03-18-2012, 04:58 PM   #1
geekmaster
boot kindle from kernel image on USB drive

This thread was created in response to the following IRC request:
14:22 < nueva> geekmstr: will you post to mobileread about kexec?

The news is that multiple people (including nueva and geekmaster) have successfully booted a custom Linux kernel on our Kindle Touch from an SSH shell, by using the kexec program to load a diags kernel image file from the USB drive and to boot the Kindle from it.

The information provided here includes a "cleaned up" IRC transcript, serial port status messages captured during a kexec kernel boot, and other files from links provided by nueva and geekmaster.

IRC Transcript:
Code:
----- Tue Feb 28 2012 -----
15:15 : nueva    : looks like KT kernel is compiled with CONFIG_KEXEC=y
15:19 : nueva    : wondering, is it enough to load new kernel from FS by invoking
kexec in /sbin/init?
17:58 : nueva    : after some googling I've realized that there is a good chance of
working kexec on stock KT kernel. I've downloaded kexec executable from Debian archive
(kexec-tools package for armel arch) and it is showing help just fine on KT
17:58 : nueva    : anybody has a compiled kernel of KT?
18:00 : nueva    : ah, ok. I can dd'ing stock kernel by myself from /dev/mmcblk0 to
file
18:01 : nueva    : geekmstr: I believe you know how to do it. ^^ do you?
18:01 : nueva    : can you help with starting offset of kernel and its length?
18:17 : geekmstr : I ripped the stock kernels (main and diags) out of my mmcblk0.img
backup. Do you want them? I need a SPECIAL uboot compile that does not overwrite them
with the mmc copy when it boots though...
18:22 : geekmstr : Stock kernels start at 0x41000 (main) and 0xe41000 (diags). The 4th
dword is the kernel length, but you need to add 0x80 to that (to compensate for the
flash header). You can see that there are usually many 0xff past the end of the image
block. And do not dd more than bs=1024 out of it or you might lose the last partial
block (depending on default dd options)...
18:25 : nueva    : could you upload diag kernel somewhere?
18:27 : geekmstr : I make .tar.gz (diags_kernel.img.tgz).
18:28 : geekmstr : 2.4 MB
18:35 : geekmstr : http://www.mediafire.com/?91e9rcsfy59y1ur
18:44 : nueva    : ok. got the file. thanks. I asked for diag kernel, because if kexec
will be successful, I'll reload into a diag mode which will be distinctive sign of
success
18:44 : nueva    : do you have also an init string for diag kernel?
18:51 : nueva    : found init string in /proc/cmdline, thanks
18:53 : nueva    : is diag partition /dev/mmcblk0p3 ?
18:53 : geekmstr : p3 is /var/local
18:53 : nueva    : oh shit :D
18:55 : nueva    : no, there was /dev/mmcblk0p1 as root defined in init string and
I've changed it to /dev/mmcblk0p3 :)
18:55 : geekmstr : That init string was not diags. Diags may use different params.
18:56 : nueva    : it was stuck but after a hard reset it is rebooted (into a main
mode) just fine
19:00 : nueva    : ok, no success even with /dev/mmcblk0p2. it stuck on image with
tree on some time then rebooted into a main mode automatically. I guess you are right
and I need real init string for diag mode.
19:13 : geekmstr : consoleblank=0 rootwait ro ip=off root=/dev/mmcblk0p2 quiet
user_debug=31 eink=fslepdc video=mxcepdcfb:E60,bpp=8 console=ttymxc0,115200
19:13 : geekmstr : diags cmdline ^^^
19:14 : nueva    : thanks, will try
19:24 : nueva    : no success, though kexec executes without any error (I mean,
'kexec' program doesn't complains about anything). I hope that these fails are just
because my lack of knowledge
19:25 : geekmstr : according to yifanlu, the kindle resets the kernel cmdline.
changing does not work...
19:40 : nueva    : looks like stock kernel at least reacts to kexec invoking. I see in
log messages "Starting new kernel" and "Bye!".
20:07 : Nyoxi    : no luck with the kexec I see
20:13 : Nyoxi    : nueva: did you specify where is initrd somehow?
20:13 : nueva    : aha. first attempts were failed. no explicit errors though, so
there is still a chance
20:13 : nueva    : no, I didn't
20:15 : Nyoxi    : nueva: what are the ways of passing initrd to the kernel?
20:15 : Nyoxi    : and I assume after the kexec fails for you, you have to restart,
right?
20:16 : nueva    : there is an option in kexec tool for pointing to initrd
20:16 : Nyoxi    : as a file?
20:18 : nueva    : no, I didn't have to restart. it's restarted automatically. and (by
looking into logs) it didn't restart from the kernel loading, it proceeds straight to
displaying progress bar within image with tree
20:19 : nueva    : yes, one could point to initrd file
20:20 : Nyoxi    : you got just the kernel image from geekmstr or the beginning of
mmcblk0 as a whole?
20:21 : nueva    : again, there were no signs of fail from kexec (no error messages on
stdout/stderr, no error messages in logs, nothing).
20:21 : Nyoxi    : I can tell you how to get the initrd out of there
20:21 : Nyoxi    : hmm, but you have diag kernel, right?
20:21 : Nyoxi    : I don't know the offset for diag, only for main kernel :/
20:22 : Nyoxi    : I guess somebody will have to read more about kexec
20:22 : nueva    : got the kernel image, as far as I could see (there is a string with
kernel version at offset 0x20 in file)
20:23 : nueva    : yes, it's a diag kernel (according to geekmstr)
20:24 : Nyoxi    : maybe it's on the same offset, can you show what's around the
address 0x18f00 ?
20:26 : Nyoxi    : no, the offset is different for diag :/
20:28 : Nyoxi    : 00190a0
20:34 : Nyoxi    : and the size is 984064 bytes
20:36 : geekmstr : diag_kernel @ 0xe41000
20:36 : geekmstr : main kernel @ 0x41000
20:37 : Nyoxi    : this is initrd in the kernel
20:37 : Nyoxi    : 0xe41000 + 0x00190a0 is diags initrd
20:38 : geekmstr : Not sure about partition image though, maybe that length includes
initrd...
20:38 : Nyoxi    : apparently the length specified in kernel header includes the
initrd
20:39 : geekmstr : how big was that image I sent? enough to contain initrd? otherwise
I need to clip that out of mmcblk0 also...
20:39 : Nyoxi    : because for diags the offset 0x190a0 is 102560 in dec, and the
reported length of kernel is 5122560 bytes
20:42 : geekmstr : yes... diags_kernel.img
20:43 : geekmstr : The flash header at the front says how long it is. Also contains
CRC that is only valid if it never changes.
21:18 : nueva    : successfully booted to diag mode through kexec'ing of geekmstr's
diag kernel
21:19 : nueva    : the key was in explicit defining of kernel image type
'--type=uImage'
21:19 : geekmstr : awesome!
21:20 : geekmstr : how did you set type? in kexec?
21:20 : geekmstr : need simple step-by-step instruction for a noob (me) ;-)
21:20 : nueva    : yes, there is an option of kexec
21:21 : geekmstr : how do you launch kexec? ssh?
21:22 : nueva    : yes through ssh
21:26 : nueva    : trying to repeat the result... crossing fingers :)
21:27 : nueva    : no success :( but why? i didn't change the script which has been
run...
21:36 : nueva    : ok, that's pretty strange. when KT is charged with USB wall
charger, it kexec's into diag mode fine (within 3-5 seconds after starting kexec).
when it's disconnected from wall outlet, it gets stuck at image with tree for minute
or so and then it's rebooted into main mode
21:37 : nueva    : here is script for kexec'ing http://pastebin.com/AHTS5Qez
21:39 : geekmstr : got it.
21:41 : nueva    : here is kexec binary extracted from Debian armel package
http://ge.tt/3xjysLE/v/0?c
21:41 : geekmstr : To load a kernel with MfgTool, the default name is "uImage".
21:42 : geekmstr : oh, I was scrolled up looking at cmdline. It matches the script.
21:43 : nueva    : yes, it is that, copied cmdline
21:45 : nueva    : ok, it's not 3-5, it's 7-10 seconds for kexec'ing to diag. there
will be an image with tree for second or two and after it -- diag mode
21:58 : nueva    : kexec'ing works even without explicit defining of kernel image type
(without '--type' option). the key was charging through wall charger.
21:59 : geekmstr : I have seen most weird behavior because of system switching to "low
power mode".
21:59 : nueva    : when Kindle is charging, kexec'ing works
22:00 : geekmstr : Most recovery efforts fail because of low battery. Much success
after charging.
22:01 : nueva    : no, no. battery is almost fully charged. (95% or about so, looking
at battery icon)
22:02 : geekmstr : ?
22:02 : geekmstr : need to look at source code on that one...
22:02 : geekmstr : perhaps something to do with battery charging or low-power mode...
22:03 : nueva    : I'm pretty lucky too, to have found this out by accident :)
----- Tue Feb 28 2012 -----

Serial port capture during kexec kernel boot:
Code:
Starting new kernel
mxc_spi mxc_spi.0: can't setup spi1.0, status -22
mxc_spi mxc_spi.2: chipselect 0 already in use
2.6.31-rt11-lab126 #1 Thu Nov 3 11:23:28 PDT 2011 armv7l
INFO:Loaded module /lib/modules/eink_fb_waveform.ko  (35504 bytes)
INFO:Loaded module /lib/modules/mxc_epdc_fb.ko default_panel_hw_init=1 default_update_mode=1 (43336 bytes)
INFO:eink initialized... (486400 bytes)
Press [ENTER] for recovery menu...       0 /INFO:*** Partition table verified for /dev/mmcblk0 ***
INFO:Checking for updates... (auto-pilot mode)
/dev/mmcblk0p4:
CHS=4/16/105536 size=3458203648 bytes
flag type      first       last  lba first   lba size
Partition p1:
0x00 0x0b         16 <large>            16    6754288
    CHS: 0/1/1 - <large>
Partition p2:
Partition p3:
Partition p4:
INFO:Setup loop device /dev/loop0 for /dev/mmcblk0p4 + 8192
INFO:No update*.bin found; no update needed.
INFO:no updates found.
BOOTING DEFAULT.
  argc == 11
  argv[0]: "kinit"
  argv[1]: "consoleblank=0"
  argv[2]: "rootwait"
  argv[3]: "ro"
  argv[4]: "ip=off"
  argv[5]: "root=/dev/mmcblk0p2"
  argv[6]: "quiet"
  argv[7]: "user_debug=31"
  argv[8]: "eink=fslepdc"
  argv[9]: "video=mxcepdcfb:E60,bpp=8"
  argv[10]: "console=ttymxc0,115200"
  argc == 4
  argv[0]: "IP-Config"
  argv[1]: "-i"
  argv[2]: "Linux kinit"
  argv[3]: "ip=off"
IP-Config: no devices to configure
kinit: do_mounts
kinit: name_to_dev_t(/dev/mmcblk0p2) = dev(179,2)
kinit: root_dev = dev(179,2)
kinit: /dev/root appears to be a ext3 filesystem
kinit: trying to mount /dev/root on /root with type ext3
kinit: Mounted root (ext3 filesystem) readonly.
init started: BusyBox v1.17.1 (2011-11-03 11:08:48 PDT)
starting pid 477, tty '': '/etc/init.d/rcS'
/etc/init.d/rcS: line 85: boot_milestone: not found
system: I rcS:def:starting /etc/rcS.d/S50diags
USER=root
prevlevel=N
HOME=/
runlevel=S
eink=fslepdc
TERM=vt102
PATH=/sbin:/bin:/usr/sbin:/usr/bin
SHELL=/bin/sh
PWD=/
VERBOSE=no
READ_AHEAD=4
USER=root
prevlevel=N
HOME=/
runlevel=S
eink=fslepdc
TERM=vt102
PATH=/sbin:/bin:/usr/sbin:/usr/bin
SHELL=/bin/sh
PWD=/
VERBOSE=no
IO_SCHED=anticipatory
USER=root
prevlevel=N
HOME=/
runlevel=S
eink=fslepdc
TERM=vt102
PATH=/sbin:/bin:/usr/sbin:/usr/bin
SHELL=/bin/sh
PWD=/
VERBOSE=no
TMP_SIZE=32M
info firsttime:mount_rw:time=4430:Mounting root RW for first boot
ln: /usr/share/fonts/X11/misc/cursor.pcf: No such file or directory
info firsttime:mount_ro:time=4460:Mounting root RO
elevator: type  not found
info system:start:time=4530:
/etc/rcS.d/S50diags: line 462: f_proto: not found
info system:config:platform=yoshi,board=whitney,rev=20,proto=N,wifi=Y,wan=N:
info system:done:time=4830:
info zforce:start:version=2.0b0r12:
/etc/rcS.d/S50diags: line 462: iptables-restore: not found
/opt/ar6k/include/dbglog.h.save: No such file or directory
info userstore:run:time=5960,action=start:
info userstore:found_bootup_flag::Found BOOTUP flag file
dosfsck 2.11 (12 Mar 2005)
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Checking we can access the last sector of the filesystem
Boot sector contents:
System ID "mkdosfs"
Media byte 0xf8 (hard disk)
       512 bytes per logical sector
      8192 bytes per cluster
        32 reserved sectors
First FAT starts at byte 16384 (sector 32)
         2 FATs, 32 bit entries
   1687040 bytes per FAT (= 3295 sectors)
Root directory start at cluster 2 (arbitrary size)
Data area starts at byte 3390464 (sector 6622)
    421729 data clusters (3454803968 bytes)
32 sectors/track, 64 heads
         0 hidden sectors
   6754288 sectors total
Checking for unused clusters.
Checking free cluster summary.
/dev/loop/0: 106 files, 1569/421729 clusters
mounting waveform filesystem
umounting waveform filesystem
info display:started:time=6980:
/etc/upstart/battery-diags: line 91: f_proto: not found
info battery:charged:cap=85,mV=4083,mAH=1244:
USER=root
prevlevel=N
OLDPWD=/
HOME=/
runlevel=S
eink=fslepdc
TERM=vt102
PATH=/sbin:/bin:/usr/sbin:/usr/bin
SHELL=/bin/sh
PWD=/dev
VERBOSE=no
LD_LIBRARY_PATH=/usr/lib/tts/speech/components/common/:/usr/lib/tts
No state is present for card imxyoshi
Unknown hardware: "WM8962" "" "" "" ""
Hardware is initialized using a guess method
/etc/rcS.d/S50diags: line 13: audioServer: not found
/etc/rcS.d/S50diags: line 13: kb: not found
diags : /opt/factory/rootfs_md5_list not found.
Sending: mkdir -p /mnt/base-us/diagnostic_logs/
PostMode len = 6 of 16
Ignoring PostMode
GlobalHalImpl: found DeviceType: 19
found: zforce
Sending cmd: modprobe mx50_yoshi_mma8453
input: mma8453 as /devices/virtual/i2c-adapter/i2c-0/0-001c/input/input5
check mma8453 chip ID
mma8453 0-001c: build time Nov  3 2011 11:21:40
add mma8453 i2c driver
Sending cmd: modprobe mx50_proximity
FATAL: Module mx50_proximity not found.
found: whitney_button
Input driver version is 1.0.0
Input device ID: bus 0x18 vendor 0x0 product 0x0 version 0x0
Input device name: "WM8962 Beep Generator"
Supported events:
Input driver version is 1.0.0
Input device ID: bus 0x0 vendor 0x0 product 0x0 version 0x0
Input device name: "imx-yoshi Headset"
Supported events:
Input driver version is 1.0.0
Input device ID: bus 0x19 vendor 0x1 product 0x1 version 0x100
Input device name: "whitney-button"
Supported events:
Input driver version is 1.0.0
Input device ID: bus 0x0 vendor 0x0 product 0x0 version 0x0
Input device name: "zforce"
Supported events:
Input driver version is 1.0.0
Input device ID: bus 0x19 vendor 0x0 product 0x0 version 0x0
Input device name: "mxckpd"
Supported events:
Input driver version is 1.0.0
Input device ID: bus 0x18 vendor 0x0 product 0x0 version 0x0
Input device name: "mma8453"
Supported events:
 failed to open /dev/input/event6
 failed to open /dev/input/event7
Ignoring PostMode
system: I mntroot:def:Making root filesystem writeable
EXT3 FS on mmcblk0p2, internal journal
system: I mntroot:def:Making root filesystem read-only
1000
1000
system_diags[MainTest] 1 INFO : Start test
   WHITNEY_WFO - System Diags
   ~~~~~~  1.0.6.215  ~~~ -1094788216 ~~~~~~~~~~~~
~ S ~ Device Setting
O) Operator test suite
R) Run in Test
G) Gas Gauge
E) 511
T) Power Test
B) Audio Test
H) Adjust battery
M) MoviNand
N) Misc individual diagnostics
Y) ART 11g factory test
U) USB device mode
D) Exit, Reboot or Disable Diags
K) Lock to HOME button
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
X) Exit


check_portsc_bits: 0x18000205
Connected to a HIGH speed Host
g_file_storage gadget: full speed config #1

kexec.sh:
Code:
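# Stage the diags kernel image together with the diags kernel command line.
kexec \
  -l diags_kernel.img \
  --type=uImage \
  --append="consoleblank=0 rootwait ro ip=off root=/dev/mmcblk0p2 quiet user_debug=31 eink=fslepdc video=mxcepdcfb:E60,bpp=8 console=ttymxc0,115200"
# Boot the staged kernel immediately, without a normal shutdown.
kexec -e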

diags_kernel-5.0.0.img.tgz: http://www.mediafire.com/?wxv0eat6lcz6mx6

kexec binary extracted from Debian armel package: http://ge.tt/3xjysLE/v/0?c

getkernels tool: http://www.mobileread.com/forums/sho...d.php?t=174674

Please post here if you attempt this. We want to know about successes and failures, and especially any customized Linux kernels that you booted. Also, be sure to post disk image and kernel files that boot Android OS from the USB Drive when you have them ready for us...

Last edited by geekmaster; 05-13-2012 at 03:55 PM. Reason: fixed bad link
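Before an image cut out of an mmcblk0 backup or fetched from a file host is handed to `kexec -l`, it can be checked against its own header. The following is an added example, not code from the thread: a parser for the legacy U-Boot uImage header, assuming the Kindle images use the standard 64-byte big-endian layout (which the `--type=uImage` option and the version string at offset 0x20 in the transcript suggest). `build_sample` and its field values are constructed test data.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956               # legacy U-Boot image magic
HDR = struct.Struct(">7I4B32s")         # 64-byte big-endian header
FLASH_HDR_PAD = 0x80                    # transcript: length field + 0x80
KERNEL_OFFSETS = {"main": 0x41000, "diags": 0xE41000}  # transcript


def crc(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage(blob, offset=0):
    """Parse and CRC-check a legacy uImage located at `offset` in `blob`."""
    raw = blob[offset:offset + HDR.size]
    if len(raw) < HDR.size:
        raise ValueError("truncated header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = HDR.unpack(raw)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    # The header CRC is computed with its own field (bytes 4..7) zeroed.
    zeroed = raw[:4] + b"\0" * 4 + raw[8:]
    body = blob[offset + HDR.size:offset + HDR.size + size]
    return {
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),  # at 0x20
        "size": size,                        # the "4th dword"
        "dd_length": size + FLASH_HDR_PAD,   # bytes to copy out of mmcblk0
        "load": load,
        "entry": entry,
        "header_crc_ok": crc(zeroed) == hcrc,
        "data_crc_ok": len(body) == size and crc(body) == dcrc,
    }


def build_sample(payload, name=b"Linux-2.6.31-rt11-lab126"):
    """Constructed stand-in image; the payload is not a real kernel."""
    # os=5 (Linux), arch=2 (ARM), type=2 (kernel), comp=0; addresses made up.
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x8000, 0x8000,
              crc(payload), 5, 2, 2, 0, name]
    fields[1] = crc(HDR.pack(*fields))
    return HDR.pack(*fields) + payload


if __name__ == "__main__":
    # Constructed backup: 0xff filler with a sample image at the diags offset.
    backup = b"\xff" * KERNEL_OFFSETS["diags"] + build_sample(b"\x00" * 4096)
    print(parse_uimage(backup, KERNEL_OFFSETS["diags"]))
```

CRC-32 detects a truncated or corrupted copy (such as the lost final block the transcript warns about with `dd`); it does not authenticate where the image came from.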