Database Users

[Android] TouchPad Android kernel mini howto

It seems there is little information on the internet regarding how to compile the kernel and how to convert to the correct image format so the boot loader will recognise and how to transfer it over to the touchpad. I ended up spent a few hours and finally figured out. I hope this will be useful for someone. I will try to make it concise as this is mainly aimed for developers.
What you will need
A linux development machine with uboot mkimage tool installed.
Sourcery G++ Lite 2010q1-188 for ARM EABI cross compile tool chain
https://sourcery.mentor.com/sgpp/lite/arm/portal/release1294
Touchpad kernel source
https://github.com/CyanogenMod/hp-kernel-tenderloin
CM7 Alpha 3 image (zip file)
http://goo-inside.me/roms/cmtouchpad/alpha3/update-cm-7.1.0-tenderloin-a3-fullofbugs-signed.zip
Prepare
Download CM7 Alpha 3 image and extract the boot.img to a temporary place.
Download Sourcery G++ Lite and install it. Add the G++ Lite tool chain binaray path to the PATH env variable. Get the kernel source from git hub and extract to local disk and change directory to the kernel source.
Compile the kernel
Still in the kernel source directory run
Code:
make ARCH=arm CROSS_COMPILE=arm-none-eabi- tenderloin_android_defconfig
make ARCH=arm CROSS_COMPILE=arm-none-eabi- uImage
Prepare the initramfs U-boot image
Extract the initramfs from the boot.img saved in temporary folder and convert it to uboot-image format
Code:
dd if=boot.img bs=1 skip=3577748 of=img.gz
mkimage -A arm -O linux -T ramdisk -C none -a 0x60000000 -e 0x60000000 -n "Image" -d ./img.gz arch/arm/boot/uRamdisk
(The dd offset for alpha 2.1 image is 3561152)
Combine the kernel and initramfs into a single U-boot image
Create a combined U-boot image (kernel and initramfs)
Code:
mkimage -A arm -O linux -T multi -a 0x40208000 -e 0x40208000 -C none -n "multi image" -d arch/arm/boot/uImage:arch/arm/boot/uRamdisk uImage.CyanogenMod.new
Transfer it to the device
Boot your touchpad into recovery mode and run
Code:
adb shell mount /dev/block/mmcblk0p13 /boot
adb push uImage.CyanogenMod.new /boot/uImage.CyanogenMod.new
adb shell umount /boot
adb shell reboot
After it reboot you should be able to see a new CyanogenMod.new item from the boot menu.
That's it!
Optimisation
For those who wants to experiment with GCC build options you can update the entry "arch-$(CONFIG_CPU_32v7" in file arch/arm/Makefile and I set mine to
Code:
arch-$(CONFIG_CPU_32v7) :=-D__LINUX_ARM_ARCH__=7 -mtune=cortex-a8 -mfpu=neon -ftree-vectorize -mfloat-abi=softfp -O2 $(call cc-option,-march=armv7-a,-march=armv5t -Wa$(comma)-march=armv7-a)
Warning
Please be aware you are working on the bleeding edge kernel for touchpad and there is no guarantee that the latest git version will work for you. Please try an earlier version if that's the case.
As of 2011-11-23 you will need the latest kernel source to build kernel for alpha 3. Please do not mix the kernel with an initramfs from a different version, i.e. don't use initramfs extracted from alpha 2.1 and use it with alpha3.

Thanks for this. Last weekend spent a while trying to figure this out.
Sent from my HP Touchpad using Tapatalk

x2. Huge thanks

Thank you soooooo much for this guide. Quick question if you don't mind though.. I am using an mkimage that goes back to my nook kernel days. Is there anything newer out, or would this still be ok,?

Divine_Madcat said:
Thank you soooooo much for this guide. Quick question if you don't mind though.. I am using an mkimage that goes back to my nook kernel days. Is there anything newer out, or would this still be ok,?
Click to expand...
Click to collapse
As long as the mkimage can generate a standard U-boot image it should be fine.
You can always try it yourself. In worst case you have to hard reboot the touchpad by pressing the power button and home button at the same time for more than 10 minutes. As long as you keep the original image files (UImage.*) untouched I don't think you can brick it even if you want to.

S7
I have been trying to compile the kernel for some time now, and was hopeful reading your guide (and this last post) However, still following the steps to merge the ramdisk, i cannot make a booting kernel. I can get it flashed, as i am using the update.zip method, but moboot always gives me a crc error when booting it.
Though, before i totally go nuts, i think i need to try the source forgery toolchain, as i am using the Android ndk r6b...

Divine_Madcat said:
S7
I have been trying to compile the kernel for some time now, and was hopeful reading your guide (and this last post) However, still following the steps to merge the ramdisk, i cannot make a booting kernel. I can get it flashed, as i am using the update.zip method, but moboot always gives me a crc error when booting it.
Though, before i totally go nuts, i think i need to try the source forgery toolchain, as i am using the Android ndk r6b...
Click to expand...
Click to collapse
Could you check the md5sum of the u-boot image crated on disk and the one installed by update.zip file? Do they match? If they do then you probably will need to upgrade your mkimage tool.

s7mx1 said:
Could you check the md5sum of the u-boot image crated on disk and the one installed by update.zip file? Do they match? If they do then you probably will need to upgrade your mkimage tool.
Click to expand...
Click to collapse
I will give it a check; just in case, know where to get a newer mkimage?

Thanks so much for this guide
s7mx1 said:
You can always try it yourself. In worst case you have to hard reboot the touchpad by pressing the power button and home button at the same time for more than 10 minutes.
Click to expand...
Click to collapse
It feels like 10 mins.. doesn't it

WEll, i checked the MD5 sums, and it looks good. So, i guess it is time to try again with the toolchain listed here, and perhaps a new mkimage (if there is a "modern" one i should using, please point me to it...)
edit: Never mind.. in all my looking, i never saw that ubuntu had a nice one waiting for me.... doh
edit2: Woo! After getting the probably correct mkimage, and the CS toolchain, looks like i finally got it to pass the crc check. Now, lets see if it finishes booting. Thanks again for the guide!
Nope.. no boot. I get a dmesg with this:
<3>[ 69.978716] init: untracked pid 224 exited
<6>[ 70.086076] android_usb gadget: high speed config #1: android
<6>[ 70.086209] gadget_event: schedule host_connected
<6>[ 70.096953] max8903b_current_setup: CURRENT_500MA
<6>[ 70.097040] gadget_event: source=bus mA=500 (no change)
<4>[ 70.910953] UDC-CHG (2-2-2): usb_multi_chg_detect (591) : USB host Adaptor
(500mA)!
<6>[ 70.912805] gadget_event: schedule host_disconnected
<6>[ 70.925482] max8903b_current_setup: CURRENT_ZERO
<6>[ 71.164066] android_usb gadget: high speed config #1: android
<6>[ 71.164220] gadget_event: schedule host_connected
<6>[ 71.173640] max8903b_current_setup: CURRENT_500MA
<6>[ 71.178212] gadget_event: source=bus mA=500 (no change)
<6>[ 72.160955] gadget_event: host_connected=1 (no change)
<6>[ 74.142224] request_suspend_state: wakeup (0->0) at 74121495501 (2011-11-1
1 22:49:33.378031648 UTC)
<3>[ 74.143675] init: untracked pid 266 exited
<3>[ 74.155217] init: untracked pid 273 exited
<6>[ 79.285016] request_suspend_state: wakeup (0->0) at 79264287462 (2011-11-1
1 22:49:38.520824942 UTC)
The last three lines repeat alot, with different pid's .
Alrighty.. figured this one out - You cannot use the latest repository commits with the 2.1 alpha build. However, i was able to build commit fd70bb7aae, and it builds and actually boots. Now, i can actually play around and tweak it. Thank you again for the guide, and sorry for the edit spamming.. heh.

myn said:
x2. Huge thanks
Click to expand...
Click to collapse
Myn, do you have a touchpad???!!!? God I hope so!

vinscuzzy said:
Myn, do you have a touchpad???!!!? God I hope so!
Click to expand...
Click to collapse
He does
Sent from my PG86100 using Tapatalk

Divine_Madcat said:
WEll, i checked the MD5 sums, and it looks good. So, i guess it is time to try again with the toolchain listed here, and perhaps a new mkimage (if there is a "modern" one i should using, please point me to it...)
edit: Never mind.. in all my looking, i never saw that ubuntu had a nice one waiting for me.... doh
edit2: Woo! After getting the probably correct mkimage, and the CS toolchain, looks like i finally got it to pass the crc check. Now, lets see if it finishes booting. Thanks again for the guide!
Nope.. no boot. I get a dmesg with this:
<3>[ 69.978716] init: untracked pid 224 exited
<6>[ 70.086076] android_usb gadget: high speed config #1: android
<6>[ 70.086209] gadget_event: schedule host_connected
<6>[ 70.096953] max8903b_current_setup: CURRENT_500MA
<6>[ 70.097040] gadget_event: source=bus mA=500 (no change)
<4>[ 70.910953] UDC-CHG (2-2-2): usb_multi_chg_detect (591) : USB host Adaptor
(500mA)!
<6>[ 70.912805] gadget_event: schedule host_disconnected
<6>[ 70.925482] max8903b_current_setup: CURRENT_ZERO
<6>[ 71.164066] android_usb gadget: high speed config #1: android
<6>[ 71.164220] gadget_event: schedule host_connected
<6>[ 71.173640] max8903b_current_setup: CURRENT_500MA
<6>[ 71.178212] gadget_event: source=bus mA=500 (no change)
<6>[ 72.160955] gadget_event: host_connected=1 (no change)
<6>[ 74.142224] request_suspend_state: wakeup (0->0) at 74121495501 (2011-11-1
1 22:49:33.378031648 UTC)
<3>[ 74.143675] init: untracked pid 266 exited
<3>[ 74.155217] init: untracked pid 273 exited
<6>[ 79.285016] request_suspend_state: wakeup (0->0) at 79264287462 (2011-11-1
1 22:49:38.520824942 UTC)
The last three lines repeat alot, with different pid's .
Alrighty.. figured this one out - You cannot use the latest repository commits with the 2.1 alpha build. However, i was able to build commit fd70bb7aae, and it builds and actually boots. Now, i can actually play around and tweak it. Thank you again for the guide, and sorry for the edit spamming.. heh.
Click to expand...
Click to collapse
That's because dalingrin has updated the default configuration to use the HIGHMEM which seems to kill all the apps. The latest git actually works if you disable all the HIGHMEM related stuff.

decalex said:
Thanks so much for this guide
It feels like 10 mins.. doesn't it
Click to expand...
Click to collapse
Absolutely
I just hope there is a rest button as the touchscreen occasionally will not respond at all after wake up and I have to reboot to webos and then reboot back to get the touchscreen back.

Great guide and I got the kernel all built, but how do you change the kernel arguments for booting? e.g. where does moboot get its whole root=/dev/ram0 ro fb...stuff, and how does the CyanogenMod kernel know where to look for the rootfs partition?

crimsonredmk said:
Great guide and I got the kernel all built, but how do you change the kernel arguments for booting? e.g. where does moboot get its whole root=/dev/ram0 ro fb...stuff, and how does the CyanogenMod kernel know where to look for the rootfs partition?
Click to expand...
Click to collapse
The root parameter (root=/dev/ram0) that passed to kernel is not useful to you. The root / is mere extracted initramfs in memory. I assume you are looking for system, data partitions etc. With TP we have LVM partitions which you can do really fancy stuff with. The actual mount device and mount point is defined (hard coded) in file init.tenderloin.rc which you can find in the initramfs (i.e. the img.gz which is a gzipped cpio file). You can extract all the contents out from img.gz and modify init.tenderloin.rc to suit your need and then create an updated initramfs file to go with the kernel.
Since Android (at least CM7 on TP) does not use pivot_root any changes made to the initramfs will appear automatically when you boot up the device.
You can google if you are not sure how to work with initramfs file.

[Q] [L7] [DEV] V20a Kernel Build problems

So, i tried to compile V20a kernel and i get this errors:
Code:
CC drivers/power/lge_pm_sysfs.o
drivers/power/lge_pm_sysfs.c:25:38: fatal error: ../../kernel/power/power.h: No such file or directory
compilation terminated.
make[2]: *** [drivers/power/lge_pm_sysfs.o] Error 1
make[1]: *** [drivers/power] Error 2
make[1]: *** Waiting for unfinished jobs....
Code:
LD drivers/net/built-in.o
make: *** [drivers] Error 2
make: *** Waiting for unfinished jobs....
CC net/netfilter/xt_length.o
Anyone tried to compile? How can i solve this error?

i managed to compile it but it doesn't boot . logcat not available.
Please, can you give me some ideea as i am not a developer. I will flash now my original boot img

hmmm is bad

Hint
Hello,
I also discovered that the way the kernel should be compiled according to the readme file is impossible. It does mention a defconfig file that is not available.
However, it is possible to get the config file of an existing kernel, because it is compiled in in the kernel:
Use the following steps, when your PC is connected to your phone with an working v20a kernel:
$adb pull /proc/config.gz
$gunzip config.gz
$mv config YOURKERNELROOT/arch/arm/configs/u2_my_defconfig
$cd YOURKERNELROOT
$make youroptions u2_my_defconfig

de-wolff said:
Hello,
I also discovered that the way the kernel should be compiled according to the readme file is impossible. It does mention a defconfig file that is not available.
However, it is possible to get the config file of an existing kernel, because it is compiled in in the kernel:
Use the following steps, when your PC is connected to your phone with an working v20a kernel:
$adb pull /proc/config.gz
$gunzip config.gz
$mv config YOURKERNELROOT/arch/arm/configs/u2_my_defconfig
$cd YOURKERNELROOT
$make youroptions u2_my_defconfig
Click to expand...
Click to collapse
I built it using my phones defconfig and removed this from makefile "drivers/power/lge_pm_sysfs.o". The build was successful but it doesn't boot. I will start working on it today.
Update: IT BOOTS!
I wasn't packing it correctly:
These are the lines to pack it:
./mkbootimg --kernel zImage --ramdisk boot.img-ramdisk.gz --cmdline androidboot.hardware=u0 --base 0x00200000 --pagesize 4096 -o boot.img
Click to expand...
Click to collapse
kernel version is:
Linux version 3.4.0-perf ([email protected]) (gcc version 4.6.2 20111004 (prerelease) (Linaro GCC 4.6-2011.10) ) #2 PREEMPT Wed Apr 17 23:22:22 EEST 2013
Click to expand...
Click to collapse
i will start patching tomorrow or later because i have to figure out how to OC and how to git

tudorsirb said:
So, i tried to compile V20a kernel and i get this errors:
Code:
CC drivers/power/lge_pm_sysfs.o
drivers/power/lge_pm_sysfs.c:25:38: fatal error: ../../kernel/power/power.h: No such file or directory
compilation terminated.
make[2]: *** [drivers/power/lge_pm_sysfs.o] Error 1
make[1]: *** [drivers/power] Error 2
make[1]: *** Waiting for unfinished jobs....
Code:
LD drivers/net/built-in.o
make: *** [drivers] Error 2
make: *** Waiting for unfinished jobs....
CC net/netfilter/xt_length.o
Anyone tried to compile? How can i solve this error?
Click to expand...
Click to collapse
open lge_pm_sysfs.c and set power.h file to the correct path.

moon61 said:
open lge_pm_sysfs.c and set power.h file to the correct path.
Click to expand...
Click to collapse
i fixed that error, the kernel build and boots from stock sources. Now i'm trying to figure out what to do with the modules as wireless doesn't work, how to apply patches and how to overclock because i can't find freqs in acpuclock. Any sugestions?

How to modify kernel
Once you are able to make a working kerrnel, it is quite easy to modify it.
After you did make a working kernel, you can do from the commandline in the kernel root:
Make [crosscompile options] menuconfig.
Now you can change all kernel options, using a menu.
You have to install ncurses-dev, before you can do a make menuconfig
Once you are ready using the menuconfig, a new config file is created, with the name ,config ([dot]config). Beware that this is a hidden file in linux!. You can rename it and move it to your config dir.
Of course, most of the options are hardware related, and you do not want to change them, but the options you want to change, you can find all in the menu, together with a brief explanation of their usage,
(Excuses for my bad english, it is not my primary language)

de-wolff said:
Once you are able to make a working kerrnel, it is quite easy to modify it.
After you did make a working kernel, you can do from the commandline in the kernel root:
Make [crosscompile options] menuconfig.
Now you can change all kernel options, using a menu.
You have to install ncurses-dev, before you can do a make menuconfig
Once you are ready using the menuconfig, a new config file is created, with the name ,config ([dot]config). Beware that this is a hidden file in linux!. You can rename it and move it to your config dir.
Of course, most of the options are hardware related, and you do not want to change them, but the options you want to change, you can find all in the menu, together with a brief explanation of their usage,
(Excuses for my bad english, it is not my primary language)
Click to expand...
Click to collapse
Thanks, this will be useful after i apply some upstream changes. I know about menuconfig but i haven't got the tine to check it out. Right now i'm trying to overclock this kernel and i keep getting compile errors (took some code from l5). Will come back with info. If you can help me these days PM me with a gtalk ID.

tudorsirb said:
i fixed that error, the kernel build and boots from stock sources. Now i'm trying to figure out what to do with the modules as wireless doesn't work, how to apply patches and how to overclock because i can't find freqs in acpuclock. Any sugestions?
Click to expand...
Click to collapse
Yes I have a problem with wifi too, even I used new compiled modules. Did you fix it?
Sent from my LG-P705 using Tapatalk 2

moon61 said:
Yes I have a problem with wifi too, even I used new compiled modules. Did you fix it?
Sent from my LG-P705 using Tapatalk 2
Click to expand...
Click to collapse
I didn't fix it. I will look into it later (i'm at work ATM).
Logcat is:
Code:
need to unregister
04-22 11:28:19.010 E/WifiStateMachine( 449): Couldn't get getWiFiOffloadingIfaceIface :
04-22 11:28:19.010 E/WifiStateMachine( 449): useWiFiOffloading() : false
04-22 11:28:19.010 E/WifiStateMachine( 449): CONFIG_LGE_WLAN_PATH : true
04-22 11:28:19.010 D/WifiStateMachine( 449): setWifiState: enabling
04-22 11:28:19.010 I/WifiServiceExt( 449): WIFI_STATE_CHANGED_ACTION [2]
04-22 11:28:19.020 D/QuickSettingsReceiverStation( 514): Received: android.net.wifi.WIFI_STATE_CHANGED
04-22 11:28:19.030 E/WifiHW ( 449): nv_cmd_remote status 0
04-22 11:28:19.030 E/WifiHW ( 449): nv_cmd_remote status 0
04-22 11:28:19.030 E/WifiHW ( 449): Modem MAC address: a8 16 b2 93 c8 f6
04-22 11:28:19.030 E/WifiHW ( 449): Set wifi mac address a8 16 b2 93 c8 f6
04-22 11:28:19.030 E/WifiUtil( 449): U0 : CONFIG_LGE_WLAN_U0_JB_PATCH
04-22 11:28:19.030 I/ONCRPC ( 449): Setup RPC Call for task 4049f920
04-22 11:28:19.030 I/ONCRPC ( 449): oncrpc_xdr_call_msg_start: Prog: 3000000e, Ver: 00090001, Proc: 00000009
04-22 11:28:19.030 I/ONCRPC ( 449): xdr_std_msg_send_call: Sent Xid: a68, Prog: 3000000e, Ver: 00090001, Proc: 00000009
04-22 11:28:19.030 I/ONCRPC ( 449): xdr_std_msg_send_call: Received Reply Xid: a68, Prog: 3000000e, Ver: 00090001, Proc: 00000009
04-22 11:28:19.090 E/WifiStateMachine( 449): Failed to load driver!
04-22 11:28:19.090 E/WifiStateMachine( 449): Couldn't get getWiFiOffloadingIfaceIface :
04-22 11:28:19.090 E/WifiStateMachine( 449): useWiFiOffloading() : false
04-22 11:28:19.090 E/WifiStateMachine( 449): CONFIG_LGE_WLAN_PATH : true
04-22 11:28:19.090 D/WifiStateMachine( 449): setWifiState: unknown state
04-22 11:28:19.090 I/WifiServiceExt( 449): WIFI_STATE_CHANGED_ACTION [4]
04-22 11:28:19.090 E/WifiServiceExt( 449): WifiManager.WIFI_STATE_UNKNOWN
04-22 11:28:19.090 D/QuickSettingsReceiverStation( 514): Received: android.net.wifi.WIFI_STATE_CHANGED

Any news about how to fix wifi problem?
Sent from my LG-P705 using Tapatalk 2

any news??

Ok, i think i had find where the problem is. I change the cfg80211 value in the config file to "m". And know wifi work fine.
This is the kernel link
http://db.tt/lfJeyFeY
The kernel also o/c able too
Thanx to @tudorsirb :thumbup: and sorry for my bad english.
Sent from my LG-P705 using Tapatalk 2

moon61 said:
Ok, i think i had find where the problem is. I change the cfg80211 value in the config file to "m". And know wifi work fine.
This is the kernel link
http://db.tt/lfJeyFeY
The kernel also o/c able too
Thanx to @tudorsirb :thumbup: and sorry for my bad english.
Sent from my LG-P705 using Tapatalk 2
Click to expand...
Click to collapse
Did you use pll2 or pll4 for oc? If you use pll4 there's no difference in performance when using the phone becuase our phone does not OC that way.
Your OC code hould look like this:
Code:
{ 1, 1200000, [B]ACPU_PLL_2, 2, 0, [/B]150000, 3, 7, 200000 },
I learned it the hard way . Check out github for more references.

Possibly new exploit to root devices with recent firmware versions

Hi,
I stumbled upon this a few days back:
http://bloggingthemonkey.blogspot.de/2014/06/fire-in-root-hole.html
This describes a CVE that Rob Clark discovered earlier this year. He did not create a root method using this as Towelroot was still working back then. He published some proof of concept code though:
https://github.com/robclark/kilroy
Now, Qualcomm created patches to fix this and published them here:
https://www.codeaurora.org/projects...can-change-the-iommu-page-table-cve-2014-0972
It also has been fixed in the official Android source:
https://android.googlesource.com/kernel/msm/+/android-4.4w_r8/drivers/gpu/msm/adreno.c (see Log)
I downloaded the latest source that Amazon provided for the FireTV:
https://kindle-src.s3.amazonaws.com/firetv_src_51.1.3.0_user_513011820.tar.bz2
The Linux kernel sources in there all have a timestamp from June 2014, I assume this is when they created this source bundle.
However, as example adreno.c has still a Copyright notice from only 2013. It looks like Amazon is working with older source code here. I also searched for the added lines of the patch and can not find them in there.
Please note that the latest FireTV firmwares source is not yet published, so there is a possibility that this is fixed in the latest versions. I'm hopeful however, that it might very well not be fixed, as they seem to use some old kernel branch even in mid of 2014.
My FireTV did not arrive yet unfortunately, but I hope this can help to root mine and many others!
Could someone please compile the proof-of-concept code and check it out on a FireTV running a recent version?

Ask geohot maybe he can

Wish I could be more helpfull but I tried to compile it and somehow it doesn't work out.
I've built it, pushed it over to /data/local/tmp, chmod 755 but all I get is "not executable: magic 7F45". There seems to be something wrong with my toolchain. Maybe it's because I'm using Windows... Tried to use the NDK and followed the last post over there: http://stackoverflow.com/questions/6745064/how-to-run-arm-binary-on-android-platform
At least there is something I can provide to you, the CONFIG_KGSL_PER_PROCESS_PAGE_TABLE parameter is set to y in the kernel config for version 51.1.3.0_user_513011820.
And I attached the files that are needed to compile kilroy for version 51.1.3.0_user_513011820. Note I have modified the msm_ion.h from #include <ion.h> to #include "ion.h" so it finds the file in the same directory.
Hopefully someone with a bit more knowledge (and the right operating system ) could check this out!

g4rb4g3 said:
Wish I could be more helpfull but I tried to compile it and somehow it doesn't work out.
I've built it, pushed it over to /data/local/tmp, chmod 755 but all I get is "not executable: magic 7F45". There seems to be something wrong with my toolchain. Maybe it's because I'm using Windows... Tried to use the NDK and followed the last post over there: http://stackoverflow.com/questions/6745064/how-to-run-arm-binary-on-android-platform
At least there is something I can provide to you, the CONFIG_KGSL_PER_PROCESS_PAGE_TABLE parameter is set to y in the kernel config for version 51.1.3.0_user_513011820.
And I attached the files that are needed to compile kilroy for version 51.1.3.0_user_513011820. Note I have modified the msm_ion.h from #include <ion.h> to #include "ion.h" so it finds the file in the same directory.
Hopefully someone with a bit more knowledge (and the right operating system ) could check this out!
Click to expand...
Click to collapse
Cool, thanks.
Are you running v5.1.1.3.0 on your FireTV? If yours is newer I could imagine that you need to compile the binary statically. This way it should no longer depend on the library versions currently installed.

freezer2k said:
Cool, thanks.
Are you running v5.1.1.3.0 on your FireTV? If yours is newer I could imagine that you need to compile the binary statically. This way it should no longer depend on the library versions currently installed.
Click to expand...
Click to collapse
Yes my FTV is running on this version. I compiled it static already but it doesn't work...

Finaly I was able to compile it, I used the Terminal IDE and compiled it on the FTV.
But I don't know if it works the right way... when I execute it suddenly every connection breaks down and the FTV restarts after a few seconds. I don't know how to proof that it worked out the way we want it to...
I had to make the following changes to the source files to compile it:
kilroy.h:
change line 24 from
Code:
#include <sys/unistd.h>
to
Code:
#include <unistd.h>
add
Code:
#define NEW_ION
kilroy.c
change line 350 from
Code:
CHK((ion_fd = open("/dev/ion", O_RDONLY|O_DSYNC, 0)) < 0);
to
Code:
CHK((ion_fd = open("/dev/ion", O_RDONLY|O_SYNC, 0)) < 0);
commands used to compile it (start Terminal IDE app and launch telnetd to connect from your pc):
Code:
terminal-gcc -c ./ion.c -o ./ion.o
terminal-gcc -c ./kgsl.c -o ./kgsl.o
terminal-gcc -c ./kilroy.c -o ./kilroy.o
terminal-gcc -o ./kilroy ./ion.o ./kgsl.o ./kilroy.o
I have attachted the compiled file, extract it push it to /data/local/tmp, chmod 755 it and start it.
Maybe someone can find out if this is helpfull for us or not.

g4rb4g3 said:
Finaly I was able to compile it, I used the Terminal IDE and compiled it on the FTV.
But I don't know if it works the right way... when I execute it suddenly every connection breaks down and the FTV restarts after a few seconds. I don't know how to proof that it worked out the way we want it to...
Click to expand...
Click to collapse
Did you had adb debug output running during execution? Anything you can see there?

I couldn't resist and just picked up a FireTV @ MediaMarkt in Berlin.
Successfully blocked any updates during the inital setup and my version is now 51.1.3.0_user_513010720 -- so looks like it's even older than 51.1.3.0_user_513011820.

Okay,
just tried running the kilroy binary you provided.
Exactly the same thing happens, the FireTV reboots immediatly.
I had adb logcat running in a second window, but no output there.
On a 2nd try I had another shell open writing dmesg to /data/local/tmp/dmesg in a loop every 200ms, but it did not capture anything.
In another local shell window, i ran ping -i 0.1 <FireTV> to ping it every 100ms, the FireTV stopped responding immediatly after ./kilroy was started.
Not sure what it is doing, but it seems to manage to crash the box hard Not sure what this means exactly, should a faulty binary cause a reboot like this? Maybe it did manage to corrupt the memory in some way, causing a system crash?
Will try to compile this on my own, though I'm not an expert on Android. Maybe someone else could give this a shot!

I've written a comment on Robs blog, maybe he can held us.
http://bloggingthemonkey.blogspot.c...omment=1414359782492&m=1#c4713581984059861436

freezer2k said:
I couldn't resist and just picked up a FireTV @ MediaMarkt in Berlin.
Successfully blocked any updates during the inital setup and my version is now 51.1.3.0_user_513010720 -- so looks like it's even older than 51.1.3.0_user_513011820.
Click to expand...
Click to collapse
Try rooting it with one of the apps on that FW just for kicks... Since is not on the list of FW's. You never know..

Y314K said:
Try rooting it with one of the apps on that FW just for kicks... Since is not on the list of FW's. You never know..
Click to expand...
Click to collapse
I just installed Towelroot v3 and it just says 'This phone isn't currently supported' when i click on the 'make it ra1n' button.

freezer2k said:
I just installed Towelroot v3 and it just says 'This phone isn't currently supported' when i click on the 'make it ra1n' button.
Click to expand...
Click to collapse
Ahh.. Was worth a shot. Guess any 51.1.3.0 FW is out of reach. Thanks for trying.

Y314K said:
Ahh.. Was worth a shot. Guess any 51.1.3.0 FW is out of reach. Thanks for trying.
Click to expand...
Click to collapse
I tried to use the default modstring, this is the ADB output:
I/towelroot( 7479): ************************
I/towelroot( 7479): native towelroot running with pid 7479 params 1337 0 1 0 4 0
I/towelroot( 7479): CPU affinity was 1
I/towelroot( 7479): set CPU affinity 0
I/towelroot( 7479): parsing modstring
I/towelroot( 7479): modstring is valid 0 1 0 4 0
I/towelroot( 7479): i have a client like hookers
But it seems to hang after that, root button stays greyed out and after clicking a bit the app just closes.
SuperSU 2.4.0 won't open at all and 1.9.4 says it can't install the su binary.

freezer2k said:
Okay,
just tried running the kilroy binary you provided.
Exactly the same thing happens, the FireTV reboots immediatly.
I had adb logcat running in a second window, but no output there.
On a 2nd try I had another shell open writing dmesg to /data/local/tmp/dmesg in a loop every 200ms, but it did not capture anything.
In another local shell window, i ran ping -i 0.1 <FireTV> to ping it every 100ms, the FireTV stopped responding immediatly after ./kilroy was started.
Not sure what it is doing, but it seems to manage to crash the box hard Not sure what this means exactly, should a faulty binary cause a reboot like this? Maybe it did manage to corrupt the memory in some way, causing a system crash?
Will try to compile this on my own, though I'm not an expert on Android. Maybe someone else could give this a shot!
Click to expand...
Click to collapse
What do you want to see in the logcat? The program accesses memory and writes a string into it.
As it crashes and reboots the device, i assume that it did not got there and crashed the gpu/cpu before that and so there is no system log as the cpu resets and not the system. Even if it worked, you wont have seen anything in the logcat - that would be the point where somebody would need to inject proper shellcode into the exploit to use it.

sammy98 said:
What do you want to see in the logcat? The program accesses memory and writes a string into it.
As it crashes and reboots the device, i assume that it did not got there and crashed the gpu/cpu before that and so there is no system log as the cpu resets and not the system. Even if it worked, you wont have seen anything in the logcat - that would be the point where somebody would need to inject proper shellcode into the exploit to use it.
Click to expand...
Click to collapse
Thats what we want to see, so we can be sure that it worked out the way we want it to.
Code:
Before:
[ 11.974607] ###### victim=c11ac000 (813ac000): ""
After:
[ 33.401709] ###### victim=c11ac000 (813ac000): "Kilroy was here"

g4rb4g3 said:
Thats what we want to see, so we can be sure that it worked out the way we want it to.
Code:
Before:
[ 11.974607] ###### victim=c11ac000 (813ac000): ""
After:
[ 33.401709] ###### victim=c11ac000 (813ac000): "Kilroy was here"
Click to expand...
Click to collapse
Yeah but it crashed before that and resets the cpu. So no cookies here

sammy98 said:
Yeah but it crashed before that and resets the cpu. So no cookies here
Click to expand...
Click to collapse
since no exploit was ever really made from his findings, its very possible that it could still be used. its not known if the fix was patched by amazon.

I catched this yesterday doing a 'while true; do dmesg; done' via ADB and then running ./kilroy:
<6>[ 699.556243] binder: release 5006:5006 transaction 124685 out, still active
<6>[ 699.559326] binder: 639:951 transaction failed 29189, size 4-0
<6>[ 699.559326] binder: send failed reply for transaction 124685, target dead
Also, while streaming a video, kilroy does not kill the box, and this shows up in dmesg:
<3>[ 144.678894] ion_mmap: failure mapping buffer to userspace
Only seems to happen when streaming video, box does crash immediately while the screensaver is running, a game is running etc.
I had a chat with Rob, summing up:
<robclark> ... but basically what you want to do is figure out some kernel fxn to overwrite w/ your own code to give you root.. or maybe some data structure to overwrite... find it's virtual address.. find the offset between some lowmem virtual address and phys address so you can convert the virtual address you want to smash to a phys address to smash..
<robclark> I guess the interrupt vector table is always at a well defined virtual address.. that might be something to attack.. although that might be more tricky because your shell code would have to somehow restore it again at the end..
We tried to check out the physical addresses from /proc/kallsyms ; but as non-root all addresses are 0x0, could someone with a similar kernel and root do this and paste it here? Dmesg prints the virtual memory layout, so we have that.
At least on my non-rooted box there is no /proc/last_kmsg, so a dmesg from the previous boot that could contain the dmesg of the crash. Anyone knows how to enable this or something similar?
Hopefully Rob will have some time to help us with this
I will proceed now and set up my own Android build environment.

Okay, I set up the latest Android NDK on Ubuntu 14.04 and made the changes suggested by you, g4rb4g3!
Interestingly enough, the resulting bytesize is different from yours, i used the howto from here:
http://stackoverflow.com/questions/6745064/how-to-run-arm-binary-on-android-platform
And then:
$CC -c ./ion.c -o ./ion.o
$CC -c ./kgsl.c -o kgsl.o
$CC -c ./kilroy.c -o kilroy.o
$CC -o ./kilroy ./ion.o ./kgsl.o kilroy.o
Some interesting output:
<2>[51518.474853] kgsl kgsl-3d0: |a3xx_err_callback| CP | Protected mode error| WRITE | addr=1ec
<3>[51518.628448] kgsl kgsl-3d0: |adreno_ft_detect| Proc kilroy2, ctxt_id 4 ts 1 triggered fault tolerance on global ts 1225504
<3>[51518.628601] kgsl kgsl-3d0: RBBM STATUS 80004001 | IB1:10009000/00000000 | IB2: C000B000/00000033 | RPTR: 1D20 | WPTR: 1EB6
<3>[51518.629791] kgsl kgsl-3d0: |push_object| snapshot: Can't find GPU address for 10009000
<3>[51518.629882] kgsl kgsl-3d0: |kgsl_snapshot_get_object| Unable to find GPU buffer C000B500
<3>[51518.639801] kgsl kgsl-3d0: |kgsl_device_snapshot| snapshot created at pa adf00000 size 136036
<3>[51518.639984] kgsl kgsl-3d0: |kgsl_iommu_clk_disable_event| IOMMU disable clock event being cancelled, iommu_last_cmd_ts: 12b322, retired ts: 12b31f
<2>[51518.646911] kgsl kgsl-3d0: |a3xx_err_callback| CP | Protected mode error| WRITE | addr=1ec
<3>[51518.807830] kgsl kgsl-3d0: |adreno_ft_detect| Proc kilroy2, ctxt_id 4 ts 1 triggered fault tolerance on global ts 1225504
<3>[51518.807983] kgsl kgsl-3d0: |adreno_idle| spun too long waiting for RB to idle
<3>[51518.807983] kgsl kgsl-3d0: |_adreno_ft| Replay unsuccessful
<3>[51518.828369] kgsl kgsl-3d0: |adreno_ft| policy 0x6 status 0x0
<3>[51550.911590] init: untracked pid 29017 exited
[email protected]:/data/local/tmp $ ./kilroy2
main:362: ttbr0=a000006a
add_large_mapping:232: pa=a0000000, va=10000000, len=1000000, cached=0
add_large_mapping:232: pa=81000000, va=81000000, len=1000000, cached=1
add_small_mapping:271: pa=07c00000, va=c000c000, len=1000, cached=0
add_small_mapping:271: pa=07d00000, va=c010c000, len=1000, cached=0
add_small_mapping:271: pa=a0008000, va=c000b000, len=1000, cached=0
main:403: cs[0]: 10008000/c000b000 (115 dwords) (limit: c000b1cc)
main:444: buf: 0x40515000 / 10000000
main:448: ibaddrs[0]: 0x4051e000 / 10009000 (152 dwords)
00000000: c0733d00 c000b000 000001ec 00000020 c0002600 00000000 c0001300 00000000
00000020: c0013d00 c000b500 000000a0 c0002600 00000000 c0043c00 00000013 c000b500
00000040: 000000a0 ffffffff ffffffff c0023d00 c000c010 a000006a a000006a c0013d00
00000060: c000b500 000000a7 c0002600 00000000 c0043c00 00000013 c000b500 000000a7
00000080: ffffffff ffffffff c0023d00 c010c010 a000006a a000006a c0013d00 c000b500
000000A0: 000000ae c0002600 00000000 c0043c00 00000013 c000b500 000000ae ffffffff
000000C0: ffffffff c0013d00 c000c000 00000003 c0002600 00000000 c0043c00 00000013
000000E0: c000c000 00000003 ffffffff ffffffff c0013d00 c010c000 00000003 c0002600
00000100: 00000000 c0043c00 00000013 c010c000 00000003 ffffffff ffffffff c0013d00
00000120: c000c800 00000001 c0002600 00000000 c0013d00 c010c800 00000001 c0002600
00000140: 00000000 c0013d00 c000b500 000000b9 c0002600 00000000 c0043c00 00000013
00000160: c000b500 000000b9 ffffffff ffffffff c0002600 00000000 c0001300 00000000
00000180: 000001ec 00000000 c0002600 00000000 c0001300 00000000 c0013d00 c000b500
000001A0: 000000cb c0002600 00000000 c0043c00 00000013 c000b500 000000cb ffffffff
000001C0: ffffffff c0002600 00000000 c0001300 00000000 c0002600 00000000 c0013700
000001E0: c000b000 00000073 c0002600 00000000 c0013700 c000b000 00000073 c0002600
00000200: 00000000 c0002600 00000000 c0004600 00000006 c0043d00 813ac000 726c694b
00000220: 7720796f 68207361 00657265 c0002600 00000000 c0013d00 c000b500 cafebabe
00000240: c0002600 00000000 c0043c00 00000013 c000b500 deadbeef ffffffff ffffffff
[email protected]:/data/local/tmp $
It does not crash my box anymore. Not sure if this was compiled correctly, as i only took the 3 header files from the Amazon package and the rest is from the NDK.
@g4rb4g3
Could you try to run this binary on your box as well, as I'm running a different kernel/firmware, that does not match exactly https://kindle-src.s3.amazonaws.com/firetv_src_51.1.3.0_user_513011820.tar.bz2.
Wonder if that could also be related to changing DSYNC to SYNC in kilroy.c?

[Q] Phone randomly vibrates

Hi!
I have a problem with my phone that it randomly vibrates with no notification what so ever, even after doing a full wipe and flashing new ROM.
Lets start with some info:
GT-i9505
Danvdh Google Play ROM 4.4.4 (Pure nexus version)
GoogyMax3_GE 1.1.6 Kernel
I have Xposed Framwork installed
I have "Show all app that don't respond" in Developer options, still no errors have popped up.
No app which i've seen send vibration without notification when an update occurs.
I've tried to trace the source with logcat but havent really gotten any far.
Using the app aLogcat ROOT i often get the message:
Code:
E/AndroidRuntime(xxxxx): cannot open customer xml file
E/memtrack(same numbers): couldn't load memtrack module (no such file or directory)
E/Android.os.Debug(same numbers): failed to load memtrack module: -2
If i have the logging up and running in the app and then press Home button (Which takes me to Apex Launcher) i often get 2 quick vibrations
If i then start aLogcat ROOT again, i sometimes get another vibration followed by either
Code:
I/DEBUG (26414): Build fingerprint: 'samsung/jgedlteue/jgedlte:4.4.4/KTU84P.S001/140602:user/release-keys
or
Code:
E/LightSensor ( 1010): Light old sensor_state 1, new sensor_state : 1 en : 0
However, it seems most often related to I/DEBUG (26414): Build fingerprint: 'samsung/jgedlteue/jgedlte:4.4.4/KTU84P.S001/140602:user/release-keys
It's kinda getting frustrating and nothing i've Googled have seem to have provided the answer, most answers are something in line of Facebook messenger, repeat notification functions (For example vibration every 5 mins for sms, etc).
It happened more often before i wiped phone, which i then had Danvdh GPE rom, but 4.4.2 version instead, and ktoonez kernel. Apps were mostly same.
Following caused 2 vibrations 2 times:
Code:
I/DEBUG (26830): Build fingerprint: 'samsung/jgedlteue/jgedlte:4.4.4/KTU84P.S001/140602:user/release-keys'
I/DEBUG (26830): Build fingerprint: 'samsung/jgedlteue/jgedlte:4.4.4/KTU84P.S001/140602:user/release-keys'
E/LocSvc_eng( 1010): D/void loc_eng_deferred_action_thread(void*):1627] received msg_id = LOC_ENG_MSG_INJECT_LOCATION context = 0x8012add0
E/LocSvc_adapter( 1010): I/<--- void globalRespCb(locClientHandleType, uint32_t, locClientRespIndUnionType, void*) line 115 QMI_LOC_INJECT_POSITION_REQ_V02
E/LocSvc_api_v02( 1010): D/loc_free_slot:298]: freeing slot 0
E/Watchdog( 1010): [email protected] 194
E/AndroidRuntime(27295): cannot open customer xml file
E/memtrack(27295): Couldn't load memtrack module (No such file or directory)
E/android.os.Debug(27295): failed to load memtrack module: -2
I/DEBUG (26830): Build fingerprint: 'samsung/jgedlteue/jgedlte:4.4.4/KTU84P.S001/140602:user/release-keys'
I/DEBUG (26830): Build fingerprint: 'samsung/jgedlteue/jgedlte:4.4.4/KTU84P.S001/140602:user/release-keys'
E/AndroidRuntime(27396): cannot open customer xml file
E/memtrack(27396): Couldn't load memtrack module (No such file or directory)
E/android.os.Debug(27396): failed to load memtrack module: -2
Does anyone have ANY clue on how to fix this, or what might be causing it.
Anyone have any similar findings?
Thanks in advance

I have same problem!
If I remove Xposed Framework the random vibrations no longer appear, but it is very useful for me!
I opened a thread in Xposed Framework General -> here

Hi, ive got the same problem, random vibration 1 to 3 time, im running on the same
Rom with xposed installed. Anyone know any fix for that? Thank you

[Q] NFC problems in CM12-based mods with klte/g900f

Hi,
the mod threads for the various cm12 builds claim that NFC is working, and there are also several user replies with reports that it works fine. Yet it doesn't work correctly for me, and at least some others: The device reports that NFC is working, I can activate and deactivate it, but accessing cards only works partially or not at all. The funny thing is that after flashing cm12, restoring an old cm11 nandroid backup does not restore NFC functionality. It doesn't matter if I do a clean install/full wipe. With Lollipop TW roms (I've tried XtreStoLite), NFC works fine.
I'll try to keep this top post up to date. Last update: 2015/03/15
We've found the issue that caused the major part of the problems. A configuration file must be adapted to the latest firmware. (update.zip version) This fix has been accepted upstream and is included in nightlies starting from 20150316.
There are cards/tags that still don't work, but do with stock, though. I've tested:
German eID (works)
Mifare Ultralight (works)
Beam (works)
EMV (works)
Mifare Classic (e.g. German "Mensacard", membership card from gym / McFit, ..) does not work. See below for debug output of libncf-nci.

Hi there,
I have exactly the same problem. NFC doesn't work for me neither. My device is a G900F from Germany, bought via Amazon using Euphoria OS which is based on CM12.
Ah, and just to get that straight, european G900F is klte without any other letters, right?

This post is obsolete: The problem is very likely not kernel-driver related.
I investigated a bit if the Kernel could be the problem. For this, I took the amplitude_rw kernel (based on Samsung's, but available from github) and Ktoonsez's version of the CM12 kernel . Both use the same version of the pn547 driver. The nfc-nci driver differs, but it doesn't make any difference if I copy the files over from the Samsung-based version and recompile. (The driver is disabled in the CM kernel by default anyway, I tried to enable it, of course. If I additionaly copy the related .so files from the Samsung rom that doesn't change anything either.) Continuing to investigate the differences, I noticed that the other difference is that the CM kernel has a hack that prevents the bcm2079x from being loaded on non-900P/I variants. I removed that line and noticed that the probe function of the driver did not complain that the device was missing, though from the looks of the code it would if it wasn't there. With that in mind, I tried to copy the bcm2079x firmware, configuration and .so files from a CM12 sprint build, but that didn't resolve the problem either.
More info: I've also compiled Ktoonsez's kernel with NFC_DEBUG set, and enabled the dynamic debug output for the driver. Doesn't look helpful to me, but for the sake of completeness:
Code:
<7>[ 967.651230] pn547_dev_open : 10,60
<6>[ 967.662071] pn547_dev_ioctl power on, irq=1
<6>[ 967.762268] pn547_dev_ioctl power off, irq=0
<6>[ 967.884563] pn547_dev_ioctl power on, irq=1
<6>[ 967.887970] pn547 : + w
<7>[ 967.888021] pn547_dev_write : writing 4 bytes.
<6>[ 967.889048] pn547 : - w
<7>[ 967.889159] pn547_dev_read : reading 3 bytes. irq=0
<6>[ 967.889218] pn547 : + r
<6>[ 967.889264] pn547: wait_event_interruptible : in
<6>[ 967.918905] pn547 : call
<6>[ 967.919127] pn547 : h
<6>[ 967.919655] pn547: i2c_master_recv
<7>[ 967.919741] pn547_dev_read : reading 3 bytes. irq=1
<6>[ 967.919793] pn547 : + r
<6>[ 967.920168] pn547: i2c_master_recv
<6>[ 967.921893] pn547 : + w
<7>[ 967.921938] pn547_dev_write : writing 3 bytes.
<6>[ 967.922314] pn547 : - w
<6>[ 967.922474] pn547 : call
<7>[ 967.922664] pn547_dev_read : reading 3 bytes. irq=1
<6>[ 967.922709] pn547 : + r
<6>[ 967.923138] pn547: i2c_master_recv
.. etc ..
<6>[ 998.860380] pn547: i2c_master_recv
<6>[ 998.873274] pn547_dev_ioctl power off, irq=0
During the log, I've had an NFC test application open and an NFC tag close to the device.
Last, I tried to check what's the problem with copying Samsung's files. If I use their NfcNci.adb, logcat throws
Code:
E/AndroidRuntime( 2655): FATAL EXCEPTION: main
E/AndroidRuntime( 2655): Process: com.android.nfc, PID: 2655
E/AndroidRuntime( 2655): java.lang.NoSuchMethodError: No static method isProductShip()I in class Landroid/os/Debug; or its super classes (declaration of 'android.os.Debug' appears in /system/framework/framework.jar)
E/AndroidRuntime( 2655): at com.android.nfc.NfcService.<clinit>(NfcService.java:164)
E/AndroidRuntime( 2655): at com.android.nfc.NfcApplication.onCreate(NfcApplication.java:61)
E/AndroidRuntime( 2655): at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1011)
E/AndroidRuntime( 2655): at android.app.ActivityThread.handleBindApplication(ActivityThread.java:4553)
E/AndroidRuntime( 2655): at android.app.ActivityThread.access$1600(ActivityThread.java:147)
E/AndroidRuntime( 2655): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1357)
E/AndroidRuntime( 2655): at android.os.Handler.dispatchMessage(Handler.java:102)
E/AndroidRuntime( 2655): at android.os.Looper.loop(Looper.java:135)
E/AndroidRuntime( 2655): at android.app.ActivityThread.main(ActivityThread.java:5256)
E/AndroidRuntime( 2655): at java.lang.reflect.Method.invoke(Native Method)
E/AndroidRuntime( 2655): at java.lang.reflect.Method.invoke(Method.java:372)
E/AndroidRuntime( 2655): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:898)
E/AndroidRuntime( 2655): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:693)

After doing some more digging, I discovered that running
Code:
setprop nfc.nxp_log_level_global 3
as root enables tons of debug messages.
Maybe it's the firmware
Obsolete: This is unlikely. Its only Mifare cards that don't work, and the protocols are, as far as I can see, implemented in the userland library.
I noticed that after enabling NFC, one of the logcat outputs is
Code:
D/NxpHal ( 1081): FW version for FW file = 0x118
D/NxpHal ( 1081): FW version from device = 0x8011f
D/NxpHal ( 1081): FW image older than device's, skip update
Maybe this helps. (Could anyone with working NFC check which FW their device has? Should work the same way: Run setprop.. as root, enable NFC, search logcat output for the FW info, then reset the log level to 0.)
Mifare cards
I further noticed that holding a Mifare card near the antenna does trigger a reaction:
Code:
D/NxpTml ( 2317): PN547 - I2C Read successful.....
D/NxpNciR ( 2317): len = 23 > 61051401808000FF010904000454566739010800000000
D/NxpTml ( 2317): PN547 - Posting read message.....
D/NxpHal ( 2317): read successful status = 0x0
D/NxpHal ( 2317): NxpNci: RF Interface = MIFARE
D/NxpHal ( 2317): NxpNci: Protocol = MIFARE
D/NxpHal ( 2317): NxpNci: Mode = A Passive Poll
D/NxpExtns( 2317): const CNfcParam* CNfcConfig::find(const char*) const found MIFARE_READER_ENABLE=(0x1)
D/NxpTml ( 2317): PN547 - Write requested.....
D/NxpTml ( 2317): PN547 - Invoking I2C Write.....
D/NxpTml ( 2317): PN547 - Read requested.....
D/NxpTml ( 2317): PN547 - Invoking I2C Read.....
D/NxpNciX ( 2317): len = 7 > 20020401800100
D/NxpTml ( 2317): PN547 - I2C Write successful.....
D/NxpTml ( 2317): PN547 - Posting Fresh Write message.....
D/NxpTml ( 2317): PN547 - Tml Writer Thread Running................
D/NxpHal ( 2317): write successful status = 0x0
D/NxpTml ( 2317): PN547 - I2C Read successful.....
D/NxpNciR ( 2317): len = 4 > 40020106
D/NxpTml ( 2317): PN547 - Posting read message.....
D/NxpHal ( 2317): read successful status = 0x0
D/NxpHal ( 2317): > Deinit workaround for LLCP set_config 0x0 0x0 0xa
D/NxpHal ( 2317): phNxpNciHal_print_res_status: response status =STATUS_OK
D/NxpTml ( 2317): PN547 - Read requested.....
D/NxpTml ( 2317): PN547 - Invoking I2C Read.....
But nothing ever shows up in an NFC test app and I have to deactivate and reactivate NFC at this point to scan any of the working smartcards. So likely something in the mifare reader code does not work.

No NFC for me either

Running yesterday's nightly 20150310 on klte, no NFC either.

Any news? I have a SM-G900F and am unable to read NFC tags since updating to CM12 (now using 20150313).

My NFC was gone too after I updated to the latest nightly yesterday. It appears that copying the firmware file and configuration from XtreStoLite fixed that, and that I'm back to the situation I described in the top post again now. I'll attach both files (in one archive). They should be placed in the according directories in the /system partition, i.e.
etc/libnfc-nxp.conf -> /system/etc/libnfc-nxp.conf
system/vendor/firmware/libpn547_fw.so -> system/vendor/firmware/libpn547_fw.so
Could you test if copying them & rebooting (partially) restores NFC for you, too? (This should be possible with a file manager like X-Plore) If you don't want to use my archive, download XtreStoLite and extract the same files from their zip. Flashing CM should restore the original files in any case.

FirebirdDE said:
My NFC was gone too after I updated to the latest nightly yesterday. It appears that copying the firmware file and configuration from XtreStoLite fixed that, and that I'm back to the situation I described in the top post again now. I'll attach both files (in one archive). They should be placed in the according directories in the /system partition, i.e.
etc/libnfc-nxp.conf -> /system/etc/libnfc-nxp.conf
system/vendor/firmware/libpn547_fw.so -> system/vendor/firmware/libpn547_fw.so
Could you test if copying them & rebooting (partially) restores NFC for you, too? (This should be possible with a file manager like X-Plore) If you don't want to use my archive, download XtreStoLite and extract the same files from their zip. Flashing CM should restore the original files in any case.
Click to expand...
Click to collapse
Hey, that actually worked! I tried with an NFC reader app, and my nfc tag popped up right away.

So now we're missing only flashable zip
I will try this one and if it will work, I will try my scripting luck
And here it is, enjoy

I believe that it might suffice to update the configuration file. According to the logs, at least on my phone, the firmware file isn't used anyway.

FirebirdDE said:
My NFC was gone too after I updated to the latest nightly yesterday. It appears that copying the firmware file and configuration from XtreStoLite fixed that, and that I'm back to the situation I described in the top post again now. I'll attach both files (in one archive). They should be placed in the according directories in the /system partition, i.e.
etc/libnfc-nxp.conf -> /system/etc/libnfc-nxp.conf
system/vendor/firmware/libpn547_fw.so -> system/vendor/firmware/libpn547_fw.so
Could you test if copying them & rebooting (partially) restores NFC for you, too? (This should be possible with a file manager like X-Plore) If you don't want to use my archive, download XtreStoLite and extract the same files from their zip. Flashing CM should restore the original files in any case.
Click to expand...
Click to collapse
WOHOOOO! Thank you very much. My klte's NFC stopped working after flashing some alpha CM12. Some days ago I flashed cm-12-20150310-NIGHTLY-klte and the NFC problem remained. Now I replaced /etc/libnfc-nxp.conf with the config file you attached and NFC is working again.

Great! I've submitted this upstream, hopefully they'll accept this. It would be good to get feedback from someone who didn't experience any NFC issues in the first place, though, to make sure that this does not break NFC for anyone.

How awesome. NFC is really stable too and I think we have found the fix. I belive that many galaxy s5 CM12 users will be happy

Seems like the fix will be in the next nightly, too.

Still some Problems
Hello,
first at all thanks for your research!
I installed your fix for the NFC (tried both zip and "self" copy) but NFC is not working correct:
* sometimes when enable/disable NFC i get a sound (not allways)
* When i scan a tag (the first time after enabling nfc) i get a sound for scanning, but NFC TagInfo and Tagstand Writer did not recognize the tag.
* Sometimes NFC TagInfo by NXP is working but one one time... (hard to explain, often the scanning works when i open the settings?)
* The Scanning works only once till i deaktivate/active NFC
I used the the fix with cyanogenmod nightly 14-03-2015 and now with the Unofficial build [ROM] CyanogenMod 12.0 | Android 5.0 Lollipop | [03/13/2015]
Also installed the latest Xposed framwork and SELinux "Permissive" ...
Any ideas?
Thanks in advance

Which variant do you have? (I, and afaik all others that reported here, have a g900f)
What kind of NFC tag do you try to scan? (As I've already written in the top post, Mifare Classic does not work.)
The relevant logcat (see a few posts up, I've posted a setprop-command that enables debug output) would also be interesting.
Btw., the only sound I get is for the recognition of a NFC chip and its removal. Enabling/disabling makes no sound whatsoever.

FirebirdDE said:
Which variant do you have? (I, and afaik all others that reported here, have a g900f)
What kind of NFC tag do you try to scan? (As I've already written in the top post, Mifare Classic does not work.)
The relevant logcat (see a few posts up, I've posted a setprop-command that enables debug output) would also be interesting.
Btw., the only sound I get is for the recognition of a NFC chip and its removal. Enabling/disabling makes no sound whatsoever.
Click to expand...
Click to collapse
What i forgot i have G900F
Sometimes i really got sound for enable/disable!?!
Hard to tell you what type of NFC tag i use, bacuse i cannot read them at all.
I tried
* a writable tag from androidbands.com
* a company card
* a skiing card
I will try to logcat later this day....

FirebirdDE said:
Which variant do you have? (I, and afaik all others that reported here, have a g900f)
What kind of NFC tag do you try to scan? (As I've already written in the top post, Mifare Classic does not work.)
The relevant logcat (see a few posts up, I've posted a setprop-command that enables debug output) would also be interesting.
Btw., the only sound I get is for the recognition of a NFC chip and its removal. Enabling/disabling makes no sound whatsoever.
Click to expand...
Click to collapse
Here is a loccat (created with logcat extrem app - currently no adb available for me)
Actions:
Activate NFC // Scann androidbrands.com Tag // Deactivate NFC
Looks like problems with the "libpn547_fw":
Code:
Line 191: D/NxpFwDnld( 447): @@@/system/vendor/firmware/libpn547_fw.so
Line 193: E/NxpFwDnld( 447): NULL handler : unable to load the library file, specify correct path
Line 199: E/NxpFwDnld( 447): Image extraction Failed - invalid imginfo or imginfolen!!
Line 201: E/NxpFwDnld( 447): Error loading libpn547_fw !!
Line 209: E/NxpHal ( 447): Wrong FW Version >>> Firmware download not allowed
The file exists in "/system/vendor/firmware/libpn547_fw.so" with "rw-rw----"

ostauss said:
Here is a loccat (created with logcat extrem app - currently no adb available for me)
Actions:
Activate NFC // Scann androidbrands.com Tag // Deactivate NFC
Looks like problems with the "libpn547_fw":
Code:
Line 191: D/NxpFwDnld( 447): @@@/system/vendor/firmware/libpn547_fw.so
Line 193: E/NxpFwDnld( 447): NULL handler : unable to load the library file, specify correct path
Line 199: E/NxpFwDnld( 447): Image extraction Failed - invalid imginfo or imginfolen!!
Line 201: E/NxpFwDnld( 447): Error loading libpn547_fw !!
Line 209: E/NxpHal ( 447): Wrong FW Version >>> Firmware download not allowed
The file exists in "/system/vendor/firmware/libpn547_fw.so" with "rw-rw----"
Click to expand...
Click to collapse
changed permissions to "rw-rw-r--" looks like lib is correctly loaded, but scanned androidbands.com Tag still not recognized by TagInfo...