The Nexus 7 (2013 version) is a Qualcomm APQ8064-based tablet sold in (duh) 2013. It has gotten some community attention as a nice hackable target. It is known inside LG Electronics as ME571K-RG and inside Google as Flo.
Getting into it
Making the UART Cable
You need a serial cable attached to the headphone jack. I essentially followed the instructions from this blog post but I used no resistors whatsoever; just connecting GND, VDD, TX and RX straight to the right wires from the headphone jack works JUST FINE.
- I used the Sparkfun small FTDI Basic Breakout card (make sure it is the 3.3V variant, not the 5V one, since VDD on the jack is 3.3V)
- I used the Sparkfun 4-element TRRS 3.5mm headphone plug
- TIP is RX (red cable from my plug)
- RING 1 is TX (white cable from my plug)
- RING 2 is GND (green cable from my plug)
- SLEEVE is VDD (3.3V, black cable from my plug)
I soldered this to some pins and stuck them into the FTDI Breakout Board GND/VCC/RX/TX slots. Here is a picture of the result.
After connecting this to USB I open minicom on /dev/ttyUSB0 at 115200 baud, 8n1, and some text appears in the console. When I get to a prompt, it is also interactive.
Booting a kernel
This board only talks the fastboot boot protocol. (No U-Boot or such.) So you need to get this tool. On Fedora, simply:
dnf -y install android-tools
This will get you the command-line tool fastboot.
First the bootloader needs to be unlocked (fastboot oem unlock from fastboot mode; note that unlocking wipes user data). Mine was already unlocked so I didn't have to do this step.
The next thing to do to boot a random kernel is to get the tablet into fastboot mode. This is when you see the little droid with open chest and the "Start"/"Power off"/"Recovery mode" etc text on top of the screen. In this mode the device is running Little Kernel (LK, the Qualcomm bootloader) and accepting fastboot commands over USB.
- Power the device off completely. If nothing else works, just press and hold the power button until the backlight goes off.
- Immediately after this some part of the system goes online again, so quickly press and hold "volume down".
- If this doesn't work, keep "volume down" pressed and also press the power button again.
- The fastboot screen should come up. The device will now accept commands over USB.
Kick a kernel using fastboot (you can use one of those downloadable below for test):
fastboot -b 0x80200000 -c "xxxxxxxxxxxxxxxxxxxxxxxxxxconsole=ttyMSM0,115200,n8" boot zImage
You should get a boot to a prompt (at least with my precompiled kernels). This is how my bootlog looked at my first successful attempt 2017-05-13.
You may ask yourself why there are 26 "x" in front of the command line arguments. They are there to feed the wacky bootloader, which eats the first 26 characters of the command line. Not by coincidence, that is the size of a console argument. So the manufacturer wanted to disable the console at one point, and hacked around it in the boot loader instead of changing the actual command line. Clever. The practical consequence is that whatever you want the kernel to actually see must come after those 26 bytes of padding.
To get earlydebug on the console and all:
fastboot -b 0x80200000 -c "xxxxxxxxxxxxxxxxxxxxxxxxxxconsole=ttyMSM0,115200,n8 debug earlyprintk=serial,0x16640000,115200 verbose" boot zImage
Older web pages talk about a "fixup" assembly piece that needs to be prepended to the kernel. That has been fixed upstream, but is still an issue with older kernels.
These are prebuilt kernels with a baked-in initramfs that takes you to a prompt. They can be used to test the above approach for downloading and booting a kernel.
- zImage for v4.12-HEAD made in early tests prior to v4.12-rc1
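As an added example (not part of the original post), here is a small POSIX shell script that wraps the whole fastboot boot procedure above: it builds the command line with the 26 padding bytes the bootloader eats, lets you check what the kernel will actually receive, waits for a device in fastboot mode and kicks the zImage. The padding count, load address and UART address are the ones from the commands above; the script itself and its function names are my own and assume the fastboot tool from android-tools plus minicom on the host.

```shell
#!/bin/sh
# Added example, not the original author's script: boot a zImage on the
# Nexus 7 (2013) over fastboot, padding the command line for the bootloader.

# The bootloader discards this many leading characters of the -c argument
# (the length of a "console=..." argument) before passing it to the kernel.
NEXUS7_EATEN=26
# Physical address the bootloader loads the zImage at (from the post).
NEXUS7_KERNEL_BASE=0x80200000
# APQ8064 debug UART used for earlyprintk (from the post).
NEXUS7_UART=0x16640000

# pad_string COUNT [CHAR]: emit COUNT copies of CHAR (default "x").
pad_string() {
    n=$1
    c=${2:-x}
    s=""
    while [ "$n" -gt 0 ]; do
        s="${s}${c}"
        n=$((n - 1))
    done
    printf '%s' "$s"
}

# Print the real kernel command line prefixed with the padding the
# bootloader will eat, so the kernel sees exactly the arguments given.
nexus7_cmdline() {
    pad_string "$NEXUS7_EATEN"
    printf '%s' "$*"
}

# Command line with the serial console only.
nexus7_console_cmdline() {
    nexus7_cmdline "console=ttyMSM0,115200,n8"
}

# Command line with early debug output on the UART as well.
nexus7_earlydebug_cmdline() {
    nexus7_cmdline "console=ttyMSM0,115200,n8 debug earlyprintk=serial,${NEXUS7_UART},115200 verbose"
}

# kernel_sees PADDED: what is left after the bootloader drops the first
# NEXUS7_EATEN characters. Uses a pattern of "?" so the padding content
# does not matter, only its length.
kernel_sees() {
    pat=$(pad_string "$NEXUS7_EATEN" '?')
    printf '%s' "${1#$pat}"
}

# nexus7_boot ZIMAGE [earlydebug]: boot the kernel over USB.
nexus7_boot() {
    zimage=$1
    if [ ! -f "$zimage" ]; then
        echo "no such zImage: $zimage" >&2
        return 1
    fi
    if [ "${2:-}" = "earlydebug" ]; then
        cmdline=$(nexus7_earlydebug_cmdline)
    else
        cmdline=$(nexus7_console_cmdline)
    fi
    # Poll until the tablet shows up in fastboot mode (see the key sequence).
    echo "waiting for a device in fastboot mode..." >&2
    while [ -z "$(fastboot devices 2>/dev/null)" ]; do
        sleep 1
    done
    fastboot -b "$NEXUS7_KERNEL_BASE" -c "$cmdline" boot "$zimage"
}

# Attach to the headphone-jack UART built above (115200 8n1 on /dev/ttyUSB0).
nexus7_console() {
    minicom -D "${1:-/dev/ttyUSB0}" -b 115200
}

# Only touch hardware when run as a script with a zImage argument:
#   ./nexus7-boot.sh zImage [earlydebug]
if [ -n "${1:-}" ]; then
    nexus7_boot "$@"
fi
```

Run `kernel_sees "$(nexus7_console_cmdline)"` before booting if you change the arguments: if the output does not start with `console=`, the padding is wrong and the kernel will silently get a truncated command line.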
Compiling the kernel
To compile a fresh kernel for the Nexus 7 you first need a cross compiler such as the Linaro GCC toolchain. Then you can use my makefile and my rootfs CPIO image: put the CPIO image in your $HOME directory (in case you're interested, it was generated using this script) and run the makefile from the main Linux source tree like this:
linux$ make -f nexus7.mak config && make -f nexus7.mak build