The Freeze Fix Project
About
As you may know, firmware 2.9.3 for KiSS DP-50x players has the so-called Freeze Bug. The aim of this project is to debug and eventually fix it.
There is another project called Stage2 that works around the Freeze Bug by using components of different firmware versions.
Thanks to divxplayer who donated a DP-508 for this project.
All code examples on this page assume that you are working on a system running Linux. On a Windows system, use VMware Player to run Linux as a guest.
PCB and Components
Components:
- EM8550 Media Processor (ARM7 based) - Data Sheet
- 48LC2M32B2 32MBit SDRAM (512K x 32 x 4banks) for the DSP Quasar
- K4S641632F 64MBit SDRAM (1M x 16 x 4banks) for the ARM7 Jasper
- AM29LV320DB 32MBit CMOS Boot Sector Flash Memory (4M x 8/2M x 16)
- DM9000E NIC
- WM8728 24Bit stereo DAC with digital volume control
The EM8550 has two built-in UART controllers. One is used for the front panel controller and the other for the serial console. In the lower right corner of the board a SUB9 (J18) can be connected. The driver chip (U17, 28-pin) that converts from TTL to RS232 voltage levels is not soldered on the board.
Console Access
Hardware
A data cable for mobile phones (USB-to-Serial converter) is connected to the PCB (T62 -> TxD, T63 -> RxD, chassis -> GND). A calliper is connected to J14 and acts as RESET.
Terminal settings are: 115200 Baud, 8N1, flow control disabled.
Buy an RS232-to-TTL level converter at Pollin.de, ELV.de, or Reichelt.de.
Software
The boot loader does not output anything to the console. It has to be disassembled to get further information on its function. It can boot the player from a bootable CD or from flash, but not from hard disk.
An unmodified player uses the console only as an output device. There is neither a getty nor a shell process waiting for keyboard input. If we want to interact with the operating system, another process besides the main DVD player application (in the following called kissapp) must run.
Building and Running a Custom Firmware
Media players based on Sigma Designs' EM85xx processors are in fact computers running a special Linux edition named uClinux. Firmware for these players consists of ordinary computer programs compiled for the EM85xx processor: if we dig deep enough we will find a Linux kernel, directories, graphics files and decoders, prepared like any other application for Linux.
Building a Custom Kernel
This page explains how to build a Linux kernel from the source provided by KiSS. Since the source does not contain the kernel modules fipmodule, khwl and kiss_khwl, we are forced to use the binary modules.
Building a Firmware Image
After modifying the extracted firmware, the script below builds a firmware ISO image from it.
DIR=firmware_dir
ISO=firmware.iso
BOOT=boot293.img
cd ${DIR}
# pack the modified romfs tree into a ROMFS image and copy it to the CD tree
genromfs -v -d romfs -f romfs.bin -a 512 -V 'romfs'
md5sum romfs.bin
cp -f romfs.bin cdrom
# write layout.txt: one line per image, ending in the MD5 sum of that image
md5sum cdrom/loader.bin | sed 's#^\([a-z0-9]*\) .*$#/loader.bin 0 131 \1#' > cdrom/layout.txt
md5sum cdrom/romfs.bin | sed 's#^\([a-z0-9]*\) .*$#/romfs.bin 0x6000 293 \1#' >> cdrom/layout.txt
# add the boot image and build the bootable ISO
cp -f $BOOT cdrom/boot.img
mkisofs -V 'KiSS DP-500' -P 'KiSS Technology A/S ' -o ${ISO} -c boot.cat -b boot.img -no-emul-boot -N -U -no-pad -hide boot.cat -hide boot.img cdrom
You need the boot image boot293.img, extracted with geteltorito from the firmware ISO image, and a patched version of mkisofs to create a bootable ISO image of architecture type 3. Otherwise the KiSS boot loader will not recognise the disc as a valid one.
The resulting firmware.iso can be burned on CD and flashed into the player.
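A check that can be run on the cdrom directory before burning, to confirm that the MD5 sums in layout.txt still match loader.bin and romfs.bin after any later change. This is an added example, not part of the original page or the KiSS tools; the function names and the constructed sample tree are assumptions, and the two middle fields of each layout.txt line are ignored because the page does not define them.

```shell
#!/bin/sh
# Added example: check cdrom/layout.txt against the files it lists.
# Only the first field (path) and the last field (MD5) are interpreted; the two
# middle fields are read and ignored because the page does not define them.

# verify_layout DIR: one status line per entry; returns 0 only if all match.
verify_layout() {
    dir=$1
    [ -r "$dir/layout.txt" ] || { echo "no layout.txt in $dir" >&2; return 2; }
    rc=0
    while read -r path _f2 _f3 want; do
        [ -n "$path" ] || continue                # skip blank lines
        if [ ! -f "$dir$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        have=$(md5sum "$dir$path" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; rc=1
        fi
    done < "$dir/layout.txt"
    return "$rc"
}

# make_sample: build a constructed cdrom directory (dummy file contents) with a
# layout.txt in the format the build script writes; prints the directory name.
make_sample() {
    tmp=$(mktemp -d)
    printf 'constructed loader\n' > "$tmp/loader.bin"
    printf 'constructed romfs\n'  > "$tmp/romfs.bin"
    {
        echo "/loader.bin 0 131 $(md5sum "$tmp/loader.bin" | cut -d' ' -f1)"
        echo "/romfs.bin 0x6000 293 $(md5sum "$tmp/romfs.bin" | cut -d' ' -f1)"
    } > "$tmp/layout.txt"
    echo "$tmp"
}

# Stand-alone use: sh verify_layout.sh firmware_dir/cdrom
if [ $# -gt 0 ]; then verify_layout "$1"; fi
```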
Running a Custom Firmware from NFS
The procedure described above is very time-consuming when testing small changes. The firmware uses ROMFS as the filesystem for the flash, which is a read-only filesystem. To overcome this limitation, ROMFS has to be replaced with a writable filesystem. This could be JFFS2 or NFS, among others.
NFS is used by Stage2 to simulate a hard disk over the network, so it is an obvious choice as an alternative to ROMFS as well. A server can be set up very easily.
Some more preparations are needed to run from NFS.
The Freeze
There are three applications running on the player:
- kissapp is the GUI and the control program. It runs continuously in the background, waiting for button presses on the front panel or on the remote. If needed, it will call other programs to play the media files.
- fileplayer will play the indicated file but will not update the screen. Instead, it will print a heartbeat message on the console every second.
- mpegplayer will play the indicated file but will not update the screen. Instead, it will print a heartbeat message on the console every second.
On other player models there is a fourth application called pclinkmpeg. Details are not known.
When and how does it freeze
It has been observed that the freeze only happens to kissapp. Fileplayer and mpegplayer do not freeze.
Please contribute to the tables by using the discussion tab of this page. The hardware revision is printed on the back side of the player, the EM8550 revision on the chip. If you do not want to open your player, burn and boot this firmware ISO.
Hardware revision | EM8550 revision A | EM8550 revision B |
---|---|---|
1 | Yes | ? |
2 | ? | Yes |
3 | ? | No |

Type | Source: CD/DVD | Source: Harddisk | Source: Network |
---|---|---|---|
Audio-CD | No | - | - |
VCD/SVCD | No | - | - |
Video-DVD | No | - | - |
MP3 | No | Yes | No * |
MPEG1 | No | ? | ? |
MPEG2 | No | ? | ? |
DIVX | No | Yes | No * |
Webradio | - | - | Yes |
Picture | ? | ? | ? |
Navigation | ? | Yes | Yes |
* see discussion tab for reason
Player freezes randomly during playback or file browsing (1-4 times per hour); it hangs for 2 min, and then playback continues.
Technical Aspects
So far I have observed that kissapp hangs in an ioctl to the realmagic device (/dev/realmagichwl0).
khwl.o contains functions for accessing the EEPROM, the I2C bus, the EM85xx, video memory, the overlay, etc. and is accessed via /dev/realmagichwl0.
0.010000 open("/dev/fip", O_RDONLY|O_NONBLOCK) = 3
0.000000 open("/dev/realmagichwl0", O_RDONLY) = 4
....
0.010000 ioctl(4, 0x5393, 0x1465dc0) = 0
0.000000 ioctl(3, 0xc004f11a, 0x1465e20) = 0
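One way to locate the stalled call in a long trace of this kind, as an added example that is not part of the original page. It assumes the trace was taken with `strace -r` and without `-f`, so each timestamp is the time since the previous call was entered; the function name and the sample lines used to try it are constructed.

```shell
#!/bin/sh
# Added example: find ioctl() calls on one device that took too long.
# Assumes `strace -r` output without -f: the number on each line is the time
# since the PREVIOUS call was entered, so a stall shows up one line later.

# find_slow_ioctls DEVICE SECONDS < trace
find_slow_ioctls() {
    LC_ALL=C awk -v dev="$1" -v limit="$2" '
    {
        delta = $1 + 0
        # this delta is (about) how long the previous call took
        if (prev != "" && (prev_fd in watched) && delta >= limit)
            printf "%.6f %s\n", delta, prev
        prev = ""
        call = $0
        sub(/^[ \t]*[0-9.]+[ \t]+/, "", call)      # drop the timestamp
        if (call ~ /^open\(/) {
            split(call, q, "\"")                    # q[2] = path argument
            n = split(call, r, " = ")               # r[n] = returned fd
            if (n > 1 && q[2] == dev && r[n] + 0 >= 0) watched[r[n] + 0] = 1
        } else if (call ~ /^close\(/) {
            sub(/^close\(/, "", call); delete watched[call + 0]
        } else if (call ~ /^ioctl\(/) {
            prev = call
            sub(/^ioctl\(/, "", call); prev_fd = call + 0
        }
    }
    END {   # trace cut off inside an ioctl that never returned
        if (prev != "" && (prev_fd in watched) && prev !~ / = /)
            print "unfinished " prev
    }'
}

# sample_trace: constructed lines in the format of the excerpt above
sample_trace() {
    cat <<'EOF'
     0.010000 open("/dev/fip", O_RDONLY|O_NONBLOCK) = 3
     0.000000 open("/dev/realmagichwl0", O_RDONLY) = 4
     0.010000 ioctl(4, 0x5393, 0x1465dc0) = 0
     0.000000 ioctl(3, 0xc004f11a, 0x1465e20) = 0
     0.020000 ioctl(4, 0x5393, 0x1465dc0) = 0
   118.430000 ioctl(3, 0xc004f11a, 0x1465e20) = 0
EOF
}
```

Run it as `find_slow_ioctls /dev/realmagichwl0 1 < trace.txt`; each output line is the measured duration followed by the ioctl that was in progress during it.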
After weeks and months of disassembling the khwl.o from 2.8.8 and 2.9.3 and debugging it I came to the conclusion that the error is within the Quasar microcode.
The Solution
I am afraid there will be no solution until KiSS releases the source of the khwl.o driver and the Quasar microcode. Either go for Stage2 or drop the player for a different one.
Download
Here you will find firmware ISO images for testing purposes. Flash your player with one of them and report the test result either in the discussion tab of this page or in The Freeze Fix thread at the Stage2 forum.
Player | Comment | Purpose | Download |
---|---|---|---|
DP508 | based on original 2.9.3 without the network driver | check if playback from hard disk freezes | dp508_tffp_wo_net.zip |
DP50x | based on original 2.9.3 with stage2 1.0 merged | just for fun | dp50x_tffp_stage2.zip |
Links
- Thread: debug and fix the freeze bug
- Thread: Official FREEZE Problem Tracking for DP-50x players
- Thread: FW 2.9.3 freeze bug solution? (new clue)
- Thread: FW 2.9.4 for DP-50X with freeze fix and BiG modifications
- Hacking Embedded Linux Based Home Appliances
- Reverse Engineering ARM Based Devices
- SAA7118 Datasheet
- ARM: Assembly Language Programming
- ARM Developer Suite: Assembler Guide
- ARM Microcontroller HOWTO
- Linux DXR3 and Hollywood+ Driver Project
- EM8500 progressive DVD player reference design
- Mastering Linux debugging techniques
- kdb project page, kdb download
- Mediagate MG-35 WIKI, MG-35 Tools
- Reverse Engineering Malware on Linux with IDA Pro