Database Users

[WIP] Open Bootloader Development for Archos Gen8

Hey geeks,
you might know my hardware hacking thread already:
http://forum.xda-developers.com/showthread.php?t=1199450
Some time ago i started thinking about starting with an open bootloader for Archos Gen8.
So i started from scratch and made use of external boot mode to completely start from external MicroSD and leave the internal memory alone.
Remark: This is a geek project, there's no GUI or something. So don't expect anything useful right now.
At the moment you'll need some hardware hacking, because you'll need a serial console over uart3.
Unfortunately you'll also need a dirty hack to power up the MicroSD permanently.
Don't hesitate to ask for details about it.
So this is for the weird ones out there...
Right now there's work in progress, because stock kernel stucks at some point in the boot process.
Maybe there's some setup missing in the bootcode (it's very basic at the moment) or stock kernel relies heavily on avboot at some point.
I will work on this issue whenever i'll find some time.
Anyway it might be still an interesting project for at least a very few of you, so here's the source code:
- x-loader-archos
- u-boot-2011.09-archos
As pointed out the Archos implementation is very basic at the moment, but the code itself works very well and had been tested on A101IT Gen8.
To further devices, e.g. A70S Gen8, the machine id had to be included in the board file, the rest of the setup in early stage should be very similar.
The code bases:
- x-loader (https://gitorious.org/x-loader/x-loader)
- u-boot (taken from this archive: http://www.technexion.com/images/downloads/ARM_CPU_Modules/TDM-3730/linux-2.6.32-tdm3730.tar.xz)
I'd like to switch to official u-boot release 2011.09 as a base soon.
To start playing with it:
- open your case and start hacking, to get serial console working
- tweak the hardware to power the MicroSD slot permanently
- create a bootable MicroSD for OMAP systems
- place the binaries on your card
- insert the card and use vitalifs kernel module to reboot your device in external bootmode
Please refer to these posts from vitalif (thanks a lot for contributing!!!):
http://forum.xda-developers.com/showpost.php?p=22719203&postcount=105
http://forum.xda-developers.com/showpost.php?p=22765441&postcount=108
You might start digging in the source code and create your own loader:
- use a linux machine with a recent distribution
- setup a cross environment with ARM cross compiler suitable for ARMV7
- extract the sources to directory of your choice
- to compile x-load:
Code:
cd ./x-loader-archos
make archos_config
make
- to compile u-boot-2011.09-archos:
Code:
cd ./u-boot-2011.09-archos
make a101it_config
make
It might be required to tweak the top-level Makefiles to point at your toolchain.
I used my ready to work toolchain (for 32-bit linux only) here:
http://forum.xda-developers.com/showthread.php?t=1328027
Unfortunately i haven't found some time to create a project page at gitorious,
but hopefully i'll manage to do so in the next weeks...
I know this is a very very special project, but anyway if there's some interest, this might lead to something useful in the end.
If the bootcode is working very nice some day, it might also be possible to replace stock loader, but that's fiction yet.
You might ask what for...
I say... it's just for fun!
cheers,
scholbert

Boot console output... so far
Hey,
it had been posted already but her again for completeness...
The console log on UART3 starting custom kernel configured with stock config:
Code:
Texas Instruments X-Loader 1.5.1 (Mar 26 2012 - 20:41:11)
Found 0256 MB
Archos Gen8
Reading boot sector
Loading u-boot.bin from mmc
Done!
U-Boot 2011.09 (Mar 23 2012 - 18:53:39)
OMAP3630/3730-GP ES1.2, CPU-OPP2, L3-165MHz, Max CPU Clock 1 Ghz
Archos 101IT Gen8 + LPDDR/MMC
I2C: ready
DRAM: 256 MiB
MMC: OMAP SD/MMC: 0
Using default environment
In: serial
Out: serial
Err: serial
Die ID #144800029ff800000160a4bb18027009
Hit any key to stop autoboot: 0
reading boot.scr
** Unable to read "boot.scr" from mmc 0:1 **
reading uImage
2987000 bytes read
Booting from mmc ...
## Booting kernel from Legacy Image at 82000000 ...
Image Name: Linux-2.6.29-omap1
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2986936 Bytes = 2.8 MiB
Load Address: 80008000
Entry Point: 80008000
Verifying Checksum ... OK
Loading Kernel Image ... OK
OK
Starting kernel ...
Uncompressing Linux.............................................................
................................................................................
..................................................... done, booting the kernel.
<6>Initializing cgroup subsys cpu
<5>Linux version 2.6.29-omap1 ([email protected]) (gcc version 4.4.1 (GCC) ) #1
PREEMPT Thu Mar 22 23:59:34 CET 2012
CPU: ARMv7 Processor [413fc082] revision 2 (ARMv7), cr=10c5387f
CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
Machine: Archos A101IT board
fixup_archos: [console=ttyS2,115200n8 androidboot.console=ttyGS0 init=/linuxrc d
ebug omapdss.debug=0 vram=4915200 omapfb.vram=0:4915200 omapfb.debug=0 mmc_block
.split=0.0001:512M]
Memory policy: ECC disabled, Data cache writeback
<7>On node 0 totalpages: 65536
<7>free_area_init_node: node 0, pgdat c05fd368, node_mem_map c06a5000
<7> Normal zone: 512 pages used for memmap
<7> Normal zone: 0 pages reserved
<7> Normal zone: 65024 pages, LIFO batch:15
<4>L2 CACHE is enabled in bootloader
<6>OMAP3630 ES1.2
<6>DIE ID: 144800029FF800000160A4BB18027009
<6>FEATURE_STATUS: 00000c00
<6>SRAM: Mapped pa 0x40200000 to va 0xfc800000 size: 0x100000
<6>Reserving 4915200 bytes SDRAM for VRAM
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 65024
<5>Kernel command line: console=ttyS2,115200n8 androidboot.console=ttyGS0 init=/
linuxrc debug omapdss.debug=0 vram=4915200 omapfb.vram=0:4915200 omapfb.debug=0
mmc_block.split=0.0001:512M
<3>Unknown boot option `androidboot.console=ttyGS0': ignoring
<3>Unknown boot option `omapdss.debug=0': ignoring
<6>Clocking rate (Crystal/DPLL/ARM core): 26.0/332/600 MHz
BTW, i extracted the function from Archos loader setup up PLL and MPU stuff.
Need some time to extract the stock setup for PLL at early stage.
Maybe this will give some answers.
One of my next plans is, to build some kind of bare bone kernel (console only), which may be used for recovery and debug purpose.
Maybe this gives it a kick and things start up to a login shell
TBC
Have fun!
scholbert

One of my next plans is, to build some kind of bare bone kernel (console only), which may be used for recovery and debug purpose.
Maybe this gives it a kick and things start up to a login shell.
Click to expand...
Click to collapse
Seems like an internal monologue... but i like to point out that i stopped this project for a while.
So don't expect anything like a brick recovery tool or similar.
If others will join in it might be possible that it would led to something,
but as long as no one even starts hacking the hardware this is just for me...
Happy days!
scholbert

scholbert said:
Seems like an internal monologue... but i like to point out that i stopped this project for a while.
So don't expect anything like a brick recovery tool or similar.
If others will join in it might be possible that it would led to something,
but as long as no one even starts hacking the hardware this is just for me...
Happy days!
scholbert
Click to expand...
Click to collapse
Shame you stopped your efforts for now, I always followed your posts with much interest. However I can understand it is frustrating being on your own.
Thanks for what you did this far and for posting your info .
divx118

Sorry to read that, this was a very very interesting reading.
But I don't have the knowledge to make the necessary hardware hack, and above all, my wife would kill me if she saw me opening the tab
Thanks again for all that amazing information scholbert

Hey,
first off all thanks for your interest and your replies
Some words on your comments though...
divx118 said:
Shame you stopped your efforts for now, I always followed your posts with much interest. However I can understand it is frustrating being on your own.
Click to expand...
Click to collapse
I did not want to sound frustrated, because i'm not.
All i do with the device and all that hacking stuff is fun and mostly for educational purpose
Maybe i'll continue working with this stuff, but for now i wanted to point out to not expect too much.
Some guys out there, bricked their devices and were looking for a solution.
That's why i wrote it down.
Basically it should be possible to recover bricks by using external boot procedure, but it's still far from a simple solution.
grim-a101 said:
Sorry to read that, this was a very very interesting reading.
But I don't have the knowledge to make the necessary hardware hack, and above all, my wife would kill me if she saw me opening the tab
Click to expand...
Click to collapse
Yeah that's a good point, the barrier for this kind of hacking is little high.
Unfortunately you'll have to tweak the hardware, to gain access to the serial debugging port and cheat the power management of the MicroSD slot.
Most of you simply want to use the device and do some less harder tweaks at system level.
Anyway, there are some other possibilities as well (e.g. using USB and TI Flash) to access the platform. Maybe i'll do some research here as well.
Thanks again for appreciation!!!
Regards,
scholbert

[REF]Booting/Unlocking Xperia 2011 series: What's under the hood? (Update 13.03.13)

I know that there are many guides about unlocking bootloader and things have been posted a million times.
From what i've learned from various sources all over the web there's still a lot of confusion,
if and how a device could be unlocked and what is really happening under the hood.
In fact i didn't want to create yet another unlocking bootloader thread, but hopefully a collection of facts,
already known about the process and if it's safe or could be done this way or the other.
Another thing i'd like to put some light on, are some details about the boot process in general.
Please refer to this older thread as well:
http://forum.xda-developers.com/showthread.php?t=1429038
Noob's posting will never end, unless we lift some secrets and make more clear how the processes are basically working.
This should as well cover some basics on how the bootloader/kernel are protected by the manufacturers.
Would be better to use the term security locked/unlocked bootloader anyway.
See this nice page (also referenced in the thread above), which describes the whole boot process on Qualcomm CPU's:
http://www.anyclub.org/2012/02/android-board-bring-up.html
You'll find a link to the original document in the 2 post.
Please prepare for some boring technical details, but as well for some essential guidelines,
how to proceed with your device. Anyway, consider this as a starter...
Enough talking, let's define some headlines or topics to be discussed.
Bootmodes and Protocols
Just to sum up three known modes residing in different stages of bootcode:
- QDL
(PBL loader, lowest level, entered by powering up without battery and testpoint pulled to GND)
- QHUSB_LOAD
(a.k.a. SEMC USB Flash, a.k.a green LED mode, entered by powering up with back button pressed)
- FASTBOOT
(a.k.a blue LED mode, entered by powering up with menu button pressed)
unlocking security vs. SIM-lock
Description:
Locked/unlocked security of the bootloader and SIM-lock are different tracks,
though there's an important dependency between them.
Your device is SIM-locked if service menu gives "bootloader unlockable: no"
or simply refuses SIM-cards from another carrier.
What we know:
- fastboot is disabled on SIM-locked phones
- without removing the SIM-lock there's no way to unlock these phones for free
- normally you may purchase SIM unlock code from your provider
- removing the SIM-lock seems to give access to the fastboot option (confirmed by gen_scheisskopf, thanks!!)
- some devices seem to have restrictions here, result: no fastboot even after removing SIM-lock (this was pointed out once in another thread)
What we need to know:
Please confirm, if bootloader unlock is working after SIM-lock is removed!
In other words will you get fastboot feature after removing SIM-lock?
See the feedback from gen_scheisskopf:
http://forum.xda-developers.com/showpost.php?p=36783582&postcount=8
Result:
As long as you're able to remove the SIM-lock and your phone is old security you would be able to unlock bootloader as well!
old security vs. new security
Description:
Old/new security is independent of the EROM version (e.g. 1241-3656 R9B031) but relates to certain manufacturing dates,
or better the CPU types.
I got trustworthy reports about R9B031 getting unlocked with s1tool.
This date code may vary between the device models, but it seems to be proven,
that devices manufactured in Q2 2012 and later (~12W11..12W16) are new security.
I found out as well, that the manufacturing date of the device and the mainboard may be different.
This might explain why there are some diverging reports for devices in this period.
From what i got so far, the chain of trust includes the secondary bootloader (SBL) on all devices.
In other words SBL is signed code in any case.
At least the fuse setup for this feature is common on most of the Xperia 2011 series.
On a new security device patching or replacing the SBL (s1boot) will fail because OTP ROM could not be cheated.
If you got the "qcreceivepacket" error, your device is new security or at least not supported by s1tool (e.g. MSM8255T models seem not to work).
Only known method to unlock new security is Sony official method (grey market may work as well...).
What we know:
- testpoint method does not work on new security
- it should be safe to try the testpoint method because it won't break anything (if it is done correctly)
- right now there's only one way to check for new security (try and error)
- breaking new security would take ages or is impossible
What we need to know:
Perhaps someone needs to confirm that official Sony method works without flaws on new security.
Result:
Testpoint method should not result in a bricked device.
Official method should do it in these cases.
SEMC patch (testpoint method) vs. Sony official (oem key method)
Description (need some feedback though):
Sony official method to unlock security in the bootloader is done by flashing a generated key to a certain region of NAND.
The keys are device specific and the IMEI is part of the key generation (maybe serial number as well).
The fastboot command oem with the valid key certifies the unlock process and device specific key gets written in the TA section.
Unpatched SBL (s1boot) will always scan for a valid key in this section of NAND.
If there's a valid key, routine will report success and security checks of kernel code will be overriden.
The testpoint method seemse to make use of a bug inside the chips primary bootloader (OTP PBL).
It had been found out that this bug existed in the early Xperia 2011 series and could be used to rewrite parts of NAND flash.
This opened the door to patch parts of the NAND bootcode (s1boot) or even replace the bootloader code.
As a result, the bootloader leaves further security checks aside and continues booting even with an unsigned kernel.
So how could we apply a patch to the bootloader?
By setting the testpoint to GND (force WE# of NAND to GND) external NAND is blocked and the phone gets started on the bare metal.
Only PBL is running at that point.
Though the procedure is not 100% understood, it is for sure that a tiny loader is transfered to the SoC's IRAM and gets executed.
This loader then allows to overwrite first blocks of external NAND memory and replace or at least patch the bootloader.
What we know:
Sony way:
- Sony official method works well with fastboot enabled devices
- DRM get's lost with Sony official method and could not be reverted (it's gone... and yes: no way back!!!)
- If using Sony official method, bootloaders could be re-locked by deleting the key
S1tool way:
- testpoint method does not work on new security (and will never work!)
- By pressing the restore button in S1tool everything is virgin again
- OS is not aware of the patched bootloader
- FOTA will cause bricks
What we need to know:
Basically we need so more details about bootloaders on Xperia 2011 from the cracks here...
Result:
Better understanding of "black box" procedures.
Debugging features at boot level
Description:
Parts of the boot code could still be dumped from memory with Android up and running.
We could dump the specific memory areas by reading the content with tools, such as viewmem.
The areas of interest are accessible in RAM area at:
Code:
0x00000000 - ~0x000023a0
0x00090300 - ~0x000ab190
By disassembling these dumped areas or simply extracting the strings of that region you may get a clue of the bootloaders secrets.
For the geeks and kernel developers its even more interesting to follow the startup procedure of the bootloader and early kernel inits,
with a console hooked up on a serial interface.
In fact we got this debug UART on most of the Xperia 2011.
This interface is present as dev/ttyMSM2 in the Android base system as well and is attached to UART3 of the MSM8255 SoC.
See this post for details:
http://forum.xda-developers.com/showpost.php?p=37660319&postcount=76
The debug UART was at least identified on the MK16i mainboard.
If you need more details, please ask!
We got the testpoints confirmed to be working on lt18i as well.
See here for the location:
http://forum.xda-developers.com/showpost.php?p=37701777&postcount=82
... and the logs:
http://forum.xda-developers.com/showpost.php?p=37983019&postcount=109
Thanks a lot for contribution!
See this beautiful hack for the X8/10 as well:
http://forum.xda-developers.com/showthread.php?t=2064108
What we know:
- parts of NAND could only be accessed with some "evil" tricks (e.g. kexec method)
- there are extensive debugging features available in our bootcode
What we need to know:
It would be nice to find a way to activate a cmdline interface at bootlevel.
Result:
Get some insights of the implemented functions in bootcode.
O.k. i'll stop writing for now.
If this thread will draw some attention, i'll continue
You're always welcome to correct me or leave a comment here.
If you like more technical reading tell me as well.
Opinions and discussion welcome!!!
P.S:
If anyone could point me to some code to write a NAND mtd mapper for 2.6.32-9 stock kernel, you're welcome!
Background: I'd like to get mtdblock4 & 5 access on rooted but security locked device.
CREDITS (no particular order):
Dilesh Perera (for s1tool logs, which helped a lot to draw some conclusions)
gen_scheisskopf (for very useful discussion all over this thread)
hillbeast (for confirmation of UART3 testpoints on LT18i and logs)
...all others who helped to get a better understanding of the fuse registers!
Hugh thanks!!!
TBC
Cheers,
scholbert

Hi,
in the meantime i was able to identify some of the OTP registers used on MSM8255(T), a.k.a. fuse registers.
There's another interesting factory register which identifies the type of CPU.
Though it seems that of "old" and "new" security chip could not directly identified using these registers, it is a nice journey to the internals.
We need a tool to dump these values from userland.
Check out viewmem:
http://blog.maurus.be/index.php/2011/01/samsung-i9000-irom-dump/
Grab the viewmem tool from http://blog.maurus.be/wp-content/uploads/viewmem
Copy to /data/local on your device and execute the tool as root.
HW_REVISION_NUMBER
I started some investigation again and made some dumps using this tool.
./viewmem 0xabc00270 0x4 | hexdump -C
As an example given my device got this ID:
HW_REVISION_NUMBER 0xabc00270 = 0x205720e1
This equals to the JTAG Core ID of the Qualcomm chip.
The other one used for JTAG is the TAP ID = 0x27B360E1
I found these Core ID values of derivates in the web:
CPU: Qualcomm MSM8255
Core ID: 0x205700E1
and
Core ID: 0x205720E1
There's this one as well:
CPU: Qualcomm MSM8255T
Core ID: 0x2057A0E1
If someone likes to contribute, please run the viewmem command given above and post it here.
This way we might get an idea which chip revisions are floating around.
MSM_TCSR_CONF_FUSE
I stumbled over the MSM_TCSR register set by looking into bootloaders and disassembled parts of s1_boot as well.
These gave the same offset in some code snippets.
So here we go...
Code:
MSM_TCSR_PHYS 0xab600000
TCSR_CONF_FUSE_0 0xab60005c // TCSR_CONF_FUSE_0 register (base security setup)
TCSR_CONF_FUSE_1 0xab600060 // TCSR_CONF_FUSE_1 register (enhanced debug)
TCSR_CONF_FUSE_2 0xab600064 // TCSR_CONF_FUSE_2 register (feature setup)
TCSR_CONF_FUSE_3 0xab600068 // TCSR_CONF_FUSE_3 register (unique serial#)
TCSR_CONF_FUSE_4 0xab60006c // TCSR_CONF_FUSE_4 register (L1&L2 clocking)
TCSR_CONF_FUSE_5 0xab600070 // TCSR_CONF_FUSE_5 register (not used)
These are the values i dumped from my device:
Code:
0xab60005c = 0x00716d4b
0xab600060 = 0xc8041447
0xab600064 = 0x28040815
0xab600068 = 0x695888c0 (unique serial number of CPU)
0xab60006c = 0x200001b0
0xab600070 = 0x00000000
MSM8255 based:
Xperia pro (MK16)
FUSE(0-5): 00716d4b c8041447 28040815 695888c0 200001b0 00000000
Which looks very similar to these (found on the web over various forums):
MSM8255 based:
Xperia arc (LT15)
FUSE(0-5): 00716d4b c8041447 28040815 fe53ed80 200001b0 00000000
MSM8255 based (according to GSM forum this is a new security device):
Sony Walkman (WT19i)
FUSE(0-5): 00714b6d c8041447 28040815 14b248a0 200001b0 00000000
MSM8255 based (security unknown):
Xperia neo V (MT11)
FUSE(0-5): 00714b6d c8041447 28040815 13789bc0 200001b0 00000000
MSM8255T based (security unknown):
Xperia arc S (LT18)
FUSE(0-5): 00714b6d e8041447 28040815 e99f59a0 200001b0 00000000
MSM8255T based (new security):
Xperia arc S (LT18)
FUSE(0-5): 00714b6d c8041447 28040815 c25cf0a0 200001b0 00000000
MSM8655 based (security unknown):
Xperia acro (IS11S)
FUSE(0-5): 00714b6d 08041447 28000816 5244e280 200001b0 00000000
We need to confirm if this is true...
Copy viewmem to /data/local on your device and execute the tool as root.
Read out the value of TCSR_CONF_FUSE_0:
./viewmem 0xab60005c 0x4 | hexdump -C
result: 4b 6d 71 00
which is LSB first so please rearrange to get MSB first...
result: 00 71 6d 4b
This is one of the things that still need some clarification:
value = 0x00716d4b old and newsecurity
value = 0x00714b6d definitely new security
This is not proven and maybe it's not the correct register to look at.
Anyway this will be mostly guessing because i'm missing documents.
It's still unknown at which position the trusted boot bit is located and if it play a role for "old" vs "new" security setup.
I will need some more dumps of these registers. So i really would appreciate any help here...
At least dumping that register of:
one device successfully unlocked with s1tool
and
one from a device giving that packet error.
EDIT:
There's no difference here... as far as we got it right now.
How to participate?
First i need information about your device:
- model
- manufacturing date form the sticker under the battery
Second you need root, busyboy installed (with hexdump feature) viewmem tool (see 2nd post) and Android terminal or working adb.
- grab viewmem from the link in 2nd post
- put the viewmem binary on your device in /data/local
- type:
cd /data/local
chmod 0755 ./viewmem
- post the output of your Hardware ID, type:
./viewmem 0xabc00270 0x4 | hexdump -C
- post the output of your TCSR_CONF_FUSE_0..5
./viewmem 0xab60005c 0x14 | hexdump -C
Additionally you might give some details if you already tried to unlock with s1tool and if you got the paket error.
Thanks for all the fish :laugh: !!
MARM_ANY_MODE_DEBUG_DISABLE
Apart from the location of the trusted boot bit this is another very interesting fuse bit.
More to come on this topic soon!
Any help would be appreciated to shed some light on this!
Please join in :victory:
To get a better idea of all this stuff you might have a brief look into the application note attached to this post.
To the admins:
I know that some confidential data could be found all over in this forum, but please tell me if you see conflicts with the forum rules.
Geek stuff link collection:
If you like engineer stuff, check out this comprehensive thread:
http://forum.xda-developers.com/showthread.php?t=1856327
This as well:
http://www.anyclub.org/2012/05/qpst-emergency-download-support.html
EDIT:
This document will give you a good idea what happens on bootup and how parts interact with each other:
http://dl.dropbox.com/u/69550833/Android_Board_Bringup - 80-VM984-1-B.pdf
Hugh thanks to Antagonist42 for this beautiful document collection!!
I may add some referals to the parts used on the Xperia 2011 series...
I will clean up here from time to time and write down conclusions in the first post.
TBC
Regards,
scholbert

Nice post, would put a few more spaces between sentences to make for easier reading though.
Sent from myushi

i dont understank

Thanks for this. It would be good if you could add info on how device owners can determine whether they have a device with "old security" or "new security".

Kris-lam said:
i dont understank
Click to expand...
Click to collapse
What?
Whole world?
Life?
... or the reason why i wrote this thread?
pelago said:
Thanks for this. It would be good if you could add info on how device owners can determine whether they have a device with "old security" or "new security".
Click to expand...
Click to collapse
That would be on of the goals... see my comment in the first post again:
We need the register offset for the security efuse bank on MSM7x30 (MSM8255 as well) devices!
Click to expand...
Click to collapse
Once we got the offset, we may try to dump this region and look for different bits on same models.
If my conclusions are correct, old & new security hardware differ by a single efuse bit and as a result using different signatures and stuff inside NAND.
EDIT:
As an example, here's a driver implementation for LG device using APQ8064:
https://android.googlesource.com/ke...f6e/arch/arm/mach-msm/lge/lge_qfprom_access.c
These are the values on that platform:
Code:
...
#define QFPROM_HW_KEY_STATUS 0x702050
#define QFPROM_SECURE_BOOT_ENABLE 0x700310
#define QFPROM_OEM_CONFIG 0x700230
#define QFPROM_DEBUG_ENABLE 0x700220
#define QFPROM_SECONDARY_HW_KEY 0x7002A0
#define QFPROM_READ_PERMISSION 0x7000A8
#define QFPROM_WRITE_PERMISSION 0x7000B0
#define QFPROM_OVERRIDE_REG 0x7060C0
#define QFPROM_CHECK_HW_KEY 0x123456
...
Little further in that code...
Code:
...
/* addr LSB MSB */
//{ QFPROM_SECURE_BOOT_ENABLE, 0x00000020, 0x00000000}, /* SECURE ENABLE */
//{ QFPROM_OEM_CONFIG, 0x00000031, 0x00000000}, /* OEM ID */
//{ QFPROM_DEBUG_ENABLE, 0xC1000000, 0x0000006F}, /* JTAG DISABLE */
//{ QFPROM_CHECK_HW_KEY, 0x0, 0x0},
//{ QFPROM_READ_PERMISSION, 0x0C000000, 0x00000000}, /* READ PERMISSION */
//{ QFPROM_WRITE_PERMISSION, 0x54100000, 0x00000000}, /* WRITE PERMISSION */
...
Regards,
scholbert

Hi again,
though this thread is drawing less attention, i'd like to inform you about my process.
In the meantime i reviewed some low level code for the MSM7x30 (e.g. AMSS bootcode, moboot bootloader repository) to get a hint how to identify security level on the Xperia 2011 platforms.
As far as i got it the MSM7x30 is the base for the MSM8255 devices as well and i assume that most register offsets and peripheral I/O maps are equal.
First i found an interesting offset definition in the moboot bootloader:
Code:
#define HW_REVISION_NUMBER 0xABC00270
I compiled a little tool for my Xperia, which could be used to read back the content from memory mapped registers (a.k.a. memdump).
By addressing 0xabc00270 some mechanism got triggered and my device rebooted immediately.
My guess is that this is offset belongs to the security area and accessing this area is simply prevented by causing a reboot.
No output here at Android userland...
Next i had a look into the AMSS sources for the Hisense TS7008 development platform.
This seems to be reference code for the modem bootloader (baseband processor) which is a previous step before we boot the oem bootloader ( application processor) in our phones.
Anyway, the interesting part is, that i found another offset address, which is included in the moboot sources as well:
Code:
#define MSM_CRYPTO_BASE 0xA8400000
There are many references to this address and the related registers inside the routines for the crypto stuff (e.g. validate hash values).
I'm gonna try to read some content in this area this afternoon.
EDIT:
O.K. just tried to access these areas... seems like a no go from userland.
My phone freezes, after a while something like a watchdog timeout comes in and resets the device.
This is different to accessing the HW_REVISION_NUMBER, which caused an immediate reset.
Anyway, i guess i give up on this issue...
No discusssion, less interest, no comments from the cracks... the_laser is far away as well...
Cheers,
scholbert

scholbert said:
What we need to know:
Please confirm, if bootloader unlock is working after SIM-lock is removed!
In other words will you get fastboot feature after removing SIM-lock?
Click to expand...
Click to collapse
Yes, bootloader unlock is working after removing SIM-lock.
My ArcS was SIM-locked and I had to remove the lock in order to use the phone. Unlock was done using a code generator. I didn't touch the bootloader in case phone is somehow damaged (bought it as "unused second-hand")
Later I unlocked the bootloader using Wotan server (testpoint method)- no problems during the process, phone works fine.
One question regarding s1boot comes to my mind- how it manages partitioning (and would it be possible co create custom partition layout)?
Flashing official ICS using flashtool changed default (Gingerbread) partition sizes

Hey gen_scheisskopf,
it's a pleasure to meet you again over here :highfive:
How are things rollin' ?
gen_scheisskopf said:
Yes, bootloader unlock is working after removing SIM-lock.
Click to expand...
Click to collapse
Thanks for the feedback.
Just to make it clearer, after applying removing the SIM-lock, the fastboot feature got available... is this right?
gen_scheisskopf said:
My ArcS was SIM-locked and I had to remove the lock in order to use the phone. Unlock was done using a code generator. I didn't touch the bootloader in case phone is somehow damaged (bought it as "unused second-hand")
Later I unlocked the bootloader using Wotan server (testpoint method)- no problems during the process, phone works fine.
Click to expand...
Click to collapse
Mmmh, do you know what's behind this Wotan server method?
Is the bootloader patched as well (real bypass like s1tool) or is there a key generated and flashed to the phone (like official method)?
Just for the statistics... could you please tell me the date code of your phone?
gen_scheisskopf said:
One question regarding s1boot comes to my mind- how it manages partitioning (and would it be possible co create custom partition layout)?
Flashing official ICS using flashtool changed default (Gingerbread) partition sizes
Click to expand...
Click to collapse
This is very interesting indeed and i guess it's possible... someone should spend some time on investigating.
Will require to tweak TA sections or something. BTW i'm not sure if the TA parts are covered by certificates or something.
Anyway it would be required to get a good understanding of this process, otherwise this would cause bricks
Best regards,
scholbert

scholbert said:
Hey gen_scheisskopf,
it's a pleasure to meet you again over here :highfive:
How are things rollin' ?
Click to expand...
Click to collapse
Thanks, everything is OK. Still messing around with my devices (tweaking Toshiba ac100 Froyo now, got usb gamepad+GamepadIME working without any need for chmod-ing )
scholbert said:
Thanks for the feedback.
Just to make it clearer, after applying removing the SIM-lock, the fastboot feature got available... is this right?
Click to expand...
Click to collapse
Honestly I didn't check fastboot availability before removing SIM-lock. For sure it worked after removing the lock
scholbert said:
Mmmh, do you know what's behind this Wotan server method?
Is the bootloader patched as well (real bypass like s1tool) or is there a key generated and flashed to the phone (like official method)?
Click to expand...
Click to collapse
I'm not sure but it's possible that it flashed a patched bootloader- some files were downloaded in order to make the unlock but I didn't investigate what's inside. Client software was "unpack when executed then clean up" exe.
scholbert said:
Just for the statistics... could you please tell me the date code of your phone?
Click to expand...
Click to collapse
11W51 (December 2011?)
scholbert said:
This is very interesting indeed and i guess it's possible... someone should spend some time on investigating.
Will require to tweak TA sections or something. BTW i'm not sure if the TA parts are covered by certificates or something.
Click to expand...
Click to collapse
For sure we can investigate tft files themselves (GB vs ICS). Maybe for repartitioning it would be enough to prepare and flash custom .sin images? Official update seems to work this way, it was reported to work also for Arc using ArcS files
EDIT:
Correction- loader.sin flashing is also required for partition layout modification- original topic
However loader.sin provided in the mod is the same file as the one found in ArcS's baseband 70 and 72

gen_scheisskopf said:
Thanks, everything is OK. Still messing around with my devices (tweaking Toshiba ac100 Froyo now, got usb gamepad+GamepadIME working without any need for chmod-ing )
Click to expand...
Click to collapse
Cool!!
Once thought to buy one, there are many cool hacks floating around.
... off-topic though
gen_scheisskopf said:
Honestly I didn't check fastboot availability before removing SIM-lock. For sure it worked after removing the lock
Click to expand...
Click to collapse
Again thanks for this feedback, will add it to the first post soon...
gen_scheisskopf said:
I'm not sure but it's possible that it flashed a patched bootloader- some files were downloaded in order to make the unlock but I didn't investigate what's inside. Client software was "unpack when executed then clean up" exe.
Click to expand...
Click to collapse
O.k. it's not that important... i'd really like to know a little more about this low level stuff of the unlocking procedure on Xperia 2011, that's why i asked.
gen_scheisskopf said:
11W51 (December 2011?)
Click to expand...
Click to collapse
So s1tool would have worked as well...
gen_scheisskopf said:
For sure we can investigate tft files themselves (GB vs ICS). Maybe for repartitioning it would be enough to prepare and flash custom .sin images? Official update seems to work this way, it was reported to work also for Arc using ArcS files
EDIT:
Correction- loader.sin flashing is also required for partition layout modification- original topic
However loader.sin provided in the mod is the same file as the one found in ArcS's baseband 70 and 72
Click to expand...
Click to collapse
Great, thanks a lot for the link... i'll have a look what's up with it.
Regards,
scholbert

fuse register dump
Hey geeks,
still not giving up... i have a clue now
Just to remember...
I am looking for a way to identify "old" and "new" security chipsets on the Xperia 2011 series.
Few days ago i posted that i could not read the some parts of the internal
register space.
Seemed to be an issue with the tool i used (perhaps wrong flags) which caused system resets.
EDIT:
Updated second post http://forum.xda-developers.com/showpost.php?p=36264032&postcount=2
I'd really find some indication for security level...
If you need some explanation, please ask...
Cheers,
scholbert

My result: 0x00716d4b
Arc S 11w51, unlocked using Wotan server (tespoint method, most likely s1tool-like)
I'll check other registers tomorrow

scholbert said:
Please i need some help here...
At least dumping that register of:
one device successfully unlocked with s1tool
and
one from a device giving that packet error.
Would be very helpful to shed some light on this!
Please join in :victory:
If you need some explanation, please ask...
Cheers,
scholbert
Click to expand...
Click to collapse
Sadly, I have an Arc S 12W16 (edit: Sorry, I was mistaken: it was 12W14 and I'm unlocked via testpoint today), so S1 doesn't work AFAIK (and I read that people that can unlock with SETool doesn't touch any 12W16, so I didn't checked the unlock possibilities/prices). Anyway, I dunno if I did it right but, here's a screen: http://s1.postimage.org/wujbqrs5r/2013_01_25_14_50_41.png - looks like the result is 4b 6d 71 00
Amazing work, btw. I always asked to myself if there was a way to check the type of security (old X new).

Hi,
just to make it clear again... right now i'm still trying to sort things out, that's why i need little help :fingers-crossed:
gen_scheisskopf said:
My result: 0x00716d4b
Arc S 11w51, unlocked using Wotan server (tespoint method, most likely s1tool-like)
I'll check other registers tomorrow
Click to expand...
Click to collapse
Thanks!
So i guess we could definitely mark this as old security fuse setting.
The other values should be similar to the ones i already listed (apart form your unique serial of course).
panda0 said:
Sadly, I have an Arc S 12W16, so S1 doesn't work AFAIK (and I read that people that can unlock with SETool doesn't touch any 12W16, so I didn't checked the unlock possibilities/prices). Anyway, I dunno if I did it right but, here's a screen: http://s1.postimage.org/wujbqrs5r/2013_01_25_14_50_41.png - looks like the result is 4b 6d 71 00
Amazing work, btw. I always asked to myself if there was a way to check the type of security (old X new).
Click to expand...
Click to collapse
Thanks as well... looks O.K. for me. So this is the same value.
Did you try the testpoint method already?
If my assumption is correct, then you might be lucky and got old security as well. BTW, i don't want to be responsible for bricked devices
At least this was my intention to get a real indicator for old security and give a clear statement:
Yes, it's safe to try the testpoint method.
So maybe you just be a little patient...
Some words on the production date:
I found out that the sticker on the back gives the production date of your phone.
There's another one on the processor under the shield on the mainboard.
This one is more related to the series of processors used for your mainboard.
My device is marked as 12W11 (sticker under the battery), while the sticker on the processor states 11W44.
See the pic attached.
In other words, they produced an amount of mainboards back in 2011, but the phone itself got assembled in 2012.
Thanks a lot for helping out, i really appreciate this!
Regards,
scholbert

hi i have a arc s 12w28 i i tryed to execute the viewmem but got nothing
Code:
[email protected]:/data/local # ./viewmem 0xab60005c 0x4 | hexdump -C
sh: hexdump: not found
[INFO] Reading 4 bytes at 0xab60005c...
am i doing something wrong ??

scholbert said:
Hi,
just to make it clear again... right now i'm still trying to sort things out, that's why i need little help :fingers-crossed:
Click to expand...
Click to collapse
:fingers-crossed:
scholbert said:
Thanks as well... looks O.K. for me. So this is the same value.
Did you try the testpoint method already?
If my assumption is correct, then you might be lucky and got old security as well. BTW, i don't want to be responsible for bricked devices
Click to expand...
Click to collapse
Not yet. But if everything works as we're expecting, indeed, I might be a lucky one. I'll see this question ASAP to give some feedback.

Re: [REF]Booting/Unlocking Xperia 2011 series: What's under the hood?
danielgek said:
hi i have a arc s 12w28 i i tryed to execute the viewmem but got nothing
Code:
[email protected]:/data/local # ./viewmem 0xab60005c 0x4 | hexdump -C
sh: hexdump: not found
[INFO] Reading 4 bytes at 0xab60005c...
am i doing something wrong ??
Click to expand...
Click to collapse
Partly... the tool hexdump is used to get a formatted output for console.
You'll need at least a version of busybox with the hexdump feature installed.
Maybe your missing some symbolic links.
Try again with this command:
./viewmem 0xab60005c 0x4 | busybox hexdump -C
If the error persists, your version of busybox is missing that feature.
Would be very interesting to get your output though...
Good luck,
scholbert

scholbert said:
Partly... the tool hexdump is used to get a formatted output for console.
You'll need at least a version of busybox with the hexdump feature installed.
Maybe your missing some symbolic links.
Try again with this command:
./viewmem 0xab60005c 0x4 | busybox hexdump -C
If the error persists, your version of busybox is missing that feature.
Would be very interesting to get your output though...
Good luck,
scholbert
Click to expand...
Click to collapse
Code:
[email protected]:/data/local # ./viewmem 0xab60005c 0x4 | busybox hexdump -C
[INFO] Reading 4 bytes at 0xab60005c...
00000000 4b 6d 71 00 |Kmq.|
00000004
its an arc s 12w18 loked bootloader and sim loked

Re: [REF]Booting/Unlocking Xperia 2011 series: What's under the hood?
danielgek said:
Code:
[email protected]:/data/local # ./viewmem 0xab60005c 0x4 | busybox hexdump -C
[INFO] Reading 4 bytes at 0xab60005c...
00000000 4b 6d 71 00 |Kmq.|
00000004
its an arc s 12w18 loked bootloader and sim loked
Click to expand...
Click to collapse
Mmmh, still the same value... if we trust the statements about date code i would say that this should be new security...
but as i tried to point out already, this could not be taken for granted.
Anyway, locked or unlocked doesn't matter, because i'm looking for security bit in fuse registers.
Did you ever try testpoint method on your device?
Guess we need someone, who already tried the s1tool procedure and got the paket error with his device.
If this phone would give different value on FUSE0 register, it would prove that i'm on the right way.
Thanks for contributing!
Regards,
scholbert

[Q] Odin crashes

I tried 2 different versions of Odin to root my Galaxy S5. Its now TF but I had insurance so meh. My main problem is that Odin keeps crashing on me after it starts doing its thing. I have no idea what I'm doing now and the recovery mode wont work either.
This is the error I keep getting. Does anyone know what happened?
Problem signature:
Problem Event Name: APPCRASH
Application Name: Odin3-v3.07.exe
Application Version: 3.0.0.0
Application Timestamp: 4fc5bb56
Fault Module Name: Odin3-v3.07.exe
Fault Module Version: 3.0.0.0
Fault Module Timestamp: 4fc5bb56
Exception Code: c0000094
Exception Offset: 0001a688
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 3081
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789
Also the main reason I tried to do this in the first place is I contracted a virus on my phone but no anti virus app I tried could delete it or even detect it. Another app I got said I had an "Air Push" virus. Is there a way to disable the Air Push thingy on my phone?

Allwinner R16 (astar_d7) Android 6.0.1 Marshmallow - Partition Dump & Information

Please note that I gave up on this unit (MTCD PX5 units are so much nicer...). I will try to update this post (however infrequently) with information that may appear in this thread or come my way by other means, but I will not seek information actively and updates will no longer be from my own experience or experiments.
At the time of writing this head unit is available here and (probably) here. These are both custom fit for Kia Sorento, but other versions do exist; in particular several EONON units feature the same hardware configuration (model numbers GA2160, GA7153 GA7163, and I am sure others).
Hardware-wise this seems to be the same unit as described in this thread so many tricks therein will work for this unit. In particular the USB debugging password continues to be "[email protected]" (without quotes); the extra settings password is most likely either 123456 or 668811; the factory reset and developer options passwords appear to be both 7890.
In all the unit is an Allwinner quad core R16, with the MCU version 5.3.19-16-10-650101-161115 and System version V7.3.1-2016-11-12.100233_TW2. Here is the Droid Info report:
Code:
DEVICE
Model: QuadCore-R16 (astar_d7)
Manufacturer: Allwinner
Baseband Version: Not Available
RIL Version: sw-dataonly-ril-for-6.0_v1.0
Build Number: astar_d7-eng 6.0.1 MOB30R 20161112 test-keys
Build Fingerprint: Allwinner/astar_d7/astar-d7:6.0.1/MOB30R/20161112:eng/test-keys
Bootloader: unknown
Java VM: ART 2.1.0
OS Version: Marshmallow (6.0.1)
SDK: 23
DISPLAY
Resolution: 1024x600 pixels
Software Density: 160 dpi (mdpi)
Refresh Rate: 60 Hz
PROCESSOR
CPU Architecture: ARMv7 Processor rev 5 (v7l)
Board: exdroid
Chipset: sun8i
Cores: 4
Clock Speed: 480 MHz - 1200 MHz
Instruction Sets: armeabi-v7a, armeabi
CPU Features: swp half thumb fastmult vfp edsp thumbee neon vfpv3 tls vfpv4 idiva idivt
CPU Governor: Not Available
Kernel Version: 3.4.39
Kernel Architecture: armv7l
GRAPHICS
Renderer: Mali-400 MP
Vendor: ARM
OpenGL Version: OpenGL ES 2.0
RAM
Total: 986 MB
Java Heap: 80 MB
STORAGE
Internal: 12 GB
EXTERNAL: Not Detected
Software-wise the unit comes with a fairly stock version of Marshmallow, though as usual the operating system is a bit locked down (but to my surprise not too locked down) compared to stock.
The purpose of this thread is to gather information about the software and possible customization for these units. I have added the information I gathered from my experience and I will update this post with any new information I manage to obtain.
1. Partition dump
For reference I dumped all the partitions of my device. The dump is available here. The dump was done by name (for those partitions that have a name) and symlinks point to the device name from /dev/block. Feel free to share (credit appreciated but not necessary) and please share any information that you gather from it (which will be included in this section as it becomes available).
2. Flashing firmware
There are multiple ways of flashing new firmware, depending on the actual unit and also its state (working, bootloop, etc.). All methods require that the all the files (three to six) that contain said firmware (see next section) be placed in the root of a SD card formatted FAT32 and inserted in the GPS slot of the unit. Some reports of the firmware being flashed from a USB stick rather than the SD card also exist; they also mention that choosing one USB port over another might make the difference between success and failure.
On a working system inserting the card and/or USB stick and choosing "update system" from preferences will likely do the trick.
On a system that is not working the following methods have been reported:
Hold Home, press Reset, and keep holding Home until the update starts (thanks).
A hardware solution is to short Key 1 (steering wheel controls) to ground, then press and hold Reset for 10 seconds; release Reset and disconnect Key 1 when "update" is displayed (thanks).
Yet another procedure might be needed for some units (thanks): Using a USB stick prepared as above and inserted in the unit, turn ignition to ACC, press Reset, turn ignition off, then after 5 seconds turn it again to ACC. A video is also available.
3. Flashable firmware
All the reports I have seen indicate that all the firmware versions are interchangeable. However, a factory reset will be needed most of the time for full functionality, especially so when installing firmware from a different vendor. It is VERY important however to note that the file bd07a5ee-fbb0-11e4-ae78-000c29ba27c0 contains the MCU firmware and so SHOULD NOT be flashed on incompatible devices as doing so will brick the unit (thanks).
Partition 11 of the above dump in particular stores a flashable image. It contains the following files:
81cb828c-9b57-11e6-ad2a-df6786178d62
827ba428-9b57-11e6-8dfb-37398ea70e52.0
827ba428-9b57-11e6-8dfb-37398ea70e52.1
bd07a5ee-fbb0-11e4-ae78-000c29ba27c0
The files 827ba428-9b57-11e6-8dfb-37398ea70e52.* in particular when cat-ed together form an ext4 file system that appear to be a copy of the system partition. This 4pda forum thread contain more information (thanks @Ahfish22); I do not speak Russian at all but Google Translate does a good job most of the time.
Since I started this thread many people have posted many firmware versions. Here is a hopefully complete list. There might be duplicates and misses and I apologize for both in advance.
The following set of firmware (in particular V7.3.1_20170610.110122_KED1 therein) come recommended by several users (thanks).
EONON firmware:
GA2162_KBT2_20170309 (thanks)
V7.3.1_20170114.111256_KBT2 (thanks)
EONON-R16-20170509 (thanks)
EONON-R16-KLD20170515
V7.3.1_20170427.104257_KBT2 (thanks)
EONON-R16-KLD20170515 (thanks)
KED1 (MEDEKE?) firmware (thanks):
V7.3.1_20170216.180104_KED1
V7.3.1_20170720.152039_KED1
TW2 (TopWinner?) firmware (thanks):
V7.3.1_20170111.114952_TW2-IVT+ROOT+RADIO
V7.3.1_20161229.175327_TW2
V7.3.1_20161201.154419_TW2
TH6 firmware (thanks): V7.3.1_20161129.194710_TH6
JYZC1 (Joying?) firmware (thanks):V7.3.1_20170317.114203_JYZC1
Kaier firmware (thanks)
Rooted KLD (Klyde) firmware (thanks):V7.3.1_20170512.203736_KLD1-0-1-mod
4. Recovery
Mot units do have a working recovery partition, though some are reported not to have such. The command "reboot recovery" at a root prompt (terminal emulator or ADB) will enter recovery (if available).
Alternatively recovery can be reached with an external USB keyboard as follows: While holding Alt and Print Screen keep tapping i; the system will eventually restart in recovery (thanks pir8man) .
It should be noted that despite the on-screen instructions the stock recovery does not react to any buttons on the head unit, but works well with an external USB keyboard.
5. Customization
There are useful tweaks that come with the stock operating system including speed-dependent volume and (apparently, I have not tested exhaustively) the elimination of the full-screen keyboard.
I found this alternative to the stock radio app (context, source code) which is pretty nice except that the app force closes upon attempting to enter settings. If you speak Russian it may be worth discussing this with the developer.
Root: Kingoroot works, though several attempts (reboot and try again) may be needed. Note that a reliable Internet connection is needed during the whole process. I do not like the extra apps and intrusive ads that come with Kingoroot. I therefore recommend once rooted to install Chainfire's SUperSU, let it update the su binary, and then uninstall Kingoroot. Note however that the current Play Store SuperSU (namely, version 2.82) may not be able to overwrite Kingoroot's su (saying instead that "the su binary is occupied"). If this is the case you may want to try version 2.79 (downloadable from here) which is known to work. Once the Kingoroot's su binary is overwritten you can upgrade to the latest (Play Store) SuperSU.
Busybox: Installed without incidents using the usual installer from the Play Store.
Xposed: Installed using the Xposed installer v. 3.1.1 and works well. I tried Gravity Box and Xprivacy.
6. Outstanding issues
It should be possible to redefine the default apps for music, video, and radio but I did not find any way to do it.
Mapping SWC and front button panel events works to some degree (for testing purposes I mapped the "Band" button to the app drawer), but this seems to be exclusively at the mercy of the MCU, which only allows mapping to predefined actions. I could find no way to map these events to custom actions on the OS side. It was reported that button events are communicated to the OS as long as no MCU app is running. However, I was unable to reproduce this; for me no event is ever seen by the OS no matter how many (or how few) apps are running. I stopped all the MCU apps but even so KeyTest does not register any event.
Needless to say, no custom recovery (such as TWRP) exist for these units.

So if the hardware is the same as the other 4.4.2 units then can we update our old units to 6.0?

Can you share me the content of /sbin directory?

sambacha said:
So if the hardware is the same as the other 4.4.2 units then can we update our old units to 6.0?
Click to expand...
Click to collapse
If the hardware matches then I do not see why not. In addition to dd-ing the system and boot partitions of my dump (which you are welcome to try) please see my last edits of the first post for possible flashable firmware being available.
Just make sure that you have a (tested) way to get back if things do not work...

mrtnb said:
Can you share me the content of /sbin directory?
Click to expand...
Click to collapse
See attached.

Found a thread in the russian site about updating the older units that came with 4.4.2 to 6.0. I will give that a try later today and report back. I'm mostly concerned about it's native support to USB DAC's so I can finally stop change audio sources in my DSP every time I want to use any app other than UAPP.
EDIT: spoke too soon before reading the updates to the original post!

Alternative to the stock radio -- help needed
I found this alternative radio app (reference, source code). It works well but I am unable to set preferences as the app force closes on selecting the setting menu item.
I would ask the developer, except that I do not speak Russian. I was wondering if any Russian speaker around here could inquire about the issue. I have also downloaded the sources and I am poking around but I am not holding my breath until I find a solution (I am a coder but not an Android developer). Many thanks in advance!

sambacha said:
Found a thread in the russian site about updating the older units that came with 4.4.2 to 6.0. I will give that a try later today and report back. I'm mostly concerned about it's native support to USB DAC's so I can finally stop change audio sources in my DSP every time I want to use any app other than UAPP.
EDIT: spoke too soon before reading the updates to the original post!
Click to expand...
Click to collapse
Can you share your experience and the russian thread's link?

sambacha said:
Found a thread in the russian site about updating the older units that came with 4.4.2 to 6.0. I will give that a try later today and report back. I'm mostly concerned about it's native support to USB DAC's so I can finally stop change audio sources in my DSP every time I want to use any app other than UAPP.
EDIT: spoke too soon before reading the updates to the original post!
Click to expand...
Click to collapse
Can you give us a link?
---------- Post added at 07:40 AM ---------- Previous post was at 07:21 AM ----------
can I flash this over Android 4.4?
This is my unit:
Android 4.4.2 Operation System
CPU Processor: Allwinner R16 Cortex A9 Quad-core 1.6GHz
RAM Memory: Samsung DDR3 1GB/16GB

I just installed an EONON GA2162. Link
Which appears to be a clone of the same..
MCU version: 5.3.19-108-10-943101-170114
System version: V7.3.1_20170114.111256_KBT2
Code:
DEVICE
Model: QuadCore-R16 (astar_d7)
Manufacturer: Allwinner
Baseband Version: Not Available
RIL Version: sw-dataonly-ril-for-6.0_v1.0
Build Number: astar_d7-eng 6.0.1 MOB30R 20170112 test-keys
Build Fingerprint: Allwinner/astar_d7/astar-d7:6.0.1/MOB30R/20170112:eng/test-keys
Bootloader: unknown
Java VM: ART 2.1.0
OS Version: Marshmallow (6.0.1)
SDK: 23
DISPLAY
Resolution: 1024x600 pixels
Software Density: 160 dpi (mdpi)
Refresh Rate: 60 Hz
PROCESSOR
CPU Architecture: ARMv7 Processor rev 5 (v7l)
Board: exdroid
Chipset: sun8i
Cores: 4
Clock Speed: 480 MHz - 1200 MHz
Instruction Sets: armeabi-v7a, armeabi
CPU Features: swp half thumb fastmult vfp edsp thumbee neon vfpv3 tls vfpv4 idiva idivt
CPU Governor: Not Available
Kernel Version: 3.4.39
Kernel Architecture: armv7l
GRAPHICS
Renderer: Mali-400 MP
Vendor: ARM
OpenGL Version: OpenGL ES 2.0
RAM
Total: 836 MB
Java Heap: 80 MB
STORAGE
Internal: 12 GB
EXTERNAL: Not Detected
I can dump the rom if anyone desires.

sbruda said:
[*]It would be great if long press events (SWC and/or front panel buttons) can be used. Some hints in various threads suggest that this is possible with these units but I found no way to do it. Advice is once more much appreciated.
Click to expand...
Click to collapse
Hi, I recently bought one of these for a Ford Mondeo and I somehow have figured about using keypress events.
The problem doesn't lie in the unit itself, but the damn apps it has.
I have been two entire days staring at Extreme Logcat screen and button event but no go, but, suddently, key event started registering next, prev and play/pause.
GREAT, I thought, and I started configuring Xposed Additions to start some audio visualizers in some buttons but when I started the music app, it stopped registering the events. It closed that app and those events where working again. Tried powerAmp and everything works like a charm. Menu and back keystrokes can also be mapped while the on-screen button still do the default action, so:
- It seems like the built-in apps capture those events and prevent anyone (tasker, Xposed Additions) to use them.
- MP3 and video player can be replaced pretty easyly but radio and specially bluetooth manager (Which has a whooping 12 keys that can be customized (0-9, # and *)) cannot be replaced.
- Decompiling the app, and disabling those captures could be the solution to use all those keystrokes OR finding some way to block those apps from capturing those events.
If I get something new I'll post asap.
Hope this helps.

pir8man said:
I just installed an EONON GA2162. Link
Which appears to be a clone of the same..
MCU version: 5.3.19-108-10-943101-170114
System version: V7.3.1_20170114.111256_KBT2
Code:
DEVICE
Model: QuadCore-R16 (astar_d7)
Manufacturer: Allwinner
Baseband Version: Not Available
RIL Version: sw-dataonly-ril-for-6.0_v1.0
Build Number: astar_d7-eng 6.0.1 MOB30R 20170112 test-keys
Build Fingerprint: Allwinner/astar_d7/astar-d7:6.0.1/MOB30R/20170112:eng/test-keys
Bootloader: unknown
Java VM: ART 2.1.0
OS Version: Marshmallow (6.0.1)
SDK: 23
DISPLAY
Resolution: 1024x600 pixels
Software Density: 160 dpi (mdpi)
Refresh Rate: 60 Hz
PROCESSOR
CPU Architecture: ARMv7 Processor rev 5 (v7l)
Board: exdroid
Chipset: sun8i
Cores: 4
Clock Speed: 480 MHz - 1200 MHz
Instruction Sets: armeabi-v7a, armeabi
CPU Features: swp half thumb fastmult vfp edsp thumbee neon vfpv3 tls vfpv4 idiva idivt
CPU Governor: Not Available
Kernel Version: 3.4.39
Kernel Architecture: armv7l
GRAPHICS
Renderer: Mali-400 MP
Vendor: ARM
OpenGL Version: OpenGL ES 2.0
RAM
Total: 836 MB
Java Heap: 80 MB
STORAGE
Internal: 12 GB
EXTERNAL: Not Detected
I can dump the rom if anyone desires.
Click to expand...
Click to collapse
could you please upload this rom for us
thanks man

me sumo al pedido
Saludos !
no se si alguien puede pero estaría bueno que puedan subir los packs de actualización. para R16 en la resolucion 1024*600
por ejemplo estos son los Nombres de los archivos que hacen falta...
tambien especificar el android si es 4.4 o 5.1 o 6.0
bd07a5ee-fbb0-11e4-ae78-000c29ba27c0
90436790-1e25-11e5-9b35-000c29ba27c0
91973a18-1e25-11e5-b937-000c29ba27c0
92e82e86-1e25-11e5-bffa-000c29ba27c0

khalwd said:
could you please upload this rom for us
thanks man
Click to expand...
Click to collapse
Hi,
(my first post):laugh:
I would also like to have a copy of this ROM.
I have the same Droid report.
Being someone that cant leave things alone i have somehow corrupted my unit.
I rooted with Kingoroot and all worked well. Uploaded a recovery to the cloud, all good.
Decided to down load back to the unit. Wife moves car and interrupts download.
Now when i boot up all i get is the car logo and the android screen, this is where it stops.
Tried installing various updates, They seem to install. Progress bar for abut 5 min shows update end
then boots to the car logo Android screen and stops.
Cheers

Hi,
pirulazul said:
Hi, I recently bought one of these for a Ford Mondeo and I somehow have figured about using keypress events.
The problem doesn't lie in the unit itself, but the damn apps it has.
I have been two entire days staring at Extreme Logcat screen and button event but no go, but, suddently, key event started registering next, prev and play/pause.
GREAT, I thought, and I started configuring Xposed Additions to start some audio visualizers in some buttons but when I started the music app, it stopped registering the events. It closed that app and those events where working again. Tried powerAmp and everything works like a charm. Menu and back keystrokes can also be mapped while the on-screen button still do the default action, so:
Click to expand...
Click to collapse
Thank you for the report. I tried the same (stop all system apps) but even so KeyTest does not register any event. This was done for the panel buttons since I do not have yet any SWC (the unit is on the bench), which may or may not be the cause of my failure.
pirulazul said:
- It seems like the built-in apps capture those events and prevent anyone (tasker, Xposed Additions) to use them.
- MP3 and video player can be replaced pretty easyly but radio and specially bluetooth manager (Which has a whooping 12 keys that can be customized (0-9, # and *)) cannot be replaced.
Click to expand...
Click to collapse
Have you found any way to replace the default association for these apps? By default the "Mode" action cycles through the default apps, did you find any way to convince this action to cycle through some other (custom) rotation?
pirulazul said:
- Decompiling the app, and disabling those captures could be the solution to use all those keystrokes OR finding some way to block those apps from capturing those events.
Click to expand...
Click to collapse
I'll try to look into this, but at this time I cannot promise any timeline.
Cheers!

would one of my units be similar to yours?
i received a newer firmware from the chinese (build 29.12) as a ZIP which contains the 4 files as above, but i can't update it since i get a signature error (seen below). In the meantime i managed to **** up the screen by accidentally switching to 800x480 and now i can't see anything useful on the display...

zerozoneice said:
would one of my units be similar to yours?
Click to expand...
Click to collapse
Looks pretty much the same as mine (with a slightly newer firmware though).
zerozoneice said:
i received a newer firmware from the chinese (build 29.12) as a ZIP which contains the 4 files as above, but i can't update it since i get a signature error (seen below). In the meantime i managed to **** up the screen by accidentally switching to 800x480 and now i can't see anything useful on the display...
Click to expand...
Click to collapse
Most (all?) Chinese vendors know absolutely nothing about the units they sell so it is quite possible to have the wrong firmware. This, or the file got corrupted during transfer somehow. Have you tried my firmware blob or the others that float around? The probability that it will work look decent and what have you gotta loose?
You can also try to restore the resolution by trial and error (touching the screen where things should be). A couple of success stories have been posted in this thread though the process looks painful...

there are couple of FWs around, i saw them on 4PDA as well. The latest is february, something. The problem is that the ZIP file has the 4 files you listed above, instead of an IMG file. Shouldn't IMG be the default ROM update? I mean even PowerSuit recognizes only IMGs, that is if i manage to connect to the damn box somehow.
I tried TV out, hoping the signal is ****ed only from the mainboard to the screen and it would manage to display it on another external screen, but....there is no TV out. Didn't work with the cables provided.
Trial & error...i would need to see another menu next to me in order to see where the hell i'm pressing on my screen
Resolution change is the first menu, but is hidden in the extra settings, behind a password which i'd also need to enter....blindly.
Did you manage to install any of the 4PDA firmwares properly on yours? Try the December 29th one, this is the one that Infidini sent me....
LE: LOL, i just read the following passage from the thread you posted above:
"What is the Extra Settings password?
Resolved: 123456
Note: Do NOT change the resolution of the head unit. You will destroy your unit. However it is reversible."
Post 807: another quickfinger like me, changed the res. the other way around, from 800 to 1200, but he still sees something....
https://forum.xda-developers.com/showpost.php?p=70762889&postcount=807
Post 747: same problem as me.
https://forum.xda-developers.com/showpost.php?p=70047172&postcount=747
How can i flash this damn unit? How can we connect to it?
@sbruda: i have an idea. Can you please post screenshots of the menu, from the main menu screen all the way to the extra settings, where u enter the password and then the "change resolution" menu option? It can help me to figure my fingers around the screen blindly... THX!
---------- Post added at 04:43 PM ---------- Previous post was at 04:15 PM ----------
HERE is the link to the FW that infidini support provided me.

zerozoneice said:
there are couple of FWs around, i saw them on 4PDA as well. The latest is february, something. The problem is that the ZIP file has the 4 files you listed above, instead of an IMG file. Shouldn't IMG be the default ROM update? I mean even PowerSuit recognizes only IMGs, that is if i manage to connect to the damn box somehow.
Click to expand...
Click to collapse
I believe that the four files can be used directly to upgrade, at least this is what people have reported (I have never tried to upgrade myself). This also makes sense given that a restore to factory from the (Android) menu will presumably use the partition with those files.
zerozoneice said:
I tried TV out, hoping the signal is ****ed only from the mainboard to the screen and it would manage to display it on another external screen, but....there is no TV out. Didn't work with the cables provided.
Click to expand...
Click to collapse
It would appear that TV out only works for the DVD.
zerozoneice said:
Did you manage to install any of the 4PDA firmwares properly on yours? Try the December 29th one, this is the one that Infidini sent me....
Click to expand...
Click to collapse
No, I meant to but I am really pressed for time nowadays so I have no idea when will I get to it.
zerozoneice said:
@sbruda: i have an idea. Can you please post screenshots of the menu, from the main menu screen all the way to the extra settings, where u enter the password and then the "change resolution" menu option? It can help me to figure my fingers around the screen blindly...
Click to expand...
Click to collapse
Here they are. Sorry for the crappy photos but I have no idea how to take screenshots on this unit (please advise):
1-main.jpg - main screen
2-notif.jpg - notifications pulled down (two times)
3-settings-scrolled.jpg - the settings app scrolled all the way down
4-car-settings-scrolled.jpg - the Car settings screen scrolled all the way down
5-settings-pass.jpg - the password entry box and keyboard (I would advise the use of a USB keyboard instead though)
6-extra-settings.jpg - the Extra setting screen
7-resolution.jpg - the resolution dialogue
I hope this helps. If somebody can advise on how to take screenshots I will come back with better quality photos.

sbruda said:
1-main.jpg - main screen
2-notif.jpg - notifications pulled down (two times)
3-settings-scrolled.jpg - the settings app scrolled all the way down
4-car-settings-scrolled.jpg - the Car settings screen scrolled all the way down
5-settings-pass.jpg - the password entry box and keyboard (I would advise the use of a USB keyboard instead though)
6-extra-settings.jpg - the Extra setting screen
7-resolution.jpg - the resolution dialogue
I hope this helps. If somebody can advise on how to take screenshots I will come back with better quality photos.
Click to expand...
Click to collapse
thx, they're good enough. using phone is fine. afaik password for that extras in my case is 123456 and restore to factory settings 7890
i will try tomorrow.
---------- Post added at 07:32 PM ---------- Previous post was at 07:01 PM ----------
How do you power on the thing when not connected in the car???

Eonon GA2175

Hello everyone.
For my first post here I'd like to share and learn more about rooting the EONON GA2175. This Android HU currently operating with Oreo on a RK3326_mid chipset. So after an exhaustive search, there is not much information available in rooting this system. It seems that's this HU seems to be almost completely locked down. For starters, I wasn't able to even access developer mode through the build number as usual. I was finally able to get through by installing a developer access app called "Developer Options Shortcut & Device Info" on the app store.
Using one click apps like Kingo Root, Root Master or Towel Root are completely ineffective. As a matter of fact, Root Master says my "phone is too strong"
I tried connecting the unit to a laptop by using a male to male USB cable. But both my laptop of the HU do not recognize each other. Maybe some drivers may help but none are available.
I've watched you tube videos that demonstrating other people rooting similar units by accessing the safe boot option then loading TWRP on a SD card. I believe this is the only way to root these units. However, for this unit I am unable to access safe mode. I've discovered that holding the "Vol/PWR" knob for approximately 10 sec will cause it to start blinking but combinations with the "RST" button, home or quick pressing the "PWR" doesn't work. That's as far as I got.
I hope this helps anyone with the same unit but any help with my roadblock will be greatly appreciated.
Thanx!

UPDATE
So I finally managed to get to recovery mode on this device.
1. With a tooth pick, quick press the "RST" button.
2. Long press the "PWR/VOL" knob for approximately 10secs until the lights blink.
3. Then immediately quick press the "PWR/VOL"
You may need to do it more than once but it'll work.
Well.... now what TWRP version should I use?
I didn't see my HU listed.
Or should I use a different program?

did you end up getting something to work?
Mark

Not yet.
I did manage to find some unit specifics. I'll post them shortly. Maybe some coder can do something with that info. Where I run into a roadblock is that I cannot find a suitable ROM and MCU.

If this help to figure things out.
BOARD : rk30sdk
SERIAL : 77A6117127A8F7B2
eng.hct.20181229.163118
eng.hct.20181229.163118
DEVICE: rk3326_mid
HOST : r930
MODEL : rk3326_mid
RELEASE : 8.1.0
MANUFACTURER: rockchip
USER : hct
BUILD NUMBER: PX30 8.1.0 OPM8.181105.002 eng.hct.20181229.163118
CPU_ABI: arm64-v8a ; Quad-Core [email protected]
MEMORY: 1960MB
BRAND : rockchip
SDK_INT: 27
DISPLAY : rk3326_mid-userdebug 8.1.0 OPM8.181105.002 eng.hct.20181229.163118 test-keys
FINGERPRINT: rockchip/rk3326_mid/rk3326_mid:8.1.0/OPM8.181105.002/hct12291631:userdebug/test-keys
HARDWARE: rk30board
PRODUCT : rk3326_mid
BOOTLOADER : unknown
REL: REL
ID: OPM8.181105.002
UNKNOWN: unknown
TYPE : userdebug
TAGS : test-keys
MCU VERSION: MTCE_HT_V2.99_1
November 18, 2018 19:03:43

Root Path info
Root Access:
No Access
SU:
su found
UID/GID:
uid=10105(u0_a105) gid=10105(u0_a105) groups=10105(u0_a105),3003(inet),9997(everybody),20105(u0_a105_cache),50105(all_a105) context=u:r:untrusted_app:s0:c512,c768
Utils:
busybox
toybox
toolbox
Path:
/sbin
/system/sbin
/system/bin
/system/xbin
/vendor/bin
/vendor/xbin
Path:
[/system/xbin/su]
Version:
/system/bin/sh: <stdin>[16]: /system/xbin/su: can't execute: Permission denied
Permissions:
rwsr-x---
Owner:
root:shell
SELinux:
Permissive
Path:
[/system/bin/busybox]
Permissions:
rwxr-xr-x
Owner:
root:shell

Get any further with this, wouldn't mind a custom ROM for mine although i'm pretty happy how it works now.

Actually yes!! Type "ADBON" in factory setting password to access developer options. It works. Thanks Ric69!