Post by jj0 on May 8, 2022 12:17:30 GMT
Ahh sorry about that, I forgot to say that I didn't yet get a chance to test it. I suspect that extract-symvers needs to be updated to support newer kernels -- the tool is ten years old, and I already found one issue [1], and there's probably more to it.

[1] The pointer to the CRC table is an unsigned long pointer, but it was advancing by 4 bytes instead of 8 bytes, so every other value would be zero. But I probably missed some other detail while making this change.

Part of my issue was caused by sloppy procedure on my side: I didn't delete a self-compiled vmlinux from my kernel tree and also used a Module.symvers I had extracted myself, so without your fixes. Your Module.symvers has the right version for module_layout:

0xafa30df0 module_layout vmlinux EXPORT_SYMBOL

Sorry for the confusion. Compiling pl2303.ko again still leaves me with:

pl2303: Unknown symbol dev_get_drvdata (err -22)
<....>
pl2303: Unknown symbol usb_serial_register_drivers (err -22)

(I'll get back on the symvers research soon-ish hopefully, just going to finish reversing the kernel config. Basically started with the config from "The C64 Maxi" that I had and carefully waded through `make oldconfig`. Next up is diffing the resulting kernel's symbols and going through the rinse-and-repeat process once again.)

You can extract the/a kernel config with:

H6-lichee-v1.1/lichee/linux-3.10/scripts/extract-ikconfig Image

using the SDK from the linux-sunxi Wiki. The actual link doesn't work but I've downloaded it by using:

wget --no-check-certificate https://dl.linux-sunxi.org/H6/H6-lichee-v1.1.tar.gz

Ok, after cleaning up more sloppiness on my part, now it works fine with the 'oleavr' Module.symvers :-) I've attached a few serial2usb modules. I've only tested the pl2303.ko.

Attachments:
ch341.ko (14.95 KB)
cp210x.ko (28.41 KB)
pl2303.ko (23.99 KB)
Post by tambua1981 on May 8, 2022 20:45:54 GMT
You are great, man!! Thanks to everybody... now things are becoming interesting...
Post by jj0 on May 9, 2022 10:34:35 GMT
Could you please provide me the steps you followed for building those modules? In particular, which kernel have you downloaded, and from where? This is the procedure I usually use:

1) make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- sun50iw6p1smp_defconfig
2) Change "# CONFIG_USB_SERIAL is not set" to "CONFIG_USB_SERIAL=y"
3) ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make -j4 prepare
4) ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make -j4 modules_prepare
5) ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make -j4 SUBDIRS=scripts/mod
6) ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make -j4 SUBDIRS=drivers/usb/serial modules

The kernel source I use is the Allwinner H6 SDK from the linux-sunxi Wiki. The actual link doesn't work but I've downloaded it by using:

wget --no-check-certificate https://dl.linux-sunxi.org/H6/H6-lichee-v1.1.tar.gz

Instead of using sun50iw6p1smp_defconfig I used the/a kernel config from the THEA500 Image file, extracted with:

cd H6-lichee-v1.1/lichee/linux-3.10
./scripts/extract-ikconfig <path to extracted Image>/Image >.config
make ARCH=arm64 oldconfig

And the Module.symvers from oleavr in that directory as well.

Instead of 2) Change "# CONFIG_USB_SERIAL is not set" to "CONFIG_USB_SERIAL=y" I use:

make ARCH=arm64 menuconfig

Because there might be other CONFIG settings that depend on whatever you want to set.

For 3/4/5/6 I do it slightly differently, but your way might work as well; I'm not sure about the difference between prepare and modules_prepare:

make ARCH=arm64 CROSS_COMPILE=$CC_LICHEE64 prepare
make ARCH=arm64 CROSS_COMPILE=$CC_LICHEE64 scripts
make ARCH=arm64 CROSS_COMPILE=$CC_LICHEE64 M=drivers/usb/serial/ clean
make ARCH=arm64 CROSS_COMPILE=$CC_LICHEE64 M=drivers/usb/serial/
Post by oleavr on May 9, 2022 19:22:01 GMT
Part of my issue was caused by sloppy procedure on my side: I didn't delete a self-compiled vmlinux from my kernel tree and also used a Module.symvers I had extracted myself, so without your fixes. Your Module.symvers has the right version for module_layout: 0xafa30df0 module_layout vmlinux EXPORT_SYMBOL Sorry for the confusion.

Ahh I see. No worries!

Compiling pl2303.ko again still leaves me with:
pl2303: Unknown symbol dev_get_drvdata (err -22)
pl2303: disagrees about version of symbol tty_kref_put
pl2303: Unknown symbol tty_kref_put (err -22)
(...)

I ran into the same issue myself. Turns out that there's some build state generated from Module.symvers, so it ends up using stale data if you replace that file too late. This works for me:

export ARCH=arm64
export CROSS_COMPILE=aarch64-linux-gnu-
export KBUILD_BUILD_VERSION=32
export KBUILD_BUILD_TIMESTAMP="Fri Nov 12 10:48:03 GMT 2021"
export KBUILD_BUILD_USER="chris"
export KBUILD_BUILD_HOST="puck"

cd "$repo/lichee/linux-3.10"
git clean -xffd
cp "$repo/kernel/config" .config
cp "$repo/kernel/Module.symvers" .
make oldconfig
make modules_prepare

Then after that I can proceed to building the out-of-tree drivers and the CRCs are fine. (As a last sanity check I found that inspecting drivername.mod.c and checking a few values against Module.symvers may save some back and forth.)

You can extract the/a kernel config with: (...)

Wooow, thanks! TIL about ikconfig!

Yay, I was already using the exact same one.
Edit: Oops, sorry for the spam here -- I somehow missed the new posts. Think I need more coffee
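The stale-CRC problem described in the post above, and the .mod.c-versus-Module.symvers sanity check mentioned in passing, can be automated. The script below is an added example written for this page; it is not part of the thread, of extract-symvers, or of any tool posted here. It parses the kernel's own Module.symvers and .mod.c `__versions[]` formats and reports every entry the running kernel would reject (symbol missing from Module.symvers, or present with a different CRC, which is what insmod reports as "disagrees about version of symbol" and "Unknown symbol ... (err -22)"). It also shows, on a constructed arm64 __kcrctab dump, the 4-versus-8-byte stride mistake jj0 found in extract-symvers. All sample data is constructed, not taken from a real kernel.

```python
"""Cross-check a module's .mod.c __versions[] table against Module.symvers.

Added example for this thread, not code from extract-symvers or any poster.
Both formats are the kernel's own:
    Module.symvers:  0xafa30df0<TAB>module_layout<TAB>vmlinux<TAB>EXPORT_SYMBOL
    foo.mod.c:       { 0xafa30df0, "module_layout" },
Usage: python3 modcrc_check.py Module.symvers drivers/usb/serial/pl2303.mod.c
"""
import re
import struct
import sys

SYMVERS_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S+)")
MODC_RE = re.compile(r'\{\s*(0x[0-9a-fA-F]+)\s*,\s*"([^"]+)"\s*\}')


def parse_symvers(text):
    """symbol name -> CRC, from the text of a Module.symvers file."""
    crcs = {}
    for line in text.splitlines():
        m = SYMVERS_RE.match(line.strip())
        if m:
            crcs[m.group(2)] = int(m.group(1), 16)
    return crcs


def parse_mod_c(text):
    """symbol name -> CRC, from the __versions[] initializer in a .mod.c file."""
    return {name: int(crc, 16) for crc, name in MODC_RE.findall(text)}


def compare(kernel_crcs, module_crcs):
    """{symbol: (module_crc, kernel_crc_or_None)} for every entry the running
    kernel would reject: a symbol missing from Module.symvers, or one whose CRC
    differs ('disagrees about version of symbol', insmod error -22)."""
    return {name: (crc, kernel_crcs.get(name))
            for name, crc in module_crcs.items()
            if kernel_crcs.get(name) != crc}


def read_crc_table(blob, word_size, count, little_endian=True):
    """Read `count` entries from a raw __kcrctab dump using `word_size` strides.

    On arm64 each entry is an unsigned long (8 bytes).  Walking the table with a
    4-byte stride, as a tool written for 32-bit kernels does, returns the CRC and
    then the zero upper half of each entry alternately: the "every other value is
    zero" symptom described above.
    """
    fmt = ("<" if little_endian else ">") + {4: "I", 8: "Q"}[word_size]
    return [struct.unpack_from(fmt, blob, i * word_size)[0] for i in range(count)]


# Constructed sample data, not from a real kernel.
SAMPLE_SYMVERS = (
    "0xafa30df0\tmodule_layout\tvmlinux\tEXPORT_SYMBOL\n"
    "0x12345678\ttty_kref_put\tvmlinux\tEXPORT_SYMBOL\n"
    "0x0badc0de\tusb_serial_register_drivers\tdrivers/usb/serial/usbserial\tEXPORT_SYMBOL_GPL\n"
)
SAMPLE_MOD_C = (
    "static const struct modversion_info ____versions[]\n"
    "__used __attribute__((section(\"__versions\"))) = {\n"
    "\t{ 0xafa30df0, \"module_layout\" },\n"
    "\t{ 0xdeadbeef, \"tty_kref_put\" },\n"
    "\t{ 0x0badc0de, \"usb_serial_register_drivers\" },\n"
    "\t{ 0x11111111, \"dev_get_drvdata\" },\n"
    "};\n"
)
# Two 8-byte __kcrctab entries as an arm64 little-endian kernel stores them.
SAMPLE_KCRCTAB = struct.pack("<QQ", 0xAFA30DF0, 0x12345678)


def check_files(symvers_path, mod_c_path):
    """Compare a real Module.symvers against a real .mod.c on disk."""
    with open(symvers_path) as f:
        kernel = parse_symvers(f.read())
    with open(mod_c_path) as f:
        module = parse_mod_c(f.read())
    return compare(kernel, module)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        problems = check_files(sys.argv[1], sys.argv[2])
    else:
        problems = compare(parse_symvers(SAMPLE_SYMVERS), parse_mod_c(SAMPLE_MOD_C))
    for name, (mod_crc, kern_crc) in sorted(problems.items()):
        state = "missing" if kern_crc is None else "kernel has 0x%08x" % kern_crc
        print("%-32s module 0x%08x, %s" % (name, mod_crc, state))
    sys.exit(1 if problems else 0)
```

Run it after `make modules_prepare` and the driver build, before copying the .ko to the device: an empty report means the module's version table agrees with the Module.symvers you supplied, so any remaining "Unknown symbol" at insmod time points at the Module.symvers itself (or at stale build state) rather than at the module build.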
Post by oleavr on May 9, 2022 23:28:23 GMT
Yay, just got my A500 Mini to speak TCP/IP on the LAN! \o/
Had some fun this evening and managed to turn the TCP/IP stack into a kernel module (attached as ipv4.ko). The IPv6 part is almost there as well, but I have to get some sleep now.
(The patch isn't pretty due to how the IP stack makes use of quite a few unexported kernel APIs, so I solved this by duplicating/porting those bits behind `#ifdef CONFIG_INET_MODULE`.)
Attachments:ipv4.ko (717.78 KB)
Post by jj0 on May 10, 2022 6:38:21 GMT
Yay, just got my A500 Mini to speak TCP/IP on the LAN! \o/
Had some fun this evening and managed to turn the TCP/IP stack into a kernel module (attached as ipv4.ko). The IPv6 part is almost there as well, but I have to get some sleep now.
(The patch isn't pretty due to how the IP stack makes use of quite a few unexported kernel APIs, so I solved this by duplicating/porting those bits behind `#ifdef CONFIG_INET_MODULE`.)
This is great work! Which network adapter are you using?
Post by oleavr on May 10, 2022 10:12:30 GMT
Yay, just got my A500 Mini to speak TCP/IP on the LAN! \o/
Had some fun this evening and managed to turn the TCP/IP stack into a kernel module (attached as ipv4.ko). The IPv6 part is almost there as well, but I have to get some sleep now.
(The patch isn't pretty due to how the IP stack makes use of quite a few unexported kernel APIs, so I solved this by duplicating/porting those bits behind `#ifdef CONFIG_INET_MODULE`.)
This is great work! Which network adapter are you using?

Thanks! It's a Realtek 8153 (r8152.ko). I'm using the out-of-tree driver that I was using on the C64 Maxi, though I suspect the in-tree driver works fine too.
Post by jj0 on May 10, 2022 10:30:52 GMT
This is great work! Which network adapter are you using?

Thanks! It's a Realtek 8153 (r8152.ko). I'm using the out-of-tree driver that I was using on the C64 Maxi, though I suspect the in-tree driver works fine too.

Does that need mii.ko and usbnet.ko as well? My asix.ko crashes when I insert the adapter in the USB port.
Post by tambua1981 on May 10, 2022 10:46:17 GMT
May I have the A500 image you mention?
Post by jj0 on May 10, 2022 12:38:12 GMT
May I have the A500 image you mention?

The kernel Image is too large to attach here even if I zip it. But you can follow the process mentioned here to get it from your THEA500. In brief:
- Copy nanda from THEA500, either via the somewhat elaborate u-boot method or via the Amiga side running a Workbench
- Extract nanda using the abootimg command (or other Android image tools)
- Rename the zImage to Image - as it is not actually a zImage but that's how abootimg calls it
Post by oleavr on May 10, 2022 20:35:11 GMT
Thanks! It's a Realtek 8153 (r8152.ko). I'm using the out-of-tree driver that I was using on the C64 Maxi, though I suspect the in-tree driver works fine too.

Does that need mii.ko and usbnet.ko as well? My asix.ko crashes when I insert the adapter in the USB port.

No, the out-of-tree driver is standalone. I've unfortunately only got this one USB Ethernet adapter to test with. I did try quickly with the in-tree Realtek driver though, but it turned out to be too old and only supports 8152, not 8153.

Only explanation I can think of is that some "default on" kernel option got enabled when you enabled the config options for the additional drivers, and that influenced some critical struct layout. Did you try doing "diff -u" between the .config before and after to double-check that no vmlinux-affecting options got enabled? A few are inevitable though:

CONFIG_HAVE_NET_DSA -- Not used by code
CONFIG_NET_CORE -- Not used by code
CONFIG_NETDEVICES -- Only used in net/core/sock.c, but harmless since it's only used for implementing SO_BINDTODEVICE
CONFIG_OF_NET -- Only used in include/linux/of_net.h, but harmless since it only affects of_get_phy_mode() and of_get_mac_address(), which are only used by regular Ethernet drivers in drivers/net/ethernet/

(But the diff shouldn't contain any vmlinux-affecting "=y" additions beyond these.)

FWIW, the sequence I'm using is:

git clean -xffd
cp ../the-a500/kernel/config-ip-plus-usb-ethernet .config
cp ../the-a500/kernel/Module.symvers .
make oldconfig
make modules_prepare
make -j16 M=net
make -j16 M=drivers/net

I also noticed that make modules is a bad idea and results in the CRCs being recomputed.

(I've pushed my kernel sources here btw.)
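The .config diff suggested in the post above can be mechanised. A module-only rebuild must not flip anything to =y, or drop a =y, relative to the config extracted from the running kernel, because that changes vmlinux and usually the struct layouts behind the symbol CRCs; new =m entries only add modules. The script below is an added example written for this page, not code from the thread: it parses two .config files and lists every change to an option's built-in state, exempting exactly the four "inevitable" options named above. The two sample configs are constructed, not taken from a real THEA500 kernel.

```python
"""Report .config changes that would alter vmlinux, not just add modules.

Added example, not from the thread.  Compares the config extracted from the
running kernel (before) with the one used for the module build (after) and
flags every option whose built-in state changed, except those on the
allowlist taken from the post above.
Usage: python3 kconfig_vmlinux_diff.py before.config after.config
"""
import re
import sys

# The four options the post above judged harmless for vmlinux.
ALLOWED = {"CONFIG_HAVE_NET_DSA", "CONFIG_NET_CORE", "CONFIG_NETDEVICES", "CONFIG_OF_NET"}

SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_config(text):
    """option -> value ('y', 'm', a quoted string, a number); unset -> None."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = None
    return opts


def is_builtin(value):
    """True for anything compiled into vmlinux: =y, strings, numbers."""
    return value not in (None, "m")


def vmlinux_affecting_changes(before, after, allowed=ALLOWED):
    """Sorted list of (option, old, new) for changes that touch vmlinux.

    A change is flagged when the option is built in on either side and its value
    differs: unset/=m -> =y, =y -> =m/unset, or a changed string/number.  Newly
    added =m options and =m <-> unset changes are module-only and are skipped.
    """
    flagged = []
    for opt in sorted(set(before) | set(after)):
        old, new = before.get(opt), after.get(opt)
        if old == new or opt in allowed:
            continue
        if is_builtin(old) or is_builtin(new):
            flagged.append((opt, old, new))
    return flagged


# Constructed sample configs (not from a real THEA500 kernel).
BEFORE = """\
CONFIG_LOCALVERSION=""
CONFIG_USB=y
# CONFIG_USB_SERIAL is not set
# CONFIG_NET_CORE is not set
# CONFIG_NETDEVICES is not set
# CONFIG_USB_NET_DRIVERS is not set
"""
AFTER = """\
CONFIG_LOCALVERSION=""
CONFIG_USB=y
CONFIG_USB_SERIAL=m
CONFIG_USB_SERIAL_PL2303=m
CONFIG_NET_CORE=y
CONFIG_NETDEVICES=y
CONFIG_USB_NET_DRIVERS=y
CONFIG_USB_RTL8152=m
"""


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            before, after = parse_config(f1.read()), parse_config(f2.read())
    else:
        before, after = parse_config(BEFORE), parse_config(AFTER)
    changes = vmlinux_affecting_changes(before, after)
    for opt, old, new in changes:
        print("%s: %s -> %s" % (opt, old if old is not None else "unset",
                                new if new is not None else "unset"))
    return 1 if changes else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the constructed pair above, the only line reported is CONFIG_USB_NET_DRIVERS going from unset to =y: that is the kind of "default on" dependency the post warns about, and the one to switch back to =m (or to leave unset) before rebuilding modules against the extracted Module.symvers.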
Post by oleavr on May 11, 2022 20:11:13 GMT
Got Frida running and managed to read CPU state and memory from amiberry:

(Though the CPU state is probably not that useful on a live process like here, where I'm inspecting Zool, as amiberry has a JIT and I suspect that the CPU state is only updated in traps.)

It's still in the early stages of development, but frida-amiga-bridge is already a tiny bit useful, and it's only 150 LOC. If anyone wants to play with it:
- Deploy jj0's awesome LinuxConsole to the root of a USB drive
- Extract the files in frida-rgl-a500-15.1.22.1.gb8f4746.tar.xz to the root of the same USB drive
- Edit Frida/start.sh to change the IP/netmask at the top of the script
- If you don't have a Realtek 8152/8153 USB network adapter available, you will also have to add the .ko for yours, and adjust start.sh so that driver gets loaded instead
- Fire up the console and run /mnt/Frida/start.sh
- Now you can exit the console (Ctrl+D) -- the frida-server should still be running

As a smoke-test you can then try the following from your workstation:

$ pip install frida-tools
$ frida-ps -H 192.168.1.250
Which should show the running processes on The A500 Mini. If that works you can proceed to playing with frida-amiga-bridge.
Post by tambua1981 on May 13, 2022 16:57:03 GMT
Is there anyone who can help me to obtain the kernel module for this USB sound adapter to work with THEA500mini? Thanks in advance.

Bus 001 Device 004: ID 8086:0808 Intel Corp. USB PnP Sound Device

This is on Ubuntu:

[ 10.426115] usb 1-3: New USB device found, idVendor=8086, idProduct=0808, bcdDevice= 1.00
[ 10.426121] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 10.426122] usb 1-3: Product: USB PnP Sound Device
[ 10.426123] usb 1-3: Manufacturer: C-Media Electronics Inc.
[ 10.453889] hid: raw HID events driver (C) Jiri Kosina
[ 10.459227] usbcore: registered new interface driver usbhid
[ 10.459232] usbhid: USB HID core driver
[ 10.468015] IPv6: ADDRCONF(NETDEV_CHANGE): wlo1: link becomes ready
[ 10.469491] usbcore: registered new interface driver snd-usb-audio
[ 10.503533] input: C-Media Electronics Inc. USB PnP Sound Device as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.3/0003:8086:0808.0001/input/input16
[ 10.561223] hid-generic 0003:8086:0808.0001: input,hidraw0: USB HID v1.00 Device [C-Media Electronics Inc. USB PnP Sound Device] on usb-0000:00:14.0-3/input3
Post by oleavr on May 14, 2022 1:14:33 GMT
Just wrote a quick and dirty tool for inspecting and dumping firmware updates: Figured it would be good to be able to review updates before installing them
Post by craip on May 14, 2022 8:49:18 GMT
Just wrote a quick and dirty tool for inspecting and dumping firmware updates: Figured it would be good to be able to review updates before installing them

Nice work. It'd be nice once we can 'roll our own' firmware updates to look at the 1.1.0 a5 firmware update, see which module has the 'host-run' command blocked (whether it's the compiled amiberry or amiberry.conf, I don't know) and then remove/re-implement the blockage and make our own firmware updates. Lots of steps, I know.
Post by spannernick on May 14, 2022 16:37:08 GMT
Host-Run is in Amiberry so they could have removed it. I run the old Amiberry on PCUAE and Host-Run works, so you need to replace the new Amiberry on the firmware with the old one that the update replaced.
We'll need to find the Int screen code that's in manhattan; you need to run manhattan once to initialise the screen before you can run something else on it like VICE or another emulator. RGL changed it in the update so you can not use amiberry to do it now.
Post by spannernick on May 17, 2022 10:04:54 GMT
Just wrote a quick and dirty tool for inspecting and dumping firmware updates: Figured it would be good to be able to review updates before installing them

Can you have a look at the resources.bod file and see if it can be extracted? It stores all the games' save states and game info, uae files for the games, all images for the carousel, images for the games and sound files for the carousel and other stuff; the bod would have to be recreated to add games to the carousel. Anyone have any info on the progress of being able to extract the bod file yet, or info on being able to remake the bod file...?
Post by jj0 on May 17, 2022 10:06:33 GMT
Hi, Not sure if this has already been done, but is there a file for the music on the carousel that can be extracted? I was hoping to be able to maybe get a .mod version of it somehow. Cheers!

It's contained in the resources.bod file but you might be able to extract it using binwalk (unlikely) or cyanic's tool.
Post by spannernick on May 17, 2022 10:16:21 GMT
Hi, Not sure if this has already been done, but is there a file for the music on the carousel that can be extracted? I was hoping to be able to maybe get a .mod version of it somehow. Cheers!

It's contained in the resources.bod file but you might be able to extract it using binwalk (unlikely) or cyanic's tool.

I could not find the music.mp3 file with binwalk, I only found png files mainly. Cyanic's tool... it would need to be made into a program first, won't it? You can not use the code as it is, on its own. I was just wondering...?
Post by spannernick on May 17, 2022 12:11:41 GMT
Just wrote a quick and dirty tool for inspecting and dumping firmware updates: Figured it would be good to be able to review updates before installing them

Error....? It's Python 3 that's on Linux.

commodoreos@commodoreos-virtual-machine:~/Documents$ ./dumpfirmware.py ~/Documents/theA500-mini-upgrade-v1.1.1.a5u
Version: 1001001
Traceback (most recent call last):
File "./dumpfirmware.py", line 159, in <module>
dump(firmware, output_dir)
File "./dumpfirmware.py", line 53, in dump
version, payload = decrypt(firmware)
File "./dumpfirmware.py", line 122, in decrypt
cipher = Cipher(algorithms.AES(aes256_key), modes.CBC(aes256_iv))
TypeError: __init__() missing 1 required positional argument: 'backend'
commodoreos@commodoreos-virtual-machine:~/Documents$
Post by oleavr on May 18, 2022 13:59:53 GMT
It's contained in the resources.bod file but you might be able to extract it using binwalk (unlikely) or cyanic's tool.

I could not find the music.mp3 file with binwalk, I only found png files mainly. Cyanic's tool... it would need to be made into a program first, won't it? You can not use the code as it is, on its own. I was just wondering...?

You'll need to grab a .NET SDK and use its C# compiler to compile it.
Post by oleavr on May 18, 2022 14:02:21 GMT
Just wrote a quick and dirty tool for inspecting and dumping firmware updates: Figured it would be good to be able to review updates before installing them

Error....? It's Python 3 that's on Linux.

commodoreos@commodoreos-virtual-machine:~/Documents$ ./dumpfirmware.py ~/Documents/theA500-mini-upgrade-v1.1.1.a5u
Version: 1001001
Traceback (most recent call last):
File "./dumpfirmware.py", line 159, in <module>
dump(firmware, output_dir)
File "./dumpfirmware.py", line 53, in dump
version, payload = decrypt(firmware)
File "./dumpfirmware.py", line 122, in decrypt
cipher = Cipher(algorithms.AES(aes256_key), modes.CBC(aes256_iv))
TypeError: __init__() missing 1 required positional argument: 'backend'
commodoreos@commodoreos-virtual-machine:~/Documents$

Make sure your cryptography package is fairly recent. I've only tested it on 36.0.0 (the version packaged in Fedora 36), and the latest (37.0.2 currently).
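The TypeError quoted above is what an old `cryptography` release produces: before 3.1, `Cipher()` required a positional `backend` argument, and from 3.1 on it is optional, so a script written against 36/37 fails on the 2.x that older distributions package. Upgrading (`pip install --upgrade cryptography`) is the simple fix. The snippet below is an added example for this page, not part of dumpfirmware.py: it constructs the AES-256-CBC cipher with an explicit `backend=default_backend()`, which both generations accept, and wraps it in encrypt/decrypt helpers with PKCS#7 padding and a length check up front, so a truncated download is reported as such rather than as a padding error. The key, IV and payload are constructed test values, not the firmware's.

```python
"""AES-256-CBC helpers that work across old and new `cryptography` releases.

Added example, not code from dumpfirmware.py.  Before cryptography 3.1 the
Cipher() constructor required a positional `backend`; since 3.1 it is optional
and default_backend() is effectively a no-op but still importable.  Passing
backend=default_backend() explicitly therefore satisfies both generations and
avoids the TypeError shown above.  Key/IV/payload below are constructed values.
"""
try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_CRYPTOGRAPHY = True
except ImportError:
    HAVE_CRYPTOGRAPHY = False

BLOCK = 16


def make_cipher(key, iv):
    """Build the AES-256-CBC Cipher; the explicit backend keeps old releases happy."""
    if len(key) != 32:
        raise ValueError("AES-256 needs a 32-byte key, got %d" % len(key))
    if len(iv) != BLOCK:
        raise ValueError("CBC needs a 16-byte IV, got %d" % len(iv))
    return Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())


def encrypt_cbc(key, iv, plaintext):
    """PKCS#7-pad and encrypt (only needed here to build test data)."""
    padder = padding.PKCS7(BLOCK * 8).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = make_cipher(key, iv).encryptor()
    return enc.update(padded) + enc.finalize()


def decrypt_cbc(key, iv, ciphertext):
    """Decrypt and strip PKCS#7 padding.  The length check comes first: a
    truncated download would otherwise surface as a confusing padding error."""
    if len(ciphertext) == 0 or len(ciphertext) % BLOCK:
        raise ValueError("ciphertext length %d is not a multiple of %d"
                         % (len(ciphertext), BLOCK))
    dec = make_cipher(key, iv).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(BLOCK * 8).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


# Constructed test material, not the firmware's key or IV.
TEST_KEY = bytes(range(32))
TEST_IV = bytes(range(16))
TEST_MSG = b"constructed payload, not a real firmware update"


def roundtrip_ok():
    """True if encrypt->decrypt restores TEST_MSG; None if cryptography is absent."""
    if not HAVE_CRYPTOGRAPHY:
        return None
    return decrypt_cbc(TEST_KEY, TEST_IV, encrypt_cbc(TEST_KEY, TEST_IV, TEST_MSG)) == TEST_MSG


if __name__ == "__main__":
    print("cryptography available:", HAVE_CRYPTOGRAPHY, "roundtrip:", roundtrip_ok())
```

The only line that matters for the traceback above is the `Cipher(...)` call in make_cipher(); dropping `backend=default_backend()` into the script's own call is enough to make it run on a 2.x install without otherwise touching it.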
Post by carbonated on May 18, 2022 19:51:08 GMT
I could not find the music.mp3 file with binwalk, I only found png files mainly. Cyanic's tool... it would need to be made into a program first, won't it? You can not use the code as it is, on its own. I was just wondering...?

You'll need to grab a .NET SDK and use its C# compiler to compile it.

nuget install Microsoft.Net.Compilers

It'll download the Microsoft.Net.Compilers.4.2.0\tools\csc.exe compiler. In order to create Program.exe:

Microsoft.Net.Compilers.4.2.0\tools\csc.exe Program.cs

But first adapt the inPath and outPath variables in the Program.cs code. And as I missed where to get the salt bytes (I don't understand the '32 bytes @ 0x7414c' comment), I just replaced it with a return true;
Regards.
Post by spannernick on May 23, 2022 17:51:05 GMT
You'll need to grab a .NET SDK and use its C# compiler to compile it.
nuget install Microsoft.Net.Compilers
It'll download Microsoft.Net.Compilers.4.2.0\tools\csc.exe compiler. In order to create Program.exe:
Microsoft.Net.Compilers.4.2.0\tools\csc.exe Program.cs But first adapt in the Program.cs code the inPath and outPath variables. And as I missed where to get the salt bytes (I don't understand the '32 bytes @ 0x7414c' comment), I just replaced it with a return true;
Regards.

Where do I put the return true in the code...? But it has a return true at the bottom...? // 32 bytes @ 0x7414c per Ghidra I think 32 bytes is in the resources.bod file at address 007414C 8bit hexadecimal.

static bool VerifyHash(Stream stream)
{
    // 32 bytes @ 0x7414c per Ghidra
    byte[] salt = {
        // Gotta find your own here
    };
    using (SHA256 sha = SHA256.Create())
    {
        // Hash the salt first, then everything in the file after the 0x20-byte digest header
        sha.TransformBlock(salt, 0, salt.Length, salt, 0);
        BinaryReader br = new BinaryReader(stream);
        stream.Seek(0x20, SeekOrigin.Begin);
        while (stream.Position < stream.Length)
        {
            int readCount = (int)Math.Min(4096, stream.Length - stream.Position);
            byte[] buf = br.ReadBytes(readCount);
            sha.TransformBlock(buf, 0, buf.Length, buf, 0);
        }
        // Finalize with an empty block so sha.Hash is valid even when the body
        // length is an exact multiple of 4096 and there is no short last chunk
        sha.TransformFinalBlock(new byte[0], 0, 0);
        // The expected digest is the first 0x20 bytes of the file
        stream.Seek(0, SeekOrigin.Begin);
        byte[] expectedHash = br.ReadBytes(0x20);
        for (int i = 0; i < expectedHash.Length; ++i)
        {
            if (expectedHash[i] != sha.Hash[i]) return false;
        }
    }
    return true;
}
Post by jj0 on May 24, 2022 6:04:00 GMT
nuget install Microsoft.Net.Compilers
It'll download Microsoft.Net.Compilers.4.2.0\tools\csc.exe compiler. In order to create Program.exe:
Microsoft.Net.Compilers.4.2.0\tools\csc.exe Program.cs But first adapt in the Program.cs code the inPath and outPath variables. And as I missed where to get the salt bytes (I don't understand the '32 bytes @ 0x7414c' comment), I just replaced it with a return true;
Regards.

Where do I put the return true in the code...? But it has a return true at the bottom...? // 32 bytes @ 0x7414c per Ghidra I think 32 bytes is in the resources.bod file at address 007414C 8bit hexadecimal.

static bool VerifyHash(Stream stream)
{
    // 32 bytes @ 0x7414c per Ghidra
    byte[] salt = {
        // Gotta find your own here
    };
    using (SHA256 sha = SHA256.Create())
    {
        // Hash the salt first, then everything in the file after the 0x20-byte digest header
        sha.TransformBlock(salt, 0, salt.Length, salt, 0);
        BinaryReader br = new BinaryReader(stream);
        stream.Seek(0x20, SeekOrigin.Begin);
        while (stream.Position < stream.Length)
        {
            int readCount = (int)Math.Min(4096, stream.Length - stream.Position);
            byte[] buf = br.ReadBytes(readCount);
            sha.TransformBlock(buf, 0, buf.Length, buf, 0);
        }
        // Finalize with an empty block so sha.Hash is valid even when the body
        // length is an exact multiple of 4096 and there is no short last chunk
        sha.TransformFinalBlock(new byte[0], 0, 0);
        // The expected digest is the first 0x20 bytes of the file
        stream.Seek(0, SeekOrigin.Begin);
        byte[] expectedHash = br.ReadBytes(0x20);
        for (int i = 0; i < expectedHash.Length; ++i)
        {
            if (expectedHash[i] != sha.Hash[i]) return false;
        }
    }
    return true;
}

It's probably easier to remove the line

if (!VerifyHash(fs)) throw new InvalidDataException("Hash mismatch");

then it doesn't check the hash so it doesn't matter. Not checking the hash means you won't get error messages if the extraction does not work OK.
Post by spannernick on May 24, 2022 14:26:55 GMT
I am getting an error now, after removing the if statement from above in the Program.cs file. It compiles OK but errors when I run it and doesn't extract the bod file...?

Unhandled Exception: System.IO.EndOfStreamException: Unable to read beyond the end of the stream.
   at System.IO.__Error.EndOfFile()
   at System.IO.BinaryReader.FillBuffer(Int32 numBytes)
   at System.IO.BinaryReader.ReadUInt16()
   at BodUnpack.Program.Main(String[] args)

Anyone know why...?

I was using the wrong bod file, version 2 not version 1... All OK now.
Post by spannernick on May 24, 2022 14:34:53 GMT
The new bod file from Firmware Update 1.1.0 has changed so it has an ADF PNG image file in it (because the carousel can now load ADF files). It's the same size as 1.0.0 v1 - 46.7 MB. Firmware 1.1.1 uses the same bod file as 1.1.0 - v2.
Is the hash check for checking the files inside the bod file to make sure they are not damaged at all...?
That's the only reason for it.
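For reference on what the VerifyHash() routine quoted above actually checks: it hashes the salt followed by everything in the file after the first 0x20 bytes and compares the SHA-256 with those first 0x20 bytes, so it is an integrity check over the whole body, and bypassing it (the `return true`, or removing the `if`) only removes the error you would otherwise get on a truncated or mismatched file. The Python below is an added example written for this page, not cyanic's tool or any code from the thread. It re-implements that check with a streaming variant for a 46 MB resources.bod and shows which corruptions it catches. The layout (32-byte digest header, then body) is taken from the C# code; SALT is a constructed placeholder, since the real 32 bytes at 0x7414c have to come from your own analysis.

```python
"""Salted SHA-256 header check equivalent to VerifyHash() above, plus a
streaming variant for a ~46 MB resources.bod.

Added example for this page, not cyanic's tool.  Layout assumed from the C#:
    file[0x00:0x20] = SHA-256(SALT || file[0x20:])
SALT is a constructed placeholder; substitute the real 32 bytes.
"""
import hashlib
import hmac
import os
import tempfile

HEADER_LEN = 0x20
SALT = bytes(range(32))  # placeholder, NOT the real salt
CHUNK = 4096


def body_digest(body, salt=SALT):
    """SHA-256(salt || body) as 32 raw bytes."""
    h = hashlib.sha256(salt)
    h.update(body)
    return h.digest()


def verify_blob(data, salt=SALT):
    """True iff data is a header-prefixed blob whose digest matches."""
    if len(data) < HEADER_LEN:
        return False
    # compare_digest avoids early-exit timing differences; harmless for a local
    # integrity check, but the right habit whenever a hash acts as an authenticator.
    return hmac.compare_digest(data[:HEADER_LEN], body_digest(data[HEADER_LEN:], salt))


def verify_file(path, salt=SALT):
    """Same check without loading the whole file into memory."""
    h = hashlib.sha256(salt)
    with open(path, "rb") as f:
        expected = f.read(HEADER_LEN)
        if len(expected) < HEADER_LEN:
            return False
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return hmac.compare_digest(expected, h.digest())


def make_blob(body, salt=SALT):
    """Prepend a valid header to `body` (useful for building test files)."""
    return body_digest(body, salt) + body


def demo():
    """Build a constructed blob, then show what the check catches.

    Returns (intact_ok, truncated_ok, flipped_ok, wrong_salt_ok, streamed_ok).
    """
    body = b"BOD\x01" + bytes(range(256)) * 40  # constructed body, 10244 bytes
    blob = make_blob(body)
    flipped = blob[:-1] + bytes([blob[-1] ^ 0x01])  # single-bit corruption
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(blob)
        streamed = verify_file(path)
    finally:
        os.unlink(path)
    return (verify_blob(blob), verify_blob(blob[:-100]), verify_blob(flipped),
            verify_blob(blob, salt=b"\x00" * 32), streamed)


if __name__ == "__main__":
    print(demo())  # (True, False, False, False, True)
```

The wrong-salt case is why a mismatch alone does not tell you the file is damaged: with a placeholder salt every genuine resources.bod fails the check, which is exactly the situation the `return true` workaround papers over. Once the real salt is in place, a failing verify_file() on a file you extracted yourself means the copy is truncated or altered.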
Post by jj0 on Jun 4, 2022 8:34:39 GMT
Updated my overview post - RGL have officially documented a way to retrieve and modify nanda to access THEA500's rootfs on their GitHub. It's almost the same as what I published.
Post by spannernick on Jun 5, 2022 14:03:01 GMT
Would you say... are we close to making PCUAE Network Mode on the A500 or some ways to go? I noticed on here people making modules for the network so they can use it with their USB Network Adapter...?
Post by jj0 on Jun 5, 2022 15:05:26 GMT
Would you say... are we close to making PCUAE Network Mode on the A500 or some ways to go? I noticed on here people making modules for the network so they can use it with their USB Network Adapter...?

Some ways to go + not being actively worked on (by me anyway). Unless you use an adapter that uses the Realtek 8153 (r8152.ko) that oleavr got to work.