[openfirmware] Making Open Firmware look like CE

Mark Morgan Lloyd markMLl.openfirmware at telemetry.co.uk
Sun May 29 15:47:35 CEST 2011 

Mitch Bradley wrote:
> On 5/28/2011 2:19 AM, Mark Morgan Lloyd wrote:
>> A few weeks ago (mid March) I mentioned that I had some ARM boards that
>> I'd like use as Linux development systems. Unfortunately, they come with
>> CE, and while the manufacturer does supply Linux it's prohibitively
>> expensive.
>>
>> CE is booted from a partitioned CompactFlash card, and I initially
>> thought that the code in the partition and filesystem boot sectors was
>> relevant, i.e. that there was something equivalent to a PC's BIOS in
>> Flash. However on inspection I think that the code is x86, which implies
>> that the loader in Flash is reading and transferring control to the OS
>> image directly.
>>
>> Is it possible to build Open Firmware to look like a CE image, which
>> would possibly allow this board (and potentially many other devices) to
>> run Linux without modification to the content of internal Flash?
>>
> 
> It should be relatively easy.  The ARM version of OFW is dynamically 
> relocatable, so all you have to do is put it somewhere in memory and 
> jump to it.
> 
> I believe that WinCE use the PECOFF image format, documented at 
> http://msdn.microsoft.com/en-us/windows/hardware/gg463125
> 
> There is also /usr/include/linux/coff.h which may clarify some things.
> 
> PECOFF has a lot of features but I think all you need is file header 
> followed by a single section header.  My best guess is that the section 
> name should be ".text".  The physical address and virtual address should 
> be the desired load address (which is pretty flexible as I mentioned), 
> and the file pointer would be the offset to the OFW image data.
> 
> This is the sort of thing - slapping on random headers as required by 
> some pre-existing bootloader - that I do routinely when porting to a new 
> platform.
> 
> The thing to do is to hex dump the first thousand bytes of the CE image 
> and see if you can make sense of it as a PECOFF header.  Then put a 
> similar header on the front of the OFW image.
> 
> cpu/arm/savefort.fth contains an example of making a header (in this 
> case in AIF - ARM Image Format) then writing the header and the OFW 
> dictionary image out to a file.

Interesting, so in the current case I should be able to wrap it in a 
header using a binary editor, at least initially.

I think that I'm going to have to update viewers before I can make sense 
of that reference :-(

For reference (and Google), this is what I see while booting:

Microsoft Windows CE Ethernet Bootloader Common Library Version 1.1 
Built May  5 2006 17:09:07
LP3970 Init Fail!!
ICPEMS WinCE Bootloader 1.7 for the HMI270 Built May  5 2006
CF_Reset: Reset CF card ... Success!
CF_Reset: Reset CF card ... Success!
CF_Reset: Reset CF card ... Success!
CF_CopyImageToRAM: Starting to copy OS image to memory
  -Image address  = 0x80100000
  -Image length   = 0x01b64c00
  -Launch address = 0x80101000
CF_CopyImageToRAM: Succeeded to copy image from CF card to memory
CF_Reset: Reset CF card ... Success!
Download successful!  Jumping to image at 0x80101000 (physical 
0xA0101000)...

At that point I suspect it's trying to talk to an LCD, which in my case 
I have not got. I presume that the physical address in the last line is 
a red herring as far as headers are concerned. I think the ICPEMS is a 
loader peculiar to this manufacturer (IEI) or board model (Kamio-2701), 
but I don't know whether "PE" and "MS" in that name are related to the 
format or indicate an author.

On the FAT-16 contained in the partitioned CF module, there's a boot.ini 
which specifies BinFile=nk.bin. I think the boot.ini is read by a file 
called BLDR (boot loader?) which I presume is the one we want to 
emulate. However, here are the file sizes:

drwxr-xr-x 2 root root     2048 2006-07-28 10:18 System
-rwxr-xr-x 1 root root 28199699 2006-06-13 14:05 NK.bin
-rwxr-xr-x 1 root root   481080 2006-05-17 09:24 logo.bmp
-rwxr-xr-x 1 root root     1181 2005-01-01 18:51 BOOT.INI
-r-xr-xr-x 1 root root    20480 2004-09-30 21:24 BLDR
-rwxr-xr-x 1 root root     3544 2004-07-01 12:00 SPLASH.BMX

The image length from the load messages looks more like that of NK.bin 
plus a 512K offset. Those messages don't appear to be in the BLDR file 
so it might actually be that it calls back to code in Flash, I suspect 
that I'm going to have to bite the bullet and hook up JTAG (something 
I've not done before- I'm a logic analyser man) before I can get any 
further.

This 
http://blogs.msdn.com/b/ce_base/archive/2007/11/26/how-does-windows-embedded-ce-6.0-start_3f00_.aspx 
is a very good description of loading the kernel for CE 6.0, but in the 
current case I think I'm looking at 5.0 and while it's similarly got an 
ECEC marker I think what comes after differs... it's definitely not a PE 
variant, although it's always possible that some of the internal 
structures are similar to COFF.

[Slightly later] Google suggests that the embedded ECEC marker is 
critical, but http://itsme.home.xs4all.nl/ cryptically refers to this 
format as being "xip" (execute in place?). I need to look at BLDR with a 
disassembler but I suspect that it might actually be a binary with no 
significant header. Can I build OFW with code or at least a relative 
jump at the start?

I'll be back... after I've tried to make sense of somebody's MIPS 
compiler port.

-- 
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]

More information about the openfirmware mailing list