UART and bootloader strap pinouts for recovery

OP tylerwhall

21st May 2013, 04:29 AM   |  #1  
I started looking into bootloader-level recovery tonight before messing with the file system too much and potentially getting into a bad state. I couldn't find this information anywhere else.

UART pinout

J3 - 4 pin unpopulated header on the front of the board near the LED
Pin 1: 3.3v
Pin 2: TX
Pin 3: RX
Pin 4: GND
Bootloader and kernel console output comes out this port, but android doesn't start a shell.

Bootloader strap
On the back of the board in the center, there is an unpopulated button (U33). When jumped while the power button is pressed, this appears to put the bootloader into USB recovery mode. It enumerates with an nvidia vendor id. Presumably nvflash or tegrarcm could be used to unbrick the device.

I haven't done anything with the bootloader recovery since I haven't yet made a backup. I'm not sure how much of the functionality is allowed given the state of the production fuse, but I would think we could use this to at least get back to a stock state.
Last edited by tylerwhall; 21st May 2013 at 05:56 AM.
21st May 2013, 11:55 AM   |  #2  
I had posted pretty much the same thing a few hours earlier over on the ouya forums - https://forums.ouya.tv/discussion/co...#Comment_11742

The good news about the bootloader is that none of the android partitions have any sort of signature, which means that the bootloader is effectively "unlocked", you can even do a "fastboot boot". The bad news is that there doesn't seem to be any sort of hotkey to enter the bootloader or recovery mode, although I did find that you could usually get into recovery with the sysrq, just press alt-sysrq-i a few times at bootup to crash the processes spawned by init and eventually it will reboot into recovery -- obviously this won't work if your ouya doesn't even boot that far, so be careful.

The button at u33 does get you into nvflash mode, but from what I can tell it's entirely useless since every command will return a 0x4; we'll need the secure boot key to actually get this working.

As far as backups, the OTA download contains an entire copy of the system and boot partitions, this can be flashed from recovery using adb sideload; rayman has posted a link to all the known OTA downloads over on this thread - http://forum.xda-developers.com/show....php?t=2266629
22nd May 2013, 11:17 AM   |  #3  
Quote:
Originally Posted by tylerwhall

I started looking into bootloader-level recovery tonight before messing with the file system too much and potentially getting into a bad state. I couldn't find this information anywhere else.

UART pinout

J3 - 4 pin unpopulated header on the front of the board near the LED
Pin 1: 3.3v
Pin 2: TX
Pin 3: RX
Pin 4: GND
Bootloader and kernel console output comes out this port, but android doesn't start a shell.

Bootloader strap
On the back of the board in the center, there is an unpopulated button (U33). When jumped while the power button is pressed, this appears to put the bootloader into USB recovery mode. It enumerates with an nvidia vendor id. Presumably nvflash or tegrarcm could be used to unbrick the device.

I haven't done anything with the bootloader recovery since I haven't yet made a backup. I'm not sure how much of the functionality is allowed given the state of the production fuse, but I would think we could use this to at least get back to a stock state.

Sadly, no. The way nvidia does security means that you need to know the Secure Boot key (if set - but it is set on ouya) to even be able to communicate with the device through APX/nvflash.
As embeem mentions, it will return 0x4, which essentially means "go away, I don't know you" after which it goes into an almost turned off state where it refuses to do anything but restart. The SBK is an AES-128 key so it's essentially impossible (impractical) to brute-force it.
1st June 2013, 11:22 AM   |  #4  
Quote:
Originally Posted by rayman

Sadly, no. The way nvidia does security means that you need to know the Secure Boot key (if set - but it is set on ouya) to even be able to communicate with the device through APX/nvflash.
As embeem mentions, it will return 0x4, which essentially means "go away, I don't know you" after which it goes into an almost turned off state where it refuses to do anything but restart. The SBK is an AES-128 key so it's essentially impossible (impractical) to brute-force it.

So what was the trick that you used/developed to bypass the encryption on TF101 B80+ / TF201 / TF701? As far as I know their bootloaders also required the SBK; nevertheless you published a tool that works with them even though the SBK remains unknown, or am I wrong and misread something?

Cheers
1st June 2013, 10:11 PM   |  #5  
Quote:
Originally Posted by wolf849

So what was the trick that you used/developed to bypass the encryption on TF101 B80+ / TF201 / TF701? As far as I know their bootloaders also required the SBK; nevertheless you published a tool that works with them even though the SBK remains unknown, or am I wrong and misread something?

Cheers

Black magic.
13th June 2013, 02:11 AM   |  #6  
Well, not much capable in nvflash mode, can't get anything to work properly.

UART lets me see it boot up, and fail miserably. Sadly, nothing doing there either. Nothing I send to it seems to affect it.

Back story: I broke init. The sysrq trick doesn't work unless you're getting to init.

Boot log via UART:
http://pastebin.com/ENQYQbTS

It still responds to sysrq, but nothing I'm doing seems to do much. I can dump the memory, crash the system, reboot it, shut it down, all kinds of things. Here's the HELP for sysrq:

Code:
[   66.672046] SysRq : HELP : loglevel(0-9) reBoot Crash terminate-all-tasks(E) memory-full-oom-kill(F) kill-all-tasks(I) thaw-filesystems(J) show-backtrace-all-active-cpus(L) show-memory-usage(M) nice-all-RT-tasks(N) powerOff show-registers(P) show-all-timers(Q) Sync show-task-states(T) Unmount show-blocked-tasks(W) dump-ftrace-buffer(Z)
An easier list of sysrq commands:
Code:
alt + sysrq + [0-9] - set log level (doesn't seem to work)
alt + sysrq + B     - reboot
alt + sysrq + C     - crash
alt + sysrq + E     - terminate-all-tasks
alt + sysrq + F     - memory-full-oom
alt + sysrq + I     - kill-all-tasks
alt + sysrq + J     - thaw-filesystems
alt + sysrq + L     - show-backtrace-all-active-cpus
alt + sysrq + M     - show-memory-usage
alt + sysrq + N     - nice-all-RT-tasks
alt + sysrq + O     - poweroff
alt + sysrq + P     - show-registers
alt + sysrq + Q     - show-all-timers
alt + sysrq + S     - sync
alt + sysrq + T     - show-task-states
alt + sysrq + U     - unmount
alt + sysrq + W     - show-blocked-tasks
alt + sysrq + Z     - dump-ftrace-buffer
Some more detailed information on what these are: http://en.wikipedia.org/wiki/Magic_SysRq_key

Open to ideas!
Last edited by invisiblek; 13th June 2013 at 01:54 PM.
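
An added example, not code from any poster in this thread: a Python parser that derives the key list from the kernel HELP line quoted in the post above, using the kernel's convention that the key is either given in parentheses or is the single capital letter in the action name. The function names and the check against the commonly documented R-E-I-S-U-B clean-reboot order are assumptions of this example.

```python
import re

# The HELP line exactly as quoted from the UART console in the post above.
HELP_LINE = (
    "[   66.672046] SysRq : HELP : loglevel(0-9) reBoot Crash "
    "terminate-all-tasks(E) memory-full-oom-kill(F) kill-all-tasks(I) "
    "thaw-filesystems(J) show-backtrace-all-active-cpus(L) "
    "show-memory-usage(M) nice-all-RT-tasks(N) powerOff show-registers(P) "
    "show-all-timers(Q) Sync show-task-states(T) Unmount "
    "show-blocked-tasks(W) dump-ftrace-buffer(Z)"
)


def parse_sysrq_help(line):
    """Map each SysRq key this kernel advertises to its action name."""
    _, marker, body = line.partition("HELP :")
    if not marker:
        raise ValueError("not a SysRq HELP line")
    keys = {}
    for token in body.split():
        explicit = re.fullmatch(r"(.+)\((.+)\)", token)
        if explicit:
            name, key = explicit.groups()
            digits = re.fullmatch(r"(\d)-(\d)", key)
            if digits:  # a range such as loglevel(0-9)
                lo, hi = map(int, digits.groups())
                for d in range(lo, hi + 1):
                    keys[str(d)] = name
            else:       # key given in parentheses, e.g. kill-all-tasks(I)
                keys[key.lower()] = name
        else:           # otherwise the single capital letter is the key
            caps = [c for c in token if c.isupper()]
            if len(caps) != 1:
                raise ValueError(f"cannot tell the key for {token!r}")
            keys[caps[0].lower()] = token.lower()
    return keys


def unsupported(keys, sequence):
    """Return the keys of a planned sequence that this kernel lacks."""
    return [k for k in sequence.lower() if k not in keys]


if __name__ == "__main__":
    table = parse_sysrq_help(HELP_LINE)
    for key in sorted(table):
        print(f"alt + sysrq + {key.upper()}  - {table[key]}")
    # R-E-I-S-U-B is the commonly documented clean-reboot order (assumption
    # of this example, not from the thread).
    print("not available:", unsupported(table, "reisub"))
```

For the HELP line above, the check reports `r` as not available, because no handler for that key is listed.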
14th June 2013, 12:46 AM   |  #7  
DivinityCycle
This reminds me of the old Droid X I had years back, which had a locked bootloader.
Because of this, there had to be a special "boot to recovery" boot strapper installed onto the system.
We have full RW access to the Ouya's filesystem and software, so it would seem like the first thing the community should do is develop some sort of "successfully booted" flagging to make the system try to automatically drop into CWM in the event that it looks like the OS is broken.
Couldn't such a thing live in the boot.img, and thus be available even if some silly person formats their /system partition? (This has happened already, and so the guy pretty much bricked his Ouya)
14th June 2013, 07:21 AM   |  #8  
Quote:
Originally Posted by DivinityCycle

This reminds me of the old Droid X I had years back, which had a locked bootloader.
Because of this, there had to be a special "boot to recovery" boot strapper installed onto the system.
We have full RW access to the Ouya's filesystem and software, so it would seem like the first thing the community should do is develop some sort of "successfully booted" flagging to make the system try to automatically drop into CWM in the event that it looks like the OS is broken.
Couldn't such a thing live in the boot.img, and thus be available even if some silly person formats their /system partition? (This has happened already, and so the guy pretty much bricked his Ouya)

My plan is to develop a sysrq key to write the appropriate bit(s) to SCRATCH0 and reboot. This would allow us to get into recovery via a simple keystroke. I've actually got it written but need to test it. Testing it would not be dangerous as it would normally boot the stock kernel/init.

Next week when I'm home I'll try to find a tester since I cannot test it (can't write anything to my mmcblk0)

This shouldn't be dangerous to test.

15th September 2013, 11:28 PM   |  #9  
nchantmnt
Any news on uart? I guess I bricked my ouya.
I was testing my custom kernel, forgot to use fastboot boot instead of flash, and now have nothing but a black screen. My Linux machine doesn't recognize my Ouya and I can't go to recovery. So at least knowing what is causing the issue would be helpful.

Do you mind giving me a short intro on uart?

I guess I need a usb/uart adapter? If yes, which one should I get?

Thanks in advance

20th September 2013, 12:43 PM   |  #10  
nchantmnt
Has anyone already seen this: http://forum.xda-developers.com/show....php?t=2071626

I only had time to skim it, but it might be useful to people with still-working devices.

The aim is to get the SBK, which should be - if I have understood it the right way - unique for each device as long as the company didn't burn in a fixed SBK.

So maybe this will help us to save people from further bricks... as long as nvflash is usable via USB.
