
Exploring the bootloader

A project log for Manhattan SX - Hacking a low cost DVB-S2 receiver

UART hacking a low cost DVB-S2 receiver box based on MStar MIPS32 chipset

sphaleron 09/28/2023 at 11:48, 0 Comments

From the U-boot shell prompt we can explore the command options available to us using the help command. There is a lot for us to explore:

kiwi# help
?       - alias for 'help'
CmdPerformanceTest- gettime   - Get the system executing time

ac      - set a new config to the bootargs

base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootargs_set- Set info exchange and set to boot args. 
bootcheck- bootcheck   - Do boot check

bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
checkfile- check file exist in u disk,and set the partition.
checkstr- check_str_resume

cleanallenv- cleanall environment variables to persistent storage
cmp     - memory compare
config2env- Set config to environment.
config_raw_io- Config the target device for raw I/O
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
custar  - do usb update from the specified file that is in usb.

dbg     - set debug message level. Default level is INFO
dc      - delete the specific cofig that is in the bootargs

delay   - delay time, time unit is ms

dhcp    - boot image via network using DHCP/TFTP protocol
du      - du  - Disable UART

ebist   - PHY loopback test
echo    - echo args to console
editenv - edit environment variable
edump   - EMAC Register settings dump
eloopback- Long loopback test
env     - environment handling commands
epd     - emac power down
estart  - EMAC start
ewavetest- EMAC wave test
exit    - exit script
false   - do nothing, unsuccessfully
fatfilesize- fatfilesize - load binary file from a dos filesystem

fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
fatpartload- fatpartload - load binary file from a dos filesystem

fatwrite- fatwrite - write binary file to a dos filesystem

filelist- Dump the file list.

filelisttest- This command is only for file list test

filepartload- load part of a file to RAM
get_mmap- get memory info from supernova's mmap
gettime - gettime   - Get the system executing time

go      - start application at address 'addr'
gpio    - GPIO Command:
help    - print command description/usage
if_boot_to_pm- if boot to PM

iminfo  - print header information for application image
imxtract- extract a part of a multi-image
initDbgLevel- Initial varaible 'dbgLevel' 
init_raw_io- init raw_io module
itest   - return true/false on integer compare
kernelProtect- kernelProtect  - Protect kernel

kernelProtectBist- kernelProtectBist  - Protect kernel bist

led     - See led commands
loadb   - load binary file over serial line (kermit mode)
loadenv - loadenv   - load env for nand 

loads   - load S-Record file over serial line
loadspi - load data from SPI
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
m2e     - Restore the address and len to env from supernova's mmap

macaddr - setup EMAC MAC addr
mbup    - mboot upgrade

md      - memory display
memtest - Get the performance of memory
miuProtect- miuProtect  - Protect miu

mm      - memory modify (auto-incrementing address)
mscompress7- Compress or decompress lzma files
msg     - print string - msg [string]

mstar   - update kernal & root file system automatically by script file
mtest   - simple RAM read/write test
mversion- show changelist - mversion 

mw      - memory write (fill)
nm      - memory modify (constant address)
nuttxProtect- nuttx Protect  - Protect nuttx

ota_zip_check- do OTA zip package check.

ping    - send ICMP ECHO_REQUEST to network host
pm51    - pm51 command: pm51 [option]

pmProtect- runtime pm Protect  - Protect runtime PM

pop_raw_io_config- pop raw_io last config
printenv- print environment variables
push_raw_io_config- push raw_io current config
raw_io_status- get raw_io status
raw_read- Read the raw datas that store in the target device
Yo have to execute 'config_raw_io' before using this cmd

raw_write- Write the raw datas that store in the target deviceYo have to execute 'config_raw_io' before using this cmd

recovery_wipe_partition- do recovery wipe data or cache.

reset   - Perform RESET of the CPU
riu     - riu  - riu command

run     - run commands in an environment variable
sar     - sar Command:
saveenv - save environment variables to persistent storage
setenv  - set environment variables
showtb  - Show register command table.    -  showtb [stage]

showvar - print local hushshell variables
showversion- Show version
sleep   - delay execution for some time
source  - run script from memory
spi     - See SPI commands
spi2usb - Read data from spi to usb
spi_rdc - spi_rdc - SPI read code from SPI flash to DRAM

spi_wrc - spi_wrc - SPI write code from DRAM to SPI flash

test    - minimal test like /bin/sh
testmode- set testmode into bootargs.
tftpboot- boot image via network using TFTP protocol
true    - do nothing, successfully
udstar  - Execute the script file that is stored in usb disk

unlockcmi- unlock cmi transfer board   -  unlock

update_mode- get/set update_mode 

updatemiureg- Call driver to update miu setting
usb     - USB sub-system
usb2spi - write data from usb to spi
usb_bin_check- do usb bin document check.

usbboot - boot from USB device
ustar   - ustar   - update kernal & root file system automatically by script file

version - print monitor, compiler and linker version
wdt_enable- wdt_enable n - set Watchdog timer to n secs

Looking at the version information we can confirm that this is U-boot 2011.06 running on a MIPS platform, built with the Sourcery G++ Lite MIPS toolchain:

kiwi# version

U-Boot 2011.06-svn565 (Mar 01 2018 - 21:27:50)
mips-linux-gnu-gcc (Sourcery G++ Lite 4.3-51) 4.3.2
GNU ld (Sourcery G++ Lite 4.3-51) 2.18.50.20080215

Running bdinfo we can see that 256MiB of RAM (memsize = 0x10000000) is mapped onto the virtual address range 0x80000000 to 0x8FFFFFFF. We can peek into this address space using the md command. Peeking into any address outside of this range (certainly the addresses I've tried) causes the board to crash.

kiwi# bdinfo
boot_params = 0x88492E00
memstart    = 0x80000000
memsize     = 0x10000000
flashstart  = 0x00000000
flashsize   = 0xDEADBEEF
flashoffset = 0x00000000
ethaddr     = (not set)
ip_addr     = 87E52D7CI4
baudrate    = 115200 bps

The flash information is clearly garbage, perhaps meant to be a decoy. Aside from the amusing hexspeak, the flash is only 16MiB in size, so flashsize=0xDEADBEEF is nonsense. Without a datasheet for this SoC it is difficult to understand the full memory map: there must be boot-ROM code somewhere, as well as various hardware registers, but all we know so far is where the RAM resides. We don't yet know what the reset vector is.

Running printenv shows the U-boot environment variables:

kiwi# printenv
UARTOnOff=on
baudrate=115200
bootcmd=if mmc rescan ${mmcdev}; then if run loadbootscript; then run bootscript; else if run loaduimage; then run mmcboot; fi; fi; fi
bootdelay=0
bootscript=echo Running bootscript from mmc${mmcdev} ...; source ${loadaddr}
console=ttyS2,115200n8
loadaddr=0x82000000
loadbootscript=fatload mmc ${mmcdev} ${loadaddr} boot.scr
loaduimage=fatload mmc ${mmcdev} ${loadaddr} uImage
mmcargs=setenv bootargs console=${console} vram=${vram} root=${mmcroot} rootfstype=${mmcrootfstype}
mmcboot=echo Booting from mmc${mmcdev} ...; run mmcargs; bootm ${loadaddr}
mmcdev=0
mmcroot=/dev/mmcblk0p2 rw
mmcrootfstype=ext3 rootwait
osd_language=English
stderr=serial
stdin=serial
stdout=serial
ubispeedup=UBI
usbtty=cdc_acm
vram=16M

Environment size: 788/65532 bytes

Once again the information here is misleading. The bootcmd is wrapped in an if statement that requires mmc rescan 0 to succeed before the boot script or kernel image is loaded. Since mmc is not a valid command on this build (it does not appear in the help listing above) that condition can never be satisfied, and bootcmd contains no fallback for the case where it fails. Furthermore, there is no MMC/SD hardware on this board, so loading from an MMC/SD based file system is not possible in any case. Clearly U-boot is booting something, so one must presume there is a hardcoded alternative boot command somewhere in the binary and that this bootcmd environment variable is either another decoy or a remnant from a previous development version.
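As an added example (not part of the project log), here is a small script that audits bootcmd the way we just did by hand: it expands the ${var} references as hush would, follows run into the variables it names, and reports every leading command word that is absent from the names printed by help. The environment and the help subset below are constructed from the listings above.

```python
import re

# Constructed from the printenv output above (only the variables bootcmd reaches).
PRINTENV = """\
bootcmd=if mmc rescan ${mmcdev}; then if run loadbootscript; then run bootscript; else if run loaduimage; then run mmcboot; fi; fi; fi
bootscript=echo Running bootscript from mmc${mmcdev} ...; source ${loadaddr}
console=ttyS2,115200n8
loadaddr=0x82000000
loadbootscript=fatload mmc ${mmcdev} ${loadaddr} boot.scr
loaduimage=fatload mmc ${mmcdev} ${loadaddr} uImage
mmcargs=setenv bootargs console=${console} vram=${vram} root=${mmcroot} rootfstype=${mmcrootfstype}
mmcboot=echo Booting from mmc${mmcdev} ...; run mmcargs; bootm ${loadaddr}
mmcdev=0
mmcroot=/dev/mmcblk0p2 rw
mmcrootfstype=ext3 rootwait
vram=16M
"""

# Constructed subset of the command names listed by `help` on this box.
HELP_COMMANDS = {"bootm", "echo", "fatload", "run", "setenv", "source", "usb", "go", "md"}
HUSH_KEYWORDS = {"if", "then", "else", "fi", "do", "done", "while", "for", "in"}

def parse_env(text):
    """Turn printenv output into a dict of variable name -> raw value."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def expand(value, env, depth=0):
    """Expand ${var} references recursively, with a depth bound against cycles."""
    if depth > 8:
        return value
    return re.sub(r"\$\{(\w+)\}", lambda m: expand(env.get(m.group(1), ""), env, depth + 1), value)

def commands_in(script, env, seen=None):
    """Collect the leading command word of every statement reachable from a hush script."""
    seen = set() if seen is None else seen
    found = set()
    for stmt in re.split(r"[;\n]", expand(script, env)):
        words = stmt.split()
        while words and words[0] in HUSH_KEYWORDS:  # skip if/then/else/fi prefixes
            words = words[1:]
        if not words:
            continue
        found.add(words[0])
        if words[0] == "run":  # `run var` executes the script stored in var
            for var in words[1:]:
                if var in env and var not in seen:
                    seen.add(var)
                    found |= commands_in(env[var], env, seen)
    return found

def missing_commands(printenv_text, help_commands):
    """Commands that bootcmd would invoke but that this U-Boot build does not provide."""
    env = parse_env(printenv_text)
    return sorted(commands_in(env["bootcmd"], env) - help_commands)
```

Running missing_commands(PRINTENV, HELP_COMMANDS) names mmc as the only unavailable command, which is exactly why this bootcmd can never reach its bootm.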

Last updated 27th Oct 2023
