[Tiptoi] Tiptoi hacking

Sven A. Huerlimann sh at sighup.ch
Sun Dec 31 01:10:50 CET 2017


Hi Björn

Sure... the magic question is: how did you access this thing :)

This is brilliant! Free code execution on the Pen. Thanks a lot!

You access this via UART? Pin GPIO12 (RX) and GPIO13 (TX)?

If you find time to write down the steps needed to access the
BIOS/Boot-ROM I would be very thankful.

This just made my day, as we had longer discussions at the congress about
how to inject some kind of loader code to dump and load memory.
And it's already there. Perfect.

Cheers Sven



On 31.12.17 at 01:02, Bjoern wrote:
> Hi Sven,
>
> The Boot ROM is called by Anyka in some cases "BIOS" (see the screen
> shot I attached to my last email).
>
> Cheers
> Björn
>
>
>
> On 31.12.2017 at 00:03, Sven A. Huerlimann wrote:
>>
>> Hi Björn
>>
>> What do you mean by: "enter the BIOS"? That could be very helpful for
>> me.
>>
>> About the memory map:
>>
>> section 1 is the Boot-ROM (afaik)
>>
>> section 2 is the 192k L2 Memory (The larger memory)
>>
>> section 3: there should be some 64k of on-chip RAM somewhere (but
>> this could also be banked into the section 1 memory range after the
>> boot ROM finished)
>>
>> Cheers
>>
>> sven
>>
>>
>> On 30.12.17 at 22:19, Bjoern wrote:
>>> Hi Matthias,
>>>
>>> When I read out the NAND directly by a Raspberry Pi, the data was
>>> not really reliable because some bits always toggled.
>>> Is your reading method giving accurate, reproducible results, or are
>>> toggled bits an inherent effect of reading raw data from NANDs
>>> (hence using ECC is mandatory), or?
>>>
>>> I have meanwhile managed to enter the BIOS of the TT. This BIOS
>>> offers the following commands:
>>> - download
>>> - setvalue
>>> - go
>>> - dump
>>>
>>> From what I could see so far, only two memory sections contain data:
>>> section 1:    0x0000'0000 - 0x0000'FFFF
>>> section 2:    0x0800'0000 - 0x0802'FFFF
>>>
>>> Section 1 is almost surely the BIOS itself; about the meaning of
>>> section 2 I have no idea (RAM?).
>>> If you think it might support you with your efforts, I can describe
>>> the steps for entering the BIOS mode more in detail.
>>>
>>> Cheers
>>> Björn
>>>
>>>
>>>
>>> On 30.12.2017 at 18:22, Matthias Weber wrote:
>>>> Hi Werner and list,
>>>>
>>>> Up to my current knowledge, nobody is able to perform a firmware update
>>>> of the pen. If I'm wrong, I'd be happy to read how it is done.
>>>>
>>>> So far we've taken a dump of a tiptoi pen's flash memory and are trying
>>>> to find out how the firmware update is done or how we can get a
>>>> workaround to flash new firmware.
>>>>
>>>> It will be helpful to understand the memory mapping of the peripherals
>>>> connected to/used by the ARM core (UART, flash interfaces). That's what
>>>> Sven has started to work on. We'd be happy to get any support here.
>>>>
>>>> Cheers,
>>>> Matthias
>>>>
>>>>
>>>> Werner Beroux wrote:
>>>>> I updated the bug https://github.com/entropia/tip-toi-reveng/issues/171
>>>>> as I kind of bricked my Tiptoi. Wondering if you had some known way to
>>>>> unbrick the device, flash it, or change language on a working device?
>>>>>
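For the question Björn raises about bits that toggle between raw NAND reads, here is an added example (not code from the list or from tip-toi-reveng): it majority-votes several reads of the same region and reports which bit positions disagree, per page, so stable data can be separated from read noise before ECC is considered. The 2048-byte page size and the sample reads are assumptions.

```python
from collections import Counter

PAGE_SIZE = 2048  # assumed NAND page size; not stated in the thread


def majority_vote(dumps: list[bytes]) -> tuple[bytes, list[int]]:
    """Majority-vote repeated raw reads of the same flash region.

    Returns (voted_image, unstable_bits): voted_image holds the most common
    value of each byte across the reads; unstable_bits lists absolute bit
    indices (byte_offset * 8 + bit) at which the reads did not all agree.
    With three or more reads, a bit that flips in only one read is outvoted.
    """
    if len(dumps) < 3 or len({len(d) for d in dumps}) != 1:
        raise ValueError("need at least three dumps of equal length")
    voted = bytearray(len(dumps[0]))
    unstable: list[int] = []
    for offset in range(len(dumps[0])):
        column = [d[offset] for d in dumps]
        voted[offset] = Counter(column).most_common(1)[0][0]
        # OR together the XOR of every read against the first: a set bit
        # marks a position that differed in at least one read.
        diff = 0
        for value in column[1:]:
            diff |= value ^ column[0]
        unstable.extend(offset * 8 + bit for bit in range(8) if diff >> bit & 1)
    return bytes(voted), unstable


def per_page_report(unstable: list[int], page_size: int = PAGE_SIZE) -> dict[int, int]:
    """Count unstable bits per page, so pages that need ECC attention stand out."""
    report: dict[int, int] = {}
    for pos in unstable:
        page = pos // 8 // page_size
        report[page] = report.get(page, 0) + 1
    return report


# Constructed sample data: three reads of the same 8-byte region. Read 2 has
# bit 0 of byte 2 flipped, read 3 has bit 7 of byte 5 flipped.
BASE = bytes.fromhex("a55a3cc30ff08118")
READS = [
    BASE,
    BASE[:2] + bytes([BASE[2] ^ 0x01]) + BASE[3:],
    BASE[:5] + bytes([BASE[5] ^ 0x80]) + BASE[6:],
]

if __name__ == "__main__":
    image, bad = majority_vote(READS)
    print(image.hex(), bad, per_page_report(bad))  # a55a3cc30ff08118 [16, 47] {0: 2}
```

Positions that still disagree after voting over many reads are the ones that genuinely need the controller's ECC data; a bit that flips only once in a while is outvoted.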
