Screen and dt2w issue - can someone post logs to help? - OnePlus 6 Questions & Answers

I've been tracing down an issue related to double tap to wake and my OP6 screen and maybe the proximity sensor. I originally thought it was just an app misbehaving or one of the custom ROMs (crdroid 7.x and 6.x) coding, but after trying a bunch of stock OOS 9.x and 10.x ROMs, as well as other custom ROMs, and doing full recovery/restores with the msmdownload tool, the problem now seems more hardware related than software.
It began when I realized that when dt2w (or gestures) was enabled in settings, not only did those features not work (ever), but I also experienced very high battery drain through the night when the phone was supposed to be in deep doze mode. Double-tap-to-sleep works fine. Otherwise, screen and phone are behaving normally. I've been investigating everything from wakelocks to the light/deep doze modes (deviceidle) to sensors to synaptics stuff. The problem is definitely not wakelock related. Upon deeper investigation, I've narrowed it down to a few things.
When dt2w is enabled, the phone actually IS going into both light and deep doze modes. But the battery drain per hour is similar to normal/active (approx. 2.5%/hr). Obviously something (the screen?) is still draining battery despite the phone being in doze mode ('dumpsys deviceidle' confirms the display is off and locked). I can just keep dt2w disabled, so it's not a huge problem, but I would very much like to get that feature (and gestures) working, and understand wtf is going on.
I've read that it could be a proximity sensor calibration issue. I've run some testing apps on the sensors and they seem ok. The proximity sensor definitely fires on/off while testing and watching logs in realtime. (Also the screen turns off when I am on a phone call, and back on again when moving the phone further away, as it should). I should have done the calibration thing in engineering mode when I rolled back to 9.0.2. But now I'm back at 10.3.9. I did an msmdownloadtool upgrade, which went fine, but had no impact on the problem. The synaptics firmware is obviously involved. OOS 10.3.9 uses fw_synaptics_17819.img. The logs were flooded with synaptics-related entries and errors.
I would like to compare my logs against other OP6's logs. Just need to confirm a couple of things.
1) Upon reboot, this dmesg log shows that the synaptics driver is attempting to update (flash) its firmware! It tries twice, fails, and moves on. Is this normal behaviour on OP6 boot?
OnePlus6:/ # dmesg -Tw | grep syna
Code:
[Wed May 5 22:07:01 2021] synaptics,s3320: tpd_driver_init enter
[Wed May 5 22:07:01 2021] synaptics,s3320: before on cpu [4]
[Wed May 5 22:07:01 2021] synaptics,s3320: check CPU[0] is [online]
[Wed May 5 22:07:02 2021] synaptics,s3320: after on cpu [0]
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_ts_probe is called
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_parse_dts ts->support_hw_poweroff =1
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics,tx-rx-num is 15 30
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptic:ts->irq_gpio:125 irq_flags:8200 max_num 10
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_parse_dts: avdd current = 20000
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_parse_dts:avdd_vmin=3008000,avdd_vmax=3008000
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_parse_dts: Failed to get regulator vdd current
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_parse_dts: Failed to get regulator vdd voltage
[Wed May 5 22:07:02 2021] synaptics,s3320: F12_2D_QUERY_BASE = 4a
            F12_2D_CMD_BASE = 0
            F12_2D_CTRL_BASE = 13
            F12_2D_DATA_BASE = 8
[Wed May 5 22:07:02 2021] synaptics,s3320: F34_FLASH_QUERY_BASE = 23
            F34_FLASH_CMD_BASE = 0
            F34_FLASH_CTRL_BASE = c
            F34_FLASH_DATA_BASE = 0
[Wed May 5 22:07:02 2021] synaptics,s3320: F54_QUERY_BASE = 43
            F54_CMD_BASE = 42
            F54_CTRL_BASE = e
            F54_DATA_BASE = 0
[Wed May 5 22:07:02 2021] synaptics,s3320: before fw update bootloader_mode[0x0]
[Wed May 5 22:07:02 2021] synaptics,s3320: CURRENT_FIRMWARE_ID = 0xad00902100000000
[Wed May 5 22:07:02 2021] synaptics,s3320: max_x = 1080,max_y = 2280; max_x_ic = 1079,max_y_ic = 2279
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_soft_reset !!!
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_tpedge_limitfunc limit_enable =1,mode:0x41 !
[Wed May 5 22:07:02 2021] input: synaptics,s3320 as /devices/platform/soc/a90000.i2c/i2c-3/3-0020/input/input2
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptic:ts->irq is 377
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics_ts_probe 3203: normal end
[Wed May 5 22:07:02 2021] synaptics,s3320: synaptics bootmode 0 !
[Wed May 5 22:07:09 2021] synaptics,s3320: changer_write_func:ts->changer_connet = 1
[Wed May 5 22:07:10 2021] synaptics,s3320: synaptics bootmode 0 !
[Wed May 5 22:07:10 2021] synaptics,s3320: start update ******* fw_name:tp/fw_synaptics_17819.img,ts->manu_name:S3706B
[Wed May 5 22:07:10 2021] synaptics,s3320: enter version 17819 update mode
[Wed May 5 22:07:10 2021] synaptics,s3320: FW_ID:2744099--CONFIG_ID FW_NAME:tp/fw_synaptics_17819.img
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_start_reflash: Start of reflash process
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_go_nogo: Device firmware ID = 2744099
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_go_nogo: Image firmware ID = 2827775
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_go_nogo: Updating UI firmware and config
[Wed May 5 22:07:11 2021] synap rmidev_create_attr
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_enter_flash_prog: BL mode not entered
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_start_reflash: End of reflash process
[Wed May 5 22:07:11 2021] synaptics,s3320: FW update not success try again
[Wed May 5 22:07:11 2021] synaptics,s3320: FW_ID:2744099--CONFIG_ID FW_NAME:tp/fw_synaptics_17819.img
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_start_reflash: Start of reflash process
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_go_nogo force update firmware
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_go_nogo: Updating UI firmware and config
[Wed May 5 22:07:12 2021] synaptics,s3320_firmware: fwu_enter_flash_prog: BL mode not entered
[Wed May 5 22:07:12 2021] synaptics,s3320_firmware: fwu_start_reflash: End of reflash process
[Wed May 5 22:07:12 2021] synaptics,s3320: FW update failed twice, quit updating process!
[Wed May 5 22:07:34 2021] synaptics,s3320: start get base data:1
[Wed May 5 22:07:34 2021] synaptics,s3320: set_doze_time: set doze time: 1
[Wed May 5 22:07:34 2021] synaptics,s3320: reset doze time
[Wed May 5 22:07:34 2021] synaptics,s3320: synaptics_tpedge_limitfunc limit_enable =1,mode:0x41 !
[Wed May 5 22:07:34 2021] synaptics,s3320: all finger up
[Wed May 5 22:07:37 2021] synaptics,s3320: all finger up
[Wed May 5 22:07:42 2021] synaptics,s3320: all finger up
2) When dt2w is enabled, watching dmesg in realtime, the phone starts spamming the log with the following error messages non-stop, but ONLY when in an inactive state (screen is off, etc). As soon as the state becomes active (screen on), the errors stop.
Code:
[Wed May 5 22:44:21 2021] synaptics,s3320 3-0020: synaptics_rmi4_i2c_read_block: I2C read over retry limit
[Wed May 5 22:44:21 2021] synaptics,s3320: Synaptic:ret = -5
[Wed May 5 22:44:21 2021] synaptics,s3320: synaptics_hard_reset !!!
Also get some of these: ("dose mode" lol)
Code:
[19677.286066] synaptics,s3320: synaptics_hard_reset !!!
[19677.306065] synaptics,s3320: synaptics_enable_interrupt_for_gesture: select page failed ret = -5
[19677.306715] i2c_geni a90000.i2c: i2c error :-107
[19677.306877] i2c_geni a90000.i2c: i2c error :-107
[19677.306894] synaptics,s3320: synaptics_mode_change: set dose mode[0xb0] err!!
3) With dt2w disabled, when awakened from screen off, it generates these two messages:
Code:
synaptics,s3320: synaptics_mode_change: set dose mode[0xb0] err!!
synaptics_tpedge_limitfunc limit_enable =1,mode:0x7f !
4) Can you confirm that you have /system/vendor/etc/firmware/tp/fw_synaptics_17819.img and that that is what the boot dmesg log is showing?
5) Proximity sensor:
Code:
05-06 19:06:56.550 9209 9209 I Dialer : AudioModeProvider.getApproximatedAudioRoute - Routing to earpiece
05-06 19:06:56.619 860 860 I sensors-hal: batch:183, android.sensor.proximity/6, period=200000000, max_latency=0
05-06 19:06:56.619 860 860 I sensors-hal: batch:192, android.sensor.proximity/6, period=200000000, max_latency=0 request completed
05-06 19:06:56.619 860 860 I sensors-hal: activate:150, android.sensor.proximity/6 en=1
05-06 19:06:56.623 860 860 I sensors-hal: activate:161, android.sensor.proximity/6 en=1 completed
05-06 19:06:56.655 860 19060 E sensors-hal: handle_sns_client_event:69, prox_event: near_far=0, distance=5.000000, raw_adc=11, crosstalk=0, timestamp=67223704860956
05-06 19:06:58.719 860 860 I sensors-hal: activate:150, android.sensor.proximity/6 en=0
05-06 19:06:58.719 860 860 I sensors-hal: activate:161, android.sensor.proximity/6 en=0 completed
05-06 19:07:09.529 860 900 I sensors-hal: batch:183, android.sensor.proximity/6, period=200000000, max_latency=0
05-06 19:07:09.529 860 900 I sensors-hal: batch:192, android.sensor.proximity/6, period=200000000, max_latency=0 request completed
05-06 19:07:09.529 860 900 I sensors-hal: activate:150, android.sensor.proximity/6 en=1
05-06 19:07:09.544 860 900 I sensors-hal: activate:161, android.sensor.proximity/6 en=1 completed
05-06 19:07:09.577 860 19105 E sensors-hal: handle_sns_client_event:69, prox_event: near_far=1, distance=0.000000, raw_adc=255, crosstalk=0, timestamp=67236625352206
05-06 19:07:10.388 860 19105 E sensors-hal: handle_sns_client_event:69, prox_event: near_far=0, distance=5.000000, raw_adc=33, crosstalk=0, timestamp=67237433905227
05-06 19:07:11.487 860 19105 E sensors-hal: handle_sns_client_event:69, prox_event: near_far=1, distance=0.000000, raw_adc=123, crosstalk=0, timestamp=67238531122831
05-06 19:07:12.525 860 19105 E sensors-hal: handle_sns_client_event:69, prox_event: near_far=0, distance=5.000000, raw_adc=28, crosstalk=0, timestamp=67239570519081
05-06 19:07:13.626 860 19105 E sensors-hal: handle_sns_client_event:69, prox_event: near_far=1, distance=0.000000, raw_adc=117, crosstalk=0, timestamp=67240667706320
05-06 19:07:14.430 860 19105 E sensors-hal: handle_sns_client_event:69, prox_event: near_far=0, distance=5.000000, raw_adc=19, crosstalk=0, timestamp=67241476122102
05-06 19:07:15.430 860 900 I sensors-hal: activate:150, android.sensor.proximity/6 en=0
05-06 19:07:15.432 860 900 I sensors-hal: activate:161, android.sensor.proximity/6 en=0 completed
05-06 19:07:16.109 1046 1046 I Telecom : ProximitySensorManager: All calls removed, resetting proximity sensor to default state: CSW.rC->[email protected]
Thank you.
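As an added example (not code from the post), here is a small script that pulls the two things the post asks other OP6 owners to compare out of `dmesg -T` output: the outcome of the boot-time firmware update (device vs. image firmware ID, number of reflash attempts, whether the controller ever entered bootloader mode) and a count of the I2C/reset messages seen while the screen is off. The sample lines are copied from the dmesg excerpts quoted above; the literal message strings are assumed to be what the OOS 10.3.9 `synaptics,s3320` driver prints, and the errno table holds the two Linux values that appear in the post.

```python
"""Added example (not from the post): summarise the Synaptics S3320 events in
`dmesg -T` output on the OnePlus 6.  Sample lines are copied from the dmesg
excerpts quoted in the post; the literal message strings are assumed to be
what the OOS 10.3.9 synaptics,s3320 driver prints."""
import re
from collections import Counter

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")   # dmesg / dmesg -T
FW_ID_RE = re.compile(r"fwu_go_nogo: (Device|Image) firmware ID = (\d+)")
FW_NAME_RE = re.compile(r"FW_NAME:(\S+)")
ERRNO_RE = re.compile(r"(?:ret = |i2c error :)(-\d+)")
LINUX_ERRNO = {5: "EIO", 107: "ENOTCONN"}   # Linux values seen in the post

# Sample input: boot-time excerpt copied from the post (subset of the lines).
BOOT_LOG = """\
[Wed May 5 22:07:10 2021] synaptics,s3320: FW_ID:2744099--CONFIG_ID FW_NAME:tp/fw_synaptics_17819.img
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_start_reflash: Start of reflash process
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_go_nogo: Device firmware ID = 2744099
[Wed May 5 22:07:10 2021] synaptics,s3320_firmware: fwu_go_nogo: Image firmware ID = 2827775
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_enter_flash_prog: BL mode not entered
[Wed May 5 22:07:11 2021] synaptics,s3320: FW update not success try again
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_start_reflash: Start of reflash process
[Wed May 5 22:07:11 2021] synaptics,s3320_firmware: fwu_go_nogo force update firmware
[Wed May 5 22:07:12 2021] synaptics,s3320_firmware: fwu_enter_flash_prog: BL mode not entered
[Wed May 5 22:07:12 2021] synaptics,s3320: FW update failed twice, quit updating process!
"""

# Sample input: screen-off spam copied from the post (subset of the lines).
SCREEN_OFF_LOG = """\
[Wed May 5 22:44:21 2021] synaptics,s3320 3-0020: synaptics_rmi4_i2c_read_block: I2C read over retry limit
[Wed May 5 22:44:21 2021] synaptics,s3320: Synaptic:ret = -5
[Wed May 5 22:44:21 2021] synaptics,s3320: synaptics_hard_reset !!!
[19677.286066] synaptics,s3320: synaptics_hard_reset !!!
[19677.306065] synaptics,s3320: synaptics_enable_interrupt_for_gesture: select page failed ret = -5
[19677.306715] i2c_geni a90000.i2c: i2c error :-107
[19677.306877] i2c_geni a90000.i2c: i2c error :-107
[19677.306894] synaptics,s3320: synaptics_mode_change: set dose mode[0xb0] err!!
"""

def parse_dmesg(text):
    """Yield (timestamp, message) for each line in dmesg or dmesg -T format."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("ts"), m.group("msg")

def summarize_fw_update(text):
    """What the touch driver tried to do with tp/fw_*.img at boot."""
    s = {"device_fw_id": None, "image_fw_id": None, "image_name": None,
         "attempts": 0, "bl_mode_failures": 0, "forced": False,
         "gave_up": False, "image_newer": None}
    for _, msg in parse_dmesg(text):
        if "fwu_start_reflash: Start of reflash process" in msg:
            s["attempts"] += 1                 # one per reflash attempt
        if m := FW_ID_RE.search(msg):
            s[m.group(1).lower() + "_fw_id"] = int(m.group(2))
        if m := FW_NAME_RE.search(msg):
            s["image_name"] = m.group(1)
        if "BL mode not entered" in msg:       # controller never reached its bootloader
            s["bl_mode_failures"] += 1
        if "force update firmware" in msg:
            s["forced"] = True
        if "FW update failed twice" in msg:
            s["gave_up"] = True
    if s["device_fw_id"] is not None and s["image_fw_id"] is not None:
        s["image_newer"] = s["image_fw_id"] > s["device_fw_id"]
    return s

def count_i2c_faults(text):
    """Count the bus/reset messages the post sees only while the screen is off."""
    c = Counter()
    for _, msg in parse_dmesg(text):
        if "I2C read over retry limit" in msg:
            c["i2c_retry_limit"] += 1
        elif "synaptics_hard_reset" in msg:
            c["hard_reset"] += 1
        elif "select page failed" in msg:
            c["select_page_failed"] += 1
        elif re.search(r"i2c error :-\d+", msg):
            c["geni_i2c_error"] += 1
        elif "set dose mode" in msg and "err" in msg:
            c["doze_mode_set_error"] += 1
    return c

def errnos_seen(text):
    """Translate the negative return codes in the log into errno names."""
    names = Counter()
    for _, msg in parse_dmesg(text):
        for code in ERRNO_RE.findall(msg):
            names[LINUX_ERRNO.get(-int(code), code)] += 1
    return names

if __name__ == "__main__":
    print(summarize_fw_update(BOOT_LOG))
    print(dict(count_i2c_faults(SCREEN_OFF_LOG)), dict(errnos_seen(SCREEN_OFF_LOG)))
```

Run it against `dmesg -T | grep -E 'syna|i2c_geni'` captured right after boot and again after the screen has been off for a while; a healthy device for comparison should show the same `Device firmware ID` as the image (no reflash attempt at all) and no `i2c error :-107` (ENOTCONN, the bus transfer got no response from the controller) once the screen is off.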

No love?
C'mon OP6 owners! It'll take you 5 minutes. A simple dmesg log right after boot.
Code:
dmesg -T | grep synaptics

Nobody? Can't post a simple log?
Geez. This site has changed a lot over the years. Back in the day, there would have been plenty of people replying to help with such a simple request. Seems like now, xda is mostly posts about one feature or another of a custom ROM not working as expected.

Related

[R&D] Unlock Bootloaders

Rules:
Do not post in here unless you have something constructive to say. "Thanks", "Hey this is wonderful", and any other comments like that are not wanted. They take up space and make it more difficult to find information. I'm requesting that this thread be heavily moderated. In order to work efficiently, information density must be kept high. We are all guilty of adding in a few off-topic sentences from time to time, but this thread is strictly business and I expect the moderators to moderate me as well.
What is this?
This is the place where we can research and develop a method to unlock the bootloader of the Verizon Galaxy SIII. Hopefully, this will be development at its finest.
Why not just buy a developer edition
GTFO! Not a single person got started developing by buying a developer phone. They started developing because they were unhappy with the features of their device and wanted something better. They wanted something more. This developer phone is a tax on developer innovation. We do not stand for that. We will break the security and we will enable XDA-Developers to do what they do best.
Until security is broken and available for everyone, this device will get updates last, users will be unhappy because there are no additional features and Samsung violates the spirit of Open Source and copyright laws. Take a look at the bottom line of GPL-Violations.org FAQ located here: http://gpl-violations.org/faq/sourcecode-faq.html
What are the goals?
Attain a bootloader recovery - 75% JTAG (the extra 25% will be for a user-friendly method)
The Galaxy S3 is bootable from SDCard. In case of emergency this is needed. We need to verify that this works on the Verizon GS3 to bring up Odin. This will set up infrastructure for research.
Attain a full stock restoration via Odin or Heimdall - 90%
For use with Odin3.
Bootloader - BOOTLOADER_I535VRALF2_618049_REV09_user_low_ship.tar.md5 - 1.97 MB - Thanks nbsdx
PDA - SCH-I535_VZW_1_20120705143513_fti2qg2lmf.zip
NEED CSC PACKAGE (MODEM, PARAMS and Other Miscellaneous partitions). This is enough to recover a device though.
To include bootloaders and recovery to a working and stock condition with the EMMC wiped entirely. Heimdall is a work in progress for this device. This will complete the infrastructure needed for research.
Collect information
This will be the longest and most difficult part of this development. The information provided by Qualcomm is not readily available. Samsung is notoriously secretive about their bootloaders. Mainly we, as a community, will generate information. Please post any relevant datasheets, theory-of-operation, or manuals which you can find.
Provide a way to remove security checks from Odin3. 100% - insecure aboot.img which may break in the future
By removing security checks from Odin3 on the computer or the Loki daemon on the device we can flash anything through Odin or Heimdall.
Provide a way to bypass security checks within bootloaders. 200% we have two exploits, only one has been released.
This is the ultimate goal. Once we can bypass the security checks, kernels can be flashed giving us the control required to develop
Initial information
[BOOTLOADER] Locked bootloader research and news: http://forum.xda-developers.com/showthread.php?t=1756919
My own research
SBL1 is the first booting partition. Qualcomm provides the Modem partition so it comes first on the EMMC. SBL1 is the first bootloader and that is specified by Qualcomm standards. Qualcomm makes the primitive bootloader and allows their customers (Samsung) to make a Secondary bootloader. Samsung chose to use three secondary bootloaders.
The following 0p* are located in /dev/block/mmcblk*
0p1 = modem
Built by se.infra
HUDSON_GA_D2_USA-VZW-HARDKEY-PROD-USER
I take this to mean this Qualcomm modem was built in Hudson Georgia.
I was not able to find signatures on this block. This does NOT mean that there are no signatures on this block. The file is 33 megs. The file is unencrypted.
The modem uses the BLAST Kernel ver : 02.04.02.02.00 Unfortunately we need someone who speaks French(???) to understand how this works http://blast.darkphpbb.com/faq.php
Judging by the contents of this file, it is an operating system of its own including keyboard, mouse and a lot of debugging information. We need to find out more about the BLAST Kernel and this partition.
Samsung Proprietary partitions SBL1,2,3
Overall I'm not entirely familiar with this new 3 SBL setup. If someone could help me out, that would be great. This 3 SBL setup looks like they tried to adapt (sloppily) their IBL+PBL+SBL setup to the Qualcomm and added overhead.
0p2=sbl1
This block is signed by Samsung, we will not be able to modify it.
Some Strings we expect to see on UART are:
0p3=sbl2
This block is signed by Samsung, we will not be able to modify it.
Some of the strings we may see over UART are:
Code:
RPM loading is successful.
cancel RPM loading!
SBL2, End
SBL2, Delta
.sbl2_hw.c
sbl2_hw_init, Start
sbl2_hw_init, Delta
sbl2_hw_init_secondary, Start
h/w version : %d
sbl2_hw_init_secondary, Delta
.SBL2, Start
scatterload_region & ram_init, Start
.scatterload_region & ram_init, Delta
.sbl2_mc.c
sbl2_retrieve_shared_info_from_sbl1, Start
.sbl2_retrieve_shared_info_from_sbl1, Delta
0p4=sbl3
This block is signed by Samsung, we will not be able to modify it.
Possibly useful information:
SVC: R1-R14
FIQ:R13-R14
IRQ:R13-R14
UND:R13-R14
ABT:R13-R14
SYS:R13-R14
This block appears to be a full OS of its own. I'm not sure of its purpose.
0p5= aboot
This block is signed by Samsung, we will not be able to modify it
This block contains HTML information. It would appear that it is possible to put the device into a mode where it will provide a webserver which displays state information.
This block appears to be a complete operating system
This block contains the Loke Daemon which communicates with Odin3.
0p6= rpm
This block is signed by Samsung we will not be able to modify it
0p7= boot
This is the kernel. There are several things we can do here... I believe this package itself is not signed, but the zImage itself is... here is the bootimg.cfg file
Code:
~/Desktop/VZWGS3$ cat ./bootimg.cfg
bootsize = 0xa00000
pagesize = 0x800
kerneladdr = 0x80208000
ramdiskaddr = 0x81500000
secondaddr = 0x81100000
tagsaddr = 0x80200100
name =
cmdline = console=null androidboot.hardware=qcom user_debug=31
It may be possible to use that cmdline variable as an exploit.
0p8= tz - TrustZone
0p9= pad
0p10= param -boot mode parameters - this could be a potential exploitation point.
0p11= efs -serial numbers
I've honestly got no clue about most of the following partitions.
0p12= modemst1
0p13= modemst2
0p14= system - Android stuff
0p15= userdata - App Stuff
0p16= persist
0p17= cache - Storage for updates
0p18= recovery - recovery partition
0p19= fota
0p20= backup
0p21= fsg
0p22= ssd
0p23= grow
External UART log from initial power up:
Code:
[1630] AST_POWERON
[ 0.000000] heap->name mm, mb->start c0000000
[ 0.000000] Reserving memory at address ea000000 size: 100000
[ 0.000000] sec_dbg_setup: [email protected]
[ 0.000000] sec_dbg_setup: secdbg_paddr = 0x88d90004
[ 0.000000] sec_dbg_setup: secdbg_size = 0x40000
[ 0.000000] etb_buf_setup: [email protected]
[ 0.000000] etb_buf_setup: secdbg_paddr = 0x8fffb9c0
[ 0.000000] etb_buf_setup: secdbg_size = 0x4000
[ 0.174515] rdev_init_debugfs: Error-Bad Function Input
[ 0.174881] AXI: msm_bus_fabric_init_driver(): msm_bus_fabric_init_driver
[ 0.176957] sec_debug_init: enable=0
[ 0.177475] ec_debug_nit: restrt_reason: 0xdf0085c
[ .216358] msm8960_iit_cam:292]settingdone!!
[ 0.25006] i2c 2c-14: Inalid 7-bi I2C addrss 0x00
0.25237] i2c ic-14: Can' create evice at x00
[ 0.252220]i2c i2c-1: Failed o registeri2c clien cmc624 t 0x38 (-6)
[ .252250] 2c i2c-19:Can't crete deviceat 0x38
0.25433] rdevinit_debufs: Error-ad Functin Input
0.25222] max892 19-006: DVS mode disabledbecause VD0 and VI1 do not ave prope control.
[ 0.79536] ms_etm msm_tm: ETM tacing is ot enable beacaussec_debug s not enaled!
[ 0.284449 smd_chanel_probe_orker: alocation tble not iitialized
[ 0.38766] pm_untime: fil to wak up
[ 0.362032]hdmi_msm dmi_msm.1 externalcommon_stte_create sysfs grup de39e68
[ 0362673] Iside writback_drivr_init
[ 0.36275] Insidewritebackprobe
[ 1.244803] TZCOM: unable to get bus clk
[ 1.431680] cm36651_setup_reg: initial proximity value = 3
[ 1.549671] msm_otg msm_otg: request irq succeed for otg_power
[ 1.566702] mms_ts 3-0048: [TSP] ISC Ver [0xbb] [0x20] [0x20]
[ 1.571341] mms_ts 3-0048: [TSP] fw is latest. Do not update.
[ 1.583488] [__s5c73m3_probe:3818] S5C73M3 probe
[ 1.587089] [s5c73m3_sensor_probe_cb:3793] Entered
[ 1.591942] [s5c73m3_i2c_probe:3675] Entered
[ 1.596123] [s5c73m3_init_client:3381] Entered
[ 1.600579] [s5c73m3_i2c_probe:3695] Exit
[ 1.604608] [s5c73m3_sensor_probe:3726] Entered
[ 1.609095] [s5c73m3_spi_init:226] Entered
[ 1.613154] [s5c73m3_spi_probe:191] Entered
[ 1.617335] [s5c73m3_spi_probe:201] s5c73m3_spi successfully probed
[ 1.623561] [s5c73m3_sensor_probe : 3749] Probe_done!!
[ 1.672638] mmc0: No card detect facilities available
[ 1.682984] aat1290a_led_probe : Probe
[ 1.693850] msm_soc_platform_init
[ 1.697298] msm_afe_afe_probe
[ 1.843064] msm_asoc_pcm_new
[ 1.849748] msm_asoc_pcm_new
[ 2.023134] set_dload_mode <1> ( c00176d4 )
[ 2.052220] cypress_touchkey 16-0020: Touchkey FW Version: 0x06
[ 2.123851] init: /init.qcom.rc: 466: invalid command '/system/bin/log'
[ 2.129620] init: /init.qcom.rc: 573: ignored duplicate definition of service 'sdcard'
[ 2.137402] init: /init.qcom.rc: 586: ignored duplicate definition of service 'ftm_ptt'
[ 2.145490] init: /init.target.rc: 73: ignored duplicate definition of service 'thermald'
[ 2.154677] init: could not open /dev/keychord
[ 2.239951] init: Device Encryption status is (0)!!
[ 2.243705] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p15 (ext4):::::
[ 2.251823] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p15
[ 2.588921] init: [disk_config] ext_check ->ok
[ 2.611597] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p17 (ext4):::::
[ 2.617762] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p17
[ 2.655333] init: [disk_config] ext_check -> ok
[ 2.664947] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p11 (ext4):::::
[ 2.671081] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p11
[ 2.704532] init: [disk_config] ext_check -> ok
[ 3.259056] init: cannot find '/system/etc/install-recovery.sh', disabling 'flash_recovery'
[ 3.270471] init: cannot find '/system/bin/dmbserver', disabling 'dmb'
External UART log from battery-pull and reinsert
Code:
[1630] AST_POWERON
[ 0.000000] heap->name mm, mb->start c0000000
[ 0.000000] Reserving memory at address ea000000 size: 100000
[ 0.000000] sec_dbg_setup: [email protected]
[ 0.000000] sec_dbg_setup: secdbg_paddr = 0x88d90004
[ 0.000000] sec_dbg_setup: secdbg_size = 0x40000
[ 0.000000] etb_buf_setup: [email protected]
[ 0.000000] etb_buf_setup: secdbg_paddr = 0x8fffb9c0
[ 0.000000] etb_buf_setup: secdbg_size = 0x4000
[ 0.174484] rdev_init_debugfs: Error-Bad Function Input
[ 0.174851] AXI: msm_bus_fabric_init_driver(): msm_bus_fabric_init_driver
[ 0.176926] sec_debug_init: enable=0
[ 0.177445] sc_debug_iit: restat_reason 0xdf0086c
[ 0216206] [sm8960_int_cam:299]setting one!!
[ 0.217915 select_req_plan:ACPU PVS:Nominal
0.25206] i2c ic-14: Invaid 7-bit 2C addres 0x00
[ 0.25207] i2c i2-14: Can'tcreate deice at 0x0
[ 0252250] 2c i2c-19 Failed t register 2c clientcmc624 at0x38 (-16
[ 0252250] ic i2c-19: an't creae device t 0x38
[ 0.25243] rdev_iit_debugs: Error-Bd Functio Input
[ 0.25292] max895 19-0060:DVS modesdisabled ecause VI0 and VID do not hve propercontrols.
[ 0.29536] msmetm msm_em: ETM trcing is nt enable!
[ 0.35797] pm_rntime: fal to wakeupllcation tale not intialized
[ .362093] dmi_msm hmi_msm.1:external_ommon_stae_create:sysfs grop de39e60
[ 0.62734] Inide writeack_driverinit
[ 0.36285] Inside riteback_robe
[ 1.244803] TZCOM: unable to get bus clk
possible exploitations
Possible entry point MODEM - Someone with a JTAG setup test viability of modifying a single byte on /dev/block/mmcblk0p1
Possible entry point PARAMS - Samsung stores their boot parameters in PARAMS partition. It may be possible to modify PARAMS for insecure boot
Possible entry point BOOT - Modify CMDLINE parameter to load information from another location.
Possible entry point BOOT - We may be able to shove an insecure bootloader into memory, boot into that, and then use the recovery partition as our kernel partition. Bauwks 2nd U-Boot. U-Boot is available for the Exynos 4412, we need to find one for Qualcomm.
Possible entry point SYSTEM - It may be possible to use a 2nd init hack from this partition to load custom kernels into memory and reboot the kernel.
Current tasks
What do all of these partitions do?
Do we have a SDCard based recovery?
Where can we find an Odin3 CSC Flash?
Testing methods above is required
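As an added example (not the thread's code), the script below builds and parses an Android boot image with the v0 header layout, using the addresses and cmdline from the bootimg.cfg quoted above (`bootsize` is abootimg's partition size, not a header field). It makes two things concrete that the post only gestures at: the kernel cmdline is a plain 512-byte field in the first page of the partition, and the header's `id` field, computed the way AOSP's mkbootimg computes it (SHA-1 over kernel, ramdisk and second, each followed by its 32-bit size), covers the payloads but not the cmdline or the load addresses, so it is an integrity check rather than a signature. Kernel and ramdisk payloads are constructed dummies; whether a given OEM signs the whole partition, the zImage alone, or nothing is the separate question the thread is asking.

```python
"""Added example (not from the thread): build and parse an Android boot image
(header v0) with the values from the bootimg.cfg quoted above.  Shows where the
kernel cmdline lives and that the header's `id` field, computed the way AOSP
mkbootimg does, is a SHA-1 over kernel/ramdisk/second only.  Payloads are
constructed dummies."""
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"
HDR_FMT = "<8s10I16s512s32s"     # v0 header up to and including the id field
CMDLINE_OFF = 8 + 10 * 4 + 16    # byte offset of the 512-byte cmdline field

# Values quoted in the thread's bootimg.cfg (bootsize is the partition size,
# not a header field, so it is not used here).
CFG = dict(page_size=0x800, kernel_addr=0x80208000, ramdisk_addr=0x81500000,
           second_addr=0x81100000, tags_addr=0x80200100,
           cmdline=b"console=null androidboot.hardware=qcom user_debug=31")

def _pad(data, page):
    """Pad a blob to a whole number of pages, as every section in the image is."""
    return data + b"\0" * (-len(data) % page)

def image_id(kernel, ramdisk, second):
    """mkbootimg's id: SHA-1 over each blob followed by its 32-bit LE size."""
    sha = hashlib.sha1()
    for blob in (kernel, ramdisk, second):
        sha.update(blob)
        sha.update(struct.pack("<I", len(blob)))
    return sha.digest()

def build_boot_img(kernel, ramdisk, second=b"", *, page_size, kernel_addr,
                   ramdisk_addr, second_addr, tags_addr, cmdline, name=b""):
    """Assemble header + kernel + ramdisk (+ second), each page-aligned."""
    header = struct.pack(HDR_FMT, BOOT_MAGIC, len(kernel), kernel_addr,
                         len(ramdisk), ramdisk_addr, len(second), second_addr,
                         tags_addr, page_size, 0, 0, name, cmdline,
                         image_id(kernel, ramdisk, second).ljust(32, b"\0"))
    img = _pad(header, page_size) + _pad(kernel, page_size) + _pad(ramdisk, page_size)
    return img + (_pad(second, page_size) if second else b"")

def parse_boot_img(img):
    """Decode the header, slice out the payloads and recheck the id hash."""
    fields = struct.unpack_from(HDR_FMT, img, 0)
    if fields[0] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic")
    (_, ksz, kaddr, rsz, raddr, ssz, saddr, tags, page, _, _,
     name, cmdline, img_id) = fields
    off = page                          # the header occupies exactly one page
    def take(size):
        nonlocal off
        blob = img[off:off + size]
        off += -(-size // page) * page  # advance by whole pages
        return blob
    kernel, ramdisk, second = take(ksz), take(rsz), take(ssz)
    return {"pagesize": page, "kerneladdr": kaddr, "ramdiskaddr": raddr,
            "secondaddr": saddr, "tagsaddr": tags,
            "name": name.rstrip(b"\0").decode(),
            "cmdline": cmdline.rstrip(b"\0").decode(),
            "kernel": kernel, "ramdisk": ramdisk, "second": second,
            "id_matches": img_id[:20] == image_id(kernel, ramdisk, second)}

def patch_cmdline(img, new_cmdline):
    """Overwrite the cmdline field in place; the id hash does not cover it."""
    if len(new_cmdline) > 512:
        raise ValueError("cmdline longer than the 512-byte header field")
    out = bytearray(img)
    out[CMDLINE_OFF:CMDLINE_OFF + 512] = new_cmdline.ljust(512, b"\0")
    return bytes(out)

if __name__ == "__main__":
    img = build_boot_img(b"zImage-dummy" * 100, b"ramdisk-dummy" * 50, **CFG)
    print(parse_boot_img(img)["cmdline"])
```

Point `parse_boot_img` at a raw dump of 0p7 (`dd` it off the device) to read back the same values abootimg printed; `id_matches` tells you only whether the payloads still match the header, so a boot image whose cmdline has been edited will pass that check, while a single flipped byte in the zImage will not.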
You may want to try using google translate for the French website. I gave it a shot and it translates pretty well. See attached (sorry, I'm not a developer, but am trying to help in anyway I can). You can also try this url, but you may need to re-enter yourself
http://translate.google.com/transla...tf=1&u=http://blast.darkphpbb.com/faq.php#f42
What I am looking into is the upload mode available in Odin. It has no signature checks from what I can tell. Also do you mean a stock Odin file which we do have.
Sent from my SCH-I535 using Tapatalk 2
Adam, appreciate you keeping us up to date. As an electrical/systems engineer the journey is a great learning experience for me and all.
I'm not sure if you've come across this document. It talks about the MSM7xxx series security capabilities. I couldn't find one for the MSM8xxx, but this may give some insight into how Qualcomm approaches security.
MSM7xxx
Edit: Looks like you are aware of the concepts from your reference about IBL,PBL,SBL.
Not sure if this will be any help, but found this regarding the blast kernel:
http://www.anyclub.org/2012/06/how-to-add-more-physical-ram-memory.html
how to add more physical RAM memory section to Blast Kernel in the MDM9200/MDM9600
Blast Kernel has the capability to take more than one contiguous physical RAM space (section) and use it for its own system memory. In order to add more RAM mem section to Blast, the customer need to modify blast_config.c file.
Here is the example of adding 4MB additional RAM mem section.
In blast_config.c,
struct phys_mem_pool_config pool_configs[] __attribute__((weak)) = {
{"DEFAULT_PHYSPOOL", //name
{
{0x00c00000, 0x02f00000}, // 47MB, the first mem section
{0x00700000, 0x00400000} // adding 4MB, QC default value is {0}
}
},
In this example, additional 4MB is added starting from 0x700000 physical address offset.
Please note the start address has to be physical address.
By adding the second mem section, the Blast Kernel can now use 51MB in total, while it used only 47MB before adding the 4MB mem section
Found this http://code.google.com/p/blastkernel/ (locked down though, I couldn't get access) which was linked from here (also in French but translated through google) but I'm unsure as to if it is related to the blastkernel you are looking for as all the links for the source code are now broken.
Also, while looking through the vz source I found that the person responsible for a lot of the VZW-specific code also helped to develop this http://www.uclinux.org/ so maybe some of that source might be of some help too.
There are relatively large pins between the processor and the other larger chip on the back side of the board. I'm not sure what I'm looking at, but it's definitely communications of some kind. These were taken with the battery out of the device when plugged into USB. Each set starts a new unplug-plugin sequence.
Code:
:�0�0�0
�0
�0
�0
�0��0
�0
�0��0
�0��0
�0
�0
�0
�0��0
�0
�0
�0
�0
�0
�0
�0
�0��0�0
�0
�0
�0
�0
�0
�0 x
:�0�0�0
�0
�0
�0
�0��0
�0��0
�0
�0
�0
�0
�0��0
�0
�0
�0
�0
�0
�0
�0
�0
�0��0
�0
�0
�0
�0
�0��0
�0
�0 z
�0
p
:�0�0�0
�0
�0
�0��0
�0�0
�0
�0
�0
�0
�0
�0��0
�0
�0
�0
�0
�0
�0
�0
�0
�0
�0
�0
�0
�0
�0
�0��0
�0
�0 �
�0�
This is from another pin on the back. As soon as plugged in, a series of 2's come out at 115200BPS:
Code:
22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222
Here's another one:
Code:
2"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""�
All of these were located between the processor and SDCard. I must examine these better. In particular, there are two points at the corner of the processor just above where my needle is located in this picture.
Code:
U��UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU�UUU��JUU��UUUU��UUU��Z���UUUU���UUUUU���UUUUUU���UUUU���UUUUUUٙ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
These points seem to be what I'm looking for, as far as UART goes. Especially that last one. It moves just as you'd expect start-up checks to move, random strings of characters... While not intelligible in the above, after figuring out the bitrate I'm sure something will come through.
I need to analyze the bitrate at this point. I'm quitting for the night though.
I am at the wrong baud rate, but I think I pulled up some valuable boot data from the processor.
Just a sidenote - some of these testpoints might be CLK/PWM signals, the one with the series of "2222" seems like this.
Also - if UART coming out of FSA muxer is 115200bps - the same debug line, on testpoint before FSA must be as well 115200bps. Unless bootloader output goes to other port with different baud rate, which sounds unlikely.
Rebellos said:
Just a sidenote - some of these testpoints might be CLK/PWM signals, the one with the series of "2222" seems like this.
Also - if UART coming out of FSA muxer is 115200bps - the same debug line, on testpoint before FSA must be as well 115200bps. Unless bootloader output goes to other port with different baud rate, which sounds unlikely.
You're right about the 2's... it's probably a sync signal or something, i.e.:
Code:
00000010
However, I don't believe the UART is all consistent. Here's my reasoning. Samsung does not control the processor or the initial bootloader on the processor. I've spoken to some engineers and they are frustrated because things must be sent to Qualcomm to get work done on the bootloaders. It's highly likely that they simply change the bps of the UART to match the Samsung standard.
Thanks to Josh Groce at MobileTechVideos for the heads up on this trick: I was able to mount the Qualcomm Modem partition which I also believe to be the PBL as a FAT partition
Code:
~/Desktop/VZWGS3$ sudo mount ./0p1 ./p1
~/Desktop/VZWGS3$ ls -l ./p1
total 16
drwxr-xr-x 2 root root 16384 Jul 5 2011 image
~/Desktop/VZWGS3$ ls -l ./p1/image
total 42464
-rwxr-xr-x 1 root root 244 Jun 15 08:33 dsps.b00
-rwxr-xr-x 1 root root 160 Jun 15 08:33 dsps.b01
-rwxr-xr-x 1 root root 147456 Jun 15 08:33 dsps.b02
-rwxr-xr-x 1 root root 31872 Jun 15 08:33 dsps.b03
-rwxr-xr-x 1 root root 6220 Jun 15 08:33 dsps.b04
-rwxr-xr-x 1 root root 13824 Jun 15 08:33 dsps.b05
-rwxr-xr-x 1 root root 404 Jun 15 08:33 dsps.mdt
-rwxr-xr-x 1 root root 180 Jun 15 07:50 dxhdcp2.b00
-rwxr-xr-x 1 root root 6520 Jun 15 07:50 dxhdcp2.b01
-rwxr-xr-x 1 root root 135168 Jun 15 07:50 dxhdcp2.b02
-rwxr-xr-x 1 root root 2100 Jun 15 07:50 dxhdcp2.b03
-rwxr-xr-x 1 root root 6700 Jun 15 07:50 dxhdcp2.mdt
-rwxr-xr-x 1 root root 308 Jun 15 08:33 modem.b00
-rwxr-xr-x 1 root root 6600 Jun 15 08:33 modem.b01
-rwxr-xr-x 1 root root 21960368 Jun 15 08:33 modem.b02
-rwxr-xr-x 1 root root 4962049 Jun 15 08:33 modem.b03
-rwxr-xr-x 1 root root 1358104 Jun 15 08:33 modem.b04
-rwxr-xr-x 1 root root 72208 Jun 15 08:33 modem.b06
-rwxr-xr-x 1 root root 707124 Jun 15 08:33 modem.b07
-rwxr-xr-x 1 root root 1044 Jun 15 08:25 modem_f1.b00
-rwxr-xr-x 1 root root 7060 Jun 15 08:25 modem_f1.b01
-rwxr-xr-x 1 root root 2676 Jun 15 08:25 modem_f1.b02
-rwxr-xr-x 1 root root 954800 Jun 15 08:25 modem_f1.b03
-rwxr-xr-x 1 root root 575208 Jun 15 08:25 modem_f1.b04
-rwxr-xr-x 1 root root 246484 Jun 15 08:25 modem_f1.b05
-rwxr-xr-x 1 root root 94208 Jun 15 08:25 modem_f1.b06
-rwxr-xr-x 1 root root 13568 Jun 15 08:25 modem_f1.b07
-rwxr-xr-x 1 root root 11212 Jun 15 08:25 modem_f1.b08
-rwxr-xr-x 1 root root 9548 Jun 15 08:25 modem_f1.b09
-rwxr-xr-x 1 root root 68223 Jun 15 08:25 modem_f1.b10
-rwxr-xr-x 1 root root 113468 Jun 15 08:25 modem_f1.b13
-rwxr-xr-x 1 root root 164412 Jun 15 08:25 modem_f1.b14
-rwxr-xr-x 1 root root 3604 Jun 15 08:25 modem_f1.b21
-rwxr-xr-x 1 root root 28156 Jun 15 08:25 modem_f1.b22
-rwxr-xr-x 1 root root 19136 Jun 15 08:25 modem_f1.b23
-rwxr-xr-x 1 root root 74360 Jun 15 08:25 modem_f1.b25
-rwxr-xr-x 1 root root 49740 Jun 15 08:25 modem_f1.b26
-rwxr-xr-x 1 root root 84476 Jun 15 08:25 modem_f1.b29
-rwxr-xr-x 1 root root 1064 Jun 15 08:25 modem_f1.fli
-rwxr-xr-x 1 root root 8104 Jun 15 08:25 modem_f1.mdt
-rwxr-xr-x 1 root root 1044 Jun 15 08:25 modem_f2.b00
-rwxr-xr-x 1 root root 7060 Jun 15 08:25 modem_f2.b01
-rwxr-xr-x 1 root root 2676 Jun 15 08:25 modem_f2.b02
-rwxr-xr-x 1 root root 955792 Jun 15 08:25 modem_f2.b03
-rwxr-xr-x 1 root root 579032 Jun 15 08:25 modem_f2.b04
-rwxr-xr-x 1 root root 239892 Jun 15 08:25 modem_f2.b05
-rwxr-xr-x 1 root root 94208 Jun 15 08:25 modem_f2.b06
-rwxr-xr-x 1 root root 13568 Jun 15 08:25 modem_f2.b07
-rwxr-xr-x 1 root root 11212 Jun 15 08:25 modem_f2.b08
-rwxr-xr-x 1 root root 9580 Jun 15 08:25 modem_f2.b09
-rwxr-xr-x 1 root root 68223 Jun 15 08:25 modem_f2.b10
-rwxr-xr-x 1 root root 116188 Jun 15 08:25 modem_f2.b13
-rwxr-xr-x 1 root root 158012 Jun 15 08:25 modem_f2.b14
-rwxr-xr-x 1 root root 3604 Jun 15 08:25 modem_f2.b21
-rwxr-xr-x 1 root root 28156 Jun 15 08:25 modem_f2.b22
-rwxr-xr-x 1 root root 19200 Jun 15 08:25 modem_f2.b23
-rwxr-xr-x 1 root root 74360 Jun 15 08:25 modem_f2.b25
-rwxr-xr-x 1 root root 49756 Jun 15 08:25 modem_f2.b26
-rwxr-xr-x 1 root root 84476 Jun 15 08:25 modem_f2.b29
-rwxr-xr-x 1 root root 1064 Jun 15 08:25 modem_f2.fli
-rwxr-xr-x 1 root root 8104 Jun 15 08:25 modem_f2.mdt
-rwxr-xr-x 1 root root 6908 Jun 15 08:33 modem.mdt
-rwxr-xr-x 1 root root 276 Jun 15 08:24 q6.b00
-rwxr-xr-x 1 root root 6580 Jun 15 08:24 q6.b01
-rwxr-xr-x 1 root root 3447760 Jun 15 08:24 q6.b03
-rwxr-xr-x 1 root root 1653278 Jun 15 08:24 q6.b04
-rwxr-xr-x 1 root root 757840 Jun 15 08:24 q6.b05
-rwxr-xr-x 1 root root 14472 Jun 15 08:24 q6.b06
-rwxr-xr-x 1 root root 6856 Jun 15 08:24 q6.mdt
-rwxr-xr-x 1 root root 180 Jun 15 07:50 tzapps.b00
-rwxr-xr-x 1 root root 6520 Jun 15 07:50 tzapps.b01
-rwxr-xr-x 1 root root 503808 Jun 15 07:50 tzapps.b02
-rwxr-xr-x 1 root root 452 Jun 15 07:50 tzapps.b03
-rwxr-xr-x 1 root root 6700 Jun 15 07:50 tzapps.mdt
-rwxr-xr-x 1 root root 212 Jun 15 07:44 wcnss.b00
-rwxr-xr-x 1 root root 140 Jun 15 07:44 wcnss.b01
-rwxr-xr-x 1 root root 8360 Jun 15 07:44 wcnss.b02
-rwxr-xr-x 1 root root 1778532 Jun 15 07:44 wcnss.b04
-rwxr-xr-x 1 root root 352 Jun 15 07:44 wcnss.mdt
[email protected]:~/Desktop/VZWGS3$
tz is the TrustZone, normal Qualcomm.
cache should not be the Dalvik cache; the Dalvik cache should be on the userdata partition from now on. (Could be wrong, don't have the device.) Cache should be almost strictly for updates and recovery use now.
boot itself is signed, not the zImage.
I believe hopping on the developer device is a better option; not only is it made for such, it also means not purchasing a phone within Verizon's sales network (my favorite part of it all).
But Google slapped on the GPLv3, I believe. And since the GPL allows multiple licenses, the TIVO clause would still apply. Correct me if I am wrong.
Adam, you may want to look at this. It's found in otacert.zip in this folder:
http://db.tt/f4QYrK8x
Sent from my SCH-I535 using Tapatalk 2
In the UART dump in the OP, the line stamped at 1.57 seems interesting. Looks like the modem (assuming that's still where the activity is going on then) is checking firmware. Makes me think that there might be something there that could be captured. I wonder where it is confirming the fw is updated.
This might not be useful, but it seems interesting.
Sent from my SCH-I535 using Xparent ICS Tapatalk 2
Why not try the Samsung flash utility instead of Odin?
Sent from my SCH-I535 using Tapatalk 2
tpike said:
In the UART dump in the OP, the line stamped at 1.57 seems interesting. Looks like the modem (assuming that's still where the activity is going on then) is checking firmware.
Usually the firmware is loaded and checked in the modem by the modem RTOS kernel. But I don't know what modem (BP/CP) is used in the Verizon S3...
Errata to OP:
The /efs partition on Qualcomm models is, as far as I know, empty (not used).
AdamLange said:
Errata to OP:
The /efs partition on Qualcomm models is, as far as I know, empty (not used).
Many people on the forums here have stated that IMEI information is stored in a file within /efs (at least on GSM models?), but I can't confirm it myself.
There are several threads about attempting to restore lost IMEIs that might have more info.
papi92 said:
Adam, you may want to look at this. It's found in otacert.zip in this folder:
http://db.tt/f4QYrK8x
Sent from my SCH-I535 using Tapatalk 2
That's just the public key VZW uses to sign updates. Not of use to us.
I was playing around with Odin3. I'm a Linux guy, so this was exploration for me. I was able to make my own Odin package with signed Samsung images under Linux and flash it with Odin3 under Windows.
Code:
[email protected]:~/Desktop/Untitled Folder$ tar -cf OdinCustom.tar recovery.img boot.img
[email protected]:~/Desktop/Untitled Folder$ md5sum -t OdinCustom.tar >> OdinCustom.tar
[email protected]:~/Desktop/Untitled Folder$ mv ./OdinCustom.tar ./OdinCustom.tar.md5
[email protected]:~/Desktop/Untitled Folder$
The first command creates a TAR (Tape ARchive format) of a recovery.img and a boot.img in a file called OdinCustom.tar. The second appends the MD5 to the end of the package. The third command renames it to OdinCustom.tar.md5. The resulting file is flashable by Odin.
This could prove useful if we can find another Qualcomm device which has a bootloader signed by Samsung.
Also, Odin3 has a cool inf file which can be modified to change the title and characteristics of Odin3: http://i49.tinypic.com/352q7t0.png
I found something in the Qualcomm bootloader (first partition, which is a FAT32 and appears to be unsigned) in the tzapps.b02 file which may or may not be of use. Apparently they are looking for something called "/file/file.dat" and it contains dummy data for an executive test suite. May be a possible exploit.
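The packaging step above, redone in Python as an added example (this is not AdamOutler's code, nor a Samsung or Odin tool, and the two image blobs are constructed stand-ins, not real signed images). It shows what the `.tar.md5` trailer actually is: a plain tar body, always a whole number of 512-byte blocks, followed by one `md5  name` line, so a verifier can split the two without guessing. The MD5 only catches a corrupted download; it says nothing about who built the package, which is why the post needs Samsung-signed images inside the tar.

```python
import hashlib
import io
import re
import tarfile

# Constructed stand-in images; a real Odin package carries Samsung-signed boot/recovery images.
SAMPLE_IMAGES = {
    "boot.img": b"ANDROID!" + bytes(range(256)) * 4,
    "recovery.img": b"ANDROID!" + bytes(reversed(range(256))) * 4,
}

# Trailer written by `md5sum archive.tar >> archive.tar`: 32 hex digits, two spaces, name, newline.
TRAILER_RE = re.compile(rb"^([0-9a-f]{32})  (\S+)\n\Z")


def build_odin_tar_md5(images, archive_name="OdinCustom.tar"):
    """Pack {filename: bytes} into an uncompressed tar and append the md5 trailer."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for fname, data in images.items():
            info = tarfile.TarInfo(fname)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    tar_bytes = buf.getvalue()  # tar output is always a multiple of 512 bytes
    digest = hashlib.md5(tar_bytes).hexdigest()
    return tar_bytes + f"{digest}  {archive_name}\n".encode()


def split_tar_md5(blob):
    """The tar body fills whole 512-byte blocks, so the trailer is the leftover tail."""
    body_len = len(blob) - len(blob) % 512
    return blob[:body_len], blob[body_len:]


def verify_odin_tar_md5(blob):
    """Return (ok, expected_md5, actual_md5); ok is False for a missing/malformed
    trailer or a checksum that does not match the body in front of it."""
    body, trailer = split_tar_md5(blob)
    actual = hashlib.md5(body).hexdigest()
    m = TRAILER_RE.match(trailer)
    if not m:
        return False, None, actual
    expected = m.group(1).decode()
    return expected == actual, expected, actual


def list_members(blob):
    """Names of the images inside the package, read from the tar body only."""
    body, _ = split_tar_md5(blob)
    with tarfile.open(fileobj=io.BytesIO(body), mode="r:") as tf:
        return tf.getnames()


def tamper(blob, offset):
    """Flip one bit at `offset` to simulate a corrupted download."""
    b = bytearray(blob)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    pkg = build_odin_tar_md5(SAMPLE_IMAGES)
    print("members:", list_members(pkg))
    print("intact:", verify_odin_tar_md5(pkg))
    print("bit-flipped:", verify_odin_tar_md5(tamper(pkg, 600)))
```

Run it as a script to see the intact package verify and the bit-flipped copy fail; offset 600 lands inside boot.img's data (the first 512 bytes are its tar header).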
Also, this is a very important excerpt from the Qualcomm manual mentioned earlier... http://www.scribd.com/doc/51789612/80-V9038-15-APPLICATION-NOTE-MSM7XXX-QFUSES-AND-SECURITY
Code:
The PBL performs the following functions during a cold boot:
■Performs the minimal hardware setup required for PBL execution
■Reads off-chip boot configuration data from the flash memory
■Processes configuration data setting up clocks and memory access based on this data
■Loads the QCSBL image from the flash memory into the RAM
■Authenticates the QCSBL image if authentication is enabled
■Branches execution to the QCSBL image
Reads off-chip boot configuration data from the flash memory!
I spent a lot of time tonight looking at the individual files on the MODEM partition. I got nowhere except to possibly add the test file I mentioned above. It was a lot of data to go through; that MODEM is 60 megs!
So, I started looking at the SBL1 file. Now, it appears that this file runs linearly and tells a story as it goes through...
Code:
[email protected]:~/Desktop/VZWGS3$ strings ./0p2|head -n 200
: 2q
: 4q
`" 2q
: 4q
: 4q
(R '
(R '
(R '
~}|{zyxwvvutsrqqponnmllkjjihhgffeddccbaa``__^^]]\\[[ZZYYXXWWVVUUUTTSSRRRQQPPPOOONNMMMLLLKKKJJJIIIHHHGGGGFFFEEEDDDDCCCCBBBBAAA
/!(
/!(0
/!(0
/!(
SDCC4 HAL v2.0.1
boot_error_handler.c
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
boot_pbl_authenticator.c
boot_clobber_prot.c
boot_clobber_prot_local.c
boot_clobber_prot.c
boot_clobber_prot_local.c
boot_config.c
boot_config.c
*Image Loaded by %s, Start on 0x%x
Data Abort
boot_mc.c
boot_error_handler.c
*BOOT
SCL_SBL1_STACK_BASE-SCL_SBL1_STACK_SIZE
boot_error_handler.c
boot_flash_dev_if.c
boot_flash_dev_if.c
boot_flash_dev_if.c
boot_flash_dev_sdcc_if.c
boot_flash_dev_sdcc_if.c
boot_flash_dev_sdcc.c
boot_flash_init, Start
boot_flash_init, Delta
boot_flash_target.c
boot_flash_trans_sdcc.c
*[email protected]
boot_flash_trans_sdcc.c
boot_fota_restore_partition, Start
boot_fota_restore_partition, Delta
boot_fota_restore_partition, Start
restore_fota_partition fail
boot_fota_restore_partition, Delta
boot_error_handler.c
boot_error_handler.c
boot_loader.c
*[email protected]
*[email protected]
boot_pbl_authenticator.c
boot_pbl_v1.c
boot_pbl_v1.c
boot_pbl_v1.c
Prefetch Abort
boot_error_handler.c
boot_rollback_version.c
boot_flash_dev_sdcc.c
boot_error_handler.c
Undefined
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_sdcc_hotplug.c
EFI PART
%sp%lu
%sh%d
%s%c%lu
*[email protected]
boot_sdcc_hotplug.c
boot_sdcc_hotplug.c
read fail
*hdev open fail: fota
hdev open fail: dest
size fail: src
size fail: too big
read fail: src
read fail: dest
write fail: signature clear
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*|@-
boot_sdcc_hotplug.c
%sp%lu
*[email protected]
*[email protected]
SBL1, End
SBL1, Delta
*[email protected]
sbl1_check_device_temp, Start
sbl1_check_device_temp, Delta
sbl1_hw.c
sbl1_hw_init, Start
sbl1_hw_init, Delta
*SBL1, Start
scatterload_region && ram_init, Start
*scatterload_region && ram_init, Delta
sbl1_mc.c
sbl1_mc.c
*[email protected]
*[email protected]
*[email protected]
*{%u}
n;^
Qkkbal
i]Wb
9a&g
MGiI
wn>Jj
#.zf
+o*7
[email protected]
[email protected]
SBL2 Image Loaded, Delta
SBL1
DSP1
RAMFS1
SBL2
DSP2
RAMFS2
SBL3
ADSP_Q5
NONE
NANDPRG
NORPRG
HASH
QCSBL
FSBL
OSBL
APPSBL
OEM_SBL
EHOSTDL
APPS_KERNEL
BACKUP_RAMFS
APPS
AMSS
SSD_KEYS
fs_hotplug_api.c
Assertion phy_hdev != NULL failed
boot_flash_trans_sdcc
boot_flash_trans_sdcc_factory
boot_flash_dev_sdcc
HAL_SBI_SSBI_V2_PMIC_ARBITER
fs_hotplug_iter.c
Assertion 0 failed
fs_hotplug_legacy_hdev.c
Assertion phy_hdev->legacy_hdev != NULL failed
fs_hotplug_partition.c
Assertion parti->is_locked == 0 failed
Assertion parti->is_formatting == 0 failed
Assertion parti->is_locked == 1 failed
Assertion parti->is_formatting == 1 failed
Assertion parti->ref_cnt >= 1 failed
Assertion hdev_name != NULL failed
Assertion parti != NULL failed
fs_hotplug_dev_state.c
Assertion phy_hdev->dev_state == HPDEV_UNDISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_DISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED || phy_hdev->dev_state == HPDEV_LOCKED || phy_hdev->dev_state == HPDEV_FORMATTING || phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_MOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED failed
fs_hotplug_poll.c
Assertion phy_hdev->bdev_handle == NULL failed
Assertion phy_hdev->parti_list == NULL failed
Assertion phy_hdev->hdev_list == NULL failed
fs_blockdev_devnull_driver.c
Assertion devnull_ops != NULL failed
/hdev/dev.null
BDEV_DEVNULL_DRIVER
BDEV_SD_DRIVER
/hdev/sdc1
/hdev/sdc2
/hdev/sdc3
/hdev/sdc4
fs_blockdev_sd_driver.c
Assertion sdcc_ops != NULL failed
fs_hotplug_parser.c
Assertion blk_cnt != 0 failed
fs_blockdev_sd.c
Assertion sd_data != NULL failed
Assertion handle != NULL failed
Assertion sdcc_handle != NULL failed
Assertion bytes_per_block != NULL failed
Assertion blocks != NULL failed
Assertion bdev != NULL failed
Assertion dev->driveno < max_sd_slots failed
@@@@@@@@@[email protected]@@@@@@@@@@@@@@@@@
Format: Log Type - Time(microsec) - Message
Log type: B - since boot(excluding boot rom). D - delta
OVERFLOW
........
Particularly "boot_fota_restore_partition, Start". It looks like one of the first things the GS3 does is check for information to be updated on the FOTA partition. Whatever it chooses to do, it performs security checks on the size and a few other things.
I believe it then loads SBL2, as the rest of the partitions do not have this message: "SBL2 Image Loaded, Delta".
SBL2:
Code:
[email protected]:~/Desktop/VZWGS3$ strings ./0p3
SVC: R1-R14
FIQ:R13-R14
IRQ:R13-R14
UND:R13-R14
ABT:R13-R14
SYS:R13-R14
[email protected]
K{DiF
K{DiF
D(b(F
hu)AF
019Ud
3F*[email protected]
G [email protected]
&_F F
h/F F
fJF)F F&`NF
F 9"
pJpO
: 4q
: 6q
: 8q
! 6q
`" 2q
: 4q
pG hJ
G [email protected]
bNE
G [email protected]
G [email protected]
j8D b F
02:Ud
3F*[email protected]
CreT
#L|D
!L|D
F)F F
5EC/
x0(
02bUm
#\b\cTI
FAF F
F!h
b h
G jv
G [email protected]
G [email protected]
,pp
2F!F
G [email protected]
1JzD
2FhF
2FiF
: 4q
: 6q
: 8q
bF9FN
RAIAK
bF9FN
RAIAK
bF9FN
~}|{zyxwvvutsrqqponnmllkjjihhgffeddccbaa``__^^]]\\[[ZZYYXXWWVVUUUTTSSRRRQQPPPOOONNMMMLLLKKKJJJIIIHHHGGGGFFFEEEDDDDCCCCBBBBAAA
! 3[B
[email protected]
[email protected]
SDCC4 HAL v2.0.1
pGxG
.boot_error_handler.c
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
.boot_auth_if.c
.boot_auth_if.c
.boot_sbl_authenticator.c
.boot_clobber_prot.c
.boot_clobber_prot_local.c
boot_clobber_prot.c
boot_clobber_prot_local.c
boot_config_data_table_init, Start
.boot_config_data_table_init, Delta
.boot_config.c
.boot_config.c
.Image Loaded by %s, Start on 0x%x
Data Abort
Ufw}3{
O*2PC~
[email protected]
.boot_mc.c
.0:ALL
.boot_error_handler.c
.BOOT
SCL_SBL2_STACK_BASE-SCL_SBL2_STACK_SIZE
.boot_error_handler.c
.boot_flash_dev_if.c
.boot_flash_dev_if.c
.boot_flash_dev_if.c
.boot_flash_dev_sdcc_if.c
.boot_flash_dev_sdcc_if.c
.boot_flash_dev_sdcc.c
boot_flash_init, Start
boot_flash_init, Delta
.boot_flash_target.c
.boot_flash_trans_sdcc.c
[email protected]
.boot_flash_trans_sdcc.c
.boot_hash.c
.boot_hash_if.c
.boot_hash_if.c
.boot_sys_loader.c
.boot_error_handler.c
.boot_error_handler.c
.boot_loader.c
.boot_loader.c
.boot_logger_ram.c
[email protected]
[email protected]
BRPMSignal SBL1 to Jump to RPM FW
.boot_sys_loader.c
.boot_pbl_v1.c
.boot_pbl_v1.c
.boot_pbl_v1.c
.boot_pbl_v1.c
Prefetch Abort
.boot_error_handler.c
.boot_rollback_version.c
.boot_sbl_authenticator.c
.boot_flash_dev_sdcc.c
[email protected]
.boot_ddr_info.c
.boot_sbl_authenticator.c
.boot_error_handler.c
Undefined
[email protected]
[email protected]
[email protected]
[email protected]
RDDL
Testing DDR Read/Write.
.Testing DDR Read/Write: Memory map.
Testing DDR Read/Write: Data lines.
Testing DDR Read/Write: Address lines.
Testing DDR Read/Write: Own-address algorithm.
Testing DDR Read/Write: Walking-ones algorithm.
Testing DDR Deep Power Down.
Testing DDR Deep Power Down: Entering deep power down.
Testing DDR Deep Power Down: In deep power down.
Testing DDR Deep Power Down: Exiting deep power down.
Testing DDR Deep Power Down: Read/write pass.
Testing DDR Self Refresh.
.Testing DDR Self Refresh: Write pass.
Testing DDR Self Refresh: Read pass.
Testing DDR Self Refresh: Entering self refresh.
Testing DDR Self Refresh: In self refresh.
Testing DDR Self Refresh: Exiting self refresh.
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
[email protected]
.CDT
.Error: Platform ID EEPROM is not programmed
boot_config_data.c
.boot_sdcc_hotplug.c
[email protected]
EFI PART
%sp%lu
%sh%d
%s%c%lu
[email protected]
.boot_sdcc_hotplug.c
.boot_sdcc_hotplug.c
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
.|@-
.boot_sdcc_hotplug.c
%sp%lu
[email protected]
[email protected]
[email protected]
0!0
[email protected]
RPM loading is successful.
cancel RPM loading!
SBL2, End
SBL2, Delta
.sbl2_hw.c
sbl2_hw_init, Start
sbl2_hw_init, Delta
sbl2_hw_init_secondary, Start
h/w version : %d
sbl2_hw_init_secondary, Delta
.SBL2, Start
scatterload_region & ram_init, Start
.scatterload_region & ram_init, Delta
.sbl2_mc.c
sbl2_retrieve_shared_info_from_sbl1, Start
.sbl2_retrieve_shared_info_from_sbl1, Delta
.sbl2_mc.c
[email protected]
.sbl2_config.c
[email protected]
.boot_hash.c
[email protected]
[email protected]
[email protected]
[email protected]
.SHA256
[email protected]
LOGM
.{%u}
Tz Execution, Start
Tz Execution, Delta
pG B
0pGO
!pGO
sbl2_ddr_init
DalEnv
TargetCfg
SHA1
DEBUG
SW_ID
HW_ID
OEM_ID
SHA256
n;^
Qkkbal
i]Wb
9a&g
MGiI
wn>Jj
#.zf
+o*7
DEV_SDC1
DEV_SDC2
DEV_SDC3
DEV_SDC4
CHAN_SDC1
CHAN_SDC2
CHAN_SDC3
CHAN_SDC4
[email protected]
[email protected]
SBL3 Image Loaded, Delta
RPM Image Loaded, Delta
TZ Image Loaded, Delta
boot_auth
boot_hash
SBL1
DSP1
RAMFS1
SBL2
DSP2
RAMFS2
SBL3
ADSP_Q5
NONE
NANDPRG
NORPRG
HASH
QCSBL
FSBL
OSBL
APPSBL
OEM_SBL
EHOSTDL
APPS_KERNEL
BACKUP_RAMFS
APPS
AMSS
SSD_KEYS
fs_hotplug_api.c
Assertion phy_hdev != NULL failed
boot_flash_trans_sdcc
boot_flash_trans_sdcc_factory
boot_flash_dev_sdcc
fs_hotplug_iter.c
Assertion 0 failed
fs_hotplug_legacy_hdev.c
Assertion phy_hdev->legacy_hdev != NULL failed
fs_hotplug_partition.c
Assertion parti->is_locked == 0 failed
Assertion parti->is_formatting == 0 failed
Assertion parti->is_locked == 1 failed
Assertion parti->is_formatting == 1 failed
Assertion parti->ref_cnt >= 1 failed
Assertion hdev_name != NULL failed
Assertion parti != NULL failed
fs_hotplug_dev_state.c
Assertion phy_hdev->dev_state == HPDEV_UNDISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_DISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED || phy_hdev->dev_state == HPDEV_LOCKED || phy_hdev->dev_state == HPDEV_FORMATTING || phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_MOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED failed
fs_hotplug_poll.c
Assertion phy_hdev->bdev_handle == NULL failed
Assertion phy_hdev->parti_list == NULL failed
Assertion phy_hdev->hdev_list == NULL failed
fs_blockdev_devnull_driver.c
Assertion devnull_ops != NULL failed
/hdev/dev.null
BDEV_DEVNULL_DRIVER
BDEV_SD_DRIVER
/hdev/sdc1
/hdev/sdc2
/hdev/sdc3
/hdev/sdc4
fs_blockdev_sd_driver.c
Assertion sdcc_ops != NULL failed
fs_hotplug_parser.c
Assertion blk_cnt != 0 failed
fs_blockdev_sd.c
Assertion sd_data != NULL failed
Assertion handle != NULL failed
Assertion sdcc_handle != NULL failed
Assertion bytes_per_block != NULL failed
Assertion blocks != NULL failed
Assertion bdev != NULL failed
Assertion dev->driveno < max_sd_slots failed
@@@@@@@@@[email protected]@@@@@@@@@@@@@@@@@
Format: Log Type - Time(microsec) - Message
Log type: B - since boot(excluding boot rom). D - delta
OVERFLOW
AT24C128BN
:Hg~
D{L0
*gRn
0D,l}
b=Fe-+
gW6y
South Korea1
Suwon City1
Samsung Corporation1
DMC1#0!
Samsung AttestationCA cert1%0#
[email protected]
120614224636Z
320609224636Z0
KR1!0
Samsung Attestation CERT1
Suwon City1
Samsung Corporation1
South Korea1
04 0000 OEM_ID1%0#
[email protected]
05 0001E0C8 SW_SIZE1
06 0000 MODEL_ID1
07 0001 SHA2561"0
01 0000000000000005 SW_ID1"0
02 006B10E100000000 HW_ID1"0
03 0000000000000000 DEBUG0
y$_$
[OLW'}
Q^<T
&#xk#
z0x0:
3010/
)http://crl.qdst.com/crls/qctdevattest.crl0
6p5o
%e>I`
<dQ=#
South Korea1
Suwon City1
Samsung Corporation1
DMC1
Samsung Root CA cert1%0#
[email protected]
120412114438Z
320407114438Z0
South Korea1
Suwon City1
Samsung Corporation1
DMC1#0!
Samsung AttestationCA cert1%0#
[email protected]
&bMb
%pWj\
`0^0
#7ie
?f{M
South Korea1
Suwon City1
Samsung Corporation1
DMC1
Samsung Root CA cert1%0#
[email protected]
120412114438Z
320407114438Z0
South Korea1
Suwon City1
Samsung Corporation1
DMC1
Samsung Root CA cert1%0#
[email protected]
U)_|e}f
^AZp
<0:0
v)BT
zd0u
=j[P
As for SBL2: it looks like it starts up, performs security checks, then it can jump to the "RPM" partition ("RPM loading is successful.", "cancel RPM loading!", ".BRPM", "Signal SBL1 to Jump to RPM FW"). This may be Odin, or some other undiscovered mode, I'm not sure yet, and it looks like "ABOOT" is actually Odin's partition... What is RPM?
It then executes "TZ" or "TrustZone", which I need to do some reading on...
More to come later. It's late and I need to get some rest.
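The two `strings` dumps above are being read by hand for three things: the boot-logger markers (`<stage>, Start` / `<stage>, Delta` / `<stage>, End`), the "X Image Loaded, Delta" lines that reveal which stage loads which image, and the Samsung Attestation/Root CA certificates embedded near the end of SBL2. Here is an added example, not part of the original post, that pulls those out of a raw partition image automatically. It runs against a constructed miniature image built from strings in the dumps plus a fake DER blob; the certificate scan is a heuristic (outer DER SEQUENCE with a two-byte length whose first element is itself a SEQUENCE, the shape of an X.509 certificate), not a parser.

```python
import re

# Leading '.' or '*' bytes on the marker strings are log-level prefixes, not part of the name.
BOOT_LOG_RE = re.compile(r"^[^\w]*(?P<name>.+?), (?P<kind>Start|Delta|End)$")
IMAGE_LOADED_RE = re.compile(r"^[^\w]*(?P<image>\w+) Image Loaded, Delta$")


def extract_strings(data, minlen=4):
    """Equivalent of `strings -n minlen`: (offset, text) for every printable ASCII run."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % minlen)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def boot_timeline(strs):
    """Ordered (name, kind) tuples for every boot-logger marker, in file order."""
    out = []
    for _, s in strs:
        m = BOOT_LOG_RE.match(s)
        if m:
            out.append((m.group("name"), m.group("kind")))
    return out


def loaded_images(strs):
    """Which next-stage images this loader reports loading (SBL2, SBL3, RPM, TZ ...)."""
    out = []
    for _, s in strs:
        m = IMAGE_LOADED_RE.match(s)
        if m:
            out.append(m.group("image"))
    return out


def find_der_certificates(data):
    """Heuristic scan for embedded X.509 certificates: 30 82 LL LL (SEQUENCE,
    long-form two-byte length) whose declared length fits in the image and whose
    first inner element is another SEQUENCE (the tbsCertificate).
    Returns (offset, total_length) pairs; nested inner SEQUENCEs are skipped."""
    found = []
    i = data.find(b"\x30\x82")
    while i != -1:
        if i + 4 <= len(data):
            length = int.from_bytes(data[i + 2:i + 4], "big")
            total = 4 + length
            if i + total <= len(data) and data[i + 4:i + 5] == b"\x30":
                found.append((i, total))
        i = data.find(b"\x30\x82", i + 1)
    return found


# Fake certificate-shaped DER: outer SEQUENCE (264 bytes) wrapping an inner SEQUENCE (260 bytes).
_INNER = b"\x30\x82\x01\x00" + b"\x02\x01\x05" + b"\x00" * 253
FAKE_CERT = b"\x30\x82\x01\x04" + _INNER

# Constructed miniature of an SBL image: non-printable filler around strings taken
# from the dumps above, with the fake certificate blob at the end.
SAMPLE_SBL = (
    b"\x00\x10\x9f\xe5" * 4
    + b"boot_flash_init, Start\x00"
    + b"\x7f\x01"
    + b"boot_flash_init, Delta\x00"
    + b"*Image Loaded by %s, Start on 0x%x\x00"
    + b"EFI PART\x00"
    + b"SBL2 Image Loaded, Delta\x00"
    + b".scatterload_region && ram_init, Start\x00"
    + b"SBL1, End\x00"
    + b"\xff" * 8
    + FAKE_CERT
)


if __name__ == "__main__":
    strs = extract_strings(SAMPLE_SBL)
    print("timeline:", boot_timeline(strs))
    print("loads:", loaded_images(strs))
    print("cert candidates (offset, length):", find_der_certificates(SAMPLE_SBL))
```

To use it on the real dumps, replace SAMPLE_SBL with `open("0p2", "rb").read()` (SBL1) or `0p3` (SBL2); the candidate offsets from find_der_certificates can then be fed to `openssl x509 -inform DER` after carving those byte ranges out, which turns the "Samsung AttestationCA cert" fragments in the strings output into a readable certificate chain.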
PARAMS
AdamOutler said:
Possible exploitations
Possible entry point PARAMS - Samsung stores their boot parameters in the PARAMS partition. It may be possible to modify PARAMS for insecure boot.
The PARAMS partition (from an adb dump) contains almost all 0's. Here are the first 32 bytes
(laid out at hex offsets 0x00000000 and 0x00000010):
Code:
00000000 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
00000010 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
From what I understand, each occurrence of 01 indicates a boot_mode variable that the SBL reads*. The rest of the file, about 10,485,739 bytes of data, can contain information for other variables such as debug_level and switch_sel and maybe more, but I have to look more into disassembling the SBL partition image (sbl2.img) to see what other variables there are. I'll report back as soon as I have any more info on that.
*See this link for more info on the param.blk:
http://epiccm.blogspot.com/p/stock-firmware.html
I think it's interesting that from an adb dump, BOOT, EFS, FOTA and PARAMS are all the same size. Only BOOT and PARAMS contain any data, though. EFS and FOTA must be loaded from the BOOT partition depending on the boot variables loaded in the PARAMS partition, but I may be wrong on that.
As for booting from SD card, here's a link on how it was done with the Epic 4G:
http://epiccm.blogspot.com/2012/01/multiboot-android-for-debuggingtesting.html
The instructions seem like they should work, especially since they had to use kexec to load from the SD card and the SGS3 will have to do the same for now. I haven't built this yet, but I will give it a go as soon as I have a spare moment.
EDIT: this might be what you're looking for as far as booting from SD --> http://forum.xda-developers.com/showthread.php?t=1774795 END EDIT
I am currently manually going through each hex offset in IDA and searching for commands to disassemble aboot.img; I haven't gotten very far as this is extremely time intensive.
I can post any disassembly DBs that anyone wants. They can get rather large, though.
On a side note, I'm using IDA Pro 6.1 for disassembly of the adb-dumped partitions. If you have any pointers on using IDA for debugging/disassembling Android partitions, that would be fantastic. I have an ARM toolchain, but beyond that and IDA I've only had experience poking at Window$ crap.
Ta,
ALQI
recovery kernel log
The recovery kernel log is in this path:
/data/log/recovery_kernel_log.txt
I'd post it in a code section here but it's just too long.
There's a few other interesting logs in that path as well.
As I understand it, this seems to be the log from the kernel loaded during the bootloader/Odin mode boot. It could reveal some of the variables set in the PARAMS partition. Plus, it has juicy hex offsets for all kinds of things.
It's quite verbose.
OK, sleepy time now.
Ta,
ALQI

KGDB hammerhead some errors

Hi all. I'm trying to connect to the device remotely and get kernel debugging working. I've been trying for two weeks and did everything Google suggested, but I still can't understand why it won't work.
What I did:
1. Prepared a USB-to-UART adapter at 1.8 V and plugged it into the headphone jack. Tested it with terminals on the host and the phone; all is OK.
2. Downloaded the hammerhead 6.0.1.mr2 sources from the Android developer page.
3. Downloaded the kernel serial KGDB patch from GitHub user 'jduck' (gist.github_com/jduck/caf1eddcd4c9ac27d818).
4. Compiled the kernel and replaced it with mkbootimg.
The last cmdline is:
./mkbootimg --base 0 --pagesize 2048 --board 'LGE rev_11' --kernel_offset 0x00008000 --ramdisk_offset 0x02900000 --second_offset 0x00f00000 --tags_offset 0x02700000 --cmdline ' kgdboc=ttyHSL0,115200 kgdbretry=10 kgdbwait' --kernel /home/udroid/workdir/src/kernels/hammerhead/6.0.1.mr2/arch/arm/boot/zImage-dtb --ramdisk ramdisk.cpio.gz -o /home/udroid/workdir/imgs/hammerhead/boot.img
*Without kgdbwait the phone boots fine and waits for a debugger connection via "echo g > sysrq-trigger".
5. Downloaded and installed Ubuntu 16.04 LTS (x64).
6. Installed arm-none-eabi-gdb (7.10) from the Ubuntu repo.
7. Powered on the phone, ran gdb with kernel symbols.
What I have in the log:
(gdb) set debug remote 1
(gdb) set serial baud 115200
(gdb) target remote /dev/ttyUSB0
Remote debugging using /dev/ttyUSB0
Sending packet: $qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+#c9...putpkt: Junk: ode.
_signed_kernel=0, is_unlocked=1, is_tampered=1.
[730] Loading boot image (9441280): start
[1070] Loading boot image (9441280): done
[1070] Found Appeneded Flattened Device tree
[1070] DTB: platform id 126, board id 150, soc rev 20002, board rev 11
[1080] get_display_kcal = 0, 0, 0, x
[1080]
Booting Linux
[1090] cmdline: kgdboc=ttyHSL0,115200 kgdbretry=10 kgdbwait uart_console=enable gpt=enable lge.kcal=0|0|0|x lge.rev=rev_11 androidboot.laf androidue androidb096f76 androidboot.bootloader=HHZ20f androidboomsm bootrea[1110] Updating device t[1130] Updating30] booting ^CQuit
(gdb) target remote /dev/ttyUSB0
Remote debugging using /dev/ttyUSB0
Sending packet: $qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+#c9...putpkt: Junk: hammerhead bootloader
[10] Power on reason 20010
[10] DDR: hynix
[120] Lored memory: 8
[500] reboot_mode restart reason = hw_reset
[510] do not enter dload mode.
[550] vibe
[650] splash: boot
[690] splash: unlocked
[730] use_signed_kernel=0, is_unlocked=1, is_tampered=1.
[730] Loading boot image (9441280): start
[1070] Loading boot image (9441280): done
[1070] Found Appeneded Flattened Device tree
[1070] DTB: platform id 126, board id 150, soc rev 20002, board rev 11
[1080] get_display_kcal = 0, 0, 0, x
[1080]
Booting Linux
[1090] cmdline: kgdboc=ttyHSL0,115200 kgdbretry=10 kgdbwait uart_console=enable gpt=enable lge.kcal=0|0|0|x lge.rev=rev_11 androidboot.laf androidboot.emmc=true androidboot.serialno=030de1dbdb096f76 androidboot.bootloader=HHZ20f androidboot.baseband=msm bootrea[1110] Updating device tree: start
[1130] Updating device tree: done
[1130] booting linux @ 0x8000, ramdisk @ 0x2900000 (983099), tags/device tree @ 0x2700000
[1130] Turn off MIPI_CMD_PANEL.
[1130] Continuous splash enabled, keeping panel alive.
Sending packet: $qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+#c9...Ack
Packet received:
Packet qSupported (supported-packets) is NOT supported
Sending packet: $Hg0#df...Ack
Packet received: OK
Sending packet: $qTStatus#49...Ack
Packet received:
Packet qTStatus (trace-status) is NOT supported
Sending packet: $?#3f...Ack
Packet received: S05
Sending packet: $qfThreadInfo#bb...Ack
Packet received: mfffffffe,fffffffd,fffffffc,fffffffb,01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11
Sending packet: $qsThreadInfo#c8...Ack
Packet received: m12,13,14,15,16,17,18,19,1a,1b,1c,1d,1e,1f,20,21,22
Sending packet: $qsThreadInfo#c8...Ack
Packet received: m23,24,25,26,27,28,29,2a,2b,2c,2d,2e,2f,30,31,32,33
Sending packet: $qsThreadInfo#c8...putpkt: Junk:
welcome to hammerhead bootloader
[10] Power on reason 20010
[10] DDR: hynix
[120] Loaded IMGDATA at 0x11000000
[120] Display Init: Start
[200] MDP GDSC already enabled
[200] bpp 24
[240] Config MIPI_CMD_PANEL.
[240] display panel: ORISE
[290] Found Appeneded Flattened Device tree
[290] DTB: platform id 126, board id 150, soc rev 20002, board rev 11
[330] Set panel ON cmds [35]
[450] Turn on MIPI_CMD_PANEL.
[500] Display Init: Done
[500] cable type from shared memory: 8
[500] reboot_mode restart reason = hw_reset
[510] do not enter dload mode.
[550] vibe
[650] splash: boot
[690] splash: unlocked
[730] use_signed_kernel=0, is_unlocked=1, is_tampered=1.
[730] Loading boot image (9441280): start
[1070] Loading boot image (9441280): done
[1070] Found Appeneded Flattened Device tree
[1070] DTB: platform id 126, board id 150, soc rev 20002, board rev 11
[1080] get_display_kcal = 0, 0, 0, x
[1080]
Booting Linux
[1090] cmdline: kgdboc=ttyHSL0,115200 kgdbretry=10 kgdbwait uart_console=enable gpt=enable lge.kcal=0|0|0|x lge.rev=rev_11 androidboot.laf androidboot.emmc=true androidboot.serialno=030de1dbdb096f76 androidboot.bootloader=HHZ20f androidboot.baseband=msm bootrea[1110] Updating device tree: start
[1130] Updating device tree: done
[1130] booting linux @ 0x8000, ramdisk @ 0x2900000 (983099), tags/device tree @ 0x2700000
[1130] Turn off MIPI_CMD_PANEL.
[1130] Continuous splash enabled, keeping panel alive.
Sending packet: $qsThreadInfo#c8...Ack
Packet received:
Sending packet: $qAttached#8f...Ack
Packet received:
Packet qAttached (query-attached) is NOT supported
Sending packet: $Hc-1#09...Ack
Packet received: OK
Sending packet: $qC#b4...Ack
Packet received: QC01
Sending packet: $qOffsets#4b...Ack
Packet received:
Sending packet: $g#67...Ack
Packet received: 0000000001000000e86020c1d46120c100000000c82408c1d46120c1c82408c18c39f2c0a701000000000000f4fe04eef8fe04eee8fe04ee30da1fc028d81fc000000000000000000000000000000000000000000000000000000000000000000000000000000000
Sending packet: $qfThreadInfo#bb...Ack
Packet received: mfffffffe,fffffffd,fffffffc,fffffffb,01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11
Sending packet: $qsThreadInfo#c8...Ack
Packet received: m12,13,14,15,16,17,18,19,1a,1b,1c,1d,1e,1f,20,21,22
Sending packet: $qsThreadInfo#c8...Ack
Packet received: m23,24,25,26,27,28,29,2a,2b,2c,2d,2e,2f,30,31,32,33
Sending packet: $qsThreadInfo#c8...Ack
Packet received: m34,35,36,37,38,39,3a,3c,3d,3e,3f,40,41,42,43,44,45
Sending packet: $qsThreadInfo#c8...Ack
Packet received: m46,58,59,5a,5b
Sending packet: $qsThreadInfo#c8...Ack
Packet received:
Sending packet: $mc01fd828,4#fd...Ack
Packet received: ffdeffe7
0xc01fd828 in arch_kgdb_breakpoint () at kernel/debug/debug_core.c:997
997 wmb(); /* Sync point before breakpoint */
Sending packet: $qSymbol::#5b...Ack
Packet received:
Packet qSymbol (symbol-lookup) is NOT supported
The phone reboots and tries to connect to the debugger again, but after connection it gets NOT supported packets and reboots again. For testing I just commented out "goto kgdb_exit;" in gdb_serial_stub(), but nothing changed. I tried to find "qSymbol" in the sources, but again nothing was found; gdb_cmd_query() does not have code for processing this type of request.
Maybe someone can explain to me how I can debug the kernel on Android systems? Maybe I need another patch for the kernel sources? Please help me understand this.
Thank You.
**Sorry for my English.
Maybe someone can tell me about some forum/community where I can find people who understand something about kernel debugging on Android?
Did you resolve this issue?
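Two things in the log above are worth separating before looking for a kernel bug. First, gdb's "putpkt: Junk:" lines are aboot's own boot log arriving on the same UART: the cmdline has `kgdboc=ttyHSL0,115200` together with `uart_console=enable`, so the GDB remote serial protocol (RSP) traffic and console text share one wire, and gdb discards whatever is not a `$...#xx` packet with a valid checksum. Second, an empty reply to an optional query (qSupported, qTStatus, qAttached, qSymbol) is the stub's way of saying "not implemented"; gdb logs it as "NOT supported" and carries on, as it visibly does here all the way to reading the PC out of arch_kgdb_breakpoint(). The following is an added example, not the poster's code and not gdb or kgdb source: a small RSP decoder that splits a raw serial capture into packets, acks and console junk, verifies checksums, and decodes the two replies from the log that carry real information (the thread list and the `g` register dump). The capture it runs on is constructed from lines in the log.

```python
def rsp_checksum(payload):
    """RSP checksum: sum of the payload bytes modulo 256, sent as two hex digits."""
    return sum(payload) & 0xFF


def rsp_encode(payload):
    """Wrap a payload as $<payload>#<checksum>, exactly what gdb puts on the wire."""
    return b"$" + payload + b"#%02x" % rsp_checksum(payload)


def rsp_split(stream):
    """Separate a raw serial capture into RSP traffic and console noise.

    Returns ('pkt', payload), ('ack', b'+'|b'-') and ('junk', bytes) items in
    wire order. Only packets whose checksum verifies are accepted; anything
    else between packets (here: aboot's boot log sharing ttyHSL0 with kgdboc)
    is reported as junk, which is what gdb prints as 'putpkt: Junk:'.
    Binary-escaped payloads (0x7d escapes, '#' inside data) are not handled."""
    items, junk, i, n = [], bytearray(), 0, len(stream)

    def flush_junk():
        if junk:
            items.append(("junk", bytes(junk)))
            junk.clear()

    while i < n:
        c = stream[i:i + 1]
        if c == b"$":
            end = stream.find(b"#", i + 1)
            if end != -1 and end + 3 <= n:
                payload = stream[i + 1:end]
                try:
                    want = int(stream[end + 1:end + 3], 16)
                except ValueError:
                    want = -1
                if want == rsp_checksum(payload):
                    flush_junk()
                    items.append(("pkt", payload))
                    i = end + 3
                    continue
        elif c in (b"+", b"-"):
            flush_junk()
            items.append(("ack", c))
            i += 1
            continue
        junk.extend(c)  # a '$' that did not start a valid packet is junk too
        i += 1
    flush_junk()
    return items


def rsp_threads(payload):
    """Decode a qfThreadInfo/qsThreadInfo reply 'm<id>,<id>,...'. kgdb reports one
    shadow thread per online CPU with the negative id -(cpu + 2) (kernel/debug/gdbstub.c),
    so fffffffe is CPU 0 and fffffffb is CPU 3; positive ids are PIDs."""
    if not payload.startswith(b"m"):
        raise ValueError("not a thread-list reply")
    out = []
    for tok in payload[1:].split(b","):
        v = int(tok, 16)
        if v >= 0x80000000:  # 32-bit two's complement
            v -= 1 << 32
        out.append(("cpu", -v - 2) if v < 0 else ("pid", v))
    return out


def rsp_arm_gprs(payload):
    """First 16 registers of an ARM 'g' reply: r0..r15 as little-endian 32-bit
    words, each sent as 8 hex digits (r13=sp, r14=lr, r15=pc)."""
    return [int.from_bytes(bytes.fromhex(payload[k * 8:k * 8 + 8].decode()), "little")
            for k in range(16)]


# Constructed from the exchange above: gdb's first query, aboot console output
# landing on the same UART, then the stub's replies with gdb's acks.
SAMPLE_CAPTURE = (
    rsp_encode(b"qSupported:multiprocess+;swbreak+;hwbreak+;qRelocInsn+")
    + b"welcome to hammerhead bootloader\r\n[730] use_signed_kernel=0, is_unlocked=1, is_tampered=1.\r\n"
    + b"+$#00"  # empty reply: kgdb does not implement qSupported
    + rsp_encode(b"Hg0") + b"+" + rsp_encode(b"OK")
    + rsp_encode(b"?") + b"+" + rsp_encode(b"S05")  # stopped with SIGTRAP (5)
)
THREADS_REPLY = b"mfffffffe,fffffffd,fffffffc,fffffffb,01,02,03,04"
G_REPLY = (b"0000000001000000e86020c1d46120c100000000c82408c1d46120c1c82408c1"
           b"8c39f2c0a701000000000000f4fe04eef8fe04eee8fe04ee30da1fc028d81fc0")

if __name__ == "__main__":
    for kind, body in rsp_split(SAMPLE_CAPTURE):
        print(kind, body)
    print(rsp_threads(THREADS_REPLY))
    print("pc=0x%08x lr=0x%08x" % (rsp_arm_gprs(G_REPLY)[15], rsp_arm_gprs(G_REPLY)[14]))
```

The decoded PC, 0xc01fd828, is the address gdb itself resolves to arch_kgdb_breakpoint() in the log, so the stub and the symbol file agree; the four negative thread ids are the four CPUs of the hammerhead SoC. A capture taken with `cat /dev/ttyUSB0 > capture.bin` while gdb is not attached can be fed to rsp_split to see how much of the wire is really console output.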

Can't get mobile data working on AOSP for Pixel, please help!

I have compiled AOSP (android-7.1.1_r8) for my Pixel and I am able to boot; however, mobile data is not working. I get the following message in logcat every 5 seconds, which I think may be related:
01-06 14:58:08.749 2503 2503 I libmdmdetect: No supported ESOC's found
01-06 14:58:08.753 2503 2503 I libmdmdetect: slpi subsystem located
01-06 14:58:08.753 2503 2503 I libmdmdetect: Found internal modem: modem
01-06 14:58:08.753 2503 2503 I libmdmdetect: modem subsystem found
01-06 14:58:08.758 2503 2503 I libmdmdetect: No supported ESOC's found
01-06 14:58:08.759 2503 2503 I libmdmdetect: slpi subsystem located
01-06 14:58:08.759 2503 2503 I libmdmdetect: Found internal modem: modem
01-06 14:58:08.759 2503 2503 I libmdmdetect: modem subsystem found
01-06 14:58:08.760 2503 2503 E QC-NETMGR-LIB: QC-NETMGR
I have the latest radio image. Any help would be greatly appreciated.
It seems netmgrd fails to start, from dmesg:
[ 3051.236076] c2 1 init: Starting service 'netmgrd'...
[ 3051.344711] c2 1 init: Service 'netmgrd' (pid 3714) exited with status 255
[ 3051.344840] c2 1 init: Service 'netmgrd' (pid 3714) killing any children in process group
every 5 seconds.
And no rmnet interface? Hmmm.
Please help...
Okay, I used strace and found that persist.rmnet.data.enable was false and the config file /system/etc/data/netmgr_config.xml was missing. I used setprop to set persist.rmnet.data.enable to true. I also grabbed that config file from the stock ROM and had AOSP add it to my system image. This seems to keep netmgrd from crashing. Now I have an rmnet_data0 interface, but I still can't get an IP. Progress? Maybe, but not sure...
Please help.
logcat -b radio yields:
01-10 07:43:14.385 1560 1708 D DC-1 : onConnect: carrier='Rogers LTE' APN='ltemobile.apn' proxy='' port=''
01-10 07:43:14.386 1560 1708 D RILJ : [3911]> SETUP_DATA_CALL 14 0 ltemobile.apn 0 IPV4V6 [SUB0]
01-10 07:43:14.388 607 755 E RILQ : (0/607): RIL[0][main] qcril_data_request_setup_data_call: unable to get dsi hndl
01-10 07:43:14.388 607 755 E RILQ : (0/607): RIL[0][main] qcril_data_request_setup_data_call: qcril_data_request_setup_data_call: EXIT with FAILURE
01-10 07:43:14.388 1560 1659 D RILJ : [3911]< SETUP_DATA_CALL DataCallResponse: {version=11 status=4100 retry=-1 cid=0 active=0 type= ifname= mtu=0 addresses=[] dnses=[] gateways=[] pcscf=[]} [SUB0]
01-10 07:43:14.389 1560 1659 E TelephonyMetrics: Unknown type:
any help would be appreciated.
Okay I figured it out.
There are two files present in the system image of the stock ROM, /system/etc/data/dsi_config.xml and /system/etc/data/netmgr_config.xml; these files must be present in your AOSP system image in order to have LTE.
Thanks for this; it was the only helpful info I found on "No supported ESOC's found". It allowed me to debug my problem and fix it.

Lineage 14.1 Stable - Micromax Canvas 5 E481

Join these groups for ROMs and support...
Telegram:
https://t.me/teammaxmtk
Facebook:
https://m.facebook.com/groups/673560846179945?ref=bookmarks
Congrats to every Canvas 5 user.
Don't forget to join the official WhatsApp group of Canvas 5.
https://chat.whatsapp.com/2YtWDoFzukZKthAUenMv74
Please share screenshots of the ROM.
Big hit, and thanks to Arshjot Singh and Harishwarrior bro... You two are the best devs... Giving new soul to MMX Canvas 5.
sun75 said:
Hi,
after some debugging, I solved the compass problem (at least on the Wiko Fever 4G). If the Canvas has the same sensor, you have to add an /etc/init.d/30compass script as follows:
---CUT HERE
#!/system/bin/sh
# Adding Ecompass Daemon - By Sun75 @ XDA ####
# Put SELinux in permissive mode system-wide: denials are logged but no longer enforced
su 0 setenforce 0
# Start the AKM compass daemon in the background, with its output routed to logcat
/system/bin/logwrapper /system/bin/akmd09911 &
##############################################
---CUT HERE
Make sure you have /xbin/su in your ROM; in yours... there is!
Repack the ROM zip and reflash it with TWRP (you will lack SELinux permissions if you add the script with a root explorer).
At the next boot, your Msensord will fail starting the gsensor child daemon, but you will have the gsensor/compass daemon started as a separate daemon, fixing the problem!
09-16 21:53:28.249 330 330 D MsensorDaemon: Msensor deamon statr!!!!!!!!!!!!
09-16 21:53:28.249 330 330 D MsensorDaemon: msensor demon start process detect demon name = akmd09911
09-16 21:53:28.249 330 330 D MsensorDaemon:
09-16 21:53:28.249 330 330 D MsensorDaemon: msensor demon start process detect demon prop = init.svc.akmd09911
09-16 21:53:28.249 330 330 D MsensorDaemon:
09-16 21:53:28.249 330 330 D MsensorDaemon: start_msensor_demon
09-16 21:53:28.500 330 330 D MsensorDaemon: do not USE_LIBC_SYSTEM_PROPERTIES
09-16 21:53:28.500 330 330 E MsensorDaemon: [99] ''
09-16 21:53:28.600 330 330 D MsensorDaemon: do not USE_LIBC_SYSTEM_PROPERTIES
09-16 21:53:28.601 330 330 E MsensorDaemon: [98] ''
09-16 21:53:28.701 330 330 D MsensorDaemon: do not USE_LIBC_SYSTEM_PROPERTIES
09-16 21:53:28.701 330 330 E MsensorDaemon: [97] ''
.....
09-16 21:53:38.324 330 330 E MsensorDaemon: [01] ''
09-16 21:53:38.424 330 330 D MsensorDaemon: do not USE_LIBC_SYSTEM_PROPERTIES
09-16 21:53:38.424 330 330 E MsensorDaemon: [00] ''
09-16 21:53:38.524 330 330 E MsensorDaemon: start daemon timeout!!
09-16 21:53:38.524 330 330 D MsensorDaemon: msensor demon start akmd09911 fail
09-16 21:53:38.524 330 330 D MsensorDaemon: Msensor deamon2 statr!!!!!!!!!!!!
09-16 21:53:38.525 330 330 D MsensorDaemon: open demon attr err = No such file or directory
-> and after:
09-16 21:53:29.396 448 448 I AKMD2 : AKMD 6D with Pseudo Gyro v20130531(Library for AK9911: v6.1.1.531) started.
09-16 21:53:29.396 448 448 I AKMD2 : Debug: ON
09-16 21:53:29.399 448 448 E AKMD2 : LoadPDC:106 fopen Error (No such file or directory).
Ignore the errors...
If your sensor is not the akm09911, you can find out which one it is yourself:
V:\Android\logs>adb shell cat /sys/bus/platform/drivers/msensor/chipinfo
akm09911 Chip
OK, now open CPU-Z or MTK Engineering (Msensor data) and you will find your compass ready to use (and to calibrate!).
I have ported all your RR ROMs to the Wiko Fever 4G, fixing many problems, but not all:
- RR-N-v5.8.3-20170527-e481-Official -> VERY stable, compass and GPS working, kernel 3.10.65 stock, FM radio and front flash NOT working
- RR-N-v5.8.4-20170903-E481-Release.zip -> unstable, compass, FM radio and GPS working, kernel 3.10.65 stock, front flash NOT working
- Resseruction Remix N 5.8.3 By Asfand.zip -> the MOST stable, compass and FM radio working, kernel 3.18.x (MM_V34 stock), front flash AND GPS NOT working. It's a pity that the kernel cannot link /dev/stpgps and read /dev/ttyC2 (while it can on 3.10.x kernels!)... I reassembled the boot.img and edited the init scripts many, many times, trying everything... but it's a no go, at least with the MM kernel...
OK, I think I have to open a new thread for the Wiko Fever releases, if you agree!
Thank you so much, and please help us to fix the front flash.
Thanks in advance.
Bro, do you know how to make a VoLTE patch?
--------- beginning of crash
09-17 11:46:21.913 302 302 F libc : CANNOT LINK EXECUTABLE "/system/bin/mtk_agpsd": cannot locate symbol "UCNV_TO_U_CALLBACK_STOP_53" referenced by "/system/bin/mtk_agpsd"...
09-17 11:46:21.913 302 302 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 302 (mtk_agpsd)
09-17 11:46:21.975 336 336 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-17 11:46:21.975 336 336 F DEBUG : LineageOS Version: '14.1-20170527-OFFICIAL-E481'
09-17 11:46:21.975 336 336 F DEBUG : Build fingerprint: 'Micromax/lineage_E481/E481:7.1.2/N2G47O/29cf694e04:userdebug/test-keys'
09-17 11:46:21.975 336 336 F DEBUG : Revision: '0'
09-17 11:46:21.975 336 336 F DEBUG : ABI: 'arm'
09-17 11:46:21.975 336 336 F DEBUG : pid: 302, tid: 302, name: mtk_agpsd >>> /system/bin/mtk_agpsd <<<
09-17 11:46:21.975 336 336 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
09-17 11:46:21.975 336 336 F DEBUG : r0 00000000 r1 0000012e r2 00000006 r3 00000008
09-17 11:46:21.975 336 336 F DEBUG : r4 f72e158c r5 00000006 r6 f72e1534 r7 0000010c
09-17 11:46:21.975 336 336 F DEBUG : r8 ff8502c8 r9 00000003 sl ff850300 fp f726f010
09-17 11:46:21.975 336 336 F DEBUG : ip 00000000 sp ff850260 lr f72c16a7 pc f72c209c cpsr 200f0010
09-17 11:46:22.197 336 336 F DEBUG :
09-17 11:46:22.197 336 336 F DEBUG : backtrace:
09-17 11:46:22.198 336 336 F DEBUG : #00 pc 0004609c /system/bin/linker (__dl_tgkill+12)
09-17 11:46:22.198 336 336 F DEBUG : #01 pc 000456a3 /system/bin/linker (__dl_pthread_kill+34)
09-17 11:46:22.198 336 336 F DEBUG : #02 pc 0003ded9 /system/bin/linker (__dl_raise+10)
09-17 11:46:22.198 336 336 F DEBUG : #03 pc 0003cb11 /system/bin/linker (__dl___libc_android_abort+34)
09-17 11:46:22.198 336 336 F DEBUG : #04 pc 0003bb14 /system/bin/linker (__dl_abort+4)
09-17 11:46:22.198 336 336 F DEBUG : #05 pc 0003da47 /system/bin/linker (__dl___libc_fatal+22)
09-17 11:46:22.198 336 336 F DEBUG : #06 pc 00009c43 /system/bin/linker (__dl__ZL29__linker_init_post_relocationR19KernelArgumentBlockj+3146)
09-17 11:46:22.198 336 336 F DEBUG : #07 pc 00008f63 /system/bin/linker (__dl___linker_init+358)
09-17 11:46:22.198 336 336 F DEBUG : #08 pc 000027c0 /system/bin/linker (_start+4)
Bro, I got this.
Please help me.
@sun75
Bravo! Have you opened the new thread for the Wiko Fever yet?
In other news, I have started work on a custom kernel based on the Wiko Fever MM source. I don't have much time to work on it though, so if anyone would like to help you can submit pull requests to the source here.
sun75 said:
I fixed LTE in build.prop, but I don't know how to do a VoLTE patch: I'm not a developer, but a system engineer!
---------- Post added at 11:10 ---------- Previous post was at 10:56 ----------
I have already seen it:
Just unpack the boot.img and edit init.mt6735.rc. Diff format:
--- Line 21:
on init
+ export LD_SHIM_LIBS "/system/lib/libui.so|libshim_ui.so:/system/lib64/libui.so|libshim_ui.so:/system/lib/libgui.so|libshim_gui.so:/system/lib64/libgui.so|libshim_gui.so"
export USBOTG_STORAGE /storage/usbotg
mount tmpfs tmpfs /mnt/media_rw/ mode=0755,uid=1000,gid=1000
mkdir /mnt/media_rw/usbotg 0700 media_rw media_rw
mkdir /storage/usbotg 0700 root root
mount tmpfs tmpfs /storage/usbotg mode=0755,uid=1000,gid=1000
chmod 0666 /dev/kmsg
export USBOTG_STORAGE /storage/usbotg
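Review bot: the `export LD_SHIM_LIBS ...` placed under `on init` injects the shim mapping into the environment of every process init starts, while only the users of libui/libgui need it; the second hunk shows the narrower form, `setenv` inside one service block, and that should be preferred wherever the dependent binaries are known. If the global export is kept, add a comment in the rc file itself naming the binaries that need it and stating that the value must stay on a single line, since init reads one command per line and a wrapped value would become a separate, broken command. Unrelated but visible in the context: `export USBOTG_STORAGE /storage/usbotg` appears twice in this block (once before the mounts and again after `chmod 0666 /dev/kmsg`), so the duplicate could be dropped in the same edit.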
-----
The export LD_ is ONE LINE!!
And:
---- Line 1286:
# GPS
service agpsd /system/bin/mtk_agpsd
class main
socket agpsd stream 660 gps system
socket agpsd2 stream 660 gps inet
socket agpsd3 stream 660 gps inet
user gps
group gps radio inet sdcard_r sdcard_rw misc
+ setenv LD_SHIM_LIBS "/system/bin/mtk_agpsd|libshim_agps.so"
service wifi2agps /system/bin/wifi2agps
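Review bot: the `setenv LD_SHIM_LIBS "/system/bin/mtk_agpsd|libshim_agps.so"` line is correctly scoped to the `agpsd` service, but the reason belongs in a comment next to it: the crash log posted earlier in the thread shows `mtk_agpsd` aborting with cannot locate symbol "UCNV_TO_U_CALLBACK_STOP_53", and naming that symbol lets a maintainer remove the shim once the binary no longer needs it. Also note that, unlike the first hunk, this entry gives the shim without a directory, so it relies on `libshim_agps.so` being in the default library search path (the post says /system/lib or /system/lib64); if the file is missing there the symbol stays unresolved and the service keeps crashing.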
--------
Repack the boot.img and reflash it with SP Flash Tool!
You have to make sure you have /system/[lib|lib64]/libshim_[agps|gui|ui].so.
If you open libshim_agps.so with a hex editor, you will find the symbol it will search for!
---------- Post added at 11:37 ---------- Previous post was at 11:10 ----------
I'll open a Wiko Fever thread today, starting with this release: RR-N-v5.8.3-20170527-e481-Official -> RR-N-v5.8.3-20170527-l5460-Official.
Now I'm working on stock kernels only (they work on stock images, so they have to work on custom images... and, by the way, the 3.10.x custom-based RR is working with the V39 stock kernel...): I don't see the point of working with custom kernels; the hardware is the same, what changes is only the OS layer. Please let me know your point of view, maybe in the Wiko thread, once opened. Thank you!
The main reasons for working on a custom kernel are:
- To have a more up-to-date kernel (so with extra security and bug fixes)
- To remove some unnecessary pre-installed bits, making it smaller and therefore faster
- Adding more tweaking options, such as custom governors, I/O schedulers, TCP congestion algorithms etc.
- Adding extra features, such as DT2W and VoLTE (looking at other Android kernel sources helps with this)
- Other tweaks and fixes if they come up and are needed
Besides, I'm a developer, and not a systems engineer.
Thread updated: added TWRP 3.0.0 ported by Rick02.
crDroid and Hexagon ROM are in development.
Hit the thanks button.
Gratitude
Really thankful to you, man! Hats off.
---------- Post added at 04:50 PM ---------- Previous post was at 04:47 PM ----------
Hope my heat issue gets resolved.
Hello,
the ROM works fine and smoothly on my Wiko Fever 4G. The compass, front flash, FM (UKW) radio and SIM contacts are not working, but I have restored the contacts from Google.
When the display is on, it draws up to 1.7 amps from the battery. I hope that there will be updates with bug fixes and security patches soon.
Otherwise good work.
NobodyDbg said:
Hello,
the ROM works fine and smoothly on my Wiko Fever 4G. The compass, front flash, FM (UKW) radio and SIM contacts are not working, but I have restored the contacts from Google.
When the display is on, it draws up to 1.7 amps from the battery. I hope that there will be updates with bug fixes and security patches soon.
Otherwise good work.
I don't have a Wiko Fever; I only support MMX.
sun75 will help you.
Thanking
I would like to thank the XDA team. I have been waiting for months just for a single update for the MMX Canvas 5. Now this morning I found Nougat for my phone. Thank you very much, XDA team. Keep it on.
Rahul1436 said:
I would like to thank the XDA team. I have been waiting for months just for a single update for the MMX Canvas 5. Now this morning I found Nougat for my phone. Thank you very much, XDA team. Keep it on.
Thanks goes to Arshjot Singh
Hit the thanks button
Bug in Video playback
Harishwarrior said:
Lineage 14.1
Arshjot Singh made another ROM for the Micromax Canvas 5. He put his time, skills, effort and brain on the line to make this awesome ROM.
Without wasting any further time, let's get started.
Requirements:
You must be on the stock Lollipop ROM, whether rooted or non-rooted.
How to install:
1. Download and copy the ROM to your SD card.
2. Back up your ROM using TWRP recovery.
3. Format data and do a factory reset wipe of your phone.
4. Flash the ROM.
5. Change the language.
6. Go to Developer options and set the animation scale to 0.5.
7. Google apps are not included for some reason. Go to the Google apps link and select ARM64 as platform, 7.1 as Android version and pico as variant; download and flash the zip.
8. Don't install Google System WebView, otherwise your apps will crash.
Links:
Lineage 14.1 : https://drive.google.com/uc?id=0B9ToB3iQjd_-eWhuTU1tcnFod00&export=download
TWRP 2.8.7.0: https://forum.xda-developers.com/an...overy-twrp-2-8-7-0-micromax-canvas-5-t3641576
TWRP 3.0.0: https://forum.xda-developers.com/android/development/twrp-3-0-0-micromax-canvas-5-e481-t3677085
Google Apps : http://opengapps.org/
Bugs:
1. Front flash (not necessary): the default camera app has a selfie flash option, try that.
2. Compass (useless): Google Maps works without the compass.
Heat Fix:
ONLY TRY THIS IF YOU ARE FACING A HEATING ISSUE. Download and open Kernel Adiutor (grant root permission), go to CPU, select "Apply on boot", and change the maximum frequency to 1040 MHz. This will reduce the heat.
CREDITS:
Thanks to
Arshjot singh for Lineage
Infinite4evr for TWRP 2.8.7.0
Rick02 for TWRP 3.0.0
Harishwarrior (me), moderator.
If you have any ideas or bug fixes, post them below.
This post will be updated daily or weekly. Stay tuned.
Hit the thanks button......
Hello,
I assume that you have already observed the bug in video playback with this ROM.
The solution provided here is for high-quality videos, but the same does not work for low-quality videos.
Is there any known fix for low-quality video and formats like .3gpp??
QUIZILLA said:
Hello,
I assume that you have already observed the bug in video playback with this ROM.
The solution provided here is for high-quality videos, but the same does not work for low-quality videos.
Is there any known fix for low-quality video and formats like .3gpp??
Try the SW decoder or use the stock video player (Gallery).

Mi Stick stuck on boot logo (bricked?)

Hello everybody.
A couple of years ago I bought a Mi Stick for my mother, to use connected to an old LED TV she had. She used it just 3 or 4 times tops, with a Netflix account my brother shared with her. The device was practically new. My brother stopped paying for Netflix a couple of months ago, so she stopped using the device altogether and I disconnected it. But yesterday she told me my brother started paying for Netflix again and asked me to connect the Mi Stick to her TV again. Surprisingly, the device is now stuck on the boot logo:
I'm really angry because the device had very little use, and especially because I live in a third world ****hole: a new Mi Stick costs almost 4 times more now. It's not like I have a couple of dollars gathering dust in a drawer somewhere and can go buy another one.
Anyway, I know it's possible to flash/unbrick a Mi Box; I did it some time ago. Does anybody know if it's possible to do the same with the Mi Stick??? I googled it but didn't find anything.
Thank you for your time.
Hello, my Mi TV Stick MDZ-24-AA also unfortunately hangs all the time on the logo; checked with various cables and on a decent power supply.
Through the remote control (arrow + OK) it does not want to enter the bootloader.
I have purchased a PL2303HX converter.
According to the instructions from https://forum.xda-developers.com/t/help-pleas...-no-power-led-no-video.4452819/#post-87044521
and partially supported by Ruslan's film,
with a backup downloaded from https://disk-yandex-ru.translate.goog/d/aL5Xo...en&_x_tr_hl=en&_x_tr_pto=wapp&_x_tr_hist=true
using PuTTY and ADB,
I went through the entire installation process.
Unfortunately, my Mi Stick still hangs on the logo :/ What could be the cause? Is my Mi Stick still salvageable?
kedzior.kedzior said:
I have purchased PL2303HX converter
Using Putty and ...
I went through the entire installation process
Unfortunately, my mi stick still hangs on the logo
With the PL2303HX connected to the uart while the device is booting (to a hung state), what is shown in the uart log while the device is trying to boot?
Are you able to get a prompt over the uart as shown in the video?
Functioner said:
With the PL2303HX connected to the uart while the device is booting (to a hung state), what is shown in the uart log while the device is trying to boot?
Are you able to get a prompt over the uart as shown in the video?
GXL:BL1:9ac50e:bb16dc;FEAT:BDFD71BC:0;POC:3;RCY:0;EMMC:0;READ:0;0.0;0.0;CHK:0;
TE: 138335
BL2 Built : 10:18:52, Sep 14 2020. gxl g9f162b4-dirty - [email protected]
set vcck to 1120 mv
set vddee to 1000 mv
id=3
DDR4 board
CPU clk: 1200MHz
DDR scramble enabled
DDR4 chl: Rank0+1 @ 1056MHz - FAIL
DDR4 chl: Rank0 @ 1056MHz
bist_test rank: 0 19 05 2e 28 16 3a 17 02 2d 2b 1d 3a 17 02 2c 2c 1c 3d 18 02 2f 27 16 38 706 - PASS
Rank0: 1024MB(auto)-2T-18
AddrBus test pass!
eMMC boot @ 0
sw8 s
emmc switch 3 ok
BL2: rpmb counter: 0x00000020
emmc switch 0 ok
Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000, part: 0
aml log : R1024 check pass!
New fip structure!
Load bl30 from eMMC, src: 0x00010200, des: 0x01700000, size: 0x0000d600, part: 0
aml log : R1024 check pass!
Load bl31 from eMMC, src: 0x00020200, des: 0x01700000, size: 0x0002b400, part: 0
aml log : R1024 check pass!
Load bl32 from eMMC, src: 0x0004c200, des: 0x01700000, size: 0x0003e200, part: 0
aml log : R1024 check pass!
Load bl33 from eMMC, src: 0x0008c200, des: 0x01700000, size: 0x00080e00, part: 0
aml log : R1024 check pass!
NOTICE: BL3-1: v1.0(release):129a6bc
NOTICE: BL3-1: Built : 17:09:37, Apr 25 2019
[BL31]: GXL CPU setup!
NOTICE: BL3-1: GXL secure boot!
NOTICE: BL3-1: BL33 decompress pass
mpu_config_enable:system pre init ok
dmc sec lock
[Image: gxl_v1.1.3377-2941e55e3 2020-07-08 17:19:09 [email protected]]
OPS=0xb4
21 0d b4 00 6b a3 4a 05 e8 35 9e 81 38 16 4f b7
[0.733983 Inits done]
secure task start!
high task start!
low task start!
INFO: BL3-2: ATOS-V2.4-239-g48b8c37d #1 Wed Feb 5 09:34:09 UTC 2020 arm
INFO: BL3-2: Chip: GXL Rev: D (21 - B0:2)
INFO: BL3-2: crypto engine DMA
INFO: BL3-2: secure time TEE
INFO: BL3-2: CONFIG_DEVICE_SECURE 0xb200000e
U-Boot 2015.01-g2e3e77d-dirty (Nov 07 2020 - 00:20:15), Build: jenkins-aquaman-664
DRAM: 1 GiB
Relocation Offset is: 36e80000
gpio: pin gpiodv_24 (gpio 43) value is 1
register usb cfg[0][1] = 0000000037f4c4f8
[CANVAS]canvas init
MMC: aml_priv->desc_buf = 0x0000000033e80ab0
aml_priv->desc_buf = 0x0000000033e82df0
SDIO Port B: 0, SDIO Port C: 1
co-phase 0x2, tx-dly 0, clock 400000
co-phase 0x2, tx-dly 0, clock 400000
co-phase 0x2, tx-dly 0, clock 400000
emmc/sd response timeout, cmd8, status=0x1ff2800
emmc/sd response timeout, cmd55, status=0x1ff2800
co-phase 0x2, tx-dly 0, clock 400000
co-phase 0x2, tx-dly 0, clock 40000000
[mmc_startup] mmc refix success
init_part() 297: PART_TYPE_AML
[mmc_init] mmc init success
aml log : R1024 check pass!
start dts,buffer=0000000033e85640,dt_addr=0000000033e85640
get_partition_from_dts() 71: ret 0
parts: 17
00: logo 0000000000800000 1
01: recovery 0000000001800000 1
02: misc 0000000000800000 1
03: dtbo 0000000000800000 1
04: cri_data 0000000000800000 2
05: param 0000000001000000 2
06: boot 0000000001000000 1
set has_boot_slot = 0
07: rsv 0000000001000000 1
08: tee 0000000002000000 1
09: vendor 0000000006400000 1
10: odm 0000000001400000 1
11: metadata 0000000001000000 1
12: vbmeta 0000000000200000 1
13: system 000000005ac00000 1
14: product 0000000006a00000 1
15: cache 0000000010000000 2
16: data ffffffffffffffff 4
init_part() 297: PART_TYPE_AML
eMMC/TSD partition table have been checked OK!
crc32_s:0x1577dad == storage crc_pattern:0x1577dad!!!
crc32_s:0xee152b83 == storage crc_pattern:0xee152b83!!!
crc32_s:0x7fd3b243 == storage crc_pattern:0x7fd3b243!!!
mmc env offset: 0x17400000
In: serial
Out: serial
Err: serial
reboot_mode=cold_boot
[store]To run cmd[emmc dtb_read 0x1000000 0x40000]
_verify_dtb_checksum()-2755: calc 6955a20f, store 6955a20f
_verify_dtb_checksum()-2755: calc 6955a20f, store 6955a20f
dtb_read()-2972: total valid 2
update_old_dtb()-2953: do nothing
aml log : R1024 check pass!
vpu: clk_level in dts: 7
vpu: set clk: 666667000Hz, readback: 666666667Hz(0x300)
vpu: vpu_clk_gate_init_off finish
vpp: vpp_init
hpd_state=0
vpp: vpp_matrix_update: 2
cvbs performance type = 6, table = 0
cvbs_config_hdmipll_gxl
cvbs_set_vid2_clk
the HHI_VDAC_CNTL0 =b0001
the HHI_VDAC_CNTL0 =b0200
the HHI_VDAC_CNTL1 =0
the HHI_VDAC_CNTL1 =8
amlkey_init() enter!
[EFUSE_MSG]keynum is 4
[BL31]: tee size: 0
[BL31]: tee size: 0
[BL31]: tee size: 0
[BL31]: tee size: 0
[KM]Error:f[key_manage_query_size]L507:key[region] not programed yet
CONFIG_AVB2: avb2
Start read misc partition datas!
info->magic =
info->version_major = 1
info->version_minor = 0
info->slots[0].priority = 15
info->slots[0].tries_remaining = 7
info->slots[0].successful_boot = 0
info->slots[1].priority = 14
info->slots[1].tries_remaining = 7
info->slots[1].successful_boot = 0
info->crc32 = -1075449479
active slot = 0
wipe_data=successful
wipe_cache=successful
upgrade_step=2
reboot_mode:::: cold_boot
[OSD]load fb addr from dts:/meson-fb
[OSD]fb_addr for logo: 0x3f800000
[OSD]load fb addr from dts:/meson-fb
[OSD]fb_addr for logo: 0x3f800000
[OSD]VPP_OFIFO_SIZE:0xfff00fff
[CANVAS]addr=0x3f800000 width=5760, height=2160
[OSD]osd_hw.free_dst_data: 0,719,0,575
Command: bcb uboot-command
Start read misc partition datas!
BCB hasn't any datas,exit!
do_monitor_bt_cmdline
gpio: pin GPIOX_17 (gpio 17) value is 0
gpio: pin GPIOX_17 (gpio 17) value is 1
gpio: pin GPIOX_18 (gpio 18) value is 1
hw_config_start:state = 3
bt_cmdline: fw downloaded
no recovery mod!
gpio: pin GPIOX_8 (gpio 8) value is 1
Hit Enter or space or Ctrl+C key to stop autoboot -- : 0
CONFIG_SYSTEM_AS_ROOT: systemroot
system_mode: 1
CONFIG_AVB2: avb2
active_slot: normal avb2: 1
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
InUsbBurn
[MSG]sof
Set Addr 4
Get DT cfg
Get DT cfg
Get DT cfg
set CFG
Get DT cfg
Get DT cfg
Get DT cfg
Get DT cfg
waitIdentifyTime(751) > timeout(750)
(Re)start USB...
USB0: USB3.0 XHCI init start
Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.00
scanning bus 0 for devices... 1 USB Device(s) found
scanning usb for storage devices... 0 Storage Device(s) found
** Bad device usb 0 **
** Bad device usb 0 **
active_slot: normal
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
gxl_aquaman_v1#
kedzior.kedzior said:
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
The above error might be an issue.
at the prompt:
gxl_aquaman_v1#
type:
printenv
and post the output.
Functioner said:
The above error might be an issue.
at the prompt:
gxl_aquaman_v1#
type:
printenv
and post the output.
gxl_aquaman_v1#printenv
1080p60hz_deepcolor=444,12bit
480p60hz_deepcolor=rgb,8bit
EnableSelinux=permissive
active_slot=normal
avb2=1
baudrate=115200
bcb_cmd=get_avb_mode;get_valid_slot;
boardid=3
boot_part=boot
bootargs=init=/init console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xc81004c0 ramoops.pstore_en=1 ramoops.record_size=0x8000 ramoops.console_size=0x4000 ro rootwait skip_initramfs reboot_mode_android=normal androidboot.selinux=permissive logo=osd1,loaded,0x3d800000,576cvbs maxcpus=4 vout=576cvbs,enable hdmimode=1080p60hz frac_rate_policy=1 cvbsmode=576cvbs hdmitx=,444,12bit cvbsdrv=0 androidboot.firstboot=0 jtag=apao androidboot.veritymode=enforcing androidboot.hardware=amlogic androidboot.btmacaddr=00:00:00:00:00:00 androidboot.wifimac=00:00:00:00:00:00 androidboot.wificountrycode=US androidboot.bootloader= androidboot.serialno=26919800002433906 androidboot.boardid=3 androidboot.region=none androidboot.reboot_mode=cold_boot page_trace=on androidboot.rpmb_state=0 aml_dt= recovery_part={recovery_part} recovery_offset={recovery_offset} aml_dt= recovery_part={recovery_part} recovery_offset={recovery_offset}
bootcmd=run storeboot
bootdelay=1
bootup_offset=0x1133b50
bootup_size=0x5eec7a
btmac=00:00:00:00:00:00
cmdline_keys=keyman init 0x1234; setkeys;
colorattribute=444,12bit
cvbs_drv=0
cvbsmode=576cvbs
display_bpp=24
display_color_bg=0
display_color_fg=0xffff
display_color_index=24
display_height=576
display_layer=osd1
display_width=720
dtb_mem_addr=0x1000000
factory_reset_poweroff_protect=echo wipe_data=${wipe_data}; echo wipe_cache=${wipe_cache};if test ${wipe_data} = failed; then run init_display; run storeargs;if usb start 0; then run recovery_from_udisk;fi;run recovery_from_flash;fi; if test ${wipe_cache} = failed; then run init_display; run storeargs;if usb start 0; then run recovery_from_udisk;fi;run recovery_from_flash;fi;
fb_addr=0x3d800000
fb_height=1080
fb_width=1920
fdt_high=0x20000000
firstboot=0
frac_rate_policy=1
fs_type=ro rootwait skip_initramfs
hdmimode=1080p60hz
identifyWaitTime=750
init_display=get_rebootmode;echo reboot_mode:::: ${reboot_mode};if test ${reboot_mode} = quiescent; then setenv reboot_mode_android quiescent;run storeargs;setenv bootargs ${bootargs} androidboot.quiescent=1;osd open;osd clear;else if test ${reboot_mode} = recovery_quiescent; then setenv reboot_mode_android quiescent;run storeargs;setenv bootargs ${bootargs} androidboot.quiescent=1;osd open;osd clear;else setenv reboot_mode_android normal;run storeargs;osd open;osd clear;imgread pic logo bootup $loadaddr;bmp display $bootup_offset;bmp scale; fi;fi;
initargs=init=/init console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xc81004c0 ramoops.pstore_en=1 ramoops.record_size=0x8000 ramoops.console_size=0x4000
jtag=apao
loadaddr=1080000
lock=10001000
maxcpus=4
outputmode=576cvbs
page_trace=on
preboot=run cmdline_keys;run bcb_cmd; run factory_reset_poweroff_protect;run upgrade_check;run init_display;run storeargs;bcb uboot-command;run switch_bootmode;
reboot_mode=cold_boot
reboot_mode_android=normal
recovery_from_flash=get_valid_slot;echo active_slot: ${active_slot};if test ${active_slot} = normal; then setenv bootargs ${bootargs} aml_dt=${aml_dt} recovery_part={recovery_part} recovery_offset={recovery_offset};if itest ${upgrade_step} == 3; then if ext4load mmc 1:2 ${dtb_mem_addr} /recovery/dtb.img; then echo cache dtb.img loaded; fi;if ext4load mmc 1:2 ${loadaddr} /recovery/recovery.img; then echo cache recovery.img loaded; wipeisb; bootm ${loadaddr}; fi;else fi;if imgread kernel ${recovery_part} ${loadaddr} ${recovery_offset}; then wipeisb; bootm ${loadaddr}; fi;else setenv bootargs ${bootargs} aml_dt=${aml_dt} recovery_part=${boot_part} recovery_offset=${recovery_offset};if imgread kernel ${boot_part} ${loadaddr}; then bootm ${loadaddr}; fi;fi;
recovery_from_udisk=setenv bootargs ${bootargs} aml_dt=${aml_dt} recovery_part={recovery_part} recovery_offset={recovery_offset};if fatload usb 0 ${loadaddr} aml_autoscript; then autoscr ${loadaddr}; fi;if fatload usb 0 ${loadaddr} recovery.img; then if fatload usb 0 ${dtb_mem_addr} dtb.img; then echo udisk dtb.img loaded; fi;wipeisb; bootm ${loadaddr};fi;
recovery_offset=0
recovery_part=recovery
region=none
rpmb_state=0
sdc_burning=sdc_burn ${sdcburncfg}
sdcburncfg=aml_sdc_burn.ini
serialno=26919800002433906
sn2=3236393139383030303032343333393036
stderr=serial
stdin=serial
stdout=serial
storeargs=get_rebootmode;setenv bootargs ${initargs} ${fs_type} reboot_mode_android=${reboot_mode_android} androidboot.selinux=${EnableSelinux} logo=${display_layer},loaded,${fb_addr},${outputmode} maxcpus=${maxcpus} vout=${outputmode},enable hdmimode=${hdmimode} frac_rate_policy=${frac_rate_policy} cvbsmode=${cvbsmode} hdmitx=${cecconfig},${colorattribute} cvbsdrv=${cvbs_drv} androidboot.firstboot=${firstboot} jtag=${jtag}; setenv bootargs ${bootargs} androidboot.veritymode=enforcing androidboot.hardware=amlogic androidboot.btmacaddr=${btmac} androidboot.wifimac=${wifimac} androidboot.wificountrycode=${wifi_ccode} androidboot.bootloader=${bootloader} androidboot.serialno=${serialno} androidboot.boardid=${boardid} androidboot.region=${region} androidboot.reboot_mode=${reboot_mode};setenv bootargs ${bootargs} page_trace=${page_trace};setenv bootargs ${bootargs} androidboot.rpmb_state=${rpmb_state};
storeboot=get_system_as_root_mode;echo system_mode: ${system_mode};if test ${system_mode} = 1; then setenv fs_type ro rootwait skip_initramfs;run storeargs;fi;get_valid_slot;get_avb_mode;echo active_slot: ${active_slot} avb2: ${avb2};if test ${active_slot} != normal; then setenv bootargs ${bootargs} androidboot.slot_suffix=${active_slot};fi;if test ${avb2} = 0; then if test ${active_slot} = _a; then setenv bootargs ${bootargs} root=/dev/mmcblk0p23;else if test ${active_slot} = _b; then setenv bootargs ${bootargs} root=/dev/mmcblk0p24;fi;fi;fi;if imgread kernel ${boot_part} ${loadaddr}; then bootm ${loadaddr}; fi;run update;
switch_bootmode=get_rebootmode;if test ${reboot_mode} = factory_reset; then setenv reboot_mode_android normal;run storeargs;run recovery_from_flash;else if test ${reboot_mode} = update; then setenv reboot_mode_android normal;run storeargs;run update;else if test ${reboot_mode} = quiescent; then setenv reboot_mode_android quiescent;run storeargs;setenv bootargs ${bootargs} androidboot.quiescent=1;else if test ${reboot_mode} = recovery_quiescent; then setenv reboot_mode_android quiescent;run storeargs;setenv bootargs ${bootargs} androidboot.quiescent=1;run recovery_from_flash;else if test ${reboot_mode} = cold_boot; then setenv reboot_mode_android normal;run storeargs;else if test ${reboot_mode} = fastboot; then setenv reboot_mode_android normal;run storeargs;fastboot;fi;fi;fi;fi;fi;fi;if monitor_bt_cmdline; then run update; fi;
system_mode=1
try_auto_burn=update 700 750;
update=run try_auto_burn; if usb start 0; then run recovery_from_udisk;fi;run recovery_from_flash;
upgrade_check=echo upgrade_step=${upgrade_step}; if itest ${upgrade_step} == 3; then run init_display; run storeargs; run update;else fi;
upgrade_step=2
usb_burning=update 1000
wifi_ccode=US
wifimac=00:00:00:00:00:00
wipe_cache=successful
wipe_data=successful
Environment size: 7334/65532 bytes
I'm not sure if imgread is being called by the normal boot process, or a recovery process because the device failed to boot.
At the uart prompt type:
imgread dtb boot 0x1000000
imgread kernel boot 0x1080000
bootm 0x1080000
and post the output.
If it's the same error as before, the boot partition might not be flashed with the correct image.
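As an added example (not code from this thread, and not Amlogic's imgread implementation): a Python check to run on a boot image file before flashing it. imgread's "Fmt unsupported" message and its format codes are Amlogic-specific and are not documented on this page, but whatever the loader expects, the file written to the boot partition must at least be a well-formed Android boot image: "ANDROID!" magic, a power-of-two page size, and section sizes that fit inside the file. The parser below handles the header layout shared by boot image versions 0 to 2 (as documented in AOSP's mkbootimg); the function names, the addresses and the sample image produced by build_sample_image() are constructed for the demo and are not taken from any real firmware.

```python
"""Sanity-check an Android boot image before flashing it to the boot partition.

Added example for this thread, not code from the thread or from Amlogic's U-Boot.
It understands the header layout shared by boot image versions 0, 1 and 2
(documented in AOSP system/tools/mkbootimg); the sample image built by
build_sample_image() is constructed for the demo and is not a real firmware.
"""
import struct
import sys

BOOT_MAGIC = b"ANDROID!"
# Fixed head of the v0-v2 header: magic[8], kernel_size, kernel_addr,
# ramdisk_size, ramdisk_addr, second_size, second_addr, tags_addr,
# page_size, header_version, os_version (all little-endian u32).
HEAD_FMT = "<8s10I"
HEAD_LEN = struct.calcsize(HEAD_FMT)          # 48 bytes
ARM64_IMAGE_MAGIC = b"ARM\x64"               # at offset 56 of a Linux arm64 Image


def _align(n: int, page: int) -> int:
    return (n + page - 1) // page * page


def _decode_os_version(raw: int) -> tuple:
    """Split the packed os_version field into ("A.B.C", "YYYY-MM")."""
    ver, patch = raw >> 11, raw & 0x7FF
    a, b, c = ver >> 14, (ver >> 7) & 0x7F, ver & 0x7F
    return f"{a}.{b}.{c}", f"{2000 + (patch >> 4):04d}-{patch & 0xF:02d}"


def kernel_kind(blob: bytes) -> str:
    """Best-effort guess at what the kernel section holds."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if len(blob) >= 60 and blob[56:60] == ARM64_IMAGE_MAGIC:
        return "arm64 Image"
    return "unknown"


def parse_boot_image(data: bytes) -> dict:
    """Validate the header and return field values and section offsets.

    Raises ValueError on anything a loader would refuse: wrong magic,
    bad page size, unsupported header version, or sizes that overrun the file.
    """
    if len(data) < HEAD_LEN + 16 + 512:
        raise ValueError("file too short to hold a boot image header")
    (magic, kernel_size, _kaddr, ramdisk_size, _raddr, second_size, _saddr,
     _tags, page_size, header_version, os_version) = struct.unpack_from(HEAD_FMT, data, 0)
    if magic != BOOT_MAGIC:
        # The bytes do not start with an Android boot header at all: the
        # partition holds a raw/blank/wrong image rather than a boot.img.
        raise ValueError(f"bad magic {magic!r}: not an Android boot image")
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError(f"page_size {page_size} is not a power of two")
    if header_version > 2:
        raise ValueError(f"header version {header_version} not handled here")
    name = data[HEAD_LEN:HEAD_LEN + 16].split(b"\0", 1)[0].decode(errors="replace")
    cmdline = data[HEAD_LEN + 16:HEAD_LEN + 528].split(b"\0", 1)[0].decode(errors="replace")
    # Sections follow the header in order, each padded to page_size.
    kernel_off = page_size
    ramdisk_off = kernel_off + _align(kernel_size, page_size)
    second_off = ramdisk_off + _align(ramdisk_size, page_size)
    end = second_off + _align(second_size, page_size)
    if end > len(data):
        raise ValueError(f"header claims {end} bytes but file holds {len(data)}: truncated")
    os_ver, patch = _decode_os_version(os_version)
    return {
        "header_version": header_version, "page_size": page_size,
        "kernel_size": kernel_size, "kernel_offset": kernel_off,
        "kernel_kind": kernel_kind(data[kernel_off:kernel_off + kernel_size]),
        "ramdisk_size": ramdisk_size, "ramdisk_offset": ramdisk_off,
        "second_size": second_size, "second_offset": second_off,
        "name": name, "cmdline": cmdline, "os_version": os_ver,
        "patch_level": patch, "total_size": end,
    }


def build_sample_image(page_size: int = 2048) -> bytes:
    """Constructed sample: a 5-byte 'kernel', a 3-byte 'ramdisk', no second stage."""
    kernel, ramdisk = b"KERN!", b"RD\x1f"
    os_version = ((9 << 14) << 11) | ((2020 - 2000) << 4) | 5   # Android 9, 2020-05
    head = struct.pack(HEAD_FMT, BOOT_MAGIC, len(kernel), 0x10008000, len(ramdisk),
                       0x11000000, 0, 0x10F00000, 0x10000100, page_size, 0, os_version)
    head += b"aquaman".ljust(16, b"\0")
    head += b"androidboot.hardware=amlogic".ljust(512, b"\0")
    head += b"\0" * (32 + 1024)                 # id[8] and extra_cmdline[1024]
    img = head.ljust(page_size, b"\0")
    img += kernel.ljust(_align(len(kernel), page_size), b"\0")
    img += ramdisk.ljust(_align(len(ramdisk), page_size), b"\0")
    return img


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    try:
        for key, value in parse_boot_image(blob).items():
            print(f"{key:>15}: {value}")
    except ValueError as err:
        sys.exit(f"NOT a usable boot image: {err}")
```

Run it as `python3 check_boot.py boot.img` on the file you intend to flash; with no argument it parses its own constructed sample. A "bad magic" result on a file pulled back from the device (for example with a raw partition dump) means the partition does not hold a boot image at all, which matches the imgread failure above better than a merely wrong kernel would; the os_version and patch_level fields also give a quick way to compare the image against the build fingerprint of the firmware it came from.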
gxl_aquaman_v1#imgread dtb boot 0x1000000
Err imgread(L220):Fmt unsupported! only support 0x3
gxl_aquaman_v1#imgread kernel boot 0x1080000
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
gxl_aquaman_v1#imgread kernel boot 0x1080000
Err imgread(L328):Fmt unsupported!genFmt 0x0 != 0x3
gxl_aquaman_v1#<INTERRUPT>
gxl_aquaman_v1#bootm 0x1080000
aml log : Sig Check 1830
kedzior.kedzior said:
gxl_aquaman_v1#imgread dtb boot 0x1000000
Err imgread(L220):Fmt unsupported! only support 0x3
Are you able to flash the boot partition with the boot image again?
Which version of the firmware did you flash?
Are you able to flash the boot partition with the boot image again?
Yes
Which version of the firmware did you flash?
https://disk.yandex.ru/d/aL5XolrdAbTJ0g How to check it?
Other than this one I have no other
Did you flash it with fastboot or burn mode?
According to the instructions from the post https://forum.xda-developers.com/t/help-please-mdz-24-aa-no-power-led-no-video.4452819/post-87044521
but one of the commands, "fastboot oem unlock", did not work
"fastboot flashing unlock" worked
"fastboot flashing unlock_critical" worked
I notice from the environment that the bootloader is currently locked.
The Russian guy in the video mentioned that it is important to keep the older version of the bootloader, because the newer version could lock you out.
What I would try is starting fastboot, and then using the ota source files, flashing all of the partitions again, except NOT the bootloader.
What you could try first is just flashing the boot partition again from whatever firmware you used the last time.
Unfortunately, I do not have the previous working version :/
kedzior.kedzior said:
https://disk.yandex.ru/d/aL5XolrdAbTJ0g How to check it?
I will check that version, and will also check which version is the newest version.
At the uart prompt, type:
get_bootloaderversion
and post the version.
Functioner said:
At the uart prompt, type:
get_bootloaderversion
and post the version.
gxl_aquaman_v1#get_bootloaderversion
Unknown command 'get_bootloaderversion' - try 'help'
C:\adb>fastboot getvar version-bootloader
version-bootloader: U-Boot 2015.01-g2e3e77d-dirty
Finished. Total time: 0.003s
The version of the firmware in backup-Restore.rar from the above yandex link is r293:
Xiaomi/aquaman/aquaman:9/PI/293:user/release-keys
This is quite old. It's from May 26 2020.
If you flashed the tee image from that download, it could have corrupted your device.
thank you very much for your help and your time. I will continue to try to bring my stick back to life
kedzior.kedzior said:
thank you very much for your help and your time. I will continue to try to bring my stick back to life
sure, good luck.