Develop Reference

How to repack a customized firmware with Firmware Mod Kit?

I have been trying to mod a default firmware of a Digital Video Recorder just because of its splash screen logo, which is incredibly bright and almost blinds me everytime I turn it on at night.
I have tried to use the Firmware Mod Kit to extract the firmware from the binary file. Instead of coming across a squash or cram filesystem, I ended up with some zip compressed files. Here's some output:
Scan Time: 2015-08-17 23:28:44
Signatures: 193
Target File: /home/king/fmk/myfirmware.bin
MD5 Checksum: [omitted]
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
0 0x0 Zip archive data, at least v2.0 to extract, compressed size: 2118527, uncompressed size: 2154560, name: "custom-x.cramfs.img"
2118597 0x2053C5 Zip archive data, at least v2.0 to extract, compressed size: 2928495, uncompressed size: 2932800, name: "user-x.cramfs.img"
5047160 0x4D0378 Zip archive data, at least v2.0 to extract, compressed size: 2424987, uncompressed size: 2445376, name: "romfs-x.cramfs.img"
7472216 0x720458 Zip archive data, at least v2.0 to extract, compressed size: 18725, uncompressed size: 20544, name: "logo-x.cramfs.img"
7491009 0x724DC1 Zip archive data, at least v2.0 to extract, compressed size: 141, uncompressed size: 354, name: "InstallDesc"
7491611 0x72501B End of Zip archive
Extracting 0 bytes of zip header image at offset 0
ERROR: No supported file system found! Aborting...
However, If I unzip the binary file, I can get FMK to extract the only file I'd really like to change: logo-x.cramfs.img:
king#castle:~/fmk$ ./extract-firmware.sh logo-x.cramfs.img:
Firmware Mod Kit (extract) 0.99, (c)2011-2013 Craig Heffner, Jeremy Collake
Preparing tools ...
Scanning firmware...
Scan Time: 2015-08-18 00:19:50
Signatures: 193
Target File: /home/king/fmk/logo-x.cramfs.img
MD5 Checksum: [omitted]
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
0 0x0 uImage header, header size: 64 bytes, header CRC: 0x94AD77F7, created: Sun May 26 23:46:43 2013, image size: 20480 bytes, Data Address: 0x10770000, Entry Point: 0x10780000, data CRC: 0x8EDB113D, OS: Linux, CPU: ARM, image type: Standalone Program, compression type: gzip, image name: "linux"
64 0x40 CramFS filesystem, little endian size 20480 version #2 sorted_dirs CRC 0xbda508c, edition 0, 5 blocks, 2 files
Extracting 64 bytes of uimage header image at offset 0
Extracting cramfs file system at offset 64
Extracting CramFS file system...
Now I'm not sure how to proceed. build-firmware script won't mount it back to an .img file, and even if it does, I can't repack the initial binary as well because I had to manually extract it instead of doing via extract-firmware script.
Thoughts? I don't really want to brick my dvr, almost giving this up. Any helpful comments are largely appreciated.

In fmk it's not possible.
It's more complicated process since you need to generate headers ... all steps here:
http://sysmagazine.com/posts/213411/

How can I identify the protocol used in hard disk?

I have an application which needs to read information from a hard disk, stuff like serial model etc.
Now of course it matters if the drive is a SAS, SATA or FC drive.
Is there a reliable way that I can identify which protocol a connected drive uses? Either via an OS command or checking some logs or inquiring the device?
I don't want to use sysfs structure. I want to know how the OS know if it's an ATA, SCSI or whatever type of disk.

As you have mentioned in comments to user3588161's answer, you are having SATA and SAS disk attached to the same SAS controller, so I'd suggest to use the smartctl command!
The smartctl command act as a control and monitor Utility for SMART disks under Linux and Unix like operating systems. Type the following command to get information about /dev/sda (SATA disk):
# smartctl -d ata -a -i /dev/sda
For SAS disk use one of the following syntax:
# smartctl -d scsi --all /dev/sgX
# smartctl -d scsi --all /dev/sg1
# smartctl -d scsi --all /dev/sg1 -H
I guess all of the information is somehow related to this location :-
/sys/class/scsi_device/?:?:?:?/device/model
I suggest you try doing this too to check what output does it render.
cat /sys/class/scsi_device/0\:0\:0\:0/device/{model,vendor}
(The backslashes next to zeros are for escaping special char :.)
Also, I'd like to suggest you to visit these two links in order for more information or detail like sample output,etc :-
Find Out Hard Disk Specs
To Check Disk behind Adaptec RAID Controllers

Checking boot information, it seems the disk type is set in kernel ahci calls. You can check (as root) with dmesg | grep ahci (on sysvinit systems) or with journalctl -k -b -0 -l --no-pager | grep ahci (with systemd). The relevant query/setting looks to be:
kernel: ahci 0000:00:12.0: version 3.0
kernel: ahci 0000:00:12.0: controller can't do 64bit DMA, forcing 32bit
kernel: ahci 0000:00:12.0: AHCI 0001.0100 32 slots 4 ports 3 Gbps 0xf impl SATA mode
kernel: ahci 0000:00:12.0: flags: ncq sntf ilck pm led clo pmp pio slum part ccc
The third line holds the controller/type information you are looking for. This seems to be where the information comes from, but from your questions standpoint, it isn't a viable solution.
The question becomes where does this information get recorded or stored within /dev /proc or /sys. I have looked and cannot find a one-to-one correlation between this initial determination of disk type on boot and any flag stored. This information may well be part of the coded data, for example, /sys/class/scsi_disk/0:0:0:0/device or similar location. Hopefully this information may allow you or others to help pinpoint if, and if so, where this information is captured and available on a running system.

Answer rewritten in view of clarification: libATA is what you want. It's what hdparm calls and it reports the transport too. It's hard to find up to date docs on it though. See http://docs.huihoo.com/linux/kernel/2.6.26/libata/index.html for example.
I have not used libATA (directly) myself, so I can't be more specific as to the API calls needed. Since not many people need to write something like hdparm themselves, your best bet is to consult its sources to see what exactly it calls.
hdparm can report stuff like:
[root#alarmpi ~]# hdparm -I /dev/sdb
/dev/sdb:
ATA device, with non-removable media
Model Number: TOSHIBA DT01ACA200
Serial Number: Z36GKMKGS
Firmware Revision: MX4OABB0
Transport: Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0; Revision: ATA8-AST T13 Project D1697 Revision 0b
If your actual problem is that only sdparm works on your system for SCSI drives (can happen) then it seems the problem is reduced to figuring out which of hdparm or sdparm to call isn't it? You could use udevinfo for that. See https://chromium.googlesource.com/chromiumos/third_party/laptop-mode-tools/+/775acea9e819bdee90cca8d2363827c13967a14b/laptop-mode-tools_1.52/usr/share/laptop-mode-tools/modules/hdparm for example.

U-Boot: Application crashes - but why

I'm trying to get a stand-alone application for U-Boot running.
Target is a LEGO EV3 brick - it has an TI OMAP (ARM9) CPU.
The output of U-Boot before hanging is:
U-Boot > fatload mmc 0:1 c0007FC0 uimage
reading uimage
384 bytes read
U-Boot > bootm
## Booting kernel from Legacy Image at c0007fc0 ...
Image Name: ITK EV3 sample OS
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 320 Bytes = 0.3 kB
Load Address: c0008000
Entry Point: c0008000
Loading Standalone Program ... OK
OK
I tried the following commands to be located at address 0xC0008000 in "uimage":
mov pc, lr (ARM code)
bx lr (ARM code)
bx lr (Thumb code)
These commands should simply return (depending on ARM or Thumb mode being active). However all three commands result in U-Boot hanging so no more output is done after the last "OK".
Why does U-Boot hang?

I found out the answer myself:
In the version of u-boot used on the EV3 brick there is a bug: The starting address that is already converted to little-endian is converted twice so the result is - of course - wrong.
By storing the number little endian in the file the output of u-boot will be wrong:
Image Type: ARM Linux Standalone Program (uncompressed)
Data Size: 320 Bytes = 0.3 kB
Load Address: c0008000
Entry Point: 008000c0 <--- actually 0xC0008000!!!
Loading Standalone Program ... OK
OK
U-Boot >
however booting will work. This bug only affects stand-alone programs and not Linux kernels.
My problem is that the program will possibly be published so it must work with both buggy and bug-fixed u-boot versions.
Therefore I think about loading the program to an address like
0xC00101C0
which is stored little and big endian the same way.

Debugging the boot filesystem environment seen by syslinux?

Hope it's OK to jot this down, even if I cannot accept answer immediately (and hope it's OK for SO - as there is a C patch below):
It seems I screwed up the hard disk on my desktop PC ({DRDY err}). So I wanted to run a bootable media to run fsck, but the CD on this desktop is broken, so I can only use USB flash. I have a couple of USB thumbdrives with Ubuntu and Suse - these start booting on the desktop; but during boot, udev tries to detect hard drives, and since the hard disk is screwed, it just loops there, and the respective OS never finishes booting.
So I tried to download SystemRescueCd; I have this USB thumbdrive, on which I tried to install SystemRescueCD:
# lsusb with sudo, to retrieve all info
$ sudo lsusb -v -d 058f:6387 | grep -i 'id\|iManufacturer\|iProduct\|iSerial\|bInterface'
Bus 001 Device 043: ID 058f:6387 Alcor Micro Corp. Transcend JetFlash Flash Drive
idVendor 0x058f Alcor Micro Corp.
idProduct 0x6387 Transcend JetFlash Flash Drive
iManufacturer 1 takeMS
iProduct 2 Mem-drive Mini
iSerial 3 C5E7F0CC
bInterfaceNumber 0
bInterfaceClass 8 Mass Storage
bInterfaceSubClass 6 SCSI
bInterfaceProtocol 80 Bulk (Zip)
# search by serial:
$ find /dev/disk/by-id/ -name '*C5E7F0CC*'
/dev/disk/by-id/usb-takeMS_Mem-drive_Mini_C5E7F0CC-0:0-part1
/dev/disk/by-id/usb-takeMS_Mem-drive_Mini_C5E7F0CC-0:0
# list and get device node
$ ls -la /dev/disk/by-id/usb-takeMS_Mem-drive_Mini_C5E7F0CC-0:0
lrwxrwxrwx 1 root root 9 2013-03-25 20:37 /dev/disk/by-id/usb-takeMS_Mem-drive_Mini_C5E7F0CC-0:0 -> ../../sdc
$ ls -la /dev/disk/by-id/usb-takeMS_Mem-drive_Mini_C5E7F0CC-0\:0-part1
lrwxrwxrwx 1 root root 10 2013-03-25 20:37 /dev/disk/by-id/usb-takeMS_Mem-drive_Mini_C5E7F0CC-0:0-part1 -> ../../sdc1
# it is /dev/sdc - list disk info
$ sudo fdisk -l /dev/sdc
Disk /dev/sdc: 2108 MB, 2108686336 bytes
94 heads, 29 sectors/track, 1510 cylinders
Units = cylinders of 2726 * 512 = 1395712 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0003e405
Device Boot Start End Blocks Id System
/dev/sdc1 * 1 1511 2059263+ c W95 FAT32 (LBA)
I tried to use my Ubuntu 11.04 Natty netbook to image the thumbdrive - and I used both
the recommended usb_inst.sh installer; and
I tried to use unetbootin (via sudo apt-get install unetbootin);
in both of these cases, when I try to boot the USB thumbdrive on the desktop, the boot procedure fails with:
SYSLINUX 4.02 debian-20101016 CHS Copyright (C) 1993-2010 H. Peter Anvin et al
ERROR: No configuration file found
No DEFAULT or UI configuration directive found!
boot:
.... with prompt at boot. (In fact, unetbootin fails at "Verifying DMI Pool Data", before entering syslinux - probably because it is much older than the .iso I'm trying to image).
First I checked the md5 as mentioned in No Default or UI Configuration Found!
$ md5sum ./systemrescuecd-x86-3.5.0.iso
48552b9e905872bd5061eb112b73ea20 ./systemrescuecd-x86-3.5.0.iso
... but it seems OK, as per Sysresccd-versions.
Then I tried to reformat the drive to FAT16 (via sudo gparted /dev/sdc); and repeated both usb_inst.sh and unetbootin methods - again no dice. Funny enough, in all of these cases, if I try to run the flash USB thumbdrive in the QEMU emulator:
# sudo apt-get install qemu
sudo qemu -hda /dev/sdc
... it boots fine - showing the syslinux menu and so on; however, boot always fails on the desktop.
Here I should mention, that I could write down the following from the boot screen of the problematic desktop PC:
Award Modular BIOS v6.00PG
AMDRS740 BIOS
It has a boot menu accessed via F12, and in the boot menu, among other options, these are for USB:
...
USB-FDD
USB-ZIP
USB-CDROM
USB-HDD
...
Typically, I choose USB-HDD - but I've tried the others; either the procedure freezes before even entering syslinux - or the boot fails as described above.
There is advice to rename directories/files manually from isolinux to syslinux (Trying to boot from usb - Ask Ubuntu) - when I used usb_inst.sh, only syslinux/isolinux.bin would have to be renamed. There is also advice to copy syslinux.cfg to the root of the USB flash thumbdrive (Cannot boot Live USB, Linux - Super User). But still no improvements - syslinux is still complaining that it is missing the configuration file - which apparently is the syslinux.cfg.
Then I tried to look if it is possible to somehow "debug" syslinux; found log tracing/debugging/trouble shooting in syslinux - The Syslinux Project - reboot.pro:
> Do we have specific commands to trace or log syslinux?
Being open source, one is able to compile Syslinux and enable extra debugging output.
also [SOLVED] Stuck on boot: Syslinux Problem [Archive] - Ubuntu Forums: "_
Debugging syslinux is described at http://www.syslinux.org/wiki/index.php/Development/Debugging , but effective debugging (if I recall correctly) requires recompiling it to add the debug hooks._". However, Development/Debugging - Syslinux Wiki talks about something called bochs; and I suspect that is to debug syslinux itself - not necessarily to "debug" (or query) the environment it is in.
Anyways, at last, I could see no way out but to get syslinux from source; basically, this was needed so it builds:
sudo apt-get install nasm
sudo apt-get install uuid-dev
git clone git://git.kernel.org/pub/scm/boot/syslinux/syslinux.git syslinux-git
cd syslinux-git/
make OPTFLAGS+=-DDEBUG=1
Turns out, it isn't really clear how to enable such debugging, that will show what syslinux "sees" when plugged in a given computer; given that I do load into syslinux at boot, the problem is what does it see as a filesystem. I tried to enable the DEBUG environment variable as shown above (after adding override OPTFLAGS := to the Makefile) - but that, in itself, generated no new messages during boot failure. I have used the following command to "burn" the USB thumbdrive (after unmounting it from the Gnome applet):
sudo ./linux/syslinux --stupid --directory /syslinux --install /dev/sdc1
... and I've tried both with stupid and without (and both for the source-built version, and the one from the Ubuntu package repositories for Natty).
Grepping through the source, I realized there is something called rosh (Read-Only SHell) - however, that compiles as a rosh.c32 - and one is supposed to have it as a boot kernel option in syslinux.cfg - which, as noted, I cannot load. So rosh.c32 is unfortunately not much help for my problem.
However, given that rosh implements the ls command, I tried to copy relevant portions into the code of syslinux - and trigger a ls / listing of the root when syslinux scans for the configuration file. With those changes, recorded in syslinux-e40ba60-rosh-ls.patch; now I get the following when I boot:
SYSLINUX 4.06 CHS 5-ge40ba60* Copyright (C) 1993-2010 H. Peter Anvin et al
Listing: "/"
rosh_ls_arg_dir 0 files found
Listing: "/syslinux"
Listing: ""
CurrentDirName: "/syslinux/"
confignamebuf: /syslinux/extlinux.conf; realpath -1
confignamebuf: /syslinux/syslinux.cfg; realpath -1
confignamebuf: /boot/syslinux/extlinux.conf; realpath -1
confignamebuf: /boot/syslinux/syslinux.cfg; realpath -1
confignamebuf: /syslinux/extlinux.conf; realpath -1
confignamebuf: /syslinux/syslinux.cfg; realpath -1
confignamebuf: /extlinux.conf; realpath -1
confignamebuf: /syslinux.cfg; realpath -1
ERROR: No configuration file found
No DEFAULT or UI configuration directive found!
Interestingly; for the root /, the _ls function at least returns "0 files"; the others ("/syslinux", and the empty string "") already fail at the opendir call - and so the _ls function doesn't even get called!
I would have thought that my slapstick copying of the ls function would not work as intended; but running the thumbdrive in qemu on netbook, does in fact provide a full listing of files - and given that at least for /, the function gets called and returns on the desktop - I'd suspect that it does indeed work.
However, that still doesn't solve my problem - why does syslinux, after boot, see 0 files under the root /? What else could I do to debug this problem? I wouldn't mind patching some C code into syslinux - but I just don't know what I should be looking for, that would point me to correct preparation of the USB thumbdrive for booting on the desktop machine...

OK, I got it to boot...
First, I noted there are alternative mbr's in the built git source as per Mbr - Syslinux Wiki and HowTos - Syslinux Wiki, so I tried both mbr.bin and altmbr.bin - altmbr.bin like this:
$ printf '\1' | cat mbr/altmbr.bin - | sudo dd bs=440 count=1 conv=notrunc iflag=fullblock of=/dev/sdc
... but that didn't help much.
Finally, I noted that lsusb says "bInterfaceProtocol 80 Bulk (Zip)"; and I remembered reading something about ZIP drives somewhere, so tried to look it up - and finally found this:
syslinux/doc/usbkey.txt
The proper mode to boot a USB key drive in is "USB-HDD". That is the
ONLY mode in which the C/H/S geometry encoded on the disk itself
doesn't have to match what the BIOS thinks it is. Since geometry on
USB drives is completely arbitrary, and can vary from BIOS to BIOS,
this is the only mode which will work in general.
Some BIOSes have been reported (in particular, certain versions of the
Award BIOS) that cannot boot USB keys in "USB-HDD" mode. This is a
very serious BIOS bug, but it is unfortunately rather typical of the
kind of quality we're seeing out of major BIOS vendors these days. On
these BIOSes, you're generally stuck booting them in USB-ZIP mode.
THIS MEANS THE FILESYSTEM IMAGE ON THE DISK HAS TO HAVE A CORRECT
ZIPDRIVE-COMPATIBLE GEOMETRY.
....
The script "mkdiskimage" which is supplied with the syslinux
distribution can be used to initialize USB keys in a Zip-like fashion.
To do that, calculate the correct number of cylinders (31 in the
example above), and, if your USB key is /dev/sda (CHECK THE KERNEL
MESSAGES CAREFULLY - IF YOU ENTER THE WRONG DISK DRIVE IT CANNOT BE
RECOVERED), run:
mkdiskimage -4 /dev/sda 0 64 32
(The 0 means automatically determine the size of the device, and -4
means mimic a zipdisk by using partition 4.)
So, as recommended there, first I find the number of cylinders for my thumbdrive:
$ grep 512-byte /var/log/syslog | tail -n 1
Mar 25 22:33:34 mypc kernel: [50884.608687] sd 45:0:0:0: [sdc] 4118528 512-byte logical blocks: (2.10 GB/1.96 GiB)
# get number of cylinders:
$ wcalc '4118528/(64*32)'
= 2011
... then I continue with mkdiskimage. After that was done, I tried usb_inst.sh again - and realized that it will overwrite the partition 4 that mkdiskimage made, and make a partition 1 for itself instead. That means, one should copy those files fron usb_inst.sh in a backup elsewhere, then run mkdiskimage - then finally copy the backed up files back to thumbdrive again; here is a command line log:
# mkdiskimage is present in syslinux-git:
$ ./utils/mkdiskimage
Usage: ./utils/mkdiskimage [-doFMz4][-i id] file c h s (max: 1024 256 63)
....
# ... but also in Debian/Ubuntu packaging of syslinux
$ mkdiskimage -4 /dev/sdc 0 64 32
/usr/bin/mkdiskimage: /dev/sdc: don't know how to determine the size of this device
# use sudo - note this command takes a while to complete:
$ sudo mkdiskimage -4 /dev/sdc 0 64 32
Warning: more than 1024 cylinders (2011).
Not all BIOSes will be able to boot this device.
$ ls /dev/sdc*
/dev/sdc /dev/sdc4
$ sudo fdisk -l /dev/sdc
Disk /dev/sdc: 2108 MB, 2108686336 bytes
64 heads, 32 sectors/track, 2011 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x866262cc
Device Boot Start End Blocks Id System
/dev/sdc4 * 1 2011 2059248 e W95 FAT16 (LBA)
# (make sure umounted / ejected)
# cd to usb_inst.sh directory; and
# run usb_inst.sh for /dev/sdc; note it will:
# write MBR and "Creating filesystem on /dev/sdc1..."
# and "installing boot loader on /dev/sdc1";
# regardless of the previous setup on partition 4:
sudo bash ./usb_inst.sh
# now no more partition 4:
$ ls /dev/sdc*
/dev/sdc /dev/sdc1
# ( mount /dev/sdc1 via disk applet )
$ rsync -a /media/SYSRESC /media/backup/
# ... duhh... - again now
# ( umount/eject via disk applet )
$ sudo mkdiskimage -4 /dev/sdc 0 64 32
Warning: more than 1024 cylinders (2011).
Not all BIOSes will be able to boot this device.
$ sudo ./linux/syslinux --install /dev/sdc4
# ( mount via disk applet )
$ rsync -a /media/backup/SYSRESC/ /media/31A8-40E9/
$ sudo qemu -hda /dev/sdc # works
# ( umount/eject via disk applet )
# boot on desktop - works! loads rescue64 and initram.igz...
The interesting thing is - even if there is the warning "Not all BIOSes will be able to boot this device."; somehow this problematic BIOS loads this thumbdrive without a problem (and the _ls function above lists fine). Also interesting - here I choose the USB-HDD boot option (not the USB-ZIP) and it still works ?!
So, as a partial answer - I guess the way to debug this, would be for syslinux to somehow write on the thumbdrive the CHS geometry it sees during the syslinux installation; and on boot, to query the BIOS (I guess) about which CHS geometry the BIOS sees - and then dump these two geometries to screen; if there is a mismatch, then it is likely one should run mkdiskimage (unfortunately, I wouldn't know how to code that into syslinux)
Going back to my original HDD problem - turns out also SystemRescueCD uses udev to probe for devices - and again the boot process cannot complete (even if I choose the boot option "all files to memory (docache)")... So I get messages like:
udevadm settle - timeout of 180 seconds reached, the event queue contains:
Activating dmraid (fake hardware raid) ...
Starting mdadm (linux software raid) ....
udevd[88] worker [91] unexpectedly returned with status 0x0100 ...
udevd[88] worker [91] failed while handling '/devices/pci0000:00/.../sdb/sdb1'
So, I either find a Live USB distro which does not probe for disks using udev - or I better take this HDD out, toss it into a HDD USB enclosure, and try fsck it on another computer (hopefully I'll be able to blacklist this drive from udev on a running system)
Edit Aug 24 2013: Back to this problem, I thought I'd jot down few extra notes:
Since I cannot yet afford the time to fix this PC and its faulty drive, I've used this USB thumbdrive to boot multiple operating systems: PartedMagic and SliTaz did also encounter errors on the hard disk - but apparently use different drivers to access it (so the DRDY ERR loop didn't start), and they could finish booting relatively fast. Then I tried building a custom Ubuntu 12.04 image (using ubuntu-builder) - and this one ended up in a DRDY ERR loop, which may take more than 5 minutes to complete, before the OS finishes booting. I have posted more about this in Bug #1216397 “
It should be possible to ignore (skip probing) a known bad disk partition at boot” : Bugs : “linux” package : Ubuntu.
There are a few interesting things in respect to syslinux, now that this USB thumbdrive is used to boot multiple operating systems. First of all, the thumbdrive is, still, first made bootable with syslinux --install while empty (which places a file ldlinux.sys in the partition's root) - which corresponds to the mkdiskimage step above; and only afterwards are files (like kernel images, and including /boot/syslinux/syslinux.cfg) copied to it.
Now, I'd first build the CD image ISO in ubuntu-builder, and test it using VirtualBox (as qemu on my machine is way too slow for that). Once the ISO image was shown to work as expected, then only the files under its casper directory are relevant for the USB thumbdrive thus prepared; and they can be referenced through a boot menu entry in syslinux.cfg. So, I'd edit the syslinux.cfg on the thumbdrive, and copy the casper image files (e.g. filesystem.squashfs) to the thumbdrive - and test it with qemu as above. Once this qemu step passed, I'd move the USB thumbdrive on the target PC with the broken drive - and interestingly, here I might get syslinux boot failures of multiple sorts (during different boot stages):
"No DEFAULT or UI configuration directive found!" (or sometimes a "Bad <something> ..." message), before the syslinux boot menu is shown - even if the debug, as above, would show that syslinux reads the filesystem on the thumbdrive correctly, and finds the /boot/syslinux/syslinux.cfg (which does have proper directives)!
"Invalid or corrupt kernel image", once the syslinux menu is shown, and the new kernel image (Ubuntu) chosen - even if the other images (found previously on the thumb) boot fine on the broken drive PC; and the new image boots fine from thumb in qemu on a different machine!
"/init: line 7: can't open /dev/sr0: no medium found", once the new (Ubuntu) image is chosen from syslinux menu, and it starts booting; this seems an Ubuntu specific message, appearing a few seconds after it starts booting. I still encounter it even if booting completes succesfully - when it's a problem, this message just loops repeatedly, not allowing the rest of the boot process to complete
It turns out, any of these can appear whenever I try to change and save the syslinux.cfg file on the thumbdrive; or when I make changes in the casper image files, and I rsync or copy them to the thumbdrive. Maybe the copying process (since it may change the sectors where the files are located on the thumb), "confuses" parts of the boot process - although, this shouldn't happen, since also the working procedure above starts from a blanked, syslinux'd thumbdrive, to which files are copied after; so I think this may point to failing sectors on the thumbdrive.
However, even in this state, the working procedure above seemed to be useful - because using it, I could recover the thumb back to a working state! In more detail, it goes like this:
Keep a copy of the thumbdrive files somewhere on a different disk (e.g. ~/thumbcopy) - but without the ldlinux.sys file.
Whenever you want to make a change (to syslinux.cfg or to bootable image files) - make sure this change is saved in ~/thumbcopy first
Now, say I've changed some files on the bootable thumbdrive directly, and I encounter one of the errors above. Then:
First, delete all files but the ldlinux.sys on the thumbdrive, e.g.: rm -rf $(ls -I"ldlinux.sys" /media/31A8-40E9/)
Then, rsync or copy (cp -arv ...) the files in ~/thumbcopy to the thumbdrive, e.g.: rsync -aP ~/thumbcopy/ /media/31A8-40E9/
Now, try boot the thumbdrive in the PC again - it usually boots fine!
I've encountered all three types of errors, because I'd often try to change/copy individual files directly in the thumbdrive: sometimes the change doesn't introduce a problem, so booting is fine - however, in many cases, it does introduce a problem. For some reason, using the above procedure I managed to recover the thumbdrive from either type of abovementioned problems - maybe it has to do with USB Flash delayed writes, maybe with USB Flash failing sectors, I cannot really tell... But in any case: deleting all files, and re-copying them in one go, does seem to be a worthwhile procedure to try in case of errors like that.

It's an ancient post, but in case others stumble upon this, I'll add an answer anyway.
If you're struggling to get syslinux to boot, ROSH (Read-only Shell) can be useful, as you mentioned. To start ROSH, you can simply type rosh at the boot: prompt (if you do have a working graphical menu, press escape to drop back to the boot: prompt.
Inside the shell, you have some basic commands to look around in your environment. For more documentation, see https://wiki.syslinux.org/wiki/index.php?title=Read-Only_SHell(rosh.c32)

Can't boot basic OpenEmbedded-Core on Freescale i.MX28

I've been trying to build and boot OpenEmbedded-Core on the evaluation kit for Freescale's ARM i.MX28, using the Freescale ARM layer for OpenEmbedded-Core. Unfortunately, I can't find a basic "Getting Started" guide (though there is a Yocto getting-started guide). Unfortunately, I haven't been able to "get started", to the point of successfully booting to a basic command prompt on the board's debug serial port.
Here is what I've been able to piece together, and as far as I've managed to get so far.
Fetch sources
mkdir -p oe-core/freescale-arm
cd oe-core/freescale-arm
git clone git://git.openembedded.org/openembedded-core oe-core
git clone git://github.com/Freescale/meta-fsl-arm.git
cd oe-core
git clone git://git.openembedded.org/meta-openembedded
git clone git://git.openembedded.org/bitbake bitbake
Set up environment
. ./oe-init-build-env
That puts us in a new sub-directory build and sets certain environment variables.
Edit configuration
Edit the conf/bblayers.conf and local.conf files:
conf/bblayers.conf should have the meta-fls-arm and meta-oe layers added for BBLAYERS. E.g.:
BBLAYERS ?= " \
/home/craigm/oe-core/freescale-arm/oe-core/meta \
/home/craigm/oe-core/freescale-arm/oe-core/meta-openembedded/meta-oe \
${TOPDIR}/../../meta-fsl-arm \
"
In conf/local.conf, I set:
BB_NUMBER_THREADS = "4"
PARALLEL_MAKE = "-j 4"
MACHINE = "imx28evk"
Build
bitbake core-image-minimal
I ran this build overnight, and it has completed successfully for me. Output files were in ~/oe-core/freescale-arm/oe-core/build/tmp-eglibc/deploy/images.
There are two boot options that I'd like to try, as described below. Boot from SD card is simpler, but takes quite a long time (~30 min) to write the image to the SD card. Booting from TFTP + NFS is faster, but requires more set-up.
Boot from SD Card
Write image to SD card:
sudo dd if=tmp-eglibc/deploy/images/core-image-minimal-imx28evk.sdcard of=/dev/sdc
It took something like 30 minutes (3.5 GB file). Then I put it in the board's SD card slot 0, and powered-up. It got as far as loading the kernel, then stopped:
U-Boot 2012.04.01-00059-g4e6e824 (Aug 23 2012 - 18:08:54)
Freescale i.MX28 family at 454 MHz
BOOT: SSP SD/MMC #0, 3V3
DRAM: 128 MiB
MMC: MXS MMC: 0
*** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
Net: FEC0, FEC1
Hit any key to stop autoboot: 0
reading boot.scr
** Unable to read "boot.scr" from mmc 0:2 **
reading uImage
2598200 bytes read
Booting from mmc ...
## Booting kernel from Legacy Image at 42000000 ...
Image Name: Linux-2.6.35.3-11.09.01+yocto-20
Created: 2012-08-23 7:53:40 UTC
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2598136 Bytes = 2.5 MiB
Load Address: 40008000
Entry Point: 40008000
Verifying Checksum ... OK
Loading Kernel Image ... OK
OK
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
Boot from TFTP + NFS
First, I tried to write U-Boot onto an SD card:
sudo dd if=tmp-eglibc/deploy/images/u-boot-imx28evk.mxsboot-sdcard of=/dev/sdc
Then I put it in the board's SD card slot 0, and powered-up. But all I got in the debug serial port was:
0x8020a01d
So, I decided to use Freescale's distribution of U-Boot for i.MX28 (from their LTIB distribution) onto an SD card. I set suitable U-Boot parameters for NFS booting with parameters from DHCP.
setenv bootargs console=ttyAMA0,115200n8
setenv bootargs_nfs setenv bootargs ${bootargs} root=/dev/nfs ip=dhcp nfsroot=,v3,tcp fec_mac=${ethaddr}
saveenv
I connected to a DD-WRT router with the following DNSmasq settings:
dhcp-boot=,,192.168.250.106
dhcp-option=17,"192.168.250.106:/home/craigm/rootfs"
On my host PC, I set up a TFTP server to serve the uImage file from ~/oe-core/freescale-arm/oe-core/build/tmp-eglibc/deploy/images/.
I also set up a root NFS server to serve the root file system. I edited /etc/exports to serve /home/craigm/rootfs. I extracted the root file system:
bitbake meta-ide-support
rm -Rf ~/rootfs
runqemu-extract-sdk tmp-eglibc/deploy/images/core-image-minimal-imx28evk.tar.bz2 ~/rootfs
Then I put the U-Boot SD card in the board's SD card slot 0, and powered-up. It got as far as this, then stopped:
...
TCP cubic registered
NET: Registered protocol family 17
can: controller area network core (rev 20090105 abi 8)
NET: Registered protocol family 29
can: raw protocol (rev 20090105)
mxs-rtc mxs-rtc.0: setting system clock to 1970-01-01 00:03:33 UTC (213)
eth0: Freescale FEC PHY driver [Generic PHY] (mii_bus:phy_addr=0:00, irq=-1)
eth1: Freescale FEC PHY driver [Generic PHY] (mii_bus:phy_addr=0:01, irq=-1)
Sending DHCP requests .
PHY: 0:00 - Link is Up - 100/Full
., OK
IP-Config: Got DHCP answer from 192.168.250.106, my address is 192.168.250.142
IP-Config: Complete:
device=eth0, addr=192.168.250.142, mask=255.255.255.0, gw=192.168.250.1,
host=192.168.250.142, domain=, nis-domain=(none),
bootserver=192.168.250.106, rootserver=192.168.250.106, rootpath=/home/craigm/rootfs
Looking up port of RPC 100003/3 on 192.168.250.106
Looking up port of RPC 100005/3 on 192.168.250.106
VFS: Mounted root (nfs filesystem) on device 0:15.
Freeing init memory: 160K
I'm not sure if it's running without a serial console, or some other problem. I can ping it on 192.168.250.142, but I can't Telnet or SSH to it.
Questions
Is there any sort of "getting started" guide for OpenEmbedded-Core on Freescale's i.MX28?
Is the Freescale ARM layer really intended for use with OpenEmbedded-Core, Yocto, or what? I don't really understand how those projects relate.
Has anyone else had success booting a minimal image of OpenEmbedded-Core on Freescale's i.MX28? If so, how did your procedure differ from mine?
I'm not sure at this stage whether the problem is just a non-functional serial console, or some other sort of issue. It's hard to diagnose these problems that prevent even getting a basic system running. Any pointers on how to diagnose at this point?
Why would the U-Boot be broken so it can't even boot?

From the boot message it looks like U-boot is working fine. U-boot is not broken.
The following boot message
2598200 bytes read
Booting from mmc ...
## Booting kernel from Legacy Image at 42000000 ...
Image Name: Linux-2.6.35.3-11.09.01+yocto-20
Created: 2012-08-23 7:53:40 UTC
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2598136 Bytes = 2.5 MiB
Load Address: 40008000
Entry Point: 40008000
Verifying Checksum ... OK
Loading Kernel Image ... OK
OK
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
By the above log u-boot has done its job.
"Booting the kernel" is the point where bootloader given the control to the kernel.
I guess the problem might be in kernel image or in memory.
To eliminate the problem of memory, try to check the manual and try to read and write in the RAM using the board's reference manual.
From the boot log RAM looks like has no problem. It has been initialized.
DRAM: 128 MiB
Check if the following message is not causing any problem.
* Warning - bad CRC, using default environment
Check if all the devices have been initialized and nothing is skipped after the bad crc warning.