Hardware root/JTAG pinout


Determined

Member
Sep 17, 2010
16
6
For those interested, Amazon FireTV JTAG pinout is very close to the standard 20-pin ARM JTAG. See attached image for the actual pinout. If anybody has an OpenOCD config file for Qualcomm Krait 300 (SnapDragon 600), please share. Rooting can be done by bypassing a couple of checks in the bootloader.
 

Attachments

  • atv_jtag.png (216.5 KB)
Huh. Question. Is it snapdragon 600 you want or S4 Pro? I dug pretty deeply before I got the box to figure exactly what processor is in there. Amazon gives: snapdragon 8064, krait 300, 1.7 GHz with adreno 320. I couldn't actually find a direct match for those specs in Qualcomm info, but the only thing that matched those specifications was the S4 Pro, the same thing in the Nexus 7. Not to derail what you started, just want to be sure you're seeking the correct thing.

from my N5

Edit: let me clarify a bit. Amazon says it's the 8064. I went to qualcomm's site and that wasn't listed anywhere. So through deductive reasoning: CPU speed and the adreno 320 match the S4 pro which is also in the N7 2013. I haven't actually looked what xda says it has, but that's how I came to the S4 pro.
 

Luxferro

Senior Member
Nov 19, 2009
1,511
436
Long Island, NY
Huh. Question. Is it snapdragon 600 you want or S4 Pro? I dug pretty deeply before I got the box to figure exactly what processor is in there. Amazon gives: snapdragon 8064, krait 300, 1.7 GHz with adreno 320. I couldn't actually find a direct match for those specs in Qualcomm info, but the only thing that matched those specifications was the S4 Pro, the same thing in the Nexus 7. Not to derail what you started, just want to be sure you're seeking the correct thing.

from my N5

Edit: let me clarify a bit. Amazon says it's the 8064. I went to qualcomm's site and that wasn't listed anywhere. So through deductive reasoning: CPU speed and the adreno 320 match the S4 pro which is also in the N7 2013. I haven't actually looked what xda says it has, but that's how I came to the S4 pro.

Being curious, I did some reading. I'm pretty sure it's a S4 Pro as well. 600 uses LPDDR3, has higher clock speed 1.7 vs 1.9GHz, and has wireless AC.

http://xdaforums.com/nexus-4/help/snapdragon-600-vs-snapdragon-s4-pro-t2157201
http://www.ifixit.com/Teardown/Amazon+Fire+TV+Teardown/23856
 

Determined

Member
Sep 17, 2010
16
6
Yeah they didn't match up to me. I see xda just says 1.7 ghz, etc and not the 600. I'm thinking S4 Pro too. Good to get a confirmation though. :good:

The 600 was mentioned in some specs on the web, but it may have been a guess.

Actual JTAG device IDs:

4BA00477 (dap)
2071E0E1 (cpu) <- googling this one yields nothing
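Decoding the two IDCODE values above, as an added example that is not part of the original post: it splits each 32-bit IDCODE into its IEEE 1149.1 fields and maps the JEP106 manufacturer bits to a vendor (the JEP106 table is trimmed to the two vendors that matter here, and the all-ones/all-zeros check is my own sanity check, not something from the thread).

```python
"""Decode the JTAG IDCODE values quoted in the thread (added example).

IEEE 1149.1 IDCODE layout: bits[31:28] version, bits[27:12] part number,
bits[11:1] JEP106 manufacturer (bits[11:8] = number of 0x7F continuation
bytes, bits[7:1] = id code), bit 0 always 1.
"""
import re

# Minimal JEP106 lookup: (continuation count, id code) -> vendor.
# Only the two vendors relevant to this board; anything else is "unknown".
JEP106 = {
    (4, 0x3B): "ARM",
    (0, 0x70): "Qualcomm",
}

# The IDs exactly as posted above ("Actual JTAG device IDs").
POSTED_IDS = """\
4BA00477 (dap)
2071E0E1(cpu) <- googling this one yields nothing
"""


def decode_idcode(idcode: int) -> dict:
    """Split a 32-bit IDCODE into its IEEE 1149.1 fields."""
    if idcode in (0x00000000, 0xFFFFFFFF):
        # All-zero / all-one reads mean a stuck TDO line or no TAP, not a real ID.
        raise ValueError("no valid TAP response (TDO stuck at %08X)" % idcode)
    if idcode & 1 == 0:
        raise ValueError("IDCODE bit 0 must be 1 (got %08X)" % idcode)
    cont = (idcode >> 8) & 0xF      # number of JEP106 continuation bytes
    ident = (idcode >> 1) & 0x7F    # 7-bit JEP106 id code
    return {
        "version": idcode >> 28,
        "part": (idcode >> 12) & 0xFFFF,
        "jep106": (cont, ident),
        "manufacturer": JEP106.get((cont, ident), "unknown"),
    }


def decode_posted(text: str = POSTED_IDS) -> dict:
    """Parse 'HEXID (label)' lines such as the ones in the post."""
    out = {}
    for m in re.finditer(r"^([0-9A-Fa-f]{8})\s*\((\w+)\)", text, re.M):
        out[m.group(2)] = decode_idcode(int(m.group(1), 16))
    return out


if __name__ == "__main__":
    for label, f in decode_posted().items():
        print("%s: v%d part 0x%04X %s" % (label, f["version"], f["part"], f["manufacturer"]))
```

The dap ID decodes to ARM (the CoreSight debug port), while the cpu ID carries Qualcomm's JEP106 code, which fits a Qualcomm-designed Krait core rather than a stock ARM Cortex TAP.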
 

robclark

Member
Apr 7, 2014
35
10
Being curious, I did some reading. I'm pretty sure it's a S4 Pro as well. 600 uses LPDDR3, has higher clock speed 1.7 vs 1.9GHz, and has wireless AC.

http://xdaforums.com/nexus-4/help/snapdragon-600-vs-snapdragon-s4-pro-t2157201
http://www.ifixit.com/Teardown/Amazon+Fire+TV+Teardown/23856

The original apq8064 was dubbed the 'S4 Pro' (before the new naming scheme kicked in). Later variants (apq8064t, apq8064ab, etc.) are dubbed 'snapdragon 600'. The newer variants have newer krait and a newer revision of a320 (gpu), clock bumps, etc., but are basically tweaks of the original.
 

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,308
15,761
Raleigh NC
For those interested, Amazon FireTV JTAG pinout is very close to the standard 20-pin ARM JTAG. See attached image for the actual pinout. If anybody has an OpenOCD config file for Qualcomm Krait 300 (SnapDragon 600), please share. Rooting can be done by bypassing a couple of checks in the bootloader.

I've got a third FireTV hooked up to my riffbox now, but having issues. If I can get a successful read and write, I'll post a dump with a hacked bootloader to run unsigned images.

Issue I'm having is I'm not getting any response from RTCK. Fuses indicate that JTAG was not disabled, and this isn't my strong point.
 

Determined

Member
Sep 17, 2010
16
6
If I can get a successful read and write, I'll post a dump with a hacked bootloader to run unsigned images.

No need to pull that dump, it is provided in the OTA (emmc_appsboot.mbn). There is a procedure (located at 0x88F01144 in OTA 51.1.0.1) that checks unlock code, if you force it to return 1, you will be able to boot anything as well as run "oem unlock" and other restricted commands.
 

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,308
15,761
Raleigh NC
No need to pull that dump, it is provided in the OTA (emmc_appsboot.mbn). There is a procedure (located at 0x88F01144 in OTA 51.1.0.1) that checks unlock code, if you force it to return 1, you can boot anything as well as run "oem unlock" and other restricted commands.

Not what I was referring to, sorry for my bad wording.

I have already rooted and unlocked mine, but I am unable to release the root at this point (will shortly, waiting on Amazon to confirm a patch is done for the root exploit). I was trying to say I would release a riffbox flashable binary, with a bootloader hack allowing booting of custom images.

Booting unsigned recovery with modified res images:

I can't get a response over jtag, will put more effort into it this week.

emmc_appsboot.mbn itself can not be altered, sbl3 validates it before continuing with boot.
 

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,308
15,761
Raleigh NC
Hah! If you step through it using a jtag and skip the checks it won't actually need any changes.

Hah? Stepping through it is impractical for most uses. For the few of us that have one sitting on our desk? Sure ok, for those that have it in their entertainment center? Not practical at all.

If you are going to jtag it, might as well hack it proper once, and not worry about having to step through it each boot.

If you choose to jtag and step through it, having it return a value of being unlocked will result in androidboot.unlocked_kernel=true being passed to cmdline, and /sbin/adbd will not drop root when that exists. Would be an easy-ish root through jtag without actually flashing anything.
 

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,308
15,761
Raleigh NC
That is your [much appreciated] thunder. I don't have time to generate public-friendly hacks anymore. :)

Thunder is over, I'm done after I provide a few promised ones come Blackhat (including this one). Too much of a time sink, and the public factor of the amusement has long gone.

If you have gtalk/hangouts give me a shout to the address in my signature.
 

Determined

Member
Sep 17, 2010
16
6
There is also a serial debug port.

Nothing to see there, just kernel messages:
Code:
Android Bootloader - UART_DM Initialized!!!
[0] welcome to lk: current version is lk_rel_3.0.1_02272014
[10] platform_init()
[10] target_init(): platform_id 109
[10] Its BUELLER. revision 3
[70] display_init(),target_id=7337.
[70] hdmi_msm_panel_init: default format=4
[2730] splash_screen_mmc :235, 67
[2750] Config HDMI PANEL.
[2750] Turn on HDMI PANEL.
[2760] EDID: no DTD or non-DTD data present
[2760] EDID: no DTD or non-DTD data present
[2760] hdmi_edid_get_audio_data: No adb found
[2770] hdmi_audio_playback: 48KHz not supported by TV
[2770] hdmi_msm_audio_acr_setup: video format 0 not supported
[2780] aboot_init: calling idme_initialize 
[2780] Idme version is 2.0 and set related function to V2.0
[2790] IDME INFO: checking for new items to add (stored items:12  specified items:12)
[2790] serial num from idme: XXXXXXXXXXXXXXXXXX
[2800] Reboot -- restart_reason=427810811 (0x197fdffb) 
[2800] aboot_init: IDME - device boot up info
[2810] idme items number:12
[2810] name: board_id, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2820] name: serial, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2830] name: mac_addr, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2830] name: bt_mac_addr, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2840] name: productid, size: 32, exportable: 1, permission: 292, data= 00000000000000000000000000000000
[2850] name: productid2, size: 32, exportable: 1, permission: 292, data= 00000000000000000000000000000000
[2860] name: bootmode, size: 4, exportable: 1, permission: 292, data= 1
[2860] name: postmode, size: 4, exportable: 1, permission: 292, data= 2
[2870] name: bootcount, size: 8, exportable: 1, permission: 292, data= 32
[2880] name: eth_mac_addr, size: 16, exportable: 1, permission: 292, data= XXXXXXXXXXXXXXXXXX
[2890] bootcount = 33
[3080] aboot_init: Boot linux from MMC 
[3090] boot_into_recovery=0  idme_bootmode=1 (NORMAL) 
[3090] use_signed_kernel=1, is_unlocked=0, is_tampered=0.
[3100] Loading boot image (6344704): start
[3340] Loading boot image (6344704): done
[3340] Authenticating boot image (6344704): start
[3350] Attempting to enable ce3_src_clk before setting its rate.[3360] TZ channel swith returned 0
[5070] TZ channel swith returned 0
[5070] Authenticating boot image: done return value = 1
[5090] cmdline = 'androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 maxcpus=2'
[5100] Power on reason 1
[5100] Its bueller again 3.
[5100] cmdline_length=170, n=172, n1=45
[5110] IDME: idme atag init (export to kernel),  atag_size=514 
[5110] name: board_id, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5120] name: serial, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5130] name: mac_addr, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5140] name: bt_mac_addr, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5140] name: productid, size: 32, exportable: 1, permission: 292, data: 00000000000000000000000000000000
[5150] name: productid2, size: 32, exportable: 1, permission: 292, data: 00000000000000000000000000000000
[5160] name: bootmode, size: 4, exportable: 1, permission: 292, data: 1
[5170] name: postmode, size: 4, exportable: 1, permission: 292, data: 2
[5180] name: bootcount, size: 8, exportable: 1, permission: 292, data: 33
[5180] name: eth_mac_addr, size: 16, exportable: 1, permission: 292, data: XXXXXXXXXXXXXXXXXX
[5190] The atag idme items number:11

booting linux @ 0x80208000, ramdisk @ 0x82200000 (368957)
 

Determined

Member
Sep 17, 2010
16
6
No JTAG Debug

Connecting to JTAG with OpenOCD needs a few changes in the cortex_a.c source to enable support for Cortex-A15. If you actually make those changes and play with debug registers, you will discover that DBGEN and SPIDEN signals/fuses are disabled, so debug mode is not accessible.

I have not yet tried flashing.
 

robclark

Member
Apr 7, 2014
35
10
Connecting to JTAG with OpenOCD needs a few changes in the cortex_a.c source to enable support for Cortex-A15. If you actually make those changes and play with debug registers, you will discover that DBGEN and SPIDEN signals/fuses are disabled, so debug mode is not accessible.

I have not yet tried flashing.

ohh, openocd? I'm listening..

I have a number of snapdragon devices that I'd love to use jtag with.. but no windows machine for the riffbox sw.. openocd would be awesome
 

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,308
15,761
Raleigh NC
I spent a bit trying today, I never could get a response from RTCK at all
 

Connecting to JTAG with OpenOCD needs a few changes in the cortex_a.c source to enable support for Cortex-A15. If you actually make those changes and play with debug registers, you will discover that DBGEN and SPIDEN signals/fuses are disabled, so debug mode is not accessible.

I have not yet tried flashing.

That's not true. I currently play with openocd, flyswatter2 and ifc6410 (another apq8064 box) and I discovered that the problem is how openocd handles writing to the ctrlstat register. Seems openocd implements the dap ver. 0 way, but not the dap ver. 1 and dap ver. 2 ways. I'm currently diving into the arm coresight documentation and openocd code.