Technaxx Magno


Some tech specs from the case:

  • 2.4" CSTN Display
  • 32 mb internal memory
  • 240x320 display (yes not 320x240 - at least all images get stored in this format)

Firmware Version 1, Revision 5 (see Photoviewer)

link to the device

--Michu This device has 32mb ram, and I am trying to flash it. It is a Sitronix device.

--Joe This *may* be the same device as a Mercury ME-DPF24MG. It is the same magnetic 2.4" frame, and the picture looks identical to the one on the Technaxx Magno product page, which suggests the hardware is of the same origin and differs only in firmware. With the guidance on this page so far, I have also managed to dump my firmware and build an (as yet untested) spec, with many values matching the first spec below. The only real possible difference is that I found I could put EMPTY_AT at $3258; I am also seeing the area empty all the way to 7FD8, which suggests, going by the free-space comment in that spec, that there is nearly 3K more headroom and that this may be a markedly different firmware.

The untested spec file:

;Spec-file for Technaxx Magno. 
;Please keep the way the addresses are entered ($ to indicate a hex number,
;addresses in 4 digits) intact or the hackfw.sh script won't work anymore.
;Addresses here refer to file addresses; at runtime these are loaded $4000
;bytes higher but that's accounted for in the hack-code itself.
;
; free space = 550 bytes
;
CMP_VAR1=$037A
CMP_VAR2=$037B
PATCH_AT=$30B1
EMPTY_AT=$32A4
SEND_CSW=$2f79
LEN0=$036C
LEN1=$036D
LEN2=$036E
LEN3=$036F
CONF_XRES=240
CONF_YRES=240
CONF_BPP=24
CONF_PROTO=0
CTRTYPE=0 ;PCF8833
OFFX=0
OFFY=0

and another version:

CMP_VAR1=$037A
CMP_VAR2=$037B
PATCH_AT=$30BD
EMPTY_AT=$32A4
SEND_CSW=$2f85
LEN0=$036E
LEN1=$036F
LEN2=$0370
LEN3=$0371
CONF_XRES=240
CONF_YRES=240
CONF_BPP=24
CONF_PROTO=0
CTRTYPE=0 ;PCF8833
OFFX=0
OFFY=0

Hint: this device uses a different controller type (CTRTYPE): an ST7787 (320x240)

  • TODO list:

1) write a new display driver for the ST7787 - datasheet (I guess this is not needed: the columnset, rowset and writeram commands are the same...)
2) find a way to flash/dump firmware


new phack patch

upload firmware:

            sendcmd(f,3,0x80000000,0x4000,0);
            y=read(o,buff,0x4000);
            write_data(f,buff,0x4000);

-> this does NOT work... I managed to flash the new firmware, but I can't remember how...

dump firmware:

            sendcmd(f,3,0x80000000,0x4000,0);
            y=read(o,buff,0x4000);
            write_data(f,buff,0x4000);

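0x80000000 is a special address: bit 7 of bankid (param 3) needs to be set to access the first 2 banks... (Note: the listing under "dump firmware" is identical to the one under "upload firmware" - it reads from the file and calls write_data(), i.e. it sends data to the device. The patches further down this page dump with command 4, read_data() and write() instead, so this listing is probably a copy-paste slip.)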

Some other new functions:

/*
 * Excerpt from the body of main(): queries the device for its memory size,
 * picture geometry and firmware version and prints each result.
 * f, buff and mem are declared outside this excerpt.
 */
/* Command numbers passed as the second argument of sendcmd(). */
#define CMD_GET_MEM_SIZE 1
#define CMD_GET_PIC_INFO 5
#define CMD_GET_VERSION 8

//Allocate buffer and send a command. Check the result as an extra caution
//against non-photoframe devices.
// NOTE(review): the results of malloc_aligned(), sendcmd() and read_data()
// are not checked in this excerpt; buff[0] is used whatever read_data() did.
buff=malloc_aligned(0x10000);
sendcmd(f,CMD_GET_MEM_SIZE,0,0,0);
read_data(f,buff,0x200);
//get memory size
mem=buff[0];
// (mem*128*1024)/512 equals mem*256: a response of 8 gives 2048 and a
// response of 0x1f gives 7936. NOTE(review): the message below labels the
// value "kb" - confirm the unit.
mem = (mem*128*1024)/512;
// NOTE(review): the sanity check below is disabled, so nothing in this excerpt
// stops the following commands from being sent to a device that did not answer
// like a photo frame. If it is re-enabled it has to compare the raw buff[0]:
// at this point mem already holds the scaled value, not 8 or 0x1f.
/*    if (mem!=8 && mem!=0x1f) {
printf("Expected response 0x8 or 0x1f on cmd 1, got 0x%hhx!\n",buff[0]);
exit(1);
}*/
printf("Found device with %i kb memory\n",mem);

//get image size
sendcmd(f,CMD_GET_PIC_INFO,0,0,0);
read_data(f,buff,0x200);
// Bytes 0-1 and 2-3 are combined high byte first into two 16-bit values.
int xsize = (buff[0]<<8)+buff[1];
int ysize = (buff[2]<<8)+buff[3];
// NOTE(review): the reason for adding 0x80 to byte 4 is not shown here - confirm.
int bpp = buff[4]+0x80;
printf("Xres: %i, Yres%i, bpp: %i\n",xsize,ysize,bpp);

//get firmware version
sendcmd(f,CMD_GET_VERSION,0,0,0);
read_data(f,buff,0x200);
//always 90...
// check is read but not used anywhere in this excerpt.
int check=buff[0];
// Bytes 1-2 and 3-4 are combined high byte first, like the picture info above.
int ver = (buff[1]<<8)+buff[2];
int addInfo = (buff[3]<<8)+buff[4];
printf("ver: %i (%i)\n",ver,addInfo);

OLD phack patch

because this device has more memory, the main.c (phack) needs to be adjusted...

--- main.orig   2009-01-22 21:28:23.000000000 +0100
+++ main.c      2009-01-31 15:21:58.000000000 +0100
@@ -156,6 +156,7 @@

 int main(int argc, char** argv) {
     int f,o;
+    int mem=0;
     unsigned int x,y;
     int mode=0;
     unsigned char *buff;
@@ -216,16 +217,22 @@
     buff=malloc_aligned(0x10000);
     sendcmd(f,1,0,0,0);
     read_data(f,buff,0x200);
-    if (buff[0]!=8) {
-       printf("Expected response 8 on cmd 1, got 0x%hhx!\n",buff[0]);
+
+    //get memory size
+    mem=buff[0];
+    if (mem!=8 && mem!=0x1f) {
+       printf("Expected response 0x8 or 0x1f on cmd 1, got 0x%hhx!\n",buff[0]);
        exit(1);
     }
+    printf("Found device with 0x%hhx memory\n",mem);
+
+#define MEMSIZE 8192

     if (mode==M_DMP) {
        //dump picture memory
        //get everything except the last 64K (wraps around to the firmware)
        //in 32K chunks.
-       for (x=0; x<((2048-64)/32); x++) {
+       for (x=0; x<((MEMSIZE-64)/32); x++) {
            sendcmd(f,4,x,0x8000,0);
            read_data(f,buff,0x8000);
            write(o,buff,0x8000);
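Review bot: `MEMSIZE` is a compile-time 8192 even though the check just above it accepts either 0x8 or 0x1f from the device, so a frame answering 0x8 (the case the original 2048 was written for) now runs every loop with the larger bound. The comments in this hunk and the next say the last 64K wraps around to the firmware, so in `M_UP` an oversized bound could plausibly carry the cmd 3 writes into that region; the `M_FDMP` start page in the following hunk is affected the same way. Choose the size from the response instead, e.g. `unsigned memsize = (mem==8) ? 2048 : 8192;`, and use it in place of the macro. The `M_DMP` loop continues past the end of this hunk.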
@@ -236,18 +243,20 @@
     } else if (mode==M_FDMP) {
        //Use a trick to get the 64K of firmware: if we request the data starting
        //at (2M-64K), the data gets read from a mirror of the flash, position 0.
-       for (x=((2048-64)/32); x<(2048/32); x++) {
+       for (x=((MEMSIZE-64)/32); x<(MEMSIZE/32); x++) {
+           //cmd = 4: READ_BUFFER : tell the device to prepare data to be read from memory, data are read at page arg1 with a length of arg2
            sendcmd(f,4,x,0x8000,0);
            read_data(f,buff,0x8000);
            write(o,buff,0x8000);
-           fprintf(stderr,".");
+           fprintf(stderr,"x=%i / %i\n", x, MEMSIZE/32);
+           //fprintf(stderr,".");
        }
        fprintf(stderr,"\n");
        printf("Firmware dumped.\n");
     } else if (mode==M_UP) {
        //send everything except the last 64K (wraps around to the firmware)
        //in 32K chunks.
-       for (x=0; x<((2048-64)/32); x++) {
+       for (x=0; x<((MEMSIZE-64)/32); x++) {
            sendcmd(f,3,x,0x8000,0);
            y=read(o,buff,0x8000);
            write_data(f,buff,0x8000);
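Review bot: The new progress line prints `x` with `%i` although `x` is declared `unsigned int` at the top of main; use `fprintf(stderr,"x=%u / %i\n", x, MEMSIZE/32);`. The comment above the `M_FDMP` loop still says the request starts at (2M-64K), which no longer matches the `MEMSIZE`-based bound and should be reworded. The commented-out `//fprintf(stderr,".");` can be dropped rather than kept. The `M_UP` loop body continues outside the hunk.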
@@ -271,14 +280,16 @@
            write_data(f,buff,0x8000);
            sendcmd(f,2|0x80000000,x,0x8000,0);
            read_data(f,buff,0x200);
-           sendcmd(f,3,x|0x1f40,0x8000,0);
-           write_data(f,buff,0x8000);
+//         sendcmd(f,3,x|0x1f40,0x8000,0);
+//         write_data(f,buff,0x8000);
            if (y!=0x8000) {
                printf("Premature file end. Hope everything still works OK.\n");
                x=9999;
            }
            fprintf(stderr,".");
        }
+       sendcmd(f,21,0x42494F53,0x55504458,0);  // BIOSUPDX
+
        fprintf(stderr,"\n");
        printf("Firmware upgraded. Un- and replug USB connection to restart device.\n");
     } else if (mode==M_MSG) {
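Review bot: The added `sendcmd(f,21,0x42494F53,0x55504458,0)` runs after the loop unconditionally, including when the loop was abandoned through the "Premature file end" branch (`x=9999`), so what appears to be the update trigger is sent even after only part of the image was written. Because `y` is unsigned, a failed `read()` also ends up in that branch, and only after `write_data()` has already sent the buffer. Record the short read in a flag and skip the final command in that case, e.g. `if (!short_read) sendcmd(f,21,0x42494F53,0x55504458,0);`. Command 21 and the two magic words deserve named constants with a comment saying which firmware accepts them, and the two commented-out lines should be removed or explained. The branch this loop belongs to starts above the hunk.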

With this patch, the firmware can be dumped but NOT saved... Note: in this patch I use the pixika method to save the firmware, but the original version didn't work either.

hmmm: 0x80000000 is the key i guess: 2048*1024*1024 is 0x80000000.. for this device this should be 0x200000000.. but this is too large for an unsigned int...

open issues

With the code changes below, I was able to get the firmware and also created a profile for my device. But I failed to write back the new firmware... I took a look at the code:

    } else if (mode==M_FUP) {
        printf("Firmware update! If unsure, press ctrl-C NOW!\n");
        sleep(3);             
        printf("Too late. Commencing firmware update...\n"); .
        for (x=0; x<2; x++) {                                                                                                                                                
            sendcmd(f,3,x|0x80000000,0x8000,0);
            y=read(o,buff,0x8000);
            write_data(f,buff,0x8000);
            sendcmd(f,2|0x80000000,x,0x8000,0);
            read_data(f,buff,0x200);
            sendcmd(f,3,x|0x1f40,0x8000,0);
            write_data(f,buff,0x8000);
            if (y!=0x8000) {
                printf("Premature file end. Hope everything still works OK.\n");
                x=9999;
            }
            fprintf(stderr,".");
        }
        fprintf(stderr,"\n");
        printf("Firmware upgraded. Un- and replug USB connection to restart device.\n");

which makes me believe that

   sendcmd(f,3,x|0x80000000,0x8000,0);
   sendcmd(f,2|0x80000000,x,0x8000,0);

should be changed to

   sendcmd(f,3,x|0xF80000000,0x8000,0);
   sendcmd(f,2|0xF80000000,x,0x8000,0);

?? or is this completely wrong? --Ben : i think so, you should keep 0x80000000 (it is a special address)
--Michu : any idea, what i need to change? The page 0x1f40?
--Ben : look at [Pixika] or start to debug your [firmware]
--Michu : Ben, how did the device react when you wanted to update the fw but the device refused it? My device just overwrites the 2nd picture. This happened using sprite's phack AND using photoviewer...
--Ben : the device take around 1 minute to reboot (black screen) and then screen was mirrored and one of the picture was overwritten... where is the dump of your firmware ?
--Michu : the dump is here. Its just the firmware, not the memory.
--Ben : look at 0x615d (loading address is 0x4000); it is the start of the update procedure. The valid commands seem to be only the common ones (1..9), with no special function like pixika, so the common method should apply...
--Michu : I agree about the firmware debug. but everytime, I try to store a new firmware, the 2nd picture gets overwriten, this means the fw goes into the pic memory instead into the fw position....
--Ben : first you should change sendcmd(f,2|0x80000000,x,0x8000,0); to sendcmd(f,2,x|0x80000000,0x8000,0); (in order to write the whole firmware at the right position), then you have to find your '0x1F40', because sendcmd(f,3,x|0x1f40,0x8000,0); writes to a memory position, not to a 'special' position
--Michu
sendcmd(f,3,x|0x1f40,0x8000,0);
-> means write to memory at page x.

  1 page is 32k (0x8000) -> so 0x8000 * 0x1f40 = FA00000 (absolute address)

or in other word... i need to find out, whats this FA00000 address is...
--Ben : sorry i've made a mistake, sendcmd(f,3,x|0x1f40,0x8000,0); write at page 0x1f40 or 0x1f41. 0x1f40 = page n° 8000. If your device is 64mb, you have 2048 pages. So 0x1f40 is a special address....
--Michu I'm running out of ideas... any hints how to flash this beast?
--Ben : quickly looking for strings in firmware one mean "Update Program OFF", maybe you have to find how to unlock this....(try pressing 1 or 2 or 3 button by pressing reset), ....



Another issue is the screen size, it is 240x320. And there is just an unsigned char available to save the size:

/*
 * fw_descriptor as quoted by the page author. The "<<" markers are the
 * author's highlighting of the two size fields, not C syntax.
 * NOTE(review): get_parm_block() further down this page returns a pointer to
 * this type; if the struct is laid over bytes read from the device, changing
 * a field's width changes that layout too - confirm before widening.
 */
typedef struct {
    char sig[4];
    char version;
    /* unsigned char holds at most 255, so a 320-pixel dimension does not fit */
    unsigned char width;        <<
    unsigned char height;       <<
    char bpp;
    char proto;
    char offx;
    char offy;
} fw_descriptor;

So until I have fixed the other errors, I'll leave the resolution at 128x128. Perhaps widening those two fields to 16 bits would make sense... although this would cost 2 extra bytes.

main.c changes (phack)

Because this device has more memory, I had to change main.c, here is the diff:

Index: main.c
===================================================================
--- main.c      (revision 21)
+++ main.c      (working copy)
@@ -308,16 +228,17 @@
     buff=malloc_aligned(0x10000);
     sendcmd(f,1,0,0,0);
     read_data(f,buff,0x200);
-    if (buff[0]!=8) {
+    if (buff[0]!=8) { //mem
        printf("Expected response 8 on cmd 1, got 0x%hhx!\n",buff[0]);
-       exit(1);
+//     exit(1);
     }
+int flash_size = (0x1f) * 1024 * 2;

     if (mode==M_DMP) {
        //dump picture memory
        //get everything except the last 64K (wraps around to the firmware)
        //in 32K chunks.
-       for (x=0; x<((2048-64)/32); x++) {
+       for (x=0; x<((flash_size-64)/32); x++) {
            sendcmd(f,4,x,0x8000,0);
            read_data(f,buff,0x8000);
            write(o,buff,0x8000);
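Review bot: Commenting out `exit(1)` turns the cmd 1 response check into a warning only, so the tool goes on sending read and write commands to a device that did not answer like a photo frame; accept the second known value instead, `if (buff[0]!=8 && buff[0]!=0x1f) {` with the `exit(1);` kept. `flash_size` is hard-coded to `0x1f*1024*2` (63488) rather than derived from `buff[0]`, and that expression does not reduce to the original 2048 for a response of 8, whereas the snippet earlier on this page scales the same byte as `mem*128*1024/512`, giving 2048 for 8 and 7936 for 0x1f. If that scaling is the right one, `int flash_size = buff[0]*256;` keeps the old devices working and avoids loop bounds far beyond the flash, which matters most in `M_UP`, where the loop writes. The same bound is used in the next two hunks, and the `M_DMP` loop runs past the end of this one.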
@@ -328,7 +249,7 @@
     } else if (mode==M_FDMP) {
        //Use a trick to get the 64K of firmware: if we request the data starting
        //at (2M-64K), the data gets read from a mirror of the flash, position 0.
-       for (x=((2048-64)/32); x<(2048/32); x++) {
+       for (x=((flash_size-64)/32); x<(flash_size/32); x++) {
            sendcmd(f,4,x,0x8000,0);
            read_data(f,buff,0x8000);
            write(o,buff,0x8000);
@@ -339,7 +260,7 @@
     } else if (mode==M_UP) {
        //send everything except the last 64K (wraps around to the firmware)
        //in 32K chunks.
-       for (x=0; x<((2048-64)/32); x++) {
+       for (x=0; x<((flash_size-64)/32); x++) {
            sendcmd(f,3,x,0x8000,0);
            y=read(o,buff,0x8000);
            write_data(f,buff,0x8000);

And of course we need to change the libst2205 too:

Index: main.c
===================================================================
--- main.c      (revision 25)
+++ main.c      (working copy)
@@ -232,7 +232,8 @@
        printf("\n");
     }
 }
-#define FW_PAGE_OFFSET ((2048-64)/32)
+//define FW_PAGE_OFFSET ((2048-64)/32)
+#define FW_PAGE_OFFSET ((0x1f*1024*2-64)/32)

 static fw_descriptor *get_parm_block(DPF_HANDLE fd, char* buff) {
     int a,p;
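Review bot: `FW_PAGE_OFFSET` becomes a constant that fits only the device answering 0x1f, so for frames that report 8 the library would presumably look for the firmware on the wrong page; the offset should come from the size the device reports at runtime rather than from a macro. The left-over `//define FW_PAGE_OFFSET ((2048-64)/32)` line should be deleted, or turned into a comment saying which device it was for. `get_parm_block` continues outside this hunk, so how the offset is used there is not visible.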