uBoot for ES-series?

E3V3A · Post by **E3V3A** » Wed Dec 05, 2012 8:55 am

I have not seen any clear indication in bootup sequence. So I just ask here.

Does the ES-series use uBoot (or similar) bootloader?

If the answer is yes:
1. How do I access the Uboot prompt? (I already tried what was shown in the Wiki here.)
2. Is anyone working on this?

Thanks.

Post by **juusso** » Wed Dec 05, 2012 9:02 am

Since C series Samsung doesn`t allow us to access u-boot and uboot doesn`t exists on bml0/2 partition even this partition is named u-boot in /mtd_exe/partitions.txt.

Does anyone work? At least none reported here except i know Denny makes some miracles with bootloader on D series, but on ES series he said bootloader is locked for editing and he was looking for methods how to unlock it. The truth is: until today we don`t have any access to TV before kernel start. In sources the tilde key still exists (don`t remember, can be - comented out) as key to stop autoboot, you should check bootloaders sources.

E3V3A · Post by **E3V3A** » Thu Dec 06, 2012 12:58 am

It seem like these are the times for eMMC hacking! In the last days I have started at least 3 threads about disabling eMMC write protection...

xorloser · Post by **xorloser** » Fri Jan 04, 2013 1:23 pm

According to onboot sources (for echo-p at least) OTP is locked during the onboot (bootloader) code.
By definition once OTP is programmed, it should not be reprogrammable.
There *may* be some kind of back door command, but I wouldn't count on it. :/

Post by **juusso** » Fri Jan 04, 2013 1:25 pm

mmc.restore makes job well and here is possible to reflash onboot. Even it looks locked to ro. You need to calculate proper hashes to binary before to flash it to don`t get TV bricked or remove hash check from sources before compilation.

Code: Select all

UE40ES8000P:/#mmc.restore /dev/mmcblk0p0 /mtd_down/onboot.bin.1024MB.cmac.img
UE40ES8000P:/#sync
UE40ES8000P:/#sync

SpoilerShow

Code: Select all

1 4 P SamyGO 0053 (Dec 20 2012-23:28:46)
Hit : ~ for u-boot, - for BootMenue
---------------------------------------------------------------
------------------------ OnBoot Menue -------------------------
---------------------------------------------------------------
[ECHO_P] a : Toogle 0
[ECHO_P] b : Toogle 1
[ECHO_P] c : Boot Kernel from MMC 0 (override micom config)
[ECHO_P] d : Boot Kernel from MMC 1 (override micom config)
[ECHO_P] e : Boot U-Boot from MMC
[ECHO_P] f : Reboot
[ECHO_P] g : Shutdown
---------------------------------------------------------------
[ECHO_P] x : Continue booting
---------------------------------------------------------------

xorloser · Post by **xorloser** » Thu Jan 10, 2013 5:07 am

Ok thx for the tip, i reversed mmc.restore and it is very basic. It does the writing via ioctls, a different ioctl depnding on the partition. It writes 0x1000 byte at a time (sector size i guess):

Code: Select all

if ( partition_num == 1 )
    ioctl_result = ioctl(fd_mmc_dev, 0x5628u, p_buff);
else
    ioctl_result = ioctl(fd_mmc_dev, 0x5629u, p_buff);

So next job is to find where the ioctl is implemented.

Post by **juusso** » Thu Jan 10, 2013 6:21 am

If you interested for custom bootloader, you should look at onboot sources, currently available on opensource.samsung.com. but they removed crypto stuff from sources, which checks kernels during initializations. Also as I said, compiled bootloader must be signed, it checks it selfsame signature.

xorloser · Post by **xorloser** » Thu Jan 10, 2013 6:43 am

Yeh I plan on doing a custom bootloader, though first I need to dump my current bootloader for reversing. Most likely I will just patch my existing bootloader rather than build the whole thing from source. (At least initially anyways).

Also FYI I found the ioctl handlers inside Image:

Code: Select all

seg4:402097C4   MOV     R3, #0x5628
seg4:402097C8   CMP     R2, R3
seg4:402097CC   MOV     R4, R0
seg4:402097D0   BEQ     is_5628
seg4:402097D4   ADD     R3, R3, #1
seg4:402097D8   CMP     R2, R3
seg4:402097DC   BEQ     is_5629

Once I realised that "Image" is where the ioctls are handled, I checked the sourcecode (from opensource.samsung,com site) and they were kind enough to include said source, saving me having to reverse it

So the two ioctls are:

Code: Select all

#define RESTORE_BOOT_PARTITION 0x5628
#define RESTORE_PARTITION 0x5629

I am still looking into what they actually do though, ie what commands they send to the flash.

nobody · Post by **nobody** » Thu Jan 17, 2013 4:54 pm

There is no mmcblk0p0 in my ES8000!
It starts from p1.
And mmcblk0p1 which should contain uboot, is empty.
So, how should I dump the onboot bootloader?

Post by **sbav1** » Thu Jan 17, 2013 6:22 pm

nobody wrote:There is no mmcblk0p0 in my ES8000!

This is actually normal; you still can use /dev/mmcblk0p0 as mmc.restore argument.

So, how should I dump the onboot bootloader?

Currently there is no support in Samsung DTV & BDP kernels for eMMC boot partitions dumping, only for flashing.

While patching kernel MMC driver sources to allow boot partitions dumping is quite easy (just adding another ioctl call with partition switch command should be sufficient), it's pretty hard to do equivalent thing safely on live/running kernel. So, for bootloader dumping, you'll need to flash custom-build kernel first in your device, OR hope someone will eventually figure out how to dump eMMC boot partition[s] "the hard way", without recompiling the kernel.

SamyGO

uBoot for ES-series?

uBoot for ES-series?

Re: uBoot for ES-series?

Re: uBoot for ES-series?

Re: uBoot for ES-series?

Re: uBoot for ES-series?

Re: uBoot for ES-series?

Re: uBoot for ES-series?

Re: uBoot for ES-series?

Re: uBoot for ES-series?

Re: uBoot for ES-series?