100% Working WiFi Monitor Mode - Nexus 5 Accessories

This article will first describe how to locate the Monitor mode code in the Nexus 5 firmware (hammerhead-ktu84p-factory-35ea0277, bootloader-hammerhead-hhz11k : c32f8bec310c659c1296739b00c6a8ac). Then, we will try to understand what it does. Finally, you will have to find bugs by yourself, because I didn't find any... so far!
Note: the terms (Non-)Secure world and (Non-)Secure state are used as synonyms. The term Normal world is also used as a synonym for Non-Secure world.
I. Quick introduction to ARM Security Extensions
"The Security Extensions define two security states: Secure state and Non-secure state. All instruction execution takes place either in Secure state or in Non-secure state.[...] The Security Extensions also define an additional processor mode, Monitor mode, that provides a bridge between software running in Non-secure state and software running in Secure state."
"The Secure Monitor Call exception is implemented only as part of the Security Extensions. The Secure Monitor Call instruction, SMC , requests a Secure Monitor function, causing the processor to enter Monitor mode."
"When an exception is taken, processor execution is forced to an address that corresponds to the type of exception. This address is called the exception vector for that exception. A set of exception vectors comprises eight consecutive word-aligned memory addresses, starting at an exception base address. These eight vectors form a vector table."
-- ARM Architecture Reference Manual ARMv7-A
II. OpenSource TrustZone examples
The Trusted Execution Environment (TEE) is the "small" secure kernel executed in Secure state. The Monitor code is part of the TEE code.
To get an idea of how the Monitor code works, we can take a look at two TrustZone examples:
Cortex-A9 TrustZone example by ARM: a simple example of secure and non-secure code that communicate through Monitor mode.
OP-TEE by STMicroelectronics: an Open Source TEE 1.0 implementation.
After studying these code samples, we can clearly distinguish two parts in the Monitor code:
Monitor mode initialization: called once, at TEE initialization time.
In this code, we can notice two specific operations:
Monitor Vector Base Address Register (MVBAR) setup: MVBAR contains the address of the Monitor vector table. Both samples use the same instruction to set up MVBAR:
MCR p15, 0, $RX,c12,c0, 1
where $RX is a register holding a pointer to the Monitor mode vector table.
SP register setup: the Monitor mode stack address is written into the SP register. This register is banked, which means this value will be automatically restored the next time the processor enters Monitor mode.
Exception vectors: called when an exception is taken to Monitor mode.
Both samples implement a simple Secure Monitor Call (SMC) handler that switches between the Normal and Secure worlds when an SMC call is made. As the SMC handler is an entry point to the Secure state, it is worth analyzing it in the Nexus 5 firmware.
III. Extracting Nexus 5 firmware
We know that the Monitor code may be embedded in the TEE image. In the case of the Nexus 5, this image can be extracted from the stock ROM.
Once downloaded, we use a small tool to unpack the bootloader-hammerhead-hhz11k.img file. One of the extracted files is an ARM ELF binary named "tz".
IV. Nexus 5 Monitor mode code
To analyze the Nexus 5 TrustZone binary, we can use IDA Demo 6.6.
Given that writing MVBAR is specific to Monitor mode initialization, we use it to locate the initialization code in the Nexus 5 TrustZone binary.
Using IDA's regex search in the code disassembly, we look for the instruction used to write MVBAR:
MCR[[:space:]]+p15, 0, [^,]+,c12,c0, 1
This search returns only 3 occurrences, and one of them also sets the SP register: these are the instructions expected in Monitor mode initialization code.
IV.1. Monitor mode initialization function
Here's the disassembly of the Monitor mode initialization code :
LOAD:FE80DB4C init_monitor
LOAD:FE80DB4C MSR CPSR_c, #0xD6 ; switch to Monitor mode
LOAD:FE80DB50 LDR R0, =monitor_vector_table ; load monitor vector table ptr into R0
LOAD:FE80DB54 MCR p15, 0, R0,c12,c0, 1 ; write R0 to MVBAR
LOAD:FE80DB58 BL sub_FE80DB88 ; initialize Non-Secure world
LOAD:FE80DB5C LDR SP, =0xFE82B700
LOAD:FE80DB60 MRC p15, 0, R0,c0,c0, 5 ; write MPIDR value to R0
LOAD:FE80DB64 AND R0, R0, #0xFF ; keep Affinity level 0 : current virtual CPU id
LOAD:FE80DB68 MOV R1, #0x200
LOAD:FE80DB6C MUL R1, R1, R0 ; compute stack offset for current vCPU
LOAD:FE80DB70 SUB SP, SP, R1 ; setup Monitor stack register SP
LOAD:FE80DB74 MOV R0, #0b100
LOAD:FE80DB78 MCR p15, 0, R0,c1,c1, 0 ; set FIQ flag in SCR register
LOAD:FE80DB7C ISB SY ; flush the pipeline in the processor
LOAD:FE80DB80 MSR CPSR_c, #0xD3 ; switch to Supervisor mode
LOAD:FE80DB84 BX LR
LOAD:FE80DB84 ; End of function init_monitor
We will now proceed to a detailed analysis of each step.
IV.1.A Switch to Monitor mode
The MSR instruction moves an immediate value (here 0xD6) into a special register (here CPSR_c).
LOAD:FE80DB4C MSR CPSR_c, #0xD6 ; switch to Monitor mode
The Current Program Status Register (CPSR) holds processor status and control information. The "_c" suffix means that only bits<0:7> of CPSR are written (ARM Ref. B9.3.11). This bitfield controls the processor mode and the exception masks.
We can use a simple IDAPython script to replace the immediate value 0xD6 with the symbols documented in ARM Ref. (B1-1148):
# ida-armv7a-cpsr_c.py (IDA 6.x IDAPython API)
from idautils import *
from idaapi import *
from idc import *

Message("%s starting...\n" % __file__)

# Create (or reuse) a bitfield enum describing the CPSR bits<7:0> written by MSR CPSR_c
CPSR_C_enum_id = GetEnum("CPSR_C_enum")
if CPSR_C_enum_id == BADADDR:
    CPSR_C_enum_id = AddEnum(-1, "CPSR_C_enum", hexflag())
    SetEnumBf(CPSR_C_enum_id, 1)
    # Processor mode field: bits<4:0>, mask 0x1F (ARM Ref. B1-1148)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_USR", 0b10000, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_FIQ", 0b10001, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_IRQ", 0b10010, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_SVC", 0b10011, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_MON", 0b10110, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_ABT", 0b10111, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_HYP", 0b11010, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_UND", 0b11011, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_SYS", 0b11111, 0x1F)
    # Thumb state bit and the FIQ / IRQ mask bits: one bit each
    AddConstEx(CPSR_C_enum_id, "CPSR_THUMB", 0x20, 0x20)
    AddConstEx(CPSR_C_enum_id, "CPSR_MASK_FIQ", 0x40, 0x40)
    AddConstEx(CPSR_C_enum_id, "CPSR_MASK_IRQ", 0x80, 0x80)

# Walk every CPS / MSR instruction and apply the enum to its immediate operand
ea = MinEA()
while True:
    ea = FindText(ea, SEARCH_DOWN | SEARCH_NEXT | SEARCH_REGEX, 0, 0, " (CPS|MSR) ")
    if ea == BADADDR:
        break
    mnem = GetMnem(ea)
    if mnem == "MSR":
        # Only MSR CPSR_c, #imm carries a mode/mask bitfield
        if GetOpnd(ea, 0) == "CPSR_c" and GetOpType(ea, 1) == o_imm:
            OpEnumEx(ea, 1, CPSR_C_enum_id, 0)
            Message("%s MSR CPSR_c, %s\n" % (hex(ea), GetOpnd(ea, 1)))
    elif mnem == "CPS":
        OpEnumEx(ea, 0, CPSR_C_enum_id, 0)
        Message("%s CPS %s\n" % (hex(ea), GetOpnd(ea, 0)))
    else:
        Message("Unrecognized instruction @ %s : %s\n" % (hex(ea), GetDisasm(ea)))
    ea = NextHead(ea)

Message("Done!\n")
Thus, the instruction becomes:
LOAD:FE80DB4C MSR CPSR_c, #CPSR_MODE_MON OR CPSR_MASK_FIQ OR CPSR_MASK_IRQ ; switch to Monitor mode
This instruction switches the processor to Monitor mode. It also sets CPSR.F and CPSR.I bits to mask FIQ and IRQ exceptions, meaning they cannot be taken.
IV.1.B Setup MVBAR
The Move to Coprocessor from ARM core register instruction (MCR) passes the value of an ARM core register (here R0) to a coprocessor (here CP15).
LOAD:FE80DB50 LDR R0, =monitor_vector_table ; load monitor vector table ptr into R0
LOAD:FE80DB54 MCR p15, 0, R0,c12,c0, 1 ; write R0 to MVBAR
The CP15 c12 registers are present on an ARMv7-A implementation that includes the Security Extensions. This instruction writes the R0 value to MVBAR. R0 contains a pointer to the Monitor vector table, which we will describe later.
IV.1.C Initialize Non-Secure world
The function sub_FE80DB88 is called to initialize the Non-Secure world context:
LOAD:FE80DB88 sub_FE80DB88
LOAD:FE80DB88 MRC p15, 0, R1,c1,c0, 0 ; read Secure SCTLR
LOAD:FE80DB8C MOV R0, #SCR_NS OR SCR_FW OR SCR_AW ; #0x31
LOAD:FE80DB90 MCR p15, 0, R0,c1,c1, 0 ; switch to Non-Secure (NS) state
LOAD:FE80DB94 ISB SY
LOAD:FE80DB98 MCR p15, 0, R1,c1,c0, 0 ; write Secure SCTLR value to NS SCTLR
LOAD:FE80DB9C MOV R0, #0
LOAD:FE80DBA0 MCR p15, 2, R0,c0,c0, 0 ; clear CSSELR
LOAD:FE80DBA4 MCR p15, 0, R0,c2,c0, 0 ; clear TTBR0
LOAD:FE80DBA8 MCR p15, 0, R0,c2,c0, 1 ; clear TTBR1
LOAD:FE80DBAC MCR p15, 0, R0,c2,c0, 2 ; clear TTBCR
LOAD:FE80DBB0 MCR p15, 0, R0,c3,c0, 0 ; clear DACR
LOAD:FE80DBB4 MCR p15, 0, R0,c5,c0, 0 ; clear DFSR
LOAD:FE80DBB8 MCR p15, 0, R0,c5,c0, 1 ; clear IFSR
LOAD:FE80DBBC MCR p15, 0, R0,c5,c1, 0 ; clear ADFSR
LOAD:FE80DBC0 MCR p15, 0, R0,c5,c1, 1 ; clear AIFSR
LOAD:FE80DBC4 MCR p15, 0, R0,c6,c0, 0 ; clear DFAR
LOAD:FE80DBC8 MCR p15, 0, R0,c6,c0, 2 ; clear IFAR
LOAD:FE80DBCC MCR p15, 0, R0,c7,c4, 0 ; clear PAR
LOAD:FE80DBD0 MCR p15, 0, R0,c10,c2, 0 ; clear PRRR
LOAD:FE80DBD4 MCR p15, 0, R0,c10,c2, 1 ; clear NMRR
LOAD:FE80DBD8 MCR p15, 0, R0,c10,c4, 0 ; clear "MMUDMTR" ?
LOAD:FE80DBDC MCR p15, 0, R0,c10,c4, 1 ; clear "MMUDCPR" ?
LOAD:FE80DBE0 LDR R1, =dword_FE82B8CC ; load Non-Secure VBAR ptr to R1
LOAD:FE80DBE4 LDR R0, [R1]
LOAD:FE80DBE8 MCR p15, 0, R0,c12,c0, 0 ; write Non-Secure VBAR
LOAD:FE80DBEC MOV R0, #0
LOAD:FE80DBF0 STR R0, [R1] ; clear Non-Secure VBAR ptr
LOAD:FE80DBF4 MCR p15, 0, R0,c13,c0, 0 ; clear FCSEIDR
LOAD:FE80DBF8 MCR p15, 0, R0,c13,c0, 1 ; clear CONTEXTIDR
LOAD:FE80DBFC MCR p15, 0, R0,c13,c0, 2 ; clear TPIDRURW
LOAD:FE80DC00 MCR p15, 0, R0,c13,c0, 3 ; clear TPIDRURO
LOAD:FE80DC04 MCR p15, 0, R0,c13,c0, 4 ; clear TPIDRPRW
LOAD:FE80DC08 MOV R0, #SCR_FW OR SCR_AW ; #0x30
LOAD:FE80DC0C MCR p15, 0, R0,c1,c1, 0 ; switch back to Secure state
LOAD:FE80DC10 ISB SY
LOAD:FE80DC14 BX LR
LOAD:FE80DC14 ; End of function sub_FE80DB88
First, the security state is switched to Non-Secure. Then, the coprocessor registers banked between the two security states (ARM Ref. Banked system control registers) are initialized: most are cleared to zero, SCTLR is copied from its Secure value and VBAR is loaded from dword_FE82B8CC. Finally, the security state is switched back to Secure.
IV.1.D Setup SP register
On ARMv7-A, the Multiprocessor Affinity Register (MPIDR) holds processor identification information. In this register, bits<0:7> are affinity level 0 (Aff0), which represents the current CPU id. Here, this id is used to compute the stack address of the current CPU, which is then stored into the SP register. The stack size for each CPU is 0x200 bytes.
LOAD:FE80DB5C LDR SP, =0xFE82B700
LOAD:FE80DB60 MRC p15, 0, R0,c0,c0, 5 ; write MPIDR value to R0
LOAD:FE80DB64 AND R0, R0, #0xFF ; keep Affinity level 0 : current virtual CPU id
LOAD:FE80DB68 MOV R1, #0x200
LOAD:FE80DB6C MUL R1, R1, R0 ; compute stack offset for current vCPU
LOAD:FE80DB70 SUB SP, SP, R1 ; setup Monitor stack register SP
IV.1.E Route FIQ exceptions to Monitor mode
The CP15 c1 registers are present on an ARMv7-A implementation that includes the Security Extensions. This instruction sets bit<2> (0x4) of the Secure Configuration Register (SCR), which means FIQ exceptions are now taken to Monitor mode.
LOAD:FE80DB74 MOV R0, #0b100 ; SCR.FIQ
LOAD:FE80DB78 MCR p15, 0, R0,c1,c1, 0 ; set FIQ flag in SCR register
LOAD:FE80DB7C ISB SY ; flush the pipeline in the processor
We can also notice that bit<0> (SCR.NS: Non-Secure) is not set, meaning the current execution state is Secure.
IV.1.F Switch back to Supervisor mode
This instruction switches the processor to Supervisor mode, and sets FIQ & IRQ mask bits.
LOAD:FE80DB80 MSR CPSR_c, #CPSR_MODE_SVC OR CPSR_MASK_FIQ OR CPSR_MASK_IRQ ; switch to Supervisor mode
Monitor mode setup is now complete. Monitor code can then be entered through its exception vector table.
IV.2. Monitor Exception Vector Table
The Monitor exception vector table defines exception vectors to handle exceptions taken to Monitor Mode.
Its structure is described in ARM Ref. (B1-1167), table "The vector table entries": offsets 0x00 and 0x04 are not used, 0x08 is the Secure Monitor Call vector, 0x0C Prefetch Abort, 0x10 Data Abort, 0x14 not used, 0x18 IRQ and 0x1C FIQ.
Thanks to the Monitor initialization code, we know the address of the Nexus 5's Monitor exception vector table:
LOAD:FE80CEE0 monitor_vector_table
LOAD:FE80CEE0 B dead_loop ; not used
LOAD:FE80CEE4 ; ---------------------------------------------------------------------------
LOAD:FE80CEE4 B dead_loop ; not used
LOAD:FE80CEE8 ; ---------------------------------------------------------------------------
LOAD:FE80CEE8 B smc_handler ; Secure Monitor Call
LOAD:FE80CEEC ; ---------------------------------------------------------------------------
LOAD:FE80CEEC B dead_loop ; Prefetch Abort
LOAD:FE80CEF0 ; ---------------------------------------------------------------------------
LOAD:FE80CEF0 B dead_loop ; Data Abort
LOAD:FE80CEF4 ; ---------------------------------------------------------------------------
LOAD:FE80CEF4 B dead_loop ; not used
LOAD:FE80CEF8 ; ---------------------------------------------------------------------------
LOAD:FE80CEF8 B sub_FE80CF24 ; IRQ interrupt
LOAD:FE80CEFC ; ---------------------------------------------------------------------------
LOAD:FE80CEFC B sub_FE80CFB4 ; FIQ interrupt
LOAD:FE80CEFC ; End of function monitor_vector_table
We can see that 3 exception handlers are configured: SMC, FIQ, IRQ. Others are dead loops.
IV.3. Secure Monitor Call handler function
The HLOS (Non-Secure state) can call the TrustZone API (Secure state) with the SMC instruction, which triggers a Secure Monitor Call exception. This exception is taken to Monitor mode, which switches the processor to Secure Supervisor mode to process the call. When the called TrustZone function returns, a second SMC exception is triggered, so the processor enters Monitor mode again. Finally, Monitor mode returns the results to the calling function (Non-Secure state).
Monitor mode acts as a bridge between Non-Secure state and Secure state. It is designed to handle calls initiated from the Non-Secure state only.
The entry dedicated to SMC exceptions sits at offset 0x08 in the Monitor Exception Vector Table and branches to the handler function.
In this function, which we will call the SMC handler, the first instructions check whether the exception occurred in Secure or Non-Secure state (when the processor is in Monitor mode, it is in Secure state regardless of the value of the SCR.NS bit, so SCR.NS records which world the SMC came from).
LOAD:FE80D028 smc_handler
LOAD:FE80D028
LOAD:FE80D028 varg_r0 = -0x10
LOAD:FE80D028 varg_r1 = -0xC
LOAD:FE80D028 varg_r2 = -8
LOAD:FE80D028 varg_r3 = -4
LOAD:FE80D028
LOAD:FE80D028 STMFD SP!, {R0-R3}
LOAD:FE80D02C MRC p15, 0, R0,c1,c1, 0 ; read SCR register
LOAD:FE80D030 TST R0, #1 ; test SCR.NS bit
LOAD:FE80D034 BEQ loc_FE80D210 ; jump if SCR.NS==0
When an exception is taken to Monitor mode, the CPSR.{A,I,F} bits are set to 1, meaning Abort, IRQ and FIQ exceptions can no longer be taken.
IV.3.A. Call to Secure World
If the SCR.NS bit is set, the Non-Secure world wants to call the Secure world. We will now analyze the operations performed by the SMC handler, up to the exception return into the Secure world.
IV.3.A.a Setup current security state
This first step configures the Secure Configuration Register (SCR). Bits<1:3> (SCR.IRQ, SCR.FIQ and SCR.EA) are set to route IRQ, FIQ and External Abort exceptions to Monitor mode. The Non-Secure bit<0> is not set, so this core will still be in Secure state when it exits Monitor mode.
LOAD:FE80D038 MOV R0, #SCR_IRQ OR SCR_FIQ OR SCR_EA ; 0b1110
LOAD:FE80D03C MCR p15, 0, R0,c1,c1, 0 ; write SCR with SCR.NS==0
LOAD:FE80D040 ISB SY ; Instruction Synchronization Barrier
LOAD:FE80D040 ; flushes the pipeline in the processor
IV.3.A.b Monitor calls
On a HLOS like Android, SMC exceptions are triggered by the Secure Channel Manager (SCM), implemented in the Linux kernel.
A quick look at its source code tells us that registers {R0-R3} hold the arguments of SMC calls. We also learn that R0 is a bitfield defined by the following macro:
#define SCM_ATOMIC(svc, cmd, n) (((((svc) << 10)|((cmd) & 0x3ff)) << 12) | \
SCM_CLASS_REGISTER | \
SCM_MASK_IRQS | \
(n & 0xf))
With svc the service identifier, cmd the command identifier, and n the argument count of the SMC call.
In the SMC handler, the R0 value is first shifted right by 12. Based on the SCM_ATOMIC macro, the resulting value is ((svc) << 10)|((cmd) & 0x3ff), i.e. the service identifier svc combined with the command identifier cmd.
This value is then compared against several immediates. For each case, a specific function is called if the values match.
LOAD:FE80D048 MOV R2, R0,LSR#12 ; extract service & command identifiers
LOAD:FE80D04C MOV R1, #0x402 ; SCM_SVC_BOOT::SCM_CMD_TERMINATE_PC
LOAD:FE80D050 CMP R1, R2
LOAD:FE80D054 LDMEQFD SP!, {R1-R3}
LOAD:FE80D058 BEQ sub_FE80D360
LOAD:FE80D05C MOV R1, #0xC05 ; SCM_SVC_UTIL::CACHE_BUFFER_DUMP_COMMAND_ID
LOAD:FE80D060 CMP R1, R2
LOAD:FE80D064 LDMEQFD SP!, {R1-R3}
LOAD:FE80D068 BEQ sub_FE80D68C
LOAD:FE80D06C MOV R1, #0x404 ; SCM_SVC_BOOT::4
LOAD:FE80D070 CMP R1, R2
LOAD:FE80D074 LDMEQFD SP!, {R1-R3}
LOAD:FE80D078 BEQ sub_FE80D72C
LOAD:FE80D07C MOV R1, #0x1401 ; SCM_SVC_IO::SCM_IO_READ
LOAD:FE80D080 CMP R1, R2
LOAD:FE80D084 LDMEQFD SP!, {R1-R3}
LOAD:FE80D088 BEQ sub_FE80D5AC
LOAD:FE80D08C MOV R1, #0x1402 ; SCM_SVC_IO::SCM_IO_WRITE
LOAD:FE80D090 CMP R1, R2
LOAD:FE80D094 LDMEQFD SP!, {R1-R3}
LOAD:FE80D098 BEQ sub_FE80D5CC
LOAD:FE80D09C MOV R1, #0x3404 ; SCM_SVC_DCVS::DCVS_CMD_EVENT
LOAD:FE80D0A0 CMP R1, R2
LOAD:FE80D0A4 LDMEQFD SP!, {R1-R3}
LOAD:FE80D0A8 BEQ sub_FE80D64C
LOAD:FE80D0AC MOV R1, #0x1403 ; SCM_SVC_IO::TZ_RESET_ID
LOAD:FE80D0B0 CMP R1, R2
LOAD:FE80D0B4 LDMEQFD SP!, {R1-R3}
LOAD:FE80D0B8 BEQ sub_FE80D5EC
LOAD:FE80D0BC MOV R1, #0x1404 ; SCM_SVC_IO::TZ_UPDATE_ID
LOAD:FE80D0C0 CMP R1, R2
LOAD:FE80D0C4 LDMEQFD SP!, {R1-R3}
LOAD:FE80D0C8 BEQ sub_FE80D618
LOAD:FE80D0CC MOV R1, #0x2401 ; SCM_SVC_PWR::SCM_IO_DISABLE_PMIC_ARBITER
LOAD:FE80D0D0 CMP R1, R2
LOAD:FE80D0D4 LDMEQFD SP!, {R1-R3}
LOAD:FE80D0D8 BEQ sub_FE80D74C
As the Linux kernel itself initiates a lot of SMC calls, we explore the Linux sources to enumerate the service and command identifiers passed to SMC calls. This way, we get information about the corresponding functions without reversing them.
Immediate value | Service ID (imm>>10) | Command ID (imm&0x3ff) | Function description
----------------|----------------------|------------------------|---------------------
0x402  | SCM_SVC_BOOT | SCM_CMD_TERMINATE_PC | Put current core in low power state
0xC05  | SCM_SVC_UTIL | CACHE_BUFFER_DUMP_COMMAND_ID | Dump the L1 and L2 caches on panic
0x404  | SCM_SVC_BOOT | 4 | Dummy function, returns to Non-Secure world
0x1401 | SCM_SVC_IO | SCM_IO_READ | Dummy function, returns to Non-Secure world
0x1402 | SCM_SVC_IO | SCM_IO_WRITE | Dummy function, returns to Non-Secure world
0x3404 | SCM_SVC_DCVS | DCVS_CMD_EVENT | Handle some Dynamic Clock and Voltage Scaling (DCVS) events (see also the event definitions)
0x1403 | SCM_SVC_IO | TZ_RESET_ID | Related to GPU power management
0x1404 | SCM_SVC_IO | TZ_UPDATE_ID | Related to GPU power management
0x2401 | SCM_SVC_PWR | SCM_IO_DISABLE_PMIC_ARBITER | "Force the SPMI PMIC arbiter to shutdown so that no more SPMI transactions are sent from the MSM to the PMIC."
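To make the decoding concrete, here is an added C example (not code from this article, the Linux kernel or the Nexus 5 firmware) that builds R0 the way SCM_ATOMIC does and reproduces the handler's dispatch over the nine immediates of the table above. The values of SCM_CLASS_REGISTER and SCM_MASK_IRQS are not given on the page; they are assumed from the kernel's arch/arm/mach-msm/scm.c.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed values (arch/arm/mach-msm/scm.c); they live in the low 12 bits,
 * which the Monitor discards with MOV R2, R0,LSR#12. */
#define SCM_CLASS_REGISTER (0x2u << 8)
#define SCM_MASK_IRQS      (1u << 5)

/* Same encoding as the kernel's SCM_ATOMIC macro quoted above. */
#define SCM_ATOMIC(svc, cmd, n) (((((svc) << 10) | ((cmd) & 0x3ffu)) << 12) | \
                                 SCM_CLASS_REGISTER | SCM_MASK_IRQS | ((n) & 0xfu))

struct scm_call {
    uint32_t svc;   /* service identifier  (imm >> 10)   */
    uint32_t cmd;   /* command identifier  (imm & 0x3ff) */
    uint32_t nargs; /* argument count      (r0 & 0xf)    */
};

/* Split an R0 value back into service, command and argument count,
 * following the SCM_ATOMIC layout in reverse. */
struct scm_call scm_decode(uint32_t r0)
{
    struct scm_call c;
    uint32_t imm = r0 >> 12;   /* what the SMC handler keeps in R2 */
    c.svc = imm >> 10;
    c.cmd = imm & 0x3ffu;
    c.nargs = r0 & 0xfu;
    return c;
}

/* The nine immediates compared by the SMC handler, in the order they are tested. */
static const struct {
    uint32_t imm;
    const char *name;
} monitor_calls[] = {
    { 0x402,  "SCM_SVC_BOOT::SCM_CMD_TERMINATE_PC" },
    { 0xC05,  "SCM_SVC_UTIL::CACHE_BUFFER_DUMP_COMMAND_ID" },
    { 0x404,  "SCM_SVC_BOOT::4" },
    { 0x1401, "SCM_SVC_IO::SCM_IO_READ" },
    { 0x1402, "SCM_SVC_IO::SCM_IO_WRITE" },
    { 0x3404, "SCM_SVC_DCVS::DCVS_CMD_EVENT" },
    { 0x1403, "SCM_SVC_IO::TZ_RESET_ID" },
    { 0x1404, "SCM_SVC_IO::TZ_UPDATE_ID" },
    { 0x2401, "SCM_SVC_PWR::SCM_IO_DISABLE_PMIC_ARBITER" },
};

/* Returns the name of the "Monitor call" selected by R0, or NULL when the
 * handler would fall through to the TrustZone lock path. */
const char *monitor_dispatch(uint32_t r0)
{
    uint32_t imm = r0 >> 12;
    for (size_t i = 0; i < sizeof monitor_calls / sizeof monitor_calls[0]; i++)
        if (monitor_calls[i].imm == imm)
            return monitor_calls[i].name;
    return NULL;
}
```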
All these functions have the same epilogue:
LOAD:FE80D738 MOV R3, #SCR_NS OR SCR_FIQ OR SCR_AW ; 0b100101
LOAD:FE80D73C MCR p15, 0, R3,c1,c1, 0 ; write SCR : switch to Non-Secure state
LOAD:FE80D740 ISB SY
LOAD:FE80D744 MOV R3, #0 ; clear R3 to avoid leak
LOAD:FE80D748 MOVS PC, LR ; restore Non-Secure PC & CPSR from LR_mon & SPSR_mon
These instructions switch the processor to Non-Secure state and restore PC and CPSR, performing an exception return.
So SMC calls associated with these specific service/command IDs are a kind of "Monitor call", entirely handled in Monitor mode.
If the R0 value matches none of these IDs, execution continues in Monitor mode.
IV.3.A.c TrustZone lock
If the call has not been handled yet, Monitor code tries to acquire a lock to ensure that only one core at a time enters in TrustZone.
First, current CPU id is retrieved from MPIDR. Then, this value is incremented (because 0 means not locked) and used as lock value.
LOAD:FE80D0E0 LDR R1, =tz_lock
LOAD:FE80D0E4 MRC p15, 0, R2,c0,c0, 5 ; read MPIDR register
LOAD:FE80D0E8 AND R2, R2, #0xFF ; extract Aff0 from MPIDR
LOAD:FE80D0EC ADD R2, R2, #1
LOAD:FE80D0F0
LOAD:FE80D0F0 loc_FE80D0F0 ; CODE XREF: smc_handler+D8j
LOAD:FE80D0F0 LDREX R0, [R1] ; read current tz_lock value
LOAD:FE80D0F4 CMP R0, #0 ; test if TrustZone is locked
LOAD:FE80D0F8 STREXEQ R0, R2, [R1] ; if not locked, try to lock TrustZone
LOAD:FE80D0FC CMPEQ R0, #0 ; test if TrustZone is now locked
LOAD:FE80D100 BNE loc_FE80D0F0 ; retry if TrustZone is still not locked
LOAD:FE80D104 DMB SY ; Data Memory Barrier acts as a memory barrier
Then, it tries to acquire the TrustZone lock. This implementation is very similar to the example provided in ARM Ref. (D7.3.1 Acquiring a lock).
It relies on synchronization primitives (LDREX/STREX) to support exclusive accesses to memory shared between cores.
Once the lock is acquired, the current core is the only one running in TrustZone, and the execution can continue.
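As an added illustration (not the firmware's code), the same lock protocol written with C11 atomics: the compare-and-swap plays the role of the LDREX/STREXEQ pair, the acquire fence plays the role of the DMB SY, and the lock value is Aff0 + 1 as in the handler. The release sequence is not shown on the page and is assumed here.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

/* tz_lock: 0 means "not locked", otherwise (Aff0 of the owning core) + 1. */
static atomic_uint tz_lock = 0;

/* Lock value derived from MPIDR exactly like the handler: keep Aff0, add 1 so it is never 0. */
uint32_t tz_lock_value(uint32_t mpidr)
{
    return (mpidr & 0xFFu) + 1;
}

/* One LDREX / CMP / STREXEQ round: succeeds only if the lock currently reads 0. */
bool tz_try_lock(uint32_t mpidr)
{
    unsigned expected = 0;
    if (!atomic_compare_exchange_strong_explicit(&tz_lock, &expected, tz_lock_value(mpidr),
                                                 memory_order_relaxed, memory_order_relaxed))
        return false;                              /* another core holds it, or STREX failed */
    atomic_thread_fence(memory_order_acquire);     /* the DMB SY after the loop */
    return true;
}

/* The BNE loc_FE80D0F0 retry loop: spin until this core owns TrustZone. */
void tz_lock_acquire(uint32_t mpidr)
{
    while (!tz_try_lock(mpidr))
        ;
}

/* Assumed release (not on the page): order prior accesses, then write 0 back. */
void tz_lock_release(void)
{
    atomic_thread_fence(memory_order_release);
    atomic_store_explicit(&tz_lock, 0, memory_order_relaxed);
}

/* Aff0 of the core holding the lock, or -1 when TrustZone is not locked. */
int tz_lock_owner(void)
{
    unsigned v = atomic_load_explicit(&tz_lock, memory_order_relaxed);
    return v == 0 ? -1 : (int)v - 1;
}
```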
IV.3.A.d Pre-exception status
LR_mon and SPSR_mon are both banked registers. Their values are generated by the exception entry. LR_mon contains the return address in Non-Secure world (right after the SMC instruction). The purpose of SPSR_mon is to record the pre-exception value of the CPSR.
LOAD:FE80D108 LDR R0, =NS_core_status ; secure area to store Non-Secure (NS) status
LOAD:FE80D10C MOV R1, LR ; read NS return address (LR_mon)
LOAD:FE80D110 MRS R2, SPSR ; read NS CPSR (SPSR_mon)
LOAD:FE80D114 STMIA R0, {R1,R2} ; write LR_mon & SPSR_mon
These two registers are saved in Secure memory to be restored later on exception return.
IV.3.A.e IRQ interruption flag
Then a DWORD at a static address is unconditionally cleared:
LOAD:FE80D118 LDR R1, =tz_irq_interrupted
LOAD:FE80D11C MOV R0, #0
LOAD:FE80D120 STR R0, [R1] ; clear tz_irq_interrupted value
By looking at cross-references, we notice that this DWORD is set to 1 in the IRQ handler of Monitor mode. In both handlers (SMC and IRQ), when an exception returns to the Non-Secure world, the returned value (in R0) is set to 1 if this DWORD is non-zero.
Furthermore, we can have a look at how SCM interprets the value returned by an SMC call:
#define SCM_INTERRUPTED 1

do {
    asm volatile(
        __asmeq("%0", "r0")
        __asmeq("%1", "r0")
        __asmeq("%2", "r1")
        __asmeq("%3", "r2")
#ifdef REQUIRES_SEC
        ".arch_extension sec\n"
#endif
        "smc #0 @ switch to secure world\n"
        : "=r" (r0)
        : "r" (r0), "r" (r1), "r" (r2)
        : "r3");
} while (r0 == SCM_INTERRUPTED);
SCM reissues each SMC call as long as the returned value is 1.
We can deduce that this DWORD indicates whether the exception return is due to an IRQ interrupt. The TrustZone Whitepaper (3.3.3 Secure interrupts) says ARM recommends using IRQ as the Normal world interrupt source. That's why IRQ interrupts are handled in the Normal world.
IV.3.A.f Configure Secure world MMU
Next block of instructions modifies the translation table of Secure MMU (ARM Ref. B3.1 About the VMSA) if two conditions are met:

Wouldn't it be easier to provide the link?
http://www.fredericb.info/2014/12/analysis-of-nexus-5-monitor-mode.html


Performance for MT4G and EVO4G can be gained from a patch.

Hi,
I made this post in the EVO 4G Android Development forum but it's also relevant here. As this information may result in crosstalk between MT4G ROM implementations and EVO 4G implementations, I posted it here as well. I hope that's ok.
I am the author of psx4droid. It's a PSX emulator that uses a dynarec. Due to the nature of this code I can have to invalidate the instruction cache on these Android's ARM processors. Just like Yong must do in GameBoid.
I noticed performance loss on the Evo 4G, MyTouch 4G and potentially others. As do some people running GameBoid (though this emulator lays heavy on frame limiting as it runs faster than 60 FPS so it's not noticed as much).
Both these archs (ARCH_QSD8X50 for the Evo 4G and ARCH_MSM7X30 for the MyTouch 4G) have an oddity when it comes to flushing the "icache".
As seen in these platforms' kernel sources at ./arch/arm/mm/cache-v7.S, the *ENTIRE* icache is flushed on each cacheflush syscall!
The fix for my performance loss, and others', is to only clear the range specified for userland cacheflushes. While this may not help much besides apps that use cacheflush a lot like emulators, it will help these apps greatly.
My hope is someone can release ROM(s) for the Evo 4G and/or the MyTouch 4G with this fixed. Thanks!
Here's the offending code. Note "mcr p15, 0, r0, c7, c5, 0" clears the entire icache as well as others.
ENTRY(v7_coherent_user_range)
UNWIND(.fnstart )
dcache_line_size r2, r3
sub r3, r2, #1
bic r0, r0, r3
1:
USER( mcr p15, 0, r0, c7, c11, 1 )
add r0, r0, r2
2:
cmp r0, r1
blo 1b
dsb
mov r0, #0
mcr p15, 0, r0, c7, c5, 0
dsb
isb
mov pc, lr
9001:
mov r0, r0, lsr #12
mov r0, r0, lsl #12
add r0, r0, #4096
b 2b
UNWIND(.fnend )
ENDPROC(v7_coherent_kern_range)
ENDPROC(v7_coherent_user_range)
Here's a faster version of this function from the Samsung Fascinate (Galaxy S) that clears a range as it's supposed to:
ENTRY(v7_coherent_user_range)
dcache_line_size r2, r3
sub r3, r2, #1
bic r0, r0, r3
1: mcr p15, 0, r0, c7, c11, 1
dsb
mcr p15, 0, r0, c7, c5, 1
add r0, r0, r2
cmp r0, r1
blo 1b
mov r0, #0
mcr p15, 0, r0, c7, c5, 6
dsb
isb
mov pc, lr
ENDPROC(v7_coherent_kern_range)
ENDPROC(v7_coherent_user_range)
zodttd said:
Hi,
I made this post in the EVO 4G Android Development forum but it's also relevant here. As this information may result in crosstalk between MT4G ROM implementations and EVO 4G implementations, I posted it here as well. I hope that's ok.
I am the author of psx4droid. It's a PSX emulator that uses a dynarec. Due to the nature of this code I can have to invalidate the instruction cache on these Android's ARM processors. Just like Yong must do in GameBoid.
I noticed performance loss on the Evo 4G, MyTouch 4G and potentially others. As do some people running GameBoid (though this emulator lays heavy on frame limiting as it runs faster than 60 FPS so it's not noticed as much).
Both these archs (ARCH_QSD8X50 for the Evo 4G and ARCH_MSM7X30 for the MyTouch 4G) have an oddity when it comes to flushing the "icache".
As seen in these platforms' kernel sources at ./arch/arm/mm/cache-v7.S, the *ENTIRE* icache is flushed on each cacheflush syscall!
The fix for my performance loss, and others', is to only clear the range specified for userland cacheflushes. While this may not help much besides apps that use cacheflush a lot like emulators, it will help these apps greatly.
My hope is someone can release ROM(s) for the Evo 4G and/or the MyTouch 4G with this fixed. Thanks!
Here's the offending code. Note "mcr p15, 0, r0, c7, c5, 0" clears the entire icache as well as others.
ENTRY(v7_coherent_user_range)
UNWIND(.fnstart )
dcache_line_size r2, r3
sub r3, r2, #1
bic r0, r0, r3
1:
USER( mcr p15, 0, r0, c7, c11, 1 )
add r0, r0, r2
2:
cmp r0, r1
blo 1b
dsb
mov r0, #0
mcr p15, 0, r0, c7, c5, 0
dsb
isb
mov pc, lr
9001:
mov r0, r0, lsr #12
mov r0, r0, lsl #12
add r0, r0, #4096
b 2b
UNWIND(.fnend )
ENDPROC(v7_coherent_kern_range)
ENDPROC(v7_coherent_user_range)
Here's a faster version of this function from the Samsung Fascinate (Galaxy S) that clears a range as it's supposed to:
ENTRY(v7_coherent_user_range)
dcache_line_size r2, r3
sub r3, r2, #1
bic r0, r0, r3
1: mcr p15, 0, r0, c7, c11, 1
dsb
mcr p15, 0, r0, c7, c5, 1
add r0, r0, r2
cmp r0, r1
blo 1b
mov r0, #0
mcr p15, 0, r0, c7, c5, 6
dsb
isb
mov pc, lr
ENDPROC(v7_coherent_kern_range)
ENDPROC(v7_coherent_user_range)
Can you give a diff on this?
So, what exactly do we do? lol, I use psx4droid a lot and yeah it does lag more than it should.
Do we do this through terminal or what?
stratax said:
So, what exactly do we do? lol, I use psx4droid a lot and yeah it does lag more than it should.
Do we do this through terminal or what?
It's to be added to the code of the kernel itself.
As stated:
As seen in these platforms' kernel sources at ./arch/arm/mm/cache-v7.S, the *ENTIRE* icache is flushed on each cacheflush syscall!
edru said:
It's to be added to the code of the kernel itself.
As stated:
As seen in these platforms' kernel sources at ./arch/arm/mm/cache-v7.S, the *ENTIRE* icache is flushed on each cacheflush syscall!
I have no clue how to do that, so I guess I'll skip this until there is an easier way lol.
Maybe grankin can include this in one of his custom kernels?
Zoltair Wright said:
Maybe grankin can include this in one of his custom kernels?
I agree with this aha
I'm probably wrong, so correct me if I am, but isn't the MT4G QSD8x50, not MSM7x50... isn't that the G2?
5377brian said:
I'm probably wrong, so correct me if I am, but isn't the MT4G QSD8x50, not MSM7x50... isn't that the G2?
MT4G has neither of those, it had the MSM8250.
I'm just happy zodttd is still willing to work on android phones after how bad Google f*$#&'d him over on his launch of psx4droid on the market
Thanks zodttd.

[Q] Changing the system font

Any way the system font could be changed? And I don't mean those 3 offered, but if we could import our own ones...?
I suspect it would be easy if someone found those 3 fonts with that explorer app and just replaced them ^^
I had found the files using stunes, but no use, just replacing doesn't work.... We need an app or something, maybe root access to do such stuff.... By the way, Samsung has a very bad taste in fonts....
What is the file?
I had found the files using stunes
Please. Where?
Folder and filenames please.
Then we can investigate...
Best Regards
I played a little bit with the Chinese firmware...
They have 2 fonts... see screenshot.
My T-Mobile branding has 3...
I will try to identify the storage for the Chinese fonts... maybe this could help us.
Best Regards
Edit 1.
Found 2,5 MB DCHM_Unicode_LittleEndian.dic
SystemFS\User\DioHwr
Maybe this is only from Dictionary... not System Font.
SystemFS\User\Fonts again empty
Code:
.text:00202A4A MOVS R0, #7
.text:00202A4C BLX EcomResolveSymb
.text:00202A50 MOV R2, R0
.text:00202A52 ADR R1, aSamsungFont ; "Samsung font"
.text:00202A54 MOV.W R0, #0x120
.text:00202A58 BLX R2
.text:00202A5A MOVS R2, #5
.text:00202A5C MOV R3, R5
.text:00202A5E ADR.W R1, aNvsetstring ; "NvSetString"
.text:00202A62 MOVS R0, #7
.text:00202A64 BLX EcomResolveSymb
.text:00202A68 MOV R2, R0
.text:00202A6A ADR R1, aCoolJazz ; "Cool jazz"
.text:00202A6C MOVW R0, #0x121
.text:00202A70 BLX R2
.text:00202A72 MOVS R2, #5
.text:00202A74 MOV R3, R5
.text:00202A76 ADR.W R1, aNvsetstring ; "NvSetString"
.text:00202A7A MOVS R0, #7
.text:00202A7C BLX EcomResolveSymb
.text:00202A80 MOV R2, R0
.text:00202A82 ADR R1, aRosemary ; "Rosemary"
.text:00202A84 MOV.W R0, #0x122
.text:00202A88 BLX R2
.text:00202A8A MOVS R2, #5
.text:00202A8C MOV R3, R5
.text:00202A8E ADR.W R1, aNvsetstring ; "NvSetString"
Samsung native fonts are embedded...
b.kubica said:
Code:
.text:00202A4A MOVS R0, #7
.text:00202A4C BLX EcomResolveSymb
.text:00202A50 MOV R2, R0
.text:00202A52 ADR R1, aSamsungFont ; "Samsung font"
.text:00202A54 MOV.W R0, #0x120
.text:00202A58 BLX R2
.text:00202A5A MOVS R2, #5
.text:00202A5C MOV R3, R5
.text:00202A5E ADR.W R1, aNvsetstring ; "NvSetString"
.text:00202A62 MOVS R0, #7
.text:00202A64 BLX EcomResolveSymb
.text:00202A68 MOV R2, R0
.text:00202A6A ADR R1, aCoolJazz ; "Cool jazz"
.text:00202A6C MOVW R0, #0x121
.text:00202A70 BLX R2
.text:00202A72 MOVS R2, #5
.text:00202A74 MOV R3, R5
.text:00202A76 ADR.W R1, aNvsetstring ; "NvSetString"
.text:00202A7A MOVS R0, #7
.text:00202A7C BLX EcomResolveSymb
.text:00202A80 MOV R2, R0
.text:00202A82 ADR R1, aRosemary ; "Rosemary"
.text:00202A84 MOV.W R0, #0x122
.text:00202A88 BLX R2
.text:00202A8A MOVS R2, #5
.text:00202A8C MOV R3, R5
.text:00202A8E ADR.W R1, aNvsetstring ; "NvSetString"
Samsung native fonts are embedded...
how weird..... -.-
b.kubica said:
Code:
.text:00202A7A MOVS R0, #7
.text:00202A7C BLX EcomResolveSymb
.text:00202A80 MOV R2, R0
.text:00202A82 ADR R1, aRosemary ; "Rosemary"
.text:00202A84 MOV.W R0, #0x122
.text:00202A88 BLX R2
.text:00202A8A MOVS R2, #5
.text:00202A8C MOV R3, R5
.text:00202A8E ADR.W R1, aNvsetstring ; "NvSetString"
Samsung native fonts are embedded...
Hmmm... So you were able to disassemble... Which part of the OS is this? Is it in the FFS?
@adfree, do you remember that Asian firmware? Comparing it to the European one, there is some nice info we should gather.
@ b.kubica
S8500ZCJF7
Few interesting *.exe Apps. And funny MP4 Video.
Media\Videos\Helicopter.mp4
16 MB looks nice.
I will check the Arabic firmware soon. Maybe some additional fonts can be found more easily there...
@ anghelyi
/ShpGWES/GWES/Core/Crayon/Graphics/Fonts/UTF/unitype.c
/System/Font
...
Search "font" in decrypted apps_compressed.bin. Examples can be found here for investigation:
http://forum.xda-developers.com/showthread.php?t=895526
Forgotten... Monotype Fonts? Maybe?
Best Regards
It seems Chinese fonts are also hardcoded... no additional fonts needed.
As I saw Chinese in my main menu during my changes in the European T-Mobile firmware...
Also nothing additional found in the Arabic one...
But maybe I'm blind again.
Best Regards
yoonfont.co.kr
Found this Link in older firmware... *.RC1
T y p e f a c e ( ) YCopyright ñ 2010 Samsung Electronics Co., Ltd. TypefacFONTRIX. All RReserv Hanjac)oundercsul989- Yoon Design Inc
Search for string Font...
http://www.youtube.com/watch?v=a2MaIGt4WZo&feature=player_embedded
Maybe more luck with bada 2.0...
Font size...
As for now True Type Fonts *.ttf are stored into *.RC1...
http://forum.xda-developers.com/showthread.php?t=928178
Best Regards
User/Br/CustomFont/
Found this String in ShpApp.app... DLL00111104.DLL
Tried few things, but no success.
Hmmm. I thought this is only the Browser Dolfin...
Best Regards
Hey cool, my own Thread.
Any progress with bada 2.0 Firmware?
Has someone tried it successfully?
Best Regards
Well... the latest beta is able to change the whole OS font,
but still the encoding part is not working.
I put in an Arabic font to see if it would read Arabic and it didn't,
so it is not a fonts issue now.
Best Regards
It is right, system fonts are in RC1 and it means we can't change them now, but later, if we can edit and save RC1, everything is possible.
@mylove90
Hi my friend, if you want to read Arabic in bada 2 you have to add your Arabic font to the phone. It will make your phone able to read Arabic only in applications that you installed on the phone. I can read Persian with UCWeb and also any other apps.
good luck
I also saw that with bada 2.0 we can add new fonts via a special part of Samsung Apps, like voice recognition. However, I can't see any options in the Font segment so far (in the betas).
Please, can someone confirm working of Original Fonts in bada 2.0?
Is it possible to add 1 of these old Fonts:
Code:
Rosemary.ttf
Global_Secondary.ttf
Cool jazz.ttf
Someone told about Reboot... but he tried OTHER Windows Fonts...
I have no SIM... can't try it myself.
I can't choose without SIM, see screenshots.
Thanx in advance.
Best Regards
adfree said:
Please, can someone confirm working of Original Fonts in bada 2.0?
Is it possible to add 1 of these old Fonts:
Code:
Rosemary.ttf
Global_Secondary.ttf
Cool jazz.ttf
Someone told about Reboot... but he tried OTHER Windows Fonts...
I have no SIM... can't try it myself.
I can't choose without SIM, see screenshots.
Thanx in advance.
Best Regards
Yes, it's possible. I tried Windows fonts and also bada 1.2 fonts; both of them work, but some fonts take effect just in applications.

Serial cable instead of USB? UART...

As I'm new to Samsung handsets...
Someone tried to play with serial cable and Qualcomm Tools like Memory Debug for instance?
Download Mode does not allow USB Diag for Qualcomm... only the Samsung Modem is still alive in Download Mode. So the question is: with a serial cable, is there maybe a chance to dump something, as you can port to UART...
Best Regards
delete.......
I use a usb->serial-ttl 3.3V converter with a 528K resistor on pins 4-5 for outputting diag messages. And you need a JIG with a 301K resistor for entering download mode.
http://forum.xda-developers.com/showpost.php?p=12689198&postcount=181
Thanx for this info, but too difficult for me to understand.
Please help to make such a cable for research... or maybe there are existing cables to buy?
I need something like this:
http://www.badanation.de/topic.php?t=1616&page=fst_unread&highlight=widerstand
Such Pictures would be nice:
http://h-3.abload.de/img/p1000660eei7.jpg
I need FULL Pinout please for S8500.
Thanx in advance.
Best Regards
You mean a cable/plug to enter download mode? You can buy it. For example in Poland I can buy this for 12 zlotys = 3 euro + delivery costs.
I found that for the Galaxy S, but it is possible this is the same:
forum.xda-developers.com/showthread.php?t=819551
I "need" alternate cable for communication between PC and S8500.
Also FULL Pinout is welcome.
Best Regards
http://forum.xda-developers.com/showthread.php?t=820275
Here seems few infos... maybe also work for S8500.
Best Regards
After I saw the successful log from srg.mstr.
Thank you very much.
http://forum.xda-developers.com/showpost.php?p=13426392&postcount=183
Less than 1 Euro for the male connector:
http://www.conrad.de/ce/de/product/733923/MICRO-USB-STECKER-TYP-B-5POL/SHOP_AREA_40306
So I will buy few Connectors...
Now I will make checklist for other parts and prices. As I have no cables at home to cut...
Best Regards
TX<-->2
RX<-->3
GND<-->5
resistor between 4<-->5
http://forum.xda-developers.com/showpost.php?p=13293404&postcount=174
Will try to make such cable this year... in 2013 really.
Checklist...
http://www.conrad.de/ce/de/product/...Kabelmontage-ohne-Gehaeuse-BKL-Electronic-Inh
...
Best Regards
Will try to make such cable this year...
Uupsi, only 2 months left... but I have found other way for Bootlog...
via JTAG RAM dump... something above 0x40000000...
Looks like this:
http://forum.xda-developers.com/showpost.php?p=47037737&postcount=34
Best Regards
2013 soon over... but Mission UART is not over...
New attempt... for 2014...
It seems now "cheap" USB stuff available... based on PL2303... symbolic Photo attached...
According to this Pic...
http://forum.xda-developers.com/showpost.php?p=13426392&postcount=183
Another idea is to solder directly to RX, TX and GND on the PCB... instead of the resistor...
Maybe...
Best Regards
Short tested with 3 wires soldered direct to RX TX and Ground under battery/label...
Hmm... first test failed with WinComm... maybe my settings are wrong, will try another tool for logging...
Best Regards
Btw...
Never seen an S5250 or S8600 user trying to capture data over UART...
:silly:
Code:
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] FSR_PAM_InitNANDController Success!!
[PAM: ] --FSR_PAM_Init
[BM : ] FSR_BML_GetFullPartI() is completed
[BM : ] stPartI.nNumOfPartEntry : 7
[BM : ] 1th PartEntrt(nAttr:0x1002)(nID:0x0)
[BM : ] [1th] pPEntry->n1stVun : 1
[BM : ] [1th] pPEntry->nNumOfUnits : 7
[BM : ] [1th] pPEntry->nLoadAddr : 0x0
+-------------------------------+
| Bootloader Shadowing FINISHED |
+-------------------------------+
Launch Image at 0x42480000
[BOOT_V1.0 (May 28 2010, 21:22:23)]
SelectBootingMode: H/W...0xe.
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,DSYSPCLK: 83375 KHz,PSYSHCLK: 133400 KHz, PSYSPCLK: 66700 KHz,SYSCON_A2M: 200000 KHz
+++FIMD_Drv_INITIALIZE
FIMD_Drv_ChangeMode: MDNIE_MODE
Frame Rate:62 SCLK_FIMD:133400 kHz ClkDiv:4
S6E63M0 : LDI_Pentile_Set_Change Pentile_Value =6c
---FIMD_Drv_INITIALIZE
---FIMD_Drv_SetWinOnOff(WIN4:1)
LCD initialize Finished
Flash_Unlock failed
Poweron status - c0
FSA9480 0x03 Register = 0
FSA9480 0x0A Register = 0
FSA9480 0x0B Register = 0
FSA9480 0x07 Register = 1f
Used WinComm as Tool...
Stupid me, I did not realize that TX connects to RX and RX to TX... :cyclops:
Best Regards
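Two UART captures of the S8500 bootloader stage appear in this thread (a May 2010 BOOT_V1.0 build and a Jan 2012 build, with different Launch Image addresses, power-on status and FSA9480 register values). Once you have a working cable, the useful next step is to turn such captures into comparable fields and diff them between firmware versions or between a known-good and a suspect device. The following is an added example, not code from any post in this thread: the regular expressions and field names are my own assumptions derived from the pasted line shapes (not a documented Samsung format), and the two sample logs are constructed excerpts of the output posted here.

```python
"""Parse Samsung S8500 UART bootloader output into key/value fields and diff two captures.

Added example for this thread, not code from any post here. The line patterns and
field names are assumptions derived from the pasted logs, not a documented format.
"""
import re
from typing import Callable, Dict, List, Tuple


def _num(s: str) -> int:
    """Parse a decimal or 0x-prefixed hex number as printed by the bootloader."""
    return int(s, 16) if s.lower().startswith("0x") else int(s)


# (regex, extractor) pairs for the one-value-per-line shapes seen in the captures.
_PATTERNS: List[Tuple[re.Pattern, Callable[[re.Match], Dict[str, object]]]] = [
    # "FSA9480 0x07 Register = 1f" -> fsa9480_reg_0x07 = 0x1f (USB switch IC registers)
    (re.compile(r"^FSA9480 (0x[0-9A-Fa-f]+) Register = ([0-9A-Fa-f]+)$"),
     lambda m: {f"fsa9480_reg_{m.group(1).lower()}": int(m.group(2), 16)}),
    # "Launch Image at 0x42480000" -> address the next stage is jumped to
    (re.compile(r"^Launch Image at (0x[0-9A-Fa-f]+)$"),
     lambda m: {"launch_image": int(m.group(1), 16)}),
    # "[BOOT_V1.0 (May 28 2010, 21:22:23)]" -> bootloader version and build stamp
    (re.compile(r"^\[BOOT_(\S+) \((.+)\)\]$"),
     lambda m: {"boot_version": m.group(1), "boot_build": m.group(2)}),
    # "Poweron status - c0" -> hex status byte
    (re.compile(r"^Poweron status - ([0-9A-Fa-f]+)$"),
     lambda m: {"poweron_status": int(m.group(1), 16)}),
    # "[BM : ] [1th] pPEntry->nLoadAddr : 0x0" -> flash partition entry fields
    (re.compile(r"^\[BM : \] \[(\d+)th\] pPEntry->(\w+) : (\S+)$"),
     lambda m: {f"part{m.group(1)}_{m.group(2)}": _num(m.group(3))}),
    # "[PAM: ] OneNAND physical base address : 0xb0000000"
    (re.compile(r"^\[PAM: \] OneNAND (physical|virtual) base address : (0x[0-9A-Fa-f]+)$"),
     lambda m: {f"onenand_{m.group(1)}_base": int(m.group(2), 16)}),
]

# "ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,..." (the colon after the name is optional)
_CLOCK_RE = re.compile(r"(\w+):?\s*(\d+) KHz")


def parse_boot_log(text: str) -> Dict[str, object]:
    """Return a flat dict of the fields recognised in one bootloader capture.

    Lines ending in 'failed' are collected under 'failures' so that a changed
    failure set between two captures shows up in the diff.
    """
    fields: Dict[str, object] = {}
    failures: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[BOOT] "):           # clock summary line, many values
            for name, khz in _CLOCK_RE.findall(line):
                fields[f"clk_{name.lower()}_khz"] = int(khz)
            continue
        if line.endswith("failed"):
            failures.append(line)
            continue
        for pattern, extract in _PATTERNS:
            m = pattern.match(line)
            if m:
                fields.update(extract(m))
                break
    fields["failures"] = failures
    return fields


def diff_boot_logs(a: Dict[str, object], b: Dict[str, object]) -> Dict[str, Tuple[object, object]]:
    """Fields whose value differs between two parsed captures (None = absent on that side)."""
    return {key: (a.get(key), b.get(key))
            for key in sorted(set(a) | set(b)) if a.get(key) != b.get(key)}


# Constructed excerpts of the two captures posted in this thread.
SAMPLE_LOG_2010 = """\
[PAM: ] OneNAND physical base address : 0xb0000000
[BM : ] [1th] pPEntry->nNumOfUnits : 7
[BM : ] [1th] pPEntry->nLoadAddr : 0x0
Launch Image at 0x42480000
[BOOT_V1.0 (May 28 2010, 21:22:23)]
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,SYSCON_A2M: 200000 KHz
Flash_Unlock failed
Poweron status - c0
FSA9480 0x0A Register = 0
FSA9480 0x07 Register = 1f
"""
SAMPLE_LOG_2012 = """\
[PAM: ] OneNAND physical base address : 0xb0000000
Launch Image at 0x42080000
[BOOT_V1.0 (Jan 5 2012, 19:08:14)]
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,SYSCON_A2M: 200000 KHz
Flash_Unlock failed
Poweron status - 0
FSA9480 0x0A Register = 4
FSA9480 0x07 Register = 1f
"""

if __name__ == "__main__":
    for key, (old, new) in diff_boot_logs(parse_boot_log(SAMPLE_LOG_2010),
                                          parse_boot_log(SAMPLE_LOG_2012)).items():
        print(f"{key}: {old!r} -> {new!r}")
```

Fields that are identical in both captures (the clock tree, the unchanged FSA9480 registers, the Flash_Unlock failure) drop out of the diff, so what is left is exactly the list worth reading: the moved Launch Image address, the build stamp, the power-on status byte and the partition entries only one of the two bootloaders printed.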
Code:
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] FSR_PAM_InitNANDController Success!!
[PAM: ] --FSR_PAM_Init
bl3_info_block 1 and 2 not found, Load BL3
+-------------------------------+
| Bootloader Shadowing FINISHED |
+-------------------------------+
Launch Image at 0x42080000
[BOOT_V1.0 (Jan 5 2012, 19:08:14)]
SelectBootingMode: H/W...0xe.
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,DSYSPCLK: 83375 KHz,PSYSHCLK: 133400 KHz, PSYSPCLK: 66700 KHz,SYSCON_A2M: 200000 KHz
+++FIMD_Drv_INITIALIZE
FIMD_Drv_ChangeMode: MDNIE_MODE
Frame Rate:62 SCLK_FIMD:133400 kHz ClkDiv:4
S6E63M0 : LDI_Pentile_Set_Change Pentile_Value =6c
---FIMD_Drv_INITIALIZE
---FIMD_Drv_SetWinOnOff(WIN4:1)
LCD initialize Finished
Flash_Unlock failed
Poweron status - 0
FSA9480 0x03 Register = 0
FSA9480 0x0A Register = 4
FSA9480 0x0B Register = 0
FSA9480 0x07 Register = 1f
Display_LSI_Boot : disp_Main_Clean
Display_LSI_Boot : disp_Main_Clean_All
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_dimming_backlight
LDI_S6E63M0_Set_Brightness is Return (Level: 1)
Display_LSI_Boot : disp_dimming_backlight
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
+SDHC_Open(Ch0)
univ_SD_MEM_PowerOnDevice() : Power On
univ_SD_MEM_PowerOnDevice(ch0) : MASSMEMORY_EN Power On
[SDHC] MPLL source clock from SYSCON : 667000000Hz
[SDHC] SDHC(ch0) source clock from SYSCON : 47642000Hz
[SDHC] SDHC(ch0) Operating Clock : 372203Hz
[SDHC][MMC]byte mode
SD_MEM_Phy_CMD2(ch0) : CID(127~0) : 0x150100, 0x4d324731, 0x44441655, 0x3c7886d
SD_MEM_Phy_Check_moviNAND_Version(ch0) : PRV - 0x16
MMC_Spec = 4
----------------CSD Version 1.0--------in low level-------------
channel: [0]
One Block Size: [512]Byte
Total card Block Count = [4014080]
Total card Capacity Size = [1960]MB
---------------------------------------------------
SD_HostCtrl_IssueCommand[ch0] not SDclk off, cmd13, SD_CLK_CTRL:0x400f
SD_MEM_Phy_TransferState(ch0) :High: Tx : SD_FeedBackClock_BasicDelay
SD_MEM_Phy_TransferState(ch0) :High: Rx : SD_FeedBackClock_InverterDelay
[SDHC] MPLL source clock from SYSCON : 667000000Hz
[SDHC] SDHC(ch0) source clock from SYSCON : 47642000Hz
[SDHC] SDHC(ch0) Operating Clock : 47642000Hz
SD_HostCtrl_IssueCommand[ch0] not SDclk off, cmd13, SD_CLK_CTRL:0xf
SD_HostCtrl_IssueCommand[ch0] not SDclk off, cmd13, SD_CLK_CTRL:0xf
-SDHC_Open(Ch0)
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
DRV_modem_reset!!!!!!!!!!!!!!!!!
DRV_Send_DBL!!!!!!!!!!!!!!!!!
[DLOAD] Download Completed !!!
DRV_Wait_ModemInit!!!!!!!!!!!!!!!!!
DRV_CopyQSCBootBinary!!!!!!!!!!!!!!!!!
DRV_Send_BootBinaryCopyComplete!!!!!!!!!!!!!!!!!
DRV_Modem_BootingStart retry count = 0.
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Uncompressing Linux... done, booting the kernel.
<6>Initializing cgroup subsys cpu
<5>Linux version 3.0.86-g5b25f8d ([email protected]) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #1 PREEMPT Tue Nov 5 22:35:53 CET 2013
CPU: ARMv7 Processor [412fc082] revision 2 (ARMv7), cr=10c53c7d
CPU: VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: wave
Memory policy: ECC disabled, Data cache writeback
CPU S5PV210/S5PC110 (id 0x43110222)
<7>s5pv210_init_clocks: initializing clocks
<6>S3C24XX Clocks, Copyright 2004 Simtec Electronics
<4>s3c24xx_register_clock: new clock sclk_csis, id -1, dev (null) uses same enable bit as mout_csis, id -1, dev (null)
<4>s3c24xx_register_clock: new clock lcd, id -1, dev (null) uses same enable bit as sclk_fimd, id -1, dev (null)
<4>s3c24xx_register_clock: new clock mfc, id -1, dev (null) uses same enable bit as sclk_mfc, id -1, dev (null)
<4>s3c24xx_register_clock: new clock iis, id 0, dev (null) uses same enable bit as i2s_v50, id 0, dev (null)
<7>s5pv210_setup_clocks: registering clocks
<7>s5pv210_setup_clocks: clkdiv0 = 14131330, clkdiv1 = 00400400
<7>s5pv210_setup_clocks: xtal is 24000000
<6>S5PV210: PLL settings, A=800000000, M=667000000, E=80000000 V=54000000<6>S5PV210: ARMCLK=800000000, HCLKM=200000000, HCLKD=166750000
HCLKP=133400000, PCLKM=100000000, PCLKD=83375000, PCLKP=66700000
<6>sclk_dmc: source is mout_mpll (1), rate is 166750000
<6>sclk_onenand: source is hclk_dsys (1), rate is 83375000
<6>sclk: source is mout_mpll (6), rate is 133400000
<6>sclk: source is mout_mpll (6), rate is 66700000
<6>sclk: source is mout_mpll (6), rate is 66700000
<6>sclk: source is mout_mpll (6), rate is 66700000
<6>sclk_mixer: source is sclk_dac (0), rate is 54000000
<6>sclk_fimc: source is ext_xtal (0), rate is 24000000
<6>sclk_fimc: source is ext_xtal (0), rate is 24000000
<6>sclk_fimc: source is ext_xtal (0), rate is 24000000
<6>sclk_cam: source is xusbxti (1), rate is 24000000
<6>sclk_cam: source is ext_xtal (0), rate is 24000000
<6>sclk_fimd: source is mout_mpll (6), rate is 133400000
<6>sclk_mmc: source is mout_mpll (6), rate is 51307692
<6>sclk_mmc: source is mout_mpll (6), rate is 47642857
<6>sclk_mmc: source is mout_mpll (6), rate is 47642857
<6>sclk_mmc: source is mout_mpll (6), rate is 47642857
<6>sclk_mfc: source is sclk_a2m (0), rate is 200000000
<6>sclk_fimg2d: source is sclk_a2m (0), rate is 200000000
<6>sclk: source is mout_mpll (1), rate is 66700000
<6>sclk_csis: source is ext_xtal (0), rate is 24000000
<6>sclk_spi: source is mout_epll (7), rate is 80000000
<6>sclk_spi: source is mout_epll (7), rate is 80000000
<6>sclk_pwi: source is ext_xtal (0), rate is 24000000
<6>sclk_pwm: source is ext_xtal (0), rate is 24000000
<6>sclk_mdnie: source is mout_mpll (6), rate is 166750000
<6>sclk_mdnie_pwm: source is ext_xtal (0), rate is 24000000
<6>s5p: 11534336 bytes system memory reserved for mfc at 0x24500000, 0-bank base(0x24500000)
<6>s5p: 11534336 bytes system memory reserved for mfc at 0x4f3f4000, 1-bank base(0x4f3f4000)
<6>s5p: 11534336 bytes system memory reserved for fimc0 at 0x4e8f4000, 1-bank base(0x4e8f4000)
<6>s5p: 11534336 bytes system memory reserved for fimc2 at 0x4ddf4000, 1-bank base(0x4ddf4000)
<6>s5p: 4194304 bytes system memory reserved for jpeg at 0x24500000, 0-bank base(0x24500000)
<6>s5p: 7680000 bytes system memory reserved for fimd at 0x4d6a1000, 1-bank base(0x4d6a1000)
<7>On node 0 totalpages: 72621
<7> Normal zone: 1534 pages used for memmap
<7> Normal zone: 0 pages reserved
<7> Normal zone: 71087 pages, LIFO batch:15
<7>pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
<7>pcpu-alloc: [0] 0
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 71087
<5>Kernel command line: init=/init loglevel=4
<6>PID hash table entries: 2048 (order: 1, 8192 bytes)
<6>Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
<6>Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
<6>Memory: 69MB 214MB 0MB = 283MB total
<5>Memory: 272496k/325052k available, 17988k reserved, 0K highmem
<5>Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
DMA : 0xff000000 - 0xffe00000 ( 14 MB)
vmalloc : 0xf0000000 - 0xfc000000 ( 192 MB)
lowmem : 0xc0000000 - 0xeff00000 ( 767 MB)
modules : 0xbf000000 - 0xc0000000 ( 16 MB)
.init : 0xc0008000 - 0xc0617000 (6204 kB)
.text : 0xc0617000 - 0xc0ce8000 (6980 kB)
.data : 0xc0ce8000 - 0xc0d34880 ( 307 kB)
.bss : 0xc0d348a4 - 0xc0e76ad8 (1289 kB)
<6>SLUB: Genslabs=11, HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
<6>Preemptible hierarchical RCU implementation.
<6>NR_IRQS:339
<6>VIC @fc000000: id 0x00041192, vendor 0x41
<6>VIC @fc010000: id 0x00041192, vendor 0x41
<6>VIC @fc020000: id 0x00041192, vendor 0x41
<6>VIC @fc030000: id 0x00041192, vendor 0x41
<6>mult[140737]
<6>max_delta_ns[2937815369]
<6>min_delta_ns[30517]
<6>rate[32768]
<6>HZ[256]
<6>Console: colour dummy device 80x30
<6>console [tty0] enabled
<6>Calibrating delay loop... <c>795.12 BogoMIPS (lpj=1554432)
<6>pid_max: default: 32768 minimum: 301
<6>Mount-cache hash table entries: 512
<6>Initializing cgroup subsys debug
<6>Initializing cgroup subsys cpuacct
<6>Initializing cgroup subsys freezer
<6>CPU: Testing write buffer coherency: ok
<6>hw perfevents: enabled with ARMv7 Cortex-A8 PMU driver, 5 counters available
<6>print_constraints: dummy:
<6>NET: Registered protocol family 16
<6>ram_console: got buffer at 4ff00400, size fec00
<6>ram_console: uncorrectable error in header
<6>ram_console: no valid data in buffer (sig = 0xfeffdfff)
<6>console [ram-1] enabled
<6>S5PC110 Hardware version : EVT1
<6>HWREV is 0xf
S3C Power Management, Copyright 2004 Simtec Electronics
<6>pmstats at 4ffff000
<3>invalid media device
<3>invalid media device
<6>hw-breakpoint: debug architecture 0x4 unsupported.
<6>S5PV210: Initializing architecture
<6>s3c24xx-pwm s3c24xx-pwm.0: tin at 66700000, tdiv at 66700000, tin=divclk, base 0
<6>s3c24xx-pwm s3c24xx-pwm.1: tin at 66700000, tdiv at 66700000, tin=divclk, base 8
<6>s3c24xx-pwm s3c24xx-pwm.2: tin at 66700000, tdiv at 66700000, tin=divclk, base 12
<6>s3c24xx-pwm s3c24xx-pwm.3: tin at 66700000, tdiv at 66700000, tin=divclk, base 16
<6>print_constraints: pd_audio_supply: 5000 mV normal
<6>print_constraints: pd_cam_supply: 5000 mV normal
<6>print_constraints: pd_tv_supply: 5000 mV normal
<6>print_constraints: pd_lcd_supply: 5000 mV normal
<6>print_constraints: pd_g3d_supply: 5000 mV normal
<6>print_constraints: pd_mfc_supply: 5000 mV normal
<6>bio: create slab <bio-0> at 0
<5>SCSI subsystem initialized
<6>usbcore: registered new interface driver usbfs
<6>usbcore: registered new interface driver hub
<6>usbcore: registered new device driver usb
<6>i2c-gpio i2c-gpio.4: using pins 247 (SDA) and 246 (SCL)
<6>i2c-gpio i2c-gpio.5: using pins 203 (SDA) and 204 (SCL)
<3>max8998 6-0066: No interrupt base specified, no interrupts
<3>i2:10, buck2_idx:0
<6>print_constraints: VALIVE_1.2V: 1200 mV
<6>print_constraints: VUSB_1.1V: 1100 mV
<6>print_constraints: VADC_3.3V: 3300 mV
<6>print_constraints: VTF_2.8V: 2800 mV
<6>print_constraints: VLCD_1.8V: 1800 mV
<6>print_constraints: VUSB_3.3V: 3300 mV
<6>print_constraints: VCC_2.8V_PDA: 2800 mV
<6>print_constraints: CAM_AF_2.8V: 2800 mV
<6>print_constraints: CAM_SENSOR_1.2V: 1200 mV
<6>print_constraints: CAM_SENSOR_A2.8V: 2800 mV
<6>print_constraints: CAM_ISP_1.8V: 1800 mV
<6>print_constraints: CAM_ISP_HOST_2.8V: 2800 mV
<6>print_constraints: VGA_DVDD_1.8V: 1800 mV
<6>print_constraints: VCC_3.0V_LCD: 2800 <--> 3200 mV at 3200 mV
<6>print_constraints: VDD_ARM: 750 <--> 1500 mV at 1200 mV
<6>print_constraints: VDD_INT: 750 <--> 1500 mV at 1100 mV
<6>print_constraints: VCC_1.8V: 1800 mV
<6>print_constraints: CAM_ISP_CORE_1.2V: 1200 mV
<6>print_constraints: USB_VBUS_AP:
<6>print_constraints: USB_VBUS_CP:
<6>i2c-gpio i2c-gpio.6: using pins 206 (SDA) and 209 (SCL)
<6>i2c-gpio i2c-gpio.7: using pins 201 (SDA) and 202 (SCL)
<6>i2c-gpio i2c-gpio.8: using pins 42 (SDA) and 43 (SCL)
<6>i2c-gpio i2c-gpio.11: using pins 114 (SDA) and 98 (SCL)
<6>i2c-gpio i2c-gpio.12: using pins 199 (SDA) and 200 (SCL)
<6>s3c-i2c s3c2440-i2c.0: i2c-0: S3C I2C adapter
<6>s3c-i2c s3c2440-i2c.1: i2c-1: S3C I2C adapter
<6>s3c-i2c s3c2440-i2c.2: i2c-2: S3C I2C adapter
<6>Advanced Linux Sound Architecture Driver Version 1.0.24.
<6>Bluetooth: Core ver 2.16
<6>NET: Registered protocol family 31
<6>Bluetooth: HCI device and connection manager initialized
<6>Bluetooth: HCI socket layer initialized
<6>Bluetooth: L2CAP socket layer initialized
<6>Bluetooth: SCO socket layer initialized
<6>Switching to clocksource clock_source_systimer
<6>cfg80211: Calling CRDA to update world regulatory domain
<6>Switched to NOHz mode on CPU #0
<6>NET: Registered protocol family 2
<6>IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
<6>TCP established hash table entries: 16384 (order: 5, 131072 bytes)
<6>TCP bind hash table entries: 16384 (order: 4, 65536 bytes)
<6>TCP: Hash tables configured (established 16384 bind 16384)
<6>TCP reno registered
<6>UDP hash table entries: 256 (order: 0, 4096 bytes)
<6>UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
<6>NET: Registered protocol family 1
<6>PMU: registered new PMU device of type 0
<4>clk_get: could not find clock emu_src_ck for dev s5pv210_etb_device+0x0/0x100 (etb)
<6>wake enabled for irq 165
<6>wake disabled for irq 165
<6>S5PV210 ADC driver, (c) 2010 Samsung Electronics
<6>Loaded driver for PL330 DMAC-0 s3c-pl330
<6> DBUFF-64x8bytes Num_Chans-8 Num_Peri-2 Num_Events-32
<6>Loaded driver for PL330 DMAC-1 s3c-pl330
<6> DBUFF-8x4bytes Num_Chans-8 Num_Peri-32 Num_Events-32
<6>Loaded driver for PL330 DMAC-2 s3c-pl330
<6> DBUFF-8x4bytes Num_Chans-8 Num_Peri-32 Num_Events-32
<6>ashmem: initialized
<6>ROMFS MTD (C) 2007 Red Hat, Inc.
<7>yaffs: yaffs built Nov 5 2013 22:34:00 Installing.
<6>msgmni has been set to 532
<6>io scheduler noop registered
<6>io scheduler deadline registered
<6>io scheduler row registered (default)
<6>io scheduler cfq registered
<6>io scheduler sio registered
MDNIE INIT ..........
<6>S3C MDNIE Driver, (c) 2010 Samsung Electronics
MDNIE INIT SUCCESS Addr : 0xf003c000
IELCD INIT ..........
<6>S3C IELCD Driver, (c) 2010 Samsung Electronics
IELCD INIT SUCCESS Addr : 0xf0040000
<6>s3cfb s3cfb: [fb2] dma: 0x4db06000, cpu: 0xf0400000, size: 0x002ee000
<6>FIMD src sclk = 166750000
<6>s3cfb s3cfb: pixclock adjusted from 39019 to 41979
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x84), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x90), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x94), data(0xfff)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x98), data(0x5c)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x9c), data(0x10)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0xac), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0xb4), data(0x3ff)
[mDNIe] mDNIe_Set_Mode: current_mDNIe_UI(6), current_mDNIe_OutDoor_OnOff(0)
<6>s3cfb_late_resume is called
<6>FIMD src sclk = 166750000
<6>s3cfb s3cfb: pixclock adjusted from 41979 to 41979
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x84), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x90), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x94), data(0xfff)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x98), data(0x5c)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x9c), data(0x10)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0xac), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0xb4), data(0x3ff)
[mDNIe] mDNIe_Set_Mode: current_mDNIe_UI(6), current_mDNIe_OutDoor_OnOff(0)
<3>panel_reset_lcd
<6>s3cfb_late_resume is complete
<6>s3cfb s3cfb: registered successfully
<6>s5pv210-uart.0: s3c2410_serial0 at MMIO 0xe2900000 (irq = 16) is a S3C6400/10
<6>s5pv210-uart.1: s3c2410_serial1 at MMIO 0xe2900400 (irq = 20) is a S3C6400/10
<6>s5pv210-uart.3: s3c2410_serial3 at MMIO 0xe2900c00 (irq = 28) is a S3C6400/10
PA FB = 0x4DB06000, bits per pixel = 32
screen width=480 height=800 va=0xedb06000 pa=0x4db06000
xres_virtual = 480, yres_virtual = 1600, xoffset = 0, yoffset = 0
fb_size=3072000
Back frameBuffer[0].VAddr=edc7d000 PAddr=4dc7d000 size=1536000
No space for NV12 video carveout
<6>brd: module loaded
<6>loop: module loaded
<6>Android kernel panic handler initialized (bind=kpanic)
<6>sec_jack_probe : Registering jack driver
<6>wake enabled for irq 38
<6>sec_jack_init_jack_state<6>sec_jack_set_micbias_state: HWREV=15, on=1
<6>handle_jack_not_inserted
<6>sec_jack_set_micbias_state: HWREV=15, on=0
<6>sec_jack_set_micbias_state: HWREV=15, on=0
<6>wake enabled for irq 167
<6>fsa9480 7-0025: dev1: 0x4, dev2: 0x0
<4>i2c-core: driver [fsa9480] using legacy suspend method
<4>i2c-core: driver [fsa9480] using legacy resume method
<6>modem_io_init done
<6>[MODEM] bp_irq() - PHONE_ACTIVE interrupt, 1 occurence
<6>wake enabled for irq 47
<6>wake enabled for irq 43
<6>modemctl probed
<6>Muxed OneNAND 512MB 1.8V 16-bit (0x50)
<6>OneNAND version = 0x013e
<7>Chip support all block unlock
<7>Chip has 4KiB pagesize
<7>Chip has cache program feature
<6>Scanning device for bad blocks
<7>onenand_bbt_wait: ecc 0xaaaa ctrl 0x0400 intr 0x8080 addr1 0x1dd addr8 0x0
<6>OneNAND eraseblock 477 is an initial bad block
<7>onenand_bbt_wait: ecc 0xaaaa ctrl 0x0400 intr 0x8080 addr1 0x6cf addr8 0x0
<6>OneNAND eraseblock 1743 is an initial bad block
<7>onenand_bbt_wait: ecc 0xaaaa ctrl 0x0400 intr 0x8080 addr1 0x73f addr8 0x0
<6>OneNAND eraseblock 1855 is an initial bad block
<6>OneNAND eraseblock 2047 is an initial bad block
<5>Creating 2 MTD partitions on "(null)":
<5>0x00001e700000-0x00001ec00000 : "nv_data"
<5>0x000003300000-0x000003600000 : "fota"
<6>tl2796: c0, b-6bea38dc, got v 2051000, factory wants 2051000
<6>tl2796: c1, b-7f519b2b, got v 2044000, factory wants 2044000
<6>tl2796: c2, b-ae797fc2, got v 1491000, factory wants 1491000
<6>tl2796_probe successfully probed
<6>PPP generic driver version 2.4.2
<6>PPP Deflate Compression module registered
<6>PPP BSD Compression module registered
<6>PPP MPPE Compression module registered
<6>NET: Registered protocol family 24
<6>tun: Universal TUN/TAP device driver, 1.6
<6>tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
<6>s3c-udc : S3C HS USB Device Controller Driver, (c) 2008-2009 Samsung Electronics
s3c-udc : version 15 March 2009 (DMA Mode)
<6>android_usb gadget: Mass Storage Function, version: 2009/09/11
<6>android_usb gadget: Number of LUNs=2
<6> lun0: LUN: removable file: (no medium)
<6> lun1: LUN: removable file: (no medium)
<6>android_usb gadget: android_usb ready
<7>Registered gadget driver 'android_usb'
<6>input: gpio-keys as /devices/platform/gpio-keys.0/input/input0
<6>input: s5pv210-keypad as /devices/platform/s5pv210-keypad/input/input1
<6>usbcore: registered new interface driver xpad
<6>usbcore: registered new interface driver usb_acecad
<6>acecad: v3.2:USB Acecad Flair tablet driver
<6>usbcore: registered new interface driver aiptek
<6>aiptek: v2.3 (May 2, 2007):Aiptek HyperPen USB Tablet Driver (Linux 2.6.x)
<6>aiptek: Bryan W. Headley/Chris Atenasio/Cedric Brun/Rene van Paassen
<6>usbcore: registered new interface driver gtco
GTCO usb driver version: 2.00.0006<6>usbcore: registered new interface driver hanwang
<6>usbcore: registered new interface driver kbtab
<6>kbtab: v0.0.2:USB KB Gear JamStudio Tablet driver
<6>usbcore: registered new interface driver wacom
<6>wacom: v1.52:USB Wacom tablet driver
<6>input: mxt224_ts_input as /devices/virtual/input/input2
<6>Atmel MXT224 2-004a: family = 0x80, variant = 0x1, version = 0x16, build = 171
<6>bma023 5-0038: bma023 found
<6>bma023 5-0038: al_version=2, ml_version=1
<6>input: accelerometer_sensor as /devices/virtual/input/input3
<3>gp2a: proximity val = 1
<6>input: proximity as /devices/virtual/input/input4
<6>input: orientation_sensor as /devices/virtual/input/input5
<6>max8998-rtc max8998-rtc: RTC CHIP NAME: max8998-rtc
S3C24XX RTC, (c) 2004,2006 Simtec Electronics
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>using rtc device, s3c, for alarms<6>s3c-rtc s3c2410-rtc: rtc core: registered s3c as rtc0
<6>i2c /dev entries driver
<6>lirc_dev: IR Remote Control driver registered, major 251
<6>IR NEC protocol handler initialized
<6>IR RC5(x) protocol handler initialized
<6>IR RC6 protocol handler initialized
<6>IR JVC protocol handler initialized
<6>IR Sony protocol handler initialized
<6>IR RC5 (streamzap) protocol handler initialized
<6>IR LIRC bridge handler initialized
<6>Linux video capture interface: v2.00
<6>mfc_init: <6>S5PC110 MFC Driver, (c) 2009 Samsung Electronics
<6>S3C JPEG Driver, (c) 2007 Samsung Electronics
<6>JPEG driver for S5PV210
<4>i2c-core: driver [s5p_ddc] using legacy suspend method
<4>i2c-core: driver [s5p_ddc] using legacy resume method
<4>i2c-core: driver [Si4709] using legacy suspend method
<4>i2c-core: driver [Si4709] using legacy resume method
<6>device-mapper: uevent: version 1.0.3
<6>device-mapper: ioctl: 4.20.0-ioctl (2011-02-02) initialised: [email protected]
<6>Bluetooth: HCI UART driver ver 2.2
<6>Bluetooth: HCI H4 protocol initialized
<6>cpuidle: using governor ladder
<6>cpuidle: using governor menu
<6>sdhci: Secure Digital Host Controller Interface driver
<6>sdhci: Copyright(c) Pierre Ossman
<6>s3c-sdhci s3c-sdhci.0: clock source 0: hsmmc (133400000 Hz)
<6>s3c-sdhci s3c-sdhci.0: clock source 2: sclk_mmc (51307692 Hz)
<6>mmc0: SDHCI controller on samsung-hsmmc [s3c-sdhci.0] using ADMA
<6>s3c-sdhci s3c-sdhci.1: clock source 0: hsmmc (133400000 Hz)
<6>s3c-sdhci s3c-sdhci.1: clock source 2: sclk_mmc (47642857 Hz)
<6>mmc1: SDHCI controller on samsung-hsmmc [s3c-sdhci.1] using ADMA
<6>s3c-sdhci s3c-sdhci.2: clock source 0: hsmmc (133400000 Hz)
<6>s3c-sdhci s3c-sdhci.2: clock source 2: sclk_mmc (47642857 Hz)
<6>mmc2: SDHCI controller on samsung-hsmmc [s3c-sdhci.2] using ADMA
<6>usbcore: registered new interface driver usbhid
<6>usbhid: USB HID core driver
<6>logger: created 256K log 'log_main'
<6>logger: created 256K log 'log_events'
<6>logger: created 256K log 'log_radio'
<6>logger: created 256K log 'log_system'
<6>zram: num_devices not specified. Using default: 1
<6>zram: Creating 1 devices ...
<6>WM8994 Audio Codec 0.1
wm8994_extensions: initializing driver v10
<6>s3c_idma_preallocate_buffer: VA-f00c0000 PA-C0000000 163840bytes
<6>asoc: WM8994 PAIFRX <-> samsung-i2s.0 mapping ok
<6>ALSA device list:
<6> #0: smdkc110
<6>oprofile: using arm/armv7
<6>GACT probability NOT on
<6>Mirror/redirect action on
<6>u32 classifier
<6> Actions configured
<6>Netfilter messages via NETLINK v0.30.
<6>nf_conntrack version 0.5.0 (4257 buckets, 17028 max)
<6>ctnetlink v0.93: registering with nfnetlink.
<6>NF_TPROXY: Transparent proxy support initialized, version 4.1.0
<6>NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
<6>xt_time: kernel timezone is -0000
<6>ip_tables: (C) 2000-2006 Netfilter Core Team
<6>arp_tables: (C) 2002 David S. Miller
<6>TCP cubic registered
<6>NET: Registered protocol family 10
<6>mmc0: new high speed MMC card at address 0001
<6>Mobile IPv6
<6>ip6_tables: (C) 2000-2006 Netfilter Core Team
<6>mmcblk0: mmc0:0001 M2G1DD 1.91 GiB
<6>IPv6 over IPv4 tunneling driver
<6> mmcblk0: p1 p2 p3
<6>NET: Registered protocol family 17
<6>NET: Registered protocol family 15
<6>Bluetooth: RFCOMM TTY layer initialized
<6>Bluetooth: RFCOMM socket layer initialized
<6>Bluetooth: RFCOMM ver 1.11
<6>Bluetooth: BNEP (Ethernet Emulation) ver 1.3
<6>Bluetooth: HIDP (Human Interface Emulation) ver 1.2
<6>NET: Registered protocol family 35
<6>VFP support v0.3: implementor 41 architecture 3 part 30 variant c rev 2
<6>ThumbEE CPU extension supported.
<6>s5pv210_cpufreq_init: S5PV210 cpu-freq driver
<6>regulator_init_complete: pd_mfc_supply: disabling
<6>regulator_init_complete: pd_tv_supply: disabling
<6>regulator_init_complete: pd_cam_supply: disabling
## wifi_probe
wifi_set_power = 1
wifi_set_carddetect = 1
<4>mmc1: queuing unknown CIS tuple 0x80 (50 bytes)
<4>mmc1: queuing unknown CIS tuple 0x80 (7 bytes)
<4>mmc1: queuing unknown CIS tuple 0x80 (3 bytes)
<6>mmc1: new SDIO card at address 0001
F1 signature read @0x18000000=0x9934329
DHD: dongle ram size is set to 294912(orig 294912)
wl_create_event_handler thr:3d started
dhd_attach thr:3e started
dhd_attach thr:3f started
dhd_attach thr:40 started
Broadcom Dongle Host Driver: register interface [wlan0] MAC: 00:90:4c:11:22:33
Dongle Host Driver, version 5.90.195.104
Compiled in drivers/net/wireless/bcmdhd on Nov 5 2013 at 22:34:41
wifi_set_power = 0
=========== WLAN placed in RESET ========
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>s3c-rtc s3c2410-rtc: setting system clock to 2010-12-31 23:07:37 UTC (1293836857)
<6>FIMC0 registered successfully
<6>FIMC1 registered successfully
<6>FIMC2 registered successfully
<6>S5P TVOUT Driver, (c) 2010 Samsung Electronics
<4>clk_get: could not find clock mout_vpll_src for dev s5p_device_tvout+0x8/0xd8 (s5p-tvout)
<3>failed to find clock "mout_vpll_src"
<6>s5p-tvout s5p-tvout: hpd status: cable removed/not connected
<6>s5p_tv_probe TV Probing is done
<6>max8998_charger_probe : MAX8998 Charger Driver Loading
<6>max8998_charger_probe : pmic interrupt registered
<6>check_lpm_charging_mode : lpm_charging_mode(0)
<6>wake enabled for irq 39
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 6 discharging_time : 0
discharging reason : 0
<7>max8998_charging_control : USB charging enabled
<6>max8998_set_cable : status(1)
<7>max8998_charging_control : USB charging enabled
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 6 discharging_time : 21606
discharging reason : 0
<4>Warning: unable to open an initial console.
<7>init_post begin
<6>Freeing init memory: 6204K
<7>max8998_charging_control : USB charging enabled
OHAI, stage1 init starting
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 6 discharging_time : 21606
discharging reason : 0
<7>max8998_charging_control : USB charging enabled
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 56 discharging_time : 21606
discharging reason : 0
<7>max8998_charging_control : USB charging enabled
<3>bio too big device loop0 (2 > 0)
<3>EXT4-fs (loop0): unable to read superblock
<6>EXT4-fs (loop1): mounted filesystem with ordered data mode. Opts: (null)
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 80 discharging_time : 21606
discharging reason : 0
<7>max8998_charging_control : USB charging enabled
stage1 log:
Fri Dec 31 23:07:37 GMT 2010
Creating filesystem with parameters:
Size: 18874368
Block size: 4096
Blocks per group: 32768
Inodes per group: 1152
Inode size: 256
Journal blocks: 1024
Label:
Blocks: 4608
Block groups: 1
Reserved block group size: 7
Created filesystem with 11/1152 inodes and 1110/4608 blocks
Creating filesystem with parameters:
Size: 419430400
Block size: 4096
Blocks per group: 32768
Inodes per group: 6400
Inode size: 256
Journal blocks: 1600
Label:
Blocks: 102400
Block groups: 4
Reserved block group size: 31
Created filesystem with 11/25600 inodes and 3310/102400 blocks
force_recovery: 1
losetup: /dev/loop0: No such file or directory
mount: mounting /dev/loop0 on /system failed: Invalid argument
umount: can't umount /system: Invalid argument
losetup: /dev/loop2: No such device or address
losetup: /dev/loop0: No such device or address
5708 blocks
Fri Dec 31 23:09:02 GMT 2010
<3>init: cannot open '/initlogo.rle'
...
Taken from XXLA1 with zImage only... cm-10.1-wave-v2.1...
Interesting to see this...
Code:
<6>Memory: 69MB 214MB 0MB = 283MB total
<5>Memory: 272496k/325052k available, 17988k reserved, 0K highmem
<5>Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
DMA : 0xff000000 - 0xffe00000 ( 14 MB)
vmalloc : 0xf0000000 - 0xfc000000 ( 192 MB)
lowmem : 0xc0000000 - 0xeff00000 ( 767 MB)
modules : 0xbf000000 - 0xc0000000 ( 16 MB)
.init : 0xc0008000 - 0xc0617000 (6204 kB)
.text : 0xc0617000 - 0xc0ce8000 (6980 kB)
.data : 0xc0ce8000 - 0xc0d34880 ( 307 kB)
.bss : 0xc0d348a4 - 0xc0e76ad8 (1289 kB)
Best Regards
This is my solution for now... with S8500. Tested by me.
In theory should work with S8530 too...
Later I will move to cable solution with Micro USB + Resistor...
Then hopefully this is working also with S8600 and S5250 for instance...
Best Regards
http://forum.xda-developers.com/showpost.php?p=41670635&postcount=5
In this FPM Mode... I can use AT Commands via UART...
So for now I can read and write something via UART...
Later more...
Best Regards
Made a few stupid mistakes today....
510 R instead of K...
Then confused Pin 4 and 5 ...
I have 510 KOHM, but nothing happens...
Maybe not correct enough...
http://forum.xda-developers.com/showthread.php?t=820275
Code:
RID_FM_BOOT_ON_UART, /* 1 1 1 0 1 [B]619K[/B] Factory Mode Boot ON-UART */
I have used 620 KOHM with S8500 and S8600...
Factory Test Mode start ... this thingie with blue then green Screen... but nothing UART out nor input...
Maybe my wires wrong...
Will buy more Resistors...
Best Regards
Edit 1.
No idea yet, where is my mistake...
http://www.droidforums.net/forum/dr...own-motorola-factory-cable-4.html#post2234017
Backside Pinout...
I have now 510 KOHM + 13 KOHM = 523 KOHM...
Flashed to XXJEB to be sure...
Edit 2.
Check up...
My USB converter is alive...
Pin 4 and 5 should be correct, because Resistor Values working...
Will change Pin 2 and 3...
My fault...
For S8530 and S8500 now working.
Code:
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] FSR_PAM_InitNANDController Success!!
[PAM: ] --FSR_PAM_Init
bl3_info_block 1 age = 17
bl3_info_block 2 age = 18
BL3_2 Loading
+-------------------------------+
| Bootloader Shadowing FINISHED |
+-------------------------------+
Launch Image at 0x42080000
[BOOT_V1.0 (Jan 5 2012, 19:05:00)]
SelectBootingMode: H/W...0x3.
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,DSYSPCLK: 83375 KHz,PSYSHCLK: 133400 KHz, PSYSPCLK: 66700 KHz,SYSCON_A2M: 200000 KHz
Flash_Unlock failed
Poweron status - 20
FSA9480 0x03 Register = 1
FSA9480 0x0A Register = 0
FSA9480 0x0B Register = 8
FSA9480 0x07 Register = 1c
SelectBootingMode: Boot Mode = 1...
+++FIMD_Drv_INITIALIZE
FIMD_Drv_ChangeMode: MDNIE_MODE
Frame Rate:62 SCLK_FIMD:133400 kHz ClkDiv:4
---FIMD_Drv_INITIALIZE
---FIMD_Drv_SetWinOnOff(WIN4:1)
LCD initialize Finished
Display_LSI_Boot : disp_Main_Clean
Display_LSI_Boot : disp_Main_Clean_All
Display_LSI_Boot : disp_dimming_backlight
Display_LSI_Boot : disp_Normal_Init
DRV_modem_reset!!!!!!!!!!!!!!!!!
DRV_Send_DBL!!!!!!!!!!!!!!!!!
[DLOAD] Download Completed !!!
DRV_Wait_ModemInit!!!!!!!!!!!!!!!!!
DRV_CopyQSCBootBinary!!!!!!!!!!!!!!!!!
DRV_Send_BootBinaryCopyComplete!!!!!!!!!!!!!!!!!
DRV_Modem_BootingStart retry count = 0.
AST_POWERON
get_usb_sw_nv 0x40000
USBSwitch : AP
get_uart_sw_nv 0x40000
UARTSwitch : AP
My first S8530 UART output... with cable.
On XXKK5 with S8600 no luck... will try older Firmware...
Best Regards
Edit 1.
S8000 Jet
Code:
USBSwitch : AP
[BB31] VDD INT 1.2V
[BB31] VDD ARM 1.325V
ARM Clock: 400MHz --> 800MHz
[BOOT][DBG] RST_STAT 0x7E00_F904 : 0x00000001
[BOOT] ARMCLK: 800000, MPLL: 194000, HCLKX2: 266666, HCLK: 133333, PCLK: 33333
BootHWCheck: 6...
SelectBootingMode: H/W...0x6.
Poweron status - 10
pPowerOn 0 = 0xB00717E3
pPowerOn 1 = 0x0
pPowerOn 2 = 0x0
pPowerOn 3 = 0x10
pPowerOn 4 = 0x0
pPowerOn 5 = 0x0
pPowerOn 6 = 0x0
pPowerOn 7 = 0x0
pPowerOn 8 = 0x0
pPowerOn 9 = 0x0
pPowerOn 10 = 0x0
pPowerOn 11 = 0x0
pPowerOn 12 = 0x6
pPowerOn 13 = 0x0
FSA9480 0x03 Register = 1
FSA9480 0x0A Register = 0
FSA9480 0x0B Register = 8
FSA9480 0x07 Register = 1C
SelectBootingMode: Boot Mode = 1...
================================
LCD Source CLK -> MPLL(194000)
================================
uClkVal = 0x7 , uClkDir = 0x1
========================================
uVidconReg = 0x1D4 , uClkVal = 0x7
========================================
DRV_modem_reset!!!!!!!!!!!!!!!!!
DRV_Send_DBL!!!!!!!!!!!!!!!!!
[DLOAD] Download Completed !!!
DRV_Wait_MSMInit!!!!!!!!!!!!!!!!!
DRV_CopyMSMBootBinary!!!!!!!!!!!!!!!!!
DRV_Send_BootBinaryCopyComplete!!!!!!!!!!!!!!!!!
Ownership Release 0x5DFFF800, 0x0
AST_POWERON
get_usb_sw_nv 0x0
USBSwitch : AP
get_uart_sw_nv 0x0
UARTSwitch : AP
Drv_TaskEntry Start
DRV_Device_Init...
DRV_Device_Init...: DRV_hwversion = 6.
FSA9480 device ID = 40
JIT UART OFF NU_PWM_FID_SET_GPIO_PWMTOUT ok
prox_sensor_init SUCCESS~~~~~~~~~~~
[BOOT][Err] LCD_DET set PULLDOWN .
[LCD] ESD interrupt enable
acc_sensor_init SUCCESS~~~~~~~~~~~
pif_TaskEntry Start
[MODEMIF_AP_Init] NU_Create_Task pif task success
Create TESTMODE_Queue
Create testmode_task
Create TMFIFO_Queue
Create TESTMODE_RPT_Timer
brcm_bluetooth_main: Start Bluetooth Thread by BootEntry
0002 000.082 0.001.00.00:0000 SYSTEM > MochaTask: OSAL created.
0003 000.084 0.001.00.00:0000 BOOTMGR > MochaTask: OSAL created.
0004 000.091 0.001.00.00:0000 BOOTMGR > MochaTask: UART, USB, and Bluetooth created.
usb_api_open
usb_api_open
0005 000.100 0.001.00.00:0000 SYSTEM > MochaTask: DiagMgr created.
0006 000.106 0.001.00.00:0000 BOOTMGR > MochaTask: DiagMgr created.
0007 000.112 0.001.00.00:0000 EXCEPTION > __MemAllocForDebugHeap: Allocate 1200Kbytes (file OEM\OemDevFIFO.c, line 106)
0008 000.122 0.001.00.00:0000 AGENT > [__SysSecureBootRegisterPktRcvCallback:SysSecureBootPacket.c] __SysSecureBootRegisterPktRcvCallback is called!
0009 000.136 0.001.-1.-1:0000 BOOTMGR > MochaTask: EventMgr created.
0010 000.144 0.001.-1.-1:0000 BOOTMGR > MochaTask: AvMedia created.
0011 000.148 0.001.-1.-1:0000 ALL > DevGetHomeDLFlag : Address(0x0f940000) flag(0x0000ffff)
0012 000.157 0.001.-1.-1:0000 BOOTMGR > MochaTask: Clock created.
0013 000.162 0.001.-1.-1:0000 BOOTMGR > MochaTask: LED created.
0014 000.168 0.001.-1.-1:0000 BOOTMGR > MochaTask: Flip created.
0015 000.174 0.001.-1.-1:0000 SYSTEM > MochaTask: Clock, LED, Flip created.
+SDHC_Open(Ch1)
[SDHC] SDHC(ch1) Operating Clock : 378906Hz
[DS] data_srvc_task() Enter
[DS] diag_srvc_task() Enter
Diag_TaskEntry Start
I9000 tested with success...
So my cable now works with different Samsung handsets...
Except S8600 ...
Tested also with XXKJ7...
Need few days. Then test with S5250 will follow...
http://forum.xda-developers.com/showthread.php?t=1901376
I9001 is a little bit similar to S8600... maybe helpful.
Also useful about UART:
http://forum.xda-developers.com/showthread.php?t=1209288
http://forum.xda-developers.com/showthread.php?t=1629359
Best Regards
UART on S5250 works, but not much info... yet...
Code:
AST_POWERON
*MRDY: 1
,~Booting Completed
This is the output in DL Mode...
Code:
AST_DOWNLOAD
I can set UART Logging temporarily...
More text...
Best Regards

Could a dev help edit libWFD_ENGINE.so to get mirroring on modded devices.Guide here!

Hi
I'm carrying this over from this thread http://forum.xda-developers.com/showthread.php?t=2421642
The guys here managed to patch their libWFD_ENGINE.so file so they could connect to all share cast on Rooted/Modded devices.
Unfortunately no one posted for the L900 Note 2, but instructions were given to do this on any device.
1. download and install IDA Pro
2. download and install WinHEx
3. download and install any text compare util
4. Open the patched and unpatched versions of the lib file of the same device (any device) with IDA
5. get the text output of both files into the text compare utility
6. find the 3 differences and analyze where they are in the file (look for searchable text patterns)
7. open YOUR device's unpatched lib file with IDA Pro
8. find the correspondences found in step 6 in your own file.
9. note the line number (hex address) of each of the 3 correspondences
10. now open all 3 files in WinHex
11. jump to the noted hex addresses and change the bytes according to the difference of 2 files of the same device.
12. make the change on your own file and save.
Thanks to mrmrmrmr for quick guide.
So what I have attached here is the unpatched libWFD_Engine.so (Sprint Note 2, 4.3), and I was hoping someone would be able to patch it with the above instructions; an example of the changes that needed to be made to the S4 libWFD_Engine.so is below.
org_s4:
text:00012644 CBNZ R0, loc_12652
patched_s4:
text:00012644 MOVS R0, #0
org_s4:
text:00022D50 LDR R3, [R7]
patched_s4:
text:00022D50 MOVS R3, #0
org_s4:
text:00026B1C CMP R0, #0
patched_s4:
text:00026B1C CMP R0, #0x10
Thanks
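As an added example (not code from the thread), a small C decoder for the 16-bit Thumb forms quoted above (CBNZ, MOVS imm, CMP imm, LDR [Rn]) plus a halfword-by-halfword diff of two copies of a library's .text, so that a modified copy can be recognised from its bytes rather than trusted on sight. The two buffers are constructed and hold only the three quoted S4 instructions placed consecutively; real libraries would be read from disk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One little-endian Thumb halfword at byte offset off. */
static uint16_t hw_at(const uint8_t *buf, size_t off)
{
    return (uint16_t)(buf[off] | (buf[off + 1] << 8));
}

/* Decode the 16-bit Thumb forms quoted in the post; addr is the instruction
 * address, needed because CBZ/CBNZ targets are PC-relative (PC = addr + 4). */
int decode_thumb16(uint16_t h, uint32_t addr, char *out, size_t outsz)
{
    unsigned lo = h & 7, mid = (h >> 3) & 7, hi = (h >> 8) & 7, imm8 = h & 0xFF;
    if ((h & 0xF500) == 0xB100) {                 /* 1011 op 0 i 1 imm5 Rn */
        unsigned imm = (((h >> 9) & 1) << 6) | (((h >> 3) & 0x1F) << 1);
        return snprintf(out, outsz, "%s R%u, 0x%X", (h & 0x0800) ? "CBNZ" : "CBZ",
                        lo, (unsigned)(addr + 4 + imm));
    }
    if ((h & 0xF800) == 0x2000)                   /* MOVS Rd, #imm8 */
        return snprintf(out, outsz, "MOVS R%u, #0x%X", hi, imm8);
    if ((h & 0xF800) == 0x2800)                   /* CMP Rn, #imm8 */
        return snprintf(out, outsz, "CMP R%u, #0x%X", hi, imm8);
    if ((h & 0xF800) == 0x6800) {                 /* LDR Rt, [Rn, #imm5*4] */
        unsigned off = ((h >> 6) & 0x1F) * 4;
        return off ? snprintf(out, outsz, "LDR R%u, [R%u, #0x%X]", lo, mid, off)
                   : snprintf(out, outsz, "LDR R%u, [R%u]", lo, mid);
    }
    return snprintf(out, outsz, ".hw 0x%04X", (unsigned)h);   /* not decoded here */
}

/* Compare two copies of a .text image halfword by halfword. Returns how many
 * halfwords differ and writes one "addr: original -> modified" line per hit. */
size_t diff_thumb_text(const uint8_t *orig, const uint8_t *mod, size_t len,
                       uint32_t base, char *out, size_t outsz)
{
    size_t n = 0, used = 0;
    if (outsz) out[0] = '\0';
    for (size_t off = 0; off + 1 < len; off += 2) {
        uint16_t a = hw_at(orig, off), b = hw_at(mod, off);
        if (a == b) continue;
        char da[40], db[40];
        decode_thumb16(a, (uint32_t)(base + off), da, sizeof da);
        decode_thumb16(b, (uint32_t)(base + off), db, sizeof db);
        if (used < outsz) {
            int w = snprintf(out + used, outsz - used, "%08X: %s -> %s\n",
                             (unsigned)(base + off), da, db);
            if (w > 0) used += (size_t)w;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed buffers: the three S4 instructions from the post, placed
     * consecutively, and their patched forms (real files are far larger). */
    const uint8_t orig[] = { 0x28, 0xB9, 0x3B, 0x68, 0x00, 0x28 };
    const uint8_t mod[]  = { 0x00, 0x20, 0x00, 0x23, 0x10, 0x28 };
    char report[256];
    size_t n = diff_thumb_text(orig, mod, sizeof orig, 0, report, sizeof report);
    printf("%zu differing halfword(s)\n%s", n, report);
    return 0;
}
```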
gersrt said: [quote of the post above]
I wonder if there is a way to turn this into a 1-click action?
http://forum.xda-developers.com/showthread.php?t=2542509
I Extracted and manually placed the file with root explorer and set permissions.
Works like a champ on my....
sprint note 2
synergy 4.3 rom
rooted
twrp
Do Not Flash The File....will cause bootloop ! Only for Android 4.3
gersrt said: [quote of the post above]
What text comparing utility are you using, so that I can download it? Thanks.
Can you advise how to open and export the libWFD_ENGINE.so in IDA Pro?
The below is what I get from IDA Pro, which is quite different from yours.
I guess I made some mistakes during the process. I have never used IDA Pro before.
seg000:00002476 db 0
seg000:00002477 db 0
seg000:00002478 db 0
seg000:00002479 db 0
seg000:0000247A db 0
seg000:0000247B db 0
seg000:0000247C db 0
seg000:0000247D db 0
seg000:0000247E db 0
seg000:0000247F db 0
seg000:00002480 db 12h
seg000:00002481 db 0
seg000:00002482 db 0

[Q] Cortex-A9 Performance Events Counter PMU return Zero

Hello everyone,
Not sure if this is the right place to ask, but I really need help.
I am attempting to gather some data on a Galaxy Nexus i9250, Android v4.3, CPU ARMv7. I am trying to use ARM Streamline but it gives the following error:
ARM Processor PMU event counters have been detected, however the event counters are reading zeroes. Event counters include those counters listed in the counter configuration options dialog under the core name but exclude the cycle counter (Clock:Cycles) as it is controlled by a dedicated counter. It is possible that the PMU configuration bit DBGEN has not been enabled, and counter values subsequently will always read as zero. To remedy, please update your firmware or Linux kernel to enable DBGEN.
After some searching I found a similar problem on Freescale,
which suggests some modification to the SDER (Secure Debug Enable Register, Security Extensions).
I do not know what to do, so I found a file perf_event in the kernel source, but I am not sure where to start.
I found out on ARM's infocenter for ARM11 that I should use
// MRC p15, 0, <Rd>, CRn, CRm, opCode_2 ; base
MRC p15, 0, <Rd>, c15, c12, 0 ; Read Performance Monitor Control Register
MCR p15, 0, <Rd>, c15, c12, 0 ; Write Performance Monitor Control Register
This is in perf_event_v6.c in the kernel folder, like this:
static inline unsigned long
armv6_pmcr_read(void)
{
u32 val;
asm volatile("mrc p15, 0, %0, c15, c12, 0" : "=r"(val));
return val;
}
Since I'm using ARMv7, I should modify perf_event_v7.c,
and my guess is that I should use c9 instead of c15, because this is the option used there and mentioned in the Cortex Reference Manual, for example:
c9 registers
Table 4-10 shows the CP15 system control registers you can access when CRn is c9.
Table 4-10 c9 register summary
Op1  CRm  Op2  Name        Type  Reset       Description
0    c12  0    PMCR        RW    0x41093000  Performance Monitor Control Register
0    c12  1    PMCNTENSET  RW    0x00000000  Count Enable Set Register
0    c12  2    PMCNTENCLR  RW    0x00000000  Count Enable Clear Register
0    c12  3    PMOVSR      RW    -           Overflow Flag Status Register
0    c12  4    PMSWINC     WO    -           Software Increment Register
0    c12  5    PMSELR      RW    0x00000000  Event Counter Selection Register
So it should be:
MRC p15, 0, <Rd>, c9, c12, 0 ; Read Performance Monitor Control Register
MCR p15, 0, <Rd>, c9, c12, 0 ; Write Performance Monitor Control Register
and
MRC p15, 0, <Rd>, c9, c12, 5 ; Read PMSELR Register
MCR p15, 0, <Rd>, c9, c12, 5 ; Write PMSELR Register
and to choose the event:
EXPORT pmn_config
; Sets the event for a programmable counter to record
; void pmn_config(unsigned counter, uint32_t event)
; counter (in r0) = Which counter to program (e.g. 0 for PMN0, 1 for PMN1)
; event (in r1) = The event code (from appropriate TRM or ARM Architecture Reference Manual)
pmn_config PROC
AND r0, r0, #0x1F ; Mask to leave only bits 4:0
MCR p15, 0, r0, c9, c12, 5 ; Write PMSELR Register
ISB ; Synchronize context
MCR p15, 0, r1, c9, c13, 1 ; Write PMXEVTYPER Register
BX lr
ENDP
The steps I should follow are as follows:
The following procedure should be followed:
Disable performance counters
Set what each event counter will count
Set cycle counter tick rate
Reset performance counters
Enable performance counters
Call function to profile
Disable performance counters
Read out performance counters
Check that performance counters did not overflow
I also found this example:
following this code on google_code DirectPMUCodeGCC
I found on the e2e support site that the Galaxy Nexus is a secure device by checking DBGAUTHSTATUS;
I should push DBGEN or NIDEN high.
But I still did not know how to do it.
Any help?
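As an added example (not code from the thread or from ARM), a C program that decodes the two registers the question turns on, PMCR (using the Cortex-A9 reset value 0x41093000 from the table above) and DBGAUTHSTATUS, and turns them into the diagnosis behind the Streamline message: event counters exist, but with DBGEN and NIDEN low the Non-secure side is not permitted non-invasive debug and they stay at zero. On ARM builds it also carries out the nine-step counting procedure listed above for one event counter; that part assumes it runs at PL1 or under a kernel that has set PMUSERENR.EN, otherwise the coprocessor accesses fault. The DBGAUTHSTATUS sample value is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PMCR layout (ARMv7 ARM): bit 0 E enable, 1 P reset event counters,
 * 2 C reset cycle counter, 3 D count every 64th cycle, bits [15:11] N
 * number of event counters, [23:16] IDCODE, [31:24] IMP. */
#define PMCR_E (1u << 0)
#define PMCR_P (1u << 1)
#define PMCR_C (1u << 2)

unsigned pmcr_num_counters(uint32_t pmcr) { return (pmcr >> 11) & 0x1f; }
unsigned pmcr_implementer(uint32_t pmcr)  { return pmcr >> 24; }
unsigned pmcr_idcode(uint32_t pmcr)       { return (pmcr >> 16) & 0xff; }

/* DBGAUTHSTATUS: four 2-bit fields, high bit = enabled, low bit = implemented:
 * [7:6] SNID (Secure non-invasive), [5:4] SID, [3:2] NSNID (Non-secure
 * non-invasive), [1:0] NSID. Event counting is non-invasive debug; in
 * Non-secure state it is permitted only when DBGEN or NIDEN is high, which
 * shows up as NSNID == 0b11. The cycle counter is exempt, as the error says. */
int ns_noninvasive_debug_enabled(uint32_t auth) { return ((auth >> 2) & 3) == 3; }

const char *pmu_diagnosis(uint32_t pmcr, uint32_t auth)
{
    if (pmcr_num_counters(pmcr) == 0) return "no event counters implemented";
    if (!ns_noninvasive_debug_enabled(auth))
        return "event counters implemented but DBGEN/NIDEN low: they read zero";
    return "event counters should count";
}

#if defined(__arm__)
/* ARM only: the procedure from the question, for one event counter. Event
 * codes come from the Cortex-A9 TRM (e.g. 0x08, instruction executed). */
static inline uint32_t pmcr_read(void)
{ uint32_t v; __asm__ __volatile__("mrc p15, 0, %0, c9, c12, 0" : "=r"(v)); return v; }
static inline void pmcr_write(uint32_t v)
{ __asm__ __volatile__("mcr p15, 0, %0, c9, c12, 0" :: "r"(v)); }

uint32_t pmu_count_event(unsigned ctr, uint32_t event, void (*fn)(void), int *ovf)
{
    uint32_t cnt, ovs;
    pmcr_write(pmcr_read() & ~PMCR_E);                                         /* disable */
    __asm__ __volatile__("mcr p15, 0, %0, c9, c12, 5" :: "r"(ctr & 0x1f));    /* PMSELR */
    __asm__ __volatile__("isb");
    __asm__ __volatile__("mcr p15, 0, %0, c9, c13, 1" :: "r"(event));         /* PMXEVTYPER */
    pmcr_write(pmcr_read() | PMCR_P | PMCR_C);                                 /* reset */
    __asm__ __volatile__("mcr p15, 0, %0, c9, c12, 1" :: "r"(1u << ctr));     /* PMCNTENSET */
    pmcr_write(pmcr_read() | PMCR_E);                                          /* enable */
    fn();                                                                      /* profile */
    pmcr_write(pmcr_read() & ~PMCR_E);                                         /* disable */
    __asm__ __volatile__("mrc p15, 0, %0, c9, c13, 2" : "=r"(cnt));           /* PMXEVCNTR */
    __asm__ __volatile__("mrc p15, 0, %0, c9, c12, 3" : "=r"(ovs));           /* PMOVSR */
    *ovf = (ovs >> ctr) & 1;                                                   /* overflow? */
    return cnt;
}
#endif

int main(void)
{
    /* PMCR reset value from the table in the question; DBGAUTHSTATUS value is
     * constructed: every debug kind implemented, none enabled. */
    uint32_t pmcr = 0x41093000u, auth = 0xAAu;
    printf("IMP=0x%02X IDCODE=0x%02X counters=%u: %s\n", pmcr_implementer(pmcr),
           pmcr_idcode(pmcr), pmcr_num_counters(pmcr), pmu_diagnosis(pmcr, auth));
    return 0;
}
```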
