Fernvale research OS
1e9fd14f3e
To make cross-compilation easy, refer users to the setup_codesourcery repo that is maintained by Robert Foss. Signed-off-by: Sean Cross <xobs@kosagi.com> |
||
|---|---|---|
| include | ||
| scriptic | ||
| .gitignore | ||
| _divsi3.S | ||
| _lshrdi3.S | ||
| _udivsi3.S | ||
| bionic.c | ||
| cmd-bl.c | ||
| cmd-hex.c | ||
| cmd-irq.c | ||
| cmd-keypad.c | ||
| cmd-lcd.c | ||
| cmd-led.c | ||
| cmd-load.c | ||
| cmd-peekpoke.c | ||
| cmd-reboot.c | ||
| cmd-sleep.c | ||
| cmd-spi.c | ||
| emi.c | ||
| fernly-usb-loader.c | ||
| fernvale.ld | ||
| irq.c | ||
| irqasm.S | ||
| lcd.c | ||
| magic.mk | ||
| main.c | ||
| Makefile | ||
| memio.c | ||
| mkenv.mk | ||
| README.md | ||
| scriptic.c | ||
| serial.c | ||
| sha1.c | ||
| sha1.h | ||
| spi.c | ||
| spin.sh | ||
| start.S | ||
| usb-loader.S | ||
| utils.c | ||
| vectors.c | ||
| vsprintf.c | ||
Fernly - Fernvale Reversing OS
Fernly is a simple operating system designed for use in the reverse engineering of the Fernvale CPU. It will likely be disposed of when the system has been understood well enough to implement a full operating system.
Setting up cross compilation
Linux
git clone https://github.com/robertfoss/setup_codesourcery.git
sudo setup_codesourcery/setup.sh
/usr/local/bin/codesourcery-arm-2014.05.sh
Building Fernly
To compile, simply run "make". If you're cross-compiling, set CROSS_COMPILE to the prefix of your cross compiler. This is very similar to how to compile for Linux.
For example:
make CROSS_COMPILE=arm-none-linux-gnueabi-
Running Fernly
To run, connect the target device and run the following command:
./build/fernly-usb-loader /dev/fernvale ./build/usb-loader.bin ./build/firmware.bin
This will open up /dev/fernvale, load usb-loader.bin as a stage 1 bootloader, and then load (and jump to) firmware.bin as stage 2. Optionally, you can add a stage 3 file by specifying it as an additional argument.
Linux Notes
Since Fernvale is based on a Mediatek chip, ModemManager will, by default, try to treat it as a modem and make it available for network connections. This is undesirable.
To work around this problem, create a udev rule under /etc/udev/rules.d/ called 98-fernvale.rules with the following contents:
SUBSYSTEM=="tty", ATTRS{idVendor}=="0e8d",\
ATTRS{idProduct}=="0003",\
MODE="0660", SYMLINK+="fernvale"
ACTION=="add|change", SUBSYSTEM=="usb",\
ENV{DEVTYPE}=="usb_device", ATTRS{idVendor}=="0e8d",\
ATTRS{idProduct}=="0003",\
ENV{ID_MM_DEVICE_IGNORE}="1"
Memory Map
| 0x00000000 | 0x0fffffff | 0x0fffffff | PSRAM map, repeated and mirrored at 0x00800000 offsets |
|---|---|---|---|
| 0x10000000 | 0x1fffffff | 0x0fffffff | Memory-mapped SPI chip |
| ?????????? | ?????????? | ?????????? | ??????????????????????????????????? |
| 0x70000000 | 0x7000cfff | 0xcfff | On-chip SRAM (maybe cache?) |
| ?????????? | ?????????? | ?????????? | ??????????????????????????????????? |
| 0x80000000 | 0x80000008 | 0x08 | Config block (chip version, etc.) |
| 0x82000000 | 0x82d00000 | ?????????? | Modem system stuff |
| 0x83000000 | 0xa3090000 | ?????????? | Modem peripheral stuff |
| 0xa0000000 | 0xa0000008 | 0x08 | Config block (mirror?) |
| 0xa0010000 | ?????????? | ?????????? | Power, config block |
| 0xa0020000 | 0xa0020e10 | 0x0e10 | GPIO control block |
| 0xa0030000 | 0xa0030040 | 0x40 | WDT block |
| - 0x08 -> WDT register (?) | |||
| - 0x18 -> Boot src (?) | |||
| 0xa0030800 | ?????????? | ?????????? | ???????????????????????????? |
| 0xa0040000 | ?????????? | ?????????? | ??????????????????????????????????? |
| 0xa0050000 | ?????????? | ?????????? | External memory block |
| 0xa0060000 | ?????????? | ?????????? | IRQ Controller block |
| 0xa0070000 | ========== | ========== | DMA Controller block |
| 0xa0080000 | 0xa008005c | 0x5c | UART1 block |
| 0xa0090000 | 0xa009005c | 0x5c | UART2 block |
| 0xa00a0000 | ?????????? | ?????????? | ??????????????????????????????????? |
| 0xa00b0000 | 0xa00b006c | 0x6c | Bluetooth interface block |
| 0xa00c0000 | 0xa00c002c | 0x2c | General purpose timer block |
| 0xa00d0000 | 0xa00d0024 | 0x24 | Keypad scanner block |
| 0xa00e0000 | 0xa00e0008 | 0x0c | PWM1 block |
| 0xa00f0000 | 0xa00f00b0 | 0xb0 | SIM1 interface block |
| 0xa0100000 | 0xa01000b0 | 0xb0 | SIM2 interface block |
| 0xa0110000 | ?????????? | ?????????? | ??????????????????????????????????? |
| 0xa0120000 | 0xa0120074 | 0x74 | I2C block |
| 0xa0130000 | 0xa0130098 | 0x98 | SD1 block (MSDC) |
| 0xa0140000 | ?????????? | ?????????? | Serial flash block |
| 0xa0150000 | ?????????? | ?????????? | ?? MAYBE also SPI ????????????????? |
| 0xa0160000 | ?????????? | ?????????? | Die-to-die master interface |
| 0xa0170000 | ?????????? | ?????????? | Analogue chip controller block |
| 0xa0180000 | ?????????? | ?????????? | TOPSM block |
| 0xa0190000 | 0xa0190310 | 0x58 | HIF (DMA?) interface block |
| 0xa01b0000 | 0xa01b0058 | 0x58 | NLI (arbiter) interface block |
| 0xa01c0000 | ?????????? | ?????????? | EFuse block |
| 0xa01e0000 | ?????????? | ?????????? | SPI block |
| 0xa01f0000 | 0xa01f0060 | 0x60 | OS timer block |
| 0xa0210000 | ?????????? | ?????????? | More analog bits |
| 0xa0220000 | ?????????? | ?????????? | MBist block |
| 0xa0240000 | ?????????? | ?????????? | NAND flash block |
| 0xa0260000 | 0xa0260058 | 0x58 | FSPI (internal FM radio) block |
| 0xa0270000 | 0xa0270098 | 0x98 | SD2 block |
| 0xa0400000 | ?????????? | ?????????? | IMGDMA block |
| 0xa0410000 | ?????????? | ?????????? | IDP RESZ CR2 |
| 0xa0420000 | 0xa04201d8 | 0x01d8 | CAM interface block |
| 0xa0430000 | ?????????? | ?????????? | Serial camera block |
| 0xa0440000 | ?????????? | ?????????? | 2D graphics block |
| 0xa0450000 | ?????????? | ?????????? | LCD interface block |
| 0xa0460000 | ?????????? | ?????????? | Multimedia system BIST block |
| 0xa0470000 | ?????????? | ?????????? | Multimedia colour config block |
| 0xa0480000 | ?????????? | ?????????? | Multimedia system config block |
| 0xa0500000 | ?????????? | ?????????? | ARM configuration block |
| 0xa0510000 | ?????????? | ?????????? | Boot configuration block |
| 0xa0520000 | ?????????? | ?????????? | Code decompression engine block |
| 0xa0530000 | ?????????? | ?????????? | Level 1 cache block |
| 0xa0540000 | ?????????? | ?????????? | MPU config block |
| 0xa0700000 | ?????????? | ?????????? | Power management block. Write (val & 0xfe0f | 0x140) to 0xa0700230 to power off. |
| 0xa0710000 | 0xa0710078 | 0x78 | RTC block |
| 0xa0720000 | ?????????? | ?????????? | Analogue baseband config block |
| 0xa0730000 | 0xa0730100 | ?????? | Analogue die config |
| 0xa0730104 | 0xa073104c | ?????? | GPIO mode / pull control blocks |
| 0xa074000c | 0xa0740014 | 0x0c | PWM2 block |
| 0xa0740018 | 0xa0740020 | 0x0c | PWM3 block |
| 0xa0750000 | 0xa075005c | 0x5c | ADCDET block |
| 0xa0760000 | ?????????? | ?????????? | Analogue IRQ controller |
| 0xa0790000 | 0xa07900d8 | 0xd8 | ADC block |
| 0xa07a0000 | ?????????? | ?????????? | Analogue Die-to-die block |
| 0xa0900000 | 0xa0900240 | ?????????? | USB block |
| 0xa0910000 | ?????????? | ?????????? | ??????????????????????????????????? |
| 0xa0920000 | ?????????? | ?????????? | AHB DMA block |
| 0xa3300000 | 0xa33a0000 | ?????????? | Bluetooth things |