Commit a9fbb9ae authored by Chipp Jansen

edits on bootloader

parent 92310eb9
......@@ -82,7 +82,7 @@ For connecting to and re-programming the device (Section \ref{sec:rooting-device
\item Mouse, keyboard and monitor peripherals
\end{itemize}
A note about the SD-CARD for the NEOS SmartCamera. The device is sensitive to having a SD-CARD of 512MB in size (very small!). Instead of having an old and small SD-CARD, one can create a 512MB partition on a larger SD-CARD, but the camera will only be able to access this small partition.
A note about the SD-CARD for the NEOS SmartCamera. The device is sensitive to having a SD-CARD of 512MB in size (very small!). Instead of having an old and small SD-CARD, one can create a 512MB partition on a larger SD-CARD, but the camera will only be able to access this small partition.
As an alternative to using the Raspberry PI, you can use a laptop with a USB to TTL Serial cable, also known as a Serial Console cable \footnote{\url{https://www.adafruit.com/product/954}}.
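Review bot: "The device is sensitive to having a SD-CARD of 512MB in size" in the SD-CARD note does not say whether 512MB is an exact requirement or an upper limit. The following sentence implies the camera can only use a card or partition of that size, so state that directly and say which of the two it is. The removed and added lines read the same as rendered here; if this is a whitespace-only change, it would be cleaner kept out of a commit titled "edits on bootloader".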
......@@ -146,7 +146,7 @@ From our research online, we can find the main processor of the NEOS, which is t
\subsubsection{Tear-down}
Here's a step-by-step tear down of the device.
Here's a step-by-step tear down of the device.
%
% Opening the case
......@@ -268,7 +268,7 @@ With a fingernail or very gently with a spudger, unplug the antenna (highlighted
\label{fig:open-antenna-unplugged}
\end{figure}
In order to remove the electronics assembly from the case, unscrew the third screw which is located at the bottom of a plastic screw well (Figure \ref{fig:open-third-screw}). You will need a longer necked Phillips screw-driver (Figure \ref{fig:open-third-screw-driver}).
In order to remove the electronics assembly from the case, unscrew the third screw which is located at the bottom of a plastic screw well (Figure \ref{fig:open-third-screw}). You will need a longer necked Phillips screw-driver (Figure \ref{fig:open-third-screw-driver}).
\begin{figure}[h!]
\centering
......@@ -301,7 +301,7 @@ In the case that you screw driver does not reach the screw, you might have to cu
\end{figure}
\paragraph{Disassemble the internals boards}
Now you can lift the electronics assembly out of the case. You will see that there is an internal plastic mount with three circuit boards sandwiching it (Figure \ref{fig:assembly}).
Now you can lift the electronics assembly out of the case. You will see that there is an internal plastic mount with three circuit boards sandwiching it (Figure \ref{fig:assembly}).
\begin{figure}[h!]
\centering
......@@ -310,7 +310,7 @@ Now you can lift the electronics assembly out of the case. You will see that th
\label{fig:assembly}
\end{figure}
Next, remove two screws from the USB side (Figure \ref{fig:assembly-usb-top}) and from the camera side of the assembly (Figure \label{fig:assembly-camera-bottom}).
Next, remove two screws from the USB side (Figure \ref{fig:assembly-usb-top}) and from the camera side of the assembly (Figure \label{fig:assembly-camera-bottom}).
Start unwrapping the assembly by lifting the camera side off and unplugging the camera module's power plug (Figure \ref{fig:assembly-camera-remove}).
\begin{figure}[h!]
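Review bot: The camera-side cross-reference in the sentence beginning "Next, remove two screws" is written as \label{fig:assembly-camera-bottom} where \ref is needed, so no figure number is printed there and a label is defined in running text instead. Since this line is being touched anyway, change it to (Figure \ref{fig:assembly-camera-bottom}) and check that the figure environment itself carries that label.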
......@@ -334,7 +334,7 @@ Start unwrapping the assembly by lifting the camera side off and unplugging the
\label{fig:assembly-camera-remove}
\end{figure}
Remove the middle board from the plastic mounting bracket by unscrewing only the two outer screws (Figure \ref{fig:assembly-middle-board}). Do not remove the interior screws. They hold the camera module in place, and removing them might disturb the alignment of the camera optics.
Remove the middle board from the plastic mounting bracket by unscrewing only the two outer screws (Figure \ref{fig:assembly-middle-board}). Do not remove the interior screws. They hold the camera module in place, and removing them might disturb the alignment of the camera optics.
\begin{figure}[h!]
\centering
......@@ -358,7 +358,7 @@ Let's take a closer look at each of the boards. When investigating new hardware
\textcolor{red}{TODO - Tour of top/bottom of each board}
Figure \ref{fig:guts-middle-board} is the top of the USB board. In the upper right-hand corner of the board are three through-hole solder pads in a row. This is a good indication of a debug port in the form of a serial port, formally known as a UART (Universal Asynchronous Receiver and Transceiver) port \footnote{\url{https://en.wikipedia.org/wiki/Universal_asynchronous_receiver-transmitter}}.
Figure \ref{fig:guts-middle-board} is the top of the USB board. In the upper right-hand corner of the board are three through-hole solder pads in a row. This is a good indication of a debug port in the form of a serial port, formally known as a UART (Universal Asynchronous Receiver and Transceiver) port \footnote{\url{https://en.wikipedia.org/wiki/Universal_asynchronous_receiver-transmitter}}.
% TODO - new picture WITHOUT the soldered headers.
\begin{figure}[h!]
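Review bot: The UART expansion in the debug-port paragraph, "Universal Asynchronous Receiver and Transceiver", does not match the term used by the footnoted URL, which spells it receiver-transmitter; write "Universal Asynchronous Receiver-Transmitter". The space before \footnote also leaves a gap in front of the footnote mark, and the red "TODO - Tour of top/bottom of each board" line above it is still in the text.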
......@@ -379,7 +379,7 @@ Figure \ref{fig:guts-middle-board} is the top of the USB board. In the upper ri
\label{fig:guts-debug-port}
\end{figure}
\paragraph{Connect debug port to Raspberry PI} The three pins on the NEOS are Ground (bottom), Data Receive (RX), Data Transmit (TX). We will connect these to the UART on the Raspberry Pi using the clip headers.
\paragraph{Connect debug port to Raspberry PI} The three pins on the NEOS are Ground (bottom), Data Receive (RX), Data Transmit (TX). We will connect these to the UART on the Raspberry Pi using the clip headers.
In order to communicate properly, the Data Transmit (TX) on the NEOS needs to be connected to the Data Receive (RX) on the Raspberry Pi, and vice versa. Table \ref{tbl:connections} for the connection mapping, as well as Figures \ref{fig:debug-port-connect} and \ref{fig:rpi-connect}.
% https://pinout.xyz/pinout/uart#
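Review bot: The context line "Table \ref{tbl:connections} for the connection mapping, as well as Figures ..." has no verb; start it with "See Table \ref{tbl:connections}". The paragraph title uses "Raspberry PI" while the body uses "Raspberry Pi", so pick one spelling while editing this paragraph.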
......@@ -394,7 +394,7 @@ Also, an important thing to consider here is the operating voltages of the board
NEOS Pin & On NEOS & cable color & RPI Pin & On RPI \\
Ground Pin & bottom pad & black & Ground (GND) & Pin 6 \\
RX Pin & center pad & white & TX (GPIO14) & Pin 8 \\
TX Pin & top (corner) pad & grey & RX (GPIO15) & Pin 10
TX Pin & top (corner) pad & grey & RX (GPIO15) & Pin 10
\end{tabular}
\caption{Connections between the NEOS and the Raspberry PI}
\label{tbl:connections}
......@@ -433,36 +433,117 @@ The other argument that we need to give screen is the speed that the serial port
screen /dev/serial0 115200
\end{verbatim}
Once you turn on the device, and you start seeing the output, you have access to the debug console of the device. You'll see something like this output.
Once you turn on the device, and you start seeing the output, you have access to the debug console of the device. You'll see some output that starts like this:
\begin{verbatim}
TODO - Output here.
U-Boot SPL 2013.07 (Jul 05 2018 - 13:33:27)
pll_init:365
l2cache_clk = 375000000
pll_cfg.pdiv = 8, pll_cfg.h2div = 4, pll_cfg.h0div = 4, pll_cfg.cdiv = 1, pll_cfg.l2div = 3
nf=36 nr = 1 od0 = 1 od1 = 1
cppcr is 02404900
CPM_CPAPCR 0470890d
nf=42 nr = 1 od0 = 1 od1 = 1
cppcr is 02a04900
CPM_CPMPCR 07d0c90d
nf=50 nr = 1 od0 = 1 od1 = 1
cppcr is 03204900
CPM_CPVPCR 0320490d
cppcr 0x9a794410
apll_freq 860160000
mpll_freq 1000000000
vpll_freq = 1200000000
ddr sel mpll, cpu sel apll
ddrfreq 500000000
cclk 860160000
l2clk 286720000
h0clk 250000000
h2clk 250000000
pclk 125000000
DDRC_DLP:0000f003
U-Boot 2013.07 (Jul 05 2018 - 13:33:27)
Board: ISVP (Ingenic XBurst T20 SoC)
DRAM: 128 MiB
Top of RAM usable for U-Boot at: 84000000
Reserving 399k for U-Boot at: 83f9c000
Reserving 32784k for malloc() at: 81f98000
Reserving 32 Bytes for Board Info at: 81f97fe0
Reserving 124 Bytes for Global Data at: 81f97f64
Reserving 128k for boot params() at: 81f77f64
Stack Pointer at: 81f77f48
Now running in RAM - U-Boot at: 83f9c000
MMC: msc: 0
the manufacturer 1c
SF: Detected FM25Q64
...
\end{verbatim}
Now we verified that we have a successful connection to the NEOS via the Raspberry PI. In the next part we look at how people access and modify the firmware for the device.
\section{Rooting the Device} \label{sec:rooting-device}
When the NEOS boots...
\subsection{Exploring the Bootloader}
\subsection{Boot loaders}
U-Boot % https://source.denx.de/u-boot/u-boot/blob/HEAD/doc/README.autoboot
Screenshots of loading.
Help menu of U-Boot. What you can access.
SPI Sub system. You can access the memory of the FLASH.
% http://eng.fmsh.com/nvm/FM25Q64_ds_eng.pdf
% Dumping flash memory.
Printenv.
Updating the bootargs to access the device.
When the NEOS starts up, it first loads a \textit{bootloader}, which is a program that loads the operating system or the firmware for the device. The NEOS runs a version of embedded linux (MIPS Linux). The bootloader that the NEOS uses is \texttt{U-Boot}\footnote{\url{https://source.denx.de/u-boot/u-boot/blob/HEAD/doc/README.autoboot}}, which is a common open source bootloader used on embedded devices.
On start-up right before \texttt{U-Boot} loads the linux kernel (the main operating system), it waits for 1 second to listen for any input on the debug port. If there is any input, then it pauses start-up and gives you access to the \texttt{U-Boot} menu. With the NEOS connected to the Raspberry Pi, restart the NEOS while holding down a key (such as the space bar on the keyboard) in the terminal window on the RPI. You will have to be quick and try a couple of times. If successful, the loadig output will stop and you will get a prompt \texttt{isvp\_t20#} in the terminal:
\begin{verbatim}
...
misc_init_r after change the SD_able_gpio ret is 0
misc_init_r before change the wifi_enable_gpio
gpio_request lable = wifi_enable_gpio gpio = 62
misc_init_r after gpio_request the wifi_enable_gpio ret is 62
misc_init_r after change the wifi_enable_gpio ret is 1
Hit any key to stop autoboot: 0
isvp_t20#
\end{verbatim}
Typing in \texttt{help} gives you the menu of options available to you:
\begin{verbatim}
TODO - Help menu of U-Boot. What you can access.
\end{verbatim}
% SPI Sub system. You can access the memory of the FLASH.
\texttt{U-Boot} gives you access to many aspects of the hardware for the device. For instance, U-Boot can have \textit{sub-systems}, a kind of plug-in, that provides access to types of hardware. In this case, there is a SPI (Serial Peripheral Interface) sub-system which allows access to external chips connected to the main processor. On the NEOS, the main processor is connected to a flash memory chip\footnote{Remember the flash chip on the Tour of the Board - \url{http://eng.fmsh.com/nvm/FM25Q64_ds_eng.pdf}}, which stores the system's operating system and file system. It might be possible, via U-Boot to read off the entire contents of the flash memory chip, and upload a modified version.
% TODO - Example Dumping flash memory.
We can gather more information about how the NEOS starts up, by looking at the bootloader's environment variables, via the \texttt{printenv} command:
\begin{verbatim}
isvp_t20# printenv
TODO - printenv output
\end{verbatim}
The \texttt{bootargs} environment variable dictates how \texttt{U-Boot} will set-up and boot the NEOS device. It will set-up a serial \texttt{console}, to login into the operating system via the serial port that we are using. It maps memory addresses and sets-up the root file system. The \texttt{init} argument is which program to run, once the system is set-up, and in this case \texttt{/linuxrc} is the linux kernal and the rest of the operating system.
We can modify the \texttt{bootargs} variable and change \texttt{init} portion to run a different program, in this case we will run a terminal shell \texttt{/bin/sh}. We will use \texttt{setenv} to do this, it might be helpful to first copy the \texttt{bootargs} output to a text editor in order to edit it:
\begin{verbatim}
setenv bootargs console=ttyS1,115200n8 mem=104M@0x0 ispmem=8M@0x6800000 rmem=16M@0x7000000 init=/bin/sh rootfstype=squashfs root=/dev/mtdblock2 rw mtdparts=jz_sfc:256k(boot),2048k(kernel),3392k(root),640k(driver),4736k(appfs),2048k(backupk),640k(backupd),2048k(backupa),256k(config),256k(para),-(flag)
\end{verbatim}
You can verify that the change took place by running the \texttt{printenv} command again. Run the command \texttt{boot} to continue the boot process with your modified \texttt{bootargs}. If you reset or switch the device off, the changes will be lost and you will have to go through the editing process again.
\subsection{Rooting the Device}
Now you have access to a shell like environment on the device.
Pretty empty and sparse, and does not have the kernel loaded.
You could load you're own system in this case.
But we don't have to, because had a way to load new firmware from the sdcard, which we will see in the next section.
Now you have access to a Unix shell like environment on the device. If you are familiar with moving around a Unix filesystem you take a look around. You'll find that there is not much there, as the main kernel and filesystem has not been loaded with helpful programs to run on the device. At this point, you could load you're own custom kernel and system (if you want to run the default kernel you can run the program \texttt{/linuxrc}).
However, it turns out the NEOS has an easier way to load new firmware, direct from an SD-CARD, which we will see in the next section. In fact, one does not have to use the debug port or even open the device. However, we will keep the debug console plugged in, because it is helpful to diagnose and see what is going on with the device.
\subsection{Loading New Firmware}
The Dafang-hacks community has prepared an alternative firmware to load onto the NEOS, that makes it very flexible to load and modify the NEOS.
You will either have a 512MB SD-CARD already prepared with this firmware.
First, we will have to prepare a new SD-CARD
Download the firmware from this site. (Creating your own firmware for the device. Possible topic for Day 2)
% https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/hacks/install_cfw.md
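Review bot: In the paragraph that introduces the autoboot prompt, \texttt{isvp\_t20#} leaves the # unescaped, which LaTeX rejects outside verbatim; write \texttt{isvp\_t20\#} (the same sentence has the typo "loadig"). The bootargs paragraph says /linuxrc "is the linux kernal and the rest of the operating system", but init= names the first user-space program the kernel starts once the root filesystem is mounted, and bootargs is the command line U-Boot passes to the kernel. The later remark that running /linuxrc runs "the default kernel" needs the same correction, and "you're own" should be "your own". The help and printenv verbatim blocks still contain TODO placeholders, so the reader never sees the original bootargs that the setenv line is derived from; paste the captured output before merging, and consider breaking up the long setenv line, since verbatim will not wrap it. It would also help to state plainly that init=/bin/sh gives a root shell on the serial console with no login, which is the security-relevant finding of this section. Finally, \section{Rooting the Device} and \subsection{Rooting the Device} now share a title, and the "Loading New Firmware" text ends in fragments ("You will either have ...", "First, we will have to prepare a new SD-CARD").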