yetangitu/fernly
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
Fernvale research OS
105 commits 2 branches 0 tags 416 KiB
Find a file
Sean Cross 0bfdbb314f fernly-usb-loader: Get rid of call to 'screen' 
Since we have an internal terminal of sorts, remove the call to 'screen'
when not running in monitor mode.

Signed-off-by: Sean Cross <xobs@kosagi.com>
2015-02-04 21:30:03 +08:00
include serial: Fix serial driver 2015-02-04 21:05:03 +08:00
scriptic kbd: Add keypad support 2015-02-02 17:26:09 +08:00
.gitignore gitignore: Add fernly.log to ignored file list 2015-02-02 17:28:07 +08:00
_divsi3.S fernly: Fix printf("%d") > 99999 2014-09-11 13:15:37 +08:00
_lshrdi3.S Makefile: Add _lshrdi3.S 2014-12-30 12:28:52 +08:00
_udivsi3.S fernly: Fix printf("%d") > 99999 2014-09-11 13:15:37 +08:00
bionic.c bionic: Emit \r in puts() 2015-02-04 21:14:14 +08:00
cmd-bl.c cmd: Use strtoul instead of _strtoul 2014-11-28 13:12:53 +08:00
cmd-hex.c cmd: Use strtoul instead of _strtoul 2014-11-28 13:12:53 +08:00
cmd-irq.c cmd: Use strtoul instead of _strtoul 2014-11-28 13:12:53 +08:00
cmd-keypad.c cmd-keypad: Slight formatting adjustments 2015-02-02 17:35:08 +08:00
cmd-lcd.c cmd-lcd: Remove "lcd setup" command 2014-11-28 17:43:51 +08:00
cmd-led.c cmd: Use strtoul instead of _strtoul 2014-11-28 13:12:53 +08:00
cmd-load.c cmd: Use strtoul instead of _strtoul 2014-11-28 13:12:53 +08:00
cmd-peekpoke.c cmd: Use strtoul instead of _strtoul 2014-11-28 13:12:53 +08:00
cmd-reboot.c cmd: Split commands into their own files 2014-09-11 14:18:51 +08:00
cmd-sleep.c cmd: Use strtoul instead of _strtoul 2014-11-28 13:12:53 +08:00
cmd-spi.c cmd-spi: Add binary mode for flashrom 2015-02-04 21:28:29 +08:00
emi.c emi: Remove infinite loop waiting on calibration 2014-11-28 13:13:38 +08:00
fernly-usb-loader.c fernly-usb-loader: Get rid of call to 'screen' 2015-02-04 21:30:03 +08:00
fernvale.ld fernvale: Fully get PSRAM working 2014-09-11 13:16:06 +08:00
irq.c irq: Work on getting IRQs working 2014-08-27 12:32:06 +08:00
irqasm.S irq: Work on getting IRQs working 2014-08-27 12:32:06 +08:00
lcd.c lcd: get rid of lcd_setup() 2014-11-28 17:43:42 +08:00
magic.mk magic: Force the use of gcc for scriptic 2014-11-28 17:33:20 +08:00
main.c kbd: Add keypad support 2015-02-02 17:26:09 +08:00
Makefile Makefile: Use relative build path for 'make test' 2015-02-02 17:27:49 +08:00
memio.c fernvale: Get IRQs to at least do something 2014-08-26 17:09:42 +08:00
mkenv.mk mkenv: Move away from clang 2014-12-30 12:29:06 +08:00
README.md README: Document flsahrom protocol 2015-02-04 21:29:04 +08:00
scriptic.c scriptic: Correct debug output format 2015-02-02 17:27:48 +08:00
serial.c serial: Fix serial driver 2015-02-04 21:05:03 +08:00
sha1.c fernly: Add USB loader 2014-12-29 09:26:22 +08:00
sha1.h fernly: Add USB loader 2014-12-29 09:26:22 +08:00
spi.c spi: use memcpy() and not _memcpy() 2014-12-30 17:14:55 +08:00
spin.sh fernly: wip 2014-07-04 17:31:32 +08:00
start.S fernly: Fix printf("%d") > 99999 2014-09-11 13:15:37 +08:00
usb-loader.S fernvale: Fully get PSRAM working 2014-09-11 13:16:06 +08:00
utils.c fernvale: Fully get PSRAM working 2014-09-11 13:16:06 +08:00
vectors.c vectors: Get rid of irq C function 2014-09-09 15:04:35 +08:00
vsprintf.c vsprintf: Fix <sys/string.h> include on Novena 2015-02-02 16:42:32 +08:00

README.md

Fernly - Fernvale Reversing OS

Fernly is a simple operating system designed for use in the reverse engineering of the Fernvale CPU. It will likely be disposed of when the system has been understood well enough to implement a full operating system.

Setting up cross compilation

Linux

git clone https://github.com/robertfoss/setup_codesourcery.git
sudo setup_codesourcery/setup.sh
/usr/local/bin/codesourcery-arm-2014.05.sh

Building Fernly

To compile, simply run "make". If you're cross-compiling, set CROSS_COMPILE to the prefix of your cross compiler. This is very similar to how to compile for Linux.

For example:

make CROSS_COMPILE=arm-none-linux-gnueabi-

Running Fernly

To run, connect the target device and run the following command:

./build/fernly-usb-loader /dev/fernvale ./build/usb-loader.bin ./build/firmware.bin

This will open up /dev/fernvale, load usb-loader.bin as a stage 1 bootloader, and then load (and jump to) firmware.bin as stage 2. Optionally, you can add a stage 3 file by specifying it as an additional argument.

Linux Notes

Since Fernvale is based on a Mediatek chip, ModemManager will, by default, try to treat it as a modem and make it available for network connections. This is undesirable.

To work around this problem, create a udev rule under /etc/udev/rules.d/ called 98-fernvale.rules with the following contents:

SUBSYSTEM=="tty", ATTRS{idVendor}=="0e8d",\
    ATTRS{idProduct}=="0003",\
    MODE="0660", SYMLINK+="fernvale"

ACTION=="add|change", SUBSYSTEM=="usb",\
    ENV{DEVTYPE}=="usb_device", ATTRS{idVendor}=="0e8d",\
    ATTRS{idProduct}=="0003",\
    ENV{ID_MM_DEVICE_IGNORE}="1"

OSX Notes

The default OSX CDC matching seems to miss the Fernvale board. Use fernvale-osx-codeless to get a com port.

SPI and Flashrom

Fernly includes a special 'flashrom' mode that allows for direct communication with the flashrom program to manipulate the onboard SPI. The protocol is binary, and can be entered by issuing the following command:

spi flashrom

Fernly will respond with a binary 0x05, indicating it is ready.

The format of the protocol is very simple. The host writes the number of bytes to write, then the number of bytes to read, and then writes the data to send to the flash chip. It then reads the requested number of bytes. For example, to send a 2-byte command '0xfe 0xfa' followed by a 3-byte response, write the following data to the serial port:

| 02 03 fe fa |

Then read three bytes of data from the serial port.

A maximum of 255 bytes may be transmitted and received at one time, though in practice these numbers may be smaller.

To exit 'spi flashrom' mode and return to fernly, read/write zero bytes. That is, send the following packet:

| 00 00 |

Memory Map

0x00000000 0x0fffffff 0x0fffffff PSRAM map, repeated and mirrored at 0x00800000 offsets
0x10000000 0x1fffffff 0x0fffffff Memory-mapped SPI chip
?????????? ?????????? ?????????? ???????????????????????????????????
0x70000000 0x7000cfff 0xcfff On-chip SRAM (maybe cache?)
?????????? ?????????? ?????????? ???????????????????????????????????
0x80000000 0x80000008 0x08 Config block (chip version, etc.)
0x82000000 0x82d00000 ?????????? Modem system stuff
0x83000000 0xa3090000 ?????????? Modem peripheral stuff
0xa0000000 0xa0000008 0x08 Config block (mirror?)
0xa0010000 ?????????? ?????????? Power, config block
0xa0020000 0xa0020e10 0x0e10 GPIO control block
0xa0030000 0xa0030040 0x40 WDT block
- 0x08 -> WDT register (?)
- 0x18 -> Boot src (?)
0xa0030800 ?????????? ?????????? ????????????????????????????
0xa0040000 ?????????? ?????????? ???????????????????????????????????
0xa0050000 ?????????? ?????????? External memory block
0xa0060000 ?????????? ?????????? IRQ Controller block
0xa0070000 ========== ========== DMA Controller block
0xa0080000 0xa008005c 0x5c UART1 block
0xa0090000 0xa009005c 0x5c UART2 block
0xa00a0000 ?????????? ?????????? ???????????????????????????????????
0xa00b0000 0xa00b006c 0x6c Bluetooth interface block
0xa00c0000 0xa00c002c 0x2c General purpose timer block
0xa00d0000 0xa00d0024 0x24 Keypad scanner block
0xa00e0000 0xa00e0008 0x0c PWM1 block
0xa00f0000 0xa00f00b0 0xb0 SIM1 interface block
0xa0100000 0xa01000b0 0xb0 SIM2 interface block
0xa0110000 ?????????? ?????????? ???????????????????????????????????
0xa0120000 0xa0120074 0x74 I2C block
0xa0130000 0xa0130098 0x98 SD1 block (MSDC)
0xa0140000 ?????????? ?????????? Serial flash block
0xa0150000 ?????????? ?????????? ?? MAYBE also SPI ?????????????????
0xa0160000 ?????????? ?????????? Die-to-die master interface
0xa0170000 ?????????? ?????????? Analogue chip controller block
0xa0180000 ?????????? ?????????? TOPSM block
0xa0190000 0xa0190310 0x58 HIF (DMA?) interface block
0xa01b0000 0xa01b0058 0x58 NLI (arbiter) interface block
0xa01c0000 ?????????? ?????????? EFuse block
0xa01e0000 ?????????? ?????????? SPI block
0xa01f0000 0xa01f0060 0x60 OS timer block
0xa0210000 ?????????? ?????????? More analog bits
0xa0220000 ?????????? ?????????? MBist block
0xa0240000 ?????????? ?????????? NAND flash block
0xa0260000 0xa0260058 0x58 FSPI (internal FM radio) block
0xa0270000 0xa0270098 0x98 SD2 block
0xa0400000 ?????????? ?????????? IMGDMA block
0xa0410000 ?????????? ?????????? IDP RESZ CR2
0xa0420000 0xa04201d8 0x01d8 CAM interface block
0xa0430000 ?????????? ?????????? Serial camera block
0xa0440000 ?????????? ?????????? 2D graphics block
0xa0450000 ?????????? ?????????? LCD interface block
0xa0460000 ?????????? ?????????? Multimedia system BIST block
0xa0470000 ?????????? ?????????? Multimedia colour config block
0xa0480000 ?????????? ?????????? Multimedia system config block
0xa0500000 ?????????? ?????????? ARM configuration block
0xa0510000 ?????????? ?????????? Boot configuration block
0xa0520000 ?????????? ?????????? Code decompression engine block
0xa0530000 ?????????? ?????????? Level 1 cache block
0xa0540000 ?????????? ?????????? MPU config block
0xa0700000 ?????????? ?????????? Power management block. Write (val & 0xfe0f | 0x140) to 0xa0700230 to power off.
0xa0710000 0xa0710078 0x78 RTC block
0xa0720000 ?????????? ?????????? Analogue baseband config block
0xa0730000 0xa0730100 ?????? Analogue die config
0xa0730104 0xa073104c ?????? GPIO mode / pull control blocks
0xa074000c 0xa0740014 0x0c PWM2 block
0xa0740018 0xa0740020 0x0c PWM3 block
0xa0750000 0xa075005c 0x5c ADCDET block
0xa0760000 ?????????? ?????????? Analogue IRQ controller
0xa0790000 0xa07900d8 0xd8 ADC block
0xa07a0000 ?????????? ?????????? Analogue Die-to-die block
0xa0900000 0xa0900240 ?????????? USB block
0xa0910000 ?????????? ?????????? ???????????????????????????????????
0xa0920000 ?????????? ?????????? AHB DMA block
0xa3300000 0xa33a0000 ?????????? Bluetooth things