Bootloader Unlock Ideas


Robius

Senior Member
Mar 21, 2013
56
14
Not much to digitally hack on a car that old.

I have actually seen chainsaws being juggled. Yes, they were full on and not just idling.


Sent from my iPhone using Tapatalk
 

blakegriplingph

Senior Member
May 13, 2011
1,070
157
Amazon Fire
Realme C3
So, uh, any hope on getting the bootloader/preloader to be hacked? I know I own a different device, but I am having a similar issue with my LeapFrog Epic - bootloader's restricted, and I can't use SP Flash Tool normally unless I use Write Memory or somehow get my hands on a signed ROM scatter package.
 

DB126

Senior Member
Oct 15, 2013
15,362
10,174
So, uh, any hope on getting the bootloader/preloader to be hacked? I know I own a different device, but I am having a similar issue with my LeapFrog Epic - bootloader's restricted, and I can't use SP Flash Tool normally unless I use Write Memory or somehow get my hands on a signed ROM scatter package.
Exceptionally unlikely given the history of bootloader exploits on Amazon devices.
 

hwmod

Senior Member
Dec 12, 2011
309
279
Verona
Could it be a different Firmware Updater Tool exists ?

Hooking up the serial interface to my bricked Fire 7 5th Gen, I am getting the following prompt:

BUF2!F1

The prompt stays for just 1 second or less and then is followed by a series of READYREADYREADY ... then starts the normal boot process.
I never noticed this fact previously so I went with a quick Google search and ended up here:

https://hackaday.io/project/21273-try-porting-linkit-one-on-linux/details

This is the only place I could find having small info on this, nothing else !
Does anybody have more info on this ? Is this the same protocol used by SPFlashTool or is it something different ?
Maybe a Lower level flashing procedure ? Can we use Linkit One Firmware Updater tools on this ?
Many questions and few information, I know. But anyway better than nothing...

Have fun,

.:HWMOD:.
 

blakegriplingph

Senior Member
May 13, 2011
1,070
157
Amazon Fire
Realme C3
Hooking up the serial interface to my bricked Fire 7 5th Gen, I am getting the following prompt:

BUF2!F1

The prompt stays for just 1 second or less and then is followed by a series of READYREADYREADY ... then starts the normal boot process.
I never noticed this fact previously so I went with a quick Google search and ended up here:

https://hackaday.io/project/21273-try-porting-linkit-one-on-linux/details

This is the only place I could find having small info on this, nothing else !
Does anybody have more info on this ? Is this the same protocol used by SPFlashTool or is it something different ?
Maybe a Lower level flashing procedure ? Can we use Linkit One Firmware Updater tools on this ?
Many questions and few information, I know. But anyway better than nothing...

Have fun,

.:HWMOD:.
Care to elaborate on the serial interface you used? If it helps, the PC I am using has a serial port built in.
 
Hooking up the serial interface to my bricked Fire 7 5th Gen, I am getting the following prompt:

BUF2!F1

The prompt stays for just 1 second or less and then is followed by a series of READYREADYREADY ... then starts the normal boot process.
I never noticed this fact previously so I went with a quick Google search and ended up here:

https://hackaday.io/project/21273-try-porting-linkit-one-on-linux/details

This is the only place I could find having small info on this, nothing else !
Does anybody have more info on this ? Is this the same protocol used by SPFlashTool or is it something different ?
Maybe a Lower level flashing procedure ? Can we use Linkit One Firmware Updater tools on this ?
Many questions and few information, I know. But anyway better than nothing...

Have fun,

.:HWMOD:.

If bricked, can you boot to fastboot? See if the tool responds to fastboot? I mean it can't hurt to just plug it in and not do anything.
 

hwmod

Senior Member
Dec 12, 2011
309
279
Verona
Care to elaborate on the serial interface you used? If it helps, the PC I am using has a serial port built in.

I have now taken out the board from the tablet case and connected the board TX / RX and GND point to my PC through a USB to Serial converter I bought from Sparkfun.

Here is the link to the Sparkfun page of the converter I am using: SparkFun FTDI Basic Breakout - 3.3V

By using "minicom" on Linux or Mac, when I connect the USB cable to the board I get printed the string "BUF2!F1" from the serial port.


.:HWMOD:.

---------- Post added at 10:35 AM ---------- Previous post was at 10:20 AM ----------

If bricked, can you boot to fastboot? See if the tool responds to fastboot? I mean it can't hurt to just plug it in and not do anything.

No ... the board cannot be recognized by "fastboot", with other tools I can write to all the partitions except the "mmcblk0boot0", "mmcblk0boot1" and "mmcblk0rpm" blocks.


.:HWMOD:.
 

blakegriplingph

Senior Member
May 13, 2011
1,070
157
Amazon Fire
Realme C3
I have now taken out the board from the tablet case and connected the board TX / RX and GND point to my PC through a USB to Serial converter I bought from Sparkfun.

Here is the link to the Sparkfun page of the converter I am using: SparkFun FTDI Basic Breakout - 3.3V

By using "minicom" on Linux or Mac, when I connect the USB cable to the board I get printed the string "BUF2!F1" from the serial port.


.:HWMOD:.

---------- Post added at 10:35 AM ---------- Previous post was at 10:20 AM ----------



No ... the board cannot be recognized by "fastboot", with other tools I can write to all the partitions except the "mmcblk0boot0", "mmcblk0boot1" and "mmcblk0rpm" blocks.


.:HWMOD:.

Sounds interesting. Not sure if I could get my hands on one of those though, but if anyone is willing to donate or part with one, I'd be glad to have it so I could revive and unlock this LeapFrog Epic I bricked last January. Is that all what we need to interface with the board, or is there anything else I need to take note of?

As for the "mmcblk0boot0", "mmcblk0boot1" and "mmcblk0rpm" blocks, could that be the reason why my Epic stayed dead even after writing pretty much every partition using Write Memory? The problem is yes the tablet is still seen by the computer, but not as an MTK preloader device unlike with a functional tablet, i.e. "USB Serial Device (COM4)" or something along the lines of it. Even if you flash everything needed to get the device to work using the aforementioned tool in SPFT, the device is still stuck in that mode - I believe that's meta mode, right? Is there a way to knock it out of meta or something?
 

truetech000

New member
Mar 22, 2016
4
4

BeeWall

Senior Member
Jun 29, 2016
631
234
I was just snooping around the net and found this, https://xdaforums.com/android/software-hacking/question-mounting-recover-partition-adb-t3591261, would we be able to use anything like this to flash a custom recovery permanently. not unlocked bootloader but might be on to something. can't boot to my recovery partition so it must have done something to modify it, it might work better for someone who knows what they are doing :)
Technically, it flashed it for you. However, the bootloader checks the signature, so it won't let you boot into it.
 

blakegriplingph

Senior Member
May 13, 2011
1,070
157
Amazon Fire
Realme C3
Technically, it flashed it for you. However, the bootloader checks the signature, so it won't let you boot into it.

Same goes if you use Write Memory on critical partitions using SP Flash Tool. You can flash /system and it would still boot, but do the same with boot or logo.bin and it either gets stuck on the logo, or doesn't boot at all.
 

Top Liked Posts

  • 13
    Pins to use to prevent the BootROM from booting the EMMC code

    Wait, so you're saying you have touchscreen-issues on the 5th gen?
    So far only the brom-exploit is ported on mt8127 there shouldn't be any touchscreen-issues on 5th gen.
    On 7th gen it is very likely when using the preloader/lk from the 5th gen, but currently can't do anything about it, that would need the LK-exploit.
    Good find, please share a photo with the location marked :)
    The touchscreen issues I am talking about are those already known, the need to press the power button a couple of times because
    the tablet is initialized with only the back light on but no signal on the screen. Not a bad issue, normal users will not do that often,
    so it is a low priority quirk.

    Here is the photo of the relevant pads and test points that can be used to keep the "bootrom" from booting from the EMMC.
    CMD is what we have been using up to now, but it seems to me it requires more tries, sometimes too many.
    CKE should be the preferred one because it is the EMMC "clock enable" line, but that also showed some missed tentative..
    VDD1 is currently my preferred pin to short. It never missed a shot, also being it a voltage line I use a 100ohm resistor to ground (shield) to be on the safe side.

    .:HWMOD:.
    8
    And bricked didn't work. It's okay i have another fire :p

    Me and @hwmod just spent 3 hours working with the preloader on the Amazon Fire 5th gen 7in tablet. We successfully wrote the non-production preloader.img to the device.
    Code:
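    adb shell
    su
    # work out of /data/local/tmp, where preloader.img was pushed beforehand
    cd /data/local/tmp
    # write the image to the first eMMC boot partition
    busybox cat preloader.img > /dev/block/mmcblk0boot0
    # read the same region back (240 x 512-byte blocks) and compare it with the source
    dd if=/dev/block/mmcblk0boot0 of=preloader_unsecure.img bs=512 count=240
    busybox diff preloader.img preloader_unsecure.img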
    NOTE When sending files back and forth to the device it is best to work out of /data/local/tmp. we send the preloader.img to /data/local/tmp before running these commands.
    Also Busybox must be installed on the rooted device.
    The diff command showed that the files matched so we successfully wrote the file.
    From here we reboot the device to see what would happen and the device hard brick / only preloader is accessible.
    We can access the device in preloader mode with the handshake.py file from aftv2 files link previously but still need to figure out a way to get it booting again. :) it's ok i have extra tablets.
    More to report soon hopefully along with a full post from @hwmod
    Warning this is very technical and will not be easy to unbrick devices until we can get some bugs worked out.
    7
    Well I am going to step up and help to get the bootloader unlocked.. It should be that hard. Once I start digging into it..

    Sent from my ASUS_Z00A using XDA-Developers mobile app
    7
    serial console output

    I bought one of these 7-inch Fire Tablets (5th generation) during the $35 sale a few weeks back. I purchased it from a big chain store, so it has model SV98LN rather than the KFFOWI reported by others in this forum, but everything else seems the same. After removing the rear panel, I looked around for test points on the motherboard. There were two conveniently labeled TX and RX. Poking around with a multimeter revealed that things were running at 1.8v. I found good places to attach leads for VCC and GND, and connected them along with TX and RX to a spare FT232R-based serial adapter.

    At 115200 baud (on-chip boot rom):

    Code:
    [DL] 00000000 00000000 010701
    
    PR: 0001 01A6
    F3: 0000 0000
    V0: 0000 0000 [0001]
    00: 1027 0002
    01: 0000 0000
    BP: 0000 0059
    G0: 0182 0000
    T0: 0000 0418
    Jump to BL

    Then at 921600 baud (preloader):

    Code:
    [USBD] USB PRB0 LineState: 0
    
    [USBD] USB cable/ No Cable inserted!
    
    [PLFM] Keep stay in USB Mode
    Platform initialization is ok
    wait for frequency meter finish, CLK26CALI = 0x81
    mt_pll_post_init: mt_get_cpu_freq = 1040000Khz
    wait for frequency meter finish, CLK26CALI = 0x90
    mt_pll_post_init: mt_get_bus_freq = 273000Khz
    wait for frequency meter finish, CLK26CALI = 0x81
    mt_pll_post_init: mt_get_mem_freq = 333251Khz
    [PWRAP] pwrap_init_preloader
    [PWRAP] pwrap_init
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=0,rdata=2D52
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=1,rdata=800
    [PWRAP] _pwrap_init_sistrobe [Read Test] pass,index=2 rdata=5AA5
    [PWRAP] _pwrap_init_sistrobe [Read Test] pass,index=3 rdata=5AA5
    [PWRAP] _pwrap_init_sistrobe [Read Test] pass,index=4 rdata=5AA5
    [PWRAP] _pwrap_init_sistrobe [Read Test] pass,index=5 rdata=5AA5
    [PWRAP] _pwrap_init_sistrobe [Read Test] pass,index=6 rdata=5AA5
    [PWRAP] _pwrap_init_sistrobe [Read Test] pass,index=7 rdata=5AA5
    [PWRAP] _pwrap_init_sistrobe [Read Test] pass,index=8 rdata=5AA5
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=9,rdata=1001
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=10,rdata=B54B
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=11,rdata=B54B
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=12,rdata=B54B
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=13,rdata=B54B
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=14,rdata=B54B
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=15,rdata=B54B
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=16,rdata=B54B
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=17,rdata=2003
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=18,rdata=6A97
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=19,rdata=6A97
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=20,rdata=6A97
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=21,rdata=6A97
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=22,rdata=6A97
    [PWRAP] _pwrap_init_sistrobe [Read Test] fail,index=23,rdata=6A97
    [PWRAP] _pwrap_init_reg_clock
    [PMIC_WRAP]wrap_init pass,the return value=0.
    [pmic6323_init] Preloader Start..................
    [pmic6323_init] PMIC CHIP Code = 0x2023
    INT_MISC_CON: 0  TOP_RST_MISC: 0
    pl pmic powerkey Release
    [pmic6323_init] powerKey = 0
    [pmic6323_init] is USB in = 0xB003
    [pmic6323_init] Reg[0x11A]=0x1B
    [pmic6323_init] Done...................
    [PLFM] Init I2C: OK(0)
    [PLFM] Init PWRAP: OK(0)
    [PLFM] Init PMIC: OK(0)
    [PLFM] chip[CA00]
    
    [BLDR] Build Time: 20150730-164940

    At this point the port switches back to 115200 baud, emits "READY", and waits briefly for input (in case the flash programming tool is connected). After a short time, it switches back to 921000 baud and continues.

    Code:
    ==== Dump RGU Reg ========
    RGU MODE:     4D
    RGU LENGTH:   FFE0
    RGU STA:      0
    RGU INTERVAL: FFF
    RGU SWSYSRST: 0
    ==== Dump RGU Reg End ====
    RGU: g_rgu_satus:0
     mtk_wdt_mode_config  mode value=10, tmp:22000010
    PL P ON
    WDT does not trigger reboot
     mtk_wdt_mode_config  mode value=5D, tmp:2200005D
    RGU mtk_wdt_init:MTK_WDT_DEBUG_CTL(590200F3)
    kpd read addr: 0x0040: data:0x4001
    Enter mtk_kpd_gpio_set! 
    kpd debug column : -2147483612, -2147483611, 0, 0, 0, 0, 0, 0
    kpd debug row : 0, 0, 0, 0, 0, 0, 0, 0
    after set KP enable: KP_SEL = 0x0 !
    MTK_PMIC_RST_KEY is used for this project!
    [RTC] get_frequency_meter: input=0x0, ouput=5
    [RTC] get_frequency_meter: input=0x0, ouput=3968
    [RTC] get_frequency_meter: input=0x0, ouput=5
    [RTC] get_frequency_meter: input=0x0, ouput=0
    [RTC] get_frequency_meter: input=0x0, ouput=0
    [RTC] bbpu = 0xE, con = 0xBFFA
    rtc_first_boot_init
    [RTC] get_frequency_meter: input=0x0, ouput=5
    [RTC] get_frequency_meter: input=0x0, ouput=3968
    [RTC] get_frequency_meter: input=0x0, ouput=5
    [RTC] get_frequency_meter: input=0x0, ouput=0
    [RTC] get_frequency_meter: input=0x0, ouput=0
    rtc_2sec_stat_clear
    rtc_2sec_reboot_check cali=1536
    [RTC] irqsta = 0x0, pdn1 = 0x0, pdn2 = 0x201, spar0 = 0xC0, spar1 = 0x800
    [RTC] new_spare0 = 0x0, new_spare1 = 0x1, new_spare2 = 0x1, new_spare3 = 0x1
    [RTC] bbpu = 0xE, con = 0x426, cali = 0x600
    pl pmic powerkey Release
    hw_set_cc: 450
    [0x0]=0x7B
    [0x1]=0x7B
    [0x2]=0xB2
    [0x3]=0xB2
    [0x4]=0x8C
    [0x5]=0x8C
    [0x6]=0x1F
    [0x7]=0x1F
    [0x8]=0xC
    [0x9]=0xC
    [0xA]=0x0
    [0xB]=0x0
    [0xC]=0x1
    [0xD]=0x1
    [0xE]=0x1
    [0xF]=0x1
    [0x10]=0x0
    [0x11]=0x0
    [0x12]=0x0
    [0x13]=0x0
    [0x14]=0x60
    [0x15]=0x60
    [0x16]=0x0
    [0x17]=0x0
    [0x18]=0x0
    [0x19]=0x0
    [0x1A]=0x10
    [0x1B]=0x10
    [0x1C]=0x0
    [0x1D]=0x0
    [0x1E]=0x1
    [0x1F]=0x1
    [0x20]=0x1
    [0x21]=0x1
    [0x22]=0x0
    [0x23]=0x0
    [0x24]=0x0
    [0x25]=0x0
    [0x26]=0x0
    [0x27]=0x0
    [0x28]=0x21
    [0x29]=0x21
    [0x2A]=0x14
    [0x2B]=0x14
    [0x2C]=0x44
    [0x2D]=0x44
    [0x2E]=0x54
    [0x2F]=0x54
    [0x30]=0x0
    [0x31]=0x0
    [0x32]=0x0
    [0x33]=0x0
    [0x34]=0x0
    [0x35]=0x0
    [0x36]=0x0
    [0x37]=0x0
    [0x38]=0x55
    [0x39]=0x55
    [0x3A]=0x0
    hw_set_cc: done
    [PLFM] USB/charger boot!
    hw_set_cc: 450
    [0x0]=0x7B
    [0x1]=0x7B
    [0x2]=0xB2
    [0x3]=0xB2
    [0x4]=0x8C
    [0x5]=0x8C
    [0x6]=0x1F
    [0x7]=0x1F
    [0x8]=0xC
    [0x9]=0xC
    [0xA]=0x0
    [0xB]=0x0
    [0xC]=0x1
    [0xD]=0x1
    [0xE]=0x1
    [0xF]=0x1
    [0x10]=0x0
    [0x11]=0x0
    [0x12]=0x0
    [0x13]=0x0
    [0x14]=0x60
    [0x15]=0x60
    [0x16]=0x0
    [0x17]=0x0
    [0x18]=0x0
    [0x19]=0x0
    [0x1A]=0x10
    [0x1B]=0x10
    [0x1C]=0x0
    [0x1D]=0x0
    [0x1E]=0x1
    [0x1F]=0x1
    [0x20]=0x1
    [0x21]=0x1
    [0x22]=0x0
    [0x23]=0x0
    [0x24]=0x0
    [0x25]=0x0
    [0x26]=0x0
    [0x27]=0x0
    [0x28]=0x21
    [0x29]=0x21
    [0x2A]=0x14
    [0x2B]=0x14
    [0x2C]=0x44
    [0x2D]=0x44
    [0x2E]=0x54
    [0x2F]=0x54
    [0x30]=0x0
    [0x31]=0x0
    [0x32]=0x0
    [0x33]=0x0
    [0x34]=0x0
    [0x35]=0x0
    [0x36]=0x0
    [0x37]=0x0
    [0x38]=0x55
    [0x39]=0x55
    [0x3A]=0x0
    hw_set_cc: done
    [RTC] Check SW Long Press RST = 0xC0
    [RTC] rtc_bbpu_power_on done
    [SD0] Bus Width: 1
    [SD0] SET_CLK(260kHz): SCLK(259kHz) MODE(0) DDR(0) DIV(193) DS(0) RS(0)
    [SD0] Switch to High-Speed mode!
    [SD0] SET_CLK(260kHz): SCLK(259kHz) MODE(2) DDR(1) DIV(96) DS(0) RS(0)
    [SD0] Bus Width: 8
    [SD0] Size: 7456 MB, Max.Speed: 52000 kHz, blklen(512), nblks(15269888), ro(0)
    [SD0] Initialized
    [SD0] SET_CLK(52000kHz): SCLK(50000kHz) MODE(2) DDR(1) DIV(0) DS(0) RS(0)
    msdc_ett_offline_to_pl: size<2> m_id<0x90>
    msdc <0> <HYNIX > <H8G1e>
    msdc <1> <xxxxxx> <H8G1e>
    msdc failed to find
    [EMI] mcp_dram_num:0,discrete_dram_num:1,enable_combo_dis:0
    mt_get_dram_type() 0x3
    [EMI] LPDDR3
    [Check]mt_get_mdl_number 0x0
    [EMI] eMMC/NAND ID = 90,1,4A,48,38,47,31,65,5,7,D0,C8,D4,FA,82,CB
    [EMI] MDL number = 0
    [EMI] emi_set eMMC/NAND ID = 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
    [EMI][Vcore]0x21E=0x48,0x220=0x48
    [EMI][Vmem]0x554=0xF
    [EMI] LPDDR3 DRAM Clock = 1333 MHz, MEMPLL MODE = 2 
    [EMI] PCDDR3 RXTDN Calibration:
    Start REXTDN SW calibration...
    PD 0x1e4[13]:0h
    1.INTREF_SEL:0x100[17:16]:0h
    2.enable P drive (initial settings),DRAMC_DLLSEL:500F0h
    2.1.DRAMC_DLLSEL, CMPDRVP 0x0c0[15:12]:500F0h
    2.2.CMPOT:0x3dc[31]:0h
    2.1.DRAMC_DLLSEL, CMPDRVP 0x0c0[15:12]:510F0h
    2.2.CMPOT:0x3dc[31]:0h
    2.1.DRAMC_DLLSEL, CMPDRVP 0x0c0[15:12]:520F0h
    2.2.CMPOT:0x3dc[31]:0h
    2.1.DRAMC_DLLSEL, CMPDRVP 0x0c0[15:12]:530F0h
    2.2.CMPOT:0x3dc[31]:0h
    2.1.DRAMC_DLLSEL, CMPDRVP 0x0c0[15:12]:540F0h
    2.2.CMPOT:0x3dc[31]:0h
    2.1.DRAMC_DLLSEL, CMPDRVP 0x0c0[15:12]:550F0h
    2.2.CMPOT:0x3dc[31]:0h
    2.1.DRAMC_DLLSEL, CMPDRVP 0x0c0[15:12]:560F0h
    2.2.CMPOT:0x3dc[31]:0h
    2.1.DRAMC_DLLSEL, CMPDRVP 0x0c0[15:12]:570F0h
    2.2.CMPOT:0x3dc[31]:0h
    2.1.DRAMC_DLLSEL, CMPDRVP 0x0c0[15:12]:580F0h
    2.2.CMPOT:0x3dc[31]:0h
    2.1.DRAMC_DLLSEL, CMPDRVP 0x0c0[15:12]:590F0h
    2.2.CMPOT:0x3dc[31]:0h
    2.1.DRAMC_DLLSEL, CMPDRVP 0x0c0[15:12]:5A0F0h
    2.2.CMPOT:0x3dc[31]:0h
    2.1.DRAMC_DLLSEL, CMPDRVP 0x0c0[15:12]:5B0F0h
    2.2.CMPOT:0x3dc[31]:0h
    2.1.DRAMC_DLLSEL, CMPDRVP 0x0c0[15:12]:5C0F0h
    2.2.CMPOT:0x3dc[31]:80000000h
    P drive:12
    3.INTREF_SEL:0x100[17:16]:0h
    4.enable N drive (initial settings),DRAMC_DLLSEL:3C0FFh
    4.1.DRAMC_DLLSEL, CMPDRVN 0x0c0[11:8]:3C0FFh
    4.2.CMPOT:0x3dc[31]:80000000h
    4.1.DRAMC_DLLSEL, CMPDRVN 0x0c0[11:8]:3C1FFh
    4.2.CMPOT:0x3dc[31]:80000000h
    4.1.DRAMC_DLLSEL, CMPDRVN 0x0c0[11:8]:3C2FFh
    4.2.CMPOT:0x3dc[31]:80000000h
    4.1.DRAMC_DLLSEL, CMPDRVN 0x0c0[11:8]:3C3FFh
    4.2.CMPOT:0x3dc[31]:80000000h
    4.1.DRAMC_DLLSEL, CMPDRVN 0x0c0[11:8]:3C4FFh
    4.2.CMPOT:0x3dc[31]:80000000h
    4.1.DRAMC_DLLSEL, CMPDRVN 0x0c0[11:8]:3C5FFh
    4.2.CMPOT:0x3dc[31]:80000000h
    4.1.DRAMC_DLLSEL, CMPDRVN 0x0c0[11:8]:3C6FFh
    4.2.CMPOT:0x3dc[31]:80000000h
    4.1.DRAMC_DLLSEL, CMPDRVN 0x0c0[11:8]:3C7FFh
    4.2.CMPOT:0x3dc[31]:80000000h
    4.1.DRAMC_DLLSEL, CMPDRVN 0x0c0[11:8]:3C8FFh
    4.2.CMPOT:0x3dc[31]:80000000h
    4.1.DRAMC_DLLSEL, CMPDRVN 0x0c0[11:8]:3C9FFh
    4.2.CMPOT:0x3dc[31]:80000000h
    4.1.DRAMC_DLLSEL, CMPDRVN 0x0c0[11:8]:3CAFFh
    4.2.CMPOT:0x3dc[31]:0h
    N drive:9
    drvp=0xC,drvn=0x9
    =============================================
    X-axis: DQS Gating Window Delay (Fine Scale)
    Y-axis: DQS Gating Window Delay (Coarse Scale)
    =============================================
              0    8   16   24   32   40   48   56   64   72   80   88   96  104  112  120
          --------------------------------------------------------------------------------
    0006:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
    0007:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
    0008:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
    0009:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
    000A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
    000B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
    000C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
    000D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
    000E:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
    000F:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
    0010:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
    0011:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
    0012:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    1
    0013:|    0    0    0    0    0    0    0    0    0    1    1    1    1    1    1    1
    0014:|    0    0    1    1    1    1    1    1    1    1    1    1    1    1    1    0
    0015:|    1    1    1    1    1    1    1    1    0    0    0    0    0    0    0    0
    0016:|    1    1    0    0    0    0    0    0    0    0    0    0    0    0    0    0
    Rank 13 coarse tune value selection : 32, 
    20
    64
    rank 0 coarse = 20
    rank 0 fine = 64
    00:|    0    0    0    0    1    1    1    0
    opt_dle value:9
    [EMI]warning:rank auto detect:==single rank==
    Change CMD/ADDR output delay  = 15 
    Change CLK output delay  = 15 
    20
    80
    Change CMD/ADDR output delay  = 14 
    Change CLK output delay  = 14 
    20
    80
    Change CMD/ADDR output delay  = 13 
    Change CLK output delay  = 13 
    20
    80
    Change CMD/ADDR output delay  = 12 
    Change CLK output delay  = 12 
    20
    80
    Change CMD/ADDR output delay  = 11 
    Change CLK output delay  = 11 
    20
    80
    Change CMD/ADDR output delay  = 0 
    Change CLK output delay  = 0 
    20
    64
    byte:0, (DQS,DQ)=(8,9)
    byte:1, (DQS,DQ)=(8,A)
    byte:2, (DQS,DQ)=(8,8)
    byte:3, (DQS,DQ)=(8,8)
    [EMI] DRAMC calibration passed
    
    [MEM] complex R/W mem test pass
    0:dram_rank_size:40000000
    [Dram_Buffer] dram size:1073741824 
    [Dram_Buffer] structure size: 1557624 
    [Dram_Buffer] MAX_TEE_DRAM_SIZE: 268435456 
    
    << binary spew, perhaps signature from nvram? >>
    
    sram(0xC10C983F) sig  mismatch
    RAM_CONSOLE start: 0x83F00000, size: 0x4000
    RAM_CONSOLE wdt status (0x0)=0x0
    [PLFM] Init Boot Device: OK(0)
    Enter mtk_kpd_gpio_set! 
    kpd debug column : -2147483612, -2147483611, 0, 0, 0, 0, 0, 0
    kpd debug row : 0, 0, 0, 0, 0, 0, 0, 0
    
    [PART] GPT dump
    [PART] 1: 00000800 00000800 'KB'
    [PART] 2: 00000800 00001000 'DKB'
    [PART] 3: 00008B00 00001800 'EXPDB'
    [PART] 4: 00000800 0000A300 'UBOOT'
    [PART] 5: 00008000 0000AB00 'boot'
    [PART] 6: 00008000 00012B00 'recovery'
    [PART] 7: 00000400 0001AB00 'MISC'
    [PART] 8: 00001C00 0001AF00 'LOGO'
    [PART] 9: 00002800 0001CB00 'TEE1'
    [PART] 10: 00002800 0001F300 'TEE2'
    [PART] 11: 00258000 00021B00 'system'
    [PART] 12: 0007D000 00279B00 'cache'
    [PART] 13: 00B994DF 002F6B00 'userdata'
    [LIB] HW ENC
    [platform_vusb_on] PASS
    step A2 : Standard USB Host!
    
    [PLFM] USB cable in
    No Battery
    [0xE]=0x1005
    [TOOL] USB enum timeout (Yes), handshake timeout(Yes)
    USB HW reg: index14=0x0
    [USBD] USB Full Speed
    [TOOL] Enumeration(Start)
    [USBD] USB High Speed
    [TOOL] Enumeration(End): OK 616ms 
    [TOOL] : usb listen timeout
    [TOOL] <USB> cannot detect tools!
    [TOOL] <UART> listen  ended, receive size:0!
    
    [TOOL] <UART> wait sync time 150ms->5ms
    [TOOL] <UART> receieved data: ()
    
    Device APC domain init setup:
    
    mmc_rpmb_get_wc, mmc_set_part_config done!!
    mmc_rpmb_send_command -> req_type=0x1, type=0x2, blks=0x1
    mmc_rpmb_send_command -> req_type=0x2, type=0x2, blks=0x1
    mmc_rpmb_get_wc, rpmb_req.result=0
    [RPMB] RPMB Provisioned
    mmc_rpmb_send_command -> req_type=0x1, type=0x4, blks=0x1
    mmc_rpmb_send_command -> req_type=0x2, type=0x4, blks=0x1
    [RPMB] Valid anti-rollback block exists
    [PART] Image with part header
    [PART] name : LK
    [PART] addr : FFFFFFFFh mode : -1
    [PART] size : 409428
    [PART] magic: 58881688h
    [SECURITY]: Production device
    [PART] This is a production device.
    [PART] Verifying LK...
    [VERIFY_LK] Succeed to pass the LK verification.
    
    [PART] load "3" from 0x0000000001460200 (dev) to 0x81E00000 (mem) [SUCCESS]
    [PART] load speed: 2960KB/s, 409428 bytes, 135ms
    0:dram_rank_size:40000000
    DRAM size is 0x40000000
    [PART] Image with part header
    [PART] name : TEE
    [PART] addr : FFFFFFFFh mode : -1
    [PART] size : 1063936
    [PART] magic: 58881688h
    
    [PART] load "8" from 0x0000000003960200 (dev) to 0xBFF00000 (mem) [SUCCESS]
    [PART] load speed: 74213KB/s, 1063936 bytes, 14ms
    [PART] Image with part header
    [PART] name : TEE
    [PART] addr : FFFFFFFFh mode : -1
    [PART] size : 1063936
    [PART] magic: 58881688h
    
    [PART] load "8" from 0x0000000003960200 (dev) to 0xB8A00000 (mem) [SUCCESS]
    [PART] load speed: 79922KB/s, 1063936 bytes, 13ms
    [BLMTEE] sha256 takes 6 (ms) for 1063360 bytes
    [BLMTEE] rsa2048 takes 117 (ms)
    [BLMTEE] verify pkcs#1 pss: 1 (ms)
    [BLMTEE] aes128cbc 9 (ms) for 1063360
    [ANTI-ROLLBACK] Processing anti-rollback data
    
    mmc_rpmb_send_command -> req_type=0x1, type=0x4, blks=0x1
    mmc_rpmb_send_command -> req_type=0x2, type=0x4, blks=0x1
    [ANTI-ROLLBACK] PL: 2 TEE: 3002 LK: 2
    [ANTI-ROLLBACK] Checksum validated
    [ANTI-ROLLBACK] All checks passed
    No Battery
    [0xE]=0x1005
    hw_set_cc: 450
    [0x0]=0x6B
    [0x1]=0x6B
    [0x2]=0xB2
    [0x3]=0xB2
    [0x4]=0x8C
    [0x5]=0x8C
    [0x6]=0x1F
    [0x7]=0x1F
    [0x8]=0xC
    [0x9]=0xC
    [0xA]=0x0
    [0xB]=0x0
    [0xC]=0x1
    [0xD]=0x1
    [0xE]=0x1005
    [0xF]=0x1005
    [0x10]=0x0
    [0x11]=0x0
    [0x12]=0x0
    [0x13]=0x0
    [0x14]=0x60
    [0x15]=0x60
    [0x16]=0x0
    [0x17]=0x0
    [0x18]=0x0
    [0x19]=0x0
    [0x1A]=0x10
    [0x1B]=0x10
    [0x1C]=0x0
    [0x1D]=0x0
    [0x1E]=0x1
    [0x1F]=0x1
    [0x20]=0x1
    [0x21]=0x1
    [0x22]=0x0
    [0x23]=0x0
    [0x24]=0x3
    [0x25]=0x3
    [0x26]=0x0
    [0x27]=0x0
    [0x28]=0x21
    [0x29]=0x21
    [0x2A]=0x14
    [0x2B]=0x14
    [0x2C]=0x44
    [0x2D]=0x44
    [0x2E]=0x54
    [0x2F]=0x54
    [0x30]=0x0
    [0x31]=0x0
    [0x32]=0x0
    [0x33]=0x0
    [0x34]=0x0
    [0x35]=0x0
    [0x36]=0x0
    [0x37]=0x0
    [0x38]=0x55
    [0x39]=0x55
    [0x3A]=0x0
    hw_set_cc: done
    [PLFM] Wait for battery inserted...
    pl pmic close pre-chr LED
    pl charging en
    hw_set_cc: 450
    [0x0]=0x7B
    [0x1]=0x7B
    [0x2]=0xB2
    [0x3]=0xB2
    [0x4]=0x8C
    [0x5]=0x8C
    [0x6]=0x1F
    [0x7]=0x1F
    [0x8]=0xC
    [0x9]=0xC
    [0xA]=0x0
    [0xB]=0x0
    [0xC]=0x1
    [0xD]=0x1
    [0xE]=0x1005
    [0xF]=0x1005
    [0x10]=0x0
    [0x11]=0x0
    [0x12]=0x0
    [0x13]=0x0
    [0x14]=0x60
    [0x15]=0x60
    [0x16]=0x0
    [0x17]=0x0
    [0x18]=0x0
    [0x19]=0x0
    [0x1A]=0x10
    [0x1B]=0x10
    [0x1C]=0x0
    [0x1D]=0x0
    [0x1E]=0x1
    [0x1F]=0x1
    [0x20]=0x1
    [0x21]=0x1
    [0x22]=0x0
    [0x23]=0x0
    [0x24]=0x3
    [0x25]=0x3
    [0x26]=0x0
    [0x27]=0x0
    [0x28]=0x21
    [0x29]=0x21
    [0x2A]=0x14
    [0x2B]=0x14
    [0x2C]=0x4
    [0x2D]=0x4
    [0x2E]=0x54
    [0x2F]=0x54
    [0x30]=0x0
    [0x31]=0x0
    [0x32]=0x0
    [0x33]=0x0
    [0x34]=0x0
    [0x35]=0x0
    [0x36]=0x0
    [0x37]=0x0
    [0x38]=0x55
    [0x39]=0x55
    [0x3A]=0x0
    hw_set_cc: done
    [0x0]=0x7B
    [0x1]=0x7B
    [0x2]=0xB2
    [0x3]=0xB2
    [0x4]=0x8C
    [0x5]=0x8C
    [0x6]=0x1F
    [0x7]=0x1F
    [0x8]=0xC
    [0x9]=0xC
    [0xA]=0x0
    [0xB]=0x0
    [0xC]=0x1
    [0xD]=0x1
    [0xE]=0x1005
    [0xF]=0x1005
    [0x10]=0x0
    [0x11]=0x0
    [0x12]=0x0
    [0x13]=0x0
    [0x14]=0x60
    [0x15]=0x60
    [0x16]=0x0
    [0x17]=0x0
    [0x18]=0x0
    [0x19]=0x0
    [0x1A]=0x10
    [0x1B]=0x10
    [0x1C]=0x0
    [0x1D]=0x0
    [0x1E]=0x1
    [0x1F]=0x1
    [0x20]=0x9
    [0x21]=0x9
    [0x22]=0x0
    [0x23]=0x0
    [0x24]=0x3
    [0x25]=0x3
    [0x26]=0x0
    [0x27]=0x0
    [0x28]=0x21
    [0x29]=0x21
    [0x2A]=0x14
    [0x2B]=0x14
    [0x2C]=0x4
    [0x2D]=0x4
    [0x2E]=0x54
    [0x2F]=0x54
    [0x30]=0x0
    [0x31]=0x0
    [0x32]=0x0
    [0x33]=0x0
    [0x34]=0x0
    [0x35]=0x0
    [0x36]=0x0
    [0x37]=0x0
    [0x38]=0x55
    [0x39]=0x55
    [0x3A]=0x0
    pl charging done
    No Battery
    [0xE]=0x1005
    No Battery
    [0xE]=0x1005

    Over the next few days, I'll try various boot configurations (holding down buttons, poking various test points, using a "factory cable") and look for differences in the console output. I'll summarize those differences when I've finished the work.

    NOTE: When I captured this output, it was after having written some bad data to the NVRAM partition. I believe that explains the initial "[Read Test] fail" messages as well as the later complaint "sram(0xC10C983F) sig mismatch".

    ---------- Post added at 12:38 AM ---------- Previous post was at 12:21 AM ----------

    If anyone has a bricked or broken tablet that they'd be willing to part with, please PM me. I'd like to have at least one more device on which to experiment.

    I've been poking and prodding my current device quite a bit already, and I think I may have zapped some part of the power-management circuitry which charges the battery. (Pro tip: remember to unplug the USB cable before applying an alcohol-soaked Q-tip to the board.)

    I've already found lots of test points hiding on the motherboard, but it's almost impossible to see where they're going. I'd like to use a hot-air rework station and remove the big chips so I can get to the solder pads.
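
Added example, not part of the original posts or of any tool named in the thread: a Python parser that pulls the secure-boot evidence out of the preloader log above (GPT layout, which partition each image was loaded from, the LK verification verdict and the anti-rollback counters). Reading the two GPT columns as size and start in 512-byte sectors is an inference from the log itself, and all function names are hypothetical.

```python
import re

SECTOR = 512  # the log reports blklen(512) for the eMMC

# Constructed sample: lines copied from the preloader log in the post above.
SAMPLE_LOG = """\
[PART] GPT dump
[PART] 1: 00000800 00000800 'KB'
[PART] 2: 00000800 00001000 'DKB'
[PART] 3: 00008B00 00001800 'EXPDB'
[PART] 4: 00000800 0000A300 'UBOOT'
[PART] 5: 00008000 0000AB00 'boot'
[PART] 6: 00008000 00012B00 'recovery'
[PART] 7: 00000400 0001AB00 'MISC'
[PART] 8: 00001C00 0001AF00 'LOGO'
[PART] 9: 00002800 0001CB00 'TEE1'
[PART] 10: 00002800 0001F300 'TEE2'
[PART] 11: 00258000 00021B00 'system'
[PART] 12: 0007D000 00279B00 'cache'
[PART] 13: 00B994DF 002F6B00 'userdata'
[RPMB] Valid anti-rollback block exists
[PART] name : LK
[SECURITY]: Production device
[PART] Verifying LK...
[VERIFY_LK] Succeed to pass the LK verification.
[PART] load "3" from 0x0000000001460200 (dev) to 0x81E00000 (mem) [SUCCESS]
[PART] name : TEE
[PART] load "8" from 0x0000000003960200 (dev) to 0xBFF00000 (mem) [SUCCESS]
[ANTI-ROLLBACK] PL: 2 TEE: 3002 LK: 2
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] All checks passed
"""

GPT_RE = re.compile(r"\[PART\] (\d+): ([0-9A-F]{8}) ([0-9A-F]{8}) '([^']+)'")
NAME_RE = re.compile(r"\[PART\] name : (\w+)")
LOAD_RE = re.compile(r'\[PART\] load "(\d+)" from (0x[0-9A-Fa-f]+) \(dev\) '
                     r"to (0x[0-9A-Fa-f]+) \(mem\) \[(\w+)\]")
ARB_RE = re.compile(r"\[ANTI-ROLLBACK\] PL: (\d+) TEE: (\d+) LK: (\d+)")


def parse_gpt(log):
    """Return [(index, name, start_byte, size_byte)].

    Assumption: first hex column is the size, second the start, both in sectors.
    """
    parts = []
    for m in GPT_RE.finditer(log):
        size, start = int(m.group(2), 16), int(m.group(3), 16)
        parts.append((int(m.group(1)), m.group(4), start * SECTOR, size * SECTOR))
    return parts


def gpt_is_contiguous(parts):
    """Sanity check of the column reading: each entry starts where the previous ends."""
    return all(a[2] + a[3] == b[2] for a, b in zip(parts, parts[1:]))


def locate(parts, dev_offset):
    """Map an absolute eMMC byte offset to (gpt_index, name, offset inside partition)."""
    for index, name, start, size in parts:
        if start <= dev_offset < start + size:
            return index, name, dev_offset - start
    return None, None, None


def summarize(log):
    """Collect the secure-boot evidence the preloader printed during one boot."""
    parts = parse_gpt(log)
    arb = ARB_RE.search(log)
    summary = {
        "production": "[SECURITY]: Production device" in log,
        "lk_verified": "[VERIFY_LK] Succeed" in log,
        "anti_rollback_ok": "[ANTI-ROLLBACK] All checks passed" in log,
        "counters": dict(zip(("PL", "TEE", "LK"), map(int, arb.groups()))) if arb else None,
        "loads": [],
    }
    image = None  # most recent "[PART] name : X" header seen before a load line
    for line in log.splitlines():
        name = NAME_RE.match(line)
        if name:
            image = name.group(1)
        load = LOAD_RE.match(line)
        if load:
            index, part, offset = locate(parts, int(load.group(2), 16))
            summary["loads"].append({
                "image": image, "partition": part, "gpt_index": index,
                "quoted": int(load.group(1)),  # number inside load "N"
                "offset": offset, "mem": load.group(3),
                "ok": load.group(4) == "SUCCESS",
            })
    return summary


def boot_chain_enforced(summary):
    """True only when the log shows every check: production fuse state,
    LK signature verification and the anti-rollback comparison."""
    return (summary["production"] and summary["lk_verified"]
            and summary["anti_rollback_ok"])


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, both images resolve to an offset of 0x200 inside their partitions (LK in 'UBOOT', TEE in 'TEE1'), and the number quoted in each `load "N"` line is the GPT index minus one.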
    6
    serial console: no soldering!

    In reading threads about other phones and tablets, I somewhere ran across a mention that perhaps the USB port can be used directly as the console. After a bit of experimentation, I got that to work on the Fire.

    Code:
      TTL       USB A/B   USB MINI/MICRO
      SIGNAL    PORT PIN  PORT PIN
      --------- --------- ---------------
      +5V       1         1
      RX        2         2
      TX        3         3
      NC        4
      GND       5         4

    I verified that this works with three USB/serial chipsets: FT232RL, PL-2302/X, and CP2102.