{"id":16974772,"url":"https://github.com/3f/aml_s905_uboot","last_synced_at":"2025-03-22T14:31:39.073Z","repository":{"id":144757674,"uuid":"163871584","full_name":"3F/aml_s905_uboot","owner":"3F","description":"u-boot DDR mods ~","archived":false,"fork":false,"pushed_at":"2021-07-18T18:56:59.000Z","size":18667,"stargazers_count":69,"open_issues_count":3,"forks_count":19,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-03-18T12:03:01.213Z","etag":null,"topics":["aml-encrypt-gxb","amlogic","ddr","ddrpara","memory","mtool","s905","u-boot"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/3F.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"License.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":["3F.github.io/Donation"]}},"created_at":"2019-01-02T17:48:23.000Z","updated_at":"2025-01-09T07:15:19.000Z","dependencies_parsed_at":null,"dependency_job_id":"c2dbee3b-ff51-4ff5-b3ee-e40463f644d0","html_url":"https://github.com/3F/aml_s905_uboot","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/3F%2Faml_s905_uboot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/3F%2Faml_s905_uboot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/3F%2Faml_s905_uboot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/3F%2Faml_s905_uboot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/3F","download_url":"https://codeload.github.com/3F/aml_s905_uboot/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244972068,"owners_count":20540917,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aml-encrypt-gxb","amlogic","ddr","ddrpara","memory","mtool","s905","u-boot"],"created_at":"2024-10-14T01:08:00.662Z","updated_at":"2025-03-22T14:31:39.066Z","avatar_url":"https://github.com/3F.png","language":"C","funding_links":["3F.github.io/Donation"],"categories":[],"sub_categories":[],"readme":"\n```\nCopyright (c) 2018 Denis Kuzmin \u003cx-3F@outlook.com\u003e github/3F\n```\n\n[ [ ☕ ](https://3F.github.io/Donation/) ]\n\nMy personal experiments since ~February 2018 thanks to my personal reverse engineering because the manufacturer of the board refused to provide the source code even though it is under GPL.\n\n*Nobody has been hurt except my time.*\n\n⚠ Everything below is at your own risk. Enjoy.\n\n```\n~ DDR init; h224_v2.01_M9S-PRO ~\n00009800 03 02 01 00 00 03 02 00 00 0C 10 02 00 00 00 00 ................\n00009810 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00009820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00009830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00009840 00 00 00 00 06 50 00 0A 78 00 E8 03 00 00 00 00 .....P..x.и.....\n00009850 20 4E 80 08 E8 03 B4 00 00 00 00 00 00 00 00 00 NЂ.и.ґ.........\n00009860 00 00 21 00 ..!.\n```\n\n# AML Gxb\n\ns905 ARM64; For h224_v2.01_M9S-PRO (RAM \u0026 ROM: 3G `kmr21000bm-b809` \u0026 32G `thgbmbg8d4kbair`)\n\nDRAM bus width for s905 is **16-bit**:\n\n* 16 lines, balls {P4, P1, R1, V1, L4, U2, N2, T2, M2, R2, L2, N3, P2, T1, N4, M1}\n\n![](./resources/img/h224_v2.01_sm.jpg)\n![](./resources/img/h224_v2.01_bk.jpg)\n\n## Extracting bootloader from ROM\n\ns905 bootloader will be stored with **0-offset in emmc** (s905x +512 bytes).\n\nFor attached /dev/block, we can use dd:\n\n```bash\ndd if=/dev/block/bootloader of=/usb_otg/bootloader.img\n```\n\nFirst ~848 Kb from bootloader.img is compiled **u-boot.**\n\nFull prepared image: [u-boot_2G__3F__-_h224_v2.01_gxb_g4fcf8d0_aarch64.img](./resources/u-boot_2G__3F__-_h224_v2.01_gxb_g4fcf8d0_aarch64.img)\n\n\n## Structure to configure DDR\n\nExtracting img:\n\n```\nmkdir out \u0026 AmlImagePack -d u-boot_2G__3F__-_h224_v2.01_gxb_g4fcf8d0_aarch64.img out\n\n[Msg]Image package version 0x2\n[Msg]Unpack item [USB , DDR] to (out\\DDR.USB) size:49152 bytes\n[Msg]Unpack item [USB , UBOOT] to (out\\UBOOT.USB) size:819200 bytes\n[Msg]Unpack item [PARTITION , bootloader] to (out\\bootloader.PARTITION) size:868352 bytes\n[Msg]Unpack item [conf , platform] to (out\\platform.conf) size:202 bytes\n[Msg]Write config file \"out\\image.cfg\" OK!\nImage unpack OK!\n```\n\n```\nPlatform:0x0811\nDDRLoad:0xd9000000\nDDRRun:0xd9000000\nUbootLoad:0x200c000\nUbootRun:0xd9000000\nControl0=0xd9000000:0x000000b1\nControl1=0xd9000000:0x00005183\nEncrypt_reg:0xc8100228\nbl2ParaAddr=0xd900c000 \u003c\u003c\u003c\u003c\u003c\u003c BL2, see ddrpara section below\n```\n\nOffset **0x9800** from the beginning of the extracted bootloader.PARTITION\n\n```\n03 02 01 00 01 03 02 00 00 04\n```\n\nLooks like:\n\n```\n [03] [02] [01 00] [01] 03 02 00 [ 00 04 ]\n ^\n .ddr_type ^ \n .ddr_channel_set ^\n .ddr_clk ^\n .ddr_size_detect ^\n .ddr_size\n \n```\n\n* If .ddr_size_detect = **0** then, for example, .ddr_size = **00 04** will map only 1024Mb\n* If .ddr_size_detect = **1**, it will use an std algorithm to detect the range.\n\nThat is, we need to reset .ddr_size_detect flag and use .ddr_size like:\n\n```\n0002: 512MB\n0004: 1G\n0008: 2G\n...\n```\n\nAn original structure and types of fields in \\uboot-2015-11-04-e90bf25ce2\\arch\\arm\\include\\asm\\arch-gxb\\timing.h\n\nValues: \\board\\amlogic\\gxb_p201_v1\\firmware\\timing.c; \\include\\configs\\gxb_p201_v1.h\n\n* The **__ddr_setting** struct (where defined this fields) should be marked with a magic word **ddrs_** (`64 64 72 73 5F`)\n\n\\arch\\arm\\cpu\\armv8\\gxb\\firmware\\acs\\acs.c\n Placed at the end - address **0x9AE0**\n\n```\n .ddr_magic = \"ddrs_\",\n .ddr_set_version = 1,\n .ddr_set_length = sizeof(ddr_set_t),\n .ddr_set_addr = (unsigned long)(\u0026__ddr_setting), \n```\n\nField types - \\arch\\arm\\include\\asm\\arch-gxb\\acs.h\n\n```\n //ddr setting part, 16 bytes\n char ddr_magic[5]; //magic word. \n unsigned char ddr_set_version; //struct version, for PC tool use.\n unsigned short ddr_set_length; //length of ddr struct.\n unsigned long ddr_set_addr; //address of ddr setting.\n```\n\nFinally, the specific address of block with the entire structure and its length is calculated as follows:\n\n```\n* Find \"ddrs_\" (64 64 72 73 5F)\n* The next byte indicates the version - 03\n* After, 44 01 is a size of struct: 324 bytes\n* Next must be unsigned long 4 bytes, But! my value is too large or written with an offset in 0xD9000000: \n\nThus, we are moving to 0x9800\n\n\n00009800 03 02 01 00 00 03 02 00 00 0C 10 02 00 00 00 00 ................\n00009810 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00009820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00009830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00009840 00 00 00 00 06 50 00 0A 78 00 E8 03 00 00 00 00 .....P..x.и.....\n00009850 20 4E 80 08 E8 03 B4 00 00 00 00 00 00 00 00 00 NЂ.и.ґ.........\n00009860 00 00 21 00 ..!.\n\n\n^ This is full data of struct to configure DDR. \n```\n\n## Changing DDR binary struct\n\nWe need to rehash and rebuild the header of this file before updating ROM.\n\nHowever, we shouldn't use header from image.h (u-boot).\n\nOur header is a special **executable sequence for AML** processors (**ddrpara** sequence, see below)\n\nFortunately, Amlogic distributes an closed linux tool **aml_encrypt_gxb** (in \\fip\\gxb\\ )\n\nJust command this:\n\n```\naml_encrypt_gxb --bootsig --input bootloader.PARTITION --output u-boot_new.bin\n```\n\nAfter, copy new data into the same folder\n\n```\ndel /Q/F bootloader.PARTITION DDR.USB UBOOT.USB\nren u-boot_new.bin bootloader.PARTITION\nren u-boot_new.bin.usb.bl2 DDR.USB\nren u-boot_new.bin.usb.tpl UBOOT.USB \n```\n\nAnd pack it:\n\n```\nAmlImagePack -r out\\image.cfg out mod1.img\n```\n\nDon't forget to reinitialize u-boot in RAM. Reboot, or:\n\n```\n0xd9000000 // \u003c bl2\n0x200c000 // \u003c tpl to ddr\n0xd900c000 // \u003c write here seq to exec 0x200c000 -\u003e 0xd9000000 \n```\n\n## ARM Trusted Firmware\n\nBoot levels called BL1, BL2, BL3-1, BL3-2 BL3-3\n\nFirst part of bootloader.PARTITION is a DDR.USB:\n\n* About 48 Kb before sequence [**010064AA**] ~ u-boot.bin.usb.bl2 (**BL2**)\n\n Header is an executable sequence for AML. Before `@AMLрї`\n\nSecond part starting with `010064AA` is UBOOT.USB ~ u-boot.bin.usb.tpl\n\n## ddrpara and executable sequence for AML\n\n### ddr init from usb\n\n```\nwrite DDR.USB 0xd9000000 //download usb bl2 \nwrite usbbl2runpara_ddrinit.bin 0xd900c000 //download bl2 para\n``` \n\nwhere usbbl2runpara_ddrinit.bin is **BL2** seq for DDR initialization (32 bytes):\n```\nAB CD 12 34 00 02 00 00 DF C0 00 00 01 00 00 00 00 00 40 00 CC C0 82 00 00 00 00 10 00 00 00 00 \n```\n\nrun bl2 to ddr init:\n```\nrun 0xd9000000\n```\n \n### run u-boot from usb\n\n```\nwrite u-boot.bin.usb.bl2 0xd9000000 // bl2 \nwrite u-boot.bin.usb.tpl 0x200c000 // tpl to ddr \nwrite usbbl2runpara_runfipimg.bin 0xd900c000 // for booting tpl from 0x200c000 \n```\n\nusbbl2runpara_runfipimg.bin:\n```\nAB CD 12 34 00 02 00 00 E1 C0 00 00 01 00 00 00 00 00 00 00 00 C0 00 00 01 00 00 00 00 C0 00 02 00 40 0A 00 57 62 CC 85 C6 7E 5E 10 D4 F8 84 DF\n```\n\nrun bl2 to boot tpl:\n```\nrun 0xd9000000\n```\n\n\n## u-boot copy memory \u0026 mread tests\n\n```\nmread mem 0x7FFFFFF0 normal 0x0F\n```\n\nResults for .ddr_size_detect = 0; .ddr_size = \n\n```\n-----------------\n04 08\n------\n\n0x90000000 - 0xF0000000: 770 Mb (807 403 520 bytes)\n0x40000000 - 0xC0000000: 2,00 Gb (2 149 580 800 bytes)\n0x10000000 - 0xC0000000: 2,75 Gb (2 954 887 168 bytes)\n 0x1000000 - 0xF0000000: 2,98 Gb (3 206 545 408 bytes)\n\n\n= 3Gb (-\u003e 2^10) + 2 097 152b \nmread mem 0x1000000 normal 0xF0000000\n```\n\n**u-boot, cp - copy memory:**\n\n```\ntplcmd \"cp 0x7FFFFF00 0xB0000000 0xFF\"\nAmlUsbTplCmd = cp 0x7FFFFF00 0xB0000000 0xFF rettemp = 1 buffer = cp 0x7FFFFF00 0xB0000000 0xFF\nAmlUsbReadStatus retusb = 1\nreply success\n```\n\nWith the following unicorns:\n\n* Speed. Drops down when addressing more than ~1,4G. Means not so fast as before.\n\nAs I see, **s905 has address bus width - 16-bit** (i.e. 16 lines, see balls above). That is, there should be multiplexing on addressing the second half of the upper range, anyway at least 64K+. So ...\n\n\nResults for .ddr_size_detect = 0; .ddr_size = \n\n```\n-------------\n00 0C\n------\n\nlimit: mread BFFFFF00 200000\nthat is: C01FFF00 = 3 223 322 368 b\n```\n\nand it also can be addressed like:\n\n```\nmread C0200FFE FF\n\nor even\nmread D0000000 FF\n```\n\nThat is, either e-mmc or scattered pieces of reserved regions. Because the sequential reading had 3G for s905 (yes, exactly not for s905x) with magic sequence (non-repeated, and from a single region).\n\nhmm, emmc? or...\n\n## mtool via mread, tplcmd, bulkcmd\n\nupdate.exe provides the following commands: mread, tplcmd, bulkcmd. That just sends commands to **mtool** (part of u-boot)\n\nFor example, Response of **tplcmd** command \\uboot-2015-11-04-e90bf25ce2\\drivers\\usb\\gadget\\v2_burning\\v2_usb_tool\\optimus_transform.c\n\n```cpp\nint optimus_working (const char *cmd, char* buff)\n ...\n else\n {\n int flag = 0;\n ret = run_command(cmd, flag);\n DWN_MSG(\"ret = %d\\n\", ret);\n /*ret = ret \u003c 0 ? ret : 0;*/\n }\n\n if (ret)\n {\n memcpy(buff, \"failed:\", strlen(\"failed:\"));//use memcpy but not strcpy to not overwrite storage/key info\n }\n else\n {\n memcpy(buff, \"success\", strlen(\"success\"));//use memcpy but not strcpy to not overwrite storage/key info\n }\n```\n\nThe only possible response \"success\" or \"failed:\". Via USB-sniffer tools, update.exe tplcmd \"\" will receive \"failed:no command at all\"\n\n```cpp\nif ((argc = cli_simple_parse_line(cmdBuf, argv)) == 0)\n{\n strcpy(buff, \"failed:no command at all\");\n printf(\"no command at all\\n\");\n return -1; /* no command at all */\n}\n```\n\n### UART\n\n![](./resources/img/UART.jpg)\n\nfrom square pin: GND, TX, RX, VCC (is not required)\n\n\n## linux kernel\n\nUnable to handle kernel paging request at virtual address 21b839b029 ? yeah :)\n```\n[ 126.734416@0] Unable to handle kernel paging request at virtual address 21b839b029\n[ 126.735081@2] Unable to handle kernel paging request at virtual address 21b83b3029\n[ 126.735090@2] pgd = ffffffc09ccfb000\n[ 126.735103@2] [21b83b3029] *pgd=0000000000000000\n[ 126.735119@2] Internal error: Oops: 96000005 [#1] PREEMPT SMP\n[ 126.735147@2] Modules linked in: dwc_otg aml_thermal(O) mali(O) aml_nftl_dev(PO)\n[ 126.735168@2] CPU: 2 PID: 4712 Comm: RenderThread Tainted: P W O 3.14.29-g76ab4eb-dirty #2\n[ 126.735173@2] task: ffffffc0a05c8000 ti: ffffffc075e74000 task.ti: ffffffc075e74000\n[ 126.735213@2] PC is at kfree+0x94/0x238\n[ 126.735219@2] LR is at kfree+0x88/0x238\n[ 126.735222@2] pc : [\u003cffffffc0011ac178\u003e] lr : [\u003cffffffc0011ac16c\u003e] pstate: a0000145\n[ 126.735225@2] sp : ffffffc075e77a40\n[ 126.735230@2] x29: ffffffc075e77a40 x28: ffffffc075e77c00 \n[ 126.735234@2] x27: 0000000000000000 x26: 00000021b83b3021 \n[ 126.735237@2] x25: 00000000b83b3000 x24: ffffffc020101b40 \n[ 126.735241@2] x23: ffffff8042b2d9f0 x22: ffffffc075e74000 \n[ 126.735245@2] x21: ffffffc001764404 x20: ffffffc0994cee00 \n[ 126.735248@2] x19: 0000002100000021 x18: 0000000000000000 \n[ 126.735252@2] x17: 0000000000000000 x16: ffffffc001795064 \n[ 126.735255@2] x15: 0000000000000000 x14: 00000000f6e4f21b \n[ 126.735260@2] x13: 00000000daf21320 x12: 00000000daf21330 \n[ 126.735264@2] x11: 00000000ab2decc8 x10: 00000000daf21d20 \n[ 126.735268@2] x9 : 00000000daf21d28 x8 : 0000000000000960 \n[ 126.735273@2] x7 : 0000000000000124 x6 : 0000000000000018 \n[ 126.735277@2] x5 : ffffffc07cb27bb0 x4 : 0000000002b1d9f0 \n[ 126.735282@2] x3 : 0000000000000b53 x2 : ffffffc0994cee00 \n[ 126.735287@2] x1 : 0000000000000000 x0 : ffffffc075e74000 \n[ 126.735292@2] \n\n...\n\n[ 131.465441@0] Call trace:\n[ 131.468031@0] [\u003cffffffc0011ac178\u003e] kfree+0x94/0x238\n[ 131.472868@0] [\u003cffffffbffc01ce1c\u003e] _mali_osk_free+0x8/0x14 [mali]\n[ 131.478908@0] [\u003cffffffbffc028db8\u003e] mali_pp_job_delete+0x44/0x54 [mali]\n[ 131.485379@0] [\u003cffffffbffc02ad78\u003e] mali_scheduler_complete_pp_job+0x68/0x78 [mali]\n[ 131.492884@0] [\u003cffffffbffc02db4c\u003e] mali_executor_interrupt_pp+0x104/0x1d0 [mali]\n[ 131.500214@0] [\u003cffffffbffc02ffa4\u003e] mali_group_upper_half_pp+0x20/0x30 [mali]\n[ 131.507193@0] [\u003cffffffbffc01c1a8\u003e] $x+0x20/0x34 [mali]\n[ 131.512281@0] [\u003cffffffc0010f2664\u003e] handle_irq_event_percpu+0x64/0x260\n[ 131.518660@0] [\u003cffffffc0010f28b0\u003e] handle_irq_event+0x50/0x80\n[ 131.524353@0] [\u003cffffffc0010f5d9c\u003e] handle_fasteoi_irq+0xa0/0x140\n[ 131.530303@0] [\u003cffffffc0010f1c80\u003e] generic_handle_irq+0x38/0x54\n[ 131.536169@0] [\u003cffffffc0010848ac\u003e] handle_IRQ+0x50/0xd0\n[ 131.541343@0] [\u003cffffffc001081418\u003e] gic_handle_irq+0x44/0x88\n[ 131.546862@0] Exception stack(0xffffffc0992f3a40 to 0xffffffc0992f3b60)\n[ 131.553420@0] 3a40: 7b2a8840 ffffffc0 97931000 ffffffc0 992f3b80 ffffffc0 0117bb54 ffffffc0\n[ 131.561700@0] 3a60: 7583bed0 ffffffc0 7c9eb810 ffffffc0 7c864000 ffffffc0 20070010 00000000\n[ 131.569979@0] 3a80: e2ca9000 00000000 0000fffd 00000000 00000000 00000000 00000000 00000000\n[ 131.578259@0] 3aa0: 00000000 00000000 00000004 00000000 0000000f 00000000 992f39f8 ffffffc0\n[ 131.586539@0] 3ac0: 01a27000 ffffffc0 00000001 00000000 f70ffa59 00000000 00000000 00000000\n[ 131.594819@0] 3ae0: 011b52e0 ffffffc0 00000000 00000000 00000000 00000000 7b2a8840 ffffffc0\n[ 131.603100@0] 3b00: 97931000 ffffffc0 00000000 00000000 7cf36900 ffffffc0 00000001 00000000\n[ 131.611380@0] 3b20: 97931000 ffffffc0 000002be 00000000 9bb8ac40 ffffffc0 ab346402 00000000\n[ 131.619659@0] 3b40: 992f3e30 ffffffc0 992f3b80 ffffffc0 0117bb24 ffffffc0 992f3b80 ffffffc0\n[ 131.627938@0] [\u003cffffffc001083da8\u003e] el1_irq+0x68/0xd8\n[ 131.632856@0] [\u003cffffffc00121d180\u003e] show_map_vma+0x1cc/0x264\n[ 131.638374@0] [\u003cffffffc00121dd98\u003e] show_smap+0xa4/0x2d4\n[ 131.643549@0] [\u003cffffffc00121dff0\u003e] show_pid_smap+0x28/0x38\n[ 131.648986@0] [\u003cffffffc0011d9410\u003e] seq_read+0x328/0x418\n[ 131.654161@0] [\u003cffffffc0011b4950\u003e] vfs_read+0x94/0x18c\n[ 131.659247@0] [\u003cffffffc0011b5330\u003e] SyS_read+0x50/0xb0\n[ 131.664250@0] Code: 97fc7670 d538d099 f9400313 8b13033a (f940075b) \n[ 131.670459@0] ---[ end trace f089fc822127ed99 ]---\n```\n\nlayout from boot:\n\n```\n[ 0.000000@0] Memory: 2624776K/3093504K available (9512K kernel code, 991K rwdata, 3288K rodata, 1030K init, 3245K bss, 468728K reserved)\n[ 0.000000@0] Virtual kernel memory layout:\n[ 0.000000@0] vmalloc : 0xffffff8000000000 - 0xffffff8040000000 ( 1024 MB)\n[ 0.000000@0] vmemmap : 0xffffff8040010000 - 0xffffff8043580000 ( 53 MB)\n[ 0.000000@0] modules : 0xffffffbffc000000 - 0xffffffc000000000 ( 64 MB)\n[ 0.000000@0] memory : 0xffffffc000000000 - 0xffffffc0be000000 ( 3040 MB)\n[ 0.000000@0] .init : 0xffffffc001d02000 - 0xffffffc001e03b80 ( 1031 kB)\n[ 0.000000@0] .text : 0xffffffc001080000 - 0xffffffc001d01134 ( 12805 kB)\n[ 0.000000@0] .data : 0xffffffc001e04000 - 0xffffffc001efbdb8 ( 992 kB)\n[ 0.000000@0] PM: Registered nosave memory: [mem 0x01080000-0x01d00fff]\n\n```\n\n### Device tree\n\nTo load into memory and send to the kernel from u-boot\n\n```\nDevice Tree - base address, on/off drivers, ...\n v \u003c --- dynamic bunding\n Kernel Image\n v\n Boot loader (runtime svc)\n v\n```\n\ntemplate for memory:\n\n```\nmemory {\n\treg = \u003c(baseaddr1) (size1)\n\t\t(baseaddr2) (size2)\n\t\t...\n\t\t(baseaddrN) (sizeN)\u003e;\n};\n```\n\nregions:\n\n```\n(name): region@(base-address) {\n\treg = \u003c(baseaddr) (size)\u003e;\n\t(linux,contiguous-region);\n\t(linux,default-contiguous-region);\n};\n```\n\n#### Extracting Dtb from boot image\n\n* Find: `D0 0D FE ED`\n* Next is size in **BE** seq (i.e. 9E5A is 40538): `[D0 0D FE ED] [00 00 96 B0] ... 38576 bytes`\n\n#### Updating Dtb in ROM\n\n```bash\nupdate mwrite %1 mem 0x1080000 normal \nupdate bulkcmd \"store dtb write 0x1080000\"\n```\n\n#### device-tree-compiler\n\n```\napt-get install device-tree-compiler\n```\n\nDtb -\u003e Dts:\n\n```\ndtc -I dtb -O dts -o {dts} {dtb}\nor\nfdtdump {dtb} \u003e {dts}\n```\n\nDts -\u003e Dtb:\n\n```\ndtc -I dts -O dtb -o {dtb} {dts}\n```\n\n## Mods\n\n```\n* 0108 and 0408, ok:\n\n DDR0: 4096MB-1T-49\n DDR1: 2048MB-1T-49\n \n* 000С, ok:\n\n DDR0: 2048MB-1T-49\n DDR1: 1024MB-1T-49\n \n* 0004, ok:\n\n DDR0: 512MB-1T-49\n DDR1: 512MB-1T-49\n \n* 0002, ok:\n\n DDR0: 256MB-1T-49\n DDR1: 256MB-1T-49\n \n* Without mod 0008 + auto-detect, ok:\n\n DDR0: 1024MB(auto)-1T-49\n DDR1: 1024MB(auto)-1T-49\n \n* 0008: ok\n\n DDR0: 1024MB-1T-49\n DDR1: 1024MB-1T-49\n```\n\n* 0003 \u0026 0005 \u0026 0006 \u0026 0007: not tested\n\n```\n* 0001:\n ! bootloop: after GXBB:BL1:08dafd:0a8993;FEAT:EDFC318C;POC:3;RCY:0;EMMC:0;READ:0;CHK:0;\n \n DDR0: 128MB-1T-49\n DDR1: 128MB-1T-49\n\n* 0009 \u0026 000B \u0026 000D \u0026 000F:\n ! bootloop, DRAM: \"Synchronous Abort\" handler, esr 0x96000010\n \n DDR0: 512MB-1T-49\n DDR1: 256MB-1T-49\n \n\n* 000A \u0026 000E:\n ! bootloop, DRAM: \"Synchronous Abort\" handler, esr 0x96000010\n\n DDR0: 1024MB-1T-49\n DDR1: 512MB-1T-49\n```\n\n## Access Mode\n\nWhen u-boot/ddr is corrupted, we can try to switch memory controller into access mode\n\ne-mmc 5.0 standard (used in THGBMBGxxxxx) describes the following **OCR** registers:\n\nOCR Register | VDD voltage window | High Voltage | Dual voltage \n----------------|--------------------|-----------------------------------|-------\n[23:15] | 2.7-3.6V | 1 1111 1111b | 1 1111 1111b \n[28:24] | Reserved | 0 0000b | 0 0000b \n[30:29] | Access Mode | 00b (byte mode) 10b (sector mode) | 00b (byte mode) 10b (sector mode) \n[31] | Device power up status bit (busy) \n\nTherefore, we need **29-30** pins (from the key):\n\n![](./resources/img/emmc_5_access_mode_thgbmbg8d4kbair.jpg)\n\nNow, just rewrite bootloader from zero offset (s905), and so on. Works for me.\n\n## build u-boot\n\n```\naarch64-none-elf-gcc (crosstool-NG linaro-1.13.1-4.8-2013.11 - Linaro GCC 2013.10) 4.8.3 20131111 (prerelease)\n\nGNU ld (crosstool-NG linaro-1.13.1-4.8-2013.11 - Linaro GCC 2013.10) 2.23.2.20130610 Linaro 2013.10-4\n```\n\n```\nsudo apt-get install gcc-arm-none-eabi\n\n# optional sudo apt-get install build-essential\n```\n\n```\n$ make gxb_p201_v1_defconfig\n$ make\n...\nCreating \"../fip/gxb/fip.bin\"\nFirmware Image Package ToC:\n---------------------------\n- SCP Firmware BL3-0: offset=0x4000, size=0x9E88\n- SCP Firmware BL3-0-1: offset=0x10000, size=0x1644\n- EL3 Runtime Firmware BL3-1: offset=0x14000, size=0x110D0\n- Non-Trusted Firmware BL3-3: offset=0x28000, size=0x9D2B8\n---------------------------\nACS tool process done.\n9396+0 records in\n9396+0 records out\n9396 bytes (9.4 kB, 9.2 KiB) copied, 0.0487996 s, 193 kB/s\n../fip/gxb/u-boot.bin build done!\nreg@M9S-VirtualBox:~/uboot$ \n```\n\namlogic build env:\n\n```\nwget http://openlinux.amlogic.com:8000/deploy/deploy_amlogic_ubuntu.sh\n# wget http://openlinux.amlogic.com:8000/deploy/TOOLSENV.sh\nbash deploy_amlogic_ubuntu.sh\n```\n\nwith buildroot: \n\n```\n$ tar zxvf arm-buildroot.tar.gz\n$ cd buildroot\n$ make mesongxb_p201_release_defconfig\n$ make\n```\n\n## code errors\n\ngxb_p201_v1\\firmware\\timing.c2 should be:\n\n```\npll_set_t __pll_setting = {\n .cpu_clk = CONFIG_CPU_CLK / 24 * 24,\n .spi_ctrl = 0,\n .vddee = CONFIG_VDDEE_INIT_VOLTAGE,\n .vcck = CONFIG_VCCK_INIT_VOLTAGE,\n};\n```\n\nstruct inside arch/arm/include/asm/arch-gxb/timing.h\n\n```\nstruct pll_set{\n unsigned short cpu_clk;\n unsigned short pxp;\n unsigned int spi_ctrl;\n unsigned short vddee;\n unsigned short vcck;\n unsigned char szPad[4];\n unsigned long lCustomerID;\n}__attribute__ ((packed));\n\ntypedef struct pll_set pll_set_t;\n```\n\nBL2 will be also passed for .pxp = 1 (CONFIG_PXP_EMULATOR=y) based on cfg skt_v1\n\nPXP_defconfig is a wrapper of skt with enabled .pxp emulator (same instruction from the processor).\n\n## _\n\n```\nCopyright (c) 2018 Denis Kuzmin \u003cx-3F@outlook.com\u003e github/3F\n```\n\n[ [ ☕ ](https://3F.github.io/Donation/) ]\n\nMy personal experiments since ~February 2018 thanks to my personal reverse engineering because the manufacturer of the board refused to provide the source code even though it is under GPL.\n\n*Nobody has been hurt except my time.*\n\n⚠ Everything above is at your own risk. Enjoy.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F3f%2Faml_s905_uboot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F3f%2Faml_s905_uboot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F3f%2Faml_s905_uboot/lists"}