diff --git a/brom-dump/README.md b/brom-dump/README.md index 89777b5..636210b 100644 --- a/brom-dump/README.md +++ b/brom-dump/README.md @@ -13,6 +13,8 @@ * [The usb-dump payload](#the-usb-dump-payload) * [Dumping mt6573 BROM](#dumping-mt6573-brom) * [SP Flash Tool issues](#sp-flash-tool-issues) + * [UART issues](#uart-issues) + * [reset_uart_and_log](#reset_uart_and_log) # Dumping mt6589 BROM @@ -255,3 +257,36 @@ I set up Wireshark and USBPcap and shortly after got the traffic dump I was look Adding support for mt6573 in payloads was just a matter of finding some function addresses in its original DA and putting them into header files, as well as adding a new target to Makefile. Unfortunately, things didn't go as well as expected. Despite USB dump payload working properly the "Hello world" payload doesn't print anything at all. I will fix it next. + +## UART issues +When I run the readback flow in the original SP Flash Tool I *do* see the UART logs: + +``` +Output Log To Uart 4 +InitLog: 10:53:14 61440000 [MT6573] +Page size in device is 2048 +[RS] (9001B234: 4DC8) +[LIB] Security PreProcess : 16:08:11, Nov 9 2016 +[LIB] Flash Detect Results : (0x0, 0xC4D, 0xC4F) +[LIB] Search NAND +[LIB] ROM_INFO not found in NAND +... +(snip) +``` + +The first line printed after `init_log` is called is `Page size in device is 2048` and it's printed in `FUN_9000b0ee` (renamed to `request_storage_settings`). This function seems to request NAND init parameters (56 bytes) from SPFT in a loop (response is `0x69` to try the next param) until suitable ones are detected (response is `0x5A`). The parent function seems to perform some kind of storage initialization, I renamed this function to `init_storage`. + +I returned to the `init_log` function and noticed it has 2 references. I generated a graph: + +![init_log call graph](../images/brom-dump-015.png) + +Turns out I was really close because `init_storage` calls something that invokes `init_log` just before requesting NAND init params and printing the `Page size in device is 2048` line. + +## reset_uart_and_log +After inspecting this function (`FUN_90009e64`, renamed to `reset_uart_and_log`) and its outgoing calls it became clear that on mt6573 the first `init_log` call is kinda ignored and printing stuff to UART won't work until `reset_uart_and_log` is called by `init_storage`. + +Now I just need to add this call to my `hello-world-uart` payload and it should work. Aaand... + +![mt6573 hello-world-uart payload output](../images/brom-dump-016.png) + +... *ta-da!* The introduced call doesn't seem to harm the mt6589 variant of payload so I decided to not guard it with `#ifdef TARGET_MT6573` but kept the appropriate Makefile change for setting a `TARGET_MTxxxx` for future. diff --git a/brom-dump/payloads/Makefile b/brom-dump/payloads/Makefile index 500fb83..474999c 100644 --- a/brom-dump/payloads/Makefile +++ b/brom-dump/payloads/Makefile @@ -5,8 +5,8 @@ CC = $(CROSS_COMPILE)gcc AS = $(CROSS_COMPILE)as LD = $(CROSS_COMPILE)ld OBJCOPY = $(CROSS_COMPILE)objcopy -CFLAGS = -c -O0 -nodefaultlibs -nostdlib -marm $(TARGET_FLAGS) -I include/ -ASFLAGS = $(TARGET_FLAGS) +CFLAGS = -c -O0 -nodefaultlibs -nostdlib -marm $(TARGET_FLAGS) -D$(TARGET_DEF) -I include/ +ASFLAGS = $(TARGET_FLAGS) --defsym $(TARGET_DEF)=1 LDFLAGS = -T $(TARGET_LD_SCRIPT) # Root directory for build files @@ -20,6 +20,8 @@ OUT_DIR = $(BUILD_DIR)/out ALL_TARGETS = mt6573 mt6589 # This has to be set manually TARGET ?= unsupported +# Pass `#define TARGET_MTxxxx 1` to compiler +TARGET_DEF = TARGET_$(subst mt,MT,$(TARGET)) # Linker script for target TARGET_LD_SCRIPT = include/$(TARGET)/payload.ld # Target-specific init module diff --git a/brom-dump/payloads/hello-world-uart.c b/brom-dump/payloads/hello-world-uart.c index 612e714..c18a299 100644 --- a/brom-dump/payloads/hello-world-uart.c +++ b/brom-dump/payloads/hello-world-uart.c @@ -7,6 +7,8 @@ #include "hw-api.h" void main() { + DA_reset_uart_and_log(); + uint32_t chip_id = *(uint32_t*)HW_reg_chip_id; DA_printf_uart("\n\n\nHello from mt%x!\n", chip_id, 0, 0); diff --git a/brom-dump/payloads/include/mt6573/da-api.h b/brom-dump/payloads/include/mt6573/da-api.h index 73c740f..805e07f 100644 --- a/brom-dump/payloads/include/mt6573/da-api.h +++ b/brom-dump/payloads/include/mt6573/da-api.h @@ -3,6 +3,10 @@ #include +void (*DA_reset_uart_and_log)() = + ( void (*)() ) + (0x90009E64 + 1); + void (*DA_putc_wrapper_uart)(uint8_t) = ( void (*)(uint8_t) ) (0x90007AFE + 1); @@ -13,8 +17,6 @@ void (*DA_printf_uart)(uint8_t*, uint32_t, uint32_t, uint32_t) = ( void (*)(uint8_t*, uint32_t, uint32_t, uint32_t) ) (0x90007B42 + 1); - - void (*DA_io_usb_write)(uint8_t*, uint32_t) = ( void (*)(uint8_t*, uint32_t) ) (0x900099FE + 1); diff --git a/brom-dump/payloads/include/mt6589/da-api.h b/brom-dump/payloads/include/mt6589/da-api.h index 3293f18..7b985b3 100644 --- a/brom-dump/payloads/include/mt6589/da-api.h +++ b/brom-dump/payloads/include/mt6589/da-api.h @@ -3,6 +3,10 @@ #include +void (*DA_reset_uart_and_log)() = + ( void (*)() ) + (0x120093A6 + 1); + void (*DA_putc_wrapper_uart)(uint8_t) = ( void (*)(uint8_t) ) (0x12003F3A + 1); @@ -13,8 +17,6 @@ void (*DA_printf_uart)(uint8_t*, uint32_t, uint32_t, uint32_t) = ( void (*)(uint8_t*, uint32_t, uint32_t, uint32_t) ) (0x12003F7C + 1); - - void (*DA_io_usb_write)(uint8_t*, uint32_t) = ( void (*)(uint8_t*, uint32_t) ) (0x12008E60 + 1); diff --git a/images/brom-dump-015.png b/images/brom-dump-015.png new file mode 100644 index 0000000..7db6ee0 Binary files /dev/null and b/images/brom-dump-015.png differ diff --git a/images/brom-dump-016.png b/images/brom-dump-016.png new file mode 100644 index 0000000..f661a86 Binary files /dev/null and b/images/brom-dump-016.png differ