ViaSat rm4100 uart identification
Published:
This is part of a series on reversing the ViaSat rm4100 satellite modem.
Hardware
In our first look at the board we see this device
A little google searching gives us the following information.
Lets probe out the board with a scope and a straight pin on the vias.
Because we found the TX pin we can map out the location of RX using the signal map. Holding pins against the board isn’t really a great idea long term, these vias are pretty small but we can use some 30ga wire wrap wire AKA “product enhancement wire” and some hot glue for strain relief.
Now that we have an easy interface we can start exploring this interface with a 3.3v USB UART dongle or Jtagulator.
Boot Messages
UT_BOOT v1.2.4 (Build time: Nov 24 2010 - 10:25:58) (Based on U-Boot 1.1.1)
CN3010_LF_P1 board revision major:1, minor:0, serial #: unknown
OCTEON CN5020-SCP pass 1.1, Core clock: 300 MHz, DDR clock: 300 MHz (600 Mhz data rate)
DRAM: 256 MB
Clearing DRAM...... done
Flash: 32 MB
BIST check passed.
Net: octeth0, octeth1, octeth2
Hit any key to stop autoboot: 0
Starting RAM Test...
Pattern AAAAAAAA Writing... Reading... Pass
Pattern 55555555 Writing... Reading... Pass
RAM Test = Pass
Booting Software Image 1
argv[2]: coremask=3
argv[3]: console=NULL
argv[4]: mem=268435456
Software CRC Check = Pass
Uncompressing 0xd3ec49@0xaa00014 to 0x10ef898@0xc600000
ELF file is 64 bit
Attempting to allocate memory for ELF segment: addr: 0xffffffff80100000 (adjusted to: 0x0000000000100000), size 0x11b4bf0
Allocated memory for ELF segment: addr: 0xffffffff80100000, size 0x11b4bf0
Processing PHDR 0
Loading 10ee200 bytes at ffffffff80100000
Clearing c69f0 bytes at ffffffff811ee200
## Loading Linux kernel with entry point: 0xffffffff8052b710 ...
Bootloader: Done loading app on coremask: 0x3
Linux version 3.10.20-rt14 (jperhach@vcalfutd03) (gcc version 4.7.0 (Cavium Inc. Version: SDK_3_1_0 build 32) ) #2 SMP PREEMPT Wed May 18 14:18:35 PDT 2016
CVMSEG size: 2 cache lines (256 bytes)
Cavium Inc. SDK-3.1
bootconsole [early0] enabled
CPU revision is: 000d0601 (Cavium Octeon+)
Checking for the multiply/shift bug... no.
Checking for the daddiu bug... no.
Determined physical RAM map:
memory: 0000000006000000 @ 0000000001e00000 (usable)
memory: 0000000007c00000 @ 0000000008000000 (usable)
memory: 0000000000618000 @ 0000000000100000 (usable)
memory: 0000000000ad8000 @ 0000000000718000 (usable after init)
Wasting 14336 bytes for tracking 256 unused pages
Initrd not found or empty - disabling initrd
Using LF P1 Device Tree <ffffffff80754740> DTB size 7305.
Copying FDT from fdt<ffffffff80754740> to initial_boot_params<8000000001e02000>
Storing fdt addr as: 0x1e02000
Using internal Device Tree.
software IO TLB [mem 0x0218b000-0x021cb000] (0MB) mapped at [800000000218b000-80000000021cafff]
Zone ranges:
DMA32 [mem 0x00100000-0xefffffff]
Normal empty
Movable zone start for each node
Early memory node ranges
node 0: [mem 0x00100000-0x011effff]
node 0: [mem 0x01e00000-0x07dfffff]
node 0: [mem 0x08000000-0x0fbfffff]
Primary instruction cache 32kB, virtually tagged, 4 way, 64 sets, linesize 128 bytes.
Primary data cache 16kB, 64-way, 2 sets, linesize 128 bytes.
Secondary unified cache 128kB, 8-way, 128 sets, linesize 128 bytes.
PERCPU: Embedded 11 pages/cpu @80000000021d9000 s12800 r8192 d24064 u45056
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 59777
Kernel command line: bootoctlinux aa00000 coremask=3 console=NULL mtdparts=phys_mapped_flash:512k(uboot),14m(SWImage0),14m(SWImage1),128k(certs),3328k(jffs2),-(root)
PID hash table entries: 1024 (order: 1, 8192 bytes)
Dentry cache hash table entries: 32768 (order: 7, 524288 bytes)
Inode-cache hash table entries: 16384 (order: 5, 131072 bytes)
Memory: 220608k/242624k available (4322k kernel code, 22016k reserved, 1915k data, 11104k init, 0k highmem)
SLUB: HWalign=128, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
Preemptible hierarchical RCU implementation.
[8CRCU debugfs-based tracing is enabled.
[8CRCU restricting CPUs from NR_CPUS=16 to nr_cpu_ids=2.
NR_IRQS:255
Calibrating delay loop (skipped) preset value.. 600.00 BogoMIPS (lpj=3000000)
pid_max: default: 32768 minimum: 501
Mount-cache hash table entries: 256
Checking for the daddi bug... no.
Performance counters: octeon PMU enabled, 2 64-bit counters available to each CPU, irq 7
SMP: Booting CPU01 (CoreId 1)...
CPU revision is: 000d0601 (Cavium Octeon+)
Brought up 2 CPUs
NET: Registered protocol family 16
Installing handlers for error tree at: ffffffff806b2cb0
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
EDAC MC: Ver: 3.0.0
Switching to clocksource OCTEON_CVMCOUNT
NET: Registered protocol family 2
TCP established hash table entries: 2048 (order: 3, 32768 bytes)
TCP bind hash table entries: 2048 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP: reno registered
UDP hash table entries: 256 (order: 1, 8192 bytes)
UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
NET: Registered protocol family 1
octeon_pci_console: Console not created.
/proc/octeon_perf: Octeon performance counter interface loaded
NTFS driver 2.1.30 [Flags: R/O].
jffs2: version 2.2. (NAND)
2001-2006 Red Hat, Inc.
msgmni has been set to 430
alg: No test for stdrng (krng)
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
io scheduler noop registered
io scheduler cfq registered (default)
octeon_gpio 1070000000800.gpio-controller: octeon gpio register base 8001070000000800
octeon_gpio 1070000000800.gpio-controller: OCTEON GPIO
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
1180000000800.serial: ttyS0 at MMIO 0x1180000000800 (irq = 34) is a OCTEON
1180000000c00.serial: ttyS1 at MMIO 0x1180000000c00 (irq = 35) is a OCTEON
brd: module loaded
loop: module loaded
slram: not enough parameters.
spi-octeon 1070000001000.spi: octeon spi register base 8001070000001000
octeon_spi_setup cs 0 speed 16000000 mode 00000003 bpw 8 irq 0 cs-gpio 14
SPI: (2) Set TX for chipselect 0 gpio 14
octeon_spi_setup cs 1 speed 16000000 mode 00000003 bpw 8 irq 0 cs-gpio 15
SPI: (2) Set TX for chipselect 1 gpio 15
octeon_spi_setup cs 2 speed 2000000 mode 00000001 bpw 8 irq 0 cs-gpio 16
SPI: (2) Set TX for chipselect 2 gpio 16
octeon_spi_setup cs 3 speed 16000000 mode 00000003 bpw 8 irq 0 cs-gpio 17
SPI: (2) Set TX for chipselect 3 gpio 17
spi-octeon 1070000001000.spi: OCTEON SPI bus driver
mdio-octeon 1180000001800.mdio: octeon mdio register base 8001180000001800
libphy: mdio-octeon: probed
mdio-octeon 1180000001800.mdio: Version 1.0
octeon-ethernet 2.0
Memory range 8000000001400000 - 8000000001990fff reserved for hardware
Memory range 8000000001991000 - 80000000019dbfff reserved for hardware
Memory range 80000000019dc000 - 8000000001a5bfff reserved for hardware
Memory range 8000000001a5c000 - 8000000001a9bfff reserved for hardware
Memory range 8000000001a9c000 - 8000000001ccbfff reserved for hardware
Interface 0 has 3 ports (RGMII)
octeon_mgmt 1070000100000.ethernet: Version 2.0
Octeon POW only ethernet driver
Waiting for another core to setup the IPD hardware...Done
POW acquired message handle 16
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ehci-platform: EHCI generic platform driver
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
OcteonUSB 16f0010000000.usbc: Octeon Host Controller
OcteonUSB 16f0010000000.usbc: new USB bus registered, assigned bus number 1
OcteonUSB 16f0010000000.usbc: irq 56, io mem 0x00000000
usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb1: Product: Octeon Host Controller
usb usb1: Manufacturer: Linux 3.10.20-rt14 Octeon USB
usb usb1: SerialNumber: 16f0010000000.usbc
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
OcteonUSB: Registered HCD for port 0 on irq 56
usbcore: registered new interface driver usb-storage
i2c /dev entries driver
i2c-octeon 1180000001000.i2c: version 2.5
octeon_wdt: Initial granularity 5 Sec
watchdog: Software Watchdog: cannot register miscdev on minor=130 (err=-16).
watchdog: Software Watchdog: a legacy watchdog module is probably present.
softdog: Software Watchdog Timer: 0.08 initialized. soft_noboot=0 soft_margin=60 sec soft_panic=0 (nowayout=0)
device-mapper: ioctl: 4.24.0-ioctl (2013-01-15) initialised: dm-devel@redhat.com
EDAC DEVICE0: Giving out device to module 'octeon-cpu' controller 'cache': DEV 'octeon_pc_edac' (INTERRUPT)
EDAC DEVICE1: Giving out device to module 'octeon-l2c' controller 'octeon_l2c_err': DEV 'octeon_l2c_edac' (POLLED)
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (1723 buckets, 6892 max)
NF_TPROXY: Transparent proxy support initialized, version 4.1.0
NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
ipip: IPv4 over IPv4 tunneling driver
gre: GRE over IPv4 demultiplexor driver
ip_gre: GRE over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team
arp_tables: (C) 2002 David S. Miller
Initializing XFRM netlink socket
NET: Registered protocol family 10
mip6: Mobile IPv6
sit: IPv6 over IPv4 tunneling driver
ip6_gre: GRE over IPv6 tunneling driver
NET: Registered protocol family 17
Bridge firewalling registered
L2 lock: TLB refill 256 bytes
L2 lock: General exception 128 bytes
L2 lock: low-level interrupt 128 bytes
L2 lock: interrupt 640 bytes
L2 lock: memcpy 1152 bytes
Bootbus flash: Setting flash for 32MB flash at 0x1dc00000
phys_mapped_flash: Found 1 x16 devices at 0x0 in 16-bit bank. Manufacturer ID 0x0000c2 Chip ID 0x00227e
Amd/Fujitsu Extended Query Table at 0x0040
Amd/Fujitsu Extended Query version 1.3.
number of CFI chips: 1
6 cmdlinepart partitions found on MTD device phys_mapped_flash
Creating 6 MTD partitions on "phys_mapped_flash":
0x000000000000-0x000000080000 : "uboot"
0x000000080000-0x000000e80000 : "SWImage0"
0x000000e80000-0x000001c80000 : "SWImage1"
0x000001c80000-0x000001ca0000 : "certs"
0x000001ca0000-0x000001fe0000 : "jffs2"
0x000001fe0000-0x000002000000 : "root"
turn off boot console early0
Further Steps
Combine this with our flash storage access to get control of the boot process.