天启android5.1系统无法在非1650批次号的rk3288w芯片上启动
天启android5.1系统无法在非1650批次号的rk3288w芯片上启动
挂掉log,说明在rtc初始化后挂掉
[ 1.420240] ======== PULL WL_REG_ON(-1) HIGH! ======== [ 1.420246] [WLAN_RFKILL]: rockchip_wifi_power: 1 [ 1.420253] [WLAN_RFKILL]: rockchip_wifi_ref_voltage: 1 [ 1.420258] [WLAN_RFKILL]: rockchip_wifi_ref_voltage: wifi io reference voltage control is disabled. [ 1.420759] android_usb gadget: Mass Storage Function, version: 2009/09/11 [ 1.420768] android_usb gadget: Number of LUNs=2 [ 1.420776] lun0: LUN: removable file: (no medium) [ 1.420782] lun1: LUN: removable file: (no medium) [ 1.420924] android_usb gadget: android_usb ready [ 1.420991] sensor_init: Probe name sensors [ 1.421006] sensor-dev.c v1.4 add angle calculation support between two gsensors 2013-09-01 [ 1.421532] rtc_hym8563 0-0051: setting system clock to 2011-01-01 12:00:00 UTC (1293883200) [ 1.430593] u?
开发板正常log,说明在snd-usb-audio初始化前挂掉
[ 2.456978] sensor_init: Probe name sensors [ 2.456995] sensor-dev.c v1.4 add angle calculation support between two gsensors 2013-09-01 [ 2.457525] rtc_hym8563 0-0051: setting system clock to 2011-01-01 12:14:58 UTC (1293884098) [ 2.463556] rockchip-spdif-card rockchip-spdif-card.25: rk-hdmi-spdif-hifi <-> ff880000.rockchip-spdif mapping ok [ 2.464517] ret 1024 [ 2.464896] usbcore: registered new interface driver snd-usb-audio [ 2.464903] ALSA device list: [ 2.464908] #0: RK_ES8323 [ 2.464912] #1: RK-SPDIF-CARD
system.map
kernel 部分驱动启动顺序映射表
c0c11154 t __initcall_init7
c0c11158 t __initcall_sensor_init7
c0c1115c t __initcall_rtc_hctosys7
c0c11160 t __initcall_sync_debugfs_init7
c0c11164 t __initcall_clk_debug_init7
c0c11168 t __initcall_rockchip_headset_init7
c0c1116c t __initcall_rockchip_spdif_init7
c0c11170 t __initcall_tcp_congestion_default7
c0c11174 t __initcall_tcp_fastopen_init7
c0c11178 t __initcall_ip_auto_config7
c0c1117c t __initcall_drm_misc_init7s
c0c11180 t __initcall_clk_disable_unused7s
c0c11184 t __initcall_snd_usb_audio_init7s
c0c11188 t __initcall_alsa_sound_last_init7s
c0c1118c t __initcall_initialize_hashrnd7s
c0c11190 T __con_initcall_end
c0c11190 T __con_initcall_start
c0c11190 T __initcall_end
c0c11190 t __initcall_selinux_init
在rtc_hctosys与snd_usb_audio启动之间有以下驱动程序初始化
c0c11160 t __initcall_sync_debugfs_init7
c0c11164 t __initcall_clk_debug_init7
c0c11168 t __initcall_rockchip_headset_init7
c0c1116c t __initcall_rockchip_spdif_init7
c0c11170 t __initcall_tcp_congestion_default7
c0c11174 t __initcall_tcp_fastopen_init7
c0c11178 t __initcall_ip_auto_config7
c0c1117c t __initcall_drm_misc_init7s
c0c11180 t __initcall_clk_disable_unused7s
在这些驱动函数初始化中加入log调试
挂掉log:
[ 3.037934] sensor_init: Probe name sensors [ 3.037949] sensor-dev.c v1.4 add angle calculation support between two gsensors 2013-09-01 [ 3.038475] rtc_hym8563 0-0051: setting system clock to 2018-09-14 17:07:26 UTC (1536944846) [ 3.044644] rockchip-spdif-card rockchip-spdif-card.25: rk-hdmi-spdif-hifi <-> ff880000.rockchip-spdif mapping ok [ 3.044959] carroll : tcp_fastopen_init [ 3.044987] carroll : ip_auto_config u�
正常启动log为:
[ 2.456978] sensor_init: Probe name sensors [ 2.456995] sensor-dev.c v1.4 add angle calculation support between two gsensors 2013-09-01 [ 2.457525] rtc_hym8563 0-0051: setting system clock to 2011-01-01 12:14:58 UTC (1293884098) [ 2.463556] rockchip-spdif-card rockchip-spdif-card.25: rk-hdmi-spdif-hifi <-> ff880000.rockchip-spdif mapping ok [ 2.463889] carroll : tcp_fastopen_init [ 2.463917] carroll : ip_auto_config [ 2.464517] ret 1024 [ 2.464588] carroll : clk_disable_unused [ 2.464896] usbcore: registered new interface driver snd-usb-audio [ 2.464903] ALSA device list: [ 2.464908] #0: RK_ES8323 [ 2.464912] #1: RK-SPDIF-CARD
对比上述驱动初始化顺序表发现只剩下一个驱动初始化的嫌疑
c0c1117c t __initcall_drm_misc_init7s
查找drm_misc_init在整个SDK中 grep drm_misc_init -r firefly-rk3288_android5.1_git_20180126/*
firefly-rk3288_android5.1_git_20180126/android.iws: <find>drm_misc_init</find> Binary file firefly-rk3288_android5.1_git_20180126/kernel/.tmp_vmlinux2 matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/vmlinux matches firefly-rk3288_android5.1_git_20180126/kernel/System.map:c0be3a14 t drm_misc_init firefly-rk3288_android5.1_git_20180126/kernel/System.map:c0c1111c t __initcall_drm_misc_init7s Binary file firefly-rk3288_android5.1_git_20180126/kernel/pie/pie_stage1.o matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/pie/pie_stage2.o matches firefly-rk3288_android5.1_git_20180126/kernel/.tmp_System.map:c0be3a14 t drm_misc_init firefly-rk3288_android5.1_git_20180126/kernel/.tmp_System.map:c0c1111c t __initcall_drm_misc_init7s Binary file firefly-rk3288_android5.1_git_20180126/kernel/vmlinux.o matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtd matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/built-in.o matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtdrm.o matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/built-in.o matches
发现并没有drm_misc_init的函数,到此嫌疑只能推给这几个文件了
Binary file firefly-rk3288_android5.1_git_20180126/kernel/.tmp_vmlinux2 matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/vmlinux matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/pie/pie_stage1.o matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/pie/pie_stage2.o matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/vmlinux.o matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtd matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/built-in.o matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtdrm.o matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/built-in.o matches
根据名字可能再筛选出以下三个
Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtd matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtdrm.o matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/built-in.o matches
可能是这两个的原因
Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtd matches Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtdrm.o matches
调试发现firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/目录下的Makefile发现
删除此驱动模块编译注册 obj-y += virtdrm.o
产生编译错误
OBJCOPY pie/pie.bin OBJCOPY pie/pie.bin.o LD pie/built-in.o GEN .version CHK include/generated/compile.h UPD include/generated/compile.h CC init/version.o LD init/built-in.o drivers/built-in.o: In function `mmc_blk_shutdown': binder.c:(.text+0x338e90): undefined reference to `mmc_blk_emmc_remove' drivers/built-in.o: In function `mmc_blk_probe': binder.c:(.text+0x33ae28): undefined reference to `mmc_blk_emmc_add' drivers/built-in.o: In function `mmc_blk_remove': binder.c:(.text+0x33b270): undefined reference to `mmc_blk_emmc_remove' make: *** [vmlinux] Error 1 /work/rk3288/firefly-rk3288_android5.1_git_20180126 TARGET_PRODUCT=rk3288_box TARGET_HARDWARE=rk30board IMG_TARGET=all , ota = withoutkernel system filesysystem is ext4
然后分别屏蔽代码调用
编译成功并且跳过之前挂掉的地方,但是在内核启动完成后挂了 log
[ 2.446169] sensor_init: Probe name sensors [ 2.446183] sensor-dev.c v1.4 add angle calculation support between two gsensors 2013-09-01 [ 2.446709] rtc_hym8563 0-0051: setting system clock to 2011-01-01 13:52:53 UTC (1293889973) [ 2.452731] rockchip-spdif-card rockchip-spdif-card.25: rk-hdmi-spdif-hifi <-> ff880000.rockchip-spdif mapping ok [ 2.453062] carroll : tcp_fastopen_init [ 2.453091] carroll : ip_auto_config [ 2.453108] carroll : clk_disable_unused [ 2.453418] usbcore: registered new interface driver snd-usb-audio [ 2.453426] ALSA device list: [ 2.453430] #0: RK_ES8323 [ 2.453435] #1: RK-SPDIF-CARD
分析原因屏蔽掉的源码为添加emmc设备,屏蔽后添加失败,文件系统初始化不成功
[ 1.650105] 1358..dw_mci_set_ios: no card. [mmc1] [ 1.662562] mmc0: BKOPS_EN bit is not set [ 1.664435] rk_sdmmc: BOOT Bus speed=0Hz,Bus width=8bits.[mmc0] [ 1.666717] mmc_host mmc0: Bus speed (slot 0) = 100000000Hz (slot req 100000000Hz, actual 100000000HZ div = 0) [ 1.666742] rk_sdmmc: BOOT dw_mci_setup_bus: argue clk_mmc workaround out normal clock [mmc0] [ 1.666764] [mmc0] tuning regsbase addr 0x218. [ 1.667453] [mmc0] Data transmission error !!!! MINTSTS: [0x00000088] [ 1.667464] [mmc0] host was already tuning, Don't need to retry tune again ignore 0. [ 1.667492] dwmmc_rockchip ff0f0000.rksdmmc: Tuning error: cmd.error:0, data.error:-84 [ 1.667518] [mmc0] Data transmission error !!!! MINTSTS: [0x00000088] [ 1.667527] [mmc0] host was already tuning, Don't need to retry tune again ignore 0. [ 1.667554] dwmmc_rockchip ff0f0000.rksdmmc: Tuning error: cmd.error:-84, data.error:-115 [ 1.667580] [mmc0] Data transmission error !!!! MINTSTS: [0x00000088] [ 1.667589] [mmc0] host was already tuning, Don't need to retry tune again ignore 0. [ 1.667615] dwmmc_rockchip ff0f0000.rksdmmc: Tuning error: cmd.error:-84, data.error:-115 [ 1.667640] [mmc0] Data transmission error !!!! MINTSTS: [0x00000088] [ 1.667649] [mmc0] host was already tuning, Don't need to retry tune again ignore 0. [ 1.667676] dwmmc_rockchip ff0f0000.rksdmmc: Tuning error: cmd.error:0, data.error:-84 [ 1.667722] dwmmc_rockchip ff0f0000.rksdmmc: Good phase range 0-225 (21 len) [ 1.667733] dwmmc_rockchip ff0f0000.rksdmmc: Good phase range 282-282 (1 len) [ 1.667744] dwmmc_rockchip ff0f0000.rksdmmc: Best phase range 0-225 (21 len) [ 1.667754] dwmmc_rockchip ff0f0000.rksdmmc: Successfully tuned phase to 113 [ 1.667796] mmc0: new HS200 MMC card at address 0001 [ 1.668069] mmcblk0: mmc0:0001 AJNB4R 14.5 GiB [ 1.668202] mmcblk0rpmb: mmc0:0001 AJNB4R partition 3 4.00 MiB [ 1.668519] uboot: 0x000400000 -- 0x000800000 (4 MB) [ 1.668530] misc: 0x000800000 -- 0x000c00000 (4 MB) [ 1.668539] resource: 0x000c00000 -- 0x001c00000 (16 MB) [ 1.668548] kernel: 0x001c00000 -- 0x002c00000 (16 MB) [ 1.668557] boot: 0x002c00000 -- 0x004c00000 (32 MB) [ 1.668566] recovery: 0x004c00000 -- 0x006c00000 (32 MB) [ 1.668574] backup: 0x006c00000 -- 0x00a000000 (52 MB) [ 1.668583] cache: 0x00a000000 -- 0x012000000 (128 MB) [ 1.668591] kpanic: 0x012000000 -- 0x012400000 (4 MB) [ 1.668599] system: 0x012400000 -- 0x072400000 (1536 MB) [ 1.668608] metadata: 0x072400000 -- 0x073400000 (16 MB) [ 1.668616] baseparamer: 0x073400000 -- 0x073800000 (4 MB) [ 1.668625] userdata: 0x077800000 -- 0x3a3a00000 (12994 MB) [ 1.668653] mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10 p11 p12 p13[ 1.669832] dwmmc_rockchip ff0c0000.rksdmmc: DW MMC controller ao [ 1.669848] dwmmc_rockchip ff0c0000.rksdmmc: 1 slots initialized [ 1.670158] dw cru_regsbase addr 0x1d8. [ 1.670168] dw cru_reset_offset val 1. [ 1.670179] dwmmc_rockchip ff0d0000.rksdmmc: Version ID is 270a [ 1.670218] dwmmc_rockchip ff0d0000.rksdmmc: failed to get hpclk_mmc [ 1.670473] dwmmc_rockchip ff0d0000.rksdmmc: Using internal DMA controller. [ 1.670605] dw_mci_init_slot: fmin=200000, fmax=50000000 [mmc2] [ 1.670851] 1358..dw_mci_set_ios: no card. [mmc2] ------------------------------------------------------------------------------------------ [ 1.670945] carroll : mmc_blk_probe mmc_blk_emmc_add ------------------------------------------------------------------------------------------ [ 1.670992] 1358..dw_mci_set_ios: no card. [mmc1] [ 1.689476] 1358..dw_mci_set_ios: no card. [mmc2] [ 1.709161] 1358..dw_mci_set_ios: no card. [mmc2] [ 1.709185] dwmmc_rockchip ff0d0000.rksdmmc: DW MMC controller at irq 65, 32 bit host data width, 256 deep fifo [ 1.709198] dwmmc_rockchip ff0d0000.rksdmmc: 1 slots initialized
说明这里不能删除只能做修改兼容其他批次cpu
再次把问题锁定文件,下边几个文件好像是天启android5.1特供的,就是这个东西让内核挂掉的,天启android4.4以及荣品都能正常开机,并且源码中也无下属文件
firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtdrm.o文件
firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtd
firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtdrm.mod.c
firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/.virtdrm.o.cmd
天启2017年07-21添加kernel->driver:fix queue file,才添加的这几个文件
https://bitbucket.org/T-Firefly/firenow-lollipop/commits/bd3833f7c215b3f907464866510412ae505d2e73
最终将问题锁定在编译产生的二进制文件firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtd
下节尝试逆向分析