Porting effort to TEAC HA-P90SD and Onkyo DAC-HA300
Product info
The Onkyo DAC-HA300 is essentially the same device with different
branding and a different $3 opamp.
Analysis
Vendor firmware update files
- Placed on SD-Card. Flash update tool invoked by pressing up-switch during power-up.
- < 3MB
- Size always n * 2048 bytes + 32
- Looks like a 32-bit checksum at the end
- Entropy
  - Not compressed or serious crypto
  - Very few high-entropy regions. Probably DRM stuff we're not interested in
- Scrambled via simple byte substitution
- contains blackfin boot ROM stream
- code: https://github.com/pamaury/onkyo_teac_tools
- Firmware includes a ThreadX kernel
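The size and entropy observations above can be checked with a short script. This is an added example, not code from the vendor or from the onkyo_teac_tools repo. The sample data and the substitution table are constructed for the demonstration, and the function names are hypothetical. It relies on the fact that a byte substitution permutes the byte histogram without changing it, so entropy measured on the scrambled file equals that of the underlying data.

```python
import math
import random
from collections import Counter

BLOCK = 2048  # block size from the size observation above
EXTRA = 32    # bytes left over beyond the whole blocks

def block_count(size):
    """Return n if size == n * 2048 + 32, else None."""
    n, rem = divmod(size - EXTRA, BLOCK)
    return n if size >= EXTRA and rem == 0 else None

def entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total)
                for c in Counter(data).values())

def high_entropy_blocks(data, threshold=7.5):
    """Offsets of 2048-byte blocks whose entropy exceeds the threshold."""
    return [off for off in range(0, len(data), BLOCK)
            if entropy(data[off:off + BLOCK]) > threshold]

def make_sample():
    """Constructed stand-in for an update file: (plain, scrambled)."""
    rng = random.Random(1)
    # Three blocks with a skewed byte distribution, standing in for code.
    code = bytes(rng.choice(b"\x00\x00\x00\xff\x10\x20\xe1\x05")
                 for _ in range(3 * BLOCK))
    # One block of random bytes, standing in for a high-entropy region.
    blob = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    plain = code + blob + bytes(EXTRA)
    # Constructed substitution table, NOT the vendor's real one.
    table = list(range(256))
    rng.shuffle(table)
    return plain, plain.translate(bytes(table))

if __name__ == "__main__":
    plain, scrambled = make_sample()
    print("blocks:", block_count(len(scrambled)))
    print("entropy plain/scrambled:", entropy(plain), entropy(scrambled))
    print("high-entropy block offsets:", high_entropy_blocks(scrambled))
```

On a real update file, read the bytes from disk and pass them to `block_count(len(data))` and `high_entropy_blocks(data)`.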
Magic key combos
| during powerup | program |
|---|---|
| Home | chinese font selection |
| Up | firmware update |
| Push | test mode |
Hardware
Inventory
Disassembling
- Use a suction cup to remove the glass above the display/button
- Very slowly and carefully loosen the OLED display from the heavy-duty glue. Be careful not to break the kynar cable connecting it to the button PCB. Using two guitar picks I needed 15 minutes to do this
- Remove the button/display PCB (two screws), detaching their cabling
- After removing all the screws of the player, the innards can be slid out
Wiring
- DAC and SPDIF RX/TX chips appear to be wired to the PSoC3
- USB A wired to blackfin
- USB micro-B wired to the PSoC3
Testpoints
| testpoint | device | pin |
|---|---|---|
| TP10 | bfin? | 0V |
| TP12 | bfin? | 3V3, can be pulled low |
| TP14 | bfin? | 0V |
| TP16 | bfin? | GND |
| TP2 | bfin? | 3V3 |
| TP33 | PSoC3 | 3V3? |
| TP34 | PSoC3 | TMS |
| TP35 | PSoC3 | TCK |
| TP36 | PSoC3 | TDO |
| TP37 | PSoC3 | TDI |
| TP38 | PSoC3 | #XRES |
| TP39 | PSoC3 | GND |
| TP4 | bfin? | 3V3, can be pulled low |
| TP51 | SPI flash | CS |
| TP52 | SPI flash | DO |
| TP53 | SPI flash | SCK |
| TP54 | SPI flash | DI |
| TP55 | SPI flash | VCC |
| TP6 | bfin? | 3V3, can be pulled low |
| TP8 | bfin? | 0V |
Interesting signals
| bfin ball | pin | comment |
|---|---|---|
| J03 | SYS_BMODE0 | appears not accessible |
| H03 | SYS_BMODE1 | appears not accessible |
| G03 | SYS_BMODE2 | appears not accessible |
| | SYS_RESET | appears not accessible |
Disassembly
- vendor update file -> descramble -> bfin bootcode to elf converter -> bfin-objdump
- Almost all addresses make sense. The rest is probably code copied to SRAM for a speedup.
- A biggish jump table obscures calls. Maybe C++ vtables.
- CAN peripheral heavily used, probably to move audio from bfin to PSoC3
Flash dump
- SPI bus exposed via testpoints
- System can be put into reset by pulling the spot marked in the attached image low via 1kΩ while powering the unit up from, battery detached
- Watch for the blue power LED to be dimly lit to be certain the blackfin is in reset
- Use the labelled GND pin; other ground planes seem to be isolated via low-pass filters, making behavior erratic
- Writing the bfin boot stream extracted using the abovementioned repo straight to the SPI flash yields a normally operating player
- Starting at 0x3f0000, the OFW uses the SPI flash as a wear-levelling store
- Labelled test points for taking over the SPI flash: