LaCinema MiniHD Firmware Recovery

  1. Send it back!
  2. firmware is not "okok"
  3. The RS232-console
  4. Forcing a firmwareupdate from the RS232-console-shell
  5. Getting into YAMON
  6. Flagging the firmware not "okok"
  7. boot linux from YAMON
  8. sources and acknowledgments

So - you bricked your LaCinema MiniHD? The device gets stuck on the splash screen? No change even after plugging the usb-media and reboot?

Send it back!

The first thing you should think of, is to send this little black beauty back on warranty. You are a valued customer. Noone expects you to know details about firmware updates, how to open the device or in which memory-section of the nand-flash the linux-kernel is at home. All techno babble to you? So send the LaCinema MiniHD back on warranty!

By opening up your device, you will void your warranty. Although you could make things even worse, if you read on and try out things blindly or not in the proper order. Therefore I'm not responsible what happens when you do this. All the following information is presented to the best of my knowleage. I'm not so ever affiliated with LaCie or Sigma in another way as to be a customer of their product. So don't expect deep internal knowleage or help with them.

firmware is not "okok"

In some cases, the firmware gets stuck and knows about it. So you may try a firmware recovery update out of the box. Therefore you need:

  1. Format your flash-drive with the FAT-filesystem. ntfs,ex2,ext3 and even hfs will work, too. But FAT is the first, the LaCinema MiniHD tries. Also prefer superfloppy-format (no partitions on the flash-drive) over (multiple) partitions.
  2. Unpack (unzip) the official firmware update archiv.
  3. copy the files mini_hd.bin and mini_hd.ver from that archiv to the root-directory of the new formated flash-drive.
  4. turn of the LaCinema MiniHD and plug out every usb-device.
  5. plug in the prepared usb-flash-drive into the front usb-port of the LaCinema MiniHD.
  6. turn the LaCinema MiniHD on.
The device should now show the splash screen. Sometimes it will continue with the firmware-upgrade screen, but this is not necessary. Give it 3-5 minutes. In most of the cases the Lacinema MiniHD reboots by itself and will be useable again. If not, I take pity on you, because the following needs more than the usual hacker skills.

The RS232-console

Now it gets technical and really dirty. Please keep calm and work careful. We need shell-access to the device. If your box doesn't respond to telnet, you will have to do the RS232-console. Therefore you need:

  1. disconnect the unit completely
  2. remove the cover of the Lacinema MiniHD.
  3. There are four screws at set side of the metal casing. Open them and remove the shield plate. There goes your warranty.
  4. Identify JP1 on the right side, just below the ir-receiver
  5. Connect the RS232-TTL converter cables to JP1 connector. Cross RX and TX. You need one GND wire. I crossed RTS and CTS on side of the converter, too.
  6. Connect the other side (USB or SUB-D9 connector) of the RS232-TTL-converter to your computer.

    USB is hotplug, RS232/Serial is not! So you may break your computer if it is turned on, when you connect something to the serial port.

  7. Start your terminal program. Identify the port you connected the RS232-TTL-converter into: /dev/ttyS0 or COM1: for SUB-D9, /dev/ttyUSB0 or COM9: for USB
  8. Configure your terminal program: 115200 baud, 8N1, no handshake
My minicom configuration looks like this:



    +-----------------------------------------------------------------------+
    | A -    Serial Device      : /dev/ttyUSB0                              |
    | B - Lockfile Location     : /var/lock                                 |
    | C -   Callin Program      :                                           |
    | D -  Callout Program      :                                           |
    | E -    Bps/Par/Bits       : 115200 8N1                                |
    | F - Hardware Flow Control : No                                        |
    | G - Software Flow Control : No                                        |
    |                                                                       |
    |    Change which setting?                                              |
    +-----------------------------------------------------------------------+
            | Screen and keyboard      |
            | Save setup as dfl        |
            | Save setup as..          |
            | Exit                     |
            | Exit from Minicom        |
            +--------------------------+

There should be shown something in your terminal program, when LaCinema MiniHD is turned on. If not, may check the settings, the wire and your RS232-TTL-converter. And try it again. Congratulations, if you get the text eventually.

If the text stops scrolling, press enter. If there is a hash-mark (#) you got a RS232-console-shell.

Otherwise your firmware got stuck before it gives you a RS232-console-shell. So you should go for YAMON and press "0" during the next reboot of the LaCinema MiniHD

Forcing a firmwareupdate from the RS232-console-shell

If you get a console-prompt, than you are very lucky. You need the files mini_hd.bin and mini_hd.ver as described on a superfloppy formated usb-flash-drive plugged into front usb-port of the LaCinema MiniHD. Than just type into the console:

The console will now show a lot of debugging-information. Eventually something like
firmware_upgrade_bar_callback,598: updateData->update_percentage = 100
firmware_upgrade_bar_callback,598: updateData->update_percentage = 100
umount ok
firmware_upgrade_bar_callback,598: updateData->update_percentage = 100
reboot
DMA_reboot, 63,  =========== SYNC all data start =============
DMA_reboot, 67,  =========== SYNC all data done  =============
Restarting system.
Bingo! Give it 1-2 minutes. The Lacinema MiniHD reboots and will be useable again. If not, we need to get into YAMON.

Getting into YAMON

YAMON is the powerful memory monitor used on MIPS Technologies' development boards. This software is installed on the LaCinema MiniHD and is started before the linux-kernel boots. To get into YAMON you need to turn on the LaCinema MiniHD and press "0" on the RS232-console. Sometimes multiple times until the following apears:

**********************************
* YAMON ROM Monitor
* Revision 02.13-SIGMADESIGNS-24-R2.13-24
**********************************
Memory:  code: 0x86000000-0x86060000, 0x85200000-0x85204000
reserved data: 0x86200000-0x86300000, 0x86700000-0x87000000
PCI memory: 0x86300000-0x86700000



NAND FLASH Driver Version [ S I G M  1.0.6 ] on CS 0

!! No NAND hardware found on CS 1 !!


YAMON>
You are now in the backbone of your LaCinema MiniHD.

Be very careful! From YAMON it is easy to shoot oneself in the foot. You have full access to the complete ram and permanent nflash-memory. Even YAMON itself is stored here. So you may brick your LaCinema MiniHD for real, or at least find out a lot about JTAG-programing

Flagging the firmware not "okok"

At some place in the internal nand-flash of the LaCinema MiniHD there is the string "okok" that tells the firmware it is working fine. We need to change this to force an recovery update out of the box. "okok" are the last four bytes in the firmware block. On a running Lacinema MiniHD you find the firmware in /dev/sigmblockh. In YAMON I found it at 0x01ec0000 in the nflash area. You may check this by the following comands:

It will show you something like this:
A8DBFF00: 77 1A AE 52 4C 76 AF 01 FC 7B 49 03 EF 89 EE 98  w.®RLv¯..{I.....
A8DBFF10: DD 3F C1 55 4E DD 8C 6F 51 9F D3 AA 6A B9 74 26  Ý?ÁUNÝ.oQ.Óªj¹t&
A8DBFF20: 4B 6C DD 60 E3 13 AB 9B 29 6F 71 67 26 4F 0B 16  KlÝ`..«.)oqg&O..
A8DBFF30: 9B 13 30 4F 34 45 D6 D8 85 31 3E 4E 71 2C 40 51  ..0O4EÖØ.1>Nq,@Q
A8DBFF40: 1F 44 AC 92 CC 42 EC B0 0D 81 3C 6D E2 D3 01 F0  .D¬.ÌB.°..<m.Ó..
A8DBFF50: 88 01 A3 1D 02 4E 6F 76 F3 15 DD E0 86 BA CF 28  ..£..Nov..Ý..ºÏ(
A8DBFF60: 65 19 26 09 B5 65 D7 ED 34 4C F6 D9 EE 74 67 EA  e.&.µe×.4L.Ù.tg.
A8DBFF70: E9 E0 D8 2C DE 5D 06 D7 B5 4A 05 A6 14 B9 B2 52  ..Ø,Þ].×µJ.¦.¹²R
A8DBFF80: CC F6 E4 05 AF 50 3E 57 AA 0C B4 73 46 2E B5 69  Ì...¯P>Wª.´sF.µi
A8DBFF90: D1 69 76 0F 6D 55 3E A7 45 87 E9 3D 78 49 CD 28  Ñiv.mU>§E..=xIÍ(
A8DBFFA0: 0A 10 13 7B E0 93 7B E0 A7 F7 C0 CF F4 E1 57 E4  ...{..{.§.ÀÏ..W.
A8DBFFB0: B3 BC F6 A1 F8 E4 1E F8 E9 3D F0 33 BD F8 12 04  ³¼.¡.....=.3½...
A8DBFFC0: 11 EA 2A 8B BD AA 05 ED 8C 72 5E 2A 83 B4 72 30  ..*.½ª...r^*.´r0
A8DBFFD0: 1F 17 54 B0 4D 70 F6 F0 A2 A9 E5 35 A2 94 A6 F1  ..T°Mp..¢©.5¢.¦.
A8DBFFE0: EE 1E 84 2B AB AC 6E 08 1F E4 33 12 6F 07 F2 B7  ...+«¬n...3.o..·
A8DBFFF0: 86 00 F2 69 AD EA 5B F9 3B 88 4E B9 6F 6B 6F 6B  .....i­.[.;.N¹okok
The last four bytes are "okok" and we need to change that.
A8DBFF00: 77 1A AE 52 4C 76 AF 01 FC 7B 49 03 EF 89 EE 98  w.®RLv¯..{I.....
A8DBFF10: DD 3F C1 55 4E DD 8C 6F 51 9F D3 AA 6A B9 74 26  Ý?ÁUNÝ.oQ.Óªj¹t&
A8DBFF20: 4B 6C DD 60 E3 13 AB 9B 29 6F 71 67 26 4F 0B 16  KlÝ`..«.)oqg&O..
A8DBFF30: 9B 13 30 4F 34 45 D6 D8 85 31 3E 4E 71 2C 40 51  ..0O4EÖØ.1>Nq,@Q
A8DBFF40: 1F 44 AC 92 CC 42 EC B0 0D 81 3C 6D E2 D3 01 F0  .D¬.ÌB.°..<m.Ó..
A8DBFF50: 88 01 A3 1D 02 4E 6F 76 F3 15 DD E0 86 BA CF 28  ..£..Nov..Ý..ºÏ(
A8DBFF60: 65 19 26 09 B5 65 D7 ED 34 4C F6 D9 EE 74 67 EA  e.&.µe×.4L.Ù.tg.
A8DBFF70: E9 E0 D8 2C DE 5D 06 D7 B5 4A 05 A6 14 B9 B2 52  ..Ø,Þ].×µJ.¦.¹²R
A8DBFF80: CC F6 E4 05 AF 50 3E 57 AA 0C B4 73 46 2E B5 69  Ì...¯P>Wª.´sF.µi
A8DBFF90: D1 69 76 0F 6D 55 3E A7 45 87 E9 3D 78 49 CD 28  Ñiv.mU>§E..=xIÍ(
A8DBFFA0: 0A 10 13 7B E0 93 7B E0 A7 F7 C0 CF F4 E1 57 E4  ...{..{.§.ÀÏ..W.
A8DBFFB0: B3 BC F6 A1 F8 E4 1E F8 E9 3D F0 33 BD F8 12 04  ³¼.¡.....=.3½...
A8DBFFC0: 11 EA 2A 8B BD AA 05 ED 8C 72 5E 2A 83 B4 72 30  ..*.½ª...r^*.´r0
A8DBFFD0: 1F 17 54 B0 4D 70 F6 F0 A2 A9 E5 35 A2 94 A6 F1  ..T°Mp..¢©.5¢.¦.
A8DBFFE0: EE 1E 84 2B AB AC 6E 08 1F E4 33 12 6F 07 F2 B7  ...+«¬n...3.o..·
A8DBFFF0: 86 00 F2 69 AD EA 5B F9 3B 88 4E B9 00 00 00 00  .....i­.[.;.N¹....
Now we need to write this block back to the nflash. We can only write in complete 2k-blocks to the nflash, so we have to write back the stuff from 0xa8dbe000 until 0xa8dbffff At the next boot after the kernel is startet and before the firmware-filesystem is mounted, a minimal ramdisk/initrd will look for "okok" and find only 0x00000000. It will decide, to update the firmware from the first filesystem it can find. Go on with firmware is not "okok", then.

boot linux from YAMON

The command

tells us - beside other variables - about three possible boot configurations for the LaCinema MiniHD
...
(0x00)    4 z.boot0 0x00080000
(0x00)    4 z.boot1 0x000c0000
(0x00)    4 z.boot2 0x003c0000
...
The first one at 0x00080000 is YAMON_XLOAD where YAMON itself is stored on the nflash (/dev/sigmblockc from linux).
At 0x000c0000 we have the first MIPSLINUX_XLOAD (/dev/sigmblockd) where one vmlinux_xload.zbf linux kernel is stored.
At 0x003c0000 we have the second MIPSLINUX_XLOAD (/dev/sigmblocke) where the second vmlinux_xload.zbf linux kernel is stored.

We want to boot into the first linux kernel at 0x000c0000. Therefore we copy it into ram at a unsuspicious place at 0xa7000000.

Next thing is to find the offset of the vmlinux_xload.zbf kernel file in the MIPSLINUX_XLOAD rom-filesystem:
ROMFS found at 0xa7000000, Volume name = MIPSLINUX_XLOAD
a7000040 : Name = ., Type = dir, Size = 00000000, Next = 00000040
a7000060 : Name = .., Type = hard link, Size = 00000000, Next = 00000060
a7000090 : Name = vmlinux_xload.zbf, Type = file, Size = 00279c34, Next = 00000000
Voilá. It is at 0xa7000090. Please YAMON load/uncompress and decrypt the kernel for us:
  Checking zboot signature..  it's a zboot file, signature OK.
ZBOOT_ATTR_PHY_LOAD OFF
g_load_addr=0x80000000,g_base_addr=0x830000b0,count=0x00279c14
Waiting for XLOAD completion.
XLOAD done. status = 0x6 .. OK.
ZBOOT_ATTR_GZIP ON
  Decompressing to 0x84000000 ..
Output length: 0x004e7f26(5144358)
Decompressing decrypted data from 0xa70004c4 to 0x84000000 OK
Thank you very much and now start into linux, please: Now you get a the booting linux kernel.

sources and acknowledgments

Last update was on Thursday, 05-Aug-2010 by Sven Dickert