0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

@yamori813(もり や)

[失敗]フォトフレームHack

Last updated at Posted at 2018-03-06

SUNPLUSという台湾の会社のSPMF2800というSOCを使ったフォトフレームをHardOffで購入しHackしてみたのですが断念しました。理由は以下です。

  • データーシートが入手できず仕様が分からない
  • オープンソースなコードも存在しない
  • 商用のRTOSが使われている
  • 同じものを入手するのが難しい

写真(2018-03-03 09.20).jpg

Hackして分かった事は以下の通りです。

  • ターゲットのチップは2009年39週の製造でこのチップは2008年に発表されていた
  • OSはThreadXというRTOS製品を使っている
  • ThreadXはOS自体にアプリケーションも組み込まれていて、ファイルシステムには基本設定しかない
  • シリアルのパターンがある
  • RTOSのcmdオペレーションはUARTで115200で出来る
  • M12L64164A(SDRAM) 8MByte/S25FL016A(SPI Flash) 2MByte
  • JTAGは出ていないように見える
  • FlashにOSとA:とC:のファイルシステムが入っている
  • SDカードはD:となる
  • CPUはMIPS 4KでMMUなし(?)
  • パッケージはSPMF2800と読めるがSPMP2800と同じもの?
  • ドイツでHackを試みた人がいるが情報は少ない
  • SUNPLUSはMIPS 4KなSOCもあるがARMなSOCも出している
  • SDカードやUSBメモリを使ったupgradeのソリューションが入ってるみたい
  • SPMP2800のプレスリリースは2008年1月
  • SUNPLUSは2003/02にMIPS32 4Kのライセンスを受けている
  • SUNPLUSは2006/10にMIPS32 24KEのライセンスを受けている
  • MIPSのライセンスを受ける前にはLexraを使っていた模様
  • 後継のSPMF2892Aというチップも存在するらしい
  • SONYのフォトフレームでも使われている模様
  • SPCA5000(2006年) -> SPCA5110 -> SPCA5330の順にリリースされてた
  • SPMP305XというチップはARM926EJ-Sのsocだった
  • SPMF2800はGeneralplus Technologyに譲渡された
  • ネットワークカメラ用のSPCA6350(iCatchに譲渡)もMIPS(24K)でThreadXらしい
  • SPCA6350のHackはあった
  • SPCA6350は同じMIPS SOCとはいえかなり高機能になっている
  • SPHE1506もMIPS 24Kらしい
  • SPCA6350の後継でV35MAというチップがある
  • SPCA6350前にはSPCA6330というチップがあった模様
  • SunplusはSPEH15xxというケーブモデム用のmips socも作っていた
  • SPEH15xxにはlinuxのコードがあるがほとんど類似点はなさそう

SPMF2800.png

Copyright (c) 1996-2005 Express Logic Inc. * ThreadX MIPS32_4Kx/GNU Version G4.0c.R

HannStar社製のHSD070I651という7インチの480x234なTFTが付いていたので、これを別用途にするという作戦も考えましたが、ドライバーの入手が面倒だったり高かったりするので、とりあずお蔵入りとします。324円で手に入れたジャンクに5000円もするコントローラーを用意するのは本末転倒です。

HSD070I651は昔鳥取三洋が作っていたTM070WA-22L06を進化させたもののように思われます。

ディスプレイ,USB Host,UARTがあるのでターミナルにでもできると面白いのだが。

起動ログ

BOOT SPI
.B(128)P(1)D(1)M(0)
..
------------ [SPMF28XX Boot Loader] ------------
1 memProfile.pheapStart=8000D9A0
=========>new buddy system<============
new buddy system start_addr=0xA06FF000, size=0x100000
IOTRAp=200

[loadLzoFW] run,807FF000
[loadLzoFW] run,807FF000
[loadLzoFW] run,807FF000
[loadLzoFW] run,807FF000
[loadLzoFW] run,807FF000
[loadLzoFW] run,807FF000
[serialFlashDetect] run,dmaMode=0
. buf=A06FF010,size=256
EXEC round=16
   0 | 53;50;49;46;20;52;53;56;EF;BE;00;00;F1;0E;0F;F1;
   1 | 00;00;00;00;7F;00;00;00;00;00;00;00;00;00;00;00;
   2 | 00;00;00;00;00;05;00;07;7F;00;00;00;19;00;00;00;
   3 | 71;02;00;00;00;00;00;00;00;00;00;00;00;00;00;00;
   4 | 8C;20;15;00;01;00;80;00;00;01;00;00;00;02;00;A0;
   5 | 7F;00;00;00;04;00;00;00;01;00;1C;00;20;71;00;B0;
   6 | 00;00;00;00;40;70;00;B0;00;00;00;00;50;70;00;B0;
   7 | 02;00;00;00;02;00;0C;00;54;70;00;B0;00;02;00;00;
   8 | 01;00;24;00;5B;70;00;B0;02;00;00;00;73;70;00;B0;
   9 | 28;00;00;00;80;70;00;B0;02;00;00;00;E6;70;00;B0;
   A | 02;00;00;00;01;00;0C;00;23;40;00;B0;00;00;00;00;
   B | 00;00;00;00;00;00;00;00;00;00;00;00;00;00;00;00;
   C | 00;00;00;00;00;00;00;00;00;00;00;00;00;00;00;00;
   D | 00;00;00;00;00;00;00;00;00;00;00;00;00;00;00;00;
   E | 00;00;00;00;00;00;00;00;00;00;00;00;00;00;00;00;
   F | 00;00;00;00;00;00;00;00;00;00;00;00;00;00;00;00;
[loadLzoFW] run,lzoSrc = 0xA06B0000,lzoSize = 0x4E200
[loadLzoFW] run prsvHeader->realFwBlks=19,prsvHeader->nrRealFW=271
.Using LZO firmware
..........[loadLzoFW] run,dstLen = 682576
[loadLzoFW] run , _exceptVect = 0x80010000;80000280
 buf=B0001000,size=16
EXEC round=1
   0 | 00;00;00;00;00;00;06;00;00;00;00;00;00;00;01;00;
2800 sysAppInit run 
Module[Evm Board Config] init
BoardConfig init
MS Card Function Open
Module[A070FW05 Display Driver] init
Module[Evm RC Driver] init
Module[Evm Key Driver] init
Total Dev [4]
 manu ID = 1 
 Device ID 1= 2 
 Device ID 2= 14 
Disable write protection, Status = 0 
 
RSV Disk A mount SUCCESS
[Jfs_findLastBlock:164] block=1
[Jfs_findLastSector:196] sector=129
[Jfs_mount:393] sector=129
[Jfs_findLastBlock:164] block=1
RSV Disk B mount SUCCESS
RSV Disk C mount SU[ERR rtc]timer read t?ERROR !!! rtc reliable code not matERROR !!! rtc reliable code not match : 0
[USB HOST] Initial and Enable
Module[APP Desktop] init
Module[APP Slideshow] init
Module[APP Thumbnail] init
Module[APP Photo] init
Module[APP ISP] init
Module[APP Explorer] init
Module[APP Black] init
Module[APP Mode] init
Module[3D Flip Effect] init
Module[3D Circle Effect] init
Module[3D Float Effect] init
Module[3D Cube Effect] init
Module[Shutter Effect] init
Module[Boxing Shutter Effect] init
Module[Cross Comb Effect] init
Module[Insert Effect] init
Module[News Effect] init
Module[Plus Sign Effect] init
Module[Flabellate Effect] init
Module[Fade Effect] init
Module[Shrink Effect] init
SD not insert
sysAppInit OK
spGuiTask thread start!
******************* hw_disppnlvhsel 
 pbh0 = 148 pbv0 = 10 pbh1 = 627 pbv1 = 243
pbx0 = 0 pby0 = 0 pbx1 = 479 pby1 = 233
osdh0 = 148 osdv0 = 10 osdh1 = 627 osdv1 = 243
 AUO a070fw05 INITIAL 
pnlsel = A
 hw_disppnlvhsel 
 ***********
* Press 'Enter' to continue  *
******************************
cmd>customerApplication enter
open [A:\res\COLOR.BIN]
MatrixA[0]=[133][   307]
MatrixA[1]=[FFFFFFE6][-   26]
MatrixA[2]=[FFFFFFE6][-   26]
MatrixA[3]=[FFFFFFCD][-   51]
MatrixA[4]=[166][   358]
MatrixA[5]=[FFFFFFCD][-   51]
MatrixA[6]=[FFFFFFDA][-   38]
MatrixA[7]=[FFFFFFDA][-   38]
MatrixA[8]=[14D][   333]
MatrixB[0]=[0][     0]
MatrixB[1]=[0][     0]
MatrixB[2]=[0][     0]
yzyan to open:A:\lang\language.cfg
[settingsInit:227] Load settings B:\settings.dat
yzyan to open:B:\settings.dat
[Jfs_findLastBlock:164] block=1
[Jfs_findFile:228] file=B:\settings.dat sector=129
[Jfs_open:449] pFile=-2146729424
[Jfs_read:529] fd=1, nbytes=648
[Jfs_close:498] fd=1
bri=[0] con=[FF] sat=[100] hue=[0]
con=[FF],bri=[0],hue=[0],sat=[100]
MatrixB[0]=    0 MatrixB[1]=    0 MatrixB[2]=    0 
yzyan to open:A:\lang\ja.txt
yzyan to open:A:\res\app.rc
yzyan to open:A:\lang\ja.txt
yzyan to open:A:\res\fallback.jpg
dstY [0] dstHeight[48] preader->srcROI.y[0] segment_height[48] startY[0] orgH[48] TargetY[0]
DRAM WIDTH=[64]
pdramReg->stillsb_hsize=pdramReg->mpgRechsize =[48]   pmjpgReg->srcwidth=[48] pmjpgReg->decscale_pbwidth=[48]
offsetx=[0] ini=[0]
[_imageReaderLoad] A:\res\fallback.jpg 2 ticks, ret=0
[0,0 48x48]
[3585][imageReaderLoad] A:\res\fallback.jpg 0 ticks, ret=0
[3605][imageReaderLoad] A:\res\fallback.jpg 0 ticks, ret=0
ok=OK
customerApplication exit
open dev /dev/input0  00000000
spGuiInputTask thread start!
open dev /dev/input1  00000001
spGuiInputTask thread start!
[stateDesktopLogo:538] loading <A:\res\logo.jpg> as logo
yzyan to open:A:\res\logo.jpg
dstY [0] dstHeight[234] preader->srcROI.y[0] segment_height[270] startY[0] orgH[272] TargetY[0]
DRAM WIDTH=[496]
pdramReg->stillsb_hsize=pdramReg->mpgRechsize =[480]   pmjpgReg->srcwidth=[480] pmjpgReg->decscale_pbwidth=[480]
offsetx=[0] ini=[0]
[_imageReaderLoad] A:\res\logo.jpg 9 ticks, ret=0
[0,0 480x234]
[3585][imageReaderLoad] A:\res\logo.jpg 0 ticks, ret=0
[3605][imageReaderLoad] A:\res\logo.jpg 1 ticks, ret=0
decodeWithoutGpe : outRect 0, 0, 480, 234
[storageMgrOnDeviceMount:433] devId=0
deviceTypeGet devId = 0  type = <FLOOPY-A>
storageMgrOnDeviceMount <FLOOPY-A> on <A:>
[storageMgrOnDeviceMount:433] devId=1
deviceTypeGet devId = 1  type = <NAND>
storageMgrOnDeviceMount <NAND> on <C:>
[storageMgrOnDeviceMount:433] devId=7
deviceTypeGet devId = 7  type = <FLOOPY-B>
storageMgrOnDeviceMount <FLOOPY-B> on <B:>
[storageMgrPluginVolumeMoveTypeToFirst:760] count=0
[storageMgrPluginVolumeMoveTypeToFirst:762] no need
[playlistFactoryGet:389] info.mountPoint=C:
yzyan to open:C:\1.jpg
dstY [0] dstHeight[234] preader->srcROI.y[0] segment_height[270] startY[0] orgH[272] TargetY[0]
DRAM WIDTH=[496]
pdramReg->stillsb_hsize=pdramReg->mpgRechsize =[496]   pmjpgReg->srcwidth=[496] pmjpgReg->decscale_pbwidth=[480]
offsetx=[0] ini=[0]
[_imageReaderLoad] C:\1.jpg 9 ticks, ret=0
[0,0 478x234]
[3585][imageReaderLoad] C:\1.jpg 0 ticks, ret=0
[3605][imageReaderLoad] C:\1.jpg 0 ticks, ret=0
decodeWithoutGpe : outRect 0, 0, 478, 234
spFontLoad A:\font\JapFont.fnt
LZO font open fail
yzyan to open:A:\font\JapFont.fnt
spFontLoad 0x803F1380
yzyan to open:C:\2.jpg
dstY [0] dstHeight[234] preader->srcROI.y[0] segment_height[270] startY[0] orgH[272] TargetY[0]
DRAM WIDTH=[496]
pdramReg->stillsb_hsize=pdramReg->mpgRechsize =[496]   pmjpgReg->srcwidth=[496] pmjpgReg->decscale_pbwidth=[480]
offsetx=[0] ini=[0]
[_imageReaderLoad] C:\2.jpg 23 ticks, ret=0
[0,0 478x234]
[3585][imageReaderLoad] C:\2.jpg 1 ticks, ret=0
[3605][imageReaderLoad] C:\2.jpg 1 ticks, ret=0
decodeWithoutGpe : outRect 0, 0, 478, 234
degree=0
degree=4
degree=8
degree=12
degree=16
degree=20
degree=24
degree=28
degree=31
degree=34
degree=37
degree=40
degree=43
degree=46
degree=49
degree=52
degree=55
degree=57
degree=59
degree=61
degree=63
degree=65
degree=67
degree=69
degree=71
degree=73
degree=75
degree=77
degree=79
degree=80
degree=81
degree=82
degree=83
degree=84
degree=85
degree=86
degree=87
degree=88
degree=89
degree=90
degree=91
degree=92
degree=93
degree=94
degree=95
degree=96
degree=97
degree=98
degree=99
degree=100
degree=101
degree=102
degree=103
degree=105
degree=108
degree=109
degree=111
degree=114
degree=115
degree=117
degree=120
degree=121
degree=123
degree=126
degree=129
degree=132
degree=135
degree=138
degree=141
degree=144
degree=147
degree=150
degree=153
degree=156
degree=159
degree=163
degree=168
degree=172
degree=175
degree=179
yzyan to open:C:\3.jpg
dstY [0] dstHeight[234] preader->srcROI.y[0] segment_height[270] startY[0] orgH[272] TargetY[0]
DRAM WIDTH=[496]
pdramReg->stillsb_hsize=pdramReg->mpgRechsize =[496]   pmjpgReg->srcwidth=[496] pmjpgReg->decscale_pbwidth=[480]
offsetx=[0] ini=[0]
[_imageReaderLoad] C:\3.jpg 16 ticks, ret=0
[0,0 478x234]
[3585][imageReaderLoad] C:\3.jpg 0 ticks, ret=0
[3605][imageReaderLoad] C:\3.jpg 0 ticks, ret=0
decodeWithoutGpe : outRect 0, 0, 478, 234
cmd>os all
THRD[802F6FD0](prio 0)System Timer Thread [Susp]timeout0
----stk(L   0) 888/1024@802F73F0(top802F7078/bot802F7477)ok

THRD[80310D30](prio31)BK              [WQue]timeout-1
----stk(L   0)3952/4096@80311D50(top80310DE0/bot80311DDF)ok
  waits QUEU[80310CA0]BK_JOB         [0   /8   ]x2 (R80310CD8/S80310CD8)

THRD[80422BF0](prio15)Cmd             [Ready]timeout0
----stk(L   0)3608/4096@80423AB8(top80422CA0/bot80423C9F)ok
  waits QUEU[80311E30]UartRx         [0   /64  ]x1 (R80311E68/S80311E68)

THRD[80423CB0](prio10)DeviceMgr       [Sleep]timeout1
----stk(L   0)3944/4096@80424CC8(top80423D60/bot80424D5F)ok

THRD[80424D70](prio20)DeviceFlush     [Sleep]timeout68
----stk(L   0) 880/1024@80425190(top80424E20/bot8042521F)ok

THRD[800B6AA0](prio13)gui thread      [WSem]timeout-1
----stk(L   0)16136/16384@8030B5D8(top803076D0/bot8030B6CF)ok
  waits SEMA[802EDFA8]msgQueue       [0]

THRD[800B89C8](prio 9)key driver      [Sleep]timeout1
----stk(L   0) 368/ 512@800B8BE0(top800B8A70/bot800B8C6F)ok

THRD[803F1B80](prio12)input thread    [WEvt]timeout-1
----stk(L   0) 296/ 512@803F02A8(top803F0180/bot803F037F)ok
  waits DVDN[803F1C80]ringBuf event  [00000002]

THRD[803EFF80](prio12)input thread    [WEvt]timeout-1
----stk(L   0) 296/ 512@803F0EA8(top803F0D80/bot803F0F7F)ok
  waits DVDN[803F0080]ringBuf event  [00000002]

ID[addr]      Name           [#que/caps]sz Rcv/Send
------------- -------------- ------------- --------
QUEU[80310CA0]BK_JOB         [0   /8   ]x2 (R80310CD8/S80310CD8)
   susp THRD[80310D30](prio31)BK              [WQue]timeout-1

QUEU[80311E30]UartRx         [0   /64  ]x1 (R80311E68/S80311E68)
ID[addr]      Name           Sem Cnt
------------- -------------- --------
SEMA[A0411F90]DISK_RW        [1]
SEMA[804121E0]SEM_DISK       [1]
SEMA[80422B90]ADC            [1]
SEMA[800B70C0]OTG_sem_1      [0]
SEMA[800B6FC0]MSDC_CMD       [1]
SEMA[800B70E0]SUSPEND_CMD    [1]
SEMA[802EDFA8]msgQueue       [0]
   susp THRD[800B6AA0](prio13)gui thread      [WSem]timeout-1

SEMA[80422BC0]EXIF_PARSE_WAIT[1]
SEMA[80426610]halGpeCmdQue   [1]
SEMA[80426640]ImageGpeGlobalSem[1]
SEMA[80426670]ImageReaderExifSem[1]
SEMA[804266A0]HAL_JPGTOK     [1]
SEMA[804266D0]HAL_JPG        [0]
ID[addr]      Name           Evt flags
------------- -------------- ---------
DVDN[802EE6E4]syncExec       [00000000]
DVDN[802F6CC8]tmrEvt         [00000000]
DVDN[800B8940]vsync_event_flags[00000001]
DVDN[803F1C80]ringBuf event  [00000002]
   susp REQ00000001(1) THRD[803F1B80](prio12)input thread    [WEvt]timeout-1

DVDN[803F0080]ringBuf event  [00000002]
   susp REQ00000001(1) THRD[803EFF80](prio12)input thread    [WEvt]timeout-1

ID[addr]      Name           Mutx Own cnt by THRD
------------- -------------- --------- ---------------
MUTE[802F7678]pure mutex     [0       ]by<-              >

MUTE[800B81F0]FAT_LOCK       [0       ]by<-              >

MUTE[802EDF70]msgQueue       [0       ]by<-              >

ID[addr]      Name           Timeout/Freq       callback
------------- -------------- ------------------ --------
ATIM[802EE768]spgui_timer    [50      /0       ]calls800394CC(00000000)

ID[addr]      Name           Start addr Total size Free  size #frags search
------------- -------------- ---------- ---------- ---------- ------ --------
BYTE[80310C50]memBig         [A0310C90]    5170024    4032768      27 A04266F0
A0310C90 [-USED-] sz      144(0x      90) [N:A0310D20]
A0310D20 [-USED-] sz     4288(0x    10C0) [N:A0311DE0]
A0311DE0 [-USED-] sz       64(0x      40) [N:A0311E20]
A0311E20 [-USED-] sz      336(0x     150) [N:A0311F70]
A0311F70 [-USED-] sz  1048592(0x  100010) [N:A0411F80]
A0411F80 [-USED-] sz       48(0x      30) [N:A0411FB0]
A0411FB0 [-USED-] sz      544(0x     220) [N:A04121D0]
A04121D0 [-USED-] sz       48(0x      30) [N:A0412200]
A0412200 [-USED-] sz    30880(0x    78A0) [N:A0419AA0]
A0419AA0 [-USED-] sz     3104(0x     C20) [N:A041A6C0]
A041A6C0 [-USED-] sz    30880(0x    78A0) [N:A0421F60]
A0421F60 [-USED-] sz     3104(0x     C20) [N:A0422B80]
A0422B80 [-USED-] sz       48(0x      30) [N:A0422BB0]
A0422BB0 [-USED-] sz       48(0x      30) [N:A0422BE0]
A0422BE0 [-USED-] sz     4288(0x    10C0) [N:A0423CA0]
A0423CA0 [-USED-] sz     4288(0x    10C0) [N:A0424D60]
A0424D60 [-USED-] sz     1216(0x     4C0) [N:A0425220]
A0425220 [-USED-] sz      272(0x     110) [N:A0425330]
A0425330 [-USED-] sz     4816(0x    12D0) [N:A0426600]
A0426600 [-USED-] sz       48(0x      30) [N:A0426630]
A0426630 [-USED-] sz       48(0x      30) [N:A0426660]
A0426660 [-USED-] sz       48(0x      30) [N:A0426690]
A0426690 [-USED-] sz       48(0x      30) [N:A04266C0]
A04266C0 [-USED-] sz       48(0x      30) [N:A04266F0]
A04266F0 [-free-] sz      528(0x     210) [N:A0426900]
A0426900 [-free-] sz  4032240(0x  3D86F0) [N:A07FEFF0]
A07FEFF0 [ END~ ] sz        0(0x       0) [N:A0310C90]

BYTE[802D5990]USB            [A02D59D0]      98312      97920       5 A02D5B50
A02D59D0 [-USED-] sz      128(0x      80) [N:A02D5A50]
A02D5A50 [-USED-] sz      128(0x      80) [N:A02D5AD0]
A02D5AD0 [-USED-] sz      128(0x      80) [N:A02D5B50]
A02D5B50 [-free-] sz    97920(0x   17E80) [N:A02ED9D0]
A02ED9D0 [??????] sz1607542320(0x5FD12630) [N:00000000]

bootとThreadXは別々になるようで、先頭の64Kがbootのようです。

Flashアドレス 内容
0000-00ff シグネチャ
0100-01ff 空き
0200-0x27f アトリビュート
0280-03ff 文字列
0400-bfff boot実行コード(非圧縮)
c000-c23f loadLzoFWコード
10000-affff FAT12 A:
b0000-18ffff FAT12 C:
190000-1dffff ThreadX(LZO Size:0x4e200)
1e0000-1effff JFS
1f0000-1fffff JFS(バックアップ?)

lzoにlzopackというプログラムがあってためしているのだが、0x000a6a50を圧縮すると0x0004e18cとなるところが、0x0004e14dになってしまう。なんでかな。。。

loadLzoFWコードが分離されているのはGPL対策かもしれません。

SPI Flashにソケットを付けて、簡単に試せるようにしたのですが。

写真(2022-06-30 16.23).jpg

flashromで焼く時はDIPに変換します。

写真(2022-07-01 6.21).jpg

% binwalk original.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
506340        0x7B9E4         Boot section Start 0x100804 End 0xE100800
540840        0x840A8         Copyright string: "Copyright (c) 2008 by Sunplus mMedia Inc.   *"
541006        0x8414E         Copyright string: "copyrighted by and is the property of Sunplus  *"
541462        0x84316         Copyright string: "Copyright notice MUST not be removed or modified without prior   *"
547840        0x85C00         JPEG image data, JFIF standard 1.02
549888        0x86400         JPEG image data, JFIF standard 1.02
585216        0x8EE00         JPEG image data, JFIF standard 1.01
585246        0x8EE1E         TIFF image data, big-endian, offset of first image directory: 8
586240        0x8F200         JPEG image data, JFIF standard 1.02
607744        0x94600         JPEG image data, JFIF standard 1.02
610304        0x95000         JPEG image data, JFIF standard 1.02
612864        0x95A00         JPEG image data, JFIF standard 1.02
615424        0x96400         JPEG image data, JFIF standard 1.02
651264        0x9F000         JPEG image data, JFIF standard 1.02
653824        0x9FA00         JPEG image data, JFIF standard 1.02
743936        0xB5A00         JPEG image data, JFIF standard 1.02
764928        0xBAC00         JPEG image data, JFIF standard 1.02
833536        0xCB800         JPEG image data, JFIF standard 1.02
879104        0xD6A00         JPEG image data, JFIF standard 1.02
934400        0xE4200         JPEG image data, JFIF standard 1.02
1935581       0x1D88DD        Copyright string: "Copyright (c) 1996-2005 Express Logic Inc. * ThreadX MIPS32_4Kx/GNU Version G4.0c.R"
% binwalk -A original.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1632          0x660           MIPSEL instructions, function epilogue
1764          0x6E4           MIPSEL instructions, function epilogue
1788          0x6FC           MIPSEL instructions, function epilogue
1892          0x764           MIPSEL instructions, function epilogue
1916          0x77C           MIPSEL instructions, function epilogue
2356          0x934           MIPSEL instructions, function epilogue
2572          0xA0C           MIPSEL instructions, function epilogue
2724          0xAA4           MIPSEL instructions, function epilogue
2896          0xB50           MIPSEL instructions, function epilogue
3284          0xCD4           MIPSEL instructions, function epilogue
3340          0xD0C           MIPSEL instructions, function epilogue
3504          0xDB0           MIPSEL instructions, function epilogue
3568          0xDF0           MIPSEL instructions, function epilogue
3636          0xE34           MIPSEL instructions, function epilogue
4152          0x1038          MIPSEL instructions, function epilogue
4468          0x1174          MIPSEL instructions, function epilogue
4548          0x11C4          MIPSEL instructions, function epilogue
4624          0x1210          MIPSEL instructions, function epilogue
4744          0x1288          MIPSEL instructions, function epilogue
4928          0x1340          MIPSEL instructions, function epilogue
4984          0x1378          MIPSEL instructions, function epilogue
5528          0x1598          MIPSEL instructions, function epilogue
5592          0x15D8          MIPSEL instructions, function epilogue
5952          0x1740          MIPSEL instructions, function epilogue
6864          0x1AD0          MIPSEL instructions, function epilogue
7724          0x1E2C          MIPSEL instructions, function epilogue
8080          0x1F90          MIPSEL instructions, function epilogue
8512          0x2140          MIPSEL instructions, function epilogue
10068         0x2754          MIPSEL instructions, function epilogue
10376         0x2888          MIPSEL instructions, function epilogue
10468         0x28E4          MIPSEL instructions, function epilogue
11672         0x2D98          MIPSEL instructions, function epilogue
12672         0x3180          MIPSEL instructions, function epilogue
13648         0x3550          MIPSEL instructions, function epilogue
13892         0x3644          MIPSEL instructions, function epilogue
14656         0x3940          MIPSEL instructions, function epilogue
14708         0x3974          MIPSEL instructions, function epilogue
14820         0x39E4          MIPSEL instructions, function epilogue
14852         0x3A04          MIPSEL instructions, function epilogue
24108         0x5E2C          MIPSEL instructions, function epilogue
24114         0x5E32          MIPS instructions, function epilogue
24304         0x5EF0          MIPSEL instructions, function epilogue
24452         0x5F84          MIPSEL instructions, function epilogue
25374         0x631E          MIPS instructions, function epilogue
26848         0x68E0          MIPSEL instructions, function epilogue
26916         0x6924          MIPSEL instructions, function epilogue
27440         0x6B30          MIPSEL instructions, function epilogue
27824         0x6CB0          MIPSEL instructions, function epilogue
27862         0x6CD6          MIPS instructions, function epilogue
27994         0x6D5A          MIPS instructions, function epilogue
28208         0x6E30          MIPSEL instructions, function epilogue
28222         0x6E3E          MIPS instructions, function epilogue
28544         0x6F80          MIPSEL instructions, function epilogue
28558         0x6F8E          MIPS instructions, function epilogue
28728         0x7038          MIPSEL instructions, function epilogue
28848         0x70B0          MIPSEL instructions, function epilogue
29020         0x715C          MIPSEL instructions, function epilogue
29476         0x7324          MIPSEL instructions, function epilogue
29512         0x7348          MIPSEL instructions, function epilogue
29632         0x73C0          MIPSEL instructions, function epilogue
30000         0x7530          MIPSEL instructions, function epilogue
30044         0x755C          MIPSEL instructions, function epilogue
30824         0x7868          MIPSEL instructions, function epilogue
31064         0x7958          MIPSEL instructions, function epilogue
31868         0x7C7C          MIPSEL instructions, function epilogue
31936         0x7CC0          MIPSEL instructions, function epilogue
32080         0x7D50          MIPSEL instructions, function epilogue
32332         0x7E4C          MIPSEL instructions, function epilogue
33452         0x82AC          MIPSEL instructions, function epilogue
34348         0x862C          MIPSEL instructions, function epilogue
34472         0x86A8          MIPSEL instructions, function epilogue
35108         0x8924          MIPSEL instructions, function epilogue
35492         0x8AA4          MIPSEL instructions, function epilogue
35712         0x8B80          MIPSEL instructions, function epilogue
36116         0x8D14          MIPSEL instructions, function epilogue
36360         0x8E08          MIPSEL instructions, function epilogue
36484         0x8E84          MIPSEL instructions, function epilogue
37080         0x90D8          MIPSEL instructions, function epilogue
40748         0x9F2C          MIPSEL instructions, function epilogue
41744         0xA310          MIPSEL instructions, function epilogue
41828         0xA364          MIPSEL instructions, function epilogue
41980         0xA3FC          MIPSEL instructions, function epilogue
42292         0xA534          MIPSEL instructions, function epilogue
43208         0xA8C8          MIPSEL instructions, function epilogue
45512         0xB1C8          MIPSEL instructions, function epilogue
45536         0xB1E0          MIPSEL instructions, function epilogue
49214         0xC03E          MIPS instructions, function epilogue
49254         0xC066          MIPS instructions, function epilogue

IO空間

B0000000 00000005 00000000-00099019 00000000 | ................
B0000010 00000000 00000000-00000000 00000000 | ................
B0000020 00000000 00000000-00000000 00000000 | ................
B0000030 00000000 00000000-00000000 00000000 | ................
B0000040 00000000 00000000-00000000 00000000 | ................
B0000050 00000000 00000000-00000100 00000000 | ................
B0000060 0000000F 009BFFFF-00000000 00000000 | ................
B0000070 00000200 04010010-00000001 00000307 | ................
B0000080 02000000 1C3F0000-05050100 01050002 | .....?..........
B0000090 00000005 00000000-04131809 00000000 | ................
B00000A0 00000000 00000000-00000000 00000000 | ................
B00000B0 00000000 00000000-00000000 00000000 | ................
B00000C0 00000000 00000100-00000000 00000000 | ................
B00000D0 0700AA00 00000000-00000000 00000000 | ................
B00000E0 00000003 00000000-00000000 00000000 | ................
B00000F0 14030000 00000000-00000000 00000000 | ................
B0000100 00000000 7FFF0000-00000000 0000FFFF | ...............
B0000110 00000000 00000000-00000000 00000000 | ................
B0000120 FFFFFFFF 0000003F-00010600 00000000 | .......?........
B0000130 00000000 00000000-00000000 00000000 | ................
B0000140 FFFFFFFF 007FFFFF-00000000 00000000 | ...............
B0000150 0000181C 00200000-0000180C 00200000 | ..... ....... ..
B0000160 FFFFFFFF 0000000F-00000000 00000000 | ................
B0000170 06000848 00000000-00000840 00000000 | ...H.......@....
B0000180 0000000F 00000000-00000000 00000000 | ................
B0000190 00000001 00000000-00000000 00000000 | ................

B0000FF0 00000000 00000000-00000000 0B0A090A | ................
B0001000 00000000 00062000-00005E8B 00010245 | ...... ...^....E
B0001010 00000000 00000000-00000000 00000000 | ................
B0001020 00000000 00000000-00000000 00000000 | ................
B0001030 00000210 0000F708-FDFF0AF5 00000042 | ...............B
B0001040 00080000 00001000-00000000 00000000 | ................
B0001050 FFFF0000 00040C03-00010034 00000000 | ...........4....
B0001060 D0000000 D0001FFF-1FC01000 1FC02FFF | ............../.
B0001070 00000000 00000000-00000000 00000000 | ................
B0001080 000F0000 00000000-00000000 00000000 | ................

B0001100 00009001 000001A0-0000002D 00000030 | ...........-...0
B0001110 00006000 000001A0-00000000 000001FF | ..`.............
B0001120 00000000 00000000-00000000 00000000 | ................
B0001130 00000001 00000000-00000000 00000000 | ................
B0001140 001A0001 00002710-00000251 00000000 | ......'....Q....
B0001150 69770002 00800000-00800000 00000000 | iw..............
B0001160 001A0000 00800000-00800000 00000000 | ................
B0001170 69770002 00800000-00800000 00000000 | iw..............
B0001180 69770002 00800000-00800000 00000000 | iw..............
B0001190 69770002 00800000-00800000 00000000 | iw..............
B00011A0 00000003 3B100FFF-3B103B10 0000B130 | ....;...;.;....0
B00011B0 0003B538 0001DA9C-0003B538 000107AC | ...8.......8....
B00011C0 FF004500 00000000-00000000 00000000 | ..E.............
B00011D0 00000000 00000000-00000000 00000000 | ................
B00011E0 00000002 00000000-00010002 00000000 | ................
B00011F0 00000000 00000000-00000000 00000000 | ................
B0001200 00000000 00000000-00000001 00103FFF | ..............?.
B0001210 00000001 00000000-00000000 00AA01CB | ................
B0001220 00000000 00000000-00000001 00000000 | ................
B0001230 00000000 00000000-00000001 00000000 | ................
B0001240 00000000 00000000-00000001 00000000 | ................
B0001250 00000000 00000000-00000001 00000000 | ................

B0001FF0 00000000 00000000-00000000 100E0E05 | ................

B00020A0 00010100 00000000-00000000 00000000 | ................

B00020F0 00000000 00000000-00000000 0411090A | ................
B0002100 00000000 01000000-01000000 00000000 | ................
B0002110 00000140 00000000-00000000 00000000 | ...@............
B0002120 01100100 00000000-FF000001 181003FF | ................
B0002130 00000050 00000000-00000000 00000000 | ...P............

B00022E0 00010100 00000000-00000000 00000000 | ................

B0003020 00000007 00000000-00000000 00000000 | ................
B0003030 00000000 00000000-00000000 00000000 | ................
B0003040 00000000 00000000-00000000 00000000 | ................
B0003050 00000000 00000000-00000000 00000000 | ................
B0003060 07FFFFFF 00000111-00000000 07FFFFFF | ................
B0003070 00000000 00000000-00000000 00000000 | ................
B0003080 00000002 000001FF-00419CB0 BCB2BCB2 | .........A......
B0003090 00000000 00000000-00000000 00000000 | ................
B00030A0 00000000 00000000-00000000 52005200 | ............R.R.

B0003FF0 00000000 00000000-00000000 1F15100A | ................
B0004000 003DFF4D 00000000-009E9AD7 00000000 | .=.M............
B0004010 0E000000 00000000-00000000 00000000 | ................
B0004020 020800FF 00BCBC00-00000000 00000000 | ................
B0004030 00000000 00000000-00000010 00100000 | ................
B0004040 FFFFDFEF 0067E3FF-000007E0 00430000 | .....g.......C..
B0004050 00000003 00000018-00000000 00000000 | ................
B0004060 53021100 00010000-00000000 00000000 | S...............
B0004070 0001EFFF 31330000-00000000 00000000 | ....13..........
B0004080 00020030 013F0035-FF0008FF FFFFFFFF | ...0.?.5........
B0004090 0900000D 00003F00-00000000 00000000 | ......?.........
B00040A0 00000000 00000000-00000000 00000000 | ................
B00040B0 0F100000 00000000-00000000 00000000 | ................
B00040C0 00000000 0000F001-00000000 01000000 | ................
B00040D0 00000100 009BAA95-00000000 00000000 | ................
B00040E0 00000300 00000000-00000000 00000000 | ................
B00040F0 00000000 00000080-00000000 00000000 | ................
B0004100 04000000 FFFFFFFF-F7FFEFEF FFFFFFFF | ................
B0004110 000000FF 03FF03FF-03FF03FF 03FF03FF | ................
B0004120 02FF03FF FFFFFFFF-77F7FFFF 00000701 | ........w.......

B0004FF0 00000000 00000000-00000000 3A11040A | ............:...
B0005000 00060000 00000000-00000000 00000000 | ................
B0005010 00000000 00000000-00000000 00000000 | ................
B0005020 00001F1F 00000000-00000000 00000000 | ................
B0005030 00000000 00000000-4FC7FFFF 00000000 | ........O.......
B0005040 00000000 00000000-00000000 00000000 | ................
B0005050 00000000 00000000-00000000 00000000 | ................
B0005060 00000000 00000000-00000000 00000000 | ................
B0005070 00000000 00000000-00000000 00000000 | ................
B0005080 00000000 0000FBCC-00000000 00000000 | ................
B0005090 00000002 00000000-00000000 00000000 | ................
B00050A0 00000000 00000000-00000000 00000000 | ................
B00050B0 00000000 00000000-00000000 00000000 | ................
B00050C0 00000000 00000000-00000000 00000000 | ................
B00050D0 00000000 00000000-00000000 00000000 | ................
B00050E0 00000000 00000000-00000000 00000000 | ................
B00050F0 00000000 00000000-00000000 00000000 | ................
B0005100 00000000 00000010-00000000 00000000 | ................
B0005110 00050308 00000000-00000000 00000000 | ................
B0005120 00000000 00000000-00000000 00000000 | ................
B0005130 600000E0 0000FF05-0D030501 00000000 | `...............
B0005140 00000023 00000000-00000000 00000000 | ...#............



B000A000 00000000 00000001-00000000 00000000 | ................
B000A010 00000000 00000000-00000000 00000000 | ................
B000A020 00000007 02750108-02020000 02740094 | .....u.......t..
B000A030 00F3000A 013F0000-00EF0000 034F0080 | .....?.......O..
B000A040 02050026 01DF0000-00E90000 02730094 | ...&.........s..
B000A050 00F3000A 00000000-00000000 00000000 | ................
B000A060 01DF0000 00E90000-02730094 00F3000A | .........s......
B000A070 00000000 00000000-00000000 00000000 | ................
B000A080 00000000 00000000-00000000 00000000 | ................
B000A090 00000000 00000000-00000000 00000000 | ................
B000A0A0 00000000 00000000-00000000 00000000 | ................
B000A0B0 00000070 00000000-00000004 00010000 | ...p............
B000A0C0 00004208 00002220-22222222 22222222 | ..B..." """"""""
B000A0D0 00000000 00000000-00000000 00000000 | ................
B000A0E0 0133000A FFE6FFE7-0164FFCD FFDAFFCD | .3.......d......
B000A0F0 014DFFDB 00000000-00000000 00000000 | .M..............
B000A100 0000000A 00000000-FFFCF180 FFFCFFA0 | ................
B000A110 00000180 00000180-00000100 00000000 | ................
B000A120 00020000 00000000-00000000 00FFFFFF | ................
B000A130 00000020 00000000-00000000 00000000 | ... ............
B000A140 00000000 DD22DD22-00000121 00000000 | ....."."...!....
B000A150 00000000 00000000-00000000 00000000 | ................
B000A160 00000003 00000000-00000000 00000000 | ................
B000A170 00F4000A 00420036-00360000 004E0025 | .....B.6.6...N.%
B000A180 00080094 00000004-0000000F 00000000 | ................
B000A190 00000000 00000000-00000000 00000000 | ................
B000A1A0 00F301F4 00000000-00000000 00000000 | ................

B000A600 00000040 00000000-00000000 00000000 | ...@............
B000A610 0000000F 001F1F06-00000020 00000000 | ........... ....
B000A620 00000000 00000000-00000000 00000000 | ................
B000A630 E8000000 00000000-00000000 00000000 | ................
B000A640 0000003F AAAAAA87-00000000 00000000 | ...?............

ThreadXをSunplus自社内でポートしたようなので公式なデーターシートは存在しないのかもしれません。

HI1018

HaierのHiPatriot HI1018を使ったフォトフレームも手に入れてみた。8051系のCPUのようだが、こちらもHackできていない。

ネットで調べるとHI1016Dというチップもあったようだ。

M12L1616TA(1M)のDRAMがついていて、これは8051で使っているのではなくLCDコントローラーのフレームバッファではないかと思われる。

26ピンのLCDへの接続

Pin Sym Function
6 STV Vertical start pulse
9 OEV Output enable input for scan(Gate) driver
14 OEH Output enable input for data (Source) driver
15 STH Start pulse for horizontal scan (Gate) line
19 CKV Sampling and shifting clock pulse for data (Source) driver
22 VR Alternated video signal input(Red)
23 VG Alternated video signal input(Green)
24 VB Alternated video signal input(Blue)

マイコンの情報が出てくる事はないと思われ、このモジュールは裏に上記のパッドが出ているので、マイコンを外して別のマイコンを付けて乗っ取るのが良さそうな気がしている。

LCDは同じ仕様のものっぽいが、CPUが32Bitと8Bitだったりしてまったく作り込みが違う。

0
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?