Pandora 11S RRTV

 Hello,

Pandora 11s rrtv Hacking

In this posts i will try to describe the steps taken to insert more games in pandora 11s rrtv

First some pics of my pandora

Pandora 11s rrtv, has an SD card. The First thing/step i did was a backup of the card.

Backing up the card is easy.

Linux example:

$ dd if=<YOUR SD DEVICE> of=/tmp/backup_pandora_sd_card.bin bs=512

of course /tmp/backup_pandora_sd_card.bin can be any file you want.

if you use windows, you can also and should make a backup of you sd card

Copy the backup to another card. ( my advice sandisk ultra, top white or red bottom grey,  or lexar top white bottom blue)

$ dd  if=/tmp/backup_pandora_sd_card.bin of=<NEW SD DEVICE> bs=512

Test the backup sd card in pandora 11s rrtv, should boot and work.

Second step
Remove SD card lock protection

Has you probably read, Pandora 11s rrdtv locks the sd cards in a read only mode to change the mode to read-write you must use a tool called sdtool ( the link: https://github.com/BertoldVdb/sdtool )

In this step, you MUST have a computer with a pci device sd host controller. 

Command truncated , only some output is shown

# lspci

03:00.2 SD Host controller: JMicron Technology Corp. Standard SD Host Controller

# lspci -v 

03:00.2 SD Host controller: JMicron Technology Corp. Standard SD Host Controller (prog-if 01)

Subsystem: CLEVO/KAPOK Computer Standard SD Host Controller

Flags: fast devsel, IRQ 16

Memory at d8100400 (32-bit, non-prefetchable) [size=256]

Capabilities: [a4] Power Management version 3

Capabilities: [80] Express Endpoint, MSI 00

Capabilities: [94] MSI: Enable- Count=1/1 Maskable- 64bit-

Kernel modules: sdhci_pci

It is very important because sdtool only works if your sd card is identified has an /dev/mmcblk0

Install sdtool, and try 

~/sdtool# ./sdtool 

This program requires two arguments. The first argument is the device to use. The second argument one of the following actions:
  status:   show current write protection setting
  unlock:   disable write protection
  lock:     enable temporary write protection
  permlock: enable permanent write protection
  reset:    send go_idle_state command to all cards

Example: ./sdtool /dev/mmcblk0 lock

Lets try (  always use the backup card )

~/sdtool#./sdtool /dev/mmcblk0 status

[+] Found RCA for /dev/mmcblk0: E624.

[+] Card CSD: 400E00325B590000EDC87F800A4050F1.

[+] Write protection state: Temporary.

Nice card is locked...
lets unlock the card

~/sdtool# ./sdtool /dev/mmcblk0 unlock

[+] Found RCA for /dev/mmcblk0: E624.

[+] Writing CSD.

[+] Write protection state: Off.

lets test

~/sdtool# ./sdtool /dev/mmcblk0 status

[+] Found RCA for /dev/mmcblk0: E624.

[+] Card CSD: 400E00325B590000EDC87F800A4040C3.

[+] Write protection state: Off.

DONE :) SD CARD is in READ-WRITE mode

Third step

mount the sd card in linux 

# fdisk  -l /dev/mmcblk0 

Disk /dev/mmcblk0: 29,7 GiB, 31914983424 bytes, 62333952 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos

Disk identifier: 0xae33ded7

Dispositivo    Inicializar Start      Fim  Setores  Size Id Tipo
/dev/mmcblk0p1 *           65537    98304    32768   16M  e FAT16 W95 (LBA)
/dev/mmcblk0p2             98305 28901376 28803072 13,8G 83 Linux

# mount  -o loop,offset=$((512*98305)),rw /dev/mmcblk0 /mnt/

Fourth step

Browsing in the files, 

# ls /mnt/

 bin  dev  etc  home  lib  linuxrc   lost+found  mnt  proc  sbin  sys  tmp  usr

 

# ls lib/*.bin

lib/3309namelist.bin  lib/gameindex0.bin  lib/gameindex1.bin  lib/gameindex2.bin  lib/gameindex3.bin  lib/gameindex.bin  lib/gl.bin lib/name.bin

# ls usr

emu/  myinit  sd/

# ls usr/emu/

emulotar  music/

# ls  usr/sd

movies/   roms/  romsp/ 

# ls etc/init.d/

rcS

You are now abble to start hacking Pandora 11s rrtv

( lets cd into the sd card ) 

# cd /mnt/

# ls -l 

( you should see something like this )

linuxrc -> bin/busybox

 if so, lets

# cd /mnt/bin/

:/mnt/bin# file busybox 

busybox: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, BuildID[sha1]=1c88ec36f2cac1fe5e0a43e7139265f17e8b2c0c, stripped

( lets change this busybox that i dont trust )

go to https://busybox.net/ and download arm busybox, 

i downloaded busybox-armv7l to /tmp/ :  download link:  https://busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-armv7l

(lets copy busybox-armv7l to bin folder)

# cp /tmp/busybox-armv7l /mnt/bin/

# cd /mnt/bin/

(rename the origianl busybox to busybox_orig)

# mv busybox busybox_orig

( make a sym link to the busybox-armv7l )

# ln -s busybox-armv7l busybox

( if you make an ls -alh the link will be correctly displayed, every file now points to busybox , and busybox points to busybox-armv7l)

# cd /mnt/

# ls -l linuxrc 

linuxrc -> bin/busybox

( Unmount the card and try to boot pandora again, if it boots and you can play lets continue )

 

Dont forget, every time you boot pandora you have to unlock the card with sdtool

lets fingerprint the pandora system

in the file /etc/init.d/rcS you may have something like

#!/bin/sh

/bin/hostname -F /etc/hostname

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin

exec /usr/myinit

# end of file

What i did was 

insert a bunch of commands so i can undertstand what kind of systema pandora is.

#!/bin/sh

/bin/hostname -F /etc/hostname

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin

#### DEBUG file rcS  #####

# remount in rw

mount -o remount, rw /

# make debug test dir

mkdir -p /home/zhang/t

fdisk -l  2>&1 >> /home/zhang/t/fdisk.log 

df / 2>&1 >> /home/zhang/t/df.log

du -sch  / 2>&1 >> /home/zhang/t/du.log

lspci   2>&1 >> /home/zhang/t/lspci.log

lsusb   2>&1 >> /home/zhang/t/lsusb.log

dmesg   2>&1 >> /home/zhang/t/dmesg.log

ls -R /proc 2>&1 >> /home/zhang/t/lsR_proc.log

ls -R /proc 2>&1 >> /home/zhang/t/ls_proc.log

ls -R /sys 2>&1 >> /home/zhang/t/ls_sys.log

ls -R /dev 2>&1 >> /home/zhang/t/ls_dev.log

ls -R /tmp 2>&1 >> /home/zhang/t/ls_tmp.log

ls -R / 2>&1 >> /home/zhang/t/ls_root.log

free 2>&1 >> /home/zhang/t/free_dev.log

#/bin/vp  >> /home/zhang/t/vp.log # media player

/bin/busybox --list   2>&1 >> /home/zhang/t/busybox_em_uso.log

uname -a > /home/zhang/t/uname.log

############### END OF DEBUG file rcS ###################

exec /usr/myinit

#end of file

Save the file, put the card in pandora 11s rrtv and i get this in /home/zhang/t/

And this is strange

 /home/zhang/t/

# cat df.log

Filesystem           1K-blocks      Used Available Use% Mounted on

# cat du.log

12.8G /

12.8G total

# cat free_dev.log 

              total        used        free      shared  buff/cache   available

Mem:                 total        used        free      shared  buff/cache   available

#cat ls_dev.log

/dev:

console

pty

ptya0

ptyp0

ptyp1

ptyp2

ptyp3

tty

tty1

tty2

tty3

tty4

tty5

tty6

tty7

tty8

ttyp0

ttyp1

ttyp2

ttyp3

#cat ls_proc.log 

/proc:

# cat ls_sys.log 

/sys:

# cat dmes.logcat ls_tmp.log 

/tmp:

# cat uname.log 

Linux hhh 3.4.39-h3 #484 SMP PREEMPT Tue Jul 10 12:17:40 CST 2018 armv7l GNU/Linux

Not as much info has i hopped for.

TODO : compile an emulator for H3 devices, and test. Havent done that ( 27/4/21)

lets continue...

Go into the lib dir

and rename all the bin files, i am currently working with gl.bin

rename the files as an example to

gameindex0.bin_orig
gameindex1.bin_orig
gameindex2.bin_orig

gameindex3.bin_orig

gameindex.bin_orig

gl.bin_orig

name.bin_orig

3309namelist.bin_orig

Now delete all the bin files. Put the card back in the Pandora 11s rrtv and you can play the games, but the menu list disapeared.
hypotheses: same games are harcoded in the emulotar

After playing arround i decided to dedicate my time to gl.bin, and in that file i can insert more games.

But only games that are in romsp dir and util now for PSX

Remeber the dir /usr/sd, rom and romsp are the dirs where the games are placed.

rom for md games  and mame games

romsp PSX games.

SPOILLER: I CAN ONLY INSERT GAMES FROM PSX.

The gl.bin file is an HEX file , and each entry for each game is 52bytes long

touch gl.bin, # make an empty gl.bin, and open and copy the 52 bytes need from gl.bin_orig.

 

From  0 - 3 bytes ( 4 bytes ) 

Header 

( Cant understand what it does if i change the header the game boots )

From  4 - 18 (15 bytes)  

game name.. 

( must have the same name as the file name in romsp )

from  18 - 51 (emulator bytes)          

( maybe emulator bytes )

Lets show an example..Number one

                                                                                gl.bin

04  : bytes H...

15 :  bytes mk5....... and so on

the rest...of bytes

In the file system i have

/mnt/usr/sd/romsp# ls mk5.bin 

mk5.bin

So this way i can boot mk5, that in fact is a link to the already installed game mk4

# ls -l

mk5.bin -> ../romsp_ORIG/mk4.bin

lets check the file with the file command.

# file ../romsp_ORIG/mk4.bin 

../romsp_ORIG/mk4.bin: AIX core file fulldump 32-bit 64-bit

Conclusion... you can download any PSX bin game, copy the game to the romsp folder, change the name in the gl.bin entry, and it is done.

Lets show an example..Number two

04  : bytes F... ( notice the change, with F or whitout F the game boots ? )

15 :  bytes kzone....... and so on

the rest...of bytes differente from the previous example

I think this loads PSX files CUE files, example kzone ( is the game kill zone )

Important, the game bin files, and cue file cant have spaces. So i change the name to kzone

The content of the cue file, must always be changed to the same names of the files, example of the cue file

# cat kzone.cue

FILE "kzone1.bin" BINARY

  TRACK 01 MODE2/2352

    INDEX 01 00:00:00

FILE "kzone2.bin" BINARY

  TRACK 02 AUDIO

    INDEX 00 00:00:00

    INDEX 01 00:02:00

FILE "kzone3.bin" BINARY

  TRACK 03 AUDIO

    INDEX 00 00:00:00

    INDEX 01 00:02:00

FILE "kzone4.bin" BINARY

  TRACK 04 AUDIO

    INDEX 00 00:00:00

    INDEX 01 00:02:00

FILE "kzone5.bin" BINARY

  TRACK 05 AUDIO

    INDEX 00 00:00:00

    INDEX 01 00:02:00

.............

In the filesytem in the romsp

:/mnt/usr/sd/romsp# ls kzone*

kzone10.bin  kzone13.bin  kzone16.bin  kzone19.bin  kzone21.bin  kzone24.bin  kzone27.bin  kzone2.bin   kzone32.bin  kzone3.bin  kzone6.bin  kzone9.bin

kzone11.bin  kzone14.bin  kzone17.bin  kzone1.bin   kzone22.bin  kzone25.bin  kzone28.bin  kzone30.bin  kzone33.bin  kzone4.bin  kzone7.bin  kzone.cue

kzone12.bin  kzone15.bin  kzone18.bin  kzone20.bin  kzone23.bin  kzone26.bin  kzone29.bin  kzone31.bin  kzone34.bin  kzone5.bin  kzone8.bin

See the relation between names .... file name and name inside the cue, must be the same.

Put the card back in Pandora 11s rrtv, it will boot and can play games. But you cant read the name of the game :)  work in progress. Example silent Hill , also a PSX " cue " game