Tech memo of imx27 pdk (2) -- For hacking linux booting code

In the last article, Tech memo of imx27 pdk (1), we introduced how to build a zImage for the imx27 pdk. Copy it to the root folder of the tftp server and flash the kernel image to the pdk platform: open the board's RS232 interface, go to the RedBoot command line, and enter:

load -r -b 0x100000 zImage

fis delete kernel

fis create -l 0xa00000 kernel

and then reset.

Unfortunately, the kernel stops at:

 

Uncompressing Linux................................................................................................................... done, booting the kernel.

 

What happens?

1. In arch/arm/boot/compressed/misc.c, let's add a debug function:

/** hongao: add some glibc-like functions */
/** length is the number of digits to write (the buffer needs length + 1 bytes) */
/** radix is fixed to HEX only, because using division gives the link errors:
misc.c:(.text+0xcc): undefined reference to `__aeabi_uidivmod'
misc.c:(.text+0xf4): undefined reference to `__aeabi_uidiv'
currently I don't know why the div lib is not linked in.
*/

char *hongao_ultoa(unsigned long value, char *string, int length, int radix)
{
    char *tmp = string + length;   /* position of the terminating NUL */
    char *tp = tmp;
    long i;
    unsigned long v = value;

    if (radix > 32 || radix <= 1)
    {
        return 0;
    }

    /* pre-fill with '0' so that short values are left-padded */
    for (i = length; i >= 0; i--)
        string[i] = '0';

    *tp-- = 0;

    /* write the hex digits from the least significant nibble backwards */
    while ((v || tp == tmp) && tp >= string)
    {
        i = v & 0x0000000f;   /* i = v % radix; */
        v = v >> 4;           /* v = v / radix; */
        if (i < 10)
            *tp-- = i + '0';
        else
            *tp-- = i + 'a' - 10;
    }
    return string;
}

 

ulg
decompress_kernel(ulg output_start, ulg free_mem_ptr_p, ulg free_mem_ptr_end_p,
    int arch_id)
{
 output_data  = (uch *)output_start; /* Points to kernel start */
 free_mem_ptr  = free_mem_ptr_p;
 free_mem_ptr_end = free_mem_ptr_end_p;
 __machine_arch_type = arch_id;

 arch_decomp_setup();

 makecrc();
 putstr("Uncompressing Linux...");
 gunzip();
 putstr(" done, booting the kernel. [HONGAO DBG] parameters from boot loader:");
#if 1
 {
  char tmp[9];  /* 8 hex digits + terminating NUL */
  /** because of the limitations during the boot stage, we only support HEX output */
  putstr("\n output_start: 0x");
  putstr(hongao_ultoa((unsigned long)output_start, tmp, 8, 16));
  putstr("\n free_mem_ptr_p: 0x");
  putstr(hongao_ultoa((unsigned long)free_mem_ptr_p, tmp, 8, 16));
  putstr("\n free_mem_ptr_end_p: 0x");
  putstr(hongao_ultoa((unsigned long)free_mem_ptr_end_p, tmp, 8, 16));
  putstr("\n arch_id: 0x");
  putstr(hongao_ultoa((unsigned long)arch_id, tmp, 8, 16));
  putstr("\n output_ptr: 0x");
  putstr(hongao_ultoa((unsigned long)output_ptr, tmp, 8, 16));
 }
#endif

 return output_ptr;
}

Then recompile and flash, and we see:

 

Uncompressing Linux................................................................................................................... done, booting the kernel. [HONGAO DBG] parameters from boot loader:
 output_start: 0xa01c826c
 free_mem_ptr_p: 0xa01b826c
 free_mem_ptr_end_p: 0xa01c826c
 arch_id: 0x00000596
 output_ptr: 0x00379a0c

2. So decompressing the kernel image seems OK. Let's go to the lower-level code to find the root cause.

First, set CONFIG_DEBUG_LL=y and add some debug output in the code, for example in arch/arm/boot/compressed/head.S:

 

start:
  .type start,#function
  .rept 8
  mov r0, r0
  .endr

  b 1f
  .word 0x016f2818  @ Magic numbers to help the loader
  .word start   @ absolute load/run zImage address
  .word _edata   @ zImage end address
1:           
  mov r7, r1   @ save architecture ID
  mov r8, r2   @ save atags pointer

  /** hongao */
  kputc #'1'
  kputc #'3'
  kputc #'4'
  kputc #':'
  kphex r7, 8 
  kputc #'\n'

However, you MUST be careful about the registers corrupted by the subroutines you call, like kphex. Never call this kind of debug function until you have mastered it, or serious problems will happen.

If you've ever read through the Makefile and linker scripts under arch/arm/boot/, you may understand how vmlinux.lds is generated from the Makefile and vmlinux.lds.in, and how the entry code is called. In general we need to hack the following files:

arch/arm/boot/compressed/head.S

arch/arm/kernel/head.S

arch/arm/kernel/head-common.S

arch/arm/kernel/debug.S

Of course, good knowledge of the ARM instruction set is a MUST before reading the above code. I'm going to introduce the details of the kernel booting sequence in a separate session.

OK, based on my code, the following messages are printed out:


 [HONGAO DBG] parameters from boot loader:
00000596

A01C82E8-A0541D68>A0008000
A0541D68
A0008000: E321F0D3 EE109F10 EB0000B3 E1B0A005  0A00005C EB0000C8 E1B08005 0A00006A
A0008020: EB000014 E59FD0F4 E28FE000 E28AF010  E3800002 E3A0501F EE035F10 EE024F10
A0008040: EA000006 00000000 00000000 00000000  00000000 00000000 00000000 00000000
A0008060: E1A00000 EE010F10 EE103F10 E1A03003  E1A03003 E1A0F00D E59F4098 E1A00004
A0008080: E3A03000 E2806901 E4803004 E4803004  E4803004 E4803004 E1300006 1AFFFFF9
A00080A0: E59A7008 E1A06A2F E1873A06 E7843106  E2840A03 E5A03000 E59F605C E2800004
A00080C0: E0846926 E1500006 E2833601 94803004  9AFFFFFB E2840A03 E387620A E5806000
A00080E0: E59A700C E5983008 E0840003 E2633901  E3530B02 83A03B02 E0806003 E5983004

&00000596


Error: unrecognized/unsupported machine ID (r1 = 0x00000596).

Available machine support:

ID (hex)        NAME
0000034e        Freescale i.MX27ADS

Please check your kernel config and/or bootloader.

The machine ID passed from the bootloader in r1 is 0x596, which does not match the ID built into the Linux kernel.

Checking linux/arch/arm/tools/mach-types, we find the following entry on the last line (1430 decimal is 0x596):

mx27_3ds  MACH_MX27_3DS  MX27_3DS  1430

So we may be missing some configuration settings. Check the .config file and set CONFIG_MACH_MX27_3STACK=y, then recompile and reflash.

OK, this time the kernel is running :-) B-U-T, don't feel happy yet: when the kernel tries to mount the rootfs, it gets into TROUBLE. BTW, I'm trying to boot the rootfs from NFS, and the script is:

exec -b 0x100000 -l 0x200000 -c "console=ttymxc0,115200 root=/dev/nfs nfsroot=192.168.10.212:/ltib/rootfs init=/linuxrc ip=192.168.10.119:192.168.10.15"

and on the NFS server, my configuration is:

server: root
vim /etc/exports
/home/hongao_client *(rw,sync,no_root_squash)
/home/hongao_client/ltib/rootfs *(rw,sync,no_root_squash)
#/home/hongao_client/utu/s3c2440_recover *(rw,sync,no_root_squash)

service iptables stop
service nfs restart
showmount -e
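
The exports above pair the `*` client with no_root_squash while the firewall is stopped, so any host that can reach the server can mount them with root's uid intact. As an added example (not part of the original post), the shell function below flags such entries in an exports file. The sample file is constructed: 192.168.10.119 is the board address from the ip= boot argument, and /srv/example/rootfs is a hypothetical path.

```shell
#!/bin/sh
# Added example (not from the original post): flag /etc/exports entries that
# combine a wildcard client with no_root_squash, as the exports above do.

# audit_exports FILE -> prints "path client" per finding, returns 1 if any.
audit_exports() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }        # comments, blank or bare-path lines
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break         # trailing comment
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1)
                    sub(/\)$/, "", opts)
                }
                if (client == "") client = "*"   # "(opts)" alone means any host
                if (client == "*" && ("," opts ",") ~ /,no_root_squash,/) {
                    print $1, client
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the export lines from the post, plus one entry
# (hypothetical path) restricted to the board address from the ip= argument.
write_sample_exports() {
    cat > "$1" <<'EOF'
/home/hongao_client *(rw,sync,no_root_squash)
/home/hongao_client/ltib/rootfs *(rw,sync,no_root_squash)
#/home/hongao_client/utu/s3c2440_recover *(rw,sync,no_root_squash)
/srv/example/rootfs 192.168.10.119(rw,sync,no_root_squash)
EOF
}

sample=$(mktemp)
write_sample_exports "$sample"
audit_exports "$sample" || echo "wildcard no_root_squash exports listed above"
rm -f "$sample"
```

An NFS root still needs no_root_squash, so the entry restricted to the board's address passes the check while the two `*` entries are reported.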

TROUBLE of our kernel:

NET: Registered protocol family 1
NET: Registered protocol family 17
ieee80211: 802.11 data/management/control stack, git-1.1.13
ieee80211: Copyright (C) 2004-2005 Intel Corporation <jketreno@linux.intel.com>
input: mxc_ts as /class/input/input2
mxc input touchscreen loaded
mxc_rtc mxc_rtc.0: setting the system clock to 1970-01-01 00:25:23 (1523)
eth0: config: auto-negotiation on, 100FDX, 100HDX, 10FDX, 10HDX.
eth1: SMSC911x/921x identified at 0xc885e000, IRQ: 256
eth1: SMSC911x MAC Address: 00:04:9f:00:d2:b0
eth1: link down
Sending DHCP requests .<6>eth1: link up, 100Mbps, full-duplex, lpa 0x45E1
..... timed out!
IP-Config: Reopening network devices...
eth0: config: auto-negotiation on, 100FDX, 100HDX, 10FDX, 10HDX.
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = c0004000
[00000000] *pgd=00000000
Internal error: Oops: 805 [#1] PREEMPT
Modules linked in:
CPU: 0    Not tainted  (2.6.22-pdk27-hongao #49)
PC is at mii_link_poll+0x5c/0x70
LR is at mii_queue+0x9c/0xc8
pc : [<c01ca1a0>]    lr : [<c01c9bac>]    psr: a0000013
sp : c7c1de88  ip : c7c1de40  fp : c7c1de9c
r10: c7e0d800  r9 : 00000000  r8 : c0072e00
r7 : 00001002  r6 : 00001002  r5 : c7c4fba0  r4 : c7c4f800
r3 : ffffb724  r2 : c03e86c0  r1 : 00000000  r0 : c7c4fd2c
Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  Segment kernel
Control: 0005317f  Table: a0004000  DAC: 00000017
Process swapper (pid: 1, stack limit = 0xc7c1c260)
Stack: (0xc7c1de88 to 0xc7c1e000)
de80:                   c7c4f800 c7c4fba0 c7c1deb4 c7c1dea0 c01ca9ec c01ca154
dea0: c7c4f800 00001003 c7c1decc c7c1deb8 c026ff4c c01ca950 c7c9a410 c7c4f800
dec0: c7c1deec c7c1ded0 c026e314 c026fefc c03b3500 c7c4f800 00000001 00001002
dee0: c7c1df8c c7c1def0 c0020050 c026e2c8 c7e0d938 00000240 ffff8c10 00000000
df00: 00000001 c7e0d938 c02163b4 c01bde3c c001c888 c7e67a00 c7c1df8c c7c1df28
df20: c001c8cc c02163a0 00000001 00000001 00000000 00000019 c7c1df64 c7c1df48
df40: c02a46b8 c018bd08 00000019 c037a3c0 00000000 00000000 c7c1df7c 00000bb8
df60: c02a47cc c0023404 00000000 c0021fe0 00000000 c7c1c000 00000000 00000001
df80: c7c1dff4 c7c1df90 c0008960 c001ff00 c0085df0 c00848b4 00000000 00000000
dfa0: 00000000 c7c1dfb0 c0073f44 c0085d6c 00000000 00000000 c00088ac c008c72c
dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dfe0: 00000000 00000000 00000000 c7c1dff8 c008c72c c00088bc 00000000 00000000
Backtrace:
[<c01ca144>] (mii_link_poll+0x0/0x70) from [<c01ca9ec>] (fec_enet_open+0xac/0xd8)
 r5:c7c4fba0 r4:c7c4f800
[<c01ca940>] (fec_enet_open+0x0/0xd8) from [<c026ff4c>] (dev_open+0x60/0xc4)
 r5:00001003 r4:c7c4f800
[<c026feec>] (dev_open+0x0/0xc4) from [<c026e314>] (dev_change_flags+0x5c/0x130)
 r4:c7c4f800
[<c026e2b8>] (dev_change_flags+0x0/0x130) from [<c0020050>] (ip_auto_config+0x160/0xe8c)

Tomorrow I will check the problem and try to fix it! God Bless!!

 

 

 

 
