Hack A10 devices

Hack A10 Devices
This page describe how to hack a A10 powered tablet and let a custom kernel to run on the tablet. The work was done on an Ainol Novo 7 Advanced tablet. But should be working on all A10 based tablet. Since A10 can boot from usb, never worry about bricking your device, but you may lose your data!!! Backup important data first!!!

Unbricking the device
The A10 can update the firmware from USB, so it can not be bricked. In case you bricked your devices, here is the instruction for flash the firmware from USB. Note that this is only can be done in Windows. You need a tool from Allwinner called livesuite, download livesuite.exe. It's a self extract program, make a new folder put it inside and click the exe, it will extract the program to the folder. And you need your firmware, which is a image file. You can download the Ainol Novo 7 Advanced stock firmware here aino_2.0.4.img. Click LiveSuite.exe to execute it and click SelectImg button to select the aino_2.0.4.img downloaded. Connect your devices to pc with a usb cable. Then do the following:

Here is instructions to let the device go to firmware upgrading mode(It should be applied for all A10 devices):


 * 1. power off the device
 * 2. Press and hold any physical key except the power key on the device(ie, press and hold Vol+ key, still holding in 3 and 4)
 * 3. Press and hold power key for about 2s(power on the device, when powering on, if a key is pressed, the devices will not boot until key released or 4)
 * 4. Release power key and press power key 3 times(i usually just keep pressing the power key)

If you pc are prompted finding new hardware, install the driver in the livesuite program UsbDriver folder.



Then livesuite wil ask do you want to format or not, choose yes. Then it will ask you to confirm, choose yes. It will start to download the image and flashing the nand.

First sight
The stock firmware in my Novo7 is android 2.3.4. With android adb i can log into the device and take a look at inside. $ adb shell boot.axf boot.ini drv_de.drv font24.sft font32.sft linux os_show script.bin script0.bin sprite sprite.axf magic.bin bImage linux.ini params paramsr recovery.ini [segment] img_name = c:\linux\bImage img_size = 0x2000000 img_base = 0x40008000
 * 1) mkdir /sdcard/nanda
 * 2) mount -t vfat /dev/block/nanda /sdcard/nanda
 * 3) ls /sdcard/nanda
 * 1) ls /sdcard/nanda/linux
 * 1) cat /sdcard/nanda/linux/linux.ini

[segment] img_name = c:\linux\params img_size = 0x100 img_base = 0x40000100

[script_info] script_base = 0x43000000 script_size = 0x10000

[logo_info] logo_name = c:\linux\android.bmp logo_address = 0x48000000 logo_show = 1 As you can see the linux/bImage is our kernel, and the linux/linux.ini is a config file that some loader reads, and load the file bImage to 0x40008000 address. And the file linux/params is the kernel cmdline. console=ttyS0,115200 root=/dev/nandb rw init=/init fbmem=32M@0x5a000000 loglevel=8; And recovery.ini and paramsr is for android recovery boot and cmdline.
 * 1) cat /sdcard/nanda/linux/params

Get a console
Allwinner uses a config file for hardware configuration, a config file is a Windows ini file, you can download the config file for novo7 advanced sys_config1.fex, which is something like this. [uart_para] uart_debug_port         = 0 uart_debug_tx           =port:PB22<2> uart_debug_rx           =port:PB23<2> The A10 uart rx and tx pin can be configured by software, usually PB22 and PB23 are for uart rx and tx, PF2 and PF4 for sdcard. But software can change this, let PF2 and PF4 be the uart rx and tx and disable sdcard, thus the usual sdcard clock pin and data3 pin is uart rx and tx. So with a TTL serial to USB cable, you can get a console from the sdcard slot.

change the following two places in the sys_config1.fex [uart_para] uart_debug_port         = 0 uart_debug_tx           =port:PB22<2> uart_debug_rx           =port:PB23<2> [uart_para0] uart_used               = 1 uart_port               = 0 uart_type               = 2 uart_tx                 =port:PB22<2> uart_rx                 =port:PB23<2> [mmc0_para] sdc_used                =1 sdc_detmode             = 1 bus_width               = 4

to [uart_para] uart_debug_port         = 0 uart_debug_tx           = port:PF2<4> uart_debug_rx           = port:PF4<4> [uart_para0] uart_used               = 1 uart_port               = 0 uart_type               = 2 uart_tx                 = port:PF2<4> uart_rx                 = port:PF4<4> (disable sdcard0) [mmc0_para] sdc_used                = 0 sdc_detmode             = 1 bus_width               = 4

To get the param working you need a pc tool, download the linux version script. This tool parses the ini file, and write the data to a bin file. Execute the downloaded program on your desktop $./script sys_config1.fex argc = 2 input name sys_config1.fex Script 1 source file Path=/tmp/sys_config1.fex Script 1 bin file Path=/tmp/sys_config1.bin parser 1 file ok you will get a file called sys_config1.bin. Now push it to the device $adb push sys_config1.bin /sdcard/nanda 3819 KB/s (40648 bytes in 0.010s) $adb shell boot.axf boot.ini drv_de.drv font24.sft font32.sft linux os_show script.bin script0.bin sprite sprite.axf magic.bin sys_config1.bin
 * 1) cd /sdcard/nanda
 * ls

Replace the original script.bin and script0.bin, script0.bin is just a copy of script.bin
 * 1) mv script.bin script.bin.bak
 * 2) mv script0.bin script0.bin.bak
 * 3) mv sys_config1.bin  script.bin

Get u-boot running
Compile u-boot git clone http://git.hands.com/u-boot.git cd u-boot git checkout lichee-dev(Branch lichee-dev set up to track remote branch lichee-dev from origin. Switched to a new branch 'lichee-dev') make sun4i CROSS_COMPILE=arm-linux-gnueabi- You get u-boot.bin in the directory. Push it to the device. adb push u-boot.bin /sdcard/nanda/linux 5446 KB/s (244928 bytes in 0.043s) adb pull /sdcard/nanda/linux/linux.ini 4 KB/s (327 bytes in 0.079s) adb shell Edit linux.ini, change [segment] img_name = c:\linux\bImage img_size = 0x2000000 img_base = 0x40008000 [segment] img_name = c:\linux\u-boot.bin img_size = 0x80000 img_base = 0x4A000000 push it back to the device adb push linux.ini /sdcard/nanda/linux 7 KB/s (329 bytes in 0.040s)
 * 1) cd /sdcard/nanda/linux
 * 2) mv linux.ini linux.ini.bak