
Chip Flashing

Flash or no flash: Flashing the wrong firmware can cause trouble

Vitor finds a way to bring a satellite meter back from the dead. Be careful when installing new software. Simple device programmers are helpful. A soldering iron is sufficient for connecting the wires. Remember to make backups before starting any work.
TELE-satellite International, The World's Largest Digital TV Trade Magazine, 04-05/2012, www.TELE-satellite.com

This is the story of how the desire to change the localized settings of a satellite meter ended up with the external programming of its flash chip.
Vitor Martins Augusto

I own a satellite meter, which is being sold under many different brands. It is easy to recognize the different OEM versions, as they look pretty much the same, with slight variations on the colour and logo. Because my model came pre-configured with Asian locations and my distributor does not provide any localized firmware for the European region, I figured that I could upgrade the firmware with a release made available from a different distributor. I expected to get some extra functionality, but above all, I hoped that the new settings would match my region. Actually, the only annoyance that got me to look for a different firmware in the first place was the fact that I could not edit the name of my location. I had to program Shanghai with my latitude and longitude, but I could not change the name to my hometown Porto. This annoyed me. A lot.

1. Picture of the main board of my satellite meter.
2. The ALI M3329D processor gives hope that there is a possible JTAG programming route to rescue the firmware.

After copying the new firmware file onto a USB pen, I activated the flashing procedure on my satellite meter and the device turned itself off, as expected. Unfortunately, it would not turn on again: I was holding a dead device! No big deal, I thought, since this meter is provided with an extra RS232 cable that fits in the Audio/Video jack. Since no flashing software was provided, I assumed that the flashing could be done with HyperTerminal's X-Modem protocol, which is how the firmware is flashed with many other satellite meters of the same kind. I tried the obvious settings: 115200, 8N1, but got no reply. A little scared, I started to press all conceivable key combinations on the meter, hoping that the boot loader would allow a recovery USB flashing procedure. No luck.

To make sure that the boot loader was at least operational, I opened both the original firmware, which I had backed up before flashing the meter (the meter has this option and you should definitely use it), and the firmware I had just flashed with a hex editor, and both revealed the same boot loader. All bytes were equal. This should mean that even though I flashed a wrong firmware (at this point I was not certain if I had a different hardware revision or if the firmware had some kind of OEM check), at least the boot loader should be operational. Again, I tried several flashing tools for handheld satellite meters, but none seemed to work.

At this point I was pretty certain that my only way out of having transformed my meter into a brick was to actually program the flash chip myself. There are two options for this: one is to look for a JTAG adapter on the main board, the other is to use an external device programmer to write the flash chip. I opened up the meter and looked for the typical flash chip but somehow didn't find it! Only after a long search did I notice that this board was using a serial EEPROM, which means that the flash chip is actually a tiny chip with only 8 pins (4 on each side). I found pins which correspond to a regular JTAG, but the main CPU of the board was an ALI chip. I had no JTAG utility that would program a Spansion S25FL016A through an ALI CPU. A Google search did, however, point me to two interesting facts:

1) There are plenty of satellite receivers using the exact same CPU, unfortunately with different flash chips. Someone had adapted a flashing utility for this CPU and even included the source code (C++).
2) From the router hacking scene (DD-WRT and OpenWRT), I found out that this Spansion S25FL016A is not so uncommon with routers and that later revisions of the same flashing utility would actually support this flash chip, but not the ALI CPU. Again, I got hold of the source code.

The next attempt was pretty straightforward: I implemented the flash definitions of one source code into the source code that had the ALI CPU support. I soldered some wires to the JTAG on the board and tried to connect through the JTAG port to the CPU and flash. Short answer: I couldn't. Since there were too many unclear factors (wrong connections to the JTAG, too long wires, errors in the compiled utility, etc.), I decided that this route was too risky. This meant that I would have to program the flash externally.

Because I did not own a device programmer, I searched eBay to figure out if there was a cheap solution. I always wanted to own a device programmer anyway, as it is a really useful device. I was sick of having to build parallel port programmers that would only support one single chip type whenever I needed to program a new chip. eBay revealed a huge number of different device programmers across a broad price range. I decided to spend as little money as possible and bought one for just 37 Euros and free shipping. I thought that the risk was small, plus the list of supported devices did include my Spansion flash!

After two weeks the device programmer finally arrived. I installed the software and tried to read and write some Atmel chips. Everything worked fine. The next step was to desolder the S25FL016A from my dead satellite meter. Unfortunately I only own a regular soldering iron and I was not able to desolder this chip, mainly because I didn't want to destroy it. Instead, I asked a friend for help, who owns a professional soldering station with tweezers, and within 2 seconds the chip was desoldered without any harm done to either the chip or the PCB. Back home, I connected wires to each of the 8 pins, since I didn't own a compatible chip holder for my programmer.
After connecting all wires to the device programmer, the chip was indeed recognized and I started the programming cycle. The software of the programmer erased the chip (all bytes are set to &HFF), programmed my original backup of the firmware and finally did a verification, to check if the programmed bytes matched the ones from the original file. Everything went smoothly without any error. This gave me the courage to solder the Spansion back onto the board. I turned the meter on and... It worked again!

Not satisfied, I did a more exhaustive Google search and this time came up with a support site for yet another OEM version of my meter. Though the website was in Russian, I got around with Google's translator and found out that it actually offered two firmware releases, a flashing tool and a settings editor. Despite the fact that the tools were in Russian too (using Cyrillic characters), I tried them out, and this time I checked the hardware revision of my satellite meter and compared it with the pictures shown on the website: they matched. So after having returned the meter from brick-land for just half an hour, I flashed it with this firmware version, only to find out that the meter was dead again.

No problem, I thought. I could always flash it externally with my new programmer. But since I would have to ask my friend to desolder the Spansion again, I tried the flashing tool first. Without being able to understand any message displayed, I managed to figure out how to use it and (who would have guessed it!) it worked! I was able to flash my backup to the meter, without having to desolder anything. Had I only known about this tool two weeks ago!

Not satisfied, I wondered how this tool managed to establish a connection through the serial port, since I hadn't been able to do so in my own previous trials. The answer: the meter uses even parity instead of none... This must be the first device I have seen with such a configuration: 115200 8E1. Now I could see the boot loader messages on HyperTerminal, too.

3. A JTAG interface is quickly found. Unfortunately, no success trying to program the firmware this way.
4. The flash chip, a Spansion S25FL016A, had to be desoldered.
5. No harm was done to the PCB. It is important not to overheat the PCB, to avoid traces popping out.
6. Due to the lack of a suitable chip adapter, small wires were soldered to the 8 pins of the chip.
7. The chip was connected to the device programmer. Extra care was taken to avoid any mistake connecting the right wires to the programmer.


8. Selection of the chip using the software included with the programmer.
9. The flashing operation was successful!
10. After programming, the chip was soldered back to the board and the meter is working again!

Conclusions

1) Never trust a firmware image from a different OEM model, even if it looks exactly like yours! You might have a different hardware revision, or the OEM producers might have implemented some kind of firmware check that prevents cross-flashing. The reason is of course the different level of support that each brand invests in its devices.

2) Before flashing a device, make sure that you have a plan B if things go wrong. Normally, boot loaders do provide a way to flash the firmware, even if your device is dead (unless you managed to delete the boot loader, too).

3) You are totally at ease if you own an external programmer which supports your flash chip. My cheap programmer has proven to be very good value for money. It is impressive how such a cheap programmer manages to support that many devices. Another thumbs up for this device, because it works even if you just solder some wires to the pins of your chip, instead of using a proper adapter. Professional programmers would not work in such a way, requiring the correct adapter for each chip package (and such adapters cost more than my cheap programmer).

After this adventure, I can say that I am much more fond of my satellite meter and I have a deep respect for how miniaturized it is. It is a pretty good meter for standard installations and for amateur enthusiasts of satellite reception. Not being able to use it for two weeks made me realize how much I depended on it. So I promised myself to not flash it with any firmware again.
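The two file-level checks the story relies on, comparing the boot loader region of the backup against a candidate image before flashing and verifying a programmer read-back against the backup afterwards, can be scripted; the following is an added example, not code from the article or from any of the tools it mentions. The boot loader length (`BOOT_LEN`), the 64 KiB comparison block and the sample images are assumptions made for illustration.

```python
from __future__ import annotations

CHIP_SIZE = 2 * 1024 * 1024  # S25FL016A is a 16 Mbit (2 MiB) part
SECTOR = 64 * 1024           # comparison granularity
BOOT_LEN = SECTOR            # ASSUMPTION: boot loader sits in the first 64 KiB


def differing_sectors(a: bytes, b: bytes) -> list[int]:
    """Indices of SECTOR-sized blocks in which the two images differ."""
    n = max(len(a), len(b))
    return [i // SECTOR for i in range(0, n, SECTOR)
            if a[i:i + SECTOR] != b[i:i + SECTOR]]


def preflash_report(backup: bytes, candidate: bytes) -> dict:
    """Compare a candidate image with the known-good backup before flashing."""
    return {
        "fits_chip": len(candidate) <= CHIP_SIZE,
        "same_size": len(candidate) == len(backup),
        # Equal boot loaders only suggest the recovery path survives a bad
        # flash; they do not show that the rest of the image suits the board.
        "bootloader_identical": backup[:BOOT_LEN] == candidate[:BOOT_LEN],
        "changed_sectors": differing_sectors(backup, candidate),
    }


def verify_readback(image: bytes, dump: bytes) -> int | None:
    """Offset of the first wrong byte in a full-chip dump, or None if good.

    Everything past the end of the image must still read as erased (0xFF).
    """
    if len(image) > CHIP_SIZE or len(dump) != CHIP_SIZE:
        raise ValueError("image too large or dump is not a full-chip read")
    expected = image + b"\xff" * (CHIP_SIZE - len(image))
    if dump == expected:
        return None
    return next(i for i in range(CHIP_SIZE) if dump[i] != expected[i])


def sample_image(tag: bytes) -> bytes:
    """Constructed 256 KiB test image: shared boot block + tagged payload."""
    return b"BOOT" * (SECTOR // 4) + tag * (3 * SECTOR // len(tag))


if __name__ == "__main__":
    backup, candidate = sample_image(b"OEMA"), sample_image(b"OEMB")
    print(preflash_report(backup, candidate))
    dump = backup + b"\xff" * (CHIP_SIZE - len(backup))
    print("read-back OK" if verify_readback(backup, dump) is None else "BAD")
```
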
