cefdk of version b39389

Trying to further the development of Android on the Revue? Talk about it here and document it on the wiki: http://www.wiki.gtvhacker.com

Moderator: Revue Mod

pcgeil
Android 1.0
Posts: 26
Joined: Wed Aug 17, 2011 3:15 am
GTV Device Owned: Logitech Revue

cefdk of version b39389

Post by pcgeil »

This thread should be about the cefdk out of the following archive:
439c26f6af05.mp-signed-ota_update-b39389.zip

The link can be found in the wiki.
This cefdk is not encrypted like the Honeycomb one, and you can see strings in a hex editor.
So anyone who has tried to disassemble it, please share your information :-)
Anyone else is welcome to examine the cefdk.


update:
the first bytes are similar to the bytes of the kernel image or some other (0x00 to 0x2F)

Code: Select all

06 00 00 00 A1 00 00 00 00 00 01 00 01 00 00 00
86 80 00 00 30 03 10 20 41 3F 00 00 40 00 00 00
40 00 00 00 01 00 00 00 80 05 00 00 80 04 00 00

at 0x94 to 0x194:

Code: Select all

F2 4A DD B2 E9 DF 65 F6 33 D3 C0 05 E5 48 25 77
B2 6C F0 C0 6E E8 0F BE 24 F0 7D E6 72 AB 97 67
B6 14 27 C1 EA D0 BB 41 9E F1 75 43 DC A4 BB 62
FB 61 4B DC A4 BE 12 53 DA 33 22 98 5E F4 C0 F1
BA 93 79 31 9C BC 2F 71 DD E3 2B 7A 96 E6 FD 16
7C 55 94 A9 1B C5 30 D5 DF 0A AF 03 7D C2 61 A2
12 8B 8D 00 7E 4D FD 8C 4F 88 AC 24 25 93 2F 93
AE C4 E9 C2 F1 B1 2E 7E 20 5C 49 82 81 12 2F B0
DE C3 EC 97 87 75 CF E1 B8 69 4F B7 5C FE 98 65
70 BD AE 76 37 01 A5 26 34 06 57 56 39 85 B5 4B
3D 7D 65 DE 03 C9 5D 55 AA DE B7 AC 5D 91 29 73
B4 56 01 CE BE AA 69 EF 89 8F 93 CA CD 76 25 4B
D4 A2 71 05 24 69 BC 87 F0 A8 50 5E C0 51 D6 82
79 E9 B8 72 3E E6 2E EA 7B 60 09 90 A5 1A 74 BB
91 2D 0B 2D F5 4C E9 DE 18 6C E6 E6 EF 09 30 35
9B 85 69 C9 C3 E7 89 EC AB B4 28 6D 8F 2A 37 97
11 

Looks like a signature, and then at 0x480 I think the code of cefdk will start.
So from 0x480 to 0xD1FF there are no big spaces with zeros.
At the end of 0xD1FF some strings are visible:

Code: Select all

FAIL: Patch was not applied!
Hanging system!

Successful patch applied!
fuse0 = 
fuse1 = fuse2 = sec fuse0 = sec fuse1 = sec fuse2 = sec output doorbell = sec output status = SEC FW: firmware version valid: .SEC FW: IPC transfer failed
SEC FW: firmware version invalid
SEC FW: SEC ready
SEC FW: firmware module sent to SEC for authentication and load
Successful firmware download!
Firmware download FAILED!
SEC FW: continuing with normal CEFDK boot ...
SEC FW: reading firmware from NAND flash failed!

Don't know if these are visible on the console (UART) (does anyone else know)?
At 0x20000 to 0x2065f there is also something.
The strings at the end look like:

Code: Select all

GCC: (GNU) 4.1.2GCC: (GNU) 4.1.2

So we know gcc was used!
pcgeil
Android 1.0
Posts: 26
Joined: Wed Aug 17, 2011 3:15 am
GTV Device Owned: Logitech Revue

Re: cefdk of version b39389

Post by pcgeil »

from 0x20800 to 0x2F7FF also non-zeros, no strings at the end

from 0x30000 to 0x3069b also non-zeros

from 0x30d00 to 0x3120e non-zeros

from 0x31400 to 0x31D1F non-zeros

from 0x32000 to 0x3217C non-zeros

and so on ...

from 0x34800 to 0x34994:

Code: Select all

Intel Lincroft SCH Microcode Version 000.064d:00000000:Apr 28 2009 ...

from 0x37000 to 0x3b21f (there is much more, this is just a short string overview!)

Code: Select all

CEFDK - Production Release %s (built Jul  2 2010, 18:12:31)
      core                      : %s
     cs_gen4                   : %s
     MemType                   : DDR2    MemType                   : DDR3    MemSpeed                  : 800     MemSpeed                  : 1066    MemSpeed                  : 1333    MemSpeed                  : 1600    MemSpeed                  : Unknown     Channels Enabled          :     Channel Mode              :   Hit a key to start the shell... CE4100 Stepping:  A0 A1 B0 B1 Unknown revision Board:  GoldenBeach:  Board:  ChesapeakeBay  Board:  FalconFalls  Board:  PowerHouseLake  Version Information -  Memory configuration -  A  B  Linear Interleave Mode 1 Interleave Mode 2 All A/V devices use IRQ 4. FTL Lite read MAC data fail. FTL Lite initialized failed Shell exit Please restart the board CE4100 4.016-g5be30e7d-dirty bad reg address bad dev address success not initialized bad op type tx empty timeout rx full timeout unknown error %d !!! I2C WR: *%08x=%08x
 !!! *retData=0x%x
  
R 4R -R &R ¬R  R  R I2CWaitRxFull I2CWaitTxEmpty    !!! IN %s: stop=%d ISR=0x%08x mask=%08x rwm=%08x    !!! EXIT(%d) %s: count=%d ISR=0x%08x mask=%08x rwm=%08x
    !!! EXIT(%d) %s: count=%d ISR=0x%08x mask=%08x rwm=%08x toTick=%08x%08x roll=%08x%08x procTicks=%08x%08x
   !!! IN %s: stop=%d op=%d ISR=0x%08x mask=%08x rwm=%08x
    	 

 

 
                                 Usage:
i2c 0|1|2 <I2C dev 7bit addr> [<PCI bus> <dev> <fun>]    i2c r[ead] [<bytes> [<dest addr>]] | w[rite] <byte value> [<val2> <val3> ...]]  i2c w 0x4 1 0 0 0xff 0 0 0 0 0 0 0 0
i2c r
 
Error: First do: %s <bus> <dev addr>
  Bad arg.
Usage: i2c r[ead] [<bytes> [<buffer addr>]]    Bad arg.
Usage: i2c w[rite] <byte value> [<val2> <val3> ...]    I2C buses read and write (SV ver). i2c d[ebug]  [<debug msg level: 0|1|2>] 

Example: i2c
i2c 2 0x44 i2c STATUS: %d I2C Bus: %s
 %d (0x%x) I2C Dev: %s
 PCI: 0x%x.%x.%x
 Bad byte count %d need >0
   
 0x%02x%s I2C error: %s (%d)
 Read %d bytes
 I2C DEBUG @ %d
 BAR%d:	%08X
 ICR_%d		%08X
 ISR_%d		%08X
 (ISAR_%d		%08X)
 IDBR_%d		%08X
 (ICCR_%d		%08X)
 IBMR_%d		%08X
 IWCR_%d		%08X
 ISMSCR_%d	%08X
 ISMLCR_%d	%08X
 IFMSCR_%d	%08X
 IFMLCR_%d	%08X
 IDDS_RATE_LB%d	%08X
 IDDS_RATE_UB%d	%08X

 Unknown arg. writeCount = 0x%X
 
Done Erasing block at 0x%x
 Data = 0x%08X
  Rounding up copy size to an erase boundary.. Copy Size = 0x%x
  Burning the flash using the write buffer Skipped bad block %d:%d
   !!!!ehci_read(0x%08x)=0x%08x,flag=0x%08x
   TEST_UNIT_READY failed. 0x%08X 0x%08X 0x%02X
   bulk error. 0x%08X 0x%08X 0x%02X
   Error: wTotalLength is large than %d byte.  General USB Device on Address: %d
  Try again command TEST_UNIT_READY   Error happen at command REQUEST_SENSE   Error happen at command READ_10 %d
 ehci_read( USB_PORT ) != 0x0C000800 ehci_read( USB_PORT ) != 0x08001205U
ehci_read( USB_PORT)  is %x
 Initialize EHCI %d
 Detect Device on Port %d
 Device on Port %d
 Found disk on Port %d
 ANDROID! %s: no ICSS header
 %s: no Android magic
 ERROR: missing magic Verify stage3 FAIL Verify stage3 PASS bootimg checksum correct Linux command line %s
  androidboot.bootloader=  androidboot.hardware= logitech_ka3  androidboot.serialno= %08X  androidboot.mode=recovery Using initrd size %08lx
 %s: calling usbInit
 %s: calling usbInit FAIL
 %s: calling usbInit OK
 %s: bootimg_size=%d
 Booting from USB disk... bootusb No USB disk found NORMAL RECOVERY Boot %s
 ERROR: image is too big Request factory reset boot-recovery bootloader.command recovery
--wipe_data
 bootloader.recovery boot-factory Boot FACTORY ERROR: No FACTORY image bootrecovery bootnormal Boot kernel from USB stick. 
************************************************************   *                                                          *    *                   CEFDK IS NOT SECURE!                   *    *                  DEVELOPMENT BUILD ONLY                  *    ************************************************************
   ERROR: kernel size (%ld) invalid
   ERROR: ramdisk size (%ld) invalid
  ERROR: second size (%ld) invalid
   ERROR: bootimg checksum mismatch    Boot Normal kernel from NAND flash. Boot Recovery kernel from NAND flash

Code: Select all

ERROR: Can't read BBT
  raw  %sdump block=%d page=%d:
 %02x  Scanning for bad blocks block %04d:  ERROR reading block %d! factory: all-zero  ECC-fail  ECC-ok  BBT  EEC-ok  BAD BLOCK %d
 sha block=%d page=%d:  %02x %s: No NAND flash found
 mtd dump raw sha zero wear block start page start bit position scan bbt %d is a factory bad block
 %d is a worn bad block
 Usage:   mtd dump  <Block> <Page>
    mtd raw  <Block> <Page>
    mtd sha  <Block> <Page>
    mtd zero <Block> <Page>
    mtd scan
    mtd bbt
  Test command for mtd suport. %d total bad blocks (factory %d)
   %s: ERROR: Too many bad blocks
 %s: ERROR: Can't read block %d
 %s: ERROR: Can't read nand block %d page %d (err = %d)
 WARNING: Unknown flash page size %d %s: ERROR: Can't read nand block %d page %d
    wear flash by flipping byte %d bit %d
  %s: ERROR: Can't erase block %d
    %s: ERROR: Can't write nand block %d page %d
   BBT found in block %d, version %02x
    BBT mirror in block %d, version %02x
   BBT table written in block %d
        --- Read a single page from NAND and display a hex dump.        --- Read a single page from NAND and display a raw hex dump.        --- Read a single page from NAND and display a checksum.    mtd wear <Block> <Page> <Bit>
          --- Re-write a single page from NAND, flipping the specified bit        --- Write zero's to a single page, simulating a bad block       --- Scan for bad blocks, building the bad block table       --- Display the bad block table Bbt01tbBnand_wear nand_zero nand_sha nand_dump nand_init nand_read_bbt nand_read ERROR: FTS is full fts get NULL %s: %s
 set dump Version: %ld
 CRC: %08lx
 UsageXX:   fts get  <Key>
        --- Get a fts value   fts set  <Key> <Value>
        --- Set a fts value   fts dump
        --- Dump fts state Test command for fts support. Ä   1 mmap Displays a system memory map.   Error: No room in IRQ table to add entry for device %02x:%02x:%02x
 pciIsBridge(bus, dev, func) pci_alloc.c Assert failed at %s:%d (%s)
    TØ  Error: Link %d for PCI device %X:%X:%X exceeds maximum (%d)
    
Intel(R) Consumer Electronics Firmware Development Kit (Intel(R) CEFDK)    Copyright (C) 1999-2009 Intel Corporation. All rights reserved. Build Time (%s).
 1 03/12/10 12:25:24 {%x} exit help %10s - %s
 fu reset shell>      %s Error: Missing ". Error: Invalid command. Displays this screen. Stops the shell.    ˜œ F– u– f– wœ wœ wœ wœ wœ wœ wœ wœ wœ wœ wœ wœ wœ wœ wœ wœ wœ wœ wœ wœ wœ wœ ◊œ Error: Unable to open redirection file: '%s'.
 Invalid %s: '%s'
    lspci : displays info about all PCI devices  -p : pauses after every 25 lines    -l : list all devices on [bus/buses]    -s : dump configuration space of [bus [device [function]]] MAXREGOFFSET    16550-Compatible Serial Controller  Generic PCI Hot-Plug Controller IPMI Keyboard Controller Interface  Data Acquisition/Signal Processing  BB:DD:FF  VID :DID   DevClass  IRQ  Device Type --------  ----:----  --------  ---  ------------------------------- =============================================== Bus : %x   Device : %x   Function :  %x

   Offset 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F Options:  -h : prints this message  -v : verbose mode IDE Controller SATA Controller Mass Storage Controller Ethernet Controller VGA-compatible Controller Display Controller Video Device Audio Device Hi-Definition Audio Device Multimedia Device Host-PCI Bridge PCI-ISA Bridge PCI-PCI Bridge PCI-CardBus Bridge Modem Controller Smart Card Controller IO(x) APIC SDIO Controller System Peripheral USB Controller (UHCI) SMBus Controller IR Controller Entertainment Encrypt/Decrypt Expansion Bus controller GPIO controller I2C controller SPI controller DFX controller IEEE1588 and Clock Recovery NAND controller GVSPARC (unknown) UART Controller USB Controller (EHCI) Hit any key to continue ... %02X:%02X:%02X   %04X:%04X   %02X    %s Bus .............: %.2x
 Device ..........: %.2x
 Function ........: %.2x
 Vendor ID .......: %.4x
 Device ID .......: %.4x
 Device Type .....: %s
   Class Code ....: %.2x
   Sub Class .....: %.2x
   Prog I/F ......: %.2x
 lspci -v -p -h -l -s 
    %.2x %.2x  %.2x  
 
Hit any key to continue ... Displays PCI device info. C  ymodem buffer address serial port baud rate Received 0x%X bytes.
 Transfer aborted. Error during transfer.  usage: ymodem <buf> [<port> [baud rate]]    Received file '%s' (0x%X bytes).
   Receive a file from serial using YMODEM. local apic (invalid) ram reserved rom io apic   Ú 	Ú %Ú  Ú  Ú  Ú  Ú  Ú K M %d: %016llX-%016llX (%4d%s - %4d%s) %s


from 0x40000 to 0x4fb25

Code: Select all

Usage: expflash initNor    - Initialize expansion bus for NOR flash access.        expflash norRead <address> - Read data from NOR flash.          expflash norBlockErase <address> - Erases a block, any adress whithin a block will erase that block.        expflash norWriteBuffer <srcAddress> <desAddress> <size> - Write data from DRAM to NOR flash in buffer mode.        expflash burnFlash <srcAddress (DRAM)> <destAddress (Flash)> <size> - Erases and burns the proper flash blocks   Initialize expansion bus for NOR flash access...    Access flash on expansion bus. expflash initNor norRead read address Read data from NOR flash... norBlockErase address Erases a block... erase done norWriteBuffer source address Destination address data size burnFlash

Code: Select all

No NAND flash on board! Usage:       --- Erases Blocks. FTL Lite read fail! nandFTLL read block start page start page count buffer pointer buf pointer: 0x%08x
 erase block count Erase block %d - %d
 Erase success at block %d
 Erase failure at block %d
 write listBadBySig block end BAD BLOCK: %d
 READ ERROR: %d
 listBadByRead Erase failure: %d
 burnNandImg Nand Img Buffer Abort... NAND page size = 0x%x
 Erase block 8 - 39 Programming done Successfully wrote %d pages starting at block %d, page %d
    nandFTLL read  <Bl_Start> <Pg> <Pg_Count> <Buf Addr>
           --- Read <Pg_count> pages from NAND to Ram Buf Addr.    nandFTLL write <Bl_Start> <Pg> <Pg_Count> <Buf Addr>
           --- Write <Pg_count> pages from RAM to NAND.    nandFTLL erase <Bl_Start> <Bl_Count>
       nandFTLL listBadByRead <BL_Start> <BL_End>          --- List bad blocks from block <BL_Start> to <BL_End> by Reading it     nandFTLL burnNandImg <Buf Addr>         --- Burn CEFDK Nand image from <Buf Addr> to NAND chip    Successfully read %d pages starting at block %d, page %d
   block start: %d, page start: %d, page count: %d
    WARNING: This will erae all blocks from %d to %d!
  Write error at block %d, page %d
   Read error at block %d, page %d
    WARNING: This is dangerous, make sure you have correct image load at 0x%X
  Press ENTER to continue, others to abort:   Stage1_64K: Program %d pages at block 8
    Stage2_128K: Program %d pages at block 16
  Stage2_128K: Program %d pages at block 24
  Stage2_64K: Program %d pages at block 32
   Stage1_128K: Program %d pages at block 8
   Stage2_128K: Program %d pages at block 32
  Access NAND flash via FTL-Lite API

Code: Select all

Usage: Boot from flash ... bootflash NOR redboot address in NOR NAND redboot block address in NAND     bootflash <NOR> [redboot address in NOR flash] -boot redboot from NOR Flash.    bootflash <NAND> [redboot blk address in NAND flash] -boot redboot from NAND Flash.   No valid redboot found in flash.    FTL Lite read Redboot from blk %d fail.
    Boot redboot from NOR or NAND flash.

Code: Select all

%d MBytes %02d [%s] %04d %d      F1: Save & Exit Setup   F2: Upgrade Firmware Data has been updated Please Restart the system   Version:     %s   Build Time:  %s   Board:       GoldenBeach   Board:       ChesapeakeBay   Board:       FalconFalls   Board:       PowerHouseLake   MemType:     DDR2   MemType:     DDR3   MemSpeed:    800 MHz   MemSpeed:    1066 MHz   MemSpeed:    1333 MHz   MemSpeed:    1600 MHz   MemSpeed:    Unknown  Chn Enabled:  A  B    Chn Mode:    Linear transfer addr length settings Standard Features   Drive Information      SATA Primary     SATA Secondary   Memory Information      Exe MemTest at Start     Total Ram: Data has been updated
   Enable BUnit Buffer:   Enable Security Unit:   Enable Memory Scrambling:   Use DRAM Override:   USB A0 FIB:   Disable SATA SSC:   Automatic boot Redboot:   USBKeyboard Detect:   Dynamic Rcvn Tuning:   Dynamic Read Tuning:   Dynamic Write Tuning:   Dynamic Write Levelization:   Fast Audio Path: BIOS Settings         CEFDK - Consumer Electronics Firmware Development Kit Setup               Esc: Quit                               <Arrow Keys> : Select Item    To begin the upgrade, YMODEM the file . Transfer has been cancelled, press [esc] to continue.               Burning the Flash .                                                 Complete.  Please restart your system.                                                                                                                          About CEFDK                                           Chn Mode:    Interleave Mode 1      Chn Mode:    Interleave Mode 2      Esc: Return to Previous Menu                 <--/--> : Tranverse Fields   Usage: Settings - Displays the BIOS Settings of CEFDK.  CEFDK - Consumer Electronics Firmware Development Kit Setup   Date (mm/dd/yyyy)          /  /     Time (hh:mm:ss AM/PM)      :  :            CEFDK - Consumer Electronics Firmware Development Kit Setup                                   Advanced Features                                          Esc: Return to Previous Menu                 <Arror Keys> : Select Item

from 0x50000 to 0x61048, first few bytes:

Code: Select all

00 00 80 86 20 07 05 14 00 01 80 41 00 00 00 40
00 00 00 40 00 00 00 01 00 00 05 80 00 00 04 80

Code: Select all

Loading 8051 MicroCode at 0x40000   I2C error: Unable to open I2C_BAR1 External PIC version %s
 /dev/ttyS0 /dev/ttyS1 I2C error: %s (%d)
Last edited by pcgeil on Sat Sep 03, 2011 10:44 am, edited 1 time in total.
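
The manual mapping done in the two posts above (ranges of non-zero bytes, then the strings at the end of each range) can be scripted. The following is an added example, not part of the original thread; the function names, the 0x100-byte zero-gap threshold and the sample image are constructed for illustration.

```python
import re


def nonzero_regions(image, min_gap=0x100):
    """Return (start, end) pairs, end inclusive, for data separated by runs of
    at least min_gap zero bytes. Shorter zero runs stay inside a region."""
    regions, pos = [], 0
    for gap in re.finditer(rb"\x00{%d,}" % min_gap, image):
        if gap.start() > pos:
            regions.append((pos, gap.start() - 1))
        pos = gap.end()
    if pos < len(image):
        regions.append((pos, len(image) - 1))
    return regions


def ascii_strings(data, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def survey(image, min_gap=0x100, tail=0x200):
    """For each region: (start, end, strings found in its last `tail` bytes)."""
    report = []
    for start, end in nonzero_regions(image, min_gap):
        window = image[max(start, end + 1 - tail):end + 1]
        report.append((start, end, ascii_strings(window)))
    return report


def build_sample():
    """Constructed 4 KiB test image (not real firmware): filler bytes with a
    few of the strings quoted in the thread placed at the end of regions."""
    img = bytearray(0x1000)
    img[0x000:0x030] = b"\xA5" * 0x30
    body = b"\xA5" * 0x40 + b"FAIL: Patch was not applied!\x00Hanging system!"
    img[0x480:0x480 + len(body)] = body
    tail = b"\xA5" * 0x20 + b"GCC: (GNU) 4.1.2"
    img[0x800:0x800 + len(tail)] = tail
    return bytes(img)


if __name__ == "__main__":
    for start, end, strs in survey(build_sample()):
        print(f"0x{start:05X}-0x{end:05X}  {strs}")
```

To run it against a real image, replace `build_sample()` with the bytes read from the extracted file.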
pcgeil
Android 1.0
Posts: 26
Joined: Wed Aug 17, 2011 3:15 am
GTV Device Owned: Logitech Revue

Re: cefdk of version b39389

Post by pcgeil »

OK, after a few hours of sleep I found something quite interesting:
the following lines are the start of the cefdk version:

Code: Select all

06 00 00 00 A1 00 00 00 00 00 01 00 01 00 00 00
86 80 00 00 30 03 10 20 41 3F 00 00 40 00 00 00
40 00 00 00 01 00 00 00 80 05 00 00 80 04 00 00

If you take kernel.img or recovery.img (not the encrypted one) then you get:

Code: Select all

00 00 00 06 00 00 00 A1 00 01 00 00 80 00 00 01
00 00 80 86 20 07 05 14 00 13 20 A1 00 00 00 40
00 00 00 40 00 00 00 01 00 00 05 80 00 00 04 80

Do you see similarities?
:-) OK, take four bytes and mirror (after two bytes). Don't switch endianness!
The first line is completely identical, the second just the first four and the last four bytes.
Bytes 5-8 are maybe an identifier and 9-12 maybe a size, I don't know ...

Bytes 9-12 of the last line are the start of the signing, 0x480 (my opinion), and 13-16 are 0x580, the start of the real content.
With kernel.img and recovery.img it suits; with cefdk I can't check it.
I tried 0x580 as the entry point in IDA Pro, but it looks a bit curious (doesn't make sense to me), but I'm not so familiar with IDA and disassembling.
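
The comparison described in this post, as an added example that is not part of the original thread: it reads the "mirror four bytes" step as reversing each 4-byte group, i.e. decoding the cefdk header as little-endian 32-bit words and the kernel.img header as big-endian, which is an assumption about what the poster meant. The byte values are the ones quoted above; the function names are made up for illustration.

```python
import struct

# Header bytes as quoted in the post above (first 0x30 bytes of each file).
CEFDK_HDR = bytes.fromhex(
    "06000000 A1000000 00000100 01000000"
    "86800000 30031020 413F0000 40000000"
    "40000000 01000000 80050000 80040000")
KERNEL_HDR = bytes.fromhex(
    "00000006 000000A1 00010000 80000001"
    "00008086 20070514 001320A1 00000040"
    "00000040 00000001 00000580 00000480")


def words(buf, order):
    """Decode buf as 32-bit words; order is '<' (little) or '>' (big endian)."""
    return list(struct.unpack(f"{order}{len(buf) // 4}I", buf))


def compare_headers(a, a_order, b, b_order):
    """Return (byte_offset, a_word, b_word, equal) for every 32-bit field."""
    pairs = zip(words(a, a_order), words(b, b_order))
    return [(i * 4, x, y, x == y) for i, (x, y) in enumerate(pairs)]


def best_order(a, b, b_order=">"):
    """Try both byte orders for a; return (order, match_count) of the better."""
    scores = {o: sum(eq for *_, eq in compare_headers(a, o, b, b_order))
              for o in "<>"}
    order = max(scores, key=scores.get)
    return order, scores[order]


if __name__ == "__main__":
    print("best byte order for cefdk vs big-endian kernel.img:",
          best_order(CEFDK_HDR, KERNEL_HDR))
    for off, x, y, eq in compare_headers(CEFDK_HDR, "<", KERNEL_HDR, ">"):
        print(f"0x{off:02X}  cefdk={x:08X}  kernel={y:08X}  "
              f"{'same' if eq else 'DIFFERENT'}")
```

The per-field listing shows which 32-bit fields agree between the two headers and which carry file-specific values.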
macky032992
Android 1.0
Posts: 10
Joined: Mon Aug 29, 2011 11:10 am
GTV Device Owned: Logitech Revue

Re: cefdk of version b39389

Post by macky032992 »

Do you think it is possible to create a USB boot disk that CEFDK will be able to use? I ask this as I see strings referring to USB and boot in your post.

My revue hangs on the Logitech startup screen after upgrading and a power fail. There are more like me with a similar issue.
After playing around I noticed that powering on with the button pressed in results in the Revue accessing a FAT32 USB drive in USB2. This is the only indication of any program executing besides the logo. My hope is that it is looking for a boot image.
I have looked up other forums on CEFDK on suggestion from zenofex and it seems as though this could be possible. I believe the cefdk sdk provided to developers will boot redboot which then loads the kernel.
I want to try to get to the recovery image and to re-apply the update.

Do you know what the format of the boot disk should be or how to create it?

All of these are my assumptions and I may be completely wrong.
pcgeil
Android 1.0
Posts: 26
Joined: Wed Aug 17, 2011 3:15 am
GTV Device Owned: Logitech Revue

Re: cefdk of version b39389

Post by pcgeil »

we do not know what is enabled and what not!
We have to dig deeper into cefdk but this is time intensive and may take some time ...

feel free to help


Update:
0B B0 AD DE 0F 00 01 A9 this is also used by the MBR file which Intel delivers.
Also the mentioned header is the same as the demo cefdk files Intel delivers.
Chinpokomon
Android 1.0
Posts: 36
Joined: Mon Aug 01, 2011 10:13 pm

Re: cefdk of version b39389

Post by Chinpokomon »

macky032992 wrote: Do you think it is possible to create a USB boot disk that CEFDK will be able to use?
Having looked into it before, it doesn't look like the device mounts the USB ports before booting... in other words, it won't boot off a USB key.