Hardware root/JTAG pinout - Fire TV General
For those interested, Amazon FireTV JTAG pinout is very close to the standard 20-pin ARM JTAG. See atached image for the actual pinout. If anybody has an OpenOCD config file for QUalcomm Krait 300 (SnapDragon 600), please share. Rooting can be done by bypassing a couple of checks in the bootloader.
Huh. Question. Is it snapdragon 600 you want or S4 pro. I dug pretty deeply before I got the box to figure exactly what processor is in there. Amazon gives: snapdragon 8064, krait 300, 1.7 GHz with adreno 320. I couldn't actually find a direct match for those specs in Qualcomm info, but the only thing that matched those specifications was the S4 pro, the same thing in the Nexus 7. Not to derail what you started, just want to be sure you're seeking the correct thing.
from my N5
Edit: let me clarify a bit. Amazon says it's the 8064. I went to qualcomm's site and that wasn't listed anywhere. So through deductive reasoning: CPU speed and the adreno 320 match the S4 pro which is also in the N7 2013. I haven't actually looked what xda says it has, but that's how I came to the S4 pro.
DroidIt! said:
Huh. Question. Is it snapdragon 600 you want or S4 pro. I dug pretty deeply before I got the box to figure exactly what processor is in there. Amazon gives: snapdragon 8064, krait 300, 1.7 GHz with adreno 320. I couldn't actually find a direct match for those specs in Qualcomm info, but the only thing that matched those specifications was the S4 pro, the same thing in the Nexus 7. Not to derail what you started, just want to be sure you're seeking the correct thing.
from my N5
Edit: let me clarify a bit. Amazon says it's the 8064. I went to qualcomm's site and that wasn't listed anywhere. So through deductive reasoning: CPU speed and the adreno 320 match the S4 pro which is also in the N7 2013. I haven't actually looked what xda says it has, but that's how I came to the S4 pro.
Click to expand...
Click to collapse
Being curious, I did some reading. I'm pretty sure it's a S4 Pro as well. 600 uses LPDDR3, has higher clock speed 1.7 vs 1.9GHz, and has wireless AC.
http://forum.xda-developers.com/nexus-4/help/snapdragon-600-vs-snapdragon-s4-pro-t2157201
http://www.ifixit.com/Teardown/Amazon+Fire+TV+Teardown/23856
Luxferro said:
Being curious, I did some reading. I'm pretty sure it's a S4 Pro as well. 600 uses LPDDR3, has higher clock speed 1.7 vs 1.9GHz, and has wireless AC.
http://forum.xda-developers.com/nexus-4/help/snapdragon-600-vs-snapdragon-s4-pro-t2157201
http://www.ifixit.com/Teardown/Amazon+Fire+TV+Teardown/23856
Click to expand...
Click to collapse
Yeah they didn't match up to me. I see xda just says 1.7 ghz, etc and not the 600. I'm thinking S4 Pro too. Good to get a confirmation though. :good:
DroidIt! said:
Yeah they didn't match up to me. I see xda just says 1.7 ghz, etc and not the 600. I'm thinking S4 Pro too. Good to get a confirmation though. :good:
Click to expand...
Click to collapse
The 600 was mentioned in some specs on the web, but it may have been a guess.
Actual JTAG device IDs:
4BA00477 (dap)
2071E0E1(cpu) <- googling this one yields nothing
Luxferro said:
Being curious, I did some reading. I'm pretty sure it's a S4 Pro as well. 600 uses LPDDR3, has higher clock speed 1.7 vs 1.9GHz, and has wireless AC.
http://forum.xda-developers.com/nexus-4/help/snapdragon-600-vs-snapdragon-s4-pro-t2157201
http://www.ifixit.com/Teardown/Amazon+Fire+TV+Teardown/23856
Click to expand...
Click to collapse
the original apq8064 was dubbed the 'S4 Pro' (before the new naming scheme kicked in). Later variants (apq8064t, apq8064ab, etc) are dubbed 'snapdragon 600'. The newer variants have newer krait and newer revision of a320 (gpu), clock bumps, etc.. but basically tweaks of the original.
Determined said:
For those interested, Amazon FireTV JTAG pinout is very close to the standard 20-pin ARM JTAG. See atached image for the actual pinout. If anybody has an OpenOCD config file for QUalcomm Krait 300 (SnapDragon 600), please share. Rooting can be done by bypassing a couple of checks in the bootloader.
Click to expand...
Click to collapse
I've got a third FireTV hooked up to my riffbox now, but having issues. If I can get a successful read and write, I'll post a dump with a hacked bootloader to run unsigned images.
Issue I'm as is im not getting any response from RTCK. Fuses indicate that jtag was not disabled, and this isnt my strong point.
jcase said:
If I can get a successful read and write, I'll post a dump with a hacked bootloader to run unsigned images.
Click to expand...
Click to collapse
No need to pull that dump, it is provided in the OTA (emmc_appsboot.mbn). There is a procedure (located at 0x88F01144 in OTA 51.1.0.1) that checks unlock code, if you force it to return 1, you will be able to boot anything as well as run "oem unlock" and other restricted commands.
Determined said:
No need to pull that dump, it is provided in the OTA (emmc_appsboot.mbn). There is a procedure (located at 0x88F01144 in OTA 51.1.0.1) that checks unlock code, if you force it to return 1, you can boot anything as well as run "oem unlock" and other restricted commands.
Click to expand...
Click to collapse
Not what I was referring to, sorry for my bad wording.
I have already rooted and unlocked mine, but I an unable to release the root at this point (will shortly, waiting on Amazn not confirm a patch is done for the root exploit). I was trying to say I would release a riffbox flashable binary, with a bootloader hack allowing booting of custom images.
Booting unsigned recovery with modified res images:
I can't get a response over jtag, will put more effort into it this week.
emmc_appsboot.mbn itself can not be alternated, sbl3 validates it before continuing with boot.
jcase said:
emmc_appsboot.mbn itself can not be alternated, sbl3 validates it before continuing with boot.
Click to expand...
Click to collapse
Hah! If you step through it using a jtag and skip the checks it won't actually need any changes.
Determined said:
Hah! If you step through it using a jtag and skip the checks it won't actually need any changes.
Click to expand...
Click to collapse
Hah? Stepping through it is impractical for most uses. For the few of us that have one sitting on our desk? Sure ok, for those that have it in their entertainment center? Not practical at all.
If you are going to jtag it, might as well hack it proper once, and not worry about having to step through it each boot.
If you choose to jtag and step through it, have it return a value of being unlocked will result in androidboot.unlocked_kernel=true being passed to cmdline, and /sbin/adbd will not drop root when that exists. Would be a easy-ish root through jtag without actually flashing anything.
jcase said:
If you are going to jtag it, might as well hack it proper once, and not worry about having to step through it each boot.
Click to expand...
Click to collapse
That is your [much appreciated] thunder. I don't have time to generate public-friendly hacks anymore.
Determined said:
That is your [much appreciated] thunder. I don't have time to generate public-friendly hacks anymore.
Click to expand...
Click to collapse
Thunder is over, I'm done after I provide a few promised ones come Blackhat (including this one). Too much of time sink, and the public factor of the amusement has long gone.
If you have gtalk/hangouts give me a shout to the address in my signature.
There is also a serial debug port.
Are the pins known which is which?
{ParanoiA} said:
Are the pins known which is which?
Click to expand...
Click to collapse
I'll try and verify tomorrow
Sent from my HTC One_M8 using XDA Premium 4 mobile app
iNT0XiC8D said:
There is also a serial debug port.
Click to expand...
Click to collapse
Nothing to see there, just kernel messages:
Code:
Android Bootloader - UART_DM Initialized!!!
[0] welcome to lk: current version is lk_rel_3.0.1_02272014
[10] platform_init()
[10] target_init(): platform_id 109
[10] Its BUELLER. revision 3
[70] display_init(),target_id=7337.
[70] hdmi_msm_panel_init: default format=4
[2730] splash_screen_mmc :235, 67
[2750] Config HDMI PANEL.
[2750] Turn on HDMI PANEL.
[2760] EDID: no DTD or non-DTD data present
[2760] EDID: no DTD or non-DTD data present
[2760] hdmi_edid_get_audio_data: No adb found
[2770] hdmi_audio_playback: 48KHz not supported by TV
[2770] hdmi_msm_audio_acr_setup: video format 0 not supported
[2780] aboot_init: calling idme_initialize
[2780] Idme version is 2.0 and set related function to V2.0
[2790] IDME INFO: checking for new items to add (stored items:12 specified items:12)
[2790] serial num from idme: XXXXXXXXXXXXXXXXXX
[2800] Reboot -- restart_reason=427810811 (0x197fdffb)
[2800] aboot_init: IDME - device boot up info
[2810] idme items number:12
[2810] name: board_id, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2820] name: serial, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2830] name: mac_addr, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2830] name: bt_mac_addr, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2840] name: productid, size: 32, exportable: 1, permission: 292, data= 00000000000000000000000000000000
[2850] name: productid2, size: 32, exportable: 1, permission: 292, data= 00000000000000000000000000000000
[2860] name: bootmode, size: 4, exportable: 1, permission: 292, data= 1
[2860] name: postmode, size: 4, exportable: 1, permission: 292, data= 2
[2870] name: bootcount, size: 8, exportable: 1, permission: 292, data= 32
[2880] name: eth_mac_addr, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2890] bootcount = 33
[3080] aboot_init: Boot linux from MMC
[3090] boot_into_recovery=0 idme_bootmode=1 (NORMAL)
[3090] use_signed_kernel=1, is_unlocked=0, is_tampered=0.
[3100] Loading boot image (6344704): start
[3340] Loading boot image (6344704): done
[3340] Authenticating boot image (6344704): start
[3350] Attempting to enable ce3_src_clk before setting its rate.[3360] TZ channel swith returned 0
[5070] TZ channel swith returned 0
[5070] Authenticating boot image: done return value = 1
[5090] cmdline = 'androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 maxcpus=2'
[5100] Power on reason 1
[5100] Its bueller again 3.
[5100] cmdline_length=170, n=172, n1=45
[5110] IDME: idme atag init (export to kernel), atag_size=514
[5110] name: board_id, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5120] name: serial, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5130] name: mac_addr, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5140] name: bt_mac_addr, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5140] name: productid, size: 32, exportable: 1, permission: 292, data: 00000000000000000000000000000000
[5150] name: productid2, size: 32, exportable: 1, permission: 292, data: 00000000000000000000000000000000
[5160] name: bootmode, size: 4, exportable: 1, permission: 292, data: 1
[5170] name: postmode, size: 4, exportable: 1, permission: 292, data: 2
[5180] name: bootcount, size: 8, exportable: 1, permission: 292, data: 33
[5180] name: eth_mac_addr, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5190] The atag idme items number:11
booting linux @ 0x80208000, ramdisk @ 0x82200000 (368957)
No JTAG Debug
Connecting to JTAG with OpenOCD needs a few changes in the cortex_a.c source to enable support for Cortex-A15. If you actually make those changes and play with debug registers, you will discover that DBGEN and SPIDEN signals/fuses are disabled, so debug mode is not accessible.
I have not yet tried flashing.
Determined said:
Connecting to JTAG with OpenOCD needs a few changes in the cortex_a.c source to enable support for Cortex-A15. If you actually make those changes and play with debug registers, you will discover that DBGEN and SPIDEN signals/fuses are disabled, so debug mode is not accessible.
I have not yet tried flashing.
Click to expand...
Click to collapse
ohh, openocd? I'm listening..
I have a number of snapdragon devices that I'd love to use jtag with.. but no windows machine for the riffbox sw.. openocd would be awesome
I spent a bit trying today, I never could get a response from RTCK at all
Related
JTAG + PXA025 + flashing
Hello, I have bricked Typhoon MyGuide 5500 XL pocket. Even it is based on ASUS 620, according to the site:http://www.handhelds.org/moin/moin.cgi/MyPal620JTAG I wasn't able to flash it. Here is snapshot from jtag: jtag> detect IR length: 5 Chain length: 1 Device Id: 01101001001001100100000000010011 Manufacturer: Intel Part: PXA250 Stepping: PXA255A0 Filename: /usr/local/share/jtag/intel/pxa250/pxa250c0 jtag> print No. Manufacturer Part Stepping Instruction Register --------------------------------------------------------------------------------------------- 0 Intel PXA250 PXA255A0 BYPASS BR Active bus: *0: Intel PXA2x0 compatible bus driver via BSR (JTAG part No. 0) start: 0x00000000, length: 0x04000000, data width: 32 bit, (Static ChipSelect 0) start: 0x48000000, length: 0x04000000, data width: 32 bit, (Memory Mapped registers (Memory Ctl)) jtag> detectflash jedec_detect: mid 4, did ea00 Flash not found! In internet I found another guy who faced the same problem (mid 4, did ea00), so it might be that it is something Typhoon specific, because I checked/fixed five times my cable, trying to make it as short as possible, then changed all the possible LPT modes (SPP, EPP, etc), then tested it with XP/SP2+Cygwin and Linux (Fedora Core release 2 (Tettnang), kernel 2.6.5) separately. The same problems. The flash is not recognized. Can I pass some commands using jtag to the processor and in such way to manipulate with flash? What kind of commands? Where I could read about them? Can I change BOOT_SEL[0] value to 0, which is now 1? Will it help? Or do you know some more hints to make jtag to recognize my flash (M-SYS DiskOnChip G3)? Thank you
[TUT] About reinstalling hw69xx series,ROM and OS
all solve here : 1st need: MTTY steps 1: Bootloader 2: mtty 3: task 28 55aa (fully format device) 4: rtask 0 (reset radio) 5: Reflash device Above from wiki XDA dev's Important, do not try to start device after above, after radio reset, put device back to bootloader directly If above does not help you need to reflow or reball radio chip (tested and working if above does not work) And my result from MTTY: task 32 USB>password BOOTLOADER HTCSPass.< YHTCEUSB>info 8 DOCInfoTableinitHW+ Binary0 Size: 0x100000 FAT0 Size: 0x4000000 FAT1 Size: 0x3340000 All Size: 0x7440000 FAT0_ADDR=0x100000,FAT1_ADDR=0x4100000 USB>info 7 HTC Integrated Re-Flash Utility for bootloader Version:1.50a SABLE EVT version:G.39 MainBoardID = C Built at: Jun 12 2006 13:46:04 Copyright (c) 1998-2005 High Tech Computer Corporation Turbo Mode Frequency = 312 MHz Run Mode Frequency = 208 MHz Memory Frequency = 208 MHz SDRAM Frequency = 104 MHz USB>info 4 HTCS Lњ3ЖHTCE USB>task 28 DOCInfoTableinitHW+ Binary0 Size: 0x100000 FAT0 Size: 0x4000000 FAT1 Size: 0x3340000 All Size: 0x7440000 FAT0_ADDR=0x100000,FAT1_ADDR=0x4100000 USB>task 28 55aa Wait.. DOCInfoTableinitHW+ Binary0 Size: 0x100000 FAT0 Size: 0x4000000 FAT1 Size: 0x33C0000 All Size: 0x74C0000 FAT0_ADDR=0x100000,FAT1_ADDR=0x4100000 USB>set 14 0 HTCST ЪИТHTCEUSB>set 14 10 HTCSF kEШ(HTCEUSB>set 14 9 HTCSF kEШ(HTCEUSB> DONT PANYC after NO BOOT-> REFLASH CEOS.nbf (HW6915 ROM FOR G4-121UK) FROM HP Utility. Info for Pass1: HTCSPass1.CM€ЛHTCEUSB>password 0000000000000000 source: http://forum.xda-developers.com/showthread.php?t=471942 final steps If your Flash chip type is G4, you can use ENG V1.21UK rom to update, I have uploaded the rom to Yahoo.com mail box. I have changed my 6965 CHT ver to ENG ver successfully. You can login yahoo mail box by using [email protected] as id and 69656965 as password. Pls note not to delete the rom as others might need it too. Flsah method: 1. Sync your mobil with PC by ActiveSync4.5 or up 2. Double click the downloaded update rom programme. 3. Click upgrade button and wait for 8-10 minutes 4. Done. source http://forum.xda-developers.com/showthread.php?t=420041 please, don't chage anything. keep data safe for other people
has anyone tried the above instructions and succeeded ? I have a perfectly working 6915, but it's in Spanish and I would like to change the language to English. I'm afraid of bricking the phone or end up with the "No GSM" problem.
DO NOT USE that way.Surely, your phone will become a brick. That will change Product ID with invalid code and you will never restore SW for radio ROM .
Odroid u2 Won't boot to recovery
My Odroid won't boot to CWM recovery with CM10.1 installed on the emmc. I extracted the three files from here: http://cyanogenmod.org/rc/odroidu2-recovery.zip and placed them on the root of the emmc but every time I boot up I get this Code: U-Boot 2010.12-svn (Jan 28 2013 - 14:10:19) for Exynox4412 CPU: S5PC220 [Samsung SOC on SMP Platform Base on ARM CortexA9] APLL = 1000MHz, MPLL = 880MHz DRAM: 2047 MiB PMIC VERSION : 0x00, CHIP REV : 2 TrustZone Enabled BSP BL1 version: 20121128 Checking Boot Mode ... EMMC4.41 REVISION: 2.0 Manufacturer TOSHIBA [ 15028MB ] NAME: S5P_MSHC4 MMC Device 0: 15028 MB MMC Device 1: 0 MB MMC Device 2 not found *** Warning - using default environment ModeKey Check... run normal_boot Net: No ethernet found. Hit any key to stop autoboot: 0 NAME: S5P_MSHC4 NAME: S5P_MSHC4 >>> Load Boot Script from mmc 0:1 <<< NAME: S5P_MSHC4 Partition1: Start Address(0x520000), Size(0x181a000) reading boot.scr Warning : Reads a file that is smaller than the cluster size. 623 bytes read ## Executing script at 40008000 Wrong image format for "source" command Exynos4412 # how can i get past this?
deleted
Debricking my Rockchip Device
I would like to share my experience from the weekend to help others. At first let me explain the situation: I got my A5X Max+ 64GB eMMC preinstalled with Android 8.1 but I thought that the latest firmware available on the net can maybe make a positive difference to the shipped one. Seraching the web I found 3 different firmware version I thoght it would be good to give it a try. An A5X MAX+ Android 8.1 firmware An A5X MAX+ Android 7 firmware An A5X MAX Android 9 firmware (non "+" uses a dirfferent WiFi Chipset,....) Next Step folowing the firmware upgrade guides: 1. Trying to directly flash a new firmware via a SD card and SD_Firmware_Tool_v146_eng_AndroidPC failed 2. Trying to flash with a computer using RK_Batch_tool_v1_8_AndroidPC in combination with Rockchip_DriverAssitant_v4.4 is working Ok no difference to the preinstalled one so next step flashing a different firmware. The most interesting was the Android 9.0 firmware even when I know that it is for the non "+" version using a slightly different peripheral hardware. So I use the Batch tool again and start flashing. ==> Do not flash similar firmware on any device. The flash process abort after flashing only parts of the whole image. My Box is not starting anymore, and there is no video output when booting and it is not recognized by my computer anymore via USB My process to debrick my Device: My luck when starting into Recovery it is still recognized via USB Also there a dedicated test pins marked with TX, GND and RX so I connect a Serial to USB converter and check if I can find the problem. I could not find out what kind of baud rate the serial is using neither Start/Stop Bit configuration. A oscilloscope (Red Pitaya) helped a lot to see that the serial interface is working at a abnormal high baud rate: ~1350000 baud per second / 8N1 find here the current bootloop log: normal boot Code: Wed Oct 31 06:28:55 UTC 2018 aarch64) INF [0x0] TEE-CORE:init_primary_helper:338: Release version: 1.4 INF [0x0] TEE-CORE:init_teecore:83: teecore inits done INFO: BL31: Preparing for EL3 exit to normal world INFO: Entry point address = 0x200000 INFO: SPSR = 0x3c9 U-Boot 2017.09-02211-gd8ce1d0-dirty (Nov 27 2018 - 09:57:42 +0800) Model: Rockchip RK3328 EVB DRAM: 4 GiB Relocation Offset is: fcbda000 Using default environment [email protected]: 1, [email protected]: 0 Card did not respond to voltage select! mmc_init: -95, time 10 switch to partitions #0, OK mmc0(part 0) is current device boot mode: normal bad resource image magic: oint (current EL) DTB: rk-kernel.dtb bad resource image magic: oint (current EL) Can't find file:rk-kernel.dtb init_kernel_dtb dtb in resource read fail In: serial Out: serial Err: serial Model: Rockchip RK3328 EVB rockchip_set_serialno: could not find efuse device CLK: apll 400000000 Hz dpll 664000000 Hz cpll 1200000000 Hz gpll 491009999 Hz npll 600000000 Hz armclk 600000000 Hz aclk_bus 150000000 Hz hclk_bus 75000000 Hz pclk_bus 75000000 Hz aclk_peri 150000000 Hz hclk_peri 75000000 Hz pclk_peri 75000000 Hz Net: Net Initialization Skipped No ethernet found. Hit any key to stop autoboot: 0 ca head not found ANDROID: reboot reason: "(none)" get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1 read_is_device_unlocked() ops returned that device is UNLOCKED avb_slot_verify.c:637: ERROR: vbmeta: Error verifying vbmeta image: OK_NOT_SIGNE D get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1 DDR version 1.13 20180428 ID:0x805 N In DDR3 333MHz Bus Width=32 Col=11 Bank=8 Row=16 CS=1 Die Bus-Width=16 Size=4096MB ddrconfig:3 OUT Boot1 Release Time: Sep 7 2018 15:49:55, version: 2.49 ChipType = 0x11, 193 mmc2:cmd19,100 SdmmcInit=2 0 BootCapSize=2000 UserCapSize=59640MB FwPartOffset=2000 , 2000 SdmmcInit=0 NOT PRESENT StorageInit ok = 286281 Raw SecureMode = 0 SecureInit read PBA: 0x4 SecureInit read PBA: 0x404 SecureInit read PBA: 0x804 SecureInit read PBA: 0xc04 SecureInit read PBA: 0x1004 SecureInit ret = 0, SecureMode = 0 GPT part: 0, name: uboot, start:0x4000, size:0x2000 GPT part: 1, name: trust, start:0x6000, size:0x2000 GPT part: 2, name: misc, start:0x8000, size:0x2000 GPT part: 3, name: baseparameter, start:0xa000, size:0x800 GPT part: 4, name: resource, start:0xa800, size:0x8000 GPT part: 5, name: kernel, start:0x12800, size:0x10000 GPT part: 6, name: dtb, start:0x22800, size:0x2000 GPT part: 7, name: dtbo, start:0x24800, size:0x2000 GPT part: 8, name: logo, start:0x26800, size:0x8000 GPT part: 9, name: vbmeta, start:0x2e800, size:0x800 GPT part: 10, name: boot, start:0x2f000, size:0x10000 GPT part: 11, name: recovery, start:0x3f000, size:0x20000 GPT part: 12, name: backup, start:0x5f000, size:0x8000 GPT part: 13, name: cache, start:0x67000, size:0x80000 GPT part: 14, name: system, start:0xe7000, size:0x400000 GPT part: 15, name: metadata, start:0x4e7000, size:0x8000 GPT part: 16, name: vendor, start:0x4ef000, size:0x60000 GPT part: 17, name: oem, start:0x54f000, size:0x20000 GPT part: 18, name: frp, start:0x56f000, size:0x400 GPT part: 19, name: security, start:0x56f400, size:0x1000 GPT part: 20, name: userdata, start:0x570400, size:0x6f0bbdf find partition:uboot OK. first_lba:0x4000. find partition:trust OK. first_lba:0x6000. LoadTrust Addr:0x6000 No find bl30.bin HashBits:256, HashData: 6cf28742 2df532aa 1ea29e7b 85e4e128 9675b550 859f84c1 c47158c4 9373e8ea CalcHash: 2a0cacfb 655bd8b6 09989b08 c0ff4464 9d525d13 47eb7212 89197119 20d1a938 bl31.bin_0:CheckImage Fail! LoadTrust Addr:0x6400 LoadTrust Addr:0x6800 LoadTrust Addr:0x6c00 LoadTrust Addr:0x7000 No find bl30.bin Load uboot, ReadLba = 4000 hdr 000000000337a380 + 0x0:0x50,0x41,0x52,0x4d,0x66,0x03,0x00,0x00,0x46,0x49,0x52,0x4d,0x57,0x41,0x52,0x45, Load OK, addr=0x200000, size=0xeb934 RunBL31 0x10000 NOTICE: BL31: v1.3(debug):9d3f591 NOTICE: BL31: Built : 14:39:02, Jan 17 2018 NOTICE: BL31:Rockchip release version: v1.3 INFO: ARM GICv2 driver initialized INFO: Using opteed sec cpu_context! INFO: boot cpu mask: 1 INFO: plat_rockchip_pmu_init: pd status 0xe INFO: BL31: Initializing runtime services INFO: BL31: Initializing BL32 ERR [0x0] TEE-CORE:atags_get_tag:146: atags_get_tag: find unknown magic(d7f5f65b) INF [0x0] TEE-CORE:init_primary_helper:337: Initializing (1.1.0-187-g3f0aafa6 #9 Wed Oct 31 06:28:55 UTC 2018 aarch64) pressing and holding reset (without connecting to USB) Code: Wed Oct 31 06:28:55 UTC 2018 aarch64) INF [0x0] TEE-CORE:init_primary_helper:338: Release version: 1.4 INF [0x0] TEE-CORE:init_teecore:83: teecore inits done INFO: BL31: Preparing for EL3 exit to normal world INFO: Entry point address = 0x200000 INFO: SPSR = 0x3c9 U-Boot 2017.09-02211-gd8ce1d0-dirty (Nov 27 2018 - 09:57:42 +0800) Model: Rockchip RK3328 EVB DRAM: 4 GiB Relocation Offset is: fcbda000 Using default environment [email protected]: 1, [email protected]: 0 Card did not respond to voltage select! mmc_init: -95, time 10 switch to partitions #0, OK mmc0(part 0) is current device boot mode: normal bad resource image magic: oint (current EL) DTB: rk-kernel.dtb bad resource image magic: oint (current EL) Can't find file:rk-kernel.dtb init_kernel_dtb dtb in resource read fail In: serial Out: serial Err: serial Model: Rockchip RK3328 EVB rockchip_set_serialno: could not find efuse device CLK: apll 400000000 Hz dpll 664000000 Hz cpll 1200000000 Hz gpll 491009999 Hz npll 600000000 Hz armclk 600000000 Hz aclk_bus 150000000 Hz hclk_bus 75000000 Hz pclk_bus 75000000 Hz aclk_peri 150000000 Hz hclk_peri 75000000 Hz pclk_peri 75000000 Hz Net: Net Initialization Skipped No ethernet found. Hit any key to stop autoboot: 0 ca head not found ANDROID: reboot reason: "(none)" get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1 read_is_device_unlocked() ops returned that device is UNLOCKED avb_slot_verify.c:637: ERROR: vbmeta: Error verifying vbmeta image: OK_NOT_SIGNE D get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1 DDR version 1.13 20180428 ID:0x805 N In DDR3 333MHz Bus Width=32 Col=11 Bank=8 Row=16 CS=1 Die Bus-Width=16 Size=4096MB ddrconfig:3 OUT Boot1 Release Time: Sep 7 2018 15:49:55, version: 2.49 ChipType = 0x11, 193 mmc2:cmd19,100 SdmmcInit=2 0 BootCapSize=2000 UserCapSize=59640MB FwPartOffset=2000 , 2000 SdmmcInit=0 NOT PRESENT StorageInit ok = 286281 Raw SecureMode = 0 SecureInit read PBA: 0x4 SecureInit read PBA: 0x404 SecureInit read PBA: 0x804 SecureInit read PBA: 0xc04 SecureInit read PBA: 0x1004 SecureInit ret = 0, SecureMode = 0 GPT part: 0, name: uboot, start:0x4000, size:0x2000 GPT part: 1, name: trust, start:0x6000, size:0x2000 GPT part: 2, name: misc, start:0x8000, size:0x2000 GPT part: 3, name: baseparameter, start:0xa000, size:0x800 GPT part: 4, name: resource, start:0xa800, size:0x8000 GPT part: 5, name: kernel, start:0x12800, size:0x10000 GPT part: 6, name: dtb, start:0x22800, size:0x2000 GPT part: 7, name: dtbo, start:0x24800, size:0x2000 GPT part: 8, name: logo, start:0x26800, size:0x8000 GPT part: 9, name: vbmeta, start:0x2e800, size:0x800 GPT part: 10, name: boot, start:0x2f000, size:0x10000 GPT part: 11, name: recovery, start:0x3f000, size:0x20000 GPT part: 12, name: backup, start:0x5f000, size:0x8000 GPT part: 13, name: cache, start:0x67000, size:0x80000 GPT part: 14, name: system, start:0xe7000, size:0x400000 GPT part: 15, name: metadata, start:0x4e7000, size:0x8000 GPT part: 16, name: vendor, start:0x4ef000, size:0x60000 GPT part: 17, name: oem, start:0x54f000, size:0x20000 GPT part: 18, name: frp, start:0x56f000, size:0x400 GPT part: 19, name: security, start:0x56f400, size:0x1000 GPT part: 20, name: userdata, start:0x570400, size:0x6f0bbdf find partition:uboot OK. first_lba:0x4000. find partition:trust OK. first_lba:0x6000. LoadTrust Addr:0x6000 No find bl30.bin HashBits:256, HashData: 6cf28742 2df532aa 1ea29e7b 85e4e128 9675b550 859f84c1 c47158c4 9373e8ea CalcHash: 2a0cacfb 655bd8b6 09989b08 c0ff4464 9d525d13 47eb7212 89197119 20d1a938 bl31.bin_0:CheckImage Fail! LoadTrust Addr:0x6400 LoadTrust Addr:0x6800 LoadTrust Addr:0x6c00 LoadTrust Addr:0x7000 No find bl30.bin Load uboot, ReadLba = 4000 hdr 000000000337a380 + 0x0:0x50,0x41,0x52,0x4d,0x66,0x03,0x00,0x00,0x46,0x49,0x52,0x4d,0x57,0x41,0x52,0x45, Load OK, addr=0x200000, size=0xeb934 RunBL31 0x10000 NOTICE: BL31: v1.3(debug):9d3f591 NOTICE: BL31: Built : 14:39:02, Jan 17 2018 NOTICE: BL31:Rockchip release version: v1.3 INFO: ARM GICv2 driver initialized INFO: Using opteed sec cpu_context! INFO: boot cpu mask: 1 INFO: plat_rockchip_pmu_init: pd status 0xe INFO: BL31: Initializing runtime services INFO: BL31: Initializing BL32 ERR [0x0] TEE-CORE:atags_get_tag:146: atags_get_tag: find unknown magic(d7f5f65b) INF [0x0] TEE-CORE:init_primary_helper:337: Initializing (1.1.0-187-g3f0aafa6 #9 Wed Oct 31 06:28:55 UTC 2018 aarch64) INF [0x0] TEE-CORE:init_primary_helper:338: Release version: 1.4 INF [0x0] TEE-CORE:init_teecore:83: teecore inits done INFO: BL31: Preparing for EL3 exit to normal world INFO: Entry point address = 0x200000 INFO: SPSR = 0x3c9 U-Boot 2017.09-02211-gd8ce1d0-dirty (Nov 27 2018 - 09:57:42 +0800) Model: Rockchip RK3328 EVB DRAM: 4 GiB Relocation Offset is: fcbda000 Using default environment [email protected]: 1, [email protected]: 0 Card did not respond to voltage select! mmc_init: -95, time 9 switch to partitions #0, OK mmc0(part 0) is current device boot mode: None bad resource image magic: oint (current EL) DTB: rk-kernel.dtb bad resource image magic: oint (current EL) Can't find file:rk-kernel.dtb init_kernel_dtb dtb in resource read fail In: serial Out: serial Err: serial Model: Rockchip RK3328 EVB rockchip_set_serialno: could not find efuse device CLK: apll 400000000 Hz dpll 664000000 Hz cpll 1200000000 Hz gpll 491009999 Hz npll 600000000 Hz armclk 600000000 Hz aclk_bus 150000000 Hz hclk_bus 75000000 Hz pclk_bus 75000000 Hz aclk_peri 150000000 Hz hclk_peri 75000000 Hz pclk_peri 75000000 Hz Net: Net Initialization Skipped No ethernet found. Hit any key to stop autoboot: 0 ca head not found ANDROID: reboot reason: "(none)" get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1 read_is_device_unlocked() ops returned that device is UNLOCKED avb_slot_verify.c:637: ERROR: vbmeta: Error verifying vbmeta image: OK_NOT_SIGNED get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1 Booting kernel at 0x207f800 with fdt at f4dcfca0... ## Booting Android Image at 0x0207f800 ... Kernel load addr 0x02080000 size 19005 KiB ## Flattened Device Tree blob at f4dcfca0 Booting using the fdt blob at 0xf4dcfca0 XIP Kernel Image ... OK Loading Device Tree to 00000000081fb000, end 00000000081ff0f8 ... OK Adding bank: 0x00200000 - 0x08400000 (size: 0x08200000) Adding bank: 0x0a200000 - 0xff000000 (size: 0xf4e00000) Starting kernel ... "Synchronous Abort" handler, esr 0x02000000 * Relocate offset = 00000000fcbda000 * ELR(PC) = ffffffff064c6000 * LR = 0000000000201f00 * SP = 00000000f4dcf2a0 * ESR_EL2 = 0000000002000000 EC[31:26] == 000000, Exception with an unknown reason IL[25] == 1, 32-bit instruction trapped * DAIF = 00000000000003c0 D[9] == 1, DBG masked A[8] == 1, ABORT masked I[7] == 1, IRQ masked F[6] == 1, FIQ masked * SPSR_EL2 = 00000000600003c9 D[9] == 1, DBG masked A[8] == 1, ABORT masked I[7] == 1, IRQ masked F[6] == 1, FIQ masked M[4] == 0, Exception taken from AArch64 M[3:0] == 1001, EL2h * SCTLR_EL2 = 0000000030c50830 I[12] == 0, Icache disabled C[2] == 0, Dcache disabled M[0] == 0, MMU disabled * HCR_EL2 = 0000000000000002 * VBAR_EL2 = 00000000fcdda800 * TTBR0_EL2 = 00000000feff0000 x0 : 00000000081fb000 x1 : 0000000000000000 x2 : 0000000000000000 x3 : 0000000000000000 x4 : 0000000002080000 x5 : 0000000000000001 x6 : 0000000000000008 x7 : 0000000000000000 x8 : 00000000f4dcf320 x9 : 0000000001008000 x10: 000000000a200023 x11: 0000000000000002 x12: 0000000000000002 x13: 00000000f4dcf36c x14: 00000000081fb000 x15: 00000000fcddb5a8 x16: 0000000000000002 x17: 00000000081ff0f9 x18: 00000000f4dd1da0 x19: 0000000000000400 x20: 00000000fcec52e0 x21: 0000000000000000 x22: 0000000000000003 x23: 00000000f4dcf630 x24: 0000000000000000 x25: 0000000002080000 x26: 00000000fcddbea4 x27: 0000000000000400 x28: 0000000002080000 x29: 00000000f4dcf480 SP: f4dcf2a0: 00000000 00000000 00000000 00000000 f4dcf2b0: 00000000 00000000 fcea3759 00000000 f4dcf2c0: 00000000 00000000 00000000 00000000 f4dcf2d0: fcea37a0 00000000 fcea37c6 00000000 f4dcf2e0: fcea3813 00000000 fcea3860 00000000 f4dcf2f0: fcea38a0 00000000 fcea38e0 00000000 f4dcf300: fcea391d 00000000 00000000 00000000 f4dcf310: 00000000 00000000 fcea395a 00000000 f4dcf320: f4dcf480 00000000 fcddaa0c 00000000 f4dcf330: 00000400 00000000 fce9d415 00000000 f4dcf340: feff0000 00000000 00000002 00000000 f4dcf350: 30c50830 00000000 f4dcf2a0 00000000 f4dcf360: 600003c9 00000000 fcdda800 00000000 f4dcf370: 000003c0 00000000 02000000 00000000 f4dcf380: 030a0000 00000000 081fb000 00000000 f4dcf390: 00000000 00000000 00000000 00000000 Resetting CPU ... WARN: PSCI sysreset is disabled DDR version 1.13 20180428 ID:0x805 N In SRX DDR3 333MHz Bus Width=32 Col=11 Bank=8 Row=16 CS=1 Die Bus-Width=16 Size=4096MB ddrconfig:3 OUT Boot1 Release Time: Sep 7 2018 15:49:55, version: 2.49 ChipType = 0x11, 261 mmc2:cmd19,100 SdmmcInit=2 0 BootCapSize=2000 UserCapSize=59640MB FwPartOffset=2000 , 2000 SdmmcInit=0 NOT PRESENT StorageInit ok = 285008 Raw SecureMode = 0 SecureInit read PBA: 0x4 SecureInit read PBA: 0x404 SecureInit read PBA: 0x804 SecureInit read PBA: 0xc04 SecureInit read PBA: 0x1004 SecureInit ret = 0, SecureMode = 0 GPT part: 0, name: uboot, start:0x4000, size:0x2000 GPT part: 1, name: trust, start:0x6000, size:0x2000 GPT part: 2, name: misc, start:0x8000, size:0x2000 GPT part: 3, name: baseparameter, start:0xa000, size:0x800 GPT part: 4, name: resource, start:0xa800, size:0x8000 GPT part: 5, name: kernel, start:0x12800, size:0x10000 GPT part: 6, name: dtb, start:0x22800, size:0x2000 GPT part: 7, name: dtbo, start:0x24800, size:0x2000 GPT part: 8, name: logo, start:0x26800, size:0x8000 GPT part: 9, name: vbmeta, start:0x2e800, size:0x800 GPT part: 10, name: boot, start:0x2f000, size:0x10000 GPT part: 11, name: recovery, start:0x3f000, size:0x20000 GPT part: 12, name: backup, start:0x5f000, size:0x8000 GPT part: 13, name: cache, start:0x67000, size:0x80000 GPT part: 14, name: system, start:0xe7000, size:0x400000 GPT part: 15, name: metadata, start:0x4e7000, size:0x8000 GPT part: 16, name: vendor, start:0x4ef000, size:0x60000 GPT part: 17, name: oem, start:0x54f000, size:0x20000 GPT part: 18, name: frp, start:0x56f000, size:0x400 GPT part: 19, name: security, start:0x56f400, size:0x1000 GPT part: 20, name: userdata, start:0x570400, size:0x6f0bbdf find partition:uboot OK. first_lba:0x4000. find partition:trust OK. first_lba:0x6000. LoadTrust Addr:0x6000 No find bl30.bin HashBits:256, HashData: 6cf28742 2df532aa 1ea29e7b 85e4e128 9675b550 859f84c1 c47158c4 9373e8ea CalcHash: 2a0cacfb 655bd8b6 09989b08 c0ff4464 9d525d13 47eb7212 89197119 20d1a938 bl31.bin_0:CheckImage Fail! LoadTrust Addr:0x6400 LoadTrust Addr:0x6800 LoadTrust Addr:0x6c00 LoadTrust Addr:0x7000 No find bl30.bin Load uboot, ReadLba = 4000 hdr 000000000337a380 + 0x0:0x50,0x41,0x52,0x4d,0x66,0x03,0x00,0x00,0x46,0x49,0x52,0x4d,0x57,0x41,0x52,0x45, Load OK, addr=0x200000, size=0xeb934 RunBL31 0x10000 NOTICE: BL31: v1.3(debug):9d3f591 NOTICE: BL31: Built : 14:39:02, Jan 17 2018 NOTICE: BL31:Rockchip release version: v1.3 INFO: ARM GICv2 driver initialized INFO: Using opteed sec cpu_context! INFO: boot cpu mask: 1 INFO: plat_rockchip_pmu_init: pd status 0xe INFO: BL31: Initializing runtime services INFO: BL31: Initializing BL32 INF [0x0] TEE-CORE:init_primary_helper:337: Initializing (1.1.0-187-g3f0aafa6 #9 Wed Oct 31 06:28:55 UTC 2018 aarch64) When connecting USB for flashing the Log shows the detection and do not loop anymore, it is waiting for the process to be initiated by the computer I try to flash the Android 8.1 firmware without luck because the automatic checks stopped the process before starting So I tried to flash with Factory Tool 1.6 but also without success, it is checking also before starting the flash process Searching all over the web I found different versions of these tools and test newer ones but also without success. After a while I found a Tool called Rockchip Android Tool 2.1 for Rockchip based single board computers. This tool has much more options to check and flash a Rockchip board over USB. Most of the checks failed and I figured out that a normal flashing process will always reboot the board into Maskrom mode It seems that my device is not able to go into Maskrom Mode anymore because after starting the flash process it is reseting and booting normal (bootloop) instead of switching to Maskrom Mode. A bit of evaluation tells me that the Maskrom Mode can also be achieved by shorting the Flash CLK to ground during boot. (I know a similar process for my Fire HD8 Tablet) I checked if I can find the CLK line on the board but it seems that it is not accessably from the surface of the PCB. After minutes of reaserch I figured out that there are also newer version of the Android Tool available and I tested all I can find. Also Device drivers shall be updated due to a problem report of an Rockchip device singel board computer owner that has also some difficulties working with the tools. My luck I found RKDevTool 2.52 (The new name of the Android Tool), in this tool a few of the tests for Rockchip devices are working and I was able to flash Android 8.1 and enter the Maskrom Mode sucessfully. Now that my Device is back alive I will also post some logs and pictures of my device to help others when trying to debrick/reacticate from an unexpected state.
@sandman01 Try this
thanks for your post. I think I was a bit to euphoric because my box is working again and I only want to share my experiance for others runnign in the same Situation. It was hard to get all the Information out of the web, from multiple places.
sandman01 said: thanks for your post. I think I was a bit to euphoric because my box is working again and I only want to share my experiance for others runnign in the same Situation. It was hard to get all the Information out of the web, from multiple places. Click to expand... Click to collapse Ok no probs
Can't find those files on Drive anymore, can you please share them? Can't find a place to download RKDevtool Thanks in advance
Xiaomi Mi Tv Stick: Boot loop
Morning all. I'm trying to debug and restore a Mi TV stick that is stuck in a boot loop. It happened after I switched it on, its video got stuck in xiaomi logo, and after power cycling it never worked again. The LED doesn't switch on and have no video signal on the hdmi, so I disassembled it and connected to its serial port pins and saw the following trace, in loop: Code: GXL:BL1:9ac50e:bb16dc;FEAT:BDFD71BC:0;POC:3;RCY:0;EMMC:0;READ:0;0.0;0.0;CHK:5E6;READ:0;0.0;0.0;CHK:0; TE: 444948 BL2 Built : 10:47:30, Jan 14 2019. gxl g152d217 - [email protected] set vcck to 1120 mv set vddee to 1000 mv Board ID = 7 CPU clk: 1200MHz DQS-corr enabled DDR scramble enabled DDR3 chl: Rank0+1 @ 912MHz - FAIL DDR3 chl: Rank0 @ 912MHz - FAIL DDR3 chl: Rank0 16bit @ 912MHz - FAIL DDR4 chl: Rank0+1 @ 912MHz - FAIL DDR4 chl: Rank0 @ 912MHz bist_test rank: 0 21 03 40 2b 12 44 1f 02 3d 32 1a 4a 20 00 40 2b 14 43 26 08 45 27 0d 41 660 - PASS Rank0: 1024MB(auto)-2T-18 AddrBus test pass! eMMC boot @ 1 sw8 s emmc switch 3 ok BL2: rpmb counter: 0x00000020 emmc switch 1 ok Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000, part: 1 aml log : R1024 check pass! New fip structure! Load bl30 from eMMC, src: 0x00010200, des: 0x01700000, size: 0x0000d600, part: 1 aml log : R1024 check pass! Load bl31 from eMMC, src: 0x00020200, des: 0x01700000, size: 0x0002b400, part: 1 aml log : R1024 check pass! aml log : SIG CHK : 231 for address 0x01700000 Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000, part: 2 emmc switch 2 ok I assume that perhaps when I power cycled it was updating and its emmc got corrupted? Is their a way of reflashing the firmware on these devices? I've seen this post here at XDA but wasn't able to enter in USB mode as described. I was able to find the 2 pins but after shorting them nothing happens. Any tips on how to recover this device? Thank you!
Did you try to change the charger and/or the cable?