Page 114 - TELE-satellite-1205

TELE-satellite International — The World’s Largest Digital TV Trade Magazine — 04-05/2012
expected. Unfortunately, it would not turn on again: I was holding a dead

“No big deal”, I thought, since this meter is provided with an extra RS-232 cable that fits in the Audio/Video jack. Since no flashing software was provided, I assumed that the flashing could be done with HyperTerminal’s X-Modem protocol, which is how the firmware is flashed in with many other satellite meters of the same kind.

I tried the obvious settings: 115200, 8N1, but got no reply. A little scared, I started to press all conceivable key combinations on the meter, hoping that the boot loader would allow a recovery USB flashing procedure. No

To make sure that the boot loader was at least operational, I opened both the original firmware, which I had backed up before flashing the meter (the meter has this option and you should definitely use it), and the firmware I just flashed with a hex editor, and both revealed the same boot loader. All bytes were equal. This should mean that even though I flashed a wrong firmware (at this point I was not certain if I had a different hardware revision or if the firmware had some kind of OEM check), at least the boot loader should be operational.

Again, I tried several flashing tools for handheld satellite meters, but none seemed to work.

At this point I was pretty certain that my only way out of having transformed my meter into a brick was to actually program the flash chip myself. There are two options for this: one is to look out for a JTAG adapter on the main board, the other is to use an external device programmer to write the flash chip.

I opened up the meter and looked for the typical flash chip but somehow didn’t find it! Only after a long search did I notice that this board was using a serial EEPROM, which means that the flash chip is actually a tiny chip with only 8 pins (4 each side). I found pins which correspond to a regular JTAG, but the main CPU of the board was an ALI chip. I had no JTAG utility that would program a Spansion S25FL016A through an ALI CPU. A Google search did, however, point me to two interesting facts:

1) There are plenty of satellite receivers using the exact same CPU, unfortunately with different flash chips. Someone had adapted a flashing utility for this CPU and even included the source code (C++).

2) From the router hacking scene (DD-WRT and OpenWRT), I found out that this Spansion S25FL016A is not so uncommon with routers and that later revisions of the same flashing utility would actually support this flash chip, but not the ALI CPU. Again, I got hold of the source code.

The next attempt was pretty straightforward: I implemented the flash definitions of one source code into the source code that had the ALI CPU support. I soldered some wires to the JTAG on the board and tested whether I could connect through the JTAG port to the CPU and flash. Short answer: I couldn’t. Since there were too many unclear factors (wrong connections to the JTAG, too long wires, errors in the compiled utility, etc.), I decided that this route was too risky.

This meant that I would have to program the flash externally. Because I did not own a device programmer, I searched eBay to figure out if there was a cheap solution. I always wanted to own a device programmer, anyway, as it is a really useful device. I was sick of having to build parallel port programmers that would only support one single chip type, whenever I needed to program a new chip.

eBay revealed a huge amount of different device programmers at a broad price range. I decided to spend as little money as possible and bought one for just 37 Euros and free shipping. I thought that the risk was small, plus the list of supported devices did include my Spansion flash!

After two weeks the device programmer finally arrived. I installed the software and tried to read and write some Atmel chips. Everything worked

The next step was to desolder the S25FL016A from my dead satellite meter. Unfortunately I only own a regular soldering iron and I was not able to desolder this chip, mainly because I didn’t want to destroy it. Instead, I asked a friend for help, who owns a professional soldering station with tweezers, and within 2 seconds the chip was desoldered without any harm done to either the chip or the PCB.

Back home, I connected wires to each of the 8 pins, since I didn’t own a compatible chip holder for my programmer. After connecting all wires to the device programmer, the chip was indeed recognized and I started the programming cycle. The software of the programmer erased the chip (all bytes are set to &HFF), programmed my original backup of the firmware and finally did a verification, to check
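
The two checks described in this article, the hex-editor comparison of the boot loader in two firmware images and the programmer's erase/program/verify pass, can also be scripted against dump files. The following is an added example, not code from the article or from any programmer software; BOOT_LEN, the sector size and the sample images are assumptions constructed for illustration.

```python
CHIP_SIZE = 2 * 1024 * 1024   # S25FL016A is a 16 Mbit part = 2 MiB
SECTOR = 64 * 1024            # assumed erase-sector size; check the datasheet
BOOT_LEN = 64 * 1024          # hypothetical boot loader length, not from the article


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes that are identical in both images."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return n


def boot_loader_unchanged(a: bytes, b: bytes, boot_len: int = BOOT_LEN) -> bool:
    """True if both images hold a full, byte-identical boot loader region."""
    return min(len(a), len(b)) >= boot_len and a[:boot_len] == b[:boot_len]


def differing_sectors(a: bytes, b: bytes, sector: int = SECTOR) -> list:
    """Sector indices that differ; the shorter image is treated as 0xFF-padded."""
    size = max(len(a), len(b))
    a, b = a.ljust(size, b"\xff"), b.ljust(size, b"\xff")
    return [i // sector for i in range(0, size, sector)
            if a[i:i + sector] != b[i:i + sector]]


def verify_readback(image: bytes, readback: bytes, chip_size: int = CHIP_SIZE) -> list:
    """Compare a full chip dump with the programmed image; return the problems found."""
    problems = []
    if len(readback) != chip_size:
        problems.append(f"dump is {len(readback)} bytes, expected {chip_size}")
    if readback[:len(image)] != image:
        off = common_prefix_len(image, readback)
        problems.append(f"first mismatch at offset 0x{off:06x}")
    if any(byte != 0xFF for byte in readback[len(image):]):
        problems.append("area past the image is not erased (expected 0xFF)")
    return problems


# Constructed sample data: same boot loader, different application area.
boot = bytes(range(256)) * (BOOT_LEN // 256)
backup = boot + b"APP-A" * 1000   # stands in for the original backup
wrong = boot + b"APP-B" * 1000    # stands in for the wrong firmware

if __name__ == "__main__":
    print("boot loader identical:", boot_loader_unchanged(backup, wrong))
    print("sectors that differ:", differing_sectors(backup, wrong))
    print("verify:", verify_readback(backup, backup.ljust(CHIP_SIZE, b"\xff")) or "OK")
```

With real dumps, read the two files with `open(path, "rb").read()` and pass them in place of the constructed `backup` and `wrong` values.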