I thought that somebody might find it interesting to know what actually drives the media player functionality in the PDPG9, and therefore I decided to have a little peek at the firmware. The following will detail some of these findings.
The easiest way into the PDP G9 is through the firmware updates that Pioneer makes available. I used the 0907-0701 released in December 2008, which contains the following files:
boot.img contains a simple 128 byte header with a size, a name and something that looks like a CRC. The payload is just a gzipped file and can be extracted with dd if=boot.img skip=1 bs=128 |zcat >vmlinux. The extracted data contains a linux kernel and an initial ramdisk, which can be unpacked with dd if=vmlinux skip=1 bs=2703360 |zcat|cpio -id --no-absolute-filenames.
In the unpacked ramdisk we can easily find information on how to decrypt the firmware update. The file /etc/init.d/S25update.sh contains the following interesting lines:
...
UPDATE_IMG_ENCRYPTED=${USBDIR}/update.enc
UPDATE_KEY=${USBDIR}/update.key
...
/usr/sbin/pdec -i /etc/rsa_pub.pem -o /var/tmp/rsa_pub.pem -k 7
openssl rsautl -verify -inkey /var/tmp/rsa_pub.pem -pubin \
-in ${UPDATE_KEY} -out /var/tmp/aes.key >/dev/null
cat /var/tmp/aes.key | \
mount -o encryption=aes -p0 ${UPDATE_IMG_ENCRYPTED} ${UPDATE_DIR}
pdec decrypts the RSA public key, which seems to be encrypted using AES-128 in CBC mode with a "secret" key. When decrypted it looks like a standard public key:
-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----
This is then used to decrypt our firmware specific key (pure ASCII when decrypted), which is then fed into a crypto loop mount of the encrypted image. The firmware update contains the following:
./bin/dlprep ./bin/pacdump ./bin/qs1getver ./bin/updater ./e2sv.pac ./error_codes.sh ./lib/libgcc_s.so.1 ./lib/libstdc++.so.6 ./package_selection.sh ./PT08EE_P1_part0.img ./PT08EE_P1_part1.img ./PT08EE_P1_part2.img ./PT08EE_P1_part6.img ./update.sh ./update_dtv.sh ./update_types.sh ./version.sh
The interesting files are PT08EE_P1_*
PT08EE_P1_part0.img - squashfs 3.0 root filesystemPT08EE_P1_part1.img - Broadcom CFE bootloaderPT08EE_P1_part2.img - Pioneer main application. Just a 128 byte header and an ELF filePT08EE_P1_part6.img - squashfs 3.0 application filesystemLuckily our friends from Pioneer included a feature where you can actually make unencrypted firmware updates. Just make a USB stick with a folder named upgrade and put boot.img into this. Then make an ISO (I used mkisofs) and put a file named update.sh in it. Mine looked like this:
#!/bin/sh /sbin/modprobe bcmemacnet /bin/ifconfig eth0 192.168.1.107 utelnetd -d sleep 86400
As you can see the ramdisk already comes with a telnet daemon and the included busybox is also pretty good loaded.
According to /proc/cpuinfo the tv sports a Broadcom 7401 which is clocked at 300 MHz. 100 MB RAM is available for the Linux kernel (version 2.6.12-4.2-pdp9g-r276). Here is a dump of /proc/cpuinfo:
system type : BCM97xxx Settop Platform processor : 0 cpu model : Brcm7401 V0.0 cpu MHz : 295.93 BogoMIPS : 295.93 ( udelay_val : 147968 HZ = 1000 ) wait instruction : yes microsecond timers : yes tlb_entries : 32 extra interrupt vector : yes hardware watchpoint : no ASEs implemented : VCED exceptions : not available VCEI exceptions : not available RAC setting : I/D-RAC enabled unaligned access : 0