I've just bought my first DVD writer, an ASUS DRW-1608P3S, and have been reading the forums trying to get my head around its firmware: partly so I know what I'm doing when I flash it, and partly because I want to (virtually) take it apart and see how it works.
This is what I've come up with - can anyone who knows the drive confirm if these hypotheses are correct?
1. The DRW-1608P3S hardware is identical to the Pioneer DVR-111 (h/w code ATA 0012). In principle, DVR-111 firmware will run on the 1603P3S (see below for practical issues).
2. Chipset is the NEC uPD63645A (digital) / uPC3345 (analogue). The '645A is like the uPD63645
used in the DVR-110, but supports the 3.3V uPC3346 in addition to the 5V uPC3345. It has a V850E1
core, but besides from the architecture manual
(1.7MB PDF) no chipset-specific docs are publically available.
3. In addition to the NEC parts it has 2MB of RAM and 2MB of Flash ROM (Spansion S29AL016D70
in "top boot" configuration).
4. The firmware is divided into kernel (128KB) and normal (~1792KB) parts. The flasher can update just the normal part, or it can place the drive in kernel mode and update the kernel too. However, no public firmware release so far has included a kernel image.
5. The Pioneer flasher UPR111.exe checks the device identification string in the kernel to prevent cross-flashing. Official ASUS firmware comes with a modified flasher UPR11AS.exe that checks for an ASUS kernel. Even if you disable this check in the flasher, the official kernel still disallows cross-flashing of the normal part.
6. So, to cross-flash a DRW-1608P3S with DVR-111 firmware, you need a Pioneer kernel and a modified flasher that will upload it. This is what TDB supply in their 1.06 RPC1
release. Once the Pioneer kernel is installed, the official Pioneer flasher will happily work with it, which is why there's no need for TDB to patch later ASUS firmware releases (just apply 1.06 then the current Pioneer RPC1).
Does the DVR-110 kernel work on the 111? Or have the bros acquired a true 111 kernel? Note that I am not asking how they might have done this
7. The firmware images are encrypted, so you can't just feed them to a V850E1 disassembler. FWIW, the encryption scheme hasn't changed significantly from that used for the 110.
I don't expect anyone to hand me decryption code on a plate, but I'd appreciate a pointer - does decryption happen in the host flasher code, or does the drive kernel decrypt the uploaded image prior to flashing? (The flasher versions I've looked at contain strings like "The F/W scramble mode mismatches the choosen F/W file", which suggests maybe the kernel is involved in the process.)
Any comments or corrections would be appreciated. Thanks!