Difference between revisions of "Hack A10 devices"

From eLinux.org
Jump to: navigation, search
(First sight)
m (Console: serial)
 
(4 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
== Hack A10 Devices ==
 
== Hack A10 Devices ==
  
This page describe how to hack a A10 powered tablet and let a custom kernel to run on the tablet. The work was done on an Ainol Novo 7 Advanced tablet. But should be working on all A10 based tablet. Since A10 can boot from usb, never worry about bricking your device, but you may lose your data!!! Backup important data first!!!
+
This page describe how to hack a A10 powered tablet and let a custom kernel to run on the tablet. The work was done on an Ainol Novo 7 Advanced tablet. But should be working on all A10 based tablet. Since A10 can boot from USB, never worry about bricking your device, but you may lose your data!!! Backup important data first!!!
  
 
== Unbricking the device ==
 
== Unbricking the device ==
The A10 can update the firmware from USB, so it can not be bricked. In case you bricked your devices, here is the instruction for flash the firmware from USB. Note that this is only can be done in Windows. You need a tool from Allwinner called livesuite, download [http://goo.gl/PWUwv livesuite.exe]. It's a self extract program,  make a new folder put it inside and click the exe, it will extract the program to the folder. And you need your firmware, which is a image file. You can download the Ainol Novo 7 Advanced stock firmware here [http://goo.gl/r1tc9 aino_2.0.4.img]. Click LiveSuite.exe to execute it and click SelectImg button to select the aino_2.0.4.img downloaded. Connect your devices to pc with a usb cable. Then do the following:  
+
The A10 can update the firmware from USB, so it can not be bricked. In case you bricked your devices, here is the instruction for flashing the firmware from USB. Note that this is only can be done in Windows (also through VirtualBox). You need a tool from Allwinner called LiveSuite, download [http://goo.gl/PWUwv livesuite.exe]. It's a self extracting program,  make a new folder, put it inside and open the exe. It will extract the program to the folder. You also need your firmware, which is an image file. You can download the Ainol Novo 7 Advanced stock firmware here [http://goo.gl/r1tc9 aino_2.0.4.img]. Execute LiveSuite.exe and click SelectImg button to select the aino_2.0.4.img downloaded. Connect your devices to PC with a USB cable. Then do the following:  
  
Here is instructions to let the device go to firmware upgrading mode(It should be applied for all A10 devices):
+
Here are the instructions to let the device go to firmware upgrading mode (It should be applied for all A10 devices):
  
* 1. power off the device
+
* 1. Power off the device
* 2. Press and hold any physical key except the power key on the device(ie, press and hold Vol+ key, still holding in 3 and 4)
+
* 2. Press and hold any physical key except the power key on the device (ie press and hold Vol+ key, still holding in 3 and 4)
* 3. Press and hold power key for about 2s(power on the device, when powering on, if a key is pressed, the devices will not boot until key released or 4)
+
* 3. Press and hold power key for about 2s (power on the device, when powering on, if a key is pressed, the devices will not boot until key released or 4)
* 4. Release power key and press power key 3 times(i usually just keep pressing the power key)
+
* 4. Release power key and press power key 3 times (I usually just keep pressing the power key)
  
If you pc are prompted finding new hardware, install the driver in the livesuite program UsbDriver folder.  
+
If your PC prompts finding new hardware, install the driver in the LiveSuite program UsbDriver folder.  
  
 
[[image:Livesuite.png]]
 
[[image:Livesuite.png]]
 +
 +
Then LiveSuite will ask if you want to format or not, choose yes. Then it will ask you to confirm, choose yes. It will start to load the image and flashing the NAND. Don't press NetSync, it will try to update LiveSuite but will never finish.
  
 
== First sight ==
 
== First sight ==
  
The stock firmware in my Novo7 is android 2.3.4. With android adb i can log into the device and take a look at inside.
+
The stock firmware in my Novo7 is Android 2.3.4. With Android adb I can log into the device and take a look inside.
 
<pre>
 
<pre>
 
$ adb shell
 
$ adb shell
Line 38: Line 40:
 
magic.bin
 
magic.bin
 
</pre>
 
</pre>
 +
 +
In folder linux
 
<pre>
 
<pre>
 
# ls /sdcard/nanda/linux
 
# ls /sdcard/nanda/linux
Line 46: Line 50:
 
recovery.ini
 
recovery.ini
 
</pre>
 
</pre>
 +
 +
Content of linux/linux.ini
 
<pre>
 
<pre>
 
# cat /sdcard/nanda/linux/linux.ini
 
# cat /sdcard/nanda/linux/linux.ini
Line 67: Line 73:
 
logo_show = 1
 
logo_show = 1
 
</pre>
 
</pre>
As you can see the linux/bImage is our kernel, and the linux/linux.ini is a config file that some loader reads, and load the file bImage to 0x40008000 address. And the file linux/params is the kernel cmdline.
+
As you can see linux/bImage is our kernel, and linux/linux.ini is a config file that the bootloader reads and loads the kernel to 0x40008000 address. And the file linux/params is the kernel cmdline.
 
<pre>
 
<pre>
 
# cat /sdcard/nanda/linux/params
 
# cat /sdcard/nanda/linux/params
 
console=ttyS0,115200 root=/dev/nandb rw init=/init fbmem=32M@0x5a000000 loglevel=8;
 
console=ttyS0,115200 root=/dev/nandb rw init=/init fbmem=32M@0x5a000000 loglevel=8;
 
</pre>
 
</pre>
And recovery.ini and paramsr is for android recovery boot and cmdline.
+
And recovery.ini and paramsr are for Android recovery boot and cmdline.
  
== Get a console ==
+
== Get a [[serial console|console]] ==
  
Allwinner uses a config file for hardware configuration, a config file is a Windows ini file, you can download the config file for novo7 advanced [http://goo.gl/QKXn6 sys_config1.fex], which is something like this.
+
Allwinner uses a config file for hardware configuration. The config file is like a Windows ini file. You can download the config file for Novo7 Advanced [http://goo.gl/QKXn6 sys_config1.fex] which contains something like this.
 
<pre>
 
<pre>
 
[uart_para]
 
[uart_para]
Line 83: Line 89:
 
uart_debug_rx            =port:PB23<2>
 
uart_debug_rx            =port:PB23<2>
 
</pre>
 
</pre>
The A10 uart rx and tx pin can be configured by software, usually PB22 and PB23 are for uart rx and tx, PF2 and PF4 for sdcard. But software can change this, let PF2 and PF4 be the uart rx and tx and disable sdcard, thus the usual sdcard clock pin and data3 pin is uart rx and tx. So with a TTL serial to USB cable, you can get a console from the sdcard slot.
+
The A10 [http://en.wikipedia.org/wiki/UART UART] Rx and Tx pins can be reconfigured by software: As you can see PB22 and PB23 are for UART Rx and Tx. In our example PF2 and PF4 are for SD card Clock (sdc_clk) and Data 3 (sdc_d3). We change the configuration and disable the SD card, thus the usual SD card Clock pin and Data 3 pin are UART Rx and Tx. So with a SD card adapter (breakout/sniffer) and a TTL serial to USB cable you can get a console from the SD card slot.
  
change the following two places in the sys_config1.fex
+
Change the following places in the sys_config1.fex
 
<pre>
 
<pre>
 
[uart_para]
 
[uart_para]
Line 102: Line 108:
 
<pre>
 
<pre>
 
[mmc0_para]
 
[mmc0_para]
sdc_used                =1
+
sdc_used                = 1
 
sdc_detmode              = 1
 
sdc_detmode              = 1
 
bus_width                = 4
 
bus_width                = 4
Line 130: Line 136:
 
</pre>
 
</pre>
  
To get the param working you need a pc tool, download the linux version [http://goo.gl/Zwhbk script]. This tool parses the ini file, and write the data to a bin file. Execute the downloaded program on your desktop
+
To get the param working you need a PC tool, download the Linux version [http://goo.gl/Zwhbk script]. This tool parses the ini file and writes the data to a bin file. Execute the downloaded program on your desktop:
 
<pre>
 
<pre>
 
$./script sys_config1.fex  
 
$./script sys_config1.fex  
Line 139: Line 145:
 
parser 1 file ok
 
parser 1 file ok
 
</pre>
 
</pre>
you will get a file called sys_config1.bin.
+
 
 +
Or you could compile these tools: https://github.com/amery/sunxi-tools
 +
<pre>$git clone git://github.com/amery/sunxi-tools.git
 +
$cd sunxi-tools
 +
$make
 +
$./fex2bin sys_config1.fex sys_config1.bin
 +
</pre>
 +
 
 +
You will get a file called sys_config1.bin.
 
Now push it to the device
 
Now push it to the device
 
<pre>
 
<pre>
Line 162: Line 176:
 
</pre>
 
</pre>
  
Replace the original script.bin and script0.bin, script0.bin is just a copy of script.bin
+
Replace the original script.bin and script0.bin. script0.bin is just a backup of script.bin
 
<pre>
 
<pre>
 
# mv script.bin script.bin.bak
 
# mv script.bin script.bin.bak
Line 174: Line 188:
 
git clone http://git.hands.com/u-boot.git
 
git clone http://git.hands.com/u-boot.git
 
cd u-boot
 
cd u-boot
git checkout lichee-dev(Branch lichee-dev set up to track remote branch lichee-dev from origin. Switched to a new branch 'lichee-dev')
+
git checkout lichee-dev (Branch lichee-dev set up to track remote branch lichee-dev from origin. Switched to a new branch 'lichee-dev')
 
make sun4i CROSS_COMPILE=arm-linux-gnueabi-
 
make sun4i CROSS_COMPILE=arm-linux-gnueabi-
 
</pre>
 
</pre>
Line 205: Line 219:
 
7 KB/s (329 bytes in 0.040s)
 
7 KB/s (329 bytes in 0.040s)
 
</pre>
 
</pre>
 +
 +
[[Category:Allwinner A1X]]

Latest revision as of 03:00, 31 August 2012

Hack A10 Devices

This page describe how to hack a A10 powered tablet and let a custom kernel to run on the tablet. The work was done on an Ainol Novo 7 Advanced tablet. But should be working on all A10 based tablet. Since A10 can boot from USB, never worry about bricking your device, but you may lose your data!!! Backup important data first!!!

Unbricking the device

The A10 can update the firmware from USB, so it can not be bricked. In case you bricked your devices, here is the instruction for flashing the firmware from USB. Note that this is only can be done in Windows (also through VirtualBox). You need a tool from Allwinner called LiveSuite, download livesuite.exe. It's a self extracting program, make a new folder, put it inside and open the exe. It will extract the program to the folder. You also need your firmware, which is an image file. You can download the Ainol Novo 7 Advanced stock firmware here aino_2.0.4.img. Execute LiveSuite.exe and click SelectImg button to select the aino_2.0.4.img downloaded. Connect your devices to PC with a USB cable. Then do the following:

Here are the instructions to let the device go to firmware upgrading mode (It should be applied for all A10 devices):

  • 1. Power off the device
  • 2. Press and hold any physical key except the power key on the device (ie press and hold Vol+ key, still holding in 3 and 4)
  • 3. Press and hold power key for about 2s (power on the device, when powering on, if a key is pressed, the devices will not boot until key released or 4)
  • 4. Release power key and press power key 3 times (I usually just keep pressing the power key)

If your PC prompts finding new hardware, install the driver in the LiveSuite program UsbDriver folder.

Livesuite.png

Then LiveSuite will ask if you want to format or not, choose yes. Then it will ask you to confirm, choose yes. It will start to load the image and flashing the NAND. Don't press NetSync, it will try to update LiveSuite but will never finish.

First sight

The stock firmware in my Novo7 is Android 2.3.4. With Android adb I can log into the device and take a look inside.

$ adb shell
# mkdir /sdcard/nanda
# mount -t vfat /dev/block/nanda /sdcard/nanda
# ls /sdcard/nanda
boot.axf
boot.ini
drv_de.drv
font24.sft
font32.sft
linux
os_show
script.bin
script0.bin
sprite
sprite.axf
magic.bin

In folder linux

# ls /sdcard/nanda/linux
bImage
linux.ini
params
paramsr
recovery.ini

Content of linux/linux.ini

# cat /sdcard/nanda/linux/linux.ini
[segment]
img_name = c:\linux\bImage
img_size = 0x2000000
img_base = 0x40008000

[segment]
img_name = c:\linux\params
img_size = 0x100
img_base = 0x40000100

[script_info]
script_base = 0x43000000
script_size = 0x10000

[logo_info]
logo_name = c:\linux\android.bmp
logo_address = 0x48000000
logo_show = 1

As you can see linux/bImage is our kernel, and linux/linux.ini is a config file that the bootloader reads and loads the kernel to 0x40008000 address. And the file linux/params is the kernel cmdline.

# cat /sdcard/nanda/linux/params
console=ttyS0,115200 root=/dev/nandb rw init=/init fbmem=32M@0x5a000000 loglevel=8;

And recovery.ini and paramsr are for Android recovery boot and cmdline.

Get a console

Allwinner uses a config file for hardware configuration. The config file is like a Windows ini file. You can download the config file for Novo7 Advanced sys_config1.fex which contains something like this.

[uart_para]
uart_debug_port          = 0
uart_debug_tx            =port:PB22<2>
uart_debug_rx            =port:PB23<2>

The A10 UART Rx and Tx pins can be reconfigured by software: As you can see PB22 and PB23 are for UART Rx and Tx. In our example PF2 and PF4 are for SD card Clock (sdc_clk) and Data 3 (sdc_d3). We change the configuration and disable the SD card, thus the usual SD card Clock pin and Data 3 pin are UART Rx and Tx. So with a SD card adapter (breakout/sniffer) and a TTL serial to USB cable you can get a console from the SD card slot.

Change the following places in the sys_config1.fex

[uart_para]
uart_debug_port          = 0
uart_debug_tx            =port:PB22<2>
uart_debug_rx            =port:PB23<2>
[uart_para0]
uart_used                = 1
uart_port                = 0
uart_type                = 2
uart_tx                  =port:PB22<2>
uart_rx                  =port:PB23<2>
[mmc0_para]
sdc_used                 = 1
sdc_detmode              = 1
bus_width                = 4

to

[uart_para]
uart_debug_port          = 0
uart_debug_tx            = port:PF2<4>
uart_debug_rx            = port:PF4<4>
[uart_para0]
uart_used                = 1
uart_port                = 0
uart_type                = 2
uart_tx                  = port:PF2<4>
uart_rx                  = port:PF4<4>

(disable sdcard0)

[mmc0_para]
sdc_used                 = 0
sdc_detmode              = 1
bus_width                = 4

To get the param working you need a PC tool, download the Linux version script. This tool parses the ini file and writes the data to a bin file. Execute the downloaded program on your desktop:

$./script sys_config1.fex 
argc = 2
input name sys_config1.fex
Script 1 source file Path=/tmp/sys_config1.fex
Script 1 bin file Path=/tmp/sys_config1.bin
parser 1 file ok

Or you could compile these tools: https://github.com/amery/sunxi-tools

$git clone git://github.com/amery/sunxi-tools.git
$cd sunxi-tools
$make
$./fex2bin sys_config1.fex sys_config1.bin

You will get a file called sys_config1.bin. Now push it to the device

$adb push sys_config1.bin /sdcard/nanda
3819 KB/s (40648 bytes in 0.010s)
$adb shell
#cd /sdcard/nanda
#ls
boot.axf
boot.ini
drv_de.drv
font24.sft
font32.sft
linux
os_show
script.bin
script0.bin
sprite
sprite.axf
magic.bin
sys_config1.bin

Replace the original script.bin and script0.bin. script0.bin is just a backup of script.bin

# mv script.bin script.bin.bak
# mv script0.bin script0.bin.bak
# mv sys_config1.bin  script.bin

Get u-boot running

Compile u-boot

git clone http://git.hands.com/u-boot.git
cd u-boot
git checkout lichee-dev (Branch lichee-dev set up to track remote branch lichee-dev from origin. Switched to a new branch 'lichee-dev')
make sun4i CROSS_COMPILE=arm-linux-gnueabi-

You get u-boot.bin in the directory. Push it to the device.

adb push u-boot.bin /sdcard/nanda/linux
5446 KB/s (244928 bytes in 0.043s)
adb pull /sdcard/nanda/linux/linux.ini 
4 KB/s (327 bytes in 0.079s)
adb shell
# cd /sdcard/nanda/linux
# mv linux.ini linux.ini.bak

Edit linux.ini, change

[segment]
img_name = c:\linux\bImage
img_size = 0x2000000
img_base = 0x40008000
[segment]
img_name = c:\linux\u-boot.bin
img_size = 0x80000
img_base = 0x4A000000

push it back to the device

adb push linux.ini /sdcard/nanda/linux
7 KB/s (329 bytes in 0.040s)