kali for note 10.1 why not us - Galaxy Tab 3 10.1 Android Development

kali for note 10.1 why not us - Galaxy Tab 3 10.1 Android Development

Check this out: http://docs.kali.org/armel-armhf/kali-linux-on-galaxy-note
I looked over the recovery and thought it looked ok (though thats an area i usually leave to pros), and attempted to make a x86 image so altering
Code:
dd if=/dev/block/mmcblk0p6 of=recovery.img_orig
and
dd if=recovery.img of=/dev/block/mmcblk0p6
and inputting this
Code:
dd if=/dev/block/mmcblk0p11 of=recovery.img_orig
and
dd if=recovery.img of=/dev/block/mmcblk0p11
then I rebooted and it hung up at the samsung galaxy tab 3 screen
How hard would it be to rewrite the recovery image linked to there to work on our device. Or if its in good shape I guess i screwed up making my x86 image of Kali any input of on either subject would be appreciated.
Had an idea as soon as I reflash and reroot and download a couple more files and reboot and finish updating this laptop I'm working on, ill try to break my gtab again

You can't. Those versions of Kali is for ARM (armel = ARM soft-float / armhf = ARM hard-float), while the GTab3 10.1. is x86.
But you should be able to modify any x86 (tablet-)linux for use with GTab3 10.1

Setialpha said:
You can't. Those versions of Kali is for ARM (armel = ARM soft-float / armhf = ARM hard-float), while the GTab3 10.1. is x86.
But you should be able to modify any x86 (tablet-)linux for use with GTab3 10.1
Click to expand...
Click to collapse
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.

hey
xkwr27 said:
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.
Click to expand...
Click to collapse
are you still up for this ?
i tried the same thing, i also tried swapping out the zimage from the kali recovery with p5210 stock
then changed any mmcblk refs i found in the init and instead of screen hang got it reboot, [over and over]
but didn't catch. this is totally doable and i wish i'd found this thread before starting another on the same subject.
but anyway i could go on forever.....we need to recruit people somehow... i would like a setup on this
tab so i could distro hop like i used to on pc :good:

Yes I'm still down for this, I've been so busy with work, and keeping my car running(done with the car now, motor/Trans rebuild) since my last post. Now I have my days off if not totally free free enough to put a few hours into this on my days off. I also know 2 people who could help if I can convince them one a relative with a name in the security industry and the other a relatively new guy to all things computer but with a knack for finding fixes that will be a help but for tonight I'm going to compare the two recoveries side by side during break and take notes. Then tomorrow I am going to see if I can put those notes to good use after I get back from taking my daughter and wife blackberry picking on my father's land.i figure I'll start on it noonish us central time and keep you updated...

xkwr27 said:
Yes I'm still down for this, I've been so busy with work, and keeping my car running(done with the car now, motor/Trans rebuild) since my last post. Now I have my days off if not totally free free enough to put a few hours into this on my days off. I also know 2 people who could help if I can convince them one a relative with a name in the security industry and the other a relatively new guy to all things computer but with a knack for finding fixes that will be a help but for tonight I'm going to compare the two recoveries side by side during break and take notes. Then tomorrow I am going to see if I can put those notes to good use after I get back from taking my daughter and wife blackberry picking on my father's land.i figure I'll start on it noonish us central time and keep you updated...
Click to expand...
Click to collapse
good deal, okay noob warning, but gleefully brick happy tester here.
right now i on the samsung open source site looking p5210 but not sure which
git-hub isn't an option for me as my surviving pc is a bit screwy but i still want to see the source
and try to get what the devs are saying, anyway i'm glad to hear from you
just thought i'd let you in on what i'm up to. hope to get something working.
:good:
do i need to get ubuntu 64bit for kernel stuff?

If you plan to tear into the recovery.img you'll need linux I use debian or debian based distro's, but ubuntu will work just fine.

https://01.org/android-ia
Not sure if this site will help but i'll post it anyways
I'll keep trying to post useful stuff
http://forum.xda-developers.com/showthread.php?t=1916936
Hope this helps somehow
Can we not change the partitions to whatever sizes we want using ODIN and .pit files ? if yes then we can do ANYTHING
Excercise caution. This MAY have the pit file for our device
http://forum.xda-developers.com/showthread.php?t=2526119

hey
Nitro_123 said:
https://01.org/android-ia
Not sure if this site will help but i'll post it anyways
I'll keep trying to post useful stuff
http://forum.xda-developers.com/showthread.php?t=1916936
Hope this helps somehow
Can we not change the partitions to whatever sizes we want using ODIN and .pit files ? if yes then we can do ANYTHING
Excercise caution. This MAY have the pit file for our device
http://forum.xda-developers.com/showthread.php?t=2526119
Click to expand...
Click to collapse
cool :good: reading:good:
as for repartitiong hold off for now but, read this anyway,
copy every command you see and keep in organized file for reference
http://forum.xda-developers.com/showthread.php?t=1388996
this command in term should pull pit file [get it right,check,double,check,triple check] must su first i believe
dd if=/dev/block/mmcblk0 of=/sdcard/out.pit bs=8 count=481 skip=2176
to xkwr27 hi, you're comparing with stock recovery right?

In terms of custom bootloaders we could install grub onto the device. but first we need to figure out the boot order.
http://forum.xda-developers.com/showthread.php?t=1018862 This thread is an amazing thread for samsung related stuff but kind of off topic for us.
Is there any way of figuring out the way the device boots ?
Sorry for stressing boot order and stuff so much but I really think it's the key to everything.
If we install GRUB after that everything else will be a piece of cake.
http://www.gnu.org/software/grub/

hey
Nitro_123 said:
In terms of custom bootloaders we could install grub onto the device. but first we need to figure out the boot order.
http://forum.xda-developers.com/showthread.php?t=1018862 This thread is an amazing thread for samsung related stuff but kind of off topic for us.
Is there any way of figuring out the way the device boots ?
Sorry for stressing boot order and stuff so much but I really think it's the key to everything.
If we install GRUB after that everything else will be a piece of cake.
http://www.gnu.org/software/grub/
Click to expand...
Click to collapse
the boot sequence is more where my thinking is going to.
my understanding is there are three stages , power on the boot loader does it's work, the kernel get's up and lays out the ramdrive and hardware
and get's the usual/basic/expected linux stuff going [yes, linux is already present,a form of it anyway] and finally, the android user space stuff.
altering something in the process to halt/bypass that last stage and get to , for now at least, a command prompt is the thought.
the hardware hacking looks really neat and is a good find as far as gaining insight on the basic boot process so thank you for
pointing me to it. having no up to speed modern pc i'm left to do what i can on my tab and can't risk it. but i DID find a
a kernel/boot img pack/repack/editing setup that i'm already using on my tab!!!
the link is http://forum.xda-developers.com/showthread.php?t=2073775
read the op then go to my post on the last page.
grub would be sweet though, wouldn't it ?

round one
okay this is what i did today
swapped busybox [arm] for [x86]
added parted in bin
replaced symlink named mtab==>/proc/self/mounts with actual file
corrected [?] mmcblk,loop references in hooks/looproot
changed this in init to experiment [attempt to return to android if fail,] marked edit and commented
if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
#if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
# Nothing got mounted on /new_root. This is the end, we don't know what to do anymore
# We fall back into a shell, but the shell has now PID 1
# This way, manual recovery is still possible.
init=/init
# err "Failed to mount the real root device." [edit]
# echo "Bailing out, you are on your own. Good luck." [edit]
# echo [edit]
# launch_interactive_shell --exec [edit]
elif [ ! -x "/new_root${init}" ]; then
# Successfully mounted /new_root, but ${init} is missing
# The same logic as above applies
err "Root device mounted successfully, but ${init} does not exist."
echo "Bailing out, you are on your own. Good luck."
echo
launch_interactive_shell --exec
fi
swapped zimage [from stock reco]
added modules [from stock reco]
result=fail, continuous reboot, re-odin recovery
try again tomorrow [yawn] uploaded experiment, contains .img ramdisk.gz and zimage
okay upload fail, i'll try again tomorrow grrrr.

moonbutt74 said:
okay this is what i did today
swapped busybox [arm] for [x86]
added parted in bin
replaced symlink named mtab==>/proc/self/mounts with actual file
corrected [?] mmcblk,loop references in hooks/looproot
changed this in init to experiment [attempt to return to android if fail,] marked edit and commented
if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
#if [ "$(stat -c %D /)" = "$(stat -c %D /new_root)" ]; then
# Nothing got mounted on /new_root. This is the end, we don't know what to do anymore
# We fall back into a shell, but the shell has now PID 1
# This way, manual recovery is still possible.
init=/init
# err "Failed to mount the real root device." [edit]
# echo "Bailing out, you are on your own. Good luck." [edit]
# echo [edit]
# launch_interactive_shell --exec [edit]
elif [ ! -x "/new_root${init}" ]; then
# Successfully mounted /new_root, but ${init} is missing
# The same logic as above applies
err "Root device mounted successfully, but ${init} does not exist."
echo "Bailing out, you are on your own. Good luck."
echo
launch_interactive_shell --exec
fi
swapped zimage [from stock reco]
added modules [from stock reco]
result=fail, continuous reboot, re-odin recovery
try again tomorrow [yawn] uploaded experiment, contains .img ramdisk.gz and zimage
okay upload fail, i'll try again tomorrow grrrr.
Click to expand...
Click to collapse
hahaha i wish you good luck

thanks
FurFur_ said:
hahaha i wish you good luck
Click to expand...
Click to collapse
i've been through roughly 17 different experiments by now
but i'm too stupid to quit so we'll see :laugh:
---------- Post added at 10:46 PM ---------- Previous post was at 10:38 PM ----------
xkwr27 said:
So you obviously didn't read the whole post.
I know the note 10.1 is arm and the gtab 10.1 is x86 I attempted to make a .img from the x86 live disc which obviously failed
I really just wanted someone to glance over the recovery.img and say with better authority than me if Offensive Security's recovery img needed anything.
However i will take your advise and toy around with some other distros that are x86 tablet ready in conjunction with that recovery. It only takes 5 min to reflash anyway.
Click to expand...
Click to collapse
so if i'm understanding this right the samsung bootloader [which we don't mess with....snicker]
is initiating the command which grabs the kernel and get's things rolling..?
even if i'm not right in the init.rc scripting language is there a means to repeat that process ===> initramfs,bzimage ?

Ok the 3 key combos tell the tablet what to do 1 is power only boots normal 2 is power + volume up boots recovery 3 is power + volume down boots to download mode (odin)... what offensive security did was rewrite the recovery.img so that instead of launching you to the normal recovery all it does is tells the tab to boot the kali img in /SdCard/ so if you just power up with combo 1 it should still boot normal and 3 should still put you in odin mode but 2 will tell the tab to boot kali instead so all we should need is busybox maybe , a x86 kali img and a recovery img similar to the offensive security one. That is why I'm working to pick this recovery.img apart.

hey
i flashed the image as is first ; mmcblk's dont matchup in hook/looproot ; corrected[?] them no dice
aside from zimage&module&busybox mixing and matching
i think something with the hooks is the stumper
this is the ramdisk, i wasn't sure if you were asking or me to crack the image open or not,
i was hoping you might have a handle on kernel command lines.
if it comes to kernel building/compiling i'm boned:crying:
if there's something you want me to try or test let me know. :good:
kernel command
no_console_suspend=1 console=null

xkwr27 said:
Ok the 3 key combos tell the tablet what to do 1 is power only boots normal 2 is power + volume up boots recovery 3 is power + volume down boots to download mode (odin)... what offensive security did was rewrite the recovery.img so that instead of launching you to the normal recovery all it does is tells the tab to boot the kali img in /SdCard/ so if you just power up with combo 1 it should still boot normal and 3 should still put you in odin mode but 2 will tell the tab to boot kali instead so all we should need is busybox maybe , a x86 kali img and a recovery img similar to the offensive security one. That is why I'm working to pick this recovery.img apart.
Click to expand...
Click to collapse
Mate that sounds very good I'm so busy with life nowadays Final year of school I don't know too much and I can't learn anything cause I have literally no time
I won't be posting too often Good luck with your project. Eager to see some success :fingers-crossed::good:

Santos10 Bootloader trace:
Code:
IA32 CPU Firmware
Copyright (C) 1999-2013, Intel Corporation. All rights reserved.
7[0;23r[24;75H[1K[24;1H[1mIntel(R) Atom(TM) Z2560 CPU FW 00.73 (INTELFDK)[0m8------------------------------>FOR Teewinot ONLY<-----------------------------
******************************************************************************
************** Customer release based on Rel 00.49 + TWN changes**************
**************** BZ=115220 Bypass time/date check for product ****************
****************** BZ=118523 Cold Reset on ExecuteOS failure *****************
****** BZ=124478[TW 346-500-676] Request for logging enhancement in IAFW *****
************* BZ=127192 Disable Active Refresh during JEDEC Init *************
******************* BZ=none include ucode patch M013065110E ******************
**************************** New in this code drop ***************************
***** BZ=none Changed trace to match TWN RAMDUMP application requirement *****
*************** BZ=none Removed UART and PTI HW output methods ***************
******** Short circuiting the emInit when a fixed battery is detected. *******
********************* Customization done 201308261512 MST ********************
******************************************************************************
[37;41m******************************INTEL CONFIDENTIAL******************************
[0m
0x1E, 0x20, 0x21,
ERROR:::::SPID Not Programmed, Fake data being used based on IFWI version
ERROR:::::SPID FRU Not Programmed, Fake data being used based on IFWI version
OSC_CLK3 defaults only
0x22,
OEM board; Skip spidBasedPanelNdxUpdate
0x23,
Forced Battery via SMIP FPO Bit 2
0x28, 0x2A, 0x2B, in csSFIDevsEntries, HW Id 0x0019
SFI Dev...PR3
in csSFIGpioEntries, HW Id 0x0019
SFIOEMBInit:tbl->spidTbl update
0x2C, 0x2D, 0x2F PostCodes Done
IA32 FW: CPU v000.073/00.49; SUPP v000.073/00.49; VH: 000.081/00.51
IA Timestamp: 2013.08.26:18.00 (INTELFDK)
SCU FW: ROM 177.000/B1.00; RT 033.046/21.2E
PUNIT FW: v160.064/A0.40
IFWI: v249.086/F9.56
PL: 0000010E
Config & PCB: OEM Platform, C, CLV+ B1, Samsung (01,00) SR 4Gb 1067 1GB
FHOB DW0/DW1: 00000104:00010140
I2C Expander: FFFFFFFC:0000000F
IA Options: 024020A1:00000000:03E00000:80005C00:00000101;1264
[OS HASH VERIFY] [EIST] [eMMC] [VALID BATT][WDT]
Loading OS...
pOsip = 1000000
-->OSIP verified
00000000 E0000000
[COLOR="Red"]Android COS path taken
E0000000 D303000A[/COLOR]
[COLOR="red"]Boot path override selected OS image 0[/COLOR] (OS Attribute 0x00, Reboot Reason 0x0A)
D303000A D303000A
Splash disabled in GCT
Splash display time: 2 ms
[COLOR="red"]-->Bootable OS image 0 found for requested type 2 [/COLOR](OSII attribute 0x00)
-->[COLOR="red"]Loading OS image 0 from eMMC block 0x00000032 to DRAM address 0x010FFE20[/COLOR]
-->Starting transfer of 0xA11 512-byte blocks to DRAM
-->Done loading OS Image to DRAM
-->platformConfigBuffer_pt.scuFhobDw0.osven != 0
-->osIndex: 0, Signed Image
OS image 0 PASSED verify
Booting COS
*********************************
Starting command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100
-
OSNIB.wakesrc = 0x3
OSNIB.RR = 0xA
Battery is high enough for normal boot
4166mV > 0mV
Ending command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100 androidboot.wakesrc=03 androidboot.mode=charger-
*********************************
WDT aka Timer7 setup
Warn Duration for Timer7: 00 seconds
Start Timer7 bit 0 -> 1: 00000000000000000000000000000000
[0;24r[24;1H[2KM
Calling OS entry point --> 0x01101000 ...
Using NEW OSHOB structure size = 176 bytes
OSNIB size = 32 bytes OEMNIB size = 64 bytes
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Watchdog Disabled!
usb is connected, skip to set uart path
__stmpe811_write : fail
MUIC: CONTROL1:0x00
MUIC: CONTROL1:0x00
MUIC: CONTROL2:0x3b
MUIC: CONTROL2:0x3b
[SCU_IPC_DEBUG] board ID: NOT_IDENTIFIED(8)
VERSION : 0xa501
mmc_read_ext_csd : ext_csd_rev = 0x7
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
!!!Enter 8 Bit mode.!!!
clt_mmc_init: mmc->capacity = 0x1d56000
[BOOT] RESETIRQ1=0x00 RESETIRQ2=0x00 (interrupt tree)
[BOOT] SCU_TR=0x00020013 IA_TR=0xffffffff (oshob)
[BOOT] RR=0x00 WD=0x00 ALARM=0x00 (osnib)
[BOOT] WAKESRC=0x03 RESETIRQ1=0x20 RESETIRQ2=0x00 (osnib)
Samsung S-Boot 4.0-1816966 for GT-P5200 (Nov 26 2013 - 01:43:08)
CLT(EVT 0.0) / 1024MB / 15020MB / Rev 8 / P5200XXUAMK8
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (159:0xc)
PARAM ENV VERSION: v1.0..
pressed_key = 0x1
clt_charger_init : [battery] using external charger init(3)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
[check_cable_type] : Output of USB Charger Detection 3
[max77693_init_charger] : attached device(0x02) : TA
clt_max77693_set_charger_state: chg_cnfg_02 (0x1f) -> (0x1f) -> (0x1f)
clt_max77693_set_charger_state: chg_cnfg_03 (0x00) -> (0x00) -> (0x00)
clt_max77693_set_charger_state: chg_cnfg_04 (0xdd) -> (0xdd) -> (0xdd)
clt_max77693_set_charger_state: chg_cnfg_09 (0x64) -> (0x64) -> (0x64)
set_charger_state : buck(1), chg(0), reg(0x04)
init_fuel_gauge: Start!!
[0] get_adc_battid() = 92
[1] get_adc_battid() = 92
[2] get_adc_battid() = 92
get_adc_battid() = 92
init_fuel_gauge: Battery type : SDI
init_fuel_gauge: Already initialized (0x32cd, SDI type)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
fuel_gauge_compensate_soc: Start!!
fuel_gauge_read_soc: SOC(73), data(0x491b)
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
calculate_table_soc: Get table SOC in case of charging!!
calculate_table_soc: i(1), vcell(4071), table_soc(88)
differ(15), table_soc(88), RepSOC(73)
clt_charger_init : cable_type(0x02)
set_charger_state : buck(1), chg(1), reg(0x05)
intel_scu_ipc_cmd_oemnib : done => 0x0
check_reboot_cmd: nCmd = 0 ... skip check_reboot_cmd
debug level = 0x4f4c
disable max77693 manual reset
clt_max77693_disable_manual_reset: set max77693 MANCTRL1 val = 0x4
clt_max77693_disable_manual_reset: read max77693 MANCTRL1 val = 0x4
disable PMIC cod off triggered by PWRBTN#: 6
do_keypad: 0x1
intel_scu_ipc_cmd_oemnib : done => 0x0
check_download: 0
Is_lpm_boot : boot-mode saved in param = 0
Is_lpm_boot : jig-on level = 0, ignore...
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
stat=0x1031f, adc=0x1f, chg=0x3, vbvolt=1, pinLevel=1
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
fuel_gauge_read_soc: SOC(73), data(0x491b)
check_low_battery : rb=0 jig=0
check_low_battery : v=4071 soc=73
skip check low battery
scr_draw_image: draw 'logo.jpg'...
read 'logo.jpg'(105420) completed.
<start_checksum:355>CHECKSUM_HEADER_SECTOR :4096
<start_checksum:357>offset:6144, size:6296
<start_checksum:361>CHECKSUM_HEADER_INFO : NeedChecksum:0 PartNo:27
Not Need Movinand Checksum
Movinand Checksum Confirmation Pass
load_kernel: loading boot image from 106496..
total size : 8495104
pit_check_signature (BOOT) valid.
Set valid sign flag
if_ddi_data: succeeded. (159:0xc)
BOOT_MAGIC == ANDROID!
CMDLINE LENGTH = 538
CMDLINE = init=/init console=sec_log_buf kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=santos103g sec_debug.level=0 loglevel=0 androidboot.debug_level=0x4f4c vmalloc=256m [email protected] sec_bootfb=0x3f000000 lcd_panel_id=0 androidboot.revision=8 switch_sel=3 cordon=615d013e557994c8ad53b3325c31b124 connie=GT-P5200_OPEN_EUR_cf878c59e3c2eeb1cdb40863938b834d androidboot.emmc_checksum=3 androidboot.bootloader=P5200XXUAMK8 androidboot.serialno=4300b61fdc125000 snd_soc_core.pmdown_time=1000 jig=0
Bootstub: map SFI MMAP to e820 table
add mmap: 0x00000000 0x00098000 1
add mmap: 0x00100000 0x00580000 2
add mmap: 0x00680000 0x00680000 1
add mmap: 0x00d00000 0x00300000 2
add mmap: 0x01000000 0x35ff0000 1
add mmap: 0x36ff0000 0x0090d000 2
add mmap: 0x378fd400 0x00100000 2
add mmap: 0x379fd400 0x02602000 1
add mmap: 0x3a000000 0x02200000 2
add mmap: 0x3c200000 0x02d00000 1
add mmap: 0x3ef00000 0x00100000 2
add mmap: 0x3f000000 0x01000000 2
add mmap: 0xfec00000 0x00001000 2
add mmap: 0xfee00000 0x00001000 2
add mmap: 0xff000000 0x01000000 2
IMR6 start=0x3a000000 end=0x3c1fffff
new mmap: 0x3a000000 0x02200000 2
IMR7 start=0x00100000 end=0x0067ffff
new mmap: 0x00100000 0x00580000 2
Final E820 table:
e820: 0x00000000 0x00098000 1
e820: 0x00100000 0x00580000 2
e820: 0x00680000 0x00680000 1
e820: 0x00d00000 0x00300000 2
e820: 0x01000000 0x35ff0000 1
e820: 0x36ff0000 0x0090d000 2
e820: 0x378fd400 0x00100000 2
e820: 0x379fd400 0x02602000 1
e820: 0x3a000000 0x02200000 2
e820: 0x3c200000 0x02d00000 1
e820: 0x3ef00000 0x00100000 2
e820: 0x3f000000 0x01000000 2
e820: 0xfec00000 0x00001000 2
e820: 0xfee00000 0x00001000 2
e820: 0xff000000 0x01000000 2
Final mb_mmap table:
mb_mmap: 0x00000000 0x00098000 1
mb_mmap: 0x00100000 0x00580000 0
mb_mmap: 0x00680000 0x00680000 1
mb_mmap: 0x00d00000 0x00300000 0
mb_mmap: 0x01000000 0x35ff0000 1
mb_mmap: 0x36ff0000 0x0090d000 0
mb_mmap: 0x378fd400 0x00100000 0
mb_mmap: 0x379fd400 0x02602000 1
mb_mmap: 0x3a000000 0x02200000 0
mb_mmap: 0x3c200000 0x02d00000 1
mb_mmap: 0x3ef00000 0x00100000 0
mb_mmap: 0x3f000000 0x01000000 0
mb_mmap: 0xfec00000 0x00001000 0
mb_mmap: 0xfee00000 0x00001000 0
mb_mmap: 0xff000000 0x01000000 0
Using bzImage to boot
Relocating initramfs to high memory ...
usb is connected, skip to set uart path
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Jump to kernel 32bit entry ...0x05003c00
I check interesting rows by red color. But there is easy way: need to compile x86 binaries and inject some code to twrp recovery. After that Linux OS must load from any img or partition on internal or external SD. Manual for coding this: link. This method accept to boot any second linux-based OS from any defined partition. It's on Russian - use translator to read.
Santos10 partiton table:
Code:
major minor #blocks name
7 0 61362 loop0
7 1 7308 loop1
179 0 15380480 mmcblk0
179 1 3072 mmcblk0p1
179 2 20480 mmcblk0p2
179 3 16384 mmcblk0p3
179 4 2048 mmcblk0p4
179 5 2048 mmcblk0p5
179 6 358400 mmcblk0p6
179 7 4096 mmcblk0p7
179 8 2416640 mmcblk0p8
179 9 12337152 mmcblk0p9
259 0 20480 mmcblk0p10
259 1 20480 mmcblk0p11
259 2 20480 mmcblk0p12
259 3 102400 mmcblk0p13
259 4 4096 mmcblk0p14
259 5 4096 mmcblk0p15
259 6 4096 mmcblk0p16
259 7 12288 mmcblk0p17
259 8 2048 mmcblk0p18
259 9 2048 mmcblk0p19
259 10 1024 mmcblk0p20
259 11 8192 mmcblk0p21
179 40 8192 mmcblk0gp0
179 30 1 mmcblk0rpmb
[COLOR="Red"]179 20 4096 mmcblk0boot1[/COLOR]
[COLOR="red"]179 10 4096 mmcblk0boot0[/COLOR]
252 0 307200 zram0
179 50 1955840 mmcblk1
179 51 1954816 mmcblk1p1
253 0 61362 dm-0
253 1 7308 dm-1]
Look at the red text i marked. I think we already have dual boot bootloader by Samsung.

Angel_666 said:
Santos10 Bootloader trace:
Code:
IA32 CPU Firmware
Copyright (C) 1999-2013, Intel Corporation. All rights reserved.
7[0;23r[24;75H[1K[24;1H[1mIntel(R) Atom(TM) Z2560 CPU FW 00.73 (INTELFDK)[0m8------------------------------>FOR Teewinot ONLY<-----------------------------
******************************************************************************
************** Customer release based on Rel 00.49 + TWN changes**************
**************** BZ=115220 Bypass time/date check for product ****************
****************** BZ=118523 Cold Reset on ExecuteOS failure *****************
****** BZ=124478[TW 346-500-676] Request for logging enhancement in IAFW *****
************* BZ=127192 Disable Active Refresh during JEDEC Init *************
******************* BZ=none include ucode patch M013065110E ******************
**************************** New in this code drop ***************************
***** BZ=none Changed trace to match TWN RAMDUMP application requirement *****
*************** BZ=none Removed UART and PTI HW output methods ***************
******** Short circuiting the emInit when a fixed battery is detected. *******
********************* Customization done 201308261512 MST ********************
******************************************************************************
[37;41m******************************INTEL CONFIDENTIAL******************************
[0m
0x1E, 0x20, 0x21,
ERROR:::::SPID Not Programmed, Fake data being used based on IFWI version
ERROR:::::SPID FRU Not Programmed, Fake data being used based on IFWI version
OSC_CLK3 defaults only
0x22,
OEM board; Skip spidBasedPanelNdxUpdate
0x23,
Forced Battery via SMIP FPO Bit 2
0x28, 0x2A, 0x2B, in csSFIDevsEntries, HW Id 0x0019
SFI Dev...PR3
in csSFIGpioEntries, HW Id 0x0019
SFIOEMBInit:tbl->spidTbl update
0x2C, 0x2D, 0x2F PostCodes Done
IA32 FW: CPU v000.073/00.49; SUPP v000.073/00.49; VH: 000.081/00.51
IA Timestamp: 2013.08.26:18.00 (INTELFDK)
SCU FW: ROM 177.000/B1.00; RT 033.046/21.2E
PUNIT FW: v160.064/A0.40
IFWI: v249.086/F9.56
PL: 0000010E
Config & PCB: OEM Platform, C, CLV+ B1, Samsung (01,00) SR 4Gb 1067 1GB
FHOB DW0/DW1: 00000104:00010140
I2C Expander: FFFFFFFC:0000000F
IA Options: 024020A1:00000000:03E00000:80005C00:00000101;1264
[OS HASH VERIFY] [EIST] [eMMC] [VALID BATT][WDT]
Loading OS...
pOsip = 1000000
-->OSIP verified
00000000 E0000000
[COLOR="Red"]Android COS path taken
E0000000 D303000A[/COLOR]
[COLOR="red"]Boot path override selected OS image 0[/COLOR] (OS Attribute 0x00, Reboot Reason 0x0A)
D303000A D303000A
Splash disabled in GCT
Splash display time: 2 ms
[COLOR="red"]-->Bootable OS image 0 found for requested type 2 [/COLOR](OSII attribute 0x00)
-->[COLOR="red"]Loading OS image 0 from eMMC block 0x00000032 to DRAM address 0x010FFE20[/COLOR]
-->Starting transfer of 0xA11 512-byte blocks to DRAM
-->Done loading OS Image to DRAM
-->platformConfigBuffer_pt.scuFhobDw0.osven != 0
-->osIndex: 0, Signed Image
OS image 0 PASSED verify
Booting COS
*********************************
Starting command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100
-
OSNIB.wakesrc = 0x3
OSNIB.RR = 0xA
Battery is high enough for normal boot
4166mV > 0mV
Ending command line:
-init=/init pci=noearly console=ttyMFD2 console=ttyS0 console=logk0 earlyprintk=nologger loglevel=8 hsu_dma=7 kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=ctp_pr1 emmc_ipanic.ipanic_part_number=1 ip=50.0.0.2:50.0.0.1::255.255.255.0::usb0:on hsu_rx_wa g_android.fastboot=1 droidboot.scratch=100 androidboot.wakesrc=03 androidboot.mode=charger-
*********************************
WDT aka Timer7 setup
Warn Duration for Timer7: 00 seconds
Start Timer7 bit 0 -> 1: 00000000000000000000000000000000
[0;24r[24;1H[2KM
Calling OS entry point --> 0x01101000 ...
Using NEW OSHOB structure size = 176 bytes
OSNIB size = 32 bytes OEMNIB size = 64 bytes
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Watchdog Disabled!
usb is connected, skip to set uart path
__stmpe811_write : fail
MUIC: CONTROL1:0x00
MUIC: CONTROL1:0x00
MUIC: CONTROL2:0x3b
MUIC: CONTROL2:0x3b
[SCU_IPC_DEBUG] board ID: NOT_IDENTIFIED(8)
VERSION : 0xa501
mmc_read_ext_csd : ext_csd_rev = 0x7
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
!!!Enter 8 Bit mode.!!!
clt_mmc_init: mmc->capacity = 0x1d56000
[BOOT] RESETIRQ1=0x00 RESETIRQ2=0x00 (interrupt tree)
[BOOT] SCU_TR=0x00020013 IA_TR=0xffffffff (oshob)
[BOOT] RR=0x00 WD=0x00 ALARM=0x00 (osnib)
[BOOT] WAKESRC=0x03 RESETIRQ1=0x20 RESETIRQ2=0x00 (osnib)
Samsung S-Boot 4.0-1816966 for GT-P5200 (Nov 26 2013 - 01:43:08)
CLT(EVT 0.0) / 1024MB / 15020MB / Rev 8 / P5200XXUAMK8
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (159:0xc)
PARAM ENV VERSION: v1.0..
pressed_key = 0x1
clt_charger_init : [battery] using external charger init(3)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
[check_cable_type] : Output of USB Charger Detection 3
[max77693_init_charger] : attached device(0x02) : TA
clt_max77693_set_charger_state: chg_cnfg_02 (0x1f) -> (0x1f) -> (0x1f)
clt_max77693_set_charger_state: chg_cnfg_03 (0x00) -> (0x00) -> (0x00)
clt_max77693_set_charger_state: chg_cnfg_04 (0xdd) -> (0xdd) -> (0xdd)
clt_max77693_set_charger_state: chg_cnfg_09 (0x64) -> (0x64) -> (0x64)
set_charger_state : buck(1), chg(0), reg(0x04)
init_fuel_gauge: Start!!
[0] get_adc_battid() = 92
[1] get_adc_battid() = 92
[2] get_adc_battid() = 92
get_adc_battid() = 92
init_fuel_gauge: Battery type : SDI
init_fuel_gauge: Already initialized (0x32cd, SDI type)
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
fuel_gauge_compensate_soc: Start!!
fuel_gauge_read_soc: SOC(73), data(0x491b)
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
calculate_table_soc: Get table SOC in case of charging!!
calculate_table_soc: i(1), vcell(4071), table_soc(88)
differ(15), table_soc(88), RepSOC(73)
clt_charger_init : cable_type(0x02)
set_charger_state : buck(1), chg(1), reg(0x05)
intel_scu_ipc_cmd_oemnib : done => 0x0
check_reboot_cmd: nCmd = 0 ... skip check_reboot_cmd
debug level = 0x4f4c
disable max77693 manual reset
clt_max77693_disable_manual_reset: set max77693 MANCTRL1 val = 0x4
clt_max77693_disable_manual_reset: read max77693 MANCTRL1 val = 0x4
disable PMIC cod off triggered by PWRBTN#: 6
do_keypad: 0x1
intel_scu_ipc_cmd_oemnib : done => 0x0
check_download: 0
Is_lpm_boot : boot-mode saved in param = 0
Is_lpm_boot : jig-on level = 0, ignore...
STATUS1:0x3f, 2:0x43
vbvolt=0x1, chgtyp=0x3, adc=0x1f, ret=0x1031f
stat=0x1031f, adc=0x1f, chg=0x3, vbvolt=1, pinLevel=1
fuel_gauge_read_vcell: VCELL(4071), data(0xcb92)
fuel_gauge_read_soc: SOC(73), data(0x491b)
check_low_battery : rb=0 jig=0
check_low_battery : v=4071 soc=73
skip check low battery
scr_draw_image: draw 'logo.jpg'...
read 'logo.jpg'(105420) completed.
<start_checksum:355>CHECKSUM_HEADER_SECTOR :4096
<start_checksum:357>offset:6144, size:6296
<start_checksum:361>CHECKSUM_HEADER_INFO : NeedChecksum:0 PartNo:27
Not Need Movinand Checksum
Movinand Checksum Confirmation Pass
load_kernel: loading boot image from 106496..
total size : 8495104
pit_check_signature (BOOT) valid.
Set valid sign flag
if_ddi_data: succeeded. (159:0xc)
BOOT_MAGIC == ANDROID!
CMDLINE LENGTH = 538
CMDLINE = init=/init console=sec_log_buf kmemleak=off ptrace.ptrace_can_access=1 androidboot.bootmedia=sdcard androidboot.hardware=santos103g sec_debug.level=0 loglevel=0 androidboot.debug_level=0x4f4c vmalloc=256m [email protected] sec_bootfb=0x3f000000 lcd_panel_id=0 androidboot.revision=8 switch_sel=3 cordon=615d013e557994c8ad53b3325c31b124 connie=GT-P5200_OPEN_EUR_cf878c59e3c2eeb1cdb40863938b834d androidboot.emmc_checksum=3 androidboot.bootloader=P5200XXUAMK8 androidboot.serialno=4300b61fdc125000 snd_soc_core.pmdown_time=1000 jig=0
Bootstub: map SFI MMAP to e820 table
add mmap: 0x00000000 0x00098000 1
add mmap: 0x00100000 0x00580000 2
add mmap: 0x00680000 0x00680000 1
add mmap: 0x00d00000 0x00300000 2
add mmap: 0x01000000 0x35ff0000 1
add mmap: 0x36ff0000 0x0090d000 2
add mmap: 0x378fd400 0x00100000 2
add mmap: 0x379fd400 0x02602000 1
add mmap: 0x3a000000 0x02200000 2
add mmap: 0x3c200000 0x02d00000 1
add mmap: 0x3ef00000 0x00100000 2
add mmap: 0x3f000000 0x01000000 2
add mmap: 0xfec00000 0x00001000 2
add mmap: 0xfee00000 0x00001000 2
add mmap: 0xff000000 0x01000000 2
IMR6 start=0x3a000000 end=0x3c1fffff
new mmap: 0x3a000000 0x02200000 2
IMR7 start=0x00100000 end=0x0067ffff
new mmap: 0x00100000 0x00580000 2
Final E820 table:
e820: 0x00000000 0x00098000 1
e820: 0x00100000 0x00580000 2
e820: 0x00680000 0x00680000 1
e820: 0x00d00000 0x00300000 2
e820: 0x01000000 0x35ff0000 1
e820: 0x36ff0000 0x0090d000 2
e820: 0x378fd400 0x00100000 2
e820: 0x379fd400 0x02602000 1
e820: 0x3a000000 0x02200000 2
e820: 0x3c200000 0x02d00000 1
e820: 0x3ef00000 0x00100000 2
e820: 0x3f000000 0x01000000 2
e820: 0xfec00000 0x00001000 2
e820: 0xfee00000 0x00001000 2
e820: 0xff000000 0x01000000 2
Final mb_mmap table:
mb_mmap: 0x00000000 0x00098000 1
mb_mmap: 0x00100000 0x00580000 0
mb_mmap: 0x00680000 0x00680000 1
mb_mmap: 0x00d00000 0x00300000 0
mb_mmap: 0x01000000 0x35ff0000 1
mb_mmap: 0x36ff0000 0x0090d000 0
mb_mmap: 0x378fd400 0x00100000 0
mb_mmap: 0x379fd400 0x02602000 1
mb_mmap: 0x3a000000 0x02200000 0
mb_mmap: 0x3c200000 0x02d00000 1
mb_mmap: 0x3ef00000 0x00100000 0
mb_mmap: 0x3f000000 0x01000000 0
mb_mmap: 0xfec00000 0x00001000 0
mb_mmap: 0xfee00000 0x00001000 0
mb_mmap: 0xff000000 0x01000000 0
Using bzImage to boot
Relocating initramfs to high memory ...
usb is connected, skip to set uart path
0xFF00_0510 FullChipRegister: Status flag = 0x0
0xFF10_0510 SCFabricRegister: Status flag = 0x0
Jump to kernel 32bit entry ...0x05003c00
I check interesting rows by red color. But there is easy way: need to compile x86 binaries an inject some code to twrp recovery. After that Linux OS must load from any img or partition on internal or external SD. Manual for coding this: link. It's on Russian - use translator to read.
Click to expand...
Click to collapse
Awesome work on that manual dude, now I have something to do while I'm at work bored... and we'll know what we can and can't remove/put in...

xkwr27 said:
Awesome work on that manual dude
Click to expand...
Click to collapse
If you mean manual on that site - it's not mine.
Post updated. Take a look at device partitions.

Related

UART Output/ Bootloader hacking/ Kernel Debugging on AT&T SGS2

Hey, one of my buddies got a SGS2. I was able to play with it for a bit. I sterilized the Serial numbers. This was recorded on Linux, then transfered to Windows, so the formatting was off. I had to use some Microsoft Word Regex in order to get it to format right.
here's the full UART Logs
http://pastebin.ubuntu.com/715171/
http://pastebin.ubuntu.com/715182/
Here's a single boot log
Code:
Welcome to Samsung Primitive Bootloader.
build time: Aug 27 2011 04:53:51
current time: f4/f/4 3f:69:11
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
<display_card_info:1009> ext_csd
<display_card_info:1011>card_size: 15028
Total Card Size: 15029 MByte
mmc_init: card initialization completed!
pbl found bootable sbl in #49152.
jump to sbl 0x4d400000.
Secondary Bootloader v3.1 version.
Copyright (C) 2011 System S/W Group. Samsung Electronics Co., Ltd.
Board: C1 REV 02 / Aug 27 2011 04:53:57
current time: f4/f/4 3f:69:11
booting code=0x0
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
CID:150100 56594c30 304d1926 b2473a8e
<display_card_info:1040> ext_csd
<display_card_info:1042>card_size: 15028
Total Card Size: 15029 MByte
Total Sector Count: 30777344
MoviNand Initialization Complete!
===== PARTITION INFORMATION =====
ID : GANG (0x0)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : BOOT (0x1)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : EFS (0x4)
DEVICE : MMC
FIRST UNIT : 8192
NO. UNITS : 40960
=================================
ID : SBL1 (0x2)
DEVICE : MMC
FIRST UNIT : 49152
NO. UNITS : 2560
=================================
ID : SBL2 (0x3)
DEVICE : MMC
FIRST UNIT : 53248
NO. UNITS : 2560
=================================
ID : PARAM (0x5)
DEVICE : MMC
FIRST UNIT : 57344
NO. UNITS : 16384
=================================
ID : KERNEL (0x6)
DEVICE : MMC
FIRST UNIT : 73728
NO. UNITS : 16384
=================================
ID : RECOVERY (0x7)
DEVICE : MMC
FIRST UNIT : 90112
NO. UNITS : 16384
=================================
ID : CACHE (0x8)
DEVICE : MMC
FIRST UNIT : 106496
NO. UNITS : 512000
=================================
ID : MODEM (0x9)
DEVICE : MMC
FIRST UNIT : 618496
NO. UNITS : 32768
=================================
ID : FACTORYFS (0xa)
DEVICE : MMC
FIRST UNIT : 651264
NO. UNITS : 1048576
=================================
ID : DATAFS (0xb)
DEVICE : MMC
FIRST UNIT : 1699840
NO. UNITS : 4194304
=================================
ID : UMS (0xc)
DEVICE : MMC
FIRST UNIT : 5894144
NO. UNITS : 23826432
=================================
ID : HIDDEN (0xd)
DEVICE : MMC
FIRST UNIT : 29720576
NO. UNITS : 1048576
=================================
loke_init: j4fs_open..success
<start_checksum:1033>CHECKSUM_HEADER_SECTOR :42
<start_checksum:1035>offset:42, size:1024
Not Need Movinand Checksum
load_lfs_parameters valid magic code and version.
switch_sel_str='6543 '
load_debug_level: read debug level successfully(0x574f4c44)...LOW
init_ddi_data: usable ddi data.
init_fuel_gauge : not por status
fuel_gauge_get_version: [1]=0, [0]=92
init_fuel_gauge: vcell = 3848 mV, vfocv = 3915 mV, soc = 66
init_fuel_gauge : check s/w reset (20000000) : use wide tolerance
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
6308 = (382800 - 337808)*14022/100000
[3] 388426 = (6308 * 100000) / 11164 + 331923
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL2:0x3a
init_microusb_ic: MUIC: CONTROL2:0x3a
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQSRC = 0x2
PMIC_IRQ1 = 0x33
PMIC_IRQ2 = 0x1b
PMIC_IRQ3 = 0x3
PMIC_IRQ4 = 0x11
PMIC_STATUS1 = 0x2
PMIC_STATUS2 = 0x17
PMIC_STATUS3 = 0x3
PMIC_STATUS4 = 0x2
bootloader base address=0x4d400000
LPDDR0 1st. cached=0x40000000, size=0xe400000
LPDDR0 non-cached=0x4e400000, size=0xa00000
LPDDR0 2nd. cached=0x4ee00000, size=0x1200000
RST_STAT = 0x20000000
get_hwrev() = 14
board_process_platform: MAGIC 0 at 40000000!
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
microusb_get_attached_device: STATUS1:0x3d, 2:0x40
hw_pm_status: jig_status = 1, chg_status = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
div:2, FB_SOURCE_CLOCK:667000000, FB_PIXEL_CLOCK:25067520
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Autoboot (0 seconds) in progress, press any key to stop
boot_kernel: debug level low!
checkbit: find RECOVERY
checkbit (0)
......ATAG_CORE: 5 54410001 0 0 0
MEMCONFIG: 20e01323 20e01323
ATAG_MEM: 4 54410002 10000000 40000000
ATAG_MEM: 4 54410002 10000000 50000000
ATAG_MEM: 4 54410002 10000000 60000000
ATAG_MEM: 4 54410002 10000000 70000000
ATAG_SERIAL:
ATAG_REVISION: 3 54410007 e
ATAG_CMDLINE: 39 54410009 'loglevel=4 console=ttySAC2,115200 sec_debug.enable=0 sec_debug.enable_user=0 c1_watchd ATAG_NONE: 0 0
Starting kernel at 0x40008000...
Uncompressing Linux... done, booting the kernel.
[ 0.000000] s3c_register_clksrc: clock armclk has no registers set
[ 0.000000] mout_audss: bad source 0
[ 0.000000] mem infor: bank0 start-> 0x40000000, bank0 size-> 0x10000000[30;89H[ 0.000000] bank1 start-> 0x50000000, bank1 size-> 0x10000000
[ 0.000000] CMA reserve : pmem, addr is 0x4fc00000, size is 0x400000
[ 0.000000] CMA reserve : pmem_gpu1, addr is 0x4f800000, size is 0x400000
[ 0.000000] CMA reserve : pmem_adsp, addr is 0x4f47c000, size is 0x384000
[ 0.000000] CMA reserve : fimd, addr is 0x4f17c000, size is 0x300000
[ 0.000000] CMA reserve : mfc0, addr is 0x4cd7c000, size is 0x2400000
[ 0.000000] CMA reserve : mfc1, addr is 0x4a97c000, size is 0x2400000
[ 0.000000] CMA reserve : fimc0, addr is 0x4a47c000, size is 0x500000
[ 0.000000] CMA reserve : fimc1, addr is 0x4967c000, size is 0xe00000
[ 0.000000] CMA reserve : fimc2, addr is 0x47e7c000, size is 0x1800000
[ 0.000000] CMA reserve : fimc3, addr is 0x4777c000, size is 0x700000
[ 0.000000] CMA reserve : srp, addr is 0x4767c000, size is 0x100000
[ 0.000000] CMA reserve : jpeg, addr is 0x4627c000, size is 0x1400000
[ 0.000000] CMA reserve : fimg2d, addr is 0x45a7c000, size is 0x800000
[ 0.000000] CMA reserve : (null), addr is 0x45a7c000, size is 0x0
[ 0.000000] (sec_debug_set_upload_magic) 66262564
[ 0.000000] (sec_debug_set_upload_cause) cafebabe
[ 0.121650] s5pv310_subrev: 1
[ 0.166379] ram_console: invalid start 0 or end 0
[ 0.251103] max8997 5-0066: max8997_irq_init: fail to read PMIC ID(-6)
[ 0.648050] [TSP] family = 0x81, variant = 0x1, version = 0x10, build = 170

Partition information
Code:
===== PARTITION INFORMATION =====
ID : GANG (0x0)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : BOOT (0x1)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : EFS (0x4)
DEVICE : MMC
FIRST UNIT : 8192
NO. UNITS : 40960
=================================
ID : SBL1 (0x2)
DEVICE : MMC
FIRST UNIT : 49152
NO. UNITS : 2560
=================================
ID : SBL2 (0x3)
DEVICE : MMC
FIRST UNIT : 53248
NO. UNITS : 2560
=================================
ID : PARAM (0x5)
DEVICE : MMC
FIRST UNIT : 57344
NO. UNITS : 16384
=================================
ID : KERNEL (0x6)
DEVICE : MMC
FIRST UNIT : 73728
NO. UNITS : 16384
=================================
ID : RECOVERY (0x7)
DEVICE : MMC
FIRST UNIT : 90112
NO. UNITS : 16384
=================================
ID : CACHE (0x8)
DEVICE : MMC
FIRST UNIT : 106496
NO. UNITS : 512000
=================================
ID : MODEM (0x9)
DEVICE : MMC
FIRST UNIT : 618496
NO. UNITS : 32768
=================================
ID : FACTORYFS (0xa)
DEVICE : MMC
FIRST UNIT : 651264
NO. UNITS : 1048576
=================================
ID : DATAFS (0xb)
DEVICE : MMC
FIRST UNIT : 1699840
NO. UNITS : 4194304
=================================
ID : UMS (0xc)
DEVICE : MMC
FIRST UNIT : 5894144
NO. UNITS : 23826432
=================================
ID : HIDDEN (0xd)
DEVICE : MMC
FIRST UNIT : 29720576
NO. UNITS : 1048576
=================================

SBL Commands
Code:
Following commands are supported:
* movichk
* setenv
* saveenv
* printenv
* help
* reset
* boot
* kernel
* loadpart
* loadkernel
* erasepart
* format
* open
* close
* eraseall
* showpart
* addpart
* delpart
* savepart
* nkernel
* nandread
* nandwrite
* usb
* crc
* log
* sud
* upload
* emmc
* keyread
* readadc
* mmctest
* usb_read
* usb_write
* fuelgauge
There's some new ones in this 3.1 version of Samsung SBL
* crc
* log
* sud
* upload
* emmc
I think Upload allows a dump of all partitions. Also, Keyread allows testing of button presses, Volume - =0 Volume + = 1, Power = 2

I couldn't get a FULL debug log in the time I had, but I managed to get some kernel output.
Code:
Starting kernel at 0x40008000...
Uncompressing Linux... done, booting the kernel.
[ 0.000000] s3c_register_clksrc: clock armclk has no registers set
[ 0.000000] mout_audss: bad source 0
[ 0.000000] mem infor: bank0 start-> 0x40000000, bank0 size-> 0x10000000[30;89H[ 0.000000] bank1 start-> 0x50000000, bank1 size-> 0x10000000
[ 0.000000] CMA reserve : pmem, addr is 0x4fc00000, size is 0x400000
[ 0.000000] CMA reserve : pmem_gpu1, addr is 0x4f800000, size is 0x400000
[ 0.000000] CMA reserve : pmem_adsp, addr is 0x4f47c000, size is 0x384000
[ 0.000000] CMA reserve : fimd, addr is 0x4f17c000, size is 0x300000
[ 0.000000] CMA reserve : mfc0, addr is 0x4cd7c000, size is 0x2400000
[ 0.000000] CMA reserve : mfc1, addr is 0x4a97c000, size is 0x2400000
[ 0.000000] CMA reserve : fimc0, addr is 0x4a47c000, size is 0x500000
[ 0.000000] CMA reserve : fimc1, addr is 0x4967c000, size is 0xe00000
[ 0.000000] CMA reserve : fimc2, addr is 0x47e7c000, size is 0x1800000
[ 0.000000] CMA reserve : fimc3, addr is 0x4777c000, size is 0x700000
[ 0.000000] CMA reserve : srp, addr is 0x4767c000, size is 0x100000
[ 0.000000] CMA reserve : jpeg, addr is 0x4627c000, size is 0x1400000
[ 0.000000] CMA reserve : fimg2d, addr is 0x45a7c000, size is 0x800000
[ 0.000000] CMA reserve : (null), addr is 0x45a7c000, size is 0x0
[ 0.000000] (sec_debug_set_upload_magic) 66262564
[ 0.000000] (sec_debug_set_upload_cause) cafebabe
[ 0.121650] s5pv310_subrev: 1
[ 0.166379] ram_console: invalid start 0 or end 0
[ 0.251103] max8997 5-0066: max8997_irq_init: fail to read PMIC ID(-6)
[ 0.648050] [TSP] family = 0x81, variant = 0x1, version = 0x10, build = 170

Would be interesting to see the logs from a boot with the flash counter incremented (yellow triangle) to see if it's logged and what it's keying on.

Hi Adam,
Nice to see u here on this forum , hope to see some of your great work here on S II.

This is only possible using UART.
Download Mode without having to accept wipe!
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Upload Mode
Stock PARAMS.lfs

othermark said:
Would be interesting to see the logs from a boot with the flash counter incremented (yellow triangle) to see if it's logged and what it's keying on.
Click to expand...
Click to collapse
You can reset the counter via UART

What ROM did you dump JH7/KJ1/KJ2 ?

AdamOutler said:
You can reset the counter via UART
Click to expand...
Click to collapse
Jig will reset it too - or will UART reset it even on the J2 bootloaders?

Entropy512 said:
Jig will reset it too - or will UART reset it even on the J2 bootloaders?
Click to expand...
Click to collapse
Can you flash back the J1 bootloader with ODIN? I'm willing to try this.

Another big player from the captivate scene......I feel more comfortable fashing the SGS2 now that AdamOutler is in the house to help clean up the mess lol

Yay, I'm the first dumbass to brick his I777. Kids, don't run the "emmc" command.
FWIW, when USB is connected and battery plugged in, I get this device:
Bus 001 Device 011: ID 04e8:1234 Samsung Electronics Co., Ltd
Which ModeDetect says is Unbrickable Debug mode...

Ah, I thought for a second I miss clicked forum and came to captivate one.
Happy to see you here, hope you will get your own attsgs2.
Thanks for spending time and sharing findings!
Sent from my SAMSUNG-SGH-I777 using xda premium

Entropy512 said:
Jig will reset it too - or will UART reset it even on the J2 bootloaders?
Click to expand...
Click to collapse
pokey9000 said:
Yay, I'm the first dumbass to brick his I777. Kids, don't run the "emmc" command.
FWIW, when USB is connected and battery plugged in, I get this device:
Bus 001 Device 011: ID 04e8:1234 Samsung Electronics Co., Ltd
Which ModeDetect says is Unbrickable Debug mode...
Click to expand...
Click to collapse
Yeah. So, you should try the SMDK Upload Tool.. this is good. this means you've established that UnBrickable Mod is possible on this device.
Now I need one for teardown.
Is it dead bricked? remove the battery and hold power for 10 seconds, then put back in the battery and hold it for 10 seconds. should turn on normally.

emmc usually means external MMC... try making a boot disk using the Fusing Tool. I bet it will work.

AdamOutler said:
emmc usually means external MMC... try making a boot disk using the Fusing Tool. I bet it will work.
Click to expand...
Click to collapse
I'm not sure what I'd put on the card to tell if it worked...

pokey9000 said:
Yeah. Nothing seems to bring it to life. Here's trying to send HIBL. It hangs after this. I didn't expect it to work...
$ ./smdk-usbdl -f HIBL.bin -a d0020000
SMDK42XX,S3C64XX USB Download Tool
Version 0.20 (c) 2004,2005,2006 Ben Dooks <[email protected]>
S3C64XX Detected!
=> found device: bus 001, dev 018
=> loaded 24576 bytes from HIBL.bin
=> Downloading 24586 bytes to 0xd0020000
=> Data checksum 5d9c
Click to expand...
Click to collapse
That's what happens when it tries to upload a larger file then memory can handle.
The HIBL is a Hummingbird Interceptor BootLoader. We could use a Exynos interceptor bootloader.
Let me contact Rebellos and get him in here. That polish Hairy Potter can probly wave his magic wand over a memory dump and have it doing the hokey-pokey. He is busy and recovering from a serious loss while trying to get his device into the mode which your device is in currently... he could probly use some donations.
We will need someone with a working device to do a memory dump...

1a) I need few different bootloader images from I9100 and similiar SGS2 series models (I777 or whatever is it called for eg.), can you guys post these here?
1b) If you notice some weird files in ROM releases, like *.elf - post these too! These are very helpful in reversing stuff. Samsung released these for S8500 and S8530 bootloaders so here is also a chance.
2) If anybody has got rooted Exynos based device and some know-how about using SU functions - I need iROM dump.
The procedure should be 99% the same as in there http://blog.maurus.be/index.php/2011/01/samsung-i9000-irom-dump/
Just grab viewmem ARM binary http://blog.maurus.be/wp-content/uploads/viewmem and use script posted there. With small modification!
Instead of
/tmp/viewmem 0xD0000000 0x10000 > /sdcard/iromdump
Click to expand...
Click to collapse
try
/tmp/viewmem 0x00000000 0x10000 > /sdcard/iromdump
Click to expand...
Click to collapse
if it doesnt work then try this
/tmp/viewmem 0x02000000 0x10000 > /sdcard/iromdump_mirror
Click to expand...
Click to collapse
One/both of these should produce 64KB iROM image.
3) WANTED:
- newer manual than this one: https://dl.dropbox.com/u/36177984/SEC_Exynos4210_pulbic_manual_Ver.0.00.01.pdf (we don't know if it does exist)
- Exynos 4210 Application Notes
- Exynos 4210 Secure Booting Guide
And so on.
Thank you.
Don't fear the reaper.
//edit:
Also SGS2 series seems to be more unbrickable than SGS, I bet PBL has got functionality to boot from SD card. I don't see other reason why PBL would mount it before trying to look for SBL.
Welcome to Samsung Primitive Bootloader.
build time: Aug 27 2011 04:53:51
current time: f4/f/4 3f:69:11
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
<display_card_info:1009> ext_csd
<display_card_info:1011>card_size: 15028
Total Card Size: 15029 MByte
mmc_init: card initialization completed!
pbl found bootable sbl in #49152.
jump to sbl 0x4d400000.
Click to expand...
Click to collapse
Disassembly will show.

I'm going to see about getting a replacement tomorrow as this is my daily driver. So I won't have it around to test anything. However, once I'm up and running again I'll try to get iROM dumped.
Meanwhile, tonight I'll see if I can fuse a 9100 PBL and SBL (they're supposed to be mostly compatible) to a microsd and test the external SD boot theory.
edit:
Hmm, looks like the fusing tool needs a monolithic PBL and SBL. My attention span for reading Google translated Korean forums is shot.
That's probably not necessary anyway, because I think the confusion here over "emmc" is due to the SGS2 using eMMC (embedded MMC) for the boot device as opposed to the i9000 which boots off of parallel oneNAND. The SGS2 is always booting off of MMC, it just happens that it's soldered down.

How to find out what's causing lock-ups?

I haven't managed to find a ROM that doesn't freeze up on me. I suspect that it may be apps, rather than ROMS, that are causing this, because it also happens when I revert to a stock ROM.
Can anyone recommend a way of diagnosing which app(s) may be causing the crashes? There's usually no regular pattern in behaviour - i.e. it happens in a variety of different situations/apps

mate apps generally dont cause lookups..its your settings that do..apps only forceclose..thats it...if you are on any custom kernel then its a 90% chance that whats causing your lock ups is your undervolt settings...otherwise..flash again with all the wipes...if you dont wipe then lockups are gonna be a very common occurance..backup all the stuff..!

Nah man. Apps, some apps, definitely cause Wake up's dude.
The most popular application to check wakelock's is BetterBatteryStats. And additionally i can tell you some wakelock's are also caused by Ad's, yes you read it right, damn AD'S. To block them please use AdAway, free in Play Store.

What are you going on about wakelocks for?

the thread is about lockups mate not wakeups!

naveediftikhar said:
mate apps generally dont cause lookups..its your settings that do..apps only forceclose..thats it...if you are on any custom kernel then its a 90% chance that whats causing your lock ups is your undervolt settings...otherwise..flash again with all the wipes...if you dont wipe then lockups are gonna be a very common occurance..backup all the stuff..!
Click to expand...
Click to collapse
I never do undervolting or any CPU mods, so it can't be that. I also routinely wipe, clear the cache and dalvik cache every time I flash a ROM. That's why I figure that it's probably apps doing things in the background that are the problem.

what about factory reseting via recovery and formatting system,data and cache in recovery under mount and storage option...wiping dalvik and cache dont reset or wipe your device..perform all the above mentioned wipes and your problem will hopefully end!
and if your are on any custom kernel..try increasing the stock volts by 25..!give it a try...!

Will "formatting system,data and cache in recovery under mount and storage option" wipe the contents of the internal SD card?

no...i do it always..never it has touched either of my sdcards...!

Should I do all of that AFTER flashing or before?

do it before flashing...and try to let the rom boot and run for 30 mins or so before going back and installing any mod or kernel!

Next time it happens, grab a kmsg as soon as you reboot:-
In a terminal editor enter the following:
su
cat /proc/last_kmsg > /mnt/sdcard/last_kmsg
and post it as an attachment to this thread. Might yield some clues as to what the phone was doing when it locks up/crashes.

MistahBungle said:
Next time it happens, grab a kmsg as soon as you reboot:-
In a terminal editor enter the following:
su
cat /proc/last_kmsg > /mnt/sdcard/last_kmsg
and post it as an attachment to this thread. Might yield some clues as to what the phone was doing when it locks up/crashes.
Click to expand...
Click to collapse
Ok it's just crashed again - this time while copying a large folder from the phone to a PC over USB. I rebooted, downloaded a Terminal Emulator from the Market, then generated the attached "last_kmsg" file as instructed. Please let me know if this gives any clues.

...sorry...here's the attachment...

Just had another lock-up. This time the phone got quite warm, and drained from 97% battery to 11% in 1.5 hours, so something was chewing up the CPU. Here's the last_kmsg output from immediately after the reboot:
Ibl: pbl_read_emmc441() read 8k
Ibl: pbl_read_emmc441() read 96k
Ibl: pbl_read_emmc441() read download info
Ibl: pbl_read_emmc441() endop
Ibl: jump() verify_binary_integrity...ok
Ibl: jump() jump!!!
Welcome to Samsung Primitive Bootloader.
build time: May 8 2012 19:31:07
current time: f0/e/1 30:70:7c
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
<display_card_info:1009> ext_csd
<display_card_info:1011>card_size: 15028
Total Card Size: 15029 MByte
mmc_init: card initialization completed!
pbl found bootable sbl in #53248.
jump to sbl 0x4d400000.
Secondary Bootloader v3.1 version.
Copyright (C) 2011 System S/W Group. Samsung Electronics Co., Ltd.
Board: C1 REV 02 / Aug 12 2011 11:37:21
current time: f0/e/1 30:70:7d
booting code=0xc0c080c0
[set_mmc_ocr] Sector Mode
[hsmmc_init] MMC card is detected
Product Name : VYL00M
CID:150100 56594c30 304d1941 4e02a76e
<display_card_info:1040> ext_csd
<display_card_info:1042>card_size: 15028
Total Card Size: 15029 MByte
Total Sector Count: 30777344
MoviNand Initialization Complete!
===== PARTITION INFORMATION =====
ID : GANG (0x0)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : BOOT (0x1)
DEVICE : MMC
FIRST UNIT : 0
NO. UNITS : 0
=================================
ID : EFS (0x4)
DEVICE : MMC
FIRST UNIT : 8192
NO. UNITS : 40960
=================================
ID : SBL1 (0x2)
DEVICE : MMC
FIRST UNIT : 49152
NO. UNITS : 2560
=================================
ID : SBL2 (0x3)
DEVICE : MMC
FIRST UNIT : 53248
NO. UNITS : 2560
=================================
ID : PARAM (0x5)
DEVICE : MMC
FIRST UNIT : 57344
NO. UNITS : 16384
=================================
ID : KERNEL (0x6)
DEVICE : MMC
FIRST UNIT : 73728
NO. UNITS : 16384
=================================
ID : RECOVERY (0x7)
DEVICE : MMC
FIRST UNIT : 90112
NO. UNITS : 16384
=================================
ID : CACHE (0x8)
DEVICE : MMC
FIRST UNIT : 106496
NO. UNITS : 204800
=================================
ID : MODEM (0x9)
DEVICE : MMC
FIRST UNIT : 311296
NO. UNITS : 32768
=================================
ID : FACTORYFS (0xa)
DEVICE : MMC
FIRST UNIT : 344064
NO. UNITS : 1048576
=================================
ID : DATAFS (0xb)
DEVICE : MMC
FIRST UNIT : 1392640
NO. UNITS : 4194304
=================================
ID : UMS (0xc)
DEVICE : MMC
FIRST UNIT : 5586944
NO. UNITS : 24133632
=================================
ID : HIDDEN (0xd)
DEVICE : MMC
FIRST UNIT : 29720576
NO. UNITS : 1048576
=================================
loke_init: j4fs_open..success
<start_checksum:1033>CHECKSUM_HEADER_SECTOR :42
<start_checksum:1035>offset:42, size:1024
Not Need Movinand Checksum
load_lfs_parameters valid magic code and version.
switch_sel_str='1'
load_debug_level: read debug level successfully(0x574f4c44)...LOW
init_ddi_data: usable ddi data.
init_fuel_gauge : not por status
fuel_gauge_get_version: [1]=0, [0]=92
init_fuel_gauge: vcell = 3670 mV, vfocv = 3785 mV, soc = 37
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
1227 = (365000 - 356525)*14484/100000
[14] 368610 = (1227 * 100000) / 32927 + 364884
init_microusb_ic: MUIC: CONTROL1:0x0
init_microusb_ic: MUIC: CONTROL1:0x0
init_microusb_ic: MUIC: CONTROL2:0x3a
init_microusb_ic: MUIC: CONTROL2:0x3a
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQSRC = 0x0
PMIC_IRQ1 = 0x8b
PMIC_IRQ2 = 0x1c
PMIC_IRQ3 = 0x0
PMIC_IRQ4 = 0x11
PMIC_STATUS1 = 0x1
PMIC_STATUS2 = 0x10
PMIC_STATUS3 = 0x0
PMIC_STATUS4 = 0x0
bootloader base address=0x4d400000
LPDDR0 1st. cached=0x40000000, size=0xe400000
LPDDR0 non-cached=0x4e400000, size=0xa00000
LPDDR0 2nd. cached=0x4ee00000, size=0x1200000
RST_STAT = 0x10000
get_hwrev() = 14
board_process_platform: MAGIC c0c080c0 at 40000000!
scan_keypad_level: pressed key is 2
scan_keypad_level: pressed key is 2
scan_keypad_level: pressed key is 2
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
microusb_get_attached_device: STATUS1:0x3f, 2:0x0
hw_pm_status: jig_status = 0, chg_status = 0
.....kernel is non signed binary.
DISPLAY_PATH_SEL[MDNIE 0x1]is on
div:2, FB_SOURCE_CLOCK:667000000, FB_PIXEL_CLOCK:25067520
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Autoboot (0 seconds) in progress, press any key to stop
boot_kernel: debug level low!
checkbit: find RECOVERY
checkbit (0)
.....kernel is non signed binary.
ATAG_CORE: 5 54410001 0 0 0
MEMCONFIG: 20e01323 20e01323
ATAG_MEM: 4 54410002 10000000 40000000
ATAG_MEM: 4 54410002 10000000 50000000
ATAG_MEM: 4 54410002 10000000 60000000
ATAG_MEM: 4 54410002 10000000 70000000
ATAG_SERIAL: 4 54410006 4e02a76e 304d1941
ATAG_REVISION: 3 54410007 e
ATAG_CMDLINE: 37 54410009 'loglevel=4 console=ram sec_debug.enable=0 sec_debug.enable_user=0 c1_watchdog.sec_pet=5 [email protected] s3cfb.bootloaderfb=0x5ec00000 ld9040.get_lcdtype=0x0 consoleblank=0 lpj=3981312 vmalloc=144m'
ATAG_NONE: 0 0
Starting kernel at 0x40008000...

Juice Defender causing the problem?
I disabled Juice Defender last night and have gone all day without the phone locking up. Has anyone had problems with Juice Defender causing lock-ups coupled with excessive battery usage?

Wierd ELF files used by QPST

Hi all,
For some reason I want to modify the bootloader on my device(Lenovo Zuk Z2 plus, which has SnapDragon 820, MSM8996). I have research a little bit and got a snippet of assembly code that I believe appears in the bootloader, and I hope to replace.
So I believe the xbl.elf file in the stock ROM, which is to be flashed by QPST, is the bootloader I hope to hack. My plan:
1. Interpret the file xbl.elf
2. find the snippet of code I hope to replace
3. replace the snippet of binary with some cooler binary.
So here is the result of `readelf -a xbl.elf`:
Code:
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: AArch64
Version: 0x1
Entry point address: 0x6213f10
Start of program headers: 64 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 17
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no sections to group in this file.
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
NULL 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x00000000000003f8 0x0000000000000000 0
NULL 0x0000000000001000 0x0000000085eec000 0x0000000085eec000
0x0000000000001b48 0x0000000000002000 1000
LOAD 0x0000000000003000 0x0000000006208000 0x0000000006208000
0x00000000000567b4 0x00000000000567b4 R E 10000
LOAD 0x00000000000597c0 0x000000000625f000 0x000000000625f000
0x0000000000009a58 0x0000000000009a58 RW 10000
LOAD 0x0000000000063220 0x000000000626a000 0x000000000626a000
0x0000000000000000 0x00000000000052a8 RW 10000
LOAD 0x0000000000063220 0x0000000085e00000 0x0000000085e00000
0x0000000000000000 0x0000000000024da0 RW 10000
LOAD 0x0000000000063220 0x0000000006680000 0x0000000006680000
0x00000000000029d0 0x00000000000029d0 R E 10000
LOAD 0x0000000000065bf0 0x0000000006683000 0x0000000006683000
0x0000000000000694 0x0000000000000694 RW 10000
LOAD 0x0000000000066290 0x000000000021e000 0x000000000021e000
0x0000000000005e54 0x0000000000005e54 R E 10000
LOAD 0x000000000006c0f0 0x00000000066a2000 0x00000000066a2000
0x0000000000000000 0x0000000000012400 RW 10000
LOAD 0x000000000006c0f0 0x0000000085e80000 0x0000000085e80000
0x00000000000282ee 0x00000000000282ee R E 10000
LOAD 0x00000000000943e0 0x0000000085ec0000 0x0000000085ec0000
0x000000000002b9a0 0x000000000002b9a0 RW 10000
LOAD 0x00000000000bfd80 0x0000000085eb0000 0x0000000085eb0000
0x0000000000000000 0x00000000000099e8 RW 10000
LOAD 0x00000000000bfd80 0x0000000080200000 0x0000000080200000
0x00000000000f0000 0x00000000000f0000 RWE 1000
LOAD 0x00000000001afd80 0x0000000000207000 0x0000000000207000
0x000000000000ebe1 0x000000000000ebe1 R E 10000
LOAD 0x00000000001be970 0x0000000000217800 0x0000000000217800
0x00000000000004c8 0x00000000000004c8 RW 10000
LOAD 0x00000000001bee40 0x0000000000219800 0x0000000000219800
0x0000000000000000 0x00000000000001d0 RW 10000
There is no dynamic section in this file.
There are no relocations in this file.
The decoding of unwind sections for machine type AArch64 is not currently supported.
Dynamic symbol information is not available for displaying symbols.
No version information found in this file.
So as you can see, this elf file is quite uncommon. Anyone has any idea how to interpret this file? Thanks!

Solved
Nevermind, I simply regard this file as binary and disemble it:
aarch64-linux-gnu-objdump -b binary -D xbl.elf -maarch64
And the assembly is crystally clear!

Xiaomi MI Box 3 MDZ-16-AB Boot Log and UART Location

Hey Guys,
I've been tinkering with my MI Box as I've been having packet loss issues with it, long story short its bricked, here is the bootlog + UART Pins if anyone is interested:
Boot Log:
Code:
TE: 98645
BL2 Built : 18:13:36, Jun 17 2016.
gxl g176ecdb - [email protected]
rn5t567_power_init
Board ID = 1
CPU clk: 1200MHz
DDR3 chl: Rank0+1 @ 912MHz - PASS
DQS-corr enabled
DDR scramble enabled
Rank0: 1024MB(auto)-2T-13
Rank1: 1024MB(auto)-2T-13
DataBus test pass!
AddrBus test pass!
-s
Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000
aml log : R1024 check pass!
New fip structure!
Load bl30 from eMMC, src: 0x00010200, des: 0x01700000, size: 0x0000d600
aml log : R1024 check pass!
Load bl31 from eMMC, src: 0x00020200, des: 0x01700000, size: 0x00014400
aml log : R1024 check pass!
Load bl32 from eMMC, src: 0x00038200, des: 0x01700000, size: 0x0002ee00
aml log : R1024 check pass!
Load bl33 from eMMC, src: 0x00068200, des: 0x01700000, size: 0x0007f800
aml log : R1024 check pass!
NOTICE: BL3-1: v1.0(debug):ed1aadc
NOTICE: BL3-1: Built : 11:06:24, May 31 2016
aml log : bl31 detect secure boot !
[Image: gxl_v1.1.3118-31ffc57 2016-09-27 10:04:49 [email protected]]
OPS=0x82
ef be ad de d f0 ad ba ef be ad de bl30:thermal init err
[0.626102 Inits done]
secure task start!
high task start!
low task start!
INFO: BL3-1: Initializing runtime services
INFO: BL3-1: Initializing BL3-2
INFO: BL3-2: ATOS-V1.4-gb959fd4 #13 Tue Sep 6 15:28:58 CST 2016 arm
INFO: BL3-2: chip version = RevA (21:A - 0:0)
INFO: BL3-2: crypto engine DMA
INFO: BL3-2: secure time TEE
INFO: BL3-1: Preparing for EL3 exit to normal world
INFO: BL3-1: Next image address = 0x1000000
INFO: BL3-1: Next image spsr = 0x3c9
U-Boot 2015.01-g57a5217-dirty (Jan 25 2017 - 11:17:54), Build: jenkins-Once_MP-750
DRAM: 2 GiB
Relocation Offset is: 76ef5000
register usb cfg[0][1] = 0000000077f64870
vpu: error: vpu: check dts: FDT_ERR_BADMAGIC, load default parameters
vpu: clk_level = 7
vpu: set clk: 666667000Hz, readback: 666660000Hz(0x300)
SARADC channel(1) is 0x1d2.
adcAvg hw_version is 353
MMC: aml_priv->desc_buf = 0x0000000073ef56e0
aml_priv->desc_buf = 0x0000000073ef7870
SDIO Port B: 0, SDIO Port C: 1
emmc/sd response timeout, cmd8, status=0x3ff2800
emmc/sd response timeout, cmd55, status=0x3ff2800
[mmc_init] mmc init success
mmc read lba=0x4000, blocks=0x400
start dts,buffer=0000000073ef9f30,dt_addr=0000000073ef9f30
parts: 12
00: cache 0000000010000000 2
01: logo 0000000000300000 1
02: encrypt 0000000000100000 1
03: recovery 0000000002000000 1
04: tee 0000000000800000 1
05: crypt 0000000002000000 1
06: misc 0000000002000000 1
07: boot 0000000001400000 1
08: system 0000000060000000 1
09: persist 0000000000800000 4
10: panic 0000000000400000 4
11: data ffffffffffffffff 4
get_dtb_struct: Get emmc dtb OK!
overide_emmc_partition_table: overide cache
[mmc_get_partition_table] skip partition cache.
Partition table get from SPL is :
name offset size flag
===================================================================================
0: bootloader 0 400000 0
1: reserved 400000 800000 0
2: cache c00000 10000000 2
3: env 10c00000 400000 0
4: logo 11000000 300000 1
5: encrypt 11300000 100000 1
6: recovery 11400000 2000000 1
7: tee 13400000 800000 1
8: crypt 13c00000 2000000 1
9: misc 15c00000 2000000 1
10: boot 17c00000 1400000 1
11: system 19000000 60000000 1
12: persist 79000000 800000 4
13: panic 79800000 400000 4
14: data 79c00000 158400000 4
mmc read lba=0x2000, blocks=0x2
mmc read lba=0x2002, blocks=0x2
mmc_read_partition_tbl: mmc read partition OK!
eMMC/TSD partition table have been checked OK!
mmc env offset: 0x10c00000
In: serial
Out: serial
Err: serial
reboot_mode=cold_boot
hardware_version =1
Saving Environment to aml-storage...
mmc env offset: 0x10c00000
Writing to MMC(1)... done
hpd_state=0
cvbs performance type = 6, table = 0
[store]To run cmd[emmc dtb_read 0x1000000 0x40000]
read emmc dtb
amlkey_init() enter!
[EFUSE_MSG]keynum is 4
[KM]Error:f[key_manage_query_size]L507:key[sn2] not programed yet
wipe_data=successful
wipe_cache=successful
Boot command:
Boot status:
Boot message
""
upgrade_step=2
[OSD]load fb addr from dts
[OSD]failed to get fb addr for logo
[OSD]use default fb_addr parameters
[OSD]fb_addr for logo: 0x3d800000
[OSD]load fb addr from dts
[OSD]failed to get fb addr for logo
[OSD]use default fb_addr parameters
[OSD]fb_addr for logo: 0x3d800000
[CANVAS]canvas init
[CANVAS]addr=0x3d800000 width=5760, height=2160
pull down bt_reset
pull up bt_reset
set hci reset
04 0e 04 01 03 0c 00
set scan parameters
04 0e 04 01 0b 20 00
set scan enable
04 0e 04 01 0c 20 00
pull down bt_enable
IR init done!
[imgread]szTimeStamp[2017012511355519]
[imgread]secureKernelImgSz=0x778000
aml log : R1024 check pass!
aml log : R1024 check pass!
aml log : R1024 check pass!
ee_gate_off ...
## Booting Android Image at 0x01080000 ...
reloc_addr =73f7a130
copy done
load dtb from 0x1000000 ......
Uncompressing Kernel Image ... OK
kernel loaded at 0x01080000, end = 0x01fa8620
Loading Ramdisk to 73e02000, end 73ee3000 ... OK
Loading Device Tree to 000000001fff4000, end 000000001fffff5e ... OK
Starting kernel ...
uboot time: 2832461 us
...
<See Attached>
UART Pins:
<See Attached>

You can hook the TX and RX lines into the 3.5mm headphone jack for easy UART use.
See attached

It turns out JTAG is enabled according to the Android dmesg log, this could mean a neat little BootROM dump...

Can someone makes a flash able rom for Almogic burning tool for mi tv box 3 mdz 16-ab?

Can you boot from usb device (libreelec)?

My mi tv box 3 is totally bricked no boot to recovery, only pc recognize like WorldCub device.

gyb001 said:
Can you boot from usb device (libreelec)?
Click to expand...
Click to collapse
I haven't looked at that yet, I don't really have any expirence playing with AMLogic SoCs, you can boot via USB? This would actually work if you can as I have boot.img and system...

(dylanger) said:
I haven't looked at that yet, I don't really have any expirence playing with AMLogic SoCs, you can boot via USB? This would actually work if you can as I have boot.img and system...
Click to expand...
Click to collapse
Thanks.
unfortunatelly i haven't img.
But i find intresting things
once#usb start
(Re)start USB...
USB0: USB3.0 XHCI init start
Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.00
This box have usb3?
Do you know how can i make full backup from emmc?
I think we can run somehow twrp with this env:
recovery_from_udisk=if fatload usb 0 ${loadaddr} aml_autoscript; then autoscr ${loadaddr}; fi;if fatload usb 0 ${loadaddr} recovery.img; then if fatload usb 0 ${dtb_mem_addr} dtb.img; then echo udisk dtb.img loaded; fi;bootm ${loadaddr};fi;

I won
amlogic login: root
Password:
Last login: Sat Nov 4 12:30:06 UTC 2017 on ttyS0
/etc/update-motd.d/30-sysinfo: line 37: read: read error: 0: Invalid argument
/etc/update-motd.d/30-sysinfo: line 38: [: -le: unary operator expected
____ ___
/ ___|/ _ \__ ____ ____ __
\___ \ (_) \ \/ /\ \/ /\ \/ /
___) \__, |> < > < > <
|____/ /_//_/\_\/_/\_\/_/\_\
Welcome to ARMBIAN 5.34 user-built Debian GNU/Linux 9 (stretch) 3.14.29
System load: 0.44 0.12 0.04 Up time: 0 min
Memory usage: 4 % of 1790MB IP:
Usage of /: 18% of 7.1G storage/: 56% of 128M
[email protected]:~# ls
fstab install.sh
[email protected]:~# uname -a
Linux amlogic 3.14.29 #108 SMP PREEMPT Sat Nov 4 14:50:04 MSK 2017 aarch64 GNU/Linux
[email protected]:~# cat /proc/cpuinfo
Processor : AArch64 Processor rev 4 (aarch64)
processor : 0
processor : 1
processor : 2
processor : 3
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: AArch64
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 4
Hardware : Amlogic
Serial : 210a82005fb86cbf061167e2b0552e2f
Revision : 020a

gyb001 said:
I won
amlogic login: root
Password:
Last login: Sat Nov 4 12:30:06 UTC 2017 on ttyS0
/etc/update-motd.d/30-sysinfo: line 37: read: read error: 0: Invalid argument
/etc/update-motd.d/30-sysinfo: line 38: [: -le: unary operator expected
____ ___
/ ___|/ _ \__ ____ ____ __
\___ \ (_) \ \/ /\ \/ /\ \/ /
___) \__, |> < > < > <
|____/ /_//_/\_\/_/\_\/_/\_\
Welcome to ARMBIAN 5.34 user-built Debian GNU/Linux 9 (stretch) 3.14.29
System load: 0.44 0.12 0.04 Up time: 0 min
Memory usage: 4 % of 1790MB IP:
Usage of /: 18% of 7.1G storage/: 56% of 128M
[email protected]:~# ls
fstab install.sh
[email protected]:~# uname -a
Linux amlogic 3.14.29 #108 SMP PREEMPT Sat Nov 4 14:50:04 MSK 2017 aarch64 GNU/Linux
[email protected]:~# cat /proc/cpuinfo
Processor : AArch64 Processor rev 4 (aarch64)
processor : 0
processor : 1
processor : 2
processor : 3
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: AArch64
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 4
Hardware : Amlogic
Serial : 210a82005fb86cbf061167e2b0552e2f
Revision : 020a
Click to expand...
Click to collapse
Woot! Nice work! So you've managed to boot into a Debian build? Damn nice work! Do you know if its possible to do that without having access to Android in the first place?
Like from UBOOT?

Yes i used to uart.
Write this command to uboot:
setenv bootcmd "run start_autoscript; run storeboot;"
setenv start_autoscript "if usb start ; then run start_usb_autoscript; fi; if mmcinfo; then run start_mmc_autoscript; fi;"
setenv start_mmc_autoscript "if fatload mmc 0 1020000 s905_autoscript; then autoscr 1020000; fi;"
setenv start_usb_autoscript "if fatload usb 0 1020000 s905_autoscript; then autoscr 1020000; fi; if fatload usb 1 1020000 s905_autoscript; then autoscr 1020000; fi; if fatload usb 2 1020000 s905_autoscript; then autoscr 1020000; fi; if fatload usb 3 1020000 s905_autoscript; then autoscr 1020000; fi;"
setenv upgrade_step "0"
saveenv
Click to expand...
Click to collapse
I'm not sure it necessary, but i set the selinux disabled.
Download and write the image to usb drive
https://yadi.sk/d/srrtn6kpnsKz2/Linux/ARMBIAN

gyb001 said:
Yes i used to uart.
Write this command to uboot:
I'm not sure it necessary, but i set the selinux disabled.
Download and write the image to usb drive
https://yadi.sk/d/srrtn6kpnsKz2/Linux/ARMBIAN
Click to expand...
Click to collapse
Can we use this image with Amlogic usb burning tool ?

venioni said:
Can we use this image with Amlogic usb burning tool ?
Click to expand...
Click to collapse
No, the image will not pass the burning tool vertify.
I think you can use the amlogic burning tool only with uart. In uboot write "update" command.

gyb001 said:
No, the image will not pass the burning tool vertify.
I think you can use the amlogic burning tool only with uart. In uboot write "update" command.
Click to expand...
Click to collapse
Can you help me to unbrick my mind that box 3 international?
is totally bricked,no boot to recovery mode.

venioni said:
Can you help me to unbrick my mind that box 3 international?
is totally bricked,no boot to recovery mode.
Click to expand...
Click to collapse
Unfortunately i don't know how its possibile, but That sure, you have to use u boot.
You should buy uart usb device. I have cp2102

gyb001 said:
Unfortunately i don't know how its possibile, but That sure, you have to use u boot.
You should buy uart usb device. I have cp2102
Click to expand...
Click to collapse
If i buy this uart usb device cp 2102 can you make a tutorial how can i use this to unbrick my mi tv box3 and what firmwares i need to do all this?

venioni said:
If i buy this uart usb device cp 2102 can you make a tutorial how can i use this to unbrick my mi tv box3 and what firmwares i need to do all this?
Click to expand...
Click to collapse
Now, i can boot only Armbian.

Stock rom img file
https://mega.nz/#F!BDRG3J4B!VZqB0qJ9fseMhy4Y8anIaA

gyb001 said:
Stock rom img file
https://mega.nz/#F!BDRG3J4B!VZqB0qJ9fseMhy4Y8anIaA
Click to expand...
Click to collapse
Can we flash this stock rom image with Almogic burning tool for unbrick mi tv box 3 ?

venioni said:
Can we flash this stock rom image with Almogic burning tool for unbrick mi tv box 3 ?
Click to expand...
Click to collapse
No.
You have to use uboot

need help usid.ini/Mac_ether Amlogic Burning tools

Hello friends, I need a little help with the usid / mac_ether script
i am starting to study about android and i would like to ask you:
First I would like someone to help me record a serial
at box amlogic
1: Firmware already passed Amlogic Customization tools (key usid, mac marked for write)
2: in the SN part I always want the serial to be written to be this ... 8e.05-17.06-10500171 <---------- SN
3: on mac's part i want this recorded
EC: 2C: A9: 51: 52: 31
3: usid script
[Group1]
usid = ShiningStar <1> MBX <2>
param_1_format =% 04x
param_1_start = 0000
param_1_end = FFFF
param_1_used = 0x0
param_1_total = 1000
param_2_format =% 04x
param_2_start = 0000
param_2_end = FFFF
param_2_used = 0x0
param_2_total = 1000
[Size]
Size = 22
[fragment]
fragment =
4: mac script
[Group1]
start = 00: 0f: a3: 45: 9b: 12
end = 00: 0f: a3: 45: a1: 34
total = 1540
used = 2
current =
[fragment]
fragment =
5: Help me understand how to put the above information into the script to write it to the box.

Better Mobile App

welcome