Hack A10 devices

From eLinux.org
Revision as of 02:25, 26 December 2011 by Hipboi (talk | contribs) (Unbricking the device)
Jump to: navigation, search

Hack A10 Devices

This page describe how to hack a A10 powered tablet and let a custom kernel to run on the tablet. The work was done on an Ainol Novo 7 Advanced tablet. But should be working on all A10 based tablet. Since A10 can boot from usb, never worry about bricking your device, but you may lose your data!!! Backup important data first!!!

Unbricking the device

The A10 can update the firmware from USB, so it can not be bricked. In case you bricked your devices, here is the instruction for flash the firmware from USB. Note that this is only can be done in Windows. You need a tool from Allwinner called livesuite, download livesuite.tar.gz. It's a Window GUI program. And you need your firmware, which is a image file. You can download the Ainol Novo 7 Advanced stock firmware here aino_2.0.4.img. Download livesuite.tar.gz, unzip it. There is usb driver inside. Click livesuite.exe to execute it. Connect your devices to pc with a usb cable. Then do the following:

Here is instructions to let the device go to firmware upgrading mode(It should be applied for all A10 devices):

  • 1. power off the device
  • 2. Press and hold any physical key except the power key on the device(ie, press and hold Vol+ key, still holding in 3 and 4)
  • 3. Press and hold power key for about 2s(power on the device, when powering on, if a key is pressed, the devices will not boot until key released or 4)
  • 4. Release power key and press power key 3 times(i usually just keep pressing the power key)

Your pc will be prompting finding new hardware, install the driver in the livesuite\UsbDriver folder.

First sight

The stock firmware in my Novo7 is android 2.3.4. With android adb i can log into the device and take a look at inside.

# mkdir /sdcard/nanda
# mount -t vfat /dev/block/nanda /sdcard/nanda
# ls /sdcard/nanda
boot.axf
boot.ini
drv_de.drv
font24.sft
font32.sft
linux
os_show
script.bin
script0.bin
sprite
sprite.axf
magic.bin
# ls /sdcard/nanda/linux
bImage
linux.ini
params
paramsr
recovery.ini
# cat /sdcard/nanda/linux/linux.ini
[segment]
img_name = c:\linux\bImage
img_size = 0x2000000
img_base = 0x40008000

[segment]
img_name = c:\linux\params
img_size = 0x100
img_base = 0x40000100

[script_info]
script_base = 0x43000000
script_size = 0x10000

[logo_info]
logo_name = c:\linux\android.bmp
logo_address = 0x48000000
logo_show = 1

As you can see the linux/bImage is our kernel, and the linux/linux.ini is a config file that some loader reads, and load the file bImage to 0x40008000 address. And the file linux/params is the kernel cmdline.

# cat /sdcard/nanda/linux/params
console=ttyS0,115200 root=/dev/nandb rw init=/init fbmem=32M@0x5a000000 loglevel=8;

And recovery.ini and paramsr is for android recovery boot and cmdline.

Get a console

Allwinner uses a config file for hardware configuration, a config file is a Windows ini file, you can download the config file for novo7 advanced sys_config1.fex, which is something like this.

[uart_para]
uart_debug_port          = 0
uart_debug_tx            =port:PB22<2>
uart_debug_rx            =port:PB23<2>

The A10 uart rx and tx pin can be configured by software, usually PB22 and PB23 are for uart rx and tx, PF2 and PF4 for sdcard. But software can change this, let PF2 and PF4 be the uart rx and tx and disable sdcard, thus the usual sdcard clock pin and data3 pin is uart rx and tx. So with a TTL serial to USB cable, you can get a console from the sdcard slot.

change the following two places in the sys_config1.fex

[uart_para]
uart_debug_port          = 0
uart_debug_tx            =port:PB22<2>
uart_debug_rx            =port:PB23<2>
[uart_para0]
uart_used                = 1
uart_port                = 0
uart_type                = 2
uart_tx                  =port:PB22<2>
uart_rx                  =port:PB23<2>
[mmc0_para]
sdc_used                 =1
sdc_detmode              = 1
bus_width                = 4

to

[uart_para]
uart_debug_port          = 0
uart_debug_tx            = port:PF2<4>
uart_debug_rx            = port:PF4<4>
[uart_para0]
uart_used                = 1
uart_port                = 0
uart_type                = 2
uart_tx                  = port:PF2<4>
uart_rx                  = port:PF4<4>

(disable sdcard0)

[mmc0_para]
sdc_used                 = 0
sdc_detmode              = 1
bus_width                = 4

To get the param working you need a pc tool, download the linux version script. This tool parses the ini file, and write the data to a bin file. Execute the downloaded program on your desktop

$./script sys_config1.fex 
argc = 2
input name sys_config1.fex
Script 1 source file Path=/tmp/sys_config1.fex
Script 1 bin file Path=/tmp/sys_config1.bin
parser 1 file ok

you will get a file called sys_config1.bin. Now push it to the device

$adb push sys_config1.bin /sdcard/nanda
3819 KB/s (40648 bytes in 0.010s)
$adb shell
#cd /sdcard/nanda
#ls
boot.axf
boot.ini
drv_de.drv
font24.sft
font32.sft
linux
os_show
script.bin
script0.bin
sprite
sprite.axf
magic.bin
sys_config1.bin

Replace the original script.bin and script0.bin, script0.bin is just a copy of script.bin

# mv script.bin script.bin.bak
# mv script0.bin script0.bin.bak
# mv sys_config1.bin  script.bin

Get u-boot running

Compile u-boot

git clone http://git.hands.com/u-boot.git
cd u-boot
git checkout lichee-dev(Branch lichee-dev set up to track remote branch lichee-dev from origin. Switched to a new branch 'lichee-dev')
make sun4i CROSS_COMPILE=arm-linux-gnueabi-

You get u-boot.bin in the directory. Push it to the device.

adb push u-boot.bin /sdcard/nanda/linux
5446 KB/s (244928 bytes in 0.043s)
adb pull /sdcard/nanda/linux/linux.ini 
4 KB/s (327 bytes in 0.079s)
adb shell
# cd /sdcard/nanda/linux
# mv linux.ini linux.ini.bak

Edit linux.ini, change

[segment]
img_name = c:\linux\bImage
img_size = 0x2000000
img_base = 0x40008000
[segment]
img_name = c:\linux\u-boot.bin
img_size = 0x80000
img_base = 0x4A000000

push it back to the device

adb push linux.ini /sdcard/nanda/linux
7 KB/s (329 bytes in 0.040s)