Recent Linux on the Nexus 7 (2013) "Flo" Tablet
(booted 2017-10-04 with v4.14-rc3)

Nexus 7 (2013)

Nexus 7

The Nexus 7 (2013 version) is a Qualcomm APQ8064-based tablet sold in (duh) 2013. It has got some community attention as a nice hackable target. It is know inside LG Electronics as ME571K-RG and inside Google as Flo.

Getting into it

Making the UART Cable

You need a serial cable attached to the headphone jack. I essentially followed the instructions from this blog post but I used no resistors whatsoever, just slamming GND, VDD, TX and RX into the right wires from the headphone jack works JUST FINE.

I soldered this to some pins and stuck into the FTDI Breakout Board GND/VCC/RX/TX slots. Here is a picture of the result.

After connecting this to USB I open minicom on /dev/ttyUSB0 at 115200 baud, 8n1 and there is some text in the console. When I get to prompt, it is also interactive.

Booting a kernel

This board only talks the fastboot boot protocol. (No U-Boot or such.) So you need to get this tool. On Fedora, simply:

dnf -y install android-tools

This will get you the command-line tool fastboot.

First you need to unlock the boot loader, I think. Mine was unlocked so I didn't have to do this step.

The next thing to do to boot a random kernel is to get the tablet into fastboot mode. This is when you see the little droid with open chest and the "Start"/"Power off"/"Recovery mode" etc text on top of the screen. In this mode the device is running little kernel and accepting fastboot commands over USB.

Kick a kernel using fastboot (you can use one of those downloadable below for test):

  fastboot --base 0x80200000 --cmdline "xxxxxxxxxxxxxxxxxxxxxxxxxxconsole=ttyMSM0,115200,n8" boot zImage

Some elder versions of fastboot only accepts -b rather than --base and -c rather than --cmdline. You should get a boot to a prompt (atleast with my precompiled kernels). This is how my bootlog looked at my first successful attempt 2017-05-13.

You may ask yourself why there are 26 "x" in front of the command line arguments. It is there to feed the whacky bootloader that eats 26 characters. Incidentally, the size of a console argument. So the manufacturer wanted to disable the console at one point, and hacked around it in the boot loader instead of changing the actual command line. Clever.

To get earlydebug on the console and all:

  fastboot --base 0x80200000 --cmdline "xxxxxxxxxxxxxxxxxxxxxxxxxxconsole=ttyMSM0,115200,n8 debug earlyprintk=serial,0x16640000,115200 verbose" boot zImage

Older web pages talk about a "fixup" assembly piece that need to be prepended to the kernel. That has been fixed upstream, but is an issue with older kernels.

Pre-Built kernels

These are prebuilt kernel with baked-in initramfs that takes you to a prompt. They can be used to test the above approach for downloading and booting a kernel.

Compiling the kernel

To compile a fresh APQ8060 DragonBoard kernel you first need a cross compiler such as the Linaro GCC toolchain. Then you can use my makefile and my rootfs CPIO image - put this in your $HOME directory (in case you're interested that was generated using this script) in the main Linux source tree like this:

linux$ make -f nexus7.mak config && make -f nexus7.mak build

Kernel TODO