Archos G9 stuff

Some stuff around the archos G9.

(For some android programs I made, see there.)

Get root

Read this.

Alternative operating system

Important notice: everything described on this page is for the archos G9 A80S, the one I have. The bootloader and the ATAGS are the most version-sensitive things, I think. It may fail to work as is with your G9 if it's not an A80S.

Introduction

There are many ways, once you are root, to boot another operating system. My way is to not touch anything in the firmware. I log into android, get root, and reboot on the SD card. A bit cumbersome, I agree. But I don't want to experiment with modifications of the system to avoid bricking it.

Note also that archos released the SDE for the G9. It might be easier to build a custom system within this framework (but you miss the bootloader's fun).

HELP WANTED! Trev sent me his /proc/atags file, but I take other people's stuff too, so if someone with SDE can make a kernel with /proc/atags support, please send me the content of this file (boot from SDE, I need the official content) to check that my own ATAGS thing is full and correct. I need stuff for an archos G9 A80S, but I take from any model. I'll put the information on this webpage. (To get /proc/atags, make menuconfig -> Boot options -> enable "Kexec system call" and then enable "Export atags in procfs", thanks to Trev for pointing that out.)

Thanks to Trev for his atags! (He just removed the serial number.)

Download

2012-10-17: version 1.0.

Documentation

Official documentation from Texas Instruments for the OMAP4430: here (may be out of date, go to the main page, but the URL may be different when you click; corporate world likes to change everything all the time...) (You want the OMAP4430 ES2.x TRM.)

The reboot process

I become root under the official firmware, then do a "warm reboot" to boot on the SD card. The idea came from there where you read "OMAP processor boot sequence can be configured via special memory area which remains unchanged after soft reset, and this configuration will override one determined by physical pin configuration. This does not give us much profit, but is also interesting..." (shame on me for not figuring that out with the OMAP4430 documentation)

How to do a warm reboot?

You can't just type "reboot" in a root adb shell, it won't work. (Why? I don't know. I tried, it does not work, period.)

Here is a hack that does the warm reboot. Compile with your arm cross-compiler and put it on the G9. Run it as root (with adb on your linux computer for example).

The program puts the G9 in USB boot mode, waiting for some stuff from the USB line. You can see the device popup with lsusb for example. The device ID is 0451:d00f. You can also use usbboot from omap4boot to check that the connection really works by sending a file and see if something happens.

I also checked if the G9 can boot from the SD card after warm reboot. It can. Edit reboot-usb.c, change the 0x45 to 0x05, put a SD card FAT16 formatted with a file named "MLO" on it and the ROM will load it and run it. (I didn't try the SD raw mode. Maybe I will at some point.)

(Here is reboot-sd.c, which boots from SD if possible and falls back to USB if it fails, so you can know if the SD boot went somewhere or not; if lsusb reports the device 0451:d00f then the SD boot failed. Bad SD card? No MLO file? Another problem?)

The program does not un-mount disks, so take care of your data before you use it. It's a barbarian beast. With firmware 4.0.5, it will switch the screen on in some cases.

This is not a very clean solution. Better is to write a kernel module, as done here for another omap device. My program seems to work so I won't bother for the moment...

The bootloader

For version 1.0, u-boot Linaro with a patch from here (the patch is in this message, which seems to be updated from time to time, so might be different from the version provided here) (thanks to yargil for pointing that out, the XDA forum is so full of noise that it's impossible to work with) and a custom patch for ATAGS thing.

What the bootloader has to do (maybe not in this order, maybe I forget some):

The ATAGS part is not addressed by the forum's patch above. I extracted it from the MMC of the G9. I dumped /dev/mmcblk0 and found the ATAG at 0x00060600. Dig for "34 12 a0 fe" in the dump, that's around that (and read kernel's arch/arm/include/asm/feature_list.h which describes it all). Specifically, this is not ATAG, but FEATURE_TAG. See atags.c from the release to know how the FEATURE_TAG thing is put into the main ATAGS thing.

I found out about this FEATURE_TAG thing because of bugs that forced me to read the function board_memory_prepare in arch/arm/mach-omap2/archos-memory.c where we see a call to get_feature_tag. The data it looks for was nowhere in the kernel, so had to come from the bootloader. I dug in the MMC just in case, and there it was.

So if you work on a bootloader, don't forget to throw a clean ATAG to the linux kernel. get_feature_tag is called here and there and needs good data.
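A structural check for a raw ATAG list such as a saved /proc/atags, as an added example that is not part of this page's release. It assumes the standard ARM layout (each tag starts with a size in 32-bit words and a tag id, both little-endian, the list begins with ATAG_CORE and ends with ATAG_NONE) and treats vendor tags such as the FEATURE_TAG as opaque; it also reports whether a serial-number tag is present, which is worth knowing before sharing a dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ATAG_NONE   0x00000000u
#define ATAG_CORE   0x54410001u
#define ATAG_SERIAL 0x54410006u

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk a raw ATAG list (for example the bytes of /proc/atags).
 * Returns the number of tags before the terminator, or
 *  -1 the list does not start with ATAG_CORE,
 *  -2 a tag has an impossible size or runs past the buffer,
 *  -3 the buffer ends without an ATAG_NONE terminator.
 * *has_serial is set when an ATAG_SERIAL tag is present. */
int atags_walk(const uint8_t *buf, size_t len, int *has_serial) {
    size_t off = 0;
    int count = 0;
    *has_serial = 0;
    while (len - off >= 8) {
        uint32_t words = le32(buf + off);   /* size in 32-bit words, header included */
        uint32_t tag = le32(buf + off + 4);
        if (count == 0 && tag != ATAG_CORE) return -1;
        if (words == 0) return tag == ATAG_NONE ? count : -2;
        if (words < 2 || words > (len - off) / 4) return -2;
        if (tag == ATAG_SERIAL) *has_serial = 1;
        printf("offset %3zu: tag 0x%08x, %u words\n", off, (unsigned)tag, (unsigned)words);
        off += (size_t)words * 4;
        count++;
    }
    return -3;
}

int main(void) {
    /* Constructed sample: ATAG_CORE, ATAG_SERIAL (dummy value), ATAG_NONE. */
    const uint8_t sample[] = {
        2,0,0,0, 0x01,0x00,0x41,0x54,
        4,0,0,0, 0x06,0x00,0x41,0x54, 0xaa,0xaa,0xaa,0xaa, 0xbb,0xbb,0xbb,0xbb,
        0,0,0,0, 0,0,0,0,
    };
    int serial;
    int n = atags_walk(sample, sizeof sample, &serial);
    printf("tags=%d serial=%s\n", n, serial ? "present" : "absent");
    return 0;
}
```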

Note on the MLO file

An MLO file has a header! Don't forget it. See the OMAP documentation. You must put the size of MLO (-8, the header is not counted) and the load address at first (you can use 0x4030000, why u-boot does not use that, mystery...).

U-boot also adds a CHSETTINGS header, which is not necessary.

If you make your own bootloader, don't forget those two numbers at the start of MLO and just skip the CHSETTINGS thing.
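The two numbers at the start of MLO, as an added example that is not code from the release: it prepends the header to a raw image and checks an existing file against its own length. It assumes both words are 32-bit little-endian, that the 48KiB mentioned on this page is the budget for the whole file, and that there is no CHSETTINGS block; the function names are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MLO_HDR_LEN 8u            /* two 32-bit words: size, load address */
#define MLO_MAX_LEN (48u * 1024u) /* assumption: the 48KiB budget covers the whole file */

static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

static uint32_t get_le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Prepend the header to a raw image. Returns the MLO length, or 0 if the
 * image is empty, too large for the budget, or does not fit in out. */
size_t mlo_build(const uint8_t *img, size_t img_len, uint32_t load_addr,
                 uint8_t *out, size_t out_cap) {
    if (img_len == 0 || img_len > MLO_MAX_LEN - MLO_HDR_LEN) return 0;
    if (out_cap < img_len + MLO_HDR_LEN) return 0;
    put_le32(out, (uint32_t)img_len);   /* size does not count the 8 header bytes */
    put_le32(out + 4, load_addr);
    memcpy(out + MLO_HDR_LEN, img, img_len);
    return img_len + MLO_HDR_LEN;
}

/* Check an existing MLO: 0 = header agrees with the file length,
 * -1 = file too short, -2 = size field is not file length - 8. */
int mlo_check(const uint8_t *mlo, size_t len, uint32_t *load_addr) {
    if (len <= MLO_HDR_LEN) return -1;
    if (get_le32(mlo) != len - MLO_HDR_LEN) return -2;
    if (load_addr) *load_addr = get_le32(mlo + 4);
    return 0;
}

int main(void) {
    const uint8_t img[] = { 0xfe, 0xff, 0xff, 0xea };  /* constructed image: ARM "b ." */
    uint8_t mlo[64];
    uint32_t addr = 0;
    /* load address written as it appears on this page */
    size_t n = mlo_build(img, sizeof img, 0x4030000u, mlo, sizeof mlo);
    printf("len=%zu check=%d\n", n, mlo_check(mlo, n, &addr));
    printf("load address 0x%08x\n", (unsigned)addr);
    return 0;
}
```

A u-boot MLO that starts with the CHSETTINGS block will fail mlo_check, since its first two words are not the size and load address.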

And if you make your own bootloader, I think you can skip the second-stage thing and have MLO directly load the kernel and jump to it. You have 48KiB, it's more than enough. You may even code a fast SD card reading routine. U-boot needs around 6 seconds to load a kernel of 4MiB. That's a bit insane. The official archos bootloader is not better here.

The linux kernel

For version 1.0, the official kernel-ics from archos is used, with a patch to have the USB OTG working. The patch introduces a BUG at boot-time, but things seem to work.

The kernel is taken from a git repository. I hope my patch works with current versions. It works with version 15f2e8471c1e10dbc711d7a77ad2ac48ba146f53. So you can do a git checkout 15f2e8471c1e10dbc711d7a77ad2ac48ba146f53 if things fail. (I guess. I'm a git noob.)

In 1.0, the screen works, the USB OTG works. RAM, SD card read/write also work. Not much else was tested, but should work. It's the official archos kernel after all.

The userland programs

In 1.0, Angstrom was used to have telnetd and a more or less working environment. init-telnetd.c is a custom quick and dirty hack. Things need to be cleaned up here. But I can telnet to the G9 via the USB OTG thing, so that's fine.

Debug methodology

I did not open the G9. I did not hack a USB cable. To get debugging information from the bootloader and later from the kernel, I used the warm reboot trick from inside the bootloader. The good thing is that you can write to some memory, do the warm reboot, and once you are in the rooted android, you can read back that memory. So you can extract values from the bootloader.

It's long and painful but that works. I traced the bootloader, then the kernel with that method and a lot of reboots. Some debugging that would normally take one hour can easily take more than a day. But no open, no hardware hack. Totally clean.

In the kernel, you must take care of the MMU. Since we write to specific addresses, you must hack the MMU settings for those addresses to be visible to your reboot routine. After a while, you can write a C reboot routine calling ioremap, but between the MMU settings and that moment a lot happens...

Ah, take care also of ICACHE/DCACHE things. I had trouble with those beasts when I hacked the mini2440 in 2011. No problem with the G9 (I think), but keep that in mind. Basically you want it off.

See debug.S and debug.c in the version 1.0 for some dirty code that warm reboots. See readmem.c to get the value in android.

TODO

Some people might not have a SD card. For those, a pure USB solution might be nice. The ROM already can download the bootloader via USB. Next is to have a bootloader that gets the kernel from USB. And then, have a kernel that works with NFS via the gadget ether over USB (or whatever).

There is an FSF reverse engineering project to make a free PowerVR driver. I plan to work on that. If you are good at reverse engineering, join.

Read AOS firmware files

AOS firmware files provided by Archos are ciphered. But some people analyzed the file format, made tools to unpack the files, and found cryptographic keys. Unfortunately there is no "just download and run" program out there for the G9 AOS files; you have to glue information from here and there to get it done. I make available a tool with the keys to read those AOS files for the G9.

(I did not write the tools. I did not find the keys. I just glued information.)

aos-tools-g9a.tar.gz is a copy of aos-tools including the Gen9 keys as found on this forum.

I successfully unpacked firmware 4.0.5 on 2012-04-16 with it.

Only aos-info and aos-unpack have been tested. Other programs may not work.

Links


Contact: sed@free.fr

Created: Mon, 16 Apr 2012 11:19:42 +0200
Last update: Tue, 15 Jan 2013 11:49:43 +0100