A closer look at Pandora's box 4S
A closer look at these Chinese boxes.
For this example I will use a public dump called pb4sfix.img. This one appears to be unencrypted.
The SD card.
Disk pb4sfix.img: 7,2 GiB, 7744782336 bytes, 15126528 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x14e65c89
Device Boot Start End Sectors Size Id Type
pb4sfix.img1 2048 609929 607882 296,8M 83 Linux
pb4sfix.img2 609930 15126527 14516598 6,9G 83 Linux
Quick and dirty mounter script:
mount -o rw,loop,offset=1048576 pb4sfix.img ./test
mount -o rw,loop,offset=312284160 pb4sfix.img ./test2
You can calculate the offset by doing start * 512. (2048*512=1048576 for example.)
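The start * 512 arithmetic can also be read straight from the image's DOS partition table. This is an added example, not part of the original post: it parses the four primary entries at byte 446 of sector 0 and prints read-only, size-bounded loop mounts. The function names are hypothetical, the sample sector is constructed from the fdisk listing above, and the ro and sizelimit options are choices made here to keep the dump unmodified.

```shell
#!/bin/sh
# le32 FILE OFFSET: little-endian 32-bit value stored at byte OFFSET.
le32() {
    set -- $(od -An -t u1 -j "$2" -N 4 "$1")
    [ $# -eq 4 ] || return 1
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# part_offsets IMG: "index type start_sector byte_offset size_bytes" per used entry.
part_offsets() {
    img=$1
    # A DOS disklabel ends sector 0 with the bytes 0x55 0xAA.
    sig=$(od -An -t x1 -j 510 -N 2 "$img" | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "no DOS partition table: $img" >&2; return 1; }
    n=0
    while [ "$n" -lt 4 ]; do
        entry=$((446 + 16 * n))            # four 16-byte entries start at byte 446
        n=$((n + 1))
        ptype=$(od -An -t u1 -j $((entry + 4)) -N 1 "$img" | tr -d ' \n')
        [ "$ptype" -eq 0 ] && continue     # type 0 marks an unused slot
        start=$(le32 "$img" $((entry + 8))) || return 1
        count=$(le32 "$img" $((entry + 12))) || return 1
        printf '%d 0x%02x %d %d %d\n' "$n" "$ptype" "$start" \
            $((start * 512)) $((count * 512))
    done
    return 0
}

# mount_cmds IMG: print one read-only loop mount per partition, bounded to its size.
mount_cmds() {
    part_offsets "$1" | while read -r idx ptype pstart off size; do
        echo "mount -o ro,loop,offset=$off,sizelimit=$size $1 ./p$idx"
    done
}

# Constructed sector 0 carrying the two entries from the fdisk listing (CHS fields zeroed).
make_sample_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    # entry 1: type 0x83, start 2048, 607882 sectors
    printf '\000\000\000\000\203\000\000\000\000\010\000\000\212\106\011\000' | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    # entry 2: type 0x83, start 609930, 14516598 sectors
    printf '\000\000\000\000\203\000\000\000\212\116\011\000\166\201\335\000' | dd of="$1" bs=1 seek=462 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

sample=$(mktemp)
make_sample_mbr "$sample" && mount_cmds "$sample"
rm -f "$sample"
```

Run against the real dump, mount_cmds pb4sfix.img prints the commands to paste into a root shell; the script itself never mounts anything.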
Kernel Boot
The first partition holds kernels, configfiles and script.bin. The latter is a parameter file for the A13 platform that the Pandoras run on. Sectors 0-2048 of this SD card are reserved for U-Boot. (I have seen a few different Pandora SD cards where the first partition starts later on, but that is beyond the scope of this post.)
At boot, the script inside U-Boot you can see here reads the GAME parameter and boots the kernel accordingly. This parameter can be changed at boot by holding 1P start and 1P shot 1 until a board selection screen appears.
There are several other parameter files:
bi = 4 bytes, function unknown
forcevga = 4 bytes, 1 or 0.
game = 4 bytes, pb4s, kzbw, or mame
lang =
xmame.game = may contain a romname for launching.
For now, let's assume we're booting pb4s.
Init
After the kernel is loaded and booting, the second partition is mounted as the root filesystem (/dev/mmcblk0p2). It is a basic Busybox system. Then /etc/init.d/rcS is parsed.
mount -t vfat /dev/mmcblk0p1 /usr/sd1
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
export QWS_DISPLAY=LinuxFb:/dev/fb0
export QTDIR=/root/real210/qt3
/usr/emu/runGame &
Nothing special. Let's see about runGame. This is a big beast of a file, so I only include the parts relevant for $GAME=pb4s at this point.
# main loop
while true;
do
    rm -f /tmp/libnsxs.so
    cp /tmp/configfile /usr/sd1/configfile.last.$GAME; sync
    # read one byte at offset 538 of the configfile; its low nibble selects the library
    EMU0=`od -t d -N 1 -j 538 /tmp/configfile | head -n 1 | awk '{print $2}'`
    EMU=$(( $EMU0 & 15 ))
    #switch game emulator
    if [ $EMU -eq 0 ]; then
        ln -sf /lib/$GAME/libnsxas.so /tmp/libnsxs.so
    elif [ $EMU -eq 1 ]; then
        ln -sf /lib/$GAME/libnsxcs.so /tmp/libnsxs.so
    elif [ $EMU -eq 2 ]; then
        ln -sf /lib/$GAME/libnsxns.so /tmp/libnsxs.so
    elif [ $EMU -eq 3 ]; then
        ln -sf /lib/$GAME/libnsxnsa.so /tmp/libnsxs.so
    elif [ $EMU -eq 4 ]; then
        ln -sf /lib/$GAME/libnsxnsap.so /tmp/libnsxs.so
    elif [ $EMU -eq 5 ]; then
        ln -sf /lib/$GAME/libnsxnx.so /tmp/libnsxs.so
    else
        # any other value falls back to the same library as 0
        ln -sf /lib/$GAME/libnsxas.so /tmp/libnsxs.so
    fi
    # run whatever /tmp/libnsxs.so now points at; arguments depend on /lib/pb4s/home, $EMU and $MODE
    if [ "`cat /lib/pb4s/home `" -eq "1" ]; then
        if [ $EMU -eq 5 ]; then
            ( cd /tmp && ./libnsxs.so btime )
        else
            if [ $MODE -eq 0 ]; then
                ( cd /tmp && ./libnsxs.so -qws 52 800 600 )
            else
                ( cd /tmp && ./libnsxs.so -qws 52 384 224 )
            fi
        fi
    else
        if [ $EMU -eq 5 ]; then
            ( cd /tmp && ./libnsxs.so tankfrce )
        else
            if [ $MODE -eq 0 ]; then
                ( cd /tmp && ./libnsxs.so -qws 54 800 600 )
            else
                ( cd /tmp && ./libnsxs.so -qws 54 384 224 )
            fi
        fi
    fi
done
# the excerpt ended with a "}" closing an enclosing function whose opening line is not shown
There are some interesting things before we get to this point that I skipped over. The binary /usr/emu/gameselectmenu is called (with -m $MODE), and also the binary /usr/emu/testHD.
The gameselectmenu allows switching between pandora/xmame/pb4s mode. The testHD binary is likely for the HDMI implementation. An HDMI version of PB4S exists, built into a control panel for direct use on an HDTV.
Of more interest is the file '/usr/emu/getkey3m', which runs as part of the init.
Earlier versions of Pandora used a 'jamma.ko' loadable kernel object, and getkey seems to use GPIO to get input keys, or perhaps transfer coins or something. It reads/writes to /usr/sd1/bi, /dev/mem, /dev/i2c-0 and /dev/ttyS1. The exact use of this is unclear, as I don't have the box yet :)
With all that out of the way, we are on our way to /tmp/libnsxs.so... or whatever is linked symbolically at that point. See you next post!

1 comment:
Hi, how can I contact you? I'm debugging a pandorabox4s to solve a sync problem with a CRT arcade monitor