Asus Eee Note, a peek within....

Discussion in 'Asus (Android)' started by whazzup, Jan 12, 2011.

  1. Shurik

    Shurik Pen Pal - Newbie

    Messages:
    20
    Likes Received:
    4
    Trophy Points:
    6
    That would be fantastic!

    More than with anything else. But I'm definitely not a hardcore hacker, so figuring out how to boot this thing into a custom version of Linux might be beyond my capabilities.

    I can try ;-)

    Thanks a lot!
     
  2. Shurik

    Shurik Pen Pal - Newbie

    Messages:
    20
    Likes Received:
    4
    Trophy Points:
    6
    Due to infinite generosity of whazzup, who shared the disk image from his Eee Note with me, I could peek inside it and here's what I have to report:

    1) The Linux kernel is 2.6.21, built on December 1, 2010 by Helen ;) The system architecture is ARMv5tel, as expected, CPU speed is 312/624 MHz (Run Mode vs. Turbo Mode) and bus clock speed is 208MHz.

    2) There is 256MB RAM and, apparently, 128MB NAND memory on board. RAM chip is Hynix H5MS2G62MFR and it is soldered in, so no upgrades here :( The camera is v2655:
    http://www.ovt.com/download_document.php?type=sensor&sensorid=31

    3) OS identifies itself as "PXA Linux Preview Kit". This is apparently a reference Linux distribution for the PXA series of processor. In fact, the main part of the OS is very spartan and is stripped down to a bare minimum, but more about this below.

    4) During the boot time, all the kernel output is sent to the serial console at /dev/ttyS1 (/dev/ttyS0 is the Wacom digitizer) and later a shell is started on this console as well, so as soon as someone finds out where the serial connector is (I hope it is not DEBUGCON1), it would be very easy to connect to Eee Note remotely and to monitor everything that happens on it. There is no root password :)

    5) Boot and initialization process is very short and streamlined. There are almost no modules that can be loaded. udev is used only to automatically mount/umount inserted sd-card. At the end, a mysterious /usr/bin/ipmd daemon is run in the background (I suspect that it does power management, suspend/resume etc.) and a shell is started. /bin/sh loads /etc/profile that initializes all the devices such as wacom, touchscreen etc. and passes control to /usr/local/eTablet/run.sh that, in turn, sets all the environment variables and starts /usr/local/eTablet/bin/server/eeeserver --- the main Eee program, apparently.

    6) Configuration: /etc/profile contains a line
    export ENOTE_LOCALE=zh_TW.UTF-8
    If "zh_TW" is replaced with "en_US", the tablet should start speaking English ;)
    /etc/pointercal is calibration data.

    7) Configuration: /eTablet/etc/launcher/Config.xml contains layout of, well, the launcher: the order of icons, which programs they start, brief description etc. It would be trivial to add something else to this list.

    8) Root filesystem is mounted from the 6-th partition of the sd-card and the 5-th partition is mounted as /usr. Moreover, /usr/data contains apparent backups rootfs.tar.gz and tmprootfs.tar.gz of the whole filesystem without the /usr directory. tmprootfs.tar.gz is also lacking /eTablet. They are identical otherwise. Despite their names, these are not tar but cpio archives and should be dealt with like
    zcat rootfs.tar.gz | cpio -t
    or
    zcat rootfs.tar.gz | cpio -i -m
    I wasn't able to find any kernel image anywhere, so I guess it is stored in one of the first three partitions together with initrd.

    9) Everything Eee Note specific is located in /eTablet and /usr/local/eTablet directories. /eTablet/etc contains all UI configuration and /eTablet/var all user data (ebooks, notes, pictures etc.) Yes, I did erase everything there as soon as I realized this ;) /usr/local/eTablet/bin stores all ASUS programs and their resources --- on program per directory. They are based on QtEmbedded-4.6.2-arm located in /usr/local/Trolltech

    10) /usr/bin/ipmd is not stripped :p so some better-educated people might be able to figure out what it does.

    I guess that's it for now. Questions are welcome :)

    Conclusion: the device should be easily hackable and is purposely made very open. It would be great to port Xournal to run on Eee Note (to get anti-aliasing and better pressure sensitivity at the very least), but I don't know how easy this could be as Xournal is a GTK/Gnome program, while all of the current GUI is based on QT. This shouldn't be a problem hardware-wise, as Xournal runs happily on Nokia N800 that is considerably slower. Even better would be to port MeeGo, but this is already well beyond my expertise, as I don't even know how to make a custom kernel boot on Eee Note.
     
  3. whazzup

    whazzup Scribbler - Standard Member

    Messages:
    531
    Likes Received:
    32
    Trophy Points:
    41
    and a big thank you for the breakdown! Great work!

    So in a way, hardware-wise, it's like a big WinMo 6.5 phone?

    Like what you said, if eventually there're ways to improve the pressure sensitivity, anti-aliasing, or even an option to keep the CPU on turbo mode constantly, that would be awesome!

    if someone at xda can take a crack at it, might be interesting to see what they come up with....lol...
     
  4. latinvixen

    latinvixen Artist

    Messages:
    262
    Likes Received:
    0
    Trophy Points:
    31
    Oh man a better art program would be amazing :D. Would love to know how to install that for sure ^.^
     
  5. Joshua.Lamorie

    Joshua.Lamorie Pen Pal - Newbie

    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    15
    I did a bit of peeking at the USB connection used for e Eee Note sync. It uses a standard Linux IP over USB system, and everything interesting happens on port 20000. I have windows running in a virtual machine, so I was able to sniff all of the USB traffic during a normal sync and saw some of the commands and responses.

    It appears as if the Eee Sync application (in windows) ends up issuing SQL commands across the link in order to get data to/from the device. Makes sense since they use sqlite.

    I upgraded last night, but didn't sniff the transfer.

    I did examine the files that were downloaded in order to perform the upgrade, but it was pretty weird stuff. There were a bunch of gzipped files (they have to be extracted with dd), each with a silly 'etablet' header (very easy to figure out with ghex2). Although they have different file sizes when compressed, they all gunzipped to 157MB and appear to be ext2 images, or diffs of ext2 images. I managed to mount one file loopback, but it was pretty messed up.

    I bought some T5 torx drivers the other day, so I'm going to head to the basement now and rip out the microSD.

    BTW, I still, for the life of me cannot upload notes to Evernote that ar larger than 7 pages.
     
  6. whazzup

    whazzup Scribbler - Standard Member

    Messages:
    531
    Likes Received:
    32
    Trophy Points:
    41
    i just tried uploading a 26-page notebook to Evernote as well.....no go....ends with a 'Error Handling' message....
     
  7. Joshua.Lamorie

    Joshua.Lamorie Pen Pal - Newbie

    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    15
    ipmd is a power management daemon that opens /dev/ipmc and deals with the power button, 'backlight' and CPU speed.

    However, after saying that.. it kinda leaves us at a dead end regarding how the launcher app gets started. I'd also like to know what the eeeserver is. It is called by eTablet/run.sh and appears to be some sort of mainline for the Qt stuff.

    Or is it used for the eee note sync?

    There appears to be telnetd on there, so perhaps if we toss that into the background in rc.local, or respawn in /etc/inittab we might be able to telnet in through USB or wifi.

    It's kinda neat boot process though. This is my understanding of the SD card partitions.

    1 - 9M data with possibly bootloader (it's got the ASUS logo bitmap) and a compressed kernel (there is a gzip header after the logo).
    2 - initramfs.cpio.gz - contains 'run-init' switchroot app
    3 - not sure
    4 (extended primary)
    5 - ext2 filesystem with system executables (mounted as /usr)
    6 - ext3 filesystem (root file system)

    The /etc/profile script is definitely how things start, but did you notice the following lines?

    if [ -e /mnt/extsdcard/dvt_check ]; then cd /mnt/extsdcard;./dvt_check; fi

    So, it will automatically execute code from the external SD card. However, I can't tell what user that code is executing as.

    Very cool stuff.

    I posted a support request/message to the asus site about the evernote upload. Haven't heard anything yet.
     
  8. pbarrette

    pbarrette Scribbler - Standard Member

    Messages:
    196
    Likes Received:
    2
    Trophy Points:
    31
    Hi Joshua.Lamorie,

    The eTablet.rom file currently available for download contains 6 sections.

    The sections are delineated by separate headers, with the 6th section broken into 5 subsections.

    The sections, in order are:
    etablet info
    etablet part
    etablet bmps
    etablet kern
    etablet init
    etabletz root

    There are actually 5 "etabletz root" sections in the ROM file.

    Each section has a 32 byte header:

    00 01 02 03 04 05 06 07 - 08 09 0A 0B 0C 0D 0E 0F
    == == == == == == == == - == == == == == == == ==
    65 74 61 62 6C 65 74 20 - 20 00 00 00 69 6E 66 6F etablet info
    XX XX XX XX YY YY YY YY - 00 00 00 00 00 00 00 00


    There is only 1 space (0x20) instead of two when the header is of type "etabletz".

    The "XX" section is a 32bit number which delineates the length of the section without the header.
    The "YY" section is a CRC of the section contents which verifies it is not corrupted. I haven't yet figured out how the CRC is calculated.

    The sections appear to contain the following information:
    [info] = Version information about the update.
    [part] = Partition order and size (MB) for the internal SD card.
    [bmps] = Raw 768x275 8bPP bitmap files with minimal headers used as startup images.
    [kern] = The gzipped linux kernel, sans ELF header.
    [init] = A gzipped, cpio archive of the initrd filesystem called by the kernel.
    [root] = A gzipped, ext2 disk image filesystem containing the binaries necessary for the user interface.

    The 5 [root] sections can be extracted to 4 files of exactly 150MB in size, with the last file being exactly 50MB in size.

    If I concatenate all 5 sections in order, I can mount the resulting file as a 650MB ext2fs disk image. Not coincidentally, the [part] section lists a 650MB "Root" partition.

    It also appears that the "launcher" program is actually the main user interface which is used to launch the other "apps" like browser and ebookreader.

    The eeeserver program appears to handle the PC synchronization and communication with the Windows EeeNoteSync application.

    About the EeeNoteSync application. It is written in a .NET programming language, the code has not been obfuscated and appears to be known internally as PctoolsClient. If you understand .NET programming languages, you can easily open the Sync software in .NET Reflector and find quite a bit of useful information.

    I currently have my EEE Note on order from "global.pchome.com.tw" for shipping to the US. Hopefully, once I get it, I can figure out more about customizing it.

    One thing I did find is that the Boot.rom contents indicate that the bootloader has an emergency restoration mode.
    It appears to require that the eTablet.rom file be placed in a folder on the external SD card and a key combination is used during power-on.

    Finally, from .NET Reflector, I was able to determine that the EeeNoteSync application is determining whether new firmware is available by checking the XML file found here:
    http://dlcdnet.asus.com/pub/ASUS/LiveUpdate/Release/Eee Family/EeeNote.idx

    The XML file lists all of the firmware and software currently available for download.

    Hope this helps,

    pb
     
  9. pbarrette

    pbarrette Scribbler - Standard Member

    Messages:
    196
    Likes Received:
    2
    Trophy Points:
    31
    Hi all,

    The section checksums are computed as follows:
    1] Strip the section of its 32byte header.
    2] Read every 4 bytes as a 32bit integer.
    3] Add each 32bit integer together.
    4] If there are remaining bytes that don't comprise a 32bit integer, add each remaining byte to the total individually.

    The result of the byte addition is the section checksum.

    Please note that when viewed in a hex editor, the checksum is stored in little-endian order. Your computed checksum may appear to be reversed from that.

    Ugly CSharp code for the checksum computation is as follows:
    Code:
            public string CkSum()
            {
                FileInfo fInfo = new FileInfo(FirmwareFile);
                FileStream firmFile = new FileStream(FirmwareFile, FileMode.Open, FileAccess.Read, FileShare.Delete);
    
                byte[] input = new byte[fInfo.Length];
                int iResult = firmFile.Read(input, 0, (int)fInfo.Length);
    
                int num = 0;
                int i = 0;
                for (i = 0; i < (input.Length -4); i += 4)
                {
                    num += BitConverter.ToInt32(input, i);
                }
                if (i < input.Length)
                {
                    while (i < input.Length)
                    {
                        num += input[i];
                        i = i + 1;
                    }
                }
                return string.Format("{0:x2}", num);
            }
    
    This was determined based on some previous work I did on the firmware format of a uClinux based media player. Apparently, this kind of checksum calculation is relatively common, though I'd never heard of it before.

    pb
     
  10. whazzup

    whazzup Scribbler - Standard Member

    Messages:
    531
    Likes Received:
    32
    Trophy Points:
    41
    @pbarrette

    wow, awesome stuff....hope you get your unit soon too!
     
Loading...

Share This Page