Bl301 injection, problems, help

I could start it! Funny thing: it started loading the old installation of CE that remains in the NAND. It disregarded the SDcard content.

So I understand that it used the bootloader from the sdcard then loaded directly into the main partition of the NAND, right?

Anyway, just rebooted the device and now I can’t start it again :rofl:
If I can start it again and it loads CE, is there any method that I can use from SSH to recover it definitely?

Yes it is. You can disable bl301 in ce settings. Then the original bootloader is restored.

Hi Portisch, it worked! Restored the bootloader from the backup through the CE menu and now it boots again without the short.

Now, the question is: is there any way to make bl301 work on this one? Was this caused because I f***ed it up with the last command? or do I have to totally forget about bl301 for this device?

Many thanks for your support!

Just FTR, maybe it can help somebody else: these are the pins that worked for me for the (fake) Tanix TX3 S905x3:

It is a little bit tricky to get it to boot with this method. Rather than shorting the pins and then turning the power on, what worked for me was turning the power on and shorting them just 1 or 2 seconds afterwards, for just the shortest time possible. Then it booted.

Good that your device is back to life!

FYI: In addition to shorting the pins, u need the uSD prepared by burncardmaker in the slot. Then the bootloader on the uSD is started.

It’s hard to solve the issue when I don’t own the hardware. Also I think the u-boot source is not available for this device. Or is there any SDK out there for this TX3 S905X3?
Maybe they have changed something from the standard Amlogic software/hardware, which we would need to find out.

Do you have a UART adapter? There should be a 4-pin header on the PCB that has gnd, 3v3, tx and rx pins. So if you are able to make a UART log, inject bl301 again and then make a log to maybe see why it gets stuck on boot.

@Portisch apparently I managed to brick a TX3 16/2 that I bought from Aliexpress.
CoreELEC booted fine, then I tried to inject bl301, which succeeded:

CoreELEC-Sala:~ # inject_bl301
Starting bootloader blob BL301 injection tool...

This tool can be used to update the bootloader
blob BL301 of the vendor bootloader on the internal
eMMC. This bootloader blob BL301 is customized by
Team CoreELEC to support all wake-up features like
CEC, Wake-On-LAN, IR, and GPIO wake-up from
suspend or power off state!

Device serial number: 2b0b0100011d10000006333150525250
Using CPU type SM1 (2b): S905X3, S905D3
Using binary type because of CoreELEC DT-ID: Generic
Using /dev/bootloader as bootloader partition

Did not find Amlogic image v2 header magic!
Found a valid Amlogic v3 ToC header (0x10210)
Amlogic magic:                  AA640001
Serial Number:                  12345678
Flags:                          0

TOC ENTRY #0
UUID:                           9766FD3D89BEE849AE5D78A140608213
Offset Address:                 0x68000 (absolute: 0x78210)
Size:                           0xFD70
Flags:                          0x0
Found BL30 blob image at:       0x00078210
Amlogic magic:                  @AML
Old signature bl30:             C8F04691B675B6A870705D801E9FD54D80A20A1A4B278BC18C2546FDF98F538C
Using bl301 blob:               Generic_2b_bl301.bin
Use config.ini value:           remotewakeup = 0xbf40fe01
Use config.ini value:           decode_type = 0x00
Use config.ini value:           remotewakeupmask = 0xffffffff
New signature bl30:             46D63B3A8248E011C1BFA0E730C11AE052F36B68060D9F163D5CEF3BF43C7F6B
BL301.bin needs to be updated on eMMC

Please confirm to write the bootloader blob BL301 to
the internal eMMC! Please ensure to update first the device
to the last vendor firmware! And remember if the vendor
firmware get updated you have to do this step again as the
bootloader blob will be overwritten!

Continue? [y/n] y
Make backup of vendor bootloader to: /flash/2b0b0100011d10000006333150525250_bl301.bin

Finished update of BL3* blobs on internal eMMC!
Please reboot device now and enjoy the new CoreELEC wake-up features!

CoreELEC-Sala:~ # reboot
CoreELEC-Sala:~ #

But then U-Boot crashes, check this log:

Any clue?
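Added example, not part of the original posts and not CoreELEC's tool code: a read-only parser that lists the ToC entries of a bootloader dump offline, so the blob offsets the tool prints can be checked on a backup copy before anything is written to eMMC. The magic, serial number, UUID and offsets are the ones shown in the output above; the little-endian layout (following the ARM Trusted Firmware FIP ToC structure), the all-zero terminating entry, and the names `parse_toc` and `build_sample` are assumptions, and the sample dump is constructed.

```python
import hashlib
import struct

# Constants as printed by inject_bl301 above; the struct layouts are assumed.
TOC_MAGIC, TOC_SERIAL = 0xAA640001, 0x12345678
HDR = struct.Struct("<IIQ")        # magic, serial number, flags
ENTRY = struct.Struct("<16sQQQ")   # UUID, offset address, size, flags


def parse_toc(image, max_entries=32):
    """Locate the ToC header in a bootloader dump and list its entries."""
    toc = image.find(struct.pack("<II", TOC_MAGIC, TOC_SERIAL))
    if toc < 0:
        raise ValueError("no ToC header magic found")
    entries, pos = [], toc + HDR.size
    for _ in range(max_entries):
        if pos + ENTRY.size > len(image):
            raise ValueError("ToC runs past the end of the dump")
        raw_uuid, offset, size, flags = ENTRY.unpack_from(image, pos)
        if raw_uuid == bytes(16):          # all-zero UUID ends the table (assumed)
            break
        absolute = toc + offset            # 0x10210 + 0x68000 = 0x78210 above
        if absolute + size > len(image):
            raise ValueError(f"entry #{len(entries)} points outside the dump")
        blob = image[absolute:absolute + size]
        entries.append({
            "uuid": raw_uuid.hex().upper(), "absolute": absolute, "size": size,
            "flags": flags, "magic": blob[:4],
            # Local fingerprint for comparing dumps, not the tool's "signature".
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
        pos += ENTRY.size
    return toc, entries


def build_sample():
    """Constructed dump that reuses the offsets from the output above."""
    img = bytearray(0x90000)
    HDR.pack_into(img, 0x10210, TOC_MAGIC, TOC_SERIAL, 0)
    ENTRY.pack_into(img, 0x10210 + HDR.size,
                    bytes.fromhex("9766FD3D89BEE849AE5D78A140608213"),
                    0x68000, 0xFD70, 0)
    img[0x78210:0x78214] = b"@AML"
    return bytes(img)


if __name__ == "__main__":
    toc, entries = parse_toc(build_sample())
    print(f"ToC header at {toc:#x}")
    for e in entries:
        print(f"{e['uuid']} abs={e['absolute']:#x} size={e['size']:#x} {e['magic']}")
```

Running it on a copy of a dump taken before injection and on one taken after restoring the backup shows whether each entry's fingerprint matches again.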

First thank you for the good UART log!

It looks like something about your hardware is fake:

Load BL3X from eMMC, src: 0x00078200, des: 0x01768000, size: 0x000f8200, part: 0
0.0;M3 CHK:0;cm4_sp_mode 0
[Image: g12a_v1.1.3394-7d43064d5 2020-05-07 15:37:06 gongwei.chen@droid11-sz]

S905X3 is SM1, G12B. Not G12A!?

So it injects the wrong architecture.
So what is the fake? The SoC? The serial number?
Or do they use a wrong u-boot altogether!?
As there is no source available it’s not possible to say what is wrong.

When you have been able to restore your device I can give you some hints on how we can test whether it is a G12A.

In order to recover, I need to short the pin mentioned above, then it is enough to use a normal burnt Coreelec image? Or shall I flash some uboot in boot partition of SD?

Create a recovery uSD with burncardmaker. Insert it into the slot, short eMMC and power on. Keep the short till the recovery is started on screen.
After recovery u can run CE again from uSD with the toothpick method like u used before.

When the recovery is finished and u are able to boot ce again I can give you some commands to try injection again. DON’T USE just the injection, it will break booting again!

Also please post a UART log again when it is recovered and booting into CE.

Where can I find the recovery uSD?
Anyhow, the box boots CoreELEC with the s905x3 2g dtb, so I do not think the SoC is fake.
What does inject_bl301 check to understand which blob to flash?

The cpu serial shows SM1 0x2b:

But your bootloader uses G12A (0x28). This is not SM1. So your bootloader is not correctly configured. inject_bl301 injects the SM1 blob, but it should be the G12A one in your case.

Search the internet for how to recover your device using burncardmaker. When you're finished we can manually inject the G12A blob if you want.

Ok, @Meiden recovered it, but apparently via an image in the eMMC, even if I do not understand how it is possible

@Meiden I hit the same problem as you, can you tell me if you used a recovery firmware?

@Portisch Is it also possible to use USB Burning Tool for restoring?

Hello mate. I used a sdcard for this and followed the steps described here:

The firmware that I used is this one:

http://www.mediafire.com/file/jenswqit5vpvuvu/%25E4%25B8%25AD%25E6%2580%25A7BZ-TX3-20191130.img/file

I understand that you can burn the image directly using the Amlogic Burncard maker, but as I’m using Linux, the first option was more suitable for me.
Then, as I said, exactly as you are explaining, I am not even sure if the sdcard is being used, because in the two recoveries that I’ve made (and you are confirming to me that you had the same experience), even with the sdcard inserted the system booted into the eMMC and I could access the old CE installation untouched. Then I disabled Bl301 injection directly from the GUI (CoreELEC menu from the settings → Hardware). I don’t have an explanation for this behavior either.

Hope this helps. Please feel free to ask any other specific question that you may have.

PS: @Portisch funny thing about this crap box: I’ve discovered that IR wakeup and shutdown is working OOB, so no need to use Bl301 injection. I understand that this has already a modified u-boot for that purpose and the injection simply doesn’t work and it isn’t needed. LOL.

The how-to clearly said:

Some Amlogic devices do have problems with wake-up from suspend/power off by IR remote, CEC or WOL, this is related to a poorly configured bootloader.

This is the reason for the new tool that we have created, inject_bl301!

So if you don’t have any issue with the current configuration the vendor provides, just don’t use it!

@Menion

I took a look into my SM1 device and it also uses the ‘g12a’ blob:

Load FIP HDR from eMMC, src: 0x00010200, des: 0x01700000, size: 0x00004000, part: 0
Load BL3X from eMMC, src: 0x00078200, des: 0x01768000, size: 0x00110000, part: 0
bl2z: ptr: 05129330, size: 00001e40
0.0;M3 CHK:0;cm4_sp_mode 0
MVN_1=0x00000000
MVN_2=0x00000000
[Image: g12a_v1.1.3389-92241b5 2019-07-02 17:22:49 luan.yuan@droid15-sz]
OPS=0x10
ring efuse init
2b 0c 10 00 01 2d 16 00 00 01 33 30 43 57 50 50 
[1.009550 Inits done]
CoreELEC secure task start!
CoreELEC high task start!
CoreELEC low task start!
run into bl31
NOTICE:  BL31: v1.3(release):4fc40b1
NOTICE:  BL31: Built : 15:57:33, May 22 2019
NOTICE:  BL31: G12A normal boot!
NOTICE:  BL31: BL33 decompress pass

But your version is much newer: Image: g12a_v1.1.3394-7d43064d5 2020-05-07 15:37:06 gongwei.chen@droid11-sz

I need to look at what I can find, to see if something has changed.

@Portisch do you want the backup dump of original bl301?

Yes, please. When you have recovered your device just dump it like with

cd ~/backup
dd if=/dev/bootloader of=bootloader.bin
sync

Then share your ~/backup/bootloader.bin somewhere please.
Also a full UART log of the bootloader will help!

I need to get first all newest bootloader blobs to see if something changed about BL301 since 05.2020.

Hi Portisch, thanks for ur great work!
After running inject_bl301 on a “Magicsee N5” the box looped in boot with some error I remember from the UART like “chip_id wrong”. Unfortunately I forgot to save the log :frowning: Maybe I will brick my box again later :wink:
With “USB Burning Tool” I was able to get back to a running state where I could determine through “cat /proc/cpuinfo” that my chip seems to be:

Serial		: 210dc400cab3aa6b2f1467f5e0e76623
model name	: Amlogic S905L rev d
Hardware	: Amlogic
Revision	: 0400

The attachment is the expected bootloader.bin from dd command of the running box restored with latest factory-firmware: bootloader.bin (4 MB)

BTW do u know of a running aml-flash-tool for Mac, or will the Linux aml-flash-tool compile just fine and do the job under Mac?

A log would be helpful. Also, which dtb do you use for this device? Maybe there is something missing for S905L as I never had one.

I used the gxl_p212_2g dtb. Bricked it again :wink:

https://pastebin.com/vyjzj117

Desoldered the UART-Cable just recently :frowning:
What kind of log do u need?

My eMMC-Shorting-Solution:
https://pasteboard.co/JGPWMJk.jpg