Tegra X1 (Pixel C "dragon") debrick?

[24mu13]

Do you think in principle could work also for Tegra X1?

[tofurky]

the original fusee-gelee was tailored to tegra x1. the one from jevinskie included here as a git submodule is tailored towards tegra30.

the payload here (uart_payload.c) will ONLY work on tegra30. it was originally written for x1 by ktemkin though, see https://github.com/tofurky/tegra30_debrick/blob/master/payload/ipatch_rcm_sample.c https://github.com/tofurky/tegra30_debrick/blob/master/payload/t210.h for the unmodified code.

you can probably take the missing macros (since i don't have a copy of registers.h) from uart_payload.c

i am not sure what or any equivalent there is to nvflash for the x1 - nvflash from this repo is ancient (2013). sorry i can't be of more help, i do not have experience with any other tegra chips. maybe there's some stuff on xda developers or similar?

[24mu13]

Thank you for the info.
No unfortunately I found nothing on XDA.

Yes, seems nvflash does not work with X1 (see https://github.com/NVIDIA/tegrarcm) but still I don't understand how to put Pixel C on RCM mode as described for the original work. Is it simply the equivalent of fasboot mode? I will ask directly to the author...

[pgwipeout]

Good Morning, From the command line: reboot forced-recovery should put it into RCM mode.

…

On Fri, Jan 14, 2022 at 3:34 AM Samuel ***@***.***> wrote: Thank you for the info. No unfortunately I found nothing on XDA. Yes, seems nvflash <https://http.download.nvidia.com/tegra-public-appnotes/flashing-tools.html> does not work with X1 (see https://github.com/NVIDIA/tegrarcm) but still I don't understand how to put Pixel C on RCM mode as described on original work by jevinskie. Is simply the equivalent of fasboot mode? I will try again... — Reply to this email directly, view it on GitHub <#7 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAFWB7I7GN4ANXARMWWDF7LUV7NZHANCNFSM5L3MVEWQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[24mu13]

Thank you for the tip, unfortunately fastboot reboot forced-recovery is not a valid command on my Pixel C.
I could only run fastboot reboot or fastboot reboot-bootloader.

Good Morning, From the command line: reboot forced-recovery should put it into RCM mode.

[pgwipeout]

No, it would have to be an adb shell command.
If you chainload u-boot you can do it manually with a pair of mm commands to the pmu block.
If you can fastboot boot a recovery image you can do it from there as it exposes adb as well.

[24mu13]

If you chainload u-boot you can do it manually with a pair of mm commands to the pmu block.

Very interesting: that's exactly the meaning of shofel2 exploit, right?
So, the ability to chainload u-boot... but my question is how could I run the exploit, having only fastboot working?

[hydrogenium2020-official]

Thank you for the tip, unfortunately fastboot reboot forced-recovery is not a valid command on my Pixel C. I could only run fastboot reboot or fastboot reboot-bootloader.

Good Morning, From the command line: reboot forced-recovery should put it into RCM mode.

Hello, I think this blog might be suitable for you. https://yifan.lu/2022/06/17/unbricking-shield-tv-2015-with-a-bootrom-exploit/