Fernly - Fernvale Reversing OS
==============================

Fernly is a simple operating system designed for use in the reverse engineering of the Fernvale CPU. It will likely be disposed of when the system has been understood well enough to implement a full operating system.

Setting up cross compilation
----------------------------

### Linux

    git clone https://github.com/robertfoss/setup_codesourcery.git
    sudo setup_codesourcery/setup.sh /usr/local/bin/codesourcery-arm-2014.05.sh

Building Fernly
---------------

To compile, simply run "make". If you're cross-compiling, set CROSS_COMPILE to the prefix of your cross compiler. This is very similar to how Linux is cross-compiled. For example:

    make CROSS_COMPILE=arm-none-linux-gnueabi-

Running Fernly
--------------

To run, connect the target device and run the following command:

    ./build/fernly-usb-loader /dev/fernvale ./build/usb-loader.bin ./build/firmware.bin

This will open /dev/fernvale, load usb-loader.bin as a stage 1 bootloader, and then load (and jump to) firmware.bin as stage 2. Optionally, you can add a stage 3 file by specifying it as an additional argument.

Linux Notes
-----------

Since Fernvale is based on a Mediatek chip, ModemManager will, by default, try to treat it as a modem and make it available for network connections. This is undesirable. To work around this problem, create a udev rule under /etc/udev/rules.d/ called 98-fernvale.rules with the following contents:

    SUBSYSTEM=="tty", ATTRS{idVendor}=="0e8d",\
    ATTRS{idProduct}=="0003",\
    MODE="0660", SYMLINK+="fernvale"

    ACTION=="add|change", SUBSYSTEM=="usb",\
    ENV{DEVTYPE}=="usb_device", ATTRS{idVendor}=="0e8d",\
    ATTRS{idProduct}=="0003",\
    ENV{ID_MM_DEVICE_IGNORE}="1"

OSX Notes
---------

The default OSX CDC matching seems to miss the Fernvale board. Use [fernvale-osx-codeless](https://github.com/jacobrosenthal/fernvale-osx-codeless) to get a com port.
SPI and Flashrom
----------------

Fernly includes a special 'flashrom' mode that allows for direct communication with the flashrom program to manipulate the onboard SPI. The protocol is binary, and can be entered by issuing the following command:

    spi flashrom

Fernly will respond with a binary 0x05, indicating it is ready.

The format of the protocol is very simple. The host writes the number of bytes to write, then the number of bytes to read, and then writes the data to send to the flash chip. It then reads the requested number of bytes.

For example, to send a 2-byte command '0xfe 0xfa' followed by a 3-byte response, write the following data to the serial port:

    | 02 03 fe fa |

Then read three bytes of data from the serial port.

A maximum of 255 bytes may be transmitted and received at one time, though in practice these numbers may be smaller.

To exit 'spi flashrom' mode and return to fernly, read/write zero bytes. That is, send the following packet:

    | 00 00 |

Memory Map
----------

| Start      | End        | Size       | Description                         |
| ---------- | ---------- | ---------- | ----------------------------------- |
| 0x00000000 | 0x0fffffff | 0x0fffffff | PSRAM map, repeated and mirrored at 0x00800000 offsets |
| 0x10000000 | 0x1fffffff | 0x0fffffff | Memory-mapped SPI chip              |
| ?????????? | ?????????? | ?????????? | ??????????????????????????????????? |
| 0x70000000 | 0x7000cfff | 0xcfff     | On-chip SRAM (maybe cache?)         |
| ?????????? | ?????????? | ?????????? | ??????????????????????????????????? |
| 0x80000000 | 0x80000008 | 0x08       | Config block (chip version, etc.)   |
| 0x82000000 | 0x82d00000 | ?????????? | Modem system stuff                  |
| 0x83000000 | 0xa3090000 | ?????????? | Modem peripheral stuff              |
| 0xa0000000 | 0xa0000008 | 0x08       | Config block (mirror?)              |
| 0xa0010000 | ?????????? | ?????????? | Power, config block                 |
| 0xa0020000 | 0xa0020e10 | 0x0e10     | GPIO control block                  |
| 0xa0030000 | 0xa0030040 | 0x40       | WDT block                           |
|            |            |            | - 0x08 -> WDT register (?)          |
|            |            |            | - 0x18 -> Boot src (?)              |
| 0xa0030800 | ?????????? | ?????????? | ????????????????????????????        |
| 0xa0040000 | ?????????? | ?????????? | ??????????????????????????????????? |
| 0xa0050000 | ?????????? | ?????????? | External memory block               |
| 0xa0060000 | ?????????? | ?????????? | IRQ Controller block                |
| 0xa0070000 | ========== | ========== | DMA Controller block                |
| 0xa0080000 | 0xa008005c | 0x5c       | UART1 block                         |
| 0xa0090000 | 0xa009005c | 0x5c       | UART2 block                         |
| 0xa00a0000 | ?????????? | ?????????? | ??????????????????????????????????? |
| 0xa00b0000 | 0xa00b006c | 0x6c       | Bluetooth interface block           |
| 0xa00c0000 | 0xa00c002c | 0x2c       | General purpose timer block         |
| 0xa00d0000 | 0xa00d0024 | 0x24       | Keypad scanner block                |
| 0xa00e0000 | 0xa00e0008 | 0x0c       | PWM1 block                          |
| 0xa00f0000 | 0xa00f00b0 | 0xb0       | SIM1 interface block                |
| 0xa0100000 | 0xa01000b0 | 0xb0       | SIM2 interface block                |
| 0xa0110000 | ?????????? | ?????????? | ??????????????????????????????????? |
| 0xa0120000 | 0xa0120074 | 0x74       | I2C block                           |
| 0xa0130000 | 0xa0130098 | 0x98       | SD1 block (MSDC)                    |
| 0xa0140000 | ?????????? | ?????????? | Serial flash block                  |
| 0xa0150000 | ?????????? | ?????????? | ?? MAYBE also SPI ????????????????? |
| 0xa0160000 | ?????????? | ?????????? | Die-to-die master interface         |
| 0xa0170000 | ?????????? | ?????????? | Analogue chip controller block      |
| 0xa0180000 | ?????????? | ?????????? | TOPSM block                         |
| 0xa0190000 | 0xa0190310 | 0x58       | HIF (DMA?) interface block          |
| 0xa01b0000 | 0xa01b0058 | 0x58       | NLI (arbiter) interface block       |
| 0xa01c0000 | ?????????? | ?????????? | EFuse block                         |
| 0xa01e0000 | ?????????? | ?????????? | SPI block                           |
| 0xa01f0000 | 0xa01f0060 | 0x60       | OS timer block                      |
| 0xa0210000 | ?????????? | ?????????? | More analog bits                    |
| 0xa0220000 | ?????????? | ?????????? | MBist block                         |
| 0xa0240000 | ?????????? | ?????????? | NAND flash block                    |
| 0xa0260000 | 0xa0260058 | 0x58       | FSPI (internal FM radio) block      |
| 0xa0270000 | 0xa0270098 | 0x98       | SD2 block                           |
| 0xa0400000 | ?????????? | ?????????? | IMGDMA block                        |
| 0xa0410000 | ?????????? | ?????????? | IDP RESZ CR2                        |
| 0xa0420000 | 0xa04201d8 | 0x01d8     | CAM interface block                 |
| 0xa0430000 | ?????????? | ?????????? | Serial camera block                 |
| 0xa0440000 | ?????????? | ?????????? | 2D graphics block                   |
| 0xa0450000 | ?????????? | ?????????? | LCD interface block                 |
| 0xa0460000 | ?????????? | ?????????? | Multimedia system BIST block        |
| 0xa0470000 | ?????????? | ?????????? | Multimedia colour config block      |
| 0xa0480000 | ?????????? | ?????????? | Multimedia system config block      |
| 0xa0500000 | ?????????? | ?????????? | ARM configuration block             |
| 0xa0510000 | ?????????? | ?????????? | Boot configuration block            |
| 0xa0520000 | ?????????? | ?????????? | Code decompression engine block     |
| 0xa0530000 | ?????????? | ?????????? | Level 1 cache block                 |
| 0xa0540000 | ?????????? | ?????????? | MPU config block                    |
| 0xa0700000 | ?????????? | ?????????? | Power management block. Write (val & 0xfe0f \| 0x140) to 0xa0700230 to power off. |
| 0xa0710000 | 0xa0710078 | 0x78       | RTC block                           |
| 0xa0720000 | ?????????? | ?????????? | Analogue baseband config block      |
| 0xa0730000 | 0xa0730100 | ??????     | Analogue die config                 |
| 0xa0730104 | 0xa073104c | ??????     | GPIO mode / pull control blocks     |
| 0xa074000c | 0xa0740014 | 0x0c       | PWM2 block                          |
| 0xa0740018 | 0xa0740020 | 0x0c       | PWM3 block                          |
| 0xa0750000 | 0xa075005c | 0x5c       | ADCDET block                        |
| 0xa0760000 | ?????????? | ?????????? | Analogue IRQ controller             |
| 0xa0790000 | 0xa07900d8 | 0xd8       | ADC block                           |
| 0xa07a0000 | ?????????? | ?????????? | Analogue Die-to-die block           |
| 0xa0900000 | 0xa0900240 | ?????????? | USB block                           |
| 0xa0910000 | ?????????? | ?????????? | ??????????????????????????????????? |
| 0xa0920000 | ?????????? | ?????????? | AHB DMA block                       |
| 0xa3300000 | 0xa33a0000 | ?????????? | Bluetooth things                    |
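The 'spi flashrom' framing from the SPI and Flashrom section above, as an added example (not code from the Fernly project): a host-side helper that builds the [n_write][n_read][payload] packet, enforces the one-byte (255) limits, and exchanges it with a constructed in-memory fake port standing in for the device. The JEDEC ID command (0x9f) and its three reply bytes are assumptions for the fake chip, not taken from the page.

```python
"""Host-side framing for Fernly's 'spi flashrom' binary mode.

Added example, not part of the Fernly sources. It assumes Fernly has already
answered 0x05 to "spi flashrom", and drives a constructed in-memory fake
port instead of a real serial device so that it runs offline.
"""
MAX_XFER = 255  # each length field is a single byte

def build_packet(tx: bytes, rx_len: int) -> bytes:
    """Frame one transaction as [n_write][n_read][payload...].
    Both counts must fit in one byte; (b"", 0) gives the 00 00 exit packet."""
    if len(tx) > MAX_XFER or not 0 <= rx_len <= MAX_XFER:
        raise ValueError("write and read counts must each fit in one byte")
    return bytes([len(tx), rx_len]) + tx

def spi_xfer(port, tx: bytes, rx_len: int) -> bytes:
    """Send one framed transaction and read back exactly rx_len bytes."""
    port.write(build_packet(tx, rx_len))
    rx = port.read(rx_len)
    if len(rx) != rx_len:  # a short read means the framing got out of step
        raise IOError(f"short read: wanted {rx_len} bytes, got {len(rx)}")
    return rx

class FakeFernlyPort:
    """Constructed stand-in for the serial port: Fernly in flashrom mode wired
    to a fake flash chip that only answers the JEDEC ID command (0x9f) with
    three constructed ID bytes. Not Fernly's real firmware behaviour."""
    def __init__(self):
        self.in_mode = True
        self._rx = bytearray()
    def write(self, data: bytes) -> None:
        n_write, n_read, payload = data[0], data[1], data[2:]
        if len(payload) != n_write:
            raise ValueError("payload length does not match n_write")
        if n_write == 0 and n_read == 0:
            self.in_mode = False  # the 00 00 packet leaves flashrom mode
            return
        reply = b"\xef\x40\x16" if payload[:1] == b"\x9f" else b""
        self._rx += reply[:n_read].ljust(n_read, b"\xff")  # pad unanswered bytes

    def read(self, n: int) -> bytes:
        out, self._rx = bytes(self._rx[:n]), self._rx[n:]
        return out

def demo() -> dict:
    """Identify the chip, then leave flashrom mode, as the README describes."""
    port = FakeFernlyPort()
    jedec = spi_xfer(port, b"\x9f", 3)
    spi_xfer(port, b"", 0)  # exit packet: read/write zero bytes
    return {"jedec": jedec, "exited": not port.in_mode}
```

Against real hardware, replace FakeFernlyPort with an open serial port object exposing the same write/read methods; the framing and length checks are unchanged.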