Chinese Wonder* (pun)

Ok i have one of those tiny 7 inch laptops which has a ARM and WinCE/Android running on it..

While this is pretty cool to have i have no use for it. Unless i start learning how to program for android. Which i will not even get into. The cool thing i like about this laptop is the 7in LCD and the fact it has a mouse and keyboard built in. I would love to be able to use this for something other than what it has.

This so called PC uses a WM8505 Processor which in it self is quite hard to find good info on..

Here are some specs on my model:

Max Resolution: 800 x 480 px
OS Language: English
Operating System: Windows CE 6.0 or Android
CPU: ARM-WM8505 or VIA VT8505( ARM926EJ-S)
Chipset: WM8505
Memory: 128 MB
Flash Disk: 2GB Built-in
External Memory: SD/MMC card (16GB Max.)
LAN: RJ45, 10/100Mbps
WLAN: 802.11b/g Wifi / Wireless LAN
Speaker: Internal Speaker x 2
Touchpad: Yes
Keyboard: 80-key keyboard
Ports:
2 * USB External
1 * USB Internal
1 * RJ45 LAN
1 * 3.5mm Microphone
1 * 3.5mm Headphone
1 * SD/MMC card slot

Now for the GOOD the BAD and the UGLY!

The Good… The main board has a UART port on it and i am able to get valuable information from it. I can even access a terminal on it.

Here is what i get on boot:

WonderMedia Technologies, Inc. W-Load Version : 0.17.00.00 ethaddr............found U-Boot 1.1.4 (Apr  1 2010 - 16:26:54) WonderMedia Technologies, Inc. WMT U-Boot Version : 0.12.01.00.14 U-Boot code: 03F80000 -> 03FB9294  BSS: -> 040076AC RAM Configuration: Bank #0: 00000000 128 MB boot from spi flash. flash:      Bank1: FFF80000 -- FFFFFFFF      Bank2: FF780000 -- FFF7FFFF Flash:  8.5 MB In:    serial Out:   serial Err:   serial ### main_loop entered: bootdelay=1 bootcmd="nand read 3c00000 12f00000 100000;logo show;run text1" CE0: NAND FLASH ID: 0xECD514B6 CE0: NAND FLASH Name: SAMSUNG_K9XXG08UXM (2048 MB) block4095 tag=74624230  version =1 block4094 tag=62743142  version =1 g_nfinfo[0].id = 0xE, g_nfinfo[1].id = 0xFFFF Read finsih show logo ..... LCD param (setting): 1,30000,8,800,480,48,40,40,3,29,13 PWM param (setting): 0,4,599,599 LCD FrameBuffer = 0x07900000, BMP Address = 0x03C00000 Loading BMP ..... ok no string .... PWM0 input freq = 47916666 Hz, output freq = 19998 Hz PWM0 register setting: scalar = 3, period = 598, duty = 598 "V1.5.2" Execute register operation:   reg op: 0xD8110064 | 0xC   reg op: 0xD811008C | 0xC   reg op: 0xD81100B4 & 0xFFFFFFFB   reg op: 0xD81100B4 | 0x8   reg op: 0xD8130054 | 0x1 ### main_loop: bootcmd="nand read 0 0 300000;bootm 0" Hit any key to stop autoboot:  0 WMT #

When I type help this is what i get:

WMT # help ?       - alias for 'help' autoscr - run script from memory base    - print or set address offset bdinfo  - print Board Info structure boot    - boot default, i.e., run 'bootcmd' bootd   - boot default, i.e., run 'bootcmd' bootm   - boot application image from memory bootp   - boot image via network using BootP/TFTP protocol cleanlcd - clean LCD screen cmp     - memory compare coninfo - print console devices and information cp      - memory copy crc32   - checksum calculation dhcp    - invoke DHCP client to obtain IP/boot params diskboot- boot from IDE device dmacp     - dma memory copy echo    - echo args to console erase   - erase FLASH memory fatinfo - print information about filesystem fatload - load binary file from a dos filesystem fatls   - list files in a directory (default /) fatstore - store binary file to a dos filesystem flinfo  - print FLASH memory information go      - start application at address 'addr' help    - print online help ide     - IDE sub-system iminfo  - print header information for application image imls    - list all images found in flash itest   - return true/false on integer compare lcdinit - initialize LCD loadb   - load binary file over serial line (kermit mode) loads   - load S-Record file over serial line show    - loop    - infinite loop on address range md      - memory display mii     - MII utility commands mm      - memory modify (auto-incrementing) mmcinit - init mmc card mtest   - simple RAM test mw      - memory write (fill) nand    - NAND sub-system nfs     - boot image via network using NFS protocol nm      - memory modify (constant address) ping    - send ICMP ECHO_REQUEST to network host printenv- print environment variables protect - enable or disable FLASH write protection randmac - generate a random MAC address and save to "ethaddr" environment variable rarpboot- boot image via network using RARP/TFTP protocol reset   - Perform RESET of the CPU run     - run commands in an environment variable saveenv - save environment variables to persistent storage sdwaitins - wait sd card inserted or removed sdwaitins 0 -- waiting removed sdwaitins 1 -- waiting inserted setenv  - set environment variables sleep   - delay execution for some time textout - show text to the screen textout x y "str" color color is 24bit Hex, R[23:16], G[15:8], B[7:0] for example: textout 0 0 "hello world" FFFFFF tftpboot- boot image via network using TFTP protocol tmpt     - execute Mass Production Tool uploadfile- Transfer the spi flash image to the server. version - print monitor version

While this maybe cool and usefull it will suck if i can not create my own code.

The BAD…. Since im mostly interested in the LCD and keyboard and could care less about the processor or anything else i am stuck.
As you might expect there is no datasheet for either and manually reverse engineering both is beyond me since i dont have the necessary tools.

The Ugly… Now what i am trying to figure out is how do i get into a U-Boot.bin file to get all the source. This is beyond me as well. The U-Boot.bin file has the bootloader and from what i can see some LCD init stuff and a ton more. To find out what can be expected in the file i used my Linux OS (debian) to search for strings in the file…

(this is from Cygwin tho easier to copy/paste)

Jason@Jason-PC ~/ARM8505/script $ strings u-boot.bin ... U-Boot 1.1.4 (Apr  1 2010 - 16:26:54) Bbt01tbB@x} Font 12x22 ... LCD_ENABLE CxScreen CyScreen LCD_ID LCD panel ID???? Un-Support LCD panel ID ( %d ) X_LTEXT Y_LTEXT LCDC_FB BMP_ADR LCD FrameBuffer = 0x%08X, BMP Address = 0x%08X .... lcdparam LCD param (default): 1,25000,8,800,480,48,40,40,3,29,13 LCD param (setting): %s LCD param Error: expected version 1, but get %d LCD param Error: need %d arg count, but get %d So use default LCD param: 1,25000,8,800,480,48,40,40,3,29,13 LCD param Error: the string length of extra register opreation length = %d, it is too long, it should be less than %d Not excute extra register operation for LCD ..... LCD already initialized Loading BMP ..... .... LCDC_FB2 failed LOGO_STRING no string .... Execute register operation for LCD:

Obviously there is more but i clipped out what wasnt relevant to save scroll space…

I know know there are quite a few things related to the LCD in there which is something i will need. I ran across a program called binwalk and tried it on the uboot bin file and got:

Scan Time:    Jan 10, 2012 @ 22:04:41 Magic File:   /usr/local/etc/binwalk/magic.binwalk Signatures:   75 Target File:  u-boot.bin MD5 Checksum: d2c6f4e628ee5594caaccedb95fda7a6   DECIMAL        HEX            DESCRIPTION ------------------------------------------------------------------------------------------------------- 184350         0x2D01E        LZMA compressed data, properties: 0x01, dictionary size: 8388608 bytes, uncompressed size: 128 bytes 185224         0x2D388        LZMA compressed data, properties: 0x03, dictionary size: 8388608 bytes, uncompressed size: 64 bytes 186634         0x2D90A        LZMA compressed data, properties: 0x01, dictionary size: 8388608 bytes, uncompressed size: 4194432 bytes 231695         0x3890F        LZMA compressed data, properties: 0xD8, dictionary size: 65011712 bytes, uncompressed size: 1 bytes

This leads me to believe that there is something i can extract and decompress … Look at address 186634 (0x2D90A) the uncompressed size is 4,194,432 bytes.

That is just about 4MB big… Also since there are strings easily readable in there it also leads me to think that there are most likely normal files i can open. (i hope)

 

The Only BIG problem im having is… getting the data out of the u-boot.bin which is the main goal. I made a simple program to extract data from a file at a specific offset for a specifiv length and output it to a file. All in binary. While it does the job it doesnt work . I think its because i dont know when the archive ends? Or when it starts really.

While the above binwalk gives me a address i doubt its to the actual compressed file. LZMA compressed file have a magic number which usually is something like :

0x5D, 0x00,0x00,0x08 or something similar. I know the 0x5D is correct. But the above binwalk points to the Properties of said location… like 186634 offset is a 0x01 and not a 0x5D…

So if anyone knows how to extract this stuff please help me out.