logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

How to Access NAND and Recover Data from Xiaomi Vacuum Mop 2S in Fastboot/Maskrom Mode?

thecrow159 165 2
ADVERTISEMENT
Report a violation of the law
Reply | New topic
  • #1 21741424
    thecrow159
    Level 2  
    Hi everyone,
    I own a Xiaomi Vacuum Mop 2S. The robot vacuum no longer responds to commands and is no longer reachable via the app after sitting idle and charging for about a year.

    When I connected it to my computer via USB, I managed to access fastboot mode. Running
    Code: text Expand Select all Copy to clipboard
    fastboot getvar all

    gave me the following output:
    Code: text Expand Select all Copy to clipboard
    
C:\Users\emiliano>fastboot getvar all
(bootloader) version:0.4
(bootloader) version-bootloader:U-Boot 2017.09-g7b42f99-dirty
(bootloader) version-baseband:N/A
(bootloader) product:evb_rk3308
(bootloader) serialno:3*******4
(bootloader) secure:yes
(bootloader) max-download-size:0x04000000
(bootloader) logical-block-size:0x200
(bootloader) erase-block-size:0xffffffff
(bootloader) partition-type:uboot:U-Boot
(bootloader) partition-type:trust:U-Boot
(bootloader) partition-type:security:U-Boot
(bootloader) partition-type:misc:U-Boot
(bootloader) partition-type:boot_a:U-Boot
(bootloader) partition-type:boot_b:U-Boot
(bootloader) partition-type:system_a:U-Boot
(bootloader) partition-type:system_b:U-Boot
(bootloader) partition-type:vbmeta_a:U-Boot
(bootloader) partition-type:vbmeta_b:U-Boot
(bootloader) partition-type:userdata:U-Boot
(bootloader) partition-size:uboot:0x200000
(bootloader) partition-size:trust:0x200000
(bootloader) partition-size:security:0x200000
(bootloader) partition-size:misc:0x100000
(bootloader) partition-size:boot_a:0xa00000
(bootloader) partition-size:boot_b:0xa00000
(bootloader) partition-size:system_a:0x2600000
(bootloader) partition-size:system_b:0x2600000
(bootloader) partition-size:vbmeta_a:0x100000
(bootloader) partition-size:vbmeta_b:0x100000
(bootloader) partition-size:userdata:0x617be00
(bootloader) unlocked:no
(bootloader) off-mode-charge:not implemented
(bootloader) battery-voltage:not implemented
(bootloader) variant:userdebug
(bootloader) battery-soc-ok:no
(bootloader) is-userspace:no
(bootloader) slot-count:2
(bootloader) has-slot:uboot:no
(bootloader) has-slot:trust:no
(bootloader) has-slot:security:no
(bootloader) has-slot:misc:no
(bootloader) has-slot:boot:yes
(bootloader) has-slot:system:yes
(bootloader) has-slot:vbmeta:yes
(bootloader) has-slot:userdata:no
(bootloader) current-slot:a
(bootloader) slot-suffixes:a,b
(bootloader) slot-successful:a:no
(bootloader) slot-successful:b:no
(bootloader) slot-unbootable:a:yes
(bootloader) slot-unbootable:b:yes
(bootloader) slot-retry-count:a:0
(bootloader) slot-retry-count:b:0


    From what I can tell, the bootloader is locked, so reflashing any firmware isn’t possible.
    If possible, I’d like to dump the NAND memory to recover the stored calibration data and user parameters.

    I haven’t been able to locate a UART interface on the motherboard, not even using an oscilloscope. However, after gaining access to the NAND, I managed to boot the device in maskrom mode.
    In this mode, though, I can’t read the NAND because I don’t have a proper loader to boot the robot in emergency mode.

    RKDevTool screenshot showing Download Boot Fail error in MASKROM mode

    Here are the main component codes I’ve identified:

    RAM: NT5CC128M16JR-EK

    SoC: RK3308B

    NAND: XTX PN27G02BBGITG

    I’ve tried several loaders using rkDevTool, but the writing process always fails.
    Any suggestions?

    Oh, and I’ve also purchased a second identical robot, hoping to clone its firmware to bring the first one back to life.

    Thanks in advance for any help!

    White Xiaomi Vacuum Mop 2S robot cleaner on a dark floor surface
  • ADVERTISEMENT
  • #2 21744005
    JuniorS
    Level 20  
    Have you tried rkdeveloptool ? :

    Code: text Expand Select all Copy to clipboard
    bash
rkdeveloptool ld
rkdeveloptool rfi
rkdeveloptool rl 0x0 0x800000 dump_bootloader.bin


    You can also dump the entire eMMC:

    Code: text Expand Select all Copy to clipboard
    bash
rkdeveloptool rl 0x0 0x617be00 dump_userdata.img

    Identify the loader (MiniLoaderAll.bin)
    Download from Xiaomi firmware or from OTA update and load it into RAM.

    Code: text Expand Select all Copy to clipboard
    bash
rkdeveloptool db MiniLoaderAll.bin


    and only now you can use rkdeveloptool to read the partition....



    If you dump the NAND then use binwalk, dd, photorec, foremost to analyse and recover the data.

    If anything there is encrypted then access will be limited.
    Generally fastboot does not give access to NAND and certainly not in your case. You must go into mascrom mode and use rkdeveloptool.


    Look for the test point next to NAND or SoC - the small pad may be marked "TP" or "REC". If it is unlabelled because there are some, look for pads without description one of them leads to BootROM pins.
    It is often activated by shorting to ground....
  • #3 21744642
    thecrow159
    Level 2  
    >>21744005 Hi, thank you for your reply.

    The command
    Code: text Expand Select all Copy to clipboard
     rkdeveloptool ld 
    gives:
    Code: text Expand Select all Copy to clipboard
     command is invalid! 


    Code: text Expand Select all Copy to clipboard
     rkdevtool rfi 
    and
    Code: text Expand Select all Copy to clipboard
     rkdeveloptool rl 0x0 0x800000 dump_bootloader.bin 
    both hang without results until the board reboots and exits from maskrom mode. I'm successfully entering into maskrom mode short-circuiting NAND pin to GND, but NAND isn't readable.

    Finger holds a thin wire shorting pins on a black PCB with electronic components.

    Thank you.
Reply | New topic
Report a violation of the law
ADVERTISEMENT