Serial pinout, and getting MRUA running

[matthewc]

I'm using my Wiz as a loungeroom media player, and I'm rapidly getting frustrated with the CD player on it, which has lots of little bugs. Anyway, I figure that rather than complaining I should do something about it.


The first issue that I ran into while debugging stuff on the Wiz is that it's a pain to get the kernel messages. BW has compiled the kernel with Sigma Designs' CONFIG_SD_UARTPRINTK hack, which sends output only to the serial port and not to dmesg (see the SD kernel sources in the GPL_DA package). You can get the very last line written by peeking in kernel memory, but beyond that you'd have to hook printk to log stuff somewhere.

I figured that rather than going down that path it would be more useful in the long run to connect a serial cable to my Wiz. As correctly guessed by peteru and verified with an oscilloscope, the serial console (/dev/ttyAM0) is the 4-pin header on the motherboard, the pinout looks like this:

Code: Select all

1 [right side]: +5V
2: serial data out (3.3V LVTTL, 115200 8n1)
3: serial data in, presumably (5K pulldown to GND)
4: GND

Why the 5V, I hear you ask? Well, to interface it to an RS-232 serial port you're going to want to use a MAX232 or similar... which happens to need a 5V supply. How very convenient. I'm going to put together a cable tomorrow and will report back.


In terms of actually getting a replacement CD player app working, I've been looking at getting the MRUA libraries from SD (also in the GPL_DA package) running on the box. All of the SD sample apps eventually break with error 12, RM_INVALIDMODE, when 'setting'/'exchanging' properties (which are the interface to hardware modules on the chip). Supposedly that means that it thinks the property is read-only. For instance:

Code: Select all

# ./colorbars
[colorbars.c:134] Cannot set color bars intensity, 12
# ./display_ascii 0 -X 300 -Y 200 -S 2 -F 255,0,0,255 -B 0,0,255,128 font.psf "foo bar"
[osdlib.c:227] Cannot exchange Property 4019 on module 3, 12
Error getting OSD infos : RM_INVALIDMODE
# ./play_picture mono.bmp
[parse_display_cmdline.c:1779] Cannot open display 12
[play_picture.c:205] Cannot set display options 12

A number of the bits do seem to work, though, as evidenced by the following strace from play_mp4 (using my own hacked strace which prints out em8xxx stuff):

Code: Select all

ioctl(4, EM8XXX_IOCTL_SET_PROPERTY, {moduleId=18 propId=4026 propInVal=0x91b4e5c6 propInSize=0x1 propOutVal=(nil) propOutSize=0 status=6}) = 0
ioctl(4, EM8XXX_IOCTL_SET_PROPERTY, {moduleId=19 propId=4026 propInVal=0x91b4e5c6 propInSize=0x1 propOutVal=(nil) propOutSize=0 status=6}) = 0
ioctl(4, EM8XXX_IOCTL_SET_PROPERTY, {moduleId=20 propId=4026 propInVal=0x91b4e5c6 propInSize=0x1 propOutVal=(nil) propOutSize=0 status=18}) = 0
ioctl(4, EM8XXX_IOCTL_SET_PROPERTY, {moduleId=21 propId=4026 propInVal=0x91b4e5c6 propInSize=0x1 propOutVal=(nil) propOutSize=0 status=18}) = 0

Property ID 4026 is set contrast; notice how it succeeds with status=6(OK) for the first two (digital/analog outputs) and fails with 18(NOT_FOUND) for the others (component/composite outputs) which aren't present on the 862xL chips.

I can only guess that maybe that there's a slight ABI difference between the em8xxx module from the GPL_DA package and the one on the Wiz, or maybe wizdvp is setting things up so as to lock out other apps (although I've tried killing wizdvp before running the apps).

Anyone else played with MRUA? Anyone have any ideas?

[tonymy01]

Holy toledo, have you posted any of this on " http://www.openwiz.org/wiki/Main_Page " ?
We were just talking about the 4 pin connector on #openwiz last week, and PeterU come to the conclusion that nothing much was working on it, he fried his serial to TTL adapter trying to get anything from it.
It seems you have done way more tweaking than most of us I think, only maybe Eric Fry and possibly Peter/PRL have gone into this depth?
Regards

[matthewc]

Not yet, but I'll do that when I have a moment.

Quick update on MRUA stuff:

I looked at another version of MRUA that SD released and the numbers for the property IDs in emhwlib_properties_1000.h are rather different, even though the functionality is much the same (apparently the file is autogenerated from some master list). I suspect that the whole thing depends on building userspace code against the same header files that were used for emhwlib in the kernel.

Ho hum. The most ideal option would be to get an updated source package out of Beyonwiz/SigmaDesigns - which they clearly must provide in order to comply with the GPL, it's not sufficient to provide old kernel sources that don't correspond to what they're shipping. The other, less desirable, option is to try and build a kernel from scratch using the old SD sources (thus hopefully being able to build a matching set of userspace and kernel components).

[peteru]

Where do you get your toolchain and sources from?

I've tried to get GPL compliance from Beyonwiz, but it goes ignored. The best response I've had so far was from Steven Han. Needless to say, I was underwhelmed by that response. Clearly Beyonwiz are not complying with their GPL obligations, but his response seems to suggest that they have no intention to comply. Perhaps I am misundertanding his response - you can judge for yourself.

Either way, I would be very happy to get a hold of a compatible toolchain and kernel source so that we can build alternative firmware that is still binary compatible with the proprietary Beyonwiz applications.

Edit: Fixed link to point to the correct post.

[matthewc]

I'm using the toolchain and sources from Sigma Designs, i.e. from the GPL_DA package. The build breaks intermittently but with a bit of fiddling I got it all to build from start to end. I tried a couple of the other toolchains suggested on OpenWiz but had various problems with them (particularly binary compatibility with the non-open-source bits of MRUA ). Possibly in hindsight I could now build a toolchain from scratch, but the SD one works well.

At some point I'll go through the process again and see if I can put together a howto for building it. If there's a particular point in the build you can't get past, though, feel free to ask me.

The link in your post (re Steven Han) doesn't seem to work...

[Gully]

Matthew, try this link

http://www.beyonwiz.com.au/phpbb2/viewt ... 9169#19169

[matthewc]

I get "The topic or post you requested does not exist" (just to confirm, URL is viewtopic.php?p=19169#19169). How very odd.

[peteru]

I'm using the toolchain and sources from Sigma Designs, i.e. from the GPL_DA package.

Do you mean the 188MB download over at http://www.services.digitus.de/data/dow ... 900.tar.gz ?

The link in your post (re Steven Han) doesn't seem to work...

Fixed.

[matthewc]

Yep, that's the one.

The link still doesn't work for me for some reason...

BTW, I added a few additional little details on the OpenWiz Hardware pages. I find it quite neat how they use the USB card reader IC to double as the microcontroller.

[peteru]

I see why the link does not work. The post was in the beta forums, which have restricted access. I'll quote:

Hi

There's virtually no GPL code we can provide.
Strictly say, we use libraries under LGPL license.

So what can you do with GPL codes that we're using?
There's not much. You maybe make some applications that runs on our box.
Since we use the GCC/uClinux/uClibc/strport.

But you won't be able to create any application that shows something on your TV,
because the drivers, libraries, bootloader and a lot of other things are SigmaDesigns'
intellecture property. And I can't let you use it because you're not paying for using them.

So I don't feel right that somebody say "give me all the GPL thing in your box".
All the GPL code is downloadable from www.gnu.org.

LGPL libraries we're using are
libjpeg zlib libpng ptmalloc etc

GPL tools we're using are
uclinux(2.4.26) gcc (2.95.3) uclibc stlport

That's all.

What can you really do with these things?
What can we open more?

As I said 2 weeks ago, there's no plan for TAPI equivalent things, for now.
And It's incorrect to say GPL with TAPI things.
If they release TAPI under GPL that's fine.
But still, we can't let you do anything with our box if you keep talking about GPL.
We need totally different way of doing this.

(like the codecs that run in the on-chip video processor)

There's nothing really interesting with Codecs.
They are all hardwired except WMA/WMAPRO which is compiled binaries,
not in the form of source codes.
They run some kind of software in there processor, and it's called microcodes by them.
The microcode is hiddel in the driver (i think) and it can't be compiled with given
dev environment, since we don't have the compiler nor the source code.
I think they won't open it forever. Wink

Thanks.
_________________
Regards,
Steven Han @ RnD, BeyonWiz

[peteru]

BTW, I added a few additional little details on the OpenWiz Hardware pages. I find it quite neat how they use the USB card reader IC to double as the microcontroller.

Interesting. The extra info on the front panel MCU / card reader suggests that the front panel firmware is in fact capable of being re-programmed in-circuit using the USB port. This means that some of the information that we got from Beyonwiz in the past is not quite right.

To be more specific, it should be possible to change the IR decode process so that an alternative set of IR code can be used in installations with more than one Beyonwiz PVR.

[matthewc]

I got the serial port adapter working, based on the pinout I posted above. So without further ado, here's a log of the Beyonwiz booting...

First there's some 20 bytes of binary gunk, not sure if this is at a different baud rate or just meant for some program to interpret. Then:

Code: Select all

SIGMVersion : 1.0.14.4 build 10
System ID              : 08080000:0E20BE3E

(pause as Linux loads)

Code: Select all

Linux version 2.4.26-uc0-sigma-20070326-nm (hanjo@secondwave.nazgul33.com) (gcc version 2.95.3 20010315 (release)) #98 Thu May 8 02:14:21 KST 2008
Found bootloader memory map at 0x10000fc0.
Processor: ARM pt110 revision 0
Architecture: EM86XX
Tango15 Rev B (kernel supports Rev B)
Board name is wmc_au_0_9
On node 0 totalpages: 16384
Free page pool initialized (size=512)
zone(0): 16384 pages.
Warning: wrong zone alignment (0x90080000, 0x0000000c, 0x00001000)
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/blkmem/0
Calibrating delay loop... 100.76 BogoMIPS
Memory: 64MB = 64MB total
Memory: 44364KB available (2412K code, 17913K data, 64K init)
Dentry cache hash table entries: 8192 (order: 4, 65536 bytes)
Inode cache hash table entries: 4096 (order: 3, 32768 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 4096 (order: 2, 16384 bytes)
Page-cache hash table entries: 16384 (order: 4, 65536 bytes)
fastmapmm_big: allocated 0x80000 from 0x93d80000-0x93e00000
POSIX conformance testing by UNIFIX
PCI: bus0: Fast back to back transfers disabled
PCI: Configured EM86XX as a PCI slave with 128MB PCI memory
PCI: Each Region size is 16384KB
PCI: Reserved memory from 0x10080000 to 0x14080000 for DMA and mapped to 0x11000000
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
skbmem: allocated 0x400000 from 0x93680000-0x93a80000
Initializing RT netlink socket
EM86XX: Setting UART0 as partial GPIO.
EM86XX: Setting UART1 as partial GPIO.
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
NTFS driver 2.1.6b [Flags: R/O].
udf: registering filesystem
pty: 256 Unix98 ptys configured
serial_em86xx: setup_console @ 115mumk_register_tasklet: (0) tasklet 93e84460 status @912b1428
ir: driver loaded (wait_period = 20, buffer_size = 2)
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 5 disk images:
0: 902FF000-91284BFF [VIRTUAL 102FF000-11284BFF] (RO)
1: 46020000-467DFFFF [VIRTUAL 46020000-467DFFFF] (RO)
loop: loaded (max 8 devices)
8139too Fast Ethernet driver 0.9.27
eth0: RealTek RTL8139 at 0x60112000, 00:19:1e:00:23:33, IRQ 13
eth0:  Identified 8139 chip type 'RTL-8100B/8139D'
Uniform Multi-Platform E-IDE driver Revision: 7.00beta4-2.4
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
EM86XX Bus Mastering IDE activated as ide0.
Bounce buffer starts at 0x12f80000
hda: ST3250820ACE, ATA DISK drive
hdb: EPO EPO-LDR DP-306D, ATAPI CD/DVD-ROM drive
IDE: Set drive 0 to Ultra DMA mode 3
IDE: DMA enabled for ATA DISK hda
IDE: Set drive 1 to Ultra DMA mode 3
IDE: DMA enabled for ATAPI CDROM hdb
ide0 at 0x223c0-0x223c7,0x22398 on irq 18
hda: attached ide-disk driver.
hda: host protected area => 1
hda: 488397168 sectors (250059 MB) w/8192KiB Cache, CHS=30401/255/63
hdb: attached ide-cdrom driver.
### : ide_cdrom_probe_capabilities returned
	cd_r_read = 1
	cd_rw_read = 1
	method2 = 1
	dvd_rom = 1
	dvd_r_read = 1
	dvd_ram_read = 1
	cd_r_write = 0
	cd_rw_write = 0
	test_write = 0
	dvd_r_write = 0
	dvd_ram_write = 0
	audio_play = 1
	composite = 0
	digport1 = 0
	digport2 = 0
	mode2_form1 = 1
	mode2_form2 = 1
	cdda = 1
	cdda_accurate = 1
	rw_supported = 1
	rw_corr = 0
	c2_pointers = 1
	isrc = 1
	upc = 1
	lock = 1
	lock_state = 0
	prevent_jumper = 0
	eject = 1
	mechtype = 1
	separate_volume = 1
	separate_mute = 1
	disc_present = 0
	maxspeed = 32784
	n_vol_levels = 65280
	buffer_size = 2
	curspeed = 8196
hdb: ATAPI 24X DVD-ROM drive, 512kB Cache
Uniform CD-ROM driver Revision: 3.12
Partition check:
 /dev/ide/host0/bus0/target0/lun0: p1
SCSI subsystem driver Revision: 1.00
Probing EM86XX Flash Memory
EM86XX mapped flash: Found an alias at 0x800000 for the chip at 0x0
 Amd/Fujitsu Extended Query Table v1.3 at 0x0040
number of CFI chips: 1
Using word write method
cfi_cmdset_0002: Disabling fast programming due to code brokenness.
Creating 5 MTD partitions on "EM86XX mapped flash":
0x00020000-0x007d0000 : "RootFS"
0x007d0000-0x007e0000 : "Config"
0x007e0000-0x007f0000 : "Config2"
0x007f0000-0x00800000 : "SplashConfig"
0x00000000-0x00020000 : "BootROM"
rt2500 1.1.0 BETA4 2006/06/18 http://rt2x00.serialmonkey.com
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
ehci_hcd 00:02.2: PCI device 1106:3104
ehci_hcd 00:02.2: irq 14, pci mem 60112100
usb.c: new USB bus registered, assigned bus number 1
ehci_hcd 00:02.2: USB 2.0 enabled, EHCI 1.00, driver 2003-Dec-29/2.4
hub.c: USB hub found
hub.c: 4 ports detected
host/uhci.c: USB Universal Host Controller Interface driver v1.1
host/uhci.c: USB UHCI at I/O 0x58000400, IRQ 14
usb.c: new USB bus registered, assigned bus number 2
hub.c: USB hub found
hub.c: 2 ports detected
host/uhci.c: USB UHCI at I/O 0x58000420, IRQ 14
usb.c: new USB bus registered, assigned bus number 3
hub.c: USB hub found
hub.c: 2 ports detected
Initializing USB Mass Storage driver...
usb.c: registered new driver usb-storage
USB Mass Storage support registered.
usb.c: registered new driver QPixel USB H.264 codec
Linux video capture interface: v1.00
Initializing Cryptographic API
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 4096 bind 4096)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
cramfs: wrong magic
FAT: bogus logical sector size 25728
FAT: bogus logical sector size 25728
VFS: Mounted root (romfs filesystem) readonly.
Mounted devfs on /dev
Freeing init memory: 64K
init started:  BusyBox v1.00 (2008.04.08-13:14+0000) multi-call binary
Starting pid 11, console /dev/ttyAM0: '/etc/rc.sysinit'
hub.c: new USB device 00:02.2-1, assigned address 2
scsi0 : SCSI emulation for USB Mass Storage devices
  Vendor: Generic   Model: IC1210        CF  Rev: 1.9E
  Type:   Direct-Access                      ANSI SCSI revision: 02
  Vendor: Generic   Model: IC1210        MS  Rev: 1.9E
  Type:   Direct-Access                      ANSI SCSI revision: 02
  Vendor: Generic   Model: IC1210    MMC/SD  Rev: 1.9E
  Type:   Direct-Access                      ANSI SCSI revision: 02
  Vendor: Generic   Model: IC1210        SM  Rev: 1.9E
  Type:   Direct-Access                      ANSI SCSI revision: 02
Attached scsi removable disk sda at scsi0, channel 0, id 0, lun 0
Attached scsi removable disk sdb at scsi0, channel 0, id 0, lun 1
Attached scsi removable disk sdc at scsi0, channel 0, id 0, lun 2
Attached scsi removable disk sdd at scsi0, channel 0, id 0, lun 3
PID 34 : code start = 0x92dc0040, code end = 0x92e184c0
WIZPIMP: vfd_version 01.05.235
PID 34 : code start = 0x92dc0040, code end = 0x92e184c0
sda: Unit Not Ready, sense:
 /dev/scsi/host0/bus0/target0/lun0: I/O error: dev 08:00, sector 0
 I/O error: dev 08:00, sector 0
 unable to read partition table
sdb: Unit Not Ready, sense:
 /dev/scsi/host0/bus0/target0/lun1: I/O error: dev 08:10, sector 0
 I/O error: dev 08:10, sector 0
 unable to read partition table
sdc: Unit Not Ready, sense:
 /dev/scsi/host0/bus0/target0/lun2: I/O error: dev 08:20, sector 0
 I/O error: dev 08:20, sector 0
 unable to read partition table
sdd: Unit Not Ready, sense:
PID 54 : code start = 0x91bac040, code end = 0x92040c00
dump.dat at 0x90D0C6F0
 /dev/scsi/host0/bus0/target0/lun3: I/O error: dev 08:30, sector 0
 I/O error: dev 08:30, sector 0
 unable to read partition table
WARNING: USB Mass Storage data integrity not assured
USB Mass Storage device found at 2
HDD : write cache disabled (1)
HDD : write cache enabled (1)
MSDOS FS: IO charset utf8
ir: Enable NEC decoder (0x00000000)
ir: Enable RC5 decoder (0x00000000)
sys_up : parsing /etc/config/network/wired
sys_up : parsing /etc/config/network/wireless
eth0: link down
sys_up : link status off (eth0)
sys_up : link status off (eth0)... skipping...

(N.B. I didn't have the Ethernet plugged in.)

On shutdown:

Code: Select all

<< a 
<< b 
<< c 
<< d 
<< e 
<< f 
>>> setting written to /dev/mtd/3
<< g 
<< h
ir: Disable NEC decoder
ir: Disable RC5 decoder
<< i 
>>>>>>>>>>>> Unmounting FILESYSTEMS >>>>>>>>>>>>>>
HDD : write cache disabled (1)
rootfs / rootfs rw 0 0
/dev/root / romfs ro 0 0
none /dev devfs rw 0 0
/dev/blkmem/1 /flash romfs ro 0 0
proc /proc proc rw 0 0
usbfs /proc/bus/usb usbfs rw 0 0
ramfs /tmp ramfs rw 0 0

>>>>>>>>>>>> Unmounted FILESYSTEMS >>>>>>>>>>>>>>
HDD : write cache disabled (1)
<< j 
>>> MICOM POWER OFF NOW

[peteru]

Nice. It looks like the IR decoder supports at least two IR protocols, and the decoders are programmable. That is good news for those with more than one Beyonwiz, since it means that is should be possible to switch the Beyonwiz to use a different set of IR codes through software only. All that is required is a remote that can send an alternative set of IR codes. It may be possible to use the TV mode of the original Beyonwiz remote to do that.

The challenge now is to get into the bootloader to see if we can pass some args to the kernel or possibly tftp boot with a different kernel/rootfs.

P.S. I think I fried my serial port adaptor when I tried 1.5 years ago because I used a Maxim 3232, which is only good for 3.3V. Next time, I'll try with an Intersil 3232, which will handle +5V.

[tonymy01]

Peter, does this mean that you had your chain pulled again? Didn't you say that in the past the Wiz guys said it definitely didn't have serial access? This is dissapointing deception by the Wiz guys, but excellent progress by Matthew!
Now, is there any way of building a Kernel with that info, I have never attempted this (the best I have done so far is getting the current busybox working on the Wiz using the toolchain here: http://mvixcommunity.com/~jeruko/ ).
This can also mean we can, say, have the Wiz multi-boot into various environments. It shouldn't be too hard to turn the Wiz into a Mediagate MG350 should it?
Regards

[prl]

Peter, does this mean that you had your chain pulled again? Didn't you say that in the past the Wiz guys said it definitely didn't have serial access? This is dissapointing deception by the Wiz guys, but excellent progress by Matthew!
...

The existence of a serial console port is implied pretty heavily by the setup in /etc/rc.sysinit, for example, that boot in MP_MODE runs the shell at the end of its startup sequence, and the comment that JIG_TEST boot mode has "no console shell". I'd always suspected that if the serial port connector could be found, all that would be needed to have access through it in NORMAL boot mode would be to add the file /tmp/config/shell to the config area.

What's the baud rate?

[peteru]

115200 8n1

Yes, when I asked about the serial port, I was told that it was not available. I'll give Beyonwiz the benefit of the doubt and will assume that they meant to say that there is no RS-232 serial port on the case of the unit available for end users. I'll chalk this up as a misunderstanding, rather than deception.

One of the trickiest problems to sort out on embedded devices when bringing up a Linux kernel on a new board, is the board specific configuration of devices. You usually need the circuit schematics of the board as well as data sheets for the various ICs and sometimes the specs or code for any programmable parts, such as ASICs. To do it right would require Beyonwiz to release the full source to all OpenSource parts of the kernel and linkable object files to anything that is not OpenSource. They are actually obliged to do so, but we all know that they are not very forthcoming in this department.

[efry]

Yes, when I asked about the serial port, I was told that it was not available. I'll give Beyonwiz the benefit of the doubt and will assume that they meant to say that there is no RS-232 serial port on the case of the unit available for end users. I'll chalk this up as a misunderstanding, rather than deception.

I was also told by Beyonwiz that the S1 didn't have serial pins on the motherboard. I got the feeling they were just trying to dissuade me from poking around with their firmware. As I asked if they had a serial connection so I could use it to reflash the device with a custom firmware.

Regards,
Eric

[peteru]

Well, I hope that Beyonwiz now get the message - lack of co-operation is not going to stop determined users.

The way I see it, Beyonwiz can either take advantage of the community support and make it easier for others to add value to their product, or they can alienate the community and watch everyone leave as soon as an alternative appears on the market. It's happened to Topfield - a lot of toppy hackers switched to the Beyonwiz. There's no reason to think that they will not switch again if something more interesting comes along.

[matthewc]

Some slow progress here. I've managed to enable debug in my bootloader...

Code: Select all

TANGO15-2 boot loader v1.0.14.4 for wmc_au_0_9/unnamed board
(C) Copyright 2002-2005 Sigma Designs, Inc

NOTE: this boot loader is designed to boot kernels made with the
      2.4.xx releases of the Sigma Designs ARMutils package

Built at Jun 28 2007 16:10:42
Loaded to 0x90060000
Found boot configuration
Booted from parallel flash.
CPU freq.: 202 MHz
DRAM size is 128MB (128MB/0MB)
DRAM0 Params (0xf63001f8/0x00084454)
Triggering LOW to reset pins
Version : 1.0.14.4 build 10
System ID              : 08080000:0E20BE3E
- ROMFS CHECK START : at 6
Triggering HIGH to reset pins
- MICOM GET PARAM DURING ROMFS CHECK : at 2500
BOOTPARAM: 00000000

- ROMFS CHECK END : at 3855
ROMFS found at 0x46020000, Volume name = mambo
File linux.bin.gz found
Unzipping image from 0x46020130 to 0x90090000, size = 3016389
Inptr = 0x0000001a(26)
Inflating....
Outcnt = 0x013b62a8(20669096)
Final Inptr = 0x002e06bd(3016381)
Original CRC = 0xc6d68bbd
Computed CRC = 0xc6d68bbd
@@ kunzip took 4730 miliseconds
Boot kernel at 0x90090000 with ROMFS at 0x46020000
Linux version 2.4.26-uc0-sigma-20070326-nm (hanjo@secondwave.nazgul33.com) (gcc version 2.95.3 20010315 (release)) #98 Thu May 8 02:14:21 KST 2008

And with 1+2+3+4+PWR:

Code: Select all

TANGO15-2 boot loader v1.0.14.4 for wmc_au_0_9/unnamed board
(C) Copyright 2002-2005 Sigma Designs, Inc

NOTE: this boot loader is designed to boot kernels made with the
      2.4.xx releases of the Sigma Designs ARMutils package

Built at Jun 28 2007 16:10:42
Loaded to 0x90060000
Found boot configuration
Booted from parallel flash.
CPU freq.: 202 MHz
DRAM size is 128MB (128MB/0MB)
DRAM0 Params (0xf63001f8/0x00084454)
Triggering LOW to reset pins
Version : 1.0.14.4 build 10
System ID              : 08080000:0E20BE3E
- ROMFS CHECK START : at 6
Triggering HIGH to reset pins
- MICOM GET PARAM DURING ROMFS CHECK : at 2500
BOOTPARAM: 00000004

PCI: Configured EM86XX as a PCI slave with 16MB PCI memory
PCI: Each Region size is 2048KB
PCI: Reserved memory from 0x94980000 to 0x95580000 for DMA and mapped to 0x10400
Found RTL8139 at PCI IDSEL 1
  Assign I/O address from 0x58100000, size 0x100
  Assign Memory address from 0x64000000, size 0x100
  Use Memory Mapped I/O
  Chip version: 0x74 (RTL8139C)
  MAC address: 00:19:1E:00:23:33
Bring up network with DHCP.
Discovering DHCP server...
Timeout. Retrying...
Timeout. Retrying...
Timeout. Connection failed.
...............................................................................

Now I'm trying to get it to give me a bootloader prompt. Based on the output, I suspect that one needs a special BOOTPARAM from the micom, maybe there's a special button combination other than 1+2+3+4 to do this? Would be nice if Beyonwiz could provide that info... (but I'm not holding my breath).

[peteru]

Of course, the obvious question is - how is the bootloader debug output enabled? Do you think you could put some of this handy hacking info into the OpenWiz wiki please?

As far as the value of BOOTPARAM goes, you seem to have access to a DP-S1, it would be interesting to see what the BOOTPARAM value is when the unit is taken out of standby with the EJECT button.

I also wonder - if BOOTPARAM=0x04 when you press 1+2+3+4, does that imply that 1+2+3+5 may lead to BOOTPARAM=0x05? I wonder if the 0x04 is the flash partition number to boot from - perhaps the splash partition contains the flash recovery code.

When BOOTPARAM was 0x04, the ROMFS check never completed, Whatever ROMFS is checking, it appears that it interprets some byte sequences as instructions to perform specific tasks - such as MICOM GETPARAM.

Another random bit of info - when I had a look at the 1+2+3+4 DHCP/BOOTP requests from the Beyonwiz with wireshark, it was requesting not only the address, but also the TFTP bootserver and filename. I wonder if this is just a generic netboot mode and the recovery utility sends down a program that downloads the firmware image and then writes it to flash. If so, it may be possible to hijack this process to netboot alternative kernels.

[peteru]

A bit of very selective Googling came up with the following promising bits extracted from a different device. One of the MediaGate boxes, by the looks of the Japanese page. Apparently the MediaGate version of the bootloader can be interrupted with a keypress, but won't respond until a passphrase is entered. The passphrase for the MediaGate box happens to be "MediaGate." I think the passphrase was discovered by scanning the bootloader memory for ASCII strings.

Anyway, this is what the older versions of the bootloader on a MediaGate box can do:

Code: Select all

PCI: Configured EM86XX as a PCI slave with 16MB PCI memory
PCI: Each Region size is 2048KB
PCI: Reserved memory from 0x92590000 to 0x93190000 for DMA and mapped to 0x10400000
Found RTL8139 at PCI IDSEL 1
  Assign I/O address from 0x58100000, size 0x100
  Assign Memory address from 0x64000000, size 0x100
  Use Memory Mapped I/O
  Chip version: 0x74 (RTL8139C)
  MAC address: xx:xx:xx:xx:xx:xx
Bring up network with static IP address.

boot> help
TANGO10 boot loader 0.12.15
Copyright (C) 2002-2005 by Sigma Designs, Inc

Command List :
  help : shows list of commands
  help  : help on command
  boot  : boots kernel
  config  [options] : configures boot loader
  download   [gz] [address] [size] : downloads image via various media
  dump [option] [addr] [len] : dumps memory area
  flash  [args...] : flash commands
  ide  [args...] : IDE commands
  info  : shows information on specified class
  mem  [args] : reads from or writes to memory
  net  [args...] : network commands
  pci  [args...] : PCI operation
boot> help boot
  boot  : boots kernel
    rom : loads kernel from ROMFS in ROM and boots
    ide : looks for the bootable image in IDE devices and boots
    ide   [subpart] : loads kernel or romfs from IDE device and boots
    cd : loads kernel or romfs from CDROM and boots
    net : loads kernel via network and boots
    kernel : boots kernel directly on RAM
    initrd : boots kernel with separate initrd on RAM
    boot   : boots downloaded bootloader (TESTLOADERONRAM=y)
     : jumps to specified address
boot> help config
  config  [options] : configures boot loader
    clock [speed] : CPU clock configuration
      valid speed range : 100 - 200 MHz
    serial [baudrate] : UART configuration
      valid baud rate : 9600, 19200, 38400 (def), 57600, 115200 (fast)
    net : network configuration
    file : download filename setting
    cache/icache/dcache [on|off] : Enables or disables internal caches
    save/load [index(load only)] : save bootconfig
boot> help download
  download   [gz] [address] [size] : downloads image via various media
     : serial / ram / romfs / net
     : boot / romfs / initrd / kernel / kernelfs / binary / instfile /
      boot : boot loader (loader.bin)
      romfs : rom filesystem (romfs.bin)
      initrd : initial ramdisk (initrd.bin)
      kernel : kernel (linux.bin)
      kernelfs : kernel with separate filesystem (linux.bin)
      binary : any binary (address needs to be provided)
      instfile : installable file
    [gz] option : allows gzipped image. not used with 'ram' media
    [address] : valid with 'ram' media only
    [size] : valid with 'ram' media only
boot> help dump
  dump [option] [addr] [len] : dumps memory area
    [option] : -l (4 bytes), -w (2 bytes), -b (1 byte)
boot> help flash
  flash  [args...] : flash commands
    probe [addr] : probe flash
    list : show flash chip information
    boot : write boot loader image on RAM into FLASH
    romfs : write ROMFS image on RAM into FLASH
    erase  [len] : erase one or more sectors of flash memory
boot> help ide
  ide  [args...] : IDE commands
    probe  : probes drive (0/1)
    probeall : probes all drives
    eject  [open] : opens or closes CD-ROM tray
    kernel   [subpart] [addr] [length] : writes kernel image into IDE device
    romfs   [subpart] [addr] [length] : writes romfs image into IDE device
boot> help info
  info  : shows information on specified class
    edge : shows edge detector registers
    irq : shows interrupt controller registers
    fiq : shows fast interrupt controller registers
    sflash : shows serial flash controller registers
    pb : shows peripheral bus registers
    gpio : shows GPIO status
boot> help mem
  mem  [args] : reads from or writes to memory
    rb  : reads one byte of data
    rw  : reads two bytes of data
    rl  : reads four bytes of data
    wb   : writes one byte of data
    ww   : writes two bytes of data
    wl   : writes four bytes of data
    sum   : gives the sum of size bytes from addr
boot> help net
  net  [args...] : network commands
    config : shows current network configuration
    up : enables networking
    down : disables networking
    arp : shows entire ARP table
    arp  : gets the hardware address of specified host
    ping  : sends an ICMP echo message to specified host
    dhcp : requests DHCP
    status : shows network device status
boot> help pci
  pci  [args...] : PCI operation
    info : shows information about PCI host controller
    scan : scans entire PCI bus for PCI devices
    select  : selects specified device as current device
boot> boot rom
Unzipping image from 0x46020000 to 0x900A0000, size = 978010
Inptr = 0x00000014(20)
Inflating....
Outcnt = 0x001f07b0(2033584)
Final Inptr = 0x000eec4e(977998)
Original CRC = 0xa7486a03
Computed CRC = 0xa7486a03
Boot kernel at address 0x900a0000 with CRAMFS at 0x46020000
Network is down already.
AMD: JEDEC Device ID is 0xE0. Assuming broken CFI table.
Swapping erase regions for broken CFI table.
0030.0030 mfr 00ec id 00e0 Top bootsector
Flash 0 at 0x46000000
  ID : AMD/Fujitsu Standard
  Size : 8192 KB
  Buffer Size : 0
  Regions : 2
    0 : 0x00000000 - 0x00010000 * 127
    1 : 0x007f0000 - 0x00002000 *  8
bootconfig = 0x9008c000
bootconfig_load: last = 1
old_config_size = 00003148, new_config_size = 00003148


  Current MAC Address : (xx:xx:xx:xx:xx:xx) 

[janilxx]

The most ideal option would be to get an updated source package out of Beyonwiz/SigmaDesigns - which they clearly must provide in order to comply with the GPL, it's not sufficient to provide old kernel sources that don't correspond to what they're shipping.

If there is real evidences that GPL is violated and BW would have to release some codes, maybe someone could take stronger methods into use? Codes will be released if users really want it. Wasn't e.g. NSLU2's codes first not released? And look at that device now Much better than original.

And do not look at me... For some reasons I would rather have good relationships with BW (as I still believe BW and Finland will meet some day).

[prl]

...
Another random bit of info - when I had a look at the 1+2+3+4 DHCP/BOOTP requests from the Beyonwiz with wireshark, it was requesting not only the address, but also the TFTP bootserver and filename. I wonder if this is just a generic netboot mode and the recovery utility sends down a program that downloads the firmware image and then writes it to flash. If so, it may be possible to hijack this process to netboot alternative kernels.

Hi, Peter.

I reached much the same conclusion from looking at the strings in RemoteUpdater. It appears to use a BOOTP BOOTREQUEST/BOOTREPLY to find a tftp server and the .wrp file path on the server, and then uses tftp to download the .wrp file and flash it. I've never got around to trying it, because I was a bit chary about interrupting the 1+2+3+4 boot while I was investigating. I may not be as gung ho as Ian appears to think I am

The MediaGate help info you posted has a 'boot net' command, and if the BW has the same command, I wouldn't be surprised if it used the same mechanism as for firmware recovery.

[IanSav]

Hi Peter,

I may not be as gung ho as Ian appears to think I am

Don't get me wrong, gung ho is fine and good as long as you only put your own Beyonwiz at risk. The work that you guys are doing should ultimately pay huge dividends for all Beyonwiz users. My concerns are about all the others who use this information without fully understanding the implications of what they are doing. Not only could those people be putting their Beyonwiz at risk of failure they may also be wasting a lot of other people's time persuing issues that don't exist in the official firmware.

Regards,
Ian.

[prl]

Hi Ian.

I agree that the use of hacked firmware puts the user's BW at risk, and I try to be careful to warn of the associated risks. This is a real risk, and for example, caught peteru out when I inadvertently pointed him at the wrong version of Wiz Firmware Tools to use with BWFWTools.

I agree, too, that there is potential for hacked firmware to interfere more subtly with the operation of the BW and be the cause of wasted time chasing bugs, and I think I should extend the warnings in BWFW documentation to point this out. However, I'm not aware of any actual instance of this happening.

[IanSav]

Hi Peter,

I wish Beyonwiz would nibble, bite or respond to our requests for a more formalised and official user addon interface. Once they accept the model then this issue of supportability can be handled within the design of the plugin interface.

Regards,
Ian.

[prl]

Hi Ian.

Hear! Hear!

[matthewc]

Of course, the obvious question is - how is the bootloader debug output enabled?

First, this needs a big "not recommended" disclaimer, as overwriting the bootloader could easily brick a Wiz, presumably leaving JTAG as the only recovery option. The word that controls the bootloader debug output is at offset 0x00184d0 in the boot ROM (0x900778D0 once the bootloader is loaded to RAM), immediately before the string 0123456789ABCDEF. This should be set to -1 (0xffffffff). You can read the boot ROM contents with e.g. dd if=/dev/mtd/5ro of=/tmp/bootrom, and reflash it with (** do not do this unless you know what you are doing **) dd if=/tmp/bootrom of=/dev/mtdblock/5. I'll write up some more info about the bootloader soon. There may be a way to enable debug at runtime without changing the bootloader, but I couldn't find it.

Do you think you could put some of this handy hacking info into the OpenWiz wiki please?

Yep, I'll do it on the weekend, there's only so many hours in my day.

As far as the value of BOOTPARAM goes, you seem to have access to a DP-S1, it would be interesting to see what the BOOTPARAM value is when the unit is taken out of standby with the EJECT button.

EJECT produces BOOTPARAM=1. The bootloader, however, proceeds as for BOOTPARAM=0.

I also wonder - if BOOTPARAM=0x04 when you press 1+2+3+4, does that imply that 1+2+3+5 may lead to BOOTPARAM=0x05? I wonder if the 0x04 is the flash partition number to boot from - perhaps the splash partition contains the flash recovery code.

Nope, unfortunately, 1+2+3+5 doesn't do anything (nor 1+2+3+3 etc), BOOTPARAM=0.

Another random bit of info - when I had a look at the 1+2+3+4 DHCP/BOOTP requests from the Beyonwiz with wireshark, it was requesting not only the address, but also the TFTP bootserver and filename. I wonder if this is just a generic netboot mode and the recovery utility sends down a program that downloads the firmware image and then writes it to flash. If so, it may be possible to hijack this process to netboot alternative kernels.

That would be nice, but I doubt that it is the case, as the code to flash WRPs is definitely in the bootloader. I'm guessing it uses something like the "download binary" command in the bootloader to fetch the image, and then flashes it. I don't think there's any executable code transferred, although it would be nice if I was wrong.

Do you or anyone else have a wireshark capture which shows RemoteUpdater DHCP responses? I've been trying to get it to boot using a normal DHCP server, but it's not working (despite having filled out all the 'requested' fields), and I don't have a Windows box to run the RemoteUpdater thingy to compare against.

A bit of very selective Googling came up with the following promising bits extracted from a different device. One of the MediaGate boxes, by the looks of the Japanese page. Apparently the MediaGate version of the bootloader can be interrupted with a keypress, but won't respond until a passphrase is entered. The passphrase for the MediaGate box happens to be "MediaGate." I think the passphrase was discovered by scanning the bootloader memory for ASCII strings.

Yeah, I came across that in my Google travels too. Unfortunately the Wiz boot doesn't stop on a keypress. I did find a reference to "password:" in the bootloader and some subsequent code that checks for something starting with [!~ however I haven't yet got it to anywhere where that prompt appears.

[matthewc]

Progress: holding down @ during boot causes the Wiz to drop to the password prompt. Yet to work out the password.

[matthewc]

Password is b3y0nw1z

Code: Select all

TANGO15-2 boot loader v1.0.14.4 for wmc_au_0_9/unnamed board
(C) Copyright 2002-2005 Sigma Designs, Inc

NOTE: this boot loader is designed to boot kernels made with the
      2.4.xx releases of the Sigma Designs ARMutils package

Built at Jun 28 2007 16:10:42
Loaded to 0x90060000
Found boot configuration
Booted from parallel flash.
CPU freq.: 202 MHz
DRAM size is 128MB (128MB/0MB)
DRAM0 Params (0xf63001f8/0x00084454)
password : ********
Serial Flash not found
PCI: Configured EM86XX as a PCI slave with 16MB PCI memory
PCI: Each Region size is 2048KB
PCI: Reserved memory from 0x94980000 to 0x95580000 for DMA and mapped to 0x10400
Found RTL8139 at PCI IDSEL 1
  Assign I/O address from 0x58100000, size 0x100
  Assign Memory address from 0x64000000, size 0x100
  Use Memory Mapped I/O
Use "net up" to enable network.

boot> help
TANGO15 boot loader 1.0.14.4
Copyright (C) 2002-2005 by Sigma Designs, Inc

Command List :
  help : shows list of commands
  help <command> : help on command
  boot <target> : boots kernel
  config <conf> [options] : configures boot loader
  download <media> <target> [gz] [address] [size] : downloads image via various media
  dump [option] [addr] [len] : dumps memory area
  flash <command> [args...] : flash commands
  ide <cmd> [args...] : IDE commands
  info <class> : shows information on specified class
  mem <op> [args] : reads from or writes to memory
  net <command> [args...] : network commands
  pci <command> [args...] : PCI operation
  sflash <command> [args...] : sflash operation
boot> 

[peteru]

Well done!

peteru gives matthewc a pat on the back and passes him a nice cool beer!

I'm away this weekend, but I think I'll be rigging up an Intersil 3232 or a Maxim 232 circuit next week. Things just got more interesting, all we need now is the ability to build a binary compatible kernel.

Who knows, maybe when I come back on Monday, the OpenWiz wiki and this thread may have a documented solution.

[prl]

A bit of very selective Googling came up with the following promising bits extracted from a different device. One of the MediaGate boxes, by the looks of the Japanese page. Apparently the MediaGate version of the bootloader can be interrupted with a keypress, but won't respond until a passphrase is entered. The passphrase for the MediaGate box happens to be "MediaGate." I think the passphrase was discovered by scanning the bootloader memory for ASCII strings.

Anyway, this is what the older versions of the bootloader on a MediaGate box can do:

Code: Select all

...
boot> help
TANGO10 boot loader 0.12.15
Copyright (C) 2002-2005 by Sigma Designs, Inc
...

The Beyonwiz loader is

Code: Select all

TANGO15-2 boot loader v1.0.14.4 for wmc_au_0_9

It has a similar command set, including a net boot command.

[prl]

...
perhaps the splash partition contains the flash recovery code.
...

The SplashConfig MTD partition on my DP-H1 is completely zeroed out.

[DaveR]

Well done!

peteru gives matthewc a pat on the back and passes him a nice cool beer!

Yep, Kudos Matthew

[tonymy01]

Looks quite similar Peter:

Code: Select all

password : ********
Serial Flash not found
PCI: Configured EM86XX as a PCI slave with 16MB PCI memory
PCI: Each Region size is 2048KB
PCI: Reserved memory from 0x94980000 to 0x95580000 for DMA and mapped to 0x10400000
Found RTL8139 at PCI IDSEL 1
  Assign I/O address from 0x58100000, size 0x100
  Assign Memory address from 0x64000000, size 0x100
  Use Memory Mapped I/O
Use "net up" to enable network.

boot> help
TANGO15 boot loader 1.0.14.1
Copyright (C) 2002-2005 by Sigma Designs, Inc

Command List :
  help : shows list of commands
  help <command> : help on command
  boot <target> : boots kernel
  config <conf> [options] : configures boot loader
  download <media> <target> [gz] [address] [size] : downloads image via various media
  dump [option] [addr] [len] : dumps memory area
  flash <command> [args...] : flash commands
  ide <cmd> [args...] : IDE commands
  info <class> : shows information on specified class
  mem <op> [args] : reads from or writes to memory
  net <command> [args...] : network commands
  pci <command> [args...] : PCI operation
  sflash <command> [args...] : sflash operation

boot> help boot
  boot <target> : boots kernel
    rom : loads kernel from ROMFS in ROM and boots
    ide : looks for the bootable image in IDE devices and boots
    ide <drive> <part> [subpart] : loads kernel or romfs from IDE device and boots
    cd : loads kernel or romfs from CDROM and boots
    net : loads kernel via network and boots
    kernel : boots kernel directly on RAM
    initrd : boots kernel with separate initrd on RAM
    boot   : boots downloaded bootloader (TESTLOADERONRAM=y)
    <addr> : jumps to specified address

boot> help config
  config <conf> [options] : configures boot loader
    cmd <command line string> : Kernel command line string
    clock [speed] : CPU clock configuration
      valid speed range : 100 - 200 MHz
    serial [baudrate] : UART configuration
      valid baud rate : 9600, 19200, 38400 (def), 57600, 115200 (fast)
    net : network configuration
    file : download filename setting
    cache/icache/dcache [on|off] : Enables or disables internal caches

boot> help download
  download <media> <target> [gz] [address] [size] : downloads image via various media
    <media> : serial / ram / romfs / net
    <target> : boot / romfs / initrd / kernel / kernelfs / binary / instfile / <addr>
      boot : boot loader (loader.bin)
      romfs : rom filesystem (romfs.bin)
      initrd : initial ramdisk (initrd.bin)
      kernel : kernel (linux.bin)
      kernelfs : kernel with separate filesystem (linux.bin)
      binary : any binary (address needs to be provided)
      instfile : installable file
    [gz] option : allows gzipped image. not used with 'ram' media
    [address] : valid with 'ram' media only
    [size] : valid with 'ram' media only

boot> help dump
  dump [option] [addr] [len] : dumps memory area
    [option] : -l (4 bytes), -w (2 bytes), -b (1 byte)

boot> help flash
  flash <command> [args...] : flash commands
    probe [addr] : probe flash
    list : show flash chip information
    boot : write boot loader image on RAM into FLASH
    romfs : write ROMFS image on RAM into FLASH

boot> help ide
  ide <cmd> [args...] : IDE commands
    probe <drive> : probes drive (0/1)
    probeall : probes all drives
    eject <drive> [open] : opens or closes CD-ROM tray
    kernel <drive> <partition> [subpart] [addr] [length] : writes kernel image into IDE device
    romfs <drive> <partition> [subpart] [addr] [length] : writes romfs image into IDE device

boot> help info
  info <class> : shows information on specified class
    edge : shows edge detector registers
    irq : shows interrupt controller registers
    fiq : shows fast interrupt controller registers
    sflash : shows serial flash controller registers
    pb : shows peripheral bus registers
    gpio : shows GPIO status
    cleandiv : shows cleandiv registers

boot> help mem
  mem <op> [args] : reads from or writes to memory
    rb <addr> : reads one byte of data
    rw <addr> : reads two bytes of data
    rl <addr> : reads four bytes of data
    wb <addr> <data> : writes one byte of data
    ww <addr> <data> : writes two bytes of data
    wl <addr> <data> : writes four bytes of data
    sum <addr> <size> : gives the sum of size bytes from addr

boot> help net
  net <command> [args...] : network commands
    config : shows current network configuration
    up : enables networking
    down : disables networking
    arp : shows entire ARP table
    arp <IP addr> : gets the hardware address of specified host
    ping <IP addr> : sends an ICMP echo message to specified host
    dhcp : requests DHCP
    status : shows network device status

boot> help pci
  pci <command> [args...] : PCI operation
    info : shows information about PCI host controller
    scan : scans entire PCI bus for PCI devices
    select <idsel> : selects specified device as current device

boot> help sflash
  sflash <command> [args...] : sflash operation
    probe : probes serial flash
    force : specifies serial flash model
    forcelist : shows supported serial flash models
    boot : writes downloaded bootloader image into serial flash

Ok, lets run one or two things:

Code: Select all

boot> ide probeall
Probing drive 0 :
  Found ATA device : WDC WD5000AAKB-00YSA0, 131071MB, LBA, UDMA
  UDMA = 0x003f, MDMA = 0x0407, PIO = 0x0003
  PIO mode support : 3 4
  Major Rev = 0x01fe, Minor Rev = 0x0000
  Set drive 0 to Ultra DMA set_mode 5
  Partitions : p0
Probing drive 1 :
  Found ATAPI device : EPO EPO-LDR DP-306D, 0MB, CHS, No DMA
  cylinders = 0, heads = 0, sectors = 0
  MDMA = 0x0107, PIO = 0x0003
  PIO mode support : 3 4
  Major Rev = 0x0400, Minor Rev = 0x0900
  Set drive 1 to Multi-word DMA set_mode 2

Code: Select all

boot> boot rom
ROMFS found at 0x46020000, Volume name = mambo
File linux.bin.gz found
Network is down already.
Unzipping image from 0x46020080 to 0x90090000, size = 3009969
Inptr = 0x00000014(20)
Inflating....
Outcnt = 0x013b92a8(20681384)
Final Inptr = 0x002deda9(3009961)
Original CRC = 0x5571fe7a
Computed CRC = 0x5571fe7a
Boot kernel at 0x90090000 with ROMFS at 0x46020000
Network is down already.
init started:  BusyBox v1.00 (2008.04.08-13:14+0000) multi-call binary
Starting pid 11, console /dev/ttyAM0: '/etc/rc.sysinit'
PID 32 : code start = 0x92dc0040, code end = 0x92e184c0
WIZPIMP: vfd_version 01.05.247
PID 32 : code start = 0x92dc0040, code end = 0x92e184c0
PID 45 : code start = 0x91c78040, code end = 0x92101700
dump.dat at 0x90D7EDF0
[MON][ERR]DEAD TIMEOUT

****************************************
        DETECT!!!! Heart-beat timeout : NO REBOOT
****************************************

Oops...
Hit standby, wait 30secs, shutdown ok.
Normal bootup:

Code: Select all

IGMVersion : 1.0.14.1 build 8
System ID              : 08080000:0E20BE3E
........init started:  BusyBox v1.00 (2008.04.08-13:14+0000) multi-call binary
Starting pid 11, console /dev/ttyAM0: '/etc/rc.sysinit'
PID 32 : code start = 0x92dc0040, code end = 0x92e184c0
WIZPIMP: vfd_version 01.05.247
PID 32 : code start = 0x92dc0040, code end = 0x92e184c0
PID 45 : code start = 0x91c78040, code end = 0x92101700
dump.dat at 0x90D7EDF0
HDD : write cache disabled (1)
HDD : write cache enabled (1)
sys_up : parsing /etc/config/network/wired
sys_up : parsing /etc/config/network/wireless
Detected RT2500 Wireless
sys_up : link status off (ra0)
Detected RT2500 Wireless
sys_up : activating ra0
calling minidhcp()
info, udhcpc (v0.9.9-pre) started
debug, Sending discover...
debug, Sending select for 192.168.0.110...
info, Lease of 192.168.0.110 obtained, lease time -1
UPNP SRV: creating desc_doc_name : wizy
UPNP SRV: creating :  tvpictureSCPD.xml