Here's my chat with ichinomoto (the one who got the console port working). We're trying to get root shell. It seems like it won't be as easy as the Kindle 3/2. To summarize, most uboot options (including read/write to NAND or RAM) are gone. bootargs are reset to null on boot (should be a way to bypass. looking in the source code). Recovery menu shows Export MMC0, but the option does not work. Anyone has any other ideas I can pass along? Some way to get Linux to load /bin/sh instead of kinit when starting up.
Quote:
Yifan Lu: so any luck getting root?
ichinomoto ekesete: I still not get root.
ichinomoto ekesete: Is there any way other than to transfer the kernel?
Yifan Lu: yes, the way is to get linux to boot /bin/sh
Yifan Lu: instead of /bin/init
Yifan Lu: so you get shell on boot
Yifan Lu: then mount the usb and copy the filesystem
Yifan Lu: on the k3, you do
Yifan Lu: setenv bootargs console=ttymxc0,115200 root=/dev/mmcblk0p1 rw init=/bin/sh
Yifan Lu: then
Yifan Lu: boot
ichinomoto ekesete: I tried it, but it seems to boot with /bin/init .
Yifan Lu: it may be that "boot" resets bootarg
Yifan Lu: can you try bootm 0×41000 again aftrer setenv/
ichinomoto ekesete: I paste the log
Yifan Lu: thanks
ichinomoto ekesete: Hit any key to stop autoboot: 0
uboot > setenv bootargs console=ttymxc0,115200 root=/dev/mmcblk0p1 rw init=/bin/sh
uboot > bootm 0x41000
## Booting kernel from Legacy Image at 70800000 ...
Image Name: Linux-2.6.31-rt11-lab126
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 4760896 Bytes = 4.5 MB
Load Address: 70008000
Entry Point: 70008000
Verifying Checksum ... OK
Loading Kernel Image ... OK
OK
Starting kernel ...
Linux version 2.6.31-rt11-lab126 (build2@lucid-build02) (gcc version 4.5.3 20110406 (prerelease) (Linaro GCC 4.5-2011.04-0) ) #5 Fri Sep 2 22:46:52 PDT 2011
CPU: ARMv7 Processor [412fc085] revision 5 (ARMv7), cr=10c53c7f
CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
Machine: Amazon.com MX50 YOSHI Board
Board ID and Serial Number driver for Lab126 boards version 1.0
MX50 Board id - 00315011137300IG
Memory policy: ECC disabled, Data cache writeback
On node 0 totalpages: 65536
free_area_init_node: node 0, pgdat c0491b24, node_mem_map c04bd000
DMA zone: 192 pages used for memmap
DMA zone: 0 pages reserved
DMA zone: 24384 pages, LIFO batch:3
Normal zone: 320 pages used for memmap
Normal zone: 40640 pages, LIFO batch:7
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 65024
Kernel command line: consoleblank=0 rootwait ro ip=off root=/dev/mmcblk0p1 debug eink=fslepdc video=mxcepdcfb:E60,bpp=8 console=ttymxc0,115200
PID hash table entries: 1024 (order: 10, 4096 bytes)
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Memory: 256MB = 256MB total
Memory: 254860KB available (3376K code, 362K data, 1072K init, 0K highmem)
NR_IRQS:368
MXC IRQ initialized
cko2_set_rate, new divider=5
MXC_Early serial console at MMIO 0x53fbc000 (options '115200')
console [ttymxc0] enabled
Console: colour dummy device 80x30
Calibrating delay loop... 799.53 BogoMIPS (lpj=3997696)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
regulator: core version 0.5
NET: Registered protocol family 16
i.MX IRAM pool: 128 KB@0xd0840000
CPU is i.MX50 Revision 1.1
MXC GPIO hardware
Using SDMA I.API
MXC DMA API initialized
bio: create slab <bio-0> at 0
mxc_spi mxc_spi.0: chipselect 0 already in use
mxc_spi mxc_spi.0: chipselect 0 already in use
CSPI: mxc_spi-0 probed
CSPI: mxc_spi-1 probed
mxc_spi mxc_spi.2: chipselect 0 already in use
CSPI: mxc_spi-2 probed
MXC I2C driver
MXC I2C driver
PMIC Light driver loading...
mc13892 Rev 2.1 FinVer 2 detected
Initializing regulators for mx50 yoshi.
regulator: SW1: 600 <--> 1375 mV
regulator: SW2: 900 <--> 1850 mV
regulator: SW3: 900 <--> 1850 mV
regulator: SW4: 1100 <--> 1850 mV
regulator: SWBST: 0 mV
regulator: VIOHI: 0 mV
regulator: VPLL: 1050 <--> 1800 mV
regulator: VDIG: 1200 mV
regulator: VSD: 1800 <--> 3150 mV
regulator: VUSB2: 2400 <--> 2775 mV
regulator: VVIDEO: 2775 mV
regulator: VAUDIO: 2300 <--> 3000 mV
regulator: VCAM: 2500 <--> 3000 mV fast normal
regulator: VGEN1: 3000 mV
regulator: VGEN2: 1200 <--> 3150 mV
regulator: VGEN3: 1800 mV
regulator: VUSB: 0 mV
regulator: GPO1: 0 mV
regulator: GPO2: 0 mV
regulator: GPO3: 0 mV
regulator: GPO4: 0 mV
PMIC ADC start probe
PMIC Light successfully loaded
Device spi3.0 probed
NET: Registered protocol family 2
IP route cache hash table entries: 2048 (order: 1, 8192 bytes)
TCP established hash table entries: 8192 (order: 4, 65536 bytes)
TCP bind hash table entries: 8192 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 8192 bind 8192)
TCP reno registered
NET: Registered protocol family 1
LPMode driver module loaded
Static Power Management for Freescale i.MX5
PM driver module loaded
sdram autogating driver module loaded
Bus freq driver module loaded
Initializing MX50 Yoshi Accessory Port
mxc_dvfs_core_probe
DVFS driver module loaded
i.MXC CPU frequency driver
msgmni has been set to 498
alg: No test for stdrng (krng)
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
regulator: DISPLAY: 0 mV
regulator: GVDD: 20000 mV
regulator: GVEE: -22000 mV
regulator: VCOM: 0 <--> 2749 mV
regulator: VNEG: -15000 mV
regulator: VPOS: 15000 mV
regulator: TMST: 0 mV
papyrus 1-0048: PMIC PAPYRUS for eInk display
Amazon MX35 Yoshi Power Button Driver
Serial: MXC Internal UART driver
mxcintuart.0: ttymxc0 at MMIO 0x53fbc000 (irq = 31) is a Freescale MXC
console handover: boot [ttymxc0] -> real [ttymxc0]
loop: module loaded
mxc_rtc mxc_rtc.0: rtc core: registered mxc_rtc as rtc0
Probing mxc_rtc done
mc13892 rtc probe start
pmic_rtc pmic_rtc.1: rtc core: registered pmic_rtc as rtc1
mc13892 rtc probe succeed
i2c /dev entries driver
MXC WatchDog Driver 2.0
MXC Watchdog # 0 Timer: initial timeout 127 sec
MXC Watchdog: Started 10000 millisecond watchdog refresh
PMIC Character device: successfully loaded
pmic_battery: probe of pmic_battery.1 failed with error -1
sdhci: Secure Digital Host Controller Interface driver
sdhci: Copyright(c) Pierre Ossman
mxsdhci: MXC Secure Digital Host Controller Interface driver
mxsdhci: MXC SDHCI Controller Driver.
mmc0: SDHCI detect irq 273 irq 2 INTERNAL DMA
mxsdhci mxsdhci.1: dmabounce: registered device
mxsdhci: MXC SDHCI Controller Driver.
mmc1: SDHCI detect irq 0 irq 3 INTERNAL DMA
Registered led device: pmic_ledsr
Registered led device: pmic_ledsg
Registered led device: pmic_ledsb
nf_conntrack version 0.5.0 (4096 buckets, 16384 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 17
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
kernel: I perf:kernel:kernel_loaded=0.72 seconds:
VFP support v0.3: implementor 41 architecture 3 part 30 variant c rev 2
regulator_init_complete: disabling TMST
regulator_init_complete: disabling VCOM
regulator_init_complete: disabling GPO4
regulator_init_complete: disabling GPO3
regulator_init_complete: disabling GPO2
regulator_init_complete: disabling GPO1
regulator_init_complete: disabling VGEN3
regulator_init_complete: disabling VGEN1
regulator_init_complete: disabling VCAM
regulator_init_complete: disabling VAUDIO
regulator_init_complete: disabling VVIDEO
regulator_init_complete: disabling VSD
regulator_init_complete: disabling SWBST
mxc_rtc mxc_rtc.0: setting system clock to 1970-01-01 00:00:00 UTC (0)
Freeing init memory: 1072K
mmc0: queuing CIS tuple 0x01 length 3
mmc0: queuing CIS tuple 0x1a length 5
2.6.31-rt11-lab126 #5 Fri Sep 2 22:46:52 PDT 201mmc0: queuing CIS tuple 0x1b length 8
1 armv7l
mmc0: queuing CIS tuple 0x14 length 0
mmc0: queuing CIS tuple 0x80 length 1
mmc0: queuing CIS tuple 0x81 length 1
mmc0: queuing CIS tuple 0x82 length 1
mmc0: new high speed SDIO card at address 0001
emmc: I def:mmcpartinfo:vendor=toshiba, ddr=1, host=mmc1:
mmc1: new high speed MMC card at address 0001
mmcblk0: mmc1:0001 002G00 1.82 GiB
mmcblk0: p1 p2 p3 p4
INFO:Loaded module /lib/modules/eink_fb_waveform.ko (35500 bytes)
INFO:Loaded module /lib/modules/eink_fb_hal.ko (71576 bytes)
INFO:Loaded module /lib/modules/mxc_epdc_fb.ko dont_register_fb=1 (43068 bytes)
mxc_epdc_fb_init_hw: 06_05_0039_3c_151621_03_37_000007ae_85.wbf
eink_fb: I EINKFB_PROBE:def:fb0 using 1416K of RAM for framebuffer
INFO:Loaded module /lib/modules/eink_fb_hal_fslepdc.ko (21580 bytes)
INFO:Loaded module /lib/modules/eink_fb_shim.ko (119240 bytes)
INFO:eink initialized...input: tequila-keypad as /devices/platform/tequila-keypad/input/input0
(480000 bytes)
INFO:Using default keypad setting. (not passing "kb_rev" to module)
INFO:Loaded module /lib/modules/tequila_keypad.ko (11264 bytes)
Press [ENTER] for recovery menu... 0 /INFO:* Partition table verified for /dev/mmcblk0 *
INFO:Checking for updates... (auto-pilot mode)
/dev/mmcblk0p4:
CHS=4/16/44608 size=1461714944 bytes
flag type first last lba first lba size
Partition p1:
0x00 0x0b 16 <large> 16 2854896
CHS: 0/1/1 - <large>
Partition p2:
Partition p3:
Partition p4:
INFO:Setup loop device /dev/loop0 for /dev/mmcblk0p4 + 8192
INFO:No update*.bin found; no update needed.
INFO:no updates found.
BOOTING DEFAULT.
argc == 10
argv[0]: "kinit"
argvkjournald starting. Commit interval 5 seconds
[1]: "consoleblank=0"
Yifan Lu: OH!
Yifan Lu: when you see Press [ENTER] for recovery menu.
Yifan Lu: press enter!
Yifan Lu: that's great that it's still there
Yifan Lu: then paste me what the menu options are
ichinomoto ekesete: Menu
====
3. Load MMC0 over USB storage
4. Erase MMC0
I. Initialize Partition Table (fdisk) and format FAT
O. Format and overwrite FAT partition
E. Export FAT partition
U. Update using update*.bin file on FAT partition
M. Update using update*.bin file on FAT partition of second MMC port
D. dmesg / kernel printk ring buffer.
Q. quit
Choose: 6 /
Yifan Lu: YES! press 3 and see if you get a password prompt
ichinomoto ekesete: Unknown option '3' ???
Yifan Lu: does 'E' work?
ichinomoto ekesete: please wait
ichinomoto ekesete: Choose: 10 /e
INFO:storage_export(/dev/mmcblk0p4): exporting
Charge: 51% [##############################:::::::::::::::::::: ::::::::]
[FAT32]
1. done
R. reboot
Choose: /
Yifan Lu: ok, that works. but that only exports the user partition
Yifan Lu: we want /dev/mmcblk0p1
Yifan Lu: press 1 and see if it's done
Yifan Lu: then try 3 again
Yifan Lu: if it still doesn't work
Yifan Lu: reboot and do
Yifan Lu: setenv bootargs $bootargs init=/bin/sh
Yifan Lu: then
Yifan Lu: boot
ichinomoto ekesete: ok
ichinomoto ekesete: setenv and boot
ichinomoto ekesete: then kindle show normal login prompt
ichinomoto ekesete: this kindle, S/N: {REMOVED}
Yifan Lu: so option 3 does not work?
ichinomoto ekesete: yes, Unknown option '3'
Yifan Lu: hmm
Yifan Lu: in boot
Yifan Lu: md.b 0 40
Yifan Lu: what does that do?
ichinomoto ekesete: uboot > md.b 0 40
Unknown command 'md.b' - try 'help'
Yifan Lu: hmm
Yifan Lu: it seems that all the helpful stuff are gone
Yifan Lu: we need to get creative
Yifan Lu: this may not do anything useful, but try
Yifan Lu: run bootcmd_diags
Yifan Lu: also, try "idme ?"
ichinomoto ekesete: uboot > idme
serial: {REMOVED}
accel:
mac: {REMOVED}
sec: {REMOVED}
pcbsn: {REMOVED}
bootmode: main
postmode: normal
Yifan Lu: sec: {REMOVED} that's new
Yifan Lu: it looks like a password of some sort
Yifan Lu: I haven't seen it on the kindle 3 or kindle 2
ichinomoto ekesete: hmm, anyway try in diagmode
ichinomoto ekesete: system_diags[MainTest] 1 INFO : Start test
TEQUILA - System Diags
~~~~~~ 1.0.6.194 ~~~ -1094669432 ~~~~~~~~~~~~
~ S ~ Device Setting
O) Operator test suite
R) Run in Test
G) Gas Gauge
E) 511
T) Power Test
H) Adjust battery
M) MoviNand
N) Misc individual diagnostics
Y) ART 11g factory test
U) USB device mode
D) Exit, Reboot or Disable Diags
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
X) Exit - FW RIGHT to exit
No USB/Charger found ... entering low power idle
mxc_rtc: saved=0x820 boot=0xa08
boot: I def:rbt:reset=user_reboot,version=000000:
Yifan Lu: first try U and see if it gives more options
Yifan Lu: then try M and see what other options
ichinomoto ekesete: system_diags[USB_DeviceModeTest] 1 INFO : Start test
testName = USBexport
export USB
Check USB_cable
TEQUILA - USB device mode
~~~~~~ 1.0.6.194 ~~~ 327739 ~~~~~~~~~~~~
Please connect the USB cable
from PC to the device
~ Q ~ to continue - FW LEFT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
X) Exit - FW RIGHT to exit
Yifan Lu: oh! I was just reading the kindle bootloader source
Yifan Lu: remember when you did setenv bootargs and nothing happened
Yifan Lu: it is because the kindle is designed to reset bootargs when booting in main mode
Yifan Lu: in uboot
Yifan Lu: do
Yifan Lu: idme bootmode none
Yifan Lu: setenv bootargs console=ttymxc0,115200 root=/dev/mmcblk0p1 rw init=/bin/sh
Yifan Lu: bootm 0×41000
Yifan Lu: thanks
ichinomoto ekesete: it boots normal
Yifan Lu: after doing the idme commmand
Yifan Lu: do idme ? to check
Yifan Lu: that bootmode is set
ichinomoto ekesete: bootmode setting was changed.
ichinomoto ekesete: uboot > idme ?
serial: {REMOVED}
accel:
mac: {REMOVED}
sec: {REMOVED}
pcbsn: {REMOVED}
bootmode: none
postmode: normal
uboot > setenv bootargs console=ttymxc0,115200 root=/dev/mmcblk0p1 rw init=/bin/sh
uboot > bootm 0x41000
Yifan Lu: what if you add
Yifan Lu: idme postmode slow
Yifan Lu: along with idme bootmode none
Yifan Lu: do those two commands first
Yifan Lu: then reboot and use idme ?
Yifan Lu: to see that your settings are kept
Yifan Lu: then do the setenv
Yifan Lu: and bootm
Yifan Lu: even if it looks like a normal boot, wait until you see
Yifan Lu: BOOTING DEFAULT.
* argc == 10
* argv[0]: "kinit"
Yifan Lu: and so on
Yifan Lu: and see if your options are there
Yifan Lu: thanks
ichinomoto ekesete: idme postmode slow
ichinomoto ekesete: and reboot
Yifan Lu: along with setenv, right?
Yifan Lu: and idme bootmode none?
ichinomoto ekesete: then boot time until uboot is very slow.
ichinomoto ekesete: i miss the key hit timing. try once more
ichinomoto ekesete: uboot > idme ?
serial: {REMOVED}
accel:
mac: {REMOVED}
sec: {REMOVED}
pcbsn: {REMOVED}
bootmode: none
postmode: slow
ichinomoto ekesete: BOOTING DEFAULT.
argc == 10
argv[0]: "kinit"
argvkjournald starting. Commit interval 5 seconds
[1]: "consoleblank=0"
argv[2]EXT3-fs: mounted filesystem with writeback data mode.
: "rootwait"
argv[3]: "ro"
argv[4]: "ip=off"
argv[5]: "root=/dev/mmcblk0p1"
argv[6]: "debug"
argv[7]: "eink=fslepdc"
argv[8]: "video=mxcepdcfb:E60,bpp=8"
argv[9]: "console=ttymxc0,115200"
Running ipconfig
argc == 4
argv[0]: "IP-Config"
argv[1]: "-i"
argv[2]: "Linux kinit"
argv[3]: "ip=off"
IP-Config: no devices to configure
kinit: do_mounts
Yifan Lu: hmm
Yifan Lu: the problem is that your bootargs are not being read
Yifan Lu: ok, last thing I can think off
Yifan Lu: reboot
Yifan Lu: setenv bootargs $bootargs init=/bin/sh
Yifan Lu: bootm 0×41000
Yifan Lu: if that doesn't work
Yifan Lu: remember to reset your idme variables back to orignal values (after you're done so you can boot normally)
Yifan Lu: idme bootmode main
Yifan Lu: idme postmode normal
Yifan Lu: and thanks for your help
ichinomoto ekesete: it doesn't work...
Yifan Lu: oh well thanks anyways for your time
Yifan Lu: sorry, one more thing. when you are booting into diags, do you see: Press [ENTER] for recovery menu.
ichinomoto ekesete: ok
Yifan Lu: I have to go now, thanks again
Yifan Lu: if you want to play around, try to get option 3 in recovery menu to work
Yifan Lu: if you can get it to ask you for a password, I can get you the password
Yifan Lu: once you get option 3 to work on the recovery menu
Yifan Lu: you can modify the rootfs and dump it via usb
|