path: root/doc/mkii
blob: 0d3ecc21b299fb603abbb95e1be4e0b6ab09c9ba (plain)
 Copyright (C) 2012-2014  Pali Rohár <pali.rohar@gmail.com>

The Mk II protocol is the only protocol which can be used to flash eMMC images.
NOLO does not support eMMC, so flashing the eMMC is done from the Maemo system.
NOLO boots the device into "update" mode, and Maemo then starts only the softupd
daemon (which is responsible for flashing from the Maemo system) and loads the
kernel driver g_softupd, which handles the USB communication on behalf of the
user space daemon. When the device is in PC Suite mode, the Maemo system starts
the softupd daemon and loads the kernel driver g_nokia, which can also handle
communication via the Mk II protocol.

The default Maemo flasher (v2.5.2 (Oct 21 2009)) supports only some basic
functions via the Mk II protocol: it can send an eMMC image to the softupd
server, which flashes it. But there is an unofficial Maemo flasher (flasher
v2.8.2 (Jan  8 2010)), distributed with the omap aes kernel driver for the
Nokia RX-51 under the name "flasher.rover", which supports more functions. So
"flasher.rover" is the better target for reverse engineering this protocol.

Via the Mk II protocol over USB, with the softupd daemon running on the device,
it is possible to flash any type of image except rootfs (xloader, secondary,
kernel, mmc, cmt-2nd, cmt-algo, cmt-mcusw). The Maemo system itself uses the
same Mk II protocol over a local TCP socket (the server is again provided by
softupd) to update/flash the system.

Over USB only these functions are used for communication:

 usb_claim_interface (interface=1)
 usb_set_altinterface (alternate=1)

 usb_bulk_write (ep=1, timeout=5000)
 usb_bulk_read (ep=129, timeout=5000)

And this function for sending raw data:

 usb_bulk_write (ep=2, timeout=1000)

For every (request) message sent by the host, the server sends back a response.
The format of every message is the same: a 6 byte header followed by a body of
(at least) 4 bytes.

HEADER

   4 bytes          --  type of header
                          0x8810001B - out (sent by host: usb_bulk_write)
                          0x8800101B - in (received by host: usb_bulk_read)
   2 bytes          --  size of body (big endian)

BODY

   2 bytes          --  unknown (always zero)
   1 byte           --  ordinal number of message (starting with zero)
   1 byte           --  type of message
   N bytes          --  data

Reply message data always starts with the byte 0x00 (except the pong response).

Message types:

0x00 - PING
0x01 - GET
0x02 - TELL
0x0C - REBOOT

0x20 - RESPONSE (ORed into the request type: the reply to 0x01 GET has type
       0x21, the reply to 0x0C REBOOT has type 0x2C, and so on)

The image transfer messages (types 0x03, 0x04, 0x05, 0x06, 0x08 and 0x0B)
appear only in the sniffed sequence below and have not been named here.

Here are some sniffed messages from a Nokia RX-51. The first two messages seem
to always have to be the protocol version exchange (first the host asks for the
server's protocol version, then the host sends its own protocol version). On
the RX-51 version "2" is used.

 Ping:
   req_type = 0x00
   res_type = 0x20

 Get protocol version:
   req_type = 0x01
   req_data = "/update/protocol_version"
   res_type = 0x21
   res_data = 0x00 "2"

 Tell our protocol version:
   req_type = 0x02
   req_data = "/update/host_protocol_version" 0x00 "2"
   res_type = 0x22
   res_data = 0x00

 Get device:
   req_type = 0x01
   req_data = "/device/product_code"
   res_type = 0x21
   res_data = 0x00 "RX-51"

 Get hwrev:
   req_type = 0x01
   req_data = "/device/hw_build"
   res_type = 0x21
   res_data = 0x00 "2101"

 Get image types:
   req_type = 0x01
   req_data = "/update/supported_images"
   res_type = 0x21
   res_data = 0x00 "xloader,secondary,kernel,mmc,cmt-2nd,cmt-algo,cmt-mcusw"

 Reboot device:
   req_type = 0x0C
   req_data = "reboot" 0x00
   res_type = 0x2C
   res_data = 0x00

 Send image (mmc):
   req_type = 0x03
   res_type = 0x23
   res_data = 0x00

   req_type = 0x04
   req_data = fiasco subimage header
   res_type = 0x24
   res_data = 0x00 0x00 0x00 0x00 0x00 0x00 0x02 0x00 0x00

   req_type = 0x05
   req_data = 0x00 0x00 0x00 0x00 "usb:raw"
   res_type = 0x25
   res_data = 0x00

   req_type = 0x06
   req_data = 0x00 0x00 0x00 0x00
   res_type = 0x26
   res_data = 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

   req_type = 0x0B
   req_data = 0x00 0x00 0x00 0x64
   res_type = 0x2B
   res_data = 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x00

   req_type = 0x08
   req_data = 0x00 0x00 0x00 0x00 0x00 0x10 0x00 0x00
   res_type = 0x28
   res_data = 0x00

   (raw data on ep=2 size=1048576)

   req_type = 0x06
   req_data = 0x00 0x00 0x00 0x00
   res_type = 0x26
   res_data = 0x00 0x00 0x00 0x03 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x0F 0x9F 0x2C 0x00 0x00

   req_type = 0x0B
   req_data = 0x00 0x00 0x00 0x64
   res_type = 0x2B
   res_data = 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x01 0xF0 0x00 0x00 0x00

   req_type = 0x08
   req_data = 0x00 0x00 0x00 0x00 0x00 0x10 0x00 0x00
   res_type = 0x28
   res_data = 0x00

   (raw data on ep=2 size=1048576)

   ...
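The following is an added example, not code from this document or from the
0xFFFF/softupd projects. It frames and validates messages in the header/body
layout described above, replays the sniffed version exchange and GET requests
against a constructed in-memory stand-in for the device side, and produces the
per-block data of the 0x08 request that precedes each raw block on ep=2 in the
mmc transfer. Assumptions not stated on this page and marked as such in the code:
the 4 byte header magic is transmitted big-endian like the size field, a reply
carries the same ordinal number as its request, and the sniffed 0x08 data
"0x00 0x00 0x00 0x00 0x00 0x10 0x00 0x00" is four zero bytes followed by the
big-endian block length. FakeSoftupd, MkiiHost and raw_chunk_plan are
hypothetical names chosen for this example.

```python
"""Mk II framing, validation and the sniffed RX-51 exchanges (added example)."""
import struct

MKII_OUT = 0x8810001B           # header magic, host -> device (usb_bulk_write ep=1)
MKII_IN = 0x8800101B            # header magic, device -> host (usb_bulk_read ep=129)
HEADER = struct.Struct(">IH")   # magic + body size; a big-endian magic is an assumption here
BODY_FIXED = struct.Struct(">HBB")  # 2 zero bytes, ordinal number, message type
MKII_PING, MKII_GET, MKII_TELL, MKII_REBOOT = 0x00, 0x01, 0x02, 0x0C
MKII_RESPONSE = 0x20            # reply type = request type | 0x20 (0x01 -> 0x21, 0x0C -> 0x2C)
CHUNK_SIZE = 1048576            # raw block size on ep=2 seen in the trace

def build_message(magic, num, mtype, data=b""):
    """Serialise one message: 6-byte header, then a (4 + len(data))-byte body."""
    if len(data) > 0xFFFF - BODY_FIXED.size:
        raise ValueError("data does not fit the 16-bit body size")
    body = BODY_FIXED.pack(0, num, mtype) + data
    return HEADER.pack(magic, len(body)) + body

def parse_message(buf, magic):
    """Check the framing and return (num, type, data); ValueError on anything malformed."""
    if len(buf) < HEADER.size + BODY_FIXED.size:
        raise ValueError("short message (%d bytes)" % len(buf))
    got, size = HEADER.unpack_from(buf)
    if got != magic:
        raise ValueError("unexpected header magic 0x%08X" % got)
    if size < BODY_FIXED.size or HEADER.size + size != len(buf):
        raise ValueError("body size %d disagrees with buffer length %d" % (size, len(buf)))
    zero, num, mtype = BODY_FIXED.unpack_from(buf, HEADER.size)
    if zero != 0:
        raise ValueError("reserved field is 0x%04X, expected 0" % zero)
    return num, mtype, buf[HEADER.size + BODY_FIXED.size:]

def is_wellformed(buf, magic):
    try:
        parse_message(buf, magic)
        return True
    except ValueError:
        return False

class FakeSoftupd:
    """Constructed device side: answers the GET/TELL keys exactly as the trace shows."""
    PROPERTIES = {
        b"/update/protocol_version": b"2",
        b"/device/product_code": b"RX-51",
        b"/device/hw_build": b"2101",
        b"/update/supported_images": b"xloader,secondary,kernel,mmc,cmt-2nd,cmt-algo,cmt-mcusw",
    }
    host_protocol_version = None

    def handle(self, request):
        num, mtype, data = parse_message(request, MKII_OUT)
        if mtype == MKII_PING:
            reply = b""                     # pong: the one reply without a leading 0x00
        elif mtype == MKII_GET:
            reply = b"\x00" + self.PROPERTIES[data]   # unknown keys raise; real behaviour unknown
        elif mtype == MKII_TELL:
            key, _, value = data.partition(b"\x00")
            if key == b"/update/host_protocol_version":
                self.host_protocol_version = value
            reply = b"\x00"
        else:
            reply = b"\x00"                 # REBOOT and the image messages: plain acknowledge
        return build_message(MKII_IN, num, (mtype | MKII_RESPONSE), reply)

class MkiiHost:
    """Host side: numbers requests from zero, sends via a transport callable, checks replies."""
    def __init__(self, transport):
        self.transport = transport          # bytes -> bytes; on hardware a bulk write ep=1 + read ep=129
        self.num = 0

    def request(self, mtype, data=b""):
        res = self.transport(build_message(MKII_OUT, self.num, mtype, data))
        rnum, rtype, rdata = parse_message(res, MKII_IN)
        if rnum != self.num:                # assumption: the reply echoes the request ordinal
            raise ValueError("reply ordinal %d, expected %d" % (rnum, self.num))
        if rtype != (mtype | MKII_RESPONSE):
            raise ValueError("reply type 0x%02X for request type 0x%02X" % (rtype, mtype))
        if mtype != MKII_PING and not rdata.startswith(b"\x00"):
            raise ValueError("reply does not start with 0x00: %r" % rdata[:4])
        self.num = (self.num + 1) & 0xFF
        return rdata

    def get(self, key):
        return self.request(MKII_GET, key)[1:]          # strip the leading status byte

    def tell(self, key, value):
        self.request(MKII_TELL, key + b"\x00" + value)

def handshake(host):
    """The mandatory opening pair: learn the server's version, then announce ours."""
    version = host.get(b"/update/protocol_version")
    host.tell(b"/update/host_protocol_version", version)
    return version

def raw_chunk_plan(image_size, chunk=CHUNK_SIZE):
    """(offset, length, data of the 0x08 request) per raw ep=2 block; the trace's
    00 00 00 00 00 10 00 00 is read as 4 zero bytes + big-endian length (assumption)."""
    return [(off, min(chunk, image_size - off), struct.pack(">II", 0, min(chunk, image_size - off)))
            for off in range(0, image_size, chunk)]
```

On real hardware the transport callable would wrap usb_bulk_write(ep=1) followed
by usb_bulk_read(ep=129) with the 5000 ms timeouts listed above, and the raw
blocks from raw_chunk_plan would go out on ep=2 after each 0x08 reply; the
checks in MkiiHost.request are the ones worth keeping when talking to an
untrusted device, since a reply with the wrong magic, a body size that does not
match the read length, or a mismatched ordinal should abort rather than be
interpreted.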