⚡ Current Device State
Last updated: Session 34 — 2026-03-29. ⚠️ Action required at next session start: restore ABL v2.4.
| Item | State |
|---|---|
| Physical device | ✅ Fully operational. Hall sensor boot mode working. |
| Android | ✅ Booting normally (cover open) |
| ADB | ✅ Available |
| Fastboot | ⚠️ Command channel works; bulk transfer broken |
| EDL 9008 | ✅ via adb reboot edl or fastboot oem reboot-edl |
| Recovery partition | TWRP v3.7 — crypto disabled, A2 dither fix, WAIT_UPDATE added |
| BCB (misc) | Clear |
| ABL partition | ⚠️ v2.5 — broken oem detect-port. Restore v2.4 at next session start. |
| Userdata | Encrypted (FDE). Boots normally, no prompt. |
| Pristine backup | ✅ builds/backup-2026-03-16-1532-pristine/ — SHA256SUMS verified |
| Rooted backup | ✅ builds/backup-2026-03-16-1637-rooted/ — SHA256SUMS verified |
| Boot mode selection | ✅ Close cover + power on → 3 s confirm → TWRP |
🔑 Last known-good ABL: v2.4 — builds/abl/abl-v2.4.elf
🔙 Fallback ABL: v1.6 — builds/abl/abl-v1.6.elf
🗺️ Phase Status
| # | Phase | Status |
|---|---|---|
| 00 | Tooling setup | ✅ Complete |
| 01 | Device exploration | ✅ Complete |
| 02 | Rooting | ✅ Complete — Magisk v30.7, su confirmed |
| 03a | Custom UEFI ABL | ✅ Complete — v2.4: VBSendRot, hall sensor, display fix, OEM cmds |
| 03b | Compile TWRP | ✅ Stable — display + touch working (v3.3+), v3.7 current |
| 03b2 | Boot mode selection | ✅ Complete — close cover + power on → TWRP |
| 03c | A/B partition migration | 🔴 Not started |
| 04 | Acquire NA2 firmware | 🔴 Not started |
| 05 | Build adaptation | 🔴 Not started |
| 06 | Testing & iteration | 🔴 Not started |
| 07 | User installer | 🔴 Not started |
| 08 | Documentation & web | 🔴 Not started |
| 09 | Treble investigation | 🔴 Not started |
| 10a | postmarketOS (vendor kernel) | 🔴 Not started |
| 10b | Mainline kernel port | 🔴 Not started |
❓ Open Questions
- Fastboot bulk transfer root cause unknown. `download`/`flash`/`boot` all hang at “Sending” on v1.0–v1.6. No usbmon trace of an actual attempt exists. Next step: `tools/verify/fastboot-usbmon.sh`
- Whether 5-press power sequence works (blue LED now visible — worth retesting)
- Wacom stylus in TWRP (driver in kernel; not needed for basic UI interaction)
- Monochrome theme + A2 refresh built into v3.4 but not visually verified on device yet
- Whether `aes-xts-plain64` software dm-crypt correctly decrypts ICE-encrypted userdata (v3.4, untested)
- All `fastboot getvar` variables return FAIL (Varlist empty) — only `partition-size:X` works (separate GPT code path)
📜 Critical Rules — Learned the Hard Way
🧱 Boot Chain & EDL Access
- Never write BCB `boot-recovery` without (a) a confirmed-working image AND (b) a hardware escape route that does not depend on Android booting.
- Android boot is the only software path to `adb reboot edl`. Any action that prevents Android from booting severs EDL 9008 access entirely.
- All partition writes use EDL, not fastboot. Fastboot flash/boot hang at “Sending” — root cause unknown.
- Never flash the `xbl` partition. ABL failure → EDL drop (recoverable). XBL failure → hard brick, no recovery.
- EDL firehose: one `edl-run` invocation per Sahara session. But multiple writes within one invocation work fine. Always write co-dependent partitions (e.g. `keymaster` + `userdata`) in a single invocation — writing one and power-cycling breaks FDE with no software path back to 9008.
- Start `edl-run` before plugging in USB. PBL sends Sahara HELLO only once in a short window after enumeration.
- `qcserial` must be blacklisted (`/etc/modprobe.d/no-qcserial.conf`). Do not remove the blacklist — the driver consumes the HELLO packet within ~850 ms of enumeration.
🔐 ABL, FDE & Signing
- `VERIFIED_BOOT=1` causes `05c6:f000` (Qualcomm diagnostic mode). Magisk-patched boot fails AVB1 verification. Do not use.
- Cmdline injection alone does not fix FDE. vold’s key derivation depends on TrustZone keymaster RoT set via `VBSendRot`, not a kernel parameter.
- FDE RoT changes when switching between stock and custom ABL → factory reset required. Upgrading between custom ABL versions preserves RoT.
- Always use `tools/abl-build <version>` to build AND sign. Never build or sign manually.
- qtestsign MUST use `-v 5` for SDM636. Default `-v 3` produces a hash segment XBL silently rejects — device drops straight to EDL 9008 with no output. Caused hours of debugging.
- `EnableDisplayMenu` must be FALSE. EPDC hangs in UEFI context and blocks the USB event loop — fastboot never enumerates.
- No UEFI protocol calls are safe from fastboot context. All boot-time detection must run in `LinuxLoaderEntry()` before `EnterFastboot()`.
- UEFI NV variables do not survive watchdog resets. `gRT->SetVariable(NON_VOLATILE)` appears to succeed but data is lost on reset.
🧠 MMIO & Hardware Register Access
- Never use raw `MmioRead32`/`MmioWrite32` without GCD memory mapping. v2.0 incident: `MmioRead32(0x03069004)` on unmapped TLMM page → data abort → ABL crash → device bricked. Recovery required full battery drain + cold-boot PBL 9008 with EDL cable.
- TLMM flat range (0x03000000–0x030FFFFF) is XPU-blocked from ABL. Use south tile instead: `0x03100000 + (gpio × 0x1000)`. Confirmed in v2.3b diagnostic: flat hangs indefinitely, south tile reads succeed instantly.
- CNOC clocks are already running by ABL time — the TLMM stall is XPU access control, not clock gating. See Research: GCC/TLMM Clock Enable.
📦 TWRP Build & Recovery
- TWRP ramdisk files go in `recovery/root/` device tree overlay, not `PRODUCT_PACKAGES` (which targets the system image).
- TWRP 3.7.1 touch flags (`RECOVERY_TOUCHSCREEN_SWAP_XY`, `TW_INPUT_FLIP_X/Y`) are dead code — Soong never wires them to compiler flags. Must patch `gui.cpp` directly.
- Force-relink `libminuitwrp.so` after source changes. Delete `recovery/root/system/lib64/libminuitwrp.so` and `obj/PACKAGING/recovery_intermediates/` between builds that modify minui/ebc code.
- Before flashing any new ABL, identify the last known-good version. The first 9008 session after a bad flash must restore the last known-good, not the untested new one.
- Update `builds/abl/CHANGELOG.md` or `builds/twrp/CHANGELOG.md` before flashing any new build. Every version needs: what changed, outcome, root cause if failed.