Related
Hello folks,
This is a revised version of the same question posted to another forum, where no usable answer was received. I hope this might reach more knowledgeable people here .
On Allwinner A10/A13 platforms (tablets), the boot process differs significantly in Gingerbread (& earlier) vs. ICS (& later)
I think I have a pretty good understanding of the normal vs. recovery boot process in GB-style firmwares:
- boot.axf detects the special "boot to recovery" button combination based on info (key_min, key_max) found in script.bin
- it goes reading /linux/recovery.ini instead of /linux/linux.ini
- recovery.ini gives the name of the kernel to boot (uImage) and the name of the parameters file: paramsr instead of params found in linux.ini
- paramsr contains the name of the NAND partition to mount as root (the one that contains the recovery) and the proper arguments passed as the kernel command line
- done deal.
However in ICS-style firmware, things happen differently:
The uImage kernel has been replaced by a tertiary bootloader: u-boot.bin, whose job is to load the Linux kernel.
The recovery.ini file is gone, only linux.ini remains.
The u-boot binary does seem to have all the necessary parameters embbeded to boot in normal or recovery mode. But since it is boot.axf that detects the key combination, how does it pass the information "boot in recovery, dude" to u-boot? It's not using the "boot-recovery" string written to the "misc" partition because this information is checked and used by boot.axf itself and not by u-boot.bin as far as I can tell. Since boot.axf gets alls the information it needs from linux.ini I doubt that it has the ability to pass command-line arguments to u-boot.bin (I suspect that the limited environment available at this time has any such notion as process arguments anyway).
Actually the same question goes when "boot-recovery" is written to the "misc" partition: boot.axf detects this, but how is this information passed to u-boot?
Summary: in ICS-style firmware, how is the "boot to recovery" information passed from boot.axf to u-boot.bin?
I've Googled for this and found only one post with someone basically asking the same question, without a reply.
If someone can enlighten me I'd be immensely grateful.
@Lannig - I'm facing a similar issue in trying to figure out how the "boot to recovery, dude" message is passed to u-boot from boot.axf. I've created a thread with the information here: http://forum.xda-developers.com/general/help/allwinner-a20-stuck-recovery-reboot-loop-t2979416
I went through your thread here as well: http://www.slatedroid.com/topic/41091-ics-bootloader-recovery-boot-process-question/, where you seem to have had little success in your venture, could you please update on the details how you got the boot from SD card working. Thanks!
Hi all,
I have tried to build CM 10.1 based Ubuntu Touch for Samsung Tab 2 10.1 but all version will be boot looping only. I have not much Android background but I have read about logcat and reading last kernel messages that could reveal reasons for boot looping. Currently I can seen login screen for a few seconds.
Ubuntu Touch has a limited version of Cyanogenmod so it probably requires different ways to debug, track down the kernel fault. If you have been porting Ubuntu to some other Samsung Tablet what ways you have used? Or would you have some handy tip in your sleeve?
/data/ubuntu/var/log contains some informations but none seems to be directly relating to kernal fault.
Thank you for all suggestions how to proceed with fault determination.
simosays said:
Hi all,
I have tried to build CM 10.1 based Ubuntu Touch for Samsung Tab 2 10.1 but all version will be boot looping only. I have not much Android background but I have read about logcat and reading last kernel messages that could reveal reasons for boot looping. Currently I can seen login screen for a few seconds.
Ubuntu Touch has a limited version of Cyanogenmod so it probably requires different ways to debug, track down the kernel fault. If you have been porting Ubuntu to some other Samsung Tablet what ways you have used? Or would you have some handy tip in your sleeve?
/data/ubuntu/var/log contains some informations but none seems to be directly relating to kernal fault.
Thank you for all suggestions how to proceed with fault determination.
Click to expand...
Click to collapse
Succesfully compiled (@ the other thread), see my github for modifications (only forked 2 repos, kernel + device tree, both from Kumajaya's hub)
For the debugging things, isn't the documentation enough ? You should know how to work your way out
- https://wiki.ubuntu.com/Touch
- https://wiki.ubuntu.com/Touch/Testing
- http://developer.ubuntu.com/packaging/html/fixing-a-bug-example.html
Debugging errors in P5100
Sympnotic said:
Succesfully compiled (@ the other thread), see my github for modifications (only forked 2 repos, kernel + device tree, both from Kumajaya's hub)
For the debugging things, isn't the documentation enough ? You should know how to work your way out
- <removed>
- <removed>
- <removed>
Click to expand...
Click to collapse
Thank you Symptonic!
I am finally debugging ...would you happened to see any similar messages when making porting to other Samsung devices?
E/linker ( 690): ics/linker.c:1598| WARNING: Skipping libc.so
...
E/linker ( 690): ics/linker.c:1072| ERROR: Library 'libOpenVG.so' not found
...
E/linker ( 690): ics/linker.c:1072| ERROR: Library 'libPVROGL.so' not found
E/linker ( 690): ics/linker.c:1072| ERROR: Library 'libPVROCL.so' not found
D/libEGL ( 690): loaded /vendor/lib/egl/libGLESv1_CM_POWERVR_SGX540_120.so
D/libEGL ( 690): loaded /vendor/lib/egl/libGLESv2_POWERVR_SGX540_120.so
Click to expand...
Click to collapse
As far as I understand that relates to device/samsung/omap4-common/ and to device (p5100) which does not support libOpenVG.so. Anyway when those errors are shown couple of times in logcat device will reboot itself see "pastebin". Would you have any suggestions how to configure device settings or track down the error?
Thank you for all comments and ideas!
Entire logcat in pastebin: /J2mNneYw
Testers wanted: Anyone who uses this method, let me know if you can access stock recovery after this method.
Summery
Thanks to the amazing work by our active member @bibikalka, a method was found to unbrick these devices Thread link here. The method he found was slightly tedious for some people, so I've decided to put together a Linux iso that you can boot into on your computer with everything you need to get your device running again. It uses the same methods proposed but makes things easier. This comes with all the necessary drivers, scripts to do everything you need, all the img files needed to flash, a hex editor for advanced users, and more. Before the scripts included in this OS, determining the option (A, B, or C) to take in order to unbrick the device required .part files to be evaluated manually. Now with the custom script, it can quickly evaluate what option to take.
Video Instructions
Brief Instructions
1. Download the Linux iso:
Linux ISO
2. Burn the iso to a USB drive or cd
3. Boot into the operating system
4. Type "root" at the login prompt
5. Right click on the desktop and choose file manager. Go to "aftv2-tools" folder
6. Right click on file manager and press "open in terminal"
7. From device turned off, enter command "./handshake.py", then plug in device. You may need to do this a couple times to get a connection. Try pressing volume keys & power etc to get it connected. See video if you have problems
8. After handshake is complete, run "./reader.sh"
9. After all addresses are read in, run "./determineOption.sh". You should get back a result of A, B, or C
10. Depending on the option returned (A,B,or C), run "./readerSpecialOptionA.sh", "./readerSpecialOptionB.sh", or "./readerSpecialOptionC.sh". This is an optional step but may be useful if you want to back up part files or their were no options available. Back up part files to a usb drive if you want to be safe.
11. Now the actual unbricking. Run "./unbrickOptionA.sh", "./unbrickOptionB.sh", or "./unbrickOptionA.sh" depending on your option. This can take about 40 minutes
12. hold volume up and run "./complete.sh" at the same time to get into TWRP
13. boot into your default operating system on your computer
BE VERY CAREFUL FROM NOW ON
13. We will be installing Fire OS 5.3.1. If you are not installing this ROM, make sure you know what you are doing. Download the ROM:
update-kindle-20.5.5.2_user_552153420.bin
14. Download 5.4.1_1133_stock_recovery_uboot.zip: 5.4.1_1133_stock_recovery_uboot.zip. Without this you could turn your device into a paperweight. This installs stock recovery and a uboot version that MUST be installed. This file was taken from the thread here: how-to-upgrade-to-lollipop-root-gapps
15. Rename the ROM extension from .bin to .zip
16. Transfer the two files to the Fire
17. Do a factory reset. Flash the ROM and uboot&recovery file
18. Reboot! Your device should now be working. It will take about 15 mins to boot up.
Big thanks to @bibikalka for helping work everything out and for the initial unbrick method.
Edit 10/13/21: Fixed Google Drive Link
Linux ISO Changelog
Updated 10/5/16:
*Optomized scripts
*Added "complete.sh" This reboots the device
Updated 9/27/16:
*Added script to auto-detect which unbrick option to use (determineOption.sh)
*Added scripts to write img files to correct addresses ( unbrickOptionA.sh, unbrickOptionB.sh, and unbrickOptionC.sh)
*Added scripts to read in and label part files (readerSpecialOptionA.sh, readerSpecialOptionB.sh, and readerSpecialOptionC.sh)
*Nemo open in terminal fixed
*.part files set to open with ghex by default
Updated 9/24/16:
*Nemo as default file manager
*Updated html page with instructions from forum
well, after seriously struggling with the parent thread mentioned in the OP I've managed to get to TWRP & am just waiting for my win10 machine to install it's updates before attempting to adb push the uboot & zip files for installation back to fireOS.
feels great to see the screen displaying something other than the looping amazon logo after months of frustration. I do not have the words to express my gratitude for @powerpoint45 for an excellent & well thought through tool and walkthrough. special mention also goes out to @bibikalka
gascomm said:
well, after seriously struggling with the parent thread mentioned in the OP I've managed to get to TWRP & am just waiting for my win10 machine to install it's updates before attempting to adb push the uboot & zip files for installation back to fireOS.
feels great to see the screen displaying something other than the looping amazon logo after months of frustration. I do not have the words to express my gratitude for @powerpoint45 for an excellent & well thought through tool and walkthrough. special mention also goes out to @bibikalka
Click to expand...
Click to collapse
great to hear! I hope everything works for you! After you get everything done, can you check if you can get into recovery.
after flashing both zips & rebooting I've now got my working fire (OS 5.3.1.0) back. thank you Mr PowerPoint!
i tried rebooting to recovery & it now takes me to the stock amazon recovery not TWRP..... which is unfortunate.
I did get asked if I wanted to install SuperUser which was a no-brainer YES. although I'm staying offline until I identify a functional (fast) flavour of android to flash. suggestions welcome.
gascomm said:
after flashing both zips & rebooting I've now got my working fire (OS 5.3.1.0) back. thank you Mr PowerPoint!
i be tried rebooting to recovery & it now takes me to the stock amazon recovery not TWRP..... which is unfortunate.
I did get asked if I wanted to install SuperUser which was a no-brainer YES. although I'm staying offline until I identify a functional (fast) flavour of android to flash. suggestions welcome.
Click to expand...
Click to collapse
Good to hear everything is working. Ya TWRP does not work with 5.x bootloader. Good to hear you can get into stock recovery because I had some incidents where I could not get into it. Thanks for responding. The only custom ROM ATM is CM13.
powerpoint45 said:
The only custom ROM ATM is CM13.
Click to expand...
Click to collapse
sorry to trouble you again but do you know where I can find a guide/walkthrough of how to root via adb & install twrp or cwm to allow flashing of a rom & gapps..
I can only find the kingroot method & the CM11 rom discussion. where might I find the CM13 you mentioned?
I have searched fruitlessly. I guess I just need a little guidance to avoid running straight into another brick.
cheers.
gascomm said:
sorry to trouble you again but do you know where I can find a guide/walkthrough of how to root via adb & install twrp or cwm to allow flashing of a rom & gapps..
I can only find the kingroot method & the CM11 rom discussion. where might I find the CM13 you mentioned?
I have searched fruitlessly. I guess I just need a little guidance to avoid running straight into another brick.
cheers.
Click to expand...
Click to collapse
I meant to say CM11. This guide is probably one of the best http://forum.xda-developers.com/fire-hd/general/how-to-upgrade-to-lollipop-root-gapps-t3163950/page1
This is a bit older one: http://forum.xda-developers.com/fire-hd/general/how-to-downgrade-to-4-5-3-root-device-t3139351/page1
In order to have TWRP, you must have a 4.x bootloader so CM11 would work with it.
Thank you
I have a question I can work downgrade from 5.3.1 to 4.5.3
I'm currently on version 5.3.1
PRInCEI7 said:
Thank you
I have a question I can work downgrade from 5.3.1 to 4.5.3
I'm currently on version 5.3.1
Click to expand...
Click to collapse
yes you should be fine doing that
Unfortunately, did not respond
I worked
MacBook-Air-2:ROOT IP$ ./handshake.py
Waiting for preloader...
Found port = /dev/cu.usbmodem1420
Handshake complete!
In the second step does not respond to the order ./reader.sh
Also tried
/.read_mmc.py 0x0000000 0x1000 0x0000000.part
Does not respond
By the way tried way on more than one device
And tried through the system Max os x and the system arch-custom-firehd67-unbrick100516.iso did not work and also the same result
MY device Amazon Fire HD 6 version 5.3.1 All functions work, but I need to work downgrade to 4.5.3
Is there a solution to my problem
[/SIZE]
@powerpoint45 thanks for the pointers. I am now the proud owned of an hd6 booting straight into cm11 & it's been well worth the wait. I am forever in your digital debt.
gascomm said:
@powerpoint45 thanks for the pointers. I am now the proud owned of an hd6 booting straight into cm11 & it's been well worth the wait. I am forever in your digital debt.
Click to expand...
Click to collapse
sweet!!!
PRInCEI7 said:
Unfortunately, did not respond
I worked
MacBook-Air-2:ROOT IP$ ./handshake.py
Waiting for preloader...
Found port = /dev/cu.usbmodem1420
Handshake complete!
In the second step does not respond to the order ./reader.sh
Also tried
/.read_mmc.py 0x0000000 0x1000 0x0000000.part
Does not respond
By the way tried way on more than one device
And tried through the system Max os x and the system arch-custom-firehd67-unbrick100516.iso did not work and also the same result
MY device Amazon Fire HD 6 version 5.3.1 All functions work, but I need to work downgrade to 4.5.3
Is there a solution to my problem
[/SIZE]
Click to expand...
Click to collapse
I am also getting the same results with my HD 7 4th gen. The handshake completes just fine, but the reader just hangs. When I'm in recovery, I get errors saying the /cache folder failed to mount. I'm thinking the memory is corrupt and there is no way to fix this.
nai1ed said:
I am also getting the same results with my HD 7 4th gen. The handshake completes just fine, but the reader just hangs. When I'm in recovery, I get errors saying the /cache folder failed to mount. I'm thinking the memory is corrupt and there is no way to fix this.
Click to expand...
Click to collapse
Unfortunately it appears that with the latest bootloader on the latest Amazon update that they have disabled these commands (such as reading and writing). Unfortunately if you can't get into recovery with (vol+ & power) then it is currently unrecoverable. Best option for an unrecoverable device would be to buy another motherboard from eBay or some place. They are pretty cheap and easy to replace. I've had to do it a couple times now.
Confused
First you say it should be OK to downgrade:
powerpoint45 said:
PRInCEI7 said:
Thank you
I have a question I can work downgrade from 5.3.1 to 4.5.3
I'm currently on version 5.3.1
Click to expand...
Click to collapse
yes you should be fine doing that
Click to expand...
Click to collapse
Although, it's unclear how, since reports indicate that sideloading older
firmware bricks the device (or, does that only apply to 5.x?).
Then, we learn that the preloader trick (from aftv2-tools) doesn't work anymore:
Code:
[[email protected] aftv2-tools]# ./handshake.py
Waiting for preloader...
Found port = /dev/ttyACM0
Handshake complete!
[[email protected] aftv2-tools]# ./reader.sh
^CTraceback (most recent call last):
File "./read_mmc.py", line 355, in <module>
if msdc_dma_status():
File "./read_mmc.py", line 146, in msdc_dma_status
return False if sdr_read32(MSDC_CFG) & MSDC_CFG_PIO else True
File "./read_mmc.py", line 82, in sdr_read32
check(dev.read(2), b'\x00\x00') # arg check
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 450, in read
ready, _, _ = select.select([self.fd, self.pipe_abort_read_r], [], [], timeout)
KeyboardInterrupt
^CTraceback (most recent call last):
File "./read_mmc.py", line 355, in <module>
if msdc_dma_status():
File "./read_mmc.py", line 146, in msdc_dma_status
return False if sdr_read32(MSDC_CFG) & MSDC_CFG_PIO else True
File "./read_mmc.py", line 82, in sdr_read32
check(dev.read(2), b'\x00\x00') # arg check
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 450, in read
ready, _, _ = select.select([self.fd, self.pipe_abort_read_r], [], [], timeout)
KeyboardInterrupt
^Z
[1]+ Stopped ./reader.sh
[[email protected] aftv2-tools]# kill %1
[[email protected] aftv2-tools]#
[1]+ Terminated ./reader.sh
[[email protected] aftv2-tools]#
The above is for a 4th gen HD7 with this device showing in 'lsusb':
Code:
Bus 001 Device 006: ID 0e8d:3000 MediaTek Inc.
powerpoint45 said:
Unfortunately it appears that with the latest bootloader on the latest Amazon update that they have disabled these commands (such as reading and writing). Unfortunately if you can't get into recovery with (vol+ & power) then it is currently unrecoverable. Best option for an unrecoverable device would be to buy another motherboard from eBay or some place. They are pretty cheap and easy to replace. I've had to do it a couple times now.
Click to expand...
Click to collapse
BTW, are we sure that this is *disabled* as opposed to _tweaked_?
(e.g. by changing the protocol slightly by, say, requiring an extra byte
or two "confirmation" before execution? has anyone bothered reversing
the bootloader? [Please excuse my ignorance, but would this be handled
by UBOOT, TEE1, or some other component?])
So, what's the current best option for 5.3.1?
---------- Post added at 11:23 ---------- Previous post was at 10:58 ----------
draxie said:
BTW, are we sure that this is *disabled* as opposed to _tweaked_?
(e.g. by changing the protocol slightly by, say, requiring an extra byte
or two "confirmation" before execution? has anyone bothered reversing
the bootloader?
Click to expand...
Click to collapse
OK. So, I found this post by @zeroepoch,
which makes it very clear that said exercise has been performed for the AFTV2...
No reason to believe that this would be different for the Fire HD7...
draxie said:
First you say it should be OK to downgrade:
Although, it's unclear how, since reports indicate that sideloading older
firmware bricks the device (or, does that only apply to 5.x?).
Then, we learn that the preloader trick (from aftv2-tools) doesn't work anymore:
The above is for a 4th gen HD7 with this device showing in 'lsusb':
BTW, are we sure that this is *disabled* as opposed to _tweaked_?
(e.g. by changing the protocol slightly by, say, requiring an extra byte
or two "confirmation" before execution? has anyone bothered reversing
the bootloader? [Please excuse my ignorance, but would this be handled
by UBOOT, TEE1, or some other component?])
So, what's the current best option for 5.3.1?
---------- Post added at 11:23 ---------- Previous post was at 10:58 ----------
OK. So, I found this post by @zeroepoch,
which makes it very clear that said exercise has been performed for the AFTV2...
No reason to believe that this would be different for the Fire HD7...
Click to expand...
Click to collapse
My understanding is that you only need to worry about bricking if You are downgrading to another lollypop ROM. We found out that the device has a fuse that is set in later lollypop ROMs where it will check against the current version. But this check only seems to be on lollipop ROM's. As for the aftv2 protocol, you might be right but I don't know enough about that yet to know. Currently we have no unbrick method for latest bootloader. If you can get into recovery then you could sideload but most can't get into recovery during brick.
I've followed the steps but not into twrp, only screen amazon and reset. I'm not good at English
error trying to unbrick hd6
[[email protected] aftv2-tools]# ./complete.sh
1: 0xd1
4: 0x00 0x00 0x00 0x00
4: 0x00 0x00 0x00 0x01
Traceback (most recent call last):
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 468, in read
'device reports readiness to read but returned no data '
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./read32.py", line 69, in <module>
ret = read32(addr, size)
File "./read32.py", line 45, in read32
print_hex_byte(dev.read(2)) # status
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 475, in read
raise SerialException('read failed: {}'.format(e))
serial.serialutil.SerialException: read failed: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
[[email protected] aftv2-tools]#
kingwill101 said:
[[email protected] aftv2-tools]# ./complete.sh
1: 0xd1
4: 0x00 0x00 0x00 0x00
4: 0x00 0x00 0x00 0x01
Traceback (most recent call last):
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 468, in read
'device reports readiness to read but returned no data '
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./read32.py", line 69, in <module>
ret = read32(addr, size)
File "./read32.py", line 45, in read32
print_hex_byte(dev.read(2)) # status
File "/usr/lib/python3.5/site-packages/serial/serialposix.py", line 475, in read
raise SerialException('read failed: {}'.format(e))
serial.serialutil.SerialException: read failed: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
[[email protected] aftv2-tools]#
Click to expand...
Click to collapse
You are on any version.
You can access to recovery now
[ROM][7.1.2][i9305]Unofficial LineageOS 14.1 by Exynos4 Team
Code:
/*
* Your warranty is now void.
*
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about features included in this ROM
* before flashing it! YOU are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
*/
What is Exynos4 Team?
The Exynos4 team is composed of the current maintainers for T0LTE/T0LTEKOR for both LineageOS and Resurrection Remix.
(@Option58, @kozmo21 and @PoisonNinja)
Difference between this and official Lineage 14.1
This is more like a bleeding edge build. Upcoming changes/fixes will show up here first, and eventually make it into Lineage official. So, if you want the latest and greatest changes for the Note 2 and than ported to the i9305, if possible, flash this instead of official.
Due to LineageOS rules, if you are switching between official and unofficial builds you will have to clean flash.
Exynos4 Team like to say thanks to:
The great developer community out there. We've had a lot of help from other people.
- the LineageOS team
- the Galaxy S3 LineageOS maintainer github.com/fourkbomb.
- the NamelessROM project github.com/namelessrom.
- xda users for testing and bug reports.
And I want to say thanks to:
PoisonNinja and Option58, who helped me a lot to set up the device tree and vendor blobs for that Exynos4 rom,
which is mainly created or grown out of the hwc idea.
and credits to @p.a.n for his work and providing his changes and patches.
Working
Graphics
Wifi
Data
RIL
Bluetooth (?!?)
Sensors
Vibration
Camera
NFC
Audio
Video Playback
Not working/Bugs/Unknown
[*]GPS is not working currently Fix is in second post!!
Bluetooth audio (may or may not work for you), please check and report back
MTP crashes when uninstalling an app
Installation
Read the FAQ to familiarize yourself with any issues that may come up
Make sure you're using the latest TWRP version
Download and copy latest rom version to the phone, preferably on internal storage
Factory reset in TWRP (Very important! Do not skip)
Format system, cache, dalvik, data
Flash unofficial LineageOS 14.1
Flash Gapps
Optional: Flash root package
Reboot
Be patient. The first boot will take between 5 - 15 minutes.
See the FAQ to avoid common issues
For updates, it's OK to dirty flash. If you experience any issues however, it is recommended that you clean flash.
Download
lineage-14.1-20170618-UNOFFICIAL-i9305-HWC.zip: June 18, 2017
6/18/2017 (i9305)
Sync with the latest Lineage sources
Hardware composer fixes
[*] Switch back to proprietary RIL 4.4 blobs
Properly fixed screencast
Lots of security patches in the kernel
Temporarily switched SELinux to permissive
XDA:DevDB Information
LineageOS 14.1 by Exynos4 Team, ROM for the Samsung SIII LTE (i9305)
Contributors
PoisonNinja, Option58, kozmo21, LineageOS team
Source Code: https://github.com/Exynos4
ROM OS Version: 7.x Nougat
Based On: LineageOS
Version Information
Status: Beta
Created 2017-06-18
Last Updated 2017-06-18
Just a few info
Root
LineageOS removed builtin root, so you need to flash the root package linked above.
Please test especially calls, incoming and outgoing, mobile data and bluetooth.
The rom/build is based on pans vendor proprietary (ril) blobs and should improve our ril and hopefully fix our reboot problem.
Kernel is set to permissive at the moment. Stickt version also ok.
Please also test bluetooth (audio transfer), because I am not sure, whether it works correct.
GPS is currently not working. Will try to fix that with one of the next builds.
Edit: previous GPS fix is working and solve the problem. Changes will be added in next update.
You can also find it here attached fixed in version: 0702
Other than the HWC and blob changes, the rom is based on pure lineageos sources/repos.
if I need another one
I'm getting bootloops with that build (it doesn't reach far enough for adb to pull the logs). I tried building a build with older blobs yesterday. My build was getting SIGSEGV caused by ks. I'll try building a non hwc version using your blobs and i9305 repository.
I also noticed some reboots, but none anymore during the last night. So I assume that the reboots could not be solved with changing the blobs and also not with that different ril sources/blobs. I doubt that the reboots will be gone with a non hwc version, but we will see. Beside of that are the other things working? Calls, mobile data etc?
Non hwc version booted ok. at_distributor is having problems :
Code:
06-19 03:06:25.941 2812 2812 F libc : CANNOT LINK EXECUTABLE "/system/bin/at_distributor": cannot locate symbol "supportExpandedNV" referenced by "/system/bin/at_distributor"...
06-19 03:06:25.941 2812 2812 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 2812 (at_distributor)
but RIL works anyway (at least SMS). I'll try replacing it with stock i9305 at_distributor. I've got one reboot but I didn't launch logcat/kmsg before and had only short last_kmsg. We should try replacing the blobs with the stock i9305 ones because for now they are mixed. We could give a shot to persist.radio.apm_sim_not_pwdn=1 in system.prop too. I haven't tested anything beside RIL reboots (I'm testing it during night and hoping it will manage to reboot before next day because for daily usage I'm going back to the last stable rom).
Many thanks and when you managed to solve the mix up and your tests are ok, it would be good, if you can upload your changes to github. Think it doesn't make sense that we do all the work twice
Edit: seems to be again or still:
Code:
Kernel panic - not syncing: Fatal exception
and I think caused because of:
Code:
<6>[ 184.685341] c0 mdm_hsic_pm_notify_event: unblock request
<6>[ 184.685375] c0 notify_modem_fatal or shutdown
<6>[ 184.685403] c0 ap2mdm_status is high
<6>[ 184.685425] c0 ap2mdm_errfatal is high
<6>[ 184.685449] c0 mdm2ap_status is low
<6>[ 184.685471] c0 mdm2ap_errfatal is low
<6>[ 184.685492] c0 During shutdown, return notify_modem_fatal
rodman01 said:
Many thanks and when you managed to solve the mix up and your tests are ok, it would be good, if you can upload your changes to github. Think it doesn't make sense that we do all the work twice
Edit: seems to be again or still:
Code:
Kernel panic - not syncing: Fatal exception
and I think caused because of:
Code:
<6>[ 184.685341] c0 mdm_hsic_pm_notify_event: unblock request
<6>[ 184.685375] c0 notify_modem_fatal or shutdown
<6>[ 184.685403] c0 ap2mdm_status is high
<6>[ 184.685425] c0 ap2mdm_errfatal is high
<6>[ 184.685449] c0 mdm2ap_status is low
<6>[ 184.685471] c0 mdm2ap_errfatal is low
<6>[ 184.685492] c0 During shutdown, return notify_modem_fatal
Click to expand...
Click to collapse
Don't worry, I'll upload when I have something that's worth uploading. If you got
Code:
<6>[ 184.685425] c0 ap2mdm_errfatal is high
then the issue is still there.
Update
at_distributor from stock references the same function (supportExpandedNV) so the problem rather doesn't lie in the at_distributor itself but in a missing file that contains the missing function.
Update 2
Replacing ks blob with i9305 stock one alone won't work. That leads to the problem that @p.a.n had (https://forum.xda-developers.com/showpost.php?p=64395738&postcount=218) (https://forum.xda-developers.com/showpost.php?p=64448961&postcount=269)
mtr_ said:
Update 2
Replacing ks blob with i9305 stock one alone won't work. That leads to the problem that @p.a.n had (https://forum.xda-developers.com/showpost.php?p=64395738&postcount=218) (https://forum.xda-developers.com/showpost.php?p=64448961&postcount=269)
Click to expand...
Click to collapse
There is a simple solution (or hack to be more precise) to this and I believe I`ve also described it somewhere here - open the ks binary with some binary editor, find the connect string (it should be there twice) and replace it something else with the same length (I used xonnect).
This is a linker related problem, ks contains symbol connect, which replaces connect from libc (I hope it is there, if not it is some other system library), but with a totally different functionality, which causes a crash. Don`t ask me why this is happening in one environment and in other (the old one), I don`t know.
Maybe this last_kmsg looks better now?
Code:
Samsung S-Boot 4.0 for GT-I9305 (Sep 12 2014 - 13:40:58)
EXYNOS4412(EVT 1.1) / 2044MB / 0MB / Rev 2 / I9305XXUFNI3 /(PKG_ID 0xb070018)
BOOTLOADER VERSION : I9305XXUFNI3
PMIC rev = PASS2(4)
BUCK1OUT(vdd_mif) = 0x05
BUCK3DVS1(vdd_int) = 0x20
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
[mmc] capacity = 30777344
MODEL_NAME:{{GT-I9305}}
eMMC_SERIAL_NUMBER:{{1501004D4147344642F74A00ABD19F03}}
- read_bl1
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (4:0xe)
[RPMB] emmc_rpmb_open:
Get DATA success.
[RPMB] emmc_rpmb_close:
initialize_rpmb_data: usable! (GT-I9305:VERSION_-+A3)
PARAM ENV VERSION: v1.0..
set_charger_current: chg curr(3f), in curr(17)
set_charger_state: buck(1), chg(1), reg(0x05)
microusb_get_attached_device: STATUS1:0x3f, 2:0x00
set_auto_current: ta_state(0), curr(700)
init_fuelgauge: fuelgauge power ok
init_fuelgauge: POR status
fuelgauge_por: POR start: vcell(3975), vfocv(4026), soc(79)
fuelgauge_por: update SDI M0 parameter
fuelgauge_por: RCOMP(0x0063), TEMPCO(0x0930)
fuelgauge_por: POR finish: vcell(3977), vfocv(4085), soc(73)
get_table_soc: vcell(3976) is caculated to t-soc(75.735)
init_fuelgauge: start: vcell(3976), vfocv(4081), soc(73), table soc(75)
init_fuelgauge: finish: vcell(3976), vfocv(4081), soc(73), table soc(75)
init_microusb_ic: before MUIC: CDETCTRL:0x2d
init_microusb_ic: after MUIC: CDETCTRL:0x2d
init_microusb_ic: MUIC: CONTROL1:0x00
init_microusb_ic: MUIC: CONTROL1:0x00
init_microusb_ic: MUIC: CONTROL2:0x3b
init_microusb_ic: MUIC: CONTROL2:0x3b
PMIC_ID = 0x02
PMIC_IRQSRC = 0x00
PMIC_IRQ1 = 0x02
PMIC_IRQ2 = 0x00
PMIC_IRQ1M = 0xff
PMIC_IRQ2M = 0xff
PMIC_STATUS1 = 0x13
PMIC_STATUS2 = 0x00
PMIC_PWRON = 0x01
PMIC_RTCINT = 0x11
PMIC_RTCINTM = 0x3f
s5p_check_keypad: 0x100000
s5p_check_reboot_mode: INFORM3 = 0 ... skip
s5p_check_upload: MAGIC(0xc1d0c0d6), RST_STAT(0x10000)
microusb_get_attached_device: STATUS1:0x3f, 2:0x00
s5p_check_download: 0
microusb_get_attached_device: STATUS1:0x3f, 2:0x00
check_pm_status: charger is not detected
check_pm_status: voltage(3978) is ok
cmu_div:1, div:7, src_clk:800000000, pixel_clk:38102400
s5p_dsim_display_config: VIDEO MODE
a2, 60, 90,
<start_checksum:481>CHECKSUM_HEADER_SECTOR :4096
<start_checksum:483>offset:50, size:6296
<start_checksum:485>CHECKSUM_HEADER_INFO : NeedChecksum:0 PartNo:20
Not Need Movinand Checksum
Movinand Checksum Confirmation Pass
[mobi_drv] add: 0x43e52500, size: 3933
MobiCore INIT response = 0
MobiCore RTM has initialized!
MobiCore IDLE flag = 0
MobiCore driver address 43e52500, size = 3933
MobiCore RTM Notified back!
MobiCore Driver loaded and RTM IDLE!
MobiCore RTM has been uninitialized!
load_kernel: loading boot image from 106496..
Verify_Binary_Signature: failed.
pit_check_signature (BOOT) invalid.
Set invalid sign flag
No need to update kernel type.
SMC Num = 0x83000001
mobismc success!!! [ret = 0]
[s5p_check_sboot_version_rpmb]cur_version:VERSION_-+A3, rpmb_version:VERSION_-+A3
rpmb_version:51, cur_version:51
ATAG_CORE: 5 54410001 0 0 0
ATAG_MEM: 4 54410002 20000000 40000000
ATAG_MEM: 4 54410002 20000000 60000000
ATAG_MEM: 4 54410002 20000000 80000000
ATAG_MEM: 4 54410002 1FC00000 A0000000
ATAG_SERIAL: 4 54410006 42f74a00 abd19f03
ATAG_INITRD2: 4 54420005 42000000 17b548
ATAG_REVISION: 3 54410007 2
check_rustproof [0]
ATAG_CMDLINE: b1 54410009 'console=ram loglevel=4 androidboot.baseband=mdm sec_debug.level=0 sec_watchdog.sec_pet=5 androidboot.debug_level=0x4f4c [email protected] [email protected] [email protected] s3cfb.bootloaderfb=0x5ec00000 lcdtype=96 consoleblank=0 lpj=3981312 vmalloc=176m oops=panic pmic_info=67 cordon=471c411f44a4d1cb9c99510ec7e578a1 connie=GT-I9305_OPEN_EUR_10e569b8255514f00b8793d908e78a26 androidboot.emmc_checksum=3 androidboot.boot_salescode= androidboot.odin_download=1 androidboot.bootloader=I9305XXUFNI3 androidboot.selinux=enforcing androidboot.warranty_bit=1 androidboot.sec_atd.tty=/dev/ttySAC2 androidboot.serialno=42f74a00abd19f03 snd_soc_core.pmdown_time=1000'
ATAG_NONE: 0 0
Starting kernel at 0x40008000...
SWITCH_SEL(3)
p.a.n said:
There is a simple solution (or hack to be more precise) to this and I believe I`ve also described it somewhere here - open the ks binary with some binary editor, find the connect string (it should be there twice) and replace it something else with the same length (I used xonnect).
This is a linker related problem, ks contains symbol connect, which replaces connect from libc (I hope it is there, if not it is some other system library), but with a totally different functionality, which causes a crash. Don`t ask me why this is happening in one environment and in other (the old one), I don`t know.
Click to expand...
Click to collapse
Thanks for hint, I know that you don't work on i9305 anymore. Isn't that connect that comes internally in ks used somewhere ? After all they had to have a reason to place an internal function like that. After you left the development, it seems that the current ks that is being used in LineageOS based roms seems to be taken from other device. The current situation is as follows: the modem crashes from time to time, ks during that crash is having issues during SAHARA protocol file transfer. I don't know whether it is the modem that causes the ks crash, or ks that causes modem crash.
rodman01 said:
Maybe this last_kmsg looks better now?
Click to expand...
Click to collapse
The pasted log contains only what happened after reboot. It shows the next boot. If you wanted to show a crash, it isn't saved. It could be truncated, because last_kmsg has limited buffer (for most of the modem issues it was just too small to show everything). You can use the methods to capture logs I posted somewhere else.
yes I noticed this too after pulling another one.
But with my current used blobs I do not have that:
Code:
<6>[ 184.685425] c0 ap2mdm_errfatal is high
anymore, but still reboots and:
Code:
<6>[ 1581.571051] c0 mdm_subsys_powerup: mdm modem restart timed out.
<0>[ 1581.571210] c0 Kernel panic - not syncing: subsystem_restart_wq_func[eac9d720]: Failed to powerup external_modem!
rodman01 said:
yes I noticed this too after pulling another one.
But with my current used blobs I do not have that:
Code:
<6>[ 184.685425] c0 ap2mdm_errfatal is high
anymore, but still reboots and:
Code:
<6>[ 1581.571051] c0 mdm_subsys_powerup: mdm modem restart timed out.
<0>[ 1581.571210] c0 Kernel panic - not syncing: subsystem_restart_wq_func[eac9d720]: Failed to powerup external_modem!
Click to expand...
Click to collapse
Still not good. Have you tried modyfing the stock ks as @p.a.n wrote ? I think that the blobs can be swapped on already installed Android, without recompiling everything. Doing adb push should work too. Something like: adb root, adb remount, adb push, reboot.
I know that this is not good.
No I haven't, I have no such editor and haven't searched for it. Have you tried that already?
rodman01 said:
I know that this is not good.
No I haven't, I have no such editor and haven't searched for it. Have you tried that already?
Click to expand...
Click to collapse
Any hex editor should be enough (for Windows you could try https://mh-nexus.de/en/hxd/ ). I haven't tried yet, I returned to stock rom.
mtr_ said:
Thanks for hint, I know that you don't work on i9305 anymore. Isn't that connect that comes internally in ks used somewhere ? After all they had to have a reason to place an internal function like that. After you left the development, it seems that the current ks that is being used in LineageOS based roms seems to be taken from other device. The current situation is as follows: the modem crashes from time to time, ks during that crash is having issues during SAHARA protocol file transfer. I don't know whether it is the modem that causes the ks crash, or ks that causes modem crash.
Click to expand...
Click to collapse
I actually do work on it, just don`t publish, since I was under impression that the official version is fine and the problem you are describing here is caused by old version of modem. I didn`t want to change it, so I solved the problem by using the KitKat RIL with the modification I mentioned.
As far as I know the connect symbol in the ks binary is used only internaly (and shouldn`t be exported at all). It seems like a simple name colision, which was handled differently in KitKat. I`ve been using the modified ks for a long time and it doesn`t seem to have any negative side effect.
I`ll try to put together all the changes against the official code I have and publish again some of my builds. LineageOS 14.1 is quite stable on my device, so I hope this will help you. I just cannnot promise, when this will be, since I am pretty bussy now (more I`ve ever been).
I am uploading at the moment a new test build, where in my logcat no at distributor error and no SIGABRT error or message is to be seen at the moment. Maybe someone is around who is willing to test it....?!?
New test build is uploaded now.
Its based on todays leos sources and nameless/crazyweasel 3.0 vendor/blobs.
Download
lineage-14.1-20170621-UNOFFICIAL-i9305-hwc.zip: https://www.androidfilehost.com/?fid=673368273298966239
Please report back about reboots and or any other error or bug.
GPS is fixed and should work now.
p.a.n said:
I actually do work on it, just don`t publish, since I was under impression that the official version is fine and the problem you are describing here is caused by old version of modem. I didn`t want to change it, so I solved the problem by using the KitKat RIL with the modification I mentioned.
Click to expand...
Click to collapse
Lucky. It seems that by doing that you avoided the RIL problems (and thus saved time ). The thing worth mentioning is that there are quite new stock releases available (I9305XXSFQ series).
rodman01 said:
New test build is uploaded now.
Its based on todays leos sources and nameless/crazyweasel 3.0 vendor/blobs.
Please report back about bootloops and or any other error or bug.
GPS is fixed and should work now.
Click to expand...
Click to collapse
Tested, unfortunately bootloops. Did you try it after a dirty flash or a clean one ?
I made a non hwc build with https://github.com/CrazyWeasel/proprietary_vendor_samsung/tree/n-3.0/i9305 and modified ks from https://github.com/p-an/android_device_samsung_i9305/blob/cm-14.1/proprietary/system/bin/ks . ks works, at_distributor doesn't whine about missing symbol, but that it can't connect to ATD.
Code:
06-22 04:24:28.916 5290 5290 V AT_Distributor_diag: can't connect to atd socket
06-22 04:24:29.046 5293 5293 V AT_Distributor_diag: ConnectToATD
I was running the build for an hour, so not long enough to tell whether the modem issue appears. 4:50 AM, time to get back to stock
I had a reboot during the night too. And now, since the last half an hour, several reboots again. So I would say, this test version is almost unusable at the moment. Did a clean flash after changing to crazyweasel blobs.
Tl;dr = I have studied the boot process. I understand the Qualcomm SOC boot process PBL > SBL/XBL > And so on. I am trying to get a disassembly of the SBL. I dumped the EMMC and can view all its partitions. Now I am stuck at the 80 bytes header containing the "Loading Address". I can't figure out where and how the processor jumps to this loading address.
Greetings XDA community. This post is more relevant to the developers and power users of android and people who work as embedded developers/security researchers/reverse engineers in general.
Background - I am deeply interested in OSDev and running my own code on the hardware I own. Just like I am building my own bootloader for my PC, I had also been wanting to study the android boot processs for quite some time. In the last few days I got to it and found that the whole low level ecosystem of Android, iOS and Smartphones is really toxic and full of proprietary stuff. But I am still determined to make my own bootloader for my smartphone even if it only displays the good old "Hello World" on that little black display. I am not concerned about bricking my few phones as they are pretty much useless to me now and can be used for RE purposes.
Some Useful Links - https://blog.quarkslab.com/analysis-of-qualcomm-secure-boot-chains.html , https://alephsecurity.com/2018/01/22/qualcomm-edl-1/ , https://lineageos.org/engineering/Qualcomm-Firmware/
Technicals - I copied the whole EMMC from my rooted phone (Xiaomi Mi4) and studied the boot process. So apparently the boot process goes something like PBL --> SBL --> And so on... I found the partition labelled SBL in the dump. I am trying to get code execution at the lowest level possible but it seems I might not be able to resurrect the phone easily if I mess with the SBL (as the phone might not even go into EDL mode then). So I am first considering taking control after the SBL (and before Aboot) with my own code (even if it includes some certificate/proprietary blobs from the manufacturer). But for this I have to understand what exactly the SBL is doing in my particular processor's case. So in the SBL partition is an 80 byte header (source : http://vm1.duckdns.org/Public/Qualcomm-Secure-Boot/Qualcomm-Secure-Boot.htm). This header contains a loading address for the processor. What I can't figure out is how the processor jumps to this address. The source mentions to "remove the header and then load the file in IDA Pro" but what file are they talking about (The EMMC dump? The partition? Something else?). How does the CPU use this loading address? In my particular phone the loading address is : 00 C0 00 F8 (
https://imgur.com/a/ngfFsj5
).
Please shed some light on this issue.
I've barely read it and never dealt with qualcomm before but:
Based on the article linked they seem to be referring to SBL1... but also it should be noted according to them PBL authenticates SBL1 so unless it's unlocked or you have a private key to sign your own SBL1 probably SOL.
Also, can't you just replace kernel/rootfs and achieve the same results utilizing the built-in bootloader?
@vigilante_stark Thread closed as duplicate of
Reverse Engineering Android Boot Process - Need Help
Tl;dr = I have studied the boot process. I understand the Qualcomm SOC boot process PBL > SBL/XBL > And so on. I am trying to get a disassembly of the SBL. I dumped the EMMC and can view all its partitions. Now I am stuck at the 80 bytes header...
forum.xda-developers.com
Please review the XDA Forum Rules with special emphasis on rule no. 5 and post only ONCE! Thanks for your cooperation.
Regards
Oswald Boelcke