Didj Make ATAP
creating an atap cartridge on an NHE board.
Warning, flashing your didj or the cart could brick it, you have been warned
If you have a modified game cart with the otp chip replaced with a rw nand chip or a NHE cart then this tutorial is for you, this is by no means complete but should get you well on your way to creating your own recovery cartridge. It will also show you the beginnings of being able to create our own partition structure for the nand devices, which in turn should eventually lead us to being able to run a full lx kernel and rootfs without having to do too much to the codebase.
Some form of writable nand cartridge Didj-Linux-4222-20090422-1236 sources ftdi cable bootstrap-LF_LF1000-0.33.5.3186_ATAP.lfp firmware-LF_LF1000-0.33.5.3186-ATAP.lfp .lfp files are in /Didj-Linux-4222-20090422-1236/packages/mfg-cart/Base2ATAP/Atap_FW
Preparing your didj to flash the cart
we need to get a custom firmware onto the Didj so that it can 'see' the extra mtd partitions on the cart, fortunately for us, leapfrog provided those in the form of the bootstrap/firmware ATAP.lfp files in /Didj-Linux-4222-20090422-1236/packages/mfg-cart/Base2ATAP/Atap_FW :)
mount the /Didj partition on your ubuntu system:
dmesg|tail sudo ./scsi_custom -c unlock /dev/sg<sg number returned from dmesg, usually sg2>
if you don't want to do the scsi_custom command you can do the following:
echo "UNLOCKED" > /flags/usb_mass_storage
bear in mind that this will leave your didj in a permanent state of readiness, as soon as you plug your didj cable in it should automount, although it doesn't auto-remount when you reboot, simply unplug/replug the cable and your devices will show up in ubuntu.
unpack each of the lfp files into /Base/
you'll end up with 2 extra folders in /Base:
bootstrap contains a lightning boot, firmware contains the kernel and rootfs files
make sure you are booted from RFS0 (we'll keep this as the original for now) and make sure the didj knows that you've got a mfcart in the unit, once done reboot:
echo RFS0 > /flags/rootfs touch /flags/mfcart reboot
Flashing the didj with the atap files will load a bootloader (not lb, but no reason you can't make it do it?) kernel1 and RFS1 to your didj's nand.
I'm not certain that you need to update the bootloader but for the sake of completeness I did, on the didj do the following to update the bootloader and firmware:
reboot and you should now be in the ATAP firmware on RFS1, you should see an extra 9 mtd partitions being created.
NAND device: Manufacturer ID: 0x2c, Chip ID: 0xda (ST Micro NAND 256MiB 3,3V 8-bit) Scanning device for bad blocks lf1000-nand: cartridge ECC mode: <6>software NAND device: Manufacturer ID: 0x20, Chip ID: 0xdc (ST Micro NAND 512MiB 3,3V 8-bit) Scanning device for bad blocks 9 cmdlinepart partitions found on MTD device lf1000-cart Creating 9 MTD partitions on "lf1000-base": 0x00000000-0x00020000 : "LF1000_uniboot" 0x00020000-0x00100000 : "Atomic_Boot_Flags" 0x00100000-0x00200000 : "Manufacturing_Data" 0x00200000-0x00400000 : "Kernel0" 0x00400000-0x01200000 : "Linux_RFS0" 0x01200000-0x01400000 : "Kernel1" 0x01400000-0x02200000 : "Linux_RFS1" 0x02200000-0x10000000 : "Brio" 0x10000000-0x10000000 : "EXT" mtd: partition "EXT" is out of reach -- disabled Creating 9 MTD partitions on "lf1000-cart": 0x00000000-0x00020000 : "prg_LF1000_uniboot" 0x00020000-0x00100000 : "prg_Atomic_Boot_Flags" 0x00100000-0x00200000 : "prg_Manufacturing_Data" 0x00200000-0x00400000 : "prg_Kernel0" 0x00400000-0x01200000 : "prg_Linux_RFS0" 0x01200000-0x01400000 : "prg_Kernel1" 0x01400000-0x02200000 : "prg_Linux_RFS1" 0x02200000-0x10000000 : "prg_Brio" 0x10000000-0x20000000 : "prg_EXT"
doing a cat /proc/mtd shows us that the mappings are not direct 1:1, our Brio/Didj partition gets moved all the way to mtd18 for some reason, not sure why it does this but I think it creates an ubi volume it then creates an extra mtd partition and mounts either the ubi volume to it or the new mtd partition to the ubi volume. It does more of the same to the cart once its formatted correctly. More on this later
# cat /proc/mtd dev: size erasesize name mtd0: 00020000 00020000 "LF1000_uniboot" mtd1: 000e0000 00020000 "Atomic_Boot_Flags" mtd2: 00100000 00020000 "Manufacturing_Data" mtd3: 00200000 00020000 "Kernel0" mtd4: 00e00000 00020000 "Linux_RFS0" mtd5: 00200000 00020000 "Kernel1" mtd6: 00e00000 00020000 "Linux_RFS1" mtd7: 0de00000 00020000 "Brio" mtd8: 00000000 00020000 "EXT" mtd9: 00020000 00020000 "prg_LF1000_uniboot" mtd10: 000e0000 00020000 "prg_Atomic_Boot_Flags" mtd11: 00100000 00020000 "prg_Manufacturing_Data" mtd12: 00200000 00020000 "prg_Kernel0" mtd13: 00e00000 00020000 "prg_Linux_RFS0" mtd14: 00200000 00020000 "prg_Kernel1" mtd15: 00e00000 00020000 "prg_Linux_RFS1" mtd16: 0de00000 00020000 "prg_Brio" mtd17: 10000000 00020000 "prg_EXT" mtd18: 0d812000 0001f800 "ubi_Brio"
Preparing the mtd partitions for mkbase.sh
mkbase.sh will flash the nhe cart with the same nand layout as the didj nand, at this moment in time the partitions don't exist, so it will fail, the flash_eraseall functions don't seem to work correctly so we do it ourselves.
We need to erase the following partitions:
mtd13: 00e00000 00020000 "prg_Linux_RFS0" mtd15: 00e00000 00020000 "prg_Linux_RFS1" mtd16: 0de00000 00020000 "prg_Brio" mtd17: 10000000 00020000 "prg_EXT"
I'll show you the first one (prg_Linux_RFS0) as an example, to do this we use mtd_debug on the didj to get mtd.size:
# mtd_debug info /dev/mtd13 mtd.type = MTD_NANDFLASH mtd.flags = MTD_CAP_NANDFLASH mtd.size = 14680064 (14M) mtd.erasesize = 131072 (128K) mtd.writesize = 2048 (2K) mtd.oobsize = 64 regions = 0
then on your ubuntu machine convert the mtd.size to something we can use in mtd_debug:
# echo 'obase=16; 14680064' | bc E00000
then on the didj do:
mtd_debug erase /dev/mtd13 0 0x00E00000
repeat this whole process for mtd15,16 and 17, then reboot the didj, you will see it complain that it couldn't find something on prg_EXT, and it will format it for you (it might do the same to mtdblock16) if not then do:
mkfs.vfat -n Didj -S 512 /dev/mtdblock16
Run the mkbase.sh script
at this point you should be ready for mkbase.sh to run to completion. give it a try, from the didj do:
# mkbase.sh Mounting /dev/mtdblock18 on /Didj as rw Mounting /dev/mtdblock19 on /opt/prg_mfg as rw /dev/mtd9 is the bootstrap partition /dev/mtd12 and /dev/mtd14 are the kernel partitions /dev/mtd13 and /dev/mtd15 are the root partitions /dev/mtd11 is the manufacturing partition /dev/mtdblock11 is the manufacturing partition block device /dev/mtd10 is the flags partition /dev/mtdblock10 is the flags partition block device /dev/mtd16 is the brio partition /dev/mtdblock2 11 is the base mfg partition /dev/mtd17 is the extended partition /dev/mtdblock17 is the extended partition mount device 10000000 is the extended partition size I have found a development cartridge Making a manufacturing cartridge BOOTLDR=/Didj/Base/bootstrap-LF_LF1000/lightning-boot.bin FLAGS=/Didj/Base/bootstrap-LF_LF1000/bootflags.jffs2 KERNEL=/Didj/Base/firmware-LF_LF1000/kernel.bin ROOTFS=/Didj/Base/firmware-LF_LF1000/erootfs.jffs2 Boot sector programmed successfully Flag partition programmed successfully Linux Kernel partition 0 programmed successfully Linux Kernel partition 1 programmed successfully Skipping manufacturing partition Root filesystem partition 0 programmed successfully Root filesystem partition 1 programmed successfully End of root filesystem setup Configuring your manufacturing cartridge... Empty flash at 0x0000007c ends at 0x00000800 No startup scripts. Cartridge will be a bare boot cartridge. No files found to preload the ATAP cartridge with. Programming complete
As you can see, there are a couple of issues, No Startup scripts and No files found to preload proably mean there are some more bits we need to to fill in to make this a completely working atap cartridge.
you should now do a reboot, check whether the cart prg_EXT partition has been mounted on the didj:
# mount rootfs on / type rootfs (rw) /dev/root on / type jffs2 (rw) none on /proc type proc (rw) sysfs on /sys type sysfs (rw) /dev/ram0 on /tmp type tmpfs (rw) /dev/mtdblock1 on /flags type jffs2 (rw,sync,noatime) /dev/mtdblock2 on /mfgdata type jffs2 (rw,sync,noatime) /dev/mtdblock18 on /Didj type vfat (rw,noatime,fmask=0022,dmask=0022,codepage=cp437,iocharset=i) /dev/mtdblock19 on /opt/prg_mfg type vfat (rw,noatime,fmask=0022,dmask=0022,codepage=cp437,ioch)
our prg_EXT partition was on mtd17, its now been mounted as an ubi volume to mtdblock19 you can find it in /opt/prg_mfg, this is similar behavour to the Brio:/Didj partition, it starts on mtd7, without a cart its put onto mtdblock9 as an ubi volume, with a cart /Didj ends up on mtdblock18!!
do a reboot, then plug your usb cable in and mount the partitions in ubuntu(unecessary if you did the 'echo UNLOCKED > /flags/usb_mass_storage' command earlier on':
dmesg|tail sudo ./scsi_custom -c unlock /dev/sg3
You'll notice that we get sdb and sdc which translated to sg2 and sg3, you should now see both the Brio:/Didj partition and the prg_EXT:/opt/prg_mfg partitions, /Didj will be 'DIDJ' and /opt/prg_mfg will be 'MFG_PAYLOAD'
I think we need to look at all of the /scripts files to glean more information about how to truly make an atap cart, I think make_release.sh shows us how to package some files for the mfg-cart ATAP stuff so they can be installed on the didj, I think we can probably make up the rest of the files needed from mfg-cart and leapfrog lfp files
What next and what have we found out?
It would obviously be nice to make the prg_Brio partition show up automatically, I'd like to work out how we can get it to show up as an ubi volume, not entirely sure what the mechanism is there yet.
We should be able to boot from the cart, not sure how that works yet either, but something along the lines of:
echo RFS2 > /flags/rootfs
should be enough, it will be in the sources, just need to track it down (lightning boot uses RFS0, RFS1, NFS0, NFS1 currently, will probably need extra flags)
I'd like to make a full cart, there are some bits missing, which I think are in the mfg-cart folders or at least the info.
I think we've learnt how to format a nhe cart, with the same partition structure as a didj nand unit, so we now know how to roughly deal with rebuilding a didj, so by extension we are not that far removed from being able to rebuild an LX partartition structure on a didj.
If you do cat /proc/cmdline you will notice that it builds the mtd partition structure for the cart in there, I think we should be able to use the same technique to make a custom SD booting kernel that can see a cart, this way we probably wouldn't need to flash the didj at all with the atap firmware. we can use root=31:04 technique to boot from the NHE, for instance from 31:12 :) once we know that we can boot from a cart we should be able to leverage an lx kernel with sufficient mtd2/ubi utils (will need to make ubiformat etc. ourselves from the new-utils).
We should probably look at a lot more of the scripts that are dotted all over the sources, the emeraldmfgtest folder found on an original lx firmware gives us some hints, as does make_release.sh, mkbase.sh mkSuperATAP.sh and many others.