Hi, I received an Eris from a friend of mine with the intention of fixing it and using it. When I power it on there's just a black backlit screen... no splash, nothing. If I plug USB in, it goes to an HTC screen with 4 triangles in the corners. I've tried the RUU update and it gives a 110 error at the end saying something about files not found. I unhooked the USB and it went to a white screen with HBOOT 1.49, S-ON and all that stuff, and it showed info from the RUU, and it showed that the system and boot (or recovery, I can't remember exactly) failed and they were red. I can connect with fastboot but not with adb. Is there anything I can do to at least get the phone working? "fastboot oem boot" doesn't work for me, it just gives a long list of errors.
fastboot will do nothing useful for you if you have the 1.49.0000 S-ON bootloader.
The basic definition of a brick for the Eris is this:
1.49.0000 S-ON bootloader + no recovery + non-booting OS = brick
So, let's review.
1) You have 1.49.0000 S-ON. There is no PB00IMG.zip available to you that can change that using Hboot (without performing some magic with a custom recovery first), and fastboot is worthless with S-ON. So, no go there.
2) You didn't mention (or your description was lacking detail) what happens when you try to go into the Hboot menu (cold start with Vol-Down+End). From there you might be able to use the menu to try to launch the recovery boot, to see whether (a) it is the stock recovery, (b) it is a custom recovery, or (c) it fails to start. You should try that next.
If that doesn't work, try a cold start with Vol-Up + End. (You need to keep holding both the buttons down until the screen lights up). That is an alternate way to get to the recovery (when a 1.49.xxxx bootloader is on the phone).
If you have a "stock" recovery, you will see a splash screen with an image of the phone and a triangle with an exclamation point in it. (Pressing Vol-Up+End after you see that splash screen will show a blue menu). If you have Amon_RA's custom recovery, you will see a green menu.
3) If your kernel boots, but the OS is "hanging", there is a remote possibility that you can initiate a factory reset from the "hung" OS. This is a long shot, but you power up the phone normally and then press together Vol-Up+Send+End after waiting a couple of minutes. This might make it bootable. (As I said, "long shot". The fact that you have 1.49.0000 on the phone suggests that the prior owner tried some things - and apparently failed at it.)
bftb0
Thanks for the response.
I tried all of that just now and all I get is a black backlit screen, unless I connect USB, which gives me a black screen with HTC and four exclamation-point triangles in the corners. And there isn't anything I can do from that screen, and it's bricked, huh?
SoSicWiTiT said:
Thanks for the response.
I tried all of that just now and all I get is a black backlit screen, unless I connect USB, which gives me a black screen with HTC and four exclamation-point triangles in the corners. And there isn't anything I can do from that screen, and it's bricked, huh?
That's not a very good sign. I will say, however, that it is very strange that you can get the phone into RUU mode but not have a working bootloader - those two observations are mutually exclusive.
For grins, you could check to see if perhaps your Vol-Up/Vol-Down keys are broken by doing the following:
- Cold start the phone by pressing Send + End simultaneously (make sure to press Send first so that you are not initiating a normal boot; hold both keys down until the screen lights up). Make sure you pull the battery, and have the USB cable disconnected when you pull the battery, before you try this (to ensure that the phone is "really" off).
If that works, the phone will be in Fastboot mode. You might be able to get into Hboot (but not recovery if your Vol-Up/Vol-down keys are broken) at that point with the command
Code:
fastboot reboot-bootloader
from a USB-connected PC.
Under normal circumstances, you can navigate from Fastboot Mode to Hboot and then from there to the Recovery boot - but this requires working Vol-Up or Vol-Down keys.
There is a very, very slim chance if you can get Hboot launched this way (that is, "fastboot reboot-bootloader")... and then try to apply the Leak-V3 "PB00IMG.zip" file. If I recall correctly, you don't need Vol-Up/Vol-Down to apply an HTC PB00IMG.zip file - just the trackball press.
I'm not optimistic though - I think that the Leak-V3 (and all other Leak PB00IMG.zip) files probably will just fail with "Main Version is Older Messages".
As for other avenues of approach, there are no publicly known exploits of the RUU mode (= oem-78 mode).
Good luck
Well,
actually, after staying up and working at it for 48 hours, I'm halfway done with a solution... and maybe the first RUU exploit.
I decided to run the 2.1 RUU and, after it does its install wizard thing, I navigated to the temp folder where it installed all the files. I took the root ROM (PB00IMG.zip) and renamed it to "rom.zip", then overwrote the version in the temp folder and started the RUU (clicked next and whatnot). It failed as usual with error 110, but afterward I noticed my phone says
pb00100 xc ENG S-OFF
HBOOT-1.49.2000
and before I did the file swap and RUU it said
pb00100 XC ENG S-ON
HBOOT-1.49.0000
So now I might be able to flash a custom recovery through fastboot since I have S-OFF now.
If not... still, it's progress.
Hmmm, interesting.
Whether or not that qualifies as new behavior sort of depends on what your "friend" did to the phone prior to getting it into the nearly bricked state. If they had previously run the jcase "Flash any RUU" method, then the Root ROM would have "taken" with the Hboot method... although in your case, since you "couldn't get there from here", my hat's off to you for a clever way of making the best of what you have!
Since you have the S-off bootloader, you might be tempted to direct-boot Amon_Ra without even bothering to flash it:
Code:
fastboot boot recovery-RA-Eris-v1.6.2.img
to see if your phone springs to life... congrats if you see a menu!
bftb0 said:
Since you have the S-off bootloader, you might be tempted to direct-boot Amon_Ra without even bothering to flash it:
Code:
fastboot boot recovery-RA-Eris-v1.6.2.img
to see if your phone springs to life... congrats if you see a menu!
I did that right after I saw it say "S-OFF". I get to the menu, but when I try to flash a ROM it gives me an error after formatting system.
Code:
E:Can't symlink /system/xbin/arp
E:Failure at line 65:
symlink /system/xbin/busybox SYSTEM:xbin/arp
And after hours or more of reading, everything is pointing to the boot and system partitions being corrupted by a bad flash of some sort.
I think I might have hit the end of the road...
EDIT
I managed to somehow get all the regular hboot, fastboot, and recovery to work and flashed Amon_RA and can get to it from Vol-Up+Power... even got the 3 skateboarding droids on normal power on...
But I can't flash any ROMs, from Amon's (gives the error above) or PB00IMG from hboot (at the end it has "failed-PU" next to system).
Any ideas?
I have a couple ideas (still typing them up) ... in the meantime, if you boot Amon_RA and then open up a shell from the PC ("adb shell") and then
- check the output of "dmesg" to ensure that the MTD partition table is still intact; you should see something like this towards the beginning of the boot log:
Code:
NAND_EBI2_ECC_BUF_CFG: 1ff
flash_id: 5501bcec size 20000000
Creating 6 MTD partitions on "msm_nand":
0x00001ff60000-0x000020000000 : "misc"
0x000002c60000-0x000003160000 : "recovery"
0x000003160000-0x0000033e0000 : "boot"
0x0000033e0000-0x00000dde0000 : "system"
0x00000dde0000-0x000015fe0000 : "cache"
0x000015fe0000-0x00001ff60000 : "userdata"
- try mounting (in turn) each of /system, /data, /sdcard, e.g.:
Code:
mount /sdcard
mount /data
mount /system
/cache should already be mounted.
Which mounts fail?
bftb0
The scenario you describe has come up before - or at least very similar symptoms.
Note that Nandroid restore will fail because it uses standard Unix tools such as "rm" to clear filesystems, so if a partition will not mount because of a corruption issue, nandroid will fail. I suppose that the same thing is true of the /sbin/recovery utility running underneath the booted recovery kernel (but I have not read the source code to verify that it is attempting to "mount" the filesystems first - if it didn't do that, it would need to understand the raw format details of yaffs2, and I think that is a stretch).
Unfortunately the filesystem formatting tools provided by Amon_RA do not include tools for repairing the mtd (NAND flash) - they are for the SD card/ extN filesystems. It is my impression, however, that the "yaffs2" filesystem is "format free" - meaning that a clean (Flash memory) "yaffs2" filesystem is simply a bunch of zero'ed pages - no superblocks, or Inode lists, - none of that. This suggests that the equivalent of "dd if=/dev/zero of=/dev/mtd/mtdNNN bs=..." could "repair" a yaffs2 file system by simply wiping it... but let's try something a little less crude than that (see below).
I had one of the file systems in my phone in this state at one time and I was able to repair the problem by reflashing the Root ROM - otoh, XDA user "stick" tried this and it seemed to produce a permanent brick in his case, so I am reluctant to recommend you do that. (You might, however, want to perform the jcase "Flash any RUU" hack to the "misc" partition so that you have flexibility to apply any PB00IMG.zip file)
Because the "flash_image" tool (in /sbin/flash_image in Amon_RA) writes both boot images and yaffs2 image files to arbitrary mtd partitions (and raw binary files to "misc"!), there is a chance that it is merely the equivalent of "dd for the MTD device" - so that you could "repair" a corrupted yaffs2 filesystem by simply overwriting it with a valid yaffs2 image file. The repair strategy here would be to:
- Unpack any PB00IMG.zip file and move the contents to a folder on the SD card. (Verify the md5sums of the files on the SD card before you use them - use this reference)
- Use "flash_image" from Amon_RA to flash the corresponding image file for the offending ("won't mount") partition, e.g.
Code:
flash_image system /sdcard/unpacked-PB00IMG/system.img
If this succeeds, see if you can "mount /system".
bftb0
PS Don't try flashing "system.img" using fastboot. However it is engineered (by the HTC bootloader), it will fail due to space issues. It is possible that the HTC bootloader uses the /cache partition to temporarily stage the file, which is only 130 MB compared to 159.5 MB for the /system partition - but whatever the explanation, the experimental result is that on the Eris, you can not flash /system from fastboot. All the other partitions, no problem - but not the /system partition.
Thanks,
I tried what you suggested and it let me mount all 3 of those partitions, and I tried using flash_image to flash the system.img I extracted, and in return got a million and one errors...
starting with mtd: ECC error soft 0 hard 1 (continuing until about a hundred something)
then
mtd: not writing bad block at (basically the entire /system hex range)
then finally
error writing system: no space left on device
SoSicWiTiT said:
Thanks,
I tried what you suggested and it let me mount all 3 of those partitions, and I tried using flash_image to flash the system.img I extracted, and in return got a million and one errors...
starting with mtd: ECC error soft 0 hard 1 (continuing until about a hundred something)
then
mtd: not writing bad block at (basically the entire /system hex range)
then finally
error writing system: no space left on device
Was the partition table information correct? (I have seen innocuous "write error" messages on my phone, but they only occurred on regular block boundaries - not for every page; but in that case I don't think I ever saw an "out of space" message. Assuming everything was performed correctly, your phone is behaving as if large blocks of flash memory are being skipped due to "bad blocks")
Did you unmount the filesystems prior to doing the writes?
That is very mystifying.
If you can mount /system, or /data, what happens when you go in and do a
Code:
mount /system
cd /system
rm -rf /system/*
mount /data
cd /data
rm -rf /data/*
cd /
If those succeed, unmount everything
Code:
cd /
for x in /system /data /sdcard ; do
umount $x
done
Run an Amon_RA "wipe data/factory reset", and try and flash a ROM.
???
bftb0
One other thing you could try - I have never used it, so I don't know what effect it will have - is to use fastboot mode to erase the "system" and "data" partitions, and see if that has any effect on your ability to flash a ROM.
In fastboot (boot w/ Send+End) mode:
Code:
fastboot erase system
fastboot erase data
And then afterward boot into Amon_RA and try flashing a ROM.
I suppose you could also erase the boot partition this way, but you probably ought to do them one at a time just to minimize erase operations - and then if an operation fails in Amon_RA, examine the log file at
Code:
adb shell cat /cache/recovery/log
to see if it provides further elaboration on the nature of the error(s).
bftb0
Something else to try:
The symptoms you have (esp. since it appears that /system and /data will mount correctly) appear as if you "run out of space" when flashing ROMs to NAND. I suppose that could occur if somehow a bunch of pages in flash memory got (erroneously) marked invalid. Unless there is some means to clear flash memory so that bad page indicators are cleared, there is no way to reclaim those pages. (It is my impression that brand new NAND flash chips are already programmed with bad pages pre-marked)
It would be nice if the partition erase function of fastboot actually performed the page reclaim/retesting/re-marking operation - but there is no way to know whether that happens, as the HTC bootloader acts as the interpreter of "fastboot commands" passed over the wire (USB). It is free to implement whatever bad page management strategy that HTC desires - and frankly, a "never reclaim bad pages" policy is fairly reasonable when you consider that most consumer phones are flashed perhaps only 3 or 4 times in their lifetime - if that.
Something to try: if you perform a manual wipe of either /system or /data (after mounting them), do a "df" to see how much free space the kernel thinks they have - for a normal phone, that should be pretty darn close to the partition size. E.G.
Code:
> adb shell
# mount /system
# df /system
# mount /data
# df /data
# umount /system
# umount /data
# exit
>
If it seems "short" by a substantial amount, try installing a "small footprint" ROM, such as CELBFroyo 3.2 - it only uses about 100216 KB (97.9 MB).
Just a thought; I realize this is grasping at straws, but there is little for you to lose (which you knew right from the get-go).
bftb0
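As an added example (not code from this thread or from Amon_RA), here is the partition-table check and the after-wipe "df" comparison from the two posts above, done in Python over constructed sample text rather than on the phone. It assumes that /dev/block/mtdblockN is the Nth partition in dmesg order, and the 90% free-space threshold is a heuristic chosen for illustration.

```python
import re

# Constructed sample input (not captured from a real phone): the MTD table lines quoted
# earlier in this thread, as an Eris prints them in dmesg.
DMESG_SAMPLE = """\
Creating 6 MTD partitions on "msm_nand":
0x00001ff60000-0x000020000000 : "misc"
0x000002c60000-0x000003160000 : "recovery"
0x000003160000-0x0000033e0000 : "boot"
0x0000033e0000-0x00000dde0000 : "system"
0x00000dde0000-0x000015fe0000 : "cache"
0x000015fe0000-0x00001ff60000 : "userdata"
"""

# Constructed df output for freshly wiped /system and /data, with the totals chosen so
# that the Available column matches the figures reported later in the thread
# (59,648 KiB on /system at 66% used; 162,176 KiB on /data at 1% used).
DF_SAMPLE = """\
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/block/mtdblock3    174080    114432     59648  66% /system
/dev/block/mtdblock5    163328      1152    162176   1% /data
"""

MTD_LINE = re.compile(r'0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"([^"]+)"')
DF_LINE = re.compile(r'^/dev/block/mtdblock(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+\d+%\s+(\S+)', re.M)


def parse_mtd(dmesg):
    """Return the MTD partitions in dmesg order as (name, start, end) byte offsets."""
    return [(name, int(s, 16), int(e, 16)) for s, e, name in MTD_LINE.findall(dmesg)]


def check_mtd_table(parts):
    """Sanity-check the table: every range non-empty and no two partitions overlapping."""
    problems = [f"{n}: empty or inverted range" for n, s, e in parts if e <= s]
    ordered = sorted(parts, key=lambda p: p[1])
    for (n1, _, e1), (n2, s2, _) in zip(ordered, ordered[1:]):
        if e1 > s2:
            problems.append(f"{n1} overlaps {n2}")
    return problems


def parse_df(df_text):
    """Map each mount point to (mtd index, total KiB, used KiB, available KiB)."""
    return {mount: (int(idx), int(total), int(used), int(avail))
            for idx, total, used, avail, mount in DF_LINE.findall(df_text)}


def find_short_partitions(parts, df, min_fraction=0.90):
    """Compare the space df reports after a wipe against the raw partition size.

    Assumption: /dev/block/mtdblockN is the Nth partition in dmesg order (misc=0,
    recovery=1, boot=2, system=3, cache=4, userdata=5), as it is on the Eris.
    A partition whose available space is below min_fraction of its raw size is
    flagged; the 90% threshold is a chosen heuristic, not a yaffs2 constant.
    Returns {mount: (name, raw KiB, available KiB, fraction, is_short)}.
    """
    report = {}
    for mount, (idx, _total, _used, avail) in df.items():
        name, start, end = parts[idx]
        raw_kib = (end - start) // 1024
        fraction = avail / raw_kib
        report[mount] = (name, raw_kib, avail, round(fraction, 3), fraction < min_fraction)
    return report


if __name__ == "__main__":
    parts = parse_mtd(DMESG_SAMPLE)
    for name, start, end in parts:
        print(f"{name:9s} {(end - start) // 1024:8d} KiB")
    print("table problems:", check_mtd_table(parts) or "none")
    for mount, row in find_short_partitions(parts, parse_df(DF_SAMPLE)).items():
        print(mount, row)
```

On a real phone the two inputs come from "adb shell dmesg" and "adb shell df" with the partitions mounted, as the posts above describe.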
Wow, seriously, I appreciate all the help you've provided; you need a donate button lol.
The system partition is 66% used (bad blocks, I'm guessing) after a format, leaving 59,648 usable.
But the data partition is fine with 1% used, and 162,176 usable.
But I haven't lost all hope yet and this is entertaining me.
Custom MTD maybe... swap /data to mtdblock3 (the bad one, system) and /system to mtdblock5 (where data currently is)... or use a memory card, I don't know?
Here's where I got the idea:
http://forum.xda-developers.com/showthread.php?t=717874
SoSicWiTiT said:
The system partition is 66% used (bad blocks, I'm guessing) after a format, leaving 59,648 usable.
Holy crap!
For grins, could you do a "cat /proc/yaffs" and post up the section for the "system" partition? (You need /system to be mounted when you run that command).
Here's what mine looks like after performing an erase with fastboot, booting into Amon_RA, and then mounting it:
Code:
Device 1 "system"
startBlock......... 0
endBlock........... 1359
totalBytesPerChunk. 2048
nDataBytesPerChunk. 2048
chunkGroupBits..... 0
chunkGroupSize..... 1
nErasedBlocks...... 1359
nReservedBlocks.... 5
blocksInCheckpoint. 0
nTnodesCreated..... 0
nFreeTnodes........ 0
nObjectsCreated.... 200
nFreeObjects....... 96
nFreeChunks........ 86976
nPageWrites........ 0
nPageReads......... 0
nBlockErasures..... 0
nGCCopies.......... 0
garbageCollections. 0
passiveGCs......... 0
nRetriedWrites..... 0
nShortOpCaches..... 10
nRetireBlocks...... 0
eccFixed........... 0
eccUnfixed......... 0
tagsEccFixed....... 0
tagsEccUnfixed..... 0
cacheHits.......... 0
nDeletedFiles...... 0
nUnlinkedFiles..... 0
nBackgroudDeletions 0
useNANDECC......... 1
isYaffs2........... 1
inbandTags......... 0
I wonder what your "nRetireBlocks" count is.
I only poked around in the HTC "msm_7k" kernel code a little while ago for some clues, so I'm no expert. There do not seem to be any useful knobs to turn by using mount options.
Because Flash filesystems have to deal with new bad pages as they develop, I'll bet the phone could be completely fixed if there was a way to clear the bad pages (if they were actually bad, then on the first write the write would fail, the pages would be marked bad, and the FS driver would recover gracefully - just as normally happens).
But as you say, that would probably require a custom kernel at the minimum with patches to the mtd driver. I do wonder if the kernel driver for the MTD device exposes any hooks (ioctls, etc) that would let you write a (privileged) userspace app which could wipe the raw pages status info.
This YAFFs doc suggests that certain tuning operations can be performed by writing options to /proc/yaffs, including control of tracing. One of the things that seems possible to control is the number of write attempts per page.
I'll have a look at your URL; no promises, though.
bftb0
[ Edit ] PS - do you have any idea what your friend did to get the phone in this state? Maybe flashing a ROM with really, really low battery? It seems hard to believe that an actual hardware problem occurred - moreover, this is not the first phone where very similar symptoms were exhibited.
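As an added example (not from this thread), a Python reader for the /proc/yaffs section quoted above that answers the "nRetireBlocks" question mechanically: it parses the counters and derives free space, capacity lost to retired blocks and uncorrected ECC counts. It assumes 64 chunks per erase block, and the second device section in the sample is constructed to reproduce the 59,648 KiB usable reported earlier, not real output.

```python
import re

# Constructed sample (not captured output): the healthy "system" section quoted above,
# trimmed to the counters this check uses, followed by a constructed section for a
# degraded device whose numbers were chosen to give 59,648 KiB free, as the thread reports.
PROC_YAFFS_SAMPLE = """\
Device 1 "system"
startBlock......... 0
endBlock........... 1359
totalBytesPerChunk. 2048
nDataBytesPerChunk. 2048
nErasedBlocks...... 1359
nReservedBlocks.... 5
nFreeChunks........ 86976
nRetireBlocks...... 0
eccFixed........... 0
eccUnfixed......... 0
tagsEccUnfixed..... 0
nBackgroudDeletions 0
isYaffs2........... 1
Device 2 "degraded-system"
startBlock......... 0
endBlock........... 1359
totalBytesPerChunk. 2048
nDataBytesPerChunk. 2048
nErasedBlocks...... 466
nReservedBlocks.... 5
nFreeChunks........ 29824
nRetireBlocks...... 889
eccFixed........... 12
eccUnfixed......... 134
tagsEccUnfixed..... 0
isYaffs2........... 1
"""

DEVICE_RE = re.compile(r'^Device\s+\d+\s+"([^"]+)"\s*$', re.M)
FIELD_RE = re.compile(r'^([A-Za-z0-9]+)\.*\s+(-?\d+)\s*$', re.M)

CHUNKS_PER_BLOCK = 64  # assumption: 64 x 2 KiB pages per 128 KiB erase block on this NAND


def parse_proc_yaffs(text):
    """Split /proc/yaffs into {device name: {counter: int}}; the dotted leaders are ignored."""
    devices = {}
    heads = list(DEVICE_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        devices[m.group(1)] = {k: int(v) for k, v in FIELD_RE.findall(text[m.end():end])}
    return devices


def summarize(dev, chunks_per_block=CHUNKS_PER_BLOCK):
    """Derive capacity, free space and health flags from one device's counters."""
    blocks = dev["endBlock"] - dev["startBlock"] + 1
    chunk = dev["nDataBytesPerChunk"]
    capacity = blocks * chunks_per_block * chunk
    free = dev["nFreeChunks"] * chunk
    lost = dev["nRetireBlocks"] * chunks_per_block * chunk
    unfixed = dev.get("eccUnfixed", 0) + dev.get("tagsEccUnfixed", 0)
    return {
        "blocks": blocks,
        "capacity_kib": capacity // 1024,
        "free_kib": free // 1024,
        "free_fraction": round(free / capacity, 3),
        "retired_blocks": dev["nRetireBlocks"],
        "lost_kib": lost // 1024,
        "ecc_unfixed": unfixed,
        # healthy: nothing retired, no uncorrectable ECC errors, and (after a wipe)
        # nearly the whole partition free; 0.95 is a chosen heuristic threshold
        "healthy": dev["nRetireBlocks"] == 0 and unfixed == 0 and free / capacity >= 0.95,
    }


if __name__ == "__main__":
    for name, dev in parse_proc_yaffs(PROC_YAFFS_SAMPLE).items():
        print(name, summarize(dev))
```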
I'm wondering if a busybox with mtd-utils compiled in might be of some assistance; in particular the "flash_eraseall" tool. (Perhaps use it with the "-N" option?)
Look at recent versions of the "flash_erase.c" code (excerpted from the above Git link):
Code:
static void display_help (void)
{
printf("Usage: %s [options] MTD_DEVICE <start block> <block count>\n"
"Erase blocks of the specified MTD device.\n"
"Specify a count of 0 to erase to end of device.\n"
"\n"
" -j, --jffs2 format the device for jffs2\n"
" -N, --noskipbad don't skip bad blocks\n"
" -u, --unlock unlock sectors before erasing\n"
" -q, --quiet display progress messages\n"
" --silent same as --quiet\n"
" --help display this help and exit\n"
" --version output version information and exit\n",
PROGRAM_NAME);
}
(I don't have that version of busybox - I see references made to it in a few posts here on XDA, but I don't know its origin or where to get it)
bftb0
[ Edit ] looked around for a bit and couldn't find anything pre-built; looks like you might have to build mtd-utils using the NDK for Android. Time for bed for me; here's the link to the mtd-utils project.
I found out that my friend installed ROM Manager and ClockworkMod recovery and did a flash that failed, then ran the 2.1 RUU thinking it would fix it. And that's how the phone got to the state I started with.
I actually got a ROM to flash (kinda) with some info from that link I posted. I patched my recovery with files from that link which gave it a custom MTD (table), I shrunk cache and used the extra space to make up for the bad blocks in system, and bind mounted cache to an ext partition on my SD card... and all would be great BUT I realized that the boot partition is corrupt too (which makes sense, since Clockwork is known to corrupt both).
So my solution was to flash boot.img to recovery and just boot normally with Vol-Up+Power, and use Amon_RA by "fastboot boot" if I need to.
But I can't flash the zip file that patches the kernel to boot using the custom MTD, because its script copies, unpacks, patches then repacks boot.img from /boot, but my boot.img is on recovery. So I'm either going to have to edit the .sh in the zip, or have someone do the whole custom MTD thing and use the same mtdpartmap.txt and have them nandbackup, then give me the boot.img from the backup folder so I can flash it to recovery.
OR have someone manually patch my boot.img file... but I highly doubt I'm going to be able to figure that out or find anyone to do it.
And I'll post the system section of that command in a second.
SoSicWiTiT said:
I found out that my friend installed ROM Manager and ClockworkMod recovery and did a flash that failed, then ran the 2.1 RUU thinking it would fix it. And that's how the phone got to the state I started with.
I actually got a ROM to flash (kinda) with some info from that link I posted. I patched my recovery with files from that link which gave it a custom MTD (table), I shrunk cache and used the extra space to make up for the bad blocks in system, and bind mounted cache to an ext partition on my SD card... and all would be great BUT I realized that the boot partition is corrupt too (which makes sense, since Clockwork is known to corrupt both).
So my solution was to flash boot.img to recovery and just boot normally with Vol-Up+Power, and use Amon_RA by "fastboot boot" if I need to.
But I can't flash the zip file that patches the kernel to boot using the custom MTD, because its script copies, unpacks, patches then repacks boot.img from /boot, but my boot.img is on recovery. So I'm either going to have to edit the .sh in the zip, or have someone do the whole custom MTD thing and use the same mtdpartmap.txt and have them nandbackup, then give me the boot.img from the backup folder so I can flash it to recovery.
OR have someone manually patch my boot.img file... but I highly doubt I'm going to be able to figure that out or find anyone to do it.
And I'll post the system section of that command in a second.
I was going to say, holy crap that's a lot of work - but then I've been struggling for a couple hours trying to build mtd-utils (or at least "flash_erase"). I've got all the Makefiles happy (by dropping non-essential parts of the build that require "libuuid"), but now I'm struggling with the linker/toolchain issues to try to avoid the hassles of dynamic link libraries for Amon_RA.
I still think that whatever it is that Clockwork does to get all those flash pages marked as if they are bad is a software error of some sort - so that if you can get
flash_eraseall -N
to do its thing on mtd3, you will recover all those "bad" pages in the system partition. (It is hard to believe that massive physical damage to eeprom would only show up in one or two logical partitions).
Cheers.
bftb0
FWIW,
SoSicWiTiT said:
OR have someone manually patch my boot.img file... but I highly doubt I'm going to be able to figure that out or find anyone to do it.
Have a look at this android-dls.com tutorial if you haven't already seen it. Use "split_bootimg.pl" to split apart the boot image into the kernel and compressed ramdisk, and then the ramdisk is just a gzipp'ed "cpio" archive.
The hardest bit about this is finding a version of "mkbootimg" - there are some floating around on XDA, or you can build it from the github sources.
It's not too bad, the only secret sauce is the load address for the Eris, which is 0x11200000
This is an excerpt from a shell script I use for repacking boot images - it's the essential part (everything else in the script is just glue).
Code:
mkbootimg --kernel ${_KFIL} --ramdisk new-${_RAMDGZ} --cmdline 'no_console_suspend=1 console=null' --base 0x11200000 --output new-${_BNAM}
I edited the shell script that's supposed to patch it to the best of my abilities (changed all boot.img text to recovery.img) and it has mkbootimg and everything it needs in the zip, so I'm going to replace the script in the zip and try flashing it...
And something weird just happened... I forgot I put boot.img for my ROM on /recovery. So in shell just now, I typed "reboot recovery" expecting Amon_RA and the phone booted into the OS???
Even though I patched Amon_RA with custom MTD to install the ROM (system: 300,000 - enough to skip bad blocks, cache: 30,000), my boot.img's MTD is set to see 176,000, right?
EDIT
I think I flashed that zip with my version of the script earlier to see what happened, and I guess it worked...
Code:
C:\droid\tools>adb shell
sh-3.2# df /system
df /system
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/block/mtdblock3 307200 229296 77904 75% /system
sh-3.2# df /cache
df /cache
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/block/mtdblock4 61440 36500 24940 59% /cache
sh-3.2# df /data
df /data
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/block/mtdblock5 101888 2608 99280 3% /data
sh-3.2#
Partitions are something we usually don't need to mess with - probably shouldn't mess with. That said - to understand how things work, it would be nice to peek around and look. I have enough experience with linux to be dangerous but not enough to answer my question on the gtab. I know there are multiple partitions - clockwork mod can wipe some. I see when I do nvflash that a bunch of partitions are restored. When we repartition with clockwork we set the size of only one partition to 2040 and the swap partition to 0 - what about all the others? Now, if I use terminal emulator I can get up to what I think is the root directory. In linux I could use fdisk -l and it would show me the various partitions. It doesn't produce any output here. I'm sure I just don't understand the structure so I'm not phrasing the command properly. There is also probably another place that would clue me in as to what partitions are mounted where but I don't know it. Anyone have any ideas for me?
I live in Japan and after more than 6 months I have successfully and permanently rooted both my Sharp 003SH Galapagos and the 005SH Galapagos (Softbank not Docomo). My next concern is how to SIM unlock. I have been reading the posts about hacking the nv_bin file. I have searched through all of the files (Root FTP thank you!) but there was no such file. I am happy to send along any screenshots or data files if that helps.
Thanks in advance.
Search Sharp 003SH Root Success and Sharp 005SH Root success on Youtube for more info
Can't really help you. Don't know anything about it. But I would like to know how you ended up rooting this phone of ours.
It's not a file on the filesystem. The SIM locking in these phones is in the radio image, which can be accessed when you use the custom build kernel that's in the latest rootkit (I assume that's what you are using).
See the 2ch root/ROM thread for more details, but basically it is done through ADB, manually backing up the "_modem" partition, stripping the spare/ECC bytes and then extracting the radio OS using QualcommDumpAnalyser.
I have managed to extract this image, but no idea where to go from there. None of the other device info seems to apply to this (HTC, Samsung, LG, any other Android that has had its SIM lock discovered in the radio).
Advice I got from the guys on 2ch: "Qualcomm's NAND code is neither difficult, nor unique, so if you know what you are looking for it's not hard"
003SH 005SH Sim unlock
Thanks very much for giving me a new direction. I'll get started on it right away and let you know how it progresses.
It just sucks that the guys who know how to unlock it are staying quiet, saying it's "taboo".
FYI, stripping the spare/ECC bytes can be done manually (I wrote a C program to do it), but there is an option in the RevSkills app to do it all for you - I recommend doing that.
Of course we face another issue once we find the actual unlock - recalculating the ECC bytes after making the change; the only way to access the radio is with raw data access.
P.S. Hope you have warranty on your phones - this is very likely to brick at least one phone until we get it right.
---------- Post added at 12:30 PM ---------- Previous post was at 12:24 PM ----------
In the spirit of open cooperation, here are the instructions I was given, translated and simplified:
In ADB Shell, type su to get the # prompt, then:
cat /proc/mtd <Enter>
Confirm that you have the "_modem" partition available. If not, you need to reflash with the custom build kernel.
Dump the image to file with the following command:
dump_image -r -D -F _modem /sdcard/backupimages/modem.img
Access this with anything as a "raw dump" and all blocks will get read as ECC errors, so definitely don't do this.
ECC positioning is different from Linux, so take care.
The following maps out how 512bytes of data and 10 bytes of ECC info are stored in a 528 byte block:
0000 - 01CF (0-463): Data
01D0 - 01D1 (464-465): Unused (0xff)
01D2 - 0201 (466-513): Data
0202 - 020B (514-523): ECC
020C - 020F (524-527): Unused (0xff)
Use the RevSkills application to extract the data portions:
Menu⇒Calculators/Generators⇒Android MTD Nand remove Spare and ECC
Extract all of the data-only portions out of the raw dump, and then use QualcommDumpAnalyser to read it and split up the various parts. I did notice that I wasn't able to get the AMSS block out with QualcommDumpAnalyser - I copied that out manually by calculating the byte positions shown in QDA.
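As an added example (not the RevSkills tool or the C program mentioned above), a Python implementation of the spare/ECC stripping step using exactly the 528-byte layout listed in this post; it rejects blocks whose unused bytes are not 0xff, which is the symptom of a misaligned or differently laid-out dump. The sample dump is constructed, and its ECC bytes are placeholders, not computed.

```python
BLOCK_SIZE = 528
DATA_SPANS = ((0, 464), (466, 514))   # 464 + 48 = 512 data bytes (offsets 0-463, 466-513)
ECC_SPAN = (514, 524)                 # 10 ECC bytes (offsets 514-523)
PAD_SPANS = ((464, 466), (524, 528))  # unused bytes, expected to read 0xff


def split_block(block):
    """Return (data, ecc) for one raw 528-byte block, checking the unused bytes are 0xff."""
    if len(block) != BLOCK_SIZE:
        raise ValueError(f"block is {len(block)} bytes, expected {BLOCK_SIZE}")
    for a, b in PAD_SPANS:
        if block[a:b] != b"\xff" * (b - a):
            raise ValueError("padding bytes are not 0xff: dump is misaligned or uses another layout")
    data = b"".join(block[a:b] for a, b in DATA_SPANS)
    return data, block[ECC_SPAN[0]:ECC_SPAN[1]]


def strip_spare(raw, strict=True):
    """Split a raw dump into (data bytes, list of per-block ECC, indices of rejected blocks).

    With strict=True the first malformed block raises; with strict=False such blocks are
    skipped and reported, so the caller can tell a wholly misaligned dump from a dump with
    only a few odd blocks.
    """
    if len(raw) % BLOCK_SIZE:
        raise ValueError("dump length is not a multiple of 528: wrong layout or truncated dump")
    data, eccs, rejected = bytearray(), [], []
    for i in range(len(raw) // BLOCK_SIZE):
        try:
            d, e = split_block(raw[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE])
        except ValueError:
            if strict:
                raise
            rejected.append(i)
            continue
        data += d
        eccs.append(e)
    return bytes(data), eccs, rejected


def pack_block(data512, ecc10):
    """Inverse of split_block; used here only to build the constructed sample dump."""
    if len(data512) != 512 or len(ecc10) != 10:
        raise ValueError("need 512 data bytes and 10 ECC bytes")
    return data512[:464] + b"\xff\xff" + data512[464:] + ecc10 + b"\xff" * 4


# Constructed sample dump (not a real modem image): three 512-byte payloads with
# placeholder ECC bytes; no real ECC is computed anywhere in this example.
SAMPLE_PAYLOAD = bytes(range(256)) * 6
SAMPLE_ECC = [bytes([0xA0 + i]) * 10 for i in range(3)]
SAMPLE_DUMP = b"".join(
    pack_block(SAMPLE_PAYLOAD[i * 512:(i + 1) * 512], SAMPLE_ECC[i]) for i in range(3)
)

if __name__ == "__main__":
    data, eccs, rejected = strip_spare(SAMPLE_DUMP)
    print(len(SAMPLE_DUMP), "raw bytes ->", len(data), "data bytes,",
          len(eccs), "ECC records,", len(rejected), "rejected blocks")
```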
003SH bootloader key sequence?
Eternalardor,
I'd be happy to swap information. Perhaps you could shed some light on the question of the bootloader for the Sharp 003SH and 005SH? There seems to be no discernible key sequence (Power+home+Volume up etc.) to access the bootloader. I feel like I've tried them all. Can you tell me this critical piece of information?
Is a form of the USB Jig necessary to access it?
Looking forward to your response.
003SH SIM unlock
Dominik,
Here are the results of the original /proc/mtd (before rooting)
boot
cache
misc
recovery
ipl
system
persist
log
battlog
calllog
ldb
userdata
I don't see the _modem partition. Should I?
I have also included a screenshot of the results showing size. I have most of them backed up as .img files too.
FYI: .img backed up sizes. Perhaps this will help you to ponder where the _modem partition may have gone. Maybe it's been renamed?
boot 11,264KB
cache 3,072KB
misc 1,024KB
recovery 11,264KB
ipl 15,360KB
system 419,840KB
persist 30,720KB
ldb 45,056KB
userdata 405,120KB
There is no bootloader menu AFAIK. If you install the custom kernel, you will have the option of a quasi-recovery mode, by pressing the home button between 7-12 seconds after the Galapagos logo is seen (or was that the Softbank logo)
Anyway, looking at the screenshots, it seems you do not have the custom kernel.
How did you achieve root on your phone?
To do this, you need to use the "003sh_005sh_dm009sh-rootkit" from at least 5/27 (recommend _0614); which is available on the 2ch forums. This includes 2 possible ways of achieving root:
1. A modified standard kernel (boot image), which, when flashed gives you regular root access
2. A custom compiled kernel, which has full root, a bunch of power profiles, and heaps more features (inc that quasi recovery), as well as access to the "_modem" image.
Judging from your youtube videos, you speak some Japanese, so the Japanese menus in the rootkit shouldn't be much trouble.
http://www1.axfc.net/uploader/Si/so/142435
This is what i used.
Go here for help/instructions http://anago.2ch.net/test/read.cgi/android/1337845757/
And don't even think about typing in English on there, or you will be ignored and/or told to go away.
This all looks familiar. I have been using the root kit (5/27) to get where I am now - step by blessed step. It was pretty straight forward BUT I have never seen the option to write to the system partition. It is in all the instructions but the only option I have with respect to the system partition is to back it up. I'm confused as to why it doesn't seem to show up for me. I am using a Japanese machine so all the characters are displayed and I can read the instructions but I can't find help anywhere as to why I don't have that particular (and critical) option. I can see a lot of new and cool options in the 6/14 release. I'm excited and would like to get it installed.
I'll let you know how it goes. Thanks for your help .... keep it coming!
And another thing
Could you explain a little more about "having" the custom kernel? Using the root kit, I wrote to the Recovery partition then the Boot partition then rebooted from the Recovery partition and all seemed well. As I said above, I have never been able to write to the System partition despite it appearing in all the instructions. I suspect that is what is holding me back from the latest and greatest custom kernel. Still, I am enjoying all the same functionality that everyone else seems to be enjoying in root. What am I missing?
Eep, you wrote to the boot partition before trying the recovery? Brave!
The steps should be:
Write image to recovery partition;
Then reboot to recovery partition (from the menu) and confirm it all works without errors.
Then write image to boot partition
And then turn off the phone, and reboot (the last part is only my instructions - you could just select "reboot to boot partition" from the menu)
You are doing this on your 005SH, right? It should be the same for the 003SH, but I only have the 005SH. In the rootkit there are two options when you say "burn custom image":
1 カスタムビルドrootedカーネル(リカバリーキット機能付き) (custom-built rooted kernel, with recovery-kit function)
2 S4080 標準rootedカーネル(簡易リカバリー機能付き) (S4080 standard rooted kernel, with simple recovery function)
Q 中止してメインメニューへ戻る (abort and return to the main menu)
You must do the first one, the CUSTOM rooted kernel, to get any of the really cool features. The second option is only if you just want root access for a particular app or something. AFAIK the second option doesn't even disable MIYABI LSM, which prevents you from mounting the system dir as R/W.
But either way, writing to the System dir is not important for what we are doing. You need the Custom kernel, which gives you access to the "_modem"
Edit: I just noticed in your screenshots above, you didn't even get root in ADB shell?
Type
adb shell<Enter>
Then type
su<Enter>
The cursor should change to a #, this means root. You may get a prompt on the phone from Superuser asking you to give root access to "shell". Once you have this, try the cat /proc/mtd again.
jcroot003sh,
can you tell me how to root 003sh?
Use the link I provided in my previous post
http://forum.xda-developers.com/showpost.php?p=27989085&postcount=8
You can use a translator if you don't understand Japanese, but the general instructions are in the post above yours.
I translated it for a friend, but that is at work, so I won't be able to put it up until Monday.
DominikB said:
Use the link I provided in my previous post
http://forum.xda-developers.com/showpost.php?p=27989085&postcount=8
You can use a translator if you don't understand Japanese, but the general instructions are in the post above yours.
I translated it for a friend, but that is at work, so I won't be able to put it up until Monday.
Thank you for your reply. I will wait for your translated version. You are really a good person.
Progress
I have successfully found and dumped the "_modem" image. Exactly as you stated - forgot the "su" command in ADB. Thanks. The next problem is editing out the code. I am way above my head here so I will do some research before bugging you for a step-by-step for that.
Also, the bootloader worked. I didn't realize how to do it until I read the notes in the 6/14 release. I successfully put a previously dead phone back on its feet EXACTLY to the point of my current phone simply by backing up and then restoring partitions through the bootloader. Very slick and easy.
Will get to work. I'll be in contact soon with my progress on the SIM unlock.
I have spent a bit of time looking at it; it certainly isn't easy (certainly isn't a "lock=yes" section). I assume the actual locking portion is encrypted/compressed/or just compiled, because it would be too easy otherwise (I'd be happy to be proven wrong). For starters, I cannot even find my IMEI number in the dump file... I think that this dump only includes the radio code, not the NV RAM which contains the IMEI and SIM lock status. If that is the case then the solution should be to change the portion of the radio code that queries the NV RAM, so that it doesn't care if the SIM lock is supposed to be applied.
Extracting the spare/ECC bits out should be done with the RevSkills app; extracting the relevant portions, that is a bit of a kludge; QualcommDumpAnalyser can show the start/end positions, but doesn't extract the AMSS part (AFAIK that's where the code will be). You need to use a hex editor to cut that part out manually... And I am still not 100% sure what the block size is on this NAND.
Good luck!
And if there *are* any experienced hackers out there willing to help out, I can offer some monetary help (as will a few of my fellow Japanese-smartphone-owning friends), as this will be valuable for not just these 2 phones (there is an army of 007SH owners waiting on this unlock).
Shall we give the 007/009 a shot?
I can see mountains of the 007SH on the auction (mostly pink). Perhaps I should pick one up and take it for a spin. I am happy to try to do something to help out for all the help I am receiving.
Or perhaps the 009SH?
How hard would it be to crack the 007? The 009SH looks like it is supported in the latest release kit.
Thoughts?
Currently, the 003/005SH are going to be the easiest, because they have the custom kernel which allows access to the "_modem" image. To do it on the 007SH we need to build a custom kernel (compiled from the sources available on the ktai-dev site), and add the modem access code (this is in the src directory of the rootkit). Not impossible, but I don't have a Linux machine to compile the sources.
However, I think that the code will be fairly universal. Once we find it on the 005SH we will know what we are looking for on the 007SH as well. That will make many people happy.
Anyway, my 005SH is under warranty/anshin plan, so I don't mind if it gets bricked (especially now that we can take NAND backups).
First things first though - examining the 005SH modem image. Does anyone know whether the NAND is a 16kb or 128kb block size? Or is it something completely different?
P.S. The DM009SH is just the Disney Mobile version of the 003SH
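The "cat /proc/mtd" step above and the 16 KB vs 128 KB block-size question are both answered by the same file: every /proc/mtd line is "mtdN: size erasesize name", with both numbers in hex bytes, and the erasesize column is the NAND erase-block size. The script below is an added example (not code from the rootkit or from anyone in this thread) that parses that file, prints the dd command for a named partition, and refuses to dump without root. The embedded sample /proc/mtd is constructed from the partition sizes posted above with an assumed 0x20000 erase size; a real device's listing, and whether a "_modem" entry appears at all (it only does with the custom kernel, per the posts above), will differ.

```shell
#!/bin/sh
# Parse /proc/mtd to locate a named partition and its NAND erase-block size.
# Line format: mtdN: <size> <erasesize> "<name>"   (hex bytes).
# The erasesize column is the NAND block size: 0x20000 = 128 KiB, 0x4000 = 16 KiB.

# Constructed sample, modelled on the partition sizes posted in this thread,
# with an ASSUMED 128 KiB erase block. Real output differs per device.
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 00100000 00020000 "misc"
mtd1: 00b00000 00020000 "recovery"
mtd2: 00b00000 00020000 "boot"
mtd3: 19a00000 00020000 "system"
mtd4: 00300000 00020000 "cache"'

# write_sample FILE: save the constructed sample so the functions can be tried without a phone
write_sample() { printf '%s\n' "$SAMPLE_MTD" > "$1"; }

# mtd_lookup NAME [MTD_FILE] -> "index size_bytes erasesize_bytes"; status 1 if NAME is absent
mtd_lookup() {
    awk -v want="\"$1\"" '
        # POSIX awk has no hex parsing, so convert the hex columns by hand
        function hex2dec(h,    i, n, c) {
            n = 0
            for (i = 1; i <= length(h); i++) {
                c = index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
                if (c < 0) return -1
                n = n * 16 + c
            }
            return n
        }
        $1 ~ /^mtd[0-9]+:$/ && $4 == want {
            idx = substr($1, 4); sub(/:$/, "", idx)
            print idx, hex2dec($2), hex2dec($3)
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    ' "${2:-/proc/mtd}"
}

# mtd_dump_cmd NAME [MTD_FILE] -> the dd command that dumps NAME, one erase block per record
mtd_dump_cmd() {
    info=$(mtd_lookup "$1" "${2:-/proc/mtd}") || return 1
    set -- "$1" $info      # name idx size erasesize
    echo "dd if=/dev/mtd$2 of=$1.img bs=$4 count=$(($3 / $4))"
}

# dump_partition NAME: actually run the dump on a phone. Reading /dev/mtdN needs
# root, i.e. the "su" step above (prompt shows #); /proc/mtd alone does not.
dump_partition() {
    [ "$(id -u)" -eq 0 ] || { echo "dump_partition: run su first (prompt should be #)" >&2; return 1; }
    info=$(mtd_lookup "$1") || { echo "dump_partition: no partition named $1 in /proc/mtd" >&2; return 1; }
    set -- "$1" $info
    dd if="/dev/mtd$2" of="$1.img" bs="$4" count=$(($3 / $4))
}

# usage: sh mtd.sh demo   (runs the lookup against the constructed sample only)
case "${1:-}" in
    demo) f=$(mktemp); write_sample "$f"; mtd_lookup boot "$f"; mtd_dump_cmd system "$f"; rm -f "$f" ;;
esac
```

Note that reading /dev/mtdN with dd returns only the main data area; the spare/OOB bytes that the RevSkills step above strips out are not part of such a dump, so if your image contains them it was taken with a different tool.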
Linux machine no problem
I have a Linux server running 24/7 so compiling the kernel is easy. Don't let that be the holdup. I'll keep working on the 003SH _modem image.
DominikB,
I can't open this site [anago.2ch.net/test/read.cgi/smartphone/1319287551/] on channel2 for free. This site had been moved to the past-log storehouse. So.... I even can't look at Japanese version for rooting 003sh. It is very helpful if you can show me the steps for rooting 003sh.
Hi,
I used to know a way to dump a raw range of data (i.e. specifying start/end in hex address) from a block device which I used to do from data recovery days, but I can't remember what it is. I have been googling for about an hour and it's driving me nuts! Can anybody help?
FYI, I am trying to grab data from an unknown range of data on the nand layout for the Xperia Play but this is a general linux/busybox question. For details on what I'm doing check here.
Thanks so much in advance.
EDIT: Nevermind, I've discovered that the range I'm trying to read is a protected area. Mods please close if possible.
cat is more like a parser, dd is capable of dealing with raw data.
http://www.linuxquestions.org/questions/linux-newbie-8/learn-the-dd-command-362506/
http://linux.die.net/man/1/dd
Yeah, I figured it would be done with dd, though I can't find any device that represents the "entire" mtd/nand, only mtd# for existing partitions exposed by the kernel. If I could find a "root mtd" device I could use the skip and count parameters of dd to read what I want.
Regardless, I don't really need help with this specifically anymore - my problem seems to be specific to the Xperia Play. I am basically trying to resize the partitions (which I did previously on the X10) and I have exposed an unknown ~100MB+ that goes between userdata and cache, but I can't read or write to it at all no matter what I do.
I think what I'm trying to get is a protected area for DRM or something which I want to shift (so I can give space from cache to userdata). I/we need to make kernel or bootloader changes for the device.
Thanks for the help anyway.
I have a Samsung, and Samsung is probably the only brand that adopts a different partition system for mtd; but remember that dd just copies everything, free space included: if with dd you are copying a filesystem with a total of 100MB and only 40MB in use, you end up having a 100MB image file with dd.
Yeah, I know it's a raw by-sector mirror/dump tool. Well, what I did was edit the kernel to only create one entire partition taking the complete nand storage and then tried to dd from that; it works for a long time, then once it hits this special "protected" area around the ~800MB offset it spams a lot of "I/O Error" messages but doesn't fill these with zeros or anything (using conv=noerror), then once it passes the protected area it successfully dumps the rest (which is where the cache partition for the zeus would go).
OK, I have another question now. I found that this unknown 133MB has about 53MB of data in there, somewhere in the middle, which grabs fine. But the resulting file is not 133MB, so I don't know the offset. Can I use dd or another tool to grab this partition while filling I/O errors with zeros? I have googled a lot and couldn't find anything.
Nevermind *facepalm* I use conv=noerror,sync. http://www.mkssoftware.com/docs/man1/dd.1.asp
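The two things asked in this exchange, dumping a hex start/end range from a block device and keeping the output the right length across unreadable blocks, come down to turning the addresses into whole-block skip/count values and adding conv=noerror,sync. The helper below is an added example (not something any poster here wrote) showing that arithmetic with the one check it needs: both addresses must be aligned to the block size, because conv=sync zero-pads a short final block and a misaligned range would silently come out longer than END-START. The I/O-error behaviour itself cannot be reproduced on a plain file, so the built-in demo uses a constructed 8-block image whose blocks are recognisable by content.

```shell
#!/bin/sh
# Dump the byte range [START, END) of a block device or image with dd.
# START/END are hex (0x...) addresses; BS is the block size so that dd's
# skip= and count= are whole blocks. conv=noerror,sync keeps reading past
# unreadable blocks and fills each with NULs, so the dump keeps the same
# length as the range and later offsets still line up with the device.

# dd_range DEV START_HEX END_HEX BS OUT
dd_range() {
    dev=$1 start=$(( $2 )) end=$(( $3 )) bs=$4 out=$5
    if [ "$start" -ge "$end" ]; then
        echo "dd_range: start must be below end" >&2
        return 1
    fi
    # Alignment check: with conv=sync a partial last block would be zero-padded
    # to BS, so an unaligned range would not produce exactly END-START bytes.
    if [ $((start % bs)) -ne 0 ] || [ $((end % bs)) -ne 0 ]; then
        printf 'dd_range: 0x%x-0x%x is not aligned to bs=%s\n' "$start" "$end" "$bs" >&2
        return 1
    fi
    dd if="$dev" of="$out" bs="$bs" skip=$((start / bs)) count=$(((end - start) / bs)) \
       conv=noerror,sync
}

# Constructed sample: eight 512-byte blocks, block i filled with the i-th letter
# of A..H, so any dumped block can be identified by its first byte.
make_sample_image() {
    : > "$1"
    for c in A B C D E F G H; do
        awk -v c="$c" 'BEGIN { for (i = 0; i < 512; i++) printf "%s", c }' >> "$1"
    done
}

# first_byte FILE / last_byte FILE: tiny probes used by the demo and the checks
first_byte() { dd if="$1" bs=1 count=1 2>/dev/null; }
last_byte()  { tail -c 1 "$1"; }

# usage: sh ddrange.sh demo   (dumps blocks C and D of the sample image)
case "${1:-}" in
    demo)
        d=$(mktemp -d)
        make_sample_image "$d/img"
        dd_range "$d/img" 0x400 0x800 512 "$d/out"
        echo "first byte: $(first_byte "$d/out")  last byte: $(last_byte "$d/out")"
        rm -rf "$d" ;;
esac
```

On a real NAND dump, use the device's erase-block size as BS so that each unreadable region is zero-filled in whole blocks; the "I/O error" lines dd prints on stderr then tell you exactly which blocks in the output are padding rather than data.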
Hi
Since forever I have noticed a weird thing on XMP: the /cache partition is almost always empty.
Yes, I checked many times over a long period; it's like it is never used.
Code:
$ df
/cache 101.5M 1.1M 100.4M 4096
I have only an empty lost+found dir and two files under recovery dir:
Code:
# ls
-rw-r--r-- root root 105 2012-12-15 02:07 last_install
-rw-r----- root root 3214 2012-12-22 10:36 last_log
For example, in a previous phone /cache was actively used by market for downloading packages before installing them.
Here on XMP I can't upgrade even small packages (40+ megs free on /data) 'cause they're downloaded to /data and fill it before being upgraded, and /cache remains always empty.
In addition, if for some reason playstore crashes while downloading a big app (30megs+), it leaves my /data (almost)full and I must remove by hand a large temporary file from /data/system.
Well, /data is used instead of /cache, 100 MB wasted in this way.
Does anyone else experience the same behaviour?
I was thinking about a linking trick to use that space (for Dalvik or swap...), but I'd prefer it to be correctly used by the system.
Infos: SK17i, stock .587, root, locked BL, link2sd.
Thanks, bye.
Same in Xperia Mini
Well, this isn't nice...
some ideas
Hello! I was doing several searches and come to some results:
Note: I will not try it on my phone (Xperia Mini Pro) because I'm still an apprentice at flashing and modifying it, and secondly I have no resources to change my phone if something goes wrong. Finally, sorry for the grammatical errors, I do not speak English natively.
The following are links taken from different forums / blogs (neither is my property).
The general idea is the same, use parted (or any similar app) to edit the partitions inside the phone.
One of the problems that arises, and that I have doubts about, is: what is the file system of the internal partitions? ext3? That is something I have to keep reading about.
This is the first blog I found where it gives a possible procedure to follow:
http://aarondiep.blogspot.com.ar/2011/11/resize-partition-on-android.html
Here's a post where one of the users that modify his partitions and, later, returned to stock status.
http://www.droidforums.net/forum/htc-droid-eris/78650-internal-storage-partitions-screwed-up.html
Here is a guide on how to use parted (includes screenshots), BUT IT DOES IT WITH THE SD CARD
http://mobilecon.info/how-to-partition-sdcard-using-parted-partition.html
Finally, a tool for YAFFS2 file system:
http://forum.xda-developers.com/showthread.php?t=1645412
I hope these links are useful. I really would like to use optimally all the hardware of the phone.
Good luck!! :laugh:
Hi!
Thanks for your interest!
Resizing partitions, I read a while ago, is a really critical operation.
I expect to have /cache partition as it has been made, the problem is that apps do not use it!
Resizing that block device to, let's say, zero, would give space to other partitions, but we'd lack a cache.
I definitely believe one of master questions is: where the hell does playstore download packages before installing?
During a big upgrade (let's say angry birds Rio 30+ megs) with df I only see /data growing (and /cache always empty), but after a lot of searching for newest and biggest files (busybox ls -ltrh, busybox ls -Shl) I could not find where they are put.
Once this download location is found (no, it's not /data/data/com.android.vending/cache/main), it would be easy to bind /cache to this dir.
Apk files from Google Play are downloaded to: data/data/com.android.providers.downloads/cache/
Sent from my SK17i using Tapatalk 2
Hi
Many thanks for this tip!
Well, it's true apk are downloaded there.
BUT I see a strange behaviour: when I receive the "low memory" (space on /data partition) notification, the apk suddenly disappears! :what:
In logs I see a lot of "couldn't openat chache: no such file or directory" immediately before low space notification log line...
You can use cache as swap if your kernel supports it..
Sent from my Walkie'Talkie
Hi
Well, I symlinked /data/data/com.android.providers.downloads/cache to /cache/cache, and the partition is now correctly used by Play Store.
It's really strange that this is not a system default, btw.
EDIT: the /cache/cache was regularly erased by system, I symlinked /data/data/com.android.providers.downloads/cache to /cache and all is ok now.
EDIT2: you must previously remove (rmdir) the existing /data/data/com.android.providers.downloads/cache!
Could you put the exact command?
luchoz said:
Could you put the exact command?
Code:
# ln -s TARGET LINK_NAME: the link is created at the providers path, so rmdir that directory first (see EDIT2 above)
ln -s /cache /data/data/com.android.providers.downloads/cache
:good:
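The EDIT2 above is the whole trick: ln -s takes the target first and the link name second, and the link name must not already exist as a directory, or busybox ln quietly creates the link inside it (that is how a stray /cache/cache appears) and toolbox ln fails with "File exists". The function below is an added example, not a command from this thread, that does the relocation with those checks: it moves whatever is already in the directory across to the target, removes the now-empty directory, creates the link, and verifies where it points. Paths in the demo are temporary directories standing in for /data/data/com.android.providers.downloads/cache and /cache.

```shell
#!/bin/sh
# Replace directory DIR with a symlink to TARGET, keeping DIR's contents.
# Mirrors the /cache relocation discussed above, with the checks it needs.

# relocate_dir DIR TARGET
relocate_dir() {
    dir=$1 target=$2
    [ -d "$target" ] || { echo "relocate_dir: $target is not a directory" >&2; return 1; }
    if [ -L "$dir" ]; then
        # Already relocated: refuse rather than nesting a link inside the target.
        echo "relocate_dir: $dir is already a symlink to $(readlink "$dir")" >&2
        return 1
    fi
    if [ -d "$dir" ]; then
        # Carry existing files (including dotfiles) over, then remove the
        # directory: ln -s needs the link name to be free.
        for f in "$dir"/* "$dir"/.[!.]*; do
            [ -e "$f" ] || continue
            mv "$f" "$target"/ || return 1
        done
        rmdir "$dir" || return 1
    fi
    # TARGET first, LINK_NAME second.
    ln -s "$target" "$dir" || return 1
    # Verify the link resolves to where we intended.
    [ "$(readlink "$dir")" = "$target" ]
}

# usage: sh relocate.sh demo   (runs against temporary stand-in directories)
case "${1:-}" in
    demo)
        d=$(mktemp -d)
        mkdir -p "$d/app/cache" "$d/cache"
        echo stale > "$d/app/cache/old.apk"
        relocate_dir "$d/app/cache" "$d/cache" && ls -l "$d/app/cache" "$d/cache"
        rm -rf "$d" ;;
esac
```

One thing to check after doing this on the phone: files written through the link now live under /cache with that partition's ownership and permissions rather than the app's private directory, so confirm with ls -l that the downloads provider can still write there and that nothing else you care about can now read the downloaded packages.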
thank you!!
would use XD
New info!!
http://forum.xda-developers.com/showthread.php?t=1959691
Really interesting