Is Das U-Boot on the MMC or some other type of ROM?

[asymptote]

1. Where is Das U-Boot on the Kindle that the ARM processor looks for and boots
2. Is it safe to erase? Can it be restored?
3. How can it be backed up/restored? With which tools?
4. What are the differences between the tools?

Where is Das U-Boot stored? Is it on the main 4GB MMC that contains the Linux filesystems as well as the VFAT "thumb drive" partition? Or is it in some specialized type of boot ROM somewhere else?

I'd like to know how to entirely backup my Kindle Keyboard (Kindle 3) including the bootloader, and I'd like to know how far I'd have to go in erasing things to completely brick the Kindle. I have a 1.8V TTL cable and can access the serial port, so if it's only possible to brick the USB functionality but it can still be reprogrammed with the UART that is fine.

The reason for my asking is that I intend to completely rewrite the Kindle's firmware from the ground up for a personal project involving the eInk display and the serial port. I know I could just the existing bootloader and Linux kernel/drivers, but that isn't what I am interested in doing. I'd like to erase everything and start with a clean slate, but at the same time I don't want to brick my Kindle to the point the reprogramming tools are useless.

Also I'd like to know what the differences are between the various Kindle flashing tools: Freescale ATK, MfgTool, fastboot, k3flasher, etc.

I dumped the first 700mb of the flash filesystem using the ATK. MfgTool didn't seem to have an ability to dump -- only to program. I have not tried fastboot, and k3flasher seems to just be an linux alternative to ATK.

I'd appreciate insight!

[qlob]

- ATK have basically the same funcionality, except that k3flasher is written just for the K3, ATK is for most freescale processors. MFGtool and fastboot are for the K4 and above....

- I think people have restored the uboot when theyhave accidentally bricked it...

- The USB downloader tool is baked into the CPU, so AFAIK losing uboot shouldnt be a problem.

Take all of the above wh a grain of salt, I am definitely NOT the resident expert here..... All i did was write the ATK guide with only a limited idea o how it works...

[eureka]

Quote:

Originally Posted by asymptote

[Where is Das U-Boot stored? Is it on the main 4GB MMC that contains the Linux filesystems as well as the VFAT "thumb drive" partition?

It should be so.

I understand, you're still needing more clear answer , but meanwhile you can also download reference manual for KK processor (i.MX353, according to Wikipedia) from Freescale site and look for chapter about system boot. There should be information about offset of MMC where processor gets initial code to execute.

[knc1]

Quote:

Originally Posted by asymptote

1. Where is Das U-Boot on the Kindle that the ARM processor looks for and boots
2. Is it safe to erase? Can it be restored?
3. How can it be backed up/restored? With which tools?
4. What are the differences between the tools?

1) Depends on the Kindle model.
Some, it is stored in a partition of the mtdblock device.
Other models only have the eMMC (mmcblk) device, it is stored there. Unusually in a locked, hardware write-protected area.

2) Yes to both, but requires special software tools. What tools depends on the model of Kindle.

3) How can what be backed up / restored on what model of Kindle?

4) The tools work at different levels of abstraction, some tools work at more than one level of abstraction.
Offer a specific question if you seek a more specific answer.

And in all cases, read the Freescale reference manuals on the model SoC you are intending to use.
Amazingly, after doing that, you should be able to answer most of your own questions above.

[asymptote]

Quote:

Originally Posted by knc1

1) Depends on the Kindle model.
Some, it is stored in a partition of the mtdblock device.
Other models only have the eMMC (mmcblk) device, it is stored there. Unusually in a locked, hardware write-protected area.

I am currently only interested in where the bootloader is stored on the Kindle 3.

If the Kindle 3 uses some other place besoides the MMC that contains the Linux partitions, I want to know how I can access that to back it up, and reflash it for experimentation and also to restore it to it's original state when I'm done.

I have read some of the Freescale documentation, but it doesn't mention the boot process. Perhaps I am looking at the wrong document, I was reading:
MCIMX35SR2CEC.pdf

[knc1]

Quote:

Originally Posted by asymptote

I am currently only interested in where the bootloader is stored on the Kindle 3.

If the Kindle 3 uses some other place besoides the MMC that contains the Linux partitions, I want to know how I can access that to back it up, and reflash it for experimentation and also to restore it to it's original state when I'm done.

I have read some of the Freescale documentation, but it doesn't mention the boot process. Perhaps I am looking at the wrong document, I was reading:
MCIMX35SR2CEC.pdf

The Kindle 3 -

Read the source code of K3Flasher (it does that, the backup and restore) ;
If the K3Flasher script does not make a copy of the first 32Mbyte of /dev/mmcblk0
Then copy that also (that area, prior to the first partition start, holds u-boots and kernels and device specific stuff - the eMMC in the K3 uses a DOS disk label).

Read Freescale AN3996.pdf (available from the Freescale site) ;

Also of interest, the source code for the ATK, for their SoC downloader client info.
Plus the application notes associated with the ATK.

[eureka]

Quote:

Originally Posted by asymptote

I have read some of the Freescale documentation, but it doesn't mention the boot process. Perhaps I am looking at the wrong document, I was reading:
MCIMX35SR2CEC.pdf

It's a data sheet, not the Reference Manual. Look for IMX35RM.

[knc1]

Quote:

Originally Posted by eureka

It's a data sheet, not the Reference Manual. Look for IMX35RM.

Should be easy to tell the difference - the Reference Manual is about 3,600 pages longer.
You will notice it when you have read it, sort of the silicon version of War and Peace.

[twobob]

Quote:

Originally Posted by knc1

Should be easy to tell the difference - the Reference Manual is about 3,600 pages longer.
You will notice it when you have read it, sort of the silicon version of War and Peace.

at one page a day I could have that finished in a little under ten years
better get started.

[knc1]

Ten years or five Kindle batteries later ...

[twobob]

Quote:

Originally Posted by knc1

Ten years or five Kindle batteries later ...

7 kindle models

[knc1]

Read faster, Freescale only commits to making that SoC for fifteen years.

- - - -

There are differences between the boot image used by a MIPS machine and that used by an ARM machine. . . .
But the directions relating to the over-all process are similar (although the tools may differ).
Once you can take apart one, you can (figure out how to) take apart any of them.

[hawhill]

Quote:

Originally Posted by asymptote

1. Where is Das U-Boot on the Kindle that the ARM processor looks for and boots
2. Is it safe to erase? Can it be restored?
3. How can it be backed up/restored? With which tools?
4. What are the differences between the tools?

Have a look at the sources of k3flasher. I did put in a bit of documentation for what I could tell at that point.

Erasing, rewriting etc. of the uboot loader is not a problem at all. k3flasher comes with a shell script that will backup the distinct parts for you.

Uboot is stored at the beginning of the eMMC flash device, following a MBR but not itself being within a partition. Same goes for some other parts like serial number/MAC address information, kernel, stuff for the e-ink driver.

That is followed by the first partition containing the rootfs, then there's the configuration storage mounted on /var/somethingIforgot and the user partition. The last one is a bit special since it contains an MBR, too, for faking a full disk with one partition when exporting that partition via USB.

I'd be quite interested in the outcome of your project, especially the initialization stage for the SoC. If I were in your position, however, I'd still go with uboot, I think. Mainly because the source code is readily there and working (admittedly, I've never compiled it myself).

[asymptote]

Thank you hawhill, that was the answer I was looking for -- that Das U-Boot is indeed stored on the MMC and can be dumped, overwritten, and restored.

My next question is this: is the MMC at least partially (perhaps not all 4gb) memory mapped into a range of addresses? If so, what are these addresses and does the ROM need to be aware of this if it uses absolute memory offsets? What is the code execution entry point in the ROM and in memory?

I want to know the structure of the ROM and how it is loaded and executed, so I can jump into writing a custom bootloader. The bootloader would do some serial IO and nothing more, I think that the next step might be to figure out how to cross compile Das U-Boot and once I get flashing my custom U-Boot ROM working I'd work on modifying it's source code and trimming it down to the point where it only did serial IO that way I'd always have something that was working.

Do you have any suggestions or information about the boot process?

Thanks!

[knc1]

To do what you purpose, write a bootloader based on u-boot, would require you to read the sources.

Once you read the sources, you will be able to answer all of your own questions.

Hint:
Since u-boot may be configured for many different machines, what I did was configure the u-boot source for the target machine, compile it, then just read those sources that where included in the load map.

I even posted the step-by-step here to do that.
(In the "debricking a DX" thread)