sgs5 uart jig - Galaxy S 5 Developer Discussion [Developers Only]

UART JIGs exist for several other devices, but I didn't find any info
about it for the Galaxy S5. So I decided to build one to try for myself,
and now I can confirm it works.
Q: What's a UART JIG?
A: An adapter that plugs into the micro USB port and selects the
"Factory Mode Boot ON-UART" function via an appropriate
resistor value on the micro USB ID pin. Then the USB D+ and D-
pins serve as UART TX and RX with 3.3V TTL level, so you can
connect a USB serial cable like you'd use for Raspberry Pi.
I was encouraged because aboot.mbn contains strings like
"DEVICE_JIG_UART_ON" and "console=ttyHSL0,115200,n8",
and after searching for some micro USB function mux IC datasheets
it seemed the ID resistor values are pretty much standard.
I used this as my guideline:
https://forum.xda-developers.com/showthread.php?t=1530637
Instead of 523k (Factory Mode Boot OFF-UART) I used 619k (Factory
Mode Boot ON-UART), because in my first test with 523k I only
got some bootloader output, but no kernel messages. However,
later I found that kernel messages don't seem to work after power-on,
but they work after reboot. You get a kernel console with a shell.

Unlike some other devices there doesn't seem to be any output from
early boot code, and no bootloader prompt where you could change
any settings. The bootloader messages seem to come from aboot:
Code:
Android Bootloader - UART_DM Initialized!!!
[fuelgauge] init_fuel_gauge: battery type = 1
[fuelgauge] init_fuel_gauge: fg_reset_soc = 0
[fuelgauge] init_fuel_gauge: vcell=4011, soc=81, ocv=4121
MODEL_NAME:{{SM-G900F}}
eMMC_SERIAL_NUMBER:{{00000000000redacted0000000000000}}
BOOTLOADER VERSION : G900FXXU1BOJ1
Get DATA success.
Get DATA success.
check_pit_integrity: invalid pit magic code.(0x0)
AST_POWERON
[eMMC] WP status = 0x02, addr = 0x0, (0x01: Temporary WP; 0x02: Power_on WP)
[eMMC] WP status = 0x02, addr = 0x0, (0x01: Temporary WP; 0x02: Power_on WP)
Then kernel messages follow.

Related

Some help with USB and XDA II

Hi,
Maybe someone here knows a solution to this one:
When you go to bootloader on the XDA II you can use a serial cable to talk to it. However you can also dock your device in the cradle again and it will allow a USB connection to the bootloader prompt. However, with Windows it will start the wceusbsh.sys driver for active sync. In Linux it loads the generic serial USB driver, which allows you to connect to the bootloader with a terminal program.
Question is: does anyone know how to prevent the wceusbsh.sys driver from loading, and instead load the serial usb driver (so you can use hyperterminal for example) OR how you can programmatically talk to the device through the wceusbsh.sys driver without any actual active sync on the side of the device (that is running the bootloader and presenting a USB> prompt)?
If I'm not clear let me know.
Thanks,
(not really sure) but maybe this may help: http://www.lvr.com/usbfaq.htm
What I tried so far is edit the INF file for the wireless modem with the vendor and equipment IDs for the bootloader mode. Then remove the active sync driver from the Device manager and try to add the INF manually. That doesn't work without the device connected. And once you connect the device it immediately installs the windows driver again.
yes, that is what I encountered too.
maybe completely remove everything from \windows\inf that has some relation to active sync?
maybe the trick is to set the correct vendor/product id:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/modem/hh/modem/modem6_0ox3.asp
( trying now, requires reboot .. maybe a good sign )
Code:
[Version]
Signature="$Windows NT$"
Class=Ports
ClassGuid={4D36E978-E325-11CE-BFC1-08002BE10318}
Provider=%XDADEV%
LayoutFile=layout.inf
DriverVer=10/15/1999,5.0.2153.1
[Manufacturer]
%XDADEV%=XDADEV
[XDADEV]
%XDAUSBSER%=Reader, USB\VID_0BB4&PID_00CE
[Reader_Install.NTx86]
;Windows2000
[DestinationDirs]
DefaultDestDir=12
Reader.NT.Copy=12
[Reader.NT]
CopyFiles=Reader.NT.Copy
AddReg=Reader.NT.AddReg
[Reader.NT.Copy]
usbser.sys
[Reader.NT.AddReg]
HKR,,DevLoader,,*ntkern
HKR,,NTMPDriver,,usbser.sys
HKR,,EnumPropPages32,,"MsPorts.dll,SerialPortPropPageProvider"
[Reader.NT.Services]
AddService = usbser, 0x00000002, Service_Inst
[Service_Inst]
DisplayName = %Serial.SvcDesc%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 3 ; SERVICE_DEMAND_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\usbser.sys
LoadOrderGroup = Base
[Strings]
XDADEV = "XDA Developers"
XDAUSBSER = "XDA Serial over USB"
Serial.SvcDesc = "XDA USB Serial emulation driver"
one step further, now activesync no longer works, and I do see a broken 'COM3'.
got it to work programmatically - see http://www.xs4all.nl/~itsme/projects/xda/xda-ii.html - the xda2dmp tool.
allows you to dump either windows ce, or gsm memory, via serial port or usb

What we have tried and where to go from here

Ok, so we haven't had quite as much luck yet as we would have liked, but I think as we continue to try out different approaches we will have some luck. I think it might be beneficial for us to have an overview of what has been tried and what has been attempted thus far. So here is a list of things people have tried (please feel free to add anything that I may have left out or accidentally overlooked).
Registry Edit to access Zune storage
I believe this was the first approach that people took to gaining access to the KIN, and this link provides a great walkthrough.
Bitpim
This is a pretty good overview of what has been attempted through Bitpim. Recently some have even tried using some other software, namely CDMA Workshop, (Look at the last post of the page.) I would suggest that we also try a couple more:
RevSkills
UniCDMA
Nvidia Tegra Flash
I forgot this when I first posted.
OpenZDK
This was another potential since much of the hardware, namely the processor is the same on both the kin and zune.
Looking for clues in the log files
To put it simply in the hidden menu there is an option to have system logs emailed to you. I tried reading through some and noticed some of the events and files that the KIN uses, but have not had any luck yet.
FTP
This link is the same as the link for the Log Files above.
Export/Import in hidden Menu
Once again, the link used here is the same one for Log Files and FTP.
Please add anything that I may have left out, either different approaches or links to helpful information. I haven't had a chance to tinker with RevSkills too much yet, but it looks real promising.
Ah, we mods like these threads. Keep it up. Stickied.
The hidden import feature becomes active if you create a contact while using
qpst. It imports but I don't know where it put that info.
Interesting to note is that None of my phone entered contacts show up in qpst.
It is like that directory is mapped to some other place.
I was able to create directories and added txt files using qpst that remain even after power cycling the phone. I haven't found any of this using the phone yet.
I am getting the same results as you when I use the EFS manager and service programming. I can create files and make changes and they last after reboot.
I find it odd that when I export contacts from the hidden menu the file is visible in windows explorer if I have edited the registry as noted in the first post. I find this odd because everything else that is visible on the device using this method is related to the Zune, i.e. photos, music, and videos.
I have started looking back at some of the log files that I had the phone email me through the hidden menu and I have found some AT commands for the phone along with some other information. Here is a little bit of one file that I just started sorting through. The formatting isn't perfect because the log files have a lot of unreadable characters, but I have bolded files and commands. I also left everything in the case (upper and lower) as I found it in the file. The name of this file is:
MICROSOFT-PMX-DEBUGSTRINGPROVIDER-CHANNEL.02.clg
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_PRE_UPDATE
MPM_BB_USB_DRIVER_LOAD_UPDATE_EVENT, dwWaitTime: -1
MPM_Util:USB Client 1 has been Loaded
MPM_Util:USB Client 2 has been !UnLoaded!
CDMA Radio Updeate: Text stored version : v0.4.727
CDMA Radio Update:Registry Key version: v0.4.727
CDMA Radio Update: Current Modem version: v0.4.727
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_PRE_UPDATE
MPM_MainsSmThread
MPM_BB_UPDATE_REQ_EVENT - No modem update is needed
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_END_RSTISR_REQ_EVENT, dwWaitTime: -1
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_END_RSTISR_REQ_EVENT MODEM RESET ISR Init Completed.
MPM_MainsSmThread
MPM_BB_STATE_NORMAL_ON_POST_UPDATE
MPM_POWER_ON_REQ_EVENT, dwWaitTime: -1
RILNDIS: GetPacketInterface Initialize = c117d634
Shutdown = c117c4e4
RILDrv : i : Accumulated response (1) : <cr><lf>
IOPTMODE: 6 <cr><lf>
RILDrv : i : Sending cmd: ATV0E0X3 <cr>
RILDrv : t : LoadEriData : Opening file
\RoamingIndicator\eri.bin
RILDrv : i : Accumulated response (1) : ATV0E0X3 <cr> 0 <cr>
RILDrv : t : LoadEriData:
\RoamingIndicator\eri.bin not exist. Err 0x00000002
RILDrv : i : Sending cmd:
AT+cstt=0, 1, 75, 85, 95, 100 <cr>
RILDrv : t : LoadEriData: Opening file
\Windows\eri.bin
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv : i : Sending cmd :
AT+CSTT=1,1,18,22,26,30 <cr>
PMIC Boot cookie: rb7262h
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv : i : Sending cmd :
AT+CSQT=1<cr>
RILDrv : i : Accumulated response (1) : 0 <cr>
RILDrv:i: Sending cmd:
AT+GMI; +GMM; +GMR; +CKEYPAD?25<cr>
RILDrv:i: Accumulated response: +CKEYPAD:25
RILDrv:i: Accumulated response (2): equesting :
IUSBON, USBST, New PLMST, timestamp, 10, 2,2944 <cr><lf>
RILDrv:i:Accumulated response(1): +IQMIREADY <cr><lf>
+IUSBON<cr><lf>+IECHO: Requesting:IUSBON, USBST,
New PLMST, timestamp, 10, 2, 2944 <cr><lf>
RILDrv:i: ParseNotificationOEM: +IQMIREADY: SetEvent for QMI Init
RILDrv:i: Accumulated response(1): +IUSBON<cr><lf> +IECHO:
Requesting: IUSBON, USBST, New PLMST, timestamp, 10, 2, 2944<cr><lf>
RILDrv:i: Accumulated response(1): +IECHO:
Requesting: IUSBON, USBST, New PLMST, timestamp, 10, 2, 2944<cr><lf>
RilDrv:arseGetEquipmentInfo Modem Version: 727
I found out one more thing, if you use the s+l+power combination when the phone is powered off and connected to the computer another USB device is found. I just found this thanks to conflipper's early work. We will have to come up with some sort of driver for this now.
Here is the name of the device and the hardware IDs
Microsoft Pink Bootstrap
USB\VID_045E&PID_2345&REV_0000
USB\VID_045E&PID_2345
I also just found this hardware id when having the computer turned off and plugged into the pc. When I hold down u+s+b+power Windows finds another device with the following name and hardware IDs (According to what I have found online this VID is Nvidia.) So this might be where we can use the tegra chipset stuff.
APX
USB\VID_0955&PID_7416&REV_0103
USB\VID_0955&PID_7416
Thought I would also add that my phone is currently unusable, but on the positive side, I wouldn't have found those other two usb hardware IDs if this hadn't happened. Sidenote, I was using QPST Configuration program, and I right clicked on my phone in the active phones tab. I then clicked on "Configure service to port mapping..." and added one property (unfortunately, I can no longer go back to the window because the program doesn't recognize my phone now). At this point, my phone rebooted and is now stuck trying to boot up.
I don't think it is completely bricked, but I fear that until we pull a rom it is probably useless because it is stuck in a constant cycle trying to reboot. The only way to stop this is to remove the battery. I have since tried using the various key combinations provided by conflipper and have found that the bootstrapper combination (s+l+power) would probably work if we had a rom. I then tried the hard reset combination (c+b+power) which initially looks like it might work but then it gets stuck in the cycle of rebooting.
I am going to continue working on it, hoping that somehow now that I might have some extra sort of access to hardware, but I am afraid my contributions may be limited until we are able to pull a rom.
Sorry to hear that. There has to be a way of getting it out of the loop.
RevSkills Hardware Log.
Diag Port Supported Command List.
7E - TRS FRM MSG supported.
5A - CHECK AKEY supported.
59 - EFS CMD supported.
58 - GET IS95B supported.
57 - SET MAX SUP CH supported.
56 - SUP WALSH CODES supported.
55 - FER INFO supported.
51 - GET FEATURES supported.
49 - READ PRL supported.
47 - UNKNOWN unknown response:
45 - GET CDMA RSSI unknown response:
44 - CHANGE SERIAL MODE unknown response:
43 - GET PARAMETER unknown response:
42 - UNKNOWN unknown response:
40 - SET PILOTS unknown response:
3F - GET STATE unknown response:
3E - UNKNOWN unknown response:
3D - CONF SLEEP unknown response:
3C - GET PACKET SEQNO unknown response:
22 - DISPLAY EMU supported.
04 - PEEK DWORD supported.
03 - PEEK WORD supported.
02 - PEEK BYTE supported.
01 - Show ESN supported.
00 - Version Info supported.
(the phone rebooted many times while doing this test, hence the unknown responses).
I tested more of the options provided by the free version of Revskills and it was kind of funny to see how the keyboard emulator worked, but only for numbers.
After all the reboots and so, i got some hex descriptions for errors in a new folder, called Err. Uploaded a new screenshot from that folder contents.
Easy CDMA just lets you browse the filesystem we already know.... not so much fun.
Little update.
You seem to be able to enter the recovery mode holding the U S B + power option but, as I tried right now, also using "Volume -" + power as stated for other tegra devices. Can't check if that loads ok on the computer, as I don't have the usb cable here right now.
OOPS I made a mistake. I am not seeing anything using windows 7 using u+S+B and power up. Should I disable zune, change registry for zune back to normal etc??
You shouldn't have to because the device has a different hardware id, so the drivers installed for the zune portion aren't applicable. Try turning your phone off, plugging in the usb cable and then using the key combinations. If the new hardware message box doesn't appear, you should still see an unknown device in device manager.
Also you have to hold the u+s+b+power for a few seconds before it will be recognized. When I have done this the screen stays blank on my phone and the only way I know it is working is through Windows.
Using Windows 7 OS. I had to uninstall the zune driver located in portable devices in the device manager then it found new APX device and i was able to point to the NVIDIA driver. Tried ruining the phone (Flashing android to it) as in another thread but it also got stuck on the flashing prompt. Restarted phone normally and the windows found another device and loaded the zune drivers back.
Incidentally, holding the volume down and power on does the same as the U+S+B+Power and is easier on the fingers.
Thanks and keep up the great work.
I again may have spoken too soon. I cannot duplicate the above scenario anymore.
I also can no longer transfer pictures taken with my phone on to my pc. I can add pictures to the phone from pc and back but not the ones taken with the camera. Originally I could with zune software. The folders for uploaded pictures are different than the ones taken with the phone. I really think that I screwed something in the phone up by playing with qpst and others.
I'm not sure about what you did there, but in my testing & curiosity purposes trials, I wasn't able to alter the device (do a write to memory), so I doubt that qpst or the others did it for you.
Also, according to coinflipper notes, the kin has several layers, including the SBL that is the one operating with the os directly (the "Ms Pink bootstrap" device), not the recovery mode, which basically put us handling a modem....
I'm trying some things, but no results yet... gonna take some time....
I have changed the USB password and added contacts (somewhere) while writing to the device using qpst. I changed the password to 000001. Is this a different part of memory I am fooling with?
Thanks
I am not sure. I have no previous experience with any phone deving nor Qualcomm tools. Just pointed what coinflipper said.
I said "basically a modem", cause you got diag(nostics) mode within a com port, and some users (in other posts) showed logs with AT commands.
I'm working with some tools to connect to the device, but using the driver we all got (zune software). Not promising anything, just peeking around some tests.
@mcdietz
Here I pasted a public output of the linux command "lsusb -vv" (ultraverbose) where Kin (factory default settings) values are.
http://pastebin.com/rZscb9wz
Is useful for usb access to the kin. Use at will.
I have been testing usb connections to the kin devices (the ones we used in this forum) and i checked this:
Kin mode (normal Zune mode):
- Using MTP protocol:
-- You can browse files/folders/track related to Zune values using the lib-mtp tools in the system you like.
-- You can format the device (zune related folders) & delete zune files using the lib-mtp tools.
-- You can't download files from the device using the lib-mtp tools (kin doesn't allow you to)
-- You can't upload files to the device using the lib-mtp tools (kin doesn't allow you to)
- Using raw USB:
-- You can Write & Read values to the device (Kin VID 0x045e, PID 0x0641). Protocol allowed: MTP
Of course, Zune software does use this mode and is allowed to write to the filesystem. But that's because before doing so, it uses MTP protocol values to send and receive crypto values based on JANUS from Microsoft (Microsoft DRM for Mobile Devices) and after crypto relationships, the usb commands enable the "Connected" window at the Kin.
Capturing and replaying these values over usb does not work (ever) and does not work for the kin (had to try), so no go-go from here. Also, we cannot know if it would be able (dreaming after bypassing the DRM) to go outside the pictures/music/etc folders.
On the other hand, MTP tools reports that our little friend is able to reproduce the following files:
Firmware file
MediaCard
Abstract Playlist file
Abstract Album file
JPEG file
Microsoft Windows Media Video
MPEG-4 Part 14 Container Format (Audio+Video Emphasis)
Advanced Audio Coding (AAC)/MPEG-2 Part 7/MPEG-4 Part 3
MPEG-4 Part 14 Container Format (Audio Emphasis)
Microsoft Advanced Systems Format
Microsoft Windows Media Audio
ISO MPEG-1 Audio Layer 3
Where firmware is strange and good but the question is... how to upload the firmware files (you can get zune firmwares from the net) to the zune software on the device (and run them)?
It's more interesting when you notice that firmwares contain "Zboot.bin" which is "Tegra device bootloader" but, sadly, doesn't work with nvflash because of what I said below. Those updates are WinCE updates too...
APX mode (nvidia "flashing" mode), with or without Nvidia driver.
- Using nvflash
-- You can't start flashing due to writing to usb error
-- Following attempts block the nvflash and device access.
- Using raw USB:
-- You can't Write or Read values to the device (APX VID 0x0955, PID 0x7416). Protocol allowed: None
This matches the post where coinflipper told us that you cannot dump the rom image.
Microsoft Pink Bootstrap (No driver):
- Using raw USB:
-- You can Write & Read values to the device (Kin VID 0x045e, PID 0x2345). Protocol allowed: Unknown
-- Phone answers "01" to all the write requests i did (from "00" to "FF").
markspace. com/kin/
Here's some software that was developed for it, but I'm guessing it is only client end?
I'm not allowed to link, so assemble the spaces yourself please
The link for the download (direct) , being for Mac(only) is:
http://www.markspace.com/kin/download.php
But you must register to get an activation code from the main page (posted by shlhu). It will need internet access to activate the software during installation and reboot after it.
Requires Itunes (for audio sync), Iphoto (for image, also have started it once), and Quicktime (for video).
I tested it with a fresh installed Snow Leopard and I can say that it works. I dunno how it does (without zune installed), but it works.
Unfortunately, I wasn't able to analyze the usb transmission there, so I can't compare with the windows one. If it can skip the JANUS drm, then we may have a chance. If it is the same process as windows... we are done... lol.

UART Pinout

I finally found some time to inspect the NST board for a spare UART and the search was successful!
The serial port can be accessed on U2713, pin 2 is RX, pin 3 is TX, device node is /dev/ttyS1.
I use it with a 3.3V USB-to-UART adapter, but any voltage between 1.2 and 3.6 should be fine, thanks to the TI voltage-level translator TXB0104.
There is also a second uart connected to J151 (ttyS0), but that one has no voltage-level-translator and runs with 2V. (TX is on pin 9 of J151, no idea where RX is).
I'm still trying to redirect the boot console to ttyS1, i think i have to recompile uboot.
/edit:
Patching u-boot worked, I have the boot console on ttyS1.
Good job!
I wanted to look for this sometime, but you beat me to it.
ttyS0 is for the (cell phone) radio
ttyS1 is for the Bluetooth.
Could the connector place there be for JTAG?
Renate NST said:
> Good job!
> I wanted to look for this sometime, but you beat me to it.
I wanted to do this since my last failed kernel porting attempt. I hope it helps me debugging non successfully booting configurations.
> ttyS0 is for the (cell phone) radio
> ttyS1 is for the Bluetooth.
Is that an actual android standard, or just some leftovers from the reference platform the nst and nook color are based on (the remains in the init.rc)?
> Could the connector place there be for JTAG?
I think the JTAG is more probably on J151 together with ttyS0, than on U2713.
ttyS0 was the standard console, and it would make more sense that the J151 was used as debug-port.
mali100 said:
> The serial port can be accessed on U2713, pin 2 is RX, pin 3 is TX, device node is /dev/ttyS1.
> I use it with a 3.3V USB-to-UART adapter, but any voltage between 1.2 and 3.6 should be fine, thanks to the TI voltage-level translator TXB0104.
Mali,
My USB-to-UART adapter needs 3.3V (to set “upper voltage” level)
Could you help, where can I get it on Nook board?
Renate NST said:
> ttyS0 is for the (cell phone) radio
> ttyS1 is for the Bluetooth.
Do you know any devices that can be connected to these ports? It would be great to enable only Bluetooth or even cell phone.
ApokrifX said:
> Mali,
> My USB-to-UART adapter needs 3.3V (to set “upper voltage” level)
> Could you help, where can I get it on Nook board?
You can use pin 1 of U2713, it's connected to VCCb on the TXB0104. Although the voltage is disabled when the nook sleeps, but that shouldn't be a problem.
mali100 said:
> You can use pin 1 of U2713, it's connected to VCCb on the TXB0104. Although the voltage is disabled when the nook sleeps, but that shouldn't be a problem.
Ok... But it's gotta be 3.3V somewhere, right?
ApokrifX said:
> Ok... But it's gotta be 3.3V somewhere, right?
Quick! Break the laws of physics and pull power from a penny!
I haven't had a driving need to use this until I tried an upgrade to 1.2 and got a boot loop.
There are various versions of u-boot.bin.
The easiest way to patch it is to simply search for ttyS0 and replace the two occurrences with ttyS1.
ttyS0 appears also in env.txt inside uRamdisk (and uRecRam).
I found an old fax that has the 10 pin connector that fits on the Nook.
I might try to put it on. For now I have the soldered wires.
In any case, the 1.2 boot loops and the last message is:
Code:
binder: 988:1039 transaction failed 29189
I've screwed with a lot of things on my Nook, but the "update" should have wiped about everything.
Just a short update:
I soldered in the connector successfully. It looks nice.
The level converter to standard 9 pin "RS-232" is simple and cheesy, 2 resistors and a transistor.
It works fine though. I can see the boot up.
After that I can switch to logcat over ADB over USB.
Here's a really poor photo of my setup.
My next cell phone must have auto-focus and macro mode.
Excellent setup, especially for the ribbon cable! It seems something nice is going to happen in the next days
Just a bit of an update.
If you want to do your own level shifting you've got access to two UARTs.
The MSP stuff is I2C to the MSP430 microprocessor that handles the touch screen.
You could eavesdrop on that and have a little multitouch pad.
I'm still trying to see which of the rest of the pins are for JTAG on U151.
The other 4 pins on U2713 are 3.3 level but don't come from the TXB0104 level shifter.
The JTAG stuff is apparently on the 22 pin, 0.5 mm pitch CON6.
The four side buttons are on CON6 too.
I've looked at this a bit and I've determined that using UART2 is a dead end.
The TXB0104 is neither powered nor enabled until late in the boot sequence.
Using the default UART1 is a much better choice.
Yes, you could modify things to use UART2 over UART1 but it's an uphill battle.
u-boot has a nice command interface where you can do lots of stuff (edited a bit):
Code:
Texas Instruments X-Loader 1.41 (Dec 7 2012 - 14:34:26)
Starting OS Bootloader from EMMC ...
U-Boot 1.1.4-carbon1.2_1.2.1.24^{} (Dec 7 2012 - 14:34:22)
OMAP3630-GP rev 2, CPU-OPP2 L3-165MHz
OMAP3621-Gossamer 1.2 Version + mDDR (Boot NAND)
DRAM: 256 MB
In: serial
Out: serial
Err: serial
Hardware arch: GOSSAMER rev: EVT3
Power button is not pressed
pmic watchdog time 0
Power Button Active
gossamer charger init
Booting from eMMC
OMAP36XX GOSSAMER # help
? - alias for 'help'
autoscr - run script from memory
base - print or set address offset
battery - gas gauge BQ27520 info
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
calc - perform mathematical operation
charger - charger BQ24073 info
clock - Manage system clocks
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
date - get/set/reset date & time
echo - echo args to console
epd tests dspon dspoff image1 image2
exit - exit script
fastboot- use USB Fastboot protocol
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
fatsave - save binary file to a dos filesystem
ggflash - flash bq27500 from .dffs script
go - start application at address 'addr'
gpio - set/display gpio pins
help - print online help
ibatck - used to track battery id
ibus - Select i2c Bus
icrc32 - checksum calculation
iloop - infinite loop on address range
imd - i2c memory display
iminfo - print header information for application image
imm - i2c memory modify (auto-incrementing)
imw - memory write (fill)
inm - memory modify (constant address)
iprobe - probe to discover valid I2C chip addresses
itest - return true/false on integer compare
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mm - memory modify (auto-incrementing)
mmcinit - initialize mmc
mmc - Read/write/Erase mmc
mspflash- used to flash a new msp430 firmware file
mtest - simple RAM test
mw - memory write (fill)
nm - memory modify (constant address)
printenv- print environment variables
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
setenvmem - set environment variable from memory
sleep - delay execution for some time
test - minimal test like /bin/sh
version - print monitor version
OMAP36XX GOSSAMER #
Just adding the battery pinout to the diagram for completeness.
Excellent! I recently bought a JTAG (http://www.ebay.co.uk/itm/Altera-FP...al_Components_Supplies_ET&hash=item257fc5c582)
I will give it a go... is there anything you'd like me to do?
Cheers
Here's a quick hack to talk to uboot over UART2
Edit: all that's different is enabling the TXB0104 by setting gpio 37 high instead of low,
and redefining the uarts so 2 is used instead of 1.
It includes the OP's patch so kernel logs show after boot also.
This second version fixes autoboot. UART2 gets a spurious byte which needs to be cleared otherwise autoboot never works.
This patch is meant to be applied without the first one, I put the uart numbers back to normal and just changed the index of which gets used for console.
I also enabled ^C checking for the case where bootdelay is zero, so you can't lock yourself out of u-boot by messing with the env variables. (Guess why I decided to do this?)
NB: There is a third uart, uart3. one of the sets of pins it can be muxed onto are the usbhs0_data0 and 1 pins.
these go to the tps65921, which also has a uart mode , whereby we could have uart access over the usb pins without cracking the case.
droid phones had something similar, called emu-uart. i will look into this more when i get a nook with a working usb port.

Hubitat Elevation [C7] rooting guide

Hubitat Elevation is a smart home hub (Z-Wave/Zigbee/IP). The primary advantage of the device compared to numerous commercial products is its ability to work without a cloud connection. Unfortunately, Hubitat folks restricted access to the device, so out of the box your tinkering abilities are virtually non-existent. We're going to fix this in this rooting guide.
Hubitat Elevation hardware is built around Amlogic A113X SoC, and it is very similar to Amlogic s420 and s400 boards. It is based on a standard Android architecture and it runs linaro. The bootloader is U-Boot, but the boot timeout is set to zero, so you cannot get to the U-Boot shell/console.
To root the device using this method you will need:
- 3.3v USB to serial adapter
- Some electronics skills
- Linux/Development skills
(Apologies, this guide is not a step-by-step process for unskilled users)
Rooting Hubitat Elevation C7:
- Open your Hubitat Elevation (there are 4 screws on the bottom under rubber pads). Exactly in the middle of the board, you will see an unmarked test point. This is the recovery/bootloader mode switch. If you connect it to the ground and then plug the device into a USB port, your computer should detect a new USB device (Amlogic bootloader port).
- On the component side of the board, find four test points in a row (marked 2TP1.. 2TP4). This is the Amlogic UART. 2TP2 is RX, 2TP3 is TX (115200,8,N,1). Use a 3.3v USB to serial adapter to connect. If properly connected, you will be able to see the boot log and interact with the console.
- You can use pyamlboot to boot from USB. Boot images can be generated using meta-meson (github.com/superna9999/meta-meson). Elevation C4 uses Amlogic A113X, so you need to build for Amlogic s420 or Amlogic s400 board. You need, at a minimum, to build two USB bootloader files (u-boot.bin.usb.bl2 and u-boot.bin.usb.tpl) for pyamlboot.
- Booting U-boot over USB using pyamlboot will get you into the u-boot console. From there you can boot a Linux kernel from USB, MMC, or set bootdelay for Hubitat's u-boot so you can interrupt Hubitat's U-boot and get access to its console.
- To set the bootdelay option for Hubitat's u-boot, just read the environment located at MMC offset 0x27400000 (or MMC block #0x13A000) into memory, edit bootdelay, and write it back to the MMC. This will get you access to Hubitat's uboot console.
- Boot Linux from boot or recovery partitions with an edited command line that gives you shell access.
- Once you get root shell, just create a new user, add it to /etc/sudoers, and remove iptables rule in /etc that blocks inbound SSH port. You will not be able to log in to Hubitat Elevation over SSH.
Enjoy the tinkering freedom!
P.S.: Anyone with a password cracker and a beefy GPU, please recover passwords for root and hub users from MD5 hashes in /etc/shadow
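The environment step in the guide above relies on U-Boot's stored environment layout: a CRC32 followed by NUL-separated name=value strings, so a changed bootdelay is only accepted if the CRC is recomputed. The following is an added example, not code from the original post or from Hubitat; it assumes a non-redundant, little-endian, 64 KiB environment and mainline U-Boot bootdelay semantics, and its sample variables are constructed.

```python
import struct
import zlib

SECTOR = 512
ENV_OFFSET = 0x27400000  # byte offset of the environment on the eMMC (from the guide)
ENV_BLOCK = 0x13A000     # the same location as a 512-byte block number (from the guide)
ENV_SIZE = 0x10000       # ASSUMPTION: 64 KiB image; the guide does not state the size


def parse_env(blob):
    """Parse a non-redundant U-Boot environment image into (variables, crc_ok)."""
    if len(blob) < 5:
        raise ValueError("environment image too short")
    (stored_crc,) = struct.unpack_from("<I", blob, 0)  # ASSUMPTION: little-endian
    data = blob[4:]
    crc_ok = stored_crc == (zlib.crc32(data) & 0xFFFFFFFF)
    env = {}
    for entry in data.split(b"\0"):
        if not entry:  # an empty string terminates the variable list
            break
        name, sep, value = entry.partition(b"=")
        if not sep or not name:
            raise ValueError(f"malformed entry: {entry[:32]!r}")
        env[name.decode("latin-1")] = value.decode("latin-1")
    return env, crc_ok


def build_env(env, size=ENV_SIZE):
    """Serialise variables and prepend the CRC32 of the padded data area."""
    body = b""
    for name, value in env.items():
        if not name or "=" in name or "\0" in name or "\0" in value:
            raise ValueError(f"invalid variable: {name!r}")
        body += f"{name}={value}".encode("latin-1") + b"\0"
    body += b"\0"
    if len(body) > size - 4:
        raise ValueError("variables do not fit in the environment")
    data = body.ljust(size - 4, b"\0")
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) + data


def autoboot_policy(env):
    """Describe what bootdelay means for reaching the prompt (mainline semantics)."""
    try:
        delay = int(env["bootdelay"])
    except (KeyError, ValueError):
        return "unknown"
    if delay > 0:
        return "countdown"      # a key press during the countdown stops autoboot
    if delay == 0:
        return "no-countdown"   # boots immediately, the state the guide describes
    if delay == -1:
        return "autoboot-off"   # always stops at the prompt
    return "no-abort-check"     # -2: boots without checking for a key press


def demo():
    # Constructed sample variables, not a dump from a real hub.
    sample = {"baudrate": "115200", "bootcmd": "run storeboot", "bootdelay": "0"}
    image = build_env(sample)
    env, crc_ok = parse_env(image)
    original = (autoboot_policy(env), crc_ok)

    # Changing a byte in place leaves the stored CRC stale; U-Boot treats such
    # an image as corrupt and falls back to its compiled-in default environment.
    pos = image.index(b"bootdelay=0") + len(b"bootdelay=")
    stale_env, stale_ok = parse_env(image[:pos] + b"3" + image[pos + 1:])

    # Re-serialising recomputes the CRC over the whole data area.
    env["bootdelay"] = "3"
    rebuilt_env, rebuilt_ok = parse_env(build_env(env))
    return {
        "original": original,
        "stale": (autoboot_policy(stale_env), stale_ok),
        "rebuilt": (autoboot_policy(rebuilt_env), rebuilt_ok),
    }


if __name__ == "__main__":
    print(hex(ENV_OFFSET // SECTOR), demo())
```

Run against a saved copy of the environment area, parse_env also serves as a check that a unit's stored bootdelay and CRC are what the vendor shipped.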
I'm looking to go through this now but I have an older Hubitat version. I'd assume the process will be similar though. Is this something that would work for connect to the UART? https://www.amazon.com/Adapter-Seri...+USB+to+serial+adapter&qid=1608139326&sr=8-15
Does anyone have a dump of the firmware?
I have made some progress using the main post as a jumping off point. If anyone is interested in this board message me. I would love to work on this with someone. I am new to hardware hacking.

Does anybody know how to make use of UART points on the board for kernel debugging?

I have no access to adb while booting. When I get a serial connection it's the primary bootloader's output; when it switches to kernel I get nothing.
I have tried changing kernel's cmdline to use ttyHS0 instead of ttyMSM0 but no luck.
Turns out you don't need a serial output to read a failed kernel log. If your kernel version is above 3.9 there's something called pstore driver which copies kernel output to a temporary location on ram which you can access via locating to /sys/fs/pstore/.
