Posts by permheaddamage

permheaddamage

I got a hint from apritzel of adding earlycon to bootargs.

Now I get this output:

Code

petrel-p1:/ $ su
petrel-p1:/ # insmod /storage/1803-1707/bootsd.ko
INFO:    BL3-1: Next image address = 0x93b00000
INFO:    BL3-1: Next image spsr = 0x3c5


U-Boot 2022.10 (Jul 09 2023 - 11:53:35 +0000) Allwinner Technology

CPU:   Allwinner H6 (SUN50I)
Model: Beelink GS1
DRAM:  1 GiB
Core:  53 devices, 17 uclasses, devicetree: separate
WDT:   Not starting watchdog@7020400
MMC:   mmc@4020000: 0, mmc@4022000: 1
Loading Environment from FAT... ** Bad device specification mmc 1 **
In:    serial@5000000
Out:   serial@5000000
Err:   serial@5000000
Net:   No ethernet found.
Hit any key to stop autoboot:  0
switch to partitions #0, OK
mmc0 is current device
Scanning mmc 0:1...
Found /extlinux/extlinux.conf
Retrieving file: /extlinux/extlinux.conf
1:      LibreELEC
Retrieving file: /KERNEL
append: boot=UUID=1803-1707 disk=UUID=e74196e7-acc6-47fe-9d35-e547de3eae47 quiet console=ttyS0,115200                 console=tty1 earlycon=uart,mmio32,0x05000000 memmap=128M@0x48000000
Retrieving file: /sun50i-h6-beelink-gs1.dtb
Moving Image from 0x40080000 to 0x40200000, end=417c0000
## Flattened Device Tree blob at 8fa00000
   Booting using the fdt blob at 0x8fa00000
   Loading Device Tree to 0000000089ff4000, end 0000000089fffb09 ... OK

Starting kernel ...

[    0.000000] Unable to handle kernel ttbr address size fault at virtual address 0000000040d84520
[    0.000000] Mem abort info:
[    0.000000]   ESR = 0x0000000086000000
[    0.000000]   EC = 0x21: IABT (current EL), IL = 32 bits
[    0.000000]   SET = 0, FnV = 0
[    0.000000]   EA = 0, S1PTW = 0
[    0.000000]   FSC = 0x00: ttbr address size fault
[    0.000000] [0000000040d84520] user address but active_mm is swapper
[    0.000000] Internal error: Oops: 0000000086000000 [#1] PREEMPT SMP
[    0.000000] Modules linked in:
[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.1.19 #1
[    0.000000] Hardware name: Beelink GS1 (DT)
[    0.000000] pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    0.000000] pc : 0x40d84520
[    0.000000] lr : paging_init+0x44c/0x598
[    0.000000] sp : ffff8000093f3d10
[    0.000000] x29: ffff8000093f3d10 x28: ffff800008f42000 x27: 0000000000000007
[    0.000000] x26: 0000000040210000 x25: ffff80000948ddb8 x24: ffff800008fc5c54
[    0.000000] x23: ffff80000954b000 x22: ffff800008f42000 x21: ffff800008fb2000
[    0.000000] x20: 00007ffff93b3000 x19: 0000000040d84520 x18: fffffbfffda39000
[    0.000000] x17: 0000000000000000 x16: 0000000000000000 x15: 00000000411c0000
[    0.000000] x14: 0040000000000041 x13: 0040000000000001 x12: ffffffffc11c0000
[    0.000000] x11: fffffbfffda39e00 x10: 0068000000000703 x9 : 0000000080000000
[    0.000000] x8 : 0000000000000001 x7 : 0068000000000f03 x6 : 0000000000000080
[    0.000000] x5 : 0000ffffc1220000 x4 : 0001000000000000 x3 : ffff800008f42000
[    0.000000] x2 : 0000000000000000 x1 : 00000000417b1000 x0 : 00007ffff93b3000
[    0.000000] Call trace:
[    0.000000]  0x40d84520
[    0.000000]  setup_arch+0x240/0x534
[    0.000000]  start_kernel+0x80/0x61c
[    0.000000]  __primary_switched+0xb4/0xbc
[    0.000000] Unable to handle kernel ttbr address size fault at virtual address 0000000040d84510
[    0.000000] Mem abort info:
[    0.000000]   ESR = 0x0000000096000000
[    0.000000]   EC = 0x25: DABT (current EL), IL = 32 bits
[    0.000000]   SET = 0, FnV = 0
[    0.000000]   EA = 0, S1PTW = 0
[    0.000000]   FSC = 0x00: ttbr address size fault
[    0.000000] Data abort info:
[    0.000000]   ISV = 0, ISS = 0x00000000
[    0.000000]   CM = 0, WnR = 0
[    0.000000] [0000000040d84510] user address but active_mm is swapper

Display More

I called disable_nonboot_cpus() in stock kernel to shutdown all other core before jumping into new uboot.

ATF has reserved 16M secure memory at 0x48000000~0x49000000 which is not accessible by EL1. For convenience I configured CFG_SYS_SDRAM_BASE 0x80000000 and memory size 1GB. I also add /memreserve/ in dts file to leave this hole alone.

permheaddamage

Quote from jernej

permheaddamage as I said, secure boot is totally out of my league, but there are people on IRC (#linux-sunxi at OFTC) who researched it and are probably able to help you.

Thanks Jernej,

After I enabled CONFIG_POSITION_INDEPENDENT in uboot config and added a function to disable icache/mmu:

Code

ENTRY(save_boot_params)
    mrs    x0, sctlr_el1
    bic    x0, x0, #1 << 2       // clear SCTLR.C
    bic    x0, x0, #1            // clear mmu
    msr    sctlr_el1, x0
    isb
    b    save_boot_params_ret    /* back to my caller */
ENDPROC(save_boot_params)

I am able to boot this modified LE uboot. It has some problem to get information from the incompatible sunxi SPL.

At least it can load the kernel file from sd card and boot it. But it stopped at that "Starting Kernel". Now it's time to see what's wrong with Kernel.

Basicall I am using the stock firmware as a giant bootloader.. Now the sequence is:

BL31: Stock SPL(zidoo signed)

BL33: Stock Uboot(zidoo signed)

Stock Kernel(zidoo signed), Now it's like BL34?

LE Uboot(non secure), maybe BL35...

LE Kernel(non secure)

permheaddamage

all right, at least the uart0 helloworld bin works

sunxi-tools/uart0-helloworld-sdboot.c at master · linux-sunxi/sunxi-tools

A collection of command line tools for ARM devices with Allwinner SoCs. - sunxi-tools/uart0-helloworld-sdboot.c at master · linux-sunxi/sunxi-tools

github.com

So at least I can make this ko load vmlinux into multiple pages of physical memory, then make a bootloader to assemble those page to 0x40008000...

But first I will see whether I can make it jump to mainline uboot. (NOPE, mainline uboot is designed to start from EL3, but now I only have EL1)

permheaddamage

Update: I am able to use a ko to trigger EL3 firmware's boot from another address.

This is my code:

Code

#define ARM_SVC_RUNNSOS                         0x8000ff04
static int sunxi_boot(phys_addr_t addr)
{
    return invoke_smc_fn(ARM_SVC_RUNNSOS, addr, 0, 0);
}

static int __init boot_init(void)
{
    printk("blob virt:0x%lx\n", bin2c_u_boot_spl_bin);
    maddr = __get_free_pages(GFP_KERNEL,get_order(32768));
    if(maddr)
    {
        printk("vmalloc_virt=0x%lx\n", maddr);
        printk("vmalloc_phys=0x%lx\n", virt_to_phys(maddr));
        memcpy(maddr, bin2c_u_boot_spl_bin, sizeof(bin2c_u_boot_spl_bin));
        sunxi_boot(virt_to_phys(maddr));
    }
    return 0;
}

Display More

invoke_smc_fn is defined at:

drivers/char/sunxi-sysinfo/smc_call.S · 南宁橡芮科技有限公司/H6-BSP3.10-linux - Gitee

Allwinner H6 BSP linux 3.10

gitee.com

It sends an interrupt to EL3 and make the handler erase EL1 state and boot a new EL1 system.

EL3 Handler is at:

H6-BSP4.9-brandy/arm-trusted-firmware-1.0/services/arm/arm_svc_setup.c at ceec41bced9047a61df5caa6322376dd278aac6f · Allwinner-Homlet/H6-BSP4.9-brandy

beta version, not final release. Contribute to Allwinner-Homlet/H6-BSP4.9-brandy development by creating an account on GitHub.

github.com

I use the LE u-boot-spl.bin as boot image, but it seems not working..

Do not know whether it is wrong image format or wrong memory operation. Perhaps spl is built non-relocatable and must be put to a fixed address to start?

Or I should try vmlinux binary directly? vmlinux is so big, I must find a contigus 22mb memory in physical memory.. kernel virtual address is killing me...

permheaddamage

After a lot of reading on Allwinner's secure boot documents and source code, I find something interesting:

1. An old thread

H3-Soc boot rom security & E-Fuse

Hi, I bought nanopi_neo boards (for my hobby projects). I am learning about security. I am able to dump e-Fuse area at uboot stage. But i can't modify it (i…

forum.armbian.com

Spitfire says after he flashes all 0xff to H3's rotpk efuse, it boots. Efuse is OTP, I can not revert my efuse to 0, but I should be able to flash it again to all 0xff. Hope it also works for H6.

2. There is a kernel driver sunxi-sysinfo in the 3.10 kernel source code which matches my board:

https://gitee.com/nnxr/H6-BSP3.1…r/sunxi-sysinfo
This driver exposes a file device /dev/sunxi_soc_info and 2 chararcter classes /sys/class/sys_info + /sys/class/key_info

I tested on my board, all 3 works fine. I can get all information it is designed to give. Write function is not exposed.

This driver uses standard arm instruction "smc #0" to switch from EL1(Kernel) to EL3(TEE).

3. I find a EL3 smc handler source code of Allwinner
https://github.com/Allwinner-Homl…vc_setup.c#L221

If my board's EL3 firmware is compiled from this source code, that means I should be able to invoke smc command ARM_SVC_EFUSE_WRITE to write efuse.

4. My board does not check Kmod's signature. So I can modify this sunxi-sysinfo driver, add some new API to invoke a smc call to write all 0xff to rotpk, compile and insmod to run it..

5. If I succeeded, stock fw would be dead because sunxi spl only ignores rotpk if it is all 0 when it switches to uboot:

https://github.com/Allwinner-Homl…rom_main.c#L591
Mainline uboot-with-spl should be OK because it uses other security design.

Of course if the chip planted sbrom is doing the same thing as this spl sbrom, the board would be a brick..

permheaddamage

Quote from VLouis

Hi, usually the e-fuse is OTP type ("Electrical Fuse, A one-time programmable memory"), can be write only once. I don't have the documentation of that Allwinner SOC, is not impossible to be in this case is something different, but usually this is the way how the e-fuse works.

Tried it. I am not able to access SID in Linux even when I am root. devmem always return 0 for the registers.

Guess this is expected because OPTEE is designed to act like this..

There is a key file in root folder but it is a public key and purpose is unknown.

Code

petrel-p1:/ $ cat /rsa.pk
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnmf9BzIu+lpk5Kmo3yzh
ZuGGP1pBRmZS1112Q2nEESsdcLlXGKNcAdbWsH+ZAKSXnDecUFJ+kuPvnXUsWNev
QT7vuxEgxBX20wch+CL66RTzMSgtqWy6eO79y2uMVrmv4Kz0tSpzTZs8tVfRvKp4
3wpiofNMxzYjj3X3hWPfSoFpKKWZepbyutla1lveySwhey2Xv6aB7PSXg5xKXGsp
AhE+fuUvBqCfUiit84AGbno5B/oYtgm0/R/7viOeQoooIpBJO3IqRxM1HqVrPepK
OFxA99iybTmJkqatWm8na7ZqTz6/vLYVHVLMNl8/b88KOeLPyVIt3qeM9m7TU8IS
nQIDAQAB
-----END PUBLIC KEY-----

permheaddamage

Another thought: Since that user "petrel-p1" in serial console of stock fw has root previlege, maybe I can compile a Linux executable to play with efuse there.

If the efuse can be written again, I can write secure boot control bit 0 to disable it.

permheaddamage

Last try：

Built a beelink gs1 image with one line "CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0=y" attached to uboot config:

LibreELEC.tv/projects/Allwinner/bootloader/config at master · LibreELEC/LibreELEC.tv

Just enough OS for KODI. Contribute to LibreELEC/LibreELEC.tv development by creating an account on GitHub.

github.com

Plus a patch file to make the TOC0 key item has the same vendor id I extracted from stock fw upgrade tf card.

Diff

--- /tools/sunxi_toc0.c    2023-06-26 13:28:52.150080327 +0000
+++ /tools/sunxi_toc0.c    2023-06-26 13:28:25.507170419 +0000
@@ -207,6 +207,7 @@
                 RSA *root_key, RSA *fw_key)
 {
     struct toc0_key_item *key_item = (void *)buf;
+    key_item->vendor_id = 0x00EFE800;
     uint8_t digest[SHA256_DIGEST_LENGTH];
     int ret = EXIT_FAILURE;
     unsigned int sig_len;

During building it asks for a private key file

build.LibreELEC-H6.arm-11.0-devel/build/u-boot-2022.10/root_key.pem

I have to manually generate a RSA key and hope Zidoo left public key empty in efuse.

The generated image is correctly packed with TOC0 header, and makes the board go into FEL mode...

So this is a secured board and I give up. Damn..

Thank you jernej

permheaddamage

What I find today:

1. sunxi-fel can get this information by "version" command:

AWUSBFEX soc=00001728(H6) 00000001 ver=0001 44 08 scratchpad=00027e00 00000000 00000000

"version" command only works once after power on, then board is dead and do not accept any next command. Replug usb will get error saying device is not reporting its id.

Any other command will put it into same state even when 1st time I run it. Wondering whether this is because I am using windows 11.

2. Stock firmware TF card has TOC0 header uboot. I built a H6 LE 11.0.1 image and find the u-boot-sunxi-with-spl.bin in build folder(It seems to be tanix tx6 bin because it is compiled last and has overwritten all previous ones). I tried to convert it to TOC0 header using scripts at:

TOC0 - linux-sunxi.org

With this Sd card, it stopped booting from emmc and went into fel mode...

Does this mean zidoo has enabled secure boot in efuse and it is not worthy to dig deeper...

permheaddamage

Quote from jernej

did you unzip it before flashing?

Yes I tried both gz and img files with multiple tools..

LE sd creator, usbimager, etcher

permheaddamage

There is a usb2.0 type a port marked by "USB/OTG" on the box shell.

By pressing “2” in serial console or pressing the hardware button on the board next to flash chip while power on, it can enter the fel mode.

With a usb a-c cable to my computer, Windows device manager shows an unknown device "USB\VID_1F3A&PID_EFE8&REV_02;3"

Studying how to install sunxi-tools to windows..

maybe I can use my nanopc-t4 with armbian to run sunxi-tools

permheaddamage

It turns out Zidoo changed design in 2018...

Those 2017 pictures are with DDR4 ram, but my "China Version" has DDR3 ram, exactly same chip as Beelink GS1.

UART is already popped out so I saved some soldering work. BTW, TX/RX are actually reversed.

This is the uart log:

Code

[295]HELLO! BOOT0 is starting!
[298]sbrom commit : fe74891e7937253e1c219626615607da4ad37a02

[315]PMU: AXP806
[317]vdd-sys vol:980mv
[320]set pll start
[322]set pll end
[324]try to probe rtc region
[326]rtc[0] value = 0x00000000
[329]rtc[1] value = 0x00000000
[332]rtc[2] value = 0x00000000
[335]rtc[3] value = 0x00000000
[338]rtc[4] value = 0x00000000
[341]rtc[5] value = 0x00000000
[344]flag=0x00000000
[346]DRAM VERSION IS V2_5
[349]PMU:Set DDR Vol 1200mV OK.
[352]DRAM CLK =912 MHZ
[354]DRAM Type =7 (3:DDR3,4:DDR4,6:LPDDR2,7:LPDDR3)
[359]DRAM zq value: 003b3bfb
[365]IPRD=00580058--PGCR0=00000f5d--PLL=b0004b00
[370]DRAM SIZE =2048 M,para1 = 000030fa,para2 = 08001000
[378]DRAM simple test OK.
[381]init dram ok, size=2048M
[384]init heap
[385][mmc]: mmc driver ver 2017-03-14 13:56
[390][mmc]: mmc 2 bias 00000004
[398][mmc]: ***Try MMC card 2***
[419][mmc]: MMC 5.0
[421][mmc]: HSDDR52/DDR50 4 bit
[424][mmc]: 50000000 Hz
[427][mmc]: 15028 MB
[429][mmc]: ***SD/MMC 2 init OK!!!***
[553]read toc1 from emmc 32800 sector
[556]OLD version: 0.0
[558]NEW version: 0.0
[561]probe root certif
[566]enter the two key ladder pk check!
[571]certif valid: the root key is valid
[817]find scp key stored in root certif
[828]set arisc reset to de-assert state
[950]find monitor key stored in root certif
[955]ready to run monitor
[1078]find optee key stored in root certif
[1086]ready to run optee
[1209]find boot key stored in root certif
[1334]find recovery key stored in root certif
[1460]find u-boot key stored in root certif
[1482]ready to run u-boot
[1487]sbromsw_toc1_traverse find out all items
[1491]monitor entry=0x48000000
[1494]uboot entry=0x4a000000
[1497]optee entry=0x48600000
[1500]0xffffffff 0xffffffff
[1503]0xff18ffff 0xffffffff
[1506]0xff0e14ff 0xffffffff
[1508]0x1718ffff 0xffffff18
[1511]0x0e22ffff 0xffffffff
[1514]0x1a1affff 0xffffffff
[1519]drm_region_ofs = 944, bitmap_ofs = 241664, bitmap_write_len = 20480
[1526]storage_type=2
[1528]dram = 2048 M
INFO:    Configuring SPC Controller
NOTICE:  BL3-1: v1.0(debug):7408d88
NOTICE:  BL3-1: Built : 20:42:28, Aug 29 2017
NOTICE:  BL3-1 commit: 7408d88f80cb14038350a8f55a280fd0c4caf626

INFO:    BL3-1: Initializing runtime services
NOTICE:  secure os exist
INFO:    BL3-1: Initializing BL3-2
INFO:    BL3-1: Preparing for EL3 exit to normal world
INFO:    BL3-1: Next image address = 0x4a000000
INFO:    BL3-1: Next image spsr = 0x1d3


U-Boot 2014.07 (Sep 27 2017 - 11:02:27) Allwinner Technology

uboot commit : f1305b8180811ad316c35a2fcc8341c2b12c34fe

secure enable bit: 1
secure mode: with secureos
I2C:   ready
[1.585]pmbus:   ready
u0:f8441b39
[1.585][ARISC] :arisc initialize
[1.609][ARISC] :arisc para ok
[SCP] :sunxi-arisc driver begin startup 2
[SCP] :arisc version: [v0.3.13]
[SCP] :sunxi-arisc driver v1.10 is starting
[1.623][ARISC] :sunxi-arisc driver startup succeeded
[1.624]PMU: AXP806
[1.624]PMU: AXP806 found
[1.624]bat_vol=0, ratio=0
axp=axp806, supply=bldo2, vol=1800
axp=, supply=, vol=0
[1.628]set power on vol to default
[1.628]dcdca_vol = 1000, onoff=1
[1.632]aldo2_vol = 3300, onoff=1
[1.636]find power_sply to end
[1.640]dcdca_vol = 1100, onoff=1
[1.641]PMU: cpux 888 Mhz,AXI=296 Mhz
PLL6=600 Mhz,AHB1=200 Mhz, APB1=150Mhz MBus=400Mhz
DRAM:  2 GiB
[1.643]fdt addr: 0xb6ccef20
[1.643]gd->fdt_size: 0x187a0
Relocation Offset is: 75d77000
gic: sec monitor mode
[box standby] read rtc = 0x0
[box standby] start_type = 0x1
[box standby] to kernel
ir boot recovery not used
[1.753][key recovery] no key press.
[1.753]power on cpu1
[1.753][cpu1]task entry
[1.753][cpu1]PowerBus = 0( 2:vBus 3:acBus other: not exist)
[1.753][cpu1]no battery exist
[1.753]start
[cpu1]drv_disp_init
[cpu1]init_clocks: finish init_clocks.
[1.763]power on cpu2
workmode = 0,storage type = 2
[1.763]MMC:      2
[1.763][mmc]: mmc driver ver 2017-09-4 10:12:00
[1.763][cpu2]task entry
[1.764][cpu1]HDMI 2.0 driver init start!
[1.765][cpu2]ready to work
[1.766][mmc]: get sdc_ex_dly_used 2, use auto tuning sdly
[cpu1]__clk_enable: clk is null.
[1.776][mmc]: card2 io is 1.8V.
[1.779][cpu1]hdmi cec clk enable failed!
[1.782][mmc]: get sdc2 sdc_tm4_hs200_max_freq 150.
[1.785][cpu1]enable ddc_scl pin
[1.790][mmc]: get sdc2 sdc_tm4_hs400_max_freq 100.
[1.793][cpu1]enable ddc_sda pin
SUNXI SD/MMC: 2[1.800][cpu1]enable hmid cec pin

[1.810][mmc]: media type 0x8000000
[1.810][mmc]: Try MMC card 2
[1.811][cpu2]cpu 2 enter wfi mode
[1.829][mmc]: host caps: 0x1ef
[1.829][mmc]: MID 000011 PSN 63cb2e71
[1.829][mmc]: PNM 016G70 -- 0x30-31-36-47-37
[1.829][mmc]: PRV 0.0
[1.829][mmc]: MDT m-12 y-2017
[1.829][mmc]: MMC v5.0
[1.830][mmc]: bus_width      : 8 bit
[1.833][mmc]: user capacity  : 15028 MB
[1.837][mmc]: SD/MMC 2 init OK!!!
[1.841][mmc]: Best spd md: 4-HS400, freq: 3-100000000
[1.845][mmc]: EOL Info(Rev blks): Normal
[1.848][mmc]: Wear out(type A): [1.851][mmc]: 0%-10% life time used
[1.854][mmc]: Wear out(type B): [1.857][mmc]: Not defined
[1.859][mmc]: End mmc_init_boot
[1.862]sunxi flash init ok
used mbr [0], count = 15
[1.867]try to burn key
read item0 copy0
the secure storage item0 copy0 is good
no item name key_burned_flag in the map
sunxi storage read fail
sunxi secure storage has no flag
[1.883]usb burn from boot
delay time 0
[1.892]usb prepare ok
[cpu1]pwm_request: reg = 0x300a000. pwm = 1.
[cpu1]request pwm success, pwm = 1.
[cpu1]speed=200000, slave=16
[cpu1]drv_disp_init finish
[cpu1]name in map hdcpkey
[cpu1]the secure storage item1 copy0 is good
[cpu1]len=4096
[cpu1]name=hdcpkey
[cpu1]len=288
[cpu1]encrypt=1
[cpu1]write_protect=0
[cpu1]******************
[cpu1]push hdcp key finish!
[cpu1]get format[40a] for type[4]
[cpu1]get format[20b] for type[2]
[cpu1]main-hpd:count=1,sel=0,type=4
[cpu1]invalid display config
[cpu1]edid all null
[cpu1]save_int_to_kernel disp.tv_vdid(0x0) code:<no error>
[2.137][cpu1][HDMI2.0]CEA VIC=16: [2.140][cpu1]1920x1080p[2.142][cpu1]@60 Hz [2.144][cpu1]16:9, [2.145][cpu1]0-bpp [2.147][cpu1]YCbCr-444
[2.149][cpu1]BT709
[2.262][cpu1]attched ok, mgr0<-->dev0
[2.262][cpu1]type,mode,fmt,bits,eotf,cs=4,10,yuv444,undef,0,257
[cpu1]save_int_to_kernel disp.boot_disp(0x40a) code:<no error>
[cpu1]save_int_to_kernel disp.init_disp(0x20b0000) code:<no error>
[cpu1]invalid display config
[cpu1]save disp device failed
[cpu1]size=0x384000, ram_size=0x80000000, FRAME_BUFFER_SIZE=0x1000000
[2.272]end
[cpu1]advert_enable not set
[cpu1]save_string_to_kernel disp.boot_fb0(bf000000,500,2d0,20,1400,0,0,500,2d0). ret-code:<no error>
[2.284][cpu1]boot logo from boot_package/toc1 item display ok
[2.340][cpu1]cpu 1 enter wfi mode
[2.693]overtime
[2.696]do_burn_from_boot usb : no usb exist
--------fastboot partitions--------
-total partitions:15-
-name-        -start-       -size-
bootloader  : 1000000       1000000
env         : 2000000       1000000
boot        : 3000000       2000000
system      : 5000000       60000000
verity_block: 65000000      1000000
misc        : 66000000      1000000
recovery    : 67000000      2000000
sysrecovery : 69000000      60000000
private     : c9000000      1000000
alog        : ca000000      4000000
Reserve0    : ce000000      1000000
Reserve1    : cf000000      2000000
Reserve2    : d1000000      1000000
cache       : d2000000      30000000
UDISK       : 2000000       0
-----------------------------------
not suppert programmer
base bootcmd=run setargs_nand boot_normal
bootcmd set setargs_mmc
misc partition found
[2.755]to be run cmd=run setargs_mmc boot_normal
mac string is 00:00:00:00:00:00
no item name wifi_mac in the map
sunxi storage read fail
no item name bt_mac in the map
sunxi storage read fail
no item name selinux in the map
sunxi storage read fail
no item name specialstr in the map
sunxi storage read fail
check user data form private
updataed mac = 80:0A:80:52:47:C4
[2.788][mmc]: hsddr 2-50000000
[2.790][mmc]: hs200 4-150000000
[2.793][mmc]: hs400 3-100000000
[2.796][mmc]: get max-frequency ok 150000000 Hz
[2.800][mmc]: 0 0 0: 0 0 0
[2.802][mmc]: get max-frequency ok 100000000 Hz
[2.810]drm_base=0xbb000000
[2.810]drm_size=0x5000000
[2.812]update dtb dram start
[2.815]update dtb dram  end
serial is: 0c000141091e3c2c058b
name in map widevine
the secure storage item2 copy0 is good
len=4096
name=widevine
len=128
encrypt=1
write_protect=1
******************
[2.832]key install finish
Net:   phy_mode=rgmii, phy_interface=6
eth0
Warning: failed to set MAC address

[2.845]inter uboot shell
Hit any key to stop autoboot:  0
[2.847]read partition: boot or recovery
[2.958]sunxi flash read :offset 3000000, 18272099 bytes OK
Kernel load addr 0x40080000 size 13490 KiB
Kernel command line: selinux=1 androidboot.selinux=enforcing cma=64M, use it to update bootargs
RAM disk load addr 0x41000000 size 3330 KiB
total_len=17225728
task_id is 0
xx is 0
xx is 0
xx is 0
xx is 0
xx is 0
xx is 0
xx is 0
xx is 0
xx is 0
xx is 0
task_id is 0
task_id is 0
xx is 0
xx is 0
xx is 0
xx is 0
xx is 0
xx is 0
xx is 0
xx is 0
xx is 0
xx is 0
[3.253]ready to boot
[3.253]check cpu power status
[3.253]cpu2 has poweroff
[3.253]cpu1 has poweroff
[3.257]prepare for kernel
[3.257]check cpu power status
[3.257]cpu2 has poweroff
[3.257]cpu1 has poweroff
[3.257][mmc]: mmc exit start
[3.280][mmc]: mmc 2 exit ok
[3.280]
Starting kernel ...

INFO:    BL3-1: Next image address = 0x40080000
INFO:    BL3-1: Next image spsr = 0x3c5
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 3.10.65 (hepeng@ZidooServer) (gcc version 4.9.3 20150113 (prerelease) (Linaro GCC 4.9-2015.01-3) ) #1 SMP PREEMPT Fri Jan 12 15:58:57 CST 2018
[    0.000000] CPU: AArch64 Processor [410fd034] revision 4
[    0.000000] Machine: sun50iw6
[    0.000000] bootconsole [earlycon0] enabled
petrel-p1:/ $

Display More

Insert LE tf card will get me same uart output and still boot into Android on internal emmc at /dev/block/mmcblk0.

The LE card is recognized by the stock firmware at /dev/block/mmcblk1. It is not mounted in the console display printed by "df -h", but can be seen in Android file manager.

I am going to create a card with phoenixcard and see what's the magic there..

stock firmware image tf card written by phoenixcard will get this boot message:

Code

[337]HELLO! BOOT0 is starting!
[340]sbrom commit : fe74891e7937253e1c219626615607da4ad37a02

[357]PMU: AXP806
[359]vdd-sys vol:980mv
[362]set pll start
[364]set pll end
[366]try to probe rtc region
[368]rtc[0] value = 0x00000000
[371]rtc[1] value = 0x00000000
[374]rtc[2] value = 0x00000000
[377]rtc[3] value = 0x00000000
[380]rtc[4] value = 0x00000000
[383]rtc[5] value = 0x00000000
[386]flag=0x00000000
[388]DRAM VERSION IS V2_5
[391]PMU:Set DDR Vol 1200mV OK.
[394]PMU:Set DDR Vol 1200mV OK.
[412]DRAM CLK =912 MHZ
[414]DRAM Type =7 (3:DDR3,4:DDR4,6:LPDDR2,7:LPDDR3)
[419]DRAM zq value: 003b3bfb
[425]IPRD=00590059--PGCR0=00000f5d--PLL=b0004b00
[430]DRAM SIZE =2048 M,para1 = 000030fa,para2 = 08001000
[438]DRAM simple test OK.
[441]init dram ok, size=2048M
[444]init heap
[445][mmc]: mmc driver ver 2017-03-14 13:56
[449][mmc]: sdc0 spd mode error, 2
[453][mmc]: mmc 0 bias 00000000
[461][mmc]: Wrong media type 0x00000000
[465][mmc]: ***Try SD card 0***
[474][mmc]: HSSDR52/SDR25 4 bit
[477][mmc]: 50000000 Hz
[480][mmc]: 3768 MB
[482][mmc]: ***SD/MMC 0 init OK!!!***
[668]read toc1 from emmc 32800 sector

Display More

It gives "sdc0 spd mode error, 2", then turn to boot from mmc0(tf card) instead of mmc2(emmc).

@jernej Any clue?

permheaddamage

Tried Etcher too, still no boot from tf card. Directly boot into android on emmc..

permheaddamage

Thanks Jernej, I see your post of TX6.

Since Tanix TX6 can boot from the SD card

Tanix TX6 is H6 based Android TV Box and it can boot from SD cards prepared with PhoenixCard. It should be possible to make it work with Armbian too, right? I…

forum.armbian.com

I think maybe I am facing the same problem. Zidoo H6 is equipped with DDR4 RAM.

I will have a try to see whether these 4 pads are uart pins when I have time. It looks there is no other test points possible to be uart on this board.

permheaddamage

Quote from jernej

Then try that image? Zidoo won't gain official support.

I have had a try, it does not boot from the libreelec tf card.

Press the reset button at end of AV socket will make it restore factory firmware..

What's the difference between Libreelec SD creator and phoenixcard?

permheaddamage · Rock Pi4 Plus permheaddamage June 19, 2023 at 7:43 AM

installed latest stable 11.0.1 onto my NanoPC-T4(RK3399) yesterday. Everything is perfect except the audio passthrough.

There is no passthrough options in settings->system->audio.

AVR is Denon X540BT

permheaddamage

Here is picture of circuit board:

ZIDOO H6 PRO Android 7.0 Allwinner H6 2/16GB AC WiFi Gig Lan BT4 L1 Widevine

Today something new and little different ZIDOO H6 PRO Android 7.0 Allwinner H6 2/16GB AC WiFi Gig Lan BT4 Has been a long while since we have had a Allwinner…

forum.xda-developers.com

The stock firmware update guide indicates it is able to boot from tf card.

https://www.zidoo.tv/Support/support_guide/guide_target/JT4n%2Bv0V3qHeq7k9e%5Bld%5D3ulg%3D%3D.html

permheaddamage

Zidoo h6 is probably the first allwinner h6 tv box on market. Zidoo abandoned it just half a year later and left many blocking issues in the stock firmware.

HW is: Allwinner H6 soc, 2gb ram, 16gb emmc, axp805 pmic, ap6255 wifi+bt, rtl8211e gigalan

Product link: https://www.zidoo.tv/Product/spec/m…FMcQ%3D%3D.html

Latest stock firmware: http://forum.zidoo.tv/index.php?thre…-release.45219/

The HW spec looks very much like Beelink GS1, except for the wifi chip.

Posts by permheaddamage

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?

Rock Pi4 Plus

Is it possible to run libreelec on zidoo h6 pro?

Is it possible to run libreelec on zidoo h6 pro?