UWE Linux Boot Camp 2007: Hacking embedded Linux on the cheap
Slides from a talk at the first ever UWE Linux Boot Camp in 2007, about getting started playing around with embedded Linux on a budget. The example system used is the Mattel Juicebox.


  1. Hacking embedded Linux on the cheap, with an example system
     Ed Langley
  2. Introduction to the target system
     ● Mattel Juicebox
       – Children's video and MP3 player
       – Only plays video from OTP ROM cartridges
         ● Proprietary player and format
         ● Low compression
         ● No OS
       – Plays MP3s from MMC socket cartridge
         ● Running uClinux
  3. Target system specification
     ● Samsung S3C44B0X microcontroller
       – ARM7TDMI core
       – 8KB cache/SRAM
       – 2 channel UART
       – 2 channel DMA
       – 1 channel I2C
       – 5 channel PWM
       – 8 channel 10 bit ADC
       – RTC with calendar
       – 71 input/output pins
       – LCD controller with 1 dedicated DMA channel
     ● 2MB SDRAM
     ● 8MB ROM
     ● Audio: Cirrus Logic CS43L43
     ● LCD: 2.7 inch color 240x160
     ● JTAG: pads on the PCB left behind in production boards
     ● As are the serial port Tx/Rx lines
  4. Picking your own target system
     ● Traditional industry method:
       – Price vs package size vs power consumption
       – All of the above vs features:
         ● Speed
         ● Number of external interrupts
         ● Supported memory range
         ● Memory management
         ● Number of GPIO pins
         ● Assemblers/compilers/programming languages supported
         ● Operating systems supported
  5. Picking your own target system
     ● "On a shoestring" method
       – Take what you can get
       – Mass produced gadget/appliance
       – Contains a CPU with an architecture supported by Linux
     ● How much work/research/porting/hacking do you want to do yourself?
       – E.g. low budget:
         ● PDAs, MP4 video players (from China off eBay for £20)
         ● Older games consoles (Dreamcast, PS2, GameCube)
       – E.g. higher budget:
         ● Handheld games consoles (PSP, GP2X)
         ● Set top boxes/routers (Dreambox, Linksys routers)
  6. Get your build environment together
     ● Toolchain
       – GCC
       – Binutils (ar, as, ld, objdump, objcopy, readelf)
       – Debugger
         ● If the target system has in-circuit debugging ability
         ● GDB
         ● Interface from GDB to target
           – OpenOCD for JTAG, BDM patches for Freescale MCUs
     ● The above will have an "arch-binaryformat-" prefix
       – E.g. arm-elf-gcc, m68k-linux-objdump
  7. Test the toolchain
     ● If the system doesn't come with Linux on it already, it is best to start with some bare board code
       – C run time (assembly code to prepare the CPU configuration and stack to run C code, then call main())
       – Linker script
         ● Tells the code what memory address it will be running from, so that calls and absolute data references are linked to the correct addresses
       – Makefile
         ● Sets the compile/link commands to use the cross compiling toolchain, and passes the linker script to the linker
  8. Memory management
     ● Process memory map on a typical Linux system with an MMU (diagram; labels recovered from the slide):
       – User space from 0x00000000: .text, .data, .bss, dynamic memory
       – 0x40000000 region, then the stack, below 0xC0000000
       – Kernel from 0xC0000000: kernel .text, kernel .data, kernel .bss, kernel dynamic memory, hardware access ranges
       – Kernel virtual addresses reach physical memory through the page table (linear mapping)
  9. Memory Management
     ● Process memory map is created by the default linker script, included with the toolchain
     ● When building "bare board" code, or an operating system kernel, you need to specify a custom linker script
     ● The script specifies where code is in the output file (ELF) and what address it will be at when the MMU is enabled and page tables configured
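The two slides above describe what a bare-board linker script has to do; here is a minimal one for an ARM7TDMI part such as the S3C44B0X, written as an added example rather than taken from the talk. The memory addresses are assumptions (boot ROM/flash on the chip-select the CPU fetches from at reset, mapped at 0x00000000 and 8MB long; SDRAM at 0x0C000000 and 2MB long) and must be checked against the S3C44B0X memory map and the actual board. The symbol names `_sidata`, `_sdata`, `_edata`, `_sbss`, `_ebss` and `_stack_top` are this example's own, not a convention the slides name.

```ld
/* Added example, not from the talk: bare-board linker script for an
 * ARM7TDMI target. ORIGIN/LENGTH values are assumptions for the board. */
ENTRY(_start)

MEMORY
{
    rom (rx)  : ORIGIN = 0x00000000, LENGTH = 8M   /* boot ROM/flash, assumed */
    ram (rwx) : ORIGIN = 0x0C000000, LENGTH = 2M   /* SDRAM, assumed */
}

SECTIONS
{
    /* Reset vector and crt0 must come first: the CPU fetches from 0x0 at reset. */
    .text :
    {
        KEEP(*(.vectors))
        *(.text*)
        *(.rodata*)
        . = ALIGN(4);
        _etext = .;
    } > rom

    /* .data runs from RAM (VMA) but is stored in ROM (LMA); crt0 copies
       _sidata.. into _sdata.._edata before calling main(). */
    .data :
    {
        _sdata = .;
        *(.data*)
        . = ALIGN(4);
        _edata = .;
    } > ram AT > rom
    _sidata = LOADADDR(.data);

    /* .bss occupies RAM only; crt0 zeroes _sbss.._ebss. */
    .bss (NOLOAD) :
    {
        _sbss = .;
        *(.bss*)
        *(COMMON)
        . = ALIGN(4);
        _ebss = .;
    } > ram

    /* Full descending stack starting at the top of SDRAM. */
    _stack_top = ORIGIN(ram) + LENGTH(ram);
}
```

The C run time the slide mentions then has four jobs that this script makes possible: load `sp` from `_stack_top`, copy `_edata - _sdata` bytes from `_sidata` to `_sdata`, zero `_sbss` to `_ebss`, and branch to `main()`. The script is passed to the cross linker with `-T` (for example `arm-elf-gcc -nostdlib -T board.ld ...`); if the `.data` copy is skipped, initialised globals read as whatever the SDRAM held at power-up, which is the classic symptom of a linker script and crt0 that disagree about LMA versus VMA.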
  10. Lack of memory management
     ● Low end microcontrollers often don't have memory management units
       – Less complexity in silicon
         ● Cheaper
         ● Lower power consumption
     ● Simpler for writing bare board software from scratch
     ● Not so easy for running Linux
       – No virtual memory addresses
         ● Processes can't all have the same memory map
         ● Can't "grow" the process address space with sbrk()
  11. Lack of memory management
     ● Solution: uClinux
       – All processes loaded at different physical addresses
         ● New binary format (FLAT) to handle this
       – Different memory allocator
         ● No brk()/sbrk() system call
         ● Power-of-2 allocator
       – No fork() system call
         ● Can't duplicate the process memory map because physical addresses must all be different
         ● Forces application modification to use vfork()
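The last point is the one that bites when porting applications, so here is the vfork() spawn pattern uClinux requires, as an added example rather than code from the talk. It also builds and runs on an ordinary Linux host, where vfork() carries the same restrictions. The commands it runs (`/bin/sh -c 'exit 3'` and a deliberately missing path) are constructed for the demo; `/bin/sh` is assumed to exist.

```c
/* Added example (not code from the talk): the fork()-to-vfork() rewrite
 * uClinux forces on a no-MMU target. Runs on a normal Linux host too. */
#define _GNU_SOURCE 1
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* With fork() the child owns a copy of the address space and may do
 * arbitrary work before exec(). Without an MMU there is no copy, so
 * uClinux has no fork(): the child of vfork() runs in the parent's
 * address space while the parent is suspended, until it calls execv()
 * or _exit(). Therefore the child must:
 *  - touch no memory the parent relies on (no stdio, no malloc, no
 *    writes to this function's locals)
 *  - never return from run_command()
 *  - use _exit(), not exit(): exit() would run the parent's atexit()
 *    handlers and flush the parent's stdio buffers from the shared space
 * Returns the child's exit status, 127 if exec failed, -1 on error. */
int run_command(char *const argv[])
{
    int status;
    pid_t pid = vfork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);   /* only returns on failure */
        _exit(127);             /* same convention as the shell */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed commands for the demo. */
int demo_exit_code(void)
{
    char *argv[] = { "/bin/sh", "-c", "exit 3", NULL };
    return run_command(argv);
}

int demo_missing_binary(void)
{
    char *argv[] = { "/nonexistent/program", NULL };
    return run_command(argv);
}

int main(void)
{
    printf("sh -c 'exit 3' -> %d, missing binary -> %d\n",
           demo_exit_code(), demo_missing_binary());
    return 0;
}
```

Anything a fork()-based program used to do in the child before exec (changing directory, redirecting descriptors, resetting signals) has to be re-examined: plain system calls such as dup2() are commonly kept in the vfork() child on uClinux, but anything that writes memory the parent later reads, or that returns from the enclosing function, corrupts the parent.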
  12. Benefits of no MMU
     ● Cheaper development tool setup
       – Was developing a Linux driver on a v4 ColdFire board (with MMU) at work
       – Tried to debug the kernel with m68k-linux-bdm-gdb
       – GDB has no concept of virtual addresses
         ● Written to debug user mode processes
       – As soon as GDB tried to read a kernel variable at a virtual address: bus error
         ● Wasn't translating the virtual address to a physical address
       – Never had a problem on the previous board (with no MMU) because virtual address = physical address
  13. Benefits of no MMU
     ● Used one of these: Lauterbach Trace32
     ● Could have used KGDB
       – Architecture specific code needs porting
  14. Getting the code onto the target
     ● Plug and pray
       – Can take a few goes to get right
       – Becomes tiresome when trying out changes
     ● Program the flash/RAM in the target
       – Requires either:
         ● Boot loader/monitor preprogrammed into boot ROM
           – Not likely on a retail product
         ● Debug interface hardware and connector on the target
           – This can be very slow with a cheaper debug interface
           – Very, very slow for programming flash in the target
  15. Getting code onto the Juicebox
     ● The S3C44B0X has a JTAG interface; connector pads are present on the JB board
  16. Joint Test Action Group overview
     ● Serial data In, Out and Clock lines (TDI, TDO, TCK) allow data bits to be clocked in and out of the Test Access Port (TAP) on the device
     ● TMS controls the state machine in the TAP
     ● Devices may be chained:
  17. Joint Test Action Group overview
     ● Serial bits clocked in control the device pins through a path of cells known as the Boundary Scan Register:
  18. Joint Test Action Group overview
     ● Toggling the TMS signal cycles the TAP through a state machine
     ● This allows the device pins to be set to the data clocked in via TDI
     ● Or to capture the device pin state and clock it out via TDO
     ● Control of the pins on the device gives control of the device itself, and of the RAM/flash connected to the device
     ● So JTAG can be used to program memory in the target
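Slides 16 to 18 describe the TAP state machine in words; the following added example (not code from the talk) shows what "toggling TMS cycles the TAP" looks like from the host side: the 16-state IEEE 1149.1 controller as a lookup table, and a host routine that forces Test-Logic-Reset, walks to Shift-DR and clocks the 32-bit IDCODE out on TDO. Because there is no hardware here, the device end is a simulated TAP; on a real Wiggler the `mock_clock()` call is where the host would set TCK, TMS and TDI on the parallel port data lines and read TDO back from a status line, and that pin mapping is specific to the cable. The IDCODE value 0x1234F00D is constructed for the demo and is not the S3C44B0X's.

```c
/* Added example (not code from the talk): JTAG TAP sequencing against a
 * simulated 1149.1 device. The IDCODE is a constructed value. */
#include <stdint.h>
#include <stdio.h>

/* The 16 TAP controller states. */
enum tap_state {
    TEST_LOGIC_RESET, RUN_TEST_IDLE,
    SELECT_DR_SCAN, CAPTURE_DR, SHIFT_DR, EXIT1_DR, PAUSE_DR, EXIT2_DR, UPDATE_DR,
    SELECT_IR_SCAN, CAPTURE_IR, SHIFT_IR, EXIT1_IR, PAUSE_IR, EXIT2_IR, UPDATE_IR
};

/* tap_table[state][tms]: the 1149.1 state diagram as a table. Only the
 * TMS value sampled on the rising edge of TCK decides the next state. */
static const enum tap_state tap_table[16][2] = {
    [TEST_LOGIC_RESET] = { RUN_TEST_IDLE, TEST_LOGIC_RESET },
    [RUN_TEST_IDLE]    = { RUN_TEST_IDLE, SELECT_DR_SCAN },
    [SELECT_DR_SCAN]   = { CAPTURE_DR,    SELECT_IR_SCAN },
    [CAPTURE_DR]       = { SHIFT_DR,      EXIT1_DR },
    [SHIFT_DR]         = { SHIFT_DR,      EXIT1_DR },
    [EXIT1_DR]         = { PAUSE_DR,      UPDATE_DR },
    [PAUSE_DR]         = { PAUSE_DR,      EXIT2_DR },
    [EXIT2_DR]         = { SHIFT_DR,      UPDATE_DR },
    [UPDATE_DR]        = { RUN_TEST_IDLE, SELECT_DR_SCAN },
    [SELECT_IR_SCAN]   = { CAPTURE_IR,    TEST_LOGIC_RESET },
    [CAPTURE_IR]       = { SHIFT_IR,      EXIT1_IR },
    [SHIFT_IR]         = { SHIFT_IR,      EXIT1_IR },
    [EXIT1_IR]         = { PAUSE_IR,      UPDATE_IR },
    [PAUSE_IR]         = { PAUSE_IR,      EXIT2_IR },
    [EXIT2_IR]         = { SHIFT_IR,      UPDATE_IR },
    [UPDATE_IR]        = { RUN_TEST_IDLE, SELECT_DR_SCAN },
};

enum tap_state tap_next(enum tap_state s, int tms) { return tap_table[s][tms & 1]; }

/* Simulated target: one TAP whose instruction register selects the
 * 32-bit IDCODE data register after Test-Logic-Reset. */
struct mock_tap {
    enum tap_state state;
    uint32_t idcode;   /* constructed value for the demo */
    uint32_t sr;       /* data register shift path */
};

/* One TCK cycle: return the TDO bit the device presents, then apply the
 * edge (capture in Capture-DR, shift in Shift-DR) and advance on TMS.
 * On real hardware this is the parallel-port bit-bang of TCK/TMS/TDI/TDO. */
static int mock_clock(struct mock_tap *d, int tms, int tdi)
{
    int tdo = (d->state == SHIFT_DR) ? (int)(d->sr & 1u) : 0;
    if (d->state == CAPTURE_DR)
        d->sr = d->idcode;
    else if (d->state == SHIFT_DR)
        d->sr = (d->sr >> 1) | ((uint32_t)(tdi & 1) << 31);
    d->state = tap_next(d->state, tms);
    return tdo;
}

/* Walk the state machine with a string of TMS bits, TDI held low. */
static void tap_walk(struct mock_tap *d, const char *tms_bits)
{
    for (; *tms_bits; tms_bits++)
        mock_clock(d, *tms_bits == '1', 0);
}

/* Read IDCODE: reset, go to Shift-DR, shift 32 bits out LSB first,
 * then Exit1-DR -> Update-DR -> Run-Test/Idle. */
uint32_t jtag_read_idcode(struct mock_tap *d)
{
    tap_walk(d, "11111");   /* five TMS=1 clocks reach Test-Logic-Reset from any state */
    tap_walk(d, "0");       /* -> Run-Test/Idle */
    tap_walk(d, "100");     /* -> Select-DR-Scan -> Capture-DR -> Shift-DR (captures IDCODE) */
    uint32_t id = 0;
    for (int i = 0; i < 32; i++)
        id |= (uint32_t)mock_clock(d, i == 31, 0) << i;   /* TMS=1 on the last bit */
    tap_walk(d, "10");      /* Exit1-DR -> Update-DR -> Run-Test/Idle */
    return id;
}

/* Demo device, started in an arbitrary state to show the reset recovers it. */
static struct mock_tap demo_device(void)
{
    struct mock_tap d = { .state = PAUSE_IR, .idcode = 0x1234F00Du, .sr = 0 };
    return d;
}

uint32_t demo_read_idcode(void) { struct mock_tap d = demo_device(); return jtag_read_idcode(&d); }
enum tap_state demo_final_state(void) { struct mock_tap d = demo_device(); jtag_read_idcode(&d); return d.state; }

int main(void)
{
    printf("IDCODE = 0x%08X, TAP left in state %d\n",
           (unsigned)demo_read_idcode(), (int)demo_final_state());
    return 0;
}
```

Reading IDCODE is the first thing to try on a new target because it needs no knowledge of the device beyond the standard: if the reset sequence and a DR scan return all ones, all zeros, or garbage, the problem is wiring, the cable, or port access rather than the software above it, which is exactly the bottom-up debugging order the later slides describe.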
  19. The JTAG Wiggler
     ● Macraigor is a company making hardware and software for embedded development
     ● They created the standard "Wiggler" design for connecting a PC to a target via JTAG:
  20. The JTAG Wiggler
     ● Everyone soon realised the Wiggler is just a buffer chip on the end of a parallel cable
     ● Olimex clone:
  21. The JTAG Wiggler
     ● Home made version:
  22. It doesn't work, now what?
     ● Systematic approach
     ● Start at one end (i.e. bottom of the hardware / top of the software) and work to the other
     ● The JTAG connection to the Juicebox wouldn't work
       – Started with the software
         ● Check permissions: retry as root
         ● Check the parport_pc kernel module is not loaded; it interferes with direct port access
       – Then moved down to the parallel port setup in the BIOS
  23. Juicebox JTAG not working
     ● Then checked the cable was wired correctly: ensure the board schematic is drawn with the same connector gender as actually used
     ● Then checked the schematic:
  24. Juicebox JTAG not working
     ● Result: schematic incorrect
     ● Amendments made to the website where I copied it from 5 days later
     ● Used that schematic because it was in EagleCAD format
     ● Moral of the story
       – The less work you do yourself, the more susceptible you are to mistakes made by others doing the work for you
  25. Getting Linux running on a target system
     ● Retail gadgets
       – Usually some kind of kludge/hack to get your own code running
       – Boot loader often runs a checksum calculation over a range of the code
       – Games consoles/handhelds
         ● Generally require a massive exploit to be found before any progress is made
  26. Getting uClinux running on the Juicebox
     ● Can run home brew code relatively easily
       – Can download a binary to RAM/flash using Jtager
       – Can download an ELF using GDB+OpenOCD
     ● Running code from a fresh boot, not so easy
       – Need to steal the first 512 bytes from a "Juiceware" video cartridge and patch with some hex to add a branch instruction to the custom code
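The "patch with some hex to add a branch instruction" step is worth making concrete, so the following added example (not code from the talk) encodes and decodes the ARM `B` instruction and patches it into a copy of the header. The header contents (all 0xFF), its run address (0x00000000, where the S3C44B0X fetches from at reset), the custom-code address 0x00100000 inside the 8MB ROM and the SDRAM base 0x0C000000 are all assumptions for the demo, and the board is assumed to run little-endian; the slide does not say where in the 512 bytes the branch goes. It also handles the edge case the slide glosses over: a plain `B` only reaches +-32MB, so a jump from ROM at 0x0 straight into SDRAM has to use `ldr pc, [pc, #-4]` with the absolute address as a literal instead.

```c
/* Added example (not code from the talk): ARM branch encoding for a
 * patched cartridge header. Addresses and header bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define B_UNREACHABLE 0u            /* never a valid B encoding (top byte is 0xEA) */
#define NOT_A_BRANCH  0xFFFFFFFFu   /* never a valid word-aligned target */

/* ARM 'B target': cond=AL (0xE), opcode 0b1010, then a 24-bit signed
 * word offset relative to PC+8 (the pipeline offset the ARM7TDMI exposes).
 * Returns B_UNREACHABLE if either address is misaligned or the target is
 * outside the +-32MB range. */
uint32_t arm_encode_b(uint32_t from, uint32_t to)
{
    if ((from | to) & 3u)
        return B_UNREACHABLE;
    int64_t words = ((int64_t)to - ((int64_t)from + 8)) / 4;
    if (words < -(1 << 23) || words > (1 << 23) - 1)
        return B_UNREACHABLE;
    return 0xEA000000u | ((uint32_t)words & 0x00FFFFFFu);
}

/* Inverse, for checking what was patched: the target of a B at address pc. */
uint32_t arm_decode_b(uint32_t pc, uint32_t insn)
{
    if ((insn & 0xFF000000u) != 0xEA000000u)
        return NOT_A_BRANCH;
    int32_t imm = (int32_t)(insn & 0x00FFFFFFu);
    if (imm & 0x00800000)
        imm -= 0x01000000;          /* sign-extend the 24-bit field */
    return (uint32_t)((int64_t)pc + 8 + (int64_t)imm * 4);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Write a jump to 'target' at address 'at'. Uses B when in range, else
 * "ldr pc, [pc, #-4]" (0xE51FF004) followed by the absolute address: at
 * that instruction PC reads as at+8, so PC-4 is the literal word after it.
 * Returns the number of bytes written (4 or 8). */
size_t emit_jump(uint8_t *out, uint32_t at, uint32_t target)
{
    uint32_t b = arm_encode_b(at, target);
    if (b != B_UNREACHABLE) {
        put_le32(out, b);
        return 4;
    }
    put_le32(out, 0xE51FF004u);
    put_le32(out + 4, target);
    return 8;
}

/* Demo: constructed 512-byte header (all 0xFF, standing in for the bytes
 * copied from a cartridge) gets word 0 replaced with a branch from the
 * assumed run address 0x0 to assumed custom code at 0x00100000. */
uint32_t demo_patch_header(void)
{
    uint8_t header[512];
    memset(header, 0xFF, sizeof header);
    emit_jump(header, 0x00000000u, 0x00100000u);
    return get_le32(header);
}

/* Demo: ROM at 0x0 to the assumed SDRAM base is 192MB away, beyond B's reach. */
size_t demo_far_jump_len(void)
{
    uint8_t buf[8];
    return emit_jump(buf, 0x00000000u, 0x0C000000u);
}

int main(void)
{
    printf("header word 0: 0x%08X\n", (unsigned)demo_patch_header());
    printf("jump into SDRAM needs %u bytes\n", (unsigned)demo_far_jump_len());
    return 0;
}
```

Two checks before burning anything: decode the patched word back and confirm it lands on the custom code, and remember the previous slide's point that the boot loader may checksum a range of the cartridge, so a patched header also has to survive whatever check covers those 512 bytes.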
  27. Getting uClinux running on the Juicebox
     ● Not actually done this yet
     ● Have built a "cartridge" to interface some programmable NAND flash to the S3C44B0X:
  28. Getting uClinux running on the Juicebox
     ● Downloading even a minimal kernel to RAM or flash over JTAG takes forever
       – Have built the kernel to run from RAM as configured by Emsoft
       – Will write this to flash once
     ● Currently crafting a boot loader to prepare the CPU, then dump the kernel from flash to RAM and run it