Related
First, thanks $aur0n for the nice work and I can now also boot from SD card and enjoy the rooted system in EXT4
For those interested in overclock, you can try this kernel (I have tested it in Archos 70IT, but it should work in A101/A43IT as well):
** See below for instructions on how to apply this overclock kernel with the newest firmware
2011-04-15 (Latest version)
=========================
- Re-compile the whole kernel from archos latest kernel source code
- Suggested to use with newest chulri's initramfs
- Overclock to 1200Mhz
For firmware 2.3.20:
Download here: http://www.mediafire.com/?pnbev44hk2m1346
Click to expand...
Click to collapse
File name: zImage_archos_2.3.20_recode09.zip (MD5: 7756BA280F3FEBAD23A528A10EB1D6B5)
==================================================
Get rooted with newest firmware 2.X.X + overclock!
Click to expand...
Click to collapse
** Special thanks to chulri for the updated initramfs **
0) Install SDE first
1) Download chulri's initramfs from here: http://code.google.com/p/archos-gen8-sde-rooting/downloads/list
(Download the appropriate version that matches with your firmware version)
2) Grap the newest overclock kernel: http://www.mediafire.com/?pnbev44hk2m1346
3) Reboot your Archos holding "Volume -"
4) Recovery System -> Developer Edition Menu -> Flash Kernel and Initramfs
5) Connect USB and copy initramfs from (e.g. avos_2.X.XX_temproot.zip) and copy zImage from (e.g. zImage_archos_recode04A.zip) to Archos machine
6) Reboot by holding "Volume -"
7) Choose the 2nd menu item (Developer Edition)
8) Here, you get rooted in the newest firmware + overclock kernel
9) Enjoy ^_^
==================================================
Previous Versions
==================================================
2011-02-11
===================
- Further complier optimization
- Better performance on Archos 101
- Max frequency back to 1200Mhz because some users report not stable at 1280Mhz
- Revert interactive CPU governor (seems not stable)
- Suggested to use with chulri's initramfs
1200Mhz version:
Download here: http://www.mediafire.com/?eo3cmqg64md7qdb
Mirror: http://www.zshare.net/download/8731000468bf80d9/
Click to expand...
Click to collapse
File name: zImage_archos_recode04A.zip (MD5: 950D533F09131FCFCBD2BE4084C44691)
File name: zImage_archos_2.1.04_recode01.zip (MD5: ADF0C6FCCA503932D1C3860B3BAF61B3)
2011-02-01
===================
- Rebase from the original kernel source
- Complier optimization
- Add interactive CPU governor
- Bluetooth fix (please test, should still have problems)
- For those enjoying online flash movie, e.g. myTV.tvb.com, please set the freq to min:1000/max:1000 (Best with flash player v10.1.105.6 or upper)
- Set freq to min:1100/max:1100 for best 3D gaming experience
- Suggested to use with chulri's initramfs
1280Mhz version:
Download here: http://www.mediafire.com/?wu37fj90g69o61e
Mirror: http://www.zshare.net/download/860178577cd732f3/
Click to expand...
Click to collapse
File name: zImage_archos_2.1.04_recode01.zip (MD5: ADF0C6FCCA503932D1C3860B3BAF61B3)
2011-01-17
==================
- Not guarantee to work with $aur0n's 0.4.1 initramfs. Please use 0.2/0.3 initramfs (boot from SD) if you get problems
- More stable & smooth
- Overclock to 1280Mhz (Stable in playing NFS shift for a few hours - I am in world track now...)
- Remove 250Mhz and add 600Mhz (as 600Mhz is needed for SetCPU to display correctly)
- Fix the SetCPU 'time in state' problem
- Revert the bluetooth driver
- Cherry-pick more commits (refer to my github)
- Special thanks to $aur0n's initramfs
1280Mhz version:
Download here: http://www.mediafire.com/?1qweknppsoyb6rx
Mirror: http://www.zshare.net/download/8536472801a3552a/
1200Mhz version:
Download here: http://www.mediafire.com/?36wjsvkh6615dxg
Click to expand...
Click to collapse
Alternative link to $aur0n's initramfs (boot from SD): http://www.mediafire.com/?t41kvaonad7c83d
File name: zImage_archos_1280_fix01.zip (MD5: 5DAC535DA0EFFB1422BC887EF19564F8)
File name: zImage_archos_1200_ext4_fix07.zip (MD5: 1F022CCCD127A051154E98C5AC56CD2F)
2011-01-12
================
- More stable & smooth
- Apply 2.6.29.6 patchset - kernel
- Apply 2.6.29.6 patchset - ipv4
- ramzswap support (refer: http://code.google.com/p/compcache/)
- Cherry-pick more commits (refer to my github)
Download here: http://www.mediafire.com/?dih30gjy0lvljpk
Mirror: http://www.zshare.net/download/85094141432e0aae/
File name: zImage_archos_1200_ext4_fix05.zip (MD5: ECA8381E8371D1FE89FE2253D3482E9E)
2011-01-06
======================
- EXT4 fix (Quadrant score ~ 2500)
- Stable at max frequency 1200Mhz and min frequency 250Mhz (thanks Tzbob)
- Selectable frequency using SetCPU: 250/300/1000/1152/1200 Mhz
- 2.6.31 scheduling tweaks
- Source code pushed to github.com for easy sharing and conforming to GNU public license
- Merge various commits ( details can be seen in my github: https://github.com/ardatdat/archos-kernel/ )
- Quadrant scoring 2808 using 1200Mhz and boot from SD (Sandisk 8G Class 4)
Download here: http://www.mediafire.com/?7o7wnyipxwffx3w
Mirror: http://www.zshare.net/download/8483628818cf11b2/
File name: zImage_archos_1200_ext4_fix04.zip (MD5: 2CEF2D7F526DCD81B9C75EE2DAEBFF6F)
2011-01-03
================
- Updated a new kernel that supports $aur0n script (EXT4 support)
- Down-clock to 1100 Mhz because 1200 Mhz seems too hot and not too stable
- Merge some patches from kernel 2.6.29.6
Download here: http://www.mediafire.com/?ut6deu41216wdyd
Mirror (zip): http://www.mediafire.com/?83rd6te7a8ndmts (MD5: 7C8F9D48D74F45251B358FB3E2454485)
2011-01-02
============
- Initial version (not EXT4 support)
- Over-clock to 1200Mhz
http://www.mediafire.com/?bw8iq34tkvkllxe (MD5: 83D2A38A84C97C9336325EDD48C8D1B3)
Beware! After overclock, you will feel a bit hotter than before and battery drains much faster!! Flash it at your own risk.
What you need to do is:
1) Install SDE
2) Get the initramfs from this post (download the kernel+init.zip and extract it): http://forum.xda-developers.com/showpost.php?p=9948644&postcount=1
3) Replace the zImage with the new overclocked kernel
4) Boot into SDE recovery menu and copy the initramfs.cpio.gz and zImage through USB cable
5) Boot into SDE developer OS
6) You should get all your apps here and have superuser right now
You will now have read/write access to /system/ or /data/ ...etc.
Next step: You can download GScript from the market (free) to make some custom scripts to remove unnecessary apps and replace the hosts file, etc.
=================================================
Give us a "Thank" if you think this kernel works great for you
* Feel free to buy me a beer by clicking at the 'donate' button
=================================================
Oh thanks man! I'll impliment this into my own version of Auron's, yeah there was some confusion about your method, thanks for clearing that up!
Nevermind XD I don't know enough to add that, but Auron heavily uses EXT4 which he compiled into his kernel, which is probably why it isn't working for you, he explains in his topic the things he did or did not do.
Tzbob said:
Oh thanks man! I'll impliment this into my own version of Auron's, yeah there was some confusion about your method, thanks for clearing that up!
Nevermind XD I don't know enough to add that, but Auron heavily uses EXT4 which he compiled into his kernel, which is probably why it isn't working for you, he explains in his topic the things he did or did not do.
Click to expand...
Click to collapse
Thanks. BTW, it would be good if Auron will release his source such that we know what exactly is changed apart from the EXT4 things.
New kernel updated!!!
Get it at the #1 post
Now, it is EXT4 support and can be used together with $aur0n initramfs !!!
Down-clock to 1100Mhz seems to make it more stable
Thanks man really appreciate your quick work! works perfectly with Auron's
Although I'm curious how that overclock works, I've read up on it and it seems that everyone else is making overclocking modules etc. your solution seems a lot more efficient. Do other people know about it too?
I first though it was just a soft change, something that didn't affect the hardware, but something that just forced the digit 1100 instead of 1000, this doesn't appear to be the case since I get some speed gains in Quadrant
~ benched a 2438 ^^
edit: is it possible for you to change the LOWEST value as well? i'm not sure how it would react but I imagine a 100Mhz/200Mhz feature would save up some standby-battery-usage also is it possible to change the intervals with this method? so that we can get 300/400/500/600/700..1100?
edit2: would it be theoretically possible to compile a kernel with driver support for gamepads and others? perhaps ntfs-3g to mount ntfs external drivers... thinking about this we have usb host on this device and an open bootloader
Tzbob said:
Thanks man really appreciate your quick work! works perfectly with Auron's
Although I'm curious how that overclock works, I've read up on it and it seems that everyone else is making overclocking modules etc. your solution seems a lot more efficient. Do other people know about it too?
I first though it was just a soft change, something that didn't affect the hardware, but something that just forced the digit 1100 instead of 1000, this doesn't appear to be the case since I get some speed gains in Quadrant
~ benched a 2438 ^^
edit: is it possible for you to change the LOWEST value as well? i'm not sure how it would react but I imagine a 100Mhz/200Mhz feature would save up some standby-battery-usage also is it possible to change the intervals with this method? so that we can get 300/400/500/600/700..1100?
edit2: would it be theoretically possible to compile a kernel with driver support for gamepads and others? perhaps ntfs-3g to mount ntfs external drivers... thinking about this we have usb host on this device and an open bootloader
Click to expand...
Click to collapse
The most difficult part is to determine how much voltage to be given to each frequency. So, it would take some efforts to study.
In addition, setting too low frequency is not necessary be good because the machine might go into deep sleep and never wake up.
Have you run any Super PI tests (or something similar) to see if there are stability issues with the increased clock rates?
Typically when I over-clock my CPU on my PC I increase the voltages at the micro or mini level (CPU, Front Side Bus, Memory, Memory Controller, etc.). As an example 1.3500 may not be stable but 1.3501 could be. Typically You can find the voltage tolerances typically at CPU manufacturer website (ie Intel for me). of course you also have to deal with the temperature of the CPU and other supporting components that regulate the voltage. I will run a Super PI type application to test stability for a few hours. If it works then dont add voltage.. if it comes back with a miscalculation OR an application/OS crash then increase the voltage by a micro amount...
You are correct when you saw it not performing at a higher clock rate... typically what happens if the CPU does not have enough voltage to perform at the expected clock rate it seems to throttle the execution rate to ensure some level of integrity of the executing transaction..
Unfortunately over-clocking is not a science..
ardatdat said:
The most difficult part is to determine how much voltage to be given to each frequency. So, it would take some efforts to study.
In addition, setting too low frequency is not necessary be good because the machine might go into deep sleep and never wake up.
Click to expand...
Click to collapse
its using the same cpu as a lot of android phones are and i daresay that most of the work (working out optimal cpu voltage etc) has already been done
The question is for non-standard clock rates. Standard clock rates should have well defined voltages.
thefunkygibbon said:
its using the same cpu as a lot of android phones are and i daresay that most of the work (working out optimal cpu voltage etc) has already been done
Click to expand...
Click to collapse
can this kernel work on a101 or not?
Yes it will work, I'm 90% sure since they tested it on the 70IT and it's working perfect on my 43IT.
Tzbob said:
Yes it will work, I'm 90% sure since they tested it on the 70IT and it's working perfect on my 43IT.
Click to expand...
Click to collapse
ok i will give it a try....
I have tried this 1100 Mhz kernel and angry birds don't want to start and asphalt 5 have to force closing, I have returned with the only rooted rom....
merlin_1492 said:
I have tried this 1100 Mhz kernel and angry birds don't want to start and asphalt 5 have to force closing, I have returned with the only rooted rom....
Click to expand...
Click to collapse
While this kernel has been OC, it only allows you to choose higher frequencies. BUT, you can still choose 1000 Mhz as the highest by setting it in SetCPU.
After setting min/max as 1000Mhaz in SetCPU, this kernel is just like any other kernels, except that I have applied some of the newest kernel patches (fix bugs?) so that this kernel MUST be better than the stock one.
Hope you enjoy using it
no no, the problem is that after installing oc kernel(without touching anything about frequency), angry birds doesn't run and asphalt 5 doesn't run well and it closes when init a race...So, what's the problem? I have returned to original kernel(with rooting), and now are perfectly running(angry birds and asphalt5)...
merlin_1492 said:
no no, the problem is that after installing oc kernel(without touching anything about frequency), angry birds doesn't run and asphalt 5 doesn't run well and it closes when init a race...So, what's the problem? I have returned to original kernel(with rooting), and now are perfectly running(angry birds and asphalt5)...
Click to expand...
Click to collapse
It is quit strange, coz I can run angry birds, dungeon hunter, etc.. very smoothly even when I use 1100 Mhz, have you tried to install SetCPU and set the frequency?
Any one have similar problems?
Working great on my A101! It's subtle, but I do notice a slight performance increase in pocket legends. Keep up the great work ardatdat!
ok so i did it and now the youtube app freezes up with 1100 or 1200 mhz...the video plays for like 3 or 4 sec and than freeze leaving only audio playback.. video plays normal at 1000 mhz and down...
thanks for your sharing
but I can't unzipped the newest kernel
the 7-zip showed "file broken"
uglin said:
thanks for your sharing
but I can't unzipped the newest kernel
the 7-zip showed "file broken"
Click to expand...
Click to collapse
Thanks. A mirror (zip) link is posted in post #1, please check and re-download
For use with Streak Gingerbread Roms
Edit 12-7-11
This is the marked end of Gkernels project,
Gkernels 1.5 FINAL
but the marked beginning of Gxkernels!
Changes to 1.5 include:
Bumped the Dell source to 2.6.35.14 -Stable
Removed QoS in networking for reasons clear to my mind
Flashable zip here: http://db.tt/JuCSscC8
Developer tar.gz here: http://db.tt/pNkHIPRQ
Special thanks to you, the user of Gkernels!
-G
Edit 12-4-11
Gkernels1.4.3.1 now a flashable zip from your recovery, for easy installs!
lex parsimoniae
Special thanks going to _n0p_ for this method!
Download link here:http://db.tt/XrDJQ6Jv
to install:
copy the zip to sdcard, launch recovery in your streak, flash the zip file
for future releases, I will include the standard Gkernels tar.gz for rom developers, and also the flashable zip file, as two separate links for the community.
-Greg
Edit 12-3-11
GKERNELS1.4.3.1
Built with an older toolchain arm-eabi-4.3.1
Changes from 1.4.0.1 include:
<*> General filesystem local caching manager
<*> Filesystem caching on files
Wifi-
<*> Common routines for IEEE802.11 drivers
--- Bluetooth subsystem support
[*] L2CAP Extended Features support (EXPERIMENTAL)
networking options-
[*] IP: multicasting
[*] IP: ARP daemon support
Qos service changed-
<*> Hierarchical Fair Service Curve (HFSC)
---removed from 1.4.0.1 version---
adjust priority to speedup resume thread, (seems to help with wifi issue, special thanks DSC-Team)
Again, no overclocking;
Download Link here: http://db.tt/0vlfvlaI
Edit 11-27-11
1.4.0.1
changes since 1.3.3:
Suspend sleep mode (Power collapse suspend)
Control the low power modes of memory
Default Memory Low Power Mode during Idle (Memory in retention)
Default Memory Low Power Mode during Suspend (Memory in deep power down)
Enable standalone power collapse
Android RAM Console Enable error correction
Virtual Contiguous Memory (VCM) Layer
Download link: http://db.tt/ZnaqJ9qH
I am fairly certain wifi freeze issue is resolved. Further testing is needed to prove this;
Enjoy!
-Greg
Gkernels 1.3.3 still attached below
Gkernels 1.3.3
changes from Gkernels1.0
Enable WiFi control function abstraction
Preallocate memory for WiFi buffers
Enable KSM for page merging
Use kernel mem{cpy,set}() for {copy_to,clear}_user() (EXPERIMENTAL)
I've got some under-volting going on with static voltage regulator
kernel switched to low resolution timer
Cross-Compiled using arm-eabi-4.4.3 from Dell 4.05 source, thanks given to Dj Steve for his tip with wifi practices. Thanks going out to kernel cross-compiling sources and books; thanks to all the rom chefs;
To me, Streak kernel work is more of an art than a science. Include Gkernels in your rom; do what you feel with it, all is permitted.
Installation Instructions
Method 1:Assumption is on a linux distro,
obtain a prebuilt fastboot and adb binary, and get them into your /bin folder, to use the commands from anywhere within your system
download Gkernels1.3 and extract, if you have not already done so.
attach streak to computer with usb cable;
from the extracted archive directory run this command in terminal:
sudo adb reboot bootloader
the streak will then boot into the fastboot mode
Then:
fastboot -i 0x413c flash boot boot.img
Then:
fastboot -i 0x413c reboot
then from same directory, run this command as phone is rebooting:
sudo adb push dhd.ko /system/lib/modules
I then recommend rebooting one more time.
Method 2: Any system
Re-substitute the boot.img and dhd.ko in the archive, by replacing same files, in your chosen rom's update zip;
transfer to the device
then flash as you would, the rom using your prior flashed recovery.
Thanks to Delirium77!
Method 3: Bypass for adb with root explorer/total commander app from the market
flash the boot.img with fastboot per method 1-
copy the dhd.ko file to your sd card, unplug your device, and using root explorer/total commander, navigate to the file on the sdcard, then move it to:
/system/lib/modules
ensure the dhd.ko file has correct permissions, then your wifi will function after a reboot.
-Greg
Thanks for your work!
can you build for your kernel few modules?
cifs.ko, slow-work.ko
for slow-work there is some kind of manual editing and preparing.
or if you give me your .config i will try this myself?
EDIT:
also you can statically compile CIFS filesystem into kernel
mind if i ask what advantage/s does this kernel have over Steve's gingerstreak kernel?
I can provide a .config file, sometime this evening, as I am away-
Gkernels is a project based on the 4.05 Dell source;
It is not better than another kernel in that regard, I am trying to get all I can out of it, without overclock. Changes to my knowledge, that differ from the Steve kernel, are listed above;
Thanks to _n0p_ 's tip 1.3.3 solves the RTC issue- Thanks _n0p_
I believe this was done by changing to the low resolution timer.
-Greg
.config
Sorry for the delay, I was detained-
attached is the .config for 1.3.3
Working with an attempt to solve the wifi issues-
one environment seemed to work during my testing, yet at a great sacrifice to battery life, by enabling:
control the low power modes of memory -->
Default Memory Low Power Mode during Idle (Memory active)
Default Memory Low Power Mode during Suspend (Memory active)
I am still uncertain-
before I release a 1.4, I will trial more of these modes
-Greg
Can this modes be switched by detecting if external power supplied?
--
I've also recieved some requests, saying that power (and maybe other) buttons sometimes "flickers". Is there any way to filter key events a little?
--
Thank you for your devotion,
Sergei
I will look into this.
Hi, there seems to be some screen tearing , I suspect that it has something to do with vsync. Could this be fixed with a new kernel update or is this ROM related?
Sharptv-
This may be kernel, rom or both related;
you may try and experiment with different roms and kernels-
This could also be screen density related, on my device there is minimal tearing on default density
I had some screen tearing on power rom but none on DSC....
Good work on the kernal
May bishnu grant you many donkeys and wives
@Roy
are u indian
Hi GSpecial!
I'd like to ask you to join forces with ltrifonov.
You both are advanced system builders, i think Streakers community would really benefit from your teamwork!
That's an awesome job you are doing. Never was able to crack more than 1500 upload until now!
Sent from the SuperStreak!
borijess said:
That's an awesome job you are doing. Never was able to crack more than 1500 upload until now!
Sent from the SuperStreak!
Click to expand...
Click to collapse
Is this considered a good score?? I just did the test and got 10ping, 15162kbps down and 8912kbps up
Sent from my Dell Streak using xda premium
Greg, your new kernel 1.4.0.1 (can say after a day of tests), is absolutely fantastic.
Fast, responsive even with conservative governor waking from 128Mhz - and WiFi is simply excellent!
Thank you!
Nop can you make a flashable zip plz???
You might pay attention to Downloads section for DSC ROM (not ad )
greekunit690 said:
Is this considered a good score?? I just did the test and got 10ping, 15162kbps down and 8912kbps up
Sent from my Dell Streak using xda premium
Click to expand...
Click to collapse
I guess compared to u rs no but normally I was getting around 1000 up. So its 3 times as fast now for me.
Sent from the SuperStreak!
>>>> 24Jan2012_2155 - linboothkvc v1.1 source - does a bit more thorough job with Cache flushing for the corner cases where the new guy in the Nirvana environment doesn't do a thorough job of cache invalidation. Now have added the source to this post itself (cas, it is pretty much done now, except for any forgotten corner cases, and also one pass at removing all dependence on hidden kernel functions which I shamelessly depend on - rather it is only setup_mm and cache flush walking, others (on 2nd thought rather all) are trivial to replace but have left it there just from a future proofing perspective). However the details or blah blahs are in the newer posts towards the end of the thread. <<<<
>>>> 22Jan2012_1430 - linboothkvc v1.0 source with working binary kernel module for Nook Tablet released - look towards end (may be page 2) for the source - As you would already know, it can also work with any rooted arm based linux device provided it is recompiled for the given linux kernel on that device along with updated kernel function addresses in lbhkvc_k.c and appropriate Nirvana (some minimal change, if required) and NChild code (ie the bootloader you love for your device) <<<<
>>>> 22Jan2012_0058 - I have uploaded the source for a working linboothkvc for Omap3/Omap4/Arm_Cortex_A SOC based devices. As far as linboothkvc is concerned, it works on NookTab also successfully. However there is some effort/love still required wrt the NChild or bootloader used from with in the Nirvana environment ;-) <<<<
>>>> 17Jan2012_2325 - FINALLY SUCCESS on NookTab also ALSO Note that the POWER of KERNEL Modules and linboothkvc in turn is well beyond NookTab for the adventurers ... ;-) <<<<
>>>> 16Jan2012_2326 - Beta version of code posted towards the end, Now it fully runs on BeagleXM Hw - with minimal love should run on NookTab also, so enjoy <<<<
>>>> 15Jan2012_0251 - Alpha version of source code in post towards end, fully runs in Qemu for now ;-). And the difference between this cup and the lip (i.e actual h/w) being the missing proper cache handling from my side <<<<
Hi All,
Before my ideas with init hijack, and uboot hijack, I had a idea with trying to implement a kernel module to allow execution of any code, after killing linux without a full reboot (which would give control back to secure boot). However 2ndihkvc and NOPBypass came in between this.
However I will try and put sometime into it, as and when possible. I have some work coming up over the next few days, so going will be bit slow compared to my other two threads, but if nothing turns up from BN side (what I heard from Adamoutler on the other thread) wrt open ended bootloader then I will spend bit time on this.
Note that one doesn't require kexec to achieve functionality similar to kexec ;-). Linux kernel modules is a very powerfull mechanism which we have in our hand to give lot of or all the control required (Unless linux has changed drastically over the last few years, when I have been away from it, but that seems less likely, even thou I have heard and discussed some ideas which curtail this power almost a decade back, but I don't think it has materialised yet, which should be good for the situation we are in, and hope it remains like that for the forseeable future, what with all these close minded companies and closed devices these days).
NOTE: Look to the newer posts below for the Source Codes. RC1 source code in a day or two (but has mentioned, no significant changes wrt Beta
[REPOST] MAYBE Exec_Anycode instead of kexec
>>>> This was my old post on bypass bootloader ideas thread, put here for completeness <<<<
*** MAY BE A POSSIBLE EXEC_ANYCODE logic instead of KEXEC***
NOTE: KEXEC tries to run another linux kernel, so may be its logic is more complicated, than if we are trying to run just any code in kernel or better privilage level. I haven't looked into kexec as of now, so I am only guessing about kexec complexity, beyond what I have mentioned below for my method (which again I haven't tried as of now, just a idea).
If one is trying to run something from memory when already in Linux, then one also has to worry about the privilage level at which the processor is running, as well as about page table mapping etc... If the other thing which we are trying to run is another kernel or x-loader or uboot or another bootloader for that matter.
So if kexec doesn't work, may be there is another option available which is to
a) Create a kernel module (NOTE: It runs with same privilages as the kernel) which does
a.1) Disable interrupts so that control doesn't get out of our code
a.2) Over write the reset vector with x-loader or what ever custom bootloader one wants to get control of.
a.3) Change the memory map to have a 1-to-1 map for the region where the code is currently running (or rather for the code which will be run in the next step) or overwrite a region which already has 1-to-1 map between Physical and Virtual addresses, with the code for the next steps. Go to next step.
a.4) Disable page tables (I haven't tried this before, ie after it has already been enabled, but I don't see any reason why ARM doesn't allow this - except for things like what we are trying).
a.5) Change to the reset ARM privilage level (If a soft reset doesn't do it already, haven't looked at ARM at this level for ages, so don't remember)
a.6) Trigger a soft reset
This should give control to the bootloader which we have loaded into the reset vector address. (Rather we should trap all possible exceptions i.e all the 8 or 16 or what ever is the number of exception addresses in the exception vector).
NOTE: If we are not able to change back to the reset time privilage level for the ARM processor, then we should be still able to have a modified Linux kernel, which doesn't try to switch ARM privilages if not required - this I have tried, ages ago, If I am not wrong as part of some other activity I had done.
Current thoughts
Hi,
On thinking once again
a) We definately want to disable interrupts, so that we don't lose control other than for exceptions if at all.
b) We may have to stop the other processor if it is up in SMP, but I have noticed that most of the time, the other processor is shutdown in NookTab.(Have to think thro this bit more, later).
c) May be trap the TLB exception handler and inject custom pagetable till MMU is switched off (An idea for now, have to experiment a bit later). Rather than going thro the linux mmu code (am getting bit old, a decade back I would have done the required linux magic in few jiffies, but have been away from linux for too long now . OR force few entries into current/kernel linux memory map.
d) Copy
d.1) the core code required to manage stuff to a 1:1 mapped region.
d.2) Also the code required to jump to like (i.e the bootloader or what ever)
Other d.2) Or implement minimal code (as part of d.1) to read uart (oops - now that would have cut the complexity by 3/4th, but for people hating uart these days;-) or may be sd card and get a sector into memory (like x-loader).
e) Disable the mmu
f) Jump to the required code location of new universe
Today I did a quick running/jumping glance thro kexec code once, and even it does some what similar only, if I am not wrong, except for may be it not hijacking the TLB exception handler or having some junk for debugging or so ..., so I am not that off wrt the required idea.
First baby step - try and understand the default memory map
Hi,
Did try the 1st baby step towards this, by trying to go thro the running systems memory map.
LBHKVC driver v04Jan2012_2110
INFO: Total memory is iTotalMem 0x40000000
INFO: Page Size ??? PAGE_SHIFT 12 ie 4096
INFO: Begining of Platform ram PHYS_OFFSET 0x80000000(0x40000000)
INFO: End of userspace mapping TASK_SIZE 0xbf000000(0x7f000000)
INFO: Start address for Modules Space MODULES_VADDR 0xbf000000(0x7f000000)
INFO: End address for Modules Space MODULES_END 0xbfe00000(0x7fe00000)
INFO: Permanent kernal mappings PKMAP_BASE 0xbfe00000(0x7fe00000)
INFO: Kernel direct 1:1 map ??? platform RamBeg PAGE_OFFSET 0xc0000000(0x80000000)
INFO: Kernel direct 1:1 map ??? platform RamEnd high_memory 0xf0000000(0xb0000000)
INFO: vmalloc/ioremap space Begin VMALLOC_START 0xf0800000(0xb0800000)
INFO: vmalloc/ioremap space End VMALLOC_END 0xf8000000(0xb8000000)
Now one thing which is potentially true and easy is, the Physical Memory from 0x8000.0000 is 1:1 mapped to 0xc000.0000 in a linear way (Have to validate, but should be). There are certain virtual to physical maps which seem bit odd, most probably I am using the wrong function to do the conversion and or traversal of pagetable. Also some of them are not necessarily meant to have a mapping other than act has markers conceptually (Have to verify later).
Having something same to same mapped would have kept things to a minimal, and made this too trivial now - why not ooh linux gods ;-(. Now this is forcing some hijacking or forcing of page table entries or experimenting and seeing if this is good enough to me/any one else interested.
Also there seems to be something called SAR_RAM, have to see if this is of any use. As well as some of the regions reserved thro kernel command line and see if anyone is using it, or if it can be evicted if required, there are only for funny experimentations.
Otherwise I think, I should be able to get even my current modules virtual address translated to physical address and may be same-to-same mapped if required. Or forcefully take some region beyond my current running code and any exception logic I require.
Also I have to check how critical is the same-to-same map if any when switching off mmu, or is 1:1 map good enough, have been away from lowlevel arm also for too long now.
Wow hkvc you respond quicker then I do.
First off it is not a 1 to 1 mapping if you look at the arm B&Ndefconfig youll see that they utilize a different way of mapping (not looking at the code right now).
Second off kexec with the kernel module that does KEXEC_LOADED is essentially this. I would look at the kexec.c code, and you will see that you can comment out the sanity checks in the find hole function and it will find a valid hole, then with injection you could make this work. However, while i have done embedded design and some hacking, kernel modules are not my specialty. We need a high priority kernel module that removes interrupts, so that the kexec code can load.
baby step2 of linboothkvc
Hi Loglud/All,
Thanks for your inputs.
Not sure about ur (Loglud) 1:1 map part comment. Currenty when people say 1:1 I am not sure whether they mean linear map (i.e with a constant addition or substration you can get virtual - to - physical mapping and inturn the other way round) or same to same mapping, I have to look at arm initial booting code and see what they mean (and in turn what ARM requires), because they require this when booting and inturn the mmu gets enabled.
Also the code to dump the map what I put above, was my first attempt at kernel level view of memory maps after ages, so there are some FUNNY ;-) errors in the way I tried to dump it quick and dirty.
If you are talking about 0xC000.0000 (Virt) to 0x8000.0000 (Phys) mapping which I mentioned, I still feel it is linear mapping, but I have to verify once. Linux kernel used to maintain a linear mapped region to simplify the internal management of physical pages(i.e memory), so that they can convert from virt2phy and back easily wrt physical memory with out requiring to go thro pagetables and for other reasons (Obviously with limits, i.e the Full memory is not linearly mapped but the initial 800MB or 900MB or so used to be). I will verify it later.
Either way independent of that I have potentially found the region which I will be attacking wrt getting the required same-to-same mapping (which I want to use, even if linear map is good enough, which again I am not sure is true at this time). The VIRTUAL ADDRESS space set aside for kernel Modules in Linux (MODULES_VADDR (0xbf00.0000 ...) and MODULES_END) overlaps with the actual physical memory location (0x8000.0000 - 0xc000.0000) here. And there is enough free memory in this module virtual address space, as there are only 2 modules loaded in NookTab, plus the region is originally there to allow lot of modules plus worst case I don't really worry much about stomping_on/reusing someone elses used memory because I am going to kill the system shortly and I have already locked the current cpu by blocking interrupts.
Inturn I will initially see if there is a physical page in the physical address space from 0xbf00.0000 to MODULES_END such that I can do a direct same-to-same mapping into the corresponding Virtual address space. Again even if there is non, at one level I may not have to mind really ;-) as I will be nuking the full system shortly.
I am looking at same-to-same mapping to allow the code which will do the mmu disable to continue to work before and after mmu disabling. While a Linear mapped region is good to load the code (bootloader, kernel, ....), before mmu is switched off, which will be passed control after mmu has been disabled, and which inturn can welcome the new system.
NOTE: I am in this more for the fun of exploring, so at least initially I don't want to use kexec and modify it (If I fail, then I may look at using it directly, but don't see a reason to fail for now), rather I want to come up with a concept (and as you rightly mentioned, even kexec follows (and it definitely should) similar concept to a great extent except for may be some of the implementation steps, as end goals are similar) and then implement it for the fun of it, even in crazy ways if possible (I am just starting out on this now, so I dont want to say one way or the other on this aspect now) just for it
NOTE: I am explaining my thoughts, so if someone else is interested in experimenting parallely on his/her own, they can get some ideas (good or bad
BabyStep3 basic implementation done - but results say long fight ahead
Hi All,
Over yesterday and today, I have implemented a basic logic to test minimal kexec equivalent logic using kernel module.
Rather had to dig thro the kernel source code to
a) refresh thro my kernel basics and to understand atleast some of the changes in the newer kernel versions and MORE importantly
b) to OVER COME the tendency of core kernel developers to DISABLE EXPORT of some of the useful functions to external kernel modules.
Eitherway most of the disabled symbols I could pickup and hardcode the address in my code to still access them indirectly using function pointers - what would world be with out function pointers or rather pointers in general.
Also because of the SMP nature of the SOC, had to dig thro some of those stuffs also. Then for now decided to use some of the support mechanism already available within kernel to help with kexec logic like fin, reset, etc to try and see if I could use the easy path into it for now initially
However what I seem to have realised/found is that
a) Either these support routines haven't been fully implemented in the used kernel version on NookTab currently and or
b) I am missing few more additional steps wrt SMP (Have already killed the 2nd Processor using proper api in kernel - Have to cross check the CP15 to verify for sure once again later).
It seems to be mostly (a) and inturn related to cache cleanup and may be mmu switching, have to debug further.
Otherwise the same logic seems to be working in BeagleboardXM (rather within qemu -M beaglexm) except for some reason the uart messages seem to disappear once I switch over even thou the code seems to be running in the new Same-to-Same map with the physical memory address part, with proper UART address - checked using info registers in qemu (Have to debug this part of qemu related to how it decides which uart to show in Ctl-Alt-3 etc bit more and or try on a physical board sometime next week).
In few days time I will upload the code I have come up with (even thou useless from using/achieving kexec logic perspective currently, still may provide some ideas or act as a base platform for someone wanting to experiment, but having initial inertia , if I am not able to spend more time on it.
Initial Pre-Alpha source for linboothkvc kernel module and utils
Hi All,
As promised, I am uploading the initial version of the kernel module source code (with lot more updates compared to last weekend, when I mentioned about it) for achieving kexec like functionality even if kexec is disabled in kernel. As I always told, kernel modules are equivalent to kernel, so you can do what ever you want in kernel module that can be done in kernel, provided one is bit patient ;-).
Note: This is pre - alpha version of code for people with initial inertia/starting trouble to experiment. This has a known bug with cache handling which I have to fix as well as some restructuring and cleanup to do.
This will currently only run in Qemu, because it doesn't bother much with Cache. But on ACTUAL targets it will fail Randomly (there is a very very small one in a million chance that it can succeed if all the stars line up and the cache gods support you
This is no longer as critical for NookTab has it was 1 week back, because Now some people have already released a exploit which uses a uboot bug ;-(, which ideally we could have with held for a future product (because NookTab was already sufficiently open and didn't need any more exploits to use its full potential, as I had mentioned last week). But either way I realise that people are very impatient these days. And congrats to those people for their work however.
For people who want to experiment, the initial skeleton is available in this release
Alpha release with embedded x-loader for BeagleXM Qemu
Hi,
NOTE: This release successfully bootstraps a new linux from with in linux in Qemu, my yesterdays release would have also done the same, but would have required additional code to handle the final nitty grities, this is taken care of now in this release. So that it is easier for people wanting to experiment.
I have updated the kernel module to allow two images to be embedded into it.
a) The initial boot strap loader called Nirvana (Examples like bloop0.S, bloop1.S, ... and now a full fledged omap3callbootrom1.S for BeagleXM on Qemu - Rather it in itself is independent of Qemu-BeagleXm or Hw-BeagleXM)
and
b) The actual bootloader/???? to run in the new prestine environment called Nirvana's Child (NChild). Currenlty it is a version of the x-loader for BeagleXM (Either Qemu or Actual BeagleXM).
In turn once the kernel module is done with its job. It passes control to Nirvana. Also it passes the physical address and length of the NChild image to Nirvana thro r0 and r1.
The Nirvana code in turn can decide what it wants to do with the system. The default Nirvana code i.e omap3callbootrom1.S takes care of copying the NChild(by default x-load.bin) to 0x4020.0800 and then pass control to 0x4001.4000 so that it loads x-loader properly (ie setup stack for all modes etc).
NOTE: As of now it works on Qemu only. My earlier release yesterday would have just printed 1s on the screen, while this version actually boots into a new linux kernel + system in Qemu from with in a already running Linux system in qemu.
However it won't run outside Qemu successfully, as I haven't yet had time to look at fixing the cache issue, because I had to add support for NChild image logic either way for doing anything useful with the code.
NOTE: As this is either way no longer critical for NookTab, I will take a stab at it based on my hack-vs-life balance also. Depending on what and all come up over the next few days in life.
HOWEVER this latest release has the FULL REQUIRED INFRASTRUCTURE/LOGIC for running this on a actual h/w expect for the missing proper cache handling. It also includes a x-load.bin by default for BeagleXM which can be used either with Qemu-BeagleXm or Hw-BeagleXm.
Beta Source - Success on a Hardware (beaglexm for now) should work on NT also ...
Hi All,
I have finally identified the stupid cache issue which was frustrating me and eating my head for long and stalling this project unnecessarily . However it gave a nice oppurtunity for me to dig thro the kernel code as well as Arm documentations - which is what I am after either way So ALL IS WELL in the end
The problem was related to kernel's normal code using MVA based cache operations for flushing, which in the newer architectures stops mostly at L2 cache rather than hitting the memory. This is fine for Normal linux kernel operations because they don't disable cache and so the proper data will get used. But for us as we want to disable cache to give a true pristine NIRVANA environment, this doesn't work, as memory contains old/stale/wrong data. In our code flow This even affects the KERNEL MODULE CODE itself, leave alone Nirvana or NChild code.
Once I realised this by digging thro documents as well as seeing the strange behaviour (rather unbelieavble, initially for me) of my code(kernel module as well as Nirvana and NChild)/logic after cache disable, I was able to get it RUNNING SUCCESSFULLY on BeagleXM actual hardware and not the qemu emulation which I was previously using.
As of now it is restricted to Omap3/BeagleXM, because the Nirvana code Omap3callbootrom2 makes use of the bootrom memory map usage knowledge to setup NChild appropriately and pass control to it thro Bootrom (so that stack is setup for all modes). With small effort the same can be changed or updated for Omap4 and NT should be in the fold (Unless SMP creeps up, inspite of me shutting down the 2nd processor, for some crazy reason in the worst case ;-)
NOTE: Also my last release (alpha) for Qemu beagle had a bug which was a blessing in disguise, in that it was not disabling the MMU from with in kernel module(which I had added just for the heck of it and is actually not required). However it was still doing it once it hit Nirvana code, as required. If I had not done the mistake of using mrc instead of mcr with in my kernel module code, it would have failed immidiately, because BeagleXM has only 512MB ram and the kernel module code space is at virtual address 0xbf00.0000 or around it, which is WELL BEYOND the 512 MB of physical memory, so there would not have been any 1-to-1 memory map for it and disabling MMU would have made things go crazy. Note that Nirvana and NChild are kmalloced into linear mapped kernel address space which is with in physical memory limits normally ;-).
NOTE: May be there is a watchdog timer or coprocessor or so which I have to disable, haven't looked into this yet, which seems to mess things up, if I stay in Nirvana code for too long. However as by default there is no need to remain in Nirvana code for long, as it is required to pass control to NChild as quickly as possible, this is not a immidiate issue to worry about now.
Let the experimentations begin
For H/w BeagleXM boot, bypass stupid SMI based L2 Cache maintaince rot in uboot ;-)
Hi All,
If anyone has tried running my yesterdays Beta release on BeagleXM h/w there is one update and one other IMPORTANT things to keep in mind.
a) Update the omap3callbootrom2.S to directly call into NChild rather than thro BootRom, that call into BootRom is not required. i.e jump to 0x4020.0800 instead of 0x4001.4000 at the end.
NOTE: This also makes the code more generic and usable with minimal love across Beagle and NookTab.
b) In U-Boot remember to DISABLE/BYPASS the calls to ROM Support routines thro SMI to setup L2 cache as well as to invalidate cache. This is no longer required in newer Omap3 chips as well as there is actually few bugs in u-boot code itself related to this, as one wants to clear full cache but SMI rom routine only clears L2 (also the full cache walking for invalidate is there following the SMI call, so bypassing doesn't lose functionality), if I get rom code description in TRM correctly, plus few other bugs atleast in rowboat version. The files board.c and cache.S contain the calls to SMI which has to be bypassed.
I have attached the minimal patch required to uboot to allow it to work with linboothkvc with BeagleXM.
With the above two changes, linboothkvc will always succeed in BeagleXM, enjoy
NOTE: In my setup today, I have modified the NChild x-loader to load u-bootk.bin rather than u-boot.bin. Thus I can have both the Normal u-boot.bin for Normal booting and u-bootk.bin for linboothkvc based booting . My Beta release doesn't contain this modified x-loader NChild, the next release will contain the modified one. But with source of x-loader, you can do it yourself and copy over as NChild into linboothkvc
Success on nook tab
Hi All,
LinBootHKVC has successfully booted into Nirvana code in NookTab
NOTE: No major change required to my beta release other than one mentioned in my last post to make my released Nirvana code more generic and the address update in this post for NookTab.
As I had mentioned yesterday, even thou I hadn't got the time yesterday to check it on NookTab yet, it should work 90% except for any crazy SMP issues, inspite of me disabling the 2nd Processor. WELL IT turns out that what I had done already was sufficient for NookTab also.
Only in omap3callbootrom2.S you have to change the sram address to which things are copied from 0x4020.0800 to 0x4030.0800 for NChild code. However I haven't crosschecked the x-loader based NChild on NookTab as of now, but DONT SEE ANY REASON why it should fail, other than for any issues with stupid code, like the SMI calls to manage L2 cache in u-boot for beaglexm and for some reason if 0x4030.0000 space has some issues I haven't thought of in Omap4 (I am relatively new to Omap4 started with NookTab only).
Will upload the Release Candidate version 1 of the code in a day or two. It is late here and I have been up on this NookTab project for few weeks now
a) starting from idea of linboothkvc
b) then moving to 2ndihkvc
c) followed by NOPBypass with UART access
0) The uboot loop hole (Oh my my my (But not released from my side hoping to keep it for future, but alas, if only people have/had patience ..., that is partly a dream now
d) followed by MenuK for 2ndihkvc - haven't released yet, time got sucked back
into linboothkvc
and back to
e) linboothkvc
all of the above work on NookTab successfully as of today and all can be used to achieve custom Roms and in case of NOPBypass and linboothkvc even custom kernels
So enjoy everyone. Some sweet rest for me atlast ;-)
NOTE: The POWER of Kernel MODULE and inturn linboothkvc goes well beyond NookTab for the adventures people out there
Oh My MURPHY - For now keep away from 0x4030.xxxx
Hi All,
Now as Murphys law would have it , 0x4030.4350 (the default address used by x-loader in Omap4) has some issue with it (which I have to debug later). So if trying on NookTab remember to use some other address (what other I will leave as a exercise to the interested
Also the x-loader from BN and or inturn from Ti expects a special meta data structure to be passed along thro r0, which inturn tells it about boot device and boot mode. So you will require to take care of this or better still simplify the structure to handle in cpu/omap4/start.S
Also I did the cardinal sin of doing too many changes when working/debugging on a new unknown device (from my perspective i.e NookTab) with no jtag access (atleast at my end for now).
So ended up digging into Arm L2X0 cache and inturn PL310 trm and writing a L2X0 cache flush logic (obviously also cross checking the equivalent logic in Linux kernel) when none was required in reality as I had already found and mentioned in my last post few days back. I forgot (rather got too lazy to checkout my own old code, just for the fun of exploring further ;-) my own Nirvana code which I had tried towards the beginning of the week which had successfully run and printed stuff on screen.
Also dug into the Address translation support registers in CP15 to be 100% sure that the 1-to-1 map was in fact there (again lazy to dig thro the linux kernel setup_mm code, when arm walks the page table tree for you and on top when I had not tried this arm instruction method before .
But ended up finally realizing that me using the 0x4030.4350 was the culprit atleast for now.
So keep away from that address for now (or debug further on this on your own for now, I will be looking at it only later, could be something to do with HS code using that region or ..., there is more interesting stuff to do for now) and remember to patch x-loader appropriately and you should be able to get it running on NookTab; again with my last code release with hardly any changes other than what I have already mentioned in the last 2 to 3 posts.
A updated source with the now useless l2x0 cache flush and va2pa address translation verification logic and a newer nirvana code with panda board support also (verified works perfectly - only slight changes required between Panda and NookTab as far as Nirvana code is concerned) I will release after some more experimentation and code stabilisation at my end.
hkvc said:
Hi All,
Now as Murphys law would have it , 0x4030.4350 (the default address used by x-loader in Omap4) has some issue with it (which I have to debug later). So if trying on NookTab remember to use some other address (what other I will leave as a exercise to the interested
Also the x-loader from BN and or inturn from Ti expects a special meta data structure to be passed along thro r0, which inturn tells it about boot device and boot mode. So you will require to take care of this or better still simplify the structure to handle in cpu/omap4/start.S
Also I did the cardinal sin of doing too many changes when working/debugging on a new unknown device (from my perspective i.e NookTab) with no jtag access (atleast at my end for now).
So ended up digging into Arm L2X0 cache and inturn PL310 trm and writing a L2X0 cache flush logic (obviously also cross checking the equivalent logic in Linux kernel) when none was required in reality as I had already found and mentioned in my last post few days back. I forgot (rather got too lazy to checkout my own old code, just for the fun of exploring further ;-) my own Nirvana code which I had tried towards the beginning of the week which had successfully run and printed stuff on screen.
Also dug into the Address translation support registers in CP15 to be 100% sure that the 1-to-1 map was in fact there (again lazy to dig thro the linux kernel setup_mm code, when arm walks the page table tree for you and on top when I had not tried this arm instruction method before .
But ended up finally realizing that me using the 0x4030.4350 was the culprit atleast for now.
So keep away from that address for now (or debug further on this on your own for now, I will be looking at it only later, could be something to do with HS code using that region or ..., there is more interesting stuff to do for now) and remember to patch x-loader appropriately and you should be able to get it running on NookTab; again with my last code release with hardly any changes other than what I have already mentioned in the last 2 to 3 posts.
A updated source with the now useless l2x0 cache flush and va2pa address translation verification logic and a newer nirvana code with panda board support also (verified works perfectly - only slight changes required between Panda and NookTab as far as Nirvana code is concerned) I will release after some more experimentation and code stabilisation at my end.
Click to expand...
Click to collapse
hkvc:
Thanks for all of your work. Even though the bootloader bypass has been found, you do not know how many others you are helping. This could be used as an indefinite alternative to locked bootloaders for ALL DEVICES! Keep chugging on this, and I'm sure you'll find your solution to the l2 cache flush. Also i have been looking around, and I was curious if this could be another explotable boot flaw,
Code:
/*
* The SAR RAM is maintained during Device OFF mode.
* It is split into 4 banks with different privilege accesses
*
* ---------------------------------------------------------------------
* Access mode Bank Address Range
* ---------------------------------------------------------------------
* HS/GP : Public 1 0x4A32_6000 - 0x4A32_6FFF (4kB)
* HS/GP : Public, Secured
* if padconfaccdisable=1 2 0x4A32_7000 - 0x4A32_73FF (1kB)
* HS/EMU : Secured
* GP : Public 3 0x4A32_8000 - 0x4A32_87FF (2kB)
* HS/GP :
* Secure Priviledge,
* write once. 4 0x4A32_9000 - 0x4A32_93FF (1kB)
* ---------------------------------------------------------------------
* The SAR RAM save regiter layout is fixed since restore is done by hardware.
*/
27.4.4.4.1 Public Use of SAR RAM
At system level, the OMAP4430 SAR RAM memory is divided into four banks. The public ROM code uses only the first bank, which is always public-accessible. More specifically, the software booting configurationstructure must be located in the upper 1.5KB of the first bank.
The public ROM code offers some flexibility about the location of the software booting configuration structure. The PUBLIC_SW_BOOT_CFG_ADDR pointer defines the start address of the structure within the SAR RAM bank (see Table 27-14).
As mentioned previously, the software booting configuration feature is optional. Hence, the public ROM code decides to use the feature based on the value read on a warm reset at the address pointed to by the PUBLIC_SW_BOOT_CFG_ADDR pointer. If the value matches the range 0x4A326A00 – 0x4A326FFF, the ROM code tries to extract the structure located at that address. The value pointed to by PUBLIC_SW_BOOT_CFG_ADDR is always overwritten to zero on a cold reset.
The recommended address for storing the software booting configuration structure described hereafter is defined as PUBLIC_SAR_RAM_1_FREE. It is, however, possible to locate the structure at any location within the 1.5-KB range.
It is moreover possible to use the public SAR RAM area for any other purpose, such as storing traces for HLOS use. Obviously, care must be taken not to overwrite the locations used for low-power modes and/or software booting configuration if used.
Click to expand...
Click to collapse
linboothkvc v1.0_RC3 with good x-loader for O3Beagle and O4Pandabrd and semi 4NookTab
Hi All,
I am attaching the source code for linboothkvc with a good basic Nirvana code for Omap3 (Many mobiles and few tablets) and Omap4 (few mobiles and tablets) devices. NOTE: for NookTab, basic linboothkvc works perfectly now (except for may be some toning down of the secure Monitor code if possible), However there is some more work required at x-loader (which I am using as my NChild code) level which I have mentioned further below as TODO. Otherwise the basic logic fully works for NookTab also now. At this stage it can be used by developers and not end users as NChild code for NookTab still requires some love.
[A] obviously there would be some minor tweaks to the NChild load address and args to pass etc based on x-loader/bootloader used in a given device, but still the basic skeleton is fully there in Nirvana code now. And the same can be modified for other SOCs from Samsung/NVidia/(Not getting the other vendor name now funny)... pretty easily.
Also the addresses for the linux kernel functions which I use require to be updated for any new device or for a new/different kernel for the devices which I have already put the code in this release.
[C] It expects to find a u-bootk.bin in mmc vfat root dir, provided you are using the x-loader code which I have bundled. How ever based on your device, you may have to change to a different bootloader or modify x-loader to suit that devices need, and thus With your own version of x-loader or NChild code, you can always modify it the way you want as to what it loads and from where.
But with the above changes/setup this can be used with any Rooted ARM based Linux device (be it android or webos or ...)
Changes I had to do to x-loader for NookTab:
[1] I had to bypass or find alternate locations for some of the 0x.4030.xxxx addresses used in x-loader from BN/Ti (Haven't had time to look into the details as to why this is forced on us and how to force the use of the same address yet). For this reason I am recompiling the x-loader with a load address of 0x8000.7ff0 for now and sidestepping it mostly.
[2] Clock and related init settings related to MPU,IVA and DDR memory are offlimits for now (but then again for a basic working these need not be changed at x-loader level eitherway).
[3] smc/SEC_Ppa functions are offlimits for now, again not required at x-loader level.
[4] TODO: the x-loader bundled with BN source seems to be a old version or has some non required (from BN perspective, but usefull from our perspective) logics for BN stripped. So even thou I have modified the high level logic to do a FAT load from MMC for u-bootk.bin. Because of this missing support for FAT boot mode, the current version of x-loader for NookTab which I have bundled in my code doesn't load u-bootk.bin.
Enjoy and happy Experimenting all
NOTE: When I say bundled x-loader, it is only binary blob, you can get the actual source code for x-loader from the respective git sources. I think few days back I uploaded the patch required for beagle x-loader to make it run in linboothkvc Nirvana env. I will do the same for x-loader for NookTab and Omap4 (rather omap4/panda hardly any change required from Ti release - I had to mainly simplify the argument mechanism passed to x-loader and nothing much, if I remember correctly, as I tried pandaboard 1 day back and after that I have done so many other things that, pandaboard is out of my memory Fifo) in few days.
[DONE] source of linboothkvc v1.0 (includes binary for NookTab with working xloader)
Hi All,
LinBootHKVC for NookTab is fully DONE now. Well (for developers) it can work with any ROOTED ARM based LINUX device (android or not doesn't matter) with kernel module support with minimal love, for those who are interested ;-).
Along with the source (which can work with any Arm based linux setup with some minimal love), this release also includes the binary kernel module for BN NOOK TABLET with firmware 1.4.0. Which inturn contains a working x-loader binary as its NChild for NookTab, which looks for a u-bootk.bin file on the uSD card.
To use this on NookTab (similar steps work for any other device, provided you have suitably compiled linboothkvc for your device with proper love)
a) get your required/prefered u-boot.bin file and prepend a 288 (0x120) byte dummy header and name it u-bootk.bin
i.e
dd if=/dev/zero of=/tmp/dummy.bin bs=288 count=1
cat /tmp/dummy.bin u-boot.bin > u-bootk.bin
b) copy this u-bootk.bin to the root directory of the 1st partiton on a uSD card which inturn should be VFAT formated. (To be 100% safe and sure use a newly formated uSD - Or you never know when Murphys law can kick in, see my note at the end for a bad luck I had yesterday night
c) Insert the uSD card to your Nook Tablet
d) Copy to your Rooted NOOK TABLET with firmware 1.4.0 the kernel module lbhkvc_km_DEVICE_NOOKTAB.ko which I have provided with in the release folder in the source package uploaded with this message/post.
__may be__ adb push lbhkvc_km_DEVICE_NOOKTAB.ko /data/local/tmp/
or similar or thro the uSD card and a file manager.
e) either from adb (on PC) or a terminal (on NookTab) or serial port (on PC) get to a root shell.
if using ADB on a PC connected to rooted Nook Tab it will be
adb shell
su
NOTE: PC is NOT required, you can also load the kernel module directly from Nooktab by using a android terminal package to get shell access.
f) insmod the copied Kernel module from the root shell/prompt
insmod lbhkvc_km_DEVICE_NOOKTAB.ko
This will load linboothkvc and inturn do a forced reboot/hijack into a x-loader environment, which will inturn load the u-bootk.bin which you had copied into SD card in steps a to c above.
NOTE: Based on what I have verified, u-boot works with out requiring any change to it (unless you want to bypass the security check in u-boot . So ENJOY.
NOTE: This can equally work on a 1.4.1 firmware based Nook Tablet, provided it is rooted. But for that you will most probably have to recompile my kernel module with updated addresses (if it has changed) for the kernel functions which I am using. However if BN hasn't done any change to kernel in 1.4.1 firmware, then the current kernel module which I have bundled it self will work. I haven't verified with 1.4.1 firmware currently (as I haven't upgraded to 1.4.1)
NOTE: Be sure to save any things you might be working on your NookTab, before loading the kernel module, because it will force a reboot with out any mercy, so any unsaved things in your NookTab can get lost. so BEWARE
NOTE: Rather even yesterdays release would have worked 99%, I had a problem with my uSD card being bit corrupt wrt rootdirectory, which is why it was failing yesterday when I finished it originally . However in this release I have also cleaned up the Nirvana code a small bit to avoid the hardcoded ioremap address of UART.
Release v1.1 source with binary for NookTab
Hi All,
Being bit lazy I had not called cache flush once again after disabling the cache, because I was calling it just a wee bit before disabling it and was also expecting any body who enables Cache in Nirvana environment to do a thorough job of cache invalidation before enabling it again.
However found that the linux kernel 2.6.35 used by Nook firmware has this problem, so now I take care of calling cache disable once again after disabling the Cache to be on safe side and it does help for NookTab (while on Beagle and Pandboard I didn't have this issue, it was a newer kernel which I had tried there so may be it has some additional effort put in wrt cache invalidation or it was pure luck, either way haven't debugged that aspect now).
So with this release, linboothkvc provides a better Nirvana environment, except for the SMC related stuff, which I am ignoring for now . So related to that there is some cleanup or bypassing required to be done in Kernel otherwise linux kernel should be pretty much ok in linboothkvc Nirvana environment, haven't had time to look at it fully yet. Will spend sometime in a day or two when a holiday is coming my way.
Check out the README file some of the same info as above and may be a few more things here and there. Also the new binary for NookTab is there in the source package within the release directory.
I've read every one of these posts and have no idea what is going on but I'm glad that it's all working. Great job!
Sent from my Nexus S using xda premium
Getting Linux kernel for NookTab up in LinBootHKVC - Step2 and 3
Hi All,
Step2
------------
There seems to be few race conditions in the linux kernel source and or some initialisations not being done properly in the kernel code, because of which by default the BN kernel source will fail in LinBootHKVC environment.
The below patch fixes 1 such race issue I have noticed wrt initial clock event handler for ipi timer (Have to debug this further later).
NOTE: A initialisation issue with the Cache, in that it not getting invalidated properly during booting was fixed in my v1.1 linboothkvc kernel module, by doing a additional flush before switching to Nirvana. Because that was also a appropriate stuff for linboothkvc also to do, independent of the kernel initialisation issue.
static void ipi_timer(void)
{
struct clock_event_device *evt = &__get_cpu_var(percpu_clockevent);
irq_enter();
- evt->event_handler(evt);
+ if(evt) {
+ if(evt->event_handler) {
+ evt->event_handler(evt);
+ }
+ else
+ printk("WARN:ipi_timer: event_handler missing\n");
+ }
+ else
+ printk("WARN:ipi_timer: evt not set\n");
irq_exit();
}
Beyond this any additional issues, I have to check yet. Also the reason for this race, I haven't debugged for now.
UPDATE1 (Step3)
----------------------
I have further cross checked that CONFIG_OMAP_RESET_CLOCKS causes some problem in linboothkvc Nirvana environment for few specific clocks, either way for now Disabling this config in BN NookTab kernel before compilation will allow the resultant kernel to run SUCCESSFULLY on NOOKTAB.
NOTE: As of now, even thou SMP is enabled, one of the Processors doesn't come up live. That has to be debugged later. But otherwise the Linux is FULLY running in NookTab from with in the LinBoothKVC Nirvana Environment and in turn the Linux User space is also running fine.
That sounds like a big step. Awesome work!
Hi,
No access to dev subforum. Admin, please can you move it ?
This article can be usefull for developpers on other devices where kexec-hardboot does not work.
This derivated method could be an alternative.
This post follow this one http://forum.xda-developers.com/showthread.php?t=2558783 to give details about kernel patch to add this fonctionnality.
To understand the method used by mkasick, you can read this thread : http://forum.xda-developers.com/showthread.php?t=1266827. You can read also Tassadar explaination post here : http://forum.xda-developers.com/showthread.php?t=2104706
The important information is that, after a reboot, a part of the memory is not erased and then can be used to store data.
On stock distrib, this feature is used to keep previous kernel messages and make them readable from userspace in /proc/last_kmsg.
The kexec-harboot method was to use this feature to store kernel and initrd (and atags param) in a part of memory that will survice a reboot.
kexec comes in to part : a kernel syscall and a userspace programm.
On regular PC with Linux distrib, usually, when we want to restart quickly to another kernel, we do two steps :
- a first call to kexec program from userspace to load kernel/initrd into memory : kexec syscall is called and store all pages anywhere in free virtual pages. kexec kernel keep an index to know how to reorder all the pages to put them in real physical destination, when it will be time to jump to the new kernel.
- a second call to kexec (kexec -e) from userspace to switch to the new kernel : kexec syscall prepare the shutdown of all internal stuff ( flushing memory cache in TLB, disabling MMU, reseting cpu... ). At the very end of the process, just before jumping to the new kernel, all pages previously stored everywhere in memory are relocated to there final destination. This relocation process is done after mmu disabled. Just after relocation, new kernel is ready and kexec jump to first entry.
This process did not work well on android devices because some internal devices where not properly shutdown. That's why mkasick had the brilliant idea to store the new kernel in non flushed memory after reboot.
kexec-hardboot change the last action of kexec (jump to new kernel) by a reboot. After reboot (all internal devices are in a proper state), the second part of the patch verify if a kexec kernel has been previously loaded and if yes, jump to it, instead of the regular one.
( atags copy is also done there ).
I tried to apply this method on our Galaxy Note 8, everything was fine (reboot asm code, hardboot patch) except one blocking issue : the disable MMU code in kernel for our exynos4412 seems to not work well and hangs the system.
To solve this issue my idea was the following : If kexec can not do all the stuff and especially the relocation stuff, just do it by yourself : Instead off calling first time kexec to load kernel in non contigus virtual pages and creates index for relocation, we will write a userspace procedure to load directly the kernel at the physical final destination.
The only prerequisite will be to reserve enough physical memory at boot time. In the attached kernel patch, I reserve 32M of memory but, theorically, 8M could be enough for roms booting ( 8M limitation of boot.img block device).
Reserving more space is usable in case we want to play with bigger initrd. A lot of more memory can be reserved if needed.
To conclude, the method is as follow :
- Patch kernel to add hardboot patch
- Patch kernel to add Memory reservation at boot time ( bootmem allocator )
- Replace all kexec work by a userspace program to load kernel/initrd/atags directly to destinationI think this method can be applied easily to almost all android devices, as far as they support /proc/last_kmsg.
References/credits :
mkasic : kexec-hardboot creator
Tassadar : multirom creator - nice kexec-hardboot explainations
Philippe,
Hi everybody!
Today I've experimented with kernel a bit and have found a way to increase accessible RAM up to 691.1 MB, at the cost of not working(or not fully working) camera, HW decoding and inablilty boot to recovery. The way is to modify cmdline:
https://github.com/ChronoMonochrome/Chrono_Kernel/commit/17d83a66bcb07a79e4575e0da3b762acd0def203
We use CONFIG_CMDLINE_FORCE=y to ignore cmdline passed by bootloader and use instead new one which contains defconfig.
The default cmdline is(JB bootloader with 624 MB - don't remember its baseband name)
CONFIG_CMDLINE="cachepolicy=writealloc mpcore_wdt.mpcore_margin=359 root=/dev/ram0 rw rootwait crash_reboot=yes crash_dump=no init=init console='null' [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] vmalloc=264M jig_smd=0 lpm_boot=0 checksum_pass=1 checksum_done=1 sec_debug.enable=0 sec_debug.enable_user=0 androidboot.serialno=47907233a768cf60 board_id=12 startup_graphics=1 logo. lcdtype=4 sbl_copy=1"
Click to expand...
Click to collapse
and new one that's in config:
CONFIG_CMDLINE="cachepolicy=writealloc mpcore_wdt.mpcore_margin=359 root=/dev/ram0 rw rootwait crash_reboot=yes crash_dump=no init=init console='null' [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] vmalloc=264M jig_smd=0 lpm_boot=0 checksum_pass=1 checksum_done=1 sec_debug.enable=0 sec_debug.enable_user=0 androidboot.serialno=47907233a768cf60 board_id=12 startup_graphics=1 logo. lcdtype=4 sbl_copy=1"
Click to expand...
Click to collapse
Take a look at "[email protected] [email protected]". 72M means size of HWMEM, "@256M" - its physical address. The same is for "mem" - 55M is size of nearest RAM bank.
Because we forcibly passed this cmdline and bootloader can't add parameter bootmode=2, it disallows to boot into recovery. Maybe later I'll be able to fix it.
Now about other side-effects of reduction of HWMEM - I've tested few sizes of HWMEM, and results as follows:
HWMEM=16M(699M) - camera, audio and hw decoding doesn't work at all
HWMEM=24M(691M) - camera and hw decoding doesn't work at all
HWMEM=48M - video recording and hw decoding doesn't work
HWMEM=64M - video recording still doesn't work, but camera doesn't FC when enabling video mode. May be some cameras will work.
HWMEM=72M - haven't found any bugs yet.
HWMEM=84M - default HWMEM size.
UPD. also uploaded kernel with [email protected] - this decreases available RAM, but maybe for some app or game will be useful this plenty of HWMEM
http://xda.mister-freeze.eu/XDA-files/ChronoMonochrome/kernel/mem_repart/
I've also tried to decrease modem_mem and mem_trace, but unfortunately, it causes bootloop (tested 8MB of modem memory, and 10M of mem_trace, both of these settings separately)
Now few words about how to flash it when recovery is unavailable: extract boot.img to /sdcard and flash kernel via terminal. Script to flashing kernel is attached - if you not familiar with terminal commands I recommend just execute this script to automatize the process. To return to usual kernel, extract boot.img to the same place, flash it, reboot to recovery and flash installable kernel again.
Enjoy :highfive:
@ChronoMonochrome thanks for keeping alive our ace 2 , so far I test HWMEM = 72M , but I have one question , what else do you bring to our phone ? Cheers ^^ :good::good:
Now some users will know why we doesn't see a full 768MB of RAM in phone info.
But @chrono, because of "androidboot.serialno=47907233a768cf60 board_
id=12 lcdtype=4" forced cmdline will bootup every codina devices?
Ave_Hornet said:
but I have one question , what else do you bring to our phone ? Cheers ^^ :good::good:
Click to expand...
Click to collapse
haha maybe LK3.1, but it's f***n buggy, it has problems with earlysuspend - it's unable to play music when screen is off and etc. Furthermore, I'm unable so far merge all changes from chrono kernel (most of them cause bootloop).
PolishVodka said:
Now some users will know why we doesn't see a full 768MB of RAM in phone info.
But @chrono, because of "androidboot.serialno=47907233a768cf60 board_
id=12 lcdtype=4" forced cmdline will bootup every codina devices?
Click to expand...
Click to collapse
Hm, honestly I've some doubts about it - maybe anyone already tested it?
This "androidboot.serialno" probably was generated by bootloader - I haven't tested yet whether other number works or not.
UPD. checked right now - at least androidboot.serialno=ffffffffffffffff works as well as mentioned one. board_
id=12 shouldn't cause problems since it's probably number, specific for codina, but only lcdtype=4 may cause problems on s6d display.
ChronoMonochrome said:
Because we forcibly passed this cmdline and bootloader can't add parameter bootmode=2, it disallows to boot into recovery. Maybe later I'll be able to fix it.
Click to expand...
Click to collapse
Fixed! :fingers-crossed: https://github.com/ChronoMonochrome/Chrono_Kernel/commit/8dbbd48feb1c57db7a335684ff418af01de00d40
This extends bootloader cmdline with new size of HWMEM, instead of passing custom cmdline.
As it turned out, HWMEM should be minimum 68 MB to avoid having any bugs:
http://xda.mister-freeze.eu/XDA-files/ChronoMonochrome/kernel/mem_repart/codina_kernel_hwmem68M.zip
Let me know, if you need a build with even lower size of HWMEM.
As for now, I did not notice any error in HWMEM=64 , but if I think well, that if the will not be any errors ,such modification will be commonplace in Your Kernel?
:silly: Btw. You Are CRAZY @ChronoMonochrome :good: :good:
Edit1. Searches for the network, but nothing works related to the Internet ,Anyone can confirm that ?
Damn it, it was too fast. I've seen some errors in kmsg and camera randomly FCs. I'm afraid that some errors in logs also can evidence about damage FS. I had to restore CWM backup to avoid camera FC, but even on usual kernel with orig HWMEM size I still have errors in kmsg when taking a photo:
Code:
<4>[ 54.664611] CM_NO_MORE_MEMORY domainId: 22, memType 7, wordSize 61440, alignement 15
<4>[ 54.664642] ALLOCATOR Dumping allocator "scratch" [0x00058800:0x00068800]
<4>[ 54.664642] Error: CM_NO_MORE_MEMORY: CM_AllocMpcMemory() failed
<6>[ 55.954864] dma dma0chan22: allocated logical channel (phy 3)
But I should say that I've previously used more unstable HWMEM size as low as mentioned 16 MB - and I've had some crashes which probably caused memory corruption(I do not mean the RAM, as is a non-volatile memory). The problem is that I've used dynamic fsync - now I came to conclusion that we should forget about using it - even simple app FC can cause problems, which persists until you restore full CWM backup. Does anyone have camera FC or errors in kmsg like above?
ChronoMonochrome said:
...... The problem is that I've used dynamic fsync - now I came to conclusion that we should forget about using it - even simple app FC can cause problems, which persists until you restore full CWM backup. Does anyone have camera FC or errors in kmsg like above?
Click to expand...
Click to collapse
Yeah, exactly the same what i had said for some weeks.. it makes no sense.... kernel default is "0" Fsync ON and i've removed NT-APP Permission to make it fail-safe (for this tweak)..
usually it's no problem if we have a fresh cwm backup.. simply format /data and restore only /data .. in 99% of cases the system works normal again..
PolishVodka said:
Now some users will know why we doesn't see a full 768MB of RAM in phone info.
Click to expand...
Click to collapse
Why was clear since beginning, but i remember talk about HOW to change it you-know-where over year ago
Now this topic is extremly interesting.
Vodka, will you make SAME kernel that's used in slimkat with HWMEM=64?
I fell off my chair seeing how this rom with your kernel works, this is totally unreal, man(14760 pts in antutu at 1.1ghz - also - machine works now at 500mhz like at 800mhz before).
Outstanding! Simply outstanding! :good:
Sorry to be without any information in this post. But this news must be celebrated.
EDIT
Using 68M without any issues... Camera/Video are working fine... with incredible RAM of 647 MB :good:
fluffi444 said:
Using 68M without any issues... Camera/Video are working fine... with incredible RAM of 647 MB :good:
Click to expand...
Click to collapse
I could confirm this :good::good:
Edit:
Btw, would this work for any kernel @ChronoMonochrome? Or is it specific to yours?
Why not simply use dynamic memory allocation through CMA for all ION heaps to free up more RAM when not used by surfaceflinger, audio or other subsystems? Afaik legacy memory allocators like PMEM, CMEM, HWMEM were all deprecated when the unified memory manager (ION) was introduced in Android 4.0.
yowanvista said:
Why not simply use dynamic memory allocation through CMA for all ION heaps to free up more RAM when not used by surfaceflinger, audio or other subsystems?
Click to expand...
Click to collapse
Yep, I thought about dynamic memory allocation too. Unfortunately, with one thought it ended up. I do not have much experience in programming to do so. Too many things use HWMEM - if I'm not wrong, mali also use it. It doesn't seem to me a simple.
shaqman89 said:
Btw, would this work for any kernel @ChronoMonochrome? Or is it specific to yours?
Click to expand...
Click to collapse
There are nothing specific to my kernel. As I said, it just adds new parameters "hwmem" and "mem" to the end of cmdline(it's much simplier to don't override old parameters but just do as it done). Therefore, it should work with every kernel.
Should i flash the zip after chronokernel version 2.19 or no?
HI @ChronoMonochrome
Take a look at "[email protected] [email protected]". 72M means size of HWMEM, "@256M" - its physical address. The same is for "mem" - 55M is size of nearest RAM bank.
if i change hwmem from 72 to 70 or 71 and mem from 55 to 60 or 56 its good for ace 2
and how i change this hwmem and mem ?
thanks sorry if my english is bad
I want to test it on my Ace 2. What is most stable value for our phone? And can You tell me how-to-do-it with noob-friendly tut?
str3tch72 said:
I want to test it on my Ace 2. What is most stable value for our phone? And can You tell me how-to-do-it with noob-friendly tut?
Click to expand...
Click to collapse
A user with over 2000 post is not allowed to ask for an "noob-friendly how-to".
If you do so anyway you are just only to lazy to search or to lazy to switch brain to ON.
*just kidding (a bit)* :highfive:
Just flash complete Kernel - HWMEM changes are hardcoded in kernel...
http://xda.mister-freeze.eu/XDA-files/ChronoMonochrome/kernel/mem_repart/
chrono_kernel_R2.21.2_hwmem68.zip is the latest with HWMEM68 which gives you 640 of RAM.
But be warned - Sooner or later some apps starting to FC without any obvious reason.
@ChronoMonochrome
Good job , thnaks.
I remember , when we upgrade Android 2 to 4 , there was two partitions named param and normal , that shoud be replaced in order to increase memory from 500MB to 624 , so what was that?
Here is that thread
sorset said:
@ChronoMonochrome
Good job , thnaks.
I remember , when we upgrade Android 2 to 4 , there was two partitions named param and normal , that shoud be replaced in order to increase memory from 500MB to 624 , so what was that?
Here is that thread
Click to expand...
Click to collapse
624MEM_V2.tar.md5 replaces bootloader, but 624MEM_V1.tar.md5 doesn't... It should be interesting itself, but I haven't any idea how it can work without replacing bootloader and its cmdline.
UPD. Maybe cmdline isn't hardcoded in bootloader, but written somewhere in param.lfs.
fluffi444 said:
......
chrono_kernel_R2.21.2_hwmem68.zip is the latest with HWMEM68 which gives you 640 of RAM.
But be warned - Sooner or later some apps starting to FC without any obvious reason.
Click to expand...
Click to collapse
Right now flashed my Kernel with HWMEM=68 (646MB RAM) .. and now i just want to ask u how long i need to wait till some Apps starts to FC ?? - Of course just approxx. maybe after 1 day of usage ???