alastairstevenson
Staff member
This is getting to be a bit of a habit - unbricking another Mini PTZ V2, this time from a status that was a lot closer to death's door than the previous ones.
A forum member shared with me a transcript from a serial console startup - and it was clear that an over-the-PM-dialogue wasn't going to fix this one.
mtdblock4 serious corruption ... how to get out of that? But it can be done.
So I agreed that I'd have a look at it to see what if anything could be done.
Skipping a lot of detail - and there was a lot -
Access to Amboot bootloader was OK, but it looks to me like the options for firmware updates are strictly limited via this route. Ambarella succeed in keeping useful Amboot information out of public view, unlike u-boot, which is nicely documented.
Dumping the flash, converting to binary, and splitting it as per the flash partitions confirmed the the 'lnx' partition mtdblock4 was filled with garbage.
So it looks like the only option to do an automated Amboot FW update is through an as-yet-unidentified USB interface (got some connectors on order so hope to find out if a USB stick and connector will be a magic unbricking wand). And what FW components you'd need on the USB device is (currently) a mystery.
So I explored what a tftp netboot might be able to do.
This is configurable via the Amboot 'setenv' command. Though the memory map is guesswork.
This is what I figured out - believe it or not, from using an 'hroot' initrd image extracted from Hikvision 5.3.0 R0 camera firmware (!!).
I laughed out loud when the Huisun bootup ended up with a Hikvision 'psh' prompt! How bizarre. And hated.
But at least it was the proof of concept that allowed me to figure out what could be done.
It showed what type of initrd worked (ext2, not cpio, not cramfs, not anything cloned on to the SD card), so I was able to create my own ext2 initrd image from the file system contents of a working Mini PTZ V2.
Create a large file, format as ext2, mount it in Linux, populate with the needed folder tree and utilities (a decent, non-Hikvision Busybox), unmount and gzip the image.
I was so chuffed when it worked!
After that it was plain sailing - just a matter of setting up the ethernet interface, tftp-ing the mtdblock4 and using flashcp to apply it.
And after a reboot, the camera was unbricked.
Now i just need to figure out how to enable the audio option.
A forum member shared with me a transcript from a serial console startup - and it was clear that an over-the-PM-dialogue wasn't going to fix this one.
mtdblock4 serious corruption ... how to get out of that? But it can be done.
Code:
[ 2.334824] VFP support v0.3: implementor 41 architecture 3 part 30 variant 9 rev 4
[ 2.342481] ThumbEE CPU extension supported.
[ 2.347528] ambarella-rtc e8015000.rtc: setting system clock to 2016-08-26 20:43:55 UTC (1472244235)
[ 3.539183] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x008aaf94: 0x0005 instead
[ 3.548665] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x008aaf9c: 0x4040 instead
[ 3.558130] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x008aafa0: 0x00c0 instead
[ 3.567592] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x008aafa4: 0x0002 instead
[ 3.577051] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x008aafa8: 0x006d instead
[ 3.586512] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x008aafb0: 0x0004 instead
[ 3.595972] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x008aafb4: 0x1210 instead
[ 3.605431] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x008aafb8: 0x0090 instead
[ 3.614891] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x008aafc0: 0x8000 instead
[ 3.624350] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x008aafcc: 0x0002 instead
[ 3.633806] jffs2: Further such events for this erase block will not be printed
[ 4.309048] VFS: Mounted root (jffs2 filesystem) on device 31:4.
[ 4.315300] devtmpfs: mounted
[ 4.318450] Freeing unused kernel memory: 132K (803cc000 - 803ed000)
/linuxrc: symbol lookup error: /lib/libc.so.6: undefined symbol: , version GLIBC_2.4
[ 4.769702] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00Skipping a lot of detail - and there was a lot -
Access to Amboot bootloader was OK, but it looks to me like the options for firmware updates are strictly limited via this route. Ambarella succeed in keeping useful Amboot information out of public view, unlike u-boot, which is nicely documented.
Dumping the flash, converting to binary, and splitting it as per the flash partitions confirmed the the 'lnx' partition mtdblock4 was filled with garbage.
So it looks like the only option to do an automated Amboot FW update is through an as-yet-unidentified USB interface (got some connectors on order so hope to find out if a USB stick and connector will be a magic unbricking wand). And what FW components you'd need on the USB device is (currently) a mystery.
So I explored what a tftp netboot might be able to do.
This is configurable via the Amboot 'setenv' command. Though the memory map is guesswork.
This is what I figured out - believe it or not, from using an 'hroot' initrd image extracted from Hikvision 5.3.0 R0 camera firmware (!!).
I laughed out loud when the Huisun bootup ended up with a Hikvision 'psh' prompt! How bizarre. And hated.
But at least it was the proof of concept that allowed me to figure out what could be done.
It showed what type of initrd worked (ext2, not cpio, not cramfs, not anything cloned on to the SD card), so I was able to create my own ext2 initrd image from the file system contents of a working Mini PTZ V2.
Create a large file, format as ext2, mount it in Linux, populate with the needed folder tree and utilities (a decent, non-Hikvision Busybox), unmount and gzip the image.
I was so chuffed when it worked!
After that it was plain sailing - just a matter of setting up the ethernet interface, tftp-ing the mtdblock4 and using flashcp to apply it.
And after a reboot, the camera was unbricked.
Now i just need to figure out how to enable the audio option.
Code:
___ ___ _________ _
/ _ \ | \/ || ___ \ | |
/ /_\ \| . . || |_/ / ___ ___ | |_
| _ || |\/| || ___ \ / _ \ / _ \ | __|
| | | || | | || |_/ /| (_) || (_) || |_
\_| |_/\_| |_/\____/ \___/ \___/ \__|
----------------------------------------------------------
Amboot(R) Ambarella(R) Copyright (C) 2004-2014
Boot From: SPI NOR
SYS_CONFIG: 0x3000404B POC: 101
Cortex freq: 600000000
iDSP freq: 216000000
Dram freq: 528000000
Core freq: 216000000
AHB freq: 108000000
APB freq: 54000000
UART freq: 24000000
SD freq: 50000000
SDIO freq: 50000000
SDXC freq: 60000000
amboot>
s not a recognized command! Type 'help' for help...
amboot>
amboot>
amboot>
amboot> show netboot
eth0_mac: 00:01:02:01:02:03
eth0_ip: 192.168.1.22
eth0_mask: 255.255.255.0
eth0_gw: 0.0.0.0
eth1_mac: 00:00:00:00:00:00
eth1_ip: 0.0.0.0
eth1_mask: 0.0.0.0
eth1_gw: 0.0.0.0
auto_dl: 0
tftpd: 192.168.1.21
pri_addr: 0x00208000
pri_file: hs_mtdblock3
pri_comp: 0
rmd_addr: 0x00800000
rmd_file: cpio_2
rmd_comp: 0
dsp_addr: 0x00000000
dsp_file:
dsp_comp: 0
amboot> set rmd_file hroot_mainbody_1.gz
amboot>
amboot>
amboot>
amboot>
amboot>
amboot> tftp boot console=ttyS0 root=0x800000 init=/bin/busybox sh
downloading [hroot_mainbody_1.gz]:
........... got 3063594 bytes
downloading [hs_mtdblock3]:
...... got 1769472 bytes
Jumping to 0x00208000
cmdline: console=ttyS0 root=0x800000 init=/bin/busybox sh
cpux_jump: 0x00000000
initrd2_start: 0x00800000 initrd2_size: 0x002EBF2A
kernelp: 0x00200000 kernels: 0x07E00000
idspp: 0x08000000 idsps: 0x08000000
flspinor addr = 0x00200000, size = 0x00DF0000
flspinor addr = 0x00050000, size = 0x001B0000
flspinor addr = 0x00040000, size = 0x00010000
flspinor addr = 0x00010000, size = 0x00030000
flspinor addr = 0x00000000, size = 0x00010000
[ 0.000000] Booting Linux on physical CPU 0x0
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Linux version 3.10.73 (robot@dev-ubuntu-14) (gcc version 4.9.1 20140625 (prerelease) (crosstool-NG - Ambarella Linaro Multilib GCC [CortexA9 & ARMv6k] 2014.06) ) #6 PREEMPT Wed Nov 11 13:58:11 CST 2015
[ 0.000000] CPU: ARMv7 Processor [414fc091] revision 1 (ARMv7), cr=10c53c7d
[ 0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[ 0.000000] Machine: Ambarella S2L (Flattened Device Tree), model: Ambarella S2LM Kiwi Board
[ 0.000000] Memory policy: ECC disabled, Data cache writeback
[ 0.000000] Ambarella: AHB = 0xe0000000[0xe0000000],0x01000000 0
[ 0.000000] Ambarella: APB = 0xe8000000[0xe8000000],0x01000000 0
[ 0.000000] Ambarella: PPM = 0x00000000[0xdfe00000],0x00200000 9
[ 0.000000] Ambarella: AXI = 0xf0000000[0xf0000000],0x00030000 0
[ 0.000000] Ambarella: DRAMC = 0xdffe0000[0xef000000],0x00020000 0
[ 0.000000] Ambarella: DBGBUS = 0xec000000[0xec000000],0x00200000 0
[ 0.000000] Ambarella: DBGFMEM = 0xee000000[0xee000000],0x01000000 0
[ 0.000000] Ambarella: IAVMEM = 0x08000000[ ],0x08000000
[ 0.000000] CPU: All CPU(s) started in SVC mode.
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32004
[ 0.000000] Kernel command line: console=ttyS0 root=0x800000 init=/bin/busybox sh
[ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Memory: 126MB = 126MB total
[ 0.000000] Memory: 120492k/120492k available, 8532k reserved, 0K highmem