Staars

Proof of concept - Realtek 1295


I'm still running binwalk over stuff, but I was looking over a log of normal boot (from the hard drive) and I noticed it actually prints out a memory address for what I'm looking for: I tried to copy it out with dd, but it doesn't seem to have resulted in valid results (At least according to file). Here's the log:

 

## Flattened Device Tree blob at 01f00000
   Booting using the fdt blob at 0x1f00000
   reserving fdt memory region: addr=0 size=30000
   reserving fdt memory region: addr=1f000 size=1000
   reserving fdt memory region: addr=30000 size=d0000
   reserving fdt memory region: addr=1b00000 size=400000
   reserving fdt memory region: addr=1ffe000 size=4000
   reserving fdt memory region: addr=10000000 size=14000
   reserving fdt memory region: addr=2200000 size=400000
   reserving fdt memory region: addr=3200000 size=b800000
   reserving fdt memory region: addr=2600000 size=c00000
   reserving fdt memory region: addr=11000000 size=3c00000
   Using Device Tree in place at 0000000001f00000, end 0000000001f122aa

 

I tried copying it out with dd if=/dev/sdf$i bs=1 seek=32505856 count=74410 of=test$i.dtb with a loop: I also used the drive itself, but I feel like it's probably using an image and using memory addresses. Not sure how I'd be able to find out how to get it though.


@ShaRose, try the following:

strings -t x <your_image> | grep rtd129x-usb2phy

you should find an approximate location of your DTB.


For me it works, let's assume it's not compressed. If it is, binwalk should find tar, gzip, xz or something.... these have signatures.
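The signature-based search discussed above, as an added example that is not part of any post in this thread: it scans an image for the FDT magic `0xd00dfeed`, rejects false hits by checking the version-17 header, lists the memory reservation entries, and carves the blob by its `totalsize`. The function names and the sample image are constructed for illustration; the three reservation values are copied from the boot log above.

```python
import struct

FDT_MAGIC = 0xD00DFEED
FDT_HEADER = struct.Struct(">10I")  # big-endian v17 header: magic .. size_dt_struct
RSV_ENTRY = struct.Struct(">QQ")    # (address, size); the list ends with (0, 0)


def parse_fdt_at(image, off):
    """Return header details if a plausible FDT starts at `off`, else None."""
    if off + FDT_HEADER.size > len(image):
        return None
    (magic, totalsize, off_struct, off_strings, off_rsv, version,
     last_comp, _boot_cpu, size_strings, size_struct) = FDT_HEADER.unpack_from(image, off)
    if magic != FDT_MAGIC:
        return None
    # The magic alone is weak evidence: reject hits with an inconsistent header.
    if totalsize < FDT_HEADER.size or off + totalsize > len(image):
        return None
    if version < 17 or last_comp > version:
        return None
    if off_struct + size_struct > totalsize or off_strings + size_strings > totalsize:
        return None
    if off_rsv < FDT_HEADER.size or off_rsv % 8 or off_rsv >= totalsize:
        return None
    # Walk the memory reservation block; the boot log's
    # "reserving fdt memory region: addr=... size=..." lines are entries of this kind.
    reservations = []
    pos, end = off + off_rsv, off + totalsize
    while pos + RSV_ENTRY.size <= end:
        addr, size = RSV_ENTRY.unpack_from(image, pos)
        pos += RSV_ENTRY.size
        if addr == 0 and size == 0:
            break
        reservations.append((addr, size))
    else:
        return None  # no (0, 0) terminator inside the blob
    return {"offset": off, "totalsize": totalsize, "version": version,
            "reservations": reservations}


def find_fdts(image):
    """Scan the whole image and return every candidate that passes validation."""
    needle = struct.pack(">I", FDT_MAGIC)
    hits = []
    pos = image.find(needle)
    while pos != -1:
        info = parse_fdt_at(image, pos)
        if info:
            hits.append(info)
        pos = image.find(needle, pos + 1)
    return hits


def carve(image, info):
    """Cut the blob out using the size stored in its own header."""
    return image[info["offset"]:info["offset"] + info["totalsize"]]


def build_sample_fdt(reservations):
    """Constructed test data: a minimal FDT with an empty root node."""
    rsv = b"".join(RSV_ENTRY.pack(a, s) for a, s in reservations) + RSV_ENTRY.pack(0, 0)
    # FDT_BEGIN_NODE (1), empty name padded to 4 bytes, FDT_END_NODE (2), FDT_END (9)
    struct_blk = struct.pack(">IIII", 1, 0, 2, 9)
    off_rsv = FDT_HEADER.size
    off_struct = off_rsv + len(rsv)
    off_strings = off_struct + len(struct_blk)  # strings block is empty
    header = FDT_HEADER.pack(FDT_MAGIC, off_strings, off_struct, off_strings,
                             off_rsv, 17, 16, 0, 0, len(struct_blk))
    return header + rsv + struct_blk


# Constructed sample image: padding, a decoy magic with a garbage header,
# more padding, then a valid blob at offset 0x400.
SAMPLE_RESERVATIONS = [(0x0, 0x30000), (0x1F000, 0x1000), (0x30000, 0xD0000)]
DECOY = struct.pack(">I", FDT_MAGIC) + b"\xff" * 36
SAMPLE_IMAGE = (b"\x00" * 0x200 + DECOY + b"\x00" * 0x1D8
                + build_sample_fdt(SAMPLE_RESERVATIONS) + b"\xff" * 64)

if __name__ == "__main__":
    for hit in find_fdts(SAMPLE_IMAGE):
        print("FDT at 0x%x, %d bytes, version %d" %
              (hit["offset"], hit["totalsize"], hit["version"]))
        for addr, size in hit["reservations"]:
            print("  reserved: addr=%x size=%x" % (addr, size))
```

On a real image, read the file into `image` and write `carve(image, hit)` to a `.dtb` file; a compressed container has to be unpacked first, since the magic is only visible in uncompressed data.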


Meanwhile I downloaded the 12GB-GPL-Package from WD and it contains a lot of stuff.

 

I suppose one of the DTBs with the WD-prefix could be usable for @ShaRose. The rest of the kernel-4.1.17-tree should not be that helpful.

I will add them to my kernel repo, but maybe you can test it before. 

 

The second interesting thing could be the bootloader-folder,  but I still have to digest it.

 

3 hours ago, Staars said:

Meanwhile I downloaded the 12GB-GPL-Package from WD and it contains a lot of stuff.

 

I suppose one of the DTBs with the WD-prefix could be usable for @ShaRose. The rest of the kernel-4.1.17-tree should not be that helpful.

I will add them to my kernel repo, but maybe you can test it before. 

 

The second interesting thing could be the bootloader-folder,  but I still have to digest it.

 

I found the wd-monarch-1GB.dts file, but I wasn't able to compile it: I'm assuming it has a bunch of preprocessor things to do during compilation, but the compile script wipes it away each time. Not really sure how I'd be able to compile it into a dtb.

 

EDIT: Never mind, just realized I could just compile the WD kernel and grab the dtb files from that. Sadly, it still doesn't work, either for wd-monarch-1GB.dtb or wd-monarch-1GB.SATA.dtb. Maybe it needs to be built along with the kernel I'm actually using? Not really sure. I'll try a few other dtb files.

 

EDIT 2: Ok, as somewhat expected, nothing works: but it seems the most correct one is wd-monarch-1gb.sata.dtb from checking the logs. wd-monarch-1gb.dtb had an additional error, which is kind of my baseline at this point. Here's the logs for that one (After it does usb scanning and stuff):

 

reading boot/vmlinuz-4.9.181-rtd1295
Filesize: 8249990 bytes
8249990 bytes
Size: 8249990, got: 8249990

8249990 bytes read (take 525ms)
reading boot/dtb-4.9.181-rtd1295/realtek/rtd129x/wd-monarch-1gb.sata.dtb
Filesize: 62123 bytes
62123 bytes
Size: 62123, got: 62123

62123 bytes read (take 211ms)
libfdt fdt_path_offset() returned FDT_ERR_NOTFOUND
Info: Try to add new node /factory...
*****************************************
factory {
        bootstate = "3";
        bna = "0";
        nbr = "B";
        cbr = "B";
        ver = "4.1.4";
        serial = "CENSORED";
        ipaddr = "192.168.100.1";
        ethaddr = "00:00:00:00:00:00";
};
*****************************************


EXPORT ENV AT 0x10000000, ENV size info:0x00002000,0x00001ffc,0x00000004
rtk_preload_bootimages_spi : header info
 0x00000600 0x00067440 0x00010b00 0x00000000
 0x00005040 0x00000000 0x00000000 0x00026360
 0x00000000
rtk_preload_bootimages_spi : load U-Boot 64 from 0x8819de60 to 0x01500000 with size 0x00026360
rtk_preload_bootimages_spi : load BL31 from 0x88198e00 to 0x10120000 with size 0x00005040
copy_2nd_bootloader_and_run : src:0x01500000, dst:0x00021000, size:0x00028000
Jumping to 2nd bootloader...


U-Boot 2015.07-g5a4a178-dirty (Jun 22 2016 - 11:33:46 +0800)

CPU  : Cortex-A53 Quad Core
Board: Realtek QA Board
[ERR] get_accessible_ddr_size: hw setting error. (impossible value 0x0)
[ERR] Fall back to using CONFIG_SYS_RAM_DCU1_SIZE
DRAM:  1 GiB
mapping memory 0x20000000-0x40000000 non-cached
In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  0
Unknown command 'usb' - try 'help'
rtk_plat_set_fw not port yet, use default configs
Not raw Image, Starting Decompress Image.gz...


## Flattened Device Tree blob at 01f00000
   Booting using the fdt blob at 0x1f00000
   reserving fdt memory region: addr=0 size=30000
   reserving fdt memory region: addr=1f000 size=1000
   reserving fdt memory region: addr=30000 size=d0000
   reserving fdt memory region: addr=1b00000 size=400000
   reserving fdt memory region: addr=1ffe000 size=4000
   reserving fdt memory region: addr=10000000 size=14000
   reserving fdt memory region: addr=2200000 size=400000
   reserving fdt memory region: addr=3200000 size=b800000
   reserving fdt memory region: addr=2600000 size=c00000
   reserving fdt memory region: addr=11000000 size=3c00000
   Using Device Tree in place at 0000000001f00000, end 0000000001f122aa
Bring UP slave CPUs

Starting Kernel ...

[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 4.9.181-rtd1295 (root@build-virtual-machine) (gcc version 7.4.1 20181213 [linaro-7.4-2019.02 revision 56ec6f6b99cc167ff0c2f8e1a2eed33b1edc85d4] (Linaro GCC 7.4-2019.02) ) #1 SMP PREEMPT Thu Jun 20 20:31:22 NDT 2019
[    0.000000] Boot CPU: AArch64 Processor [410fd034]
[    0.000000] DT: logo_start_addr 0x0, size 0x0
[    0.000000] DT: of_cma_info.region_enable 1
[    0.000000] DT: saving_section_page_table 0
[    0.000000] earlycon: uart8250 at MMIO32 0x0000000098007800 (options '')
[    0.000000] bootconsole [uart8250] enabled
[    0.000000] efi: Getting EFI parameters from FDT:
[    0.000000] efi: UEFI not found.
[    0.000000] cma: fdt region 0
[    0.000000] cma: size 0x0000000002000000, base 0x0000000020000000, fixed(1)
[    0.000000] cma: Reserved 32 MiB at 0x0000000020000000
[    0.000000] missing or invalid resume-entry-addr property
[    0.000000] missing or invalid resume-entry-addr property
[    0.000000] missing or invalid resume-entry-addr property
[    0.000000] percpu: Embedded 22 pages/cpu s53144 r8192 d28776 u90112
[    0.000000] Detected VIPT I-cache on CPU0
[    0.000000] CPU features: enabling workaround for ARM erratum 845719
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 257536
[    0.000000] Kernel command line: earlycon=uart8250,mmio32,0x98007800 console=ttyS0,115200 noinitrd root=/dev/mmcblk0p1 rootfs=ext4 init=/sbin/init
[    0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes)
[    0.000000] Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes)
[    0.000000] Inode-cache hash table entries: 65536 (order: 7, 524288 bytes)
[    0.000000] Memory: 704360K/1046528K available (12540K kernel code, 1682K rwdata, 3612K rodata, 1152K init, 488K bss, 309400K reserved, 32768K cma-reserved)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     modules : 0xffffff8000000000 - 0xffffff8008000000   (   128 MB)
[    0.000000]     vmalloc : 0xffffff8008000000 - 0xffffffbebfff0000   (   250 GB)
[    0.000000]       .text : 0xffffff8008280000 - 0xffffff8008ec0000   ( 12544 KB)
[    0.000000]     .rodata : 0xffffff8008ec0000 - 0xffffff8009250000   (  3648 KB)
[    0.000000]       .init : 0xffffff8009250000 - 0xffffff8009370000   (  1152 KB)
[    0.000000]       .data : 0xffffff8009370000 - 0xffffff8009514a00   (  1683 KB)
[    0.000000]        .bss : 0xffffff8009514a00 - 0xffffff800958eb7c   (   489 KB)
[    0.000000]     fixed   : 0xffffffbefe7fb000 - 0xffffffbefec00000   (  4116 KB)
[    0.000000]     PCI I/O : 0xffffffbefee00000 - 0xffffffbeffe00000   (    16 MB)
[    0.000000]     vmemmap : 0xffffffbf00000000 - 0xffffffc000000000   (     4 GB maximum)
[    0.000000]               0xffffffbf00000000 - 0xffffffbf01000000   (    16 MB actual)
[    0.000000]     memory  : 0xffffffc000000000 - 0xffffffc040000000   (  1024 MB)
[    0.000000] Preemptible hierarchical RCU implementation.
[    0.000000]  Build-time adjustment of leaf fanout to 64.
[    0.000000]  RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=1.
[    0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=64, nr_cpu_ids=1
[    0.000000] NR_IRQS:64 nr_irqs:64 0
[    0.000000] arm_arch_timer: Architected cp15 timer(s) running at 27.00MHz (phys).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x63a1e71a3, max_idle_ns: 440795203123 ns
[    0.000006] sched_clock: 56 bits at 27MHz, resolution 37ns, wraps every 4398046511093ns
[    0.009201] rmem_count: 1
[    0.013124]
[    0.014798] rsvmem_remap 143, rmem->name ramoops_mem
[    0.021374] rsvmem_remap 147, no compatible prop
[    0.027954] Console: colour dummy device 80x25
[    0.032992] Calibrating delay loop (skipped), value calculated using timer frequency.. 54.00 BogoMIPS (lpj=108000)
[    0.044670] pid_max: default: 32768 minimum: 301
[    0.050043] Security Framework initialized
[    0.054673] SELinux:  Initializing.
[    0.058749] Mount-cache hash table entries: 2048 (order: 2, 16384 bytes)
[    0.066316] Mountpoint-cache hash table entries: 2048 (order: 2, 16384 bytes)
[    0.075286] ftrace: allocating 40059 entries in 157 pages
[    0.199328] sched-energy: CPU device node has no sched-energy-costs
[    0.206445] Invalid sched_group_energy for CPU0
[    0.211566] CPU0: update cpu_capacity 1024
[    0.216203] ASID allocator initialised with 32768 entries
[    0.257861] EFI services will not be available.
[    0.271040] Brought up 1 CPUs
[    0.274382] SMP: Total of 1 processors activated.
[    0.279719] CPU features: detected feature: 32-bit EL0 Support
[    0.286310] CPU features: detected feature: Kernel page table isolation (KPTI)
[    0.297850] CPU: All CPU(s) started at EL2
[    0.302498] alternatives: patching kernel code
[    0.307778] Invalid sched_group_energy for CPU0
[    0.312905] CPU0: update max cpu_capacity 1024
[    0.317926] Invalid sched_group_energy for Cluster0
[    0.324207] devtmpfs: initialized
[    0.352378] DMI not present or invalid.
[    0.357186] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.368238] futex hash table entries: 256 (order: 3, 32768 bytes)
[    0.377289] pinctrl core: initialized pinctrl subsystem
[    0.385487] NET: Registered protocol family 16
[    0.402737] cpuidle: using governor ladder
[    0.419434] cpuidle: using governor menu
[    0.424155] vdso: 2 pages (1 code @ ffffff8008ec7000, 1 data @ ffffff8009374000)
[    0.432519] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.
[    0.441794] DMA: preallocated 256 KiB pool for atomic allocations
[    0.449380] rst-control : base ffffff800804b600, offset 0xb4
[    0.455880] ****** rtk_lockapi_init 620, chip: id=0x00000000, revision=0x00010000
[    0.471873] gpiochip_add_data: GPIOs 0..100 (rtk_misc_gpio) failed to register
[    0.480349] [drivers/gpio/gpio-rtd129x.c]  rtk_gpio_probe  line: 844
[    0.493472] [GPIO] set_default_gpio: Could not get gpio from of
[    0.500234] [GPIO] set_default_gpio: Could not get gpio from of
[    0.507567] gpiochip_add_data: GPIOs 101..135 (rtk_iso_gpio) failed to register
[    0.515931] [drivers/gpio/gpio-rtd129x.c]  rtk_gpio_probe  line: 844
[    0.525116] [GPIO] No default gpio need to set
[    0.540036] [RTK_SB2_DBG] Info 0x10000
[    0.544457] [RTK_SB2_DBG] memory monitor 0x98013b00 - 0x98013c00
[    0.551418] [RTK_SB2_DBG] initialized
[    0.668278] ACPI: Interpreter disabled.
[    0.673084] Unable to handle kernel NULL pointer dereference at virtual address 000000d4
[    0.682335] [00000000000000d4] user address but active_mm is swapper
[    0.689550] Internal error: Oops: 96000045 [#1] PREEMPT SMP
[    0.695824] Modules linked in:
[    0.699268] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.181-rtd1295 #1
[    0.706809] Hardware name: Realtek_RTD1295 (DT)
[    0.711909] task: ffffffc0222dcd80 task.stack: ffffffc0222e0000
[    0.718581] PC is at acpu_set_flag+0x50/0xb0
[    0.723388] LR is at acpu_set_flag+0x3c/0xb0
[    0.728194] pc : [<ffffff8008762a70>] lr : [<ffffff8008762a5c>] pstate: 80000045
[    0.736521] sp : ffffffc0222e3d00
[    0.740249] x29: ffffffc0222e3d00 x28: ffffff8009324c90
[    0.746234] x27: 0000000000000005 x26: ffffff80092be7b0
[    0.752219] x25: ffffff8009518000 x24: ffffff8009250468
[    0.758204] x23: ffffff8009242330 x22: ffffff800956c000
[    0.764188] x21: 00000000000000d4 x20: 0000000000000000
[    0.770171] x19: 0000000000000000 x18: 0000000000000000
[    0.776154] x17: 0000000000000000 x16: 000000000000000e
[    0.782137] x15: ffffffffffffffff x14: ffffffffffffffff
[    0.788121] x13: ffffffffffffffff x12: 0000000000000008
[    0.794104] x11: 0101010101010101 x10: 7f7f7f7f7f7f7f7f
[    0.800087] x9 : fefefefefefeff64 x8 : 7f7f7f7f7f7f7f7f
[    0.806072] x7 : 616e716f6e737460 x6 : 0080808080808080
[    0.812054] x5 : 0000000000000000 x4 : ffffffffffffffff
[    0.818038] x3 : 0000000000000000 x2 : 00000000000000d4
[    0.824020] x1 : 0000000000000200 x0 : 0000000000000000
[    0.990726] Process swapper/0 (pid: 1, stack limit = 0xffffffc0222e0000)
[    1.216432] Call trace:
[    1.314646] [<ffffff8008762a70>] acpu_set_flag+0x50/0xb0
[    1.320634] [<ffffff800928a820>] rtk_suspend_init+0x30/0x80c
[    1.327010] [<ffffff8008283c3c>] do_one_initcall+0x44/0x130
[    1.333289] [<ffffff8009250cec>] kernel_init_freeable+0x190/0x234
[    1.340151] [<ffffff8008eaced0>] kernel_init+0x18/0x108
[    1.346033] [<ffffff8008283980>] ret_from_fork+0x10/0x50
[    1.352019] Code: d503201f 14000001 d503201f 52804001 (b90002a1)
[    1.358886] ---[ end trace 1c1cf6cb41d444c2 ]---
[    1.364214] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[    1.364214]
[    1.374520] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[    1.374520]

 


So you glue a BSP DTB from a 4.1 kernel together with a BSP 4.9 kernel.. good luck to get these things working.. :P In theory DTS should be backwards compatible, assuming that the drivers in the kernel are written properly.. :D well for a moment, we don't assume that all BSP drivers are written properly..

 

On 6/22/2019 at 2:15 AM, ShaRose said:

When compiling the DTS I did get a LOT of warnings, so I'm not sure if that's normal

 

depends what warnings.. a compile log might be helpful..

 

did you check how many partitions this WD thingie has? Those Android-based systems often have a bunch of them.. with some weird schema.. so you can probably guess on which one it should be found.. If stuff is not encrypted..

5 hours ago, ShaRose said:

## Flattened Device Tree blob at 01f00000

just tells you the memory address this thing is loaded into.. to actually see where it comes from, you probably have to look into sources.. But it's a Flattened device tree.. so it should be its own file for the dtb, it's not glued to the kernel so hope might be there that you just find it somewhere in the boot partition of your device..

 

1 hour ago, ShaRose said:

Maybe it needs to be built along with the kernel I'm actually using? Not really sure. I'll try a few other dtb files.

if it would be backwards compatible drivers then not (but since bsp kernels don't give a fuck about this.. it might mess.. it might also mess if you compile this dt with a new kernel..)

 

On 6/22/2019 at 2:15 AM, ShaRose said:

I also noticed when trying out different dtb files that the kernel would panic sooner or later: Some got as far as 9 seconds in. Not sure if that's good or bad though.

did you also test if the kernel panics reliably on the same event? :P When I had fun with the mediatek stuff.. it wasn't as predictable when the kernel crashed.. it was just sure that it will happen.. :P

 

1 hour ago, ShaRose said:

I found the wd-monarch-1GB.dts file, but I wasn't able to compile it: I'm assuming it has a bunch of preprocessor things to do during compilation, but the compile script wipes it away each time. Not really sure how I'd be able to compile it into a dtb.

does it throw errors during compilation? and if so, which ones? did you also check which dts or dtsi files are included in this dts.. did you copy them as well?

 

lastly. believing that a vendor DTS is correct is IMO naive.. my experience is more that the vendor dts is glued together from some reference-board dts modified until the thing actually boots up and mostly works before nobody ever has a look at those files.. a bunch of nodes are there which are not populated on the actual board, on the other hand.. those there might not be 100% correct.. :P  But you might frankenstein together a 4.9 DTS from some reference boards there by looking into a working 4.1 DTS (for the 4.1 kernel).. if the same reference boards are present on a 4.1 and a 4.9 kernel it might be easy to get an idea how things have to change.. :P

 


:), yes that is not really unexpected. But I think, we still can get some information from it.

(BTW,  I will not be able to contribute very much in the next few days)

14 hours ago, chwe said:

So you glue a BSP DTB from a 4.1 kernel together with a BSP 4.9 kernel.. good luck to get these things working.. :P In theory DTS should be backwards compatible, assuming that the drivers in the kernel are written properly.. :D well for a moment, we don't assume that all BSP drivers are written properly..

 

I don't really know anything about embedded stuff, so I figured it was worth a shot.

 

14 hours ago, chwe said:

depends what warnings.. a compile log might be helpful..

 

Considering it was coming from a tarred device tree, probably not, but here.

<stdout>: Warning (unit_address_vs_reg): Node /soc has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /rtk_iso_gpio@98007100/scdc_rr@98007200 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /dwc3_u3host_usb2phy has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /dwc3_u3host_usb3phy has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /timer0@9801b000 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /ramoops@10014000 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /rtk_dwc3_drd@98013200/rtk_dwc3_drd_type_c has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /rfkilligpio@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /usb_phy_rle0599 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/pll_bus_h has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/pll_vodma has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/pll_acpu has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/pll_ddsa has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/pll_ddsb has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/pll_scpu has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/pll_bus has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/pll_gpu has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/pll_ve1 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/pll_ve2 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/clk_vodma has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/clk_gpu has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/clk_sys has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/clk_ve1 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/clk_ve2 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /clocks/clk_ve3 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/ir@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/ir@1 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/rgmii@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/rgmii@1 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/i2c@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/i2c@1 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/i2c@2 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/i2c@3 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/i2c@4 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/i2c@5 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/i2c@6 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/spi@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/spi@1 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/tp0@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/tp0@1 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/tp1@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/tp1@1 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/etn_led@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/spdif@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/scpu_ejtag@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/scpu_ejtag@1 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/pwm0_0@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/pwm0_1@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/pwm3_0@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/pwm3_1@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/uart0@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/uart1@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/uart2@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/uart2@1 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/gspi@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/i2s_out@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/i2s_out@1 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/pcie@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/sdcard_low@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/pwm1@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/pwm2@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/sdio@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/dc_fan_sensor@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/sdcard_high@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /pinctrl@9801A000/acpu_ejtag@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_iso_mis has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_nat_wrap has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_mipi_aphy has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_mhl3_en has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_cp has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_cr has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_md has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_se has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_tp has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_vo has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_disp_top has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_cecrx_aphy has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_usb_p3_mac_A has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_gpu has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_mis has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_sb2 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_rsa has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_ve1 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_ve2 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_ve3 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_scpu_wrapper has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_emmc has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_gspi has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_jpeg has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_mipi has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_nand has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_sata has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_sdio has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_usb_p0_iso has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_usb_p0_mac has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_usb_p0_phy has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_usb_p3_iso has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_usb_p3_phy has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_hdmirx has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_jd_top has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_lsadc_top has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_cbus has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_sdio has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_iso_sata_p0 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_iso_sata_p1 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_cectx_aphy has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_pcie1 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_pcie2 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_disp_core has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_usb_p0 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_usb_p1 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_usb_p2 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_l4_icg_usb_p3 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_adc has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_gpu has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_nat has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_rtc has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_ve1 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_ve2 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_ve3 has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_cr has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/pctrl_usb_p3_mac_ECO_B has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/dc0_pll has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power_control/dc1_pll has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /memory has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /timer1@9801b000 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /resets/usb_rst has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /reserved-memory/ramoops_mem has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /mem_remap/rbus has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /mem_remap/ringbuf has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /mem_remap/common has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /dwc3_drd_usb2phy has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /dwc3_drd_usb3phy has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /rtd1295-lsadc@0x98012800/rtd1295-lsadc1-pad0@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /rtd1295-lsadc@0x98012800/rtd1295-lsadc1-pad1@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /rtd1295-lsadc@0x98012800/rtd1295-lsadc0-pad0@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /rtd1295-lsadc@0x98012800/rtd1295-lsadc0-pad1@0 has a unit name, but no reg property
<stdout>: Warning (unit_address_vs_reg): Node /rtk_usb_power_manager has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /power-management has a reg or ranges property, but no unit name
<stdout>: Warning (unit_address_vs_reg): Node /dwc3_u2host_usb2phy has a reg or ranges property, but no unit name
<stdout>: Warning (pci_bridge): Node /pcie2@9803B000 node name is not "pci" or "pcie"
<stdout>: Warning (unit_address_format): Failed prerequisite 'pci_bridge'
<stdout>: Warning (pci_device_reg): Failed prerequisite 'pci_bridge'
<stdout>: Warning (pci_device_bus_num): Failed prerequisite 'pci_bridge'

 

14 hours ago, chwe said:

did you check how many partitions this WD thingie has? Those Android-based systems often have a bunch of them.. with some weird schema.. so you can probably guess on which one it should be found.. If stuff is not encrypted..

just tells you the memory address this thing is loaded into.. to actually see where it comes from, you probably have to look into sources.. But it's a Flattened device tree.. so it should be its own file for the dtb, it's not glued to the kernel so hope might be there that you just find it somewhere in the boot partition of your device..

 

24 partitions, 23 of them for the system, one for user data. I know any of the partitions that could mount didn't have it because one of the first things I did was run a for loop to mount every one into /mnt/wdcloud/part_xx, and then ran file / grep.

 

14 hours ago, chwe said:

did you also test if the kernel panics reliably on the same event? :P When I had fun with the mediatek stuff.. it wasn't as predictable when the kernel crashed.. it was just sure that it will happen.. :P

 

If you mean with the same DTB, yes: The only difference (once you remove timestamps) is the trace ID at the end of the crash.

 

14 hours ago, chwe said:

does it throw you errors during compilation? and if so, which one? did you also check which dts or dtsi files are included in these dts.. did you copy them as well?

 

lastly. believing that a vendor DTS is correct is IMO naive.. my experience is more that the vendor dts is glued together from some reference-board dts modified until the thing actually boots up and mostly works before nobody ever has a look at those files.. a bunch of nodes are there which are not populated on the actual board, on the other hand.. those there might not be 100% correct.. :P But you might frankenstein together a 4.9 DTS from some reference boards there by looking into a working 4.1 DTS (for the 4.1 kernel).. if the same reference boards are present on a 4.1 and a 4.9 kernel it might be easy to get an idea how things have to change.. :P

 

 

The dtsi files weren't included in the vendor output, and even in the source area there weren't any for the wd_stuff. As for editing the 4.9 DTS files to match, I still don't know how to stop compile.sh from blowing away any changes I make, nor do I know how to just tell it to build the DTS files and nothing else (without cleaning anything).

On 6/23/2019 at 1:24 AM, ShaRose said:

Using Device Tree in place at 0000000001f00000, end 0000000001f122aa

 

@ShaRose, do you have root access on your original system? Can you try:

dd if=/dev/mem bs=1 skip=32505856 count=74410 of=original.dtb

(skip and count are translated from hex to dec)

 

@others Meanwhile I was experimenting with the d/g/r> shell. I'm struggling to make ymodem work in minicom but I have some ideas...
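One way to check a dump such as the one the dd command above produces, as an added example that is not part of the original post: it converts U-Boot's "in place" line to decimal, validates the FDT header against the devicetree specification's version 17 layout, and scans a raw image for blobs whose header is consistent. Function names and the sample blob are constructed for illustration; because the page does not say whether "end" is the last byte or one past it, the header's totalsize is treated as the authoritative length.

```python
"""Check a device tree blob (DTB) carved out of a raw memory or flash dump."""
import re
import struct

FDT_MAGIC = 0xD00DFEED
# struct fdt_header (version 17 layout): ten big-endian 32-bit fields.
FDT_HEADER = struct.Struct(">10I")
FIELDS = ("magic", "totalsize", "off_dt_struct", "off_dt_strings",
          "off_mem_rsvmap", "version", "last_comp_version",
          "boot_cpuid_phys", "size_dt_strings", "size_dt_struct")
IN_PLACE = re.compile(
    r"Using Device Tree in place at ([0-9a-fA-F]+), end ([0-9a-fA-F]+)")
# Line copied from the boot log quoted in the post above.
SAMPLE_LOG_LINE = ("   Using Device Tree in place at 0000000001f00000, "
                   "end 0000000001f122aa")


def region_from_log(log_text):
    """Return (start, end - start) in decimal from U-Boot's 'in place' line."""
    match = IN_PLACE.search(log_text)
    if match is None:
        raise ValueError("no 'Using Device Tree in place' line in the log")
    start, end = (int(group, 16) for group in match.groups())
    if end <= start:
        raise ValueError("end address is not above the start address")
    return start, end - start


def check_dtb(blob):
    """Parse the FDT header at the start of blob; return (header, problems)."""
    if len(blob) < FDT_HEADER.size:
        return {}, ["shorter than the 40-byte FDT header"]
    hdr = dict(zip(FIELDS, FDT_HEADER.unpack_from(blob)))
    if hdr["magic"] != FDT_MAGIC:
        return hdr, ["bad magic 0x%08x, expected 0xd00dfeed" % hdr["magic"]]
    problems = []
    total = hdr["totalsize"]
    if total < FDT_HEADER.size:
        problems.append("totalsize %d is smaller than the header" % total)
    if total > len(blob):
        problems.append("truncated: header says %d bytes, dump has %d"
                        % (total, len(blob)))
    for off, size in (("off_dt_struct", "size_dt_struct"),
                      ("off_dt_strings", "size_dt_strings")):
        if hdr[off] < FDT_HEADER.size or hdr[off] + hdr[size] > total:
            problems.append("%s/%s fall outside the blob" % (off, size))
    if not FDT_HEADER.size <= hdr["off_mem_rsvmap"] < total:
        problems.append("off_mem_rsvmap falls outside the blob")
    if hdr["last_comp_version"] > hdr["version"]:
        problems.append("last_comp_version is newer than version")
    return hdr, problems


def find_dtbs(image):
    """Return (offset, totalsize) for every magic hit whose header validates."""
    magic = struct.pack(">I", FDT_MAGIC)
    view = memoryview(image)
    hits = []
    pos = image.find(magic)
    while pos != -1:
        hdr, problems = check_dtb(view[pos:])
        if not problems:
            hits.append((pos, hdr["totalsize"]))
        pos = image.find(magic, pos + 1)
    return hits


def build_sample_dtb():
    """Constructed sample: the smallest valid DTB (one empty root node)."""
    struct_block = struct.pack(">4I", 1, 0, 2, 9)  # BEGIN_NODE "", END_NODE, END
    rsvmap = bytes(16)                             # terminating (0, 0) entry
    off_rsv = FDT_HEADER.size
    off_struct = off_rsv + len(rsvmap)
    off_strings = off_struct + len(struct_block)   # empty strings block
    header = FDT_HEADER.pack(FDT_MAGIC, off_strings, off_struct, off_strings,
                             off_rsv, 17, 16, 0, 0, len(struct_block))
    return header + rsvmap + struct_block


if __name__ == "__main__":
    print("skip=%d span=%d" % region_from_log(SAMPLE_LOG_LINE))
    dtb = build_sample_dtb()
    print("full dump:", check_dtb(dtb)[1] or "ok")
    print("one byte short:", check_dtb(dtb[:-1])[1])
    print("scan:", find_dtbs(b"\xff" * 100 + dtb + bytes(20)))
```

A dump that fails `check_dtb` with a bad magic was read from the wrong place; one that fails as truncated started at the right place but was cut short.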

8 hours ago, danman said:

 

@ShaRose, do you have root access on your original system? Can you try:


dd if=/dev/mem bs=1 skip=32505856 count=74410 of=original.dtb

(skip and count are translated from hex to dec)

 

@others Meanwhile I was experimenting with the d/g/r> shell. I'm struggling to make ymodem work in minicom but I have some ideas...

Wouldn't really matter since I was able to compile the DTB from the gpl sources though, would it?

9 hours ago, danman said:

Any ideas?

Sorry, no.

Does your boot log suggest that the box even tries to access the SPI-flash? Or does it not matter what you have written to the SPI?


@Staars, I think it doesn't matter. But I'm celebrating first success booting code from d/g/n

d/g/r>h                                                                                                                 
download to 0x80005EF0                                                                                                  
                                                                                                                        
Ymodem:                                                                                                                 
CCCCCCCC                                                                                                                
d/g/r>s                                                                                                                 
98007058                                                                                                                
98007058 = 0x00020000                                                                                                   
                                                                                                                        
d/g/r>d                                                                                                                 
download to 0x00020000                                                                                                  

Ymodem:                                                                                                                 
CCCCCCCCCCCCCCCCCCCCCCCCC
crc32:0xA96F74D3, len:0x000B21E0

d/g/r>g
jump to 0x00020000
64b


U-Boot 2012.07 (Aug 13 2016 - 10:06:21)

CPU  : Cortex-A53 quad core - AARCH32
Board: Realtek QA Board
DRAM:  0 Bytes
Watchdog: Disabled
Cache: Enabled
Non-Cache Region: 1 MB@0x07900000
MMC:   rtk_emmc : Detect chip rev. >= B
RTD1295 eMMC: 0
rtk_emmc : Detect chip rev. >= B
EMMC ERROR ---------> Response timeout
Card did not respond to voltage select!
mmc->version=0x00010000
version=0x00000004
[LY] cardtype=57, mmc->card_caps=0f
[LY] freq = 00464388, clk diver = 00000080
[LY] speed up emmc at HS-200 
[LY] HS-200 bus width=2
[LY] mmc->boot_caps = 20b
TEMP TX_WINDOW=0x1ffffff8, TX_best=0xf 
RX_WINDOW=0xffff41ff, RX_best=0x1c 
TX1_WINDOW=0x1fffff80, TX_best=0x11 
[LY] hs200 : 0
[HC] WPG_SIZE = 4194304
Device: RTD1295 eMMC
Manufacturer ID: 11
OEM: 100
Name: 008G7 
Tran Speed: 5f5e100
Rd Block Len: 512
MMC version 4.0
High Capacity: No
Capacity: 7.3 GiB
Bus Width: 8-bit
Speed: HS200
Factory: MMC
Factory: pp:0, seq#:0x25, size:0x25a00
------------tmp/factory/000BootParam.h found
[logo]src w/h=1280/720 dst w/h=3840/2160
In:    serial
Out:   serial
Err:   serial
Net:   Realtek PCIe GBE Family Controller mcfg = 0024
dev->name=r8168#0
Hit Esc or Tab key to enter console mode or rescue linux:  0 
------------can't find tmp/factory/recovery
======== Checking into android recovery ====

Start Boot Setup ... 
---------------LOAD  NORMAL FW  TABLE ---------------
[INFO] fw desc table base: 0x00620000, count: 22
Normal boot fw follow...
Kernel:
         FW Image to 0x03000000, size=0x00f3d000 (0x03f3d000)
         FW Image fr 0x02b30400 
DT:
         FW Image to 0x01f00000, size=0x0000f448 (0x01f0f448)
         FW Image fr 0x027b0200 
Audio FW:
         FW Image to 0x01b00000, size=0x003401a8 (0x01e401a8)
         FW Image fr 0x027f0200 
IMAGE FILE:
         FW Image to 0x1e800000, size=0x00384000 (0x1eb84000)
         FW Image fr 0x199002000 
Start A/V Firmware ...
kylin_bring up hwsetting
Finish kylin_bring_temp hwsetting
[+][AO][aio_HWEnable]
[AO]aio_CRTOn:
SYS_CLOCK_ENABLE1 [ 0x9800000c]: 0x13dec561
SYS_CLOCK_ENABLE2 [ 0x98000010]: 0x58ffe416
SYS_SOFT_RESET1 [ 0x98000000]: 0xb7da1001
SYS_SOFT_RESET4 [ 0x98000050]: 0x0000801f
[AO]ao_SetDACAnalogOn:
TVE_VDAC_CTR1 [ 0x980183a0]: 0xa86c0280
x1O_O_ACANA_GCTL1 [ 0x980066E0X4P]:OR 0T xE24N9V 5A15T0 04
NAI0O_00I_00A0CA
64_tAkD_pC_reGCloTaLd2 _b[o o0xti98ma0g06es61 :0 ]:l oa0xd 8U80-Bao3ao0t0 
 0IfOro_Im_ 0AxDC0_0T0C2O81N 2[5  t0ox9 08x00016650f0c]00:0 0 wx2i2th1 fs00i0z0e
Ax0IO0_10I_0A00DC0_
TCON [ 0x980066fc]: 0x221fff00
[-][AO][aio_HWEnable]
[ACPU] Set protect, start: 0x00000000 end: 0x00001000 moduleid:6
HDMI Raw Enable: MPG AC3 DTS MPEG2 AAC DDP WMAPRO MLP 

SPDIF Raw Enable: MPG AC3 DTS MPEG2 AAC DDP WMAPRO MLP 

Force 2ch Format: DTS DTSHD AC3 DDP MLP AAC WMAPRO 


@@@@@@@One Step TV System magic number = 0xffffffff, addr = 0xa001f800@@@@@@@
[AUDIO WARNING] ERR UNCACHEABLE_VADDR  0xb8071200 @  0x81b2e590

@@@@One Step magic number not match! use fw default TV System!
[@@VIDEO_RPC_VOUT_ToAgent_ConfigTVSystem_0_svc]type 0!
HDMIOff = 0
[VO]vo->is_hdmi_off_clock_on:86248
[@@VIDEO_RPC_VOUT_ToAgent_ConfigVideoStandard_0_svc]
[VO_SetVideoStandard]st 25 p 1 1 0
[VO_SetVideoStandard]ped 1 data0  0x00000004 data1  0x00000000
 VO_SetVideoStandard]HDMIoff 0c oipsy__t2vned__obno o1t luosaedre_rc_vabnsd__orfufn  0:
slrvcd:s0.xf0o1r5m0a0t0 000 ,p odrstt_:s0ext0ti0n0g2 1 000x00,0 0s0i0z3e81: 0lxv0d0s0_bw1b0 000

.JVuOm pseitnTgV Sttoa n2dnadr db o2o5t l3oDa d0e r0.].

(
TVE) TVE_DAC_mode 0,cmd->enProg 1!!
TV_NTSC_J
~~comp 0, ch2 1, mode_3D 0!!
~~comp 0, ch2 1, mode_3D 0!!
~~TVE standard#
SetVideoStandard return!
[@@VIDEO_RPC_VOUT_ToAgent_ConfigHdmiInfoFrame_0_svc]

(VO_ConfigHDMI_InfoFrame) L:236, is_hdmi_plugin 1, hdmiMode 1!!Mode 1 dataByte1  0x00000040  0x000000a8  0x00000000
dataByte4  0x00000000  0x00000000 int0  0x00000001

(HDMI_3D) mode 1, HDMI_gen 1, En_3D 0, Format_3D 0 scramble:0!!@@@@DeepColor:0 deep Depth:0 

 go back SET_HDMI!!boot_info  0xa001f600 magic  0x2452544b en 1
boot_info.w 1280 h 720
boot_addr  0x1e800000
w 1280, h 720, img0  0x1e800000, pitch0 5120
disp.x 0 y 0 w 1920 h 1080
PowerOnOSD~~
[AO][_AO_if_video_HDMI_mode]gpAudio->HDMI_output_en = 0


U-Boot 2015.07-ge1162f1 (Aug 02 2016 - 11:24:56 +0800)

CPU  : Cortex-A53 Quad Core
Board: Realtek QA Board
[ERR] get_accessible_ddr_size: hw setting error. (impossible value 0x0)
[ERR] Fall back to using CONFIG_SYS_RAM_DCU1_SIZE
DRAM:  1 GiB
mapping memory 0x20000000-0x40000000 non-cached
In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  0 
rtk_plat_set_fw not port yet, use default configs
## Flattened Device Tree blob at 01f00000
   Booting using the fdt blob at 0x1f00000
   reserving fdt memory region: addr=0 size=30000
   reserving fdt memory region: addr=1f000 size=1000
   reserving fdt memory region: addr=30000 size=d0000
   reserving fdt memory region: addr=2c00000 size=b800000
   reserving fdt memory region: addr=1b00000 size=4be000
   reserving fdt memory region: addr=2600000 size=600000
   reserving fdt memory region: addr=1ffe000 size=4000
   reserving fdt memory region: addr=11000000 size=9200000
   reserving fdt memory region: addr=10000000 size=14000
   reserving fdt memory region: addr=2200000 size=400000
   Using Device Tree in place at 0000000001f00000, end 0000000001f12447
Bring UP slave CPUs
Jump to BL31 entrypoint
"Synchronous Abort" handler, esr 0x02000000
ELR:     10120000
LR:      23e90
x0 : 0000000000280000 x1 : 0000000001f00000
x2 : 0000000010120000 x3 : 0000000000000000
x4 : 000000000000d40a x5 : 0000000001f0e000
x6 : 0000000001f00000 x7 : 0000000001f0d4f2
x8 : 0000000001f000d8 x9 : 0000000001008000
x10: 000000000a200023 x11: 0000000000000002
x12: 0000000000000002 x13: 00000000000fec10
x14: 0000000001f0e000 x15: 00000000000228e4
x16: 0000000000022b8c x17: 5090100082221ac5
x18: 000000003ff44ea8 x19: 0000000000000400
x20: 0000000000000400 x21: 00000000000477e8
x22: 0000000000000003 x23: 00000000000ffd50
x24: 0000000000000000 x25: 0000000000000000
x26: 0000000001400000 x27: 0000000000023e48
x28: 0000000000000000 x29: 00000000000ffba0

Resetting CPU ...

resetting ...
"Synchronous Abort" handler, esr 0x96000021
ELR:     233dc
LR:      2416c
x0 : 00000000000000a5 x1 : 0000000000d7c601
x2 : 0000000000d7c601 x3 : 0000000000000001
x4 : 000000009801b50c x5 : ffffffff00000000
x6 : 000000000003b000 x7 : 000000000000000f
x8 : 0000000001f000d8 x9 : 0000000001008000
x10: 000000000a200023 x11: 000000000000000c
x12: 0000000000000002 x13: 00000000000fec10
x14: 0000000001f0e000 x15: 00000000000228e4
x16: 0000000000022b8c x17: 5090100082221ac5
x18: 000000003ff44ea8 x19: 00000000000ffaa0
x20: 0000000000000400 x21: 00000000000477e8
x22: 0000000000000003 x23: 00000000000ffd50
x24: 0000000000000000 x25: 0000000000000000
x26: 0000000001400000 x27: 0000000000023e48
x28: 0000000000000000 x29: 00000000000ff950

Resetting CPU ...

resetting ...
"Synchronous Abort" handler, esr 0x96000021
ELR:     233dc
LR:      2416c
x0 : 00000000000000a5 x1 : 0000000001326344
x2 : 0000000001326344 x3 : 0000000000000001
x4 : 000000009801b50c x5 : ffffffff00000000
x6 : 000000000003b000 x7 : 000000000000000f
x8 : 0000000001f000d8 x9 : 0000000001008000
x10: 000000000a200023 x11: 000000000000000c
x12: 0000000000000002 x13: 00000000000fec10
x14: 0000000001f0e000 x15: 00000000000228e4
x16: 0000000000022b8c x17: 5090100082221ac5
x18: 000000003ff44ea8 x19: 00000000000ff850
x20: 0000000000000400 x21: 00000000000477e8
x22: 0000000000000003 x23: 00000000000ffd50
x24: 0000000000000000 x25: 0000000000000000
x26: 0000000001400000 x27: 0000000000023e48
x28: 0000000000000000 x29: 00000000000ff700

Resetting CPU ...

or

d/g/r>h                                                                                                                 
download to 0x80005EF0                                                                                                  
                                                                                                                        
Ymodem:                                                                                                                 
CCCCCCCCCCxBFD37A61, len:0x00000680                                                                                     
                                                                                                                        
d/g/r>s                                                                                                                 
98007058                                                                                                                
98007058 = 0x10100000                                                                                                   
                                                                                                                        
d/g/r>d                                                                                                                 
download to 0x10100000                                                                                                  

Ymodem:                                                                                                                 
CCCCCCCCCC
crc32:0xD5BB5842, len:0x00010BA0

d/g/r>g
jump to 0x10100000
64b
<=============================================>
fsbl_main: sys_secure_type = 0x0000BEEE
fsbl_main: sys_boot_type = 0x00000002
fsbl_main: sys_boot_enc = 0x00000000
fsbl_main: sys_bisr_done = 0x00000000
Time out 
Time out 
Time out 
sys_hwsetting_size:B25F8493
sys_bootcode_size:B6A21E75
sys_secure_fsbl_size:1E28B723
sys_secure_os_size:26B3B9BB
sys_bl31_size:738D6681
sys_rsa_key_fw_size:E42FBBDF
sys_rsa_key_tee_size:DAE32C2D
sys_rescue_size:9E8B6998

HwSetting:
hwsetting_blk_no:00000100
hwsetting_total_size:B25F8513
hwsetting_blk_count:00592FC3

Bootcode:
bootcode_blk_no:005930C3
bootcode_total_size:B6A21E95
bootcode_blk_count:005B5110

FSBL:
secure_fsbl_blk_no:00B481D3
secure_fsbl_total_size:1E28B743
secure_fsbl_blk_count:000F145C

TEE OS:
secure_os_blk_no:00C3962F
secure_os_total_size:26B3B9DB
secure_os_blk_count:001359DD

BL31:
bl31_blk_no:00D6F00C
bl31_total_size:738D66A1
bl31_blk_count:0039C6B4

RSA Key Fw:
rsa_key_fw_blk_no:0110B6C0
rsa_key_fw_total_size:E42FBBFF
rsa_key_fw_blk_count:007217DE

RSA Key TEE:
rsa_key_tee_blk_no:0182CE9E
rsa_key_tee_total_size:DAE32C4D
rsa_key_tee_blk_count:006D7197

Rescue:
rescue_blk_no:01F04035
rescue_total_size:9E8B69B8
rescue_blk_count:004F45B5
********** FW_TYPE_GOLD_TEE **********                                                                                  
fwInfo->fwType: 00000023                                                                                                
fwInfo->isGolden: 00000001                                                                                              
fwInfo->ddrReadAddr: 00520000                                                                                           
fwInfo->ddrDestAddr: 10200000                                                                                           
fwInfo->flashType: 00000002                                                                                             
fwInfo->flashUnitSize: 00000200                                                                                         
fwInfo->flashOffset: 872C5E00                                                                                           
fwInfo->dataSize: 26B3B9DB                                                                                              
body_size:26B3B9BB                                                                                                      
flash_unit_no:0043962F                                                                                                  
flash_unit_count:001359DD                                                                                               
Time out                                                                                                                
Time out                                                                                                                
Time out                                                                                                                
Time out                                                                                                                
Time out                                                                                                                

 


🤔, it is a start.

slightly off-topic: Is there any use for the SPI-flash on your zidoo, when using it as a TV-box? It seems to get ignored anyway or did I misunderstand something?


Its main purpose is to help with boot but without switching BOOTSEL it cannot be used. So currently it is doing nothing and I'm out of ideas how to find it... :/ Perhaps you could X-ray my box too?

 

But first, I'd like to have a reliable way to recover whole eMMC without attached wires which is very close now.

Then I'd like to experiment with running various systems (your armbian, porting Android 7 from w2, etc.) to be able to use HDMI input with hw encoding, preferably with ffmpeg. SPI is only a bonus milestone for me.

4 hours ago, danman said:

 

Its main purpose is to help with boot but without switching BOOTSEL it cannot be used. So currently it is doing nothing and I'm out of ideas how to find it... :/ Perhaps you could X-ray my box too

 

That is my impression too. 

I better put my box in my bag for tomorrow now. Yesterday I forgot it. At least we will get a very special product picture :)

 

My interest in the SPI-solution is based on the hope to get rid of the encrypted bootloaders. On the Lake1 we would have to keep the partition structure of the emmc as delivered, because the fixed boot process breaks if anything unplanned happens to the emmc (and not only to a boot partition). So ATM you better not touch the emmc.


Btw, do you have two Lake1 boxes now? Don't you want to try to recover the bricked one using one of my methods (soldering or d/g/r boot)? Can you send me the first 20 megs of eMMC from a working one?

29 minutes ago, danman said:

Btw, do you have two Lake1 boxes now? Don't you want to try to recover the bricked one using one of my methods (soldering or d/g/r boot)? Can you send me the first 20 megs of eMMC from a working one?

Yes, I have two now. 

Some posts ago I briefly described how I bricked the first one.

d/g/r needs SPI-flash, which is not populated on the Lake1. The first try to solder a chip went wrong (probably incompatible chip, maybe a defective one or bad soldering). I have now been waiting some weeks for the arrival of new chips (the one chwe told me about), but somehow it takes a very long time.

I think that your soldering trick will not work with my box. I can flash all sorts of firmware without a problem, but the box complains about an encryption error early in the boot process. That’s why I believe that a pure emmc-boot is impossible forever on that box.

 

I could send you the data, but I would not recommend it. As long as we are not totally sure what happens with cross flashing and the SPI-path is not working, it might lead to a bricked box. AFAIK the zidoo boxes are exceptions with their firmware with more unencrypted parts, meaning I would especially not cross flash a zidoo box (unless you find a believable report that this works).

BTW, technically you can simply flash the (easy to find) lake-firmware on your box with the realtek utility,  but again: I DO NOT RECOMMEND THIS BASED ON MY CURRENT KNOWLEDGE.

3 minutes ago, Staars said:

d/g/r needs SPI-flash

I'm convinced this is not true and I can prove it later.

 

4 minutes ago, Staars said:

That’s why I believe that a pure emmc-boot is impossible forever on that box.

I think this is also not true.

 

5 minutes ago, Staars said:

I can flash all sorts of firmware without a problem

What do you mean by this? Does the box boot?

 

My idea how to save your box:

1. extract hwconfig and uboot from the dump I asked for and a bootlog (it shows blob locations)

2. boot these using d/g/r into u-boot

3. reflash full emmc dump from working box to not working one within u-boot or recovery linux
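The first step above, sketched as an added example that is not danman's code: it parses the `FW Image to` / `FW Image fr` lines that the U-Boot log in this thread prints and reports which blobs fall inside a dump of a given length. It assumes the `fr` value is a byte offset from the start of the eMMC, which the page does not state; the function names and the small dump in the demo are constructed.

```python
"""Turn the 'FW Image to/fr' lines of the U-Boot log into an extraction plan."""
import re

SECTION = re.compile(r"^(\S[^:]*):\s*$")
FW_TO = re.compile(r"FW Image to (0x[0-9a-fA-F]+), "
                   r"size=(0x[0-9a-fA-F]+) \((0x[0-9a-fA-F]+)\)")
FW_FR = re.compile(r"FW Image fr (0x[0-9a-fA-F]+)")

# Lines copied from the boot log posted earlier in this thread.
SAMPLE_LOG = """\
Normal boot fw follow...
Kernel:
         FW Image to 0x03000000, size=0x00f3d000 (0x03f3d000)
         FW Image fr 0x02b30400
DT:
         FW Image to 0x01f00000, size=0x0000f448 (0x01f0f448)
         FW Image fr 0x027b0200
Audio FW:
         FW Image to 0x01b00000, size=0x003401a8 (0x01e401a8)
         FW Image fr 0x027f0200
IMAGE FILE:
         FW Image to 0x1e800000, size=0x00384000 (0x1eb84000)
         FW Image fr 0x199002000
Start A/V Firmware ...
"""


def parse_fw_table(log_text):
    """Return one dict per blob: name, load address, size, flash offset."""
    entries, name, pending = [], None, None
    for line in log_text.splitlines():
        section = SECTION.match(line)
        if section:
            name, pending = section.group(1), None
            continue
        to_line = FW_TO.search(line)
        if to_line:
            pending = tuple(int(value, 16) for value in to_line.groups())
            continue
        fr_line = FW_FR.search(line)
        if fr_line and pending and name:
            load, size, end = pending
            entries.append({
                "name": name, "load": load, "size": size,
                "flash": int(fr_line.group(1), 16),   # assumed byte offset
                # The value in parentheses should equal load + size.
                "consistent": load + size == end,
            })
            pending = None
    return entries


def locate(entries, dump_len, sector=512):
    """Mark which blobs lie wholly inside a dump of the first dump_len bytes."""
    return [dict(entry,
                 in_dump=entry["flash"] + entry["size"] <= dump_len,
                 sector_aligned=entry["flash"] % sector == 0)
            for entry in entries]


def carve(dump, entry):
    """Cut one blob out of a dump that starts at eMMC offset 0."""
    if not entry["consistent"]:
        raise ValueError("%s: load + size does not match the logged end"
                         % entry["name"])
    end = entry["flash"] + entry["size"]
    if end > len(dump):
        raise ValueError("%s ends at 0x%x, dump is only 0x%x bytes"
                         % (entry["name"], end, len(dump)))
    return dump[entry["flash"]:end]


if __name__ == "__main__":
    for row in locate(parse_fw_table(SAMPLE_LOG), 20 * 1024 * 1024):
        print("%-10s flash=0x%09x size=0x%08x in_first_20MiB=%s"
              % (row["name"], row["flash"], row["size"], row["in_dump"]))
    # Constructed log and dump, small enough to carve in memory.
    tiny = parse_fw_table("Blob:\n FW Image to 0x00001000, "
                          "size=0x00000004 (0x00001004)\n"
                          " FW Image fr 0x00000200\n")
    print(carve(bytes(0x200) + b"ABCD" + bytes(16), tiny[0]))
```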


I really hope you are right and will gladly change my opinion.

 

In this post: 

... you see the bootlog of the bricked box after flashing an Android image (OTP verification) including my incorrect assumption about ‚uu3‘.

 

On the bricked box I cannot reach any prompt. It is just the flashing procedure with the windows tools that works without an error message.


So you can flash from the windows utility but the box still doesn't boot, right?

 

Can you reach d/g/r from terminal using Ctrl+q?

2 hours ago, danman said:

So you can flash from the windows utility but the box still doesn't boot, right?

 

Can you reach d/g/r from terminal using Ctrl+q?

Yes I can flash, no I can‘t boot.

No, I can‘t reach d/g/r using ctrl+q.


@Staars, just because of you I did a test. I removed SPI flash and wiped the first 4 megs by writing zeroes:

$ sudo dd if=/dev/zero of=/dev/sdc bs=1M count=4
4+0 records in
4+0 records out
4194304 bytes (4.2 MB, 4.0 MiB) copied, 0.686883 s, 6.1 MB/s

result:

C1:80000000
C2
?
C3hswitch frequency to 0x00000046
frequency divider is 0x00000080
switch frequency to 0x00000046
frequency divider is 0x00000004
switch to SDR 8 bit
switch bus width to 0x00000008 bits success
0000001�
C1:80000000
C2
?uu3-1

but when I hold Ctrl+q while booting:

C1:80000000
C2
?
d/g/r>
d/g/r>
d/g/r>
d/g/r>
d/g/r>
d/g/r>
d/g/r>

So I am 99% sure d/g/r works regardless of what you have on your emmc, whether you have SPI or whatever. I believe this is firmware inside of the SoC.

What terminal are you using?


Yes, I see.

 

I tried „screen“ and „miniterm“ on macos and „hypertrm“ (the recommended one from bananapi) on win10. I think @jeanrhum also tried it without success, but I do not know which terminal he used.

 

I think that this d/g/r-thingie is part of the soc-firmware too, but it might be possible that a compatible SPI-chip is needed or (additionally) a resistor or something has to be added or removed before the SOC decides to launch this prompt. Keep in mind that the Lake1 (and some other boxes) do not have an SPI-chip when they leave the factory. They only have the unpopulated connector and maybe there is a missing secret sauce.

 

Anyway, I already have my bricked box prepared and it will get the x-ray-treatment tomorrow (if I do not forget it :wacko:).

 

BTW,  I wonder what the box expects to find on the usb device at the stage of „uu3-1“? 


My box also comes without SPI. Can you try minicom? Is it available on mac?

You should first press and hold both keys (you should see your USB-serial TX LED blinking quickly) and while holding, connect power to your box.

6 minutes ago, Staars said:

They only have the unpopulated connector and maybe there is a missing secret sauce.

I would check the schematics of the BPi W2 (assuming that those boards are more or less reference design at this part).. Maybe check CS pin during boot? or soldering a logic analyzer to sniff? :P

 

