Hacking the Popcorn Hour C-200

Update: A new firmware version has been released since the publication of this article. I do not know if the procedure described below will work with the new version.

The Popcorn Hour C-200 is a Linux-based media player with impressive specifications. At its heart is a Sigma Designs SMP8643 system on chip with a 667MHz MIPS 74Kf as main CPU, several co-processors, and 512MB of DRAM attached. Gigabit Ethernet, SATA, and USB provide connectivity with the world around it. With a modest $299 on the price tag, the temptation to repurpose the unit as a low-power server or cheap development board is hard to resist. This article shows how such a conversion can be achieved.


The PCH runs a patched Linux kernel. A source tarball is available from the manufacturer. This contains the sources with Sigma support patches, Con Kolivas’ patch set (scheduler tweaks), and assorted unrelated changes. Properly split patches are unfortunately not available. I have created a reduced patch against vanilla with only Sigma-specific changes, available here.

The installed kernel has a number of features disabled, notably PTY support and oprofile. We will use kexec to load a more friendly one.

As might be expected, the PCH kernel does not have kexec support enabled. It does however, by virtue of using closed-source components, support module loading. This lets us turn kexec into a module and load it. A patch for this is available here. To build the module, apply the patch to the PCH sources and build using this configuration. This will produce two modules, kexec.ko and mips_kexec.ko. No other products of this build will be needed.

The replacement kernel can be built from the PCH sources or, if one prefers, from vanilla with the Sigma-only patch. For the latter case, this config provides a minimal starting point suitable for NFS-root.

When configuring the kernel, make sure CONFIG_TANGOX_IGNORE_CMDLINE is enabled. Otherwise the command line will be overridden by a useless one stored in flash. A good command line can be set with CONFIG_CMDLINE (under “Kernel hacking” in menuconfig) or passed from kexec.

Taking control

In order to load our kexec module, we must first gain root privileges on the PCH, and here a few features of the system are working to our advantage:

  1. The PCH allows mounting any NFS export to access media files stored there.
  2. There is an HTTP server running. As root.
  3. This HTTP server can be readily instructed to fetch files from an NFS mount.
  4. Files with a name ending in .cgi are executed. As root.

All we need do to profit from this is place the kexec modules, the kexec userspace tools, and a simple script on an NFS export. Once this is done, and the mount point configured on the PCH, a simple HTTP request will send the old kernel screaming to /dev/null, our shiny new kernel taking its place.

The rootfs

A kernel is mostly useless without a root filesystem containing tools and applications. A number of tools for cross-compiling a full system exist, each with its strengths and weaknesses. The only thing to look out for is the version of kernel headers used (usually a linux-headers package). As we will be running an old kernel, chances are the default version is too recent. Other than this, everything should be by the book.

Assembling the parts

Having gathered all the pieces, it is now time to assemble the hack. The following steps are suitable for an NFS-root system. Adaptation to a disk-based system is left as an exercise.

  1. Build a rootfs for MIPS 74Kf little endian. Make sure kernel headers used are no more recent than 2.6.22.x. Include a recent version of the kexec userspace tools.
  2. Fetch and unpack the PCH kernel sources.
  3. Apply the modular kexec patch.
  4. Using this config, build the modules and install them as usual to the rootfs. The version string must be
  5. From either the same kernel sources or plain with Sigma patches, build a vmlinux and (optionally) modules using this config. Modify the compiled-in command line to point to the correct rootfs. Set the version string to something other than in the previous step.
  6. Copy vmlinux to any directory in the rootfs.
  7. Copy kexec.sh and kexec.cgi to the same directory as vmlinux.
  8. Export the rootfs over NFS with full read/write permissions for the PCH.
  9. Power on the PCH, and update to latest firmware.
  10. Configure an NFS mount of the rootfs.
  11. Navigate to the rootfs in the PCH UI. A directory listing of bin, dev, etc. should be displayed.
  12. On the host system, run the kexec.sh script with the target hostname or IP address as argument.
  13. If all goes well, the new kernel will boot and mount the rootfs.

Serial console

A serial console is indispensable for solving boot problems. The PCH board has two UART connectors. We will use the one labeled UART0. The pinout is as follows (not standard PC pinout).

       2| * * * * * |10
       1| * * * * * |9
          J7 UART0
    /---------------------/ board edge
Pin Function
1 +5V
5 Rx
6 Tx
10 GND

The signals are 3.3V so a converter, e.g. MAX202, is required for connecting this to a PC serial port. The default port settings are 115200 bps 8n1.

Bookmark the permalink.

22 Responses to Hacking the Popcorn Hour C-200

  1. boudicca says:

    Mind Blowing….Well Done !

  2. Neat. Let me know when you need a new FATE machine ID and config ID for running FFmpeg build/test cycles on the Popcorn Hour. :-)

  3. Would this work for A200 as well?

  4. Alex says:

    Could this in theory boot the Android kernel with directfb and other goodies from the Arriba development kit ?

    If so one could be running Android on this bad boy soon!

  5. Alex says:

    It holds a full Eclipse development kit, which builds kernel & images to boot from NFS and run Android (1.6-2.1) with. I built the kernel and filesystem as a test before, but have no access to it right now (It’s a long weekend off, i am not at my home pc. I got stuck at the point where Yamon refused to boot it on production hardware since it was not signed.)

    The kernel itself is mostly open, with some closed-source MRUA .ko files. An example (hardware-accelerated?) mediaplayer for the Android OS on sigma boxes is included as well.

  6. Alex says:

    The site is back up, for those that may be interested. It’s not mine, but visiosofts’. Guess they had problems this weekend on the server. There’s several bootlogs on the bug tracker and some screenshots as well. If i find some real time, i might try your work on my 865x :) Thanks for the hack!

  7. Andy says:

    There is a problem though: your config (http://hardwarebug.org/files/pch_hack/kernel_config) doesn’t work for vanilla kernel (at least from linux-mips.org).

  8. Andy says:

    Thanks, a lot, I’ve successfully built the kernel. But loading it with kexec userspace tool (latest version from kernel.org, 2.0.1) fails with

    Invalid memory segment 0x4000000 – 0x42d3fff

    What kexec binary did you use?

  9. Pingback: ANSI FATE | Breaking Eggs And Making Omelettes

  10. wojci says:

    I build some software for my C-200 and documented it here:
    http://code.google.com/p/popcorn-bld/wiki/Readme. I hope that others can find it useful. I added a pty module and I was able to start an ssh server (dropbear).

  11. Catalin says:

    I am just wondering about if you can advice me how to repair a non booting Popcorn Hour A300.
    Maybe via jtag or something.
    The box power up. nothing shows on screen.
    Power led goes white like should be.
    The only thing I can do from remote is long press power for hardware reset in order to autodetect video output connected. that way box goes off and I can power it back from remote. but software is not loading. usb devices are not accessed since I use a usb stick with a led equipped. usb stick is not accessed. I wrote them a ticket but they told me to try a forced firmware writing method by shortcut those two pins on jtag. obviously not working since usb is not accessed, therefore box is not going to load anything from usb stick. maybe one of you smart guys can help me since the PCH support team is useless

  12. Pingback: Popcorn Hour revisited - Hardwarebug

  13. Stoka says:

    Could anyone help me downgrade C200 firmware back to first original firmware please to hopefully remove Cinavia and 3D stop play

  14. Liviu says:

    I’m trying to do the same with a A-110.
    I connected the UART to the PC with a TTL-USB 3.3v converter, I see the boot messages from the A-110, but when the messages stop I don’t have a shell running on the console.
    Is that normal? Can I run a shel and how can I do this?
    Thank you

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.