Better Mobile App

[MOD]UART Debugging Connection

Introduction
Why is UART useful? It's a debugging tool. During the boot sequence on most computers, you see a splash screen. On most computers, you can hit 'ESC' to see the diagnostics in the background and then press a key like 'F2' to jump into the BIOS and make changes. On our devices we don't have that option.
On the Nook we have U-Boot which functions as a BIOS. We press 'Space Bar' to get into the U-Boot options. UART allows you to get into the U-Boot and make changes, as well as view the logs as they are generated. See the following code block for an example output
Code:
Texas Instruments X-Loader 1.41 (Oct 21 2011 - 14:00:05)
Start not on PWRON, skipping power button check.
Starting OS Bootloader from EMMC ...
U-Boot 1.1.4-acclaim1.4_1.4.0.1029^{} (Nov 11 2011 - 12:34:20)
Load address: 0x80e80000
DRAM: 1024 MB
Using default environment
In: serial
Out: serial
Err: serial
hw_status 0x23 vbus_status 0x80
mmc read: Invalid size
mmc read: Invalid size
2 bytes read
MAX17042+UBOOT: battery type=LG
MAX17042+UBOOT: gas gauge detected (0x0000)
MAX17042_STATUS (00h) is 0x0000
MAX17042+UBOOT: BATTERY Detected!
MAX17042+UBOOT:WARM BOOT
mmc read: Invalid size
mmc read: Invalid size
40 bytes read
Valid max17042 init data is loaded into memory
0x1234
0x215b
0x00d6
0x2037
0x0000
0x0100
0x007e
0x3670
0x078f
0x0000
0x0000
0x6435
0x2f2c
0x0140
0x7d5a
0x87a4
0x1400
0x205c
0x205c
0x6046
verify if mem loaded: FullcapNom was saved as 2037
uboot verify: 1d CONFIG is 2210 ; should be 2210 & 0xFDFB
uboot verify: 2a RELAXCFG is 083b ; should be 083b
uboot verify: 29 FILTERCFG is 87a4 ; should be 87a4
uboot verify: 28 LEARNCFG is 2466 ; should be 2406 & 0xFF0F
uboot verify: 18 DesignCap is 205c ; should be 205c
uboot verify: 12 Vempty is 7d5a ; should be 7d5a
uboot verify: 25 TEMPLIM is 2305 ; should be 2305
uboot verify: 2b MiscCFG is 0810 ; should be 0810 & cc1f
uboot verify: 2c TGAIN is e3e1 ; should be e3e1
uboot verify: 2d TOFF is 290e ; should be 290e
uboot verify: 2e CGAIN is 4000 ; should be 4000
uboot verify: 2f COFF is 0000 ; should be 0000
uboot verify: 37 FCTC is 05e0 ; should be 05e0
MAX17042+UBOOT: warm config is okay
SOC 90%, booting.
Board revision PVT
mmc read: Invalid size
mmc read: Invalid size
16 bytes read
ptn 0 name='xloader' start=256 len=131072
ptn 1 name='bootloader' start=512 len=262144
ptn 2 name='recovery' start=1024 len=15728640
ptn 3 name='boot' start=32768 len=16777216
ptn 4 name='rom' start=65536 len=50331648
ptn 5 name='bootdata' start=163840 len=50331648
ptn 6 name='factory' start=262144 len=387973120
ptn 7 name='system' start=1019904 len=641728512
ptn 8 name='cache' start=2273280 len=446693376
ptn 9 name='media' start=3145728 len=1073741824
ptn 10 name='userdata' start=5242880 len=64991232
mmc read: Invalid size
1088 bytes read
BCB found, checking...
** Unable to use mmc 0:1 for fatload **
** Unable to use mmc 0:1 for fatload **
** Unable to use mmc 0:1 for fatload **
Booting into Android
mmc read: Invalid size
mmc read: Invalid size
4 bytes read
BootCnt 2
1 bytes written
Autobooting in 0 seconds, press <SPACE> to stop...
kernel @ 80088120 (2682952)
ramdisk @ 81080000 (157153)
Initrd start : 81080000 , Initrd end : 810a64c1Acclaim Board.
Starting kernel ...
Linux version 2.6.35.7 ([email protected]) (gcc version 4.4.1 (Sourcery G++ Lite 2010q1-202) ) #1 SMP PREEMPT Fri Nov 11 12:35:42 PST 2011
CPU: ARMv7 Processor [411fc093] revision 3 (ARMv7), cr=10c53c7f
CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
Machine: OMAP4430 ACCLAIM
Memory policy: ECC disabled, Data cache writealloc
On node 0 totalpages: 245760
free_area_init_node: node 0, pgdat c0587e00, node_mem_map c062a000
Normal zone: 1536 pages used for memmap
Normal zone: 0 pages reserved
Normal zone: 178688 pages, LIFO batch:31
HighMem zone: 512 pages used for memmap
HighMem zone: 65024 pages, LIFO batch:15
***********************
OMAP4430 ES2.3 type(HS)
id-code (6b95c02f)
Die-id (5C360006-00000001-09111715-1601D00D)
Prod-id (000DB95C-000600CC)
***********************
SRAM: Mapped pa 0x40300000 to va 0xfe400000 size: 0x100000
FIXME: omap44xx_sram_init not implemented
Reserving 33554432 bytes SDRAM for VRAM
SMC: Allocated workspace of 3M at (0x9c900000)
PERCPU: Embedded 7 pages/cpu @c0e37000 s5632 r8192 d14848 u65536
pcpu-alloc: s5632 r8192 d14848 u65536 alloc=16*4096
pcpu-alloc: [0] 0 [0] 1
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 243712
Kernel command line: androidboot.console=ttyO0 console=ttyO0,115200n8 [email protected] [email protected] init=/init rootwait vram=32M,82000000 omapfb.vram=0:[email protected]
PID hash table entries: 4096 (order: 2, 16384 bytes)
Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
Memory: 448MB 256MB 256MB = 960MB total
Memory: 935252k/935252k available, 47788k reserved, 262144K highmem
Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
DMA : 0xffc00000 - 0xffe00000 ( 2 MB)
vmalloc : 0xf0800000 - 0xf8000000 ( 120 MB)
lowmem : 0xc0000000 - 0xf0000000 ( 768 MB)
pkmap : 0xbfe00000 - 0xc0000000 ( 2 MB)
modules : 0xbf000000 - 0xbfe00000 ( 14 MB)
.init : 0xc0008000 - 0xc003d000 ( 212 kB)
.text : 0xc003d000 - 0xc053f000 (5128 kB)
.data : 0xc0540000 - 0xc05888c0 ( 291 kB)
SLUB: Genslabs=11, HWalign=32, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
Hierarchical RCU implementation.
RCU-based detection of stalled CPUs is disabled.
Verbose stalled-CPUs detection is disabled.
You will need
In order to get started you will need some things. Here's what you will need.
Torx T5 screw driver (the star kind)
Soldering iron ( any soldering iron)
Case opener tool ( or guitar pick or something small and plastic)
30-40 AWG wire (small wires)
1.8V UART to USB converter (Like The Bus Priate)
Tweezers (Makes it easier to handle small things)
Most of the tools and parts used can be obtained at Lowes or Radio Shack
For a UART device, I recommend The Bus Pirate. The Bus Pirate is known as "The Hacker's Multi-tool" and it is useful for alot more than just UART. It is an Open-Source, Open-Hardware, community supported tool. You can get it from SeeedStudios.com for $27.15.
Instructions
There are several ways to set up UART. Here is how I set up mine.
Image 1:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Disassembly
If you have an SDCard inserted, remove it.
Remove two(2) T5 Torx screws securing the back cover to the unit
Using the Case Opener tool, pry the rear cover off the unit. It is held on by small plastic hooks. They are fairly durable and I have not broken any in several removal and installations.
Remove ten(10) T5 torx screws from the metal case which secure the front cover
Image 2:
disconnect the battery and the volume control swich connections which are accessible through holes in the metal case.
Remove the front cover using a case opener tool or your bare hands, whichever is more comfortable for you
Remove the board and LCD from the metal case
Modification
Image 3:
Locate the UART RX and TX lines on the board shown in Image2.
You can hook your UART device to this directly, RX to TX and TX to RX, or keep reading and I'll show you how I set mine up. so..
Stop here and use UART or continue on for a cleaner method
run 40 awg wire to a piece of perf-board, about 8 holes wide.
Using 20 awg wire, make a loop on the perf-board which joins two holes in two spots on the small piece of perf-board
attach the UART RX
Image 4:
Route the wires along the board and tape them down
Use epoxy to mount the perfboard. It should be mounted at a very slight downward angle. Set something under the board while it dries. This gives room for the case to close.
Reassemble the unit, Assembly is reverse of Disassembly.
Image 5:
Hook up RX, TX to your perf-board hooks and connect ground to the metal case.
Image 6:
You will now be able to talk to your UART device using
Baud: 115200
Bits: 8
Parity: None
Stop Bits: 1
Voltage: 1.8 (open drain)
For the Bus Pirate, get it working in a termianal and use the following settings:
Code:
HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
9. DIO
x. exit(without change)
(1)>3
Set serial port speed: (bps)
1. 300
2. 1200
3. 2400
4. 4800
5. 9600
6. 19200
7. 38400
8. 57600
9. 115200
10. BRG raw value
(1)>9
Data bits and parity:
1. 8, NONE *default
2. 8, EVEN
3. 8, ODD
4. 9, NONE
(1)>1
Stop bits:
1. 1 *default
2. 2
(1)>1
Receive polarity:
1. Idle 1 *default
2. Idle 0
(1)>1
Select output type:
1. Open drain (H=Hi-Z, L=GND)
2. Normal (H=3.3V, L=GND)
(1)>1
Ready
UART>(3)
Conclusion
For those of you helping with security bypass methods, this will surely be useful as it will tell you when a secure failure is encountered. For those of you who want to experiment with U-Boot or a cool electronics project, I'd encourage you to try this. There's not alot that can go wrong because the board is well built and fairly heat resistant and the tools/parts used in this mod are available from several sources.
I hope this was informative and/or interesting for you to read.
Thanks to pokey9000 for pointing me to the right area.

A few lines before the kernal starts loading, it has bootcnt 2. What does this mean and what happens if it is modified? Or is any modification break the secure CHAIN?
Also, what would happen if it didn't autoboot in 0 seconds and you could hit the spacebar?
Sent from my BNTV250 using Tapatalk

HMG10 said:
A few lines before the kernal starts loading, it has bootcnt 2. What does this mean and what happens if it is modified? Or is any modification break the secure CHAIN?
Sent from my BNTV250 using Tapatalk
Click to expand...
Click to collapse
That's the number of boots since the counter was reset. After 8 failed boots, the device will go into recovery and restore all firmware.

this is great! I have been looking at my arduino and my pandaII (.netMF) dev boards and my tablet for a few days now.
Glad I dont have to pull out the logic analyser and find those pins..

servergod said:
this is great! I have been looking at my arduino and my pandaII (.netMF) dev boards and my tablet for a few days now.
Glad I dont have to pull out the logic analyser and find those pins..
Click to expand...
Click to collapse
that's exactly what I did...

Adafruit's FTDI Friend should also do the trick, $10 less.

I changed up my UART connection. I feel this is much cleaner and runs less wire through the nook. This makes it into a really good development device.
This new setup is made with a piece of perf-board from Radio Shack and it's held onto the nook using double-sided tape. Here are some pictures:
The wires are routed through the crack in the back cover and run to the same points mentioned in the Original Post. The 3rd connection (middle) here is Ground. Ground is the point on the board closest to the edge and furthest from UART TX in the staggered group of pins..

I thought I'd update this... I though I'd update this after a few weeks of working with it. The external connection works very well. It is easy to remove and replace if required with just 3 solder joints if required. The external perf-board is very unobtrusive, and does not interfere with operation.
I also found a case that works well with this modification. it's called "Mini Suit" for Nook Tablet.
If you go with this method and need a case, Mini Suit will suit you.

Adam,
In picture 3 you have a diagram that shows the pinout for uart tx and rx on the nook tablet (appears to be the left two pins of the 4 in the diagram), but if you look closely at picture 4, the top wire appears to be soldered to the top right pin rather than the top left pin as show on the diagram in picture 3. Is this just an optical illusion?
Thanks Again for all you do on these forums.!

acruxksa said:
Adam,
In picture 3 you have a diagram that shows the pinout for uart tx and rx on the nook tablet (appears to be the left two pins of the 4 in the diagram), but if you look closely at picture 4, the top wire appears to be soldered to the top right pin rather than the top left pin as show on the diagram in picture 3. Is this just an optical illusion?
Thanks Again for all you do on these forums.!
Click to expand...
Click to collapse
disregard picture 4. I took alot of pictures while setting things up and I chose the ones that gave the best idea of what was going on. Thanks.

Replacement for Bus Pirate
Hi Adam
Good day to you.
I would like to setup my own Uart devices for Samsung Phone, however, not able to locate the Bus Pirate devices as mention in your thread.
but i found a USB to RS232 converter as per attach PDF file.
would you please help to check on it? is it possible to setup the UART setup use on Samsung phone?
if can kindly help to give a detail guide connection setup from PC USB to Phone.
appreciate you help.
thanks

chongns said:
Hi Adam
Good day to you.
I would like to setup my own Uart devices for Samsung Phone, however, not able to locate the Bus Pirate devices as mention in your thread.
but i found a USB to RS232 converter as per attach PDF file.
would you please help to check on it? is it possible to setup the UART setup use on Samsung phone?
if can kindly help to give a detail guide connection setup from PC USB to Phone.
appreciate you help.
thanks
Click to expand...
Click to collapse
This should really go into the Samsung forum for the phone you're trying to get to, however here is where you can buy a bus pirate.

KEXEC works in the nook tablet

I managed to execute a customized kernel. But it hangs in somewhere.
The main trouble is l2 cache. The l2 cache may crash the kernel in the somewhere. I am inspired by hkvc. http://forum.xda-developers.com/showthread.php?t=1427610
Did you meet this problem?
Here is output from uart:
<code>
<5>Linux version 2.6.35.7-g63bc7cb-dirty ([email protected]) (gcc version 4.4.1 (Sourcery G++ Lite 2010q1-202) ) #8 SMP PREEMPT Sat Jan 14 22:48:10 CST 2012
CPU: ARMv7 Processor [411fc093] revision 3 (ARMv7), cr=10c53c7f
CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
Machine: OMAP4430 ACCLAIM
Memory policy: ECC disabled, Data cache writealloc
<7>On node 0 totalpages: 245760
<7>free_area_init_node: node 0, pgdat c058bec0, node_mem_map c0a6c000
<7> Normal zone: 1536 pages used for memmap
<7> Normal zone: 0 pages reserved
<7> Normal zone: 178688 pages, LIFO batch:31
<7> HighMem zone: 512 pages used for memmap
<7> HighMem zone: 65024 pages, LIFO batch:15
<6>***********************<6>OMAP4430 ES2.3 type(HS)
<6>id-code (6b95c02f)
<6>Die-id (22DC0006-00000001-09111ED0-06011014)
<6>Prod-id (000DB95C-000600CC)
<6>***********************<6>SRAM: Mapped pa 0x40300000 to va 0xfe400000 size: 0x100000
<3>FIXME: omap44xx_sram_init not implemented
<6>Reserving 33554432 bytes SDRAM for VRAM
<6>SMC: Allocated workspace of 3M at (0x9c900000)
<6>PERCPU: Embedded 7 pages/cpu @c1279000 s5632 r8192 d14848 u65536
<6>pcpu-alloc: s5632 r8192 d14848 u65536 alloc=16*4096
<6>pcpu-alloc: [0] 0 [0] 1
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 243712
<5>Kernel command line: androidboot.console=ttyO0 console=ttyO0,115200n8 [email protected] [email protected] init=/init rootwait vram=32M,82000000 omapf0
<6>PID hash table entries: 4096 (order: 2, 16384 bytes)
<6>Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
<6>Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
<6>Memory: 448MB 256MB 256MB = 960MB total
<5>Memory: 935228k/935228k available, 47812k reserved, 262144K highmem
<5>Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
DMA : 0xffc00000 - 0xffe00000 ( 2 MB)
vmalloc : 0xf0800000 - 0xf8000000 ( 120 MB)
lowmem : 0xc0000000 - 0xf0000000 ( 768 MB)
pkmap : 0xbfe00000 - 0xc0000000 ( 2 MB)
modules : 0xbf000000 - 0xbfe00000 ( 14 MB)
.init : 0xc0008000 - 0xc003e000 ( 216 kB)
.text : 0xc003e000 - 0xc0543000 (5140 kB)
.data : 0xc0544000 - 0xc058c980 ( 291 kB)
<6>SLUB: Genslabs=11, HWalign=32, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
<6>Hierarchical RCU implementation.
<6> RCU-based detection of stalled CPUs is disabled.
<6> Verbose stalled-CPUs detection is disabled.
<6>NR_IRQS:388
<4>omap_hwmod: sys_32k_ck: missing clockdomain for sys_32k_ck.
<4>omap_hwmod: l3_div_ck: missing clockdomain for l3_div_ck.
<4>omap_hwmod: dpll_mpu_m2_ck: missing clockdomain for dpll_mpu_m2_ck.
<4>omap_hwmod: dmic: resetting
<4>omap_hwmod: dss: cannot be enabled (3)
<4>omap_hwmod: dss_dispc: cannot be enabled (3)
<4>omap_hwmod: dss_dsi1: cannot be enabled (3)
<4>omap_hwmod: dss_dsi2: cannot be enabled (3)
<4>omap_hwmod: dss_hdmi: cannot be enabled (3)
<4>omap_hwmod: dss_rfbi: cannot be enabled (3)
<4>omap_hwmod: dss_venc: cannot be enabled (3)
<4>omap_hwmod: iva: reset already de-asserted
<4>omap_hwmod: mailbox: resetting
<4>omap_hwmod: omap-mcpdm-dai: cannot be enabled (3)
<4>omap_hwmod: mcspi1: resetting
<4>omap_hwmod: mcspi2: resetting
<4>omap_hwmod: mcspi3: resetting
<4>omap_hwmod: mcspi4: resetting
<4>omap_hwmod: mmc1: resetting
<4>omap_hwmod: mmc2: resetting
<4>omap_hwmod: mmc3: resetting
<4>omap_hwmod: mmc4: resetting
<4>omap_hwmod: mmc5: resetting
<4>omap_hwmod: timer3: resetting
<4>omap_hwmod: timer4: resetting
<4>omap_hwmod: timer5: resetting
<4>omap_hwmod: timer6: resetting
<4>omap_hwmod: timer7: resetting
<4>omap_hwmod: timer8: resetting
<4>omap_hwmod: timer9: resetting
<4>omap_hwmod: timer11: resetting
</code>

you could try the l2 cache flush logic in my linboothkvc
Hi Highfly,
I haven't really looked at kexec directly, because I figured/or_rather_think(haven't had time to patiently go thro it, I am bit lazy and impatient wrt reading thro documents or others code and so, unless I have to) it has too many dependcies or a few kernel space things distributed here and there and few userspace stuff distributed here and there logically and so on and so forth. And also because I was more interested in exploring and facing the possible problems on my own so that I learn more about the new Arm cores and SOCs.
If you are facing any problem with L2 cache, then try the l2 cache flush stuff I have put in my source package and see if it helps. It is a much much simplified version of what is there in sleep file and the PL310 trm, because I don't really want to wakeup from a sleep, so I or for that matter, even you don't have to worry much about saving stuffs (i don't mean everything here, yes some stuffs you have to save from cache to memory like the code you want to run in the new environment etc) and other stuff. Also I take care of disabling the 2nd processor before I do the cache related stuff, so that way also I don't have to worry about syncing across them (There is a small corner case, there in my flow, but I haven't seen it triggered till now, and I have a simple way of bypassing it for now, so I am not worrying too much about the 2nd processor).
Or you could also try disabling the L2 cache specifically before exiting from existing kernel (which I am not doing by the way, rather I fully disable all cache thro cp15), based on what I have read, disabling L2 cache specifically is supposed to make it automatically do a safe flush i.e clean followed by invalidate in a automic manner.

How to find out what's causing lock-ups?

I haven't managed to find a ROM that doesn't freeze up on me. I suspect that it may be apps, rather than ROMS, that are causing this, because it also happens when I revert to a stock ROM.
Can anyone recommend a way of diagnosing which app(s) may be causing the crashes? There's usually no regular pattern in behaviour - i.e. it happens in a variety of different situations/apps

mate apps generally dont cause lookups..its your settings that do..apps only forceclose..thats it...if you are on any custom kernel then its a 90% chance that whats causing your lock ups is your undervolt settings...otherwise..flash again with all the wipes...if you dont wipe then lockups are gonna be a very common occurance..backup all the stuff..!

Nah man. Apps, some apps, definitely cause Wake up's dude.
The most popular application to check wakelock's is BetterBatteryStats. And additionally i can tell you some wakelock's are also caused by Ad's, yes you read it right, damn AD'S. To block them please use AdAway, free in Play Store.

What are you going on about wakelocks for?

the thread is about lockups mate not wakeups!

naveediftikhar said:
mate apps generally dont cause lookups..its your settings that do..apps only forceclose..thats it...if you are on any custom kernel then its a 90% chance that whats causing your lock ups is your undervolt settings...otherwise..flash again with all the wipes...if you dont wipe then lockups are gonna be a very common occurance..backup all the stuff..!
Click to expand...
Click to collapse
I never do undervolting or any CPU mods, so it can't be that. I also routinely wipe, clear the cache and dalvik cache every time I flash a ROM. That's why I figure that it's probably apps doing things in the background that are the problem.

what about factory reseting via recovery and formatting system,data and cache in recovery under mount and storage option...wiping dalvik and cache dont reset or wipe your device..perform all the above mentioned wipes and your problem will hopefully end!
and if your are on any custom kernel..try increasing the stock volts by 25..!give it a try...!

Will "formatting system,data and cache in recovery under mount and storage option" wipe the contents of the internal SD card?

no...i do it always..never it has touched either of my sdcards...!

Should I do all of that AFTER flashing or before?

do it before flashing...and try to let the rom boot and run for 30 mins or so before going back and installing any mod or kernel!

Next time it happens, grab a kmsg as soon as you reboot:-
In a terminal editor enter the following:
su
cat /proc/last_kmsg > /mnt/sdcard/last_kmsg
and post it as an attachment to this thread. Might yield some clues as to what the phone was doing when it locks up/crashes.

MistahBungle said:
Next time it happens, grab a kmsg as soon as you reboot:-
In a terminal editor enter the following:
su
cat /proc/last_kmsg > /mnt/sdcard/last_kmsg
and post it as an attachment to this thread. Might yield some clues as to what the phone was doing when it locks up/crashes.
Click to expand...
Click to collapse
Ok it's just crashed again - this time while copying a large folder from the phone to a PC over USB. I rebooted, downloaded a Terminal Emulator from the Market, then generated the attached "last_kmsg" file as instructed. Please let me know if this gives any clues.

...sorry...here's the attachment...

Just had another lock-up. This time the phone got quite warm, and drained from 97% battery to 11% in 1.5 hours, so something was chewing up the CPU. Here's the last_kmsg output from immediately after the reboot:
Ibl: pbl_read_emmc441() read 8k
Ibl: pbl_read_emmc441() read 96k
Ibl: pbl_read_emmc441() read download info
Ibl: pbl_read_emmc441() endop
Ibl: jump() verify_binary_integrity...ok
Ibl: jump() jump!!!
Welcome to Samsung Primitive Bootloader.
build time: May 8 2012 19:31:07
current time: f0/e/1 30:70:7c
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
<display_card_info:1009> ext_csd
<display_card_info:1011>card_size: 15028
Total Card Size: 15029 MByte
mmc_init: card initialization completed!
pbl found bootable sbl in #53248.
jump to sbl 0x4d400000.
Secondary Bootloader v3.1 version.
Copyright (C) 2011 System S/W Group. Samsung Electronics Co., Ltd.
Board: C1 REV 02 / Aug 12 2011 11:37:21
current time: f0/e/1 30:70:7d
booting code=0xc0c080c0
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
CID:150100 56594c30 304d1941 4e02a76e
<display_card_info:1040> ext_csd
<display_card_info:1042>card_size: 15028
Total Card Size: 15029 MByte
Total Sector Count: 30777344
MoviNand Initialization Complete!
===== PARTITION INFORMATION =====
ID : GANG (0x0)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : BOOT (0x1)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : EFS (0x4)
DEVICE : MMC
FIRST UNIT : 8192
NO. UNITS : 40960
=================================
ID : SBL1 (0x2)
DEVICE : MMC
FIRST UNIT : 49152
NO. UNITS : 2560
=================================
ID : SBL2 (0x3)
DEVICE : MMC
FIRST UNIT : 53248
NO. UNITS : 2560
=================================
ID : PARAM (0x5)
DEVICE : MMC
FIRST UNIT : 57344
NO. UNITS : 16384
=================================
ID : KERNEL (0x6)
DEVICE : MMC
FIRST UNIT : 73728
NO. UNITS : 16384
=================================
ID : RECOVERY (0x7)
DEVICE : MMC
FIRST UNIT : 90112
NO. UNITS : 16384
=================================
ID : CACHE (0x8)
DEVICE : MMC
FIRST UNIT : 106496
NO. UNITS : 204800
=================================
ID : MODEM (0x9)
DEVICE : MMC
FIRST UNIT : 311296
NO. UNITS : 32768
=================================
ID : FACTORYFS (0xa)
DEVICE : MMC
FIRST UNIT : 344064
NO. UNITS : 1048576
=================================
ID : DATAFS (0xb)
DEVICE : MMC
FIRST UNIT : 1392640
NO. UNITS : 4194304
=================================
ID : UMS (0xc)
DEVICE : MMC
FIRST UNIT : 5586944
NO. UNITS : 24133632
=================================
ID : HIDDEN (0xd)
DEVICE : MMC
FIRST UNIT : 29720576
NO. UNITS : 1048576
=================================
loke_init: j4fs_open..success
<start_checksum:1033>CHECKSUM_HEADER_SECTOR :42
<start_checksum:1035>offset:42, size:1024
Not Need Movinand Checksum
load_lfs_parameters valid magic code and version.
switch_sel_str='1'
load_debug_level: read debug level successfully(0x574f4c44)...LOW
init_ddi_data: usable ddi data.
init_fuel_gauge : not por status
fuel_gauge_get_version: [1]=0, [0]=92
init_fuel_gauge: vcell = 3670 mV, vfocv = 3785 mV, soc = 37
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
1227 = (365000 - 356525)*14484/100000
[14] 368610 = (1227 * 100000) / 32927 + 364884
init_microusb_ic: MUIC: CONTROL1:0x0
init_microusb_ic: MUIC: CONTROL1:0x0
init_microusb_ic: MUIC: CONTROL2:0x3a
init_microusb_ic: MUIC: CONTROL2:0x3a
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQSRC = 0x0
PMIC_IRQ1 = 0x8b
PMIC_IRQ2 = 0x1c
PMIC_IRQ3 = 0x0
PMIC_IRQ4 = 0x11
PMIC_STATUS1 = 0x1
PMIC_STATUS2 = 0x10
PMIC_STATUS3 = 0x0
PMIC_STATUS4 = 0x0
bootloader base address=0x4d400000
LPDDR0 1st. cached=0x40000000, size=0xe400000
LPDDR0 non-cached=0x4e400000, size=0xa00000
LPDDR0 2nd. cached=0x4ee00000, size=0x1200000
RST_STAT = 0x10000
get_hwrev() = 14
board_process_platform: MAGIC c0c080c0 at 40000000!
scan_keypad_level: pressed key is 2
scan_keypad_level: pressed key is 2
scan_keypad_level: pressed key is 2
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
hw_pm_status: jig_status = 0, chg_status = 0
.....kernel is non signed binary.
DISPLAY_PATH_SEL[MDNIE 0x1]is on
div:2, FB_SOURCE_CLOCK:667000000, FB_PIXEL_CLOCK:25067520
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Autoboot (0 seconds) in progress, press any key to stop
boot_kernel: debug level low!
checkbit: find RECOVERY
checkbit (0)
.....kernel is non signed binary.
ATAG_CORE: 5 54410001 0 0 0
MEMCONFIG: 20e01323 20e01323
ATAG_MEM: 4 54410002 10000000 40000000
ATAG_MEM: 4 54410002 10000000 50000000
ATAG_MEM: 4 54410002 10000000 60000000
ATAG_MEM: 4 54410002 10000000 70000000
ATAG_SERIAL: 4 54410006 4e02a76e 304d1941
ATAG_REVISION: 3 54410007 e
ATAG_CMDLINE: 37 54410009 'loglevel=4 console=ram sec_debug.enable=0 sec_debug.enable_user=0 c1_watchdog.sec_pet=5 [email protected] s3cfb.bootloaderfb=0x5ec00000 ld9040.get_lcdtype=0x0 consoleblank=0 lpj=3981312 vmalloc=144m'
ATAG_NONE: 0 0
Starting kernel at 0x40008000...

Juice Defender causing the problem?
I disabled Juice Defender last night and have gone all day without the phone locking up. Has anyone had problems with Juice Defender causing lock-ups coupled with excessive battery usage?

kali for note 10.1 why not us

Check this out: http://docs.kali.org/armel-armhf/kali-linux-on-galaxy-note
I looked over the recovery and thought it looked ok (though thats an area i usually leave to pros), and attempted to make a x86 image so altering
Code:
dd if=/dev/block/mmcblk0p6 of=recovery.img_orig
and
dd if=recovery.img of=/dev/block/mmcblk0p6
and inputting this
Code:
dd if=/dev/block/mmcblk0p11 of=recovery.img_orig
and
dd if=recovery.img of=/dev/block/mmcblk0p11
then I rebooted and it hung up at the samsung galaxy tab 3 screen
How hard would it be to rewrite the recovery image linked to there to work on our device. Or if its in good shape I guess i screwed up making my x86 image of Kali any input of on either subject would be appreciated.
Had an idea as soon as I reflash and reroot and download a couple more files and reboot and finish updating this laptop I'm working on, ill try to break my gtab again

You can't. Those versions of Kali is for ARM (armel = ARM soft-float / armhf = ARM hard-float), while the GTab3 10.1. is x86.
But you should be able to modify any x86 (tablet-)linux for use with GTab3 10.1

Setialpha said:
You can't. Those versions of Kali is for ARM (armel = ARM soft-float / armhf = ARM hard-float), while the GTab3 10.1. is x86.
But you should be able to modify any x86 (tablet-)linux for use with GTab3 10.1
Click to expand...
Click to collapse
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.

hey
xkwr27 said:
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.
Click to expand...
Click to collapse
are you still up for this ?
i tried the same thing, i also tried swapping out the zimage from the kali recovery with p5210 stock
then changed any mmcblk refs i found in the init and instead of screen hang got it reboot, [over and over]
but didn't catch. this is totally doable and i wish i'd found this thread before starting another on the same subject.
but anyway i could go on forever.....we need to recruit people somehow... i would like a setup on this
tab so i could distro hop like i used to on pc :good:

Yes I'm still down for this, I've been so busy with work, and keeping my car running(done with the car now, motor/Trans rebuild) since my last post. Now I have my days off if not totally free free enough to put a few hours into this on my days off. I also know 2 people who could help if I can convince them one a relative with a name in the security industry and the other a relatively new guy to all things computer but with a knack for finding fixes that will be a help but for tonight I'm going to compare the two recoveries side by side during break and take notes. Then tomorrow I am going to see if I can put those notes to good use after I get back from taking my daughter and wife blackberry picking on my father's land.i figure I'll start on it noonish us central time and keep you updated...

xkwr27 said:
Yes I'm still down for this, I've been so busy with work, and keeping my car running(done with the car now, motor/Trans rebuild) since my last post. Now I have my days off if not totally free free enough to put a few hours into this on my days off. I also know 2 people who could help if I can convince them one a relative with a name in the security industry and the other a relatively new guy to all things computer but with a knack for finding fixes that will be a help but for tonight I'm going to compare the two recoveries side by side during break and take notes. Then tomorrow I am going to see if I can put those notes to good use after I get back from taking my daughter and wife blackberry picking on my father's land.i figure I'll start on it noonish us central time and keep you updated...
Click to expand...
Click to collapse
good deal, okay noob warning, but gleefully brick happy tester here.
right now i on the samsung open source site looking p5210 but not sure which
git-hub isn't an option for me as my surviving pc is a bit screwy but i still want to see the source
and try to get what the devs are saying, anyway i'm glad to hear from you
just thought i'd let you in on what i'm up to. hope to get something working.
:good:
do i need to get ubuntu 64bit for kernel stuff?

If you plan to tear into the recovery.img you'll need linux I use debian or debian based distro's, but ubuntu will work just fine.

https://01.org/android-ia
Not sure if this site will help but i'll post it anyways
I'll keep trying to post useful stuff
http://forum.xda-developers.com/showthread.php?t=1916936
Hope this helps somehow
Can we not change the partitions to whatever sizes we want using ODIN and .pit files ? if yes then we can do ANYTHING
Excercise caution. This MAY have the pit file for our device
http://forum.xda-developers.com/showthread.php?t=2526119

hey
Nitro_123 said:
https://01.org/android-ia
Not sure if this site will help but i'll post it anyways
I'll keep trying to post useful stuff
http://forum.xda-developers.com/showthread.php?t=1916936
Hope this helps somehow
Can we not change the partitions to whatever sizes we want using ODIN and .pit files ? if yes then we can do ANYTHING
Excercise caution. This MAY have the pit file for our device
http://forum.xda-developers.com/showthread.php?t=2526119
Click to expand...
Click to collapse
cool :good: reading:good:
as for repartitiong hold off for now but, read this anyway,
copy every command you see and keep in organized file for reference
http://forum.xda-developers.com/showthread.php?t=1388996
this command in term should pull pit file [get it right,check,double,check,triple check] must su first i believe
dd if=/dev/block/mmcblk0 of=/sdcard/out.pit bs=8 count=481 skip=2176
to xkwr27 hi, you're comparing with stock recovery right?

In terms of custom bootloaders we could install grub onto the device. but first we need to figure out the boot order.
http://forum.xda-developers.com/showthread.php?t=1018862 This thread is an amazing thread for samsung related stuff but kind of off topic for us.
Is there any way of figuring out the way the device boots ?
Sorry for stressing boot order and stuff so much but I really think it's the key to everything.
If we install GRUB after that everything else will be a piece of cake.
http://www.gnu.org/software/grub/

hey
Nitro_123 said:
In terms of custom bootloaders we could install grub onto the device. but first we need to figure out the boot order.
http://forum.xda-developers.com/showthread.php?t=1018862 This thread is an amazing thread for samsung related stuff but kind of off topic for us.
Is there any way of figuring out the way the device boots ?
Sorry for stressing boot order and stuff so much but I really think it's the key to everything.
If we install GRUB after that everything else will be a piece of cake.
http://www.gnu.org/software/grub/
Click to expand...
Click to collapse
the boot sequence is more where my thinking is going to.
my understanding is there are three stages , power on the boot loader does it's work, the kernel get's up and lays out the ramdrive and hardware
and get's the usual/basic/expected linux stuff going [yes, linux is already present,a form of it anyway] and finally, the android user space stuff.
altering something in the process to halt/bypass that last stage and get to , for now at least, a command prompt is the thought.
the hardware hacking looks really neat and is a good find as far as gaining insight on the basic boot process so thank you for
pointing me to it. having no up to speed modern pc i'm left to do what i can on my tab and can't risk it. but i DID find a
a kernel/boot img pack/repack/editing setup that i'm already using on my tab!!!
the link is http://forum.xda-developers.com/showthread.php?t=2073775
read the op then go to my post on the last page.
grub would be sweet though, wouldn't it ?

round one
okay this is what i did today
swapped busybox [arm] for [x86]
added parted in bin
replaced symlink named mtab==>/proc/self/mounts with actual file
corrected [?] mmcblk,loop references in hooks/looproot
changed this in init to experiment [attempt to return to android if fail,] marked edit and commented
if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
#if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
# Nothing got mounted on /new_root. This is the end, we don't know what to do anymore
# We fall back into a shell, but the shell has now PID 1
# This way, manual recovery is still possible.
init=/init
# err "Failed to mount the real root device." [edit]
# echo "Bailing out, you are on your own. Good luck." [edit]
# echo [edit]
# launch_interactive_shell --exec [edit]
elif [ ! -x "/new_root${init}" ]; then
# Successfully mounted /new_root, but ${init} is missing
# The same logic as above applies
err "Root device mounted successfully, but ${init} does not exist."
echo "Bailing out, you are on your own. Good luck."
echo
launch_interactive_shell --exec
fi
swapped zimage [from stock reco]
added modules [from stock reco]
result=fail, continuous reboot, re-odin recovery
try again tomorrow [yawn] uploaded experiment, contains .img ramdisk.gz and zimage
okay upload fail, i'll try again tomorrow grrrr.

moonbutt74 said:
okay this is what i did today
swapped busybox [arm] for [x86]
added parted in bin
replaced symlink named mtab==>/proc/self/mounts with actual file
corrected [?] mmcblk,loop references in hooks/looproot
changed this in init to experiment [attempt to return to android if fail,] marked edit and commented
if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
#if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
# Nothing got mounted on /new_root. This is the end, we don't know what to do anymore
# We fall back into a shell, but the shell has now PID 1
# This way, manual recovery is still possible.
init=/init
# err "Failed to mount the real root device." [edit]
# echo "Bailing out, you are on your own. Good luck." [edit]
# echo [edit]
# launch_interactive_shell --exec [edit]
elif [ ! -x "/new_root${init}" ]; then
# Successfully mounted /new_root, but ${init} is missing
# The same logic as above applies
err "Root device mounted successfully, but ${init} does not exist."
echo "Bailing out, you are on your own. Good luck."
echo
launch_interactive_shell --exec
fi
swapped zimage [from stock reco]
added modules [from stock reco]
result=fail, continuous reboot, re-odin recovery
try again tomorrow [yawn] uploaded experiment, contains .img ramdisk.gz and zimage
okay upload fail, i'll try again tomorrow grrrr.
Click to expand...
Click to collapse
hahaha i wish you good luck

thanks
FurFur_ said:
hahaha i wish you good luck
Click to expand...
Click to collapse
i've been through roughly 17 different experiments by now
but i'm too stupid to quit so we'll see :laugh:
---------- Post added at 10:46 PM ---------- Previous post was at 10:38 PM ----------
xkwr27 said:
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.
Click to expand...
Click to collapse
so if i'm understanding this right the samsung bootloader [which we don't mess with....snicker]
is initiating the command which grabs the kernel and get's things rolling..?
even if i'm not right in the init.rc scripting language is there a means to repeat that process ===> initramfs,bzimage ?

Ok the 3 key combos tell the tablet what to do 1 is power only boots normal 2 is power + volume up boots recovery 3 is power + volume down boots to download mode (odin)... what offensive security did was rewrite the recovery.img so that instead of launching you to the normal recovery all it does is tells the tab to boot the kali img in /SdCard/ so if you just power up with combo 1 it should still boot normal and 3 should still put you in odin mode but 2 will tell the tab to boot kali instead so all we should need is busybox maybe , a x86 kali img and a recovery img similar to the offensive security one. That is why I'm working to pick this recovery.img apart.

hey
i flashed the image as is first ; mmcblk's dont matchup in hook/looproot ; corrected[?] them no dice
aside from zimage&module&busybox mixing and matching
i think something with the hooks is the stumper
this is the ramdisk, i wasn't sure if you were asking or me to crack the image open or not,
i was hoping you might have a handle on kernel command lines.
if it comes to kernel building/compiling i'm boned:crying:
if there's something you want me to try or test let me know. :good:
kernel command
no_console_suspend=1 console=null

xkwr27 said:
Ok the 3 key combos tell the tablet what to do 1 is power only boots normal 2 is power + volume up boots recovery 3 is power + volume down boots to download mode (odin)... what offensive security did was rewrite the recovery.img so that instead of launching you to the normal recovery all it does is tells the tab to boot the kali img in /SdCard/ so if you just power up with combo 1 it should still boot normal and 3 should still put you in odin mode but 2 will tell the tab to boot kali instead so all we should need is busybox maybe , a x86 kali img and a recovery img similar to the offensive security one. That is why I'm working to pick this recovery.img apart.
Click to expand...
Click to collapse
Mate that sounds very good I'm so busy with life nowadays Final year of school I don't know too much and I can't learn anything cause I have literally no time
I won't be posting too often Good luck with your project. Eager to see some success :fingers-crossed::good:

Santos10 Bootloader trace:
Code:
IA32 CPU Firmware
Copyright (C) 1999-2013, Intel Corporation. All rights reserved.
7[0;23r[24;75H[1K[24;1H[1mIntel(R) Atom(TM) Z2560 CPU FW 00.73 (INTELFDK)[0m8------------------------------>FOR Teewinot ONLY<-----------------------------
******************************************************************************
************** Customer release based on Rel 00.49 + TWN changes**************
**************** BZ=115220 Bypass time/date check for product ****************
****************** BZ=118523 Cold Reset on ExecuteOS failure *****************
****** BZ=124478[TW 346-500-676] Request for logging enhancement in IAFW *****
************* BZ=127192 Disable Active Refresh during JEDEC Init *************
******************* BZ=none include ucode patch M013065110E ******************
**************************** New in this code drop ***************************
***** BZ=none Changed trace to match TWN RAMDUMP application requirement *****
*************** BZ=none Removed UART and PTI HW output methods ***************
******** Short circuiting the emInit when a fixed battery is detected. *******
********************* Customization done 201308261512 MST ********************
******************************************************************************
[37;41m******************************INTEL CONFIDENTIAL******************************
[0m
0x1E, 0x20, 0x21,
ERROR:::::SPID Not Programmed, Fake data being used based on IFWI version
ERROR:::::SPID FRU Not Programmed, Fake data being used based on IFWI version
OSC_CLK3 defaults only
0x22,
OEM board; Skip spidBasedPanelNdxUpdate
0x23,
Forced Battery via SMIP FPO Bit 2
0x28, 0x2A, 0x2B, in csSFIDevsEntries, HW Id 0x0019
SFI Dev...PR3
in csSFIGpioEntries, HW Id 0x0019
SFIOEMBInit:tbl->spidTbl update
0x2C, 0x2D, 0x2F PostCodes Done
IA32 FW: CPU v000.073/00.49; SUPP v000.073/00.49; VH: 000.081/00.51
IA Timestamp: 2013.08.26:18.00 (INTELFDK)
SCU FW: ROM 177.000/B1.00; RT 033.046/21.2E
PUNIT FW: v160.064/A0.40
IFWI: v249.086/F9.56
PL: 0000010E
Config & PCB: OEM Platform, C, CLV+ B1, Samsung (01,00) SR 4Gb 1067 1GB
FHOB DW0/DW1: 00000104:00010140
I2C Expander: FFFFFFFC:0000000F
IA Options: 024020A1:00000000:03E00000:80005C00:00000101;1264
[OS HASH VERIFY] [EIST] [eMMC] [VALID BATT][WDT]
Loading OS...
pOsip = 1000000
-->OSIP verified
00000000 E0000000
[COLOR="Red"]Android COS path taken
E0000000 D303000A[/COLOR]
[COLOR="red"]Boot path override selected OS image 0[/COLOR] (OS Attribute 0x00, Reboot Reason 0x0A)
D303000A D303000A
Splash disabled in GCT
Splash display time: 2 ms
[COLOR="red"]-->Bootable OS image 0 found for requested type 2 [/COLOR](OSII attribute 0x00)
-->[COLOR="red"]Loading OS image 0 from eMMC block 0x00000032 to DRAM address 0x010FFE20[/COLOR]
-->Starting transfer of 0xA11 512-byte blocks to DRAM
-->Done loading OS Image to DRAM
-->platformConfigBuffer_pt.scuFhobDw0.osven != 0
-->osIndex: 0, Signed Image
OS image 0 PASSED verify
Booting COS
*********************************
Starting command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100
-
OSNIB.wakesrc = 0x3
OSNIB.RR = 0xA
Battery is high enough for normal boot
4166mV > 0mV
Ending command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100 androidboot.wakesrc=03 androidboot.mode=charger-
*********************************
WDT aka Timer7 setup
Warn Duration for Timer7: 00 seconds
Start Timer7 bit 0 -> 1: 00000000000000000000000000000000
[0;24r[24;1H[2KM
Calling OS entry point --> 0x01101000 ...
Using NEW OSHOB structure size = 176 bytes
OSNIB size = 32 bytes OEMNIB size = 64 bytes
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Watchdog Disabled!
usb is connected, skip to set uart path
__stmpe811_write : fail
MUIC: CONTROL1:0x00
MUIC: CONTROL1:0x00
MUIC: CONTROL2:0x3b
MUIC: CONTROL2:0x3b
[SCU_IPC_DEBUG] board ID: NOT_IDENTIFIED(8)
VERSION : 0xa501
mmc_read_ext_csd : ext_csd_rev = 0x7
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
!!!Enter 8 Bit mode.!!!
clt_mmc_init: mmc->capacity = 0x1d56000
[BOOT] RESETIRQ1=0x00 RESETIRQ2=0x00 (interrupt tree)
[BOOT] SCU_TR=0x00020013 IA_TR=0xffffffff (oshob)
[BOOT] RR=0x00 WD=0x00 ALARM=0x00 (osnib)
[BOOT] WAKESRC=0x03 RESETIRQ1=0x20 RESETIRQ2=0x00 (osnib)
Samsung S-Boot 4.0-1816966 for GT-P5200 (Nov 26 2013 - 01:43:08)
CLT(EVT 0.0) / 1024MB / 15020MB / Rev 8 / P5200XXUAMK8
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (159:0xc)
PARAM ENV VERSION: v1.0..
pressed_key = 0x1
clt_charger_init : [battery] using external charger init(3)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
[check_cable_type] : Output of USB Charger Detection 3
[max77693_init_charger] : attached device(0x02) : TA
clt_max77693_set_charger_state: chg_cnfg_02 (0x1f) -> (0x1f) -> (0x1f)
clt_max77693_set_charger_state: chg_cnfg_03 (0x00) -> (0x00) -> (0x00)
clt_max77693_set_charger_state: chg_cnfg_04 (0xdd) -> (0xdd) -> (0xdd)
clt_max77693_set_charger_state: chg_cnfg_09 (0x64) -> (0x64) -> (0x64)
set_charger_state : buck(1), chg(0), reg(0x04)
init_fuel_gauge: Start!!
[0] get_adc_battid() = 92
[1] get_adc_battid() = 92
[2] get_adc_battid() = 92
get_adc_battid() = 92
init_fuel_gauge: Battery type : SDI
init_fuel_gauge: Already initialized (0x32cd, SDI type)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
fuel_gauge_compensate_soc: Start!!
fuel_gauge_read_soc: SOC(73), data(0x491b)
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
calculate_table_soc: Get table SOC in case of charging!!
calculate_table_soc: i(1), vcell(4071), table_soc(88)
differ(15), table_soc(88), RepSOC(73)
clt_charger_init : cable_type(0x02)
set_charger_state : buck(1), chg(1), reg(0x05)
intel_scu_ipc_cmd_oemnib : done => 0x0
check_reboot_cmd: nCmd = 0 ... skip check_reboot_cmd
debug level = 0x4f4c
disable max77693 manual reset
clt_max77693_disable_manual_reset: set max77693 MANCTRL1 val = 0x4
clt_max77693_disable_manual_reset: read max77693 MANCTRL1 val = 0x4
disable PMIC cod off triggered by PWRBTN#: 6
do_keypad: 0x1
intel_scu_ipc_cmd_oemnib : done => 0x0
check_download: 0
Is_lpm_boot : boot-mode saved in param = 0
Is_lpm_boot : jig-on level = 0, ignore...
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
stat=0x1031f, adc=0x1f, chg=0x3, vbvolt=1, pinLevel=1
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
fuel_gauge_read_soc: SOC(73), data(0x491b)
check_low_battery : rb=0 jig=0
check_low_battery : v=4071 soc=73
skip check low battery
scr_draw_image: draw 'logo.jpg'...
read 'logo.jpg'(105420) completed.
<start_checksum:355>CHECKSUM_HEADER_SECTOR :4096
<start_checksum:357>offset:6144, size:6296
<start_checksum:361>CHECKSUM_HEADER_INFO : NeedChecksum:0 PartNo:27
Not Need Movinand Checksum
Movinand Checksum Confirmation Pass
load_kernel: loading boot image from 106496..
total size : 8495104
pit_check_signature (BOOT) valid.
Set valid sign flag
if_ddi_data: succeeded. (159:0xc)
BOOT_MAGIC == ANDROID!
CMDLINE LENGTH = 538
CMDLINE = init=/init console=sec_log_buf kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=santos103g sec_debug.level=0 loglevel=0 androidboot.debug_level=0x4f4c vmalloc=256m [email protected] sec_bootfb=0x3f000000 lcd_panel_id=0 androidboot.revision=8 switch_sel=3 cordon=615d013e557994c8ad53b3325c31b124 connie=GT-P5200_OPEN_EUR_cf878c59e3c2eeb1cdb40863938b834d androidboot.emmc_checksum=3 androidboot.bootloader=P5200XXUAMK8 androidboot.serialno=4300b61fdc125000 snd_soc_core.pmdown_time=1000 jig=0
Bootstub: map SFI MMAP to e820 table
add mmap: 0x00000000 0x00098000 1
add mmap: 0x00100000 0x00580000 2
add mmap: 0x00680000 0x00680000 1
add mmap: 0x00d00000 0x00300000 2
add mmap: 0x01000000 0x35ff0000 1
add mmap: 0x36ff0000 0x0090d000 2
add mmap: 0x378fd400 0x00100000 2
add mmap: 0x379fd400 0x02602000 1
add mmap: 0x3a000000 0x02200000 2
add mmap: 0x3c200000 0x02d00000 1
add mmap: 0x3ef00000 0x00100000 2
add mmap: 0x3f000000 0x01000000 2
add mmap: 0xfec00000 0x00001000 2
add mmap: 0xfee00000 0x00001000 2
add mmap: 0xff000000 0x01000000 2
IMR6 start=0x3a000000 end=0x3c1fffff
new mmap: 0x3a000000 0x02200000 2
IMR7 start=0x00100000 end=0x0067ffff
new mmap: 0x00100000 0x00580000 2
Final E820 table:
e820: 0x00000000 0x00098000 1
e820: 0x00100000 0x00580000 2
e820: 0x00680000 0x00680000 1
e820: 0x00d00000 0x00300000 2
e820: 0x01000000 0x35ff0000 1
e820: 0x36ff0000 0x0090d000 2
e820: 0x378fd400 0x00100000 2
e820: 0x379fd400 0x02602000 1
e820: 0x3a000000 0x02200000 2
e820: 0x3c200000 0x02d00000 1
e820: 0x3ef00000 0x00100000 2
e820: 0x3f000000 0x01000000 2
e820: 0xfec00000 0x00001000 2
e820: 0xfee00000 0x00001000 2
e820: 0xff000000 0x01000000 2
Final mb_mmap table:
mb_mmap: 0x00000000 0x00098000 1
mb_mmap: 0x00100000 0x00580000 0
mb_mmap: 0x00680000 0x00680000 1
mb_mmap: 0x00d00000 0x00300000 0
mb_mmap: 0x01000000 0x35ff0000 1
mb_mmap: 0x36ff0000 0x0090d000 0
mb_mmap: 0x378fd400 0x00100000 0
mb_mmap: 0x379fd400 0x02602000 1
mb_mmap: 0x3a000000 0x02200000 0
mb_mmap: 0x3c200000 0x02d00000 1
mb_mmap: 0x3ef00000 0x00100000 0
mb_mmap: 0x3f000000 0x01000000 0
mb_mmap: 0xfec00000 0x00001000 0
mb_mmap: 0xfee00000 0x00001000 0
mb_mmap: 0xff000000 0x01000000 0
Using bzImage to boot
Relocating initramfs to high memory ...
usb is connected, skip to set uart path
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Jump to kernel 32bit entry ...0x05003c00
I check interesting rows by red color. But there is easy way: need to compile x86 binaries and inject some code to twrp recovery. After that Linux OS must load from any img or partition on internal or external SD. Manual for coding this: link. This method accept to boot any second linux-based OS from any defined partition. It's on Russian - use translator to read.
Santos10 partiton table:
Code:
major minor #blocks name
7 0 61362 loop0
7 1 7308 loop1
179 0 15380480 mmcblk0
179 1 3072 mmcblk0p1
179 2 20480 mmcblk0p2
179 3 16384 mmcblk0p3
179 4 2048 mmcblk0p4
179 5 2048 mmcblk0p5
179 6 358400 mmcblk0p6
179 7 4096 mmcblk0p7
179 8 2416640 mmcblk0p8
179 9 12337152 mmcblk0p9
259 0 20480 mmcblk0p10
259 1 20480 mmcblk0p11
259 2 20480 mmcblk0p12
259 3 102400 mmcblk0p13
259 4 4096 mmcblk0p14
259 5 4096 mmcblk0p15
259 6 4096 mmcblk0p16
259 7 12288 mmcblk0p17
259 8 2048 mmcblk0p18
259 9 2048 mmcblk0p19
259 10 1024 mmcblk0p20
259 11 8192 mmcblk0p21
179 40 8192 mmcblk0gp0
179 30 1 mmcblk0rpmb
[COLOR="Red"]179 20 4096 mmcblk0boot1[/COLOR]
[COLOR="red"]179 10 4096 mmcblk0boot0[/COLOR]
252 0 307200 zram0
179 50 1955840 mmcblk1
179 51 1954816 mmcblk1p1
253 0 61362 dm-0
253 1 7308 dm-1]
Look at the red text i marked. I think we already have dual boot bootloader by Samsung.

Angel_666 said:
Santos10 Bootloader trace:
Code:
IA32 CPU Firmware
Copyright (C) 1999-2013, Intel Corporation. All rights reserved.
7Intel(R) Atom(TM) Z2560 CPU FW 00.73 (INTELFDK)8------------------------------>FOR Teewinot ONLY<-----------------------------
******************************************************************************
************** Customer release based on Rel 00.49 + TWN changes**************
**************** BZ=115220 Bypass time/date check for product ****************
****************** BZ=118523 Cold Reset on ExecuteOS failure *****************
****** BZ=124478[TW 346-500-676] Request for logging enhancement in IAFW *****
************* BZ=127192 Disable Active Refresh during JEDEC Init *************
******************* BZ=none include ucode patch M013065110E ******************
**************************** New in this code drop ***************************
***** BZ=none Changed trace to match TWN RAMDUMP application requirement *****
*************** BZ=none Removed UART and PTI HW output methods ***************
******** Short circuiting the emInit when a fixed battery is detected. *******
********************* Customization done 201308261512 MST ********************
******************************************************************************
******************************INTEL CONFIDENTIAL******************************

0x1E, 0x20, 0x21,
ERROR:::::SPID Not Programmed, Fake data being used based on IFWI version
ERROR:::::SPID FRU Not Programmed, Fake data being used based on IFWI version
OSC_CLK3 defaults only
0x22,
OEM board; Skip spidBasedPanelNdxUpdate
0x23,
Forced Battery via SMIP FPO Bit 2
0x28, 0x2A, 0x2B, in csSFIDevsEntries, HW Id 0x0019
SFI Dev...PR3
in csSFIGpioEntries, HW Id 0x0019
SFIOEMBInit:tbl->spidTbl update
0x2C, 0x2D, 0x2F PostCodes Done
IA32 FW: CPU v000.073/00.49; SUPP v000.073/00.49; VH: 000.081/00.51
IA Timestamp: 2013.08.26:18.00 (INTELFDK)
SCU FW: ROM 177.000/B1.00; RT 033.046/21.2E
PUNIT FW: v160.064/A0.40
IFWI: v249.086/F9.56
PL: 0000010E
Config & PCB: OEM Platform, C, CLV+ B1, Samsung (01,00) SR 4Gb 1067 1GB
FHOB DW0/DW1: 00000104:00010140
I2C Expander: FFFFFFFC:0000000F
IA Options: 024020A1:00000000:03E00000:80005C00:00000101;1264
[OS HASH VERIFY] [EIST] [eMMC] [VALID BATT][WDT]
Loading OS...
pOsip = 1000000
-->OSIP verified
00000000 E0000000
[COLOR="Red"]Android COS path taken
E0000000 D303000A[/COLOR]
[COLOR="red"]Boot path override selected OS image 0[/COLOR] (OS Attribute 0x00, Reboot Reason 0x0A)
D303000A D303000A
Splash disabled in GCT
Splash display time: 2 ms
[COLOR="red"]-->Bootable OS image 0 found for requested type 2 [/COLOR](OSII attribute 0x00)
-->[COLOR="red"]Loading OS image 0 from eMMC block 0x00000032 to DRAM address 0x010FFE20[/COLOR]
-->Starting transfer of 0xA11 512-byte blocks to DRAM
-->Done loading OS Image to DRAM
-->platformConfigBuffer_pt.scuFhobDw0.osven != 0
-->osIndex: 0, Signed Image
OS image 0 PASSED verify
Booting COS
*********************************
Starting command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100
-
OSNIB.wakesrc = 0x3
OSNIB.RR = 0xA
Battery is high enough for normal boot
4166mV > 0mV
Ending command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100 androidboot.wakesrc=03 androidboot.mode=charger-
*********************************
WDT aka Timer7 setup
Warn Duration for Timer7: 00 seconds
Start Timer7 bit 0 -> 1: 00000000000000000000000000000000
M
Calling OS entry point --> 0x01101000 ...
Using NEW OSHOB structure size = 176 bytes
OSNIB size = 32 bytes OEMNIB size = 64 bytes
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Watchdog Disabled!
usb is connected, skip to set uart path
__stmpe811_write : fail
MUIC: CONTROL1:0x00
MUIC: CONTROL1:0x00
MUIC: CONTROL2:0x3b
MUIC: CONTROL2:0x3b
[SCU_IPC_DEBUG] board ID: NOT_IDENTIFIED(8)
VERSION : 0xa501
mmc_read_ext_csd : ext_csd_rev = 0x7
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
!!!Enter 8 Bit mode.!!!
clt_mmc_init: mmc->capacity = 0x1d56000
[BOOT] RESETIRQ1=0x00 RESETIRQ2=0x00 (interrupt tree)
[BOOT] SCU_TR=0x00020013 IA_TR=0xffffffff (oshob)
[BOOT] RR=0x00 WD=0x00 ALARM=0x00 (osnib)
[BOOT] WAKESRC=0x03 RESETIRQ1=0x20 RESETIRQ2=0x00 (osnib)
Samsung S-Boot 4.0-1816966 for GT-P5200 (Nov 26 2013 - 01:43:08)
CLT(EVT 0.0) / 1024MB / 15020MB / Rev 8 / P5200XXUAMK8
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (159:0xc)
PARAM ENV VERSION: v1.0..
pressed_key = 0x1
clt_charger_init : [battery] using external charger init(3)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
[check_cable_type] : Output of USB Charger Detection 3
[max77693_init_charger] : attached device(0x02) : TA
clt_max77693_set_charger_state: chg_cnfg_02 (0x1f) -> (0x1f) -> (0x1f)
clt_max77693_set_charger_state: chg_cnfg_03 (0x00) -> (0x00) -> (0x00)
clt_max77693_set_charger_state: chg_cnfg_04 (0xdd) -> (0xdd) -> (0xdd)
clt_max77693_set_charger_state: chg_cnfg_09 (0x64) -> (0x64) -> (0x64)
set_charger_state : buck(1), chg(0), reg(0x04)
init_fuel_gauge: Start!!
[0] get_adc_battid() = 92
[1] get_adc_battid() = 92
[2] get_adc_battid() = 92
get_adc_battid() = 92
init_fuel_gauge: Battery type : SDI
init_fuel_gauge: Already initialized (0x32cd, SDI type)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
fuel_gauge_compensate_soc: Start!!
fuel_gauge_read_soc: SOC(73), data(0x491b)
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
calculate_table_soc: Get table SOC in case of charging!!
calculate_table_soc: i(1), vcell(4071), table_soc(88)
differ(15), table_soc(88), RepSOC(73)
clt_charger_init : cable_type(0x02)
set_charger_state : buck(1), chg(1), reg(0x05)
intel_scu_ipc_cmd_oemnib : done => 0x0
check_reboot_cmd: nCmd = 0 ... skip check_reboot_cmd
debug level = 0x4f4c
disable max77693 manual reset
clt_max77693_disable_manual_reset: set max77693 MANCTRL1 val = 0x4
clt_max77693_disable_manual_reset: read max77693 MANCTRL1 val = 0x4
disable PMIC cod off triggered by PWRBTN#: 6
do_keypad: 0x1
intel_scu_ipc_cmd_oemnib : done => 0x0
check_download: 0
Is_lpm_boot : boot-mode saved in param = 0
Is_lpm_boot : jig-on level = 0, ignore...
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
stat=0x1031f, adc=0x1f, chg=0x3, vbvolt=1, pinLevel=1
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
fuel_gauge_read_soc: SOC(73), data(0x491b)
check_low_battery : rb=0 jig=0
check_low_battery : v=4071 soc=73
skip check low battery
scr_draw_image: draw 'logo.jpg'...
read 'logo.jpg'(105420) completed.
<start_checksum:355>CHECKSUM_HEADER_SECTOR :4096
<start_checksum:357>offset:6144, size:6296
<start_checksum:361>CHECKSUM_HEADER_INFO : NeedChecksum:0 PartNo:27
Not Need Movinand Checksum
Movinand Checksum Confirmation Pass
load_kernel: loading boot image from 106496..
total size : 8495104
pit_check_signature (BOOT) valid.
Set valid sign flag
if_ddi_data: succeeded. (159:0xc)
BOOT_MAGIC == ANDROID!
CMDLINE LENGTH = 538
CMDLINE = init=/init console=sec_log_buf kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=santos103g sec_debug.level=0 loglevel=0 androidboot.debug_level=0x4f4c vmalloc=256m [email protected] sec_bootfb=0x3f000000 lcd_panel_id=0 androidboot.revision=8 switch_sel=3 cordon=615d013e557994c8ad53b3325c31b124 connie=GT-P5200_OPEN_EUR_cf878c59e3c2eeb1cdb40863938b834d androidboot.emmc_checksum=3 androidboot.bootloader=P5200XXUAMK8 androidboot.serialno=4300b61fdc125000 snd_soc_core.pmdown_time=1000 jig=0
Bootstub: map SFI MMAP to e820 table
add mmap: 0x00000000 0x00098000 1
add mmap: 0x00100000 0x00580000 2
add mmap: 0x00680000 0x00680000 1
add mmap: 0x00d00000 0x00300000 2
add mmap: 0x01000000 0x35ff0000 1
add mmap: 0x36ff0000 0x0090d000 2
add mmap: 0x378fd400 0x00100000 2
add mmap: 0x379fd400 0x02602000 1
add mmap: 0x3a000000 0x02200000 2
add mmap: 0x3c200000 0x02d00000 1
add mmap: 0x3ef00000 0x00100000 2
add mmap: 0x3f000000 0x01000000 2
add mmap: 0xfec00000 0x00001000 2
add mmap: 0xfee00000 0x00001000 2
add mmap: 0xff000000 0x01000000 2
IMR6 start=0x3a000000 end=0x3c1fffff
new mmap: 0x3a000000 0x02200000 2
IMR7 start=0x00100000 end=0x0067ffff
new mmap: 0x00100000 0x00580000 2
Final E820 table:
e820: 0x00000000 0x00098000 1
e820: 0x00100000 0x00580000 2
e820: 0x00680000 0x00680000 1
e820: 0x00d00000 0x00300000 2
e820: 0x01000000 0x35ff0000 1
e820: 0x36ff0000 0x0090d000 2
e820: 0x378fd400 0x00100000 2
e820: 0x379fd400 0x02602000 1
e820: 0x3a000000 0x02200000 2
e820: 0x3c200000 0x02d00000 1
e820: 0x3ef00000 0x00100000 2
e820: 0x3f000000 0x01000000 2
e820: 0xfec00000 0x00001000 2
e820: 0xfee00000 0x00001000 2
e820: 0xff000000 0x01000000 2
Final mb_mmap table:
mb_mmap: 0x00000000 0x00098000 1
mb_mmap: 0x00100000 0x00580000 0
mb_mmap: 0x00680000 0x00680000 1
mb_mmap: 0x00d00000 0x00300000 0
mb_mmap: 0x01000000 0x35ff0000 1
mb_mmap: 0x36ff0000 0x0090d000 0
mb_mmap: 0x378fd400 0x00100000 0
mb_mmap: 0x379fd400 0x02602000 1
mb_mmap: 0x3a000000 0x02200000 0
mb_mmap: 0x3c200000 0x02d00000 1
mb_mmap: 0x3ef00000 0x00100000 0
mb_mmap: 0x3f000000 0x01000000 0
mb_mmap: 0xfec00000 0x00001000 0
mb_mmap: 0xfee00000 0x00001000 0
mb_mmap: 0xff000000 0x01000000 0
Using bzImage to boot
Relocating initramfs to high memory ...
usb is connected, skip to set uart path
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Jump to kernel 32bit entry ...0x05003c00
I check interesting rows by red color. But there is easy way: need to compile x86 binaries an inject some code to twrp recovery. After that Linux OS must load from any img or partition on internal or external SD. Manual for coding this: link. It's on Russian - use translator to read.
Click to expand...
Click to collapse
Awesome work on that manual dude, now I have something to do while I'm at work bored... and we'll know what we can and can't remove/put in...

xkwr27 said:
Awesome work on that manual dude
Click to expand...
Click to collapse
If you mean manual on that site - it's not mine.
Post updated. Take a look at device partitions.

Xiaomi MI Box 3 MDZ-16-AB Boot Log and UART Location

Hey Guys,
I've been tinkering with my MI Box as I've been having packet loss issues with it, long story short its bricked, here is the bootlog + UART Pins if anyone is interested:
Boot Log:
Code:
TE: 98645
BL2 Built : 18:13:36, Jun 17 2016.
gxl g176ecdb - [email protected]
rn5t567_power_init
Board ID = 1
CPU clk: 1200MHz
DDR3 chl: Rank0+1 @ 912MHz - PASS
DQS-corr enabled
DDR scramble enabled
Rank0: 1024MB(auto)-2T-13
Rank1: 1024MB(auto)-2T-13
DataBus test pass!
AddrBus test pass!
-s
Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000
aml log : R1024 check pass!
New fip structure!
Load bl30 from eMMC, src: 0x00010200, des: 0x01700000, size: 0x0000d600
aml log : R1024 check pass!
Load bl31 from eMMC, src: 0x00020200, des: 0x01700000, size: 0x00014400
aml log : R1024 check pass!
Load bl32 from eMMC, src: 0x00038200, des: 0x01700000, size: 0x0002ee00
aml log : R1024 check pass!
Load bl33 from eMMC, src: 0x00068200, des: 0x01700000, size: 0x0007f800
aml log : R1024 check pass!
NOTICE: BL3-1: v1.0(debug):ed1aadc
NOTICE: BL3-1: Built : 11:06:24, May 31 2016
aml log : bl31 detect secure boot !
[Image: gxl_v1.1.3118-31ffc57 2016-09-27 10:04:49 [email protected]]
OPS=0x82
ef be ad de d f0 ad ba ef be ad de bl30:thermal init err
[0.626102 Inits done]
secure task start!
high task start!
low task start!
INFO: BL3-1: Initializing runtime services
INFO: BL3-1: Initializing BL3-2
INFO: BL3-2: ATOS-V1.4-gb959fd4 #13 Tue Sep 6 15:28:58 CST 2016 arm
INFO: BL3-2: chip version = RevA (21:A - 0:0)
INFO: BL3-2: crypto engine DMA
INFO: BL3-2: secure time TEE
INFO: BL3-1: Preparing for EL3 exit to normal world
INFO: BL3-1: Next image address = 0x1000000
INFO: BL3-1: Next image spsr = 0x3c9
U-Boot 2015.01-g57a5217-dirty (Jan 25 2017 - 11:17:54), Build: jenkins-Once_MP-750
DRAM: 2 GiB
Relocation Offset is: 76ef5000
register usb cfg[0][1] = 0000000077f64870
vpu: error: vpu: check dts: FDT_ERR_BADMAGIC, load default parameters
vpu: clk_level = 7
vpu: set clk: 666667000Hz, readback: 666660000Hz(0x300)
SARADC channel(1) is 0x1d2.
adcAvg hw_version is 353
MMC: aml_priv->desc_buf = 0x0000000073ef56e0
aml_priv->desc_buf = 0x0000000073ef7870
SDIO Port B: 0, SDIO Port C: 1
emmc/sd response timeout, cmd8, status=0x3ff2800
emmc/sd response timeout, cmd55, status=0x3ff2800
[mmc_init] mmc init success
mmc read lba=0x4000, blocks=0x400
start dts,buffer=0000000073ef9f30,dt_addr=0000000073ef9f30
parts: 12
00: cache 0000000010000000 2
01: logo 0000000000300000 1
02: encrypt 0000000000100000 1
03: recovery 0000000002000000 1
04: tee 0000000000800000 1
05: crypt 0000000002000000 1
06: misc 0000000002000000 1
07: boot 0000000001400000 1
08: system 0000000060000000 1
09: persist 0000000000800000 4
10: panic 0000000000400000 4
11: data ffffffffffffffff 4
get_dtb_struct: Get emmc dtb OK!
overide_emmc_partition_table: overide cache
[mmc_get_partition_table] skip partition cache.
Partition table get from SPL is :
name offset size flag
===================================================================================
0: bootloader 0 400000 0
1: reserved 400000 800000 0
2: cache c00000 10000000 2
3: env 10c00000 400000 0
4: logo 11000000 300000 1
5: encrypt 11300000 100000 1
6: recovery 11400000 2000000 1
7: tee 13400000 800000 1
8: crypt 13c00000 2000000 1
9: misc 15c00000 2000000 1
10: boot 17c00000 1400000 1
11: system 19000000 60000000 1
12: persist 79000000 800000 4
13: panic 79800000 400000 4
14: data 79c00000 158400000 4
mmc read lba=0x2000, blocks=0x2
mmc read lba=0x2002, blocks=0x2
mmc_read_partition_tbl: mmc read partition OK!
eMMC/TSD partition table have been checked OK!
mmc env offset: 0x10c00000
In: serial
Out: serial
Err: serial
reboot_mode=cold_boot
hardware_version =1
Saving Environment to aml-storage...
mmc env offset: 0x10c00000
Writing to MMC(1)... done
hpd_state=0
cvbs performance type = 6, table = 0
[store]To run cmd[emmc dtb_read 0x1000000 0x40000]
read emmc dtb
amlkey_init() enter!
[EFUSE_MSG]keynum is 4
[KM]Error:f[key_manage_query_size]L507:key[sn2] not programed yet
wipe_data=successful
wipe_cache=successful
Boot command:
Boot status:
Boot message
""
upgrade_step=2
[OSD]load fb addr from dts
[OSD]failed to get fb addr for logo
[OSD]use default fb_addr parameters
[OSD]fb_addr for logo: 0x3d800000
[OSD]load fb addr from dts
[OSD]failed to get fb addr for logo
[OSD]use default fb_addr parameters
[OSD]fb_addr for logo: 0x3d800000
[CANVAS]canvas init
[CANVAS]addr=0x3d800000 width=5760, height=2160
pull down bt_reset
pull up bt_reset
set hci reset
04 0e 04 01 03 0c 00
set scan parameters
04 0e 04 01 0b 20 00
set scan enable
04 0e 04 01 0c 20 00
pull down bt_enable
IR init done!
[imgread]szTimeStamp[2017012511355519]
[imgread]secureKernelImgSz=0x778000
aml log : R1024 check pass!
aml log : R1024 check pass!
aml log : R1024 check pass!
ee_gate_off ...
## Booting Android Image at 0x01080000 ...
reloc_addr =73f7a130
copy done
load dtb from 0x1000000 ......
Uncompressing Kernel Image ... OK
kernel loaded at 0x01080000, end = 0x01fa8620
Loading Ramdisk to 73e02000, end 73ee3000 ... OK
Loading Device Tree to 000000001fff4000, end 000000001fffff5e ... OK
Starting kernel ...
uboot time: 2832461 us
...
<See Attached>
UART Pins:
<See Attached>

You can hook the TX and RX lines into the 3.5mm headphone jack for easy UART use.
See attached

It turns out JTAG is enabled according to the Android dmesg log, this could mean a neat little BootROM dump...

Can someone makes a flash able rom for Almogic burning tool for mi tv box 3 mdz 16-ab?

Can you boot from usb device (libreelec)?

My mi tv box 3 is totally bricked no boot to recovery, only pc recognize like WorldCub device.

gyb001 said:
Can you boot from usb device (libreelec)?
Click to expand...
Click to collapse
I haven't looked at that yet, I don't really have any expirence playing with AMLogic SoCs, you can boot via USB? This would actually work if you can as I have boot.img and system...

(dylanger) said:
I haven't looked at that yet, I don't really have any expirence playing with AMLogic SoCs, you can boot via USB? This would actually work if you can as I have boot.img and system...
Click to expand...
Click to collapse
Thanks.
unfortunatelly i haven't img.
But i find intresting things
once#usb start
(Re)start USB...
USB0: USB3.0 XHCI init start
Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.00
This box have usb3?
Do you know how can i make full backup from emmc?
I think we can run somehow twrp with this env:
recovery_from_udisk=if fatload usb 0 ${loadaddr} aml_autoscript; then autoscr ${loadaddr}; fi;if fatload usb 0 ${loadaddr} recovery.img; then if fatload usb 0 ${dtb_mem_addr} dtb.img; then echo udisk dtb.img loaded; fi;bootm ${loadaddr};fi;

I won
amlogic login: root
Password:
Last login: Sat Nov 4 12:30:06 UTC 2017 on ttyS0
/etc/update-motd.d/30-sysinfo: line 37: read: read error: 0: Invalid argument
/etc/update-motd.d/30-sysinfo: line 38: [: -le: unary operator expected
____ ___
/ ___|/ _ \__ ____ ____ __
\___ \ (_) \ \/ /\ \/ /\ \/ /
___) \__, |> < > < > <
|____/ /_//_/\_\/_/\_\/_/\_\
Welcome to ARMBIAN 5.34 user-built Debian GNU/Linux 9 (stretch) 3.14.29
System load: 0.44 0.12 0.04 Up time: 0 min
Memory usage: 4 % of 1790MB IP:
Usage of /: 18% of 7.1G storage/: 56% of 128M
[email protected]:~# ls
fstab install.sh
[email protected]:~# uname -a
Linux amlogic 3.14.29 #108 SMP PREEMPT Sat Nov 4 14:50:04 MSK 2017 aarch64 GNU/Linux
[email protected]:~# cat /proc/cpuinfo
Processor : AArch64 Processor rev 4 (aarch64)
processor : 0
processor : 1
processor : 2
processor : 3
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: AArch64
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 4
Hardware : Amlogic
Serial : 210a82005fb86cbf061167e2b0552e2f
Revision : 020a

gyb001 said:
I won
amlogic login: root
Password:
Last login: Sat Nov 4 12:30:06 UTC 2017 on ttyS0
/etc/update-motd.d/30-sysinfo: line 37: read: read error: 0: Invalid argument
/etc/update-motd.d/30-sysinfo: line 38: [: -le: unary operator expected
____ ___
/ ___|/ _ \__ ____ ____ __
\___ \ (_) \ \/ /\ \/ /\ \/ /
___) \__, |> < > < > <
|____/ /_//_/\_\/_/\_\/_/\_\
Welcome to ARMBIAN 5.34 user-built Debian GNU/Linux 9 (stretch) 3.14.29
System load: 0.44 0.12 0.04 Up time: 0 min
Memory usage: 4 % of 1790MB IP:
Usage of /: 18% of 7.1G storage/: 56% of 128M
[email protected]:~# ls
fstab install.sh
[email protected]:~# uname -a
Linux amlogic 3.14.29 #108 SMP PREEMPT Sat Nov 4 14:50:04 MSK 2017 aarch64 GNU/Linux
[email protected]:~# cat /proc/cpuinfo
Processor : AArch64 Processor rev 4 (aarch64)
processor : 0
processor : 1
processor : 2
processor : 3
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: AArch64
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 4
Hardware : Amlogic
Serial : 210a82005fb86cbf061167e2b0552e2f
Revision : 020a
Click to expand...
Click to collapse
Woot! Nice work! So you've managed to boot into a Debian build? Damn nice work! Do you know if its possible to do that without having access to Android in the first place?
Like from UBOOT?

Yes i used to uart.
Write this command to uboot:
setenv bootcmd "run start_autoscript; run storeboot;"
setenv start_autoscript "if usb start ; then run start_usb_autoscript; fi; if mmcinfo; then run start_mmc_autoscript; fi;"
setenv start_mmc_autoscript "if fatload mmc 0 1020000 s905_autoscript; then autoscr 1020000; fi;"
setenv start_usb_autoscript "if fatload usb 0 1020000 s905_autoscript; then autoscr 1020000; fi; if fatload usb 1 1020000 s905_autoscript; then autoscr 1020000; fi; if fatload usb 2 1020000 s905_autoscript; then autoscr 1020000; fi; if fatload usb 3 1020000 s905_autoscript; then autoscr 1020000; fi;"
setenv upgrade_step "0"
saveenv
Click to expand...
Click to collapse
I'm not sure it necessary, but i set the selinux disabled.
Download and write the image to usb drive
https://yadi.sk/d/srrtn6kpnsKz2/Linux/ARMBIAN

gyb001 said:
Yes i used to uart.
Write this command to uboot:
I'm not sure it necessary, but i set the selinux disabled.
Download and write the image to usb drive
https://yadi.sk/d/srrtn6kpnsKz2/Linux/ARMBIAN
Click to expand...
Click to collapse
Can we use this image with Amlogic usb burning tool ?

venioni said:
Can we use this image with Amlogic usb burning tool ?
Click to expand...
Click to collapse
No, the image will not pass the burning tool vertify.
I think you can use the amlogic burning tool only with uart. In uboot write "update" command.

gyb001 said:
No, the image will not pass the burning tool vertify.
I think you can use the amlogic burning tool only with uart. In uboot write "update" command.
Click to expand...
Click to collapse
Can you help me to unbrick my mind that box 3 international?
is totally bricked,no boot to recovery mode.

venioni said:
Can you help me to unbrick my mind that box 3 international?
is totally bricked,no boot to recovery mode.
Click to expand...
Click to collapse
Unfortunately i don't know how its possibile, but That sure, you have to use u boot.
You should buy uart usb device. I have cp2102

gyb001 said:
Unfortunately i don't know how its possibile, but That sure, you have to use u boot.
You should buy uart usb device. I have cp2102
Click to expand...
Click to collapse
If i buy this uart usb device cp 2102 can you make a tutorial how can i use this to unbrick my mi tv box3 and what firmwares i need to do all this?

venioni said:
If i buy this uart usb device cp 2102 can you make a tutorial how can i use this to unbrick my mi tv box3 and what firmwares i need to do all this?
Click to expand...
Click to collapse
Now, i can boot only Armbian.

Stock rom img file
https://mega.nz/#F!BDRG3J4B!VZqB0qJ9fseMhy4Y8anIaA

gyb001 said:
Stock rom img file
https://mega.nz/#F!BDRG3J4B!VZqB0qJ9fseMhy4Y8anIaA
Click to expand...
Click to collapse
Can we flash this stock rom image with Almogic burning tool for unbrick mi tv box 3 ?

venioni said:
Can we flash this stock rom image with Almogic burning tool for unbrick mi tv box 3 ?
Click to expand...
Click to collapse
No.
You have to use uboot