Handling Cmd: reboot-bootloader
Rebooting the device into bootloader mode
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_SW_RENDERER
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_GETPANELSUPPORTFLAGS
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_POWERDOWN
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_SW_RENDERER
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_GETPANELSUPPORTFLAGS
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_POWERDOWN
Start EBS [279413]
App Log Flush : 0 ms
ScmArmV8ExitBootServicesHandler, Status = 0x0.
Exit EBS [279586] UEFI End
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.MXF.1.0-00773-LAHAINA-1
S - IMAGE_VARIANT_STRING=SocCedrosLAA
S - OEM_IMAGE_VERSION_STRING=c5-xm-ota-bd006.bj
S - Boot Interface: UFS
S - Secure Boot: On
S - Boot Config @ 0x00786070 = 0x00000041
S - JTAG ID @ 0x00786130 = 0x001590e1
S - OEM ID @ 0x00786138 = 0x00720000
S - Serial Number @ 0x00786134 = 0xcc773c71
S - Feature Config Row 0 @ 0x00784148 = 0x0000000000000000
S - Feature Config Row 1 @ 0x00784150 = 0x0000000000000000
S - Core 0 Frequency, 1516 MHz
S - PBL Patch Ver: 2
D - 8926 - pbl_apps_init_timestamp
D - 37267 - bootable_media_detect_timestamp
D - 955 - bl_elf_metadata_loading_timestamp
D - 7991 - bl_hash_seg_auth_timestamp
D - 7166 - bl_elf_loadable_segment_loading_timestamp
D - 4660 - bl_elf_segs_hash_verify_timestamp
D - 16951 - bl_sec_hash_seg_auth_timestamp
D - 802 - bl_sec_segs_hash_verify_timestamp
D - 23 - pbl_populate_shared_data_and_exit_timestamp
S - 84741 - PBL, End
B - 92811 - SBL1, Start
B - 211426 - SBL1 BUILD @ 13:55:24 on Apr 12 2022
B - 215482 - usb: usb_shared_hs_phy_init: hs phy cfg size , 0xc
D - 224632 - sbl1_hw_init
B - 315766 - UFS INQUIRY ID: SKhynix H9HQ15AECMBDAR A043
B - 317932 - UFS Boot LUN: 1
D - 109800 - boot_media_init
D - 0 - smss_load_cancel
B - 337726 - SMSS - Image Load, Start
D - 3050 - SMSS - Image Loaded, Delta - (0 Bytes)
D - 4484 - Auth Metadata
D - 5582 - sbl1_xblconfig_init
B - 352488 - XBL Config - Image Load, Start
D - 0 - shrm_load_cancel
B - 360205 - SHRM - Image Load, Start
D - 4087 - Auth Metadata
D - 1189 - Segments hash check
D - 12383 - SHRM - Image Loaded, Delta - (39616 Bytes)
D - 30 - boot_default_cdt_init
B - 381402 - Using default CDT
D - 3477 - boot_cdt_init
B - 387960 - CDT - Image Load, Start
B - 390766 - CDT Version:3,Platform ID:34,Major ID:1,Minor ID:0,Subtype:0
D - 16561 - sbl1_hw_platform_pre_ddr
D - 0 - devcfg init
B - 416904 - PM: pm_device_pre_init 0xf0a0: 0x0
B - 416935 - PMIC A:2.0 B:2.2 C:2.2 D:2.0 F:2.1
B - 423370 - PM: Reset by PSHOLD
B - 426207 - PM: Reset Type: Hard Reset
B - 429531 - PM: PON by SYSOK
B - 678076 - PM: SET_VAL:Skip
B - 678381 - PM: pm_device_post_init 0xf0a0: 0x0
B - 681156 - PM: 0xf0ed: 0x3
B - 685884 - PM: 0xf241: 0x0
B - 688842 - PM: 0xf23f: 0x0
B - 691770 - PM: 0xf067: 0xa
B - 694729 - PM: 0xf0f2: 0xf
B - 697687 - PM: 0xf047: 0xc5
B - 700646 - PM: 0xf060: 0x66
B - 703696 - PM: 0xE44C: 0x42
B - 706746 - PM: 0xE44D: 0xe
B - 709765 - PM: 0xE453: 0xa6
B - 712724 - PM: 0xE432: 0x40
B - 715835 - PM: PSI: b0x04_v0x12
B - 722118 - PM: Device Init # SPMI Transn: 15042
D - 314851 - pm_device_init, Delta
B - 727028 - pm_driver_init, Start
B - 739106 - PM: Driver Init # SPMI Transn: 558
D - 8632 - pm_driver_init, Delta
B - 743803 - PM: CHG Type in CHG init : 0
B - 747616 - PM: 0x2706: 0xa
B - 751367 - PM: 0x2707: 0xa
B - 754326 - PM: 0x2708: 0xa
B - 757284 - PM: 0x2709: 0xa
B - 761219 - PM: Battery ID: 101246Ohm
B - 763323 - PM: VBAT: 4273mV IBAT: 103mA
B - 767075 - PM: CHG Init # SPMI Transn: 15660
B - 771131 - vsense_init, Start
D - 0 - vsense_init, Delta
D - 380762 - sbl1_hw_pre_ddr_init
D - 0 - boot_dload_handle_forced_dload_timeout
D - 2958 - sbl1_load_ddr_training_data
B - 796538 - Pre_DDR_clock_init, Start
D - 92 - Pre_DDR_clock_init, Delta
D - 12871 - sbl1_ddr_set_params
B - 808219 - sbl1_ddr_init, Start
B - 811635 - LP4 DDR detected
D - 14609 - sbl1_ddr_init, Delta
B - 826184 - DSF version = 262.0.18
B - 829569 - Manufacturer ID = 6, Device Type = 7
B - 833138 - Rank 0 size = 2048 MB, Rank 1 size = 4096 MB
D - 29860 - sbl1_ddr_init
D - 0 - boot_pre_ddi_entry
B - 846253 - do_ddr_training, Start
D - 214 - sbl1_load_gsort_data
B - 892430 - DDR: Start of DDR Training Restore
B - 896029 - Current DDR Freq = 1555 MHz
B - 897096 - Max enabled DDR Freq = 2092 MHz
B - 901092 - DDR: End of DDR Training Restore
D - 56028 - do_ddr_training, Delta
D - 63836 - sbl1_do_ddr_training
D - 153 - sbl1_load_gsort_data
B - 916921 - magic str match
B - 920307 - magic_str: gsort, test_trigger_bitmap: 0
B - 923265 - gsort_versionffset:8.val:0x1
B - 928450 - trigger bit map is null
D - 19215 - sbl1_do_ddr_gsort
D - 518 - boot_ddi_entry
B - 939522 - Pimem init cmd, entry
D - 9150 - Pimem init cmd, exit
B - 951874 - External heap init, Start
B - 954955 - External heap init, End
B - 961756 - log rotate_flag=0
D - 22936 - sbl1_post_ddr_init
D - 30 - sbl1_hw_init_secondary
B - 970113 - ADC done - mv: 127941, percent: 4471
B - 973651 - ADC done - mv: 1629368, percent: 56949
B - 977220 - chiptype: 450, projectid adc within range 3800 to 5125, hwid adc within range 55047 to 58857
B - 987925 - ProjectType:6 ProductName:renoir HwLevel:MP HwCountry:GL HwId:0x190000
D - 28914 - sbl1_hw_get_mihwinfo
B - 999881 - DDR - Image Load, Start
B - 1003389 - usb: UFS Serial - 263ba23e
B - 1007079 - usb: chgr - SDP_CHARGER
B - 1011410 - usb: usb_shared_hs_phy_init: hs phy cfg size , 0xc
D - 17233 - boot_fedl_check
B - 1020804 - APDP - Image Load, Start
D - 3203 - APDP - Image Loaded, Delta - (64 Bytes)
D - 0 - boot_dload_dump_security_regions
D - 0 - ramdump_load_cancel
B - 1037244 - RamDump - Image Load, Start
D - 3324 - RamDump - Image Loaded, Delta - (0 Bytes)
D - 0 - boot_update_abnormal_reset_status
D - 0 - boot_cache_set_memory_barrier
D - 0 - boot_smem_debug_init
D - 427 - boot_smem_init
D - 31 - boot_smem_alloc_for_minidump
D - 92 - boot_smem_store_pon_status
D - 30 - sbl1_hw_platform_smem
D - 0 - sbl1_hw_store_mihwinfo_smem
D - 31 - boot_smem_store_ddr_status
D - 61 - boot_ddr_share_data_to_aop
D - 366 - boot_clock_init_rpm
D - 0 - boot_vsense_copy_to_smem
D - 0 - boot_populate_ram_partition_table
D - 0 - boot_populate_ddr_details_shared_table
D - 0 - sbl1_tlmm_init
D - 0 - sbl1_efs_handle_cookies
B - 1107943 - OEM_MISC - Image Load, Start
D - 3782 - OEM_MISC - Image Loaded, Delta - (64 Bytes)
B - 1115812 - QTI_MISC - Image Load, Start
D - 5520 - QTI_MISC - Image Loaded, Delta - (0 Bytes)
B - 1130513 - PM: PM Total Mem Allocated: 2684
D - 5429 - sbl1_pm_aop_pre_init_wrapper
B - 1135545 - AOP - Image Load, Start
D - 4392 - Auth Metadata
D - 1555 - Segments hash check
D - 13725 - AOP - Image Loaded, Delta - (202056 Bytes)
B - 1152595 - QSEE Dev Config - Image Load, Start
D - 4087 - Auth Metadata
D - 458 - Segments hash check
D - 13054 - QSEE Dev Config - Image Loaded, Delta - (40464 Bytes)
B - 1174646 - QSEE - Image Load, Start
D - 20832 - Auth Metadata
D - 20740 - Segments hash check
D - 83753 - QSEE - Image Loaded, Delta - (3588097 Bytes)
B - 1261937 - set bob err_flag[0] = 0x0
B - 1267336 - set bob err_flag[1] = 0x0
B - 1271179 - set bob err_flag[2] = 0x0
B - 1275022 - set bob err_flag[3] = 0x0
D - 17141 - sbl1_hw_play_vibr
B - 1282708 - SEC - Image Load, Start
D - 4118 - Auth Metadata
D - 213 - Segments hash check
D - 10522 - SEC - Image Loaded, Delta - (7252 Bytes)
B - 1296555 - CPUCPFW - Image Load, Start
D - 20404 - Auth Metadata
D - 15006 - Segments hash check
D - 46726 - CPUCPFW - Image Loaded, Delta - (111592 Bytes)
B - 1352309 - QHEE - Image Load, Start
D - 4209 - Auth Metadata
D - 8723 - Segments hash check
D - 16500 - QHEE - Image Loaded, Delta - (1949313 Bytes)
B - 1372134 - APPSBL - Image Load, Start
D - 4148 - Auth Metadata
D - 10126 - Segments hash check
D - 22905 - APPSBL - Image Loaded, Delta - (2379776 Bytes)
D - 0 - sbl1_save_appsbl_index
B - 1404311 - SBL1, End
D - 1314916 - SBL1, Delta
S - Flash Throughput, 211951 KB/s (8478072 Bytes, 40474 us)
S - DDR Frequency, 1555 MHz
B - 1418494 - restore bob err_flag[4] = 0x0
B - 1420964 - restore bob err_flag[5] = 0x0
B - 1425173 - restore bob err_flag[6] = 0x0
B - 1429382 - restore bob err_flag[7] = 0x0
UEFI Start [ 1613]
- 0x09FC01000 [ 1615] Sec.efi
ASLR : ON
DEP : ON (RTB)
Timer Delta : +2 mS
RAM Entry 0 : Base 0x0080000000 Size 0x003A800000
RAM Entry 1 : Base 0x0100000000 Size 0x0100000000
RAM Entry 2 : Base 0x00C0000000 Size 0x0040000000
Total Available RAM : 6056 MB (0x017A800000)
Total Installed RAM : 6144 MB (0x0180000000)
Init 1 aux cores of 7
Init CPU core 1
> Scheduler up on Core 1
UEFI Ver : 6.0.220412.BOOT.MXF.1.0-00773-LAHAINA-1
Build Info : 64b Apr 12 2022 13:55:59
Boot Device : UFS
PROD Mode : TRUE
Retail : TRUE
PM0: 47, PM1: 48, PM2: 49, PM3: 50, PM5: 52,
Module cannot re-initialize DAL module environment
UFS INQUIRY ID: SKhynix H9HQ15AECMBDAR A043
UFS Boot LUN: 1
HW Wdog Setting from PCD : Disabled
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_INIT
Setvariable Logo Image returned Success
LogoCompressedBlockNum:116 LogoCompressedBytesNum:472176
DecompressBufferSize:31104218 ScratchSize:131072
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_GETPANELDTINFO
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_SW_RENDERER
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_GETPLATFORMINFO
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_SW_RENDERER
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_GETPANELSUPPORTFLAGS
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_SW_RENDERER
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_GETPANELSUPPORTFLAGS
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_POWERUP
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_GETPANELCONFIG
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_RESETPANEL
Offset cmd: 0x39 0x06
MIDynamic DSI readback = 00 readSize = 2, uRetryCount = 1
MIDynamic-Detected: readSize: 2, readback: 0x0000
Detected panel id: 0x00
DisplayDxe: K9 42 02 0b amoled dsc cmd
DisplayDxe: Resolution 1080x2400 (1 intf)
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_GETPLATFORMINFO
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_SW_RENDERER
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_SW_RENDERER
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_GETPANELSUPPORTFLAGS
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_POWERUP
smem_alloc_ex: SMEM alloc_ex failed with err=-3! smem_type=478, remote=3, size=32, flags=0x40000000.smem_alloc_ex: SMEM alloc_ex failed with err=-3! smem_type=478, remote=13, size=32, flags=0x40000000.ChargerLib:: ChargerLibTarget_HWInit Charger PlatHWConfig = 1, (overrided by CFG item)
ChargerLib:: ChargerLibTarget_HWInit PlatformType = 34: ChargerHW = 1, GaugeHW = 1
ChargerLib:: ChargerLibTarget_GetBatteryID BATT_ID_2 = 101203
QcomChargerDxe:: ChargerPlatform_Init Enabled WDOG.
QcomChargerDxe:: ChargerPlatform_Init Successfully Success
do_authentication
entery AuthenticateDS28E16
entery DS28E16_get_page_status_retry
entery DS28E16_Read_RomID_retry
Ready to write 0x33 to maxim IC!
RomID = 9F,D3,31,11,15,F0,04,CA
crc_low_first = CA
entery DS28E16_cmd_computeS_Secret_retry
computeS_Secret:
computeS_Secret:
entery DS28E16_cmd_computeReadPageAuthentication_retry
Seeds:
host data
battery verify ok: 1
Battery verified result:1
Ready to write 0x33 to maxim IC!
RomID = 9F,D3,31,11,15,F0,04,CA
crc_low_first = CA
Battery verified chip ok result:1
Battery verified value:0x30
read once_run_flag=0
read load_adsp_value=0x0
read load_adsp_value=0x30
QcomChagerDxe: Set boot service variable <BattVerifiedResult> = androidboot.batt_verified_result=11
QcomChargerDxe:: ChargerPlatform_Init battery verified Successfully = Success
UsbConfigLibOpenProtocols: PMI version (0x30)
UsbConfigInit: Failed to attach USB Arid 0x0 HAL IOMMU domain Result = (0x14)
UsbConfigInit: Failed to attach USB Arid 0x1 HAL IOMMU domain Result = (0x14)
UsbConfigPortsQueryConnectionChange: usbport->connectstate: ATT
ButtonsDxeTest: Keypress SDAM data payload 0
ISENSE TOTAL TIME 1ms
smem_get_addr: SMEM get addr failed! smem_type=628MinidumpTADxe: Minidump TA loading not enabled.
Disp init wait [ 2598]
DisplayDxe: pFrameBufferBase = 0xE1000000
DisplayDxe: uFrameBufferSize = 10368000
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_SW_RENDERER
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_GETPANELSUPPORTFLAGS
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_SETGPIOSTATE
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_SETGPIOSTATE
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_RESETPANEL
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_SETBACKLIGHT
Read Dsi White Color Coordinate Register: 01 F3 02 09 09 03 01 05
Read White Color Coordinate: 01 F3 02 09 09 03 01 05
DispalyDxe: Set boot service variable <DisplayOledPanelWp> = androidboot.oled_wp=01f3020909030105
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_GETPLATFORMINFO
[Cedros] eDisplayId:0, Config = MDPPLATFORM_CONFIG_GETPANELSUPPORTFLAGS
Display_Utils_RenderSplashScreen USE IMAGEFV
Display_Utils_RenderSplashScreen: hw_country GL, uLogoIndex = 4
DeCompressLogoData: Setvariable Logo Image returned Success
DeCompressLogoData: Setvariable Logo Image returned LG!!9
DeCompressLogoData: LogoCompressedBlockNum:57 LogoCompressedBytesNum:231346
DeCompressLogoData: DecompressBufferSize:77760558 ScratchSize:131072
LoadBitmapImageFromLogoData USE IMAGEFV
DisplayUtils: enter render.
DisplayUtils: Display_Utils_RenderBGRTImage end Status:0
-----------------------------
Platform Init [ 3006] BDS
INFO: UEFI NV tables are enabled as VOLATILE!
UEFI Ver : 6.0.220412.BOOT.MXF.1.0-00773-LAHAINA-1
Platform : IDP
Subtype : 0
Boot Device : UFS
Chip Name : SM_CEDROS
Chip Ver : 1.0
Chip Serial Number : 0xCC773C71
-----------------------------
ChargerLib:: ChargerLibTarget_GetBatteryID BATT_ID_2 = 101203
ChargerLib:: ChargerLib_GetBatteryID BATT_ID_2 = 101203
ChargerLib:: ChargerLibTarget_GetBatteryID BATT_ID_2 = 101228
ChargerLib:: ChargerLib_GetBatteryID BATT_ID_2 = 101228
ChargerLib:: ChargerLibTarget_GetBatteryID BATT_ID_2 = 101203
TNT BatteryVoltage::= 4282
ChargerLib:: ChargerLibTarget_GetBatteryID BATT_ID_2 = 101252
TNT BatteryVoltage::= 4282
ChargerLib:: ChargerLib_GetErrors pChargingError = 0
ChargerLib:: ChargerLibTarget_GetBatteryID BATT_ID_2 = 101252
ChargerLib:: ChargerLib_GetBatteryID BATT_ID_2 = 101252
ChargerLib:: ChargerLibTarget_GetBatteryID BATT_ID_2 = 101277
TNT BatteryVoltage::= 4282
QcomChargerDxe:: ChargerPlatform_ChkChgFwLoadRequired VBatt = 4282 V, gThresholdVbatt = 3600 V
QcomChargerDxe:: ChargerPlatform_ChkChgFwLoadRequired Chg Fw Load not required boot to HLOS
read once_run_flag=1
read load_adsp_value=0x30
read load_adsp_value=0x30
QcomChargerDxe:: ChargerPlatform_ChkChgFwLoadRequired boot to hlos, set load_adsp_value=0
ChargerLib:: ChargerLibTarget_GetBatteryID BATT_ID_2 = 101302
TNT BatteryVoltage::= 4282
UEFI Total : 1430 ms
POST Time [ 3044] OS Loader
Loader Build Info: Apr 12 2022 14:33:58
QseeResponse->result = 0xFFFFFFFF
Status = 0x7
VB: RWDeviceState: Succeed using rpmb!
ProjectType:0x6 hw_id:0x190000 hw_level:MP
Total DDR Size: 0x000000017A800000
Partition not found : oem_misc1
Get Partition info for oem_misc1 failed
PON Reason is 1 cold_boot:1
ProjectType:0x6 hw_id:0x190000 hw_level:MP
Total DDR Size: 0x000000017A800000
getting IsColdBoot reset status: 1, key: 0
MpDevice!!
KeyPress:0, BootReason:2
Fastboot=1, Recovery:1
Launching fastboot
Fastboot Build Info: Apr 12 2022 14:33:27
usb_shared_hs_phy_init: hs phy cfg size: 12
usb_shared_ss_phy_init: ss phy cfg size: 143
ssusb_phy_init_success_lane_B: 1
SSUsb1InitCommon: End of SSusb1initcommon coreType 5
Fastboot: Initializing...
Token Length: 128
Fastboot: Processing commands
LoadBitmapImageFromLogoData USE IMAGEFV
Picture 1 Successfully load
DisplayUtils: enter render.
DisplayUtils: Display_Utils_RenderBGRTImage end Status:0
Picture 1 Successfully render
display picture 1 [ 3360]
Dev_Common_Speed: Dev Bus Speed: High, state 2
Related
Hey, one of my buddies got a SGS2. I was able to play with it for a bit. I sterilized the Serial numbers. This was recorded on Linux, then transfered to Windows, so the formatting was off. I had to use some Microsoft Word Regex in order to get it to format right.
here's the full UART Logs
http://pastebin.ubuntu.com/715171/
http://pastebin.ubuntu.com/715182/
Here's a single boot log
Code:
Welcome to Samsung Primitive Bootloader.
build time: Aug 27 2011 04:53:51
current time: f4/f/4 3f:69:11
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
<display_card_info:1009> ext_csd
<display_card_info:1011>card_size: 15028
Total Card Size: 15029 MByte
mmc_init: card initialization completed!
pbl found bootable sbl in #49152.
jump to sbl 0x4d400000.
Secondary Bootloader v3.1 version.
Copyright (C) 2011 System S/W Group. Samsung Electronics Co., Ltd.
Board: C1 REV 02 / Aug 27 2011 04:53:57
current time: f4/f/4 3f:69:11
booting code=0x0
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
CID:150100 56594c30 304d1926 b2473a8e
<display_card_info:1040> ext_csd
<display_card_info:1042>card_size: 15028
Total Card Size: 15029 MByte
Total Sector Count: 30777344
MoviNand Initialization Complete!
===== PARTITION INFORMATION =====
ID : GANG (0x0)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : BOOT (0x1)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : EFS (0x4)
DEVICE : MMC
FIRST UNIT : 8192
NO. UNITS : 40960
=================================
ID : SBL1 (0x2)
DEVICE : MMC
FIRST UNIT : 49152
NO. UNITS : 2560
=================================
ID : SBL2 (0x3)
DEVICE : MMC
FIRST UNIT : 53248
NO. UNITS : 2560
=================================
ID : PARAM (0x5)
DEVICE : MMC
FIRST UNIT : 57344
NO. UNITS : 16384
=================================
ID : KERNEL (0x6)
DEVICE : MMC
FIRST UNIT : 73728
NO. UNITS : 16384
=================================
ID : RECOVERY (0x7)
DEVICE : MMC
FIRST UNIT : 90112
NO. UNITS : 16384
=================================
ID : CACHE (0x8)
DEVICE : MMC
FIRST UNIT : 106496
NO. UNITS : 512000
=================================
ID : MODEM (0x9)
DEVICE : MMC
FIRST UNIT : 618496
NO. UNITS : 32768
=================================
ID : FACTORYFS (0xa)
DEVICE : MMC
FIRST UNIT : 651264
NO. UNITS : 1048576
=================================
ID : DATAFS (0xb)
DEVICE : MMC
FIRST UNIT : 1699840
NO. UNITS : 4194304
=================================
ID : UMS (0xc)
DEVICE : MMC
FIRST UNIT : 5894144
NO. UNITS : 23826432
=================================
ID : HIDDEN (0xd)
DEVICE : MMC
FIRST UNIT : 29720576
NO. UNITS : 1048576
=================================
loke_init: j4fs_open..success
<start_checksum:1033>CHECKSUM_HEADER_SECTOR :42
<start_checksum:1035>offset:42, size:1024
Not Need Movinand Checksum
load_lfs_parameters valid magic code and version.
switch_sel_str='6543 '
load_debug_level: read debug level successfully(0x574f4c44)...LOW
init_ddi_data: usable ddi data.
init_fuel_gauge : not por status
fuel_gauge_get_version: [1]=0, [0]=92
init_fuel_gauge: vcell = 3848 mV, vfocv = 3915 mV, soc = 66
init_fuel_gauge : check s/w reset (20000000) : use wide tolerance
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
6308 = (382800 - 337808)*14022/100000
[3] 388426 = (6308 * 100000) / 11164 + 331923
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL2:0x3a
init_microusb_ic: MUIC: CONTROL2:0x3a
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQSRC = 0x2
PMIC_IRQ1 = 0x33
PMIC_IRQ2 = 0x1b
PMIC_IRQ3 = 0x3
PMIC_IRQ4 = 0x11
PMIC_STATUS1 = 0x2
PMIC_STATUS2 = 0x17
PMIC_STATUS3 = 0x3
PMIC_STATUS4 = 0x2
bootloader base address=0x4d400000
LPDDR0 1st. cached=0x40000000, size=0xe400000
LPDDR0 non-cached=0x4e400000, size=0xa00000
LPDDR0 2nd. cached=0x4ee00000, size=0x1200000
RST_STAT = 0x20000000
get_hwrev() = 14
board_process_platform: MAGIC 0 at 40000000!
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
hw_pm_status: jig_status = 1, chg_status = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
div:2, FB_SOURCE_CLOCK:667000000, FB_PIXEL_CLOCK:25067520
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Autoboot (0 seconds) in progress, press any key to stop
boot_kernel: debug level low!
checkbit: find RECOVERY
checkbit (0)
......ATAG_CORE: 5 54410001 0 0 0
MEMCONFIG: 20e01323 20e01323
ATAG_MEM: 4 54410002 10000000 40000000
ATAG_MEM: 4 54410002 10000000 50000000
ATAG_MEM: 4 54410002 10000000 60000000
ATAG_MEM: 4 54410002 10000000 70000000
ATAG_SERIAL:
ATAG_REVISION: 3 54410007 e
ATAG_CMDLINE: 39 54410009 'loglevel=4 console=ttySAC2,115200 sec_debug.enable=0 sec_debug.enable_user=0 c1_watchd ATAG_NONE: 0 0
Starting kernel at 0x40008000...
Uncompressing Linux... done, booting the kernel.
[ 0.000000] s3c_register_clksrc: clock armclk has no registers set
[ 0.000000] mout_audss: bad source 0
[ 0.000000] mem infor: bank0 start-> 0x40000000, bank0 size-> 0x10000000[30;89H[ 0.000000] bank1 start-> 0x50000000, bank1 size-> 0x10000000
[ 0.000000] CMA reserve : pmem, addr is 0x4fc00000, size is 0x400000
[ 0.000000] CMA reserve : pmem_gpu1, addr is 0x4f800000, size is 0x400000
[ 0.000000] CMA reserve : pmem_adsp, addr is 0x4f47c000, size is 0x384000
[ 0.000000] CMA reserve : fimd, addr is 0x4f17c000, size is 0x300000
[ 0.000000] CMA reserve : mfc0, addr is 0x4cd7c000, size is 0x2400000
[ 0.000000] CMA reserve : mfc1, addr is 0x4a97c000, size is 0x2400000
[ 0.000000] CMA reserve : fimc0, addr is 0x4a47c000, size is 0x500000
[ 0.000000] CMA reserve : fimc1, addr is 0x4967c000, size is 0xe00000
[ 0.000000] CMA reserve : fimc2, addr is 0x47e7c000, size is 0x1800000
[ 0.000000] CMA reserve : fimc3, addr is 0x4777c000, size is 0x700000
[ 0.000000] CMA reserve : srp, addr is 0x4767c000, size is 0x100000
[ 0.000000] CMA reserve : jpeg, addr is 0x4627c000, size is 0x1400000
[ 0.000000] CMA reserve : fimg2d, addr is 0x45a7c000, size is 0x800000
[ 0.000000] CMA reserve : (null), addr is 0x45a7c000, size is 0x0
[ 0.000000] (sec_debug_set_upload_magic) 66262564
[ 0.000000] (sec_debug_set_upload_cause) cafebabe
[ 0.121650] s5pv310_subrev: 1
[ 0.166379] ram_console: invalid start 0 or end 0
[ 0.251103] max8997 5-0066: max8997_irq_init: fail to read PMIC ID(-6)
[ 0.648050] [TSP] family = 0x81, variant = 0x1, version = 0x10, build = 170
Partition information
Code:
===== PARTITION INFORMATION =====
ID : GANG (0x0)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : BOOT (0x1)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : EFS (0x4)
DEVICE : MMC
FIRST UNIT : 8192
NO. UNITS : 40960
=================================
ID : SBL1 (0x2)
DEVICE : MMC
FIRST UNIT : 49152
NO. UNITS : 2560
=================================
ID : SBL2 (0x3)
DEVICE : MMC
FIRST UNIT : 53248
NO. UNITS : 2560
=================================
ID : PARAM (0x5)
DEVICE : MMC
FIRST UNIT : 57344
NO. UNITS : 16384
=================================
ID : KERNEL (0x6)
DEVICE : MMC
FIRST UNIT : 73728
NO. UNITS : 16384
=================================
ID : RECOVERY (0x7)
DEVICE : MMC
FIRST UNIT : 90112
NO. UNITS : 16384
=================================
ID : CACHE (0x8)
DEVICE : MMC
FIRST UNIT : 106496
NO. UNITS : 512000
=================================
ID : MODEM (0x9)
DEVICE : MMC
FIRST UNIT : 618496
NO. UNITS : 32768
=================================
ID : FACTORYFS (0xa)
DEVICE : MMC
FIRST UNIT : 651264
NO. UNITS : 1048576
=================================
ID : DATAFS (0xb)
DEVICE : MMC
FIRST UNIT : 1699840
NO. UNITS : 4194304
=================================
ID : UMS (0xc)
DEVICE : MMC
FIRST UNIT : 5894144
NO. UNITS : 23826432
=================================
ID : HIDDEN (0xd)
DEVICE : MMC
FIRST UNIT : 29720576
NO. UNITS : 1048576
=================================
SBL Commands
Code:
Following commands are supported:
* movichk
* setenv
* saveenv
* printenv
* help
* reset
* boot
* kernel
* loadpart
* loadkernel
* erasepart
* format
* open
* close
* eraseall
* showpart
* addpart
* delpart
* savepart
* nkernel
* nandread
* nandwrite
* usb
* crc
* log
* sud
* upload
* emmc
* keyread
* readadc
* mmctest
* usb_read
* usb_write
* fuelgauge
There's some new ones in this 3.1 version of Samsung SBL
* crc
* log
* sud
* upload
* emmc
I think Upload allows a dump of all partitions. Also, Keyread allows testing of button presses, Volume - =0 Volume + = 1, Power = 2
I couldn't get a FULL debug log in the time I had, but I managed to get some kernel output.
Code:
Starting kernel at 0x40008000...
Uncompressing Linux... done, booting the kernel.
[ 0.000000] s3c_register_clksrc: clock armclk has no registers set
[ 0.000000] mout_audss: bad source 0
[ 0.000000] mem infor: bank0 start-> 0x40000000, bank0 size-> 0x10000000[30;89H[ 0.000000] bank1 start-> 0x50000000, bank1 size-> 0x10000000
[ 0.000000] CMA reserve : pmem, addr is 0x4fc00000, size is 0x400000
[ 0.000000] CMA reserve : pmem_gpu1, addr is 0x4f800000, size is 0x400000
[ 0.000000] CMA reserve : pmem_adsp, addr is 0x4f47c000, size is 0x384000
[ 0.000000] CMA reserve : fimd, addr is 0x4f17c000, size is 0x300000
[ 0.000000] CMA reserve : mfc0, addr is 0x4cd7c000, size is 0x2400000
[ 0.000000] CMA reserve : mfc1, addr is 0x4a97c000, size is 0x2400000
[ 0.000000] CMA reserve : fimc0, addr is 0x4a47c000, size is 0x500000
[ 0.000000] CMA reserve : fimc1, addr is 0x4967c000, size is 0xe00000
[ 0.000000] CMA reserve : fimc2, addr is 0x47e7c000, size is 0x1800000
[ 0.000000] CMA reserve : fimc3, addr is 0x4777c000, size is 0x700000
[ 0.000000] CMA reserve : srp, addr is 0x4767c000, size is 0x100000
[ 0.000000] CMA reserve : jpeg, addr is 0x4627c000, size is 0x1400000
[ 0.000000] CMA reserve : fimg2d, addr is 0x45a7c000, size is 0x800000
[ 0.000000] CMA reserve : (null), addr is 0x45a7c000, size is 0x0
[ 0.000000] (sec_debug_set_upload_magic) 66262564
[ 0.000000] (sec_debug_set_upload_cause) cafebabe
[ 0.121650] s5pv310_subrev: 1
[ 0.166379] ram_console: invalid start 0 or end 0
[ 0.251103] max8997 5-0066: max8997_irq_init: fail to read PMIC ID(-6)
[ 0.648050] [TSP] family = 0x81, variant = 0x1, version = 0x10, build = 170
Would be interesting to see the logs from a boot with the flash counter incremented (yellow triangle) to see if it's logged and what it's keying on.
Hi Adam,
Nice to see u here on this forum , hope to see some of your great work here on S II.
This is only possible using UART.
Download Mode without having to accept wipe!
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Upload Mode
Stock PARAMS.lfs
othermark said:
Would be interesting to see the logs from a boot with the flash counter incremented (yellow triangle) to see if it's logged and what it's keying on.
Click to expand...
Click to collapse
You can reset the counter via UART
What ROM did you dump JH7/KJ1/KJ2 ?
AdamOutler said:
You can reset the counter via UART
Click to expand...
Click to collapse
Jig will reset it too - or will UART reset it even on the J2 bootloaders?
Entropy512 said:
Jig will reset it too - or will UART reset it even on the J2 bootloaders?
Click to expand...
Click to collapse
Can you flash back the J1 bootloader with ODIN? I'm willing to try this.
Another big player from the captivate scene......I feel more comfortable fashing the SGS2 now that AdamOutler is in the house to help clean up the mess lol
Yay, I'm the first dumbass to brick his I777. Kids, don't run the "emmc" command.
FWIW, when USB is connected and battery plugged in, I get this device:
Bus 001 Device 011: ID 04e8:1234 Samsung Electronics Co., Ltd
Which ModeDetect says is Unbrickable Debug mode...
Ah, I thought for a second I miss clicked forum and came to captivate one.
Happy to see you here, hope you will get your own attsgs2.
Thanks for spending time and sharing findings!
Sent from my SAMSUNG-SGH-I777 using xda premium
Entropy512 said:
Jig will reset it too - or will UART reset it even on the J2 bootloaders?
Click to expand...
Click to collapse
pokey9000 said:
Yay, I'm the first dumbass to brick his I777. Kids, don't run the "emmc" command.
FWIW, when USB is connected and battery plugged in, I get this device:
Bus 001 Device 011: ID 04e8:1234 Samsung Electronics Co., Ltd
Which ModeDetect says is Unbrickable Debug mode...
Click to expand...
Click to collapse
Yeah. So, you should try the SMDK Upload Tool.. this is good. this means you've established that UnBrickable Mod is possible on this device.
Now I need one for teardown.
Is it dead bricked? remove the battery and hold power for 10 seconds, then put back in the battery and hold it for 10 seconds. should turn on normally.
emmc usually means external MMC... try making a boot disk using the Fusing Tool. I bet it will work.
AdamOutler said:
emmc usually means external MMC... try making a boot disk using the Fusing Tool. I bet it will work.
Click to expand...
Click to collapse
I'm not sure what I'd put on the card to tell if it worked...
pokey9000 said:
Yeah. Nothing seems to bring it to life. Here's trying to send HIBL. It hangs after this. I didn't expect it to work...
$ ./smdk-usbdl -f HIBL.bin -a d0020000
SMDK42XX,S3C64XX USB Download Tool
Version 0.20 (c) 2004,2005,2006 Ben Dooks <[email protected]>
S3C64XX Detected!
=> found device: bus 001, dev 018
=> loaded 24576 bytes from HIBL.bin
=> Downloading 24586 bytes to 0xd0020000
=> Data checksum 5d9c
Click to expand...
Click to collapse
That's what happens when it tries to upload a larger file then memory can handle.
The HIBL is a Hummingbird Interceptor BootLoader. We could use a Exynos interceptor bootloader.
Let me contact Rebellos and get him in here. That polish Hairy Potter can probly wave his magic wand over a memory dump and have it doing the hokey-pokey. He is busy and recovering from a serious loss while trying to get his device into the mode which your device is in currently... he could probly use some donations.
We will need someone with a working device to do a memory dump...
1a) I need few different bootloader images from I9100 and similiar SGS2 series models (I777 or whatever is it called for eg.), can you guys post these here?
1b) If you notice some weird files in ROM releases, like *.elf - post these too! These are very helpful in reversing stuff. Samsung released these for S8500 and S8530 bootloaders so here is also a chance.
2) If anybody has got rooted Exynos based device and some know-how about using SU functions - I need iROM dump.
The procedure should be 99% the same as in there http://blog.maurus.be/index.php/2011/01/samsung-i9000-irom-dump/
Just grab viewmem ARM binary http://blog.maurus.be/wp-content/uploads/viewmem and use script posted there. With small modification!
Instead of
/tmp/viewmem 0xD0000000 0x10000 > /sdcard/iromdump
Click to expand...
Click to collapse
try
/tmp/viewmem 0x00000000 0x10000 > /sdcard/iromdump
Click to expand...
Click to collapse
if it doesnt work then try this
/tmp/viewmem 0x02000000 0x10000 > /sdcard/iromdump_mirror
Click to expand...
Click to collapse
One/both of these should produce 64KB iROM image.
3) WANTED:
- newer manual than this one: https://dl.dropbox.com/u/36177984/SEC_Exynos4210_pulbic_manual_Ver.0.00.01.pdf (we don't know if it does exist)
- Exynos 4210 Application Notes
- Exynos 4210 Secure Booting Guide
And so on.
Thank you.
Don't fear the reaper.
//edit:
Also SGS2 series seems to be more unbrickable than SGS, I bet PBL has got functionality to boot from SD card. I don't see other reason why PBL would mount it before trying to look for SBL.
Welcome to Samsung Primitive Bootloader.
build time: Aug 27 2011 04:53:51
current time: f4/f/4 3f:69:11
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
<display_card_info:1009> ext_csd
<display_card_info:1011>card_size: 15028
Total Card Size: 15029 MByte
mmc_init: card initialization completed!
pbl found bootable sbl in #49152.
jump to sbl 0x4d400000.
Click to expand...
Click to collapse
Disassembly will show.
I'm going to see about getting a replacement tomorrow as this is my daily driver. So I won't have it around to test anything. However, once I'm up and running again I'll try to get iROM dumped.
Meanwhile, tonight I'll see if I can fuse a 9100 PBL and SBL (they're supposed to be mostly compatible) to a microsd and test the external SD boot theory.
edit:
Hmm, looks like the fusing tool needs a monolithic PBL and SBL. My attention span for reading Google translated Korean forums is shot.
That's probably not necessary anyway, because I think the confusion here over "emmc" is due to the SGS2 using eMMC (embedded MMC) for the boot device as opposed to the i9000 which boots off of parallel oneNAND. The SGS2 is always booting off of MMC, it just happens that it's soldered down.
Check this out: http://docs.kali.org/armel-armhf/kali-linux-on-galaxy-note
I looked over the recovery and thought it looked ok (though thats an area i usually leave to pros), and attempted to make a x86 image so altering
Code:
dd if=/dev/block/mmcblk0p6 of=recovery.img_orig
and
dd if=recovery.img of=/dev/block/mmcblk0p6
and inputting this
Code:
dd if=/dev/block/mmcblk0p11 of=recovery.img_orig
and
dd if=recovery.img of=/dev/block/mmcblk0p11
then I rebooted and it hung up at the samsung galaxy tab 3 screen
How hard would it be to rewrite the recovery image linked to there to work on our device. Or if its in good shape I guess i screwed up making my x86 image of Kali any input of on either subject would be appreciated.
Had an idea as soon as I reflash and reroot and download a couple more files and reboot and finish updating this laptop I'm working on, ill try to break my gtab again
You can't. Those versions of Kali is for ARM (armel = ARM soft-float / armhf = ARM hard-float), while the GTab3 10.1. is x86.
But you should be able to modify any x86 (tablet-)linux for use with GTab3 10.1
Setialpha said:
You can't. Those versions of Kali is for ARM (armel = ARM soft-float / armhf = ARM hard-float), while the GTab3 10.1. is x86.
But you should be able to modify any x86 (tablet-)linux for use with GTab3 10.1
Click to expand...
Click to collapse
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.
hey
xkwr27 said:
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.
Click to expand...
Click to collapse
are you still up for this ?
i tried the same thing, i also tried swapping out the zimage from the kali recovery with p5210 stock
then changed any mmcblk refs i found in the init and instead of screen hang got it reboot, [over and over]
but didn't catch. this is totally doable and i wish i'd found this thread before starting another on the same subject.
but anyway i could go on forever.....we need to recruit people somehow... i would like a setup on this
tab so i could distro hop like i used to on pc :good:
Yes I'm still down for this, I've been so busy with work, and keeping my car running(done with the car now, motor/Trans rebuild) since my last post. Now I have my days off if not totally free free enough to put a few hours into this on my days off. I also know 2 people who could help if I can convince them one a relative with a name in the security industry and the other a relatively new guy to all things computer but with a knack for finding fixes that will be a help but for tonight I'm going to compare the two recoveries side by side during break and take notes. Then tomorrow I am going to see if I can put those notes to good use after I get back from taking my daughter and wife blackberry picking on my father's land.i figure I'll start on it noonish us central time and keep you updated...
xkwr27 said:
Yes I'm still down for this, I've been so busy with work, and keeping my car running(done with the car now, motor/Trans rebuild) since my last post. Now I have my days off if not totally free free enough to put a few hours into this on my days off. I also know 2 people who could help if I can convince them one a relative with a name in the security industry and the other a relatively new guy to all things computer but with a knack for finding fixes that will be a help but for tonight I'm going to compare the two recoveries side by side during break and take notes. Then tomorrow I am going to see if I can put those notes to good use after I get back from taking my daughter and wife blackberry picking on my father's land.i figure I'll start on it noonish us central time and keep you updated...
Click to expand...
Click to collapse
good deal, okay noob warning, but gleefully brick happy tester here.
right now i on the samsung open source site looking p5210 but not sure which
git-hub isn't an option for me as my surviving pc is a bit screwy but i still want to see the source
and try to get what the devs are saying, anyway i'm glad to hear from you
just thought i'd let you in on what i'm up to. hope to get something working.
:good:
do i need to get ubuntu 64bit for kernel stuff?
If you plan to tear into the recovery.img you'll need linux I use debian or debian based distro's, but ubuntu will work just fine.
https://01.org/android-ia
Not sure if this site will help but i'll post it anyways
I'll keep trying to post useful stuff
http://forum.xda-developers.com/showthread.php?t=1916936
Hope this helps somehow
Can we not change the partitions to whatever sizes we want using ODIN and .pit files ? if yes then we can do ANYTHING
Excercise caution. This MAY have the pit file for our device
http://forum.xda-developers.com/showthread.php?t=2526119
hey
Nitro_123 said:
https://01.org/android-ia
Not sure if this site will help but i'll post it anyways
I'll keep trying to post useful stuff
http://forum.xda-developers.com/showthread.php?t=1916936
Hope this helps somehow
Can we not change the partitions to whatever sizes we want using ODIN and .pit files ? if yes then we can do ANYTHING
Excercise caution. This MAY have the pit file for our device
http://forum.xda-developers.com/showthread.php?t=2526119
Click to expand...
Click to collapse
cool :good: reading:good:
as for repartitiong hold off for now but, read this anyway,
copy every command you see and keep in organized file for reference
http://forum.xda-developers.com/showthread.php?t=1388996
this command in term should pull pit file [get it right,check,double,check,triple check] must su first i believe
dd if=/dev/block/mmcblk0 of=/sdcard/out.pit bs=8 count=481 skip=2176
to xkwr27 hi, you're comparing with stock recovery right?
In terms of custom bootloaders we could install grub onto the device. but first we need to figure out the boot order.
http://forum.xda-developers.com/showthread.php?t=1018862 This thread is an amazing thread for samsung related stuff but kind of off topic for us.
Is there any way of figuring out the way the device boots ?
Sorry for stressing boot order and stuff so much but I really think it's the key to everything.
If we install GRUB after that everything else will be a piece of cake.
http://www.gnu.org/software/grub/
hey
Nitro_123 said:
In terms of custom bootloaders we could install grub onto the device. but first we need to figure out the boot order.
http://forum.xda-developers.com/showthread.php?t=1018862 This thread is an amazing thread for samsung related stuff but kind of off topic for us.
Is there any way of figuring out the way the device boots ?
Sorry for stressing boot order and stuff so much but I really think it's the key to everything.
If we install GRUB after that everything else will be a piece of cake.
http://www.gnu.org/software/grub/
Click to expand...
Click to collapse
the boot sequence is more where my thinking is going to.
my understanding is there are three stages , power on the boot loader does it's work, the kernel get's up and lays out the ramdrive and hardware
and get's the usual/basic/expected linux stuff going [yes, linux is already present,a form of it anyway] and finally, the android user space stuff.
altering something in the process to halt/bypass that last stage and get to , for now at least, a command prompt is the thought.
the hardware hacking looks really neat and is a good find as far as gaining insight on the basic boot process so thank you for
pointing me to it. having no up to speed modern pc i'm left to do what i can on my tab and can't risk it. but i DID find a
a kernel/boot img pack/repack/editing setup that i'm already using on my tab!!!
the link is http://forum.xda-developers.com/showthread.php?t=2073775
read the op then go to my post on the last page.
grub would be sweet though, wouldn't it ?
round one
okay this is what i did today
swapped busybox [arm] for [x86]
added parted in bin
replaced symlink named mtab==>/proc/self/mounts with actual file
corrected [?] mmcblk,loop references in hooks/looproot
changed this in init to experiment [attempt to return to android if fail,] marked edit and commented
if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
#if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
# Nothing got mounted on /new_root. This is the end, we don't know what to do anymore
# We fall back into a shell, but the shell has now PID 1
# This way, manual recovery is still possible.
init=/init
# err "Failed to mount the real root device." [edit]
# echo "Bailing out, you are on your own. Good luck." [edit]
# echo [edit]
# launch_interactive_shell --exec [edit]
elif [ ! -x "/new_root${init}" ]; then
# Successfully mounted /new_root, but ${init} is missing
# The same logic as above applies
err "Root device mounted successfully, but ${init} does not exist."
echo "Bailing out, you are on your own. Good luck."
echo
launch_interactive_shell --exec
fi
swapped zimage [from stock reco]
added modules [from stock reco]
result=fail, continuous reboot, re-odin recovery
try again tomorrow [yawn] uploaded experiment, contains .img ramdisk.gz and zimage
okay upload fail, i'll try again tomorrow grrrr.
moonbutt74 said:
okay this is what i did today
swapped busybox [arm] for [x86]
added parted in bin
replaced symlink named mtab==>/proc/self/mounts with actual file
corrected [?] mmcblk,loop references in hooks/looproot
changed this in init to experiment [attempt to return to android if fail,] marked edit and commented
if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
#if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
# Nothing got mounted on /new_root. This is the end, we don't know what to do anymore
# We fall back into a shell, but the shell has now PID 1
# This way, manual recovery is still possible.
init=/init
# err "Failed to mount the real root device." [edit]
# echo "Bailing out, you are on your own. Good luck." [edit]
# echo [edit]
# launch_interactive_shell --exec [edit]
elif [ ! -x "/new_root${init}" ]; then
# Successfully mounted /new_root, but ${init} is missing
# The same logic as above applies
err "Root device mounted successfully, but ${init} does not exist."
echo "Bailing out, you are on your own. Good luck."
echo
launch_interactive_shell --exec
fi
swapped zimage [from stock reco]
added modules [from stock reco]
result=fail, continuous reboot, re-odin recovery
try again tomorrow [yawn] uploaded experiment, contains .img ramdisk.gz and zimage
okay upload fail, i'll try again tomorrow grrrr.
Click to expand...
Click to collapse
hahaha i wish you good luck
thanks
FurFur_ said:
hahaha i wish you good luck
Click to expand...
Click to collapse
i've been through roughly 17 different experiments by now
but i'm too stupid to quit so we'll see :laugh:
---------- Post added at 10:46 PM ---------- Previous post was at 10:38 PM ----------
xkwr27 said:
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.
Click to expand...
Click to collapse
so if i'm understanding this right the samsung bootloader [which we don't mess with....snicker]
is initiating the command which grabs the kernel and get's things rolling..?
even if i'm not right in the init.rc scripting language is there a means to repeat that process ===> initramfs,bzimage ?
Ok the 3 key combos tell the tablet what to do 1 is power only boots normal 2 is power + volume up boots recovery 3 is power + volume down boots to download mode (odin)... what offensive security did was rewrite the recovery.img so that instead of launching you to the normal recovery all it does is tells the tab to boot the kali img in /SdCard/ so if you just power up with combo 1 it should still boot normal and 3 should still put you in odin mode but 2 will tell the tab to boot kali instead so all we should need is busybox maybe , a x86 kali img and a recovery img similar to the offensive security one. That is why I'm working to pick this recovery.img apart.
hey
i flashed the image as is first ; mmcblk's dont matchup in hook/looproot ; corrected[?] them no dice
aside from zimage&module&busybox mixing and matching
i think something with the hooks is the stumper
this is the ramdisk, i wasn't sure if you were asking or me to crack the image open or not,
i was hoping you might have a handle on kernel command lines.
if it comes to kernel building/compiling i'm boned:crying:
if there's something you want me to try or test let me know. :good:
kernel command
no_console_suspend=1 console=null
xkwr27 said:
Ok the 3 key combos tell the tablet what to do 1 is power only boots normal 2 is power + volume up boots recovery 3 is power + volume down boots to download mode (odin)... what offensive security did was rewrite the recovery.img so that instead of launching you to the normal recovery all it does is tells the tab to boot the kali img in /SdCard/ so if you just power up with combo 1 it should still boot normal and 3 should still put you in odin mode but 2 will tell the tab to boot kali instead so all we should need is busybox maybe , a x86 kali img and a recovery img similar to the offensive security one. That is why I'm working to pick this recovery.img apart.
Click to expand...
Click to collapse
Mate that sounds very good I'm so busy with life nowadays Final year of school I don't know too much and I can't learn anything cause I have literally no time
I won't be posting too often Good luck with your project. Eager to see some success :fingers-crossed::good:
Santos10 Bootloader trace:
Code:
IA32 CPU Firmware
Copyright (C) 1999-2013, Intel Corporation. All rights reserved.
7[0;23r[24;75H[1K[24;1H[1mIntel(R) Atom(TM) Z2560 CPU FW 00.73 (INTELFDK)[0m8------------------------------>FOR Teewinot ONLY<-----------------------------
******************************************************************************
************** Customer release based on Rel 00.49 + TWN changes**************
**************** BZ=115220 Bypass time/date check for product ****************
****************** BZ=118523 Cold Reset on ExecuteOS failure *****************
****** BZ=124478[TW 346-500-676] Request for logging enhancement in IAFW *****
************* BZ=127192 Disable Active Refresh during JEDEC Init *************
******************* BZ=none include ucode patch M013065110E ******************
**************************** New in this code drop ***************************
***** BZ=none Changed trace to match TWN RAMDUMP application requirement *****
*************** BZ=none Removed UART and PTI HW output methods ***************
******** Short circuiting the emInit when a fixed battery is detected. *******
********************* Customization done 201308261512 MST ********************
******************************************************************************
[37;41m******************************INTEL CONFIDENTIAL******************************
[0m
0x1E, 0x20, 0x21,
ERROR:::::SPID Not Programmed, Fake data being used based on IFWI version
ERROR:::::SPID FRU Not Programmed, Fake data being used based on IFWI version
OSC_CLK3 defaults only
0x22,
OEM board; Skip spidBasedPanelNdxUpdate
0x23,
Forced Battery via SMIP FPO Bit 2
0x28, 0x2A, 0x2B, in csSFIDevsEntries, HW Id 0x0019
SFI Dev...PR3
in csSFIGpioEntries, HW Id 0x0019
SFIOEMBInit:tbl->spidTbl update
0x2C, 0x2D, 0x2F PostCodes Done
IA32 FW: CPU v000.073/00.49; SUPP v000.073/00.49; VH: 000.081/00.51
IA Timestamp: 2013.08.26:18.00 (INTELFDK)
SCU FW: ROM 177.000/B1.00; RT 033.046/21.2E
PUNIT FW: v160.064/A0.40
IFWI: v249.086/F9.56
PL: 0000010E
Config & PCB: OEM Platform, C, CLV+ B1, Samsung (01,00) SR 4Gb 1067 1GB
FHOB DW0/DW1: 00000104:00010140
I2C Expander: FFFFFFFC:0000000F
IA Options: 024020A1:00000000:03E00000:80005C00:00000101;1264
[OS HASH VERIFY] [EIST] [eMMC] [VALID BATT][WDT]
Loading OS...
pOsip = 1000000
-->OSIP verified
00000000 E0000000
[COLOR="Red"]Android COS path taken
E0000000 D303000A[/COLOR]
[COLOR="red"]Boot path override selected OS image 0[/COLOR] (OS Attribute 0x00, Reboot Reason 0x0A)
D303000A D303000A
Splash disabled in GCT
Splash display time: 2 ms
[COLOR="red"]-->Bootable OS image 0 found for requested type 2 [/COLOR](OSII attribute 0x00)
-->[COLOR="red"]Loading OS image 0 from eMMC block 0x00000032 to DRAM address 0x010FFE20[/COLOR]
-->Starting transfer of 0xA11 512-byte blocks to DRAM
-->Done loading OS Image to DRAM
-->platformConfigBuffer_pt.scuFhobDw0.osven != 0
-->osIndex: 0, Signed Image
OS image 0 PASSED verify
Booting COS
*********************************
Starting command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100
-
OSNIB.wakesrc = 0x3
OSNIB.RR = 0xA
Battery is high enough for normal boot
4166mV > 0mV
Ending command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100 androidboot.wakesrc=03 androidboot.mode=charger-
*********************************
WDT aka Timer7 setup
Warn Duration for Timer7: 00 seconds
Start Timer7 bit 0 -> 1: 00000000000000000000000000000000
[0;24r[24;1H[2KM
Calling OS entry point --> 0x01101000 ...
Using NEW OSHOB structure size = 176 bytes
OSNIB size = 32 bytes OEMNIB size = 64 bytes
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Watchdog Disabled!
usb is connected, skip to set uart path
__stmpe811_write : fail
MUIC: CONTROL1:0x00
MUIC: CONTROL1:0x00
MUIC: CONTROL2:0x3b
MUIC: CONTROL2:0x3b
[SCU_IPC_DEBUG] board ID: NOT_IDENTIFIED(8)
VERSION : 0xa501
mmc_read_ext_csd : ext_csd_rev = 0x7
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
!!!Enter 8 Bit mode.!!!
clt_mmc_init: mmc->capacity = 0x1d56000
[BOOT] RESETIRQ1=0x00 RESETIRQ2=0x00 (interrupt tree)
[BOOT] SCU_TR=0x00020013 IA_TR=0xffffffff (oshob)
[BOOT] RR=0x00 WD=0x00 ALARM=0x00 (osnib)
[BOOT] WAKESRC=0x03 RESETIRQ1=0x20 RESETIRQ2=0x00 (osnib)
Samsung S-Boot 4.0-1816966 for GT-P5200 (Nov 26 2013 - 01:43:08)
CLT(EVT 0.0) / 1024MB / 15020MB / Rev 8 / P5200XXUAMK8
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (159:0xc)
PARAM ENV VERSION: v1.0..
pressed_key = 0x1
clt_charger_init : [battery] using external charger init(3)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
[check_cable_type] : Output of USB Charger Detection 3
[max77693_init_charger] : attached device(0x02) : TA
clt_max77693_set_charger_state: chg_cnfg_02 (0x1f) -> (0x1f) -> (0x1f)
clt_max77693_set_charger_state: chg_cnfg_03 (0x00) -> (0x00) -> (0x00)
clt_max77693_set_charger_state: chg_cnfg_04 (0xdd) -> (0xdd) -> (0xdd)
clt_max77693_set_charger_state: chg_cnfg_09 (0x64) -> (0x64) -> (0x64)
set_charger_state : buck(1), chg(0), reg(0x04)
init_fuel_gauge: Start!!
[0] get_adc_battid() = 92
[1] get_adc_battid() = 92
[2] get_adc_battid() = 92
get_adc_battid() = 92
init_fuel_gauge: Battery type : SDI
init_fuel_gauge: Already initialized (0x32cd, SDI type)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
fuel_gauge_compensate_soc: Start!!
fuel_gauge_read_soc: SOC(73), data(0x491b)
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
calculate_table_soc: Get table SOC in case of charging!!
calculate_table_soc: i(1), vcell(4071), table_soc(88)
differ(15), table_soc(88), RepSOC(73)
clt_charger_init : cable_type(0x02)
set_charger_state : buck(1), chg(1), reg(0x05)
intel_scu_ipc_cmd_oemnib : done => 0x0
check_reboot_cmd: nCmd = 0 ... skip check_reboot_cmd
debug level = 0x4f4c
disable max77693 manual reset
clt_max77693_disable_manual_reset: set max77693 MANCTRL1 val = 0x4
clt_max77693_disable_manual_reset: read max77693 MANCTRL1 val = 0x4
disable PMIC cod off triggered by PWRBTN#: 6
do_keypad: 0x1
intel_scu_ipc_cmd_oemnib : done => 0x0
check_download: 0
Is_lpm_boot : boot-mode saved in param = 0
Is_lpm_boot : jig-on level = 0, ignore...
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
stat=0x1031f, adc=0x1f, chg=0x3, vbvolt=1, pinLevel=1
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
fuel_gauge_read_soc: SOC(73), data(0x491b)
check_low_battery : rb=0 jig=0
check_low_battery : v=4071 soc=73
skip check low battery
scr_draw_image: draw 'logo.jpg'...
read 'logo.jpg'(105420) completed.
<start_checksum:355>CHECKSUM_HEADER_SECTOR :4096
<start_checksum:357>offset:6144, size:6296
<start_checksum:361>CHECKSUM_HEADER_INFO : NeedChecksum:0 PartNo:27
Not Need Movinand Checksum
Movinand Checksum Confirmation Pass
load_kernel: loading boot image from 106496..
total size : 8495104
pit_check_signature (BOOT) valid.
Set valid sign flag
if_ddi_data: succeeded. (159:0xc)
BOOT_MAGIC == ANDROID!
CMDLINE LENGTH = 538
CMDLINE = init=/init console=sec_log_buf kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=santos103g sec_debug.level=0 loglevel=0 androidboot.debug_level=0x4f4c vmalloc=256m [email protected] sec_bootfb=0x3f000000 lcd_panel_id=0 androidboot.revision=8 switch_sel=3 cordon=615d013e557994c8ad53b3325c31b124 connie=GT-P5200_OPEN_EUR_cf878c59e3c2eeb1cdb40863938b834d androidboot.emmc_checksum=3 androidboot.bootloader=P5200XXUAMK8 androidboot.serialno=4300b61fdc125000 snd_soc_core.pmdown_time=1000 jig=0
Bootstub: map SFI MMAP to e820 table
add mmap: 0x00000000 0x00098000 1
add mmap: 0x00100000 0x00580000 2
add mmap: 0x00680000 0x00680000 1
add mmap: 0x00d00000 0x00300000 2
add mmap: 0x01000000 0x35ff0000 1
add mmap: 0x36ff0000 0x0090d000 2
add mmap: 0x378fd400 0x00100000 2
add mmap: 0x379fd400 0x02602000 1
add mmap: 0x3a000000 0x02200000 2
add mmap: 0x3c200000 0x02d00000 1
add mmap: 0x3ef00000 0x00100000 2
add mmap: 0x3f000000 0x01000000 2
add mmap: 0xfec00000 0x00001000 2
add mmap: 0xfee00000 0x00001000 2
add mmap: 0xff000000 0x01000000 2
IMR6 start=0x3a000000 end=0x3c1fffff
new mmap: 0x3a000000 0x02200000 2
IMR7 start=0x00100000 end=0x0067ffff
new mmap: 0x00100000 0x00580000 2
Final E820 table:
e820: 0x00000000 0x00098000 1
e820: 0x00100000 0x00580000 2
e820: 0x00680000 0x00680000 1
e820: 0x00d00000 0x00300000 2
e820: 0x01000000 0x35ff0000 1
e820: 0x36ff0000 0x0090d000 2
e820: 0x378fd400 0x00100000 2
e820: 0x379fd400 0x02602000 1
e820: 0x3a000000 0x02200000 2
e820: 0x3c200000 0x02d00000 1
e820: 0x3ef00000 0x00100000 2
e820: 0x3f000000 0x01000000 2
e820: 0xfec00000 0x00001000 2
e820: 0xfee00000 0x00001000 2
e820: 0xff000000 0x01000000 2
Final mb_mmap table:
mb_mmap: 0x00000000 0x00098000 1
mb_mmap: 0x00100000 0x00580000 0
mb_mmap: 0x00680000 0x00680000 1
mb_mmap: 0x00d00000 0x00300000 0
mb_mmap: 0x01000000 0x35ff0000 1
mb_mmap: 0x36ff0000 0x0090d000 0
mb_mmap: 0x378fd400 0x00100000 0
mb_mmap: 0x379fd400 0x02602000 1
mb_mmap: 0x3a000000 0x02200000 0
mb_mmap: 0x3c200000 0x02d00000 1
mb_mmap: 0x3ef00000 0x00100000 0
mb_mmap: 0x3f000000 0x01000000 0
mb_mmap: 0xfec00000 0x00001000 0
mb_mmap: 0xfee00000 0x00001000 0
mb_mmap: 0xff000000 0x01000000 0
Using bzImage to boot
Relocating initramfs to high memory ...
usb is connected, skip to set uart path
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Jump to kernel 32bit entry ...0x05003c00
I check interesting rows by red color. But there is easy way: need to compile x86 binaries and inject some code to twrp recovery. After that Linux OS must load from any img or partition on internal or external SD. Manual for coding this: link. This method accept to boot any second linux-based OS from any defined partition. It's on Russian - use translator to read.
Santos10 partiton table:
Code:
major minor #blocks name
7 0 61362 loop0
7 1 7308 loop1
179 0 15380480 mmcblk0
179 1 3072 mmcblk0p1
179 2 20480 mmcblk0p2
179 3 16384 mmcblk0p3
179 4 2048 mmcblk0p4
179 5 2048 mmcblk0p5
179 6 358400 mmcblk0p6
179 7 4096 mmcblk0p7
179 8 2416640 mmcblk0p8
179 9 12337152 mmcblk0p9
259 0 20480 mmcblk0p10
259 1 20480 mmcblk0p11
259 2 20480 mmcblk0p12
259 3 102400 mmcblk0p13
259 4 4096 mmcblk0p14
259 5 4096 mmcblk0p15
259 6 4096 mmcblk0p16
259 7 12288 mmcblk0p17
259 8 2048 mmcblk0p18
259 9 2048 mmcblk0p19
259 10 1024 mmcblk0p20
259 11 8192 mmcblk0p21
179 40 8192 mmcblk0gp0
179 30 1 mmcblk0rpmb
[COLOR="Red"]179 20 4096 mmcblk0boot1[/COLOR]
[COLOR="red"]179 10 4096 mmcblk0boot0[/COLOR]
252 0 307200 zram0
179 50 1955840 mmcblk1
179 51 1954816 mmcblk1p1
253 0 61362 dm-0
253 1 7308 dm-1]
Look at the red text i marked. I think we already have dual boot bootloader by Samsung.
Angel_666 said:
Santos10 Bootloader trace:
Code:
IA32 CPU Firmware
Copyright (C) 1999-2013, Intel Corporation. All rights reserved.
7[0;23r[24;75H[1K[24;1H[1mIntel(R) Atom(TM) Z2560 CPU FW 00.73 (INTELFDK)[0m8------------------------------>FOR Teewinot ONLY<-----------------------------
******************************************************************************
************** Customer release based on Rel 00.49 + TWN changes**************
**************** BZ=115220 Bypass time/date check for product ****************
****************** BZ=118523 Cold Reset on ExecuteOS failure *****************
****** BZ=124478[TW 346-500-676] Request for logging enhancement in IAFW *****
************* BZ=127192 Disable Active Refresh during JEDEC Init *************
******************* BZ=none include ucode patch M013065110E ******************
**************************** New in this code drop ***************************
***** BZ=none Changed trace to match TWN RAMDUMP application requirement *****
*************** BZ=none Removed UART and PTI HW output methods ***************
******** Short circuiting the emInit when a fixed battery is detected. *******
********************* Customization done 201308261512 MST ********************
******************************************************************************
[37;41m******************************INTEL CONFIDENTIAL******************************
[0m
0x1E, 0x20, 0x21,
ERROR:::::SPID Not Programmed, Fake data being used based on IFWI version
ERROR:::::SPID FRU Not Programmed, Fake data being used based on IFWI version
OSC_CLK3 defaults only
0x22,
OEM board; Skip spidBasedPanelNdxUpdate
0x23,
Forced Battery via SMIP FPO Bit 2
0x28, 0x2A, 0x2B, in csSFIDevsEntries, HW Id 0x0019
SFI Dev...PR3
in csSFIGpioEntries, HW Id 0x0019
SFIOEMBInit:tbl->spidTbl update
0x2C, 0x2D, 0x2F PostCodes Done
IA32 FW: CPU v000.073/00.49; SUPP v000.073/00.49; VH: 000.081/00.51
IA Timestamp: 2013.08.26:18.00 (INTELFDK)
SCU FW: ROM 177.000/B1.00; RT 033.046/21.2E
PUNIT FW: v160.064/A0.40
IFWI: v249.086/F9.56
PL: 0000010E
Config & PCB: OEM Platform, C, CLV+ B1, Samsung (01,00) SR 4Gb 1067 1GB
FHOB DW0/DW1: 00000104:00010140
I2C Expander: FFFFFFFC:0000000F
IA Options: 024020A1:00000000:03E00000:80005C00:00000101;1264
[OS HASH VERIFY] [EIST] [eMMC] [VALID BATT][WDT]
Loading OS...
pOsip = 1000000
-->OSIP verified
00000000 E0000000
[COLOR="Red"]Android COS path taken
E0000000 D303000A[/COLOR]
[COLOR="red"]Boot path override selected OS image 0[/COLOR] (OS Attribute 0x00, Reboot Reason 0x0A)
D303000A D303000A
Splash disabled in GCT
Splash display time: 2 ms
[COLOR="red"]-->Bootable OS image 0 found for requested type 2 [/COLOR](OSII attribute 0x00)
-->[COLOR="red"]Loading OS image 0 from eMMC block 0x00000032 to DRAM address 0x010FFE20[/COLOR]
-->Starting transfer of 0xA11 512-byte blocks to DRAM
-->Done loading OS Image to DRAM
-->platformConfigBuffer_pt.scuFhobDw0.osven != 0
-->osIndex: 0, Signed Image
OS image 0 PASSED verify
Booting COS
*********************************
Starting command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100
-
OSNIB.wakesrc = 0x3
OSNIB.RR = 0xA
Battery is high enough for normal boot
4166mV > 0mV
Ending command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100 androidboot.wakesrc=03 androidboot.mode=charger-
*********************************
WDT aka Timer7 setup
Warn Duration for Timer7: 00 seconds
Start Timer7 bit 0 -> 1: 00000000000000000000000000000000
[0;24r[24;1H[2KM
Calling OS entry point --> 0x01101000 ...
Using NEW OSHOB structure size = 176 bytes
OSNIB size = 32 bytes OEMNIB size = 64 bytes
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Watchdog Disabled!
usb is connected, skip to set uart path
__stmpe811_write : fail
MUIC: CONTROL1:0x00
MUIC: CONTROL1:0x00
MUIC: CONTROL2:0x3b
MUIC: CONTROL2:0x3b
[SCU_IPC_DEBUG] board ID: NOT_IDENTIFIED(8)
VERSION : 0xa501
mmc_read_ext_csd : ext_csd_rev = 0x7
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
!!!Enter 8 Bit mode.!!!
clt_mmc_init: mmc->capacity = 0x1d56000
[BOOT] RESETIRQ1=0x00 RESETIRQ2=0x00 (interrupt tree)
[BOOT] SCU_TR=0x00020013 IA_TR=0xffffffff (oshob)
[BOOT] RR=0x00 WD=0x00 ALARM=0x00 (osnib)
[BOOT] WAKESRC=0x03 RESETIRQ1=0x20 RESETIRQ2=0x00 (osnib)
Samsung S-Boot 4.0-1816966 for GT-P5200 (Nov 26 2013 - 01:43:08)
CLT(EVT 0.0) / 1024MB / 15020MB / Rev 8 / P5200XXUAMK8
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (159:0xc)
PARAM ENV VERSION: v1.0..
pressed_key = 0x1
clt_charger_init : [battery] using external charger init(3)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
[check_cable_type] : Output of USB Charger Detection 3
[max77693_init_charger] : attached device(0x02) : TA
clt_max77693_set_charger_state: chg_cnfg_02 (0x1f) -> (0x1f) -> (0x1f)
clt_max77693_set_charger_state: chg_cnfg_03 (0x00) -> (0x00) -> (0x00)
clt_max77693_set_charger_state: chg_cnfg_04 (0xdd) -> (0xdd) -> (0xdd)
clt_max77693_set_charger_state: chg_cnfg_09 (0x64) -> (0x64) -> (0x64)
set_charger_state : buck(1), chg(0), reg(0x04)
init_fuel_gauge: Start!!
[0] get_adc_battid() = 92
[1] get_adc_battid() = 92
[2] get_adc_battid() = 92
get_adc_battid() = 92
init_fuel_gauge: Battery type : SDI
init_fuel_gauge: Already initialized (0x32cd, SDI type)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
fuel_gauge_compensate_soc: Start!!
fuel_gauge_read_soc: SOC(73), data(0x491b)
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
calculate_table_soc: Get table SOC in case of charging!!
calculate_table_soc: i(1), vcell(4071), table_soc(88)
differ(15), table_soc(88), RepSOC(73)
clt_charger_init : cable_type(0x02)
set_charger_state : buck(1), chg(1), reg(0x05)
intel_scu_ipc_cmd_oemnib : done => 0x0
check_reboot_cmd: nCmd = 0 ... skip check_reboot_cmd
debug level = 0x4f4c
disable max77693 manual reset
clt_max77693_disable_manual_reset: set max77693 MANCTRL1 val = 0x4
clt_max77693_disable_manual_reset: read max77693 MANCTRL1 val = 0x4
disable PMIC cod off triggered by PWRBTN#: 6
do_keypad: 0x1
intel_scu_ipc_cmd_oemnib : done => 0x0
check_download: 0
Is_lpm_boot : boot-mode saved in param = 0
Is_lpm_boot : jig-on level = 0, ignore...
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
stat=0x1031f, adc=0x1f, chg=0x3, vbvolt=1, pinLevel=1
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
fuel_gauge_read_soc: SOC(73), data(0x491b)
check_low_battery : rb=0 jig=0
check_low_battery : v=4071 soc=73
skip check low battery
scr_draw_image: draw 'logo.jpg'...
read 'logo.jpg'(105420) completed.
<start_checksum:355>CHECKSUM_HEADER_SECTOR :4096
<start_checksum:357>offset:6144, size:6296
<start_checksum:361>CHECKSUM_HEADER_INFO : NeedChecksum:0 PartNo:27
Not Need Movinand Checksum
Movinand Checksum Confirmation Pass
load_kernel: loading boot image from 106496..
total size : 8495104
pit_check_signature (BOOT) valid.
Set valid sign flag
if_ddi_data: succeeded. (159:0xc)
BOOT_MAGIC == ANDROID!
CMDLINE LENGTH = 538
CMDLINE = init=/init console=sec_log_buf kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=santos103g sec_debug.level=0 loglevel=0 androidboot.debug_level=0x4f4c vmalloc=256m [email protected] sec_bootfb=0x3f000000 lcd_panel_id=0 androidboot.revision=8 switch_sel=3 cordon=615d013e557994c8ad53b3325c31b124 connie=GT-P5200_OPEN_EUR_cf878c59e3c2eeb1cdb40863938b834d androidboot.emmc_checksum=3 androidboot.bootloader=P5200XXUAMK8 androidboot.serialno=4300b61fdc125000 snd_soc_core.pmdown_time=1000 jig=0
Bootstub: map SFI MMAP to e820 table
add mmap: 0x00000000 0x00098000 1
add mmap: 0x00100000 0x00580000 2
add mmap: 0x00680000 0x00680000 1
add mmap: 0x00d00000 0x00300000 2
add mmap: 0x01000000 0x35ff0000 1
add mmap: 0x36ff0000 0x0090d000 2
add mmap: 0x378fd400 0x00100000 2
add mmap: 0x379fd400 0x02602000 1
add mmap: 0x3a000000 0x02200000 2
add mmap: 0x3c200000 0x02d00000 1
add mmap: 0x3ef00000 0x00100000 2
add mmap: 0x3f000000 0x01000000 2
add mmap: 0xfec00000 0x00001000 2
add mmap: 0xfee00000 0x00001000 2
add mmap: 0xff000000 0x01000000 2
IMR6 start=0x3a000000 end=0x3c1fffff
new mmap: 0x3a000000 0x02200000 2
IMR7 start=0x00100000 end=0x0067ffff
new mmap: 0x00100000 0x00580000 2
Final E820 table:
e820: 0x00000000 0x00098000 1
e820: 0x00100000 0x00580000 2
e820: 0x00680000 0x00680000 1
e820: 0x00d00000 0x00300000 2
e820: 0x01000000 0x35ff0000 1
e820: 0x36ff0000 0x0090d000 2
e820: 0x378fd400 0x00100000 2
e820: 0x379fd400 0x02602000 1
e820: 0x3a000000 0x02200000 2
e820: 0x3c200000 0x02d00000 1
e820: 0x3ef00000 0x00100000 2
e820: 0x3f000000 0x01000000 2
e820: 0xfec00000 0x00001000 2
e820: 0xfee00000 0x00001000 2
e820: 0xff000000 0x01000000 2
Final mb_mmap table:
mb_mmap: 0x00000000 0x00098000 1
mb_mmap: 0x00100000 0x00580000 0
mb_mmap: 0x00680000 0x00680000 1
mb_mmap: 0x00d00000 0x00300000 0
mb_mmap: 0x01000000 0x35ff0000 1
mb_mmap: 0x36ff0000 0x0090d000 0
mb_mmap: 0x378fd400 0x00100000 0
mb_mmap: 0x379fd400 0x02602000 1
mb_mmap: 0x3a000000 0x02200000 0
mb_mmap: 0x3c200000 0x02d00000 1
mb_mmap: 0x3ef00000 0x00100000 0
mb_mmap: 0x3f000000 0x01000000 0
mb_mmap: 0xfec00000 0x00001000 0
mb_mmap: 0xfee00000 0x00001000 0
mb_mmap: 0xff000000 0x01000000 0
Using bzImage to boot
Relocating initramfs to high memory ...
usb is connected, skip to set uart path
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Jump to kernel 32bit entry ...0x05003c00
I check interesting rows by red color. But there is easy way: need to compile x86 binaries an inject some code to twrp recovery. After that Linux OS must load from any img or partition on internal or external SD. Manual for coding this: link. It's on Russian - use translator to read.
Click to expand...
Click to collapse
Awesome work on that manual dude, now I have something to do while I'm at work bored... and we'll know what we can and can't remove/put in...
xkwr27 said:
Awesome work on that manual dude
Click to expand...
Click to collapse
If you mean manual on that site - it's not mine.
Post updated. Take a look at device partitions.
Hey Guys,
I've been tinkering with my MI Box as I've been having packet loss issues with it, long story short its bricked, here is the bootlog + UART Pins if anyone is interested:
Boot Log:
Code:
TE: 98645
BL2 Built : 18:13:36, Jun 17 2016.
gxl g176ecdb - [email protected]
rn5t567_power_init
Board ID = 1
CPU clk: 1200MHz
DDR3 chl: Rank0+1 @ 912MHz - PASS
DQS-corr enabled
DDR scramble enabled
Rank0: 1024MB(auto)-2T-13
Rank1: 1024MB(auto)-2T-13
DataBus test pass!
AddrBus test pass!
-s
Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000
aml log : R1024 check pass!
New fip structure!
Load bl30 from eMMC, src: 0x00010200, des: 0x01700000, size: 0x0000d600
aml log : R1024 check pass!
Load bl31 from eMMC, src: 0x00020200, des: 0x01700000, size: 0x00014400
aml log : R1024 check pass!
Load bl32 from eMMC, src: 0x00038200, des: 0x01700000, size: 0x0002ee00
aml log : R1024 check pass!
Load bl33 from eMMC, src: 0x00068200, des: 0x01700000, size: 0x0007f800
aml log : R1024 check pass!
NOTICE: BL3-1: v1.0(debug):ed1aadc
NOTICE: BL3-1: Built : 11:06:24, May 31 2016
aml log : bl31 detect secure boot !
[Image: gxl_v1.1.3118-31ffc57 2016-09-27 10:04:49 [email protected]]
OPS=0x82
ef be ad de d f0 ad ba ef be ad de bl30:thermal init err
[0.626102 Inits done]
secure task start!
high task start!
low task start!
INFO: BL3-1: Initializing runtime services
INFO: BL3-1: Initializing BL3-2
INFO: BL3-2: ATOS-V1.4-gb959fd4 #13 Tue Sep 6 15:28:58 CST 2016 arm
INFO: BL3-2: chip version = RevA (21:A - 0:0)
INFO: BL3-2: crypto engine DMA
INFO: BL3-2: secure time TEE
INFO: BL3-1: Preparing for EL3 exit to normal world
INFO: BL3-1: Next image address = 0x1000000
INFO: BL3-1: Next image spsr = 0x3c9
U-Boot 2015.01-g57a5217-dirty (Jan 25 2017 - 11:17:54), Build: jenkins-Once_MP-750
DRAM: 2 GiB
Relocation Offset is: 76ef5000
register usb cfg[0][1] = 0000000077f64870
vpu: error: vpu: check dts: FDT_ERR_BADMAGIC, load default parameters
vpu: clk_level = 7
vpu: set clk: 666667000Hz, readback: 666660000Hz(0x300)
SARADC channel(1) is 0x1d2.
adcAvg hw_version is 353
MMC: aml_priv->desc_buf = 0x0000000073ef56e0
aml_priv->desc_buf = 0x0000000073ef7870
SDIO Port B: 0, SDIO Port C: 1
emmc/sd response timeout, cmd8, status=0x3ff2800
emmc/sd response timeout, cmd55, status=0x3ff2800
[mmc_init] mmc init success
mmc read lba=0x4000, blocks=0x400
start dts,buffer=0000000073ef9f30,dt_addr=0000000073ef9f30
parts: 12
00: cache 0000000010000000 2
01: logo 0000000000300000 1
02: encrypt 0000000000100000 1
03: recovery 0000000002000000 1
04: tee 0000000000800000 1
05: crypt 0000000002000000 1
06: misc 0000000002000000 1
07: boot 0000000001400000 1
08: system 0000000060000000 1
09: persist 0000000000800000 4
10: panic 0000000000400000 4
11: data ffffffffffffffff 4
get_dtb_struct: Get emmc dtb OK!
overide_emmc_partition_table: overide cache
[mmc_get_partition_table] skip partition cache.
Partition table get from SPL is :
name offset size flag
===================================================================================
0: bootloader 0 400000 0
1: reserved 400000 800000 0
2: cache c00000 10000000 2
3: env 10c00000 400000 0
4: logo 11000000 300000 1
5: encrypt 11300000 100000 1
6: recovery 11400000 2000000 1
7: tee 13400000 800000 1
8: crypt 13c00000 2000000 1
9: misc 15c00000 2000000 1
10: boot 17c00000 1400000 1
11: system 19000000 60000000 1
12: persist 79000000 800000 4
13: panic 79800000 400000 4
14: data 79c00000 158400000 4
mmc read lba=0x2000, blocks=0x2
mmc read lba=0x2002, blocks=0x2
mmc_read_partition_tbl: mmc read partition OK!
eMMC/TSD partition table have been checked OK!
mmc env offset: 0x10c00000
In: serial
Out: serial
Err: serial
reboot_mode=cold_boot
hardware_version =1
Saving Environment to aml-storage...
mmc env offset: 0x10c00000
Writing to MMC(1)... done
hpd_state=0
cvbs performance type = 6, table = 0
[store]To run cmd[emmc dtb_read 0x1000000 0x40000]
read emmc dtb
amlkey_init() enter!
[EFUSE_MSG]keynum is 4
[KM]Error:f[key_manage_query_size]L507:key[sn2] not programed yet
wipe_data=successful
wipe_cache=successful
Boot command:
Boot status:
Boot message
""
upgrade_step=2
[OSD]load fb addr from dts
[OSD]failed to get fb addr for logo
[OSD]use default fb_addr parameters
[OSD]fb_addr for logo: 0x3d800000
[OSD]load fb addr from dts
[OSD]failed to get fb addr for logo
[OSD]use default fb_addr parameters
[OSD]fb_addr for logo: 0x3d800000
[CANVAS]canvas init
[CANVAS]addr=0x3d800000 width=5760, height=2160
pull down bt_reset
pull up bt_reset
set hci reset
04 0e 04 01 03 0c 00
set scan parameters
04 0e 04 01 0b 20 00
set scan enable
04 0e 04 01 0c 20 00
pull down bt_enable
IR init done!
[imgread]szTimeStamp[2017012511355519]
[imgread]secureKernelImgSz=0x778000
aml log : R1024 check pass!
aml log : R1024 check pass!
aml log : R1024 check pass!
ee_gate_off ...
## Booting Android Image at 0x01080000 ...
reloc_addr =73f7a130
copy done
load dtb from 0x1000000 ......
Uncompressing Kernel Image ... OK
kernel loaded at 0x01080000, end = 0x01fa8620
Loading Ramdisk to 73e02000, end 73ee3000 ... OK
Loading Device Tree to 000000001fff4000, end 000000001fffff5e ... OK
Starting kernel ...
uboot time: 2832461 us
...
<See Attached>
UART Pins:
<See Attached>
You can hook the TX and RX lines into the 3.5mm headphone jack for easy UART use.
See attached
It turns out JTAG is enabled according to the Android dmesg log, this could mean a neat little BootROM dump...
Can someone makes a flash able rom for Almogic burning tool for mi tv box 3 mdz 16-ab?
Can you boot from usb device (libreelec)?
My mi tv box 3 is totally bricked no boot to recovery, only pc recognize like WorldCub device.
gyb001 said:
Can you boot from usb device (libreelec)?
Click to expand...
Click to collapse
I haven't looked at that yet, I don't really have any expirence playing with AMLogic SoCs, you can boot via USB? This would actually work if you can as I have boot.img and system...
(dylanger) said:
I haven't looked at that yet, I don't really have any expirence playing with AMLogic SoCs, you can boot via USB? This would actually work if you can as I have boot.img and system...
Click to expand...
Click to collapse
Thanks.
unfortunatelly i haven't img.
But i find intresting things
once#usb start
(Re)start USB...
USB0: USB3.0 XHCI init start
Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.00
This box have usb3?
Do you know how can i make full backup from emmc?
I think we can run somehow twrp with this env:
recovery_from_udisk=if fatload usb 0 ${loadaddr} aml_autoscript; then autoscr ${loadaddr}; fi;if fatload usb 0 ${loadaddr} recovery.img; then if fatload usb 0 ${dtb_mem_addr} dtb.img; then echo udisk dtb.img loaded; fi;bootm ${loadaddr};fi;
I won
amlogic login: root
Password:
Last login: Sat Nov 4 12:30:06 UTC 2017 on ttyS0
/etc/update-motd.d/30-sysinfo: line 37: read: read error: 0: Invalid argument
/etc/update-motd.d/30-sysinfo: line 38: [: -le: unary operator expected
____ ___
/ ___|/ _ \__ ____ ____ __
\___ \ (_) \ \/ /\ \/ /\ \/ /
___) \__, |> < > < > <
|____/ /_//_/\_\/_/\_\/_/\_\
Welcome to ARMBIAN 5.34 user-built Debian GNU/Linux 9 (stretch) 3.14.29
System load: 0.44 0.12 0.04 Up time: 0 min
Memory usage: 4 % of 1790MB IP:
Usage of /: 18% of 7.1G storage/: 56% of 128M
[email protected]:~# ls
fstab install.sh
[email protected]:~# uname -a
Linux amlogic 3.14.29 #108 SMP PREEMPT Sat Nov 4 14:50:04 MSK 2017 aarch64 GNU/Linux
[email protected]:~# cat /proc/cpuinfo
Processor : AArch64 Processor rev 4 (aarch64)
processor : 0
processor : 1
processor : 2
processor : 3
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: AArch64
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 4
Hardware : Amlogic
Serial : 210a82005fb86cbf061167e2b0552e2f
Revision : 020a
gyb001 said:
I won
amlogic login: root
Password:
Last login: Sat Nov 4 12:30:06 UTC 2017 on ttyS0
/etc/update-motd.d/30-sysinfo: line 37: read: read error: 0: Invalid argument
/etc/update-motd.d/30-sysinfo: line 38: [: -le: unary operator expected
____ ___
/ ___|/ _ \__ ____ ____ __
\___ \ (_) \ \/ /\ \/ /\ \/ /
___) \__, |> < > < > <
|____/ /_//_/\_\/_/\_\/_/\_\
Welcome to ARMBIAN 5.34 user-built Debian GNU/Linux 9 (stretch) 3.14.29
System load: 0.44 0.12 0.04 Up time: 0 min
Memory usage: 4 % of 1790MB IP:
Usage of /: 18% of 7.1G storage/: 56% of 128M
[email protected]:~# ls
fstab install.sh
[email protected]:~# uname -a
Linux amlogic 3.14.29 #108 SMP PREEMPT Sat Nov 4 14:50:04 MSK 2017 aarch64 GNU/Linux
[email protected]:~# cat /proc/cpuinfo
Processor : AArch64 Processor rev 4 (aarch64)
processor : 0
processor : 1
processor : 2
processor : 3
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: AArch64
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 4
Hardware : Amlogic
Serial : 210a82005fb86cbf061167e2b0552e2f
Revision : 020a
Click to expand...
Click to collapse
Woot! Nice work! So you've managed to boot into a Debian build? Damn nice work! Do you know if its possible to do that without having access to Android in the first place?
Like from UBOOT?
Yes i used to uart.
Write this command to uboot:
setenv bootcmd "run start_autoscript; run storeboot;"
setenv start_autoscript "if usb start ; then run start_usb_autoscript; fi; if mmcinfo; then run start_mmc_autoscript; fi;"
setenv start_mmc_autoscript "if fatload mmc 0 1020000 s905_autoscript; then autoscr 1020000; fi;"
setenv start_usb_autoscript "if fatload usb 0 1020000 s905_autoscript; then autoscr 1020000; fi; if fatload usb 1 1020000 s905_autoscript; then autoscr 1020000; fi; if fatload usb 2 1020000 s905_autoscript; then autoscr 1020000; fi; if fatload usb 3 1020000 s905_autoscript; then autoscr 1020000; fi;"
setenv upgrade_step "0"
saveenv
Click to expand...
Click to collapse
I'm not sure it necessary, but i set the selinux disabled.
Download and write the image to usb drive
https://yadi.sk/d/srrtn6kpnsKz2/Linux/ARMBIAN
gyb001 said:
Yes i used to uart.
Write this command to uboot:
I'm not sure it necessary, but i set the selinux disabled.
Download and write the image to usb drive
https://yadi.sk/d/srrtn6kpnsKz2/Linux/ARMBIAN
Click to expand...
Click to collapse
Can we use this image with Amlogic usb burning tool ?
venioni said:
Can we use this image with Amlogic usb burning tool ?
Click to expand...
Click to collapse
No, the image will not pass the burning tool vertify.
I think you can use the amlogic burning tool only with uart. In uboot write "update" command.
gyb001 said:
No, the image will not pass the burning tool vertify.
I think you can use the amlogic burning tool only with uart. In uboot write "update" command.
Click to expand...
Click to collapse
Can you help me to unbrick my mind that box 3 international?
is totally bricked,no boot to recovery mode.
venioni said:
Can you help me to unbrick my mind that box 3 international?
is totally bricked,no boot to recovery mode.
Click to expand...
Click to collapse
Unfortunately i don't know how its possibile, but That sure, you have to use u boot.
You should buy uart usb device. I have cp2102
gyb001 said:
Unfortunately i don't know how its possibile, but That sure, you have to use u boot.
You should buy uart usb device. I have cp2102
Click to expand...
Click to collapse
If i buy this uart usb device cp 2102 can you make a tutorial how can i use this to unbrick my mi tv box3 and what firmwares i need to do all this?
venioni said:
If i buy this uart usb device cp 2102 can you make a tutorial how can i use this to unbrick my mi tv box3 and what firmwares i need to do all this?
Click to expand...
Click to collapse
Now, i can boot only Armbian.
Stock rom img file
https://mega.nz/#F!BDRG3J4B!VZqB0qJ9fseMhy4Y8anIaA
gyb001 said:
Stock rom img file
https://mega.nz/#F!BDRG3J4B!VZqB0qJ9fseMhy4Y8anIaA
Click to expand...
Click to collapse
Can we flash this stock rom image with Almogic burning tool for unbrick mi tv box 3 ?
venioni said:
Can we flash this stock rom image with Almogic burning tool for unbrick mi tv box 3 ?
Click to expand...
Click to collapse
No.
You have to use uboot
Hello friends, I need a little help with the usid / mac_ether script
i am starting to study about android and i would like to ask you:
First I would like someone to help me record a serial
at box amlogic
1: Firmware already passed Amlogic Customization tools (key usid, mac marked for write)
2: in the SN part I always want the serial to be written to be this ... 8e.05-17.06-10500171 <---------- SN
3: on mac's part i want this recorded
EC: 2C: A9: 51: 52: 31
3: usid script
[Group1]
usid = ShiningStar <1> MBX <2>
param_1_format =% 04x
param_1_start = 0000
param_1_end = FFFF
param_1_used = 0x0
param_1_total = 1000
param_2_format =% 04x
param_2_start = 0000
param_2_end = FFFF
param_2_used = 0x0
param_2_total = 1000
[Size]
Size = 22
[fragment]
fragment =
4: mac script
[Group1]
start = 00: 0f: a3: 45: 9b: 12
end = 00: 0f: a3: 45: a1: 34
total = 1540
used = 2
current =
[fragment]
fragment =
5: Help me understand how to put the above information into the script to write it to the box.
Hi all,
i've a ZTE MF286D router thas has the 4G modem broken.
The modem it self is an MDM9250 that is stuck in this way:
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1-00311
S - IMAGE_VARIANT_STRING=MAATANAZA
S - OEM_IMAGE_VERSION_STRING=scl_xa242_062
S - Boot Interface: NAND
S - Secure Boot: Off
S - Boot Config @ 0x000a602c = 0x000000a1
S - JTAG ID @ 0x000a607c = 0x100320e1
S - OEM ID @ 0x000a6080 = 0x00000000
S - Serial Number @ 0x000a4128 = 0x19146b45
S - OEM Config Row 0 @ 0x000a4150 = 0x0900000000000000
S - OEM Config Row 1 @ 0x000a4158 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000a4160 = 0x14000000000009a0
S - Feature Config Row 1 @ 0x000a4168 = 0x0342f80200000005
B - 3343 - PBL, Start
B - 6754 - bootable_media_detect_entry, Start
B - 8077 - bootable_media_detect_success, Start
B - 8081 - elf_loader_entry, Start
B - 11491 - auth_hash_seg_entry, Start
B - 11743 - auth_hash_seg_exit, Start
B - 60253 - elf_segs_hash_verify_entry, Start
B - 112850 - PBL, End
B - 127947 - SBL1, Start
B - 222253 - pm_device_init, Start
B - 282735 - PM_SET_VAL:Skip
D - 59414 - pm_device_init, Delta
B - 283924 - usb: usb: hs_phy_nondrive_start
B - 287920 - usb: usb: hs_phy_nondrive_finish
B - 291305 - boot_config_data_table_init, Start
D - 0 - boot_config_data_table_init, Delta - (0 Bytes)
B - 301431 - CDT Version:3,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B - 308141 - sbl1_ddr_set_params, Start
D - 30 - sbl1_ddr_set_params, Delta
B - 315644 - Pre_DDR_clock_init, Start
D - 366 - Pre_DDR_clock_init, Delta
B - 330650 - pm_driver_init, Start
D - 1799 - pm_driver_init, Delta
B - 332511 - clock_init, Start
D - 183 - clock_init, Delta
B - 337177 - boot_flash_init, Start
D - 31293 - boot_flash_init, Delta
B - 445147 - Image Load, Start
D - 39345 - QSEE Image Loaded, Delta - (394044 Bytes)
B - 484492 - QSEE Execution, Start
D - 65910 - QSEE Execution, Delta
D - 213 - boot_pm_post_tz_device_init, Delta
B - 554032 - Image Load, Start
D - 19520 - RPM Image Loaded, Delta - (161732 Bytes)
B - 726357 - ZTE_POWER_ON_NORMAL
B - 779092 - Error code 3039 at boot_elf_loader.c Line 1365
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1-00311
S - IMAGE_VARIANT_STRING=MAATANAZA
S - OEM_IMAGE_VERSION_STRING=scl_xa242_062
S - Boot Interface: NAND
S - Secure Boot: Off
S - Boot Config @ 0x000a602c = 0x000000a1
S - JTAG ID @ 0x000a607c = 0x100320e1
S - OEM ID @ 0x000a6080 = 0x00000000
S - Serial Number @ 0x000a4128 = 0x19146b45
S - OEM Config Row 0 @ 0x000a4150 = 0x0900000000000000
S - OEM Config Row 1 @ 0x000a4158 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000a4160 = 0x14000000000009a0
S - Feature Config Row 1 @ 0x000a4168 = 0x0342f80200000005
B - 3343 - PBL, Start
B - 6754 - bootable_media_detect_entry, Start
B - 7468 - bootable_media_detect_success, Start
B - 7472 - elf_loader_entry, Start
B - 10881 - auth_hash_seg_entry, Start
B - 11133 - auth_hash_seg_exit, Start
B - 59645 - elf_segs_hash_verify_entry, Start
B - 112242 - PBL, End
B - 122854 - SBL1, Start
B - 213561 - pm_device_init, Start
B - 273554 - PM_SET_VAL:Skip
D - 58956 - pm_device_init, Delta
B - 274713 - usb: usb: hs_phy_nondrive_start
B - 278739 - usb: usb: hs_phy_nondrive_finish
B - 282125 - boot_config_data_table_init, Start
D - 0 - boot_config_data_table_init, Delta - (0 Bytes)
B - 292251 - CDT Version:3,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B - 298961 - sbl1_ddr_set_params, Start
D - 30 - sbl1_ddr_set_params, Delta
B - 306464 - Pre_DDR_clock_init, Start
D - 366 - Pre_DDR_clock_init, Delta
B - 321470 - pm_driver_init, Start
D - 1799 - pm_driver_init, Delta
B - 323330 - clock_init, Start
D - 152 - clock_init, Delta
B - 328058 - boot_flash_init, Start
D - 31293 - boot_flash_init, Delta
B - 435997 - Image Load, Start
D - 39345 - QSEE Image Loaded, Delta - (394044 Bytes)
B - 475373 - QSEE Execution, Start
D - 20191 - QSEE Execution, Delta
D - 0 - post_tz_pm_init cancelled by dload, Delta
B - 499773 - High speed USB mode
B - 503036 - usb: init start
Click to expand...
Click to collapse
The modem if connected directly to the PC with an Mini-PCIe-2-USB is recognized as QUSB__BULK.
We talked about this modem also on this forum: https://eko.one.pl/forum/viewtopic.php?id=21790
I've tried various tools like:
- qdtools, but the modem refues to read\write nand
- QPST, each tool I run (except for QLIF) send a message to the modem, that prints on console a string "Memory dump allowed", the the modem reset itself in a continous loop
I've all operating system images from ZTE that can be uploaded using fastboot, but if the modem doesn't boot into this mode doesn't allow me to do anything
any suggestion?
thanks!
stich86 said:
any suggestion?
Click to expand...
Click to collapse
@stich86
Welcome to XDA. I hope you'll always find and get the support you require.
However, prior to your next posting please read the guidances that are stuck on top of every forum like
Note: Questions go in Q&A Forum
If you are posting a Question Thread post it in the Q&A forum. Technical discussion of Android development and hacking. No noobs, please. Device-specific releases should go under the appropriate device forum...
forum.xda-developers.com
and the others. I've moved the thread to Android Q&A.
Thanks for your cooperation!
Regards
Oswald Boelcke
Senior Moderator
Thanks Oswald and sorry for my mistake!