天启android5.1系统无法在非1650批次号的rk3288w芯片上启动

天启android5.1系统无法在非1650批次号的rk3288w芯片上启动

挂掉log，说明在rtc初始化后挂掉

[    1.420240] ======== PULL WL_REG_ON(-1) HIGH! ========
[    1.420246] [WLAN_RFKILL]: rockchip_wifi_power: 1
[    1.420253] [WLAN_RFKILL]: rockchip_wifi_ref_voltage: 1
[    1.420258] [WLAN_RFKILL]: rockchip_wifi_ref_voltage: wifi io reference voltage control is disabled.
[    1.420759] android_usb gadget: Mass Storage Function, version: 2009/09/11
[    1.420768] android_usb gadget: Number of LUNs=2
[    1.420776]  lun0: LUN: removable file: (no medium)
[    1.420782]  lun1: LUN: removable file: (no medium)
[    1.420924] android_usb gadget: android_usb ready
[    1.420991] sensor_init: Probe name sensors
[    1.421006] sensor-dev.c v1.4 add angle calculation support between two gsensors 2013-09-01
[    1.421532] rtc_hym8563 0-0051: setting system clock to 2011-01-01 12:00:00 UTC (1293883200)
[    1.430593] 
u?

开发板正常log，说明在snd-usb-audio初始化前挂掉

[    2.456978] sensor_init: Probe name sensors
[    2.456995] sensor-dev.c v1.4 add angle calculation support between two gsensors 2013-09-01
[    2.457525] rtc_hym8563 0-0051: setting system clock to 2011-01-01 12:14:58 UTC (1293884098)
[    2.463556] rockchip-spdif-card rockchip-spdif-card.25:  rk-hdmi-spdif-hifi <-> ff880000.rockchip-spdif mapping ok
[    2.464517] ret 1024
[    2.464896] usbcore: registered new interface driver snd-usb-audio
[    2.464903] ALSA device list:
[    2.464908]   #0: RK_ES8323
[    2.464912]   #1: RK-SPDIF-CARD

system.map
kernel 部分驱动启动顺序映射表

c0c11154 t __initcall_init7
c0c11158 t __initcall_sensor_init7
c0c1115c t __initcall_rtc_hctosys7
c0c11160 t __initcall_sync_debugfs_init7
c0c11164 t __initcall_clk_debug_init7
c0c11168 t __initcall_rockchip_headset_init7
c0c1116c t __initcall_rockchip_spdif_init7
c0c11170 t __initcall_tcp_congestion_default7
c0c11174 t __initcall_tcp_fastopen_init7
c0c11178 t __initcall_ip_auto_config7
c0c1117c t __initcall_drm_misc_init7s
c0c11180 t __initcall_clk_disable_unused7s
c0c11184 t __initcall_snd_usb_audio_init7s
c0c11188 t __initcall_alsa_sound_last_init7s
c0c1118c t __initcall_initialize_hashrnd7s
c0c11190 T __con_initcall_end
c0c11190 T __con_initcall_start
c0c11190 T __initcall_end
c0c11190 t __initcall_selinux_init

在rtc_hctosys与snd_usb_audio启动之间有以下驱动程序初始化

c0c11160 t __initcall_sync_debugfs_init7
c0c11164 t __initcall_clk_debug_init7
c0c11168 t __initcall_rockchip_headset_init7
c0c1116c t __initcall_rockchip_spdif_init7
c0c11170 t __initcall_tcp_congestion_default7
c0c11174 t __initcall_tcp_fastopen_init7
c0c11178 t __initcall_ip_auto_config7
c0c1117c t __initcall_drm_misc_init7s
c0c11180 t __initcall_clk_disable_unused7s

在这些驱动函数初始化中加入log调试
挂掉log：

[    3.037934] sensor_init: Probe name sensors
[    3.037949] sensor-dev.c v1.4 add angle calculation support between two gsensors 2013-09-01
[    3.038475] rtc_hym8563 0-0051: setting system clock to 2018-09-14 17:07:26 UTC (1536944846)
[    3.044644] rockchip-spdif-card rockchip-spdif-card.25:  rk-hdmi-spdif-hifi <-> ff880000.rockchip-spdif mapping ok
[    3.044959] carroll : tcp_fastopen_init
[    3.044987] carroll : ip_auto_config

u�

正常启动log为：

[    2.456978] sensor_init: Probe name sensors
[    2.456995] sensor-dev.c v1.4 add angle calculation support between two gsensors 2013-09-01
[    2.457525] rtc_hym8563 0-0051: setting system clock to 2011-01-01 12:14:58 UTC (1293884098)
[    2.463556] rockchip-spdif-card rockchip-spdif-card.25:  rk-hdmi-spdif-hifi <-> ff880000.rockchip-spdif mapping ok
[    2.463889] carroll : tcp_fastopen_init
[    2.463917] carroll : ip_auto_config
[    2.464517] ret 1024
[    2.464588] carroll : clk_disable_unused
[    2.464896] usbcore: registered new interface driver snd-usb-audio
[    2.464903] ALSA device list:
[    2.464908]   #0: RK_ES8323
[    2.464912]   #1: RK-SPDIF-CARD

对比上述驱动初始化顺序表发现只剩下一个驱动初始化的嫌疑
c0c1117c t __initcall_drm_misc_init7s

查找drm_misc_init在整个SDK中 grep drm_misc_init -r firefly-rk3288_android5.1_git_20180126/*

firefly-rk3288_android5.1_git_20180126/android.iws:      drm_misc_init
Binary file firefly-rk3288_android5.1_git_20180126/kernel/.tmp_vmlinux2 matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/vmlinux matches
firefly-rk3288_android5.1_git_20180126/kernel/System.map:c0be3a14 t drm_misc_init
firefly-rk3288_android5.1_git_20180126/kernel/System.map:c0c1111c t __initcall_drm_misc_init7s
Binary file firefly-rk3288_android5.1_git_20180126/kernel/pie/pie_stage1.o matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/pie/pie_stage2.o matches
firefly-rk3288_android5.1_git_20180126/kernel/.tmp_System.map:c0be3a14 t drm_misc_init
firefly-rk3288_android5.1_git_20180126/kernel/.tmp_System.map:c0c1111c t __initcall_drm_misc_init7s
Binary file firefly-rk3288_android5.1_git_20180126/kernel/vmlinux.o matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtd matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/built-in.o matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtdrm.o matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/built-in.o matches

发现并没有drm_misc_init的函数，到此嫌疑只能推给这几个文件了

Binary file firefly-rk3288_android5.1_git_20180126/kernel/.tmp_vmlinux2 matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/vmlinux matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/pie/pie_stage1.o matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/pie/pie_stage2.o matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/vmlinux.o matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtd matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/built-in.o matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtdrm.o matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/built-in.o matches

根据名字可能再筛选出以下三个

Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtd matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtdrm.o matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/built-in.o matches

可能是这两个的原因

Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtd matches
Binary file firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtdrm.o matches

调试发现firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/目录下的Makefile发现
删除此驱动模块编译注册 obj-y += virtdrm.o
产生编译错误

OBJCOPY pie/pie.bin
  OBJCOPY pie/pie.bin.o
  LD      pie/built-in.o
  GEN     .version
  CHK     include/generated/compile.h
  UPD     include/generated/compile.h
  CC      init/version.o
  LD      init/built-in.o
drivers/built-in.o: In function `mmc_blk_shutdown':
binder.c:(.text+0x338e90): undefined reference to `mmc_blk_emmc_remove'
drivers/built-in.o: In function `mmc_blk_probe':
binder.c:(.text+0x33ae28): undefined reference to `mmc_blk_emmc_add'
drivers/built-in.o: In function `mmc_blk_remove':
binder.c:(.text+0x33b270): undefined reference to `mmc_blk_emmc_remove'
make: *** [vmlinux] Error 1
/work/rk3288/firefly-rk3288_android5.1_git_20180126
TARGET_PRODUCT=rk3288_box
TARGET_HARDWARE=rk30board
IMG_TARGET=all , ota = withoutkernel
system filesysystem is ext4

然后分别屏蔽代码调用

编译成功并且跳过之前挂掉的地方，但是在内核启动完成后挂了 log

[    2.446169] sensor_init: Probe name sensors
[    2.446183] sensor-dev.c v1.4 add angle calculation support between two gsensors 2013-09-01
[    2.446709] rtc_hym8563 0-0051: setting system clock to 2011-01-01 13:52:53 UTC (1293889973)
[    2.452731] rockchip-spdif-card rockchip-spdif-card.25:  rk-hdmi-spdif-hifi <-> ff880000.rockchip-spdif mapping ok
[    2.453062] carroll : tcp_fastopen_init
[    2.453091] carroll : ip_auto_config
[    2.453108] carroll : clk_disable_unused
[    2.453418] usbcore: registered new interface driver snd-usb-audio
[    2.453426] ALSA device list:
[    2.453430]   #0: RK_ES8323
[    2.453435]   #1: RK-SPDIF-CARD

分析原因屏蔽掉的源码为添加emmc设备，屏蔽后添加失败，文件系统初始化不成功

[    1.650105] 1358..dw_mci_set_ios:  no card. [mmc1]
[    1.662562] mmc0: BKOPS_EN bit is not set
[    1.664435] rk_sdmmc: BOOT Bus speed=0Hz,Bus width=8bits.[mmc0]
[    1.666717] mmc_host mmc0: Bus speed (slot 0) = 100000000Hz (slot req 100000000Hz, actual 100000000HZ div = 0)
[    1.666742] rk_sdmmc: BOOT dw_mci_setup_bus: argue clk_mmc workaround out normal clock [mmc0]
[    1.666764] [mmc0] tuning regsbase addr 0x218.
[    1.667453] [mmc0] Data transmission error !!!!  MINTSTS: [0x00000088]
[    1.667464] [mmc0] host was already tuning, Don't need to retry tune again ignore 0.
[    1.667492] dwmmc_rockchip ff0f0000.rksdmmc: Tuning error: cmd.error:0, data.error:-84
[    1.667518] [mmc0] Data transmission error !!!!  MINTSTS: [0x00000088]
[    1.667527] [mmc0] host was already tuning, Don't need to retry tune again ignore 0.
[    1.667554] dwmmc_rockchip ff0f0000.rksdmmc: Tuning error: cmd.error:-84, data.error:-115
[    1.667580] [mmc0] Data transmission error !!!!  MINTSTS: [0x00000088]
[    1.667589] [mmc0] host was already tuning, Don't need to retry tune again ignore 0.
[    1.667615] dwmmc_rockchip ff0f0000.rksdmmc: Tuning error: cmd.error:-84, data.error:-115
[    1.667640] [mmc0] Data transmission error !!!!  MINTSTS: [0x00000088]
[    1.667649] [mmc0] host was already tuning, Don't need to retry tune again ignore 0.
[    1.667676] dwmmc_rockchip ff0f0000.rksdmmc: Tuning error: cmd.error:0, data.error:-84
[    1.667722] dwmmc_rockchip ff0f0000.rksdmmc: Good phase range 0-225 (21 len)
[    1.667733] dwmmc_rockchip ff0f0000.rksdmmc: Good phase range 282-282 (1 len)
[    1.667744] dwmmc_rockchip ff0f0000.rksdmmc: Best phase range 0-225 (21 len)
[    1.667754] dwmmc_rockchip ff0f0000.rksdmmc: Successfully tuned phase to 113
[    1.667796] mmc0: new HS200 MMC card at address 0001
[    1.668069] mmcblk0: mmc0:0001 AJNB4R 14.5 GiB
[    1.668202] mmcblk0rpmb: mmc0:0001 AJNB4R partition 3 4.00 MiB
[    1.668519]      uboot: 0x000400000 -- 0x000800000 (4 MB)
[    1.668530]       misc: 0x000800000 -- 0x000c00000 (4 MB)
[    1.668539]   resource: 0x000c00000 -- 0x001c00000 (16 MB)
[    1.668548]     kernel: 0x001c00000 -- 0x002c00000 (16 MB)
[    1.668557]       boot: 0x002c00000 -- 0x004c00000 (32 MB)
[    1.668566]   recovery: 0x004c00000 -- 0x006c00000 (32 MB)
[    1.668574]     backup: 0x006c00000 -- 0x00a000000 (52 MB)
[    1.668583]      cache: 0x00a000000 -- 0x012000000 (128 MB)
[    1.668591]     kpanic: 0x012000000 -- 0x012400000 (4 MB)
[    1.668599]     system: 0x012400000 -- 0x072400000 (1536 MB)
[    1.668608]   metadata: 0x072400000 -- 0x073400000 (16 MB)
[    1.668616] baseparamer: 0x073400000 -- 0x073800000 (4 MB)
[    1.668625]   userdata: 0x077800000 -- 0x3a3a00000 (12994 MB)
[    1.668653]  mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10 p11 p12 p13[    1.669832] dwmmc_rockchip ff0c0000.rksdmmc: DW MMC controller ao
[    1.669848] dwmmc_rockchip ff0c0000.rksdmmc: 1 slots initialized
[    1.670158] dw cru_regsbase addr 0x1d8.
[    1.670168] dw cru_reset_offset val 1.
[    1.670179] dwmmc_rockchip ff0d0000.rksdmmc: Version ID is 270a
[    1.670218] dwmmc_rockchip ff0d0000.rksdmmc: failed to get hpclk_mmc
[    1.670473] dwmmc_rockchip ff0d0000.rksdmmc: Using internal DMA controller.
[    1.670605] dw_mci_init_slot: fmin=200000, fmax=50000000 [mmc2]
[    1.670851] 1358..dw_mci_set_ios:  no card. [mmc2]
------------------------------------------------------------------------------------------
[    1.670945] carroll : mmc_blk_probe mmc_blk_emmc_add
------------------------------------------------------------------------------------------
[    1.670992] 1358..dw_mci_set_ios:  no card. [mmc1]
[    1.689476] 1358..dw_mci_set_ios:  no card. [mmc2]
[    1.709161] 1358..dw_mci_set_ios:  no card. [mmc2]
[    1.709185] dwmmc_rockchip ff0d0000.rksdmmc: DW MMC controller at irq 65, 32 bit host data width, 256 deep fifo
[    1.709198] dwmmc_rockchip ff0d0000.rksdmmc: 1 slots initialized

说明这里不能删除只能做修改兼容其他批次cpu

再次把问题锁定文件，下边几个文件好像是天启android5.1特供的，就是这个东西让内核挂掉的，天启android4.4以及荣品都能正常开机，并且源码中也无下属文件
firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtdrm.o文件
firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtd
firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtdrm.mod.c
firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/.virtdrm.o.cmd

天启2017年07-21添加kernel->driver:fix queue file，才添加的这几个文件
https://bitbucket.org/T-Firefly/firenow-lollipop/commits/bd3833f7c215b3f907464866510412ae505d2e73

最终将问题锁定在编译产生的二进制文件firefly-rk3288_android5.1_git_20180126/kernel/drivers/char/virtd
下节尝试逆向分析
转载天启android5.1系统无法在非1650批次号的rk3288w芯片上启动

1、ELF文件内容解析
readelf: 可解析ELF文件的所有内容;
strings: 查看ELF文件中的字符串;
file : 查看ELF文件的信息;
nm : 查看ELF文件中的符号信息;
ldd : 查看ELF文件所依赖的库文件;

2、objdump
用于对ELF文件进行反汇编;
objdump -d ;反汇编部分可执行的二进制代码;
objdump -D ;反汇编全部的可执行的二进制代码;
objdump -S ;尽量把可执行的二进制代码反汇编成源码;

3、hexdump
以十六进制格式查看ELF格式的二进制可执行文件的内容;
hexdump -C elf_file_name

readelf -a virtd
查看文件信息

查看程序静态文本
strings -a virtd

发现一段字符串是 ret %d
跟日志打印吻合，ret 1024，为了查找这个原始打印也废了很大劲

我们可以根据里边的函数名称，去找kernel中哪些文件使用过这些函数，并去git还原老版本，估计关联很多。
先暴力恢复老版本，等以后有空了再适配
git reset --hard f5535b6cbc2264aacf9927a95490ae10b00c4fb7
重新编译烧录就可以正常启动android

但还是有几点疑惑：

1. 为什么其他型号的rk3288烧录最新系统会卡在内核驱动初始化，天启自己的rk3288w 1650批次的没问题，但是其他rk3288w 1652 等以后生产的都不行
2. 为什么出问题系统都会卡在这里drm_misc_init，kernel/drivers/char/virtd这个文件到底是为了优化什么功能的，为什么天启不提供源文件，国内都是这样的开源？

转载解析天启rk3288源码 /kernel/drivers/char/virtd