09-18-2010 12:21 AM - edited 09-18-2010 09:54 AM
This 1.55 version looks to be quite a bit different (I've heard because of the Netflix stuff in it). I have to admit, I did buy my device with Netflix in mind
but didn't realize I had to give Netflix exclusive use of my box to do that. (I didn't knowingly say they could have it.)
Got my live Debian lenny CD going and was able to download the 1.55 version, unzip the image file, and then un-tar it.
This is the result I came up with (there are two more items total than what was shown by Playdude on the standard 1.26 firmware version - the 3
yaffs image files are not there but there are 5 other items besides for a total of 17); items in bold are new as compared to the older versions:
Note on two AES files above in bold...these are encrypted using AES Crypt...see: http://www.aescrypt.com/
So, trying to mod 1.55 could be a nearly hopeless endeavor unless someone has the encryption key.
For the "configuration.xml" file (below) I see several references to "rsa" that I didn't see at all in the 1.26 version of that file (again, dealing with encryption):
<?xml version="1.0" encoding="ISO-8859-1" ?>
<company>Realtek Semiconductor Corp.</company>
<description>This image file contains 2 Mars packages. One is for AVHDD on NOR and the other is for AVHDD on NAND.</description>
<signature>MARS AVHDD on NOR or NAND</signature>
<description>This is Mars AVHDD on NAND</description>
I came to the conclusion the modded 1.45 versions might be the last there will ever be.
There could be a way to edit the shell script file in his to force the flashing command to backflash from 1.55 to 1.45
I'm convinced that that can be done. It's all in how the flasher is executed. I used to do the same thing with IBM firmware packages
I used to put together for their servers where I had to have a command line force the firmware back to an earlier version.
Then if I want to use Netflix, I would have to reflash to 1.55, then back to 1.45 if I want to take advantage
of the extra capabilities again...kind of a messy solution, but at least I could have the best of both worlds.
More to come...
09-18-2010 06:42 AM
I am glad you are looking into all of this. Perhaps you'll find something new.
Since the earliest firmware, Seagate has been encrypting their video firmware, audio firmware and the kernel.
With the latest firmware Seagate encrypted their Resource directory and the root filesystem.
They also changed the rescue kernel, and perhaps settings and/or portions of the Realtek Rom Monitor (a significantly cut down, modified YAMON Rom Monitor). That's what's happening with the bootloader.tar section.
What this means is that from here on out, there's three principle hopes for getting into firmware 1.55 flashed fat+:
The most hopeful one is the last, based on the fact that two people mentioned downgrading from fw 1.55 by way the liveupdate url- one was a brand new person who seemed otherwise rather competent, but as he/she was new and never returned, there's some question about which firmware was actually downgraded from... who can say what the precise details were there. The other came a member who'd shown that he knew he was way around the fat+ and other devices. Presumably he knew what he was talking about when he said he downgraded from fw 1.55, but as he firmly stated he wouldn't share details on it, that is apparently that.
Anyway, hope you have some luck. Oh, you might try your luck at some other forums, other eyes on the problems you know.
09-18-2010 06:52 AM - edited 09-18-2010 09:25 AM
I apologize for editing my post this morning before I noticed that you replied. I changed the direction of it completely away from modding 1.55 to backflashing from it to 1.45.
09-18-2010 09:24 AM - edited 09-18-2010 10:30 AM
Been working with the unyaffs application and opening up the img files in Playdude's last mod release.
I'm trying to find the ".sh" (shell script) file that executes the flash.
Does anyone know where this file is located or how the flashing mechanism works as a command?
I suspect that it executes from the installed firmware on the device unless the cold method is executed, then it executes off the image file on the USB.
But in order to backflash I have to find the script file on the flash drive to change the command line to force it, otherwise by default it will detect and
not override the newer version on the device.
When I extracted the "yaffs2_1.img" file, I found a boot.img file located in /usr/local/firmware that I suspect contains the shell script I'm looking for.
Just looking to see if I can open that file.
09-18-2010 10:07 AM
You could find a lot of good background info over on: minimodding.com
Generally speaking, loader_a is the executable that starts the install process. It then hands things off to install_a from the firmware file, install.img which does most of the installation.
As for scripts, the configuration.xml file from the install.img hands off a lot of vital information to install_a-- however they are related to one another. Some changes to the configuration.xml will be rejected by the install_a, even though such changes may have worked with a previous firmware. In some cases, people have had success swapping out older install_a's, from previous firmwares, to accomplish their mods.
When you use the "cold boot" you're triggering the "rescue" kernel. That's a second, minimal kernel just to save your device when things go wrong. loader_a is running like a watchdog application when you boot up the rescue kernel, whenever you plug in a usb drive it will search its root directory for an install.img and get started with installing the firmware.
The latest firmware, 1.55, replaced the rescue kernel by way of the bootloader.tar. So, previously observed behaviour there may no longer be true.
I guess that's all I got.
09-18-2010 10:39 AM
OK, thanks. So where is this "loader_a" application in all this?
Is there still a script involved where a flashing command line is executed (that could be easily edited) or is the command built into the binary?
Still seems like that stuff could be bypassed somehow and just go straight for some kind of boot.sh that handles flashing.
09-18-2010 12:48 PM
There's no simple script that I am aware of. It's all compiled as near as I can tell.
09-18-2010 05:55 PM
In the latest (1.45) modded INSTALL.IMG file, this is the path to the file I'm asking about...
(INSTALL.IMG opened with 7zip)
...then, upon un-YAFFS'ing the above-mentioned IMG file, look in:
/usr/local/firmware/boot.img (160kB in size)
I would just like to know what format that BOOT.IMG file is in.
TrID (http://mark0.net/soft-trid-e.html) seems to think it's Macbinary. I don't know of any better utility to identify what the compression format of a file is.
Nothing I've tried to use so far can touch it.
It seems there could be something in there that would be useful to boot the FAT+, maybe more.
09-18-2010 08:02 PM
I've always wondered what that was. An examination of the strings of that file aren't terribly revealing to me. It seems like it's something to do with wireless network connections..... I don't think it's the answer. Of course I haven't found the answer yet so I wouldn't know it when I found it I suppose.
If you want to go done this road, you might examine the gpl source code released by Seagate and other manufacturers utilizing the rtd1073dd, or realtek 1073dd SoC.
Understand that all such gpl releases have been incomplete and often quite of date, however.....