NX300 Bootloader
This is an analysis of the bootloader used for Samsung Galaxy NX, NX2000 and NX300 based on binary and source code analysis.
There are two bootloader stages before the actual OS, according to `TIZEN/project/NX300/packages/bootloader/rom.txt`:
- D4_IPL, 8KB at offset `0x00000000`
- D4_PNLBL, 64KB at memory offset `0x70200000`
- OS image at memory offset 0xC0007FC0
This wiki page aims to document their tasks.
IPL and PNLBL binaries are built from the same source code directory, using `CONFIG_IPL` and `CONFIG_PNLBL` defines to distinguish functionality.
Furthermore, the Makefile references a third loader, `dnloader`. It is a "downloader" for the firmware image located on the SD card. It seems to be used as a recovery method, when flashing a firmware image from SD card by shorting two contact points on the main board, without a usable display or Linux running.
Source code review pending.
According to `strings D4_IPL.bin` it performs the following tasks:
- boot mode detection (warm start, RTC timer wakeup)?
- watchdog init
- DDR memory initialization
- set DSP core voltage based on e-fuse (ImgInfo[127]), only NX2000?
- PNLBL loading from NAND (addresses based on ImgInfo[4..6])
The bootloader outputs a short hello and the board version over UART.
PNL seems to be either the NAND controller or data layout used by Samsung, background info can be obtained from `drv/nand/PNL.c`.
Tasks:
- Flash new firmware updates (`nx300.bin` on SD card)? (ifdef-0'ed in Main.c)
- Usage of `fwinfo` and `rom.txt` files on SD card with flashing instructions
- Interactive shell over UART (press `[Enter]` fast enough, but where is the UART?)
- Boot Linux kernel / resume from suspend image
- ...
There is code in PNL.c to read page 62 from NAND and check it for the string "SLP_FW_UPRADE", but the call is ifdef-0'ed in Main.c.
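The same check can be run offline against a raw NAND dump. The following is an added example, not code from the NX300 sources: the page does not state the NAND page size or whether a dump includes spare (OOB) bytes, so the geometries listed are assumptions, as is the linear page-by-page dump layout. The sample image is constructed.

```python
from typing import List, Optional, Tuple

MARKER = b"SLP_FW_UPRADE"  # spelled exactly as quoted on this page
MARKER_PAGE = 62           # NAND page number given on this page

# Assumed (data_bytes, spare_bytes) layouts of a raw dump; not taken from PNL.c.
GEOMETRIES = [(2048, 0), (2048, 64), (4096, 0), (4096, 128)]

def read_page(dump: bytes, page: int, data: int, spare: int) -> Optional[bytes]:
    """Return the data area of `page`, or None if the dump is too short."""
    start = page * (data + spare)
    if start + data > len(dump):
        return None
    return dump[start:start + data]

def check_marker_page(dump: bytes) -> List[Tuple[int, int, int]]:
    """Geometries under which page 62 holds the marker: (data, spare, offset)."""
    hits = []
    for data, spare in GEOMETRIES:
        page = read_page(dump, MARKER_PAGE, data, spare)
        if page is not None and MARKER in page:
            hits.append((data, spare, page.find(MARKER)))
    return hits

def locate_marker(dump: bytes) -> List[Tuple[int, int, int, int]]:
    """Every occurrence as (offset, data, spare, page), one entry per geometry."""
    found = []
    pos = dump.find(MARKER)
    while pos != -1:
        for data, spare in GEOMETRIES:
            stride = data + spare
            if pos % stride < data:  # skip hits that start in the spare area
                found.append((pos, data, spare, pos // stride))
        pos = dump.find(MARKER, pos + 1)
    return found

def build_sample_dump() -> bytes:
    """Constructed image: 64 erased pages of 2048+64 bytes, marker in page 62."""
    stride = 2048 + 64
    dump = bytearray(b"\xff" * (64 * stride))
    dump[62 * stride:62 * stride + len(MARKER)] = MARKER
    return bytes(dump)

if __name__ == "__main__":
    sample = build_sample_dump()
    print(check_marker_page(sample))
    print(locate_marker(sample))
```

When `check_marker_page` finds nothing, the page numbers from `locate_marker` show which layout, if any, would place the marker on page 62.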
A brave user needs to disassemble the device to find the UART. Or maybe use the right resistor combination to access it via USB.
bootloader>
Supported built-in commands:
help
boot
show
test
Example of the `show` cmd help:
usage: show [cmd]
show help
display this help screen.
show env
display environment variables.
show image
display image informations.
show image_raw
display image raw informations.
It seems like PNLBL or the di-camera-app is extracting metadata from an `nx300.bin` file on SD card, and then on bootup a dnloader is launched that performs the actual firmware flashing. It can either read a full update package (`nx300.bin`), flash the necessary parts of it into NAND and boot Linux, or use the `rom.txt` and flash single files to specific locations.
Tasks:
- if `nx300.bin` exists, load vImage partition from it into RAM and start it
- Read list of filenames, partition numbers, offsets and sizes from `rom.txt` and flash them
- Load `xImage` from SD and start it
The dnloader is referenced in the service manual. You'll need the dnloader and an update image as a recovery method. An SD card of less than 1 GB is recommended (the dnloader can only read FAT32 filesystems). Disassemble the case (be careful, there is a ribbon cable from the main PCB to the display section). Then there are two triangular contact points. Short these out, switch the power of the device on (the LED should switch on), release the contacts. The LED should blink and the flashing should commence.
It's not clear whether a non-writable firmware on the DRIME IV is responsible for this behaviour, or if any of the other two bootloaders loads the dnloader, when these contacts are shorted.