moto-penangf
Possible BROM TestPoints G23 | penangf #1
-
|
Looking through the schematics,
Update: No test point has granted us BROM. It's probably disabled by efuse. KPCOL0:TESTED
Here's where the test point is located: Seem to force the phone into loading a special USB mode? CLK / DAT0TESTED* Located at the back of the board, cannot be accessed easily being them without a dedicated nyckel. https://www.msab.com/it/blog/mediatek-a-short-story/ UP / DOWNTESTED Positioned near the back camera, where BROM test points are usually located in Motorola phones: Could be other test points for volume buttons. |
Beta Was this translation helpful? Give feedback.
Replies: 30 comments 421 replies
-
Possible CLK and DAT0 Nyckels?Looking at the schematics, near the SoC and the eMMC there should be the eMMC TPs. Thanks to this video, I was able to identify these possible test points which could be CLK, DAT0 and CMD: They look to be just hidden, like UFS ISP Test points do: |
Beta Was this translation helpful? Give feedback.
-
|
But to do this you have to remove the protective metal shield, and this can be dangerous without special tools. |
Beta Was this translation helpful? Give feedback.
-
|
The problem would be that the some of the test points on the front would still be under the other metal shield, so we are even more limited than before. Surely UP/DOWN TPs are to try next, they should easy to access and nothing wrong should happen. |
Beta Was this translation helpful? Give feedback.
-
|
Moto E7 (XT2097) Test point is KPCOL0, and it's marked as BOOT_MODE. This doesn't say much about our device which has a different chipset, but it confirms what we thought KPCOL0 is generally used for. Moto g24 (XT2423) has a KPCOL0 test point too, and the handling of this point looks to be different than ours (could this be g24 test point though?)
Our device does not have any reference of KPCOL0 in the Keypad section, and connects directly (with 1kOmh resistance, R1316) to the bus. This could give two conclusions:
|
Beta Was this translation helpful? Give feedback.
-
|
@progzone122 we have some useful news! Looking for some of the strings I was able to find some kernel sources:
It would be really interesting seeing how this partition reacts to changes in boot modes (fastboot, META, preloader, DA and KPCOL0) These logs are also really useful to understand which partitions does what! Maybe ask the other people on the telegram group if they can manage to find something too while you fix your device, they just need to run your backup_critical_partitions script and open the file with a text editor. |
Beta Was this translation helpful? Give feedback.
-
|
I just found something that could mean REALLY GOOD NEWS! Looking at my expdb logs, this is what i found: [SBC] Verification Fail(0x102005)
[UDL] usbdl_send_da: clean invalid da
<ASSERT> /home/queen/buildspace/workspace/STC/STC_version_build_serial_nochecksum/android_build/code/S_base/vendor/mediatek/proprietary/bootable/bootloader/preloader/platform/mt6768/src/core/download.c:line 570 0
PL fatal error...
PL delay for Long Press Reboot
[PLFM] emergency download mode(timeout: 5s).Emergency Download Mode? We absolutely need to see what happens with KPCOL0 |
Beta Was this translation helpful? Give feedback.
-
|
I can check when I restore the phone. Because now it behaves itself strangely. I hate Motorola |
Beta Was this translation helpful? Give feedback.
-
|
During phone startup, the KPCOL0 testpoint starts showing 1.6V, and when the phone is simply turned off - 0.6V. Is this normal? |
Beta Was this translation helpful? Give feedback.
-
Then why is it not detected in mtkclient as BROM when using testpoint? :( |
Beta Was this translation helpful? Give feedback.
-
Could be various reasons, our best way to know is to read the bootlogs! |
Beta Was this translation helpful? Give feedback.
-
I still haven't fixed my phone, now it's stuck at 41% and won't charge anymore, charging current drops to 0. |
Beta Was this translation helpful? Give feedback.
-
|
I wonder if this is still related to Android battery stats (so only android problem) or even stuff like keeping the phone in preloader. If it's only the first, maybe factory reset could help? |
Beta Was this translation helpful? Give feedback.
-
This is not an Android problem |
Beta Was this translation helpful? Give feedback.
-
|
When the phone is powered on and a USB cable is connected to the PC, If i then enable USB Debugging: We get the same device name as we do with KPCOL0, but with a different PID: moto-penangf/penangf-schematics#1 (comment) Do we get a special USB mode with KPCOL0? |
Beta Was this translation helpful? Give feedback.
-
Yup! I flashed everything except userdata and super to make it flash faster. It was probably something wrong in the boot partition or some other that tells the preloader what to boot, or at least this is my guess |
Beta Was this translation helpful? Give feedback.
-
I will probably make a dozen warnings in the documentation... Really shitty software |
Beta Was this translation helpful? Give feedback.
-
|
Better make the documentation to fix the issue too |
Beta Was this translation helpful? Give feedback.
-
I missed these replies. In my opinion there's some other options to be enabled first to give us UART access. Not having the moto bootloader, it's hard to check for Console mode as easily. I've found this regarding UART Would be useful to find similar resources for Mediatek based devices. |
Beta Was this translation helpful? Give feedback.
-
|
@progzone122 What's the |
Beta Was this translation helpful? Give feedback.
-
@progzone122 What did you do to short KPCOL0? And how much time did you keep the short for? I'm reading of people keeping the connection all the time during flashing on dead devices (which are not only phones) |
Beta Was this translation helpful? Give feedback.
-
|
I’m not sure, sometimes it worked when I briefly shorted the test point, and sometimes when I held it. This still needs to be tested. |
Beta Was this translation helpful? Give feedback.
-
There's so many things pointing to this TP being the one we want, we must test it as much we can when you're done with the battery issue |
Beta Was this translation helpful? Give feedback.
-
Could BROM be disabled completely?Standing to this source, Lenovo blocked brom on new devices since 2022 https://www.hovatek.com/forum/thread-45917.html What's concerning is that the device in question in this forum has the same chipset as ours, and test points seem not to work. However, moto g22 (MT6765) has released after January 2022 and has a way to access brom: https://xdaforums.com/t/how-to-boot-a-moto-g22-into-brom-mode.4695317/#post-89736563 This post from XDA claims that brom is blocked on newer devices, unless you disassemble the phone |
Beta Was this translation helpful? Give feedback.
-
|
Oh my god, why did they do that? Now I'm not sure we can unlock the bootloader without ISP Box. |
Beta Was this translation helpful? Give feedback.
-
|
Probably "For security reasons" (while leaving FRP reset doable without a PC, which is way worse). We must hope in either KPCOL0 or find an alternative spot for CLK. Would be interesting trying AMT too: https://youtu.be/wz0zW3wQzvg |
Beta Was this translation helpful? Give feedback.
-
I think they did it to make it unrepairable, especially with their shitty firmware |
Beta Was this translation helpful? Give feedback.
-
|
If we cause a flash memory read failure during phone startup, I think we can enter BROM even if it is locked. |
Beta Was this translation helpful? Give feedback.
-
|
That's what we'd want to do with CLK unfortunately, but as we know it's hard to access, unless we find a point on the front of the board (a capacitor for example) that transfers the CLK signal, we might be able to short it. When I say it's risky compared to KPCOL0 is because in this case we're dealing with the eMMC TP and not just the keypad ones, and especially their position (we might touch something else and risk frying the eMMC) |
Beta Was this translation helpful? Give feedback.
-
Fucking Motorola |
Beta Was this translation helpful? Give feedback.
-
|
Nvm, I've read it wrong |
Beta Was this translation helpful? Give feedback.
-
|
I can confirm again, there's no easy accessible point to quiet CLK, I looked at the schematics from the beginning.. Vivo Y22 has the same issue for this TP, it has to be accessed like this. |
Beta Was this translation helpful? Give feedback.
-
|
We're lucky too tbh, Moto g24 doesn't have the CLK test point at all (they document JTAG points tho, but we already have them anyway) |
Beta Was this translation helpful? Give feedback.
-
|
Good news, KPCOL0 in our scheme does not emulate any of our available buttons, this testpoint goes directly to our SOC. There is a good chance that it does provide us with some kind of mode. KPCOL1 is our volume button- |
Beta Was this translation helpful? Give feedback.
-
Are you able to pull the latest logs out to see what the phone did? |
Beta Was this translation helpful? Give feedback.
-
|
On Windows it is defined as two devices: |
Beta Was this translation helpful? Give feedback.
-
|
I don't have any idea what that would imply Maybe there was just an error using KPCOL0 last time?? |
Beta Was this translation helpful? Give feedback.
-
|
Could this help? |
Beta Was this translation helpful? Give feedback.
-
|
It'd be very funny if they disabled this flag.. |
Beta Was this translation helpful? Give feedback.
-
|
@progzone122 We might want to try something new with KPCOL0: When we cause an error in mtkclient (such as DAA_SIG_VERIFY_FAILED), the preloader throws a fatal error: What if, after we get the error in mtkclient, you start shorting KPCOL0 to GND and see if something changes? It looks like PL waits for something to happen (because of the timeout) before restarting the phone. |
Beta Was this translation helpful? Give feedback.
-
|
@progzone122 I continue seeing various sources affirming that to use KPCOL0 you need to keep it shorted either until you see BROM mode detected or until it finished flashing everything 🤔 Could you try again what you did here? https://github.com/orgs/moto-penangf/discussions/1#discussioncomment-11652779 This is our last chance for easy methods that doesn't revolve on removing shields, I wasn't able to use the crashed preloader in the 5 seconds timeframe, it just freezes instead |
Beta Was this translation helpful? Give feedback.
-
|
It goes into PCS mode, but not into BROM mode |
Beta Was this translation helpful? Give feedback.
-
|
we really have to use CLK then.. |
Beta Was this translation helpful? Give feedback.
-
Update: My guess is that it's something related to their old devices and the acronym just stayed as the vendor id. I don't know what kind of mode the phone is going into, it looks similar to what you get using either ADB or connecting the phone to transfer file (MTP?). I really have no idea how this mode could be useful to us, and if we just need to update udev rules to make it do something useful? You said somewhere that the phone is detected on windows as Midi, but this makes me wonder if you had motorola driver installed? Surely it's not BROM if the usb vendor ID is motorola, but that doesn't exclude that it could be some proprietary flash mode, which wouldn't be useful anyway for what we want. |
Beta Was this translation helpful? Give feedback.
-
It would be great if this mode could be used to flash partitions that are inaccessible to us, but we don’t know how... |
Beta Was this translation helpful? Give feedback.
-
|
We are idiots. After taking another look at the circuit, I realized that the test point can also receive incoming voltage, just like the RX test point. I measured the voltage between KPCOL and ground and found that it was 1.2V! It’s possible that since we are pulling it to GND, we are getting MIDI mode due to a logical 0? What if we apply a logical 1 instead? For example, 1.8V or 3.3V to the KPCOL0 test point? I also looked at the diagrams of other Motorola phones and KPCOL0 - it is always "Download Mode"
|
Beta Was this translation helpful? Give feedback.
-
|
It does? I remember seeing a resistor in the g24 not the g23 |
Beta Was this translation helpful? Give feedback.
-
|
|
Beta Was this translation helpful? Give feedback.
-
|
Uh well, it's safer then, but I would still be careful if i were you in doing so if you wanted to try |
Beta Was this translation helpful? Give feedback.
-
There are some Motorola models where BROM was activated by applying 1.9V voltage to KPCOL0. I'll think about it now. |
Beta Was this translation helpful? Give feedback.
-
|
Really? Didn't know that |
Beta Was this translation helpful? Give feedback.
-
|
When KPCOL0 is shorted to GND, Fastboot opens! |
Beta Was this translation helpful? Give feedback.
-
There's also the chance we might not have to press the power button, I saw another video of the Moto g22 not using power and going In brom anyway, maybe the USB cable in kinda emulates it. Furthermore, in another video they connected the g22 to RSA without pressing any button, so I assume it went to preloader mode in that case. If all these assumptions are true, the device must have brom, it can't be just all coincidences. |
Beta Was this translation helpful? Give feedback.
-
Does G22 have MTK BL or MOTO BL? It's important |
Beta Was this translation helpful? Give feedback.
-
|
I think it has moto bootloader, but this doesn't matter since this is something related to preloader not LK |
Beta Was this translation helpful? Give feedback.
-
|
Read here the section about the boot mode, where it talks about DOWNLOAD_BOOT https://www.lieberbiber.de/2015/07/05/mediatek-details-little-kernel/ |
Beta Was this translation helpful? Give feedback.
-
|
@progzone122 also read this article https://www.lieberbiber.de/2015/07/04/mediatek-details-partitions-and-preloader/ The emergency download mode is init by preloader that reboots back into brom! This is a good thing actually, because we know that devices such as the g22 does indeed boot in preloader and not brom. And again, our button combination is tricky to test, but it should send us to brom somehow |
Beta Was this translation helpful? Give feedback.
-
|
@shomykohai Why are the antenna pads connected this way? Can this help us?
|
Beta Was this translation helpful? Give feedback.
-
|
The little dot between the lines means they are indeed connected, but uh, why would they be connected to volume buttons?? |
Beta Was this translation helpful? Give feedback.
-
|
|
Beta Was this translation helpful? Give feedback.
-
But they are connected BEFORE THE RESISTORS |
Beta Was this translation helpful? Give feedback.
-
|
I am very interested in PWRKEY_SW |
Beta Was this translation helpful? Give feedback.
-
|
I really have no idea then, but could be something that might come handy to know surely |
Beta Was this translation helpful? Give feedback.
-
|
I've reviewed the circuit a hundred times, and now I can confidently say — no BROM testpoints |
Beta Was this translation helpful? Give feedback.
-
They could also do it at the hardware level |
Beta Was this translation helpful? Give feedback.
-
But that would be something they'd do to the chipset, and I think it's mediatek that decides this, while the preloader is up to the manufacturer, and we know that mt6768 can indeed go to brom |
Beta Was this translation helpful? Give feedback.
-
They might have simply not created a test point for this. The only option I see now is shorting the test points near the flash memory—that will definitely work. If only it didn’t require removing the protective shields… |
Beta Was this translation helpful? Give feedback.
-
|
Maybe there's a way to remove them easily (like with a soldering iron) without having to break them.. |
Beta Was this translation helpful? Give feedback.
-
|
If you actually do it though, don't try right away, we might want first to get a good picture of the test point to add to the documentation, and then double check if I marked them correctly |
Beta Was this translation helpful? Give feedback.
-
|
Interesting video |
Beta Was this translation helpful? Give feedback.
-
|
@progzone122 are JTAG pins connected to the eMMC ones? In the schematic they don't appear, but maybe it's safer using them than the one near the eMMC since we're sure of the pinout. Though the issue is still that you'd need to remove the shield.. |
Beta Was this translation helpful? Give feedback.
-
Most likely yes, Motorola is owned by Lenovo. |
Beta Was this translation helpful? Give feedback.
-
I wonder if this phone even has it, it almost looks like they underpowered the chip to not heat at all, the battery charging heats way more than the SoC |
Beta Was this translation helpful? Give feedback.
-
I recently bought a hot air soldering station for soldering, but I’m still not very skilled with it. I’m worried about the SMD components under the protective shields :((( Do we need to use a alloy rose metal? |
Beta Was this translation helpful? Give feedback.
-
|
I'm not sure about that, you'd have more luck finding other sources on removing these shields. I only know they usually use heat guns, but it makes sense to worry about the components below, I imagine there's a specific technique Maybe on YouTube you'll find something |
Beta Was this translation helpful? Give feedback.
-
|
|
Beta Was this translation helpful? Give feedback.
-
|
G13 xt2331 testpoint? |
Beta Was this translation helpful? Give feedback.
-
Uh, I don't see em? |
Beta Was this translation helpful? Give feedback.
-
|
The very first pdf file there. There is another, but it has fewer pages. Haven't compared. The 3rd is not about the board... |
Beta Was this translation helpful? Give feedback.
-
|
Ok found them, for some reason the page didn't want to load all the contents Unfortunately, we don't have a good picture of the eMMC TP, though the JTAG ones are pretty visible here This surely may come handy for further analysis! Thanks! |
Beta Was this translation helpful? Give feedback.
-
|
Wait no, we also have the eMMC TP it seems!! I'll have to mark the TP on the documentation as not yet assessed |
Beta Was this translation helpful? Give feedback.
-
|
Alright, I was wrong, those are the audio tp. I confirm the one you sent is the clk one, as marked in the documentation too. |
Beta Was this translation helpful? Give feedback.
-
|
I booted into fastboot using testpoint and shorted it out a few times https://drive.google.com/file/d/1Tq5C-HnZZDnHuXCnw-Q_p4-cpN9uLFIy/view?usp=sharing P.S Damn GitHub doesn't want to upload the file for some reason |
Beta Was this translation helpful? Give feedback.
-
Idk, everything is mixed up there, you can't figure it out without a bottle of vodka. |
Beta Was this translation helpful? Give feedback.
-
|
Maybe try dumping the logs from fastboot, you get the new logs here! |
Beta Was this translation helpful? Give feedback.
-
Later, I already put the phone back together and went to bed. |
Beta Was this translation helpful? Give feedback.
-
|
I looked at the logs better, but I can't understand which one are the latest, because sometimes the RTC clock is set to 2010... But at least I now know which is the beginning: when it says "Preloader start". What TP did you short? KPCOL0? If so, then the logs marked as 2010 are the latest, and it means you could try using the button combo that might get us to brom! |
Beta Was this translation helpful? Give feedback.
-
Yeah, the other readily available testpoints don't do anything |
Beta Was this translation helpful? Give feedback.
-
|
I tried to do the actions:
Nothing seems to have changed, but something interesting was found in the logs |
Beta Was this translation helpful? Give feedback.
-
|
|
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
I'm not sure it was already there mmh, have you got new logs with "key 0 is pressed?" Last time it appeared 2 times. Can you try shorting KPCOL0 and hold Vol+ before connecting the USB and keep them pressed until the pc detects it? If needed, hold power too. Maybe if you put something to hold one of the buttons to free your hands it may be easier. |
Beta Was this translation helpful? Give feedback.
-
This happened in fastboot, you probably pressed Vol+. Maybe we're missing something, like that the dl keys check happens on certain conditions? Like the phone needs to be powered off completely and not reset? 🤔 |
Beta Was this translation helpful? Give feedback.
-
|
What does fastboot log if you press the power button? both from the key and from test point? |
Beta Was this translation helpful? Give feedback.
-
|
@progzone122 You can try something else too, I've found out that brom is also called in another instance: If you crash preloader and it detects KPCOL0, it should go to brom. Try crashing preloader with mtkclient and before tue crash happens, short KPCOL0 and see if the logs say either "BR cmd is disabled" or "Force brom recovery success" after PL Fatal Error |
Beta Was this translation helpful? Give feedback.
-
|
Preloader crash without it hanging can be achieved by using a wrong da file |
Beta Was this translation helpful? Give feedback.
-
|
No, it doesn't work |
Beta Was this translation helpful? Give feedback.
-
|
Sad, maybe it needs to fail to read preloader in that part. Whatever, we'll try what we were testing before, the button combination. |
Beta Was this translation helpful? Give feedback.
-
I tested some today, no luck so far... |
Beta Was this translation helpful? Give feedback.
-
|
@progzone122 I've tried myself all of this combinations, I didn't get brom, nothing. Just this |
Beta Was this translation helpful? Give feedback.
-
|
@progzone122 I almost were able to press all the keys mtk_kpd_gpio_set Already!
mtk detect key function pmic_detect_homekey MTK_PMIC_RST_KEY = 17
mtk detect key function pmic_detect_homekey pressed
key 0 is pressedI just missed the power key, it's too hard to press ugh |
Beta Was this translation helpful? Give feedback.
-
|
Reading the logs, I can see that whatever I did, it's always the power key that's missing umh, maybe we still have a chance of going to brom if the reason we can't go is because we can't press all buttons. Please check your logs to see what you get here |
Beta Was this translation helpful? Give feedback.
-
|
Could it be that in preloader the power key is assigned to another TP and when it goes to lk, it gets assigned to the actual key with the same ID? |
Beta Was this translation helpful? Give feedback.
-
|
I'm now 100% sure the download keys are pressed, because the dl keys check function calls The problem as I said it's still the same though, it doesn't detect the power key for some reason.. I'm thinking if the reason is that in the preloader initialization this prints out: "[PLFM] WDT reboot bypass power key!" Maybe we need to press the powerkey after when the phone detects being powered? Is this why they say that the power must be powered off completely to enter brom? Maybe if we try disconnecting the battery it will be easier? 🤔 I tried that too but nothing printed out, but I also pressed the power key before connecting the USB. @progzone122 when there's the chance to test this again, are you able to solder some physical big buttons to KPCOL0 and POWER TPs so it's way easier to press em? Or at least to the power button, because KPCOL0 is too important to risk ripping the pad. |
Beta Was this translation helpful? Give feedback.
-
|
Which phones on Helio G85 have a known test point? No matter how much I search - there is no information, only preloader |
Beta Was this translation helpful? Give feedback.
-
It's no different than a physical button |
Beta Was this translation helpful? Give feedback.
-
In the schematic it's wired differently, it bypasses a resistor iirc |
Beta Was this translation helpful? Give feedback.
-
One can only hope that a vulnerability will be found..... |
Beta Was this translation helpful? Give feedback.
-
I've already put the phone back together and have no desire to take it apart again. Maybe later. I'm sick of it :( |
Beta Was this translation helpful? Give feedback.
-
|
No problem, we have time |
Beta Was this translation helpful? Give feedback.
-
|
I've analyzed the schematics again and in a while I'll add to the documentation what else we can try for going to BROM! |
Beta Was this translation helpful? Give feedback.
-
Let me finish this section in the documentation and we'll ask, ok? |
Beta Was this translation helpful? Give feedback.
-
|
@progzone122 are you able to test the new information you added? Now I understand you're idea better. I'd like to know if preloader registers this as key 8, and if you're able to turn on the phone without using either TP or actual power button |
Beta Was this translation helpful? Give feedback.
-
Turns out we don't have those capacitors, but we do have those resistors! |
Beta Was this translation helpful? Give feedback.
-
It shouldn't be a problem that we don't have the caps, until we have the contacts we can still use em |
Beta Was this translation helpful? Give feedback.
-
Yes, the important thing is that we have resistors. |
Beta Was this translation helpful? Give feedback.
-
|
Just looked at one of the Samsung telephones and it uses KPCOL0 to boot into the BROM... |
Beta Was this translation helpful? Give feedback.
-
|
same problem |
Beta Was this translation helpful? Give feedback.
-
|
I guess we can only hope for a preloader bug to crash into brom at this poimt |
Beta Was this translation helpful? Give feedback.
-
|
@progzone122, I'm speechless. That samsung phone uses the same button combo to enter emergency download mode (0 + 8 + 17), but it doesn't actually calls the method to enter it: This means that it goes into brom from somewhere else |
Beta Was this translation helpful? Give feedback.
-
|
That said, we can finally say that we don't need to test brom anymore with that combo, we'll just crash preloader using DA etc.., We shouldn't need to open the phone anymore if not for CLK or DAT0. |
Beta Was this translation helpful? Give feedback.
-
|
Maybe we could find an exploit in the preloader, and then inject a payload, but we would need help for someone who has experience in this field, like the people who contribute to mtkclient, and the people who made amonet and kamakiri |
Beta Was this translation helpful? Give feedback.
-
|
Perhaps usb2jtag can help us somehow? Because on other phones this is not available without bootloader unlock
|
Beta Was this translation helpful? Give feedback.
-
|
I don't know if it could work, we have SWJTAG, they put protections there too |
Beta Was this translation helpful? Give feedback.
-
KPCOL0 voltagesOnly charging - 1.36V |
Beta Was this translation helpful? Give feedback.
-
And that includes the SPFT too? |
Beta Was this translation helpful? Give feedback.
-
|
With spft we can only write official lk, not patched. Seccfg cannot be written at all, even with spft |
Beta Was this translation helpful? Give feedback.
-
|
Beta Was this translation helpful? Give feedback.
-
Is it just me or are these two different DA's? Because it was copied from RSA and it is exactly not broken and works in flash tool. |
Beta Was this translation helpful? Give feedback.
-
nvm.. my bad. Used save as too soon. So saved the download page, not raw... lol |
Beta Was this translation helpful? Give feedback.
-
|
I think Motorola has actually disabled BROM mode in fuse. I've tried everything I can think of, but I'm not getting anything |
Beta Was this translation helpful? Give feedback.
-
|
If you disconnect the cable that goes to the display and the bottom board - KPCOL0 is always 1.7V, but if you connect the cable back the voltage drops quickly to 1.3V and the phone turns on. |
Beta Was this translation helpful? Give feedback.
-
At that moment, when he gave out Hanshake failed, I was going through the combinations. |
Beta Was this translation helpful? Give feedback.
-
|
During invalid da, I was also able to invoke the power key |
Beta Was this translation helpful? Give feedback.
-
|
Does it seem or do mtk brute and mtk crash work differently? |
Beta Was this translation helpful? Give feedback.
-
Mmh I think i know why we can get it here: there's a check for power key (PL delay for Long Press Reboot) that is a loop and checks for it being held. We also know that the log for a key being detected only appears when the mtk_detect_key is called, hence why in fastboot and on boot we can get it to print out. We need to see if you can get it during boot too when it checks for download keys |
Beta Was this translation helpful? Give feedback.
-
I think so, I'm not sure but iirc crash is for, well, crash to brom, while brute is for dumping brom on unknown chipsets, but in our case it crashes preloader too |
Beta Was this translation helpful? Give feedback.
-
|
@progzone122 we need a better picture of the back of the motherboard, especially the JTAG and eMMC TPs. Are you able to get them? Or maybe even @R0rt1z2 can, I saw they joined so I guess you two have a plan to test stuff like TPs or UART (Assumptions that come from the blog post about fire tablet) It's important to get them before hand as we're unsure about the test points locations right now, so it's less of a risk of frying the eMMC. |
Beta Was this translation helpful? Give feedback.
-
|
Go to our Telegram group |
Beta Was this translation helpful? Give feedback.
-
I can't join unfortunately for other reasons, but I'm able to read the chat and saw what y'all said. If we get UART working too, we need to add it to the documentation. Also, as I imagined, the plan is to use test testpoints too, but we need to get them right first to avoid damage. |
Beta Was this translation helpful? Give feedback.
-
|
BROM is blocked by efuse. |
Beta Was this translation helpful? Give feedback.
BROM is blocked by efuse.
Making this just to mark an answer on the thread.