Accessing uart on Galaxy Nexus i9250 - Hardware Hacking General

I'm going to do some low-level software development on the Samsung Galaxy Nexus (replacing the kernel with a custom one doing things that are not Android-related). To do so I'll need access to the UART output of the bootloaders and Linux.
I'm looking for information on how to connect to the i9250's UART serial port and possibly other things.
Currently the best I've found is The all-in-one Galaxy S2 Hack Pack (http://forum.xda-developers.com/showthread.php?t=1316501), but obviously this is not entirely what I'm looking for. The i9250 service manual may be of some help too. If anyone has any information regarding this matter, please post.

dpc.ucore.info said:
I'm looking for information on how to connect to the i9250's UART serial port and possibly other things.
To get access to your kernel's and bootloader's logs through UART you need a UART jack (don't know this word in English, I guess 'jack') on your board, in your case the i9250's.
If the board's developers didn't add that jack to the PCB design, your attempts to view logs will be unsuccessful.
If you find the UART pins of your SoC, connect them to a UART-USB converter and plug it into your PC.
In the bootloader sources you will find which UART port the debug messages go to, if your SoC has more than one controller.
In the Linux kernel's case you can assign the debug port through the startup string, like bootargs in U-Boot, or through menuconfig.
But all this depends on whether you have UART pins on the board or not.

dpc.ucore.info said:
I'm looking for information on how to connect to the i9250's UART serial port and possibly other things.
First you have to tell us what hardware you have! Find some links to "tear-aparts / tear-downs" etc. Also make sure that what you find corresponds to your device. Samsung goes wild when it comes to making (incompatible) product variations. When we know the hardware we can start to find out the rest... In your case the most important thing is to find out about the application processor (AP), baseband processor (BP) and the micro-USB mux.

It's the Galaxy Nexus GSM/HSPA version. It has an OMAP4460, the processor found on the PandaBoard.

This device should have an external UART.
Have you tried 619Kohm on the USB port yet? Most Samsung devices, including this one, have an FSA chip. This is the first way to tell if UART is properly connected.
If it is, then you can probe deeper to find the internal UART, which will show more. The internal UART connection will show UART output before the FSA chip is initialized, giving you even more to work with.
It's likely that, because this is an OMAP chip, it has the following characteristics:
192600 or 115200 bps
8 bits per word
1 stop bit
No parity
No flow control
1.8V high, Open drain
I'm not sure if the FSA chip will increase that level to 3V or not.

To briefly clarify (and confirm) what Adam says.
There is already built-in UART-USB functionality controlled by the FSA (MUX). Thus you can just connect an external microUSB connector with appropriate resistor values to get a serial connection. (Just google "I9x00 USB JIG".) But if you decide to use the internal UART pins on the PCB, then you get earlier access to everything and you can start reading already at the IBL (Initial Boot Loader) stage, which is the absolute first characters coming out of the phone after a reboot.

I can confirm the 619Kohm trick works on Galaxy Nexus. I used a 3.3V USB/UART breakout card. Serial output:
[sbl_board_charger_init_post] : Succeed set model data : 0x78!!!!!
====== VCELL : 368500, SOC : 23, nType : 4 ======
[Charger] nScaledVCELL : 368500000, nDesriedSOC, : 23, nMaxSOC : 43, nMinSOC : 3
[ omap_power_get_reset_source :47] PRM_RSTST : 0x1
[ __omap_usbacc_test_donwload_by_musb :280] nDeviceType : 0x4
[ omap_usbacc_get_reboot_reason :333] nJigStatus = 0x00000001
[ __sbl_board_hw_init_late :719] final reboot mode in cable = 0x20000
[ __sbl_board_hw_init_late :730] Wake up by TA / USB / JIG
* FB base addr = 0xbea70000!
* PANEL_S6E8AA0_ID_READ : 0x12, 0x8e, 0x9f.
[ omap_power_get_reset_source :47] PRM_RSTST : 0x1
message.command =
message.status =
message.recovery =
Starting kernel at 0x81808000...
<hit enter twice to activate fiq debugger>
AST_POWERON

This is what comes prior to the above, in case anyone is interested.
-- OMAP 00004460 (version 04460e11) PPA release 1.6.1 Hash 30639809--
Device type: HS, DEBUG OFF
CPFROM HAL API support integrated
THERMAL support integrated: Run Time + Boot time
HDCP support integrated
-- PROD PPA RC3.2.3 --
Reset reason = 00037ba2
PRM_RSTST = 00000002
PPA freed 2992 bytes
Texas Instruments X-Loader 1.41 (Nov 16 2011 - 16:28:45)
Starting OS Bootloader from MMC/SD1 ...
EXCEPTION : CM_CLKMODE_DPLL_ABE = 0x7
EXCEPTION : CM_IDLEST_DPLL_ABE = 0x1
EXCEPTION : CM_CLKSEL_DPLL_ABE = 0x804018
EXCEPTION : CM_CLKMODE_DPLL_CORE = 0xf
EXCEPTION : CM_IDLEST_DPLL_CORE = 0x1
EXCEPTION : CM_CLKSEL_DPLL_CORE = 0x7d05
EXCEPTION : CM_CLKMODE_DPLL_PER = 0x107
EXCEPTION : CM_IDLEST_DPLL_PER = 0x1
EXCEPTION : CM_CLKSEL_DPLL_PER = 0x1400
EXCEPTION : CM_CLKMODE_DPLL_MPU = 0x117
EXCEPTION : CM_IDLEST_DPLL_MPU = 0x1
EXCEPTION : CM_CLKSEL_DPLL_MPU = 0x807d07
CFG_LOADADDR = 0xa0208000
1st instruct = 0xEA000007
[ __omap_twl6030_init_vbat_cfg :49] SA_PHOENIX_START_CONDITION = 0x8
[ __omap_twl6030_init_vbat_cfg :54] SA_PH_CFG_VBATLOWV = 0x80
[ __omap_twl6030_init_vbat_cfg :63] SA_PH_CFG_VBATLOWV = 0x80
[ __omap_twl6030_init_vbat_cfg :86] SA_BBSPOR_CFG = 0x78
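As an added example that is not part of the thread, here is a small parser for the kind of PPA / X-Loader / SBL lines quoted above, run on a constructed sample: it drops the pre-sync garbage the UART emits before the receiver locks, tracks which boot stage a line came from, pulls out the hex fields (PRM_RSTST, nJigStatus, reboot mode, kernel load address) and reads the "Device type" line, where HS is the OMAP high-security (fused, signature-checked boot) part as opposed to a GP part.

```python
import re

# Constructed sample in the shape of the PPA / X-Loader / SBL output quoted in
# the thread; the leading U+FFFD run mimics the garbage seen before the UART
# is in sync. Not a capture from any real device.
SAMPLE_LOG = """\
-- OMAP 00004460 (version 04460e11) PPA release 1.6.1 Hash 30639809--
Device type: HS, DEBUG OFF
Reset reason = 00037ba2
PRM_RSTST = 00000002
Texas Instruments X-Loader 1.41 (Nov 16 2011 - 16:28:45)
Starting OS Bootloader from MMC/SD1 ...
\ufffd\ufffd\ufffd[sbl_board_charger_init_post] : Succeed set model data : 0x78!!!!!
[ omap_power_get_reset_source :47] PRM_RSTST : 0x1
[ omap_usbacc_get_reboot_reason :333] nJigStatus = 0x00000001
[ __sbl_board_hw_init_late :719] final reboot mode in cable = 0x20000
[ __sbl_board_hw_init_late :730] Wake up by TA / USB / JIG
Starting kernel at 0x81808000...
"""

# "[ func :srcline] rest" as printed by the SBL; the source line is optional.
FUNC_RE = re.compile(r"^\[\s*(?P<func>\w+)\s*(?::(?P<src>\d+))?\s*\]\s*:?\s*(?P<rest>.*)$")
# "NAME : 0xHEX" / "NAME = HEX" fields; the PPA prints hex without a 0x prefix.
KV_RE = re.compile(r"^(?P<key>[\w ]+?)\s*[:=]\s*(?:0x)?(?P<val>[0-9A-Fa-f]+)\s*$")
DEVTYPE_RE = re.compile(r"^Device type:\s*(?P<type>\w+),\s*DEBUG\s+(?P<dbg>ON|OFF)")
KERNEL_RE = re.compile(r"^Starting kernel at 0x(?P<addr>[0-9A-Fa-f]+)")


def parse_log(text):
    """Split a boot capture into per-stage hex fields plus SBL function events."""
    stage = "ppa"                      # everything before the X-Loader banner
    values = {"ppa": {}, "xloader": {}, "sbl": {}}
    events = []                        # (function, source line or None, text)
    info = {"device_type": None, "debug_enabled": None, "kernel_addr": None}
    for raw in text.splitlines():
        line = raw.lstrip("\ufffd")    # pre-sync garbage decoded as U+FFFD
        line = "".join(ch for ch in line if ch.isprintable()).strip()
        if not line:
            continue
        if "X-Loader" in line:
            stage = "xloader"
        m = DEVTYPE_RE.match(line)
        if m:
            info["device_type"] = m["type"]
            info["debug_enabled"] = m["dbg"] == "ON"
            continue
        m = KERNEL_RE.match(line)
        if m:
            info["kernel_addr"] = int(m["addr"], 16)
            continue
        m = FUNC_RE.match(line)
        if m:                          # first bracketed line means the SBL is up
            stage = "sbl"
            events.append((m["func"], int(m["src"]) if m["src"] else None, m["rest"]))
            line = m["rest"]
        m = KV_RE.match(line)
        if m:
            values[stage][m["key"].strip()] = int(m["val"], 16)
    return {"values": values, "events": events, **info}


def summarize(text):
    """The few facts a person reading the capture usually wants first."""
    p = parse_log(text)
    sbl = p["values"]["sbl"]
    return {
        "device_type": p["device_type"],          # HS = fused, secure-boot OMAP part
        "debug_enabled": p["debug_enabled"],      # the "DEBUG OFF" flag from the PPA
        "jig_detected": sbl.get("nJigStatus") == 1,
        "reboot_mode": sbl.get("final reboot mode in cable"),
        "reset_source": {s: v["PRM_RSTST"] for s, v in p["values"].items() if "PRM_RSTST" in v},
        "kernel_addr": p["kernel_addr"],
    }
```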

Now, could we have the English translation (of all that above) please?
[And if debug is OFF, how can we turn it ON?]
I seem to be able to count 4 bootloaders there; how many damn boot loaders are there!?

USB - UART 619Kohm cable
Would anyone build a custom 619Kohm mini-USB to UART cable and ship it in the U.S. or India? We need it.
Is there any supplier of this in the U.S.?
Thanks,
Bahadir

I've attached a circuit diagram. You will need to modify your cable. You will need a UART device like the FTDI Friend or Bus Pirate. I specified the communications settings above.
Here are the cable modifications and where to hook up on the MicroUSB port.
Power is disconnected
Data- and Data+ are your signal lines.
Pin X (aka Pin4) is connected to ground via 619Kohm resistor
Ground is used as a reference.
Just tear up a MicroUSB cable and modify it as above.

I managed to get the UART cable done and also some output from it. Now my question is: has anyone managed to get the kernel boot log out of the UART as well? Atm I get only the bootloader output:
Code:
[sbl_board_charger_init_post] : Succeed set model data : 0x78!!!!!
====== VCELL : 380250, SOC : 57, nType : 4 ======
[Charger] nScaledVCELL : 380250000, nDesriedSOC, : 60, nMaxSOC : 80, nMinSOC : 40
[ omap_power_get_reset_source :47] PRM_RSTST : 0x1
[ __omap_usbacc_test_donwload_by_musb :280] nDeviceType : 0x4
[ omap_usbacc_get_reboot_reason :333] nJigStatus = 0x00000001
[ __sbl_board_hw_init_late :719] final reboot mode in cable = 0x20000
[ __sbl_board_hw_init_late :730] Wake up by TA / USB / JIG
* FB base addr = 0xbea70000!
* PANEL_S6E8AA0_ID_READ : 0x12, 0x8e, 0x9d.
[ omap_power_get_reset_source :47] PRM_RSTST : 0x1
message.command =
message.status =
message.recovery =
Starting kernel at 0x81808000...
So does anyone know what kernel configs and cmdline I need in order to get the kernel messages out from the UART?
Thanks in advance.

Where are the actual resistor values determined? I know it has something to do with the USB MUX, but are the actual values determined by code or by hardware? Or is the Nexus MUX different? I'm wondering because according to this thread (for the GT-I9100) the resistor value should be R = 523K.
iamsage2 said:
So does anyone know what kernel configs and cmdline I need in order to get the kernel messages out from the UART?
Check the link above...
...and let us know how it goes.
[EDIT] I've just answered my own questions, plus a resistor reference table over here.

I managed to get the kernel output out with the 619K resistor. Just had to enable some kernel options for FIQ_DEBUGGER:
Code:
CONFIG_FIQ_DEBUGGER=y
CONFIG_FIQ_DEBUGGER_NO_SLEEP=y
# CONFIG_FIQ_DEBUGGER_WAKEUP_IRQ_ALWAYS_ON is not set
CONFIG_FIQ_DEBUGGER_CONSOLE=y
CONFIG_FIQ_DEBUGGER_CONSOLE_DEFAULT_ENABLE=y
And have console=ttyFIQ0 on the cmdline. Thanks for the nice thread.

Hey guys... I just got a Galaxy Nexus. I'm going to be doing some work. I used UART for the first time last night.
This works differently than standard UART with SBL or U-Boot. How do you access the command line parameters for the kernel, or do you need to take a kernel, un-boot.img it and then add new parameters?

AdamOutler said:
...How do you access the command line parameters for the kernel, or do you need to take a kernel, un-boot.img it and then add new parameters?
Probably you don't remember this and this. But basically you can use the sblParam tool to look at and set your command line on the fly. (Do a backup and check that the output of that program is the same, as it was originally developed for a different phone.) You can check with:
# hexdump -C /mnt/.lfs/param.blk
BTW, do you know what the voltage levels are for Tx/Rx (D+/D-) when using the various resistor values for USB/UART?
In particular the values:
150K UART Cable
255K Factory Mode Boot OFF-USB
301K Factory Mode Boot ON-USB
523K Factory Mode Boot OFF-UART
619K Factory Mode Boot ON-UART
I'd also like to know if the voltages change when switching USB/UART mode using:
a) The PhoneUtil menu: *#7284#
b) The ServiceMode menu : *#197328640#
Code:
==> MAIN MENU --> COMMON --> DIAG CONFIG
[1] LOG VIA USB *
[2] LOG VIA UART
Why?
1) It may be possible that there are already level shifters built into the MUX, and thus we may no longer need to build level-shifter UART cables.
(Your PC should automatically recognize a new serial device, using one of the ~7 drivers included in the Samsung CDC, when connecting/disconnecting via USB and using some (?) of the resistors above.)
2) I have the FTDI FT232R-3V3 cable and need to check if it's TTL 5V or CMOS 3.3V levels on the output.
This is all hypothetical, so it may be that I'm on a wild goose chase... But I'm still waiting for my μUSB breakout connector and cable... and then found out I may have the wrong levels for my cable.

Thanks.
It's supposed to be 3V3. 5V works fine thanks to the FSA chip.

Those menus don't exist on my stock device.

AdamOutler said:
Those menus don't exist on my stock device.
Really!? I don't believe it. They must have changed the code(s) to something else. Sometimes you also need to write the "*#" parts twice before or after the number, for reasons unknown, but probably some lame attempts to further hide these menus from curious users. Did you try *#0011#? (Or any other of the hundreds of "hidden" function codes?) No worry, we can find them by looking in the baseband or the available Apps on the phone...
[EDIT] Ah, I just remembered, the various codes are pointers to the various sub-menus in the servicemode app, so if they have updated this app, which they surely have if you're on ICS and Nexus, the sub-entry codes have likely changed as well. (Remember that this app is just a wrapper for the real/native code running on the BP, which is different for different platforms (phones).) However, most main entry codes should always be the same, like 0011 and 06, etc.
Also try:
Code:
# find / -iname "*service*"
If indeed none of these menus are available, they must have done some interesting kernel mods to extend the auto-detection and for tweaking functionality elsewhere. You're on ICS 404, right?

E:V:A said:
Really!? I don't believe it. They must have changed the code(s) to something else. Sometimes you also need to write the "*#" parts twice before or after the number, for reasons unknown, but probably some lame attempts to further hide these menus from curious users. Did you try *#0011#? (Or any other of the hundreds of "hidden" function codes?) No worry, we can find them by looking in the baseband or the available Apps on the phone...
[EDIT] Ah, I just remembered, the various codes are pointers to the various sub-menus in the servicemode app, so if they have updated this app, which they surely have if you're on ICS and Nexus, the sub-entry codes have likely changed as well. (Remember that this app is just a wrapper for the real/native code running on the BP, which is different for different platforms (phones).) However, most main entry codes should always be the same, like 0011 and 06, etc.
Also try:
Code:
# find / -iname "*service*"
If indeed none of these menus are available, they must have done some interesting kernel mods to extend the auto-detection and for tweaking functionality elsewhere. You're on ICS 404, right?
I don't have find or hexdump yet. I have decided that any modifications I do to this device will be CASUAL implementations. I am running stock 4.0.2 ICL53F.i9250XWKL2.
I believe there is a root exploit out there I can port into CASUAL. It's a matter of getting time to do it.

Related

Multi Touch ? Mod Edit: Use this thread for the purpose.

Let's say I root my phone and install one of those 2.2 or 2.3 roms ,would I have multi touch ?
Sorry for the noob question ,but I just couldn't find the answer.
Couldn't find an answer? There are at least 5 threads about it... some say no, some say yes... I think no.
removed...
You can NOT get MT lol. Unless you crack the bootloader.
Haha, I love all these threads about MT. It's impossible guys; the day someone cracks that bootloader... I don't think I'm going to live that long.
kakawo said:
Haha, I love all these threads about MT. It's impossible guys; the day someone cracks that bootloader... I don't think I'm going to live that long.
Sorry for my English. I used Google Translate.
You can do the multitouch driver as a module. This kernel module unloads the old driver from memory and loads a new one. One person did it for an ebook reader.
Can somebody help to make it for our phone?
Links to the web are in a text file.
andrej456 said:
Sorry for my English. I used Google Translate.
You can do the multitouch driver as a module. This kernel module unloads the old driver from memory and loads a new one. One person did it for an ebook reader.
Can somebody help to make it for our phone?
Links to the web are in a text file.
Did anyone try this? My X8 is not rooted yet.
This is done for another device. It needs to be done for the Xperia X8.
Need someone who knows the C programming language well.
Yep, it has been said that this is for the devices with the 1.5 firmware and it's not working on X8.
Sully.E said:
Yep, it has been said that this is for the devices with the 1.5 firmware and it's not working on X8.
Sorry for my English. I used Google Translate.
You can compile the kernel and modules according to this guide:
http://forum.xda-developers.com/showthread.php?t=977146
only after "make clean" you need to do "make semc_shakira_defconfig",
then "make menuconfig" and "make" or "make modules".
The config file is located in kernel/arch/arm/configs/semc_shakira_defconfig
and the driver is in kernel/drivers/input/touchscreen/
synaptics_i2c_rmi.c or synaptics_i2c_rmi4.c
It needs to be changed: add a function to unload the old driver
http://translate.google.com/transla...rver.net/2010/11/blog-post.html&client=ubuntu
and change the driver for multitouch, as the man on the G1 did
http://lukehutch.wordpress.com/android-stuff/
Compile the kernel and modules,
copy the module to your phone in /system/lib/modules/,
then load the module with the "insmod" command in the console
http://linux.about.com/od/commands/l/blcmdl8_insmod.htm
It only needs someone who knows the C programming language well to make it for our phone.
I've added an example of the drivers from the G1.
@andrej456:
It's not clear: do we have to make ONLY a kernel module in /system, or do we have to replace the driver in the kernel itself too?
blagus said:
@andrej456:
It's not clear: do we have to make ONLY a kernel module in /system, or do we have to replace the driver in the kernel itself too?
We must replace the driver in the kernel.
The driver is loaded into memory at boot.
Here is the text of "dmesg":
Code:
<6>[ 2.194121] msm72k_udc: reset controller
<6>[ 2.198791] synaptics_load_rmi4_func_regs: Func:f11_2D Query_Base:0x80 Cmd_Base:0x5f Ctrl_Base:0x26 Data_Base:0x18
<6>[ 2.208818] synaptics_load_rmi4_func_regs: Func:f08_BIST Query_Base:0x7e Cmd_Base:0x5e Ctrl_Base:0x20 Data_Base:0x15
<6>[ 2.219328] synaptics_load_rmi4_func_regs: Func:f01_RMI Query_Base:0x69 Cmd_Base:0x5d Ctrl_Base:0x1e Data_Base:0x13
<6>[ 2.230314] usb: notify offline
<6>[ 2.235506] msm72k_udc: suspend
<6>[ 2.331561] synaptics_ts_probe: nbr_panels:1 nbr_fingers:1 data_size:5
<6>[ 2.332454] synaptics_ts_probe: fw_rev:2 max_x:1689 max_y:2534
<6>[ 2.338291] synaptics_ts_probe: max_x 1689, max_y 2534
<6>[ 2.343406] synaptics_ts_probe: inactive_x 0 0, inactive_y 0 0
<6>[ 2.349209] synaptics_ts_probe: snap_x 0-0 0-0, snap_y 0-0 0-0
<6>[ 2.355471] input: synaptics-rmi-touchscreen as /devices/virtual/input/input0
<6>[ 2.362759] synaptics_ts_probe: Start touchscreen synaptics-rmi-touchscreen in interrupt mode
<3>[ 2.370899] cyttsp_init: Failed to request GPIO 112
<3>[ 2.375508] cyttsp_core_init: platform init failed!
<4>[ 2.380506] cyttsp-i2c: probe of 0-0024 failed with error -12
<6>[ 2.386329] cyttsp_i2c_init: Cypress TrueTouch® Standard Product I2C Touchscreen Driver (Built Jan 18 2011 @ 23:43:30) returned 0
<6>[ 2.398618] SEMC GPIO Matrix Keypad Driver: Start keypad matrix for shakira_keypad in interrupt mode
<6>[ 2.407599] input: shakira_keypad as /devices/virtual/input/input1
<6>[ 2.413983] msm72k_udc: reset
<6>[ 2.416269] msm72k_udc: portchange USB_SPEED_HIGH
When our driver is loaded, the old driver needs to be unloaded from memory.
We need to initialize the new driver, find the old driver and unload it from memory.
Roughly like so.
Find the old driver:
Code:
/* Look up the already-registered Synaptics driver on the I2C bus by its name. */
struct device_driver *other;
other = driver_find(SYNAPTICS_I2C_RMI_NAME, &i2c_bus_type);
if (other) {
	printk("Previous driver found: %s\n", other->name);
	return -ENOMEM;
}
Unload the old driver from memory:
Code:
struct i2c_driver *otherDriver;
struct device_driver *other;
other = driver_find(SYNAPTICS_I2C_RMI_NAME, &i2c_bus_type);
if (other) {
	/* Recover the enclosing i2c_driver and unregister it, which unbinds its devices. */
	otherDriver = to_i2c_driver(other);
	/* %p instead of casting pointers to int, which truncates them on 64-bit builds. */
	printk(KERN_ERR "Previous driver found: %s, addr %p, owner %p\n",
	       other->name, otherDriver, other->owner);
	i2c_del_driver(otherDriver);
}
I found the source code of the ebook driver.
I found it here:
xttp://nookdevs.com/Talk:Multitouch
xttp://runserver.net/temp/synaptics_i2c_rmi.c
It does not work for our phone. I will use it as an example.
But there is still the problem of accessing the kernel and replacing the driver... I'll see what I can do, although
manutdsnake said:
You can NOT get MT lol. Unless you crack the bootloader.
I think the bootloader is cracked; check bin4ry's flasher, modify the kernel.sin with multitouch drivers, then flash it (with bin4ry's flasher) and there you go.
Not yet =S
But let's pray for the developers =D
bogdan_mihai554 said:
I think the bootloader is cracked; check bin4ry's flasher, modify the kernel.sin with multitouch drivers, then flash it (with bin4ry's flasher) and there you go.
NO, it's NOT, it's the kernel from the OFFICIAL Japanese update...
mukambc said:
Not yet =S
But let's pray for the developers =D
Yeah, but can't the kernel (.sin file) be modded and then flashed?? (I once flashed an X10 kernel on the X8... it won't boot but hey, it flashed.) Now I've got Gingerbread on my X8 :>:> and I'm waiting for an M.T kernel... So, if the bootloader's not cracked, how is it that you can flash kernels with Bin4ry's flasher?? So, just mod the .sin file (put the MT driver in) and you're done ^_^
Is the Synaptics T1021A hardware capable of multitouch? It would be great if somebody would add this function for us, thanx.
Really interested in all about MT.
Should this be stickied? So we can persuade the developers to do this...

MotoUSB reverse tether w/ linux success

I have successfully used reverse USB tethering on a flipout. This method should be portable to other devices running the motorola android multi-device driver with usb0.
If you are comparing to any Windows drivers, say the one installed from the driver installer MSI when connecting a flipout and maybe other devices in 'portal' mode, the (Windows) driver will be motousbnet. On Linux, the driver is cdc_subset. However, this driver does not know how to bind to the Motorola
1. Figure out the usb vendor id, product id, and interface class, interface subclass, and interface protocol of the networking interface. On the flipout, this is named the 'motorola networking interface'. On my device, it has these ids: 0x22b8, 0x41da, 0x02, 0x0a, 0x01. You can find these ids via exploring /sys/bus/usb on a linux system, or with the lsusb utility.
2. patch your cdc_subset driver to support the USB id and interface of the above device. You will need to inspect via lsusb or sysfs to setup a 'product' and 'driver info' structure in cdc_subset.c to select the correct interface and endpoints. The pertinent parts of my cdc_subset.c are as follows:
Code:
/* add to the products[] table: */
{
	// Moto flipout usb
	USB_DEVICE_AND_INTERFACE_INFO(0x22b8, 0x41da, 0x02, 0x0a, 0x01),
	.driver_info = (unsigned long) &motousb_info,
},

/* add near the other driver_info definitions (above products[], so the name is declared first): */
static const struct driver_info motousb_info = {
	.description = "Motorola USB endpoint",
	.check_connect = always_connected,
	.in = 0x84, .out = 0x03,
};
3. Doing such a mod and compiling yourself a new cdc_subset.ko, and installing that, will yield a USB driver that can talk to usb0 on your flipout. At this point, you just have to configure networking. I set up proxyarp on my LAN and usb0 interfaces, and set up some manual addresses and routes. Other options could be to add usb0 to a bridge, or do routing and DHCP, or routing + NAT + DHCP. You'll probably need to netcfg rmnet0 down and setprop net.dns1 and net.rmnet0.dns1 to your IPs manually. Make sure you save your old DNS. I'm not sure if that gets restored from the carrier when you turn rmnet back on.
4. after all that, you should be online.
5. EDIT: all compiling and module installation steps noted above happen on the host PC, if that wasn't clear.
Work to follow:
use SL4A to automate usb0 bringup
interface with APNDroid to soft-down the 3G instead of nuking it the hard way. Killing the radio process will get you back online, but that's effectively the same as resetting the baseband, so you'll need to re-unlock your SIM etc.
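As an added example that is not part of the thread (and not the cdc_subset code itself), the Python below reads the values step 1 asks for out of a sysfs-style tree and renders the products[] entry and .in/.out pair for step 2. The attribute names are the real ones under /sys/bus/usb/devices; the tree is constructed inline to mimic the 22b8:41da device with the endpoint layout sdxmob reported lower in the thread. It keeps only Bulk endpoints, because usbnet turns driver_info .in/.out into bulk pipes, so an interrupt OUT endpoint is never the right choice there.

```python
import tempfile
from pathlib import Path


def _write(path, value):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(value + "\n")


def build_fake_sysfs(root):
    """Constructed stand-in for /sys/bus/usb/devices: the 22b8:41da device with
    one networking interface (class 02, subclass 0a, protocol 01) carrying
    0x83 IN bulk, 0x02 OUT bulk and 0x03 OUT interrupt endpoints, plus an
    unrelated mass-storage-class interface to show the filtering."""
    dev = Path(root) / "1-1"
    _write(dev / "idVendor", "22b8")
    _write(dev / "idProduct", "41da")
    net = dev / "1-1:1.0"
    for name, val in (("bInterfaceNumber", "00"), ("bInterfaceClass", "02"),
                      ("bInterfaceSubClass", "0a"), ("bInterfaceProtocol", "01")):
        _write(net / name, val)
    for addr, direction, kind in (("83", "in", "Bulk"), ("02", "out", "Bulk"),
                                  ("03", "out", "Interrupt")):
        _write(net / f"ep_{addr}" / "bEndpointAddress", addr)
        _write(net / f"ep_{addr}" / "direction", direction)
        _write(net / f"ep_{addr}" / "type", kind)
    other = dev / "1-1:1.1"
    for name, val in (("bInterfaceNumber", "01"), ("bInterfaceClass", "08"),
                      ("bInterfaceSubClass", "06"), ("bInterfaceProtocol", "50")):
        _write(other / name, val)
    return root


def _attr(path, name):
    return (path / name).read_text().strip()


def find_interfaces(root, vid, pid):
    """Every interface of device vid:pid (4-hex-digit strings as sysfs prints
    them) with its class triple and endpoints; works on /sys/bus/usb/devices."""
    found = []
    for dev in Path(root).iterdir():
        if not (dev / "idVendor").exists():
            continue                     # interface entries carry no IDs
        if _attr(dev, "idVendor") != vid or _attr(dev, "idProduct") != pid:
            continue
        for iface in sorted(dev.glob(f"{dev.name}:*")):
            eps = [{"addr": int(_attr(ep, "bEndpointAddress"), 16),
                    "dir": _attr(ep, "direction"), "type": _attr(ep, "type")}
                   for ep in sorted(iface.glob("ep_*"))]
            found.append({"name": iface.name,
                          "class": int(_attr(iface, "bInterfaceClass"), 16),
                          "subclass": int(_attr(iface, "bInterfaceSubClass"), 16),
                          "protocol": int(_attr(iface, "bInterfaceProtocol"), 16),
                          "endpoints": eps})
    return found


def pick_bulk_endpoints(iface):
    """(in_addr, out_addr) using Bulk endpoints only, or None if no pair exists."""
    ins = [e["addr"] for e in iface["endpoints"] if e["dir"] == "in" and e["type"] == "Bulk"]
    outs = [e["addr"] for e in iface["endpoints"] if e["dir"] == "out" and e["type"] == "Bulk"]
    return (ins[0], outs[0]) if ins and outs else None


def render_product_entry(vid, pid, iface):
    """The two lines to paste into cdc_subset.c for this interface."""
    ep = pick_bulk_endpoints(iface)
    if ep is None:
        raise ValueError(f"{iface['name']}: no bulk IN/OUT pair")
    return (f"USB_DEVICE_AND_INTERFACE_INFO(0x{int(vid, 16):04x}, 0x{int(pid, 16):04x}, "
            f"0x{iface['class']:02x}, 0x{iface['subclass']:02x}, 0x{iface['protocol']:02x}),\n"
            f".in=0x{ep[0]:02x}, .out=0x{ep[1]:02x},")


def demo():
    """Run the whole thing against the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_sysfs(tmp)
        ifaces = find_interfaces(tmp, "22b8", "41da")
        net = [i for i in ifaces if i["class"] == 0x02]   # communications class
        return {"interfaces": len(ifaces), "entry": render_product_entry("22b8", "41da", net[0])}
```

On a real host, call find_interfaces("/sys/bus/usb/devices", vid, pid) instead of the constructed tree.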
Thanks man! This is awesome. It worked on my Motorola Defy (same parameters) under Ubuntu.
Hi,
I think this is what I am looking for: enable a Motorola device (Defy) to be a usb0 device with Ubuntu so you can have an IP and ssh easily to your droid (using VLC remote with a USB cable). I really appreciated this native feature with my old HTC.
Where is the cdc_subset.c?
Thx
balek said:
Hi,
I think this is what I am looking for: enable a Motorola device (Defy) to be a usb0 device with Ubuntu so you can have an IP and ssh easily to your droid (using VLC remote with a USB cable). I really appreciated this native feature with my old HTC.
Where is the cdc_subset.c?
Thx
It's in the kernel source. -- You'll have to download the linux or kernel source package that matches the kernel you run on your ubuntu machine, modify your cdc_subset driver, rebuild it, and install it.
Learning things like the kernel build system and how to install a kernel module are exercises for the reader.
Good job! I'll try it once i get my Ubuntu installation up and running again ^_^
Defy and Debian USB network works partially...
Hello. The idea was good...
My config is:
- on one side: a Defy (CM7 1.0-RC1 Nightly build 2037, Gingerbread 2.3.4)
- on the other side: a Linux Debian (Squeeze, kernel 3.0.0-1-686-pae)
I patched the cdc_subset driver as proposed. I saw a little difference on the endpoints: lsusb -v reports 0x83 for the 'in' endpoint and 0x2 (bulk) or 0x3 (interrupt) for the 'out' endpoint. I tried all combinations and only 0x83/0x2 gives a working ping between hosts. => Are the initial endpoints (0x84/0x3) working?
See attached file for the complete listing; search 'SDX' to see where I patched.
When I plug in the USB cable, the usb0 interface is brought up on Linux automatically and that's perfect.
With a simple network configuration, ping works on both hosts.
So everything seems right.
I then tried to transfer a huge 100MB file to see the performance:
- scp from linux to defy => OK, ~5MB/s
- scp from defy to linux => FAILURE after a few MB transferred
In the second test, the connection is completely frozen and I see errors on both interfaces (ifconfig usb0, error packets). I repeated the test multiple times with alternate network configs, without wifi etc., and I could never transfer the file completely.
Can someone confirm for me:
- that the transfer is working for them both ways with huge files
- what is reported by "lsusb -v -d 22b8:41da", to see if my endpoints for a Defy are correct
I'm not sure, but maybe cdc_subset is not the right driver to patch?
Or simply it's a bug in scp or sshd on the Defy! I should try with something else like ftp or http...
I keep working on this topic... Thx for any clue!
sdxmob said:
Hello. The idea was good...
My config is:
- on one side: a Defy (CM7 1.0-RC1 Nightly build 2037, Gingerbread 2.3.4)
- on the other side: a Linux Debian (Squeeze, kernel 3.0.0-1-686-pae)
I patched the cdc_subset driver as proposed. I saw a little difference on the endpoints: lsusb -v reports 0x83 for the 'in' endpoint and 0x2 (bulk) or 0x3 (interrupt) for the 'out' endpoint. I tried all combinations and only 0x83/0x2 gives a working ping between hosts. => Are the initial endpoints (0x84/0x3) working?
See attached file for the complete listing; search 'SDX' to see where I patched.
When I plug in the USB cable, the usb0 interface is brought up on Linux automatically and that's perfect.
With a simple network configuration, ping works on both hosts.
So everything seems right.
I then tried to transfer a huge 100MB file to see the performance:
- scp from linux to defy => OK, ~5MB/s
- scp from defy to linux => FAILURE after a few MB transferred
In the second test, the connection is completely frozen and I see errors on both interfaces (ifconfig usb0, error packets). I repeated the test multiple times with alternate network configs, without wifi etc., and I could never transfer the file completely.
Can someone confirm for me:
- that the transfer is working for them both ways with huge files
- what is reported by "lsusb -v -d 22b8:41da", to see if my endpoints for a Defy are correct
I'm not sure, but maybe cdc_subset is not the right driver to patch?
Or simply it's a bug in scp or sshd on the Defy! I should try with something else like ftp or http...
I keep working on this topic... Thx for any clue!
Any news with the Defy?

MSM8960 jtag!

This thread was initially started for the purpose of unbricking the HTC EVO 4G LTE (HTC Jewel) with the possible help of JTAG. But since I was unable to find any corresponding JTAG mod/pinouts for any other phone, the thread has been re-titled as MSM8960 JTAG. It would be good if members share their knowledge about the possibilities of discovering JTAG locations on newer Snapdragon S4 based chipsets.
A short history of how the phone was bricked.
Code:
My phone was S-OFF with lazypanda and I flashed the OMJ 1.13 stock rooted odex ROM. After that I downloaded the latest radio from the radio thread and flashed it. However it seems that the wifi gave up due to this; it only showed an error. It never turned on, so I tried to flash another, previous version of the radio, which seemed to flash normally without any issues. After this the phone never showed anything; Windows detects it as QHUSB_DLOAD. I have tried to use the lazypanda EVO LTE unbricker but it is not able to find the device!
[email protected]:~/new$ sudo ./brickdetect.sh
Searching for bricked device...
Device can't be detected. Check connections
However the getbrickdevice script which comes with yarrimapirate's downgrade thread is able to pick up the phone:
[email protected]:~/hboot$ sudo ./getbrickdrive.sh
Your bricked phone is accessible at /dev/sdd
lsusb output:
[email protected]:~/hboot$ lsusb
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 003 Device 002: ID 154b:0059 PNY
Bus 003 Device 014: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 004: ID 046d:c068 Logitech, Inc. G500 Laser Mouse
Now, when I use this command
sudo ./emmc_recover -f ./hboot_1.12.0000_signedbyaa.nb0 -d /dev/sdc12 -c 24576
it outputs the results below:
[email protected]:~/hboot$ sudo ./emmc_recover_new -f ./hboot_1.12.0000_signedbyaa.nb0 -d /dev/sdd12 -c 24576
================= emmc_recover 0.3 alpha 2 ==========================
Using chunksize 24576
Messing up with device /dev/sdd12, ARE YOU SURE?
CTRL+C if not, ENTER to continue
Waiting for device.
Running the lazypanda unbricker shows:
[email protected]:~/unbrick$ sudo ./PandaFinder -d /dev/sdd
============ PandaFinder 0.1 ===========
(c) Copyright 2012 Unlimited.IO
This program may not be redistributed in
nor included in other works works without
the express permission of team Unlimited.
Bricked device will appear to device node /dev/sdd
ARE YOU SURE?
CTRL+C if not, ENTER to continue
Realnode is /dev/sdd12
Ready to go.
(1) Remove MicroSD card from phone
(2) Connect bricked EVO 4G LTE to usb
Press ENTER when ready
*** Do NOT remove usb cable during process
*** Do NOT press any buttons until PandaFinder requests you to do that!!
******** Press ENTER when you understand this!! Really ********
Lets try unbricking once, before we run it really
Press ENTER to start test
Waiting for device.
- found /dev/ttyUSB1 - OK
Waiting device /dev/sdd12.......
dmesg output:
[ 208.362070] qcserial ttyUSB0: Qualcomm USB modem converter now disconnected from ttyUSB0
[ 208.362094] qcserial 1-1:1.0: device disconnected
[ 242.659408] usb 1-1: new high-speed USB device number 3 using ehci_hcd
[ 242.802505] usb 1-1: New USB device found, idVendor=05c6, idProduct=9008
[ 242.802511] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 242.802514] usb 1-1: Product: QHSUSB_DLOAD
[ 242.802517] usb 1-1: Manufacturer: Qualcomm CDMA Technologies MSM
[ 242.805254] qcserial 1-1:1.0: Qualcomm USB modem converter detected
[ 242.805492] usb 1-1: Qualcomm USB modem converter now attached to ttyUSB0
[/QUOTE]
And here it gets stuck forever. Previously, when the reset command was being sent to the phone, it showed Qualcomm Inc in the lsusb output and after some 7-10 sec switched to Qualcomm QDL. But now it only gets stuck on Qualcomm QDL.
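An added example, not code from this thread, of pulling the phone's USB identity out of dmesg lines like the ones above so you can tell which mode it is in without eyeballing the log. The 05c6:9008 vendor/product pair with the QHSUSB_DLOAD product string is Qualcomm's emergency download (EDL) mode, which is exactly the state the poster is stuck in. The sample lines are constructed, modelled on the quoted output, with a "USB disconnect" line added so the attach/detach tracking has something to do.

```python
"""Classify a Qualcomm phone's USB mode from dmesg lines.

Added example, not code from the thread.  SAMPLE_DMESG is constructed,
modelled on the dmesg output quoted above.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the modem endpoint drops off, then the phone
# re-enumerates as 05c6:9008 / QHSUSB_DLOAD (emergency download mode).
SAMPLE_DMESG = """\
[  208.362070] qcserial ttyUSB0: Qualcomm USB modem converter now disconnected from ttyUSB0
[  208.362094] qcserial 1-1:1.0: device disconnected
[  208.362200] usb 1-1: USB disconnect, device number 2
[  242.659408] usb 1-1: new high-speed USB device number 3 using ehci_hcd
[  242.802505] usb 1-1: New USB device found, idVendor=05c6, idProduct=9008
[  242.802511] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  242.802514] usb 1-1: Product: QHSUSB_DLOAD
[  242.802517] usb 1-1: Manufacturer: Qualcomm CDMA Technologies MSM
[  242.805254] qcserial 1-1:1.0: Qualcomm USB modem converter detected
[  242.805492] usb 1-1: Qualcomm USB modem converter now attached to ttyUSB0
"""

EDL_ID = ("05c6", "9008")  # Qualcomm HS-USB QDLoader 9008: emergency download mode

# Only "usb <port>:" lines carry the identity; "qcserial ..." lines are the
# serial driver binding to an interface and are deliberately ignored.
RE_NEW = re.compile(r"\] usb (?P<port>[\d.-]+): New USB device found, "
                    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
RE_PRODUCT = re.compile(r"\] usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
RE_GONE = re.compile(r"\] usb (?P<port>[\d.-]+): USB disconnect")
RE_TTY = re.compile(r"\] usb (?P<port>[\d.-]+): .* now attached to (?P<tty>ttyUSB\d+)")


def attached_devices(lines: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Replay the log in order and return the devices still on the bus, keyed by port."""
    devs: Dict[str, Dict[str, Optional[str]]] = {}
    for line in lines:
        m = RE_GONE.search(line)
        if m:
            devs.pop(m["port"], None)  # a re-enumeration starts from a clean slate
            continue
        m = RE_NEW.search(line)
        if m:
            devs[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "product": None, "tty": None}
            continue
        m = RE_PRODUCT.search(line)
        if m and m["port"] in devs:
            devs[m["port"]]["product"] = m["name"].strip()
            continue
        m = RE_TTY.search(line)
        if m and m["port"] in devs:
            devs[m["port"]]["tty"] = m["tty"]
    return devs


def classify(dev: Dict[str, Optional[str]]) -> str:
    """Human-readable boot state for one enumerated device."""
    if (dev["vid"], dev["pid"]) == EDL_ID:
        return "EDL (QHSUSB_DLOAD, emergency download mode)"
    if dev["vid"] == "05c6":
        return "Qualcomm device, not in EDL"
    return "not a Qualcomm device"


def find_edl_ports(dmesg_text: str) -> List[str]:
    """Ports on which a device is currently sitting in emergency download mode."""
    devs = attached_devices(dmesg_text.splitlines())
    return [port for port, d in devs.items() if (d["vid"], d["pid"]) == EDL_ID]


if __name__ == "__main__":
    for port, dev in attached_devices(SAMPLE_DMESG.splitlines()).items():
        print(f"{port}: {dev['vid']}:{dev['pid']} {dev['product']} on {dev['tty']} -> {classify(dev)}")
```

Run it against `dmesg | python3 this_script.py`-style input by swapping SAMPLE_DMESG for `sys.stdin.read()`; the point of replaying disconnects is that a phone that bounces between modes (as the poster describes) is reported by its latest enumeration, not its first.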
Please post in the proper sections. This belongs in Q&A not development...
Yep... MOVED to Q and A
Might be better asking here:
http://unlimited.io/support.htm
Sent from my HTC One X using xda app-developers app
Can anyone provide any info on the JTAG pinouts of this device? It seems that I'm not able to recover the phone unless I JTAG it. The RIFF Box supports resurrection for all the MSM8960 Snapdragon S4 based phones, so I think it will be able to recover the EVO LTE also. I asked dexter @ their IRC channel and he said that I screwed things up and hence will not be able to recover the device using their provided method.
Sent from my LG-LS840 using Tapatalk 2
You might find something here, these guys are trying to map everything. MSM8960 Info
The NRST pad location is shown in this picture of the EVO 4G LTE motherboard. It would be really appreciated if someone can help in locating the remaining pads as well.
Full size image
http://img221.imageshack.us/img221/1503/cam00068.jpg
Bump. Now that the phone is completely dead, I'm trying to locate the JTAG pads on this phone. Here is a rough idea for the JTAG pads. Let me know if anyone is willing to help.
https://www.dropbox.com/s/gbfyaf5aouc27ee/htcevo4glte2.jpg
The pad locations are just assumptions on the basis of regular jtag allocations on various htc phones.
Below are some of the voltage readings which are observed with Riff Box Voltage probe.
https://www.dropbox.com/s/reipjimu8toola4/CAM00068.jpg
http://pastebin.com/ZBw8TFcg
+C= Cable attached.
+B= Battery attached.
funkym0nk3y said:
Below are some of the voltage readings which are observed with Riff Box Voltage probe.
https://www.dropbox.com/s/reipjimu8toola4/CAM00068.jpg
http://pastebin.com/ZBw8TFcg
+C= Cable attached.
+B= Battery attached.
which adapter are you using? riff? ort? I was searching for just this because I have a very difficult HTC One xl brick. your thread was the first Google result, and this was the second:
http://www.cdmahosting.com/showthread.php?p=1491
I hope that helps!
at $200, the ort-jtag is a tempting buy, esp. When you see so many tough bricks lately. too bad I don't even know where to start with it... lol
=JKT= said:
which adapter are you using? riff? ort? I was searching for just this because I have a very difficult HTC One xl brick. your thread was the first Google result, and this was the second:
http://www.cdmahosting.com/showthread.php?p=1491
I hope that helps!
at $200, the ort-jtag is a tempting buy, esp. When you see so many tough bricks lately. too bad I don't even know where to start with it... lol
I know, in my country I got it for around $100 (RIFF Box, thanks to a known person). The RIFF Box's new update also supports the MSM8960 chipset, and so I think once we are able to locate the JTAG pads there isn't going to be any problem.
so in the case of, say, jewel and evita, the soft part of the jtag will be the same (using the right imgs of course) since they are both msm8960, but the connection points will be different because the board layout is different? but, on the other hand, the correct pins will show similar behaviour re: voltage as another msm8960, correct? Hopefully they will not be in the set that seems to hover around 1.8v...
One last question. will the pin voltage behaviour be more or less consistent between chip sets? I'm specifically thinking of the pins that have unique behaviour like 25, 26, 29 on your pastebin.com chart. If so, we might get lucky referring to a somewhat similar, but known chip set.
Hopefully yes, and that might help in locating possible known behavior and voltages on other similar phones. But I think this totally depends on the pull-up resistors being used by manufacturers? I might be wrong here; maybe more and older hardcore junkies can shed some light on this.
funkym0nk3y said:
Hopefully yes, and that might help in locating possible known behavior and voltages on other similar phones. But I think this totally depends on the pull-up resistors being used by manufacturers? I might be wrong here; maybe more and older hardcore junkies can shed some light on this.
yeah. this seems like an esoteric topic, and Google isn't yielding results too easily. perhaps I'm just searching for the wrong thing. JTAG is a really broad topic, and I'm unsure what the crucial variables are to narrow the search.
edit: this method seems helpful. take a look, if you haven't already seen it.
Success
Finally able to find all the necessary pinouts.
Thanks to htc unbrick team.
funkym0nk3y said:
Finally able to find all the necessary pinouts.
Thanks to htc unbrick team.
did you share these somewhere, or was it like a "for your eyes only" type thing?
At the moment it's only a for-my-eyes thing; I will update the pinout pic and post it here.
Update
Enjoy.
funkym0nk3y said:
Update
View attachment 1471313
Enjoy.
You rock. Hopefully this will help us Evita people out with JTAGing some stubborn bricks.
Evita is already jtagged
Sent from my EVO using Tapatalk 2

[EXPLOIT] [BOOTLOADER] Mediatek based LG K10 2017 M250 bootloader secure boot bypass.

Hello.
I managed to bypass secure boot on LG K10 M250E (should also work on other versions like M250 M250N etc.)
See https://github.com/arturkow2000/lgk10exploit
This repository contains an LK exploit capable of booting an unsigned system and tools for reading/writing from/to the device.
For instructions check README.md in repository.
Hi and sorry for the inconvenience, I am happy that you finally managed to make this exploit to this device which unfortunately I no longer have. But can this exploit be ported to other devices or is it just for this device?
XRed_CubeX said:
Hi and sorry for the inconvenience, I am happy that you finally managed to make this exploit to this device which unfortunately I no longer have. But can this exploit be ported to other devices or is it just for this device?
Exploit is only for this device.
However, this repository also contains tools that can aid in creating exploits for other Mediatek based devices and tools that can read/write device memory; these should work on most MT6755 devices as long as they can bypass preloader/bootrom security.
If you have any MT6755/MT6750 (should also work for MT6795/MT6797) device you can try using these tools as replacement for SP Flash Tool.
OficerX said:
Exploit is only for this device.
However, this repository also contains tools that can aid in creating exploits for other Mediatek based devices and tools that can read/write device memory; these should work on most MT6755 devices as long as they can bypass preloader/bootrom security.
If you have any MT6755/MT6750 (should also work for MT6795/MT6797) device you can try using these tools as replacement for SP Flash Tool.
I can flash partitions only in preloader mode with SP flash tool or with root with Android, however my problem is on an MT6737, which also has fastboot but not an unlockable bootloader and I would like to try to port it
See these:
https://github.com/xyzz/amonet
https://github.com/amonet-kamakiri/kamakiri
https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256
And these leaks:
https://gitlab.com/mt6797/vendor
https://gitlab.com/MT6795/vendor
The exploit works by crafting a boot image that on load overwrites LK data with the payload; it works because mboot_android_load_bootimg does not check if the image's load range overlaps the loader.
https://gitlab.com/MT6795/vendor/-/...otloader/lk/platform/mt6795/load_image.c#L811
Probably your device is vulnerable in the same way.
See here how to craft boot image
https://github.com/arturkow2000/lgk10exploit/blob/master/microloader/inject_microloader_nougat.py
and here
https://github.com/amonet-kamakiri/kamakiri/blob/master/microloader/inject_microloader.py
At the beginning you could set inject_addr to some invalid address like 0x0 or 0xFFFFFFFF to trigger crash, LK will print all registers and stack pointer.
Do you have access to UART or some other way to get logs from crashed LK?
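An added example, not code from this thread or from the lgk10exploit repository, showing the check the post above says mboot_android_load_bootimg is missing: before a loader copies kernel/ramdisk data to the addresses a boot image header asks for, it should verify that those windows neither overlap its own text/data nor each other, and that they do not wrap the 32-bit address space. The header fields follow the Android boot image header (v0); the loader region and the two sample headers are constructed for the demonstration.

```python
"""Validate a boot image's declared load ranges before copying it into memory.

Added example, not the project's code.  LOADER_REGION and the sample
headers are constructed; a real loader would take its own region from
its link map.
"""
import struct
from typing import Dict, List, Tuple

BOOT_MAGIC = b"ANDROID!"
# Leading fields of the Android boot image header (v0): magic, kernel_size,
# kernel_addr, ramdisk_size, ramdisk_addr, second_size, second_addr,
# tags_addr, page_size.
HDR_FMT = "<8s8I"
HDR_FIELDS = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
              "second_size", "second_addr", "tags_addr", "page_size")

Region = Tuple[str, int, int]  # (name, start, end-exclusive)

# Constructed: where the bootloader itself lives in RAM.
LOADER_REGION: Region = ("lk", 0x46000000, 0x46100000)


def parse_header(hdr: bytes) -> Dict[str, int]:
    """Parse the leading fields of a boot image header, rejecting obvious junk."""
    if len(hdr) < struct.calcsize(HDR_FMT):
        raise ValueError("boot image header too short")
    magic, *vals = struct.unpack_from(HDR_FMT, hdr)
    if magic != BOOT_MAGIC:
        raise ValueError("bad boot image magic")
    fields = dict(zip(HDR_FIELDS, vals))
    page = fields["page_size"]
    if page == 0 or page & (page - 1):
        raise ValueError("page_size must be a non-zero power of two")
    return fields


def load_ranges(fields: Dict[str, int]) -> List[Region]:
    """Memory windows the loader would write, page-rounded like the copy itself."""
    page = fields["page_size"]
    out: List[Region] = []
    for name in ("kernel", "ramdisk", "second"):
        size = fields[f"{name}_size"]
        if size == 0:
            continue
        start = fields[f"{name}_addr"]
        rounded = (size + page - 1) & ~(page - 1)
        out.append((name, start, start + rounded))  # Python ints: no silent 32-bit wrap
    return out


def _overlaps(a: Region, b: Region) -> bool:
    return a[1] < b[2] and b[1] < a[2]


def check_load_ranges(hdr: bytes, reserved: List[Region]) -> List[str]:
    """Return the list of violations; an empty list means the image is safe to copy."""
    ranges = load_ranges(parse_header(hdr))
    problems: List[str] = []
    for r in ranges:
        if r[2] > 1 << 32:
            problems.append(f"{r[0]} load range wraps the 32-bit address space")
        for res in reserved:
            if _overlaps(r, res):
                problems.append(f"{r[0]} [{r[1]:#x},{r[2]:#x}) overlaps "
                                f"{res[0]} [{res[1]:#x},{res[2]:#x})")
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            if _overlaps(ranges[i], ranges[j]):
                problems.append(f"{ranges[i][0]} and {ranges[j][0]} load ranges overlap")
    return problems


def make_header(kernel_size: int, kernel_addr: int, ramdisk_size: int,
                ramdisk_addr: int, page_size: int = 2048) -> bytes:
    """Build a constructed header prefix (second stage and tags left at 0)."""
    return struct.pack(HDR_FMT, BOOT_MAGIC, kernel_size, kernel_addr,
                       ramdisk_size, ramdisk_addr, 0, 0, 0, page_size)


# Constructed samples: one sane image, one whose ramdisk window lands on the loader.
GOOD_HEADER = make_header(0x300000, 0x40080000, 0x100000, 0x44000000)
BAD_HEADER = make_header(0x300000, 0x40080000, 0x100000, 0x46010000)

if __name__ == "__main__":
    for label, hdr in (("good", GOOD_HEADER), ("bad", BAD_HEADER)):
        print(label, check_load_ranges(hdr, [LOADER_REGION]) or "ok")
```

The reserved list would normally also carry the page tables, stack and any secure-world carve-outs; the rule is the same for each: a header is attacker-controlled input, so nothing it names as a destination is trusted until it has been compared against everything the loader must keep intact.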
OficerX said:
See these:
https://github.com/xyzz/amonet
https://github.com/amonet-kamakiri/kamakiri
https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256
And these leaks:
https://gitlab.com/mt6797/vendor
https://gitlab.com/MT6795/vendor
The exploit works by crafting a boot image that on load overwrites LK data with the payload; it works because mboot_android_load_bootimg does not check if the image's load range overlaps the loader.
https://gitlab.com/MT6795/vendor/-/...otloader/lk/platform/mt6795/load_image.c#L811
Probably your device is vulnerable in the same way.
See here how to craft boot image
https://github.com/arturkow2000/lgk10exploit/blob/master/microloader/inject_microloader_nougat.py
and here
https://github.com/amonet-kamakiri/kamakiri/blob/master/microloader/inject_microloader.py
At the beginning you could set inject_addr to some invalid address like 0x0 or 0xFFFFFFFF to trigger crash, LK will print all registers and stack pointer.
Do you have access to UART or some other way to get logs from crashed LK?
No, because I don't know how to solder, if there is no alternative to the UART I first try on another device to see if I can solder well.
Some devices expose UART over USB, see this: https://wiki.postmarketos.org/wiki/Serial_debugging
it may help.
If not try crashing LK, your device after reboot may show logs.
In my device when LK crashes after reboot it enters DemiGod Crash Handler which shows all relevant information.
Alternatively you may try porting this:
https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L421
This does a temporary unlock lasting till reboot, but it will allow you to run a tampered LK.
Then you can redirect dprintf() calls in exception handler to video_printf().
This temporary unlock method uses gcpu to bypass BootROM range checks (bootrom checks memory address/length you read/write).
And then writes two magic values:
0x3B6C243C at 0x102080
0xF843E0A at 0x00102084
This causes preloader to ignore EFUSE state and turn Secure Boot off.
See amonet thread I linked in previous post, @xyz` described there how to disable range checks.
Use this to dump BootROM https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L455
XRed_CubeX said:
No, because I don't know how to solder, if there is no alternative to the UART I first try on another device to see if I can solder well.
No soldering, just pressure. It depends the device of course...
http://cxzstuff.blogspot.com/2017/02/making-connections-ainol-crystal-dual.html
CXZa said:
No soldering, just pressure. It depends the device of course...
http://cxzstuff.blogspot.com/2017/02/making-connections-ainol-crystal-dual.html
No, forgive me but what is that? Pliers? How does it work?
XRed_CubeX said:
No, forgive me but what is that? Pliers? How does it work?
Yep. Pliers have rubber bands (not showing) to keep them closed holding those wires made out of copper paper clips. Visit the link to see bigger pics.
OficerX said:
Some devices expose UART over USB, see this: https://wiki.postmarketos.org/wiki/Serial_debugging
it may help.
If not try crashing LK, your device after reboot may show logs.
In my device when LK crashes after reboot it enters DemiGod Crash Handler which shows all relevant information.
Alternatively you may try porting this:
https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L421
This does a temporary unlock lasting till reboot, but it will allow you to run a tampered LK.
Then you can redirect dprintf() calls in exception handler to video_printf().
This temporary unlock method uses gcpu to bypass BootROM range checks (bootrom checks memory address/length you read/write).
And then writes two magic values:
0x3B6C243C at 0x102080
0xF843E0A at 0x00102084
This causes preloader to ignore EFUSE state and turn Secure Boot off.
See amonet thread I linked in previous post, @xyz` described there how to disable range checks.
Use this to dump BootROM https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L455
OK, I managed to get the brom payload with the help of a friend of mine, however what do you mean by "Tampered LK"?
How can I modify this LK and boot it with this brom-payload?
XRed_CubeX said:
OK, I managed to get the brom payload with the help of a friend of mine, however what do you mean by "Tampered LK"?
How can I modify this LK and boot it with this brom-payload?
https://drive.google.com/file/d/158G2a-xX_I3USwlIbxGw0mMUKsO_TaYU/view?usp=sharing
Use these strings to find video_printf
then look for references to "undefined abort, halting", "data abort", "prefetch abort", "unhandled syscall".
these are directly followed by call dprintf, change them to call video_printf
https://drive.google.com/file/d/1xCKjLaXFYoGimKmoeQojRtHRI9ZBhSGB/view?usp=sharing
The next call (here sub_4601C90C) is to a function that dumps registers and stack contents.
https://drive.google.com/file/d/1iLNVs-ntfjW33UhHWslRP8jSWWNPYS16/view?usp=sharing
Change all dprintf calls to video_printf.
Flash exploit and patched lk then reboot.
Your device should boot directly into bootrom, then run the unlock procedure; your device should resume booting and proceed to loading LK from.
After leaving bootrom the device should enter preloader download for a moment, so before flashing anything you can use the pl.py --identify command to check if SBC, SLA and DAA are all off, to check if unlocking works.
OficerX said:
https://drive.google.com/file/d/158G2a-xX_I3USwlIbxGw0mMUKsO_TaYU/view?usp=sharing
Use these strings to find video_printf
then look for references to "undefined abort, halting", "data abort", "prefetch abort", "unhandled syscall".
these are directly followed by call dprintf, change them to call video_printf
https://drive.google.com/file/d/1xCKjLaXFYoGimKmoeQojRtHRI9ZBhSGB/view?usp=sharing
The next call (here sub_4601C90C) is to a function that dumps registers and stack contents.
https://drive.google.com/file/d/1iLNVs-ntfjW33UhHWslRP8jSWWNPYS16/view?usp=sharing
Change all dprintf calls to video_printf.
Flash exploit and patched lk then reboot.
Your device should boot directly into bootrom, then run the unlock procedure; your device should resume booting and proceed to loading LK from.
After leaving bootrom the device should enter preloader download for a moment, so before flashing anything you can use the pl.py --identify command to check if SBC, SLA and DAA are all off, to check if unlocking works.
Correct me if I'm wrong but the addresses to change the secure boot are the same right?
OficerX said:
https://drive.google.com/file/d/158G2a-xX_I3USwlIbxGw0mMUKsO_TaYU/view?usp=sharing
Use these strings to find video_printf
then look for references to "undefined abort, halting", "data abort", "prefetch abort", "unhandled syscall".
these are directly followed by call dprintf, change them to call video_printf
https://drive.google.com/file/d/1xCKjLaXFYoGimKmoeQojRtHRI9ZBhSGB/view?usp=sharing
The next call (here sub_4601C90C) is to a function that dumps registers and stack contents.
https://drive.google.com/file/d/1iLNVs-ntfjW33UhHWslRP8jSWWNPYS16/view?usp=sharing
Change all dprintf calls to video_printf.
Flash exploit and patched lk then reboot.
Your device should boot directly into bootrom, then run the unlock procedure; your device should resume booting and proceed to loading LK from.
After leaving bootrom the device should enter preloader download for a moment, so before flashing anything you can use the pl.py --identify command to check if SBC, SLA and DAA are all off, to check if unlocking works.
Hey,
Could you check those links? The second and the last one aren't working and I'd like to see how the function that dumps registers looks like (as reference).
Thanks :good:
XRed_CubeX said:
Correct me if I'm wrong but the addresses to change the secure boot are the same right?
I'm 99% sure they are. I found this while reversing seclib from MT6535; it turned out these addresses are valid for my SoC, and your SoC is very similar to mine and to MT6535, so I think it should be correct.
But you can find it by looking for reads from 0x10206060 (efuses).
See here
https://drive.google.com/file/d/19kqoLTT0nKR7vmf9AwwHOy6ihKjqEoNo/view?usp=sharing
As you can see it checks for these values and if they match it disables secure boot.
https://drive.google.com/file/d/19ITt5NV9EZggnFjfbUmf_cp5WCPBG_m_/view?usp=sharing
https://drive.google.com/file/d/1JeBjTOwTOjdjBTZkQmaP22edgZEKPiBE/view?usp=sharing
Rortiz2 said:
Hey,
Could you check those links? The second and the last one aren't working and I'd like to see how the function that dumps registers looks like (as reference).
Thanks :good:
Oops, forgot to set permissions, now it's working.
OficerX said:
I'm 99% sure they are. I found this while reversing seclib from MT6535; it turned out these addresses are valid for my SoC, and your SoC is very similar to mine and to MT6535, so I think it should be correct.
But you can find it by looking for reads from 0x10206060 (efuses).
See here
https://drive.google.com/file/d/19kqoLTT0nKR7vmf9AwwHOy6ihKjqEoNo/view?usp=sharing
As you can see it checks for these values and if they match it disables secure boot.
https://drive.google.com/file/d/19ITt5NV9EZggnFjfbUmf_cp5WCPBG_m_/view?usp=sharing
https://drive.google.com/file/d/1JeBjTOwTOjdjBTZkQmaP22edgZEKPiBE/view?usp=sharing
Oops, forgot to set permissions, now it's working.
Thank you!
BTW, secure boot addresses are different for mt8163:
OficerX said:
Some devices expose UART over USB, see this: https://wiki.postmarketos.org/wiki/Serial_debugging
it may help.
If not try crashing LK, your device after reboot may show logs.
In my device when LK crashes after reboot it enters DemiGod Crash Handler which shows all relevant information.
Alternatively you may try porting this:
https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L421
This does a temporary unlock lasting till reboot, but it will allow you to run a tampered LK.
Then you can redirect dprintf() calls in exception handler to video_printf().
This temporary unlock method uses gcpu to bypass BootROM range checks (bootrom checks memory address/length you read/write).
And then writes two magic values:
0x3B6C243C at 0x102080
0xF843E0A at 0x00102084
This causes preloader to ignore EFUSE state and turn Secure Boot off.
See amonet thread I linked in previous post, @xyz` described there how to disable range checks.
Use this to dump BootROM https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L455
Hi, I think that the option to modify the LK and modify the printf will take some time for now, because unfortunately I don't have the knowledge and skills in using such a powerful tool as IDA Pro. Another option that you had advised, the UART via micro USB: it is not the first time I hear of it, and once I have already tried to build a UART with a micro USB cable, but unfortunately I have not obtained any logs from the devices and I think I have built it wrong; I'll probably get a pre-made one from a shopping site. A friend of mine advised me not to use the micro USB cable because it "probably" doesn't get the logs from a crashed LK.
So I ask you, since you are probably sure or you have tried it: is UART via micro USB a good option?
From fastboot if I do "fastboot oem p2u on", fastboot responds and confirms, so I can be sure my device supports UART. If anything, do you have any tips or tutorials to build a UART cable correctly?
My UART adapter is a CP2102, okay?
(P.S.: My micro USB connector doesn't have an ID wire, ONLY D+, D-, GND and VCC)
(P.S.2: Do you have any tips or tutorials to disassemble the binary well in ARM?)
XRed_CubeX said:
Hi, I think that the option to modify the LK and modify the printf will take some time for now, because unfortunately I don't have the knowledge and skills in using such a powerful tool as IDA Pro. Another option that you had advised, the UART via micro USB: it is not the first time I hear of it, and once I have already tried to build a UART with a micro USB cable, but unfortunately I have not obtained any logs from the devices and I think I have built it wrong; I'll probably get a pre-made one from a shopping site. A friend of mine advised me not to use the micro USB cable because it "probably" doesn't get the logs from a crashed LK.
So I ask you, since you are probably sure or you have tried it: is UART via micro USB a good option?
From fastboot if I do "fastboot oem p2u on", fastboot responds and confirms, so I can be sure my device supports UART. If anything, do you have any tips or tutorials to build a UART cable correctly?
My UART adapter is a CP2102, okay?
(P.S.: My micro USB connector doesn't have an ID wire, ONLY D+, D-, GND and VCC)
(P.S.2: Do you have any tips or tutorials to disassemble the binary well in ARM?)
On my device at first I was booting a modified LK. It was a very slow process; at one point I couldn't move further, I had a working exploit running my payload but I couldn't make it boot Linux (later it turned out that it did not load the DTB; I added a call to bldr_load_dtb and it worked then), the device was just hanging.
I updated to Oreo, LG added a crash handler so I didn't have to boot a patched LK anymore, and this significantly sped up everything.
I couldn't use UART because LG disabled it.
When device boots preloader checks whether proper cable is connected and either switches USB into UART or leaves it as it is, but in my case this feature was disabled at compile time.
You can check in linux source in usb phy driver code that performs mode switch and then check if preloader or LK has it.
P.S. Now I have partially working UART, I enable it in payload (see microloader/linuxboot), it works (TX voltage goes high to ~3.3V), but I cannot get output till Linux boots, I still need to figure it out.
This won't help you in making exploit but can help later during kernel development.
If you won't get UART working then I think that patching LK is all you have left.
OficerX said:
On my device at first I was booting a modified LK. It was a very slow process; at one point I couldn't move further, I had a working exploit running my payload but I couldn't make it boot Linux (later it turned out that it did not load the DTB; I added a call to bldr_load_dtb and it worked then), the device was just hanging.
I updated to Oreo, LG added a crash handler so I didn't have to boot a patched LK anymore, and this significantly sped up everything.
I couldn't use UART because LG disabled it.
When device boots preloader checks whether proper cable is connected and either switches USB into UART or leaves it as it is, but in my case this feature was disabled at compile time.
You can check in linux source in usb phy driver code that performs mode switch and then check if preloader or LK has it.
P.S. Now I have partially working UART, I enable it in payload (see microloader/linuxboot), it works (TX voltage goes high to ~3.3V), but I cannot get output till Linux boots, I still need to figure it out.
This won't help you in making exploit but can help later during kernel development.
If you won't get UART working then I think that patching LK is all you have left.
Maybe you need to patch the cmdline? I don't know, I'm just throwing some ideas.
Rortiz2 said:
Maybe you need to patch the cmdline? I don't know, I'm just throwing some ideas.
I already did that, UART works in Linux, it doesn't work in LK, it's enabled but there is no output, I need it to get working as early in boot process as possible to debug 64 bit kernel (for it's not booting at all)
My UART driver must be faulty.
In Linux I turned most stuff related to USB, GPIO and clocks into no-ops and UART is still working.
Right now I'm porting TWRP, but when I finish it I will try again with UART.

Kernel Source for Nook Glowlight 2013 (BNRV500)

EDIT: The files have now reappeared on B&N's servers. For safety and convenience I've attached the Nook-1.3.0 and Nook-1.3.1 Delta files here in one Zip file. Hope this helps someone else. I'm off to try patching this kernel.
Hi all!
Does anyone have a copy of the source code for the 2013 Glowlight? The links on B&N's site aren't working. I've tried hunting around on XDA, but it doesn't seem as though anyone has ever uploaded them here.
Nook OS version on my GL 2013 is 1.3.2, but I'm guessing 1.3.0 and 1.3.1 aren't that different and would be better than nothing.
Thank you!
Alex
Found them! B&N must have fixed their site, because the links are working again. I've attached them here in one Zip file just in case they go missing again. I've also popped them on the Wayback Machine.
I've managed to build the kernel using the Sourcery G++ Lite 2010q1-202 toolchain. There was a tiny tweak needed to get it to work with newer versions of Perl, but otherwise it's compiled without a problem. I've tried with a couple of later Linaro toolchain builds, but they failed.
Patch-wise I'm trying to get features as close to the NST modded kernels as possible. The kernel on my old NST has the smartassv2 CPU governor and the SIO scheduler, so I've found patches for those and added them.
I have a few other patches, but no success so far. FastMode needs quite a few tweaks for the patch to work. USB Host Mode compiles fine but does nothing, with no chipset shown in Renate's USB Mode Utility. Finally, I can't work out how to overclock to 1000 MHz.
I'm sure a lot of these issues are solved somewhere in this forum, or there are at least clues (the "Hacking the New Nook Glowlight" thread has certainly helped). I haven't found the answers yet. It's not an urgent project - my NST is still hanging on for dear life - so I'm just working on it when I have a few minutes or feel inspired to do so.
I'll post updates here as I work things out. If anyone has any tips or can offer any help, please do reply to this thread.
albrow said:
USB Host Mode compiles fine but does nothing, with no chipset shown in Renate's USB Mode Utility.
The old driver(s) exposed:
Code:
/sys/devices/platform/musb_hdrc/mode
/sys/devices/platform/musb_hdrc/vbus
/sys/devices/platform/i2c_omap.1/i2c-adapter/i2c-1/1-0048/twl4030_usb/vbus
/sys/devices/virtual/sec/switch/adc
/sys/devices/platform/bq24073/regulator/regulator.5/state
/sys/devices/platform/bq24073/force_current
I've uploaded what I've done so far to GitHub.
GitHub - PocketNerdIO/nook-kernel-1.3.1: Kernel for the Nook Glowlight 1 (BNRV500), based on B&N's stock kernel (nook-1.3.1, Android 2.1, Linux 2.6.29-omap1) with some extra patches.
Currently the only changes from stock are adding SIO and smartassv2. I've attached the uImage and .config files, should you want to give them a go yourself.
I don't know how many NG1 users are still out there, but hopefully someone will find this useful.
Sidenote: I'm a Linux user. If you run ADB in Linux first, Renate's ADBGRAB runs perfectly in Wine. See the screenshot below.
I'll try to look into it.
I thought I should add that I've already adjusted the partition table. My NG1 currently has a uRamdisk that mounts /sdcard as a symlink, but some apps really don't like this. I think I'm going to repurpose "reserve" as /sdcard instead.
Code:
NAME FSTYPE FSVER LABEL SIZE
sdb
├─sdb1 vfat FAT32 boot 76M
├─sdb2 vfat FAT32 rom 16M
├─sdb3 ext2 1.0 factory 190M
├─sdb4
├─sdb5 ext2 1.0 288M
├─sdb6 vfat FAT32 NOOK 2.5G
├─sdb7 ext3 1.0 cache 239M
├─sdb8 ext3 1.0 reserve 15M
└─sdb9 ext3 1.0 userdata 300M
albrow said:
Renate's ADBGRAB runs perfectly in Wine.
Gosh! Glad to hear it.
Don't forget that for a simple grab give it a filename:
Code:
adbgrab grab.png /o90
Rotate works on this (but not Scale /s)
For interactive:
Code:
adbgrab /s.5
Rotate & Scale work.
Mouse clicks and most keys work on this (but slowly due to Android "input" command which does it in Java).
Renate NST said:
Don't forget that for a simple grab give it a filename:
Code:
adbgrab grab.png /o90
Rotate works on this (but not Scale /s)
For interactive:
Code:
adbgrab /s.5
Rotate & Scale work.
Mouse clicks and most keys work on this (but slowly due to Android "input" command which does it in Java).
Thank you! I'm going to try running a few more of your tools with Wine in the next few days. I'm especially interested in patching the Reader using MergeSmali, as well as swapping versions (seeing if the one in 1.2.1/1.2.2 is better than the one in 1.3.1).
I added some compilation tweaks to the code so that it aimed at Cortex-8 rather than a generic ARMv7 build. The changes are on Github and will be part of the next binary I release.
I've been wondering if it's worth trying to find some other patches for this old kernel to give it a speed boost, or maybe more battery savings. I'm guessing it's not worth trying to get it running with a newer kernel (2.6.32/35/36). To be honest I don't know much about kernel hacking beyond some beginner-level C and adding patches. For now I'd like to get things like multitouch and FastMode running, which shouldn't be too tough.
With a quick tweak to the code, the kernel now compiles and boots with Linaro 2012-08 (gcc 4.7.2). I'll push the change to Github later.
I was also able to compile it with Linaro's gcc 4.9.4, but unfortunately the NG1 wouldn't boot. I probably need to work out how to look at u-boot and kernel logs to see if it's fixable, but it's not as important as getting the other patches working.
I'm slowly going through Guevor's old patch file (v4) for the NST. I've added the option for Veno TCP congestion control to the kernel. The change is up on Github. Plus, here's my latest kernel compiled with Linaro gcc 4.7.2, along with the config. To recap, here's the changelog from the stock Nook 1.3.1 kernel (2.6.29):
Compiles (and boots) with Linaro gcc 4.7.2
Fixed to compile with modern versions of Perl
Use SIO I/O Scheduler as default
Use smartassv2 as default
Add Veno TCP congestion and set as default
Not a huge number of changes from stock, but hopefully still some improvements. Next up are FastMode, Multitouch and USB Host. There are also the overclocking settings, but I'm less sure about whether they're all that worthwhile.
EDIT: Realised that I'd uploaded a kernel compiled with the Sourcery toolchain, so I've just uploaded one compiled with Sourcery and one with Linaro gcc 4.7.2. Feel free to test both.
In other news (cc @Renate NST), the stock Reader on my device really doesn't like files loaded using the Temblast Library, which is a massive shame as it's my preferred library app. It takes a long time to load the file, and then has no indexing whatsoever: "Content" does nothing, "go to" shows "Page 3 of 0", and highlighting a word crashes the reader. It's not the end of the world as I can use the stock Library, although I don't know if it's going to read the files in /sdcard. Further research required.
Also, this version of the stock reader REALLY dislikes Button Savior drawing over the top of it. This is most noticeable when the trigger fades out. It will try to refresh the screen at every gradient of change, sometimes making the device unresponsive for up to 30 seconds. I thought there was a way of turning off the fade-out, but I can't find it. One workaround is to close the Button Savior panel, press home, wait for the button to fade, then go back to the reader. It's times like this when I actually miss the "n" button bar on the NST. I can live without physical buttons if the virtual ones do the job well enough.
Think my next task will be to rearrange the partitions so that there's a proper /sdcard rather than a symlink.
albrow said:
The stock Reader on my device really doesn't like files loaded using the Temblast Library...
That's very strange. If it opens the intended book then it should be ok from there.
In my world the reader gets the last reading point by itself.
Maybe your reader is expecting something extra in the intent and it isn't handling the lack gracefully?
Does it always go to page 1 even if you've read further?
albrow said:
Also, this version of the stock reader REALLY dislikes Button Savior...
Mmm, I dislike those things too.
I was looking at the Onyx Boox Poke 3. It has only a power button, no home, no anything.
It has this arc of icons that follows your finger, a bit like Button Savior.
It's great hardware but I'd have to do a bunch of work to make it clean.
Renate NST said:
Maybe your reader is expecting something extra in the intent and it isn't handling the lack gracefully?
I'm certain you're right on this, but I have no idea how to monitor that.
Renate NST said:
Does it always go to page 1 even if you've read further?
Yes, unless you're re-opening the same book that is currently open (i.e. Reader is already running in the background with that book).
I've just noticed something with this Reader. It NEVER does a refresh on a page turn, nor when the bottom menu appears or disappears. It sometimes does a refresh when it first loads a book, but not always. But if something tries to draw over the top of it (Button Savior, the Android volume HUD), it refreshes on every change to the screen.
I have a theory on this. When trying to apply the FastMode patches, I noticed that the Nook 1.3.1 kernel has more functionality than the one from 1.2.x. I've attached them both here, along with a diff of the two files. Could it be that this newer Reader uses a "new" (given the device is 8 years old) screen drawing method that the NG1 is switching in and out of when something draws over the top of Reader?
I might compile another kernel with the old kernel driver to see what it does.
Renate NST said:
I was looking at the Onyx Boox Poke 3. It has only a power button, no home, no anything.
It has this arc of icons that follows your finger, a bit like Button Savior.
It's great hardware but I'd have to do a bunch of work to make it clean.
Oh, don't tempt me! Hacking around with Android 2.1 does feel futile in 2021, but I'm not sure if I want to spend $189 on an ereader right now.
So, a quick update. I've managed to get the OTG patch on and enable the right kernel options (thanks to guevor's old NST .config file). It can now see devices!
Unfortunately, even though I've enabled block devices and SCSI, no new devices are showing in /dev. I'm sure I'm just missing some kernel options.
I found a later version of Linaro's gcc, specifically 4.7.3 from April 2013, which creates a bootable kernel. I think this is the latest version of gcc that will work properly with this code - any later and I just get a freeze at boot, not even a bootloop. It would've been nice (for me) to run a 64-bit compiler, but this works for now so I'll stick with it.
Latest amendments are on Github. I'm not at my laptop at the moment so I don't have a copy of the uImage or .config, but I'll add them when I'm next about.
Finally, I was wondering how easy it would be to "backport" this kernel to work on the NST or NST/G. It might just require an old .config file such as guevor's one. I don't know how useful that would be for anyone, especially as it doesn't have multitouch or FastMode, but it might provide some better screen writing code. I guess it could be a good experiment.
Hmm, it's interesting that it's not showing any interfaces or endpoints.
Are you using UsbMode-2.2.apk?
What does dmesg say when you plug it in?
Does a keyboard or something else work fine?
I think I've only got 2.1 on there actually - an old copy from when I was setting up my NST many years ago. I'll download 2.2 and get the dmesg log tonight. I don't have the USB stick or an OTG cable with me.
Do I need usbhostd as well, or is that only for the KitKat Nooks?
albrow said:
Do I need usbhostd as well, or is that only for the KitKat Nooks?
No, that's only for Glow2/3/4
I couldn't get UsbMode 2.2 to install on the NST or the NG1, but 2.1 runs fine on both. I've tried my Microsoft Ergonomic Keyboard on the NG1. It's showing in UsbMode, but dmesg comes up with this:
Code:
<6>[ 283.243438] usb 1-1: new low speed USB device using musb_hdrc and address 7
<3>[ 283.445098] usb 1-1: device v045e p00db is not supported
<6>[ 283.452697] usb 1-1: configuration #1 chosen from 1 choice
For the Sandisk OTG memory stick I get the following (of course, this could just be the stick asking for too much current):
Code:
<6>[ 589.997344] usb 1-1: new high speed USB device using musb_hdrc and address 9
<3>[ 590.163635] usb 1-1: device v0bda p0109 is not supported
<6>[ 590.171295] usb 1-1: rejected 1 configuration due to insufficient available bus power
<4>[ 590.179595] usb 1-1: no configuration chosen from 1 choice
Here's an Apple Mighty Mouse:
Code:
<6>[ 666.583343] usb 1-1: new low speed USB device using musb_hdrc and address 10
<3>[ 666.771850] usb 1-1: device v05ac p0304 is not supported
<6>[ 666.779510] usb 1-1: configuration #1 chosen from 1 choice
And for a laugh I thought I'd plug my NST into the NG1:
Code:
<6>[ 1193.856811] usb 1-1: new high speed USB device using musb_hdrc and address 21
<3>[ 1194.021789] usb 1-1: device v2080 p0003 is not supported
<6>[ 1194.029296] usb 1-1: rejected 1 configuration due to insufficient available bus power
<4>[ 1194.037597] usb 1-1: no configuration chosen from 1 choice
I'm sure I've just not enabled something in the kernel, but right now I'm not sure what.
OK, here's an interesting thing.
I thought I'd try plugging in an unpowered USB 2.0 Hub, which was recognised:
Code:
<6>[ 1858.059326] usb 1-1: new high speed USB device using musb_hdrc and address 25
<6>[ 1858.222869] usb 1-1: configuration #1 chosen from 1 choice
<6>[ 1858.229644] hub 1-1:1.0: USB hub found
<6>[ 1858.233978] hub 1-1:1.0: 4 ports detected
And then I plugged in the USB stick into the hub... which also worked and created /dev/block/sda and sda1!
Code:
<6>[ 2031.161499] usb 1-1: reset high speed USB device using musb_hdrc and address 25
<6>[ 2031.968811] usb 1-1.3: new high speed USB device using musb_hdrc and address 26
<3>[ 2032.104217] usb 1-1.3: device v0bda p0109 is not supported
<6>[ 2032.111999] usb 1-1.3: configuration #1 chosen from 1 choice
<6>[ 2032.130249] scsi0 : SCSI emulation for USB Mass Storage devices
<7>[ 2032.139739] usb-storage: device found at 26
<7>[ 2032.144134] usb-storage: waiting for device to settle before scanning
<5>[ 2037.149627] scsi 0:0:0:0: Direct-Access Generic- SD/MMC 1.00 PQ: 0 ANSI: 0 CCS
<6>[ 2037.273895] usb 1-1.3: reset high speed USB device using musb_hdrc and address 26
Unfortunately the Apple Mighty Mouse did what it did before, although it showed as being plugged in to the hub.
Code:
<6>[ 79.115997] usb 1-1.2: new low speed USB device using musb_hdrc and address 3
<3>[ 79.238891] usb 1-1.2: device v05ac p0304 is not supported
<6>[ 79.246276] usb 1-1.2: configuration #1 chosen from 1 choice
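The dmesg excerpts in the two posts above mix two very different messages: "device vXXXX pXXXX is not supported" and "rejected 1 configuration due to insufficient available bus power". The first comes from the kernel's OTG targeted-peripheral-list check (otg_whitelist.h); unless CONFIG_USB_OTG_WHITELIST is set it only logs and lets enumeration continue, which is why "configuration #1 chosen" follows it for the keyboard, the mouse and the stick behind the hub. The second is the real failure: usb_choose_configuration found no configuration whose bMaxPower fits the current the port can supply. The triage script below is an added example, not code from this thread or from any Nook project; it parses the log lines quoted in the posts (embedded here as constructed sample input) and reports, per enumerated device, whether it was configured, rejected for power, or became a hub or mass-storage device, so the harmless whitelist line is not mistaken for the cause.

```python
import re
from dataclasses import dataclass

# Constructed sample: the dmesg lines quoted in the posts above, in order.
SAMPLE_DMESG = """\
<6>[  283.243438] usb 1-1: new low speed USB device using musb_hdrc and address 7
<3>[  283.445098] usb 1-1: device v045e p00db is not supported
<6>[  283.452697] usb 1-1: configuration #1 chosen from 1 choice
<6>[  589.997344] usb 1-1: new high speed USB device using musb_hdrc and address 9
<3>[  590.163635] usb 1-1: device v0bda p0109 is not supported
<6>[  590.171295] usb 1-1: rejected 1 configuration due to insufficient available bus power
<4>[  590.179595] usb 1-1: no configuration chosen from 1 choice
<6>[ 1858.059326] usb 1-1: new high speed USB device using musb_hdrc and address 25
<6>[ 1858.222869] usb 1-1: configuration #1 chosen from 1 choice
<6>[ 1858.229644] hub 1-1:1.0: USB hub found
<6>[ 1858.233978] hub 1-1:1.0: 4 ports detected
<6>[ 2031.161499] usb 1-1: reset high speed USB device using musb_hdrc and address 25
<6>[ 2031.968811] usb 1-1.3: new high speed USB device using musb_hdrc and address 26
<3>[ 2032.104217] usb 1-1.3: device v0bda p0109 is not supported
<6>[ 2032.111999] usb 1-1.3: configuration #1 chosen from 1 choice
<6>[ 2032.130249] scsi0 : SCSI emulation for USB Mass Storage devices
<7>[ 2032.139739] usb-storage: device found at 26
<6>[   79.115997] usb 1-1.2: new low speed USB device using musb_hdrc and address 3
<3>[   79.238891] usb 1-1.2: device v05ac p0304 is not supported
<6>[   79.246276] usb 1-1.2: configuration #1 chosen from 1 choice
""".splitlines()

# <level>[ timestamp] message  -- the printk prefix format seen in the posts
PREFIX   = re.compile(r"^<(?P<level>\d)>\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")
NEW_DEV  = re.compile(r"^usb (?P<path>[\d.-]+): new (?P<speed>low|full|high) speed USB device "
                      r"using \S+ and address (?P<addr>\d+)")
IDS      = re.compile(r"^usb (?P<path>[\d.-]+): device v(?P<vid>[0-9a-f]{4}) p(?P<pid>[0-9a-f]{4}) is not supported")
CHOSEN   = re.compile(r"^usb (?P<path>[\d.-]+): configuration #\d+ chosen")
REJECTED = re.compile(r"^usb (?P<path>[\d.-]+): rejected \d+ configuration due to insufficient available bus power")
HUB      = re.compile(r"^hub (?P<path>[\d.-]+):\d+\.\d+: (?P<ports>\d+) ports detected")
STORAGE  = re.compile(r"^usb-storage: device found at (?P<addr>\d+)")


@dataclass
class Enumeration:
    path: str                       # port path; "1-1.3" is port 3 of the hub on root port 1
    addr: int                       # bus address assigned by the host controller
    speed: str
    vid: str = ""
    pid: str = ""
    whitelist_warning: bool = False  # the OTG "is not supported" line: informational only
    configured: bool = False
    power_rejected: bool = False
    hub_ports: int = 0
    mass_storage: bool = False

    def verdict(self) -> str:
        if self.power_rejected:
            return "FAILED: configuration rejected for bus power (try a powered hub)"
        if self.configured:
            kind = "hub" if self.hub_ports else ("mass storage" if self.mass_storage else "configured")
            return f"OK: {kind}"
        return "INCOMPLETE: no configuration chosen"


def parse_dmesg(lines):
    """Group the messages by enumeration attempt and return them in log order."""
    devs, by_path, by_addr = [], {}, {}
    for raw in lines:
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if (n := NEW_DEV.match(msg)):
            e = Enumeration(n["path"], int(n["addr"]), n["speed"])
            devs.append(e)
            by_path[e.path] = e       # later lines for this port belong to this attempt
            by_addr[e.addr] = e       # usb-storage reports the address, not the path
        elif (n := IDS.match(msg)) and n["path"] in by_path:
            e = by_path[n["path"]]
            e.vid, e.pid, e.whitelist_warning = n["vid"], n["pid"], True
        elif (n := CHOSEN.match(msg)) and n["path"] in by_path:
            by_path[n["path"]].configured = True
        elif (n := REJECTED.match(msg)) and n["path"] in by_path:
            by_path[n["path"]].power_rejected = True
        elif (n := HUB.match(msg)) and n["path"] in by_path:
            by_path[n["path"]].hub_ports = int(n["ports"])
        elif (n := STORAGE.match(msg)) and int(n["addr"]) in by_addr:
            by_addr[int(n["addr"])].mass_storage = True
    return devs


def power_rejected(devs):
    """The attempts that actually failed, as (path, vid, pid)."""
    return [(e.path, e.vid, e.pid) for e in devs if e.power_rejected]


def report(devs):
    return [f"{e.path} addr {e.addr} v{e.vid or '????'} p{e.pid or '????'}: {e.verdict()}" for e in devs]


if __name__ == "__main__":
    for line in report(parse_dmesg(SAMPLE_DMESG)):
        print(line)
```

Run against the sample it lists five attempts: the keyboard and mouse configured fine despite the whitelist line, the stick on the bare OTG port failed on bus power, and the same stick (same v0bda p0109) behind the hub configured and was claimed by usb-storage. The same script can be fed `adb shell dmesg` output directly, since only the printk prefix and the usb/hub/usb-storage message formats are assumed.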
albrow said:
I couldn't get UsbMode 2.2 to install on the NST or the NG1.
Well, it looks like someone has to do some regression testing.
Edit: @albrow 2.2 works fine on my NST. I don't have a BNRV500.
If the logcat tells you something could you post it?
albrow said:
Code:
<6>[ 590.171295] usb 1-1: rejected 1 configuration due to insufficient available bus power
You should always test questionable USB OTG things using a powered hub.
After you get it working you can try flying solo.