Introduction
As with many embedded devices, it's possible to get your MG-35's internal firmware into a state whereby the unit won't work and can't be reflashed in the normal way. This process is usually called "bricking" and your media player is now "bricked" or a "brick". The reverse process is called "debricking" or "unbricking" and after performing it your MG-35 is "unbricked". As the manufacturers of embedded devices make the debricking process rather difficult, and dependent on secret knowledge and undocumented connectors, stronger terms are used at times.
This serial approach to recovering your MG-35 will only work if the serial loader at the start of the flash is intact. If your unit died due to reflashing with firmware with a suspect kernel or disk image, then the loader should be OK. If it dies due to loss of power during an erase/flash cycle, then you're probably out of luck. If your blue light flashes on power on, and never stops flashing, then you're probably OK with the approach here. Otherwise, you need to use the JTAG approach.
To use the MG-35's serial port you will need a special cable with a voltage shifter (the MG-35's serial is 3.3V versus 12V for a PC's serial) but the cables are only a few dollars and you can even make your own.
Firing it up
If you then connect the cable to a PC and fire up Hyperterminal (or similar) with the settings on 38400 for bit rate, no parity, one stop bit and xon/off handshaking (38400-8-N-1) you should see the serial loader messages as you power on the MG-35. If you don't, try swaping RX and TX and check your settings.
Here is roughly what you should see. Your output may look different if you have a different flash chip, and you may well see an error if your Linux kernel didn't decompress correctly due to it being corrupt.
Jasper Bootloader v1.0.0 (Feb 10 2006 15:34:08)
Supports BootMenu Flash Network
This version of fips use micom with power control, version3
Swapping erase regions for broken CFI table.
0031.0032 mfr 00ec id 2275 Top bootsector
Flash 0 at address 0x00000000
ID : AMD/Fujitsu Standard
Size : 4096 KB
Regions : 2
0 : 0x003e0000 - 0x00004000 * 8
1 : 0x00000000 - 0x00020000 * 31
0BF0IDENTIFY FAILED
Inptr=
00000014
Inflating....
Final Inptr=000A27FD
Original LEN =0014BB48OutCnt = 0014BB48
Original CRC =B1201065
Computed CRC =B1201065
01008000
Login
To get access to the serial loader's menus, you have to press any key as you power on the device. The sequence stops after "This version of fips..." and the MG35 is waiting for a pasword to be entered. Note there is no prompt to enter this string - the MG-35 will just echo your typing until you type the magic string.
The correct password is:
Note the capitalization and the period at the end.
Commands
On the serial console we have commands to download kernel and cramfs filesystem, and even flash them.
pbarette: The bootloader saves the config settings, but I can't get it to save a new default serial baudrate. I usually connect at 38400 then issue "config serial 115200" and disconnect, change the baud on my comm port and reconnect. Since the serial interface is a 3-wire deal, the MG35 doesn't notice the dis/re-connect at all.
Todo: add here the commands.
gadgetmind:
What "boot image" expects is a full rom image at 0x1400000
So -
boot> memcpy 0x1400000 0 0x400000 (4MBytes of rom to 0x1400000)
boot> boot image
Results in a successful inflate of the kernel and the box booting. However, it's currently hard to tell if it's using the new kernel and/or cramFS.
I guess I'd also need -
mem wl 0x1440000 0x014e2809
to tell it to use the new cramFS
pbarette:
The command "flash romfs" erases the flash region from "0x40000" to "0x3FFFFF" then it writes the contents of "0x1400000" into that flash region. So I didn't try to use memcpy to do that.
Also note that there's an unlisted "config save" command, but that doesn't seem to change the default baudrate either.
Comments (0)
You don't have permission to comment on this page.