Comments (43)
mah8050
commented on May 27, 2024
2
Ok I'm in
It was updated to the latest firmware (1.68.1) so it used that magic number to login but after some try and not letting it boot completely suddenly it gave up on giving magic number and I could log in using password provided by the html file, that file is a great work. after checking version number again realized that it changed into (1.64.4) and app says update available!
I've binwaked through the mtd4 and other partitions and it seems that there is no DER Certificate.
So i think I can Flash :)))
If you needed more details about L09A I would be happy to help
from xiaoai-patch.
duhow
commented on May 27, 2024
1
Hi @hillbicks ,
This set of scripts and patches removes all XiaoAI propietary software and allows to install other open-source programs, build during the process.
Some of them include MPD music server, Upmpdcli, and Snapcast, both Snapserver and Snapclient, allowing to send music to speaker and act as server, with other speakers with same image being as client, thus allowing multi-room audio open source :)
This repo is for personal usage, but the end goal is to have a "local alexa-like smart speaker" powered by open source only (or mostly).
from xiaoai-patch.
hillbicks
commented on May 27, 2024
1
Dude, that is huge news. There are so many people actually looking for a device like this. Decent speaker with voice assistant capabilities without cloud services attached to it. It's basically the missing hardware for a lot of software projects.
I was not aware there is any hardware available which would be able to run snapcast, let alone one that is a smart speaker. I hope it's ok if I ask a couple more questions? If you're not comfortable, no worries, I understand, since it is just for your personal usage.
- Which versions of the xioai devices have you tested this with? EDIT: I guess it is the smart speaker that came out last year, right?
- What voice assistant system do you want to implement? I recently looked at rhasspy, but currently hardware, especially mics wihtout beamforming seem to be the problem. I would expect the hardware from xiaomi to be better in this regard. And if your process allows other opensource software to be run on this device, getting rhasspy as a client should at least be possible
- I would love to tinker around with this as well if that's not an issue for you.
Let me know if that would be of interest to you, would love to help out here.
EDIT: Another question: After looking at the files, I guess your building an image file and using the miio tools to deliver the image file as a software update after getting the token?
from xiaoai-patch.
hillbicks
commented on May 27, 2024
1
Alright, last post for today. either minicom didn't work or I missed a parameter. Using putty/screen I was able to interrupt autoboot and get into the u-boot command line interface
axg_s420_v1_gva#printenv
EnableSelinux=enforcing
active_slot=normal
adb_setting=if itest ${factory_mode} == 1; then run clr_adb_debuggable;else run set_adb_debuggable;fi;
baudrate=115200
bcb_cmd=get_valid_slot;
boot_part=boot
bootargs=rootfstype=ramfs init=/init ramoops.pstore_en=1 ramoops.record_size=0x8000 ramoops.console_size=0x4000 mtdblock.ro_fspart=system mtdblock.ro_fspart_2nd=chrome loglevel=0 quiet logo=,loaded,androidboot.selinux=enforcing androidboot.firstboot=1 jtag=disable androidboot.hardware=amlogic androidboot.bootloader=U-Boot 2015.01-gfe79c6daed-dirty androidboot.build.expect.baseband=N/A androidboot.slot_suffix=normal defendkey=0x08300000,0x100000 androidboot.serialno=29432/A0SF66176 androidboot.deviceid=29432/A0SF66176 androidboot.country=WW android.debuggable=1 android.secure=0 console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xff803000 androidboot.rpmb_state=0
bootcmd=run storeboot
bootdelay=1
bootloader_version=U-Boot 2015.01-gfe79c6daed-dirty
clr_adb_debuggable=echo disable adb debug prop;setenv bootargs ${bootargs} android.debuggable=0 android.secure=1;setenv bootargs ${bootargs} console=ttyS9,115200 no_console_suspend;
cmdline_keys=if keyman init 0x1234; then if keyman read deviceid ${loadaddr} str; then setenv bootargs ${bootargs} androidboot.serialno=${deviceid};setenv serial ${deviceid};else setenv bootargs ${bootargs} androidboot.serialno=1234567890;setenv serial 1234567890;fi;if keyman read mac ${loadaddr} str; then setenv bootargs ${bootargs} mac=${mac} androidboot.mac=${mac};fi;if keyman read deviceid ${loadaddr} str; then setenv bootargs ${bootargs} androidboot.deviceid=${deviceid};fi;if keyman read lang ${loadaddr} str; then setenv bootargs ${bootargs} androidboot.lang=${lang};fi;if keyman read country ${loadaddr} str; then setenv bootargs ${bootargs} androidboot.country=${country};fi;if keyman read locale_lang ${loadaddr} str; then setenv bootargs ${bootargs} androidboot.locale.lang=${locale_lang};fi;if keyman read locale_region ${loadaddr} str; then setenv bootargs ${bootargs} androidboot.locale.region=${locale_region};fi;fi;
country=WW
deviceid=29432/A0SF66176
dtb_mem_addr=0x1000000
factory_mode=0
factory_reset_poweroff_protect=echo wipe_data=${wipe_data}; echo wipe_cache=${wipe_cache};if test ${wipe_data} = failed; then run storeargs;if mmcinfo; then run recovery_from_sdcard;fi;if usb start 0; then run recovery_from_udisk;fi;run recovery_from_flash;fi; if test ${wipe_cache} = failed; then run storeargs;if mmcinfo; then run recovery_from_sdcard;fi;if usb start 0; then run recovery_from_udisk;fi;run recovery_from_flash;fi;
fdt_high=0x20000000
firstboot=1
identifyWaitTime=750
initargs=rootfstype=ramfs init=/init ramoops.pstore_en=1 ramoops.record_size=0x8000 ramoops.console_size=0x4000 mtdblock.ro_fspart="system" mtdblock.ro_fspart_2nd="chrome" loglevel=0 quiet
irremote_update=if irkey 2500000 0xe31cfb04 0xb748fb04; then echo read irkey ok!; if itest ${irkey_value} == 0xe31cfb04; then run update;else if itest ${irkey_value} == 0xb748fb04; then run update;\
fi;fi;fi;
jtag=disable
loadaddr=1080000
preboot=run bcb_cmd; run factory_reset_poweroff_protect;run upgrade_check;run storeargs;run adb_setting;run switch_bootmode;
reboot_mode=cold_boot
recovery_from_backup=setenv bootargs ${bootargs} console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xff803000;setenv bootargs ${bootargs} aml_dt=${aml_dt} recovery_part={recovery_part} recovery_offset={recovery_offset}; ubi part data; ubi getVolName data 0; ubifsmount ubi0:${volName}; ubifsload ${dtb_mem_addr} .data/dtb.img; ubifsload ${loadaddr} .data/recovery.img; wipeisb; bootm ${loadaddr};
recovery_from_flash=setenv bootargs ${bootargs} console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xff803000;setenv bootargs ${bootargs} aml_dt=${aml_dt} recovery_part={recovery_part} recovery_offset={recovery_offset};if imgread kernel ${recovery_part} ${loadaddr} ${recovery_offset}; then wipeisb; bootm ${loadaddr}; fi
recovery_from_sdcard=if fatload mmc 0 ${loadaddr} aml_autoscript; then autoscr ${loadaddr}; fi;if fatload mmc 0 ${loadaddr} recovery.img; then if fatload mmc 0 ${dtb_mem_addr} dtb.img; then echo sd dtb.img loaded; fi;wipeisb; bootm ${loadaddr};fi;
recovery_from_udisk=if fatload usb 0 ${loadaddr} aml_autoscript; then autoscr ${loadaddr}; fi;if fatload usb 0 ${loadaddr} recovery.img; then if fatload usb 0 ${dtb_mem_addr} dtb.img; then echo udisk dtb.img loaded; fi;wipeisb; bootm ${loadaddr};fi;
recovery_offset=0
recovery_part=recovery
rpmb_state=0
sdc_burning=sdc_burn ${sdcburncfg}
sdcburncfg=aml_sdc_burn.ini
serial=29432/A0SF66176
set_adb_debuggable=echo enable adb debug prop;setenv bootargs ${bootargs} android.debuggable=1 android.secure=0;setenv bootargs ${bootargs} console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xff803000;
stderr=serial
stdin=serial
stdout=serial
storeargs=get_bootloaderversion;setenv bootargs ${initargs} logo=${display_layer},loaded,androidboot.selinux=${EnableSelinux} androidboot.firstboot=${firstboot} jtag=${jtag}; setenv bootargs ${bootargs} androidboot.hardware=amlogic androidboot.bootloader=${bootloader_version} androidboot.build.expect.baseband=N/A;setenv bootargs ${bootargs} androidboot.slot_suffix=${active_slot};setenv bootargs ${bootargs} defendkey=0x08300000,0x100000;run cmdline_keys;
storeboot=if imgread kernel ${boot_part} ${loadaddr}; then bootm ${loadaddr}; fi;run update;
switch_bootmode=get_rebootmode;if test ${reboot_mode} = factory_reset; then run recovery_from_flash;else if test ${reboot_mode} = update; then run update;else if test ${reboot_mode} = cold_boot; then run try_auto_burn; else if test ${reboot_mode} = fastboot; then fastboot;fi;fi;fi;fi;
try_auto_burn=update 700 750;
update=run usb_burning; run sdc_burning; if mmcinfo; then run recovery_from_sdcard;fi;if usb start 0; then run recovery_from_udisk;fi;if itest ${upgrade_step} == 4; then run recovery_from_backup;else if itest ${upgrade_step} == 3; then run recovery_from_flash;fi;fi
upgrade_check=echo recovery_status=${recovery_status};if itest.s "${recovery_status}" == "in_progress"; then run storeargs; run recovery_from_flash;else fi;echo upgrade_step=${upgrade_step}; if itest ${upgrade_step} == 3; then run storeargs; run update;else if itest ${upgrade_step} == 4; then run storeargs; run update;fi;fi;
upgrade_key=if gpio input GPIOAO_3; then echo detect upgrade key; run update;fi;
upgrade_step=2
usb_burning=update 1000 3500
wipe_cache=successful
wipe_data=successful
Environment size: 6574/65532 bytes
I'm too tired to to look further today, but I think we're in business 🚀
from xiaoai-patch.
duhow
commented on May 27, 2024
1
Everything is GNU/Linux in the end 😂
The other speakers also use an Android boot image / based in OpenWRT.
from xiaoai-patch.
duhow
commented on May 27, 2024
1
Still testing. Here's some output. Don't run them at the moment, looks like if missing the "android" envs, device is kind of factory restarted?
axg_s420_v1_gva#imgread kernel boot 1080000
[imgread]szTimeStamp[2020090314331755]
[imgread]secureKernelImgSz=0x9a3000
axg_s420_v1_gva#env set bootargs 'rootfstype=ramfs init=/bin/ash ramoops.pstore_en=1 ramoops.record_size=0x8000 ramoops.console_size=0x4000 mtdblock.ro_fspart=system mtdblock.ro_fspart_2nd=chrome loglevel=7 console=ttyS0,115200'
axg_s420_v1_gva#bootm 1080000
aml log : R-2048 check pass!
aml log : R2048 check pass!
aml log : R2048 check pass!
aml log : R2048 check pass!
avb2: 0
save_power_post ...
avb2: 0
## Booting Android Image at 0x01080000 ...
reloc_addr =1dedc780
copy done
[store]Is good fdt check header, no need decrypt!
load dtb from 0x1000000 ......
Amlogic Multi-DTB tool
Single DTB detected
Uncompressing Kernel Image ... OK
kernel loaded at 0x01080000, end = 0x02121a00
Loading Ramdisk to 1db42000, end 1deb1800 ... OK
Loading Device Tree to 000000001db33000, end 000000001db411af ... OK
fdt_fixup_memory_banks, reg:0000000000000000
Starting kernel ...
uboot time: 63101625 us
domain-0 init dvfs: 1
[ 0.000000@0] Booting Linux on physical CPU 0x0
[ 0.000000@0] Linux version 4.9.113-04598-gde6945f522b7-dirty (ming.liu@droid16-sz) (gcc version 6.3.1 20170109 (Linaro GCC 6.3-2017.02) ) #81 SMP PREEMPT Thu Sep 3 14:18:06 CST 2020
[ 0.000000@0] Boot CPU: AArch64 Processor [410fd034]
[ 0.000000@0] efi: Getting EFI parameters from FDT:
[ 0.000000@0] efi: UEFI not found.
[ 0.000000@0] 07400000 - 07500000, 1024 KB, ramoops@0x07400000
[ 0.000000@0] __reserved_mem_alloc_size, start:0x0000000005000000, end:0x0000000005400000, len:4 MiB
[ 0.000000@0] 05000000 - 05400000, 4096 KB, linux,secmon
[ 0.000000@0] cma: Reserved 8 MiB at 0x000000001f800000
[ 0.000000@0] psci: probing for conduit method from DT.
[ 0.000000@0] psci: PSCIv1.0 detected in firmware.
[ 0.000000@0] psci: Using standard PSCI v0.2 function IDs
[ 0.000000@0] psci: MIGRATE_INFO_TYPE not supported.
[ 0.000000@0] psci: SMC Calling Convention v1.1
[ 0.000000@0] percpu: Embedded 26 pages/cpu @ffffffc01f750000 s68632 r8192 d29672 u106496
[ 0.000000@0] Detected VIPT I-cache on CPU0
[ 0.000000@0] CPU features: enabling workaround for ARM erratum 845719
[ 0.000000@0] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 129024
[ 0.000000@0] Kernel command line: rootfstype=ramfs init=/bin/ash ramoops.pstore_en=1 ramoops.record_size=0x8000 ramoops.console_size=0x4000 mtdblock.ro_fspart=system mtdblock.ro_fspart_2nd=chrome loglevel=7 console=ttyS0,115200 reboot_mode=cold_boot
[ 0.000000@0]
[ 0.000000@0] PID hash table entries: 2048 (order: 2, 16384 bytes)
[ 0.000000@0] Dentry cache hash table entries: 65536 (order: 7, 524288 bytes)
[ 0.000000@0] Inode-cache hash table entries: 32768 (order: 6, 262144 bytes)
[ 0.000000@0] Memory: 480040K/524288K available (9468K kernel code, 1222K rwdata, 2508K rodata, 3776K init, 635K bss, 31960K reserved, 12288K cma-reserved)
[ 0.000000@0] Virtual kernel memory layout:
[ 0.000000@0] modules : 0xffffff8000000000 - 0xffffff8008000000 ( 128 MB)
[ 0.000000@0] vmalloc : 0xffffff8008000000 - 0xffffffbebfff0000 ( 250 GB)
[ 0.000000@0] .text : 0xffffff8009080000 - 0xffffff80099c0000 ( 9472 KB)
[ 0.000000@0] .rodata : 0xffffff80099c0000 - 0xffffff8009c40000 ( 2560 KB)
[ 0.000000@0] .init : 0xffffff8009c40000 - 0xffffff8009ff0000 ( 3776 KB)
[ 0.000000@0] .data : 0xffffff8009ff0000 - 0xffffff800a121a00 ( 1223 KB)
[ 0.000000@0] .bss : 0xffffff800a121a00 - 0xffffff800a1c06dc ( 636 KB)
[ 0.000000@0] fixed : 0xffffffbefe7fb000 - 0xffffffbefec00000 ( 4116 KB)
[ 0.000000@0] PCI I/O : 0xffffffbefee00000 - 0xffffffbeffe00000 ( 16 MB)
[ 0.000000@0] vmemmap : 0xffffffbf00000000 - 0xffffffc000000000 ( 4 GB maximum)
[ 0.000000@0] 0xffffffbf00000000 - 0xffffffbf00800000 ( 8 MB actual)
[ 0.000000@0] memory : 0xffffffc000000000 - 0xffffffc020000000 ( 512 MB)
[ 0.000000@0] can't find symbol:arm_dma_alloc
[ 0.000000@0] can't find symbol:__alloc_from_contiguous
[ 0.000000@0] can't find symbol:cma_allocator_alloc
[ 0.000000@0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[ 0.000000@0] Preemptible hierarchical RCU implementation.
[ 0.000000@0] Build-time adjustment of leaf fanout to 64.
[ 0.000000@0] RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=4.
[ 0.000000@0] RCU: Adjusting geometry for rcu_fanout_leaf=64, nr_cpu_ids=4
[ 0.000000@0]
[ 0.000000@0] **********************************************************
[ 0.000000@0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000@0] ** **
[ 0.000000@0] ** trace_printk() being used. Allocating extra memory. **
[ 0.000000@0] ** **
[ 0.000000@0] ** This means that this is a DEBUG kernel and it is **
[ 0.000000@0] ** unsafe for production use. **
[ 0.000000@0] ** **
[ 0.000000@0] ** If you see this message and you are not debugging **
[ 0.000000@0] ** the kernel, report this immediately to your vendor! **
[ 0.000000@0] ** **
[ 0.000000@0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000@0] **********************************************************
[ 0.000000@0] NR_IRQS:64 nr_irqs:64 0
[ 0.000000@0] irq_meson_gpio: 100 to 8 gpio interrupt mux initialized
[ 0.000000@0] axg_aoclkc_init: register ao clk ok!
[ 0.000000@0] axg_amlogic_init_sdemmc: register amlogic sdemmc clk
[ 0.000000@0] axg_amlogic_init_sdemmc: register amlogic sdemmc clk
[ 0.000000@0] axg_amlogic_init_media: register meson media clk
[ 0.000000@0] axg_amlogic_init_misc: register amlogic axg misc clks
[ 0.000000@0] axg_amlogic_init_misc:
[ 4.166002@0] asoc-aml-card auge_sound: control 2:0:0:I2SIn CLK:0 is already present
[ 4.168123@0] snd_tdm ff642000.audiobus:tdmb: ASoC: Failed to add I2SIn CLK: -16
[ 4.175447@0] aml_dai_tdm_probe, failed add snd tdm controls
[ 4.181057@0] asoc-aml-card auge_sound: control 2:0:0:I2SIn CLK:0 is already present
[ 4.188735@0] snd_tdm ff642000.audiobus:tdmc: ASoC: Failed to add I2SIn CLK: -16
[ 4.196058@0] aml_dai_tdm_probe, failed add snd tdm controls
[ 4.201872@0] master_mode(1), binv_p(0), binv_c(1), finv(0) out_skew(1), in_skew(3)
[ 4.210163@0] asoc-aml-card auge_sound: multicodec <-> TDM-A mapping ok
[ 4.215879@0] master_mode(1), binv_p(0), binv_c(1), finv(1) out_skew(1), in_skew(3)
[ 4.223956@0] asoc-aml-card auge_sound: multicodec <-> TDM-B mapping ok
[ 4.230014@0] master_mode(1), binv_p(0), binv_c(1), finv(1) out_skew(1), in_skew(3)
[ 4.238149@0] asoc-aml-card auge_sound: multicodec <-> TDM-C mapping ok
[ 4.244530@0] asoc-aml-card auge_sound: dummy <-> ff642000.audiobus:pdm mapping ok
[ 4.253824@0] snd_card_add_kcontrols card:ffffffc01d6d0018
[ 4.257083@0] effect_v2 is not init
[ 4.260484@0] Failed to add VAD controls
[ 4.264645@0] GACT probability NOT on
[ 4.268018@0] Mirror/redirect action on
[ 4.271825@0] u32 classifier
[ 4.274616@0] Actions configured
[ 4.278174@0] Netfilter messages via NETLINK v0.30.
[ 4.283328@0] nf_conntrack version 0.5.0 (4096 buckets, 16384 max)
[ 4.289473@0] ctnetlink v0.93: registering with nfnetlink.
[ 4.295436@2] xt_time: kernel timezone is -0000
[ 4.299160@2] ipip: IPv4 and MPLS over IPv4 tunneling driver
[ 4.305601@3] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 4.310391@3] arp_tables: arp_tables: (C) 2002 David S. Miller
[ 4.315924@3] Initializing XFRM netlink socket
[ 4.321029@3] NET: Registered protocol family 10
[ 4.326252@3] mip6: Mobile IPv6
[ 4.327990@3] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 4.333768@3] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[ 4.341021@3] NET: Registered protocol family 17
[ 4.344145@3] NET: Registered protocol family 15
[ 4.348680@3] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[ 4.361782@3] Bluetooth: RFCOMM TTY layer initialized
[ 4.366674@3] Bluetooth: RFCOMM socket layer initialized
[ 4.371955@3] Bluetooth: RFCOMM ver 1.11
[ 4.375805@3] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[ 4.381232@3] Bluetooth: BNEP filters: protocol multicast
[ 4.386585@3] Bluetooth: BNEP socket layer initialized
[ 4.391669@3] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[ 4.397708@3] Bluetooth: HIDP socket layer initialized
[ 4.402826@3] NET: Registered protocol family 35
[ 4.407849@3] Registered swp emulation handler
[ 4.411795@3] Registered cp15_barrier emulation handler
[ 4.416946@3] Registered setend emulation handler
[ 4.421651@3] disable EAS feature
[ 4.425867@1] registered taskstats version 1
[ 4.440087@1] dwc3 ff500000.dwc3: Configuration mismatch. dr_mode forced to host
[ 4.946539@1] aml_vrtc rtc: setting system clock to 2015-01-01 00:01:08 UTC (1420070468)
[ 4.949559@1] dwc_otg: usb0: type: 2 speed: 0, config: 0, dma: 0, id: 0, phy: ffe09000, ctrl: 0
[ 5.057932@2] dwc_otg: Core Release: 3.10a
[ 5.057994@2] dwc_otg: Setting default values for core params
[ 5.062139@2] dwc_otg: curmode: 0, host_only: 0
[ 5.078970@2] dwc_otg: Using Buffer DMA mode
[ 5.078994@2] dwc_otg: OTG VER PARAM: 1, OTG VER FLAG: 1
[ 5.082873@2] dwc_otg: Working on port type = SLAVE
[ 5.087705@2] dwc_otg: Dedicated Tx FIFOs mode
[ 5.094204@0] thermal thermal_zone0: binding zone soc_thermal with cdev thermal-cpufreq-0 failed:-22
[ 5.101290@0] cpucore_cooling_register, max_cpu_core_num:4
[ 5.113131@0] gxbb_pm: enter meson_pm_probe!
[ 5.113166@0] no vddio3v3_en pin[ 5.114810@0] pm-meson aml_pm: Can't get switch_clk81
[ 5.119877@0] gxbb_pm: meson_pm_probe done
[ 5.12430v 5.130528@0] meson_uart ff803000.serial: ttyS0 use xtal(8M) 24000000 change 115200 to 115200
[ 5.135515@0] Freeing unused kernel memory: 3776K
[ 5.147793@0] init: property init
[ 5.147876@0] init: reading config file
[ 5.150064@0] init: processing action 0xaae0f910 (early-init)
[ 5.155065@0] init: starting 'ueventd'
[ 5.159288@0] init: command 'start' r=0
[ 5.163053@0] init: command 'mount' r=0
[ 5.166796@0] init: command 'mount' r=0
[ 5.168962@1] init: starting ueventd
[ 5.169477@1] init: /sys/ rule /sys/devices/virtual/input/input* enable
[ 5.169491@1] init: /sys/ rule /sys/devices/virtual/input/input* poll_delay
[ 5.169502@1] init: /sys/ rule /sys/devices/virtual/usb_composite/* enable
[ 5.173694@1] init: adding platform device ffd0f0d0.watchdog
[ 5.174178@1] init: adding platform device reg-dummy
[ 5.174940@1] init: adding platform device cpu_iomap
[ 5.175292@1] init: adding platform device 7400000.ramoops
[ 5.175636@1] init: adding platform device bt-dev
[ 5.176273@1] init: adding platform device dummy
[ 5.224228@0] init: com
[ 8.268349@3]
[ 8.268349@3] aml_pdm_dai_set_sysclk, pdm_sysclk:133333203 pdm_dclk:3071998, dclk_srcpll:24575982
[ 8.273448@3] aml_pdm_dai_prepare, pdm_dclk:3072000, osr:192, rate:16000 filter mPde:1
[ 8.281112@3] aml_pdm_ctrl, lane mask:0xf, channels:2, channels mask:0x3, bypass:0
[ 8.288950@3] asoc-aml-card auge_sound: PDM Capture start
[ 8.296094@3] input: mic_state as /devices/virtual/input/input2
laying WAVE '/usr/share/empty.wav' : Signed 16 bit Little Endian, Rate 44100 Hz, Stereo
link failed File exists
link failed Read-only file system
link failed Read-only file system
link failed Read-only file system
link failed Read-only file system
link failed Read-only file system
link failed No such file or directory
[ 8.496235@3] 8821cs: loading out-of-tree module taints kernel.
[ 8.595707@3] ######platform_wifi_power_on:
[ 8.595763@3] aml_wifi wifi: [extern_wifi_set_enable] WIFI Disable! 465
[ 9.123306@3] aml_wifi wifi: [extern_wifi_set_enable] WIFI Enable! 465
[ 9.636666@0] meson-mmc: sdio: resp_timeout,vstat:0xa1ff2800,virqc:3fff
[ 9.637642@0] meson-mmc: sdio: err: wait for irq service, bus_fsm:0x8
[ 9.645146@0] meson-mmc: sdio: resp_timeout,vstat:0xa1ff2800,virqc:3fff
[ 9.650576@0] meson-mmc: sdio: err: wait for irq service, bus_fsm:0x8
[ 9.661706@0] meson-mmc: sdio: resp_timeout,vstat:0x9dff0800,virqc:3fff
[ 9.663514@0] meson-mmc: sdio: err: wait for desc write back, bus_fsm:0x7
[ 9.671020@3] meson-aml-mmc ffe05000.sdio: card claims to support voltages below defined range
[ 9.699337@3] meson-mmc: actual_clock :400000, HHI_nand: 0x80
[ 9.699447@3] meson-mmc: [meson_mmc_clk_set_rate_v3] after clock: 0x1000033c
[ 9.727252@3] meson-aml-mmc ffe05000.sdio: divider requested rate 100000000 != actual rate 99999903: ret=0
[ 9.731253@3] meson-mmc: actual_clock :99999903, HHI_nand: 0x80
[ 9.737123@3] meson-mmc: [meson_mmc_clk_set_rate_v3] after clock: 0x1000034a
[ 9.744113@3] meson-mmc: Data 1 aligned delay is 0
[ 9.748850@3] meson-mmc: sdio: clk 99999903 tuning start
[ 9.763410@3] meson-mmc: sdio: adj_win: < 0 1 2 3 4 5 7 8 >
[ 9.763439@3] meson-mmc: sdio: best_win_start =0, best_win_size =6
[ 9.769485@3] meson-mmc: sdio: sd_emmc_regs->gclock=0x1000034a,sd_emmc_regs->gadjust=0x32000
[ 9.777853@3] meson-mmc: delay1:0x0, delay2:0x0
[ 9.783697@3] sdio: new ultra high speed SDR50 SDIO card at address 0001
[ 9.788974@3] sdio: clock 99999903, 4-bit-bus-width
[ 9.794350@1] meson-mmc: [sdio_reinit] finish
[ 9.980697@3] Miso kernel module inited
[ 10.313376@1] init: '/bin/logwrapper' exited with status 0
[ 10.313509@1] init: command 'exec' r=0
[ 10.317623@1] init: executing '/system/bin/ifconfig'
[ 11.174281@3] start_addr=(0x8000), end_addr=(0x10000), buffer_size=(0x8000), smp_number_max=(4096)
[ 11.202171@3] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 11.215558@2] init: '/system/bin/ifconfig' exited with status 0
[ 11.215940@2] init: command 'exec' r=0
[ 11.219884@2] init: executing '/system/bin/iw'
command failed: No such device (-19)
[ 11.263601@0] init: '/system/bin/iw' exited with status 237
[ 11.263747@0] init: command 'exec' r=237
[ 11.268399@0] init: starting 'wpa_supplicant'
[ 11.272302@0] init: command 'start' r=0
Serial Number: bin
Initializing random number generator...
[ 12.041472@2] unifykey: key_unify_init() already inited!
[ 12.041624@2] unifykey: name_store() 1302, name deviceid, 8
[ 12.046927@2] unifykey: name_store() 1311
[ 12.067588@2] unifykey: name: deviceid, size 15
[ 12.107315@2] capability: warning: `dhcpcd' uses 32-bit capabilities (legacy support in use)
[ 12.620677@1] BT_RADIO going: off
[ 12.620715@1] AML_BT: going OFF
[ 12.847739@1] BT_RADIO going: on
[ 12.847775@1] AML_BT: going ON
[ 13.134872@0] configfs-gadget ff400000.dwc2_a: failed to start amlogic: -19
from xiaoai-patch.
duhow
commented on May 27, 2024
I'm testing with LX06 originally. LX01 also works, but need some tweaks on the image/process.
The newer speaker L09G would be also interesting, as it improves in hardware resources, but i'm having issues with serial being blocked by the system, so didn't made any progress in there.
Also i'm blocked with LX05 as I cannot flash properly the image to the system, it may be signed or something weird.
Voice audio can be powered by multiple TTS or just external audios. I'm playing around with espeak, nanotts, Google TTS...
But Voice Assistant itself is something to be written from scratch, can be a simple script to interact with Home Assistant text commands. Just think that there's not enough room for Python at the partition, so unless we build something with MicroPython and if it works... Probably should be moving to C programs.
So, no Rhasspy, Kalliope, Leon or Mycroft. That's something a Raspberry Pi can provide, but that would force to change the whole board, and I'm just playing around with the speaker one.
Of course I'm open to PRs and contributions if you want :)
from xiaoai-patch.
duhow
commented on May 27, 2024
The process for installing this program, is to extract the original image - from same Flash Memory dd or some update, then use it as "base", and perform the modifications on a new squashfs image. Finally just flash the new "update" to the other partition - speaker contains 2 partitions with bootloader and system in order to rollback to previous.
As I've told earlier, I'm removing all the propietary programs, so miio is also unavailable. But you can comment part of the process to keep that programs and run them.
from xiaoai-patch.
hillbicks
commented on May 27, 2024
partition size makes sense, hadn't thought about that. Even having a wifi speaker with snapcast is still a huge improvement in terms of hardware and a good starting point I think.
I thought you were already at the stage of development where you're flashing the updated image via miio, that's at least how I've done it for the xiaomi vacuums that I own. But I guess you're using the serial ports to access it, or in case of the L09G, trying to access it.
Since I couldn't find the LX06, I ordered the L09G and see what I can figure out, although I don't have high hopes for that, since I have zero experience with this kind of hardware reverse engineering. I also took the liberty to ask in the dustcloud telegram channel if anybody is already working on a L09G. If we're lucky, one of the dudes responsible for originally rooting the xiaomi vacuum is interested. I already offered donating a device to him, since I'm profiting from his work for some time now (3 vacuums with rooted firmware)
from xiaoai-patch.
duhow
commented on May 27, 2024
Yep, in this case the flashing is done by having access to serial port, to the Linux console.
I was inspired by the CVE-2020-10263 and started testing from there - seriously, why is that a CVE? 😂
from xiaoai-patch.
hillbicks
commented on May 27, 2024
Oh wow, that is a good find! Really strange that this is listed as CVE. I just joined the telegram channel for dustcloud and linking the CVE resulted in the exact same reactions. WHY THE FUCK is that a CVE?
I also wrote the authors of the CVE, asking whether they looked at the L09G. But judging from the responses I got in the telegram channel for dustcloud, I don't have high hopes for the L09G. It seems that xiaomi is cracking down on the new vacuums they're releasing, so we might have no luck there, but let's see.
Have you enabled ssh on the fallback partition or how are you reflashing new builds onto the device? While I wait for the L09G to arrive, I'll read up on the dustcloud docs, they should give good insight into the xiaomi architecture. Any other resources you can recommend in the meantime?
from xiaoai-patch.
duhow
commented on May 27, 2024
Beware this is not related to dustcloud, as that is meant only for vacuums. It would be possible to add some offline agent to have miio control anyway, but i'm not interested on it - yet. Maybe i'll need to rely on it for the Infrared control but still need to research more on that.
At the moment I'm just focusing on what programs or services can I use to make the voice assistant itself. So far the combination would be something like:
Porcupine > ALSA record (Opus?) > websocat > External Vosk API server > jq > Home Assistant or NanoTTS
Probably need to deploy some small CLI/tools for Home Assistant, and I'm still having problems with websocat connecting but not sending the data to server.
If you check the scripts, you'll see the patching enables SSH on the image, so if you just flash the patched image on both partitions, you'll have SSH enabled permanently.
from xiaoai-patch.
hillbicks
commented on May 27, 2024
Oh yeah, sure, I'm aware of that. I just mentioned it, because there are likely some similarities between the device groups that we can look at. And the miio tools should probably come into play if everything else is running and you want to go "public" with it. I guess flashing via UART is not a viable option for most people :p
One step at a time I guess, I'm just excited about the possibilities this hardware can provide and most importantly for me personally, whether the L09G can even be accessed at all. That is going to be the first challenge and probably the biggest one.
from xiaoai-patch.
hillbicks
commented on May 27, 2024
Alright, just got the L09G and took it apart, fortunately that's very easy. It seems the UART port on the front are not actually connected to the board, so I removed the board from the speaker and connected the actual pins on the back of the board. When you tried to connect via serial, did you use the holes on the front or the pins on the back?
For my first test, I just used tape to attach TX, RX and GND and lo and behold, I got a serial connection. Well, sort of, it seems I can't get the serial speed right. Tried the usual ones: 1200, 2400, 4800, 9600, 19200, 38400, 57600, and 115200. What are you using for the LX06?
But I can see some boot messages, just not something that is readable and it stops after the boot is finished.
I'll solder the pins for UART now, just taping it doesn't really cut it.
UART Front
https://i.imgur.com/uKn6U1a.png
UART Back
https://i.imgur.com/0fwQnEq.png
EDIT: I got a serial connection. Using tape was a bad idea 😁 But the ground port is a bitch, solder point came loose again.
U-Boot 2015.01-gfe79c6daed-dirty (Aug 27 2020 - 14:13:41)
from xiaoai-patch.
hillbicks
commented on May 27, 2024
Alright, this is all I got now. Will have a more detailed look later.
AXG:BL1:d1dbf2:a4926f;FEAT:F0DC31BC:2000;POC:F;EMMC:800;NAND:0;READ:0;0.0;0.0;CHK:0;
sdio debug board detected
TE: 140564
BL2 Built : 11:48:35, Mar 10 2020. axg gf91bf0a - jenkins@walle02-sh
set vcck to 1050 mv
set vddee to 950 mv
Board ID = 3
CPU clk: 1200MHz
DDR low power enabled
DDR3 chl: Rank0 16bit @ 912MHz
bist_test rank: 0 1d 00 3a 26 0b 41 1a 00 34 28 0f 42 00 00 00 00 00 00 00 00 00 00 00 00 693 - PASS
Rank0: 512MB(auto)-2T-13
AddrBus test pass!
NAND init
Load FIP HDR from NAND, src: 0x0000c000, des: 0x01700000, size: 0x00004000, part: 0
Load BL3x from NAND, src: 0x00010000, des: 0x01704000, size: 0x000afc00, part: 0
NOTICE: BL31: v1.3(release):d5a9e97
NOTICE: BL31: Built : 17:38:06, Mar 12 2020
NOTICE: BL31: AXG secure boot!
NOTICE: BL31: BL33 decompress pass
OPS=0x43
[Image: axg_v1.1.3489-8f09446 2020-03-12 13:58:51 jenkins@walle02-sh]
25 0c 43 00 52 d3 09 cf 88 9e 44 51 47 2e ee 46
bl30:axg ver: 9 mode: 0
bl30:axg thermal0
[0.015886 Inits done]
secure task start!
high task start!
low task start!
ERROR: Error initializing runtime service opteed_fast
U-Boot 2015.01-gfe79c6daed-dirty (Aug 27 2020 - 14:13:41)
DRAM: 512 MiB
Relocation Offset is: 1eec3000
mmu cfg end: 0x20000000
mmu cfg end: 0x20000000
register usb cfg[0][1] = 000000001ff74ad0
aml_i2c_init_port init regs for 0
NAND: get_sys_clk_rate_mtd() 292, clock setting 200!
bus cycle0: 6,timing: 7
NAND device id: 98 da 90 15 76 16
NAND device: Manufacturer ID: 0x98, Chip ID: 0x98 (Toshiba A revision NAND 2Gib TC58NVG1S3HBAI4 )
get_sys_clk_rate_mtd() 292, clock setting 200!
m3_nand_adjust_timing() sys_clk_rate 200, bus_c 6, bus_t 7
oob_fill_cnt =32 oob_size =64, bch_bytes =14
ecc mode:6 ecc_page_num=2 eep_need_oobsize=16
plane_num=1 writesize=0x800 ecc.size=0x200 bch_mode=1
oob avail size 6
Creating 1 MTD partitions on "A revision NAND 2Gib TC58NVG1S3HBAI4 ":
0x000000000000-0x000000200000 : "bootloader"
A revision NAND 2Gib TC58NVG1S3HBAI4 initialized ok
get_sys_clk_rate_mtd() 292, clock setting 200!
bus cycle0: 6,timing: 7
NAND device id: 98 da 90 15 76 16
NAND device: Manufacturer ID: 0x98, Chip ID: 0x98 (Toshiba A revision NAND 2Gib TC58NVG1S3HBAI4 )
get_sys_clk_rate_mtd() 292, clock setting 200!
m3_nand_adjust_timing() sys_clk_rate 200, bus_c 6, bus_t 7
oob_fill_cnt =32 oob_size =64, bch_bytes =14
ecc mode:6 ecc_page_num=2 eep_need_oobsize=16
PLANE change!
plane_num=1 writesize=0x800 ecc.size=0x200 bch_mode=1
aml_nand_init :oobmul=1,oobfree.length=8,oob_size=64
oob avail size 8
nbbt=20
nenv=24
nkey=32
ndtb=40
nddr=44
bbt_start=20 env_start=24 key_start=32 dtb_start=40 ddr_start=44
nbbt: info size=0x800 max_scan_blk=24, start_blk=20
nbbt : phy_blk_addr=20, ec=0, phy_page_addr=0, timestamp=1
nbbt free list:
blockN=21, ec=-1, dirty_flag=0
blockN=22, ec=-1, dirty_flag=0
blockN=23, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1132: page_num=1
aml_nand_scan_rsv_info 1135
nbbt valid addr: 280000
aml_nand_bbt_check 1256 bbt is valid, reading.
aml_nand_read_rsv_info:444,read nbbt info to 280000
nenv: info size=0x10000 max_scan_blk=32, start_blk=24
nenv : phy_blk_addr=25, ec=1, phy_page_addr=0, timestamp=4
nenv free list:
blockN=24, ec=1, dirty_flag=1
blockN=26, ec=-1, dirty_flag=0
blockN=27, ec=-1, dirty_flag=0
blockN=28, ec=-1, dirty_flag=0
blockN=29, ec=-1, dirty_flag=0
blockN=30, ec=-1, dirty_flag=0
blockN=31, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1132: page_num=32
aml_nand_scan_rsv_info 1135
nenv valid addr: 330000
nkey: info size=0x8000 max_scan_blk=40, start_blk=32
nkey : phy_blk_addr=33, ec=0, phy_page_addr=0, timestamp=2
nkey free list:
blockN=32, ec=0, dirty_flag=1
blockN=34, ec=-1, dirty_flag=0
blockN=35, ec=-1, dirty_flag=0
blockN=36, ec=-1, dirty_flag=0
blockN=37, ec=-1, dirty_flag=0
blockN=38, ec=-1, dirty_flag=0
blockN=39, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1132: page_num=16
aml_nand_scan_rsv_info 1135
nkey valid addr: 420000
ndtb: info size=0x20000 max_scan_blk=44, start_blk=40
ndtb : phy_blk_addr=40, ec=0, phy_page_addr=0, timestamp=1
ndtb free list:
blockN=41, ec=-1, dirty_flag=0
blockN=42, ec=-1, dirty_flag=0
blockN=43, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1132: page_num=64
aml_nand_scan_rsv_info 1135
ndtb valid addr: 500000
nddr: info size=0x800 max_scan_blk=46, start_blk=44
nddr : phy_blk_addr=-1, ec=0, phy_page_addr=0, timestamp=0
nddr free list:
blockN=44, ec=-1, dirty_flag=0
blockN=45, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1132: page_num=1
nddr valid addr: fffffffffffe0000
aml_nand_rsv_info_check_except_bbt 1226 NO nddr exist
tpl: off 8388608, size 8388608
NAND bbt detect factory Bad block at c000000
NAND bbt detect factory Bad block at c020000
Creating 7 MTD partitions on "A revision NAND 2Gib TC58NVG1S3HBAI4 ":
0x000000800000-0x000001000000 : "tpl"
0x000001000000-0x000001a00000 : "recovery"
0x000001a00000-0x000002600000 : "boot"
0x000002600000-0x000003600000 : "system"
0x000003600000-0x000007a00000 : "chrome"
0x000007a00000-0x000007e00000 : "factory"
0x000007e00000-0x000010000000 : "data"
NAND bbt detect factory Bad block at c000000
NAND bbt detect factory Bad block at c020000
A revision NAND 2Gib TC58NVG1S3HBAI4 initialized ok
MMC: aml_priv->desc_buf = 0x000000001dec1760
aml_priv->desc_buf = 0x000000001dec3aa0
SDIO Port B: 0, SDIO Port C: 1
uboot env amlnf_env_read : ####
aml_nand_read_rsv_info:444,read nenv info to 330000
In: serial
Out: serial
Err: serial
aml log : internal sys error!
reboot_mode=cold_boot
Start read misc partition datas!
[burnup]Rd:Up sz 0x440 to align 0x1000
[store]Err:mtd_find_phy_off_by_lgc_off,L116:device(misc) is err
[store]Err:do_store_read,L1775:Fail in find phy addr by logic off (0x0),ret(1)
[burnup]Err:store_read_ops,L101:cmd failed, ret=1, [store read misc 0x1deb1a78 0x0 0x1000]
failed to store read misc.
get_valid_slot - get_valid_slot
Usage:
get_valid_slot
This command will choose valid slot to boot up which saved in misc
partition by mark to decide whether execute command!
So you can execute command: get_valid_slot
active_slot is normal
cmd: imgread dtb boot ${dtb_mem_addr}
[imgread]szTimeStamp[2020102317353714]
[imgread]MTD pageShift 11, writesz 0x800
aml log : R-2048 check pass!
aml log : R2048 check pass!
[imgread]Enc dtb sz 0xc000
Amlogic Multi-DTB tool
Single DTB detected
Start read misc partition datas!
[burnup]Rd:Up sz 0x440 to align 0x1000
[store]Err:mtd_find_phy_off_by_lgc_off,L116:device(misc) is err
[store]Err:do_store_read,L1775:Fail in find phy addr by logic off (0x0),ret(1)
[burnup]Err:store_read_ops,L101:cmd failed, ret=1, [store read misc 0x1deb1888 0x0 0x1000]
failed to store read misc.
get_valid_slot - get_valid_slot
Usage:
get_valid_slot
This command will choose valid slot to boot up which saved in misc
partition by mark to decide whether execute command!
So you can execute command: get_valid_slot
wipe_data=successful
wipe_cache=successful
recovery_status=
upgrade_step=2
s_version: U-Boot 2015.01-gfe79c6daed-dirty
amlkey_init() enter!
amlnf_key_read: ####
amlnf_key_read key data len too much
aml_nand_read_rsv_info:444,read nkey info to 420000
[EFUSE_MSG]keynum is 4
[KM]Error:f[key_manage_query_size]L515:key[mac] not programed yet
[KM]Error:f[key_manage_query_size]L515:key[lang] not programed yet
[KM]Error:f[key_manage_query_size]L515:key[locale_lang] not programed yet
[KM]Error:f[key_manage_query_size]L515:key[locale_region] not programed yet
enable adb debug prop
InUsbBurn
noSof
Hit Enter or space or Ctrl+C key to stop autoboot -- : 0
[imgread]szTimeStamp[2020102317353714]
[imgread]secureKernelImgSz=0x8bd800
[burnup]Rd:Up sz 0x7bd800 to align 0x1000
aml log : R-2048 check pass!
aml log : R2048 check pass!
aml log : R2048 check pass!
aml log : R2048 check pass!
avb2: 0
save_power_post ...
avb2: 0
## Booting Android Image at 0x01080000 ...
reloc_addr =1dedc2e0
copy done
Kernel command line: rootfstype=ramfs init=/init console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xff803000
[store]Is good fdt check header, no need decrypt!
load dtb from 0x1000000 ......
Amlogic Multi-DTB tool
Single DTB detected
Uncompressing Kernel Image ... OK
kernel loaded at 0x01080000, end = 0x02121a00
Loading Ramdisk to 1dc27000, end 1deb1000 ... OK
Loading Device Tree to 000000001dc18000, end 000000001dc261af ... OK
fdt_fixup_memory_banks, reg:0000000000000000
Starting kernel ...
uboot time: 2986545 us
[ 0.000000@0] 07400000 - 07500000, 1024 KB, ramoops@0x07400000
[ 0.000000@0] 05000000 - 05400000, 4096 KB, linux,secmon
domain-0 init dvfs: 1
[ 0.223877@1] clkmsr ffd18004.meson_clk_msr: failed to get msr ring reg0
[ 0.272878@1] dmi: Firmware registration failed.
[ 1.210081@1] Initramfs unpacking failed: junk in compressed archive
[ 1.272689@1] mtdoops: mtd device (mtddev=name/number) must be supplied
[ 1.286066@1] ff803000.serial: clock gate not found
[ 1.293567@1] amlogic-new-usb3 ffe09080.usb3phy: This phy has no usb port
[ 1.302158@1] cyttsp 1-0010: Failed to read block!
[ 1.302234@1] cyttsp 1-0010: Failed to read block!
[ 1.306093@1] cyttsp 1-0010: Failed get Cyttsp Touch FW ID!
[ 1.317353@1] meson-mmc: >>>>>>>>hostbase ffffff80082c0000, dmode
[ 1.584256@3] request_irq error ret=-22
[ 1.584337@3] dev_pm_set_wake_irq failed: -22
[ 1.586868@3] page_trace_module_init, create sysfs failed
[ 2.543579@3] asoc-aml-card auge_sound: control 2:0:0:I2SIn CLK:0 is already present
[ 2.545698@3] snd_tdm ff642000.audiobus:tdmb: ASoC: Failed to add I2SIn CLK: -16
[ 2.553016@3] aml_dai_tdm_probe, failed add snd tdm controls
[ 2.558626@3] asoc-aml-card auge_sound: control 2:0:0:I2SIn CLK:0 is already present
[ 2.566299@3] snd_tdm ff642000.audiobus:tdmc: ASoC: Failed to add I2SIn CLK: -16
[ 2.573627@3] aml_dai_tdm_probe, failed add snd tdm controls
[ 3.224517@0] thermal thermal_zone0: binding zone soc_thermal with cdev thermal-cpufreq-0 failed:-22
[ 3.2;mount normal partition
UBI device number 6, total 32 LEBs (4063232 bytes, 3.9 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
UBI device number 7, total 1038 LEBs (131801088 bytes, 125.7 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
/dev/ubi7_0 /cache ubifs rw,relatime 0 0
/cache is already mounted
ctrl_interface=/data/wifi
/data/misc/bluedroid/bt_config.conf
[ 4.558880@3] unifykey: name: mac_bt, size 17
and wifi mac changes,seting new wifi MAC addr.
[ 4.708164@3] unifykey: key_unify_init() already inited!
[ 4.720826@1] unifykey: name: mac_wifi, size 17
wifi mac is exit.
set system prompt languge to xx-WW
mic enter mute mode
Error: Write failed
Error: Write failed
[0101/010009.435096:WARNING:client_auth_manager.cc(87)] Pref service not available. This should only happen in tests.
Playing WAVE '/usr/share/empty.wav' : Signed 16 bit Little Endian, Rate 44100 Hz, Stereo
link failed File exists
link failed Read-only file system
link failed Read-only file system
link failed Read-only file system
link failed Read-only file system
link failed Read-only file system
link failed No such file or directory
[ 6.612330@3] 8821cs: loading out-of-tree module taints kernel.
[ 6.711754@3] ######platform_wifi_power_on:
[ 6.711810@3] aml_wifi wifi: [extern_wifi_set_enable] WIFI Disable! 465
[ 7.236157@3] aml_wifi wifi: [extern_wifi_set_enable] WIFI Enable! 465
[ 7.749481@0] meson-mmc: sdio: resp_timeout,vstat:0xa1ff2800,virqc:3fff
[ 7.750457@0] meson-mmc: sdio: err: wait for irq service, bus_fsm:0x8
[ 7.757880@0] meson-mmc: sdio: resp_timeout,vstat:0xa1ff2800,virqc:3fff
[ 7.763392@0] meson-mmc: sdio: err: wait for irq service, bus_fsm:0x8
[ 7.774431@0] meson-mmc: sdio: resp_timeout,vstat:0x9dff0800,virqc:3fff
[ 7.776330@0] meson-mmc: sdio: err: wait for desc write back, bus_fsm:0x7
[ 7.783784@3] meson-aml-mmc ffe05000.sdio: card claims to support voltages below defined range
[ 7.812118@3] meson-mmc: actual_clock :400000, HHI_nand: 0x80
[ 7.812230@3] meson-mmc: [meson_mmc_clk_set_rate_v3] after clock: 0x1000033c
[ 7.839706@3] meson-aml-mmc ffe05000.sdio: divider requested rate 100000000 != actual rate 99999903: ret=0
[ 7.843710@3] meson-mmc: actual_clock :99999903, HHI_nand: 0x80
[ 7.849580@3] meson-mmc: [meson_mmc_clk_set_rate_v3] after clock: 0x1000034a
[ 7.856568@3] meson-mmc: Data 1 aligned delay is 0
[ 7.861304@3] meson-mmc: sdio: clk 99999903 tuning start
[ 7.875394@3] meson-mmc: sdio: adj_win: < 0 1 2 3 4 5 7 8 >
[ 7.875423@3] meson-mmc: sdio: best_win_start =0, best_win_size =6
[ 7.881478@3] meson-mmc: sdio: sd_emmc_regs->gclock=0x1000034a,sd_emmc_regs->gadjust=0x32000
[ 7.889831@3] meson-mmc: delay1:0x0, delay2:0x0
[ 7.895600@3] sdio: new ultra high speed SDR50 SDIO card at address 0001
[ 7.900969@3] sdio: clock 99999903, 4-bit-bus-width
[ 7.906369@0] meson-mmc: [sdio_reinit] finish
[ 8.099881@0] Miso kernel module inited
[ 8.450434@1] init: '/bin/logwrapper' exited with status 0
[ 8.450567@1] init: command 'exec' r=0
[ 8.454704@1] init: executing '/system/bin/ifconfig'
[ 9.299965@3] start_addr=(0x8000), end_addr=(0x10000), buffer_size=(0x8000), smp_number_max=(4096)
[ 9.333961@0] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 9.344392@2] init: '/system/bin/ifconfig' exited with status 0
[ 9.344777@2] init: command 'exec' r=0
[ 9.348506@2] init: executing '/system/bin/iw'
command failed: No such device (-19)
[ 9.404366@3] init: '/system/bin/iw' exited with status 237
[ 9.404501@3] init: command 'exec' r=237
[ 9.408991@3] init: starting 'wpa_supplicant'
[ 9.412999@3] init: command 'start' r=0
Serial Number: A0SF66176
Initializing random number generator...
[ 10.195598@3] unifykey: key_unify_init() already inited!
[ 10.195719@3] unifykey: name_store() 1302, name deviceid, 8
[ 10.208107@3] unifykey: name_store() 1311
[ 10.221560@0] unifykey: name: deviceid, size 15
[ 10.271223@2] capability: warning: `dhcpcd' uses 32-bit capabilities (legacy support in use)
[ 11.252859@2] configfs-gadget ff400000.dwc2_a: failed to start amlogic: -19
[ 11.273853@0] BT_RADIO going: off
[ 11.273889@0] AML_BT: going OFF
from xiaoai-patch.
hillbicks
commented on May 27, 2024
I just relized the L09G runs android., so that's going to be interesting.
I guess the LX06 runs GNU linux, right?
from xiaoai-patch.
duhow
commented on May 27, 2024
Heya @hillbicks ! Do you have any news with this speaker?
Just got the new L15A and I'm struggling to find the TTL connectors in here.. 😂
from xiaoai-patch.
hillbicks
commented on May 27, 2024
Hey,
nope, unfortunately not. After several days of trial and error I gave up. I couldn't figure out a way to get past the autoboot prompt and start a shell with the device, but I'm pretty sure that's just due to my lack of knowledge and fear of bricking the damn thing.
So, if you have any suggestions or tips to share, I'm all ears.
As for the TTL connectors, maybe they learned and removed them?
from xiaoai-patch.
duhow
commented on May 27, 2024
Not at all. They remain the 3 connectors, but somehow I burned my CP2102 by testing multiple pins.
Fortunately I have a backup. :)
The next day I brick L15A into a bootloop. 😬
I'll try do another check to L09G but I expect the same certificate / signature protection set.
If you want to implement this I suggest you find a LX06 and we can check if this is still working (no new firmware version installed with this signature protection)
from xiaoai-patch.
hillbicks
commented on May 27, 2024
Well, if you're also testing the L09G as well, I guess I'll wait a bit and see if you're able to get further than me before I buy the LX06. I'm having a hard time finding the LX06 online, it only seems to be available in some shops in India.
Do you already have the L09G?
from xiaoai-patch.
duhow
commented on May 27, 2024
Yep, I have 5 different models :)
https://m.es.aliexpress.com/item/4001310651216.html
from xiaoai-patch.
mah8050
commented on May 27, 2024
Good work guys.
Im really interested in your progress.
I have a L09A which is chinese version of L09G
she talks chinese and I have no clue how to talk to her :)
so its really good to try to create something that anyone can speak to
and I like to help
for start I have checked amlogic documents and I want to see if its possible to use factory tools to read partitions or not
links are here:
http://openlinux.amlogic.com:8000/download/A113/
http://openlinux2.amlogic.com/download/doc/
ps: I have access to tools like nand flash reader and smd work station
from xiaoai-patch.
duhow
commented on May 27, 2024
@mah8050 Interesting, so the same model L09A (Art) is Chinese while the G is Global and the public name is different...
So far we didn't manage to access the shell, looks like the input is somehow blocked.
Regarding these amlogic tools, I'm not familiar, but we can easily dump and write the MTD partitions with dd, no other programs are required. Despite the LX06 for example includes some write_mtd program.
from xiaoai-patch.
duhow
commented on May 27, 2024
@hillbicks from your post I'm checking that you have Uboot bootdelay enabled, so you can interrupt the boot process and get to the Uboot menu, you could do dump operations in there.
Hit Enter or space or Ctrl+C key to stop autoboot -- : 0
I'm not seeing this option at the moment, I didn't pair the speaker to Wifi, not sure about your setup.
I found this envs include jtag=disable which are sent to the Linux Kernel run, and disable the user input. You may check in there.
from xiaoai-patch.
duhow
commented on May 27, 2024
WOOOOT - looks like by switching off and on quick again I got into this reboot_mode=cold_boot and allowed me to interrupt and get the Uboot menu!
from xiaoai-patch.
duhow
commented on May 27, 2024
axg_s420_v1_gva#env print jtag
jtag=disable
axg_s420_v1_gva#jtagon apao 1
efuse_pw_en: 0x0
WARNING! efuse bits is disabled
Enable A53 JTAG to AO
still nothing.
from xiaoai-patch.
duhow
commented on May 27, 2024
Some other output, but still can't write to the console. I'm starting to think that this will require soldering an USB header and do via adb? Hope not :(
axg_s420_v1_gva#env print bootargs
bootargs=init="/bin/busybox sh" loglevel=7 console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xff803000 emergency
axg_s420_v1_gva#run bootcmd
[imgread]szTimeStamp[2020090314331755]
[imgread]secureKernelImgSz=0x9a3000
aml log : R-2048 check pass!
aml log : R2048 check pass!
aml log : R2048 check pass!
aml log : R2048 check pass!
avb2: 0
save_power_post ...
avb2: 0
## Booting Android Image at 0x01080000 ...
reloc_addr =1dedc5d0
copy done
[store]Is good fdt check header, no need decrypt!
load dtb from 0x1000000 ......
Amlogic Multi-DTB tool
Single DTB detected
Uncompressing Kernel Image ... OK
kernel loaded at 0x01080000, end = 0x02121a00
Loading Ramdisk to 1db41000, end 1deb0800 ... OK
Loading Device Tree to 000000001db32000, end 000000001db401af ... OK
fdt_fixup_memory_banks, reg:0000000000000000
Starting kernel ...
uboot time: 154375038 us
[ 0.000000@0] Booting Linux on physical CPU 0x0
[ 0.000000@0] Linux version 4.9.113-04598-gde6945f522b7-dirty (ming.liu@droid16-sz) (gcc version 6.3.1 20170109 (Linaro GCC 6.3-2017.02) ) #81 SMP PREEMPT Thu Sep 3 14:18:06 CST 2020
[ 0.000000@0] Boot CPU: AArch64 Processor [410fd034]
[ 0.000000@0] earlycon: aml_uart0 at MMIO 0x00000000ff803000 (options '')
[ 0.000000@0] bootconsole [aml_uart0] enabled
[ 0.000000@0] efi: Getting EFI parameters from FDT:
[ 0.000000@0] efi: UEFI not found.
[ 0.000000@0] 07400000 - 07500000, 1024 KB, ramoops@0x07400000
[ 0.000000@0] __reserved_mem_alloc_size, start:0x0000000005000000, end:0x0000000005400000, len:4 MiB
[ 0.000000@0] 05000000 - 05400000, 4096 KB, linux,secmon
[ 0.000000@0] cma: Reserved 8 MiB at 0x000000001f800000
[ 0.000000@0] psci: probing for conduit method from DT.
[ 0.000000@0] psci: PSCIv1.0 detected in firmware.
[ 0.000000@0] psci: Using standard PSCI v0.2 function IDs
[ 0.000000@0] psci: MIGRATE_INFO_TYPE not supported.
[ 0.000000@0] psci: SMC Calling Convention v1.1
[ 0.000000@0] percpu: Embedded 26 pages/cpu @ffffffc01f750000 s68632 r8192 d29672 u106496
[ 0.000000@0] Detected VIPT I-cache on CPU0
[ 0.000000@0] CPU features: enabling workaround for ARM erratum 845719
[ 0.000000@0] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 129024
[ 0.000000@0] Kernel command line: init="/bin/busybox sh" loglevel=7 console=ttyS0,115200 no_console_suspend earlycon=aml_uart,0xff803000 emergency reboot_mode=cold_boot
[ 0.000000@0]
[ 0.000000@0] PID hash table entries: 2048 (order: 2, 16384 bytes)
[ 0.000000@0] Dentry cache hash table entries: 65536 (order: 7, 524288 bytes)
[ 0.000000@0] Inode-cache hash table entries: 32768 (order: 6, 262144 bytes)
[ 0.000000@0] Memory: 480040K/524288K available (9468K kernel code, 1222K rwdata, 2508K rodata, 3776K init, 635K bss, 31960K reserved, 12288K cma-reserved)
[ 0.000000@0] Virtual kernel memory layout:
[ 0.000000@0] modules : 0xffffff8000000000 - 0xffffff8008000000 ( 128 MB)
[ 0.000000@0] vmalloc : 0xffffff8008000000 - 0xffffffbebfff0000 ( 250 GB)
[ 0.000000@0] .text : 0xffffff8009080000 - 0xffffff80099c0000 ( 9472 KB)
[ 0.000000@0] .rodata : 0xffffff80099c0000 - 0xffffff8009c40000 ( 2560 KB)
[ 0.000000@0] .init : 0xffffff8009c40000 - 0xffffff8009ff0000 ( 3776 KB)
[ 0.000000@0] .data : 0xffffff8009ff0000 - 0xffffff800a121a00 ( 1223 KB)
[ 0.000000@0] .bss : 0xffffff800a121a00 - 0xffffff800a1c06dc ( 636 KB)
[ 0.000000@0] fixed : 0xffffffbefe7fb000 - 0xffffffbefec00000 ( 4116 KB)
[ 0.000000@0] PCI I/O : 0xffffffbefee00000 - 0xffffffbeffe00000 ( 16 MB)
[ 0.000000@0] vmemmap : 0xffffffbf00000000 - 0xffffffc000000000 ( 4 GB maximum)
[ 0.000000@0] 0xffffffbf00000000 - 0xffffffbf00800000 ( 8 MB actual)
[ 0.000000@0] memory : 0xffffffc000000000 - 0xffffffc020000000 ( 512 MB)
[ 0.000000@0] can't find symbol:arm_dma_alloc
[ 0.000000@0] can't find symbol:__alloc_from_contiguous
[ 0.000000@0] can't find symbol:cma_allocator_alloc
[ 0.000000@0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[ 0.000000@0] Preemptible hierarchical RCU implementation.
[ 0.000000@0] Build-time adjustment of leaf fanout to 64.
[ 0.000000@0] RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=4.
[ 0.000000@0] RCU: Adjusting geometry for rcu_fanout_leaf=64, nr_cpu_ids=4
[ 0.000000@0]
[ 0.000000@0] **********************************************************
[ 0.000000@0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000@0] ** **
[ 0.000000@0] ** trace_printk() being used. Allocating extra memory. **
[ 0.000000@0] ** **
[ 0.000000@0] ** This means that this is a DEBUG kernel and it is **
[ 0.000000@0] ** unsafe for production use. **
[ 0.000000@0] ** **
[ 0.000000@0] ** If you see this message and you are not debugging **
[ 0.000000@0] ** the kernel, report this immediately to your vendor! **
[ 0.000000@0] ** **
[ 0.000000@0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000@0] **********************************************************
[ 0.000000@0] NR_IRQS:64 nr_irqs:64 0
[ 0.000000@0] irq_meson_gpio: 100 to 8 gpio interrupt mux initialized
[ 0.000000@0] axg_aoclkc_init: register ao clk ok![ 0.000000@0] axg_amlogic_init_sdemmc: register amlogic sdemmc clk
[ 0.000000@0] axg_amlogic_init_sdemmc: register amlogic sdemmc clk
[ 0.000000@0] axg_amlogic_init_media: register meson media clk
[ 0.000000@0] axg_amlogic_init_misc: register amlogic axg misc clks
[ 0.000000@0] axg_amlogic_init_misc: register amlogic sdemmc clk
[ 0.000000@0] axg_clkc_init initialization complete
[ 0.000000@0] arm_arch_timer: Architected cp15 timer(s) run
[ 2.351819@1] NAND bbt detect factory Bad block at c000000
[ 2.351849@1] aml_nand_add_partition:392 factory bad addr=600
[ 2.357480@1] NAND bbt detect factory Bad block at c020000
[ 2.362975@1] aml_nand_add_partition:392 factory bad addr=601
[ 2.388135@1] Creating 7 MTD partitions on "nandnormal":
[ 2.388165@1] 0x000000800000-0x000001000000 : "tpl"
[ 2.396888@2] 0x000001000000-0x000001a00000 : "recovery"
[ 2.402862@3] 0x000001a00000-0x000002600000 : "boot"
[ 2.408643@3] 0x000002600000-0x000003600000 : "system"
[ 2.415334@3] 0x000003600000-0x000007a20000 : "chrome"
[ 2.423468@3] NAND bbt detect factory Bad block at 5040000
[ 2.438235@3] 0x000007a20000-0x000007e20000 : "factory"
[ 2.445393@3] 0x000007e20000-0x000010000000 : "data"
[ 2.465592@3] NAND bbt detect factory Bad block at c000000
[ 2.465660@3] NAND bbt detect factory Bad block at c020000
[ 2.492502@3] nandnormal initialized ok
[ 2.492581@3] aml_ubootenv_init: register env chardev
[ 2.496161@3] aml_ubootenv_init: register env chardev OK
[ 2.501101@3] amlnf_dtb_init: register dtb cdev
[ 2.505931@3] amlnf_dtb_init: register dtd cdev OK
[ 2.510229@3] mtd_nand_probe 267 , err = 0
[ 2.515058@3] aml_vrtc rtc: rtc core: registered aml_vrtc as rtc0
[ 2.520609@3] input: aml_vkeypad as /devices/platform/rtc/input/input1
[ 2.527451@3] unifykey: storage in base: 0xffffffc005000000
[ 2.532320@3] unifykey: storage out base: 0xffffffc005040000
[ 2.537940@3] unifykey: storage block base: 0xffffffc005080000
[ 2.543679@3] unifykey: probe done!
[ 2.547700@3] unifykey: no efuse-version set, use default value: -1
[ 2.553353@3] unifykey: key unify config unifykey-num is 13
[ 2.558963@3] unifykey: key unify fact unifykey-num is 13
[ 2.564211@3] unifykey: unifykey_devno: f300000
[ 2.569015@2] unifykey: device unifykeys created ok
[ 2.573617@2] unifykey: aml_unifykeys_init done!
[ 2.578603@2] amlkaraoke init success!
[ 2.582424@2] meson_wdt ffd0f0d0.watchdog: start watchdog
[ 2.587175@2] meson_wdt ffd0f0d0.watchdog: creat work queue for watch dog
[ 2.594316@3] meson_wdt ffd0f0d0.watchdog: AML Watchdog Timer probed done
[ 2.600896@3] amlogic rfkill init
[ 2.604177@3] enter bt_probe of_node
[ 2.607451@3] not get gpio_en
[ 2.610351@3] not get gpio_hostwake
[ 2.613791@3] not get gpio_btwakeup
[ 2.617251@3] power on valid level is high[ 2.621135@3] bt: power_on_pin_OD = 0;
[ 2.624840@3] bt: power_off_flag = 1;
[ 2.628462@3] dis power down = 0;
[ 2.658190@3] request_irq error ret=-22
[ 2.658268@3] dev_pm_set_wake_irq failed: -22
[ 2.660807@3] page_trace_module_init, create sysfs failed
[ 2.671101@3] [AW20072] LED AW20072 Driver Ver 2.2
[ 2.686169@3] AW20072 1-003b: [AW20072] chip ID is 0x18
[ 2.710908@3] defendkey defendkey: Reserved memory is not enough!
[ 2.711382@3] defendkey: probe of defendkey failed with error -22
[ 2.719615@3] tas5805_parse_dts pdata->pdn_pin = 417!
[ 2.724997@3] asoc debug: aml_audio_controller_probe-130
[ 2.728547@3] aml_tdm_platform_probe, tdm ID = 0, lane_cnt = 4
[ 2.733531@3] snd_tdm ff642000.audiobus:tdma: lane_mask_out = 2, lane_oe_mask_out = 0
[ 2.741304@3] snd_tdm ff642000.audiobus:tdma: neither mclk_pad nor mclk2pad set
[ 2.748657@3] aml_tdm_platform_probe(), share en = 1[ 2.753219@3] No channel mask node Channel_Mask
[ 2.758019@3] aml_tdm_platform_probe, tdm ID = 1, lane_cnt = 4
[ 2.763520@3] snd_tdm ff642000.audiobus:tdmb: lane_mask_out = 1, lane_oe_mask_out = 0
[ 2.771510@3] aml_tdm_platform_probe(), share en = 1[ 2.775982@3] No channel mask node Channel_Mask
[ 2.780743@3] aml_tdm_platform_probe, tdm ID = 2, lane_cnt = 4
[ 2.786292@3] snd_tdm ff642000.audiobus:tdmc: lane_mask_out = 1, lane_oe_mask_out = 0
[ 2.794269@3] TDM id 2 output clk enable:1
[ 2.798191@3] aml_tdm_platform_probe(), share en = 1[ 2.802801@3] No channel mask node Channel_Mask
[ 2.808755@3] aml_spdif_platform_probe, register soc platform
[ 2.813650@3] snd_pdm ff642000.audiobus:pdm: check whether to update pdm chipinfo
[ 2.820760@3] default set lane_mask_in as all lanes.
[ 2.825326@3] aml_pdm_platform_probe pdm filter mode from dts:1
[ 2.831206@3] aml_pdm_platform_probe, register soc platform
[ 2.837215@3] audio-ddr-manager ff642000.audiobus:ddr_manager: 0, irqs toddr 14, frddr 17
[ 2.844875@3] audio-ddr-manager ff642000.audiobus:ddr_manager: 1,
[ 5.443525@3] ubi7: scanning is finished
[ 5.448716@0] ubi7: attached mtd7 (name "data", size 129 MiB)
[ 5.448831@0] ubi7: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[ 5.455849@0] ubi7: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[ 5.462733@0] ubi7: VID header offset: 2048 (aligned 2048), data offset: 4096
[ 5.469798@0] ubi7: good PEBs: 1037, bad PEBs: 2, corrupted PEBs: 0
[ 5.476012@0] ubi7: user volume: 1, internal volumes: 1, max. volumes count: 128
[ 5.483356@0] ubi7: max/mean erase counter: 1/0, WL threshold: 4096, image sequence number: 66472384
[ 5.492409@0] ubi7: available PEBs: 0, total reserved PEBs: 1037, PEBs reserved for bad PEB handling: 38
[ 5.501818@1] ubi7: background thread "ubi_bgt7d" started, PID 1436
[ 5.506637@0] UBIFS (ubi7:0): background thread "ubifs_bgt7_0" started, PID 1439
UBI device number 7, total 1037 LEBs (131674112 bytes, 125.6 MiB), available 0 LEBs (0 bytes), L[ 5.524276@2] UBIFS (ubi7:0): recovery needed
EB size 126976 bytes (124.0 KiB)
[ 5.601281@1] UBIFS (ubi7:0): recovery completed
[ 5.601441@1] UBIFS (ubi7:0): UBIFS: mounted UBI device 7, volume 0, name "cache"
[ 5.607709@1] UBIFS (ubi7:0): LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 5.617704@1] UBIFS (ubi7:0): FS size: 124944384 bytes (119 MiB, 984 LEBs), journal size 6221824 bytes (5 MiB, 49 LEBs)
[ 5.628395@1] UBIFS (ubi7:0): reserved for root: 4952683 bytes (4836 KiB)
[ 5.635124@1] UBIFS (ubi7:0): media format: w4/r0 (latest is w4/r0), UUID B57309F6-AB04-4AA3-B266-8B3B9D46DB8A, small LPT model
/dev/ubi7_0 /cache ubifs rw,relatime 0 0
/cache is already mounted
ctrl_interface=/data/wifi
/data/misc/bluedroid/bt_config.conf
[ 6.084655@1] unifykey: amlkey_init_gen() enter!
[ 6.084717@1] aml_nand_read_rsv_info:431,read nkey info at 420000
[ 6.092588@1] unifykey: amlkey_init_gen() storagekey_info.buffer=ffffffc005080000, storagekey_info.size = 8000!
[ 6.099959@1] unifykey: name_store() 1302, name mac_bt, 6
[ 6.105066@1] unifykey: name_store() 1311
[ 6.119698@3] unifykey: name: mac_bt, size 17
and wifi mac changes,seting new wifi MAC addr.
[ 6.176697@1] file system registered
[ 6.176862@1] assign_ffs_buffer FFS_BUFFER_MAX=100!!!
[ 6.240206@2] unifykey: key_unify_init() already inited!
[ 6.240334@2] unifykey: name_store() 1302, name mac_wifi, 8
[ 6.245558@2] unifykey: name_store() 1311
[ 6.259914@3] unifykey: name: mac_wifi, size 17
and wifi mac changes,seting new wifi MAC addr.
set system prompt languge to en-US
[ 6.442874@2] logd.auditd: start
[ 6.442937@2] logd.klogd: 6253014376
[1231/160241.580712:WARNING:client_auth_manager.cc(87)] Pref service not available. This should only happen in tests.
[ 6.710932@3]
[ 6.710932@3] aml_pdm_dai_set_sysclk, pdm_sysclk:133333203 pdm_dclk:3071998, dclk_srcpll:24575982
[ 6.715990@3] aml_pdm_dai_prepare, pdm_dclk:3072000, osr:192, rate:16000 filter mode:1
[ 6.723694@3] aml_pdm_ctrl, lane mask:0xf, channels:2, channels mask:0x3, bypass:0
[ 6.731538@3] asoc-aml-card auge_sound: PDM Capture start
[ 6.738658@3] input: mic_state as /devices/virtual/input/input2
Playing WAVE '/usr/share/empty.wav' : Signed 16 bit Little Endian, Rate 44100 Hz, Stereo
link failed File exists
link failed Read-only file system
link failed Read-only file system
link failed Read-only file system
link failed Read-only file system
link failed Read-only file system
link failed No such file or directory
[ 6.937754@3] 8821cs: loading out-of-tree module taints kernel.
[ 7.037557@3] ######platform_wifi_power_on:
[ 7.037613@3] aml_wifi wifi: [extern_wifi_set_enable] WIFI Disable! 465
[ 7.577963@3] aml_wifi wifi: [extern_wifi_set_enable] WIFI Enable! 465
[ 8.091368@0] meson-mmc: sdio: resp_timeout,vstat:0xa1ff2800,virqc:3fff
[ 8.092342@0] meson-mmc: sdio: err: wait for irq service, bus_fsm:0x8
[ 8.099769@0] meson-mmc: sdio: resp_timeout,vstat:0xa1ff2800,virqc:3fff
[ 8.105276@0] meson-mmc: sdio: err: wait for irq service, bus_fsm:0x8
[ 8.116396@0] meson-mmc: sdio: resp_timeout,vstat:0x9dff0800,virqc:3fff
[ 8.118215@0] meson-mmc: sdio: err: wait for desc write back, bus_fsm:0x7
[ 8.125655@3] meson-aml-mmc ffe05000.sdio: card claims to support voltages below defined range
[ 8.153987@3] meson-mmc: actual_clock :400000, HHI_nand: 0x80
[ 8.154098@3] meson-mmc: [meson_mmc_clk_set_rate_v3] after clock: 0x1000033c
[ 8.180485@3] meson-aml-mmc ffe05000.sdio: divider requested rate 100000000 != actual rate 99999903: ret=0
[ 8.184492@3] meson-mmc: actual_clock :99999903, HHI_nand: 0x80
[ 8.190355@3] meson-mmc: [meson_mmc_clk_set_rate_v3] after clock: 0x1000034a
[ 8.197342@3] meson-mmc: Data 1 aligned delay is 0
[ 8.202084@3] meson-mmc: sdio: clk 99999903 tuning start
[ 8.216147@3] meson-mmc: sdio: adj_win: < 0 1 2 3 4 5 7 8 >
[ 8.216175@3] meson-mmc: sdio: best_win_start =0, best_win_size =6
[ 8.222217@3] meson-mmc: sdio: sd_emmc_regs->gclock=0x1000034a,sd_emmc_regs->gadjust=0x32000
[ 8.230576@3] meson-mmc: delay1:0x0, delay2:0x0
[ 8.236422@3] sdio: new ultra high speed SDR50 SDIO card at address 0001
[ 8.241709@3] sdio: clock 99999903, 4-bit-bus-width
[ 8.247140@1] meson-mmc: [sdio_reinit] finish
[ 8.440015@2] Miso kernel module inited
[ 9.619243@2] start_addr=(0x8000), end_addr=(0x10000), buffer_size=(0x8000), smp_number_max=(4096)
[ 9.652930@1] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 9.666218@0] init: '/system/bin/ifconfig' exited with status 0
[ 9.666587@0] init: command 'exec' r=0
[ 9.670558@0] init: executing '/system/bin/iw'
command failed: No such device (-19)
[ 9.714246@0] init: '/system/bin/iw' exited with status 237
[ 9.714372@0] init: command 'exec' r=237
[ 9.719102@0] init: starting 'wpa_supplicant'
[ 9.722900@0] init: command 'start' r=0
[ 9.723369@3] init: Created socket '/dev/socket/wpa_wlan0' with mode '660', user '1008', group '1008'
[ 9.735438@0] init: executing '/sbin/populate_sn.sh'
[ 9.788424@0] init: '/sbin/populate_sn.sh' exited with status 0
Serial Number: bin
Initializing random number generator...
[ 10.495749@3] unifykey: key_unify_init() already inited!
[ 10.495901@3] unifykey: name_store() 1302, name deviceid, 8
[ 10.501141@3] unifykey: name_store() 1311
[ 10.517479@2] unifykey: name: deviceid, size 15
[ 10.541806@1] capability: warning: `dhcpcd' uses 32-bit capabilities (legacy support in use)
[ 11.213431@3] BT_RADIO going: off
[ 11.213466@3] AML_BT: going OFF
[ 11.442394@3] BT_RADIO going: on
[ 11.442428@3] AML_BT: going ON
[ 11.551645@1] configfs-gadget ff400000.dwc2_a: failed to start amlogic: -19
from xiaoai-patch.
duhow
commented on May 27, 2024
Almost there! Looks like this time /bin/sh had some issue.
axg_s420_v1_gva#env set bootargs console=ttyAMA1,115200 console=ttyAMA0,115200 console=ttyS0,115200 init=/bin/sh loglevel=7 console=tty0
axg_s420_v1_gva#run bootcmd
[imgread]szTimeStamp[2020090314331755]
[imgread]secureKernelImgSz=0x9a3000
aml log : R-2048 check pass!
aml log : R2048 check pass!
aml log : R2048 check pass!
aml log : R2048 check pass!
avb2: 0
save_power_post ...
avb2: 0
## Booting Android Image at 0x01080000 ...
reloc_addr =1dedc5d0
copy done
[store]Is good fdt check header, no need decrypt!
load dtb from 0x1000000 ......
Amlogic Multi-DTB tool
Single DTB detected
Uncompressing Kernel Image ... OK
kernel loaded at 0x01080000, end = 0x02121a00
Loading Ramdisk to 1db41000, end 1deb0800 ... OK
Loading Device Tree to 000000001db32000, end 000000001db401af ... OK
fdt_fixup_memory_banks, reg:0000000000000000
Starting kernel ...
uboot time: 70490310 us
domain-0 init dvfs: 1
[ 0.000000@0] Booting Linux on physical CPU 0x0
[ 0.000000@0] Linux version 4.9.113-04598-gde6945f522b7-dirty (ming.liu@droid16-sz) (gcc version 6.3.1 20170109 (Linaro GCC 6.3-2017.02) ) #81 SMP PREEMPT Thu Sep 3 14:18:06 CST 2020
[ 0.000000@0] Boot CPU: AArch64 Processor [410fd034]
[ 0.000000@0] efi: Getting EFI parameters from FDT:
[ 0.000000@0] efi: UEFI not found.
[ 0.000000@0] 07400000 - 07500000, 1024 KB, ramoops@0x07400000
[ 0.000000@0] __reserved_mem_alloc_size, start:0x0000000005000000, end:0x0000000005400000, len:4 MiB
[ 0.000000@0] 05000000 - 05400000, 4096 KB, linux,secmon
[ 0.000000@0] cma: Reserved 8 MiB at 0x000000001f800000
[ 0.000000@0] psci: probing for conduit method from DT.
[ 0.000000@0] psci: PSCIv1.0 detected in firmware.
[ 0.000000@0] psci: Using standard PSCI v0.2 function IDs
[ 0.000000@0] psci: MIGRATE_INFO_TYPE not supported.
[ 0.000000@0] psci: SMC Calling Convention v1.1
[ 0.000000@0] percpu: Embedded 26 pages/cpu @ffffffc01f750000 s68632 r8192 d29672 u106496
[ 0.000000@0] Detected VIPT I-cache on CPU0
[ 0.000000@0] CPU features: enabling workaround for ARM erratum 845719
[ 0.000000@0] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 129024
[ 0.000000@0] Kernel command line: console=ttyAMA1,115200 console=ttyAMA0,115200 console=ttyS0,115200 init=/bin/sh loglevel=7 console=tty0 reboot_mode=cold_boot
[ 0.000000@0]
[ 0.000000@0] PID hash table entries: 2048 (order: 2, 16384 bytes)
[ 0.000000@0] Dentry cache hash table entries: 65536 (order: 7, 524288 bytes)
[ 0.000000@0] Inode-cache hash table entries: 32768 (order: 6, 262144 bytes)
[ 0.000000@0] Memory: 480040K/524288K available (9468K kernel code, 1222K rwdata, 2508K rodata, 3776K init, 635K bss, 31960K reserved, 12288K cma-reserved)
[ 0.000000@0] Virtual kernel memory layout:
[ 0.000000@0] modules : 0xffffff8000000000 - 0xffffff8008000000 ( 128 MB)
[ 0.000000@0] vmalloc : 0xffffff8008000000 - 0xffffffbebfff0000 ( 250 GB)
[ 0.000000@0] .text : 0xffffff8009080000 - 0xffffff80099c0000 ( 9472 KB)
[ 0.000000@0] .rodata : 0xffffff80099c0000 - 0xffffff8009c40000 ( 2560 KB)
[ 0.000000@0] .init : 0xffffff8009c40000 - 0xffffff8009ff0000 ( 3776 KB)
[ 0.000000@0] .data : 0xffffff8009ff0000 - 0xffffff800a121a00 ( 1223 KB)
[ 0.000000@0] .bss : 0xffffff800a121a00 - 0xffffff800a1c06dc ( 636 KB)
[ 0.000000@0] fixed : 0xffffffbefe7fb000 - 0xffffffbefec00000 ( 4116 KB)
[ 0.000000@0] PCI I/O : 0xffffffbefee00000 - 0xffffffbeffe00000 ( 16 MB)
[ 0.000000@0] vmemmap : 0xffffffbf00000000 - 0xffffffc000000000 ( 4 GB maximum)
[ 0.000000@0] 0xffffffbf00000000 - 0xffffffbf00800000 ( 8 MB actual)
[ 0.000000@0] memory : 0xffffffc000000000 - 0xffffffc020000000 ( 512 MB)
[ 0.000000@0] can't find symbol:arm_dma_alloc
[ 0.000000@0] can't find symbol:__alloc_from_contiguous
[ 0.000000@0] can't find symbol:cma_allocator_alloc
[ 0.000000@0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[ 0.000000@0] Preemptible hierarchical RCU implementation.
[ 0.000000@0] Build-time adjustment of leaf fanout to 64.
[ 0.000000@0] RCU restricting CPUs from NR_CPUS=8 to nr_cpu_ids=4.
[ 0.000000@0] RCU: Adjusting geometry for rcu_fanout_leaf=64, nr_cpu_ids=4
[ 0.000000@0]
[ 0.000000@0] **********************************************************
[ 0.000000@0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000@0] ** **
[ 0.000000@0] ** trace_printk() being used. Allocating extra memory. **
[ 0.000000@0] ** **
[ 0.000000@0] ** This means that this is a DEBUG kernel and it is **
[ 0.000000@0] ** unsafe for production use. **
[ 0.000000@0] ** **
[ 0.000000@0] ** If you see this message and you are not debugging **
[ 0.000000@0] ** the kernel, report this immediately to your vendor! **
[ 0.000000@0] ** **
[ 0.000000@0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000@0] **********************************************************
[ 0.000000@0] NR_IRQS:64 nr_irqs:64 0
[ 0.000000@0] irq_meson_gpio: 100 to 8 gpio interrupt mux initialized
[ 0.000000@0] axg_aoclkc_init: register ao clk ok!
[ 0.000000@0] axg_amlogic_init_sdemmc: register amlogic sdemmc clk
[ 0.000000@0] axg_amlogic_init_sdemmc: register amlogic sdemmc clk
[ 0.000000@0] axg_amlogic_init_media: register meson media clk
[ 0.000000@0] axg_amlogic_init_misc: register amlogic axg misc clks
[ 0.000000@0] axg_amlogic_init_misc: register amlogic sdemmc clk
[ 0.000000@0] axg_clkc_init initialization complete
[ 0.000000@0] arm_arch_timer: Architected cp15 timer(s) running at 24.00MHz (phys).
[ 0.000000@0] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x588fe9dc0, max_idle_ns: 440795202592 ns
[ 0.000004@0] sched_clock: 56 bits at 24MHz, resolution 411s287@2] defendkey defendkey: Reserved memory is not enough!
[ 3.261769@2] defendkey: probe of defendkey failed with error -22
[ 3.270030@2] tas5805_parse_dts pdata->pdn_pin = 417!
[ 3.275426@2] asoc debug: aml_audio_controller_probe-130
[ 3.278910@2] aml_tdm_platform_probe, tdm ID = 0, lane_cnt = 4
[ 3.283910@2] snd_tdm ff642000.audiobus:tdma: lane_mask_out = 2, lane_oe_mask_out = 0
[ 3.291765@2] snd_tdm ff642000.audiobus:tdma: neither mclk_pad nor mclk2pad set
[ 3.299093@2] aml_tdm_platform_probe(), share en = 1[ 3.303624@2] No channel mask node Channel_Mask
[ 3.308442@2] aml_tdm_platform_probe, tdm ID = 1, lane_cnt = 4
[ 3.313936@2] snd_tdm ff642000.audiobus:tdmb: lane_mask_out = 1, lane_oe_mask_out = 0
[ 3.321976@2] aml_tdm_platform_probe(), share en = 1[ 3.326401@2] No channel mask node Channel_Mask
[ 3.331199@2] aml_tdm_platform_probe, tdm ID = 2, lane_cnt = 4
[ 3.336703@2] snd_tdm ff642000.audiobus:tdmc: lane_mask_out = 1, lane_oe_mask_out = 0
[ 3.344686@2] TDM id 2 output clk enable:1
[ 3.348565@2] aml_tdm_platform_probe(), share en = 1[ 3.353223@2] No channel mask node Channel_Mask
[ 3.359160@1] aml_spdif_platform_probe, register soc platform
[ 3.364030@1] snd_pdm ff642000.audiobus:pdm: check whether to update pdm chipinfo
[ 3.371147@1] default set lane_mask_in as all lanes.
[ 3.375710@1] aml_pdm_platform_probe pdm filter mode from dts:1
[ 3.381593@1] aml_pdm_platform_probe, register soc platform
[ 3.387601@1] audio-ddr-manager ff642000.audiobus:ddr_manager: 0, irqs toddr 14, frddr 17
[ 3.395249@1] audio-ddr-manager ff642000.audiobus:ddr_manager: 1, irqs toddr 15, frddr 18
[ 3.403336@1] audio-ddr-manager ff642000.audiobus:ddr_manager: 2, irqs toddr 16, frddr 19
[ 3.411884@1] loopback ff642000.audiobus:loopback@0: check whether to update loopback chipinfo
[ 3.420031@1] datain_src:4, datain_chnum:6, datain_chumask:3f
[ 3.425732@1] datalb_src:2, datalb_chnum:2, datalb_chmask:3
[ 3.431330@1] datain_lane_mask:0x7, datalb_lane_mask:0x1
[ 3.436681@1] datalb_format: 1, chmask for lanes: 0x3
[ 3.442009@1] loopback_platform_probe, p_loopback->id:0 register soc platform
[ 3.449485@1] resample_platform_probe
[ 3.452686@1] resample_clk_set, resample_pll:24575982, sclk:12287991, clk:12287991
[ 3.459884@1] audio_ddr_mngr: aml_set_resample(), toddr NULL
[ 3.465485@1] resample id = 0, new resample = 0, resample_module = 3
[ 3.473257@1] Register vad
[ 3.474803@1] check whether to update sound card init data
[ 3.480850@1] tas5805 0-002c: tas5805_init!
[ 4.164832@0] asoc-aml-card auge_sound: control 2:0:0:I2SIn CLK:0 is already present
[ 4.166952@0] snd_tdm ff642000.audiobus:tdmb: ASoC: Failed to add I2SIn CLK: -16
[ 4.174297@0] aml_dai_tdm_probe, failed add snd tdm controls
[ 4.179901@0] asoc-aml-card auge_sound: control 2:0:0:I2SIn CLK:0 is already present
[ 4.187583@0] snd_tdm ff642000.audiobus:tdmc: ASoC: Failed to add I2SIn CLK: -16
[ 4.194910@0] aml_dai_tdm_probe, failed add snd tdm controls
[ 4.200733@0] master_mode(1), binv_p(0), binv_c(1), finv(0) out_skew(1), in_skew(3)
[ 4.209037@0] asoc-aml-card auge_sound: multicodec <-> TDM-A mapping ok
[ 4.214708@0] master_mode(1), binv_p(0), binv_c(1), finv(1) out_skew(1), in_skew(3)
[ 4.222854@0] asoc-aml-card auge_sound: multicodec <-> TDM-B mapping ok
[ 4.228879@0] master_mode(1), binv_p(0), binv_c(1), finv(1) out_skew(1), in_skew(3)
[ 4.237003@0] asoc-aml-card auge_sound: multicodec <-> TDM-C mapping ok
[ 4.243338@0] asoc-aml-card auge_sound: dummy <-> ff642000.audiobus:pdm mapping ok
[ 4.252916@3] snd_card_add_kcontrols card:ffffffc01ca74018
[ 4.255895@3] effect_v2 is not init
[ 4.259361@3] Failed to add VAD controls
[ 4.263508@3] GACT probability NOT on
[ 4.266875@3] Mirror/redirect action on
[ 4.270641@3] u32 classifier
[ 4.273475@3] Actions configured
[ 4.277024@3] Netfilter messages via NETLINK v0.30.
[ 4.282146@3] nf_conntrack version 0.5.0 (4096 buckets, 16384 max)
[ 4.288340@3] ctnetlink v0.93: registering with nfnetlink.
[ 4.294078@2] xt_time: kernel timezone is -0000
[ 4.298089@2] ipip: IPv4 and MPLS over IPv4 tunneling driver
[ 4.304514@2] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 4.309277@2] arp_tables: arp_tables: (C) 2002 David S. Miller
[ 4.314836@2] Initializing XFRM netlink socket
[ 4.319974@0] NET: Registered protocol family 10
[ 4.325346@0] mip6: Mobile IPv6
[ 4.326808@0] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 4.332699@0] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[ 4.340083@0] NET: Registered protocol family 17
[ 4.342978@0] NET: Registered protocol family 15
[ 4.347542@0] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[ 4.360691@0] Bluetooth: RFCOMM TTY layer initialized
[ 4.365538@0] Bluetooth: RFCOMM socket layer initialized
[ 4.370814@0] Bluetooth: RFCOMM ver 1.11
[ 4.374675@0] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[ 4.380089@0] Bluetooth: BNEP filters: protocol multicast
[ 4.385462@0] Bluetooth: BNEP socket layer initialized
[ 4.390530@0] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[ 4.396582@0] Bluetooth: HIDP socket layer initialized
[ 4.401707@0] NET: Registered protocol family 35
[ 4.406697@0] Registered swp emulation handler
[ 4.410727@0] Registered cp15_barrier emulation handler
[ 4.415866@0] Registered setend emulation handler
[ 4.420521@0] disable EAS feature
[ 4.4
4[ 6.751849@2] unifykey: key_unify_init() already inited!
[ 6.751995@2] unifykey: name_store() 1302, name mac_wifi, 8
[ 6.757236@2] unifykey: name_store() 1311
[ 6.771525@1] unifykey: name: mac_wifi, size 17
[ 6.968091@3] logd.auditd: start
[ 6.968170@3] logd.klogd: 6935579086
[ 7.225033@2]
[ 7.225033@2] aml_pdm_dai_set_sysclk, pdm_sysclk:133333203 pdm_dclk:3071998, dclk_srcpll:24575982
[ 7.230137@2] aml_pdm_dai_prepare, pdm_dclk:3072000, osr:192, rate:16000 filter mode:1
[ 7.237841@2] aml_pdm_ctrl, lane mask:0xf, channels:2, channels mask:0x3, bypass:0
[ 7.238197@2] asoc-aml-card auge_sound: PDM Capture start
[ 7.240532@2] input: mic_state as /devices/virtual/input/input2
[ 7.434680@1] 8821cs: loading out-of-tree module taints kernel.
[ 7.534296@1] ######platform_wifi_power_on:
[ 7.534370@1] aml_wifi wifi: [extern_wifi_set_enable] WIFI Disable! 465
[ 8.064681@1] aml_wifi wifi: [extern_wifi_set_enable] WIFI Enable! 465
[ 8.578021@0] meson-mmc: sdio: resp_timeout,vstat:0xa1ff2800,virqc:3fff
[ 8.579016@0] meson-mmc: sdio: err: wait for irq service, bus_fsm:0x8
[ 8.586499@0] meson-mmc: sdio: resp_timeout,vstat:0xa1ff2800,virqc:3fff
[ 8.591951@0] meson-mmc: sdio: err: wait for irq service, bus_fsm:0x8
[ 8.603225@0] meson-mmc: sdio: resp_timeout,vstat:0x9dff0800,virqc:3fff
[ 8.604888@0] meson-mmc: sdio: err: wait for desc write back, bus_fsm:0x7
[ 8.612381@1] meson-aml-mmc ffe05000.sdio: card claims to support voltages below defined range
[ 8.640637@1] meson-mmc: actual_clock :400000, HHI_nand: 0x80
[ 8.640755@1] meson-mmc: [meson_mmc_clk_set_rate_v3] after clock: 0x1000033c
[ 8.668548@1] meson-aml-mmc ffe05000.sdio: divider requested rate 100000000 != actual rate 99999903: ret=0
[ 8.672591@1] meson-mmc: actual_clock :99999903, HHI_nand: 0x80
[ 8.678448@1] meson-mmc: [meson_mmc_clk_set_rate_v3] after clock: 0x1000034a
[ 8.685435@1] meson-mmc: Data 1 aligned delay is 0
[ 8.690174@1] meson-mmc: sdio: clk 99999903 tuning start
[ 8.705168@1] meson-mmc: sdio: adj_win: < 0 1 2 3 4 5 7 8 >
[ 8.705212@1] meson-mmc: sdio: best_win_start =0, best_win_size =6
[ 8.711256@1] meson-mmc: sdio: sd_emmc_regs->gclock=0x1000034a,sd_emmc_regs->gadjust=0x32000
[ 8.719616@1] meson-mmc: delay1:0x0, delay2:0x0
[ 8.725502@1] sdio: new ultra high speed SDR50 SDIO card at address 0001
[ 8.730744@1] sdio: clock 99999903, 4-bit-bus-width
[ 8.736124@2] meson-mmc: [sdio_reinit] finish
[ 8.928058@0] Miso kernel module inited
[ 10.099877@0] start_addr=(0x8000), end_addr=(0x10000), buffer_size=(0x8000), smp_number_max=(4096)
[ 10.128907@1] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 10.159425@2] init: '/system/bin/iw' exited with status 237
[ 10.159569@2] init: command 'exec' r=237
[ 10.164052@2] init: starting 'wpa_supplicant'
[ 10.168290@2] init: command 'start' r=0
[ 10.168824@3] init: Created socket '/dev/socket/wpa_wlan0' with mode '660', user '1008', group '1008'
[ 10.180704@2] init: executing '/sbin/populate_sn.sh'
[ 10.226831@2] init: '/sbin/populate_sn.sh' exited with status 0
[ 10.227226@2] init: command 'exec' r=0
[ 10.231082@2] init: executing '/bin/sh'
[ 10.258101@3] meson_uart ff803000.serial: ttyS0 use xtal(8M) 24000000 change 115200 to 115200
Serial Number: bin
[ 10.273672@1] init: '/bin/sh' exited with status 0
[ 10.943376@1] unifykey: key_unify_init() already inited!
[ 10.943560@1] unifykey: name_store() 1302, name deviceid, 8
[ 10.948798@1] unifykey: name_store() 1311
[ 10.966653@2] unifykey: name: deviceid, size 15
[ 11.008344@1] capability: warning: `dhcpcd' uses 32-bit capabilities (legacy support in use)
[ 11.624240@1] BT_RADIO going: off
[ 11.624299@1] AML_BT: going OFF
[ 11.853059@1] BT_RADIO going: on
[ 11.853114@1] AML_BT: going ON
[ 11.985070@3] configfs-gadget ff400000.dwc2_a: failed to start amlogic: -19
from xiaoai-patch.
mah8050
commented on May 27, 2024
Good progress
About usb header and getting access to adb
I realized somewhere in documents it said they use something similar to fastboot in android but with extra commands available
And that recovery partition is interesting, do you think we can boot into recovery like android devices? Even get access to shell?
from xiaoai-patch.
duhow
commented on May 27, 2024
@mah8050 uboot mentions fastboot and there's also another possibility to insert data via USB.
I tried changing boot_part to recovery and factory, factory does not even work, recovery reboots itself after 2-3 minutes.
There's also a cmd to set "android debug" in uboot.
from xiaoai-patch.
mah8050
commented on May 27, 2024
Today I had time to poke around my speaker a bit
and guess what, I have login prompt
sdio debug board detected
TE: 23724
BL2 Built : 15:46:00, Sep 29 2019. axg g8667414 - sentao.gao@droid08-bj
set vcck to 1140 mv
set vddee to 1070 mv
Board ID = 1
CPU clk: 1200MHz
DDR low power enabled
DDR DQS-calibration enabled
DDR scramble enabled
DDR3 chl: Rank0 16bit @ 792MHz - PASS
Rank0: 128MB-2T-11
DataBus test pass!
AddrBus test pass!
NAND init
chk page: 00000500
chk page: 00000540
chk page: 00000580
chk page: 000005c0
bbt blk:00000014
bbt page:00000000
0000000000000000000000000000000000000000000000000000000000000000
Load FIP HDR from NAND, src: 0x0000c000, des: 0x01700000, size: 0x00004000
Load BL3x from NAND, src: 0x00010000, des: 0x01704000, size: 0x00080000
NOTICE: BL31: v1.3(release):87b5e26
NOTICE: BL31: Built : 11:33:44, Apr 10 2020
NOTICE: BL31: AXG normal boot!
NOTICE: BL31: BL33 decompress pass
[Image: axg_v1.1.3268-b93dd79 2017-12-01 14:22:18 huan.biao@droid12]
OPS=0x43
9f e 90 e4 59 3 8b 90 f5 2c 1a d0 bl30:axg ver: 9 mode: 0
bl30:axg thermal0
[0.014405 Inits done]
secure task start!
high task start!
low task start!
ERROR: Error initializing runtime service opteed_fast
U-Boot 2015.01 (Apr 26 2020 - 13:41:31), Build: jenkins-Mico_l09a_ota_publish-67
DRAM: 128 MiB
Relocation Offset is: 06f17000
register usb cfg[0][1] = 0000000007f89658
NAND: nand id: 0xc8 0xd1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: c8 d1 80 95 40 7f
NAND device: Manufacturer ID: 0xc8, Chip ID: 0xc8 (Gigadevice ESMT SLC 128MiB 3.3V 8-bit F59L1G81Mxxx)
oob avail size 6
Creating 1 MTD partitions on "ESMT SLC 128MiB 3.3V 8-bit F59L1G81Mxxx":
0x000000000000-0x000000200000 : "bootloader"
ESMT SLC 128MiB 3.3V 8-bit F59L1G81Mxxx initialized ok
nand id: 0xc8 0xd1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: c8 d1 80 95 40 7f
NAND device: Manufacturer ID: 0xc8, Chip ID: 0xc8 (Gigadevice ESMT SLC 128MiB 3.3V 8-bit F59L1G81Mxxx)
PLANE change!
aml_nand_init :oobmul=1,oobfree.length=8,oob_size=64
oob avail size 8
bbt_start=20 env_start=24 key_start=32 dtb_start=40
nbbt: info size=0x400 max_scan_blk=24, start_blk=20
nbbt : phy_blk_addr=20, ec=0, phy_page_addr=0, timestamp=1
nbbt free list:
blockN=21, ec=-1, dirty_flag=0
blockN=22, ec=-1, dirty_flag=0
blockN=23, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=1
aml_nand_scan_rsv_info 1254
nbbt valid addr: 280000
aml_nand_bbt_check 1389 bbt is valid, reading.
aml_nand_read_rsv_info:397,read nbbt info to 280000
nenv: info size=0x10000 max_scan_blk=32, start_blk=24
nenv : phy_blk_addr=24, ec=25, phy_page_addr=0, timestamp=51
nenv free list:
blockN=25, ec=24, dirty_flag=1
blockN=26, ec=-1, dirty_flag=0
blockN=27, ec=-1, dirty_flag=0
blockN=28, ec=-1, dirty_flag=0
blockN=29, ec=-1, dirty_flag=0
blockN=30, ec=-1, dirty_flag=0
blockN=31, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=32
aml_nand_scan_rsv_info 1254
nenv valid addr: 300000
nkey: info size=0x8000 max_scan_blk=40, start_blk=32
nkey : phy_blk_addr=32, ec=0, phy_page_addr=0, timestamp=1
nkey free list:
blockN=33, ec=-1, dirty_flag=0
blockN=34, ec=-1, dirty_flag=0
blockN=35, ec=-1, dirty_flag=0
blockN=36, ec=-1, dirty_flag=0
blockN=37, ec=-1, dirty_flag=0
blockN=38, ec=-1, dirty_flag=0
blockN=39, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=16
aml_nand_scan_rsv_info 1254
nkey valid addr: 418000
ndtb: info size=0x20000 max_scan_blk=44, start_blk=40
ndtb : phy_blk_addr=40, ec=0, phy_page_addr=0, timestamp=1
ndtb free list:
blockN=41, ec=-1, dirty_flag=0
blockN=42, ec=-1, dirty_flag=0
blockN=43, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=64
aml_nand_scan_rsv_info 1254
ndtb valid addr: 500000
tpl: off 8388608, size 8388608
Creating 6 MTD partitions on "ESMT SLC 128MiB 3.3V 8-bit F59L1G81Mxxx":
0x000000800000-0x000001000000 : "tpl"
0x000001000000-0x000001600000 : "boot0"
0x000001600000-0x000001c00000 : "boot1"
0x000001c00000-0x000004400000 : "system0"
0x000004400000-0x000006c00000 : "system1"
0x000006c00000-0x000008000000 : "data"
ESMT SLC 128MiB 3.3V 8-bit F59L1G81Mxxx initialized ok
aml_key_init 170
MMC:
uboot env amlnf_env_read : ####
aml_nand_read_rsv_info:397,read nenv info to 300000
In: serial
Out: serial
Err: serial
InUsbBurn
noSof
Hit Enter or space or Ctrl+C key to stop autoboot -- : 0
Saving Environment to aml-storage...
uboot env amlnf_env_save : ####
aml_nand_save_rsv_info:656, nenv: valid=1, pages=32
aml_nand_save_rsv_info:716,save info to 310000
aml_nand_write_rsv:520,write info to 310000
[burnup]Rd:Up sz 0x403f48 to align 0x1000
save_power_post ...
## Booting Android Image at 0x01080000 ...
reloc_addr =70343f0
copy done
load dtb from 0x1000000 ......
Amlogic multi-dtb tool
Cannot find legal dtb!
ERROR: image is not a fdt - must RESET the board to recover.
load dtb from 0x75303f0 ......
Amlogic multi-dtb tool
Single dtb detected
amlkey_init() enter!
amlnf_key_read key data len too much
aml_nand_read_rsv_info:397,read nkey info to 418000
[EFUSE_MSG]keynum is 4
Uncompressing Kernel Image ... OK
kernel loaded at 0x01080000, end = 0x0187f808
Loading Ramdisk to 06ea2000, end 070045c1 ... OK
Loading Device Tree to 0000000006e97000, end 0000000006ea1f47 ... OK
Starting kernel ...
uboot time: 1645971 us
domain-0 init dvfs: 4
[ 0.229519@0] not match wifi_pwm_config node
[ 0.542260@1] ff803000.serial: clock gate not found
[ 0.549652@1] amlogic-new-usb3 ffe09080.usb3phy: This phy has no usb port
[ 0.726930@0] adr fault isr
[ 1.445278@2] hub 2-0:1.0: config failed, hub doesn't have any ports! (err -19)
LED AW20072
[ 1.975673@2] AW20072 0-003b: [AW20072] leds_aw20072_module_init : get hwen pin error.
Board ID 1
curr_boot is boot0
Booting from boot0
/dev/mtdblock4 is ready now.
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
Please press Enter to activate this console.
micocfg[1098]: cfg get: success: /usr/share/mico/system.cfg k:model v:L09A
micocfg[1098]: cfg get: success: /data[ 9.086124@0] name: mac_wifi, size 17
/etc/device.info k:board_id v:0
[ 9.095912@1] name: mac_bt, size 17
micocfg[1113]: cfg get: success: /usr/share/mico/system.cfg k:model v:L09A
micocfg[1113]: cfg get: success: /usr/share/mico/system.cfg k:buildts v:1618799981
micocfg[1115]: cfg get: success: /usr/share/mico/system.cfg k:model v:L09A
micocfg[1115]: cfg get: success: /usr/share/mico/system.cfg k:model v:L09A
micocfg[1116]: cfg get: success: /usr/share/mico/system.cfg k:model v:L09A
micocfg[1116]: bt_enable_set argv[1] 1
micocfg[1116]: cfg update success: /data/bt/bluetooth.cfg k:enable v:1
micocfg[1116]: cfg set string free tmp
micocfg[1117]: cfg get: success: /usr/share/mico/system.cfg k:model v:L09A
micocfg[1117]: cfg get: success: /data/etc/messaging.cfg k:super_admin v:1771462696
micocfg[1118]: cfg get: success: /usr/share/mico/system.cfg k:model v:L09A
micocfg[1118]: cfg update success: /data/etc/miio.cfg k:registed v:true
micocfg[1118]: cfg set string free tmp
ledserver[1165]: Build Time: Apr 19 2021 03:10:01
ledserver[1165]: starting
ledserver[1165]: LedType_AW20072
ledserver[1165]: cfg get: success: /data/etc/nightmode.cfg k:total v:night
ledserver[1165]: cfg get: success: /data/etc/nightmode.cfg k:light v:night
ledserver[1165]: cfg get: success: /data/etc/nightmode.cfg k:volume v:night
ledserver[1165]: cfg get: success: /data/etc/nightmode.cfg k:start v:22:00
ledserver[1165]: cfg get: success: /data/etc/nightmode.cfg k:stop v:06:00
ledserver[1165]: handle_show start
ledserver[1165]: start_show effect_id is 4 is_working is 0
ledserver[1165]: start_show end
ledserver[1165]: thread_push_led start
ledserver[1165]: handle_show stop
ledserver[1165]: thread_push_led end
crond[1207]: crond (busybox 1.27.2) started, log level 5
ledserver[1165]: light_show_control 4
ledserver[1165]: open_light start
ledserver[1165]: ledtype 2
ledserver[1165]: light_show_effect 4
ledserver[1165]: open_light end
[ 11.816224@0] adr fault isr
[ 11.816254@0] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:97
[ 11.821857@0] in_atomic(): 1, irqs_disabled(): 128, pid: 1253, name: mipns-xiaomi
[ 11.829271@0] Preemption disabled at:[<ffffff8009413740>] mpll_set_rate+0x60/0x1f0
[ 12.424702@0] pdm_dclk is : 0
[ 12.480875@3] configfs-gadget ff400000.dwc2_a: failed to start amlogic: -19
[ 13.840958@3] pdm_dclk is : 0
[ 13.841608@0] invalid toddr src
L09A login: root
magic[release]: 27446/A0QH497384206839F
password:
each time I enter a login name (like 'root') it makes different magic[release] code
I think each time it needs a different password to log in.
first part of magic number is my S/N which is 27446/A0QH49738
from xiaoai-patch.
dgiron-midokura
commented on May 27, 2024
But you have this input from openwrt boot
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
Please press Enter to activate this console.
How did you get this?
from xiaoai-patch.
mah8050
commented on May 27, 2024
Just connected serial port and hit enter while booting.
It seems that the firmware is completely different in L09A as it has much less Storage and less RAM
PS: Something got my attention during playing with boot and trying to login
i hit enter just after
Please press Enter to activate this console.
and typed root in login prompt
and got this:
login[959]: dsa verify sign len 0, digest(len 22) 27446/A0QH497384EC136F
login[959]: DSA_verify err error:0D07207B:lib(13):func(114):reason(123)!
login[959]: dsa verify failed
login[959]: pam_authenticate call failed: Authentication failure (7)
from xiaoai-patch.
dgiron-midokura
commented on May 27, 2024
Right. So maybe the system is also different, like... Maybe this is Google provided, not Xiaomi image or content at all?
If so, then there's nothing to do here - hard mode. 😂
from xiaoai-patch.
mah8050
commented on May 27, 2024
clearly something is different:
mine is:
Creating 6 MTD partitions on "ESMT SLC 128MiB 3.3V 8-bit F59L1G81Mxxx":
0x000000800000-0x000001000000 : "tpl"
0x000001000000-0x000001600000 : "boot0"
0x000001600000-0x000001c00000 : "boot1"
0x000001c00000-0x000004400000 : "system0"
0x000004400000-0x000006c00000 : "system1"
0x000006c00000-0x000008000000 : "data"
ESMT SLC 128MiB 3.3V 8-bit F59L1G81Mxxx initialized ok
and yours is:
[ 2.362975@1] aml_nand_add_partition:392 factory bad addr=601
[ 2.388135@1] Creating 7 MTD partitions on "nandnormal":
[ 2.388165@1] 0x000000800000-0x000001000000 : "tpl"
[ 2.396888@2] 0x000001000000-0x000001a00000 : "recovery"
[ 2.402862@3] 0x000001a00000-0x000002600000 : "boot"
[ 2.408643@3] 0x000002600000-0x000003600000 : "system"
[ 2.415334@3] 0x000003600000-0x000007a20000 : "chrome"
[ 2.423468@3] NAND bbt detect factory Bad block at 5040000
[ 2.438235@3] 0x000007a20000-0x000007e20000 : "factory"
[ 2.445393@3] 0x000007e20000-0x000010000000 : "data"
[ 2.465592@3] NAND bbt detect factory Bad block at c000000
[ 2.465660@3] NAND bbt detect factory Bad block at c020000
[ 2.492502@3] nandnormal initialized ok
That would make me sad, I really hope to make the speaker Speak in an understandable language :((
from xiaoai-patch.
duhow
commented on May 27, 2024
Don't get confused, thing here is that L09A may work with this repo project, while L09G not! 😂
Looks like the same structure of dual boot partitions.
You may try this to get the root password.
mi_passwd.html.txt
After that, dump/backup all the mtd partitions in your computer, and analyze whether they are signed or not with binwalk.
from xiaoai-patch.
duhow
commented on May 27, 2024
That's great news @mah8050 ! I suggest let's close this issue - no longer a "snapcast question", and let's work on this in a separate issue for L09A . Please create it and I'll detail you the operations to do.
from xiaoai-patch.
radekson
commented on May 27, 2024
Is there anyone else trying to break the L09G?
from xiaoai-patch.
ds2k5
commented on May 27, 2024
Hi radekson,
I am trying.... but no success until yet
from xiaoai-patch.
dragar
commented on May 27, 2024
Is there anything new about the L09G?
from xiaoai-patch.
ds2k5
commented on May 27, 2024
Is there anything new about the L09G?
No sorry not from my side!
My I will have time after XMas to "restart"
Do you have experience with buspirate 3.6 may I can get one
may it is possible to grab the frimware from the L09G with this "device" ?
from xiaoai-patch.
duhow
commented on May 27, 2024
The firmware is already located from several days ago.
https://cdn.cnbj1.fds.api.mi-img[.]com/xiaoqiang/rom/l09g/mico_l09g_6c5c9_1.44.27.bin
If any of you do any findings or progress in L09G, please open a new issue.
from xiaoai-patch.
duhow
commented on May 27, 2024
For the people interested in L09G, you may want to have a look at #49 (comment) :)
from xiaoai-patch.
Related Issues (20)
- toolchain might be better to use armv8l instead of armv7a HOT 1
- Information gathering for voice assistant implementation via porcupine and vosk HOT 10
- [Workaround] hardcoded wifi mac address is used for LX01 HOT 3
- Xiaoai Speaker Play - L05B HOT 19
- Hack into my new LX06 HOT 26
- wget2: certificate verify failed HOT 1
- mpd: Input latency for AUX input HOT 2
- Build for package 'sndio' not completed HOT 2
- AS05G HOT 15
- Docker container exits with error "Build for package 'glibc' not completed" HOT 5
- I tried to connect procupine to MQTT, but failed.
- L09G HOT 60
- bluealsa-aplay v4 not working HOT 1
- `porcupine_launcher` does not work with recent Home Assistant HOT 1
- Trying on L09b Xiaoai Art Battery HOT 10
- Good smart speaker with good sound quality and easy to flash? HOT 3
- LX06 network configuration HOT 3
- TLS issue with listener due to not current date HOT 1
- remote firmware update HOT 2
- Lx01 HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from xiaoai-patch.