err4o4 / spotify-car-thing-reverse-engineering

426 stars 4 forks

Similar to Radxa Zero ? #7

Open bishopdynamics opened 2 years ago

bishopdynamics commented 2 years ago

The Radxa Zero uses an Amlogic S905Y2, and I wonder if some of the development information is applicable? For example, check out this page about maskrom, which mentions the same 1b8e:c003 Amlogic, Inc. GX-CHIP device just like the Car Thing does when you hold the 4 buttons.

I wonder if this is a way we could sideload our own binaries, kind of like using fastboot to boot a recovery image on an android device.

null-dev commented 2 years ago

This sounds like it has potential so I tried following the instructions on the maskrom page, however I ran into difficulties.

The "RZ USB Boot Helper" program is able to detect the Car Thing, however when I try to flash anything, it just gets stuck. It outputs the following log:

----------  start run  ----------
Firmware Version:
ROM: 3.2 Stage: 0.0
Need Password: 0 Password OK: 1
Writing C:/Users/null-dev/Desktop/Software/RZ_USB_Boot_Helper_V1.0.0/rz-fastboot-loader.bin at 0xfffa0000...
[DONE]
Running at 0xfffa0000...
[DONE]

The device doesn't switch into fastboot mode either.

I also tried flashing rz-udisk-loader.bin but it did the exact same thing.
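The log above shows the whole maskrom conversation the RZ helper has with the ROM: identify the device, write an image to 0xfffa0000, tell the ROM to run it. The script below is an added example (not code from this thread, from pyamlboot or from any Car Thing repository) of the same flow with one extra check the helper does not do: it re-identifies the device after the jump, so a ROM that silently refused the image can be told apart from one that actually started it. Assumptions, also marked in the code: pyamlboot's `AmlogicSoC` exposes `identify()`, `writeLargeMemory(addr, data)` and `run(addr)` under those names; the first six bytes of the identify reply are ROM major/minor, stage major/minor, need-password and password-ok (the layout that yields the "ROM: 3.2 Stage: 0.0 / Need Password: 0 Password OK: 1" lines above); and a BL2 that the ROM accepted answers with a different stage value. `FakeSoc` is a constructed stand-in so the flow can be exercised without hardware.

```python
"""Maskrom load-and-run flow against an Amlogic G12A-class SoC over USB.

Added example; not code from this issue thread, from pyamlboot or from any
Car Thing repository. Anything marked ASSUMPTION is not taken from the thread.
"""
import time

# Address the thread loads into; the RZ helper log shows the same value.
LOAD_ADDR = 0xFFFA0000
# USB VID:PID the Car Thing enumerates with when the 4 buttons are held.
MASKROM_VID_PID = (0x1B8E, 0xC003)


def decode_identify(raw):
    """Decode the reply to the ROM's IDENTIFY request.

    ASSUMPTION: bytes 0-1 are the ROM version, 2-3 the stage, 4 need-password,
    5 password-ok; that layout produces the lines the RZ helper printed.
    """
    b = bytes(raw)
    if len(b) < 6:
        raise ValueError("identify reply too short: %r" % (b,))
    return {
        "rom": (b[0], b[1]),
        "stage": (b[2], b[3]),
        "need_password": bool(b[4]),
        "password_ok": bool(b[5]),
    }


def format_identify(info):
    """Render an identify dict the way the RZ helper log prints it."""
    return "ROM: %d.%d Stage: %d.%d Need Password: %d Password OK: %d" % (
        info["rom"] + info["stage"] + (info["need_password"], info["password_ok"]))


def load_and_run(soc, image, load_addr=LOAD_ADDR, settle=2.0, sleep=time.sleep):
    """Write `image` to `load_addr`, jump to it, then identify the device again.

    `soc` must provide identify(), writeLargeMemory(addr, data) and run(addr).
    ASSUMPTION: those are pyamlboot.AmlogicSoC's method names.
    Returns (before, after) identify dicts so the caller can see whether the
    jump actually took effect instead of trusting a [DONE] from the transfer.
    """
    before = decode_identify(soc.identify())
    if before["need_password"] and not before["password_ok"]:
        raise RuntimeError("ROM demands a password; refusing to load anything")
    if before["stage"] != (0, 0):
        raise RuntimeError("device is not in ROM stage: %s" % format_identify(before))
    soc.writeLargeMemory(load_addr, image)
    soc.run(load_addr)
    sleep(settle)  # give the loaded code time to take over the USB endpoint
    after = decode_identify(soc.identify())
    return before, after


def jump_took_effect(before, after):
    """True when whatever now answers IDENTIFY reports a different stage.

    ASSUMPTION: a BL2 the ROM accepted and started reports a non-zero stage,
    while a ROM that rejected the image keeps answering 'Stage: 0.0' even
    though the USB write and run requests both completed.
    """
    return after["stage"] != before["stage"]


class FakeSoc:
    """Constructed stand-in for the USB transport so the flow runs offline."""

    def __init__(self, ident, ident_after_run=None):
        self._ident = bytes(ident)
        self._after = ident_after_run
        self.writes = []
        self.runs = []

    def identify(self):
        return self._ident

    def writeLargeMemory(self, addr, data):
        self.writes.append((addr, bytes(data)))

    def run(self, addr):
        self.runs.append(addr)
        if self._after is not None:  # emulate BL2 taking over the endpoint
            self._ident = bytes(self._after)


if __name__ == "__main__":
    import sys
    try:
        from pyamlboot import pyamlboot  # ASSUMPTION: module and class names
        soc = pyamlboot.AmlogicSoC()
    except ImportError:
        sys.exit("pyamlboot not installed; exercise FakeSoc instead")
    with open(sys.argv[1], "rb") as f:
        image = f.read()
    before, after = load_and_run(soc, image)
    print(format_identify(before))
    print(format_identify(after))
    print("jump took effect" if jump_took_effect(before, after) else "still in ROM")
```

The reason for returning both identify results is that the helper's `[DONE]` only confirms the USB requests completed; whether the ROM executed what it was handed only shows up in the reply afterwards, or on the UART.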

bishopdynamics commented 2 years ago

I had the same experience. With a serial console hooked up, you get a message like "CHK:1F;#" and I think that is a signature check error, but that's just a guess.

My interpretation is that the tools may be useful, but we still need to build our own image to boot, which matches the specific hardware of the Car Thing and is properly signed. Hopefully 0xfffa0000 is still the right address to load into, for this particular variation of the SoC.

I've been trying to build uboot from here, using superbird_production but I've been having a lot of trouble getting it to build. I'm just not particularly familiar with cross-compiling and gcc to troubleshoot it.

The makefile suggests the toolchain "gcc-linaro-aarch64-none-elf-4.8-2013.11_linux/bin/aarch64-none-elf-", which I found here

I tried loosely following instructions from here to build it in a container (swapping LXC for docker), but I ran into errors that I don't know enough to troubleshoot.

I will clean up and upload what I have to the repo today, maybe someone else will spot what I missed

bishopdynamics commented 2 years ago

I made a tiny bit more progress! I successfully built u-boot for superbird, but now we just need to find the right set of firmware blobs to assemble with it, for this hardware. The container and script I have right now can build and assemble it all, but it does so using the gxl firmware blobs, and not the g12a ones, so it does not actually work.

Still, it's a place to start

https://github.com/bishopdynamics/spotify-car-thing_uboot_builder

bishopdynamics commented 2 years ago

I found an article where they dumped amlogic bootrom from S905D3 by building a little bl2 binary and sideloading, using similar tools.

That article also led me to this repo which has the fip/g12a folder I was looking for. It looks like some additional steps are needed to produce the binaries needed, but still a starting point, and it includes aml_encrypt_g12a which is critical.

I will keep digging into this, see if I can get something to boot

jja2000 commented 2 years ago

Hi! Haven't been able to pick up a Car Thing for now since I'm on a different continent, but I've been doing some preliminary research.

Looked around a bit at linux-meson's site for useful tools and found this https://gitlab.com/baylibre/amlogic/amlogic-boot-fip/-/tree/master/ which links to https://github.com/angerman/meson64-tools

If we're in some way able to get the firmware used for the G12A from the dump in the other issue thread it might be possible to get some kernel uart output.

bishopdynamics commented 2 years ago

@jja2000 I actually just found those meson64-tools, I also found some more fip binaries, including for board u200, which I believe is the reference development board for the S905D2.

I've updated my repo (linked earlier) to use the u200 blobs, and it all builds and packages just fine, but still does not boot.

jja2000 commented 2 years ago

> @jja2000 I actually just found those meson64-tools, I also found some more fip binaries, including for board u200, which I believe is the reference development board for the S905D2.

xdarklight on #linux-meson@libera.chat mentioned that FIP files could be board dependent so proceed with caution (I'd suggest joining that chat by the way so you can ask direct questions).

> I've updated my repo (linked earlier) to use the u200 blobs, and it all builds and packages just fine, but still does not boot.

What problem or error are you running into? Is it that checksum error from an earlier try?

bishopdynamics commented 2 years ago

Yeah, the same CHK:1F;# at the serial console when I try to boot the image using boot-g12.py. I will jump on that channel, thanks for that!

chewitt commented 2 years ago

You can read https://u-boot.readthedocs.io/en/latest/board/amlogic/pre-generated-fip.html to understand more about the files used in the u-boot signing process (which I have been collecting in https://github.com/LibreELEC/amlogic-boot-fip for use with LibreELEC/Armbian and any other distro that needs repeatable packaging for buildsystems). The u-boot docs also have info on boot flow.

In short, the fileset is standardised except for the acs.bin file which contains DDR ram timings; which are frequently tweaked by manufacturers to account for binning and which effectively makes each FIP fileset unique to a specific board, although there are occasional exceptions, and bl301.bin which contains the power management and boot changes the manufacturer has made. Amlogic's BSP supports A/B updates so that's nothing particularly exotic, although most info you'll find/read on Amlogic boot is for Android TV boxes which never implement it so documented examples of it are scarce. The SEI510 device in u-boot documentation may be a good device to read up on https://u-boot.readthedocs.io/en/latest/board/amlogic/sei510.html since it's a Google TV dongle based on S905X2 so a similar use-case. This site https://fredericb.info/ also has some fun reading on breaking into similar Google devices.

This repo has some useful things related to dumping the RAM timing data from an SM1 board which should be applicable https://github.com/hexdump0815/u-boot-misc since SM1 is a minor evolution from the G12A platform. You can find the author lurking as hexdump in the linux-amlogic IRC channel.

The one thing that's unclear from this repo is what the objective of breaking the devices is? - run other Android apps, or to switch to an alternative OS, or? .. knowing that might help other people to help.

quentinhayot commented 2 years ago

> Hi! Haven't been able to pick up a Car Thing for now since I'm on a different continent, but I've been doing some preliminary research.

@jja2000 I'm about to order a couple of Things just in case you guys make something awesome out of it. I'm in France but will have them deliver at a friend's in LA who comes in Europe frequently. Are you in Europe and do you want one? I'm placing my order in a few hours.

jja2000 commented 2 years ago

> > Hi! Haven't been able to pick up a Car Thing for now since I'm on a different continent, but I've been doing some preliminary research.
>
> @jja2000 I'm about to order a couple of Things just in case you guys make something awesome out of it. I'm in France but will have them deliver at a friend's in LA who comes in Europe frequently. Are you in Europe and do you want one? I'm placing my order in a few hours.

Thank you for the offer! But I have my own proxy and it would be cheaper due to the shipping of France to the Netherlands.

everettperiman commented 2 years ago

@bishopdynamics the linked article is super interesting. Have you gotten a chance to boot the device into the boot loader mode as referenced in #3? There might be a path forward with watching the UART shells while it's in that loader mode as mentioned in the article.