lekernel.net - scrapbook » frontpage ~ forums ~ about

electronics

software

ti89 projects

inside electronics

chemistry !

lekernel.net - scrapbook

ISIconnect WebTVs

Those boxes are built by the French company ISIconnect. They are based upon the CS7808 system-on-chip by Cirrus Logic. This is a very interesting device, featuring among others two 32-bits RISC processors of 81 MIPS each, MPEG 1&2 video decoders, AC'97 audio, and support for IDE. It runs Nucleus and Oregan TV Interactor (although the CS7808 is not said to be supported by Nucleus, I've managed to get an email from Accelerated Technology saying that it actually is). It would be cool to run my own software on it, to play MP3s, program games, use it as an advanced microcontroller development card, and just for fun :o) Unfortunately, neither Cirrus Logic, Accelerated Technology nor Oregan accepted to give me technical information about this device, so I have to find it out by myself.
Global view CS7808

First attempt : Using the auto-update feature

According to Oregan's website, their software is able to maintain itself up-to-date with an Internet connection. Moreover, some features in the menus are said to be "soon available". Therefore, I tried to connect the box to the Internet and monitor everything it does in order to understand how auto-update works and be able to build my fake update server to send my own software to the box instead of Oregan's.
I've built a fake telephone line using a regulated power supply (12V was enough) in series with a 300 ohm resistor (there is no other solution : as the device uses a software modem, no RS232 signal exists on the board). The device and a Hayes-compatible 28k modem were connected in parallel. A 440Hz tone was injected on the line to prompt the device to dial. After the end of the dial, the command ATA was issued to the modem so that it tried to establish the connection and... it didn't work. The device complained about a "weak telephone line". I've tried increasing the line's DC voltage and reducing the line impedance, no result. I finally found out that the box doesn't detect a low DC component but a decrease in the DC component - probably to avoid such manipulations to be done. A capacitor in series with the modem solved the problem ; it didn't even complain despite the total absence of the DC component on its input.
A few minutes later, I had a TCP/IP connection established between the device and a Linux box. Using iptables and Ethereal, the box was online and all its activity was logged. Unfortunately, I didn't find out a lot of interesting stuff. The box just goes to http://www.isiconnect.fr/reunica/ and displays the page in its browser. The software updates may be available in the subscribers section of this website, but I'm unable to go there. The server redirects us to http://62.210.248.36/isiFact/ccare/home2.jsp, and 62.210.248.36 doesn't appear to be available from the public Internet ; it seems to be an IP attributed to PPP subscribers of magic.fr. It is probably a private IP that you can only contact when you are connected using ISIconnect's internet service. Connecting to this service with a Linux box to monitor the traffic would be complicated (I'd have to crack the former owner's password stored in the device), expensive (phone bills) and probably not up to legality. So I tried different techniques.

Using the I2C bus

The box is equipped with an internal connector which goes to the CS7808's I2C interface :
I2C connector
I connected the I2C bus to my computer's parallel port, and, using Linux's I2C bit-banging interface, I wrote a program to scan all adresses on the I2C bus.
The CS7808 is configured in slave (debug) mode, and responds at the address 0x18, in compliance with the datasheet. I haven't managed to understand how to debug the software using I2C. Reading from the address 0x18 returns the sequence 0 1 6 4 8 16 32 64 135 0 (base 10), then the I2C port locks up, asserting low SDA and SCL until the device is power-cycled. Writing changes some numbers in the sequence read back, and then the I2C locks up like before.
I found out later that this port is meant to be used with Cirrus Logic's debugging device ERomulator, about which they refused to give me any information.

Dealing directly with the FlashROM chips

The CS7808 gets its software from two 29LV160 FlashROM chipsets. They use a TSOP case, making solders on them almost impossible with amateur means. Emulation Technology sells a so-called TSOP clip which allows every signal to be picked up on the chipset (http://www.emulation.com/catalog/off-the-shelf_solutions/debugging_accessories/test_clips/tsop_test_clips/), but their price is simply abusive (about $300).
FlashROM
But the WebTV is equipped with extra pads on the circuit board meant to solder protection resistor networks making the FlashROMs connected to another internal connector (which can be seen in the top right-hand corner of the main picture of the card, "ACCESS DEVICES" is written right under it). I tried to add the resistor networks (scavenged from out-of-order hard disks ;-), but no luck, they were really small and I had lot of problems with them (short circuits, poor solders, ...). I even damaged some pads on the circuit board :-(. But I finally managed to solder wires instead of the resistors, that was difficult but feasible. At this point, I have the FlashROM signals going to a connector I added, everything is checked with an ohmmeter and my card is still working ;-).
FlashROM connector FlashROM connector
Here are the names of the signals the pads lead to (starting from the pad close to the card reader) :
1A162A173A18
4A195A126A13
7A148A159A8
10A911A1012A11
13A414A515A6
16A717A018A1
19A220A321D8
22D923D1024D11
25D426D527D6
28D729D1230D13
31D1432D1533D0
34D135D236D3
37CE# (U10)38CE# (U14)39WE#
40OE#
(end of project because I have better things to do...)