current thoughts

Ok, so after looking over the docs on loading up the onda and polaroid it seems like it may actually be going into a debug mode when we hit a key while powering on or hooking up a usb to computer from power off. The next thing that happens at this point in the normal procedure is it copies the new firmware IMG file to the internal card (it specifies that the sd card be pulled out BTW). Then it boots into recovery to install. Both of those options obviously would be easy to do over a usb adb shell. The other thing is i saw somewhere that exiting this mode could be accomplished with long pressing the power button or three presses to the power button which both seemed to happen. I can confirm thst it at least attempted to install drivers when i tried hitting the menu button while insering the usb cable from power off last night, just didnt find ones it liked and i was way late for bed at that point. The good thing is that it at least could give us a way to get to clockwork using a usb cable from power off. Ideally it would be nice to figure out where the secondary recovery loader is so we could change it to just boot into clockwork directly, assuming i am right on this anyway, and i admit i am just guessing here

You might be onto something

Thats mostly good news. I am wondering about the naming convention used on the 'update.zip' files.

My bet based on another thread where a guy edited sun4init.rc and found that a power off over writes his edits vs a reset does not, that in order to get CWM fully working, changes to boot.img will be required! Also since boot.img is a ext4 file system, it is probably also mounted at init as RO. Making that RW might allow CWM to make the mods it needs.

But we need a ROM first. I am all ready to start editing system and boot for you guys.

Bob

hey guys did you try this



i have also cwm on my phone the same version.
this is a zip file .
flash with cwm and you have touch buttons.
its beta but works perfect on my phone.
maybe on tab also.

I am betting you are right

I was able to get superonetouch to force in some drivers for me so I can shell in now, but it wont shell in the initial recovery so my guess is there is a connection made for a limited number of commands set up in the boot.img triggered by holding down a key when booting by plugging in USB (and not sure that is necissary since I have hit that mode just with hitting power and a second button) that basically cover copying the image and then soft booting into the recovery partition to do the flash. I am half tempted to try setting up a USB sniffer and watching those commands, but knowing the distinct chance of having at least an unstable unit, and possibly flat out bricked it is a bit scary. Unstable I could probably deal with since if I am right and it boots into recovery it would be the clockwork one so I could go from there since I do have my recovery files backed up on the PC now even if it wiped my data area.
so far looks like the two options that people have used are the livesuite package that looks to have come straight from Allwinner and I think I have seen the RKtools mentioned as possibly getting in there, but wasnt sure what things I could do without sending into flash mode. Hard part with the LiveSuite way is it looks to be an all or nothing proposition and since all the documentation has been in chinese it has been a bit tough to read up on.

Found this on rhombus-tech. Looks like the recovery boot program is built into the A10 itself so figuring out how to issue the command to reboot to recovery from PC may be the only way to go.

http://rhombus-tech.net/allwinner_a10/a10_boot_process/

A10 boot overview

A10 is a quite 'closed chip'. There is a brom in the chip, which can not be modified. This brom will load program from external storage(nand, mmc), which is called boot0 in allwinner. Brom will check the header of boot0, and get hardware information from boot0. The hardware information is in a config file called sys_config.fex. A pc tools will read the config file, and write the hardware information to the head of boot0. After boot0 is booted up, it will continue to load another loader boot1, boot1 init all other hardware and provides hardware abstracts and services. According to the boot OS, boot1 loads an arm elf program, boot.axf. For booting linux, boot.axf loads the u-boot and jumps to the u-boot. Then u-boot will take over.
So, the whole boot process is: brom -> boot0 -> boot1 -> boot.axf -> u-boot -> kernel
BROM

Brom in A10 is at the address 0xFFFF0000, After power up, arm core will fetch the first instruction at 0xFFFF0000 and execute it. The brom code contains two parts, one is the normal boot, the other is a block of code called FEL, which is mainly a USB communication program with host pc. Steps of brom boot:

1. Check the status of one pin (the bsp pin), if the pin is low, jump to FEL, waiting host command through usb, usually communicate with a pc tool livesuite to update the firmware in nand flash. This pin can be accessible by a button marked as Recovery or RECV on tablets.

today killerkink posted another cwmod trial for us to try to debug the touchscreen, download away

might have same good info in here.

Hmm brain working a bit

OK so looking over the instructions again on the Polaroid site for flashing recovery I noticed that it never made mention of using any key when booting nor did it use the LiveSuite program. It seems closer to a standard recovery, except it uses plugging in the USB from power off as the trigger. I think it likely jumps it into one of the secondary boot programs, and one that seems to have more going on than the hit the menu button recovery. So with that in mind I wonder if we really have 2 seperate options for recovery going on. Call it a hardware based one where you hit a button while powering on, and a firmware based one where you plug the tablet into a computer with the power off. Now the firmware one seems to have more going on so it ispossible that we might get into it with ADB or otherwise trick it into getting into the clockwork recovery. Unfortunately I dont have my tablet here so it will be a bit before I can test this out, so if someone else wants to in the meantime go for it.

The plan is :
1 turn off the tablet
2 plug in the USB cable from computer to tablet
3 try to establish an ADB connection, not sure if ADB shell or ADB reboot recovery would be the best
4 if that doesnt work go ahead and establish the connection
5 break the connection
6 see if it boots into recovery
if not we might have to copy an update.img to it since it might detect that operation as needed before booting into recovery

See the firmware procedure for our specific tablet here (or so Southern Telecom says):


There are a few other tablets on their firmware downloads page here, just not for ours:

again I think your onto something

The brom / livesuite solution is the low level way to re-flash. I would bet you are right and a software update/recovery is possible/likely even. I even think there is a way to re-trigger the brom flash by triple clicking the power button on boot (or something like that).

I need to worry only about a working clone of stock ROM first tho and all this cool stuff comes up and I want to go digging in the dumps to see.

All I really need todo now is pull some info from the root.img (kernel part) and edit some configs and see if snowbreeze can wrap it all up into a output.img (or not).

At this rate the versions of this tablet with ICS on them will ship before I get this done. If only they (southerntelcom) would post our ROM or even just an update to take apart and make sure of a few things. I like being sure when flashing the brains of my toys.

I need to FOCUS POWER!

Pod-of-the-not

Let me know if I can help you in any way. Seems you have a damn good handle on things but please feel free to ask for advice from me if you need!

CRACK this beoch open man

Bob

Ahhh, this could be good

According to the description this is the source code for U-Boot, one of the possible options for getting into recovery with a brick.

FYI
From what I have read Hipboi AKA Tom Cubie is an engineer at Allwinner. Only bad thing is reading through some of the posts I have seen it looks like they really went with the PFM method of putting the A10 together. I guess most of the documentation even at Allwinner takes the form of hen scratched notes on half written code snippet pages. In otherwords they dont even seem to know how half of this stuff works. I did see a post though that roughly translated went that if you want to reverse engineer talking to it, please do it, just let us know what you find out. There is a data dump of a USB communication stream out there, bu it ends up being over 200MB after unzipping it.