skip to main |
skip to sidebar
I've wanted to get the JTAG pinouts for the Reciva Barracuda board for a long time. That way it should be possible to resurrect bricked radios without having to desolder the flash and add an XD card socket.
Since the Samsung processor is a BGA package, the only way to be sure of the connections seemed to be removing the chip and buzzing out the pads with a multimeter. I mentioned this to a friend at work, he said he'd like to have a look at the board. 2 minutes later he arrived back and the board looked like this (thanks Robin!):
After work I got busy with the multimeter and datasheet. The results seem to be as shown below - I've marked up one of the diagrams from the Sharpfin project:
I've got a JTAG cable, but haven't had chance to try anything yet.
I had a quick look for anything interesting in the kernel sources Reciva have on their site and noticed lirc_barracuda.c. LIRC is the well known Linux Infrared Remote Control software. Some Reciva based radios have a remote control so I though it'd be interesting to see if I could add one to the Logik IR100. All the software is already installed so it should just be a case of adding a bit of hardware, connecting it to the right pin on the Barracuda board then tweaking the appropriate configuration file.
A glance at lirc_barracuda.c showed that the radio expects incoming IR signals on GPIO pin GPG6. This is present on the long connector of the Barracuda board.
Here's the hardware I'm currently using (based on an IR reciever for the NSLU2 "Slug" here modified slightly, it uses an SFH5110-38):
It seems to work fine and provides additional buttons such as Alarm, Sleep and Media. I did have to cross compile irrecord to create the configuration file for my remote.
Many devices running embedded Linux tend to have webserver giving control over various configuration options. A similar thing could be handy for Reciva based Internet Radios.
I've installed boa, a small web server and am currently experimenting. It currently just shows the contents of my presets but there's a lot of scope there...
Interestingly, the usb wifi dongle used in the IR100 can be removed and a hub plugged in to the empty socket. Plugging the wifi device into the hub allows the radio to function as normal. More importantly it allows for other usb devices to be connected :)
If a usb flash disk is connected as the radio boots it is recognised and mounted under /tmp/usb/a/1 (in the case of /dev/sda1) automatically.
Modules are included for usb to serial converters including the popular Prolific PL2303 chip. After installing the usbserial and pl2303 modules a connected usb to serial cable is available as /dev/usb/tts/0.
So, with the help of SimpleDNS, Apache and the familiar linux dropbear ipkg I've finally got a shell:
Right, since it looks like subverting the firmware upgrade is going to require work to crack or circumvent the encryption maybe there's an easier way in.
Perhaps a serial console, for testing purposes, is just waiting to be found on the Barracuda board?
First, those pins on the headers which have obvious uses (power, display, keypad, usb etc.) were identified. Then, the rest of the pins, including the test points on the back of the board, were monitored with an oscilloscope during startup in the hopes of identifying something that looked like the Tx line of a UART. Nothing. Back to the drawing board.
One of the most obvious routes to shell access would be to subvert the firmware upgrade process.
Using ethereal to analyse network traffic turned up lots of interesting information about how the radio functions. Unfortunately it also showed that new firmware is transferred via an encrypted protocol - RTP (Reciva Transfer Protocol?). The curl application has been modified to implement this and accept urls of the form "reciva://xxx.xxx.xxx".
Ideally it would have been possible to intercept a firmware upgrade, analyse the contents and produce a version which would enable a telnet or SSH server. The encryption makes this a tougher task.
