Automatic poweroff or reboot after flashing

[vog]

I'd like to improve the final step after flashing, and to continue what has apparently been prepared, but disabled, in the source. Namely, to support:

• Poweroff after flashing
• Reboot into bootloader after flashing (This is what I'm mostly interested in!)
• Reboot into OS after flashing

@munjeni Would you mind to quickly share your knowledge about this? For example:

• Do you have any idea why the current poweroff code, if enabled, doesn't have any effect on the device? (At least the device doesn't complain about the command itself.)
• Are you aware of any reboot commands? I tried variants like reboot, reboot:bootloader, etc., but always get an error message via USB that the command doesn't exist.
• Slightly related: Regarding bootloader / fastboot, are you aware of an OEM command the switches into flashmode? (See also my question on XDA)

[munjeni]

It not going to work on some devices, thats why I disabled it. After command sync there is no response on some devices. And there is also no reboot code, at least it not exist on flashtool https://github.com/Androxyde/Flashtool/blob/master/src/flashsystem/CommandFlasher.java

Regarding your question on xda command is fastboot reboot, fastboot reboot recovery, fastboot reboot bootloader.

[vog]

Sorry for the confusion, but my last question was about entering the flashmode (green), not about leaving it.

None of the fastboot reboot ... commands enter the flashmode (green). The reboot only into bootloader (blue), recovery or OS. That's why I was wondering if there is any Sony-specific fastboot oem ... command for that.

[munjeni]

You mean fastboot mode (green)? I realy don't know. I'm used frequently only 3 reboot command above.

[munjeni]

I'm unsure but trim area I think contain "reboot reason" unit, for example factory reset, normal boot,,,etc, for example to restart in diferent mode you must write reboot reason first and than call reboot, just guesing. Try research more there!

[vog]

Do you have any documentation and/or pointers for me? Or, is trial & error the only viable strategy here?

[munjeni]

See for example boot log from my xperia z1 compact (log retrieved from trim area unit 0802):

`[140] USB init ept @ 0x7c848000 [160] TA config read from GPT: 0x10 blocks of size 0x20000 @ 0x20000 S1 BOOT (1270-3115 S1_Boot_MSM8974_Rhine1.2_LA1.04_19)

[190] soc_ver: 0x20002, pmic_ver: 3.1 [200] die_id: 0x575c830, oem_product_id: 0x4, otp_lock: 0x155 PBA ID: 1273-2775 (3) Startup flags: [ONKEY PRESSED]Warmboot reason: [COLDBOOT][WARNING IN FAC 0x15 CODE 0x3 @ S1/boot/src/s1boot_lib_api.c:794]: Controlled rooting handling failed!`

"Startup flags" I'm believing is inside trim area (can't tell you if that is true since I never researched about something like that), or maybe inside GPT. If above cases is true newflasher implementation would be in two steps:

1. write "startup flag" to the trim area | GPT
2. send command reboot

Bootoader on next boot will look for startup reason and boot device into mode referenced by startup reason. Text above is just quesing! You will need to research more, I don't have documentation and probably you will not find any documentation, and I don't have free time for researching, I'm bussy with something diferent and with my daily life and job so can't help you much. Search xda forum or google for getting idea. Newflasher is done without any documentation, I didn't owned device when I made newflasher, peoples from xda tested newflasher during my coding, newflasher is hardcoded by my look to usb sniff log during flashing, so no documentaion for any of my work, its just done spontaneously.

[vog]

@munjeni Thanks for sharing your experience!

I think this is a lot more involved and risky to test than I initially thought, especially if one needs to modify the TA and not just the GPT. Unfortunately, this requires more time than I have, too.

So let's keep this issue documented as a feature that would be nice to have, but whose benefit perhaps doesn't outweigh the implementation effort, at least for now.

[munjeni]

Hi, I'm believing thing which you are looking for (startup flag) is probably inside unit 0x10471 (66673) https://github.com/newflasher/newflasher/blob/master/newflasher.c#L2087

[vog]

Good catch! That sounds plausible.

Alas, I have no idea how to fetch or set that unit, or how to observe it, on my Xperia XA2. Please note that the "dump trim area" function doesn't seem to work properly here: It took "forever", so I had to cancel it. I always used newflasher without that optional step.

[munjeni]

Yes I know, thats because newflasher loop trought two trim area partitions from range 0 to 0x80000, problem is USB_TIMEOUT which need to be propertly set, or if there is better idea it would be welcome! So looping trought trim area is equal to 2 0x80000 USB_TIMEOUT which seems consume a lot of time. Writing to trim area is very dangerous, writing something wrong cause hard brick, so be carefull with it! Rerading trim area is limited, bootloader allow only specific range to be read, protected units like drm key e.g. from range 0x10000 is protected from read, so we will need to revisit which range can be read and change fixed value 0x80000 to that range, and whole async read - write function need to be modified e.g. replace USB_TIMEOUT to an reasonable value and also implement an function which will catch "unit not exist" which will reduce timeout wait time in case unit not exist or can't be read.

[munjeni]

Can you upload tadump.log to the www.pastebin.com ?

[vog]

I'll rerun the dump on the device tonight.

[vog]

The tool ran for 30 minutes, then failed with a Segmentation fault. The tadump.log was not fully written because of that, most likely this could have been fixed by disabling output buffering.

I was unable to upload tadump.log to pastebin due to their 512 KiB limit (the log is larger: 3.4 MiB). Instead I zipped the log and attached it to this ticket:

• tadump.zip

The tool also created 01.t (162694 bytes) and 02.t (8192 bytes).

$ time newflasher
--------------------------------------------------------
            newflasher v18 by Munjeni @ 2017/2019           
--------------------------------------------------------

Determining available free space:

[...]

Optional step! Type 'y' and press ENTER if you want dump trim area, or type 'n' 
Do in mind this doesn't dump drm key since sake authentifiction is need for that
y
 - Writing log to tadump.log
 - Writing trim area dump to 01.t
.
............................................................
............................................................
....................................... - Writing trim area dump to 02.t
.
Segmentation fault

real    30m4.896s
user    0m2.892s
sys     0m10.060s

[munjeni]

01.ta and 02.ta is trim area partitions dump, there is two partitions. Based on https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject and https://vovkos.github.io/doxyrest/samples/libusb-sphinxdoc/group_libusb_asyncio.html I see now timeout need to be in milisecconds but I thinked it was in microsecconds so I have wrongly defined USB_TIMEOUT on line https://github.com/newflasher/newflasher/blob/master/newflasher.c#L337 , hope this commit https://github.com/newflasher/newflasher/commit/3328b0a006384bf0e6982798ff402e0357b6128f fix isue? Probably now newflasher will process trough usb much faster.

Edit: I'm reverted commit, its not working, cause this isue https://github.com/newflasher/newflasher/issues/24

[munjeni]

Looping trought 160000 (reading 2 partitions trought loop in range 0 to 80000) consume 30 minutes? 1600 secconds / 160000 = each loop of ~11ms , that mean there is no timeouts on bulk transfer and I think 30 minutes is expected and ok. But why newflasher crash at end I have no idea right now.

[munjeni]

Powerdown command confirmed working perfectly https://forum.xda-developers.com/showpost.php?p=82980715&postcount=1173 . I'm believing we can achieve diferent boot-reboot command via trim are unit 0x8FD, more info:

define TA_BOOT_CONFIG 2301 //0x8FD in hex

/ TA_BOOT_CONFIG partition ids /

define REBOOT_MODE_MARM_PARTID_MODEM 0x00000005

define REBOOT_MODE_AARM_PARTID_APPS 0x00000003

define REBOOT_MODE_ADSP_PARTID_ADSP 0x00000008

define BOOTCFG_MAGIC0 0xac

define BOOTCFG_MAGIC1 0xbd

define BOOTCFG_STARTUPREASON 0x81

define BOOTCFG_PARTITION_OVERRIDE 0x82

/ ta_boot_config structure / typedef struct _ta_boot_config_t { unsigned long startup_reason; unsigned long marm_partition_id; unsigned long aarm_partition_id; unsigned long adsp_partition_id; } ta_boot_config_t;

ifdef MISCTA_BOOTCONF_V0

int miscta_read_ta_boot_config(ta_boot_config_t data); int miscta_write_ta_boot_config(const ta_boot_config_t data);

endif

int miscta_read_ta_startupreason(unsigned int *reason); int miscta_write_ta_startupreason(unsigned int reason);

[munjeni]

Hi, I'm fixed our issue with https://github.com/newflasher/newflasher/commit/bf73f4e5425096cfd1208aa16bfc8708b4c049e6 , now all reboot mode is available.

[munjeni]

Seems some devices fail to respond on Sync command, anybody have idea what might be wrong there? I'm reopening issue again.

[munjeni]

Its working now.