http://droid-developers.org/api.php?action=feedcontributions&user=Nothize&feedformat=atomMILEDROPEDIA - User contributions [en]2024-03-28T12:59:33ZUser contributionsMediaWiki 1.23.2http://droid-developers.org/wiki/SwapSwap2011-09-01T10:39:45Z<p>Nothize: /* Swap as module for x8 */</p>
<hr />
<div>== Introduction ==<br />
<br />
The goal is to add support for swap via a kernel module (by default it can't be compiled as a module) or to prove that it's not possible.<br />
<br />
kernel sources: http://sourceforge.net/projects/milestone.motorola/files/Milestone%20Source%20Froyo/05.26.0/kernel.tar.gz/download<br />
<br />
milestone config: mapphone_defconfig<br />
<br />
== Overview ==<br />
<br />
=== Information gathering phase ===<br />
<br />
The principle is to find every portion of code that is related to CONFIG_SWAP, directly or indirectly, limited to the current mapphone_defconfig. Once the whole chain of files and portions is identified, classify and organize them into a list of types that need different handling.<br />
<br />
=== Swap as module for x8 ===<br />
<br />
http://forum.xda-developers.com/showthread.php?t=1213211<br />
<br />
github: https://github.com/AnDyXX/X8<br />
<br />
One of the commits: https://github.com/AnDyXX/X8/commit/9c67084ab8a614e04cf63917fa7fe65da59ece64<br />
<br />
=== Design and implementation phase ===<br />
<br />
Analyze and design a runtime patching method for each type, and implement a test case for each design. It is better to wrap each approach in a macro to allow cleaner source code and easier global modification.<br />
<br />
== Information gathering ==<br />
<br />
List of the files where CONFIG_SWAP is found:<br />
<br />
<br />
* include/linux/swap.h<br />
* include/linux/page-flags.h<br />
* include/linux/mm.h<br />
* mm/Makefile: obj-$(CONFIG_SWAP) += page_io.o swap_state.o swapfile.o thrash.o<br />
* mm/swap.c<br />
* mm/mincore.c<br />
<br />
It also exists in mm/memcontrol.c, but I think it's not necessary for swap to work.<br />
<br />
<br />
=== include/linux/swap.h ===<br />
<br />
<syntaxhighlight lang="c"><br />
#ifdef CONFIG_SWAP<br />
/* linux/mm/page_io.c */<br />
extern int swap_readpage(struct page *);<br />
extern int swap_writepage(struct page *page, struct writeback_control *wbc);<br />
extern void end_swap_bio_read(struct bio *bio, int err);<br />
<br />
/* linux/mm/swap_state.c */<br />
extern struct address_space swapper_space;<br />
#define total_swapcache_pages swapper_space.nrpages<br />
extern void show_swap_cache_info(void);<br />
extern int add_to_swap(struct page *);<br />
extern int add_to_swap_cache(struct page *, swp_entry_t, gfp_t);<br />
extern void __delete_from_swap_cache(struct page *);<br />
extern void delete_from_swap_cache(struct page *);<br />
extern void free_page_and_swap_cache(struct page *);<br />
extern void free_pages_and_swap_cache(struct page **, int);<br />
extern struct page *lookup_swap_cache(swp_entry_t);<br />
extern struct page *read_swap_cache_async(swp_entry_t, gfp_t,<br />
			struct vm_area_struct *vma, unsigned long addr);<br />
extern struct page *swapin_readahead(swp_entry_t, gfp_t,<br />
			struct vm_area_struct *vma, unsigned long addr);<br />
<br />
/* linux/mm/swapfile.c */<br />
extern long nr_swap_pages;<br />
extern long total_swap_pages;<br />
extern void si_swapinfo(struct sysinfo *);<br />
extern swp_entry_t get_swap_page(void);<br />
extern swp_entry_t get_swap_page_of_type(int);<br />
extern void swap_duplicate(swp_entry_t);<br />
extern int swapcache_prepare(swp_entry_t);<br />
extern int valid_swaphandles(swp_entry_t, unsigned long *);<br />
extern void swap_free(swp_entry_t);<br />
extern void swapcache_free(swp_entry_t, struct page *page);<br />
extern int free_swap_and_cache(swp_entry_t);<br />
extern int swap_type_of(dev_t, sector_t, struct block_device **);<br />
extern unsigned int count_swap_pages(int, int);<br />
extern sector_t map_swap_page(struct swap_info_struct *, pgoff_t);<br />
extern sector_t swapdev_block(int, pgoff_t);<br />
extern struct swap_info_struct *get_swap_info_struct(unsigned);<br />
extern int reuse_swap_page(struct page *);<br />
extern int try_to_free_swap(struct page *);<br />
struct backing_dev_info;<br />
<br />
/* linux/mm/thrash.c */<br />
extern struct mm_struct *swap_token_mm;<br />
extern void grab_swap_token(struct mm_struct *);<br />
extern void __put_swap_token(struct mm_struct *);<br />
<br />
static inline int has_swap_token(struct mm_struct *mm)<br />
{<br />
	return (mm == swap_token_mm);<br />
}<br />
<br />
static inline void put_swap_token(struct mm_struct *mm)<br />
{<br />
	if (has_swap_token(mm))<br />
		__put_swap_token(mm);<br />
}<br />
<br />
static inline void disable_swap_token(void)<br />
{<br />
	put_swap_token(swap_token_mm);<br />
}<br />
<br />
#ifdef CONFIG_CGROUP_MEM_RES_CTLR<br />
extern void<br />
mem_cgroup_uncharge_swapcache(struct page *page, swp_entry_t ent, bool swapout);<br />
#else<br />
static inline void<br />
mem_cgroup_uncharge_swapcache(struct page *page, swp_entry_t ent, bool swapout)<br />
{<br />
}<br />
#endif<br />
</syntaxhighlight><br />
<br />
<br />
=== include/linux/page-flags.h ===<br />
<br />
<br />
<syntaxhighlight lang="c"><br />
#ifdef CONFIG_SWAP<br />
PAGEFLAG(SwapCache, swapcache)<br />
#else<br />
PAGEFLAG_FALSE(SwapCache)<br />
SETPAGEFLAG_NOOP(SwapCache) CLEARPAGEFLAG_NOOP(SwapCache)<br />
#endif<br />
</syntaxhighlight><br />
<br />
=== include/linux/mm.h ===<br />
<br />
<syntaxhighlight lang="c"><br />
static inline struct address_space *page_mapping(struct page *page)<br />
{<br />
	struct address_space *mapping = page->mapping;<br />
<br />
	VM_BUG_ON(PageSlab(page));<br />
#ifdef CONFIG_SWAP<br />
	if (unlikely(PageSwapCache(page)))<br />
		mapping = &swapper_space;<br />
	else<br />
#endif<br />
	if (unlikely((unsigned long)mapping & PAGE_MAPPING_ANON))<br />
		mapping = NULL;<br />
	return mapping;<br />
}<br />
</syntaxhighlight><br />
<br />
<br />
=== mm/swap.c ===<br />
<br />
<syntaxhighlight lang="c"><br />
/*<br />
* Perform any setup for the swap system<br />
*/<br />
void __init swap_setup(void)<br />
{<br />
	unsigned long megs = totalram_pages >> (20 - PAGE_SHIFT);<br />
<br />
#ifdef CONFIG_SWAP<br />
	bdi_init(swapper_space.backing_dev_info);<br />
#endif<br />
<br />
	/* Use a smaller cluster for small-memory machines */<br />
	if (megs < 16)<br />
		page_cluster = 2;<br />
	else<br />
		page_cluster = 3;<br />
	/*<br />
	 * Right now other parts of the system means that we<br />
	 * _really_ don't want to cluster much more<br />
	 */<br />
}<br />
</syntaxhighlight></div>Nothizehttp://droid-developers.org/wiki/SwapSwap2011-09-01T10:39:26Z<p>Nothize: Added github source link for the x8 swap module by AndyX</p>
<hr />
Nothizehttp://droid-developers.org/wiki/SwapSwap2011-08-11T15:06:32Z<p>Nothize: </p>
<hr />
Nothizehttp://droid-developers.org/wiki/SwapSwap2011-08-11T15:04:17Z<p>Nothize: </p>
<hr />
Nothizehttp://droid-developers.org/wiki/SwapSwap2011-08-11T14:44:50Z<p>Nothize: </p>
<hr />
Nothizehttp://droid-developers.org/wiki/SwapSwap2011-08-11T11:05:48Z<p>Nothize: </p>
<hr />
Nothizehttp://droid-developers.org/wiki/How_to_load_mbmloader_from_SD_cardHow to load mbmloader from SD card2011-03-22T20:50:10Z<p>Nothize: Added follow-up</p>
<hr />
<div>== Introduction ==<br />
<br />
After a software reset, the OMAP BootROM checks scratchpad memory at address 0x48002910, which may hold the address of a "software booting configuration".<br />
<br />
<blockquote>The software booting configuration is a simple structure at the address stored<br />
at the first location of available scratchpad memory: 0x48002910. There are two sections in this structure:<br />
* The first section provides devices for the booting device list.<br />
* The second section provides clock settings, which are applied before booting.<br />
<pre><br />
Devices to be put on the device list<br />
0x00: Void, no device<br />
0x01: XIP memory<br />
0x02: NAND<br />
0x03: OneNAND<br />
0x04: DOC<br />
0x05: MMC/SD2<br />
0x06: MMC/SD1<br />
0x07: XIP memory with wait monitoring<br />
0x08 to 0x0F: Reserved<br />
0x10: UART<br />
0x11: HS USB<br />
</pre><br />
</blockquote><br />
<br />
== Implementation ==<br />
<br />
We will use boot device "0x06: MMC/SD1" to load mbmloader and device "0x11: HS USB" to check whether booting from SD failed.<br />
<br />
=== Prepare file to load ===<br />
# You need the original mbmloader from the Milestone's NAND (first 128K) in a file. <br />
# Then replace the string X-LOADER with MLO inside the second 512-byte block.<br />
# Rename the file to MLO.<br />
# Truncate the file at the end of the mbmloader code.<br />
# Copy this file to the root directory of the SD card. The partition should be "active" and formatted as FAT16/32. I think the default formatting of the SD card by the Milestone is OK.<br />
<br />
=== Prepare code to software reset the Milestone ===<br />
<br />
We need to create the right structure inside scratch memory and perform a software reset.<br />
I've selected address 0x480029B0 to store the booting configuration.<br />
<br />
I've used the 2ndboot module from yakk to inject my code, because I'm not ready to develop a full kernel module yet.<br />
<br />
Example of my code:<br />
<pre><br />
/* Needs linux/io.h (ioremap, iounmap, __raw_writel), linux/irqflags.h and linux/errno.h */
#define SCRATCH_MEM 0x48002910
#define GLOBAL_REG_PRM 0x48307200

static void __iomem *scratch_mem;
static void __iomem *global_reg_prm;

/* Wrapper added so the fragment compiles; the function name is hypothetical. */
static int reset_to_sd_boot(void)
{
	scratch_mem = ioremap(SCRATCH_MEM, 240);
	global_reg_prm = ioremap(GLOBAL_REG_PRM, 256);
	if (!scratch_mem || !global_reg_prm) {
		if (scratch_mem)
			iounmap(scratch_mem);
		if (global_reg_prm)
			iounmap(global_reg_prm);
		return -ENOMEM;
	}

	// Disable IRQ
	local_irq_disable();
	local_fiq_disable();

	// Store address of booting configuration structure (0x480029B0)
	__raw_writel(SCRATCH_MEM+0xA0, scratch_mem + 0);

	// Header of booting config
	__raw_writel(0xCF00AA01, scratch_mem + 0xA0);
	// Size of booting config
	__raw_writel(0xC, scratch_mem + 0xA4);
	// First booting device is 0x06
	__raw_writel(0x00060000, scratch_mem + 0xA8);
	// Second is 0x06, third is 0x11
	__raw_writel(0x00060011, scratch_mem + 0xAC);
	// Fourth is 0x11
	__raw_writel(0x00000011, scratch_mem + 0xB0);

	// software reset
	__raw_writel(0x04, global_reg_prm + 0x50);

	return 0;
}
<br />
</pre><br />
Here is an archive with the compiled module and Motorola's mbmloader: [[File:Boot_from_sd.gz]]<br />
<br />
=== Put all of them together ===<br />
# Copy the module 2ndboot_mmc_usb.ko to the root of the SD card, where MLO was copied.<br />
# Run the command: insmod /sdcard/2ndboot_mmc_usb.ko<br />
<br />
Your phone's screen should go black and the phone should reboot successfully if your MLO file is OK. <br />
If you remove the MLO file from the SD card and load the module again, your phone should be in an infinite loop of attempts to boot from the SD card (unsuccessful) and from USB, so your computer should see USB enumeration attempts every 3-4 seconds. You can "fix" your phone from that state only by removing the battery (or maybe you can try to upload some mbmloader through USB, but it should be signed by Motorola).<br />
<br />
== Why all of this? ==<br />
<br />
We can try to load a modified mbmloader and see what effect it has, without flashing the phone. For example, you can try to change CHSETTINGS, because it's not signed.<br />
Also, we can try to break the RSA checks in some way.<br />
<br />
== Follow-up of the process ==<br />
<br />
Although no third-party tester has been able to reproduce booting from MLO on the Milestone, it has been confirmed (by another user, Nothize, not the original writer SergeyZH) that on Windows, Control Panel -> System -> Hardware -> Device Manager can be used to monitor the USB enumeration after the phone has entered the software boot device list state.<br />
<br />
A standalone module based on the code above has been written to try boot lists of three 0x11 (HS USB) entries and of one 0x11 entry, respectively, and the USB enumeration responses are consistent with these two lists.<br />
<br />
For the MLO and USB boot settings, refer to the ROM code memory and peripheral booting guide.</div>Nothizehttp://droid-developers.org/wiki/Application_Processor_Boot_ROMApplication Processor Boot ROM2011-03-22T20:07:50Z<p>Nothize: Added power up reason.</p>
<hr />
<div>= Booting Flow =<br />
<br />
[[File:Omap_bootrom_boot.png]]<br />
<br />
= ROM table =<br />
<br />
The DAP (Debug Access Port, see CoreSight manual) provides an internal ROM table connected to the master Debug APB port of<br />
the APB-Mux. The Debug ROM table is loaded at address 0x00000000 and 0x80000000<br />
of this bus and is accessible from both APB-AP and the system APB input. Bit [31] of<br />
the address bus is not connected to the ROM Table, ensuring that both views read the<br />
same value. The ROM table stores the locations of the components on the Debug APB.<br />
See the CoreSight Architecture Specification for more information.<br />
The ROM table has a standard APB interface except for the exclusion of<br />
'''PWRITEDBG''' and '''PWDATADBG'''. All transfers are assumed to be reads. The ROM<br />
table is a read-only device and writes are ignored.<br />
<br />
== ROM table registers ==<br />
<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
! Offset<br />
! Type<br />
! Bits<br />
! Name<br />
! Function<br />
|-<br />
| 0xFDC<br />
| -<br />
| [7:0]<br />
| Peripheral ID7<br />
| Reserved SBZ. Read as 0x00.<br />
|-<br />
| 0xFD8<br />
| -<br />
| [7:0]<br />
| Peripheral ID6<br />
| Reserved SBZ. Read as 0x00.<br />
|-<br />
| 0xFD4<br />
| -<br />
| [7:0]<br />
| Peripheral ID5<br />
| Reserved SBZ. Read as 0x00.<br />
|-<br />
| 0xFD0<br />
| RO<br />
| [7:4]<br />
| Peripheral ID4<br />
| 4KB count, set to 0x0.<br />
|-<br />
| 0xFD0<br />
| RO<br />
| [3:0]<br />
| Peripheral ID4<br />
| JEP106 continuation code, implementation defined.<br />
|-<br />
| 0xFEC<br />
| RO<br />
| [7:4]<br />
| Peripheral ID3<br />
| RevAnd, at top level, implementation defined.<br />
|-<br />
| 0xFEC<br />
| RO<br />
| [3:0]<br />
| Peripheral ID3<br />
| Customer Modified, implementation defined.<br />
|-<br />
| 0xFE8<br />
| RO<br />
| [7:4]<br />
| Peripheral ID2<br />
| Revision number of Peripheral, implementation defined.<br />
|-<br />
| 0xFE8<br />
| RO<br />
| [3]<br />
| Peripheral ID2<br />
| 1 = indicates that a JEDEC assigned value is used. 0 = indicates that a JEDEC assigned value is not used.<br />
|-<br />
| 0xFE8<br />
| RO<br />
| [2:0]<br />
| Peripheral ID2<br />
| JEP106 Identity Code [6:4], implementation defined.<br />
|-<br />
| 0xFE4<br />
| RO<br />
| [7:4]<br />
| Peripheral ID1<br />
| JEP106 Identity Code [3:0], implementation defined.<br />
|-<br />
| 0xFE4<br />
| RO<br />
| [3:0]<br />
| Peripheral ID1<br />
| PartNumber1, implementation defined.<br />
|-<br />
| 0xFE0<br />
| RO<br />
| [7:0]<br />
| Peripheral ID0<br />
| PartNumber0, implementation defined.<br />
|-<br />
| 0xFF0<br />
| RO<br />
| [7:0]<br />
| Component ID0<br />
| Preamble. Set to 0x0D.<br />
|-<br />
| 0xFF4<br />
| RO<br />
| [7:0]<br />
| Component ID1<br />
| Preamble. Set to 0x10.<br />
|-<br />
| 0xFF8<br />
| RO<br />
| [7:0]<br />
| Component ID2<br />
| Preamble. Set to 0x05.<br />
|-<br />
| 0xFFC<br />
| RO<br />
| [7:0]<br />
| Component ID3<br />
| Preamble. Set to 0xB1.<br />
|}<br />
<br />
The ROM table has a specific PrimeCell class. In all registers 0xFD0-0xFFC, bits [31:8]<br />
are reserved and should be read as zero. Locations 0xF00-0xFCC are reserved and should<br />
be read as zero.<br />
<br />
== ROM table entries ==<br />
<br />
The table shows the bit assignments for each ROM table entry in the<br />
0x000-0xEFC region:<br />
<br />
{| border="1" cellpadding="0" cellspacing="0" style="border: 1px solid #cccccc;"<br />
! Bits<br />
! Name<br />
! Description<br />
|-<br />
| [31:12]<br />
| Address offset<br />
| Base address of the component, relative to the ROM address. Negative values are permitted using two's complement. ComponentAddress = ROMAddress + (AddressOffset SHL 12).<br />
|-<br />
| [11:2]<br />
| none<br />
| Reserved SBZ.<br />
|-<br />
| [1] <br />
| Format <br />
| 1 = 32-bit format. In the DAP Debug ROM this is set to 1. 0 = 8-bit format.<br />
|-<br />
| [0]<br />
| Entry present<br />
| Set HIGH to indicate an entry is present.<br />
|}<br />
<br />
<br />
The last entry in the ROM table has the value 0x00000000, which is reserved. If the<br />
CoreSight component occupies several consecutive 4KB blocks, the base address of the<br />
lowest block in memory is given. The locations of components are stored in sequential<br />
locations with the ROM table. The entry following the last component in the table must<br />
read 0x00000000, and subsequent locations are assumed to read as zero.<br />
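<br />
A decoder for the entry layout described above, as an added example that is not part of the original wiki page. The names rom_decode, rom_walk and walk_sample and the table words are constructed for illustration; 0x80000000 is one of the two table addresses given earlier on this page.<br />

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ROM_ENTRY_REGION 0xF00u /* entries occupy offsets 0x000-0xEFC */

struct rom_entry {
    int      present;   /* bit [0]: entry present */
    int      format32;  /* bit [1]: 1 = 32-bit format, 0 = 8-bit format */
    int      sbz_ok;    /* bits [11:2] are reserved SBZ and read as zero */
    int32_t  offset;    /* bits [31:12], sign-extended, in 4KB units */
    uint32_t component; /* ROMAddress + (AddressOffset SHL 12) */
};

/* Decode one 32-bit ROM table entry relative to the table's own address. */
struct rom_entry rom_decode(uint32_t rom_base, uint32_t raw)
{
    struct rom_entry e;
    uint32_t field = raw >> 12; /* 20-bit two's complement offset */

    e.present  = (int)(raw & 1u);
    e.format32 = (int)((raw >> 1) & 1u);
    e.sbz_ok   = (raw & 0x00000FFCu) == 0;
    e.offset   = (field & 0x80000u) ? (int32_t)field - 0x100000 : (int32_t)field;
    /* Unsigned addition wraps modulo 2^32, which handles negative offsets. */
    e.component = rom_base + (raw & 0xFFFFF000u);
    return e;
}

/* Collect the component addresses of all present entries. The walk stops at
 * the first 0x00000000 word; the return value may exceed cap. */
size_t rom_walk(uint32_t rom_base, const uint32_t *table, size_t nwords,
                uint32_t *out, size_t cap)
{
    size_t found = 0, limit = ROM_ENTRY_REGION / 4;

    if (nwords < limit)
        limit = nwords;
    for (size_t i = 0; i < limit; i++) {
        struct rom_entry e;

        if (table[i] == 0)
            break; /* end-of-table marker */
        e = rom_decode(rom_base, table[i]);
        if (!e.present || !e.sbz_ok)
            continue; /* not present, or reserved bits set */
        if (found < cap)
            out[found] = e.component;
        found++;
    }
    return found;
}

/* Constructed sample table (not read from hardware). */
static const uint32_t SAMPLE_TABLE[] = {
    0x00001003u, /* present, offset +1 -> 0x80001000 */
    0xFFFFF003u, /* present, offset -1 -> 0x7FFFF000 */
    0x00002002u, /* present bit clear: skipped */
    0x00000000u, /* terminator */
    0x00003003u, /* after the terminator: never reached */
};
static uint32_t FOUND[4];

size_t walk_sample(void)
{
    return rom_walk(0x80000000u, SAMPLE_TABLE,
                    sizeof SAMPLE_TABLE / sizeof SAMPLE_TABLE[0], FOUND, 4);
}

int main(void)
{
    size_t n = walk_sample();

    for (size_t i = 0; i < n && i < 4; i++)
        printf("component at 0x%08X\n", (unsigned)FOUND[i]);
    return 0;
}
```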
<br />
<br />
= Public part of Application Boot ROM =<br />
<br />
== Interesting concurrency loop ==<br />
<br />
It was eventually found that in '''do_something_with_mmc@40016f88''', a short loop expects memory to be changed by external means.<br />
<br />
R4 is never updated in the loop '''loc_ROM_40016FC0''', but the logic that follows expects '''[R4+0x130]''' to change. So it is suspected that there is multi-threaded operation, or parallel operation with another processor such as a DSP.<br />
<br />
Since concurrency could be tricky, loops with this pattern should be found and further analysed.<br />
<br />
<pre><br />
40016FC0 loc_ROM_40016FC0 ; CODE XREF: do_something_with_mmc+3E↓j
40016FC0 ; do_something_with_mmc+4A↓j
40016FC0 00C D4 F8 30 21 LDR.W R2, [R4,#0x130] ; Load from Memory<br />
40016FC4 00C 00 2A CMP R2, #0 ; Set cond. codes on Op1 - Op2<br />
40016FC6 00C FB D0 BEQ loc_ROM_40016FC0 ; Branch<br />
40016FC6<br />
40016FC8 00C 15 04 LSLS R5, R2, #0x10 ; Logical Shift Left<br />
40016FCA 00C 01 D5 BPL loc_ROM_40016FD0 ; Branch<br />
40016FCA<br />
40016FCC 00C 01 20 MOVS R0, #1 ; Rd = Op2<br />
40016FCE 00C 30 BD POP {R4,R5,PC} ; Pop registers<br />
40016FCE<br />
40016FD0 ; ---------------------------------------------------------------------------<br />
40016FD0<br />
40016FD0 loc_ROM_40016FD0 ; CODE XREF: do_something_with_mmc+42↑j
</pre><br />
<br />
Comment: in this example, '''LDR.W R2, [R4,#0x130]''' really reads not from memory but from the registers of the MMC peripheral, so it can change as the state of that peripheral changes. But there are also IRQ handlers that interrupt the main thread and perform some actions that can change memory.<br />
<br />
=== How to locate this kind of loop? ===<br />
<br />
# Open rom3.idb, set "number of opcode bytes" to 4, then copy all the text and save it as a text file.<br />
# Use this regular expression to locate short loops (adjust the parameters as necessary):<br />
<br />
<pre>grep -B 6 -E "[0-9]{3} F. D." rom3.txt</pre><br />
<br />
=== Sample snippet grep'ed ===<br />
<br />
<pre><br />
400144DE 000 01 61 STR R1, [R0,#0x10]<br />
400144DE<br />
400144E0<br />
400144E0 loc_ROM_400144E0<br />
400144E0 000 41 69 LDR R1, [R0,#0x14]<br />
400144E2 000 C9 07 LSLS R1, R1, #0x1F<br />
400144E4 000 FC D0 BEQ loc_ROM_400144E0<br />
--<br />
400145F8 004 81 40 LSLS R1, R0<br />
400145F8<br />
400145FA<br />
400145FA loc_ROM_400145FA<br />
400145FA 004 50 6D LDR R0, [R2,#0x54]<br />
400145FC 004 08 42 TST R0, R1<br />
400145FE 004 FC D0 BEQ loc_ROM_400145FA<br />
--<br />
</pre><br />
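<br />
The same search done by decoding the branch instead of matching its bytes, as an added example that is not part of the original wiki page. It goes beyond the grep: it decodes the 16-bit Thumb conditional branch, computes its target, and reports only short backward branches whose loop body contains a load. MAX_SPAN, HISTORY and all function names are assumptions; the listing lines are copied from the snippets above.<br />

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SPAN 16u /* assumption: a "short" loop spans at most 16 bytes */
#define HISTORY  8u  /* instructions remembered before each branch */
struct insn { uint32_t addr; int is_load; };

/* Lines copied from the listings on this page: ADDR SPD BYTES MNEMONIC ... */
static const char *const LISTING[] = {
    "400144E0 loc_ROM_400144E0",
    "400144E0 000 41 69 LDR R1, [R0,#0x14]",
    "400144E2 000 C9 07 LSLS R1, R1, #0x1F",
    "400144E4 000 FC D0 BEQ loc_ROM_400144E0",
    "400145FA 004 50 6D LDR R0, [R2,#0x54]",
    "400145FC 004 08 42 TST R0, R1",
    "400145FE 004 FC D0 BEQ loc_ROM_400145FA",
    "40016FC0 00C D4 F8 30 21 LDR.W R2, [R4,#0x130]",
    "40016FC4 00C 00 2A CMP R2, #0",
    "40016FC6 00C FB D0 BEQ loc_ROM_40016FC0",
    "40016FCA 00C 01 D5 BPL loc_ROM_40016FD0", /* forward branch, not a loop */
};
#define NLINES (sizeof LISTING / sizeof LISTING[0])
static uint32_t SAMPLE[8]; /* loop targets found in LISTING */

/* An opcode byte in the listing is a token of exactly two hex digits. */
static int is_byte_tok(const char *t)
{
    return strlen(t) == 2 && isxdigit((unsigned char)t[0]) && isxdigit((unsigned char)t[1]);
}

/* Returns 1 and fills addr, first halfword and mnemonic for instruction lines. */
static int parse_line(const char *line, uint32_t *addr, uint16_t *hw,
                      char *mnem, size_t mlen)
{
    char buf[160], *tok[8], *end;
    size_t n = 0, i;

    snprintf(buf, sizeof buf, "%s", line);
    for (char *t = strtok(buf, " \t"); t && n < 8; t = strtok(NULL, " \t"))
        tok[n++] = t;
    if (n < 5 || !is_byte_tok(tok[2]) || !is_byte_tok(tok[3]))
        return 0; /* label, comment or separator line */
    *addr = (uint32_t)strtoul(tok[0], &end, 16);
    if (*end != '\0')
        return 0;
    /* Thumb halfwords are little-endian: the first listed byte is the low byte. */
    *hw = (uint16_t)(strtoul(tok[2], NULL, 16) | (strtoul(tok[3], NULL, 16) << 8));
    for (i = 4; i < n && is_byte_tok(tok[i]); i++)
        ; /* skip the second halfword of a 32-bit encoding such as LDR.W */
    snprintf(mnem, mlen, "%s", i < n ? tok[i] : "");
    return 1;
}

/* Stores the target of each short backward B<cond> whose body holds a load; may return > cap. */
size_t find_poll_loops(const char *const *lines, size_t nlines,
                       uint32_t *out, size_t cap)
{
    struct insn hist[HISTORY];
    size_t nh = 0, found = 0;

    for (size_t i = 0; i < nlines; i++) {
        uint32_t addr, target;
        uint16_t hw;
        char mnem[16];
        int32_t imm;
        int polls = 0;

        if (!parse_line(lines[i], &addr, &hw, mnem, sizeof mnem))
            continue;
        /* 16-bit B<cond>: 1101 cccc iiiiiiii; cccc 0xE and 0xF are not branches. */
        if ((hw & 0xF000u) == 0xD000u && ((hw >> 8) & 0xFu) < 0xEu) {
            imm = (hw & 0x80u) ? (int32_t)(hw & 0xFFu) - 0x100 : (int32_t)(hw & 0xFFu);
            target = (uint32_t)((int64_t)addr + 4 + imm * 2);
            for (size_t k = 0; k < nh && k < HISTORY; k++)
                if (hist[k].addr >= target && hist[k].addr < addr && hist[k].is_load)
                    polls = 1; /* a load inside the loop body */
            if (target <= addr && addr - target <= MAX_SPAN && polls) {
                if (found < cap)
                    out[found] = target;
                found++;
            }
        }
        hist[nh % HISTORY].addr = addr;
        hist[nh % HISTORY].is_load = strncmp(mnem, "LDR", 3) == 0;
        nh++;
    }
    return found;
}

size_t scan_sample(void) { return find_poll_loops(LISTING, NLINES, SAMPLE, 8); }

int main(void)
{
    size_t n = scan_sample();
    for (size_t i = 0; i < n && i < 8; i++)
        printf("polling loop at 0x%08X\n", (unsigned)SAMPLE[i]);
    return 0;
}
```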
<br />
= Secure part of Application Processor Boot ROM =<br />
<br />
Impossible to dump: it is fully hardware-implemented in the Cortex-A8 core. It is used by some handlers in BootROM/mbmloader for SVC/SMC calls, and by some wrappers for secure coprocessor operations.<br />
<br />
= Power up reason =<br />
<br />
The boot ROM passes the power-up reason via an ATAG. This information can be found in two places: 1) dmesg; 2) /proc/bootinfo.<br />
<br />
See bootinfo.h for the interpretation of the power up reason:<br />
<pre><br />
#define PU_REASON_USB_CABLE        0x00000010 /* Bit 4  */
#define PU_REASON_FACTORY_CABLE    0x00000020 /* Bit 5  */
#define PU_REASON_PWR_KEY_PRESS    0x00000080 /* Bit 7  */
#define PU_REASON_CHARGER          0x00000100 /* Bit 8  */
#define PU_REASON_POWER_CUT        0x00000200 /* Bit 9  */
#define PU_REASON_SW_AP_RESET      0x00004000 /* Bit 14 */
#define PU_REASON_WDOG_AP_RESET    0x00008000 /* Bit 15 */
#define PU_REASON_AP_KERNEL_PANIC  0x00020000 /* Bit 17 */
</pre><br />
<br />
[[Category:Booting Chain]]</div>Nothizehttp://droid-developers.org/wiki/2ndboot2ndboot2010-10-04T06:47:11Z<p>Nothize: Added usbmon method.</p>
<hr />
<div>=== Overview ===<br />
<br />
This is a bootloader that can boot a custom boot image even though droid-family phones have a locked bootloader. <br />
<br />
It consists of:<br />
* a small kernel module that creates a device for booting and controlling the boot<br />
* a small userspace program that passes the boot image and flags to the module <br />
* a universal bootloader that can use many places for booting<br />
<br />
It's derived from the collaborative work of '''yakk''' and '''dimichxp''' on a bootloader for older Motorola phones,<br />
before their RSA was cracked.<br />
<br />
This project has now been ported to the Milestone hardware and can fully boot a custom kernel, except for the baseband part.<br />
<br />
Here you can find current development sources of 2ndboot: [http://bitbucket.org/droiddev/2ndboot/overview]<br />
<br />
See published binaries: [http://www.droid-developers.org/files/2ndboot.rar here (build number 1.03)] and [http://www.droid-developers.org/files/uploads/kern0231.rar here (build number 2.31)].<br />
<br />
Developing 2ndboot and a custom bootloader/kernel also requires debugging over the serial port: [[Debugging]]<br />
<br />
=== Download ===<br />
<br />
hg clone http://hg.droid-developers.org/2ndboot<br />
<br />
=== Compilation ===<br />
<br />
# You need the kernel sources from Motorola<br />
# You need a special ARM toolchain<br />
# Build your 2ndboot module<br />
<br />
You can find all the information about compiling the kernel, toolchain and 2ndboot [[Compiling | here]]<br />
<br />
=== Progress ===<br />
<br />
Latest attempt: '''Yakk''' patched 2nd-boot to make it work on the Milestone, but his source code remains partly unpublished at this time. Status: it boots another kernel, which Yakk has also patched to get serial output over the USB connector (using custom hardware to connect to it). Currently the booted kernel has some problems with USB and fails to initialize the phone's modem, so it crashes. See published code and binaries: [http://www.droid-developers.org/files/2ndboot.rar here (build number 1.03)] and [http://www.droid-developers.org/files/uploads/kern0231.rar here (build number 2.31)]. All current development of 2ndboot is now happening [http://hg.droid-developers.org/droiddev/2ndboot here]. When GSM is disabled, this kexec module is able to boot the system with the recompiled kernel, but it is not really useful as a phone then. WiFi works fine, though. Yakk is now trying to use 2ndboot to start a patched version of mbm, which should be able to initialize the modem and then pass control to a custom Linux kernel. This is still under development, so don't get too excited. We'll keep you posted.<br />
<br />
== Further testing ==<br />
<br />
=== USB Monitoring ===<br />
<br />
<pre><br />
mount -t debugfs none_debugs /sys/kernel/debug<br />
cat /sys/kernel/debug/usbmon/1t<br />
</pre></div>Nothize