
Can you make a short instruction on how to get the correct address? #2

Open
b8hri11 opened this issue Oct 14, 2022 · 8 comments


b8hri11 commented Oct 14, 2022

Can you make a short instruction on how to get the correct address for S905X?

#define P_WATCHDOG_RESET (volatile unsigned int *)0xFFD0F0DC
#define _clear_icache() ((void (*)(void))0xffff051c)()
#define _dwc_pcd_irq() ((void (*)(void))0xffff6c94)()
#define _start_bulk_transfer(pcd) ((void (*)(volatile pcd_struct_t *))0xffff5604)(pcd)
#define BOOTROM_ADDR 0xFFFE0000
volatile pcd_struct_t *pcd = (pcd_struct_t *)0xfffe3918;

@PinkyAcorn

Hi there,

I'm trying to repair a bricked Xiaomi Mi Box 3 MDZ-16-AB (based on the S905X-H SoC).
The TV box cannot be flashed using the Amlogic update tool (the infamous low_power error) nor recovered using U-Boot (no U-Boot shell appeared during boot).
The only solution I found is to program the desoldered eMMC chip, which is too unacceptable for me for now.

Then I found Frédéric Basse's article about hacking the Amlogic bootrom.
Maybe I can recover my box using this exploit with the right payload?

AFAIK the only major difference (for amlogic-usbdl) between S905X and S905D3 is the SoC memory map.
In the amlogic-usbdl tool I found 2 hardcoded addresses and 1 hardcoded size:
LOAD_ADDR - start of the embedded SoC SRAM (AHB-SRAM)
TARGET_RA_PTR - address of the return address on the BL1 stack (placed inside the SRAM)
MAX_PAYLOAD_SIZE - size of the free AHB-SRAM where the payload can be placed

Payloads may need extra addresses; for example dump_bootrom_uart.S (which I'm willing to make work first) needs:
_uart_putc - address of the uart_putc function embedded in the bootrom(?)
_addr - start address of the bootrom
_watchdog_rst - address of the WATCHDOG RESET register
and the size of the bootrom itself.

Inside that U-Boot repo I found some info.
The header cpu_config.h describes the S905X SRAM layout and the bootrom start address and size:

/***********************************************************
 * The following constants are GXBB definition
 **********************************************************/
#define ROMBOOT_START   0xD9040000
#define ROM_SIZE        (64*1024)
#define ROMBOOT_END     (ROMBOOT_START+ROM_SIZE)

/***********************************************************
 * AHB-SRAM Total Size 80KB, layout shown as below
 *
 * ROMCODE use the top 32KB
 *
 * [	128] 0xD901_3F80 - 0xD901_3FFF	Reserved
 * [	128] 0xD901_3F00 - 0xD901_3F7F	CPUs Boot Entry
 * [	256] 0xD901_3E00 - 0xD901_3EFF	Debug Info
 * [	512] 0xD901_3C00 - 0xD901_3DFF	eFuse mirror
 * [	 1K]	0xD901_3800 - 0xD901_3BFF	Secure Mailbox (3)
 * [	 1K]	0xD901_3400 - 0xD901_37FF	High Mailbox (2) *
 * [	 1K]	0xD901_3000 - 0xD901_33FF	High Mailbox (1) *
 * [	26K] 0xD900_C800 - 0xD901_2FFF	BL1 Stack, BSS
 * [	 1K]	0xD900_C400 - 0xD900_C7FF	NAND, USB Buffer
 * [	 1K]	0xD900_C000 - 0xD900_C3FF	Reserved
 *
 **********************************************************/

In the header secure_apb.h there is what looks like the address of the WATCHDOG_RESET register:

#define     AO_WATCHDOG_RESET                                  (0xc8100000 + (0x4b << 2))
#define SEC_AO_WATCHDOG_RESET                                  (0xda100000 + (0x4b << 2))
#define   P_AO_WATCHDOG_RESET                                  (volatile uint32_t *)(0xc8100000 + (0x4b << 2))

So, for S905X (probably):

LOAD_ADDR        = 0xD9000000
TARGET_RA_PTR    = somewhere inside BL1 Stack (0xD900C800 .. 0xD9012FFF)
MAX_PAYLOAD_SIZE = 0xC000, as ROMCODE uses the top 32KB (80K total - 32K bootrom = 48K for payload)
_watchdog_rst    = 0xC810012C
_uart_putc       = somewhere inside bootrom (0xD9040000 .. 0xD9050000)
_addr            = 0xD9040000
bootrom size     = 0x10000

P.S. Bricked MDZ-16-AB boot log, maybe it can help somehow:

GXL:BL1:9ac50e:a1974b;FEAT:BDFD71BC;POC:3;RCY:0;EMMC:0;READ:0;0.0;CHK:0;
TE: 74806

BL2 Built : 13:27:37, Oct 25 2017. gxl g56b77aa - xiaobo.gu@droid12

_vcc5_power_init
rn5t567_power_init
Board ID = 1
CPU clk: 1200MHz
DQS-corr enabled
DDR scramble enabled
DDR3 chl: Rank0+1 @ 912MHz
bist_test rank: 0 19 02 31 2c 16 42 17 00 2f 31 1a 48 18 00 31 2f 18 46 17 00 2e 30 1a 46 693  rank: 1 18 03 2d 2c 17 42 17 00 2e 33 1e 48 15 02 29 2e 18 44 14 00 29 2f 16 48 693   - PASS

Rank0: 1024MB(auto)-2T-13

Rank1: 1024MB(auto)-2T-13
AddrBus test pass!
-s
emmc switch 3 ok
BL2: rpmb counter: 0x00000020
emmc switch 0 ok
Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000
aml log : R1024 check pass!
New fip structure!
Load bl30 from eMMC, src: 0x00010200, des: 0x01700000, size: 0x0000d600
aml log : R1024 check pass!
Load bl31 from eMMC, src: 0x00020200, des: 0x01700000, size: 0x0002c600
aml log : R1024 check pass!
Load bl32 from eMMC, src: 0x00050200, des: 0x01700000, size: 0x00034600
aml log : R1024 check pass!
Load bl33 from eMMC, src: 0x00088200, des: 0x01700000, size: 0x00051e00
aml log : R1024 check pass!
NOTICE:  BL3-1: v1.0(release):7c45a4f
NOTICE:  BL3-1: Built : 14:09:28, Oct 13 2017
[BL31]: GXL CPU setup!
NOTICE:  BL31: GXL secure boot!
NOTICE:  BL31: BL33 decompress pass
mpu_config_enable:ok
[Image: gxl_v1.1.3255-1a77b01 2017-09-15 16:58:02 xiaobo.gu@droid12]
OPS=0x82
28 4c bc 54 fc 61 81 36 67 73 0 da [1.442766 Inits done]
secure task start!
high task start!
low task start!
INFO:    BL3-2: ATOS-V2.4-67-g26d2f32 #1 Tue Jan 23 10:10:32 UTC 2018 arm
INFO:    BL3-2: Chip: GXL Rev: B (21:B - 80:2)
INFO:    BL3-2: crypto engine DMA
INFO:    BL3-2: secure time TEE
INFO:    BL3-2: CONFIG_DEVICE_SECURE 0xb200000e


U-Boot 2015.01-g0a1e56b (Jun 21 2018 - 13:51:11), Build: jenkins-once_cts-2167

DRAM:  2 GiB
Relocation Offset is: 76edb000
register usb cfg[0][1] = 0000000077f65290
vpu: error: vpu: check dts: FDT_ERR_BADMAGIC, load default parameters
vpu: clk_level = 7
vpu: set clk: 666667000Hz, readback: 666660000Hz(0x300)
vpu: vpu_clk_gate_init_off
MMC:   aml_priv->desc_buf = 0x0000000073edb640
aml_priv->desc_buf = 0x0000000073edd960
SDIO Port B: 0, SDIO Port C: 1
emmc/sd response timeout, cmd8, status=0x3ff2800
emmc/sd response timeout, cmd55, status=0x3ff2800
original ext_csd[171] USE_WP field value is 50
ext_csd[171] USER_WP filed value after switch is 58
init_part() 293: PART_TYPE_AML
[mmc_init] mmc init success

@Raxone (Owner) commented Oct 19, 2022

Hello.
Great research, PinkyAcorn.
I don't have any box with S905X, but I have S905W and S905, and all those CPUs have the same SRAM structure.
If the stock (factory) firmware for that box does not have a password.bin, which is the usb_password protection, I suggest you try to fix the low_power error with a powered USB hub or another USB port, and try, when you click Start in USB Burn Tool, immediately connecting the power adapter cable to the box.
Can you send me the log from UBT?

@PinkyAcorn

Thanks a lot for your reply!

AFAIK my board is password protected.
I found a password.bin file for a very similar board, the Xiaomi Mi Box S MDZ-22-AB.
But it did not work on my box.
I tried to connect my box with an externally powered cable but got the same error (low_power).

UBT log

@Raxone (Owner) commented Oct 19, 2022

If the board is USB password protected and you have a USB password, amlogic-usbdl does not work.

@PinkyAcorn

I tried running the amlogic-usbdl tool from Frédéric's repo.
Log:

- exploit: starting.
- exploit: sending payload...
libusb_bulk_transfer: transferred=256, transfers left=1078
...
libusb_bulk_transfer: transferred=256, transfers left=824
- exploit: sending 823 dummy transfers...
libusb_bulk_transfer[0]: transferred=0
...
libusb_bulk_transfer[822]: transferred=0
- exploit: sending last transfer to overwrite RAM...
libusb_bulk_transfer: transferred=140
- exploit: done.

The tool ran successfully, but the magic did not happen due to incorrect addresses (TARGET_RA_PTR particularly).

But as far as I can tell, amlogic-usbdl includes a password protection check.

Does this mean my board doesn't have password protection, or is it some kind of bug in amlogic-usbdl?

@PinkyAcorn

GUYS!!
Something BIG just happened!

I was tinkering around with the update tool from the khadas utils repo.

This tool is something like a Linux analog of the Windows Amlogic UBT:

> ./update
====>Amlogic update USB tool(Ver 1.7.2) 2018/04<=============
update	<command>	[device name]	<arg0>	<arg1>	<arg2>	...

Common Commands:
update <partition>: Burn a partition with a partition image
update <mwrite>   : Burn data to media or memory
update <mread>    : Dump a data from media or memory to pc and save as a file
update <tplcmd>   : like bulkcmd
update <bulkcmd>  : pass and exec a command platform bootloader can support
update <write>    : Down a file to memory
update <run>      : Run code from memory address
update <read>     : Dump data from memory:
update <wreg>     : set one 32bits reg:
update <rreg>     : Dump data from reg:
update <password> : unlock chip:
update <chipinfo> : get chip info at page index:
update <chipid>   : get chip id
update <bl2_boot> : boot fip format u-boot.bin

I've tried to use the read command to read the BOOTROM.
Of course it didn't work:

> ./update read 0x10000 0xd9040000
[read],value=200,index=1,len=512,ret=-71 error_msg=error sending control message: Protocol error
[read],value=200,index=1,len=512,ret=-19 error_msg=error sending control message: No such device
[read],value=200,index=1,len=512,ret=-19 error_msg=error sending control message: No such device
[update]ERR(L638):read device failed

BUT!
I rebooted my board, then ran Frédéric's amlogic-usbdl with the update tool right after, and...

> ./amlogic-usbdl ./payloads/dump_bootrom_uart.bin && ./update read 0x10000 0xD9000000
- exploit: starting.
- exploit: sending payload...
libusb_bulk_transfer: transferred=256, transfers left=1078
...
libusb_bulk_transfer: transferred=256, transfers left=824
- exploit: sending 823 dummy transfers...
libusb_bulk_transfer[0]: transferred=0
...
libusb_bulk_transfer[822]: transferred=0
- exploit: sending last transfer to overwrite RAM...
libusb_bulk_transfer: transferred=140
- exploit: done.

[BOOTROM DUMP APPEARED HERE]

Somehow it WORKED and printed the BOOTROM dump right into my terminal.

After converting this text dump to binary form I ran some commands and got what looks like what Frédéric got:

> sha1sum MDZ-16-AB.bootrom.bin
d3b9d047900186ad33b8db2fab1201b243c1aebe  MDZ-16-AB.bootrom.bin

> wc -c MDZ-16-AB.bootrom.bin
65536 MDZ-16-AB.bootrom.bin

> strings -13 MDZ-16-AB.bootrom.bin
auth failed, reboot...
9ac50ebe6991987
pepsi.amlogic.c
02/19/16_15:11:49
gcc version 4.8
9ac50ebe6991987
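
Two of the manual checks in this thread, reading how far the posted boot log got and validating the dump with wc/sha1sum/strings, can be automated. The block below is an added Python example, not code from amlogic-usbdl or from anyone in this thread; the sample log lines are copied from the boot log above, the stage markers and the cross-check of the BL1 line's 9ac50e id against the 9ac50ebe6991987 string found in the dump are my assumptions about the formats, and check_bootrom_dump takes whatever binary you converted the UART text into.

```python
import hashlib
import re
# Constructed sample: a few lines copied from the MDZ-16-AB boot log in this thread.
SAMPLE_LOG = """GXL:BL1:9ac50e:a1974b;FEAT:BDFD71BC;POC:3;RCY:0;EMMC:0;READ:0;0.0;CHK:0;
BL2 Built : 13:27:37, Oct 25 2017. gxl g56b77aa - xiaobo.gu@droid12
NOTICE:  BL3-1: v1.0(release):7c45a4f
INFO:    BL3-2: ATOS-V2.4-67-g26d2f32 #1 Tue Jan 23 10:10:32 UTC 2018 arm
U-Boot 2015.01-g0a1e56b (Jun 21 2018 - 13:51:11), Build: jenkins-once_cts-2167
vpu: error: vpu: check dts: FDT_ERR_BADMAGIC, load default parameters
emmc/sd response timeout, cmd8, status=0x3ff2800
"""
# Assumed stage markers, in boot order; the BL1 line carries a short build id.
STAGE_MARKERS = [
    ("BL1", re.compile(r"^GXL:BL1:([0-9a-f]+):")),
    ("BL2", re.compile(r"^BL2 Built")),
    ("BL31", re.compile(r"^NOTICE:\s+BL3-1:")),
    ("BL32", re.compile(r"^INFO:\s+BL3-2:")),
    ("U-Boot", re.compile(r"^U-Boot \d")),
]
ERROR_PATTERN = re.compile(r"error|timeout|failed", re.IGNORECASE)

def parse_boot_log(text):
    """Return which stages were reached, the BL1 build id, and the error lines."""
    result = {"stages": [], "bl1_id": None, "errors": []}
    for line in text.splitlines():
        for name, pat in STAGE_MARKERS:
            m = pat.match(line)
            if m and name not in result["stages"]:
                result["stages"].append(name)
                if name == "BL1":
                    result["bl1_id"] = m.group(1)
        if ERROR_PATTERN.search(line):
            result["errors"].append(line)
    return result

def printable_strings(data, min_len=13):
    """Same idea as `strings -13`: runs of printable ASCII at least min_len long."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def check_bootrom_dump(data, bl1_id, expected_size=0x10000, expected_sha1=None):
    """Cross-check a dump: size, optional SHA-1, and a build id matching the boot log."""
    problems = []
    if len(data) != expected_size:
        problems.append("size %d != %d" % (len(data), expected_size))
    if expected_sha1 and hashlib.sha1(data).hexdigest() != expected_sha1:
        problems.append("sha1 mismatch")
    if not any(s.startswith(bl1_id) for s in printable_strings(data)):
        problems.append("no build id string starting with " + bl1_id)
    return problems
```

For the real file, call check_bootrom_dump(open("MDZ-16-AB.bootrom.bin", "rb").read(), "9ac50e", expected_sha1="d3b9d047900186ad33b8db2fab1201b243c1aebe") with the values posted above; an empty list means every check passed.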

@PinkyAcorn

I uploaded my BootROM dump there.

@zhenchao

I found a website that provides a password.bin, and it seems to work on all Xiaomi Amlogic chip devices; I tested that it works on MDZ-19-AA:
https://androidpctv.com/tutorial-xiaomi-mi-box-restore-unbrick/
