linux-sunxi
H313 FEL support
I am trying to use FEL mode on TV BOX Wudung W01 which is similar to Tanix TX1 and Vontar QTV Q1. All are based on Allwinner H313, but it's detected as H616.
$ ./sunxi-fel ver
AWUSBFEX soc=00001823(H616) 00000001 ver=0001 44 08 scratchpad=00027e00 00000000 00000000
But it fails on uploading SPL:
$ ./sunxi-fel -v spl sunxi-spl.bin
found DT name in SPL header: allwinner/sun50i-h313-tanix-tx1
Stack pointers: sp_irq=0x00021400, sp=0x00053FFC
MMU is not enabled by BROM
=> Executing the SPL... done.
usb_bulk_send() ERROR -7: Operation timed out
After fail ver also is not working until the board is not rebooted in FEL mode.
$ ./sunxi-fel ver
usb_bulk_send() ERROR -7: Operation timed out
The same problem with uboot feature:
$ ./sunxi-fel -v uboot u-boot-sunxi-with-spl.bin
found DT name in SPL header: allwinner/sun50i-h313-tanix-tx1
Stack pointers: sp_irq=0x00021400, sp=0x00053FFC
MMU is not enabled by BROM
=> Executing the SPL... done.
usb_bulk_send() ERROR -7: Operation timed out
UART is silent in FEL mode.
Could you please fix FEL functions for H313 ?
PS: I did add Wudung W01 PCB images on Tanix TX1 page (both are similar): https://linux-sunxi.org/Tanix_TX1
It fails on executing the SPL as the device freezes and becomes unresponsive. Is this particular SPL binary successfully bootable from an SD card?
edit: Okay, there's no SD card on this device, based on the info from the wiki. Still the problem is likely that the SPL binary or the DT is just incompatible with this hardware. Do you have serial console? Are there any messages printed on it?
There's a special UART helloworld binary in the sunxi-tools repository, which is device-agnostic and compatible with a wide range of devices. Can you boot it instead of the SPL using sunxi-fel?
I did prepare USB flash:
dd if=u-boot-sunxi-with-spl.bin of=/dev/sdc bs=1024 seek=8
Here is UART log
[238]HELLO! SBOOT is starting!
[241]sboot commit : 12a0e3cc
[244]set pll start
[247]periph0 has been enabled
[250]set pll end
[252]unknow PMU
[253]unknow PMU
[255]PMU: AXP1530
[257]dram return write ok
[260]board init ok
[262]try to probe rtc region
[264]DRAM BOOT DRIVE INFO: V0.651
[268]the chip id is 0x5c00
[270]chip id check OK
[274]DRAM_VCC set to 1200 mv
[276]DRAM CLK =720 MHZ
[279]DRAM Type =7 (3:DDR3,4:DDR4,7:LPDDR3,8:LPDDR4)
[287]Actual DRAM SIZE =1536 M
[289]DRAM SIZE =1536 MBytes, para1 = 30fa, para2 = 6001000, dram_tpr13 = 26061
[299]DRAM simple test OK.
[301]rtc standby flag is 0x0, super standby flag is 0x0
[306][mmc]: mmc driver ver 2021-10-12 13:56
[311][mmc]: b mmc 2 bias 4
[319][mmc]: Wrong media type 0x0, but host sdc2, try mmc first
[325][mmc]: ***Try MMC card 2***
[348][mmc]: RMCA OK!
[351][mmc]: MMC 5.0
[353][mmc]: HSSDR52/SDR25 8 bit
[356][mmc]: 50000000 Hz
[358][mmc]: 15028 MB
[360][mmc]: ***SD/MMC 2 init OK!!!***
[448]read toc1 from emmc 32800 sector
[452]OLD version: 0.0
[454]NEW version: 0.0
[529]load rotpk hash
[593]load monitor-key hash
[595]load monitor hash
[800]load boot-key hash
[802]load boot hash
[868]load vbmeta-key hash
[870]load vbmeta hash
[938]load recovery-key hash
[941]load recovery hash
[944]monitor entry=0x48000000
[947]uboot entry=0x4a000000
[949]optee entry=0x48600000
[952]tunning data addr:0x4a0003e8
[958]run out of boot0
NOTICE: BL3-1: v1.0(debug):05d6c57
NOTICE: BL3-1: Built : 13:35:35, 2021-10-28
NOTICE: BL3-1 commit: 8
NOTICE: cpuidle init version V1.0
NOTICE: secure os exist
MESSAGE: [0x0] TEE-CORE: OP-TEE version: 81ab7a47 #1 2020年 05月 06日 星期三 02:40:04 UTC arm
NOTICE: BL3-1: Preparing for EL3 exit to normal world
NOTICE: BL3-1: Next image address = 0x4a000000
�OTICE: BL3-1: Next image spsr = 0x1d3
U-Boot 2018.05-g8ac4189 (Feb 27 2025 - 14:03:05 +0800) Allwinner Technology
[01.052]CPU: Allwinner Family
[01.055]Model: sun50iw9
I2C: ready
[01.060]Relocation Offset is: 55ebe000
[01.099]secure enable bit: 1
[01.101]pmu_axp152_probe pmic_bus_read fail
[01.105]PMU: AXP1530
[01.111]CPU=1008 MHz,PLL6=600 Mhz,AHB=200 Mhz, APB1=100Mhz MBus=400Mhz
[01.119]drv_disp_init
[01.149]__clk_enable: clk is null.
[01.155]drv_disp_init finish
[01.157]gic: sec monitor mode
[01.185]flash init start
[01.187]workmode = 0,storage type = 2
[01.191]MMC: 2
[01.192][mmc]: mmc driver ver uboot2018:2021-07-19 14:09:00
[01.198][mmc]: get sdc_type fail and use default host:tm4.
[01.210][mmc]: SUNXI SDMMC Controller Version:0x40502
[01.234][mmc]: Best spd md: 3-HS200/SDR104, freq: 4-150000000, Bus width: 8
[01.240]sunxi flash init ok
[fd650] show_string: 8888 8
[01.251]Loading Environment from SUNXI_FLASH... OK
secure storage read hdcpkey fail
[01.263]secure storage read hdcpkey fail with:-1
secure storage read widevine fail
[01.270]secure storage read widevine fail with:-1
[01.275]probe MP tools from boot
delay time 0
weak:otg_phy_config
[01.289]usb init ok
[01.792]usb overtime
[01.797]usb burn from boot
delay time 0
weak:otg_phy_config
[01.811]usb prepare ok
[02.614]overtime
[02.618]do_burn_from_boot usb : no usb exist
[02.622]boot_gui_init:start
FAT: Misaligned buffer address (9be7a258)
32 bytes read in 4 ms (7.8 KiB/s)
tcon_de_attach:de=0,tcon=2[02.909]boot_gui_init:finish
[02.912]bmp_name=bootlogo.bmp
2764854 bytes read in 21 ms (125.6 MiB/s)
[02.955][mmc]: delete mmc-hs400-1_8v from dtb
[02.962]update dts
** Unrecognized filesystem type **
[02.975]load file(ULI/factory/rootwait init.txt) error.
[02.980]name in map snum
[02.982]name in map mac
** Unrecognized filesystem type **
[02.996]load file(ULI/factory/wifi_mac.txt) error.
** Unrecognized filesystem type **
[03.012]load file(ULI/factory/bt_mac.txt) error.
** Unrecognized filesystem type **
[03.027]load file(ULI/factory/selinux.txt) error.
** Unrecognized filesystem type **
[03.045]load file(ULI/factory/specialstr.txt) error.
[03.059]update part info
[03.206]update bootcmd
[03.208]No ethernet found.
Hit any key to stop autoboot: 0
[03.462]not supported key
[03.464]actual n size:1000, e:10001
[03.467]exptect n size:800, e:10001
show hash of file
92 e2 04 ab ff 7a c1 ad 2e 92 27 f6 fb 3c 74 ae
ab 5b c7 ee 10 e5 e0 7f e4 71 f6 5f 26 13 94 d4
image vbmeta hash valid
CACHE: Misaligned operation at range [44ffffe0, 462a6800]
[03.638]Starting kernel ...
It's booted from internal bootloader anyway.
UPD: I did use Linaro aarch64-linux-gnu to compile ATF bl31 for H616: https://github.com/ARM-software/arm-trusted-firmware/releases/tag/v2.13.0
make CROSS_COMPILE=aarch64-linux-gnu- PLAT=sun50i_h616 DEBUG=0
and u-boot: CROSS_COMPILE=aarch64-linux-gnu- make tanix_tx1_defconfig
BL31=/longpath/arm-trusted-firmware-2.13.0/build/sun50i_h616/release/bl31.bin CROSS_COMPILE=aarch64-linux-gnu- make
H313 and H616 are the same die (sun50iw9) so what sunxi-fel prints is correct.
Have you tried from a different host? The timeout issues may be related to the host USB stack and not to an actual issue with sunxi-fel or the binaries (bootrom USB implementations tend to be a bit fragile).
Have you tried from a different host? The timeout issues may be related to the host USB stack and not to an actual issue with sunxi-fel or the binaries (bootrom USB implementations tend to be a bit fragile).
The log says that executing the SPL was "done", so it was presumably successfully uploaded and executed. I would still do a test with the helloworld payload. If it works fine, then there are no problems on the sunxi-fel side.
edit: The the uart0-helloworld-sdboot.sunxi binary in the bin directory seems to be a bit stale. It probably needs to be refreshed.
One more thing:
When I use sunxi-fel v1.4.2 from Gentoo Portage i'm getting one scratchpad:
fel ver AWUSBFEX soc=00001823(unknown) 00000001 ver=0001 44 08 scratchpad=00007e00 00000000 00000000
With master branch sunxi-fel v1.4.2-195-g7540cb2 it's another: AWUSBFEX soc=00001823(H616) 00000001 ver=0001 44 08 scratchpad=00027e00 00000000 00000000
Have you tried from a different host?
I did try another host and got the same result.
I would still do a test with the helloworld payload.
Could you explain what do you mean? What steps should be done?
One more thing:
When I use sunxi-fel v1.4.2 from Gentoo Portage i'm getting one scratchpad:
fel ver AWUSBFEX soc=00001823(unknown) 00000001 ver=0001 44 08 scratchpad=00007e00 00000000 00000000
With master branch sunxi-fel v1.4.2-195-g7540cb2 it's another: AWUSBFEX soc=00001823(H616) 00000001 ver=0001 44 08 scratchpad=00027e00 00000000 00000000
Gentoo Portage has an older version of sunxi-fel, which doesn't recognize your SoC. The master branch has support for it.
I would still do a test with the helloworld payload.
Could you explain what do you mean? What steps should be done?
U-boot SPL is a big and complicated code with a lot of moving parts. You are trying to boot an SPL built for a different device and it fails.
The uart0-helloworld-sdboot.sunxi is a very lightweight replacement for the SPL, which is easy to troubleshoot. Try to run:
sunxi-fel spl uart0-helloworld-sdboot.sunxi
And check if it prints anything on the serial console. But build it from git master sources.
So I just tried it on my Tanix-TX1: it all works as expected for me, with everything from its master branch:
- sunxi-tools commit 7540cb235
- uart0-helloworld-sdboot.sunxi as from the bin/ directory on github
- TF-A 06a5fe8e735
- U-Boot a854c12062c4
Built with some GCC 11.2 compiler, but please use a distro provided cross compiler. Don't use Linaro GCC builds anymore, they are out of fashion for years now. Cross toolchains from kernel.org or bootlin should work equally well, maybe just avoid the latest builds - GCC 15.0 for instance is quite new and less well tested. Make sure you enter FEL mode correctly, it can be a bit touchy. What worked well for me is to boot into the internal firmware, type "su" to become root, keep the FEL button (in the AV socket) pressed, then type reboot and wait for "Restarting system with command 'shell'". Then try "sunxi-fel -v spl uart0-helloworld-sdboot.sunxi", that should return very quickly and print a hello message on the UART. Hope that helps.
Just finished the test and UART output is:
Hello from Allwinner H616!
Returning back to FEL.
Does anybody have idea where is my problem now and how to make TV BOX to work with custom u-boot ? I can try to recompile with crossdev GCC 14, but do not think it could change something. I understand that I should close the ticket now but please let me know where I could continue such discussion.
So I just tried it on my Tanix-TX1: it all works as expected for me, with everything from its master branch:
Did you try to boot compiled u-boot in FEL or on USB flash?
Do you get any output on the serial from the mainline SPL? If you get output from uart0-helloworld-sdboot.sunxi and from the vendor firmware, then you should see some messages from the SPL, for instance if the DRAM init fails, which would explain your symptoms. For reference, try this (mainline) build of mine, for the TX1: https://paste.c-net.org/ThatcherSnowman Also, can you please check the name of the Samsung chip on your device? I read something like KMD31000 on the (rather poor) picture in the Wiki, though that doesn't hit anything in Google. The TX1 uses a KMR31000 DRAM/eMMC chip, and the Wudung PCB read v2.0 (instead of v1.1 for the TX1), so there might be some differences in the DRAM setup. Also do you have any vendor update image that can be scanned for boot0 and its DRAM parameters?
Do you get any output on the serial from the mainline SPL?
I did try to compile two repos compiled with aarch64-unknown-linux-gnu-gcc: https://github.com/apritzel/u-boot/ https://source.denx.de/u-boot/u-boot.git
I do not have any problems with getting "Hello from Allwinner H616!" in my console but I'm getting timeout error with SPLs from both repos and the SPL provided in previous message link:
/usr/local/bin/sunxi-fel -v spl u-boot-sunxi-with-spl.bin
found DT name in SPL header: allwinner/sun50i-h313-tanix-tx1
Stack pointers: sp_irq=0x00021400, sp=0x00053FFC
MMU is not enabled by BROM
=> Executing the SPL... done.
usb_bulk_send() ERROR -7: Operation timed out
My compiler:
aarch64-unknown-linux-gnu-gcc --version
aarch64-unknown-linux-gnu-gcc (Gentoo 15.1.1_p20250705-r1 p2) 15.1.1 20250705
Exact chip name: kmq310006a
I did not find firmware update but I have original dump ( I downloaded it using Android console from /dev/block/mmcblk0 . Full dump is huge: https://uploadnow.io/f/G5DZcDm
Here are something what I found uisng binwalk.
system.dtb: https://paste.c-net.org/MilnerWally
env:
earlyprintk=sunxi-uart,0x05000000initcall_debug=0console=ttyS0,115200nand_root=/dev/nand0p4mmc_root=/dev/mmcblk0p4init=/initloglevel=1selinux=0cma=64Mmac=wifi_mac=bt_mac=specialstr=keybox_list=hdcpkey,widevinesetargs_nand=setenv bootargs earlyprintk=${earlyprintk} initcall_debug=${initcall_debug} console=${console} loglevel=${loglevel} root=${nand_root} init=${init} partitions=${partitions} cma=${cma} snum=${snum} mac_addr=${mac} wifi_mac=${wifi_mac} bt_mac=${bt_mac} selinux=${selinux} specialstr=${specialstr} gpt=1setargs_mmc=setenv bootargs earlyprintk=${earlyprintk} initcall_debug=${initcall_debug} console=${console} loglevel=${loglevel} root=${mmc_root} rootwait init=${init} partitions=${partitions} cma=${cma} snum=${snum} mac_addr=${mac} wifi_mac=${wifi_mac} bt_mac=${bt_mac} selinux=${selinux} specialstr=${specialstr} gpt=1boot_normal=sunxi_flash read 45000000 boot;bootm 45000000boot_recovery=sunxi_flash read 45000000 recovery;bootm 45000000boot_fastboot=fastbootrecovery_key_value_max=0x13recovery_key_value_min=0x10fastboot_key_value_max=0x8fastboot_key_value_min=0x2bootdelay=0bootcmd=run setargs_nand boot_normal
I did try to find signatures in boot0 and did not find something useful to detect DRAM settings. Thank you for your help.
Ah, so the box is using Allwinner's "secure boot" mechanism. Normally that would just mean you need to enable SPL_IMAGE_TYPE_SUNXI_TOC0=y in the U-Boot build, to get a (self-signed) TOC0 encoded boot image, which would work on SD cards and eMMC. So if you manage to get this to the eMMC, this might work. FEL booting is a bit tricky with secure boot on newer SoCs, as FEL runs in non-secure state there, so we can only access parts of the system. In particular we cannot switch to 64-bit this way - this is probably what you are seeing. On the A64 it was sufficient to do an SMC call (sunxi-fel does this automatically), but this does no longer work this way on for instance the H616. We have some leads how to overcome this, but the return to FEL is not working yet. So I guess you need to wait until we find the solution, or try to "dd" a TOC0 U-Boot build to the eMMC.
I generated fake PEM: openssl genrsa -out root_key.pem 2048
and did compile SPL with SPL_IMAGE_TYPE_SUNXI_TOC0=y
But Wudung W01 does not have MMC slot and it refuses to search SPL on USB drive: Can you give me a hint how can I dd TOC0 to eMMC without access to uboot console? Here is boot log and it does not change when USB flash is connected:
[316]HELLO! SBOOT is starting!
[319]sboot commit : 12a0e3cc
[322]set pll start
[325]periph0 has been enabled
[328]set pll end
[330]unknow PMU
[331]unknow PMU
[333]PMU: AXP1530
[335]dram return write ok
[337]board init ok
[339]try to probe rtc region
[342]DRAM BOOT DRIVE INFO: V0.651
[345]the chip id is 0x5c00
[348]chip id check OK
[351]DRAM_VCC set to 1200 mv
[354]DRAM CLK =720 MHZ
[356]DRAM Type =7 (3:DDR3,4:DDR4,7:LPDDR3,8:LPDDR4)
[364]Actual DRAM SIZE =1536 M
[367]DRAM SIZE =1536 MBytes, para1 = 30fa, para2 = 6001000, dram_tpr13 = 26061
[376]DRAM simple test OK.
[379]rtc standby flag is 0x0, super standby flag is 0x0
[384][mmc]: mmc driver ver 2021-10-12 13:56
[388][mmc]: b mmc 2 bias 4
[396][mmc]: Wrong media type 0x0, but host sdc2, try mmc first
[402][mmc]: ***Try MMC card 2***
[426][mmc]: RMCA OK!
[429][mmc]: MMC 5.0
[431][mmc]: HSSDR52/SDR25 8 bit
[434][mmc]: 50000000 Hz
[436][mmc]: 15028 MB
[438][mmc]: ***SD/MMC 2 init OK!!!***
[526]read toc1 from emmc 32800 sector
[529]OLD version: 0.0
[531]NEW version: 0.0
[607]load rotpk hash
[670]load monitor-key hash
[673]load monitor hash
[877]load boot-key hash
[880]load boot hash
[946]load vbmeta-key hash
[948]load vbmeta hash
[1016]load recovery-key hash
[1018]load recovery hash
[1022]monitor entry=0x48000000
[1025]uboot entry=0x4a000000
[1028]optee entry=0x48600000
[1030]tunning data addr:0x4a0003e8
[1036]run out of boot0
NOTICE: BL3-1: v1.0(debug):05d6c57
NOTICE: BL3-1: Built : 13:35:35, 2021-10-28
NOTICE: BL3-1 commit: 8
NOTICE: cpuidle init version V1.0
NOTICE: secure os exist
MESSAGE: [0x0] TEE-CORE: OP-TEE version: 81ab7a47 #1 2020年 05月 06日 星期三 02:40:04 UTC arm
NOTICE: BL3-1: Preparing for EL3 exit to normal world
NOTICE: BL3-1: Next image address = 0x4a000000
�OTICE: BL3-1: Next image spsr = 0x1d3
U-Boot 2018.05-g8ac4189 (Feb 27 2025 - 14:03:05 +0800) Allwinner Technology
...
I have a heap of linux boxes but this one is an unclosed gestalt.
Yes, as you figured Allwinner BSP firmware never tries to read anything from USB. Indeed the Tanix TX1 and this box are a bit of a challenge, since they are one of the very few without an SD slot, which normally makes AW based boxes quite hackable. Do you have root access on the vendor firmware? I guess you could then try to download the U-Boot image to the device (via a webserver or file sharing or via an SSH server), then try to get a console and call dd from there.
The other (more involved) solution would be to compile a 32-bit U-Boot (or at least SPL), then load and execute this via FEL, then upload the actual 64-bit image to DRAM and use the booted 32-bit U-Boot to write this to the eMMC boot partition. This might work without leaving the non-secure world that you are trapped in. I did compile 32-bit U-Boot builds for 64-bit SoCs in the past, but I haven't tried lately to see what kind of hacks are still needed to make this work. This scheme is based on the fact that you don't need secure or 64-bit mode to access the eMMC, this is all readily available from non-secure AArch32. Theoretically you can program all needed MMIO registers via FEL, but it's extremely tedious, of course. I heard of people working on direct MMC access via sunxi-fel (similar to how we can write to NOR flash this way), but I don't think this went anywhere. But there should be no technical hurdles preventing this.
So I think I found a way, based on the 32-bit build idea above. Please try the following:
- Build a normal firmware version of mainline U-Boot (plus TF-A) for the Tanix TX1, but set
CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0=yin menuconfig or the defconfig file. Copy the resultingu-boot-sunxi-with-spl.binsomewhere safe. - Apply this patch (on top of mainline): https://gist.github.com/apritzel/573e1607b255f23ee025837379d8c706
- Do a
$ make clean; then re-configure for the Tanix TX1 again (make sure CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0 is not set) - Now switch your cross-compiler to an arm32 bit compiler, and compile U-Boot again.
- Verify with
$ file spl/u-boot-spl u-bootthat both are 32-bit binaries. - Bring your box into FEL mode (turn on with hidden FEL button in headphone jack pushed)
- Boot the box with the 32-bit build, and upload the real 64-bit build into DRAM:
$ sunxi-fel -v -p spl spl/sunxi-spl.bin write 0x4a000000 u-boot-dtb.bin write 0x50000000 /path/to/saved/64-bit/u-boot-sunxi-with-spl.bin exec 0x4a000000
-
Write the uploaded 64-bit binary to the eMMC boot partition:
=> mmc dev 1 => mmc bootbus 1 1 0 0 => mmc partconf 1 1 1 1 => mmc write 0x50000000 0 0x7f0
-
reset the board:
=> reset, now it should boot into mainline U-Boot. Load a kernel from a USB drive and enjoy. -
To get back to the vendor BSP firmware, boot into mainline U-Boot, then type:
=> mmc partconf 1 1 0 0, then reset. -
To re-activate the mainline firmware, boot via FEL into the 32-bit firmware (no need to upload the 64-bit build again), then just re-activate the eMMC boot partition:
=> mmc partconf 1 1 1 0, then reset.
Hope that works, I tested this on a secure-boot A133 tablet, where FEL has the exact same problem as your box.