tofurky / tegra30_debrick

fusee-gelee payload, supporting files, and guide for debricking Tegra 3 devices (2012 Nexus 7 and Ouya)

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

tegra30_debrick

Disclaimer

If you're here, there is a good chance that your Tegra 3 device is already bricked. But I am not responsible for any additional issues that may arise from the (mis)use of the code/information contained within this repository, nor can I provide support for it.

Thanks

@ktemkin / @Qyriad for their work on fusee-launcher, and @jevinskie for their Nexus 7 port of the same. Also special thanks to @ktemkin and @digetx for their help/guidance/wisdom, as I almost certainly wouldn't have succeeded in debricking my Nexus 7 without it. @pgwipeout's kernel work on Ouya allowed me to keep using mine (and retain interest in the device) over the years. Finally, Pyre on the OUYA Saviors Discord kindly shipped me a (working) Kickstarter Ouya so that I could figure out how to debrick it.

License

GNU General Public License v2.0. fusee-launcher is also released under that, so it seemed fitting.

Background

Last December I was gifted a bricked 2012 Nexus 7, but it did enumerate via APX mode, and I enjoy a challenge :)

Files

The following files are contained within this repo:

More detailed descriptions of the files can be found if you check their git history, for example nvflash_v1.13.87205_miniloader_patched's.

Other Methods

In the months it took me to finally put this repo together after working through this between February and March of 2020, an alternate method was posted to XDA Developers tailored to the Nexus 7.

The following are a couple guides based on this, the first link being the original:

It also uses @jevinskie's fusee-launcher fork, but to grab the SBK using their dump-sbk-via-usb.S payload.

The cavaet is that at least at the moment it appears to require another working device to generate the blobs.

That method is not covered here, but is probably worth trying if the steps detailed here don't work for you.

Nexus 7 (2012 WiFi) Debrick

Before attempting any of this, be sure that your tablet isn't recoverable via other means. A dead/low battery can sometimes be worked around by plugging it in to a charger and holding down the power button for 30s. Leaving it hooked up to a charger for some time (30+ minutes) can also get them to respond again. Unlike the Ouya, a bad kernel flash is recoverable by forcing the tablet into fastboot recovery with a button combo. Holding the volume down + power button for several seconds can boot into fastboot recovery mode which will allow the kernel to be reflashed. The steps below are only meant as a last resort, like if your bootloader was wiped via a botched update or similar.

Prerequisites:

  • Linux machine with:
    • free USB3 port (required for fusee-launcher) (Intel chipsets may work more reliably here)
    • (if 64-bit kernel/userland) 32-bit libraries installed (for .deb-based distros dpkg --add-architecture i386; apt update && apt install libc6:i386 libstdc++6:i386)
    • pyusb installed (for .deb-based distros apt install python3-usb)
    • fastboot installed (for .deb-based distros apt install fastboot)
    • adb installed (for .deb-based distros apt install adb)
    • cbootimage installed (for .deb-based distros apt install cbootimage)
    • recursive clone of this repository (git clone --recursive https://github.com/tofurky/tegra30_debrick.git)
  • Factory Android .zip for "nakasi". The latest is nakasi-lmy47v-factory-5a0bb059.zip. Others can be found here.
  • Some basic knowledge/familiarity with Linux command line
  • Some basic knowledge/familiarity with flashing Android (e.g. fastboot and adb)

Steps:

  1. Connect Nexus 7 to USB3 port on Linux machine via Micro-USB jack.

    • If you have reason to believe the battery may be at less than 30% capacity, let it sit there for an hour or two before proceeding. This isn't just to play it safe - the bootloader will refuse to operate in nvp3server mode if it's at <= 29%.
  2. Check output of dmesg and lsusb commands. Take note if the tablet automatically enumerates in APX mode:

    Example dmesg output showing enumeration in APX mode:
         [Sat Jul  4 12:12:44 2020] usb 2-3.4: new high-speed USB device number 86 using xhci_hcd
         [Sat Jul  4 12:12:44 2020] usb 2-3.4: New USB device found, idVendor=0955, idProduct=7330, bcdDevice= 1.03
         [Sat Jul  4 12:12:44 2020] usb 2-3.4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
         [Sat Jul  4 12:12:44 2020] usb 2-3.4: Product: APX
         [Sat Jul  4 12:12:44 2020] usb 2-3.4: Manufacturer: NVIDIA Corp.
    
    Example lsusb output showing device in APX mode:
         matt@aquos:~/devel/ouya/tegra30_debrick$ lsusb
         ...
         Bus 002 Device 086: ID 0955:7330 NVIDIA Corp. 
         ...
    
  3. If the tablet is not automatically entering APX mode, try the following to coerce it:

    • Open up a terminal window and execute dmesg -Tw. This is so you can see the USB enumeration happen in real time.
    • With the tablet plugged into the Linux machine, try holding volume up + power simultaneously for around 10-15 seconds.
    • If that doesn't work, it might help to unplug the internal battery connector. First, unplug the USB cable.
    • Follow the first few steps here to gently remove the rear cover and unplug the battery cable. If you're careful, this can be done without tools.
    • While pressing the volume up button, plug in the USB cable. It's a bit tricky with the cover removed - it should slightly "click" inwards. Using the edge of your fingernail can help. You may need to use more pressure than expected to create electrical contact. (Note: it can take several attempts to get the tablet to actually enumerate. If you continuously see USB errors in dmesg, maybe try sharper pressure on the volume up button.)
    • The tablet should then hopefully enumerate in APX mode. If it does, release the volume up button and reconnect the battery connector (leave the USB cable plugged in).
  4. From APX mode, execute fusee-launcher using uart_payload_n7.bin. Within the tegra30_debrick directory, run:

         sudo ./fusee-launcher/fusee-launcher.py ./payload/uart_payload_n7.bin -P 7330
    
    Example terminal output:
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo ./fusee-launcher/fusee-launcher.py ./payload/uart_payload_n7.bin -P 7330
         2020-07-04 12:16:54,982 INFO:usb.core:find(): using backend "usb.backend.libusb1"
         ​
         Important note: on desktop Linux systems, we currently require an XHCI host controller.
         A good way to ensure you're likely using an XHCI backend is to plug your
         device into a blue 'USB 3' port.
         ​
         Identified a Linux system; setting up the appropriate backend.
         intermezzo_size: 0x00000078
         target_payload_size: 0x000005ee
         Found a Tegra with Device ID: b'05163c81bc245d01'
         Stack snapshot: b'0000000000000000100000003c9f0040'
         EndpointStatus_stack_addr: 0x40009f3c
         ProcessSetupPacket SP: 0x40009f30
         InnerMemcpy LR stack addr: 0x40009f20
         overwrite_len: 0x00004f20
         overwrite_payload_off: 0x00004de0
         payload_first_length: 0x000005ee
         overwrite_payload_off: 0x00004de0
         payload_second_length: 0x00000000
         b'00a0004000300040ee05000000000000'
         Setting rcm msg size to 0x00030064
         RCM payload (len_insecure): b'64000300'
         ​
         Setting ourselves up to smash the stack...
         Payload offset of intermezzo: 0x00000074
         overwrite_payload_off: 0x00004de0
         overwrite_len: 0x00004f20
         payload_overwrite_len: 0x00004e5c
         overwrite_payload_off: 0x00004de0
         smash_padding: 0x000047f2
         overwrite_payload_off: 0x00004de0
         Uploading payload...
         txing 20480 bytes total
         txing 4096 bytes (0 already sent) to buf[0] 0x40003000
         txing 4096 bytes (4096 already sent) to buf[1] 0x40005000
         txing 4096 bytes (8192 already sent) to buf[0] 0x40003000
         txing 4096 bytes (12288 already sent) to buf[1] 0x40005000
         txing 4096 bytes (16384 already sent) to buf[0] 0x40003000
         Smashing the stack...
         sending status request with length 0x00004f20
         The USB device stopped responding-- sure smells like we've smashed its stack. :)
         Launch complete!
    
    Example output from USB serial adapter connected to the Nexus 7's UART after successfully running uart_payload_n7.bin:
         ----------------------------------------------------------------------------
         APBDEV_PMC_RST_STATUS_0: 00000000
         BIT_BootType: 00000002
         overriding getSecurityMode function to always return 3 (production non-secure)...
         writing PMC_SCRATCH0 to trigger RCM mode after soft reset...
         jumping to 0xfff01004...
    
    Example dmesg output after successfully running uart_payload_n7.bin. Note that the USB device will reset and reenumerate in APX mode:
         [Sat Jul  4 19:17:25 2020] usb 2-3.4: USB disconnect, device number 20
         [Sat Jul  4 19:17:25 2020] usb 2-3.4: new high-speed USB device number 21 using xhci_hcd
         [Sat Jul  4 19:17:26 2020] usb 2-3.4: New USB device found, idVendor=0955, idProduct=7330, bcdDevice= 1.03
         [Sat Jul  4 19:17:26 2020] usb 2-3.4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
         [Sat Jul  4 19:17:26 2020] usb 2-3.4: Product: APX
         [Sat Jul  4 19:17:26 2020] usb 2-3.4: Manufacturer: NVIDIA Corp.
    
  5. (Optional) Take a backup of the tablet's BCT with the unpatched version of nvflash for safekeeping and potential later use (i.e. use your backup instead of ./bct/nexus_7_grouper_bct.bin in subsequent steps) (Note: APX/nvflash will become unresponsive after this completes successfully - you'll need to cycle power and repeat steps 1 through 4):

         sudo ./utils/nvflash_v1.13.87205 --getbct --bct BCT_READBACK_N7.BIN --configfile ./utils/flash.cfg
    
    Example nvflash output showing success:
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo ./utils/nvflash_v1.13.87205 --getbct --bct BCT_READBACK_N7.BIN --configfile ./utils/flash.cfg
         Nvflash v1.13.87205 started
         chip uid from BR is: 0x0000000000000000015d24bc813c1605
         rcm version 0X30001
         System Information:
            chip name: unknown
            chip id: 0x30 major: 1 minor: 3
            chip sku: 0x83
            chip uid: 0x0000000000000000015d24bc813c1605
            macrovision: disabled
            hdcp: enabled
            jtag: disabled
            sbk burned: true
            dk burned: true
            boot device: emmc
            operating mode: 4
            device config strap: 1
            device config fuse: 17
            sdram config strap: 0
         ​
         retrieving bct into: BCT_READBACK_N7.BIN
         BCT_READBACK_N7.BIN received successfully
    
    • If you see an error like bootloader status: Bct file not found (code: 21) message: flags: 1073893660, and you're certain that you used the unpatched nvflash, it is possible that your BCT is damaged/missing. You will need to use the BCT from this repo (./bct/nexus_7_grouper_bct.bin) and add --sync to the EBT nvflash command in step 7.
    Example nvflash output showing missing/corrupt BCT
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo ./utils/nvflash_v1.13.87205 --getbct --bct BCT_READBACK_N7.BIN --configfile ./utils/flash.cfg 
         Nvflash v1.13.87205 started
         chip uid from BR is: 0x0000000000000000015d24bc813c1605
         rcm version 0X30001
         System Information:
            chip name: unknown
            chip id: 0x30 major: 1 minor: 3
            chip sku: 0x83
            chip uid: 0x0000000000000000015d24bc813c1605
            macrovision: disabled
            hdcp: enabled
            jtag: disabled
            sbk burned: true
            dk burned: true
            boot device: emmc
            operating mode: 4
            device config strap: 1
            device config fuse: 17
            sdram config strap: 0
    
         retrieving bct into: BCT_READBACK_N7.BIN
         Failed sending command 2 NvError 1179650command failure: getbct failed (bad data)
         bootloader status: Bct file not found (code: 21) message:  flags: 1073893660
    
    • Use bct_dump to confirm that the BCT looks OK:

        bct_dump BCT_READBACK_N7.BIN
      
    Example bct_dump output:
         matt@aquos:~/devel/ouya/tegra30_debrick$ bct_dump BCT_READBACK_N7.BIN 
         Version       = 0x00030001;
         BlockSize     = 0x00004000;
         PageSize      = 0x00000200;
         PartitionSize = 0x02000000;
         OdmData       = 0x40000000;
         # Bootloader used       = 1;
         # Bootloaders max       = 4;
         # BCT size              = 6128;
         # Hash size             = 16;
         # Crypto offset         = 16;
         # Crypto length         = 6112;
         # Max BCT search blocks = 64;
         #
         # These values are set by cbootimage using the
         # bootloader provided by the Bootloader=...
         # configuration option.
         #
         # Bootloader[0].Version      = 0x00000001;
         # Bootloader[0].Start block  = 224;
         # Bootloader[0].Start page   = 0;
         # Bootloader[0].Length       = 2150992;
         # Bootloader[0].Load address = 0x80108000;
         # Bootloader[0].Entry point  = 0x80108000;
         # Bootloader[0].Attributes   = 0x00000004;
         # Bootloader[0].Bl AES Hash  = b28ebc06accf2bcd877e444bc28d00c0;
         # Bootloader[0].RsaPssSigBl:
         ​
         SDRAM[0].MemoryType                         = NvBootMemoryType_Ddr3;
         SDRAM[0].PllMChargePumpSetupControl         = 0x00000008;
         SDRAM[0].PllMLoopFilterSetupControl         = 0x00000000;
         SDRAM[0].PllMInputDivider                   = 0x0000000c;
         ...
         SDRAM[1].McEmemArbMisc1                     = 0x78000000;
         SDRAM[1].McEmemArbRing1Throttle             = 0x001f0000;
         SDRAM[1].McEmemArbOverride                  = 0x00000080;
         SDRAM[1].McEmemArbRsv                       = 0xff00ff00;
         SDRAM[1].McClkenOverride                    = 0x00000000;
    
  6. Boot from APX to fastboot's nv3pserver mode like so:

         sudo ./utils/nvflash_v1.13.87205_miniloader_patched --setbct --bct ./bct/nexus_7_grouper_bct.bin --configfile ./utils/flash.cfg --bl ./bootloader/bootloader-grouper-4.23.img --go
    
    Example nvflash output:
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo ./utils/nvflash_v1.13.87205_miniloader_patched --setbct --bct ./bct/nexus_7_grouper_bct.bin --configfile ./utils/flash.cfg --bl ./bootloader/bootloader-grouper-4.23.img --go
         Nvflash v1.13.87205 started
         chip uid from BR is: 0x0000000000000000015d24bc813c1605
         rcm version 0X30001
         System Information:
            chip name: unknown
            chip id: 0x30 major: 1 minor: 3
            chip sku: 0x83
            chip uid: 0x0000000000000000015d24bc813c1605
            macrovision: disabled
            hdcp: enabled
            jtag: disabled
            sbk burned: true
            dk burned: true
            boot device: emmc
            operating mode: 3
            device config strap: 1
            device config fuse: 17
            sdram config strap: 0
         ​
         sending file: ./bct/nexus_7_grouper_bct.bin
         - 6128/6128 bytes sent
         ./bct/nexus_7_grouper_bct.bin sent successfully
         downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
         sending file: ./bootloader/bootloader-grouper-4.23.img
         - 2150992/2150992 bytes sent
         ./bootloader/bootloader-grouper-4.23.img sent successfully
         waiting for bootloader to initialize
         bootloader downloaded successfully
    
    Example UART output (Note: this is from the patched _uart.img bootloader variant, not what is shown in the above command):
         Starting Miniloader
         Transferring control to Bootloader
         hip Id: 0x30 (Handheld SOC) Major: 0x1 Minor: 0x3 SKU: 0x83
         NVRM Initialized shmoo database
         NVRM CLOCKS: PLLX0:      700000 Khz
         NVRM CLOCKS: PLLM0:      667000 Khz
         NVRM CLOCKS: PLLC0:      600000 Khz
         NVRM CLOCKS: PLLP0:      408000 Khz
         NVRM CLOCKS: PLLA0:      11289 Khz
         NVRM CLOCKS: CPU:        700000 Khz
         NVRM CLOCKS: AVP:        102000 Khz
         NVRM CLOCKS: System Bus: 102000 Khz
         NVRM CLOCKS: Memory Controller: 333500
         NVRM CLOCKS: External Memory Controller: 667000
         PMIC_detection  PINMUX_AUX_GMI_CS2_N_0 register=30
         PMIC_detection  id_value =0 RegData=0
         BoardInfo: 0x0f41:0x0a00:0x01:0x44:0x02
         KaiPmuGetCapabilities(): The power rail 33 is not mapped properly
         KaiPmuGetCapabilities(): The power rail 33 is not mapped properly
         Max77663IsRailEnabled() Rail2 is using FPS1
         Max77663IsRailEnabled() Rail9 is using FPS0
         Max77663IsRailEnabled() Rail13 is using FPS1
         Max77663IsRailEnabled() Rail13 is using FPS1
         ADJUSTED CLOCKS:
         MC clock is set to 333500 KHz
         EMC clock is set to 667000 KHz (DDR clock is at 667000 KHz)
         PLLX0 clock is set to 700000 KHz
         PLLC0 clock is set to 600000 KHz
         CPU clock is set to 700000 KHz
         System and AVP clock is set to 102000 KHz
         GraphicsHost clock is set to 163200 KHz
         3D clock is set to 111166 KHz
         2D clock is set to 111166 KHz
         Epp clock is set to 111166 KHz
         Mpe clock is set to 111166 KHz
         Vde clock is set to 272000 KHz
         Bootloader Start at:22222 ms
         read_battery_register i2c_addr=aa reg=2c
         NvOdmI2cStatus_Success
         getbatterycapacity capacity=30 
         Initializing Display
         OdmPmuApGpioGetCapabilities(): The VddRail 37 is more than registered rails
         OdmPmuApGpioGetVoltage(): The VddRail 37 is more than registered rails
         OdmPmuApGpioGetVoltage(): The VddRail 37 is more than registered rails
         OdmPmuApGpioSetVoltage(): The VddRail 37 is more than registered rails
         OdmPmuApGpioSetVoltage(): The VddRail 37 is more than registered rails
         OdmPmuApGpioSetVoltage(): The VddRail 37 is more than registered rails
         OdmPmuApGpioSetVoltage(): The VddRail 37 is more than registered rails
         Project value(0x0)
         Project value(0x0)
         Invalidate-only cache maint not supported in NvOs
         in nvrm_clocks.c, NvRmPowerModuleClockConfig pclk, state->SourceClock=6, state->actual_freq=12000, state->Divider=1
         Project value(0x0)
         in nvrm_clocks.c, NvRmPowerModuleClockConfig pclk, state->SourceClock=0, state->actual_freq=408000, state->Divider=1
         OdmPmuApGpioGetCapabilities(): The VddRail 37 is more than registered rails
         OdmPmuApGpioSetVoltage(): The VddRail 37 is more than registered rails
         OdmPmuApGpioSetVoltage(): The VddRail 37 is more than registered rails
         Project value(0x0)
         ASUS_charger_mode+
         Project value(0x0)
         asus: [smb347_hot_temp_setting] Hard Limit Hot Temperature set success !
         Exit charger mode due to Nv3pServer is active. 
         Show google logo
         show logo at 22873ms
         ​
         [bootloader] (built on Mar 21 2013, 17:12:55)
         Platform Pre Boot configuration...
         read_battery_register i2c_addr=aa reg=2c
         NvOdmI2cStatus_Success
         getbatterycapacity capacity=30 
         Entering NvFlash recovery mode / Nv3p Server
         ​
         ​
         Chip Uid: 015d24bc813c1605
    
    • If nvflash errors out with something along the lines of bootloader failed NvError 0x0, it is possible that the battery is not charged enough to continue. The tablet screen will clearly say "battery is too low". If that's the case, cycle power, let it charge, and revisit in an hour or two. The cutoff seems to be 29%.
    Example nvflash output if battery is too low (this error could happen for other reasons, too - but if your tablet has been sitting dead for a while, it's a likely culprit)
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo ./utils/nvflash_v1.13.87205_miniloader_patched --setbct --bct ./bct/nexus_7_grouper_bct.bin --configfile ./utils/flash.cfg --bl ./bootloader/bootloader-grouper-4.23.img --go
         Nvflash v1.13.87205 started
         chip uid from BR is: 0x0000000000000000015d24bc813c1605
         rcm version 0X30001
         System Information:
            chip name: unknown
            chip id: 0x30 major: 1 minor: 3
            chip sku: 0x83
            chip uid: 0x0000000000000000015d24bc813c1605
            macrovision: disabled
            hdcp: enabled
            jtag: disabled
            sbk burned: true
            dk burned: true
            boot device: emmc
            operating mode: 3
            device config strap: 1
            device config fuse: 17
            sdram config strap: 0
         ​
         sending file: ./bct/nexus_7_grouper_bct.bin
         - 6128/6128 bytes sent
         ./bct/nexus_7_grouper_bct.bin sent successfully
         downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
         sending file: ./bootloader/bootloader-grouper-4.23.img
         - 2150992/2150992 bytes sent
         ./bootloader/bootloader-grouper-4.23.img sent successfully
         waiting for bootloader to initialize
         usb read error (71): Protocol error
         bootloader failed NvError 0x0
         command failure: bootloader download failed 
    
  7. Use the currently running nv3pserver mode to reflash the bootloader to eMMC (Note: if step 5 failed due to corrupt/missing BCT, add --sync to this command. It will re-write the BCT.):

         sudo ./utils/nvflash_v1.13.87205_miniloader_patched --resume --download EBT bootloader/bootloader-grouper-4.23.img --configfile ./utils/flash.cfg
    
    Example nvflash output:
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo ./utils/nvflash_v1.13.87205_miniloader_patched --resume --download EBT bootloader/bootloader-grouper-4.23.img --configfile ./utils/flash.cfg 
         Nvflash v1.13.87205 started
         [resume mode]
         sending file: bootloader/bootloader-grouper-4.23.img
         - 2150992/2150992 bytes sent
         bootloader/bootloader-grouper-4.23.img sent successfully
    
    Example UART output (from patched _uart.img)
         BytesPerSector = 4096
         ​
         Start Downloading EBT
         ​
         End Downloading EBT
         ​
         !!!!!device update success!!!!!
         ​
         SocCpuMaxKHz = 1000000
         SocCpuMinKHz = 32
         PLLX0 FreqKHz = 700000
         Project value(0x0)
         Checking for android ota recovery 
         Key driver not found.. Booting OS
         ​
         Cold-booting Linux
         ​
         Platform Pre OS Boot configuration...
         Project value(0x0)
         Warning: console set to hsport (				secure world tracing won't work)
         The proc BoardInfo: 0x0f41:0x0a00:0x01:0x44:0x02
         Project value(0x0)
         mping to kernel at:47975 ms
    
    • If you had a valid kernel and system image on the device, the tablet may boot into it immediately after flashing EBT. However, this does not mean that the bootloader/BCT were successfully flashed.
    Example dmesg output if stock kernel automatically boots:
         [Sat Jul  4 23:23:00 2020] usb 2-3.4: USB disconnect, device number 66
         [Sat Jul  4 23:23:14 2020] usb 2-3.4: new high-speed USB device number 67 using xhci_hcd
         [Sat Jul  4 23:23:14 2020] usb 2-3.4: New USB device found, idVendor=18d1, idProduct=4e41, bcdDevice=99.99
         [Sat Jul  4 23:23:14 2020] usb 2-3.4: New USB device strings: Mfr=2, Product=3, SerialNumber=4
         [Sat Jul  4 23:23:14 2020] usb 2-3.4: Product: Android
         [Sat Jul  4 23:23:14 2020] usb 2-3.4: Manufacturer: Android
         [Sat Jul  4 23:23:14 2020] usb 2-3.4: SerialNumber: 015d24bc813c1605
    
    • At this point, it is necessary to perform a cold boot to verify the bootloader and BCT are properly flashed. This can be achieved by holding the power button for approximately 10 seconds. Eventually, you should see a Google logo and the tablet will continue booting into Android if kernel and system partitions are intact.
  8. Enter fastboot mode by holding the volume down and power keys for approximately 10s. While holding the buttons, the screen should go blank, briefly flash the Google logo, and then go to the screen with the Android mascot (it also says 'Start' at the top). Release the buttons:

    Example dmesg output showing fastboot enumerating:
         [Sat Jul  4 23:27:51 2020] usb 2-3.4: USB disconnect, device number 69
         [Sat Jul  4 23:27:51 2020] usb 2-3.4: new high-speed USB device number 70 using xhci_hcd
         [Sat Jul  4 23:27:51 2020] usb 2-3.4: New USB device found, idVendor=18d1, idProduct=4e40, bcdDevice= 0.00
         [Sat Jul  4 23:27:51 2020] usb 2-3.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
         [Sat Jul  4 23:27:51 2020] usb 2-3.4: Product: Android
         [Sat Jul  4 23:27:51 2020] usb 2-3.4: Manufacturer: Google, Inc
         [Sat Jul  4 23:27:51 2020] usb 2-3.4: SerialNumber: 015d24bc813c1605
    
    • From here it is possible to completely restore the stock OS using a factory .zip image. Run the following to confirm communication with the device:

        sudo fastboot devices
      
    Example fastboot output:
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo fastboot devices
         015d24bc813c1605	fastboot
    

Ouya Debrick

Before attempting any of this, be sure that your system isn't recoverable via other means. This could be as simple as hooking up a USB cable and running adb, or possibly plugging in a USB keyboard and attempting to enter recovery mode.

Prerequisites:

  • Linux machine with:
    • free USB3 port (required for fusee-launcher) (Intel chipsets may work more reliably here)
    • (if 64-bit kernel/userland) 32-bit libraries installed (for .deb-based distros dpkg --add-architecture i386; apt update && apt install libc6:i386 libstdc++6:i386)
    • pyusb installed (for .deb-based distros apt install python3-usb)
    • fastboot installed (for .deb-based distros apt install fastboot)
    • adb installed (for .deb-based distros apt install adb)
    • recursive clone of this repository (git clone --recursive https://github.com/tofurky/tegra30_debrick.git)
  • Ouya OTA update .zip (if you had a bad kernel flash, for example)
    • a large .7z with multiple versions can be found here
  • (if Ouya isn't automatically booting to APX) low ohm resistor (I used 47 ohm) connected to ground with an e.g. wire and/or test clip
    • if you're brave, dextrous, and very careful you might even get away with a paperclip grounded to the springy clip on the edge of the PCB
  • Some basic knowledge/familiarity with Linux command line
  • Some basic knowledge/familiarity with flashing Android (e.g. fastboot and adb)

Steps

  1. Connect Ouya to power, but leave powered off

  2. Connect Ouya to USB3 port on Linux machine via Micro-USB jack

  3. Power on Ouya and check dmesg and/or lsusb output on Linux machine. Take note if the Ouya automatically enumerates in APX mode:

    Example dmesg output showing enumeration in APX mode:
         [Thu Jul  2 16:28:11 2020] usb 2-3.3.2: new high-speed USB device number 8 using xhci_hcd
         [Thu Jul  2 16:28:11 2020] usb 2-3.3.2: New USB device found, idVendor=0955, idProduct=7030, bcdDevice= 1.03
         [Thu Jul  2 16:28:11 2020] usb 2-3.3.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
         [Thu Jul  2 16:28:11 2020] usb 2-3.3.2: Product: APX
         [Thu Jul  2 16:28:11 2020] usb 2-3.3.2: Manufacturer: NVIDIA Corp.
    
    Example lsusb output showing device in APX mode:
         matt@aquos:~/devel/ouya/tegra30_debrick$ lsusb
         ...
     	Bus 002 Device 055: ID 0955:7030 NVIDIA Corp. T30 [Tegra 3] recovery mode
         ...
    
  4. If Ouya is not automatically booting to APX mode, do the following:

    • Disassemble Ouya by removing the 4 screws on the top and carefully sliding out PCB. This iFixit teardown may be helpful.
    • Repeat steps 1 & 2 to reconnect power and Micro-USB cable
    • Taking ESD precautions, connect pin on PFET to ground via low ohm resistor (~47 ohm - other values including 0 ohm probably work)
      • Power on Ouya with button
      • Leave PFET pin grounded for approximately 2s after pressing power button. This is about the time it takes for the fan to spin up.
    • If grounding PFET pin doesn't work. There is an alternate method. Otherwise skip to the next step.
      • Short the U33 pads
      • Power on Ouya with button
      • Remove short from U33
    • Check Linux dmesg output on your PC to see if the Ouya enumerated in APX mode.
      • If it did, but reset afterwards, you've held the PFET to ground for too long.
      • If it didn't, try holding it a small amount longer.
    Example dmesg output showing success:
         [Thu Jul  2 16:28:11 2020] usb 2-3.3.2: new high-speed USB device number 8 using xhci_hcd
         [Thu Jul  2 16:28:11 2020] usb 2-3.3.2: New USB device found, idVendor=0955, idProduct=7030, bcdDevice= 1.03
         [Thu Jul  2 16:28:11 2020] usb 2-3.3.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
         [Thu Jul  2 16:28:11 2020] usb 2-3.3.2: Product: APX
         [Thu Jul  2 16:28:11 2020] usb 2-3.3.2: Manufacturer: NVIDIA Corp.
    
  5. From APX mode, execute fusee-launcher using uart_payload_ouya.bin. Within the tegra30_debrick directory, run:

         sudo ./fusee-launcher/fusee-launcher.py ./payload/uart_payload_ouya.bin -P 7030
    
    Example terminal output:
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo ./fusee-launcher/fusee-launcher.py ./payload/uart_payload_ouya.bin -P 7030
         2020-07-02 22:04:36,408 INFO:usb.core:find(): using backend "usb.backend.libusb1"
         ​
         Important note: on desktop Linux systems, we currently require an XHCI host controller.
         A good way to ensure you're likely using an XHCI backend is to plug your
         device into a blue 'USB 3' port.
         ​
         Identified a Linux system; setting up the appropriate backend.
         intermezzo_size: 0x00000078
         target_payload_size: 0x000005ee
         Found a Tegra with Device ID: b'0210380c06495d01'
         Stack snapshot: b'0000000000000000100000003c9f0040'
         EndpointStatus_stack_addr: 0x40009f3c
         ProcessSetupPacket SP: 0x40009f30
         InnerMemcpy LR stack addr: 0x40009f20
         overwrite_len: 0x00004f20
         overwrite_payload_off: 0x00004de0
         payload_first_length: 0x000005ee
         overwrite_payload_off: 0x00004de0
         payload_second_length: 0x00000000
         b'00a0004000300040ee05000000000000'
         Setting rcm msg size to 0x00030064
         RCM payload (len_insecure): b'64000300'
         ​
         Setting ourselves up to smash the stack...
         Payload offset of intermezzo: 0x00000074
         overwrite_payload_off: 0x00004de0
         overwrite_len: 0x00004f20
         payload_overwrite_len: 0x00004e5c
         overwrite_payload_off: 0x00004de0
         smash_padding: 0x000047f2
         overwrite_payload_off: 0x00004de0
         Uploading payload...
         txing 20480 bytes total
         txing 4096 bytes (0 already sent) to buf[0] 0x40003000
         txing 4096 bytes (4096 already sent) to buf[1] 0x40005000
         txing 4096 bytes (8192 already sent) to buf[0] 0x40003000
         txing 4096 bytes (12288 already sent) to buf[1] 0x40005000
         txing 4096 bytes (16384 already sent) to buf[0] 0x40003000
         Smashing the stack...
         sending status request with length 0x00004f20
         The USB device stopped responding-- sure smells like we've smashed its stack. :)
         Launch complete!
    
    Example output from USB serial adapter connected to Ouya's UART after successfully running uart_payload_ouya.bin:
         ----------------------------------------------------------------------------
         APBDEV_PMC_RST_STATUS_0: 00000000
         BIT_BootType: 00000002
         overriding getSecurityMode function to always return 3 (production non-secure)...
         writing PMC_SCRATCH0 to trigger RCM mode after soft reset...
         jumping to 0xfff01004...
    
    Example dmesg output after successfully running uart_payload_ouya.bin. Note that the USB device will reset and reenumerate in APX mode:
         [Thu Jul  2 16:35:48 2020] usb 2-3.3.2: USB disconnect, device number 8
         [Thu Jul  2 16:35:49 2020] usb 2-3.3.2: new high-speed USB device number 9 using xhci_hcd
         [Thu Jul  2 16:35:49 2020] usb 2-3.3.2: New USB device found, idVendor=0955, idProduct=7030, bcdDevice= 1.03
         [Thu Jul  2 16:35:49 2020] usb 2-3.3.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
         [Thu Jul  2 16:35:49 2020] usb 2-3.3.2: Product: APX
         [Thu Jul  2 16:35:49 2020] usb 2-3.3.2: Manufacturer: NVIDIA Corp.
    
  6. Boot from APX to fastboot's nv3pserver mode like so:

         sudo ./utils/nvflash_v1.13.87205_miniloader_patched --setbct --bct ./bct/ouya_rev_1.01_bct.bin --configfile ./utils/flash.cfg --bl ./bootloader/ouya_rev_1.01_2013-06-20_sigcheck_disabled.bin --go
    
    Example terminal output from nvflash command:
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo ./utils/nvflash_v1.13.87205_miniloader_patched --setbct --bct ./bct/ouya_rev_1.01_bct.bin --configfile ./utils/flash.cfg --bl ./bootloader/ouya_rev_1.01_2013-06-20_sigcheck_disabled.bin --go
         Nvflash v1.13.87205 started
         chip uid from BR is: 0x0000000000000000015d49060c381002
         rcm version 0X30001
         System Information:
            chip name: unknown
            chip id: 0x30 major: 1 minor: 3
            chip sku: 0x80
            chip uid: 0x0000000000000000015d49060c381002
            macrovision: disabled
            hdcp: enabled
            jtag: disabled
            sbk burned: true
            dk burned: true
            boot device: emmc
            operating mode: 3
            device config strap: 0
            device config fuse: 0
            sdram config strap: 0
         ​
         sending file: ./bct/ouya_rev_1.01_bct.bin
         - 6128/6128 bytes sent
         ./bct/ouya_rev_1.01_bct.bin sent successfully
         downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
         sending file: ./bootloader/ouya_rev_1.01_2013-06-20_sigcheck_disabled.bin
         / 1011728/1011728 bytes sent
         ./bootloader/ouya_rev_1.01_2013-06-20_sigcheck_disabled.bin sent successfully
         waiting for bootloader to initialize
         bootloader downloaded successfully
    
    Example Ouya UART output after nvflash command:
         Bootloader AVP Init
         **********Aos DebugSemiHosting Initialized*******
         ---------------------------------------------------
         NVRM Initialized shmoo database
         NVRM CLOCKS: PLLX0:      700000 Khz
         NVRM CLOCKS: PLLM0:      800000 Khz
         NVRM CLOCKS: PLLC0:      600000 Khz
         NVRM CLOCKS: PLLP0:      408000 Khz
         NVRM CLOCKS: PLLA0:      11289 Khz
         NVRM CLOCKS: CPU:        700000 Khz
         NVRM CLOCKS: AVP:        102000 Khz
         NVRM CLOCKS: System Bus: 102000 Khz
         NVRM CLOCKS: Memory Controller: 200000
         NVRM CLOCKS: External Memory Controller: 400000
         Fake BoardInfo: 0x0c5b:0x0b01:0x04:0x43:0x03
         ADJUSTED CLOCKS:
         MC clock is set to 200000 KHz
         EMC clock is set to 400000 KHz (DDR clock is at 400000 KHz)
         PLLX0 clock is set to 700000 KHz
         PLLC0 clock is set to 600000 KHz
         CPU clock is set to 700000 KHz
         System and AVP clock is set to 102000 KHz
         GraphicsHost clock is set to 163200 KHz
         3D clock is set to 133333 KHz
         2D clock is set to 133333 KHz
         Epp clock is set to 133333 KHz
         Mpe clock is set to 133333 KHz
         Vde clock is set to 272000 KHz
         Pinmux changes applied in kernel way
         Bootloader Start at:44553 ms
         ​
         [bootloader] (built on Jun 20 2013, 22:10:09)
         Initializing Display
         Invalidate-only cache maint not supported in NvOs
         Platform Pre Boot configuration...
         Entering NvFlash recovery mode / Nv3p Server
    
  7. (Optional, but recommended) Take partition-by-partition dumps of eMMC by running:

         for partition in BCT PT EBT EKS GP1 SOS LNX APP CAC UPP MSC USP MDA GPT UDA; do sudo ./utils/nvflash_v1.13.87205_miniloader_patched --resume --read $partition $partition.bin; done
    
    • Note that the last partition, UDA (userdata), has a decent chance of hanging. If it does, it may be necessary to power cycle the Ouya. To run it as a one-off:

        sudo ./utils/nvflash_v1.13.87205_miniloader_patched --resume --read UDA UDA.bin
      
  8. If Ouya was not automatically booting to APX mode (e.g. bad kernel)

    • Reflash LNX with e.g. CWM Recovery:

        sudo ./utils/nvflash_v1.13.87205_miniloader_patched --resume --download LNX ./recovery/recovery-clockwork-6.0.4.8-ouya.img --go
      
    Example nvflash output:
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo ./utils/nvflash_v1.13.87205_miniloader_patched --resume --download LNX ./recovery/recovery-clockwork-6.0.4.8-ouya.img --go
         Nvflash v1.13.87205 started
         [resume mode]
         sending file: ./recovery/recovery-clockwork-6.0.4.8-ouya.img
         - 8151040/8151040 bytes sent
         ./recovery/recovery-clockwork-6.0.4.8-ouya.img sent successfully
    
    • Confirm Ouya boots into recovery (being attached to a TV via HDMI helps here):

        sudo adb devices
      
    Example adb output:
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo adb devices
         List of devices attached
         015d49060c381002	recovery
    
    Example dmesg output:
         [Thu Jul  2 22:49:53 2020] usb 2-3.3.2: USB disconnect, device number 35
         [Thu Jul  2 22:50:02 2020] usb 2-3.3.2: new high-speed USB device number 36 using xhci_hcd
         [Thu Jul  2 22:50:02 2020] usb 2-3.3.2: New USB device found, idVendor=18d1, idProduct=d001, bcdDevice= 2.32
         [Thu Jul  2 22:50:02 2020] usb 2-3.3.2: New USB device strings: Mfr=2, Product=3, SerialNumber=4
         [Thu Jul  2 22:50:02 2020] usb 2-3.3.2: Product: Ouya
         [Thu Jul  2 22:50:02 2020] usb 2-3.3.2: Manufacturer: Boxer8
         [Thu Jul  2 22:50:02 2020] usb 2-3.3.2: SerialNumber: 015d49060c381002
    
    • From recovery, reflash stock .zip, or adb reboot-bootloader to get to fastboot to reflash stock
  9. If Ouya was automatically booting to APX mode (i.e. bad/erased bootloader/BCT):

    • Backup LNX partition if you haven't yet done so:

        sudo ./utils/nvflash_v1.13.87205_miniloader_patched --resume --read LNX LNX.bin
      
    • Erase LNX partition via nv3pserver mode by uploading all zeroes:

        truncate -s 8M LNX_all_zeroes.bin
        sudo ./utils/nvflash_v1.13.87205_miniloader_patched --resume --download LNX LNX_all_zeroes.bin --go
      
    Example nvflash output:
         matt@aquos:~/devel/ouya/tegra30_debrick$ truncate -s 8M LNX_all_zeroes.bin
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo ./utils/nvflash_v1.13.87205_miniloader_patched --resume --download LNX LNX_all_zeroes.bin --go
         Nvflash v1.13.87205 started
         [resume mode]
         sending file: LNX_all_zeroes.bin
         / 8388608/8388608 bytes sent
         LNX_all_zeroes.bin sent successfully
    
    • nvp3server should then try to boot Linux, and subsequently fail back to standard fastboot mode
    Example UART output:
         Start Downloading LNX
         ​
         End Downloading LNX
         SocCpuMaxKHz = 1000000
         SocCpuMinKHz = 32
         PLLX0 FreqKHz = 700000
         Checking for android ota recovery 
         Key driver not found.. Booting OS
         Cold-booting Linux
          Booting failed
         Starting Fastboot USB download protocol
         Key driver not found.. Booting OS
    
    Example dmesg output:
         [Thu Jul  2 20:36:55 2020] usb 2-3.3.2: USB disconnect, device number 20
         [Thu Jul  2 20:36:55 2020] usb 2-3.3.2: new high-speed USB device number 21 using xhci_hcd
         [Thu Jul  2 20:36:55 2020] usb 2-3.3.2: New USB device found, idVendor=0955, idProduct=7000, bcdDevice= 0.00
         [Thu Jul  2 20:36:55 2020] usb 2-3.3.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
         [Thu Jul  2 20:36:55 2020] usb 2-3.3.2: Product: Fastboot
         [Thu Jul  2 20:36:55 2020] usb 2-3.3.2: Manufacturer: NVIDIA Corp.
         [Thu Jul  2 20:36:55 2020] usb 2-3.3.2: SerialNumber: 015d49060c381002
    
    • Check to see if the device is available via fastboot (note: sudo isn't strictly necessary, but can workaround permissions issues):

        sudo fastboot devices
      
    Example fastboot output:
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo fastboot devices
         015d49060c381002	fastboot
    
    • Use the currently running patched fastboot to reflash the unpatched fastboot:

        sudo fastboot flash bootloader ./bootloader/ouya_rev_1.01_2013-06-20.bin
      
    Example fastboot output:
         matt@aquos:~/devel/ouya/tegra30_debrick$ fastboot flash bootloader ./bootloader/ouya_rev_1.01_2013-06-20.bin
         target didn't report max-download-size
         sending 'bootloader' (988 KB)...
         OKAY [  0.212s]
         writing 'bootloader'...
         OKAY [  8.825s]
         finished. total time: 9.037s
    
    Example UART output:
         Cmd Rcvd: getvar:slot-count
         Response sent: OKAY
         Cmd Rcvd: getvar:slot-suffixes
         Response sent: OKAY
         Cmd Rcvd: getvar:has-slot:bootloader
         Response sent: OKAY
         Cmd Rcvd: getvar:partition-type:bootloader
         Response sent: OKAYbasic
         Cmd Rcvd: getvar:max-download-size
         Response sent: OKAY
         Cmd Rcvd: download:000f7010
         Response sent: DATA000f7010
         ​
         Response sent: OKAY
         Cmd Rcvd: flash:bootloader
         ​
         Format partition USP 
         Region=0 SD Erase start 512B-sector=2686976,512B-sector-num=65536 Response sent: OKAY
    
    • Reboot into newly flashed bootloader:

        sudo fastboot reboot-bootloader
      
    Example fastboot output:
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo fastboot reboot-bootloader 
         rebooting into bootloader...
         OKAY [  0.004s]
         finished. total time: 0.104s
    
    • Reflash the Ouya kernel with the backup that was made earlier with nvflash:

        sudo fastboot flash boot LNX.bin
      
    Example fastboot output:
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo fastboot flash boot LNX.bin
         target didn't report max-download-size
         sending 'boot' (8192 KB)...
         OKAY [  2.552s]
         writing 'boot'...
         OKAY [  2.683s]
         finished. total time: 5.235s
    
    • Boot into "new" kernel:

        sudo fastboot continue
      
    Example fastboot output:
         matt@aquos:~/devel/ouya/tegra30_debrick$ sudo fastboot continue
         resuming boot...
         OKAY [  0.004s]
         finished. total time: 0.004s
    

About

fusee-gelee payload, supporting files, and guide for debricking Tegra 3 devices (2012 Nexus 7 and Ouya)

License:GNU General Public License v2.0


Languages

Language:C 98.0%Language:Makefile 2.0%