Troubleshooting Roku TV boot loop

RokuTV

After trying the easy stuff (soft reset, hard reset, etc) I decided to dig deeper. First, locate the debug pins and get the tap setup. Helpfully they were clearly labeled and pre-soldered, however I needed to add a little bit more solder to get the wires to stick well enough:

Then route those through a FTDI device:

Once the correct baud rate was found (brute force FTW), we finally see what’s going on as the TV is stuck in a boot loop:

UART_115200
Jul 23 2019 13:43:52
Version 1.0087
Straps:0862
ML-Chip ID:000722c5
MP

AC_ON
MIU0_DQS-OK
BIST0-OK
#_DV Device ID - 6d61000005500722c51bba
.........efuse ok
BBT: Read @ 0x00000000
Bad blocks: 007b 049d
NAND: Remapping Firmware partition using BBT 07721000
NAND: Remapping Rescue partition using BBT 01721000

Boot firmware partition
SWUP Magic Offset 06fe0000
preuboot Jun 25 2021 00:13:02
BBT: Read @ 0x00000000
Bad blocks: 007b 049d
NAND: Remapping Rescue partition using BBT 07721000

Check uboot in partition 0
Decrypt ATF
Decrypt OPTEE
Setup EL3 vector vode
Boot ATF
NOTICE:  BL3-1: v1.1(debug):
NOTICE:  BL3-1: Built : 11:54:56, Jun 22 2021
INFO:    warmboot return address : 5e301c00
INFO:    BL3-1: Initializing runtime services
ERROR:   From args : smp boot address not pass from teeloader
INFO:     [Booting] mstar_send_magic_ATF 349
INFO:    BL3-1: Initializing BL3-2
[Ramlog] ramlog_init init success

INFO:    BL3-1: Preparing for EL3 exit to normal world
INFO:    BL3-1: Next image address = 0x30c00000
INFO:    BL3-1: Next image spsr = 0x1d3
INFO:    BIN1_32bit mode Jun 22 2021 11:54:54
INFO:    R1 0
INFO:    R2 0
INFO:    R3 0

starting addr 303EFFE0 303EFF60 303EFF60 303EDF50 303F0000 30D86E2C
monitor len: 00577458
uboot_loadaddr: 30C00000
ramsize: 11190000 31180000 20000000


U-Boot 2011.06 (Dec 03 2021 - 23:29:48)

LIBCODE:Utopia LIBVER:2.1638574183 BUILDDATE:2021120323msIR_Initialize
[Utopia][SYS]: Function = SYSOpen, Line = 1655, current resource pri_shm content is: 0
[Utopia][SYS]: Function = SYSOpen, Line = 1674, [SYS INFO] OPEN INSTANCE...
create instance at 30602EC0 with private size 108 bytes at 30602F10
[Utopia][MIU]: [MIU INFO] miu opencreate instance at 30602F80 with private size 152 bytes at 30602FD0
create instance at 30603070 with private size 60 bytes at 306030C0

uboot held at [303EDF50~31190000],size=00DA20B0
DRAM:  273.6 MiB
Now running in RAM - U-Boot at: 30C00000
NAND:  CIS is found @Blk1
FCIE is set to 62MHz
initialize_roku_bbt
Found BBT table in block 0
Read BBT contents from block 0
Bad blocks:   123 (@ 0x00F60000), 1181 (@ 0x093A0000)
nand_remap_swupbbt
NAND: Remapping Active partition using BBT 0x07721000
512 MiB
Customer ID: 2

Now, we research these details. Just getting started….