EC20 DFOTA » History » Revision 6
Revision 5 (zecke, 12/11/2016 05:08 PM) → Revision 6/8 (zecke, 12/23/2016 10:39 AM)
h1. EC20/EC25 Delta Firmware over the air (DFOTA) upgrades An example of the DFOTA file is here: http://dfota.quectel-service.com:8088/Dfiles/EC20/EC20EQAR02A05V03-R02A09V02.zip. EC25 seems to use the stock "recovery"/"applypatch". http://dfota.quectel-service.com:8088/Dfiles/EC20/EC20EQAR02A05V03-R02A09V02.zip h2. Mechanism It is based on the recovery.git of Android. For the EC20 the delta format (and RSA signing) has been replaced by the usage of RedBend FOTA. The RedBend FOTA is used by other Qualcomm customers too and is also used on the UC20. For the EC25 it seems that the stock Android/LinuxFoundation @recovery@ is used. The general approach is: * APN is configured for the Linux system * AT+QFOTADL is handled by atfwd_daemon and starts @wget@ to write to @update.zip@ * @"IP_START_UPDATE" > /cache/fota/ipth_config_dfs.txt@ * Reboot into the recovery image * recovery will apply the update. h2. Start delta upgrade <pre> AT+QICSGP=1,1,"APN_NAME_HERE","","",1 AT+QFOTADL="http://dfota.quectel-service.com:8088/Dfiles/EC20/EC20EQAR02A05V03-R02A09V02.zip" </pre> It will start an internal connection manager to terminate data on the Linux module and then run wget to store the file to "update.zip". If it worked a reboot into the recovery system will be made. h2. Recovery image It seems that /usr/bin/recovery will be started and finds a update.zip in the right partition and will then apply the delta updates. On exit it will reboot the system. h2. Delta format Delta updates are available for the bootloader (?), dsp, userdata and system. The delta image contains a FileNamesTable It is speculated that has a null terminated ascii string of which part to update. The partition table for RedBend the is populated with information if this is a filsystem or image update. system and userdata yaffs2 the actual filesystem will be mounted and individual files will be modified. <pre> struct upgrade_file_begin { uint32_t checksum; // ???? different in all of these upgrades uint32_t __le len; // len.. E.g. 184014 of a 184059 file, len includes the size of len+checksum too ... still a lot of 32bit length.. not really TLV }; struct upgrade_file_trailer { uint32_t __le len; char name[len]; with trailing \0 uint32_t null_end (four bytes 0x00) }; </pre> <pre> Trailer... checksum.. len.. data.. chunks a 32bit aligned with 0x00 padding inbetween.. can be seen with the dsp2.diff # system.diff 9c113566 2b00000050400100803801000000000000030000010000000700000073797374656d0000000000 # userdata.diff 05608f30 2d00000050400100803801000000000000030000010000000900000075736572646174610000000000 # dsp2.diff 66ecbcdc 20000000504001008038010000000000000300000000000000000000 four byte? </pre> h2. Kicking the recovery binary * mount /dev/mtdblock14 /mnt.. * Place update.zip to /cache/ * echo "IP_START_UPDATE" > /cache/fota/ipth_config_dfs.txt to say what to do Was difficult to repeat, e.g. creating backup and mounting system partition failed on second/third tries <pre> / # ./strace -o foo.txt -f ./recovery2 mount: mounting none on /sys/kernel/debug failed: Device or resource busy Starting recovery on Fri Oct 14 12:39:48 2016 recovery filesystem table ========================= 0 /tmp ramdisk (null) (null) 0 1 / auto rootfs (null) 0 2 /proc proc proc (null) 0 3 /dev/pts devpts devpts (null) 0 4 /proc/bus/usb usbfs usbfs (null) 0 5 /dev/shm tmpfs tmpfs (null) 0 6 /cache yaffs2 /dev/mtdblock9 (null) 0 7 /media/card auto /dev/mmcblk0p1 (null) 0 8 /system yaffs2 /dev/mtdblock14 (null) 0 9 /data yaffs2 /dev/mtdblock15 (null) 0 10 /misc mtd /dev/mtdblock10 (null) 0 rootfs on / type rootfs (rw) /dev/root on / type yaffs2 (rw,relatime) proc on /proc type proc (rw,relatime) sysfs on /sys type sysfs (rw,relatime) tmpfs on /dev type tmpfs (rw,relatime,size=64k,mode=755) devpts on /dev/pts type devpts (rw,relatime,mode=600) tmpfs on /dev/shm type tmpfs (rw,relatime,mode=777) /dev/mtdblock15 on /usr type yaffs2 (rw,relatime) /dev/mtdblock9 on /cache type yaffs2 (rw,relatime) /dev/mtdblock13 on / type yaffs (rw,relatime) tmpfs on /dev type tmpfs (rw,relatime,size=64k,mode=755) /dev/mtdblock9 on /cache type yaffs2 (rw,relatime) none on /sys type sysfs (rw,relatime) none on /sys/kernel/debug type debugfs (rw,relatime) proc on /proc type proc (rw,relatime) total 3 lrwxrwxrwx 1 root root 31 Jul 21 07:10 boot_hsic_composition -> /usr/bin/usb/compositions/empty lrwxrwxrwx 1 root root 30 Jul 21 07:10 boot_hsusb_composition -> /usr/bin/usb/compositions/9215 drwxr-xr-x 1 root root 2048 Jul 21 07:10 compositions crw--w---- 1 root root 247, 0 Jan 8 1970 /dev/ttyGS0 RB_Progress: fwrite "/dev/ttyGS1" fail I:Checking delta update status... handle_redbend_update: START_DELTA_UPDATE I:Setting delta update status... I:Delta update status is set to (IP_PREVIOUS_UPDATE_IN_PROGRESS 0) I:Start delta update... I:Setting recovery boot... I:Recovery mode reached maximum retry. Clear boot message. mtd: successfully wrote block at bebe0f4800000000 I:Set boot command "" I:boot.command= I:boot.recovery= I:Update location: /cache/update.zip I:number of files in zip is 1 I:verifying file at index 0 I:No radio diff images found I:system.diff found E:No modem package available. E:No modem update needed. returning O.K mtd: successfully wrote block at bebe23a000000000 I:Reset FOTA cookie done. start fota update (/cache/fota/system.diff) redbend_fs_entry: device_name: /dev/mtdblock14 redbend_fs_entry: mount_point: /tmp/system redbend_fs_entry: update_name: /cache/fota/system.diff redbend_fs_entry: part_name: system RB_GetDelta: offset 0x0(0), size 0x14(20) RB_GetDelta: offset 0x0(0), size 0x18(24) RB_GetDelta: offset 0x4(4), size 0x3508(13576) RB_GetDelta: offset 0x0(0), size 0x40(64) RB_GetDelta: offset 0x350c(13580), size 0x18(24) RB_GetDelta: offset 0x3510(13584), size 0x27(39) RB_GetDelta: offset 0x0(0), size 0x14(20) RB_GetDelta: offset 0x0(0), size 0x18(24) RB_GetDelta: offset 0x350c(13580), size 0x18(24) RB_GetDelta: offset 0x0(0), size 0x18(24) RB_GetDelta: offset 0x0(0), size 0x18(24) RB_GetDelta: offset 0x350c(13580), size 0x18(24) RB_GetDelta: offset 0x3524(13604), size 0x4(4) RB_GetDelta: offset 0x3528(13608), size 0x4(4) RB_GetDelta: offset 0x352c(13612), size 0x7(7) RB_GetDelta: offset 0x0(0), size 0x40(64) RB_GetDelta: offset 0x0(0), size 0x40(64) RB_GetDelta: offset 0x40(64), size 0x304(772) RB_GetDelta: offset 0x344(836), size 0xd(13) RB_GetDelta: offset 0x351(849), size 0x4a8(1192) FS partition delta dump RedBend: Delta Info: delta_sig - 0x6d0d05e5 RedBend: Delta Info: delta_size - 13580 RedBend: Delta Info: ver - 82000 RedBend: Delta Info: scout_ver - 80000 RedBend: Delta Info: flags - 0x80000000 RedBend: Delta Info: runtype_flags - 0x280 RedBend: Delta Info: ram_size - 0x200c8 RedBend: Delta Info: sector_size - 0x40000 RedBend: Delta Info: dic_sz - 0xdc8 RedBend: Delta Info: compress_sz - 0x4b5 RedBend: Delta Info: min_alloc_ram_use - 0x22 RedBend: Delta Info: ext_info_sz - 2 RedBend: Delta Info: num_copy - 0 RedBend: Delta Info: num_diff - 95 RedBend: Delta Info: num_insert - 3 RedBend: Delta Info: num_delete - 0 RedBend: Delta Info: num_del_dirs - 0 RedBend: Delta Info: num_dirs - 0 RedBend: Delta Info: num_del_link - 0 RedBend: Delta Info: num_link - 4 RedBend: Delta Info: num_critical_update - 95 RedBend: Delta Info: num_critical_insert - 3 RB_CreateFolder: /cache/fota/a, mode:0x1ff open file /cache/fota/a/backup RB_OpenFile: Path:/cache/fota/a/backup | Mode: RDONLY First open() with error 2 open file /tmp/system/etc/version RB_OpenFile: Path:/tmp/system/etc/version | Mode: RDONLY First open() with error 2 open file /tmp/system/etc/version RB_OpenFile: Path:/tmp/system/etc/version | Mode: RDONLY First open() with error 2 RedBend: Error in scout, file signature mismatch in file /tmp/system/etc/version umount: can't umount /tmp/system: No such file or directory fota update fail (/cache/fota/system.diff) I:fs:/cache/update.zip update err mtd: successfully wrote block at bebe23a000000000 I:Reset FOTA cookie done. mtd: successfully wrote block at bebe0f3800000000 I:Set boot command "" I:Setting delta update status... I:Delta update status is set to (IP_PREVIOUS_UPDATE_FAILED 500) handle_redbend_update: DELTA_UPDATE_IN_PROGRESS I:Setting delta update status... I:Delta update status is set to (IP_PREVIOUS_UPDATE_IN_PROGRESS 0) I:Start delta update... I:Setting recovery boot... I:Error opening recovery count file. Ignore. mtd: successfully wrote block at bebe0f4800000000 I:Set boot command "boot-recovery" I:boot.command=boot-recovery I:boot.recovery=recovery I:Update location: /cache/update.zip E:Can't open /cache/update.zip (No such file or directory) mtd: successfully wrote block at bebe0f3800000000 I:Set boot command "" I:Setting delta update status... I:Delta update status is set to (IP_PREVIOUS_UPDATE_FAILED 410) mtd: successfully wrote block at bebe23a000000000 I:Reset FOTA cookie done. RB_Progress: fwrite "/dev/ttyGS1" fail precent:0 total:1 cur:1 Rebooting after recovery I:Rebooting at the end of recovery module. mtd: successfully wrote block at bebe0f8000000000 I:Set boot command "" </pre>
