HD-A1 Exploration / Repair (Standalone HD-DVD)


sega32x
25th February 2007, 06:25
Well, as we all know, it's basically a PC, and has plenty of potential. Broken units can be had cheap ($100 or so, w/ a 2.4GHz P4 + 1GB DDR, and an IDE HD-DVD drive)

Issue is, these broken units usually have a corrupt flash (which has mostly GPL'd Linux code on it), same with mine. And of course, nobody out there has a backup (it's on a USB key!)

So, the hunt goes on. Eventually, I'd love to turn it into a standalone Linux box, with the ability to play HD-DVDs.

Anyone have any ideas?
Thanks!

sega32x
8th March 2007, 04:56
Well, still looking for any info, I am sure someone must have one, that can help!

jeffy
8th March 2007, 09:17
I have found this:
"I was able to get access to another HD-DVD player, and after reading the image on its flash disk it's different in a couple places. Also when trying to put the daughter card from my unit in this other player it would reference the disk for a little while, but then halt partway through the boot process. So it looks like there's probably a serial number stored in the firmware, and a check performed during boot to make sure it's the right firmware for that specific unit by serial number."
http://geekswithblogs.net/lorint/archive/2006/04/21/75795.aspx

It also seems like the "brother" doesn't like CPU upgrades:
"HD-XA1 powered up, the typical 'WELCOME' appeared on the lcd, there was a little drive activity, then nothing. Completely locked up."
- the discussion below the above-mentioned article

sega32x
8th March 2007, 18:28
Thanks for the work, but alas, I've also gone over that page, at least 20 times!

The issue is that there is a 32MB Spansion flash chip onboard as well, but its use evades me (hooked to a Xilinx chip). The CPU could be tied w/ a processor serial number, but it's hard to test all this with a corrupt flash, you know? If I had a working one, I've got a unit to screw around with, what's the worst that would happen, it breaks?

jeffy
8th March 2007, 20:28
Try eBay, there are quite a few listed; however, you know the risks of being deceived.
Eg. $60+25
http://cgi.ebay.com/Toshiba-HD-A1-DVD-Player-AS-IS_W0QQitemZ160093394188QQcategoryZ61250QQrdZ1QQcmdZViewItem
AN EXAMPLE

sega32x
9th March 2007, 17:29
Oh I have, daily. The issue with buying something broken = it don't work (of course!), and I'm just out more cash!

awhitehead
13th March 2007, 15:10
I just ordered a used HD-A1 ("It's in the mail"), primarily because I am interested in playing with the Linux on the thing.

Technically, what I am interested in doing is the following:

The HD-A1 has a USB header on board, into which the USB disk is plugged in. From photos it seems to be fairly standard (and if it's not, USB ports are pretty simple, with 4 wires and ground). When I saw that, I started thinking about replacing it with a USB hub instead of dedicating the port to the internal USB flash. Technically, this should provide a couple of advantages: I should be able to hook up a hard drive over USB to the hub, and not only boot from it (personally I prefer flash - fewer things to break), but also run aacskeys + BackupHDDVD (or some form thereof) right on the stand-alone player. A keyboard, of course, can also be connected. And hey, maybe the player can be convinced to play HD-DVD images right from the hard drive :-)

But thing to do right away, it seems, is to back up internal flash to safe read-only media.

So some questions to those of you that opened up your units already.

This is the first stand-alone player that Toshiba released, so it probably is very rough around the edges, and hasn't been fully stripped of all the development features.

Are there headers on the motherboard anywhere, which might be serial ports? Anything that looks like 10 (or 9) solder points, possibly in two rows of 5 (These would be most obvious, of course)? HD-A1 had to be debugged somehow, right? Some Toshiba kernel engineer had to watch the thing boot, and log on, and fix up all the typos in the config scripts, right? So even if it needs a MAX232 or somesuch to bring serial port out, it's not too bad.

Is the JTAG interface brought out? Microcode had to be debugged somehow, and hardware had to be tested.

Is it running a port of a PC BIOS of some kind, or some kind of custom firmware? CFE? RedBoot? Something else?

I guess I'll know more once I open up my unit, but if someone already did all of this research, and is happily using it as a general purpose computer in a living room, or as a mail server on his network, I'd like to know about it ;-)

laserfan
13th March 2007, 16:43
I guess I'll know more once I open up my unit, but if someone already did all of this research, and is happily using it as a general purpose computer in a living room, or as a mail server on his network, I'd like to know about it ;-)


"Hacking the Toshiba A1" is a great subject but there doesn't seem to be much progress on this vs. the earlier-posted link to Thwait's site. I'm interested too, but can only say at this point that Toshiba is "not unsophisticated" about their use of Linux and its interaction with custom hardware, as I own a couple of Magnia SGXX servers, and these are pretty slick boxes themselves.

Of course I have no idea if the folks involved in their computing business have also advised the HD-DVD guys, but it's a data point.

sega32x
14th March 2007, 01:52
awhitehead, that's what I'm talking about. I did some work on my busted box (got a new one coming, $$ = meh!)

OK, the USB flash = has a few readable partitions, on mine = no kernel of any sort, some encrypted-looking executables (however it had a bad flash, possibly incomplete!)

There are two headers, one connects to the NEC chip that's on the back (with 128KB of flash), the other may connect to the Xilinx chip on the lower left, which in turn is connected to a 32MB Spansion flash chip (BGA, although there is a TSOP pad)

As far as a hub/HDD, haven't gone that far (only wired a USB socket in place of the flash)

But alas, since it's bricked anywho, it don't get far.

As far as the USB flash drive, it is supposed to be locked with a 64-bit RSA key, mine isn't (again, possibly due to the whole bricked unit thing)

Going out on a limb, but somehow the Intel firmware hub connects with the other 32MB Spansion flash (would like to see what's on there, but I can't pull the BGA chip, not that skilled, any other chip = sure!)

We should also investigate each other's flash backups (for compare, try to find the uniqueness) as it is also apparently tied (flash, motherboard, and HD-DVD drive) somehow! There's a tool by the flash manufacturer, has partition stuff, backup/write etc = interesting (and freeware!)

And there is the serial port on the HD-XA1 (and hdv5000), and it's on every gen 1 HD-DVD player, just missing the line converter (however, dunno if that can tap into any debug interface or not)

But, the headers that are interesting = the lower two on the left hand side, the one further up is unknown, the lower one = connects to the NEC chip on the back (I believe!)

The upper one is 8 pins if memory serves me, the lower one is 10, however I did not get to tracing the pinout and comparing (however I thought JTAG as well, issue is 128KB is a bit small for much if anything, 'cept maybe those elusive keys!)

I also heard a rumor that it runs busybox (tiny kernel etc), which I am very familiar with = a start! Would make one great Myth frontend!

At least someone feels the same way!

sega32x
19th March 2007, 22:33
Ok, got my working unit, some quick updates!

Flash unit itself = isn't tied to the unit, I did a 1:1 copy of one flash chip to the other = both work.

Also changed an entry (device id keys), differently = player still boots

Alas, no HD-DVD yet to test playback, but DVD playback works. I believe the goodies are inside the 32MB Spansion chip on the board's underside, as most of the stuff on the flash drive is either encrypted, or an image/config file!

sega32x
21st March 2007, 01:17
Well, booting from an external USB pendrive now, I can modify non-critical data, and some critical (i.e., can make it fail boot, display custom error messages and images etc)

Working on region-freeing it now, but that's not my strong point (yes, I can write to the flash, and it works)

Goal is to somehow drop an ssh daemon etc on there, to ssh in, and use real Linux commands, however that's still a ways off, namely, as all of the interesting executables are encrypted, or hashed!

awhitehead
21st March 2007, 13:22
Well, booting from an external USB pendrive now, I can modify non-critical data, and some critical (i.e., can make it fail boot, display custom error messages and images etc)


Could you elaborate on how you are doing this? I guess you imaged the contents of the flash to a USB key, and connected that to your (broken?) unit?


Working on region-freeing it now, but that's not my strong point (yes, I can write to the flash, and it works)


Well, region-freeing would be for standard DVDs, right? HD-DVDs so far are (thankfully) region-free. For doing something like that, you would need a two stage solution: a region-free (RPC1) firmware for the DVD drive, and software that was modded to always return "region OK" during the region check.

What is the HD-DVD drive in the unit? One thing I am idly curious about is taking whatever's inside out, and connecting a Toshiba SD-S802A (drive from the Xbox 360 HD-DVD attachment) together with a JED50 adapter in place of what's inside. This is a purely intellectual exercise, though, with no practical value. :-)


Goal is to somehow drop an ssh daemon etc on there, to ssh in, and use real Linux commands, however that's still a ways off, namely, as all of the interesting executables are encrypted, or hashed!

I am still waiting for my A1 (was shipped yesterday, finally. You never can tell with sellers on eBay how fast they would ship.). In the meanwhile, a few questions:

Is the firmware running a busybox binary, or are all programs independent?

If you connect the unit to the ethernet network, and port scan it, does it list any services as running?
Is there an inetd or xinetd present on the filesystem? sshd doesn't require inetd-like service, but having inetd means that

You mention checksumming, etc. Does it check the flash checksum, or can files be added to the flash without any problems?
Can you copy a binary onto the system, and would a system run an unsigned binary?

What firmware version are you running? Myself, I was thinking about imaging the flash with the old firmware to a file, upgrading the firmware, imaging the flash to a different file, and then looking at what changed. Maybe this way it's possible to figure out where checksums are stored, etc, and subvert the firmware.

Lastly, would it be possible to post (maybe as an attachment) a recursive directory listing of the flash? ls -laRt should generate what I have in mind (although you might want to sanitize the user/group listing, if you sufficiently care about such things).

Thank you.

sega32x
21st March 2007, 18:17
OK! Well, it has the NEC 1100A drive in it, straight up IDE, guess we can wait a bit on region free.

I am using my new working unit (different one, eBay!), removed the internal flash drive, imaged it to my USB key, and can insert/remove while the cover is on! (a simple dd in Linux did the trick)

Ran nmap on it, showed no open ports at all = really a kick in the pants, but I suppose it needs to be secured at least (woulda loved port 22!)

Files can be added without any issue at all, some of the binaries on there will run on this x86 PC (simple ones, like eject)

It's running FW 2.0, and I am sure the older FWs have more data, however.

The issue is the 32MB Spansion memory chip on the back, I am 99.9% sure that it holds the goodies (as in, the rest of busybox, you will see with the directory listing)

There are symbolic links on the flash that lead to nowhere, all the good executables are encrypted in some form etc. I believe our first goal is to get some kind of code access, then grab the data from the other flash, where the real goodies are!

Basically, a lot is getting extracted to /tmp, no idea where it's coming from.
The fact that the flash boots from any USB drive = showing how much the Intel firmware hub is interacting, I THINK over the GPIO ports it's using the Xilinx chip as a BIOS chip of sorts, then reading the data off the 32MB Spansion, but I haven't a way to prove it (yet!) Still hoping to get my bricked unit fixed, and having access to Linux on both!

Edit: Can't attach (or quote, too big), but here are a few of the interesting ones:


.:
total 31
drwxr-xr-x 4 root root 4096 Mar 21 13:15 ..
drwxr-xr-x 3 root root 1024 Mar 20 21:51 etc
drwxr-xr-x 12 root root 1024 Mar 20 21:01 .
drwxr-xr-x 6 root root 1024 Jan 2 09:50 usr
drwxr-xr-x 2 root root 2048 Jan 2 09:43 lib
drwxr-xr-x 3 root root 1024 Jan 2 09:43 var
drwx------ 2 root root 12288 Oct 19 03:37 lost+found
drwxr-xr-x 2 root root 1024 Jul 5 2006 NetArea
drwxr-xr-x 2 root root 1024 Jan 19 2006 HD_DVD
drwxr-xr-x 2 root root 1024 Sep 23 2005 STRFLG
drwxr-xr-x 3 root root 1024 Jul 11 2005 share


./usr:
total 136222
drwxr-xr-x 5 root root 1024 Mar 20 21:46 local
drwxr-xr-x 12 root root 1024 Mar 20 21:01 ..
drwxr-xr-x 2 root root 1024 Mar 20 21:01 bin
-rw-r--r-- 1 root root 3145728 Mar 20 18:39 netarea.img
-rw-r--r-- 1 root root 135790592 Mar 20 18:39 pstorage
drwxr-xr-x 6 root root 1024 Jan 2 09:50 .
drwxr-xr-x 4 root root 2048 Jan 2 09:43 lib
drwxr-xr-x 4 root root 1024 Jan 2 09:43 share

./usr/local:
total 17
-rwxr--r-- 1 root root 6077 Mar 20 22:04 setting.conf
drwxr-xr-x 5 root root 1024 Mar 20 21:46 .
-rwxr--r-- 1 root root 1361 Mar 20 21:46 capability.conf
drwxr-xr-x 2 root root 1024 Mar 20 21:02 bin
-rwxr--r-- 1 root root 1361 Mar 20 20:09 capability.conf~
drwxr-xr-x 2 root root 1024 Mar 20 18:39 etc
drwxr-xr-x 2 root root 1024 Jan 2 10:55 lib
drwxr-xr-x 6 root root 1024 Jan 2 09:50 ..
-rw-r--r-- 1 root root 81 Jan 2 09:46 driveinfo.conf
-rw-r--r-- 1 root root 56 Aug 8 2006 version.conf

./usr/local/bin:
total 36759
drwxr-xr-x 5 root root 1024 Mar 20 21:46 ..
drwxr-xr-x 2 root root 1024 Mar 20 21:02 .
-rw-r--r-- 1 root root 147476 Jan 2 10:47 excparam2
-rw-r--r-- 1 root root 147476 Jan 2 10:47 excparam1
-rwxr-xr-x 1 root root 16420 Jan 2 09:43 exethromctl.ko
-rwxr-xr-x 1 root root 16420 Jan 2 09:43 exHDD_MOUNT_POINT.txt
-rwxr-xr-x 1 root root 16420 Jan 2 09:43 exrootca.pem
-rwxr-xr-x 1 root root 14909460 Jan 2 09:43 exadvplayer
-rwxr-xr-x 1 root root 16404 Jan 2 09:43 expsinfogen
-rwxr-xr-x 1 root root 98324 Jan 2 09:43 exwriter
-rwxr-xr-x 1 root root 16404 Jan 2 09:43 exwriter.sh
-rwxr-xr-x 1 root root 2949140 Jan 2 09:43 excdplayerd
-rwxr-xr-x 1 root root 3784724 Jan 2 09:43 exdvdplayerd
-rwxr-xr-x 1 root root 3751956 Jan 2 09:43 exdvdvrplayerd
-rwxr-xr-x 1 root root 901140 Jan 2 09:43 exgasdisplay
-rwxr-xr-x 1 root root 4292628 Jan 2 09:43 exhddvdplayerd
-rwxr-xr-x 1 root root 114708 Jan 2 09:43 exvupappd
-rwxr-xr-x 1 root root 3227668 Jan 2 09:43 exlauncherd
lrwxr-xr-x 1 root root 19 Jan 2 09:43 ethromctl.ko -> /tmp/exethromctl.ko
lrwxr-xr-x 1 root root 26 Jan 2 09:43 HDD_MOUNT_POINT.txt -> /tmp/exHDD_MOUNT_POINT.txt
lrwxr-xr-x 1 root root 17 Jan 2 09:43 rootca.pem -> /tmp/exrootca.pem
-rw-r--r-- 1 root root 98388 Aug 31 2006 enexwriter_060317

./usr/local/etc:
total 9
drwxr-xr-x 5 root root 1024 Mar 20 21:46 ..
drwxr-xr-x 2 root root 1024 Mar 20 18:39 .
-rw-r--r-- 1 root root 362 Mar 20 18:39 info.txt
-rwxr--r-- 1 root root 6077 Jul 30 2006 setting.conf

./usr/local/lib:
total 2589
drwxr-xr-x 5 root root 1024 Mar 20 21:46 ..
drwxr-xr-x 2 root root 1024 Jan 2 10:55 .
-rw-r--r-- 1 root root 21120 Jan 2 10:55 libs.so
-rw-r--r-- 1 root root 213028 Jan 2 09:43 exlibsetting.so.1.10
-rw-r--r-- 1 root root 180260 Jan 2 09:43 exlibwmadecode.so.1.1
-rwxr-xr-x 1 root root 122219 Aug 8 2006 libcdaudio.so.1.0.0
-rwxr-xr-x 1 root root 1020971 Aug 8 2006 libiconv.so.2.2.0
-rwxr-xr-x 1 root root 51518 Aug 8 2006 libmp3decode.so.1.2
-rwxr-xr-x 1 root root 1019186 Nov 15 2005 libiconv_plug.so

./usr/bin:
total 649
drwxr-xr-x 2 root root 1024 Mar 20 21:01 .
drwxr-xr-x 6 root root 1024 Jan 2 09:50 ..
lrwxr-xr-x 1 root root 15 Jan 2 09:43 libpng-config -> libpng12-config
-rwxr-xr-x 1 root root 2107 Aug 8 2006 libpng12-config
-rwxr-xr-x 1 root root 593052 Dec 12 2005 fsck.ext2
-rwxr-xr-x 1 root root 18568 Oct 11 2004 setserial
-r-xr-xr-x 1 root root 12636 Sep 28 2004 pkill
-rwxr-xr-x 1 root root 18860 Sep 8 2004 eject

./usr/lib:
total 6415
drwxr-xr-x 6 root root 1024 Jan 2 09:50 ..
drwxr-xr-x 4 root root 2048 Jan 2 09:43 .
-rw-r--r-- 1 root root 114724 Jan 2 09:43 exlibaudiocontroller.so.2.12
-rw-r--r-- 1 root root 32804 Jan 2 09:43 exlibaudiotransfer.so.1.5
-rw-r--r-- 1 root root 65572 Jan 2 09:43 exlibexdvd.so.1.3.2
-rw-r--r-- 1 root root 983076 Jan 2 09:43 exlibgcp.so.4.0.32
-rw-r--r-- 1 root root 65572 Jan 2 09:43 exlibhdmi.so.0.5.0.17
-rw-r--r-- 1 root root 32804 Jan 2 09:43 exlibtossucom.so.1.45
-rw-r--r-- 1 root root 49188 Jan 2 09:43 exlibtsbbackend.so.1.6
-rw-r--r-- 1 root root 1835044 Jan 2 09:43 exlibvideocont.so.003100
-rw-r--r-- 1 root root 32804 Jan 2 09:43 exlibvideotransfer.so.0.5
drwxr-xr-x 5 root root 1024 Jan 2 09:43 locale
drwxr-xr-x 2 root root 1024 Jan 2 09:43 gconv
lrwxr-xr-x 1 root root 33 Jan 2 09:43 libaudiocontroller.so -> /tmp/exlibaudiocontroller.so.2.12
lrwxr-xr-x 1 root root 30 Jan 2 09:43 libaudiotransfer.so -> /tmp/exlibaudiotransfer.so.1.5
lrwxr-xr-x 1 root root 34 Jan 2 09:43 libcdaudio.so -> /usr/local/lib/libcdaudio.so.1.0.0
lrwxr-xr-x 1 root root 34 Jan 2 09:43 libcdaudio.so.1 -> /usr/local/lib/libcdaudio.so.1.0.0
lrwxr-xr-x 1 root root 29 Jan 2 09:43 libcrypto.so -> ../../lib/libcrypto.so.0.9.7a
lrwxr-xr-x 1 root root 24 Jan 2 09:43 libexdvd.so -> /tmp/exlibexdvd.so.1.3.2
lrwxr-xr-x 1 root root 23 Jan 2 09:43 libgcp.so -> /tmp/exlibgcp.so.4.0.32
lrwxr-xr-x 1 root root 21 Jan 2 09:43 libgssapi_krb5.so -> libgssapi_krb5.so.2.2
lrwxr-xr-x 1 root root 21 Jan 2 09:43 libgssapi_krb5.so.2 -> libgssapi_krb5.so.2.2
lrwxr-xr-x 1 root root 26 Jan 2 09:43 libhdmi.so -> /tmp/exlibhdmi.so.0.5.0.17
lrwxr-xr-x 1 root root 32 Jan 2 09:43 libiconv.so -> /usr/local/lib/libiconv.so.2.2.0
lrwxr-xr-x 1 root root 32 Jan 2 09:43 libiconv.so.2 -> /usr/local/lib/libiconv.so.2.2.0
lrwxr-xr-x 1 root root 13 Jan 2 09:43 libjpeg.so -> libjpeg.so.62
lrwxr-xr-x 1 root root 17 Jan 2 09:43 libjpeg.so.62 -> libjpeg.so.62.0.0
lrwxr-xr-x 1 root root 18 Jan 2 09:43 libk5crypto.so.3 -> libk5crypto.so.3.0
lrwxr-xr-x 1 root root 14 Jan 2 09:43 libkrb5.so.3 -> libkrb5.so.3.2
lrwxr-xr-x 1 root root 26 Jan 2 09:43 libmp3decode.so -> /usr/lib/libmp3decode.so.1
lrwxr-xr-x 1 root root 34 Jan 2 09:43 libmp3decode.so.1 -> /usr/local/lib/libmp3decode.so.1.2
lrwxr-xr-x 1 root root 13 Jan 2 09:43 libpng12.so -> libpng12.so.0
lrwxr-xr-x 1 root root 19 Jan 2 09:43 libpng12.so.0 -> libpng12.so.0.1.2.7
lrwxr-xr-x 1 root root 10 Jan 2 09:43 libpng.a -> libpng12.a
lrwxr-xr-x 1 root root 11 Jan 2 09:43 libpng.so -> libpng.so.3
lrwxr-xr-x 1 root root 17 Jan 2 09:43 libpng.so.3 -> libpng.so.3.1.2.7
lrwxr-xr-x 1 root root 19 Jan 2 09:43 libpng.so.3.1.2.7 -> libpng12.so.0.1.2.7
lrwxr-xr-x 1 root root 24 Jan 2 09:43 libresolv.so -> ../../lib/libresolv.so.2
lrwxr-xr-x 1 root root 25 Jan 2 09:43 libsetting.so -> /tmp/exlibsetting.so.1.10
lrwxr-xr-x 1 root root 26 Jan 2 09:43 libssl.so -> ../../lib/libssl.so.0.9.7a
lrwxr-xr-x 1 root root 26 Jan 2 09:43 libtossucom.so -> /tmp/exlibtossucom.so.1.45
lrwxr-xr-x 1 root root 27 Jan 2 09:43 libtsbbackend.so -> /tmp/exlibtsbbackend.so.1.6
lrwxr-xr-x 1 root root 29 Jan 2 09:43 libvideocont.so -> /tmp/exlibvideocont.so.003100
lrwxr-xr-x 1 root root 30 Jan 2 09:43 libvideotransfer.so -> /tmp/exlibvideotransfer.so.0.5
lrwxr-xr-x 1 root root 26 Jan 2 09:43 libwmadecode.so -> /usr/lib/libwmadecode.so.1
lrwxr-xr-x 1 root root 26 Jan 2 09:43 libwmadecode.so.1 -> /tmp/exlibwmadecode.so.1.1
lrwxr-xr-x 1 root root 15 Jan 2 09:43 libz.so.1 -> libz.so.1.2.1.2
-rw-r--r-- 1 root root 169800 Aug 8 2006 libpng12.a
-rwxr-xr-x 1 root root 142648 Aug 8 2006 libpng12.so.0.1.2.7
-rwxr-xr-x 1 root root 63528 Aug 8 2006 libz.so.1.2.1.2
-rwxr-xr-x 1 root root 3350 Feb 16 2006 libcxaguard.so.5
-rwxr--r-- 1 root root 133410 Feb 15 2006 libjpeg.so.62.0.0
-rwxr-xr-x 1 root root 2152277 Sep 13 2005 libimf.so
-rwxr-xr-x 1 root root 82944 Aug 31 2004 libgssapi_krb5.so.2.2
-rwxr-xr-x 1 root root 136044 Aug 31 2004 libk5crypto.so.3.0
-rwxr-xr-x 1 root root 415188 Aug 31 2004 libkrb5.so.3.2
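
The listing above is full of symlinks that point into /tmp or /mnt/ROM, i.e. at files that only exist once the box is running, not on the imaged flash (sega32x's "symbolic links that lead to nowhere"). The following is an added example, not code from anyone in this thread: it parses `ls -laR` output of the kind posted, follows link-to-link chains, and sorts every symlink into present / external / unlisted so the runtime-populated pieces stand out. The embedded listing is a constructed excerpt of the posted one, and treating /tmp and /mnt as off-image prefixes is an assumption.

```python
"""Find symlinks in an `ls -laR` dump whose targets are not on the imaged flash.
Added example for this thread, not a poster's or Toshiba's code."""
import posixpath
import re
from typing import Dict, Set, Tuple

# Constructed excerpt of the listing posted above (paths relative to the flash root).
SAMPLE_LISTING = """\
./usr/local/bin:
total 36759
drwxr-xr-x 2 root root 1024 Mar 20 21:02 .
-rwxr-xr-x 1 root root 16420 Jan 2 09:43 exethromctl.ko
-rwxr-xr-x 1 root root 14909460 Jan 2 09:43 exadvplayer
lrwxr-xr-x 1 root root 19 Jan 2 09:43 ethromctl.ko -> /tmp/exethromctl.ko
lrwxr-xr-x 1 root root 17 Jan 2 09:43 rootca.pem -> /tmp/exrootca.pem

./usr/lib:
total 6415
-rw-r--r-- 1 root root 983076 Jan 2 09:43 exlibgcp.so.4.0.32
lrwxr-xr-x 1 root root 23 Jan 2 09:43 libgcp.so -> /tmp/exlibgcp.so.4.0.32
lrwxr-xr-x 1 root root 29 Jan 2 09:43 libcrypto.so -> ../../lib/libcrypto.so.0.9.7a
lrwxr-xr-x 1 root root 13 Jan 2 09:43 libjpeg.so -> libjpeg.so.62
lrwxr-xr-x 1 root root 17 Jan 2 09:43 libjpeg.so.62 -> libjpeg.so.62.0.0
-rwxr--r-- 1 root root 133410 Feb 15 2006 libjpeg.so.62.0.0

./etc:
total 5
lrwxr-xr-x 1 root root 42 Jan 2 09:43 localtime -> /mnt/ROM/usr/share/zoneinfo/Canada/Eastern
"""

# Assumed: targets under these prefixes are not on the flash image. /tmp is filled
# at runtime (the thread notes files "getting extracted to /tmp"), /mnt/ROM is a mount.
EXTERNAL_PREFIXES = ("/tmp/", "/mnt/")

# mode, links, owner, group, size, month, day, time-or-year, name[ -> target]
ENTRY_RE = re.compile(
    r"^([-dlcbps][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:]+\s+(.*)$"
)


def parse_listing(text: str) -> Tuple[Set[str], Dict[str, str]]:
    """Return (set of absolute entry paths, {absolute link path: raw target})."""
    entries: Set[str] = set()
    links: Dict[str, str] = {}
    cwd = "/"
    for line in text.splitlines():
        if line.startswith(".") and line.endswith(":"):
            cwd = posixpath.normpath(line[1:-1] or "/")  # "./usr/lib:" -> "/usr/lib"
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "total N" lines and blanks
        mode, rest = m.groups()
        target = None
        name = rest
        if mode[0] == "l" and " -> " in rest:
            name, target = rest.split(" -> ", 1)
        if name in (".", ".."):
            continue
        path = posixpath.join(cwd, name)
        entries.add(path)
        if target is not None:
            links[path] = target
    return entries, links


def resolve_target(link_path: str, target: str) -> str:
    """Absolute, normalised path the link points at (relative targets resolve from the link's dir)."""
    if target.startswith("/"):
        return posixpath.normpath(target)
    return posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))


def follow_chain(path: str, links: Dict[str, str], max_hops: int = 16) -> str:
    """Follow link-to-link chains (libjpeg.so -> libjpeg.so.62 -> libjpeg.so.62.0.0); bounded so a loop cannot hang."""
    hops = 0
    while path in links and hops < max_hops:
        path = resolve_target(path, links[path])
        hops += 1
    return path


def classify_links(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each symlink to (final target, verdict):
    present  - final target is an entry in the listing
    external - final target is under a prefix that is not on the flash image
    unlisted - neither: dangling, or in a directory the listing does not cover"""
    entries, links = parse_listing(text)
    result: Dict[str, Tuple[str, str]] = {}
    for link in sorted(links):
        final = follow_chain(link, links)
        if final in entries:
            verdict = "present"
        elif final.startswith(EXTERNAL_PREFIXES):
            verdict = "external"
        else:
            verdict = "unlisted"
        result[link] = (final, verdict)
    return result


if __name__ == "__main__":
    for link, (final, verdict) in classify_links(SAMPLE_LISTING).items():
        print(f"{verdict:9s} {link} -> {final}")
```

Run against the full `ls -laR` output instead of the excerpt and the "external" list is exactly the set of files the firmware must be producing at boot from somewhere other than the USB flash.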

awhitehead
21st March 2007, 19:22
Edit: Can't attach (or quote, too big), but here are a few of the interesting ones:


.:
total 31
drwxr-xr-x 4 root root 4096 Mar 21 13:15 ..
drwxr-xr-x 3 root root 1024 Mar 20 21:51 etc
drwxr-xr-x 12 root root 1024 Mar 20 21:01 .
drwxr-xr-x 6 root root 1024 Jan 2 09:50 usr
drwxr-xr-x 2 root root 2048 Jan 2 09:43 lib
drwxr-xr-x 3 root root 1024 Jan 2 09:43 var
drwx------ 2 root root 12288 Oct 19 03:37 lost+found
drwxr-xr-x 2 root root 1024 Jul 5 2006 NetArea
drwxr-xr-x 2 root root 1024 Jan 19 2006 HD_DVD
drwxr-xr-x 2 root root 1024 Sep 23 2005 STRFLG
drwxr-xr-x 3 root root 1024 Jul 11 2005 share



Neat!

Is /etc on the removable flash as well (It lists as a directory, but you didn't list contents)? If yes, then maybe we can attempt to either replace init outright, or attempt to modify some of the start-up scripts.

(Of course there is a possibility that kernel is not calling /etc/init at bootup. Hrm. But then it's a matter of figuring out what it is that kernel starts up on bootup. There is also a possibility of encrypted/signed binary or some sort of sanity checking performed by the kernel. Hrm.)

sega32x
21st March 2007, 19:33
Well, it is, but it's filled with graphics files (which is why I couldn't list them: it's 3x skins by 3x menus, every letter button etc = a lot of PNGs, but I'll list the root of them!)

I think it's a two-part system, the unprotected essentials (that wouldn't change, like the kernel, bootloader, crypto stuff) are on the 32MB flash chip on the underside of the board, and the stuff that does change (like the player executables, images etc) is on the flash drive. It's actually a great idea, twofold: keeps things very secure, and much easier to fix in the event of any kind of upgrade failure etc!

However, it got me thinking, the iso and udf kernel modules are in the clear, if for some reason they're not checked, and if we cross-compile our own kernel module that does XYZ (let's say, everything we want), we're in business!

The key is to either get that going, or a dump of the other flash, alas, I'm no good at removing BGA'd chips!

The confs are just listings of error messages, and XY coords on placement of images, no goodies etc! Sad part is, I've been working quite a bit with busybox as of late, and it's a great piece of work!


./etc:
total 5
-rw-r--r-- 1 root root 45 Mar 20 22:04 adjtime
drwxr-xr-x 3 root root 1024 Mar 20 21:51 .
-rw-r--r-- 1 root root 60 Mar 20 21:51 resolv.conf
drwxr-xr-x 12 root root 1024 Mar 20 21:01 ..
lrwxr-xr-x 1 root root 42 Jan 2 09:43 localtime -> /mnt/ROM/usr/share/zoneinfo/Canada/Eastern
drwxr-xr-x 11 root root 1024 Jan 2 09:43 image

./etc/image:
total 414
drwxr-xr-x 3 root root 1024 Mar 20 21:51 ..
drwxr-xr-x 5 root root 1024 Jan 2 09:43 1_SetupMenu_old
drwxr-xr-x 11 root root 1024 Jan 2 09:43 .
drwxr-xr-x 5 root root 1024 Jan 2 09:43 1_SetupMenu
drwxr-xr-x 5 root root 1024 Jan 2 09:43 ControlGuide
drwxr-xr-x 2 root root 4096 Jan 2 09:43 launcher
drwxr-xr-x 11 root root 1024 Jan 2 09:43 CD
drwxr-xr-x 5 root root 2048 Jan 2 09:43 COMMON
drwxr-xr-x 6 root root 1024 Jan 2 09:43 DVD
drwxr-xr-x 5 root root 1024 Jan 2 09:43 DVDtitlelist
drwxr-xr-x 4 root root 1024 Jan 2 09:43 pstorage
-rwxr--r-- 1 root root 13758 Jul 26 2006 us_alertparts1.conf
-rwxr--r-- 1 root root 13754 Jul 26 2006 us_alertparts.conf
-rwxr--r-- 1 root root 22210 Jul 26 2006 us_advdvdplayerparts.conf
-rwxr--r-- 1 root root 13549 Jul 26 2006 jp_alertparts1.conf
-rwxr--r-- 1 root root 13545 Jul 26 2006 jp_alertparts.conf
-rwxr--r-- 1 root root 20364 Jul 26 2006 jp_advdvdplayerparts.conf
-rwxr--r-- 1 root root 18313 Jul 26 2006 fr_alertparts1.conf
-rwxr--r-- 1 root root 18309 Jul 26 2006 fr_alertparts.conf
-rwxr--r-- 1 root root 19242 Jul 26 2006 fr_advdvdplayerparts.conf
-rwxr--r-- 1 root root 72268 Jul 11 2006 jp_dvdplayerparts.conf
-rwxr--r-- 1 root root 72574 Jul 11 2006 fr_dvdplayerparts.conf
-rwxr--r-- 1 root root 72119 Apr 28 2006 us_dvdplayerparts.conf
-rw-r--r-- 1 root root 6240 Feb 28 2006 fr_controlguide.conf
-rw-r--r-- 1 root root 6271 Feb 28 2006 jp_controlguide.conf
-rw-r--r-- 1 root root 6256 Feb 28 2006 us_controlguide.conf

./etc/image/1_SetupMenu_old:
total 5
drwxr-xr-x 5 root root 1024 Jan 2 09:43 .
drwxr-xr-x 6 root root 1024 Jan 2 09:43 2_Contrast
drwxr-xr-x 6 root root 1024 Jan 2 09:43 3_Material
drwxr-xr-x 11 root root 1024 Jan 2 09:43 ..
drwxr-xr-x 6 root root 1024 Jan 2 09:43 1_CalmBlue

./etc/image/1_SetupMenu_old/2_Contrast:
total 36
drwxr-xr-x 6 root root 1024 Jan 2 09:43 .
drwxr-xr-x 5 root root 1024 Jan 2 09:43 ..
drwxr-xr-x 2 root root 8192 Jan 2 09:43 fn
drwxr-xr-x 2 root root 8192 Jan 2 09:43 jp
drwxr-xr-x 2 root root 10240 Jan 2 09:43 common
drwxr-xr-x 2 root root 8192 Jan 2 09:43 en

./etc/image/1_SetupMenu_old/2_Contrast/fn:
total 1065
drwxr-xr-x 2 root root 8192 Jan 2 09:43 .
drwxr-xr-x 6 root root 1024 Jan 2 09:43 ..
-rwxr-xr-x 1 root root 1609 Apr 27 2006 bl_text_1_1.png
-rwxr-xr-x 1 root root 3061 Apr 27 2006 bl_text_1_3.png
-rwxr-xr-x 1 root root 2301 Apr 27 2006 bl_text_1_4.png
-rwxr-xr-x 1 root root 2948 Apr 27 2006 bl_text_2_1.png
-rwxr-xr-x 1 root root 3009 Apr 27 2006 bl_text_2_2.png
-rwxr-xr-x 1 root root 3405 Apr 27 2006 bl_text_2_3.png
-rwxr-xr-x 1 root root 3729 Apr 27 2006 bl_text_2_4.png
-rwxr-xr-x 1 root root 3020 Apr 27 2006 bl_text_2_5.png
-rwxr-xr-x 1 root root 3000 Apr 27 2006 bl_text_3_1.png
-rwxr-xr-x 1 root root 2690 Apr 27 2006 bl_text_3_2.png
-rwxr-xr-x 1 root root 2427 Apr 27 2006 bl_text_3_3.png
-rwxr-xr-x 1 root root 2228 Apr 27 2006 bl_text_3_4.png
-rwxr-xr-x 1 root root 1128 Apr 27 2006 bl_text_4_1.png
-rwxr-xr-x 1 root root 2619 Apr 27 2006 bl_text_4_2.png
-rwxr-xr-x 1 root root 1979 Apr 27 2006 bl_text_4_3.png
-rwxr-xr-x 1 root root 2841 Apr 27 2006 bl_text_4_4.png
-rwxr-xr-x 1 root root 1862 Apr 27 2006 bl_text_4_5.png
-rwxr-xr-x 1 root root 2437 Apr 27 2006 bl_text_5_1.png
-rwxr-xr-x 1 root root 2784 Apr 27 2006 bl_text_5_2.png
-rwxr-xr-x 1 root root 3710 Apr 27 2006 bl_text_5_3.png
-rwxr-xr-x 1 root root 3189 Apr 27 2006 bl_text_5_4.png
-rwxr-xr-x 1 root root 2015 Apr 27 2006 bl_text_5_5.png
-rwxr-xr-x 1 root root 965 Apr 27 2006 bl_text_5_6.png
-rwxr-xr-x 1 root root 1794 Apr 27 2006 bl_text_5_7.png
-rwxr-xr-x 1 root root 1390 Apr 27 2006 bm_text_1.png
-rwxr-xr-x 1 root root 1272 Apr 27 2006 bm_text_2.png
-rwxr-xr-x 1 root root 1442 Apr 27 2006 bm_text_3.png
-rwxr-xr-x 1 root root 1450 Apr 27 2006 bm_text_4.png
-rwxr-xr-x 1 root root 1376 Apr 27 2006 bm_text_5.png
-rwxr-xr-x 1 root root 666 Apr 27 2006 bs_text_1_1_1.png
-rwxr-xr-x 1 root root 492 Apr 27 2006 bs_text_1_1_2.png
-rwxr-xr-x 1 root root 1785 Apr 27 2006 bs_text_1_1_3.png
-rwxr-xr-x 1 root root 1069 Apr 27 2006 bs_text_1_3_1.png
-rwxr-xr-x 1 root root 764 Apr 27 2006 bs_text_1_3_2.png
-rwxr-xr-x 1 root root 520 Apr 27 2006 bs_text_1_4_1.png
-rwxr-xr-x 1 root root 927 Apr 27 2006 bs_text_1_4_2.png
-rwxr-xr-x 1 root root 686 Apr 27 2006 bs_text_1_4_3.png
-rwxr-xr-x 1 root root 1417 Apr 27 2006 bs_text_2_1_1.png
-rwxr-xr-x 1 root root 795 Apr 27 2006 bs_text_2_1_2.png
-rwxr-xr-x 1 root root 686 Apr 27 2006 bs_text_2_2_1.png
-rwxr-xr-x 1 root root 1417 Apr 27 2006 bs_text_2_2_2.png
-rwxr-xr-x 1 root root 795 Apr 27 2006 bs_text_2_2_3.png
-rwxr-xr-x 1 root root 2769 Apr 27 2006 bs_text_2_2_4.png
-rwxr-xr-x 1 root root 1069 Apr 27 2006 bs_text_2_3_1.png
-rwxr-xr-x 1 root root 764 Apr 27 2006 bs_text_2_3_2.png
-rwxr-xr-x 1 root root 1069 Apr 27 2006 bs_text_2_4_1.png
-rwxr-xr-x 1 root root 764 Apr 27 2006 bs_text_2_4_2.png
-rwxr-xr-x 1 root root 1025 Apr 27 2006 bs_text_2_5_1_1.png
-rwxr-xr-x 1 root root 927 Apr 27 2006 bs_text_2_5_1_2.png
-rwxr-xr-x 1 root root 1134 Apr 27 2006 bs_text_2_5_1.png
-rwxr-xr-x 1 root root 604 Apr 27 2006 bs_text_2_5_2_1.png
-rwxr-xr-x 1 root root 927 Apr 27 2006 bs_text_2_5_2_2.png
-rwxr-xr-x 1 root root 2416 Apr 27 2006 bs_text_2_5_2_3.png
-rwxr-xr-x 1 root root 1110 Apr 27 2006 bs_text_2_5_2.png
-rwxr-xr-x 1 root root 1111 Apr 27 2006 bs_text_3_1_1.png
-rwxr-xr-x 1 root root 1010 Apr 27 2006 bs_text_3_1_2.png
-rwxr-xr-x 1 root root 1086 Apr 27 2006 bs_text_3_1_3.png
-rwxr-xr-x 1 root root 592 Apr 27 2006 bs_text_3_1_4_1.png
-rwxr-xr-x 1 root root 818 Apr 27 2006 bs_text_3_1_4_2.png
-rwxr-xr-x 1 root root 779 Apr 27 2006 bs_text_3_1_4.png
-rwxr-xr-x 1 root root 831 Apr 27 2006 bs_text_3_2_1.png
-rwxr-xr-x 1 root root 1111 Apr 27 2006 bs_text_3_2_2.png
-rwxr-xr-x 1 root root 1086 Apr 27 2006 bs_text_3_2_3.png
-rwxr-xr-x 1 root root 592 Apr 27 2006 bs_text_3_2_4_1.png
-rwxr-xr-x 1 root root 818 Apr 27 2006 bs_text_3_2_4_2.png
-rwxr-xr-x 1 root root 779 Apr 27 2006 bs_text_3_2_4.png
-rwxr-xr-x 1 root root 1111 Apr 27 2006 bs_text_3_3_1.png
-rwxr-xr-x 1 root root 1086 Apr 27 2006 bs_text_3_3_2.png
-rwxr-xr-x 1 root root 592 Apr 27 2006 bs_text_3_3_3_1.png
-rwxr-xr-x 1 root root 818 Apr 27 2006 bs_text_3_3_3_2.png
-rwxr-xr-x 1 root root 779 Apr 27 2006 bs_text_3_3_3.png
-rwxr-xr-x 1 root root 1111 Apr 27 2006 bs_text_3_4_1.png
-rwxr-xr-x 1 root root 1010 Apr 27 2006 bs_text_3_4_2.png
-rwxr-xr-x 1 root root 1086 Apr 27 2006 bs_text_3_4_3.png
-rwxr-xr-x 1 root root 930 Apr 27 2006 bs_text_4_1_1.png
-rwxr-xr-x 1 root root 788 Apr 27 2006 bs_text_4_1_2.png


It keeps on going, more and more PNGs!

HyperHacker
22nd March 2007, 08:01
As far as the USB flash drive, it is supposed to be locked with a 64-bit RSA key, mine isn't (again, possibly due to the whole bricked unit thing)
64-bit? Isn't that extremely weak?

sega32x
22nd March 2007, 18:16
Well, that is what the M-Systems PDF says, however the two I have aren't locked at all, and work just fine (odd, I know, but it does!)

I believe the key to moving forward is getting an image of the data off that 32MB Spansion flash, but as to how to do it, not too sure. Thinking JTAG the Xilinx chip, but not sure on the pinout for it, and don't have a scope!

awhitehead
22nd March 2007, 23:39
I finally picked up my HD-A1 today, and verified functionality (used unit). So about to start playing with the firmware on the thing (Pulling down a latest knoppix live DVD as we speak, since I live primarily in Solaris and MacOS world, and don't have a general purpose Linux system).

A couple of questions to sega32x:

You mention booting off a USB key. Did you remove the internal M-Systems USB flash, and just plug a USB key with a copy of the image into one of the two USB slots on the front?

Did you dd the image from the internal flash to the USB keyfob directly, or actually mke2fs the USB key, and copy the files over? After digging around I can only find 1 gig and 2 gig USB keys (from back when I used them with an Asus wireless AP that runs Linux on Broadcom, to run general purpose Debian for MIPS on the thing instead of busybox), so am curious what your experiences are.

As an aside: the documentation for the HD-A1 provides a copy of the GPL for the Linux kernel and busybox components. So the thing runs busybox, which is great - easy to understand and recompile. Does Toshiba provide their copy of these components (together with libpng, etc) anywhere on their websites? I don't particularly care about GPL violations if they don't (although I should probably care more), but if they provide their modifications, it could help us to figure out what they did.

sega32x
23rd March 2007, 00:26
1 -> Yes, I did (originally wired up the internal to a socket etc, and wired a usb cable to the msystems key), but then realised I could use a usb key

2 -> Yeah, I did a simple dd, however I don't see why a copy of the filesystem etc wouldn't work

3 -> I've heard the same, mine (a new refurb) didn't, but it is not on their site at all, it would be a good start.

Furthermore, did some sniffing on the update procedure, it connects to https://dtv.ivcreation.com, but that's where I lost it, due to the whole SSL and all, and man in the middle attacks aren't working yet (I'm blaming user error on this one!)

I really want to get this wide open, and get my other unit working too, baby steps though, first root access :)

Edit: seems like /usr/local/bin/exlauncherd may be busybox itself, but I am yet to be sure of that, basically, remove that file, and the system won't init at all, and that (3.1mb) is about the size of busybox + a kernel, stripped very light, of course. I also fear that the flash contents are encrypted per box, unless the other flash from the other box I have is corrupt (as the box is non-working!) If so, this just got a lot harder.

awhitehead
23rd March 2007, 02:21
Furthermore, did some sniffing on the update procedure, it connects to https://dtv.ivcreation.com, but that's where I lost it, due to the whole SSL and all, and man in the middle attacks aren't working yet (I'm blaming user error on this one!)


Well, the realistic way of intercepting HTTPS requests is through a proxy (since decrypting SSL session packet captures can be a bit of a headache). So maybe the way to see what's going on is not through sniffing, but through compiling squid, configuring squid to proxy ssl, and then telling the HD-A1 to use the proxy for net access. Check to make sure that squid generates verbose logs, and you should be able to see at least what the requests are.

Coincidentally, http://www.1080x1920.net/ has the firmware images of 1.2, 1.3, 1.4 and 2.0 firmware for HD-A1. Requires registration to download, though. I poked around the firmware, but it seems that after the header that identifies the hardware platform, there is just either compressed or encrypted binary, so I didn't get anything of interest.

sega32x
23rd March 2007, 02:30
Yeah, I also have plenty of those, they have the header with model number, version number, then a 512-bit section (maybe crypto keys? dunno), then some null space, and some kind of encrypted binary, just as you said.

But, even if the SSL was intercepted etc, decrypted (or whatever), that might help identify the update file etc, which is probably just as encrypted, so we need to look elsewhere!

awhitehead
23rd March 2007, 02:54
Quick question:
I am poking at the m-systems flash board. Looking at the pinouts.
(9 on one side, and 5 on the other, you know what I am talking about)
Are the 9 pins just the standard USB 2 pinout, as used on motherboards, etc? In other words, if I plug it right in, I won't fry the flash, right?

The other 5 pins are marked as "NC", which I "translate" as "not connected"

sega32x
23rd March 2007, 03:06
Yep, exactly, sorry on the late reply, an IM would be easier I'd bet, but yeah, it's 100% usb pinout, I just wired it up!

awhitehead
23rd March 2007, 05:57
Ok, got the image off of the flash. Thank you for all the advice.

Luckily one of the PCs at home had the USB pinouts on the motherboard that were not too crowded (I had to put tape on a near-by capacitor to prevent any potential short), so the Knoppix CD happily let me dd the device. Cursory fdisk check showed that it's kind of funnily partitioned - the partition is flagged as Fat32 bootable (primary), yet the actual filesystem is ext2 (this might be important later on). Out of 256 megs on the flash, 19 are free (2.0 firmware). Gzipped image is ~90 megs.

I'll poke around at it some more tomorrow.

When I had the m-disk in the PC, and was selecting boot device, PC bios offered me a possibility of booting off of it. I didn't at the time, but this looks like something to try.

jkenzie
23rd March 2007, 15:36
Here are a few links that might be of interest if you don't already have them.

http://www.m-systems.com/NR/rdonlyres/1E31358E-3E13-48DB-960E-61FC37F731EA/0/uDOC_DS_rev23.pdf

http://www.m-systems.com/site/en-US/Support/SoftwareDownload/uDOC_Boot_Files.htm

http://dvd.sourceforge.net/dvdinfo/sprm.html


http://sourceforge.net/projects/ext2fsd

sega32x
23rd March 2007, 18:09
Yeah, I tried booting here = no luck. But if you can, give it a shot!

awhitehead
23rd March 2007, 18:40
Yeah, I tried booting here = no luck. But if you can, give it a shot!

The boot block corresponds to the boot block generated by Windows 95b/98/ME.
However, the filesystem on the primary partition is ext2.

On my copy:

00000000 33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C 3.....|.P.P....|
00000010 BF 1B 06 50 57 B9 E5 01 F3 A4 CB BE BE 07 B1 04 ...PW...........
00000020 38 2C 7C 09 75 15 83 C6 10 E2 F5 CD 18 8B 14 8B 8,|.u...........
00000030 EE 83 C6 10 49 74 16 38 2C 74 F6 BE 10 07 4E AC ....It.8,t....N.
00000040 3C 00 74 FA BB 07 00 B4 0E CD 10 EB F2 89 46 25 <.t...........F%
00000050 96 8A 46 04 B4 06 3C 0E 74 11 B4 0B 3C 0C 74 05 ..F...<.t...<.t.
00000060 3A C4 75 2B 40 C6 46 25 06 75 24 BB AA 55 50 B4 :.u+@.F%.u$..UP.
00000070 41 CD 13 58 72 16 81 FB 55 AA 75 10 F6 C1 01 74 A..Xr...U.u....t
00000080 0B 8A E0 88 56 24 C7 06 A1 06 EB 1E 88 66 04 BF ....V$.......f..
00000090 0A 00 B8 01 02 8B DC 33 C9 83 FF 05 7F 03 8B 4E .......3.......N
000000A0 25 03 4E 02 CD 13 72 29 BE 46 07 81 3E FE 7D 55 %.N...r).F..>.}U
000000B0 AA 74 5A 83 EF 05 7F DA 85 F6 75 83 BE 27 07 EB .tZ.......u..'..
000000C0 8A 98 91 52 99 03 46 08 13 56 0A E8 12 00 5A EB ...R..F..V....Z.
000000D0 D5 4F 74 E4 33 C0 CD 13 EB B8 00 00 00 00 00 00 .Ot.3...........
000000E0 56 33 F6 56 56 52 50 06 53 51 BE 10 00 56 8B F4 V3.VVRP.SQ...V..
000000F0 50 52 B8 00 42 8A 56 24 CD 13 5A 58 8D 64 10 72 PR..B.V$..ZX.d.r
00000100 0A 40 75 01 42 80 C7 02 E2 F7 F8 5E C3 EB 74 49 .@u.B......^..tI
00000110 6E 76 61 6C 69 64 20 70 61 72 74 69 74 69 6F 6E nvalid partition
00000120 20 74 61 62 6C 65 00 45 72 72 6F 72 20 6C 6F 61 table.Error loa
00000130 64 69 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73 ding operating s
00000140 79 73 74 65 6D 00 4D 69 73 73 69 6E 67 20 6F 70 ystem.Missing op
00000150 65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 00 00 erating system..
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000180 00 00 00 8B FC 1E 57 8B F5 CB 00 00 00 00 00 00 ......W.........
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................


My information is based on this (http://209.85.165.104/search?q=cache:KAjjotKficAJ:www.geocities.com/thestarman3/asm/mbr/95BMEMBR.htm&hl=en) site.

Based on my understanding of how embedded systems tend to work, most likely the bootloader loads a kernel from a particular point in the (internal 32 meg?) flash, and passes the kernel an argument where the root filesystem (on the m-systems flash?) is, and potentially where init is.

That's why we are having a hard time finding a kernel, as it's just not there.

So most likely what matters more is not the bootblock on the USB key (with which I am going to replace the internal m-systems flash), but the fact that it's the first (or the only) USB mass storage device on the USB bus (at least for now), and that the filesystem is on the first primary partition on the disk. Since we can't (yet) change the arguments passed to the kernel, that aspect needs to be duplicated for things to work.
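The "type byte says FAT32, contents say ext2" situation above is easy to confirm programmatically. The following is an added example, not code from this thread: it parses the four MBR partition entries at offset 446, then looks for the ext2 superblock magic (0xEF53, 1 KiB into the partition) regardless of what the type byte claims. The sample image is constructed inline to mirror the dump described above; point the script at a real dd image to check that instead.

```python
"""Added example: parse an MBR partition table and check whether the partition
data is really ext2, regardless of what the type byte claims.

Not code from the thread. The sample image is constructed here to mirror the
observation above (type 0x0B, bootable flag set, ext2 superblock inside)."""
import struct
import sys

SECTOR = 512
EXT2_SUPER_MAGIC = 0xEF53        # u16 at byte 56 of the ext2 superblock
EXT2_SUPERBLOCK_OFFSET = 1024    # the superblock starts 1 KiB into the partition
PARTITION_TYPES = {0x06: "FAT16", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty entries of the 4-slot partition table at offset 446."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack_from(
            "<B3BB3BII", sector, 446 + 16 * slot)
        if ptype == 0:
            continue                      # empty slot
        entries.append({
            "slot": slot,
            "bootable": status == 0x80,   # 0x80 = active flag in the status byte
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def has_ext2_superblock(image: bytes, lba_start: int) -> bool:
    """True if an ext2/ext3 superblock magic sits where one would for this partition."""
    off = lba_start * SECTOR + EXT2_SUPERBLOCK_OFFSET + 56
    if off + 2 > len(image):
        return False
    return struct.unpack_from("<H", image, off)[0] == EXT2_SUPER_MAGIC


def describe_image(image: bytes) -> list:
    """Annotate each MBR entry with whether its data looks like ext2 and whether
    that contradicts the partition type byte (the mismatch seen on the HD-A1 flash)."""
    out = []
    for entry in parse_mbr(image[:SECTOR]):
        entry = dict(entry)
        entry["ext2_superblock"] = has_ext2_superblock(image, entry["lba_start"])
        entry["type_mismatch"] = entry["ext2_superblock"] and entry["type"] in (0x0B, 0x0C)
        out.append(entry)
    return out


def build_sample_image() -> bytes:
    """Constructed sample (not a real dump): one bootable FAT32-typed partition at
    LBA 63 whose contents carry an ext2 superblock."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3BB3BII", 0x80, 1, 1, 0, 0x0B, 0xFE, 0xFF, 0xFF, 63, 2048)
    mbr[510:512] = b"\x55\xAA"
    partition = bytearray(2048 * SECTOR)
    struct.pack_into("<H", partition, EXT2_SUPERBLOCK_OFFSET + 56, EXT2_SUPER_MAGIC)
    return bytes(mbr) + bytes(62 * SECTOR) + bytes(partition)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for e in describe_image(data):
        print(f"slot {e['slot']}: type 0x{e['type']:02X} ({e['type_name']}), "
              f"bootable={e['bootable']}, start LBA {e['lba_start']}, "
              f"ext2 superblock={e['ext2_superblock']}, mismatch={e['type_mismatch']}")
```

The point of checking the superblock rather than trusting the type byte is exactly the one made in the post: a Linux kernel told "root=/dev/sda1" mounts whatever filesystem it finds there, so the MBR type byte is cosmetic and a cloned key only needs the ext2 data in the first primary partition.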

sega32x
23rd March 2007, 18:52
Alas, I believe you're 100% correct, I thought the same too, and feared it. Our goodies (kernel etc) are in the 32mb flash, and we need a way to get them out. However, I haven't a clue, except to "hack" the player, to get root access, there are some symbolic links to /mnt/ROM , I'm going to assume our ROM is that 32mb flash, not to mention all the links to modules in /tmp , that don't exist.

So, we can assume the boot process may be something like this.
Power on
Bios startup (possibly read crypto key from HD-DVD drive)
Read the kernel from 32mb flash (and possibly decrypt w/ the key)
Mount the first partition on the first USB device
Decrypt and run /usr/local/exlauncherd

All that is done while the player still says "Welcome", and the exlauncherd is running when the HDMI/1080i output etc is shown on screen, then the HD-DVD animation, and then its live.

However, if this is correct, we need to get into this 32mb of flash, which only has three options: pulling and reading the chip (since it's a BGA, not very practical), jtag'ing the connected xilinx chip (if it will even work), or the fun alternative, get a shell, and do it that way :)

awhitehead
23rd March 2007, 20:25
Alas, I believe you're 100% correct, I thought the same too, and feared it. Our goodies (kernel etc) are in the 32mb flash, and we need a way to get them out. However, I haven't a clue, except to "hack" the player, to get root access.

So next step is to get access to the system while it's running.

Currently the most promising, at least to me, is the 'eject' binary, that is unencrypted and is located in /usr/bin on the image.

Basically, while I have only a vague idea as to when the rest of the binaries in /usr/bin are run (pkill would run on shutdown, most likely, setserial might not be triggered at all, fsck.ext2 ditto, libpng-* might be triggered if we are decrypting and uncompressing an ACA menu file, with PNGs in it, or might be used for every aspect of the operation of the player), eject most likely gets run when you press the correct button on the remote.

So this is what my next avenue of attack will be:

Compile a stand-alone shell (or some other shell that is easy to compile statically), and drop it into /usr/local. Compile netcat, drop it into /usr/local. Write a small C wrapper, that would call netcat and tell it to bind to a port and run sash. Compile the wrapper statically, call it "eject", and drop it in place of eject.

Boot the player, hit eject button, telnet to port, see what waits for us there.

Gotta start somewhere.

You know what's next if it fails, right? Praying that libpng Toshiba used is unpatched, and trying to overflow it with malformed png file. Or recompiling udf.ko with some additional modifications :)



BTW, file returns that the binaries are built under Linux 2.2.5 (or newer? I've not looked at elf signatures in years), however strings on the two unencrypted kernel objects in /share/excalibur/drivers returns

author=Ben Fennema
description=Universal Disk Format Filesystem
license=GPL
vermagic=2.6.10-R040 preempt PENTIUM4 16KSTACKS gcc-3.4

and

license=GPL
alias=iso9660
vermagic=2.6.10-R035 preempt PENTIUM4 16KSTACKS gcc-3.4
depends=


So most likely we are dealing with 2.6.10 kernel.
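The vermagic strings quoted above are worth more than a kernel version guess: a 2.6-era kernel compares a module's vermagic against its own (an exact string comparison in kernel/module.c at the time; later kernels relax it slightly) and refuses to load the module on any difference, which is the check a recompiled udf.ko or isofs.ko would have to pass. The following is an added example, not code from this thread or from Toshiba. It assumes the raw .modinfo section has already been extracted (for instance with objcopy -O binary --only-section=.modinfo udf.ko udf.modinfo); the sample bytes are constructed from the two strings listings in the post.

```python
"""Added example: read the key=value strings a kernel module carries in its
.modinfo section and apply the vermagic check a 2.6.10-era kernel does at load.

Not code from the thread. It assumes you already extracted the raw section,
e.g. objcopy -O binary --only-section=.modinfo udf.ko udf.modinfo; the sample
bytes below are constructed from the strings output quoted above."""


def parse_modinfo(section: bytes) -> dict:
    """Split the NUL-separated key=value records; keys that may repeat
    (alias, parm) collect into lists, so every value is a list."""
    info = {}
    for record in section.split(b"\x00"):
        if not record:
            continue
        key, _, value = record.decode("ascii", "replace").partition("=")
        info.setdefault(key, []).append(value)
    return info


def parse_vermagic(vermagic: str) -> dict:
    """'2.6.10-R040 preempt PENTIUM4 16KSTACKS gcc-3.4' -> release + build flags."""
    release, *flags = vermagic.split()
    return {"release": release, "flags": frozenset(flags)}


def module_loadable(module_vermagic: str, kernel_vermagic: str) -> tuple:
    """Emulate the 2.6.10 check: the kernel compares the two strings for exact
    equality (same_magic() in kernel/module.c) unless insmod forces the load.
    On mismatch, explain which part differs."""
    if module_vermagic == kernel_vermagic:
        return True, "vermagic matches"
    mod, krn = parse_vermagic(module_vermagic), parse_vermagic(kernel_vermagic)
    if mod["release"] != krn["release"]:
        return False, f"release mismatch: module {mod['release']}, kernel {krn['release']}"
    differing = sorted(mod["flags"] ^ krn["flags"])
    return False, "build flags differ: " + " ".join(differing)


# constructed .modinfo contents, from the two strings listings in the post
UDF_MODINFO = (b"author=Ben Fennema\0description=Universal Disk Format Filesystem\0"
               b"license=GPL\0vermagic=2.6.10-R040 preempt PENTIUM4 16KSTACKS gcc-3.4\0")
ISOFS_MODINFO = (b"license=GPL\0alias=iso9660\0"
                 b"vermagic=2.6.10-R035 preempt PENTIUM4 16KSTACKS gcc-3.4\0depends=\0")


def check_against_kernel(section: bytes, kernel_vermagic: str) -> tuple:
    """Parse a section and report whether that module would load on the given kernel."""
    info = parse_modinfo(section)
    return module_loadable(info["vermagic"][0], kernel_vermagic)


if __name__ == "__main__":
    # Treat the udf module's vermagic as the running kernel's and test both modules.
    kernel = parse_modinfo(UDF_MODINFO)["vermagic"][0]
    for name, section in (("udf.ko", UDF_MODINFO), ("isofs.ko", ISOFS_MODINFO)):
        print(name, *check_against_kernel(section, kernel))
```

Run on the two strings from the post, the check reports a release mismatch (R040 versus R035) between the two modules, so a module rebuilt for this box has to reproduce not just "2.6.10" but the full string, including the preempt, PENTIUM4, 16KSTACKS and gcc-3.4 tokens, or be loaded with insmod's force flag.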

awhitehead
23rd March 2007, 20:31
Come to think about it, busybox might be a better sash than sash :-)
sash: http://members.tip.net.au/~dbell/
busybox: http://www.busybox.net/

sega32x
23rd March 2007, 20:37
I love the method of attack, I only have one issue, does the eject binary even run? As in, we need to start simple, rename the executable (or remove it), and see if that makes eject not work.

I think our manual eject button may not call eject, but more like doing an upgrade, hitting no, and it ejecting the disk = may be it! I will look into that in a few minutes, if so, I hope your compiler is warm :)

sega32x
23rd March 2007, 21:32
Hrmm, I deleted our fun eject binary, and well, update disk, even the eject button = still works, question is, why are those still there!

awhitehead
23rd March 2007, 22:42
Very weird. And frustrating. Looking at the various encrypted files (the ones that start with ex*), it seems like some sort of block cipher is used. Not feasible to break, unfortunately.

For a bit I was wondering about /var/spool/cron/crontabs, but it seems unlikely that the unit has a running crond. Maybe worth trying, though.

I have a couple of other ideas, but they are a bit farfetched.

I guess I shall poke around libpng source code, maybe backdooring that is the solution.

sega32x
23rd March 2007, 22:46
Well, to our benefit, we may be able to replace the libpng modules with older versions (or ones compiled ourselves), and plant in a nice large exploit.

But if we can run the code, it can be run (if that makes sense). I really want to revert to like 1.2, I'd believe there would be more remnants most likely, but I am not sure if reverting is possible w/o bricking the unit.

Also need to look into how the box reads data from the 32mb flash. Not to mention the serial port, the southbridge = legacy free, datasheets suggest it uses the LPC bus for most stuff (including COM), it's very possible the 32mb flash and xilinx chip are on that bus, which might make it easier, or harder!

awhitehead
24th March 2007, 05:36
So this evening I recreated the filesystem on a 1 gig USB flash key (Apacer, but it doesn't matter), and yanked the internal m-systems flash out. Indeed, all the system cares about is for the data it expects to be on the first partition, and the partition to be formatted ext2.

After that I tried to give the thing an IP, and spent about an hour cursing at the f*&^en mac os, that ships with a bloody non-standard DHCP server. Of course I want to hand the HD-A1 an IP address, but not let it connect to the internet yet. This way I can sniff all traffic going through. Didn't get anywhere as bootpd wasn't cooperating (and the mac os x one ships with some weird dialect of bootpd, that doesn't use the normal /etc/bootptab and /etc/dhcptab). Eventually she who must be obeyed told me that she wants to watch a movie, and that I should let it go for the night.

So I'll poke around at it some more tomorrow, once I compile ISC dhcpd on the macbook.

In the meanwhile, here is what the DHCP packet looks like:

22:41:48.063928 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], length: 576) 0.0.0.0.bootpc > broadcasthost.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:0e:7c:d4:02:fe, length: 548, xid:0xf4337f74, flags: [none] (0x0000)
Client Ethernet Address: 00:0e:7c:d4:02:fe
Vendor-rfc1048:
DHCP:DISCOVER
CID:[ether]00:0e:7c:d4:02:fe
VC:"udhcp 0.9.9-pre"
PR:SM+DG+NS+HN+DN+BR


Google search for udhcp results in top hit leading to busybox.

Unit tries three times during bootup (before the HD-DVD logo shows), and then 3 more times about 30 seconds later. After that it stops (there might be a way to trigger DHCP requests through the menus - I didn't try).

Re: Rolling back the firmware: Sadly I got mine with 2.0 pre-installed (And probably would have had to upgrade pretty soon - SWMBO wanted to watch some HD-DVDs that were created using standard authoring support, which got supported in 2.0). However, /usr/local/version.conf contains this:

USER=T
LANGUAGE=E
HARD=HD-XA1
VERNUM=2.001N
MODULE=0001


One experiment I am thinking about is manually decreasing the number to 1.4, telling the unit to attempt an update, and seeing what happens. If the unit happily upgrades, then it's maybe possible to also downgrade it using a CD-R.

Question: Are all HD-A1s encrypted with the same key, or is the key host specific (might even be the MAC of the NIC, or the drive serial number or the USB device serial number, it's there and it's different)? Anyone who has a copy of the firmware wants to do some comparisons? I can privately send my image. If the key is unique, then how are the update images rolled out? Encrypted with Toshiba key, they get decrypted and re-encrypted?
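The tcpdump lines quoted earlier in this post (vendor class "udhcp 0.9.9-pre", parameter request list SM+DG+NS+HN+DN+BR) are exactly the fields DHCP fingerprinting uses to identify an embedded Linux device on a network, which is useful when inventorying what is talking on a LAN. The following is an added example, not code from this thread: it decodes the fixed BOOTP header and the option TLVs of a DISCOVER and summarises them the way the capture did. The packet bytes are constructed here from the values in the quoted capture; the "likely_stack" label is an assumption based on the vendor class alone.

```python
"""Added example: decode a DHCP DISCOVER and pull out the fields a fingerprint
relies on (vendor class, client id, parameter request list).

Not code from the thread; the packet bytes are constructed here from the
values quoted in the tcpdump output above."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
# option codes in the parameter request list, with tcpdump's abbreviations
PARAM_NAMES = {1: "SM", 3: "DG", 6: "NS", 12: "HN", 15: "DN", 28: "BR"}


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed 236-byte BOOTP header and the option TLVs after the cookie."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid = struct.unpack_from("!BBBBI", packet, 0)
    chaddr = packet[28:28 + hlen]
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # PAD
            i += 1
            continue
        if code == 255:          # END
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "htype": htype, "xid": xid,
            "mac": ":".join(f"{b:02x}" for b in chaddr), "options": options}


def fingerprint(parsed: dict) -> dict:
    """Summarise the options the way a DHCP fingerprinting tool would."""
    opts = parsed["options"]
    msg_type = MESSAGE_TYPES.get(opts.get(53, b"\x00")[0], "unknown")
    vendor_class = opts.get(60, b"").decode("ascii", "replace")
    prl = "+".join(PARAM_NAMES.get(c, str(c)) for c in opts.get(55, b""))
    raw_cid = opts.get(61, b"")
    # client id type 1 = hardware address, same encoding as chaddr
    client_id = (":".join(f"{b:02x}" for b in raw_cid[1:])
                 if raw_cid[:1] == b"\x01" else raw_cid.hex())
    # udhcp is the client BusyBox ships as udhcpc, so this vendor class is a
    # strong hint of a BusyBox-based embedded Linux (assumption: not spoofed)
    stack = "busybox udhcpc" if vendor_class.startswith("udhcp") else "unknown"
    return {"message_type": msg_type, "vendor_class": vendor_class,
            "param_request": prl, "client_id": client_id, "likely_stack": stack}


def build_sample_discover() -> bytes:
    """Constructed DISCOVER matching the fields in the quoted capture."""
    mac = bytes.fromhex("000e7cd402fe")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0xF4337F74, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([53, 1, 1])                       # message type: DISCOVER
               + bytes([61, 7, 1]) + mac               # client id: hw type 1 + MAC
               + bytes([60, 15]) + b"udhcp 0.9.9-pre"  # vendor class identifier
               + bytes([55, 6, 1, 3, 6, 12, 15, 28])   # parameter request list
               + b"\xff")
    packet = header + MAGIC_COOKIE + options
    return packet.ljust(548, b"\0")                    # pad to the 548 bytes seen above


if __name__ == "__main__":
    parsed = parse_dhcp(build_sample_discover())
    print(parsed["mac"], hex(parsed["xid"]), fingerprint(parsed))
```

The parser tolerates PAD bytes and stops at END, so the zero padding udhcp adds to reach a fixed packet size does not confuse it; on a real capture, feed it the UDP payload of the bootpc packet.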

sega32x
24th March 2007, 05:54
Very nice read, I heard an update will take (even a downgrade) w/o mucking with the FW version numbers, but that you lose HD-DVD playback (until you reupgrade possibly), so I have yet to go that far.

Well, we can trade if you want, but I am nearly 100% sure they are different per box, which is bad. I can only assume that the files are stored encrypted on the update disk, decrypted, then reencrypted with the key, as you say, which isn't that good.

I have made a little progress however, the udf and isofs kernel modules, delete them, disks won't read, replace them, they do. I have been able to (for now) do a simple hex edit, change a few lines of plaintext, and they still work. Which would possibly mean there's no check, or crc etc. I am working on installing 2.6.10 kernel source, and will recompile the module, if it works, we just might have a way in!

Since the motherboard, HD-DVD, and contents on the flash are tied per key, I am really thinking it's on the idea of the 360, key in the dvd drive, key for the flash etc, however in this case, the key would not be in the CPU, which is a start. If the HD-DVD drive is not plugged in, the unit fails to boot, so, we can hope that's where it's stored, and we can dump that FW possibly too!

awhitehead
24th March 2007, 20:21
If you go into setup, ethernet, ntp server, and toggle that option off and on again, the unit starts initiating connections to dtv.ivcreation.com (Hrm. Maybe a static /etc/hosts entry, pointing at a system controlled by me?), and a portscan reports that port 10570 is now open, and listening.

Since I did the portscan from the system that also acted as a DNS server and DHCP server for the unit, it's possible that it's still waiting on a DNS reply, etc, however opening port 10570 is a consistent behavior across reboots.


root@hostname:/opt/nmap/bin[03:10 PM]# ./nmap -v -sS -p 1-61337 -O 192.168.2.8

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2007-03-24 15:10 EDT
Initiating ARP Ping Scan against 192.168.2.8 [1 port] at 15:10
The ARP Ping Scan took 0.03s to scan 1 total hosts.
Initiating SYN Stealth Scan against 192.168.2.8 [61337 ports] at 15:10
Discovered open port 10570/tcp on 192.168.2.8
The SYN Stealth Scan took 52.66s to scan 61337 total ports.
For OSScan assuming port 10570 is open, 1 is closed, and neither are firewalled
Host 192.168.2.8 appears to be up ... good.
Interesting ports on 192.168.2.8:
(The 61336 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
10570/tcp open unknown
MAC Address: 00:0E:7C:D4:02:FE (Toshiba)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11
Uptime 0.004 days (since Sat Mar 24 15:05:35 2007)
TCP Sequence Prediction: Class=random positive increments
Difficulty=4807373 (Good luck!)
IPID Sequence Generation: All zeros

Nmap finished: 1 IP address (1 host up) scanned in 57.847 seconds
Raw packets sent: 61353 (2.45MB) | Rcvd: 61351 (3.07MB)
root@hostname:/opt/nmap/bin[03:11 PM]#


Yes, I tried connecting to it, but I have no idea what it expects after connection is opened. Standard HTTP and FTP commands and random ascii strings did not result in anything. Googling for what usually binds to port 10570 didn't return any obvious/useful results, although I didn't check IANA port allocations database.

P.S. I've tried to subvert the ntp update script, using the logic that files with prefix "ex" are actually decrypted first, and then executed, as opposed to decrypted on the fly. So far, that proved to be wrong, but I don't know if that's because I wrote bad scripts, compiled binaries that the OS doesn't like, or something else.

sega32x
24th March 2007, 20:46
Well, the dtv.ivcreation.com site, a fake DNS entry would be simple to do (arp poisoning anyone?), or even just changing the DNS servers, the issue is it (on update, dunno on others, didn't sniff) tries to go over HTTPS.

But, looking through my capture, it contacts a dns server, gets the IP for that site, and runs from there, however, very nice find on that open port, it's the first one!

I am nearly sure we can throw in a hook in the isofs or udf kernel modules, the problem is, I am not that skilled w/ asm (I'm only good with editing stuff to bypass, not go externally). Ideally, we could create a dev environment that's nearly 100% the same, and go from there, but if any modifications were made to their code, they would fail to compile, and run (it seems).

About that port, google suggested some sorta VPN, seems terribly illogical for something like that, but a port is a port is a port!

Edit: What I find really interesting is the fact that you got an OS hit etc off of that port, with ports closed, I couldn't get a thing!

Edit 2: Got a hit off the same port, so it's not a fluke! Key is, what is that port!

awhitehead
24th March 2007, 20:54
I am nearly sure we can throw in a hook in the isofs or udf kernel modules, the problem is, I am not that skilled w/ asm (I'm only good with editing stuff to bypass, not go externally). Ideally, we could create a dev environment that's nearly 100% the same, and go from there, but if any modifications were made to their code, they would fail to compile, and run (it seems).


I thought about it myself, and recompiling the kernel module for the iso 9660 filesystem is not that hard (I'd rather touch that than the patched UDF 2.5 kernel extension). Problem is that then we have access to the system in kernel mode, and kernel mode is significantly different from user mode (I never coded anything in Linux kernel mode), since you have access to kernel memory, and can easily hose the system; switching from kernel mode to user mode (so as to, for example, run a service binding to the network port) is pretty complicated.

Seriously, I'd still rather try to replace the libpng, since we have a rough idea when PNGs get loaded (when we trigger setup, or when we put in an HD-DVD with menus, or during the bootup, when it shows a nice picture of the HD-DVD logo), and it's already in user mode, but running with root privileges.

Edit: Maybe the first step is to just add an extra routine to the libpng procedure that decodes the image, and in the process run a system call, outputting the results of uname -a; ps auxww; dmesg and friends to a file in /usr/local. Then we can yank the flash, and just read it, and then re-compile it again with the additional information that is now known.


About that port, google suggested some sorta VPN, seems terribly illogical for something like that, but a port is a port is a port!


It would make sense that any and all data transfers from toshiba's update site would be encrypted/tunnelled. So it just might be the VPN.


Edit: What I find really interesting is the fact that you got an OS hit etc off of that port, with ports closed, I couldnt get a thing!
System only opens this port when I toggle the NTP service off and then on again. Could you try and see if it works for you? In my case HD-A1 had limited IP connectivity - I handed it IP over DHCP, however I didn't give it a route to the internet.

sega32x
24th March 2007, 20:58
Well, I just did some scanning, that port opens upon going into the DHCP menu (enabling), and also when I am in the NTP setting menu, but going into system update etc, it closes!

Edit: Just did a DNS hijack to my own SSL server, it's refusing the certificate, that isn't too good!

sega32x
26th March 2007, 02:16
Well, downgraded to 1.2, HD-DVD playback broke (of course), replaced w/ 2.0 executable (hddvd player that is) , no luck, edited config files for proper version and drive/aacs numbers = nothing.

However, stick my 2.0 flash usb stick in there, everything works fine!

Seems 1.00 will be the best, if we can get ahold of it (a lot of extra files on the root, stuff for the VFD display etc), but alas, no upgrade disk for that :/

Edit: Same ports are open, seem it opens up only while in setup = hrmm!

Edit 2: Went to upgrade to 2.0, player bricked, went to 50% and died! = @_@, luckily I kept a backup of the flash, all still works (at 2.0!)

sega32x
28th March 2007, 21:21
Well, let's bump up a thread, with some more info, player works again (as before)

Seems there's a LPC -> super IO chip on the XA1, backside, but haven't a clue as to what it is (anyone?)

Also, seems the northbridge has an active VGA output (but not used), it may be possible to tap and view the output of that, for possible debug messages etc (anything would be a help!) However doing that = tough, need to sort the BGA pinout, wire it up to a cable etc = a pain, as the points are very small, and they don't adjust well (as it's on the bottom of the board!)

gonesuper
31st March 2007, 16:12
Hi guys, I've been reading your posts as I have a damaged RCA version of the player (a rebadged XA1)

I'm in the UK so a failing stepdown transformer blew out the player's power supply. I've repaired this but my system is hanging at boot, probably due to a corrupt flash. Would it be possible to use your dump to reimage mine?

I also took out the hd-dvd drive to see if I could use it for movie viewing coupled with Vista and AnyDVD HD but the drive wouldn't read any disk I put in, be it CD, DVD or HD-DVD. Vista sees it fine and knows it's a HD-DVD drive but won't see any disks in it.

I think a binflash dump of this drive would have me running again if any of you have access to one.

After reading your progress I'm very interested in trying to help out as I see a hacked linux kernel or a machine running AnyDVD HD as a way of getting 1080p from this machine.

If any of you can offer a copy of the dumped hr-1100a firmware and/or the dumped flash files then I'd be glad to try and further your progress with the aid of my hopefully repaired machine.

sega32x
31st March 2007, 18:48
Thanks, but the issue is that the HD-DVD drive, the motherboard, and the flash are all keyed to each other, even with our dumps of the drive and flash, yours still will not work, until we can figure out how to reprogram the motherboard :/

gonesuper
31st March 2007, 19:22
I'm pretty sure the hd-dvd firmware will be identical, though I see your point with the flash drive.

I've been playing about with mine today and it seems to be booting now. It had a handshake issue and was stuck on hdmi 1080i but the drive still won't read discs.

If I had a firmware dump then I could compare it with my drive's dump in windows and see if I can flash it to get disc access back.

According to other forums normal dvd playback works but with my drive it says unrecognised disc. It still seems to know if the disc is iso9660 or udf and also the disc size but no file access is possible.

Have you tried the HR-1100a in windows?

sega32x
31st March 2007, 21:16
Have yet to dump the drive (got two here, a working A1, and a broken one!), it may be possible to do it however!

What firmware are you running on? If it was upgraded to 2.00, then downgraded to like 1.2, it won't read disks (usually).

However, if you're bored, take out the motherboard, flip it around, there is an 86 pin chip near the top left, can you take a picture of it? It's the LPC interface chip (to provide the serial port, among other things, like a floppy drive, keyboard etc!)


Edit: Just tried it, alas it shows the drive as unsupported, ideas?

gonesuper
1st April 2007, 13:23
OK, got the drive out to dump the drive's firmware with binflash. When I plug it into windows it works fine. dvdinfo reports it as a hd-dvd drive and all the specs match what I have found on the web, just the disk access seems to be the problem.

My machine was updated to 2.0 using an iso I got from 1080x1920.com. As mine is an RCA machine the network update only gives you their approved file, which is 1.4 or thereabouts; the Toshiba DVD update works fine though.

I think I can see the LPC port on the main board. I'll get some pics uploaded later this afternoon.

awhitehead
2nd April 2007, 15:49
(I am still around, however being exceedingly busy with finals, and with life in general. But I am continuing to tinker with HD-A1 on and off, and am still reading this thread)

OK, got the drive out to dump the drive's firmware with binflash. When I plug it into windows it works fine. dvdinfo reports it as a hd-dvd drive and all the specs match what I have found on the web, just the disk access seems to be the problem.


gonesuper, could you clarify a little thing for me?
When you say "disk access seems to be the problem", do you mean that if you plug the HD-DVD drive into a PC, it will be detected, but PC will not read HD-DVD disks? If that's the case, could it be lack of the UDF 2.5 filesystem driver (Look in the sticky in the Decryption forum, called "HD-DVD (and Blu-Ray) decrypting tools" for a pointer where to find the drivers for XP and for Linux)?


My machine was updated to 2.0 using an iso I got from 1080x1920.com. As mine is an RCA machine the network update only gives you their approved file, which is 1.4 or thereabouts; the Toshiba DVD update works fine though.

In one of the threads on avsforums it was mentioned that if you have an RCA rebadged Toshiba, you can call up Toshiba technical support, and they will send you a "special" disk, that will remove the RCA rebadging, and make it behave like a normal OEM Toshiba unit.


I think I can see the LPC port on the main board. I'll get some pics uploaded later this afternoon.

Myself, I am waiting for 2.1 firmware for the first gen players to come out, in hopes that it will provide further insight in the system.

We know that the two unencrypted kernel modules - udf.ko and isofs.ko - are being used, since the system doesn't mount the respective disk types if these kernel modules are absent. I loathe touching these, however, since my Linux kernel kung-fu is very weak.

In the meanwhile, I am still confused if the binaries in /usr/bin are actually used. sega32x tested the effects of removal of eject binary, and concluded that /usr/bin/eject is not being triggered by anything.

I suspect that /usr/bin/setserial and /usr/bin/pkill are dead end as well, since there is no serial in the HD-A1 (OK, there is a serial port in HD-XA1, so you might be able to get further along there), and pkill, if used, is likely used only during shutdown routines (Although pkill *MIGHT* be useful to try replacing, since even during shutdown it can do exciting things, like dump process listing, dmesg and list of kernel modules to disk)

It is possible that fsck.ext2 actually does get run by the system in some situations, and thus can be useful, however.

I've been toying around with an idea of generating a linux filesystem, using tunefs to force it to be fscked next time it gets mounted. This should trigger fsck.ext2. But then what? Burn it onto a CD, and put CD in the player? Technically nothing forces one to use UDF or ISO9660 filesystem to store data on CD or DVD, so ext2 filesystem should work.

So many unknowns, and I have so little time until I am done with finals..... :(

gonesuper
2nd April 2007, 17:16
When I say I have no drive access what I mean is when I put the HR-1100a in my desktop PC the drive is seen by Windows XP and Vista but no disks can be read. As far as any software reports the drive is fine and has all functions working, but when I try to put any disks in it they fail to read.

I believe this is because my firmware is corrupt from the above mentioned power fault, and that's the main reason why I'm looking for a binflash firmware dump.

This thread (http://www.avsforum.com/avs-vb/showthread.php?t=667995) shows that when the poster tried the same thing with his windows pc, dvd and cd access was fine but no hd-dvd access was available. I have both XP and Vista machines here so I've been able to try it with the Vista udf driver and the generic XP udf driver that's doing the rounds but there is still no change.

Up until the power supply problem the player was working fine on the Toshiba 2.0 update so I don't really have any concerns there. If I wait for the 2.1 update is it likely to reflash the drive firmware or just the OS side of things?

awhitehead
2nd April 2007, 19:44
If I wait for the 2.1 update is it likely to reflash the drive firmware or just the OS side of things?

Honestly, I don't know. Technically flashing a drive firmware is not a complicated process: You need to have a firmware file, and then send the CDBs to the drive to get it into flash mode ("Boot mode" on Toshiba drives, don't know what NEC uses), and then send a bunch of vendor specific CDBs intermixed with firmware. Since Linux allows you to compose arbitrary CDBs, and send them to the drive....

The point of the above is that if you have a firmware image and know the vendor specific CDBs, it's not that complicated to flash a drive. So I don't know. If Toshiba has a reason to flash a drive, they probably will.

Here might be something to try:

You have your NEC HD-1100a in a PC, right? It gets a drive letter assigned, right? Can you try KenD00's dumpvid.exe (http://forum.doom9.org/attachment.php?attachmentid=6824&d=1171837753), and see if you get anything in the file bca.bin?

Dumpvid is supposed to get you the first 8 bytes of the 16-byte volume ID (that you need to decrypt the AACS on HD-DVD), but here it can be used to test if the drive actually deals with AACS mandated commands properly. If it does, then there is probably a vendor specific firmware that is used by the Toshiba. If it doesn't, then maybe indeed your drive got its firmware scrambled (but how? it's not that commonly written to).

Just thinking out loud.

P.S. Here is the bca.bin generated on "Relentless Enemies" HD-DVD.

10011104481200001002100840000115
20072036000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
000000000000000000000000


The bytes 40 00 01 15 20 07 20 36 are the first 8 bytes of the 16-byte volume ID.

You should get something similar, where the first two bytes of the 8-byte ID are generally 40 00, to the best of my knowledge.
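
A small checker for a bca.bin listing like the one above, added here as an example (it is not dumpvid, nor code from the thread). It parses the hex text, pulls out the 8 bytes at the position the post points at (byte offset 12, an assumption read off the listing above), and classifies the dump so a reader can tell "the drive answered" from "the file is empty or all zeros", which is the diagnostic question the post is really asking. The 40 00 prefix rule is the post's own rule of thumb, not a specification.

```python
"""Sanity-check a dumpvid-style bca.bin hex dump (added example)."""

# Sample input, constructed by re-typing the listing posted above.
BCA_DUMP_TEXT = """
10011104481200001002100840000115
20072036000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
000000000000000000000000
"""

VOLUME_ID_OFFSET = 12          # assumption: where the 8 bytes sit in this listing
VOLUME_ID_LENGTH = 8
EXPECTED_PREFIX = b"\x40\x00"  # the post's rule of thumb for the first two bytes


def parse_hex_dump(text: str) -> bytes:
    """Turn a whitespace-separated hex listing into raw bytes."""
    hexdigits = "".join(text.split())
    if len(hexdigits) % 2:
        raise ValueError("odd number of hex digits in dump")
    return bytes.fromhex(hexdigits)


def volume_id_prefix(data: bytes) -> bytes:
    """The 8 bytes the post identifies as the first half of the volume ID."""
    return data[VOLUME_ID_OFFSET:VOLUME_ID_OFFSET + VOLUME_ID_LENGTH]


def classify_dump(text: str) -> str:
    """Return 'empty', 'all-zero', 'unexpected-prefix' or 'ok'.

    'empty' and 'all-zero' both mean the drive did not return a usable
    answer to the command; 'unexpected-prefix' means it returned data
    that does not look like the listing above.
    """
    data = parse_hex_dump(text)
    if not data:
        return "empty"
    if not any(data):
        return "all-zero"
    prefix = volume_id_prefix(data)
    if len(prefix) < VOLUME_ID_LENGTH or prefix[:2] != EXPECTED_PREFIX:
        return "unexpected-prefix"
    return "ok"


if __name__ == "__main__":
    data = parse_hex_dump(BCA_DUMP_TEXT)
    print("dump is", len(data), "bytes")
    print("volume id prefix:", volume_id_prefix(data).hex(" "))
    print("verdict:", classify_dump(BCA_DUMP_TEXT))
```

Run it against the text of your own bca.bin (for a binary file, `open(path, "rb").read().hex()` gives the same form of input) and compare the verdict with the one the posted listing gets.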

awhitehead
2nd April 2007, 20:00
After re-reading the thread on HD-1100A not being able to read HD-DVDs under XP, and looking at the dates of the posts, I am convinced that the problem there was lack of UDF 2.5 drivers in the host operating system.

UDF 2.5 drivers for Windows XP exist.

Take a look at http://uneasysilence.com/archive/2006/11/8303/ - they needed the UDF 2.5 drivers too, before the Xbox HD-DVD drive started to work with Windows XP and HD-DVDs.

sega32x
4th April 2007, 19:33
Well, as a last resort here, software is really starting to seem like possibly the hard way in. Anyone possibly have a scope that can ID some pins? (namely the two debug headers)

I'm nearly sure the upper one may be a serial port, it matches the same general pins that Toshiba used on an older model DVD player w/ serial port, but still investigating it, it's not easy tracing a multilayer PCB!

The lower is most likely a JTAG to the NEC chip on the back (its function is unknown however).

Worst comes to worst, I can buy a hot air station, remove the BGA chip, read it, make a pinout to external pads, dump one from my working player, and go from there. (This would probably need to be coupled w/ a reflash of the HD-DVD drive, if it is tied, as they say, and also a replacement of the flash) so we would essentially have a bunch of cloned boxes, which still works for me.

Issue is however, that 32mb Spansion is our BIOS, but does it have our crypto / bootloader etc in there, or is the bootloader in our launcher? That's about 4mb, which does fit for a very tiny Linux kernel, busybox etc.

awhitehead
6th April 2007, 07:07
If I wait for the 2.1 update, is it likely to reflash the drive firmware or just the OS side of things?

This (http://www.avsforum.com/avs-vb/showthread.php?p=10202133&&#post10202133) post on avsforums indicates that indeed 2.1 firmware updates the drive firmware:

Well, going by the looks of it, 2.0T is the new drive firmware (as I've pulled a drive from a 2.0 model, thru a PC it shows revision at 2.0R, R S T) so we can assume a new one, and hopefully much more reliable!


I've not upgraded yet.

sega32x
6th April 2007, 20:47
Indeed, I saw that, and that's the new working theory, at least on the bricked units: when the disk is in the drive, and it reboots after a reflash, it mucks up (somehow) the reflash.

I know the drive has a debug output, as do many NEC drives, but as for the exact protocol to use, I'm not sure. Also in contact w/ the guys who wrote binflash, sent them some stuff, hopefully they will have support for the drive in a future version as well.

Also working on JTAGging the Pentium 4 itself, maybe get better access, be able to step thru code, dump memory (or the flash itself). Out of the 5 JTAG pins, 3 are accessible on the underside, the other two need to tap into the processor itself (vs the socket), which will be very fun to do (one is on the edge = easy, other is in the middle = tough!)

Ideally, a Socket 478 interposer would be great, but alas, haven't found one for sale (yet).

Worst case scenario, I drop the money on a hot air rework station, pull the BGA chip, trace a pinout, dump the flash of the working unit, do the same to the HD-DVD drive, but that's nuts.

Looking at the kernel modules however, kills me, modules for the Broadcom chip, southbridge, audio controllers, EVERYTHING, this unit will be amazing to play with in time, but we just can't get into it, yet!

Edit: It also seems like on a non working unit (or a bad flash etc), it searches the USB stick around every 30sec - 1 min for a file. I am wondering if it's a failsafe for reflashing, alas I am not sure how to monitor and log USB activities!

awhitehead
12th April 2007, 22:02
*sigh*

sega32x
12th April 2007, 23:59
I was just gonna reply that the new binflash has dumping support, and I was dumping both my drives for a compare (to possibly find a key)
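
Comparing two dumps to find where they differ is what several posts in this thread set out to do (the geekswithblogs article quoted earlier found the flash "different in a couple places", and the post above dumps two drives "for a compare"). The script below is an added example, not binflash or any tool from the thread: it reports every byte range where two images differ, the fraction that is identical, and a side-by-side hex window around a range, which is how you locate a per-unit field such as a serial number in an otherwise identical image. The two sample images, their layout and their serial strings are constructed for the demo.

```python
"""Locate the differing regions between two firmware/flash dumps (added example)."""
from pathlib import Path
from typing import List, Tuple


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of bytes where a and b differ.

    If the images have different sizes, the trailing part that exists in
    only one of them is reported as a final range.
    """
    ranges: List[Tuple[int, int]] = []
    n = min(len(a), len(b))
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, n - start))
    if len(a) != len(b):
        ranges.append((n, abs(len(a) - len(b))))
    return ranges


def fraction_identical(a: bytes, b: bytes) -> float:
    """Share of the larger image that matches byte for byte."""
    n = max(len(a), len(b))
    if n == 0:
        return 1.0
    differing = sum(length for _, length in diff_ranges(a, b))
    return 1.0 - differing / n


def hexdump_window(a: bytes, b: bytes, offset: int, length: int, context: int = 4) -> str:
    """Hex of both images around one differing range, with a little context."""
    lo = max(0, offset - context)
    hi = min(max(len(a), len(b)), offset + length + context)
    return (f"{lo:#08x}  A: {a[lo:hi].hex(' ')}\n"
            f"{lo:#08x}  B: {b[lo:hi].hex(' ')}")


def make_sample_image(serial: bytes, field: bytes) -> bytes:
    """Constructed 1 KiB image: filler plus a 16-byte serial slot and a 4-byte field."""
    img = bytearray(bytes(range(256)) * 4)
    img[0x100:0x110] = serial   # assumption for the demo: serial lives at 0x100
    img[0x300:0x304] = field    # assumption for the demo: second per-unit field
    return bytes(img)


# Two constructed "units" that differ only in their per-unit fields.
UNIT_A = make_sample_image(b"A1B2C3D4E5F6G7H8", b"\x01\x02\x03\x04")
UNIT_B = make_sample_image(b"Z9Y8X7W6V4U3T2S1", b"\x11\x12\x13\x14")


def report(a: bytes, b: bytes) -> str:
    lines = [f"{fraction_identical(a, b):.4%} identical"]
    for offset, length in diff_ranges(a, b):
        lines.append(f"differs at {offset:#x}, {length} bytes")
        lines.append(hexdump_window(a, b, offset, length))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # real use: python diff_dumps.py dump1.bin dump2.bin
        print(report(Path(sys.argv[1]).read_bytes(), Path(sys.argv[2]).read_bytes()))
    else:
        print(report(UNIT_A, UNIT_B))
```

With two real dumps the interesting output is a short list of small ranges in an otherwise identical image; a wholesale difference across the file usually means the two dumps were taken from different firmware revisions rather than from two units of the same revision.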

awhitehead
13th April 2007, 01:24
I would be very interested in looking at the flashdump.

awhitehead
13th April 2007, 01:28
What is somewhat amusing is that Toshiba software reports itself as GPL.

Joys of corporate license violations... Just spent about thirty minutes on gpl-violations.org. Lots of people with too much spare time there.

(For the record, I don't care other than finding it amusing)

sega32x
13th April 2007, 01:47
Really? I love how Toshiba never responded to anyone's GPL requests, which is something, but I don't think any of us has the cash to go up against Toshiba in a court!

awhitehead
13th April 2007, 06:30
So is the support for the NEC HD-1100A drive in the latest binflash?

Since I am out of ideas, I am toying around with an idea of opening the player, and moving the drive into a PC. Sadly she who must be obeyed is not thrilled by the idea of cannibalizing a working piece of expensive AV gear.

sega32x
13th April 2007, 06:44
Heh, yeah, it is supported (read only for now apparently), hopefully write support will be soon (clone drives anyone!)

gonesuper
13th April 2007, 20:30
Sorry it's been a while since I posted, been busy with work. Got a few updates to list. Got my RCA fixed by removing the BIOS battery to clear all settings, then booting up using a HR-1100a from a mate's machine. I then hot swapped my drive and performed a network update to 2.1.

Since then I've gone back to 2.0 using the ISO on 1080x1920.net with no problems, and all functions of the player work fine.

Later on tonight I'll reupdate to 2.1 and dump the new drive firmware and hopefully post the results, along with any Windows compatibility changes if present.

Been able to dump the firmware using Liggy's testdump.exe tool, but the output has only been something that Liggy can work with until now. Hopefully with the full binflash dump the firmware can be edited and made RPC1.

According to this post (http://www.videohelp.com/dvdhacks.php?select=Toshiba+HD-A1) the player will play a non region 1 disc if the drive's region setting is changed, so a RPC1 patch should be a step in the right direction.

sega32x
13th April 2007, 21:09
You got your RCA fixed? Very nice! So it did the whole "freeze on welcome screen" thing, you pulled the battery, booted w/ a secondary drive, and that worked? (and you did the hotswap for the repair)

If so, kudos to you, I may have to try that myself!

The new Binflash (1.39) does dump the FW fine, problem is, it can't write it back, yet!

gonesuper
14th April 2007, 13:34
Yeah, I'd been told that hooking up any other connection (I use HDMI) and hitting V.Output on the remote can solve the welcome message crash, but I figured that mine was more than a handshake issue.

Especially since I'd blown out most of the PSU. :devil:

With my player, after I'd removed and resoldered the CMOS battery it would begin to boot, I could see the activity light on the USB storage ROM go mad, but it would just hang with Welcome on the screen. The RCA didn't accept any remote or front button presses, so the V.Output fix didn't work, but with the other drive connected the player booted. Couldn't get any movies to work but all the menus seemed fine.

I then used a Y splitter on the drive's power supply and hot swapped the drive when all USB activity had stopped. After that it was easy enough to update the firmware, which seemed to sort the drive out.

The player is working 100% now. Ended up finally watching V for Vendetta on it late last night. I'd promised myself I wouldn't rent the DVD out as it was the main drive in fixing the player. It was definitely worth the wait. The only other HighDef player I have is a PS3 which, until I saw the output from my RCA side by side, had impressed me. The RCA definitely handles things a lot more cleanly. On the PS3 I'd noticed some blocking on Superman Returns which isn't there on the HD-DVD edition.

As far as binflash goes, I'd been following Liggy's progress with it. He sent me the testdump.exe file which produced a dump, but it was no real use to me or him as the drive was wrecked in the first place. I was hoping others with a working drive would follow the same route, which is what happened with sega32x (thanks for that btw), and that ended up with dump support in 1.39.

Liggy works fast so I'm sure write support won't be too far away when dumped firmware appears. I'll dump the new 2.1 drive image when I get my XP machine back over the weekend. Tried it last night on Vista but it was a no go.

Very thankful for all your help. Google searches on this player don't turn up much. If you want any Linux dumps of my player then I'd be glad to help.

I'm a Linux noob but learn quite quickly, and I'm finding that I remember more from my DOS days than I thought. The RCA has a RS232 port on it which I think the XA1 is missing, don't know if it will help you guys out, but if you need any more info on it then talk me thru it and I'll upload the outcome. Hopefully get the HR-1100a dump on Sunday night.

:thanks:

bshep
16th April 2007, 18:53
I was wondering if any more work has been done in exploring the hack-ability of the linux based players.

I don't have one but I do have some knowledge of how Linux works, and one thing seemed to jump at me when I saw the file listings. The libz library, if that is used by the OS, is probably easier to hack than libpng and libjpeg since it is much simpler (and probably has fewer dependencies).

Anyway I'm thinking of getting one of these players just to mess around with it, are there any models to stay away from (i.e. any that have been known to have been updated to be less hackable)?

I should also add that this discussion has been very interesting ;-)

Some other questions:
- What architecture are the players based on? ( I think I read Pentium 4, but just to be sure)
- Has anyone tried replacing any of the libs with a custom build (and had a successful boot)?
-- If so, anyone tried adding fopen('/var/testfile') and then checked to see if the file was created on the USB drive (assuming it is mounted read/write when the system boots)?

sega32x
16th April 2007, 21:18
Well gonesuper, your way worked, I just did it here, and it got the player revived (will go into details later), although it won't play any DVDs ("A system error has occurred"), or HD-DVD (the drive motor = fubar, disk wobbles too much when the HD-DVD is in), but alas, it boots!

Still need to get a longer FFC cable to replace the one there (it came cut), as well as fix the motor, but, it boots :)

luipic
17th April 2007, 16:14
First I apologize for my poor English, I'm from Italy.

Please, help.
My HD-A1 just froze upgrading to 2.1. Going back to 2.0 and then reupdating to 2.1 all seems OK and I get the message 2.10 in, but powering up now I get 01-system error and my player freezes.
I opened the player and I see on the flash memory a red LED flashing. I also tried to unplug the CMOS battery, but nothing changes.
What can I do? I don't have another player to swap my drive.

Thanks and regards
Luigi

luipic
20th April 2007, 14:29
Please, would anyone be so kind as to send me a dump of the drive firmware, so that when binflash allows writing, I'll try to flash the drive of my dead player.
Thanks
Luigi

sega32x
20th April 2007, 19:50
The issue is, even that won't work, yet. I am in the same boat, though mine does not error, but it refuses to play any VIDEO disks, due to some type of mismatch (after the reflash/hotswap etc).

Nevertheless, what is yours doing? are you getting any picture on the screen? or is it the fun "Welcome" bug?

luipic
21st April 2007, 00:53
First 01-system error on the display, then Welcome.
Thanks
Luigi

sega32x
21st April 2007, 03:56
Well, if you're courageous, unplug the HD-DVD drive, and remove the flash. If it still does it, you're basically screwed, if not, you have hope! As if it says the error before anything, it could be the data on the main board, and there is no current way to fix that (short of removing a 64 ball BGA chip from two boxes, cloning one, if that's even possible, etc).

luipic
21st April 2007, 08:59
I've got the error message about 1 min after the player loads from the flash memory.
I already tried to unplug everything.
Regards
Luigi

FrankRizzo890
24th April 2007, 18:35
Do you guys know of anywhere that I can get a dump of the USB "Disk on a chip"? I'm both a Linux programmer, and a good reverse engineer, and I'd LOVE to have a look in there, and "see what I can see."

mdray
4th May 2007, 12:26
Well, if you're courageous, unplug the HD-DVD drive, and remove the flash. If it still does it, you're basically screwed, if not, you have hope! As if it says the error before anything, it could be the data on the main board, and there is no current way to fix that (short of removing a 64 ball BGA chip from two boxes, cloning one, if that's even possible, etc).

Hi.
Firstly, apologies for jumping straight in with a request for help.

I have an A1 which froze after downloading 2.2 firmware. It completed successfully and powered down. When I rebooted, I got the welcome screen followed by the message "system error 01".
The only way to switch it off now is via the button push on the front panel, pressing for 10 seconds. With the cover removed I can see the led flashing red on the Daughterboard? during bootup.

I did then remove the "daughterboard" and booted up to see what would happen. With that removed I get the welcome screen permanently displayed.

Tosh USA can't help me because I'm in England.

Can anyone give me some advice please?

awhitehead
12th May 2007, 23:51
Hi.
Firstly, apologies for jumping straight in with a request for help.

I have an A1 which froze after downloading 2.2 firmware. It completed successfully and powered down. When I rebooted, I got the welcome screen followed by the message "system error 01".
The only way to switch it off now is via the button push on the front panel, pressing for 10 seconds. With the cover removed I can see the led flashing red on the Daughterboard? during bootup.

I did then remove the "daughterboard" and booted up to see what would happen. With that removed I get the welcome screen permanently displayed.

Tosh USA can't help me because I'm in England.

Can anyone give me some advice please?


The daughterboard contains, amongst other things, the images necessary for the menu system to operate, the libraries necessary to decode and display the .png files, and the persistent storage file.

Thus it would make sense that the system will freeze if it can't find the graphic elements of the images that you have to display.

You can try downloading the 2.0 firmware image from http://www.1080x1920.net/ , burning it to CD, and attempting a downgrade. However, chances are high that it will not work, since it's my understanding that you need to get the "No disc" prompt, before you can do a downgrade.

sega32x was successful in figuring out that in order to resurrect a system you need both the HD-DVD drive and the internal flash, since the encrypted files are keyed to the serial number of the drive.

Were you to have a second HD-A1 unit, a complicated shuffling of drives and daughterboards together with copious flashing might have gotten you somewhere, if it's the files on the flash daughterboard that are corrupt, but chances are slim...

I am idly curious: isn't it 110 volts in the USA, and 220 volts in the UK? Are you running the HD-A1 through a transformer?

Oh, another thing that just came to mind. Try calling Robert at http://www.valueelectronics.com/ in the States. People on AVSforum are very fond of him. See if he will repair your unit for you if you ship it to the US, and pay him for return shipping. He is authorized to service Toshiba products. Yes, it's expensive, but it's likely cheaper than a new unit.

mdray
13th May 2007, 03:19
Thanks for your advice.

Yes, I am using a step down converter for the power supply. Also, I did try loading firmware disc 2.0, but as you say, I need to get past the welcome screen and the 01 error.

Toshiba USA did say they would repair it if I shipped it over, but it's not worthwhile. It would cost around $150 to ship it there and back, I think.

sega32x
14th May 2007, 17:08
Well actually, on one of mine (the USB stick isn't big enough to hold everything, like 252mb vs 256), none of the bootup images display, however it does still work. There is also a blink pattern to the daughterboard as well, sounds insane, but true.

As awhitehead said, the best way to do it is to get someone else's drive and daughterboard, stick 'em in yours, boot up, run the update (from net), hotswap the drives, and be all set. Of course, reimage the daughterboard first, so the other player does not brick (you can also just image it to a USB key etc).

Issue is, I did that too, though it still will not play HD-DVDs, but it's a drive issue (the drive won't pass AACS verification), however, hopefully you will not have the same problem!

Ideally, in the future, if we had a way to boot a "universal" DVD/flash, we would be set, but nothing of that sort, at least not yet!

mdray
15th May 2007, 00:44
Thanks for your advice.

So it couldn't be done just by swapping the daughterboard then? Booting it up with another daughterboard, then switching them once it's booted, to allow access to the set-up options. Then running the firmware disc? I would need another drive too?

Sorry, I should have read the post properly. I see why you need two drives. Doh!

sega32x
15th May 2007, 01:47
Yeah, like you read, it won't, as the data on the daughterboard is tied to something in the HD-DVD drive!

FrankRizzo890
22nd May 2007, 17:49
So no takers? No suggestions on where I can find it?

We might be able to break the ties between the software, and the drive through my investigations.

awhitehead
22nd May 2007, 21:05
@FrankRizzo

For what it's worth, it's widely believed that the data on the first generation Toshiba units is encrypted, with each image being tied to the hardware. Since replacing both drive and flash at the same time seems to fix it, it's most likely that the serial number (or some similar identifier) of the drive is used to encrypt the files on the flash.

So an image would be rather useless to you without the rest of the hardware.
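
The model this post describes (files on the flash keyed to an identifier from the drive, so that neither part is useful on its own) can be illustrated in a few lines. This is an added example, not Toshiba's actual scheme, which the thread never establishes: it stands in an integrity tag for the encryption, because the Python standard library ships no cipher, and the binding logic is the same either way. The serial strings, the salt and the key derivation are constructed for the demo. It reproduces the behaviour reported in the thread: swapping only the drive or only the flash fails, swapping both together from the same unit works.

```python
"""Model of flash contents bound to a drive identifier (added illustration)."""
import hashlib
import hmac

TAG_LEN = 32


def derive_unit_key(drive_serial: bytes, salt: bytes = b"hd-a1-demo-salt") -> bytes:
    """Per-unit key derived from the drive's serial (assumption: a PBKDF2 over it)."""
    return hashlib.pbkdf2_hmac("sha256", drive_serial, salt, 10_000, dklen=32)


def seal(payload: bytes, drive_serial: bytes) -> bytes:
    """Bind a flash 'file' to one drive: tag || payload."""
    tag = hmac.new(derive_unit_key(drive_serial), payload, "sha256").digest()
    return tag + payload


def open_sealed(blob: bytes, drive_serial: bytes):
    """Return the payload if blob was sealed for this drive, else None.

    hmac.compare_digest keeps the comparison constant-time; a mismatch is
    what a unit with the wrong drive (or a tampered file) would see.
    """
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(derive_unit_key(drive_serial), payload, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def unit_boots(flash_image: bytes, drive_serial: bytes) -> bool:
    """A unit 'boots' only if the flash and the drive it sees agree."""
    return open_sealed(flash_image, drive_serial) is not None


# Constructed units: each flash image is sealed against its own drive.
DRIVE_A = b"demo-drive-serial-000111"
DRIVE_B = b"demo-drive-serial-000222"
FLASH_A = seal(b"player binaries for unit A", DRIVE_A)
FLASH_B = seal(b"player binaries for unit B", DRIVE_B)


def scenarios() -> dict:
    """The swaps discussed in the thread, and whether each one boots."""
    return {
        "original pairing": unit_boots(FLASH_A, DRIVE_A),
        "drive only swapped": unit_boots(FLASH_A, DRIVE_B),
        "flash only swapped": unit_boots(FLASH_B, DRIVE_A),
        "drive and flash both from unit B": unit_boots(FLASH_B, DRIVE_B),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:34s} -> {'boots' if ok else 'fails'}")
```

The point for anyone repairing a unit is in `scenarios()`: a dump of somebody else's flash is only useful together with the drive it was sealed for, which is exactly why the drive-plus-daughterboard shuffle earlier in the thread works and a lone image does not.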

sega32x
23rd May 2007, 05:51
Nope, see, all of the goodies are encrypted on the usb flash (hddvd player, dvd player, cd player, setup, update, scripts, everything)

And that site, the majority of the code wasn't anything useful, i.e. strings about the filesystem (which isn't encrypted, just the contents are!)

The only things not encrypted are just a few: any of the images (for the GUI), and the error messages, i.e. "THIS DISK CANT BE PLAYED".

Seems the A2's, at least as the service manual states, are based somewhat off Windows CE, if you want a hole, that's probably got plenty :D

awhitehead
11th June 2007, 10:38
Seems the A2's, at least as the service manual states, are based somewhat off Windows CE, if you want a hole, that's probably got plenty :D

Is it Windows CE based? I was thinking about picking up an HD-A2. *sigh* Is the manual available as a PDF from Toshiba?


Edit: HD-A1, HD-XA1, HD-A2, HD-XA2 manuals are all available from http://209.167.114.38/support/ceg/manuals/ (press 2006 -> HD-DVD for first gen, 2007 -> HD-DVD for second gen units)

Edit2: Page 61 of the 72 page user manual for HD-A2 states:
"License information on the software used in Toshiba HD-DVD player"

Pre-installed software    EULA
Linux Kernel              Exhibit A
Busybox                   Exhibit A
glibc                     Exhibit B
OpenSSL                   Exhibit C
freetype                  Exhibit D

The various exhibits are the appropriate licenses - GPL, LGPL, OpenSSL license, and Freetype license.

Thus I suspect that HD-A2 is also Linux based.

sega32x
12th June 2007, 19:23
Ironically, the service manual says the -2's are CE based, so now with what you found, I am not sure which it is!

arnezami
15th June 2007, 03:56
Has anybody here spoken to Boing99 lately? I'm trying to contact him. :).

natronicus
2nd November 2007, 20:12
With the HD-A2's now selling for $98, anyone planning on reviving this project?

sega32x
2nd November 2007, 20:55
Would love to, but don't have any funds for an A2. I'd love to get my hands on a broken one though (any GEN2 player).

Namely, the debug access alone should be a bit easier (real chips vs unknown Xilinx chips). If anyone wants to sell a broken one (or a working one cheap), do let me know.

Nevertheless, the fate of my original unit, it did work again, did not play movies (the drive was hosed), however I used it for parts to fix two other units, and they both work great!

evdberg
26th February 2008, 21:44
I had some contact with awhitehead some time ago and he claimed that he had succeeded in getting his Xbox 360 drive to work with the HD-A1. When I asked him how to do this, his reply was that he could explain it to me but it was of no use since it did not work with AACS. This of course is true, since the NEC drive uses KCD and not the authentication through RSA certificates like the 2nd gen and Xbox do.

Now since my problem is that the HD-A1 does not play my homebrew disks correctly, I was pretty interested in his solution. Unfortunately I never got word from him again. Now with the current situation that Toshiba has given up on HD-DVD, getting a replacement drive to work with the player has even more interest. The drive is the weakest part of the whole player, so it is pretty interesting to be able to use another one.

Unfortunately I have not much experience in Linux, and am not much of a hacker. Is there anybody who has any clue how to do this?

Zotty
26th February 2008, 22:45
No help, but a partially overlapping problem; I'm trying to get into a HD-EP30 (http://forum.doom9.org/showthread.php?t=135265). My primary target is the firmware. It's encrypted, so that's a major problem, but the thought is that once we can get into the firmware (maybe same encryption or method), it might be possible to modify it to play homebrew discs, change DVD region, hack AACS, etc. May or may not be possible, but it would allow you to make homebrew discs work by changing firmware instead of modifying the hardware.

batteryman
29th February 2008, 08:53
You know what would be awesome is if you could just drop in a Blu-ray drive. Any of you tried just installing a plain old DVD-ROM drive? I just got a HD-A1 today.

sega32x
3rd March 2008, 00:25
I think the best goal is as a streaming media server (even drop in a hard disk)

On the hardware side that is fairly easy (just solder in a new pad, some resistors), which I have done. Or even easier, use a USB HDD. The larger issue is compiling software to run on the box!

batteryman
4th March 2008, 00:48
yeah I would even be willing to pay for the software. Toshiba just needs to release the update :D. I mean why not if their format is dead in the water. Then I could still have some use for it. Come on Toshiba!

batteryman
14th March 2008, 06:47
BUMP, come on guys! do you have any solutions?

sega32x
14th March 2008, 19:21
I have been tinkering with my XA2 as of late, the hardware is a bit more standard (no more mystery FPGAs). Attempting to dump the flash (boot), but my adapter is being flaky. There is a JTAG and UART for the REON (CNP01 and CNP02), the UART even outputs some nice stuff. Still searching for one for the actual player (it should be on here, somewhere).

Anyone got a LA/Scope and wanna take a peek?

batteryman
20th March 2008, 07:55
So it sounds like things are more standardized and easier to get at on it?

sega32x
21st March 2008, 11:56
Well yes, since the Gen 2's are much closer to the DSTB reference design than the Gen 1's, there are more documents on them etc. Although the Gen 1 is based off of the DSTB reference design, the Gen 2's are much closer (no reprogrammable FPGAs!)

At the moment, I've traced out the flash lines on the XA2, and need to get ahold of another Gen 2 box to dump the flash. Needless to say, removing tons of epoxy kinda destroyed the flash, which sucks, but shouldn't be too hard to fix!

Namely since it's directly connected to the southbridge, there should be no encryption etc, since the southbridge is not custom logic (unlike the Gen 1).

Sechrist
28th March 2008, 05:59
Well, this thread seems pretty much dead now.
Anywhos..

I was able to gain a root shell and install dropbear on my HD-A1 and RCA-HDV5000 units.

Your suspicions with key-signed files were close, the problem with swapping without swapping both the uDoC and the HD-DVD drive is that the binaries that the linux system executes to load the actual "player" are encrypted with the AACS key from the IDE device itself.

However, the kernel is NOT on the filesystem that the Linux mounts from the 32MB ROM chip. I think it is loaded into memory on boot each time. The only way we can get our /etc/ and important Linux changes to stick is to reverse engineer the update process (well, excluding actually flashing it with an external programmer, which I would want anyway to not brick my units!).

I managed to get a lighttpd running on it, just for funsies. (http://chasesechrist.com/).

Here's some general information about the system:
[Linux:Ash30]$cat /etc/passwd
root:EDITED OUT:0:0:root:/tmp:/bin/sh
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:

[Linux:Ash30]$mount
/dev/root on / type ext2 (rw)
/proc on /proc type proc (rw,nodiratime)
/sys on /sys type sysfs (rw)
/proc/bus/usb on /proc/bus/usb type usbfs (rw)
/dev/sda1 on /mnt/ROM type ext2 (rw,sync)
/dev/loop0 on /mnt/ROM/HD_DVD type vfat (rw,sync,nodiratime,fmask=0022,dmask=0022,shortname=mixed)
/dev/loop1 on /mnt/ROM/NetArea type vfat (rw,sync,nodiratime,fmask=0022,dmask=0022)
none on /dev/pts type devpts (rw)
[Linux:Ash30]$

(/dev/root doesn't exist, it's a pseudo device.)

[Linux:Ash30]$cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 15
model : 2
model name : Mobile Intel(R) Pentium(R) 4 - M CPU 2.50GHz
stepping : 9
cpu MHz : 2499.914
cache size : 512 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 2
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe cid xtpr
bogomips : 4947.96


[Linux:Ash30]$busybox
BusyBox v1.00 (2005.09.13-00:20+0000) multi-call binary

Usage: busybox [function] [arguments]...
or: [function] [arguments]...


[Linux:Ash30]$uname -a
Linux (none) 2.6.10-R040 #20 Mon Mar 20 09:43:01 JST 2006 i686 unknown

[Linux:Ash30]$lspci -i ./pci.ids
00:00.0 Host bridge: Intel Corporation Unknown device 358c (rev 02)
00:00.1 System peripheral: Intel Corporation 82852/82855 GM/GME/PM/GMV Processor to I/O Controller (rev 02)
00:00.3 System peripheral: Intel Corporation 82852/82855 GM/GME/PM/GMV Processor to I/O Controller (rev 02)
00:02.0 Display controller: Intel Corporation Unknown device 358e (rev 02)
00:1d.0 USB Controller: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #1 (rev 03)
00:1d.1 USB Controller: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #2 (rev 03)
00:1d.2 USB Controller: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #3 (rev 03)
00:1d.7 USB Controller: Intel Corporation 82801DB/DBM (ICH4/ICH4-M) USB2 EHCI Controller (rev 03)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev 83)
00:1f.0 ISA bridge: Intel Corporation 82801DBM (ICH4-M) LPC Interface Bridge (rev 03)
00:1f.1 IDE interface: Intel Corporation 82801DBM (ICH4-M) IDE Controller (rev 03)
00:1f.3 SMBus: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) SMBus Controller (rev 03)
00:1f.5 Multimedia audio controller: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) AC'97 Audio Controller (rev 03)
01:08.0 Ethernet controller: Intel Corporation 82801DB PRO/100 VE (LOM) Ethernet Controller (rev 83)
01:09.0 Bridge: Broadcom Corporation Unknown device 7411
01:0b.0 Multimedia controller: Toshiba America Info Systems Unknown device 0419
01:0b.1 Multimedia controller: Toshiba America Info Systems Unknown device 041a
01:0b.2 Multimedia controller: Toshiba America Info Systems Unknown device 041b
01:0c.0 System peripheral: Toshiba America Info Systems TC6371AF SmartMedia Controller (rev 06)
[Linux:Ash30]$

I haven't tried getting the AC'97 to work, and the graphics chips seem to be proprietary :(

If anybody here is interested in helping, has any questions, or is a programmer/general hacker willing to help, please contact me on AIM (sekhrist).

PS: I got in with libcdaudio at first, then later got in with libpng(so I didn't have to have a CD in the tray).
I just recompiled the libraries and dropped them on my flash drive (which I dd'd from the original, so it was an exact bit-per-bit match).

PSS: http://www.remotecentral.com/cgi-bin/mboard/rc-touch/thread.cgi?1160 for serial port control. It won't give you a shell, but it's neat to tinker with!

PSSS: http://i25.tinypic.com/2lksc9k.jpg

laserfan
28th March 2008, 15:31
Well, this thread seems pretty much dead now.... If anybody here is interested in helping, has any questions, or is a programmer/general hacker willing to help, please contact me..

Yeah I think you're very "bleeding edge" with this, it's way over my head, but thought I'd post some words of encouragement anyway:

I'm Impressed! :)

sega32x
29th March 2008, 02:18
Well very nice! It's about time someone else did it. A few of us have had it for a while, but kept it hush hush due to the whole AACS thing.

Considering that the player is dead now, not much hassle.

For boot, it boots the kernel from the NOR flash on a BGA chip behind the XC2C256 chip iirc, its a tiny kernel and bootloader.

There is a debug interface, but have yet to gain access.

Check out the intel PDK kit, with a little tinkering you can compile an application to output to the on screen display.

In regards to the update, the kernel image is encrypted, so you need to decrypt/crypt to take care of that.

Ideally, a port of mplayer or the like would make this player great. It is possible to boot up the player WITHOUT the HD-DVD drive (software needs to be tinkered with, but it's fairly simple). So we could throw in a HDD, and use it as a nice network media player, in time!

Sechrist
29th March 2008, 02:27
Oh wonderful!

How are you able to change the boot process to boot without the drive in? I've been working on a cable to get a slave device in, as well.

As far as I know, the only problem with it booting without the dvd drive in is that it needs it to decrypt the actual player with the key from the drive. Are you able to get permanent storage on it(On the chip, not the uDoC)?

Originally before I even bought the thing, I was hoping I could port XBMC linux to it, and with the PDK it might be possible with a good bit of work.
I was planning to set up MPD on it as soon as I got the AC'97 working.
Is it standard AC'97, and will ALSA work?

sega32x
29th March 2008, 03:09
In regards to sound, I never even tinkered with it. Basically, umm, the player boots fine without it, but hangs up. You need to obtain the decrypted libraries, and look at the symbolic links. They all point from the DOC to /tmp; you just replace 'em w/ the legitimate file, and you've got it working without a drive.

Furthermore, I've hooked an HDD up, albeit unsuccessfully, to IDE0. Soldered on a new pad, some 0-ohm resistors etc.; the player refused to boot. If I had to guess, it overrides the kernel itself, to be used for testing, but specifically how, I am not yet sure.

Sechrist
29th March 2008, 03:21
According to these PDFs I'm reading, an IDE SSD is used for running the PSP before they burn it to the chip.
I guess it could be looking for that on the ide drive.

As for the decrypted binaries, I thought the player executed explay before (then they're dropped in /tmp for about a split second; I got them though).
explay run on a non-mangled binary fails, but I'll try playing with symlinks.

sega32x
29th March 2008, 07:32
In regards to the binaries, I was talking about the system itself. You can bring the system up without the drive, as long as all of the included libs/kernel modules are decrypted first. There is the player software too, but that is not needed to bring the system up.

Sechrist
9th May 2008, 07:50
Well, I've pretty much managed to do everything I wanted to do with it, short of a full-blown media center.
With an edited GLIBC, and proper checks, you can hijack the boot process pretty early and use your own init scripts before it even needs the HD-DVD player. I've done that and used the _one_ IDE port I have to mount a pretty big hard drive, and later pivot_root to it with a normal FC3 system installed. I hooked up the HD-DVD player with a crappy USB thing I had and apparently AACS and the custom ioctls work fine. Unfortunately the sound hardware has no documentation available, so the only way to get a /dev/dsp endpoint is to hack together a userland program that converts /dev/dsp PCM to the appropriate /dev/dsptrans and /dev/dspctl commands. Until then, I have hacked up cdplayerd to play MP3s off of a Samba share (sounds pretty dang good, other than it choking on VBRs!)

As for the video hardware, as sega32x said, it's all documented in the Intel PDK. I was able to compile kernel modules even after applying the 16KSTACK patch, making sure PREEMPT is on, and setting the uname to 2.6.10-R040.
The interfaces are a little changed, and Toshiba won't give out code, so we're stuck with slightly gimped functionality. I was able to get a UVCVIDEO driver compiled and inserted, so now I have a nice webcam streamer so I can spy on my living room from the office :P, but I digress.

Once we have a /dev/dsp frontend, it's just a matter of porting XBMC to use SDL/DirectFB (whichever is easier), and watching the magic happen. I hope it doesn't require OpenGL, as I doubt the 854 chipset has that, but we'd hack the code either way to make it work. MPD would also be nice, but again it needs proper sound support.

If any developers have this thing and are willing to help make an awesome media center, please say so.

cogent
14th May 2008, 15:04
Hello everyone! I'm assisting some friends in their quest to get a couple of HD-A1 units set up as media servers.

I've done some research on the Xilinx site in order to determine what the three Xilinx chips are doing. I thought I would share some things.

First, if you didn't already know, the Xilinx chips are completely customizable and could contain an infinite number of possible programming configurations.

With that in mind, I believe the entire purpose of the chips is the remote upgrade features they possess. In fact, there is a reference design (http://www.xilinx.com/support/documentation/application_notes/xapp441.pdf) on the Xilinx website that would seem to be very similar to what I would expect to be programmed on the Xilinx chips.

Ultimately, I think to unlock the true potential of the device we would need to reprogram the Xilinx chips. The only way I can see to do this would be to discover the update process in order to push our own update. Has anyone researched the CD update method?

One more thing, for anyone with an electronic engineering background or experience, the Xilinx site has a plethora of freely available information regarding the Xilinx chips. There is also a freely available design software for the chips.

In the end, we will probably need someone familiar with these chips to assist with discovering the true potential of this device.

n0n@me
18th May 2008, 18:19
If any developers have this thing and are willing to help make an awesome media center, please say so.

Sechrist, can you post a little walkthrough on how to get control over the box? The easier it is, the more people will try and hopefully come up with suggestions on getting more stuff working.

Without using the BCM7411, the HD-A1 is barely faster than the original Xbox and is probably too slow for HD MPEG-2 and useless for H.264/AVC. The way the rest of the system is connected to the 7411 (except the PCI bus, of course) is still a mystery to me. I did not look too deeply into it, but at least the way to switch between the video output of the i854 and the BCM7411 needs to be figured out.

Sechrist
19th May 2008, 08:11
Has anyone researched the CD update method?

Yes, and this is flashed the same way the kernel and boot loader are. I have in my possession the Toshiba tool to flash, but not to read. Too risky I say =)

And tomorrow I'll write up a guide and post my pre-fabricated files to hack into this thing. Be advised though, it's not for the Linux novice.

Also, I don't see how your logic claims the Xbox is almost as fast as the Pentium 4 2.6GHz that's in it.
I know the P4s were unoptimized as hell, but 2.6GHz is a great deal faster than 733MHz =)

n0n@me
23rd May 2008, 21:52
Also, I don't see how your logic claims the Xbox is almost as fast as the Pentium 4 2.6GHz that's in it.
I know the P4s were unoptimized as hell, but 2.6GHz is a great deal faster than 733MHz =)

It was a poor choice of words on my part. I guess I meant to say that it is not good enough for HD H.264.

tsomctl
23rd July 2008, 03:44
It looks like this has died down, but I figured I should add my two cents. I was looking at explay, and found it to be interesting. It checks the DVD drive when decrypting binaries. It has three calls to ioctl for the drive. The first two times are a generic CDROM_DRIVE_STATUS / CDROM_DISC_STATUS (look in linux/cdrom.h). The third call to ioctl is with SG_IO, and the command 0x46 02 01 08 00 00 00 00 18 00 00 00. This returns the drive serial number, which is printed on a sticker on the drive itself. Therefore, the only special thing explay needs is the serial number from the DVD drive. I've successfully decrypted exadvplayer on a generic PC with the drive added. It would probably run in qemu with the emulated DVD drive modified to return the proper serial number. I have no idea what kind of encryption explay uses, but the keys must be embedded in explay, or based around the serial number, which, again, is easily available. It looks like explay was written in assembly, and it decrypts parts of itself while running. Which is completely stupid, because I could run it in gdb, break after it had decrypted itself, and then dump the memory. Or I might be doing something wrong.

Anyways, I've managed to brick my HD-A1, and it no longer boots. And I have no idea what exactly is wrong.
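The 12-byte command tsomctl lists is an MMC GET CONFIGURATION request (opcode 0x46, RT=0x02) for feature 0x0108, the Drive Serial Number feature, which is why the response carries the sticker serial. As an added example (not code from the thread, from explay or from Toshiba), here is a parser for that feature in the response, including the truncated-buffer case; the response bytes and the serial in them are constructed, not captured from a drive.

```c
/* Added example, not code from the thread: the GET CONFIGURATION command the
 * post quotes, and a parser for the Drive Serial Number feature (0x0108) in
 * its response. The response bytes below are constructed, not captured. */
#include <stdint.h>
#include <string.h>

#define FEATURE_DRIVE_SERIAL 0x0108

/* The 12-byte CDB from the post: opcode 0x46 (GET CONFIGURATION), RT=0x02
 * (only the named feature), starting feature 0x0108, allocation length 0x18. */
const uint8_t GET_SERIAL_CDB[12] = {0x46,0x02,0x01,0x08,0,0,0,0,0x18,0,0,0};

/* Response layout (MMC): 8-byte header (4-byte data length, 2 reserved, 2
 * current profile), then descriptors of [code:2][flags:1][add. len:1][data].
 * Copies the serial minus trailing pad bytes into out and returns its length,
 * or -1 if the feature is missing or the buffer is malformed/truncated. */
int parse_drive_serial(const uint8_t *buf, size_t len, char *out, size_t outsz)
{
    if (len < 8) return -1;
    size_t end = ((size_t)buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) + 4;
    if (end > len) end = len;            /* never trust data length over buffer */
    for (size_t off = 8; off + 4 <= end; off += 4 + buf[off + 3]) {
        size_t add = buf[off + 3];
        if (off + 4 + add > end) return -1;
        if ((buf[off] << 8 | buf[off + 1]) != FEATURE_DRIVE_SERIAL) continue;
        size_t n = add;
        while (n && (buf[off + 3 + n] == ' ' || buf[off + 3 + n] == 0)) n--;
        if (n >= outsz) return -1;
        memcpy(out, buf + off + 4, n);
        out[n] = '\0';
        return (int)n;
    }
    return -1;
}

/* Constructed response: data length 0x18, profile 0x000A, one descriptor for
 * feature 0x0108 (flags 0x03 = persistent+current), 16 bytes of padded ASCII. */
const uint8_t SAMPLE_RESPONSE[28] = {
    0x00,0x00,0x00,0x18, 0x00,0x00, 0x00,0x0A,
    0x01,0x08, 0x03, 0x10, 'H','D','A','1','-','T','E','S','T','-','0','0','1',' ',' ',' '
};

/* Parse the first n bytes of SAMPLE_RESPONSE and compare to expected. */
int sample_serial_is(const char *expected, size_t n)
{
    char serial[32];
    if (parse_drive_serial(SAMPLE_RESPONSE, n, serial, sizeof serial) < 0) return 0;
    return strcmp(serial, expected) == 0;
}
```

Against a real drive, GET_SERIAL_CDB would go out through the SG_IO ioctl the post names and the reply buffer would be fed to parse_drive_serial; with only a few bytes of the reply available the parser returns -1 rather than reading past the buffer.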