1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
|
Copyright (C) 2012-2014 Pali Rohár <pali.rohar@gmail.com>
Mk II protocol is the only protocol which can be used to flash eMMC images.
NOLO does not support eMMC, so flashing eMMC is done in Maemo system. NOLO
will boot device into "update" mode and Maemo will start only softupd daemon
(which is responsible for flashing from Maemo system) and load kernel driver
g_softupd which handle USB communication to user space daemon. When device
is in PC Suite mode Maemo system start softupd daemon and load kernel driver
g_nokia which can also handle communication via Mk II protocol.
Default Maemo flasher (v2.5.2 (Oct 21 2009)) support only some basic functions
via Mk II protocol - it can send eMMC image to softupd server which flash it.
But there is unofficial Maemo flasher (flasher v2.8.2 (Jan 8 2010)) distributed
with omap aes kernel driver for Nokia RX-51 under name "flasher.rover" which
support more functions. So "flasher.rover" is better for RE this protocol.
Via Mk II protocol over usb with softupd daemon in device it is possible to
flash any type of image except rootfs (xloader, secondary, kernel, mmc,
cmt-2nd, cmt-algo, cmt-mcusw). Maemo system using same Mk II protocol over
local TCP socket (server also provided by softupd) to update/flash system.
Over usb are used only these functions for communication:
usb_claim_interface (interface=1)
usb_set_altinterface (alternate=1)
usb_bulk_write (ep=1, timeout=5000)
usb_bulk_read (ep=129, timeout=5000)
And this function for sending raw data:
usb_bulk_write (ep=2, timeout=1000)
For every (request) message which is send by host, server send back response.
Format of message every message is same. It has 6 bytes header and (at least)
4 bytes body.
HEADER
4 bytes -- type of header
0x8810001B - out (sent by host: usb_bulk_write)
0x8800101B - in (received by host: usb_bulk_read)
2 bytes -- size of body (big endian)
BODY
2 bytes -- unknown (always zero)
1 byte -- or. num of message (starting with zero)
1 byte -- type of message
N bytes -- data
Reply message data always starts with char 0x00 (except pong response).
Message types:
0x00 - PING
0x01 - GET
0x02 - TELL
0x0C - REBOOT
0x20 - RESPONCE
Here are some sniffed messages from Nokia RX-51. First two messages seems to
must be always protocol version exchange (first host ask for protocol version of
server and then host send its protocol version). On RX-51 is used version "2".
Ping:
req_type = 0x00
res_type = 0x20
Get protocol version:
req_type = 0x01
req_data = "/update/protocol_version"
res_type = 0x21
res_data = 0x00 "2"
Tell our protocol version:
req_type = 0x02
req_data = "/update/host_protocol_version" 0x00 "2"
res_type = 0x22
res_data = 0x00
Get device:
req_type = 0x01
req_data = "/device/product_code"
res_type = 0x21
res_data = 0x00 "RX-51"
Get hwrev:
req_type = 0x01
req_data = "/device/hw_build"
res_type = 0x21
res_data = 0x00 "2101"
Get image types:
req_type = 0x01
req_data = "/update/supported_images"
res_type = 0x21
res_data = 0x00 "xloader,secondary,kernel,mmc,cmt-2nd,cmt-algo,cmt-mcusw"
Reboot device:
req_type = 0x0C
req_data = "reboot" 0x00
res_type = 0x2C
res_data = 0x00
Send image (mmc):
req_type = 0x03
res_type = 0x23
res_data = 0x00
req_type = 0x04
req_data = fiasco subimage header
res_type = 0x24
res_data = 0x00 0x00 0x00 0x00 0x00 0x00 0x02 0x00 0x00
req_type = 0x05
req_data = 0x00 0x00 0x00 0x00 "usb:raw"
res_type = 0x25
res_data = 0x00
req_type = 0x06
req_data = 0x00 0x00 0x00 0x00
res_type = 0x26
res_data = 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
req_type = 0x0B
req_data = 0x00 0x00 0x00 0x64
res_type = 0x2B
res_data = 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x00
req_type = 0x08
req_data = 0x00 0x00 0x00 0x00 0x00 0x10 0x00 0x00
res_type = 0x28
res_data = 0x00
(raw data on ep=2 size=1048576)
req_type = 0x06
req_data = 0x00 0x00 0x00 0x00
res_type = 0x26
res_data = 0x00 0x00 0x00 0x03 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x0F 0x9F 0x2C 0x00 0x00
req_type = 0x0B
req_data = 0x00 0x00 0x00 0x64
res_type = 0x2B
res_data = 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x01 0xF0 0x00 0x00 0x00
req_type = 0x08
req_data = 0x00 0x00 0x00 0x00 0x00 0x10 0x00 0x00
res_type = 0x28
res_data = 0x00
(raw data on ep=2 size=1048576)
...
|
