So I bought a media player again. It’s Vontar X96 mini with 1GB RAM and 8GB eMMC and according to rule “Don’t turn it on, take it apart!” it’s exactly what I did:
After assembling and turning it on, Android 7 popped up but this was not my target OS. I wanted to use LibreELEC so I followed installation howto: downloaded and burned latest image to SD card, replaced dtb file with gxl_p212_1g.dtb, and run reboot update from Android terminal.
Box rebooted into working LibreELEC, nice! Now I wanted to burn it into internal eMMC so I run installtointernal despite a big red warning on howto page and warning in the script itself, rebooted and… I got sad. The LED was blinking red-blue and the box stopped booting. I tried all voodoo recovery instructions (holding reset button, powering from both usb and adapter, with HDMI, without it…) to boot into upload mode where the box would be detected by a PC and I would use USB Burning Tool but nothing helped. I also wrote to the seller to get help, they’ve sent me USB Burning Tool, factory image and Upgrade instruction which was nice but it didn’t work either.
So I hooked up serial interface to see what’s going on inside
and the result was following:
GXL:BL1:9ac50e:a1974b;FEAT:ADFC318C;POC:3;RCY:0;EMMC:0;READ:0;0.0;CHK:0; TE: 100781 BL2 Built : 20:32:17, Sep 8 2017. gxl g6296b83 - xiaobo.gu@droid12 set vcck to 1120 mv set vddee to 1070 mv Board ID = 2 CPU clk: 1200MHz DQS-corr enabled DDR scramble enabled DDR3 chl: Rank0 16bit @ 792MHz Rank0: 1024MB(auto)-2T-11 DataBus test pass! AddrBus test pass! -s Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000 New fip structure! Load bl30 from eMMC, src: 0x00010200, des: 0x01100000, size: 0x0000d600 Load bl31 from eMMC, src: 0x00020200, des: 0x05100000, size: 0x0002c600 Load bl33 from eMMC, src: 0x00050200, des: 0x01000000, size: 0x00065e00 NOTICE: BL3-1: v1.0(release):a625749 NOTICE: BL3-1: Built : 11:25:15, Aug 25 2017 [BL31]: GXL CPU setup! NOTICE: BL31: BL33 decompress pass mpu_config_enable:ok [Image: gxl_v1.1.3243-377db0f 2017-09-07 11:28:58 qiufang.dai@droid07] OPS=0xa2 0 a4 b0 46 ef c9 98 14 5e dc ac 58 [0.326773 Inits done] secure task start! high task start! low task start! ERROR: Error initializing runtime service opteed_fast U-Boot 2015.01-g2d1a155-dirty (Oct 08 2017 - 12:02:50) DRAM: 1 GiB Relocation Offset is: 36eb3000 register usb cfg[0][1] = 0000000037f5a960 [CANVAS]canvas init boot_device_flag : 1 Nand PHY Ver:1.01.001.0006 (c) 2013 Amlogic Inc. init bus_cycle=6, bus_timing=7, system=5.0ns reset failed get_chip_type and ret:fffffffe get_chip_type and ret:fffffffe chip detect failed and ret:fffffffe nandphy_init failed and ret=0xfffffff1 MMC: aml_priv->desc_buf = 0x0000000033eb36b0 aml_priv->desc_buf = 0x0000000033eb59d0 SDIO Port B: 0, SDIO Port C: 1 emmc/sd response timeout, cmd8, status=0x1ff2800 emmc/sd response timeout, cmd55, status=0x1ff2800 init_part() 293: PART_TYPE_AML [mmc_init] mmc init success dtb magic edfe0dd0 Amlogic multi-dtb tool Single dtb detected start dts,buffer=0000000033eb8200,dt_addr=0000000033eb8200 Amlogic multi-dtb tool Single dtb detected parts: 11 00: logo 0000000002000000 1 01: recovery 0000000002000000 1 02: rsv 0000000000800000 1 03: tee 0000000000800000 1 04: crypt 0000000002000000 1 05: misc 0000000002000000 1 06: boot 0000000002000000 1 07: system 0000000080000000 1 08: cache 0000000020000000 2 09: data ffffffffffffffff 4 "Synchronous Abort" handler, esr 0x96000210 ELR: 37ec0b44 LR: 37ec0afc x0 : 0000000033f38210 x1 : 000000000000000c x2 : 0000000037f443f9 x3 : 0000000000000004 x4 : 0000000000000000 x5 : 0000000033f383a0 x6 : 0000000033ec13b0 x7 : 0000000000000020 x8 : 0000000000000034 x9 : 0000000000000000 x10: 000000000000000f x11: 0000000037f38d00 x12: 0000000000000000 x13: 0000000000000000 x14: 0000000000000000 x15: 0000000000000000 x16: 0000000000000000 x17: 0000000000000000 x18: 0000000033ea2e28 x19: 000000000000000a x20: 0000000000000000 x21: 0000000033eb8200 x22: 0000000000000000 x23: 0000000033ebe6bc x24: 0000000037f72000 x25: 0000000000000000 x26: 0000000000006468 x27: 0000000000000000 x28: 000000000000000a x29: 0000000033e92b70 Resetting CPU ... resetting ... GXL:BL1:9ac50e:a1974b;FEAT:ADFC318C;POC:3;RCY:0;EMMC:0;READ:0;0.0;CHK:0; TE: 100780 BL2 Built : 20:32:17, Sep 8 2017. gxl g6296b83 - xiaobo.gu@droid12 set vcck to 1120 mv set vddee to 1070 mv Board ID = 2 CPU clk: 1200MHz DQS-corr enabled DDR scramble enabled DDR3 chl: Rank0 16bit @ 792MHz Rank0: 1024MB(auto)-2T-11 DataBus test pass! AddrBus test pass! -s Load fip header from eMMC, src: 0x0000c200, des: 0x01400000, size: 0x00004000 New fip structure! Load bl30 from eMMC, src: 0x00010200, des: 0x01100000, size: 0x0000d600 Load bl31 from eMMC, src: 0x00020200, des: 0x05100000, size: 0x0002c600 Load bl33 from eMMC, src: 0x00050200, des: 0x01000000, size: 0x00065e00 NOTICE: BL3-1: v1.0(release):a625749 NOTICE: BL3-1: Built : 11:25:15, Aug 25 2017 [BL31]: GXL CPU setup! NOTICE: BL31: BL33 decompress pass mpu_config_enable:ok [Image: gxl_v1.1.3243-377db0f 2017-09-07 11:28:58 qiufang.dai@droid07] OPS=0xa2 0 a4 b0 46 ef c9 98 14 5e dc ac 58 [0.326738 Inits done] secure task start! high task start! low task start! ERROR: Error initializing runtime service opteed_fast U-Boot 2015.01-g2d1a155-dirty (Oct 08 2017 - 12:02:50) DRAM: 1 GiB Relocation Offset is: 36eb3000 register usb cfg[0][1] = 0000000037f5a960 [CANVAS]canvas init boot_device_flag : 1 Nand PHY Ver:1.01.001.0006 (c) 2013 Amlogic Inc. init bus_cycle=6, bus_timing=7, system=5.0ns reset failed get_chip_type and ret:fffffffe get_chip_type and ret:fffffffe chip detect failed and ret:fffffffe nandphy_init failed and ret=0xfffffff1 MMC: aml_priv->desc_buf = 0x0000000033eb36b0 aml_priv->desc_buf = 0x0000000033eb59d0 SDIO Port B: 0, SDIO Port C: 1 emmc/sd response timeout, cmd8, status=0x1ff2800 emmc/sd response timeout, cmd55, status=0x1ff2800 init_part() 293: PART_TYPE_AML [mmc_init] mmc init success dtb magic edfe0dd0 Amlogic multi-dtb tool Single dtb detected start dts,buffer=0000000033eb8200,dt_addr=0000000033eb8200 Amlogic multi-dtb tool Single dtb detected parts: 11 00: logo 0000000002000000 1 01: recovery 0000000002000000 1 02: rsv 0000000000800000 1 03: tee 0000000000800000 1 04: crypt 0000000002000000 1 05: misc 0000000002000000 1 06: boot 0000000002000000 1 07: system 0000000080000000 1 08: cache 0000000020000000 2 09: data ffffffffffffffff 4 "Synchronous Abort" handler, esr 0x96000210 ELR: 37ec0b44 LR: 37ec0afc x0 : 0000000033f38210 x1 : 000000000000000c x2 : 0000000037f443f9 x3 : 0000000000000004 x4 : 0000000000000000 x5 : 0000000033f383a0 x6 : 0000000033ec13b0 x7 : 0000000000000020 x8 : 0000000000000034 x9 : 0000000000000000 x10: 000000000000000f x11: 0000000037f38d00 x12: 0000000000000000 x13: 0000000000000000 x14: 0000000000000000 x15: 0000000000000000 x16: 0000000000000000 x17: 0000000000000000 x18: 0000000033ea2e28 x19: 000000000000000a x20: 0000000000000000 x21: 0000000033eb8200 x22: 0000000000000000 x23: 0000000033ebe6bc x24: 0000000037f72000 x25: 0000000000000000 x26: 0000000000006468 x27: 0000000000000000 x28: 000000000000000a x29: 0000000033e92b70 Resetting CPU ... resetting ...
The box was in a boot loop without accepting any input or keystrokes. Some guides suggest to short out some pins on flash chip but my eMMC has BGA package so this was not possible. I randomly shorted out some resistors and capacitors nearby the eMMC but without luck. I was afraid I’ll need to use JTAG which seemed quite hard to solder and there were no howtos for using this method. Then I took some time to rethink this.
The point of shorting out pins is to avoid detecting the eMMC and to force the main chip boot into upload mode. So to avoid detecting it, it should be enough to break the communication by grounding some of the DATA, CLK or CMD lanes. So again I took ampermeter (to see if I’m not grounding power lane), attached one probe to GND and with the other one I was probing pins around the eMMC chip. After few tries, the status LED stayed blue and the board got detected, bingo!
For those with the same board, it was this pin:
Now it was just a piece of cake, I connected it to Windows machine, grounded pin again and used the upload utility:
Of course I tried to run and install LibreELEC to eMMC again but this time it worked and I wasn’t able to simulate the boot loop again, even with uploading garbage to /dev/dtb.
Hope this guide will help someone, if you have some questions or ideas please leave a comment.
Bye!
Hello Danmman
I have the same probem.
Can you show which pin must I shorten with GND on picture please ??
Hi Giorgi, try to zoom in pictures in article. There is a red line marking the pin.
Hello,
I Already short to ground like your picture, but my light still got red and when i use USB Burning Tool I got Error on 2% Proced..
can you help me to explain more detail about all process because i’m not to much understand.
Thx Danman
If your box is detected (it must be when you are able to get to 2%) then it has to be some different problem. Maybe your eMMC is damaged, I don’t know.
I change my image with”x96mini_20171202″ and the process now error at 7% ([0x32030201]Uboot/Get result/DiskInitial error)
Sorry I mean now when i flash my x96 mini always got error at 7%
Hello…
My Problem Solved by this trick…thx
i think my emmc was problem so after flashing done the problem now is boot loop
plz i have same error code in 2%…how to solve it?
Dear Danman,
I have same problem, my X96 mini LED is blue, X96 recognized by USB burning tool, but stuck at 7%:formatting. I could not load with SD card, which prepared with *.img file, HDMI on TV does not recognize Box, even LED is blue.
Do you have any suggestion??
Thanks and regards,
Thank you, a few month ago I tried everything but couldn’t get the box recognized by my PC.
With this guide I was able to reinstall the stock rom again. 👍🤗
I’m glad it helped 🙂
Hello,
I Already short to ground like your picture, but my light still got red and when i use USB Burning Tool it still not detected my device can u help me out how to make it detected?
Did you try connect serial port to see what it does?
Hello Danman first of all thanks for the information that you provided, I have a very strange issue with my X96 mini, It does not boot and LED remains red (should turn blue). Finally I found a way how to boot it up but I did not solve the problem, I found a repetitive way to boot it up and its very strange. while booting I am touching the base of the board in the area underneath the SD card port. When I simply touch it with my finger the LED turns blue and the box boots up. At first I thought it was a coincidence but I did it several times. I don’t think its a case of a dry joint but I am suspecting its a grounding issue. What do you think about it? Strange isn’t it? I am thinking of buying a more powerful power supply.
By the way after few minutes after boot up it will freeze and would need to remove the supply and do the same procedure in order to reboot.
Hello, with touch I think you cannot improve grounding, I would guess it’s a bad solder joint. Maybe ask in some electronics repair shop in your location.
Yes i think u might be right. In fact after posting the message I tried to solder some solder points. It took muck longer to freeze but still it did the same thing. I will try to see what I can do to solder al the points possible because most of them are very very tiny,
Thanks you sooooo much. My box is alive
I couldn’t have installed stock firmware back again without your post. Thank you.