Hej456

thijsnl · **Posted:** Mon Jan 18, 2010 7:38 pm

Is this our unencrypted bootloader we are looking for?

00:00:00.004 Image$$BOOT$$Base.........(0x00100000)
00:00:00.008 Image$$BOOT$$Limit........(0x00100a48)

i did a dump from 0x00100000 with a len of 0xa48

nickba · **Posted:** Wed Feb 03, 2010 8:38 pm

Hi,

I read a lot of this topic. I have an Oppo-BD83 and I also have a modchip for it. All the magic is done in the I2C bus as you already know.

As you may have more experience with other Mediatek chips, I have a question:

Do you know if other mediatek chips sends an I2C requests that requires a authentication? I am asking that because everytime the master sends different bytes and waits for different bytes in the I2C log.

Gradius · **Posted:** Tue Feb 23, 2010 6:11 pm

That modchip just fool the firmware via I2C believing the region match with the disc on unit.

Gradius · **Posted:** Tue Feb 23, 2010 6:24 pm

Well, I like practical things, I was thinking to desoldering TSOP EEPROM and put in on universal programmer to rip all the contents, will I have it unencrypted ?

I guess the firmware inside is still encrypted, to avoid such means, or I'm wrong?

Gradius

new_age · **Posted:** Tue Feb 23, 2010 6:37 pm

Are you talking about the serial flash in the MT85xx board?

Gradius · **Posted:** Tue Feb 23, 2010 6:41 pm

new_age @ Tue Feb 23, 2010 2:37 pm wrote:

Are you talking about the serial flash in the MT85xx board?

No, the regular one (not serial eeprom).

On Serial EEPROM it should contains only the keys for Blu-ray.

Which IC is the Flash EEPROM? I don't have the player yet and I cannot find those photos about BDP-83.

Gradius · **Posted:** Tue Feb 23, 2010 7:15 pm

I found the photo here:
http://vtbsd.net/bdp83/IMG_2632.JPG

But it sucks completly, I cannot read the Flash IC at all!

I only know (from photo) is a Hynix TSOP 48-pin.

new_age · **Posted:** Tue Feb 23, 2010 7:29 pm

MT85xx

serial flash (NOR) content:

0: encrypted boot loader (when chip starts it decrypts its contents to dram 0 address and starts it): this decompress NAND content into dram and then starts it
1: some kind of NOR and NAND upgrader code from USB
2: encrypted data (maybe keys)
3: main firmware config data

NAND flash content:
0: compressed main code parts, compressed data parts (message table, font(s), images, icons)
1: FAT formatted data space for BD

The firmware update contains: NOR (bootloader + unknown upgrade code) and NAND parts (compressed code and data)

Gradius · **Posted:** Tue Feb 23, 2010 10:58 pm

What's the Serial EEPROM IC (type) ?

If is inside on MT852x it will be hard to get access to it.

I need to know the IC type for Flash EEPROM too, so I can choose the proper universal programmer for both.

new_age · **Posted:** Wed Feb 24, 2010 12:12 pm

Search for 8pin small ic. You'll find the sflash.
Usually cfEon (25F80).

Gradius · **Posted:** Wed Feb 24, 2010 8:24 pm

LOL, I cannot, like I said before, I don't have the player.

new_age · **Posted:** Wed Feb 24, 2010 8:39 pm

"I was thinking to desoldering TSOP EEPROM and put in on universal programmer to rip all the contents"

Ehm. If you don't have a player. Then from what?

Gradius · **Posted:** Sat Feb 27, 2010 4:30 pm

"I don't have the player yet and I cannot find those photos about BDP-83."

"I need to know the IC type for Flash EEPROM too, so I can choose the proper universal programmer for both."

Gradius

new_age · **Posted:** Wed Apr 07, 2010 6:40 pm

Philips put some sources on their P4C site for different players but the file is all the same for all players.
One link: http://www.p4c.philips.com/files/b/bdp5100_12/bdp5100_12_osf_eng.zip

derbeDeus · **Posted:** Fri Jul 09, 2010 10:36 pm

thijsnl @ Sun Jan 17, 2010 10:56 pm wrote:

i did not find the password, but during testing, i found a workaround (actually a bug in the firmware that lets me execute commands without authenticating ;)

Hi, could you tell us what is the workaround?
Thanks