Philips BDP3200-79 "teardown" Part 0
About the thing
I was able to pick up the Philips BDP3200 for $40. It's a "fully featured" standalone DVD/BD player with USB, Ethernet and optional WiFi, plays lots of video formats and has digital restrictions management to stop you watching some of those video formats.
I got bored
There are only so many movies one person can watch, so I went looking for manuals and firmware. When I first looked at the firmware downloads on philips.com in March 2013, I was dropped into a directory with lots of different firmware and an open source zip.
This has since been "fixed", and the correct thing to do is to email open.source at philips.com with your request. I sent an email to get the latest code and got the following (really excellent) response.
Dear Mr. Baxter,

Thanks for your request for source code. The source code for the software of the open source packages involved is available from https://some-official-looking-fileserver. This directory will automatically be removed after 7 days. Legal disclaimer: all downloads are being logged.

Our primary method of making source code available is as a download because it is faster and greener. If you prefer to receive a CD (as you are entitled to under some of the licenses involved), please let me know (and if so please provide an address), and we will gladly send you a CD (free of charge).

With respect to the content of the source code package, it is limited to the software which is released under an open source license. It will allow you to inspect the source code, scripts, and, if applicable, any amendments, but it is not accompanied by compilation tooling. Please do not expect to be able to regenerate and download the full firmware image using this source code. Due to a number of reasons, Philips is not releasing all data and code necessary to fully regenerate the firmware (and the open source licenses involved do not require us to do so).

Please do not hesitate to contact me at email@example.com directly in case of any remaining questions related to Open Source code licensing aspects. For Customer Care questions please contact Customer Care; contact details can be found on http://www.philips.com/support.

Kind regards / Met vriendelijke groet,
[name]
Assistant OSS Compliance Officer
Philips Intellectual Property & Standards
P.O. Box 220, 5600 AE Eindhoven, The Netherlands
http://www.ip.philips.com
Aside from the amusing legal note, this is pretty much the best response you could expect from any company.
The file they gave me was BDP3200.zip, and I've put a file listing online - note the 2010 modified dates probably meant that I didn't need to check for updated source... (this player was a 2012 model).
The player is based on a modified 2.6.27 kernel and some proprietary modules.
I've put the kernel source up on a Gitorious repo, but I'm still trying to work out the best way to structure the rest of the files (uBoot, DirectFB etc.)
Anyway, comparisons of the source from different models of player (say my 3200-79 vs the more expensive 3200x-77) suggest there's a few ./configure options between the high end and the low end - that's all.
I knew from looking at Android phones that you could do video decoding on one chip. Some strings in BDP_Linux/build_uboot_2009_08_test.sh suggest that it's all running from a MediaTek MT8530 chipset. There's no matching -mediatek toolchain that I could find freely and I haven't gotten around to trying a generic ARM one yet.
Into the firmware.
Binwalk is like the *nix 'file' command on steroids. It'll search through a binary blob looking for compressed data and filesystems that it recognises.
I used a set of utilities that includes binwalk called firmware-mod-kit. It simplifies things and automates some/all of the unpacking, and all of the repacking of firmware. It was originally designed for modifying router firmware, but it works pretty well in this case, too.
Scan Time:     2013-05-28 16:08:30
Signatures:    193
Target File:   Philips/BDP3200-79/Firmware/Original/bdp3200_79_fus_eng/UPG_ALL/BDP_3200_A.BIN
MD5 Checksum:  31ed90ba06f78502eaba325716c87ceb

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------
68170       0x10A4A     Mediatek bootloader
95162       0x173BA     Mediatek bootloader
335416      0x51E38     LZMA compressed data, properties: 0x02, dictionary size: 16777216 bytes, uncompressed size: 16804096 bytes
392451      0x5FD03     LZMA compressed data, properties: 0x0B, dictionary size: 33554432 bytes, uncompressed size: 1376252 bytes
392471      0x5FD17     LZMA compressed data, properties: 0x0B, dictionary size: 33554432 bytes, uncompressed size: 1114108 bytes
418903      0x66457     LZMA compressed data, properties: 0x02, dictionary size: 1048576 bytes, uncompressed size: 1073741824 bytes
418927      0x6646F     LZMA compressed data, properties: 0x02, dictionary size: 1048576 bytes, uncompressed size: 1073741824 bytes
418999      0x664B7     LZMA compressed data, properties: 0x02, dictionary size: 2097152 bytes, uncompressed size: 1073741824 bytes
419023      0x664CF     LZMA compressed data, properties: 0x02, dictionary size: 2097152 bytes, uncompressed size: 1073741824 bytes
419095      0x66517     LZMA compressed data, properties: 0x02, dictionary size: 4194304 bytes, uncompressed size: 1073741824 bytes
419119      0x6652F     LZMA compressed data, properties: 0x02, dictionary size: 4194304 bytes, uncompressed size: 1073741824 bytes
419191      0x66577     LZMA compressed data, properties: 0x02, dictionary size: 8388608 bytes, uncompressed size: 1073741824 bytes
419215      0x6658F     LZMA compressed data, properties: 0x02, dictionary size: 8388608 bytes, uncompressed size: 1073741824 bytes
419239      0x665A7     LZMA compressed data, properties: 0x02, dictionary size: 8388608 bytes, uncompressed size: 1073741824 bytes
419359      0x6661F     LZMA compressed data, properties: 0x02, dictionary size: 16777216 bytes, uncompressed size: 1073741824 bytes
425418      0x67DCA     uImage header, header size: 64 bytes, header CRC: 0x8F988CA7, created: Wed May 16 18:15:28 2012, image size: 1543428 bytes, Data Address: 0xDA00000, Entry Point: 0xDA00000, data CRC: 0xB1F141A6, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: ""
442274      0x6BFA2     gzip compressed data, from Unix, last modified: Sat Apr 28 18:54:12 2012, max compression
1968922     0x1E0B1A    gzip compressed data, was "initrd.img", from Unix, last modified: Wed May 16 18:16:01 2012
3335770     0x32E65A    Squashfs filesystem, little endian, version 3.1, size: 24642859 bytes, 143 inodes, blocksize: 131072 bytes, created: Wed May 16 18:16:06 2012
48322138    0x2E1565A   PNG image, 1920 x 1080, 8-bit/color RGBA, non-interlaced
That's almost too easy. Ignoring the chunk of LZMA, as it might be a false positive, the listing is pretty much as straightforward as it gets.
There's the uBoot image, the initrd, a squashfs filesystem that's most likely mounted as / and even a HD PNG that I'm going to guess is used as the splash screen (see, not everyone upscales from 720p!)
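A signature hit on its own can be a false positive, but the uImage line in the listing carries a header CRC and a data CRC that let you confirm it. The following is an added example, not code from the original post or from binwalk: it parses the legacy 64-byte U-Boot uImage header and keeps only hits whose header CRC checks out. The function names and the sample blob are constructed for illustration; only the 0xDA00000 addresses and the OS/CPU/type values mirror the listing above.

```python
import struct
import zlib

MAGIC = b"\x27\x05\x19\x56"            # legacy uImage magic, big-endian
HDR = struct.Struct(">7I4B32s")        # 64-byte header, matches "header size: 64 bytes"

def crc(data):
    return zlib.crc32(data) & 0xFFFFFFFF

def parse_uimage(blob, off):
    """Return header fields if a valid uImage header starts at off, else None."""
    raw = blob[off:off + HDR.size]
    if len(raw) < HDR.size or raw[:4] != MAGIC:
        return None
    _, hcrc, created, size, load, entry, dcrc, os_id, arch, kind, comp, name = HDR.unpack(raw)
    # The header CRC is computed with its own field (bytes 4..8) zeroed.
    if crc(raw[:4] + b"\0" * 4 + raw[8:]) != hcrc:
        return None                    # magic matched by chance: signature false positive
    data = blob[off + HDR.size:off + HDR.size + size]
    return {"offset": off, "size": size, "load": load, "entry": entry,
            "os": os_id, "arch": arch, "type": kind, "comp": comp,
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "data_ok": len(data) == size and crc(data) == dcrc}

def scan(blob):
    """Find every offset where the magic occurs and keep only CRC-valid headers."""
    hits, pos = [], blob.find(MAGIC)
    while pos != -1:
        hdr = parse_uimage(blob, pos)
        if hdr:
            hits.append(hdr)
        pos = blob.find(MAGIC, pos + 1)
    return hits

def build_sample():
    """Constructed test blob: a stray magic in padding, then one real image."""
    payload = b"constructed kernel payload " * 8
    fields = [0x27051956, 0, 1337192128, len(payload), 0x0DA00000, 0x0DA00000,
              crc(payload), 5, 2, 2, 0, b""]   # OS Linux, CPU ARM, kernel, no compression
    fields[1] = crc(HDR.pack(*fields))  # hcrc computed over the header with hcrc = 0
    return b"\xff" * 16 + MAGIC + b"\xff" * 108 + HDR.pack(*fields) + payload

if __name__ == "__main__":
    for hit in scan(build_sample()):
        print(hit)
```

A hit with data_ok set to False means the header is genuine but the payload after it is truncated or altered, which is worth knowing before trusting an extracted or repacked kernel.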
There are two other segments of firmware - if anyone knows how to extract YAFFS, please get in touch.
From the listing above, extracting the squashfs gave a reasonably standard file system, the interesting bits including:
./usr/share/rhapsody:
total 8
-rwxr-xr-x 0 voltagex voltagex 1184 Apr 28  2012 Mediatek.cert.pem
-rwxr-xr-x 0 voltagex voltagex  887 Apr 28  2012 Mediatek.key.pem

./usr/opera:
total 0
drwxr-xr-x 0 voltagex voltagex 0 May 28 22:13 fonts
drwxr-xr-x 0 voltagex voltagex 0 May 28 22:13 lib
drwxr-xr-x 0 voltagex voltagex 0 May 28 22:13 opera_dir
drwxr-xr-x 0 voltagex voltagex 0 May 28 22:13 opera_home
That certainly wasn't advertised on the box!
./usr/share/netflix/swf:
total 624
-rwxr-xr-x 0 voltagex voltagex 267839 Apr 28  2012 application.swf
-rwxr-xr-x 0 voltagex voltagex   1875 Apr 28  2012 device.xml
-rwxr-xr-x 0 voltagex voltagex    796 Apr 28  2012 keymap.xml
-rwxr-xr-x 0 voltagex voltagex 126826 Apr 28  2012 loader.swf
-rwxr-xr-x 0 voltagex voltagex 229437 Apr 28  2012 registration.swf
Neither was that.
At this point I wanted to get into the device while it was running. I sunk many many hours into this goal, and probably wore out the NAND on the device a fair bit.
I managed to create modified versions of the firmware, including a "trojaned" version that started telnetd as part of the init-script.
I had hoped this would give me a console to play with on the device. Instead, I'm guessing that a binary called 'bdpprog' runs most of the system, or at least takes precedence over my silly attempts to launch utelnetd.

rootfs/$ strings ./usr/local/bin/bdpprog | grep telnet
/usr/sbin/telnetd &
telnetd invoked ok
telnetd invoked failed
invoke_telnetd
One of these days I'm going to have to learn ARM assembly.
A hardware solution to a software problem
You can click the images for a closer look. If you look carefully at the main board you can see a line of four pins, which is a candidate for a serial console (and the service manual seemed to agree). There's a fair amount of empty space in the case and I'm impressed at what you can do with a system-on-chip, a video converter and a standard-ish Blu-Ray drive.
The first step was to probe for voltages around 3.3V and then attach some wires.
With help from a friend and a soldering iron, we then started to hit problems. I'm not sure if my soldering iron isn't hot enough or we need to try a different approach, but it's almost impossible to remove the existing solder from the board (even with wick or a 'solder sucker').
So unfortunately that's where I'm stuck for now. I'm going to continue to analyse the existing firmware and the source provided, and maybe have another go at soldering to the serial console.