Topic: Fernly running on MT6261

See if this works for anyone else...

https://github.com/isogashii/fernly/tree/fernly6261/

That's the "fernly6261" branch in my fork of fernly from jimparis's fork.

Coupla quick notes... I relocated Fernly down to 0x70000000, the base of static RAM. The 6261 only has 44k of static RAM and there wasn't enough room to load it at 0x70006000 with all the features compiled in without it overwriting and crashing the first stage loader above it. That meant redoing the stage 1 loader to use Fernly's serial routines, since the ROM's USB routines use the low RAM area to store their buffers and program variables. Fernly's serlal output code worked fine as-is. I re-did serial_getc() based on a pretty literal translation of the disassembled ROM code.

The new loader is named "stage1.bin" and I set fernly-usb-loader to load it at 0x70009000. I also edited usb-loader.S with the equivalent 6261 ROM entry points for reading, writing, and flushing USB serial. That isn't used for Fernly but I used it a great deal while figuring out this stuff.

There's also a ROM dumper payload included, called "dump-rom-usb.S" naturally. Instructions for it are in the README, and I put a .bin file in the /build directory so that if you've got a device and can compile fernly-usb-loader, you can run it and get a copy of your ROM. (I.e., you won't need a cross-compile toolchain for that.)

It looks like PSRAM is working. Without the scriptic_run() call, address 0 is the same as 0x10000000, beginning with "SF_BOOT". After "enable_psram", I can poke address 0 and read back the value I put there. So that's cool.

Re: Fernly running on MT6261

Wow, that's fantastic.  Great job!

Re: Fernly running on MT6261

Thanks! It was a lot of work and it feels nice to finally have something to show off from it.

What next? I'm thinking that being able to operate the display and touch sensing might be good for the "they might have something there" effect.

Re: Fernly running on MT6261

isogashii that's remarkable, you're my hero for the day. I was thinking I'd have to do this and from trying before I know just how much work it is. It's not easy either and I didn't really have the skills to do this properly.
It's good that you decided to let us know, I would have still been at it trying to figure this out.

I'm also curious about how you did some things so if you'd like to explain how you got Fernly to run that would be cool but it's optional ... it would help to learn something.

Also I assume you have the datasheets I was able to get. They might not be much but it's all I was able to get.

Re: Fernly running on MT6261

I grabbed everything I could find! The best datasheet I was able to find is a pdf called "MT6261A GSM GPRS EDGE-RX SOC Processor Data Sheet v0.2.pdf". I don't remember where I stumbled on it but googling pops up a link on the first page. Even so, there are still a lot of details missing. In the end the useful info mostly came from studying code. Code that actually works always has the last word, by my way of thinking.

Memory maps were helpful for searching through disassembler output, looking at the top four hex digits of addresses to figure out which parts of the code were banging on which peripherals. In the end maybe 98% of the Fernly codebase still worked. Figuring out the other 2% took some digging; no tricks there, just a lot of reading and taking notes and writing test code.

The big deal was getting the ROM data in the first place. I didn't do precisely the same thing as sodnpoo, with an Arduino attached to the vibrate motor wires (I'd started at it before he posted that) but I did use the vibrate motor. I've created a Wordpress blog and I'll try to write up that whole messy business before long. I'm a sucky blogger so please be patient.

Studying the disassembled ROM code is a good way to boost your skill set if that's what you're after. It was my first experience with ARM assembler and I think I learned a lot from it.

Re: Fernly running on MT6261

Thanks, I was just curious. I looked at the dissasembled code too but I'm not very good at emebedded yet, I'm a C++ programmer but I do find this interesting.
I was hoping to learn something from how others did it in the hopes of better understanding how to do it myself as I find this hacking quite fun and you can always learn something from how others succeed.
I've probably not allocated nearly enough time to this also.
If you could post some more useful info in a blog post that would probably help me and others who find this fun and want to learn. It's not urgent thoug.
For now I'm really anctious to get the time to run Fernly on my MT6261.

Also how do you plan on proceeding from this point. I'd like to help as much as I can ... I was thinking of looking at the disassembled ROM for the OS. Maybe even use Fernly to try and load the OS and watch what it does if that makes any sense ....
I like to use IDA Pro to study code but it helps a lot when you can actually run the debugged and see some values, see it dinamically running that is.

Re: Fernly running on MT6261

I started another thread for chatting about RE methods. Let's leave this one specifically for Fernly on the MT6261. Having thought about it some, I might see if I can get the Fernvale-QEMU situation up and running next, now that I've got Fernly available to backend the emulator with real hardware.

Re: Fernly running on MT6261

Sounds like a good plan to me. Once this is working it should be possible to use IDA Pro or radare2 with the gdb stub in qemu. At least that's how I understand things.
It will be very nice to be able to follow the execution of the ROM ... I'd say it's crucial for getting the support for all the connected peripherals.

Re: Fernly running on MT6261

I rigged together a flashrom serprog device-providing "stage1"-like (its just using the bootrom usb serial code... that btw likes to hang if you try to really push it (workarounded...) - not the first buggy cdc_acm implementation i've came across, sigh.) for the MT6261, in case someone likes that, and also added the spi chip (atleast in my MT6261DA-based GT08 watch) into my flashrom tree.

https://github.com/urjaman/fernly (see frser.c / build/frser.bin / load-fr-6261.sh )
https://github.com/urjaman/flashrom

So now that i can flash my watch(es), i'm kinda curious of the compression used for most of the user code/apps (the VIVA section i think), so if someone has some "pointers" on that, it'd be appreciated smile

Re: Fernly running on MT6261

Hi - thanks, this works on my recently purchased DZ09 ebay $11 special, build 11/22/2017.

Write four bytes of program size, then write program data...
>Ok
Writing stage 2... 19348 bytes...  19348 /  19348 Ok
Start Fernly shell... ��
hi there
will try to enable psram now
fernly>

Re: Fernly running on MT6261

This also works for me on a GPS/GSM tracker from Aliexpress called ZX302 (MT2503/MT6261). The flashrom patch from fernvale worked for me for backup, but not for writing. To be specific, I could for whatever reason write a flash file containing all 0x00 or all 0xFF, but writing a normal flash image would always write a few hundred bytes and then hang. See https://www.kosagi.com/forums/viewtopic.php?id=159

Re: Fernly running on MT6261

Hi isogashi !
your test motor script worked fine !
But when loading firmware.bin watch not running?
Is it my mistake or what need to do ?

Thanks you for your codes :-)