Hardware root/JTAG pinout - Fire TV General

For those interested, Amazon FireTV JTAG pinout is very close to the standard 20-pin ARM JTAG. See attached image for the actual pinout. If anybody has an OpenOCD config file for Qualcomm Krait 300 (SnapDragon 600), please share. Rooting can be done by bypassing a couple of checks in the bootloader.

Huh. Question. Is it snapdragon 600 you want or S4 pro. I dug pretty deeply before I got the box to figure exactly what processor is in there. Amazon gives: snapdragon 8064, krait 300, 1.7 GHz with adreno 320. I couldn't actually find a direct match for those specs in Qualcomm info, but the only thing that matched those specifications was the S4 pro, the same thing in the Nexus 7. Not to derail what you started, just want to be sure you're seeking the correct thing.
from my N5
Edit: let me clarify a bit. Amazon says it's the 8064. I went to qualcomm's site and that wasn't listed anywhere. So through deductive reasoning: CPU speed and the adreno 320 match the S4 pro which is also in the N7 2013. I haven't actually looked what xda says it has, but that's how I came to the S4 pro.

DroidIt! said:
Huh. Question. Is it snapdragon 600 you want or S4 pro. I dug pretty deeply before I got the box to figure exactly what processor is in there. Amazon gives: snapdragon 8064, krait 300, 1.7 GHz with adreno 320. I couldn't actually find a direct match for those specs in Qualcomm info, but the only thing that matched those specifications was the S4 pro, the same thing in the Nexus 7. Not to derail what you started, just want to be sure you're seeking the correct thing.
from my N5
Edit: let me clarify a bit. Amazon says it's the 8064. I went to qualcomm's site and that wasn't listed anywhere. So through deductive reasoning: CPU speed and the adreno 320 match the S4 pro which is also in the N7 2013. I haven't actually looked what xda says it has, but that's how I came to the S4 pro.
Being curious, I did some reading. I'm pretty sure it's a S4 Pro as well. 600 uses LPDDR3, has higher clock speed 1.7 vs 1.9GHz, and has wireless AC.
http://forum.xda-developers.com/nexus-4/help/snapdragon-600-vs-snapdragon-s4-pro-t2157201
http://www.ifixit.com/Teardown/Amazon+Fire+TV+Teardown/23856

Luxferro said:
Being curious, I did some reading. I'm pretty sure it's a S4 Pro as well. 600 uses LPDDR3, has higher clock speed 1.7 vs 1.9GHz, and has wireless AC.
http://forum.xda-developers.com/nexus-4/help/snapdragon-600-vs-snapdragon-s4-pro-t2157201
http://www.ifixit.com/Teardown/Amazon+Fire+TV+Teardown/23856
Yeah they didn't match up to me. I see xda just says 1.7 ghz, etc and not the 600. I'm thinking S4 Pro too. Good to get a confirmation though. :good:

DroidIt! said:
Yeah they didn't match up to me. I see xda just says 1.7 ghz, etc and not the 600. I'm thinking S4 Pro too. Good to get a confirmation though. :good:
The 600 was mentioned in some specs on the web, but it may have been a guess.
Actual JTAG device IDs:
4BA00477 (dap)
2071E0E1(cpu) <- googling this one yields nothing
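The two device IDs above can be split into their IEEE 1149.1 IDCODE fields, which is how an unlisted part is usually narrowed down to a vendor. The following decoder is an added example, not code from the thread; the small vendor table and the function names are the editor's, and it also accepts the 32-character binary form that the jtag tool prints further down this page.

```python
from dataclasses import dataclass

# Hand-picked JEP106 entries: (bank, 7-bit code without parity) -> vendor.
# bank = number of continuation codes + 1. Extend from the JEP106 list as needed.
JEP106 = {
    (1, 0x09): "Intel",
    (1, 0x70): "Qualcomm",
    (5, 0x3B): "ARM",
}


@dataclass(frozen=True)
class IdCode:
    raw: int
    version: int  # bits 31:28, silicon revision
    part: int     # bits 27:12, vendor-assigned part number
    bank: int     # bits 11:8 (continuation count) + 1
    code: int     # bits 7:1, JEP106 identity code
    vendor: str


def parse_idcode(text: str) -> IdCode:
    """Decode an IDCODE given as hex ('4BA00477', '0x4BA00477') or 32 binary digits."""
    s = text.strip().replace("_", "").replace(" ", "")
    if len(s) == 32 and set(s) <= {"0", "1"}:
        raw = int(s, 2)
    else:
        raw = int(s, 16)
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("IDCODE must fit in 32 bits")
    # Bit 0 of a real IDCODE is always 1. A 0 means the TAP has no IDCODE
    # register and shifted out BYPASS, or TDO is stuck low.
    if raw & 1 == 0:
        raise ValueError("bit 0 is 0: BYPASS register or TDO stuck low")
    mfr = (raw >> 1) & 0x7FF
    code = mfr & 0x7F
    bank = (mfr >> 7) + 1
    # 0x7F is the JEP106 continuation code and never a valid identity;
    # an all-ones read (floating TDO) lands here.
    if code == 0x7F:
        raise ValueError("manufacturer code 0x7F is invalid: TDO probably floating high")
    return IdCode(
        raw=raw,
        version=(raw >> 28) & 0xF,
        part=(raw >> 12) & 0xFFFF,
        bank=bank,
        code=code,
        vendor=JEP106.get((bank, code), "unknown"),
    )


def describe(text: str) -> str:
    i = parse_idcode(text)
    return (f"0x{i.raw:08X}: vendor={i.vendor} (bank {i.bank}, code 0x{i.code:02X}) "
            f"part=0x{i.part:04X} version={i.version}")


if __name__ == "__main__":
    # Values quoted on this page: Fire TV DAP, Fire TV CPU TAP, PXA "Device Id".
    for value in ("4BA00477", "2071E0E1", "01101001001001100100000000010011"):
        print(describe(value))
```

Decoded this way, the "cpu" TAP carries Qualcomm's manufacturer code with a vendor-private part number, which is why searching for the full 32-bit value finds nothing.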

Luxferro said:
Being curious, I did some reading. I'm pretty sure it's a S4 Pro as well. 600 uses LPDDR3, has higher clock speed 1.7 vs 1.9GHz, and has wireless AC.
http://forum.xda-developers.com/nexus-4/help/snapdragon-600-vs-snapdragon-s4-pro-t2157201
http://www.ifixit.com/Teardown/Amazon+Fire+TV+Teardown/23856
the original apq8064 was dubbed the 'S4 Pro' (before the new naming scheme kicked in). Later variants (apq8064t, apq8064ab, etc) are dubbed 'snapdragon 600'. The newer variants have newer krait and newer revision of a320 (gpu), clock bumps, etc.. but basically tweaks of the original.

Determined said:
For those interested, Amazon FireTV JTAG pinout is very close to the standard 20-pin ARM JTAG. See attached image for the actual pinout. If anybody has an OpenOCD config file for Qualcomm Krait 300 (SnapDragon 600), please share. Rooting can be done by bypassing a couple of checks in the bootloader.
I've got a third FireTV hooked up to my riffbox now, but having issues. If I can get a successful read and write, I'll post a dump with a hacked bootloader to run unsigned images.
The issue is I'm not getting any response from RTCK. Fuses indicate that jtag was not disabled, and this isn't my strong point.

jcase said:
If I can get a successful read and write, I'll post a dump with a hacked bootloader to run unsigned images.
No need to pull that dump, it is provided in the OTA (emmc_appsboot.mbn). There is a procedure (located at 0x88F01144 in OTA 51.1.0.1) that checks unlock code, if you force it to return 1, you will be able to boot anything as well as run "oem unlock" and other restricted commands.

Determined said:
No need to pull that dump, it is provided in the OTA (emmc_appsboot.mbn). There is a procedure (located at 0x88F01144 in OTA 51.1.0.1) that checks unlock code, if you force it to return 1, you can boot anything as well as run "oem unlock" and other restricted commands.
Not what I was referring to, sorry for my bad wording.
I have already rooted and unlocked mine, but I am unable to release the root at this point (will shortly, waiting on Amazon to confirm a patch is done for the root exploit). I was trying to say I would release a riffbox flashable binary, with a bootloader hack allowing booting of custom images.
Booting unsigned recovery with modified res images:
I can't get a response over jtag, will put more effort into it this week.
emmc_appsboot.mbn itself cannot be altered, sbl3 validates it before continuing with boot.

jcase said:
emmc_appsboot.mbn itself cannot be altered, sbl3 validates it before continuing with boot.
Hah! If you step through it using a jtag and skip the checks it won't actually need any changes.

Determined said:
Hah! If you step through it using a jtag and skip the checks it won't actually need any changes.
Hah? Stepping through it is impractical for most uses. For the few of us that have one sitting on our desk? Sure ok, for those that have it in their entertainment center? Not practical at all.
If you are going to jtag it, might as well hack it proper once, and not worry about having to step through it each boot.
If you choose to jtag and step through it, having it return a value of being unlocked will result in androidboot.unlocked_kernel=true being passed to cmdline, and /sbin/adbd will not drop root when that exists. Would be an easy-ish root through jtag without actually flashing anything.

jcase said:
If you are going to jtag it, might as well hack it proper once, and not worry about having to step through it each boot.
That is your [much appreciated] thunder. I don't have time to generate public-friendly hacks anymore.

Determined said:
That is your [much appreciated] thunder. I don't have time to generate public-friendly hacks anymore.
Thunder is over, I'm done after I provide a few promised ones come Blackhat (including this one). Too much of a time sink, and the public factor of the amusement has long gone.
If you have gtalk/hangouts give me a shout to the address in my signature.

There is also a serial debug port.

Are the pins known which is which?

{ParanoiA} said:
Are the pins known which is which?
I'll try and verify tomorrow
Sent from my HTC One_M8 using XDA Premium 4 mobile app

iNT0XiC8D said:
There is also a serial debug port.
Nothing to see there, just kernel messages:
Code:
Android Bootloader - UART_DM Initialized!!!
[0] welcome to lk: current version is lk_rel_3.0.1_02272014
[10] platform_init()
[10] target_init(): platform_id 109
[10] Its BUELLER. revision 3
[70] display_init(),target_id=7337.
[70] hdmi_msm_panel_init: default format=4
[2730] splash_screen_mmc :235, 67
[2750] Config HDMI PANEL.
[2750] Turn on HDMI PANEL.
[2760] EDID: no DTD or non-DTD data present
[2760] EDID: no DTD or non-DTD data present
[2760] hdmi_edid_get_audio_data: No adb found
[2770] hdmi_audio_playback: 48KHz not supported by TV
[2770] hdmi_msm_audio_acr_setup: video format 0 not supported
[2780] aboot_init: calling idme_initialize
[2780] Idme version is 2.0 and set related function to V2.0
[2790] IDME INFO: checking for new items to add (stored items:12 specified items:12)
[2790] serial num from idme: XXXXXXXXXXXXXXXXXX
[2800] Reboot -- restart_reason=427810811 (0x197fdffb)
[2800] aboot_init: IDME - device boot up info
[2810] idme items number:12
[2810] name: board_id, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2820] name: serial, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2830] name: mac_addr, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2830] name: bt_mac_addr, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2840] name: productid, size: 32, exportable: 1, permission: 292, data= 00000000000000000000000000000000
[2850] name: productid2, size: 32, exportable: 1, permission: 292, data= 00000000000000000000000000000000
[2860] name: bootmode, size: 4, exportable: 1, permission: 292, data= 1
[2860] name: postmode, size: 4, exportable: 1, permission: 292, data= 2
[2870] name: bootcount, size: 8, exportable: 1, permission: 292, data= 32
[2880] name: eth_mac_addr, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2890] bootcount = 33
[3080] aboot_init: Boot linux from MMC
[3090] boot_into_recovery=0 idme_bootmode=1 (NORMAL)
[3090] use_signed_kernel=1, is_unlocked=0, is_tampered=0.
[3100] Loading boot image (6344704): start
[3340] Loading boot image (6344704): done
[3340] Authenticating boot image (6344704): start
[3350] Attempting to enable ce3_src_clk before setting its rate.[3360] TZ channel swith returned 0
[5070] TZ channel swith returned 0
[5070] Authenticating boot image: done return value = 1
[5090] cmdline = 'androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 maxcpus=2'
[5100] Power on reason 1
[5100] Its bueller again 3.
[5100] cmdline_length=170, n=172, n1=45
[5110] IDME: idme atag init (export to kernel), atag_size=514
[5110] name: board_id, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5120] name: serial, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5130] name: mac_addr, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5140] name: bt_mac_addr, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5140] name: productid, size: 32, exportable: 1, permission: 292, data: 00000000000000000000000000000000
[5150] name: productid2, size: 32, exportable: 1, permission: 292, data: 00000000000000000000000000000000
[5160] name: bootmode, size: 4, exportable: 1, permission: 292, data: 1
[5170] name: postmode, size: 4, exportable: 1, permission: 292, data: 2
[5180] name: bootcount, size: 8, exportable: 1, permission: 292, data: 33
[5180] name: eth_mac_addr, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5190] The atag idme items number:11
booting linux @ 0x80208000, ramdisk @ 0x82200000 (368957)
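The log above already exposes the bootloader's lock state (`use_signed_kernel`, `is_unlocked`, `is_tampered`), the image authentication result, and the kernel command line on which, per the earlier post, `androidboot.unlocked_kernel=true` would appear on an unlocked boot. The following audit of a captured UART log is an added example, not code from the thread; it assumes that a return value of 1 means authentication succeeded (as in the locked boot shown above), and the function names and the second sample log are constructed.

```python
import re

FLAGS = re.compile(r"use_signed_kernel=(\d+), is_unlocked=(\d+), is_tampered=(\d+)")
AUTH = re.compile(r"Authenticating boot image: done return value = (\d+)")
CMDLINE = re.compile(r"cmdline = '([^']*)'")
STAMP = re.compile(r"(?=\[\d+\] )")  # zero-width split before each "[ms] " stamp


def records(log_text):
    """Yield (timestamp_ms or None, message). The UART capture sometimes glues
    two records onto one line, so split on every timestamp, not on newlines."""
    for line in log_text.splitlines():
        for piece in STAMP.split(line):
            m = re.match(r"\[(\d+)\] (.*)", piece)
            if m:
                yield int(m.group(1)), m.group(2).strip()
            elif piece.strip():
                yield None, piece.strip()


def audit(log_text):
    """Return the verified-boot state seen in an lk log plus a list of findings."""
    state = {"flags": None, "auth": None, "cmdline": None, "booted": False}
    for _, msg in records(log_text):
        m = FLAGS.search(msg)
        if m:
            state["flags"] = tuple(int(x) for x in m.groups())
        m = AUTH.search(msg)
        if m:
            state["auth"] = int(m.group(1))
        m = CMDLINE.search(msg)
        if m:
            state["cmdline"] = m.group(1)
        if msg.startswith("booting linux"):
            state["booted"] = True

    findings = []
    if state["flags"] is None:
        findings.append("lock-state line missing from log")
    else:
        signed, unlocked, tampered = state["flags"]
        if signed != 1:
            findings.append("use_signed_kernel is not 1")
        if unlocked != 0:
            findings.append("bootloader reports is_unlocked=%d" % unlocked)
        if tampered != 0:
            findings.append("bootloader reports is_tampered=%d" % tampered)
    # Assumption: 1 is the success value, as in the locked boot on this page.
    if state["booted"] and state["auth"] != 1:
        findings.append("kernel started without a successful image authentication")
    if state["cmdline"] and "androidboot.unlocked_kernel=true" in state["cmdline"].split():
        findings.append("cmdline carries androidboot.unlocked_kernel=true")
    state["findings"] = findings
    return state


# Lines copied from the log on this page (locked, factory state).
LOCKED = """
[3090] use_signed_kernel=1, is_unlocked=0, is_tampered=0.
[3340] Authenticating boot image (6344704): start
[3350] Attempting to enable ce3_src_clk before setting its rate.[3360] TZ channel swith returned 0
[5070] Authenticating boot image: done return value = 1
[5090] cmdline = 'androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 maxcpus=2'
booting linux @ 0x80208000, ramdisk @ 0x82200000 (368957)
"""

# Constructed variant: what the same capture would contain on an unlocked boot.
UNLOCKED = (LOCKED.replace("is_unlocked=0", "is_unlocked=1")
                  .replace("maxcpus=2'", "maxcpus=2 androidboot.unlocked_kernel=true'"))

if __name__ == "__main__":
    for name, log in (("locked", LOCKED), ("unlocked", UNLOCKED)):
        print(name, audit(log)["findings"])
```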

No JTAG Debug
Connecting to JTAG with OpenOCD needs a few changes in the cortex_a.c source to enable support for Cortex-A15. If you actually make those changes and play with debug registers, you will discover that DBGEN and SPIDEN signals/fuses are disabled, so debug mode is not accessible.
I have not yet tried flashing.

Determined said:
Connecting to JTAG with OpenOCD needs a few changes in the cortex_a.c source to enable support for Cortex-A15. If you actually make those changes and play with debug registers, you will discover that DBGEN and SPIDEN signals/fuses are disabled, so debug mode is not accessible.
I have not yet tried flashing.
ohh, openocd? I'm listening..
I have a number of snapdragon devices that I'd love to use jtag with.. but no windows machine for the riffbox sw.. openocd would be awesome

I spent a bit trying today, I never could get a response from RTCK at all

Related

JTAG + PXA025 + flashing

Hello,
I have bricked a Typhoon MyGuide 5500 XL pocket. Even though it is based on the ASUS 620, according to the site: http://www.handhelds.org/moin/moin.cgi/MyPal620JTAG, I wasn't able to flash it.
Here is snapshot from jtag:
jtag> detect
IR length: 5
Chain length: 1
Device Id: 01101001001001100100000000010011
Manufacturer: Intel
Part: PXA250
Stepping: PXA255A0
Filename: /usr/local/share/jtag/intel/pxa250/pxa250c0
jtag> print
No. Manufacturer Part Stepping Instruction
Register
---------------------------------------------------------------------------------------------
0 Intel PXA250 PXA255A0 BYPASS BR
Active bus:
*0: Intel PXA2x0 compatible bus driver via BSR (JTAG part No. 0)
start: 0x00000000, length: 0x04000000, data width: 32 bit, (Static ChipSelect 0)
start: 0x48000000, length: 0x04000000, data width: 32 bit, (Memory Mapped registers (Memory Ctl))
jtag> detectflash
jedec_detect: mid 4, did ea00
Flash not found!
On the internet I found another guy who faced the same problem (mid 4, did ea00), so it might be something Typhoon-specific, because I checked/fixed my cable five times, trying to make it as short as possible, then changed all the possible LPT modes (SPP, EPP, etc.), then tested it with XP/SP2+Cygwin and Linux (Fedora Core release 2 (Tettnang), kernel 2.6.5) separately. The same problems. The flash is not recognized.
Can I pass some commands to the processor using jtag and manipulate the flash that way? What kind of commands? Where could I read about them?
Can I change BOOT_SEL[0] value to 0, which is now 1? Will it help?
Or do you know some more hints to make jtag recognize my flash (M-SYS DiskOnChip G3)?
Thank you

[TUT] About reinstalling hw69xx series,ROM and OS

all solve here :
1st
need: MTTY
steps
1: Bootloader
2: mtty
3: task 28 55aa (fully format device)
4: rtask 0 (reset radio)
5: Reflash device
Above from wiki XDA dev's
Important, do not try to start device after above, after radio reset, put device back to bootloader directly
If above does not help you need to reflow or reball radio chip (tested and working if above does not work)
And my result from MTTY:
task 32
USB>password BOOTLOADER
HTCSPass.< YHTCEUSB>info 8
DOCInfoTableinitHW+
Binary0 Size: 0x100000
FAT0 Size: 0x4000000
FAT1 Size: 0x3340000
All Size: 0x7440000
FAT0_ADDR=0x100000,FAT1_ADDR=0x4100000
USB>info 7
HTC Integrated Re-Flash Utility for bootloader Version:1.50a SABLE EVT version:G.39
MainBoardID = C
Built at: Jun 12 2006 13:46:04
Copyright (c) 1998-2005 High Tech Computer Corporation
Turbo Mode Frequency = 312 MHz
Run Mode Frequency = 208 MHz
Memory Frequency = 208 MHz
SDRAM Frequency = 104 MHz
USB>info 4
HTCS Lњ3ЖHTCE
USB>task 28
DOCInfoTableinitHW+
Binary0 Size: 0x100000
FAT0 Size: 0x4000000
FAT1 Size: 0x3340000
All Size: 0x7440000
FAT0_ADDR=0x100000,FAT1_ADDR=0x4100000
USB>task 28 55aa
Wait..
DOCInfoTableinitHW+
Binary0 Size: 0x100000
FAT0 Size: 0x4000000
FAT1 Size: 0x33C0000
All Size: 0x74C0000
FAT0_ADDR=0x100000,FAT1_ADDR=0x4100000
USB>set 14 0
HTCST ЪИТHTCEUSB>set 14 10
HTCSF kEШ(HTCEUSB>set 14 9
HTCSF kEШ(HTCEUSB>
DON'T PANIC after NO BOOT -> REFLASH CEOS.nbf (HW6915 ROM FOR G4-121UK) FROM HP Utility.
Info for Pass1:
HTCSPass1.CM€ЛHTCEUSB>password 0000000000000000
source:
http://forum.xda-developers.com/showthread.php?t=471942
final steps
If your Flash chip type is G4, you can use ENG V1.21UK rom to update, I have uploaded the rom to Yahoo.com mail box.
I have changed my 6965 CHT ver to ENG ver successfully.
You can login yahoo mail box by using [email protected] as id and 69656965 as password.
Pls note not to delete the rom as others might need it too.
Flash method:
1. Sync your mobile with PC by ActiveSync4.5 or up
2. Double click the downloaded update rom programme.
3. Click upgrade button and wait for 8-10 minutes
4. Done.
source
http://forum.xda-developers.com/showthread.php?t=420041
please, don't change anything. keep data safe for other people
has anyone tried the above instructions and succeeded ? I have a perfectly working 6915, but it's in Spanish and I would like to change the language to English. I'm afraid of bricking the phone or end up with the "No GSM" problem.
DO NOT USE that way. Surely, your phone will become a brick. That will change Product ID with invalid code and you will never restore SW for radio ROM.

Odroid u2 Won't boot to recovery

My Odroid won't boot to CWM recovery with CM10.1 installed on the emmc.
I extracted the three files from here: http://cyanogenmod.org/rc/odroidu2-recovery.zip and placed them on the root of the emmc but every time I boot up I get this
Code:
U-Boot 2010.12-svn (Jan 28 2013 - 14:10:19) for Exynox4412
CPU: S5PC220 [Samsung SOC on SMP Platform Base on ARM CortexA9]
APLL = 1000MHz, MPLL = 880MHz
DRAM: 2047 MiB
PMIC VERSION : 0x00, CHIP REV : 2
TrustZone Enabled BSP
BL1 version: 20121128
Checking Boot Mode ... EMMC4.41
REVISION: 2.0
Manufacturer TOSHIBA [ 15028MB ]
NAME: S5P_MSHC4
MMC Device 0: 15028 MB
MMC Device 1: 0 MB
MMC Device 2 not found
*** Warning - using default environment
ModeKey Check... run normal_boot
Net: No ethernet found.
Hit any key to stop autoboot: 0
NAME: S5P_MSHC4
NAME: S5P_MSHC4
>>> Load Boot Script from mmc 0:1 <<<
NAME: S5P_MSHC4
Partition1: Start Address(0x520000), Size(0x181a000)
reading boot.scr
Warning : Reads a file that is smaller than the cluster size.
623 bytes read
## Executing script at 40008000
Wrong image format for "source" command
Exynos4412 #
how can i get past this?
deleted

Debricking my Rockchip Device

I would like to share my experience from the weekend to help others.
At first let me explain the situation:
I got my A5X Max+ 64GB eMMC preinstalled with Android 8.1 but I thought that the latest firmware available on the net can maybe make a positive difference to the shipped one.
Searching the web I found 3 different firmware versions I thought it would be good to give a try.
An A5X MAX+ Android 8.1 firmware
An A5X MAX+ Android 7 firmware
An A5X MAX Android 9 firmware (non "+" uses a different WiFi Chipset,....)
Next step, following the firmware upgrade guides:
1. Trying to directly flash a new firmware via a SD card and SD_Firmware_Tool_v146_eng_AndroidPC failed
2. Trying to flash with a computer using RK_Batch_tool_v1_8_AndroidPC in combination with Rockchip_DriverAssitant_v4.4 is working
Ok no difference to the preinstalled one so next step flashing a different firmware.
The most interesting was the Android 9.0 firmware even when I know that it is for the non "+" version using a slightly different peripheral hardware.
So I use the Batch tool again and start flashing. ==> Do not flash similar firmware on any device.
The flash process aborted after flashing only parts of the whole image.
My Box is not starting anymore, and there is no video output when booting and it is not recognized by my computer anymore via USB
My process to debrick my Device:
Luckily, when starting into Recovery it is still recognized via USB.
Also there are dedicated test pins marked with TX, GND and RX, so I connected a Serial to USB converter to check if I could find the problem.
I could not find out what baud rate the serial is using, nor the Start/Stop Bit configuration.
An oscilloscope (Red Pitaya) helped a lot to see that the serial interface is working at an abnormally high baud rate: ~1350000 baud per second / 8N1
Find here the current bootloop log:
normal boot
Code:
Wed Oct 31 06:28:55 UTC 2018 aarch64)
INF [0x0] TEE-CORE:init_primary_helper:338: Release version: 1.4
INF [0x0] TEE-CORE:init_teecore:83: teecore inits done
INFO: BL31: Preparing for EL3 exit to normal world
INFO: Entry point address = 0x200000
INFO: SPSR = 0x3c9
U-Boot 2017.09-02211-gd8ce1d0-dirty (Nov 27 2018 - 09:57:42 +0800)
Model: Rockchip RK3328 EVB
DRAM: 4 GiB
Relocation Offset is: fcbda000
Using default environment
[email protected]: 1, [email protected]: 0
Card did not respond to voltage select!
mmc_init: -95, time 10
switch to partitions #0, OK
mmc0(part 0) is current device
boot mode: normal
bad resource image magic: oint (current EL)
DTB: rk-kernel.dtb
bad resource image magic: oint (current EL)
Can't find file:rk-kernel.dtb
init_kernel_dtb dtb in resource read fail
In: serial
Out: serial
Err: serial
Model: Rockchip RK3328 EVB
rockchip_set_serialno: could not find efuse device
CLK: apll 400000000 Hz
dpll 664000000 Hz
cpll 1200000000 Hz
gpll 491009999 Hz
npll 600000000 Hz
armclk 600000000 Hz
aclk_bus 150000000 Hz
hclk_bus 75000000 Hz
pclk_bus 75000000 Hz
aclk_peri 150000000 Hz
hclk_peri 75000000 Hz
pclk_peri 75000000 Hz
Net: Net Initialization Skipped
No ethernet found.
Hit any key to stop autoboot: 0
ca head not found
ANDROID: reboot reason: "(none)"
get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1
read_is_device_unlocked() ops returned that device is UNLOCKED
avb_slot_verify.c:637: ERROR: vbmeta: Error verifying vbmeta image: OK_NOT_SIGNED
get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1
DDR version 1.13 20180428
ID:0x805 N
In
DDR3
333MHz
Bus Width=32 Col=11 Bank=8 Row=16 CS=1 Die Bus-Width=16 Size=4096MB
ddrconfig:3
OUT
Boot1 Release Time: Sep 7 2018 15:49:55, version: 2.49
ChipType = 0x11, 193
mmc2:cmd19,100
SdmmcInit=2 0
BootCapSize=2000
UserCapSize=59640MB
FwPartOffset=2000 , 2000
SdmmcInit=0 NOT PRESENT
StorageInit ok = 286281
Raw SecureMode = 0
SecureInit read PBA: 0x4
SecureInit read PBA: 0x404
SecureInit read PBA: 0x804
SecureInit read PBA: 0xc04
SecureInit read PBA: 0x1004
SecureInit ret = 0, SecureMode = 0
GPT part: 0, name: uboot, start:0x4000, size:0x2000
GPT part: 1, name: trust, start:0x6000, size:0x2000
GPT part: 2, name: misc, start:0x8000, size:0x2000
GPT part: 3, name: baseparameter, start:0xa000, size:0x800
GPT part: 4, name: resource, start:0xa800, size:0x8000
GPT part: 5, name: kernel, start:0x12800, size:0x10000
GPT part: 6, name: dtb, start:0x22800, size:0x2000
GPT part: 7, name: dtbo, start:0x24800, size:0x2000
GPT part: 8, name: logo, start:0x26800, size:0x8000
GPT part: 9, name: vbmeta, start:0x2e800, size:0x800
GPT part: 10, name: boot, start:0x2f000, size:0x10000
GPT part: 11, name: recovery, start:0x3f000, size:0x20000
GPT part: 12, name: backup, start:0x5f000, size:0x8000
GPT part: 13, name: cache, start:0x67000, size:0x80000
GPT part: 14, name: system, start:0xe7000, size:0x400000
GPT part: 15, name: metadata, start:0x4e7000, size:0x8000
GPT part: 16, name: vendor, start:0x4ef000, size:0x60000
GPT part: 17, name: oem, start:0x54f000, size:0x20000
GPT part: 18, name: frp, start:0x56f000, size:0x400
GPT part: 19, name: security, start:0x56f400, size:0x1000
GPT part: 20, name: userdata, start:0x570400, size:0x6f0bbdf
find partition:uboot OK. first_lba:0x4000.
find partition:trust OK. first_lba:0x6000.
LoadTrust Addr:0x6000
No find bl30.bin
HashBits:256, HashData:
6cf28742
2df532aa
1ea29e7b
85e4e128
9675b550
859f84c1
c47158c4
9373e8ea
CalcHash:
2a0cacfb
655bd8b6
09989b08
c0ff4464
9d525d13
47eb7212
89197119
20d1a938
bl31.bin_0:CheckImage Fail!
LoadTrust Addr:0x6400
LoadTrust Addr:0x6800
LoadTrust Addr:0x6c00
LoadTrust Addr:0x7000
No find bl30.bin
Load uboot, ReadLba = 4000
hdr 000000000337a380 + 0x0:0x50,0x41,0x52,0x4d,0x66,0x03,0x00,0x00,0x46,0x49,0x52,0x4d,0x57,0x41,0x52,0x45,
Load OK, addr=0x200000, size=0xeb934
RunBL31 0x10000
NOTICE: BL31: v1.3(debug):9d3f591
NOTICE: BL31: Built : 14:39:02, Jan 17 2018
NOTICE: BL31:Rockchip release version: v1.3
INFO: ARM GICv2 driver initialized
INFO: Using opteed sec cpu_context!
INFO: boot cpu mask: 1
INFO: plat_rockchip_pmu_init: pd status 0xe
INFO: BL31: Initializing runtime services
INFO: BL31: Initializing BL32
ERR [0x0] TEE-CORE:atags_get_tag:146: atags_get_tag: find unknown magic(d7f5f65b)
INF [0x0] TEE-CORE:init_primary_helper:337: Initializing (1.1.0-187-g3f0aafa6 #9 Wed Oct 31 06:28:55 UTC 2018 aarch64)
pressing and holding reset (without connecting to USB)
Code:
Wed Oct 31 06:28:55 UTC 2018 aarch64)
INF [0x0] TEE-CORE:init_primary_helper:338: Release version: 1.4
INF [0x0] TEE-CORE:init_teecore:83: teecore inits done
INFO: BL31: Preparing for EL3 exit to normal world
INFO: Entry point address = 0x200000
INFO: SPSR = 0x3c9
U-Boot 2017.09-02211-gd8ce1d0-dirty (Nov 27 2018 - 09:57:42 +0800)
Model: Rockchip RK3328 EVB
DRAM: 4 GiB
Relocation Offset is: fcbda000
Using default environment
[email protected]: 1, [email protected]: 0
Card did not respond to voltage select!
mmc_init: -95, time 10
switch to partitions #0, OK
mmc0(part 0) is current device
boot mode: normal
bad resource image magic: oint (current EL)
DTB: rk-kernel.dtb
bad resource image magic: oint (current EL)
Can't find file:rk-kernel.dtb
init_kernel_dtb dtb in resource read fail
In: serial
Out: serial
Err: serial
Model: Rockchip RK3328 EVB
rockchip_set_serialno: could not find efuse device
CLK: apll 400000000 Hz
dpll 664000000 Hz
cpll 1200000000 Hz
gpll 491009999 Hz
npll 600000000 Hz
armclk 600000000 Hz
aclk_bus 150000000 Hz
hclk_bus 75000000 Hz
pclk_bus 75000000 Hz
aclk_peri 150000000 Hz
hclk_peri 75000000 Hz
pclk_peri 75000000 Hz
Net: Net Initialization Skipped
No ethernet found.
Hit any key to stop autoboot: 0
ca head not found
ANDROID: reboot reason: "(none)"
get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1
read_is_device_unlocked() ops returned that device is UNLOCKED
avb_slot_verify.c:637: ERROR: vbmeta: Error verifying vbmeta image: OK_NOT_SIGNED
get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1
DDR version 1.13 20180428
ID:0x805 N
In
DDR3
333MHz
Bus Width=32 Col=11 Bank=8 Row=16 CS=1 Die Bus-Width=16 Size=4096MB
ddrconfig:3
OUT
Boot1 Release Time: Sep 7 2018 15:49:55, version: 2.49
ChipType = 0x11, 193
mmc2:cmd19,100
SdmmcInit=2 0
BootCapSize=2000
UserCapSize=59640MB
FwPartOffset=2000 , 2000
SdmmcInit=0 NOT PRESENT
StorageInit ok = 286281
Raw SecureMode = 0
SecureInit read PBA: 0x4
SecureInit read PBA: 0x404
SecureInit read PBA: 0x804
SecureInit read PBA: 0xc04
SecureInit read PBA: 0x1004
SecureInit ret = 0, SecureMode = 0
GPT part: 0, name: uboot, start:0x4000, size:0x2000
GPT part: 1, name: trust, start:0x6000, size:0x2000
GPT part: 2, name: misc, start:0x8000, size:0x2000
GPT part: 3, name: baseparameter, start:0xa000, size:0x800
GPT part: 4, name: resource, start:0xa800, size:0x8000
GPT part: 5, name: kernel, start:0x12800, size:0x10000
GPT part: 6, name: dtb, start:0x22800, size:0x2000
GPT part: 7, name: dtbo, start:0x24800, size:0x2000
GPT part: 8, name: logo, start:0x26800, size:0x8000
GPT part: 9, name: vbmeta, start:0x2e800, size:0x800
GPT part: 10, name: boot, start:0x2f000, size:0x10000
GPT part: 11, name: recovery, start:0x3f000, size:0x20000
GPT part: 12, name: backup, start:0x5f000, size:0x8000
GPT part: 13, name: cache, start:0x67000, size:0x80000
GPT part: 14, name: system, start:0xe7000, size:0x400000
GPT part: 15, name: metadata, start:0x4e7000, size:0x8000
GPT part: 16, name: vendor, start:0x4ef000, size:0x60000
GPT part: 17, name: oem, start:0x54f000, size:0x20000
GPT part: 18, name: frp, start:0x56f000, size:0x400
GPT part: 19, name: security, start:0x56f400, size:0x1000
GPT part: 20, name: userdata, start:0x570400, size:0x6f0bbdf
find partition:uboot OK. first_lba:0x4000.
find partition:trust OK. first_lba:0x6000.
LoadTrust Addr:0x6000
No find bl30.bin
HashBits:256, HashData:
6cf28742
2df532aa
1ea29e7b
85e4e128
9675b550
859f84c1
c47158c4
9373e8ea
CalcHash:
2a0cacfb
655bd8b6
09989b08
c0ff4464
9d525d13
47eb7212
89197119
20d1a938
bl31.bin_0:CheckImage Fail!
LoadTrust Addr:0x6400
LoadTrust Addr:0x6800
LoadTrust Addr:0x6c00
LoadTrust Addr:0x7000
No find bl30.bin
Load uboot, ReadLba = 4000
hdr 000000000337a380 + 0x0:0x50,0x41,0x52,0x4d,0x66,0x03,0x00,0x00,0x46,0x49,0x52,0x4d,0x57,0x41,0x52,0x45,
Load OK, addr=0x200000, size=0xeb934
RunBL31 0x10000
NOTICE: BL31: v1.3(debug):9d3f591
NOTICE: BL31: Built : 14:39:02, Jan 17 2018
NOTICE: BL31:Rockchip release version: v1.3
INFO: ARM GICv2 driver initialized
INFO: Using opteed sec cpu_context!
INFO: boot cpu mask: 1
INFO: plat_rockchip_pmu_init: pd status 0xe
INFO: BL31: Initializing runtime services
INFO: BL31: Initializing BL32
ERR [0x0] TEE-CORE:atags_get_tag:146: atags_get_tag: find unknown magic(d7f5f65b)
INF [0x0] TEE-CORE:init_primary_helper:337: Initializing (1.1.0-187-g3f0aafa6 #9 Wed Oct 31 06:28:55 UTC 2018 aarch64)
INF [0x0] TEE-CORE:init_primary_helper:338: Release version: 1.4
INF [0x0] TEE-CORE:init_teecore:83: teecore inits done
INFO: BL31: Preparing for EL3 exit to normal world
INFO: Entry point address = 0x200000
INFO: SPSR = 0x3c9
U-Boot 2017.09-02211-gd8ce1d0-dirty (Nov 27 2018 - 09:57:42 +0800)
Model: Rockchip RK3328 EVB
DRAM: 4 GiB
Relocation Offset is: fcbda000
Using default environment
[email protected]: 1, [email protected]: 0
Card did not respond to voltage select!
mmc_init: -95, time 9
switch to partitions #0, OK
mmc0(part 0) is current device
boot mode: None
bad resource image magic: oint (current EL)
DTB: rk-kernel.dtb
bad resource image magic: oint (current EL)
Can't find file:rk-kernel.dtb
init_kernel_dtb dtb in resource read fail
In: serial
Out: serial
Err: serial
Model: Rockchip RK3328 EVB
rockchip_set_serialno: could not find efuse device
CLK: apll 400000000 Hz
dpll 664000000 Hz
cpll 1200000000 Hz
gpll 491009999 Hz
npll 600000000 Hz
armclk 600000000 Hz
aclk_bus 150000000 Hz
hclk_bus 75000000 Hz
pclk_bus 75000000 Hz
aclk_peri 150000000 Hz
hclk_peri 75000000 Hz
pclk_peri 75000000 Hz
Net: Net Initialization Skipped
No ethernet found.
Hit any key to stop autoboot: 0
ca head not found
ANDROID: reboot reason: "(none)"
get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1
read_is_device_unlocked() ops returned that device is UNLOCKED
avb_slot_verify.c:637: ERROR: vbmeta: Error verifying vbmeta image: OK_NOT_SIGNED
get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1
Booting kernel at 0x207f800 with fdt at f4dcfca0...
## Booting Android Image at 0x0207f800 ...
Kernel load addr 0x02080000 size 19005 KiB
## Flattened Device Tree blob at f4dcfca0
Booting using the fdt blob at 0xf4dcfca0
XIP Kernel Image ... OK
Loading Device Tree to 00000000081fb000, end 00000000081ff0f8 ... OK
Adding bank: 0x00200000 - 0x08400000 (size: 0x08200000)
Adding bank: 0x0a200000 - 0xff000000 (size: 0xf4e00000)
Starting kernel ...
"Synchronous Abort" handler, esr 0x02000000
* Relocate offset = 00000000fcbda000
* ELR(PC) = ffffffff064c6000
* LR = 0000000000201f00
* SP = 00000000f4dcf2a0
* ESR_EL2 = 0000000002000000
EC[31:26] == 000000, Exception with an unknown reason
IL[25] == 1, 32-bit instruction trapped
* DAIF = 00000000000003c0
D[9] == 1, DBG masked
A[8] == 1, ABORT masked
I[7] == 1, IRQ masked
F[6] == 1, FIQ masked
* SPSR_EL2 = 00000000600003c9
D[9] == 1, DBG masked
A[8] == 1, ABORT masked
I[7] == 1, IRQ masked
F[6] == 1, FIQ masked
M[4] == 0, Exception taken from AArch64
M[3:0] == 1001, EL2h
* SCTLR_EL2 = 0000000030c50830
I[12] == 0, Icache disabled
C[2] == 0, Dcache disabled
M[0] == 0, MMU disabled
* HCR_EL2 = 0000000000000002
* VBAR_EL2 = 00000000fcdda800
* TTBR0_EL2 = 00000000feff0000
x0 : 00000000081fb000 x1 : 0000000000000000
x2 : 0000000000000000 x3 : 0000000000000000
x4 : 0000000002080000 x5 : 0000000000000001
x6 : 0000000000000008 x7 : 0000000000000000
x8 : 00000000f4dcf320 x9 : 0000000001008000
x10: 000000000a200023 x11: 0000000000000002
x12: 0000000000000002 x13: 00000000f4dcf36c
x14: 00000000081fb000 x15: 00000000fcddb5a8
x16: 0000000000000002 x17: 00000000081ff0f9
x18: 00000000f4dd1da0 x19: 0000000000000400
x20: 00000000fcec52e0 x21: 0000000000000000
x22: 0000000000000003 x23: 00000000f4dcf630
x24: 0000000000000000 x25: 0000000002080000
x26: 00000000fcddbea4 x27: 0000000000000400
x28: 0000000002080000 x29: 00000000f4dcf480
SP:
f4dcf2a0: 00000000 00000000 00000000 00000000
f4dcf2b0: 00000000 00000000 fcea3759 00000000
f4dcf2c0: 00000000 00000000 00000000 00000000
f4dcf2d0: fcea37a0 00000000 fcea37c6 00000000
f4dcf2e0: fcea3813 00000000 fcea3860 00000000
f4dcf2f0: fcea38a0 00000000 fcea38e0 00000000
f4dcf300: fcea391d 00000000 00000000 00000000
f4dcf310: 00000000 00000000 fcea395a 00000000
f4dcf320: f4dcf480 00000000 fcddaa0c 00000000
f4dcf330: 00000400 00000000 fce9d415 00000000
f4dcf340: feff0000 00000000 00000002 00000000
f4dcf350: 30c50830 00000000 f4dcf2a0 00000000
f4dcf360: 600003c9 00000000 fcdda800 00000000
f4dcf370: 000003c0 00000000 02000000 00000000
f4dcf380: 030a0000 00000000 081fb000 00000000
f4dcf390: 00000000 00000000 00000000 00000000
Resetting CPU ...
WARN: PSCI sysreset is disabled
DDR version 1.13 20180428
ID:0x805 N
In
SRX
DDR3
333MHz
Bus Width=32 Col=11 Bank=8 Row=16 CS=1 Die Bus-Width=16 Size=4096MB
ddrconfig:3
OUT
Boot1 Release Time: Sep 7 2018 15:49:55, version: 2.49
ChipType = 0x11, 261
mmc2:cmd19,100
SdmmcInit=2 0
BootCapSize=2000
UserCapSize=59640MB
FwPartOffset=2000 , 2000
SdmmcInit=0 NOT PRESENT
StorageInit ok = 285008
Raw SecureMode = 0
SecureInit read PBA: 0x4
SecureInit read PBA: 0x404
SecureInit read PBA: 0x804
SecureInit read PBA: 0xc04
SecureInit read PBA: 0x1004
SecureInit ret = 0, SecureMode = 0
GPT part: 0, name: uboot, start:0x4000, size:0x2000
GPT part: 1, name: trust, start:0x6000, size:0x2000
GPT part: 2, name: misc, start:0x8000, size:0x2000
GPT part: 3, name: baseparameter, start:0xa000, size:0x800
GPT part: 4, name: resource, start:0xa800, size:0x8000
GPT part: 5, name: kernel, start:0x12800, size:0x10000
GPT part: 6, name: dtb, start:0x22800, size:0x2000
GPT part: 7, name: dtbo, start:0x24800, size:0x2000
GPT part: 8, name: logo, start:0x26800, size:0x8000
GPT part: 9, name: vbmeta, start:0x2e800, size:0x800
GPT part: 10, name: boot, start:0x2f000, size:0x10000
GPT part: 11, name: recovery, start:0x3f000, size:0x20000
GPT part: 12, name: backup, start:0x5f000, size:0x8000
GPT part: 13, name: cache, start:0x67000, size:0x80000
GPT part: 14, name: system, start:0xe7000, size:0x400000
GPT part: 15, name: metadata, start:0x4e7000, size:0x8000
GPT part: 16, name: vendor, start:0x4ef000, size:0x60000
GPT part: 17, name: oem, start:0x54f000, size:0x20000
GPT part: 18, name: frp, start:0x56f000, size:0x400
GPT part: 19, name: security, start:0x56f400, size:0x1000
GPT part: 20, name: userdata, start:0x570400, size:0x6f0bbdf
find partition:uboot OK. first_lba:0x4000.
find partition:trust OK. first_lba:0x6000.
LoadTrust Addr:0x6000
No find bl30.bin
HashBits:256, HashData:
6cf28742
2df532aa
1ea29e7b
85e4e128
9675b550
859f84c1
c47158c4
9373e8ea
CalcHash:
2a0cacfb
655bd8b6
09989b08
c0ff4464
9d525d13
47eb7212
89197119
20d1a938
bl31.bin_0:CheckImage Fail!
LoadTrust Addr:0x6400
LoadTrust Addr:0x6800
LoadTrust Addr:0x6c00
LoadTrust Addr:0x7000
No find bl30.bin
Load uboot, ReadLba = 4000
hdr 000000000337a380 + 0x0:0x50,0x41,0x52,0x4d,0x66,0x03,0x00,0x00,0x46,0x49,0x52,0x4d,0x57,0x41,0x52,0x45,
Load OK, addr=0x200000, size=0xeb934
RunBL31 0x10000
NOTICE: BL31: v1.3(debug):9d3f591
NOTICE: BL31: Built : 14:39:02, Jan 17 2018
NOTICE: BL31:Rockchip release version: v1.3
INFO: ARM GICv2 driver initialized
INFO: Using opteed sec cpu_context!
INFO: boot cpu mask: 1
INFO: plat_rockchip_pmu_init: pd status 0xe
INFO: BL31: Initializing runtime services
INFO: BL31: Initializing BL32
INF [0x0] TEE-CORE:init_primary_helper:337: Initializing (1.1.0-187-g3f0aafa6 #9 Wed Oct 31 06:28:55 UTC 2018 aarch64)
When connecting USB for flashing, the log shows the detection and does not loop anymore; it is waiting for the process to be initiated by the computer.
I tried to flash the Android 8.1 firmware without luck because the automatic checks stopped the process before starting.
So I tried to flash with Factory Tool 1.6, but also without success; it also runs checks before starting the flash process.
Searching all over the web I found different versions of these tools and tested newer ones, but also without success.
After a while I found a tool called Rockchip Android Tool 2.1 for Rockchip-based single-board computers.
This tool has many more options to check and flash a Rockchip board over USB.
Most of the checks failed and I figured out that a normal flashing process will always reboot the board into Maskrom mode.
It seems that my device is not able to go into Maskrom mode anymore, because after starting the flash process it is resetting and booting normally (bootloop) instead of switching to Maskrom mode.
A bit of evaluation tells me that Maskrom mode can also be achieved by shorting the Flash CLK to ground during boot. (I know a similar process for my Fire HD8 tablet.)
I checked if I could find the CLK line on the board, but it seems that it is not accessible from the surface of the PCB.
After minutes of research I figured out that there are also newer versions of the Android Tool available, and I tested all I could find.
Device drivers should also be updated, according to a problem report from the owner of a Rockchip single-board computer who also had some difficulties working with the tools.
Luckily I found RKDevTool 2.52 (the new name of the Android Tool); in this tool a few of the tests for Rockchip devices work, and I was able to flash Android 8.1 and enter Maskrom mode successfully.
Now that my device is back alive I will also post some logs and pictures of my device to help others when trying to debrick/reactivate from an unexpected state.
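Added example, not part of the original post and not Rockchip's code: a Python parser for a loader log in the format shown above that pairs each HashData/CalcHash dump with the preceding LoadTrust address and names the GPT partition holding the image that failed verification. The sample log, its hash words and all function names are constructed for illustration; handling of a matching digest with no `CheckImage Fail!` line is an assumption, since the post shows only the failing case.

```python
import re
# Constructed sample in the format of the loader log above (hash words are made up).
SAMPLE_LOG = """\
GPT part: 0, name: uboot, start:0x4000, size:0x2000
GPT part: 1, name: trust, start:0x6000, size:0x2000
GPT part: 2, name: misc, start:0x8000, size:0x2000
LoadTrust Addr:0x6000
HashBits:64, HashData:
0badc0de
00000001
CalcHash:
0badc0de
00000002
bl31.bin_0:CheckImage Fail!
"""
GPT_RE = re.compile(r"GPT part:\s*\d+, name:\s*(\w+), start:(0x[0-9a-f]+), size:(0x[0-9a-f]+)")
HASH_RE = re.compile(r"HashBits:(\d+), HashData:")
WORD_RE = re.compile(r"[0-9a-f]{8}")

def parse_gpt(log):
    """Return [(name, first_lba, end_lba)] from the loader's 'GPT part:' lines."""
    return [(n, int(s, 16), int(s, 16) + int(z, 16)) for n, s, z in GPT_RE.findall(log)]

def layout_problems(parts):
    """Names of partitions that do not start where the previous one ends."""
    return [b[0] for a, b in zip(parts, parts[1:]) if b[1] != a[2]]

def triage_hash_checks(log):
    """Pair each HashData/CalcHash dump with its load address, partition and verdict."""
    lines = [l.strip() for l in log.splitlines()]
    parts, findings, lba = parse_gpt(log), [], None
    for i, line in enumerate(lines):
        if line.startswith("LoadTrust Addr:"):
            lba = int(line.split(":", 1)[1], 16)
        m = HASH_RE.fullmatch(line)
        if not m:
            continue
        n = int(m.group(1)) // 32  # the loader prints the digest as 32-bit words
        stored, label, calc = lines[i+1:i+1+n], lines[i+1+n:i+2+n], lines[i+2+n:i+2+2*n]
        if label != ["CalcHash:"] or len(calc) != n or not all(map(WORD_RE.fullmatch, stored + calc)):
            continue  # truncated or garbled capture: report nothing rather than guess
        verdict = lines[i+2+2*n] if len(lines) > i+2+2*n else ""
        image = verdict.split(":")[0] if verdict.endswith("CheckImage Fail!") else None
        part = next((p for p, lo, hi in parts if lba is not None and lo <= lba < hi), None)
        findings.append({"image": image, "lba": lba, "partition": part, "match": stored == calc})
    return findings

if __name__ == "__main__":
    print(layout_problems(parse_gpt(SAMPLE_LOG)), triage_hash_checks(SAMPLE_LOG))
```

A finding with `match` set to False and a partition name identifies which partition's contents no longer agree with the digest stored in the image header, which is the one to compare against a known-good firmware image before reflashing.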
@sandman01
Try this
thanks for your post.
I think I was a bit too euphoric because my box is working again, and I only want to share my experience for others running into the same situation.
It was hard to get all the Information out of the web, from multiple places.
sandman01 said:
thanks for your post.
I think I was a bit too euphoric because my box is working again, and I only want to share my experience for others running into the same situation.
It was hard to get all the Information out of the web, from multiple places.
Ok no probs
Can't find those files on Drive anymore, can you please share them? Can't find a place to download RKDevtool
Thanks in advance

Xiaomi Mi Tv Stick: Boot loop

Morning all.
I'm trying to debug and restore a Mi TV stick that is stuck in a boot loop. It happened after I switched it on, its video got stuck on the Xiaomi logo, and after power cycling it never worked again.
The LED doesn't switch on and I have no video signal on the HDMI, so I disassembled it, connected to its serial port pins and saw the following trace, in a loop:
Code:
GXL:BL1:9ac50e:bb16dc;FEAT:BDFD71BC:0;POC:3;RCY:0;EMMC:0;READ:0;0.0;0.0;CHK:5E6;READ:0;0.0;0.0;CHK:0;
TE: 444948
BL2 Built : 10:47:30, Jan 14 2019. gxl g152d217 - [email protected]
set vcck to 1120 mv
set vddee to 1000 mv
Board ID = 7
CPU clk: 1200MHz
DQS-corr enabled
DDR scramble enabled
DDR3 chl: Rank0+1 @ 912MHz - FAIL
DDR3 chl: Rank0 @ 912MHz - FAIL
DDR3 chl: Rank0 16bit @ 912MHz - FAIL
DDR4 chl: Rank0+1 @ 912MHz - FAIL
DDR4 chl: Rank0 @ 912MHz
bist_test rank: 0 21 03 40 2b 12 44 1f 02 3d 32 1a 4a 20 00 40 2b 14 43 26 08 45 27 0d 41 660 - PASS
Rank0: 1024MB(auto)-2T-18
AddrBus test pass!
eMMC boot @ 1
sw8 s
emmc switch 3 ok
BL2: rpmb counter: 0x00000020
emmc switch 1 ok
Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000, part: 1
aml log : R1024 check pass!
New fip structure!
Load bl30 from eMMC, src: 0x00010200, des: 0x01700000, size: 0x0000d600, part: 1
aml log : R1024 check pass!
Load bl31 from eMMC, src: 0x00020200, des: 0x01700000, size: 0x0002b400, part: 1
aml log : R1024 check pass!
aml log : SIG CHK : 231 for address 0x01700000
Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000, part: 2
emmc switch 2 ok
I assume that perhaps when I power cycled it was updating and its emmc got corrupted?
Is there a way of reflashing the firmware on these devices? I've seen this post here at XDA but wasn't able to enter USB mode as described. I was able to find the 2 pins, but after shorting them nothing happens.
Any tips on how to recover this device?
Thank you!
Did you try to change the charger and/or the cable?
