Xiaomi MI Box 3 MDZ-16-AB Boot Log and UART Location - Android Stick & Console AMLogic based Computers

Hey Guys,
I've been tinkering with my MI Box as I've been having packet loss issues with it, long story short its bricked, here is the bootlog + UART Pins if anyone is interested:
Boot Log:
Code:
TE: 98645
BL2 Built : 18:13:36, Jun 17 2016.
gxl g176ecdb - [email protected]
rn5t567_power_init
Board ID = 1
CPU clk: 1200MHz
DDR3 chl: Rank0+1 @ 912MHz - PASS
DQS-corr enabled
DDR scramble enabled
Rank0: 1024MB(auto)-2T-13
Rank1: 1024MB(auto)-2T-13
DataBus test pass!
AddrBus test pass!
-s
Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000
aml log : R1024 check pass!
New fip structure!
Load bl30 from eMMC, src: 0x00010200, des: 0x01700000, size: 0x0000d600
aml log : R1024 check pass!
Load bl31 from eMMC, src: 0x00020200, des: 0x01700000, size: 0x00014400
aml log : R1024 check pass!
Load bl32 from eMMC, src: 0x00038200, des: 0x01700000, size: 0x0002ee00
aml log : R1024 check pass!
Load bl33 from eMMC, src: 0x00068200, des: 0x01700000, size: 0x0007f800
aml log : R1024 check pass!
NOTICE: BL3-1: v1.0(debug):ed1aadc
NOTICE: BL3-1: Built : 11:06:24, May 31 2016
aml log : bl31 detect secure boot !
[Image: gxl_v1.1.3118-31ffc57 2016-09-27 10:04:49 [email protected]]
OPS=0x82
ef be ad de d f0 ad ba ef be ad de bl30:thermal init err
[0.626102 Inits done]
secure task start!
high task start!
low task start!
INFO: BL3-1: Initializing runtime services
INFO: BL3-1: Initializing BL3-2
INFO: BL3-2: ATOS-V1.4-gb959fd4 #13 Tue Sep 6 15:28:58 CST 2016 arm
INFO: BL3-2: chip version = RevA (21:A - 0:0)
INFO: BL3-2: crypto engine DMA
INFO: BL3-2: secure time TEE
INFO: BL3-1: Preparing for EL3 exit to normal world
INFO: BL3-1: Next image address = 0x1000000
INFO: BL3-1: Next image spsr = 0x3c9
U-Boot 2015.01-g57a5217-dirty (Jan 25 2017 - 11:17:54), Build: jenkins-Once_MP-750
DRAM: 2 GiB
Relocation Offset is: 76ef5000
register usb cfg[0][1] = 0000000077f64870
vpu: error: vpu: check dts: FDT_ERR_BADMAGIC, load default parameters
vpu: clk_level = 7
vpu: set clk: 666667000Hz, readback: 666660000Hz(0x300)
SARADC channel(1) is 0x1d2.
adcAvg hw_version is 353
MMC: aml_priv->desc_buf = 0x0000000073ef56e0
aml_priv->desc_buf = 0x0000000073ef7870
SDIO Port B: 0, SDIO Port C: 1
emmc/sd response timeout, cmd8, status=0x3ff2800
emmc/sd response timeout, cmd55, status=0x3ff2800
[mmc_init] mmc init success
mmc read lba=0x4000, blocks=0x400
start dts,buffer=0000000073ef9f30,dt_addr=0000000073ef9f30
parts: 12
00: cache 0000000010000000 2
01: logo 0000000000300000 1
02: encrypt 0000000000100000 1
03: recovery 0000000002000000 1
04: tee 0000000000800000 1
05: crypt 0000000002000000 1
06: misc 0000000002000000 1
07: boot 0000000001400000 1
08: system 0000000060000000 1
09: persist 0000000000800000 4
10: panic 0000000000400000 4
11: data ffffffffffffffff 4
get_dtb_struct: Get emmc dtb OK!
overide_emmc_partition_table: overide cache
[mmc_get_partition_table] skip partition cache.
Partition table get from SPL is :
name offset size flag
===================================================================================
0: bootloader 0 400000 0
1: reserved 400000 800000 0
2: cache c00000 10000000 2
3: env 10c00000 400000 0
4: logo 11000000 300000 1
5: encrypt 11300000 100000 1
6: recovery 11400000 2000000 1
7: tee 13400000 800000 1
8: crypt 13c00000 2000000 1
9: misc 15c00000 2000000 1
10: boot 17c00000 1400000 1
11: system 19000000 60000000 1
12: persist 79000000 800000 4
13: panic 79800000 400000 4
14: data 79c00000 158400000 4
mmc read lba=0x2000, blocks=0x2
mmc read lba=0x2002, blocks=0x2
mmc_read_partition_tbl: mmc read partition OK!
eMMC/TSD partition table have been checked OK!
mmc env offset: 0x10c00000
In: serial
Out: serial
Err: serial
reboot_mode=cold_boot
hardware_version =1
Saving Environment to aml-storage...
mmc env offset: 0x10c00000
Writing to MMC(1)... done
hpd_state=0
cvbs performance type = 6, table = 0
[store]To run cmd[emmc dtb_read 0x1000000 0x40000]
read emmc dtb
amlkey_init() enter!
[EFUSE_MSG]keynum is 4
[KM]Error:f[key_manage_query_size]L507:key[sn2] not programed yet
wipe_data=successful
wipe_cache=successful
Boot command:
Boot status:
Boot message
""
upgrade_step=2
[OSD]load fb addr from dts
[OSD]failed to get fb addr for logo
[OSD]use default fb_addr parameters
[OSD]fb_addr for logo: 0x3d800000
[OSD]load fb addr from dts
[OSD]failed to get fb addr for logo
[OSD]use default fb_addr parameters
[OSD]fb_addr for logo: 0x3d800000
[CANVAS]canvas init
[CANVAS]addr=0x3d800000 width=5760, height=2160
pull down bt_reset
pull up bt_reset
set hci reset
04 0e 04 01 03 0c 00
set scan parameters
04 0e 04 01 0b 20 00
set scan enable
04 0e 04 01 0c 20 00
pull down bt_enable
IR init done!
[imgread]szTimeStamp[2017012511355519]
[imgread]secureKernelImgSz=0x778000
aml log : R1024 check pass!
aml log : R1024 check pass!
aml log : R1024 check pass!
ee_gate_off ...
## Booting Android Image at 0x01080000 ...
reloc_addr =73f7a130
copy done
load dtb from 0x1000000 ......
Uncompressing Kernel Image ... OK
kernel loaded at 0x01080000, end = 0x01fa8620
Loading Ramdisk to 73e02000, end 73ee3000 ... OK
Loading Device Tree to 000000001fff4000, end 000000001fffff5e ... OK
Starting kernel ...
uboot time: 2832461 us
...
<See Attached>
UART Pins:
<See Attached>

You can hook the TX and RX lines into the 3.5mm headphone jack for easy UART use.
See attached

It turns out JTAG is enabled according to the Android dmesg log, this could mean a neat little BootROM dump...

Can someone makes a flash able rom for Almogic burning tool for mi tv box 3 mdz 16-ab?

Can you boot from usb device (libreelec)?

My mi tv box 3 is totally bricked no boot to recovery, only pc recognize like WorldCub device.

gyb001 said:
Can you boot from usb device (libreelec)?
Click to expand...
Click to collapse
I haven't looked at that yet, I don't really have any expirence playing with AMLogic SoCs, you can boot via USB? This would actually work if you can as I have boot.img and system...

(dylanger) said:
I haven't looked at that yet, I don't really have any expirence playing with AMLogic SoCs, you can boot via USB? This would actually work if you can as I have boot.img and system...
Click to expand...
Click to collapse
Thanks.
unfortunatelly i haven't img.
But i find intresting things
once#usb start
(Re)start USB...
USB0: USB3.0 XHCI init start
Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.00
This box have usb3?
Do you know how can i make full backup from emmc?
I think we can run somehow twrp with this env:
recovery_from_udisk=if fatload usb 0 ${loadaddr} aml_autoscript; then autoscr ${loadaddr}; fi;if fatload usb 0 ${loadaddr} recovery.img; then if fatload usb 0 ${dtb_mem_addr} dtb.img; then echo udisk dtb.img loaded; fi;bootm ${loadaddr};fi;

I won
amlogic login: root
Password:
Last login: Sat Nov 4 12:30:06 UTC 2017 on ttyS0
/etc/update-motd.d/30-sysinfo: line 37: read: read error: 0: Invalid argument
/etc/update-motd.d/30-sysinfo: line 38: [: -le: unary operator expected
____ ___
/ ___|/ _ \__ ____ ____ __
\___ \ (_) \ \/ /\ \/ /\ \/ /
___) \__, |> < > < > <
|____/ /_//_/\_\/_/\_\/_/\_\
Welcome to ARMBIAN 5.34 user-built Debian GNU/Linux 9 (stretch) 3.14.29
System load: 0.44 0.12 0.04 Up time: 0 min
Memory usage: 4 % of 1790MB IP:
Usage of /: 18% of 7.1G storage/: 56% of 128M
[email protected]:~# ls
fstab install.sh
[email protected]:~# uname -a
Linux amlogic 3.14.29 #108 SMP PREEMPT Sat Nov 4 14:50:04 MSK 2017 aarch64 GNU/Linux
[email protected]:~# cat /proc/cpuinfo
Processor : AArch64 Processor rev 4 (aarch64)
processor : 0
processor : 1
processor : 2
processor : 3
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: AArch64
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 4
Hardware : Amlogic
Serial : 210a82005fb86cbf061167e2b0552e2f
Revision : 020a

gyb001 said:
I won
amlogic login: root
Password:
Last login: Sat Nov 4 12:30:06 UTC 2017 on ttyS0
/etc/update-motd.d/30-sysinfo: line 37: read: read error: 0: Invalid argument
/etc/update-motd.d/30-sysinfo: line 38: [: -le: unary operator expected
____ ___
/ ___|/ _ \__ ____ ____ __
\___ \ (_) \ \/ /\ \/ /\ \/ /
___) \__, |> < > < > <
|____/ /_//_/\_\/_/\_\/_/\_\
Welcome to ARMBIAN 5.34 user-built Debian GNU/Linux 9 (stretch) 3.14.29
System load: 0.44 0.12 0.04 Up time: 0 min
Memory usage: 4 % of 1790MB IP:
Usage of /: 18% of 7.1G storage/: 56% of 128M
[email protected]:~# ls
fstab install.sh
[email protected]:~# uname -a
Linux amlogic 3.14.29 #108 SMP PREEMPT Sat Nov 4 14:50:04 MSK 2017 aarch64 GNU/Linux
[email protected]:~# cat /proc/cpuinfo
Processor : AArch64 Processor rev 4 (aarch64)
processor : 0
processor : 1
processor : 2
processor : 3
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: AArch64
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 4
Hardware : Amlogic
Serial : 210a82005fb86cbf061167e2b0552e2f
Revision : 020a
Click to expand...
Click to collapse
Woot! Nice work! So you've managed to boot into a Debian build? Damn nice work! Do you know if its possible to do that without having access to Android in the first place?
Like from UBOOT?

Yes i used to uart.
Write this command to uboot:
setenv bootcmd "run start_autoscript; run storeboot;"
setenv start_autoscript "if usb start ; then run start_usb_autoscript; fi; if mmcinfo; then run start_mmc_autoscript; fi;"
setenv start_mmc_autoscript "if fatload mmc 0 1020000 s905_autoscript; then autoscr 1020000; fi;"
setenv start_usb_autoscript "if fatload usb 0 1020000 s905_autoscript; then autoscr 1020000; fi; if fatload usb 1 1020000 s905_autoscript; then autoscr 1020000; fi; if fatload usb 2 1020000 s905_autoscript; then autoscr 1020000; fi; if fatload usb 3 1020000 s905_autoscript; then autoscr 1020000; fi;"
setenv upgrade_step "0"
saveenv
Click to expand...
Click to collapse
I'm not sure it necessary, but i set the selinux disabled.
Download and write the image to usb drive
https://yadi.sk/d/srrtn6kpnsKz2/Linux/ARMBIAN

gyb001 said:
Yes i used to uart.
Write this command to uboot:
I'm not sure it necessary, but i set the selinux disabled.
Download and write the image to usb drive
https://yadi.sk/d/srrtn6kpnsKz2/Linux/ARMBIAN
Click to expand...
Click to collapse
Can we use this image with Amlogic usb burning tool ?

venioni said:
Can we use this image with Amlogic usb burning tool ?
Click to expand...
Click to collapse
No, the image will not pass the burning tool vertify.
I think you can use the amlogic burning tool only with uart. In uboot write "update" command.

gyb001 said:
No, the image will not pass the burning tool vertify.
I think you can use the amlogic burning tool only with uart. In uboot write "update" command.
Click to expand...
Click to collapse
Can you help me to unbrick my mind that box 3 international?
is totally bricked,no boot to recovery mode.

venioni said:
Can you help me to unbrick my mind that box 3 international?
is totally bricked,no boot to recovery mode.
Click to expand...
Click to collapse
Unfortunately i don't know how its possibile, but That sure, you have to use u boot.
You should buy uart usb device. I have cp2102

gyb001 said:
Unfortunately i don't know how its possibile, but That sure, you have to use u boot.
You should buy uart usb device. I have cp2102
Click to expand...
Click to collapse
If i buy this uart usb device cp 2102 can you make a tutorial how can i use this to unbrick my mi tv box3 and what firmwares i need to do all this?

venioni said:
If i buy this uart usb device cp 2102 can you make a tutorial how can i use this to unbrick my mi tv box3 and what firmwares i need to do all this?
Click to expand...
Click to collapse
Now, i can boot only Armbian.

Stock rom img file
https://mega.nz/#F!BDRG3J4B!VZqB0qJ9fseMhy4Y8anIaA

gyb001 said:
Stock rom img file
https://mega.nz/#F!BDRG3J4B!VZqB0qJ9fseMhy4Y8anIaA
Click to expand...
Click to collapse
Can we flash this stock rom image with Almogic burning tool for unbrick mi tv box 3 ?

venioni said:
Can we flash this stock rom image with Almogic burning tool for unbrick mi tv box 3 ?
Click to expand...
Click to collapse
No.
You have to use uboot

Related

UART Output/ Bootloader hacking/ Kernel Debugging on AT&T SGS2

Hey, one of my buddies got a SGS2. I was able to play with it for a bit. I sterilized the Serial numbers. This was recorded on Linux, then transfered to Windows, so the formatting was off. I had to use some Microsoft Word Regex in order to get it to format right.
here's the full UART Logs
http://pastebin.ubuntu.com/715171/
http://pastebin.ubuntu.com/715182/
Here's a single boot log
Code:
Welcome to Samsung Primitive Bootloader.
build time: Aug 27 2011 04:53:51
current time: f4/f/4 3f:69:11
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
<display_card_info:1009> ext_csd
<display_card_info:1011>card_size: 15028
Total Card Size: 15029 MByte
mmc_init: card initialization completed!
pbl found bootable sbl in #49152.
jump to sbl 0x4d400000.
Secondary Bootloader v3.1 version.
Copyright (C) 2011 System S/W Group. Samsung Electronics Co., Ltd.
Board: C1 REV 02 / Aug 27 2011 04:53:57
current time: f4/f/4 3f:69:11
booting code=0x0
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
CID:150100 56594c30 304d1926 b2473a8e
<display_card_info:1040> ext_csd
<display_card_info:1042>card_size: 15028
Total Card Size: 15029 MByte
Total Sector Count: 30777344
MoviNand Initialization Complete!
===== PARTITION INFORMATION =====
ID : GANG (0x0)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : BOOT (0x1)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : EFS (0x4)
DEVICE : MMC
FIRST UNIT : 8192
NO. UNITS : 40960
=================================
ID : SBL1 (0x2)
DEVICE : MMC
FIRST UNIT : 49152
NO. UNITS : 2560
=================================
ID : SBL2 (0x3)
DEVICE : MMC
FIRST UNIT : 53248
NO. UNITS : 2560
=================================
ID : PARAM (0x5)
DEVICE : MMC
FIRST UNIT : 57344
NO. UNITS : 16384
=================================
ID : KERNEL (0x6)
DEVICE : MMC
FIRST UNIT : 73728
NO. UNITS : 16384
=================================
ID : RECOVERY (0x7)
DEVICE : MMC
FIRST UNIT : 90112
NO. UNITS : 16384
=================================
ID : CACHE (0x8)
DEVICE : MMC
FIRST UNIT : 106496
NO. UNITS : 512000
=================================
ID : MODEM (0x9)
DEVICE : MMC
FIRST UNIT : 618496
NO. UNITS : 32768
=================================
ID : FACTORYFS (0xa)
DEVICE : MMC
FIRST UNIT : 651264
NO. UNITS : 1048576
=================================
ID : DATAFS (0xb)
DEVICE : MMC
FIRST UNIT : 1699840
NO. UNITS : 4194304
=================================
ID : UMS (0xc)
DEVICE : MMC
FIRST UNIT : 5894144
NO. UNITS : 23826432
=================================
ID : HIDDEN (0xd)
DEVICE : MMC
FIRST UNIT : 29720576
NO. UNITS : 1048576
=================================
loke_init: j4fs_open..success
<start_checksum:1033>CHECKSUM_HEADER_SECTOR :42
<start_checksum:1035>offset:42, size:1024
Not Need Movinand Checksum
load_lfs_parameters valid magic code and version.
switch_sel_str='6543 '
load_debug_level: read debug level successfully(0x574f4c44)...LOW
init_ddi_data: usable ddi data.
init_fuel_gauge : not por status
fuel_gauge_get_version: [1]=0, [0]=92
init_fuel_gauge: vcell = 3848 mV, vfocv = 3915 mV, soc = 66
init_fuel_gauge : check s/w reset (20000000) : use wide tolerance
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
6308 = (382800 - 337808)*14022/100000
[3] 388426 = (6308 * 100000) / 11164 + 331923
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL2:0x3a
init_microusb_ic: MUIC: CONTROL2:0x3a
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQSRC = 0x2
PMIC_IRQ1 = 0x33
PMIC_IRQ2 = 0x1b
PMIC_IRQ3 = 0x3
PMIC_IRQ4 = 0x11
PMIC_STATUS1 = 0x2
PMIC_STATUS2 = 0x17
PMIC_STATUS3 = 0x3
PMIC_STATUS4 = 0x2
bootloader base address=0x4d400000
LPDDR0 1st. cached=0x40000000, size=0xe400000
LPDDR0 non-cached=0x4e400000, size=0xa00000
LPDDR0 2nd. cached=0x4ee00000, size=0x1200000
RST_STAT = 0x20000000
get_hwrev() = 14
board_process_platform: MAGIC 0 at 40000000!
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
hw_pm_status: jig_status = 1, chg_status = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
div:2, FB_SOURCE_CLOCK:667000000, FB_PIXEL_CLOCK:25067520
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Autoboot (0 seconds) in progress, press any key to stop
boot_kernel: debug level low!
checkbit: find RECOVERY
checkbit (0)
......ATAG_CORE: 5 54410001 0 0 0
MEMCONFIG: 20e01323 20e01323
ATAG_MEM: 4 54410002 10000000 40000000
ATAG_MEM: 4 54410002 10000000 50000000
ATAG_MEM: 4 54410002 10000000 60000000
ATAG_MEM: 4 54410002 10000000 70000000
ATAG_SERIAL:
ATAG_REVISION: 3 54410007 e
ATAG_CMDLINE: 39 54410009 'loglevel=4 console=ttySAC2,115200 sec_debug.enable=0 sec_debug.enable_user=0 c1_watchd ATAG_NONE: 0 0
Starting kernel at 0x40008000...
Uncompressing Linux... done, booting the kernel.
[ 0.000000] s3c_register_clksrc: clock armclk has no registers set
[ 0.000000] mout_audss: bad source 0
[ 0.000000] mem infor: bank0 start-> 0x40000000, bank0 size-> 0x10000000[30;89H[ 0.000000] bank1 start-> 0x50000000, bank1 size-> 0x10000000
[ 0.000000] CMA reserve : pmem, addr is 0x4fc00000, size is 0x400000
[ 0.000000] CMA reserve : pmem_gpu1, addr is 0x4f800000, size is 0x400000
[ 0.000000] CMA reserve : pmem_adsp, addr is 0x4f47c000, size is 0x384000
[ 0.000000] CMA reserve : fimd, addr is 0x4f17c000, size is 0x300000
[ 0.000000] CMA reserve : mfc0, addr is 0x4cd7c000, size is 0x2400000
[ 0.000000] CMA reserve : mfc1, addr is 0x4a97c000, size is 0x2400000
[ 0.000000] CMA reserve : fimc0, addr is 0x4a47c000, size is 0x500000
[ 0.000000] CMA reserve : fimc1, addr is 0x4967c000, size is 0xe00000
[ 0.000000] CMA reserve : fimc2, addr is 0x47e7c000, size is 0x1800000
[ 0.000000] CMA reserve : fimc3, addr is 0x4777c000, size is 0x700000
[ 0.000000] CMA reserve : srp, addr is 0x4767c000, size is 0x100000
[ 0.000000] CMA reserve : jpeg, addr is 0x4627c000, size is 0x1400000
[ 0.000000] CMA reserve : fimg2d, addr is 0x45a7c000, size is 0x800000
[ 0.000000] CMA reserve : (null), addr is 0x45a7c000, size is 0x0
[ 0.000000] (sec_debug_set_upload_magic) 66262564
[ 0.000000] (sec_debug_set_upload_cause) cafebabe
[ 0.121650] s5pv310_subrev: 1
[ 0.166379] ram_console: invalid start 0 or end 0
[ 0.251103] max8997 5-0066: max8997_irq_init: fail to read PMIC ID(-6)
[ 0.648050] [TSP] family = 0x81, variant = 0x1, version = 0x10, build = 170
Partition information
Code:
===== PARTITION INFORMATION =====
ID : GANG (0x0)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : BOOT (0x1)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : EFS (0x4)
DEVICE : MMC
FIRST UNIT : 8192
NO. UNITS : 40960
=================================
ID : SBL1 (0x2)
DEVICE : MMC
FIRST UNIT : 49152
NO. UNITS : 2560
=================================
ID : SBL2 (0x3)
DEVICE : MMC
FIRST UNIT : 53248
NO. UNITS : 2560
=================================
ID : PARAM (0x5)
DEVICE : MMC
FIRST UNIT : 57344
NO. UNITS : 16384
=================================
ID : KERNEL (0x6)
DEVICE : MMC
FIRST UNIT : 73728
NO. UNITS : 16384
=================================
ID : RECOVERY (0x7)
DEVICE : MMC
FIRST UNIT : 90112
NO. UNITS : 16384
=================================
ID : CACHE (0x8)
DEVICE : MMC
FIRST UNIT : 106496
NO. UNITS : 512000
=================================
ID : MODEM (0x9)
DEVICE : MMC
FIRST UNIT : 618496
NO. UNITS : 32768
=================================
ID : FACTORYFS (0xa)
DEVICE : MMC
FIRST UNIT : 651264
NO. UNITS : 1048576
=================================
ID : DATAFS (0xb)
DEVICE : MMC
FIRST UNIT : 1699840
NO. UNITS : 4194304
=================================
ID : UMS (0xc)
DEVICE : MMC
FIRST UNIT : 5894144
NO. UNITS : 23826432
=================================
ID : HIDDEN (0xd)
DEVICE : MMC
FIRST UNIT : 29720576
NO. UNITS : 1048576
=================================
SBL Commands
Code:
Following commands are supported:
* movichk
* setenv
* saveenv
* printenv
* help
* reset
* boot
* kernel
* loadpart
* loadkernel
* erasepart
* format
* open
* close
* eraseall
* showpart
* addpart
* delpart
* savepart
* nkernel
* nandread
* nandwrite
* usb
* crc
* log
* sud
* upload
* emmc
* keyread
* readadc
* mmctest
* usb_read
* usb_write
* fuelgauge
There's some new ones in this 3.1 version of Samsung SBL
* crc
* log
* sud
* upload
* emmc
I think Upload allows a dump of all partitions. Also, Keyread allows testing of button presses, Volume - =0 Volume + = 1, Power = 2
I couldn't get a FULL debug log in the time I had, but I managed to get some kernel output.
Code:
Starting kernel at 0x40008000...
Uncompressing Linux... done, booting the kernel.
[ 0.000000] s3c_register_clksrc: clock armclk has no registers set
[ 0.000000] mout_audss: bad source 0
[ 0.000000] mem infor: bank0 start-> 0x40000000, bank0 size-> 0x10000000[30;89H[ 0.000000] bank1 start-> 0x50000000, bank1 size-> 0x10000000
[ 0.000000] CMA reserve : pmem, addr is 0x4fc00000, size is 0x400000
[ 0.000000] CMA reserve : pmem_gpu1, addr is 0x4f800000, size is 0x400000
[ 0.000000] CMA reserve : pmem_adsp, addr is 0x4f47c000, size is 0x384000
[ 0.000000] CMA reserve : fimd, addr is 0x4f17c000, size is 0x300000
[ 0.000000] CMA reserve : mfc0, addr is 0x4cd7c000, size is 0x2400000
[ 0.000000] CMA reserve : mfc1, addr is 0x4a97c000, size is 0x2400000
[ 0.000000] CMA reserve : fimc0, addr is 0x4a47c000, size is 0x500000
[ 0.000000] CMA reserve : fimc1, addr is 0x4967c000, size is 0xe00000
[ 0.000000] CMA reserve : fimc2, addr is 0x47e7c000, size is 0x1800000
[ 0.000000] CMA reserve : fimc3, addr is 0x4777c000, size is 0x700000
[ 0.000000] CMA reserve : srp, addr is 0x4767c000, size is 0x100000
[ 0.000000] CMA reserve : jpeg, addr is 0x4627c000, size is 0x1400000
[ 0.000000] CMA reserve : fimg2d, addr is 0x45a7c000, size is 0x800000
[ 0.000000] CMA reserve : (null), addr is 0x45a7c000, size is 0x0
[ 0.000000] (sec_debug_set_upload_magic) 66262564
[ 0.000000] (sec_debug_set_upload_cause) cafebabe
[ 0.121650] s5pv310_subrev: 1
[ 0.166379] ram_console: invalid start 0 or end 0
[ 0.251103] max8997 5-0066: max8997_irq_init: fail to read PMIC ID(-6)
[ 0.648050] [TSP] family = 0x81, variant = 0x1, version = 0x10, build = 170
Would be interesting to see the logs from a boot with the flash counter incremented (yellow triangle) to see if it's logged and what it's keying on.
Hi Adam,
Nice to see u here on this forum , hope to see some of your great work here on S II.
This is only possible using UART.
Download Mode without having to accept wipe!
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Upload Mode
Stock PARAMS.lfs
othermark said:
Would be interesting to see the logs from a boot with the flash counter incremented (yellow triangle) to see if it's logged and what it's keying on.
Click to expand...
Click to collapse
You can reset the counter via UART
What ROM did you dump JH7/KJ1/KJ2 ?
AdamOutler said:
You can reset the counter via UART
Click to expand...
Click to collapse
Jig will reset it too - or will UART reset it even on the J2 bootloaders?
Entropy512 said:
Jig will reset it too - or will UART reset it even on the J2 bootloaders?
Click to expand...
Click to collapse
Can you flash back the J1 bootloader with ODIN? I'm willing to try this.
Another big player from the captivate scene......I feel more comfortable fashing the SGS2 now that AdamOutler is in the house to help clean up the mess lol
Yay, I'm the first dumbass to brick his I777. Kids, don't run the "emmc" command.
FWIW, when USB is connected and battery plugged in, I get this device:
Bus 001 Device 011: ID 04e8:1234 Samsung Electronics Co., Ltd
Which ModeDetect says is Unbrickable Debug mode...
Ah, I thought for a second I miss clicked forum and came to captivate one.
Happy to see you here, hope you will get your own attsgs2.
Thanks for spending time and sharing findings!
Sent from my SAMSUNG-SGH-I777 using xda premium
Entropy512 said:
Jig will reset it too - or will UART reset it even on the J2 bootloaders?
Click to expand...
Click to collapse
pokey9000 said:
Yay, I'm the first dumbass to brick his I777. Kids, don't run the "emmc" command.
FWIW, when USB is connected and battery plugged in, I get this device:
Bus 001 Device 011: ID 04e8:1234 Samsung Electronics Co., Ltd
Which ModeDetect says is Unbrickable Debug mode...
Click to expand...
Click to collapse
Yeah. So, you should try the SMDK Upload Tool.. this is good. this means you've established that UnBrickable Mod is possible on this device.
Now I need one for teardown.
Is it dead bricked? remove the battery and hold power for 10 seconds, then put back in the battery and hold it for 10 seconds. should turn on normally.
emmc usually means external MMC... try making a boot disk using the Fusing Tool. I bet it will work.
AdamOutler said:
emmc usually means external MMC... try making a boot disk using the Fusing Tool. I bet it will work.
Click to expand...
Click to collapse
I'm not sure what I'd put on the card to tell if it worked...
pokey9000 said:
Yeah. Nothing seems to bring it to life. Here's trying to send HIBL. It hangs after this. I didn't expect it to work...
$ ./smdk-usbdl -f HIBL.bin -a d0020000
SMDK42XX,S3C64XX USB Download Tool
Version 0.20 (c) 2004,2005,2006 Ben Dooks <[email protected]>
S3C64XX Detected!
=> found device: bus 001, dev 018
=> loaded 24576 bytes from HIBL.bin
=> Downloading 24586 bytes to 0xd0020000
=> Data checksum 5d9c
Click to expand...
Click to collapse
That's what happens when it tries to upload a larger file then memory can handle.
The HIBL is a Hummingbird Interceptor BootLoader. We could use a Exynos interceptor bootloader.
Let me contact Rebellos and get him in here. That polish Hairy Potter can probly wave his magic wand over a memory dump and have it doing the hokey-pokey. He is busy and recovering from a serious loss while trying to get his device into the mode which your device is in currently... he could probly use some donations.
We will need someone with a working device to do a memory dump...
1a) I need few different bootloader images from I9100 and similiar SGS2 series models (I777 or whatever is it called for eg.), can you guys post these here?
1b) If you notice some weird files in ROM releases, like *.elf - post these too! These are very helpful in reversing stuff. Samsung released these for S8500 and S8530 bootloaders so here is also a chance.
2) If anybody has got rooted Exynos based device and some know-how about using SU functions - I need iROM dump.
The procedure should be 99% the same as in there http://blog.maurus.be/index.php/2011/01/samsung-i9000-irom-dump/
Just grab viewmem ARM binary http://blog.maurus.be/wp-content/uploads/viewmem and use script posted there. With small modification!
Instead of
/tmp/viewmem 0xD0000000 0x10000 > /sdcard/iromdump
Click to expand...
Click to collapse
try
/tmp/viewmem 0x00000000 0x10000 > /sdcard/iromdump
Click to expand...
Click to collapse
if it doesnt work then try this
/tmp/viewmem 0x02000000 0x10000 > /sdcard/iromdump_mirror
Click to expand...
Click to collapse
One/both of these should produce 64KB iROM image.
3) WANTED:
- newer manual than this one: https://dl.dropbox.com/u/36177984/SEC_Exynos4210_pulbic_manual_Ver.0.00.01.pdf (we don't know if it does exist)
- Exynos 4210 Application Notes
- Exynos 4210 Secure Booting Guide
And so on.
Thank you.
Don't fear the reaper.
//edit:
Also SGS2 series seems to be more unbrickable than SGS, I bet PBL has got functionality to boot from SD card. I don't see other reason why PBL would mount it before trying to look for SBL.
Welcome to Samsung Primitive Bootloader.
build time: Aug 27 2011 04:53:51
current time: f4/f/4 3f:69:11
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
<display_card_info:1009> ext_csd
<display_card_info:1011>card_size: 15028
Total Card Size: 15029 MByte
mmc_init: card initialization completed!
pbl found bootable sbl in #49152.
jump to sbl 0x4d400000.
Click to expand...
Click to collapse
Disassembly will show.
I'm going to see about getting a replacement tomorrow as this is my daily driver. So I won't have it around to test anything. However, once I'm up and running again I'll try to get iROM dumped.
Meanwhile, tonight I'll see if I can fuse a 9100 PBL and SBL (they're supposed to be mostly compatible) to a microsd and test the external SD boot theory.
edit:
Hmm, looks like the fusing tool needs a monolithic PBL and SBL. My attention span for reading Google translated Korean forums is shot.
That's probably not necessary anyway, because I think the confusion here over "emmc" is due to the SGS2 using eMMC (embedded MMC) for the boot device as opposed to the i9000 which boots off of parallel oneNAND. The SGS2 is always booting off of MMC, it just happens that it's soldered down.

How to find out what's causing lock-ups?

I haven't managed to find a ROM that doesn't freeze up on me. I suspect that it may be apps, rather than ROMS, that are causing this, because it also happens when I revert to a stock ROM.
Can anyone recommend a way of diagnosing which app(s) may be causing the crashes? There's usually no regular pattern in behaviour - i.e. it happens in a variety of different situations/apps
mate apps generally dont cause lookups..its your settings that do..apps only forceclose..thats it...if you are on any custom kernel then its a 90% chance that whats causing your lock ups is your undervolt settings...otherwise..flash again with all the wipes...if you dont wipe then lockups are gonna be a very common occurance..backup all the stuff..!
Nah man. Apps, some apps, definitely cause Wake up's dude.
The most popular application to check wakelock's is BetterBatteryStats. And additionally i can tell you some wakelock's are also caused by Ad's, yes you read it right, damn AD'S. To block them please use AdAway, free in Play Store.
What are you going on about wakelocks for?
the thread is about lockups mate not wakeups!
naveediftikhar said:
mate apps generally dont cause lookups..its your settings that do..apps only forceclose..thats it...if you are on any custom kernel then its a 90% chance that whats causing your lock ups is your undervolt settings...otherwise..flash again with all the wipes...if you dont wipe then lockups are gonna be a very common occurance..backup all the stuff..!
Click to expand...
Click to collapse
I never do undervolting or any CPU mods, so it can't be that. I also routinely wipe, clear the cache and dalvik cache every time I flash a ROM. That's why I figure that it's probably apps doing things in the background that are the problem.
what about factory reseting via recovery and formatting system,data and cache in recovery under mount and storage option...wiping dalvik and cache dont reset or wipe your device..perform all the above mentioned wipes and your problem will hopefully end!
and if your are on any custom kernel..try increasing the stock volts by 25..!give it a try...!
Will "formatting system,data and cache in recovery under mount and storage option" wipe the contents of the internal SD card?
no...i do it always..never it has touched either of my sdcards...!
Should I do all of that AFTER flashing or before?
do it before flashing...and try to let the rom boot and run for 30 mins or so before going back and installing any mod or kernel!
Next time it happens, grab a kmsg as soon as you reboot:-
In a terminal editor enter the following:
su
cat /proc/last_kmsg > /mnt/sdcard/last_kmsg
and post it as an attachment to this thread. Might yield some clues as to what the phone was doing when it locks up/crashes.
MistahBungle said:
Next time it happens, grab a kmsg as soon as you reboot:-
In a terminal editor enter the following:
su
cat /proc/last_kmsg > /mnt/sdcard/last_kmsg
and post it as an attachment to this thread. Might yield some clues as to what the phone was doing when it locks up/crashes.
Click to expand...
Click to collapse
Ok it's just crashed again - this time while copying a large folder from the phone to a PC over USB. I rebooted, downloaded a Terminal Emulator from the Market, then generated the attached "last_kmsg" file as instructed. Please let me know if this gives any clues.
...sorry...here's the attachment...
Just had another lock-up. This time the phone got quite warm, and drained from 97% battery to 11% in 1.5 hours, so something was chewing up the CPU. Here's the last_kmsg output from immediately after the reboot:
Ibl: pbl_read_emmc441() read 8k
Ibl: pbl_read_emmc441() read 96k
Ibl: pbl_read_emmc441() read download info
Ibl: pbl_read_emmc441() endop
Ibl: jump() verify_binary_integrity...ok
Ibl: jump() jump!!!
Welcome to Samsung Primitive Bootloader.
build time: May 8 2012 19:31:07
current time: f0/e/1 30:70:7c
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
<display_card_info:1009> ext_csd
<display_card_info:1011>card_size: 15028
Total Card Size: 15029 MByte
mmc_init: card initialization completed!
pbl found bootable sbl in #53248.
jump to sbl 0x4d400000.
Secondary Bootloader v3.1 version.
Copyright (C) 2011 System S/W Group. Samsung Electronics Co., Ltd.
Board: C1 REV 02 / Aug 12 2011 11:37:21
current time: f0/e/1 30:70:7d
booting code=0xc0c080c0
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
CID:150100 56594c30 304d1941 4e02a76e
<display_card_info:1040> ext_csd
<display_card_info:1042>card_size: 15028
Total Card Size: 15029 MByte
Total Sector Count: 30777344
MoviNand Initialization Complete!
===== PARTITION INFORMATION =====
ID : GANG (0x0)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : BOOT (0x1)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : EFS (0x4)
DEVICE : MMC
FIRST UNIT : 8192
NO. UNITS : 40960
=================================
ID : SBL1 (0x2)
DEVICE : MMC
FIRST UNIT : 49152
NO. UNITS : 2560
=================================
ID : SBL2 (0x3)
DEVICE : MMC
FIRST UNIT : 53248
NO. UNITS : 2560
=================================
ID : PARAM (0x5)
DEVICE : MMC
FIRST UNIT : 57344
NO. UNITS : 16384
=================================
ID : KERNEL (0x6)
DEVICE : MMC
FIRST UNIT : 73728
NO. UNITS : 16384
=================================
ID : RECOVERY (0x7)
DEVICE : MMC
FIRST UNIT : 90112
NO. UNITS : 16384
=================================
ID : CACHE (0x8)
DEVICE : MMC
FIRST UNIT : 106496
NO. UNITS : 204800
=================================
ID : MODEM (0x9)
DEVICE : MMC
FIRST UNIT : 311296
NO. UNITS : 32768
=================================
ID : FACTORYFS (0xa)
DEVICE : MMC
FIRST UNIT : 344064
NO. UNITS : 1048576
=================================
ID : DATAFS (0xb)
DEVICE : MMC
FIRST UNIT : 1392640
NO. UNITS : 4194304
=================================
ID : UMS (0xc)
DEVICE : MMC
FIRST UNIT : 5586944
NO. UNITS : 24133632
=================================
ID : HIDDEN (0xd)
DEVICE : MMC
FIRST UNIT : 29720576
NO. UNITS : 1048576
=================================
loke_init: j4fs_open..success
<start_checksum:1033>CHECKSUM_HEADER_SECTOR :42
<start_checksum:1035>offset:42, size:1024
Not Need Movinand Checksum
load_lfs_parameters valid magic code and version.
switch_sel_str='1'
load_debug_level: read debug level successfully(0x574f4c44)...LOW
init_ddi_data: usable ddi data.
init_fuel_gauge : not por status
fuel_gauge_get_version: [1]=0, [0]=92
init_fuel_gauge: vcell = 3670 mV, vfocv = 3785 mV, soc = 37
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
1227 = (365000 - 356525)*14484/100000
[14] 368610 = (1227 * 100000) / 32927 + 364884
init_microusb_ic: MUIC: CONTROL1:0x0
init_microusb_ic: MUIC: CONTROL1:0x0
init_microusb_ic: MUIC: CONTROL2:0x3a
init_microusb_ic: MUIC: CONTROL2:0x3a
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQSRC = 0x0
PMIC_IRQ1 = 0x8b
PMIC_IRQ2 = 0x1c
PMIC_IRQ3 = 0x0
PMIC_IRQ4 = 0x11
PMIC_STATUS1 = 0x1
PMIC_STATUS2 = 0x10
PMIC_STATUS3 = 0x0
PMIC_STATUS4 = 0x0
bootloader base address=0x4d400000
LPDDR0 1st. cached=0x40000000, size=0xe400000
LPDDR0 non-cached=0x4e400000, size=0xa00000
LPDDR0 2nd. cached=0x4ee00000, size=0x1200000
RST_STAT = 0x10000
get_hwrev() = 14
board_process_platform: MAGIC c0c080c0 at 40000000!
scan_keypad_level: pressed key is 2
scan_keypad_level: pressed key is 2
scan_keypad_level: pressed key is 2
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
hw_pm_status: jig_status = 0, chg_status = 0
.....kernel is non signed binary.
DISPLAY_PATH_SEL[MDNIE 0x1]is on
div:2, FB_SOURCE_CLOCK:667000000, FB_PIXEL_CLOCK:25067520
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Autoboot (0 seconds) in progress, press any key to stop
boot_kernel: debug level low!
checkbit: find RECOVERY
checkbit (0)
.....kernel is non signed binary.
ATAG_CORE: 5 54410001 0 0 0
MEMCONFIG: 20e01323 20e01323
ATAG_MEM: 4 54410002 10000000 40000000
ATAG_MEM: 4 54410002 10000000 50000000
ATAG_MEM: 4 54410002 10000000 60000000
ATAG_MEM: 4 54410002 10000000 70000000
ATAG_SERIAL: 4 54410006 4e02a76e 304d1941
ATAG_REVISION: 3 54410007 e
ATAG_CMDLINE: 37 54410009 'loglevel=4 console=ram sec_debug.enable=0 sec_debug.enable_user=0 c1_watchdog.sec_pet=5 [email protected] s3cfb.bootloaderfb=0x5ec00000 ld9040.get_lcdtype=0x0 consoleblank=0 lpj=3981312 vmalloc=144m'
ATAG_NONE: 0 0
Starting kernel at 0x40008000...
Juice Defender causing the problem?
I disabled Juice Defender last night and have gone all day without the phone locking up. Has anyone had problems with Juice Defender causing lock-ups coupled with excessive battery usage?

kali for note 10.1 why not us

Check this out: http://docs.kali.org/armel-armhf/kali-linux-on-galaxy-note
I looked over the recovery and thought it looked ok (though thats an area i usually leave to pros), and attempted to make a x86 image so altering
Code:
dd if=/dev/block/mmcblk0p6 of=recovery.img_orig
and
dd if=recovery.img of=/dev/block/mmcblk0p6
and inputting this
Code:
dd if=/dev/block/mmcblk0p11 of=recovery.img_orig
and
dd if=recovery.img of=/dev/block/mmcblk0p11
then I rebooted and it hung up at the samsung galaxy tab 3 screen
How hard would it be to rewrite the recovery image linked to there to work on our device. Or if its in good shape I guess i screwed up making my x86 image of Kali any input of on either subject would be appreciated.
Had an idea as soon as I reflash and reroot and download a couple more files and reboot and finish updating this laptop I'm working on, ill try to break my gtab again
You can't. Those versions of Kali is for ARM (armel = ARM soft-float / armhf = ARM hard-float), while the GTab3 10.1. is x86.
But you should be able to modify any x86 (tablet-)linux for use with GTab3 10.1
Setialpha said:
You can't. Those versions of Kali is for ARM (armel = ARM soft-float / armhf = ARM hard-float), while the GTab3 10.1. is x86.
But you should be able to modify any x86 (tablet-)linux for use with GTab3 10.1
Click to expand...
Click to collapse
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.
hey
xkwr27 said:
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.
Click to expand...
Click to collapse
are you still up for this ?
i tried the same thing, i also tried swapping out the zimage from the kali recovery with p5210 stock
then changed any mmcblk refs i found in the init and instead of screen hang got it reboot, [over and over]
but didn't catch. this is totally doable and i wish i'd found this thread before starting another on the same subject.
but anyway i could go on forever.....we need to recruit people somehow... i would like a setup on this
tab so i could distro hop like i used to on pc :good:
Yes I'm still down for this, I've been so busy with work, and keeping my car running(done with the car now, motor/Trans rebuild) since my last post. Now I have my days off if not totally free free enough to put a few hours into this on my days off. I also know 2 people who could help if I can convince them one a relative with a name in the security industry and the other a relatively new guy to all things computer but with a knack for finding fixes that will be a help but for tonight I'm going to compare the two recoveries side by side during break and take notes. Then tomorrow I am going to see if I can put those notes to good use after I get back from taking my daughter and wife blackberry picking on my father's land.i figure I'll start on it noonish us central time and keep you updated...
xkwr27 said:
Yes I'm still down for this, I've been so busy with work, and keeping my car running(done with the car now, motor/Trans rebuild) since my last post. Now I have my days off if not totally free free enough to put a few hours into this on my days off. I also know 2 people who could help if I can convince them one a relative with a name in the security industry and the other a relatively new guy to all things computer but with a knack for finding fixes that will be a help but for tonight I'm going to compare the two recoveries side by side during break and take notes. Then tomorrow I am going to see if I can put those notes to good use after I get back from taking my daughter and wife blackberry picking on my father's land.i figure I'll start on it noonish us central time and keep you updated...
Click to expand...
Click to collapse
good deal, okay noob warning, but gleefully brick happy tester here.
right now i on the samsung open source site looking p5210 but not sure which
git-hub isn't an option for me as my surviving pc is a bit screwy but i still want to see the source
and try to get what the devs are saying, anyway i'm glad to hear from you
just thought i'd let you in on what i'm up to. hope to get something working.
:good:
do i need to get ubuntu 64bit for kernel stuff?
If you plan to tear into the recovery.img you'll need linux I use debian or debian based distro's, but ubuntu will work just fine.
https://01.org/android-ia
Not sure if this site will help but i'll post it anyways
I'll keep trying to post useful stuff
http://forum.xda-developers.com/showthread.php?t=1916936
Hope this helps somehow
Can we not change the partitions to whatever sizes we want using ODIN and .pit files ? if yes then we can do ANYTHING
Excercise caution. This MAY have the pit file for our device
http://forum.xda-developers.com/showthread.php?t=2526119
hey
Nitro_123 said:
https://01.org/android-ia
Not sure if this site will help but i'll post it anyways
I'll keep trying to post useful stuff
http://forum.xda-developers.com/showthread.php?t=1916936
Hope this helps somehow
Can we not change the partitions to whatever sizes we want using ODIN and .pit files ? if yes then we can do ANYTHING
Excercise caution. This MAY have the pit file for our device
http://forum.xda-developers.com/showthread.php?t=2526119
Click to expand...
Click to collapse
cool :good: reading:good:
as for repartitiong hold off for now but, read this anyway,
copy every command you see and keep in organized file for reference
http://forum.xda-developers.com/showthread.php?t=1388996
this command in term should pull pit file [get it right,check,double,check,triple check] must su first i believe
dd if=/dev/block/mmcblk0 of=/sdcard/out.pit bs=8 count=481 skip=2176
to xkwr27 hi, you're comparing with stock recovery right?
In terms of custom bootloaders we could install grub onto the device. but first we need to figure out the boot order.
http://forum.xda-developers.com/showthread.php?t=1018862 This thread is an amazing thread for samsung related stuff but kind of off topic for us.
Is there any way of figuring out the way the device boots ?
Sorry for stressing boot order and stuff so much but I really think it's the key to everything.
If we install GRUB after that everything else will be a piece of cake.
http://www.gnu.org/software/grub/
hey
Nitro_123 said:
In terms of custom bootloaders we could install grub onto the device. but first we need to figure out the boot order.
http://forum.xda-developers.com/showthread.php?t=1018862 This thread is an amazing thread for samsung related stuff but kind of off topic for us.
Is there any way of figuring out the way the device boots ?
Sorry for stressing boot order and stuff so much but I really think it's the key to everything.
If we install GRUB after that everything else will be a piece of cake.
http://www.gnu.org/software/grub/
Click to expand...
Click to collapse
the boot sequence is more where my thinking is going to.
my understanding is there are three stages , power on the boot loader does it's work, the kernel get's up and lays out the ramdrive and hardware
and get's the usual/basic/expected linux stuff going [yes, linux is already present,a form of it anyway] and finally, the android user space stuff.
altering something in the process to halt/bypass that last stage and get to , for now at least, a command prompt is the thought.
the hardware hacking looks really neat and is a good find as far as gaining insight on the basic boot process so thank you for
pointing me to it. having no up to speed modern pc i'm left to do what i can on my tab and can't risk it. but i DID find a
a kernel/boot img pack/repack/editing setup that i'm already using on my tab!!!
the link is http://forum.xda-developers.com/showthread.php?t=2073775
read the op then go to my post on the last page.
grub would be sweet though, wouldn't it ?
round one
okay this is what i did today
swapped busybox [arm] for [x86]
added parted in bin
replaced symlink named mtab==>/proc/self/mounts with actual file
corrected [?] mmcblk,loop references in hooks/looproot
changed this in init to experiment [attempt to return to android if fail,] marked edit and commented
if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
#if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
# Nothing got mounted on /new_root. This is the end, we don't know what to do anymore
# We fall back into a shell, but the shell has now PID 1
# This way, manual recovery is still possible.
init=/init
# err "Failed to mount the real root device." [edit]
# echo "Bailing out, you are on your own. Good luck." [edit]
# echo [edit]
# launch_interactive_shell --exec [edit]
elif [ ! -x "/new_root${init}" ]; then
# Successfully mounted /new_root, but ${init} is missing
# The same logic as above applies
err "Root device mounted successfully, but ${init} does not exist."
echo "Bailing out, you are on your own. Good luck."
echo
launch_interactive_shell --exec
fi
swapped zimage [from stock reco]
added modules [from stock reco]
result=fail, continuous reboot, re-odin recovery
try again tomorrow [yawn] uploaded experiment, contains .img ramdisk.gz and zimage
okay upload fail, i'll try again tomorrow grrrr.
moonbutt74 said:
okay this is what i did today
swapped busybox [arm] for [x86]
added parted in bin
replaced symlink named mtab==>/proc/self/mounts with actual file
corrected [?] mmcblk,loop references in hooks/looproot
changed this in init to experiment [attempt to return to android if fail,] marked edit and commented
if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
#if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
# Nothing got mounted on /new_root. This is the end, we don't know what to do anymore
# We fall back into a shell, but the shell has now PID 1
# This way, manual recovery is still possible.
init=/init
# err "Failed to mount the real root device." [edit]
# echo "Bailing out, you are on your own. Good luck." [edit]
# echo [edit]
# launch_interactive_shell --exec [edit]
elif [ ! -x "/new_root${init}" ]; then
# Successfully mounted /new_root, but ${init} is missing
# The same logic as above applies
err "Root device mounted successfully, but ${init} does not exist."
echo "Bailing out, you are on your own. Good luck."
echo
launch_interactive_shell --exec
fi
swapped zimage [from stock reco]
added modules [from stock reco]
result=fail, continuous reboot, re-odin recovery
try again tomorrow [yawn] uploaded experiment, contains .img ramdisk.gz and zimage
okay upload fail, i'll try again tomorrow grrrr.
Click to expand...
Click to collapse
hahaha i wish you good luck
thanks
FurFur_ said:
hahaha i wish you good luck
Click to expand...
Click to collapse
i've been through roughly 17 different experiments by now
but i'm too stupid to quit so we'll see :laugh:
---------- Post added at 10:46 PM ---------- Previous post was at 10:38 PM ----------
xkwr27 said:
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.
Click to expand...
Click to collapse
so if i'm understanding this right the samsung bootloader [which we don't mess with....snicker]
is initiating the command which grabs the kernel and get's things rolling..?
even if i'm not right in the init.rc scripting language is there a means to repeat that process ===> initramfs,bzimage ?
Ok the 3 key combos tell the tablet what to do 1 is power only boots normal 2 is power + volume up boots recovery 3 is power + volume down boots to download mode (odin)... what offensive security did was rewrite the recovery.img so that instead of launching you to the normal recovery all it does is tells the tab to boot the kali img in /SdCard/ so if you just power up with combo 1 it should still boot normal and 3 should still put you in odin mode but 2 will tell the tab to boot kali instead so all we should need is busybox maybe , a x86 kali img and a recovery img similar to the offensive security one. That is why I'm working to pick this recovery.img apart.
hey
i flashed the image as is first ; mmcblk's dont matchup in hook/looproot ; corrected[?] them no dice
aside from zimage&module&busybox mixing and matching
i think something with the hooks is the stumper
this is the ramdisk, i wasn't sure if you were asking or me to crack the image open or not,
i was hoping you might have a handle on kernel command lines.
if it comes to kernel building/compiling i'm boned:crying:
if there's something you want me to try or test let me know. :good:
kernel command
no_console_suspend=1 console=null
xkwr27 said:
Ok the 3 key combos tell the tablet what to do 1 is power only boots normal 2 is power + volume up boots recovery 3 is power + volume down boots to download mode (odin)... what offensive security did was rewrite the recovery.img so that instead of launching you to the normal recovery all it does is tells the tab to boot the kali img in /SdCard/ so if you just power up with combo 1 it should still boot normal and 3 should still put you in odin mode but 2 will tell the tab to boot kali instead so all we should need is busybox maybe , a x86 kali img and a recovery img similar to the offensive security one. That is why I'm working to pick this recovery.img apart.
Click to expand...
Click to collapse
Mate that sounds very good I'm so busy with life nowadays Final year of school I don't know too much and I can't learn anything cause I have literally no time
I won't be posting too often Good luck with your project. Eager to see some success :fingers-crossed::good:
Santos10 Bootloader trace:
Code:
IA32 CPU Firmware
Copyright (C) 1999-2013, Intel Corporation. All rights reserved.
7[0;23r[24;75H[1K[24;1H[1mIntel(R) Atom(TM) Z2560 CPU FW 00.73 (INTELFDK)[0m8------------------------------>FOR Teewinot ONLY<-----------------------------
******************************************************************************
************** Customer release based on Rel 00.49 + TWN changes**************
**************** BZ=115220 Bypass time/date check for product ****************
****************** BZ=118523 Cold Reset on ExecuteOS failure *****************
****** BZ=124478[TW 346-500-676] Request for logging enhancement in IAFW *****
************* BZ=127192 Disable Active Refresh during JEDEC Init *************
******************* BZ=none include ucode patch M013065110E ******************
**************************** New in this code drop ***************************
***** BZ=none Changed trace to match TWN RAMDUMP application requirement *****
*************** BZ=none Removed UART and PTI HW output methods ***************
******** Short circuiting the emInit when a fixed battery is detected. *******
********************* Customization done 201308261512 MST ********************
******************************************************************************
[37;41m******************************INTEL CONFIDENTIAL******************************
[0m
0x1E, 0x20, 0x21,
ERROR:::::SPID Not Programmed, Fake data being used based on IFWI version
ERROR:::::SPID FRU Not Programmed, Fake data being used based on IFWI version
OSC_CLK3 defaults only
0x22,
OEM board; Skip spidBasedPanelNdxUpdate
0x23,
Forced Battery via SMIP FPO Bit 2
0x28, 0x2A, 0x2B, in csSFIDevsEntries, HW Id 0x0019
SFI Dev...PR3
in csSFIGpioEntries, HW Id 0x0019
SFIOEMBInit:tbl->spidTbl update
0x2C, 0x2D, 0x2F PostCodes Done
IA32 FW: CPU v000.073/00.49; SUPP v000.073/00.49; VH: 000.081/00.51
IA Timestamp: 2013.08.26:18.00 (INTELFDK)
SCU FW: ROM 177.000/B1.00; RT 033.046/21.2E
PUNIT FW: v160.064/A0.40
IFWI: v249.086/F9.56
PL: 0000010E
Config & PCB: OEM Platform, C, CLV+ B1, Samsung (01,00) SR 4Gb 1067 1GB
FHOB DW0/DW1: 00000104:00010140
I2C Expander: FFFFFFFC:0000000F
IA Options: 024020A1:00000000:03E00000:80005C00:00000101;1264
[OS HASH VERIFY] [EIST] [eMMC] [VALID BATT][WDT]
Loading OS...
pOsip = 1000000
-->OSIP verified
00000000 E0000000
[COLOR="Red"]Android COS path taken
E0000000 D303000A[/COLOR]
[COLOR="red"]Boot path override selected OS image 0[/COLOR] (OS Attribute 0x00, Reboot Reason 0x0A)
D303000A D303000A
Splash disabled in GCT
Splash display time: 2 ms
[COLOR="red"]-->Bootable OS image 0 found for requested type 2 [/COLOR](OSII attribute 0x00)
-->[COLOR="red"]Loading OS image 0 from eMMC block 0x00000032 to DRAM address 0x010FFE20[/COLOR]
-->Starting transfer of 0xA11 512-byte blocks to DRAM
-->Done loading OS Image to DRAM
-->platformConfigBuffer_pt.scuFhobDw0.osven != 0
-->osIndex: 0, Signed Image
OS image 0 PASSED verify
Booting COS
*********************************
Starting command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100
-
OSNIB.wakesrc = 0x3
OSNIB.RR = 0xA
Battery is high enough for normal boot
4166mV > 0mV
Ending command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100 androidboot.wakesrc=03 androidboot.mode=charger-
*********************************
WDT aka Timer7 setup
Warn Duration for Timer7: 00 seconds
Start Timer7 bit 0 -> 1: 00000000000000000000000000000000
[0;24r[24;1H[2KM
Calling OS entry point --> 0x01101000 ...
Using NEW OSHOB structure size = 176 bytes
OSNIB size = 32 bytes OEMNIB size = 64 bytes
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Watchdog Disabled!
usb is connected, skip to set uart path
__stmpe811_write : fail
MUIC: CONTROL1:0x00
MUIC: CONTROL1:0x00
MUIC: CONTROL2:0x3b
MUIC: CONTROL2:0x3b
[SCU_IPC_DEBUG] board ID: NOT_IDENTIFIED(8)
VERSION : 0xa501
mmc_read_ext_csd : ext_csd_rev = 0x7
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
!!!Enter 8 Bit mode.!!!
clt_mmc_init: mmc->capacity = 0x1d56000
[BOOT] RESETIRQ1=0x00 RESETIRQ2=0x00 (interrupt tree)
[BOOT] SCU_TR=0x00020013 IA_TR=0xffffffff (oshob)
[BOOT] RR=0x00 WD=0x00 ALARM=0x00 (osnib)
[BOOT] WAKESRC=0x03 RESETIRQ1=0x20 RESETIRQ2=0x00 (osnib)
Samsung S-Boot 4.0-1816966 for GT-P5200 (Nov 26 2013 - 01:43:08)
CLT(EVT 0.0) / 1024MB / 15020MB / Rev 8 / P5200XXUAMK8
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (159:0xc)
PARAM ENV VERSION: v1.0..
pressed_key = 0x1
clt_charger_init : [battery] using external charger init(3)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
[check_cable_type] : Output of USB Charger Detection 3
[max77693_init_charger] : attached device(0x02) : TA
clt_max77693_set_charger_state: chg_cnfg_02 (0x1f) -> (0x1f) -> (0x1f)
clt_max77693_set_charger_state: chg_cnfg_03 (0x00) -> (0x00) -> (0x00)
clt_max77693_set_charger_state: chg_cnfg_04 (0xdd) -> (0xdd) -> (0xdd)
clt_max77693_set_charger_state: chg_cnfg_09 (0x64) -> (0x64) -> (0x64)
set_charger_state : buck(1), chg(0), reg(0x04)
init_fuel_gauge: Start!!
[0] get_adc_battid() = 92
[1] get_adc_battid() = 92
[2] get_adc_battid() = 92
get_adc_battid() = 92
init_fuel_gauge: Battery type : SDI
init_fuel_gauge: Already initialized (0x32cd, SDI type)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
fuel_gauge_compensate_soc: Start!!
fuel_gauge_read_soc: SOC(73), data(0x491b)
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
calculate_table_soc: Get table SOC in case of charging!!
calculate_table_soc: i(1), vcell(4071), table_soc(88)
differ(15), table_soc(88), RepSOC(73)
clt_charger_init : cable_type(0x02)
set_charger_state : buck(1), chg(1), reg(0x05)
intel_scu_ipc_cmd_oemnib : done => 0x0
check_reboot_cmd: nCmd = 0 ... skip check_reboot_cmd
debug level = 0x4f4c
disable max77693 manual reset
clt_max77693_disable_manual_reset: set max77693 MANCTRL1 val = 0x4
clt_max77693_disable_manual_reset: read max77693 MANCTRL1 val = 0x4
disable PMIC cod off triggered by PWRBTN#: 6
do_keypad: 0x1
intel_scu_ipc_cmd_oemnib : done => 0x0
check_download: 0
Is_lpm_boot : boot-mode saved in param = 0
Is_lpm_boot : jig-on level = 0, ignore...
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
stat=0x1031f, adc=0x1f, chg=0x3, vbvolt=1, pinLevel=1
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
fuel_gauge_read_soc: SOC(73), data(0x491b)
check_low_battery : rb=0 jig=0
check_low_battery : v=4071 soc=73
skip check low battery
scr_draw_image: draw 'logo.jpg'...
read 'logo.jpg'(105420) completed.
<start_checksum:355>CHECKSUM_HEADER_SECTOR :4096
<start_checksum:357>offset:6144, size:6296
<start_checksum:361>CHECKSUM_HEADER_INFO : NeedChecksum:0 PartNo:27
Not Need Movinand Checksum
Movinand Checksum Confirmation Pass
load_kernel: loading boot image from 106496..
total size : 8495104
pit_check_signature (BOOT) valid.
Set valid sign flag
if_ddi_data: succeeded. (159:0xc)
BOOT_MAGIC == ANDROID!
CMDLINE LENGTH = 538
CMDLINE = init=/init console=sec_log_buf kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=santos103g sec_debug.level=0 loglevel=0 androidboot.debug_level=0x4f4c vmalloc=256m [email protected] sec_bootfb=0x3f000000 lcd_panel_id=0 androidboot.revision=8 switch_sel=3 cordon=615d013e557994c8ad53b3325c31b124 connie=GT-P5200_OPEN_EUR_cf878c59e3c2eeb1cdb40863938b834d androidboot.emmc_checksum=3 androidboot.bootloader=P5200XXUAMK8 androidboot.serialno=4300b61fdc125000 snd_soc_core.pmdown_time=1000 jig=0
Bootstub: map SFI MMAP to e820 table
add mmap: 0x00000000 0x00098000 1
add mmap: 0x00100000 0x00580000 2
add mmap: 0x00680000 0x00680000 1
add mmap: 0x00d00000 0x00300000 2
add mmap: 0x01000000 0x35ff0000 1
add mmap: 0x36ff0000 0x0090d000 2
add mmap: 0x378fd400 0x00100000 2
add mmap: 0x379fd400 0x02602000 1
add mmap: 0x3a000000 0x02200000 2
add mmap: 0x3c200000 0x02d00000 1
add mmap: 0x3ef00000 0x00100000 2
add mmap: 0x3f000000 0x01000000 2
add mmap: 0xfec00000 0x00001000 2
add mmap: 0xfee00000 0x00001000 2
add mmap: 0xff000000 0x01000000 2
IMR6 start=0x3a000000 end=0x3c1fffff
new mmap: 0x3a000000 0x02200000 2
IMR7 start=0x00100000 end=0x0067ffff
new mmap: 0x00100000 0x00580000 2
Final E820 table:
e820: 0x00000000 0x00098000 1
e820: 0x00100000 0x00580000 2
e820: 0x00680000 0x00680000 1
e820: 0x00d00000 0x00300000 2
e820: 0x01000000 0x35ff0000 1
e820: 0x36ff0000 0x0090d000 2
e820: 0x378fd400 0x00100000 2
e820: 0x379fd400 0x02602000 1
e820: 0x3a000000 0x02200000 2
e820: 0x3c200000 0x02d00000 1
e820: 0x3ef00000 0x00100000 2
e820: 0x3f000000 0x01000000 2
e820: 0xfec00000 0x00001000 2
e820: 0xfee00000 0x00001000 2
e820: 0xff000000 0x01000000 2
Final mb_mmap table:
mb_mmap: 0x00000000 0x00098000 1
mb_mmap: 0x00100000 0x00580000 0
mb_mmap: 0x00680000 0x00680000 1
mb_mmap: 0x00d00000 0x00300000 0
mb_mmap: 0x01000000 0x35ff0000 1
mb_mmap: 0x36ff0000 0x0090d000 0
mb_mmap: 0x378fd400 0x00100000 0
mb_mmap: 0x379fd400 0x02602000 1
mb_mmap: 0x3a000000 0x02200000 0
mb_mmap: 0x3c200000 0x02d00000 1
mb_mmap: 0x3ef00000 0x00100000 0
mb_mmap: 0x3f000000 0x01000000 0
mb_mmap: 0xfec00000 0x00001000 0
mb_mmap: 0xfee00000 0x00001000 0
mb_mmap: 0xff000000 0x01000000 0
Using bzImage to boot
Relocating initramfs to high memory ...
usb is connected, skip to set uart path
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Jump to kernel 32bit entry ...0x05003c00
I check interesting rows by red color. But there is easy way: need to compile x86 binaries and inject some code to twrp recovery. After that Linux OS must load from any img or partition on internal or external SD. Manual for coding this: link. This method accept to boot any second linux-based OS from any defined partition. It's on Russian - use translator to read.
Santos10 partiton table:
Code:
major minor #blocks name
7 0 61362 loop0
7 1 7308 loop1
179 0 15380480 mmcblk0
179 1 3072 mmcblk0p1
179 2 20480 mmcblk0p2
179 3 16384 mmcblk0p3
179 4 2048 mmcblk0p4
179 5 2048 mmcblk0p5
179 6 358400 mmcblk0p6
179 7 4096 mmcblk0p7
179 8 2416640 mmcblk0p8
179 9 12337152 mmcblk0p9
259 0 20480 mmcblk0p10
259 1 20480 mmcblk0p11
259 2 20480 mmcblk0p12
259 3 102400 mmcblk0p13
259 4 4096 mmcblk0p14
259 5 4096 mmcblk0p15
259 6 4096 mmcblk0p16
259 7 12288 mmcblk0p17
259 8 2048 mmcblk0p18
259 9 2048 mmcblk0p19
259 10 1024 mmcblk0p20
259 11 8192 mmcblk0p21
179 40 8192 mmcblk0gp0
179 30 1 mmcblk0rpmb
[COLOR="Red"]179 20 4096 mmcblk0boot1[/COLOR]
[COLOR="red"]179 10 4096 mmcblk0boot0[/COLOR]
252 0 307200 zram0
179 50 1955840 mmcblk1
179 51 1954816 mmcblk1p1
253 0 61362 dm-0
253 1 7308 dm-1]
Look at the red text i marked. I think we already have dual boot bootloader by Samsung.
Angel_666 said:
Santos10 Bootloader trace:
Code:
IA32 CPU Firmware
Copyright (C) 1999-2013, Intel Corporation. All rights reserved.
7Intel(R) Atom(TM) Z2560 CPU FW 00.73 (INTELFDK)8------------------------------>FOR Teewinot ONLY<-----------------------------
******************************************************************************
************** Customer release based on Rel 00.49 + TWN changes**************
**************** BZ=115220 Bypass time/date check for product ****************
****************** BZ=118523 Cold Reset on ExecuteOS failure *****************
****** BZ=124478[TW 346-500-676] Request for logging enhancement in IAFW *****
************* BZ=127192 Disable Active Refresh during JEDEC Init *************
******************* BZ=none include ucode patch M013065110E ******************
**************************** New in this code drop ***************************
***** BZ=none Changed trace to match TWN RAMDUMP application requirement *****
*************** BZ=none Removed UART and PTI HW output methods ***************
******** Short circuiting the emInit when a fixed battery is detected. *******
********************* Customization done 201308261512 MST ********************
******************************************************************************
******************************INTEL CONFIDENTIAL******************************

0x1E, 0x20, 0x21,
ERROR:::::SPID Not Programmed, Fake data being used based on IFWI version
ERROR:::::SPID FRU Not Programmed, Fake data being used based on IFWI version
OSC_CLK3 defaults only
0x22,
OEM board; Skip spidBasedPanelNdxUpdate
0x23,
Forced Battery via SMIP FPO Bit 2
0x28, 0x2A, 0x2B, in csSFIDevsEntries, HW Id 0x0019
SFI Dev...PR3
in csSFIGpioEntries, HW Id 0x0019
SFIOEMBInit:tbl->spidTbl update
0x2C, 0x2D, 0x2F PostCodes Done
IA32 FW: CPU v000.073/00.49; SUPP v000.073/00.49; VH: 000.081/00.51
IA Timestamp: 2013.08.26:18.00 (INTELFDK)
SCU FW: ROM 177.000/B1.00; RT 033.046/21.2E
PUNIT FW: v160.064/A0.40
IFWI: v249.086/F9.56
PL: 0000010E
Config & PCB: OEM Platform, C, CLV+ B1, Samsung (01,00) SR 4Gb 1067 1GB
FHOB DW0/DW1: 00000104:00010140
I2C Expander: FFFFFFFC:0000000F
IA Options: 024020A1:00000000:03E00000:80005C00:00000101;1264
[OS HASH VERIFY] [EIST] [eMMC] [VALID BATT][WDT]
Loading OS...
pOsip = 1000000
-->OSIP verified
00000000 E0000000
[COLOR="Red"]Android COS path taken
E0000000 D303000A[/COLOR]
[COLOR="red"]Boot path override selected OS image 0[/COLOR] (OS Attribute 0x00, Reboot Reason 0x0A)
D303000A D303000A
Splash disabled in GCT
Splash display time: 2 ms
[COLOR="red"]-->Bootable OS image 0 found for requested type 2 [/COLOR](OSII attribute 0x00)
-->[COLOR="red"]Loading OS image 0 from eMMC block 0x00000032 to DRAM address 0x010FFE20[/COLOR]
-->Starting transfer of 0xA11 512-byte blocks to DRAM
-->Done loading OS Image to DRAM
-->platformConfigBuffer_pt.scuFhobDw0.osven != 0
-->osIndex: 0, Signed Image
OS image 0 PASSED verify
Booting COS
*********************************
Starting command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100
-
OSNIB.wakesrc = 0x3
OSNIB.RR = 0xA
Battery is high enough for normal boot
4166mV > 0mV
Ending command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100 androidboot.wakesrc=03 androidboot.mode=charger-
*********************************
WDT aka Timer7 setup
Warn Duration for Timer7: 00 seconds
Start Timer7 bit 0 -> 1: 00000000000000000000000000000000
M
Calling OS entry point --> 0x01101000 ...
Using NEW OSHOB structure size = 176 bytes
OSNIB size = 32 bytes OEMNIB size = 64 bytes
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Watchdog Disabled!
usb is connected, skip to set uart path
__stmpe811_write : fail
MUIC: CONTROL1:0x00
MUIC: CONTROL1:0x00
MUIC: CONTROL2:0x3b
MUIC: CONTROL2:0x3b
[SCU_IPC_DEBUG] board ID: NOT_IDENTIFIED(8)
VERSION : 0xa501
mmc_read_ext_csd : ext_csd_rev = 0x7
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
!!!Enter 8 Bit mode.!!!
clt_mmc_init: mmc->capacity = 0x1d56000
[BOOT] RESETIRQ1=0x00 RESETIRQ2=0x00 (interrupt tree)
[BOOT] SCU_TR=0x00020013 IA_TR=0xffffffff (oshob)
[BOOT] RR=0x00 WD=0x00 ALARM=0x00 (osnib)
[BOOT] WAKESRC=0x03 RESETIRQ1=0x20 RESETIRQ2=0x00 (osnib)
Samsung S-Boot 4.0-1816966 for GT-P5200 (Nov 26 2013 - 01:43:08)
CLT(EVT 0.0) / 1024MB / 15020MB / Rev 8 / P5200XXUAMK8
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (159:0xc)
PARAM ENV VERSION: v1.0..
pressed_key = 0x1
clt_charger_init : [battery] using external charger init(3)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
[check_cable_type] : Output of USB Charger Detection 3
[max77693_init_charger] : attached device(0x02) : TA
clt_max77693_set_charger_state: chg_cnfg_02 (0x1f) -> (0x1f) -> (0x1f)
clt_max77693_set_charger_state: chg_cnfg_03 (0x00) -> (0x00) -> (0x00)
clt_max77693_set_charger_state: chg_cnfg_04 (0xdd) -> (0xdd) -> (0xdd)
clt_max77693_set_charger_state: chg_cnfg_09 (0x64) -> (0x64) -> (0x64)
set_charger_state : buck(1), chg(0), reg(0x04)
init_fuel_gauge: Start!!
[0] get_adc_battid() = 92
[1] get_adc_battid() = 92
[2] get_adc_battid() = 92
get_adc_battid() = 92
init_fuel_gauge: Battery type : SDI
init_fuel_gauge: Already initialized (0x32cd, SDI type)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
fuel_gauge_compensate_soc: Start!!
fuel_gauge_read_soc: SOC(73), data(0x491b)
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
calculate_table_soc: Get table SOC in case of charging!!
calculate_table_soc: i(1), vcell(4071), table_soc(88)
differ(15), table_soc(88), RepSOC(73)
clt_charger_init : cable_type(0x02)
set_charger_state : buck(1), chg(1), reg(0x05)
intel_scu_ipc_cmd_oemnib : done => 0x0
check_reboot_cmd: nCmd = 0 ... skip check_reboot_cmd
debug level = 0x4f4c
disable max77693 manual reset
clt_max77693_disable_manual_reset: set max77693 MANCTRL1 val = 0x4
clt_max77693_disable_manual_reset: read max77693 MANCTRL1 val = 0x4
disable PMIC cod off triggered by PWRBTN#: 6
do_keypad: 0x1
intel_scu_ipc_cmd_oemnib : done => 0x0
check_download: 0
Is_lpm_boot : boot-mode saved in param = 0
Is_lpm_boot : jig-on level = 0, ignore...
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
stat=0x1031f, adc=0x1f, chg=0x3, vbvolt=1, pinLevel=1
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
fuel_gauge_read_soc: SOC(73), data(0x491b)
check_low_battery : rb=0 jig=0
check_low_battery : v=4071 soc=73
skip check low battery
scr_draw_image: draw 'logo.jpg'...
read 'logo.jpg'(105420) completed.
<start_checksum:355>CHECKSUM_HEADER_SECTOR :4096
<start_checksum:357>offset:6144, size:6296
<start_checksum:361>CHECKSUM_HEADER_INFO : NeedChecksum:0 PartNo:27
Not Need Movinand Checksum
Movinand Checksum Confirmation Pass
load_kernel: loading boot image from 106496..
total size : 8495104
pit_check_signature (BOOT) valid.
Set valid sign flag
if_ddi_data: succeeded. (159:0xc)
BOOT_MAGIC == ANDROID!
CMDLINE LENGTH = 538
CMDLINE = init=/init console=sec_log_buf kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=santos103g sec_debug.level=0 loglevel=0 androidboot.debug_level=0x4f4c vmalloc=256m [email protected] sec_bootfb=0x3f000000 lcd_panel_id=0 androidboot.revision=8 switch_sel=3 cordon=615d013e557994c8ad53b3325c31b124 connie=GT-P5200_OPEN_EUR_cf878c59e3c2eeb1cdb40863938b834d androidboot.emmc_checksum=3 androidboot.bootloader=P5200XXUAMK8 androidboot.serialno=4300b61fdc125000 snd_soc_core.pmdown_time=1000 jig=0
Bootstub: map SFI MMAP to e820 table
add mmap: 0x00000000 0x00098000 1
add mmap: 0x00100000 0x00580000 2
add mmap: 0x00680000 0x00680000 1
add mmap: 0x00d00000 0x00300000 2
add mmap: 0x01000000 0x35ff0000 1
add mmap: 0x36ff0000 0x0090d000 2
add mmap: 0x378fd400 0x00100000 2
add mmap: 0x379fd400 0x02602000 1
add mmap: 0x3a000000 0x02200000 2
add mmap: 0x3c200000 0x02d00000 1
add mmap: 0x3ef00000 0x00100000 2
add mmap: 0x3f000000 0x01000000 2
add mmap: 0xfec00000 0x00001000 2
add mmap: 0xfee00000 0x00001000 2
add mmap: 0xff000000 0x01000000 2
IMR6 start=0x3a000000 end=0x3c1fffff
new mmap: 0x3a000000 0x02200000 2
IMR7 start=0x00100000 end=0x0067ffff
new mmap: 0x00100000 0x00580000 2
Final E820 table:
e820: 0x00000000 0x00098000 1
e820: 0x00100000 0x00580000 2
e820: 0x00680000 0x00680000 1
e820: 0x00d00000 0x00300000 2
e820: 0x01000000 0x35ff0000 1
e820: 0x36ff0000 0x0090d000 2
e820: 0x378fd400 0x00100000 2
e820: 0x379fd400 0x02602000 1
e820: 0x3a000000 0x02200000 2
e820: 0x3c200000 0x02d00000 1
e820: 0x3ef00000 0x00100000 2
e820: 0x3f000000 0x01000000 2
e820: 0xfec00000 0x00001000 2
e820: 0xfee00000 0x00001000 2
e820: 0xff000000 0x01000000 2
Final mb_mmap table:
mb_mmap: 0x00000000 0x00098000 1
mb_mmap: 0x00100000 0x00580000 0
mb_mmap: 0x00680000 0x00680000 1
mb_mmap: 0x00d00000 0x00300000 0
mb_mmap: 0x01000000 0x35ff0000 1
mb_mmap: 0x36ff0000 0x0090d000 0
mb_mmap: 0x378fd400 0x00100000 0
mb_mmap: 0x379fd400 0x02602000 1
mb_mmap: 0x3a000000 0x02200000 0
mb_mmap: 0x3c200000 0x02d00000 1
mb_mmap: 0x3ef00000 0x00100000 0
mb_mmap: 0x3f000000 0x01000000 0
mb_mmap: 0xfec00000 0x00001000 0
mb_mmap: 0xfee00000 0x00001000 0
mb_mmap: 0xff000000 0x01000000 0
Using bzImage to boot
Relocating initramfs to high memory ...
usb is connected, skip to set uart path
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Jump to kernel 32bit entry ...0x05003c00
I check interesting rows by red color. But there is easy way: need to compile x86 binaries an inject some code to twrp recovery. After that Linux OS must load from any img or partition on internal or external SD. Manual for coding this: link. It's on Russian - use translator to read.
Click to expand...
Click to collapse
Awesome work on that manual dude, now I have something to do while I'm at work bored... and we'll know what we can and can't remove/put in...
xkwr27 said:
Awesome work on that manual dude
Click to expand...
Click to collapse
If you mean manual on that site - it's not mine.
Post updated. Take a look at device partitions.

Bricked Huawei HiSilicon phones - Honor P6, Mate, 4C etc... way to unbrick???

Hi people.
I have new bricked Huawei Honor 4c with HiSilicon Kirin 620 octacore (Hi6620) Hardly bricked.
I`ve unlocked bootloader and custom recovery used to flash it with my own update.zip from other phone (with LTE support). At the end of flashing - it turned off and bricked.
BUT! After connecting to PC via USB it flashes GREEN and RED leds a few times and after windows determines it as a device with USB\VID_12D1&PID_3609&REV_0000 and named as 䕇䕎䥎 ㄰㌲㔴㜶㤸 .
It is Huawei`s VID. And after a lot of search I found a driver for it - and device became HUAWEI USB-COM 1.0. But nothing else.
No flash utility, nothing. HiSilicon-IDT for K3 processor doesn`t work.
After another searches I found very similar device - it`s named HiKey board. Based on Hisilicon Kirin processor too https://www.96boards.org/.
This board is base around the HiSilicon Kirin 6220 eight-core ARM Cortex-A53 64-bit SoC running at 1.2GHz and delivering over 10,000 Dhrystone VAX MIPS total performance. The SoC also delivers high performance 3D graphics support with its ARM Mali 450-MP4 GPU.
1GB 800MHz LPDDR3 DRAM, 4GB eMMC Flash Storage and the standard 96Boards microSD v3.0 socket provide high performance. Flexible storage options and connectivity are available through 802.11a/b/g/n WiFi, Bluetooth 4.0 LE, three high speed USB 2.0 ports (1 OTG), an HDMI 1.3 1080p video output with audio, and Maker, DSI display and CSI camera interfaces. The board is the standard 96Boards credit-card form factor powered by an 8-18V DC 2A power supply.
Click to expand...
Click to collapse
As we can see - it is very close to ours phone.
It is fully documented and has a lot of spec about proc and other.
And in it`s manual written about recovery procedure after damage of ROM - when device is powered on - it is in "download mode" for 90 seconds - abslolutly like mine phone - after 90 second it turns off from windows.
In short - it is ability to write 2 fastboot images (fastboot1.img and fastboot2.img) in RAM, launch them and using fastboot command flash images to eMMC. They use SERIAL COM PORT to manipulate with device.
It uses utility called "hisi-idt.py" - it is a python script for Linux based machines.
I`ve Installed Linux Mint and try it.
And I`ve some result - first image is going fine and I receive "Done"
But second image is always "Failed". And fastboot command "fastboot devices" do not list any devices.
Viewing binaries from my ROM (Fastboot.img and Fastboot1.img) in HEX - I can see load addresses to ROM are the same as in python script. It is 0xf9800800 and 0x0700000 for both images.
But.... have no success. It looks like I`m close to the goal.
Any ideas?
Noone intersted in?
I`ve found UART Rx Tx points on the motherboard and now I can get some debug info.
I see I can load images into RAM but...
Code:
debug EMMC boot: print init OK
debug EMMC boot: send RST_N .
debug EMMC boot: start eMMC boot......
OnChipRom: fastboot1 Verif sucess !
[BDID]boardid: 745 <7.4.5>
battery ocv is 4141 mv
�����������������������������������������������������壂�{��?O
H�����������w!!I㡡�v�J�ơ�����硾�B����9�F�F�$�/"�0D�c���������f��B���B�f��B�rreset device done.
start enum.
enum done intr
Enum is starting.
usb reset intr
enum done intr
NULL package
NULL package
USB ENUM OK.
init ser device done....
USB:: Err!! Unknown USB setup packet!
NULL package
USB:: Err!! Unknown USB setup packet!
NULL package
USB:: Err!! Unknown USB setup packet!
NULL package
USB:: Err!! Unknown USB setup packet!
NULL package
USB:: Err!! Unknown USB setup packet!
NULL package
uFileAddress=ss=f9800800
start armboot download mode
[BDID]boardid: 745 <7.4.5>
battery 펟v���W�����ʝcn�g������
H�����������w!!I㡡�v�J�ơ�����硾�B����9�F�F�$�/"�0D�c���������f��B���B�f���gc姾����fB�ʔ
thats all for a while
i have same problem pleas tell me if you fix it
michfood said:
Noone intersted in?
I`ve found UART Rx Tx points on the motherboard and now I can get some debug info.
I see I can load images into RAM but...
Code:
debug EMMC boot: print init OK
debug EMMC boot: send RST_N .
debug EMMC boot: start eMMC boot......
OnChipRom: fastboot1 Verif sucess !
[BDID]boardid: 745 <7.4.5>
battery ocv is 4141 mv
�����������������������������������������������������壂�{��?O
H�����������w!!I㡡�v�J�ơ�����硾�B����9�F�F�$�/"�0D�c���������f��B���B�f��B�rreset device done.
start enum.
enum done intr
Enum is starting.
usb reset intr
enum done intr
NULL package
NULL package
USB ENUM OK.
init ser device done....
USB:: Err!! Unknown USB setup packet!
NULL package
USB:: Err!! Unknown USB setup packet!
NULL package
USB:: Err!! Unknown USB setup packet!
NULL package
USB:: Err!! Unknown USB setup packet!
NULL package
USB:: Err!! Unknown USB setup packet!
NULL package
uFileAddress=ss=f9800800
start armboot download mode
[BDID]boardid: 745 <7.4.5>
battery 펟v���W�����ʝcn�g������
H�����������w!!I㡡�v�J�ơ�����硾�B����9�F�F�$�/"�0D�c���������f��B���B�f���gc姾����fB�ʔ
thats all for a while
Click to expand...
Click to collapse
Hello, can you uload somewere the python file to have a look at it? Also the log you have provided to us it's the whole log?
no the log is not full.
it changes UART speed while booting.
script:
Code:
#!/usr/bin/python
#-*- coding: utf-8 -*-
import os
import os.path
import serial, time
import array
import sys, getopt
class bootdownload(object):
'''
Hisilicon boot downloader
>>> downloader = bootdownload()
>>> downloader.download(filename)
'''
# crctab calculated by Mark G. Mendel, Network Systems Corporation
crctable = [
0x0000, 0x1021, 0x2042, 0x3063, 0x4084, 0x50a5, 0x60c6, 0x70e7,
0x8108, 0x9129, 0xa14a, 0xb16b, 0xc18c, 0xd1ad, 0xe1ce, 0xf1ef,
0x1231, 0x0210, 0x3273, 0x2252, 0x52b5, 0x4294, 0x72f7, 0x62d6,
0x9339, 0x8318, 0xb37b, 0xa35a, 0xd3bd, 0xc39c, 0xf3ff, 0xe3de,
0x2462, 0x3443, 0x0420, 0x1401, 0x64e6, 0x74c7, 0x44a4, 0x5485,
0xa56a, 0xb54b, 0x8528, 0x9509, 0xe5ee, 0xf5cf, 0xc5ac, 0xd58d,
0x3653, 0x2672, 0x1611, 0x0630, 0x76d7, 0x66f6, 0x5695, 0x46b4,
0xb75b, 0xa77a, 0x9719, 0x8738, 0xf7df, 0xe7fe, 0xd79d, 0xc7bc,
0x48c4, 0x58e5, 0x6886, 0x78a7, 0x0840, 0x1861, 0x2802, 0x3823,
0xc9cc, 0xd9ed, 0xe98e, 0xf9af, 0x8948, 0x9969, 0xa90a, 0xb92b,
0x5af5, 0x4ad4, 0x7ab7, 0x6a96, 0x1a71, 0x0a50, 0x3a33, 0x2a12,
0xdbfd, 0xcbdc, 0xfbbf, 0xeb9e, 0x9b79, 0x8b58, 0xbb3b, 0xab1a,
0x6ca6, 0x7c87, 0x4ce4, 0x5cc5, 0x2c22, 0x3c03, 0x0c60, 0x1c41,
0xedae, 0xfd8f, 0xcdec, 0xddcd, 0xad2a, 0xbd0b, 0x8d68, 0x9d49,
0x7e97, 0x6eb6, 0x5ed5, 0x4ef4, 0x3e13, 0x2e32, 0x1e51, 0x0e70,
0xff9f, 0xefbe, 0xdfdd, 0xcffc, 0xbf1b, 0xaf3a, 0x9f59, 0x8f78,
0x9188, 0x81a9, 0xb1ca, 0xa1eb, 0xd10c, 0xc12d, 0xf14e, 0xe16f,
0x1080, 0x00a1, 0x30c2, 0x20e3, 0x5004, 0x4025, 0x7046, 0x6067,
0x83b9, 0x9398, 0xa3fb, 0xb3da, 0xc33d, 0xd31c, 0xe37f, 0xf35e,
0x02b1, 0x1290, 0x22f3, 0x32d2, 0x4235, 0x5214, 0x6277, 0x7256,
0xb5ea, 0xa5cb, 0x95a8, 0x8589, 0xf56e, 0xe54f, 0xd52c, 0xc50d,
0x34e2, 0x24c3, 0x14a0, 0x0481, 0x7466, 0x6447, 0x5424, 0x4405,
0xa7db, 0xb7fa, 0x8799, 0x97b8, 0xe75f, 0xf77e, 0xc71d, 0xd73c,
0x26d3, 0x36f2, 0x0691, 0x16b0, 0x6657, 0x7676, 0x4615, 0x5634,
0xd94c, 0xc96d, 0xf90e, 0xe92f, 0x99c8, 0x89e9, 0xb98a, 0xa9ab,
0x5844, 0x4865, 0x7806, 0x6827, 0x18c0, 0x08e1, 0x3882, 0x28a3,
0xcb7d, 0xdb5c, 0xeb3f, 0xfb1e, 0x8bf9, 0x9bd8, 0xabbb, 0xbb9a,
0x4a75, 0x5a54, 0x6a37, 0x7a16, 0x0af1, 0x1ad0, 0x2ab3, 0x3a92,
0xfd2e, 0xed0f, 0xdd6c, 0xcd4d, 0xbdaa, 0xad8b, 0x9de8, 0x8dc9,
0x7c26, 0x6c07, 0x5c64, 0x4c45, 0x3ca2, 0x2c83, 0x1ce0, 0x0cc1,
0xef1f, 0xff3e, 0xcf5d, 0xdf7c, 0xaf9b, 0xbfba, 0x8fd9, 0x9ff8,
0x6e17, 0x7e36, 0x4e55, 0x5e74, 0x2e93, 0x3eb2, 0x0ed1, 0x1ef0,
]
startframe = {
'hi3716cv200':[0xFE,0x00,0xFF,0x01,0x00,0x00,0x00,0x04,0x00,0x00,0x02,0x01]
}
headframe = {
'hi3716cv200':[0xFE,0x00,0xFF,0x01,0x00,0x00,0x00,0x04,0x00,0x00,0x02,0x01]
}
bootheadaddress = {
'hi3716cv200':0xF9800800
}
bootdownloadaddress = {
'hi3716cv200':0x07000000
}
BOOT_HEAD_LEN = 0x4F00
MAX_DATA_LEN = 0x400
def __init__(self,chiptype,serialport):
try:
self.s = serial.Serial(port=serialport, baudrate=115200, timeout=1)
except serial.serialutil.SerialException:
#no serial connection
self.s = None
print "\nFailed to open serial!", serialport
sys.exit(2)
self.chip = chiptype
def __del__(self):
if self.s != None:
self.s.close()
def calc_crc(self, data, crc=0):
for char in data:
crc = ((crc << 8) | ord(char)) ^ self.crctable[(crc >> 8) & 0xff]
for i in range(0,2):
crc = ((crc << 8) | 0) ^ self.crctable[(crc >> 8) & 0xff]
return crc & 0xffff
def getsize(self, filename):
st = os.stat(filename)
return st.st_size
def sendframe(self, data, loop):
for i in range(1, loop):
self.s.flushOutput()
self.s.write(data)
self.s.flushInput()
try:
ack = self.s.read()
if len(ack) == 1:
if ack == chr(0xaa):
return None
except:
return None
print 'failed'
def sendstartframe(self):
self.s.setTimeout(0.01)
data = array.array('B', self.startframe[self.chip]).tostring()
crc = self.calc_crc(data)
data += chr((crc >> 8)&0xff)
data += chr(crc&0xff)
self.sendframe(data,10000)
def sendheadframe(self,length,address):
self.s.setTimeout(0.03)
self.headframe[self.chip][4] = (length>>24)&0xff
self.headframe[self.chip][5] = (length>>16)&0xff
self.headframe[self.chip][6] = (length>>8)&0xff
self.headframe[self.chip][7] = (length)&0xff
self.headframe[self.chip][8] = (address>>24)&0xff
self.headframe[self.chip][9] = (address>>16)&0xff
self.headframe[self.chip][10] = (address>>8)&0xff
self.headframe[self.chip][11] = (address)&0xff
data = array.array('B', self.headframe[self.chip]).tostring()
crc = self.calc_crc(data)
data += chr((crc >> 8)&0xff)
data += chr(crc&0xff)
self.sendframe(data,16)
def senddataframe(self,seq,data):
self.s.setTimeout(0.15)
head = chr(0xDA)
head += chr(seq&0xFF)
head += chr((~seq)&0xFF)
data = head + data
crc = self.calc_crc(data)
data += chr((crc >> 8)&0xff)
data += chr(crc&0xff)
self.sendframe(data,32)
def sendtailframe(self,seq):
data = chr(0xED)
data += chr(seq&0xFF)
data += chr((~seq)&0xFF)
crc = self.calc_crc(data)
data += chr((crc >> 8)&0xff)
data += chr(crc&0xff)
self.sendframe(data,16)
def senddata(self, data, address):
length=len(data)
self.sendheadframe(length,address)
seq=1
while length > self.MAX_DATA_LEN:
self.senddataframe(seq,data[(seq-1)*self.MAX_DATA_LEN:seq*self.MAX_DATA_LEN])
seq = seq+1
length = length-self.MAX_DATA_LEN
self.senddataframe(seq,data[(seq-1)*self.MAX_DATA_LEN:])
self.sendtailframe(seq+1)
def download(self, filename1, filename2):
f=open(filename1,"rb")
data = f.read()
f.close()
print 'Sending', filename1, '...'
self.senddata(data,self.bootheadaddress[self.chip])
print 'Done\n'
if filename2:
f=open(filename2,"rb")
data = f.read()
f.close()
print 'Sending', filename2, '...'
self.senddata(data,self.bootdownloadaddress[self.chip])
print 'Done\n'
def burnboot(chiptype, serialport, filename1, filename2=''):
downloader = bootdownload(chiptype, serialport)
downloader.download(filename1, filename2)
def startterm(serialport=0):
try:
miniterm = Miniterm(
serialport,
115200,
'N',
rtscts=False,
xonxoff=False,
echo=False,
convert_outgoing=2,
repr_mode=0,
)
except serial.SerialException, e:
sys.stderr.write("could not open port %r: %s\n" % (port, e))
sys.exit(1)
miniterm.start()
miniterm.join(True)
miniterm.join()
def main(argv):
'''
img2 = 'fastboot2.img'
'''
img1 = 'fastboot1.img'
img2 = ''
dev = '/dev/serial/by-id/usb-䕇䕎䥎_㄰㌲㔴㜶㤸-if00-port0'
try:
opts, args = getopt.getopt(argv,"hd:",["img1=","img2="])
except getopt.GetoptError:
print 'hisi-idt.py -d device --img1 <fastboot1> --img2 <fastboot2>'
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
print 'hisi-idt.py -d device --img1 <fastboot1> --img2 <fastboot2>'
sys.exit()
elif opt in ("-d"):
dev = arg
elif opt in ("--img1"):
img1 = arg
elif opt in ("--img2"):
img2 = arg
print '+----------------------+'
print ' Serial: ', dev
print ' Image1: ', img1
print ' Image2: ', img2
print '+----------------------+\n'
if not os.path.isfile(img1):
print "Image don't exists:", img1
sys.exit(1)
if (img2):
if not os.path.isfile(img2):
print "Image don't exists:", img2
sys.exit(1)
burnboot('hi3716cv200', dev, img1, img2)
if __name__ == "__main__":
main(sys.argv[1:])
logs:
Code:
��������������������������������������������������������������������������������������������������������������������������0
===>vbus_is_high!
fastboot1 charger_type:CHARGER_TYPE_PC
get_hw_config_int,hw_afreq:1200000.
get_efuse_value,efuse ATE_flag temp:0x0af00000.
ATE PASS,ate flag value:0x00000001.
get_efuse_value,efuse acpu_freq change level:0x8e186100.
get_efuse_value,efuse afreq change level val:0x00000000.
get_efuse_value,efuse acpu_freq level:0x8e186100.
get_efuse_value,efuse acpu freq sys level:0x00000000.
###INFO###,soc_freq = hw_afreq, efuse_afreq:1200000,hw_afreq:1200000.
efuse ACPU 1.4G HPM:0.
efuse ACPU 1.2G HPM:0.
efuse ACPU 960M HPM:0.
fastboot: acpu_dvfs_init successful!
begin get voltage by hpm...
prof[729000]: hpm_dly_exp = 0x00000cb0, hpm_dly_exit = 0x00000cf6!
prof[960000]: hpm_dly_exp = 0x00000cb6, hpm_dly_exit = 0x00000cfc!
prof[1200000]: hpm_dly_exp = 0x00000e94, hpm_dly_exit = 0x00000eda!
acpu support freq num:5
volt:0x0000004a 0x0000004a 0x0000004a 0x0000004a 0x00000057
acpu_get_dvfs_volt,g_afreq_max_pro is :5��acpu max freq:1200000.
#### success !!!!! set_acpu_freq: acpu support freq num is 5 and start is 4 .
get_ddr_type 1; (lpddr2: 0; lpddr3: 1)
pass the func addr: [0xfff81b10]: 0xf980d044ddr_init(): get_ddr_type: 1
ddr freq: 800000
in lpddr3_init: mode: 0; freq_config: 800
switch ddr voltage: 1.25V -> 1.2V
lpddr3_init 150
lpddr3_150_rank0_init_pass
lpddr3_150_rank1_init_pass
lpddr3_init 266
lpddr3_266_rank0_init_pass
lpddr3_266_rank1_init_pass
lpddr3_init 400
lpddr3_400_rank0_init_pass
lpddr3_400_rank1_init_pass
switch ddr voltage: 1.2V -> 1.25V
lpddr3_init 533
lpddr3_rank0_phydraminit_pass
lpddr3_cat_pass
lpddr3_533_rank0_init_pass
rdet_lbs_passrdet_ds_passrdet_rbs_av_passwdet_lbs_passwdet_ds_passwdet_rbs_av_passlpddr3_533_rank1_init_pass
lpddr3_init 800
lpddr3_rank0_phydraminit_pass
lpddr3_cat_pass
lpddr3_800_rank0_init_pass
rdet_lbs_passrdet_ds_passrdet_rbs_av_passwdet_lbs_passwdet_ds_passwdet_rbs_av_passlpddr3_800_rank1_init_pass
ERROR: tmp_freq: 0
tmp_freq: 400000
MR8 value=:0x0000005b
MR5 value=:0x00000001
Samsung DDR
MR6 value=:0x00000004
MR5 value=:0x00000000
[MR7,MR6,MR5]=:0x00000401
ddr init pll1 0x00007800!ddrc_qos_init done
bootloader_logger got buffer at 0x07300000, size 0x00040000
bootloader_logger: no valid data in buffer , (sig = 0x43474244)
[emmc_set_card_ready]emmc id:0xb64432c9 0x520644c1 0x474e4433 0x15010038
[emmc_set_card_ready]manufid: 0x00000015
DDR mode emmc
--error: gps/ldo16
[SEC]check_oem_hw: carrier_id = 0x00000000
DX_BIV_SwImageVerification image id is 0x00000011, return is 0xf1000002 !
execute_load_fastboot2: In secure mode and fastboot2 verify failed!
Load fastboot2 failed!
hw_error_print : led = 12. func = 0. err = 0.
[fastboot]:k3_led_green_on
[fastboot]:k3_led_green_on
[fastboot]:k3_led_green_on
[fastboot]:k3_led_green_on
[fastboot]:k3_led_green_on
[fastboot]:k3_led_green_on
enter fatal_exception!
Unrecovery Error, go to onchiprom usbloader!
USB Soft Disconnect
��������������������������������������������������������������������������������������������������������������������������0
===>vbus_is_high!
fastboot1 charger_type:CHARGER_TYPE_PC
get_hw_config_int,hw_afreq:1200000.
get_efuse_value,efuse ATE_flag temp:0x0af00000.
ATE PASS,ate flag value:0x00000001.
get_efuse_value,efuse acpu_freq change level:0x8e186100.
get_efuse_value,efuse afreq change level val:0x00000000.
get_efuse_value,efuse acpu_freq level:0x8e186100.
get_efuse_value,efuse acpu freq sys level:0x00000000.
###INFO###,soc_freq = hw_afreq, efuse_afreq:1200000,hw_afreq:1200000.
efuse ACPU 1.4G HPM:0.
efuse ACPU 1.2G HPM:0.
efuse ACPU 960M HPM:0.
fastboot: acpu_dvfs_init successful!
begin get voltage by hpm...
prof[729000]: hpm_dly_exp = 0x00000caf, hpm_dly_exit = 0x00000cf5!
prof[960000]: hpm_dly_exp = 0x00000cb5, hpm_dly_exit = 0x00000cfb!
prof[1200000]: hpm_dly_exp = 0x00000e90, hpm_dly_exit = 0x00000ed6!
acpu support freq num:5
volt:0x0000004a 0x0000004a 0x0000004a 0x0000004a 0x00000057
acpu_get_dvfs_volt,g_afreq_max_pro is :5��acpu max freq:1200000.
#### success !!!!! set_acpu_freq: acpu support freq num is 5 and start is 4 .
get_ddr_type 1; (lpddr2: 0; lpddr3: 1)
pass the func addr: [0xfff81b10]: 0xf980d044ddr_init(): get_ddr_type: 1
ddr freq: 800000
in lpddr3_init: mode: 0; freq_config: 800
switch ddr voltage: 1.25V -> 1.2V
lpddr3_init 150
lpddr3_150_rank0_init_pass
lpddr3_150_rank1_init_pass
lpddr3_init 266
lpddr3_266_rank0_init_pass
lpddr3_266_rank1_init_pass
lpddr3_init 400
lpddr3_400_rank0_init_pass
lpddr3_400_rank1_init_pass
switch ddr voltage: 1.2V -> 1.25V
lpddr3_init 533
lpddr3_rank0_phydraminit_pass
lpddr3_cat_pass
lpddr3_533_rank0_init_pass
rdet_lbs_passrdet_ds_passrdet_rbs_av_passwdet_lbs_passwdet_ds_passwdet_rbs_av_passlpddr3_533_rank1_init_pass
lpddr3_init 800
lpddr3_rank0_phydraminit_pass
lpddr3_cat_pass
lpddr3_800_rank0_init_pass
rdet_lbs_passrdet_ds_passrdet_rbs_av_passwdet_lbs_passwdet_ds_passwdet_rbs_av_passlpddr3_800_rank1_init_pass
ERROR: tmp_freq: 0
tmp_freq: 400000
MR8 value=:0x0000005b
MR5 value=:0x00000001
Samsung DDR
MR6 value=:0x00000004
MR5 value=:0x00000000
[MR7,MR6,MR5]=:0x00000401
ddr init pll1 0x00007800!ddrc_qos_init done
bootloader_logger got buffer at 0x07300000, size 0x00040000
bootloader_logger: no valid data in buffer , (sig = 0x43474244)
[emmc_set_card_ready]emmc id:0xb64432c9 0x520644c1 0x474e4433 0x15010038
[emmc_set_card_ready]manufid: 0x00000015
DDR mode emmc
--error: gps/ldo16
[SEC]check_oem_hw: carrier_id = 0x00000000
DX_BIV_SwImageVerification image id is 0x00000011, return is 0xf1000002 !
execute_load_fastboot2: In secure mode and fastboot2 verify failed!
Load fastboot2 failed!
hw_error_print : led = 12. func = 0. err = 0.
[fastboot]:k3_led_green_on
[fastboot]:k3_led_green_on
[fastboot]:k3_led_green_on
[fastboot]:k3_led_green_on
[fastboot]:k3_led_green_on
[fastboot]:k3_led_green_on
enter fatal_exception!
Unrecovery Error, go to onchiprom usbloader!
USB Soft Disconnect
��������������������������������������������������������������������������������������������������������������������������́v
nUpdate debug uart baudRate to :921600
===>vbus_is_high!
fastboot1 download_mode:1
fastboot1 charger_type:CHARGER_TYPE_PC
get_hw_config_int,hw_afreq:1200000.
get_efuse_value,efuse ATE_flag temp:0x0af00000.
ATE PASS,ate flag value:0x00000001.
get_efuse_value,efuse acpu_freq change level:0x8e186100.
get_efuse_value,efuse afreq change level val:0x00000000.
get_efuse_value,efuse acpu_freq level:0x8e186100.
get_efuse_value,efuse acpu freq sys level:0x00000000.
###INFO###,soc_freq = hw_afreq, efuse_afreq:1200000,hw_afreq:1200000.
efuse ACPU 1.4G HPM:0.
efuse ACPU 1.2G HPM:0.
efuse ACPU 960M HPM:0.
fastboot: acpu_dvfs_init successful!
begin get voltage by hpm...
prof[729000]: hpm_dly_exp = 0x00000cad, hpm_dly_exit = 0x00000cf3!
prof[960000]: hpm_dly_exp = 0x00000cad, hpm_dly_exit = 0x00000cf3!
prof[1200000]: hpm_dly_exp = 0x00000e88, hpm_dly_exit = 0x00000ece!
acpu support freq num:5
volt:0x0000004a 0x0000004a 0x0000004a 0x0000004a 0x00000057
acpu_get_dvfs_volt,g_afreq_max_pro is :5��acpu max freq:1200000.
#### success !!!!! set_acpu_freq: acpu support freq num is 5 and start is 4 .
get_ddr_type 1; (lpddr2: 0; lpddr3: 1)
pass the func addr: [0xfff81b10]: 0xf980d044ddr_init(): get_ddr_type: 1
ddr freq: 800000
in lpddr3_init: mode: 0; freq_config: 800
switch ddr voltage: 1.25V -> 1.2V
lpddr3_init 150
lpddr3_150_rank0_init_pass
lpddr3_150_rank1_init_pass
lpddr3_init 266
lpddr3_266_rank0_init_pass
lpddr3_266_rank1_init_pass
lpddr3_init 400
lpddr3_400_rank0_init_pass
lpddr3_400_rank1_init_pass
switch ddr voltage: 1.2V -> 1.25V
lpddr3_init 533
lpddr3_rank0_phydraminit_pass
lpddr3_cat_pass
lpddr3_533_rank0_init_pass
rdet_lbs_passrdet_ds_passrdet_rbs_av_passwdet_lbs_passwdet_ds_passwdet_rbs_av_passlpddr3_533_rank1_init_pass
lpddr3_init 800
lpddr3_rank0_phydraminit_pass
lpddr3_cat_pass
lpddr3_800_rank0_init_pass
rdet_lbs_passrdet_ds_passrdet_rbs_av_passwdet_lbs_passwdet_ds_passwdet_rbs_av_passlpddr3_800_rank1_init_pass
ERROR: tmp_freq: 0
tmp_freq: 400000
MR8 value=:0x0000005b
MR5 value=:0x00000001
Samsung DDR
MR6 value=:0x00000004
MR5 value=:0x00000000
[MR7,MR6,MR5]=:0x00000401
ddr init pll1 0x00007800!ddrc_qos_init done
bootloader_logger got buffer at 0x07300000, size 0x00040000
bootloader_logger: found existing buffer, size 1044, addr 24
USB_DOWNLOAD_MODE
timestamp: 0xfff2c982
return from fastboot1!
uFileAddress=ss=07000000
uFileAddress=ss=07000000
uFileAddress=ss=07000000
image verify failed!
@michfood hmm okay i had a look. As i can understand your phone doesn't accept the second fastboot.img. I don't think that the problem is the crctable. Maybe you have a wrong fastboot.img?? Try to get a new dump from an another phone.
If your image it's an original dump then there is no reason why it fails to pass the check. The reason why i think the crc signature it's correct it is because you are able to download both images(i saw more details in 96boards forum).
the second image do not start.
after loading first - it says:
"timestamp: 0xfff2c982
return from fastboot1!
uFileAddress=ss=07000000
image verify failed!"
so it is returned from fastboot1 to onchip loader and tries to load second image - but fails.
have no possibility to look normal boot as all phones are under guaranty - nobody want to solder uart pins
Actually i didn't said to you to look at a normal boot uart log. In a normal boot you'll just see the kernel booting. Maybe you second fastboot.img is faulty...
the second boot is correct - from the update.app, as the first one
there is a thought that message "image verify failed" is an onchip loader message after fastboot2 loads, runs, made some checks of other partitions (broken) (with no UART messages) and exits with some error code.
here we can see difference between boot from eMMC (left) and boot from RAM (right)
http://clip2net.com/s/3mFVeRi
No, i think fastboot2 doesn't boot at all. Look at ths:
Code:
execute_load_fastboot2: In secure mode and fastboot2 verify failed!
If you try to load only one fastboot.img? what happens?
you just look at log booting from emmc. while booting from ram - no such message.
and once more - after loading first fastboot to RAM it exits with message "return from fastboot1" and tries to load second file to RAM. read carefully
I've got a honor 4x which uses the same chipset. Mine is also bricked but loads into Fastboot&rescue mode, which does not allow me to update the fastboot image due to a signature verify problem (BL31 image). This is related to ARM Trusted Firmware. Also, it does not load a new update.app from the SDCARD - Simply hangs on the logo screen. Therefore, I need to force it to flash a new fastboot.img. I read the HiKey user guide, and noticed there's a J15 SEL jumper, where, when closed, will attempt to program the flash from USB OTG source. Before a pull my phone apart, I would like to know whether anybody has tried flashing a new fastboot.img via USB OTG via closing the J15 SEL jumper and whether it worked. Or if there's any other way to boot my own fastboot.img
some info. i`m looking for motherboard on ali.. have no success
Same problem
michfood said:
Hi people.
I have new bricked Huawei Honor 4c with HiSilicon Kirin 620 octacore (Hi6620) Hardly bricked.
I`ve unlocked bootloader and custom recovery used to flash it with my own update.zip from other phone (with LTE support). At the end of flashing - it turned off and bricked.
BUT! After connecting to PC via USB it flashes GREEN and RED leds a few times and after windows determines it as a device with USB\VID_12D1&PID_3609&REV_0000 and named as 䕇䕎䥎 ㄰㌲㔴㜶㤸 .
It is Huawei`s VID. And after a lot of search I found a driver for it - and device became HUAWEI USB-COM 1.0. But nothing else.
No flash utility, nothing. HiSilicon-IDT for K3 processor doesn`t work.
After another searches I found very similar device - it`s named HiKey board. Based on Hisilicon Kirin processor too https://www.96boards.org/.
As we can see - it is very close to ours phone.
It is fully documented and has a lot of spec about proc and other.
And in it`s manual written about recovery procedure after damage of ROM - when device is powered on - it is in "download mode" for 90 seconds - abslolutly like mine phone - after 90 second it turns off from windows.
In short - it is ability to write 2 fastboot images (fastboot1.img and fastboot2.img) in RAM, launch them and using fastboot command flash images to eMMC. They use SERIAL COM PORT to manipulate with device.
It uses utility called "hisi-idt.py" - it is a python script for Linux based machines.
I`ve Installed Linux Mint and try it.
And I`ve some result - first image is going fine and I receive "Done"
But second image is always "Failed". And fastboot command "fastboot devices" do not list any devices.
Viewing binaries from my ROM (Fastboot.img and Fastboot1.img) in HEX - I can see load addresses to ROM are the same as in python script. It is 0xf9800800 and 0x0700000 for both images.
But.... have no success. It looks like I`m close to the goal.
Any ideas?
Click to expand...
Click to collapse
Hi,
I'm stucked in the same hard brick. Could you provide a download link for the driver you found?
Are there news about progresses with this issue?
Thank you very much, I'll try to help if you want
In China,Hisilicon Kirin 620 is hi6210,not 6620.You can get the source code of HUAWEI Honor 4C from:http://emuirom123.dbankcloud.com/Cherrymini_kernel_[Android 5.1 EMUI3.1].tar.gz?rid=1520
It is for the China Mobile version(CHM-TL00H) with Kirin 620.
Chinese version Kirin 620 runs 8×A53 1.2GHz cores and ARM Mali-450 MP4 Gpu.The baseband of hisilicon kirin 620 is Balong V8R1SFT.
Sorry for my bad English.
来自搭载Android 2.3 GingerBread的华为Y220-T10
JackLenz said:
Hi,
I'm stucked in the same hard brick. Could you provide a download link for the driver you found?
Are there news about progresses with this issue?
Thank you very much, I'll try to help if you want
Click to expand...
Click to collapse
still nothing
zhaozihanzzh said:
In China,Hisilicon Kirin 620 is hi6210,not 6620.You can get the source code of HUAWEI Honor 4C from:http://emuirom123.dbankcloud.com/Cherrymini_kernel_[Android 5.1 EMUI3.1].tar.gz?rid=1520
It is for the China Mobile version(CHM-TL00H) with Kirin 620.
Chinese version Kirin 620 runs 8×A53 1.2GHz cores and ARM Mali-450 MP4 Gpu.The baseband of hisilicon kirin 620 is Balong V8R1SFT.
Sorry for my bad English.
来自搭载Android 2.3 GingerBread的华为Y220-T10
Click to expand...
Click to collapse
thanks for info - but how it helps?
michfood said:
still nothing
Click to expand...
Click to collapse
And what about the driver link?
I found some source code on github, maybe it could be useful
https://github.com/muhammadfahadbaig/android_vendor_huawei_hi6210sft

Question couldn't host Android Automotive OS 11 in Raspberry Pi 4 Model B

Hi, I downloaded the img file from the provided link(https://images.snappautomotive.com/rpi/snapp_automotive_rpi4_32gb_20211119.img.zip), but after successfully flashing the image file to an SD card, the raspberry pi4 model b didn't boot up. It shows (attached are the images of shown error) :
Raspberry Pi 4 Model B - 8GB bootloader: 6efe41bd 2022/01/25
board: 003115 6485fcf2 e4:5f:01:ad:58:05 boot: mode SD 1 order f41 retry 0/1 restart 18/-1
SD: card detected 00035344534431323885fa236632a165 part: mbr [0x0c:00000800 0x83:00040800 0x83:00440800 0x83:00480800]
fw: start4.elf fixup4.dat
net: down ip: 0.0.0.0 sn: 0.0.0.0 gw: 0.0.0.0
tftp: 0.0.0.0 00:00:00:00:00:00
Trying partition: 6
type: 16 lba: 2048 oem: 'mkfs. fat' volume:
rsc 4 fat-sectors 256 c-count 65399 c-size 4
root dir cluster 1 sectors 32 entries 512 Read config.txt bytes 206 hnd 0x00000000
Read start4.elf bytes 2214880 hnd 0x00000000 Read fixup4.dat bytes 5433 hnd 0x00000000
Firmware: 4b4aff21f72c5b9ba39d83c7b0f8fa910a6ef99b Dec 15 2020 14:48:29
0x00d03115 0x00000000 0x0000003f
start4.elf: is not compatible This board requires newer software
Get the latest software from https://www.raspberrypi.com/software/
Help me solve the issue. What should I follow?
just add the polestar and volvo images for emulator in android auto

Categories

Resources