Sessions 16–17 — 2026-03-26b/c — ABL v1.5/TWRP v1.4 Fastboot Debug

Field     Value
Dates     2026-03-26
Phases    03a — Custom UEFI ABL, 03b — TWRP
Duration  ~3.5 h combined

What Happened

  • Discovered ABL v1.5 was signed with qtestsign default -v 3 → device dropped straight to EDL 9008. Re-signed with -v 5; SHA256 changed from 64e9ad68… to 15be12dc…
  • Extended tools/abl-build: mandatory version arg, auto -v 5 signing, overwrite protection — eliminates manual signing errors
  • Flashed ABL v1.5 + pristine keymaster + pristine userdata in one EDL session (comma-separated partition list)
  • Built TWRP v1.4: TW_EXCLUDE_DEFAULT_USB_INIT, TW_INCLUDE_CRYPTO, buildvariant=eng — first attempt failed (TARGET_HW_DISK_ENCRYPTION requires libcryptfs_hw, dropped)
  • Captured full usbmon trace during fastboot session — confirmed two bugs
  • Session 17: flashed TWRP v1.4 to recovery, booted via adb reboot recovery — 5-min hang then fell back to Android; no USB, no display, no LEDs observed
  • Corrected VBSendRot compatibility claim: custom ABL’s RoT differs from stock ABL’s RoT — factory reset required on stock↔custom switch, but NOT between custom versions

usbmon Findings

Bug 1 — CmdDownload never sends DATA response

Host→Dev  "download:00001000"  → delivered (Bo status 0)
Host arms Bi (256 bytes) waiting for DATA response…
… 15 SECONDS OF SILENCE — DEVICE NEVER RESPONDS …
Bi completes: error -2 (ENOENT), 0 bytes → timeout
Host→Dev  "getvar:serialno"   → error -108 (ESHUTDOWN) — endpoint dead

The host correctly delivers the download command. The device receives it. But CmdDownload never sends the DATA acknowledgement. Root cause suspected: UEFI pool exhaustion from 256 MB total buffer allocations (FastBootBuffer 128 MB + gTxBuffer 64 MB + gRxBuffer 64 MB).

Bug 2 — Varlist empty; all getvar variables FAIL

Every getvar except partition-size (which uses a separate GPT-query path) returns "FAILGetVar Variable Not found". FastbootPublishVar calls in FastbootCommandSetup are silently failing, likely from the same root cause as above (pool exhaustion leaves the Varlist pointer corrupted).
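An added example, not part of the original session notes or the project's tooling: a small Python audit of usbmon text-format lines that flags both failures described above (a download command that never gets a DATA reply, and getvar replies of FAIL). The trace lines are constructed for illustration, and the names EVENT and audit are hypothetical.

```python
import re

# Constructed usbmon text-format sample, NOT the session's capture.
# URB tags, timestamps and bus:dev:ep numbers are made up.
SAMPLE = """\
ffff0001 1000000 S Bo:1:005:1 -115 14 = 67657476 61723a76 65727369 6f6e
ffff0001 1000050 C Bo:1:005:1 0 14 >
ffff0002 1000060 S Bi:1:005:1 -115 256 <
ffff0002 1000900 C Bi:1:005:1 0 29 = 4641494c 47657456 61722056 61726961 626c6520 4e6f7420 666f756e 64
ffff0003 2000000 S Bo:1:005:1 -115 17 = 646f776e 6c6f6164 3a303030 30313030 30
ffff0003 2000050 C Bo:1:005:1 0 17 >
ffff0004 2000060 S Bi:1:005:1 -115 256 <
ffff0004 17000060 C Bi:1:005:1 -2 0
ffff0005 17000100 S Bo:1:005:1 -115 15 = 67657476 61723a73 65726961 6c6e6f
ffff0005 17000110 C Bo:1:005:1 -108 0
"""

# Fields: URB tag, timestamp (us), event S/C/E, address, status, length, data.
# usbmon text mode shows at most 32 data bytes, so long strings are prefixes.
EVENT = re.compile(r"\S+ \d+ ([SCE]) (B[io]):\S+ (-?\d+) (\d+)(?: = ([0-9a-f ]+))?")

def audit(trace):
    """Return findings where the device broke fastboot command/response rules."""
    findings, cmd, skip = [], None, 0
    for m in filter(None, map(EVENT.match, trace.splitlines())):
        ev, ep, status, length = m[1], m[2], int(m[3]), int(m[4])
        text = bytes.fromhex((m[5] or "").replace(" ", "")).decode("ascii", "replace")
        if ep == "Bo" and ev == "S":
            if skip > 0:                      # image payload after DATA, not a command
                skip -= length
            else:
                cmd = text
        elif ep == "Bo" and status != 0:      # failed completion (C) or submit error (E)
            findings.append(f"{cmd}: OUT failed, status {status}")
            cmd = None
        elif ep == "Bi" and ev == "C" and cmd:
            if status != 0 or not text:       # e.g. -2: host unlinked the URB on timeout
                findings.append(f"{cmd}: no reply (status {status}, {length} bytes)")
            elif text.startswith("FAIL"):
                findings.append(f"{cmd}: {text}")
            elif cmd.startswith("download:"):
                if text.startswith("DATA"):
                    skip = int(text[4:12], 16)  # bytes the host will now send
                else:
                    findings.append(f"{cmd}: expected DATA, got {text!r}")
            if not text.startswith("INFO"):   # INFO is followed by further replies
                cmd = None
    return findings
```

On a real capture, a healthy download shows a Bi completion beginning with DATA followed by the payload on Bo and a final OKAY, and produces no finding.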

Decisions

  • tools/abl-build now handles full pipeline — never sign ABL manually again
  • Dropped TARGET_HW_DISK_ENCRYPTION from TWRP; TW_INCLUDE_CRYPTO software path retained
  • Added CLAUDE.md constraints 8–9: always use tools/abl-build; qtestsign -v 5 is mandatory
