Armboot on NCB3AST

In this post, I will explain some things about armboot boot loader that I have understood. The boot loader on NCB3AST is based on the open source Armboot, but modified by Star technology (unfortunately they don’t share their modification). You need to connect to the serial port using 38400N1. I am using kermit to connect, but you can use cu or other programs. To enter the Armboot boot menu, you must hold and press USB EXIT button while powering it on. You will start seeing delay tim 0 until 9, and after that, the device will try to connect to mass production server (I don’t know what the protocol is, but if we can reverse engineer this, this can potentially be used for unbricking the device without opening the device).


delay tim 0
delay tim 1
delay tim 2
delay tim 3
delay tim 4
delay tim 5
delay tim 6
delay tim 7
delay tim 8
delay tim 9
phy0_id =0243, phy1_id =ffff
Check MAC/PHY 0 Link Status : UP!
Check MAC/PHY 1 Link Status : DOWN!
try mass production 1
eth addr: 00:1c:10:09:4a:f5
timeout
Abort
STR9100>

You can type in "help" to see all available commands:

 

STR9100>help
go      - start application at address 'addr'
run     - run commands in an environment variable
bootm   - boot application image from memory
bootp   - boot image via network using BootP/TFTP protocol
tftpboot- boot image via network using TFTP protocol
               and env variables ipaddr and serverip
firstboot- first boot the device for mass production
rarpboot- boot image via network using RARP/TFTP protocol
bootd   - boot default, i.e., run 'bootcmd'
loads   - load S-Record file over serial line
loadb   - load binary file over serial line (kermit mode)
autoscr - run script from memory
md      - memory display
mm      - memory modify (auto-incrementing)
nm      - memory modify (constant address)
mw      - memory write (fill)
cp      - memory copy
cmp     - memory compare
crc32   - checksum calculation
base    - print or set address offset
printenv- print environment variables
setenv  - set environment variables
saveenv - save environment variables to persistent storage
protect - enable or disable FLASH write protection
erase   - erase FLASH memory
flinfo  - print FLASH memory information
bdinfo  - print Board Info structure
iminfo  - print header information for application image
loop    - infinite loop on address range
mtest   - simple RAM test
reset   - Perform RESET of the CPU
echo    - echo args to console
sleep   - delay execution for some time
version - print monitor version
help    - print online help
?       - alias for 'help'
STR9100>

One important thing is the environment, you can see it with printenv, set it with setenv and save permanently using saveenv.

STR9100>printenv
baudrate=38400
ethaddr=00:aa:bb:cc:dd:10
netmask=255.255.0.0
bootcmd=cp.l 0x10020000 0xcf00000 0x1f0000;go cf00000
bootdelay=0
ipaddr=192.168.10.3
serverip=192.168.10.2
Environment size: 169/4092 bytes

To change the environment value, type: setenv variablename newvalue. To save the current values of the environment permanently just type saveenv. From the bootcmd we can know that the kernel is in 0x10020000, the memory location 0x10000000-0x1001FFFF is used by the armboot.

To load a new image from tftp, setup a tftpserver (for exampe atftpd), and put the new image there.

tftpboot 0x1020000 imagefile.bin

To start the new image, type:

go 0x1020000

You can load a new kernel compiled from ftp://ftp.linksys.com/opensourcecode/wrvs4400n/1.1.03/WRVS4400N_v1.1.03.tgz. Just compile the files in the star9109 directory, and you will get a file named image.9109. To execute this file, you can put it in your tftp server, load it to 0x1020000, then execute the address, like this:

tftpboot 0x1020000 image.9109
go 0x1020000

I don’t know how to permanently write it to flash using armboot yet. I will try to study this (and the firmware format) a little bit more.

 

As a side note, Chris Baird pointed me to a Chinese site where they show a Linux kernel booting 2.6.14 on the star machine. Unfortunately they didn’t mention where the got the kernel from.

3 thoughts on “Armboot on NCB3AST”

  1. I’ve cut from mtd1.bin the kernel image and initrd image, mounted and customized initrd, then combined new mtd1.bin from kernel image and new initrd. The problem is:
    then the kernel start mount the initrd, it fails on crc error from gunzip. Do you have any idea how to solve it?

    Thanks.
    Yan.

  2. I managed to change initrd and burn it to flash, but my changes were minor (only enabling few stuff) and my modifications didn’t change the compressed initrd file size.

Leave a Reply

Your email address will not be published. Required fields are marked *