  • Stars: 140
  • Rank 261,473 (Top 6 %)
  • Language: C
  • License: BSD 2-Clause "Sim...
  • Created over 10 years ago
  • Updated almost 9 years ago


Repository Details

Fernvale research OS

Fernly - Fernvale Reversing OS

Fernly is a simple operating system designed for use in the reverse engineering of the Fernvale CPU. It will likely be disposed of when the system has been understood well enough to implement a full operating system.

Setting up cross compilation

Linux

git clone https://github.com/robertfoss/setup_codesourcery.git
sudo setup_codesourcery/setup.sh
/usr/local/bin/codesourcery-arm-2014.05.sh

Building Fernly

To compile, simply run "make". If you're cross-compiling, set CROSS_COMPILE to the prefix of your cross compiler. This is very similar to how to compile for Linux.

For example:

make CROSS_COMPILE=arm-none-linux-gnueabi-

Running Fernly

To run, connect the target device and run the following command:

./build/fernly-usb-loader -s /dev/fernvale ./build/usb-loader.bin ./build/firmware.bin

This will open up /dev/fernvale, load usb-loader.bin as a stage 1 bootloader, and then load (and jump to) firmware.bin as stage 2. Optionally, you can add a stage 3 file by specifying it as an additional argument.

Many 3rd-party devices enter bootloader mode only for a short window (~1s) after being connected to USB. The device should almost certainly be "off". Some devices require that the battery be removed, while others do not. To accommodate such cases, there is a -w (wait) option: run fernly-usb-loader first, and only then connect the device to USB. This makes it easier to try the various combinations mentioned above (you need to disconnect and power off the device after each try, and restart fernly-usb-loader).

./build/fernly-usb-loader -w -s /dev/ttyUSB0 ./build/usb-loader.bin ./build/firmware.bin

Linux Notes

Since Fernvale is based on a Mediatek chip, ModemManager will, by default, try to treat it as a modem and make it available for network connections. This is undesirable.

To work around this problem, create a udev rule under /etc/udev/rules.d/ called 98-fernvale.rules with the following contents:

SUBSYSTEM=="tty", ATTRS{idVendor}=="0e8d",\
    ATTRS{idProduct}=="0003",\
    MODE="0660", SYMLINK+="fernvale"

ACTION=="add|change", SUBSYSTEM=="usb",\
    ENV{DEVTYPE}=="usb_device", ATTRS{idVendor}=="0e8d",\
    ATTRS{idProduct}=="0003",\
    ENV{ID_MM_DEVICE_IGNORE}="1"

OSX Notes

The default OSX CDC matching seems to miss the Fernvale board. Use fernvale-osx-codeless to get a com port.

SPI and Flashrom

Fernly includes a special 'flashrom' mode that allows for direct communication with the flashrom program to manipulate the onboard SPI. The protocol is binary, and can be entered by issuing the following command:

spi flashrom

Fernly will respond with a binary 0x05, indicating it is ready.

The format of the protocol is very simple. The host writes the number of bytes to write, then the number of bytes to read, and then writes the data to send to the flash chip. It then reads the requested number of bytes. For example, to send a 2-byte command '0xfe 0xfa' followed by a 3-byte response, write the following data to the serial port:

| 02 03 fe fa |

Then read three bytes of data from the serial port.

A maximum of 255 bytes may be transmitted and received at one time, though in practice these numbers may be smaller.

To exit 'spi flashrom' mode and return to fernly, read/write zero bytes. That is, send the following packet:

| 00 00 |

See ROM-BACKUP.txt for user-level instructions on how to back up and restore the FlashROM of your device.
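
The packet framing described above, as an added example that is not part of Fernly's own source: a host-side packet builder and a bounds-checked decoder for the receiving side. The names fr_build, fr_parse, fr_request and FR_MAX are hypothetical, and the serial I/O itself is left out so the code runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FR_MAX 255 /* each count is one byte, so 255 is the ceiling */

enum fr_status { FR_INCOMPLETE, FR_EXIT, FR_XFER };
struct fr_request { const uint8_t *tx; uint8_t ntx, nrx; };

/* Host side: build [write count][read count][write bytes...].
 * Returns the packet length, or -1 if a count does not fit in one
 * byte or the output buffer is too small. */
int fr_build(uint8_t *out, size_t cap, const uint8_t *tx,
             size_t ntx, size_t nrx)
{
    if (ntx > FR_MAX || nrx > FR_MAX || cap < ntx + 2)
        return -1;
    out[0] = (uint8_t)ntx;
    out[1] = (uint8_t)nrx;
    if (ntx) memcpy(out + 2, tx, ntx);
    return (int)(ntx + 2);
}

/* Receiving side: decode one packet without reading past len. */
enum fr_status fr_parse(const uint8_t *buf, size_t len,
                        struct fr_request *req)
{
    if (len < 2)
        return FR_INCOMPLETE;          /* header not complete yet */
    if (buf[0] == 0 && buf[1] == 0)
        return FR_EXIT;                /* 00 00 leaves flashrom mode */
    if (len < (size_t)buf[0] + 2)
        return FR_INCOMPLETE;          /* payload still in flight */
    req->ntx = buf[0];
    req->nrx = buf[1];
    req->tx = buf + 2;
    return FR_XFER;
}

int main(void)
{
    const uint8_t cmd[] = { 0xfe, 0xfa }; /* the page's sample command */
    uint8_t pkt[2 + FR_MAX];
    int n = fr_build(pkt, sizeof pkt, cmd, sizeof cmd, 3);
    for (int i = 0; i < n; i++)
        printf("%02x ", pkt[i]);
    printf("\n");
    return 0;
}
```

Because the exit packet is simply a request with both counts set to zero, a caller that computes its lengths at run time should treat a 0/0 request as "leave flashrom mode" rather than as an empty transfer.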

Licensing

Fernly is licensed under the BSD 2-clause license (see LICENSE).

Previous versions of fernly linked against division libraries taken from U-Boot, which were licensed under GPL-2. These files have been removed.

Instead, we supply a version of libgcc.a. This file was extracted from a standard gcc toolchain, specifically:

https://code.google.com/p/yus-repo/downloads/detail?name=arm-none-eabi-4.6-armv5.tar.gz

It has not been modified, and its distribution here should be covered under the "runtime exception".

Memory Map

Start       End         Size        Description
0x00000000  0x0fffffff  0x0fffffff  PSRAM map, repeated and mirrored at 0x00800000 offsets
0x10000000  0x1fffffff  0x0fffffff  Memory-mapped SPI chip
??????????  ??????????  ??????????  ???????????????????????????????????
0x70000000  0x7000cfff  0xcfff      On-chip SRAM (maybe cache?)
??????????  ??????????  ??????????  ???????????????????????????????????
0x80000000  0x80000008  0x08        Config block (chip version, etc.)
0x82000000  0x82d00000  ??????????  Modem system stuff
0x83000000  0xa3090000  ??????????  Modem peripheral stuff
0x83020000                          TDMA unit
0x83050000                          Frame Check Sequence unit
0x83060000                          GPRS cipher unit
0x83070000                          Baseband serial interface
0x83080000                          Baseband parallel interface
0xa0000000  0xa0000008  0x08        Config block (mirror?)
0xa0010000  ??????????  ??????????  Power, config block
0xa0020000  0xa0020e10  0x0e10      GPIO control block
0xa0030000  0xa0030040  0x40        WDT block
                                    - 0x08 -> WDT register (?)
                                    - 0x18 -> Boot src (?)
0xa0030800  ??????????  ??????????  ????????????????????????????
0xa0040000  ??????????  ??????????  ???????????????????????????????????
0xa0050000  ??????????  ??????????  External memory block
0xa0060000  ??????????  ??????????  IRQ Controller block
0xa0070000  ==========  ==========  DMA Controller block
0xa0080000  0xa008005c  0x5c        UART1 block
0xa0090000  0xa009005c  0x5c        UART2 block
0xa00a0000  0xa00a0000  0x5c        UART3 block
0xa00b0000  0xa00b006c  0x6c        Bluetooth interface block
0xa00c0000  0xa00c002c  0x2c        General purpose timer block
0xa00d0000  0xa00d0024  0x24        Keypad scanner block
0xa00e0000  0xa00e0008  0x0c        PWM1 block
0xa00f0000  0xa00f00b0  0xb0        SIM1 interface block
0xa0100000  0xa01000b0  0xb0        SIM2 interface block
0xa0110000  ??????????  ??????????  SEJ/CHE (Security engine) block
0xa0120000  0xa0120074  0x74        I2C block
0xa0130000  0xa0130098  0x98        SD1 block (MSDC)
0xa0140000  ??????????  ??????????  Serial flash block
0xa0150000  ??????????  ??????????  ?? MAYBE also SPI ?????????????????
0xa0160000  ??????????  ??????????  Die-to-die master interface
0xa0170000  ??????????  ??????????  Analogue chip controller block
0xa0180000  ??????????  ??????????  TOPSM block
0xa0190000  0xa0190310  0x58        HIF (DMA?) interface block
0xa01b0000  0xa01b0058  0x58        NLI (arbiter) interface block
0xa01c0000  ??????????  ??????????  EFuse block
0xa01e0000  ??????????  ??????????  SPI block
0xa01f0000  0xa01f0060  0x60        OS timer block
0xa0210000  ??????????  ??????????  More analog bits
0xa0220000  ??????????  ??????????  MBist block
0xa0240000  ??????????  ??????????  NAND flash block
0xa0260000  0xa0260058  0x58        FSPI (internal FM radio) block
0xa0270000  0xa0270098  0x98        SD2 block
0xa02A0000  0xa02A0074  0x74        I2C2 block 1.8v
0xa0400000  ??????????  ??????????  IMGDMA block
0xa0410000  ??????????  ??????????  IDP RESZ CR2
0xa0420000  0xa04201d8  0x01d8      CAM interface block
0xa0430000  ??????????  ??????????  Serial camera block
0xa0440000  ??????????  ??????????  2D graphics block
0xa0450000  ??????????  ??????????  LCD interface block
0xa0460000  ??????????  ??????????  Multimedia system BIST block
0xa0470000  ??????????  ??????????  Multimedia colour config block
0xa0480000  ??????????  ??????????  Multimedia system config block
0xa0500000  ??????????  ??????????  ARM configuration block
0xa0510000  ??????????  ??????????  Boot configuration block
0xa0520000  ??????????  ??????????  Code decompression engine block
0xa0530000  ??????????  ??????????  Level 1 cache block
0xa0540000  ??????????  ??????????  MPU config block
0xa0700000  ??????????  ??????????  Power management block. Write (val & 0xfe0f | 0x140) to 0xa0700230 to power off.
0xa0710000  0xa0710078  0x78        RTC block
0xa0720000  ??????????  ??????????  Analogue baseband config block
0xa0730000  0xa0730100  ??????      Analogue die config
0xa0730104  0xa073104c  ??????      GPIO mode / pull control blocks
0xa074000c  0xa0740014  0x0c        PWM2 block
0xa0740018  0xa0740020  0x0c        PWM3 block
0xa0750000  0xa075005c  0x5c        ADCDET block
0xa0760000  ??????????  ??????????  Analogue IRQ controller
0xa0790000  0xa07900d8  0xd8        ADC block
0xa07a0000  ??????????  ??????????  Analogue Die-to-die block
0xa0900000  0xa0900240  ??????????  USB block
0xa0910000  ??????????  ??????????  ???????????????????????????????????
0xa0920000  ??????????  ??????????  AHB DMA block
0xa3300000  0xa33a0000  0x6c?       Bluetooth things
0xfff00000  0xffffffff  0x100000    Boot ROM, mirrored each 64K (its real size)
