Finally a kernel compiled from source code is starting on VStarCam H6837WI

If you are following this blog you know I’m hacking an Wireless IP Camera VStarCam H6837WI and I have good news!

I found the Linux source code for SSD1935, thanks TEAC for releasing it. But I was wrong when I thought it should be very easy to get it working on my camera.

First, the machine ID used on TEAC WAP R8900 didn’t match the machine passed by u-boot, it was supposed to happen. I think neither Solomon Systech or TEAC was thinking to integrate it in the Linux mainline because they are using an invalid board ID (registered by other company).

Then I just need to select the right board ID, but Solomon used this board ID, used on VStarCam H6837WI, at least in three other boards. Then I just selected the board with same name used on the u-boot (it was a fault as you will see further below).

After compiling it and uploading the resulting uImage in the camera using ymodem transfer protocol on u-boot it didn’t start correctly.

Then I start debugging the low level kernel initialization, at first using ‘printascii’ (with DEBUG_LL activated), but with no luck. After many trials I decide to use other strategy, I decided to disassemble the original uImage retrieved from camera flash memory. This is the information from original uImage:

$ file uImage_h6837wi.bin 
uImage_h6837wi.bin: u-boot legacy uImage, Linux-2.6.24ssl, Linux/ARM, OS Kernel Image (Not compressed), 1467600 bytes, Mon Apr  8 17:01:50 2013, Load Address: 0x50C08000, Entry Point: 0x50C08000, Header CRC: 0xFFA94C01, Data CRC: 0xA90B8571

First I extracted the zImage from uImage and then decompressed it. After decompressing it to an Image I disassembled it and started to compare with the Image which I compiled.

This site helped too much: http://chdk.wikia.com/wiki/Gpl_Disassembling

I used these commands to create a disassembled file:

strings -t x Image | ./renumber.pl 0x50C08000 > Image.strings
hexdump -C Image |./renumber.pl 0x50C08000 > Image.hex
arm-linux-objcopy --change-addresses=0x50C08000 -I binary -O elf32-littlearm -B arm Image Image.elf
arm-linux-objcopy --set-section-flags .data=code Image.elf
arm-linux-objdump -d Image.elf > Image.dis

Then I noticed a visible difference at this position:

image_difference

Then using ‘arm-linux-addr2line’ it returned:

$ arm-linux-addr2line -f -e vmlinux 0xc00080dc
__create_page_tables
.tmp_kallsyms2.S:0

I searched for ‘__create_page_tables’ and it returned the file ‘arch/arm/kernel/head.S’ then I opened this file and started comparing the assembly code, and found the difference at this line:

orr     r6, r6, #(PHYS_OFFSET & 0x00f00000)

Then I searched for ‘PHYS_OFFSET’ and found this file: ‘kernel/include/asm-arm/arch-magus/memory.h’ :

#ifdef CONFIG_ARCH_MAGUS_FPGA
#define PHYS_OFFSET     UL(0xE2000000)
#elif defined CONFIG_ARCH_MAGUS_ADS
#define PHYS_OFFSET     UL(0x51000000)
#elif defined CONFIG_ACCIO_CM5208
#define PHYS_OFFSET     UL(0x51000000)
#elif defined CONFIG_ACCIO_CM5210
#define PHYS_OFFSET UL(0x51000000)
#elif defined CONFIG_ACCIO_A2818T
#define PHYS_OFFSET     UL(0x51000000)
#elif defined CONFIG_ACCIO_LITE
#define PHYS_OFFSET UL(0x50400000/*0x50C00000*/)
#else
#define PHYS_OFFSET     UL(0x51000000)
#endif

I noticed the address 0x50C00000 was commented (for my luck) and should be used for ‘ACCIO_LITE’, hmm I was using ‘ACCIO_A2818T’ because this was the board name I saw at u-boot bootloader source code. Then after removing 0x50400000 and using 0x50C00000 I reconfigured the kernel to use ACCIO_LITE.

Then I compiled the source code again, but no luck, it still no starting.

What should be wrong now?

I decide to compiled the kernel again and paying more attention at log messages, then I noticed these lines:

Data Size:    1471920 Bytes = 1437.42 kB = 1.40 MB
Load Address: 0x50408000
Entry Point:  0x50408000
  Image arch/arm/boot/uImage is ready

Ouch, it should be 0x50C08000, as in the original uImage file!

“Let’s search again like we did last year!”, replace ‘search’ by ‘twist’ to understand the lyrics 🙂

Searching for 0x50408000 returned this file:

kernel/arch/arm/mach-magus/Makefile.boot

This is the content:

        zreladdr-$(CONFIG_ACCIO_LITE)           := 0x50408000

Bingo! Replacing it by 0x50C08000 and compiling again fixed the booting issue.

See my compiled kernel booting here:

object$ loady
## Ready for binary (ymodem) download to 0x50C07FC0 at 115200 bps...                               
CxyzModem - CRC mode, 11503(SOH)/0(STX)/0(CAN) packets, 8 retries
## Total Size      = 0x001675f0 = 1471984 Bytes

object$ bootm 0x50C07FC0

 Starting kernel ...

Uncompressing Linux............................................................................................. done, .
[    0.000000] Linux version 2.6.24ssl (alan@aureo) (gcc version 3.4.6) #1 PREEMPT Sun Dec 9 17:37:11 BRST 2012
[    0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
[    0.000000] Machine: Solomon Magus Accio P1
[    0.000000] Memory policy: ECC disabled, Data cache writeback
[    0.000000] CPU0: D VIVT write-back cache
[    0.000000] CPU0: I cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
[    0.000000] CPU0: D cache: 8192 bytes, associativity 4, 32 byte lines, 64 sets
[    0.000000] Built 1 zonelists in Zone order, mobility grouping off.  Total pages: 5080
[    0.000000] Kernel command line: mem=20M console=ttyS0,115200n8 init=/sbin/init root=/dev/mtdblock3
[    0.000000] intc: init info - ver=1,0
[    0.000000] gpio: init info - ver=1,0 
[    0.000000] clock: init info - ver=1,0 
[    0.000000] MAGUS Clocks : ARM-240.000 MHz, HCLK-120.000 MHz, PCLK-60.000 MHz, PERCLK1-60.000 MHz, PERCLK2-24.000 MHz
[    0.000000] PID hash table entries: 128 (order: 7, 512 bytes)
[    0.000000] Console: colour dummy device 80x30
[    0.000000] console [ttyS0] enabled
[    0.020000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.020000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[    0.030000] Memory: 20MB = 20MB total
[    0.040000] Memory: 17268KB available (2680K code, 229K data, 72K init)
[    0.280000] Mount-cache hash table entries: 512
[    0.280000] CPU: Testing write buffer coherency: ok
[    0.300000] net_namespace: 64 bytes
[    0.310000] NET: Registered protocol family 16
[    0.340000] dma: init info - ver 1.0 fifosize=128, 8 channels
[    0.340000] MAGUS cpu freq change driver v1.0
[    0.350000] 
[    0.350000] cpufreq: magus_set_target: request for target_freq = 240000 KHz
[    0.360000] cpufreq: magus_set_target: cur_pll_out = 240000 KHz, cur_arm_freq = 240000 KHz
[    0.390000] SCSI subsystem initialized
[    0.400000] usbcore: registered new interface driver usbfs
[    0.410000] usbcore: registered new interface driver hub
[    0.420000] usbcore: registered new device driver usb
[    0.480000] NET: Registered protocol family 2
[    0.580000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.590000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[    0.600000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.600000] TCP: Hash tables configured (established 1024 bind 1024)
[    0.610000] TCP reno registered
[    0.640000] Power Management for MAGUS. V0.1.1
[    0.640000] NetWinder Floating Point Emulator V0.97 (extended precision)
[    0.660000] yaffs Dec  9 2012 17:36:12 Installing. 
[    0.670000] io scheduler noop registered
[    0.670000] io scheduler deadline registered (default)
[    0.680000] lcdc: init info - dsg=0 ver=0
[    0.680000]       abc=1, dbc=1 rdback=1 pp=0 lut=1 stn=1 dma=1
[    0.690000] lcdc: init warn - actually ver 0001
[    0.690000] SSL_FB: disable wid: 1
[    0.700000] SSL_FB: disable wid: 2
[    0.720000] Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
[    0.730000] ttyS0: autoconf (0x0000, 0xf000300c): uart: id=7000041
[    0.740000] type=16550A
[    0.740000] serial8250: ttyS0 at MMIO 0x0 (irq = 16) is a 16550A
[    0.750000] ttyS1: autoconf (0x0000, 0xf000400c): uart: id=7000041
[    0.760000] type=16550A
[    0.760000] serial8250: ttyS1 at MMIO 0x0 (irq = 17) is a 16550A
[    0.770000] Driver 'sd' needs updating - please use bus_type methods
[    0.780000] Driver 'sr' needs updating - please use bus_type methods
[    0.790000] NAND Driver, (c) 2007 Solomon Systech
[    0.790000] nfc: init info - ver=100 buf=4224
[    1.800000] nfc nand reset tout
[    1.800000] nfc: init info - ver=100 buf=4224
[    1.800000] No NAND device found!!!
[    1.810000] spi: init info - ver=1.0 fifo=16 slaves=5 master=1
[    1.820000] spi: init info - ver=1.0 fifo=16 slaves=5 master=1
[    1.940000] ehci ehci: ssl ehci
[    1.940000] ehci ehci: new USB bus registered, assigned bus number 1
[    1.950000] ehci ehci: irq 14, io mem 0x08403000
[    1.970000] ehci ehci: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
[    1.980000] usb usb1: configuration #1 chosen from 1 choice
[    1.980000] hub 1-0:1.0: USB hub found
[    1.990000] hub 1-0:1.0: 1 port detected
[    2.100000] usb usb1: Product: ssl ehci
[    2.100000] usb usb1: Manufacturer: Linux 2.6.24ssl ssl ehci
[    2.110000] usb usb1: SerialNumber: ssl_ehci
[    2.110000] Initializing USB Mass Storage driver...
[    2.340000] CI reset done
[    2.400000] usb 1-1: new high speed USB device using ehci and address 2
[    2.520000] CI reset done
[    2.630000] usb 1-1: configuration #1 chosen from 1 choice
[    2.650000] usb 1-1: Product: 802.11 n WLAN
[    2.650000] usb 1-1: Manufacturer: Ralink
[    2.660000] usb 1-1: SerialNumber: 1.0
[    2.660000] usbcore: registered new interface driver usb-storage
[    2.670000] USB Mass Storage support registered.
[    2.680000] usbcore: registered new interface driver libusual
[    2.680000] i2c /dev entries driver
[    2.690000] i2c: init info - ver=1,0
[    2.700000] 
[    2.700000] cpufreq: magus_set_target: request for target_freq = 240000 KHz
[    2.710000] cpufreq: magus_set_target: cur_pll_out = 240000 KHz, cur_arm_freq = 240000 KHz
[    2.720000] TCP cubic registered
[    2.720000] NET: Registered protocol family 1
[    2.730000] NET: Registered protocol family 17
[    2.730000] VFS: Cannot open root device "mtdblock3" or unknown-block(0,0)
[    2.740000] Please append a correct "root=" boot option; here are the available partitions:
[    2.750000] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)

There is too much work to be done. I need to add flash memory support and layout to it load the file-system. No problem, now I can see it starting, then everything will be more easy 😉

2 thoughts on “Finally a kernel compiled from source code is starting on VStarCam H6837WI

  1. Hi,
    I have an VStarCam H6837WI – upgraded the software by using the official http://cd.gocam.so/H_en.html webpage and nothing is working anymore. Event the LAN not (the lights are on but the ports on the the default IP address 192.168.1.126 are closed). I tried to use Telnet but it isn’t working anymore either.
    Do you have an Linux image that I can put on the TF Card and load from the TF Card? Or, is there another way to put image in IP-CAM?

    Antony

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s