[U-Boot] Use u-boot to recover bricked NVIDIA SHIELD TV.

I am curious if there is a possibility to recover a wrongly flashed NVIDIA SHIELD TV device by flashing u-boot instead of cboot and mounting the emmc in uboot to do some repairs. If I lose keys for Widevine I won't care; I just would like to know if this or any remedy is possible when stuck in APX mode after a wrongly flashed system. My device is past the warranty date so an RMA is not an option. Even if I could possibly flash linux4tegra it would still be better than having a bricked device stuck in an unusable state. Any help is immensely appreciated.
Please help u-boot community and/or anyone at NVIDIA.
Tried APX flashing the same as I flash my Jetson TX1 devkit. Log below.
sudo ./tegraflash.py --bl cboot.bin --bct bct_e2530.cfg --odmdata 0x84000 --bldtb tegra210-foster-e-p2530-0930-e02-00.dtb --applet nvtboot_recovery.bin --cmd "flash;reboot" --cfg flash_t210_android_sdmmc.xml --chip 0x21
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

[ 0.0000 ] Generating RCM messages
[ 0.0017 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 --download rcm nvtboot_recovery.bin 0 0
[ 0.0033 ] RCM 0 is saved as rcm_0.rcm
[ 0.0043 ] RCM 1 is saved as rcm_1.rcm
[ 0.0043 ] List of rcm files are saved in rcm_list.xml
[ 0.0044 ]
[ 0.0044 ] Signing RCM messages
[ 0.0060 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.0076 ] Assuming zero filled SBK key
[ 0.0255 ]
[ 0.0256 ] Copying signature to RCM mesages
[ 0.0273 ] tegrarcm --chip 0x21 --updatesig rcm_list_signed.xml
[ 0.0299 ]
[ 0.0299 ] Parsing partition layout
[ 0.0317 ] tegraparser --pt flash_t210_android_sdmmc.xml
[ 0.0341 ]
[ 0.0341 ] Creating list of images to be signed
[ 0.0358 ] tegrahost --chip 0x21 --partitionlayout flash_t210_android_sdmmc.bin --list images_list.xml
[ 0.0444 ]
[ 0.0445 ] Generating signatures
[ 0.0460 ] tegrasign --key None --list images_list.xml --pubkeyhash pub_key.key
[ 0.0477 ] Assuming zero filled SBK key
[ 0.4273 ]
[ 0.4291 ] tegrabct --bct bct_e2530.cfg --chip 0x21
[ 0.4308 ] Copying Sdram info from 0 to 1 set
[ 0.4339 ] Copying Sdram info from 1 to 2 set
[ 0.4339 ] Copying Sdram info from 2 to 3 set
[ 0.4339 ]
[ 0.4340 ] Updating boot device parameters
[ 0.4356 ] tegrabct --bct bct_e2530.bct --chip 0x21 --updatedevparam flash_t210_android_sdmmc.bin
[ 0.4371 ] Warning: No sdram params
[ 0.4374 ]
[ 0.4374 ] Updating bl info
[ 0.4391 ] tegrabct --bct bct_e2530.bct --chip 0x21 --updateblinfo flash_t210_android_sdmmc.bin --updatesig images_list_signed.xml
[ 0.4418 ]
[ 0.4419 ] Updating secondary storage information into bct
[ 0.4435 ] tegraparser --pt flash_t210_android_sdmmc.bin --chip 0x21 --updatecustinfo bct_e2530.bct
[ 0.4453 ]
[ 0.4454 ] Updating Odmdata
[ 0.4469 ] tegrabct --bct bct_e2530.bct --chip 0x21 --updatefields Odmdata = 0x84000
[ 0.4484 ] Warning: No sdram params
[ 0.4486 ]
[ 0.4487 ] Get Signed section bct
[ 0.4502 ] tegrabct --bct bct_e2530.bct --chip 0x21 --listbct bct_list.xml
[ 0.4520 ]
[ 0.4520 ] Signing BCT
[ 0.4536 ] tegrasign --key None --list bct_list.xml --pubkeyhash pub_key.key
[ 0.4551 ] Assuming zero filled SBK key
[ 0.4563 ]
[ 0.4563 ] Updating BCT with signature
[ 0.4578 ] tegrabct --bct bct_e2530.bct --chip 0x21 --updatesig bct_list_signed.xml
[ 0.4597 ]
[ 0.4598 ] Copying signatures
[ 0.4613 ] tegrahost --chip 0x21 --partitionlayout flash_t210_android_sdmmc.bin --updatesig images_list_signed.xml
[ 0.4628 ] Run tegrabct to update tboot signature in bct
[ 0.4639 ] Run tegrabct to update tboot signature in bct
[ 0.4811 ]
[ 0.4811 ] Updating BFS information
[ 0.4829 ] tegrabct --bct bct_e2530.bct --chip 0x21 --updatebfsinfo flash_t210_android_sdmmc.bin
[ 0.4848 ]
[ 0.4849 ] Boot Rom communication
[ 0.4864 ] tegrarcm --chip 0x21 --rcm rcm_list_signed.xml
[ 0.4880 ] BR_CID: 0x621010015c6561861800000010fd8140
[ 0.4890 ] RCM version 0X13
[ 0.4890 ] Boot Rom communication failed
[ 0.4890 ] Error: Return value 3
Command tegrarcm --chip 0x21 --rcm rcm_list_signed.xml

Would these commands work in production mode even though the bootloader was previously unlocked? (Assuming all TX1 chip IDs are 0x21)
tegrarcm --download ebt cboot.bin 0 0
or
sudo ./tegraflash.py --bl ./t210ref/cboot.bin --applet nvtboot_recovery.bin --chip 0x21 --cmd "write USP blob"
On Sun, Jun 18, 2017 at 6:46 PM, Matthew Gorski matt.gorski@gmail.com wrote:
> I am curious if there is a possibility to recover a wrongly flashed NVIDIA SHIELD TV device by flashing u-boot instead of cboot and mounting the emmc in uboot to do some repairs. If I lose keys for Widevine I won't care; I just would like to know if this or any remedy is possible when stuck in APX mode after a wrongly flashed system. My device is past the warranty date so an RMA is not an option. Even if I could possibly flash linux4tegra it would still be better than having a bricked device stuck in an unusable state. Any help is immensely appreciated.
> Please help u-boot community and/or anyone at NVIDIA.
> Tried APX flashing the same as I flash my Jetson TX1 devkit. Log below.

Hi Matthew,
On 18 June 2017 at 16:46, Matthew Gorski matt.gorski@gmail.com wrote:
> I am curious if there is a possibility to recover a wrongly flashed NVIDIA SHIELD TV device by flashing u-boot instead of cboot and mounting the emmc in uboot to do some repairs. If I lose keys for Widevine I won't care; I just would like to know if this or any remedy is possible when stuck in APX mode after a wrongly flashed system. My device is past the warranty date so an RMA is not an option. Even if I could possibly flash linux4tegra it would still be better than having a bricked device stuck in an unusable state. Any help is immensely appreciated.

I don't know but am interested also. I think I asked once and was told that you have to solder things to the shield or add a separate board to get access to UART and I lost interest at that point. I need to practice my soldering.
- Simon [snip]

On 06/18/2017 04:46 PM, Matthew Gorski wrote:
> I am curious if there is a possibility to recover a wrongly flashed NVIDIA SHIELD TV device by flashing u-boot instead of cboot and mounting the emmc in uboot to do some repairs.

The NVIDIA SHIELD TV is a production Android device, and hence I'm pretty sure it has boot security enabled. This security also applies to the USB recovery mode protocol, so I don't believe you'll be able to communicate with the device unless you know the system's keys, which I assume you don't.
There is some support for flashing generic upstream Linux onto the NVIDIA SHIELD tablet, but I believe that relies on making (at least some of) the modifications from a running system, so if your system isn't booting, I don't expect this will work either. Just in case it's useful, see:

For reference, that last link is for the shield portable, not the tablet. But yes, it requires a working bootloader of some form, not really helpful here. I've always just stuck with the default fastboot, never been brave enough to try to get u-boot working due to an almost certain perma-brick chance. We've never got mainline Linux booting on the tablet due to lack of a proper dtb. There was a very basic one made by gnurou for like 3.17, but a change to the framebuffer stack nullified that and I haven't been able to rebuild a proper one for the new format.
On Jun 19, 2017 10:53, "Stephen Warren" swarren@wwwdotorg.org wrote:
> On 06/18/2017 04:46 PM, Matthew Gorski wrote:
>> I am curious if there is a possibility to recover a wrongly flashed NVIDIA SHIELD TV device by flashing u-boot instead of cboot and mounting the emmc in uboot to do some repairs.
>
> The NVIDIA SHIELD TV is a production Android device, and hence I'm pretty sure it has boot security enabled. This security also applies to the USB recovery mode protocol, so I don't believe you'll be able to communicate with the device unless you know the system's keys, which I assume you don't.
> There is some support for flashing generic upstream Linux onto the NVIDIA SHIELD tablet, but I believe that relies on making (at least some of) the modifications from a running system, so if your system isn't booting, I don't expect this will work either. Just in case it's useful, see:

On Mon, Jun 19, 2017 at 11:53 AM, Stephen Warren swarren@wwwdotorg.org wrote:
> On 06/18/2017 04:46 PM, Matthew Gorski wrote:
>> I am curious if there is a possibility to recover a wrongly flashed NVIDIA SHIELD TV device by flashing u-boot instead of cboot and mounting the emmc in uboot to do some repairs.
>
> The NVIDIA SHIELD TV is a production Android device, and hence I'm pretty sure it has boot security enabled. This security also applies to the USB recovery mode protocol, so I don't believe you'll be able to communicate with the device unless you know the system's keys, which I assume you don't.
> There is some support for flashing generic upstream Linux onto the NVIDIA SHIELD tablet, but I believe that relies on making (at least some of) the modifications from a running system, so if your system isn't booting, I don't expect this will work either. Just in case it's useful, see:

Thanks for chiming in Simon and Stephen. I appreciate you both taking the time out of your busy day to answer. I figured the boot security was preventing communication to the USB recovery mode protocol. I tried tegrarcm just to see if I could read the bct and no go. Seems this happens quite a bit and there is no way to recover and NVIDIA will not do any repairs after the warranty expiration date. Would have been nice if fastboot could have recognized I used the wrong package :/ Maybe a crc check to see if the system images match up to the correct device.
Is there any way to determine what mode I am currently in with tegrarcm (assuming I can even get communication)?
Operating Mode: 0x3 (developer mode)
Simon, the soldering solution sounds interesting. If someone can elaborate on that just for reference that would be great. I've always wanted UART on foster. Thanks again guys for your input. I'll try a few tricks just to see what happens and report back.
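
The kind of package-versus-device check wished for in the message above, as an added example that is not part of the original thread or of fastboot's code. It assumes a manifest of `require name=value|value` lines in the style of android-info.txt and device variables as `fastboot getvar` would report them; `parse_requirements`, `mismatches`, `safe_to_flash` and all sample values are constructed for illustration.

```python
# Constructed sample manifest: 'require name=value|value' lines in the style
# of android-info.txt. The bootloader version strings are made up.
SAMPLE_MANIFEST = """\
# package built for the board the thread calls foster
require board=foster
require version-bootloader=BL-1.0|BL-1.1
"""


def parse_requirements(text):
    """Return [(variable, allowed_values)] from 'require' lines; fail closed."""
    reqs = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        name, eq, values = rest.partition("=")
        allowed = frozenset(v.strip() for v in values.split("|") if v.strip())
        if keyword != "require" or not eq or not name.strip() or not allowed:
            # An unknown or malformed line must stop the flash, not be skipped.
            raise ValueError(f"line {number}: cannot interpret {raw!r}")
        name = name.strip()
        # fastboot reports the board name in its 'product' variable.
        reqs.append(("product" if name == "board" else name, allowed))
    return reqs


def mismatches(reqs, device_vars):
    """Compare requirements with device variables; empty list means match."""
    problems = []
    for name, allowed in reqs:
        actual = device_vars.get(name)
        if actual is None:
            problems.append(f"{name}: device reported no value")
        elif actual not in allowed:
            problems.append(f"{name}: device has {actual!r}, "
                            f"package requires {'|'.join(sorted(allowed))}")
    return problems


def safe_to_flash(manifest_text, device_vars):
    """True only when every requirement in the manifest is met."""
    return not mismatches(parse_requirements(manifest_text), device_vars)


if __name__ == "__main__":
    right = {"product": "foster", "version-bootloader": "BL-1.1"}
    wrong = {"product": "other-board", "version-bootloader": "BL-1.1"}
    for device in (right, wrong):      # constructed `fastboot getvar` values
        reqs = parse_requirements(SAMPLE_MANIFEST)
        print(device["product"], mismatches(reqs, device) or "OK to flash")
```

A device that reports no value for a required variable is treated as a mismatch, so the check refuses to flash when it cannot tell.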

On Mon, Jun 19, 2017 at 12:22 PM, Matthew Gorski matt.gorski@gmail.com wrote:
> On Mon, Jun 19, 2017 at 11:53 AM, Stephen Warren swarren@wwwdotorg.org wrote:
>> On 06/18/2017 04:46 PM, Matthew Gorski wrote:
>>> I am curious if there is a possibility to recover a wrongly flashed NVIDIA SHIELD TV device by flashing u-boot instead of cboot and mounting the emmc in uboot to do some repairs.
>>
>> The NVIDIA SHIELD TV is a production Android device, and hence I'm pretty sure it has boot security enabled. This security also applies to the USB recovery mode protocol, so I don't believe you'll be able to communicate with the device unless you know the system's keys, which I assume you don't.
>> There is some support for flashing generic upstream Linux onto the NVIDIA SHIELD tablet, but I believe that relies on making (at least some of) the modifications from a running system, so if your system isn't booting, I don't expect this will work either. Just in case it's useful, see:
>
> Thanks for chiming in Simon and Stephen. I appreciate you both taking the time out of your busy day to answer. I figured the boot security was preventing communication to the USB recovery mode protocol. I tried tegrarcm just to see if I could read the bct and no go. Seems this happens quite a bit and there is no way to recover and NVIDIA will not do any repairs after the warranty expiration date. Would have been nice if fastboot could have recognized I used the wrong package :/ Maybe a crc check to see if the system images match up to the correct device.
> Is there any way to determine what mode I am currently in with tegrarcm (assuming I can even get communication)?
> Operating Mode: 0x3 (developer mode)
> Simon, the soldering solution sounds interesting. If someone can elaborate on that just for reference that would be great. I've always wanted UART on foster. Thanks again guys for your input. I'll try a few tricks just to see what happens and report back.

Okay definitely locked down, no communication with APX USB recovery device in production mode. Error: Return value 3 = No communication with USB device (even if APX is recognized in linux):

tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
Assuming zero filled SBK key

[1467528.418181] usb 2-1.3: Product: APX
[1467528.418185] usb 2-1.3: Manufacturer: NVIDIA Corp.

sudo ./tegraflash.py --bl cboot.bin --applet nvtboot_recovery.bin --chip 0x21 --cmd "write USP blob"
Welcome to Tegra Flash
version 1.0.0
Type ? or help for help and q or quit to exit
Use ! to execute system commands

[ 0.0655 ] Generating RCM messages
[ 0.0803 ] tegrarcm --listrcm rcm_list.xml --chip 0x21 --download rcm nvtboot_recovery.bin 0 0
[ 0.0819 ] RCM 0 is saved as rcm_0.rcm
[ 0.0951 ] RCM 1 is saved as rcm_1.rcm
[ 0.0952 ] List of rcm files are saved in rcm_list.xml
[ 0.0952 ]
[ 0.0952 ] Signing RCM messages
[ 0.1080 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key
[ 0.1097 ] Assuming zero filled SBK key
[ 0.1301 ]
[ 0.1302 ] Copying signature to RCM mesages
[ 0.1318 ] tegrarcm --chip 0x21 --updatesig rcm_list_signed.xml
[ 0.1484 ]
[ 0.1484 ] Boot Rom communication
[ 0.1500 ] tegrarcm --chip 0x21 --rcm rcm_list_signed.xml
[ 0.1515 ] BR_CID: 0x621010015c6561861800000010fd8140
[ 0.1526 ] RCM version 0X13
[ 0.1526 ] Boot Rom communication failed
[ 0.1526 ] Error: Return value 3
Command tegrarcm --chip 0x21 --rcm rcm_list_signed.xml
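
A way to read the failing log above field by field, as an added example that is not part of the original thread or of NVIDIA's tools. It splits the flattened tegraflash output into entries and reports the signing mode, the BR_CID, the RCM version and the failing command; the function names and the final interpretation flag are assumptions of this example.

```python
import re

# Tail of the tegraflash log quoted in the message above, kept in the
# flattened one-line form in which the list archive shows it.
SAMPLE_LOG = (
    "[ 0.1080 ] tegrasign --key None --list rcm_list.xml --pubkeyhash pub_key.key "
    "[ 0.1097 ] Assuming zero filled SBK key [ 0.1301 ] "
    "[ 0.1302 ] Copying signature to RCM mesages "
    "[ 0.1318 ] tegrarcm --chip 0x21 --updatesig rcm_list_signed.xml [ 0.1484 ] "
    "[ 0.1484 ] Boot Rom communication "
    "[ 0.1500 ] tegrarcm --chip 0x21 --rcm rcm_list_signed.xml "
    "[ 0.1515 ] BR_CID: 0x621010015c6561861800000010fd8140 "
    "[ 0.1526 ] RCM version 0X13 [ 0.1526 ] Boot Rom communication failed "
    "[ 0.1526 ] Error: Return value 3 "
    "Command tegrarcm --chip 0x21 --rcm rcm_list_signed.xml"
)

# One entry = "[ <seconds> ]" plus everything up to the next timestamp.
ENTRY = re.compile(r"\[\s*(\d+\.\d+)\s*\]\s*(.*?)(?=\s*\[\s*\d+\.\d+\s*\]|\Z)", re.S)


def split_entries(log):
    """Split a flattened or multi-line log into (timestamp, message) pairs."""
    return [(float(ts), " ".join(msg.split()))
            for ts, msg in ENTRY.findall(log) if msg.strip()]


def triage(log):
    """Summarise how far the host got before the tool gave up."""
    r = {"zero_sbk": False, "br_cid": None, "rcm_version": None,
         "failed_stage": None, "return_value": None, "failed_command": None}
    for _, msg in split_entries(log):
        if msg == "Assuming zero filled SBK key":
            r["zero_sbk"] = True          # host signed without a device key
        elif m := re.fullmatch(r"BR_CID: (0x[0-9a-fA-F]+)", msg):
            r["br_cid"] = m.group(1)      # a value was read back over USB
        elif m := re.fullmatch(r"RCM version (\S+)", msg):
            r["rcm_version"] = m.group(1)
        elif msg.endswith("communication failed"):
            r["failed_stage"] = msg
        elif m := re.fullmatch(r"Error: Return value (\d+) Command (.+)", msg):
            r["return_value"], r["failed_command"] = int(m.group(1)), m.group(2)
    # Interpretation (assumption of this example, following the thread): the
    # device answered the ID query, then the zero-key-signed messages failed.
    r["rejected_after_zero_key_signing"] = bool(
        r["zero_sbk"] and r["br_cid"] and r["failed_stage"])
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:32} {value}")
```

On this log the summary shows a BR_CID was read before the failure, so the host did exchange data with the device, which fits the explanation given earlier in the thread that the recovery protocol itself is protected.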

On Mon, Jun 19, 2017 at 11:53 AM, Stephen Warren swarren@wwwdotorg.org wrote:
> On 06/18/2017 04:46 PM, Matthew Gorski wrote:
>> I am curious if there is a possibility to recover a wrongly flashed NVIDIA SHIELD TV device by flashing u-boot instead of cboot and mounting the emmc in uboot to do some repairs.
>
> The NVIDIA SHIELD TV is a production Android device, and hence I'm pretty sure it has boot security enabled. This security also applies to the USB recovery mode protocol, so I don't believe you'll be able to communicate with the device unless you know the system's keys, which I assume you don't.
> There is some support for flashing generic upstream Linux onto the NVIDIA SHIELD tablet, but I believe that relies on making (at least some of) the modifications from a running system, so if your system isn't booting, I don't expect this will work either. Just in case it's useful, see:

Here is a thought: I would gladly give anyone that has access to the needed device keys access to my build system, and they could shell in and wget the private key to flash and then delete (my last-ditch effort at a Hail Mary recovery).
participants (4)
- Aaron Kling
- Matthew Gorski
- Simon Glass
- Stephen Warren