https://www.marcusfolkesson.se/tags/linux-kernel/ Recent content in Linux Kernel on Marcus Folkesson Hugo en-us Thu, 07 May 2026 12:07:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part7/ Thu, 07 May 2026 12:07:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part7/ Rooting a VMC2040 security camera part 7: Conclusion and summary Brief In this part we are going to give some thoughts about the security of the camera and what to do to prevent this kind of attack. The other parts of the series are: Part1: Basic examination Part2: Extract the firmware Part3: Analyse the boot sequence Part4: Deeper analysis Part5: What didn't work Part6: What did work Part7: Conclusion and summary Lets talk a bit about security Often when I talk with my clients about security of their products, I urge them to analyze what threat they want to protect against. https://www.marcusfolkesson.se/blog/arlo-vmc2040-part6/ Thu, 07 May 2026 12:06:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part6/ Rooting a VMC2040 security camera part 6: What did work Brief In this part I will show how I finally got root access to the camera. The other parts of the series are: Part1: Basic examination Part2: Extract the firmware Part3: Analyse the boot sequence Part4: Deeper analysis Part5: What didn't work Part6: What did work Part7: Conclusion and summary What about those symlinks in /config? startSPARROW creates three symlinks that points to an executable binary in the rootfs: https://www.marcusfolkesson.se/blog/arlo-vmc2040-part5/ Thu, 07 May 2026 12:05:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part5/ Rooting a VMC2040 security camera part 5: What didn't work Brief In this part I will write down the things I tried that didn't work. The other parts of the series are: Part1: Basic examination Part2: Extract the firmware Part3: Analyse the boot sequence Part4: Deeper analysis Part5: What didn't work Part6: What did work Part7: Conclusion and summary U-Boot Environment The first thing I tried was to modify the U-Boot environment variables as those were not verified against any signature. https://www.marcusfolkesson.se/blog/arlo-vmc2040-part4/ Thu, 07 May 2026 12:04:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part4/ Rooting a VMC2040 security camera part 4: Deeper analysis Brief This part will focus on gather as much information as possible about the system. As I in this stage don't know what I'm looking for, I will just try to document everything I find interesting. The other parts of the series are: Part1: Basic examination Part2: Extract the firmware Part3: Analyse the boot sequence Part4: Deeper analysis Part5: What didn't work Part6: What did work Part7: Conclusion and summary U-Boot environment I used dd to extract the U-Boot environment from the NAND dump. https://www.marcusfolkesson.se/blog/arlo-vmc2040-part3/ Thu, 07 May 2026 12:03:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part3/ Rooting a VMC2040 security camera part 3: Analyze the boot sequence Brief In this part we will go through the init script to see what (and how!) services are started during the boot. The other parts of the series are: Part1: Basic examination Part2: Extract the firmware Part3: Analyse the boot sequence Part4: Deeper analysis Part5: What didn't work Part6: What did work Part7: Conclusion and summary Boot sequence I've tried to summarize the boot sequence in the diagram below. https://www.marcusfolkesson.se/blog/arlo-vmc2040-part2/ Thu, 07 May 2026 12:02:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part2/ Rooting a VMC2040 security camera part 2: Extract the firmware Brief As there were no exposed vulnerabilities via UART (no TX, only RX) or network (no open ports that could be exploited), I decided to extract the firmware from the SPINAND flash. This part of the series is about the process of extracting the firmware and analyzing it. The other parts of the series are: Part1: Basic examination Part2: Extract the firmware Part3: Analyse boot sequence Part4: Deeper analysis Part5: What didn't work Part6: What did work Part7: Conclusion and summary Extract the firmware I have a XGECU-T48 programmer for such tasks. https://www.marcusfolkesson.se/blog/arlo-vmc2040-part1/ Thu, 07 May 2026 12:00:34 +0100 https://www.marcusfolkesson.se/blog/arlo-vmc2040-part1/ Rooting a VMC2040 security camera part 1: Basic examination Brief My friend had a Arlo VMC2040 security camera [1] on his shelf. He bought it a while ago, but never really used it as it required a subscription to work properly. The only feature that he wanted was to get the video stream out from the camera without any cloud involvement, but that was unfortunately not possible. Here in Sweden we have a long holiday due to Easter, so I decided to take a look at the camera and see what's possible. https://www.marcusfolkesson.se/blog/i2c-bus-recovery/ Sat, 04 Oct 2025 10:00:34 +0100 https://www.marcusfolkesson.se/blog/i2c-bus-recovery/ I2C Bus Recovery Brief I was working on a project where we had a problem with an I2C bus that was sporadically hanging during communication with a certain device. I2C works with open-drain lines, which means that devices can only pull the lines low, and a pull-up resistor is used to pull the line high. If a device misbehaves and holds one of the lines low, the bus will be stuck, and no further communication can take place. https://www.marcusfolkesson.se/blog/mutex-guards-in-the-linux-kernel/ Fri, 01 Dec 2023 12:00:34 +0100 https://www.marcusfolkesson.se/blog/mutex-guards-in-the-linux-kernel/ Mutex guards in the Linux kernel I found an interresting thread [1] while searching my inbox for something completely unrelated. Peter Zijistra has written a few cleanup functions that where introduced in v6.4 with this commit: commit 54da6a0924311c7cf5015533991e44fb8eb12773 Author: Peter Zijlstra <peterz@infradead.org> Date: Fri May 26 12:23:48 2023 +0200 locking: Introduce __cleanup() based infrastructure Use __attribute__((__cleanup__(func))) to build: - simple auto-release pointers using __free() - 'classes' with constructor and destructor semantics for scope-based resource management. https://www.marcusfolkesson.se/blog/use-b4-for-kernel-contributions/ Wed, 23 Aug 2023 12:00:34 +0100 https://www.marcusfolkesson.se/blog/use-b4-for-kernel-contributions/ Use b4 for kernel contributions There is a little tool called b4 [1] that has been part of my workflow with the Linux kernel for a while. It's developed to be a tool used to simplify the work of the maintainers, but my main use of the tool has been to fetch patch series from the mailing list and apply them to my local git repository during reviews. I recently noticed that it got a lot of handy features (experimental though) for the contributors as well, which I now want to test! https://www.marcusfolkesson.se/blog/linux-wireless-regulatory/ Mon, 14 Aug 2023 12:00:34 +0100 https://www.marcusfolkesson.se/blog/linux-wireless-regulatory/ Linux wireless regulatory domains I had a case where I had an embedded system that should act as a WiFi Access Point on the 5GHz band. The HW was capable and the system managed to act as a client to 5GHz networks, so everything looked good. However, the system could not create an access point on some frequencies. How is it that? It's all about regulatory domains! Regulatory domains Radio regulations is something that applies to all devices that make transmissions in the radio spectrum. https://www.marcusfolkesson.se/blog/add-support-for-mcp39xx/ Fri, 04 Aug 2023 12:00:34 +0100 https://www.marcusfolkesson.se/blog/add-support-for-mcp39xx/ Add support for MCP39XX in Linux kernel I've maintained the MCP3911 driver in the Linux kernel for some time and continuously add support for new features [1] upon requests from people and companies. Microchip has several IC:s in this series of ADC:s that works similar to MCP3911. Actually, all other IC:s are register compatible but MCP3911. The IC:s I've extended support for is MCP3910, MCP3912, MCP3913, MCP3914, MCP3918 and MCP3919. https://www.marcusfolkesson.se/blog/contiguous-memory-allocator/ Mon, 06 Feb 2023 10:00:34 +0100 https://www.marcusfolkesson.se/blog/contiguous-memory-allocator/ Contiguous Memory Allocator Introduction I do find memory management as one of the most fascinating subsystem in the Linux kernel, and I take every chance I see to talk about it. This post is inspired by a project I'm currently working on; an embedded Linux platform with a camera connected to the CSI-2 bus. Before we dig into which problems we could trip over, lets talk briefly about how the kernel handles memory. https://www.marcusfolkesson.se/blog/audio-and-embedded-linux/ Fri, 23 Dec 2022 12:00:34 +0100 https://www.marcusfolkesson.se/blog/audio-and-embedded-linux/ Audio and Embedded Linux Brief Last time I used wrote kernel drivers for the ASoC (ALSA System on Chip) subsystem, the functionality was split up into these parts: Platform class driver that defines the SoC audio interface for the actual CPU itself. This includes both the DAI (Digital Audio Interface) and any potential audio muxes (e.g. i.MX6 has its AUDMUX). CODEC class driver that controls the actual CODEC. Machine drivers that are the magic glue between the SoC and the CODEC which connects both interfaces. https://www.marcusfolkesson.se/blog/debug-kernel-with-kgdb/ Sat, 17 Dec 2022 12:00:34 +0100 https://www.marcusfolkesson.se/blog/debug-kernel-with-kgdb/ Debug kernel with KGDB What is KGDB? KGDB intend to be used as a source code level debugger on a running Linux kernel. It works with GDB and allows the user to inspect memory, variables, setup breakpoints, step lines and instructions. Pretty much the same that all application developers are used to, but for the kernel itself. Almost every embedded Linux system does have a serial port available, and that is all that you need to connect GDB to your kernel. https://www.marcusfolkesson.se/blog/libcamera/ Fri, 25 Nov 2022 12:00:34 +0100 https://www.marcusfolkesson.se/blog/libcamera/ What is libcamera and why should you use it Read out a picture from camera Once in a time, video devices was not that complex. To use a camera back then, your application software could iterated through /dev/video* devices and pick the camera that you want and then immediately start using it. You could query which pixel formats, frame rates, resolutions and all other properties that are supported by the camera. https://www.marcusfolkesson.se/blog/hid-report-descriptors/ Sat, 15 Oct 2022 12:00:34 +0100 https://www.marcusfolkesson.se/blog/hid-report-descriptors/ HID report descriptors and Linux HID Devices USB HID (Human Interface Device) device class is the type of computer peripherals that human interacts with, such as keyboards, mice, game controllers and touchscreens. The protocol is probably one of the most simple protocols in the USB specification. Even if HID was originally written for USB in mind, it works with several other transport layers. Your mouse and keyboard do probably use HID over USB, the touchscreen in your smartphone could use HID over I2C. https://www.marcusfolkesson.se/blog/industrial-io-triggers/ Thu, 18 Aug 2022 12:00:34 +0100 https://www.marcusfolkesson.se/blog/industrial-io-triggers/ Industrial I/O and triggers I've maintained a couple of IIO-drivers (MCP3911 [4] and LTC1660 [5]) for some time now and it's time to give at least the MCP3911 a face-lift. This time the face lift includes support for: Buffers Triggers Make the driver interrupt driven Add support for setting Oversampling Ratio Add support for setting PGA (Pre Gain Amplifier) Also clean it up a bit by only using device managed resources. https://www.marcusfolkesson.se/blog/gplv3/ Thu, 10 Feb 2022 09:39:34 +0200 https://www.marcusfolkesson.se/blog/gplv3/ Open Source "Free as in freedom - not as in free beer". Free beer is nice, but freedom is even nicer. I have been working with companies from different sections including consumer electronics, military applications, automotive and aeronautics. One common question, regardless of section, is "Can we really use Open Source in our product?". The answer is usually Yes, you can, but.... One common misunderstanding is to interpret Open Source as in free beer. https://www.marcusfolkesson.se/blog/qca6584-and-wireless-network-stack/ Wed, 04 Apr 2018 19:39:34 +0200 https://www.marcusfolkesson.se/blog/qca6584-and-wireless-network-stack/ ath10k QCA6584 and Wireless network stack ATH10K is the mac80211 wireless driver for Qualcomm Atheros QCA988x family of chips, and I'm currently working [1] with the QCA6584 chip which is an automotive graded radio chip with PHY support for the abgn+ac modes. The connection interface to the chip is SDIO which is hardly supported for now, but my friend and kernelhacker, Erik Strömdahl [2] , has got his hands dirty and is currently working on it. https://www.marcusfolkesson.se/blog/driver-for-phoenixrc-adapter/ Sat, 17 Mar 2018 19:39:34 +0200 https://www.marcusfolkesson.se/blog/driver-for-phoenixrc-adapter/ Linux driver for PhoenixRC adapter Update: Michael Larabel on Phoronix has written a post [3] about this driver. Go ahead and read it as well! A few years ago I used to build multi rotors, mostly quad copters and tricopters. It's a fun hobby, both building and flying is incredible satisfying. The first multi rotors i built was nicely made with CNC cutted details. They looked really nice and robust. https://www.marcusfolkesson.se/blog/get_maintainers-and-git-send-email/ Sun, 07 Jan 2018 19:39:34 +0200 https://www.marcusfolkesson.se/blog/get_maintainers-and-git-send-email/ get_maintainers and git send-email Many with me prefer email as communication channel, especially for patches. Github, Gerrit and all other "nice" and "user friendly" tools that tries to "help" you to manage your submissions does not simply fit my workflow. As you may already know, all patches to the Linux kernel is by email. scripts/get_maintainer.pl (see [1] for more info about the process) is a handy tool that takes a patch as input and gives back a bunch of emails addresses. https://www.marcusfolkesson.se/blog/oom-killer/ Fri, 01 Dec 2017 19:39:34 +0200 https://www.marcusfolkesson.se/blog/oom-killer/ OOM-killer When the system is running out of memory, the Out-Of-Memory (OOM) killer picks a process to kill based on the current memory footprint. In case of OOM, we will calculate a badness score between 0 (never kill) and 1000 for each process in the system. The process with the highest score will be killed. A score of 0 is reserved for unkillable tasks such as the global init process (see [1]) or kernel threads (processes with PF_KTHREAD flag set). https://www.marcusfolkesson.se/blog/printk/ Thu, 02 Nov 2017 19:39:34 +0200 https://www.marcusfolkesson.se/blog/printk/ printk() So, a week in Prague has come to its end. The Embedded Linux Conference Europe was this year co-located with Open Source Summit and offered a lot of interesting talks on various topics. One of the hottest topics this year was about our most beloved debugging function - prink(). What is so hard with printing? It turns out that printk is quite deadlock-prone and that is not an easy thing to work around in the current infrastructure of the kernel. https://www.marcusfolkesson.se/blog/memory-management-in-the-kernel-1/ Wed, 27 Sep 2017 19:39:34 +0200 https://www.marcusfolkesson.se/blog/memory-management-in-the-kernel-1/ Memory management in the kernel Memory management is among the most complex parts in the Linux kernel. There is so many critical parts such as page allocator, slab allocator, virtual memory handling, memory mapping, MMU, IOMMU and so on. All these parts have to work perfect (or at least almost perfect :-) ) because all systems do use them whether they want to or not. If there is a bug or performance issue you will be noticed quite soon. https://www.marcusfolkesson.se/blog/mmap-memory-between-kernel-and-userspace/ Wed, 27 Sep 2017 19:39:34 +0200 https://www.marcusfolkesson.se/blog/mmap-memory-between-kernel-and-userspace/ MMAP memory between kernel and userspace Allocate memory in kernel space and then let the userspace map it to their virtual address space sounds like an easy task, and sure it's. There are just a few things that is good to know about page mapping. The MMU (Memory Management Unit) contains page tables with entries for mapping between virtual and physical addresses. These pages is the smallest units that the MMU deals with. https://www.marcusfolkesson.se/blog/pid1-in-containers/ Wed, 27 Sep 2017 19:39:34 +0200 https://www.marcusfolkesson.se/blog/pid1-in-containers/ PID1 in containers What is PID 1 The top-most process in a UNIX system has PID (Process ID) 1 and is usually the init process. The Init process is the first userspace application started on a system and is started by the kernel at boottime. The kernel is looking in a few predefined paths (and the init kernel parameter). If no such application is found, the system will panic(). https://www.marcusfolkesson.se/blog/tft_beaglebone/ Sun, 27 Aug 2017 19:39:34 +0200 https://www.marcusfolkesson.se/blog/tft_beaglebone/ 2.2" TFT display on Beaglebone I recently bought a 2.2" TFT display on Ebay (come on, 7 bucks...) and was up to use it with my BeagleBone. Luckily for me there was no Linux driver for the ILI9341 controller so it's just to roll up my sleeves and get to work. Boot up the BeagleBone I haven't booted up my bone for a while and support for the board seems https://www.marcusfolkesson.se/blog/high-resolution-timers/ Thu, 27 Jul 2017 19:39:34 +0200 https://www.marcusfolkesson.se/blog/high-resolution-timers/ High resolution timers Nearly all systems have some kind of Programmable Interrupt Timer (PIT) or High Precision Event Timer (HPET) that is programmed to periodically interrupt the operating system (if not configured with CONFIG_NO_HZ). The kernel performs several tasks in these ticks such as timekeeping, calculate statistics for the currently running process, schedule a new process and so on. The interrupt occurs at regular intervals - exactly HZ times per second. https://www.marcusfolkesson.se/blog/modules-with-parameters/ Tue, 27 Jun 2017 19:39:34 +0200 https://www.marcusfolkesson.se/blog/modules-with-parameters/ Modules with parameters Everybody knows that modules can take parameters, either via /sys/modules/<module>/parameters, sysctl or via cmdline to the kernel, but how are these parameters created? Parameters without callbacks The Linux kernel provides the module_param() macro. The syntax is: 1module_param(name, type, perm) Which will simply create the module parameter and expose it as an entry in /sys/modules/<module>/parameters. Code example 1int debug_flag; 2module_param(debug_flag, bool, S_IRUSR | S_IWUSR | S_IRGRP) 3MODULE_PARM_DESC(debug_flag, "Set to 1 if debug should be enabled, 0 otherwise"); MODULE_PARM_DESC() is a short description of the parameter.