Session 32 — 2026-03-29c
| Field | Value |
|---|---|
| Date | 2026-03-29 |
| Phase | 03b2 — Boot mode selection (EDL cable RE) |
| Duration | ~3 h |
Stock ABL GetBootIntoMode — Reverse Engineered
Found via "BootIntoDload detected. [%u ms]" string at file offset 0x3538f. Function GetBootIntoMode at VA 0x01bf8:
- Reads PMIC PON reason (logs cold_boot, PON1, KPDPWR, USB, DC flags)
- Polls proprietary Qualcomm protocol vtable at offset 0xf8 — 100 times in tight loop
- Value 8 = likely OCP (Other Charging Port) from PMIC APSD — what D+/GND short cable registers
- All 100 polls == 8 (first path) →
BootIntoFastboot - All 100 polls == 8 (second path) →
BootIntoRecovery - ≥50 polls == 8 (early exit) →
BootIntoDload→ EDL 9008
Protocol GUID is in BSS (VA 0x53c08 — all zeros in binary, filled at runtime by XBL DXE drivers). Cannot be recovered statically.
v2.5 — All Protocol Calls Hang from Fastboot
Tested three protocol calls from fastboot oem detect-port — all hang the device:
EFI_USBFN_IO_PROTOCOL->DetectPort()— USB controller conflictEFI_CHARGER_EX_PROTOCOL->GetChargerPresence()— charger hardware conflictEFI_QCOM_PMIC_PON_PROTOCOL->GetPonReason()— unexpectedly hangs too
Conclusion: no UEFI protocol calls are safe from fastboot context. Detection must happen in LinuxLoaderEntry() before EnterFastboot() is called — same location as hall sensor code. The stock ABL does exactly this in its GetBootIntoMode function.
v2.4 remains last-known-good. v2.5 to be restored to v2.4 at next session start.