Firmware for the PDP G9 dissected (PDP-LX6090H and PDP-LX5090H)

I thought somebody might find it interesting to know what actually drives the media player functionality in the PDP G9, so I had a little peek at the firmware. The following details some of the findings.

Firmware updates

The easiest way into the PDP G9 is through the firmware updates that Pioneer makes available. I used the 0907-0701 released in December 2008, which contains the following files:

boot.img starts with a simple 128-byte header containing a size, a name and something that looks like a CRC. The payload after the header is just a gzip stream and can be extracted with

dd if=boot.img skip=1 bs=128 | zcat > vmlinux

The result is a Linux kernel with the initial ramdisk (a gzipped cpio archive) appended at offset 2703360, which can be unpacked with

dd if=vmlinux skip=1 bs=2703360 | zcat | cpio -id --no-absolute-filenames
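As an added example (not the author's tooling and not anything shipped by Pioneer), here is the same extraction in Python, generalized so it does not depend on the 2703360 offset of this particular build: it strips the 128-byte header, inflates the payload, scans the kernel for every gzip member, and checks whether any 32-bit word in the header equals the CRC-32 of the payload, which is how you would confirm the "something that looks like a CRC". The header field offsets are not known from the page, so the name field is only a labelled guess, and make_sample_image() builds a constructed stand-in for boot.img so the script runs without real firmware.

```python
"""Unpack a boot.img of the layout described above: 128-byte header, gzip
payload holding the kernel, and a gzipped cpio initramfs appended inside it.

Added example, not Pioneer's tooling. The header field layout is not known
(only that it holds a size, a name and a CRC-like word), so nothing here
hard-codes field offsets or the 2703360 ramdisk offset; values are found by
scanning and checked against the data instead.
"""
import gzip
import struct
import sys
import zlib

HEADER_LEN = 128
GZIP_MAGIC = b"\x1f\x8b\x08"


def locate_crc32(header: bytes, payload: bytes):
    """Return (offset, endianness) of a header word equal to CRC-32(payload),
    or None. A miss means the 'CRC' covers something else or is not CRC-32."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    encodings = {struct.pack("<I", crc): "little", struct.pack(">I", crc): "big"}
    for off in range(len(header) - 3):
        word = header[off:off + 4]
        if word in encodings:
            return off, encodings[word]
    return None


def gunzip_member(data: bytes):
    """Inflate exactly one gzip member starting at data[0].
    Returns (plaintext, bytes consumed); raises zlib.error if no complete
    member starts there, which is how false magic hits get weeded out."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # +16: expect a gzip wrapper
    out = d.decompress(data)
    if not d.eof:
        raise zlib.error("truncated gzip member")
    return out, len(data) - len(d.unused_data)


def find_gzip_members(blob: bytes):
    """Yield (offset, plaintext) for every complete gzip member in blob.
    This replaces the hard-coded 'dd skip=1 bs=2703360': every candidate that
    inflates cleanly is reported, so it works on builds with other offsets."""
    off = 0
    while True:
        off = blob.find(GZIP_MAGIC, off)
        if off < 0:
            return
        try:
            plain, used = gunzip_member(blob[off:])
        except zlib.error:
            off += 1            # false positive, keep scanning
            continue
        yield off, plain
        off += used             # continue after this member


def unpack_boot_img(img: bytes) -> dict:
    """Split header and payload, inflate the kernel, collect embedded ramdisks."""
    if len(img) < HEADER_LEN + len(GZIP_MAGIC):
        raise ValueError("image too small for a header plus a gzip payload")
    header, payload = img[:HEADER_LEN], img[HEADER_LEN:]
    if not payload.startswith(GZIP_MAGIC):
        raise ValueError("payload after the 128-byte header is not gzip")
    vmlinux, _ = gunzip_member(payload)
    return {
        # Assumption, not from the page: name is NUL-terminated ASCII at offset 0.
        "name_guess": header.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "crc": locate_crc32(header, payload),
        "vmlinux": vmlinux,
        "ramdisks": list(find_gzip_members(vmlinux)),   # each is a cpio archive
    }


def make_sample_image():
    """Constructed stand-in for a real boot.img (not Pioneer data): name, size
    and little-endian CRC-32 in the header, then gzip(kernel + gzip(cpio))."""
    cpio = b"070701" + b"0" * 104 + b"TRAILER!!!\x00"     # cpio-newc lookalike
    kernel = b"\x7fELF" + bytes(range(256)) * 16          # 4100 bytes of filler
    vmlinux = kernel + gzip.compress(cpio)
    payload = gzip.compress(vmlinux)
    header = b"pdp9_boot".ljust(32, b"\x00")
    header += struct.pack("<I", len(payload)) + struct.pack("<I", zlib.crc32(payload))
    return header.ljust(HEADER_LEN, b"\x00"), payload, vmlinux, cpio


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            img = f.read()
    else:
        hdr, pay, _, _ = make_sample_image()
        img = hdr + pay
    info = unpack_boot_img(img)
    print("name (guess):", info["name_guess"], " crc word:", info["crc"])
    with open("vmlinux", "wb") as f:
        f.write(info["vmlinux"])
    for i, (off, cpio) in enumerate(info["ramdisks"]):
        path = f"initramfs{i}.cpio"
        with open(path, "wb") as f:
            f.write(cpio)
        print(f"gzip member at vmlinux offset {off}: {len(cpio)} bytes -> {path}"
              " (unpack with cpio -id --no-absolute-filenames)")
```

Run it with the real boot.img as the only argument, or with no argument to exercise the constructed sample. On the real image the interesting outputs are the crc result (if it is None, the header checksum is over something other than the raw payload) and the ramdisk offset, which should come out as 2703360 for this build.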

In the unpacked ramdisk we can easily find information on how to decrypt the firmware update. The file /etc/init.d/S25update.sh contains the following interesting lines:

...

UPDATE_IMG_ENCRYPTED=${USBDIR}/update.enc
UPDATE_KEY=${USBDIR}/update.key

...

/usr/sbin/pdec -i /etc/rsa_pub.pem -o /var/tmp/rsa_pub.pem -k 7
openssl rsautl -verify -inkey /var/tmp/rsa_pub.pem -pubin \
        -in ${UPDATE_KEY} -out /var/tmp/aes.key >/dev/null
cat /var/tmp/aes.key | \
        mount -o encryption=aes -p0 ${UPDATE_IMG_ENCRYPTED} ${UPDATE_DIR}

pdec decrypts the RSA public key: /etc/rsa_pub.pem seems to be stored encrypted with AES-128 in CBC mode under a "secret" key. Since pdec is handed nothing but a key index (-k 7), that key has to live somewhere on the very ramdisk we just unpacked, so it is secret only until somebody looks. Decrypted, it is a standard PEM public key:

-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----

This key is then used to recover our firmware-specific AES key (pure ASCII once recovered), which is fed on stdin (-p0) to a crypto-loop mount of the encrypted image. Note that openssl rsautl -verify is not decryption in the usual sense: it raises update.key to the public exponent and strips the PKCS#1 padding, i.e. it recovers the message of an RSA signature made with Pioneer's private key. The scheme therefore gives integrity (only Pioneer can produce a valid update.key for an image) but confidentiality only as long as rsa_pub.pem stays obfuscated, because anyone holding the public key can recover the AES key exactly the way the TV does. The firmware update contains the following:

./bin/dlprep
./bin/pacdump
./bin/qs1getver
./bin/updater
./e2sv.pac
./error_codes.sh
./lib/libgcc_s.so.1
./lib/libstdc++.so.6
./package_selection.sh
./PT08EE_P1_part0.img
./PT08EE_P1_part1.img
./PT08EE_P1_part2.img
./PT08EE_P1_part6.img
./update.sh
./update_dtv.sh
./update_types.sh
./version.sh

The interesting files are the PT08EE_P1_* partition images.
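To make the rsautl -verify step concrete, here is an added example that is not Pioneer's code or tooling. It emulates what S25update.sh does with update.key, using a toy RSA key (two Mersenne primes, far smaller than anything real) in place of rsa_pub.pem and a made-up 16-byte ASCII string in place of the firmware AES key; the padding is PKCS#1 v1.5 block type 1, which is what rsautl applies by default for private-key operations.

```python
"""What `openssl rsautl -verify -pubin` actually does to update.key.

Added example, not Pioneer's code. `-verify` is not decryption: it computes
s^e mod n with the PUBLIC key and strips PKCS#1 v1.5 type-1 padding, i.e. it
recovers the message that was signed with the private key. Shown below:
anyone with the public key gets the AES key back; producing a new
update.key that the TV accepts requires the private exponent d.
"""

# Toy key (assumption: the real key is far larger). Both moduli factors are
# Mersenne primes, so the key is deterministic and needs no prime generation.
P = (1 << 127) - 1        # 2^127 - 1, prime
Q = (1 << 107) - 1        # 2^107 - 1, prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus size in bytes (30 here)


def pkcs1_type1_pad(msg: bytes, k: int) -> bytes:
    """EM = 00 || 01 || FF..FF || 00 || msg (block type 1, used for signing)."""
    if len(msg) > k - 11:
        raise ValueError("message too long for this modulus")
    return b"\x00\x01" + b"\xff" * (k - len(msg) - 3) + b"\x00" + msg


def pkcs1_type1_unpad(em: bytes) -> bytes:
    """Reverse of the above; any structural deviation is rejected."""
    if len(em) != K or em[:2] != b"\x00\x01":
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):   # >= 8 bytes of FF
        raise ValueError("bad padding string")
    return em[sep + 1:]


def vendor_sign(aes_key: bytes) -> bytes:
    """Vendor side (needs D): update.key = EM^d mod n, big-endian, K bytes."""
    m = int.from_bytes(pkcs1_type1_pad(aes_key, K), "big")
    return pow(m, D, N).to_bytes(K, "big")


def rsautl_verify(update_key: bytes) -> bytes:
    """TV side, equivalent to `openssl rsautl -verify -pubin -inkey rsa_pub.pem`.
    Only N and E are used, so anyone holding the public key can run this."""
    s = int.from_bytes(update_key, "big")
    if s >= N:
        raise ValueError("signature out of range")
    em = pow(s, E, N).to_bytes(K, "big")
    return pkcs1_type1_unpad(em)


def accepts(update_key: bytes) -> bool:
    """Would the update script get a usable aes.key out of this update.key?"""
    try:
        rsautl_verify(update_key)
        return True
    except ValueError:
        return False


def tamper(update_key: bytes, pos: int = -1) -> bytes:
    """Flip one bit: a stand-in for editing update.key without knowing D."""
    b = bytearray(update_key)
    b[pos] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    key = b"0123456789abcdef"        # constructed stand-in for the real AES key
    upd = vendor_sign(key)
    print("recovered with the public key only:", rsautl_verify(upd))
    print("bit-flipped update.key accepted?    ", accepts(tamper(upd)))
```

Run without arguments: the first line prints the AES key recovered using nothing but (N, E); the second shows a bit-flipped update.key being rejected at the padding check. That is the whole security property of the scheme as far as the TV is concerned: the (obfuscated) public key gives the AES key away, and only the private key lets you mint a valid update.key for an image of your own.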

Running your own stuff on the PDP G9

Luckily our friends from Pioneer also left in a way to run unencrypted updates, which makes the signature dance above rather pointless as a code-execution barrier: whoever can plug in a USB stick gets to run their own shell script on the set. Make a USB stick with a folder named upgrade and put boot.img into it. Then make an ISO (I used mkisofs) containing a file named update.sh. Mine looked like this:

#!/bin/sh
# update.sh, executed by the TV's updater from the ISO on the USB stick

# load the Broadcom ethernet driver and bring up the interface
/sbin/modprobe bcmemacnet
/bin/ifconfig eth0 192.168.1.107

# start the telnet daemon that ships in the ramdisk
utelnetd -d

# keep the script (and with it the telnet session) alive for a day
sleep 86400

As you can see, the ramdisk already ships a telnet daemon, and the included busybox is also pretty well stocked.

The hardware

According to /proc/cpuinfo the TV has a Broadcom BCM7401, a MIPS set-top-box SoC, clocked at roughly 300 MHz. 100 MB of RAM are available to the Linux kernel (version 2.6.12-4.2-pdp9g-r276). Here is a dump of /proc/cpuinfo:

system type             : BCM97xxx Settop Platform
processor               : 0
cpu model               : Brcm7401 V0.0
cpu MHz                 : 295.93
BogoMIPS                : 295.93    ( udelay_val : 147968  HZ = 1000 )
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : no
ASEs implemented        :
VCED exceptions         : not available
VCEI exceptions         : not available
RAC setting             : I/D-RAC enabled
unaligned access        : 0