Monday, September 28, 2009

Progress on x760+ / buildroot published

First and foremost: sorry for being so hard to get in touch with lately. We've been in defcon 1 for the last week at work preparing a demo for the current project (OMAP3530 based) which is crucial to the future of the company, so I had reduced my daily routine to sleep-eat-work-sleep. My inbox is exploding.

Sweetlimre commented on having a writable home directory (see interview). If I recall correctly, I wrote about this already. The main application executed by busybox's init process is responsible for this. At this stage in the boot process no HOME environment variable has been set. I could easily modify busybox's init to set it to "/usr/local/home", but I felt it's better to stick to a vanilla busybox as much as possible. Oh, wait: maybe if (as I recommended) the main menu application is using exec() to launch emus/apps things are not so simple. Need some input from devs here, and if the only solution is to modify busybox's init, so be it.

Regarding the modified buildroot I'm using, as he requested it's now available for download at the google code project page. I hadn't published it before just because I could not find time to fix all the dirty hacks I used, which resulted in a partially manual build. I'll be glad to add anything developers suggest. Just send me the buildroot recipe. I would really like to stay away from OpenEmbedded. I have to use it for the OMAP3530 and IMHO it is way overengineered.

Some good news on the Ingenic front: the Qi-Hardware guys have managed to get Ingenic to release their kernel development trees DAILY. This means immediate access to any useful fix they make. There are and 2.6.27 branches, and I'm working on porting the A320 support code to the later, mostly to see if it helps somehow with the USB/DMA and SD/MMC standing bugs. Note that in the case of embedded devices like the A320 I don't think that newer kernel is necessarily better.

Regarding the Gemei x760+ things are going slower than expected. I dumped the hardware initialization .DL from NAND flash and disassembled it, only to discover I was looking in the wrong place. Let me explain:

When the JZ4740 boots a piece of code called the IPL (Initial Program Loader) is executed from ROM. Depending on the state of some pins this code either enters USB boot mode or boots from NOR or NAND flash. In the A320 we can only choose to enter USB boot mode or boot from NAND. The IPL only supports 512 and 2048 page size NAND, so despite the fact that the NAND chip in the A320 has a 4096 page size it is handled by the IPL as if it was 2048.

The IPL reads the four first pages (8KB total) of NAND into the instruction cache (because the SDRAM is not yet available). This is called the SPL (secondary program loader) and its purpose is to do a basic hardware initialization, most notably making the SDRAM available, and load the system loader from NAND. The A320 SPL also handles the NAND as if it was 2048.

In the original firmware the SDL is stored in the first 8KB of the first NAND block (0x00000-0x3FFFF). It loads the system loader from 0x50000-0xBFFFF. Before loading the operating system the A320 system loader does something interesting: it loads from 0x40000-0x4FFFF a piece of code that I call the hardware initialization DL. It is a dynamic linked object code chunk that does board-specific hardware initialization: GPIO, LCD, etc. This is the interesting stuff. In both the older and newer A320 the LCD initialization code was reverse engineered from this DL.

However, the x760+ LCD initialization seems to be mostly done by the system loader itself. It stil loads the DL and uses it for some GPIO initialization that is also related to the LCD controller, but not much more. The DL does contain a large LCD register initialization code routine, but it is unused (and I lost a lot of time reverse engineering it).

Since the system loader code is much larger (~260KB) than the DL code (~10KB), it's gonna take some time to reverse engineer the LCD handling code. Note also that I had already reverse engineered the A320 DL code and that helped a lot, but the system loader is unexplored territory.

Wednesday, September 16, 2009

Testing new dual-boot installer

I've just released a new dual-boot installer in the hope that it fixes the "flash write error" problem some users have experienced. The error is caused by one or more bad pages in the first block of NAND. This is normal and there is a mechanism that was supposed so handle it but wasn't working. As I don't have bad pages in this first block in my two A320s, I can't test it myself, so, until someone reports that it is working for him, consider it beta.

UPDATE 1: so far three success reports. Yeah, looks like this bug is squashed!.

UPDATE 2: confirmed. No more flash write errors.

Thursday, September 10, 2009

Merged latest Ingenic patch

No big news. Ingenic released a new kernel patch, which mostly adds support for a new development board. There are though some minor changes in common parts of the assembly code in the core, so, just in case they had fixed some bug I applied the patch (their ChangeLog doesn't say anything, though).

I tested the two major standing problems (USB failure when using DMA and card corruption when using 4-bit bus mode) and they're both still there. Regarding this last issue, I recently had my card corrupted again, so there is a chance that setting the card in 1-bit bus mode only makes the bug much less likely to happen.

Some other in-no-particular-order news:
  • Fixed the network mask problem (changed from to
  • Rebuilt the whole toolchain and rootfs as MIPS32r1 architecture (was MIPS I). This should result in faster, smaller code. Ingenic doesn't even mention in their documentation that the CPU is MIPS, much less say which MIPS flavor it is. However, Vladimir Silyaev noticed that the Ingenic kernel default configuration is for MIPS32r1, so the toolchain should be too).
  • The guys at Qi-Hardware sent me a prototype of their Ben NanoNote device. A post on this soon. They also got a newer patch from Ingenic (kernel 2.6.27), but I'm yet to find time to examine it for fixes that might solve the USB DMA or the card corruption problems (not optimistic thought, because any important fixes should have gone out in their latest "official" patch).
  • Some users have reported flash write failures during dual-boot installation. The original SPL restore feature works fine, though. It seems that they have bad pages in the first flash block (which is normal in NAND flash) and the flash write tool doesn't handle them properly. This should be easy to fix, but will take some time because I haven't got an A320 with bad pages.

Tuesday, September 8, 2009

Good news on Gemei x760+

Today I installed the serial console connector on the Gemei x760+ and had a chance to examine the hardware a bit better. I would say that except for the buttons and the LCD the hardware is exactly equal. Same CPU, same SDRAM, same FM chip, same TV-out chip, etc.

I tried to boot dingux straight to SDRAM vía USB boot mode and everything worked, except that the kernel paniced because I had no SD/MMC card inserted and thus no rootfs in place. I could see the LCD backlight blinking, so the same GPIO pin is used to control it.

As I mentioned in the previous post test point 1 (TP1) is the console TX signal, and I confirmed that test point 2 (TP2) is the RX signal.

So, we should have dingux runing on the x760+ in a few weeks. All that's needed is map the GPIO pins (if different from A320) and disassemble the hardware initialization code in the unbricker tool to get the LCD initialization code.

I would say the donated money has been put to good use :-). Thank you all again.

Offtopic UPDATE 1: I see a problem coming: the lack of start and select keys. On one side, you know that the dingus kernel uses power+start+whatever for special functions (volume, brightness, reboot, etc). On the other side, developers have been porting applications and using the very convenient start and select keys. I would like to hear suggestions on how do deal with that. Besides up/down/left/right and the four "action" buttons, the x760+ has only power and reset buttons.

Offtopic UPDATE 2: I was wrong in the previous post: the x760+ indeed has a power button (not slider), and does charge through USB.

Friday, September 4, 2009

Gemei x760+ (UPDATED)

As mentioned in the preceeding post, the Gemei x760+ arrived from DealExtreme yesterday. Fridays use to be a bit frenzy at work but a while ago I could finally take a break and dissect it.

At a glance:
  • Very sturdy feel.
  • Shorter but wider and thicker than the A320.
  • Smaller battery than A320 (you'll see the internals later), should mean shorter battery life.
  • I'm not a gamer myself, but the gaming controls of the A320 are much better. In the x760+ you touch the rubber pad, while the A320 has hard plastic caps/cross over it.
  • No on/off switch.
  • Large SD/MMC card slot, maybe more convenient than miniSD in the A320.
  • Seems not to charge from USB, which is certainly quite inconvenient. Has a separate power port, which is +5V like USB, so I just can't understand this design decission.
It came uncharged, so I can't at the moment comment on the LCD quality. Size is obviously the same.

Here are a couple of pictures so you can compare sizes:

Splitting it open was a bit hard. You must remove the four tiny screws from the sides and then pry it open carefully. The plastic snaps that hold it together fit extremelly well, so I would say it is almost impossible to open it without breaking at least a couple of them. If you want to do it anyway, I'll soon make available the full set of pictures where you see where they're located before opening. That should increase your chances. I haven't put it back together yet, so I don't know how the couple of broken snaps affect the body integrity, but I bet it's almost unnoticeable.

In the following picture you can see the circuit board with better detail. The test point 1 is highlighted, and it is the serial console transmit signal (3.3V). I had a hard time finding it because as opposed to all the other test pads, this one has solder on it and this does not have the typical golden appearance:

Once you remove the internal screws, you gain access to the other side of the board where the LCD is located. Note that as opposed to the A320 where the LCD is soldered, here the LCD has a connector and thus can be easily removed:

This should be the LCD model (some clues on it too in the hidded diagnostics screen of the firmware). Haven't even googled for the LCD model yet:

Finally, once the LCD is removed, this is what you see on the back of the PCB:

The highlighted test point 2 is my best suspect for the serial console receive signal, but this is yet to be confirmed.

For the curious, this is the serial console output seen on the serial console transmit signal during a normal boot:

NAND Booting...ECD755B6..
loader size = 0x00050CA0
NAND Loading...
get ccpmp_config ok!!!
ccpmp_config.firmware_name = GM760P.HXF. ccpmp_config.update_key = 123, ccpmp_config.lcm.width = 320, ccpmp_config.lcm.height = 240.
loader normal mode...
Creating ftl device...
id:EC D7 55 B6 78
id:00 00 00 00 00
id:00 00 00 00 00
id:00 00 00 00 00
usb_connect = 1
into lcd_init.
into rgb_lcd_init.
into rgb_user_init.
into rgb_lcd_mode_init.
out rgb_lcd_mode_init.
rgb_user_init ok!!!
out rgb_lcd_init.
Start decode...
OK 153601.
out lcd_init.
get_lcd_brightness -- value = 3.
00000525:1.00000535:1.000003C4:1.len is 0x 500000
os_len = 0x 26c3a0. checksum = 0x0b3a8155.
0000243C:1.ret = 1
Run image...

c_main enter------!!
kseg init OK!
new loader, system config ok!
intc init OK!
intc lib OK!

the os is start

UPDATE: as Douglas points out in the comments, the x760+ does charge through USB and does have a power button with functionality similar to the A320 power slider.

Thursday, September 3, 2009

Gemei x760+ is here

Ordered from trustworthy DealExtreme, just arrived. Can't believe it after such an oddisey with MP4nation.

Review, pictures and disassembly tomorrow.

BTW, DealExtreme just added this to their catalog, and added this a few days ago too.

First is from JXD, second is from Benss. No hardware info whatsoever, but with 8GB of internal flash, 4.3" LCD and integrated cámera, they both offer a good bang for the buck. Let's wait and see if details on the hardware emerge in the next weeks...