|
Announce: Open Source Cold Flasher for RX51
1 Attachment(s)
Cold-flashing is process to flash NOLO bootloader when bootloader in RX51 is damaged - when normal flashing not working.
I successfully patched pusb (from omap-u-boot-utils) to send 2nd x-loader image to RX51. This was easy because protocol is same as for omap3 TI borard - only double ASIC ID reading does not working on RX51, which caused error. I sent pusb patch for upstreaming, my post with patch is here: http://groups.google.com/group/beagl...3f2a446f36b2c6 Next part sending NOLO (secondary image) is difficult. This is handled by Nokia X-Loader, so other TI boards does not use it. I patched libusb.so library + using ltrace to debug how flasher-3.5 cold-flashing. I spend one day with this and here is result: Open Source program for cold-flashing Nokia N900. Program working fine (with my N900)... Program has code for flashing x-loader and nolo too, so pusb is not needed. Sorce code is attached (file cold-flasher-rx51.c) EDIT: Now magic 8 bytes is not secret :D First 4 bytes is CRC32 checksum of file and second 4 bytes is CRC32 checksum of message. Why Nokia implemented 4bytes checksum of 12bytes message?? Source code is updated and now open source cold flashing is complete :) EDIT: Info - How is Cold-Flashing implemented: Cold-Flashing is devided into two parts: 1. Sending 2nd X-Loader image 2. Sending Secondary NOLO image 1. For sending 2nd X-Loader image over USB bus is used standard OMAP mehod (reply to ASIC ID message). This is specified in "OMAP35X Technical Reference Manual" (spruf98u.pdf) section 25.4.5 Peripheral Booting. One of working OSS implementation is pusb tool (part of omap-u-boot-utils) with small patch here. 2. When 2nd X-Loader image is received by Omap BootROM it is automatically executed. Flasher tool must wait until X-Loader inilialize USB bus and is ready for next flashing. Checking if X-Loader is ready can be done by X-Loader ping message. Answer is 4 bytes message. When X-Loader is ready, flashing process is started by X-Loader init message and after that is NOLO image itself. When X-Loader receive NOLO image, it automatically start boot it. X-Loader message struct: 0-3 byte - type 4-7 byte - size of image (low endian) 8-11 byte - crc32 of image 12-15 byte - crc32 of 0-11 byte of this X-Loader message Ping X-Loader message has type (uint32_t)(0x6301326E), size and first crc32 is 0x00000000. Init X-Loader message has type (uint32_t)(0x6302326E), size and first crc32 belongs to secondary image (which will be send) Sending over USB bus is done by libusb library (functions usb_blk_read, usb_blk_write), see pusb tool. EDIT: Cold flasher is now part of 0xFFFF open source flasher. Look here: http://talk.maemo.org/showthread.php?t=87996 |
Re: Announce: Open Source Cold Flasher for RX51
Possible to replace NOLO with U-Boot or such?
|
Re: Announce: Open Source Cold Flasher for RX51
Quote:
And of course if somebody generate that 8 bytes... |
Re: Announce: Open Source Cold Flasher for RX51
Wow pali, you are keeping busy! I'm subscribing to this thread. Wish I could do more than that, but I hope you get the help you need!
|
Re: Announce: Open Source Cold Flasher for RX51
Couldn't it be some kind of checksum of the to be sent nolo secondary image?
Just my 2 cents. Ciao |
Re: Announce: Open Source Cold Flasher for RX51
BTW: you should change all occurrences of "responce" in the .c file to "response".
|
Re: Announce: Open Source Cold Flasher for RX51
Quote:
Quote:
sorry for my bad english :) |
Re: Announce: Open Source Cold Flasher for RX51
LD_PRELOAD library is in first post
|
Re: Announce: Open Source Cold Flasher for RX51
What is the exact name for the snd.bin and secondary.bin ?
I unpacked the rx-51 rootfs image, but there are many 2nd.bin-RX-51.XXXX and secondary.bin-RX-51:XXX files. Nicolai |
Re: Announce: Open Source Cold Flasher for RX51
Quote:
You need to use that which is for your N900 HW revision (that XXXX). If you do not know your HW revision, run flasher-3.5 -i (it write it) |
Re: Announce: Open Source Cold Flasher for RX51
Hardware revision 2101
NOLO version 1.4.14 Magic 8 byte sequence is: 0x3F 0x27 0xF5 0xE9 0xCA 0x06 0xE2 0x28 |
Re: Announce: Open Source Cold Flasher for RX51
Quote:
You can see this hardcoded in my cold flasher. Also I have this: HW rev 2101 NOLO version 1.4.13 0xA5, 0xE4, 0xD3, 0x2D, 0x9E, 0xAA, 0x21, 0x36 |
Re: Announce: Open Source Cold Flasher for RX51
Generating last 8 bytes of meesage was disassembled and decrypted :) See first post with updated my flasher tool - now it is complete :)
|
Re: Announce: Open Source Cold Flasher for RX51
Please provide non-code documentation on the entire procedure. Your own flasher is now tainted and can be argued to be copyright infringement. By documenting the process in English, someone else can implement it cleanly.
|
Re: Announce: Open Source Cold Flasher for RX51
@Pali: Please forgive my ignorance, but what is the implication of this project of yours? Does it mean we can revive otherwise dead N900s due to bad flashing? Or is there a bigger implication to this?
Perhaps we can now flash anything we want into the N900? |
Re: Announce: Open Source Cold Flasher for RX51
Quote:
We don't have to use now-UNMAINTAINED flasher made by Nokia. May make it easier to reflash under newer OSes. Most stuff is handled in NOLO, but that's another high-priority project. Right now, I guess it would be cool if we could reflash rootfs and emmc using this tool. |
Re: Announce: Open Source Cold Flasher for RX51
Don't bother with flashing rootfs/eMMC. Just get it able to load and boot a kernel (using the clean-room reverese engineering I already suggested). From there, we can make minimal Linux builds that flash rootfs/eMMC over some standard protocol. So the process would be (all internal to the tool): load minimal-kernel, boot it, then have it reflash the rootfs/eMMC intelligently (it could even optionally preserve repartitioning, by formatting and mounting the target filesystem itself!).
|
Re: Announce: Open Source Cold Flasher for RX51
Quote:
Quote:
It would be good if we start improving 0xFFFF project (add this cold flashing...) |
Re: Announce: Open Source Cold Flasher for RX51
Hmm, isn't the function of ape-algo in Harmattan is a small Linux system to flash the OS (apparently supplanting functions provided by NOLO)? IIRC cmt-algo in Fremantle is similar.
|
Re: Announce: Open Source Cold Flasher for RX51
I do not know what is ape-algo or cmt-algo...
|
Re: Announce: Open Source Cold Flasher for RX51
Apparently it's a Linux kernel that serves one purpose: flash files.
|
Re: Announce: Open Source Cold Flasher for RX51
Quote:
|
Re: Announce: Open Source Cold Flasher for RX51
Excellent :-) Does this have any relevance to OMAP2 devices?
|
Re: Announce: Open Source Cold Flasher for RX51
Quote:
|
Re: Announce: Open Source Cold Flasher for RX51
Quote:
|
Re: Announce: Open Source Cold Flasher for RX51
Pali, since the time I first notice you being active in this forum you have got power-kernel out of unmaintained limbo, made it vastly more feature-complete, got open getbootstate backported to Maemo 5, and have near as I can tell started updating bootmenu and uboot as well. And now this.
Where do I click to shower you with donation money? |
Re: Announce: Open Source Cold Flasher for RX51
Now this open source cold flasher is part of new 0xFFFF, see: http://talk.maemo.org/showthread.php?t=87996
|
| All times are GMT. The time now is 01:12. |
vBulletin® Version 3.8.8