access to uboot menu

[aquadran]

Hi,

While looking uboot sources which are 1.1.6 version I compared to original, I found Samsung modified keypress to access menu:
- if (tstc()) { /* we got a key press */
- abort = 1; /* don't auto boot */
+ if (tstc() && (getc() == '\r')) /* we got a key press */
+ {
+ abort = 1; /* don't auto boot */

It's 'enter' key. I don't have serial connection myself, and I don't want test it yet, as I bought TV this month and want make sure TV doesn't have any shortcoming faults. But maybe someone can test it.
I found in sources it's possible recover flash partition using eboot. It would be very important info to safty reasons while hacking firmware.

Pawel

[aquadran]

I found boot delay suppose to be 2 seconds, so when TV power on, to enter bootloader menu it's needed press 'enter'.
It looks also that serial io should work for eboot time without touching service mode. So I think, I can build serial cable and test it myself.

[dynamic1969]

I had already tested "space" and "enter" keys and it doesn't seem to do the trick on the UExxB70xx series ...
It maybe true for the LExx650 series and I am looking forward to your test results.

Regards
dynamic

[aquadran]

I tried with serial cable and nothing on LE40B650.
Uboot generate messages on serial console, but it's nothing.

While looking into sources and binaries I think that uboot is not executed normaly. Maybe at some case. Quite posible it was used while development. eboot environments variables (that from flash partition) settting boot from nfs boot, it includes also some custom IP adress and other stuff. So that doens't much current tv boot.
look:
"nfsboot=run nfsargs;bootd baudrate=115200 netmask=255.255.255.0 bootfile=uImage loadaddr=0x61000000 rootpath=/home console=ttyS1 bootdelay=2 bootcmd=bbm load fkernel;go 60008000 nfsargs=xxx ipaddr=10.88.23.246 serverip=10.88.27.160 gatewayip=10.88.23.1 ethaddr=10:14:12:13:16:17 bootargs=root=139:6 rw ethaddr=10:14:12:13:16:11 ip=10.88.23.246 :10.88.27.160:10.88.24.1:255.255.255.0::eth0 console=ttyS1 stdin=serial stdout=serial stderr=serial PROJECT_TAG=T-CHL7DEUC :14:12:13:16:11 ip=10.88.157.76 :10.88.27.160:10.88.157.1:255.255.255.0::eth0 console=ttyS0 bootdelay=2 bootcmd=bbm load fkernel;go 60008000"

Samsung tv has two bootloaders, one uboot and second on first flash partition. can be dumped using cmd "fsrbootreader /dev/bml0/c /dtv/usb/sda1/boot".
However looking into this binary with dissassembler, it doesn't look like eboot and it sort of some other custom bootloader, and I could not find usage serial port, it seems not included.

Pawel

[dynamic1969]

Hi Pawel,

after doing some research I was able to locate the following LinuStoreII GPL Compliance Paper from Samsung, which does give some insight into the boot-process in the context of the used OneNand flash. Especially interesting is the section "Bootloader and Kernel Modules".

It seems that the boot image consists of ONBL1, ONBL2, u-boot and a separate OS. U-Boot ( which is stored in a special partition of the OneNAND Flash ) seems to come into play later during the process for system initialization, kernel loading or firmware updating.

Not yet sure though, what this actually means, in case there is a need to interrupt this boot process.

Anyone out there, that has experience with this stuff and can give a hint into the right direction ?

Regards
dynamic

[aquadran]

Hi,

I found something similiar in FSR sources:
"
#define PARTITION_ID_NBL 0 ///< NAND bootloader stage 1, 2
#define PARTITION_ID_BOOTLOADER 1 ///< NAND bootloader stage 3
#define PARTITION_ID_BOOT_PARAMETER 2 ///< NAND bootloader parameter of stage 3
#define PARTITION_ID_COPIEDOS 3 ///< OS image copied from NAND flash memory to RAM
"
If it's indeed use uboot, why there is not any messages from uboot, it should happen.
Personaly I didn't touched serial configuration in service mode as I mentioned in first post.
Just wondering if serial configuration is some lower than software level.
I guess you already enabled serial ?
On wiki page I saw this "Change setting for your RS232C interface to "debug" ( Control -> Sub Option -> RS-232 Jack -> [ Debug | UART | Logic ] )"
"Debug" is suggested, why not UART ? it's serial port, maybe this needed to be set to see messages from uboot, as bootloader use serial port.

[aquadran]

I noticed linux console works on ttyS1 not ttyS0, that maybe reason why we not see io on serial console as eboot access first serial port.
Wondering why switch for serial port in service menu.
By default it's 'uart mode' if change mode suppose change serial port which ex-link should connected, we should get io messages, but it seems we not.
I wonder also if board have more than one serial port (chipset however can access 3 serial ports which could be mapped to physical serial port or other io devices), and only one ex-link connected to second port, but first not soldered. In this case serial port mode change would make no sense I think. However maybe change mode refer to something diffrent, but still it's one second port.

[aquadran]

I found MicomCtrl and kernel space version use ttyS0 at bautrate 9600 to access to hardware like turn off watchdog, reset,... with special 9 bytes string protocol : 0xff, 0xff, cmd, 0, 0, 0, 0, 0, cmd .
Regarding ttyS1, service mode seems rather turn on/off this port I think now.
What's me wondering it's how this happen ttyS0 change meaning before kernel start, as it's used for eboot serial io console (which seems not working).
Maybe somewhere before kernel start some code trigger change port meannig, like kind switch.
Maybe even first serial port not enabled as normal serial port and need triggered by something and maybe by something like above 9 bytes protocol.

[dynamic1969]

I found MicomCtrl and kernel space version use ttyS0 at bautrate 9600 to access to hardware like turn off watchdog, reset,... with special 9 bytes string protocol : 0xff, 0xff, cmd, 0, 0, 0, 0, 0, cmd .

Interesting findings ... especially those on MicomCtrl, as this binary does have a key role when it comes to controlling core functionality of the TV.
Finding out more about further commands of MicomCtrl could well bring us a couple steps further in our aim to get better control of this device, including the bootloader. Where did you find the information on the "9 byte string protocol" ? Are you currently reverse engineering the binary and were you able to discover a couple the available commands ?

Regarding ttyS1, service mode seems rather turn on/off this port I think now.

I had again tested switching to UART and can confirm what you state above ... it seems to only switch off ttys1. However, I am suspecting that we may need to enable a couple other flags in the Service Mode to get this working.

What's me wondering it's how this happen ttyS0 change meaning before kernel start, as it's used for eboot serial io console (which seems not working).
Maybe somewhere before kernel start some code trigger change port meannig, like kind switch.
Maybe even first serial port not enabled as normal serial port and need triggered by something and maybe by something like above 9 bytes protocol.

This is definitely a path to further investigate ... looking forward to your results!!!

Regards
dynamic

[aquadran]

It seems some way trigger "upgrade mode" in eboot, code check for gpio state, before it setup gpio something related to uart0:
*(volatile unsigned int*)0x30090c8c &= ~(0xf << 4); /* gpio5.1 : UART0_RX port */
*(volatile unsigned int*)0x30090c8c |= (0x2 << 4); /* gpio5.1 set input */

upgrade_flag = (*(volatile unsigned int*)0x30090c94)>>1 & 0x1;
for(i=0; i<500000; i++);
upgrade_flag = (*(volatile unsigned int*)0x30090c94)>>1 & 0x1;

*(volatile unsigned int*)0x30090c8c &= ~(0xf << 4); /* gpio5.1 : UART0_RX port set main*/

btw, nice to see eboot log from other tv:
http://www.avsforum.com/avs-vb/showthre ... st16161981

again uart mode, from above post " 'UART Select' from 'Wall Mount' to 'STi' ". Must be something what trigger enable uart0 as normal serial port.