xiaoai-patch
xiaoai-patch copied to clipboard
duhow
S12A (aka MDZ-25-DT Xiaomi Mi AI Speaker 1 Gen )
Hi everyone!
Is it possible to flash this Xiaomi AI Speaker?
UART: soldered, J31 USB: not soldered, J32
Printenv
s12#printenv
aml_dt=xiaomi_s12a_v01
baudrate=115200
board_id=2
boot_failcnt=0
boot_failed=if itest ${boot_failcnt} == 1; then setenv boot_failcnt 2; setenv boot_part boot1; else if itest ${boot_failcnt} == 2; then setenv boot_failcnt 1; setenv boot_part boot0; else run set_boot_flag;fi;fi;
boot_part=boot0
bootargs=rootfstype=ramfs init=/init console=ttyS0,115200 no_console_suspend quiet earlycon=aml_uart,0xff803000 jtag=apao reboot_mode=cold_boot uboot=U-Boot 2015.01 (Feb 28 2019 - 04:51:12)
bootcmd=run storeboot
bootdelay=1
deviceid=18090/981388144
dtb_mem_addr=0x1000000
factory_detect=if keyman read deviceid ${loadaddr} str; then echo HAVE SN Code ...; else echo Switch to boot1 system, because of NOT found SN Code ...; setenv boot_failcnt 2; setenv boot_part boot1; fi;
fdt_high=0x20000000
firstboot=1
identifyWaitTime=1000
initargs=rootfstype=ramfs init=/init console=ttyS0,115200 no_console_suspend quiet earlycon=aml_uart,0xff803000
jtag=apao
loadaddr=1080000
preboot=run storeargs;if test ${reboot_mode} = cold_boot; then run try_auto_burn; fi;
product_model=S1202
reboot_mode=cold_boot
rpmb_state=0
set_boot_flag=if test ${boot_part} = boot0; then setenv boot_failcnt 1; else setenv boot_failcnt 2; fi;
stderr=serial
stdin=serial
stdout=serial
storeargs=setenv bootargs ${initargs} jtag=${jtag}; setenv bootargs ${bootargs} reboot_mode=${reboot_mode} uboot=${version};keyman init 0x1234;
storeboot=if test ${reboot_mode} = cold_boot; then run set_boot_flag; run factory_detect; else run boot_failed; fi; saveenv; if imgread kernel ${boot_part} ${loadaddr}; then bootm ${loadaddr}; fi; reset;
try_auto_burn=update 500 1000;
ubootenv_version=1
upgrade_step=2
version=U-Boot 2015.01 (Feb 28 2019 - 04:51:12)
Environment size: 1775/65532 bytes
Boot log
AXG:BL1:d95c53:a4926f;FEAT:E0DC318C:2000;POC:F;EMMC:800;NAND:0;READ:0;0.0;CHK:0;
sdio debug board detected
TE: 22920
BL2 Built : 18:30:39, Aug 28 2018. axg g56303a2-dirty - liang.yang@droid11-sz
set vcck to 1140 mv
set vddee to 1070 mv
Board ID = 2
CPU clk: 1200MHz
DDR low power enabled
DDR3 chl: Rank0 16bit @ 792MHz
bist_test rank: 0 31 0b 57 37 12 5d 2a 03 52 37 14 5b 00 00 00 00 00 00 00 00 00 00 00 00 612 - PASS
Rank0: 256MB(auto)-2T-11
AddrBus test pass!
NAND init
page0 page0->bbt:
0000000000000000000000000000000000000000000000000000000000000000
page0 bbt:
0000000000000000000000000000000000000000000000000000000000000000
Load FIP HDR from NAND, src: 0x0000c000, des: 0x01700000, size: 0x00004000
Load BL3x from NAND, src: 0x00010000, des: 0x01704000, size: 0x00080000
NOTICE: BL31: v1.3(release):a1a8551
NOTICE: BL31: Built : 15:59:55, Nov 9 2017
NOTICE: BL31: AXG normal boot!
NOTICE: BL31: BL33 decompress pass
[Image: axg_v1.1.3268-b93dd79 2017-12-01 14:22:18 huan.biao@droid12]
OPS=0x42
27 9 7d d2 e8 27 94 9c c7 5e bd 72 bl30:axg ver: 9 mode: 0
bl30:axg thermal0
[0.014529 Inits done]
secure task start!
high task start!
low task start!
ERROR: Error initializing runtime service opteed_fast
U-Boot 2015.01 (Feb 28 2019 - 04:51:12), Build: jenkins-Mico_s12a_ota_publish-312
DRAM: 256 MiB
Relocation Offset is: 0ef17000
register usb cfg[0][1] = 000000000ff89590
NAND: nand id: 0xec 0xf1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: ec f1 0 95 42 c6
NAND device: Manufacturer ID: 0xec, Chip ID: 0xec (Samsung M Generation NAND 1Gib FS33ND01GS108TFI0)
oob avail size 6
Creating 1 MTD partitions on "M Generation NAND 1Gib FS33ND01GS108TFI0":
0x000000000000-0x000000200000 : "bootloader"
M Generation NAND 1Gib FS33ND01GS108TFI0 initialized ok
nand id: 0xec 0xf1
128MiB, SLC, page size: 2048, OOB size: 64
NAND device id: ec f1 0 95 42 c6
NAND device: Manufacturer ID: 0xec, Chip ID: 0xec (Samsung M Generation NAND 1Gib FS33ND01GS108TFI0)
PLANE change!
aml_nand_init :oobmul=1,oobfree.length=8,oob_size=64
oob avail size 8
bbt_start=20 env_start=24 key_start=32 dtb_start=40
nbbt: info size=0x400 max_scan_blk=24, start_blk=20
nbbt : phy_blk_addr=20, ec=0, phy_page_addr=0, timestamp=1
nbbt free list:
blockN=21, ec=-1, dirty_flag=0
blockN=22, ec=-1, dirty_flag=0
blockN=23, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=1
aml_nand_scan_rsv_info 1254
nbbt valid addr: 280000
aml_nand_bbt_check 1389 bbt is valid, reading.
aml_nand_read_rsv_info:397,read nbbt info to 280000
nenv: info size=0x10000 max_scan_blk=32, start_blk=24
nenv : phy_blk_addr=25, ec=65, phy_page_addr=0, timestamp=132
nenv free list:
blockN=24, ec=65, dirty_flag=1
blockN=26, ec=-1, dirty_flag=0
blockN=27, ec=-1, dirty_flag=0
blockN=28, ec=-1, dirty_flag=0
blockN=29, ec=-1, dirty_flag=0
blockN=30, ec=-1, dirty_flag=0
blockN=31, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=32
aml_nand_scan_rsv_info 1254
nenv valid addr: 330000
nkey: info size=0x8000 max_scan_blk=40, start_blk=32
nkey : phy_blk_addr=33, ec=0, phy_page_addr=0, timestamp=2
nkey free list:
blockN=32, ec=0, dirty_flag=1
blockN=34, ec=-1, dirty_flag=0
blockN=35, ec=-1, dirty_flag=0
blockN=36, ec=-1, dirty_flag=0
blockN=37, ec=-1, dirty_flag=0
blockN=38, ec=-1, dirty_flag=0
blockN=39, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=16
aml_nand_scan_rsv_info 1254
nkey valid addr: 420000
ndtb: info size=0x20000 max_scan_blk=44, start_blk=40
ndtb : phy_blk_addr=40, ec=2, phy_page_addr=0, timestamp=5
ndtb free list:
blockN=41, ec=1, dirty_flag=1
blockN=42, ec=-1, dirty_flag=0
blockN=43, ec=-1, dirty_flag=0
aml_nand_scan_rsv_info 1251: page_num=64
aml_nand_scan_rsv_info 1254
ndtb valid addr: 500000
tpl: off 8388608, size 8388608
NAND bbt detect factory Bad block at 22e0000
aml_nand_add_partition:1794 factory bad addr=117
NAND bbt detect factory Bad block at 4060000
aml_nand_add_partition:1794 factory bad addr=203
NAND bbt detect factory Bad block at 5a00000
aml_nand_add_partition:1794 factory bad addr=2d0
NAND bbt detect factory Bad block at 74c0000
NAND bbt detect factory Bad block at 7fe0000
Creating 6 MTD partitions on "M Generation NAND 1Gib FS33ND01GS108TFI0":
0x000000800000-0x000001000000 : "tpl"
0x000001000000-0x000001800000 : "boot0"
0x000001800000-0x000002000000 : "boot1"
0x000002000000-0x000004020000 : "system0"
NAND bbt detect factory Bad block at 22e0000
0x000004020000-0x000006060000 : "system1"
NAND bbt detect factory Bad block at 4060000
NAND bbt detect factory Bad block at 5a00000
0x000006060000-0x000008000000 : "data"
NAND bbt detect factory Bad block at 74c0000
NAND bbt detect factory Bad block at 7fe0000
M Generation NAND 1Gib FS33ND01GS108TFI0 initialized ok
aml_key_init 170
MMC:
uboot env amlnf_env_read : ####
aml_nand_read_rsv_info:397,read nenv info to 330000
In: serial
Out: serial
Err: serial
[store]To run cmd[amlnf dtb_read 0x1000000 0x20000]
sub cmd dtb
new argv[1] dtb_read
do_dtb_ops(): argc 4
arg 0: amlnf
arg 1: dtb_read
arg 2: 0x1000000
arg 3: 0x20000
do_dtb_ops() read
amlnf_dtb_read: ####
aml_nand_read_rsv_info:397,read ndtb info to 500000
do_dtb_ops(): 131072 bytes read : OK
Amlogic multi-dtb tool
GZIP format, decompress...
Multi dtb detected
Multi dtb tool version: v2 .
Support 5 dtbs.
aml_dt soc: xiaomi platform: s12a variant: v01
dtb 0 soc: xiaomi plat: s12 vari: v1
dtb 1 soc: xiaomi plat: s12a vari: v01
dtb 2 soc: xiaomi plat: s12c vari: v01
dtb 3 soc: xiaomi plat: s12c vari: v02
dtb 4 soc: xiaomi plat: s12c vari: v03
Find match dtb: 1
amlkey_init() enter!
amlnf_key_read key data len too much
aml_nand_read_rsv_info:397,read nkey info to 420000
[EFUSE_MSG]keynum is 4
InUsbBurn
noSof
Hit Enter or space or Ctrl+C key to stop autoboot -- : 1 0
HAVE SN Code ...
Saving Environment to aml-storage...
uboot env amlnf_env_save : ####
aml_nand_save_rsv_info:656, nenv: valid=1, pages=32
release_free_node 61: bitmap=1fffff
release_free_node 74: bitmap=1ffff7
aml_nand_save_rsv_info:716,save info to 300000
aml_nand_write_rsv:520,write info to 300000
[burnup]Rd:Up sz 0x3a6440 to align 0x1000
save_power_post ...
## Booting Android Image at 0x01080000 ...
reloc_addr =f0344e0
copy done
load dtb from 0x1000000 ......
Amlogic multi-dtb tool
Single dtb detected
Uncompressing Kernel Image ... OK
kernel loaded at 0x01080000, end = 0x017a7808
Loading Ramdisk to 0eead000, end 0f004974 ... OK
Loading Device Tree to 000000000eea2000, end 000000000eeac807 ... OK
Starting kernel ...
uboot time: 1816794 us
domain-0 init dvfs: 4
[ 0.277382@3] ff803000.serial: clock gate not found
[ 0.336929@0] nand: Could not find valid JEDEC parameter page; aborting
[ 0.342049@0] nand: Could not find valid JEDEC parameter page; aborting
get key is 0x00 , curr_boot is boot1
Booting from boot1
/dev/mtdblock5 is ready now.
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
Please press Enter to activate this console.
[ 5.731325@1] cyttsp 0-0008: Failed to request firmware touch.cyacd
[ 5.731959@1] cyttsp 0-0008: Failed to update firmware;
[ 7.105936@2] i2c i2c-1: [aml_i2c_xfer] error ret = -5 (-EIO)
[ 7.106063@2] i2c i2c-1: token 1, master_no(1) 300K addr 0x3c
[ 7.581380@0] name: mac_wifi, size 17
[ 7.597039@1] name: mac_bt, size 17
crond[1095]: crond (busybox 1.27.2) started, log level 5
BusyBox v1.27.2 () built-in shell (ash)
_____ _ _____ ___ ___ _____
| ||_| ___ ___ | __||_ | |_ || _ |
| | | || || _|| . | |__ | _| |_ | _|| |
|_|_|_||_||___||___| |_____||_____||___||__|__|
-------------------------------------------------
Reboot (SNAPSHOT, 70-1-1)
-------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
It should be supported, but I don't have any units to test. Feel free to build the image and flash it. Make sure to backup current flash!
Note this seems to be s12a , I don't know if there is any hardware difference.
I changed the issue title because the device is defined as S12A everywhere.
The USB connector was soldered:
Firmware was updated via chinese ai speaker app to s12a_mico_firmware_4babb_1.76.54.bin I modded this firmware with following settings:
- username and password is root
- uart console enabled
- ssh daemon enabled by default
- no DSA_verify with serial number and etc
BusyBox v1.27.2 () built-in shell (ash)
_____ _ _____ ___ ___ _____
| ||_| ___ ___ | __||_ | |_ || _ |
| | | || || _|| . | |__ | _| |_ | _|| |
|_|_|_||_||___||___| |_____||_____||___||__|__|
-------------------------------------------------
ROM Type:release / Ver:1.76.54
-------------------------------------------------
root@S12A:/#
File was uploaded to temporary storage and will be deleted in 1 week
Additional info
uboot settings
root@S12A:/# fw_env -p
[ubootenv] key: [aml_dt]
[ubootenv] value: [xiaomi_s12a_v01]
[ubootenv] key: [baudrate]
[ubootenv] value: [115200]
[ubootenv] key: [board_id]
[ubootenv] value: [2]
[ubootenv] key: [boot_failcnt]
[ubootenv] value: [0]
[ubootenv] key: [boot_failed]
[ubootenv] value: [if itest ${boot_failcnt} == 1; then setenv boot_failcnt 2; setenv boot_part boot1; else if itest ${boot_failcnt} == 2; then setenv boot_failcnt 1; setenv boot_part boot0; else run set_boot_flag;fi;fi;]
[ubootenv] key: [boot_part]
[ubootenv] value: [boot1]
[ubootenv] key: [bootargs]
[ubootenv] value: [rootfstype=ramfs init=/init console=ttyS0,115200 no_console_suspend quiet earlycon=aml_uart,0xff803000 jtag=apao reboot_mode=normal uboot=U-Boot 2015.01 (Sep 06 2019 - 07:13:45)]
[ubootenv] key: [bootcmd]
[ubootenv] value: [run storeboot]
[ubootenv] key: [bootdelay]
[ubootenv] value: [15]
[ubootenv] key: [deviceid]
[ubootenv] value: [18090/981388144]
[ubootenv] key: [dtb_mem_addr]
[ubootenv] value: [0x1000000]
[ubootenv] key: [factory_detect]
[ubootenv] value: [if keyman read deviceid ${loadaddr} str; then echo HAVE SN Code ...; else echo Switch to boot1 system, because of NOT found SN Code ...; setenv boot_failcnt 2; setenv boot_part boot1; fi;]
[ubootenv] key: [fdt_high]
[ubootenv] value: [0x20000000]
[ubootenv] key: [firstboot]
[ubootenv] value: [1]
[ubootenv] key: [identifyWaitTime]
[ubootenv] value: [1000]
[ubootenv] key: [initargs]
[ubootenv] value: [rootfstype=ramfs init=/init console=ttyS0,115200 no_console_suspend quiet earlycon=aml_uart,0xff803000 ]
[ubootenv] key: [jtag]
[ubootenv] value: [apao]
[ubootenv] key: [loadaddr]
[ubootenv] value: [1080000]
[ubootenv] key: [preboot]
[ubootenv] value: [run storeargs;if test ${reboot_mode} = cold_boot; then run try_auto_burn; fi;]
[ubootenv] key: [product_model]
[ubootenv] value: [S1202]
[ubootenv] key: [reboot_mode]
[ubootenv] value: [normal]
[ubootenv] key: [rpmb_state]
[ubootenv] value: [0]
[ubootenv] key: [set_boot_flag]
[ubootenv] value: [if test ${boot_part} = boot0; then setenv boot_failcnt 1; else setenv boot_failcnt 2; fi;]
[ubootenv] key: [stderr]
[ubootenv] value: [serial]
[ubootenv] key: [stdin]
[ubootenv] value: [serial]
[ubootenv] key: [stdout]
[ubootenv] value: [serial]
[ubootenv] key: [storeargs]
[ubootenv] value: [setenv bootargs ${initargs} jtag=${jtag}; setenv bootargs ${bootargs} reboot_mode=${reboot_mode} uboot=${version};keyman init 0x1234;]
[ubootenv] key: [storeboot]
[ubootenv] value: [if test ${reboot_mode} = cold_boot; then run set_boot_flag; run factory_detect; else run boot_failed; fi; saveenv; if imgread kernel ${boot_part} ${loadaddr}; then bootm ${loadaddr}; fi; reset;]
[ubootenv] key: [try_auto_burn]
[ubootenv] value: [update 500 1000;]
[ubootenv] key: [ubootenv_version]
[ubootenv] value: [1]
[ubootenv] key: [upgrade_step]
[ubootenv] value: [2]
[ubootenv] key: [version]
[ubootenv] value: [U-Boot 2015.01 (Sep 06 2019 - 07:13:45)]
uboot commands U-Boot 2015.01 (Sep 06 2019 - 07:13:45) aarch64-none-elf-gcc (crosstool-NG linaro-1.13.1-4.8-2013.11 - Linaro GCC 2013.10) 4.8.3 20131111 (prerelease) GNU ld (crosstool-NG linaro-1.13.1-4.8-2013.11 - Linaro GCC 2013.10) 2.23.2.20130610 Linaro 2013.10-4
? - alias for 'help'
aml_sysrecovery- Burning with amlogic format package from partition sysrecovery
amlmmc - AMLMMC sub system
amlnf - aml mtd nand sub-system
autoscr - run script from memory
base - print or set address offset
booti - boot arm64 Linux Image image from memory
bootm - boot application image from memory
chpart - change active partition
clkmsr - Amlogic measure clock
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
dcache - enable or disable data cache
defenv_reserv- reserve some specified envs after defaulting env
echo - echo args to console
efuse - efuse commands
efuse_user- efuse user space read write ops
emmc - EMMC sub system
env - environment handling commands
exit - exit script
false - do nothing, unsuccessfully
fdt - flattened device tree utility commands
forceupdate- forceupdate
get_rebootmode- get reboot mode
get_version- get uboot version
go - start application at address 'addr'
gpio - query and control gpio pins
help - print command description/usage
icache - enable or disable instruction cache
imgread - Read the image from internal flash with actual size
itest - return true/false on integer compare
jtagoff - disable jtag
jtagon - enable jtag
keyman - Unify key ops interfaces based dts cfg
keyunify- key unify sub-system
loadb - load binary file over serial line (kermit mode)
loadx - load binary file over serial line (xmodem mode)
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mm - memory modify (auto-incrementing address)
mmc - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mw - memory write (fill)
mwm - mw mask function
nand - NAND sub-system
nboot - boot from NAND device
nm - memory modify (constant address)
open_scp_log- print SCP messgage
printenv- print environment variables
query - SoC query commands
read_temp- cpu temp-system
reboot - set reboot mode and reboot system
reset - Perform RESET of the CPU
rpmb_state- RPMB sub-system
rsvmem - reserve memory
run - run commands in an environment variable
saradc - saradc sub-system
saradc_12bit- saradc sub-system
saveenv - save environment variables to persistent storage
sdc_burn- Burning with amlogic format package in sdmmc
sdc_update- Burning a partition with image file in sdmmc card
set_trim_base- cpu temp-system
set_usb_boot- set usb boot mode
setenv - set environment variables
showvar - print local hushshell variables
sleep - delay execution for some time
store - STORE sub-system
systemoff- system off
temp_triming- cpu temp-system
test - minimal test like /bin/sh
true - do nothing, successfully
unpackimg- un pack logo image into pictures
update - Enter v2 usbburning mode
usb - USB sub-system
usb_burn- Burning with amlogic format package in usb
usb_update- Burning a partition with image file in usb host
usbboot - boot from USB device
version - print monitor, compiler and linker version
vpp - vpp sub-system
watchdog- enable or disable watchdog
write_trim- cpu temp-system
write_version- cpu temp-system
Привет. Не сохранились ли у тебя файлы с прошивкой этого хитрого китайского девайса?
Hi I came across your post on GitHub regarding the Xiaomi Mi AI Speaker (S12A / MDZ-25-DT) and saw that you had shared a modified firmware file (s12a_mico_firmware_4babb_1.76.54.bin). Unfortunately, the download link is no longer available. Would you be willing to re-upload the file or share a new download link? I’m currently trying to restore or modify my speaker, and your work would be incredibly helpful. Thank you i
