How to fix a bricked Chinese UC40 projector

December 1, 2015

0 minute read

A friend of mine was enjoying his Chinese UC40 projector, but for some strange reason, the manufacturer figured that it would be a nice feature to watermark the projected image. So he decided to upgrade this beamer with what turned out to be a incompatible image.

"A watermark in your projected image... not great"

So when he encountered a supposed update for his projector (which was hosted on Facebook), which made the watermark optional, he took a leap of faith…. and was disappointed, the watermark was gone, but also the rest of his projector functionality, he bricked it.

So he inquired as to what his options where, grabbed some beer, and started googling like mad-men.

We assumed there where two possible reasons as to why the projector didn’t function anymore:

The firmware was in contrast to it’s description, not meant for this hardware
The projector failed to flash the file into his flash properly

So we started prying open the case to look for the components that may give some hints, as to how to revert to a working device

"visual inspection"

What we found was rather intrestring:

A standard SOIC SPI flash, Macronix
Some CPU
A FPGA (Altera), which presumably acts as either video decoder, or video card, to control the LCD panel

Using a SPI-reader/write (the bus-pirate), with beta-firmware to speed-up the read/writes, we dumped the information. But any programmer, supported by Flashrom, will do!, so a spare Arduino, will do the trick, just check if it is 3.3 volt :P/

Comparing the the flashed file, as well as size of the image residing in the SPI-flash, revealed some interesting hypothesis:

"Chaos..."

Either the firmware only updates the CPU stuff assuming the latter part in the SPI-flash, contains the FGPA-image, or this is a completely different device.

"mmm, the new firmware does contain considerabele more data"

Assuming that the firmware file, retrieved from Facebook clearly wasn’t a full SPI-flash, we searched on, with result! We found some Russian electronics forum, which contained a full dump of a Tronfy projector (which striking similarities). This file did contain the latter part of what remained in the SPI flash.

"spot the differences"

Removing the SPI flash (due to inconsistent dump), and attaching it to the bus pirate gave consistent reads from the chips’s data.

"Chip downloading with my chromebook"

writing back the Russian version, made the projector project again, with a Russian Menu.

"Its running again"

Some interesting observations made. When using binwalk, there are Tiff images, which make up the boot-screen,

the firmware: [download id=“5”]

Final results:

The projector works
The watermark is still there.
But we probably will dive into the firmware one more time, in order to remove the watermark. Presumably it is a bitmap, with some color, used for the transparent background. Duplicating those ‘colors’ to the white ‘UNIC’ letters will take care of things.
We fixed the firmware, without buying any new parts :)

post

Home

About

Categories

Recent Posts

Making a cute thermometer

Sniffing my Volvo's multimedia bus to get custom text on the screen

Let there be Source; Milight alternative firmware

Doing some RF spectrum analyser stuff