The document discusses using a JTAG interface to reprogram receivers when the firmware is corrupted or a firmware update fails. It explains that receivers use a bootloader program to run the firmware from flash memory. If the bootloader is still intact but the firmware is corrupted, the receiver can still be reprogrammed via JTAG. If the bootloader is also corrupted, reprogramming may still be possible if the manufacturer provides JTAG software and the pinout layout. The document provides steps for using jKeys software to reprogram an STi-based receiver via JTAG, including downloading the flash memory contents as a backup, deleting the flash, and programming new firmware.
FEATURE Receiver Firmware
This exclusive technical information was prepared by an engineer
JTAG-Interface
■ Standard JTAG interface for a parallel port. It can be ordered from many electronics shops.
TELE-satellite Magazine
www.TELE-satellite.info/11/11/jtag
• Reprogram a Defective Receiver
• All Necessary Information can be Found on the Internet
• Can Also be Used On Other Boxes With Flash Chips
• Allows for Better Understanding of Receiver Functions
TELE-satellite — Global Digital TV Magazine — 10-11/2011 — www.TELE-satellite.com
The Solution for a Faulty Firmware Update
Vitor Martins Augusto
For those of you who update satellite receiver software on a more regular basis, you will almost certainly recognize these two aggravating problems: uploading the wrong software or a version that is incompatible as well as the unexpected power failure during an update. If either of these problems shows up, the result is almost always a “dead” receiver or, as it’s also called, a “brick” - good for nothing.

But wait, there might still be one last chance to upload the software if the receiver comes with a JTAG interface. But first things first. What actually happens when you turn on a receiver? When the receiver is turned on, the processor starts a program called the “Bootloader”. The “Bootloader’s” job is to determine at the start if a firmware update should be undertaken. If that’s not the case, it copies the contents of the flash memory into RAM and starts the firmware from there. This process of copying the Flash to RAM and at the same time uncompressing it is responsible for the time delay that occurs during a receiver power up.

The “Bootloader” program can be found in the flash memory at a specific address (usually the last 64KB, starting at &H7FFFE000). If no program can be found at this address or the wrong one happens to be there, the processor won’t be able to start the receiver and it instantly turns into a brick. Nothing works anymore.

There are two different situations here: if the “Bootloader” is still intact but the firmware itself is missing or corrupt, it won’t be able to start the receiver; however, since the “Bootloader” is also responsible for firmware updates, the user can still upload the correct firmware through the “Bootloader”. But it’s much worse if the “Bootloader” itself is missing. You won’t be able to do anything at all. Many manufacturers offer updated firmware that doesn’t involve replacing the “Bootloader” in order to prevent problems like this. If the “Bootloader” is defective, the receiver can no longer be started. On the whole, it would probably be better to include a new installation of the “Bootloader” program with every new firmware update.

If the receiver displays “8888” or nothing at all, then the firmware update has failed. If the receiver can no longer perform an update via the serial interface, then it’s safe to say that the “Bootloader” has been deleted and nothing will work anymore.

Experienced users enjoy the idea of uploading the firmware from another receiver, for example, because the hardware is identical. Many budget receivers are based on the same hardware; the manufacturer simply matches the firmware to the receiver. It could therefore be quite interesting to try out the firmware from another manufacturer. In this case though you almost always have to update the “Bootloader” software. It’s easy to mistakenly upload the wrong firmware and at the same time the wrong “Bootloader”.

If the receiver can no longer start up because of the lack of the correct firmware and “Bootloader”, then there are only two ways to repair the receiver. Either you unsolder the Flash chips, reprogram them externally and then resolder them in place, with all of this requiring professional equipment to remove, reprogram and reinstall the chips, or, with a little bit of luck, you’ll find a JTAG interface on the main circuit board. The JTAG interface provides an indirect way to access the Flash chips via the processor. When the box is turned on, the processor is placed into a specific mode so that you can read, delete and reprogram the Flash chips.

For this to work you’d need a JTAG interface along with the corresponding software. Fortunately, it’s fairly easy to fabricate a JTAG interface so that it can be inexpensively purchased in many electronics shops. If you can’t find a JTAG interface in your local store, you can build one yourself. All you need is a few resistors and a standard 74HC244N building block. You’ll find schematic diagrams on the Internet for every capable receiver that can be programmed via JTAG.

The JTAG protocol consists of six lines:
• TRST
• TDO
• TDI
• TCK
• TMS
• GND

Quite often manufacturers use a standard plug with 20 pins. If this isn’t the case, it becomes necessary to determine the correct pin layout. Normally, the correct JTAG pin layout for specific receivers can be found by performing a Google search when you’re not dealing with a standard 20-pin connector.

The JTAG interface is connected to your PC via the parallel port. But first you have to check and see if such a PC still exists in your house. Your best bet would be to use an older laptop with Windows XP. A laptop like this would also be perfect to use for uploading new receiver firmware via the serial interface and should therefore be an integral part of your toolkit. Windows Vista and Windows 7, especially the 64-bit versions, often have problems with the tools for firmware uploads.

Many receivers are based on processors manufactured by STi. This is the case with most budget receivers. And just for this family of processors there’s an excellent freeware program: jKeys. This tool functions perfectly with the JTAG interface on the parallel port and through a current database automatically recognizes most of the STi processors in common receivers. Most of the time, however, jKeys cannot recognize the receiver’s Flash chip. There are far too many different Flash chips out there and every manufacturer uses their own set of chips; you’d have to be able to read the name of the manufacturer and the model of the chip and then find the corresponding datasheet on the Internet.

For our example we’ll use a standard receiver. The built-in Flash chip is the model MX 29LV160CTTC. A search on Google yields numerous websites that provide the necessary datasheet. Why is it so easy to find this? It has to do with electronics wholesalers that provide datasheets for every component so that prospective buyers can choose the correct component for their needs. That’s just perfect for us!

■ The inside of a standard receiver. The arrow points to the JTAG connector while the circle highlights a white triangle that indicates pin #1 on the JTAG connector. The JTAG interface is plugged in such that the red line on the cable is on the same side as the triangle.

1. The rear panel of an older laptop: parallel ports and serial interfaces were standard back then and are needed for the JTAG interface. Don’t throw away or give away those old laptops! They can serve as excellent repair tools!
2. Our workstation for our JTAG firmware work.
3. If the receiver only displays “8888” or nothing at all, then the firmware upload has failed. If the receiver doesn’t talk anymore regarding a firmware update through the serial port, it’s safe to say that the “Bootloader” was also deleted.
4. A look inside our defective sample receiver: here you can see the STi chip to the lower left (an STi 5518BVC) as well as the MX 29LV160CTTC-70G Flash chip and the JTAG connector. These components are always located close to each other since the connections between them have to be kept short because of the high frequencies being used.

Update via jKeys
From these datasheets we can get all the relevant information regarding the makeup of the chip. We are interested in the following information:
- Size of the chip, in this case 2MB
- Construction of the memory banks
- If any write-protection needs to be bypassed before deleting and writing on the chip

This information is entered into the jKeys Definitions Data. In jKeys Definitions we search for the group with these Flash definitions and enter the data structure of the Flash chip. Now we can actually start jKeys. As a precaution, you should download the contents of the Flash memory. It’s a task that would only make sense with a functioning receiver. We’ll hold on to this image dump just in case a future firmware upgrade isn’t completed successfully.

If that does happen though, you can then reload your backup image. For this purpose we need the jKeys Flash menu, which requires a receiver reset. Perform these steps in order: turn the receiver off, turn it back on and at the same time press the jKeys OK button. If everything is OK, the programming menu will be displayed.
Let’s assume that nothing works anymore. The first step is to delete the entire Flash. This process sets all the bits in the Flash memory to “1”. The programming function can only set a bit from “1” to “0”, not the other way around. This would explain why an interrupted firmware update always leads to a defective receiver: the “Bootloader” is located in the last 64KB and is deleted before the Flash process! Lastly, you select the desired firmware data and program the Flash chip. Many STi based receivers link the Flash chip to an address range of &H7FE00000 to &H7FFFFFFF; this corresponds to precisely 2MB. Once the programming process has been completed, you simply turn the receiver off, remove the JTAG interface and then turn the receiver back on. The newly uploaded software should then automatically start.

1. jKeys has in this case recognized the receiver with its Flash chip since the corresponding definitions are already in the database.
2. Reading the entire Flash chip (address &H7FE00000 to &H7FFFFFFFF). It’s always a good idea to make a backup of the firmware with new receivers.
3. To activate the deleting and programming mode of the Flash chip, the receiver must briefly be turned off and then back on.
4. If the deleting and programming mode of the Flash chip has been successfully activated, this menu will appear.
5. Security question before starting the Flash chip writing process.

To make sure that the receiver was correctly programmed and won’t crash because of some faulty configuration, it is recommended that the original firmware be loaded via the serial interface. The process described here works with nearly every STi processor based receiver.

But what do you do if you have a receiver that doesn’t come with an STi processor? It still pays to look into it further: many manufacturers use a JTAG interface on the main circuit board and offer either officially or unofficially JTAG software for their receiver. A quick search via Google will reveal the necessary pin layout for the JTAG interface as well as the corresponding programming software. This will allow you to program various Linux receiver models through JTAG.

Another problem is that many users don’t have a backup of the firmware that they can use to reload onto a receiver via JTAG. Even here there are possibilities:

1) You can extract the firmware from a second functional receiver.
2) You can search the Internet to see if someone else has exactly the firmware that you need.
3) You can extract the firmware from a manufacturer’s firmware update.

With the last option you should note that a firmware update often includes a so-called “header”, in other words, a specific number of bytes that describe the firmware and are not programmed onto the Flash chip. In a case like this, you would need to open the firmware in a Hex editor and delete the extra bytes that don’t belong to the firmware. This actually sounds harder to do than it really is.

First of all, the firmware must be exactly the same size as the capacity of the Flash chip. If it’s 2MB (2048 KB) in size, then the firmware must be exactly the same size. Therefore, you simply cut out the corresponding bytes right at the start. Sometimes only the “Bootloader” is made available. This would have to be loaded at the end of the Flash chip’s memory space, typically at &HFFFE000. This involves the last 64KB and the data containing the “Bootloader” must have exactly this size. If you’re only loading the “Bootloader” program, the receiver still won’t work, but at least you’ll be able to upload the firmware through normal channels.

Modern, more sophisticated receivers quite often don’t come with a JTAG connector. In order to handle any firmware upgrades, a slightly different concept is used: the receiver operates using two “Bootloaders”. The “First Stage Bootloader” checks to see if any firmware needs to be uploaded. If that’s not the case, a “Second Stage Bootloader” is run that then starts up the existing firmware. The advantage to this method is that the “First Stage Bootloader” is never overwritten; this would allow the user to reload the firmware in any situation.

Manufacturers of proprietary receivers for PayTV providers do things quite differently. Here there’s not only no JTAG connector (it’s been omitted on purpose), there are also no circuit board tracks available from the processor on the main board where a user could attach a JTAG connector. On top of that, the Flash chip is made inaccessible by a special type of glue. All of this is designed to prevent a hacker from gaining access to the contents of the Flash chip which would contain critical encryption data.

If you tried working with JTAG just once before, it won’t seem so difficult the next time. The big advantage is that once you know how to do it, you can easily return a receiver to its original condition through JTAG should something ever go wrong.

Smaller specialized digital TV companies would certainly be able to bring many receivers back to life since there are many end users out there that will manage to make a mistake uploading firmware. Digital receivers aren’t the only devices that utilize the JTAG protocol; in fact, you’ll find it in almost any device that uses a processor and a flash chip. This would make it possible to save even Smartphones and other devices after a failed firmware update.

But let’s not forget that safety is paramount! Be careful when working inside an exposed receiver! Keep in mind that receivers come with an integrated 220V power supply (110V in some parts of the world)! Take every safety precaution! One false move could place the JTAG interface in contact with a power supply component; this could lead to serious damage to the receiver and potential electric shock to the user. Make sure the JTAG interface is securely in place before turning the receiver on.
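The erase-then-program behaviour described in the article (erase sets every bit to “1”, programming can only clear bits) can be modelled in a few lines. This is an added example, not jKeys code or anything from the magazine: it shows why a power cut after a full-chip erase loses the “Bootloader”, and why an update that leaves the boot block alone stays recoverable. The sizes are scaled down and all names are assumptions.

```python
# Added example: toy NOR flash model, scaled down (2048 bytes stand in for the
# 2 MB chip, 64 bytes for the 64 KB boot block). Names and sizes are assumptions.
SIZE, BOOT = 2048, 64

class NorFlash:
    def __init__(self, image: bytes):
        assert len(image) == SIZE
        self.mem = bytearray(image)

    def erase(self, start: int, end: int) -> None:
        """Erasing sets every bit in the range to 1, so bytes read 0xFF."""
        self.mem[start:end] = b"\xff" * (end - start)

    def program(self, offset: int, data: bytes) -> None:
        """Programming can only clear bits: cell = cell AND data."""
        for i, byte in enumerate(data):
            self.mem[offset + i] &= byte

    def boot_block(self) -> bytes:
        return bytes(self.mem[SIZE - BOOT:])

def make_image(fill: int) -> bytes:
    """Constructed sample image: firmware filler plus a marker boot block."""
    return bytes([fill]) * (SIZE - BOOT) + b"BOOT" * (BOOT // 4)

def update(flash, new_image, keep_boot, power_fails_after=None):
    """Erase, then program front to back; optionally stop early (power cut)."""
    end = SIZE - BOOT if keep_boot else SIZE
    flash.erase(0, end)
    data = new_image[:end]
    if power_fails_after is not None:
        data = data[:power_fails_after]
    flash.program(0, data)

def bootloader_survives(keep_boot: bool) -> bool:
    """Interrupt an update after 100 bytes and check the boot block."""
    old, new = make_image(0x11), make_image(0x22)
    flash = NorFlash(old)
    update(flash, new, keep_boot, power_fails_after=100)
    return flash.boot_block() == old[SIZE - BOOT:]

def program_without_erase() -> int:
    """Writing 0x22 over 0x11 without erasing gives 0x11 & 0x22 = 0x00."""
    flash = NorFlash(make_image(0x11))
    flash.program(0, b"\x22")
    return flash.mem[0]

if __name__ == "__main__":
    print("full erase, power cut  ->", bootloader_survives(keep_boot=False))
    print("boot block kept        ->", bootloader_survives(keep_boot=True))
    print("program without erase  ->", hex(program_without_erase()))
```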
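The header removal and “Bootloader”-only cases described in the article can be scripted instead of done by hand in a Hex editor. The following is an added example, not part of the original article or of jKeys. It assumes the 2MB chip and the 64KB boot block from the text, that the header is exactly the surplus at the start of the update file, and that padding a “Bootloader”-only image with erased bytes (0xFF) is acceptable to the programming tool; the function names are hypothetical.

```python
# Added example: preparing raw images for a 2 MB flash (not jKeys code).
import hashlib

FLASH_SIZE = 2 * 1024 * 1024   # chip capacity from the article's example
BOOT_SIZE = 64 * 1024          # the bootloader occupies the last 64 KB
ERASED = b"\xff"               # an erased flash byte has all bits set

def strip_header(update: bytes) -> bytes:
    """Cut the header off the start so the image matches the chip capacity."""
    extra = len(update) - FLASH_SIZE
    if extra < 0:
        raise ValueError(f"update is {-extra} bytes smaller than the flash")
    return update[extra:]

def bootloader_only_image(boot: bytes) -> bytes:
    """Put a 64 KB bootloader at the end of an otherwise erased image."""
    if len(boot) != BOOT_SIZE:
        raise ValueError("bootloader must be exactly 64 KB")
    return ERASED * (FLASH_SIZE - BOOT_SIZE) + boot

def preflight(image: bytes) -> list:
    """Return the reasons not to write this image (empty list means OK)."""
    problems = []
    if len(image) != FLASH_SIZE:
        problems.append(f"size {len(image)} != flash capacity {FLASH_SIZE}")
    boot = image[-BOOT_SIZE:]
    if boot.count(0xFF) == len(boot):
        problems.append("boot block is blank (all 0xFF)")
    return problems

def fingerprint(image: bytes) -> str:
    """SHA-256 of an image, for comparing a backup with a second read."""
    return hashlib.sha256(image).hexdigest()

if __name__ == "__main__":
    # Constructed sample: 128-byte header, filler firmware, marker boot block.
    body = b"\x5a" * (FLASH_SIZE - BOOT_SIZE) + b"BOOT" * (BOOT_SIZE // 4)
    image = strip_header(b"HDR!" * 32 + body)
    print(preflight(image), fingerprint(image)[:16])
    print(preflight(ERASED * FLASH_SIZE))
```

Reading the chip twice over JTAG and comparing the two fingerprints before erasing anything confirms that the backup is stable.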