Ok, in this thread I will describe one problem that I have faced with my Iconia and that was also reported by one other user on a forum.
Basically, Iconia uses Atmel mxt1386 touchscreen controller. The same controller is used in Asus EEE Transformer and Motorola Xoom and even Samsung Galaxy Tab 10.1. So far, there are a lot of reports of EEE Transformer's and Xoom's touchscreens suddenly stopping working and starting working after a full battery discharge.
One day after a reboot my Iconia stopped booting - it keeped hanging on the Acer logo and when I tried entering recovery it was hanging at "booting recovery kernel image". However, that only happened with Acer kernels. With my own kernel, ported from EEE Transformer, the tablet could boot. I have recompiled the acer kernel with framebuffer console and found out it got stuck at the touchscreen interrupt handler while EEE's driver just printed an error and stopped working.. Basically, the response I got from from the touchscreen was [1, 0x80, 0, 0, 0, 0, 0, 0]. And it was not detected with i2cdetect
At first, I thought my touchscreen cable was damaged. I have disassembled the tablet and tried twisting the cable to see if it gives any result. My result was that if I disconnect and reconnect the cable, an interrupt comes. Btw, the cable has sharp 'teeth' and you can crimp it pretty much like ethernet.
Ok, so then I added some printks to the driver. Turns out, when some data coming from the touchscreen was incorrect, the driver hanged (deadlocked) because the semaphore was pushed down two times and never upped. So, I have commented out semaphores and bingo - it continued booting. Although there were a lot of warn_slowpath errors and CRC error, it reported correct coordinates. I flashed Acer's kernel after it and it booted fine. Looks like a proper init by Acer driver reset the controller.
The archive in the link contains tegra i2c driver from the chromium tree (in case it finds i2c errors like nak, it retries the transmission several times) and the touchscreen driver. You need to comment out "#define USE_SEMA" to disable semaphores and build the kernel with it in case you encounter the problem..
http://www.mediafire.com/?jt6b19nr7rsy70s
I do not have another 'brick' to test if my solution works in all cases but I'm just leaving the stuff here in case anyone faces the trouble. To flash when your tablet is not booting you'll probably some help from sc2k..
What's the moral of the story? The moral is that as touchscreen is not used in recovery, it may be a good idea to add the 'hacked and buggy' driver to the recovery kernel to allow to recover the device by just booting recovery in case anyone faces the problem.. Of course it's better to fix the driver properly or even use the driver from mainline linux and patch it.
EDIT 29-oct-2011:
here is a link to the cwm recovery image with the 'hacked' driver. Boots just fine.
http://www.mediafire.com/?39jk1j15wkpr57o
So just to clarify this is a software/recovery problem not a hardware problem?
This is a combined problem. It is a hardware problem as the touchscreen stops getting recognized by i2cdetect, probably due to firmware bugs.. It is a software problem because the driver behaves incorrectly when the hardware fails.
Ok, I will post the reply from sc2k who investigated the issue a bit. Let's keep it here for reference. I think it will be nice to patch the mainline driver (from chromium or mainline linux) and use it instead of acer's driver but I won't probably do it unless I hit the issue again or make some progress with my chromium kernel
sc2k said:
Ok.. I finally understand the issue:
Your tochscreen always responded with [1, 0x80, 0, 0, 0, 0, 0, 0]
buffer[1].bit7 seems to be some kind of "message incomplete" bit. As this is always transmitted, the worker thread never releases the semaphore which causes the ATMEL_Initial to stop at ATMEL_SyncWithThreadToReadMsg.
After you disabled the semaphore, ATMEL_Initial continues. ConfigError is probably 0, so next function to be called will be ATMEL_CheckConfig.
This function first calls ATMEL_SendCMDgetCRC. As semaphores are disabled, this will probably not be able to receive the checksum (due to timing) so that ConfigChecksumError=1.
If ConfigChecksumError==1, ATMEL_CheckConfig will call ATMEL_WriteConfig and ATMEL_Backup that will probably be successful and thus fixes the configuration issue. Even if it does not complete succesfully, the whole recovery process is repeated until all conditions are satisfied.
Conclusion:
- Somehow the configuration in your touchscreen controller got messed up.
- Removing the semaphores triggered ATMEL_WriteConfig + ATMEL_Backup which probably fixed the issue.
I believe, a good fix would be to add a check "if (counts > 20) { up(&mxt->sema); goto fail; }" or similar to mxt_worker for irq_type == ATMEL_ReadResponseMsg_Noaddress. This would prevent these endless interrupt loop and allow the driver to fix the configuration.
Really nice bug that you have found in this driver
Click to expand...
Click to collapse
Link to cwm recovery image invalid
Hi sp3dev,
sorry to ask but could you pls reupload your cwm recovery image? Mediafire says the file is not available any more.
I am not an expert in ROMs and I know nothing about cooking them or kernels. But I think I am having a problem similar to that described in your thread: after a sw update the touchscreen became unsensitive. Shutdown, reset, factory reset do not solve the problem. When I flash a new ROM to try and "reset" the screen controller, I get stuck at the "ACER" logo after flashing with CWM and rebooting the system. If I shut down and restart again, the machine starts but the touchscreen is still unresponsive. Luckily enough, I can use a USB mouse to interact with the device.
I am currently running HC 3.1 (stock), rooted. I took a full nandroid backup with CWM. Do you think it is safe to flash your recovery with the modified touchscreen driver (that is, if you are kind enough to re-upload it for me...)?
Thanks a lot for any advice you can provide.
Best, Andrea
I see that thor2002ro has seen this thread, but will we see the driver implemented in the next CWM release?
If it can help people recover from a known brick and if the stack does not introduce problems then I hope that we see something, at least a recovery instruction for the touchscreen added to CWM or the whole stack. aferall this could be something that ends up happening to alot of us :S
I had this problem with my Galaxy Tab and tried the fixes mentioned but it just didn't work for me. I have, however, figured out what's really going wrong.
I always had this failure showing up in dmesg:
[ 1.707677] tegra-i2c tegra-i2c.1: I2c error status 0x00000008
[ 1.707913] tegra-i2c tegra-i2c.1: no acknowledge from address 0x4c
[ 1.708080] tegra-i2c tegra-i2c.1: Packet status 0x00010009
[ 1.709363] Warning: To wake up touch-ic in deep sleep, retry i2c communication!
[ 1.748037] tegra-i2c tegra-i2c.1: I2c error status 0x00000008
[ 1.748355] tegra-i2c tegra-i2c.1: no acknowledge from address 0x4c
[ 1.748523] tegra-i2c tegra-i2c.1: Packet status 0x00010009
[ 1.749788] sec_touch 1-004c: Failure accessing maXTouch device
So, it can't read from the touchscreen controller at address 0x4c. The fix mentioned in this thread was to re-write the configuration, with the assumption that the device was somehow wedged. That doesn't work either, since you can't write to 0x4c - same lack of acknowledgement.
I tried adding a reset. No change. Disconnected the battery overnight. Also no change.
Then, I realized what's going on. The MXT1386 has a "Firmware Update" mode. When you put it into update mode, the device address changes from 0x4c to 0x26! Once it gets into that mode, it doesn't respond to the original address. Since I don't have the docs for the device, I just called the driver function that updates the firmware. Once that process is complete and the chip reset, it reverts to its original address. At that point (after a final reboot), all is well.
I have a replacement kernel that you can install and boot which re-enables the touchpad. I'd suggest making a nandroid backup first, installing my kernel, then restoring the nandroid once it's fixed.
http://www.rickmurphy.net/mxt1386_fixer.zip. While this is a p4wifi (Gtab 10.1 Wifi-only) it'll probably fix the problem on a 3G tablet as well as long as you restore the correct kernel once it's done..
Whew. It's good to have the toy back working.
k1mu said:
I had this problem with my Galaxy Tab and tried the fixes mentioned but it just didn't work for me. I have, however, figured out what's really going wrong.
I always had this failure showing up in dmesg:
[ 1.707677] tegra-i2c tegra-i2c.1: I2c error status 0x00000008
[ 1.707913] tegra-i2c tegra-i2c.1: no acknowledge from address 0x4c
[ 1.708080] tegra-i2c tegra-i2c.1: Packet status 0x00010009
[ 1.709363] Warning: To wake up touch-ic in deep sleep, retry i2c communication!
[ 1.748037] tegra-i2c tegra-i2c.1: I2c error status 0x00000008
[ 1.748355] tegra-i2c tegra-i2c.1: no acknowledge from address 0x4c
[ 1.748523] tegra-i2c tegra-i2c.1: Packet status 0x00010009
[ 1.749788] sec_touch 1-004c: Failure accessing maXTouch device
So, it can't read from the touchscreen controller at address 0x4c. The fix mentioned in this thread was to re-write the configuration, with the assumption that the device was somehow wedged. That doesn't work either, since you can't write to 0x4c - same lack of acknowledgement.
I tried adding a reset. No change. Disconnected the battery overnight. Also no change.
Then, I realized what's going on. The MXT1386 has a "Firmware Update" mode. When you put it into update mode, the device address changes from 0x4c to 0x26! Once it gets into that mode, it doesn't respond to the original address. Since I don't have the docs for the device, I just called the driver function that updates the firmware. Once that process is complete and the chip reset, it reverts to its original address. At that point (after a final reboot), all is well.
I have a replacement kernel that you can install and boot which re-enables the touchpad. I'd suggest making a nandroid backup first, installing my kernel, then restoring the nandroid once it's fixed.
http://www.rickmurphy.net/mxt1386_fixer.zip. While this is a p4wifi (Gtab 10.1 Wifi-only) it'll probably fix the problem on a 3G tablet as well as long as you restore the correct kernel once it's done..
Whew. It's good to have the toy back working.
Click to expand...
Click to collapse
Though I don't have this problem, and hope never to, it is a scary scenario. Thanks for investing your time to come up with a fix for ppl who have this problem.
Sent from my GT-P7510 using xda app-developers app
OTAw said:
Though I don't have this problem, and hope never to, it is a scary scenario. Thanks for investing your time to come up with a fix for ppl who have this problem.
Click to expand...
Click to collapse
Thanks. I've also sent a patch to the person who I thing maintains the driver. If they'll accept the fix, it'll automatically correct this problem regardless of the type of device being used. That'd be a good thing.
I have the common problem with my Acer Iconia A500.
The tablet's touchscreen suddenly stopping working. And didn't start working after reset, shutdown, deattaching the battery, or any firmware upgrades/downgrades.
Custom bootloaders and restores also didn't help.
It is starting working only when I shutdown the tablet and don't use it for a while.
When I turn on the tablet after 2-3 hours, the touchscreen works. But after 10-15 minutes of usage(or even idle), touchscreen stop working again.
I tried many ways to solve this problem, but nothing works for me.
When I tryed to figure out this issue, I found only a few topics in the internet, but all of them was leading to this thread.
So, tell me please, is there any workaround to this touchscreen problem?
I suggest, this is the hardware problem. But if there is any software fix, it would be good.
DIZAZTER said:
I have the common problem with my Acer Iconia A500.
The tablet's touchscreen suddenly stopping working. And didn't start working after reset, shutdown, deattaching the battery, or any firmware upgrades/downgrades.
Custom bootloaders and restores also didn't help.
It is starting working only when I shutdown the tablet and don't use it for a while.
When I turn on the tablet after 2-3 hours, the touchscreen works. But after 10-15 minutes of usage(or even idle), touchscreen stop working again.
I tried many ways to solve this problem, but nothing works for me.
When I tryed to figure out this issue, I found only a few topics in the internet, but all of them was leading to this thread.
So, tell me please, is there any workaround to this touchscreen problem?
I suggest, this is the hardware problem. But if there is any software fix, it would be good.
Click to expand...
Click to collapse
Well, if you have done a rollback using TD's V4 rollback tool, and the problem still persists, then it's likely a hardware issue.
If it were software, the TS would either work, or it wouldn't. The fact there's a time limit involved, indicates some component heating up and causing the issue.
I would suggest, if you are no longer under warranty, to pop off the cover, and start checking connections. More than likely a connection is failing. (cold expands, heat contracts). Might explain why it works when it's cool. (this is why we put old HDD's in the freezer, sounds strange, but can't deny physics)
You can google for 500 breakdown videos. Plenty of them out there.
As a test in the temp theory, just play with the tab till it fails. Toss it in the fridge for 15 minutes or so. If it works, then it's mechanical.
I'd bet on the connectors. Then check the board with a magnifying glass.
MD
Moscow Desire said:
Well, if you have done a rollback using TD's V4 rollback tool, and the problem still persists, then it's likely a hardware issue.
If it were software, the TS would either work, or it wouldn't. The fact there's a time limit involved, indicates some component heating up and causing the issue.
I would suggest, if you are no longer under warranty, to pop off the cover, and start checking connections. More than likely a connection is failing. (cold expands, heat contracts). Might explain why it works when it's cool. (this is why we put old HDD's in the freezer, sounds strange, but can't deny physics)
You can google for 500 breakdown videos. Plenty of them out there.
As a test in the temp theory, just play with the tab till it fails. Toss it in the fridge for 15 minutes or so. If it works, then it's mechanical.
I'd bet on the connectors. Then check the board with a magnifying glass.
MD
Click to expand...
Click to collapse
You're right about the temp.
Actually, I put the tablet in the fridge even before I saw you reply.
After that procedure, touchscreen works fine for a while. And after freezing it works much longer period. I guess, it works just before getting warm.
I wanted to mention about the temperature dependence, but you did it first.
My warranty is expired. So I'm already has disassembled and taken the tablet apart. But I saw nothing noticeably wrong there.
I guess, there is some kind of connection failure, but it's microscopically small. Or it's situated inside of a board or a chip.
Anyway, thanks a lot.
At least I figured out that this is only hardware issue and there is no way to fix it with software patch.
Moscow Desire said:
If it were software, the TS would either work, or it wouldn't. The fact there's a time limit involved, indicates some component heating up and causing the issue.
..
I'd bet on the connectors. Then check the board with a magnifying glass.
Click to expand...
Click to collapse
I agree. Your problem has nothing in common with the issue that was causing my touchscreen to not work. That was a software problem with a reliable software fix.
I have seen a Galaxy Tab with a flaky touchscreen, but when I took it apart to look at what was wrong I found that the connector for the touchscreen had been ripped completely off the motherboard. The induhvidual responsible tried to fix it by taping the touchscreen connector to the motherboard! Needless to say, that wasn't a very reliable fix. :laugh:
I've pulled the kernel that had my patch off of my web site because it's only usable on the P7510 (WiFi) device and caused a 3G tablet to hang.
Could someone please explain what went wrong?
I use a acer a700 and get everytime i make display on such errors:
mXT1386E: mxt_late_resume
<4>[ 1641.027524] tegra-i2c tegra-i2c.1: I2c error status 0x00000008
<4>[ 1641.027938] tegra-i2c tegra-i2c.1: no acknowledge from address 0x4c
<4>[ 1641.028178] tegra-i2c tegra-i2c.1: Packet status 0x00010009
<4>[ 1641.045244] tegra-i2c tegra-i2c.1: I2c error status 0x00000008
<4>[ 1641.045398] tegra-i2c tegra-i2c.1: no acknowledge from address 0x4c
<4>[ 1641.045670] tegra-i2c tegra-i2c.1: Packet status 0x00010009
<4>[ 1641.069140] mXT1386E i2c write 3 time
<4>[ 1641.069539] mXT1386E: ATMEL_Resume OK!
Any idea?
Why?
On boot, dmesg write this:
mXT1386E: reenter_count: 0
mXT1386E: Config has errors
mXT1386E: The status is 0x90
mXT1386E: reenter_count: 1
mXT1386E: Config status is ready
How can we fix it?
Please devs!Help us!!!
djsven said:
Could someone please explain what went wrong?
I use a acer a700 and get everytime i make display on such errors:
mXT1386E: mxt_late_resume
<4>[ 1641.027524] tegra-i2c tegra-i2c.1: I2c error status 0x00000008
<4>[ 1641.027938] tegra-i2c tegra-i2c.1: no acknowledge from address 0x4c
<4>[ 1641.028178] tegra-i2c tegra-i2c.1: Packet status 0x00010009
<4>[ 1641.045244] tegra-i2c tegra-i2c.1: I2c error status 0x00000008
<4>[ 1641.045398] tegra-i2c tegra-i2c.1: no acknowledge from address 0x4c
<4>[ 1641.045670] tegra-i2c tegra-i2c.1: Packet status 0x00010009
<4>[ 1641.069140] mXT1386E i2c write 3 time
<4>[ 1641.069539] mXT1386E: ATMEL_Resume OK!
Any idea?
Why?
On boot, dmesg write this:
mXT1386E: reenter_count: 0
mXT1386E: Config has errors
mXT1386E: The status is 0x90
mXT1386E: reenter_count: 1
mXT1386E: Config status is ready
How can we fix it?
Please devs!Help us!!!
Click to expand...
Click to collapse
That "no acknowledge from address 0x4c" means that your touchscreen chip is not responding. It's possible that it's just dead, or possible that it's stuck in firmware update mode (in update mode, the address changes to 0x26). If you can point me to kernel source for your A700, I can modify it try to recover the touchscreen. (Of course, I'm assuming that it's just dead and that the touchscreen never works. If it works some of the time but fails later, it's probably just a hardware problem.)
k1mu said:
That "no acknowledge from address 0x4c" means that your touchscreen chip is not responding. It's possible that it's just dead, or possible that it's stuck in firmware update mode (in update mode, the address changes to 0x26). If you can point me to kernel source for your A700, I can modify it try to recover the touchscreen. (Of course, I'm assuming that it's just dead and that the touchscreen never works. If it works some of the time but fails later, it's probably just a hardware problem.)
Click to expand...
Click to collapse
Hi @k1mu got a question regarding this discussion. Would there also be benefits from this fix if it's only a unresponsiveness in runtime? I assume also djsven has it within runtime and the ts recovers itself... what I get from this thread is that it's regarded to the tab being unrecoverably stuck on firmware update mode? If not and it could fix hangs for some seconds in runtime it would be awesome if you could make a patch for this driver or just point me to a diff...
Thanks in advance
Elibl said:
Hi @k1mu got a question regarding this discussion. Would there also be benefits from this fix if it's only a unresponsiveness in runtime? I assume also djsven has it within runtime and the ts recovers itself... what I get from this thread is that it's regarded to the tab being unrecoverably stuck on firmware update mode? If not and it could fix hangs for some seconds in runtime it would be awesome if you could make a patch for this driver or just point me to a diff...
Thanks in advance
Click to expand...
Click to collapse
If it's just slow to respond, then the touchscreen is basically working and isn't going to be helped by this fix.
That (slow, jerky response to screen input) is caused by CPU hogging processes keeping the tablet too busy, or too many applications running at once, keeping the OS busy shuffling memory around (that's called thrashing).
k1mu said:
If it's just slow to respond, then the touchscreen is basically working and isn't going to be helped by this fix.
That (slow, jerky response to screen input) is caused by CPU hogging processes keeping the tablet too busy, or too many applications running at once, keeping the OS busy shuffling memory around (that's called thrashing).
Click to expand...
Click to collapse
Sure that's only system hangs... I ment does your fix help for input lags/death regarding 0x4c address/firmware update mode... If you show me the diff I could just test it... Would be highly appreciated
Elibl said:
Sure that's only system hangs... I ment does your fix help for input lags/death regarding 0x4c address/firmware update mode... If you show me the diff I could just test it... Would be highly appreciated
Click to expand...
Click to collapse
No, the system doesn't hang, it works just fine if you plug in a keyboard.
Here's the diff:
Code:
diff -c drivers/input/touchscreen/orig/atmel_mxt1386.c drivers/input/touchscreen/atmel_mxt1386.c
*** drivers/input/touchscreen/orig/atmel_mxt1386.c 2012-10-10 08:11:10.543325982 -0400
--- drivers/input/touchscreen/atmel_mxt1386.c 2012-10-10 08:35:30.545044039 -0400
***************
*** 22,27 ****
--- 22,29 ----
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
+ #define FIX_CHIP_HANG
+
#define DEBUG_INFO 1
#define DEBUG_VERBOSE 2
#define DEBUG_MESSAGES 5
***************
*** 2539,2544 ****
--- 2541,2550 ----
/* Initialization of driver */
/******************************************************************************/
+ #ifdef FIX_CHIP_HANG
+ extern int mxt_do_firmware_load(struct mxt_data *mxt, const char *fn);
+ #endif
+
static int __devinit mxt_identify(struct i2c_client *client,
struct mxt_data *mxt)
{
***************
*** 2559,2564 ****
--- 2565,2585 ----
msleep(30);
goto retry_i2c;
}
+ #ifdef FIX_CHIP_HANG
+ /* If we tried twice and no response, maybe it's in firmware
+ * load mode. Try to upload firmware.
+ */
+ if (mxt->read_fail_counter == 2) {
+ printk(KERN_DEBUG "Trying firmware reload.");
+ mxt->last_read_addr = -1;
+
+ mxt_do_firmware_load(mxt, MXT1386_FIRMWARE);
+
+ reset_chip(mxt, RESET_TO_NORMAL);
+ msleep(300);
+ goto retry_i2c;
+ }
+ #endif
dev_err(&client->dev, "Failure accessing maXTouch device\n");
return -EIO;
}
diff -c drivers/input/touchscreen/orig/atmel_mxt1386_cfg.c drivers/input/touchscreen/atmel_mxt1386_cfg.c
*** drivers/input/touchscreen/orig/atmel_mxt1386_cfg.c 2012-10-10 08:12:43.773952501 -0400
--- drivers/input/touchscreen/atmel_mxt1386_cfg.c 2012-10-10 08:36:55.704576439 -0400
***************
*** 408,417 ****
return 0;
}
- int mxt_load_firmware(struct device *dev, const char *fn)
- {
- struct mxt_data *mxt = dev_get_drvdata(dev);
unsigned int frame_size;
unsigned int pos = 0;
unsigned int retry;
--- 408,416 ----
return 0;
}
+ int mxt_do_firmware_load(struct mxt_data *mxt, const char *fn)
+ {
unsigned int frame_size;
unsigned int pos = 0;
unsigned int retry;
***************
*** 518,520 ****
--- 517,526 ----
return ret;
}
+ int mxt_load_firmware(struct device *dev, const char *fn)
+ {
+ struct mxt_data *mxt = dev_get_drvdata(dev);
+
+ return mxt_do_firmware_load(mxt, fn);
+ }
+
Related
Presently we're running a little short on kernel exploits, with the following being the only one that looks remotely plausible:
http://xorl.wordpress.com/2010/01/14/cve-2009-4141-linux-kernel-fasync-locked-file-use-after-free/
Big hold-up? For all that we have a trigger, we don't have an exploit. I believe it's up to us at this point to make that happen.
If I'm reading it right, it looks like the bug initially rears its head right here:
Code:
void __kill_fasync(struct fasync_struct *fa, int sig, int band)
{
while (fa) {
struct fown_struct * fown;
if (fa->magic != FASYNC_MAGIC) {
printk(KERN_ERR "kill_fasync: bad magic number in "
"fasync_struct!\n");
return;
}
[B]fown = &fa->fa_file->f_owner;[/B]
/* Don't send SIGURG to processes which have not set a
queued signum: SIGURG has its own default signalling
mechanism. */
if (!(sig == SIGURG && fown->signum == 0))
send_sigio(fown, fa->fa_fd, band);
fa = fa->fa_next;
}
}
... as fa_file now points to invalid memory (having been free'd earlier). The f_owner member gets shot out to send_sigio, which look like this:
Code:
void send_sigio(struct fown_struct *fown, int fd, int band)
{
struct task_struct *p;
enum pid_type type;
struct pid *pid;
int group = 1;
read_lock(&fown->lock);
type = fown->pid_type;
if (type == PIDTYPE_MAX) {
group = 0;
type = PIDTYPE_PID;
}
[B]pid = fown->pid;[/B]
if (!pid)
goto out_unlock_fown;
read_lock(&tasklist_lock);
do_each_pid_task(pid, type, p) {
send_sigio_to_task(p, fown, fd, band, group);
} while_each_pid_task(pid, type, p);
read_unlock(&tasklist_lock);
out_unlock_fown:
read_unlock(&fown->lock);
}
... in which we see the f_owner member being dereferenced. Also it gets pushed through several other functions which may be exploitable.
There are several questions to be answered before we can start attacking this:
Can we resolve the address of the fa_file data structure so we can overwrite the f_owner value?
Can we do anything with it once we've done that? (Presumably we can set it to zero to cause a null-pointer dereference, but we're mmap_min_addr = 32768 on the most recent versions, so unless we can flag the mmap region to grow down and apply memory pressure to reach page 0 this will do us no good.)
Failing the plan above: are any of the functions that f_owner gets pushed into vulnerable? I evaluated this over the weekend, but without the help of a trained kernel dev I'm not going to get very far.
While I studied a lot of this in uni, I'll admit I'm green when it comes to actually writing these exploits. I'm hoping that this will get the creative juices flowing, and perhaps provide a more comprehensive resource in case any hard-core kernel hackers want to take a look at what we're doing or give us pointers (harhar) in the right direction.
Thanks, guys. Great work up to this point.
In the original POC if you change /bin/true to /system/bin/sh you can get a new shell to open just not as root. So I'm guessing that their needs to be more added to the POC to make it a full exploit.
Right, the fork()'s in the PoC exist only to cause the file descriptor's fasync_struct to be erroneously killed, not start a root session. The root session would need to be started (presumably) by the kernel doing something to our maliciously crafted fown_struct.
The tough part is figuring out exactly where and what that fown_struct needs to be.
Well I definetly agree with you that this seems to be our best best bet I am some what of a newbie when it comes to linux allthough i am learning as i go. Do you know of any good sites to read up on kernel hacking?
Sorry Guys just got the word that this one is dead for us.....
Here is the explantion i got.
some_person said:
Nope, the bug didn't exist in 2.6.27. That's why they say >= 2.6.28 are vulnerable.
As far as how the bug works, there are 2 other issues. 1) our kernel probably wasn't compiled with AT_RANDOM 2) we don't have an elf executable.
The exploit you found does not give us root access, it crashes the system. Basically, you open the "random number generator" file, lock it, and close it... but the lock release when you close it. Then you have to call an elf executable because that generates a random number (running an elf executable) provided the kernel was compiled AT_RANDOM. you continue to call that executable (and generating random numbers) until the the lock is released on the "random number generator" file... then it's your program's turn... the kernel tries to send your program notification that the file is available, but your program has moved on. BLAM the kernel stops (or "oops").
Click to expand...
Click to collapse
Sorry to dredge up an old thread:
This exploit *will* work. According to Zanfur, the hole is in our kernel. We need to use it without AT_RANDOM (which I dont know how to do).
http://sourceware.org/ml/libc-alpha/2008-10/msg00016.html
I am pretty sure we do have elf executables, here is proof:
% file m6
m6: ELF 32-bit LSB executable, ARM, version 1 (SYSV), dynamically linked (uses shared libs), not stripped
If our kernel is susceptible to this bug then it should work, as long as there is a way to do it without at random.
Though I do not in any way represent my self as a hacker or developer I was wondering if I could throw in my 2 cents. I notice that this bug/exploit won't work because it requires AT RANDOM. I was wondering if it s possible to write code that does what the function does and insert it in. Is root required to do this (i.e. insert code into the kernel that wasn't there before) or is this a matter of know-how? Just some brainstorming I thought that I would throw in.
jballz0682 said:
Though I do not in any way represent my self as a hacker or developer I was wondering if I could throw in my 2 cents. I notice that this bug/exploit won't work because it requires AT RANDOM. I was wondering if it s possible to write code that does what the function does and insert it in. Is root required to do this (i.e. insert code into the kernel that wasn't there before) or is this a matter of know-how? Just some brainstorming I thought that I would throw in.
Click to expand...
Click to collapse
This won't get us root. Even zanfur said it. Moving on....
Framework43 said:
This won't get us root. Even zanfur said it. Moving on....
Click to expand...
Click to collapse
To clarify, even if we get AT_RANDOM functionality working, we can't use this to exploit our kernel. All we can do with this is get data from a file that was recently closed. The point of this exploit is to send a signal to a process, but there are no processes we could send a signal to that would give us root.
Our kernel seems practically invulnerable, it appears that almost all exploits are patched
Hi,
I did some experimenting with getting kernel serial console output on SGSII I9100 without soldering, or even disasembling the device. And seems I succeeded .
So, for anyone interested, here are the details.
First, two warnings:
- you will loose access to CWM recovery! ODIN still usable though.
- no access to bootloader output, only kernel logging available
Now the steps:
enable UART PDA
Flash original samsung ROM (changes in service mode settings in cyanogenmod are not permanent for some reason, I haven't tried other ROMs)
Enter service mode by dialing *#7284#, select UART mode PDA (default is modem. No need to change USB mode to PDA, leave it as is).
Configure, build and flash the kernel
get your kernel command line using dmesg right after boot
modify the console parameter to console=ttySAC2,115200
configure your kernel with this command line (CONFIG_CMDLINE). In my case, the commandline used was:
Code:
loglevel=4 console=ttySAC2,115200 sec_debug.enable=0 sec_debug.enable_user=0 c1_watchdog.sec_pet=5 [email protected] s3cfb.bootloaderfb=0x5ec00000 ld9040.get_lcdtype=0x2 consoleblank=0 lpj=3981312 vmalloc=144m
set force override parameters passed by the bootloader (CONFIG_CMDLINE_FORCE=y)
build the kernel
build your ROM of choice (I have used cyanogenmod) with this new kernel
flash
power off the device, connect "standard" Samsung UART cable - microUSB with 523K resistor to ID pin, 3.3V to RS232 level converter
Now the phone should start and you should see kernel boot messages on connected terminal emulator.
Open questions:
Why UART switch changes are not permanent from cyanogenmod? Is this i known bug?
How to change bootloader parameters from within linux? E.g. kernel command line options... Does anyone know where are the persistent settings of the bootloader stored?
This information is mainly collected from many sources here on this forum, thanks to all of you for publishing your findings. I take credit only for putting all this information together and spending a lot of time trying it out . Also, I take no responsibility for any bricked devices, make sure you know what you are doing, before you start following my steps.
Hope this helps anyone .
--DELETED--
KickerTom said:
[*]Why UART switch changes are not permanent from cyanogenmod? Is this i known bug?
Click to expand...
Click to collapse
The only reason I see for this is kernel. Are you using CM7 or CM9 ?
What did you use as UART cable? Do you have a microUSB to RJ45 + Z3X, or some homemade all-in-one ?
I am using CM7.2RC0 KANG, updated yesterday. Kernel also latest git, home built. But I remember having this problem with "official" nightly builds as well.
For cable, I have my own micro USB with id pin on break out cable, so I can switch resistors, and home made level shifter made from a MAX chip, that connected via stock USB to serial to the PC.
Why not just change index 0x10 in /mnt/.lfs/param.blk?
Odia said:
Why not just change index 0x10 in /mnt/.lfs/param.blk?
Click to expand...
Click to collapse
More details on this? - is that what changes UART PDA?
For the kernel cmdline side of things - I have never found any way to override the kernel cmdline in a controllable manner. The bootloader has a fixed commandline, and it makes changes to it depending on what buttons are pressed (which is why you can't enter CWM via the button combos if you force the cmdline) However, if you're working with a custom kernel, you can just go find the handler for the console= option and force it to always be ttySAC2 regardless of what is passed in the source. This won't work for custom kernels. (Wait... neither will the OP's approach either, sorry - not enough caffeine yet.)
If there's another cmdline option you want enabled, you can overload one of the ones that is in use, and have it trigger other handlers (but those have to have their parameters hardcoded) - such as how garyd9 caused ramconsole setup to be triggered by the loglevel cmdline parameter at https://github.com/garyd9/linux_kernel_GT-P6210/commit/d796ac86dcff1eeda19d7638315dcf6fe3978318. If you're wondering why he did this to enable ramconsole - in the I777 and GT-P6210 source drops, ramconsole support seems to be improved compared to the I9100 source drops - it requires little to no extra patching AND it's controllable by the kernel cmdline - while that's normally an improvement, it's a pain in the ass if you can't change the bootloader to add the ramconsole cmdline parameters.
Odia said:
Why not just change index 0x10 in /mnt/.lfs/param.blk?
Click to expand...
Click to collapse
Never heard of this file before, now took a look and it looks very interesting. I will investigate this option further, thanks for the hint.
Entropy512 said:
For the kernel cmdline side of things - I have never found any way to override the kernel cmdline in a controllable manner. The bootloader has a fixed commandline, and it makes changes to it depending on what buttons are pressed (which is why you can't enter CWM via the button combos if you force the cmdline) However, if you're working with a custom kernel, you can just go find the handler for the console= option and force it to always be ttySAC2 regardless of what is passed in the source.
Click to expand...
Click to collapse
Yes, I agree that your approach is also usable. Advantage of your way is that you are not loosing CWM and such. Mine is that it's without ugly hacks in the kernel ;-).
Ultimate goal would be to modify the bootloader parameters, so kernel recompilation is not needed at all, but not sure it is possible - thats my next direction of research .
Entropy512 said:
This won't work for custom kernels. (Wait... neither will the OP's approach either, sorry - not enough caffeine yet.)
Click to expand...
Click to collapse
Sorry, not following you here. Custom kernel - you mean kernels compiled by third party, which we can't modify? Well, not sure you need a log for kernel you can't modify, maybe for bug reporting to original author? If the kernel works, you can get most of the log using dmesg... And I am not interested in binary-only kernels...
Entropy512 said:
If there's another cmdline option you want enabled, you can overload one of the ones that is in use, and have it trigger other handlers (but those have to have their parameters hardcoded) - such as how garyd9 caused ramconsole setup to be triggered by the loglevel cmdline parameter at github.com commit d796ac86dcff1eeda19d7638315dcf6fe3978318. If you're wondering why he did this to enable ramconsole - in the I777 and GT-P6210 source drops, ramconsole support seems to be improved compared to the I9100 source drops - it requires little to no extra patching AND it's controllable by the kernel cmdline - while that's normally an improvement, it's a pain in the ass if you can't change the bootloader to add the ramconsole cmdline parameters.
Click to expand...
Click to collapse
Maybe that's a better solution for a kernel distributed to users and such. What I was trying to achieve is to have serial log of a booting kernel so you can troubleshoot kernel which does not boot, or which hard-locks or oops. AFAIK, ram console is useless in such cases (correct me if I am wrong, I have very little experience with ram console).
As far as I am interested, the description above does exactly what I need .
KickerTom said:
Sorry, not following you here. Custom kernel - you mean kernels compiled by third party, which we can't modify? Well, not sure you need a log for kernel you can't modify, maybe for bug reporting to original author? If the kernel works, you can get most of the log using dmesg... And I am not interested in binary-only kernels...
Click to expand...
Click to collapse
That was a brainfart - meant it won't work with stock kernels!
The ramconsole approach was just meant as an example - but instead of hooking loglevel to do ramconsole stuff, you could hook it to do other stuff. Of course here, since there's already a serial cmdline entry but it's just wrong, it's easy to just override.
As an example, I abused the "overload the loglevel handler" trick to try and enable profiling. (However, profiling didn't let me get any info on which interrupt handler is eating our IRQ time on suspend/resume.)
Just for reference, here is the cable I am using. There is a stock prolific PL-2303 based USB to serial converter (the grey cable), then a RS232 to 3.3V TTL level shifter (home made, built into the DB9 conector), and then there is a stock micro USB cable. The connection between these two is on this connector for easy re-configuration, as I am using the level shifter for other purposes as well.
The micro USB cable is stock microUSB to USB-A, but I cut off one end to connect it to the level shifter, and I have also cut the micro USB conector to connect a cable to the ID pin. That one and ground are on the blue/white cable, for easy resistor switching.
Except for the ID resistor (523K according to the table, some 507K in my case), all electronic parts are SMD .
A good source for USB-to-TTL/LVTTL cables is FTDI - they sell FT232-based cables. Adafruit is a good vendor for these in the USA.
Just noticed you can get bootloader output by booting the phone and shortly pressing Volume Down (shortly so that it doesn't boot into Download mode). I did it by accident and saw some Samsung PBL logging on my screen.
XpLoDWilD said:
Just noticed you can get bootloader output by booting the phone and shortly pressing Volume Down (shortly so that it doesn't boot into Download mode). I did it by accident and saw some Samsung PBL logging on my screen.
Click to expand...
Click to collapse
Cool. If you can get the bootloader prompt, we are maybe a step closer to being able to even unbrick phones .
So far, I was not able to reproduce this, can you, please, describe better the steps? Also, what version of bootloader do you use?
I did it once by accident, I haven't retried. Basically when I booted phone I mistakenly pressed the Volume Down button with the Power button, but not long enough to make it boot in download mode.
I'm not sure which bootloader I'm running, I think it is some LPx one (if flashing KI4 PDA doesn't overwrite it).
Here's the log of it:
http://pastie.org/3544766
Following up on Odia's hint (thanks ), I decoded the structure of the params.blk file and wrote an utility to deal with it. The file contains parameters normally visible in SBL. With this utility, you can manipulate then from within normally booted phone.
Run it without parameters, it will display current values for all parameters. With parameter name (case insensitive), it will display just that one parameter, run it with param name and value, it will set the new value.
WARNING: no checking on validity of the values is done. If you brick or fry your phone, I take no responsibility and it is your brick!
Put the utility somewhere where you can execute it, e.g. /data. Then to set e.g. a kernel command line to start logging on console, issue:
sblparam command_line "loglevel=4 console=ttySAC2,115200"
From my experiments it looks like the SWITCH_SEL parameter is ignored by the HW, at least I haven't observed any real effect. But you can change the UART switch by modifying a file next to the param.blk, /mnt/.lfs/sw_sel. It contains an ASCII number, by default 1. That is modem uart. Change it to 3 to get PDA uart connected, by e.g. "echo -n 3 > /mnt/.lfs/sw_sel".
Please, be careful about files in /mnt/.lfs, the j4fs is a strange filesystem. You can create files there, but you can't delete them. If you grow a file, you can't trim it back down. I tried longer numbers in sw_sel, and I broke the output completely, and I had to restore the whole .lfs partititon from backup (which reminds me - do a backup first , e.g. with dd).
Now there is no need to flash samsung firmware or compile custom kernel to get kernel console anymore! .
EPIC WIN!!!
This is going to be very nice.
This is amazingly cool!!! Maybe we can get even more...
Inviato dal mio GT-I9100 usando Tapatalk
My kernel finally boots
Seems like I get everytime the bootloader output by booting the phone with Power + Vol Down while having UART cable plugged in, then releasing the buttons when log starts to appear to make it not go into Download mode.
XpLoDWilD said:
My kernel finally boots
Click to expand...
Click to collapse
Wow, congratulations! Looking forward to try out your kernel with CM9 .
XpLoDWilD said:
Seems like I get everytime the bootloader output by booting the phone with Power + Vol Down while having UART cable plugged in, then releasing the buttons when log starts to appear to make it not go into Download mode.
Click to expand...
Click to collapse
Hmmm, must be really something with your kernel. I was not able to get any bootloader messages, and my unit always turn on as soon as I insert the cable.
AFAIK, the resistor is "read" and attach interrupt asserted by the FSA9280 switch. So it looks like your kernel "programs" the switch not to wake up the CPU? Maybe the switch has interrupt assert masked out? I will check the switch sources, when I get some time, maybe I find something interesting...
KickerTom said:
Wow, congratulations! Looking forward to try out your kernel with CM9 .
Hmmm, must be really something with your kernel. I was not able to get any bootloader messages, and my unit always turn on as soon as I insert the cable.
AFAIK, the resistor is "read" and attach interrupt asserted by the FSA9280 switch. So it looks like your kernel "programs" the switch not to wake up the CPU? Maybe the switch has interrupt assert masked out? I will check the switch sources, when I get some time, maybe I find something interesting...
Click to expand...
Click to collapse
I'm wondering if maybe he uses a different resistor value than you do. If I recall, there were multiple values that could trigger UART mode.
The difference in behavior being seen goes earlier in the boot process than kernel boot.
Entropy512 said:
I'm wondering if maybe he uses a different resistor value than you do. If I recall, there were multiple values that could trigger UART mode.
Click to expand...
Click to collapse
No, he does not (apart from the fact that no two resistors are exactly the same ;-) ). I know, because I made both cables ;-).
Moreover, I tried couple of different resistor values, and found none which would not trigger the boot on my unit. You can get e.g. car mode active together with UART with slightly different resistor, but AFAIK, you can not prevent the boot trigger.
Entropy512 said:
The difference in behavior being seen goes earlier in the boot process than kernel boot.
Click to expand...
Click to collapse
Yes, for sure. But don't forget that "turning off" the phone does not mean all ICs in the phone are really powered off. E.g. the switch IC is, AFAIK, always on (unless you pull the battery). So you can set the interrupt mask in the switch and then turn off the main CPU. When UART cable is detected by the switch, it uses the mask to trigger or not trigger interrupt to the CPU.
Which brings another idea - XpLoDWilD, can you, please, try pulling out the battery, put it back and then connect the cable? The switch does not have any means of persistent storage, according to the spec sheet, so if there is no hidden easter egg, then the cable should trigger boot in this case, I believe.
Hey geeks,
you might know my hardware hacking thread already:
http://forum.xda-developers.com/showthread.php?t=1199450
Some time ago i started thinking about starting with an open bootloader for Archos Gen8.
So i started from scratch and made use of external boot mode to completely start from external MicroSD and leave the internal memory alone.
Remark: This is a geek project, there's no GUI or something. So don't expect anything useful right now.
At the moment you'll need some hardware hacking, because you'll need a serial console over uart3.
Unfortunately you'll also need a dirty hack to power up the MicroSD permanently.
Don't hesitate to ask for details about it.
So this is for the weird ones out there...
Right now there's work in progress, because stock kernel stucks at some point in the boot process.
Maybe there's some setup missing in the bootcode (it's very basic at the moment) or stock kernel relies heavily on avboot at some point.
I will work on this issue whenever i'll find some time.
Anyway it might be still an interesting project for at least a very few of you, so here's the source code:
- x-loader-archos
- u-boot-2011.09-archos
As pointed out the Archos implementation is very basic at the moment, but the code itself works very well and had been tested on A101IT Gen8.
To further devices, e.g. A70S Gen8, the machine id had to be included in the board file, the rest of the setup in early stage should be very similar.
The code bases:
- x-loader (https://gitorious.org/x-loader/x-loader)
- u-boot (taken from this archive: http://www.technexion.com/images/downloads/ARM_CPU_Modules/TDM-3730/linux-2.6.32-tdm3730.tar.xz)
I'd like to switch to official u-boot release 2011.09 as a base soon.
To start playing with it:
- open your case and start hacking, to get serial console working
- tweak the hardware to power the MicroSD slot permanently
- create a bootable MicroSD for OMAP systems
- place the binaries on your card
- insert the card and use vitalifs kernel module to reboot your device in external bootmode
Please refer to these posts from vitalif (thanks a lot for contributing!!!):
http://forum.xda-developers.com/showpost.php?p=22719203&postcount=105
http://forum.xda-developers.com/showpost.php?p=22765441&postcount=108
You might start digging in the source code and create your own loader:
- use a linux machine with a recent distribution
- setup a cross environment with ARM cross compiler suitable for ARMV7
- extract the sources to directory of your choice
- to compile x-load:
Code:
cd ./x-loader-archos
make archos_config
make
- to compile u-boot-2011.09-archos:
Code:
cd ./u-boot-2011.09-archos
make a101it_config
make
It might be required to tweak the top-level Makefiles to point at your toolchain.
I used my ready to work toolchain (for 32-bit linux only) here:
http://forum.xda-developers.com/showthread.php?t=1328027
Unfortunately i haven't found some time to create a project page at gitorious,
but hopefully i'll manage to do so in the next weeks...
I know this is a very very special project, but anyway if there's some interest, this might lead to something useful in the end.
If the bootcode is working very nice some day, it might also be possible to replace stock loader, but that's fiction yet.
You might ask what for...
I say... it's just for fun!
cheers,
scholbert
Boot console output... so far
Hey,
it had been posted already but her again for completeness...
The console log on UART3 starting custom kernel configured with stock config:
Code:
Texas Instruments X-Loader 1.5.1 (Mar 26 2012 - 20:41:11)
Found 0256 MB
Archos Gen8
Reading boot sector
Loading u-boot.bin from mmc
Done!
U-Boot 2011.09 (Mar 23 2012 - 18:53:39)
OMAP3630/3730-GP ES1.2, CPU-OPP2, L3-165MHz, Max CPU Clock 1 Ghz
Archos 101IT Gen8 + LPDDR/MMC
I2C: ready
DRAM: 256 MiB
MMC: OMAP SD/MMC: 0
Using default environment
In: serial
Out: serial
Err: serial
Die ID #144800029ff800000160a4bb18027009
Hit any key to stop autoboot: 0
reading boot.scr
** Unable to read "boot.scr" from mmc 0:1 **
reading uImage
2987000 bytes read
Booting from mmc ...
## Booting kernel from Legacy Image at 82000000 ...
Image Name: Linux-2.6.29-omap1
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2986936 Bytes = 2.8 MiB
Load Address: 80008000
Entry Point: 80008000
Verifying Checksum ... OK
Loading Kernel Image ... OK
OK
Starting kernel ...
Uncompressing Linux.............................................................
................................................................................
..................................................... done, booting the kernel.
<6>Initializing cgroup subsys cpu
<5>Linux version 2.6.29-omap1 ([email protected]) (gcc version 4.4.1 (GCC) ) #1
PREEMPT Thu Mar 22 23:59:34 CET 2012
CPU: ARMv7 Processor [413fc082] revision 2 (ARMv7), cr=10c5387f
CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
Machine: Archos A101IT board
fixup_archos: [console=ttyS2,115200n8 androidboot.console=ttyGS0 init=/linuxrc d
ebug omapdss.debug=0 vram=4915200 omapfb.vram=0:4915200 omapfb.debug=0 mmc_block
.split=0.0001:512M]
Memory policy: ECC disabled, Data cache writeback
<7>On node 0 totalpages: 65536
<7>free_area_init_node: node 0, pgdat c05fd368, node_mem_map c06a5000
<7> Normal zone: 512 pages used for memmap
<7> Normal zone: 0 pages reserved
<7> Normal zone: 65024 pages, LIFO batch:15
<4>L2 CACHE is enabled in bootloader
<6>OMAP3630 ES1.2
<6>DIE ID: 144800029FF800000160A4BB18027009
<6>FEATURE_STATUS: 00000c00
<6>SRAM: Mapped pa 0x40200000 to va 0xfc800000 size: 0x100000
<6>Reserving 4915200 bytes SDRAM for VRAM
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 65024
<5>Kernel command line: console=ttyS2,115200n8 androidboot.console=ttyGS0 init=/
linuxrc debug omapdss.debug=0 vram=4915200 omapfb.vram=0:4915200 omapfb.debug=0
mmc_block.split=0.0001:512M
<3>Unknown boot option `androidboot.console=ttyGS0': ignoring
<3>Unknown boot option `omapdss.debug=0': ignoring
<6>Clocking rate (Crystal/DPLL/ARM core): 26.0/332/600 MHz
BTW, i extracted the function from Archos loader setup up PLL and MPU stuff.
Need some time to extract the stock setup for PLL at early stage.
Maybe this will give some answers.
One of my next plans is, to build some kind of bare bone kernel (console only), which may be used for recovery and debug purpose.
Maybe this gives it a kick and things start up to a login shell
TBC
Have fun!
scholbert
One of my next plans is, to build some kind of bare bone kernel (console only), which may be used for recovery and debug purpose.
Maybe this gives it a kick and things start up to a login shell.
Click to expand...
Click to collapse
Seems like an internal monologue... but i like to point out that i stopped this project for a while.
So don't expect anything like a brick recovery tool or similar.
If others will join in it might be possible that it would led to something,
but as long as no one even starts hacking the hardware this is just for me...
Happy days!
scholbert
scholbert said:
Seems like an internal monologue... but i like to point out that i stopped this project for a while.
So don't expect anything like a brick recovery tool or similar.
If others will join in it might be possible that it would led to something,
but as long as no one even starts hacking the hardware this is just for me...
Happy days!
scholbert
Click to expand...
Click to collapse
Shame you stopped your efforts for now, I always followed your posts with much interest. However I can understand it is frustrating being on your own.
Thanks for what you did this far and for posting your info .
divx118
Sorry to read that, this was a very very interesting reading.
But I don't have the knowledge to make the necessary hardware hack, and above all, my wife would kill me if she saw me opening the tab
Thanks again for all that amazing information scholbert
Hey,
first off all thanks for your interest and your replies
Some words on your comments though...
divx118 said:
Shame you stopped your efforts for now, I always followed your posts with much interest. However I can understand it is frustrating being on your own.
Click to expand...
Click to collapse
I did not want to sound frustrated, because i'm not.
All i do with the device and all that hacking stuff is fun and mostly for educational purpose
Maybe i'll continue working with this stuff, but for now i wanted to point out to not expect too much.
Some guys out there, bricked their devices and were looking for a solution.
That's why i wrote it down.
Basically it should be possible to recover bricks by using external boot procedure, but it's still far from a simple solution.
grim-a101 said:
Sorry to read that, this was a very very interesting reading.
But I don't have the knowledge to make the necessary hardware hack, and above all, my wife would kill me if she saw me opening the tab
Click to expand...
Click to collapse
Yeah that's a good point, the barrier for this kind of hacking is little high.
Unfortunately you'll have to tweak the hardware, to gain access to the serial debugging port and cheat the power management of the MicroSD slot.
Most of you simply want to use the device and do some less harder tweaks at system level.
Anyway, there are some other possibilities as well (e.g. using USB and TI Flash) to access the platform. Maybe i'll do some research here as well.
Thanks again for appreciation!!!
Regards,
scholbert
Hello all Forum Users.
Unfortunately I'm not yet allowed to post on Android Development, so I have to write here.
I would be gratuful if someone could post a link there or permit me to write there:
http://forum.xda-developers.com/showthread.php?t=2180085
I'm quite experienced FreeBSD kernel developer and I would like to get involved into pinkflozd CM kernel development.
I'm almost newbe to Linux kernel but I think there are some problems with WiFi on e610 devices.
I have the latest CM 10 with pinkflozd CM kernel v0.70.
Everything seems to work OK except from the Wifi.
When the WiFi is off, "lsmod" shows only "frandom" module - it's OK.
When I turn the WiFi on, "lsmod" shows also "librasdioif" and "wlan" modules loaded
but the WiFi is unable to turn on and the modules are unloaded soon.
"dmesg" show some info (not including everything):
- wlan0: link is not ready (many times)
- init: untracked pid xxxx exited
- wlan: unloading driver v0.2.2.542
- <many other errors>
- libra sdio remove : Module removed.
I also tried "l5_wifi_fix" - it didn't help.
I can send more debug info if required. I am not familiar with the Android "log" subsystem.
I have a problem with the 3G Data Connection. The WiFi is working fine, sorry I can't help about it. I just didn't know where to ask my question. How can i fix data connectivity? before flashing CM10, on original ICS it was working just fine. I also tried flashing only the ROM without the pinkflozd kernel, still no connectivity. In settings its set on "allowed" or whatever it says. Please help. :/
l5_wifi_fix must be started from PC, there is fix.cmd, of course phone must be connected by USB
Andro995 said:
I have a problem with the 3G Data Connection. The WiFi is working fine, sorry I can't help about it. I just didn't know where to ask my question. How can i fix data connectivity? before flashing CM10, on original ICS it was working just fine. I also tried flashing only the ROM without the pinkflozd kernel, still no connectivity. In settings its set on "allowed" or whatever it says. Please help. :/
Click to expand...
Click to collapse
I'm afraid I can't help. Everyone says that 3G Data Connection starts working after the second reboot.
Try reboot and then run "dmesg" from the terminal. Scroll it and try to find something which might be useful to solve the problem.
twisted_tits said:
l5_wifi_fix must be started from PC, there is fix.cmd, of course phone must be connected by USB
Click to expand...
Click to collapse
Thanks, I know it. I've rewritten the script so it could be executed from Linux.
Some dmesg output
I have something like that when booting PinkFlozd kernel:
<4>[ 23.496161] ------------[ cut here ]------------
<4>[ 23.496248] WARNING: at arch/arm/mach-msm/clock.c:196 clk_disable+0x138/0x148()
<4>[ 23.496274] ebi_grp_3d_clk is unbalanced
<4>[ 23.496288] Modules linked in: wlan(P) librasdioif frandom
<4>[ 23.496351] [<c00467c4>] (unwind_backtrace+0x0/0x138) from [<c00d5e00>] (warn_slowpath_common.constprop.7+0x4c/0xd0)
<4>[ 23.496391] [<c00d5e00>] (warn_slowpath_common.constprop.7+0x4c/0xd0) from [<c00d5ea8>] (warn_slowpath_fmt+0x24/0x34)
<4>[ 23.496428] [<c00d5ea8>] (warn_slowpath_fmt+0x24/0x34) from [<c00569c4>] (clk_disable+0x138/0x148)
<4>[ 23.496466] [<c00569c4>] (clk_disable+0x138/0x148) from [<c046dd9c>] (_sleep+0x108/0x3ec)
<4>[ 23.496499] [<c046dd9c>] (_sleep+0x108/0x3ec) from [<c046eadc>] (kgsl_idle_check+0x154/0x1c8)
<4>[ 23.496538] [<c046eadc>] (kgsl_idle_check+0x154/0x1c8) from [<c00f0d44>] (process_one_work+0x1ec/0x354)
<4>[ 23.496573] [<c00f0d44>] (process_one_work+0x1ec/0x354) from [<c00f10a0>] (worker_thread+0x1c8/0x308)
<4>[ 23.496608] [<c00f10a0>] (worker_thread+0x1c8/0x308) from [<c00f6b0c>] (kthread+0x84/0x8c)
<4>[ 23.496646] [<c00f6b0c>] (kthread+0x84/0x8c) from [<c0040e9c>] (kernel_thread_exit+0x0/0x8)
<4>[ 23.496673] ---[ end trace a139245ee3e508ee ]---
It might be the reason why WiFi doesn't work.
kkarpowi said:
Thanks, I know it. I've rewritten the script so it could be executed from Linux.
Click to expand...
Click to collapse
BTW - Running l5_wifi_fix results are:
modprobe: 'librasdioif.ko': invalid module format
modprobe: 'wlan.ko': invalid module format
WiFi working
WiFi is working after a total wipe and CM10-20130414 installed.
I don't know what was wrong or if anything was fixed. Really don't know.
PinkFlozd kernel and gapps also installed and still OK.
I hope that everything else is working fine - checking...
I recommend to update your stock firmware to V20A_Rooted.kdz. Its very smooth and runs my Temple run 2 whith no lags on 800mhz.
Link for the kdz update:
http://forum.xda-developers.com/showthread.php?t=2230679
Link for the 4.1.2 Clean rom v2:
http://forum.xda-developers.com/showthread.php?t=2232123
jannick63 said:
I recommend to update your stock firmware to V20A_Rooted.kdz. Its very smooth and runs my Temple run 2 whith no lags on 800mhz.
Link for the kdz update:
http://forum.xda-developers.com/showthread.php?t=2230679
Link for the 4.1.2 Clean rom v2:
http://forum.xda-developers.com/showthread.php?t=2232123
Click to expand...
Click to collapse
That's what I did yesterday. And AFTER that (and of course after reinstalling the latest CM10 from scratch) WiFi started working. Strange, isn't it?
my sim card is not working
Andro995 said:
I have a problem with the 3G Data Connection. The WiFi is working fine, sorry I can't help about it. I just didn't know where to ask my question. How can i fix data connectivity? before flashing CM10, on original ICS it was working just fine. I also tried flashing only the ROM without the pinkflozd kernel, still no connectivity. In settings its set on "allowed" or whatever it says. Please help. :/
Click to expand...
Click to collapse
my sim card is not working
you should try flashing baseband,specify which base band you are in now
Sent from my LG-P700 using xda app-developers app
OP, if you want to help pm pinkflozd. And I think you need to post at least 10 times to be able to post on development forum.
So just keep posting on this thread
on my p705g - vanir rom
Hi Folks,
Another "no wifi" s4 here. This is a work colleagues phone that was totally stock. After upgrading to 4.4.2, wifi won't turn on. I've tried pretty much everything I've found on this site with regards to fixing it. The last thing that I hadn't looked at was the /persist folder (MMCBLK0P17). The one on this phone is empty and from what I've read, it should be populated. Could someone with a rooted i9505 post a list of the contents or better still, upload a copy of their /persist folder please?
TIA!
Mark
mjh74 said:
Hi Folks,
Another "no wifi" s4 here. This is a work colleagues phone that was totally stock. After upgrading to 4.4.2, wifi won't turn on. I've tried pretty much everything I've found on this site with regards to fixing it. The last thing that I hadn't looked at was the /persist folder (MMCBLK0P17). The one on this phone is empty and from what I've read, it should be populated. Could someone with a rooted i9505 post a list of the contents or better still, upload a copy of their /persist folder please?
TIA!
Mark
Click to expand...
Click to collapse
So what is everything found on this site with regards to fix it?
/persist folder is also empty on my phone.
mjh74 said:
Hi Folks,
Another "no wifi" s4 here. This is a work colleagues phone that was totally stock. After upgrading to 4.4.2, wifi won't turn on. I've tried pretty much everything I've found on this site with regards to fixing it. The last thing that I hadn't looked at was the /persist folder (MMCBLK0P17). The one on this phone is empty and from what I've read, it should be populated. Could someone with a rooted i9505 post a list of the contents or better still, upload a copy of their /persist folder please?
TIA!
Mark
Click to expand...
Click to collapse
Dial *#1234# and paste here what appears.
AP: I9505XXUGNG8
CP: I9505XXUGNG8
CSC: I9505BTUGNG2
So far I've tried the following:
Flashing the wifi-fix
Re-partitioning before flashing a stock rom
Rooting, Phillz recovery, clear dalvik, factory reset and format for new rom option before flashing various different 4.4.2 UK stock roms.
Editing build.prop and changing "ro.securestorage.support=true" to false.
Removing the back, removing and replacing the antenna wire.
Flashing a CM11 nightly.
Deleting wpa_supplicant.conf
Dmesg shows some interesting stuff.
"<4>[ 1277.591125] ## wifi_remove
<4>[ 1277.591125] wifi_set_power = 0
<4>[ 1277.591156] ####btlock released, cookie: WiFi
<6>[ 1277.591156] ------------------------------------------------
<6>[ 1277.591156] ------------------------------------------------
<6>[ 1277.591156] brcm_wlan_power Enter: power off
<6>[ 1277.591186] barcode_emul_ice4: ice_gpiox_set : num = 3 , val = 0
<7>[ 1277.592590] usb 1-1: usb wakeup-resume
<7>[ 1277.592651] usb 1-1: finish resume
<7>[ 1277.599456] hub 1-0:1.0: resume on port 1, status 0
<7>[ 1277.599487] hub 1-0:1.0: port 1, status 0503, change 0004, 480 Mb/s
<6>[ 1277.727569] [email protected] 42
<6>[ 1277.732635] set_freq_limit: 0x1 -1, min 384000, max 1350000
<4>[ 1277.822662] wifi_set_carddetect = 0
<4>[ 1277.822692] brcm_wifi_status:298 status 0
<6>[ 1277.822692] mmc1: Slot status change detected (1 -> 0)
<4>[ 1277.823638]
<4>[ 1277.823638] failed to power up wifi chip, max retry reached, exits **"
As I'm typing this, the phone has a stock rom and isn't rooted. I've just rooted again with CF-ROOT and Odin, rebooted the phone and wifi enabled instantly, something I've not seen before! It was the first boot and SuperSU wanted to update and reboot. After the reboot, wifi will no longer come on again.
I See you have the same error as I'm having:
Code:
<6>[ 1277.822692] mmc1: Slot status change detected (1 -> 0)
Can you check dmesg for mmc1 CRC errors and post output here?
ajax505 said:
I See you have the same error as I'm having:
Code:
<6>[ 1277.822692] mmc1: Slot status change detected (1 -> 0)
Can you check dmesg for mmc1 CRC errors and post output here?
Click to expand...
Click to collapse
Here you go.
mjh74 said:
Here you go.
Click to expand...
Click to collapse
So after pretty much giving up and weeks of flashing and faffing around. I managed to get wifi enabled. I've no idea how but I went from stock rom XXUGNG2, rooted with CF-AUTO-ROOT, Phillz recovery installed and a Cyanogen nightly and no wifi. Flashed XXUGNG2 back to the phone and wifi sprung into life! I then flashed XXUGNG8 and wifi still worked! I then performed a factory reset from Backup & Reset and wifi hasn't worked again since!?!?
So I'm not so convinced now that it's a hardware issue as I first thought.....
Lucky you I tried every possible solution. The interesting thing is that if I flash stock I can see Wifi mac, toggle button is "alive" but wifi won't turn on. If I flash cyanogen, wifi mac is not available and the wifi button is gray saying "turning wifi on" like forever.
ajax505 said:
Lucky you I tried every possible solution. The interesting thing is that if I flash stock I can see Wifi mac, toggle button is "alive" but wifi won't turn on. If I flash cyanogen, wifi mac is not available and the wifi button is gray saying "turning wifi on" like forever.
Click to expand...
Click to collapse
Like you, I'm back at exactly the same place. Cyanogen won't even let me turn wifi on now, the button is grayed out and says "turning wifi on". Stock roms show a pale green wifi signal icon until it turns gray again and fails. Arghhh how did I get it working briefly?!
mjh74 said:
So after pretty much giving up and weeks of flashing and faffing around. I managed to get wifi enabled. I've no idea how but I went from stock rom XXUGNG2, rooted with CF-AUTO-ROOT, Phillz recovery installed and a Cyanogen nightly and no wifi. Flashed XXUGNG2 back to the phone and wifi sprung into life! I then flashed XXUGNG8 and wifi still worked! I then performed a factory reset from Backup & Reset and wifi hasn't worked again since!?!?
So I'm not so convinced now that it's a hardware issue as I first thought.....
Click to expand...
Click to collapse
mjh74 said:
Like you, I'm back at exactly the same place. Cyanogen won't even let me turn wifi on now, the button is grayed out and says "turning wifi on". Stock roms show a pale green wifi signal icon until it turns gray again and fails. Arghhh how did I get it working briefly?!
Click to expand...
Click to collapse
When people learn that means "nightly" with CM?