Related
Hi there, (not to sure if this is the right place, please redirect me
if it is wrong)
Basically I am writing an application which receives data from a blue tooth enabled device which has no user interface. I've been developing with the Nexus One with Android 2.2 however I decided to test it on a Samsung Galaxy S (Model GT-I9000) to ensure that it worked properly on other handsets. The Samsung is running 2.1-update1 albeit it's been customised by Samsung.
First thing I noticed was that the blue tooth enabled device did not show on the search results when attempting to pair the device which was odd considering that it appears on the Nexus One without any problem.
To get around this I wrote a few lines of code to scan the available devices and attempt a connection to the device matching the advertised name, which in turn would start the pairing process and the phone would remember the device.
So I have a very simple BroadcastReciever class which has the Intent filters for device found and discovery finished events. What I found whilst debugging in Eclipse was the following in LogCat:
E DTUN_HCID Device [00:07:CF:59:04:38] class is 0x00 - skip it
The 'skip it' part worries me because no intents are fired for the BroadcastReciever to process and I have only found this with the Samsung handset, I've yet to try others (as I have no others to hand) Has anyone else ever encountered this problem or could perhaps suggest a work-around or at least a pointer to where I could at least override this behaviour?
Thanks for any help.
I've exactly the same problem with the HTC Desire (2.1 or FroYo). Looks like they crippled the bluetooth scan, so it doesn't list devices like these.
I can connect to the device (at least under 2.2) by giving it the bluetooth address directly and it works fine. It even is listed as paired after that...
Any idea how to fix this (i don't know yet, where this message ("...class is [0]...") originates from)?
For what it's worth I had a quick look at the Samsung open source and this message comes from vendor/brcm/adaptation/dtun/dtunc_bz4/dtun_hcid.c in function dtun_dm_sig_device_found, so it's probably Broadcom's fault, but I can't see a workaround, it looks like it will never interactively pair with something with class of device=0.
hello,
I'm having the exact same problem on the galaxy s.
Have you found a sollution for this?
It is rather critical for my application :-(
Greetings,
Kristof taveirne
Hi Guys, thanks for the replies, didn't get an e-mail to let me know that there was a response.
@TheBeano: Thanks for having a look at that. You can pair the device if it initiates a connection to the phone, however the device I'm using makes this very difficult. Thanks for your efforts.
@fheldt: I have no idea on a workaround bar attempting to trace logs, find the address and attempting to connect to the device, however that isn't exactly an elegant solution.
@Liquinno As far as theBeano has stated there doesn't look like a workaround, it's rather critical to my application. Sorry I can't help further
Thanks for your efforts, if you come up with an idea or workaround, would mind letting us know ?
Maybe we'll have some luck with the Froyo firmware update that's coming up later this month.
For now I'm using other BT devices that are not class 0x00 to continue development. But I'll definitely get back on this.
Kristof
fheldt said:
I've exactly the same problem with the HTC Desire (2.1 or FroYo). Looks like they crippled the bluetooth scan, so it doesn't list devices like these.
I can connect to the device (at least under 2.2) by giving it the bluetooth address directly and it works fine. It even is listed as paired after that...
Any idea how to fix this (i don't know yet, where this message ("...class is [0]...") originates from)?
Click to expand...
Click to collapse
"I can connect to the device (at least under 2.2) by giving it the bluetooth address directly and it works fine. It even is listed as paired after that..."
are you sure???
can you describe how you did that please (step by step) ?
running JP5 and froyo still skipping class 0x00 any clues ??
just patched libbluetoothd.so to allow class 0x00 on pairing, please back up your /system/lib/bluetoothd.so and copy this one in /system/lib, once your pairing is done replace your old libbluetoothd.so
this library comes from a JPA so it maybe ok for froyo, not for enclair.
Hi everyone,
I encounter the same issue with a Samsung Galaxy 3 GT-I5800 and a HTC Wildfire on Android 2.1. I am writing an application to exchange data with a simple Bluetooth device using Serial Port Profile. I tried scanning devices with both of these but the class of the device is not recognized. I'm a bit desperate right now.
Is there any issue to make it discoverable? Or there is no way and it's definitely over. Thanks in advance for your help.
Lorenth
yes, by patching libbluetoothd.so
Did you not say that it's working on Froyo but not on Eclair?
yes, that patch is for froyo only.
Well I'm using Eclair Is there a chance to have the same thing on Eclair? Or did you aware about another solution to fix it? Thank you for help anyway.
you need root and give me /system/lib/libbluetoothd.so and i will fix it.
husq510 said:
just patched libbluetoothd.so to allow class 0x00 on pairing, please back up your /system/lib/bluetoothd.so and copy this one in /system/lib, once your pairing is done replace your old libbluetoothd.so
this library comes from a JPA so it maybe ok for froyo, not for enclair.
Click to expand...
Click to collapse
so can we use this to pair our device with a wiimote? what do you mean by saying "once your pairing is done replace your old libbluetoothd.so" do we still need the old libbluetoothd.so even after using your patched version? another question, will this version work with JPO? if not, here is a JPO version to get patched by you! thanks in advance, would love to pair a wiimote with my sgs
bump bump bump bump
BlueEyes99 said:
so can we use this to pair our device with a wiimote?
Click to expand...
Click to collapse
No the Wiimote issue is a different one, the native Bluetooth libraries don't behave in the way the Wiimote IME developer is expecting on the SGS and HTC.
Verizon reply from their Admin
See this link:
add the http etc...
community.vzw.com/t5/Other-Android-Devices/Bluetooth-broken-on-Verizon-Galaxy-Tab/m-p/343162
From the admin: Moates
Re: Bluetooth broken on Verizon Galaxy Tab?
Options
12-06-2010 04:40 PM
We are aware of this issue and we are diligently working on resolving it. As soon as we get some additional information we will be sure to pass it along.
wow, this works!!
husq510 said:
just patched libbluetoothd.so to allow class 0x00 on pairing, please back up your /system/lib/bluetoothd.so and copy this one in /system/lib, once your pairing is done replace your old libbluetoothd.so
this library comes from a JPA so it maybe ok for froyo, not for enclair.
Click to expand...
Click to collapse
ok this is just super fine.
here is what i did (i am running DocRom XXJPU 2.0 now) while phone was running normally and fully switched on:
on SGS do:
turn BT off
reboot phone
after fresh reboot when phone is running normally and fully switched on
mount /system as r/w (use SGS tools)
on PC do:
> adb push <this libbluetoothd.so file> /system/lib/libbluetoothd_patched.so
> adb root
> adb shell
> cp -p /system/lib/libbluetoothd.so /system/lib/libbluetoothd_orig.so
> cp -p /system/lib/libbluetoothd_patched.so /system/lib/libbluetoothd.so
now on your SGS turn on BT and search, it will find your class 0x00 device
pair it and enter code
now back to the still open adb shell:
> cp -p /system/lib/libbluetoothd_orig.so /system/lib/libbluetoothd.so
> exit
on SGS do:
mount /system as r/o (use SGS tools)
and it all worked just super fine.
if somebody else would need this, we can make a script and automate this process
Code:
Sooner or later it will be hard to get a rootable Chromecast. The community is limited by the number of people able to root their own devices. A remote exploit is desirable to expand the community. Please brainstorm and post progress in exploring the targets.
Targets:
Web interface
Chromecast executes commands to start netflix etc with user specified arguments. Arguments are sent through dial interface. From app.conf:
Code:
{ "app_name": "Netflix",
"external": true,
"command_line": "/bin/logwrapper /netflix/bin/netflix_init --data-dir /data/netflix/data -I /data/netflix/AACS -D QWS_DISPLAY=directfb -D LD_LIBRARY_PATH=/system/lib:/netflix/qt/lib -D NF_PLAYREADY_DIR=/data/netflix/playready -D KEYSTORE=/data/netflix/AACS -D KEYBOARD_PORT=7000 -D ENABLE_SECURITY_PATH=1 -D DISABLE_SECURITY_PATH_VIDEO=0 -D DISABLE_SECURITY_PATH_AUDIO=1 --dpi-friendlyname ${FRIENDLY_NAME} -Q source_type=12&dial=${URL_ENCODED_POST_DATA}",
"allow_empty_post_data": true,
"dial_info": "<port>9080</port><capabilities>websocket</capabilities>"
},
FFMPEG vulnerabilities
Intercepting updates (I know, the signatures would likely prevent this.)
Cable based attacks similar to current root methods
Soldering based attacks
Post your ideas and progress.
My chromecast is not rooted, so I can't get logs from netflix being run with different URL_ENCODED_POST_DATA, but we might be able to fork the command.
TVRemoteExploit said:
Code:
Sooner or later it will be hard to get a rootable Chromecast. The community is limited by the number of people able to root their own devices. A remote exploit is desirable to expand the community. Please brainstorm and post progress in exploring the targets.
Targets:
Web interface
Chromecast executes commands to start netflix etc with user specified arguments. Arguments are sent through dial interface. From app.conf:
Code:
{ "app_name": "Netflix",
"external": true,
"command_line": "/bin/logwrapper /netflix/bin/netflix_init --data-dir /data/netflix/data -I /data/netflix/AACS -D QWS_DISPLAY=directfb -D LD_LIBRARY_PATH=/system/lib:/netflix/qt/lib -D NF_PLAYREADY_DIR=/data/netflix/playready -D KEYSTORE=/data/netflix/AACS -D KEYBOARD_PORT=7000 -D ENABLE_SECURITY_PATH=1 -D DISABLE_SECURITY_PATH_VIDEO=0 -D DISABLE_SECURITY_PATH_AUDIO=1 --dpi-friendlyname ${FRIENDLY_NAME} -Q source_type=12&dial=${URL_ENCODED_POST_DATA}",
"allow_empty_post_data": true,
"dial_info": "<port>9080</port><capabilities>websocket</capabilities>"
},
FFMPEG vulnerabilities
Intercepting updates (I know, the signatures would likely prevent this.)
Cable based attacks similar to current root methods
Soldering based attacks
Post your ideas and progress.
My chromecast is not rooted, so I can't get logs from netflix being run with different URL_ENCODED_POST_DATA, but we might be able to fork the command.
Click to expand...
Click to collapse
what if somehow we were able to attack it like jailbreakme used to. Looking at the developer options in chrome you could write a program for your phone that has the cast button when you click it, it'll tell chrome cast to go to the apps domain where it automatically roots for you. I'm no developer, so i don't even know if that kind of hack would even be possible. I did download the cast app for windows and it has a button for factory reset. Would it be possible to hack that chromecast program and change the factory reset to use a hacked pulled firmware?
scarygood536 said:
what if somehow we were able to attack it like jailbreakme used to. Looking at the developer options in chrome you could write a program for your phone that has the cast button when you click it, it'll tell chrome cast to go to the apps domain where it automatically roots for you.
Click to expand...
Click to collapse
This would be extremely difficult to pull off, as you would need to both escape Chrome's sandbox and find a privilege escalation vulnerability in the Linux kernel or a setuid binary. Both Chrome and Linux are extremely mature and secure pieces of software, so vulnerabilities are few and far between and get patched quickly when they are found.
I tried tacking commands onto the tail of the netflix commands like this:
Code:
curl ****192.168.1.126:8008/apps/Netflix -X POST -d "intent=play&titleid=***%3A%2F%2Fapi.netflix.com%2Fcatalog%2Ftitles%2Fmovies%2F70138593;reboot"
, however I can't see the log file without root.
tchebb said:
This would be extremely difficult to pull off, as you would need to both escape Chrome's sandbox and find a privilege escalation vulnerability in the Linux kernel or a setuid binary. Both Chrome and Linux are extremely mature and secure pieces of software, so vulnerabilities are few and far between and get patched quickly when they are found.
Click to expand...
Click to collapse
so is our best bet to find a vulnerability within the hardware level we could utilize and wouldn't have the chance of being patched?
In all honesty, the best method of attack would be to figure out the JTAG port. with that, you could then simply just flash back on the rootable bootloader on any device, and go from there. I doubt any software methods will be found, and even if one is found, it will be patched by google within a month. The JTAG port however is at a hardware level, and unless it actually does signature checks (like the USB method does on updated devices), it would allow a person full control of the flash chip.
EDIT: To clarify, if the UART port is hardware based (like normal JTAG ports on wireless routers and such), then there should be no security checks. If, for whatever reason, it is software based though (so like fastboot, or Samsungs ODIN mode), then there is a chance it checks image files.
ddggttff3 said:
In all honesty, the best method of attack would be to figure out the JTAG port. with that, you could then simply just flash back on the rootable bootloader on any device, and go from there. I doubt any software methods will be found, and even if one is found, it will be patched by google within a month. The JTAG port however is at a hardware level, and unless it actually does signature checks (like the USB method does on updated devices), it would allow a person full control of the flash chip.
EDIT: To clarify, if the UART port is hardware based (like normal JTAG ports on wireless routers and such), then there should be no security checks. If, for whatever reason, it is software based though (so like fastboot, or Samsungs ODIN mode), then there is a chance it checks image files.
Click to expand...
Click to collapse
Unfortunately (although I don't believe anyone has confirmed this on the Chromecast), all known GTV devices with this SoC ship with their JTAG port disabled. It may be possible to re-enable it in software, but (of course) that requires running your own kernel. The only hardware hack I know of that is sure to work is manually soldering a NAND flasher up to the memory chip and rewriting the partitions that way, which is expensive, error-prone, and extremely tricky to do right.
tchebb said:
Unfortunately (although I don't believe anyone has confirmed this on the Chromecast), all known GTV devices with this SoC ship with their JTAG port disabled. It may be possible to re-enable it in software, but (of course) that requires running your own kernel. The only hardware hack I know of that is sure to work is manually soldering a NAND flasher up to the memory chip and rewriting the partitions that way, which is expensive, error-prone, and extremely tricky to do right.
Click to expand...
Click to collapse
The more you know.
Well, while looking through the chromecast's "fts" partition in a hex editor, I found the following variable show up in multiple places.
Code:
device_configured=true
makes me wonder what happens if this is flipped to false. I will look through the bootloader source more to see if it is used at a software level.
EDIT: Doesn't look like it does anything for us, seems to just enable the crash counter.
tchebb said:
Unfortunately (although I don't believe anyone has confirmed this on the Chromecast), all known GTV devices with this SoC ship with their JTAG port disabled. It may be possible to re-enable it in software, but (of course) that requires running your own kernel. The only hardware hack I know of that is sure to work is manually soldering a NAND flasher up to the memory chip and rewriting the partitions that way, which is expensive, error-prone, and extremely tricky to do right.
Click to expand...
Click to collapse
ddggttff3 said:
The more you know.
Well, while looking through the chromecast's "fts" partition in a hex editor, I found the following variable show up in multiple places.
Code:
device_configured=true
makes me wonder what happens if this is flipped to false. I will look through the bootloader source more to see if it is used at a software level.
EDIT: Doesn't look like it does anything for us, seems to just enable the crash counter.
Click to expand...
Click to collapse
ddggttff3 said:
In all honesty, the best method of attack would be to figure out the JTAG port. with that, you could then simply just flash back on the rootable bootloader on any device, and go from there. I doubt any software methods will be found, and even if one is found, it will be patched by google within a month. The JTAG port however is at a hardware level, and unless it actually does signature checks (like the USB method does on updated devices), it would allow a person full control of the flash chip.
EDIT: To clarify, if the UART port is hardware based (like normal JTAG ports on wireless routers and such), then there should be no security checks. If, for whatever reason, it is software based though (so like fastboot, or Samsungs ODIN mode), then there is a chance it checks image files.
Click to expand...
Click to collapse
Maybe I'm missing something, possibly am, but couldn't we dual boot firmwares? Have the normal factory firmware on the eMMC chip, then, install a rooted image to a USB stick. Next solder a different wire to each side of pin 26, finally solder a switch in between. This should force the device to load off the USB rather than eMMC. On paper it works. On the physical device? That could be a bit different. If you do try this, I'll do my best to help you and point you in the right direction.
The switch is to choose between the two firmwares, if however, you only want to boot from the USB, you could, possibly, just have a permanent jump of pin 26. That should force booting from the EMMC to fail every time forcing it to boot from USB.
NOTICE: none of these suggested ideas have been used and or tested. They work on paper only! The real device may, and possibly is, different! Attempt at your own risk.
OP, XDA, nor I am responsible for anything that happens to your device. If anything does happen it's completely on you! This is a dangerous hardware mod, I don't recommend if you don't know how to solder. Also, the points for pin 26 are very very small, smaller than some solder iron's tips. All of mine are way too big, and I have bought small tips to use on other mobile devices. If you mess this up there is none to very little chance of going back.
SECOND NOTICE: constantly jumping the 26th pin of the CPU could cause permanent hardware problems. If such problem does happen, it is not known at this time. Once again, this is a dangerous hardware mod that should not be attempted by those who aren't good with soldering.
The good news: if you do attempt this and it works, we could have a hardware way to be rooted. More good news is that if you mess up and can't fix it, then it's only $35 to get a new one.
Aaron Swartz, Rest in Pixels.
jamcar said:
The switch is to choose between the two firmwares, if however, you only want to boot from the USB, you could, possibly, just have a permanent jump of pin 26. That should force booting from the EMMC to fail every time forcing it to boot from USB.
Click to expand...
Click to collapse
Just to let you know, a permanent jump to pin 26 will cause the device to not boot, at all. It causes a read interrupt to the EMMC, so if jumped permanently the device will not see the flash, so it wouldn't even load the bootloader. Jumping the pin should ONLY be used if the standard button hold boot process does not work.
jamcar said:
Maybe I'm missing something, possibly am, but couldn't we dual boot firmwares? Have the normal factory firmware on the eMMC chip, then, install a rooted image to a USB stick. Next solder a different wire to each side of pin 26, finally solder a switch in between. This should force the device to load off the USB rather than eMMC. On paper it works. On the physical device? That could be a bit different. If you do try this, I'll do my best to help you and point you in the right direction.
The switch is to choose between the two firmwares, if however, you only want to boot from the USB, you could, possibly, just have a permanent jump of pin 26. That should force booting from the EMMC to fail every time forcing it to boot from USB.
NOTICE: none of these suggested ideas have been used and or tested. They work on paper only! The real device may, and possibly is, different! Attempt at your own risk.
OP, XDA, nor I am responsible for anything that happens to your device. If anything does happen it's completely on you! This is a dangerous hardware mod, I don't recommend if you don't know how to solder. Also, the points for pin 26 are very very small, smaller than some solder iron's tips. All of mine are way too big, and I have bought small tips to use on other mobile devices. If you mess this up there is none to very little chance of going back.
SECOND NOTICE: constantly jumping the 26th pin of the CPU could cause permanent hardware problems. If such problem does happen, it is not known at this time. Once again, this is a dangerous hardware mod that should not be attempted by those who aren't good with soldering.
The good news: if you do attempt this and it works, we could have a hardware way to be rooted. More good news is that if you mess up and can't fix it, then it's only $35 to get a new one.
Aaron Swartz, Rest in Pixels.
Click to expand...
Click to collapse
This wouldn't work with any post-12072 bootloader, since the USB image's signature is still checked. The signature verification would simply fail and the device would fail to boot, same as if.you tried to boot from USB with a button press.
Kindle Fire HD 16gb
I bought a KFHD on ebay, and the wifi option is greyed out in the menu (in the original AmazonOS).
I installed CM10.1 and have android 4.2.2 running....same thing, stuck in "turning on Wi-Fi" mode...
I checked the antenna cable, and scanned the board for any anomalies or damage - it looks very clean.
Battery is full.
Can the chip just go dead on these things, is there any electrical tests that i can try to confirm it?
thanks
Does the Bluetooth not want to turn on as well?
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
Bluetooth is working, and everything else about the device seems to function as normal. I'm stumped.
That is weird, I think Bluetooth is on the same chip as WiFi on the kfhd's, try plugging the kindle into your PC with adb enabled and running "adb logcat" and watch the output for any errors when enabling the WiFi, if that still doesn't show anything useful try "adb shell dmesg", it might tell you if the kernel is having errors with the device. I thought this could be related to your boot0 block at first but if Bluetooth works then a I doubt thats the problem. You did wipe system, cache, and dalvik cache and do a factory reset when you flashed cm right?
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
I had the same issue when on 7.4.3. Restore to Amazon's android version and make sure you are on 7.4.6, it worked for me. Is there a way to keep TWRP, however. That is the question.
Thanks guys, I'm still stuck.
@stunts503
I've done system wipe, cache and dalvik cache wipe and a factory reset - several times.
I'm not great with the sdk or adb, but i manually installed Catlog and when i try to turn on the Wifi, these are some of the errors I get:
"Unable to change interface settings: java.lang.IllegalStateException: command '61 interface setcfg wlan0 0.0.0.0 0 down' failed '400 61 Failed to set address (No such device)'"
"n180211: Could not configure driver interface"
"could not read interface wlan0 flags: no such device"
"wlan0: Failed to initialize driver interface"
these messages coming from "wpa_supplicant"
@x10knight
I reverted back to amazonOS, and installed 7.4.6 ... problem is still there. no change.
It's like the wifi chip isn't there, but if you're right if infact the bluetooth lives on the same chip, it must be working somehow... unless the bluetooth is a different chip, can't seem to answer that....
the bluetooth works, but also gives an error
"SOCK FLAG = 0"
"SOCK FLAG = 1"
"SOCK FLAG = 3"
not sure where to go from here, maybe i could peel back the RF shielding and take a look? solder splash?
thanks guys
Wow that is weird, I wonder if someone knows exactly why the WiFi isn't showing up, seems like that might be the problem, like the module didn't load up because the device wasn't detected. Interesting... Hopefully someone might know why its doing this. If you know what your doing you could peruse the /dev directory and see if u can even find the WiFi device, think that's the directory on android.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
swjedi101 said:
Kindle Fire HD 16gb
I bought a KFHD on ebay, and the wifi option is greyed out in the menu (in the original AmazonOS).
I installed CM10.1 and have android 4.2.2 running....same thing, stuck in "turning on Wi-Fi" mode...
I checked the antenna cable, and scanned the board for any anomalies or damage - it looks very clean.
Battery is full.
Can the chip just go dead on these things, is there any electrical tests that i can try to confirm it?
thanks
Click to expand...
Click to collapse
Have you tried switching the security setting on your router? Also, have your power cycled your router yet? Often times this has been due to the router not playing nice with your KFHD.
Sent from my Amazon Kindle Fire HD running CM 10.2 using xda app-developers app
Don't know how to get to /dev right now, will have to look that up.
I don't think this is related to my router in anyway, the kindle just doesn't see the wifi chip at all.
thanks again
OK basically its not loading up the interface, when it can't find wlan0, that means the WiFi interface is missing so a driver hasn't been loaded for it, usually because its not being detected. /dev is a folder on the root of the storage device, you can peruse it with a program like es file explorer, the files you see in that folder aren't actually files, but devices, and you can even query them as if they were files with Linux commands, its a very interesting perspective on seeing your devices compared to windows. Anyways I don't know where to look in the dev directory for the WiFi device offhand, but if its in there then that's a good sign.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
Kindle Fire HD 16gb
I bought a KFHD on ebay, and the wifi option is greyed out in the menu (in the original AmazonOS).
I installed CM10.1 and have android 4.2.2 running....same thing, stuck in "turning on Wi-Fi" mode...
I checked the antenna cable, and scanned the board for any anomalies or damage - it looks very clean.
Battery is full.
Can the chip just go dead on these things, is there any electrical tests that i can try to confirm it?
thanks
Click to expand...
Click to collapse
http://forum.xda-developers.com/showthread.php?t=2236511
If you cannot get it working, You might do full restore. I don't know if flashing the original Amazon OS to the second bootloader will suffice. Might need to go full stock and after wifi is working, reroot and so on.
Sent from my Amazon Kindle Fire HD running CM 10.2 using xda app-developers app
I have already done a full restore a few times - with no change . thanks for reply.
Go into either an adb shell on your PC, or into a mobile terminal app on your kindle(you will have to side load it), once you have a form of shell up type "netcfg" if it reports wlan0 in the list of interfaces report back with that if not try browsing your file system and see if this folder exists, I believe its the WiFi device folder, but its kinda hard to know for sure because I'm more used to conventional Linux than android so the device paths are a bit different. Anyways check for this path: /sys/class/net/wlan0
If that exists then that either means the physical device is there, or I misunderstood and those are the device files showing up from the driver loading up on mine. Gunna peruse the /sys folder a bit more and see if I find anything noteworthy, I'll report back if I find anything else.
Edit: After some more perusing I think if you type lsmod into the shell, if you see a module in the list called "bcmdhd", then that I think is the Linux driver module for the device, if that's not loaded up we know another part of the problem.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
types in netcfg, i do not get any wlan0 mention, only a list of (lo, ifb0, ifb1, tun10,sit0,ip6tn10) all of them then say DOWN, except for lo, which says UP and has an address.
the command "ismod" doesn't seem to work..... after googling i tried 'insmod' incase thats what you mean, which only reports
"usage: insmod <module.o>"
thanks again, this has been informative.
also, i navigated to /sys/class/net/ and wlan0 does not exist...
I'm thinking this is a hardware issue, i may peel back the RF shielding and take a look at it...
That wasn't an I it was a lowercase L. But yea it seems like a hardware problem I'm thinking, don't known how that happens... Still try running lsmod again and see if you see what i mentioned. If you can't fix the hardware, maybe when/if hashcode ever gets otg working you could use a WiFi dongle. xD
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
sorry, i'm a dingus. always wanted to learn linux, maybe a good time to start.
put in lsmod, and got:
bcmhd 319072 0 - Live 0x00000000
atmel_mxt_ts 18503 0 - Live 0x00000000
pvrsrvkm_sgx540_120 308606 60 - Live 0x00000000
Well that's weird to say the least, I think the WiFi driver is loaded, unless that is the Bluetooth driver. I wish there was a lscpi command for android, but even if there was, it would be pointless because I am pretty sure mobile devices don't have a PCI bus. I mean obviously there is no PCI slot, but some times integrated things are on a PCI bus.
Sent from my Amazon Kindle Fire HD running CM10.1 Tablet UI using xda-developers app
i see what you're saying. I'm going to swap out with another board i've got (bad ESN).
thanks for your help, i'm stumped.
swjedi101 said:
i see what you're saying. I'm going to swap out with another board i've got (bad ESN).
thanks for your help, i'm stumped.
Click to expand...
Click to collapse
I have same issue on a FK2. Reading through threads led me to think it could be software related. I'll pull dmesg to see where driver is loaded in bootup. I do show a MAC in the idme, but not on the kindle screen.
UPDATE: Walked through trying to setup wifi manualy, no device found. Did find another thread mentioning same issues after Kitkat update. User wiped System and wifi worked afterwards. I'll give it a try tonight to find out if its a software issue.
I have an olg Galaxy S with a complete broken screen. The phone is fully functional but theres no image on the screen. I tried to plug it on the tv to use it has a sort of tv box since I'm not willing to buy a screen because is more of it is worth.
Anyone knows a way I can activate the tv-out since only connecting the cables isn't sufficient?
Imaginati0n said:
I have an olg Galaxy S with a complete broken screen. The phone is fully functional but theres no image on the screen. I tried to plug it on the tv to use it has a sort of tv box since I'm not willing to buy a screen because is more of it is worth.
Anyone knows a way I can activate the tv-out since only connecting the cables isn't sufficient?
Click to expand...
Click to collapse
Well, that's an interesting problem.... Three ways I can think of getting around it.
1)
If you've got a linux box and can compile a ROM, the commit you'll need to revert (assuming you're building for CM) is at https://github.com/CyanogenMod/andr...mmit/ae5393e4349fe392d4d39f9b600461ea57f510ad I'm assuming you have working adb? If you were to build a zip with that commit reverted, you would still need to install the zip anyway. You could probably accomplish that using ADB sideload, but that has only been around since JB. If you're on an older ROM then you'll have to get someone to post screenshots of each recovery screen that you would need to go through and do a "blind flash" by clicking the buttons to do the selections needed....
2)
Try to manually select TV-Out to be working. You could have a look at http://android.stackexchange.com/qu...ted-under-settings-from-terminal-or-adb-shell for an idea of where to start. Not sure how to select a checkbox though...
3)
Try manually starting the tvoutserver and tvouthack. All you would need to do would be from an adb shell run "tvouthack" and "tvoutserver". Heck, you could probably even put a script in /etc/init.d and have it run automatically on boot.
One problem you might run into is that it defaults the TV type to PAL. If you need NTSC, you might be in trouble. If you got through the "compile ROM" option, then change the line
Code:
mSystem = Integer.parseInt(mPref.getString(DeviceSettings.KEY_TVOUT_SYSTEM, "2")); // Default = PAL
to
Code:
mSystem = Integer.parseInt(mPref.getString(DeviceSettings.KEY_TVOUT_SYSTEM, "1")); // Default = NTSC
Also, if you've never used the TV-Out function before, the video is sometimes on the red plug as opposed to the yellow (go figure).
Good luck!
Trying to brainstorm ideas for unbrick (firstly) of the new Fire 7 2020 Gen 9 models that feature 6.3.1.5 and were released post Feb 2020. Already have a method to downgrade this and many other devices (HD8 Onyx and HD 10 post patch Feb 2020) possibly a lot more other devices
Downgrade is a bit of a Sledge Hammer, in that it impacts numerous parts of IT (not just Android) as a new general hacking technique, and currently there seems no way of using my technique on these devices without resulting in hard brick, with no recovery possible.
On devices, if they exist, which contain cryptographic key burnt by eFuse, my bug will not be easily fully patchable. Very likely these devices will be constantly able to be attacked by different permutations of the bug.
I'm also not entirely sure if the technique is needed at all on this device (fbtool sounds more promising Started work on my own tool to talk to bootrom and preloader -after playing around with the protocol and staring at the preloader source, it seems impossible to to send DA / jump DA properly on this device), I actually suspect it will work on the HD 10 post Feb 2020 devices better - i.e. forcing downgrade from 7.3.1.2 to 7.3.1.0 but again it might brick instead from RPMB checks, similar to current scenario with using it on the Fire 7. Need to test hack on HD 10 2020, should work fully, holding back whilst fixing the fire 7.
SOFTWARE Related Ideas/Notes:
AFTV2-tools?
THOUGHTS: Can complete handshake, but on read it stalls - no response. Was this blocked on this preloader? YES.
Does anyone have any other crash to bootrom from preloader methods other than the one's in this code base?
amonet-kamakiri?
THOUGHTS: How do you modify this to use UART instead of VCOM? Maybe UART mode for flashing might allow it, anyone know how to get device into UART SP Flash mode?
Don't think this device has UART flashing mode but can't be sure (only able to get logging)
mediatek-datool?
GitHub - mtk09422/chromiumos-third_party-mediatek-datool
Contribute to mtk09422/chromiumos-third_party-mediatek-datool development by creating an account on GitHub.
github.com
THOUGHTS:
This might do it, but sounds complicated, I think it might be able to be used to clear existing chain of trust if used in a certain method - still mulling over the details. Upon some brief testing when used with 6315 preloader and lk.bin i get error about .sign file, but the gibberish from the UART seems different to cold boot scenario, i.e. the device is logging something extra based on passing in command to device. Jump DA / Send DA logging appeared on UART
Need to understand what the code is doing more - looks like it is sending a preloader and lk.bin to boot the device into fastboot mode, and the sign file is rather a patch file generated by the gen-dalk-from-lk.py to make a temporary DA file to start transfer of the preloader/lk.bin to reboot into fastboot - if so, then this may work as a generic method for mtk devices to unlock/root, by compiling lineage lk.bin/preloader without secureboot enabled and with fastboot unlocked then using the script to create the .sign file and using fbtool to boot to fastboot which is then unlocked. Might also need a hacked preloader which bypasses rpmb rollback check and any other security preventing booting. I still think it is possible by using MTK's key not Amazon's key. Need to find a MTK 8163V preloader / lk.bin source code (anyone have any links?)
This will only work with lineage compiles not FireOS as you need to boot it in secure chip mode using fbtool which then would need an auth file from existing amazon key (This is assuming that there is no existing key check to block fbtools from booting up - Need to confirm if fbtool can be used in insecure mode to boot into fastboot on this device Insecure mode doesn't work) - There is still possibly a way to use FireOS, but it would mean fully unsigning FireOS and resigning it with your own key then flashing that on, after having generated the relevant auth file / sign file for fbtool - This approach should enable FireOS with your own key. Whilst once in hacked fastboot should be able to reflash the original full ROM which would cause it to revert to stock.
I think fbtool is one of the only uses for the preloader, and offers a chance to unbrick devices which only have preloader access and no bootrom access (like this patched device). Need to either sign with Amazon or MTK's key - I think either one may work. Whilst Amazon's key is unavailable, isn't MTK's key supplied in the BSP?
Anyone have lineage installed on Fire 7? Need someone to test generating a DA file from fbtool's python script to see if it works. If what I'm thinking about the difference in Secure DA and DAA is right it is likely to work - DAA i think is disabled as it looks like it is to do with verifying preloader / lk.bin at bootrom stage.
[ROM][testing][mustang] Lineage-16.0 [25 Jan 2022]
Disclaimer /* * I am not responsible for bricked devices, dead SD cards, thermonuclear war, * or you getting fired because the alarm app failed. * Please do some research if you have any concerns about features included * in the products you find...
forum.xda-developers.com
Doesn't seem to have lk.bin. lk..bin provided by MTK not android project...
Some further ideas to investigate:
Using a blank preloader file for fbtool, to see if it causes device to drop into bootrom mode
DIdn't notice in fbtool readme that enable DAA was a one time operation.
Does anyone know of a definitive example of a device which has eFuse blown for crypto key?
Looking at previous threads, there is an indication that amazon attempted to test whether the eFuse is functioning, but there was no verified proof that eFuse has been blown. For the Fire 7 Gen 9 that I have, it appears the brom access was disabled by changing the eMMC chip not blowing a eFuse.
There is also no evidence of Amazon using an eFuse to store the crypto keys for this device that I can locate, meaning fbtool is very likely to be where chain of trust begins.
I think the way to check properly is to look at SPFT's terminal mode for reading the efuse's on the device. We might be able to do this on a unlocked/accessible Fire 7 Gen 9 2019 (i.e. one with available eMMC short to brom)
signfile-for-brom.sh indicates the preloader is patched with key? Does the preloader.img.sign file get accessed by the brom when being used by fbtool?
Need to look at bootrom code to verify what it does when fbtool has sent it a sign file as part of reboot to fastboot cycle. Looked at preloader code for answers instead
Is TEE/TZ1/TZ2/Trustzone updated by fbtool/datool? Is this where it is processing the sign files. Its also maybe using RPMB to store keys?
fbtool requires a almost payload like data structure, this is contained in gen-dalk-from-lk.py and will require one per SoC type. The above github does not contain a copy, but I have located one for MT8163 from another source. In order for this method to work on more devices, would need to locate more "payloads" for other SoCs. This method is very likely to be a clean method to access numerous MTK based devices.
The preloader contained inside Amzons rom files seems to be split into main preloader.img and preloader.hdr0/1 files, These look like they need merging or prehaps they are the MTK headerless version of the files (fbtools readme indicates a need for headerless files)
Any ideas where you might find "fbtool-da-pl.bin is a pre-built preloader_${PROJECT}_NO_GFH.bin" for this device? Should be in preloader/lk.bin compile process.
What about boot.img renamed to factory.img and placed on sdcard?
THOUGHTS: strings on the preloader indicate this may be possible, unless this has been blocked and the message hasn't been removed. Need this tested. No sdcard boot on preloader/lk.bin available but... Bootrom boot maybe possible see latest!
Tried SP Flash 5.1532 (insecure boot version) any other flashing tools that might work?
If it is in preloader mode, will there still be security blocking flashing if attempting to do UART flash instead of USB flash (UART might have different permission level than USB), will MTK-Bypass work with some modifications to talk to real COM port instead of VCOM?
THOUGHTS: mtk-bypass says it is bypassing DAA (Download Agent Authorization), My current understanding is it is disabling DAA and SecureBoot unnecessarily and should only disable SLA.
DAA sounds like it occurs at bootrom to verify preloader and lk.bin has been signed itself (fbtool Readme)
Secureboot sounds like it is the flag that is passed through to AVB (Android Documentation)
SLA sounds like it is the Secure DA being verified at preloader stage
Had a look at source / info online about it, and i think I'm right that DAA and secureboot disabling are not needed - SLA bypass is needed for SPFT fulll flash as that is bypassing secure DA check on preloader - whilst DAA and secureboot bypass via MTK-Bypass is needed only for a tethered boot scenario where device has DAA enabled fully, and you want to boot a preloader/lk.bin that hasn't been signed, mtk-bypass could then be used to tether bootup to disable both flags and enable booting - maybe then we can modify it a bit for devices where DAA is fully working with secureboot?
Which devices have problems with modified preloader/lk.bin which feature mtk chip, those would likely benefit? Not relevant for this Fire 7 I dont think. This allows a tethered boot solution for various scenarios, like linux dual boot, full system rw android install, etc.
Would using a hacked preloader which has secure DA verification disabled, whilst the device has bricked preloader and in bootrom mode, enable SPFT to flash device without mtk-bypass?
This would mean mtk-bypass is only worth using if you can't remove secure DA support from the preloader file itself - i think it might be patchable out with decompilation. Either that or the preloader is not fully bricked and still being read by bootrom to perform secure DA verification, would likely also need mtk-bypass in this situation.
This pad is ridiculously infuriatingly annoying to attempt to recover back to stock... Unless I am missing something obvious that i haven't tried.
Also anyone know where I can find the signed images for 6.3.1.1 6.3.1.0 or earlier, need the original update-*.bin files?
THOUGHTS: Already got everything from waybackmachine - any other sources of urls from their servers?
Also is there any available Preloader versions for this device or any *OTHER* Amazon devices that have preloader crash to Bootrom available? I need full collection of Amazon ROMs for all devices if possible, with it I might be able to get unlock/root working on them all - Chasing after a preloader that works to crash to get into bootrom or has available shortcut to enter bootrom (i.e. power/vol buttons) - with it plus what i've worked out, should be answer to all Amazon devices unlock, hopefully. I might also be able to repeat for all other devices - this might even work with the 2021 HD 10 which is just released!
Also any good guides to preloader/IDA Pro decompiling? Is this what I need to buy from IDA in order to repair and recover my Fire 7?
IDA Pro Computer License [Windows]1879 USD
ARM64 Decompiler Fixed License [Windows]2629 USD
ARM32 Decompiler Fixed License [Windows]2629 USD
The home version is a cloud based decompiler isn't it? Above is minimum price for offline decompilation isn't it?
Hardware related Ideas/Notes:
Tried hw method for CMD/DAT0/CLK and the emmc pin at front, no response (CMD jumps to preloader while all other test points result in no response - same as previous testers of newer Fire 7 device)
Anyone know what the other testpoints are, like:
VCOM/VGH/RST/ON/ID/VBAT/AUX_NTC/PWRKEY/USB_ID/DP/DM/VBUS/VGP3_PMU/FCHR_ENB/COL0
GND - Why did they put a pad for this when there is GND everywhere on the board?
CLK/CMD/DAT0 - MicroSD connection! NOT eMMC... Test with ohmmeter against MicroSD pins!
TX/RX - UART
SDI/SDO/SCI/CS
Is SDI/SDO/SCI/CS some kind of SPI or another interface? Likely it is SPI (anyone know how to talk to it? I have raspberry pi's / picos / arduinos / ch341a)
What about the covered over points?
VIO8_PMU - 1.8V to eMMC?
VCC_IO - Cant rememebr if it is this one or above, need to retest.
VEMC3V_PMU - 3.3V to eMMC?
VCCK_PMU - Voltage to SoC?
AVOD/VGL/LEDA/LEDK/SPK_N/SPK_P/VPROC_PMU/VMCH_PMU/VMCA_PMU/VCAMD_IO/VCAMD_PMU/HPL/HPR
Maybe can make a list of all points and how they behave for this board?
Anyone know of how to interface directly with the eMMC by soldering MMC adapter?
Tried to attach to dat0 from front of board but ended up tearing pad - need to use a better method than soldering, maybe use Rubber+Needles+Crocodile Clips
Any chance of doing stock recovery by UART RX/TX flash?
THOUGHTS: Probably not, likely only get boot logs.
Can I use a raspberryPi B to connect to UART, Do I have to use RS232 or TTL?
THOUGHTS: No, possibly dangerous, RaspberryPi B is at 3.3v whilst this is possibly 1.8v - need to measure using voltmeter. RS232 should be safe as it uses -13v-+13v for RX/TX. USB TTL would also need a logic level shift from 3.3v to 1.8v. Therefore USB RS232 adapter is best choice. (I think for TX from board to RX from USB Serial - But dangerous from RX from board to TX from USB Serial because of over voltage from adapter possibly supplying +13v - need confirmation as this is useful for potentially debugging other gear by UART) Problem with RS232 is signal is inverted when read, therefore needing inversion by another chip to display correctly - better RS232 USB adapters seem to be able to be flashed by EEPROM to invert signal (FTDI ones with mProg). Need a USB TTL for further testing. Need to see if PL2303 can be hacked to invert signal - maybe driver hack for linux possible? Anyone have any simpler solutions to see UART logging from this device, or do I need a logic level analyser?
If so how to connect it?
THOUGHTS: Connect TX to Pin 2 from RS232 and GND to Pin 5 (Dont attach RX from board, else possible over voltage from sending data from PC). Using CH340G attach RX to TX on PCB, GND to GND, Make sure cables are shielded or split due to interference from cabling touching each other. Connection currently without battery installed seems to output gibberish, need to test with battery installed (Maybe bootloader logs will output) -Currently despite gibberish output it is most likely 961200 baud Databits 8, no flow control, 1 stop bits for preloader. Bootrom logging sounds like it might be 115200 (according to older kindle device thread )
Since the device can seemingly only output from UART, why is there an RX pad on the board? How or what can you transmit to the device by UART?
Is there anything inside the console for flashing back 6.3.1.5? No Console
Managed to hook this pad up by UART - RS232, but despite trying all the baud speeds / settings only getting gibberish output - is this because the UART is spitting out MTK flashing protocol language since its in preloader mode without battery attached?
THOUGHTS: Think it is inverted signal logic rather than low level protocol.
Should I attach battery instead of USB power to see Bootloader logs? If so, how to attach battery to board whilst UART is soldered to cabling?
THOUGHTS: Unlikely to help, and potentially dangerous
Anyone tried any dongles with the Fire 7 or any other Amazon devices? MT/NCK/etc?
Last thing I can think to try is the NCC Group Hack on mt8163v chips using FPGA and chip whisperer. Anyone know how to simplify that process for this scenario of brick recovery rather than full unlock? - sounds like some well timed shorts in bootup might glitch it enough. Does this even work still or was this fully patched as part of mtk-su patching? Tried GND VCCK_PMU but couldn't get anything other than normal boot
There’s A Hole In Your SoC: Glitching The MediaTek BootROM
This research was conducted by our intern Ilya Zhuravlev, who has returned to school but will be rejoining our team after graduation, and was advised by Jeremy Boone of NCC Group’s Hardware &…
research.nccgroup.com
Modding the Redmi Note 8 Pro — An Adventure
Back in November 2019, Xiaomi sent some of us the Redmi Note 8 Pro through XDA, to play with and mod. The Redmi Note 8 Pro is powered by…
medium.com
"The difference between the two is, in SLA, BootROM performs the checks and in DAA, Download Agent (DA) performs the check. Download Agent is loaded by SP Flash Tool. On devices that implement SLA, you cannot load a DA file without completing the SLA challenge. On devices that implement DAA, the challenge is done by DA and a modified DA file is enough to bypass security (That is, assuming you manage to reverse things or have the BSP)."
I think the above (one of the few places I've seen talking about DAA online) is again not quiet entirely right - Description above indicates DAA is Just normal Secure DA necessity, i.e. less secure than SLA.
SLA is the usage of a Secure DA itself, whilst DAA is preloader and lk.bin signature verification.
Secure DA could contain, in this case Xiaomi Authroisation Request, therefore in this case only SLA needed disabling.
What is interesting is the mention of BSP. fbtool is part of this isn't it?
Given how complicated this is and the number of slight mistakes in terminology use I see everywhere online, I think fbtool really might work on this device and many others for a "fastboot cable" with enough tinkering.
Also notice how the tool is named both datool and fbtool in the same package, google also returns very little about both of these, and DAA now contains only links to mtk-bypass. Suspicious!
https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3264.pdf
The above links to the cryptocore usage for X30 chip MT6799W, which sounds like a more complex design than the MT8163V.
"Chaining of secondary public keys, signed by the root-of-trust public key, to permit parts of the system image to be signed by other trusted developers"
Don't we just need a copy of the root-of-trust public key for signing the bootloader image?
"The module remains assigned to the User Role permanently, unless the operator moves the module into one of the special Life Cycle States intended for fualt discovery (Secure Debug and RMA)"
"a) Run a special boot loader that can be flashed to the device
Flash a special boot loader to the device and power up
The boot loader enables RMA state
Set all 1’s for all the platform keys that are stored in OTP
b) Use a PC tool to send command to the device
Send a zeroization command from PC tool to the device
Device firmware interpreters the command and enables RMA state
Set all 1’s for all the platform keys that are stored in OTP"
Wonder how to shift the Life Cycle State? Wonder what PC tool is being referred to there?
I doubt the MT8163 is as secure, can anyone confirm?
Also notice they call it One-Time-Programmable but you seem to be able to set all 1s after the One Time Programming operation! (isn't zeroing setting it to 0 not 1...)
Bit off topic, but too appropriate:
stickfiretv2020 said:
After months of slowly calculating this I finally have some solutions for the latter hw revised devices!
Option 1:
Randomly poke at area near the emmc chip, yes seriously... I did it on one that I was trying to scrape the pcb tracks on, after tearing off pads near emmc by accident. It now doesn't boot but I get bootrom output!?! bootrom is halting (as seen on uart) and its error message is varying based on changes to inserted microSD (i.e. change partition names on card and I get different error from bootrom), i.e. I think I got bootrom booting from microSD - I don't think these newer devices have bootrom DL mode at all anymore, replaced by microSD boot instead. The damage to board is likely the cutting of one of the eMMC tracks that has done this, need a microscope to see where i cut exactly on the pcb.
Problem I now have is how do I partition a microSD card to match the eMMC's layout and flash Android onto the card? Anyone got good instructions? It is MTK Bootrom MicroSD boot mode not preloader/lk.bin boot Android from MicroSD mode. I think I need to partition EMMC_BOOT0 EMM_RPMB EMMC_USER etc like Jedec standard, or like armbian.
There is a second option but I wont go into that as it is very hard! requires special circuit made from arduino/microcontroller and a really clever hack for fire 7 2020, for fire 10 2020 it may only need hack still waiting to try it on my pads, holding back testing it because of this dead fire 7 i've been trying to fix instead.
Click to expand...
Click to collapse
So close!
Is there a way to identify these devices? I was given a new Fire 7 Gen 9 and updated it to the stock rom 6.3.2.1 I think. Then used the h/w trick of shorting a tiny pin, which worked. It's now running a non-stock rom with TWRP 3.3.1-0. I don't know how to tell if I have an older device or just lucky with the new device.
stickfiretv2020 said:
There is a second option but I wont go into that as it is very hard! requires special circuit made from arduino/microcontroller and a really clever hack for fire 7 2020, for fire 10 2020 it may only need hack still waiting to try it on my pads, holding back testing it because of this dead fire 7 i've been trying to fix instead.
Click to expand...
Click to collapse
Any progress on this option? I have a Fire 7 2019 that appears to be a post-Feb 2020 hardware that I'd like to have running LineageOS. It currently has stock 7.3.2.2. I'm comfortable with arduino/microcontrollers and soldering, so I'd happily volunteer to help with testing.
It's unfortunate that the Fire 7 9th gen can't be downgraded. I've done everything I can to slim down the bloat with this tablet, such as fire toolbox, but it's just not enough to make this tablet usable in real life. It is excruciatingly slow trying to do anything with it. The grossly insufficient 1gb ram is full after boot with bloated apps and services before you even try to do anything and it only gets worse from there. The best thing you can do with this tablet is to make it into a digital picture frame or something that requires no intervention. Nowadays, I only use mine to run a ping app to continuously ping google.com during an internet outage to see when my connection is restored while I'm using the hotspot on my phone waiting for my home connection to work again. This tablet is effectively dead for the unfortunate people who own one except for the most desperate of people who can afford to wait a full minute or two or three for a website to load or just an app to open, or to just get it to respond to any user intervention. It's too painful to try to use in any way at all. It's like trying to run Vista on an old grossly underpowered XP office pc. We all know how that went. So, I think I speak for everyone when I say that this tablet is effectively dead until a method is discovered to root it. R.I.P. Fire 7 9th gen. "He's dead, Jim."