The Freeze Fix Project

From Digisaster

About

As you may know, firmware 2.9.3 for KiSS DP-50x players has the so-called Freeze Bug. The aim of this project is to debug and eventually fix it.

There is another project called Stage2 that works around the Freeze Bug by using components of different firmware versions.

Thanks to divxplayer who donated a DP-508 for this project.

All code examples on this page assume that you are doing this on a system running Linux. Use VMware Player to run Linux as a guest inside a Windows system.

The project is looking for volunteers, more players of different revisions and other donations (books).

PCB and Components

Components:

The EM8550 has two built-in UART controllers. One is used for the front panel controller and the other for the serial console. In the lower right corner of the board a SUB9 (J18) can be connected. The driver chip (U17, 28-pin) that converts from TTL to RS232 voltage levels is not soldered on the board.

Console Access

Hardware

A data cable for mobile phones (USB-to-Serial converter) is connected to the PCB (T62 -> TxD, T63 -> RxD, chassis -> GND). A calliper is connected to J14 and acts as RESET.

Terminal settings are: 115200 Baud, 8N1, flow control disabled.

Buy an RS232-to-TTL level converter at Pollin.de, ELV.de, or Reichelt.de.

Software

The boot loader does not output anything to the console. It has to be disassembled to get further information on its function. It can boot the player from a bootable CD or from flash, but not from hard disk.

An unmodified player uses the console only as an output device. There is neither a getty nor a shell process waiting for keyboard input. If we want to interact with the operating system, another process besides the main DVD player application (in the following called kissapp) must run.

Boot messages from Linux kernel

Building and Running a Custom Firmware

Media players based on Sigma Designs' EM85xx processors are in fact computers running a special Linux edition named uCLinux. Firmware for these players consists of ordinary computer programs compiled for the EM85xx processor: if we dig deep enough we find a Linux kernel, directories, graphics files and decoders, prepared like any other Linux application.

Extracting a Firmware Image

After running the script below on a firmware ISO image firmware.iso

# Run as root: the script uses loop mounts.
set -e

DIR=firmware_dir
ISO=firmware.iso

mkdir -p "${DIR}/mount" "${DIR}/cdrom" "${DIR}/romfs"

# Copy the contents of the ISO image into ${DIR}/cdrom
mount -t iso9660 -o ro,loop "${ISO}" "${DIR}/mount"
(cd "${DIR}/mount"; tar cf - .) | (cd "${DIR}/cdrom"; tar xf -)
umount "${DIR}/mount"

# Copy the contents of the ROMFS image into ${DIR}/romfs
mount -t romfs -o ro,loop "${DIR}/cdrom/romfs.bin" "${DIR}/mount"
(cd "${DIR}/mount"; tar cf - .) | (cd "${DIR}/romfs"; tar xf -)
umount "${DIR}/mount"

we end up with the following directory structure

firmware_dir
+- cdrom
+- mount
+- romfs

The directory romfs is the most interesting one. It contains the player firmware that we are going to modify.

Building a Custom Kernel

This page explains how to build a Linux kernel from the source provided by KiSS. Since the source does not contain the kernel modules fipmodule, khwl and kiss_khwl, we are forced to use the binary modules.

Building a Firmware Image

After modifying the extracted firmware, the script below will build a firmware ISO image from it.

DIR=firmware_dir
ISO=firmware.iso
BOOT=boot293.img

set -e
cd "${DIR}"

# Pack the modified tree into a ROMFS image and copy it next to loader.bin
genromfs -v -d romfs -f romfs.bin -a 512 -V 'romfs'
md5sum romfs.bin
cp -f romfs.bin cdrom

# layout.txt lists each image together with its MD5 checksum
md5sum cdrom/loader.bin | sed 's#^\([a-z0-9]*\) .*$#/loader.bin 0 131 \1#' > cdrom/layout.txt
md5sum cdrom/romfs.bin | sed 's#^\([a-z0-9]*\) .*$#/romfs.bin 0x6000 293 \1#' >> cdrom/layout.txt

# ${BOOT} is looked up relative to ${DIR}, and ${ISO} is written there
cp -f "${BOOT}" cdrom/boot.img
mkisofs -V 'KiSS DP-500' -P 'KiSS Technology A/S     ' -o "${ISO}" -c boot.cat -b boot.img -no-emul-boot -N -U -no-pad -hide boot.cat -hide boot.img cdrom

You need the boot image boot293.img, extracted with geteltorito from the firmware ISO image, and a patched version of mkisofs to create a bootable ISO image of architecture type 3. Otherwise the KiSS boot loader will not recognise the disc as a valid one.

The resulting firmware.iso can be burned on CD and flashed into the player.
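Before burning, the checksums in cdrom/layout.txt can be re-checked against the files they name, which catches a romfs.bin that was rebuilt without regenerating layout.txt. This is an added example, not part of the original page; the function name verify_layout is made up here, and only the first field (path) and fourth field (MD5) of each line are interpreted, because the page does not explain the other two.

```shell
# verify_layout CDROM_DIR
# Re-checks every entry of CDROM_DIR/layout.txt against the file it names.
# Line format as written by the build script above:
#   /<file> <field2> <field3> <md5>
# Fields 2 and 3 are read but not interpreted (their meaning is not documented
# on the page). Returns 0 if all entries match, 1 on any problem, 2 if
# layout.txt itself cannot be read.
verify_layout() {
    dir=$1
    layout="$dir/layout.txt"
    [ -r "$layout" ] || { echo "missing $layout" >&2; return 2; }
    rc=0
    # "|| [ -n ... ]" also processes a last line without a trailing newline
    while read -r entry f2 f3 want rest || [ -n "$entry" ]; do
        [ -n "$entry" ] || continue                 # skip blank lines
        if [ -z "$want" ] || [ -n "$rest" ]; then
            echo "MALFORMED $entry" >&2; rc=1; continue
        fi
        case $entry in
            */..|*/../*)                            # must stay inside CDROM_DIR
                echo "REJECT $entry" >&2; rc=1; continue ;;
        esac
        file="$dir$entry"
        if [ ! -f "$file" ]; then
            echo "MISSING $entry" >&2; rc=1; continue
        fi
        have=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK $entry"
        else
            echo "MISMATCH $entry (layout.txt: $want, file: $have)" >&2
            rc=1
        fi
    done < "$layout"
    return $rc
}

# When run as a script: verify the directory given as first argument,
# for example firmware_dir/cdrom
if [ -n "${1:-}" ] && [ -d "$1" ]; then verify_layout "$1"; fi
```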

Running a Custom Firmware from NFS

The procedure described above is very time-consuming when testing small changes. The firmware uses ROMFS as the filesystem for the flash, which is read-only. To overcome this limitation, ROMFS has to be replaced with a writable filesystem. This could be JFFS2 or NFS, among others.

NFS is used by Stage2 to simulate a hard disk over the network, so it is an obvious choice as an alternative to ROMFS as well. A server can be set up very easily.

Some more preparations are needed to run from NFS.

Running a Custom Firmware from Hard Disk

The idea behind this is to create another partition on the hard disk, format it with ext2 and use it as root file system. Since the boot loader is not able to load the Linux kernel from hard disk, it has to remain in flash.

Some preparations are needed to run from hard disk.

Debugging the System

Application

The strace command is a powerful tool that shows all of the system calls issued by a user-space program. strace displays the arguments to the calls and the return values in symbolic form. strace receives its information from the kernel and does not require the kernel to be built in any special way.

Kernel

The Linux kernel debugger (kdb) is a patch for the Linux kernel and provides a means of examining kernel memory and data structures while the system is operational. Note that kdb does not require two machines, but it does not allow you to do source level debugging like kgdb. Unfortunately it does not support the ARM architecture.

The Freeze

There are three applications running on the player:

  • kissapp is the GUI and the control program. It runs continuously in the background, waiting for button presses on the front panel or on the remote. If needed, it will call other programs to play the media files.
  • fileplayer will play the indicated file but will not update the screen. Instead, it will print a heartbeat message on the console every second.
  • mpegplayer will play the indicated file but will not update the screen. Instead, it will print a heartbeat message on the console every second.

On other player models there is a fourth application called pclinkmpeg. Details are not known.

When and how does it freeze

It has been observed that the freeze only happens to kissapp. Fileplayer and mpegplayer do not freeze.

Please contribute to the tables by using the discussion tab of this page. The hardware revision is printed on the back side of the player, the EM8550 revision on the chip. If you do not want to open your player, burn and boot this firmware ISO.

Freeze Matrix by revision

Hardware | EM8550 A | EM8550 B
1        | Yes      | ?
2        | ?        | Yes
3        | ?        | No

Freeze Matrix by file type

Type       | CD/DVD | Harddisk | Network
Audio-CD   | No     | -        | -
VCD/SVCD   | No     | -        | -
Video-DVD  | No     | -        | -
MP3        | No     | Yes      | No *
MPEG1      | No     | ?        | ?
MPEG2      | No     | ?        | ?
DIVX       | No     | Yes      | No *
Webradio   | -      | -        | Yes
Picture    | ?      | ?        | ?
Navigation | ?      | Yes      | Yes

The player freezes randomly during playback or file browsing (1-4 times per hour); it hangs for 2 min, and then playback continues.

Technical Aspects

So far I have observed that kissapp hangs in an ioctl to the realmagic device (/dev/realmagichwl0).

khwl.o contains functions for accessing the EEPROM, I2C bus, EM85xx, video memory, overlay, etc., and is accessed via /dev/realmagichwl0.

    0.010000 open("/dev/fip", O_RDONLY|O_NONBLOCK) = 3
    0.000000 open("/dev/realmagichwl0", O_RDONLY) = 4
....
    0.010000 ioctl(4, 0x5393, 0x1465dc0) = 0
    0.000000 ioctl(3, 0xc004f11a, 0x1465e20) = 0 
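A trace in this format (relative timestamps, as produced by strace -r) can be searched for the long gaps that mark a freeze, with each descriptor resolved back to the device it was opened on. This is an added example, not part of the original page: the function names and the 60 second threshold are arbitrary, and the sample trace is constructed (its last two lines and the 120 s gap are made up, and it does not claim which ioctl really hangs).

```shell
# Constructed sample: the first four calls are the ones shown on the page,
# the last two lines and the 120 s gap are invented for the demonstration.
sample_trace() {
cat <<'EOF'
    0.010000 open("/dev/fip", O_RDONLY|O_NONBLOCK) = 3
    0.000000 open("/dev/realmagichwl0", O_RDONLY) = 4
    0.010000 ioctl(4, 0x5393, 0x1465dc0) = 0
    0.000000 ioctl(3, 0xc004f11a, 0x1465e20) = 0
    0.010000 ioctl(4, 0x5393, 0x1465dc0) = 0
  120.350000 ioctl(3, 0xc004f11a, 0x1465e20) = 0
EOF
}

# find_stalls SECONDS < trace
# With relative timestamps each value is the time since the previous call
# started, so a large value on one line points at the call on the line before
# (or at user-space work done right after that call returned).
find_stalls() {
    awk -v limit="$1" '
    /^[ \t]*[0-9]+\.[0-9]+ / {
        if (prev != "" && $1 + 0 >= limit + 0) {
            call = prev; sub(/^[ \t]*[0-9.]+ /, "", call)
            # first argument of the previous call, used as fd if numeric
            fd = call; sub(/^[^(]*\(/, "", fd); sub(/[,)].*/, "", fd)
            dev = "-"
            if (fd ~ /^[0-9]+$/) dev = (fd in path) ? path[fd] : "fd " fd
            printf "%.1fs stall after: %s [%s]\n", $1, call, dev
        }
        prev = $0
    }
    # Update the descriptor -> path table after the check, so the report
    # about the previous call uses the mapping that was valid when it ran.
    /open\("/ && / = [0-9]+[ \t]*$/ { split($0, q, "\""); path[$NF] = q[2] }
    / close\([0-9]+\)/ { fd = $2; gsub(/[^0-9]/, "", fd); delete path[fd] }
    '
}

# Demonstration on the constructed sample
sample_trace | find_stalls 60
```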

The Solution

Still unknown...

Download

Here you will find firmware ISO images for testing purposes. Flash your player with one of them and report the test result either in the discussion tab of this page or in The Freeze Fix thread at the Stage2 forum.

Firmware ISO images

Player | Comment | Purpose | Download
DP508 | based on original 2.9.3, without the network driver | check if playback from hard disk freezes | dp508_tffp_wo_net.zip
DP50x | based on original 2.9.3, with stage2 1.0 merged | just for fun | dp50x_tffp_stage2.zip
DP508 | based on original 2.9.3 and stage2 extensions, with tracing of fileplayer and mpegplayer | log the freeze at syscall level | work in progress

Links