release
dev builds
extras
themes manual
wiki
device status forums
mailing lists
IRC bugs
patches
dev guide



Search | Go
Wiki > Main > TEACHAP90SDPort
Porting effort to TEAC HA-P90SD and Onkyo DAC-HA300

Product info

The Onkyo DAC-HA300 is essentially the same device with different Branding and a different $3 opamp.

Analysis

Vendor firmware update files

  • Placed on SD-Card. Flash update tool invoked by pressing up-switch during power-up.
  • < 3MB
  • Size always n * 2048 bytes + 32
  • looks like a 32bit checksum at the end
  • entropy
    • not compressed or serious crypto
    • Very few high-entropy regions. Probably DRM stuff we're not interested in
  • Scrambled via simple byte substitution
  • contains blackfin boot ROM stream
  • code: https://github.com/pamaury/onkyo_teac_tools
  • Firmware includes a ThreadX kernel

Magic key combos

during powerup program
Home chinese font selection
Up firmware update
Push test mode

Hardware

Inventory

Disassembling

  • Use a suction cup to remove the glass above the display/button
  • Very slowly and carefully loosen the OLED display from the heavy-duty glue. Be careful not to break the kynar cable connecting it to the button pcb. Using two guitar picks I needed 15 minutes to this…
  • Remove the button/display PCB (two screws), detaching their cabling
  • After removing all the screws of the player, the innards can be slid out

Wiring

  • DAC and SPDIF RX/TX chips appear to be wired to the PSoC3
  • USB A wired to blackfin
  • USB micro-B wired to the PSoC3

Testpoints

testpoint device pin
TP10 bfin? 0V
TP12 bfin? 3V3, can be pulled low
TP14 bfin? 0V
TP16 bfin? GND
TP2 bfin? 3V3
TP33 PSoC3 3V3?
TP34 PSoC3 TMS
TP35 PSoC3 TCK
TP36 PSoC3 TDO
TP37 PSoC3 TDI
TP38 PSoC3 #XRES
TP39 PSoC3 GND
TP4 bfin? 3V3, can be pulled low
TP51 SPI flash CS
TP52 SPI flash DO
TP53 SPI flash SCK
TP54 SPI flash DI
TP55 SPI flash VCC
TP6 bfin? 3V3, can be pulled low
TP8 bfin? 0V

Interesting signals

bfin ball pin comment
J03 SYS_BMODE0 appears not accessible
H03 SYS_BMODE1 appears not accessible
G03 SYS_BMODE2 appears not accessible
  SYS_RESET appears not accessible

Disassembly

  • vendor update file -> descramble -> bfin bootcode to elf converter -> bfin-objdump
  • Almost all addresses make sense. Rest is probably code copied to SRAM for a speedup.
  • biggish jump table obscures calls. Maybe C++ vtables.
  • CAN peripheral heavily used, probably to move audio from bfin to PSoC3

Flash dump

  • SPI bus exposed via testpoints
  • System can be put into reset by pulling the spot marked in the attached image low via 1kΩ while powering the unit up from, battery detached
  • Watch for the blue power led to be dimly lit to be certain the blackfin is in reset
  • Use the labelled GND pin, other ground planes seem to be isolated via low-pass filters, making behavior erratic
  • Writing the bfin boot stream extracted using the abovementioned repo straight to the SPI flash yields a normally operating player
  • Starting at 0x3f0000, the OFW uses the SPI flash as a wear-levelling store

  • Labelled test points for taking over the SPI flash:
    spi_reset.jpg

I Attachment Action Size Date Who Comment
HA-P90SD-front-digital.jpgjpg HA-P90SD-front-digital.jpg manage 1580.9 K 09 Feb 2017 - 06:50 UnknownUser  
spi_reset.jpgjpg spi_reset.jpg manage 71.5 K 15 Feb 2017 - 21:24 UnknownUser Labelled test points for taking over the SPI flash
r4 - 02 Apr 2021 - 20:46:07 - UnknownUser

Copyright © by the contributing authors.