Hack A10 devices

Hack A10 Devices
This page describe how to hack a A10 powered tablet and let a custom kernel to run on the tablet. The work was done on an Ainol Novo 7 Advanced tablet. But should be working on all A10 based tablet. Since A10 can boot from USB, never worry about bricking your device, but you may lose your data!!! Backup important data first!!!

Unbricking the device
The A10 can update the firmware from USB, so it can not be bricked. In case you bricked your devices, here is the instruction for flashing the firmware from USB. Note that this is only can be done in Windows (also through VirtualBox). You need a tool from Allwinner called LiveSuite, download livesuite.exe. It's a self extracting program, make a new folder, put it inside and open the exe. It will extract the program to the folder. You also need your firmware, which is an image file. You can download the Ainol Novo 7 Advanced stock firmware here aino_2.0.4.img. Execute LiveSuite.exe and click SelectImg button to select the aino_2.0.4.img downloaded. Connect your devices to PC with a USB cable. Then do the following:

Here are the instructions to let the device go to firmware upgrading mode (It should be applied for all A10 devices):


 * 1. Power off the device
 * 2. Press and hold any physical key except the power key on the device (ie press and hold Vol+ key, still holding in 3 and 4)
 * 3. Press and hold power key for about 2s (power on the device, when powering on, if a key is pressed, the devices will not boot until key released or 4)
 * 4. Release power key and press power key 3 times (I usually just keep pressing the power key)

If your PC prompts finding new hardware, install the driver in the LiveSuite program UsbDriver folder.



Then LiveSuite will ask if you want to format or not, choose yes. Then it will ask you to confirm, choose yes. It will start to load the image and flashing the NAND. Don't press NetSync, it will try to update LiveSuite but will never finish.

First sight
The stock firmware in my Novo7 is Android 2.3.4. With Android adb I can log into the device and take a look inside. $ adb shell boot.axf boot.ini drv_de.drv font24.sft font32.sft linux os_show script.bin script0.bin sprite sprite.axf magic.bin
 * 1) mkdir /sdcard/nanda
 * 2) mount -t vfat /dev/block/nanda /sdcard/nanda
 * 3) ls /sdcard/nanda

In folder linux bImage linux.ini params paramsr recovery.ini
 * 1) ls /sdcard/nanda/linux

Content of linux/linux.ini [segment] img_name = c:\linux\bImage img_size = 0x2000000 img_base = 0x40008000
 * 1) cat /sdcard/nanda/linux/linux.ini

[segment] img_name = c:\linux\params img_size = 0x100 img_base = 0x40000100

[script_info] script_base = 0x43000000 script_size = 0x10000

[logo_info] logo_name = c:\linux\android.bmp logo_address = 0x48000000 logo_show = 1 As you can see linux/bImage is our kernel, and linux/linux.ini is a config file that the bootloader reads and loads the kernel to 0x40008000 address. And the file linux/params is the kernel cmdline. console=ttyS0,115200 root=/dev/nandb rw init=/init fbmem=32M@0x5a000000 loglevel=8; And recovery.ini and paramsr are for Android recovery boot and cmdline.
 * 1) cat /sdcard/nanda/linux/params

Get a console
Allwinner uses a config file for hardware configuration. The config file is like a Windows ini file. You can download the config file for Novo7 Advanced sys_config1.fex which contains something like this. [uart_para] uart_debug_port         = 0 uart_debug_tx           =port:PB22<2> uart_debug_rx           =port:PB23<2> The A10 UART Rx and Tx pins can be reconfigured by software: As you can see PB22 and PB23 are for UART Rx and Tx. In our example PF2 and PF4 are for SD card Clock (sdc_clk) and Data 3 (sdc_d3). We change the configuration and disable the SD card, thus the usual SD card Clock pin and Data 3 pin are UART Rx and Tx. So with a SD card adapter (breakout/sniffer) and a TTL serial to USB cable you can get a console from the SD card slot.

Change the following places in the sys_config1.fex [uart_para] uart_debug_port         = 0 uart_debug_tx           =port:PB22<2> uart_debug_rx           =port:PB23<2> [uart_para0] uart_used               = 1 uart_port               = 0 uart_type               = 2 uart_tx                 =port:PB22<2> uart_rx                 =port:PB23<2> [mmc0_para] sdc_used                = 1 sdc_detmode             = 1 bus_width               = 4

to [uart_para] uart_debug_port         = 0 uart_debug_tx           = port:PF2<4> uart_debug_rx           = port:PF4<4> [uart_para0] uart_used               = 1 uart_port               = 0 uart_type               = 2 uart_tx                 = port:PF2<4> uart_rx                 = port:PF4<4> (disable sdcard0) [mmc0_para] sdc_used                = 0 sdc_detmode             = 1 bus_width               = 4

To get the param working you need a PC tool, download the Linux version script. This tool parses the ini file and writes the data to a bin file. Execute the downloaded program on your desktop: $./script sys_config1.fex argc = 2 input name sys_config1.fex Script 1 source file Path=/tmp/sys_config1.fex Script 1 bin file Path=/tmp/sys_config1.bin parser 1 file ok

Or you could compile these tools: https://github.com/amery/sunxi-tools $git clone git://github.com/amery/sunxi-tools.git $cd sunxi-tools $make $./fex2bin sys_config1.fex sys_config1.bin

You will get a file called sys_config1.bin. Now push it to the device $adb push sys_config1.bin /sdcard/nanda 3819 KB/s (40648 bytes in 0.010s) $adb shell boot.axf boot.ini drv_de.drv font24.sft font32.sft linux os_show script.bin script0.bin sprite sprite.axf magic.bin sys_config1.bin
 * 1) cd /sdcard/nanda
 * ls

Replace the original script.bin and script0.bin. script0.bin is just a backup of script.bin
 * 1) mv script.bin script.bin.bak
 * 2) mv script0.bin script0.bin.bak
 * 3) mv sys_config1.bin  script.bin

Get u-boot running
Compile u-boot git clone http://git.hands.com/u-boot.git cd u-boot git checkout lichee-dev (Branch lichee-dev set up to track remote branch lichee-dev from origin. Switched to a new branch 'lichee-dev') make sun4i CROSS_COMPILE=arm-linux-gnueabi- You get u-boot.bin in the directory. Push it to the device. adb push u-boot.bin /sdcard/nanda/linux 5446 KB/s (244928 bytes in 0.043s) adb pull /sdcard/nanda/linux/linux.ini 4 KB/s (327 bytes in 0.079s) adb shell Edit linux.ini, change [segment] img_name = c:\linux\bImage img_size = 0x2000000 img_base = 0x40008000 [segment] img_name = c:\linux\u-boot.bin img_size = 0x80000 img_base = 0x4A000000 push it back to the device adb push linux.ini /sdcard/nanda/linux 7 KB/s (329 bytes in 0.040s)
 * 1) cd /sdcard/nanda/linux
 * 2) mv linux.ini linux.ini.bak