[g1-hackers] G1 boot code

Eddie C. Dost ecd at brainaid.de
Thu Dec 4 09:42:46 UTC 2008


Hello Jay,

now it is clear why we do not see the full nand device. If the
msm_nand driver registers partitions, it will not register the
device itself, so we cannot access this as char device.

Could you compile a kernel where you remove the two lines containing
the word "else" in drivers/mtd/devices/msm_nand.c, lines 1237 and 1263?
With this the msm_nand.c driver will register the whole device as
7th device after the 6 partitions. A dump of the partitions is not really
interesting, as we know what is on there. Maybe you can also change
line 72 in drivers/mtd/mtdcore.c from DEBUG(0, "mtd:...") to
printk("mtd:...");

Once you have this, and the kernel is booted you should see seven
nand devices registered in the kernel boot log you get with "dmesg".

Now, please create the device nodes for the 7th nand:

mknod /dev/mtd/mtd6 c 90 12
mknod /dev/mtd/mtd6ro c 90 13

Then you should be able to dump the nand image before the partitions
used by linux:

dd if=/dev/mtd/mtd6ro of=<path to dump> bs=2048 count=18944

which should produce around 38797312 bytes of data. This data is the
start of the nand interesting to analyze and the "misc" partition, to
verify we have it dumped correctly.

I know this is a hell of a lot of work to do, and your support is greatly
appreciated! - Remote kernel hacking is a pain, on both sides, I know...

Thanks a lot,
Eddie

On Wed, Dec 03, 2008 at 03:57:18PM +0100, Eddie C. Dost wrote:
> Hi Jay,
> 
> another idea, maybe we should find out some more about the nand
> first, the following code dumps info about the device structure as
> seen from the kernel. This could evolve into a dump utility if needed,
> I am willing to code this, as long as you could be so kind to run
> it on your G1...
> 
> Please compile with:
> 
> arm-eabi-gcc -I<path to kernel>/include -o mtd-getinfo mtd-getinfo.c
> 
> Let this run with /dev/mtdchar0 and /dev/mtdchar1 as argument (Two
> separate runs).
> 
> Thanks a lot,
> Eddie
> 
> -- snip file: mtd-getinfo.c --
> #include <unistd.h>
> #include <stdlib.h>
> #include <stdio.h>
> #include <string.h>
> #include <stdint.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <sys/ioctl.h>
> 
> #include <mtd/mtd-abi.h>
> 
> int
> main(int argc, char **argv)
> {
> 	struct mtd_info_user info;
> 	int fd;
> 
> 	if (argc != 2) {
> 		fprintf(stderr, "usage: %s <device>\n", argv[0]);
> 		exit(1);
> 	}
> 
> 	fd = open(argv[1], O_RDONLY);
> 	if (fd < 0) {
> 		fprintf(stderr, "%s: open %s: %s\n", argv[0],
> 			argv[1], strerror(errno));
> 		exit(1);
> 	}
> 
> 	if (ioctl(fd, MEMGETINFO, &info) != 0) {
> 		fprintf(stderr, "%s: ioctl MEMGETINFO %s: %s\n", argv[0],
> 			argv[1], strerror(errno));
> 		exit(1);
> 	}
> 
> 	close(fd);
> 
> 	printf("device:    %s\n", argv[1]);
> 	printf("type:      0x%02x\n", info.type);
> 	printf("flags:     0x%08x\n", info.flags);
> 	printf("size:      0x%08x\n", info.size);
> 	printf("erasesize: 0x%08x\n", info.erasesize);
> 	printf("writesize: 0x%08x\n", info.writesize);
> 	printf("oobsize:   0x%08x\n", info.oobsize);
> 
> 	return 0;
> }
> -- snip --
> 
> On Wed, Dec 03, 2008 at 05:38:17AM -0800, Jay Freeman (saurik) wrote:
> > Touche. I (unfortunately) don't know enough about this type of hardware to 
> > have noticed "wait, 'the nand' is just 'the mtd device', which we already 
> > have simple access to ;P". Ok, so that only happens to dump 256k of data ;P. 
> > Shouldn't that device be backing all 256MB of the MTD?
> > 
> > -J
> > 
> > --------------------------------------------------
> > From: "Eddie C. Dost" <ecd at brainaid.de>
> > Sent: Wednesday, December 03, 2008 5:18 AM
> > To: "Anton Kukoba" <hex at apriorit.com>; "Hacking the Android T-Mobile G1" 
> > <g1-hackers at telesphoreo.org>
> > Cc: "Jay Freeman (saurik)" <saurik at saurik.com>
> > Subject: Re: [g1-hackers] G1 boot code
> > 
> > > Hi,
> > >
> > > on my G1 I find they have CONFIG_MTD_CHAR=y in the kernel, so
> > > the following should provide a full nand dump:
> > >
> > > mknod /dev/mtdchar0 c 90 0
> > > dd if=/dev/mtdchar0 of=namd.dump bs=2048
> > >
> > > I used bs=2048, because I found this in the kernel source:
> > >
> > > drivers/mtd/devices/msm_nand.c: line 310: unsigned page = from / 2048;
> > >
> > >
> > > Hope this helps,
> > > Eddie
> > >
> > > On Wed, Dec 03, 2008 at 02:40:27PM +0200, Anton Kukoba wrote:
> > >> Hello Jay,
> > >>
> > >> Can't see anything stupid.
> > >> Does it reboot if you only call flash_init()?
> > >>
> > >> Wednesday, December 3, 2008, 2:29:45 PM, you wrote:
> > >>
> > >> > Ok, here is my first attempt at a program to dump the nand:
> > >>
> > >> > http://test.saurik.com/g1-hackers/nanddump-1.c
> > >>
> > >> > Running it rebooted the phone ;P. See anything stupid in it?
> > >>
> > >> > -J
> > >>
> > >> > --------------------------------------------------
> > >> > From: "Anton Kukoba" <hex at apriorit.com>
> > >> > Sent: Wednesday, December 03, 2008 4:13 AM
> > >> > To: "Hacking the Android T-Mobile G1" <g1-hackers at telesphoreo.org>
> > >> > Subject: Re: [g1-hackers] G1 boot code
> > >>
> > >> >> Hello Jay,
> > >> >>
> > >> >> Wednesday, December 3, 2008, 2:06:02 PM, you wrote:
> > >> >>
> > >> >>> Any idea how many pages I'm going to be trying to get? -J
> > >> >> There are two standard page sizes: 512 and 1024.
> > >> >> The name of the chip contains information about the total size of the
> > >> >> memory.
> > >> >>
> > >> >> Total size / page size = number of pages
> > >> >>
> > >> >> That's why I ask about the name of the chip.
> > >> >>
> > >> >>> --------------------------------------------------
> > >> >>> From: "Anton Kukoba" <hex at apriorit.com>
> > >> >>> Sent: Wednesday, December 03, 2008 3:56 AM
> > >> >>> To: "Hacking the Android T-Mobile G1" <g1-hackers at telesphoreo.org>
> > >> >>> Subject: Re: [g1-hackers] G1 boot code
> > >> >>
> > >> >>>> Hello Jay,
> > >> >>>>
> > >> >>>> Let's assume they used Nand, then these files are what you need:
> > >> >>>> \android\bootloader\legacy\include\msm7k\nand.h
> > >> >>>> \android\bootloader\legacy\arch_msm7k\nand.c
> > >> >>>>
> > >> >>>> If they allow access to the registers starting from MSM_NAND_BASE,
> > >> >>>> you can call flash_init(), then just use flash_read_page() for
> > >> >>>> dumping, incrementing the "page" argument.
> > >> >>>>
> > >> >>>>
> > >> >>>> Wednesday, December 3, 2008, 1:35:25 PM, you wrote:
> > >> >>>>
> > >> >>>>> "virtual address space"... these attempts were done using /dev/mem,
> > >> >>>>> which should operate over "physical address space" (at least from the
> > >> >>>>> perspective of this running OS, which I think is being mutilated by the
> > >> >>>>> hypervisor), and were under direction of people who have hacked previous
> > >> >>>>> HTC bootloaders (and claimed to know where the Nand chip was likely to
> > >> >>>>> be mapped). -J
> > >> >>>>
> > >> >>>>> --------------------------------------------------
> > >> >>>>> From: "Anton Kukoba" <hex at apriorit.com>
> > >> >>>>> Sent: Wednesday, December 03, 2008 3:04 AM
> > >> >>>>> To: "Jay Freeman (saurik)" <saurik at saurik.com>
> > >> >>>>> Cc: "Hacking the Android T-Mobile G1" <g1-hackers at telesphoreo.org>
> > >> >>>>> Subject: Re[2]: [g1-hackers] G1 boot code
> > >> >>>>
> > >> >>>>>> Hello Jay,
> > >> >>>>>>
> > >> >>>>>> Tuesday, December 2, 2008, 9:03:00 AM, you wrote:
> > >> >>>>>>
> > >> >>>>>> As I understand it, you're expecting the boot code to be mapped at
> > >> >>>>>> some address and you're trying to dump it.
> > >> >>>>>> I think such an approach won't give any results. There must be Nand or
> > >> >>>>>> OneNand flash memory with a boot sector which contains the boot code,
> > >> >>>>>> just like an HDD in a PC.
> > >> >>>>>> So, you'll need to dump the whole Nand chip to find the boot code
> > >> >>>>>> instead of searching the virtual address space.
> > >> >>>>>>
> > >> >>>>> ...
> > >> >>>>>>
> > >> >>>>>>> If you tell me where to dump I will happily dump things. The last
> > >> >>>>>>> person to have spent a bunch of time trying to tell me where to dump
> > >> >>>>>>> things, though, kept giving me addresses that were no longer backed by
> > >> >>>>>>> hardware by the time the device booted up. I currently blame the
> > >> >>>>>>> hypervisor. :( -J
> > >> >>>>
> > >> >>>>
> > >> >>>>> _______________________________________________
> > >> >>>>> G1-Hackers mailing list
> > >> >>>>> G1-Hackers at telesphoreo.org
> > >> >>>>> http://www.telesphoreo.org/cgi-bin/mailman/listinfo/g1-hackers
> > >> >>>>
> > >> >>>> -- 
> > >> >>>> Best regards,
> > >> >>>> Anton                            mailto:hex at apriorit.com
> > >> >>>> Chief research officer of ApriorIT - ApriorIT - A PriorITy choice!

-- 
___________________________________________________brainaid_____________
Eddie C. Dost           Rue de la Chapelle 51      phone +32 87 788817
                        B-4850 Moresnet            fax   +32 87 788818
ecd at brainaid.de         Belgium                    cell  +49 172 9312808
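The node-creation and dump steps described at the top of this message, as an added shell example (not code from the thread): it derives the mtdchar minor numbers the mknod lines use, creates the nodes, and checks the dd image against the expected length so a short or truncated dump is caught before analysis. It assumes a busybox-style POSIX sh with functions on the device; mktemp and /dev/zero are used only by the self-check.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a POSIX sh with
# functions (e.g. busybox), plus mknod, dd, wc and mktemp on the device.

MTD_CHAR_MAJOR=90   # major of the mtd char devices, as used in the thread

# mtdchar minor numbers: 2*index for the read-write node, 2*index+1 for the
# read-only node (matches the thread: mtd6 -> 90 12, mtd6ro -> 90 13).
mtd_minor() {       # $1 = mtd index, $2 = 0 for rw, 1 for ro
    echo $(( $1 * 2 + $2 ))
}

expected_bytes() {  # $1 = block size, $2 = block count
    echo $(( $1 * $2 ))
}

# Create /dev/mtd/mtdN and /dev/mtd/mtdNro for index N if they are missing.
make_mtd_nodes() {  # $1 = mtd index
    [ -d /dev/mtd ] || mkdir -p /dev/mtd
    [ -e "/dev/mtd/mtd$1" ] ||
        mknod "/dev/mtd/mtd$1" c "$MTD_CHAR_MAJOR" "$(mtd_minor "$1" 0)"
    [ -e "/dev/mtd/mtd$1ro" ] ||
        mknod "/dev/mtd/mtd$1ro" c "$MTD_CHAR_MAJOR" "$(mtd_minor "$1" 1)"
}

# Copy $4 blocks of $3 bytes from $1 to $2 and check the image length.
# dd stops at a read error or at the end of a smaller device, so a short
# image must be treated as an incomplete dump rather than analysed as-is.
dump_and_verify() { # $1 = source, $2 = output file, $3 = bs, $4 = count
    dd if="$1" of="$2" bs="$3" count="$4" || return 1
    want=$(expected_bytes "$3" "$4")
    got=$(( $(wc -c < "$2") ))
    if [ "$got" -ne "$want" ]; then
        echo "short dump: got $got bytes, expected $want" >&2
        return 1
    fi
    echo "$got"
}

# Self-check against a constructed 4-page (2048 bytes/page) file instead of
# a real mtd device, so the logic can be exercised off the phone.
selfcheck() {
    src=$(mktemp) || return 1
    out=$(mktemp) || return 1
    dd if=/dev/zero of="$src" bs=2048 count=4 2>/dev/null || return 1
    n=$(dump_and_verify "$src" "$out" 2048 4 2>/dev/null) || return 1
    rm -f "$src" "$out"
    [ "$n" -eq 8192 ]
}
```

On the phone this is `make_mtd_nodes 6` followed by `dump_and_verify /dev/mtd/mtd6ro <path to dump> 2048 18944`, which should report 38797312 bytes for the dump described above.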


