What's inside my Blu-Ray player?

Philips BDP3200-79 "teardown" Part 0

About the thing

I was able to pick up the Philips BDP3200 for $40. It's a "fully featured" standalone DVD/BD player with USB, Ethernet and optional WiFi; it plays lots of video formats and has digital restrictions management to stop you watching some of those video formats.

I got bored

There are only so many movies one person can watch, so I went looking for manuals and firmware. When I first looked at the firmware downloads on philips.com in March 2013, I was dropped into a directory with lots of different firmware and an open source zip.

This has since been "fixed", and the correct thing to do is to email open.source at philips.com with your request. I sent an email to get the latest code and got the following (really excellent) response.

Dear Mr. Baxter,
Thanks for your request for source code.
The source code for the software of the open source packages involved is available from https://some-official-looking-fileserver. This directory will automatically be removed after 7 days. 
Legal disclaimer: all downloads are being logged.

Our primary method of making source code available is as a download because it is faster and greener. If you prefer to receive a CD (as you are entitled to under some of the licenses involved), please let me know (and if so please provide an address), and we will gladly send you a CD (free of charge).
With respect to the content of the source code package, it is limited to the software which is released under an open source license. It will allow you to inspect the source code, scripts, and, if applicable, any amendments, but it is not accompanied by compilation tooling. Please do not expect to be able to regenerate and download the full firmware image using this source code. Due to a number of reasons, Philips is not releasing all data and code necessary to fully regenerate the firmware (and the open source licenses involved do not require us to do so).
Please do not hesitate to contact me at open.source@philips.com directly in case of any remaining questions related to Open Source code licensing aspects. For Customer Care questions please contact Customer Care; contact details can be found on http://www.philips.com/support.
Kind regards / Met vriendelijke groet,

[name]

Assistant OSS Compliance Officer

Philips Intellectual Property & Standards
P.O. Box 220, 5600 AE Eindhoven, The Netherlands
http://www.ip.philips.com

Aside from the amusing legal note, this is pretty much the best response you could expect from any company.

The file they gave me was BDP3200.zip, and I've put a file listing online - note the 2010 modified dates probably meant that I didn't need to check for updated source... (this player was a 2012 model).

The player is based on a modified 2.6.27 kernel and some proprietary modules.

I've put the kernel source up on a Gitorious repo, but I'm still trying to work out the best way to structure the rest of the files (uBoot, DirectFB etc.)

Anyway, comparisons of the source from different models of player (say my 3200-79 vs the more expensive 3200x-77) suggest there are only a few ./configure options between the high end and the low end - that's all.

I knew from looking at Android phones that you could do video decoding on one chip. Some strings in BDP_Linux/build_uboot_2009_08_test.sh suggest that it's all running from a MediaTek MT8530 chipset. There's no matching -mediatek toolchain that I could find freely and I haven't gotten around to trying a generic ARM one yet.

Into the firmware.

Binwalk is like the *nix 'file' command on steroids. It'll search through a binary blob looking for compressed data and filesystems that it recognises.

I used a set of utilities that includes binwalk called firmware-mod-kit. It simplifies things and automates some/all of the unpacking, and all of the repacking of firmware. It was originally designed for modifying router firmware, but it works pretty well in this case, too.

Scan Time:     2013-05-28 16:08:30
Signatures:    193
Target File:   Philips/BDP3200-79/Firmware/Original/bdp3200_79_fus_eng/UPG_ALL/BDP_3200_A.BIN
MD5 Checksum:  31ed90ba06f78502eaba325716c87ceb

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------
68170       0x10A4A     Mediatek bootloader
95162       0x173BA     Mediatek bootloader
335416      0x51E38     LZMA compressed data, properties: 0x02, dictionary size: 16777216 bytes, uncompressed size: 16804096 bytes
392451      0x5FD03     LZMA compressed data, properties: 0x0B, dictionary size: 33554432 bytes, uncompressed size: 1376252 bytes
392471      0x5FD17     LZMA compressed data, properties: 0x0B, dictionary size: 33554432 bytes, uncompressed size: 1114108 bytes
418903      0x66457     LZMA compressed data, properties: 0x02, dictionary size: 1048576 bytes, uncompressed size: 1073741824 bytes
418927      0x6646F     LZMA compressed data, properties: 0x02, dictionary size: 1048576 bytes, uncompressed size: 1073741824 bytes
418999      0x664B7     LZMA compressed data, properties: 0x02, dictionary size: 2097152 bytes, uncompressed size: 1073741824 bytes
419023      0x664CF     LZMA compressed data, properties: 0x02, dictionary size: 2097152 bytes, uncompressed size: 1073741824 bytes
419095      0x66517     LZMA compressed data, properties: 0x02, dictionary size: 4194304 bytes, uncompressed size: 1073741824 bytes
419119      0x6652F     LZMA compressed data, properties: 0x02, dictionary size: 4194304 bytes, uncompressed size: 1073741824 bytes
419191      0x66577     LZMA compressed data, properties: 0x02, dictionary size: 8388608 bytes, uncompressed size: 1073741824 bytes
419215      0x6658F     LZMA compressed data, properties: 0x02, dictionary size: 8388608 bytes, uncompressed size: 1073741824 bytes
419239      0x665A7     LZMA compressed data, properties: 0x02, dictionary size: 8388608 bytes, uncompressed size: 1073741824 bytes
419359      0x6661F     LZMA compressed data, properties: 0x02, dictionary size: 16777216 bytes, uncompressed size: 1073741824 bytes
425418      0x67DCA     uImage header, header size: 64 bytes, header CRC: 0x8F988CA7, created: Wed May 16 18:15:28 2012, image size: 1543428 bytes, Data Address: 0xDA00000, Entry Point:     0xDA00000, data CRC: 0xB1F141A6, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: ""
442274      0x6BFA2     gzip compressed data, from Unix, last modified: Sat Apr 28 18:54:12 2012, max compression
1968922     0x1E0B1A    gzip compressed data, was "initrd.img", from Unix, last modified: Wed May 16 18:16:01 2012
3335770     0x32E65A    Squashfs filesystem, little endian, version 3.1, size: 24642859 bytes,  143 inodes, blocksize: 131072 bytes, created: Wed May 16 18:16:06 2012 
48322138    0x2E1565A   PNG image, 1920 x 1080, 8-bit/color RGBA, non-interlaced

That's almost too easy. Ignoring the chunk of LZMA, as it might be a false positive, the listing is pretty much as straightforward as it gets. There's the uBoot image, the initrd, a squashfs filesystem that's most likely mounted as / and even an HD PNG that I'm going to guess is used as the splash screen (see, not everyone upscales from 720p!)
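A signature hit is only a guess until something in the format confirms it, and the uImage entry in the listing carries two CRCs that do exactly that. The sketch below is an added example, not code from binwalk or firmware-mod-kit: it assumes the legacy 64-byte U-Boot header layout, and the function names and the sample blob are made up for illustration.

```python
import struct
import zlib

UIMAGE_MAGIC = b"\x27\x05\x19\x56"
# Legacy U-Boot image header: 64 bytes, big-endian.
# magic, hcrc, time, size, load, entry, dcrc, os, arch, type, comp, name
HDR = struct.Struct(">4s6I4B32s")


def make_uimage(payload, name=b"constructed"):
    """Build header + payload the way mkimage does (used for the sample only)."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0xDA00000, 0xDA00000,
              zlib.crc32(payload), 5, 2, 2, 0, name]  # Linux, ARM, kernel, no compression
    fields[1] = zlib.crc32(HDR.pack(*fields))  # header CRC, taken with hcrc = 0
    return HDR.pack(*fields) + payload


def check_uimage(blob, off):
    """Classify a magic hit: 'false-positive', 'data-mismatch' or 'valid'."""
    raw = blob[off:off + HDR.size]
    if len(raw) < HDR.size or raw[:4] != UIMAGE_MAGIC:
        return "false-positive"
    _magic, hcrc, _time, size, _load, _ep, dcrc, *_rest = HDR.unpack(raw)
    # The header CRC covers the header with its own field zeroed out.
    if zlib.crc32(raw[:4] + b"\0" * 4 + raw[8:]) != hcrc:
        return "false-positive"   # the magic bytes occurred by chance
    data = blob[off + HDR.size:off + HDR.size + size]
    if len(data) != size or zlib.crc32(data) != dcrc:
        return "data-mismatch"    # truncated or modified payload
    return "valid"


def scan(blob):
    """Return [(offset, verdict)] for every occurrence of the uImage magic."""
    hits, pos = [], blob.find(UIMAGE_MAGIC)
    while pos != -1:
        hits.append((pos, check_uimage(blob, pos)))
        pos = blob.find(UIMAGE_MAGIC, pos + 1)
    return hits


# Constructed sample: padding, a stray magic, then a real image.
SAMPLE = b"\xff" * 100 + UIMAGE_MAGIC + b"\xff" * 60 + make_uimage(b"kernel" * 50)
TAMPERED = SAMPLE[:-1] + b"X"   # same blob with one payload byte changed

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(scan(TAMPERED))
```

The LZMA hits in the listing have no equivalent check: the format has no magic number and no header checksum, which is why they are the entries most likely to be false positives.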

There are two other segments of firmware - if anyone knows how to extract YAFFS, please get in touch.

From the listing above, extracting the squashfs gave a reasonably standard file system, the interesting bits including:

./usr/share/rhapsody:
total 8
-rwxr-xr-x 0 voltagex voltagex 1184 Apr 28  2012 Mediatek.cert.pem
-rwxr-xr-x 0 voltagex voltagex  887 Apr 28  2012 Mediatek.key.pem

oops!

./usr/opera:
total 0
drwxr-xr-x 0 voltagex voltagex 0 May 28 22:13 fonts
drwxr-xr-x 0 voltagex voltagex 0 May 28 22:13 lib
drwxr-xr-x 0 voltagex voltagex 0 May 28 22:13 opera_dir
drwxr-xr-x 0 voltagex voltagex 0 May 28 22:13 opera_home

That certainly wasn't advertised on the box!

./usr/share/netflix/swf:
total 624
-rwxr-xr-x 0 voltagex voltagex 267839 Apr 28  2012 application.swf
-rwxr-xr-x 0 voltagex voltagex   1875 Apr 28  2012 device.xml
-rwxr-xr-x 0 voltagex voltagex    796 Apr 28  2012 keymap.xml
-rwxr-xr-x 0 voltagex voltagex 126826 Apr 28  2012 loader.swf
-rwxr-xr-x 0 voltagex voltagex 229437 Apr 28  2012 registration.swf

Neither was that.

At this point I wanted to get into the device while it was running. I sank many, many hours into this goal, and probably wore out the NAND on the device a fair bit.

I managed to create modified versions of the firmware, including a "trojaned" version that started telnetd as part of the init-script.

I had hoped this would give me a console to play with on the device. Instead, I'm guessing that a binary called 'bdpprog' runs most of the system, or at least takes precedence over my silly attempts to launch utelnetd.

rootfs/$ strings ./usr/local/bin/bdpprog | grep telnet
/usr/sbin/telnetd &
telnetd invoked ok
telnetd invoked failed
invoke_telnetd

One of these days I'm going to have to learn ARM assembly.

A hardware solution to a software problem

If you look carefully at the main board you can see a line of four pins, which is a candidate for a serial console (and the service manual seemed to agree). There's a fair amount of empty space in the case and I'm impressed at what you can do with a system-on-chip, a video converter and a standard-ish Blu-Ray drive.

The first step was to probe for voltages around 3.3V and then attach some wires.

With help from a friend and a soldering iron, we then started to hit problems. I'm not sure if my soldering iron isn't hot enough or we need to try a different approach, but it's almost impossible to remove the existing solder from the board (even with wick or a 'solder sucker').

So unfortunately that's where I'm stuck for now. I'm going to continue to analyse the existing firmware and the source provided, and maybe have another go at soldering to the serial console.
