Somewhere in the year 2012 I thought buying a cheapish Chinese Android-based tablet was a good idea. My wife had just got her first iPad, and I was curious what sort of tablet €85 would get me. From a tablet point of view this turned out to be somewhat of a disappointment, or rather, it would have been a disappointment if I had expected to get a usable tablet.
Looking at it from the hackable Linux device perspective it was actually quite okay. It came with a 7" 800x480 colour LCD, ethernet, WiFi, serial port, microphone, speakers, camera, two USB ports, 2Gb flash, a micro SD slot, and a resistive (i.e. single touch) touchscreen digitiser. On top of that it had a rechargeable battery that would sustain the thing for about two hours. All of this was driven, rather underpowered, by a 300MHz ARM processor and 128Mb of RAM.
The tablet came with this dongle. On this side I hacked a serial port. On the other side, there are two USB2 ports. And on the left side, there is a UTP plug for ethernet.
Unfortunately, I started with trying different versions of Android based firmware. A firmware upgrade consisted of downloading a zip, extracting to SD card, and booting the tablet with the SD in it. Apart from a new android kernel and rootfs, all these firmware updates always included an update for w-boot and u-boot as well. These were the pre-bootloader and main bootloader respectively. At a certain moment I left the SD card in when I hadn't meant to, booted, noticed my mistake, yanked the card out, and corrupted either w-boot or u-boot. As a result, the tablet would not boot anymore, and I had made myself a fancy paperweight.
At the time, I looked into fixing this. The bootloaders are stored in an SPI flash chip, while the rest of the software lives in another set of flash chips. So I hooked my Bus Pirate to the SPI flash and tried to access it in circuit. This was ultimately unsuccessful: while I could read the flash chip id, the rest of the tablet's circuitry somehow prevented me from writing or even reliably reading the chip's contents. I decided that I would have to desolder the chip to continue, and that I had more important things to do.
Attempt at in-situ programming of the SPI flash chip.
So I put the tablet in its box and more or less forgot about it for a couple of years.
Recently I came across it again while looking for something else. I then saw connection points for a JTAG interface. These I had noticed before, but at the time I did not have anything to interface with JTAG. But now it seemed that, with a firmware update, my buspirate and openocd could be made to do this.
So I soldered a connector to the JTAG interface, hooked it to my Bus Pirate and tried openocd. I quickly found that openocd needs some kind of description of the item on the other side of the JTAG to work. This makes sense, as designing such a hardware debug interface, with a very limited number of users, for "plug and play" would be a serious waste of effort. Unfortunately the tablet was based on a WonderMedia WM8505 board that was unknown to openocd.
JTAG header added to tablet. GND is hooked to the SPI flash ground pin. And I stuck a description of the pins to the inside of the tablet case, for future reference.
This meant I had to make my own definition file, while discovering how openocd actually works. I could find a single forum post by someone who had done the same or something similar, but that post did not have much detail. Fortunately, it all proved relatively straightforward. When I connected the board, only a single JTAG TAP (something like a client or receiver) was found, so this had to be the processor. And by now I knew that the WM8505 had an ARM926EJ-S core, for which openocd already had a definition file. So after some experimenting, I could halt the processor on the tablet, dump/change its registers and other state, and make it do anything I wanted.
For those in need of this, here is the definition file I cobbled together:
# Barebones openocd definition file for WM8505
#
# not sure if this actually works

jtag_rclk 3000

# WM8505 SoC: one TAP with a 4-bit instruction register
jtag newtap WM cpu -irlen 4 -expected-id 0x07926f0f

# CPU: the ARM926EJ-S core behind that TAP
target create CPU arm926ejs -chain-position WM.cpu

# no hard reset, use soft reset
CPU configure -event reset-assert { jtag arp_init }

# Work area in ram: last 8k from 128M, i.e. 0x07ffe000-0x08000000 (size 0x2000)
CPU configure -work-area-phys 0x07ffe000 -work-area-size 0x2000

# faster memory transfers via the debug comms channel
arm7_9 dcc_downloads enable
arm7_9 fast_memory_access enable

# only TRST is wired up, no SRST
reset_config trst_only
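Two things in that file are easy to get wrong without any error from openocd: the `-expected-id` value, which openocd only compares against what the TAP reports, and the work area, which must lie inside RAM. The following is an added example, not part of the original post, written as OpenOCD Tcl so it can be sourced next to the definition file. It decodes the IDCODE fields per IEEE 1149.1 and checks the work-area bounds. Assumed: RAM starts at 0x00000000 and is 128 MiB (as the post implies), and the work area is the last 8k of it, i.e. size 0x2000.

```tcl
# Added example (not from the original post): sanity checks on the WM8505
# definition file, in OpenOCD Tcl. Assumed values: 128 MiB of RAM starting
# at 0x00000000, and the -expected-id and work-area numbers from the file.

# JTAG IDCODE layout (IEEE 1149.1): bit 0 is always 1, bits 1-11 are the
# manufacturer code, bits 12-27 the part number, bits 28-31 the version.
proc decode_idcode {id} {
    set lsb     [expr {$id & 0x1}]
    set mfg     [expr {($id >> 1) & 0x7ff}]
    set part    [expr {($id >> 12) & 0xffff}]
    set version [expr {($id >> 28) & 0xf}]
    if {$lsb != 1} {
        error [format "0x%08x is not a valid IDCODE (bit 0 must be 1)" $id]
    }
    echo [format "IDCODE 0x%08x: version %d, part 0x%04x, manufacturer 0x%03x" \
        $id $version $part $mfg]
    return [list $version $part $mfg]
}

# Check that the work area lies entirely inside RAM: base must not be below
# the start of RAM and base + size must not run past its end.
proc check_work_area {phys size ram_base ram_size} {
    set ram_end  [expr {$ram_base + $ram_size}]
    set area_end [expr {$phys + $size}]
    if {$phys < $ram_base || $area_end > $ram_end} {
        error [format "work area 0x%08x-0x%08x is outside RAM 0x%08x-0x%08x" \
            $phys $area_end $ram_base $ram_end]
    }
    echo [format "work area 0x%08x-0x%08x fits in RAM" $phys $area_end]
}

# For the value in the file this prints version 0, part 0x7926,
# manufacturer 0x787.
decode_idcode 0x07926f0f
# Last 8k of 128M: 0x07ffe000 + 0x2000 == 0x08000000, exactly the end of RAM.
check_work_area 0x07ffe000 0x2000 0x00000000 0x08000000
```

A size of 0x4000 at the same base would fail the second check, since it ends 8k past the top of RAM; openocd itself would only complain when it actually tried to use that memory.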
Next step was to load a copy of u-boot via JTAG into the tablet's ram, and run it. From there, I could take control of u-boot via the serial interface, and use that to flash both u-boot and w-boot from the SD card into the spi rom. But first I hit a small snag: the first 6 or so u-boot versions I tried all seemed to work, but then shut down the tablet. Fortunately, the 7th version did give me a prompt, and I could fix the corrupted spi flash.
(I later discovered that the other u-boot copies were actually fine: what happened was that these checked the state of the power-button. If the button was pressed for about 1 second, the boot process would continue. If not, the tablet would power down. As u-boot is (almost) the first thing to run when the tablet is powered on, this would prevent accidental turning on of the tablet. But in my JTAG case, the power button was always off, so u-boot would power down the tablet.)
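The "load u-boot into RAM over JTAG and run it" step above, as an added example that is not the original post's own script. It is an OpenOCD Tcl file meant to be passed after the Bus Pirate interface config and the WM8505 definition file. Assumptions: the definition file is saved as wm8505.cfg, the interface config is the interface/buspirate.cfg shipped with OpenOCD, u-boot.bin is a raw binary, and UBOOT_ADDR is a placeholder for the address that particular u-boot build was linked to run at (the post does not give it).

```tcl
# Added example (not from the original post): load a u-boot binary into
# the tablet's RAM over JTAG and start it, using the WM8505 definition
# file. Assumptions: wm8505.cfg is that file, interface/buspirate.cfg is
# OpenOCD's stock Bus Pirate config, and UBOOT_ADDR below is a PLACEHOLDER
# that must be replaced by the link address of your u-boot build.
#
# Run as:
#   openocd -f interface/buspirate.cfg -f wm8505.cfg -f load-uboot.tcl

set UBOOT_BIN  "u-boot.bin"
set UBOOT_ADDR 0x03f80000   ;# placeholder, not a value from the post

proc run_uboot {bin addr} {
    # Stop the core wherever it is; with a corrupt SPI flash the boot ROM
    # may be stuck, but the ARM926 can still be halted over JTAG.
    halt
    # Copy the raw image into RAM, then read it back and compare, so a
    # flaky JTAG transfer is caught before anything is executed.
    load_image $bin $addr bin
    verify_image $bin $addr bin
    # Set PC to the image start and let it run. u-boot's prompt appears on
    # the serial console, not over JTAG. Keep in mind the power-button
    # check described above: unless the button is held for about a second
    # right after u-boot starts, many builds simply power the tablet off.
    resume $addr
}

# Only run once OpenOCD has examined the target.
init
run_uboot $UBOOT_BIN $UBOOT_ADDR
```

Once u-boot is up on the serial console, writing w-boot and u-boot from the SD card into the SPI flash is done with u-boot's own commands, which depend on the build in use; that part is not scripted here.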
After fixing the SPI flash, it was also possible again to update the original Android firmware in NAND flash. However, I had difficulties finding a correct one. For starters I was and am not 100% sure which exact model of tablet I have. Many variants with minor differences in hardware existed, and firmwares of other models would sort-of work on mine, but with some features (e.g. the touchscreen or audio) missing. And most firmware versions originally were on download sites that either no longer exist, or do not have the files anymore. Some of the versions that I could find did boot and show something, but I could not get the touchscreen to work.
Success! Notice the low-glare screen on this high quality product.
So I decided to forget about android, and install a plain Debian Linux on the tablet. But that will be the subject of another post.