Database Info

somthing intresting help unbrick

[PWRAP] pwrap_init_preloader
[PWRAP] pwrap_init
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=0 rdata=5AA5
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=1 rdata=5AA5
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=2 rdata=5AA5
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=3 rdata=5AA5
[PMIC_WRAP]wrap_init pass,the return value=0.
pl pmic init start
pl pmic efuse start
pl pmic efuse BUCK trim
[0x1C8]=0xF802
[0x1CA]=0x807F
[0x20E]=0xE0
[0x260]=0xF0
[0x286]=0xF0
pl pmic efuse end
pl pmic en rst [0x126]=0x13
[0xE]=0x1
[0x540]=0xA0
Battery exist
[0xE]=0x1
[0x540]=0xA0
pl vm read [0x290]=0x50
pl vm set [0x290]=0x52
pl vm check [0x290]=0x52
pl pmic init done
[PLFM] Init I2C: OK(0)
[PLFM] Init PWRAP: OK(0)
[PLFM] Init PMIC: OK(0)
[PLFM] chip[CA00]
[I2C][PL] [i2c0 write] i2c transaction complate
[BLDR] Build Time: 20140218-141828
==== Dump RGU Reg ========
RGU MODE: 75
RGU LENGTH: FFE0
RGU STA: 40000000
RGU INTERVAL: FFF
RGU SWSYSRST: 0
==== Dump RGU Reg End ====
RGU: g_rgu_satus:2
mtk_wdt_mode_config mode value=35, tmp:22000030
PL RGU RST: ??
SW reset with bypass power key flag
Find bypass powerkey flag
mtk_wdt_mode_config mode value=70, tmp:22000071
kpd register for pmic set!
mt_usb_calibraion: input_reg = 0x0
mt_usb_calibraion: term_vref = 0x0, clkref = 0x0, vrt_vref = 0x0,
[RTC] bbpu = 0x5, con = 0x426
[RTC] irqsta = 0x0, pdn1 = 0x0, pdn2 = 0x201, spar0 = 0x40, spar1 = 0x800
[RTC] new_spare0 = 0x0, new_spare1 = 0x1, new_spare2 = 0x1, new_spare3 = 0x1
[RTC] bbpu = 0x5, con = 0x424
SW reset with bypass power key flag
SW reset with bypass power key flag
[PLFM] WDT reboot bypass power key!
p1 pmic read INT_RSV(bit7)[0x138][0x80]
[RTC] rtc_bbpu_power_on done
[SD0] Bus Width: 1
[SD0] SET_CLK(260kHz): SCLK(259kHz) MODE(0) DDR(0) DIV(193) DS(0) RS(0)
[SD0] Switch to High-Speed mode!
[SD0] SET_CLK(260kHz): SCLK(259kHz) MODE(2) DDR(1) DIV(96) DS(0) RS(0)
[SD0] Bus Width: 8
[SD0] Size: 3696 MB, Max.Speed: 52000 kHz, blklen(512), nblks(7569408), ro(0)
[SD0] Initialized
[SD0] SET_CLK(52000kHz): SCLK(50000kHz) MODE(2) DDR(1) DIV(0) DS(0) RS(0)
msdc_ett_offline_to_pl: size<2> m_id<0x90>
msdc <0> <HYNIX > <H4G1d>
msdc <1> <xxxxxx> <H4G1d>
msdc failed to find
*******EMMC_INFO*******
eMMC partition size(1 block = 512Bytes):
BOOT1:<4096> blocks
BOOT2:<4096> blocks
RPMB :<4096> blocks
GP1 :<0> blocks
GP2 :<0> blocks
GP3 :<0> blocks
GP4 :<0> blocks
USER :<7569408> blocks
*******EMMC_INFO*******
fw id len:1
found:1,i:1
[EMI] DDR2
[EMI] eMMC/NAND ID = 90,1,4A,48,34,47,31,64,4
[EMI] MDL number = 1
[MEM] 1066 MHZ
rank 0 coarse = 15
rank 0 fine = 48
10:| 0 0 1 1 1 0
opt_dle value:8
rank 1 coarse = 15
rank 1 fine = 48
10:| 0 0 1 1 1 0
opt_dle value:8
byte:0, (DQS,DQ)=(8,8)
byte:1, (DQS,DQ)=(8,A)
byte:2, (DQS,DQ)=(8,8)
byte:3, (DQS,DQ)=(8,A)
[EMI] DRAMC calibration passed
[EMI] DQSINCTL:50000
[MEM] complex R/W mem test pass
[PLFM] Init Boot Device: OK(0)
[ROM_INFO] 'v2','0x2700000','0x20000','0x46C0000','0x2C00'
[SEC_K] SML KEY AC = 0
[SEC_K] SBC_PUBK Found
[SEC] AES Legacy : 0
[SEC] SECCFG AC : 1
[SEC] read '0x2700000'
0x41,0x4E,0x44,0x5F,0x53,0x45,0x43,0x43,
[LIB] SecLib.a '20121226-155014'
[LIB] CFG read size '0x4000' '0x1860'
[LIB] Name = SOMC
[LIB] Config = 0x11, 0x11
0x31,0x41,0x35,0x35
0x6F679858
[LIB] HW DEC
0x49494949
[LIB] SEC CFG 'v3' exists
[LIB] Status = 0x43434343
[LIB] ty = 0 , ld = 0
[PART] Image with part header
[PART] name : LK
[PART] addr : FFFFFFFFh
[PART] size : 316772
[PART] magic: 58881688h
[PART] load "UBOOT" from 0x0000000003960200 (dev) to 0x81E00000 (mem) [SUCCESS]
[PART] load speed: 9374KB/s, 316772 bytes, 33ms
[LIB] HW DEC
[SECRO] secroimg '0x41414141'
[SECRO] secroimg '0x35353535'
[SECRO] factory mode enabled
[AUTHEN] rsa.N length = 1024 bytes
[AUTHEN] rsa.E length = 20 bytes
[LIB] Verify 'UBOOT'
0x43434343
[LIB] part load '0x3960000'
[AUTHEN] 0x53,0x53,0x53,0x53
[AUTHEN] verify signature ... pass
[LIB] Verify 'LOGO'
0x43434343
[LIB] part load '0x4D40000'
[AUTHEN] 0x53,0x53,0x53,0x53
[AUTHEN] verify signature ... failed, error is 7
[SECLIB_IMG_VERIFY] Signature Fail.
[LIB] Fail (0x0)
<ASSERT> sec_boot.c:line 181 0
[PLFM] preloader fatal error...
[PLFM] emergency download mode(timeout: 30s).
mtk_arch_reset at pre-loader!
this is console with serial interface
i will post picture with pin layaut

how to unbrick?

botioni said:
[PWRAP] pwrap_init_preloader
[PWRAP] pwrap_init
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=0 rdata=5AA5
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=1 rdata=5AA5
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=2 rdata=5AA5
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=3 rdata=5AA5
[PMIC_WRAP]wrap_init pass,the return value=0.
pl pmic init start
pl pmic efuse start
pl pmic efuse BUCK trim
[0x1C8]=0xF802
[0x1CA]=0x807F
[0x20E]=0xE0
[0x260]=0xF0
[0x286]=0xF0
pl pmic efuse end
pl pmic en rst [0x126]=0x13
[0xE]=0x1
[0x540]=0xA0
Battery exist
[0xE]=0x1
[0x540]=0xA0
pl vm read [0x290]=0x50
pl vm set [0x290]=0x52
pl vm check [0x290]=0x52
pl pmic init done
[PLFM] Init I2C: OK(0)
[PLFM] Init PWRAP: OK(0)
[PLFM] Init PMIC: OK(0)
[PLFM] chip[CA00]
[I2C][PL] [i2c0 write] i2c transaction complate
[BLDR] Build Time: 20140218-141828
==== Dump RGU Reg ========
RGU MODE: 75
RGU LENGTH: FFE0
RGU STA: 40000000
RGU INTERVAL: FFF
RGU SWSYSRST: 0
==== Dump RGU Reg End ====
RGU: g_rgu_satus:2
mtk_wdt_mode_config mode value=35, tmp:22000030
PL RGU RST: ??
SW reset with bypass power key flag
Find bypass powerkey flag
mtk_wdt_mode_config mode value=70, tmp:22000071
kpd register for pmic set!
mt_usb_calibraion: input_reg = 0x0
mt_usb_calibraion: term_vref = 0x0, clkref = 0x0, vrt_vref = 0x0,
[RTC] bbpu = 0x5, con = 0x426
[RTC] irqsta = 0x0, pdn1 = 0x0, pdn2 = 0x201, spar0 = 0x40, spar1 = 0x800
[RTC] new_spare0 = 0x0, new_spare1 = 0x1, new_spare2 = 0x1, new_spare3 = 0x1
[RTC] bbpu = 0x5, con = 0x424
SW reset with bypass power key flag
SW reset with bypass power key flag
[PLFM] WDT reboot bypass power key!
p1 pmic read INT_RSV(bit7)[0x138][0x80]
[RTC] rtc_bbpu_power_on done
[SD0] Bus Width: 1
[SD0] SET_CLK(260kHz): SCLK(259kHz) MODE(0) DDR(0) DIV(193) DS(0) RS(0)
[SD0] Switch to High-Speed mode!
[SD0] SET_CLK(260kHz): SCLK(259kHz) MODE(2) DDR(1) DIV(96) DS(0) RS(0)
[SD0] Bus Width: 8
[SD0] Size: 3696 MB, Max.Speed: 52000 kHz, blklen(512), nblks(7569408), ro(0)
[SD0] Initialized
[SD0] SET_CLK(52000kHz): SCLK(50000kHz) MODE(2) DDR(1) DIV(0) DS(0) RS(0)
msdc_ett_offline_to_pl: size<2> m_id<0x90>
msdc <0> <HYNIX > <H4G1d>
msdc <1> <xxxxxx> <H4G1d>
msdc failed to find
*******EMMC_INFO*******
eMMC partition size(1 block = 512Bytes):
BOOT1:<4096> blocks
BOOT2:<4096> blocks
RPMB :<4096> blocks
GP1 :<0> blocks
GP2 :<0> blocks
GP3 :<0> blocks
GP4 :<0> blocks
USER :<7569408> blocks
*******EMMC_INFO*******
fw id len:1
found:1,i:1
[EMI] DDR2
[EMI] eMMC/NAND ID = 90,1,4A,48,34,47,31,64,4
[EMI] MDL number = 1
[MEM] 1066 MHZ
rank 0 coarse = 15
rank 0 fine = 48
10:| 0 0 1 1 1 0
opt_dle value:8
rank 1 coarse = 15
rank 1 fine = 48
10:| 0 0 1 1 1 0
opt_dle value:8
byte:0, (DQS,DQ)=(8,8)
byte:1, (DQS,DQ)=(8,A)
byte:2, (DQS,DQ)=(8,8)
byte:3, (DQS,DQ)=(8,A)
[EMI] DRAMC calibration passed
[EMI] DQSINCTL:50000
[MEM] complex R/W mem test pass
[PLFM] Init Boot Device: OK(0)
[ROM_INFO] 'v2','0x2700000','0x20000','0x46C0000','0x2C00'
[SEC_K] SML KEY AC = 0
[SEC_K] SBC_PUBK Found
[SEC] AES Legacy : 0
[SEC] SECCFG AC : 1
[SEC] read '0x2700000'
0x41,0x4E,0x44,0x5F,0x53,0x45,0x43,0x43,
[LIB] SecLib.a '20121226-155014'
[LIB] CFG read size '0x4000' '0x1860'
[LIB] Name = SOMC
[LIB] Config = 0x11, 0x11
0x31,0x41,0x35,0x35
0x6F679858
[LIB] HW DEC
0x49494949
[LIB] SEC CFG 'v3' exists
[LIB] Status = 0x43434343
[LIB] ty = 0 , ld = 0
[PART] Image with part header
[PART] name : LK
[PART] addr : FFFFFFFFh
[PART] size : 316772
[PART] magic: 58881688h
[PART] load "UBOOT" from 0x0000000003960200 (dev) to 0x81E00000 (mem) [SUCCESS]
[PART] load speed: 9374KB/s, 316772 bytes, 33ms
[LIB] HW DEC
[SECRO] secroimg '0x41414141'
[SECRO] secroimg '0x35353535'
[SECRO] factory mode enabled
[AUTHEN] rsa.N length = 1024 bytes
[AUTHEN] rsa.E length = 20 bytes
[LIB] Verify 'UBOOT'
0x43434343
[LIB] part load '0x3960000'
[AUTHEN] 0x53,0x53,0x53,0x53
[AUTHEN] verify signature ... pass
[LIB] Verify 'LOGO'
0x43434343
[LIB] part load '0x4D40000'
[AUTHEN] 0x53,0x53,0x53,0x53
[AUTHEN] verify signature ... failed, error is 7
[SECLIB_IMG_VERIFY] Signature Fail.
[LIB] Fail (0x0)
<ASSERT> sec_boot.c:line 181 0
[PLFM] preloader fatal error...
[PLFM] emergency download mode(timeout: 30s).
mtk_arch_reset at pre-loader!
this is console with serial interface
i will post picture with pin layaut
Click to expand...
Click to collapse
how did you check this out?

theonecallednick said:
how did you check this out?
Click to expand...
Click to collapse
I found uart pin on mainboard for debuging .
with serial usb cable pl2303

This is the red light only and unknown hardware found (the unknown hardware is in fact mtk usb vcom driver buth sony version ) if you try sp flash tool for mtk then it comunicates with de phone buth it needs some authentication file.

Help..
I am also having same problem..I falshed wrong rom..
It just shows red led and does not detects by PC...
Were you able to solve the problem..if yes..please help..

botioni said:
[PWRAP] pwrap_init_preloader
[PWRAP] pwrap_init
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=0 rdata=5AA5
.........................
this is console with serial interface
i will post picture with pin layaut
Click to expand...
Click to collapse
Samuel Wankhede said:
I am also having same problem..I falshed wrong rom..
It just shows red led and does not detects by PC...
Were you able to solve the problem..if yes..please help..
Click to expand...
Click to collapse
Try the guide given in thread linked below
http://forum.xda-developers.com/showpost.php?p=57614511&postcount=13

Please share uart pinout
Baudrate should be 115200??
Thanks

uart
please share the uart pinout , thanks

[TOOL-TESTING] dirtydump (a way to dump boot or recovery for every un-rooted device)

Hi,
A little tool or frontend that I've made and share to the community.
Intro
If you are like me :
Searching a way to backup your device, try some tools like SP Flash Tool, or MTK Droid Tools (for generating a Scatter File).
I have found a lot of thread, but I've allways got a dead end or a risk to brick the device (Never take a risk to brick your device if no stock rom available or backup).
A few days ago, i've found this thread : https://forum.xda-developers.com/v20/development/h918-recowvery-unlock-v20-root-shell-t3490594
It's not for my device, it's maybe not for your device, but help a lot to do our need. This exploit work for everyone and what to do the little tools below.
What's the change ?
Instead of that does jcadduono (a big thanks to him), via applypatch, it don't patch the recovery partition to run an Android in Permissive mode, my applypatch only open and read the boot or recovery partition and display all data to logging (binary converted to hex value).
Yes, I know, logging is not for that, it's realy hard-core, but it's the only way working. I've tried with socket, but SELinux in Enforced mode don't allow this.
You can see my recowvery-applypatch.c below :
Code:
#include <unistd.h>
#include <stdio.h>
#include <stdint.h>
#include <time.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <time.h>
#include <fcntl.h>
#include <sys/stat.h>
#define APP_NAME "recowvery"
#define HOST_NAME "applypatch"
#ifdef DEBUG
#include <android/log.h>
#define LOGV(...) { __android_log_print(ANDROID_LOG_INFO, APP_NAME, __VA_ARGS__); printf(__VA_ARGS__); printf("\n"); }
#define LOGE(...) { __android_log_print(ANDROID_LOG_ERROR, APP_NAME, __VA_ARGS__); fprintf(stderr, __VA_ARGS__); fprintf(stderr, "\n"); }
#else
#define LOGV(...) { printf(__VA_ARGS__); printf("\n"); }
#define LOGE(...) { fprintf(stderr, __VA_ARGS__); fprintf(stderr, "\n"); }
#endif
#define SEP LOGV("------------")
#include "bootimg.h"
/* Time delay in microsecond for next loop (1000 = 1ms)
* 250 is good for every PC
* (you can try with 0 to boost the process, but you can have an <unexpected EOF>)
*/
#define DELAY_T 250
void delay(long t)
{
if (t == 0)
return;
long timens = t * 1000;
nanosleep((const struct timespec[]){{0, timens}}, NULL);
}
/*
* Search in *str the word *word.
* &rslt => Result, a sort of substr version of *str from 0 to the last char of the searched *word if found.
* &len => Length of &rslt.
*
* Return 0 if found or -1 if not found.
* (A substr like)
*/
int findStr(char *str, char *word, char** rslt, int* len)
{
int i = 0;
int j = 0;
int allmatch = 0;
char *temp;
*len = 0;
for (i = 0; i < (int)strlen(str); i++)
{
if (str[i] == word[0])
{
allmatch = 0;
for (j = 0; j < (int)strlen(word); j++)
{
if (str[i + j] != word[j])
{
allmatch = 1;
break;
}
}
if (allmatch == 0)
{
*len = i + strlen(word);
break;
}
}
}
if (*len != 0)
{
temp = malloc(*len);
for (i = 0; i < *len; i++)
temp[i] = str[i];
*rslt = temp;
return 0;
}
return -1;
}
/*
* run "mount" and find "/by-name/" from result.
* if matched, fill path var
* return 0 if success else -1
*/
int getBlockDevice(char** path)
{
FILE* cmd;
char br[512];
char* search = "/by-name/";
char* tmp;
int slength = 0;
cmd = popen("mount 2>&1", "r");
if (cmd)
{
/* Read result and try to find the first corresponding mount point */
while(fgets(br, sizeof br, cmd) != NULL)
{
/* If found, log the result */
if (findStr(br, search, &tmp, &slength) != -1)
{
/* Append "boot" (your can replace this by "recovery", "system") at the end */
sprintf(*path, "%srecovery", tmp);
break;
}
}
fclose(cmd);
}
else
{
LOGE("ERROR Getting filesystem mountpoint");
}
if (slength > 0)
return 0;
else
return -1;
}
int main(int argc, char **argv)
{
int ret = 0;
int i = 0;
LOGV("Welcome to %s! (%s)", APP_NAME, HOST_NAME);
char *blockDev = malloc(256);
if (getBlockDevice(&blockDev) == -1)
{
LOGE("ERROR : Could not find FileSystem mount point.");
ret = errno;
goto oops;
}
else
{
LOGV("BLOCK_DEVICE : %s", blockDev);
SEP;
}
/*
* Sometimes <applypatch> run before <dirtycow> finish its process that cause our device not ready to start <adb logcat -s recowvery>
* and we have to wait more than 3min...
* A little sleep of 30 sec ensure that our device is ready.
*/
LOGV("The process start in 30s");
sleep(30);
byte rb[32];
char *content = malloc(256);
FILE *fp;
size_t nread;
fp = fopen(blockDev, "r");
if (fp) {
LOGV("*** DUMP START ***");
while ((nread = fread(rb, 1, sizeof rb, fp)) > 0)
{
sprintf(content, "HEXDUMP = [");
for (i = 0; i < (int)nread; i++)
{
if (i == 0)
sprintf(content, "%s%.2x", content, rb[i]);
else
sprintf(content, "%s,%.2x", content, rb[i]);
}
sprintf(content, "%s];", content);
LOGV("%s", content);
/* sleep to prevent any unexpected EOF with with pipe stream */
delay(DELAY_T);
}
if (ferror(fp)) {
ret = errno;
LOGE("*** DUMP ERROR ***");
LOGE("Error while reading the file...");
}
LOGV("*** DUMP END ***");
fclose(fp);
}
else
{
LOGV("Can't read the file...");
ret = errno;
goto oops;
}
return 0;
oops:
LOGE("*** DUMP ERROR ***");
LOGE("Error %d: %s", ret, strerror(ret));
LOGE("Exiting...");
return ret;
}
Don't laugh please, I am very new in C
Ok, but about the tool ?
The tool is a frontend and easy to use, it copy exploit files for you, run exploit, read logging from adb and do the revert of applypatch (Convert hex to binary and write them to the image file) and finaly reboot your device when it's finish.
An example here :
Code:
~/Documents/dirtydump/bin/Debug$ ./dirtydump boot
***************
**** Init *****
***************
adb push ./bin/dirtycow /data/local/tmp
159 KB/s (9984 bytes in 0.061s)
adb push ./bin/recowvery-applypatch_boot /data/local/tmp
234 KB/s (10200 bytes in 0.042s)
adb push ./bin/recowvery-applypatch_recovery /data/local/tmp
238 KB/s (10200 bytes in 0.041s)
adb push ./bin/recowvery-app_process64 /data/local/tmp
240 KB/s (10200 bytes in 0.041s)
adb push ./bin/recowvery-app_process32 /data/local/tmp
411 KB/s (17992 bytes in 0.042s)
adb shell chmod 0777 /data/local/tmp/dirtycow
adb shell chmod 0777 /data/local/tmp/recowvery-applypatch_boot
adb shell chmod 0777 /data/local/tmp/recowvery-applypatch_recovery
adb shell chmod 0777 /data/local/tmp/recowvery-app_process64
adb shell chmod 0777 /data/local/tmp/recowvery-app_process32
* Android x64 version detected.
**********************
**** Run Exploit *****
**********************
adb shell /data/local/tmp/dirtycow /system/bin/applypatch /data/local/tmp/recowvery-applypatch_boot
warning: new file size (10200) and file old size (74712) differ
size 74712
[*] mmap 0x7faa6a7000
[*] exploit (patch)
[*] currently 0x7faa6a7000=10102464c457f
[*] madvise = 0x7faa6a7000 74712
[*] madvise = 0 1048576
[*] /proc/self/mem 1031798784 1048576
[*] exploited 0x7faa6a7000=10102464c457f
adb shell /data/local/tmp/dirtycow /system/bin/app_process64 /data/local/tmp/recowvery-app_process64
warning: new file size (10200) and file old size (22456) differ
size 22456
[*] mmap 0x7f8f303000
[*] exploit (patch)
[*] currently 0x7f8f303000=10102464c457f
[*] madvise = 0x7f8f303000 22456
[*] madvise = 0 1048576
[*] /proc/self/mem 2071986176 1048576
[*] exploited 0x7f8f303000=10102464c457f
*********************************
**** adb logcat -s recowvery ****
*********************************
--------- beginning of main
--------- beginning of system
--------- beginning of crash
01-24 15:40:37.206 5266 5266 I recowvery: Welcome to recowvery! (app_process64)
01-24 15:40:37.206 5266 5266 I recowvery: ------------
01-24 15:40:37.206 5266 5266 I recowvery: Current selinux context: u:r:zygote:s0
01-24 15:40:37.206 5266 5266 I recowvery: Set context to 'u:r:system_server:s0'
01-24 15:40:37.206 5266 5266 I recowvery: Current security context: u:r:system_server:s0
01-24 15:40:37.206 5266 5266 I recowvery: Setting property 'ctl.start' to 'flash_recovery'
01-24 15:40:37.211 5266 5266 I recowvery: ------------
01-24 15:40:37.211 5266 5266 I recowvery: Recovery flash script should have started!
01-24 15:40:37.211 5266 5266 I recowvery: Run on your PC or device to see progress: adb logcat -s recowvery
01-24 15:40:37.211 5266 5266 I recowvery: Waiting 3 minutes to try again (in case it didn't start or you forgot to dirtycow applypatch first)...
01-24 15:40:37.242 5269 5269 I recowvery: Welcome to recowvery! (applypatch)
01-24 15:40:37.272 5269 5269 I recowvery: BLOCK_DEVICE : /dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/boot
01-24 15:40:37.272 5269 5269 I recowvery: ------------
01-24 15:40:37.272 5269 5269 I recowvery: The process start in 30s
Start writing to file...
Block read : 524288 (Size : 16777216)
Finish
Image file saved here :
./boot.img
Rebooting your device...
************************
**** Reboot Device *****
************************
How to use ?
Extract all files from archive attached below in a directory of our choice.
./dirtydump boot : dump boot partition and store it to ./boot.img
./dirtydump recovery : dump recovery partition and store it to ./recovery.img
When all done, you have all to make your Custom Recovery for your device.
Requirements
<dirtycow> capable device.
Working adb (adb devices to check)
Linux distribution.
Source code
Code:
#include <iostream>
#include <stdio.h>
#include <regex>
using namespace std;
#define BOOT 0
#define RECOVERY 1
#define ANDROID_64 "64"
#define ANDROID_32 "32"
#ifdef __linux__
#define DIRECTORY_SEPARATOR "/"
#elif __APPLE__
#define DIRECTORY_SEPARATOR "/"
#else
#define DIRECTORY_SEPARATOR "\\"
#endif
typedef unsigned char byte;
static string appDirectory;
static string arch;
static FILE *fsout;
static bool startwrite = false;
static int ncrash = 0;
static int nBlock = 0;
static long currentSize = 0;
// Shorter regex is possible, but I prefer like that.
static regex rs("^.+I recowvery: (\\*\\*\\* DUMP START \\*\\*\\*)\\s+"); // Used to start writting binary file
static regex rl("^.+I recowvery: HEXDUMP = \\[([^\\]]+)\\];\\s+"); // Used to match all data block, and populate < datalist >
static regex rf("^.+I recowvery: (\\*\\*\\* DUMP END \\*\\*\\*)\\s+"); // Used to end writting, and exit infinit loop
static regex re("^.+I recowvery: (\\*\\*\\* DUMP ERROR \\*\\*\\*)\\s+"); // Used to intercept error from < recowvery-applypatch >
static regex radbe("^error:(.+)\\s+"); // ADB cmd error
static regex rarch("^.+(aarch64).*\\s+"); // Get arch from <uname -a>
/**
* Run command
* return : 0 if success else -1 if error
**/
int runcmd(string cmd)
{
char rslt[256];
int cmdv = 0;
FILE *fc = popen(cmd.c_str(), "r");
/* Redirect stderr to stdout */
cmd.append(" 2>&1");
// To remove the \n or \r\n at the end.
regex rcmdline("^(.+)\\s+");
if (fc)
{
while (fgets(rslt, sizeof rslt, fc) != NULL)
{
if (regex_match(string(rslt), rcmdline))
cout << regex_replace(string(rslt), rcmdline, "$1") << endl;
// If error matched, return -1
if (regex_match(rslt, radbe))
{
cmdv = -1;
break;
}
}
cout << endl;
fclose(fc);
}
else
{
cerr << "Error running '" << string(cmd) << "'" << endl;
return -1;
}
return cmdv;
}
/**
* Used to split string
* s : string to split (in)
* delim : used char for split (in)
* elems : string array result (out)
**/
void split(const string &s, char delim, vector<string> &elems) {
stringstream ss;
ss.str(s);
string item;
while (getline(ss, item, delim)) {
elems.push_back(item);
}
}
/**
* Used to split string
* s : string to split (in)
* delim : char delimeter (in)
* return : vector string
**/
vector<string> split(const string &s, char delim) {
vector<string> elems;
split(s, delim, elems);
return elems;
}
/** Convert hex string to byte array **/
void string_to_bytearray(std::string str, unsigned char* &array, int& size)
{
int length = str.length();
// make sure the input string has an even digit numbers
if(length%2 == 1)
{
str = "0" + str;
length++;
}
// allocate memory for the output array
array = new unsigned char[length/2];
size = length/2;
std::stringstream sstr(str);
for(int i=0; i < size; i++)
{
char ch1, ch2;
sstr >> ch1 >> ch2;
int dig1, dig2;
if(isdigit(ch1)) dig1 = ch1 - '0';
else if(ch1>='A' && ch1<='F') dig1 = ch1 - 'A' + 10;
else if(ch1>='a' && ch1<='f') dig1 = ch1 - 'a' + 10;
if(isdigit(ch2)) dig2 = ch2 - '0';
else if(ch2>='A' && ch2<='F') dig2 = ch2 - 'A' + 10;
else if(ch2>='a' && ch2<='f') dig2 = ch2 - 'a' + 10;
array[i] = dig1*16 + dig2;
}
}
/**
* Get architecture type
* Run <adb shell uname -a> and find the word : aarch64
* If found return <ANDROID_64> else <ANDROID_32>
**/
string getArchType()
{
char rslt[256];
string val;
FILE *fc = popen("adb shell uname -a", "r");
// To remove the \n or \r\n at the end.
if (fc)
{
while (fgets(rslt, sizeof rslt, fc) != NULL)
{
if (regex_match(string(rslt), rarch))
{
cout << "* Android x64 version detected." << endl;
val = string(ANDROID_64);
}
else
{
cout << "* Android x32 version detected." << endl;
val = string(ANDROID_32);
}
}
cout << endl;
fclose(fc);
}
else
{
cerr << "Error running 'adb shell uname -a'" << endl;
}
return val;
}
/**
* Display help
**/
void help()
{
cout << "dirtydump boot | recovery" << endl;
cout << "Usage :" << endl;
cout << "\tdirtydump boot : Dump device boot partition and save it to boot.img." << endl;
cout << "\tdirtydump recovery : Dump device recovery partition and save it to recovery.img." << endl << endl;
cout << "Information :" << endl;
cout << "\tThis app use the same exploit explained here : " << endl;
cout << "\thttps://github.com/jcadduono/android_external_dirtycow" << endl;
cout << "\tThe only difference is by the <applypatch>, instead of patching," << endl;
cout << "\tit read your boot / recovery partition." << endl;
cout << "\tConvert all data to hex value, and display it." << endl;
cout << "\tDuring the process, the app read all data through" <<endl;
cout << "\t<adb logcat -s recowvery> and do the reverse," << endl;
cout << "\tconvert all hex value to binary, and write it to a file." << endl;
cout << "\tBecause your device is like crashing, this app reboot" << endl;
cout << "\tautomaticaly when the process is finished." << endl;
cout << endl;
}
/**
* Initialize process.
* Push required files to your device and apply a chmod to them and exit.
**/
int init()
{
cout << "***************" << endl;
cout << "**** Init *****" << endl;
cout << "***************" << endl << endl;
string files[] = {"dirtycow",
"recowvery-applypatch_boot",
"recowvery-applypatch_recovery",
"recowvery-app_process64",
"recowvery-app_process32"};
string cmdlist[] = {"adb shell chmod 0777 /data/local/tmp/dirtycow",
"adb shell chmod 0777 /data/local/tmp/recowvery-applypatch_boot",
"adb shell chmod 0777 /data/local/tmp/recowvery-applypatch_recovery",
"adb shell chmod 0777 /data/local/tmp/recowvery-app_process64",
"adb shell chmod 0777 /data/local/tmp/recowvery-app_process32"};
char cmd[128];
/* Push files to the device */
for(auto s : files)
{
sprintf(cmd, "adb push %s%sbin%s%s /data/local/tmp", appDirectory.c_str(), DIRECTORY_SEPARATOR, DIRECTORY_SEPARATOR, s.c_str());
cout << string(cmd) << endl;
if (runcmd(cmd) != 0)
return -1;
}
/* Apply chmod to the pushed files */
for(auto s : cmdlist)
{
cout << string(s) << endl;
if (runcmd(s) != 0)
return -1;
}
arch = getArchType();
if (arch.empty())
return -1;
return 0;
}
/**
* Apply exploit to applypatch (for boot or process) and app_process64
**/
int runExploit(int v)
{
cout << "**********************" << endl;
cout << "**** Run Exploit *****" << endl;
cout << "**********************" << endl << endl;
string cmdlist[] = {
"", // For applypatch
"" // For app_process
};
if (v == BOOT)
cmdlist[0].append("adb shell /data/local/tmp/dirtycow /system/bin/applypatch /data/local/tmp/recowvery-applypatch_boot");
else if (v == RECOVERY)
cmdlist[0].append("adb shell /data/local/tmp/dirtycow /system/bin/applypatch /data/local/tmp/recowvery-applypatch_recovery");
else
return -1;
if (arch == ANDROID_64)
cmdlist[1] = "adb shell /data/local/tmp/dirtycow /system/bin/app_process64 /data/local/tmp/recowvery-app_process64";
else
cmdlist[1] = "adb shell /data/local/tmp/dirtycow /system/bin/app_process32 /data/local/tmp/recowvery-app_process32";
for(auto s : cmdlist)
{
cout << s << endl;
if (runcmd(s) != 0)
return -1;
}
return 0;
}
/**
* reboot device from adb
**/
int rebootDevice()
{
cout << "************************" << endl;
cout << "**** Reboot Device *****" << endl;
cout << "************************" << endl << endl;
return runcmd(string("adb reboot"));
}
/**
* Function that do the stuff
* If a line contain *** DUMP START *** it start to get all hex value in HEXDUMP = [a1,e2,b4,ect.] and convert to binary before writing to output file.
* All other line are :
* <*** DUMP ERROR ***> : Error during the process, or your device is disconnected, no more battery...
* <*** DUMP END ***> : Dumping is end / end of process.
* <Other lines> : Displayed
**/
int displayLogAndConvertData(string line)
{
/**
* If an unexpected EOF from recowvery-applypatch or if no <pipe>...
* We can't receive a null string, so break the loop, close fsout, and exit the program.
**/
if (line.empty())
{
cout << string("* < null > received !") << endl;
cout << string("Try again...") << endl;
return -1;
}
/**
* *** DUMP START ***
* set startwrite = true to write parsed data to fsout
**/
if (regex_match(line, rs))
{
startwrite = true;
cout << "Start writing to file..." << endl;
}
/**
* Parse all string received if match
* Note :
* It's possible to have matched string before intercept DUMP START,
* If we convert now, it's a good idea to have a broken output file.
**/
if (startwrite && regex_match(line, rl))
{
string s = regex_replace(line, rl, "$1");
vector<string> data = split(s, ',');
for (int c = 0; c < (int)data.size(); c++)
{
try
{
byte *b = NULL;
int sb;
string_to_bytearray(data[c], b, sb);
fwrite(b, 1, sb, fsout);
}
catch (const exception &ex)
{
cout << endl;
cout << string("** Exception **") << endl;
cout << string(" - When convert : ") << data[c] << endl;
cout << string(" - Message : ") << ex.what() << endl;
}
}
nBlock++;
currentSize = nBlock * 32;
cout << "\r";
cout << "Block read : " << nBlock << " (Size : " << currentSize << ")";
}
/**
* Display the other lines (for debuging, logging...)
**/
else if (!regex_match(line, rl) && (!regex_match(line, rf) && !startwrite) && line.length() > 1)
{
cout << line;
}
/**
* *** DUMP END ***
* Flush and close fsout, inform the user, and break the loop.
**/
if (startwrite && regex_match(line, rf))
{
cout << endl << "Finish" << endl;
startwrite = false;
return 1;
}
/**
* *** DUMP ERROR ***
* An error intercepted from ADB, close fsout, set start to false.
* < applypatch > will restart every 3 min.
* We break the loop after 3 errors.
**/
if (regex_match(line, re))
{
cout << std::string("* Error received from ADB *") << std::endl;
startwrite = false;
if (ncrash == 3)
{
cout << std::string("* Too many tries, please check your < recowvery-applypatch.c > and try again.") << std::endl;
return -1;
}
cout << std::string("* Be patient, recowvery-applypatch will restart in a few minutes.") << std::endl;
ncrash++;
}
return 0;
}
/**
* run <adb logcat -s recowvery> and send line by line to <displayLogAndConvertData> function
**/
int readFromLogcat()
{
cout << "*********************************" << endl;
cout << "**** adb logcat -s recowvery ****" << endl;
cout << "*********************************" << endl << endl;
char buff[1024];
int prc = 0;
FILE *fc = popen("adb logcat -s recowvery", "r");
if (fc)
{
while(fgets(buff, sizeof buff, fc) != NULL)
{
prc = displayLogAndConvertData(string(buff));
// Error occuring
if (prc == -1)
{
cerr << "Error during the process !" << endl;
break;
}
// Process finished
if (prc == 1)
break;
}
/*
* When finish or an error received from adb, <startwrite> is set to false.
* If set to true, a NULL string has been received before receiving a DUMP_END or DUMP_ERROR.
* So, so we display an error.
*/
if (startwrite)
{
cerr << "Error during the process !" << endl;
prc = errno;
}
fclose(fc);
}
else
{
cerr << "Error running <adb logcat -s recowvery" << endl;
}
return prc;
}
/** main **/
int main(int argc, char** argv)
{
int ret = 0;
string filename;
if (argc == 1)
{
help();
return ret;
}
/* Fix for windows
* If run in same directory as the exe, return only the exe name without folder where it run.
* So, if DIRECTORY_SEPARATOR not found in argv_str, appDirectory = "." for linux, mac and windows
*/
string argv_str(argv[0]);
if (argv_str.find_last_of(DIRECTORY_SEPARATOR) != string::npos)
appDirectory = argv_str.substr(0, argv_str.find_last_of(DIRECTORY_SEPARATOR));
else
appDirectory = string(".");
ret = init();
if (ret != 0)
return ret;
if (string(argv[1]) == "boot")
{
ret = runExploit(BOOT);
filename = "boot.img";
}
else
{
ret = runExploit(RECOVERY);
filename = "recovery.img";
}
if (ret != 0)
return ret;
else
{
fsout = fopen(filename.c_str(), "wb");
if (!fsout)
{
cerr << "Can't open or create file : <" << string(filename) << ">" << endl;
rebootDevice();
return errno;
}
else
{
ret = readFromLogcat();
fclose(fsout);
}
cout << endl;
cout << "Image file saved here :" << endl;
cout << " " << appDirectory << string(DIRECTORY_SEPARATOR) << string(filename) << endl;
cout << endl;
}
cout << "Rebooting your device..." << endl;
ret = rebootDevice();
return ret;
}
Note :
There is only linux binary, the windows version come soon.
(I don't know why Windows don't work as expected :x)
If you are interested by the source code, I can attach it.
Tested and build from Ubuntu 16.04 (x64) / Code::Blocks & gedit.
If any bug, I will do the best to solve this.
So sorry for my english, or any misspelling :x

Hey man great work
I was in need of such a tool
I needed the recovery partition for andromax x58
Though I dont own the phone its for someone(yeah you understand it right)
And now finally ported Twrp to it

please make compatible for 32 bit device

Hi,
Normaly, it may work for 32bit device, but can't test it :/
Can you give me error log, text displayed on your terminal please ?
And if possible, what do you have when you do : "adb shell uname -a" ? (because I detect 32 or 64bits device by this)
Regards,
Vincent

could you please post the dirty dump executable source code so i can port it to windows?
or just tell me how you determind what binary the device needs?

Ricky Divjakovski said:
could you please post the dirty dump executable source code so i can port it to windows?
or just tell me how you determind what binary the device needs?
Click to expand...
Click to collapse
The boss Appear.What a pleasant thing it is.
China user

Ricky Divjakovski said:
could you please post the dirty dump executable source code so i can port it to windows?
or just tell me how you determind what binary the device needs?
Click to expand...
Click to collapse
Hi and sorry for the time to answer...
I've added the source code at the end of the first post

The Hard Gamer said:
Hey man great work
I was in need of such a tool
I needed the recovery partition for andromax x58
Though I dont own the phone its for someone(yeah you understand it right)
And now finally ported Twrp to it
Click to expand...
Click to collapse
Hai Bro,what command you issue in linux to run ?
Thks

Hmm this is awesome except the part it doesn't work on Ubuntu 14.04 and source code need gcc-4.9 to build (not sure).
Anyway I will install Ubuntu 16.04 to make new things to LG K4 (2016) [MTK MT6735m], good job thanks for it

@Vince_02100 what compilers did you used to applypatch and app_process64?
I need to compile a version to armv7(aka 32), since my current device (the LG K4) have a x32 Android and a x64 CPU.
I'm improving your dirtydump but with limitations since I don't know much about C/C++.
Please reply or PM me, anyway I will try my best to make it x32 support

@Vince_02100
My question is, did you base the operation of your tool on the dirtycow exploit? Seems like it because of its name and reference to jcadduono.
This is actually awesome then because I have a tool very similar only it works as a shell command handler. The Greyhat Root Console essentially is it's own Terminal Interface specifically to use dirtycow for root shell commands.
I only bring that up because Stock OEM builds that are dated October 2016 or later pretty much can't utilize CVE-2016-5195. Some didn't get patched that soon but most did. The rule of thumb I've always had when working with Dirtycow is to use stock builds from September 2016. Since they are the most up to date builds still vulnerable. I don't know how many people reading this thread know that.
Here is the thread I made where @droidvoider explains how to use the Greyhat Root Console: https://forum.xda-developers.com/android/help/injecting-root-setting-selinux-stages-t3573036
The thread also details our journey into modifying the Device SEPolicy using the console in order to elevate our normal user privileges. We have the instructions to build the Console for both 32-Bit and 64-Bit Builds of Android 5.1.1 & 6.0.1
I think the source code and our thread may just give you some good insight going forward with your tool, even though The Greyhat Root Console was developed on an AT&T Galaxy Note 5. That thread is a gold mine for dirtycow information.

Thanks for your great tool and explanation @Vince_02100. I'm researching to dump boot, recovery for Onkyo DP-CMX1 to make custom TWRP. I have some stupid questions and need your help like following:
1. Tool will not break system partition and it can boot normally after dumping recovery, boot?
2. I don't have root so how can I copy dumped files: ./boot.img , ./recovery.img to /sdcard or to computer? Do I edit your code
fp = fopen(blockDev, "r"); to make it write to /sdcard/boot.img?

Build Android error. Help me,plz!

Code:
FAILED: /home/jack/Mokee/O/out/target/common/docs/mokee-api-stubs-timestamp
/bin/bash -c "(mkdir -p /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/ ) && (rm -f /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/droiddoc-src-list ) && (touch /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/droiddoc-src-list ) && (echo -n 'mokee-sdk/sdk/src/java/mokee/alarmclock/ClockContract.java mokee-sdk/sdk/src/java/mokee/alarmclock/MoKeeAlarmClock.java mokee-sdk/sdk/src/java/mokee/app/CustomTile.java mokee-sdk/sdk/src/java/mokee/app/CustomTileListenerService.java mokee-sdk/sdk/src/java/mokee/app/MKContextConstants.java mokee-sdk/sdk/src/java/mokee/app/MKStatusBarManager.java mokee-sdk/sdk/src/java/mokee/app/MKTelephonyManager.java mokee-sdk/sdk/src/java/mokee/app/Profile.java mokee-sdk/sdk/src/java/mokee/app/ProfileGroup.java mokee-sdk/sdk/src/java/mokee/app/ProfileManager.java mokee-sdk/sdk/src/java/mokee/app/StatusBarPanelCustomTile.java mokee-sdk/sdk/src/java/mokee/content/Intent.java mokee-sdk/sdk/src/java/mokee/externalviews/ExternalView.java mokee-sdk/sdk/src/java/mokee/externalviews/ExternalViewProperties.java mokee-sdk/sdk/src/java/mokee/externalviews/ExternalViewProviderService.java mokee-sdk/sdk/src/java/mokee/hardware/DisplayMode.java mokee-sdk/sdk/src/java/mokee/hardware/HSIC.java mokee-sdk/sdk/src/java/mokee/hardware/LiveDisplayConfig.java mokee-sdk/sdk/src/java/mokee/hardware/LiveDisplayManager.java mokee-sdk/sdk/src/java/mokee/hardware/MKHardwareManager.java mokee-sdk/sdk/src/java/mokee/hardware/ThermalListenerCallback.java mokee-sdk/sdk/src/java/mokee/hardware/TouchscreenGesture.java mokee-sdk/sdk/src/java/mokee/media/AudioSessionInfo.java mokee-sdk/sdk/src/java/mokee/media/MKAudioManager.java mokee-sdk/sdk/src/java/mokee/media/MediaRecorder.java mokee-sdk/sdk/src/java/mokee/os/Build.java mokee-sdk/sdk/src/java/mokee/os/Concierge.java mokee-sdk/sdk/src/java/mokee/power/PerformanceManager.java mokee-sdk/sdk/src/java/mokee/power/PerformanceManagerInternal.java mokee-sdk/sdk/src/java/mokee/power/PerformanceProfile.java mokee-sdk/sdk/src/java/mokee/preference/ConstraintsHelper.java mokee-sdk/sdk/src/java/mokee/preference/GlobalSettingSwitchPreference.java mokee-sdk/sdk/src/java/mokee/preference/MKGlobalSettingSwitchPreference.java mokee-sdk/sdk/src/java/mokee/preference/MKSecureSettingListPreference.java mokee-sdk/sdk/src/java/mokee/preference/MKSecureSettingSwitchPreference.java mokee-sdk/sdk/src/java/mokee/preference/MKSystemSettingDropDownPreference.java mokee-sdk/sdk/src/java/mokee/preference/MKSystemSettingListPreference.java mokee-sdk/sdk/src/java/mokee/preference/MKSystemSettingSwitchPreference.java mokee-sdk/sdk/src/java/mokee/preference/RemotePreference.java mokee-sdk/sdk/src/java/mokee/preference/RemotePreferenceManager.java mokee-sdk/sdk/src/java/mokee/preference/RemotePreferenceUpdater.java mokee-sdk/sdk/src/java/mokee/preference/SecureSettingSwitchPreference.java mokee-sdk/sdk/src/java/mokee/preference/SelfRemovingDropDownPreference.java mokee-sdk/sdk/src/java/mokee/preference/SelfRemovingListPreference.java mokee-sdk/sdk/src/java/mokee/preference/SelfRemovingPreference.java mokee-sdk/sdk/src/java/mokee/preference/SelfRemovingSwitchPreference.java mokee-sdk/sdk/src/java/mokee/preference/SettingsHelper.java mokee-sdk/sdk/src/java/mokee/preference/SystemSettingSwitchPreference.java mokee-sdk/sdk/src/java/mokee/profiles/AirplaneModeSettings.java mokee-sdk/sdk/src/java/mokee/profiles/BrightnessSettings.java mokee-sdk/sdk/src/java/mokee/profiles/ConnectionSettings.java mokee-sdk/sdk/src/java/mokee/profiles/LockSettings.java mokee-sdk/sdk/src/java/mokee/profiles/RingModeSettings.java mokee-sdk/sdk/src/java/mokee/profiles/StreamSettings.java mokee-sdk/sdk/src/java/mokee/providers/DataUsageContract.java mokee-sdk/sdk/src/java/mokee/providers/MKSettings.java mokee-sdk/sdk/src/java/mokee/providers/WeatherContract.java mokee-sdk/sdk/src/java/mokee/util/ColorUtils.java mokee-sdk/sdk/src/java/mokee/util/palette/ColorCutQuantizer.java mokee-sdk/sdk/src/java/mokee/util/palette/ColorUtils.java mokee-sdk/sdk/src/java/mokee/util/palette/DefaultGenerator.java mokee-sdk/sdk/src/java/mokee/util/palette/Palette.java mokee-sdk/sdk/src/java/mokee/weather/MKWeatherManager.java mokee-sdk/sdk/src/java/mokee/weather/RequestInfo.java mokee-sdk/sdk/src/java/mokee/weather/WeatherInfo.java mokee-sdk/sdk/src/java/mokee/weather/WeatherLocation.java mokee-sdk/sdk/src/java/mokee/weather/util/WeatherUtils.java mokee-sdk/sdk/src/java/mokee/weatherservice/ServiceRequest.java mokee-sdk/sdk/src/java/mokee/weatherservice/ServiceRequestResult.java mokee-sdk/sdk/src/java/mokee/weatherservice/WeatherProviderService.java /home/jack/Mokee/O/out/target/common/obj/APPS/org.mokee.platform-res_intermediates/src/mokee/platform/R.java /home/jack/Mokee/O/out/target/common/obj/APPS/org.mokee.platform-res_intermediates/src/mokee/platform/Manifest.java /home/jack/Mokee/O/out/target/common/obj/APPS/org.mokee.platform-res_intermediates/src/org/mokee/platform/internal/R.java ' >> /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/droiddoc-src-list ) && (for d in /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/src /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/org.mokee.platform.sdk_intermediates/src ; do find \$d -name '*.java' -and -not -name '.*' >> /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/droiddoc-src-list 2> /dev/null ; done ; true ) && (( javadoc -encoding UTF-8 \\@/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/droiddoc-src-list -J-Xmx1600m -J-XX:-OmitStackTraceInFastThrow -XDignore.symbol.file -quiet -doclet com.google.doclava.Doclava -docletpath /home/jack/Mokee/O/out/host/linux-x86/framework/jsilver.jar:/home/jack/Mokee/O/out/host/linux-x86/framework/doclava.jar -templatedir build/tools/droiddoc/templates-sdk -bootclasspath /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/core-oj_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/core-libart_intermediates/classes.jar -classpath /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/core-libart_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/core-oj_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/ext_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/framework_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/org.mokee.platform.sdk_intermediates/classes.jar: -sourcepath sdk/src/java/mokee/alarmclock/ClockContract.java:sdk/src/java/mokee/alarmclock/MoKeeAlarmClock.java:sdk/src/java/mokee/app/CustomTile.java:sdk/src/java/mokee/app/CustomTileListenerService.java:sdk/src/java/mokee/app/MKContextConstants.java:sdk/src/java/mokee/app/MKStatusBarManager.java:sdk/src/java/mokee/app/MKTelephonyManager.java:sdk/src/java/mokee/app/Profile.java:sdk/src/java/mokee/app/ProfileGroup.java:sdk/src/java/mokee/app/ProfileManager.java:sdk/src/java/mokee/app/StatusBarPanelCustomTile.java:sdk/src/java/mokee/content/Intent.java:sdk/src/java/mokee/externalviews/ExternalView.java:sdk/src/java/mokee/externalviews/ExternalViewProperties.java:sdk/src/java/mokee/externalviews/ExternalViewProviderService.java:sdk/src/java/mokee/hardware/DisplayMode.java:sdk/src/java/mokee/hardware/HSIC.java:sdk/src/java/mokee/hardware/LiveDisplayConfig.java:sdk/src/java/mokee/hardware/LiveDisplayManager.java:sdk/src/java/mokee/hardware/MKHardwareManager.java:sdk/src/java/mokee/hardware/ThermalListenerCallback.java:sdk/src/java/mokee/hardware/TouchscreenGesture.java:sdk/src/java/mokee/media/AudioSessionInfo.java:sdk/src/java/mokee/media/MKAudioManager.java:sdk/src/java/mokee/media/MediaRecorder.java:sdk/src/java/mokee/os/Build.java:sdk/src/java/mokee/os/Concierge.java:sdk/src/java/mokee/power/PerformanceManager.java:sdk/src/java/mokee/power/PerformanceManagerInternal.java:sdk/src/java/mokee/power/PerformanceProfile.java:sdk/src/java/mokee/preference/ConstraintsHelper.java:sdk/src/java/mokee/preference/GlobalSettingSwitchPreference.java:sdk/src/java/mokee/preference/MKGlobalSettingSwitchPreference.java:sdk/src/java/mokee/preference/MKSecureSettingListPreference.java:sdk/src/java/mokee/preference/MKSecureSettingSwitchPreference.java:sdk/src/java/mokee/preference/MKSystemSettingDropDownPreference.java:sdk/src/java/mokee/preference/MKSystemSettingListPreference.java:sdk/src/java/mokee/preference/MKSystemSettingSwitchPreference.java:sdk/src/java/mokee/preference/RemotePreference.java:sdk/src/java/mokee/preference/RemotePreferenceManager.java:sdk/src/java/mokee/preference/RemotePreferenceUpdater.java:sdk/src/java/mokee/preference/SecureSettingSwitchPreference.java:sdk/src/java/mokee/preference/SelfRemovingDropDownPreference.java:sdk/src/java/mokee/preference/SelfRemovingListPreference.java:sdk/src/java/mokee/preference/SelfRemovingPreference.java:sdk/src/java/mokee/preference/SelfRemovingSwitchPreference.java:sdk/src/java/mokee/preference/SettingsHelper.java:sdk/src/java/mokee/preference/SystemSettingSwitchPreference.java:sdk/src/java/mokee/profiles/AirplaneModeSettings.java:sdk/src/java/mokee/profiles/BrightnessSettings.java:sdk/src/java/mokee/profiles/ConnectionSettings.java:sdk/src/java/mokee/profiles/LockSettings.java:sdk/src/java/mokee/profiles/RingModeSettings.java:sdk/src/java/mokee/profiles/StreamSettings.java:sdk/src/java/mokee/providers/DataUsageContract.java:sdk/src/java/mokee/providers/MKSettings.java:sdk/src/java/mokee/providers/WeatherContract.java:sdk/src/java/mokee/util/ColorUtils.java:sdk/src/java/mokee/util/palette/ColorCutQuantizer.java:sdk/src/java/mokee/util/palette/ColorUtils.java:sdk/src/java/mokee/util/palette/DefaultGenerator.java:sdk/src/java/mokee/util/palette/Palette.java:sdk/src/java/mokee/weather/MKWeatherManager.java:sdk/src/java/mokee/weather/RequestInfo.java:sdk/src/java/mokee/weather/WeatherInfo.java:sdk/src/java/mokee/weather/WeatherLocation.java:sdk/src/java/mokee/weather/util/WeatherUtils.java:sdk/src/java/mokee/weatherservice/ServiceRequest.java:sdk/src/java/mokee/weatherservice/ServiceRequestResult.java:sdk/src/java/mokee/weatherservice/WeatherProviderService.java:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/core-libart_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/core-oj_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/ext_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/framework_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/org.mokee.platform.sdk_intermediates/classes.jar: -d /home/jack/Mokee/O/out/target/common/docs/mokee-api-stubs -hdf page.build OPR3.170623.013-\$(cat /home/jack/Mokee/O/out/build_number.txt) -hdf page.now \"\$(date -d @\$(cat /home/jack/Mokee/O/out/build_date.txt) \"+%d %b %Y %k:%M\")\" -stubs /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-sdk_stubs_current_intermediates/src -stubpackages mokee.alarmclock:mokee.app:mokee.content:mokee.externalviews:mokee.hardware:mokee.media:mokee.os:mokee.preference:mokee.profiles:mokee.providers:mokee.platform:mokee.power:mokee.util:mokee.weather:mokee.weatherservice -exclude org.mokee.platform.internal -api /home/jack/Mokee/O/out/target/common/obj/PACKAGING/mk_public_api.txt -removedApi /home/jack/Mokee/O/out/target/common/obj/PACKAGING/mk_removed.txt -nodocs && touch -f /home/jack/Mokee/O/out/target/common/docs/mokee-api-stubs-timestamp ) || (rm -rf /home/jack/Mokee/O/out/target/common/docs/mokee-api-stubs /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/droiddoc-src-list; exit 45) )"
mokee-sdk/sdk/src/java/mokee/preference/ConstraintsHelper.java:27: error:package android.support.v7.preference does not exist
import android.support.v7.preference.Preference;
^
mokee-sdk/sdk/src/java/mokee/preference/ConstraintsHelper.java:28: error: package android.support.v7.preference does not exist
import android.support.v7.preference.PreferenceGroup;
^
mokee-sdk/sdk/src/java/mokee/preference/ConstraintsHelper.java:29: error: package android.support.v7.preference does not exist
import android.support.v7.preference.PreferenceManager;
^
mokee-sdk/sdk/src/java/mokee/preference/SelfRemovingDropDownPreference.java:28: error:
public class SelfRemovingDropDownPreference extends DropDownPreference {
^
mokee-sdk/sdk/src/java/mokee/preference/SelfRemovingDropDownPreference.java:48: error: cannot find symbol
public void onBindViewHolder(PreferenceViewHolder holder) {
^
mokee-sdk/sdk/src/java/mokee/preference/SelfRemovingPreference.java:53: error: cannot find symbol
public void onBindViewHolder(PreferenceViewHolder holder) {
^
symbol: class PreferenceViewHolder
location: class SelfRemovingPreference
javadoc: error - In doclet class
In com.google.doclava.Doclava, method start had thrown an exception java.lang.reflect.InvocationTargetException
java.lang.IllegalArgumentException: Unable to find IThermalListenerCallback.java. This is usually because doclava has been asked to generate stubs for a file that isn't present in the list of input source files but exists in the input classpath.
at com.google.doclava.Stubs.parseLicenseHeader(Stubs.java:494)
at com.google.doclava.Stubs.writeClassFile(Stubs.java:478)
at com.google.doclava.Stubs.writeClassFile(Stubs.java:465)
at com.google.doclava.Stubs.writeStubsAndApi(Stubs.java:193)
at com.google.doclava.Doclava.start(Doclava.java:511)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.sun.tools.javadoc.DocletInvoker.invoke(DocletInvoker.java:310)
at com.sun.tools.javadoc.DocletInvoker.start(DocletInvoker.java:189)
at com.sun.tools.javadoc.Start.parseAndExecute(Start.java:366)
at com.sun.tools.javadoc.Start.begin(Start.java:219)
at com.sun.tools.javadoc.Start.begin(Start.java:205)
at com.sun.tools.javadoc.Main.execute(Main.java:64)
at com.sun.tools.javadoc.Main.main(Main.java:54)
1 error
39 warning
ninja: build stopped: subcommand failed.
11:45:41 ninja failed with: exit status 1
build/core/main.mk:21: recipe for target 'run_soong_ui' failed
make: *** [run_soong_ui] Error 1

Post-factory reset problems

I performed a factory reset on my Redmi Note 6 Pro and it seems things went wrong as it now won't boot. When I turn it on, I get the Mi.com screen for a few seconds then nothing. I did some googling and decided to try a fastboot flash. This did not work with an error "Flash xbl error"
Here is the log:
MiFlash 2020.3.14.0
vboytest index:1
idproduct: 53261 idvendor: 6353
Thread id:10 Thread name:95c0959
image path:C:\Users\User\Desktop\tulip_global_images_V12.0.1.0.PEKMIXM_20201229.0000.00_9.0_global
env android path:"C:\Users\User\Desktop\MIUI_Flash\Source\ThirdParty\Google\Android"
script :C:\Users\User\Desktop\tulip_global_images_V12.0.1.0.PEKMIXM_20201229.0000.00_9.0_global\flash_all_lock.bat
Physical Memory Usage:1044480 Byte
start process id 2968 name cmd
info1:$fastboot -s devicename getvar product 2&1 | findstr /r /c:"^product: *tulip" || echo Missmatching image and device
info1roduct: tulip
info1:$fastboot -s devicename getvar product 2&1 | findstr /r /c:"^product: *tulip" || exit /B 1
info1roduct: tulip
info1:$set CURRENT_ANTI_VER=4
info1:$for /F "tokens=2 delims=: " %i in ('fastboot -s devicename getvar anti 2&1 | findstr /r /c:"anti:"') do (set version=%i )
info1:$(set version=4 )
info1:$if [4] EQU [] set version=0
info1:$if 4 GTR 4 (
info1:echo current device antirollback version is greater than this package
info1: exit /B 1
info1
info1:$fastboot -s devicename flash xbl C:\Users\User\Desktop\tulip_global_images_V12.0.1.0.PEKMIXM_20201229.0000.00_9.0_global\images\xbl.elf ||
info2:Sending 'xbl' (2504 KB) OKAY [ 0.078s]
info1:"Flash xbl error"
info2:Writing 'xbl' FAILED (remote: 'Flashing is not allowed in Lock State')
info2:fastboot: error: Command failed
begin FlashDone
error:"Flash xbl error"
process exit.
flashSuccess False
isFactory False CheckCPUID False
before:flashSuccess is False set IsUpdate:True set IsDone True
after:flashSuccess is False set IsUpdate:false set IsDone true
Click to expand...
Click to collapse
Can anyone assist? I see the "flashing is not allowed in lock state" message but my various googlings seem to suggest I shouldn't need to unlock? Perhaps I do (I did start down that path but got a bit stuck - will persevere if that is the issue).

Managed to get into Recovery mode on the device and that fixed it. No need to flash after all.

Mi Stick stuck on boot logo (bricked?)

Hello everybody.
A couple of years ago I bought a Mi Stick for my mother, to use connected to an old LED tv she had. She used just 3 o 4 times tops with a Netflix account my brother shared with her. The device was practically new. My brother stopped paying Netflix a couple of months ago so she stopped using the device altogether so I disconnected it. But yesterday she told me my brother started paying Netflix again and told me to connect the MiStick to her TV again. Surprisingly, the device is now stuck on the boot logo:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I'm really angry because the device had very little use and especially because I live in third world ****hole: a new MiStick costs almost 4 times more now. It's not like I have couple of dollars getting dust on a drawer somewhere and I can go buy another one.
Anyway, I know it's possible to flash/unbrick a MiBox, I did it some time ago. Anybody knows if it's possible to the same with the Mi Stick??? I googled about it but I didn't find anything.
Thank you for your time.

hello, my Mi TV Stick MDZ-24-AA also unfortunately hangs all the time on the logo, checked on various cables and on a decent power supply
through the remote control (arrow + OK) does not want to enter the bootloader
I have purchased PL2303HX converter
According to the instructions from https://forum.xda-developers.com/t/help-pleas...-no-power-led-no-video.4452819/#post-87044521
and partially supported by Ruslan's film
With a backup downloaded from https://disk-yandex-ru.translate.goog/d/aL5Xo...en&_x_tr_hl=en&_x_tr_pto=wapp&_x_tr_hist=true
Using Putty and ADB
I went through the entire installation process
Unfortunately, my mi stick still hangs on the logo: / What could be the cause? Is my mi stick still salvageable?

kedzior.kedzior said:
I have purchased PL2303HX converter
Using Putty and ...
I went through the entire installation process
Unfortunately, my mi stick still hangs on the logo
Click to expand...
Click to collapse
With the PL2303HX connected to the uart while the device is booting (to a hung state), what is shown in the uart log while the device is trying to boot?
Are you able to get a prompt over the uart as shown in the video?

Functioner said:
With the PL2303HX connected to the uart while the device is booting (to a hung state), what is shown in the uart log while the device is trying to boot?
Are you able to get a prompt over the uart as shown in the video?
Click to expand...
Click to collapse
GXL:BL1:9ac50e:bb16dc;FEAT:BDFD71BC:0;POC:3;RCY:0;EMMC:0;READ:0;0.0;0.0;CHK:0;
TE: 138335
BL2 Built : 10:18:52, Sep 14 2020. gxl g9f162b4-dirty - [email protected]
set vcck to 1120 mv
set vddee to 1000 mv
id=3
DDR4 board
CPU clk: 1200MHz
DDR scramble enabled
DDR4 chl: Rank0+1 @ 1056MHz - FAIL
DDR4 chl: Rank0 @ 1056MHz
bist_test rank: 0 19 05 2e 28 16 3a 17 02 2d 2b 1d 3a 17 02 2c 2c 1c 3d 18 02 2f 27 16 38 706 - PASS
Rank0: 1024MB(auto)-2T-18
AddrBus test pass!
eMMC boot @ 0
sw8 s
emmc switch 3 ok
BL2: rpmb counter: 0x00000020
emmc switch 0 ok
Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000, part: 0
aml log : R1024 check pass!
New fip structure!
Load bl30 from eMMC, src: 0x00010200, des: 0x01700000, size: 0x0000d600, part: 0
aml log : R1024 check pass!
Load bl31 from eMMC, src: 0x00020200, des: 0x01700000, size: 0x0002b400, part: 0
aml log : R1024 check pass!
Load bl32 from eMMC, src: 0x0004c200, des: 0x01700000, size: 0x0003e200, part: 0
aml log : R1024 check pass!
Load bl33 from eMMC, src: 0x0008c200, des: 0x01700000, size: 0x00080e00, part: 0
aml log : R1024 check pass!
NOTICE: BL3-1: v1.0(release):129a6bc
NOTICE: BL3-1: Built : 17:09:37, Apr 25 2019
[BL31]: GXL CPU setup!
NOTICE: BL3-1: GXL secure boot!
NOTICE: BL3-1: BL33 decompress pass
mpu_config_enable:system pre init ok
dmc sec lock
[Image: gxl_v1.1.3377-2941e55e3 2020-07-08 17:19:09 [email protected]]
OPS=0xb4
21 0d b4 00 6b a3 4a 05 e8 35 9e 81 38 16 4f b7
[0.733983 Inits done]
secure task start!
high task start!
low task start!
INFO: BL3-2: ATOS-V2.4-239-g48b8c37d #1 Wed Feb 5 09:34:09 UTC 2020 arm
INFO: BL3-2: Chip: GXL Rev: D (21 - B0:2)
INFO: BL3-2: crypto engine DMA
INFO: BL3-2: secure time TEE
INFO: BL3-2: CONFIG_DEVICE_SECURE 0xb200000e
U-Boot 2015.01-g2e3e77d-dirty (Nov 07 2020 - 00:20:15), Build: jenkins-aquaman-664
DRAM: 1 GiB
Relocation Offset is: 36e80000
gpio: pin gpiodv_24 (gpio 43) value is 1
register usb cfg[0][1] = 0000000037f4c4f8
[CANVAS]canvas init
MMC: aml_priv->desc_buf = 0x0000000033e80ab0
aml_priv->desc_buf = 0x0000000033e82df0
SDIO Port B: 0, SDIO Port C: 1
co-phase 0x2, tx-dly 0, clock 400000
co-phase 0x2, tx-dly 0, clock 400000
co-phase 0x2, tx-dly 0, clock 400000
emmc/sd response timeout, cmd8, status=0x1ff2800
emmc/sd response timeout, cmd55, status=0x1ff2800
co-phase 0x2, tx-dly 0, clock 400000
co-phase 0x2, tx-dly 0, clock 40000000
[mmc_startup] mmc refix success
init_part() 297: PART_TYPE_AML
[mmc_init] mmc init success
aml log : R1024 check pass!
start dts,buffer=0000000033e85640,dt_addr=0000000033e85640
get_partition_from_dts() 71: ret 0
parts: 17
00: logo 0000000000800000 1
01: recovery 0000000001800000 1
02: misc 0000000000800000 1
03: dtbo 0000000000800000 1
04: cri_data 0000000000800000 2
05: param 0000000001000000 2
06: boot 0000000001000000 1
set has_boot_slot = 0
07: rsv 0000000001000000 1
08: tee 0000000002000000 1
09: vendor 0000000006400000 1
10: odm 0000000001400000 1
11: metadata 0000000001000000 1
12: vbmeta 0000000000200000 1
13: system 000000005ac00000 1
14: product 0000000006a00000 1
15: cache 0000000010000000 2
16: data ffffffffffffffff 4
init_part() 297: PART_TYPE_AML
eMMC/TSD partition table have been checked OK!
crc32_s:0x1577dad == storage crc_pattern:0x1577dad!!!
crc32_s:0xee152b83 == storage crc_pattern:0xee152b83!!!
crc32_s:0x7fd3b243 == storage crc_pattern:0x7fd3b243!!!
mmc env offset: 0x17400000
In: serial
Out: serial
Err: serial
reboot_mode=cold_boot
[store]To run cmd[emmc dtb_read 0x1000000 0x40000]
_verify_dtb_checksum()-2755: calc 6955a20f, store 6955a20f
_verify_dtb_checksum()-2755: calc 6955a20f, store 6955a20f
dtb_read()-2972: total valid 2
update_old_dtb()-2953: do nothing
aml log : R1024 check pass!
vpu: clk_level in dts: 7
vpu: set clk: 666667000Hz, readback: 666666667Hz(0x300)
vpu: vpu_clk_gate_init_off finish
vpp: vpp_init
hpd_state=0
vpp: vpp_matrix_update: 2
cvbs performance type = 6, table = 0
cvbs_config_hdmipll_gxl
cvbs_set_vid2_clk
the HHI_VDAC_CNTL0 =b0001
the HHI_VDAC_CNTL0 =b0200
the HHI_VDAC_CNTL1 =0
the HHI_VDAC_CNTL1 =8
amlkey_init() enter!
[EFUSE_MSG]keynum is 4
[BL31]: tee size: 0
[BL31]: tee size: 0
[BL31]: tee size: 0
[BL31]: tee size: 0
[KM]Error:f[key_manage_query_size]L507:key[region] not programed yet
CONFIG_AVB2: avb2
Start read misc partition datas!
info->magic =
info->version_major = 1
info->version_minor = 0
info->slots[0].priority = 15
info->slots[0].tries_remaining = 7
info->slots[0].successful_boot = 0
info->slots[1].priority = 14
info->slots[1].tries_remaining = 7
info->slots[1].successful_boot = 0
info->crc32 = -1075449479
active slot = 0
wipe_data=successful
wipe_cache=successful
upgrade_step=2
reboot_mode:::: cold_boot
[OSD]load fb addr from dts:/meson-fb
[OSD]fb_addr for logo: 0x3f800000
[OSD]load fb addr from dts:/meson-fb
[OSD]fb_addr for logo: 0x3f800000
[OSD]VPP_OFIFO_SIZE:0xfff00fff
[CANVAS]addr=0x3f800000 width=5760, height=2160
[OSD]osd_hw.free_dst_data: 0,719,0,575
Command: bcb uboot-command
Start read misc partition datas!
BCB hasn't any datas,exit!
do_monitor_bt_cmdline
gpio: pin GPIOX_17 (gpio 17) value is 0
gpio: pin GPIOX_17 (gpio 17) value is 1
gpio: pin GPIOX_18 (gpio 18) value is 1
hw_config_start:state = 3
bt_cmdline: fw downloaded
no recovery mod!
gpio: pin GPIOX_8 (gpio 8) value is 1
Hit Enter or space or Ctrl+C key to stop autoboot -- : 0
CONFIG_SYSTEM_AS_ROOT: systemroot
system_mode: 1
CONFIG_AVB2: avb2
active_slot: normal avb2: 1
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
InUsbBurn
[MSG]sof
Set Addr 4
Get DT cfg
Get DT cfg
Get DT cfg
set CFG
Get DT cfg
Get DT cfg
Get DT cfg
Get DT cfg
waitIdentifyTime(751) > timeout(750)
(Re)start USB...
USB0: USB3.0 XHCI init start
Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 1 USB Device(s) found
scanning usb for storage devices... 0 Storage Device(s) found
** Bad device usb 0 **
** Bad device usb 0 **
active_slot: normal
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
gxl_aquaman_v1#

kedzior.kedzior said:
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
Click to expand...
Click to collapse
The above error might be an issue.
at the prompt:
gxl_aquaman_v1#
type:
printenv
and post the output.

Functioner said:
The above error might be an issue.
at the prompt:
gxl_aquaman_v1#
type:
printenv
and post the output.
Click to expand...
Click to collapse
gxl_aquaman_v1#printenv
1080p60hz_deepcolor=444,12bit
480p60hz_deepcolor=rgb,8bit
EnableSelinux=permissive
active_slot=normal
avb2=1
baudrate=115200
bcb_cmd=get_avb_mode;get_valid_slot;
boardid=3
boot_part=boot
bootargs=init=/init console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xc81004c0 ramoops.pstore_en=1 ramoops.record_size=0x8000 ramoops.console_size=0x4000 ro rootwait skip_initramfs reboot_mode_android=normal androidboot.selinux=permissive logo=osd1,loaded,0x3d800000,576cvbs maxcpus=4 vout=576cvbs,enable hdmimode=1080p60hz frac_rate_policy=1 cvbsmode=576cvbs hdmitx=,444,12bit cvbsdrv=0 androidboot.firstboot=0 jtag=apao androidboot.veritymode=enforcing androidboot.hardware=amlogic androidboot.btmacaddr=00:00:00:00:00:00 androidboot.wifimac=00:00:00:00:00:00 androidboot.wificountrycode=US androidboot.bootloader= androidboot.serialno=26919800002433906 androidboot.boardid=3 androidboot.region=none androidboot.reboot_mode=cold_boot page_trace=on androidboot.rpmb_state=0 aml_dt= recovery_part={recovery_part} recovery_offset={recovery_offset} aml_dt= recovery_part={recovery_part} recovery_offset={recovery_offset}
bootcmd=run storeboot
bootdelay=1
bootup_offset=0x1133b50
bootup_size=0x5eec7a
btmac=00:00:00:00:00:00
cmdline_keys=keyman init 0x1234; setkeys;
colorattribute=444,12bit
cvbs_drv=0
cvbsmode=576cvbs
display_bpp=24
display_color_bg=0
display_color_fg=0xffff
display_color_index=24
display_height=576
display_layer=osd1
display_width=720
dtb_mem_addr=0x1000000
factory_reset_poweroff_protect=echo wipe_data=${wipe_data}; echo wipe_cache=${wipe_cache};if test ${wipe_data} = failed; then run init_display; run storeargs;if usb start 0; then run recovery_from_udisk;fi;run recovery_from_flash;fi; if test ${wipe_cache} = failed; then run init_display; run storeargs;if usb start 0; then run recovery_from_udisk;fi;run recovery_from_flash;fi;
fb_addr=0x3d800000
fb_height=1080
fb_width=1920
fdt_high=0x20000000
firstboot=0
frac_rate_policy=1
fs_type=ro rootwait skip_initramfs
hdmimode=1080p60hz
identifyWaitTime=750
init_display=get_rebootmode;echo reboot_mode:::: ${reboot_mode};if test ${reboot_mode} = quiescent; then setenv reboot_mode_android quiescent;run storeargs;setenv bootargs ${bootargs} androidboot.quiescent=1;osd open;osd clear;else if test ${reboot_mode} = recovery_quiescent; then setenv reboot_mode_android quiescent;run storeargs;setenv bootargs ${bootargs} androidboot.quiescent=1;osd open;osd clear;else setenv reboot_mode_android normal;run storeargs;osd open;osd clear;imgread pic logo bootup $loadaddr;bmp display $bootup_offset;bmp scale; fi;fi;
initargs=init=/init console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xc81004c0 ramoops.pstore_en=1 ramoops.record_size=0x8000 ramoops.console_size=0x4000
jtag=apao
loadaddr=1080000
lock=10001000
maxcpus=4
outputmode=576cvbs
page_trace=on
preboot=run cmdline_keys;run bcb_cmd; run factory_reset_poweroff_protect;run upgrade_check;run init_display;run storeargs;bcb uboot-command;run switch_bootmode;
reboot_mode=cold_boot
reboot_mode_android=normal
recovery_from_flash=get_valid_slot;echo active_slot: ${active_slot};if test ${active_slot} = normal; then setenv bootargs ${bootargs} aml_dt=${aml_dt} recovery_part={recovery_part} recovery_offset={recovery_offset};if itest ${upgrade_step} == 3; then if ext4load mmc 1:2 ${dtb_mem_addr} /recovery/dtb.img; then echo cache dtb.img loaded; fi;if ext4load mmc 1:2 ${loadaddr} /recovery/recovery.img; then echo cache recovery.img loaded; wipeisb; bootm ${loadaddr}; fi;else fi;if imgread kernel ${recovery_part} ${loadaddr} ${recovery_offset}; then wipeisb; bootm ${loadaddr}; fi;else setenv bootargs ${bootargs} aml_dt=${aml_dt} recovery_part=${boot_part} recovery_offset=${recovery_offset};if imgread kernel ${boot_part} ${loadaddr}; then bootm ${loadaddr}; fi;fi;
recovery_from_udisk=setenv bootargs ${bootargs} aml_dt=${aml_dt} recovery_part={recovery_part} recovery_offset={recovery_offset};if fatload usb 0 ${loadaddr} aml_autoscript; then autoscr ${loadaddr}; fi;if fatload usb 0 ${loadaddr} recovery.img; then if fatload usb 0 ${dtb_mem_addr} dtb.img; then echo udisk dtb.img loaded; fi;wipeisb; bootm ${loadaddr};fi;
recovery_offset=0
recovery_part=recovery
region=none
rpmb_state=0
sdc_burning=sdc_burn ${sdcburncfg}
sdcburncfg=aml_sdc_burn.ini
serialno=26919800002433906
sn2=3236393139383030303032343333393036
stderr=serial
stdin=serial
stdout=serial
storeargs=get_rebootmode;setenv bootargs ${initargs} ${fs_type} reboot_mode_android=${reboot_mode_android} androidboot.selinux=${EnableSelinux} logo=${display_layer},loaded,${fb_addr},${outputmode} maxcpus=${maxcpus} vout=${outputmode},enable hdmimode=${hdmimode} frac_rate_policy=${frac_rate_policy} cvbsmode=${cvbsmode} hdmitx=${cecconfig},${colorattribute} cvbsdrv=${cvbs_drv} androidboot.firstboot=${firstboot} jtag=${jtag}; setenv bootargs ${bootargs} androidboot.veritymode=enforcing androidboot.hardware=amlogic androidboot.btmacaddr=${btmac} androidboot.wifimac=${wifimac} androidboot.wificountrycode=${wifi_ccode} androidboot.bootloader=${bootloader} androidboot.serialno=${serialno} androidboot.boardid=${boardid} androidboot.region=${region} androidboot.reboot_mode=${reboot_mode};setenv bootargs ${bootargs} page_trace=${page_trace};setenv bootargs ${bootargs} androidboot.rpmb_state=${rpmb_state};
storeboot=get_system_as_root_mode;echo system_mode: ${system_mode};if test ${system_mode} = 1; then setenv fs_type ro rootwait skip_initramfs;run storeargs;fi;get_valid_slot;get_avb_mode;echo active_slot: ${active_slot} avb2: ${avb2};if test ${active_slot} != normal; then setenv bootargs ${bootargs} androidboot.slot_suffix=${active_slot};fi;if test ${avb2} = 0; then if test ${active_slot} = _a; then setenv bootargs ${bootargs} root=/dev/mmcblk0p23;else if test ${active_slot} = _b; then setenv bootargs ${bootargs} root=/dev/mmcblk0p24;fi;fi;fi;if imgread kernel ${boot_part} ${loadaddr}; then bootm ${loadaddr}; fi;run update;
switch_bootmode=get_rebootmode;if test ${reboot_mode} = factory_reset; then setenv reboot_mode_android normal;run storeargs;run recovery_from_flash;else if test ${reboot_mode} = update; then setenv reboot_mode_android normal;run storeargs;run update;else if test ${reboot_mode} = quiescent; then setenv reboot_mode_android quiescent;run storeargs;setenv bootargs ${bootargs} androidboot.quiescent=1;else if test ${reboot_mode} = recovery_quiescent; then setenv reboot_mode_android quiescent;run storeargs;setenv bootargs ${bootargs} androidboot.quiescent=1;run recovery_from_flash;else if test ${reboot_mode} = cold_boot; then setenv reboot_mode_android normal;run storeargs;else if test ${reboot_mode} = fastboot; then setenv reboot_mode_android normal;run storeargs;fastboot;fi;fi;fi;fi;fi;fi;if monitor_bt_cmdline; then run update; fi;
system_mode=1
try_auto_burn=update 700 750;
update=run try_auto_burn; if usb start 0; then run recovery_from_udisk;fi;run recovery_from_flash;
upgrade_check=echo upgrade_step=${upgrade_step}; if itest ${upgrade_step} == 3; then run init_display; run storeargs; run update;else fi;
upgrade_step=2
usb_burning=update 1000
wifi_ccode=US
wifimac=00:00:00:00:00:00
wipe_cache=successful
wipe_data=successful
Environment size: 7334/65532 bytes

I'm not sure if imgread is being called by the normal boot process, or a recovery process because the device failed to boot.
At the uart prompt type:
imgread dtb boot 0x1000000
imgread kernel boot 0x1080000
bootm 0x1080000
and post the output.
If it's the same error as before, the boot partition might not be flashed with the correct image.

gxl_aquaman_v1#imgread dtb boot 0x1000000
Err imgread(L220):Fmt unsupported! only support 0x3
gxl_aquaman_v1#imgread kernel boot 0x1080000
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
gxl_aquaman_v1#imgread kernel boot 0x1080000
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
gxl_aquaman_v1#<INTERRUPT>
gxl_aquaman_v1#bootm 0x1080000
aml log : Sig Check 1830

kedzior.kedzior said:
gxl_aquaman_v1#imgread dtb boot 0x1000000
Err imgread(L220):Fmt unsupported! only support 0x3
Click to expand...
Click to collapse
Are you able to flash the boot partition with the boot image again?
Which version of the firmware did you flash?

Are you able to flash the boot partition with the boot image again?
Yes
Which version of the firmware did you flash?
https://disk.yandex.ru/d/aL5XolrdAbTJ0g How to check it?
Other than this one I have no other
Did you flash it with fastboot or burn mode?
According to the instructions from the post https://forum.xda-developers.com/t/help-please-mdz-24-aa-no-power-led-no-video.4452819/post-87044521
but one of the commands "fastboot oem unlock" not working
"astboot flashing unlock" worked
"fastboot flashing unlock_critical" worked
I notice from the environment that the bootloader is currently locked.
The russian guy in the video mentioned that it is important to keep the older version of the bootloader, because the newer version could lock you out.
What I would try is starting fastboot, and then using the ota source files, flashing all of the partitions again, except NOT the bootloader.
What you could try first is just flashing the boot partition again from whatever firmware you used the last time.
Unfortunately, I do not have the previous works version :/

kedzior.kedzior said:
https://disk.yandex.ru/d/aL5XolrdAbTJ0g How to check it?
Click to expand...
Click to collapse
I will check that version, and will also check which version is the newest version.

At the uart prompt, type:
get_bootloaderversion
and post the version.

Functioner said:
At the uart prompt, type:
get_bootloaderversion
and post the version.
Click to expand...
Click to collapse
gxl_aquaman_v1#get_bootloaderversion
Nieznane polecenie 'get_bootloaderversion' - spróbuj 'help'
C:\adb>fastboot getvar version-bootloader
version-bootloader: U-Boot 2015.01-g2e3e77d-dirty
Finished. Total time: 0.003s

The version of the firmware in backup-Restore.rar from the above yandex link is r293:
Xiaomi/aquaman/aquaman:9/PI/293:user/release-keys
This is quite old. It's from May 26 2020.
If you flashed the tee image from that download, it could have corrupted your device.

thank you very much for your help and your time. I will continue to try to bring my stick back to life

kedzior.kedzior said:
thank you very much for your help and your time. I will continue to try to bring my stick back to life
Click to expand...
Click to collapse
sure, good luck.