On examination of the help output there is a dbg command that can be used to set the debug message level:

kiwi# help
....
dbg - set debug message level. Default level is INFO

The default level is INFO. We can use this command to change how much feedback the terminal gives while commands execute. Let's set it to DEBUG, the highest level of detail:

kiwi# dbg DEBUG
Saving Environment to SPI Flash...
Write addr=0x00FE0000, size=0x00010000
block erase
Write addr=0x00FF0000, size=0x00010000
block erase
The dbg command works by changing an environment variable, and the environment is stored on the SPI flash, so the change persists across reboots. The flash addresses reported in the write messages are where the environment lives, which will be helpful when we later analyze our firmware flash dump. We can confirm the change by running the printenv command:

kiwi# printenv
UARTOnOff=on
baudrate=115200
bootcmd=if mmc rescan ${mmcdev}; then if run loadbootscript; then run bootscript; else if run loaduimage; then run mmcboot; fi; fi; fi
bootdelay=0
bootscript=echo Running bootscript from mmc${mmcdev} ...; source ${loadaddr}
console=ttyS2,115200n8
dbgLevel=DEBUG
loadaddr=0x82000000
loadbootscript=fatload mmc ${mmcdev} ${loadaddr} boot.scr
loaduimage=fatload mmc ${mmcdev} ${loadaddr} uImage
mmcargs=setenv bootargs console=${console} vram=${vram} root=${mmcroot} rootfstype=${mmcrootfstype}
mmcboot=echo Booting from mmc${mmcdev} ...; run mmcargs; bootm ${loadaddr}
mmcdev=0
mmcroot=/dev/mmcblk0p2 rw
mmcrootfstype=ext3 rootwait
osd_language=English
stderr=serial
stdin=serial
stdout=serial
ubispeedup=UBI
usbtty=cdc_acm
vram=16M

Environment size: 805/65532 bytes
A new variable, dbgLevel=DEBUG, has been added to the environment.
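To make the environment block written at 0xFE0000 easy to locate and check in a flash dump later, here is an added example (not the project's code) that builds and parses a block in the standard U-Boot layout: a 4-byte little-endian CRC32 over the rest of the 64 KiB block, followed by sorted NUL-separated key=value entries ending in an empty string. The 4-byte header and zero padding are assumptions; the 65532 in the printenv footer is the block size minus that 4-byte CRC.

```python
import binascii
import struct

ENV_SIZE = 0x10000             # one 64 KiB block, matching the size=0x00010000 writes above
CRC_LEN = 4                    # assumed header: little-endian CRC32 only, no redundancy flag byte

# Constructed sample: a subset of the variables printenv listed above.
SAMPLE_VARS = {
    "baudrate": "115200",
    "bootdelay": "0",
    "dbgLevel": "DEBUG",
    "loadaddr": "0x82000000",
    "mmcroot": "/dev/mmcblk0p2 rw",
}

def build_env(env: dict, size: int = ENV_SIZE) -> bytes:
    """Serialise sorted key=value entries, NUL-separated, double-NUL terminated, zero-padded (assumed)."""
    body = b"".join(f"{k}={v}".encode() + b"\0" for k, v in sorted(env.items())) + b"\0"
    if len(body) > size - CRC_LEN:
        raise ValueError("environment does not fit in one flash block")
    data = body.ljust(size - CRC_LEN, b"\0")
    return struct.pack("<I", binascii.crc32(data)) + data

def parse_env(blob: bytes):
    """Return (crc_ok, variables, used_bytes) for a raw env block cut from a flash dump."""
    stored = struct.unpack_from("<I", blob, 0)[0]
    data = blob[CRC_LEN:]
    crc_ok = stored == binascii.crc32(data)   # U-Boot falls back to its default env on mismatch
    env, pos = {}, 0
    while pos < len(data) and data[pos] != 0:  # the entry list ends at an empty string
        end = data.index(b"\0", pos)
        key, _, value = data[pos:end].decode(errors="replace").partition("=")
        env[key] = value
        pos = end + 1
    return crc_ok, env, pos + 1                # +1 for the terminating NUL
```

The CRC is an integrity check only, so a dump whose block parses with crc_ok false has been modified or corrupted since U-Boot last saved it.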
Let's reset the unit and allow the normal boot process to proceed so we can review the debug level output:
UART_115200
AC_FLOW
[23456789A][23456789A][3456789AB][3456789AB]-6677
BST-OK_RAM[AT][MB][start ub][677]

U-Boot 2011.06-svn565 (Mar 01 2018 - 21:27:50)
MBOT-1106-0.8.KANO_TEE_NAND.a1
DRAM: 256 MiB
Hello U-Boot
Stack Pointer at: 87E52E00
mem initial, start 0x86DD0180, len 0x420000
msIR_Initialize
[MIU INFO] miu opencreate instance at 86FE7288 with private size 80 bytes at 86FE72D0
SPI: Flash is detected (0x0C05, 0xC8, 0x40, 0x18)
MDrv_SERFLASH_GetInfo() u32AccessWidth = 1 u32TotalSize = 16777216 u32SecNum = 256 u32SecSize = 65536
create instance at 86FE7328 with private size 48 bytes at 86FE7370
uboot held at [8F000000~90000000]
Now running in RAM - U-Boot at: 871F0180
In: serial
Out: serial
Err: serial
Net: No ethernet found.
Set MAC default MAC: 0x0: 0x30: 0x1B: 0xBA:0x2: 0xDB
[AT][MB][initDbgLevel][779]_end
[TRACE] getNextCmd IN
[DEBUG] getNextCmd:159: This is the last cmd
[TRACE] MsDrv_GetMIUSize IN
[TRACE] MsDrv_GetMIUSize OK
[TRACE] MsDrv_GetMIUSize IN
[TRACE] MsDrv_GetMIUSize OK
[TRACE] MsDrv_GetMIUSize IN
[TRACE] MsDrv_GetMIUSize OK
Hit any key to stop autoboot: 0
[TRACE] do_spi_rdc IN
offset 0x2E0000, size 0x10000
[TRACE] _spi_rdc IN
[DEBUG] _spi_rdc:768: dram_addr=0x80700000
[DEBUG] _spi_rdc:769: flash_addr=0x2E0000
[DEBUG] _spi_rdc:770: len=0x10000
Flash is detected (0x0C05, 0xC8, 0x40, 0x18)
initialization done!
[DEBUG] _spi_rdc:799: Start read 10000 data from serial device...
[TRACE] do_spi_rdc OK
ERR>Invalid Ldr Sign
ERR>Reading LDR sign from backup
[TRACE] do_spi_rdc IN
offset 0x80000, size 0x10000
[TRACE] _spi_rdc IN
[DEBUG] _spi_rdc:768: dram_addr=0x80700000
[DEBUG] _spi_rdc:769: flash_addr=0x80000
[DEBUG] _spi_rdc:770: len=0x10000
[DEBUG] _spi_rdc:799: Start read 10000 data from serial device...
[TRACE] do_spi_rdc OK
**********************LOADER_INFO*********************
@DF.0 #1.0 $1.0 ^1.5 *17
************************************************************
SSS eLOADER 21:28:06 Mar 1 2018
************************************************************
CPS SZE[1740]
MAIN.C 2484> Checking for key sequence...
enInvokemode:0
M.c 712> USB_(0)
Check USB port[0]:
[USB] usb_lowlevel_init++
[USB] USB EHCI LIB VER: 2014.10.02
[USB] Port 0 is Enabled
[USB] TV_usb_init (UTMI Init) ++
[USB] UTMI Base BF207500
[USB] UHC Base BF204800
[USB] USBC Base BF200E00
[USB] BC Base BF240A00
[USB] TV_usb_init--
[USB] Usb_host_Init++
[USB] Async base addr: 0xA7E1A100
[USB] Reg 0x28: 0xA100 0xA7E1
[USB] disable run
[USB] Host Speed:2
[USB] enable aynch
[USB] Usb_host_Init--
[USB] FAILED
[USB] usb_lowlevel_init--[0]
scanning bus for devices...
[USB] control1 max:40
[USB] interface[0] conf:1 value FF:
1 USB Device(s) found
M.c 716>USB_0_Init_Success
[TRACE] do_spi_rdc IN
offset 0xDC0000, size 0x10000
[TRACE] _spi_rdc IN
[DEBUG] _spi_rdc:768: dram_addr=0x80600000
[DEBUG] _spi_rdc:769: flash_addr=0xDC0000
[DEBUG] _spi_rdc:770: len=0x10000
[DEBUG] _spi_rdc:799: Start read 10000 data from serial device...
[TRACE] do_spi_rdc OK
Marker read success
Marker [0xFFFFFFFF] mode[0]
Jumping to Application...
MsBoot.c E-1174>APP CRC Check..!!
[TRACE] do_spi_rdc IN
offset 0x2E8000, size 0x8000
[TRACE] _spi_rdc IN
[DEBUG] _spi_rdc:768: dram_addr=0x80900000
[DEBUG] _spi_rdc:769: flash_addr=0x2E8000
[DEBUG] _spi_rdc:770: len=0x8000
[DEBUG] _spi_rdc:799: Start read 8000 data from serial device...
[TRACE] do_spi_rdc OK
[TRACE] do_spi_rdc IN
offset 0x300000, size 0x4B29FC
[TRACE] _spi_rdc IN
[DEBUG] _spi_rdc:768: dram_addr=0x81100000
[DEBUG] _spi_rdc:769: flash_addr=0x300000
[DEBUG] _spi_rdc:770: len=0x4B29FC
[DEBUG] _spi_rdc:799: Start read 4B29FC data from serial device...
[TRACE] do_spi_rdc OK
APP CRC Success...
[TRACE] _spi_rdc IN
[DEBUG] _spi_rdc:768: dram_addr=0x81100000
[DEBUG] _spi_rdc:769: flash_addr=0x300000
[DEBUG] _spi_rdc:770: len=0x700000
[DEBUG] _spi_rdc:799: Start read 700000 data from serial device...
Decompression OK!
MSBOOT.C 1196-E> Decompression OK[Go]
disable interrupts
## Starting application at 0x80000224 ...
We can now see much more detail about how the loader moves data from flash to RAM with the spi_rdc command: each transfer logs its offset and size in flash and its destination address in RAM. This will be helpful in the later firmware analysis and in working out how we might intercept this process to boot a custom OS.
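Turning that DEBUG output into a flash map, as an added example that is not part of the project: it pulls the dram_addr/flash_addr/len triples that _spi_rdc logs out of a saved boot log and carves those regions from a full 16 MiB dump, which is the bookkeeping the later firmware analysis needs. The sample log lines are constructed from the transfers shown above.

```python
import re
from dataclasses import dataclass

FLASH_SIZE = 16777216  # u32TotalSize reported by MDrv_SERFLASH_GetInfo() in the boot log

# Constructed sample: DEBUG lines in the shape of the boot log, covering three of its transfers.
SAMPLE_LOG = """\
[TRACE] do_spi_rdc IN
offset 0x2E0000, size 0x10000
[DEBUG] _spi_rdc:768: dram_addr=0x80700000
[DEBUG] _spi_rdc:769: flash_addr=0x2E0000
[DEBUG] _spi_rdc:770: len=0x10000
[TRACE] do_spi_rdc OK
ERR>Invalid Ldr Sign
ERR>Reading LDR sign from backup
[DEBUG] _spi_rdc:768: dram_addr=0x80700000
[DEBUG] _spi_rdc:769: flash_addr=0x80000
[DEBUG] _spi_rdc:770: len=0x10000
[DEBUG] _spi_rdc:768: dram_addr=0x81100000
[DEBUG] _spi_rdc:769: flash_addr=0x300000
[DEBUG] _spi_rdc:770: len=0x4B29FC
"""

@dataclass
class Transfer:
    flash_addr: int
    length: int
    dram_addr: int

# _spi_rdc logs its three parameters on consecutive DEBUG lines (its source lines 768-770).
_FIELD = re.compile(r"\[DEBUG\] _spi_rdc:\d+: (dram_addr|flash_addr|len)=0x([0-9A-Fa-f]+)")

def parse_transfers(log: str) -> list:
    """Collect every flash -> RAM copy the loader logged, in boot order."""
    transfers, cur = [], {}
    for line in log.splitlines():
        m = _FIELD.search(line)
        if not m:
            continue
        cur[m.group(1)] = int(m.group(2), 16)
        if len(cur) == 3:  # dram_addr, flash_addr and len all seen: one complete transfer
            transfers.append(Transfer(cur["flash_addr"], cur["len"], cur["dram_addr"]))
            cur = {}
    return transfers

def carve(dump: bytes, transfers) -> dict:
    """Slice each logged region out of a full SPI flash dump, keyed by flash offset."""
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"expected a {FLASH_SIZE}-byte dump, got {len(dump)}")
    return {t.flash_addr: dump[t.flash_addr:t.flash_addr + t.length] for t in transfers}
```

Run over the full log, the map shows which regions the loader signature check and the APP CRC check actually cover, and therefore which parts of the dump to compare first when looking for modifications.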
Updated 13th October 2023