My Tab has become a complete brick after firmware flashing. Screen is black, no USB connection, no other signs of life. I've disassembled the device and have access to JTAG pins. Does anyone have experience with using OpenOCD to recover Galaxy Tab or Galaxy S? In my understanding, I need to flash the initial and secondary bootloaders to be able to proceed with Odin/Heimdall.
For anyone interested, I was able to attach to the board with OpenOCD using the configuration script below.
The Tab halted in the first bootloader with the following output:
PBL: Error.. sbl verification failed..
PBL: booting stop!
Code:
reset_config trst_and_srst
jtag_rclk 8
if { [info exists CHIPNAME] } {
    set _CHIPNAME $CHIPNAME
} else {
    set _CHIPNAME S5PC110
}
# CoreSight Debug Access Port
if { [info exists DAP_TAPID ] } {
    set _DAP_TAPID $DAP_TAPID
} else {
    set _DAP_TAPID 0x1ba00477
}
jtag newtap $_CHIPNAME DAP -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_DAP_TAPID
# GDB target: Cortex-A8, using DAP
set _TARGETNAME $_CHIPNAME.cpu
target create $_TARGETNAME cortex_a8 -chain-position $_CHIPNAME.DAP
proc S5PC110_dbginit {target} {
    # General Cortex A8 debug initialisation
    cortex_a8 dbginit
}
# Slow speed to be sure it will work
#jtag_rclk 1000
#$_TARGETNAME configure -event "reset-start" { jtag_rclk 1000 }
$_TARGETNAME configure -event reset-assert-post "S5PC110_dbginit $_TARGETNAME"
I haven't got any experience with OpenOCD yet. But from what I heard, oneNAND access using OpenOCD is hard. I would try first to load SBL directly into memory. Dunno what its location is in the Tab; if you upload PBL+SBL somewhere I can tell you. If it's the same mem location as in I9000, then run it, halt the core where PBL hangs (it's important, because then you've got DRAM controllers configured - mem is accessible) and write sbl.bin onto 0x40244000 (or whatever the address is in the Tab; it should be hex written in little endian notation at 0x20 offset of sbl.bin), then just jump into the beginning of SBL holding the download mode key combination. If partitions are corrupted it probably won't show anything on screen, but should produce UART output and enter dload mode.
It's just my concept, but should work.
If it doesn't work - try to find S5P oneNAND drivers for OpenOCD, maybe they exist already.
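The header check described in the reply above, as an added example that is not part of the original posts: it reads the load address stored little-endian at offset 0x20 of an SBL image and confirms that the first word is an ARM branch landing inside the image, before producing the `load_image` and `resume` commands used later in the thread. The function names are hypothetical, and the sample image is constructed from the 15 words disassembled at 0x40244000 in the thread.

```python
import struct

LOAD_ADDR_OFFSET = 0x20  # per the post: load address, little-endian, at offset 0x20


def decode_arm_branch(word, pc):
    """Target of an unconditional ARM B/BL located at pc, or None if not a branch."""
    if (word >> 24) & 0xFE != 0xEA:           # 0xEA = B, 0xEB = BL, condition AL
        return None
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x00800000:                    # sign-extend the 24-bit word offset
        imm24 -= 0x01000000
    return (pc + 8 + imm24 * 4) & 0xFFFFFFFF  # in ARM state the PC reads as pc + 8


def inspect_sbl(image, expected_base=None):
    """Read the load address at 0x20 and sanity-check the image before loading it."""
    if len(image) < LOAD_ADDR_OFFSET + 4:
        raise ValueError("image too short to hold a load address at 0x20")
    load_addr = struct.unpack_from("<I", image, LOAD_ADDR_OFFSET)[0]
    first_word = struct.unpack_from("<I", image, 0)[0]
    target = decode_arm_branch(first_word, load_addr)

    problems = []
    if target is None:
        problems.append("first word 0x%08x is not an ARM branch" % first_word)
    elif not load_addr <= target < load_addr + len(image):
        problems.append("reset branch target 0x%08x is outside the image" % target)
    if expected_base is not None and load_addr != expected_base:
        problems.append("load address 0x%08x differs from expected 0x%08x"
                        % (load_addr, expected_base))
    return {"load_addr": load_addr, "reset_target": target, "problems": problems}


def openocd_commands(info, filename):
    """The two OpenOCD commands from the thread, filled in from the header."""
    if info["problems"]:
        raise ValueError("refusing to load: " + "; ".join(info["problems"]))
    return ["load_image %s 0x%08x bin" % (filename, info["load_addr"]),
            "resume 0x%08x" % info["load_addr"]]


# Constructed sample: the 15 words shown at 0x40244000 in the thread's disassembly.
SAMPLE_WORDS = [
    0xEA000007,
    0xEAFFFFFE, 0xEAFFFFFE, 0xEAFFFFFE, 0xEAFFFFFE,
    0xEAFFFFFE, 0xEAFFFFFE, 0xEAFFFFFE,
    0x40244000,  # offset 0x20: load address
    0xE10F0000, 0xE3C000FF, 0xE38000D3, 0xE129F000, 0xE59FD17C, 0xE3A00000,
]
SAMPLE_SBL = struct.pack("<%dI" % len(SAMPLE_WORDS), *SAMPLE_WORDS)

if __name__ == "__main__":
    info = inspect_sbl(SAMPLE_SBL, expected_base=0x40244000)
    print("load address : 0x%08x" % info["load_addr"])
    print("reset target : 0x%08x" % info["reset_target"])
    for line in openocd_commands(info, "Sbl.bin"):
        print(">", line)
```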
Thank you for this suggestion. Unfortunately it doesn't help. I downloaded the Sbl image and ran it, but it got stuck somewhere in UART2 transmission.
Will try to connect to the UART lines to see what's output there.
Here are the logs of my OpenOCD session.
Connected and halted the board:
Code:
Open On-Chip Debugger
> halt
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x600001d3 pc: 0x40205450
MMU: disabled, D-Cache: disabled, I-Cache: enabled
> arm disassemble 0x40205430 15
0x40205430 0xeb004b0f BL 0x40218074 ; ?? call some verification function
0x40205434 0xe1a03000 MOV r3, r0
0x40205438 0xe3530000 CMP r3, #0x0
0x4020543c 0x0a000004 BEQ 0x40205454 ; result OK, jump _VerifyOK
0x40205440 0xe59f002c LDR r0, [r15, #0x2c]
0x40205444 0xebfffdff BL 0x40204c48 ; printf "PBL: Error.. sbl verification failed.."
0x40205448 0xe59f0028 LDR r0, [r15, #0x28]
0x4020544c 0xebfffdfd BL 0x40204c48 ; printf "PBL: booting stop!"
0x40205450 0xeafffffe B 0x40205450 ; halt
; _VerifyOK
0x40205454 0xe59f3014 LDR r3, [r15, #0x14] ; r3 = 0x4053924c
0x40205458 0xe5933000 LDR r3, [r3] ; r3 = 0x40244000
0x4020545c 0xe12fff33 BLX r3 ; call Sbl at RAM 0x40244000
0x40205460 0xe24bd004 SUB r13, r11, #0x4
0x40205464 0xe8bd8800 LDM r13!, {r11, r15}
0x40205468 0x402186e0 EORMI r8, r1, r0, ROR #0xd
Let's insert a NOP (0xe1a00000) at 0x40205450 to continue execution:
Code:
> mww 0x40205450 0xe1a00000
> arm disassemble 0x40205450 3
0x40205450 0xe1a00000 NOP
0x40205454 0xe59f3014 LDR r3, [r15, #0x14]
0x40205458 0xe5933000 LDR r3, [r3]
One more thing, let's put a breakpoint at the start of Sbl:
Code:
> bp 0x40244000 4 hw
breakpoint set at 0x40244000
> resume
After a while the board halted at the breakpoint:
Code:
target state: halted
target halted in ARM state due to breakpoint, current mode: Supervisor
cpsr: 0x600001d3 pc: 0x40244000
MMU: disabled, D-Cache: disabled, I-Cache: enabled
remove breakpoint
> rbp 0x40244000
let's check where we are
Code:
> arm disassemble 0x40244000 15
0x40244000 0xea000007 B 0x40244024
0x40244004 0xeafffffe B 0x40244004
0x40244008 0xeafffffe B 0x40244008
0x4024400c 0xeafffffe B 0x4024400c
0x40244010 0xeafffffe B 0x40244010
0x40244014 0xeafffffe B 0x40244014
0x40244018 0xeafffffe B 0x40244018
0x4024401c 0xeafffffe B 0x4024401c
0x40244020 0x40244000 EORMI r4, r4, r0
0x40244024 0xe10f0000 MRS r0, CPSR
0x40244028 0xe3c000ff BIC r0, r0, #0xff
0x4024402c 0xe38000d3 ORR r0, r0, #0xd3
0x40244030 0xe129f000 MSR CPSR_cf, r0
0x40244034 0xe59fd17c LDR r13, [r15, #0x17c]
0x40244038 0xe3a00000 MOV r0, #0x0
load Sbl image and resume
> load_image Sbl.bin 0x40244000 bin
> resume 0x40244000
Tab still dead, no USB, no screen. If I halt it, it is stuck at this function.
The code waits for transmit empty (UTRSTAT2), but the UTRSTAT2 value is always #0.
Code:
40253394: e52db004 push {fp} ; (str fp, [sp, #-4]!)
40253398: e28db000 add fp, sp, #0
4025339c: e24dd00c sub sp, sp, #12
402533a0: e50b0008 str r0, [fp, #-8]
402533a4: e59f302c ldr r3, [pc, #44] ; 0x402533d8 r3 = 0xe2900810 (UTRSTAT2)
402533a8: e5933000 ldr r3, [r3]
402533ac: e2033002 and r3, r3, #2
402533b0: e3530000 cmp r3, #0
402533b4: 0afffffa beq 0x402533a4
402533b8: e59f201c ldr r2, [pc, #28] ; 0x402533dc r2 = 0xe2900820 (UTXH2)
402533bc: e51b3008 ldr r3, [fp, #-8]
402533c0: e5823000 str r3, [r2]
402533c4: e3a03000 mov r3, #0
402533c8: e1a00003 mov r0, r3
402533cc: e28bd000 add sp, fp, #0
402533d0: e8bd0800 pop {fp}
402533d4: e12fff1e bx lr
Odd. PBL is loading SBL but checksum function fails.
Maybe try with different SBL version. Also please upload SBL and PBL you're using. I can't find the right one to analyze. (look at your private messages)
A look into UART output may be useful also. You can always try to set NOP in SBL there, bricking UART handling and pray that it will run USB Dload successfully.
To provide progress on unbricking: I was unable to find OneNAND support for OpenOCD to flash correct images.
Got a Riff Box and reflashed the bootloaders with it. Now my device is back in healthy condition.
Hi,
I can't find fsck.vfat in order to repair a corrupt internal SD card.
How come it's not that popular (if it exists at all)?
Thanks,
Yaron.
I found there is a built-in one patched by Samsung, if it was not added by custom firmware.
# /system/bin/fsck_msdos -ny /dev/block/vold/179:1
/system/bin/fsck_msdos -ny /dev/block/vold/179:1
patched by [email protected] 2011/01/21
** /dev/block/vold/179:1
Boot sector contents:
bytes per sector:.............512
sectors per cluster:..........64
number of reserved sectors:...32
number of FATs:...............2
number of sectors are in FAT:.3440 (1720 KB)
cluster mask (bit):...........32
FAT entries:..................440320
first cluster offset..........6784
cluster size(bytes):..........32768
number of sectors:............28180416
hidden sectors:...............0
number of clusters:...........440213
oem name:.....................android { 0x61 0x6e 0x64 0x72 0x6f 0x69 0x64 0x20}
volume serial number:.........466b-16f7
volume label:.................NO NAME { 0x4f 0x20 0x4e 0x41 0x4d 0x45 0x20 0x20 0x20 0x20 0x46}
file system string id:........FAT32 { 0x41 0x54 0x33 0x32 0x20 0x20 0x20 0xfa}
** Phase 1 - Read and Compare FATs
Attempting to allocate 1720 KB for FAT
Attempting to allocate 1720 KB for FAT
** Phase 2 - Check Cluster Chains
** Phase 3 - Checking Directories
** Phase 4 - Checking for Lost Files
FSNext block (3) is correct, NumClusters (440213)
11950 files, 4180320 free (130635 clusters)
Passing strings to an sbl I got some interesting text:
Code:
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
Board Name: %s %s
ARIES
REV 03
Build On: %s %s
Jul 30 2010
09:53:23
boot_kernel
loadkernel
boot
command_loop
SBL>
%s: parse command error! (%s)
Autoboot (%d seconds) in progress, press any key to stop
Autoboot aborted..
__Re_partition
%s: undefined code for format.
%s: write virtual pit image.
%s: write bootloader images to NAND!
%s: format failed..
Re_partition
%s: magic code(0x%x)
loke_init
%s: file system init failed..
%s: j4fs_open success..
%s: j4fs_open failed..
%s: bye~ bye!
main
%s: booting stop.
%s: booting stop and power off..
I9000XXIL
console=ttySAC2,115200
/mnt/rsv
setting param.serialnr=0x%08x 0x%08x
setting param.board_rev=0x%x
bootmode=2
bootmode=3
setting param.cmdline=%s
argv[%d] : %s
value : %d
Invalide Parameter Name
setenv
valid magic and version 2 ...
invalid magic and version 2 ...
saveenv
save %s, size: %d
param.blk
save %s successfully.
PARAM Rev %d.%d
%s : %d
%s : %s
printenv
load_lfs_parameters
%s valid magic code and version.
load_lfs_parameters invalid magic code and version
boot parameter file does not exist ..
make new boot paremeter file ..
/mnt/rsv
load_debug_level
debug_level.inf
%s reading debug level from file successfully(0x%x).
debug level file does not exist ..
debug level value is incorrect!! Set default level (LOW)..
get_debug_level
%s current debug level is 0x%x.
There're no available commands.
* Help : %s
* Usage : %s
There's no command
Following commands are supported:
* %s
To get commands help, Type "help <command>"
help
Rebooting...
reset
Code:
open
close
erasepart
eraseall
loadkernel
showpart
bbm add partition start
addpart
delpart
savepart
fsr_bml open error
error return value %x
bbm_erase_all
Some of them even look like commands; does anyone know if there is some use for this?
in boot.bin:
Code:
-----------------------------------------------------------
Samsung Primitive Bootloader (PBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
Error Occurs During Boot. Please ReBoot.
FSR_BML_Init Error
BML_Open Error
BML_GetVolInfo Error
BML_LoadPIEntry Error! Part_ID: %d
+n1stVPN %d
+nPgsPerBlk %d
BML_Read Error
ERROR.. Bootable SBL doesn't exist ..
PBL found bootable SBL: Partition(%d).
The input address don't need a virtual-to-physical translation : %08lx
""DD
UPCH
LPCH
LPCH
UPCH
e-fused
I wonder what e-fused is for, and if it's related to e-fuse: http://en.wikipedia.org/wiki/EFUSE
How did you get this? UART, JTAG?
That's a dump of the PBL and SBL from memory into a file, then the Linux "strings" command was run on the file.
I've used search for UPCH and found this thread.
1.
Any idea what UPCH means?
2.
I can't see Thanx button for luismanson...
Maybe my Browser...
Thanx in advance.
Best Regards
Please.
Any news about UPCH?
I need this for JTAG... maybe.
But I don't know what it is...
http://www.ort-jtag.com/blog/?e=10
For instance it is visible in this Video...
But I have an RIFF Box... not ORT... or Medusa seems also to "repair" UPCH...
It seems Bootloader related...
Thanx in advance.
Best Regards
C:\Android>qflash.exe -com10 -ramload MPRG8960.hex -mbn 33 MSM8960_bootloader_singleimage.bin -v -o
Motorola qflash Utility version 1.3
COMPORT :COM10
RAMLOADER :MPRG8960.hex
type is 0x21
7 mbn file name MSM8960_bootloader_singleimage.bin type 33
verbose mode on
Motorola qflash dll version 1.6
RAMLOADER VERSION: PBL_DloadVER2.0
------------------------------------------------------
DEVICE INFORMATION:
------------------------------------------------------
Version : 0x8
Min Version : 0x1
Max Write Size: 0x600
Model : 0x90
Device Size : 0
Description : Intel 28F400BX-TL or Intel 28F400BV-TL
------------------------------------------------------
Using passed in packet size, changing from 0x600 -> 0x600
EXTENDED_LINEAR_ADDRESS_REC @ 0x2a000000
Write 65536 bytes @ 0x2a000000
100EXTENDED_LINEAR_ADDRESS_REC @ 0x2a010000
Write 11840 bytes @ 0x2a010000
100START_LINEAR_ADDRESS_REC @ 0x2a000000
EOF_REC
Sleeping for 3s
-----------------------------------------------------
RAM DOWNLOADER INFORMATION
-----------------------------------------------------
cmd : 0x2
description : QCOM fast download protocol targ
version_number : 0x7
compatible_version: 0x2
max_block_size : 0x400
flash_base_address: 0x0
flash_id_len : 0x4
flash id : eMMC
window_size : 0x1e
number_of_sectors : 0x80
-----------------------------------------------------
sdl_send_security_mode: secutiry mode 0x0
Flashing MSM8960_bootloader_singleimage.bin 1969664 bytes into device
Keeping the first packet (1024 bytes) as hostage
Will release it if all is flashed well
100
Hostage released!
done
But same problem here: it does not come to fastboot and the mobile is like dead.
Please help me.
Not sure what exactly you are attempting to flash? Or how?
Can you provide more details on what happened to your device and what you are now trying to do?
Thanks!
Also note, questions go in the Q&A section, not general. This thread will be moved to Q&A for you.
Ah! This is what you are trying...
http://forum.xda-developers.com/showthread.php?t=2629057
Unfortunately, if the method is followed exactly in that thread, and doesn't work.... There isn't much else you can do. Going to a repair shop might be the only way.
Darth said:
Not sure what exactly you are attempting to flash? Or how?
Can you provide more details on what happened to your device and what you are now trying to do?
Thanks!
Also note, questions go in the Q&A section, not general. This thread will be moved to Q&A for you.
My Moto X XT1052, older Android version 4.4.4; then I was trying to flash (ATT_XT1058_4.4-13.11.1Q2.X-69-3_CFC_1FF.xml) with RSDLite but the (gpt.bin) file would not enter. Then I unlocked the bootloader (Device is UNLOCKED. Status Code: 3 )
Then I tried to flash with (XT1052_RETAIL-EU_4.4.4_KXA21.12-L1.26_54_cid7_CFC_1FF.xml); then gpt.bin and some files entered but other files would not enter, and then it did not come to fastboot and the mobile is like dead. Then I completely succeeded with blank flash, but same problem here: it does not come to fastboot and the mobile is like dead.
You've either downgraded and bricked, or attempted to downgrade and bricked. Ask for help in the thread I linked. But if it doesn't work, your device is likely dead. You'll need a repair shop to look at it.
What could you solve it?
Hello,
I tried to build a kernel myself and it just fails to boot. I have UART access (through headphone adapter) and I just get nothing in the serial console.
I have CM 11.0 and I cloned CM's android_kernel_lge_hammerhead repo and checked out stable/cm-11.0 with hammerhead_defconfig.
I used google's arm-eabi-4.8 precompiled toolchain.
To boot:
Code:
ttouch android_kernel_lge_hammerhead> sudo fastboot boot arch/arm/boot/zImage-dtb
creating boot image...
creating boot image - 8583168 bytes
downloading 'boot.img'...
OKAY [ 0.375s]
booting...
OKAY [ 0.123s]
finished. total time: 0.498s
Here is what I get in UART:
Code:
welcome to hammerhead bootloader
[10] Power on reason 81
[10] DDR: elpida
[90] Loaded IMGDATA at 0x11000000
[90] Display Init: Start
[170] MDP GDSC already enabled
[170] bpp 24
[210] Config MIPI_CMD_PANEL.
[210] display panel: ORISE
[210] display panel: Default setting
[340] Turn on MIPI_CMD_PANEL.
[390] Display Init: Done
[390] cable type from shared memory: 8
[390] vibe
[590] USB init ept @ 0xf957000
[610] secured device: 1
[610] fastboot_init()
[660] splash: fastboot_op
FASTBOOT MODE
PRODUCT_NAME - hammerhead
VARIANT - hammerhead D821(E) 16GB
HW VERSION - rev_11
BOOTLOADER VERSION - HHZ11k
BASEBAND VERSION - M8974A-2.0.50.1.16
CARRIER INFO - None
SERIAL NUMBER - <blablablabla>
SIGNING - production
SECURE BOOT - enabled
LOCK STATE - unlocked
[770] splash: start
[1260] splash: bootloader
[1260] Fastboot mode started
[1260] udc_start()
�����l[60660] -- reset --
[60660] -- portchange --
[60820] -- reset --
[60820] -- portchange --
[60990] fastboot: processing commands
��[112660] fastboot: download:0082f800
downloading...
[113140] fastboot: boot
[113150] Found Appeneded Flattened Device tree
[113150] DTB: platform id 126, board id 150, soc rev 20002, board rev 11
[113160] get_display_kcal = 0, 0, 0, x
[113200] vibe
[113300] splash: boot
[113340] splash: unlocked
[113380] cmdline: uart_console=enable lcd_maker_id=primary lge.hreset=off lge.reset=unknown gpt=enable lge.kcal=0|0|0|x lge.rev=rev_11 androidboot.laf androidboot.emmc=true fastboot=true androidboot.serialno=<blablablabla> androidboot.bootloader=HHZ11k androidb[113400] Updating device tree: start
[113420] Updating device tree: done
[113420] booting linux @ 0x10008000, ramdisk @ 0x11000000 (0), tags/device tree @ 0x10000100
[113430] Turn off MIPI_CMD_PANEL.
[113430] Continuous splash enabled, keeping panel alive.
[113430] undefined abort, halting
[113430] r0 0x00000000 r1 0x00000000 r2 0x10000100 r3 0x003996e3
[113430] r4 0x10008000 r5 0x0f92607a r6 0x0f925d5b r7 0x0f925f89
[113430] r8 0x0f955652 r9 0x0f9556c7 r10 0x00000001 r11 0x10000100
[113430] r12 0x20000193 usp 0x00000000 ulr 0x00000000 pc 0x1000800c
[113430] spsr 0x40000193
I've never installed a kernel like that (via fastboot) and I had to look up the headphone UART adapter thing.
I don't have much to offer. I always use mkbootimg to link my kernel and ramdisk, then flash it via fastboot. Looking at your serial dump, the only thing I see is that the base, ramdisk, and tags offsets look completely different from the ones I use with mkbootimg.
BASE=0x00000000
PAGESIZE=2048
RAMDISK_OFFSET=0x02900000
TAGS_OFFSET=0x02700000
I'm playing around with my breadboard and an FTDI USB<-->Serial board I have to try and make a working serial console and I'll see what my N5 dumps.
Gene Poole said:
I've never installed a kernel like that (via fastboot) and I had to look up the headphone UART adapter thing.
I don't have much to offer. I always use mkbootimg to link my kernel and ramdisk, then flash it via fastboot. Looking at your serial dump, the only thing I see is that the base, ramdisk, and tags offsets look completely different from the ones I use with mkbootimg.
BASE=0x00000000
PAGESIZE=2048
RAMDISK_OFFSET=0x02900000
TAGS_OFFSET=0x02700000
Thanks, I'll try that.
Gene Poole said:
I'm playing around with my breadboard and an FTDI USB<-->Serial board I have to try and make a working serial console and I'll see what my N5 dumps.
I guess you're trying to build the N4 cable, but it does not work.
For the N5 to work you need to supply 3V3 and not 1V8 to the VCC
The RX though (serial input to the N5) should be 1V8 (done with a simple voltage divider, try 1K and 1.2K to GND) or there is a chance that you'll fry your serial.
Yeah, my search showed that the N5 version needed no resistors, but I used some anyway just to shunt some voltage. It worked. I got a dump and it does appear that your offsets are not right. Here's my dump up to the kernel taking over:
Code:
welcome to hammerhead bootloader
[10] Power on reason 80
[10] DDR: hynix
[90] Loaded IMGDATA at 0x11000000
[90] Display Init: Start
[170] MDP GDSC already enabled
[170] bpp 24
[210] Config MIPI_CMD_PANEL.
[210] display panel: ORISE
[260] Found Appeneded Flattened Device tree
[260] DTB: platform id 126, board id 150, soc rev 20002, board rev 11
[300] Set panel ON cmds [35]
[420] Turn on MIPI_CMD_PANEL.
[470] Display Init: Done
[470] cable type from shared memory: 8
[470] reboot_mode restart reason = power_on
[520] vibe
[620] splash: boot
[660] splash: unlocked
[700] use_signed_kernel=0, is_unlocked=1, is_tampered=0.
[700] Loading boot image (9226240): start
[1030] Loading boot image (9226240): done
[1030] Found Appeneded Flattened Device tree
[1040] DTB: platform id 126, board id 150, soc rev 20002, board rev 11
[1040] get_display_kcal = 0, 0, 0, x
[1050]
Booting Linux
[1050] cmdline: console=ttyHSL0,115200,n8 androidboot.hardware=hammerhead user_debug=31 maxcpus=2 msm_watchdog_v2.enable=1 selinuxt
[1090] Updating device tree: done
[1090] booting linux @ 0x8000, ramdisk @ 0x2900000 (714802), tags/device tree @ 0x2700000
[1100] Turn off MIPI_CMD_PANEL.
[1100] Continuous splash enabled, keeping panel alive.
[ 0.000000] Booting Linux on physical CPU 0
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Linux version 3.4.0-hoxnet-gd745771 ([email protected]) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #7 SMP PREE5
[ 0.000000] CPU: ARMv7 Processor [512f06f0] revision 0 (ARMv7), cr=10c5387d
[ 0.000000] CPU: PIPT / VIPT nonaliasing data cache, PIPT instruction cache
...
I see a fastboot option, -b, for specifying the kernel base address. Try with -b 0x8000.
Edit: maybe it's -b 0. looks like the address gets 0x8000 added by default.
Didn't work.
I also tried to build a boot.img, I flashed it (just to be sure) and I get all the same results.
My tags/device tree is different and I don't know how to change it. There is no available option in fastboot or mkbootimg
ttouch said:
Didn't work.
I also tried to build a boot.img, I flashed it (just to be sure) and I get all the same results.
My tags/device tree is different and I don't know how to change it. There is no available option in fastboot or mkbootimg
mkbootimg has an undocumented --tags_offset option. I don't know why it doesn't show up in the --help. I found it in the source for mkbootimg (in the AOSP tree) when I first ran the unpackbootimg and noticed that it dumped text files containing info about the offsets.
I have a shell script I use to make boot images. Here it is:
Code:
#!/bin/sh
RAMDISK=ramdisk
KERNEL=zImage
BASE=0x00000000
PAGESIZE=2048
RAMDISK_OFFSET=0x02900000
TAGS_OFFSET=0x02700000
CMDLINE="console=ttyHSL0,115200,n8 androidboot.hardware=hammerhead user_debug=31 maxcpus=2 msm_watchdog_v2.enable=1 selinux=1"
echo Making ramdisk image ...
(cd ${RAMDISK} ; mkbootfs . | gzip -9c > ../${RAMDISK}.cpio.gz )
echo Making boot image ...
mkbootimg --kernel ${KERNEL} --ramdisk ${RAMDISK}.cpio.gz --cmdline "${CMDLINE}" -o boot.img --base ${BASE} --pagesize ${PAGESIZE} --ramdisk_offset ${RAMDISK_OFFSET} --tags_offset ${TAGS_OFFSET}
"ramdisk" is a directory containing the unpacked AOSP stock ramdisk (plus my modifications). These offset values were obtained from unpackbootimg executable but I can't remember where I found the source. I'll send you a copy if you want it.
My mkbootimg does not have the tags_offset.
When I try to build the boot image with tags_offset, mkbootimg shows me the help message, which means it got no tags_offset option.
EDIT: Nevermind, I cloned and compiled the latest mkbootimg from here. Trying to boot it now...
EDIT2: IT WORKS!!
Since the AOSP build has to create a boot image, it is included in the utilities. I always use the one native to the build tree. It is in:
[aosp_root]/out/host/linux-x86/bin/mkbootimg
and the source is in:
[aosp_root]/system/core/mkbootimg/
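Why the `fastboot boot` attempt and the working boot in the hammerhead thread above end up at different addresses, as an added example that is not part of the original posts: it parses the version-0 Android boot image header and compares its load addresses with the ones the bootloader logged for the kernel that boots. The function names are hypothetical, the headers are constructed in memory, and the default offsets (0x8000, 0x01000000, 0x100) are inferred from the failing UART log.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# Version-0 header: magic, ten 32-bit little-endian words, name, cmdline, id.
HDR = struct.Struct("<8s10I16s512s32s")

# Addresses the bootloader logged for the kernel that boots (working UART dump).
HAMMERHEAD_EXPECTED = {
    "kernel_addr": 0x8000,
    "ramdisk_addr": 0x2900000,
    "tags_addr": 0x2700000,
}


def build_header(kernel_size, ramdisk_size, base, kernel_off=0x8000,
                 ramdisk_off=0x01000000, tags_off=0x100,
                 page_size=2048, cmdline=b""):
    """Construct a header the way mkbootimg does: each address is base + offset.

    The default offsets are an assumption inferred from the failing log.
    """
    return HDR.pack(BOOT_MAGIC,
                    kernel_size, base + kernel_off,
                    ramdisk_size, base + ramdisk_off,
                    0, 0,                        # no second-stage image
                    base + tags_off, page_size,
                    0, 0,                        # unused words
                    b"", cmdline, b"")


def parse_header(data):
    """Decode the fixed-size header at the start of a boot image."""
    if len(data) < HDR.size:
        raise ValueError("shorter than a boot image header")
    f = HDR.unpack_from(data)
    if f[0] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic")
    return {
        "kernel_size": f[1], "kernel_addr": f[2],
        "ramdisk_size": f[3], "ramdisk_addr": f[4],
        "second_size": f[5], "second_addr": f[6],
        "tags_addr": f[7], "page_size": f[8],
        "cmdline": f[12].split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def address_mismatches(hdr, expected=HAMMERHEAD_EXPECTED):
    """Return (field, found, wanted) for every load address that differs."""
    return [(name, hdr[name], want)
            for name, want in expected.items() if hdr[name] != want]


if __name__ == "__main__":
    cases = {
        # base 0x10000000 reproduces 0x10008000 / 0x11000000 / 0x10000100
        "fastboot boot zImage-dtb": build_header(8583168, 0, base=0x10000000),
        # base 0 alone fixes the kernel address but not ramdisk or tags
        "fastboot -b 0": build_header(8583168, 0, base=0),
        # the offsets from the mkbootimg script in the thread
        "mkbootimg with offsets": build_header(
            8583168, 714802, base=0,
            ramdisk_off=0x02900000, tags_off=0x02700000),
    }
    for label, raw in cases.items():
        hdr = parse_header(raw)
        print(label)
        for name, got, want in address_mismatches(hdr) or [("all addresses match", 0, 0)]:
            print("  %-20s found 0x%08x expected 0x%08x" % (name, got, want))
```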
As title says, I was JUST about to backup all my app data, contacts and stored messages from my Z3 Compact, when it started bootlooping on its own.
I did some research since I have a basic background in electronics repair (not to mention almost unlimited amounts of stubbornness and patience) and learned of serial debug test pads under the battery (the battery was a real pain in the rear to remove without ruining anything), which gave me the following boot log (with IMEI numbers censored by me):
Code:
Format: Log Type - Time(microsec) - Message
Log type: B - since boot(excluding boot rom). D - delta
B - 253882 - SBL1, Start
B - 259158 - scatterload_region && ram_init, Start
D - 0 - scatterload_region && ram_init, Delta
B - 276147 - pm_device_init, Start
D - 27328 - pm_device_init, Delta
B - 303658 - boot_flash_init, Start
D - 217739 - boot_flash_init, Delta
B - 521733 - boot_config_data_table_init, Start
D - 0 - boot_config_data_table_init, Delta
B - 527863 - PBS setup, Start
D - 1159 - PBS setup, Delta
B - 533719 - sbl1_ddr_set_params, Start
B - 538355 - Pre_DDR_clock_init, Start
D - 244 - Pre_DDR_clock_init, Delta
D - 0 - sbl1_ddr_set_params, Delta
B - 551745 - pm_driver_init, Start
D - 237930 - pm_driver_init, Delta
B - 790041 - clock_init, Start
D - 183 - clock_init, Delta
B - 793152 - Image Load, Start
B - 907649 - Tz Execution, Start
D - 173392 - Tz Execution, Delta
B - 1090771 - Image Load, Start
B - 1147776 - Signal PBL to Jump to RPM FW
B - 1148050 - sbl1_wait_for_ddr_training, Start
D - 31750 - sbS1 BOOT
[120] USB init ept @ 0x7365000
[140] TA config read from GPT: 0x10 blocks of size 0x20000 @ 0x20000
S1 BOOT (1286-7314 S1_Boot_MSM8974AC_LA3.0_L_15.4)
[180] GPIO HW_ID[3:0]: [0000]
[180] soc_ver: 0x10001, pmic_ver: 3.1
[190] die_id: 0x1070712e, oem_product_id: 0x4, otp_lock: 0x155
PBA ID: 1285-0545 (4)
[200] CHG_STATUS_REG is 0x0 after pm8x41_chg_sts_get()
Startup flags: [ONKEY PRESSED]
Warmboot reason: [COLDBOOT]
Remote lock is UNSUPPORTED
Rooting status is: Not done
[340] OV: 0x80000 0x0 0x0
[ERROR @ S1/boot/src/s1boot_config_parser.c:595]:
MiscTA unit 2473 could not be read!
[ERROR @ S1/boot/src/s1boot_config_parser.c:845]:
None or incorrect vbus_pulse configuration!
[ERROR @ S1/boot/src/s1boot_config_parser.c:904]:
No variant configuration to store!
[360] USB ID: 1790
[360] OTG State is invalid
Service mode detected: [NONE]
[ERROR @ S1/boot/src/s1boot_lib_api.c:1448]:
TA read failed!
[450] S1 decisions complete, image to boot is 0.
[450] IMEI[0]: ##############
[450] Info: failed to retrieve secondary IMEI (optional) in facility 0x1 with code 0x2 (error ignored)
[1150] Using DTB entry 194/00010000/8/0 for device 194/00010001/8/0
[1160] CHG_STATUS_REG is 0x0 after pm8x41_chg_sts_get()
[1160] icon_flg is 0x0 battery_flg is 0x0 chg_presence_flg is 0x0
[1170] backlight_enable=1
[1190] Detected display: jdi novatek 720p cmd
[1310] No lp855x --> PMIC backlight
[1570] Battery is Good! go to HLOS
[1580] CHG_STATUS_REG is 0x0 after pm8x41_chg_sts_set()
[1580] cmdline: "androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3b7"\
[1590] " ehci-hcd.park=3 androidboot.bootdevice=msm_sdcc.1 vmalloc=3"\
[1600] "00M dwc3.maximum_speed=high dwc3_msm.prop_chg_detect=Y andro"\
[1600] "idboot.emmc=true androidboot.bootloader=s1 oemandroidboot.s1"\
[1610] "boot=1286-7314_S1_Boot_MSM8974AC_LA3.0_L_15.4 androidboot.se"\
[1620] "rialno=YT9112XZ6P ta_info=1,16,256 startup=0x00000001 warmbo"\
[1620] "ot=0x00000000 oemandroidboot.imei=##############00 oemandroi"\
[1630] "dboot.phoneid=0000:##############00 oemandroidboot.security="\
[1640] "1 oemandroidboot.babe08b3=50000000 lcdid_adc=0x5D4F8 display"\
[1640] "_status=on androidboot.baseband=msm".
[1650] Updating device tree: start
[1680] Updating device tree: done
Leaving S1 BOOT
[1730] If you can read this line, S1 BOOT is done. Start the stone rolling!
[1740] booting linux @ 0x8000, ramdisk @ 0x2000000 (3754834), tags/device tree @ 0x1e00000
[1740] Continuous splash enabled, keeping panel alive.
Format: Log Type - Time(microsec) - Message
Log type: B - since boot(excluding boot rom). D - delta
B - 89883 - SBL1, Start
B - 95160 - scatterload_region && ram_init, Start
D - 0 - scatterload_region && ram_init, Delta
B - 112148 - pm_device_init, Start
D - 27328 - pm_device_init, Delta
B - 139629 - boot_flash_init, Start
D - 65117 - boot_flash_init, Delta
B - 205082 - boot_config_data_table_init, Start
D - 30 - boot_config_data_table_init, Delta
B - 211243 - PBS setup, Start
D - 1159 - PBS setup, Delta
B - 217068 - sbl1_ddr_set_params, Start
B - 221460 - Pre_DDR_clock_init, Start
D - 244 - Pre_DDR_clock_init, Delta
D - 0 - sbl1_ddr_set_params, Delta
B - 235033 - pm_driver_init, Start
D - 237930 - pm_driver_init, Delta
B - 473451 - clock_init, Start
D - 183 - clock_init, Delta
B - 579805 - Image Load, Start
B - 689178 - Tz Execution, Start
D - 32574 - Tz Execution, Delta
B - 731512 - Image Load, Start
B - 787754 - Signal PBL to Jump to RPM FW
B - 788150 - sbl1_wait_for_ddr_training, Start
D - S1 BOOT
[120] USB init ept @ 0x7365000
[140] TA config read from GPT: 0x10 blocks of size 0x20000 @ 0x20000
S1 BOOT (1286-7314 S1_Boot_MSM8974AC_LA3.0_L_15.4)
[180] GPIO HW_ID[3:0]: [0000]
[180] soc_ver: 0x10001, pmic_ver: 3.1
[190] die_id: 0x1070712e, oem_product_id: 0x4, otp_lock: 0x155
PBA ID: 1285-0545 (4)
[200] CHG_STATUS_REG is 0x0 after pm8x41_chg_sts_get()
Startup flags: [ONKEY PRESSED]
Warmboot reason: [CRASH]
Remote lock is UNSUPPORTED
Rooting status is: Not done
[330] OV: 0x80000 0x0 0x0
[ERROR @ S1/boot/src/s1boot_config_parser.c:595]:
MiscTA unit 2473 could not be read!
[ERROR @ S1/boot/src/s1boot_config_parser.c:845]:
None or incorrect vbus_pulse configuration!
[ERROR @ S1/boot/src/s1boot_config_parser.c:904]:
No variant configuration to store!
[360] USB ID: 1790
[360] OTG State is invalid
Service mode detected: [NONE]
[ERROR @ S1/boot/src/s1boot_lib_api.c:1448]:
TA read failed!
[370] S1 decisions complete, image to boot is 1.
[380] IMEI[0]: ##############
[380] Info: failed to retrieve secondary IMEI (optional) in facility 0x1 with code 0x2 (error ignored)
[ERROR @ S1/util/src/s1_elf_loader.c:422]:
File image is not an known ELF-file.
[ERROR IN FAC 0xB CODE 0x3 @ S1/util/src/s1_elf_loader.c:1501]:
ELF-Loader initialization failed. De-initializing.
[ERROR @ S1/util/src/s1_elf_loader.c:1577]:
Invalid parameter.
[ERROR IN FAC 0xB CODE 0x3 @ S1/boot/src/s1boot_elf_loader.c:707]:
ELF loading failed!
[420] Crash detected, but ramdumper not found.
[420] clean ramdump info
[430] rebooting.
Leaving S1 BOOT
As for the OS, I wasn't running a recent version since I was rooted (despite what the log says) and Sony being both the only manufacturer of appropriately sized smartphones and a huge trouble to anyone who likes to have a rooted and fully functional phone at the same time (often nerfing the camera when rooting via their official means).
So is there any way to recover the rest of the data on the internal eMMC chip? I frankly don't care much about rescuing the phone itself, only the data, so if it comes to having to desolder the eMMC and dumping the data via the backwards compatibility interface many eMMC chips have that's identical to the SD-card protocol and a holding jig (with eventual 1.8v to 3.3v level converter) then so be it, the data is number #1 priority while making the phone itself useful again is only a nice bonus, so if data recovery isn't possible at all then I'm not gonna bother spending more energy on it.
Any useful help appreciated
UPDATE: crisis toned down from DEFCON 1 to DEFCON 3, as it turns out I DID have a 3rd-party bootloader on the phone after all (Philz Touch fork of CWM) that I had completely forgotten both that I installed it and how to enter it.
Both embarrassing and a pleasant surprise.
So now I'm looking for a way to restore the late part of the original boot system and core OS files so it can boot, which'll enable me to make a nice dump of critical files with convenient app(s), instead of having to manually pilfer through a backup for data and figuring out how to transfer them over to my new phone the nicest way.
UPDATE #2
Dug through my computer backup and found the files from when I originally rooted it, including the latest .ftf file I flashed to the phone.
Could I be cheeky and get away with only flashing the kernel and the boot_delivery to make it boot normally again so I can do a "traditional" phone data transfer? Or is that a waste of time?