GU10N, T40L firmware reverse engineering, questions


#1

I am looking into reverse engineering (and eventually modifying) the firmware on my HLDS drives: two GU10N (one Dell OEM, one Lenovo OEM) and GSA-T40L. Both drives have R8J320xx controllers, with an h8s-based controller very similar to the GSA-T21N discussed in “How to disassemble GSA-T21N Firmware”, up to having very similar-looking memory maps.

My end goal, hopefully, is to gain control of the voice coil and sled motors.

So far, I have modified the firmware, but haven’t yet attempted to execute code. To execute code on the h8s, I plan to take the same approach as coastermelt (https://github.com/scanlime/coastermelt) and change an undefined SCSI command table entry to point to custom code which I will add near the end of the firmware.

Poking around in the firmware looking for strings, I notice what appears to be a firmware header part way through the main firmware, which is identical to the one at the start of main firmware at 0x410000. Right after the header is the string “RTOS(RX850) for DVDRAM GSA-T40L k001.05.03.00a”. RX850 is an RTOS for the NEC/Renesas v850, which suggests that there might be a v850 in the controller.

Does this drive actually have a v850 in addition to the main h8s? I know that some early HLDS DVD drives such as the GSA-4040B have a vx850 in them, according to the HLDS table and LG’s service manual. It’s possible, I suppose, that the string is a remnant of previous firmwares which did run on v850e cpus.

Unfortunately, no such service manual exists for my drives, or as far as I can tell, any drive after the DSP/CPU and the analog front end (AFE) were merged. None of the manuals I found describe the DSP itself in any detail. In the v850-based drives, the DSP was on an LSI chip separate from the CPU. This chip also takes care of DRAM and IDE interfaces.

I don’t think it’s a high enough quality decap to be useful in any way, but there are die photos of the GU10N controller R8J32040FPV2 at https://www.experimental-engineering.co.uk/ic-decap-renesas-r8j32040fpv2-dvd-drive-controller/.

Does anyone have any information on these drives, or ideas of next steps to take?
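
An added example, not part of the original post: one way to confirm a duplicated header in a firmware dump is to search the image for further copies of its leading bytes and read the first printable string after each copy. The 32-byte header length, the header contents and the sample image are constructed assumptions; only the 0x410000 base and the RTOS string come from the post.

```python
import re

BASE = 0x410000  # address of the start of the main firmware, as stated in the post


def find_header_copies(image: bytes, header_len: int, base: int = BASE) -> list:
    """Addresses of every copy of the image's first header_len bytes."""
    header = image[:header_len]
    hits, pos = [], image.find(header)
    while pos != -1:
        hits.append(base + pos)
        pos = image.find(header, pos + 1)  # step by one so overlapping copies are seen
    return hits


def first_string_after(image: bytes, offset: int, window: int = 256, min_len: int = 8):
    """First printable-ASCII run of at least min_len bytes within window bytes of offset."""
    m = re.search(rb"[\x20-\x7e]{%d,}" % min_len, image[offset:offset + window])
    return m.group().decode("ascii") if m else None


def scan(image: bytes, header_len: int, base: int = BASE) -> list:
    """(address, string following the header) for each header copy after the first."""
    return [(addr, first_string_after(image, addr - base + header_len))
            for addr in find_header_copies(image, header_len, base)[1:]]


# Constructed sample: the real header layout and length are not given in the post.
HEADER_LEN = 32  # assumption
SAMPLE_HEADER = b"HDR0" + bytes(range(28))  # constructed placeholder header
RTOS_TAG = b"RTOS(RX850) for DVDRAM GSA-T40L k001.05.03.00a"  # string quoted in the post
SAMPLE = (SAMPLE_HEADER + b"\xff" * 0x100      # first header plus constructed padding
          + SAMPLE_HEADER + b"\x00\x00" + RTOS_TAG + b"\x00"
          + b"\xff" * 0x40)

if __name__ == "__main__":
    for addr, text in scan(SAMPLE, HEADER_LEN):
        print(f"header copy at {addr:#x}: {text!r}")
```

On a real dump, pass the file's bytes and try several header lengths; a match that survives only at short lengths is more likely a shared magic value than a second full header.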


#2

I have gained code execution, using the same method as coastermelt. I am going to make the interface a bit nicer, and attempt to execute code from a RAM area so I don’t have to keep reflashing firmware.

I am pretty sure that there is some kind of h8sx/1600 series cpu inside this. From the datasheets I’ve looked at, they appear pretty similar. Unfortunately, it appears as if the datasheets I’ve looked at don’t correspond directly to this chip. I’ll have a look through all of them later to see if anything matches more closely.