Hi. This is a message to experts.
Looking at the bootloader in my broken ELFIN (well, let's better say dead, because even with a GOLD CARD I couldn't get it alive), I found a command called wdata. This is the screen result:
==========================================================
Cmd>wdata
Usage:
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
==========================================================
So the question is: is there any way of using that command to access the F****** g_cKeyCardSecurityLevel = FF register and modify it?
Does anyone know what the memory position of that register is? If so, how can I change it?
Hoping for answers.
Thanks
Info about A500 ICS bootloader (and only ICS Bootloader, HC bootloader files don't have that - it was partly discussed in leak thread):
What we know so far:
- ICS bootloader has fastboot
- ICS bootloader is built as unlockable and relockable; however this right now doesn't work on A500/A100, it's confirmed to work on A200
Currently I don't know if the "unlock process" can be done "manually" - that is, whether it's forcibly disabled or just "not yet implemented" (it's just a leak, so keep that in mind). The lock command looks to be fully in effect. On the other hand, the old bootloader and itsmagic will do just fine, at least for now (for A500/A501).
Fastboot has these variables:
Code:
version-bootloader
version-baseband
version
secure
serialno
mid
product
(serialno will probably be your UID)
Fastboot OEM commands are:
Code:
fastboot oem debug on
fastboot oem debug off
fastboot oem lock
fastboot oem unlock
If you try to relock locked device, you'll get:
Code:
Fastboot: Device is already locked! Abort ...
Unlocked BL also supports these commands:
Code:
flash
boot
download
erase
(normal FB commands: so if you screw up your boot / recovery image, you can quite easily restore it).
PATCHED BOOTLOADER - !!!TO BE FLASHED WITH NVFLASH!!!
- overridden GetUnlockMode to return 1 (=Unlocked)
- overridden SetUnlockMode to return 0 (=Error)
- when booting to recovery it won't add the update command
- fastboot oem lock / fastboot oem unlock commands removed
DL: http://forum.xda-developers.com/attachment.php?attachmentid=919618&d=1330199867
In V2 there is additionally
- says "Custom Mode" instead of "Unlock Mode"
- fastboot variable secure: no
- boot command works (for some reason tied to the secure variable)
- booting recovery manually with VOL_Down is like booting it via "adb reboot recovery": i.e won't erase cache etc.
DL: http://forum.xda-developers.com/attachment.php?attachmentid=922059&d=1330348851
Also fastboot is buggy (sometimes failed flashing recovery), but flashing boot.img works for instance. And yeah you won't have to use itsmagic for this one. Also, I flashed the stock ICS leak, and wasn't testing how it goes with HC.
CWM for ICS bootloader: http://forum.xda-developers.com/showpost.php?p=22978118&postcount=49
CLASSIC STUFF - YOU DO EVERYTHING AT YOUR OWN RISK!!!
This guy seems to have been around a very long time. I am not a DEV, but this might be worth someone taking a look at. Here is the link to his post. He claims, if I read right, he repacked the ICS ROM; guessing self-signed and flashed with FAST BOOT.
Or I'm lame and misread.
http://www.acertabletforum.com/forum/acer-a200-general-discussions/3649-how-unlock-boot-loader.html
check the link
Hope this helps you.
erica_renee said:
This guy seems to have been around a very long time. I am not a DEV, but this might be worth someone taking a look at. Here is the link to his post. He claims, if I read right, he repacked the ICS ROM; guessing self-signed and flashed with FAST BOOT.
Or I'm lame and misread.
http://www.acertabletforum.com/forum/acer-a200-general-discussions/3649-how-unlock-boot-loader.html
check the link
Hope this helps you.
Makes sense. I had to use fastboot to unlock the bootloader, flash recovery, and then flash a new system/boot/data img to my Galaxy Nexus for the first time. It seemed the unlock process wiped the operating system, so it was required to push the files from my computer to the phone manually in order to restore it.
Yeah, fastboot erases literally everything for security reasons IIRC.
Well reading that post on the other forum, it seems that they get the option to unlock like on the Google nexus devices, although it seems that screen doesn't appear on the a500 when trying this method.
Here's a text file containing some more info. I ripped apart the bootloader update in a hex editor.
starts at 88640
Code:
AKBMSCLock switched
vendor/nvidia/tegra/prebuilt_t20/../core/system/fastboot/acer_funcs.cVOL_DOWN key pressed
VOL_UP key pressed
FastbootModeFOTAFactoryResetrecovery
--update_package=SDCARD:update.zip
Erasing Cache before SD update...
CACSD update cmd: %s
Error: Data not start yet!
whole-file signature verified against key %d
failed to verify whole-file signature
Error: Not enough buffer!!!
buffer & signature cannot be NULL!ANDROID!LNX%s: No boot image found!%s: Verify failed! Please redownload official image from Acer and try again!SOS%s: No recovery image found!Please flash official system.img and try againError: System.img is not official
Please flash official flexrom.img and try againError: flexrom.img is not official
%s: LockMode verified ok!
%s: LockMode verified failed
Magic value mismatch: %c%c%c%c%c%c%c%c
%s
Failed to setup warmboot args %x
Failed to set shmoo boot argument
Critical failure: Unable to start kernel.
Load OS now via JTAG backdoor....
Failed to initialize Aboot
Platform Pre Boot configuration...
Entering OS Download mode
LockUnlockFastboot: Device is now in %s mode
Bootloader Version %s (Unlock Mode)0.03.11-ICS
Bootloader version: %s
HW version 0x%x
NOYESIs Wifi Only? %s
EB2Unable to parse odmdata for wait input
Checking for android ota recovery
Erasing Userdata...
UDAErasing Cache...
Booting recovery kernel image
Recovery Verified!
Recovery verified failed ...(UnlockMode)Bootloader v%s%s: Starting Fastboot USB download protocol
No CAC partitions found
getvar:version-bootloaderOKAY%sversion-basebandOKAYversionOKAY0.4secureOKAYyesOKAYnoserialnoOKAYKal-El001midOKAY001productdownload:Fastboot: Not support the command in Lock modeDATA%08x
Insufficient memory
Staging partition size is not big enough
bootrebootRebooting the device ...continueflash:bootloaderrecoverysystemflexuserdataFastboot: Not support!No %s partition found
Not enough space in %s partitionFastboot: Official system image checked passed!
Fastboot: Official flex image checked passed!
Fastboot: Official system image checked failed!
Fastboot: Official flex image checked failed!
erase:StorMgr Formatting %s
Erasing %s
oem debug ondebug offlockFastboot: Device is already locked! Abort ...
Fastboot: Please use left key (VOL_DOWN) to choose, and use right key (VOL_UP) to select
Please wait ...Fastboot: Device locked!!!Please reboot the device to take affect!Fastboot: Failed to set lock modeFastboot: Cancelled by user or timeoutunlockFAIL(%08x)Failed to process command %s error(0x%x)
Boot Verified!
Boot verified failed ...Unrecoverable bootloader error (0x%08x).
vendor/nvidia/tegra/prebuilt_t20/../core/system/fastboot/main_acer.cmiscAPPcachestagingUSPbcttableBCTEBTubuntuUBNmbrMBRFLXUse scroll wheel or keyboard for movement and selection
Neither Scroll Wheel nor Keyboard are detected ...Booting OS
Checking for RCK.. press <Enter> in 5 sec to enter RCK
Press <Enter> to select, Arrow key (Left, Right) for selection move
Key driver not found.. Booting OS
Checking for RCK.. press key <Menu> in 5 sec to enter RCK
Press <Menu> to select, Home(Left) and Back(Right) for selection move
Picasso2Picasso_MPicasso_EPicassoVangoghMayaChecking for RCK.. press any key in 5 sec to enter RCK
Press scroll wheel to select, Scroll for selection move
Scroll wheel not found.. Booting OS
Press <Wake> to select, Home(Left) and Back(Right) for selection move
Checking for RCK.. press key <Volume Down> in 5 sec to enter RCK
Press <Volume Down> to select, <Volume Up> for selection move
tegraid=%x.%x.%x.%x.%x.%s mem=%[email protected]%uM vmalloc=%uM androidboot.serialno=%08x%08x video=tegrafb console=ttyS0,115200n8 debug_uartport=lsport console=none debug_uartport=hsport usbcore.old_scheme_first=1 lp0_vec=%[email protected]%x tegra_fbmem=%[email protected]%x brand=acer target_product=%s a500_ww_gen1max_cpu_cur_ma=%d core_edp_mv=%d pmuboard=0x%04x:0x%04x:0x%02x:0x%02x:0x%02x displayboard=0x%04x:0x%04x:0x%02x:0x%02x:0x%02x power_supply=Adapter power_supply=Battery audio_codec=%s cameraboard=0x%04x:0x%04x:0x%02x:0x%02x:0x%02x upnosmp usbroot=/dev/nfs ip=:::::usb%c:on rw netdevwait ethroot=/dev/nfs ip=:::::eth%c:on rw netdevwait sdroot=/dev/sd%c%c rw rootwait mmchdroot=/dev/mmchd%c%c%c rw rootwait mtdblockroot=/dev/mtdblock%c rw rootwait mmcblkroot=/dev/mmcblk%c%c%c rw rootwait Unrecognized root device: %s
root=/dev/sda1 rw rootwait tegraboot=nand tegraboot=nor tegraboot=emmc tegraboot=sdmmc mtdparts=tegra_nand:mtdparts=tegra_nor:%[email protected]%uK(%s),tegrapart=gpt_sector=%d Unable to query partition %s
%s:%x:%x:%x%cmodem_id=%d androidboot.carrier=wifi-only bootloader_ver=%s gpt %s: Fail set unlock mode!
%s: Successfully %s the device!
%s: Error occured while %s the device ...
%s: Error e = 0x%x
Do not support in ACER T20 Projects
MSM-RADIO-UPDATE
Unsupported binary in blob
Start Updating %s
failed-update-%s
End Updating %s
failed-updateboot-recoverySignature length wrong!!!! %d
data length wrong!!!! %d
Clearing useless bytes ...
Not legal!!!!!!! abort
Warning: The blob package is not official ~ Abort!
blob update failed
vendor/nvidia/tegra/prebuilt_t20/../core/system/nvaboot/nvaboot.cPassedFailedClearSBKTest: %s
LockSSKTest: SSK = Zero
LockSSKTest: LockSSK %s
Jumping to kernel at:%d ms
EFI PARTFastboot: Unlock mode, Clear SSK!!!
SetPartitionToVerify failed. NvError %u NvStatus %u
GetSecondaryBootDevice failed. NvError %u NvStatus %u
LoadPartitionTable failed. NvError %u NvStatus %u
AllocateState failed. NvError %u NvStatus %u
nverror:0x%x (0x%x)
GetBct failed. NvError %u NvStatus %u
DownloadBct failed. NvError %u NvStatus %u
SetBlHash failed. NvError %u NvStatus %u
UpdateBct failed. NvError %u NvStatus %u
SetDevice failed. NvError %u NvStatus %u
StartPartitionConfiguration failed. NvError %u NvStatus %u
EndPartitionConfiguration failed. NvError %u NvStatus %u
FormatPartition failed. NvError %u NvStatus %u
Start Downloading %s
UpdateBlInfo failed. NvError %u NvStatus %u
End Downloading %s
QueryPartition failed. NvError %u NvStatus %u
CreatePartition failed. NvError %u NvStatus %u
ReadPartition failed. NvError %u NvStatus %u
RawReadPartition failed. NvError %u NvStatus %u
RawWritePartition failed. NvError %u NvStatus %u
SetBootPartition failed. NvError %u NvStatus %u
ReadPartitionTable failed. NvError %u NvStatus %u
DeleteAll failed. NvError %u NvStatus %u
Obliterate failed. NvError %u NvStatus %u
OdmOptions failed. NvError %u NvStatus %u
Error in memory allocation
FuelGaugeFwUpgrade failed. NvError %u NvStatus %u
sdram validation can not be done at bootloader level
OdmCommand failed. NvError %u NvStatus %u
Sync failed. NvError %u NvStatus %u
VerifySignature failed. NvError %u NvStatus %u
ReadVerifyData failed. NvError %u NvStatus %u
VerifyPartition failed. NvError %u NvStatus %u
SetTime failed. NvError %u NvStatus %u
DownloadPartition failed. NvError %u NvStatus %u
FormatAll failed. NvError %u NvStatus %u
LocatePartitionToVerify failed. NvError %u NvStatus %u
Error PT partition format sector start=%d, count=%d
Format partition %s PT%s: Error BCT handle!
%s: Version = %x
%s: Version = 0x%x
Bct read verify failed
Error Bct Verify: NO valid Bct found lost+foundNvDdkDispSetWindowSurface/ controller: %d window: %d count: %d
surface: 0
tiledpitchsurface width: %d height: %d Bpp: %d layout: %s
NvDdkDispSetMode/ controller: %d
width: %d height: %d bpp: %d refresh: %d frequency: %d flags: 0x%x
NvDdkDispSetMode/ null mode
NTSC/PAL1WIN3WIN_AC2WIN_A2WIN_Cdisplay %d isn't clocked
Error when writing data
Error on clock en!!! Set to Tx_only mode!!!
ByPassHdmiDll/sys/firmware/fuse/kfuse_rawlibnvodm_hdmiNvOdmDispHdmiI2cTransactionNvOdmDispHdmiI2cOpenNvOdmDispHdmiI2cCloseNvOdmDispHdcpIsRevokedKsvlibnvodm_tvoNvOdmDispTvoGetGlobNvOdmDispTvoReleaseGlobNo SmartDimmer activity has been recorded.
Constant Values:
SD_LUT = R_LUT G_LUT B_LUT
%d: 0x%02x 0x%02x 0x%02x
SD_BL_TF = PT_0 PT_1 PT_2 PT_3
%d: 0x%02x 0x%02x 0x%02x 0x%02x
Total SD3 activities count: %d
Entry(%d) Info:
SD_CONTROL = 0x%08X
SD_BL_CONTROL = 0x%08X
SD_CSC_COEFF = 0x%08X
SD_FLICKER_CONTROL = 0x%08X
SD_PIXEL_COUNT = 0x%08X
SD_BL_PARAMETERS = 0x%08X
SD_HW_K_VALUES = 0x%08x
SD_HISTOGRAM = BIN_0 BIN_1 BIN_2 BIN_3
Input Backlight Intensity = %d
Output Backlight Intensity = %d
PWM frequence = %4.2f, SD percentage = %4.2f
JEDEC
Calling simple log2 with value which is not power of 2
Failed Ddk Rd. Bad block
Failed Ddk Wr. Bad block
Failed Ddk Erase. Bad block
Failed Ddk Cpybk. Bad block
Failed Ddk unknown Operation. Bad block Error code=0x%x at chip=%d,block=%d
DDK_Ers:dev = %d, number of blks = %d
Chip: %d, Page = %d, blk = %d
NandRead Error: Number of Pages=%d < interleave count=%d
Ecc.Err pgoffset: %d, status: 0x%x
Ecc.Err in Tag pgoffset: %d, status: 0x%x
Chip: %d, Page = %d
-MAINTAG
DDK_Rd:dev = %d, %s + %s, number_of_pages = %d
DDK_Cpbk:Srcdev = %d, Dstdev = %d, number_of_pages = %d
SrcChip: %d, Page = %d, blk = %d
DstChip: %d, Page = %d, blk = %d
DDK_Write:device = %d, %s + %s, number_of_pages = %d
Factory Bad block: Chip%u Block=%u
Runtime Bad block: Chip%u Block=%u,RTB=0x%x
Scan for Region table blocks: Chip=%u, Block=%u Bad
Marking Runtime Bad block: Chip%u Block=%u
Block driver mark bad failed at Chip=%d, Block=%d
Erase Partition Error: failed to erase block chip=%d,blk=%d
Nand block driver: Write Error = 0x%x, PartId=%u, , Write: start=0x%x, sector count=0x%x
Nand block driver: Read Error = 0x%x, PartId=%u, Read: start=0x%x, sector count=0x%x
Possible forced region table load
Region Table copy at CurrBlockNum %u is probably corrupt
Device Bad block table:
{%u, %d},
Device has %d bad blocks
Error Nand block driver Load Region table call failed for part-id=%d, error code=%d
Global Nand Interleave count = %u
Error: NandUtilGetRegionEntry failed for part Id=%d
Partitions in region table: Id=%d
FTL open for partition=%d failed,code=%d
Nand Block dev open failed error 0x%x
Physical Rd/Wr on block error: req=%d,actual=%d
Bad block during Rd/Wr physical found at: Chip=%d, Block=%d
Block dev Physical Ioctl failed. Marking Chip=%d,Blk=%d
Unable to Erase Nand starting block 0x%x
Nand Block driver map logical2physical failed BlockNum=%d, DeviceNum=%d, CurrPhysBlk=%d
Error: Failed to map logical block=%d in entire Nand.
Error: As Region table is bigger than 1 sector size. Need to change Load Region table logic
Unable to Erase Nand chip=%d,block=%d
Partition %d - number of physical blocks = %d
Error: Unable to find requested blocks on Nand: req=%d,found=%d
Invalid value for PercentReserved = %d [should not exceed]%d, setting PercentReserved = %d
Insufficient space, cannot create partition
PartId %u: LB[%u %u] PB[%u %u] IL%u LS[%u %u]
Abs PartId %u: LB[%u %u] PB[%u %u] IL%u
Last Abs PartId %u: LS[%u %u] PartId %u: LB[%u %u] PB[%u %u] IL%u
Abs ** PartId %u: LS[%u %u]
Data mismatch in Copy of Region Table at BlockNum %d
Erase failed. Get Physical Sectors failed for logical start=%d,stop=%d
Erase Partition part-id=%d: Start=%d,End=%d NvDdkBlockDevIoctlType_DisableCacheNvDdkBlockDevIoctlType_EraseLogicalSectorsNvDdkBlockDevIoctlType_QueryFirstBootNvDdkBlockDevIoctlType_DefineSubRegionNvDdkBlockDevIoctlType_WriteVerifyModeSelectNvDdkBlockDevIoctlType_AllocatePartitionNvDdkBlockDevIoctlType_PartitionOperationNvDdkBlockDevIoctlType_ReadPhysicalSectorNvDdkBlockDevIoctlType_WritePhysicalSectorNvDdkBlockDevIoctlType_QueryPhysicalBlockStatusNvDdkBlockDevIoctlType_ErasePhysicalBlockNvDdkBlockDevIoctlType_LockRegionNvDdkBlockDevIoctlType_MapLogicalToPhysicalSectorNvDdkBlockDevIoctlType_FormatDeviceNvDdkBlockDevIoctlType_GetPartitionPhysicalSectorsNvDdkBlockDevIoctlType_IsGoodBlockNvDdkBlockDevIoctlType_UnprotectAllSectorsNvDdkBlockDevIoctlType_ProtectSectors
Nand Block dev ioctl opcode=%s error 0x%x
Save Region Table copy %u at CurrBlockNum %u
ftllite mark bad: chip=%d blk=%d
ftllite mark bad erase fail error=0x%x : chip=%d blk=%d
Ftl Lite bad block mark failed at Chip=%d, Block=%d
EraseAllBlocks: GetBlockInfo error=0x%x @ chip=%d,blk=%d
EraseAllBlocks: factory bad block @ chip=%d,blk=%d
EraseAllBlocks: runtime bad block @ chip=%d,blk=%d
Bad block in pba2lba ftlite map: chip=%d, blk=%d
Fatal error in pba2lba ftllite: line%d,lba=%d, startlba=%d chip=%d blk=%d
sparebuf[0]=0x%x, factory good=%d
Erasing block at chip=%d, blk=%d
continuing mapping erased blk
Erase partition error: start arg=%d, start log blk=%d
Erase partition error: count arg=%d, erase size=%d
Ftllite erase logical failed: blk start=%d,end=%d
Replace block=%d in chip=%d for read failure
New Block at: chip=%d,block=%d
Partition sequential read type: read failure at chip=%d, blk=%d
Error in FtlLitePrivCreatePba2LbaMapping: e=0x%x
Write called without PBA mapping info: chip=%d,lba=%d
Data area read verification failed in FTL Lite at Chip=%d,Blk=%d,Pg=%d
FTL Lite Read Verify error code=0x%x
Wr Error: 0x%x, Replace ftl lite bad block, PbaIndex=%d,Chip=%d,Block=%d,StartPg=%d,PgCount=%d
Rd verify error: 0x%x, Replace ftl lite bad block, PbaIndex=%d,Chip=%d,Block=%d,StartPg=%d,PgCount=%d
Replaced mapped block for lba=%d: old=%d new pba=%d
Factory bad block at chip=%d blk=%d:
Runtime bad block at chip=%d blk=%d:
Error: exhausted spare blocks toreplace lba=%d
finished remapping till index=%d out of total blocks=%d
used spare blocks=%d
Error: Unable to replace blocks with spare blocks for %d blocks
Error in FTL Lite write
RETURNING ERROR FROM NvNandWriteSector TL error=%u,Sector Start=0x%x,Count=0x%x
RETURNING ERROR FROM NvNandReadSector TL error=%u,Sector Start=0x%x,Count=0x%x
RETURNING ERROR FROM NvNandOpen
Error: trying cached read past page limits
512B Read: Page=%d, within page sector in page=%d, sector count=%d
Error: 512B buffer allocate failed earlier
Error: trying cached write past page limits
Error: failed to allocate buffer for 512B sector support
Alloc memory failed
TLvalidate FAIL1 sector offset=0x%x,count=0x%x,sectorsPerRow=%u
TLvalidate FAIL2, Interleave bank Pgs[ %d ]
TLvalidate FAIL3
TLvalidate FAIL4
TLvalidate FAIL5 page[0]=0x%x,Reqd rows=0x%x
TLEraseAll fail BtlGetPba: Chip=%d,Block=%d
GetBlock info failed: Chip=%d, Blk=%d
Marking Bad block failed forChip=%d Block=%d
Found Bad block Chip=%d Block=%d
Factory Bad: 0x%x, Run-time bad marker: 0x%x
Interleave2PhysicalPg fail1: illegal page
Interleave2PhysPg fail2: illegal device
Ddk Read error code=0x%x
In NandTLGetBlockInfo Error = 0x%x
NandTL_INVALID_ARGUMENT3
NandTL_INVALID_ARGUMENT4
NandTL_INVALID_ARGUMENT5
NandTL_INVALID_ARGUMENT6
Error: No free Blk, Region[%d]=%d
Strategy Handle Error failed in Wr Status:%d,
TL write error=%u,sector start=0x%x,count=0x%x
NandTL_INVALID_ARGUMENT1
NandTL_INVALID_ARGUMENT2
TlRead failed Status:%d,
TL read error=%u,sector start=0x%x,count=0x%x
Region=%d SD Erase start 512B-sector=%d,512B-sector-num=%d
LCM of %d and %d =%d
Part-id=%d size from %d sectors by %d sectors
SD Alloc Partid=%d, start sector=%d,num=%d NvDdkBlockDevIoctlType_ErasePartitionNvDdkBlockDevIoctlType_VerifyCriticalPartitionsUnknownIoctl
Inst=%d, SD ioctl %s failed: error code=0x%x SPIF ERROR: SpifOpen failed..
SPIF ERROR: Trying to read more than SPI flash device size..
SPIF ERROR: Trying to program more than SPI flash device size..
SPIF ERROR: Trying to erase more than chipsize NumberOfSectors[0x%x] TotalBlocks[0x%x]
SPIF ERROR: Trying to erase more than chipsize NumberOfBlocks[0x%x] TotalBlocks[0x%x]
SPIF ERROR: Illegal block driver Ioctl..
SPIF ERROR: SpifBlockDevIoctl failed error[0x%x]..
Inst=%d, SPI Flash ioctl %s failed: error code=0x%x Trying to close driver without open
SPIF ERROR: NvDdkSpifBlockDevInit failed error[0x%x]..
Error SD clear skip blocks - sector=%d
Skipping SD erase of prefix %d blocks from %d
Skipping SD erase of suffix %d blocks from %d
Hsmmc Erase start sector=%d,num=%d
Hsmmc Alloc Partid=%d, start sector=%d,num=%d
NvNandHandle: FtlStartLba=%d, FtlEndLba=%d FtlStartPba=%d, FtlEndPba=%d pBlocks[%d ] prevBlocks[]
TrackLba[%d]: lba=%d, %s
Misc start
NumOfBanksOnBoard = %d
NoOfILBanks = %d
PhysBlksPerBank = %d
ZonesPerBank = %d
PhysBlksPerZone = %d
PhysBlksPerLogicalBlock = %d
TotalLogicalBlocks = %d
TotEraseBlks = %d
NumOfBlksForTT = %d
PgsRegForTT = %d
TtPagesRequiredPerZone = %d
NumOfBlksForTAT = %d
BlksRequiredForTT = %d
PgsAlloctdForTT = %d
ExtraPagesForTTMgmt = %d
LastTTPageUsed = %d
CurrentTatLBInUse = %d
bsc4PgsPerBlk = %d
Misc end
TAT Handler start
tatBlocks[%d] bank = %d, block = %d
ttBlocks[%d] bank = %d, block = %d
tat Block bank = %d, block = %d
TtAllocBlk[%d] bank = %d, block = %d
lastUsedTTBlock bank = %d, block = %d
TAT Handler end
++++++++++++++++++
TT 32-bit entry format in dump :
=============
Region: b31-b30
BlockNotUsed: b29
BlockGood: b28
DataReserved: b27
SystemReserved: b26
TatReserved: b25
TtReserved: b24
PhysBlkNum: b23-b0
============
Dumping page %d
**SuperBlock %d
*0x%08X [%d] [SYS-RSVD]
*0x%08X [%d] [ ^^^ FREE BLK ] Region%d
*0x%08X [%d] [ USED BLK ] Region%d
*0x%08X [%d] [*** BAD BLK ***]
Total=%u,Free=%u,Bad=%u,Reserve Data=%u,System=%u,Tat=%u,Tt=%u,Illegal=%u,Region0=%u,Region1=%u,Region2=%u,Region3=%u
No free blocks Available- find out the reason, bank = %d
[Strategy] Erase Failed
Bad Block found at LBA %d
Marked blk bad bank = %d, block = %d Rev = %d lba = %d
TAT write failed page = %d, bank = %d, block = %d Rev = %d lba = %d WriteOnlyHeader = %d
NO FREE TAT BLOCKS AVAILABLE
writing to TAT blocks failedInvalid percent reserved value = %d, should not exceed%d, setting it to %d
[Nand_Strategy] Failed to mark PBAs BAD
**** Fail: Invalid Case ****
Not Expected to come here
NvError_NandNoFreeBlock1
Error: NandStrategyGetSectorPageToWrite InTracking case, No Page
Error: NandStrategyGetSectorPageToWrite GetPBA case, No Page
NvError_NandNoFreeBlock2
GetNewPBA failed Sts: 0x%x in GetSectorPage2Write #2
Error: NandStrategyGetSectorPageToWrite PBA assigned already case, No Page Crypto Engine Disabled, Returning IOCTL
AES DDK Unsupported IOCTL COMMAND
Invalidate-only cache maint not supported in NvOs
NVRM Initialized shmoo database
NVRM Got shmoo boot argument (at 0x%x)
ActiveIdleAutoHwRM power state before suspend: %s (%d)
Active Module: 0x%x*** Wakeup from LP0 ***
*** Wakeup from LP1 ***
*** Wakeup after Skipped LP0 ***
DTT: TMON initialization failed
DTT: T = %d, Range = %d (%d : %d)
DVFS set core at %dmV
Clock control balance failed for module %d, instance %d
ADJUSTED CLOCKS:
MC clock is set to %6d KHz
EMC clock is set to %6d KHz (DDR clock is at %6d KHz)
PLLX0 clock is set to %6d KHz
PLLC0 clock is set to %6d KHz
CPU clock is set to %6d KHz
System and AVP clock is set to %6d KHz
GraphicsHost clock is set to %6d KHz
3D clock is set to %6d KHz
2D clock is set to %6d KHz
Epp clock is set to %6d KHz
Mpe clock is set to %6d KHz
Vde clock is set to %6d KHz
NVRM CLOCKS: PLLX0: %d Khz
NVRM CLOCKS: PLLM0: %d Khz
NVRM CLOCKS: PLLC0: %d Khz
NVRM CLOCKS: PLLP0: %d Khz
NVRM CLOCKS: PLLA0: %d Khz
NVRM CLOCKS: CPU: %d Khz
NVRM CLOCKS: AVP: %d Khz
NVRM CLOCKS: System Bus: %d Khz
NVRM CLOCKS: Memory Controller: %d
NVRM CLOCKS: External Memory Controller: %d
ODM CPU freq request beyond SOC limit
GPUHandheldBrChipsCrushMCPCkVaioHandheld SOCSimulation Chip: 0x%x
FPGAQuickTurnEmulation (%s) Chip: 0x%x Netlist: 0x%x Patch: 0x%x
Chip Id: 0x%x (%s) Major: 0x%x Minor: 0x%x SKU: 0x%x
pNV_CFG_RMC_FILENV_CFG_CHIPLIBNV_CFG_CHIPLIB_ARGSSECURITY_VIOLATION DecErrAddress=0x%x SECURITY_VIOLATION DecErrStatus=0x%x EMEM DecErrAddress=0x%x EMEM DecErrStatus=0x%x GART DecErrAddress=0x%x GART DecErrStatus=0x%x DTT: Invalid Range = %d
Err in I2c transfer: Controller Status 0x%08x
AP20 Master I2c Isr got unwanted interrupt IntStatus 0x%08x
I2c slave rx buffer filled
%s(): Slave is not started
%s(): No space in Tx fifo
%s(): Slave is already started
I2cSlaveIsr(): Illegal transfer at this point
AP20 Slave I2c Isr got unwanted interrupt IntStatus 0x%08x
ARB EMEM Interrupt occurredSMMU DecErrAddress=0x%x SMMU DecErrStatus=0x%x QueryIface_CQueryIfacebogusOBS bus modID 0x%x index 0x%x = value 0x%xLLC Client %d Count: 0x%.8X, %u
LLC Client %d Clocks: 0x%.8X, %u
Client %.3d Count: 0x%.8X, %u
Total MC Clocks: 0x%.8X, %u
AXI DecErrAddress=0x%x AXI DecErrStatus=0x%x NvRmChannelSubmit failed (err = %d, SyncPointValue = %d)
Output FIFO does not refill, context read is stuck.Error> DSI Panel Initialization Failed
Error> DSI Panel Suspend Failed
ERROR: GPIO_PCF50626_I2cWrite8() failed.
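The string comparison asked for in the reply that follows, as an added example (not code from any poster in this thread): it pulls NUL-terminated strings with their offsets out of two bootloader images and lists the lock- and verification-related strings that only the newer image contains. The two images are constructed inline from a few strings in the dumps on this page; the 4-byte header, the NUL placement and the keyword list are assumptions.

```python
import re

# Assumed keyword list: substrings that mark lock-state or image-verification
# messages in the string dumps quoted on this page.
KEYWORDS = ("lock", "secure", "signature", "verif", "official")


def extract_strings(blob: bytes, min_len: int = 4):
    """Return [(offset, text)] for every run of printable ASCII >= min_len bytes.

    NUL terminators and newlines end a run, so each C string comes out on its
    own instead of fused with its neighbour.
    """
    run = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in run.finditer(blob)]


def only_in_new(old_blob: bytes, new_blob: bytes, min_len: int = 4):
    """Strings found in new_blob but not in old_blob, in offset order."""
    old = {text for _, text in extract_strings(old_blob, min_len)}
    seen, added = set(), []
    for offset, text in extract_strings(new_blob, min_len):
        if text not in old and text not in seen:
            seen.add(text)
            added.append((offset, text))
    return added


def security_relevant(entries):
    """Keep only entries whose text contains one of KEYWORDS (case-insensitive)."""
    return [(o, t) for o, t in entries if any(k in t.lower() for k in KEYWORDS)]


def build_image(strings):
    """Constructed stand-in for a bootloader image: 4 non-text bytes + C strings."""
    return b"\xea\x00\x00\x0b" + b"".join(s.encode("ascii") + b"\x00" for s in strings)


# Constructed sample data: strings copied from the two dumps on this page.
OLD_IMAGE = build_image([
    "Magic value mismatch: %c%c%c%c%c%c%c%c",
    "Entering Acer Download Mode",
    "Erasing Userdata...\n",
    "Booting recovery kernel image\n",
])
NEW_IMAGE = build_image([
    "Magic value mismatch: %c%c%c%c%c%c%c%c",
    "Erasing Userdata...\n",
    "HW version 0x%x\n",
    "lock",
    "Fastboot: Device is already locked! Abort ...\n",
    "unlock",
    "%s: LockMode verified ok!\n",
    "whole-file signature verified against key %d\n",
    "Booting recovery kernel image\n",
])

if __name__ == "__main__":
    for offset, text in security_relevant(only_in_new(OLD_IMAGE, NEW_IMAGE)):
        print(f"0x{offset:06x}  {text}")
```

Run against real dumps by reading each file with `open(path, "rb").read()` in place of the constructed images; stripping the NUL bytes first fuses neighbouring strings, as in `lockFastboot: Device is already locked!`.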
Thanks gh123man.
Can you also try to extract the strings in the original bootloader that itsmagic works on for comparison?
namely the cmdline part which is this from the ics one
Code:
tegraid=%x.%x.%x.%x.%x.%s mem=%[email protected]%uM vmalloc=%uM androidboot.serialno=%08x%08x video=tegrafb console=ttyS0,115200n8 debug_uartport=lsport console=none debug_uartport=hsport usbcore.old_scheme_first=1 lp0_vec=%[email protected]%x tegra_fbmem=%[email protected]%x brand=acer target_product=%s a500_ww_gen1max_cpu_cur_ma=%d core_edp_mv=%d pmuboard=0x%04x:0x%04x:0x%02x:0x%02x:0x%02x displayboard=0x%04x:0x%04x:0x%02x:0x%02x:0x%02x power_supply=Adapter power_supply=Battery audio_codec=%s cameraboard=0x%04x:0x%04x:0x%02x:0x%02x:0x%02x upnosmp usbroot=/dev/nfs ip=:::::usb%c:on rw netdevwait ethroot=/dev/nfs ip=:::::eth%c:on rw netdevwait sdroot=/dev/sd%c%c rw rootwait mmchdroot=/dev/mmchd%c%c%c rw rootwait mtdblockroot=/dev/mtdblock%c rw rootwait mmcblkroot=/dev/mmcblk%c%c%c rw rootwait Unrecognized root device: %s
root=/dev/sda1 rw rootwait tegraboot=nand tegraboot=nor tegraboot=emmc tegraboot=sdmmc mtdparts=tegra_nand:mtdparts=tegra_nor:%[email protected]%uK(%s),tegrapart=gpt_sector=%d Unable to query partition %s
%s:%x:%x:%x%cmodem_id=%d androidboot.carrier=wifi-only bootloader_ver=%s gpt %s: Fail
drellisdee said:
Thanks gh123man.
Can you also try to extract the strings in the original bootloader that itsmagic works on for comparison?
namely the cmdline part which is this from the ics one
Code:
tegraid=%x.%x.%x.%x.%x.%s mem=%[email protected]%uM vmalloc=%uM androidboot.serialno=%08x%08x video=tegrafb console=ttyS0,115200n8 debug_uartport=lsport console=none debug_uartport=hsport usbcore.old_scheme_first=1 lp0_vec=%[email protected]%x tegra_fbmem=%[email protected]%x brand=acer target_product=%s a500_ww_gen1max_cpu_cur_ma=%d core_edp_mv=%d pmuboard=0x%04x:0x%04x:0x%02x:0x%02x:0x%02x displayboard=0x%04x:0x%04x:0x%02x:0x%02x:0x%02x power_supply=Adapter power_supply=Battery audio_codec=%s cameraboard=0x%04x:0x%04x:0x%02x:0x%02x:0x%02x upnosmp usbroot=/dev/nfs ip=:::::usb%c:on rw netdevwait ethroot=/dev/nfs ip=:::::eth%c:on rw netdevwait sdroot=/dev/sd%c%c rw rootwait mmchdroot=/dev/mmchd%c%c%c rw rootwait mtdblockroot=/dev/mtdblock%c rw rootwait mmcblkroot=/dev/mmcblk%c%c%c rw rootwait Unrecognized root device: %s
root=/dev/sda1 rw rootwait tegraboot=nand tegraboot=nor tegraboot=emmc tegraboot=sdmmc mtdparts=tegra_nand:mtdparts=tegra_nor:%[email protected]%uK(%s),tegrapart=gpt_sector=%d Unable to query partition %s
%s:%x:%x:%x%cmodem_id=%d androidboot.carrier=wifi-only bootloader_ver=%s gpt %s: Fail
Sure, I'll have it up ASAP.
Edit:
up. see next post
I have uploaded the archive with nvflash and some instructions on using it with A500. This is only intended for hardcore geeks who know how ARM boots. Be careful - while you can't really brick tegra2 (since it has a minimal usb-capable bootloader in the OTP area), you can screw up things and it will be quite hard to force the tablet to boot in some cases due to stupid security checks.
You can use this to download any bootloader/recovery/linux you want. That will help us with porting uboot. Someone may even write an automated tool for reflashing bootloaders and unbricking tablets..
http://www.mediafire.com/?pp97x9aahs58hzp
Let me just copy-paste the README from the archive here.
1. First, generate your sbk with http://vache-android.com/v1/index.php?site=sbk
2. Then, get a hold of mmcblk0 start sectors (at least 4KB) and copy it to mmcblk0_start
3. run the ./rip_bct.sh script and supply it with your SBK to rip BCT (boot config table. contains ram timings among other things)
4. run ./download.sh to connect nvflash to iconia (do it in APX mode). Note that you also need to supply your SBK here, but not as a long single number, but as it is displayed on the website
5. You can now play with nvflash - for example, read partitions, partition table and write your own flash_ic.cfg with partition layout
6. If you flash linux/recovery, make sure to update the magic values (like itsmagic does).
To do it, first download the 12th partition (AKB)
then, in the akb.bin, at address 0x84, replace 4 16-byte entries with the same pattern
"00 FB 30 94 99 01 4F 97 2E 4C 2B A5 18 6B DD 06"
ok, you need to patch the file once and can use it in further flashing. Just upload it to the device (like sign.sh does)
POTENTIAL PITFALLS. Listen up, I ain't gonna help you if you eff up here.
1. You must use BCT from your device. Otherwise, the bootloader will not boot.
You will still be able to use NVFLASH, but until you dump your own BCT and use it
with NVFLASH, the device will not be booting again
2. If you use the ./iconia_boot.bin that differs from the bootloader on your
device, the device will get stuck in the APX mode after a reboot. If you do it,
flash the new ./iconia_boot.bin to the device (to the partition 4).
The archive contains several bootloaders to play with - ./iconia_boot.bin is from
Honeycomb, iirc, ./ics_boot.bin is from ICS, obviously and ./tf101_boot.bin is
from transformer tf101
---------- Post added at 11:56 PM ---------- Previous post was at 11:42 PM ----------
Sorry for another off-topic post. If any of the devs is interested
Here is the uboot binary http://www.mediafire.com/?1zb2zc163tla8cj
And here is the linux kernel version 3.0 in the uboot image format http://www.mediafire.com/?j8fddkbm5fdsuu4
You can create vfat partition on the micro sd (/dev/mmcblk1p1) and copy the uImage there
The bootloader only supports booting from microsd now. The precompiled kernel tries to mount ubuntu rootfs on /dev/mmcblk1p2 and boot it.
drellisdee said:
Thanks gh123man.
Can you also try to extract the strings in the original bootloader that itsmagic works on for comparison?
namely the cmdline part which is this from the ics one
Code:
tegraid=%x.%x.%x.%x.%x.%s mem=%[email protected]%uM vmalloc=%uM androidboot.serialno=%08x%08x video=tegrafb console=ttyS0,115200n8 debug_uartport=lsport console=none debug_uartport=hsport usbcore.old_scheme_first=1 lp0_vec=%[email protected]%x tegra_fbmem=%[email protected]%x brand=acer target_product=%s a500_ww_gen1max_cpu_cur_ma=%d core_edp_mv=%d pmuboard=0x%04x:0x%04x:0x%02x:0x%02x:0x%02x displayboard=0x%04x:0x%04x:0x%02x:0x%02x:0x%02x power_supply=Adapter power_supply=Battery audio_codec=%s cameraboard=0x%04x:0x%04x:0x%02x:0x%02x:0x%02x upnosmp usbroot=/dev/nfs ip=:::::usb%c:on rw netdevwait ethroot=/dev/nfs ip=:::::eth%c:on rw netdevwait sdroot=/dev/sd%c%c rw rootwait mmchdroot=/dev/mmchd%c%c%c rw rootwait mtdblockroot=/dev/mtdblock%c rw rootwait mmcblkroot=/dev/mmcblk%c%c%c rw rootwait Unrecognized root device: %s
root=/dev/sda1 rw rootwait tegraboot=nand tegraboot=nor tegraboot=emmc tegraboot=sdmmc mtdparts=tegra_nand:mtdparts=tegra_nor:%[email protected]%uK(%s),tegrapart=gpt_sector=%d Unable to query partition %s
%s:%x:%x:%x%cmodem_id=%d androidboot.carrier=wifi-only bootloader_ver=%s gpt %s: Fail
Here is the string section of the original bootloader, pulled from the tar.gz thanks to sp3dev.
Code:
UnknownChecking for RCK.. press any key in 5 sec
HarmonyTangoWhistlerVentana
Assert on %s:%d: %s
Assert on %s:%d
Signal %d raised!
vendor/nvidia/proprietary_src/prebuilt/../core/utils/nvos/aos/nvap/nvos_aos_gcc.cvendor/nvidia/proprietary_src/prebuilt/../core/utils/nvos/aos/nvap/nvos_aos_libc.c0123456789abcdefghijklmnopqrstuvwxyz**********Aos DebugSemiHosting Initialized*******
GetSkuId ************ * ************* ************* * * * * * * * * * * ** ** * * * * ** ** ************ * * * * *********** *********** ************ ************ * ************* ************ ************ * * * * * * * * * * * * * * * * * * ************** **************recovery
--update_package=SDCARD:update.zip
Erasing Cache before SD update...
CACMSCSD update cmd:%s
[%s] read gpio OK, a6=%d b5=%d a3=%d
[%s] read gpio FAIL, a6=%d b5=%d a3=%d
AKBANDROID!vendor/nvidia/proprietary_src/prebuilt/../core/system/fastboot/main.cMagic value mismatch: %c%c%c%c%c%c%c%c
%s
Failed to setup warmboot args %x
Failed to set shmoo boot argument
HarmonyVentanaCritical failure: Unable to start kernel.
Load OS now via JTAG backdoor....
TEGRA_PMC_BASE::PMC_CNTRL_0 = 0x%x
FIX TEGRA_PMC_BASE::PMC_CNTRL_0 = 0x%x
Entering Acer Download Mode
LNXFactoryResetErasing Userdata...
UDAErasing Cache...
FOTAVolume up pressed.
Volume down pressed.
SOSBooting recovery kernel image
Unrecoverable bootloader error (0x%08x).
miscrecoverybootsystemAPPcachestagingUSPuserdatabcttableBCTbootloaderEBTubuntuUBNmbrMBRUse scroll wheel or keyboard for movement and selection
Neither Scroll Wheel nor Keyboard are detected ...Booting OS
Checking for RCK.. press <Enter> in 5 sec to enter RCK
Press <Enter> to select, Arrow key (Left, Right) for selection move
Key driver not found.. Booting OS
Checking for RCK.. press key <Menu> in 5 sec to enter RCK
Press <Menu> to select, Home(Left) and Back(Right) for selection move
Checking for RCK.. press any key in 5 sec to enter RCK
Press scroll wheel to select, Scroll for selection move
Scroll wheel not found.. Booting OS
Press <Wake> to select, Home(Left) and Back(Right) for selection move
nvmem=%[email protected]%uM mem=%[email protected] vmalloc=%uM video=tegrafb console=ttyS0,115200n8 console=none usbcore.old_scheme_first=1 lp0_vec=%[email protected]%x upnosmp usbroot=/dev/nfs ip=:::::usb%c:on rw ethroot=/dev/nfs ip=:::::eth%c:on rw sdroot=/dev/sd%c%c rw rootdelay=15 mmchdroot=/dev/mmchd%c%c%c rw rootdelay=1 mtdblockroot=/dev/mtdblock%c rw rootdelay=15 mmcblkroot=/dev/mmcblk%c%c%c rw rootdelay=15 Unrecognized root device: %s
root=/dev/sda1 rw rootdelay=15 tegraboot=nand tegraboot=emmc tegraboot=sdmmc board_info=%x:%x:%x:%x:%x mtdparts=tegra_nand:%[email protected]%uK(%s),tegrapart=%s:%x:%x:%x%cUnable to query partition %s
gpt MSM-RADIO-UPDATEboot-recoveryupdatefailed-updateinvalid-updatefailed-update-%sokayWQ02824SATMA1278vendor/nvidia/proprietary_src/prebuilt/../core/system/nvaboot/nvaboot.cEFI PARTakb4820110311jeqNULLSecure boot: image %s checksum fail!nverror:0x%x (0x%x)
Error PT partition format sector start=%d, count=%d
Format partition %s PT
Bct read verify failed
Error Bct Verify: NO valid Bct found lost+foundNvDdkDispSetWindowSurface/ controller: %d window: %d count: %d
surface: 0
tiledpitchsurface width: %d height: %d Bpp: %d layout: %s
NvDdkDispSetMode/ controller: %d
width: %d height: %d bpp: %d refresh: %d frequency: %d flags: 0x%x
NvDdkDispSetMode/ null mode
NTSC/PAL1WIN3WIN_AC2WIN_A2WIN_Cdisplay %d isn't clocked
ByPassHdmiDlllibnvodm_hdmiNvOdmDispHdmiI2cTransactionNvOdmDispHdmiI2cOpenNvOdmDispHdmiI2cCloseNvOdmDispHdcpIsRevokedKsvlibnvodm_tvoNvOdmDispTvoGetGlobNvOdmDispTvoReleaseGlob====== Register Dump Start =========
Start command count=0x%x
NAND_COMMAND = 0x%8.8x
NAND_STATUS = 0x%8.8x
NAND_ISR = 0x%8.8x
NAND_IER = 0x%8.8x
NAND_CONFIG = 0x%8.8x
NAND_TIMING = 0x%8.8x
NAND_RESP = 0x%8.8x
NAND_TIMING2 = 0x%8.8x
NAND_CMD_REG1 = 0x%8.8x
NAND_CMD_REG2 = 0x%8.8x
NAND_ADDR_REG1 = 0x%8.8x
NAND_ADDR_REG2 = 0x%8.8x
NAND_DMA_MST_CTRL = 0x%8.8x
NAND_DMA_CFG.A = 0x%8.8x
NAND_DMA_CFG.B = 0x%8.8x
NAND_FIFO_CTRL = 0x%8.8x
NAND_DATA_BLOCK_PTR = 0x%8.8x
NAND_TAG_PTR = 0x%8.8x
NAND_ECC_PTR = 0x%8.8x
NAND_DEC_STATUS = 0x%8.8x
NAND_HWSTATUS_CMD = 0x%8.8x
NAND_HWSTATUS_MASK = 0x%8.8x
NAND_LL_CONFIG = 0x%8.8x
NAND_LL_PTR = 0x%8.8x
NAND_LL_STATUS = 0x%8.8x
====== Register Dump End ===========
Calling simple log2 with value which is not power of 2
Failed Ddk Rd. Bad block
Failed Ddk Wr. Bad block
Failed Ddk Erase. Bad block
Failed Ddk Cpybk. Bad block
Failed Ddk unknown Operation. Bad block Error code=0x%x at chip=%d,block=%d
NandRead Error: Number of Pages=%d < interleave count=%d
Ecc.Err pgoffset: %d, status: 0x%x
Ecc.Err in Tag pgoffset: %d, status: 0x%x
Chip: %d, Page = %d
-MAINTAG
DDK_Rd:dev = %d, %s + %s, number_of_pages = %d
Chip: %d, Page = %d, blk = %d
DDK_Cpbk:Srcdev = %d, Dstdev = %d, number_of_pages = %d
SrcChip: %d, Page = %d, blk = %d
DstChip: %d, Page = %d, blk = %d
DDK_Write:device = %d, %s + %s, number_of_pages = %d
DDK_Ers:dev = %d, number of blks = %d
Factory Bad block: Chip%u Block=%u
Runtime Bad block: Chip%u Block=%u,RTB=0x%x
Scan for Region table blocks: Chip=%u, Block=%u Bad
Marking Runtime Bad block: Chip%u Block=%u
Block driver mark bad failed at Chip=%d, Block=%d
Erase Partition Error: failed to erase block chip=%d,blk=%d
Nand block driver: Write Error = 0x%x, PartId=%u, , Write: start=0x%x, sector count=0x%x
Nand block driver: Read Error = 0x%x, PartId=%u, Read: start=0x%x, sector count=0x%x
Possible forced region table load
Region Table copy at CurrBlockNum %u is probably corrupt
Device Bad block table:
{%u, %d},
Device has %d bad blocks
Error Nand block driver Load Region table call failed for part-id=%d, error code=%d
Global Nand Interleave count = %u
Error: NandUtilGetRegionEntry failed for part Id=%d
Partitions in region table: Id=%d
FTL open for partition=%d failed,code=%d
Nand Block dev open failed error 0x%x
Physical Rd/Wr on block error: req=%d,actual=%d
Bad block during Rd/Wr physical found at: Chip=%d, Block=%d
Block dev Physical Ioctl failed. Marking Chip=%d,Blk=%d
Unable to Erase Nand starting block 0x%x
Nand Block driver map logical2physical failed BlockNum=%d, DeviceNum=%d, CurrPhysBlk=%d
Error: Failed to map logical block=%d in entire Nand.
Error: As Region table is bigger than 1 sector size. Need to change Load Region table logic
Unable to Erase Nand chip=%d,block=%d
Partition %d - number of physical blocks = %d
Chip%d Block=%d bad
Error: Unable to find requested blocks on Nand: req=%d,found=%d
Invalid value for PercentReserved = %d [should not exceed]%d, setting PercentReserved = %d
Insufficient space, cannot create partition
PartId %u: LB[%u %u] PB[%u %u] IL%u LS[%u %u]
Abs PartId %u: LB[%u %u] PB[%u %u] IL%u
Last Abs PartId %u: LS[%u %u] PartId %u: LB[%u %u] PB[%u %u] IL%u
Abs ** PartId %u: LS[%u %u]
Data mismatch in Copy of Region Table at BlockNum %d
Erase failed. Get Physical Sectors failed for logical start=%d,stop=%d
Erase Partition part-id=%d: Start=%d,End=%d NvDdkBlockDevIoctlType_DisableCacheNvDdkBlockDevIoctlType_EraseLogicalSectorsNvDdkBlockDevIoctlType_QueryFirstBootNvDdkBlockDevIoctlType_DefineSubRegionNvDdkBlockDevIoctlType_WriteVerifyModeSelectNvDdkBlockDevIoctlType_AllocatePartitionNvDdkBlockDevIoctlType_PartitionOperationNvDdkBlockDevIoctlType_ReadPhysicalSectorNvDdkBlockDevIoctlType_WritePhysicalSectorNvDdkBlockDevIoctlType_QueryPhysicalBlockStatusNvDdkBlockDevIoctlType_ErasePhysicalBlockNvDdkBlockDevIoctlType_LockRegionNvDdkBlockDevIoctlType_MapLogicalToPhysicalSectorNvDdkBlockDevIoctlType_FormatDeviceNvDdkBlockDevIoctlType_GetPartitionPhysicalSectorsNvDdkBlockDevIoctlType_IsGoodBlock
Nand Block dev ioctl opcode=%s error 0x%x
Save Region Table copy %u at CurrBlockNum %u
Ftl Lite bad block mark failed at Chip=%d, Block=%d
New Block at: chip=%d,block=%d
Replace block=%d in chip=%d for read failure
Data area read verification failed in FTL Lite at Chip=%d,Blk=%d,Pg=%d
FTL Lite Read Verify error code=0x%x
Wr Error: 0x%x, Replace ftl lite bad block, PbaIndex=%d,Chip=%d,Block=%d,StartPg=%d,PgCount=%d
Rd verify error: 0x%x, Replace ftl lite bad block, PbaIndex=%d,Chip=%d,Block=%d,StartPg=%d,PgCount=%d
Error in FTL Lite write
RETURNING ERROR FROM NvNandWriteSector TL error=%u,Sector Start=0x%x,Count=0x%x
RETURNING ERROR FROM NvNandReadSector TL error=%u,Sector Start=0x%x,Count=0x%x
RETURNING ERROR FROM NvNandOpen
Error: trying cached read past page limits
512B Read: Page=%d, within page sector in page=%d, sector count=%d
Error: 512B buffer allocate failed earlier
Error: trying cached write past page limits
Error: failed to allocate buffer for 512B sector support
Alloc memory failed
TLvalidate FAIL1 sector offset=0x%x,count=0x%x,sectorsPerRow=%u
TLvalidate FAIL2, Interleave bank Pgs[ %d ]
TLvalidate FAIL3
TLvalidate FAIL4
TLvalidate FAIL5 page[0]=0x%x,Reqd rows=0x%x
TLEraseAll fail BtlGetPba: Chip=%d,Block=%d
GetBlock info failed: Chip=%d, Blk=%d
Marking Bad block failed forChip=%d Block=%d
Found Bad block Chip=%d Block=%d
Factory Bad: 0x%x, Run-time bad marker: 0x%x
Interleave2PhysicalPg fail1: illegal page
Interleave2PhysPg fail2: illegal device
Ddk Read error code=0x%x
In NandTLGetBlockInfo Error = 0x%x
NandTL_INVALID_ARGUMENT3
NandTL_INVALID_ARGUMENT4
NandTL_INVALID_ARGUMENT5
NandTL_INVALID_ARGUMENT6
Error: No free Blk, Region[%d]=%d
Strategy Handle Error failed in Wr Status:%d,
TL write error=%u,sector start=0x%x,count=0x%x
NandTL_INVALID_ARGUMENT1
NandTL_INVALID_ARGUMENT2
TlRead failed Status:%d,
TL read error=%u,sector start=0x%x,count=0x%x
Region=%d SD Erase start 512B-sector=%d,512B-sector-num=%d
LCM of %d and %d =%d
Part-id=%d size from %d sectors by %d sectors
SD Alloc Partid=%d, start sector=%d,num=%d NvDdkBlockDevIoctlType_ErasePartitionNvDdkBlockDevIoctlType_VerifyCriticalPartitionsUnknownIoctl
Inst=%d, SD ioctl %s failed: error code=0x%x SPIF ERROR: SpifOpen failed..
SPIF ERROR: Trying to read more than SPI flash device size..
SPIF ERROR: Trying to program more than SPI flash device size..
SPIF ERROR: Trying to erase more than chipsize NumberOfSectors[0x%x] TotalBlocks[0x%x]
SPIF ERROR: Trying to erase more than chipsize NumberOfBlocks[0x%x] TotalBlocks[0x%x]
SPIF ERROR: Illegal block driver Ioctl..
SPIF ERROR: SpifBlockDevIoctl failed error[0x%x]..
Inst=%d, SPI Flash ioctl %s failed: error code=0x%x Trying to close driver without open
SPIF ERROR: NvDdkSpifBlockDevInit failed error[0x%x]..
Error SD clear skip blocks - sector=%d
Skipping SD erase of prefix %d blocks from %d
Skipping SD erase of suffix %d blocks from %d
Hsmmc Erase start sector=%d,num=%d
Hsmmc Alloc Partid=%d, start sector=%d,num=%d
NvNandHandle: FtlStartLba=%d, FtlEndLba=%d FtlStartPba=%d, FtlEndPba=%d pBlocks[%d ] prevBlocks[]
TrackLba[%d]: lba=%d, %s
Misc start
NumOfBanksOnBoard = %d
NoOfILBanks = %d
PhysBlksPerBank = %d
ZonesPerBank = %d
PhysBlksPerZone = %d
PhysBlksPerLogicalBlock = %d
TotalLogicalBlocks = %d
TotEraseBlks = %d
NumOfBlksForTT = %d
PgsRegForTT = %d
TtPagesRequiredPerZone = %d
NumOfBlksForTAT = %d
BlksRequiredForTT = %d
PgsAlloctdForTT = %d
ExtraPagesForTTMgmt = %d
LastTTPageUsed = %d
CurrentTatLBInUse = %d
bsc4PgsPerBlk = %d
Misc end
TAT Handler start
tatBlocks[%d] bank = %d, block = %d
ttBlocks[%d] bank = %d, block = %d
tat Block bank = %d, block = %d
TtAllocBlk[%d] bank = %d, block = %d
lastUsedTTBlock bank = %d, block = %d
TAT Handler end
++++++++++++++++++
TT 32-bit entry format in dump :
=============
Region: b31-b30
BlockNotUsed: b29
BlockGood: b28
DataReserved: b27
SystemReserved: b26
TatReserved: b25
TtReserved: b24
PhysBlkNum: b23-b0
============
Dumping page %d
**SuperBlock %d
*0x%08X [%d] [SYS-RSVD]
*0x%08X [%d] [ ^^^ FREE BLK ] Region%d
*0x%08X [%d] [ USED BLK ] Region%d
*0x%08X [%d] [*** BAD BLK ***]
Total=%u,Free=%u,Bad=%u,Reserve Data=%u,System=%u,Tat=%u,Tt=%u,Illegal=%u,Region0=%u,Region1=%u,Region2=%u,Region3=%u
No free blocks Available- find out the reason, bank = %d
[Strategy] Erase Failed
Bad Block found at LBA %d
Marked blk bad bank = %d, block = %d Rev = %d lba = %d
TAT write failed page = %d, bank = %d, block = %d Rev = %d lba = %d WriteOnlyHeader = %d
NO FREE TAT BLOCKS AVAILABLE
writing to TAT blocks failedInvalid percent reserved value = %d, should not exceed%d, setting it to %d
[Nand_Strategy] Failed to mark PBAs BAD
**** Fail: Invalid Case ****
Not Expected to come here
NvError_NandNoFreeBlock1
Error: NandStrategyGetSectorPageToWrite InTracking case, No Page
Error: NandStrategyGetSectorPageToWrite GetPBA case, No Page
NvError_NandNoFreeBlock2
GetNewPBA failed Sts: 0x%x in GetSectorPage2Write #2
Error: NandStrategyGetSectorPageToWrite PBA assigned already case, No Page Crypto Engine Disabled, Returning IOCTL
AES DDK Unsupported IOCTL COMMAND
AES Engine[%d] Disabled - EngineStatus[%d]
MemMap failed.
.NVRM Initialized shmoo database
NVRM Got shmoo boot argument (at 0x%x)
ActiveIdleAutoHwRM power state before suspend: %s (%d)
Active Module: 0x%x*** Wakeup from LP0 ***
*** Wakeup from LP1 ***
*** Wakeup after Skipped LP0 ***
DTT: TMON initialization failed
DTT: T = %d, Range = %d (%d : %d)
DVFS set core at %dmV
Clock control balance failed for module %d, instance %d
ADJUSTED CLOCKS:
MC clock is set to %6d KHz
EMC clock is set to %6d KHz (DDR clock is at %6d KHz)
PLLX0 clock is set to %6d KHz
PLLC0 clock is set to %6d KHz
CPU clock is set to %6d KHz
System and AVP clock is set to %6d KHz
GraphicsHost clock is set to %6d KHz
3D clock is set to %6d KHz
2D clock is set to %6d KHz
Epp clock is set to %6d KHz
Mpe clock is set to %6d KHz
Vde clock is set to %6d KHz
NVRM CLOCKS: PLLX0: %d Khz
NVRM CLOCKS: PLLM0: %d Khz
NVRM CLOCKS: PLLC0: %d Khz
NVRM CLOCKS: PLLP0: %d Khz
NVRM CLOCKS: PLLA0: %d Khz
NVRM CLOCKS: CPU: %d Khz
NVRM CLOCKS: AVP: %d Khz
NVRM CLOCKS: System Bus: %d Khz
NVRM CLOCKS: Memory Controller: %d
NVRM CLOCKS: External Memory Controller: %d
GPUHandheldBrChipsCrushMCPCkVaioHandheld SOCSimulation Chip: 0x%x
FPGAQuickTurnEmulation (%s) Chip: 0x%x Netlist: 0x%x Patch: 0x%x
Chip Id: 0x%x (%s) Major: 0x%x Minor: 0x%x SKU: 0x%x
NV_CFG_RMC_FILENV_CFG_CHIPLIBNV_CFG_CHIPLIB_ARGSSECURITY_VIOLATION DecErrAddress=0x%x SECURITY_VIOLATION DecErrStatus=0x%x EMEM DecErrAddress=0x%x EMEM DecErrStatus=0x%x GART DecErrAddress=0x%x GART DecErrStatus=0x%x DTT: Invalid Range = %d
Err in I2c transfer: Controller Status 0x%08x
AP20 I2c Isr got unwanted interrupt IntStatus 0x%08x
QueryIface_CQueryIfacebogusOBS bus modID 0x%x index 0x%x = value 0x%xLLC Client %d Count: 0x%.8X, %u
LLC Client %d Clocks: 0x%.8X, %u
Client %.3d Count: 0x%.8X, %u
Total MC Clocks: 0x%.8X, %u
AXI DecErrAddress=0x%x AXI DecErrStatus=0x%x Output FIFO does not refill, context read is stuck.Error> DSI Panel Initialization Failed
Error> DSI Panel Suspend Failed
Max8907bRtcCountWrite() error. Max8907bRtcCountRead() error. ERROR: GPIO_PCF50626_I2cWrite8() failed.
Sorry for spamming this thread, just wanted to show off some cool pics and vids
http://img404.imageshack.us/img404/4427/20120224235839.jpg
http://www.youtube.com/watch?v=moflp1BDCpA
sp3dev said:
Sorry for spamming this thread, just wanted to show off some cool pics and vids
http://img404.imageshack.us/img404/4427/20120224235839.jpg
http://www.youtube.com/watch?v=moflp1BDCpA
I would not call that spam. That's AMAZING. Can't wait to see more!
edit:
So did you completely replace Acer's bootloader on the tab with uboot?
gh123man said:
I would not call that spam. That's AMAZING. Can't wait to see more!
edit:
So did you completely replace the bootloader on the tab with uboot?
Yes, but..
1. Right now it does not support the tegra's partition layout - no luck with reading emmc partitions. Probably need to port tegrapart to uboot or figure out how to use EFI partition table (possibly needs hacking GPT offset)
2. Uboot doesn't support Android's boot images. The support can be added, but it may be easier to just repack kernel and initrd to uImage.
3. There's no USB client driver, so one will need to use microsd or usb stick to flash kernel/recovery for the first time.
So. I didn't have much time to play with it, but I'll look into it further
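Point 2 above mentions repacking the kernel and initrd into a uImage. As an added example (not sp3dev's code and not taken from U-Boot), the code below builds a legacy multi-file uImage from a kernel and an initrd and parses it back, checking both CRC32 fields. The kernel and initrd bytes, the image name and the load/entry addresses are constructed placeholders.

```python
"""Build and check a legacy U-Boot uImage holding a kernel and an initrd."""
import struct
import zlib

IH_MAGIC = 0x27051956
IH_OS_LINUX, IH_ARCH_ARM, IH_TYPE_MULTI, IH_COMP_NONE = 5, 2, 4, 0
# Big-endian: magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
HEADER = struct.Struct(">7I4B32s")          # 64 bytes

# Constructed inputs for the example; the addresses are placeholders.
KERNEL = b"constructed kernel image."      # 25 bytes, forces alignment padding
INITRD = b"constructed initrd"
LOAD_ADDR = ENTRY_ADDR = 0x00008000


def build_multi_uimage(kernel, initrd, load, entry, name, timestamp=0):
    """Return a multi-file uImage: header, size table, kernel, initrd."""
    pad = b"\x00" * (-len(kernel) % 4)      # the next part starts 4-byte aligned
    payload = struct.pack(">3I", len(kernel), len(initrd), 0) + kernel + pad + initrd
    fields = [IH_MAGIC, 0, timestamp, len(payload), load, entry, zlib.crc32(payload),
              IH_OS_LINUX, IH_ARCH_ARM, IH_TYPE_MULTI, IH_COMP_NONE,
              name.encode("ascii")[:31]]
    fields[1] = zlib.crc32(HEADER.pack(*fields))   # header CRC is taken with hcrc = 0
    return HEADER.pack(*fields) + payload


def parse_uimage(image):
    """Validate both CRCs and return the header fields plus the contained parts."""
    if len(image) < HEADER.size:
        raise ValueError("truncated header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, img_type, _comp, name) = HEADER.unpack_from(image)
    if magic != IH_MAGIC:
        raise ValueError("bad magic")
    zeroed = image[:4] + b"\x00" * 4 + image[8:HEADER.size]
    if zlib.crc32(zeroed) != hcrc:
        raise ValueError("header CRC mismatch")
    payload = image[HEADER.size:HEADER.size + size]
    if len(payload) != size or zlib.crc32(payload) != dcrc:
        raise ValueError("data CRC mismatch")
    parts = [payload]
    if img_type == IH_TYPE_MULTI:
        # Size table: one big-endian word per part, closed by a zero word.
        sizes, pos = [], 0
        while pos + 4 <= len(payload):
            (n,) = struct.unpack_from(">I", payload, pos)
            pos += 4
            if n == 0:
                break
            sizes.append(n)
        parts = []
        for n in sizes:
            if pos + n > len(payload):
                raise ValueError("size table runs past the payload")
            parts.append(payload[pos:pos + n])
            pos += (n + 3) & ~3             # skip the alignment padding
    return {"name": name.split(b"\x00")[0].decode("ascii"), "load": load,
            "entry": entry, "size": size, "parts": parts}


if __name__ == "__main__":
    image = build_multi_uimage(KERNEL, INITRD, LOAD_ADDR, ENTRY_ADDR, "constructed-linux")
    info = parse_uimage(image)
    print(info["name"], hex(info["load"]), [len(p) for p in info["parts"]])
```

Both checksums are unkeyed CRC32, so they detect corruption only; anyone who alters the payload can recompute them.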
sp3dev said:
Yes, but..
1. Right now it does not support the tegra's partition layout - no luck with reading emmc partitions. Probably need to port tegrapart to uboot or figure out how to use EFI partition table (possibly needs hacking GPT offset)
2. Uboot doesn't support Android's boot images. The support can be added, but it may be easier to just repack kernel and initrd to uImage.
3. There's no USB client driver, so one will need to use microsd or usb stick to flash kernel/recovery for the first time.
So. I didn't have much time to play with it, but I'll look into it further
Thanks... extremely interesting... keep us updated with progress, I'm sure I'm not the only one interested in this.
sp3dev said:
I have uploaded the archive with nvflash and some instructions on using it with A500. This is only intended for hardcore geeks who know how ARM boots. Be careful - while you can't really brick tegra2 (since it has a minimal usb-capable bootloader in the OTP area), you can screw up things and it will be quite hard to force the tablet to boot in some cases due to stupid security checks.
Just curious, you are using 0x300d8011 as odmdata, when EUU's are using 0xb00d8011.
My understanding is that LPSTATE=LP0 with yours (instead of LP1).
Any reason/consequences ?
wlk0 said:
Just curious, you are using 0x300d8011 as odmdata, when EUU's are using 0xb00d8011.
My understanding is that LPSTATE=LP0 with yours (instead of LP1).
Any reason/consequences ?
Actually you should use the value from the BCT (it's around the end of it). As far as I understand, there are several SoC revisions, and one of them is iirc A03p, which supports LP0, and the other one is A03, which does not. I think I had a file somewhere describing ODM value
In tegra devkit here
/// Soc low power state
#define TEGRA_DEVKIT_BCT_CUSTOPT_0_LPSTATE_RANGE 31:31
#define TEGRA_DEVKIT_BCT_CUSTOPT_0_LPSTATE_LP0 0x0UL
#define TEGRA_DEVKIT_BCT_CUSTOPT_0_LPSTATE_LP1 0x1UL
Other than mmcblk0 p1-8 what other hidden partitions are there? I can write the detection for mmc as I have it for recovery just haven't set the debugging to find the dtypes for iconia as I've been lazy and defined them. Can you list any partitions after p8 or hidden ones related to nvflash etc I have the usual boot, data, cache, misc, recovery, system etc please id any new ones as well.
sp3dev said:
I have uploaded the archive with nvflash and some instructions on using it with A500 ...
Oh, so the bootloader is actually unsigned - or did I miss something? So what prevents me from patching the ICS BL and forcing unlock mode? I see I am a bit disoriented on the Acer scene.
Back to the stock ICS BL, the unlock info is stored to BCT.
Skrilax_CZ said:
Oh, so the bootloader is actually unsigned - or did I miss something? So what prevents me from patching the ICS BL and forcing unlock mode (so ppl can use fastboot)? I see I am a bit disoriented on the Acer scene.
Back to the stock ICS BL, the unlock info is stored to BCT.
Correct me if I'm wrong. Now, since we can generate the SBK, we have full access to nvflash, which gives us direct access to flash anything we want, including a new bootloader (whether it's signed or not). It's like a layer above the bootloader. sp3dev could explain it better...
QFLASH Problem
What the hell .. squint emoticon
"No data read from USB. This may not be an error. Trying again..."
If anyone knows about it, please guide me. I am very close :|
D:\Downloads\Compressed\Moto.X.Unbrick\Python27>python 8960_blankflash.py
Emergency download enumeration detected on port - com3
Starting qflash!
Executing command qflash.exe -com3 -ramload MPRG8960.hex -mbn 33 MSM8960_bootloa
der_singleimage.bin -v -o
Motorola qflash Utility version 1.3
COMPORT :COM3
RAMLOADER :MPRG8960.hex
type is 0x21
7 mbn file name MSM8960_bootloader_singleimage.bin type 33
verbose mode on
Motorola qflash dll version 1.6
RAMLOADER VERSION: PBL_DloadVER2.0
------------------------------------------------------
DEVICE INFORMATION:
------------------------------------------------------
Version : 0x8
Min Version : 0x1
Max Write Size: 0x600
Model : 0x90
Device Size : 0
Description : Intel 28F400BX-TL or Intel 28F400BV-TL
------------------------------------------------------
Using passed in packet size, changing from 0x600 -> 0x600
EXTENDED_LINEAR_ADDRESS_REC @ 0x2a000000
Write 65536 bytes @ 0x2a000000
100EXTENDED_LINEAR_ADDRESS_REC @ 0x2a010000
Write 11840 bytes @ 0x2a010000
100START_LINEAR_ADDRESS_REC @ 0x2a000000
No data read from USB. This may not be an error. Trying again...
No data read from USB. This may not be an error. Trying again...
No data read from USB. This may not be an error. Trying again...
No data read from USB. This may not be an error. Trying again...
No data read from USB. This may not be an error. Trying again...
Still no data, giving up!
dmss_go : failed to receive ACK
Error loading MPRG8960.hex into device
Blank flashing successful
Device will now enumerate in fastboot mode
D:\Downloads\Compressed\Moto.X.Unbrick\Python27>pause
Press any key to continue . .
Brief synopsis
Bootloader unlock isn't likely. Amazon provide the facility to unlock the bootloader, but there is no way of getting the key.
The program which is locking the bootloader appears to be specific to MediaTek and Amazon, therefore, there isn't any source code.
The partitions with an Android bootimg header are all signed with two Amazon certificates. This includes the Little Kernel (LK) and the kernel itself.
The preloader is custom built for Amazon. The preloader doesn't respond to SP Flash Tool because it's constantly in a reboot loop when in 'META mode'. I presume it's intentional; a different version can however be installed (See 'However...').
However...
@bibikalka has found some strings in tz.img referring to a bootloader unlock. There is an amzn_unlock_verify function in lk too.
There must be a way to get the preloader to work properly with SP Flash Tool. However, this won't allow you custom ROMs, just reinstalling Amazon's software. The software installed is still verified during the boot process. See this unbrick guide to install a different preloader. The preloader is not signed or checked by the boot process.
There is a small chance some part of the boot process could be fooled.
Downgrade potential
An anti-rollback program appears to have been built in to the bootloader which prevents any attempt at downgrading the software on the device. This is rather irritating, and means that downgrading is almost impossible. Only the preloader seems to be unaffected by this anti-rollback system – so, if you attempted to downgrade, and caused your device to become bricked, then you can restore the version you left.
Note that I vaguely refer to the preloader, uboot and lk collectively as 'the bootloader'.
Original post
I previously had downloaded the 5.0.1 and 5.1.1 LK versions, and thought, why not run these through binwalk?
For the old, 5.0.1 bootloader, putting lk.bin through binwalk gave:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
204256 0x31DE0 SHA256 hash constants, little endian
292292 0x475C4 Android bootimg, kernel size: 0 bytes, kernel addr: 0x5D73255B, ramdisk size: 1869570592 bytes, ramdisk addr: 0x6D692074, product name: ""
330144 0x509A0 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
330752 0x50C00 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
334248 0x519A8 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
339912 0x52FC8 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
341028 0x53424 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
350360 0x55898 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
351732 0x55DF4 Certificate in DER format (x509 v3), header length: 4, sequence length: 1067
353656 0x56578 Certificate in DER format (x509 v3), header length: 4, sequence length: 1069
369736 0x5A448 CRC32 polynomial table, little endian
397548 0x610EC LZMA compressed data, properties: 0x91, dictionary size: 33554432 bytes, uncompressed size: 134217728 bytes
Whilst the 5.1.1 bootloader's lk.bin gave:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
204960 0x320A0 SHA256 hash constants, little endian
293720 0x47B58 Android bootimg, kernel size: 0 bytes, kernel addr: 0x5D73255B, ramdisk size: 1869570592 bytes, ramdisk addr: 0x6D692074, product name: ""
332024 0x510F8 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/cry
332628 0x51354 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/mem
336096 0x520E0 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/asn
341712 0x536D0 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/evp
342820 0x53B24 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/obj
352064 0x55F40 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/x50
353420 0x5648C Certificate in DER format (x509 v3), header length: 4, sequence length: 1067
355344 0x56C10 Certificate in DER format (x509 v3), header length: 4, sequence length: 1069
371656 0x5ABC8 CRC32 polynomial table, little endian
So there you go! The bootloader uses OpenSSL to check the partition against two DER format certificates. Ignore the LZMA header for now; binwalk thinks almost everything is LZMA compressed.
Can you run binwalk with -e and post the 5.1.1 certs here
benwaffle said:
Can you run binwalk with -e and post the 5.1.1 certs here
Look at the thread about the 5.1.1 lk.bin in this forum and download the binary so you can run binwalk on it yourself.
Here is the lk.bin file, zipped. You can try and run '-e' on this binary.
The extracted certificates appear to contain format strings for decompression/compression error and debug messages. It doesn't look right. But the top of the files are valid certificate headers (or appear to be to the untrained eye).
Thanks @benwaffle.
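Binwalk reports each certificate above with a header length and a sequence length, which together give the exact number of bytes the certificate occupies; a carve that runs past that length also picks up whatever follows the certificate in the image. As an added example (not code from this thread or from binwalk), the script below finds the DER prefix of an X.509 v3 certificate in an image and carves each hit to exactly that length. The sample image and its stand-in certificates are constructed for the example, and all function names are this example's own.

```python
"""Locate DER X.509 v3 certificates in a firmware image and carve them by length."""

# [0] EXPLICIT INTEGER 2: the "version = v3" field that opens tbsCertificate.
V3_VERSION = bytes.fromhex("a003020102")


def read_tlv(buf, off):
    """Return (tag, header_len, value_len) for the DER element at off, else None."""
    if off + 2 > len(buf):
        return None
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short form: the byte is the length
        return tag, 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or off + 2 + n > len(buf):
        return None
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")


def count_children(buf, start, end):
    """Count back-to-back TLVs in buf[start:end]; 0 if they do not end exactly at end."""
    off, count = start, 0
    while off < end:
        tlv = read_tlv(buf, off)
        if tlv is None:
            return 0
        off += tlv[1] + tlv[2]
        count += 1
    return count if off == end else 0


def find_certificates(blob):
    """Return [(offset, header_len, sequence_len)] for each plausible certificate.

    Only certificates of 256..65535 bytes (outer length form 0x82) are searched for.
    """
    hits = []
    off = blob.find(b"\x30\x82")
    while off != -1:
        nxt = off + 1
        _, hlen, vlen = read_tlv(blob, off) or (0, 0, len(blob) + 1)
        end = off + hlen + vlen
        inner = read_tlv(blob, off + hlen)
        if end <= len(blob) and inner is not None and inner[0] == 0x30:
            ver = off + hlen + inner[1]
            # A certificate is SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
            if (blob[ver:ver + 5] == V3_VERSION
                    and count_children(blob, off + hlen, end) == 3):
                hits.append((off, hlen, vlen))
                nxt = end
        off = blob.find(b"\x30\x82", nxt)
    return hits


def carve(blob, hit):
    """Return exactly header_len + sequence_len bytes starting at the hit offset."""
    off, hlen, vlen = hit
    return blob[off:off + hlen + vlen]


def der(tag, payload):
    """Encode one DER TLV (used only to construct the sample below)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + payload


def fake_cert(fill):
    """Constructed stand-in with a certificate's outer shape; not a real certificate."""
    tbs = der(0x30, V3_VERSION + der(0x02, b"\x01") + der(0x04, bytes([fill]) * 300))
    sig_alg = der(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
    signature = der(0x03, b"\x00" + bytes([fill]) * 256)
    return der(0x30, tbs + sig_alg + signature)


# Constructed sample image: a decoy header, two stand-in certificates, trailing strings.
CERT_A, CERT_B = fake_cert(0xAA), fake_cert(0x55)
SAMPLE = (b"LK-constructed\x00" + b"\x30\x82\xff\xff"   # decoy: length runs off the image
          + CERT_A + b"decompress error %d\n\x00"
          + CERT_B + b"crc table follows\x00")

if __name__ == "__main__":
    for hit in find_certificates(SAMPLE):
        print("0x%X  header length: %d, sequence length: %d, carved: %d bytes"
              % (hit[0], hit[1], hit[2], len(carve(SAMPLE, hit))))
```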
Good effort!
I shall note that Amazon must have a way to un-brick the devices with MTK tools, they would not swap motherboards in order to revive them ...
The problem with the public MTK tools is that it's even impossible to create a scatter file automatically (read only operation), meaning that the formats are such that MTK tools don't understand:
http://forum.xda-developers.com/fire-hd/help/mtk-tools-people-hopeless-bricks-t3139784
There is also an attempt to look at which partitions change when 5.0.1 goes to 5.1.1, and frankly, it's not many places to hide (only a couple of partitions):
http://forum.xda-developers.com/amazon-fire/help/understand-5-1-1-bootloader-bricking-fix-t3301991
On Fire 2014 I also looked at the strings within the bootloaders, and they had some interesting stuff regarding unlocking:
http://forum.xda-developers.com/showpost.php?p=61288384&postcount=57
I wonder if it's possible to patch the very first thing that boots (preloader), and have it pass the unlocking flags around ? Or is preloader also encrypted fully ?
bibikalka said:
Good effort!
I shall note that Amazon must have a way to un-brick the devices with MTK tools, they would not swap motherboards in order to revive them ...
The problem with the public MTK tools is that it's even impossible to create a scatter file automatically (read only operation), meaning that the formats are such that MTK tools don't understand:
http://forum.xda-developers.com/fire-hd/help/mtk-tools-people-hopeless-bricks-t3139784
There is also an attempt to look at which partitions change when 5.0.1 goes to 5.1.1, and frankly, it's not many places to hide (only a couple of partitions):
http://forum.xda-developers.com/amazon-fire/help/understand-5-1-1-bootloader-bricking-fix-t3301991
On Fire 2014 I also looked at the strings within the bootloaders, and they had some interesting stuff regarding unlocking:
http://forum.xda-developers.com/showpost.php?p=61288384&postcount=57
I wonder if it's possible to patch the very first thing that boots (preloader), and have it pass the unlocking flags around ? Or is preloader also encrypted fully ?
Thanks @bibikalka!
Yes – Amazon must have a way of flashing firmware. I wonder if there is a JTAG header on the board as well. The Fire HD 6 had a 'JDEBUG' port, as seen in iFixit's teardown photographs: https://www.ifixit.com/Teardown/Kindle+Fire+HD+6+Teardown/29815#s70239
There might be a bootloader unlock then! It might need someone to decompile uboot to see how to trigger the unlock.
I've only managed to get the preloader_prod.img at this moment in time (I haven't taken preloader.img off). The SHA256 hash starts at around 95% (117KB out of 121KB) of the file, according to binwalk.
Hi,
I'm sorry to shatter hopes for bootloader rollback, but I was looking at the strings in preloader_prod.img and found this:
Code:
$ strings images/preloader_prod.img | grep -i rollback
[ANTI-ROLLBACK] Processing anti-rollback data
[ANTI-ROLLBACK] Failed to read block 0
[ANTI-ROLLBACK] PL: %x TEE: %x LK: %x
[ANTI-ROLLBACK] Need to update version
[ANTI-ROLLBACK] Invalid checksum!
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] PL version mismatch!
[ANTI-ROLLBACK] L: %x R: %x
[ANTI-ROLLBACK] Updating PL version
[ANTI-ROLLBACK] TEE version mismatch!
[ANTI-ROLLBACK] Updating TEE version
[ANTI-ROLLBACK] LK version mismatch!
[ANTI-ROLLBACK] Updating LK version
[ANTI-ROLLBACK] All checks passed
[ANTI-ROLLBACK] Updating RPMB block...
[ANTI-ROLLBACK] Unable to update RPMB block (wc)
[ANTI-ROLLBACK] Unable to update RPMB block (write)
[ANTI-ROLLBACK] RPMB block updated
[RPMB] Failed to initialize anti-rollback block
[RPMB] Anti-rollback block initialized
[RPMB] Valid anti-rollback block exists
[ANTI-ROLLBACK] Invalid anti-rollback state, skipping
There is more stuff when looking for rpmb...
A little bit of googling leads to: https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US20140250290.pdf
This doesn't look good at all
These strings might give a bit of hope:
Code:
[RPMB] Invalid magic, re-creating...
[RTC] clear rpmb program mode flag in rtc register
So something could be stored in the realtime clock and the device might recover if the RPMB block gets destroyed. I can't find any mention of OTP or fuses in the image.
EDIT: It seems rpmb can be accessed through /dev/block/mmcblk0rpmb. I've uploaded mine (5.0.1) to: http://bork.cs.fau.de/~michael/fire/
It seems to only contain a few ones and many zeroes.
It would be interesting to get the rpmb of a 5.1.1 device to compare:
Code:
$ adb shell
[email protected]:/ $ su
[email protected]:/ # dd if=/dev/block/mmcblk0rpmb of=/sdcard/rpmb.bin
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.093 secs (5637505 bytes/sec)
I would not advise trying to flash the 5.0.1 rpmb to a 5.1.1 device!
Regards,
Michael
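One way to do the comparison asked for above once a second dump exists, as an added example that is not part of the original post: it lists which 256-byte blocks are populated in each dump and exactly which bytes differ. The 256-byte granularity is the RPMB half-sector size; the sample dumps and their layout are constructed for the demo and are not the device's real format.

```python
"""Summarise and compare two raw RPMB dumps block by block."""
BLOCK = 256          # RPMB is addressed in 256-byte half sectors
DUMP_SIZE = 524288   # size dd reported in the post


def populated_blocks(dump, block=BLOCK):
    """Indices of blocks that contain at least one non-zero byte."""
    return [off // block
            for off in range(0, len(dump), block)
            if any(dump[off:off + block])]


def merge_runs(indices):
    """Collapse sorted block indices into inclusive (first, last) runs."""
    runs = []
    for i in indices:
        if runs and i == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], i)
        else:
            runs.append((i, i))
    return runs


def changed_bytes(old, new):
    """All (offset, old_value, new_value) tuples where the dumps differ."""
    if len(old) != len(new):
        raise ValueError("dumps differ in size; compare like with like")
    return [(off, a, b) for off, (a, b) in enumerate(zip(old, new)) if a != b]


def compare(old, new, block=BLOCK, preview=64):
    """Block-level summary of both dumps plus a preview of differing bytes."""
    diffs = changed_bytes(old, new)
    return {
        "populated_old": merge_runs(populated_blocks(old, block)),
        "populated_new": merge_runs(populated_blocks(new, block)),
        "changed_blocks": merge_runs(sorted({off // block for off, _, _ in diffs})),
        "changed_bytes": diffs[:preview],
    }


def make_sample(pl, tee, lk, extra_block=False):
    """Constructed dump. The layout (a tag plus three counters) is invented
    for this demo and says nothing about the real anti-rollback block."""
    buf = bytearray(DUMP_SIZE)
    buf[0:4] = b"DEMO"
    buf[4:7] = bytes([pl, tee, lk])
    if extra_block:
        buf[8 * BLOCK] = 0xFF   # one byte in an otherwise empty block
    return bytes(buf)


OLD = make_sample(1, 1, 1)
NEW = make_sample(2, 1, 2, extra_block=True)

if __name__ == "__main__":
    report = compare(OLD, NEW)
    for key in ("populated_old", "populated_new", "changed_blocks"):
        print(f"{key}: {report[key]}")
    for off, a, b in report["changed_bytes"]:
        print(f"offset 0x{off:06x}: {a:#04x} -> {b:#04x}")
```

With real dumps, read both files with `Path(...).read_bytes()` and pass them to `compare()` instead of the constructed samples.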
How interesting. Thanks @stargo! I've updated the OP according to your findings. Yes, it seems more complex than previously thought. I'll upload my 5.1.1 rpmb binary soon.
Hi there! As seen within, I read MTK is a very hard platform to work with, because they are very closed, and they hardly ever release any source, so most ROMs are ports of a similar device. I'll have a search for a device with this same SoC to see if I can come back with related info. That's why I'm surprised we have CM here!
DISCLAIMER: This guide describes procedures with tools that are designed to write directly to the storage of your device. This has the potential to lead to data loss or bricking your device. If you follow this guide carefully, none of these things should happen. That being said, you are still responsible for your own actions and how you handle the tools mentioned in this guide. Caution is advised.
When do I need this?
The following procedure can be used to get your device back into a booting state if all else fails. Usually you'd want to use this tool to get a working recovery running on your device and then go from there. If your bootloader is locked you can use this tool to flash the stock recovery again and unlock the bootloader as usual.
If that is not sufficient, you can also reflash all of firmware, bootloader and stock recovery.
This guide is not needed if:
- The device still boots into stock recovery or TWRP
Flashing the official OxygenOS can fix many issues and you can unlock your bootloader as needed.
- The bootloader is unlocked. Use fastboot flash recovery <twrp image>
Check it with fastboot oem device-info
Use TWRP v3.0.2-0 with the OxygenOS 2 bootloader and the latest TWRP with the OxygenOS 3 bootloader.
- The ROM still boots and is rooted. Flash a stock recovery in a root shell:
adb root && adb shell
dd of=/dev/block/platform/msm_sdcc.1/by-name/recovery if=/sdcard/OxygenOS_recovery.img
OxygenOS 2 Lollipop recovery - OxygenOS 3 Marshmallow recovery
On custom ROMs, you can usually enable root access for ADB in developer settings, even if you didn't root them yourself.
If any link is dead, search for it on https://web.archive.org
Spoiler: Verify downloaded files
The OxygenOS recovery links download from OnePlus's official amazon cloud storage. To verify, compare with the OxygenOS download link from the official page. OnePlus no longer links to these files and provides no checksums, you can use these to verify your download:
Code:
de38f20e72da38d48899f14d022cc1b1cd6bff0f4a506adb7bcf0153e73b1934 OPX_recovery.img
2810feb0d87686ea0529d8718600fdf3181cf0c93f0b9e29e5f13004af0e2d84 OPX_MM_recovery.img
e2fb0f0fef7d644cf3e6c1c0699381074fd4a83f64be319b75b9942443a95c90 OnePlusXOxygen_14_OTA_019_all_201611071506_03f73e21449d4d31.zip
fd58d703cf677dc5148ab5dd0f4af6c3df13faeb51166719e17aa192a86a6c0a OPX_UnBrick_Mini_By_Naman_Bhalla.zip
Don't continue unless you actually checked if your bootloader is still unlocked. Sometimes it is re-locked by accident if some things go wrong.
Recovery and ROM only boot with a compatible bootloader. If you're not sure, try one then the other.
There are two major versions of the OnePlus X bootloader, one from OxygenOS 2 (Lollipop) and one from OxygenOS 3 (Marshmallow), released ca. September 2016, all newer ROMs should be compatible.
Trying to boot into a ROM or recovery that is incompatible with the installed bootloader will get you stuck on the bootlogo screen. On the OxygenOS 2 bootloader the "Powered by Android" part will disappear.
A locked OxygenOS 2 bootloader will boot any compatible software.
A locked OxygenOS 3 bootloader will only boot software signed by OnePlus. When trying to boot an unsigned ROM or recovery the device will vibrate, splash the bootlogo for a second and reboot, resulting in an endless loop.
If all else fails: Flashing through EDL
You may know the legendary Mega Unbrick Guide for A Hard Bricked OnePlus X by Naman Bhalla but it only works on Windows.
It uses EDL, a hidden Qualcomm interface that allows direct read/write access to the device's flash storage to restore firmware, bootloader and stock recovery.
EDL is a powerful tool. A device in EDL mode will follow all instructions given to it without checking whether it would be a good idea to do so. If the instructions tell your device to overwrite userdata, IMEI or MAC address it will do so. Only flash files that are meant for your device. Don't edit any file unless you know what it does.
Preparation:
You need to be at least somewhat familiar with the command line to do this.
- Install git from your distribution
- Download and compile the open source flashing tool QDL. Follow the section "Get the Linux flashing tool" from these instructions.
- Temporarily add QDL to your $PATH with export PATH="$(pwd):$PATH"
QDL must be able to communicate with your device. You can install the appropriate udev rules right now or try it without them first.
- Open a text editor sudo nano /etc/udev/rules.d/51-edl.rules
- Copy these rules and paste them. Ctrl+S to save, Ctrl+X to exit
- The rules should apply the next time you connect your device
- If flashing does not work check the file contents: cat /etc/udev/rules.d/51-edl.rules
- If you can't read the file: sudo chmod a+r /etc/udev/rules.d/51-edl.rules
- If the new rules still don't load for some reason: sudo udevadm control --reload
- Download the "UnBrick tool mini" as uploaded by Naman Bhalla. (direct link)
- Create a clean working directory and extract the zip file.
Customize what to flash:
By default, the UnBrick tool mini will flash OxygenOS 2 bootloader, firmware and stock recovery. From there you can flash the latest OxygenOS and unlock your bootloader again for a clean start.
Flashing OxygenOS will always install a compatible bootloader and firmware and OxygenOS will automatically upgrade the recovery during the boot process.
If this is what you want just skip to the next step.
The UnBrick tool will flash config.bin and persist.img and reset these partitions.
Resetting config will re-lock the bootloader.
Resetting persist will require it to be repopulated again. OxygenOS can do this but most Custom ROMs will have broken sensors.
If you don't want to flash certain files, rename them or move them to another directory.
If you only want to flash certain partitions like the recovery, create a new directory, e.g. flash_recovery-only. Download the recovery version you need:
OxygenOS 2 Lollipop recovery - OxygenOS 3 Marshmallow recovery
Copy it to the new directory and rename it to recovery.img to match the filename the UnBrick tool uses.
Additionally, copy these files from the UnBrick tool:
gpt_main0.bin
gpt_backup0.bin
patch0.xml
prog_emmc_firehose_8974.mbn
rawprogram0.xml
Main procedure:
cd to the directory with the files from the UnBrick tool. Go to your custom directory if you created one in the previous step.
Run qdl prog_emmc_firehose_8974.mbn rawprogram0.xml patch0.xml
QDL will wait for your device to connect.
If QDL asks for permissions go back to "Preparation" and install the udev rules.
With the OnePlus X powered off hold VolUp and connect it to the PC. Otherwise, connect it to the PC first and hold Power+VolUp until it connects in EDL mode.
To verify the connection you can check lsusb or sudo dmesg -w
Devices in EDL mode show up with idVendor=05c6 and idProduct=9008, usually as Product: QHSUSB__BULK
lsusb example: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
To filter the output: lsusb -d 05c6:9008
QDL should print several lines of output, reporting what is flashed etc.
Once it's done, QDL will kick your device out of EDL mode. If everything is alright your phone should vibrate and boot to the charging screen. You should be able to boot to recovery now.
Congratulations on unbricking your device on a Linux machine, enjoy.
Changelog:
2019-12-12 - Original post
??? - undocumented edits
2020-05-24 - Fix possible execution of QDL without patch0.xml which would break the partition table
2022-09-05 - Fix unnecessarily confusing instructions
Thanks
I have a new TWRP on my OPX, but I don't really know what to change in the rawprogram0.xml file.
I'm not sure if I correctly understood your situation so I am going to assume the following:
- You are running a Linux based operating system on your desktop computer
- You have downloaded all necessary files as mentioned in the guide and successfully compiled qdl
- You want to use modern (newer than 2016) ROMs and the current OnePlus firmware and bootloader, i.e. from OxygenOS 3.1.4
- On your OnePlus X, you have "the old bootloader" installed, that is firmware prior to OxygenOS 3 (based on Marshmallow), i.e. firmware from OxygenOS 2.2.1 or similar
- Additionally, you accidentally flashed TWRP version 3.0.2-1 or newer to your OnePlus X and rebooted into a soft-bricked state
If these assumptions are correct, i suggest as the easiest solution to reflash a compatible TWRP and update your firmware using that version of TWRP. If you can use your recovery, it is almost always the easiest method to make any remaining modifications in the recovery.
The procedure is as follows:
- From https://dl.twrp.me/onyx/, download TWRP version 3.0.2-0 and 3.3.1-0
- Reflash an old version of TWRP that is compatible, i.e. anything version 3.0.2-0 and below.
Once you flashed TWRP in one way or another, continue with the following steps to update your bootloader:
- Reboot to that version of TWRP to see if you succeeded
- In TWRP, install either one of the following to update your firmware:
- The official OxygenOS 3.1.4 zip downloaded from OnePlus via https://www.oneplus.com/support/softwareupgrade
- Only the firmware by following this guide: https://forum.xda-developers.com/oneplus-x/general/guide-update-bootloader-firmware-to-t347891766
- Copy to your device: twrp-3.3.1-0-onyx.img and the installation zip you chose in the previous step
- Flash the zip in TWRP. Once TWRP is done flashing, immediately flash a version of TWRP 3.0.2-1 or later to recovery
- In TWRP, choose Reboot > Recovery. If your OnePlus X reboots to TWRP, everything went good and you can go on to flash roms and anything else like you're used to. Just note that very old ROMs (like from 2016 and before) will no longer boot on your device, but you can revert your Firmware by flashing the following zip: https://forum.xda-developers.com/oneplus-x/general/zip-recovery-flashable-firmware-radio-t3381420
Just remember that immediately after flashing this zip in TWRP, you have to flash TWRP version 3.0.2-0 or older again.
Now, there are some different cases that affect how TWRP initially needs to be flashed:
1. Your OnePlus X bootloader is not locked
(tested by running "fastboot oem device-info" on your desktop while your phone is connected in fastboot mode)
If your bootloader is still unlocked you can avoid the hassle of using qdl and simply resort to "fastboot flash recovery <recovery image file>" to fix your device.
2. Your ROM still boots and that ROM is rooted.
In this situation you can still avoid going through the hassle of using qdl.
All you need to do is to get a root shell running. There are several ways to achieve this:
- In a Terminal Emulator on the device run the command "su"
- On a desktop with your phone connected with adb enabled:
- Run either "adb root" and then "adb shell"
- Or run "adb shell" and within that shell, run "su"
Once you got the shell running you can flash your recovery with
"dd of=/dev/block/bootdevice/by-name/recovery if=/sdcard/twrp-3.0.2-0-onyx.img"
To get the image to your device if downloaded on your desktop you can use "adb push twrp-3.0.2-0-onyx.img /sdcard/"
3. Your ROM does not boot or is not rooted.
This is the case where you absolutely need qdl and the situation i assume you are in.
Once you downloaded and unpacked the package from Naman Bhalla, you should see a directory containing the rawprogram0.xml and prog_emmc_firehose_8974.mbn files and a lot of others. You can take just the rawprogram0.xml and the prog_emmc_firehose_8974.mbn file and copy them to your working directory for the next steps.
Now, open rawprogram0.xml in a text editor. Search for the string "recovery". You will see a line starting with "<program" and ending in "/>". In your case, only the line containing " label="recovery" " and " filename="recovery.img" " is relevant. Remove all other lines starting with "<program" and save. Optionally, rename the file to "program-onyx-recovery.xml" or something you will recognize. This might be useful if you plan to keep the file and use it again in the future.
Now, optionally change filename="recovery.img" to the file name of your TWRP file or just rename your downloaded TWRP file to "recovery.img".
To flash, make sure that the following files are in your working directory:
- prog_emmc_firehose_8974.mbn
- rawprogram0.xml (but your customized version)
- recovery.img (whatever recovery you want to flash)
If that is settled, run qdl as explained in my initial guide in the original post to flash the recovery file.
Edit 2022-09-04: This whole paragraph only applies to the OxygenOS 2 bootloader. A locked OxygenOS 3 bootloader will only boot a signed ROM or a signed recovery. However, the device storage can always be dumped through EDL and the final point about encryption always applies.
Some final remarks on locked bootloader on the OnePlus X:
For the future, remember to just keep your bootloader unlocked. It can save you a lot of hassle.
And if you feel uncomfortable about walking around with an unlocked bootloader:
Re-locking the bootloader while TWRP is installed doesn't give any security benefit at all (for obvious reasons). Even if your Recovery would not be open to any local attacker, a locked bootloader doesn't give you much of a benefit on the OnePlus X.
Yes, the generic attack surface of simply using "fastboot flash" is gone, but remember how easy it is to find the UnBrick tool for the OnePlus X we used in this guide. Any attacker can use it as well to flash a malicious recovery onto your device, even if your bootloader is locked - and your OnePlus will boot it.
This is because the OnePlus X does not support Android Verified Boot. This is a security feature on newer Android devices that prevents booting unsigned software if the bootloader is locked. This can prevent flashing malicious firmware, OS or recovery onto a device. But since it also prevents booting TWRP you'd likely be walking around with an unlocked bootloader anyway even if your device were to support this security feature.
Funnily enough, this leads to the conclusion that running your OnePlus X with stock OxygenOS, Recovery and locked bootloader is about as insecure as running TWRP and having an unlocked bootloader if we are talking about an attacker with physical access to the device who also knows about this tool. And since such a tool exists for pretty much every android device as it is originally used to flash these devices in their factories and can be publicly found for most devices, it can be assumed that any attacker has access to this tool.
So remember, the only protection you can have on a OnePlus X is encrypting your data with a strong passcode and hoping that your data stays private even if you might lose your device.
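The rawprogram0.xml edit described in point 3, done programmatically and followed by a size check before anything is flashed, as an added example that is not part of the original post or of the UnBrick tool. The sample XML is constructed: its sector values are the ones shown in the QFIL log on this page, the attribute names follow the usual rawprogram layout, and `keep_only` and `check_images` are hypothetical helper names.

```python
"""Reduce a rawprogram XML to one partition and check the image fits."""
import math
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample; sector numbers are taken from the QFIL log on this page.
SAMPLE_RAWPROGRAM = """<?xml version="1.0" ?>
<data>
  <program SECTOR_SIZE_IN_BYTES="512" filename="gpt_main0.bin" label="PrimaryGPT" num_partition_sectors="34" physical_partition_number="0" start_sector="0"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="config.bin" label="config" num_partition_sectors="1024" physical_partition_number="0" start_sector="1609554"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="logo.bin" label="logo" num_partition_sectors="32768" physical_partition_number="0" start_sector="1460242"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="recovery.img" label="recovery" num_partition_sectors="32768" physical_partition_number="0" start_sector="1409024"/>
</data>
"""


def keep_only(xml_text, label, filename=None):
    """Return the XML with every <program> removed except the one for `label`.

    Refuses to continue unless exactly one entry matches, so a typo in the
    label can never produce a file that flashes nothing or the wrong thing.
    """
    root = ET.fromstring(xml_text)
    programs = root.findall("program")
    matches = [p for p in programs if p.get("label") == label]
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one <program> labelled {label!r}, found {len(matches)}")
    for prog in programs:
        if prog is not matches[0]:
            root.remove(prog)
    if filename is not None:
        matches[0].set("filename", filename)   # optional rename described in the post
    return ET.tostring(root, encoding="unicode")


def check_images(xml_text, image_dir):
    """Map label -> (sectors needed, sectors available) for each entry.

    Raises if a referenced image is missing or larger than its partition,
    which would otherwise overwrite whatever follows it on the eMMC.
    """
    result = {}
    for prog in ET.fromstring(xml_text).findall("program"):
        name = prog.get("filename")
        if not name:
            continue   # entry without a file: nothing would be written
        image = Path(image_dir) / name
        if not image.is_file():
            raise FileNotFoundError(f"{name} is referenced but not in {image_dir}")
        sector_size = int(prog.get("SECTOR_SIZE_IN_BYTES"))
        needed = math.ceil(image.stat().st_size / sector_size)
        available = int(prog.get("num_partition_sectors"))
        if needed > available:
            raise ValueError(
                f"{name} needs {needed} sectors, partition "
                f"{prog.get('label')!r} has only {available}")
        result[prog.get("label")] = (needed, available)
    return result


if __name__ == "__main__":
    reduced = keep_only(SAMPLE_RAWPROGRAM, "recovery")
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in image: 31680 sectors, the count in the QDL log on this page.
        (Path(workdir) / "recovery.img").write_bytes(bytes(31680 * 512))
        print(reduced)
        print(check_images(reduced, workdir))
```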
I have no problems with having an unlocked bootloader -- I thought this device had one already. Yesterday it was running TWRP3.0.2-1 and LOS Marshmallow, I just screwed it up trying to upgrade it to an unofficial LOS16. It would first bootloop constantly, then I tried QDL, and now it doesn't even seem to turn on; I can hold the power button for a full minute but the screen remains black, and there's no vibration as I'm used to. It does show up in QDL mode; I tried the procedure as per point 3, using twrp-3.0.2-1 as the recovery image. QDL says:
Code:
HELLO version: 0x2 compatible: 0x1 max_len: 1024 mode: 0
READ image: 13 offset: 0x0 length: 0x50
READ image: 13 offset: 0x50 length: 0x1000
READ image: 13 offset: 0x1050 length: 0x1000
READ image: 13 offset: 0x2050 length: 0x1000
READ image: 13 offset: 0x3050 length: 0x1000
READ image: 13 offset: 0x4050 length: 0x1000
READ image: 13 offset: 0x5050 length: 0x1000
READ image: 13 offset: 0x6050 length: 0x1000
READ image: 13 offset: 0x7050 length: 0x1000
READ image: 13 offset: 0x8050 length: 0x1000
READ image: 13 offset: 0x9050 length: 0x1000
READ image: 13 offset: 0xa050 length: 0x1000
READ image: 13 offset: 0xb050 length: 0x1000
READ image: 13 offset: 0xc050 length: 0x1000
READ image: 13 offset: 0xd050 length: 0x1000
READ image: 13 offset: 0xe050 length: 0x1000
READ image: 13 offset: 0xf050 length: 0x1000
READ image: 13 offset: 0x10050 length: 0x1000
READ image: 13 offset: 0x11050 length: 0x1000
READ image: 13 offset: 0x12050 length: 0x1000
READ image: 13 offset: 0x13050 length: 0x1000
READ image: 13 offset: 0x14050 length: 0x890
END OF IMAGE image: 13 status: 0
DONE status: 0
qdl: failed to read: Connection timed out
LOG: Host's payload to target size is too large
LOG: [email protected] [email protected]
LOG: [email protected] [email protected]
LOG: [email protected] [email protected]
LOG: start 1409024, num 31680
LOG: Finished sector address 1440704
[PROGRAM] flashed "recovery" successfully at 3960kB/s
no boot partition found
but the OPX still won't boot.
Is your bootloader actually unlocked?
The OnePlus X ships with a locked bootloader that prevents flashing files to the device using fastboot.
The usual steps to modify the OnePlus X and installing custom ROMs are:
- Unlock the bootloader by running "fastboot oem unlock" on a desktop PC while the phone is connected in fastboot mode.
- Flash TWRP by running "fastboot flash recovery TWRP.img" on a desktop PC while the phone is connected in fastboot mode.
Pressing the volume up button while turning on the device normally puts it into fastboot mode and "Fastboot Mode" will be displayed in the middle of the screen along with the oneplus logo.
Unlocking only works with the original OnePlus recovery and if the option "Allow OEM unlocking" is checked in the developer settings. Unlocking requires wiping all userdata.
Did you never do this yourself with your OnePlus X? Did you get this device as a used phone from someone else who already unlocked the bootloader?
What do you mean by "bootloop constantly"? Could you not boot the recovery?
Are you saying you already ran QDL with the unmodified files from the UnBrick tool?
If you really had TWRP 3.0.2-1 running before all your problems started, then doing so initially soft-bricked your device to begin with, as i outlined in footnote [1] of my original post.
I am not sure of the precise timeline and order of your descriptions. I currently assume that you're saying:
1. Had a working device with ROM: "LineageOS 13.0" Recovery: "TWRP version 3.0.2-1" Firmware: Unknown
2. Flashed some "lineage-16.0-unofficial.zip" in TWRP
3. When rebooting, "bootloops" appeared [How did that look? What was affected - just ROM or recovery as well?]
4. Run QDL with the unmodified files from the UnBrick tool that is linked in my original post
5. Phone does not react to button presses except when putting into EDL mode
6. Run QDL with recovery only as described in Point 3 of my follow up post, with the image file of TWRP version 3.0.2-1, QDL reported success
7. Still not booting [What exactly does this mean? Still no reaction to button presses? Does the phone vibrate and bring up the OnePlus logo?]
I've followed the mentioned steps and I'm still stuck on linux logo..
I desperately need help, bought a bricked second hand Oneplus X which I know nothing of in terms of past actions but previous owner
If you did not modify any files from the unbrick tool by Naman Bhalla and qdl ran through successfully, it should have flashed a compatible combination of bootloader and stock recovery so you should be able to reboot to that one.
If this is not the case, you can also go with flashing just a TWRP image. Since there are really just two possible versions of the bootloader (at least in regards to booting compatibility) this should succeed after the second try at most. If not, it means that some other stuff might be broken as well.
As i wrote in my OP, for the OnePlus X any TWRP v3.0.2-0 or older is compatible with the "old bootloader" (Lollipop) and any TWRP v3.0.2-1 or newer is compatible with the "new bootloader" (Marshmallow).
What you basically want to achieve is to just get any recovery booting (be it Stock, TWRP, orangefox or any other useful recovery). From that point, it is fairly easy to get anywhere else on the OnePlus X.
As for other things that can break:
Most of the partitions in your device can be restored to an intact state by flashing an official OxygenOS zip (https://www.oneplus.com/support/softwareupgrade). There are some other ways but this is the safe and easy method.
Only a few partitions cannot be restored once tampered, since they are unique to the specific device. If this happens to be the case, then it can be fairly hard to fix. If the previous owner had unlocked the device's bootloader and flashed some stuff on it, you should ask them whether they might have some TWRP backups around, namely of the partitions "Persist" and "EFS".
Thank you for your reply SebiderSushi.
The only option I have in terms of recovery booting is the Oneplus original one since I bought the phone bricked (can't access dev options and can't connect through ADB for oem unlock).
I've managed to unlock the bootloader and tried to flash the official OxygenOS zip. The update stopped halfway and the phone bricked once again.
I've tried the Naman Bhalla unbrick tool with the MSMdownloadtool 2.1 (previously attempted 2.0). The process runs successfully, until it's marked in green 'download complete'. Phone still bricked.
I'm currently attempting with QFIL through this thread https://www.droidsavvy.com/unbrick-qualcomm-mobiles/
Drivers correctly installed, port 9008 is detected and QFIL is currently. I'm using the files from the unbrick tool by Naman Bhalla for this. The output is the following:
Process Index:0
Programmer Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
Image Search Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla
Please select the XML file
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:0
Start Sending Programmer
Download Fail:System.Exception: Unable to download Flash Programmer using Sahara Protocol
at QC.QMSLPhone.Phone.QPHONEMS_SaharaArmPrgDownload(String sFileName)
at QC.SwDownloadDLL.SwDownload.QPHONEMSSaharaDownloadArmPrg(UInt64& version, String armPrgPath)
Download Fail:Sahara FailSahara Fail
Finish Download
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:0
Start Sending Programmer
Download Fail:System.Exception: Unable to download Flash Programmer using Sahara Protocol
at QC.QMSLPhone.Phone.QPHONEMS_SaharaArmPrgDownload(String sFileName)
at QC.SwDownloadDLL.SwDownload.QPHONEMSSaharaDownloadArmPrg(UInt64& version, String armPrgPath)
Download Fail:Sahara FailSahara Fail
Finish Download
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:0
Start Sending Programmer
Download Fail:System.Exception: Unable to download Flash Programmer using Sahara Protocol
at QC.QMSLPhone.Phone.QPHONEMS_SaharaArmPrgDownload(String sFileName)
at QC.SwDownloadDLL.SwDownload.QPHONEMSSaharaDownloadArmPrg(UInt64& version, String armPrgPath)
Download Fail:Sahara FailSahara Fail
Finish Download
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:0
Start Sending Programmer
Download Fail:System.Exception: Unable to download Flash Programmer using Sahara Protocol
at QC.QMSLPhone.Phone.QPHONEMS_SaharaArmPrgDownload(String sFileName)
at QC.SwDownloadDLL.SwDownload.QPHONEMSSaharaDownloadArmPrg(UInt64& version, String armPrgPath)
Download Fail:Sahara FailSahara Fail
Finish Download
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:2
Start Sending Programmer
Sending Programmer Finished
Switch To FireHose
Max Payload Size to Target:49152 Bytes
Device Type:eMMC
Platform:8x26
Disable Ack Raw Data Every N Packets
Ack Raw Data:False
Skip Write:False
Always Validate:False
Use Verbose:False
COM Port number:3
Sending NOP
FireHose NOP sent successfully
Sending Configuration
Device Type:eMMC
Platform:8x26
Request payload size 0xc000 is not the same as support payload size, change to 0x20000
Set TxBuffer 0x20000, RxBuffer 0x4000
Firehose configure packet sent successfully!
Total Bytes To Program 0x62AE4A0
Download Image
PROGRAM: Partition 0, Sector: 0, Length: 33 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\gpt_backup0.bin
PROGRAM: Written Bytes 0x4200 (64)
Program Size: 0.02 MB
PROGRAM: Partition 0, Sector: 0, Length: 34 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\gpt_main0.bin
PROGRAM: Written Bytes 0x4400 (64)
Program Size: 0.02 MB
PROGRAM: Partition 0, Sector: 1609554, Length: 1024 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\config.bin
PROGRAM: Written Bytes 0x80000 (64)
Program Size: 0.50 MB
PROGRAM: Replace the partition sectors number 0x8000 to file size in sector 0x254
PROGRAM: Partition 0, Sector: 1460242, Length: 596 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\logo.bin
PROGRAM: Written Bytes 0x4a800 (64)
Program Size: 0.29 MB
PROGRAM: Replace the partition sectors number 0x8000 to file size in sector 0x74f0
PROGRAM: Partition 0, Sector: 1409024, Length: 29936 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\recovery.img
PROGRAM: Written Bytes 0xe9e000 (64)
Program Size: 14.62 MB
PROGRAM: Replace the partition sectors number 0x10000 to file size in sector 0x26a3
PROGRAM: Partition 0, Sector: 294912, Length: 9891 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\persist.img
PROGRAM: Written Bytes 0x4d4600 (64)
Program Size: 4.83 MB
PROGRAM: Partition 0, Sector: 259048, Length: 20480 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\static_nvbk.bin
PROGRAM: Written Bytes 0xa00000 (64)
Program Size: 10.00 MB
PROGRAM: Partition 0, Sector: 238568, Length: 20480 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\dynamic_nvbk.bin
PROGRAM: Written Bytes 0xa00000 (64)
Program Size: 10.00 MB
PROGRAM: Replace the partition sectors number 0x3e8 to file size in sector 0x28d
PROGRAM: Partition 0, Sector: 229376, Length: 653 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\tz.mbn
PROGRAM: Written Bytes 0x51a00 (64)
Program Size: 0.32 MB
PROGRAM: Replace the partition sectors number 0x3e8 to file size in sector 0x174
PROGRAM: Partition 0, Sector: 182272, Length: 372 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\rpm.mbn
PROGRAM: Written Bytes 0x2e800 (64)
Program Size: 0.18 MB
PROGRAM: Replace the partition sectors number 0x800 to file size in sector 0x380
PROGRAM: Partition 0, Sector: 180224, Length: 896 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\emmc_appsboot.mbn
PROGRAM: Written Bytes 0x70000 (64)
Program Size: 0.44 MB
PROGRAM: Replace the partition sectors number 0x40 to file size in sector 0x17
PROGRAM: Partition 0, Sector: 148480, Length: 23 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\sdi.mbn
PROGRAM: Written Bytes 0x2e00 (64)
Program Size: 0.01 MB
PROGRAM: Replace the partition sectors number 0x400 to file size in sector 0x22d
PROGRAM: Partition 0, Sector: 147456, Length: 557 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\sbl1.mbn
PROGRAM: Written Bytes 0x45a00 (64)
Program Size: 0.27 MB
PROGRAM: Replace the partition sectors number 0x20000 to file size in sector 0x1c983
PROGRAM: Partition 0, Sector: 16384, Length: 117123 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\NON-HLOS.bin
PROGRAM: Written Bytes 0x3930600 (64)
Program Size: 57.19 MB
Total Size: 98.68 MB
Total Size: 28 Seconds
Throughput: 3.52 MB/Seconds
PATCH: Partition 0, Sector: 9, Offset 40 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
PATCH: Partition 0, Sector: 0, Offset 40 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
PATCH: Partition 0, Sector: 1, Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
PATCH: Partition 0, Sector: 0, Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
PATCH: Partition 0, Sector: 1, Offset 32 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
PATCH: Partition 0, Sector: 0, Offset 24 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
PATCH: Partition 0, Sector: 0, Offset 72 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-33.
PATCH: Partition 0, Sector: 1, Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(2,4096)
PATCH: Partition 0, Sector: 0, Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(NUM_DISK_SECTORS-33.,4096)
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: 0
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(1,92)
PATCH: Partition 0, Sector: 0, Offset 16 Bytes, Size: 4 Bytes, Value: 0
PATCH: Partition 0, Sector: 0, Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(NUM_DISK_SECTORS-1.,92)
Total download file size: 98.68066MB
Throughput: 3.524309M/s
Reset Phone
Waiting for reset done...
Download Fail:FireHose Fail Fail to find QDLoader port after switch
Finish Download
BolitaBolita said:
The only option I have in terms of recovery booting is the Oneplus original one since I bought the phone bricked (can't access dev options and can't connect through ADB for oem unlock).
Now what exactly do you even mean when you say "Bricked"?
If you can boot into recovery, then your device is usually not bricked, but even if, it is usually not in a state where using a flashing tool and risking to **** up the device for good has any real advantage over solving whatever problem in the recovery.
As long as your device doesn't have any hardware errors (broken storage) then the official OnePlus Recovery should almost always be able to install the official OxygenOS.
Under what terms did you even buy this device? How did the previous owner describe the state of the device and its defects if they mentioned them?
BolitaBolita said:
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\config.bin
You are using Windows, so how did you even end up in this thread?
Sorry for the delay -- I thought I had set up notifications and didn't want to push on the point until you had time, but I did not receive a notification for this.
SebiderSushi said:
Is your bootloader actually unlocked?
The OnePlus X ships with a locked bootloader that prevents flashing files to the device using fastboot.
The usual steps to modify the OnePlus X and install custom ROMs are:
- Unlock the bootloader by running "fastboot oem unlock" on a desktop PC while the phone is connected in fastboot mode.
- Flash TWRP by running "fastboot flash recovery TWRP.img" on a desktop PC while the phone is connected in fastboot mode.
I had a LineageOS running on the OPX before I screwed up an upgrade of LOS. I had TWRP on the phone. The bootloader must be unlocked then yes?
SebiderSushi said:
Pressing the volume up button while turning on the device normally puts it into fastboot mode and "Fastboot Mode" will be displayed in the middle of the screen along with the oneplus logo.
Broadly, that is what I had done before, but right now I don't even get the fastboot logo.
SebiderSushi said:
Unlocking only works with the original OnePlus recovery and if the option "Allow OEM unlocking" is checked in the developer settings. Unlocking requires wiping all userdata.
Right, but I had passed that station before, as it was running LOS.
SebiderSushi said:
Did you never do this yourself with your OnePlus X? Did you get this device as a used phone from someone else who already unlocked the bootloader?
No, I did all this myself, but screwed up the update to a non-official LOS.
SebiderSushi said:
What do you mean by "bootloop constantly"? Could you not boot the recovery?
I could not, no, but now I'm not even getting the fastboot logo.
SebiderSushi said:
Are you saying you already ran QDL with the unmodified files from the UnBrick tool?
Correct, yes.
SebiderSushi said:
I am not sure of the precise timeline and order of your descriptions. I currently assume that you're saying:
1. Had a working device with ROM: "LineageOS 13.0" Recovery: "TWRP version 3.0.2-1" Firmware: Unknown
2. Flashed some "lineage-16.0-unofficial.zip" in TWRP
3. When rebooting, "bootloops" appeared [How did that look? What was affected - just ROM or recovery as well?]
Initially I could get to recovery, I tried to upgrade to the latest TWRP for the OPX, when I tried to restart that to recovery, it would just vibrate and reboot continuously
SebiderSushi said:
7. Still not booting [What exactly does this mean? Still no reaction to button presses? Does the phone vibrate and bring up the OnePlus logo?]
Currently, the screen stays black, and I can hold volume up or power for 20 seconds with no reaction (no vibrate, no logo)
First off, I'm extremely sorry for my delay! I also happened to notice your message just today.
Right now I got around and tried reproducing your scenario on my own OnePlus X.
As you said that you ran the unmodified setup from the unbrick tool according to my guide, I did as well - and ran into the same issue you were describing.
After some fiddling around, I realized that you must supply the patch0.xml file as well for a complete flash on the OnePlus X when you also modify the GPT (partition table), which the unmodified rawprogram0.xml does. This is not the case if you only install a recovery or other individual partitions so it slipped my mind. I deeply apologize for not testing the command line for the unmodified UnBrick tool package well enough while writing my Guide.
If nothing else is wrong, running
"/path/to/qdl_source_code/qdl prog_emmc_firehose_8974.mbn rawprogram0.xml patch0.xml"
with the unmodified UnBrick tool will fix the device back to a booting state with the stock recovery and Lollipop Bootloader installed on the device; it did so in my case.
Alternatively, if you don't want to reflash all partitions from the package, you can also just try running
"/path/to/qdl_source_code/qdl prog_emmc_firehose_8974.mbn patch0.xml"
Short of any good documentation, I guessed that the problem appeared because the unmodified rawprogram0.xml also writes the GPT table in its last two program elements. If you look in patch0.xml, you can see that it takes care of the GPT in some way. Once I removed the two program items regarding the GPT, rawprogram0.xml could be applied without needing to flash patch0.xml together with it.
So I assume that it is safe to individually flash any partition listed in rawprogram0.xml apart from the GPT. If your GPT is not in a valid state, there's not much booting going on, since your device won't be able to even read your bootloader from the disk without a partition table.
emilianoheyns said:
I had a LineageOS running on the OPX before I screwed up an upgrade of LOS. I had TWRP on the phone. The bootloader must be unlocked then yes?
While this implies that you very likely once had an unlocked bootloader to allow installation of TWRP to your device, it is not necessarily the case. For one, it is possible to re-lock the bootloader on the OnePlus X and still boot and use custom recoveries and software. Only flashing images via fastboot becomes impossible again if you relock the bootloader. This is because the OnePlus X is a fairly old device (remember it came out with Android 5.1). Such old devices don't support features like Android Verified Boot yet. This is the standard on modern Android devices and it implies that a locked bootloader should only load and boot untampered system partitions as signed by the device vendor.
Edit 2022-09-04: I was wrong about this. This only applies to the OxygenOS 2 bootloader. Trying to boot an unsigned ROM or recovery with an unlocked OxygenOS 3 bootloader causes the exact symptoms that were described; the bootloader repeatedly tries booting in an infinite loop. Probably the LOS flash that went wrong caused the bootloader to re-lock, which is why rebooting to recovery didn't work afterwards as well as booting the ROM.
Also, qdl (or any other software using the Qualcomm Emergency Download Mode) can also install custom Recoveries or ROMs to the devices without unlocking the bootloader and flashing stuff through fastboot.
After that, you can also boot back into fastboot mode and then run
fastboot oem device-info
from your computer to check if your device's bootloader is currently unlocked or not. If it is not, this is a perfect chance to unlock it, since you already got the official recovery installed and probably no user data to take care of anyway.
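What the "Sector: 1" PATCH lines in the flashing log earlier in the thread do to the primary GPT header, as an added Python example that is not part of any post here nor of qdl or the UnBrick package. The field name given for each offset follows the standard UEFI GPT header layout; the 2048-sector disk and the function names are constructed for illustration.

```python
import struct
import zlib

SECTOR = 512
HDR = SECTOR          # primary GPT header sits at LBA 1
ARRAY_BYTES = 4096    # span hashed by CRC32(2,4096) in the log

def build_unpatched_disk(num_sectors):
    """Constructed sample disk: header with its size-dependent fields left at 0."""
    disk = bytearray(num_sectors * SECTOR)
    struct.pack_into("<8sIIIIQQQQ16sQIII", disk, HDR, b"EFI PART", 0x00010000, 92,
                     0, 0, 1, 0, 34, 0, bytes(16), 2, ARRAY_BYTES // 128, 128, 0)
    return disk

def apply_primary_patches(disk):
    """Write the values that the log's 'Sector: 1' PATCH lines name."""
    n = len(disk) // SECTOR                           # NUM_DISK_SECTORS
    struct.pack_into("<Q", disk, HDR + 48, n - 34)    # LastUsableLBA
    struct.pack_into("<Q", disk, HDR + 32, n - 1)     # AlternateLBA (backup header)
    array = bytes(disk[2 * SECTOR:2 * SECTOR + ARRAY_BYTES])
    struct.pack_into("<I", disk, HDR + 88, zlib.crc32(array))   # CRC32(2,4096)
    struct.pack_into("<I", disk, HDR + 16, 0)                   # Value: 0
    struct.pack_into("<I", disk, HDR + 16,
                     zlib.crc32(bytes(disk[HDR:HDR + 92])))     # CRC32(1,92)

def check_primary_gpt(disk):
    """Return the reasons a GPT reader would reject the primary header."""
    n = len(disk) // SECTOR
    hdr = bytearray(disk[HDR:HDR + 92])
    problems = []
    if hdr[:8] != b"EFI PART":
        problems.append("bad signature")
    (stored_crc,) = struct.unpack_from("<I", hdr, 16)
    hdr[16:20] = bytes(4)             # header CRC is computed with this field zeroed
    if zlib.crc32(bytes(hdr)) != stored_crc:
        problems.append("header CRC32 mismatch")
    alt, first, last = struct.unpack_from("<QQQ", hdr, 32)
    if alt != n - 1:
        problems.append("AlternateLBA is not the last sector")
    if not first <= last < alt:
        problems.append("LastUsableLBA out of range")
    (array_crc,) = struct.unpack_from("<I", hdr, 88)
    if zlib.crc32(bytes(disk[2 * SECTOR:2 * SECTOR + ARRAY_BYTES])) != array_crc:
        problems.append("partition array CRC32 mismatch")
    return problems

if __name__ == "__main__":
    disk = build_unpatched_disk(2048)
    print("before:", check_primary_gpt(disk))
    apply_primary_patches(disk)
    print("after: ", check_primary_gpt(disk))
```

Every patched value depends on NUM_DISK_SECTORS or on a checksum over the final bytes, so a GPT image written without the patch step fails these checks regardless of what the other partitions contain.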
Hi, thanks for getting back to me. The problem I'm facing currently is that the OPX currently seems unresponsive -- the screen stays black, and no vibration, seemingly regardless of what button combination I use or how long I keep it on the charger. Any idea what key combo is most likely to bring it up in a state that QDL would see it?
I have fetched a fresh copy of OPX_UnBrick_Mini_By_Naman_Bhalla; I'm sorry to have to ask again, but I should then copy over prog_emmc_firehose_8974.mbn, rawprogram0.xml and patch0.xml unchanged, and run `/path/to/qdl_source_code/qdl prog_emmc_firehose_8974.mbn rawprogram0.xml patch0.xml`? I think I'd prefer to get it back to a booting state to then figure out what I can safely flash on it.
---------- Post added at 04:35 PM ---------- Previous post was at 04:30 PM ----------
I should note, if I connect the charger, the red charging light comes on for a second, maybe two, and then goes out again. It does not come back on unless I plug in again, even if I let it charge overnight.
In my case the usual route to enter EDL mode worked fine - that is, disconnect your OnePlus X from any power source for a few seconds, then press and hold the Volume Up button and after a few seconds reconnect it to your PC where you run qdl, then release the button and execute qdl.
If you want to flash the default configuration of the unbrick tool you must open your terminal window in the folder you extracted from the download (or cd to it). This is because the files that are flashed to the device are in this folder as you can see and they are being referenced with relative paths / their filenames from within "rawprogram0.xml".
SebiderSushi said:
In my case the usual route to enter EDL mode worked fine - that is, disconnect your OnePlus X from any power source for a few seconds, then press and hold the Volume Up button and after a few seconds reconnect it to your PC where you run qdl, then release the button and execute qdl.
Ah well, it must have died somewhere along the way then. When I do that, even after having it on the charger, nothing shows up in dmesg. Thanks in any case!
I wouldn't give up just yet. The actual rule for entering EDL mode on the OnePlus X is:
- The device must be powered off at the beginning
- The Volume Up button must be in pressed state when connecting it to the computer
Edit 2022-09-04: I was wrong about this. It is also possible to hold Power+Vol Up while connected to the PC until the device shows up in dmesg -w
Everything else, like waiting a few seconds here and there is mostly safeties to ensure each state is entered or recognized cleanly.
I mostly had my phone running fresh from the last flashing process, which means that qdl had turned it off cleanly for me. So I definitely had good conditions to enter EDL mode.
I don't know what's going on with your notification LED since I didn't notice this on my device or paid any attention to it - but it might indicate that your phone could be in a not cleanly powered off state.
You can still try pressing the power button for a longer time (maybe about 10 to 30 seconds) to see if that switches off your device the right way before you retry entering EDL mode.
Or do any other experiments pressing buttons or try with different cables.
When was the last time you could successfully connect your device in any mode and which mode was it?
The symptoms you described about black screen, no vibrations or any reaction to button presses were also present on my device as well so I'd guess this is just normal for the state.
If you get it back to a booting state you should be able to install the official OxygenOS right from the stock recovery, or flash a compatible TWRP image using qdl or fastboot and copy any remaining data that you want to keep.
@SebiderSushi, could you please take a look at >this post< and hint if anything else can be done using edl on linux?