Related
I have been working on some boot/recovery ROM rebuilds for the Garmin/Asus Garminfone A50 (T-Mobile), as well as the scripts and instructions... I'm not sure where to host them.
I personally don't want to host them myself, and was wondering if there is a repository of sorts.
At the moment, I have the following:
* The tools necessary (dump_image & flash_image) to dump the firmware from the phone
* The scripts necessary to unpack/repack the boot/recovery ROM's (modified to support the Garminfone's different address layout). Linux based.
* Pre-built boot and recovery images that give permanent root and mount the system/data partitions as r/w by default.
* Instructions on how to do it yourself, complete with some tech info on the layut of the Garminfone boot/recovery images and how to verify before you flash it that it built properly.
* Instructions on how to flash the phone without risking bricking it, since there is no hardware key combo to get into recovery and a fastboot that's not fully implemented. The technique goes like:
- Verify with a hex editor that the proper addresses are in the header
- Flash the new boot image to recovery
- Reboot into recovery to make sure it boots the new boot image properly
- Flash the rooted recovery image to the recovery partition
- Reboot into recovery once more and verify that works
- Flash the tested boot image to the boot partition
- Reboot normally and have fun
That method works fairly well, and unless you target the wrong partition, and gives you a 99.9% success rate
I'm going to post what I can on the Wiki (as far as instructions go), but it would be nice if I had a place to put the tool set as well.
I'd rather not use one of the temporary sites like Mediafire or what not, since files on those sites have a tendency to disappear.
Please no PM's on having me send them the files directly. I don't have a heck of a lot of spare time and don't want to get into the habit of sending these out manually.
If you're against the typical file hosts and the files aren't too big you could try using dropbox or sugarsync and sharing the links.
Can I ask you a question? I have a Kyocera ZIO M6000 and have the openzio clockworkmod 2.5.1.1 port that only works with "fastboot boot openzio-recovery" and we have tried flashing to our recovery partition with no success. What will it take to break the tether and reboot recovery locally without fastboot?
Sent from my Zio using XDA App
merwin said:
I have been working on some boot/recovery ROM rebuilds for the Garmin/Asus Garminfone A50 (T-Mobile), as well as the scripts and instructions... I'm not sure where to host them.
I personally don't want to host them myself, and was wondering if there is a repository of sorts.
At the moment, I have the following:
* The tools necessary (dump_image & flash_image) to dump the firmware from the phone
* The scripts necessary to unpack/repack the boot/recovery ROM's (modified to support the Garminfone's different address layout). Linux based.
* Pre-built boot and recovery images that give permanent root and mount the system/data partitions as r/w by default.
* Instructions on how to do it yourself, complete with some tech info on the layut of the Garminfone boot/recovery images and how to verify before you flash it that it built properly.
* Instructions on how to flash the phone without risking bricking it, since there is no hardware key combo to get into recovery and a fastboot that's not fully implemented. The technique goes like:
- Verify with a hex editor that the proper addresses are in the header
- Flash the new boot image to recovery
- Reboot into recovery to make sure it boots the new boot image properly
- Flash the rooted recovery image to the recovery partition
- Reboot into recovery once more and verify that works
- Flash the tested boot image to the boot partition
- Reboot normally and have fun
That method works fairly well, and unless you target the wrong partition, and gives you a 99.9% success rate
I'm going to post what I can on the Wiki (as far as instructions go), but it would be nice if I had a place to put the tool set as well.
I'd rather not use one of the temporary sites like Mediafire or what not, since files on those sites have a tendency to disappear.
Please no PM's on having me send them the files directly. I don't have a heck of a lot of spare time and don't want to get into the habit of sending these out manually.
Click to expand...
Click to collapse
I would also suggest dropbox or even id host them off my computer via ftp
Can your method work with Garminasus A10?
Merwin you still working on this?
Yeah, I am working on it still. I am still looking for a better place than dropbox or hosting off of someone's home PC...
As for the A10, if you can get me a dump of the boot and recovery images I can make one for that too... you will want to preferably use the dump_image utility to get the image and the flash_image utility to flash it.
I can probably attach those to a post with dump instructions. They're tiny.
Basically, you root your phone, copy the files to a certain location, type a couple commands to fix permissions on the executables, then run a command to dump the image.
Flashing back requires clearing the boot or recovery partition with a command and then using the flash_image command to flash it.
My method tests the new boot image first by flashing it to recovery first and rebooting into recovery to make sure the new image works. Then flash the modified recovery image to the recovery and make sure it is rooted (so you can get things up again if something does go wrong). Then you flash the new tested boot image to boot. If, for some reason, that fails, it should reboot automatically into recovery after a few boot failures. Never had to test that, since I pre-test all images I make.
hi merwin, we are a fans group of GA a10 and we trust a lot in your work! if you need any kind of help contact me! probably you are the first in the world who can flash a GA phone
Merwin, Im not completely sure which type of place your looking for if its not either ftp or online file sharing
Rapidshare
2shared
Filefront
4shared
Hi merwin,
I found this page, is that similar to your method? Hope you guys can find out something.
http://mygarminfone.blogspot.com/
afoster1003 said:
Merwin, Im not completely sure which type of place your looking for if its not either ftp or online file sharing
Rapidshare
2shared
Filefront
4shared
Click to expand...
Click to collapse
You forget one widely used protocol. Good old http on a standard web server.
Those other sites annoy me greatly, between the amount of ads, having to wait to download and daily limits, and the fact that they are temporary unless I pay. I am against them on principle.
I figure if there is enough interest, someone will step up to host them, otherwise I will just provide scripts, instructions, and technical info for people to do it themselves.
slumpz said:
Hi merwin,
I found this page, is that similar to your method? Hope you guys can find out something.
http://mygarminfone.blogspot.com/
Click to expand...
Click to collapse
You are my hero That blog has the missing pieces I need to keep going.
A couple of days ago I found some info on how to decompile the .update files which gives us the recovery image and system partition from any other phone that uses a similar format, like the Asus A10... providing a whole host of opportunities for the Asus phones that are still being maintained.
For instance, I grabbed the files from the Chinese A50 that has newer firmware.
With the info from the blog, I may be able to at least compile and integrate the newer kernel and wifi firmware (which is stored on the phone and loaded into memory at boot). The Chinese version does have newer wifi module firmware in it... whether it is compatible or not is another story.
On another note, has anyone successfully downloaded the open sources kernels from Asus? I have tried every method on their site and all but a couple of the kernel versions in the zip are corrupt. One from march extracts fine, so I may use that as a base to start with.
merwin said:
You are my hero That blog has the missing pieces I need to keep going.
A couple of days ago I found some info on how to decompile the .update files which gives us the recovery image and system partition from any other phone that uses a similar format, like the Asus A10... providing a whole host of opportunities for the Asus phones that are still being maintained.
For instance, I grabbed the files from the Chinese A50 that has newer firmware.
With the info from the blog, I may be able to at least compile and integrate the newer kernel and wifi firmware (which is stored on the phone and loaded into memory at boot). The Chinese version does have newer wifi module firmware in it... whether it is compatible or not is another story.
On another note, has anyone successfully downloaded the open sources kernels from Asus? I have tried every method on their site and all but a couple of the kernel versions in the zip are corrupt. One from march extracts fine, so I may use that as a base to start with.
Click to expand...
Click to collapse
I have, magically I might add. I downloaded the source for v.5.0.70 and managed to get it compiled. The resulting files can be found on on my blog, the one Slumpz posted(I can't post links yet, lol.)
The only problem is, I don't have much experience with anything linux. But, If you have any questions Merwin, email me, [email protected].
Here's a little how to, just check my blog, or google: How To: Build Garmin-Asus Kernel from Source.
am willing to giv a subdomain/storage ftp access on this domain for the good of the community if it helps any
Domain darkjester.net
Disk Usage 5.4 / 1500.0 MB
Bandwidth 100000 MB (100GB)
Home Root /home/a2931495
Apache ver. 2.2.13 (Unix)
PHP version 5.2.*
MySQL ver. 5.0.81-community
Activated On 2011-05-15 14:42
Status Active
Hello guys, are you still working on this.
I found out that A10 has a new firmware posted, which is versioned 5.2.7 instead of 5.0.x like the others. I wonder if there's any method to test this firmware on foreign A10 (non Chinese firmware)?
So, got an HTC Sensation 4G... meaning not much more work on the Garminfone for me.
Still trying to find time to compile everything that I have done into some semi-coherent document with the unlocked boot and recovery images. I still have the Garmin, so if someone manages a huge breakthrough then I may pick it up again. Really didn't want to get rid of the phone but there just isn't enough community development going on to make it worthwhile.
By the way, the Garminfone GPS blows every other phone away. The Sensation 4G is crap in comparison.
Is there an unlock for the SGS3 yet?
Does the Galaxy_S or the sgs2 unlock code finer work anyone know?
Well.. carriers haven't gotten the device yet so not sure. All the SGS3's that peeps have now come unlocked from Europe.
sent from my Galaxy S III
Coreym said:
Well.. carriers haven't gotten the device yet so not sure. All the SGS3's that peeps have now come unlocked from Europe.
sent from my Galaxy S III
Click to expand...
Click to collapse
+1
Mine was carrier unlocked when I received it (UK on contract with Three via Carphone Warehouse) doesn't even have a CPW CSC.
hmm...yeh...*#7465625# shows all locks off, although I was told when I bought it that it was locked...didn't have another microsim to check. Looks like my handset is like the others mentioned. Happy days...
Hi guys, well my sgs3 is locked and galaxy s unlock and sgs2 unlock respectively from helroz and chainfire dont work.
Im thinking about buying a code... unless someone have some kind of solution ?
Odia was able to unlock my SGS3 succesfully last week. He is still researching stuff using a friends phone this time so he will be releasing a guide on how to do it.
For the moment it has been reported from several users that flashing a custom kernel removes the lock.
Well I don't understand how can this be possible but you are free to try installing omega rom from the dev forum and see if that helps.
m33ts4k0z said:
Odia was able to unlock my SGS3 succesfully last week. He is still researching stuff using a friends phone this time so he will be releasing a guide on how to do it.
For the moment it has been reported from several users that flashing a custom kernel removes the lock.
Well I don't understand how can this be possible but you are free to try installing omega rom from the dev forum and see if that helps.
Click to expand...
Click to collapse
Thanks for the tip but, i've already installed the omega rom and network lock is still ON, and i think Odia did it by editing nv_data.bin.
The thing is, and i think that is why galaxy unlock of helroz doesnt work, is that the offset in the file that determine the network status are not in the same place.
And this is a problem since the app does the unlock by editing that file too.
That is just what i think , and i also dont see why flashing a kernel should remove the lock.
Coreym said:
Well.. carriers haven't gotten the device yet so not sure. All the SGS3's that peeps have now come unlocked from Europe.
sent from my Galaxy S III
Click to expand...
Click to collapse
woo.. galaxy s3 spreading fast.. and i am still with my S2.. hope Xda wont forgot to pull out S2 update..
dw4 said:
Im thinking about buying a code... unless someone have some kind of solution ?
Click to expand...
Click to collapse
For what is worth, I seem to have managed to unlock the phone, but it was not a matter of click & run an application (encrypted hashes)
http://forum.xda-developers.com/showpost.php?p=26917982&postcount=37
I haven't checked with another SIM, just checked network lock [ON] -> [OFF]. At some point while I was playing aroung and trying things I was asked to enter a code, but I didn't know about 0000000, which seems to have worked for some.
the method involved rooting the phone, installing an unbranded firmware and editing /efs/nv_data.bin. In my case, the (encrypted) hashes were stored exactly at the same offset, I don't understand why some people say they are not :?.
* backed up efs
* copied /efs/nv_data.bin to sdcard
* hex edited /efs/nv_data.bin - changed flag 0x01 for network lock to 0x00, copied the 32 byte long encrypted hash from the "off" locks (which were all the same) to the network lock hash, just in case.
* I also reset the MCC/MNC to FFFFFF
* Copied back the /sdcard/nv_data.bin to /efs
* removed the md5 hash (for some reason, the existing md5 did not match the existing file either), but it seems in my case was ok to remove it has been regenerated. Removed the old files
* chmodded /efs/nv_data.bin
* chown radio.radio the file
* rebooted-
It is much better documented elsewhere though - Proceed at your own risk!
---------- Post added at 09:48 AM ---------- Previous post was at 09:41 AM ----------
dw4 said:
And this is a problem since the app does the unlock by editing that file too.
Click to expand...
Click to collapse
As stated above, I managed to, but I did everything manually. At some point I got an unexpected "enter code" dialog that I dismissed (a issue that I solved by installing an unbranded firmware first).
- I found the encrypted hashes at the same location (NET 0x18146e).
- I did *NOT* find PERSO, but I also resetted the MCC/MNC
i also dont see why flashing a kernel should remove the lock.
Click to expand...
Click to collapse
agreed, I fail to see the relationship, but there are so many things I don't know...
Thanks iphdrunk, i'll try this.
Dont know if its a good idea tho since i've got no knowledge whatsoever of hex editing...
Thanks iphdrunk for the explanation! Do you by any chance have the time and mood to write a detailed guide on how to do this progress?
It would be ideal to start a new thread about unlocking and post the guide there. Then Odia may jump in too and help with anything.
Its 100% safe to mess with nv_data.bin because even if you screw up you can always restore a back up of that file and it will start working again.
m33ts4k0z said:
Thanks iphdrunk for the explanation! Do you by any chance have the time and mood to write a detailed guide on how to do this progress?
Click to expand...
Click to collapse
I appreciate the offer and consideration, but I would feel uncomfortable writing such a guide for several reasons: first, it would not be based on my research and findings (I just applied a quite well known method), it is heavily documented elsewhere and, finally, I may not be able to provide the deserved level of support
In any case, the skeleton of the method is here. Read those posts to get a clear overview of the process and then any other comment or disclaimer. Credits given to their respective authors
http://forum.xda-developers.com/showthread.php?t=1064978
http://forum.xda-developers.com/showthread.php?t=761045
What one needs to know is:
- you need a rooted device. Root can be otained either with the unsecure kernel method (cfr. intratech posts) or using recovery. The second one seems to be the most straighforward.
- It is nice to have busybox installed. It allows you to use cp, tar and other unix commands.
- it is mandatory to have a backup of the the /efs folder, which is the mount point of the /dev/block/mmcblk0p3, in ext4. In some guides it is advised to backup the partition at block level, using dd if=/dev/block/mmcblk0p3 of=/sdcard/mmcblk0p3.raw or something. Personally, I found that I could work with regular files. You can use adb shell or a "terminal application" typing su
- You need a backup, specially since this process can mess your IMEI and the nv_data.bin file (!). You may want to read about "Recovering IMEI" which is also related to the /efs folder.
- in that directory there is the famous nv_data.bin file, it is binary, and contains the hashes that are checked to validate unlock codes. There is a bin.md5 file (as a checksum to validate the file integrity) which, for proactical purposes, it will be recreated if missing and, finally, two (hidden) old backup copies. Unlocking is then reduced to either reverse engineering the hashes to find the code (a method which was doable when they where sha1 hashes of a 8 digit password salted with zeros) or, ignoring the hashes simply flip a bit that represents locked to unlocked.
- In recent samsung devices as well as in SGS3, the plain 20-byte long sha1 hashes are now padded and encrypted (I am not sure with which block cypher, aes?), giving you a raw 32 - byte stream that is also stored in the same place. Being able to locate the key to decrypt the encrypted hashes seems to involve patching modem.bin and / or ARM debugging, as per Odia posts.
- This means that, unlike in previous tutorials, reverse engineering the 20-byte hash using CUDA and similar approaches (ighash etc.) will not work: the program will iterate all 8-digit passwords and find that no hash matches the stored one.
- It has also been reported that a branded firmware may interfere with the unlocking process. In my case it did have some effect, although I solved it by installing an unbranded firmware.
- I concluded that, without accessing the key, the way to proceed was to reset the bit that signals that the phone is locked,
- This requires editing the file with an hex editor, looking for the pattern "Ox01, 0x00 etc" as explained above.
- I also copied the encrypted hashes of the "OFF" codes as the encrypted hash of the network lock hash. The reason for this is that the 3 were equal and could be the result of encrypting a very simple password (e.g. 0000000) with the same key.
- At offset 00180069-0018006e, there is a 5-byte stream and a "#" sign, with the carriers MCC / MNC For example 208 01 Orange France. Replace those with 0xFFFFFFFFFF
I am sorry I did not write a full guide, let me restate that the whole process is well documented and you should be able to apply the method if you understand it.
HTH
Well i made some progress, but still it seems that i cant push the edited nv_data file in place.
dw4 said:
Well i made some progress, but still it seems that i cant push the edited nv_data file in place.
Click to expand...
Click to collapse
You dont need to push it. Just copy it to place using root explorer or file explorer.
Sent from my GT-I9300 using XDA
iphdrunk said:
I appreciate the offer and consideration, but I would feel uncomfortable writing such a guide for several reasons: first, it would not be based on my research and findings (I just applied a quite well known method), it is heavily documented elsewhere and, finally, I may not be able to provide the deserved level of support
In any case, the skeleton of the method is here. Read those posts to get a clear overview of the process and then any other comment or disclaimer. Credits given to their respective authors
http://forum.xda-developers.com/showthread.php?t=1064978
http://forum.xda-developers.com/showthread.php?t=761045
What one needs to know is:
- you need a rooted device. Root can be otained either with the unsecure kernel method (cfr. intratech posts) or using recovery. The second one seems to be the most straighforward.
- It is nice to have busybox installed. It allows you to use cp, tar and other unix commands.
- it is mandatory to have a backup of the the /efs folder, which is the mount point of the /dev/block/mmcblk0p3, in ext4. In some guides it is advised to backup the partition at block level, using dd if=/dev/block/mmcblk0p3 of=/sdcard/mmcblk0p3.raw or something. Personally, I found that I could work with regular files. You can use adb shell or a "terminal application" typing su
- You need a backup, specially since this process can mess your IMEI and the nv_data.bin file (!). You may want to read about "Recovering IMEI" which is also related to the /efs folder.
- in that directory there is the famous nv_data.bin file, it is binary, and contains the hashes that are checked to validate unlock codes. There is a bin.md5 file (as a checksum to validate the file integrity) which, for proactical purposes, it will be recreated if missing and, finally, two (hidden) old backup copies. Unlocking is then reduced to either reverse engineering the hashes to find the code (a method which was doable when they where sha1 hashes of a 8 digit password salted with zeros) or, ignoring the hashes simply flip a bit that represents locked to unlocked.
- In recent samsung devices as well as in SGS3, the plain 20-byte long sha1 hashes are now padded and encrypted (I am not sure with which block cypher, aes?), giving you a raw 32 - byte stream that is also stored in the same place. Being able to locate the key to decrypt the encrypted hashes seems to involve patching modem.bin and / or ARM debugging, as per Odia posts.
- This means that, unlike in previous tutorials, reverse engineering the 20-byte hash using CUDA and similar approaches (ighash etc.) will not work: the program will iterate all 8-digit passwords and find that no hash matches the stored one.
- It has also been reported that a branded firmware may interfere with the unlocking process. In my case it did have some effect, although I solved it by installing an unbranded firmware.
- I concluded that, without accessing the key, the way to proceed was to reset the bit that signals that the phone is locked,
- This requires editing the file with an hex editor, looking for the pattern "Ox01, 0x00 etc" as explained above.
- I also copied the encrypted hashes of the "OFF" codes as the encrypted hash of the network lock hash. The reason for this is that the 3 were equal and could be the result of encrypting a very simple password (e.g. 0000000) with the same key.
- At offset 00180069-0018006e, there is a 5-byte stream and a "#" sign, with the carriers MCC / MNC For example 208 01 Orange France. Replace those with 0xFFFFFFFFFF
I am sorry I did not write a full guide, let me restate that the whole process is well documented and you should be able to apply the method if you understand it.
HTH
Click to expand...
Click to collapse
Thanks for the long post anyway . That explains how Odia was so fast
Sent from my GT-I9300 using XDA
I tried the above method, but it seems that the phone alters the nv_data.bin upon reboot.
When i push my edited nv_data.bin to the phone (having removed all backups and the md5 file), reboot the phone, and then pull it back to my computer, here is what I notice:
The network lock byte is back to 0x01, and the MCC/MNC code gets restored somehow. The file also gets altered in a bunch of places (7471 changes if I'm not mistaken).
Code:
cmp -l nv_data.PUSHED nv_data.PULLED | wc -l
7471
Is anyone willing to speculate on what's going on here ?
PS: I haven't flashed a new firmware, but it looks like it's unbranded: (XXLE8/ IMM76D.I9300XXALE8)
Guillaume2x said:
I tried the above method, but it seems that the phone alters the nv_data.bin upon reboot.
Click to expand...
Click to collapse
Just for completeness, set the permissions on the file and chown to radio.radio
Guillaume2x said:
I tried the above method, but it seems that the phone alters the nv_data.bin upon reboot.
When i push my edited nv_data.bin to the phone (having removed all backups and the md5 file), reboot the phone, and then pull it back to my computer, here is what I notice:
The network lock byte is back to 0x01, and the MCC/MNC code gets restored somehow. The file also gets altered in a bunch of places (7471 changes if I'm not mistaken).
Code:
cmp -l nv_data.PUSHED nv_data.PULLED | wc -l
7471
Is anyone willing to speculate on what's going on here ?
PS: I haven't flashed a new firmware, but it looks like it's unbranded: (XXLE8/ IMM76D.I9300XXALE8)
Click to expand...
Click to collapse
I have exactly same problem ... I have omege V4 ROM....
iphdrunk said:
Just for completeness, set the permissions on the file and chown to radio.radio
Click to expand...
Click to collapse
Thanks for your reply. I did, I chowned and chmoded the files right after uploading them, before rebooting the phone. I'm just going to try to flash my phone with another unbranded ROM, just in case my original ROM seems unbranded but actually isn't.
Guillaume2x said:
Thanks for your reply. I did, I chowned and chmoded the files right after uploading them, before rebooting the phone. I'm just going to try to flash my phone with another unbranded ROM, just in case my original ROM seems unbranded but actually isn't.
Click to expand...
Click to collapse
After several checks and discussions, it seems that most users have a problem in the sense that:
- If the md5 file is missing, the nv_data (locked) is restored, deleting the patched one.
- If old backups are deleted, same thing (plus the risk that one may end with the nv_data.bin file with a wrong imei)
- MD5 does not seem to be a simple md5 hash (e.g as in Linux) since the existing md5 bytes one and the result of running the md5 command do not match
- No one has tried the chattr +i nv_data.bin, just to check that the restoration fails.
In my case, I managed to unlock the phone, but I did several things that I cannot easily reproduce. In short, it seems that in my case, the md5 file was somehow regenerated after copying the patched file. In previous posts, I also mentioned that, during one of the tests (without touching the sim card) I was prompted to type the unlock code (and I clicked dismiss). This was also after installing an unbranded phone.
A user via PM suggested checking the nv.log. This is interesting
Code:
Sun Jan 1 00:01:03 2012: MD5 is turned on.
Sun Jan 1 00:01:03 2012: nv_data.bin does not exist.
Sun Jan 1 00:01:03 2012: default NV restored.
Sun Jan 1 00:01:11 2012: Network lock unlock input.
Sun Jan 1 00:01:11 2012: NV data back-up begin.
Sun Jan 1 00:01:11 2012: secondary NV built
Code:
Sun Jan 1 00:05:59 2012: MD5 is turned off on 0
Sun Jan 1 00:00:39 2012: MD5 is turned off on 2
Sun Jan 1 00:09:40 2012: enabling MD5 automatically because it was off temporarily.
Sun Jan 1 00:09:40 2012: NV data back-up begin.
Sun Jan 1 00:09:40 2012: secondary NV built
As suggested there seems to be a way by which md5 check is on or off.
A curious thing is that there seems to be a "date" backward
Code:
Thu May 24 04:12:38 2012: NV data back-uped.
Sun Jan 1 00:00:06 2012: NV data back-up begin.
May to January? -- clock reset?
And finally followed by
Code:
Sun Jan 1 00:02:57 2012: NV data back-uped.
Sun Jun 3 11:46:05 2012: MD5 is turned on
June 3... For some reason, in my case the check was off?
- Can we turn on and off md5 checking?
- If md5 check is off, the nv_data is backed up and the md5 is recreated?
- if md5 check is on, the nv_data md5 is checked and if fail, restored?
Any pointers welcome.... Check your /efs/nv.log file ?
I live in Japan and after more than 6 months I have successfully and permanently rooted both my Sharp 003 SH Galapagos and the 005SH Galapagos (Softbank not Docomo). My next concern is how to SIM unlock. I have been reading the posts about hacking the nv_bin file. I have searched through all of the the files (Root FTP thank you!) but there was no such file. I am happy to send along any screenshots or data files if that helps.
Thanks in advance.
Search Sharp 003SH Root Success and Sharp 005SH Root success on Youtube for more info
Can't really help you. Don't know anything about it. But I would like to know how you ended up rooting this phone of ours.
Its not a file on the filesystem. The sim locking in these phones is in the radio image; which can be accessed when you use the custom build kernel thats in the latest rootkit (I assume thats what you are using).
See the 2ch root/ROM thread for more details, but basically it is done through ADB, manually backing up the "_modem" partition; stripping the spare/ECC bytes and then extracting the radio OS using QualcommDumpAnalyser
I have managed to extract this image, but no idea where to go from there. None of the other device info seems to apply to this (HTC, Samsung, LG, any other Android that has had its sim-lock discovered in the radio)
Advice i got from the guys on 2ch: "Qualcomm's NAND code is neither difficult, nor unique, so if you know what you are looking for its not hard"
003SH 005SH Sim unlock
Thanks very much for giving me a new direction. I'll get started on it right away and let you know how it progresses.
It just sucks that the guys who know how to unlock it are staying quiet, saying its "taboo"
FYI, stripping the Spare/ECC bytes can be done manually (i wrote a C program to do it), but there is an option in the RevSkills app to do it all for you - i recommend doing that.
Of course we face another issue once we find the actual unlock - recalculating the ECC bytes after making the change; the only way to access the radio is with raw data access.
P.S. hope you have warranty on your phones - this is very likely to brick at least one phone until we get it right
---------- Post added at 12:30 PM ---------- Previous post was at 12:24 PM ----------
In the spirit of open cooperation, here are the instructions i was given, translated and simplified
In ADB Shell, type su to get the # prompt, then:
cat /proc/mtd <Enter>
Confirm that you have the "_modem" partition available. If not, you need to reflash with the custom build kernel
Dump the image to file with the following command:
dump_image -r -D -F _modem /sdcard/backupimages/modem.img
Access this with anything as "raw dump" and all blocks will get read as ECC error, so definitely dont do this
ECC positioning is different to Linux, so take care
The following maps out how 512bytes of data and 10 bytes of ECC info are stored in a 528 byte block:
0000 - 01CF (0-463): Data
01D0 - 01D1 (464-465): Unused (0xff)
01D2 - 0201 (466-513): Data
0202 - 020B (514-523): ECC
020C - 020F (524-527): Unused (0xff)
Use RevSkills application to extract the data portions:
Menu⇒Calculators/Generators⇒Android MTD Nand remove Spare and ECC
Extract all of the Data only portions out of the raw dump, and then use QualcommDumpAnalyser to read it and split up the various parts. I did notice that i wasnt able to get the AMSS block out with QualcommDumpAnalyser - i copied that out manually by calculating the byte positions shown in QDA.
003SH bootloader key sequence?
Eternalardor,
I'd be happy to swap information. Perhaps you could shed some light on the question of the bootloader for the Sharp 003SH and 005SH? There seems to be no discernible key sequence (Power+home+Volume up etc.) to access the bootloader. I feel like I've tried them all. Can you tell me this critical piece of information?
Is a form of the USB Jig necessary to access it?
Looking forward to your response.
003SH SIM unlock
Dominik,
Here are the results of the original /proc/mtd (before rooting)
boot
cache
misc
recovery
ipl
system
persist
log
battlog
calllog
ldb
userdata
I don't see the _modem partition. Should I?
I have also included a screenshot of the results showing size. I have most of them backed up as .img files too.
FYI: .img backed up sizes. Perhaps this will help you to ponder where the _modem partition may have gone. Maybe it's been renamed?
boot 11,264KB
cache 3,072KB
misc 1,024KB
recovery 11,264KB
ipl 15,360KB
system 419,840KB
persist 30,720KB
ldb 45,056KB
userdata 405,120KB
There is no bootloader menu AFAIK. If you install the custom kernel, you will have the option of a quasi-recovery mode, by pressing the home button between 7-12 seconds after the Galapagos logo is seen (or was that the Softbank logo)
Anyway, looking at the screenshots, it seems you do not have the custom kernel.
How did you achieve root on your phone?
To do this, you need to use the "003sh_005sh_dm009sh-rootkit" from at least 5/27 (recommend _0614); which is available on the 2ch forums. This includes 2 possible ways of achieving root:
1. A modified standard kernel (boot image), which, when flashed gives you regular root access
2. A custom compiled kernel, which has full root, a bunch of power profiles, and heaps more features (inc that quasi recovery), as well as access to the "_modem" image.
Judging from your youtube videos, you speak some Japanese, so the Japanese menus in the rootkit shouldnt be much trouble.
http://www1.axfc.net/uploader/Si/so/142435
This is what i used.
Go here for help/instructions http://anago.2ch.net/test/read.cgi/android/1337845757/
And dont even think about typing in English on there, or you will be ignored and/or told to go away
This all looks familiar. I have been using the root kit (5/27) to get where I am now - step by blessed step. It was pretty straight forward BUT I have never seen the option to write to the system partition. It is in all the instructions but the only option I have with respect to the system partition is to back it up. I'm confused as to why it doesn't seem to show up for me. I am using a Japanese machine so all the characters are displayed and I can read the instructions but I can't find help anywhere as to why I don't have that particular (and critical) option. I can see a lot of new and cool options in the 6/14 release. I'm excited and would like to get it installed.
I'll let you know how it goes. Thanks for your help .... keep it coming!
And another thing
Could you explain a little more about "having" the custom kernel? Using the root kit, I wrote to the Recovery partition then the Boot partition then rebooted from the Recovery partition and all seemed well. As I said above, I have never been able to write to the System partition despite it appearing in all the instructions. I suspect that is what is holding me back from the latest and greatest custom kernel. Still, I am enjoying all the same functionality that everyone else seems to be enjoying in root. What am I missing?
Eep, you wrote to the boot partition before trying the recovery? Brave!
The steps should be:
Write image to recovery partition;
Then reboot to recovery partition (from the menu) and confirm it all works without errors.
Then write image to boot partition
And then turn off the phone, and reboot (the last part is only my instructions - you could just select "reboot to boot partition" from the menu)
You are doing this on your 005SH right? It should be the same for the 003SH, but i only have the 005SH. In the rootkit there is 2 options when you say "burn custom image":
1 カスタムビルドrootedカーネル(リカバリーキット機能付き)
2 S4080 標準rootedカーネル(簡易リカバリー機能付き)
Q 中止してメインメニューへ戻る
You must do the first one, the CUSTOM rooted kernel, to get any of the really cool features. The second option is only if you just want root access for a particular app or something. AFAIK the second option doesnt even disable MIYABI LSM, which prevents you from mounting the system dir as R/W
But either way, writing to the System dir is not important for what we are doing. You need the Custom kernel, which gives you access to the "_modem"
Edit, i just noticed in your screenshots above, you didnt even get root in ADB shell?
Type
ADB Shell<Enter>
Then type
su<enter>
The cursor should change to a #, this means root. You may get a prompt on the phone from Superuser asking you to give root access to "shell". Once you have this try the cat /proc/mtd again
jcroot003sh,
can you tell me how to root 003sh?
Use the link i provided in my previous post
http://forum.xda-developers.com/showpost.php?p=27989085&postcount=8
You can use a translator if you dont understand Japanese, but the general instructions are in the post above yours
I translated it for a friend, but that is at work, so wont be able to put it up until monday.
DominikB said:
Use the link i provided in my previous post
http://forum.xda-developers.com/showpost.php?p=27989085&postcount=8
You can use a translator if you dont understand Japanese, but the general instructions are in the post above yours
I translated it for a friend, but that is at work, so wont be able to put it up until monday.
Click to expand...
Click to collapse
Thank you for your replying. I will wait for your translated version. You are really a good person.
Progress
I have successfully found and dumped the "_modem" image. Exactly as you stated - forgot the "su" command in ADB. Thanks. The next problem is editing out the code. I am way above my head here so I will do some research before bugging you for a step-by-step for that.
Also, the bootloader worked. I didn't realize how to do it until I read the notes in the 6/14 release. I successfully put a previously dead phone back on it's feet EXACTLY to the point of my current phone simply by backing up and then restoring partitions through the bootloader. Very slick and easy.
Will get to work. I'll be in contact soon with my progress on the SIM unlock.
I have spent a bit of time looking at it, it certainly isnt easy (Certainly isnt a "lock=yes" section). I assume the actual locking portion is encrypted/compressed/or just compiled, because it would be too easy otherwise (be happy to be proven wrong). For starters, i cannot even find my IMEI number in the dump file... I think that this dump only includes the radio code, not the NV RAM which contains the IMEI and SIM Lock status. If that is the case then the solution should be to change the portion of the radio code that queries the NV RAM, so that it doesnt care if the SIM lock is supposed to be applied.
Extracting the spare/ECC bits out should be done with the RevSkills app; extracting the relevant portions, that is a bit of a cludge; QualcommDumpAnalyser can show the start/end positions, but doesnt extract the AMSS part (AFAIK thats where the code will be). You need to use a hex editor to cut that part out manually... And i am still not 100% sure what the block size is on this NAND.
Good luck!
And if there *are* any experienced hackers out there willing to help out, i can offer some monetary help (as will a few of my fellow Japanese smartphone owning friends) as this will be valuable for not just these 2 phones (there is an army of 007SH owners waiting on this unlock)
Shall we give the 007/009 a shot?
I can see mountains of the 007SH on the auction (mostly pink). Perhaps I should pick one up and take it for a spin. I am happy to try to do something to help out for all the help I am receiving.
Or perhaps the 009SH?
How hard would it be to crack the 007? The 009SH looks like it is supported in the latest release kit.
Thoughts?
Currently, the 003/005SH are going to be the easiest, because they have the custom kernel which allows access to the "_modem" image. To do it on the 007SH we need to build a custom kernel (compiled from the sources available on the ktai-dev site), and add the modem access code (this is in the src directory of the rootkit). Not impossible, but i dont have a Linux machine to compile the sources.
However i think that the code will be fairly universal. Once we find it on the 005SH we will know what we are looking for on the 007SH as well. That will make many people happy
Anyway, my 005SH is under warranty/anshin plan so i dont mind if it gets bricked (especially now that we can take nand backups).
First things first though - examining the 005SH modem image. Does anyone know whether the NAND is a 16kb or 128kb block size? Or is it something completely different?
P.S. The DM009SH is just the Disney Mobile version of the 003SH
Linux machine no problem
I have a Linux server running 24/7 so compiling the kernel is easy. Don't let that be the holdup. I'll keep working on the 003SH _modem image.
DominikB,
I can't open this site [anago.2ch.net/test/read.cgi/smartphone/1319287551/] on channel2 for free. This site had been moved to the past-log storehouse. So.... I even can't look at Japanese version for rooting 003sh. It is very helpful if you can show me the steps for rooting 003sh.
What all goes into signing a ROM, and why can't someone take CM and sign it as if it was from Samsung? I'm guessing it's more than copying and pasting a few files, but why can't this be done? In concept it sounds easier than unlocking the bootloader. Is it known where the files that contain the keys are? Are the keys for each device different?
PetersDrue said:
I'm not an Android developer. I'm learning C++, and I have decided to put off learning Java, although some of the syntax looks similar (except for the 100,000,000 classes required for a Java program. I do know Android is run from a virtual machine and is based off of Java and other basic knowledge.
Anyway, I love my Cyanogen Mod and I didn't pay attention to unlocking the bootloader when I first got my phone. Now I'm really missing CM 11.
I know the bootloader checks to see if the ROM is signed by Samsungnd only then will it allow the ROM to be installed. (I'm a computer and Android enthusiast, some more technical info would be appreciated with these processes).
What all goes into signing a ROM, and why can't someone take CM and sign it as if it was from Samsung? I'm guessing it's more than copying and pasting a few files, but why can't this be done? In concept it sounds easier than unlocking the bootloader.
Click to expand...
Click to collapse
Do you have the encrypted key sets available that it checks against? No? Well then...
lycwolf said:
Do you have the encrypted key sets available that it checks against? No? Well then...
Click to expand...
Click to collapse
Are the keys unique to each device?
PetersDrue said:
Are the keys unique to each device?
Click to expand...
Click to collapse
This has been asked and answered over and over again.
It's a digital signature, which means that all of the binaries are signed using the same private key, which I'm sure Samsung has well locked down.
It's a sufficiently secure methodology that the only way we could sign custom binaries would be for someone at Samsung to leak the key.
Please don't suggest brute forcing it (it'd take several thousand years), removing it (won't work), copying it from one file to another, etc.
All of these have already been suggested by those unfamiliar with the technology being used.
k1mu said:
This has been asked and answered over and over again.
It's a digital signature, which means that all of the binaries are signed using the same private key, which I'm sure Samsung has well locked down.
It's a sufficiently secure methodology that the only way we could sign custom binaries would be for someone at Samsung to leak the key.
Please don't suggest brute forcing it (it'd take several thousand years), removing it (won't work), copying it from one file to another, etc.
All of these have already been suggested by those unfamiliar with the technology being used.
Click to expand...
Click to collapse
I normally do research before I ask a question; this is an exception. I understand what ii is in general. I wouldn't suggest brute forcing. Several thousand years is most likely an understatement. The length of time exponentially increases for each added character. Removing it obviously won't work because then there is no signature to verify.
I was asking about the location because I thought it might be possible to port the key to a different ROM but I am unfamiliar with this technology.
For now simply follow the instructions and use the provided file download from the link posted below
http://forum.xda-developers.com/showpost.php?p=48392009&postcount=1
I have personaly tested this method in full on My AT&T Samsung Galaxy S4 ZOOM SM-C105AUCUAMJ2 (4.2.2 Jelly Bean)
although it should be safe to use on any AT&T Samsung Galaxy S4 ZOOM running an android version prior to Kit-Kat
All Credit for this, "exellent completely safe", Root method goes to its creator k1mu
And please Know that it is only being shared with you via his explicit permission.
EDIT:
Q&A for [ROOT] Saferoot: Root for AT&T Galaxy S4 ZOOM SM-C105AUCUAMJ2_On 4.2.2 JB
Please if you are not on an AT&T Galaxy S4 ZOOM C-150a, Feel Free to Read
but Do not seek help,instruction, or any other type of advice by posting in this thread as it is hard enough to find information about a specific device when the said device does not have a dedicated forum. Thank You for your Understanding in this.
Instructions & Advice
If ?'s arise
and time allows I will add device specific instruction as well as any advice, Please bear with me. Same as above Q&A Link
Will this same method also work on the SM-C105AUCUAMJ2?
kbracing6 said:
Will this same method also work on the SM-C105AUCUAMJ2?
Click to expand...
Click to collapse
Most Definitely as this was the reason for my post
Hey @Phatboyj420, as far as converting a raw OTA file to Odin files, here's what I can tell you. The OTA file should be filename.cfg, i.e. a cfg file. Believe it or not, this can be manipulated like an archive (like zip or rar or tar) so open that cfg file in 7zip, WinRar, or whatever. You're going to want to extract the files like (I can't guarantee this a full list, just the ones I can remember) modem.bin, NON-HLOS.bin, boot.img, recovery.img, aboot.mbn, rpm.mbn, sbl1.mbn, sbl2.mbn, sbl3.mbn (you might not have all 3, idk), and tz.mbn. Again, there may be others you need, and/or not all the ones I just listed might be necessary, they're just the ones I remember dealing with before. Oh, you're going to need to make sure the system, cache, and persdata partitions are all packed into .img.ext4 files, idk if they're like that in the OTA cfg archive.
Here's where it gets even hazier for me. So, I know from personal experience that you can take any of these files (I'll just use recovery.img for this example). In a linux terminal (I use Ubuntu for convenience's sake, my laptop has windows and ubuntu partitions) run this command:
Code:
tar -H ustar -c recovery.img > recovery.tar
So that's how you can take any one of those files I mentioned last paragraph and pack it into an Odin-flashable tar. I'm still a n00b when it comes to the linux terminal, so I can't really say the syntax for packing more than one at once.
So I guess I haven't really given you the complete process, but hopefully this is at least a decent starting point. Honestly I consider myself a hobbyist at best, not an expert. muniz_ri, who Devo7v mentioned earlier, did all the heavy work in this regard so he can probably help you much more, I just didn't want to volunteer him for the job
thisisapoorusernamechoice said:
Hey @Phatboyj420, as far as converting a raw OTA file to Odin files, here's what I can tell you. The OTA file should be filename.cfg, i.e. a cfg file. Believe it or not, this can be manipulated like an archive (like zip or rar or tar) so open that cfg file in 7zip, WinRar, or whatever. You're going to want to extract the files like (I can't guarantee this a full list, just the ones I can remember) modem.bin, NON-HLOS.bin, boot.img, recovery.img, aboot.mbn, rpm.mbn, sbl1.mbn, sbl2.mbn, sbl3.mbn (you might not have all 3, idk), and tz.mbn. Again, there may be others you need, and/or not all the ones I just listed might be necessary, they're just the ones I remember dealing with before. Oh, you're going to need to make sure the system, cache, and persdata partitions are all packed into .img.ext4 files, idk if they're like that in the OTA cfg archive.
Here's where it gets even hazier for me. So, I know from personal experience that you can take any of these files (I'll just use recovery.img for this example). In a linux terminal (I use Ubuntu for convenience's sake, my laptop has windows and ubuntu partitions) run this command:
Code:
tar -H ustar -c recovery.img > recovery.tar
So that's how you can take any one of those files I mentioned last paragraph and pack it into an Odin-flashable tar. I'm still a n00b when it comes to the linux terminal, so I can't really say the syntax for packing more than one at once.
So I guess I haven't really given you the complete process, but hopefully this is at least a decent starting point. Honestly I consider myself a hobbyist at best, not an expert. muniz_ri, who Devo7v mentioned earlier, did all the heavy work in this regard so he can probably help you much more, I just didn't want to volunteer him for the job
Click to expand...
Click to collapse
Thanks My guy,
This definately gives me a good jumping off point.
The phone shipped with JB-4.2.2 and I think there has been an AT&T OTA for KK so it would have to be a complete Firmware so thats good news.
I'm working on several projects at once so I don't know exactly when I'll get to this but when I do the first thing will be to verify whether the .img's for data/system/cache are img.ext4 or not and if not how to produce correctly.
Also I don't have a Linux Dev setup yet I'm running Windows On a 2011 Dell XPS-17_L702x with an intel 2720 quad core. So from your post I take it Ubuntu would be your suggestion for Linux Distro. and should I make a separate Linux Partition and run from it, or run from a VM-Box inside of windows? Which do you think would be most efficient?
Now that I think of it I'm going to start a dedicated thread for development discussion for this specific device. If I start the thread in the Development section for the general S$-ZOOM but title it specifically for the " AT&T-C105a_ZOOM " do you think the mods would want to move it to the general Q&A section?
" I would hope that, as it would pertain directly to the development of the specific device they would see fit to leave it in the development section.
Sorry for the randomness of my thoughts but I will link you to the thread when I get around to starting on it.
For now I'm going to get back to work on the S4_Active for My daughters B-day I intend to have it Rooted and rommed out for her. When I get that done I'll make my way back to this Project, and start the dedicated thread.
Thanks again,
" I look forward to future collaboration as it seem we share a similar Hobie at the least ",
Phatboyj
Unfortunately for the few lonely SM-C105a users still hanging on out there this does not appear to be a completely effective root. I get this in dmesg: <3>[ 2130.920856] c0 Restricted changing UID. PID = 11580(su) PPID = 11575(sh)
capt_planit said:
Unfortunately for the few lonely SM-C105a users still hanging on out there this does not appear to be a completely effective root. I get this in dmesg: <3>[ 2130.920856] c0 Restricted changing UID. PID = 11580(su) PPID = 11575(sh)
Click to expand...
Click to collapse
What is your build # because this is a fully effective root method for the ATT SM-C105a running build# SM-C105AUCUAMJ2
Please elaborate on where your dmesg is coming from.
Is it from running Saferoot to obtain Root?
Or is it from some other function you are attempting after obtaining root?
@Phatboyj420 Great to see you here--when I'm sure your S4 Zoom is long gone. Yeah, that's my build and I should point out that I get that in dmesg only for certain operations in the system folder (trying to copy modules I think). No biggie, for day to day this method works fine. I'm more interested in whatever happened with that unbrick image you were trying to make from dd. Did you ever test it? Was it effective? My current efforts are focused on developing a reliable unbrick method for our phones. Rather than the complete image I think we may need to extract and flash the original bootloader in many cases. Can you provide any feedback on this?
capt_planit said:
@Phatboyj420 Great to see you here--when I'm sure your S4 Zoom is long gone. Yeah, that's my build and I should point out that I get that in dmesg only for certain operations in the system folder (trying to copy modules I think). No biggie, for day to day this method works fine. I'm more interested in whatever happened with that unbrick image you were trying to make from dd. Did you ever test it? Was it effective? My current efforts are focused on developing a reliable unbrick method for our phones. Rather than the complete image I think we may need to extract and flash the original bootloader in many cases. Can you provide any feedback on this?
Click to expand...
Click to collapse
@ capt_planit
while I have moved on from using my [email protected] S4-Zoom, I do still have it and the dd dumps of it the problem with providing said dumps publicly is that some "idiot would inevitably flash the complete dd.image to there phone giving them an exact clone of my phone explicitly the IMEI via EFS parition are my concerns.
That being said if I know that the dd.images were to be used in a proper manner, by say a knowledgeable Dev. I would gladly supply them to further /Kickoff Development,
It sounds as if we are of like mind but I found myself at a stand still and did not recieve any response from the plea in my Sig.
But rest assured if there is something I can do to assist I will.
as far as an unbrick.img for the Zoom c105a
I did make one but have had no reason to use it to know if it works or if the SD unbrick method even works for the Zoom like it does on the Galaxy S3 that the method was originally discovered on.
Even if it does work the SD-Unbrick method only gets you to a state where Download
mode works SO unless I am mistaken and you can access adb through Download Mode witch I'm pretty sure you cant, we would still be at a stand still as there is no stock firmware publicly available for our device " Ludacris I know " but true none the less.
Edit:
1 thing we need is the OTA update from JB to KitKat available for our device we need some one to extract it before updating then and only then might we be able to create an install-able firmware for our device.
if I'm not mistaken after you download the OTA update you should be able to find it in /cache/fota just zip the entire fota folder move it to your sd-card and make it available to me and we'll make it happen from there.
If you don't want to except the update just delete it at this point and reboot.
...
...
I think this user @awwar describes an inability to access download mode>here. In anycase, I think that thread would be a great place to post your unbrick. image. I think your dd image seems too small. But if you still have it, that is what @moomoo was asking for when he started that thread. I can't provide mine, except as separate img files. My understanding is that flashing an efs image won't provide a real IMEI. I think flashing some combination of boot, system, cache (I'm surprised this would be necessary) and recovery should get the operator some kind of system. But so far it doesn't seem to work that way. Your help getting some working phone flash would be greatly appreciated. I believe, BTW that the OTA is dead...