1 (edited by tuna 2015-01-03 19:14:30)

Topic: Getting started

Hi,

I just talked to bunnie at 31C3 and got handed a Fernvale board.

Now I'm looking for a good place to start. From what I heard, hooking it up through USB would give me a serial interface.
https://github.com/xobs?tab=repositories contains some code, and I'm assuming that the fernly is the place to start.

Are there any more specific instructions available for getting the board up and running?

Re: Getting started

Sorry for the poor docs...you want to start with this repo:

https://github.com/sutajiokousagi/fernvale-nuttx

Check that out and build it, and then go to the fernvale-nuttx/nuttx/configs/kosagi-fernvale/tools directory, and run this command:

./fernly-usb-loader /dev/fernvale ~/code/fernly/build/usb-loader.bin ~/code/fernly/build/firmware.bin ../../../nuttx.bin

That will boot nuttx on the board. You can interact with it via the USB port by doing

screen /dev/ttyUSB0 115200

Re: Getting started

Derp, of course that command I sent you assumes some things about your directory structure (e.g. your repos are in ~/code/) and that you have also previously checked out and built fernly from https://github.com/xobs/fernly

Re: Getting started

I'm having some issues compiling with both the codesourcery and linaro cross compilation suites.

The recurring issue that I've been seeing while building fernly is:
vsprintf.c:15:23: fatal error: sys/types.h: No such file or directory

None of the suites seems to provide a types.h at all.

Re: Getting started

Try replacing it with #include <types.h>
Another try would be #include <linux/types.h>
If there really is no such file anywhere, then try to remove it

Re: Getting started

I believe types.h is required for size_t, but it should be possible to remove that.  It's mostly there because it spits out warnings otherwise.

Re: Getting started

It turns out I was using the wrong cross compilation suite.

I found and modified a script for setting up a cross compilation environment on Linux.
https://github.com/robertfoss/setup_codesourcery

8 (edited by kaiserb 2015-06-11 00:57:55)

Re: Getting started

Hi,

Does a version for Windows users exist?

At least usb-loader.bin and firmware.bin?

Kind regards.

Re: Getting started

You'd have to build it under the Cygwin environment. Big and complex to set up.

Re: Getting started

haiqu wrote:

You'd have to build it under the Cygwin environment. Big and complex to set up.

Hi, if someone can share the loaders as binary files, that will be enough.

Regards.

Re: Getting started

Today I managed to run it all on Ubuntu.

Unfortunately, the first loader wasn't loaded:

:/home/projects/ferny/fernly# ./build/fernly-usb-loader -s /dev/fernvale ./build/usb-loader.bin ./build/firmware.bin
Setting serial port parameters... Ok
Initiating communication... Ok
Getting hardware version... 0xca01
Getting chip ID... 0x625a
Getting boot config (low)... 0x0000
Getting boot config (high)... 0x0000
Getting hardware subcode... 0x8000
Getting hardware version (again)... 0xca01
Getting chip firmware version... 0x0001
Getting security version... v 5
Enabling security (?!)... Ok
Reading ME... 00000000 5a c2 9e 20 c9 5d 9c 31  24 e4 fb e3 8e dd b5 b3  |Z.. .].1$.......|
Disabling WDT... Ok
Reading RTC Baseband Power Up (0xa0710000)... 0x0001
Reading RTC Power Key 1 (0xa0710050)... 0xa357
Reading RTC Power Key 2 (0xa0710054)... 0x67d2
Setting seconds... Ok
Disabling alarm IRQs... Ok
Disabling RTC IRQ interval... Ok
Enabling transfers from core to RTC... Ok
Reading RTC Baseband Power Up (0xa0710000)... 0x0001
Getting security configuration... Unable to read from Sec Conf buffer: Success
Getting PSRAM mapping... 0x0000
Disabling PSRAM -> ROM remapping... Ok
Checking PSRAM mapping... 0x0002
Checking on PSRAM mapping again... 0x0002
Updating PSRAM mapping again for some reason... Ok
Reading some fuses... 0x00000007
Enabling UART... 0x0000
Loading Fernly USB loader... !! First response is 0x1d0d, not 0 !!

I tried several times and the result is the same.
What could be the reason?

Kind regards.

Re: Getting started

The device you've got there doesn't have an MT6260 in it.  It has an MT625A (as evidenced by the line "Getting chip ID... 0x625a").

The chip errors out when the loader tries to poke Fernly into SRAM, because either the SRAM has changed, or the memory offset is invalid.

You can try figuring out where SRAM is and changing the command to load there, but at that point you're porting it to a new platform.
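
The check described in the reply above, as an added example that is not part of the original thread or of the fernly project: a small Python triage of the loader transcript that extracts the chip ID, counts the fuse bits that are set and lists the steps that reported an error. The sample lines are copied from the log posted above; the expected ID 0x6260 for an MT6260 and the function names are assumptions.

```python
import re

# Sample input: a few lines copied from the loader transcript posted in this thread.
SAMPLE_LOG = """\
Getting hardware version... 0xca01
Getting chip ID... 0x625a
Getting security version... v 5
Getting security configuration... Unable to read from Sec Conf buffer: Success
Reading some fuses... 0x00000007
Loading Fernly USB loader... !! First response is 0x1d0d, not 0 !!
"""

# Assumption: an MT6260 reports its part number, 0x6260, as the chip ID.
EXPECTED_CHIP_ID = 0x6260

# Every loader step is printed as "<step>... <result>".
STEP_RE = re.compile(r"^(?P<step>.+?)\.\.\. ?(?P<result>.*)$")


def parse_log(text):
    """Return (step, result) pairs for every 'Step... result' line."""
    pairs = []
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            pairs.append((m.group("step"), m.group("result").strip()))
    return pairs


def triage(text):
    """Summarise the fields that tell you whether the board is a supported target."""
    report = {"chip_id": None, "chip_matches": None,
              "fuses_set": None, "failed_steps": []}
    for step, result in parse_log(text):
        if step == "Getting chip ID":
            report["chip_id"] = int(result, 16)
            report["chip_matches"] = report["chip_id"] == EXPECTED_CHIP_ID
        elif step == "Reading some fuses":
            # Count the bits set in the fuse word (0x7 -> 3 fuses).
            report["fuses_set"] = bin(int(result, 16)).count("1")
        # The loader marks errors with "!!" or an "Unable to ..." message.
        if result.startswith(("!!", "Unable")):
            report["failed_steps"].append(step)
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
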

Re: Getting started

It seems that the MT625A is more secured - it needs an authentication file (0xE2 command) and a 0x80-byte RSA signature, generated from the 0x10-byte response of the 0xE3 command.

Re: Getting started

My research gave me the impression that there are different variants of all chip families, most variants are non-secured, and some variants are secured. (Another big difference is whether they are using only internal flash or can (also) use external flash)
It also seems that there are 3 E-Fuses burnt already on your chip (0x00000007), which might enable such extra-security mechanisms. I haven't found much documentation about the actual effect of those fuses yet.

Re: Getting started

kaiserb wrote:

It seems that the MT625A is more secured - it needs an authentication file (0xE2 command) and a 0x80-byte RSA signature, generated from the 0x10-byte response of the 0xE3 command.


And the next bad thing - loaders must be signed too.

For now I can't experiment with a custom loader.

Re: Getting started

Mediatek has a signed loader they upload as part of the memory check process.  You may be able to find a vulnerability in there, but now you're into the realm of working around deliberate roadblocks set up to prevent code execution.