667.296000] Linux version 2.6.24.7_257-uclibc-brcm (root@monster) (gcc version 4.2.0 20070124 (prerelease) - BRCM 9ts-20080702) #5 Thu Mar 11 18:40:18 KST 2010
[4294667.296000] Kernel command line: ip=192.168.0.198:192.168.0.1:192.168.0.1:255.255.255.0:bdp::off root=/dev/nfs ro nfsroot=192.168.0.199:/bdp/1620 console=0,115200n8 BDVD_BOOT_AUTOSTART=y BAPP_OUT=/dev/console rw
[4294667.299000] Bad page state in process 'swapper'
[4294667.299000] page:d8004020 flags:0x05000000 mapping:00000000 mapcount:-65537 count:0
[4294667.299000] Trying to fix it up, but a reboot is needed
[4294667.299000] Backtrace:
[4294667.300000] Bad page state in process 'swapper'
[4294667.300000] page:d8004040 flags:0x05000000 mapping:00000000 mapcount:-65537 count:0
[4294667.300000] Trying to fix it up, but a reboot is needed
[4294667.300000] Backtrace:


Something must be wrong, but I don't know what.

cheers
mano
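The ip= and nfsroot= parameters in the boot lines of steps 5 and 6 of the guide, and in the command in the post above, have a fixed field order, and a single wrong field leaves the kernel unable to mount its root over NFS. The Python below is an added example (my code, not from anyone in this thread): it splits the two parameters the way the kernel's nfsroot documentation defines them and reports inconsistencies such as a field that is not an address, an autoconf value the kernel does not know, or an NFS server that is off the client's subnet with no gateway given. GUIDE_BOOT_LINE is the step 6 kernel command line copied from the first post; the sample inputs in the test are constructed variations of it.

```python
import ipaddress
import shlex

# Values the kernel accepts in the autoconf field of ip=.
AUTOCONF = {"off", "none", "on", "any", "dhcp", "bootp", "rarp", "both"}
# Field order of ip=<client>:<server>:<gw>:<netmask>:<hostname>:<device>:<autoconf>:<dns0>:<dns1>:<ntp0>
IP_FIELDS = ("client", "server", "gateway", "netmask", "hostname",
             "device", "autoconf", "dns0", "dns1", "ntp0")

# Kernel command line from step 6 of the guide (the part between the quotes).
GUIDE_BOOT_LINE = ("ip=192.168.10.6:192.168.10.2:192.168.10.2:255.255.255.0:bdp::off "
                   "root=/dev/nfs ro nfsroot=192.168.10.7:/bdp/rootfs console=0,115200n8 "
                   "BDVD_BOOT_AUTOSTART=y BAPP_OUT=/dev/console rw")


def parse_cmdline(cmdline: str) -> dict:
    """Split a kernel command line into key/value pairs; bare flags such as 'ro' map to None."""
    params = {}
    for word in shlex.split(cmdline):
        key, sep, value = word.partition("=")
        params[key] = value if sep else None
    return params


def _addr(text: str):
    """Return an address object, or None if the text is not a valid IP address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_nfs_boot(cmdline: str) -> list:
    """Return the problems found in the ip=/nfsroot= parameters; [] means consistent."""
    problems = []
    params = parse_cmdline(cmdline)
    if params.get("root") != "/dev/nfs":
        problems.append("root= is not /dev/nfs")
    ip = params.get("ip")
    if ip is None:
        return problems + ["ip= is missing"]
    fields = dict(zip(IP_FIELDS, ip.split(":")))
    addrs = {}
    for name in ("client", "server", "gateway", "netmask"):
        text = fields.get(name, "")
        if text:
            addrs[name] = _addr(text)
            if addrs[name] is None:
                problems.append("ip= field %s is not an address: %r" % (name, text))
    autoconf = fields.get("autoconf", "")
    if autoconf and autoconf not in AUTOCONF:
        problems.append("ip= autoconf field %r is not one of %s" % (autoconf, sorted(AUTOCONF)))
    nfsroot = params.get("nfsroot")
    if nfsroot is None:
        return problems + ["nfsroot= is missing"]
    # nfsroot=[<server-ip>:]<root-dir>[,<nfs-options>]; without a server the
    # kernel falls back to the server field of ip=.
    server_text, sep, path = nfsroot.partition(":")
    if not sep:
        server_text, path = fields.get("server", ""), server_text
    path = path.split(",")[0]
    server = _addr(server_text)
    if server is None:
        return problems + ["nfsroot server %r is not an address" % server_text]
    if not path.startswith("/"):
        problems.append("nfsroot path %r is not absolute" % path)
    # The NFS server must sit on the client's subnet, or a gateway must be given.
    client, netmask = addrs.get("client"), addrs.get("netmask")
    if client is not None and netmask is not None:
        net = ipaddress.ip_network("%s/%s" % (client, netmask), strict=False)
        if server not in net and addrs.get("gateway") is None:
            problems.append("NFS server %s is off-subnet and no gateway is given" % server)
    return problems


if __name__ == "__main__":
    print(check_nfs_boot(GUIDE_BOOT_LINE))                          # []
    print(check_nfs_boot(GUIDE_BOOT_LINE.replace("bdp::off", "bdp::of")))
```

Note that a clean result only says the line is self-consistent; a boot that still fails with the kernel's "Bad page state" messages, as in the post above, points at the kernel image or the hardware rather than at the command line.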
 
After recovering a BD-P1600 (http://www.avforums.com/forums/blu-...-samsung-bd-p1620-after-firmware-upgrade.html), I played with it for a while and discovered some interesting stuff:

1) The region code (at least for DVD) is stored in binary file /mnt/pstor/pharos_setup2.ini at offset 0x28. Setting it to 09 will make the player region free. BD region is likely at offset 0x29, but I did not test it. It may be useful for firmwares where the 6 digit code method does not work.

2) There is a smb/cifs support in kernel, so it's possible to mount a windows network share into the filesystem.
If mounted into a subdirectory of a connected usb drive, player will nicely browse and play the files over the network.

I know this thread and discussed devices are quite old, but I thought it might be still useful for somebody.
 
