Projects

Bricking and unbricking Vontar X96 mini

7 Comments

So I bought a media player again. It’s Vontar X96 mini with 1GB RAM and 8GB eMMC and according to rule “Don’t turn it on, take it apart!” it’s exactly what I did:

After assembling and turning it on, Android 7 popped up but this was not my target OS. I wanted to use LibreELEC so I followed installation howto: downloaded and burned latest image to SD card, replaced dtb file with gxl_p212_1g.dtb, and run reboot update from Android terminal.

Box rebooted into working LibreELEC, nice! Now I wanted to burn it into internal eMMC so I run installtointernal despite a big red warning on howto page and warning in the script itself, rebooted and… I got sad. The LED was blinking red-blue and the box stopped booting. I tried all voodoo  recovery instructions (holding reset button, powering from both usb and adapter, with HDMI, without it…) to boot into upload mode where the box would be detected by a PC and I would use USB Burning Tool but nothing helped. I also wrote to the seller to get help, they’ve sent me USB Burning Tool, factory image and Upgrade instruction which was nice but it didn’t work either.

So I hooked up serial interface to see what’s going on insideand the result was following:

GXL:BL1:9ac50e:a1974b;FEAT:ADFC318C;POC:3;RCY:0;EMMC:0;READ:0;0.0;CHK:0;
TE: 100781

BL2 Built : 20:32:17, Sep 8 2017. 
gxl g6296b83 - xiaobo.gu@droid12

set vcck to 1120 mv
set vddee to 1070 mv
Board ID = 2
CPU clk: 1200MHz
DQS-corr enabled
DDR scramble enabled
DDR3 chl: Rank0 16bit @ 792MHz
Rank0: 1024MB(auto)-2T-11
DataBus test pass!
AddrBus test pass!
-s
Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000
New fip structure!
Load bl30 from eMMC, src: 0x00010200, des: 0x01100000, size: 0x0000d600
Load bl31 from eMMC, src: 0x00020200, des: 0x05100000, size: 0x0002c600
Load bl33 from eMMC, src: 0x00050200, des: 0x01000000, size: 0x00065e00
NOTICE: BL3-1: v1.0(release):a625749
NOTICE: BL3-1: Built : 11:25:15, Aug 25 2017
[BL31]: GXL CPU setup!
NOTICE: BL31: BL33 decompress pass
mpu_config_enable:ok
[Image: gxl_v1.1.3243-377db0f 2017-09-07 11:28:58 qiufang.dai@droid07]
OPS=0xa2
0 a4 b0 46 ef c9 98 14 5e dc ac 58 [0.326773 Inits done]
secure task start!
high task start!
low task start!
ERROR: Error initializing runtime service opteed_fast


U-Boot 2015.01-g2d1a155-dirty (Oct 08 2017 - 12:02:50)

DRAM: 1 GiB
Relocation Offset is: 36eb3000
register usb cfg[0][1] = 0000000037f5a960
[CANVAS]canvas init
boot_device_flag : 1
Nand PHY Ver:1.01.001.0006 (c) 2013 Amlogic Inc.
init bus_cycle=6, bus_timing=7, system=5.0ns
reset failed
get_chip_type and ret:fffffffe
get_chip_type and ret:fffffffe
chip detect failed and ret:fffffffe
nandphy_init failed and ret=0xfffffff1
MMC: aml_priv->desc_buf = 0x0000000033eb36b0
aml_priv->desc_buf = 0x0000000033eb59d0
SDIO Port B: 0, SDIO Port C: 1
emmc/sd response timeout, cmd8, status=0x1ff2800
emmc/sd response timeout, cmd55, status=0x1ff2800
init_part() 293: PART_TYPE_AML
[mmc_init] mmc init success
dtb magic edfe0dd0
 Amlogic multi-dtb tool
 Single dtb detected
start dts,buffer=0000000033eb8200,dt_addr=0000000033eb8200
 Amlogic multi-dtb tool
 Single dtb detected
parts: 11
00: logo 0000000002000000 1
01: recovery 0000000002000000 1
02: rsv 0000000000800000 1
03: tee 0000000000800000 1
04: crypt 0000000002000000 1
05: misc 0000000002000000 1
06: boot 0000000002000000 1
07: system 0000000080000000 1
08: cache 0000000020000000 2
09: data ffffffffffffffff 4
"Synchronous Abort" handler, esr 0x96000210
ELR: 37ec0b44
LR: 37ec0afc
x0 : 0000000033f38210 x1 : 000000000000000c
x2 : 0000000037f443f9 x3 : 0000000000000004
x4 : 0000000000000000 x5 : 0000000033f383a0
x6 : 0000000033ec13b0 x7 : 0000000000000020
x8 : 0000000000000034 x9 : 0000000000000000
x10: 000000000000000f x11: 0000000037f38d00
x12: 0000000000000000 x13: 0000000000000000
x14: 0000000000000000 x15: 0000000000000000
x16: 0000000000000000 x17: 0000000000000000
x18: 0000000033ea2e28 x19: 000000000000000a
x20: 0000000000000000 x21: 0000000033eb8200
x22: 0000000000000000 x23: 0000000033ebe6bc
x24: 0000000037f72000 x25: 0000000000000000
x26: 0000000000006468 x27: 0000000000000000
x28: 000000000000000a x29: 0000000033e92b70

Resetting CPU ...

resetting ...
GXL:BL1:9ac50e:a1974b;FEAT:ADFC318C;POC:3;RCY:0;EMMC:0;READ:0;0.0;CHK:0;
TE: 100780

BL2 Built : 20:32:17, Sep 8 2017. 
gxl g6296b83 - xiaobo.gu@droid12

set vcck to 1120 mv
set vddee to 1070 mv
Board ID = 2
CPU clk: 1200MHz
DQS-corr enabled
DDR scramble enabled
DDR3 chl: Rank0 16bit @ 792MHz
Rank0: 1024MB(auto)-2T-11
DataBus test pass!
AddrBus test pass!
-s
Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000
New fip structure!
Load bl30 from eMMC, src: 0x00010200, des: 0x01100000, size: 0x0000d600
Load bl31 from eMMC, src: 0x00020200, des: 0x05100000, size: 0x0002c600
Load bl33 from eMMC, src: 0x00050200, des: 0x01000000, size: 0x00065e00
NOTICE: BL3-1: v1.0(release):a625749
NOTICE: BL3-1: Built : 11:25:15, Aug 25 2017
[BL31]: GXL CPU setup!
NOTICE: BL31: BL33 decompress pass
mpu_config_enable:ok
[Image: gxl_v1.1.3243-377db0f 2017-09-07 11:28:58 qiufang.dai@droid07]
OPS=0xa2
0 a4 b0 46 ef c9 98 14 5e dc ac 58 [0.326738 Inits done]
secure task start!
high task start!
low task start!
ERROR: Error initializing runtime service opteed_fast


U-Boot 2015.01-g2d1a155-dirty (Oct 08 2017 - 12:02:50)

DRAM: 1 GiB
Relocation Offset is: 36eb3000
register usb cfg[0][1] = 0000000037f5a960
[CANVAS]canvas init
boot_device_flag : 1
Nand PHY Ver:1.01.001.0006 (c) 2013 Amlogic Inc.
init bus_cycle=6, bus_timing=7, system=5.0ns
reset failed
get_chip_type and ret:fffffffe
get_chip_type and ret:fffffffe
chip detect failed and ret:fffffffe
nandphy_init failed and ret=0xfffffff1
MMC: aml_priv->desc_buf = 0x0000000033eb36b0
aml_priv->desc_buf = 0x0000000033eb59d0
SDIO Port B: 0, SDIO Port C: 1
emmc/sd response timeout, cmd8, status=0x1ff2800
emmc/sd response timeout, cmd55, status=0x1ff2800
init_part() 293: PART_TYPE_AML
[mmc_init] mmc init success
dtb magic edfe0dd0
 Amlogic multi-dtb tool
 Single dtb detected
start dts,buffer=0000000033eb8200,dt_addr=0000000033eb8200
 Amlogic multi-dtb tool
 Single dtb detected
parts: 11
00: logo 0000000002000000 1
01: recovery 0000000002000000 1
02: rsv 0000000000800000 1
03: tee 0000000000800000 1
04: crypt 0000000002000000 1
05: misc 0000000002000000 1
06: boot 0000000002000000 1
07: system 0000000080000000 1
08: cache 0000000020000000 2
09: data ffffffffffffffff 4
"Synchronous Abort" handler, esr 0x96000210
ELR: 37ec0b44
LR: 37ec0afc
x0 : 0000000033f38210 x1 : 000000000000000c
x2 : 0000000037f443f9 x3 : 0000000000000004
x4 : 0000000000000000 x5 : 0000000033f383a0
x6 : 0000000033ec13b0 x7 : 0000000000000020
x8 : 0000000000000034 x9 : 0000000000000000
x10: 000000000000000f x11: 0000000037f38d00
x12: 0000000000000000 x13: 0000000000000000
x14: 0000000000000000 x15: 0000000000000000
x16: 0000000000000000 x17: 0000000000000000
x18: 0000000033ea2e28 x19: 000000000000000a
x20: 0000000000000000 x21: 0000000033eb8200
x22: 0000000000000000 x23: 0000000033ebe6bc
x24: 0000000037f72000 x25: 0000000000000000
x26: 0000000000006468 x27: 0000000000000000
x28: 000000000000000a x29: 0000000033e92b70

Resetting CPU ...

resetting ...

The box was in a boot loop without accepting any input or keystrokes. Some guides suggest to short out some pins on flash chip but my eMMC has BGA package so this was not possible. I randomly shorted out some resistors and capacitors nearby the eMMC but without luck. I was afraid I’ll need to use JTAG which seemed quite hard to solder and there were no howtos for using this method. Then I took some time to rethink this.

The point of shorting out pins is to avoid detecting the eMMC and to force the main chip boot into upload mode. So to avoid detecting it, it should be enough to break the communication by grounding some of the DATA, CLK or CMD lanes. So again I took ampermeter (to see if I’m not grounding power lane), attached one probe to GND and with the other one I was probing pins around the eMMC chip. After few tries, the status LED stayed blue and the board got detected, bingo!

For those with the same board, it was this pin:

Now it was just a piece of cake, I connected it to Windows machine, grounded pin again and used the upload utility:

Of course I tried to run and install LibreELEC to eMMC again but this time it worked and I wasn’t able to simulate the boot loop again, even with uploading garbage to /dev/dtb.

Hope this guide will help someone, if you have some questions or ideas please leave a comment.

Bye!

 

7 thoughts on “Bricking and unbricking Vontar X96 mini”

  1. Hello Danmman
    I have the same probem.
    Can you show which pin must I shorten with GND on picture please ??

    Reply

  2. Hello,
    I Already short to ground like your picture, but my light still got red and when i use USB Burning Tool I got Error on 2% Proced..
    can you help me to explain more detail about all process because i’m not to much understand.

    Thx Danman

    Reply

    1. If your box is detected (it must be when you are able to get to 2%) then it has to be some different problem. Maybe your eMMC is damaged, I don’t know.

      Reply

  3. I change my image with”x96mini_20171202″ and the process now error at 7% ([0x32030201]Uboot/Get result/DiskInitial error)

    Reply

  4. Hello…
    My Problem Solved by this trick…thx
    i think my emmc was problem so after flashing done the problem now is boot loop

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *