Rooting Toon (or boxx)

Everything about rooting Toons 1 and 2.

Moderators: marcelr, TheHogNL, Toonz

RomMon
Starting Member
Starting Member
Posts: 44
Joined: Mon Aug 29, 2016 9:05 pm

Re: Rooting Toon

Post by RomMon »

Hi Marcelr,

That's sounds great.
Well done!
Ierlandfan
Member
Member
Posts: 151
Joined: Thu Oct 03, 2013 7:53 pm

Re: Rooting Toon

Post by Ierlandfan »

Not even Quby, Eneco or marcelr as password. Make it valentine 8) I assume you modified the bootloader for that purpose that is...did you not?
marcelr
Global Moderator
Global Moderator
Posts: 1153
Joined: Thu May 10, 2012 10:58 pm
Location: Ehv

Re: Rooting Toon

Post by marcelr »

Ierlandfan wrote:Not even Quby, Eneco or marcelr as password. Make it valentine 8) I assume you modified the bootloader for that purpose that is...did you not?
Yes, I tweaked the bootloader code just a little bit. Nothing fancy. In the final version there shouldn't be a password at all. Just hitting <Enter> to enter the bootloader environment should suffice. Will fix that later.
To actually root a machine, there's no need to flash the boot loader onto it, just booting once from a password-free bootloader, and then performing all the rooting steps should do the trick. You will need JTAG hardware and some code to do it, though.
Toonz
Forum Moderator
Forum Moderator
Posts: 1873
Joined: Mon Dec 19, 2016 1:58 pm

Re: Rooting Toon

Post by Toonz »

great work. I used my Raspberry Pi for the rooting process. I believe there are also JTAG pins on the GPIO block but have never used JTAG before. Anyway, do the newer Toons have better hardware or just an updated bootloader?
member of the Toon Software Collective
marcelr
Global Moderator
Global Moderator
Posts: 1153
Joined: Thu May 10, 2012 10:58 pm
Location: Ehv

Re: Rooting Toon

Post by marcelr »

The latter; same hardware, tweaked bootloader.

Oh, by the way: I uploaded a bootloader image and a slightly patched ed20.cfg file to the downloads section. The rooting manual has been extended with a rooting option for the newer boot loaders (toons with serial #16 etc).
balans
Starting Member
Starting Member
Posts: 26
Joined: Wed Feb 01, 2017 7:21 pm

Re: Rooting Toon

Post by balans »

Ok tried using my raspberry2 as a jtag i did this before and had most of the things still around.

got this

pi@raspberrypi:~/openocd-0.9.0 $ sudo openocd -f rpi.cfg -f ed20.cfg
Open On-Chip Debugger 0.9.0 (2017-02-16-14:23)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
SysfsGPIO nums: tck = 11, tms = 25, tdi = 10, tdo = 9
SysfsGPIO num: trst = 7
SysfsGPIO num: srst = 24
trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain connect_deassert_srst
Info : auto-selecting first available session transport "jtag". To override use 'transport select <transport>'.
dcc downloads are enabled
ed20_init
Info : SysfsGPIO JTAG/SWD bitbang driver
Info : JTAG only mode enabled (specify swclk and swdio gpio to add SWD mode)
Info : This adapter doesn't support configurable speed
Info : JTAG tap: imx27.etb tap/device found: 0x1b900f0f (mfg: 0x787, part: 0xb900, ver: 0x1)
Info : JTAG tap: imx27.cpu tap/device found: 0x07926121 (mfg: 0x090, part: 0x7926, ver: 0x0)
Info : Embedded ICE version 6
Info : imx27.cpu: hardware has 2 breakpoint/watchpoint units
Info : ETM v1.3

so far looking good in telnet

> soft_reset_halt
requesting target halt and executing a soft reset
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x600000d3 pc: 0x00000000
MMU: disabled, D-Cache: disabled, I-Cache: disabled
> load_image u-boot.bin 0xa1f00000
166504 bytes written at address 0xa1f00000
downloaded 166504 bytes in 10.175384s (15.980 KiB/s)
> resume 0xa1f00000

log from serial

U-Boot 2010.09 (Feb 15 2017 - 18:17:02)

CPU: Freescale i.MX27 at 400.168 MHz

Prodrive B.V. ED2.0
DRAM: 128 MiB
NAND: No NAND device found!!!
0 MiB
*** Warning - bad CRC or NAND, using default environment

LCD: Initializing LCD frambuffer at a1400000
LCD: 800x480, pbb 4
LCD: Drawing the logo...
In: serial
Out: serial
Err: serial

the no nand seems to be the problem

so i try

> nand list
#0: not probed

> soft_reset_halt
requesting target halt and executing a soft reset
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x200000d3 pc: 0x00000000
MMU: disabled, D-Cache: disabled, I-Cache: disabled
> nand probe 0
memory read caused data abort (address: 0xd8000e00, size: 0x2, count: 0x1)
timeout waiting for SYSCOMP & DBGACK, last DBG_STATUS: 2c5
timeout waiting for SYSCOMP & DBGACK, last DBG_STATUS: 2c5
timeout waiting for SYSCOMP & DBGACK, last DBG_STATUS: 2c5
timeout waiting for SYSCOMP & DBGACK, last DBG_STATUS: 2c5
timeout waiting for SYSCOMP & DBGACK, last DBG_STATUS: 2c5

so maybe this cant be done with a raspberry pi2

i`m open for suggestions :mrgreen:
marcelr
Global Moderator
Global Moderator
Posts: 1153
Joined: Thu May 10, 2012 10:58 pm
Location: Ehv

Re: Rooting Toon

Post by marcelr »

> soft_reset_halt
requesting target halt and executing a soft reset
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x200000d3 pc: 0x00000000
MMU: disabled, D-Cache: disabled, I-Cache: disabled
> nand probe 0
memory read caused data abort (address: 0xd8000e00, size: 0x2, count: 0x1)
timeout waiting for SYSCOMP & DBGACK, last DBG_STATUS: 2c5
timeout waiting for SYSCOMP & DBGACK, last DBG_STATUS: 2c5
timeout waiting for SYSCOMP & DBGACK, last DBG_STATUS: 2c5
timeout waiting for SYSCOMP & DBGACK, last DBG_STATUS: 2c5
timeout waiting for SYSCOMP & DBGACK, last DBG_STATUS: 2c5

so maybe this cant be done with a raspberry pi2
The raspberry pi has nothing to do with this. I had (and have) similar issues with a JLink interface.

This bit occurs every now and then: The JTAG I/O with a freescale imx27 is not very stable. What I do in these cases is the following: I try to upload the u-boot image, resume the processor without the starting address, and then soft_reset_halt it again. This gives (sometimes only after a few tries) a random number in the pc register (not 0x00000000 but something like 0x1267f34b0 or anything non-zero. As soon as this is the case, soft_reset_halt and then nand probing usually works and you can go ahead with the rest.

The U-boot image not detecting NAND is different. The ed20_config routine in ed20.cfg should set the registers of the processor such that SDRAM and NAND are configured properly (all the mww statements). If those are incorrect, the processor cannot find memory or NAND, and you're screwed. There's mention of timing issues in the openocd output. I would try and tackle these before anything else.

Could you post the serial output of a normal boot (specifically the mtd-partition configuration, uboot env,splash_image, rootfs, that part)? See if the NAND addressing has changed, although I doubt it.
balans
Starting Member
Starting Member
Posts: 26
Joined: Wed Feb 01, 2017 7:21 pm

Re: Rooting Toon

Post by balans »

Ok i`ll try to see if i can get that pc register .
i would like to note that i do not have al the jtag pins like the seggler jlink has
i`ve the GND , TCK, TMS, TDI, TDO, SRST, TRST and then the last 2 are optional i read i head to prefer the SRST instead of the TRST
but i could not get it to work with either

here`s my boot log before the halt

U-Boot 2010.09-R10 (Dec 14 2015 - 19:28:18)

CPU: Freescale i.MX27 at 400.168 MHz

Prodrive B.V. ED2.0
DRAM: 128 MiB
NAND: 128 MiB
LCD: Initializing LCD frambuffer at a1400000
LCD: 800x480, pbb 4
LCD: Drawing the logo...
In: serial
Out: serial
Err: serial
Configure for LCD: TDA-WVGA0700F00048
LCD: Initializing LCD frambuffer at a1400000
LCD: 800x480, pbb 4
LCD: Drawing the logo...
Display-bmp: 800 x 480 with 16777216 colors
Net: FEC
Warning: FEC MAC addresses don't match:
Address in SROM is 00:00:20:03:00:00
Address in environment is 00:0f:11:07:f1:9b


Enter password - autoboot in 2 sec...

NAND read: device 0 offset 0x300000, size 0x300000
3145728 bytes read: OK
## Booting kernel from Legacy Image at a1000000 ...
Image Name: Linux-2.6.36-R10-h25
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2245600 Bytes = 2.1 MiB
Load Address: a0008000
Entry Point: a0008000
Verifying Checksum ... OK
Loading Kernel Image ... OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Linux version 2.6.36-R10-h25 (jbraam@dvl) (gcc version 4.5.3 20110223 (prerelease) (GCC) ) #1 PREEMPT Tue May 24 11:41:01 CEST 2016
CPU: ARM926EJ-S [41069264] revision 4 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: Prodrive B.V ED2.0
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32512
Kernel command line: ubi.mtd=4 root=ubi0:rootfs rw rootfstype=ubifs mtdparts=mxc_nand:512K@0x00100000(u-boot-env)ro,1536K(splash-image),3M(kernel),3M(kernel-backup),119M(rootfs) console=ttymxc0,115200 mem=128M lpj=999424 lcd=TDA-WVGA0700F00048
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 128MB = 128MB total
Memory: 125536k/125536k available, 5536k reserved, 0K highmem
Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
DMA : 0xffa00000 - 0xffe00000 ( 4 MB)
vmalloc : 0xc8800000 - 0xf4000000 ( 696 MB)
lowmem : 0xc0000000 - 0xc8000000 ( 128 MB)
modules : 0xbf000000 - 0xc0000000 ( 16 MB)
.init : 0xc0008000 - 0xc0024000 ( 112 kB)
.text : 0xc0024000 - 0xc03ea000 (3864 kB)
.data : 0xc0404000 - 0xc042a5a0 ( 154 kB)
Hierarchical RCU implementation.
RCU-based detection of stalled CPUs is disabled.
Verbose stalled-CPUs detection is disabled.
NR_IRQS:272
MXC IRQ initialized
MXC GPIO hardware
Console: colour dummy device 80x30
Calibrating delay loop (skipped) preset value.. 199.88 BogoMIPS (lpj=999424)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
NET: Registered protocol family 16
Configured for LCD: TDA-WVGA0700F00048
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource mxc_timer1
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
msgmni has been set to 245
io scheduler noop registered (default)
imx-fb imx-fb.0: PreserveUBootFramebuffer(1): xres=800, yres=480 [skip _update_lcdc]
imx-fb imx-fb.0: PreserveUBootFramebuffer(2): xres=800, yres=480 [skip _update_lcdc]
Console: switching to colour frame buffer device 100x30
imx-fb imx-fb.0: fb0: DISP0 BG fb device registered successfully.
imx-fb imx-fb.0: PreserveUBootFramebuffer(3): xres=800, yres=480 [skip _update_lcdc]
imx-fb imx-fb.0: fb1: DISP0 FG fb device registered successfully.
Serial: IMX driver
imx-uart.0: ttymxc0 at MMIO 0x1000a000 (irq = 20) is a IMX
console [ttymxc0] enabled
imx-uart.1: ttymxc1 at MMIO 0x1000b000 (irq = 19) is a IMX
imx-uart.2: ttymxc2 at MMIO 0x1000c000 (irq = 18) is a IMX
NAND device: K9F1G08U0E detected, disabling sub-page writes
NAND device: Manufacturer ID: 0xec, Chip ID: 0xf1 (Samsung NAND 128MiB 3,3V 8-bit)
Scanning device for bad blocks
RedBoot partition parsing not available
5 cmdlinepart partitions found on MTD device mxc_nand
Creating 5 MTD partitions on "mxc_nand":
0x000000100000-0x000000180000 : "u-boot-env"
0x000000180000-0x000000300000 : "splash-image"
0x000000300000-0x000000600000 : "kernel"
0x000000600000-0x000000900000 : "kernel-backup"
0x000000900000-0x000008000000 : "rootfs"
UBI: attaching mtd4 to ubi0
UBI: physical eraseblock size: 131072 bytes (128 KiB)
UBI: logical eraseblock size: 126976 bytes
UBI: smallest flash I/O unit: 2048
UBI: VID header offset: 2048 (aligned 2048)
UBI: data offset: 4096
UBI: max. sequence number: 34771
UBI: attached mtd4 to ubi0
UBI: MTD device name: "rootfs"
UBI: MTD device size: 119 MiB
UBI: number of good PEBs: 952
UBI: number of bad PEBs: 0
UBI: max. allowed volumes: 128
UBI: wear-leveling threshold: 4096
UBI: number of internal volumes: 1
UBI: number of user volumes: 1
UBI: available PEBs: 0
UBI: total number of reserved PEBs: 952
UBI: number of PEBs reserved for bad PEB handling: 9
UBI: max/mean erase counter: 118/36
UBI: image sequence number: 620272818
UBI: background thread "ubi_bgt0d" started, PID 319
at25 spi0.0: 32 KByte at25640B eeprom, pagesize 64
spi_imx spi_imx.0: probed
FEC Ethernet Driver
fec_enet_mii_bus: probed
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver

eureka got somewhere

pi@raspberrypi:~/openocd-0.9.0 $ telnet localhost 4444
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> soft_reset_halt
requesting target halt and executing a soft reset
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x000000d3 pc: 0x00000000
MMU: disabled, D-Cache: disabled, I-Cache: disabled
> reset halt
JTAG tap: imx27.etb tap/device found: 0x1b900f0f (mfg: 0x787, part: 0xb900, ver: 0x1)
JTAG tap: imx27.cpu tap/device found: 0x07926121 (mfg: 0x090, part: 0x7926, ver: 0x0)
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x20000093 pc: 0xc014316c
MMU: disabled, D-Cache: disabled, I-Cache: disabled
srst pulls trst - can not reset into halted mode. Issuing halt after reset.
NOTE! Severe performance degradation without fast memory access enabled. Type 'help fast'.
> load_image u-boot.bin 0xa1f00000
166504 bytes written at address 0xa1f00000
downloaded 166504 bytes in 9.972180s (16.306 KiB/s)
> resume 0xa1f00000

i tried this sequence multiple times and this seems to work for my raspberry setup notice the reset halt
that one gave me the right registers i quess
marcelr
Global Moderator
Global Moderator
Posts: 1153
Joined: Thu May 10, 2012 10:58 pm
Location: Ehv

Re: Rooting Toon

Post by marcelr »

From the imx27 cfg file:

Code: Select all

reset_config trst_and_srst srst_pulls_trst
Which would mean that toon's processor needs both srst and trst.
If you can get to the point that you can actually probe the nand chip

Code: Select all

nand probe 0
and get sensible output:
NAND flash device 'NAND 128MiB 3.3V 8-bit (Samsung)' found

your JTAG connection should be OK.

If you then still experience problems loading and resuming, there's another way to get in, by flashing a bootloader image (which is different from the bootloader binary I uploaded) to toon. However, this is more or less a last resort, would try to get in through the software first.
balans
Starting Member
Starting Member
Posts: 26
Joined: Wed Feb 01, 2017 7:21 pm

Re: Rooting Toon

Post by balans »

well like i said when after the soft_reset_halt i give a reset halt al turns up fine like you mentioned in earlier messages

i get cpsr: 0x20000093 pc: 0xc014316c

instead of

cpsr: 0x000000d3 pc: 0x00000000 with only a soft_reset_halt

and from there i can nand probe 0 , but that was not nessecary
load_image u-boot.bin 0xa1f00000
resume 0xa1f00000
and then quickly to the serial to enter the password and follow you guidelines to further root
one hacked toon with series 16 is showing in front of me
a big thnx
and read and fiddle some more arround
R0cc0
Starting Member
Starting Member
Posts: 5
Joined: Thu Oct 29, 2015 11:53 am

Re: Rooting Toon

Post by R0cc0 »

I was successful in rooting my Toon using the instructions on the forum.
Everything seems to work OK and I'm able to connect (for example) through http://192.168.1.124:10080/happ_thermst ... mostatInfo

I am now trying to connect to Toon with SSH but that doesn't seem to work. It is just as if there is no SSH deamon running?
When I run netstat on Toon, there is nothing listening on port 22. (i did open the port in the firewall)
Do I manually need to install SSH?

What is possibly related is that I can't download any packages (like Dropbear) using an httpS link.
The response I get is: HTTPS support not compiled in.

Am I missing something here?

U-Boot 2010.09-R6 (Mar 14 2012 - 11:15:10)
Linux version 2.6.36-R10-h25 (jbraam@dvl) (gcc version 4.5.3 20110223 (prerelease) (GCC) ) #1 PREEMPT Tue May 24 11:41:01 CEST 2016
CPU: ARM926EJ-S [41069264] revision 4 (ARMv5TEJ), cr=00053177
marcelr
Global Moderator
Global Moderator
Posts: 1153
Joined: Thu May 10, 2012 10:58 pm
Location: Ehv

Re: Rooting Toon

Post by marcelr »

Do I manually need to install SSH?
Yes, get it here:

http://domoticaforum.eu/download/file.php?id=2987

(omit the s from the URL)
Or set up your own web server.
Marijn
Starting Member
Starting Member
Posts: 40
Joined: Wed Jul 03, 2013 8:13 pm

Rooting Toon

Post by Marijn »

Toonz wrote:great work. I used my Raspberry Pi for the rooting process. I believe there are also JTAG pins on the GPIO block but have never used JTAG before. Anyway, do the newer Toons have better hardware or just an updated bootloader?
How does this work? I don't have a JTAG interface but I have a pi.
On internet I found an option via GPIO pins and via ethernet.
Unfortunatly I don't have experience with JTAG at all.

Last but not least which steps can be skipped (for an early Toon)from the rooting instructions.
marcelr
Global Moderator
Global Moderator
Posts: 1153
Joined: Thu May 10, 2012 10:58 pm
Location: Ehv

Re: Rooting Toon

Post by marcelr »

For an earlier toon (boot loader version 2010.9-R8 or earlier), you don't need JTAG access. A 3.3V serial interface will do.
You still need to start at the top of the manual, and work your way through. The parts on JTAG/screwdrivers etc. can be skipped.
Marijn
Starting Member
Starting Member
Posts: 40
Joined: Wed Jul 03, 2013 8:13 pm

Re: Rooting Toon

Post by Marijn »

@marcelr thanks for the fast reply, I skip the JTAG stuff [emoji1303]
Post Reply

Return to “Toon Rooting”