
fernly's Introduction

Fernly - Fernvale Reversing OS

Fernly is a simple operating system designed for use in the reverse engineering of the Fernvale CPU. It will likely be disposed of when the system has been understood well enough to implement a full operating system.

Setting up cross compilation

Linux

git clone https://github.com/robertfoss/setup_codesourcery.git
sudo setup_codesourcery/setup.sh
/usr/local/bin/codesourcery-arm-2014.05.sh

Building Fernly

To compile, simply run "make". If you're cross-compiling, set CROSS_COMPILE to the prefix of your cross compiler, exactly as when building the Linux kernel.

For example:

make CROSS_COMPILE=arm-none-linux-gnueabi-

Running Fernly

To run, connect the target device and run the following command:

./build/fernly-usb-loader -s /dev/fernvale ./build/usb-loader.bin ./build/firmware.bin

This will open up /dev/fernvale, load usb-loader.bin as a stage 1 bootloader, and then load (and jump to) firmware.bin as stage 2. Optionally, you can add a stage 3 file by specifying it as an additional argument.

Many third-party devices enter bootloader mode only for a short window (about 1 s) after being connected to USB, and the device almost certainly needs to be powered off first. Some devices also require the battery to be removed; others do not. To accommodate these cases there is a -w (wait) option: start fernly-usb-loader first, and only then connect the device to USB. This makes it far less fiddly to try the combinations above (after each attempt, disconnect and power off the device, then restart fernly-usb-loader).

./build/fernly-usb-loader -w -s /dev/ttyUSB0 ./build/usb-loader.bin ./build/firmware.bin

Linux Notes

Since Fernvale is based on a MediaTek chip, ModemManager will, by default, treat it as a modem, probe the serial port and make it available for network connections. This is undesirable: the probe gets in the way of fernly-usb-loader, which needs the port to itself.

To work around this problem, create a udev rule under /etc/udev/rules.d/ called 98-fernvale.rules with the following contents. The first rule also creates the /dev/fernvale symlink used in the commands above; the second tells ModemManager to ignore the device. After saving the file, reload the rules (udevadm control --reload-rules, then udevadm trigger) or re-plug the device. Note that MODE="0660" without a GROUP assignment leaves the node owned by the default group for tty devices (usually dialout), so add your user to that group rather than running the loader as root:

SUBSYSTEM=="tty", ATTRS{idVendor}=="0e8d",\
    ATTRS{idProduct}=="0003",\
    MODE="0660", SYMLINK+="fernvale"

ACTION=="add|change", SUBSYSTEM=="usb",\
    ENV{DEVTYPE}=="usb_device", ATTRS{idVendor}=="0e8d",\
    ATTRS{idProduct}=="0003",\
    ENV{ID_MM_DEVICE_IGNORE}="1"

OSX Notes

The default OSX CDC matching seems to miss the Fernvale board. Use fernvale-osx-codeless to get a com port.

SPI and Flashrom

Fernly includes a special 'flashrom' mode that lets the flashrom program talk directly to the on-board SPI flash. The protocol is binary, and the mode is entered by issuing the following command at the fernly prompt:

spi flashrom

Fernly will respond with a single binary byte, 0x05, indicating it is ready.

The protocol is very simple. For each transaction the host writes one byte giving the number of bytes to write, one byte giving the number of bytes to read, and then the bytes to send to the flash chip; it then reads back exactly the requested number of bytes. For example, to send the 2-byte command '0xfe 0xfa' and collect a 3-byte response, write the following bytes to the serial port:

| 02 03 fe fa |

Then read three bytes of data from the serial port.

Because each length field is a single byte, at most 255 bytes may be written and at most 255 bytes read in one transaction; in practice the usable sizes may be smaller.

To exit 'spi flashrom' mode and return to the fernly shell, send a transaction that writes and reads zero bytes. That is, send the following packet:

| 00 00 |

See ROM-BACKUP.txt for user-level instructions on how to back up and restore the FlashROM of your device.
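The framing described above, as an added host-side example. This is not fernly's or flashrom's own code: the FakeFernly class is a constructed stand-in for the serial port so the code runs offline, the newline that terminates the "spi flashrom" command and the flash opcodes the fake answers (0x9f RDID with a Winbond-style ID, 0x05 RDSR) are assumptions, and a real run would pass a pyserial Serial object opened on /dev/fernvale instead.

```python
"""Host side of fernly's 'spi flashrom' bridge (added example, not fernly's code).

Framing follows the README: the host sends one byte with the number of bytes
to write, one byte with the number of bytes to read, then the payload, and
reads back exactly n_read bytes. FakeFernly is a constructed stand-in for the
serial port so this runs offline; the newline that ends the shell command and
the flash opcodes it understands (0x9f RDID, 0x05 RDSR) are assumptions.
"""

READY = b"\x05"      # single byte fernly sends once it is in flashrom mode
MAX_LEN = 255        # both length fields are one byte


class FakeFernly:
    """Constructed simulation of a fernly target with a small SPI flash."""

    JEDEC_ID = bytes.fromhex("ef4018")   # assumed 3-byte RDID answer

    def __init__(self) -> None:
        self.host_to_dev = bytearray()   # unread bytes from the host
        self.dev_to_host = bytearray()   # bytes queued for the host
        self.in_flashrom = False

    def write(self, data: bytes) -> int:
        self.host_to_dev += data
        if not self.in_flashrom:
            # still at the fernly shell prompt: wait for the command line
            if self.host_to_dev.endswith(b"spi flashrom\n"):
                self.host_to_dev.clear()
                self.in_flashrom = True
                self.dev_to_host += READY
            return len(data)
        while len(self.host_to_dev) >= 2:
            n_write, n_read = self.host_to_dev[0], self.host_to_dev[1]
            if n_write == 0 and n_read == 0:        # | 00 00 | leaves the mode
                del self.host_to_dev[:2]
                self.in_flashrom = False
                break
            if len(self.host_to_dev) < 2 + n_write:
                break                               # payload not complete yet
            cmd = bytes(self.host_to_dev[2:2 + n_write])
            del self.host_to_dev[:2 + n_write]
            self.dev_to_host += self._spi(cmd, n_read)
        return len(data)

    def _spi(self, cmd: bytes, n_read: int) -> bytes:
        if cmd[:1] == b"\x9f":                      # JEDEC ID
            resp = self.JEDEC_ID
        elif cmd[:1] == b"\x05":                    # status register, idle
            resp = b"\x00"
        else:
            resp = b""                              # unknown opcode: MISO idles high
        return (resp + b"\xff" * n_read)[:n_read]

    def read(self, n: int) -> bytes:
        out = bytes(self.dev_to_host[:n])
        del self.dev_to_host[:n]
        return out


def enter_flashrom_mode(port) -> None:
    """Type 'spi flashrom' at the fernly prompt and wait for the 0x05 ready byte."""
    port.write(b"spi flashrom\n")
    ack = port.read(1)
    if ack != READY:
        raise RuntimeError(f"expected ready byte 05, got {ack.hex() or 'nothing'}")


def spi_xfer(port, tx: bytes, n_read: int) -> bytes:
    """One framed transaction: [len(tx)][n_read][tx...] then read n_read bytes."""
    if not 1 <= len(tx) <= MAX_LEN or not 0 <= n_read <= MAX_LEN:
        raise ValueError("tx must be 1..255 bytes and n_read 0..255 (one-byte lengths)")
    port.write(bytes([len(tx), n_read]) + tx)
    resp = port.read(n_read)
    if len(resp) != n_read:
        raise RuntimeError(f"short read: wanted {n_read} bytes, got {len(resp)}")
    return resp


def exit_flashrom_mode(port) -> None:
    """Send the zero-length packet that returns the target to the fernly shell."""
    port.write(b"\x00\x00")


def read_jedec_id(port) -> bytes:
    """RDID (0x9f) with a 3-byte reply, the usual first probe of an SPI flash."""
    return spi_xfer(port, b"\x9f", 3)


if __name__ == "__main__":
    dev = FakeFernly()      # on hardware: serial.Serial("/dev/fernvale", timeout=1)
    enter_flashrom_mode(dev)
    print("JEDEC ID:", read_jedec_id(dev).hex())
    exit_flashrom_mode(dev)
```

The length check in spi_xfer is the important part for real use: a request longer than 255 bytes cannot be framed, and silently truncating the length byte would desynchronise the host and target so that every later read returns the wrong bytes. The short-read check catches the other common failure, a target that has dropped out of flashrom mode (or was never in it) and therefore sends nothing back.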

Licensing

Fernly is licensed under the BSD 2-clause license (see LICENSE).

Previous versions of fernly linked against division libraries taken from U-Boot, which were licensed under GPL-2. These files have been removed.

Instead, we supply a version of libgcc.a. This file was extracted from a standard gcc toolchain, specifically:

https://code.google.com/p/yus-repo/downloads/detail?name=arm-none-eabi-4.6-armv5.tar.gz

It has not been modified, and its distribution here should be covered under the "runtime exception".

Memory Map

Start      End        Size       Description
0x00000000 0x0fffffff 0x0fffffff PSRAM map, repeated and mirrored at 0x00800000 offsets
0x10000000 0x1fffffff 0x0fffffff Memory-mapped SPI chip
?????????? ?????????? ?????????? ???????????????????????????????????
0x70000000 0x7000cfff 0xcfff On-chip SRAM (maybe cache?)
?????????? ?????????? ?????????? ???????????????????????????????????
0x80000000 0x80000008 0x08 Config block (chip version, etc.)
0x82000000 0x82d00000 ?????????? Modem system stuff
0x83000000 0xa3090000 ?????????? Modem peripheral stuff
0x83020000 TDMA unit
0x83050000 Frame Check Sequence unit
0x83060000 GPRS cipher unit
0x83070000 Baseband serial interface
0x83080000 Baseband parallel interface
0xa0000000 0xa0000008 0x08 Config block (mirror?)
0xa0010000 ?????????? ?????????? Power, config block
0xa0020000 0xa0020e10 0x0e10 GPIO control block
0xa0030000 0xa0030040 0x40 WDT block
- 0x08 -> WDT register (?)
- 0x18 -> Boot src (?)
0xa0030800 ?????????? ?????????? ????????????????????????????
0xa0040000 ?????????? ?????????? ???????????????????????????????????
0xa0050000 ?????????? ?????????? External memory block
0xa0060000 ?????????? ?????????? IRQ Controller block
0xa0070000 ========== ========== DMA Controller block
0xa0080000 0xa008005c 0x5c UART1 block
0xa0090000 0xa009005c 0x5c UART2 block
0xa00a0000 0xa00a0000 0x5c UART3 block
0xa00b0000 0xa00b006c 0x6c Bluetooth interface block
0xa00c0000 0xa00c002c 0x2c General purpose timer block
0xa00d0000 0xa00d0024 0x24 Keypad scanner block
0xa00e0000 0xa00e0008 0x0c PWM1 block
0xa00f0000 0xa00f00b0 0xb0 SIM1 interface block
0xa0100000 0xa01000b0 0xb0 SIM2 interface block
0xa0110000 ?????????? ?????????? SEJ/CHE (Security engine) block
0xa0120000 0xa0120074 0x74 I2C block
0xa0130000 0xa0130098 0x98 SD1 block (MSDC)
0xa0140000 ?????????? ?????????? Serial flash block
0xa0150000 ?????????? ?????????? ?? MAYBE also SPI ?????????????????
0xa0160000 ?????????? ?????????? Die-to-die master interface
0xa0170000 ?????????? ?????????? Analogue chip controller block
0xa0180000 ?????????? ?????????? TOPSM block
0xa0190000 0xa0190310 0x58 HIF (DMA?) interface block
0xa01b0000 0xa01b0058 0x58 NLI (arbiter) interface block
0xa01c0000 ?????????? ?????????? EFuse block
0xa01e0000 ?????????? ?????????? SPI block
0xa01f0000 0xa01f0060 0x60 OS timer block
0xa0210000 ?????????? ?????????? More analog bits
0xa0220000 ?????????? ?????????? MBist block
0xa0240000 ?????????? ?????????? NAND flash block
0xa0260000 0xa0260058 0x58 FSPI (internal FM radio) block
0xa0270000 0xa0270098 0x98 SD2 block
0xa02A0000 0xa02A0074 0x74 I2C2 block 1.8v
0xa0400000 ?????????? ?????????? IMGDMA block
0xa0410000 ?????????? ?????????? IDP RESZ CR2
0xa0420000 0xa04201d8 0x01d8 CAM interface block
0xa0430000 ?????????? ?????????? Serial camera block
0xa0440000 ?????????? ?????????? 2D graphics block
0xa0450000 ?????????? ?????????? LCD interface block
0xa0460000 ?????????? ?????????? Multimedia system BIST block
0xa0470000 ?????????? ?????????? Multimedia colour config block
0xa0480000 ?????????? ?????????? Multimedia system config block
0xa0500000 ?????????? ?????????? ARM configuration block
0xa0510000 ?????????? ?????????? Boot configuration block
0xa0520000 ?????????? ?????????? Code decompression engine block
0xa0530000 ?????????? ?????????? Level 1 cache block
0xa0540000 ?????????? ?????????? MPU config block
0xa0700000 ?????????? ?????????? Power management block. Write ((val & 0xfe0f) | 0x140) to 0xa0700230 to power off.
0xa0710000 0xa0710078 0x78 RTC block
0xa0720000 ?????????? ?????????? Analogue baseband config block
0xa0730000 0xa0730100 ?????? Analogue die config
0xa0730104 0xa073104c ?????? GPIO mode / pull control blocks
0xa074000c 0xa0740014 0x0c PWM2 block
0xa0740018 0xa0740020 0x0c PWM3 block
0xa0750000 0xa075005c 0x5c ADCDET block
0xa0760000 ?????????? ?????????? Analogue IRQ controller
0xa0790000 0xa07900d8 0xd8 ADC block
0xa07a0000 ?????????? ?????????? Analogue Die-to-die block
0xa0900000 0xa0900240 ?????????? USB block
0xa0910000 ?????????? ?????????? ???????????????????????????????????
0xa0920000 ?????????? ?????????? AHB DMA block
0xa3300000 0xa33a0000 0x6c? Bluetooth things
0xfff00000 0xffffffff 0x100000 Boot ROM, mirrored each 64K (its real size)

fernly's People

Contributors

ajaybhargav avatar bunnie avatar jacobrosenthal avatar mandl avatar notthetup avatar pfalcon avatar projectgus avatar robertfoss avatar thesourcerer8 avatar xobs avatar


fernly's Issues

"FERNLY_USB_LOADER_ADDR" is wrong for the MT6261 branch.

Well, at the very least it's wrong for my two specimens.

"FERNLY_USB_LOADER_ADDR" should be defined as $1000a5b0, not $7000c000. How do I know this?

Well, I spent the entirety of last night messing with these two smart watches. What I SHOULD have been doing was inspecting the inside of my eyelids but whatever...

Anyway, I had my CH431a hooked up to one of them, so I got to capture the serial output from the bootloader.

F1: 0000 0000
V0: 0000 0000 [0001]
00: 0000 0000
U0: 0000 0001 [0000]
G0: 0002 0000 [0000]
T0: 0000 00BB
Jump to BL

**===================================================**

Bye bye bootloader, jump to=0x1000a5b0
-

I read your reply to another issue regarding the MT6261 and addresses. Sure enough, the boot process progresses somewhat farther!

Still hangs though, but I think I can fix that.

Loader freezes while writing stage2

As of 1023337 I can't get into shell anymore. My hardware claims to be EVT1-B

build/fernly-usb-loader /dev/cu.usbmodem1410 build/usb-loader.bin build/firmware.bin
Setting serial port parameters... Ok
Initiating communication... Ok
Getting hardware version... 0xca00
Getting chip ID... 0x6260
Getting boot config (low)... 0x0000
Getting boot config (high)... 0x0000
Getting hardware subcode... 0x8000
Getting hardware version (again)... 0xca00
Getting chip firmware version... 0x0000
Getting security version... v 5
Enabling security (?!)... Ok
Reading ME... 00000000 6e a8 9a 5e 22 33 e5 43  f9 33 3b 04 11 b5 4b 15  |n..^"3.C.3;...K.|
Disabling WDT... Ok
Reading RTC Baseband Power Up (0xa0710000)... 0x0004
Reading RTC Power Key 1 (0xa0710050)... 0x79ff
Reading RTC Power Key 2 (0xa0710054)... 0xbfff
Setting seconds... Ok
Disabling alarm IRQs... Ok
Disabling RTC IRQ interval... Ok
Enabling transfers from core to RTC... Ok
Reading RTC Baseband Power Up (0xa0710000)... 0x0004
Getting security configuration... None.
Getting PSRAM mapping... 0x0000
Disabling PSRAM -> ROM remapping... Ok
Checking PSRAM mapping... 0x0002
Checking on PSRAM mapping again... 0x0002
Updating PSRAM mapping again for some reason... Ok
Reading some fuses... 0x00000000
Enabling UART... 0x0000
Loading Fernly USB loader... checksum matches 0x276e Ok
Executing Ferly USB loader... Ok
Waiting for Fernly USB loader banner... Ok
Writing stage 2... 20112 bytes... 

USB no longer connects after disconnect

Linux logs timeouts and errors to syslog. This apparently happens because initial USB enumeration is handled by BootROM, and fernly doesn't handle enumeration at all.

Project license?

The codebase seems to lack a clear license statement. Knowing that the "real OS" port is based on NuttX, I hope that the intention for it is to be liberally licensed (BSD/MIT), but can we have that made explicit, please?

Weird serial port shenanigans (MT6261 branch).

Trying to run fernly ("firmware.bin") results in anything that tries to access the watch's (really "phone's") USB serial port hanging or getting REALLY slow. There is no fernly prompt.

Output from running "./fernly-usb-loader -w /dev/ttyUSB0 ./usb-loader.bin ./firmware.bin":

Waiting for serial port to connect: ...
Setting serial port parameters... Ok
Initiating communication... Ok
Getting hardware version... 0xcb01
Getting chip ID... 0x6261
Getting boot config (low)... 0x0000
Getting boot config (high)... 0x0000
Getting hardware subcode... 0x8000
Getting hardware version (again)... 0xcb01
Getting chip firmware version... 0x0001
Getting security version... v 5
Enabling security (?!)... Ok
Reading ME... 00000000 79 04 d2 36 df 84 1e 46 87 95 0f a3 2a 50 b9 ae |y..6...F....*P..|
Disabling WDT... Ok
Reading RTC Baseband Power Up (0xa0710000)... 0x0002
Reading RTC Power Key 1 (0xa0710050)... 0xa357
Reading RTC Power Key 2 (0xa0710054)... 0x67d2
Setting seconds... Ok
Disabling alarm IRQs... Ok
Disabling RTC IRQ interval... Ok
Enabling transfers from core to RTC... Ok
Reading RTC Baseband Power Up (0xa0710000)... 0x0002
Getting security configuration... None.
Getting PSRAM mapping... 0x0000
Disabling PSRAM -> ROM remapping... Ok
Checking PSRAM mapping... 0x0002
Checking on PSRAM mapping again... 0x0002
Updating PSRAM mapping again for some reason... Ok
Reading some fuses... 0x00000000
Enabling UART... 0x0000
Loading Fernly USB loader... checksum matches 0x53ea Ok
Executing Ferly USB loader... Ok
Waiting for Fernly USB loader banner... Fernvale bootloader
Write four bytes of program size, then write program data...

Ok
Writing stage 2... 19348 bytes... 19348 / 19348 Ok
Waiting for ready prompt... Ok


This bit in DMESG is interesting.

6,1310,3641289199,-;usb 1-1: USB disconnect, device number 16
SUBSYSTEM=usb
DEVICE=c189:15
6,1311,3641290367,-;option1 ttyUSB0: GSM modem (1-port) converter now disconnected from ttyUSB0
SUBSYSTEM=usb-serial
DEVICE=+usb-serial:ttyUSB0
6,1312,3641290388,-;option 1-1:1.0: device disconnected
SUBSYSTEM=usb
DEVICE=+usb:1-1:1.0
6,1313,3653952413,-;usb 1-1: new full-speed USB device number 17 using xhci_hcd
SUBSYSTEM=usb
DEVICE=+usb:1-1
6,1314,3654101095,-;usb 1-1: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
SUBSYSTEM=usb
DEVICE=c189:16
6,1315,3654101115,-;usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
SUBSYSTEM=usb
DEVICE=c189:16
6,1316,3654107218,-;option 1-1:1.0: GSM modem (1-port) converter detected
SUBSYSTEM=usb
DEVICE=+usb:1-1:1.0
6,1317,3654107478,-;usb 1-1: GSM modem (1-port) converter now attached to ttyUSB0
SUBSYSTEM=usb
DEVICE=c189:16
4,1318,3654108057,-;cdc_acm: probe of 1-1:1.1 failed with error -16

I thought I did the linux acm thing listed in README.md...

The firmware loading IS working though! The vibration test binary "mt6261-test.bin" works and causes the watch to vibrate.

Magic subroutine addresses in usb-loader.S

Would you care to explain (comment in the source) where addresses like below come from:

ldr r3, =0xfff03639
blx r3
ldr r3, =0xfff03653
ldr r3, =0xfff04845

0xfff00000 isn't included in memory map in README.md. Is there some kind of mask ROM in MTK6260 with such predefined routines?

response 0x1d12

What's supposed to happen in cases like this?

$ ./fernly-usb-loader -w -s -l fernly-usb-loader.log /dev/ttyACM0 usb-loader.bin firmware.bin
Waiting for serial port to connect: .....
Setting serial port parameters... Ok
Initiating communication... Ok
Getting hardware version... 0xca02
Getting chip ID... 0x6261
Getting boot config (low)... 0x0000
Getting boot config (high)... 0x0000
Getting hardware subcode... 0x8000
Getting hardware version (again)... 0xca02
Getting chip firmware version... 0x0001
Getting security version... v 5
Enabling security (?!)... Ok
Reading ME... 00000000 89 06 e0 da 41 d2 00 1c  91 88 d4 19 19 5e 7c 24  |....A........^|$|
Disabling WDT... Ok
Reading RTC Baseband Power Up (0xa0710000)... 0x0000
Reading RTC Power Key 1 (0xa0710050)... 0xa357
Reading RTC Power Key 2 (0xa0710054)... 0x67d2
Setting seconds... Ok
Disabling alarm IRQs... Ok
Disabling RTC IRQ interval... Ok
Enabling transfers from core to RTC... Ok
Reading RTC Baseband Power Up (0xa0710000)... 0x0000
Getting security configuration... None.
Getting PSRAM mapping... 0x0000
Disabling PSRAM -> ROM remapping... Ok
Checking PSRAM mapping... 0x0002
Checking on PSRAM mapping again... 0x0002
Updating PSRAM mapping again for some reason... Ok
Reading some fuses... 0x00000000
Enabling UART... 0x0000
Loading Fernly USB loader... !! First response is 0x1d12, not 0 !!
^C

Dump ROM from mt6261ma card phone

Hi! I bought this small (cheap) card phone (zylan z7) and disassembled it just to take a look at the hardware. It has an IC labeled "mt6261ma". Reading about it, I discovered this OS and tried to dump the ROM. Seems like something is going wrong, because I got stuck at an "Invalid banner response" error (for example, it expects 0x5f and returns 0xa0).

Taking a look at the source, I got to the file "fernly-usb-loader.c", function "fernvale_hello"; it seems like it's some kind of challenge with the phone:

mtk_banner[] = { 0xa0, 0x0a, 0x50, 0x05 };
mtk_banner_response[] = { 0x5f, 0xf5, 0xaf, 0xfa };

I modified this source, forcing it to continue the challenge just to see the next responses, and it seems that all of them are the same values as in the "mtk_banner" array.

Am I doing something wrong?

Thanks in advance!
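The handshake quoted in the issue above, as an added example that is neither fernly's code nor part of the issue. The two byte tables are the ones quoted from fernvale_hello(); as the tables show, every expected reply is the bitwise complement of the byte sent. The device-side functions are constructed stand-ins so the code runs offline, and the assumption that the boot ROM stays silent and restarts the sequence on an out-of-order byte is mine, not something fernly's README states.

```python
"""MediaTek boot-ROM hello handshake as fernly-usb-loader's fernvale_hello()
performs it (added example, not fernly's code). The two byte tables are the ones
quoted in the issue; every expected reply is the bitwise complement of the byte
sent. The device-side functions are constructed stand-ins so the code runs
offline; the boot-ROM behaviour on an out-of-order byte is an assumption.
"""

MTK_BANNER = bytes([0xa0, 0x0a, 0x50, 0x05])
MTK_BANNER_RESPONSE = bytes([0x5f, 0xf5, 0xaf, 0xfa])


def banner_is_complement() -> bool:
    """The expected response table is just ~banner, byte by byte."""
    return all(r == (b ^ 0xff) for b, r in zip(MTK_BANNER, MTK_BANNER_RESPONSE))


def fernvale_hello(xfer) -> dict:
    """Send the banner one byte at a time and classify the first bad reply.

    xfer(byte) writes one byte to the target and returns what came back
    before the read timeout (b'' if nothing). The returned 'status' is one
    of 'ok', 'echo' (our own byte came straight back), 'silent' or 'mismatch'.
    """
    for sent, expected in zip(MTK_BANNER, MTK_BANNER_RESPONSE):
        got = xfer(sent)
        if got == bytes([expected]):
            continue
        if got == b"":
            status = "silent"
        elif got == bytes([sent]):
            status = "echo"
        else:
            status = "mismatch"
        return {"status": status, "sent": sent, "expected": expected, "got": got}
    return {"status": "ok"}


def make_brom():
    """Constructed boot-ROM stand-in: answers the banner only in sequence."""
    state = {"i": 0}

    def xfer(byte: int) -> bytes:
        if byte == MTK_BANNER[state["i"]]:
            reply = bytes([MTK_BANNER_RESPONSE[state["i"]]])
            state["i"] = (state["i"] + 1) % len(MTK_BANNER)
            return reply
        state["i"] = 0          # assumed: any other byte restarts the handshake
        return b""

    return xfer


def echo_xfer(byte: int) -> bytes:
    """Whatever is on the port sends our bytes back: the 0xa0-instead-of-0x5f symptom."""
    return bytes([byte])


def silent_xfer(byte: int) -> bytes:
    """Nothing answers within the timeout (port open, but no boot ROM listening)."""
    return b""


if __name__ == "__main__":
    for name, dev in (("brom", make_brom()), ("echo", echo_xfer), ("silent", silent_xfer)):
        print(name, fernvale_hello(dev))
```

Classifying the failure is what makes this useful when the handshake goes wrong: a reply that equals the byte just sent means the bytes are being echoed by something on the path rather than answered by the boot ROM's handshake, a timeout means nothing is listening (the boot window was missed, or the wrong port was opened), and any other byte points at a different protocol state or a stale byte left in the port buffer.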
