Replicant

h1. Galaxy Nexus (I9250) Serial Console

See [[SamsungSerial]] for the hardware setup.

h2. Without patching the kernel on Replicant 6

Adding @loglevel=8 fiq_debugger.console_enable=1 fiq_debugger.no_sleep=1@ to the kernel command line enables to see some of the boot of the kernel without having to recompile the kernel.

Though it requires to repack a boot.img to add the commandline arguments.

<pre>

IMAGE ?= boot.img

EXTRA_CMDLINE ?= loglevel=8 fiq_debugger.console_enable=1 fiq_debugger.no_sleep=1

.PHONY: $(IMAGE) flash

$(IMAGE):

	unbootimg --kernel kernel \

		--ramdisk ramdisk \

		-i ../$(IMAGE)

	mkbootimg \

		--kernel kernel \

		--ramdisk ramdisk \

		--base 0x80000000 \

		--cmdline "androidboot.hardware=tuna ${EXTRA_CMDLINE}" \

		-o $(IMAGE)

flash:

	fastboot flash boot $(IMAGE)

	fastboot flash recovery $(IMAGE)

	fastboot boot $(IMAGE)

</pre>

h2. Real serial console by patching the kernel

When you connect the cable you get the FIQ debugger, but what if you want kgdb instead:

* apply that patch:

<pre>

diff --git a/arch/arm/mach-omap2/board-tuna.c b/arch/arm/mach-omap2/board-tuna.c

index a022a43..7098227 100644

--- a/arch/arm/mach-omap2/board-tuna.c

+++ b/arch/arm/mach-omap2/board-tuna.c

@@ -1001,6 +1001,8 @@ static inline void __init board_serial_init(void)

        omap_serial_init_port_pads(0, uart1_pads, uart1_pads_sz, NULL);

        omap_serial_init_port_pads(1, tuna_uart2_pads,

                ARRAY_SIZE(tuna_uart2_pads), &tuna_uart2_info);

+       omap_serial_init_port_pads(2,tuna_uart3_pads,

+               ARRAY_SIZE(tuna_uart3_pads), NULL);

        omap_serial_init_port_pads(3, tuna_uart4_pads,

                                   ARRAY_SIZE(tuna_uart4_pads), NULL);

 }

</pre>

* remove the FIQ debugger in the kernel configuration.

* change the CMDLINE trough the kernel configuration:

Use:

<pre>CONFIG_CMDLINE="console=ttyO2 androidboot.console=ttyO2 [...]"</pre>

Instead of:

<pre>CONFIG_CMDLINE="console=ttyFIQ0 androidboot.console=ttyFIQ0 [...]"</pre>

* Verify that you get the kernel messages.

h2. KGDB

* You need to change the cmdline for kgdb

<pre>

CONFIG_CMDLINE="kgdboc=ttyO2,115200 console=ttyO2 androidboot.console=ttyO2 [...]"

</pre>

Don't add kgdbwait tough because it result in that:

<pre>

(gdb) set remotebaud 115200

(gdb) target remote /dev/ttyUSB0

/dev/ttyUSB0: Device or resource busy.

(gdb) target remote /dev/ttyUSB0

Remote debugging using /dev/ttyUSB0

kgdb_breakpoint ()

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/kernel/debug/debug_core.c:954

954		arch_kgdb_breakpoint();

(gdb) c

Continuing.

Program received signal SIGSEGV, Segmentation fault.

__raw_spin_lock_irqsave (lock=0x288)

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/kernel/spinlock.c:112

112	BUILD_LOCK_OPS(spin, raw_spinlock);

(gdb) bt

#0  __raw_spin_lock_irqsave (lock=0x288)

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/kernel/spinlock.c:112

#1  0xc061aecc in _raw_spin_lock_irqsave (lock=0x288)

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/kernel/spinlock.c:145

#2  0xc0098620 in try_to_wake_up (p=0x0, state=1611595795, wake_flags=1)

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/kernel/sched.c:2681

#3  0xc009897c in wake_up_process (p=0x288)

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/kernel/sched.c:2785

#4  0xc00e2090 in proc_dohung_task_timeout_secs (table=<value optimized out>, write=<value optimized out>, 

    buffer=<value optimized out>, lenp=<value optimized out>, ppos=0xc782bf70)

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/kernel/hung_task.c:190

#5  0xc0174178 in proc_sys_call_handler (filp=<value optimized out>, buf=0x24808, count=1, ppos=0xc782bf70, 

    write=1) at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/fs/proc/proc_sysctl.c:158

#6  0xc01741b0 in proc_sys_write (filp=0x288, buf=0x600f0013 <Address 0x600f0013 out of bounds>, count=1, 

    ppos=0xc782a000)

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/fs/proc/proc_sysctl.c:176

#7  0xc0126420 in vfs_write (file=0xc73be500, buf=0x24808 "0", count=<value optimized out>, pos=0xc782bf70)

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/fs/read_write.c:377

#8  0xc0126590 in sys_write (fd=<value optimized out>, buf=0x24808 "0", count=1)

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/fs/read_write.c:429

#9  0xc0055a00 in ?? ()

Cannot access memory at address 0x0

#10 0xc0055a00 in ?? ()

Cannot access memory at address 0x0

Backtrace stopped: previous frame identical to this frame (corrupt stack?)

</pre>

* disable the watchdog timer in the kernel, and recompile it and reflash the boot.img.

then open a root console and do:

<pre>

echo g > /proc/sysrq-trigger

</pre>

<pre>

gnutoo@gnutoo-laptop:~/embedded/android/replicant-4.0$ . build/envsetup.sh 

including device/ti/panda/vendorsetup.sh

including vendor/replicant/vendorsetup.sh

including sdk/bash_completion/adb.bash

gnutoo@gnutoo-laptop:~/embedded/android/replicant-4.0$ lunch replicant_maguro-eng

============================================

PLATFORM_VERSION_CODENAME=REL

PLATFORM_VERSION=4.0.4

TARGET_PRODUCT=replicant_maguro

TARGET_BUILD_VARIANT=eng

TARGET_BUILD_TYPE=release

TARGET_BUILD_APPS=

TARGET_ARCH=arm

TARGET_ARCH_VARIANT=armv7-a-neon

HOST_ARCH=x86

HOST_OS=linux

HOST_BUILD_TYPE=release

BUILD_ID=IMM76L

============================================

gnutoo@gnutoo-laptop:~/embedded/android/replicant-4.0$ arm-linux-androideabi-gdb

GNU gdb (GDB) 7.1-android-gg2

Copyright (C) 2010 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "--host=i686-linux-gnu --target=arm-elf-linux".

For bug reporting instructions, please see:

<http://www.gnu.org/software/gdb/bugs/>.

(gdb) file /home/gnutoo/embedded/android/replicant-4.0/out/target/product/maguro/obj/KERNEL_OBJ/vmlinux

Reading symbols from /home/gnutoo/embedded/android/replicant-4.0/out/target/product/maguro/obj/KERNEL_OBJ/vmlinux...done.

(gdb) set remotebaud 115200

(gdb) target remote /dev/ttyUSB0

Remote debugging using /dev/ttyUSB0

kgdb_breakpoint ()

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/kernel/debug/debug_core.c:954

954		arch_kgdb_breakpoint();

(gdb) bt

#0  kgdb_breakpoint ()

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/kernel/debug/debug_core.c:954

#1  0xc00df764 in sysrq_handle_dbg (key=-29306880)

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/kernel/debug/debug_core.c:745

#2  0xc02f2e18 in __handle_sysrq (key=103, check_mask=false)

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/drivers/tty/sysrq.c:522

#3  0xc02f2ec4 in write_sysrq_trigger (file=<value optimized out>, buf=<value optimized out>, count=2, 

    ppos=0xc4a01f70)

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/drivers/tty/sysrq.c:870

#4  0xc016ba88 in proc_reg_write (file=0xc49ea3c0, buf=0x137fc84 "g\n\f@", count=2, ppos=0xc4a01f70)

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/fs/proc/inode.c:200

#5  0xc0126420 in vfs_write (file=0xc49ea3c0, buf=0x137fc84 "g\n\f@", count=<value optimized out>, 

    pos=0xc4a01f70) at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/fs/read_write.c:377

#6  0xc0126590 in sys_write (fd=<value optimized out>, buf=0x137fc84 "g\n\f@", count=2)

    at /home/gnutoo/embedded/android/replicant-4.0/kernel/samsung/tuna/fs/read_write.c:429

#7  0xc0055a00 in ?? ()

Cannot access memory at address 0x0

#8  0xc0055a00 in ?? ()

Cannot access memory at address 0x0

Backtrace stopped: previous frame identical to this frame (corrupt stack?)

(gdb) 

</pre>

h2. Multiplexing the serial port

since we have only 1 serial port, you can also use agent proxy to get kgdb and the console at the same time....

<pre>

git clone git://git.kernel.org/pub/scm/utils/kernel/kgdb/agent-proxy.git

cd agent-proxy ; make

</pre>

h2. Root on serial port

* Modify system/su/su.c:

<pre>

diff --git a/su.c b/su.c

index d36eaed..51137d4 100644

--- a/su.c

+++ b/su.c

@@ -494,11 +494,13 @@ int main(int argc, char *argv[])

             deny(&ctx);

         }

+#if 0

         // disallow su in a shell if appropriate

         if (ctx.from.uid == AID_SHELL && (atoi(enabled) == 1)) {

             LOGE("Root access is disabled by a system setting - enable it under settings -> developer options");

             deny(&ctx);

         }

+#endif

     }

     if (ctx.from.uid == AID_ROOT || ctx.from.uid == AID_SHELL)

</pre>

* adb push it to /system/xbin/su

* remove /system/bin/su

* chmod +s it: <pre>busybox chmod +s /system/xbin/su</pre>

h2. TODO

 * reliable rebugging (right now it breaks on the wrong line)

 * phone that doesn't power off screen while debugging...