Very easy:
(gdb) set {int}0x83040 = 4
Source: http://stackoverflow.com/questions/3305164/how-to-modify-memory-contents-using-gdb
This is the way I flash a new kernel image:
Transfer uImage over serial port:
object$ loady
## Ready for binary (ymodem) download to 0x50C07FC0 at 115200 bps...
C## Total Size = 0x00170000 = 1507328 Bytes
Erase Linux kernel flash partition:
object$ erase 0x10030000 0x1019FFFF
Copy downloaded image to flash:
object$ cp.b 0x50C07FC0 0x10030000 0x00170000
I created a patch to simplify adding SSD1935 support to the Linux kernel.
So instead of downloading many files from my GitHub, you just need to download this small patch:
https://www.4shared.com/archive/F8UtHqnz/patch_kernel_2624_solomon_ssd1.html
You can apply it on top of Linux kernel 2.6.24 this way:
$ tar xvf patch_kernel_2.6.24_solomon_ssd1935.tar.gz
$ cd linux-2.6.24
$ patch -p1 < ../kernel_2.6.24_solomon_ssd1935.patch
Very easy!
Yesterday we saw how to map the NOR flash of the VStarcam H6837WI camera.
Now we need to create its partitions.
We know from the original Linux kernel log that it has 5 partitions:
[ 0.870000] Creating 5 MTD partitions on "NOR flash on ipcam":
[ 0.870000] 0x000000000000-0x000000030000 : "ARMboot"
[ 0.880000] 0x000000030000-0x0000001a0000 : "Kernel"
[ 0.890000] 0x0000001a0000-0x0000005a0000 : "RootFS"
[ 0.900000] 0x0000005a0000-0x0000007f0000 : "IpcamFS"
[ 0.910000] 0x0000007f0000-0x000000800000 : "param"
Then I need to pass this layout as mtdparts on the Linux kernel command line:
mtdparts=physmap-flash.0:192k(ARMboot)ro,1472k(Kernel),4096k(RootFS),2368k(IpcamFS),-(param)
This is my complete bootargs line:
bootargs=mtdparts=physmap-flash.0:192k(ARMboot)ro,1472k(Kernel),4096k(RootFS),2368k(IpcamFS),-(param) mem=20M console=ttyS0,115200n8 init=/sbin/init root=/dev/mtdblock2
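The same mtdparts string can be derived mechanically from the partition lines in the original kernel log, and the Kernel entry cross-checked against the U-Boot erase range used when flashing. This is an added example, not code from the original post; the function names are made up for illustration, and the flash base 0x10000000 and size 0x00800000 are the values the kernel and U-Boot print for this board.

```python
import re

# Partition lines from the camera's original kernel log (quoted above).
ORIGINAL_LOG = """
[ 0.870000] Creating 5 MTD partitions on "NOR flash on ipcam":
[ 0.870000] 0x000000000000-0x000000030000 : "ARMboot"
[ 0.880000] 0x000000030000-0x0000001a0000 : "Kernel"
[ 0.890000] 0x0000001a0000-0x0000005a0000 : "RootFS"
[ 0.900000] 0x0000005a0000-0x0000007f0000 : "IpcamFS"
[ 0.910000] 0x0000007f0000-0x000000800000 : "param"
"""

FLASH_BASE = 0x10000000  # physical address of the NOR flash on this board
FLASH_SIZE = 0x00800000  # 8 MB

PART_RE = re.compile(r'0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"([^"]+)"')


def parse_partitions(log):
    """Return [(start, end, name)] in log order; end is exclusive."""
    return [(int(s, 16), int(e, 16), n) for s, e, n in PART_RE.findall(log)]


def build_mtdparts(parts, mtd_id, flash_size, read_only=()):
    """Build the mtdparts= argument for a gap-free partition table.

    Without an explicit @offset, cmdlinepart places each partition right
    after the previous one, so a gap or overlap in the source table would
    silently shift every later partition. Reject it instead.
    """
    fields = []
    cursor = 0
    for index, (start, end, name) in enumerate(parts):
        if start != cursor or end <= start:
            raise ValueError("partition %r leaves a gap or overlaps" % name)
        size = end - start
        if index == len(parts) - 1 and end == flash_size:
            size_text = "-"  # "rest of the device"
        elif size % 1024 == 0:
            size_text = "%dk" % (size // 1024)
        else:
            raise ValueError("partition %r is not a multiple of 1 KiB" % name)
        suffix = "ro" if name in read_only else ""
        fields.append("%s(%s)%s" % (size_text, name, suffix))
        cursor = end
    if cursor > flash_size:
        raise ValueError("partitions extend past the end of the flash")
    return "mtdparts=%s:%s" % (mtd_id, ",".join(fields))


def uboot_erase_range(parts, name, flash_base):
    """Return the (first, last) physical addresses for U-Boot's erase command."""
    for start, end, part_name in parts:
        if part_name == name:
            return flash_base + start, flash_base + end - 1
    raise KeyError(name)


def image_fits(parts, name, image_size):
    """True when an image of image_size bytes fits in the named partition."""
    for start, end, part_name in parts:
        if part_name == name:
            return image_size <= end - start
    raise KeyError(name)


if __name__ == "__main__":
    parts = parse_partitions(ORIGINAL_LOG)
    print(build_mtdparts(parts, "physmap-flash.0", FLASH_SIZE, read_only=("ARMboot",)))
    first, last = uboot_erase_range(parts, "Kernel", FLASH_BASE)
    print("erase 0x%08X 0x%08X" % (first, last))
    print("0x001675f0-byte uImage fits:", image_fits(parts, "Kernel", 0x001675F0))
```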
Excellent, it boots into the camera's Linux file system:
$ bootm
Starting kernel ...
Uncompressing Linux............................................................................................. done, booting the kernel.
[ 0.000000] Linux version 2.6.24ssl (alan@aureo) (gcc version 3.4.6) #1 PREEMPT Sat Dec 15 16:13:03 BRST 2012
[ 0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
[ 0.000000] Machine: Solomon Magus Accio P1
[ 0.000000] Memory policy: ECC disabled, Data cache writeback
[ 0.000000] CPU0: D VIVT write-back cache
[ 0.000000] CPU0: I cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
[ 0.000000] CPU0: D cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping off. Total pages: 5080
[ 0.000000] Kernel command line: mtdparts=physmap-flash.0:192k(ARMboot)ro,1472k(Kernel),4096k(RootFS),2368k(IpcamFS),-(param) mem=20M console=ttyS0,115200n8 init=/sbin/init root=/dev/mtdblock2
[ 0.000000] intc: init info - ver=1,0
[ 0.000000] gpio: init info - ver=1,0
[ 0.000000] clock: init info - ver=1,0
[ 0.000000] MAGUS Clocks : ARM-240.000 MHz, HCLK-120.000 MHz, PCLK-60.000 MHz, PERCLK1-60.000 MHz, PERCLK2-24.000 MHz
[ 0.000000] PID hash table entries: 128 (order: 7, 512 bytes)
[ 0.000000] Console: colour dummy device 80x30
[ 0.000000] console [ttyS0] enabled
[ 0.010000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.020000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.030000] Memory: 20MB = 20MB total
[ 0.040000] Memory: 17280KB available (2680K code, 219K data, 72K init)
[ 0.270000] Mount-cache hash table entries: 512
[ 0.270000] CPU: Testing write buffer coherency: ok
[ 0.290000] net_namespace: 64 bytes
[ 0.300000] NET: Registered protocol family 16
[ 0.330000] dma: init info - ver 1.0 fifosize=128, 8 channels
[ 0.330000] MAGUS cpu freq change driver v1.0
[ 0.340000]
[ 0.340000] cpufreq: magus_set_target: request for target_freq = 240000 KHz
[ 0.350000] cpufreq: magus_set_target: cur_pll_out = 240000 KHz, cur_arm_freq = 240000 KHz
[ 0.380000] SCSI subsystem initialized
[ 0.390000] usbcore: registered new interface driver usbfs
[ 0.400000] usbcore: registered new interface driver hub
[ 0.400000] usbcore: registered new device driver usb
[ 0.470000] NET: Registered protocol family 2
[ 0.570000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.580000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[ 0.590000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.590000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.600000] TCP reno registered
[ 0.630000] Power Management for MAGUS. V0.1.1
[ 0.630000] NetWinder Floating Point Emulator V0.97 (extended precision)
[ 0.650000] JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[ 0.660000] io scheduler noop registered
[ 0.660000] io scheduler deadline registered (default)
[ 0.690000] Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
[ 0.700000] ttyS0: autoconf (0x0000, 0xf000300c): uart: id=7000041
[ 0.700000] type=16550A
[ 0.710000] serial8250: ttyS0 at MMIO 0x0 (irq = 16) is a 16550A
[ 0.710000] ttyS1: autoconf (0x0000, 0xf000400c): uart: id=7000041
[ 0.720000] type=16550A
[ 0.720000] serial8250: ttyS1 at MMIO 0x0 (irq = 17) is a 16550A
[ 0.730000] Driver 'sd' needs updating - please use bus_type methods
[ 0.740000] Driver 'sr' needs updating - please use bus_type methods
[ 0.750000] physmap platform flash device: 00800000 at 10000000
[ 0.760000] physmap-flash.0: Found 1 x16 devices at 0x0 in 16-bit bank
[ 0.770000] Amd/Fujitsu Extended Query Table at 0x0040
[ 0.770000] number of CFI chips: 1
[ 0.770000] cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
[ 0.780000] 5 cmdlinepart partitions found on MTD device physmap-flash.0
[ 0.790000] Creating 5 MTD partitions on "physmap-flash.0":
[ 0.800000] 0x00000000-0x00030000 : "ARMboot"
[ 0.800000] 0x00030000-0x001a0000 : "Kernel"
[ 0.810000] 0x001a0000-0x005a0000 : "RootFS"
[ 0.820000] 0x005a0000-0x007f0000 : "IpcamFS"
[ 0.830000] 0x007f0000-0x00800000 : "param"
[ 0.840000] spi: init info - ver=1.0 fifo=16 slaves=5 master=1
[ 0.850000] spi: init info - ver=1.0 fifo=16 slaves=5 master=1
[ 0.970000] ehci ehci: ssl ehci
[ 0.970000] ehci ehci: new USB bus registered, assigned bus number 1
[ 0.980000] ehci ehci: irq 14, io mem 0x08403000
[ 1.000000] ehci ehci: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
[ 1.010000] usb usb1: configuration #1 chosen from 1 choice
[ 1.010000] hub 1-0:1.0: USB hub found
[ 1.020000] hub 1-0:1.0: 1 port detected
[ 1.130000] usb usb1: Product: ssl ehci
[ 1.130000] usb usb1: Manufacturer: Linux 2.6.24ssl ssl ehci
[ 1.140000] usb usb1: SerialNumber: ssl_ehci
[ 1.140000] Initializing USB Mass Storage driver...
[ 1.370000] CI reset done
[ 1.430000] usb 1-1: new high speed USB device using ehci and address 2
[ 1.550000] CI reset done
[ 1.660000] usb 1-1: configuration #1 chosen from 1 choice
[ 1.680000] usb 1-1: Product: 802.11 n WLAN
[ 1.680000] usb 1-1: Manufacturer: Ralink
[ 1.690000] usb 1-1: SerialNumber: 1.0
[ 1.690000] usbcore: registered new interface driver usb-storage
[ 1.700000] USB Mass Storage support registered.
[ 1.710000] usbcore: registered new interface driver libusual
[ 1.710000] i2c /dev entries driver
[ 1.720000] i2c: init info - ver=1,0
[ 1.730000]
[ 1.730000] cpufreq: magus_set_target: request for target_freq = 240000 KHz
[ 1.740000] cpufreq: magus_set_target: cur_pll_out = 240000 KHz, cur_arm_freq = 240000 KHz
[ 1.750000] TCP cubic registered
[ 1.750000] NET: Registered protocol family 1
[ 1.760000] NET: Registered protocol family 17
[ 1.770000] VFS: Can't find an ext2 filesystem on dev mtdblock2.
[ 1.780000] VFS: Mounted root (cramfs filesystem) readonly.
[ 1.790000] Freeing init memory: 72K
/usr/bin/sdupdate: error while loading shared libraries: libgpioctrl.so: cannot open shared object file: No such file or directory
[ 4.240000] jffs2: Too few erase blocks (1)
mount: mounting /dev/mtdblock4 on /mnt failed: Invalid argument
/etc/init.d/rcS: line 132: /mnt/init/ipcam.sh: not found
/ #
If you are following this blog you know I’m hacking a wireless IP camera, the VStarCam H6837WI, and I have good news!
I found the Linux source code for SSD1935, thanks TEAC for releasing it. But I was wrong when I thought it would be very easy to get it working on my camera.
First, the machine ID used on the TEAC WAP R8900 didn’t match the machine ID passed by u-boot; that was to be expected. I think neither Solomon Systech nor TEAC was thinking to integrate it on mainly because they are using an invalid board ID (registered by another company).
Then I just needed to select the right board ID, but Solomon used this board ID, the one used on the VStarCam H6837WI, on at least three other boards. So I just selected the board with the same name used in u-boot (it was a mistake, as you will see further below).
After compiling it and uploading the resulting uImage to the camera using the ymodem transfer protocol in u-boot, it didn’t start correctly.
Then I started debugging the low-level kernel initialization, at first using ‘printascii’ (with DEBUG_LL activated), but with no luck. After many trials I decided to use another strategy: I decided to disassemble the original uImage retrieved from the camera's flash memory. This is the information from the original uImage:
$ file uImage_h6837wi.bin
uImage_h6837wi.bin: u-boot legacy uImage, Linux-2.6.24ssl, Linux/ARM, OS Kernel Image (Not compressed), 1467600 bytes, Mon Apr 8 17:01:50 2013, Load Address: 0x50C08000, Entry Point: 0x50C08000, Header CRC: 0xFFA94C01, Data CRC: 0xA90B8571
First I extracted the zImage from uImage and then decompressed it. After decompressing it to an Image I disassembled it and started to compare with the Image which I compiled.
This site helped a lot: http://chdk.wikia.com/wiki/Gpl_Disassembling
I used these commands to create a disassembled file:
strings -t x Image | ./renumber.pl 0x50C08000 > Image.strings
hexdump -C Image | ./renumber.pl 0x50C08000 > Image.hex
arm-linux-objcopy --change-addresses=0x50C08000 -I binary -O elf32-littlearm -B arm Image Image.elf
arm-linux-objcopy --set-section-flags .data=code Image.elf
arm-linux-objdump -d Image.elf > Image.dis
Then I noticed a visible difference at this position:

Then using ‘arm-linux-addr2line’ it returned:
$ arm-linux-addr2line -f -e vmlinux 0xc00080dc
__create_page_tables
.tmp_kallsyms2.S:0
I searched for ‘__create_page_tables’ and it returned the file ‘arch/arm/kernel/head.S’ then I opened this file and started comparing the assembly code, and found the difference at this line:
orr r6, r6, #(PHYS_OFFSET & 0x00f00000)
Then I searched for ‘PHYS_OFFSET’ and found this file: ‘kernel/include/asm-arm/arch-magus/memory.h’ :
#ifdef CONFIG_ARCH_MAGUS_FPGA
#define PHYS_OFFSET UL(0xE2000000)
#elif defined CONFIG_ARCH_MAGUS_ADS
#define PHYS_OFFSET UL(0x51000000)
#elif defined CONFIG_ACCIO_CM5208
#define PHYS_OFFSET UL(0x51000000)
#elif defined CONFIG_ACCIO_CM5210
#define PHYS_OFFSET UL(0x51000000)
#elif defined CONFIG_ACCIO_A2818T
#define PHYS_OFFSET UL(0x51000000)
#elif defined CONFIG_ACCIO_LITE
#define PHYS_OFFSET UL(0x50400000/*0x50C00000*/)
#else
#define PHYS_OFFSET UL(0x51000000)
#endif
I noticed the address 0x50C00000 was commented out (luckily for me) and should be used for ‘ACCIO_LITE’. Hmm, I was using ‘ACCIO_A2818T’ because this was the board name I saw in the u-boot bootloader source code. Then, after removing 0x50400000 and using 0x50C00000, I reconfigured the kernel to use ACCIO_LITE.
Then I compiled the source code again, but no luck, it still did not start.
What could be wrong now?
I decided to compile the kernel again, paying more attention to the log messages, and then I noticed these lines:
Data Size: 1471920 Bytes = 1437.42 kB = 1.40 MB
Load Address: 0x50408000
Entry Point: 0x50408000
Image arch/arm/boot/uImage is ready
Ouch, it should be 0x50C08000, as in the original uImage file!
“Let’s search again like we did last year!”, replace ‘search’ by ‘twist’ to understand the lyrics
Searching for 0x50408000 returned this file:
kernel/arch/arm/mach-magus/Makefile.boot
This is the content:
zreladdr-$(CONFIG_ACCIO_LITE) := 0x50408000
Bingo! Replacing it by 0x50C08000 and compiling again fixed the booting issue.
See my compiled kernel booting here:
object$ loady
## Ready for binary (ymodem) download to 0x50C07FC0 at 115200 bps...
CxyzModem - CRC mode, 11503(SOH)/0(STX)/0(CAN) packets, 8 retries
## Total Size = 0x001675f0 = 1471984 Bytes
object$ bootm 0x50C07FC0
Starting kernel ...
Uncompressing Linux............................................................................................. done, .
[ 0.000000] Linux version 2.6.24ssl (alan@aureo) (gcc version 3.4.6) #1 PREEMPT Sun Dec 9 17:37:11 BRST 2012
[ 0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
[ 0.000000] Machine: Solomon Magus Accio P1
[ 0.000000] Memory policy: ECC disabled, Data cache writeback
[ 0.000000] CPU0: D VIVT write-back cache
[ 0.000000] CPU0: I cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
[ 0.000000] CPU0: D cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping off. Total pages: 5080
[ 0.000000] Kernel command line: mem=20M console=ttyS0,115200n8 init=/sbin/init root=/dev/mtdblock3
[ 0.000000] intc: init info - ver=1,0
[ 0.000000] gpio: init info - ver=1,0
[ 0.000000] clock: init info - ver=1,0
[ 0.000000] MAGUS Clocks : ARM-240.000 MHz, HCLK-120.000 MHz, PCLK-60.000 MHz, PERCLK1-60.000 MHz, PERCLK2-24.000 MHz
[ 0.000000] PID hash table entries: 128 (order: 7, 512 bytes)
[ 0.000000] Console: colour dummy device 80x30
[ 0.000000] console [ttyS0] enabled
[ 0.020000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.020000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.030000] Memory: 20MB = 20MB total
[ 0.040000] Memory: 17268KB available (2680K code, 229K data, 72K init)
[ 0.280000] Mount-cache hash table entries: 512
[ 0.280000] CPU: Testing write buffer coherency: ok
[ 0.300000] net_namespace: 64 bytes
[ 0.310000] NET: Registered protocol family 16
[ 0.340000] dma: init info - ver 1.0 fifosize=128, 8 channels
[ 0.340000] MAGUS cpu freq change driver v1.0
[ 0.350000]
[ 0.350000] cpufreq: magus_set_target: request for target_freq = 240000 KHz
[ 0.360000] cpufreq: magus_set_target: cur_pll_out = 240000 KHz, cur_arm_freq = 240000 KHz
[ 0.390000] SCSI subsystem initialized
[ 0.400000] usbcore: registered new interface driver usbfs
[ 0.410000] usbcore: registered new interface driver hub
[ 0.420000] usbcore: registered new device driver usb
[ 0.480000] NET: Registered protocol family 2
[ 0.580000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.590000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[ 0.600000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.600000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.610000] TCP reno registered
[ 0.640000] Power Management for MAGUS. V0.1.1
[ 0.640000] NetWinder Floating Point Emulator V0.97 (extended precision)
[ 0.660000] yaffs Dec 9 2012 17:36:12 Installing.
[ 0.670000] io scheduler noop registered
[ 0.670000] io scheduler deadline registered (default)
[ 0.680000] lcdc: init info - dsg=0 ver=0
[ 0.680000] abc=1, dbc=1 rdback=1 pp=0 lut=1 stn=1 dma=1
[ 0.690000] lcdc: init warn - actually ver 0001
[ 0.690000] SSL_FB: disable wid: 1
[ 0.700000] SSL_FB: disable wid: 2
[ 0.720000] Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
[ 0.730000] ttyS0: autoconf (0x0000, 0xf000300c): uart: id=7000041
[ 0.740000] type=16550A
[ 0.740000] serial8250: ttyS0 at MMIO 0x0 (irq = 16) is a 16550A
[ 0.750000] ttyS1: autoconf (0x0000, 0xf000400c): uart: id=7000041
[ 0.760000] type=16550A
[ 0.760000] serial8250: ttyS1 at MMIO 0x0 (irq = 17) is a 16550A
[ 0.770000] Driver 'sd' needs updating - please use bus_type methods
[ 0.780000] Driver 'sr' needs updating - please use bus_type methods
[ 0.790000] NAND Driver, (c) 2007 Solomon Systech
[ 0.790000] nfc: init info - ver=100 buf=4224
[ 1.800000] nfc nand reset tout
[ 1.800000] nfc: init info - ver=100 buf=4224
[ 1.800000] No NAND device found!!!
[ 1.810000] spi: init info - ver=1.0 fifo=16 slaves=5 master=1
[ 1.820000] spi: init info - ver=1.0 fifo=16 slaves=5 master=1
[ 1.940000] ehci ehci: ssl ehci
[ 1.940000] ehci ehci: new USB bus registered, assigned bus number 1
[ 1.950000] ehci ehci: irq 14, io mem 0x08403000
[ 1.970000] ehci ehci: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
[ 1.980000] usb usb1: configuration #1 chosen from 1 choice
[ 1.980000] hub 1-0:1.0: USB hub found
[ 1.990000] hub 1-0:1.0: 1 port detected
[ 2.100000] usb usb1: Product: ssl ehci
[ 2.100000] usb usb1: Manufacturer: Linux 2.6.24ssl ssl ehci
[ 2.110000] usb usb1: SerialNumber: ssl_ehci
[ 2.110000] Initializing USB Mass Storage driver...
[ 2.340000] CI reset done
[ 2.400000] usb 1-1: new high speed USB device using ehci and address 2
[ 2.520000] CI reset done
[ 2.630000] usb 1-1: configuration #1 chosen from 1 choice
[ 2.650000] usb 1-1: Product: 802.11 n WLAN
[ 2.650000] usb 1-1: Manufacturer: Ralink
[ 2.660000] usb 1-1: SerialNumber: 1.0
[ 2.660000] usbcore: registered new interface driver usb-storage
[ 2.670000] USB Mass Storage support registered.
[ 2.680000] usbcore: registered new interface driver libusual
[ 2.680000] i2c /dev entries driver
[ 2.690000] i2c: init info - ver=1,0
[ 2.700000]
[ 2.700000] cpufreq: magus_set_target: request for target_freq = 240000 KHz
[ 2.710000] cpufreq: magus_set_target: cur_pll_out = 240000 KHz, cur_arm_freq = 240000 KHz
[ 2.720000] TCP cubic registered
[ 2.720000] NET: Registered protocol family 1
[ 2.730000] NET: Registered protocol family 17
[ 2.730000] VFS: Cannot open root device "mtdblock3" or unknown-block(0,0)
[ 2.740000] Please append a correct "root=" boot option; here are the available partitions:
[ 2.750000] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
There is still a lot of work to be done. I need to add flash memory support and the flash layout so it can load the file system. No problem: now I can see it starting, so everything will be easier.
I was copying the kernel image (uImage) for the H6837WI camera using the YMODEM protocol over serial to address 0x50C07FC0 (the default u-boot address for the ‘loady’ command on this device), and even enabling “Early printk” (DEBUG_LL) didn’t help me.
Then I noticed the uImage entry point was 0x51008000, but even copying the uImage file there didn’t print anything. Then I decided to try the uncompressed image (arch/arm/boot/Image).
Then I got early printk working, and it explained the error I was getting:
object$ loady 0x51008000
## Ready for binary (ymodem) download to 0x51008000 at 115200 bps...
CxyzModem - CRC mode, 23007(SOH)/0(STX)/0(CAN) packets, 9 retries
## Total Size = 0x002cede8 = 2944488 Bytes
object$ go 0x51008000
## Starting application at 0x51008000 ...
Error: unrecognized/unsupported machine ID (r1 = 0x52f2026c).
Available machine support:
ID (hex) NAME
0000078d Solomon Magus ADS
Please check your kernel config and/or bootloader.
I was looking for a simple way to strip the header from a uImage. The simplest way is to use dd and skip the first 64 bytes of the uImage (or 64 + 8 in the case of a uImage for ARM), but I found a simple script that checks the uImage type and creates the zImage:
http://buffalo.nas-central.org/wiki/How_to_Extract_an_uImage
Another alternative is to use uImage.py
Now just extract the contents of the zImage to get the kernel Image:
$ arm-linux-objdump -EL -b binary -D -m armv5t zImage | grep 8b1f
31e4: 00088b1f andeq r8, r8, pc, lsl fp
28404: 6c8b1f44 stcvs 15, cr1, [fp], {68}
$ dd if=zImage of=myImage.gz bs=1 skip=12772
1454876+0 records in
1454876+0 records out
1454876 bytes (1.5 MB) copied, 2.4514 s, 593 kB/s
$ gunzip myImage.gz
gzip: myImage.gz: decompression OK, trailing garbage ignored
For more information about the uImage header, read this post:
http://www.isysop.com/unpacking-and-repacking-u-boot-uimage-files/
Source of the tip on how to decompress the zImage:
http://openinkpot.org/wiki/Documentation/ZImageFormat
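The header fields that `file` printed for the original uImage (load address, entry point, header and data CRC) and the gzip search done above with objdump and dd can both be reproduced by parsing the 64-byte legacy uImage header directly. This is an added example, not code from the original post: the sample image is constructed in the script, and the function names are made up for illustration.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# Legacy U-Boot image header: seven big-endian 32-bit fields, four bytes
# (os, arch, type, compression) and a 32-byte name, 64 bytes in total.
HEADER = struct.Struct(">7I4B32s")
GZIP_SIGNATURE = b"\x1f\x8b\x08"  # gzip magic plus the "deflate" method byte


def parse_uimage(blob):
    """Parse a legacy uImage and verify both CRC32 fields."""
    if len(blob) < HEADER.size:
        raise ValueError("file is shorter than a uImage header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = HEADER.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError("not a legacy uImage")
    # The header CRC is computed with the hcrc field itself set to zero.
    zeroed = blob[:4] + b"\x00" * 4 + blob[8:HEADER.size]
    payload = blob[HEADER.size:HEADER.size + size]
    return {
        "name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "load": load,
        "entry": entry,
        "size": size,
        "header_ok": (zlib.crc32(zeroed) & 0xFFFFFFFF) == hcrc,
        "data_ok": len(payload) == size
                   and (zlib.crc32(payload) & 0xFFFFFFFF) == dcrc,
        "payload": payload,
    }


def address_mismatches(info, expected):
    """List the (field, value) pairs that differ from the expected address."""
    return [(key, info[key]) for key in ("load", "entry") if info[key] != expected]


def extract_kernel_image(zimage):
    """Return (offset, Image) for the first gzip stream that decompresses.

    Requiring the method byte after 1f 8b and a clean end of stream rejects
    chance hits on "1f 8b" inside the decompressor stub; bytes after the
    stream end up in unused_data, like gunzip's "trailing garbage ignored".
    """
    pos = zimage.find(GZIP_SIGNATURE)
    while pos != -1:
        inflater = zlib.decompressobj(31)  # 31 = gzip container
        try:
            image = inflater.decompress(zimage[pos:])
            if inflater.eof:
                return pos, image
        except zlib.error:
            pass
        pos = zimage.find(GZIP_SIGNATURE, pos + 1)
    raise ValueError("no gzip stream found")


def build_sample_uimage(load, entry):
    """Constructed test input, not the camera's firmware."""
    image = b"constructed kernel Image " * 64
    packer = zlib.compressobj(9, zlib.DEFLATED, 31)
    gz = packer.compress(image) + packer.flush()
    # Fake decompressor stub with a decoy "1f 8b" that is not a gzip header.
    stub = b"\xe1\xa0\x00\x00" * 16 + b"\x44\x1f\x8b\x6c" + b"\xe1\xa0\x00\x00" * 16
    zimage = stub + gz + b"\x00" * 12
    header = bytearray(HEADER.pack(
        UIMAGE_MAGIC, 0, 0, len(zimage), load, entry,
        zlib.crc32(zimage) & 0xFFFFFFFF,
        5, 2, 2, 0,  # Linux, ARM, kernel image, not compressed
        b"Linux-2.6.24ssl"))
    struct.pack_into(">I", header, 4, zlib.crc32(bytes(header)) & 0xFFFFFFFF)
    return bytes(header) + zimage, image, len(stub)


if __name__ == "__main__":
    # Same mistake as the first rebuilt kernel: 0x50408000 instead of 0x50C08000.
    blob, _, _ = build_sample_uimage(0x50408000, 0x50408000)
    info = parse_uimage(blob)
    print(info["name"], "header_ok=%s data_ok=%s" % (info["header_ok"], info["data_ok"]))
    for field, value in address_mismatches(info, 0x50C08000):
        print("%s is 0x%08X, expected 0x50C08000" % (field, value))
    offset, image = extract_kernel_image(info["payload"])
    print("gzip stream at offset %d, Image is %d bytes" % (offset, len(image)))
```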
In my previous post I showed some information about getting access to the serial port of the H6837WI and its U-Boot console.
Now let's see the Linux kernel booting:
object$ bootm 10030000
Starting kernel ...
Uncompressing Linux.............................................................................................. done,.
init_gpio()
default key isn't press
[ 6.630000] rtc-s35390a 0-0030: error resetting chip
hwclock: can't open '/dev/misc/rtc': No such file or directory
init_gpio()
WDT enable.
main pid 317
init_gpio()
read system param from file
dns set
mac0:0 mac1:a9 mac2:c0 mac3:0 mac4:92 mac5:99
eth is start
size:0
system ie and ad init
ov7725 id1 id2:77-21
this is ov7725
reglen 97
ov7725 init ok
50hz reglen 76
ie param ppid 341
Ad init ok
video and audio is start
PIU sig thread parent PID 317
PIU Signal Handler Thread PID 345
piu_signal_thread_created !
GPT init ok
[ 11.660000] DV Module Opened
[ 11.660000] VIP Module Opened
bitrate 1048576 framerate 30 key 50 quant 26 ratemode 1
cbr=1
net service is start
cmd pid 357
media pid 358
livestream pid 359
encry
enc start...
tmp:ff-dc-a8-49-17-16
tmp:12-34-56-78-9a-bc
check key
adjust is ok
set done!
argc=3 argv=554=554
msginit
socket fd=6
create ipc(6667) socket successful!
socket fd=11
create ipc(6669) socket successful!
accept proc is start
network proc is start
socket fd=14
bind(6666) address successful!
socket fd=15
bind(6668) address successful!
route: SIOCDELRT: No such process
Sun Nov 25 22:32:39 UTC 2012
start upnp web...
upnpc : miniupnpc library test client. (c) 2006-2010 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
Sun Nov 25 23:00:44 UTC 2012
write date ok
"H264" stream, from the file "test.264"
Play this stream using the URL "rtsp://0.0.0.0/H264"
curtime 1353884404
add alias
add alias
select loop
web socket 423
SD Record is start...
sd pid 424
enter main loop
mount: mounting /dev/mmcblk0 on /media/sd failed: No such file or directory
==========sd iRet=0=========
Alarm is start...
dns name:user.gocam.so
dns user:vsyw
dns pass:335085
dns port:808
start run ddns
No IGD UPnP Device found on the network !
upnpc : miniupnpc library test client. (c) 2006-2010 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
No IGD UPnP Device found on the network !
recive:3 data=e2-e5-23- 0- 0- 0- 0- 0
=========Get dns Ip failed============
dns name:user.gocam.so
dns user:vsyw
dns pass:335085
dns port:808
NTP=0
write date ok
=========Get dns Ip failed============
dns name:user.gocam.so
dns user:vsyw
dns pass:335085
dns port:808
start read
Too bad, by default the “console=” kernel command line parameter is not set. So let's set it:
object$ set bootargs 'mem=20M console=ttyS0,115200n8 init=/sbin/init root=/dev/mtdblock3'
object$ saveenv
Saving Environment to Flash...
Un-Protected 1 sectors
Erasing Flash...Erasing sector 134 ... ok.
Erased 1 sectors
Writing to Flash... dest 107f0802
dest 107f1006
dest 107f180a
dest 107f200e
dest 107f2812
dest 107f3016
dest 107f381a
dest 107f401e
dest 107f4822
dest 107f5026
dest 107f582a
dest 107f602e
dest 107f6832
dest 107f7036
dest 107f783a
dest 107f803e
dest 107f8842
dest 107f9046
dest 107f984a
dest 107fa04e
dest 107fa852
dest 107fb056
dest 107fb85a
dest 107fc05e
dest 107fc862
dest 107fd066
dest 107fd86a
dest 107fe06e
dest 107fe872
dest 107ff076
dest 107ff87a
done
Protected 1 sectors
object$
Ouch, it is printing “dest ” debug messages, too noisy!
object$ bootm
Starting kernel ...
Uncompressing Linux.............................................................................................. done,.
[ 0.000000] Linux version 2.6.24ssl (root@localhost.localdomain) (gcc version 3.4.6) #200 PREEMPT Tue Apr 9 04:01:493
[ 0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
[ 0.000000] Machine: object h264 ipcam
[ 0.000000] Memory policy: ECC disabled, Data cache writeback
[ 0.000000] CPU0: D VIVT write-back cache
[ 0.000000] CPU0: I cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
[ 0.000000] CPU0: D cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping off. Total pages: 4572
[ 0.000000] Kernel command line: mem=18M console=ttyS0,115200n8 root=/dev/mtdblock3
[ 0.000000] intc: init info - ver=1,0
[ 0.000000] clock: init info - ver=1,0
[ 0.000000] MAGUS Clocks : ARM-240.000 MHz, HCLK-120.000 MHz, PCLK-60.000 MHz, PERCLK1-60.000 MHz, PERCLK2-24.000 MHz
[ 0.000000] PID hash table entries: 128 (order: 7, 512 bytes)
[ 0.000000] Console: colour dummy device 80x30
[ 0.000000] console [ttyS0] enabled
[ 0.010000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.020000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.030000] Memory: 18MB = 18MB total
[ 0.030000] Memory: 15200KB available (2688K code, 213K data, 96K init)
[ 0.270000] Mount-cache hash table entries: 512
[ 0.270000] CPU: Testing write buffer coherency: ok
[ 0.290000] net_namespace: 64 bytes
[ 0.300000] NET: Registered protocol family 16
[ 0.310000] dma: init info - ver 1.0 fifosize=128, 8 channels
[ 0.320000] MAGUS cpu freq change driver v1.0
[ 0.330000]
[ 0.330000] cpufreq: magus_set_target: request for target_freq = 240000 KHz
[ 0.340000] cpufreq: magus_set_target: cur_pll_out = 240000 KHz, cur_arm_freq = 240000 KHz
[ 0.380000] SCSI subsystem initialized
[ 0.390000] usbcore: registered new interface driver usbfs
[ 0.400000] usbcore: registered new interface driver hub
[ 0.400000] usbcore: registered new device driver usb
[ 0.500000] NET: Registered protocol family 2
[ 0.600000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.610000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[ 0.620000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.620000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.630000] TCP reno registered
[ 0.660000] Power Management for MAGUS. V0.1.1
[ 0.660000] NetWinder Floating Point Emulator V0.97 (extended precision)
[ 0.680000] JFFS2 version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc.
[ 0.690000] io scheduler noop registered
[ 0.690000] io scheduler deadline registered (default)
[ 0.720000] Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
[ 0.730000] ttyS0: autoconf (0x0000, 0xf000300c): uart: id=7000041
[ 0.740000] type=16550A
[ 0.740000] serial8250: ttyS0 at MMIO 0x0 (irq = 16) is a 16550A
[ 0.750000] ttyS1: autoconf (0x0000, 0xf000400c): uart: id=7000041
[ 0.750000] type=16550A
[ 0.750000] serial8250: ttyS1 at MMIO 0x0 (irq = 17) is a 16550A
[ 0.760000] PPP generic driver version 2.4.2
[ 0.770000] PPP Deflate Compression module registered
[ 0.780000] PPP BSD Compression module registered
[ 0.780000] PPP MPPE Compression module registered
[ 0.790000] NET: Registered protocol family 24
[ 0.790000] PPPoL2TP kernel driver, V1.0
[ 0.800000] SLIP: version 0.8.4-NET3.019-NEWTTY (dynamic channels, max=256).
[ 0.800000] tun: Universal TUN/TAP device driver, 1.6
[ 0.810000] tun: (C) 1999-2004 Max Krasnyansky
[ 0.820000] Driver 'sd' needs updating - please use bus_type methods
[ 0.830000] SPAN-NOR:0x00800000 at 0x10000000
[ 0.830000] nor flash cfi probe
[ 0.830000] NOR flash on ipcam: Found 1 x16 devices at 0x0 in 16-bit bank
[ 0.840000] Amd/Fujitsu Extended Query Table at 0x0040
[ 0.850000] number of CFI chips: 1
[ 0.850000] cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
[ 0.860000] using static partition definition
[ 0.870000] Creating 5 MTD partitions on "NOR flash on ipcam":
[ 0.870000] 0x000000000000-0x000000030000 : "ARMboot"
[ 0.880000] 0x000000030000-0x0000001a0000 : "Kernel"
[ 0.890000] 0x0000001a0000-0x0000005a0000 : "RootFS"
[ 0.900000] 0x0000005a0000-0x0000007f0000 : "IpcamFS"
[ 0.910000] 0x0000007f0000-0x000000800000 : "param"
[ 0.920000] spi: init info - ver=1.0 fifo=16 slaves=5 master=1
[ 0.930000] spi: init info - ver=1.0 fifo=16 slaves=5 master=1
[ 0.940000] i2c /dev entries driver
[ 0.950000] i2c: init info - ver=1,0
[ 0.950000] MAGUS Watchdog Timer, (c) 2008 Solomon Systech
[ 0.960000] wdog wdog: watchdog inactive, reset disabled.
[ 0.970000]
[ 0.970000] cpufreq: magus_set_target: request for target_freq = 240000 KHz
[ 0.980000] cpufreq: magus_set_target: cur_pll_out = 240000 KHz, cur_arm_freq = 240000 KHz
[ 0.990000] Advanced Linux Sound Architecture Driver Version 1.0.15 (Tue Nov 20 19:16:42 2007 UTC).
[ 1.000000] ASoC version 0.13.1
[ 1.010000] ALSA device list:
[ 1.010000] No soundcards found.
[ 1.010000] TCP cubic registered
[ 1.020000] NET: Registered protocol family 1
[ 1.020000] NET: Registered protocol family 17
[ 1.030000] ieee80211: 802.11 data/management/control stack, git-1.1.13
[ 1.030000] ieee80211: Copyright (C) 2004-2005 Intel Corporation
[ 1.060000] VFS: Mounted root (cramfs filesystem) readonly.
[ 1.060000] Freeing init memory: 96K
/usr/bin/sdupdate: error while loading shared libraries: libgpioctrl.so: cannot open shared object file: No such file oy
[ 3.560000] JFFS2 notice: (185) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unche.
[ 3.710000] Micrel KSZ8851 driver with MLL interface
[ 3.710000] io fc000000 fc000000
[ 3.720000] Micrel KSZ8851 1.0.4 (Apr 23, 2009)
[ 3.720000] zqh base:fc000000
[ 3.740000] read ID by zqh
[ 3.740000] read ID end
[ 3.750000] hardware is init ok
[ 3.750000] device ok
[ 3.750000] init 1
[ 3.760000] ether setup
[ 3.760000] read mac
[ 3.760000] init proc ok
[ 3.880000] piu reg start addr 0xc1876000, phy addr 0xd0132000
[ 3.880000] PIU driver loaded - mem @ 0x503FFF00
[ 4.100000] vpp in maj=251
[ 4.320000] VIP: Module has been loaded into the kernel
[ 4.520000] DV Module loaded into the kernel
[ 5.150000] enter magus_init func
[ 5.160000] wm8731: WM8731 Audio Codec 0.13
[ 5.170000] asoc: WM8731 magus-i2s mapping ok
[ 5.190000] enter magus_wm8731_init func
[ 5.190000] exit magus_wm8731_init func
[ 5.360000] exit magus_init func OK, device added
[ 5.690000] ssli2c: do err - actual=-1 len=1. Reset I2C Host.
[ 5.690000] i2c: init info - ver=1,0
[ 5.700000] rtc-s35390a 0-0030: error resetting chip
[ 5.840000] rtc-s35390a: probe of 0-0030 failed with error -5
[ 6.860000] sslotg: Set Magus as Host.
[ 6.860000] otg: init info - ver=0041
[ 6.880000] ehci ehci: ssl ehci
[ 6.890000] ehci ehci: new USB bus registered, assigned bus number 1
[ 6.890000] ehci ehci: irq 14, io mem 0x08403000
[ 6.920000] ehci ehci: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
[ 6.970000] usb usb1: configuration #1 chosen from 1 choice
[ 6.990000] hub 1-0:1.0: USB hub found
[ 6.990000] hub 1-0:1.0: 1 port detected
[ 7.150000] usb usb1: Product: ssl ehci
[ 7.150000] usb usb1: Manufacturer: Linux 2.6.24ssl ssl ehci
[ 7.160000] usb usb1: SerialNumber: ssl_ehci
[ 7.380000] CI reset done
[ 7.440000] usb 1-1: new full speed USB device using ehci and address 2
[ 7.510000] CI reset done
[ 7.600000] usb 1-1: not running at top speed; connect to a high speed hub
hwclock: can't open '/dev/misc/rtc': No such file or directory
[ 7.700000] usb 1-1: configuration #1 chosen from 1 choice
daemon: error while loading shared libraries: libgpioctrl.so: cannot open shared object file: No such file or directory
[ 8.020000] usb 1-1: Product: 802.11 n WLAN
[ 8.020000] usb 1-1: Manufacturer: Ralink
[ 8.020000] usb 1-1: SerialNumber: 1.0
encoder: error while loading shared libraries: libgpioctrl.so: cannot open shared object file: No such file or directory
/ #
Great! I have a Linux terminal with “root” access.
The VStarcam H6837WI came with a serial connector (labeled SERIA1) soldered on the board. It is funny!
I found a connector cable in an old laptop and connected it, and then I got access to the U-Boot bootloader used on it:
.........
U-Boot 1.1.6 (May 19 2011 - 16:36:28)
DRAM: 64 MB
Flash: 8 MB
*** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
0
object$
Let's see the default environment variables:
object$ pri
bootcmd=bootm
bootdelay=1
baudrate=115200
ethaddr=00:02:04:06:08:0a
ipaddr=192.168.3.189
bootfile="uImage"
stdin=serial
stdout=serial
stderr=serial
Environment size: 148/32764 bytes
object$
I noticed they are not using a valid MAC address: the MAC address they are using (00-02-04) is registered by Bodmann Industries, a German company, as you can see here: http://standards.ieee.org/develop/regauth/oui/oui.txt
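The "bad CRC" warning and the "Environment size: 148/32764 bytes" line in the output above both follow from how U-Boot stores its environment: a CRC32 followed by NUL-separated key=value strings. The Python below is an added example, not code from the original post or from U-Boot; it rebuilds the printed variables into that layout and checks a raw dump, assuming a 4-byte CRC header, a little-endian target and 0xFF padding.

```python
import struct
import zlib

# Variables exactly as printed by printenv in the session above.
DEFAULT_ENV = [
    ("bootcmd", "bootm"),
    ("bootdelay", "1"),
    ("baudrate", "115200"),
    ("ethaddr", "00:02:04:06:08:0a"),
    ("ipaddr", "192.168.3.189"),
    ("bootfile", '"uImage"'),
    ("stdin", "serial"),
    ("stdout", "serial"),
    ("stderr", "serial"),
]
ENV_SIZE = 32764   # from "Environment size: 148/32764 bytes"
HEADER = 4         # assumption: 4-byte CRC32 only, no redundancy flag byte


def pack_env(pairs, env_size=ENV_SIZE):
    """Return (image, used): CRC32 header + NUL-separated key=value data."""
    body = b"".join(f"{k}={v}".encode("ascii") + b"\0" for k, v in pairs)
    used = len(body)                 # the figure printenv reports as the size
    if used + 1 > env_size:
        raise ValueError("environment does not fit")
    data = body + b"\0" + b"\xff" * (env_size - used - 1)
    # assumption: little-endian target, so the CRC is stored little-endian
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return struct.pack("<I", crc) + data, used


def check_env(blob, env_size=ENV_SIZE):
    """Return (crc_ok, variables) for a raw dump of the environment area."""
    if len(blob) < HEADER + env_size:
        raise ValueError("dump shorter than the environment area")
    stored, = struct.unpack_from("<I", blob)
    data = blob[HEADER:HEADER + env_size]
    crc_ok = stored == (zlib.crc32(data) & 0xFFFFFFFF)
    end = data.find(b"\0\0")         # a double NUL terminates the list
    entries = data[:end].split(b"\0") if end > 0 else []
    pairs = [tuple(e.decode("ascii", "replace").split("=", 1))
             for e in entries if b"=" in e]
    return crc_ok, pairs
```

An erased sector (all 0xFF) fails the CRC check and yields no variables, which is the state in which U-Boot prints the warning and falls back to its compiled-in defaults.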
Next step, let's see the commands available on this U-Boot compilation:
object$ help
? - alias for 'help'
base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
bootp - boot image via network using BootP/TFTP protocol
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
dhcp - invoke DHCP client to obtain IP/boot params
echo - echo args to console
eeprom - EEPROM sub-system
erase - erase FLASH memory
exit - exit script
flinfo - print FLASH memory information
go - start application at address 'addr'
help - print online help
icrc32 - checksum calculation
iloop - infinite loop on address range
imd - i2c memory display
iminfo - print header information for application image
imm - i2c memory modify (auto-incrementing)
imw - memory write (fill)
inm - memory modify (constant address)
iprobe - probe to discover valid I2C chip addresses
itest - return true/false on integer compare
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sleep - delay execution for some time
test - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
version - print monitor version
object$
Wow, we have serial binary transfer support (ymodem and kermit), so if I flash a wrong Linux kernel it is possible to reinstall it using the serial cable.
Let me see the flash information:
object$ flinfo
Bank # 1: data:
d003d003e3e0e3e0 3c 3ce59fe59f12011201e3a0e3a02b022b02e3a0e3a0
AMD: S29GL064TFI04 (64Mbit)
Size: 8 MB in 135 Sectors
Sector Start Addresses:
10000000 (RO) 10002000 (RO) 10004000 (RO) 10006000 (RO) 10008000 (RO)
1000A000 (RO) 1000C000 (RO) 1000E000 (RO) 10010000 (RO) 10020000 (RO)
10030000 10040000 10050000 10060000 10070000
10080000 10090000 100A0000 100B0000 100C0000
100D0000 100E0000 100F0000 10100000 10110000
10120000 10130000 10140000 10150000 10160000
10170000 10180000 10190000 101A0000 101B0000
101C0000 101D0000 101E0000 101F0000 10200000
10210000 10220000 10230000 10240000 10250000
10260000 10270000 10280000 10290000 102A0000
102B0000 102C0000 102D0000 102E0000 102F0000
10300000 10310000 10320000 10330000 10340000
10350000 10360000 10370000 10380000 10390000
103A0000 103B0000 103C0000 103D0000 103E0000
103F0000 10400000 10410000 10420000 10430000
10440000 10450000 10460000 10470000 10480000
10490000 104A0000 104B0000 104C0000 104D0000
104E0000 104F0000 10500000 10510000 10520000
10530000 10540000 10550000 10560000 10570000
10580000 10590000 105A0000 105B0000 105C0000
105D0000 105E0000 105F0000 10600000 10610000
10620000 10630000 10640000 10650000 10660000
10670000 10680000 10690000 106A0000 106B0000
106C0000 106D0000 106E0000 106F0000 10700000
10710000 10720000 10730000 10740000 10750000
10760000 10770000 10780000 10790000 107A0000
107B0000 107C0000 107D0000 107E0000 107F0000 (RO)
object$
The first 10 sectors are used by U-Boot (up to 128KB) and the last one (0x107F0000) is used to store environment variables.
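The flinfo listing above determines which erase ranges are safe: the ten (RO) sectors at the start hold the bootloader and the (RO) sector at 0x107F0000 holds the environment. This added Python example (not part of the original post; the function names are hypothetical) rebuilds the sector table from that listing and rejects an erase range that is not sector aligned or that touches a protected sector.

```python
BASE = 0x10000000
# Geometry read off the flinfo listing: 8 sectors of 8 KiB, then 127 of 64 KiB.
GEOMETRY = [(8, 0x2000), (127, 0x10000)]
# Sectors marked (RO) in the listing: the first ten and the last one.
RO_FIRST, RO_LAST = 10, 1


def build_sectors():
    """Return [(start, size, read_only)] for the whole 8 MB bank."""
    table, addr = [], BASE
    for count, size in GEOMETRY:
        for _ in range(count):
            table.append([addr, size, False])
            addr += size
    for sector in table[:RO_FIRST] + table[-RO_LAST:]:
        sector[2] = True
    return [tuple(sector) for sector in table]


def check_erase(start, end, table=None):
    """Pre-flight check for `erase start end` (hypothetical helper).

    Returns the start addresses of the sectors the range covers. Raises
    ValueError when the range is not sector aligned or when it touches an
    (RO) sector, i.e. the bootloader or the environment sector.
    """
    table = table or build_sectors()
    starts = {s for s, _, _ in table}
    ends = {s + size - 1 for s, size, _ in table}
    if start not in starts:
        raise ValueError(f"start {start:#x} is not a sector start")
    if end not in ends or end < start:
        raise ValueError(f"end {end:#x} is not the last byte of a sector")
    hit = [(s, ro) for s, _, ro in table if start <= s <= end]
    protected = [s for s, ro in hit if ro]
    if protected:
        raise ValueError(f"range covers protected sector {protected[0]:#x}")
    return [s for s, _ in hit]
```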
More info to come, stay tuned!
As you know from previous posts, I’m hacking a VStarcam H6837WI IP camera.
I started searching for the kernel source code for this camera, but didn’t find it. Then I discovered this camera uses the SSD1935 chip from Solomon Systech.
I browsed all over the Internet searching for the kernel for this chip, but with no success. So I decided to search for a similar chip: first SSD1936… no way, then I searched for SSD1933 and found this post at Rockbox:
http://www.rockbox.org/irc/log-20111109
There I got the pot of gold posted by TEAC for their WAP R8900:
Now I have created a repository at GitHub to let other people get it easily:
https://github.com/acassis/linux_kernel_ssd1935
Some drivers are compiled separately from the ssd1935 kernel, so I will include them there to simplify kernel compilation.