Just like it says in the thread title, I was wondering if anybody -- in particular, any linux users -- had tried using heimdall yet? I'm too new to both the Galaxy family of phones and odin/heimdall to try it myself yet.
thanks.
This is just a repeat of what I said in the official heimdall thread:
I just tried using it with the SGS2. Nothing radical, since I have zero experience with heimdall and Galaxy phones.
1) I put the phone into download mode, following instructions I got here.
2) I connected the phone to my fedora 11 install (yes, I'm way behind the times!)
3) I ran lsusb and got:
Bus 001 Device 002: ID 04e8:685d Samsung Electronics Co., Ltd
It doesn't mention the words "mobile phone" as I think it does for the S1, but I may be wrong about that.
4) I ran:
heimdall close-pc-screen --verbose
according to instructions earlier in this thread (page 26).
5) I got:
Failed to detect compatible device
Anything new on that?
Would be great for us Linux-Only-Nerdys
Thanks
Ali
aliander said:
Anything new on that?
Would be great for us Linux-Only-Nerdys
Thanks
Ali
Sorry guys I don't have a Galaxy S II to develop with so I haven't been able to make the necessary changes to support the Galaxy S II. If anyone has one they want to donate that would be fantastic, but that's probably not all that likely
Benjamin Dobell said:
Sorry guys I don't have a Galaxy S II to develop with so I haven't been able to make the necessary changes to support the Galaxy S II. If anyone has one they want to donate that would be fantastic, but that's probably not all that likely
I just tested heimdall a bit with the SGSII.
At least, kernel flash works.
Modifications needed:
BridgeManager.h: device ID is 685D not 6601 (maybe add a switch for sgs2)
main.cpp: getUnknown is 131072, not 0 (again, maybe switch)
and it'll work.
I'd also suggest a switch for "--no-reboot" ;-)
Let me know if you would prefer a diff or w/e like that..
Disclaimer: I did NOT test this thoroughly, this is AT YOUR OWN RISK - flashing CAN destroy your device.
Kernel flashing does work tho
ps: I'd have preferred giving you a GT-I9100 but that's a little over my budget right now
bad stuff:
x64 linux binary http://www.multiupload.com/A1R7SDUFZM
more bad stuff:
I've put it in a diff cause I'm not so lazy today:
https://github.com/kangsterizer/Heimdall/commit/86e9b66d4ec5b415b3a8d2d310f9ce7633679a16
bilboa1 said:
I just tested heimdall a bit with the SGSII.
At least, kernel flash works.
Modifications needed:
BridgeManager.h: device ID is 685D not 6601 (maybe add a switch for sgs2)
main.cpp: getUnknown is 131072, not 0 (again, maybe switch)
and it'll work.
I'd also suggest a switch for "--no-reboot" ;-)
Let me know if you would prefer a diff or w/e like that..
Disclaimer: I did NOT test this thoroughly, this is AT YOUR OWN RISK - flashing CAN destroy your device.
Kernel flashing does work tho
ps: I'd have preferred giving you a GT-I9100 but that's a little over my budget right now
bad stuff:
x64 linux binary http://www.multiupload.com/A1R7SDUFZM
more bad stuff:
I've put it in a diff cause I'm not so lazy today:
https://github.com/kangsterizer/Heimdall/commit/86e9b66d4ec5b415b3a8d2d310f9ce7633679a16
I have tried compiling this on two different machines -- one Fedora 11 and one Fedora 14. Both result in the same error, and sadly, I'm not experienced enough to figure it out
Here's the badness:
depbase=`echo source/BridgeManager.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\
g++ -DHAVE_CONFIG_H -I. -I/usr/include/libusb-1.0 -g -O2 -MT source/BridgeManager.o -MD -MP -MF $depbase.Tpo -c -o source/BridgeManager.o source/BridgeManager.cpp &&\
mv -f $depbase.Tpo $depbase.Po
source/BridgeManager.cpp:57:47: error: ‘kPidGalaxySDownloadMode’ is not a member of ‘Heimdall::BridgeManager’
make[1]: *** [source/BridgeManager.o] Error 1
I'd be grateful for any suggestions, although I fully understand that you all have lives elsewhere!
I think you need to look more up to find the cause, you are surely missing some devel packages
godutch said:
I think you need to look more up to find the cause, you are surely missing some devel packages
I'm sure it's something stupid. On both laptops I have run:
yum groupinstall "Development Tools"
yum install rpmdevtools
I also installed the kernel source rpm.
try installing the libusb-devel packages
Got it, there is an error in the patch. I can't make a diff for you but it's easy to change: in heimdall/source/BridgeManager.h change the enum section around line 67 like this:
enum
{
    kPidGalaxyS2DownloadMode = 0x685D,
    kPidGalaxySDownloadMode = 0x6601,
    kPidGalaxySInternational = 0x681C,
    kPidGalaxySNewInternational = 0x681D,
    kPidVibrantCanadaBell = 0x6877
};
Thanks a lot, godutch! That worked and got me as far as the next error:
Failed to get D-Bus connection: Failed to connect to socket /org/freedesktop/systemd1/private: Connection refused
Luckily Dr. Hotdog seems to have a fix for that here. Thanks all
It seemed to install all right, but when I run:
heimdall close-pc-screen
I get:
Failed to detect compatible device
Is this to be expected? I.e. does that functionality work with the SGS2 or do I have more problems I need to investigate?
What's the output of lsusb with the sgs connected?
Bus 005 Device 002: ID 0a5c:2110 Broadcom Corp. Bluetooth Controller
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 005: ID 04e8:685d Samsung Electronics Co., Ltd
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
anybody tried installing this kernel:
http://forum.xda-developers.com/showthread.php?t=1060673
with this pre-compiled heimdall?
I just didn't want to break my shiny new toy
And I do not have windows, of course!
elban said:
anybody tried installing this kernel:
http://forum.xda-developers.com/showthread.php?t=1060673
with this pre-compiled heimdall?
I just didn't want to break my shiny new toy
And I do not have windows, of course!
Yeah I did, it works, but of course I can't give any warranty if something goes wrong
bilboa1 said:
I just tested heimdall a bit with the SGSII.
At least, kernel flash works.
Modifications needed:
BridgeManager.h: device ID is 685D not 6601 (maybe add a switch for sgs2)
main.cpp: getUnknown is 131072, not 0 (again, maybe switch)
and it'll work.
I'd also suggest a switch for "--no-reboot" ;-)
Let me know if you would prefer a diff or w/e like that..
Disclaimer: I did NOT test this thoroughly, this is AT YOUR OWN RISK - flashing CAN destroy your device.
Kernel flashing does work tho
ps: I'd have preferred giving you a GT-I9100 but that's a little over my budget right now
bad stuff:
x64 linux binary http://www.multiupload.com/A1R7SDUFZM
more bad stuff:
I've put it in a diff cause I'm not so lazy today:
https://github.com/kangsterizer/Heimdall/commit/86e9b66d4ec5b415b3a8d2d310f9ce7633679a16
hello
when I try to flash a kernel, I get:
Failed to detect compatible device
lsusb gives:
Bus 001 Device 007: ID 04e8:685e Samsung Electronics Co., Ltd
maybe the problem is the different usb ID?
elban said:
hello
when I try to flash a kernel, I get:
Failed to detect compatible device
lsusb gives:
Bus 001 Device 007: ID 04e8:685e Samsung Electronics Co., Ltd
maybe the problem is the different usb ID?
sorry guys, me stupid, I wasn't in download mode!
flashed supercurio kernel successfully, now I'm rooted and with cifs, all without needing to run Windows!
thanks very much!
just wanted to let you know that with this heimdall I've successfully flashed CFROOT in this thread:
http://forum.xda-developers.com/showthread.php?t=1103399
very very nice!
https://github.com/kangsterizer/Heimdall/
Please correct:
- heimdall/source/BridgeManager.cpp
56:
Code:
const DeviceIdentifier BridgeManager::supportedDevices[BridgeManager::kSupportedDeviceCount] = {
    DeviceIdentifier(BridgeManager::kVidSamsung, BridgeManager::kPidGalaxySDownloadMode)
to:
56:
Code:
const DeviceIdentifier BridgeManager::supportedDevices[BridgeManager::kSupportedDeviceCount] = {
    DeviceIdentifier(BridgeManager::kVidSamsung, BridgeManager::kPidGalaxyS2DownloadMode)
OR:
- heimdall/source/BridgeManager.h
69:
Code:
    kPidGalaxyS2DownloadMode = 0x685D
to:
69:
Code:
    kPidGalaxySDownloadMode = 0x685D
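Several posts in this thread come down to the same check: does the VID:PID that lsusb shows match an entry in heimdall's supported-device table? The script below is an added example (not part of the thread or of the Heimdall project) that parses lsusb output and applies the PID table from the patched BridgeManager.h enum quoted above, so that a reading such as 04e8:685e (the phone plugged in but not in download mode, as elban found) is explained instead of just producing "Failed to detect compatible device". The lsusb lines embedded in it are constructed from the ones posted in the thread; the helper names are mine.

```python
import re

# Samsung USB vendor ID and the download-mode product IDs from the
# BridgeManager.h enum quoted in this thread (0x685D is the Galaxy S II entry).
VID_SAMSUNG = 0x04E8
SUPPORTED_PIDS = {
    0x685D: "Galaxy S II download mode",
    0x6601: "Galaxy S download mode",
    0x681C: "Galaxy S international",
    0x681D: "Galaxy S new international",
    0x6877: "Vibrant (Bell Canada)",
}

# One lsusb line: "Bus 001 Device 005: ID 04e8:685d Samsung Electronics Co., Ltd"
LSUSB_RE = re.compile(
    r"^Bus (?P<bus>\d+) Device (?P<dev>\d+): ID "
    r"(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<desc>.*)$"
)


def parse_lsusb(text):
    """Turn raw lsusb output into a list of dicts; lines that do not match are skipped."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            devices.append({
                "bus": int(m["bus"]),
                "device": int(m["dev"]),
                "vid": int(m["vid"], 16),
                "pid": int(m["pid"], 16),
                "desc": m["desc"].strip(),
            })
    return devices


def classify(device):
    """Say whether heimdall with the patched PID table would accept this device."""
    if device["vid"] != VID_SAMSUNG:
        return "not a Samsung device"
    name = SUPPORTED_PIDS.get(device["pid"])
    if name is not None:
        return f"supported ({name})"
    return (f"Samsung PID 0x{device['pid']:04X} is not in the download-mode table: "
            "heimdall will report 'Failed to detect compatible device'; "
            "check that the phone is actually in download mode")


def diagnose(lsusb_text):
    """Return a one-line verdict for the Samsung devices in an lsusb listing."""
    samsung = [d for d in parse_lsusb(lsusb_text) if d["vid"] == VID_SAMSUNG]
    if not samsung:
        return "no Samsung device found: check the cable and that the phone is plugged in"
    return "; ".join(classify(d) for d in samsung)


# Constructed samples modelled on the lsusb output posted in this thread.
LSUSB_DOWNLOAD_MODE = """\
Bus 005 Device 002: ID 0a5c:2110 Broadcom Corp. Bluetooth Controller
Bus 001 Device 005: ID 04e8:685d Samsung Electronics Co., Ltd
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""
LSUSB_NORMAL_MODE = "Bus 001 Device 007: ID 04e8:685e Samsung Electronics Co., Ltd\n"

if __name__ == "__main__":
    print(diagnose(LSUSB_DOWNLOAD_MODE))
    print(diagnose(LSUSB_NORMAL_MODE))
```

Run it as `lsusb | python3 check_heimdall_device.py` style by feeding real lsusb output to `diagnose()`; the PID table is the one the thread patched in, so extend it the same way the enum is extended when another download-mode PID turns up.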
Hello, every SD build users,
Savan told me a method about how to get the real WiFi MAC address from the kernel (i.e. the same MAC address you see on WM6.5).
However, we need to get the memory dump of HSPL running WM6.5 and your real MAC address, so Savan can find out the MAC offset and write it to kernel for getting the real WiFi MAC address.
I'm running NAND ROM now and I'm lazy (have no free time) to flash back to WM6.5 just for dumping HSPL and then flash back to MAGLDR later.
Thus, I would like to request helps from you, the SD build users running WM6.5.
If you can help, please use the following steps to dump the HSPL. Thanks.
Backup your original "startup.txt" in Android folder.
Place the following command in "startup.txt".
Code:
pwf hspl.dump 0x0 0x100000
Start HaRET and it will automatically run the above command.
Check if file hspl.dump exists in your SD card.
Send me hspl.dump and your real WiFi MAC address you see on WM6.5.
Reference: http://htc-linux.org/wiki/index.php?title=HaRET_Documentation#HaRET_commands
Update:
We can get the real WiFi MAC address from SPL/HSPL when using SD builds on WM. (Please use r12 kernel if you want to try it.)
However, we cannot get the real WiFi MAC when using MAGLDR and cLK bootloaders.
here you are:
MAC
00-23-76-8e-23-dc
let us know... thank
Marco
Real MAC:
38: E7: D8: 8E: 27: 6D
Thank you very much to marco.palumbi and kajos.
The correct command is 'pwf hspl.dump 0x0 0x100000'.
Hello marco.palumbi and kajos,
Thanks for your help.
Which version of HSPL do you use?
Is it SPL 2.08.HSPL?
I can find 0023768E23DC at 0xFC028 when HEX editing marco.palumbi's hspl.dump. (Nothing at 0x90028.)
But I can find 38E7D88E276D at 0x90028 and 0xFC028 when HEX editing kajos' hspl.dump.
These two memory dumps seem to be different in terms of format.
When I add 0x90028 or 0xFC028 to kernel source code, I still cannot read MAC address from kernel.
Maybe Savan and I miss something.
I'm trying different possible methods.
tytung said:
Hello marco.palumbi and kajos,
Thanks for your help.
Which version of HSPL do you use?
Is it SPL 2.08.HSPL?
My Bootloader shows SPL-3.03.0000
I don't use HSPL
R 2.15.50.14
G 15.42.50.11U
D 3.14.04666
is HSPL necessary for this?
Hi tytung,
I have the latest official HTC rom installed on my Italian EU device.
booting the device with vol- pressed I read:
PB81100 HX-BC
SPL-3.03.0000 XE
MicroP(LED) 0x05
MicroP(TOUCH) 0x30
let me know if you need more information
Thanks to both of you.
I'm not sure whether SPL and HSPL have different format.
I changed my HD2 to HSPL 2.08 in order to install MAGLDR and flash NAND ROM.
And the new kernel with real MAC fix doesn't work for me on my NAND ROM.
WiFi MAC = ff:ff:ff:ff:ff:ff and bootloop.
Savan, the kernel developer of HTC Photon (HD Mini, another WM6.5 phone), told me that his real MAC fix may only work with SD build.
...but you've detected the realMAC at 0xFC028.
May be there a different way for implementing this?
Hi!
My MAC: 7C-61-93-33-F1-CF
With Power and Vol- i get:
PB81100 HX-BC
SPL-2.08.HSPL 8G XE
0x50
CotullaHSPL 0x50
hi
I am not expert on the HD2 device but I have some experience with embedded systems.
just to better understand and give some help.
the problem can be split in two steps:
1) find, from somewhere in the device, the assigned MAC address. This seems to be at physical memory address 0xFC028 on kajos' and my device.
2) modify the kernel driver in order to use the address retrieved from the previous step.
tytung, which step is failing in your implementation?
to debug you can try
a) to printk() the physical address at 0xFC028 (so you can see it on dmesg)
b) modify the ETH kernel driver to use a string passed as kernel command line.
the last could be an easy solution for SD users because this way they can put the MAC on startup.txt...
zboq said:
Hi!
My MAC: 7C-61-93-33-F1-CF
With Power and Vol- i get:
PB81100 HX-BC
SPL-2.08.HSPL 8G XE
0x50
CotullaHSPL 0x50
Thank you.
I can find 7C619333F1CF at 0x90028 and 0xFC028 when HEX editing your hspl.dump.
marco.palumbi said:
hi
I am not expert on the HD2 device but I have some experience with embedded systems.
just to better understand and give some help.
the problem can be split in two steps:
1) find, from somewhere in the device, the assigned MAC address. This seems to be at physical memory address 0xFC028 on kajos' and my device.
2) modify the kernel driver in order to use the address retrieved from the previous step.
tytung, which step is failing in your implementation?
to debug you can try
a) to printk() the physical address at 0xFC028 (so you can see it on dmesg)
b) modify the ETH kernel driver to use a string passed as kernel command line.
the last could be an easy solution for SD users because this way they can put the MAC on startup.txt...
I am not expert on the HD2 device either.
Here is my kernel diff. http://pastebin.com/HeSUAd5Y
What I cannot ensure is values of MSM_SPLHOOD_BASE and id_base.
According to your three spl.dump files, I think id_base = 0xFC028.
I don't know how to determine MSM_SPLHOOD_BASE.
Savan used IOMEM(0xF9500000) in his kernel, but he let me try IOMEM(0xF9200000).
I tried both and had the same result.
dmesg
Code:
<6>[ 3.489532] wifi_nvs_init
<4>[ 3.489562] id1 = 0xffffffff
<4>[ 3.489593] id2 = 0xffffffff
<4>[ 3.489593] id3 = 0xffffffff
<6>[ 3.489624] Device Wifi Mac Address by cardsharing-x: macaddr=ff:ff:ff:ff:ff:ff
I can boot into Android, but it reboots itself later. (I always enable WiFi.)
Update:
Doesn't the original kernel support setting the cmdline "rel_path=Android wifi.mac=00:11:22:33:44:55" in startup.txt?
kajos said:
...but you've detected the realMAC at 0xFC028.
May be there a different way for implementing this?
Maybe the real MAC patch only works for SD build because we get memory dump when running WinMo 6.5.
I tested new kernel on NAND with MAGLDR installed.
And the kernel cannot read SPL or have different address offset.
Here is my r12 beta2 kernel including the above real MAC patch.
You can try it on SD build.
I'm testing your new kernel and all i can say now is that i have my real mac address.
Edit:
I'm getting 60mA on standby so i'm going back to hastarin 8.6
No thanks left today
I'll do it tomorrow
I'm using MccMBoxmaX GS V9
http://forum.xda-developers.com/showthread.php?t=1038694
...and I'm getting no WIFI with r12beta2, but no wifi-error - it only can find no network
Is there a (universal) way, using this AutoMAC?
I can confirm that the MAC works for me too with r12beta2.
I get the correct one.
tytung,
I made some tests.
I am able to read the mac address from android in user space.
from the shell I issue this command:
devmem 0xFC028 64
the result for me is :
0x0000DC238E762300
that is my MAC.
devmem is part of busybox and reads (and writes) physical memory using the /dev/mem device
can you please try it and see what the results are on your device?
regarding "wifi.mac=00:11:22:33:44:55" in startup.txt I think that it is not supported by the kernel itself.
in some Android ROMs this command line parameter is used by a userspace application somewhere during Android boot to change values in /proc/calibration.
can you please point me to your latest kernel sources (the r11)?
I would like to have a look at them.
tytung said:
Maybe the real MAC patch only works for SD build because we get memory dump when running WinMo 6.5.
I tested new kernel on NAND with MAGLDR installed.
And the kernel cannot read SPL or have different address offset.
Here is my r12 beta2 kernel including the above real MAC patch.
You can try it on SD build.
Thank you tytung for looking after the SD build users; we need a more stable kernel. It seems now you are the one that really focuses on it!
Sent from my HD2 Bliss using XDA App
kajos said:
No thanks left today
I'll do it tomorrow
I'm using MccMBoxmaX GS V9
http://forum.xda-developers.com/showthread.php?t=1038694
...and I'm getting no WIFI with r12beta2, but no wifi-error - it only can find no network
Is there a (universal) way, using this AutoMAC?
My kernel needs a new /system/bin/wpa_supplicant.
You can get it from http://nexus-hd2.googlecode.com/files/kernel_tytung_r12_beta1_update.zip
And remember to set the permissions.
Code:
adb shell chown 0:2000 /system/bin/wpa_supplicant
adb shell chmod 755 /system/bin/wpa_supplicant
marco.palumbi said:
I can confirm that the MAC works for me too with r12beta2.
I get the correct one.
tytung,
I made some tests.
I am able to read the mac address from android in user space.
from the shell I issue this command:
devmem 0xFC028 64
the result for me is :
0x0000DC238E762300
that is my MAC.
devmem is part of busybox and reads (and writes) physical memory using the /dev/mem device
can you please try it and see what the results are on your device?
regarding "wifi.mac=00:11:22:33:44:55" in startup.txt I think that it is not supported by the kernel itself.
in some Android ROMs this command line parameter is used by a userspace application somewhere during Android boot to change values in /proc/calibration.
can you please point me to your latest kernel sources (the r11)?
I would like to have a look at them.
In r12 beta1:
# devmem 0xFC028 64
devmem 0xFC028 64
0xFFFF7FFFFFFFFFFF
Cotulla said "MAGLDR doesn't replace OSPL/HSPL. It runs in the chain after."
http://forum.xda-developers.com/showthread.php?t=893618
Not sure what he means exactly.
I think the kernel cannot access SPL when using MAGLDR and NAND ROM.
Maybe the memory space is overwritten by MAGLDR after HSPL's task is done.
My r11 kernel info: http://forum.xda-developers.com/showpost.php?p=10429937&postcount=3
Git: http://gitorious.org/~tytung/linux-on-wince-htc/tytungs-hastarins-linux_on_wince_htc
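Two pieces of this exchange are easy to get wrong by hand: turning the 64-bit word that `devmem 0xFC028 64` prints back into the MAC (marco's 0x0000DC238E762300 is his 00-23-76-8e-23-dc read as a little-endian word, so the byte order has to be reversed), and locating the MAC in an hspl.dump to confirm the offset (tytung found it at 0x90028 and 0xFC028). The script below is an added example written for this thread, not code from tytung's kernel or from any of the posters; it decodes the devmem word, rejects readings that cannot be a station address (such as the 0xFFFF7FFFFFFFFFFF seen under MAGLDR), and searches a dump for the raw MAC bytes. The dump it searches is constructed in-memory with a sample MAC planted at the two offsets from the thread; the function names are mine.

```python
import re


def parse_mac(text):
    """Normalise a MAC written with '-', ':' or spaces (all three appear in this thread)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2].lower() for i in range(0, 12, 2))


def devmem_word_to_mac(word):
    """Decode the 64-bit value printed by 'devmem 0xFC028 64' into a MAC string.

    devmem prints the word as the little-endian ARM CPU loaded it, so the byte
    stored at 0xFC028 ends up in the least significant position; serialising
    the value little-endian recovers the stored byte order. Returns None when
    the bytes cannot be a unicast station address (all zero, or the
    multicast/broadcast bit set in the first octet, which is what the all-0xFF
    readings from the NAND/MAGLDR kernel look like).
    """
    raw = word.to_bytes(8, "little")[:6]
    if raw == b"\x00" * 6 or raw[0] & 0x01:
        return None
    return ":".join(f"{b:02x}" for b in raw)


def find_mac_offsets(dump, mac):
    """Every offset at which the 6 raw MAC bytes occur in a memory dump (e.g. hspl.dump)."""
    needle = bytes.fromhex(parse_mac(mac).replace(":", ""))
    offsets = []
    start = 0
    while True:
        idx = dump.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def make_sample_dump(mac, offsets=(0x90028, 0xFC028)):
    """Constructed 1 MiB dump (the size 'pwf hspl.dump 0x0 0x100000' writes), 0xFF-filled
    with the given MAC planted at the offsets reported in the thread."""
    dump = bytearray(b"\xff" * 0x100000)
    needle = bytes.fromhex(parse_mac(mac).replace(":", ""))
    for off in offsets:
        dump[off:off + 6] = needle
    return bytes(dump)


if __name__ == "__main__":
    print(devmem_word_to_mac(0x0000DC238E762300))   # reading posted from the SD build
    print(devmem_word_to_mac(0xFFFF7FFFFFFFFFFF))   # reading posted from NAND + MAGLDR
    dump = make_sample_dump("38: E7: D8: 8E: 27: 6D")
    print([hex(o) for o in find_mac_offsets(dump, "38-e7-d8-8e-27-6d")])
```

To check a real dump, replace `make_sample_dump(...)` with `open("hspl.dump", "rb").read()` and pass the MAC shown by WM6.5; an empty offset list means the dump does not contain the address in raw form at all, which is the kind of difference tytung noticed between marco's and kajos' dumps.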
http://theteamk.x10.mx/index.php?topic=153.0
The Team K Developers have started the work on FOTA to end the prolonged wait for Android on the Wave 525. Developers are requested to please post some code so that the project can be completed soon. Please keep this thread development-focused and clean.
After a lot of research the forum users have found the brcm2133.elf and wave 525 fota which can be decoded using IDA PRO DISASSEMBLER.
Anyone who can help can come forward and help
Thanks
I HAVE FOUND BCM21331.elf IN SAMSUNG CORBY s3653w FIRMWARE FILE. THERE IS ALSO WEBKIT.elf. DOWNLOAD IT FROM HERE(it is contained in firmware):
Please.
Need BCM21331.elf for study...
Where to download?
You can write PM. :angel:
Thanx in advance.
Best Regards
adfree said:
Please.
Need BCM21331.elf for study...
Where to download?
You can write PM. :angel:
Thanx in advance.
Best Regards
http://mediafire.com/?uxhiu82ffwcrvue
You can download brcm21331 from the above link. It is present in the SAMSUNG CORBY s3653w FIRMWARE FILE.
Thanks
It seems BCM21331.elf of S3653WDXJG2 is apps_compressed.bin... not Bootfiles...
http://forum.xda-developers.com/showthread.php?t=1325713
Code:
ELF_MAP
BCM21331.csi 9 MB
BCM21331.elf 327 MB
BCM21331.map 125 MB
BCM21331.sym 41 KB
WEBKIT.elf 167 MB
Seen from S3850... but no valid Downloadlink...
Best Regards
reply
adfree said:
It seems BCM21331.elf of S3653WDXJG2 is apps_compressed.bin... not Bootfiles...
http://forum.xda-developers.com/showthread.php?t=1325713
Code:
ELF_MAP
BCM21331.csi 9 MB
BCM21331.elf 327 MB
BCM21331.map 125 MB
BCM21331.sym 41 KB
WEBKIT.elf 167 MB
Seen from S3850... but no valid Downloadlink...
Best Regards
I didn't understand.
Did mediafire say that the download link was not valid?
Anyway I will upload the elf file today (I have downloaded it).
I don't think that the elf file is apps_compressed.bin.
You can check it out yourself after I upload the file.
Thanks
request
I also request the moderators and administrators to make this thread sticky.
Thanks
Anyway I will upload the elf file today (I have downloaded it).
NO. Thank you.
I have this file. :angel:
But this is apps_compressed.bin... NOT Bootloader and it is only 1 file of 3 or 4 files...
Missing, because maybe helpful...
Code:
BCM21331.csi
BCM21331.map
BCM21331.sym
So it is maybe less helpful to find correct ""FOTA values"" to make such output + more...
http://forum.xda-developers.com/showthread.php?t=1496729
Best Regards
I am not really well versed with the coding.
Do you need the BCM21331.csi
BCM21331.map
BCM21331.sym files?
Thanks
Anyway, here is the brcm21331.elf for all other devs
http://d-h.st/VMs
Thanks
Devs, please help and contribute to this thread
I am using IDA Pro to decode the brcm21331.elf but need help on how to use this software
Thanks
Again...
Check this Thread...
http://forum.xda-developers.com/showthread.php?t=1496729
From S8500...
Code:
#include "BL3.h"
unsigned long c_MemMMUCacheEnable[] = { 0xaab9f874, 0 };
unsigned long c_disp_FOTA_Init[] = { 0xbfab9174, 0 };
unsigned long c_disp_FOTA_Printf[] = { 0xb69c410b, 0 };
unsigned long c_OemSysGetSystemInfo[] = { 0xc3ac31a5, 0 };
unsigned long *fun_crc[i_endMarker] = {c_MemMMUCacheEnable,
                                       c_disp_FOTA_Init,
                                       c_disp_FOTA_Printf,
                                       c_OemSysGetSystemInfo
                                      };
This is what you need to find... MINIMUM.
This what we can find in BL3_univ.elf + BL3_univ.map
These files are from BOOTLOADER...
BCM21331.elf is ELF file of apps_compressed.bin...
You can NOT find this text in BCM21331.elf
Code:
MemMMUCacheEnable
disp_FOTA_Init
disp_FOTA_Printf
OemSysGetSystemInfo
So I am pretty sure... 51 % that BCM21331.elf is WRONG file to find correct values...
Anyway. With study of BCM21331.elf maybe someone can better understand how SHP/MOCHA Security etc. work...
Good luck.
Best Regards
adfree said:
Again...
Check this Thread...
http://forum.xda-developers.com/showthread.php?t=1496729
From S8500...
Code:
#include "BL3.h"
unsigned long c_MemMMUCacheEnable[] = { 0xaab9f874, 0 };
unsigned long c_disp_FOTA_Init[] = { 0xbfab9174, 0 };
unsigned long c_disp_FOTA_Printf[] = { 0xb69c410b, 0 };
unsigned long c_OemSysGetSystemInfo[] = { 0xc3ac31a5, 0 };
unsigned long *fun_crc[i_endMarker] = {c_MemMMUCacheEnable,
                                       c_disp_FOTA_Init,
                                       c_disp_FOTA_Printf,
                                       c_OemSysGetSystemInfo
                                      };
This is what you need to find... MINIMUM.
This what we can find in BL3_univ.elf + BL3_univ.map
These files are from BOOTLOADER...
BCM21331.elf is ELF file of apps_compressed.bin...
You can NOT find this text in BCM21331.elf
Code:
MemMMUCacheEnable
disp_FOTA_Init
disp_FOTA_Printf
OemSysGetSystemInfo
So I am pretty sure... 51 % that BCM21331.elf is WRONG file to find correct values...
Anyway. With study of BCM21331.elf maybe someone can better understand how SHP/MOCHA Security etc. work...
Good luck.
Best Regards
Thanks for the clarification.
In the FOTA editing,are you guys using asm coding language ?
What minimum do i need to find?
Thanks
This whole thread and idea is wrong at this moment. FOTA exploit has been confirmed to work only for bootloaders of S8500 and S8530. There is no clue if there's such security flaw present in 525 - ergo, you should start with looking for security hole, and then writing exploit to utilise it instead of writing exploit without even knowing if there's anything to exploit literally.
FOTA exploit has been confirmed to work only for bootloaders of S8500 and S8530. There is no clue if there's such security flaw present in 525 - ergo, you should start with looking for security hole...
We all know it was looooooong way between first text output and later magic things with FOTA for S8500 and S8530... like zImage start for Android and so on...
http://forum.xda-developers.com/showthread.php?t=1020444
Short look into GT-S5250_Training_Manual_SW.ppt
1.
FOTA file used...
Code:
bplib_S5250OpenEuropeSlav.fota
Chance "high" to generate text output. :angel:
1.1
Broadcom Mobile Trace Terminal
Not found yet... maybe same like WinComm...
2.
Btw...
_uart_bootloader
Code:
boot1a.img
boot1b.img
boot2.img
onenandboot_4k.img
What is this? Found in
Code:
S5250XEJI4.rar
S5250XEJI6.rar
I have NO Broadcom devices for tests... also NOT in future...
Find your own solution, with your own way...
Best Regards
P.S.:
If way found for zImage start... you need your own/new Broadcom team...
Sorry.
Thank you everyone for any input you are giving
Rebellos, thank you very much, that fact was an eye opener.
I will be really grateful to you guys if you can tell me how you came to know about the security loophole. Any kind of help is greatly acknowledged. Again I would like to thank adfree and Rebellos for their contributions to this thread and the facts.
I've made a 20 minutes exercise - I downloaded bootfiles from S5250 (S5250XXJK2) and disassembled boot2.img using a guess that the bootloader is loaded at 83E00000. Easily found FOTA code similar to S8500. The binary is loaded from flash address 07E00000 to RAM 85200000 and executed there if the BPDZ marker is available (apps and fota file is checked as well), just as in S8500. The difference is switch arm32 and thumb mode.
In the attachment I've provided a sample fota file along with asm sources. That's all I can help. There's so much more to be handled from this moment on, but it's your job if you are to be capable of continuing any porting project. Please be aware that this is a hopeless task and you do it for fun and exploring. A finished port is not likely to ever be achieved unless you have a device with exactly the same board (not only microcontroller, but display, radio, camera, wifi, sensors, etc) as another android device.
Can you guys tell me how you decoded boot2.img?
I mean using which software, and how did you get the code?
Please help
Thanks
Maybe you could try what mijoma attached...
S5250_src.zip
Especially this file:
S5250_fota_base.fota
Feedback help if it work or not...
Best Regards
You did not understand what I said.
I asked how you decoded boot2.img, using which software, and how you got the code.
You did not understand what I said.
Few answers are given...
Now mijoma offered FIRST solution for testing...
S5250_fota_base.fota
Now waiting for someones test feedback...
mijoma has NO broadcom device for testing...
Me too...
So you or other S5250 users...
I have also asked in German Thread...
http://www.handy-faq.de/forum/samsu...sion_download_freigegeben-11.html#post2541317
I also cannot see a test result here in your thread...
http://androbada525.hj.cx/index.php/topic,153.15.html
Best Regards
Hello folks! how are you doing?
Since we've seen Alpha kernel is still an alpha and we need to provide developers with every detail of our device we can.
I've decided to search through threads and get some commands from there to gather the information required:
You can gather these data by downloading Terminal Emulator from the market or by properly installing Google SDK and doing an adb shell then running the commands.
If commands do not seem to work at first glance, please reboot the phone then try again running the commands below.
Edit 1:
For all the people having problems not mentioned on the bug list, please report the problems in this spreadsheet
https://docs.google.com/spreadsheet/ccc?key=0AkQTVc3TvAUxdFNBOWFFRzNneWRHcW56MEtLVGJqdVE#gid=0
There are several sheets to fill with the mentioned problems
Edit 2:
For all users who might have problem gathering Tegra Revision, Speedo ID, CPU Process, Core Process; please install leaked rom / AtrICS, reboot and try searching again.
Else; please send me the dmesg command output via PM and I'll upload the results.
Please note that I'll discard dmesg from kernels that are not the leaked and/or 3.1
---
Identify Memory type:
Grab a terminal then run after a reboot
Code:
su -
dmesg | grep LPDDR2
Types of Memory
LPDDR2 MR5: 0x0003 (0x0303) = Elpida (Manufacturer)
LPDDR2 MR6: 0x0000 (0x0000) \
LPDDR2 MR7: 0x0000 (0x0000) / = 50nm
LPDDR2 MR8: 0x0054 (0x5454) = 1GB
LPDDR2 MR5: 0x0003 (0x0303) = Elpida (Manufacturer)
LPDDR2 MR6: 0x0001 (0x0101) \
LPDDR2 MR7: 0x0000 (0x0000) / = 40nm
LPDDR2 MR8: 0x0054 (0x5454) = 1GB
LPDDR2 MR5: 0x0006 (0x0606) = Hynix (Manufacturer)
LPDDR2 MR6: 0x0000 (0x0000) \
LPDDR2 MR7: 0x0000 (0x0000) / = 54nm (Note that this is still 54nm for MR7 = 0x0001 (0x0101))
LPDDR2 MR8: 0x0054 (0x5454) = 1GB
---
Identify which Panel Type do we have:
After a fresh reboot
Grab a terminal
Code:
su -
dmesg | grep atag
or
Code:
su -
dmesg | grep panel
Examples:
Code:
dmesg | grep atag
mot_parse_atag_motorola: panel type: 0x80000740
or
Code:
dmesg | grep panel
<6>[ 0.000000] parse_tag_motorola: panel_size: 0x740
---
Identify Tegra Revision:
Code:
su -
dmesg | grep Tegra
then search for something similar to
Code:
"Tegra Revision: AXX prime"
---
Well, let's see if we can help Atrix Kernel Team to improve the kernel with this useful information
Also, if anybody would like to contribute showing how to gather more data; that'd be awesome and I'll edit this post
Thanks guys, have a good day!
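The memory-type table in the post above is a lookup over four dmesg lines, and the thread shows how easy it is to grep too late (the ring buffer has rolled over) or to mis-read a register by eye. The script below is an added example, not part of the post or of any Atrix kernel tooling: it pulls the `LPDDR2 MRn:` values out of raw dmesg text and maps them through exactly the combinations the table lists, returning None when the lines are missing so the reader knows to reboot and rerun rather than trusting a partial result. The dmesg excerpt embedded in it is constructed (timestamps invented) from the lines in the post; the function names are mine.

```python
import re

# "LPDDR2 MR5: 0x0003 (0x0303)" -> register number and the first (per-channel) value
MR_RE = re.compile(r"LPDDR2 MR(?P<reg>\d+): 0x(?P<val>[0-9A-Fa-f]{4})")

# Lookup tables transcribed from the post above; anything else is reported as unknown.
VENDORS = {0x0003: "Elpida", 0x0006: "Hynix"}
DENSITY = {0x0054: "1GB"}


def parse_mode_registers(dmesg_text):
    """Collect the LPDDR2 mode-register values (MR number -> value) from raw dmesg output."""
    regs = {}
    for line in dmesg_text.splitlines():
        m = MR_RE.search(line)
        if m:
            regs[int(m["reg"])] = int(m["val"], 16)
    return regs


def process_node(vendor, mr6, mr7):
    """Map MR6/MR7 to the process node using only the combinations listed in the post."""
    if vendor == "Elpida":
        if mr6 == 0x0000 and mr7 == 0x0000:
            return "50nm"
        if mr6 == 0x0001 and mr7 == 0x0000:
            return "40nm"
    if vendor == "Hynix":
        # the post notes MR7 = 0x0001 is still 54nm for Hynix parts
        if mr6 == 0x0000 and mr7 in (0x0000, 0x0001):
            return "54nm"
    return "unknown"


def identify_memory(dmesg_text):
    """Return {vendor, process, density}, or None if the MR lines are not in the buffer
    (typically because dmesg was captured too long after boot: reboot and rerun)."""
    regs = parse_mode_registers(dmesg_text)
    if not all(r in regs for r in (5, 6, 7, 8)):
        return None
    vendor = VENDORS.get(regs[5], "unknown")
    return {
        "vendor": vendor,
        "process": process_node(vendor, regs[6], regs[7]),
        "density": DENSITY.get(regs[8], "unknown"),
    }


# Constructed dmesg excerpt modelled on the lines in the post (timestamps are made up).
SAMPLE_DMESG = """\
<6>[    0.312345] LPDDR2 MR5: 0x0003 (0x0303)
<6>[    0.312400] LPDDR2 MR6: 0x0001 (0x0101)
<6>[    0.312450] LPDDR2 MR7: 0x0000 (0x0000)
<6>[    0.312500] LPDDR2 MR8: 0x0054 (0x5454)
"""

if __name__ == "__main__":
    print(identify_memory(SAMPLE_DMESG))
```

On the phone, `dmesg > /mnt/sdcard/dmesg.txt` right after a reboot (as suggested later in this thread) and then feed that file's contents to `identify_memory()`; a None result means the `LPDDR2` lines had already scrolled out of the kernel log, not that the memory is an unknown type.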
You are the man!!!....good work my friend...:good:
Thanks for this.
Thanks
This is super helpful. Now if I can just get my post count up high enough to post to dev forums....
Types of Memory
LPDDR2 MR5: 0x0003 (0x0303) = Elpida (Manufacturer)
LPDDR2 MR6: 0x0000 (0x0000) \
LPDDR2 MR7: 0x0000 (0x0000) / = 50nm
LPDDR2 MR8: 0x0054 (0x5454) = 1GB
Identify which Panel Type do we have:
dmesg | grep panel
<6>[ 0.000000] parse_tag_motorola: panel_size: 0x740
However, using the command "dmesg | grep Tegra" doesn't give me anything close to any revision information.
Seems like you ran dmesg a little too late. You need to run it as soon as possible upon bootup.
ravilov said:
Seems like you ran dmesg a little too late. You need to run it as soon as possible upon bootup.
Is it supposed to be a capital T in tegra? I rebooted several times and get the same stuff every time
I tried dmesg | grep revision
and got this:
CPU: ARMv7 Processor [411fc090] revision 0 (ARMv7), cr=10c53c7d.
vintage47 said:
Is it supposed to be a capital T in tegra? I rebooted several times and get the same stuff every time
No idea, but you can use grep -i Tegra, that should make capitalization irrelevant.
Solved, I was looking on dmesg from old kernel
--------------------------------------------------------------------------------------------------------------------------
Hello,
How do I find the Tegra Revision, Speedo ID, CPU Process, Core Process that Kristianp requested in my dmesg? Am I stupid, or does it show differently?
best regards,
Ferenc.
I cant find the tegra revision either. I can see the first thing in the log, but not the tegra revision.
Do after a fresh reboot in leaked kernel and Rom ( 10.1 epinter is mine)
Reboot when SD Card is present
Dear JhonnyX:
As I cannot write in the Google Docs Spreadsheet, please find the information from my Atrix Below. The Bug is the reboot when entering deep sleep with SD card inserted.
Sorry but I could not find my Atrix Revision on the early dmesg.
Best regards
Javier
ingelectronico said:
Dear JhonnyX:
As I cannot write in the Google Docs spreadsheet, please find the information from my Atrix below. The bug is the reboot when entering deep sleep with the SD card inserted.
Sorry but I could not find my Atrix Revision on the early dmesg.
Best regards
Javier
PM'ed you regarding the missing info
Also, users who might have spreadsheet access problem, please let me know via PM.
new fields
I want to add my info on the modem drops spreadsheet.
How do I find what values my phone has for these fields?
Speedo ID
CPU Process
Core Process
CPU governor
Connect the phone to USB and activate adb. Reboot. As soon as it has finished rebooting, use adb shell and type dmesg > /mnt/sdcard/dmesg.txt
Now search that file.
This has been answered many times before.
Next time use search.
Sent from my MB860 using Tapatalk 2
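A worked example, added to this thread and not posted by any of its members: a small Python parser that pulls the fields the spreadsheet asks for (Tegra Revision, Speedo ID, CPU Process, Core Process, plus the CPU and panel_size lines quoted earlier in the thread) out of a dmesg dump saved with dmesg > /mnt/sdcard/dmesg.txt and pulled back over adb. The sample dump inside it is constructed: the CPU and panel_size lines are the ones quoted above, while the "Tegra Revision: ... SKU: ... CPU Process: ... Core Process: ... Speedo ID: ..." line is an assumed format, so adjust the regexes if your kernel prints it differently. It also checks whether the dump still contains time-zero lines, which is the usual reason a late dmesg comes back empty.

```python
"""Pull board-identification fields out of a saved Android dmesg dump.

Added example, not from the thread. Collect the dump right after boot:
    adb shell dmesg > dmesg.txt
and feed the text to parse_dmesg().
"""
import re
from typing import Dict, Optional

# Constructed sample. The CPU and panel_size lines are the ones quoted in the
# thread; the "Tegra Revision" line is an ASSUMED format (real kernels may
# print the fields in another order or wording).
SAMPLE_DMESG = """\
<5>[    0.000000] Linux version 2.6.32.9 (constructed sample line)
<4>[    0.000000] CPU: ARMv7 Processor [411fc090] revision 0 (ARMv7), cr=10c53c7d
<6>[    0.000000] parse_tag_motorola: panel_size: 0x740
<6>[    0.000000] Tegra Revision: A03 SKU: 8 CPU Process: 1 Core Process: 1 Speedo ID: 0
<6>[   12.345678] init: constructed filler line, many of these push out the early lines
"""

# One regex per spreadsheet field. Matching is case-insensitive because
# posters were unsure whether "Tegra" is capitalised in the log.
FIELD_PATTERNS = {
    "tegra_revision": r"Tegra Revision:\s*(\w+)",
    "sku": r"SKU:\s*(\w+)",
    "cpu_process": r"CPU Process:\s*(\d+)",
    "core_process": r"Core Process:\s*(\d+)",
    "speedo_id": r"Speedo ID:\s*(\d+)",
    "cpu_revision": r"CPU: ARMv7 Processor \[([0-9a-f]+)\] revision (\d+)",
    "panel_size": r"panel_size:\s*(0x[0-9a-f]+)",
}

# "<level>[ seconds] message"; the <level> prefix is optional on some builds.
LOG_LINE = re.compile(r"^(?:<\d>)?\[\s*(\d+\.\d+)\]\s*(.*)$")


def parse_dmesg(text: str) -> Dict[str, Optional[str]]:
    """Return each field's value, or None when the dump does not contain it."""
    found: Dict[str, Optional[str]] = {name: None for name in FIELD_PATTERNS}
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        msg = m.group(2) if m else raw  # tolerate lines without a prefix
        for name, pattern in FIELD_PATTERNS.items():
            if found[name] is None:
                hit = re.search(pattern, msg, re.IGNORECASE)
                if hit:
                    # Multi-group fields (CPU id + revision) are joined with ':'.
                    found[name] = ":".join(hit.groups())
    return found


def early_boot_present(text: str) -> bool:
    """True if the dump still holds [0.000000] lines.

    The kernel log buffer is a ring; once it wraps, the fuse and CPU lines
    printed at time zero are gone, which is why a late "dmesg | grep Tegra"
    returns nothing. Dump the log as soon as adb comes up after a reboot.
    """
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if m and float(m.group(1)) == 0.0:
            return True
    return False


if __name__ == "__main__":
    if not early_boot_present(SAMPLE_DMESG):
        print("warning: no time-zero lines left, dump dmesg earlier after boot")
    for field, value in parse_dmesg(SAMPLE_DMESG).items():
        print(f"{field:15} {value}")
```

Run it against a real dump by replacing SAMPLE_DMESG with the file contents; a field that comes back None and a missing time-zero marker together mean the log had already wrapped, not that the kernel never printed it.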
To be continued
Sounds promising =D
Sorry, I am unable to find working stock kernel source code. The one from http://dl-developer.sonymobile.com/code/copylefts/6.2.A.1.100.tar.bz2 fails to compile at the start, so I cannot continue; I don't want to waste my time fixing it, since I need exactly the same kernel source which will produce exactly the same binary (the stock kernel). Probably that will not happen since the Sony public source is broken, so I cannot produce the same binary, plus later: new modules needed for kexec. Sorry guys, I'm stopping now. Our SoC is going to irritate me a lot.
I can just compile it.
Using doomlords prebuilt toolchain
Sent from my C2 using xda app-developers app
nickholtus said:
I can just compile it.
Using doomlords prebuilt toolchain
Sent from my C2 using xda app-developers app
Did you try the latest Sony archive? I don't know why, but when I "make defconfig" and then do "make", compilation asks me for a lot of defconfig-related things (choices); it seems the archive from Sony is corrupted? I tried riogrande**defconfig, and also tried the defconfig which I use; none are working. It asks me for x86 things, which is... no logic.
If someone has a locked bootloader and has "unlock allowed - no", please give me a TA backup! To get a TA backup, simply install http://www.flashtool.net/download.php and do:
1. install it
2. run it
3. click file menu -> switch to pro
4. click the advanced menu -> trim area -> s1 -> backup
5. post your dump here
Thanks!
You can find many TA backups here.
Sent from my Xperia S using Tapatalk
djolivier said:
You can find many TA backups here.
Sent from my Xperia S using Tapatalk
Mission impossible with TA http://forum.xda-developers.com/showpost.php?p=49958520&postcount=687 only maybe kexec can do the job
Maybe hashcode could help for kexec on a locked bootloader. He seems to have made it work on several locked devices (Motorola, latest Samsung).
munjeni said:
Sorry, I am unable to find working stock kernel source code. The one from http://dl-developer.sonymobile.com/code/copylefts/6.2.A.1.100.tar.bz2 fails to compile at the start, so I cannot continue; I don't want to waste my time fixing it, since I need exactly the same kernel source which will produce exactly the same binary (the stock kernel). Probably that will not happen since the Sony public source is broken, so I cannot produce the same binary, plus later: new modules needed for kexec. Sorry guys, I'm stopping now. Our SoC is going to irritate me a lot.
Sir, I can confirm that it's compiling. [TOOLCHAIN- arm-eabi-4.4.3 ] without any changes made in the Makefile for now. Which toolchain are you using?
Cheers,
AJ
@munjeni as of now, the Xperia U tree and P tree are using ARM-EABI-4.4.3
You can git clone it from here --> www.github.com/Abhinav1997/arm-eabi-4.4-3 and push it over to prebuilts/gcc/linux-x86/arm
So, if you still get errors, modify the toolchain line to: "arm-eabi-4.4.3/bin/arm-eabi-"
Hope it helps
Abhinav2 said:
Sir, I can confirm that it's compiling. [TOOLCHAIN- arm-eabi-4.4.3 ] without any changes made in the Makefile for now. Which toolchain are you using?
Cheers,
AJ
Sorry, my bad :laugh: I executed it this way:
make ARCH=arm CROSS_COMPILE=/root/gitstvari/android_prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi- riogrande_lotus_defconfig
make
instead of
make ARCH=arm CROSS_COMPILE=/root/gitstvari/android_prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi- riogrande_lotus_defconfig
make ARCH=arm CROSS_COMPILE=/root/gitstvari/android_prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin/arm-eabi-
OK, will continue.
Here is the git repo: https://github.com/munjeni/stock_jb_kexec_kernel_for_locked_bootloader/commits/master
lsmod
kexec_load 28179 0 - Live 0x00000000
procfs_rw 2435 0 - Live 0x00000000
status
[email protected]:/data/local/tmp # grep kexec_driver /dev/devices
grep kexec_driver /dev/devices
grep: /dev/devices: No such file or directory
2|[email protected]:/data/local/tmp # kexec --load zImage --initrd=initrd.gz --mem-min=0x3000000 --command-line="$(cat /proc/cmdline)"
kernel: 0x401c7008 kernel_size: 35f1f8
kexec_load: entry = 0x3008000 flags = 280000
nr_segments = 3
segment[0].buf = 0xe75090
segment[0].bufsz = 210
segment[0].mem = 0x3001000
segment[0].memsz = 1000
segment[1].buf = 0x401c7008
segment[1].bufsz = 35f1f8
segment[1].mem = 0x3008000
segment[1].memsz = 360000
segment[2].buf = 0x40529008
segment[2].bufsz = 47e538
segment[2].mem = 0x3d7d000
segment[2].memsz = 47f000
kexec_load failed: Function not implemented
entry = 0x3008000 flags = 280000
nr_segments = 3
segment[0].buf = 0xe75090
segment[0].bufsz = 210
segment[0].mem = 0x3001000
segment[0].memsz = 1000
segment[1].buf = 0x401c7008
segment[1].bufsz = 35f1f8
segment[1].mem = 0x3008000
segment[1].memsz = 360000
segment[2].buf = 0x40529008
segment[2].bufsz = 47e538
segment[2].mem = 0x3d7d000
segment[2].memsz = 47f000
255|[email protected]:/data/local/tmp # cat /dev/kexec_driver
Progress:
[72371.535949] Kexec: KDS_entry : '3008000'
[72371.535980] Kexec: KDS_nr_segments : '3'
[72371.535980] Kexec: KDS_segment : '1afe8a8'
[72371.535980] Kexec: KDS_kexec_flags : '280004'
[72371.536010] Kexec: - Starting kexec_load...
[72371.599609] Kexec: - ---- kexec_load - result : '0'
[72392.445739] Kexec:-----------------------------------------------------
[72392.445800] Kexec: REBOOT DEVICE !!!
[72392.445953] Starting new kernel
[72392.446044] Bye!
The remaining thing is: I need to reserve memory for storing the hardboot atags; hopefully I can store them in the same memory as used by my kernel, if not then I will investigate something.
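An added example, not from the thread or from kexec-tools: a Python checker that parses the segment list kexec printed above and re-applies the sanity checks the kernel's kexec_load() enforces before it accepts an image (page-aligned destinations, each buffer fitting in its destination, no overlapping destinations), plus the --mem-min bound from the command line and a check that the entry point lands inside a segment. The numbers embedded in it are the ones posted above and pass every check; the "Function not implemented" result above is ENOSYS, i.e. the stock kernel simply has no kexec_load syscall, which is why the module behind /dev/kexec_driver was needed. This checker only tells you whether a layout is sane before you hand it to either path.

```python
"""Sanity-check a kexec --load segment layout before attempting to boot it.

Added example; not from the thread or from kexec-tools. It parses the
"segment[N].field = value" lines that kexec prints and re-applies the checks
the kernel's kexec_load() enforces, plus the thread's --mem-min bound.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAGE = 0x1000  # page size kexec_load() aligns segments to on ARM

# Copied verbatim from the kexec output posted in the thread.
THREAD_OUTPUT = """\
kexec_load: entry = 0x3008000 flags = 280000
nr_segments = 3
segment[0].buf = 0xe75090
segment[0].bufsz = 210
segment[0].mem = 0x3001000
segment[0].memsz = 1000
segment[1].buf = 0x401c7008
segment[1].bufsz = 35f1f8
segment[1].mem = 0x3008000
segment[1].memsz = 360000
segment[2].buf = 0x40529008
segment[2].bufsz = 47e538
segment[2].mem = 0x3d7d000
segment[2].memsz = 47f000
"""

# kexec prints everything in hex, sometimes with and sometimes without 0x.
SEG_LINE = re.compile(r"segment\[(\d+)\]\.(buf|bufsz|mem|memsz)\s*=\s*(?:0x)?([0-9a-fA-F]+)")
ENTRY_LINE = re.compile(r"\bentry\s*=\s*(?:0x)?([0-9a-fA-F]+)")


@dataclass
class Segment:
    index: int
    buf: int    # source address in the loading process
    bufsz: int  # bytes to copy from buf
    mem: int    # physical destination
    memsz: int  # bytes reserved at mem (zero-padded beyond bufsz)


def parse_kexec_output(text: str) -> Tuple[Optional[int], List[Segment]]:
    """Return (entry point, segments) parsed from kexec's debug output."""
    entry: Optional[int] = None
    fields: Dict[int, Dict[str, int]] = {}
    for line in text.splitlines():
        m = ENTRY_LINE.search(line)
        if m and entry is None:
            entry = int(m.group(1), 16)
        m = SEG_LINE.search(line)
        if m:
            fields.setdefault(int(m.group(1)), {})[m.group(2)] = int(m.group(3), 16)
    segments: List[Segment] = []
    for idx in sorted(fields):
        f = fields[idx]
        if all(k in f for k in ("buf", "bufsz", "mem", "memsz")):
            segments.append(Segment(idx, f["buf"], f["bufsz"], f["mem"], f["memsz"]))
    return entry, segments


def check_layout(entry: Optional[int], segments: List[Segment], mem_min: int = 0) -> List[str]:
    """Return a list of problems; an empty list means the layout passes."""
    problems: List[str] = []
    for s in segments:
        if s.mem % PAGE or s.memsz % PAGE:
            problems.append(f"segment[{s.index}]: mem/memsz not page aligned")
        if s.bufsz > s.memsz:
            problems.append(f"segment[{s.index}]: bufsz {s.bufsz:#x} exceeds memsz {s.memsz:#x}")
        if s.mem < mem_min:
            problems.append(f"segment[{s.index}]: mem {s.mem:#x} below --mem-min {mem_min:#x}")
    # Destinations must not overlap: sort by address and compare neighbours.
    ordered = sorted(segments, key=lambda s: s.mem)
    for a, b in zip(ordered, ordered[1:]):
        if a.mem + a.memsz > b.mem:
            problems.append(f"segment[{a.index}] overlaps segment[{b.index}]")
    if entry is None:
        problems.append("no entry point found")
    elif not any(s.mem <= entry < s.mem + s.memsz for s in segments):
        problems.append(f"entry {entry:#x} is not inside any segment")
    return problems


if __name__ == "__main__":
    entry, segs = parse_kexec_output(THREAD_OUTPUT)
    issues = check_layout(entry, segs, mem_min=0x3000000)
    print("layout OK" if not issues else "\n".join(issues))
```

Paste any other kexec --load transcript into THREAD_OUTPUT to check it; the three segments above are the boot parameters at 0x3001000, the zImage at 0x3008000 (which is also the entry point) and the initrd at 0x3d7d000, all page aligned, non-overlapping and above the 0x3000000 floor.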
I wouldn't want to disturb devs working, but I think it would be interesting to follow this.
And btw, if you are still wondering about RCK_H, it's encrypted with an unsalted SHA-256 hash
wan5xp said:
Maybe hashcode could help for kexec on a locked bootloader. He seems to have made it work on several locked devices (Motorola, latest Samsung).
Who? Where?
mirhl said:
I wouldn't want to disturb devs working, but I think it would be interesting to follow this.
And btw, if you are still wondering about RCK_H, it's encrypted with an unsalted SHA-256 hash
Probably someone found something and posted it, but the post is deleted http://forum.xda-developers.com/show....php?t=1196932 why?
munjeni said:
Probably someone found something and posted it, but the post is deleted http://forum.xda-developers.com/show....php?t=1196932 why?
Your link was bad
but what posts should have been deleted? Can't see anything wrong
mirhl said:
Your link was bad
but what posts should have been deleted? Can't see anything wrong
This is a copy-pasted link, so I cannot open the broken link; I tried to append 1196932 to http://forum.xda-developers.com/newreply.php?do=newreply&p= but that's not a link which points to the post related to the "achieved unlock thing"... someone says that there is a thread where some guys found an unlock procedure for "unlock allowed = no", so I cannot see this thread.