Version 47 (unrznbl, 05/09/2019 09:21 PM) → Version 48/50 (unrznbl, 05/12/2019 03:13 PM)

h1. Fernvale

Fernvale is an open-source development platform for the Mediatek MT6260.

It was also specifically designed to make reverse engineering easier.

It is available on the "sysmocom web-shop":http://shop.sysmocom.de/products/fernvale-mt6260-reverse-engineering-development-kit-dvt2

h2. Software

* There is a simple bootloader/interactive shell called "fernly":https://github.com/xobs/fernly/ which can also be used for reverse engineering.
* There is a downstream "port to Nuttx":https://github.com/sutajiokousagi/fernvale-nuttx which is bootable but provides limited features.
* There is a downstream "OsmocomBB port":https://gitlab.com/unrznbl/osmocom-bb/tree/mtk-layer1 which has a bootable layer1 image that doesn't support any of the GSM hardware yet.

|_. Hardware feature |_. Support |
| Backlight | "Fernly":https://github.com/xobs/fernly/blob/master/cmd-bl.c |
| Bluetooth | None yet |
| External memory | "Fernly":https://github.com/xobs/fernly/blob/master/emi.c "Nuttx":https://github.com/sutajiokousagi/fernvale-nuttx/blob/master/nuttx/configs/kosagi-fernvale/src/fernvale_mem.c |
| GSM, GPRS | None yet |
| Keypad | "Fernly":https://github.com/xobs/fernly/blob/master/cmd-keypad.c |
| LCD | "Fernly":https://github.com/xobs/fernly/blob/master/cmd-lcd.c , "Nuttx":https://github.com/sutajiokousagi/fernvale-nuttx/blob/master/nuttx/arch/arm/src/mt6260/mt6260_framebuffer.c |
| LEDs | "Fernly":https://github.com/xobs/fernly/blob/master/cmd-led.c "Nuttx":https://github.com/sutajiokousagi/fernvale-nuttx/blob/master/nuttx/configs/kosagi-fernvale/src/fernvale_leds.c |
| SDIO | "Nuttx":https://github.com/sutajiokousagi/fernvale-nuttx/blob/master/nuttx/configs/kosagi-fernvale/src/fernvale_mmcsd.c |
| SPI | "Fernly":https://github.com/xobs/fernly/blob/master/cmd-spi.c "Nuttx":https://github.com/sutajiokousagi/fernvale-nuttx/blob/master/nuttx/configs/kosagi-fernvale/src/fernvale_spi.c |
| UART | "Fernly":https://github.com/xobs/fernly/blob/master/serial.c "Nuttx":https://github.com/sutajiokousagi/fernvale-nuttx/blob/master/nuttx/arch/arm/src/mt6260/mt6260_serial.c |
| USB peripheral? | "Nuttx":https://github.com/sutajiokousagi/fernvale-nuttx/blob/master/nuttx/configs/kosagi-fernvale/src/fernvale_hidkbd.c |
| USB host | "Nuttx":https://github.com/sutajiokousagi/fernvale-nuttx/blob/master/nuttx/configs/kosagi-fernvale/src/fernvale_usbhost.c |

h2. Load Layer1 via Fernly

For now, layer1 can only be loaded into RAM, and only via the fernly loader. Use the script https://gitlab.com/unrznbl/fernly/blob/mtk-layer1/load-layer1.sh to load a built layer1 firmware from osmocom-bb onto the Fernvale via fernly.

h2. Boot ROM cycles due to no Firmware flashed

If you simply connect the Fernvale to your host via a micro USB cable, you will likely see failures like this:

<pre>
[10045.367504] usb 1-4: new full-speed USB device number 14 using xhci_hcd
[10045.516385] usb 1-4: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[10045.516397] usb 1-4: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[10046.102791] cdc_acm 1-4:1.1: ttyACM0: USB ACM device
[10046.103011] usbcore: registered new interface driver cdc_acm
[10046.103012] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[10046.109599] usbcore: registered new interface driver usbserial_generic
[10046.109623] usbserial: USB Serial support registered for generic
[10046.116192] usbcore: registered new interface driver option
[10046.116229] usbserial: USB Serial support registered for GSM modem (1-port)
[10051.794634] usb 1-4: USB disconnect, device number 14
[10052.491445] usb 1-4: new full-speed USB device number 15 using xhci_hcd
[10052.640174] usb 1-4: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[10052.640184] usb 1-4: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[10052.643070] option 1-4:1.0: GSM modem (1-port) converter detected
[10052.652198] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB0
[10052.652881] cdc_acm: probe of 1-4:1.1 failed with error -16
[10058.956408] usb 1-4: USB disconnect, device number 15
[10058.956910] option1 ttyUSB0: GSM modem (1-port) converter now disconnected from ttyUSB0
[10058.956972] option 1-4:1.0: device disconnected
[10059.651427] usb 1-4: new full-speed USB device number 16 using xhci_hcd
[10059.800240] usb 1-4: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[10059.800247] usb 1-4: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[10059.803041] option 1-4:1.0: GSM modem (1-port) converter detected
[10059.803284] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB0
[10059.803885] cdc_acm: probe of 1-4:1.1 failed with error -16
</pre>

This is likely because no firmware has been flashed onto the Fernvale, so only the BROM (boot ROM) firmware is available. Since the BROM has nothing to transfer control to, it cycles.
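
The reconnect loop in the log above can be confirmed mechanically before starting a loader. The following is an added example, not part of this wiki or of fernly/OsmocomBB: it parses @dmesg@ text for repeated enumerations of 0e8d:0003 on one port and records how long each one lasted and which tty node it got. The function names and the two-cycle threshold are assumptions.

```python
import re

# Excerpt of the kernel log shown above, embedded so the example runs offline.
SAMPLE = """\
[10045.367504] usb 1-4: new full-speed USB device number 14 using xhci_hcd
[10045.516385] usb 1-4: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[10046.102791] cdc_acm 1-4:1.1: ttyACM0: USB ACM device
[10051.794634] usb 1-4: USB disconnect, device number 14
[10052.491445] usb 1-4: new full-speed USB device number 15 using xhci_hcd
[10052.640174] usb 1-4: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[10052.652198] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB0
[10058.956408] usb 1-4: USB disconnect, device number 15
[10059.651427] usb 1-4: new full-speed USB device number 16 using xhci_hcd
[10059.800240] usb 1-4: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
"""

LINE = re.compile(r"^\[\s*(\d+\.\d+)\] (.*)$")
NEW = re.compile(r"usb (\S+): new \S+ USB device number (\d+)")
FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=(\w{4}), idProduct=(\w{4})")
GONE = re.compile(r"usb (\S+): USB disconnect, device number (\d+)")
TTY = re.compile(r"(tty(?:ACM|USB)\d+)")

def analyse(log, vid="0e8d", pid="0003"):
    """Return one record per enumeration of vid:pid (uptime is None if still attached)."""
    sessions, cur = [], None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        if (n := NEW.search(msg)):
            cur = {"port": n.group(1), "devnum": int(n.group(2)), "start": ts,
                   "match": False, "tty": None, "uptime": None}
            sessions.append(cur)
        elif cur is None:
            continue
        elif (f := FOUND.search(msg)):
            cur["match"] = (f.group(2), f.group(3)) == (vid, pid)
        elif (g := GONE.search(msg)) and int(g.group(2)) == cur["devnum"]:
            cur["uptime"] = round(ts - cur["start"], 2)  # seconds attached
            cur = None
        elif cur["tty"] is None and (t := TTY.search(msg)):
            cur["tty"] = t.group(1)
    return [s for s in sessions if s["match"]]

def is_brom_cycle(sessions, min_cycles=2):
    """Heuristic: the same port enumerated and dropped the device repeatedly."""
    done = [s for s in sessions if s["uptime"] is not None]
    return len(done) >= min_cycles and len({s["port"] for s in done}) == 1
```

On the excerpt, each enumeration lasts about six and a half seconds, and the serial node changes from ttyACM0 to ttyUSB0 between cycles, so a loader script should not hard-code the device path.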

h2. Progress

Apr 22 2018 - layer1 firmware has stubbed out implementations for mediatek/fernvale. layer1/main blinks the big LED on fernvale and fernly usb serial is ported so that debug messages are possible. See "mtk-layer1 branch":https://gitlab.com/unrznbl/osmocom-bb/tree/mtk-layer1 on gitlab.

Feb 13 2018 - fixed up Makefile.mtk so that both [[SciphoneDreamG2]] and Fernvale firmwares build. An LED blink firmware is working on Fernvale but the loader_mtk firmware no longer seems to work on the [[SciphoneDreamG2]].

h2. JTAG?

Is it possible that "openocd_mt6235.cfg":https://osmocom.org/attachments/2176/openocd_mt6235.cfg for "SciphoneDreamG2":https://osmocom.org/projects/baseband/wiki/SciphoneDreamG2 could work with small modifications for fernvale/mt6260? Here is the output of running a slightly modified version with an olimex arm-usb-ocd-h adapter. Any help would be appreciated to adjust this cfg to get working JTAG since fernvale should support this fairly easily (kit includes parts to make a JTAG adapter interface).

<pre>openocd -f interface/ftdi/olimex-arm-usb-ocd-h.cfg -f fernvale.cfg</pre>

<pre>
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 1000 kHz
Warn : There are no enabled taps. AUTO PROBING MIGHT NOT WORK!!
Error: JTAG scan chain interrogation failed: all ones
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Warn : Bypassing JTAG setup events due to errors
Warn : gdb services need one or more targets defined
</pre>

h2. TODOs

* port [[Layer1bin]] - "unrznbl":https://gitlab.com/unrznbl is working on this currently
* create library from osmocom-bb to be used in NuttX layer1 app (hopefully very little copying of code into nuttx tree)
* port [[Mobile]] to NuttX

h2. Help welcome

Very few people are working on it[1], and because of that progress has been very slow.

fn1. See "This blog post":http://laforge.gnumonks.org/blog/20180929-fernvale-discount/ for more background on the issue.

h2. References and documentation

* https://postmarketos.org/blog/2018/04/14/lowlevel/ : Article on porting OsmocomBB to the Fernvale
* https://kosagi.com/w/index.php?title=Fernvale_Main_Page : Fernvale hardware documentation
* https://kosagi.com/forums/ : Kosagi forums: they have a section on the Fernvale
* https://www.bunniestudios.com/blog/?p=4297 : Blog post on the initial hardware and software reverse engineering
* https://xobs.io/fernvale-the-path-not-taken/ : Blog post on the initial software reverse engineering
* There was a talk at the 31c3 about the Fernvale. "video":https://media.ccc.de/v/31c3_-_6156_-_en_-_saal_1_-_201412282145_-_fernvale_an_open_hardware_and_software_platform_based_on_the_nominally_closed-source_mt6260_soc_-_bunnie_-_xobs "slides":http://www.bunniefoo.com/fernvale/fernvale-31c3.pdf
* Nuttx's "mt6260_tdma.h":https://github.com/sutajiokousagi/fernvale-nuttx/blob/master/nuttx/arch/arm/src/mt6260/mt6260_tdma.h seems to contain some information on the GSM part