The process requires:
*disassembling the hub (removing four torx screws)
*USB to TTL serial adapter (available for under $5 shipped on eBay, just needs Ground, RX, and TX wires)
Complete this process is at your own risk!
Here are the steps I took...
[*] Disassemble hub
[*] Connect serial USB to TTL adapter
[*] Set to 115200 N81
[*] Dry run to make sure your TTL adapter is working
[*] Find pin #29 on the NAND chip (1-24 is on one side, 25-48 is on the other, #29 is the 5th one in starting at 25)
[*] Use a wire or anything you have available to temporarily connect #29 to ground. I used one of the huge shields over one of the chips as a ground and the tip of a multimeter test lead to touch #29
[*] Power cycle the hub (I just hit the reset button to cycle it)
[*] Immediately connect #29 to ground if you haven't already (I'm not sure if it can be shorted before the power cycle or shortly there after, I'll need to test)
[*] The boot process should look something like this...
Code: Select all
LLC
U-Boot 2014.01-14400-gda781c6-dirty (Apr 30 2014 - 22:35:38)
CPU: Freescale i.MX28 rev1.2 at 454 MHz
BOOT: NAND, 3V3
DRAM: 64 MiB
NAND: 128 MiB
In: serial
Out: serial
Err: serial
Net: FEC0 [PRIME]
Hit any key to stop autoboot: 0
UBI: attaching mtd1 to ubi0
UBI: physical eraseblock size: 131072 bytes (128 KiB)
UBI: logical eraseblock size: 126976 bytes
UBI: smallest flash I/O unit: 2048
UBI: VID header offset: 2048 (aligned 2048)
UBI: data offset: 4096
UBI: attached mtd1 to ubi0
UBI: MTD device name: "mtd=3"
UBI: MTD device size: 8 MiB
UBI: number of good PEBs: 64
UBI: number of bad PEBs: 0
UBI: max. allowed volumes: 128
UBI: wear-leveling threshold: 4096
UBI: number of internal volumes: 1
UBI: number of user volumes: 1
UBI: available PEBs: 6
UBI: total number of reserved PEBs: 58
UBI: number of PEBs reserved for bad PEB handling: 2
UBI: max/mean erase counter: 5/3
UBIFS: recovery needed
UBIFS: recovery deferred
UBIFS: mounted UBI device 0, volume 0, name "database"
UBIFS: mounted read-only
UBIFS: file system size: 5459968 bytes (5332 KiB, 5 MiB, 43 LEBs)
UBIFS: journal size: 1015809 bytes (992 KiB, 0 MiB, 6 LEBs)
UBIFS: media format: w4/r0 (latest is w4/r0)
UBIFS: default compressor: LZO
UBIFS: reserved for root: 269835 bytes (263 KiB)
Loading file 'DO_UPDATE' to addr 0x42000000 with size 1 (0x00000001)...
Done
Total of 1 word(s) were the same
NAND read: device 0 offset 0x2b00000, size 0x400000
NAND read from offset 2b00000 failed -74
0 bytes read: ERROR
NAND read: device 0 offset 0x300000, size 0x300000
NAND read from offset 300000 failed -74
0 bytes read: ERROR
Wrong Image Format for bootm command
ERROR: can't get kernel image!
Falling back to updater...
NAND read: device 0 offset 0x300000, size 0x300000
NAND read from offset 300000 failed -74
0 bytes read: ERROR
NAND read: device 0 offset 0x2b00000, size 0x400000
NAND read from offset 2b00000 failed -74
0 bytes read: ERROR
Wrong Image Format for bootm command
ERROR: can't get kernel image!
=> [*]At this point, you are at a boot prompt, enter printenv to see the boot environment
Code: Select all
=> printenv
app_boot=run appboot_args && nand read ${loadaddr} app-kernel 0x00400000 && bootm ${loadaddr}
app_boot_bad=run updater_args; setenv bootargs ${bootargs} badapp; nand read ${loadaddr} updater-kernel 0x00300000; bootm ${loadaddr}
appboot_args=setenv bootargs 'noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi';
baudrate=115200
bd_addr=0021CC000000
boot_app=run app_boot || run app_boot_bad
boot_getflag=mtdparts default && ubi part database && ubifsmount ubi0:database && mw 42000000 0 8 && ubifsload 42000000 DO_UPDATE 1 && run boot_logic
boot_logic=mw 42000004 30; if cmp 42000000 42000004 1; then run boot_app; else run boot_updater; fi;
boot_updater=run updater_boot || run updater_boot_bad
bootargs=noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi badupdater
bootcmd=mtdparts default; run boot_getflag || echo Falling back to updater...; run boot_updater
bootdelay=0
bootfile=uImage
ethact=FEC0
ethaddr=00:04:00:00:00:00
ethprime=FEC0
filesize=1
loadaddr=0x42000000
mtddevname=u-boot
mtddevnum=0
mtdids=nand0=gpmi-nand
mtdparts=mtdparts=gpmi-nand:3m(u-boot),4m(updater-kernel),28m(updater-rootfs),8m(database),8m(app-kernel),-(app-rootfs)
partition=nand0,0
serialno=151312345XYZ6
stderr=serial
stdin=serial
stdout=serial
updater_args=setenv bootargs 'noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=2 root=ubi0:rootfs rw gpmi';
updater_boot=run updater_args && nand read ${loadaddr} updater-kernel 0x00300000 && bootm ${loadaddr}
updater_boot_bad=run appboot_args; setenv bootargs ${bootargs} badupdater; nand read ${loadaddr} app-kernel 0x00400000; bootm ${loadaddr}
ver=U-Boot 2014.01-14400-gda781c6-dirty (Apr 30 2014 - 22:35:38)
Environment size: 1775/16379 bytesRun the appboot_args line appending "init=/bin/sh" to the end just after gpmi
Then boot using the app_boot line starting with "nand read"
Example:
Code: Select all
=> setenv bootargs 'noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi init=/bin/sh';
=> nand read ${loadaddr} app-kernel 0x00400000 && bootm ${loadaddr}
NAND read: device 0 offset 0x2b00000, size 0x400000
4194304 bytes read: OK
## Booting kernel from Legacy Image at 42000000 ...
Image Name: Linux-2.6.35.3-flex-dvt
Created: 2014-04-30 3:15:35 UTC
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 1928460 Bytes = 1.8 MiB
Load Address: 40008000
Entry Point: 40008000
Verifying Checksum ... OK
Loading Kernel Image ... OK
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
Linux version 2.6.35.3-flex-dvt (saurabh@localhost.localdomain) (gcc version 4.4.4 (4.4.4_09.06.2010) ) #32 PREEMPT Tue Apr 29 23:15:31 EDT 2014
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: Freescale MX28EVK board
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
Kernel command line: noinitrd console=ttyAM0,115200 rootfstype=ubifs ubi.mtd=5 root=ubi0:rootfs rw gpmi init=/bin/sh
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 64MB = 64MB total
Memory: 60784k/60784k available, 4752k reserved, 0K highmem
Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
DMA : 0xfde00000 - 0xffe00000 ( 32 MB)
vmalloc : 0x84800000 - 0xf0000000 (1720 MB)
lowmem : 0x80000000 - 0x84000000 ( 64 MB)
modules : 0x7f000000 - 0x80000000 ( 16 MB)
.init : 0x80008000 - 0x80027000 ( 124 kB)
.text : 0x80027000 - 0x803b6000 (3644 kB)
.data : 0x803b6000 - 0x803deec0 ( 164 kB)
SLUB: Genslabs=11, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Hierarchical RCU implementation.
RCU-based detection of stalled CPUs is disabled.
Verbose stalled-CPUs detection is disabled.
NR_IRQS:288
Console: colour dummy device 80x30
console [ttyAM0] enabled
Calibrating delay loop... 226.09 BogoMIPS (lpj=1130496)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
regulator: core version 0.5
NET: Registered protocol family 16
regulator: vddd: 800 <--> 1575 mV at 1500 mV fast normal
regulator: vdddbo: 800 <--> 1575 mV fast normal
regulator: vdda: 1500 <--> 2275 mV at 1800 mV fast normal
vddio = 3380000, val=10
regulator: vddio: 2880 <--> 3680 mV at 3380 mV fast normal
regulator: overall_current: fast normal
regulator: vbus5v:
regulator: mxs-duart-1: fast normal
regulator: mxs-bl-1: fast normal
regulator: mxs-i2c-1: fast normal
regulator: mmc_ssp-1: fast normal
regulator: mmc_ssp-2: fast normal
regulator: charger-1: fast normal
regulator: power-test-1: fast normal
regulator: cpufreq-1: fast normal
i.MX IRAM pool: 124 KB@0x84820000
Initializing GPMI pins
bio: create slab <bio-0> at 0
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource mxs clock source
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
Bus freq driver module loaded
mxs_cpu_init: cpufreq init finished
Slow work thread pool: Starting up
Slow work thread pool: Ready
fuse init (API version 7.14)
msgmni has been set to 118
alg: No test for stdrng (krng)
cryptodev: driver loaded.
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
mxs-duart.0: ttyAM0 at MMIO 0x80074000 (irq = 47) is a DebugUART
mxs-auart.0: ttySP0 at MMIO 0x8006a000 (irq = 112) is a mxs-auart.0
Found APPUART 3.1.0
mxs-auart.1: ttySP1 at MMIO 0x8006c000 (irq = 113) is a mxs-auart.1
Found APPUART 3.1.0
mxs-auart.2: ttySP2 at MMIO 0x8006e000 (irq = 114) is a mxs-auart.2
Found APPUART 3.1.0
mxs-auart.3: ttySP3 at MMIO 0x80070000 (irq = 115) is a mxs-auart.3
Found APPUART 3.1.0
mxs-auart.4: ttySP4 at MMIO 0x80072000 (irq = 116) is a mxs-auart.4
Found APPUART 3.1.0
loop: module loaded
i.MX GPMI NFC
NFC: Version 1, 8-chip GPMI and BCH
Boot ROM: Version 1, Single-chip boot area, block mark swapping supported
Scanning for NAND Flash chips...
NAND device: Manufacturer ID: 0x01, Chip ID: 0xf1 (AMD NAND 128MiB 3,3V 8-bit)
-----------------------------
NAND Flash Device Information
-----------------------------
Manufacturer : AMD (0x01)
Device Code : 0xf1
Cell Technology : SLC
Chip Size : 128 MiB
Pages per Block : 64
Page Geometry : 2048+64
ECC Strength : 4 bits
ECC Size : 512 B
Data Setup Time : 10 ns
Data Hold Time : 5 ns
Address Setup Time: 10 ns
GPMI Sample Delay : 6 ns
tREA : Unknown
tRLOH : Unknown
tRHOH : Unknown
Description : S34ML01G1
-----------------
Physical Geometry
-----------------
Chip Count : 1
Page Data Size in Bytes: 2048 (0x800)
Page OOB Size in Bytes : 64
Block Size in Bytes : 131072 (0x20000)
Block Size in Pages : 64 (0x40)
Chip Size in Bytes : 134217728 (0x8000000)
Chip Size in Pages : 65536 (0x10000)
Chip Size in Blocks : 1024 (0x400)
Medium Size in Bytes : 134217728 (0x8000000)
------------
NFC Geometry
------------
ECC Algorithm : BCH
ECC Strength : 8
Page Size in Bytes : 2112
Metadata Size in Bytes : 10
ECC Chunk Size in Bytes: 512
ECC Chunk Count : 4
Payload Size in Bytes : 2048
Auxiliary Size in Bytes: 16
Auxiliary Status Offset: 12
Block Mark Byte Offset : 1999
Block Mark Bit Offset : 0
-----------------
Boot ROM Geometry
-----------------
Boot Area Count : 1
Boot Area Size in Bytes : 3145728 (0x300000)
Stride Size in Pages : 64
Search Area Stride Exponent: 2
Scanning device for bad blocks
Bad eraseblock 730 at 0x000005b40000
Boot area protection is enabled.
Creating 6 MTD partitions on "gpmi-nfc-main":
0x000000000000-0x000000300000 : "gpmi-nfc-0-boot"
0x000000300000-0x000000700000 : "updater-kernel"
0x000000700000-0x000002300000 : "updater-rootfs"
0x000002300000-0x000002b00000 : "database"
0x000002b00000-0x000003300000 : "app-kernel"
0x000003300000-0x000008000000 : "gpmi-nfc-general-use"
cmdlinepart partition parsing not available
UBI: attaching mtd5 to ubi0
UBI: physical eraseblock size: 131072 bytes (128 KiB)
UBI: logical eraseblock size: 126976 bytes
UBI: smallest flash I/O unit: 2048
UBI: VID header offset: 2048 (aligned 2048)
UBI: data offset: 4096
UBI: attached mtd5 to ubi0
UBI: MTD device name: "gpmi-nfc-general-use"
UBI: MTD device size: 77 MiB
UBI: number of good PEBs: 615
UBI: number of bad PEBs: 1
UBI: max. allowed volumes: 128
UBI: wear-leveling threshold: 4096
UBI: number of internal volumes: 1
UBI: number of user volumes: 1
UBI: available PEBs: 0
UBI: total number of reserved PEBs: 615
UBI: number of PEBs reserved for bad PEB handling: 6
UBI: max/mean erase counter: 3/1
UBI: image sequence number: 99799859
UBI: background thread "ubi_bgt0d" started, PID 922
ubiblka: unknown partition table
mice: PS/2 mouse device common for all mice
MXS RTC driver v1.0 hardware v2.3.0
mxs-rtc mxs-rtc.0: rtc core: registered mxs-rtc as rtc0
mxs watchdog: initialized, heartbeat 19 sec
mxs-mmc: MXS SSP Controller MMC Interface driver
__mxs_reset_block(f0010000): timeout when resetting
__mxs_reset_block(f0010000): timeout when resetting
__mxs_reset_block(f0010000): timeout when resetting
__mxs_reset_block(f0010000): timeout when resetting
__mxs_reset_block(f0010000): timeout when resetting
__mxs_reset_block(f0010000): timeout when resetting
mxs-mmc mxs-mmc.0: mmc0: MXS SSP MMC DMAIRQ 82 ERRIRQ 96
TCP cubic registered
NET: Registered protocol family 17
NET: Registered protocol family 15
lib80211: common routines for IEEE802.11 drivers
mxs-rtc mxs-rtc.0: setting system clock to 1970-01-01 00:20:01 UTC (1201)
mmc0: queuing unknown CIS tuple 0x80 (7 bytes)
mmc0: queuing unknown CIS tuple 0x80 (6 bytes)
UBIFS: recovery needed
mmc0: new high speed SDIO card at address 0001
UBIFS: recovery completed
UBIFS: mounted UBI device 0, volume 0, name "rootfs"
UBIFS: file system size: 75423744 bytes (73656 KiB, 71 MiB, 594 LEBs)
UBIFS: journal size: 9023488 bytes (8812 KiB, 8 MiB, 72 LEBs)
UBIFS: media format: w4/r0 (latest is w4/r0)
UBIFS: default compressor: zlib
UBIFS: reserved for root: 0 bytes (0 KiB)
VFS: Mounted root (ubifs filesystem) on device 0:11.
Freeing init memory: 124K
/bin/sh: can't access tty; job control turned off
/ # [*] Required for ubiattach to work
Code: Select all
mount -a[*] You should now be sitting at a root prompt, congrats, you have root!... but only temporarily, now to make it persistent through reboots.
[*] Mount the database partition by running "ubiattach -p /dev/mtd3"
Code: Select all
/ # ubiattach -p /dev/mtd3
UBI: attaching mtd3 to ubi1
UBI: physical eraseblock size: 131072 bytes (128 KiB)
UBI: logical eraseblock size: 126976 bytes
UBI: smallest flash I/O unit: 2048
UBI: VID header offset: 2048 (aligned 2048)
UBI: data offset: 4096
UBI: attached mtd3 to ubi1
UBI: MTD device name: "database"
UBI: MTD device size: 8 MiB
UBI: number of good PEBs: 64
UBI: number of bad PEBs: 0
UBI: max. allowed volumes: 128
UBI: wear-leveling threshold: 4096
UBI: number of internal volumes: 1
UBI: number of user volumes: 1
UBI: available PEBs: 6
UBI: total number of reserved PEBs: 58
UBI: number of PEBs reserved for bad PEB handling: 2
UBI: max/mean erase counter: 5/3
UBI: image sequence number: 0
UBI: background thread "ubi_bgt1d" started, PID 1024
ubiblkb: unknown partition table
UBI device number 1, total 64 LEBs (8126464 bytes, 7.8 MiB), available 6 LEBs (761856 bytes, 744.0 KiB), LEB size 126976 bytes (124.0 KiB)
[*] Then mount -t "ubifs ubi1:database /database"
Code: Select all
/etc # mount -t ubifs ubi1:database /database
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 1, volume 0, name "database"
UBIFS: file system size: 5459968 bytes (5332 KiB, 5 MiB, 43 LEBs)
UBIFS: journal size: 1015809 bytes (992 KiB, 0 MiB, 6 LEBs)
UBIFS: media format: w4/r0 (latest is w4/r0)
UBIFS: default compressor: lzo
UBIFS: reserved for root: 257887 bytes (251 KiB)
/etc #[*] Enable SSH by running "touch /database/ENABLE_SSH"
Code: Select all
/ # touch /database/ENABLE_SSH
[*] Uncomment the serial console line in /etc/inittab
Code: Select all
# vi /etc/inittab
ttyAM0::respawn:/sbin/getty -L ttyAM0 115200 vt100 # GENERIC_SERIAL [*] Set a new root passwd by running "passwd" OR edit /etc/shadow and remove the password
[*] Add your SSH key to /database/authorized_keys
[*] Remove the dropbear ssh options file restricting ssh login options
Code: Select all
rm -f /tmp/rootfs/etc/default/dropbear # removes the "DROPBEAR_ARGS=-sg" arguments preventing logins [*] Apply any other modifications you wish (see http://www.rootwink.com/viewtopic.php?f=6&t=4)
[*] reboot
Code: Select all
/ # reboot
