Hi,
Here is a patch, that provides support for the MSTAR ISP protocol.
Basically, among other chips, MSTAR manufactures SoCs that equip TV sets and computer screens, and it seems that all of their products use the same in-system programming protocol. Basically, they use the DDC channel of VGA or DVI connectors, which is actually an I2C bus, to encapsulate SPI frames (the flash chip is connected to the SoC through an SPI bus).
I wrote this patch since the screen I bought had a software bug, and the manufacturer only released a new firmware binary, but no tool or instructions on flashing it.
More details can be found here: http://boeglin.org/blog/index.php?entry=Flashing-a-BenQ-Z-series-for-free(do...)
I only read code from Linux kernel archives published by Acer to figure out the protocol (for a touchscreen controller and a NFC chip, both by MSTAR, that shared the same ISP protocol), so I don't think there are any legal problems with it.
Please let me know what you think about this patch, and whether you're interested in including it.
Best regards, Alex
On Sun, 4 May 2014 18:20:04 +0200 Alexandre Boeglin alex@boeglin.org wrote:
Hi,
Here is a patch, that provides support for the MSTAR ISP protocol.
Basically, among other chips, MSTAR manufactures SoCs that equip TV sets and computer screens, and it seems that all of their products use the same in-system programming protocol. Basically, they use the DDC channel of VGA or DVI connectors, which is actually an I2C bus, to encapsulate SPI frames (the flash chip is connected to the SoC through an SPI bus).
I wrote this patch since the screen I bought had a software bug, and the manufacturer only released a new firmware binary, but no tool or instructions on flashing it.
More details can be found here: http://boeglin.org/blog/index.php?entry=Flashing-a-BenQ-Z-series-for-free(do...)
I only read code from Linux kernel archives published by Acer to figure out the protocol (for a touchscreen controller and a NFC chip, both by MSTAR, that shared the same ISP protocol), so I don't think there are any legal problems with it.
Please let me know what you think about this patch, and whether you're interested in including it.
Hello Alexandre,
that's a hilarious story, thanks for sharing! I just skimmed through your blog post but it really looks like an awesome RE experience, and the whole tunnel flash access is just insane :) I would really love to include this just because of that... I am not so sure if it would be useful to many... OTOH one of our community members immediately popped up his screen after reading your story... and found a MSTAR chip and a flash and already got it to probe successfully, so... :)
I did not carefully review the patch yet, just a few remarks: - We need a proper sign-off from you to include the patch, see http://www.coreboot.org/Development_Guidelines#Sign-off_Procedure - I'd like to have at least a dedicated paragraph in the manpage that gives some background information, and some explanation regarding the dev syntax of course. - The coding style does not completely follow ours, e.g. the braces after ifs should be on the same line. - The progress print needs to go, I think. It has been decided long ago that we either do this right(tm) or not at all. flashrom should never go into infinite loops and it should also not be interrupted, hence a progress bar is only a placebo, he just have to be patient.
Hello,
Le lundi 05 mai 2014 à 01:10, Stefan Tauner a écrit:
I did not carefully review the patch yet, just a few remarks:
- We need a proper sign-off from you to include the patch, see http://www.coreboot.org/Development_Guidelines#Sign-off_Procedure
- I'd like to have at least a dedicated paragraph in the manpage that gives some background information, and some explanation regarding the dev syntax of course.
- The coding style does not completely follow ours, e.g. the braces after ifs should be on the same line.
- The progress print needs to go, I think. It has been decided long ago that we either do this right(tm) or not at all. flashrom should never go into infinite loops and it should also not be interrupted, hence a progress bar is only a placebo, he just have to be patient.
Here's a new version of the patch. I addressed your comments and added a "noreset" option, aiming to prevent the display SoC from trying to read a corrupted firmware. I also added background information to the manpage, and fixed a leak (I previously forgot to free the buffer I malloced).
Best regards, Alex
Le jeudi 08 mai 2014 à 13:54, Alexandre Boeglin a écrit:
Here's a new version of the patch.
Ah, sorry, I forgot the "Signed-off by" statement.
Here it is again…
Signed-off-by: Alexandre Boeglin alex@boeglin.org
Le jeudi 08 mai 2014 à 14:01, Alexandre Boeglin a écrit:
Signed-off-by: Alexandre Boeglin alex@boeglin.org
Here's a new revision, removing the useless err variables, as discussed on IRC.
Alex
On Thu, 8 May 2014 18:28:29 +0200 Alexandre Boeglin alex@boeglin.org wrote:
Le jeudi 08 mai 2014 à 14:01, Alexandre Boeglin a écrit:
Signed-off-by: Alexandre Boeglin alex@boeglin.org
Here's a new revision, removing the useless err variables, as discussed on IRC.
Hey Alexandre,
I have committed a slightly refined version of this patch in r1860. Additionally to your changes and some rebasing fixes I have added a compile-time check for the Linux i2c headers to the Makefile. And I have disabled the compilation of the MSTAR programmer for the time being due to the open questions and some code quality issues. Anybody who dares can easily compile it with "make CONFIG_MSTARDDC_SPI=yes" on Linux.
Thanks again for your patch and background story!
2014-05-04 18:20 GMT+02:00 Alexandre Boeglin alex@boeglin.org:
Hi,
Here is a patch, that provides support for the MSTAR ISP protocol.
Basically, among other chips, MSTAR manufactures SoCs that equip TV sets and computer screens, and it seems that all of their products use the same in-system programming protocol. Basically, they use the DDC channel of VGA or DVI connectors, which is actually an I2C bus, to encapsulate SPI frames (the flash chip is connected to the SoC through an SPI bus).
I wrote this patch since the screen I bought had a software bug, and the manufacturer only released a new firmware binary, but no tool or instructions on flashing it.
More details can be found here: http://boeglin.org/blog/index.php?entry=Flashing-a-BenQ-Z-series-for-free(do...)
There seems to be a silicon (=SoC) bug as well.
One can recover by rotating the original image (YOU DO HAVE BACKUPS, RIGHT :) ) _back_wards - the example assumes the read file is 128 kilobyte large: tail -c 1 orig_read.bin > realimage.bin; head -c 131071 orig_read.bin
realimage.bin; flashrom -p mstar -w realimage.bin --noverify
HTH,
Idwer
-
Alexandre Boeglin -
Idwer Vollering -
Stefan Tauner