Home > AMLogic AML8726, Android, Linux, Linux 3.0, Testing, Ubuntu > How to Extract a Device Tree File from Android Firmware Files

How to Extract a Device Tree File from Android Firmware Files

Up to now, all our cheap Android devices were based on older Linux kernel (3.0.x, 3.4.x) that still used board files (arch/arm/board, but we’ve recently seen companies like Amlogic and Rockchip release source code with Linux kernel 3.10.x. One of the key differences between these version are the move from board files to flattened device tree and multi-platform support. If it is fully implemented, a single kernel image should be able to boot multiple hardware platforms, and all low level configuration handled by the device tree file. Since I’ve connected the serial port of Tronsmart Vega S89 for debugging, and it’s a slow news day, I thought I might try to boot the Linux kernel I compiled myself, but one of the challenge was to get the device tree file. I’ll show how to extract it from the firmware. It should also be possible to get it directly from the flash, but “cat /proc/mtd” does not show a complete list of partition as in previous versions.

I’ve performed the steps below in Ubuntu 14.04. The first thing is to install some tools: the device tree compiler that we’ll use to decompile the dtb (binary) file into a dtd (text) file, and split_bootimg.pl a standard PERL script to extract files from boot.img:

sudo apt-get install device-tree-compiler
wget https://gist.githubusercontent.com/jberkel/1087743/raw/5be96af0e1c1346678379b0c0f0330b71df51f25/split_bootimg.pl
sudo cp split_bootimg.pl /usr/local/bin
sudo chmod +x /usr/local/bin/split_bootimg.pl

I’ll use M8 / TM8 firmware (Amlogic S802) as an example. The exact procedure will vary between firmware files, but if you can boot.img, the procedure should be platform independent and work for any ARM SoC. After having downloaded and extracted the firmware file (TM8 ap6330_03102014A_0410_ROOT.rar), let’s create a working directory, and unzip the “OTA” file.

mkdir TM8
cd TM8
unzip ../k200-ota-20140410.zip

We now get a bunch of files, including boot.img. Great! Time to run split_bootimg.pl script to extract its content:

split_bootimg.pl boot.img
Page size: 2048 (0x00000800)
Kernel size: 7209567 (0x006e025f)
Ramdisk size: 2024995 (0x001ee623)
Second size: 17699 (0x00004523)
Board name: 
Command line: 
Writing boot.img-kernel ... complete.
Writing boot.img-ramdisk.gz ... complete.
Writing boot.img-second.gz ... complete.

So we’ve got the kernel, a ramdisk, and a “second file” that happens to be the dtb file. We can now decompile it with dtc (device tree compiler) as follows:

dtc -I dtb boot.img-second.gz -O dts -o meson8_tm8.dtd

That’s it. Here’s M8 device tree file.

I’ve done the same for Tronsmart Vega S89 (Elite). S89 firmware is usually distributed as an IMG file to be used with AML Flash Burning tool, but I haven’t found a way to extract such file yet. however, I’ve found an “OTA” firmware, to be updated via SD Card, on freaktab, and could extract the device tree file for Tronsmart Vega S89 Elite & Vega S89. Both M8 and S89 Elite DTD files are very similar, but the maximum CPU frequency seems to be higher in M8, and there are other apparently minor differences. Vega S89 DTD file appears to be much different however.

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter

  1. m][sko
    May 12th, 2014 at 22:37 | #1

    Did you finally boot up fully working kernel now?

  2. Alain Theriault
    May 13th, 2014 at 00:57 | #2

    This looks like fun… let me know how I can help.

  3. May 13th, 2014 at 09:37 | #3

    @m][sko
    I’m loading the built boot.img via tftp and running it from there.
    Before it could boot to command line (in the ramdisk), but no Ethernet.
    With the right device tree file, I get Ethernet, and access to the command line. HDMI output seems to work but it’s all black. I was expecting the Android UI to show up as well. It’s probably because I need to modify the ramdisk. There are some pinmux conflict in the log as well, because of a camera module which is not present in the stock firmware. Expect progress to be slow, as I play on this only if I can’t find much to write about during the day.

    @Alain Theriault
    If you want to give it a try, here’s what I’m planning to do:
    1. Get console access to your M8 – Similar to http://www.cnx-software.com/2014/05/07/how-to-open-tronsmart-vega-s89-elite-and-access-the-serial-console/
    2. Build the kernel with the M8 DTD file (modify mk_m8.sh)- http://www.cnx-software.com/2014/03/10/amlogic-gpl-source-code-release-kernel-3-10-u-boot-and-drivers-wi-fi-nand-tvin-mali-gpu/ + post above
    3. Configure a tftp and nfs server in your Linux PC
    4. Copy to your boot.img to the tftp directory, and an ARM Linux rootfs to the NFS share (e.g. ALIP: http://releases.linaro.org/13.11/openembedded/vexpress-lsk/linaro-image-alip-genericarmv7a-20131126-163.rootfs.tar.gz)
    5. Try to boot with an adaptation of the following: http://forum.xbmc.org/showthread.php?tid=152328&pid=1304803#pid1304803

    If you want to make sure the kernel is working properly, you may want to boot Android instead. As mentioned to misko answer, your may need to modify the ramdisk, or just take the one from M8 firmware.

  4. gizmomelb
    May 13th, 2014 at 19:34 | #4

    hey cnxsoft, don’t know if it’s of any use – but I extracted the partitions with boot.img etc. on my Beelink 16GB (Tronsmart Standard S89 hardware-a-like) if those files are of any use to putter around in?

    I’m mostly a windows guy, I need to set up a *nix box for playing around on (mm.. maybe I could use my raspberry pi for that).

  5. Dante
    May 13th, 2014 at 19:51 | #5

    M8 is better then S89 Elite?
    Antutu benchmark? I Can’t find anything good about m8 (S802).

    Thanks

  6. May 13th, 2014 at 20:17 | #6

    @Dante
    Both are about the same. But when I tried M8 tended to hang from time to time. It could have been hardware (overheat) or firmware issue. Not sure.

    @gizmomelb
    Did you get the boot.img from the NAND Flash or firmware file? If from the NAND flash, how did you do? I can’t find the partitions in my Vega S89 Elite.
    If you are a Windows guy, and want to play around, you’d better install VirtualBox + Ubuntu on your windows PC, especially if you’re going to give a try at building the kernel. The Raspberry Pi use would be limited (tftp / nfs server), hence unnecessary.

  7. gizmomelb
    May 14th, 2014 at 16:18 | #7

    hey cnxsoft – I extracted the boot.img from the NAND using adb shell and some help from Finless Bob on freaktab.

    http://www.freaktab.com/showthread.php?12472-factory-default-firmware-images&highlight=

    I have the extracted files from the 100k4 NAND, I’ve since updated to 101k4 but haven’t extracted the files again (is there any point if we can unpack the firmware update?).

    I’m happy to help out in any way I can. I have two Beelink M8 round boxes, one for testing – my USB -> serial cable/adapter arrived today as I need to update my Gotek floppy emulator (another project).

  8. gizmomelb
    May 14th, 2014 at 16:20 | #8

    @Dante

    Hi Dante! The square S802 boxes are going by the M8 brand, however Beelink have a round (Tronsmart S89 clone essentially – same motherboard, different firmware but you can flash with the S89 firmware) S802 device which is named M8 (and another one named S82). Confusing!

  9. gizmomelb
    May 14th, 2014 at 16:21 | #9

    @cnxsoft

    Hi cnxsoft – yeah I’ll go virtualbox or if I look around I can probably find an old VMDK VMware ubuntu image I was using to play around with thin client firmware from quite a few years back.

  10. May 14th, 2014 at 17:40 | #10

    @gizmomelb
    Extracting from NAND is useful if you don’t have the firmware, which may happen for some low cost devies in the future with zero support. I got confused when I tried cat /proc/mtd…, but “ls /dev/block/” is what I should have done.

    Now I’m at the stage where I try to boot the rootfs (Linaro ALIP) from NFS. The usual bootargs method does not seem to work at all, so I’m trying switch_root, which sort of work until the “Connection Manager” starts, and seems to mess with the nfsroot…

  11. m][sko
    May 14th, 2014 at 19:43 | #11

    @cnxsoft
    I don’t have any problem with debian 7.0 armhf rootfs with kernel 3.0 over NFS
    But it is maybe that you use initrd https://www.ibm.com/developerworks/library/l-initrd/
    As I build most amlogic modules as static as I don’t need any hotplug :)

    I didn’t use linaro(Ubuntu).

  12. m][sko
    May 14th, 2014 at 19:45 | #12

    @m][sko
    my uboot paramters for AML8726-MX,
    http://pastebin.com/V6bhWYqh

  13. May 14th, 2014 at 20:33 | #13

    @m][sko
    Finally even if I can’t mount the NFS share directly with bootargs (I had to edit init with switch_root), it’s still importnt to have a proper bootargs in u-boot. So now I can mount the ALIP rootfs. The display is still black, but at least I get network, and USB mass storage support. I’ll document that tomorrow.

  1. May 15th, 2014 at 16:15 | #1