
df

rootfs 8192 6156 2036 /
tmpfs 31684 /dev/shm
/dev/mtdblock5 32768 32768 0 /ebrmain
/dev/mtdblock6 477256 233632 243624 /mnt/ext1
/dev/mmcblk0p1 1932992 1002240 930752 /mnt/ext2

the script ins_usb_mod.sh exports the internal 500MB flash over usb

insmod /lib/modules/usb/Usbpdc.ko
insmod /lib/modules/usb/phMscd.ko file=/dev/mtdblock6

/etc/devicename

  • Pocket101
  • g-sensor
insmod /lib/modules/mma7455.ko

compress folders on the device

martin@acergpu:/dev/shm$ cat /mnt/c.sh
#!/bin/sh
tar cvf /mnt/ext2/b.tar /bin /dev /ebrmain /etc /lib /linuxrc /sbin /tmp /var /usr  
dmesg > /mnt/ext2/dmesg
cat /proc/cpuinfo > /mnt/ext2/cpuinfo
tar cvf /mnt/ext2/proc.tar /proc
tar cvf /mnt/ext2/sys.tar /sys

martin@acergpu:/dev/shm$ mkdir /dev/shm/pb
martin@acergpu:/dev/shm$ cp /mnt/{dmesg,proc.tar,sys.tar,cpuinfo,b.tar} /dev/shm/pb
  • i copied all into ~/pb-contents

cpuinfo

Processor       : ARM920T rev 0 (v4l)
BogoMIPS        : 201.93
Features        : swp half thumb 
CPU implementer : 0x41
CPU architecture: 4T                  <--- that can probably not run clozure common lisp
CPU variant     : 0x1
CPU part        : 0x920
CPU revision    : 0
Cache type      : write-back
Cache clean     : cp15 c7 ops
Cache lockdown  : format A
Cache format    : Harvard
I size          : 16384
I assoc         : 64
I line length   : 32
I sets          : 8
D size          : 16384
D assoc         : 64
D line length   : 32
D sets          : 8

Hardware        : SBZ2440
Revision        : 0000
Serial          : 0000000000000000

root

  • i’m the user reader and su doesn’t work

lsmod

mma7455          gravitation sensor, get-axis, mode switch
hal_s3c2440      Isp1582, charging, monitor irq, usb controller
einkfb           sending commands to display
pvi_io           suspend and keyboard, electrophoretic display driver

pcb schematic

  • NetronixEB600_Schematic (1).zip
  • it doesn’t look exactly identical but tp613 is on usb

pvi (prime view international)

  • drives source and gate drivers for 800x600 display
  • composes image with external lookup table from flash
  • 10MBytes/s to host 8bit async parallel interface with handshake
  • full screen commands
    • load picture 0xa0 stores data in external ram, 60kB for binary, 120kB for 2bit grayscale
    • stop loading 0xa1 recommended to always send this after data
    • display pic 0xa2
    • erase display 0xa3
    • controller remembers old image because the display has to be driven with the difference
    • init display 0xa4 makes display white and then loads data into display (if display was in an undefined state)
    • before powering down it is mandatory to make the display white
    • there is a special command that makes the display white even if content isn’t known
    • restore pic 0xa5 to swap between two images for menus…
  • partial drawing
    • load partial 0xb0
    • display partial picture 0xb1
    • ushort coordinates 16-bit, multiple of 4 pixels
  • get-status 0xaa
  • version 0xe0
  • display-size 0xe2 returns 0x22 to indicate 800x600 with 4bits grayscale
  • reset 0xee
  • normal mode 0xf0, sleep mode 0xf1, standby 0xf2
  • set-depth 0xf3
  • orientation, positive, negative, write flash rom, read from flash, write reg, read reg, read temperature
  • autorefresh 0xf9 by default 10min
    • cancel autorefresh, set refresh timer 0xfb, manual refresh 0xfc, read-refresh-timer
  • gray vs. b/w
    • monochrome allows general image flow smoothly from one image into next
    • grayscale is slower
    • controller sees, what is necessary from the difference image

isp1582

  • high speed usb periphery controller 480Mbit/s or 12Mbit/s
  • maintains up to 16 endpoints

ebrmain/bin/monitor.app

  • handles usb connection events

openinkpot

  • has usbmon module

its /etc/network/interfaces

auto lo
iface lo inet loopback

auto usb0
iface usb0 inet static
    address 192.168.111.1
    netmask 255.255.255.0
    broadcast 192.168.111.255
    gateway 192.168.111.2

try to compile the usbnet kernel module on my laptop:

  • Multi-purpose USB Networking Framework (the kernel's Kconfig help text for USB_USBNET):
This driver supports several kinds of network links over USB,
with "minidrivers" built around a common network driver core
that supports deep queues for efficient transfers.  (This gives
better performance with small packets and at high speeds).

The USB host runs "usbnet", and the other end of the link might be:
  • Another USB host, when using USB “network” or “data transfer” cables. These are often used to network laptops to PCs, like “Laplink” parallel cables or some motherboards. These rely on specialized chips from many suppliers.
  • An intelligent USB gadget, perhaps embedding a Linux system. These include PDAs running Linux (iPaq, Yopy, Zaurus, and others), and devices that interoperate using the standard CDC-Ethernet specification (including many cable modems).
  • Network adapter hardware (like those for 10/100 Ethernet) which uses this driver framework.
The link will appear with a name like "usb0", when the link is
a two-node link, or "eth0" for most CDC-Ethernet devices.  Those
two-node links are most easily managed with Ethernet Bridging

i do a firmware update to 15.3

  • the new firmware has some option to delete the ADE authorization; this is probably related to this output in dmesg:
/mnt/ext1/.adobe-digital-editions/devicesalt: Operation not permitted
Copying new files...
/mnt/ext2/.adobe-digital-editions/devicesalt: Operation not permitted
  • for pdf documents – i don’t think i care about that
  • gzip header of my debian’s initrd
00000000  1f 8b 08 00 01 5c 5f 4f  00 03 ac bd 09 7c 13 d5  |.....\_O.....|..|
00000010  f6 38 9e 34 49 1b a0 65  a2 b4 58 15 b4 d5 a0 ed  |.8.4I..e..X.....|
  • some arbitrary gzip data has this header:
00000000  1f 8b 08 08 92 a9 03 4d  00 03 52 65 6c 65 61 73  |.......M..Releas|
00000010  65 20 6e 6f 74 65 73 20  31 35 5f 33 5f 45 4e 47  |e notes 15_3_ENG|
00000020  2e 64 6f 63 00 ec 5b 07  5c 54 d7 d2 3f 0b 57 a4  |.doc..[.\T..?.W.|
  • header of cpio archive
martin@acergpu:/dev/shm$ hexdump -C init.cpio |head
00000000  30 37 30 37 30 31 30 30  30 30 30 46 46 35 30 30  |07070100000FF500|
00000010  30 30 34 31 45 44 30 30  30 30 30 30 30 30 30 30  |0041ED0000000000|
00000020  30 30 30 30 30 30 30 30  30 30 30 30 30 39 34 46  |000000000000094F|
00000030  35 46 35 43 30 31 30 30  30 30 30 30 30 30 30 30  |5F5C010000000000|
00000040  30 30 30 30 30 30 30 30  30 30 30 30 31 30 30 30  |0000000000001000|
  • header of the SWUP… file
00000000  50 6f 63 6b 65 74 42 6f  6f 6b 55 70 64 61 74 65  |PocketBookUpdate|
00000010  50 6f 63 6b 65 74 31 30  31 00 00 00 00 00 00 00  |Pocket101.......|
00000020  00 00 00 00 44 33 36 30  2e 31 35 2e 33 00 00 00  |....D360.15.3...|
00000030  b2 7d a2 a5 07 54 b2 7c  1b e9 89 5d 4a 17 4d dd  |.}...T.|...]J.M.|
00000040  7a 3d 9c 19 18 6b f6 30  15 b0 5f 38 4a c3 bc ab  |z=...k.0.._8J...|
00000050  b4 c0 e6 58 12 1b 8d c6  64 cc 17 a3 bd d6 dd c7  |...X....d.......|
00000060  ee a7 9e 1f 9f fb 37 7a  c9 d4 26 33 f6 05 18 62  |......7z..&3...b|
00000070  3d ad 8e 4d 8f 1e 1b 1e  3f c9 88 8b 1a 26 02 27  |=..M....?....&.'|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000100  6b 00 00 00 00 00 00 00  00 00 00 00 f8 17 0c 00  |k...............|
00000110  72 00 00 00 00 00 00 00  00 00 0d 00 c0 73 41 00  |r............sA.|
00000120  65 00 00 00 00 00 00 00  00 00 4f 00 00 44 e7 01  |e.........O..D..|
00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400  27 05 19 56 a5 52 79 f9  4c 6d 37 2b 00 0c 17 b8  |'..V.Ry.Lm7+....|
00000410  30 00 80 00 30 00 80 00  c1 99 8c 2a 05 02 02 00  |0...0......*....|
00000420  4c 69 6e 75 78 2d 32 2e  36 2e 31 38 2e 32 00 00  |Linux-2.6.18.2..|
00000430  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000440  00 00 a0 e1 00 00 a0 e1  00 00 a0 e1 00 00 a0 e1  |................|
*
00000460  02 00 00 ea 18 28 6f 01  00 00 00 00 b8 17 0c 00  |.....(o.........|
00000470  01 70 a0 e1 02 80 a0 e1  00 20 0f e1 03 00 12 e3  |.p....... ......|
  • maybe photorec can extract files or the beginning of compressed data
    • it finds lots of txt, a shell and a few other files, no gzip archive
  • the file contains a gzip block at 14448:
00003870  1f 8b 08 00 29 37 6d 4c  02 03 ec fd 0d 7c 54 c5  |....)7mL.....|T.|
00003880  d9 37 8e cf d9 dd 24 4b  88 70 42 5e 0c 10 65 03  |.7....$K.pB^..e.|
00003890  d1 46 1b f5 04 82 a6 34  ea 22 d1 46 c1 ba 40 54  |.F.....4.".F..@T|
  • the decompressed data seems to contain bootloader and kernel, here are the first strings:
Error: unrecognized/unsupported processor variant.
Error: unrecognized/unsupported machine ID (r1 = 0x
Available machine support:
ID (hex)        NAME
Please check your kernel config and/or bootloader.
initcall_debug
rdinit=
init=
loglevel=
quiet
debug
maxcpus=
nosmp
rootdelay=
rootfstype=
rootflags=
root=
load_ramdisk=
ramdisk_start=
prompt_ramdisk=
lpj=
reboot=
nohlt
fpe=
noinitrd root=/dev/mtdblock2 rw rootfstype=jffs2 init=/linuxrc console=ttySAC0
user_debug=
apm=
noalign
uncached
  • note the console=ttySAC0, apparently there is a serial console and also the filesystem type is given
  • and 1649516 (this can’t be decompressed)
00192b60  68 d0 8d e2 f0 8f bd e8  f8 48 06 00 1f 8b 08 00  |h........H......|
00192b70  34 2e 00 00 54 61 05 00  30 29 00 00 36 61 05 00  |4...Ta..0)..6a..|
00192b80  a4 29 00 00 58 18 00 00  e0 23 00 00 e2 23 00 00  |.)..X....#...#..|
00192b90  17 01 00 00 de 23 00 00  1f 01 00 00 58 21 00 00  |.....#......X!..|
  • and 30655424
01d3c3a0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
01d3c3c0  1f 8b 08 00 33 df 55 4b  00 03 ec 9d 0b 78 13 55  |....3.UK.....x.U|
01d3c3d0  da c7 27 b4 29 6d 6d cb  29 97 72 b1 40 85 72 11  |..'.)mm.).r.@.r.|
01d3c3e0  b9 24 69 9a 22 c2 42 5b  28 08 2d 14 5b 17 44 b0  |.$i.".B[(.-.[.D.|

  • this is the beginning of the decompressed data in this file
martin@acergpu:/dev/shm$ hexdump -C 30655424-dat |head
00000000  41 66 72 69 63 61 2f 00  00 00 00 00 00 00 00 00  |Africa/.........|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000060  00 00 00 00 30 30 30 30  37 35 35 00 30 30 30 30  |....0000755.0000|
00000070  30 30 30 00 30 30 30 30  30 30 30 00 30 30 30 30  |000.0000000.0000|
00000080  30 30 30 30 30 30 30 00  31 31 33 32 32 33 31 34  |0000000.11322314|
00000090  36 35 34 00 30 31 30 37  34 32 00 20 35 00 00 00  |654.010742. 5...|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000100  00 75 73 74 61 72 20 20  00 72 6f 6f 74 00 00 00  |.ustar  .root...|
  • and 32788544
01f45020  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
01f45040  1f 8b 08 00 39 42 ff 4c  00 03 ec 7d 0b 7c 55 d5  |....9B.L...}.|U.|
01f45050  95 f7 be 8f 3c 08 57 b8  09 a0 11 d1 5c 10 67 32  |....<.W.....\.g2|
  • it only contains a tar with some games
martin@acergpu:/dev/shm$ hexdump -C 30655424-dat ^C
martin@acergpu:/dev/shm$ dd if=s.raw bs=1 skip=32788544 > 32788544.gz
4371392+0 records in
4371392+0 records out
4371392 bytes (4.4 MB) copied, 2.48768 s, 1.8 MB/s
martin@acergpu:/dev/shm$ file 32788544.gz 
32788544.gz: gzip compressed data, from Unix, last modified: Wed Dec  8 09:30:49 2010
martin@acergpu:/dev/shm$ zcat 32788544.gz > 32788544-dat
martin@acergpu:/dev/shm$ file 32788544-dat 
32788544-dat: POSIX tar archive (GNU)
martin@acergpu:/dev/shm$ tar xvf 32788544-dat 
games/
games/sudoku.app
tar: Unexpected EOF in archive
  • this is how my vmlinuz files look like on i386
martin@acergpu:/dev/shm$ hexdump -C /boot/vmlinuz-2.6.32-mk.old |head
00000000  ea 05 00 c0 07 8c c8 8e  d8 8e c0 8e d0 31 e4 fb  |.............1..|
00000010  fc be 2d 00 ac 20 c0 74  09 b4 0e bb 07 00 cd 10  |..-.. .t........|
00000020  eb f2 31 c0 cd 16 cd 19  ea f0 ff 00 f0 44 69 72  |..1..........Dir|
00000030  65 63 74 20 62 6f 6f 74  69 6e 67 20 66 72 6f 6d  |ect booting from|
martin@acergpu:/dev/shm$ hexdump -C /boot/vmlinuz-2.6.32-mk|head
00000000  ea 05 00 c0 07 8c c8 8e  d8 8e c0 8e d0 31 e4 fb  |.............1..|
00000010  fc be 2d 00 ac 20 c0 74  09 b4 0e bb 07 00 cd 10  |..-.. .t........|
00000020  eb f2 31 c0 cd 16 cd 19  ea f0 ff 00 f0 44 69 72  |..1..........Dir|
00000030  65 63 74 20 62 6f 6f 74  69 6e 67 20 66 72 6f 6d  |ect booting from|
  • in jffs2.h i see this:
#define JFFS2_OLD_MAGIC_BITMASK 0x1984
#define JFFS2_MAGIC_BITMASK 0x1985
#define KSAMTIB_CIGAM_2SFFJ 0x8519 /* For detecting wrong-endian fs */
#define JFFS2_EMPTY_BITMASK 0xffff
#define JFFS2_DIRTY_BITMASK 0x0000

/* Summary node MAGIC marker */
#define JFFS2_SUM_MAGIC 0x02851885

jffs2

  • i installed the tools for this filesystem, sudo apt-get install mtd-utils

maybe i can find the serial port with the oscilloscope

port with 4 connectors in battery case

  • i think the separated pin (with an extra rectangle around) should be ground
  • the pin next to ground has bursts with values from 0..-3V
  • the next thing would probably be input because the last pin is constant at -3.2V (when the device is powered on)
  • serial 115200 8N1, lsb first, inverted
  • first string:
martin@acergpu:/dev/shm/Logic 1.1.15 (64-bit)$ cat bla.txt |cut -d "," -f 2|sed ':a;N;$!ba;s/\n//g'
 Value'0'\n\rU-Boot' '1.1.4' '(Aug' '24' '2009' '-'
 '22:37:50)\n\rU-Boot' 'code:' '33F80000' '->' '00000000' '' 'BSS:'
 '->' '33FA0AAC\n\rSDRAM:' '64' 'MB\n\rNAND' 'device' 'ID:' '[0xdcec]'
 '[Samsung' 'K9F4G08U0A]\n\rNAND' 'Total' 'Blocks=4096'
 '<5>\n\rnand_read_ecc:' 'Attempt' 'read' 'beyond' 'end' 'of' 'device'
 '30000' '10000' '0\n\r***' 'Warning' '-' 'bad' 'CRC' 'or' 'NAND'
 'using' 'default' 'environment\n\r
  • the data looks a bit strange, with all these quotes. maybe this is a jtag port?
  • here is a longer dump, i wonder what the USB information means – can I maybe attach a serial console or a keyboard with USB and no soldering?
martin@acergpu:/dev/shm/Logic 1.1.15 (64-bit)$ cat bla2.txt |cut -d "," -f 2|sed ':a;N;$!ba;s/\n//g'|tr "\'" '"'|xargs echo -e
Value2550000000108250319225501t2031000
U-Boot 1.1.4 (Aug 24 2009 - 22:37:50)
U-Boot code: 33F80000 -> 00000000  BSS: -> 33FA0AAC
SDRAM: 64 MB
NAND device ID: [0xdcec] [Samsung K9F4G08U0A]
NAND Total Blocks=4096 <5>
nand_read_ecc: Attempt read beyond end of device 30000 10000 0
*** Warning - bad CRC or NAND using default environment
Start Logo 0x260000
USB device init ....chip_id:[0x00158230]..done.
USB information[ISPs USBD]: EP0: control EP1: in EP3: out
Hit any key to stop autoboot:  1 888 0 
From 0x00080000 to 0x00240000
Target read size = 0x001c0000
Target read size = 0x000c2000
Booting image at 31000000
   Image Name:   Linux-2.6.18.2
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    792504 Bytes = 773.9 kB
   Load Address: 30008000
   Entry Point:  30008000
   Verifying Checksum ... OK
OK
Starting kernel ...
Uncompressing Linux.................................................... done booting the kernel.
Linux version 2.6.18.2 (gcc version 3.4.1) #1 Thu Aug 19 16:52:40 EEST 2010
CPU: ARM920T [41129200] revision 0 (ARMv4T) cr=c0007177
Machine: SBZ2440
Memory policy: ECC disabled Data cache writeback
Emergency data: c019c220=c019c220
CPU S3C2440A (id 0x32440001)
S3C244X: core 405.000 MHz memory 135.000 MHz peripheral 67.500 MHz
S3C24XX Clocks (c) 2004 Simtec Electronics
CLOCK: Slow mode (1.500 MHz) fast MPLL on UPLL on
irq: clearing subpending status 00000002
PID hash table entries: 512 (order: 9 2048 bytes)
Console: colour dummy device 80x30
Memory: 64MB = 64MB total
Memory: 63232KB available (1252K code 276K data 76K init)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
S3C2410 Power Management (c) 2004 Simtec Electronics
wake enabled for irq 16
S3C2440: Initialising architecture
SBZ: s3c244x_irq_add() 
S3C2440: IRQ Support
S3C2440: Clock Support DVS off
S3C2410 DMA Driver (c) 2003-2004 Simtec Electronics
NetWinder Floating Point Emulator V0.97 (double precision)
squashfs: version 3.4 (2008/08/26) Phillip Lougher
yaffs Aug 19 2010 16:52:33 Installing. 
Initializing Cryptographic API
io scheduler noop registered
io scheduler deadline registered (default)
S3C2440 ADC (c) 2004 Simtec Electronics
adc_PreScale= 32
S3C2410 Watchdog Timer (c) 2004 Simtec Electronics
RAMDISK driver initialized: 8 RAM disks of 32768K size 1024 blocksize
S3C24XX NAND Driver (c) 2004 Simtec Electronics
s3c2440-nand s3c2440-nand: Tacls=3 22ns Twrph0=7 51ns Twrph1=3 22ns
writesize:2048 oobsize:64 erasesize:131072
NAND device: Manufacturer ID: 0xec Chip ID: 0xdc (Samsung NAND 512MiB 33V 8-bit)
Scanning device for bad blocks
Bad eraseblock 1926 at 0x0f0c0000
Bad eraseblock 1927 at 0x0f0e0000
Bad eraseblock 1932 at 0x0f180000
Bad eraseblock 1933 at 0x0f1a0000
Bad eraseblock 2951 at 0x170e0000
Bad eraseblock 2957 at 0x171a0000
Bad eraseblock 3975 at 0x1f0e0000
Bad eraseblock 3981 at 0x1f1a0000
Creating 7 MTD partitions on NAND 512MiB 33V 8-bit:
mtd6: found block remapping table (8 items)
mice: PS/2 mouse device common for all mice
S3C24XX RTC (c) 20042006 Simtec Electronics
s3c2410-rtc s3c2410-rtc: rtc core: registered s3c as rtc0
i2c /dev entries driver
s3c2440-i2c s3c2440-i2c: i2c-0: S3C I2C adapter
s3cmci_2440_probe()
s3c2410-sdi s3c2410-sdi: initialisation done.
s3c2410-rtc s3c2410-rtc: hctosys: invalid date/time
yaffs: dev is 32505860 name is mtdblock4
yaffs: passed flags 
yaffs: Attempting MTD mount on 31.4 mtdblock4
yaffs: auto selecting yaffs2
VFS: Mounted root (yaffs filesystem).
Freeing init memory: 76K
init started: BusyBox v1.12.2 (2009-01-04 17:45:10 EET)
starting pid 222 tty : /etc/init.d/rcS
mmc0: error requesting CID: -110
mmcblk0: mmc0:0007 SD02G 1933312KiB 
 mmcblk0: p1
****** init pvi_io
Board name:             EB-500
Hardware configuration: 00000000 10141012
Platform:               EBR-500
Controller:             PVI6001
Display:                600x800 5
Keyboard:               pocket-360
Touchpanel:             none
USB:                    ISP1582
Audio:                  none
G-sensor:               MMA7455/1
Bluetooth:              none
WiFi:                   none
Display orientation:    top-down
Touchpanel orientation: default

Virtual e-ink frame buffer device
hal_s3c2440 isp1582 module init
phHal_Isp1582_Probe
halDev->io_addr=0xc5400000
halDev->irqRes->start=62
halDev->irqRes_monitor->start=18
chip_id:0x158230
isp1582 was register sucessful  (ret:0)
init_mma7455() - EB500 
yaffs: dev is 32505861 name is mtdblock5
yaffs: passed flags no-checkpoint
yaffs: Attempting MTD mount on 31.5 mtdblock5
current time: 37/25/265 14:44:21
error: cannot set time
Atached mp shm: id 0 addr 4015f000
::: flash arrived
::: sdcard arrived
mount: mounting /dev/mtdblock6p1 on /mnt/ext1 failed: No such file or directory
FAT: utf8 is not a recommended IO charset for FAT filesystems filesystem will be case sensitive!
--- mounted flash (disc)
FAT: utf8 is not a recommended IO charset for FAT filesystems filesystem will be case sensitive!
--- mounted sdcard (part)
--- started bookshelf (pid 279)
creating default directories... ok
Atached mp shm: id 0 addr 402ca000 size 16720
Atached fb shm: id 8001 addr 402d3000 size 489616
/mnt/ext1/.adobe-digital-editions/devicesalt: Operation not permitted
Copying new files...
/mnt/ext2/.adobe-digital-editions/devicesalt: Operation not permitted
-E<4>Unbalanced IRQ 46 wake disable
BUG: wa
ing at ke
el/irq/manage.c:167/set_irq_wake()
wake disabled for irq 46
22:00:05 S
-M-7-6-5-4-3PlaS-2-1+1+2+3+4+Ms3c2410-wdt: * watchdog enabled
mmc0: error requesting CID: -110
+ERestarting tasks... done
22:00:11 W
-E<4>Unbalanced IRQ 46 wake disable
BUG: wa
ing at ke
el/irq/manage.c:167/set_irq_wake()
wake disabled for irq 46
22:00:14 S
-M-7-6-5-4-3PlaS-2-1

serial port

  • i pried open a usb-to-serial converter
  • Bus 001 Device 004: ID 067b:2303 Prolific Technology, Inc. PL2303 Serial Port
  • contains a MAXIM C78091 9821 and a 12MHz quartz
  • the pl2303 might not be supported much longer:
Due to EOL (End-of-Life) policy, please note that PL-2303HX (Chip Rev
A) and PL-2303X (Chip Rev A) will not have driver support for the
coming Windows 8 operating system as it is not a supported OS
mentioned in the chip datasheet. So it is advisable to switch to the
new PL2303TA chip which will include support for Windows 8.

Please kindly inform your last order by the end of
September, 2012. Prolific already started supplying PL2303TA since the
beginning of December, 2011.
  • I connected 7 (gnd) and 1 (tx); the oscilloscope shows a constant +5V
  • I saw packets when I turned off hardware flow control in minicom. However, that was only for a short time, while I was in the options menu. Entering characters in the big window doesn’t produce serial output on tx.
    • this was probably because the oscilloscope is too slow for 115200 and doesn’t trigger
    • with 9600 baud i see characters
  • apparently, the arm uart pins are not 5V tolerant:
    • http://www.friendlyarm.net/forum/topic/600
    • according to S3C2440.pdf, only “t10” type inputs are 5V tolerant. RXD0 is “t8” type, which means UART is not 5v tolerant. You should not exceed 4.8V (Absolute maximum rating page)
    • In that case, 2x D1n4148 in series or a large resistor should do the job. I forgot to mention that my setup does have a resistor in series.
    • I guess D1n4148 is a diode
    • in the EB600 schematic, they have a long connector with three versions of cts,txd,rts,rxd (but only txd2,rxd2: no flow control on third uart as described in the arm datasheet)
    • J15 rxd2, K14 rxd0, K17 rxd1 all of io-type t8 (on page 1-14 in s3c-2440 manual)
  • I obtained datasheets on SD cards from https://www.sdcard.org/downloads/pls/simplified_specs/Part_1_Physical_Layer_Simplified_Specification_Ver_3.01_Final_100518.pdf
martin@acergpu:~/pb-contents/bla$ perl pbfwsplit.pl 
         kernel.img:6B: 00000400 0000001024 -> 000C17F8 0000792568
         rootfs.img:72: 000D0400 0000852992 -> 004173C0 0004289472
            app.img:65: 004F0400 0005178368 -> 01E74400 0031933440
// from the perl program pbfwsplit.pl and c++ program

0x40=> "elf.img",
0x57=> "waveform.bin",
0x61=> "a.img",
APP_IMG = 0x65,
0x6B=> "kernel.img", 
ROOTFS_IMG = 0x72,
0x73=> "swupdate.tar.gz",

struct FWPart
{
  uint32_t type;
  uint32_t reserved;
  uint32_t offset;
  uint32_t size;
};
  • have a look at the header of the SW..Bin file again:
00000000  50 6f 63 6b 65 74 42 6f  6f 6b 55 70 64 61 74 65  |PocketBookUpdate|
00000010  50 6f 63 6b 65 74 31 30  31 00 00 00 00 00 00 00  |Pocket101.......|
00000020  00 00 00 00 44 33 36 30  2e 31 35 2e 33 00 00 00  |....D360.15.3...|
00000030  b2 7d a2 a5 07 54 b2 7c  1b e9 89 5d 4a 17 4d dd  |.}...T.|...]J.M.|
00000040  7a 3d 9c 19 18 6b f6 30  15 b0 5f 38 4a c3 bc ab  |z=...k.0.._8J...|
00000050  b4 c0 e6 58 12 1b 8d c6  64 cc 17 a3 bd d6 dd c7  |...X....d.......|
00000060  ee a7 9e 1f 9f fb 37 7a  c9 d4 26 33 f6 05 18 62  |......7z..&3...b|
00000070  3d ad 8e 4d 8f 1e 1b 1e  3f c9 88 8b 1a 26 02 27  |=..M....?....&.'|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  • now try to find the following fields in there
struct PocketBookUpdateHeader
{
  char magic[0x10];          // 0x00 .. 0x10-1   "PocketBookUpdate"
  char model[0x20];          // 0x10 .. 0x30-1   "Pocket101" followed by 11 zero bytes and "D360.15.3"
  char unknownBuffer1[0x50]; // 0x30 .. 0x80-1   b27d **** **** b27c ** ...
  char padding1[0x40];       // 0x80 .. 0xc0-1   all zero in my file
  uint32_t unknownUInt32;    // 0xc0 .. 0xc4-1   0 in my file
  char padding2[0x3C];       // 0xc4 .. 0x100-1
  FWPart fwParts[0x30];      // 0x100 .. 0x400-1 16 bytes per entry; only the first 3 entries are used in my file
};
                                                                      type reserved     offset        size
00000100: 6b00 0000 0000 0000 0000 0000 f817 0c00  k............... kernel  0        0            0x000c 17f8
00000110: 7200 0000 0000 0000 0000 0d00 c073 4100  r............sA. rootfs  0        0x000d 0000  0x0041 73c0
00000120: 6500 0000 0000 0000 0000 4f00 0044 e701  e.........O..D.. appimg  0        0x004f 0000  0x10e7 4400 
  • the offset must be increased by 0x400 to accommodate header
  • check how the c program extracts the file
martin@acergpu:~/pb-contents/pocketbook_free_swupdate$ ./parseUpdate SWUPDATE.BIN  o
Header part: 
         0       0x10           Magic:                  PocketBookUpdate
      0x10       0x30           Model:                  Pocket101D360.15.3
      0x30       0x80           Unknown buffer 1:
      0x80       0xc0           Padding1:
      0xc0       0xc4           UnknownUInt32:         0
      0xc4      0x100           Padding2:
     0x100      0x400           Partition table:
Firmware partitions: 
  0x4f0400  0x2364800           app.img:
   0xd0400   0x4e77c0           rootfs.img:
     0x400    0xc1bf8           unknownImg:
                ^--- this is offset+size
  • this is what the perl program outputs:
martin@acergpu:~/pb-contents/split$ perl pbfwsplit.pl SWUPDATE.BIN 
        kernel.img:6B: 00000400 0000001024 -> 000C17F8 0000792568
        rootfs.img:72: 000D0400 0000852992 -> 004173C0 0004289472
           app.img:65: 004F0400 0005178368 -> 01E74400 0031933440
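As an added example (not code from this page, and not the pbfwsplit.pl or parseUpdate programs above), here is a C parser for the header and partition table worked out above. It embeds a header built from the bytes transcribed from this page's hexdump (magic, model, version string and the three FWPart entries at 0x100; the 0x30..0xff region is left zero), applies the +0x400 header offset, and rejects any entry whose offset+size runs past the declared file length before anything seeks to it. The file length used for the sample is 32788544 + 4371392 = 0x2370400 bytes, from the dd run above. Two things are assumptions of mine rather than facts from the page: that a zero type byte terminates the table (the dump is all zeros after the third entry), and that the name "unknownImg" is the right label for an unlisted type (it is what parseUpdate printed for 0x6b).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PB_HDR_SIZE   0x400   /* partition data starts after the 1 KiB header */
#define PB_PART_TABLE 0x100   /* FWPart table lives at 0x100 .. 0x3ff */
#define PB_MAX_PARTS  ((PB_HDR_SIZE - PB_PART_TABLE) / 16)

struct pb_part {
    uint32_t type, offset, size;   /* offset is relative to the end of the header */
    const char *name;
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* type byte -> output name, the mapping pbfwsplit.pl uses */
static const char *pb_type_name(uint32_t type)
{
    switch (type) {
    case 0x40: return "elf.img";     case 0x57: return "waveform.bin";
    case 0x61: return "a.img";       case 0x65: return "app.img";
    case 0x6B: return "kernel.img";  case 0x72: return "rootfs.img";
    case 0x73: return "swupdate.tar.gz";
    default:   return "unknownImg";  /* assumption: parseUpdate's label for anything else */
    }
}

uint64_t pb_part_start(const struct pb_part *p) { return (uint64_t)PB_HDR_SIZE + p->offset; }
uint64_t pb_part_end(const struct pb_part *p)   { return pb_part_start(p) + p->size; }

/* Parse the header of an update file of total length file_size. Returns the number
 * of entries, or -1 if the header is malformed or an entry does not fit inside the
 * file (64-bit arithmetic, so an oversized size field cannot wrap the check). */
int pb_parse(const uint8_t *hdr, size_t hdr_len, uint64_t file_size,
             struct pb_part *out, int max_out)
{
    if (hdr_len < PB_HDR_SIZE || file_size < PB_HDR_SIZE) return -1;
    if (memcmp(hdr, "PocketBookUpdate", 16) != 0) return -1;
    int n = 0;
    for (int i = 0; i < PB_MAX_PARTS && n < max_out; i++) {
        const uint8_t *e = hdr + PB_PART_TABLE + 16 * i;   /* type, reserved, offset, size */
        struct pb_part p = { le32(e), le32(e + 8), le32(e + 12), NULL };
        if (p.type == 0) break;                  /* assumption: zero entry ends the table */
        p.name = pb_type_name(p.type);
        if (pb_part_end(&p) > file_size) return -1;
        out[n++] = p;
    }
    return n;
}

#define SAMPLE_FILE_SIZE 0x2370400ULL   /* 32788544 + 4371392 bytes, from the dd run above */

/* Header reconstructed from this page's hexdump; bytes 0x30..0xff are left zero. */
void build_sample_header(uint8_t hdr[PB_HDR_SIZE])
{
    static const uint8_t table[48] = {
        0x6b,0,0,0, 0,0,0,0, 0,0,0,0,    0xf8,0x17,0x0c,0,     /* kernel.img */
        0x72,0,0,0, 0,0,0,0, 0,0,0x0d,0, 0xc0,0x73,0x41,0,     /* rootfs.img */
        0x65,0,0,0, 0,0,0,0, 0,0,0x4f,0, 0,0x44,0xe7,0x01,     /* app.img */
    };
    memset(hdr, 0, PB_HDR_SIZE);
    memcpy(hdr, "PocketBookUpdate", 16);
    memcpy(hdr + 0x10, "Pocket101", 9);
    memcpy(hdr + 0x24, "D360.15.3", 9);
    memcpy(hdr + PB_PART_TABLE, table, sizeof table);
}

/* small accessors over the sample so results can be checked without file I/O */
int sample_part_count(uint64_t file_size)
{
    uint8_t hdr[PB_HDR_SIZE]; struct pb_part p[PB_MAX_PARTS];
    build_sample_header(hdr);
    return pb_parse(hdr, sizeof hdr, file_size, p, PB_MAX_PARTS);
}
static int sample_part(int i, struct pb_part *out)
{
    uint8_t hdr[PB_HDR_SIZE]; struct pb_part p[PB_MAX_PARTS];
    build_sample_header(hdr);
    if (pb_parse(hdr, sizeof hdr, SAMPLE_FILE_SIZE, p, PB_MAX_PARTS) <= i) return -1;
    *out = p[i];
    return 0;
}
uint64_t    sample_part_start(int i) { struct pb_part p; return sample_part(i, &p) ? 0 : pb_part_start(&p); }
uint64_t    sample_part_end(int i)   { struct pb_part p; return sample_part(i, &p) ? 0 : pb_part_end(&p); }
const char *sample_part_name(int i)  { struct pb_part p; return sample_part(i, &p) ? "" : p.name; }

int main(void)
{
    uint8_t hdr[PB_HDR_SIZE]; struct pb_part p[PB_MAX_PARTS];
    build_sample_header(hdr);
    int n = pb_parse(hdr, sizeof hdr, SAMPLE_FILE_SIZE, p, PB_MAX_PARTS);
    for (int i = 0; i < n; i++)   /* same columns as pbfwsplit.pl: name:type start -> size end */
        printf("%16s:%02X: %08llX -> %08X %08llX\n", p[i].name, (unsigned)p[i].type,
               (unsigned long long)pb_part_start(&p[i]), (unsigned)p[i].size,
               (unsigned long long)pb_part_end(&p[i]));
    return n < 0;
}
```

The bounds check is the part worth copying into any extractor: the perl and C++ tools above trust offset and size as given, so a crafted SWUPDATE.BIN could send them reading far past the end of the file.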
                                
martin@acergpu:~/pb-contents/split$ sum *.img
26335 31185 app.img      0x66df
16850   774 kernel.img   0x41d2
61720  4189 rootfs.img   0xf118
martin@acergpu:~/pb-contents/split$ file kernel.img 
kernel.img: u-boot legacy uImage, Linux-2.6.18.2, Linux/ARM, OS Kernel
Image (Not compressed), 792504 bytes, Thu Aug 19 15:52:43 2010, Load
Address: 0x30008000, Entry Point: 0x30008000, Header CRC: 0xA55279F9,
Data CRC: 0xC1998C2A
  • the kernel.img is probably created with the tool mkimage (from u-boot distribution, see Introduction to Das U-Boot in Linux Journal, Curt Brune, 2004-08-29)
  • apparently, i can’t just boot these things in qemu:
martin@acergpu:~/pb-contents/split$ qemu-system-arm -kernel kernel.img -mtdblock rootfs.img
VNC server running on `127.0.0.1:5900'
qemu: fatal: Trying to execute code outside RAM or ROM at 0x30008000
  • the images are yaffs Aug 19 2010 16:52:33 (this is probably not the yaffs version, but the time, when the image was created – one hour later than the kernel) and not jffs2
  • software to decode yaffs http://code.google.com/p/yaffs2utils/
  • someone posted a possible password 0df6126571f873829f9ab23d129d786e for the u-boot, here and there. This hash corresponds to the md5 of the password allenchen
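As an added example (mine, not from this page and not U-Boot's own code), here is a C parser and verifier for the 64-byte legacy uImage header that `file` reported for kernel.img. It embeds the header bytes transcribed from the hexdump at file offset 0x400 above, recomputes the header CRC the way mkimage does (zlib CRC-32 over the header with the hcrc field zeroed), bounds the declared data size by the buffer before checking the data CRC, and carries a small mkimage-style writer so a constructed payload can be round-tripped and a flipped byte shown to fail the data CRC. The field layout, the magic 0x27051956, the os/arch/type codes (5 = Linux, 2 = ARM, 2 = kernel) and the CRC algorithm are U-Boot's; the payload in `sample_roundtrip` is constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IH_MAGIC   0x27051956u   /* legacy uImage magic, stored big-endian */
#define IH_HDR_LEN 64
#define IH_NMLEN   32

struct uimage_hdr {
    uint32_t magic, hcrc, time, size, load, ep, dcrc;
    uint8_t os, arch, type, comp;        /* 5 = Linux, 2 = ARM, 2 = kernel, 0 = uncompressed */
    char name[IH_NMLEN + 1];
};

/* zlib-style CRC-32 (reflected poly 0xEDB88320), the one U-Boot and mkimage use */
uint32_t crc32_zlib(uint32_t crc, const uint8_t *buf, size_t len)
{
    crc = ~crc;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Parse and check a header: 0 = ok, -1 = too short or bad magic, -2 = hcrc mismatch. */
int uimage_parse(const uint8_t *buf, size_t len, struct uimage_hdr *h)
{
    uint8_t tmp[IH_HDR_LEN];
    if (len < IH_HDR_LEN || be32(buf) != IH_MAGIC) return -1;
    h->magic = IH_MAGIC;
    h->hcrc = be32(buf + 4);  h->time = be32(buf + 8);  h->size = be32(buf + 12);
    h->load = be32(buf + 16); h->ep   = be32(buf + 20); h->dcrc = be32(buf + 24);
    h->os = buf[28]; h->arch = buf[29]; h->type = buf[30]; h->comp = buf[31];
    memcpy(h->name, buf + 32, IH_NMLEN);
    h->name[IH_NMLEN] = '\0';
    memcpy(tmp, buf, IH_HDR_LEN);       /* hcrc is computed with its own field zeroed */
    memset(tmp + 4, 0, 4);
    return crc32_zlib(0, tmp, IH_HDR_LEN) == h->hcrc ? 0 : -2;
}

/* Payload CRC check. The declared size is bounded by the buffer first, so a forged
 * header cannot make us read past the end: 0 = ok, -1 = truncated, -3 = dcrc mismatch. */
int uimage_verify_data(const struct uimage_hdr *h, const uint8_t *buf, size_t len)
{
    if (len < IH_HDR_LEN || h->size > len - IH_HDR_LEN) return -1;
    return crc32_zlib(0, buf + IH_HDR_LEN, h->size) == h->dcrc ? 0 : -3;
}

/* mkimage-style writer: header + payload with both CRCs filled in; 0 = ok, -1 = out too small */
int uimage_build(uint8_t *out, size_t out_len, const uint8_t *data, uint32_t dlen,
                 uint32_t load, uint32_t ep, const char *name)
{
    if (out_len < (size_t)IH_HDR_LEN + dlen) return -1;
    memset(out, 0, IH_HDR_LEN);
    put_be32(out, IH_MAGIC);
    put_be32(out + 12, dlen); put_be32(out + 16, load); put_be32(out + 20, ep);
    memcpy(out + IH_HDR_LEN, data, dlen);
    put_be32(out + 24, crc32_zlib(0, data, dlen));
    out[28] = 5; out[29] = 2; out[30] = 2; out[31] = 0;
    strncpy((char *)out + 32, name, IH_NMLEN - 1);
    put_be32(out + 4, crc32_zlib(0, out, IH_HDR_LEN));   /* hcrc field is still zero here */
    return 0;
}

/* The 64-byte header of kernel.img, transcribed from the hexdump at offset 0x400 above */
static const uint8_t KERNEL_IMG_HDR[IH_HDR_LEN] = {
    0x27,0x05,0x19,0x56, 0xa5,0x52,0x79,0xf9, 0x4c,0x6d,0x37,0x2b, 0x00,0x0c,0x17,0xb8,
    0x30,0x00,0x80,0x00, 0x30,0x00,0x80,0x00, 0xc1,0x99,0x8c,0x2a, 0x05,0x02,0x02,0x00,
    'L','i','n','u','x','-','2','.','6','.','1','8','.','2',0,0,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
};

static struct uimage_hdr g_kernel;
int kernel_hdr_status(void) { return uimage_parse(KERNEL_IMG_HDR, sizeof KERNEL_IMG_HDR, &g_kernel); }
const struct uimage_hdr *kernel_hdr(void) { kernel_hdr_status(); return &g_kernel; }

/* Constructed demo: build a tiny image, parse and verify it, then flip one payload
 * bit and confirm the data CRC catches it. Returns 1 when both steps behave. */
int sample_roundtrip(void)
{
    static const uint8_t payload[12] = "constructed";    /* constructed sample payload */
    uint8_t img[IH_HDR_LEN + sizeof payload];
    struct uimage_hdr h;
    if (uimage_build(img, sizeof img, payload, sizeof payload, 0x30008000u, 0x30008000u, "demo")) return 0;
    if (uimage_parse(img, sizeof img, &h) != 0 || uimage_verify_data(&h, img, sizeof img) != 0) return 0;
    img[IH_HDR_LEN + 3] ^= 0x01;
    return uimage_verify_data(&h, img, sizeof img) == -3;
}

int main(void)
{
    const struct uimage_hdr *h = kernel_hdr();
    printf("hcrc %s: %s size=%u load=0x%08x ep=0x%08x dcrc=0x%08x\n",
           kernel_hdr_status() == 0 ? "ok" : "BAD", h->name, (unsigned)h->size,
           (unsigned)h->load, (unsigned)h->ep, (unsigned)h->dcrc);
    printf("round trip with tamper detection: %s\n", sample_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

Note what the CRCs do and do not give you: they are integrity checks against corruption, not authentication, so anyone can rebuild a valid uImage with `uimage_build` (or mkimage). Whether U-Boot or swupdate checks anything stronger than this before flashing is the question the next sections start to dig into.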
martin@acergpu:~/pb-contents/split$ unyaffs2 kernel.img  kernel
unyaffs2 0.2.9: image extracting tool for YAFFS2.
warning: non-root users.
warning: image size (792568)is NOT a multiple of (2048 + 64).

scanning image 'kernel.img'... [done]
scanning complete, total objects: 1

building fs tree ... [done]
building complete, total objects: 1

extracting image into 'kernel'
[=======================================================================================================] 1/1 10 %

modify files attributes... [done]

operation complete,
files were extracted into 'kernel'.
martin@acergpu:~/pb-contents/split$ ls kernel
martin@acergpu:~/pb-contents/split$ ls
Anleitung Firmareupdate PB360.doc  SWUPDATE.BIN           app.img  kernel.img    rootfs.img
Release notes 15_3_ENG.doc         Upgrade FW Manual.rtf  kernel   pbfwsplit.pl
martin@acergpu:~/pb-contents/split$ unyaffs2 kernel.img  kerne^C
martin@acergpu:~/pb-contents/split$ unyaffs2 app.img app
unyaffs2 0.2.9: image extracting tool for YAFFS2.
warning: non-root users.

scanning image 'app.img'... [done]
scanning complete, total objects: 151

building fs tree ... [done]
building complete, total objects: 200

extracting image into 'app'
[=================================================================================================] 200/200 100%

modify files attributes... [done]

operation complete,
files were extracted into 'app'.
martin@acergpu:~/pb-contents/split$ ls app
bin  config  fonts  fsimage.tar.gz  language  lib  logo  pocketbook  share  themes
martin@acergpu:~/pb-contents/split$ unyaffs2 rootfs.img rootfs
unyaffs2 0.2.9: image extracting tool for YAFFS2.
warning: non-root users.

scanning image 'rootfs.img'... [done]
scanning complete, total objects: 64

building fs tree ... [done]
building complete, total objects: 376

extracting image into 'rootfs'
[================================                                                                 ] 126/376  33%
object 382: [????] 'dev/null' (FAILED).
...
object 603: [????] 'usr/dev/urandom' (FAILED).
[=============================================================                                    ] 240/376  63%

modify files attributes... [*]

operation incomplete,
files contents may be broken!!!
martin@acergpu:~/pb-contents/split$ ls rootfs
bin  dev  ebrmain  etc  lib  linuxrc  mnt  proc  sbin  sys  tmp  usr  var
  • i redid the extraction as root, to prevent the errors when creating device files and
  • the following 3 programs have setuid rights:
martin@acergpu:~/pb-contents/split$ find . -perm -4000 -print |xargs ls -ln
-rwsr-sr-x 1  102 102 8685376 Dec  8  2010 ./app/bin/AdobeViewer.app
-rwsr-sr-x 1 4000   0    3952 May  5  2010 ./rootfs/bin/mattr
-rwsr-sr-x 1 4000   0    3720 May  5  2010 ./rootfs/bin/suspend
  • none of them are owned by root
martin@acergpu:~/pb-contents/split$ cat rootfs/etc/passwd 
root:*:0:0:root:/:/bin/sh
...
sreader:*:102:102:sreader:/:

martin@acergpu:~/pb-contents/split$ cat rootfs/etc/group  
root:*:0:
...
sreader:*:102:
  • i just stumbled on lida, an x86 disassembler

swupdate

  • maybe i can run swupdate in qemu and see how it verifies the binary blob
martin@acergpu:~/pb-contents/split$ sudo chroot rootfs /bin/qemu-arm /bin/swupdate -u
Unsupported ioctl: cmd=0x00a5
Unsupported ioctl: cmd=0x0064
Unsupported ioctl: cmd=0x0064
/bin/mount -t vfat /dev/mmcblk0p1 /mnt/ext2
/bin/mount -t vfat /dev/mmcblk0 /mnt/ext2
/bin/mount -t vfat /dev/mtdblock6p1 /mnt/ext1
/bin/mount -t vfat /dev/mtdblock6 /mnt/ext1
  • apparently they used ASN1 to create swupdate:
martin@acergpu:~/pb-contents/split/rootfs/bin$ strings swupdate |grep ASN
ASN1 lib
ASN.1 part of OpenSSL 0.9.8g 19 Oct 2007
ASN1_OCTET_STRING_NDEF
ASN1_FBOOLEAN
ASN1_TBOOLEAN

  • other strings that seem useful:

/ebrmain/config/device.cfg
/dev/mmcblk0
/mnt/ext2
/mnt/ext2/SWUPDATE.BIN
/mnt/ext1/SWUPDATE.BIN
/usr/etc/swupdate.pk
/tmp/update.exec
/tmp/update.kernel
Cannot open key file %s
Key entry %i does not exist
rsa key loaded (entry %i)
error loading rsa key file
Cannot verify image signature
Updating bitmap...
Updating waveforms...
Updating ebrmain...
Updating zimage...
Updating root fs...
Testing spi write...
Updating u-boot...
unknown partition type: %s
Unknown image type: %s
Resource w not applicable to this controller
md5 sum not match
Press center key to start update
Firmware version: %s
rsa signature not matches
wrong md5 checksum
  • they use openssl and md5 to verify the image signatures
/bin/mount -t vfat /dev/mmcblk0p1 /mnt/ext2
/bin/mount -t vfat /dev/mmcblk0 /mnt/ext2
/bin/mount -t vfat /dev/mtdblock6p1 /mnt/ext1
/bin/mount -t vfat /dev/mtdblock6 /mnt/ext1
  • maybe they use ASN1 within swupdate, but maybe these are just unused remnants of openssl
martin@acergpu:~/pb-contents/split/rootfs/bin$ strings swupdate |grep ASN
ASN1 lib
ASN.1 part of OpenSSL 0.9.8g 19 Oct 2007
ASN1_OCTET_STRING_NDEF
ASN1_FBOOLEAN
ASN1_TBOOLEAN

  • other strings that seem useful:

/ebrmain/config/device.cfg
/dev/mmcblk0
/mnt/ext2
/mnt/ext2/SWUPDATE.BIN
/mnt/ext1/SWUPDATE.BIN
/usr/etc/swupdate.pk
/tmp/update.exec
/tmp/update.kernel
Cannot open key file %s
Key entry %i does not exist
rsa key loaded (entry %i)
error loading rsa key file
Cannot verify image signature
Updating bitmap...
Updating waveforms...
Updating ebrmain...
Updating zimage...
Updating root fs...
Testing spi write...
Updating u-boot...
unknown partition type: %s
Unknown image type: %s
Resource w not applicable to this controller
md5 sum not match
Press center key to start update
Firmware version: %s
rsa signature not matches
wrong md5 checksum
  • they use openssl and md5 to verify the image signatures:
MD5 part of OpenSSL 0.9.8g 19 Oct 2007
RSA part of OpenSSL 0.9.8g 19 Oct 2007
  • there are at least bitmap, waveforms, ebrmain, zimage, root-fs and u-boot image types. i expect them to be indicated with single letters in the image's partition table
  • more useful is the command arm-linux-strings; it prints the file offsets of the strings
martin@acergpu:~/pb-contents/split/rootfs/bin$ arm-linux-strings -tx swupdate      
     f4 /lib/ld-linux.so.2
    6ed __gmon_start__
    6fc __clz_tab
    706 libc.so.6
    710 strcpy
    717 ioctl
    71d connect
    725 strerror
    72e snprintf
    737 getenv
    73e __strtol_internal
    750 usleep
    757 getpid
    75e qsort
    764 fgets
    76a memcpy
    771 getuid
    778 system
    77f feof
    784 malloc
    78b socket
    792 fflush
...
  • and readelf can show external functions. it would be useful to have them in the disassembly
martin@acergpu:~/pb-contents/split/rootfs/bin$ arm-linux-readelf -s swupdate 

Symbol table '.dynsym' contains 66 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 00008bd8    80 FUNC    GLOBAL DEFAULT  UND usleep@GLIBC_2.0 (2)
     2: 00008be8    16 FUNC    GLOBAL DEFAULT  UND mkdir@GLIBC_2.0 (2)
     3: 00008bf8    68 FUNC    GLOBAL DEFAULT  UND ferror@GLIBC_2.0 (2)
     4: 00008c08   252 FUNC    GLOBAL DEFAULT  UND strchr@GLIBC_2.0 (2)
     5: 00008c18    68 FUNC    GLOBAL DEFAULT  UND feof@GLIBC_2.0 (2)
     6: 00008c28    16 FUNC    GLOBAL DEFAULT  UND getpid@GLIBC_2.0 (2)
     7: 00008c38   116 FUNC    GLOBAL DEFAULT  UND write@GLIBC_2.0 (2)
...
martin@acergpu:~/pb-contents/split/rootfs/bin$ arm-linux-readelf -r swupdate 

Relocation section '.rel.dyn' at offset 0x9b4 contains 3 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
00046ae4  00004015 R_ARM_GLOB_DAT    00000000   __gmon_start__
00046ae8  00002a15 R_ARM_GLOB_DAT    0003e41b   __clz_tab
00046b00  00001914 R_ARM_COPY        00046b00   stderr

Relocation section '.rel.plt' at offset 0x9cc contains 61 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
000469f0  00000116 R_ARM_JUMP_SLOT   00008bd8   usleep
000469f4  00000216 R_ARM_JUMP_SLOT   00008be8   mkdir
000469f8  00000316 R_ARM_JUMP_SLOT   00008bf8   ferror
000469fc  00000416 R_ARM_JUMP_SLOT   00008c08   strchr
00046a00  00000516 R_ARM_JUMP_SLOT   00008c18   feof
00046a04  00000616 R_ARM_JUMP_SLOT   00008c28   getpid
00046a08  00000716 R_ARM_JUMP_SLOT   00008c38   write
00046a0c  00000816 R_ARM_JUMP_SLOT   00008c48   poll
...
  • I wonder what /usr/etc/swupdate.pk contains, maybe something related to ASN1?
00000000  00 00 00 00 10 00 00 00  11 00 00 00 00 00 00 00  |................|
00000010  01 00 00 00 01 00 00 00  01 00 00 00 00 00 00 00  |................|
00000020  01 00 00 00 00 00 00 00  1b 6f 78 ff ce 17 3f 6c  |.........ox...?l|
00000030  75 d9 6b c9 34 c4 ed c1  d4 16 04 d3 ec 97 03 b3  |u.k.4...........|
00000040  6b 0e a3 39 3c 00 11 cb  16 a3 41 76 9a 58 1f e5  |k..9<.....Av.X..|
00000050  2a 55 cc a0 54 b0 b4 60  d3 2c e1 e7 4d de 61 d1  |*U..T..`.,..M.a.|
00000060  5a b4 c1 5c 0a 1e ae be  00 00 00 00 00 00 00 00  |Z..\............|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000a0  00 00 00 00 00 00 00 00  01 00 01 00 00 00 00 00  |................|
000000b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000120  00 00 00 00 00 00 00 00  00 00 00 00 10 00 00 00  |................|
00000130  11 00 00 00 00 00 00 00  01 00 00 00 01 00 00 00  |................|
00000140  01 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
00000150  f7 7e 31 81 65 e4 a3 60  b1 e4 93 3a 18 f1 e5 5d  |.~1.e..`...:...]|
00000160  9f 07 7e 62 45 02 98 2b  87 dd 59 18 40 1e 54 c3  |..~bE..+..Y.@.T.|
00000170  c7 ca 09 40 45 df c7 5a  9a 92 f8 93 a2 94 8b 31  |...@E..Z.......1|
00000180  ec 57 98 b1 a1 b9 6d 8b  31 d4 68 8b 72 95 28 ec  |.W....m.1.h.r.(.|
00000190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001d0  01 00 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000250  00 00 00 00 10 00 00 00  11 00 00 00 00 00 00 00  |................|
00000260  01 00 00 00 01 00 00 00  01 00 00 00 00 00 00 00  |................|
00000270  01 00 00 00 00 00 00 00  89 a4 5e e9 6b 0e 7c 26  |..........^.k.|&|
00000280  1e 8a ad e6 da 15 ca 37  75 97 49 84 f8 72 a5 c6  |.......7u.I..r..|
00000290  d0 dc b4 99 3a 3c 5a 37  38 5c 93 a8 38 83 e4 76  |....:<Z78\..8..v|
000002a0  78 b2 f9 1a 26 e1 15 96  52 d0 b3 58 eb b7 b4 0a  |x...&...R..X....|
000002b0  99 43 07 cc 9f d0 03 ca  00 00 00 00 00 00 00 00  |.C..............|
000002c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000002f0  00 00 00 00 00 00 00 00  01 00 01 00 00 00 00 00  |................|
00000300  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000370
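As an added example (not from the notebook), a small Python helper that rebuilds the bytes from `hexdump -C` output, expanding the `*` lines that stand for repeated rows, and then looks for 01 00 01 00, the little-endian encoding of 65537, the usual RSA public exponent. In the dump above that word appears at 0xa8, 0x1d0 and 0x2f8, i.e. 0x128 bytes apart, which fits the "rsa key loaded (entry %i)" string; the sample below is a constructed excerpt with the same spacing, and reading those words as key entries is an assumption.

```python
import struct

# Constructed excerpt in `hexdump -C` layout (not the real swupdate.pk): two entries
# placed 0x128 bytes apart, the spacing seen in the dump on this page.
SAMPLE = """\
00000000  00 00 00 00 10 00 00 00  11 00 00 00 00 00 00 00  |................|
00000010  01 00 00 00 01 00 00 00  01 00 00 00 00 00 00 00  |................|
*
000000a0  00 00 00 00 00 00 00 00  01 00 01 00 00 00 00 00  |................|
000000b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001d0  01 00 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000250
"""

def parse_hexdump(text):
    """Rebuild the bytes shown by `hexdump -C`, expanding `*` (repeated line) markers."""
    out, last, repeat = bytearray(), b"", False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "*":
            repeat = True          # previous 16-byte row repeats until the next offset
            continue
        offset = int(line[:8], 16)
        if repeat:
            while len(out) < offset:
                out += last
            repeat = False
        if len(out) != offset:
            raise ValueError("unexpected offset %#x at %#x" % (offset, len(out)))
        chunk = bytes.fromhex(line[8:].split("|")[0].replace(" ", ""))
        out += chunk
        last = chunk
    return bytes(out)

def find_u32(blob, value=65537):
    """Offsets where value occurs as a little-endian uint32 (65537 = common RSA e)."""
    pat = struct.pack("<I", value)
    return [i for i in range(len(blob) - 3) if blob[i:i + 4] == pat]

def entry_stride(offsets):
    """Distance between hits if they are evenly spaced (candidate record size), else None."""
    gaps = {b - a for a, b in zip(offsets, offsets[1:])}
    return gaps.pop() if len(gaps) == 1 else None

if __name__ == "__main__":
    hits = find_u32(parse_hexdump(SAMPLE))
    print([hex(h) for h in hits], entry_stride(hits))  # ['0xa8', '0x1d0'] 296
```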
  • i copy the rootfs folder and change /etc/passwd to not contain any root password
  • create the changed image file:
martin@acergpu:~/pb-contents/split$ mkyaffs2 rootfs-changed/ rootfs-changed.img
mkyaffs2 0.2.9: image building tool for YAFFS2.
warning: non-root users.
stage 1: scanning directory 'rootfs-changed/'... [done]
scanning complete, total objects: 378.

stage 2: creating image 'rootfs-changed.img'
[=================================================================================================] 378/378 100%

operation complete,
378 objects in 3533 NAND pages.
  • qemu works in chroot env
martin@acergpu:~/pb-contents/153$ sudo chroot b /bin/qemu-arm /bin/sh


BusyBox v1.12.2 (2009-01-04 17:45:10 EET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# 
  • busybox in 153 implements the following functions
        [, [[, ash, awk, basename, bunzip2, bzcat, cat, chgrp, chmod, chown,
        chroot, cksum, clear, cp, cut, date, dd, df, dirname, dmesg, du,
        echo, egrep, env, expand, expr, false, fgrep, fold, free, fuser,
        grep, gunzip, gzip, halt, head, hostname, hwclock, id, ifconfig,
        ifdown, ifup, init, insmod, ipcrm, ipcs, kill, killall, length,
        linuxrc, ln, ls, lsmod, md5sum, mdev, microcom, mkdir, mkfifo,
        mknod, modprobe, more, mount, mv, nc, netstat, nice, nohup, nslookup,
        ping, pivot_root, pkill, poweroff, printf, ps, pwd, reboot, renice,
        reset, rm, rmdir, rmmod, route, rx, sed, sh, sha1sum, sleep, sort,
        split, stat, strings, stty, su, sync, sysctl, tail, tar, tee, telnet,
        test, time, touch, tr, true, tty, umount, uname, uniq, unzip, uptime,
        usleep, vi, watch, watchdog, wc, wget, which, xargs, yes, zcat
  • the old firmware contains an identical busybox binary
martin@acergpu:~/pb-contents/old$ sum b/bin/busybox 
31225   332
martin@acergpu:~/pb-contents/old$ sum ../153/b/bin/busybox 
31225   332
  • most notably passwd and login are missing
  • they have su but it is not suid
  • mdev seems to be a nice tool
  • if i had a device with network, that would be much better
  • password hashing takes quite a lot of code:
 martin@acergpu:/dev/shm$ wc /dev/shm/busybox-1.12.2/libbb/pw_encrypt{,_md5,_des}.c
   84   268  1985 /dev/shm/busybox-1.12.2/libbb/pw_encrypt.c
  648  3307 18668 /dev/shm/busybox-1.12.2/libbb/pw_encrypt_md5.c
  798  3957 22802 /dev/shm/busybox-1.12.2/libbb/pw_encrypt_des.c
 1530  7532 43455 total
  • boot rom: i think the device boots from nand flash
  • in the About device dialog i found some interesting information:
Model: PocketBook 101
Hardware Type: EB-500          -> I wonder if the schematics are available as well
E-ink parameters: A101.81/16
developed by Western Graphics
  • cat /proc/devices
1 mem
2 pty
3 ttyp
4 /dev/vc/0
4 tty
5 /dev/tty
5 /dev/console
5 /dev/ptmx
7 vcs
10 misc
13 input
14 sound
29 fb
89 i2c
90 mtd
126 ptm
136 pts
204 s3c2410_serial
254 rtc
Block devices
1 ramdisk
31 mtdblock
254 mmc

arm instructions

  • thumb vs. arm
  • arm
    • all instructions are 4 bytes long

u-boot

  • advice in linux journal:
    • You can use your favorite serial communications program to connect to UBoot. I prefer to use Kermit and a tiny Kermit script from within an emacs shell buffer. I put the following Kermit script into a file called “serialterm” and make the file executable:
#!/usr/bin/kermit
echo connecting /dev/ttyS0 .....
set line /dev/ttyS0
set FLOW AUTO
set speed 19200
set serial 8n1
SET CARRIERWATCH OFF
connect 
  • I like running serialterm from within an emacs shell because emacs keeps track of my command history, which the UBoot shell does not support. Trust me, while developing you will be hitting the reset button on your board a lot and want to “up arrow” to the previous load command you just entered.

uiquery.app

uiquery - interaction with inkview UI from external programs

  Message:       uiquery -m <icon> <title> <text> <timeout>
  Dialog:        uiquery -d <icon> <title> <text> <button1> [button2]
  Text entry:    uiquery -t <title> <text> <maxlen> [flags]
  Progressbar:   uiquery -p <icon> <title> <text> <percent>
   update:       uiquery -u <percent>
  Event:         uiquery -e <type> <par1> <par2>
  check status:  uiquery -s
  dismiss:       uiquery -x

create new image

  • I used this program to put together a new image with a changed rootfs. But the update program complains that the image is corrupted. It says “Update image is corrupted”.
  • This string is at offset #x3328c in the binary.
(defparameter *fw* "SWUPDATE.BIN")

;; read the first #x400 bytes (header and partition table) of the original image
(defun get-head ()
  (let ((a (make-array #x400 :element-type '(unsigned-byte 8))))
    (with-open-file (s *fw* :element-type '(unsigned-byte 8))
      (read-sequence a s))
    a))

;; read the whole modified rootfs image
(defun get-rootfs ()
  (with-open-file (s "rootfs-changed.img" :element-type '(unsigned-byte 8))
    (let ((a (make-array (file-length s) :element-type '(unsigned-byte 8))))
      (read-sequence a s)
      a)))

(defun construct-image ()
  (let ((h (get-head))
        (r (get-rootfs)))
    ;; delete old partition table
    (loop for i from #x100 below #x400 do
      (setf (aref h i) 0))
    ;; write rootfs entry into partition table: indicator 'r' as first byte
    (setf (aref h #x100) (char-code #\r))
    ;; bytes 12..15 of the entry contain the length of the image as a
    ;; little-endian integer (least significant byte first)
    (let ((l (length r)))
      (loop for i below 4 do
        (setf (aref h (+ #x100 12 i))
              (ldb (byte 8 (* 8 i)) l))))
    ;; header followed by the rootfs image
    (let ((res (make-array (+ (length r) (length h)) :element-type '(unsigned-byte 8))))
      (replace res h)
      (replace res r :start1 (length h))
      res)))

(with-open-file (s "out.fw" :direction :output
                   :element-type '(unsigned-byte 8)
                   :if-does-not-exist :create
                   :if-exists :supersede)
  (write-sequence (construct-image) s))
  • make 10MB vfat
sudo mkfs.vfat -C o.vfat 10000
sudo mount -o loop o.vfat /mnt/
sudo cp out.fw /mnt/SWUPDATE.BIN
sudo umount /mnt
sudo cp o.vfat rootfs/dev/mmcblk0p1

  • above didn’t just work
  • also doesn’t work:
    • copying SW.. into /mnt/ext1
    • copy SW.. on vfat formatted usb stick and make link to /dev/mmc..
    • replace mount and sh with x86 versions
    • replace mount and sh with x86 version of true
    • replace execve (which is used to call mount) with a function that always returns 0 (success) using LD_PRELOAD