Hi..
I have been installing some BTroute and Jetaware applications on my Touch Dual, so now my \HKEY_LOCAL_MACHINE\software\microsoft\Bluetooth\audioGateway does not have the factory settings.
Can someone send me the default settings?
Just check the registry and write down the keys and values here.
Thank you
Default settings from my Touch Dual 20keys:
\HKEY_LOCAL_MACHINE\software\microsoft\Bluetooth\AudioGateway
BTAGExtModule = OEMAGW.dll
BTAGPBModule = \Windows\BthAGPhonebook.dll
Capability = 0x65(101)
ConnectHFOnCall = 0x0(0)
NoRoleSwitch = 0x1(1)
SupportCLI = 0x0(0)
Hope this can help you.
Mine were:
BTAGextmodule=BthagPhoneBook.dll
BTAGPBModule=OEMAGW.DLL
Capability 0x65
ConnectHFOnCall 0x0
MicVolume 0x8
NoRoleSwitch 0x1
PowerSave 0x0
SpkVolume 0x8
SupportCli 0x0
I'm going to try yours
Thanks!
Hi,
I know there are a lot of threads about all this stuff already, and I also know that the Hero is not the latest gadget anymore.
Anyway, a few days ago I started investigating the Bluetooth sub-system running on my HTC Hero. I tried to find out how things work on the latest stock ROM 3.32.405.2 compared to some of the latest nightly ROM builds based on cyanogen.
I just wanted to post what I found out in the meantime and what might be worth discussing. Here we go.
The chipset:
The Hero in fact uses a BRF6350 from Texas Instruments, which is a successor of the BRF6300. This chip definitely has FM capabilities, but there's no access to this function by default.
It is as yet unknown whether the hardware connections would basically support this option, if set up correctly.
Again, there is some basic information at TI's website:
http://focus.ti.com/general/docs/wt...ateId=6123&navigationId=12659&contentId=14646
I also found a very interesting document in the web, that gives a more detailed block diagram of the BRF6350 chipset (see attachment).
The firmware:
In the stock ROM there's only a BRF6300 firmware file, though a BRF6350 is used on the mainboard.
On the latest cyanogen nightly builds there's also a BRF6350 firmware file.
See this thread for more: http://forum.xda-developers.com/showthread.php?t=704976
I could not find out what the origin of this file is; maybe it was extracted from a WM ROM...
Whoever knows more about it, please post it here!
Anyway, the firmware gets loaded during boot-up, using a service entry in init.hero.rc. This one is common to stock and AOSP ROMs:
Code:
service hciattach /system/bin/hciattach \
    -n -s 115200 /dev/ttyHS0 texasalt 4000000 flow
    user bluetooth
    group bluetooth net_bt_admin
    disabled
On the stock ROM there's an additional service started in init.hero.rc:
Code:
#btips - 2.22
service btips /system/bin/btipsd --logfile /data/btips/btips_log.txt -no_android_log
    socket bluetooth stream 660 bluetooth bluetooth
    socket dbus_bluetooth stream 660 bluetooth bluetooth
    group bluetooth net_bt_admin misc
    disabled # the MCP monitor service is responsible for bringing up the daemon
    oneshot
AFAIK, this service is needed to start the TI Bluetooth stack and does a more specific setup of the chipset.
Also, it might be possible that on stock ROMs hciattach is obsolete and btipsd in fact loads the BRF6300 firmware into the BRF6350 chipset. Some further investigation is required here...
There had also been some discussions early this year in the IRC channel about btipsd.
By stepping through the binary, I found out that btipsd also includes some hard-coded start-up scripts (*.bts).
These are similar to the scripts located in /etc/firmware.
The scripts:
After the firmware has been transferred to the chipset, a basic setup has to be made. That's what these scripts are doing.
The firmware uses a binary command mode to communicate at this point.
Also, some tweaks might be injected to match the current API.
These are the basic scripts located in /etc/firmware (stock ROM and AOSP):
avpr.bts (Description: BRF6450 AVPR FW Initialization Script, Compatibility: BRF6450 PG1 ROM)
fm_rx_init_1273.2.bts (Description: This script could be used to put the FM IP in RCV mode)
fmc_init_1273.2.bts (Description : FM Firmware Patch - v2.140, Compatibility : BL6450 2.1, BL6450 3.0, WL127x 2.0, NL55xx 2.0 ROM)
tiinit_5.3.53.bts (Description : BRF6350 2.11 ROM Initialization Script, Compatibility: BRF6350 2.11 ROM)
It seems that these scripts are generic and are used on other platforms as well. By extracting the debug messages of these scripts, I found out that on the stock ROM none of them matches the given firmware (BRF6300.bin).
In other words, they seem to be useless!
By integrating BRF6350.bin into the AOSP ROMs, there's only one that may be used: tiinit_5.3.53.bts
Some cross-references....
E.g. the Xperia X1 (which also uses the BRF6350 chipset) got a couple of init scripts to match different firmware versions:
TIInit_5_3_53.bts (Description : BRF6350 2.11 ROM Initialization Script, Compatibility: BRF6350 2.11 ROM)
TIInit_5_2_34.bts (Description : BRF6350 2.34 ROM Initialization Script, Compatibility: BRF6350 2.34 ROM)
TIInit_4_2_38.bts (Description : BRF6300 1.31 ROM Initialization Script, Compatibility: BRF6300 1.31 ROM)
Inside Xperia X1 ROMs there are also some scripts to activate FM radio on a BRF6350 chipset:
Fm_on_2_0.bts
Fm_on_2_1.bts (Description : BRF6350 2.11 FM Initialization, Compatibility: BRF6350 2.11 ROM)
FMInit_2.bts (Description : BRF6350 2.0 FW 2.34 FM Initialization, Compatibility: BRF6350 2.0 ROM w/ 2.0.34 Firmware)
There's also a package called HTC Tools for the WM phones (HTC Diamond, HTC Raphael, etc.) including similar scripts for FM.
So maybe it will be possible some day to tweak Hero ROMs and make use of these scripts. This would probably solve this issue: http://forum.xda-developers.com/showthread.php?t=533780
The stack:
HTC Hero stock ROMs use TI's proprietary Bluetooth stack.
The HCI communication with the chipset is mainly done through btipsd, which is also closed source.
There's also a nice command-line interface (btipsd_cli) to gather some low-level information.
Some proprietary libraries might be in use for the stack as well...
The firmware file is BRF6300.bin.
On the AOSP ROMs the Bluetooth framework is a little more open.
AFAIK, the BlueZ stack is used on these ROMs.
The HCI communication seems to rely entirely on the hci toolset (e.g. hciattach, hciconfig, hcitool...).
The latest cyanogen nightly ROMs make use of BRF6350.bin.
As already stated, I just started to investigate a few days ago...
... still many secrets and still a little confusing, but I just wanted to start collecting some information and give it out to the community.
Another nice thread at G1 sub-forum: http://forum.xda-developers.com/showthread.php?t=527027
Please post your knowledge here or correct me if I pointed out something wrong!
TBC....
Best regards,
scholbert
extended info about *.bts files
Init files from HTC Hero...
Debug strings in fm_rx_init_1273.2.bts:
Code:
0x24 0x4F # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
0x78 0x1B # RCV Power On - v0.8
0x9E 0x4A # Description: This script could be used to put the FM IP in RCV mode
0xED 0x19 # Author: Manav
0x010B 0x17 # Date: Dec 29, 2007
0x0127 0x14 # Changes:
0x0147 0x20 # 0] Dec'29 2007 - Initial Edits
0x016C 0x43 # 1] Jan'31 2008 - Clean up - Moved register settings to code patch
0x01B4 0x1C # 2] Mar'15 2008 - No Change
0x01DB 0x2E # Notes: Use this script after running FM Init
0x020E 0x50 # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
0x026D 0x22 # Putting the Synth in Closed Loop
0x02BD 0x57 # Select if RDS is needed (Make fm_rcv_mode =3 for RDS and FM and =1 for only FM Audio)
0x0319 0x10 #fm_rcv_mode = 3
0x033C 0x52 # RCV POWER ON API (Arg = 3 for both FM Audio and RDS / Arg = 1 for only FM Audio)
0x03B8 0x0E #Audio Enable.
0x03CB 0x31 #Send_HCI_VS_I2C_Write_to_FM 0xFD35, 0x1D, 0x0002
0x0401 0x4C #Wait_HCI_Command_Complete_VS_I2C_Write_to_FM_Event 5000, 0x00, 0xfd35, 0x00
Debug Strings in fmc_init_1273.2.bts:
Code:
0x29 0x53 #--------------------------------------------------------------------------------
0x81 0x2D # Description : FM Firmware Patch - v2.140
0xBA 0x21 # Author : Sumeer Bhatara
0xE8 0x46 # Compatibility : BL6450 2.1, BL6450 3.0, WL127x 2.0, NL55xx 2.0 ROM
0x013B 0x1D # Last Updated : 02/06/2009
0x0165 0x3C # Notes : Please refer to the SP2.22 RN for details
0x01A6 0x53 #--------------------------------------------------------------------------------
0x020D 0x39 # FM ON Command - This would activate the I2C co-relator
0x0250 0x29 #Send_HCI_VS_I2C_FM_POWER_MODE 0xFD37, 1
0x027E 0x60 #Wait_HCI_Command_Complete_VS_I2C_FM_POWER_MODE_Event 5000, any, HCI_VS_I2C_FM_POWER_MODE, 0x00
0x02E8 0x1F #time needed for APLL to lock
0x030C 0x0A #sleep 30
0x0345 0x0D #Data patch
0x035C 0x1B # PA VOLTAGE TABLE CHANGE
0x08A1 0x35 #Program the g_tCapAdjTable[5] = {-2, -1 ,0 ,2 ,4 }
0x08DB 0x32 # g_tCapAdjTable[1] = -1 , g_tCapAdjTable[0] = -2
0x093B 0x30 # g_tCapAdjTable[3] =2 , g_tCapAdjTable[2] = 0
0x0999 0x28 # g_tgLow[0] =2 , g_tCapAdjTable[4] =4
0x09EF 0x1F # g_tCapValTable TABLE CHANGE
0x0A13 0x20 # Program the g_tCapValTable[0]
0x0A61 0x20 # Program the g_tCapValTable[1]
0x0AAF 0x20 # Program the g_tCapValTable[2]
0x0AFD 0x20 # Program the g_tCapValTable[3]
0x0B4B 0x20 # Program the g_tCapValTable[4]
0x0B99 0x20 # Program the g_tCapValTable[5]
0x0BE7 0x20 # Program the g_tCapValTable[6]
0x0C35 0x20 # Program the g_tCapValTable[7]
0x0C8D 0x0C #Code Patch
0x4BD7 0x4F # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
0x4C2B 0x1B # RCV Power On - v0.8
0x4C51 0x4A # Description: This script could be used to put the FM IP in RCV mode
0x4CA0 0x19 # Author: Manav
0x4CBE 0x17 # Date: Dec 29, 2007
0x4CDA 0x14 # Changes:
0x4CFA 0x20 # 0] Dec'29 2007 - Initial Edits
0x4D1F 0x43 # 1] Jan'31 2008 - Clean up - Moved register settings to code patch
0x4D67 0x1C # 2] Mar'15 2008 - No Change
0x4D8E 0x2E # Notes: Use this script after running FM Init
0x4DC1 0x50 # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
0x4E20 0x22 # Putting the Synth in Closed Loop
0x4E70 0x57 # Select if RDS is needed (Make fm_rcv_mode =3 for RDS and FM and =1 for only FM Audio)
0x4ECC 0x10 #fm_rcv_mode = 3
0x4EEF 0x52 # RCV POWER ON API (Arg = 3 for both FM Audio and RDS / Arg = 1 for only FM Audio)
0x4F6B 0x0E #Audio Enable.
0x4F7E 0x31 #Send_HCI_VS_I2C_Write_to_FM 0xFD35, 0x1D, 0x0002
0x4FB4 0x4C #Wait_HCI_Command_Complete_VS_I2C_Write_to_FM_Event 5000, 0x00, 0xfd35, 0x00
In fact these inits are for the WiLink 6.0 mobile platform WL1271/WL1273 (WLAN 802.11 a/b/g, Bluetooth v2.1 + EDR, FM).
Debug strings in tiinit_5.3.53.bts:
Code:
0x24 0x52 #--------------------------------------------------------------------------------
0x7B 0x37 # Description : BRF6350 2.11 ROM Initialization Script
0xBE 0x22 # Compatibility: BRF6350 2.11 ROM
0xEC 0x29 # Last Updated: 14-Dec-2009 15:39:50.51
0x0121 0x1D # Version : TI_P2_11.158
0x014A 0x4D # Notes : Use this script on BRF6350 2.11 ROM device only (FW v3.0.53)
0x019C 0x52 #--------------------------------------------------------------------------------
0x36C6 0x65 #####################################################################################################
0x3730 0x65 ############## BEGIN POWER TABLE SECTION ##########################################################
0x379A 0x65 #####################################################################################################
0x3D07 0x65 #####################################################################################################
0x3D71 0x65 ############## END POWER TABLE SECTION ############################################################
0x3DDB 0x65 #####################################################################################################
0x3F63 0x3E ##############################################################
0x3FA6 0x3E #### This portion of the Init Script is for custom use. #####
0x3FE9 0x3E #### Enable/Disable as required for the actual platform. #####
0x402C 0x3E ##############################################################
0x4074 0x5C ############ Fast Clock Configuration - Disable Crystal ##############################
0x40DB 0x35 # When Crystal in use - please remove this command.
0x4115 0x4C # Please refer to BT-SW-0030 Vendor Specific document for more information.
0x419A 0x42 #-----------------------------------------------------------------
0x41EB 0x18 # Enable Protocol Viewer
0x4208 0x42 #-----------------------------------------------------------------
0x4270 0x42 #-----------------------------------------------------------------
0x42C1 0x1B # Initialize voice settings
0x42E1 0x42 #-----------------------------------------------------------------
0x436A 0x51 #Send_HCI_VS_Write_CODEC_Configuration 0xFF08, 0x01, 0x00, 0x19, 0x19, 0x19, 0x01
0x43C0 0x56 #Wait_HCI_Command_Complete_VS_Write_CODEC_Configuration_Event 5000, 0x00, 0xff08, 0x00
0x4420 0x4D # Set inactivity timer to 320 frames - 400 msec (recommended for most hosts)
0x4472 0x6A # value may be reduced in accordance to host limitations for power saving (default: 80 frames - 100msec).
0x4506 0x2D # Accept PA_SD signaling from WLAN during TX
0x456F 0x15 # Enable co-existence
0x4589 0x42 #-----------------------------------------------------------------
0x45D0 0xAB #Send_HCI_VS_Write_Wlan_Configuration 0xFD1D, 0x04, 0x01, 0x05e9, 0x0000, 0x00, 0x00, "FF:FF:FF:FF:FF:FF:FF:FF:FF:FF", 0x04, 0x01, 0x00, 0x01, 0x02, 0x01, 0x00, 0xff, 0x00
0x4680 0x55 #Wait_HCI_Command_Complete_VS_Write_Wlan_Configuration_Event 5000, 0x00, 0xfd1d, 0x00
0x46DA 0x26 #set IO17 to be the BT RF-Activity pin
0x473B 0x22 # 0x5e8 - remove SCO from Priority
0x4762 0xAB #Send_HCI_VS_Write_Wlan_Configuration 0xFD1D, 0x04, 0x01, 0x05e8, 0x0000, 0x00, 0x00, "FF:FF:FF:FF:FF:FF:FF:FF:FF:FF", 0x05, 0x01, 0x00, 0x01, 0x02, 0x01, 0x00, 0xff, 0x00
0x4812 0x55 #Wait_HCI_Command_Complete_VS_Write_Wlan_Configuration_Event 5000, 0x00, 0xfd1d, 0x00
0x4876 0x18 # HCI_VS_Set_DDIP_Params
0x48BE 0x18 # Enable deep sleep mode
It seems this init could be used after brf6350.bin has been loaded on the HTC Hero.
Debug Strings in avpr.bts:
Code:
0x24 0x52 #--------------------------------------------------------------------------------
0x7B 0x37 # Description: BRF6450 AVPR FW Initialization Script
0xBE 0x21 # Compatibility: BRF6450 PG1 ROM
0xEB 0x2A # Last Updated: 30-Jun-2008 19:06:31.35
0x0121 0x15 # Version: 1.1
0x0142 0x52 #--------------------------------------------------------------------------------
0x019E 0x11 #Mask All domains
0x01DA 0x39 #Issue Switch On command (all domains - including wibree)
0x023E 0x29 #turn on COREX clock (should read 0xnnn9)
0x0292 0x31 # Cortex Reset (hold in reset while loading IMEM)
0x8FB4 0x15 #release Cortex Reset
This init is used for the newer BRF6450 chipset.
HTC Tools for WM (which enables HTC Diamond, HTC Raphael, etc. to test FM radio) includes some FM init scripts.
Debug Strings in FMInit_2.bts:
Code:
0x24 0x52 #--------------------------------------------------------------------------------
0x7B 0x35 # Description : BRF6350 2.0 FW 2.34 FM Initialization
0xBC 0x33 # Compatibility: BRF6350 2.0 ROM w/ 2.0.34 Firmware
0xFB 0x1C # Last Updated: 14-Feb-2007
0x0123 0x13 # Version : 2.2
0x0142 0x43 # Notes : Required after runnung BRF6350 Bluetooth Initscript
0x018A 0x52 #--------------------------------------------------------------------------------
0x01E6 0x07 # FM ON
Debug Strings in FM_on_2_0.bts:
Code:
0x24 0x1C #log "FM_ON" (default 32KHz)
0x66 0x1C #log "FM_ON" (Optional FREF)
0x87 0x28 #Send_HCI_VS_I2C_FM_POWER_MODE 0xFD37, 1
0xB4 0x5F #Wait_HCI_Command_Complete_VS_I2C_FM_POWER_MODE_Event 5000, any, HCI_VS_I2C_FM_POWER_MODE, 0x00
0x0122 0x09 #SW patch
0x0130 0x20 # No FW patch defined for D2_11
0x015F 0x2D # Changes recommended by the AFE team - V0.1
0x01DF 0x0D #ADC settings
0x0297 0x15 #power on: FM and RDS
Debug Strings in FM_on_2_1.bts:
Code:
0x24 0x52 #--------------------------------------------------------------------------------
0x7B 0x2E # Description : BRF6350 2.11 FM Initialization
0xB5 0x21 # Compatibility: BRF6350 2.11 ROM
0xE2 0x1C # Last Updated: Oct 10, 2007
0x010A 0x13 # Version : 3.7
0x0129 0x15 # Author : Manav
0x0149 0x45 # Notes : Required after runnung BRF6350 Bluetooth Initscript.
0x0193 0x2F # Includes FM Register Patch v0.5
0x01C7 0x52 #--------------------------------------------------------------------------------
0x0223 0x44 # ------------------------------------------------------------------
0x026C 0x07 # FM ON
0x0278 0x44 # ------------------------------------------------------------------
0x02E7 0x44 # ------------------------------------------------------------------
0x0330 0x3A # Note: Delay of 20ms is required in after FM Power ON API
0x036F 0x40 # Checksum command has been used to create required delay.
0x03B4 0x44 # ------------------------------------------------------------------
0x03FD 0x09 #sleep 20
0x3839 0x06 x *yx
0x3F61 0x44 # ------------------------------------------------------------------
0x3FAA 0x39 # Note: Delay of ~4ms is required in after RESET command.
0x3FE8 0x40 # Checksum command has been used to create required delay.
0x402D 0x44 # ------------------------------------------------------------------
0x4076 0x09 #sleep 40
0x4586 0x44 # ------------------------------------------------------------------
0x45CF 0x42 # Un-mark SWITCH2FREF command below when working with FREF for FM
0x4616 0x2E # Default : FM on 32K (command below remarked)
0x4649 0x44 # ------------------------------------------------------------------
0x4692 0x2B # Send_HCI_VS_I2C_Write_to_FM 0xFD35, 36, 1
0x46C2 0x5C # Wait_HCI_Command_Complete_VS_I2C_Write_to_FM_Event 5000, any, HCI_VS_I2C_Write_to_FM, 0x00
0x4728 0x44 # ------------------------------------------------------------------
0x4771 0x18 # FM Register Patch v0.5
0x478E 0x44 # ------------------------------------------------------------------
0x4872 0x44 # ------------------------------------------------------------------
0x48BB 0x1E # FM Register Patch v0.5 (End)
0x48DE 0x44 # ------------------------------------------------------------------
0x4954 0x15 # Power on FM and RDS
0x4993 0x44 # ------------------------------------------------------------------
0x49DC 0x42 # Note: Delay of 30ms is required in after FM POWER ON RCV command
0x4A23 0x40 # Checksum command has been used to create required delay.
0x4A68 0x44 # ------------------------------------------------------------------
0x4AB1 0x0A # sleep 30
0x4AE2 0x20 # Enable Dynamic LNA mode switch
Stolen from the Xperia X1 ROM, this init is basically the same as on the HTC Hero (tiinit_5.3.53.bts).
Debug strings in TIInit_5_3_53.bts (Xperia X1):
Code:
0x24 0x52 #--------------------------------------------------------------------------------
0x7B 0x37 # Description : BRF6350 2.11 ROM Initialization Script
0xBE 0x22 # Compatibility: BRF6350 2.11 ROM
0xEC 0x29 # Last Updated: 04-Mar-2008 1:32:43.58
0x0121 0x1C # Version : TI_P2_11.34
0x0149 0x4D # Notes : Use this script on BRF6350 2.11 ROM device only (FW v3.0.53)
0x019B 0x52 #--------------------------------------------------------------------------------
0x01F7 0x51 #--------------------------------------------------------------------------------
0x0257 0x24 # Update the Baudrate to 4000000 bps
0x0280 0x51 #--------------------------------------------------------------------------------
0x0301 0x51 #--------------------------------------------------------------------------------
0x2A99 0x65 #####################################################################################################
0x2B03 0x65 ############## BEGIN POWER TABLE SECTION ##########################################################
0x2B6D 0x65 #####################################################################################################
0x3191 0x65 #####################################################################################################
0x31FB 0x65 ############## END POWER TABLE SECTION ############################################################
0x3265 0x65 #####################################################################################################
0x335E 0x5A # SW bypass for spikes on IOs - Leave HCI TX, RX, CTS, RTS and BT_Wakeup during deep sleep
0x3408 0x3E ##############################################################
0x344B 0x3E #### This portion of the Init Script is for custom use. #####
0x348E 0x3E #### Enable/Disable as required for the actual platform. #####
0x34D1 0x3E ##############################################################
0x3519 0x57 ############ Enable Protocol Viewer ###############################################
0x3596 0x54 ############ Change baudrate example ###############################################
0x35F5 0x3D # Example below changes baudrate to 921k (16mHz system clock)
0x3637 0x58 # For other baudrates and system frequencies please contact your support representative.
0x3694 0x49 # Please note that the VS_Set_Uart_HCI_Baudrate_Island3 has replaced the
0x36E2 0x3A # HCI_VS_Update_Uart_HCI_Baudrate vendor specific command.
0x372C 0x3E #Send_HCI_VS_Set_Uart_HCI_Baudrate_Island3 0xFD38, 2, 17, 0, 7
0x376F 0x77 #Wait_HCI_Command_Complete_VS_Set_Uart_HCI_Baudrate_Island3_Event 5000, any, HCI_VS_Set_Uart_HCI_Baudrate_Island3, 0x00
0x37F0 0x42 #-----------------------------------------------------------------
0x3841 0x1B # Initialize voice settings
0x3861 0x42 #-----------------------------------------------------------------
0x38EA 0x42 #-----------------------------------------------------------------
0x393B 0x15 # Enable co-existence
0x3955 0x42 #-----------------------------------------------------------------
0x39D7 0x56 ############ Sleep Mode Setup ##################################################
0x3A32 0x4D # Set inactivity timer to 320 frames - 400 msec (recommended for most hosts)
0x3A84 0x6A # value may be reduced in accordance to host limitations for power saving (default: 80 frames - 100msec).
0x3AF3 0x3A #Send_HCI_VS_hcill_parameters 0xFD2B, 0x0640, 0xffff, 0xff
0x3B32 0x4D #Wait_HCI_Command_Complete_VS_hcill_parameters_Event 5000, 0x00, 0xfd2b, 0x00
0x3B89 0x0F #deep sleep: 2s
0x3BC7 0x63 # Default Settling time of 15ms may be reduced in accordance to design requirments for power saving
0x3C2F 0x2C #Send_HCI_VS_Set_Settling_Time 0xFF79, 15000
0x3C60 0x5F #Wait_HCI_Command_Complete_VS_Set_Settling_Time_Event 5000, any, HCI_VS_Set_Settling_Time, 0x00
0x3CC9 0x2B # Enable deep sleep with default parameters
Debug strings in TIInit_5_2_34.bts (Xperia X1):
Code:
0x24 0x52 #--------------------------------------------------------------------------------
0x7B 0x37 # Description : BRF6350 2.34 ROM Initialization Script
0xBE 0x22 # Compatibility: BRF6350 2.34 ROM
0xEC 0x29 # Last Updated: 08-Mar-2007 20:15:32.73
0x0121 0x17 # Version : P11.11
0x0144 0x2F # RAM consumption : 2892B used, 328B available
0x017F 0x25 # Patch entries : used 14 out of 24
0x01B0 0x4D # Notes : Use this script on BRF6350 2.34 ROM device only (FW v2.0.34)
0x0202 0x52 #--------------------------------------------------------------------------------
0x025E 0x51 #--------------------------------------------------------------------------------
0x02BE 0x24 # Update the Baudrate to 4000000 bps
0x02E7 0x51 #--------------------------------------------------------------------------------
0x0368 0x51 #--------------------------------------------------------------------------------
0x3511 0x57 ############ Enable Protocol Viewer ###############################################
0x356D 0x30 #Send_HCI_VS_Enable_Protocol_Viewer 0xFF68, 0x01
0x35A2 0x53 #Wait_HCI_Command_Complete_VS_Enable_Protocol_Viewer_Event 5000, 0x01, 0xff68, 0x00
0x35FF 0x42 #-----------------------------------------------------------------
0x3650 0x1B # Initialize voice settings
0x3670 0x42 #-----------------------------------------------------------------
0x36F9 0x42 #-----------------------------------------------------------------
0x374A 0x15 # Enable co-existence
0x3764 0x42 #-----------------------------------------------------------------
0x37E6 0x56 ############ Sleep Mode Setup ##################################################
0x3841 0x42 #-----------------------------------------------------------------
0x3892 0x18 # Enable Deep Sleep Mode
0x38AF 0x4D # Set inactivity timer to 320 frames - 400 msec (recommended for most hosts)
0x3901 0x6A # value may be reduced in accordance to host limitations for power saving (default: 80 frames - 100msec).
0x3970 0x42 #-----------------------------------------------------------------
0x39B7 0x3A #Send_HCI_VS_hcill_parameters 0xFD2B, 0x0140, 0xffff, 0xff
This is also included in the Xperia stock ROM but used with a firmware for the BRF6300 chipset. This chipset has no FM support.
Debug strings in TIInit_4_2_38.bts (Xperia X1):
Code:
0x24 0x52 #--------------------------------------------------------------------------------
0x7B 0x37 # Description : BRF6300 1.31 ROM Initialization Script
0xBE 0x22 # Compatibility: BRF6300 1.31 ROM
0xEC 0x29 # Last Updated: 30-Sep-2007 18:14:28.93
0x0121 0x21 # Version : DVM_BOOST_P13.48
0x014E 0x4D # Notes : Use this script on BRF6300 1.31 ROM device only (FW v2.0.38)
0x01A0 0x52 #--------------------------------------------------------------------------------
0x01FC 0x51 #--------------------------------------------------------------------------------
0x025C 0x24 # Update the Baudrate to 4000000 bps
0x0285 0x51 #--------------------------------------------------------------------------------
0x2921 0x5C ############# DEVM output power threshold. Please see release note for further information.
0x2A19 0x08 €€€€€€€€
0x2A4B 0x08 €€€€€€€€
0x2A7D 0x08 €€€€€€€€
0x2AAF 0x08 €€€€€€€€
0x2B0E 0x09 €€€€€€€€€
0x4745 0x65 #####################################################################################################
0x47AF 0x65 ############## BEGIN POWER TABLE SECTION ##########################################################
0x4819 0x65 #####################################################################################################
0x50C4 0x65 #####################################################################################################
0x512E 0x65 ############## END POWER TABLE SECTION ############################################################
0x5198 0x65 #####################################################################################################
0x532C 0x3E ##############################################################
0x536F 0x3E #### This portion of the Init Script is for custom use. #####
0x53B2 0x3E #### Enable/Disable as required for the actual platform. #####
0x53F5 0x3E ##############################################################
0x543D 0x5C ############ Fast Clock Configuration - Disable Crystal ##############################
0x54A4 0x35 # When Crystal in use - please remove this command.
0x54DE 0x4C # Please refer to BT-SW-0030 Vendor Specific document for more information.
0x5563 0x57 ############ Enable Protocol Viewer ###############################################
0x55E0 0x54 ############ Change baudrate example ###############################################
0x563F 0x3D # Example below changes baudrate to 921k (16mHz system clock)
0x5681 0x41 # For other baudrates and system frequencies please use the UART
0x56C7 0x51 # Baudrate Calculator tool. Please note that the VS_Set_Uart_HCI_Baudrate_Island3
0x571D 0x4B # has replaced the HCI_VS_Update_Uart_HCI_Baudrate vendor specific command.
0x5778 0x3E #Send_HCI_VS_Set_Uart_HCI_Baudrate_Island3 0xFD38, 2, 17, 0, 7
0x57BB 0x77 #Wait_HCI_Command_Complete_VS_Set_Uart_HCI_Baudrate_Island3_Event 5000, any, HCI_VS_Set_Uart_HCI_Baudrate_Island3, 0x00
0x583C 0x56 ############ Sleep Mode Setup ##################################################
0x589C 0x4D # Set inactivity timer to 320 frames - 400 msec (recommended for most hosts)
0x58EE 0x6A # value may be reduced in accordance to host limitations for power saving (default: 80 frames - 100msec).
0x595D 0x3A #Send_HCI_VS_hcill_parameters 0xFD2B, 0x0140, 0xffff, 0xff
0x599C 0x4D #Wait_HCI_Command_Complete_VS_hcill_parameters_Event 5000, 0x00, 0xfd2b, 0x00
0x59F3 0x63 # Default Settling time of 15ms may be reduced in accordance to design requirments for power saving
0x5A5B 0x2C #Send_HCI_VS_Set_Settling_Time 0xFF79, 15000
0x5A8C 0x5F #Wait_HCI_Command_Complete_VS_Set_Settling_Time_Event 5000, any, HCI_VS_Set_Settling_Time, 0x00
0x5AF5 0x2B # Enable deep sleep with default parameters
0x5B25 0x53 #Send_HCI_VS_Sleep_Mode_Configurations 0xFD0C, 1, 1, 0xFF, 0xFF, 0xFF, 0xFF, 0, 100
0x5B7D 0x6F #Wait_HCI_Command_Complete_VS_Sleep_Mode_Configurations_Event 5000, any, HCI_VS_Sleep_Mode_Configurations, 0x00
0x5BF6 0x42 #-----------------------------------------------------------------
0x5C47 0x28 # Initialize voice settings for 7500 PCM
0x5C74 0x42 #-----------------------------------------------------------------
0x5CFD 0x42 #-----------------------------------------------------------------
0x5D4E 0x15 # Enable co-existence
0x5D68 0x42 #-----------------------------------------------------------------
0x5E68 0x42 #-----------------------------------------------------------------
0x5EB9 0x18 # Enable Deep Sleep Mode
0x5ED6 0x4D # Set inactivity timer to 320 frames - 400 msec (recommended for most hosts)
0x5F28 0x6A # value may be reduced in accordance to host limitations for power saving (default: 80 frames - 100msec).
0x5F97 0x42 #-----------------------------------------------------------------
0x5FDE 0x3A #Send_HCI_VS_hcill_parameters 0xFD2B, 0x0140, 0xffff, 0xff
0x601D 0x3A #Send_HCI_VS_hcill_parameters 0xFD2B, 0x1f40, 0xffff, 0xff
0x605C 0x4D #Wait_HCI_Command_Complete_VS_hcill_parameters_Event 5000, 0x00, 0xfd2b, 0x00
Sorry for this extensive post, but I wanted to put it down here for completeness.
Regards,
scholbert
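Added example, not code from the original posts and not TI's or BlueZ's own code: a small walker for the .bts container that reproduces the "offset, length, remark" listings above and, more usefully, pulls out the vendor-specific HCI opcodes a script would push into the controller during boot. That is the check worth running before dropping a .bts file taken from another device's ROM into /etc/firmware, since every type-1 action is a raw command the chip executes without further review. The container layout is an assumption taken from memory of BlueZ's hciattach_ti.c (32-byte "BTSB" header, then uint16 type / uint16 size / payload actions with types 1..6); the sample blob is constructed inline and its first remark lands at 0x24, the same offset as in the dumps above.

```python
"""Walk a TI .bts init script and list what it would do to the controller.

Added example; this is not code from the original post, nor TI's or BlueZ's.
Assumed container layout (from memory of BlueZ's hciattach_ti.c, so treat it
as an assumption): a 32-byte header ("BTSB" magic, uint32 version, 24 reserved
bytes) followed by actions, each a little-endian uint16 type, uint16 size and
`size` bytes of payload. Assumed action types: 1 = send HCI command,
2 = wait for event, 3 = serial-port settings, 4 = delay, 5 = run script,
6 = remark (the '#' lines dumped in the listings above).
"""
import struct

BTS_MAGIC = b"BTSB"
HEADER_LEN = 32
ACT_SEND, ACT_WAIT, ACT_SERIAL, ACT_DELAY, ACT_RUN, ACT_REMARK = range(1, 7)


def parse_bts(blob):
    """Return [(payload_offset, type, payload), ...]; reject truncated files."""
    if blob[:4] != BTS_MAGIC:
        raise ValueError("not a BTS file (bad magic)")
    actions, pos = [], HEADER_LEN
    while pos + 4 <= len(blob):
        atype, size = struct.unpack_from("<HH", blob, pos)
        payload = blob[pos + 4:pos + 4 + size]
        if len(payload) != size:
            raise ValueError("truncated action at 0x%x" % pos)
        actions.append((pos + 4, atype, payload))
        pos += 4 + size
    return actions


def remarks(blob):
    """(offset, strlen, text) per remark, the shape of the listings in the post."""
    out = []
    for off, atype, payload in parse_bts(blob):
        if atype == ACT_REMARK:
            text = payload.split(b"\0", 1)[0].decode("ascii", "replace")
            out.append((off, len(text), text))
    return out


def hci_commands(blob):
    """Decode type-1 actions as H4 command packets: (opcode, parameter bytes).
    Assumed payload layout: 0x01 indicator, uint16 LE opcode, uint8 length, params."""
    out = []
    for _, atype, payload in parse_bts(blob):
        if atype != ACT_SEND or len(payload) < 4 or payload[0] != 0x01:
            continue
        opcode, plen = struct.unpack_from("<HB", payload, 1)
        out.append((opcode, payload[4:4 + plen]))
    return out


def vendor_opcodes(blob):
    """Vendor-specific commands use OGF 0x3F, i.e. opcode >> 10 == 0x3F."""
    return sorted({op for op, _ in hci_commands(blob) if op >> 10 == 0x3F})


def _action(atype, payload):
    return struct.pack("<HH", atype, len(payload)) + payload


def build_sample():
    """Constructed three-action blob resembling fm_rx_init (not a real TI file)."""
    header = BTS_MAGIC + struct.pack("<I", 1) + b"\0" * 24
    remark = b"# Description: This script could be used to put the FM IP in RCV mode\0"
    # Send_HCI_VS_I2C_FM_POWER_MODE 0xFD37, 1  ->  H4 command with one parameter byte
    cmd = b"\x01" + struct.pack("<HB", 0xFD37, 1) + b"\x01"
    wait = struct.pack("<IIH", 5000, 0, 0xFD37)  # only type/size matter for this walker
    return header + _action(ACT_REMARK, remark) + _action(ACT_SEND, cmd) + _action(ACT_WAIT, wait)


if __name__ == "__main__":
    blob = build_sample()
    for off, n, text in remarks(blob):
        print("0x%X 0x%X %s" % (off, n, text))
    print("vendor-specific opcodes sent:", ["0x%04X" % op for op in vendor_opcodes(blob)])
```

Run it against a real file with `parse_bts(open("tiinit_5.3.53.bts", "rb").read())`; if the magic or size fields do not line up the parser raises instead of guessing, which is the behaviour you want for a blob of unknown origin. The length column differs from the listings by the trailing NUL, which the remark action stores but `strings`-style dumps drop.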
So here I go.
I've been at this for a few days now, and made little to no progress other than further identifying what I believe the cause of my troubles is.
I had this phone rooted / S-off'ed previously, but had the dreaded M4G2DE eMMC die on me.
So I shipped my phone away and got it back (covered under warranty, with the "VOID" sticker in the battery compartment removed to boot!).
Now, however, I'm stuck trying to downgrade. I've followed the guides here and here, re-made my goldcard 2-3 times, and re-tried the process a few times as well.
I've checked the md5 sum of my PC10IMG.zip, which matches the listed one of "2ff42897cd27e0db425a2cf36c8bd078" from the second link, and regardless of what I do, I seem to run into the same issue.
Upon booting into the bootloader, the phone will scan PC10IMG.zip, verify it, then generate the following:
Code:
Model ID Incorrect!
Update Fail!
Press <POWER> to reboot.
Now, for the info I have. My bootloader specs are as follows:
Code:
VISION PVT SHIP S-ON
HBoot-0.85.0013
Microp-0425
Radio-26.10.04.12_M
eMMC-boot
Apr 11 2011, 23:36:27
Software Specs:
Code:
Android Version 2.3.3
HTC Sense Version 2.1
Baseband version 12.57.60.25U_26.10.04.12_M
Kernel Version
2.6.35.10-g7b95729
[email protected] #1
Mon Jun 13 10:34:37 CST 2011
Build Number
2.42.666.8 CL94386 release-keys
Software Number
2.42.666.8
And, in case it might help, this is the info obtained upon doing a fastboot oem boot.
Code:
... INFOsetup_tag addr=0xA0000100 cmdline add=0x8D0878FC
INFOTAG:Ramdisk OK
INFOTAG:smi ok, size = 0
INFOTAG:hwid 0x0
INFOTAG:skuid 0x25203
INFOTAG:hero panel = 0xF
INFOTAG:engineerid = 0x4
INFOMCP dual-die
INFOMCP dual-die
INFOTAG:mono-die = 0x0
INFODevice CID is not super CID
INFOCID is BM___001
INFOsetting->cid::BM___001
INFOserial number: SH0C####### {#'s entered in by me}
INFOcommandline from head: no_console_suspend=1
INFOcommand line length =492
INFOactive commandline: board_vision.disable_uart2=0 board_visio
INFOn.usb_h2w_sw=0 board_vision.disable_sdcard=0 diag.enabled=0
INFOboard_vision.debug_uart=0 smisize=0 userdata_sel=0 androidbo
INFOot.emmc=true androidboot.baseband=26.10.04.12_M androidboot
INFO.cid=BM___001 androidboot.batt_poweron=good_battery androidb
INFOoot.carrier=BM androidboot.mid=PC1012000 androidboot.keycaps
INFO=qwerty androidboot.mode=normal androidboot.serialno=SH0CRRV
INFO00350 androidboot.bootloader=0.85.0013 zygote_oneshot=off km
INFOemleak=off no_console_suspend=1
INFOaARM_Partion[0].name=misc
INFOaARM_Partion[1].name=recovery
INFOaARM_Partion[2].name=boot
INFOaARM_Partion[3].name=system
INFOaARM_Partion[4].name=cache
INFOaARM_Partion[5].name=userdata
INFOaARM_Partion[6].name=devlog
INFOaARM_Partion[7].name=pdata
INFOpartition number=8
INFOValid partition num=8
INFOjump_to_kernel: machine_id(2245), tags_addr(0x4000100), kern
INFOel_addr(0x4008000)
INFO-------------------hboot boot time:11207 msec
FAILED (status read failed (Too many links))
I'm not a complete noob here, but I'm by no means a dev.
Is there any advice that you might have for me?
Thanks
If you come into the #g2root channel on freenode irc we have a new goldcard tool, which should help.
-Nipqer
Thanks again Nip.
Turns out I messed up my GC creation. Shows what a few nights of little sleep will do to following a simple guide.
Hi,
I stumbled upon this a few days back:
http://bloggingthemonkey.blogspot.de/2014/06/fire-in-root-hole.html
This describes a CVE that Rob Clark discovered earlier this year. He did not create a root method using this as Towelroot was still working back then. He published some proof of concept code though:
https://github.com/robclark/kilroy
Now, Qualcomm created patches to fix this and published them here:
https://www.codeaurora.org/projects...can-change-the-iommu-page-table-cve-2014-0972
It also has been fixed in the official Android source:
https://android.googlesource.com/kernel/msm/+/android-4.4w_r8/drivers/gpu/msm/adreno.c (see Log)
I downloaded the latest source that Amazon provided for the FireTV:
https://kindle-src.s3.amazonaws.com/firetv_src_51.1.3.0_user_513011820.tar.bz2
The Linux kernel sources in there all have a timestamp from June 2014, I assume this is when they created this source bundle.
However, for example, adreno.c still has a copyright notice from only 2013. It looks like Amazon is working with older source code here. I also searched for the added lines of the patch and cannot find them in there.
Please note that the latest FireTV firmware's source is not yet published, so there is a possibility that this is fixed in the latest versions. I'm hopeful however, that it might very well not be fixed, as they seem to use some old kernel branch even in mid-2014.
My FireTV did not arrive yet unfortunately, but I hope this can help to root mine and many others!
Could someone please compile the proof-of-concept code and check it out on a FireTV running a recent version?
Ask geohot maybe he can
Wish I could be more helpful but I tried to compile it and somehow it doesn't work out.
I've built it, pushed it over to /data/local/tmp, chmod 755 but all I get is "not executable: magic 7F45". There seems to be something wrong with my toolchain. Maybe it's because I'm using Windows... Tried to use the NDK and followed the last post over there: http://stackoverflow.com/questions/6745064/how-to-run-arm-binary-on-android-platform
At least there is something I can provide to you, the CONFIG_KGSL_PER_PROCESS_PAGE_TABLE parameter is set to y in the kernel config for version 51.1.3.0_user_513011820.
And I attached the files that are needed to compile kilroy for version 51.1.3.0_user_513011820. Note I have modified the msm_ion.h from #include <ion.h> to #include "ion.h" so it finds the file in the same directory.
Hopefully someone with a bit more knowledge (and the right operating system) could check this out!
g4rb4g3 said:
Wish I could be more helpful but I tried to compile it and somehow it doesn't work out.
I've built it, pushed it over to /data/local/tmp, chmod 755 but all I get is "not executable: magic 7F45". There seems to be something wrong with my toolchain. Maybe it's because I'm using Windows... Tried to use the NDK and followed the last post over there: http://stackoverflow.com/questions/6745064/how-to-run-arm-binary-on-android-platform
At least there is something I can provide to you, the CONFIG_KGSL_PER_PROCESS_PAGE_TABLE parameter is set to y in the kernel config for version 51.1.3.0_user_513011820.
And I attached the files that are needed to compile kilroy for version 51.1.3.0_user_513011820. Note I have modified the msm_ion.h from #include <ion.h> to #include "ion.h" so it finds the file in the same directory.
Hopefully someone with a bit more knowledge (and the right operating system) could check this out!
Cool, thanks.
Are you running v5.1.1.3.0 on your FireTV? If yours is newer I could imagine that you need to compile the binary statically. This way it should no longer depend on the library versions currently installed.
freezer2k said:
Cool, thanks.
Are you running v5.1.1.3.0 on your FireTV? If yours is newer I could imagine that you need to compile the binary statically. This way it should no longer depend on the library versions currently installed.
Click to expand...
Click to collapse
Yes my FTV is running on this version. I compiled it static already but it doesn't work...
Finally I was able to compile it, I used the Terminal IDE and compiled it on the FTV.
But I don't know if it works the right way... when I execute it suddenly every connection breaks down and the FTV restarts after a few seconds. I don't know how to prove that it worked out the way we want it to...
I had to make the following changes to the source files to compile it:
kilroy.h:
change line 24 from
Code:
#include <sys/unistd.h>
to
Code:
#include <unistd.h>
add
Code:
#define NEW_ION
kilroy.c
change line 350 from
Code:
CHK((ion_fd = open("/dev/ion", O_RDONLY|O_DSYNC, 0)) < 0);
to
Code:
CHK((ion_fd = open("/dev/ion", O_RDONLY|O_SYNC, 0)) < 0);
commands used to compile it (start Terminal IDE app and launch telnetd to connect from your pc):
Code:
terminal-gcc -c ./ion.c -o ./ion.o
terminal-gcc -c ./kgsl.c -o ./kgsl.o
terminal-gcc -c ./kilroy.c -o ./kilroy.o
terminal-gcc -o ./kilroy ./ion.o ./kgsl.o ./kilroy.o
I have attached the compiled file, extract it, push it to /data/local/tmp, chmod 755 it and start it.
Maybe someone can find out if this is helpful for us or not.
g4rb4g3 said:
Finally I was able to compile it, I used the Terminal IDE and compiled it on the FTV.
But I don't know if it works the right way... when I execute it suddenly every connection breaks down and the FTV restarts after a few seconds. I don't know how to prove that it worked out the way we want it to...
Did you have adb debug output running during execution? Anything you can see there?
I couldn't resist and just picked up a FireTV @ MediaMarkt in Berlin.
Successfully blocked any updates during the initial setup and my version is now 51.1.3.0_user_513010720 -- so looks like it's even older than 51.1.3.0_user_513011820.
Okay,
just tried running the kilroy binary you provided.
Exactly the same thing happens, the FireTV reboots immediately.
I had adb logcat running in a second window, but no output there.
On a 2nd try I had another shell open writing dmesg to /data/local/tmp/dmesg in a loop every 200ms, but it did not capture anything.
In another local shell window, I ran ping -i 0.1 <FireTV> to ping it every 100ms, the FireTV stopped responding immediately after ./kilroy was started.
Not sure what it is doing, but it seems to manage to crash the box hard. Not sure what this means exactly, should a faulty binary cause a reboot like this? Maybe it did manage to corrupt the memory in some way, causing a system crash?
Will try to compile this on my own, though I'm not an expert on Android. Maybe someone else could give this a shot!
I've written a comment on Rob's blog, maybe he can help us.
http://bloggingthemonkey.blogspot.c...omment=1414359782492&m=1#c4713581984059861436
freezer2k said:
I couldn't resist and just picked up a FireTV @ MediaMarkt in Berlin.
Successfully blocked any updates during the initial setup and my version is now 51.1.3.0_user_513010720 -- so looks like it's even older than 51.1.3.0_user_513011820.
Try rooting it with one of the apps on that FW just for kicks... Since it's not on the list of FWs. You never know..
Y314K said:
Try rooting it with one of the apps on that FW just for kicks... Since it's not on the list of FWs. You never know..
I just installed Towelroot v3 and it just says 'This phone isn't currently supported' when i click on the 'make it ra1n' button.
freezer2k said:
I just installed Towelroot v3 and it just says 'This phone isn't currently supported' when i click on the 'make it ra1n' button.
Ahh.. Was worth a shot. Guess any 51.1.3.0 FW is out of reach. Thanks for trying.
Y314K said:
Ahh.. Was worth a shot. Guess any 51.1.3.0 FW is out of reach. Thanks for trying.
I tried to use the default modstring, this is the ADB output:
I/towelroot( 7479): ************************
I/towelroot( 7479): native towelroot running with pid 7479 params 1337 0 1 0 4 0
I/towelroot( 7479): CPU affinity was 1
I/towelroot( 7479): set CPU affinity 0
I/towelroot( 7479): parsing modstring
I/towelroot( 7479): modstring is valid 0 1 0 4 0
I/towelroot( 7479): i have a client like hookers
But it seems to hang after that, root button stays greyed out and after clicking a bit the app just closes.
SuperSU 2.4.0 won't open at all and 1.9.4 says it can't install the su binary.
freezer2k said:
Okay,
just tried running the kilroy binary you provided.
Exactly the same thing happens, the FireTV reboots immediately.
I had adb logcat running in a second window, but no output there.
On a 2nd try I had another shell open writing dmesg to /data/local/tmp/dmesg in a loop every 200ms, but it did not capture anything.
In another local shell window, I ran ping -i 0.1 <FireTV> to ping it every 100ms, the FireTV stopped responding immediately after ./kilroy was started.
Not sure what it is doing, but it seems to manage to crash the box hard. Not sure what this means exactly, should a faulty binary cause a reboot like this? Maybe it did manage to corrupt the memory in some way, causing a system crash?
Will try to compile this on my own, though I'm not an expert on Android. Maybe someone else could give this a shot!
What do you want to see in the logcat? The program accesses memory and writes a string into it.
As it crashes and reboots the device, I assume that it did not get there and crashed the gpu/cpu before that, and so there is no system log as the cpu resets and not the system. Even if it worked, you won't have seen anything in the logcat - that would be the point where somebody would need to inject proper shellcode into the exploit to use it.
sammy98 said:
What do you want to see in the logcat? The program accesses memory and writes a string into it.
As it crashes and reboots the device, I assume that it did not get there and crashed the gpu/cpu before that, and so there is no system log as the cpu resets and not the system. Even if it worked, you won't have seen anything in the logcat - that would be the point where somebody would need to inject proper shellcode into the exploit to use it.
That's what we want to see, so we can be sure that it worked out the way we want it to.
Code:
Before:
[ 11.974607] ###### victim=c11ac000 (813ac000): ""
After:
[ 33.401709] ###### victim=c11ac000 (813ac000): "Kilroy was here"
g4rb4g3 said:
Thats what we want to see, so we can be sure that it worked out the way we want it to.
Code:
Before:
[ 11.974607] ###### victim=c11ac000 (813ac000): ""
After:
[ 33.401709] ###### victim=c11ac000 (813ac000): "Kilroy was here"
Yeah but it crashed before that and resets the cpu. So no cookies here
sammy98 said:
Yeah but it crashed before that and resets the cpu. So no cookies here
Since no exploit was ever really made from his findings, it's very possible that it could still be used. It's not known if the fix was patched by Amazon.
I caught this yesterday doing a 'while true; do dmesg; done' via ADB and then running ./kilroy:
<6>[ 699.556243] binder: release 5006:5006 transaction 124685 out, still active
<6>[ 699.559326] binder: 639:951 transaction failed 29189, size 4-0
<6>[ 699.559326] binder: send failed reply for transaction 124685, target dead
Also, while streaming a video, kilroy does not kill the box, and this shows up in dmesg:
<3>[ 144.678894] ion_mmap: failure mapping buffer to userspace
Only seems to happen when streaming video, box does crash immediately while the screensaver is running, a game is running etc.
I had a chat with Rob, summing up:
<robclark> ... but basically what you want to do is figure out some kernel fxn to overwrite w/ your own code to give you root.. or maybe some data structure to overwrite... find it's virtual address.. find the offset between some lowmem virtual address and phys address so you can convert the virtual address you want to smash to a phys address to smash..
<robclark> I guess the interrupt vector table is always at a well defined virtual address.. that might be something to attack.. although that might be more tricky because your shell code would have to somehow restore it again at the end..
We tried to check out the physical addresses from /proc/kallsyms; but as non-root all addresses are 0x0, could someone with a similar kernel and root do this and paste it here? Dmesg prints the virtual memory layout, so we have that.
At least on my non-rooted box there is no /proc/last_kmsg, i.e. no dmesg from the previous boot that could contain the output of the crash. Does anyone know how to enable this or something similar?
Hopefully Rob will have some time to help us with this
I will proceed now and set up my own Android build environment.
Okay, I set up the latest Android NDK on Ubuntu 14.04 and made the changes suggested by you, g4rb4g3!
Interestingly enough, the resulting byte size is different from yours, I used the howto from here:
http://stackoverflow.com/questions/6745064/how-to-run-arm-binary-on-android-platform
And then:
$CC -c ./ion.c -o ./ion.o
$CC -c ./kgsl.c -o kgsl.o
$CC -c ./kilroy.c -o kilroy.o
$CC -o ./kilroy ./ion.o ./kgsl.o kilroy.o
Some interesting output:
<2>[51518.474853] kgsl kgsl-3d0: |a3xx_err_callback| CP | Protected mode error| WRITE | addr=1ec
<3>[51518.628448] kgsl kgsl-3d0: |adreno_ft_detect| Proc kilroy2, ctxt_id 4 ts 1 triggered fault tolerance on global ts 1225504
<3>[51518.628601] kgsl kgsl-3d0: RBBM STATUS 80004001 | IB1:10009000/00000000 | IB2: C000B000/00000033 | RPTR: 1D20 | WPTR: 1EB6
<3>[51518.629791] kgsl kgsl-3d0: |push_object| snapshot: Can't find GPU address for 10009000
<3>[51518.629882] kgsl kgsl-3d0: |kgsl_snapshot_get_object| Unable to find GPU buffer C000B500
<3>[51518.639801] kgsl kgsl-3d0: |kgsl_device_snapshot| snapshot created at pa adf00000 size 136036
<3>[51518.639984] kgsl kgsl-3d0: |kgsl_iommu_clk_disable_event| IOMMU disable clock event being cancelled, iommu_last_cmd_ts: 12b322, retired ts: 12b31f
<2>[51518.646911] kgsl kgsl-3d0: |a3xx_err_callback| CP | Protected mode error| WRITE | addr=1ec
<3>[51518.807830] kgsl kgsl-3d0: |adreno_ft_detect| Proc kilroy2, ctxt_id 4 ts 1 triggered fault tolerance on global ts 1225504
<3>[51518.807983] kgsl kgsl-3d0: |adreno_idle| spun too long waiting for RB to idle
<3>[51518.807983] kgsl kgsl-3d0: |_adreno_ft| Replay unsuccessful
<3>[51518.828369] kgsl kgsl-3d0: |adreno_ft| policy 0x6 status 0x0
<3>[51550.911590] init: untracked pid 29017 exited
[email protected]:/data/local/tmp $ ./kilroy2
main:362: ttbr0=a000006a
add_large_mapping:232: pa=a0000000, va=10000000, len=1000000, cached=0
add_large_mapping:232: pa=81000000, va=81000000, len=1000000, cached=1
add_small_mapping:271: pa=07c00000, va=c000c000, len=1000, cached=0
add_small_mapping:271: pa=07d00000, va=c010c000, len=1000, cached=0
add_small_mapping:271: pa=a0008000, va=c000b000, len=1000, cached=0
main:403: cs[0]: 10008000/c000b000 (115 dwords) (limit: c000b1cc)
main:444: buf: 0x40515000 / 10000000
main:448: ibaddrs[0]: 0x4051e000 / 10009000 (152 dwords)
00000000: c0733d00 c000b000 000001ec 00000020 c0002600 00000000 c0001300 00000000
00000020: c0013d00 c000b500 000000a0 c0002600 00000000 c0043c00 00000013 c000b500
00000040: 000000a0 ffffffff ffffffff c0023d00 c000c010 a000006a a000006a c0013d00
00000060: c000b500 000000a7 c0002600 00000000 c0043c00 00000013 c000b500 000000a7
00000080: ffffffff ffffffff c0023d00 c010c010 a000006a a000006a c0013d00 c000b500
000000A0: 000000ae c0002600 00000000 c0043c00 00000013 c000b500 000000ae ffffffff
000000C0: ffffffff c0013d00 c000c000 00000003 c0002600 00000000 c0043c00 00000013
000000E0: c000c000 00000003 ffffffff ffffffff c0013d00 c010c000 00000003 c0002600
00000100: 00000000 c0043c00 00000013 c010c000 00000003 ffffffff ffffffff c0013d00
00000120: c000c800 00000001 c0002600 00000000 c0013d00 c010c800 00000001 c0002600
00000140: 00000000 c0013d00 c000b500 000000b9 c0002600 00000000 c0043c00 00000013
00000160: c000b500 000000b9 ffffffff ffffffff c0002600 00000000 c0001300 00000000
00000180: 000001ec 00000000 c0002600 00000000 c0001300 00000000 c0013d00 c000b500
000001A0: 000000cb c0002600 00000000 c0043c00 00000013 c000b500 000000cb ffffffff
000001C0: ffffffff c0002600 00000000 c0001300 00000000 c0002600 00000000 c0013700
000001E0: c000b000 00000073 c0002600 00000000 c0013700 c000b000 00000073 c0002600
00000200: 00000000 c0002600 00000000 c0004600 00000006 c0043d00 813ac000 726c694b
00000220: 7720796f 68207361 00657265 c0002600 00000000 c0013d00 c000b500 cafebabe
00000240: c0002600 00000000 c0043c00 00000013 c000b500 deadbeef ffffffff ffffffff
[email protected]:/data/local/tmp $
It does not crash my box anymore. Not sure if this was compiled correctly, as I only took the 3 header files from the Amazon package and the rest is from the NDK.
@g4rb4g3
Could you try to run this binary on your box as well, as I'm running a different kernel/firmware, that does not match exactly https://kindle-src.s3.amazonaws.com/firetv_src_51.1.3.0_user_513011820.tar.bz2.
Wonder if that could also be related to changing DSYNC to SYNC in kilroy.c?
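The kgsl lines in the post above can be read from the defender's side: a "CP | Protected mode error| WRITE" event means the GPU command processor refused a write to a register on its protect list, and the adreno_ft_detect line that follows names the process whose context then triggered fault tolerance. Below is an added example of mine (not code from this thread, from kilroy or from the kgsl driver) that scans dmesg text for this pattern and attributes the refused writes to the process named in the next fault-tolerance event, the kind of check a ROM maintainer can run to see which process keeps hitting protected GPU registers. The sample log is constructed from the lines quoted in this post plus one made-up surfaceflinger fault-tolerance event that has no protected-mode error, to show that ordinary GPU hangs are not flagged.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: kgsl lines from this post plus one made-up
# surfaceflinger fault-tolerance event (no protected-mode error before it).
SAMPLE_DMESG = """\
<2>[51518.474853] kgsl kgsl-3d0: |a3xx_err_callback| CP | Protected mode error| WRITE | addr=1ec
<3>[51518.628448] kgsl kgsl-3d0: |adreno_ft_detect| Proc kilroy2, ctxt_id 4 ts 1 triggered fault tolerance on global ts 1225504
<3>[51518.628601] kgsl kgsl-3d0: RBBM STATUS 80004001 | IB1:10009000/00000000 | IB2: C000B000/00000033 | RPTR: 1D20 | WPTR: 1EB6
<3>[51518.639801] kgsl kgsl-3d0: |kgsl_device_snapshot| snapshot created at pa adf00000 size 136036
<2>[51518.646911] kgsl kgsl-3d0: |a3xx_err_callback| CP | Protected mode error| WRITE | addr=1ec
<3>[51518.807830] kgsl kgsl-3d0: |adreno_ft_detect| Proc kilroy2, ctxt_id 4 ts 1 triggered fault tolerance on global ts 1225504
<3>[51518.807983] kgsl kgsl-3d0: |adreno_idle| spun too long waiting for RB to idle
<3>[51518.807983] kgsl kgsl-3d0: |_adreno_ft| Replay unsuccessful
<3>[51518.828369] kgsl kgsl-3d0: |adreno_ft| policy 0x6 status 0x0
<3>[51550.911590] init: untracked pid 29017 exited
<3>[51600.100000] kgsl kgsl-3d0: |adreno_ft_detect| Proc surfaceflinger, ctxt_id 2 ts 77 triggered fault tolerance on global ts 1225600
"""

# <level>[timestamp] kgsl kgsl-3d0: <message>
KGSL_RE = re.compile(r"^<(\d)>\[\s*([\d.]+)\]\s+kgsl kgsl-3d0:\s+(.*)$")
# CP protected-register fault: operation (READ/WRITE) and register offset
PROT_RE = re.compile(
    r"\|a3xx_err_callback\|\s*CP\s*\|\s*Protected mode error\|\s*(\w+)\s*\|\s*addr=([0-9a-fA-F]+)")
# Fault-tolerance event naming the owning process and context
FT_RE = re.compile(r"\|adreno_ft_detect\|\s*Proc (\S+?), ctxt_id (\d+) ts (\d+) triggered fault tolerance")
REPLAY_FAILED = "|_adreno_ft| Replay unsuccessful"


def summarize_kgsl(text: str) -> Dict[str, Dict[str, object]]:
    """Attribute CP protected-mode faults to the process named by the next
    adreno_ft_detect event and count fault-tolerance activity per process."""
    per_proc: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"protected_writes": 0, "ft_events": 0, "addrs": set(), "replay_failed": False})
    pending: List[tuple] = []  # protected-mode faults not yet attributed
    last_proc = None
    for line in text.splitlines():
        m = KGSL_RE.match(line)
        if not m:
            continue  # not a kgsl line (e.g. the init message)
        msg = m.group(3)
        pm = PROT_RE.search(msg)
        if pm:
            pending.append((pm.group(1).upper(), pm.group(2).lower()))
            continue
        fm = FT_RE.search(msg)
        if fm:
            proc = fm.group(1)
            rec = per_proc[proc]
            rec["ft_events"] += 1
            for op, addr in pending:
                if op == "WRITE":
                    rec["protected_writes"] += 1
                    rec["addrs"].add(addr)
            pending = []
            last_proc = proc
            continue
        if REPLAY_FAILED in msg and last_proc is not None:
            per_proc[last_proc]["replay_failed"] = True
    return dict(per_proc)


def suspicious_processes(summary: Dict[str, Dict[str, object]], min_writes: int = 2) -> List[str]:
    """Processes with at least min_writes refused protected-register writes."""
    return sorted(p for p, r in summary.items() if r["protected_writes"] >= min_writes)


if __name__ == "__main__":
    summary = summarize_kgsl(SAMPLE_DMESG)
    for proc, rec in summary.items():
        print(proc, rec)
    print("flagged:", suspicious_processes(summary))
```

On the sample, kilroy2 is attributed two refused writes to register offset 0x1ec with a failed replay afterwards, while surfaceflinger's single hang is counted but not flagged. A process that shows this pattern outside of GPU driver testing is worth a closer look.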
Hi,
the mod threads for the various cm12 builds claim that NFC is working, and there are also several user replies with reports that it works fine. Yet it doesn't work correctly for me, and at least some others: The device reports that NFC is working, I can activate and deactivate it, but accessing cards only works partially or not at all. The funny thing is that after flashing cm12, restoring an old cm11 nandroid backup does not restore NFC functionality. It doesn't matter if I do a clean install/full wipe. With Lollipop TW roms (I've tried XtreStoLite), NFC works fine.
I'll try to keep this top post up to date. Last update: 2015/03/15
We've found the issue that caused the major part of the problems. A configuration file must be adapted to the latest firmware. (update.zip version) This fix has been accepted upstream and is included in nightlies starting from 20150316.
There are cards/tags that still don't work, but do with stock, though. I've tested:
German eID (works)
Mifare Ultralight (works)
Beam (works)
EMV (works)
Mifare Classic (e.g. German "Mensacard", membership card from gym / McFit, ..) does not work. See below for debug output of libnfc-nci.
Hi there,
I have exactly the same problem. NFC doesn't work for me either. My device is a G900F from Germany, bought via Amazon, using Euphoria OS which is based on CM12.
Ah, and just to get that straight, the European G900F is klte without any other letters, right?
This post is obsolete: The problem is very likely not kernel-driver related.
I investigated a bit if the kernel could be the problem. For this, I took the amplitude_rw kernel (based on Samsung's, but available from github) and Ktoonsez's version of the CM12 kernel. Both use the same version of the pn547 driver. The nfc-nci driver differs, but it doesn't make any difference if I copy the files over from the Samsung-based version and recompile. (The driver is disabled in the CM kernel by default anyway, I tried to enable it, of course. If I additionally copy the related .so files from the Samsung rom that doesn't change anything either.) Continuing to investigate the differences, I noticed that the other difference is that the CM kernel has a hack that prevents the bcm2079x from being loaded on non-900P/I variants. I removed that line and noticed that the probe function of the driver did not complain that the device was missing, though from the looks of the code it would if it wasn't there. With that in mind, I tried to copy the bcm2079x firmware, configuration and .so files from a CM12 sprint build, but that didn't resolve the problem either.
More info: I've also compiled Ktoonsez's kernel with NFC_DEBUG set, and enabled the dynamic debug output for the driver. Doesn't look helpful to me, but for the sake of completeness:
Code:
<7>[ 967.651230] pn547_dev_open : 10,60
<6>[ 967.662071] pn547_dev_ioctl power on, irq=1
<6>[ 967.762268] pn547_dev_ioctl power off, irq=0
<6>[ 967.884563] pn547_dev_ioctl power on, irq=1
<6>[ 967.887970] pn547 : + w
<7>[ 967.888021] pn547_dev_write : writing 4 bytes.
<6>[ 967.889048] pn547 : - w
<7>[ 967.889159] pn547_dev_read : reading 3 bytes. irq=0
<6>[ 967.889218] pn547 : + r
<6>[ 967.889264] pn547: wait_event_interruptible : in
<6>[ 967.918905] pn547 : call
<6>[ 967.919127] pn547 : h
<6>[ 967.919655] pn547: i2c_master_recv
<7>[ 967.919741] pn547_dev_read : reading 3 bytes. irq=1
<6>[ 967.919793] pn547 : + r
<6>[ 967.920168] pn547: i2c_master_recv
<6>[ 967.921893] pn547 : + w
<7>[ 967.921938] pn547_dev_write : writing 3 bytes.
<6>[ 967.922314] pn547 : - w
<6>[ 967.922474] pn547 : call
<7>[ 967.922664] pn547_dev_read : reading 3 bytes. irq=1
<6>[ 967.922709] pn547 : + r
<6>[ 967.923138] pn547: i2c_master_recv
.. etc ..
<6>[ 998.860380] pn547: i2c_master_recv
<6>[ 998.873274] pn547_dev_ioctl power off, irq=0
During the log, I've had an NFC test application open and an NFC tag close to the device.
Last, I tried to check what's the problem with copying Samsung's files. If I use their NfcNci.adb, logcat throws
Code:
E/AndroidRuntime( 2655): FATAL EXCEPTION: main
E/AndroidRuntime( 2655): Process: com.android.nfc, PID: 2655
E/AndroidRuntime( 2655): java.lang.NoSuchMethodError: No static method isProductShip()I in class Landroid/os/Debug; or its super classes (declaration of 'android.os.Debug' appears in /system/framework/framework.jar)
E/AndroidRuntime( 2655): at com.android.nfc.NfcService.<clinit>(NfcService.java:164)
E/AndroidRuntime( 2655): at com.android.nfc.NfcApplication.onCreate(NfcApplication.java:61)
E/AndroidRuntime( 2655): at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1011)
E/AndroidRuntime( 2655): at android.app.ActivityThread.handleBindApplication(ActivityThread.java:4553)
E/AndroidRuntime( 2655): at android.app.ActivityThread.access$1600(ActivityThread.java:147)
E/AndroidRuntime( 2655): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1357)
E/AndroidRuntime( 2655): at android.os.Handler.dispatchMessage(Handler.java:102)
E/AndroidRuntime( 2655): at android.os.Looper.loop(Looper.java:135)
E/AndroidRuntime( 2655): at android.app.ActivityThread.main(ActivityThread.java:5256)
E/AndroidRuntime( 2655): at java.lang.reflect.Method.invoke(Native Method)
E/AndroidRuntime( 2655): at java.lang.reflect.Method.invoke(Method.java:372)
E/AndroidRuntime( 2655): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:898)
E/AndroidRuntime( 2655): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:693)
After doing some more digging, I discovered that running
Code:
setprop nfc.nxp_log_level_global 3
as root enables tons of debug messages.
Maybe it's the firmware
Obsolete: This is unlikely. It's only Mifare cards that don't work, and the protocols are, as far as I can see, implemented in the userland library.
I noticed that after enabling NFC, one of the logcat outputs is
Code:
D/NxpHal ( 1081): FW version for FW file = 0x118
D/NxpHal ( 1081): FW version from device = 0x8011f
D/NxpHal ( 1081): FW image older than device's, skip update
Maybe this helps. (Could anyone with working NFC check which FW their device has? Should work the same way: Run setprop.. as root, enable NFC, search logcat output for the FW info, then reset the log level to 0.)
Mifare cards
I further noticed that holding a Mifare card near the antenna does trigger a reaction:
Code:
D/NxpTml ( 2317): PN547 - I2C Read successful.....
D/NxpNciR ( 2317): len = 23 > 61051401808000FF010904000454566739010800000000
D/NxpTml ( 2317): PN547 - Posting read message.....
D/NxpHal ( 2317): read successful status = 0x0
D/NxpHal ( 2317): NxpNci: RF Interface = MIFARE
D/NxpHal ( 2317): NxpNci: Protocol = MIFARE
D/NxpHal ( 2317): NxpNci: Mode = A Passive Poll
D/NxpExtns( 2317): const CNfcParam* CNfcConfig::find(const char*) const found MIFARE_READER_ENABLE=(0x1)
D/NxpTml ( 2317): PN547 - Write requested.....
D/NxpTml ( 2317): PN547 - Invoking I2C Write.....
D/NxpTml ( 2317): PN547 - Read requested.....
D/NxpTml ( 2317): PN547 - Invoking I2C Read.....
D/NxpNciX ( 2317): len = 7 > 20020401800100
D/NxpTml ( 2317): PN547 - I2C Write successful.....
D/NxpTml ( 2317): PN547 - Posting Fresh Write message.....
D/NxpTml ( 2317): PN547 - Tml Writer Thread Running................
D/NxpHal ( 2317): write successful status = 0x0
D/NxpTml ( 2317): PN547 - I2C Read successful.....
D/NxpNciR ( 2317): len = 4 > 40020106
D/NxpTml ( 2317): PN547 - Posting read message.....
D/NxpHal ( 2317): read successful status = 0x0
D/NxpHal ( 2317): > Deinit workaround for LLCP set_config 0x0 0x0 0xa
D/NxpHal ( 2317): phNxpNciHal_print_res_status: response status =STATUS_OK
D/NxpTml ( 2317): PN547 - Read requested.....
D/NxpTml ( 2317): PN547 - Invoking I2C Read.....
But nothing ever shows up in an NFC test app and I have to deactivate and reactivate NFC at this point to scan any of the working smartcards. So likely something in the mifare reader code does not work.
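The NxpNciR/NxpNciX lines above are raw NCI packets (a three-byte header followed by the payload), so the HAL's "RF Interface = MIFARE / Protocol = MIFARE / Mode = A Passive Poll" summary can be reproduced, and extended, by decoding them. The following is an added example of mine (not code from this thread, from libnfc-nci or from NXP) that pulls those packets out of logcat text and decodes the RF_INTF_ACTIVATED_NTF including the NFC-A parameters the HAL does not print, NFCID1 and SEL_RES (SAK), plus the TLVs of the CORE_SET_CONFIG_CMD. The sample lines are copied from the log above; the SAK-to-card-type hints are the common values from NXP's application note AN10833, and the 0x80 interface/protocol codes fall in NCI's proprietary range, which the NXP HAL labels MIFARE.

```python
import re
from typing import Dict, List

# Constructed sample: three lines in the shape of the NxpNciR/NxpNciX logcat
# output in this thread (R = read from the controller, X = written to it).
SAMPLE_LOG = """\
D/NxpNciR ( 2317): len = 23 > 61051401808000FF010904000454566739010800000000
D/NxpNciX ( 2317): len = 7 > 20020401800100
D/NxpNciR ( 2317): len = 4 > 40020106
"""

LINE_RE = re.compile(r"D/NxpNci([RX])\s*\(\s*\d+\):\s*len = (\d+) > ([0-9A-Fa-f]+)")

# NCI 1.0 message type (bits 7..5 of the first header byte).
MT_NAMES = {0: "DATA", 1: "CMD", 2: "RSP", 3: "NTF"}
# (GID, OID) -> message name stem; the suffix comes from the message type.
OPCODES = {(0x0, 0x02): "CORE_SET_CONFIG", (0x1, 0x05): "RF_INTF_ACTIVATED"}
# Standard NCI values; 0x80..0xFE are vendor proprietary (labelled MIFARE by the NXP HAL).
RF_INTERFACES = {0x00: "NFCEE Direct", 0x01: "Frame RF", 0x02: "ISO-DEP", 0x03: "NFC-DEP"}
RF_PROTOCOLS = {0x00: "UNDETERMINED", 0x01: "T1T", 0x02: "T2T", 0x03: "T3T",
                0x04: "ISO-DEP", 0x05: "NFC-DEP"}
TECH_MODES = {0x00: "NFC-A passive poll", 0x01: "NFC-B passive poll", 0x02: "NFC-F passive poll"}
# Common SEL_RES (SAK) values from NXP's AN10833 card identification table.
SAK_HINTS = {0x00: "MIFARE Ultralight / Type 2 tag", 0x08: "MIFARE Classic 1K",
             0x18: "MIFARE Classic 4K", 0x20: "ISO 14443-4 (ISO-DEP) card"}


def _name(value: int, table: Dict[int, str]) -> str:
    if value in table:
        return table[value]
    return "proprietary" if 0x80 <= value <= 0xFE else "RFU"


def decode_rf_intf_activated(payload: bytes) -> Dict[str, object]:
    """Decode the fixed part of RF_INTF_ACTIVATED_NTF and, for NFC-A poll mode,
    the technology-specific parameters SENS_RES, NFCID1 and SEL_RES."""
    info: Dict[str, object] = {
        "discovery_id": payload[0],
        "rf_interface": _name(payload[1], RF_INTERFACES),
        "rf_protocol": _name(payload[2], RF_PROTOCOLS),
        "tech_mode": TECH_MODES.get(payload[3], "other/listen (0x%02x)" % payload[3]),
    }
    tsp = payload[7:7 + payload[6]]  # technology-specific parameters
    if payload[3] == 0x00 and len(tsp) >= 3:
        nfcid_len = tsp[2]
        sel_res = None
        if len(tsp) >= 5 + nfcid_len and tsp[3 + nfcid_len] == 1:
            sel_res = tsp[4 + nfcid_len]
        info["sens_res"] = tsp[0:2].hex()
        info["nfcid1"] = tsp[3:3 + nfcid_len].hex()
        info["sel_res"] = sel_res
        info["tag_hint"] = SAK_HINTS.get(sel_res, "unknown SAK") if sel_res is not None else "n/a"
    return info


def decode_packet(raw: bytes) -> Dict[str, object]:
    """Split an NCI control packet into header fields and decode known payloads."""
    mt, gid, oid, length = (raw[0] >> 5) & 0x7, raw[0] & 0x0F, raw[1] & 0x3F, raw[2]
    payload = raw[3:3 + length]
    stem = OPCODES.get((gid, oid), "GID%x_OID%02x" % (gid, oid))
    rec: Dict[str, object] = {
        "name": "%s_%s" % (stem, MT_NAMES.get(mt, "MT%d" % mt)),
        "gid": gid, "oid": oid, "payload_len": length, "payload_hex": payload.hex(),
        "length_ok": len(raw) == 3 + length,  # header length field matches the bytes logged
    }
    if (mt, gid, oid) == (3, 0x1, 0x05):
        rec["activation"] = decode_rf_intf_activated(payload)
    elif (mt, gid, oid) == (1, 0x0, 0x02):
        # CORE_SET_CONFIG_CMD: a count byte followed by (id, len, value) TLVs
        tlvs, i = [], 1
        while i + 2 <= len(payload):
            pid, plen = payload[i], payload[i + 1]
            tlvs.append((pid, payload[i + 2:i + 2 + plen].hex()))
            i += 2 + plen
        rec["config_params"] = tlvs
    return rec


def decode_nci_log(text: str) -> List[Dict[str, object]]:
    """Find NxpNciR/NxpNciX lines in logcat text and decode each packet."""
    records = []
    for m in LINE_RE.finditer(text):
        raw = bytes.fromhex(m.group(3))
        rec = decode_packet(raw)
        rec["direction"] = "controller->host" if m.group(1) == "R" else "host->controller"
        rec["declared_len_ok"] = int(m.group(2)) == len(raw)
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in decode_nci_log(SAMPLE_LOG):
        print(r["direction"], r["name"], r.get("activation") or r.get("config_params") or r["payload_hex"])
```

For the notification in the log this yields SEL_RES 0x08, i.e. a MIFARE Classic 1K with NFCID1 54566739: the controller does detect and activate the card, so the failure lies in the MIFARE handling above the HAL, which matches the observation that nothing reaches the NFC test app.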
No NFC for me either
Running yesterday's nightly 20150310 on klte, no NFC either.
Any news? I have a SM-G900F and am unable to read NFC tags since updating to CM12 (now using 20150313).
My NFC was gone too after I updated to the latest nightly yesterday. It appears that copying the firmware file and configuration from XtreStoLite fixed that, and that I'm back to the situation I described in the top post again now. I'll attach both files (in one archive). They should be placed in the according directories in the /system partition, i.e.
etc/libnfc-nxp.conf -> /system/etc/libnfc-nxp.conf
system/vendor/firmware/libpn547_fw.so -> /system/vendor/firmware/libpn547_fw.so
Could you test if copying them & rebooting (partially) restores NFC for you, too? (This should be possible with a file manager like X-Plore) If you don't want to use my archive, download XtreStoLite and extract the same files from their zip. Flashing CM should restore the original files in any case.
FirebirdDE said:
My NFC was gone too after I updated to the latest nightly yesterday. It appears that copying the firmware file and configuration from XtreStoLite fixed that, and that I'm back to the situation I described in the top post again now. I'll attach both files (in one archive). They should be placed in the according directories in the /system partition, i.e.
etc/libnfc-nxp.conf -> /system/etc/libnfc-nxp.conf
system/vendor/firmware/libpn547_fw.so -> /system/vendor/firmware/libpn547_fw.so
Could you test if copying them & rebooting (partially) restores NFC for you, too? (This should be possible with a file manager like X-Plore) If you don't want to use my archive, download XtreStoLite and extract the same files from their zip. Flashing CM should restore the original files in any case.
Hey, that actually worked! I tried with an NFC reader app, and my nfc tag popped up right away.
So now we're missing only a flashable zip
I will try this one and if it will work, I will try my scripting luck
And here it is, enjoy
I believe that it might suffice to update the configuration file. According to the logs, at least on my phone, the firmware file isn't used anyway.
FirebirdDE said:
My NFC was gone too after I updated to the latest nightly yesterday. It appears that copying the firmware file and configuration from XtreStoLite fixed that, and that I'm back to the situation I described in the top post again now. I'll attach both files (in one archive). They should be placed in the according directories in the /system partition, i.e.
etc/libnfc-nxp.conf -> /system/etc/libnfc-nxp.conf
system/vendor/firmware/libpn547_fw.so -> /system/vendor/firmware/libpn547_fw.so
Could you test if copying them & rebooting (partially) restores NFC for you, too? (This should be possible with a file manager like X-Plore) If you don't want to use my archive, download XtreStoLite and extract the same files from their zip. Flashing CM should restore the original files in any case.
WOHOOOO! Thank you very much. My klte's NFC stopped working after flashing some alpha CM12. Some days ago I flashed cm-12-20150310-NIGHTLY-klte and the NFC problem remained. Now I replaced /etc/libnfc-nxp.conf with the config file you attached and NFC is working again.
Great! I've submitted this upstream, hopefully they'll accept this. It would be good to get feedback from someone who didn't experience any NFC issues in the first place, though, to make sure that this does not break NFC for anyone.
How awesome. NFC is really stable too and I think we have found the fix. I believe that many Galaxy S5 CM12 users will be happy
Seems like the fix will be in the next nightly, too.
Still some Problems
Hello,
first of all thanks for your research!
I installed your fix for the NFC (tried both zip and "self" copy) but NFC is not working correctly:
* sometimes when I enable/disable NFC I get a sound (not always)
* When I scan a tag (the first time after enabling NFC) I get a sound for scanning, but NFC TagInfo and Tagstand Writer did not recognize the tag.
* Sometimes NFC TagInfo by NXP is working but only one time... (hard to explain, often the scanning works when I open the settings?)
* The scanning works only once till I deactivate/activate NFC
I used the fix with cyanogenmod nightly 14-03-2015 and now with the Unofficial build [ROM] CyanogenMod 12.0 | Android 5.0 Lollipop | [03/13/2015]
Also installed the latest Xposed framework and SELinux "Permissive" ...
Any ideas?
Thanks in advance
Which variant do you have? (I, and afaik all others that reported here, have a g900f)
What kind of NFC tag do you try to scan? (As I've already written in the top post, Mifare Classic does not work.)
The relevant logcat (see a few posts up, I've posted a setprop-command that enables debug output) would also be interesting.
Btw., the only sound I get is for the recognition of a NFC chip and its removal. Enabling/disabling makes no sound whatsoever.
FirebirdDE said:
Which variant do you have? (I, and afaik all others that reported here, have a g900f)
What kind of NFC tag do you try to scan? (As I've already written in the top post, Mifare Classic does not work.)
The relevant logcat (see a few posts up, I've posted a setprop-command that enables debug output) would also be interesting.
Btw., the only sound I get is for the recognition of a NFC chip and its removal. Enabling/disabling makes no sound whatsoever.
What I forgot: I have a G900F
Sometimes I really get a sound for enable/disable!?!
Hard to tell you what type of NFC tag I use, because I cannot read them at all.
I tried
* a writable tag from androidbands.com
* a company card
* a skiing card
I will try to logcat later today....
FirebirdDE said:
Which variant do you have? (I, and afaik all others that reported here, have a g900f)
What kind of NFC tag do you try to scan? (As I've already written in the top post, Mifare Classic does not work.)
The relevant logcat (see a few posts up, I've posted a setprop-command that enables debug output) would also be interesting.
Btw., the only sound I get is for the recognition of an NFC chip and its removal. Enabling/disabling makes no sound whatsoever.
Here is a logcat (created with the logcat extrem app - currently no adb available for me)
Actions:
Activate NFC // Scan androidbrands.com Tag // Deactivate NFC
Looks like problems with the "libpn547_fw":
Code:
Line 191: D/NxpFwDnld( 447): @@@/system/vendor/firmware/libpn547_fw.so
Line 193: E/NxpFwDnld( 447): NULL handler : unable to load the library file, specify correct path
Line 199: E/NxpFwDnld( 447): Image extraction Failed - invalid imginfo or imginfolen!!
Line 201: E/NxpFwDnld( 447): Error loading libpn547_fw !!
Line 209: E/NxpHal ( 447): Wrong FW Version >>> Firmware download not allowed
The file exists in "/system/vendor/firmware/libpn547_fw.so" with "rw-rw----"
ostauss said:
Here is a logcat (created with the logcat extrem app - currently no adb available for me)
Actions:
Activate NFC // Scan androidbrands.com Tag // Deactivate NFC
Looks like problems with the "libpn547_fw":
Code:
Line 191: D/NxpFwDnld( 447): @@@/system/vendor/firmware/libpn547_fw.so
Line 193: E/NxpFwDnld( 447): NULL handler : unable to load the library file, specify correct path
Line 199: E/NxpFwDnld( 447): Image extraction Failed - invalid imginfo or imginfolen!!
Line 201: E/NxpFwDnld( 447): Error loading libpn547_fw !!
Line 209: E/NxpHal ( 447): Wrong FW Version >>> Firmware download not allowed
The file exists in "/system/vendor/firmware/libpn547_fw.so" with "rw-rw----"
Changed permissions to "rw-rw-r--"; looks like the lib is correctly loaded, but the scanned androidbands.com tag is still not recognized by TagInfo...
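The diagnosis in the two posts above (spot the NxpFwDnld load error in logcat, then check whether the firmware file's mode bits let the loading process read it) can be automated. The following is an added example written for this thread, not code from the ROM or from any poster; it feeds in the logcat lines quoted above as constructed sample input and assumes, as an assumption the thread does not confirm, that the NFC HAL opens the firmware file as a user that is neither the file's owner nor in its group, so only the "other" read bit matters.

```python
import re

# Constructed sample input: the logcat lines quoted in the post above,
# without the "Line N:" prefixes added by the logcat viewer app.
SAMPLE_LOGCAT = """\
D/NxpFwDnld(  447): @@@/system/vendor/firmware/libpn547_fw.so
E/NxpFwDnld(  447): NULL handler : unable to load the library file, specify correct path
E/NxpFwDnld(  447): Image extraction Failed - invalid imginfo or imginfolen!!
E/NxpFwDnld(  447): Error loading libpn547_fw !!
E/NxpHal   (  447): Wrong FW Version >>> Firmware download not allowed
"""

# Standard "brief" logcat format: PRIORITY/TAG( PID): message
LOG_RE = re.compile(r"^(?P<prio>[VDIWEF])/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s*(?P<msg>.*)$")


def parse_logcat(text):
    """Parse brief-format logcat lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_fw_load_failure(entries):
    """Return the firmware path NxpFwDnld tried to open if it later reported a load failure.

    The "@@@<path>" debug line is emitted just before the open attempt; a following
    "unable to load the library file" error from the same pid means the open failed.
    """
    pending_path = None
    for e in entries:
        if e["tag"] != "NxpFwDnld":
            continue
        if e["msg"].startswith("@@@"):
            pending_path = (e["pid"], e["msg"][3:])
        elif "unable to load the library file" in e["msg"] and pending_path:
            pid, path = pending_path
            if pid == e["pid"]:
                return path
    return None


def mode_from_ls(perm):
    """Convert an ls-style permission string such as 'rw-rw-r--' into an octal mode int."""
    if len(perm) != 9:
        raise ValueError("expected nine permission characters, e.g. rw-rw----")
    mode = 0
    for i, ch in enumerate(perm):
        # 's'/'t' in an execute slot still grants execute; only '-' and 'S'/'T' deny.
        if ch not in "-ST":
            mode |= 1 << (8 - i)
    return mode


def readable_by(mode, who):
    """True if the read bit is set for 'owner', 'group' or 'other'."""
    shift = {"owner": 6, "group": 3, "other": 0}[who]
    return bool(mode & (0o4 << shift))


def diagnose(logcat_text, perm, accessor="other"):
    """Correlate a firmware load failure in logcat with the file's permission bits.

    Assumption (not stated in the thread): the loading process accesses the file as
    'other', i.e. it is neither the owner nor a member of the owning group.
    """
    path = find_fw_load_failure(parse_logcat(logcat_text))
    if path is None:
        return {"load_failed": False, "path": None, "readable": None, "verdict": "no NxpFwDnld load failure in log"}
    mode = mode_from_ls(perm)
    ok = readable_by(mode, accessor)
    verdict = ("%s is not readable by %s (mode %s); the HAL cannot open it" % (path, accessor, oct(mode))
               if not ok else
               "%s is readable by %s (mode %s); look elsewhere for the cause" % (path, accessor, oct(mode)))
    return {"load_failed": True, "path": path, "readable": ok, "verdict": verdict}


if __name__ == "__main__":
    # The permissions reported before and after the poster's change.
    for perm in ("rw-rw----", "rw-rw-r--"):
        print(perm, "->", diagnose(SAMPLE_LOGCAT, perm)["verdict"])
```

With "rw-rw----" the script reports that the file cannot be opened by an "other" accessor, matching the load error in the log; with "rw-rw-r--" the load error is no longer explained by permissions, which is consistent with the poster's observation that the library then loads while the tag-recognition problem remains a separate issue.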