I know there is a Proxuser's guide - "How to Port MIUI v4 for your device" and GREAT thread intended to eliminate porting quirks.
My goal is to collect all the experience we got in that thread, which could be helpful for new users porting newest releases of miui.
FAQ assumes questionaire, but my format will be more look like a guide but as collection, it could be treated as FAQ.
Structure will be Stage-divided to ease of use.
Stage 1. Initial port
Let's start with first moment - bases choice.
Under base I will mean rom which could be used to port miui and also miui release you choose.
Let's assume - just "Base" will mean rom for your device with ICS/JellyBean, such as Cyanogen Mod or AOKP or AOSP and their variations(I don't know if it is possible to use stock rom for porting and wouldn't recommend it), when "MIUI base" means any miui rom you prefer (my preference and advice - MIUIandroid crespo [nexus S] or MIUIandroid maguro (Galaxy Nexus) release). You could use any miui base but results will be unpredictable and may very vary from guide stands, for those cases I prepared common debugging stage, which will help to eliminate bugs I haven't listed.
MIUI for nexus S and Galaxy Nexus are now upgraded to Jelly Bean. That actually means - you couldn't use their miui bases to port ICS roms(which still under support).
For those who stuck at ICS the situation is as follows:
If version number is not crucial, you might just stick at MIUI 2.8.10 http://weedy.ca/miuiandroid/ and use old kind Nexus S/Galaxy Nexus roms. In guide I will describe steps right for you with mark "ICS-only".
If for you version number is crucial - stop reading this guide and just use PatchROM (though rom will be based on Stock rom).
There is third variant, but it needs a device with nearly same specs:
you might just replace some files in miui-supported device rom with files from your stock rom. For now that case is only tested on xperia 2011 products (play,live with walkman,ray, mini, pro, mini pro etc) - arc s [lt18i] miui base and xperia 2012 (u,p, sola etc) - S miui base.
When base choosen, start to port:
Copy unpacked base rom (so set of folders) to any folder you prefer (let's name it "MIUI"), it usually contains:
system - folder on which we will work more often
data - may contain something necessary such as first boot scripts, config files etc.
META-INF - contains certificates and signature for signcheck, updater-script(we also will work on it) update-binary (updater-script command processor)
boot.img, kernel and ramdisk packed together, touch only if kernel should be changed to something more recent or if your preference is not similar with base rom maker's, but keep in mind that you have to place modules that provided with kernel to lib/modules [or in place where .ko files are]
Starting with system:
delete:
app
framework
media
fonts
then open miui archive and extract those folders to system. Don't close archive.
Open lib folder in system to add from the same archive:
content-types.properties [for themes]
liblbesec.so [for LBE Guard - MIUI superuser]
liblocSDK_2.2.so [for baidu location service, prevents network location provider FC]
JellyBean-only:
libjni_resource_drm.so [themes DRM, actually involves download online themes screen]
Open etc folder in system to add from the same archive:
yellowpage.db [Phone calls ability]
ICS-only
telocation.td (as for nexus S and telocation.db in others) [location provider dependency]
JellyBean-only:
telocation.idf (possible new telocation.db)
go to permissions folder in etc to add:
com.nxp.mifare.xml [NFC]
miui-framework.xml [activates miui framework, near all apps won't work without that]
com.google.android.media.effects.xml [gallery]
com.google.widevine.software.drm.xml [something also related to google may affect play market]
com.google.android.maps.xml [gmaps]
Open xbin folder in system to add from the same archive:
su [replace, don't even use base one!]
invoke-as [binary with near busybox and toolbox functionality, need everywhere in system, mostly in themes and SU]
that's all about additional files. Devices which don't have NFC(Near Field Communication chip) also shouldn't have Nfc.apk in app folder!
Let's modify build.prop then, to add:
Code:
ro.build.id=MIUI
ro.build.display.id=MIUI
ro.build.version.incremental=2.x.x
ro.config.ringtone=MI.ogg
ro.config.notification_sound=FadeIn.ogg
ro.config.alarm_alert=GoodMorning.ogg
ro.config.sms_received_sound=FadeIn.ogg
ro.config.sms_delivered_sound=MessageComplete.ogg
ro.build.version.incremental points to MIUI you port, so specify it.
At your base you will most likely see these lines
Code:
ro.config.ringtone=
ro.config.notification_sound=
ro.config.alarm_alert=
ro.config.sms_received_sound=
ro.config.sms_delivered_sound=
are filled with ringtones that only base have, soo just change them as MIUI do have different ringtone set.
Initial port done, in system part, let's talk about Updater-script:
any release of miui you port should have that line:
Code:
set_perm(0, 0, 06755, "/system/xbin/invoke-as");
for example you have that bunch of code [which is mostly common for CM9 release]:
Code:
set_perm_recursive(0, 0, 0755, 0644, "/system");
set_perm_recursive(0, 2000, 0755, 0755, "/system/bin");
set_perm(0, 3003, 06755, "/system/bin/ip");
set_perm(0, 3003, 02750, "/system/bin/netcfg");
set_perm(0, 3004, 02755, "/system/bin/ping");
set_perm(0, 2000, 06750, "/system/bin/run-as");
set_perm_recursive(1002, 1002, 0755, 0440, "/system/etc/bluetooth");
set_perm(0, 0, 0755, "/system/etc/bluetooth");
set_perm(1000, 1000, 0640, "/system/etc/bluetooth/auto_pairing.conf");
set_perm(3002, 3002, 0444, "/system/etc/bluetooth/blacklist.conf");
set_perm(1002, 1002, 0440, "/system/etc/dbus.conf");
set_perm(1014, 2000, 0550, "/system/etc/dhcpcd/dhcpcd-run-hooks");
set_perm(0, 2000, 0550, "/system/etc/init.goldfish.sh");
set_perm_recursive(0, 0, 0755, 0555, "/system/etc/ppp");
set_perm_recursive(0, 2000, 0755, 0644, "/system/vendor");
set_perm_recursive(0, 2000, 0755, 0755, "/system/xbin");
set_perm(0, 0, 06755, "/system/xbin/librank");
set_perm(0, 0, 06755, "/system/xbin/procmem");
set_perm(0, 0, 06755, "/system/xbin/procrank");
set_perm(0, 0, 06755, "/system/xbin/su");
set_perm(0, 0, 06755, "/system/xbin/tcpdump");
set_perm_recursive(0, 0, 0755, 0644, "/system/vendor/firmware");
set_perm(0, 2000, 0755, "/system/vendor/firmware");
set_perm_recursive(0, 0, 0755, 0555, "/system/etc/init.d");
So line I pointed should be somewhere there, for example:
Code:
set_perm(0, 0, 06755, "/system/xbin/librank");
set_perm(0, 0, 06755, "/system/xbin/procmem");
set_perm(0, 0, 06755, "/system/xbin/procrank");
set_perm(0, 0, 06755, "/system/xbin/su");
[B][SIZE="4"]set_perm(0, 0, 06755, "/system/xbin/invoke-as");[/SIZE][/B]
set_perm(0, 0, 06755, "/system/xbin/tcpdump");
IF you have problems with SU, that line may help:
Code:
symlink("/system/xbin/su", "/system/bin/su");
paste it somewhere after
Code:
symlink("busybox"[B][COLOR="YellowGreen"][later big code bunch like "/system/xbin/[" etc][/COLOR][/B]
but before
Code:
unmount("/system");
Your own MIUI is now ready to be flashed, but only, if your device is SOOO near on hardware part with MIUI base
For those who didn't met that rule I prepared next parts - framework mods and common debugging and troubleshooting. See next 2 posts.
Stage 2
Recently I had an Acer Liquid MT[now bricked], which is Qualcomm S2 device(msm7x30) and my guide defines also assume you have device with Qualcomm inside. But some of guide moments[first stage is not exception] are common for most devices with other chips.
I also used Cyanogen Mod 9 as base, so some of these defines wouldn't be applicable to your porting using AOSP base.
That was on ICS, and I will count that in while describing for those who don't care about miui version and porting something before MIUI 2.8.10.
Now I have MIUI-supported Xperia Arc S. But its MIUI is based on stock rom (such a shame). So as FXP provides us CM 10, I started to port over it to bring latest and greatest of MIUI jellybean on that device. So again Qualcomm, but with stock ICS, which means lesser quirks on porting. I again will assume you are on Qualcomm but I have to say that all defines of this stage are nomore device-specific.
Returning to guide:
Stage 2. Framework mods to make it boot
Rom not booting? - that is most likely a framework issue, that is remained from Nexus S/Galaxy Nexus. But don't run to base to grab all framework and paste it to base, else you will have a base rom instead of miui
My suggestion is port.
For those who are new in apktool disassembling, I suggest to read something like that http://forum.xda-developers.com/showthread.php?t=1511730 or that http://forum.xda-developers.com/showthread.php?t=1752201 or google it to understand common principles of work.
For framework-res.apk mods we will use Connor-apktool and scripts for ease of use: http://code.google.com/p/android-apktool/downloads/list (choose only dependencies for your platform, don't replace AAPT from them). Always choose latest one!
Let's assume again:
disassemble something - usually means issuing
Code:
apktool d [[COLOR="YellowGreen"]full name of apk or jar[/COLOR]]
command on file I specify if more info not specified
assemble something - usually means issuing
Code:
apktool b [[COLOR="YellowGreen"]disassembled apk or jar folder without .apk in name or with ".out" at the end for jars[/COLOR] ]
command on file I specify
better way to assemble is drag assembled classes.dex(or resources.arsc and xmls at rest folders in case of assembling framework-res.apk) from [file you modified]/build/apk to original file, opened as archive (in windows you also have to check out a compression rate to make it the same as there were before dragging, which prompts to you as compression method like "Normal" and "Store")
smali - piece of code on dalvik bytecode language, are part of nearly any disassembled file
smali tree/just "tree"/"*.smali" - usually means set of files with the same name in the beginning but with different end(usually with $ before), for example
Code:
RIL*.smali means:
[LIST]
[*]RIL.smali
[*]RIL$1.smali
[*]RIL$RILReceiver.smali
[*]RIL$RILSender.smali
[/LIST]
Let's start with framework mods:
All frameworks are located at system/framework.
framework.jar
Mostly issues are produced there.
Disassemble framework.jar from MIUI port you are working so you will see framework.jar.out. Go to smali folder in it. Later all actions we will produce from there (except assembling).
First replace some files from your base framework.jar (fist disassemble base rom's framework.jar and move all files I will specify, replace if asked).
Listing all smali I had to replace in framework.jar:
ICS-only:
Code:
[B]android/os/Power.smali[/B]
org/codeaurora/Performance.smali
[B]android/media/MediaRecorder*.smali[/B]
android/graphics/Paint.smali
android/os/Environment.smali
android/view/HardwareCanvas.smali
[B]android/net/wifi/WifiNative.smali[/B]
Common:
Code:
android/view/Gles20*.smali (not only canvas but all with gles20 at the beginning)
[B]android/hardware/Camera*.smali[/B]
[B]android/server/BluetoothA2dpService*.smali[/B]
[B]android/content/res/PackageRedirectionMap*.smali[/B]
[B]com/android/internal/telephony/RIL*.smali[/B]
JellyBean Only:
Code:
[B]android/bluetooth/HeadsetBase*.smali[/B]
[B]com/android/internal/app/ActivityTrigger.smali[/B]
[B]android/webkit/HTML5*.smali[/B]
[B]android/webkit/SelectActionModeCallback[/B]
I highlighted those could be common for all chips, not only for Qualcomm ones.
But some of smalis are not following common rules.
The weirdest exception of that - WebviewCore. If you replace only WebViewCore tree, Gmail, Facebook, Browser, HTML viewer and all that is using this class WON'T WORK. What was my solution is to replace Webview*.smali tree, so I met all dependencies that class may work with.
ICS-only:
That class, and Sound Recorder are in need of one property from SystemProperties.smali, which is located at android/os/.
But don't run to base to take it and replace immediately as you read It have to be patched
end of ICS-only
I highlighted it as ICS-only as you will just replace it on JellyBean - it's now hard to patch, but easy to replace.
>>Common Remark about patching smalis
Patching (usually named diffing, diff, that means "find differences and eliminate them") in our context is a process of comparing two files and adding contents of one of them to another and not replacing anything. Our diff process will consist of base->miui content addition so smali we modify could live in dual life - for your base and for MIUI remained framework. For start of diff you should have both base and miui files you want to modify, and a diff tool (in windows - beyond compare,total commander, winmerge or notepad++), my preference - Meld diff viewer[really simple and visual-oriented], the only thing - it's running on linux environment and I don't know if there is a windows version. Then just open files in tool and start adding. Sometimes you have to add all entries are not present in miui one from base, sometimes you should be smart enough to mod only part which needed and nothing more and also sometimes to replace pieces of code which are actually safe to do so. That's a whole process.
>>
Example - our SystemProperties.smali:
Actually after opening you see it is full of differences from base:
http://minus.com/mbmfprmG4K/
you see those green blocks? Each of them signs a missing part of code you should add, in Meld it's just about of clicking little arrow that represents that block. As for windows tools, they should have something like "add all" and many other things could do it in a batch way.
A little piece of smartness:
that file is the only one I discovered which allow replacing .line with big code pieces, see that:
http://minus.com/mdnAholnL/
do you see ".line 126" and HUGE code block against it? you may forget about ".line 126" and copy block against it with no doubt. Note that line numbers etc could change, always check before doing something.
That line also became a dealbreaker on JellyBean, that's why we decided it would be better to just replace it. Ecample will give you a clue just about common patch process.
>>
Another file has to be modified in same way - AssetManager.smali, which is located at android/content/res.
Beware of replacing anything on it[only add, as stand before], if something went wrong, it might produce awful logcat nobody could understand so you have to re-port rom again to catch a causer.
Another interesting patch you should perform if you have different than RIL telephony class.
To determine which ril class you have, seek for following line in your build.prop:
Code:
ro.telephony.ril_class=
If you don't have such, mostly it means you are using RIL class and don't need a patch.
in my case it was:
Code:
ro.telephony.ril_class=LGEQualcommRIL
so I'll describe a process for it, pointing what is common.
All ril classes located at com/android/internal/telephony, so go to it.
LGEqualcommRIL have a single smali, so copy only that one[if your class also have another smali with the same name, for example LGEStarRIL$1.smali, copy them too], Also, unlike most classes in CM, LGEQualcommRIL have a dependency - QualcommSharedRIL, which tree you should also move to that folder near LGE one.
Classes that are also have that dependency:
LGEQualcommUiccRIL
HTCQualcommRIL
SamsungQualcommUiccRIL
Others are dervied from RIL and don't have any dependencies like that. As CM involves more and more devices, to determine what dependencies you actually need, ask source code:
Code:
public class LGEQualcommRIL extends QualcommSharedRIL implements CommandsInterface
extends means your dependency you have to also add to MIUI, if it is "RIL", go ahead and continue porting.
To make your class work instead of RIL, you should modify MIUI' PhoneFactory.smali located at the same folder in following way:
Code:
.line 136
new-instance v8, Lcom/android/internal/telephony/RIL;
invoke-direct {v8, p0, v4, v0}, Lcom/android/internal/telephony/RIL;-><init>(Landroid/content/Context;II)V
->
Code:
.line 136
new-instance v8, Lcom/android/internal/telephony/[B]LGEQualcomm[/B]RIL;
invoke-direct {v8, p0, v4, v0}, Lcom/android/internal/telephony/[B]LGEQualcomm[/B]RIL;-><init>(Landroid/content/Context;II)V
it changes a constructor of RIL class to LGEQualcommRIL class. If my lines incorrect, just type RIL in search in Phonefactory, it will show you exactly 2 defines with "RIL" involved.
Another case for patching is android/media/AudioFormat.smali.
Copy all missing lines from base to miui, it would be enough. I have decide to not replacing it coz of constructor that is differ and might one day turn into bomb.
The most complicated smali case, WebSettingsClassic. It do contains lines that should be added, also lines that should be slightly modified.
Let's try to make the process bit easier with these steps:
first of all, find those fields:
Code:
.field private mMediaPreloadEnabled
.field private mWebGLEnabled:Z
they are at the beginning of file, marked as green blocks. Attention: then there is a listing that asks you about default value, like that:
Code:
.line 91
iput-boolean v2, p0, Landroid/webkit/WebSettingsClassic;->mMediaPreloadEnabled:Z
DON'T EVEN TOUCH THEM! Even if you know what are you doing - it will fail on boot if you placed that lines in miui file.
interesting place here.. when you will search for webgl from the beginning, you will hit such block, marked as blue (incompatible):
Code:
goto/16 :goto_1
.end method
.method private native nativeIsWebGLAvailable()Z
.end method
while miui file will show just that:
Code:
goto :goto_1
and ".end method" after. "You f***n kiddng?" - will you ask.. yeah, pure cheat. Let's fix it up:
paste only:
Code:
.end method
.method private native nativeIsWebGLAvailable()Z
before ".end_method" but after "goto :goto_1", so that full block will be instantly turned to whie:
Code:
goto :goto_1
.end method
.method private native nativeIsWebGLAvailable()Z
.end method
except "goto", which will show as differ, but who cares?
After searching "webgl" on base file you will possibly see a code block starting with:
Code:
.method public declared-synchronized isWebGLAvailable()Z
add it without any thought. You should do the same with following methods:
Code:
.method public declared-synchronized setMediaPreloadEnabled(Z)V
.method public declared-synchronized setWebGLEnabled(Z)V
btw, those methods are so-called "setters" - methods in class that intended to adjust value to class field.
DON'T ADD ANYTHING ELSE, IT WILL POSSIBLY BREAK BOOTING AGAIN! You've been warned.
Framework.jar port done!
the only thing to do - assemble it.
services.jar
Unlike framework.jar, there are lesser things to do. But they are also significant for porting process.
ICS-only:
InputManager*.smali - the only thing should be replaced [and located in com/android/server/wm/].
On JellyBean it is located at com/android/server/Input ands also have to be replaced.
You may also replace usb folder, but actually those who have MTP(devices with kernel 3.0 or so, that are having new "USB gadget framework" drivers, consult with development branch for details) are in no need to do so, as for others (as of mine instance on MT development) you have to replace it. In stage 4 I will present my ways to make usb subsystem work on miui.
Also, there is a new smali on Jellybean: watchdog*.smali. Just replace whole tree of this in com/android/server/.
As for diff files, there is one: PowerManagerService.smali(may I shorten its name to PMS?)
there is no matter to diff it like others as it have too much dependencies to resolve and may cause your system crash.
ICS-only:
So, it only asks about nativeStartSurfaceFlingerOffAnimation method. but hey, PMS do have such method, but its name is nativeStartSurfaceFlingerAnimation, so without "Off"; my solution is to add "Off" to it, see that stack:
http://minus.com/lY4DiQfJ451Aq
that's where you should find you first entry (there are 2)
second entry showed there:
http://minus.com/lchMVcHtKe46T
after editing , you should see a huge block to add:
http://minus.com/lbmNygeJBs9klv
add it, and that smali is ported.
end of ICS-only
On jellybean porting it more trivial:
nativeCPUBoost is missing. You will have some defines in base file. Use search by keyword "cpuboost" in base file to determine where they are and just add them to miui one.
defines will be:
Code:
.method private static native nativeCpuBoost(I)V
-method definition.
Code:
.method public cpuBoost(I)V
-method code block.
and nothing extra.
Assemble new services.jar.out to services.jar when complete.
Done those but still not boots or boots but functions improperly? see next Stages- 3 and 4, I will enlighten all moments of debugging what's wrong and also additional tweaks for specific devices that faced problems with porting [It's just impossible to do that for each device, so there is a great thread you could always ask what's wrong if my advices didn't help].
Stage 3
Third part mostly touches cases where tuto above didn't resolved boot problems, also cases where there is no confidence 2nd stage will work/cases when people are trying to investigate themselves but mostly not xperienced in such(the most respectable case). To understand what's going on with your build it would be better to be CM/AOSP/AOKP dev, so you will most likely know where to find an answer. But if it is not about you, let me point on some moments could help.
Stage 3. Understanding logs and debugging
Yes, exactly understanding. Most likely people are going to forum and just posting logcat (that might contain common error). My goal is show you - logcat is not shuch thing you should fear to investigate!
First of all, let's assume something:
adb - powerful tool, in our case the must have thing to make a log. Article on android devs most likely describes all the moments about adb power: http://developer.android.com/tools/help/adb.html
logcat/log - one of the android advantages that allows you to debug what's going on with your system. by "make log" I will assume issuing
Code:
adb logcat >log.txt
command, last argument - log.txt is a text file with log system provided to you (you could use any name).
sometimes we need an answer about things that are going on with baseband (so-called radio). In those cases I usually asking to take radiolog. That's how it could be produced:
Code:
adb logcat -b radio >log.txt
reading it might be a pain, as terms of it are too much hardware-specific, but it anyway complies with principles I will put below.
debug/debugging - process of analyzing code which helps to eliminate bugs (that's why de-bug)
Some people experiencing problems with log, most common are:
-wrong MIUI base which prevents usb subsytem to start (nexus S base most likely allows you to use log)
-no/corrupted/wrong usb drivers on PC
-Windows :crying: most likely is about new usb subsystems etc, so advice is the only one - try on ubuntu (not working without udev rules)
-somewhat corrupted/inconsistent usb port
-lack of "persist.sys.usb.config= mass_storage,adb" in build.prop, specifically "adb" in this line.
Note: if your log only consists of:
Code:
link system/bin/sh failed: no such file or directory
or something like that, you should contact a CM dev, else, you are most likely know what happened ;]
Alright when we got a log, it consist of many many lines that are looping if your system not boots. That's why that kind of situation is sometimes called bootloop. System may repeat a error eternal time it lives, so log might be huge.
To parse what's going on there are some advice:
keywords:
search in log you got some keywords, that might be useful on debugging boot issue;
most common keywords are:
"E/" - error
"E/dalvikvm" - possibly crucial system error
"No such file or directory" - says it all
"couldn't" - android likes that, mostly shows faulty things.
"fail"/"failed" - mostly crucial error
"W/"/"warning" - says it all, but not always warn could be a boot failure cause
"exception"(especially NullPointerException) - points you that something went wrong in framework or application work
I/ tags could be also useful at debugging, but most helpful are errors and warnings.
Most common constructs:
"couldn't find native method", the most common reason of a bootloop.
For instance:
Code:
E/dalvikvm( 100): ERROR: couldn't find native method
E/dalvikvm( 100): Requested: Landroid/view/GLES20Canvas;.nStartTileRendering:(IIIII)V
E/JNIHelp ( 100): RegisterNatives failed for 'android/view/GLES20Canvas', aborting
Let's parse that construct to extract parts we will fix.
First of all. smali path might be extracted from that line:
Code:
E/JNIHelp ( 100): RegisterNatives failed for 'android/view/GLES20Canvas', aborting
->
Code:
android/view/GLES20Canvas
that's it, smali we are looking for is GLES20Canvas.smali. But.. android/view.. where it is? Answer comes from android source, it took some time to analyze frameworks.. Just let's assume: all that starting with "android" in path belongs to framework,jar.
What if path doesn't contain "android" at the beginning?
Again the answer is in source. Paths like"org/" are belong to framework.jar.
"com/android/server" - services.jar (there is the same folder at framework.jar but most likely you don't need to touch it).
another place we could be mixed up:
"com/android/internal" - framework.jar
"com/android/internal/policy/impl/" - android.policy.jar
for framework.jar path ends up on internal, which represents telephony folder. policy/impl is the only android.policy.jar folder.
Other frameworks are actually not used in port as they contain core android functionality which is common.
Note about smali you found:
it might be not smali you are looking for, most likely when code points you to android functionality and widgets (control elements) like combobox or listview, it's a sign to think twice what have you done on your system to port it
it might be tree of smali(remember 2nd stage assumes?), to ease of use, always replace smali with its tree, and only if error becomes worse, think about single smali or about diff(2nd stage assumes again )
from
Code:
E/dalvikvm( 100): Requested: Landroid/view/GLES20Canvas;.nStartTileRendering:(IIIII)V
we could extract a method which is missing - nStartTileRendering. In some cases only that method should be added and nothing more.
" android.content.res.Resources$NotFoundException: Resource ID #XXX"
Example:
Code:
E/AndroidRuntime( 3047): *** FATAL EXCEPTION IN SYSTEM PROCESS: WindowManagerPolicy
E/AndroidRuntime( 3047): android.content.res.Resources$NotFoundException: Resource ID #0x3060008
E/AndroidRuntime( 3047): at android.content.res.Resources.getValue(Resources.j ava:1022)
E/AndroidRuntime( 3047): at android.content.res.MiuiResources.getValue(MiuiRes ources.java:56)
E/AndroidRuntime( 3047): at miui.util.ResourceMapper.resolveReference(Resource Mapper.java:9)
E/AndroidRuntime( 3047): at miui.util.HapticFeedbackUtil.updateSettings(Haptic FeedbackUtil.java:109)
E/AndroidRuntime( 3047): at miui.util.HapticFeedbackUtil$SettingsObserver.obse rve(HapticFeedbackUtil.java:92)
E/AndroidRuntime( 3047): at miui.util.HapticFeedbackUtil.<init>(HapticFeedback Util.java:75)
E/AndroidRuntime( 3047): at com.android.internal.policy.impl.MiuiPhoneWindowMa nager.init(MiuiPhoneWindowManager.java:108)
E/AndroidRuntime( 3047): at com.android.server.wm.WindowManagerService$PolicyT hread.run(WindowManagerService.java:733)
Wrong MIUI base, mostly. Appear when something changed by previous porter (miui) which affects resources you won't have, banal link error.
" Fatal signal 11 (SIGSEGV) at 0xdeadbaad (code=1)"
Hope all of you heared about C language. That error is a form of C "exceptional case"(in other words - exception).
You will see if it happen:
Code:
F/libc ( 2698): Fatal signal 11 (SIGSEGV) at 0xdeadbaad (code=1)
I/DEBUG ( 130): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 130): Build fingerprint: 'tmous/htc_doubleshot/doubleshot:4.0.3/IML
74K/275847.101:user/release-keys'
I/DEBUG ( 130): pid: 2698, tid: 2698 >>> zygote <<<
I/DEBUG ( 130): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaa
d
I/DEBUG ( 130): r0 deadbaad r1 00000001 r2 a0000000 r3 00000000
I/DEBUG ( 130): r4 00000000 r5 00000027 r6 4086fbfd r7 00000036
I/DEBUG ( 130): r8 40253f04 r9 40233a7e 10 0000904c fp 00009062
I/DEBUG ( 130): ip 4028b240 sp befcfa60 lr 401043c1 pc 40100adc cpsr 600
00030
I/DEBUG ( 130): d0 2f64696f72646e61 d1 2f746e65746e6f63
I/DEBUG ( 130): d2 657373412f736572 d3 726567616e614d74
I/DEBUG ( 130): d4 0000d4cc0000d4b1 d5 0000d4e80000d4cd
yaa.. ENORMOUS code block, build fingerprint, fatal signal and stack trace.. welcome to hell
One little thing: error is right above that block, don't even try to parse its contents, ignore it.
WE ALL DIE!!!111
yaa, series of "died" errors:
Code:
I/ServiceManager( 1478): service 'media.audio_flinger' died
I/ServiceManager( 1478): service 'media.player' died
I/ServiceManager( 1478): service 'media.camera' died
I/ServiceManager( 1478): service 'media.audio_policy' died
IGNORE them, it's a result of exception right above(no matter C exception or java one), it's better to see it instead of posting "WE ALL DIE!!!111"
"Unable to extract+optimize DEX from '/system/framework/framework.jar'" and other WTF cases
examples:
Code:
D/dalvikvm( 103): DexOpt: --- BEGIN 'framework.jar' (bootstrap=1) ---
E/dalvikvm( 172): Duplicate class definition: 'Landroid/media/MediaRecorder;'
E/dalvikvm( 172): Trouble with item 2900 @ offset 0x17a86c
E/dalvikvm( 172): Cross-item verify of section type 0006 failed
E/dalvikvm( 172): ERROR: Byte swap + verify failed
E/dalvikvm( 172): Optimization failed
W/dalvikvm( 103): DexOpt: --- END 'framework.jar' --- status=0xff00, process failed
E/dalvikvm( 103): Unable to extract+optimize DEX from '/system/framework/framework.jar'
D/dalvikvm( 103): Unable to process classpath element '/system/framework/framework.jar'
E/JNIHelp ( 103): Native registration unable to find class 'android/debug/JNITest', aborting
Code:
05-30 14:15:15.970: E/NetworkLocationRealOs(2304): no android ID; can't access encrypted cache
05-30 14:15:15.970: E/NetworkLocationRealOs(2304): java.io.IOException: no android ID; can't access encrypted cache
Code:
1012: 07-03 03:28:21.350: E/System(1538): ************ Failure starting core service
07-03 03:28:21.350: E/System(1538): java.lang.NullPointerException
07-03 03:28:21.350: E/System(1538): at com.android.server.pm.PackageManagerService.grantPermissionsLPw(PackageManagerService.java:4299)
07-03 03:28:21.350: E/System(1538): at com.android.server.pm.PackageManagerService.updatePermissionsLPw(PackageManagerService.java:4247)
07-03 03:28:21.350: E/System(1538): at com.android.server.pm.PackageManagerService.<init>(PackageManagerService.java:1170)
07-03 03:28:21.350: E/System(1538): at com.android.server.pm.PackageManagerService.main(PackageManagerService.java:858)
07-03 03:28:21.350: E/System(1538): at com.android.server.ServerThread.run(SystemServer.java:167)
07-03 03:28:21.350: I/SystemServer(1538): Input Method Service
07-03 03:28:21.360: W/SystemServer(1538): ***********************************************
1021: 07-03 03:28:21.370: A/SystemServer(1538): BOOT FAILURE starting Input Manager Service
1022: 07-03 03:28:21.370: A/SystemServer(1538): java.lang.NullPointerException
1023: 07-03 03:28:21.370: A/SystemServer(1538): at android.app.PendingIntent.getBroadcast(PendingIntent.java:293)
1024: 07-03 03:28:21.370: A/SystemServer(1538): at com.android.server.InputMethodManagerService.<init>(InputMethodManagerService.java:548)
1025: 07-03 03:28:21.370: A/SystemServer(1538): at com.android.server.ServerThread.run(SystemServer.java:271)
1026: 07-03 03:28:21.400: E/AndroidRuntime(1538): Error reporting WTF
1027: 07-03 03:28:21.400: E/AndroidRuntime(1538): java.lang.NullPointerException
1028: 07-03 03:28:21.400: E/AndroidRuntime(1538): at com.android.internal.os.RuntimeInit.wtf(RuntimeInit.java:345)
1029: 07-03 03:28:21.400: E/AndroidRuntime(1538): at android.util.Log$1.onTerribleFailure(Log.java:103)
1030: 07-03 03:28:21.400: E/AndroidRuntime(1538): at android.util.Log.wtf(Log.java:278)
1031: 07-03 03:28:21.400: E/AndroidRuntime(1538): at com.android.server.ServerThread.reportWtf(SystemServer.java:77)
1032: 07-03 03:28:21.400: E/AndroidRuntime(1538): at com.android.server.ServerThread.run(SystemServer.java:274)
mostly likely is about way assembling framework files. Also some of them might be just corrupted by accident. Sometimes these errors caused by wrong smali replacement or wrong diff methodology. Or it might be just banal reason - no place in system or cache partitions.
English []
Most log parts are in mere, not technician English,log might be read as little book with bright characters. Find what you are looking for and fix it..
Source code is your best friend in porting
I'd recommend to have an android source code [from internet or on your local PC] to port something that outstands of rules I listed. For example CM frameworks source could be found here: https://github.com/CyanogenMod/android_frameworks_base .
That mostly affect cases in which hardware that is not working/working but not perfect/working incorrect on MIUI but worked like a charm on base.
Any log line represents a line of code in source, that one could search and debug from there (as source is mostly common, that miui ports possibility proove). Each smali represents a java source code or its part(- subclass which signed by $), each java is in frameworks folder on source (mostly frameworks/base). Log line is a message, which formed with C rules about these rules, so you have to avoid ciphers or guess how could code represent that message. You may search guessed line in source to locate java file, or locate it manually according to smali location and my advice and search in it.
Happy debugging
Stage 4
Last part. We recently ported miui, all is great and mostly functions, But.. am I the only one or that one looks incomplete? One could make its port complete by following next stage:
Stage 4. Advanced tweaks and specific hardware fixes
USB subsystem(mass storage/tether/debugging sign)
First of all, little self - check:
you have to be on old USB Gadget framework kernel source. Those you could clarify by talking with cm dev. Also I'm not rejecting it could work for others but in slightly modified sequence.
Starting from framework-res.apk.
You have to disassemble it first, but before you use actual "apktool d", you should also issue:
Code:
apktool if framework-res.apk
that is necessary for decoding internal resources correctly.
Disassemble base and MIUI frameworks and leave base one as we will work with MIUI one and will use base as a reference.
After disassembling, let's go to res/values in it:
As old usb gadget needs old mass storage path which was applicable to gingerbread, we should add that path to strings.xml.
If you only disassembled that file, you should see something like that:
Code:
<string name="launchBrowserDefault">Launch Browser?</string>
<string name="SetupCallDefault">Accept Call?</string>
</resources>
exact line to add at the near end:
Code:
<string name="config_legacyUmsLunFile">/sys/devices/platform/usb_mass_storage/lun0/file</string>
so that you will get something like that:
Code:
<string name="launchBrowserDefault">Launch Browser?</string>
<string name="SetupCallDefault">Accept Call?</string>
<string name="config_legacyUmsLunFile">/sys/devices/platform/usb_mass_storage/lun0/file</string>
</resources>
Remark:
that case is the only applicable to devices which have old kind SD card only. Look at the framework-res on your device, it also might have different LUN file path(actually it is a file, which collects all your SD data to be mounted as usb drive), that you should always replace in mind my defines with yours to make actual usb work.
Devices with flash memory(also called EMMC or embedded SD on flash) and SD[or without SD support at all], should be treat in custom way unfortunately I don't know, consult with your device CM devs for more details. And hey, most of these devices are on new usb gadget, so don't need my guide at all
<<
After addition, save strings.xml and go to res/xml in the same framework-res.That's where you also should use base framework-res.
copy from base to miui storage_list.xml and replace when prompted. That file provides only your device-specific SD support, not nexus S or whatever miui base you use.
Assemble miui framework-res.apk and, attention! disassemble it again. That action allows you to see resource ID-s for each line exactly in manner they will be used in living rom.
Remark:
Each resource-drawable, string, boolean switcher etc is treated by its ID - personal identificator. Resources are used in other frameworks and APK to identify something necessary for them. framework-res.apk is a resource storage, which handled by android.content.res package classes like ResourceManager.
USB subsystem also uses some resource to provide to user actual USB status and right mass storage.
<<
Make sure you have both base and miui framework-res, then open both: res/values/public.xml.
Now, we could start the main part - services.jar mod
After adding line "config_legacyUmsLunFile" there will be its id in public.xml after compiling. That's why I stand you should disassemble assembled framework-res again. Remember both ID-s from base and from miui.
Also you need ID-s from both base and miui for following resources:
"stat_sys_adb" - usb debugging icon
"adb_active_notification_title" - usb debugging short message
"adb_active_notification_message" - usb debugging long message
JellyBean-specific:
"config_oemUsbModeOverride" - usb mode override flag
Remark:
public.xml is a resource dictionary, example of line:
Code:
<public type="drawable" name="stat_sys_adb" id="0x010804f8" />
means as follows: public type="drawable", drawable - mere picture for different resolution, drawn on the screen, public type subsequently is a type of resource. name="stat_sys_adb" - name of resource, that may be name of acual file or string or bool define etc. id="0x010804f8" - hexadecimal resource identifier. Important note: most resource users are treat resource name without leading zero, for example, 0x010804f8 in usb smalis presented as 0x10804f8, that fact will be necessary on finding and replacing resources(I'd call it matching process), exactly what we are going to do with USB folder smalis.
<<
Open USB folder in miui services.jar (smali/com/android/server/usb), you will see smalis, as usual. Replace its contents with those in base services.jar' usb folder.
Then we are going to match resources: each ID you found in public.xml should be bound to resource call in smali. Let's start:
we will work with miui usb folder smalis. Open UsbService.smali, now remember what id was bound to config_legacyUmsLunFile in base public.xml, for example it was 0x01040029, eliminate leading zero and search file contents for resource 0x1040029, so you will find its entry. Replace that entry with resource you got from public.xml in miui, again, without leading zero. Search for the same ID in LegacyUsbDeviceManager.smali and replace it to miui one.
If you got how that process work, remaining task is match other resource id-s that listed above (usb debugging icon, long and short message). They will be in following files
LegacyUsbDeviceManager$LegacyUsbHandler
UsbDeviceManager$UsbHandler
JellyBean-specific:
UsbDeviceManager.smali also contains necessary switch - config_oemUsbModeOverride, also match ID-s with miui framework and here you go.
USB debugging message is not so necessary as mass storage [coz if resource of mass storage file not found, you won't get usb subsystem to work].
After matching is done, assemble services.jar.
Done! USB subsystem now works.
Another moment could be necessary is to change USB tether interface device to usb0 (as Nexus S is using rndis0 instead, and base whatever you choosed may also have another tether interface)
To change it, you again need a disassembled framework-res.apk(don't forget "apktool if") In it navigate to res/values/arrays.xml.
find the following:
Code:
<string-array name="config_tether_usb_regexs">
in nexus S full block will look like that:
Code:
<string-array name="config_tether_usb_regexs">
<item>[COLOR="Orange"]rndis0[/COLOR]</item>
</string-array>
Look, I highlighted interface name for you! So the only part you should do it is just replace it to yours. Example for usb0:
Code:
<string-array name="config_tether_usb_regexs">
<item>[COLOR="Orange"]usb0[/COLOR]</item>
</string-array>
Interface name could be seen in the same file but in base rom.
By The Way, do you see
Code:
<string-array name="config_tether_wifi_regexs">
<item>[COLOR="Orange"]wl0.1[/COLOR]</item>
</string-array>
right after usb one? That is the interface for wifi tether, that you also should change to yours (one your base needed) and that is it! I saw somewhere following interface variant:
Code:
<string-array name="config_tether_wifi_regex[/B]">
<item>[COLOR="orange"]tiap//d[/COLOR]</item>
</string-array>
which is for Sony [Ericsson] devices with Texas Instruments wifi chip, just see yours in base to check this out.
in the same file you may also fix Autobrightness levels, I mean those ones:
Code:
<integer-array name="config_autoBrightnessLevels">
<integer-array name="config_autoBrightnessLcdBacklightValues">
<integer-array name="config_autoBrightnessButtonBacklightValues">
<integer-array name="config_autoBrightnessKeyboardBacklightValues">
MIUI doesn't have autobrightness tweaks so that is the only way those levels could be applied.
To fully close framework-res and don't come back no more, let's see other things you could do with it:
Minimal brightness too low
There is a bug with brightness: when you regulating it to minmal, screen comes black and won't come back until wipe.
Reason is banal - screen highlight couldn't handle so low value (in nexus S it's 10), first of all find a line at res/values/integers.xml:
Code:
<integer name="config_screenBrightnessDim">10</integer>
in most cases value "20" will be reliable, so change "10" to "20":
Code:
<integer name="config_screenBrightnessDim">20</integer>
Fix "Network won't automatically picks up"
The problem on some devices like HTC on 7x30 QC architecture, is in one little switch [res/values/bools.xml] :
Code:
<bool name="skip_restoring_network_selection">[COLOR="orange"]true[/COLOR]</bool>
just change it to "false":
Code:
<bool name="skip_restoring_network_selection">[COLOR="orange"]false[/COLOR]</bool>
and network will come up.
Fix "Deep sleep issue on some devices"
Problem reported Wildfire S users resolved by that little define [res/values/bools.xml] :
Code:
<bool name="config_bluetooth_adapter_quick_switch">[COLOR="orange"]true[/COLOR]</bool>
change it to "false":
Code:
<bool name="config_bluetooth_adapter_quick_switch">[COLOR="orange"]false[/COLOR]</bool>
and issue will be resolved.
Also, it might be interesting to check out all bools.xml defines to see if something should be changed.
Fixing wrong hardware-software keyboard relationship [auto-rotate and showing issues] (also for galaxy tab 7)
Those with built-in hardware keyboard may experiencing following issue: when hardware keyboard opened, you also see a software keyboard and when you just need a software keyboard, it won't show. Also auto-rotate won't work properly when keyboard is activated.
Seems on Galaxy Tab 7 Samsung(or maybe Cyanogen Mod?) handles software keyboard in relation of some kind of dummy hardware keyboard, so it's our case too.
ICS-only:
To fix that issue, disassemble miui android.policy.jar and navigate to smali/com/android/internal/policy/impl/PhoneWindowManager.smali
there are three constants, according to the source: 0(0x0) - lid closed, 1(0x1) - lid open, and -1(-0x1) - lid absent.
they are located after a function "GetSwitchState".
Original idea was to swap these constants so that system gets fooled about your keyboard state:
code that exists:
Code:
const/4 v1, 0x1
-> code that you will get after mod:
Code:
const/4 v1, 0x0
the same you should proceed with zero:
Code:
const/4 v1, 0x0
->
Code:
const/4 v1, 0x1
you might also have to change
Code:
const/4 v1, -0x1
->
Code:
const/4 v1, 0x1
to get rid of absent state.
another ways to fix this up:
res/values/bools.xml
change
Code:
<bool name="config_forceDisableHardwareKeyboard">[COLOR="Orange"]false[/COLOR]</bool>
->
Code:
<bool name="config_forceDisableHardwareKeyboard">[COLOR="Orange"]true[/COLOR]</bool>
as we see, it force-disables hardware keyboard so that only soft one will show up.
for devices with hardware keyboard that might also be a deal:
res/values/integers.xml
change the following two line:
Code:
<integer name="config_lidOpenRotation">90</integer>
<integer name="config_lidKeyboardAccessibility">1</integer>
Next questions will be related to various APK fixes:
before we start you need to know that all apk are depend on framework-res resources, so before you start disassembling them, let's clarify steps: "apktool if" each framework with resources you have in miui, in stock there are two:
Code:
apktool if framework-res.apk
Code:
apktool if framework-miui-res.apk
then each apk could be disassembled as usual.
Getting rid of MIUI start screen
Have you mentioned it? Ya, that annoying setup wizard.. In the end it suggests you to input your XIAOMI account which some users may never had and won't create. Keep them out of stress - get rid of that wizard!
Let me show how:
there are 2 ways, one - fully infiltrate that wizard from user's eye, second - will let you choose a language(useful in multilanguage releases) and setup wifi, then go right to homescreen.
Common moment: disassemble Provision.apk and go to smali contents - com/android/provision and choose DefaultActivity.smali
First method - codename "infiltration":
we will modify contents of "isProvisioned" method.
Kill all except "const/4 v1" and "return v1" in it, change const/4 v1 to 0x1 so you will get something like that:
Code:
.method private deviceIsProvisioned()Z
.locals 3
.prologue
const/4 v1, 0x1
return v1
.end method
actually, we are just saying to setup wizard that device is already passed its steps and don't need them anymore. So that setup wizard won't even be showed.
Second method - codename "multilang":
it is based on exploit, which is as follows: one could bypass xiaomi account prompt if before flashing miui he pull off sim card and then on setupwizard won't set up wifi. Wizard will send you to "sim not found" dialog, which then will allow one to "dismiss" account request.
Line which asks about SIM state is as follows:
Code:
invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getSimState()I
then
Code:
move-result v1
const/4 v2, 0x5
some variable now consists of returned value.
To initialte that value to fail a check, I've just changed constant value to one that telephony manager will never return: -0x5
Code:
const/4 v2, -0x5
Now its time to point fail to logical end of wizard, we are going to change label..
Code:
if-ne v1, v2, :[COLOR="DarkOrange"]cond_5[/COLOR]
if not equals v1, v2 (if (v1!=v2) in С manner ) go to label cond_5. As we stated, v1 won't be equal v2,so it will go to cond_5, which is not a place we wish to go (coz of unbelieveable hardcode). But there is a wishable place - cond_6:
Code:
invoke-direct {p0}, Lcom/android/provision/DefaultActivity;->finishSetup()V
yyyyeah, right to finish
so we are changing cond_5 to cond_6:
Code:
if-ne v1, v2, :[COLOR="DarkOrange"]cond_6[/COLOR]
that's it! In the end you will get: language selection->wifi setup->homescreen, almost briliant!
Whether you choosed first or second method - assemble apk you got after all things done.
Fixing not working mic in calls
Disassemble Phone.apk and navigate to res/values/bools.xml to change:
Code:
<bool name="send_mic_mute_to_AudioManager">[COLOR="Orange"]false[/COLOR]</bool>
->
Code:
<bool name="send_mic_mute_to_AudioManager">[COLOR="orange"]true[/COLOR]</bool>
Fixing pin code prompt on xperia devices
Disassemble Phone.apk and navigate to res/values/bools.xml to change:
Code:
<bool name="ignore_sim_network_locked_events">[COLOR="orange"]false[/COLOR]</bool>
->
Code:
<bool name="ignore_sim_network_locked_events">[COLOR="orange"]true[/COLOR]</bool>
Enabling hidden settings
Did you know that you may activate LEDs settings? Or maybe use camera key to trigger some useful functions? If not, follow the next little tuto.
Disassemble Settings.apk, navigate to bools.xml in res/values.
Activating LED settings
It would be enough to change
Code:
<bool name="has_led">[COLOR="orange"]false[/COLOR]</bool>
->
Code:
<bool name="has_led">[COLOR="orange"]true[/COLOR]</bool>
As you may got, other hidden settings are also there, I'll just list them and assume all of them needs just replacement false to true to make them activated
Multitouch gestures
Still didn't mentioned how they works, but, xiaomi wouldn't make something just for its appearence in settings.
Code:
<bool name="has_multi_touch">[COLOR="orange"]false[/COLOR]</bool>
MI button
Mi button on any device that has camera button!
What is MI button? It's a tweak that allows dedicated button to do something instead of its mere function (for example-issuing camera app as for cam button). You may adjust any app in rom to be executed, any switch from miui switchers and also trigger some actions like "menu", "call", "screen off toggle"(allows you to switch screen on and off, so possibly replace power button which is mostly weak) and "screenshot".
how to activate it? - the same:
Code:
<bool name="has_camera_key">[COLOR="orange"]false[/COLOR]</bool>
change to "true"
Dock settings
mere dock station settings dialog.
Code:
<bool name="has_dock_settings">[COLOR="orange"]false[/COLOR]</bool>
Trackball settings
for devices such as nexus one with active trackball.
Code:
<bool name="has_track_ball">[COLOR="orange"]false[/COLOR]</bool>
"Black bar" fix
more details - https://www.dropbox.com/s/6u63tozthmj6xa9/Screenshot_2012-08-07-09-49-09.png
Let's get MiuiSystemUI.apk and disassemble it.
Locate to res/values/drawables.xml and delete first line:
Code:
<item type="drawable" name="notification_header_bg">#ff000000</item>
it might vary but always contains black colour (#ff000000). Recompile modified systemUI.
Least but hope not last define for that guide, hope it will fill up with latest and greatest from MIUI devices users and porters around the world.
Cheers, L_F.
Finally Come up with great Tut.. Thanks Alot Brother
Very detailed and good written tutorial! Thanks and good job!
Thanks
AS my device bricked, you could always tell me what to replace/add on my guide, so it will look up-to-date
ADD: added Stage 3.
Done. Have something to add? Write here, I'll form a new guide branch for you. Found a mistake? Contact me.
BTW, if somebody have more time than I, It would be great you could support that guide to keep it up-to-date.
Thanks for the detailed guide. I just started porting for my device. I have one question though. Once I successfully port to one version, what are the files I need to consider for next version? I think some files I can just use from the previous port (like hardware related files). If you have any suggestions on the files I have to look for while porting next version of miui, it will be very helpful. Not sure whether I am asking the right question. Looks like once I do this I can reuse all the files for next port
raj_k_r said:
Thanks for the detailed guide. I just started porting for my device. I have one question though. Once I successfully port to one version, what are the files I need to consider for next version? I think some files I can just use from the previous port (like hardware related files). If you have any suggestions on the files I have to look for while porting next version of miui, it will be very helpful. Not sure whether I am asking the right question. Looks like once I do this I can reuse all the files for next port
Click to expand...
Click to collapse
I replace all the files from last build on next and try to boot.
If I get errors, I look if I have to replace more files or re-replace some.
what are the files I need to consider for next version? I
Click to expand...
Click to collapse
All the same, you have to repeat guide for each release coz frameworks are changing each release.
I'd form a patch kit with all smalis you want to replace and patch remaining each time.
here is my logcat
what the things need to change
assetmanager.smali ??? and/or any other things ????
Code:
$ adb logcat
I/miui ( 1113): Welcome to Android 4.0.4 /
I/miui ( 1114): .-.-.-..-..-..-..-. .-..-..---.
I/miui ( 1115): | | | || || || || | | || | \ \
I/miui ( 1116): '-'-'-''-''----''-'O'----''---'
I/miui ( 1117):
I/run-parts( 1108): dealing with default theme
I/mountext( 1129): Checking /dev/block/mmcblk0p2 for errors...
I/run-parts( 1108): e2fsck 1.41.12 (17-May-2010)
I/run-parts( 1108): /dev/block/mmcblk0p2: clean, 11/1050624 files, 132591/420099 7 blocks
I/run-parts( 1108): mount: mounting /dev/block/mmcblk0p2 on /sd-ext failed: No s uch file or directory
E/mountext( 1133): Unable to mount filesystem for /sd-ext!
I/mountext( 1136): No swap partition found.
I/apps2sd ( 1139): /sd-ext not mounted...nothing to do
I/run-parts( 1108): cp: can't stat '/system/etc/wifi/hostapd.conf': No such file or directory
I/run-parts( 1108): chown: /data/misc/wifi/hostapd.conf: No such file or directo ry
I/run-parts( 1108): chmod: /data/misc/wifi/hostapd.conf: No such file or directo ry
I/DEBUG ( 1158): debuggerd: Jul 14 2012 05:52:57
I/Vold ( 1156): Vold 2.1 (the revenge) firing up
D/Vold ( 1156): Volume sdcard state changing -1 (Initializing) -> 0 (No-Media )
I/Netd ( 1157): Netd 1.0 starting
D/Vold ( 1156): Volume sdcard state changing 0 (No-Media) -> 2 (Pending)
D/DirectVolume( 1156): DirectVolume::handlePartitionAdded -> MAJOR 179, MINOR 1, PARTN 1
D/DirectVolume( 1156): DirectVolume::handlePartitionAdded -> MAJOR 179, MINOR 2, PARTN 2
D/Vold ( 1156): Volume sdcard state changing 2 (Pending) -> 1 (Idle-Unmounted )
E/Netd ( 1157): Unable to bind netlink socket: No such file or directory
E/Netd ( 1157): Unable to open quota2 logging socket
D/AndroidRuntime( 1161):
D/AndroidRuntime( 1161): >>>>>> AndroidRuntime START com.android.internal.os.Zyg oteInit <<<<<<
D/AndroidRuntime( 1161): CheckJNI is OFF
I/SurfaceFlinger( 1160): SurfaceFlinger is starting
I/SurfaceFlinger( 1160): SurfaceFlinger's main thread ready to run. Initializing graphics H/W...
E/qsd8k.gralloc( 1160): We support 2 buffers
I/qsd8k.gralloc( 1160): using (fd=9)
I/qsd8k.gralloc( 1160): id = msmfb31_1ffff
I/qsd8k.gralloc( 1160): xres = 480 px
I/qsd8k.gralloc( 1160): yres = 854 px
I/qsd8k.gralloc( 1160): xres_virtual = 480 px
I/qsd8k.gralloc( 1160): yres_virtual = 1708 px
I/qsd8k.gralloc( 1160): bpp = 16
I/qsd8k.gralloc( 1160): r = 11:5
I/qsd8k.gralloc( 1160): g = 5:6
I/qsd8k.gralloc( 1160): b = 0:5
I/qsd8k.gralloc( 1160): width = 76 mm (160.421051 dpi)
I/qsd8k.gralloc( 1160): height = 136 mm (159.497055 dpi)
I/qsd8k.gralloc( 1160): refresh rate = 0.00 Hz
D/CALCFPS ( 1160): DEBUG_CALC_FPS: 0
D/CALCFPS ( 1160): period: 10
D/CALCFPS ( 1160): ignorethresh_us: 500000
D/CALCFPS ( 1160): DEBUG_CALC_FPS: 0
D/CALCFPS ( 1160): period: 10
D/CALCFPS ( 1160): ignorethresh_us: 500000
D/FramebufferNativeWindow( 1160): mNumBuffers = 2
D/libEGL ( 1160): loaded /system/lib/egl/libGLES_android.so
D/libEGL ( 1160): loaded /system/lib/egl/libEGL_adreno200.so
D/libEGL ( 1160): loaded /system/lib/egl/libGLESv1_CM_adreno200.so
D/libEGL ( 1160): loaded /system/lib/egl/libGLESv2_adreno200.so
I/AudioFlinger( 1163): Loaded primary audio interface from LEGACY Audio HW HAL ( audio)
I/AudioFlinger( 1163): Using 'LEGACY Audio HW HAL' (audio.primary) as the primar y audio interface
I/AudioFlinger( 1163): Loaded a2dp audio interface from A2DP Audio HW HAL (audio )
D/AudioHardwareInterface( 1163): setMode(NORMAL)
I/AudioHardwareQSD( 1163): Set master volume to 1.000000.
I/CameraService( 1163): CameraService started (pid=1163)
E/CameraService( 1163): Could not load camera HAL module
I/SurfaceFlinger( 1160): EGL informations:
I/SurfaceFlinger( 1160): # of configs : 35
I/SurfaceFlinger( 1160): vendor : Android
I/SurfaceFlinger( 1160): version : 1.4 Android META-EGL
I/SurfaceFlinger( 1160): extensions: EGL_KHR_image EGL_KHR_image_base EGL_KHR_fe nce_sync EGL_ANDROID_image_native_buffer EGL_ANDROID_image_native_buffer EGL_AND ROID_get_render_buffer
I/SurfaceFlinger( 1160): Client API: OpenGL ES
I/SurfaceFlinger( 1160): EGLSurface: 5-6-5-0, config=0x0
I/SurfaceFlinger( 1160): OpenGL informations:
I/SurfaceFlinger( 1160): vendor : Qualcomm
I/SurfaceFlinger( 1160): renderer : Adreno (TM) 200
I/SurfaceFlinger( 1160): version : OpenGL ES-CM 1.1
I/SurfaceFlinger( 1160): extensions: GL_AMD_compressed_ATC_texture GL_AMD_perfor mance_monitor GL_APPLE_texture_2D_limited_npot GL_ARB_vertex_buffer_object GL_EX T_texture_filter_anisotropic GL_EXT_texture_format_BGRA8888 GL_EXT_texture_type_ 2_10_10_10_REV GL_OES_blend_equation_separate GL_OES_blend_func_separate GL_OES_ blend_subtract GL_OES_compressed_ETC1_RGB8_texture GL_OES_compressed_paletted_te xture GL_OES_depth_texture GL_OES_draw_texture GL_OES_EGL_image GL_OES_EGL_image _external GL_OES_framebuffer_object GL_OES_matrix_palette GL_OES_packed_depth_st encil GL_OES_point_size_array GL_OES_point_sprite GL_OES_read_format GL_OES_rgb8 _rgba8 GL_OES_stencil_wrap GL_OES_texture_cube_map GL_OES_texture_env_crossbar G L_OES_texture_float GL_OES_texture_half_float GL_OES_texture_half_float_linear G L_OES_texture_npot GL_OES_texture_mirrored_repeat GL_QCOM_binning_control GL_QCO M_extended_get GL_QCOM_tiled_rendering GL_AMD_compressed_3DC_texture
I/SurfaceFlinger( 1160): GL_MAX_TEXTURE_SIZE = 4096
I/SurfaceFlinger( 1160): GL_MAX_VIEWPORT_DIMS = 4096 x 4096
I/SurfaceFlinger( 1160): flags = 00200000
D/CALCFPS ( 1160): DEBUG_CALC_FPS: 0
D/CALCFPS ( 1160): period: 10
D/CALCFPS ( 1160): ignorethresh_us: 500000
D/libEGL ( 1273): loaded /system/lib/egl/libGLES_android.so
D/libEGL ( 1273): loaded /system/lib/egl/libEGL_adreno200.so
D/libEGL ( 1273): loaded /system/lib/egl/libGLESv1_CM_adreno200.so
D/libEGL ( 1273): loaded /system/lib/egl/libGLESv2_adreno200.so
E/dalvikvm( 1161): ERROR: couldn't find native method
E/dalvikvm( 1161): Requested: Landroid/content/res/AssetManager;.splitThemePacka ge:(Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;)I
E/JNIHelp ( 1161): RegisterNatives failed for 'android/content/res/AssetManager' , aborting
F/libc ( 1161): Fatal signal 11 (SIGSEGV) at 0xdeadbaad (code=1)
I/AudioFlinger( 1163): AudioFlinger's thread 0x105c8 ready to run
W/AudioFlinger( 1163): Thread AudioOut_1 cannot connect to the power manager ser vice
I/AudioHardwareQSD( 1163): Routing audio to Speakerphone
D/AudioHardwareQSD( 1163): Switching audio device to
D/AudioHardwareQSD( 1163): Speakerphone
I/AudioPolicyService( 1163): Loaded audio policy from LEGACY Audio Policy HAL (a udio_policy)
I/DEBUG ( 1158): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** * **
I/DEBUG ( 1158): Build fingerprint: 'SEMC/LT18i_0000-0000/LT18i:4.0.3/4.1.C.0. 7/-H9_3w:user/release-keys'
I/DEBUG ( 1158): pid: 1161, tid: 1161 >>> zygote <<<
I/DEBUG ( 1158): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaa d
I/DEBUG ( 1158): r0 deadbaad r1 00000001 r2 a0000000 r3 00000000
I/DEBUG ( 1158): r4 00000000 r5 00000027 r6 40838acd r7 00000036
I/DEBUG ( 1158): r8 401aca80 r9 4018d722 10 0000904c fp 00009062
I/DEBUG ( 1158): ip 401f7240 sp beedba60 lr 4001f881 pc 4001bbcc cpsr 600 00030
I/DEBUG ( 1158): d0 2f64696f72646e61 d1 2f746e65746e6f63
I/DEBUG ( 1158): d2 657373412f736572 d3 726567616e614d74
I/DEBUG ( 1158): d4 0000d4cc0000d4b1 d5 0000d4e80000d4cd
I/DEBUG ( 1158): d6 0000d5040000d4e9 d7 0000d5200000d505
I/DEBUG ( 1158): d8 0000000000000000 d9 0000000000000000
I/DEBUG ( 1158): d10 0000000000000000 d11 0000000000000000
I/DEBUG ( 1158): d12 0000000000000000 d13 0000000000000000
I/DEBUG ( 1158): d14 0000000000000000 d15 0000000000000000
I/DEBUG ( 1158): d16 7265747369676552 d17 207365766974614e
I/DEBUG ( 1158): d18 0000d5740000d559 d19 0000d5900000d575
I/DEBUG ( 1158): d20 0000d5ac0000d591 d21 0000d5c80000d5ad
I/DEBUG ( 1158): d22 0000d5e40000d5c9 d23 0000d6000000d5e5
I/DEBUG ( 1158): d24 0000000000000000 d25 0000000000000000
I/DEBUG ( 1158): d26 0000000000000000 d27 0000000000000000
I/DEBUG ( 1158): d28 0000000000000000 d29 0000000000000000
I/DEBUG ( 1158): d30 0000000000000000 d31 0000000000000000
I/DEBUG ( 1158): scr 60000010
I/DEBUG ( 1158):
I/AudioHardwareQSD( 1163): AudioHardware pcm playback is going to standby.
I/DEBUG ( 1158): #00 pc 00017bcc /system/lib/libc.so
I/DEBUG ( 1158): #01 pc 0000c282 /system/lib/libnativehelper.so (jn iRegisterNativeMethods)
I/DEBUG ( 1158): #02 pc 00044778 /system/lib/libandroid_runtime.so (_ZN7android14AndroidRuntime21registerNativeMethodsEP7_JNIEnvPKcPK15JNINativeMet hodi)
I/DEBUG ( 1158): #03 pc 0005e0a6 /system/lib/libandroid_runtime.so (_ZN7android37register_android_content_AssetManagerEP7_JNIEnv)
I/DEBUG ( 1158): #04 pc 00044884 /system/lib/libandroid_runtime.so
I/DEBUG ( 1158): #05 pc 000448b6 /system/lib/libandroid_runtime.so (_ZN7android14AndroidRuntime8startRegEP7_JNIEnv)
I/DEBUG ( 1158): #06 pc 000449ac /system/lib/libandroid_runtime.so (_ZN7android14AndroidRuntime5startEPKcS2_)
I/DEBUG ( 1158): #07 pc 00008f0a /system/bin/app_process
I/DEBUG ( 1158): #08 pc 00016bd0 /system/lib/libc.so (__libc_init)
I/DEBUG ( 1158):
I/DEBUG ( 1158): code around pc:
I/DEBUG ( 1158): 4001bbac 4623b15c 2c006824 e026d1fb b12368db \.#F$h.,..&..h# .
I/DEBUG ( 1158): 4001bbbc 21014a17 6011447a 48124798 24002527 .J.!zD.`.G.H'%. $
I/DEBUG ( 1158): 4001bbcc f7f47005 2106edda ee86f7f5 460aa901 .p.....!....... F
I/DEBUG ( 1158): 4001bbdc f04f2006 94015380 94029303 ea32f7f5 . O..S........2 .
I/DEBUG ( 1158): 4001bbec 4622a905 f7f52002 f7f4ea3c 2106edc6 .."F. ..<...... !
I/DEBUG ( 1158):
I/DEBUG ( 1158): code around lr:
I/DEBUG ( 1158): 4001f860 41f0e92d 46804c0c 447c2600 68a56824 -..A.L.F.&|D$h. h
I/DEBUG ( 1158): 4001f870 e0076867 300cf9b5 dd022b00 47c04628 gh.....0.+..(F. G
I/DEBUG ( 1158): 4001f880 35544306 37fff117 6824d5f4 d1ee2c00 .CT5...7..$h.,. .
I/DEBUG ( 1158): 4001f890 e8bd4630 bf0081f0 00028c7e 41f0e92d 0F......~...-.. A
I/DEBUG ( 1158): 4001f8a0 fb01b086 9004f602 461f4815 4615460c .........H.F.F. F
I/DEBUG ( 1158):
I/DEBUG ( 1158): memory map around addr deadbaad:
I/DEBUG ( 1158): beec7000-beedc000 [stack]
I/DEBUG ( 1158): (no map for address)
I/DEBUG ( 1158): (no map above)
I/DEBUG ( 1158):
I/DEBUG ( 1158): stack:
I/DEBUG ( 1158): beedba20 4019702a /system/lib/libandroid_runtime.so
I/DEBUG ( 1158): beedba24 4b9f7e00 /dalvik-LinearAlloc (deleted)
I/DEBUG ( 1158): beedba28 4b9f75e8 /dalvik-LinearAlloc (deleted)
I/DEBUG ( 1158): beedba2c 0000002b
I/DEBUG ( 1158): beedba30 40048780 /system/lib/libc.so
I/DEBUG ( 1158): beedba34 40048718 /system/lib/libc.so
I/DEBUG ( 1158): beedba38 00000000
I/DEBUG ( 1158): beedba3c 4001f881 /system/lib/libc.so
I/DEBUG ( 1158): beedba40 00000000
I/DEBUG ( 1158): beedba44 beedba74 [stack]
I/DEBUG ( 1158): beedba48 40838acd /system/lib/libdvm.so
I/DEBUG ( 1158): beedba4c 00000036
I/DEBUG ( 1158): beedba50 401aca80 /system/lib/libandroid_runtime.so
I/DEBUG ( 1158): beedba54 4001e9ed /system/lib/libc.so
I/DEBUG ( 1158): beedba58 df0027ad
I/DEBUG ( 1158): beedba5c 00000000
I/DEBUG ( 1158): #00 beedba60 1d200031
I/DEBUG ( 1158): beedba64 52010c85
I/DEBUG ( 1158): beedba68 40196926 /system/lib/libandroid_runtime.so
I/DEBUG ( 1158): beedba6c 0000f2c8 [heap]
I/DEBUG ( 1158): beedba70 40196926 /system/lib/libandroid_runtime.so
I/DEBUG ( 1158): beedba74 fffffbdf
I/DEBUG ( 1158): beedba78 00000036
I/DEBUG ( 1158): beedba7c 0000f2c8 [heap]
I/DEBUG ( 1158): beedba80 40196926 /system/lib/libandroid_runtime.so
I/DEBUG ( 1158): beedba84 401d0285 /system/lib/libnativehelper.so
I/DEBUG ( 1158): #01 beedba88 0000f2c8 [heap]
I/DEBUG ( 1158): beedba8c 1d200031
I/DEBUG ( 1158): beedba90 0000f2c8 [heap]
I/DEBUG ( 1158): beedba94 4018dbb8 /system/lib/libandroid_runtime.so
I/DEBUG ( 1158): beedba98 40196926 /system/lib/libandroid_runtime.so
I/DEBUG ( 1158): beedba9c 4019365b /system/lib/libandroid_runtime.so
I/DEBUG ( 1158): beedbaa0 1d200025
I/DEBUG ( 1158): beedbaa4 4015177b /system/lib/libandroid_runtime.so
I/ServiceManager( 1155): service 'media.audio_flinger' died
I/ServiceManager( 1155): service 'media.player' died
I/ServiceManager( 1155): service 'media.camera' died
I/ServiceManager( 1155): service 'media.audio_policy' died
what the things need to change
assetmanager.smali ???
Click to expand...
Click to collapse
right you are. Read third stage, you will orient on those logs more fluently ;]
Ленс, у меня при декомпиляции frasmework.jar от miui.us(Desire HD) появляются ошибки: http://yadi.sk/d/8ylx4nI504DD
Подскажи,это нормально или нет?
Lens, mind you translate that to russian or ukrainian and share with me? My mail [email protected]
Click to expand...
Click to collapse
I'm not planning such translation in near future, sorry.
пока нет времени на подобный перевод, извините.
lens! log attached
http://sebsauvage.net/paste/?c0dc044424fe8df6#mlqLGewvWaQYfr2e/iPyiMotdNf1+oE50qBIn5IGPNA=
Hello,
Can same one help me out? My MIUI port has two mayor issue. First is sometimes my device not boot. Seems totally random for me. The logcat simple stops at a point, and it not continue the reboot process, but the boot animation just going and going. After I reboot my device it boot up without any problem... Sometimes boot up at the first time... sometimes not... Seems totally random.
Here is the log: http://pastebin.com/XVMBQS8L
As I mentioned it just stop at this and not go any further until I reset with the reset button.
My other problem with it is, after I receive an email and MIUI send a notification to the statusbar soon after it crash. And keeps crash (reboot) until I remove those notifacations. Here is the log: http://pastebin.com/Fn2zhAxL
Any idea how to fix it? Thank you very much in advance!
log attached
http://sebsauvage.net/paste/?c0dc044...E50qBIn5IGPNA=
Click to expand...
Click to collapse
that one:
Code:
E/AndroidRuntime(1305): java.lang.NoClassDefFoundError: com.android.server.CpuGovernorService
check your services.jar for CpuGovernorService I almost sure it's not there
sometimes my device not boot. Seems totally random for me. The logcat simple stops at a point, and it not continue the reboot process, but the boot animation just going and going
Click to expand...
Click to collapse
Sounds like there are codecs which faulty when talk with miui frameworks. Could you wipe out them?
after I receive an email and MIUI send a notification to the statusbar soon after it crash. And keeps crash (reboot) until I remove those notifacations.
Click to expand...
Click to collapse
yess, again faulty codecs..
Hey flytouch users, why you want miui for that MONSTER?
I could boot but it says SystemUI has stopped, updater has stopped. There is no status bar. But I can make calls, send SMS, wifi works, can apply themes. What could be the problem for SystemUI stopped error? Nowhere I could get the answer. In some thread I read that I have to copy framework-res-miui.xml to etc/permissions but I could not find this file anywhere.
Attaching the log file.
Want adopted sd enabled in the latest cm based custom rom for our dear moto e
Here is a temporary workaround
Firstly this was done by making use of a guide found in ashwin007's thread called
[ROM][OFFICIAL][condor] CyanogenMod 13 for Moto E 2014
Page 134 by millerscout.
In that guide youll find 11 steps to follow.
Now you'll just have to make small changes to two of the steps
Step 2. Change to whatever MM CM based rom you want and
Step 10. to the MM CM based rom you have chosen.
Now I usually keep these things to myself but for some time now I've noticed a lot of persons keep asking in the threads if adopted sd card is working. C'mon guys Its annoying. Despite the answers being yes at times its only after I've wiped my phone and install the latest rom I find out that adopted sd card is not working and corrupts my sd card. The guide by millerscout is a simple workaround I found for this small problem and with my added input it could work with other cm based marshmallow roms. Ive never tried it with AOSP or any other marshmallow based roms only CM.
That's it now enjoy the latest mm cm based roms with adopted sd until it as been officially fixed by ashwin007 :highfive:
Disclaimer: The instructions are pretty straightforward. Read and follow the instructions to reap your reward. With that said I will not be responsible for any fumes leaking from your phone
I could testify it
Just done it yesterday, using cm13 20160113 instead of temasek unoficial build
1. Factory reset using twrp
2. Clean flash cm13 20160113 and gapps
3. Wipe cache n dalvik cache, don't know if it is necessary, it just habits
4. Reboot system, finish setup wizard, set up sdcard as internal
5. Reboot to twrp
6. Flash newest cm13 build, i use 20160224 yesterday
7. Wipa cache n dalvik cache
8. Reboot system, sdcard as internal still working fine
I heard that aospb n orionos has sdcard as internal worked too
Thanks to @ehrans and @millerscout for the tricks
didnt worked for me with ressurection
any other way i can use..??really frustrated with the storage running out msg
I've Successfully formatted my sd card as internal but having a serious problem..when i connect my phone to the computer, it doesn't show my sd card for transfering the backup files to my phone.. what to do now ?? Any help Guyss ??
Edit : I've restarted my phone also but still doesn't helped..
Hello everyone. I've been hearing a lot of users reporting issues with adopted SD on condor. It worls fine on otus, so it is evidently a condor specific issue. I don't yet have the device, so I can't test and debug the issue myself at the moment. However, if someone coulld share logs of trying to format the SD card as internal on the latest nightly, that would be helpful. In particular, I want to see the logcat and dmesg output during the SD card formatting process.
A few word of advice on capturing logs: It's usually more helpful to capture a log of just doing the action of interest rather than providing a log from bootup till an hour after reproducing the issue. The way I usually do this on Linux or Mac is to start adb logcat on a shell, let it spew out everything, then clear the terminal, do the action of interest, let it complete, then hit Ctrl-C to stop logcat. Then copy paste the terminal contents into a file. For dmesg, just copy paste the last n secomds showing the relevant operation.
squid2 said:
Hello everyone. I've been hearing a lot of users reporting issues with adopted SD on condor. It worls fine on otus, so it is evidently a condor specific issue. I don't yet have the device, so I can't test and debug the issue myself at the moment. However, if someone coulld share logs of trying to format the SD card as internal on the latest nightly, that would be helpful. In particular, I want to see the logcat and dmesg output during the SD card formatting process.
A few word of advice on capturing logs: It's usually more helpful to capture a log of just doing the action of interest rather than providing a log from bootup till an hour after reproducing the issue. The way I usually do this on Linux or Mac is to start adb logcat on a shell, let it spew out everything, then clear the terminal, do the action of interest, let it complete, then hit Ctrl-C to stop logcat. Then copy paste the terminal contents into a file. For dmesg, just copy paste the last n secomds showing the relevant operation.
Click to expand...
Click to collapse
please find attached dmesg.txt
Ansh2000 said:
please find attached dmesg.txt
Click to expand...
Click to collapse
Thanks for the log. The associated logcat would also be helpful, but from what I see in the dmesg, a couple things jumped out to me.
It looks like the f2fs formatting utility (mkfs.f2fs) crashes, and subsequent attempts crash further:
Code:
[ 2413.240089,0] mmcblk1: p1
[ 2414.518112,1] mmcblk1: p1 p2
[ 2414.969437,1] Core dump to |/system/bin/coredump mkfs.f2fs 8800 1457156718 pipe failed
...
[ 2462.808252,1] mmcblk1: unknown partition table
[ 2464.031938,0] mmcblk1: p1 p2
[ 2464.556586,0] Core dump to |/system/bin/coredump mkfs.f2fs 8996 1457156767 pipe failed
The big question would be why it crashes. The logcat may give more hints as to this. One thing I did notice is that there are an awful lot of untrusted_app selinux denials. One should usually not grant additional permission to untrusted_app. However, I'm curious if SELinux is causing issues for you. One thing worth trying would be to make selinux permissive (run "setenforce 0" as root) before trying to format the card. If that makes formatting work, then we'd know for sure that it's an SELinux related issue. However, this is just a wild guess, and the issue may be something completely unrelated.
squid2 said:
Thanks for the log. The associated logcat would also be helpful, but from what I see in the dmesg, a couple things jumped out to me.
It looks like the f2fs formatting utility (mkfs.f2fs) crashes, and subsequent attempts crash further:
Code:
[ 2413.240089,0] mmcblk1: p1
[ 2414.518112,1] mmcblk1: p1 p2
[ 2414.969437,1] Core dump to |/system/bin/coredump mkfs.f2fs 8800 1457156718 pipe failed
...
[ 2462.808252,1] mmcblk1: unknown partition table
[ 2464.031938,0] mmcblk1: p1 p2
[ 2464.556586,0] Core dump to |/system/bin/coredump mkfs.f2fs 8996 1457156767 pipe failed
The big question would be why it crashes. The logcat may give more hints as to this. One thing I did notice is that there are an awful lot of untrusted_app selinux denials. One should usually not grant additional permission to untrusted_app. However, I'm curious if SELinux is causing issues for you. One thing worth trying would be to make selinux permissive (run "setenforce 0" as root) before trying to format the card. If that makes formatting work, then we'd know for sure that it's an SELinux related issue. However, this is just a wild guess, and the issue may be something completely unrelated.
Click to expand...
Click to collapse
logcat
@squid2 http://forum.cyanogenmod.org/topic/...-sd-as-internal-storage-then-says-sd-corrupt/
does this seems legit? and if it would works (it works acc. to users in cm12.1 forum) how to execute it?
see the post made by socram8888
can anyone confirm at all if running the command "mkfs.f2fs /dev/block/dm-0" in terminal emulator would do the job? without having to format card using january nightly
booo159159 said:
@squid2 http://forum.cyanogenmod.org/topic/...-sd-as-internal-storage-then-says-sd-corrupt/
does this seems legit? and if it would works (it works acc. to users in cm12.1 forum) how to execute it?
see the post made by socram8888
can anyone confirm at all if running the command "mkfs.f2fs /dev/block/dm-0" in terminal emulator would do the job? without having to format card using january nightly
Click to expand...
Click to collapse
The mkfs.f2fs /dev/block/dm-0 is the command that is failing when trying to format through the wizard. Maybe it works properly when invoked manually. It's worth a try. Let me know what happens when you try it. Be sure to run it as root.
@Ansh2000 Thanks for the logcat. The relevant problem that repeats in the logcat is this crash in mkfs.f2fs:
Code:
03-05 12:09:15.017 192 200 D vold : Resolved auto to f2fs
03-05 12:09:15.017 192 200 V vold : /system/bin/mkfs.f2fs
03-05 12:09:15.017 192 200 V vold : /dev/block/dm-0
--------- beginning of crash
03-05 12:09:15.121 6320 6320 F libc : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x6 in tid 6320 (mkfs.f2fs)
03-05 12:09:15.122 231 231 I DEBUG : property debug.db.uid not set; NOT waiting for gdb.
03-05 12:09:15.122 231 231 I DEBUG : HINT: adb shell setprop debug.db.uid 100000
03-05 12:09:15.122 231 231 I DEBUG : HINT: adb forward tcp:5039 tcp:5039
03-05 12:09:15.206 231 231 I SELinux : SELinux: Loaded file_contexts contexts from /file_contexts.
03-05 12:09:15.209 706 1108 W NativeCrashListener: Couldn't find ProcessRecord for pid 6320
03-05 12:09:15.210 231 231 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-05 12:09:15.210 231 231 E DEBUG : AM write failed: Broken pipe
03-05 12:09:15.210 231 231 F DEBUG : Build fingerprint: 'motorola/condor_retaildsds/condor_umtsds:5.1/LPC23.13-34.8/12:user/release-keys'
03-05 12:09:15.210 231 231 F DEBUG : Revision: '0'
03-05 12:09:15.210 231 231 F DEBUG : ABI: 'arm'
03-05 12:09:15.210 231 231 F DEBUG : pid: 6320, tid: 6320, name: mkfs.f2fs >>> /system/bin/mkfs.f2fs <<<
03-05 12:09:15.210 231 231 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6
03-05 12:09:15.221 231 231 F DEBUG : r0 b6d2e1c0 r1 00000006 r2 b7b770c8 r3 b7b770d8
03-05 12:09:15.222 231 231 F DEBUG : r4 b6d2e1c0 r5 b6d2e1c0 r6 b7b770c8 r7 00000000
03-05 12:09:15.222 231 231 F DEBUG : r8 00000036 r9 b6f4fff4 sl b6f001a4 fp 00000006
03-05 12:09:15.222 231 231 F DEBUG : ip 00000000 sp bea446c0 lr 000007c0 pc b6ef3368 cpsr 60070030
03-05 12:09:15.236 231 231 F DEBUG :
03-05 12:09:15.236 231 231 F DEBUG : backtrace:
03-05 12:09:15.237 231 231 F DEBUG : #00 pc 00001368 /system/lib/libf2fs.so (utf8_to_utf16+31)
03-05 12:09:15.237 231 231 F DEBUG : #01 pc 0000f843 /system/lib/libutils.so
03-05 12:09:15.237 231 231 F DEBUG : #02 pc 0000f897 /system/lib/libutils.so (android::String16::String16(char const*)+22)
03-05 12:09:15.237 231 231 F DEBUG : #03 pc 0001fa41 /system/lib/libbinder.so
03-05 12:09:15.341 231 231 F DEBUG :
03-05 12:09:15.341 231 231 F DEBUG : Tombstone written to: /data/tombstones/tombstone_00
03-05 12:09:15.344 192 200 I mkfs.f2fs: mkfs.f2fs terminated by signal 11
03-05 12:09:15.344 706 733 I BootReceiver: Copying /data/tombstones/tombstone_00 to DropBox (SYSTEM_TOMBSTONE)
03-05 12:09:15.344 192 200 E vold : private:179_66 failed to format: No such device or address
You can see that the crash is happening in some string conversion code (invokations via utf8_to_utf16). I'm not yet sure why this crash is happening, but at least we now know what the crash is. One wild and probably incorrect guess is that it has something to do with differences between the condor fstab and otus fstab (such as the dual f2fs and ext4 userdata support, different mount flags).
BTW: Just to be sure, @Ansh2000, your internal storage userdata partition is formatted as f2fs and not ext4?
@squid2 formatted with f2fs.
Thanks @squid2 for taking your time out and looking at this condor specific issue. Thanks a bunch
@squid2 the partition formats successfully but still in the setting, it shows the sd card as corrupted even after a reboot. again trying to format through wizard and still unable to use.
FYI I had permissive selinux, and yes i ran it as root
and I use ext4 only, I never migrated to f2fs
EDIT: i made a mistake, this command would only work through the stock kernel, while i was using custom kernel. And flashing the kernel after making the sd card internal wont work either.
I mean the sd card would format. But only will be usable as internal through stock kernel
So i guess we'll have to wait until @rainforce279 brings some updates
squid2 said:
The mkfs.f2fs /dev/block/dm-0 is the command that is failing when trying to format through the wizard. Maybe it works properly when invoked manually. It's worth a try. Let me know what happens when you try it. Be sure to run it as root.
It is not working says mkfs.f2fs not found.
Click to expand...
Click to collapse
cm13 20160113
from where i can get cm13 20160113 build. bcoz it's not available on official site...
can u plz provide the link...
rajeev20 said:
from where i can get cm13 20160113 build. bcoz it's not available on official site...
can u plz provide the link...
Click to expand...
Click to collapse
http://forum.xda-developers.com/showpost.php?p=65406771&postcount=1338
:laugh::laugh:
squid2 said:
Thanks for the log. The associated logcat would also be helpful, but from what I see in the dmesg, a couple things jumped out to me.
It looks like the f2fs formatting utility (mkfs.f2fs) crashes, and subsequent attempts crash further:
Code:
[ 2413.240089,0] mmcblk1: p1
[ 2414.518112,1] mmcblk1: p1 p2
[ 2414.969437,1] Core dump to |/system/bin/coredump mkfs.f2fs 8800 1457156718 pipe failed
...
[ 2462.808252,1] mmcblk1: unknown partition table
[ 2464.031938,0] mmcblk1: p1 p2
[ 2464.556586,0] Core dump to |/system/bin/coredump mkfs.f2fs 8996 1457156767 pipe failed
The big question would be why it crashes. The logcat may give more hints as to this. One thing I did notice is that there are an awful lot of untrusted_app selinux denials. One should usually not grant additional permission to untrusted_app. However, I'm curious if SELinux is causing issues for you. One thing worth trying would be to make selinux permissive (run "setenforce 0" as root) before trying to format the card. If that makes formatting work, then we'd know for sure that it's an SELinux related issue. However, this is just a wild guess, and the issue may be something completely unrelated.
Click to expand...
Click to collapse
even if we somehow get adopted working on the roms which gives corrupted sd card error ....another error arises that is when we update apps that is on sd card the updated app comes on internal and when we try to move that app to sd card again ,phone soft reboots and app still remains on internal.
I'm on bliss 6.0 tried all the methods get error 255 I like m but if can't get SD fixed I'm going back to 5.1.1
Hi,
i just rooted my Fire TV 1 (version 51.1.4.0) via dirtycow, and I wanted to share my experience. (Unfortunately I cannot post external Links here)
Dirtycow allows you to write to files, even if you have no permission to do so. Unfortunately there is no binary on the system with the suid bit set, so I could not replace this binary. (Other attempts on other Android devices replaced the run-as binary. This is not possible here). Another problem was, that the modification only last for the current boot, so I could not just modify boot scripts. I had to find a binary, that is executed as root while the system is running, preferably on demand. This binary is ip. Every time one modifies the network settings in the Fire TV gui, ip is executed as root. Yay. With that in mind, I replaced ip with a shell script, that deploys the su binary.
This is what I did:
I compiled the dirtycow.c from timwr GitHub Repository CVE-2016-5195
Then I put the resulting binary into /data/local/tmp on my Firetv (via adb)
Now I pushed chainfires su binary to /data/local/tmp
I copied the /system/bin/ip binary to /data/local/tmp
I wrote this shell script, pushed it to /data/local/tmp and marked it executable (755)
Code:
#!/system/bin/sh
mount -o remount,rw /system
cp /data/local/tmp/su /system/xbin
chmod 4755 /system/xbin/su
/data/local/tmp/ip "[email protected]"
After that, I used dirtycow to replace ip with my new ip script (./dirtycow /system/bin/ip ip_script) [This may take a while]
Now I went to my network settings of my Fire TV and changed them to a static ip address.
I reconnected to my amazon Fire tv and typed su
Code:
[email protected]:/ $ su
[email protected]:/ #
Lastly I installed the Supersu.apk from chainfire
Root seems to work with the adb shell and the terminal app. Somehow it does not with amaze file manager. If I start it I get thrown into the amazon fire ui.
This rooting method should also work for other versions of the fireOS, though I have not tested them.
Can you downgrade with being in the root state?
sconnyuk said:
Can you downgrade with being in the root state?
Click to expand...
Click to collapse
Yes. After rooting, I downgraded to 5.1.0.2 and did a full bootloader unlock. I am now running a rooted 5.2.1.1
christofsteel said:
Yes. After rooting, I downgraded to 5.1.0.2 and did a full bootloader unlock. I am now running a rooted 5.2.1.1
Click to expand...
Click to collapse
Will have to try this for fire stick.
Excellent find, ive been watching the dirtycow and this will come in handy if it works for fire stick.
sconnyuk said:
Will have to try this for fire stick.
Excellent find, ive been watching the dirtycow and this will come in handy if it works for fire stick.
Click to expand...
Click to collapse
Please report back
I think it is important to note, that I configured a static ip address to trigger the ip script. Root is permanent btw. as soon as the su binary is deployed, you can reboot all you like.
firetv have selinux? what version linux is it?
christianrodher said:
firetv have selinux? what version linux is it?
Click to expand...
Click to collapse
I thought I read somewhere, that FireOS 5 had SELinux. I could not check, because I still ran FireOS 3. Seems like it does not have SELinux. I will remove the remark from my initial post.
christofsteel said:
I thought I read somewhere, that FireOS 5 had SELinux. I could not check, because I still ran FireOS 3. Seems like it does not have SELinux. I will remove the remark from my initial post.
Click to expand...
Click to collapse
can you double check if sepolicy is present or something similar?
christianrodher said:
can you double check if sepolicy is present or something similar?
Click to expand...
Click to collapse
Ok. In my FireOS version 5.2.1.1 there is SELinux activated and enforcing. In FireOS version 51.1.0.4 there was none. But I do not know if that hinders the rooting process.
christofsteel said:
Ok. In my FireOS version 5.2.1.1 there is SELinux activated and enforcing. In FireOS version 51.1.0.4 there was none. But I do not know if that hinders the rooting process.
Click to expand...
Click to collapse
ok so when you do the exploit u where at selinux enforcing.... ok if is that simple after weve been working our asses here https://github.com/timwr/CVE-2016-5195/issues/9 im going to break the pc and the cell phone lol
@christianrodher No worries, I doubt this is the universal solution! I think it's that the TV runs `ip` with a really lenient SELinux context for some stupidly weird reason.
christianrodher said:
ok so when you do the exploit u where at selinux enforcing.... ok if is that simple after weve been working our asses here https://github.com/timwr/CVE-2016-5195/issues/9 im going to break the pc and the cell phone lol
Click to expand...
Click to collapse
No I did the exploit on my FireOS version 51.1.0.4. Afaik there was no SELinux present. SELinux is present in FireOS version 5.2.1.1. I can test, if this exlploit works on my now updated Fire TV.
Edit: It did not work I could not mount system read write. Seems like it only works for FireOS 3
Really tried to get this to work. I think I'm close. I saw SELinux complain about the file size so I did some padding. Here's where I'm at
187594885]
I/Kernel ( 163): [ 1503.059370] (0)[163:healthd]healthd: battery l=100 v=4200
t=2.2 h=2 st=5 chg=u
W/linker (10431): ./dirtycow: unused DT entry: type 0x6ffffffe arg 0x600
W/linker (10431): ./dirtycow: unused DT entry: type 0x6fffffff arg 0x1
I/exploit (10431): size 223296
I/exploit (10431):
I/exploit (10431): [*] mmap 0xf7546000
I/exploit (10431): [*] exploit (patch)
I/exploit (10431): [*] currently 0xf7546000=464c457f
I/exploit (10431): [*] madvise = 0xf7546000 223296
I/Kernel ( 0): [ 1509.432532]-(2)[0:swapper/2]CPU2: Booted secondary process
or
I/Kernel ( 0): [ 1509.437302]-(3)[0:swapper/3]CPU3: Booted secondary process
or
I/Kernel ( 87): [ 1509.437743] (0)[87:hps_main][HPS] (0004)(1)(0)action end(2
7)(35)(0)(2) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (6)(230)(0) (0)(0)(0) (0)(6)(230)(0)
(6)
I/exploit (10431): [*] madvise = 0 1048576
I/Kernel ( 0): [ 1511.439231]-(1)[0:swapper/1]CPU1: Booted secondary process
or
I/Kernel ( 87): [ 1511.440339] (0)[87:hps_main]CPU3: shutdown
I/Kernel ( 87): [ 1511.440873] (0)[87:hps_main][HPS] (0800)(1)(2)action end(1
05)(102)(0)(1) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (105)(10)(0) (1666)(10)(0) (0)(102
)(10)(0)(102)
I/exploit (10431): [*] /proc/self/mem -1048576 1048576
I/exploit (10431): [*] exploited 0xf7546000=464c457f
I/art ( 501): Background partial concurrent mark sweep GC freed 256902(12MB
) AllocSpace objects, 15(2MB) LOS objects, 33% free, 20MB/31MB, paused 690us tot
al 136.802ms
E/WifiStateMachine( 501): WifiStateMachine CMD_START_SCAN source -2 txSuccessRa
te=50.64 rxSuccessRate=38.79 targetRoamBSSID=58:6d:8f:09:b7:37 RSSI=-39
E/WifiStateMachine( 501): WifiStateMachine L2Connected CMD_START_SCAN source -2
93, 94 ignore because P2P is connected
I/Kernel ( 87): [ 1513.438566] (0)[87:hps_main]CPU2: shutdown
I/Kernel ( 87): [ 1513.439651] (0)[87:hps_main][HPS] (0400)(2)(1)action end(7
)(4)(0)(0) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (7)(10)(0) (288)(10)(0) (0)(4)(10)(0)(
4)
I/Kernel ( 87): [ 1515.438476] (0)[87:hps_main]CPU1: shutdown
I/Kernel ( 87): [ 1515.439146] (0)[87:hps_main][HPS] (0200)(2)(0)action end(4
)(3)(0)(0) (2)(2)(2)(2)(2)(2)(2)(2)(1)(0) (4)(10)(0) (46)(10)(0) (0)(3)(10)(0)(3
)
I/Kernel ( 119): [ 1521.197537] (0)[119:wdtk-0]wdk: [WDK], local_bit:0x1, cpu:
0, check_bit:0x1, RT[1521197519702]
I/Kernel ( 119): [ 1521.197575] (0)[119:wdtk-0]wdk: [WDK]: kick Ex WDT,RT[1521
197568471]
E/WifiStateMachine( 501): WifiStateMachine CMD_START_SCAN source -2 txSuccessRa
te=3.98 rxSuccessRate=3.61 targetRoamBSSID=58:6d:8f:09:b7:37 RSSI=-39
E/WifiStateMachine( 501): WifiStateMachine L2Connected CMD_START_SCAN source -2
94, 95 ignore because P2P is connected
^C
C:\Program Files (x86)\Minimal ADB and Fastboot>
130|[email protected]:/data/local/tmp $ getenforce
Enforcing
130|[email protected]:/data/local/tmp $ getenforce
Enforcing
I have an AFTV2 running latest firmware. I also noticed chainfires su binary i had was 32bit so I grabbed a 64bit one. Still no dice
[email protected]:/data/local/tmp $ ls -la
-rwxrwxrwx shell shell 13776 2016-10-31 17:43 dirtycow
-rwxrwxrwx shell shell 223296 2016-10-31 18:27 ip
-rwxrwxrwx shell shell 223296 2016-10-31 19:48 ip_script
-rwxrwxrwx shell shell 108480 2016-10-31 19:39 su
[email protected]:/data/local/tmp $
Hopes this helps someone
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you
Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
VastVenomm said:
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you
Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
Click to expand...
Click to collapse
you need to extract the SU binary file from Supersu. apk
I ran:
./dirtycow /system/bin/ip ip_script
I marked the scripts as 755 as well.
Error:
/system/bin/sh: ./dirtycow: not executable: 64-bit ELF file.
I also tried compiling dirtycow as 32bit. And got:
/system/bin/sh: ./dirtycow: not executable: 32-bit ELF file.
Help would be appreciated, thank you.
Do you save the shell script as ip_script.sh?
Sent from my SM-G920P using Tapatalk
VastVenomm said:
I've reached Step 3, I don't understand what you mean by su binary, as in, the whole flashable zip of supersu? or something else? Could you please explain? Thank you
Edit: Before I carry on, I was attempting this on the fire tv *Stick* instead of the box, running 5.2.1.1 would it still work?
Click to expand...
Click to collapse
You do not need to extract the binary from the SuperSU.apk, rather download the zip from here: https://download.chainfire.eu/696/supersu/
Then extract the zipfile and copy the su file from the arm folder.
Edit: I think it would not work because FireOS > 5.2.0.0 has SELinux activated. This method does not seem to work with SELinux.
VastVenomm said:
I ran:
./dirtycow /system/bin/ip ip_script
I marked the scripts as 755 as well.
Error:
/system/bin/sh: ./dirtycow: not executable: 64-bit ELF file.
I also tried compiling dirtycow as 32bit. And got:
/system/bin/sh: ./dirtycow: not executable: 32-bit ELF file.
Help would be appreciated, thank you.
Click to expand...
Click to collapse
You compiled the source to x86 code. You need to compile dirtycow with a compiler for arm. I recommend using androids ndk.
I still got 5.0.5.1 on my FTV1. Is there a chance that I might get root using the dirtycow exploit?
christofsteel said:
You do not need to extract the binary from the SuperSU.apk, rather download the zip from here: https://download.chainfire.eu/696/supersu/
Then extract the zipfile and copy the su file from the arm folder.
Edit: I think it would not work because FireOS > 5.2.0.0 has SELinux activated. This method does not seem to work with SELinux.
You compiled the source to x86 code. You need to compile dirtycow with a compiler for arm. I recommend using androids ndk.
Click to expand...
Click to collapse
Rename apk to zip and extract su no diffence from what I posted.
I know that this comes a little bit late but this device still a good machine...
This could be used potentially to boot bricked devices. Unfortunately further work would be required since the Shield Tablet uses a private key (not on the device) to sign the bootloader and if I understand correctly from fuses, nvflash cmds. Probably it could be posible boot into Linux implementing something like shofelf2 does and reflash the emmc from it.... at the same time I don't have a bricked device to verify this.
My main aim with this was to learn about SOCs bootchain/baremetal and related protocols and maybe boot clean Debian with a clean uBoot.... I still pending to acknowledge the second but I really don't know how long will it take me... I don't have that much spare time and this took me almost 1 year and a half to earn the knowledge to reach this point...
ShofEL2 for T124
This is a Fusee Gelee / ShofEL2 exploit port for the Nvidia T124 (a.k.a Jetson TK1, Shield K1, etc).
Currently this code allows you to download and execute a payload to the T124, dump the fuses and memory and boot bct without apply the locks.
Mostly of my code is based on the original ShofEL2 code and Katherine Temkin research, so I cannot take that much credit for this.
See the original fail0verflow blog post: https://fail0verflow.com/blog/2018/shofel2/ See additional info at the original Katherine Temkin github: https://github.com/Qyriad/fusee-launcher/blob/master/report/fusee_gelee.md
Obligatory disclaimer
This code is provided without any warranty, use under your own resposability.
Usage
You need an arm-*-eabi toolkit. You can use Crosstool-ng compile it.
Build the loader and payloads:
$ cd ShofEL2-for-T124
$ make
Usage
$ ./shofel2_t124 ( MEM_DUMP | READ_FUSES | BOOT_BCT | PAYLOAD ) [options]
$ MEM_DUMP address length out_file -> Dumps "length" bytes starting from "address" to "out_file".
$ READ_FUSES out_file -> Dumps the T124 fuses to "out_file" and show them in console.
$ BOOT_BCT -> Boots BCT without applying locks.
$ PAYLOAD payload.bin [arm|thumb] -> Boots "payload.bin" the entrymode mode can be specified (thumb by default)
Interesting facts (maybe some of them wrong):
RCM loads the payload to IRAM at 0x4000E000 (described on tegrarcm source code).
RCM cmd format is sligitly different. RCM cmd header length is 0x284 bytes but the firtst 4 bytes still containing the RCM cmd length.
RCM cmd length restrictions are different to X1 bootrom:
Bulk transfers need to be multiply of 0x1000 to ensure use the whole usb buffer.
RCM cmd length minus 0x284 (header length) must be a multiple of 0x10 (which means RCM CMD length needs to end in 4).
RCM cmd min length is 0x404 bytes. Due to the previous condition the minimun length would be 0x1004.
RCM cmd length cannot exceed avaiable IRAM for the payload (from 0x4000E000 till 0x4003FFFF).
With all this in mind max RCM cmd length is 0x32274 bytes.
Since the exploit uses usb buffer 2, only 0x31000 bytes can be used for the payload in order to avoid finishing the RCM cmd.
A payload can still be loaded using the same path as the one used by the original shofEL2, since no validation is carried out till the whole payload is received.
Even if the specs says that the JTAG is enabled by default, cold bootrom code disasbles it while is runnig (not as dumb as expected ).
RCM runs on an ARM7TDMI core, I manage to halt the CPU on uboot using a Segger J-LINK.
When the poisoned get status is executed, 0x30C bytes will be copied before the payload. These bytes are part of the execution stack, starting with the USB status var.
Using the original sanity_check function from shofel2, I got from the execution stack that the RCM USB buffers are located at 0x40004000 and 0x40008000.
Two USB buffers of 0x1000 bytes still present. They still alternating on each USB txn. And odd number of USB txn will let you on the hight buffer for the next txn.
Using the original sanity_check function from shofel2, I got from the execution stack that the memcpy return address is located at 0x4000DCD8 (0x4000DCF4 - 0xC - 2 * 4 - 2 * 4).
The position in the RCM cmd where the entry adress need to be write to smash the memcpy return address is calculated as follow:
n_bytes_to_copy = 0x4000DCD8 - 0x40008000 (memcpy_ret_add_loc - usb_buf2_add) -> n_bytes_to_copy = 0x5CD8 bytes
pos_in_payload = n_bytes_to_copy - 0x30C (copied from the execution stack) - 0x4 -> pos_in_payload = 0x59C8
pos_in_rcm_cmd = pos_in_payload + 0x284 (header length) -> pos_in_rcm_cmd = 0x5C4C
I found the following functions on the the bootrom:
void ep1_in_write_imm(void *buffer, u32 size, u32 *num_xfer) -> 0x001065C0 -> Writes EP1_IN
void ep1_out_read_imm(void *buffer, u32 size, u32 *num_xfer) -> 0x00106612 -> Reads EP1_OUT
void do_bct_boot() -> 0x00100624 -> Boots BCT without applying locks.Hello
Source: https://github.com/LordRafa/ShofEL2-for-T124/releases
Great work! Does this mean you could in theory push payloads made for the switch to the K1, as they are both tegra-based devices?
xdpirate said:
Great work! Does this mean you could in theory push payloads made for the switch to the K1, as they are both tegra-based devices?
Click to expand...
Click to collapse
Well, yes that is partially right but bear in mind that these payloads relies sometimes on the switch peripherals, so for example if you want to show something on the LCD it will not work because the shield and switch LCDs controllers aint the same, the code will run on the boot CPU but the LCD will not work because they don't work in the same way... It is something like use the wrong driver for a device.
Also you need to understand that the payloads normally are used as first stage loader for something else, if that something else is wrote for the switch app CPU it will not work at all. Switch Tegra app CPU is an arm64 CPU and shield app CPU is a 32bit armv7 so they are not compatible. E.g. this is why I cannot run the Switch Linux directly on my shield.... and even if they could work, again you will find the problem of the peripherals and many others customized things for Nintendo... that is why a Shield TV is not a Switch... same same... but different.
This can be more useful to those people that are interesting to do some research around this device.
Is it possible to unbrick a Shield Tablet killed with this ?
Tonio1987french said:
Is it possible to unbrick a Shield Tablet killed with this ?
Click to expand...
Click to collapse
With some additional development I think that it could be posible. Unfortunately I don't have a killed device to work on this.
Someone that would like to work on this, would need to check where the kill switch is enabled and where is verified.
If I understand correctly this would be the boot chain: bootrom -> nvtboot ( boot cpu code ) -> nvtboot ( app cpu code ) -> second stage bootloader( uboot/fastboot??? ) -> Android.
I would be tempted to think that nvtboot at boot cpu is the responsible to check if the kill switch has been enabled, or maybe the kill switch just modifies the bct header to break the boot chain... If I am right then maybe it would be posible to use shoelf2 to restore a backup to the emmc.
A payload would still need to be developed to being able to read/write the emmc using shoelf2. This is something that I am considering to implement as part of the works porting mainline Linux.
Also it would be nice to see if all devices shares the same private key that would be great because anyone could read a working shield emmc and share it to restore a killed one... if anyone could share the fuse dump, that my shoelf2 generates I could answer this question....
Anyway I would require a killed switch to being able to work on this... My main focus now is run mainline Linux....
Lord_Rafa said:
With some additional development I think that it could be posible. Unfortunately I don't have a killed device to work on this.
Someone that would like to work on this, would need to check where the kill switch is enabled and where is verified.
If I understand correctly this would be the boot chain: bootrom -> nvtboot ( boot cpu code ) -> nvtboot ( app cpu code ) -> second stage bootloader( uboot/fastboot??? ) -> Android.
I would be tempted to think that nvtboot at boot cpu is the responsible to check if the kill switch has been enabled, or maybe the kill switch just modifies the bct header to break the boot chain... If I am right then maybe it would be posible to use shoelf2 to restore a backup to the emmc.
A payload would still need to be developed to being able to read/write the emmc using shoelf2. This is something that I am considering to implement as part of the works porting mainline Linux.
Also it would be nice to see if all devices shares the same private key that would be great because anyone could read a working shield emmc and share it to restore a killed one... if anyone could share the fuse dump, that my shoelf2 generates I could answer this question....
Anyway I would require a killed switch to being able to work on this... My main focus now is run mainline Linux....
Click to expand...
Click to collapse
I do have a killed Shield Tablet LTE. Where are you from?
The OTA that kills the tablet has been dissected here: https://forum.xda-developers.com/shield-tablet/general/kill-kill-switch-shield-tablet-xx-t3179489
Once flashed the tablet doesn't give any signs of life, and goes only in APX mode when connected:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Is it possible to use ShoEL in APX mode? I don't think?
Gave a quick try compiling crosstool-ng on Debian 8 but it's hanging at make, will have a look at it later.
On a side note, one user (Drims75) from Ukraine restores motherboard for a modic cost, you can find a couple of user who sent their motherboard to him: https://forum.xda-developers.com/showpost.php?p=71516196&postcount=139
Thanks for your work!
I can confirm the exploit is working.
Thanks so much LordRafa, you're a legend!
How do i get the SBK Key? Is the FUSE_PRIVATE_KEY i get via READ_FUSES the SBK? And is it possible to dump the BIS keys? The biskeydump payload seems only working for switch. Anyone has a biskeydump payload for t124?
This is absolutely awesome.
I have a bricked shield tablet, here is the output from the fuses:
Waiting T124 to enter RCM mode (ctrl-c to cancel). Note: root permission could be required.
K1 in RCM mode connected.
Chip ID: 0x40 0x02 0x07 0x01 0x00 0x00 0x00 0x10 0x09 0xa1 0x0c 0x74 0x01 0x10 0x00 0x64
Hacky Get Status returned error... Probably the stack got smashed, Congrats
Dumping 768 bytes from 0x7000f900.
FUSE_PRODUCTION_MODE: 00000001
FUSE_JTAG_SECUREID_VALID: 00000001
FUSE_ODM_LOCK: 00000006
FUSE_OPT_OPENGL_EN: 00000001
FUSE_SKU_INFO: 0000001f
FUSE_CPU_SPEEDO_0_CALIB: 000008cd
FUSE_CPU_IDDQ_CALIB: 0000030f
RESERVED_0x01C: 00000000
RESERVED_0x020: 00000000
RESERVED_0x024: 00000000
FUSE_OPT_FT_REV: 00000022
FUSE_CPU_SPEEDO_1_CALIB: 00000000
FUSE_CPU_SPEEDO_2_CALIB: 000007fe
FUSE_SOC_SPEEDO_0_CALIB: 0000089f
FUSE_SOC_SPEEDO_1_CALIB: 00000000
FUSE_SOC_SPEEDO_2_CALIB: 00000000
FUSE_SOC_IDDQ_CALIB: 0000025f
RESERVED_0x044: 00000000
FUSE_FA: 00000000
FUSE_RESERVED_PRODUCTION: 00000002
FUSE_HDMI_LANE0_CALIB: 00000000
FUSE_HDMI_LANE1_CALIB: 00000000
FUSE_HDMI_LANE2_CALIB: 00000000
FUSE_HDMI_LANE3_CALIB: 00000000
FUSE_ENCRYPTION_RATE: 00000000
FUSE_PUBLIC_KEY 0-3: bc420312 298f5d3c a5abe328 9e556001
FUSE_PUBLIC_KEY 4-7: 0eefbfaa 756a7b0f b7507e2f 149672c4
FUSE_TSENSOR1_CALIB: 03a27cbb
FUSE_TSENSOR2_CALIB: 03ee9ee6
RESERVED_0x08C: 00000000
FUSE_OPT_CP_REV: 00000022
FUSE_OPT_PFG: 00000000
FUSE_TSENSOR0_CALIB: 0053a324
FUSE_BOOTROM_PATCH_SIZE: 00000002
FUSE_SECURITY_MODE: 00000001
FUSE_PRIVATE_KEY: 5f244a57 d0197865 940f80a3 15484c8f
FUSE_DEVICE_KEY: 5e65bbde
FUSE_ARM_DEBUG_DIS: 00000000
FUSE_BOOT_DEVICE_INFO: 00000000
FUSE_RESERVED_SW: 00000000
FUSE_VP8_ENABLE: 00000001
FUSE_RESERVED_ODM 0-3: 00000000 00007090 0000000b 00000000
FUSE_RESERVED_ODM 4-7: 00000000 00000000 00000000 00000000
FUSE_OBS_DIS: 00000000
RESERVED_0x0EC: 00000000
FUSE_USB_CALIB: 02c6038b
FUSE_SKU_DIRECT_CONFIG: 00000000
FUSE_KFUSE_PRIVKEY_CTRL: 00000003
FUSE_PACKAGE_INFO: 00000004
FUSE_OPT_VENDOR_CODE: 00000000
FUSE_OPT_FAB_CODE: 00000000
FUSE_OPT_LOT_CODE_0: 00000000
FUSE_OPT_LOT_CODE_1: 00000000
FUSE_OPT_WAFER_ID: 00000000
FUSE_OPT_X_COORDINATE: 00000000
FUSE_OPT_Y_COORDINATE: 00000000
FUSE_OPT_SEC_DEBUG_EN: 00000000
FUSE_OPT_OPS_RESERVED: 00000000
FUSE_SATA_CALIB: 00000000
FUSE_GPU_IDDQ_CALIB: 0000036e
FUSE_TSENSOR3_CALIB: 03e21f59
FUSE_SKU_BOND_OUT_L: 00000000
FUSE_SKU_BOND_OUT_H: 00000000
FUSE_SKU_BOND_OUT_U: 00000000
FUSE_SKU_BOND_OUT_V: 00000000
FUSE_SKU_BOND_OUT_W: 00000000
RESERVED_0x144: 00000000
FUSE_OPT_SUBREVISION: 00000000
FUSE_OPT_SW_RESERVED_0: 00000000
FUSE_OPT_SW_RESERVED_1: 00000000
FUSE_TSENSOR4_CALIB: 03b41d91
FUSE_TSENSOR5_CALIB: 0024c106
FUSE_TSENSOR6_CALIB: 03f15f1c
FUSE_TSENSOR7_CALIB: 00788335
FUSE_OPT_PRIV_SEC_EN: 00000000
FUSE_PKC_DISABLE: 00000000
RESERVED_0x16C: 00000000
RESERVED_0x170: 00000000
RESERVED_0x174: 00000000
RESERVED_0x178: 00000000
FUSE_FUSE2TSEC_DEBUG_DISABLE: 00000001
FUSE_TSENSOR8_CALIB: 00173ab1
FUSE_OPT_CP_BIN: 00000003
FUSE_OPT_GPU_FS: 00000000
FUSE_OPT_FT_BIN: 00000001
RESERVED_0x190: 00000000
FUSE_SKU_BOND_OUT_X: 00000000
FUSE_APB2JTAG_DISABLE: 00000000
RESERVED_0x19C: 00000000
FUSE_PHY_FLOORSWEEP: 00000000
FUSE_PHY_FLOOR_ENABLE: 00000000
FUSE_ARM_CRYPT_DE_FEATURE: 00000000
FUSE_DENVER_MTS_DE_FEATURE: 00000000
FUSE_DIE_VERSION_OVERRIDE: 00000000
FUSE_TRIMMERS: 00000000
FUSE_DENVER_BOOT_SEC: 00000000
FUSE_DENVER_DFD_ACCESS: 00000000
FUSE_WOA_SKU_FLAG: 00000000
FUSE_ECO_RESERVE_1: 00000000
FUSE_GCPLEX_CONFIG_FUSE: 00000002
RESERVED_0x1CC: 00000000
RESERVED_0x1D0: 00000000
RESERVED_0x1D4: 00000000
RESERVED_0x1D8: 00000000
RESERVED_0x1DC: 00000000
RESERVED_0x1E0: 00000000
RESERVED_0x1E4: 00000000
RESERVED_0x1E8: 00000000
RESERVED_0x1EC: 00000000
RESERVED_0x1F0: 00000000
RESERVED_0x1F4: 00000000
RESERVED_0x1F8: 00000000
FUSE_SPARE_REALIGNMENT_REG: 00000000
FUSE_SPARE_BITS 00-03: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 04-07: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 08-11: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 12-15: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 16-19: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 20-23: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 24-27: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 28-31: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 32-35: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 36-39: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 40-43: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 44-47: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 48-51: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 52-55: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 56-59: 00000000 00000000 00000000 00000000
FUSE_SPARE_BITS 60-63: 00000000 00000000 00000000 00000000
Lord_Rafa said:
With some additional development I think that it could be posible. Unfortunately I don't have a killed device to work on this.
Someone that would like to work on this, would need to check where the kill switch is enabled and where is verified.
If I understand correctly this would be the boot chain: bootrom -> nvtboot ( boot cpu code ) -> nvtboot ( app cpu code ) -> second stage bootloader( uboot/fastboot??? ) -> Android.
I would be tempted to think that nvtboot at boot cpu is the responsible to check if the kill switch has been enabled, or maybe the kill switch just modifies the bct header to break the boot chain... If I am right then maybe it would be posible to use shoelf2 to restore a backup to the emmc.
A payload would still need to be developed to being able to read/write the emmc using shoelf2. This is something that I am considering to implement as part of the works porting mainline Linux.
Also it would be nice to see if all devices shares the same private key that would be great because anyone could read a working shield emmc and share it to restore a killed one... if anyone could share the fuse dump, that my shoelf2 generates I could answer this question....
Anyway I would require a killed switch to being able to work on this... My main focus now is run mainline Linux....
Click to expand...
Click to collapse
Did you have any success running/porting mainline linux?
Would this dump the key required to nvflash u-boot?
Edit: I think I understand enough now to know why this is a dumb question. One would use tegrarcm, not nvflash.
Fuses - Nintendo Switch Brew
switchbrew.org
Edit: From NVidia's bct-overview:
When a chip has an RSA public key (PKC) programmed into its flash, it expects the BCT to contain RSA-PSS signatures created/validated using that key pair. When a chip has an AES key (SBK; Secure Boot Key) programmed into its flash, it expects the BCT to contain AES-CMAC hashes created/validated using that key.
Click to expand...
Click to collapse
Has anyone done any testing around what that means for devices with both PKC and SBK? As in does it validate both, either or a does one take precedence over the other?