Chinese Wonder* (pun)

Ok i have one of those tiny 7 inch laptops which has a ARM and WinCE/Android running on it..

While this is pretty cool to have i have no use for it. Unless i start learning how to program for android. Which i will not even get into. The cool thing i like about this laptop is the 7in LCD and the fact it has a mouse and keyboard built in. I would love to be able to use this for something other than what it has.

This so called PC uses a WM8505 Processor which in it self is quite hard to find good info on..

Here are some specs on my model:

Max Resolution: 800 x 480 px
OS Language: English
Operating System: Windows CE 6.0 or Android
CPU: ARM-WM8505 or VIA VT8505( ARM926EJ-S)
Chipset: WM8505
Memory: 128 MB
Flash Disk: 2GB Built-in
External Memory: SD/MMC card (16GB Max.)
LAN: RJ45, 10/100Mbps
WLAN: 802.11b/g Wifi / Wireless LAN
Speaker: Internal Speaker x 2
Touchpad: Yes
Keyboard: 80-key keyboard
2 * USB External
1 * USB Internal
1 * RJ45 LAN
1 * 3.5mm Microphone
1 * 3.5mm Headphone
1 * SD/MMC card slot

Now for the GOOD the BAD and the UGLY!

The Good… The main board has a UART port on it and i am able to get valuable information from it. I can even access a terminal on it.

Here is what i get on boot:

WonderMedia Technologies, Inc. W-Load Version : ethaddr............found U-Boot 1.1.4 (Apr  1 2010 - 16:26:54) WonderMedia Technologies, Inc. WMT U-Boot Version : U-Boot code: 03F80000 -> 03FB9294  BSS: -> 040076AC RAM Configuration: Bank #0: 00000000 128 MB boot from spi flash. flash:      Bank1: FFF80000 -- FFFFFFFF      Bank2: FF780000 -- FFF7FFFF Flash:  8.5 MB In:    serial Out:   serial Err:   serial ### main_loop entered: bootdelay=1 bootcmd="nand read 3c00000 12f00000 100000;logo show;run text1" CE0: NAND FLASH ID: 0xECD514B6 CE0: NAND FLASH Name: SAMSUNG_K9XXG08UXM (2048 MB) block4095 tag=74624230  version =1 block4094 tag=62743142  version =1 g_nfinfo[0].id = 0xE, g_nfinfo[1].id = 0xFFFF Read finsih show logo ..... LCD param (setting): 1,30000,8,800,480,48,40,40,3,29,13 PWM param (setting): 0,4,599,599 LCD FrameBuffer = 0x07900000, BMP Address = 0x03C00000 Loading BMP ..... ok no string .... PWM0 input freq = 47916666 Hz, output freq = 19998 Hz PWM0 register setting: scalar = 3, period = 598, duty = 598 "V1.5.2" Execute register operation:   reg op: 0xD8110064 | 0xC   reg op: 0xD811008C | 0xC   reg op: 0xD81100B4 & 0xFFFFFFFB   reg op: 0xD81100B4 | 0x8   reg op: 0xD8130054 | 0x1 ### main_loop: bootcmd="nand read 0 0 300000;bootm 0" Hit any key to stop autoboot:  0 WMT # 

When I type help this is what i get:

WMT # help
?       - alias for 'help'
autoscr - run script from memory
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp   - boot image via network using BootP/TFTP protocol
cleanlcd - clean LCD screen
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dhcp    - invoke DHCP client to obtain IP/boot params
diskboot- boot from IDE device
dmacp     - dma memory copy
echo    - echo args to console
erase   - erase FLASH memory
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
fatstore - store binary file to a dos filesystem
flinfo  - print FLASH memory information
go      - start application at address 'addr'
help    - print online help
ide     - IDE sub-system
iminfo  - print header information for application image
imls    - list all images found in flash
itest   - return true/false on integer compare
lcdinit - initialize LCD
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
show    -
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing)
mmcinit - init mmc card
mtest   - simple RAM test
mw      - memory write (fill)
nand    - NAND sub-system
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
randmac - generate a random MAC address and save to "ethaddr" environment variable
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
sdwaitins - wait sd card inserted or removed
sdwaitins 0 -- waiting removed
sdwaitins 1 -- waiting inserted
setenv  - set environment variables
sleep   - delay execution for some time
textout - show text to the screen
textout x y "str" color
color is 24bit Hex, R[23:16], G[15:8], B[7:0]
for example: textout 0 0 "hello world" FFFFFF
tftpboot- boot image via network using TFTP protocol
tmpt     - execute Mass Production Tool
uploadfile- Transfer the spi flash image to the server.
version - print monitor version

While this maybe cool and usefull it will suck if i can not create my own code.

The BAD…. Since im mostly interested in the LCD and keyboard and could care less about the processor or anything else i am stuck.
As you might expect there is no datasheet for either and manually reverse engineering both is beyond me since i dont have the necessary tools.

The Ugly… Now what i am trying to figure out is how do i get into a U-Boot.bin file to get all the source. This is beyond me as well. The U-Boot.bin file has the bootloader and from what i can see some LCD init stuff and a ton more. To find out what can be expected in the file i used my Linux OS (debian) to search for strings in the file…

(this is from Cygwin tho easier to copy/paste)

Jason@Jason-PC ~/ARM8505/script
$ strings u-boot.bin
U-Boot 1.1.4 (Apr  1 2010 - 16:26:54)
Font 12x22
LCD panel ID????
Un-Support LCD panel ID ( %d )
LCD FrameBuffer = 0x%08X, BMP Address = 0x%08X
LCD param (default): 1,25000,8,800,480,48,40,40,3,29,13
LCD param (setting): %s
LCD param Error: expected version 1, but get %d
LCD param Error: need %d arg count, but get %d
So use default LCD param: 1,25000,8,800,480,48,40,40,3,29,13
LCD param Error: the string length of extra register opreation length = %d, it is too long, it should be less than %d
Not excute extra register operation for LCD
LCD already initialized
Loading BMP .....
no string ....
Execute register operation for LCD:

Obviously there is more but i clipped out what wasnt relevant to save scroll space…

I know know there are quite a few things related to the LCD in there which is something i will need. I ran across a program called binwalk and tried it on the uboot bin file and got:

Scan Time:    Jan 10, 2012 @ 22:04:41
Magic File:   /usr/local/etc/binwalk/magic.binwalk
Signatures:   75
Target File:  u-boot.bin
MD5 Checksum: d2c6f4e628ee5594caaccedb95fda7a6
184350         0x2D01E        LZMA compressed data, properties: 0x01, dictionary size: 8388608 bytes, uncompressed size: 128 bytes
185224         0x2D388        LZMA compressed data, properties: 0x03, dictionary size: 8388608 bytes, uncompressed size: 64 bytes
186634         0x2D90A        LZMA compressed data, properties: 0x01, dictionary size: 8388608 bytes, uncompressed size: 4194432 bytes
231695         0x3890F        LZMA compressed data, properties: 0xD8, dictionary size: 65011712 bytes, uncompressed size: 1 bytes

This leads me to believe that there is something i can extract and decompress … Look at address 186634 (0x2D90A) the uncompressed size is 4,194,432 bytes.

That is just about 4MB big… Also since there are strings easily readable in there it also leads me to think that there are most likely normal files i can open. (i hope)


The Only BIG problem im having is… getting the data out of the u-boot.bin which is the main goal. I made a simple program to extract data from a file at a specific offset for a specifiv length and output it to a file. All in binary. While it does the job it doesnt work . I think its because i dont know when the archive ends? Or when it starts really.

While the above binwalk gives me a address i doubt its to the actual compressed file. LZMA compressed file have a magic number which usually is something like :

0x5D, 0x00,0x00,0x08 or something similar. I know the 0x5D is correct. But the above binwalk points to the Properties of said location… like 186634 offset is a 0x01 and not a 0x5D…

So if anyone knows how to extract this stuff please help me out.

Published by atomsoft

Starting a small company. Trying to build it from ground up. Only 2 employees so far. Nothing serious yet but soon!

2 thoughts on “Chinese Wonder* (pun)

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: