[Q] Error free Script.bin to Script.fex conversion? - Android Q&A, Help & Troubleshooting

bin2fex conversion typo's
When converting script.bin to script.fex it shows
port? instead of portower
Extracted COMMON _SYS_CONFIG100000.fex with ext4_unpacker
and ext2explore shows portower but I get random junk symbols appearing throughout the whole text like
;rtp_screen_size : ±íÆÁÄ»³ß´ç£¬ÒÔб¶Ô½Ç·½Ïò³¤¶ÈΪ׼£¬ÒÔ´çΪµ¥Î»
;tp_regidity_level : ±íÆÁÄ»µÄÓ²¶È£¬ÒÔÖ¸¸²°´Ñ¹£¬Ì§Æðʱ¿ªÊ¼¼Æʱ£¬¶àÉÙ¸ö10msʱ¼äµ¥Î»Ö®ºó£¬Ó²¼þ²É¼¯²»µ½Êý¾ÝΪ׼£»
; ͨ³££¬ÎÒÃǽ¨ÒéµÄÆÁ£¬5´çÆÁÉèΪ5,7´çÆÁÉèΪ7£¬
; ¶ÔÓÚijЩ¹©Ó¦ÉÌÌṩµÄÆÁ£¬Ó²¶È¿ÉÄܲ»ºÏÒªÇó£¬ÐèÒªÊʶȵ÷Õû
instead of
rtp_screen_size = 5
rtp_regidity_level = 5
is there any known error free converter that has been verified via checksums for doing bin to fex and vice-versa?


All Hurricane ROMS in one place!!!

I would ask all active members to upload or share their collection of roms for Hurricane. I bricked my hurr 2 years from now and yesterday i got one so i would like to try as many roms as possible, and it will be great for all to share roms!!! I found several on this forum (lazaj's, saleng's, shadow's) but i think that there is more!!! So share your collection!!!
Here i found some on forum:
hurricane unlock, patch and upgrade wm 6.1(selang09) ***
Link: http://www.megaupload.com/?d=JLO5H1L7
Thread: http://forum.xda-developers.com/showthread.php?t=475286
Opinion: Good one, but chinese language everywhere! After u change main lang. still some apps name stay in chinese and options too!
wm6.1 for hurricane (with Bluetooth and INFRARED RAY problems solved)0415update!!!
Link: http://rapidshare.com/files/100934508/5x6_wm6.1_0319.rar
Thread: http://forum.xda-developers.com/showthread.php?t=378607
Opinion: Didn't tried!
WM 6 Graphite rom, how to get WMPlayer in English (now in Polish)
Link: http://rapidshare.com/files/108676266/wm6_2_2.zip
Thread: http://forum.xda-developers.com/archive/index.php/t-384972.html
Opinion: Using this one right now! Seems ok, works nice, nice look, except incoming calls didn't show up!!! Very bad bug!
Wm 6.1 Pl/eng
Link: http://rapidshare.com/files/131860280/wm_6_1_by_Lazaj007.zip
Thread: http://forum.xda-developers.com/showthread.php?t=410739
Opinion: Tried before Graphite eng edition, works great, looks great... Main lang polski, after lang change WMP stay in polski! But still ok!
WM6 for SPV C550
Link: http://rapidshare.com/files/56833250/566.zip
Thread: http://forum.xda-developers.com/showthread.php?t=330709
Opinion: Never tried!
And one pack with SPL 1.00.84 & soft spl (nb, nbf), IPL 1.00.15, GSM DATA (hex and dec), bootloader commands, splsplit... etc!
Link: http://rapidshare.com/files/427352270/data_hurricane.rar
Info: This last files can help u to unbrick your hurricane (BUT AVOID TO BRICK IT), i found it on pda2u.ru , and thanks them for that! Special thanks to member SAXON!
I found many links for ROMs but those which is here have alive links! Someone with good upload speed can reup them again in one pack and post a link here!
ENJOY!
I would like to have a non T-Mobile German version (can be a shipped ROM). Have not found any yet, only those that are available at www.shipped-roms.com Have to live with de-branding this as it seems.
Possibly someone with any of the following devices can do a "r2sd all" backup of the ROM?
imate SP4M
Orange C550
Qtek 8200 (the Russian/English is available as RUU)
Thanks for this link tobbbie !
Btw, in selang's rom SMS Send don't work! So, it is useless!!! :S
I have tested all ROM´s below for SDA II, but for me lazaj007 is the best of all
Thanks to lazaj007
Did anyone care to pick up some ROM cooking for that device? I did not succeed in getting the .BIN files manipulated correctly - and I think I have a collection of nearly all ROM tools now :-(
howto convert .bin to .nb0 and back
Foreword:
.BIN files are not all the same by their nature (of course not by content). There are
.bin that are used to identify the bare binary content of the various partitions (you mostly see those)
.bin that are used to flash a ROM to the device. This looks somehow historic though, the format is already described by itsme at: http://www.xs4all.nl/~itsme/projects/xda/wince-flashfile-formats.html. It seems to me that some non HTC devices are still using this format.
The osnbtool.exe (from Weisun at PDACLAN.COM) does not work for any purpose regarding .bin files
at least not for Hurricane.
- The -sp option cuts only the B000F\0a header but does not reconstruct the blocks of the .bin file.
Mind that small .bin files (smaller than 0x1c00000) are treated correctly as there is only one block.
- The -2bin option creates an incorrect .bin header (sets a weird total length) and sets totally confused
block-load addresses for the created blocks of 64k (0x10000) size. Check it with viewbin.exe if you like.
Reference for the filestructure by itsme:
http://www.xs4all.nl/~itsme/projects/xda/wince-flashfile-formats.html
The splitrom.pl (itsme romtools) seems not to be able to read the content of any .bin file I have fed to it.
Neither for .BIN files created for Hurricane nor those for Typhoon, I always get:
cmd> splitrom.pl <binfile>
B000FF image: 82040000-84c40000, entrypoint: 00000000
!!! your rom is not known to me: md5: a520f0d1093b36f0a3cfd9323ea99155
this bootloader seems to be No bootloader present
no xipchain found
no bootloader found
no operator rom found
no bitmap found
I am rather sure it should handle everything correctly but I am too stupid to debug .pl :-(
So the only thing that works and will re-create a flash-able .BIN file from a .nb0 is listed below:
convert .bin to .nb0:
enter: viewbin -r <binfile>, you get something like:
Image Start = 0x82040000, length = 0x02C00000
Record [ 0] : Start = 0x82040000, Length = 0x01C00000, Chksum = 0x00000000
Record [ 1] : Start = 0x83C40000, Length = 0x01000000, Chksum = 0x00000000
Record [ 2] : Start = 0x00000000, Length = 0x00000000, Chksum = 0x00000000
Start address = 0x00000000
The above has two blocks of data and a termination block.
The checksum = 0 effectively disables upload checking (so potentially dangerous).
The size just fits the Hurricane's SPL "l" (load) command buffer, as you get when loading a ROM:
"clean up the image temp buffer at 0x8C080000 Length 0x01C40000 "
The blocks can be smaller than 0x1c40000 but not bigger obviously.
then convert to nb0, enter: cvrtbin.exe -r -a <imgstart> -l <length> -w 32 <binfile>
for above viewbin output: cvrtbin.exe -r -a 82040000 -l 2c00000 -w 32 <binfile>
mind to omit the 0x for the start and address, replace <binfile> with your filename, then you get a resulting file from <original-name.bin> to <original-name.nb0> which can further be decomposed and edited with standard ROM tools
convert .nb0 to .bin:
enter: xipbin.exe <input.nb0> <start-in-nb0> <output.bin> <loadaddress>
to get back something flashable like above: xipbin.exe <input.nb0> 0 <output.bin> 82040000
mind to omit the 0x for the loadaddress, replace <"file"> with your filenames
to recheck if the created BIN file is usable, startup the viewbin again
enter: viewbin -r <binfile> you now get something like:
Image Start = 0x82040000, length = 0x02C00000
Record [ 0] : Start = 0x82040000, Length = 0x00040000, Chksum = 0x0208CC79
...many entries deleted...
Record [175] : Start = 0x84C00000, Length = 0x00040000, Chksum = 0x0177FB3C
Record [176] : Start = 0x00000000, Length = 0x00000000, Chksum = 0x00000000
Start address = 0x00000000
Done.
Looks quite different - but this is ok! The loading process in MTTY indicates the loading of each above block with a sequence of |*, so with these many blocks the upload to the device is giving feedback and thus is not tempting people to interrupt it.
I have done my tests with the 566.zip linked in the first post of this thread, but this should work with any .BIN file from the other ROMs as well. So I will continue to see if I can recycle any of the WM6 Roms for inserting my imgfs created for Tornado. As before the imgfs still the XIP is loaded and I know too little about this yet (especially in connection to the imgfs and how close these two are linked) - I am prepared to see non booting device states quite a lot. Luckily there is nothing done to the early boot chain (IPL and SPL) so I can always get back to the bootloader and start over again.
I hope to get a first indication that imgfs is mounted correctly in the "old" XIP before I have to replace the OEMdriver parts in my Tornado ROM.
I just checked if I can still use this flash-method for the Tornado - and it works as well. So the created "os-new.nb" in the OUT directory can be converted to .BIN and then flashed inside MTTY with the "l" command. Not that I like this method - but it works as well.
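The two viewbin listings above differ in one important way: the first has records whose Chksum field is 0, the second has real per-record checksums. The following is an added example (not from the original post or from the tools it names) that walks a B000FF file and classifies each record. It assumes the standard Windows CE .bin layout (7-byte `B000FF\n` signature, little-endian 32-bit fields, checksum equal to the byte sum of the record data); the sample image is constructed.

```python
import struct

SYNC = b"B000FF\n"  # 7-byte signature at the start of a B000FF flash file

# Constructed sample: two small records at the image start used in the post.
SAMPLE_RECORDS = [
    (0x82040000, bytes(range(64))),
    (0x82040040, b"\xAA" * 32),
]


def build_bin(image_start, records, zero_checksums=False):
    """Build a constructed B000FF image from (address, data) pairs."""
    image_end = max(addr + len(data) for addr, data in records)
    out = bytearray(SYNC)
    out += struct.pack("<II", image_start, image_end - image_start)
    for addr, data in records:
        chk = 0 if zero_checksums else sum(data) & 0xFFFFFFFF
        out += struct.pack("<III", addr, len(data), chk) + data
    # Terminator record: address 0, checksum 0; the length field carries
    # the start address (0 in the viewbin output shown in the post).
    out += struct.pack("<III", 0, 0, 0)
    return bytes(out)


def audit_bin(blob):
    """Return (image_start, image_len, [(addr, length, status), ...]).

    status is one of:
      ok            stored checksum equals the byte sum of the data
      unchecked     stored checksum is 0 although the data is not all zero
      mismatch      stored checksum is non-zero and wrong
      out-of-range  record lies outside the declared image window
    """
    if len(blob) < 15 or blob[:7] != SYNC:
        raise ValueError("not a B000FF image")
    image_start, image_len = struct.unpack_from("<II", blob, 7)
    pos, results = 15, []
    while True:
        if pos + 12 > len(blob):
            raise ValueError("truncated: terminator record not found")
        addr, length, stored = struct.unpack_from("<III", blob, pos)
        pos += 12
        if addr == 0 and stored == 0:  # terminator reached
            return image_start, image_len, results
        data = blob[pos:pos + length]
        if len(data) != length:
            raise ValueError("record at 0x%08X runs past end of file" % addr)
        pos += length
        computed = sum(data) & 0xFFFFFFFF
        in_window = image_start <= addr and addr + length <= image_start + image_len
        if not in_window:
            status = "out-of-range"
        elif stored == computed:
            status = "ok"
        elif stored == 0:
            status = "unchecked"
        else:
            status = "mismatch"
        results.append((addr, length, status))


if __name__ == "__main__":
    for label, zero in (("with checksums", False), ("checksums zeroed", True)):
        start, size, recs = audit_bin(build_bin(0x82040000, SAMPLE_RECORDS, zero))
        print(label, "image 0x%08X len 0x%X" % (start, size))
        for addr, length, status in recs:
            print("  0x%08X 0x%06X %s" % (addr, length, status))
```

A file whose records all come back as `unchecked` gives the loader nothing to detect a corrupted transfer with, which is the risk the post points out for the Chksum = 0 case.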
Tobbbie, you have here a very good research! To bad this device is out of use!

[BUG REPORTING] DizzyDen's IMEIme IMEI Generator

BUG REPORTING:
This program was initially intended to generate a unique IMEI based on your device S/N and update Dev's install zip files... it has become so much more, and as such there are many functions involved in this process.
Due to the complexity the program has taken on... far beyond what I initially intended... to report bugs please try to use the following as a template:
Function attempting: i.e. Updating ROM... In Place Upgrade... Update framework saved on computer... etc.
Error Messages: any error message you receive... or the last message you saw prior to the issue.
End result: i.e. TelephonyManager updated, ROM not... TelephonyManager updated framework.jar not... etc....
Environment: ROM in same folder as !IMEIme.exe... ROM on same drive as IMEIme.exe... ROM on different drive... etc. (same for framework if updating framework instead)
!IMEIme.ini settings: you can put your entire ini file if you'd like.
If you could take notes of EXACTLY what buttons you click on which prompt it would be EXTREMELY helpful...
As I said, this program has taken on functions I initially had not imagined including... the more features added, the more complex testing and tracking bugs becomes... I don't want to include a bunch of messages just for the sake of letting you know where in the code you are... would not be beneficial to you... more buttons to click for no reason, etc.
The more detailed you can be, the quicker I can see what is happening... otherwise I have to try to duplicate what I think you are doing when you get the error.
Everyone should click "Thanks" on bug report posts... they have been instrumental in getting the program where it is so far.
RESERVED...
Adverse effects after running
First off, thanks for a wonderful application! Your app did in fact correctly give my Kindle an IMEI number, but it seems to have adverse effects.
Function attempting: Tried both in place Rom and update device and now attempting to use app with sound
Error Messages: Unfortunately DSP Manager has stopped (repeatably on any app)
End result: No sound and music apps crash. Some apps work but many do not. (I can provide logcat if needed)
Environment: Kindle Fire running cm9 using Hashcodes 3.0 Kernel latest (11) update.
!IMEIme.ini settings:
Use_In_Place = 0
Use_Previous_Patch = 0
Use_Serial_Number = 0
Use_MAC_Address = 0
Use_Manual_Input = 1
Encrypt_IMEI = 0
Use_IMEI(15) = 0
Use_ADB = 1
Use_ADB(usb) = 1
Use_ADB(WiFi) = 0
Clean_Up = 1
Include_Patch = 1
Device_Manufacturer = TI
Manufacturer_Device = Blaze
Device_Model = Full Android on Blaze or SDP
Build_Fingerprint = google/passion/passion:2.3.6/GRK39F/189904:user/release-keys
LCD_Density =
WiFi_IP_Address =
IMEI = 00127948612384612
Although I have tried multiple settings and configurations. I am sort of a noob so sorry if this is a silly problem.
Having looked into this... I can tell you there's nothing that the IMEI Generator does that would cause the issues you are seeing. I would recommend flashing a non-IMEI'd ROM for testing... then either do in place IMEI generation or running the IMEI Generator against the same ROM you flash.
For what you are doing... there are 2 files that are being modified, and neither should cause FC issues...
/system/build.prop for the manufacturer, device, and build fingerprint
/system/framework/framework.jar is being extracted and edited to patch the IMEI in the GetDeviceID() function in android/telephony/TelephonyManager.smali and recompiled.
Clearing cache and dalvik cache may be something to try.
Thanks! Clearing both caches AFTER the install made it work great. I had been clearing all of the memory beforehand but it did not work. My apps now work great!
Motorola Razr GSM (SPDREM_U_01.6.7.2-180_SPU-19-TA-11.6_SIGNEuropeAustraliaEMEA_USASPDRICSRTGB_HWp2b_Service1FF) ICS.
I deodexed framework.jar because application seems to not work on odex files (as stock is), anyway new deodexed framework have not /com/android/internal/telephony/gsm/GSMPhone.smali file?! (or dir!!) in fact !IMEIme 2.2.0.2 tell me about this issue (no GSMPhone.smali found). framework patched do not present difference between original one. exactly the same. no /android/telephony/TelephonyManager.smali mod applied.
I tried to patch framework by "update device" + adb usb, with no device connected i chose my framework.jar in my pc.
[Settings]
Use_In_Place = 1
Use_Previous_Patch = 0
Use_Serial_Number = 1
Use_MAC_Address = 0
Use_Manual_Input = 1
Encrypt_IMEI = 0
New_Type = 1
Use_IMEI(15) = 0
Use_ADB = 1
Use_ADB(usb) = 1
Use_ADB(WiFi) = 0
Clean_Up = 1
Include_Patch = 0
Device_Manufacturer =
Manufacturer_Device =
Device_Model =
Build_Fingerprint =
LCD_Density =
WiFi_IP_Address =
IMEI = 02546451548481584
stock framework.odex, jar and my deodexed framework attached.
Yes... due to another user trying to use the generator on a device with a framework.odex file instead of framework.jar I am looking into the most effective method of handling that situation. As of now... the generator will not work for you to patch imei functionality into the framework on these devices.
i deodexed also framework.jar but no way to patch it, GSMPhone.smali is missing totally even in backsmalied odex too!!!!
I decided to apply the patch manually, but without this file and TelephonyManager.smali not regular i was thinking about hard mod by motorola?! do you know something about?
Pls man, give me an hand, show me the way, backsmali it you too http://forum.xda-developers.com/attachment.php?attachmentid=1634550&d=1357865096
I'm looking into the method to implement the imei into this.
do you mean into TelephonyManager.smali? I'm looking on it too. Seems so strange this framework...
Actually... looking through to find the best call to implement the patch into... TelephonyManager was the original method... but there may be better places to patch it.
Code:
invoke-direct {p0}, Landroid/telephony/TelephonyManager;->getSubscriberInfo()Lcom/android/internal/telephony/IPhoneSubInfo;
move-result-object v2
invoke-interface {v2}, Lcom/android/internal/telephony/IPhoneSubInfo;->getDeviceId()Ljava/lang/String;
All does make sense now:
http://grepcode.com/file/repository...nternal/telephony/IPhoneSubInfo.java?av=f#174
BUT, where is com.android.internal.telephony.iphonesubinfo!?!?! seems not present... all "internal" dir is missing here, backsmali fault or my fault?!
hiiii
hi,
any news of this? =)
This is the best software for this!
I'm working on the best solution... I understand the desire for this... but I want to ensure the method I choose is the best overall... and to ensure I can properly detect which method to implement during the operation.
If you could zip your entire /system/framework folder and add your /system/build.prop file it would help me test some things I've been putting together for odexed systems.
attaching files
DizzyDen said:
If you could zip your entire /system/framework folder and add your /system/build.prop file it would help me test some things I've been putting together for odexed systems.
Hi, Im attaching my files.
You can download here: w w w . 4 s h a r e d . c o m / z i p / j Q n n 9 8 _ B / s y s t e m . h t m l
Thanks for the help
Error ...
Hi Dizzy
I tried to use your update, but have a error ... My device is Motorola Razr XT910 with 4.0.4
after I choose the "framework.jar" he return this error:
Line 3710 (File: ".....\IMEI\!IMEIme.exe");
Error: Variable used without being declared.
After this the program close without any click to exit ..
Im, attaching a print screen
Tnx a lot man
waldirsp11 said:
Hi Dizzy
I tried to use your update, but have a error ... My device is Motorola Razr XT910 with 4.0.4
after I choose the "framework.jar" he return this error:
Line 3710 (File: ".....\IMEI\!IMEIme.exe");
Error: Variable used without being declared.
After this the program close without any click to exit ..
Im, attaching a print screen
Tnx a lot man
fixed... I guess nobody has been using the "Use Previous Fix" option for a while. New version uploaded... thank you for the bug report. The screen shots really helped track it down.
another error...
Hi DizzyDen,
I want to add an IMEI to my "SUPERPAD 6", but after the window: "IMEI is..." is displayed, then popup an autoit error window:
Line 3710 (File "..."): Error: Variable used without being declared.
Can you help?
Ponozka said:
Hi DizzyDen,
I want to add an IMEI to my "SUPERPAD 6", but after the window: "IMEI is..." is displayed, then popup an autoit error window:
Line 3710 (File "..."): Error: Variable used without being declared.
Can you help?
Before I start looking into this... note that the IMEI generator does not support de-odexing odexed systems yet... I would suggest using it on the ROM then flashing it to the device and let the device odex it again.

restoring whatsapp db after repair

whatsapp chat backup got corrupted and chats were unable to restore. Thanks to whatsapp db key xtractor i pulled the crypt key decrypted the db to .db form. opened up whatsapp xtract and it auto repaired my db.
the following msg appears for this db alone.
H:\Whatsapp_Xtract_V2.2_2012-11-17>python "H:\Whatsapp_Xtract_V2.2_2012-11-17\whatsapp_xtract.py" H:\Whatsapp_Xtract_V2.2_2012-11-17\msgstore.db
Python Version 2.x
Android mode!
printing output to H:\Whatsapp_Xtract_V2.2_2012-11-17\msgstore.db.html ...
Traceback (most recent call last):
File "H:\Whatsapp_Xtract_V2.2_2012-11-17\whatsapp_xtract.py", line 2453, in <module>
main(sys.argv[1:])
File "H:\Whatsapp_Xtract_V2.2_2012-11-17\whatsapp_xtract.py", line 1921, in main
linkimage = findfile ("IMG", y.media_size, y.local_url, date, 2)
File "H:\Whatsapp_Xtract_V2.2_2012-11-17\whatsapp_xtract.py", line 1266, in findfile
timestamptoday = int(str(time.mktime(datetime.datetime.strptime(date, "%Y%m%d").timetuple()))[:-2])
File "C:\Python27\lib\_strptime.py", line 332, in _strptime
(data_string, format))
ValueError: time data 'N/A' does not match format '%Y%m%d'
Press any key to continue . . .
the db is readable in whatsapp viewer but db does not get restored in whatsapp gets stuck at 32%
this error does not happen for any other db file. i am not sure where the error is. kindly help

Radio img extractor

Hello ... so i have an Radio.img and i know inside there are this files
(bootloader) Validating 'radio.default.xml'
(bootloader) Committing 'radio.default.xml'
(bootloader) - flashing 'NON-HLOS.bin' to 'modem'
(bootloader) - flashing 'fsg.mbn' to 'fsg'
(bootloader) - erasing 'modemst1'
(bootloader) - erasing 'modemst2'.
How can i extract NON-HLOS and fsg ? thanks in advance ...
I know this is an ancient thread, but it's still the first search result, so I figured a solution could help anyone else that stumbles upon this..
I made a quick and dirty extractor that works at least for motorola edge 2021 xt2141 radio images. These files seem to start with magic "SINGLE_N_LONELY" and end with "LONELY_N_SINGLE". Filenames are provided, followed by the length of the contents (in little endian), then the contents.
This script will try to open radio.img in the current dir if a filename is not provided. Dumped files will go right in the working dir, so be careful. File content reading isn't done in chunks here, so be mindful of memory usage. Likely not an issue, but you can code in some chunking if needed.
Code:
#!/usr/bin/env python3
import io
import os
import sys
# supply filename as argument or default to 'radio.img'
try:
    filename = sys.argv[1]
except IndexError:
    filename = 'radio.img'
with open(filename, 'rb') as f:
    magic = f.read(0x100).strip(b'\0').decode()
    print(magic)
    assert magic == 'SINGLE_N_LONELY'
    while True:
        # filename
        fn = f.read(0xF0).strip(b'\0').decode()
        print(fn)
        if fn == 'LONELY_N_SINGLE':
            break
        # size of file in little endian
        f.seek(0x08, io.SEEK_CUR)
        l = int.from_bytes(f.read(0x08), 'little')
        print(l)
        # warning: not reading in chunks...
        # warning: outputs to working dir; basename() keeps a stored name
        # containing path separators from writing outside of it
        with open(os.path.basename(fn), 'wb') as o:
            o.write(f.read(l))
        # seek remainder
        rem = 0x10 - (l % 0x10)
        if rem < 0x10:
            f.seek(rem, io.SEEK_CUR)
        # seek until next filename; stop at end of file instead of looping forever
        while True:
            block = f.read(0x10)
            if not block:
                raise EOFError('LONELY_N_SINGLE end marker not found')
            if block.strip(b'\0'):
                break
        # rewind back to start of filename
        f.seek(-0x10, io.SEEK_CUR)
Note the resulting images will likely be in sparse format. You'll need simg2img to convert to raw images if you're trying to mount or otherwise manhandle the images.
If interested in dumping carrier profiles (from inside the fsg image), EfsTools has an extractMbn function. Not sure how to reassemble though. https://github.com/JohnBel/EfsTools
ziddey said:
I know this is an ancient thread, but it's still the first search result, so I figured a solution could help anyone else that stumbles upon this..
I made a quick and dirty extractor that works at least for motorola edge 2021 xt2141 radio images. These files seem to start with magic "SINGLE_N_LONELY" and end with "LONELY_N_SINGLE". Filenames are provided, followed by the length of the contents (in little endian), then the contents.
This script will try to open radio.img in the current dir if a filename is not provided. Dumped files will go right in the working dir, so be careful. File content reading isn't done in chunks here, so be mindful of memory usage. Likely not an issue, but you can code in some chunking if needed.
Thanks for making python script to unpack these SINGLE_N_LONELY header files(bootloader.img, radio.img, singleimage.bin, gpt.bin) from Moto Stock ROM zips.
But why reading filename only 240 bytes and skipping 8 bytes instead of reading whole 248 bytes?
This guy wrote to read 248 bytes instead https://forum.xda-developers.com/t/...t-of-the-moto-g-5g-plus.4371213/post-87807175
I also made quick and dirty unpacked using Lua 5.3 at https://forum.xda-developers.com/t/...t-of-the-moto-g-5g-plus.4371213/post-87931915
I guess one of us has to post this to github, since I can't find any Open Source tool to unpack this simple format image files.
Currently, only star tool that we can find from some of blankflash files(eg. this) and imjtool can unpack these SINGLE_N_LONELY header files as far as I know. But I guess these are not Open Source.
Thanks
HemanthJabalpuri said:
But why reading filename only 240 bytes and skipping 8 bytes instead of reading whole 248 bytes?
This guy wrote to read 248 bytes instead https://forum.xda-developers.com/t/...t-of-the-moto-g-5g-plus.4371213/post-87807175
Ah neat. I only used xt2141 radio images as reference for approximating the file format. It's been a while, but I think based on the actual positioning of the filenames in the images I was testing, I wasn't sure if the final 8 bytes were part of the filename or padding.
Likewise, I wasn't sure of how padding works after the file data, so I just did a dumb seek and rewind.

MAGISK - Amlogic TVBOX Boot Patch Tutorial - Written Guide to accompany video.

Formatting is screwy, suggest to view it here:
How to patch AMLogic TV Boxes boot partition to enable Magisk to function properly.
Last Updated: 2021-08-17 Written by: effgee These instructions are how to patch a boot image for Amlogic based boxes, specifically of the X96 type to enable Magisk to function properly. The instructions are generalized and may work for any Amlogic boxes. These are written instructions based on th...
rentry.co
XDA doesn't let me upload .txt or .md files. sigh.
Pdf attached but meh..
Video can be downloaded on the 4pda forums, or alternatively here:
185.77 MB file on MEGA
mega.nz
The 4pda forums are Russian only and some of the files there you must have an account first to download, hence the Mega video link.
All research and discovery due to Chela_vek and others involved on the 4pda forums.
I've just made it a bit more digestible, to assist more people.
# How to patch AMLogic TV Boxes boot partition to enable Magisk to function properly.
Last Updated: 2021-08-17
Written by: effgee
These instructions are how to patch a boot image for Amlogic based boxes, specifically of the X96 type to enable Magisk to function properly. The instructions are generalized and may work for any Amlogic boxes.
- These are written instructions based on the video (video is named "bandicam.mp4" in that thread) presented here.
- https://4pda.to/forum/index.php?showtopic=774072&st=25020#entry91068157
- The video, while very thorough, does not perform all the steps in the optimal order. There will be some backtracking which can be a bit confusing.
I have done this procedure for:
- X96 Max Plus q2, X96Max_Plus_Q2_20201209-1446.img firmware
- X96 Air Extreme, CONCEPTUM rebrand 4/32 stock firmware (when mentioning "my edits" it is indicative for this particular firmware)
Both of these were accomplished using Magisk v.23
### Pre-requisites
Before starting, you need:
- The original boot.img from your firmware, or TWRP backup of the boot (not bootloader) partition.
- Install Magisk Manager on the device.
- Open Magisk manager. Click install. (Root not needed, you will have Magisk root after.)
- You should have an option to use "Recovery Mode", select it.
- Choose "Select and Patch a file". Feed it your original boot.img.
- Magisk will put a "Magisk Patched" boot.img in your downloads.
- The next hex editing steps are performed on the "Magisk Patched" boot.img
Hexeditor Settings
16 bytes per row (The usual for most editors)
That is 16 columns of XX.
___
### Video 0:00 to 2:00
- Open the Magisk modified boot.img in your hex editor.
- Go to offset `00000B50`
- Get the values of the first 3 columns.
- `0C 81 97` for this particular file.
- Reverse their order,
- `97 81 0C`
- Open up windows calculator and put it into programmer / hex mode.
- With the calculator, add the reversed value,
- `97 81 0C` + `840` = `97 89 4C`
- In the hex editor. Go to the calculated position in the file (from beginning of the file) and step back 1 byte/column and get the address:
- `97894B` This is the END position.
- Search in the file for `1F8B08`, found at: `77BC` & `9D1800`
- We want the first occurrence from the beginning of file
- `77BC` is our START position.
This information comes in handy later.
___
### Video 2:02
#### Extract the kernel from the image
- Open the boot.img in 7zip and extract it.
- You will get an error about extra data beyond the payload you can safely ignore it as long as it extracts the file.
- If 7zip refuses to extract the file, extract it using the Uniextract utility.
- Uniextract will create a bunch of files, one of them named 'kernel'.
- Then use 7zip to extract that 'kernel' file. You will probably get an error about payload data which can be safely ignored.
- Name the extracted kernel file "k"
- This is important as we are stripping the file name from the gzipped file during the following edit and the filename affects the lengths of the bytes!
- Load the "k" file into the hex editor.
#### Replacing skip_initramfs with want_initramfs in the kernel
- Search for `736B69705F696E697472616D6673` and replace with `77616E745F696E697472616D6673` in the "k" file in hex.
- This searches for `skip_initramfs` and replaces it with `want_initramfs`.
#### Recompress the kernel
- Using cygwin or Linux for Windows subsystem or a linux box, recompress the kernel
- `gzip -9 k` this should create a k.gz file. (Yes, the -9 is important.)
#### Zeroing out the filename from the compressed kernel
- Load the newly created file `k.gz` into the hexeditor.
- The very top row has some data that identifies the filename in the gz file. We must remove this information, and if you named the kernel anything but exactly 'k' before you gzipped it, these bytes will be different. Go back and do it again.
- On the first row fill with zeros, positions `03` through `07` on first row.
- On the same first row, select `0A` and `0B` & delete those bytes.
- This finishes removing filename headers from the gzipped kernel. `k.gz`
- Save the k.gz file.
#### Get length of k.gz (Compressed, modified kernel image)
- Select all and copy the length. k.gz LENGTH `971182`
- Note down the length of the file we will use it a bit later.
### Video 3:45
___
### Video 3:46
#### Creation of the zim file (zImage)
This is where the video becomes a bit unclear and it appears there are extra unnecessary steps. I have tried to simplify it.
- Go back to the boot.img loaded in the hex editor.
- From the first segment, get your end position, `97894B`
- Go to that offset position and right below it there should be a couple rows of data, then a few (1 or 2) to many (10-20!) rows of only zeros.
- What you want to do is select blocks from `840` to the last full row of all zeros.
- In my file it is positions `840` TO `978FFF`.
- In the demo video it is `840` to `91D7FF`.
- Each boot.img will be different.
- Copy those blocks and create a new file `zim` and paste them there.
### Video 4:41
___
### Video 4:42
### Editing the zim file.
- In the `zim` file you pasted the previously copied blocks into...
- Search for `1F8B08`
- In my file and the demo video, it is FOUND at: `6F7C` = KERN_START_POSITION
- From the previously found length of the `k.gz` data: `971182`
- Using the KERN_START_POSITION (`6F7C`) as offset go to k.gz LENGTH (`971182`) amount of blocks forward.
- This offset can be named POINTER_ONE, take note of it.
- In the demo video the jumped to position is: `91CEDD` = POINTER_ONE
- In my file the jumped to position is: `9780FE` = POINTER_ONE
- From POINTER_ONE offset, zero it and any remaining bytes in that row.
- From POINTER_ONE offset, go back one byte.
- This will be the final position when we paste k.gz data into this file. Note it down
- Demo file: Back one byte position = 91CDDC
- My file: Back one byte position = 9780FD
### Video 5:25
##### Updating POINTER_ONE record.
- From POINTER_ONE row, go down 2 rows and look at the first 3 bytes.
- Insert the reversed POINTER_ONE offset into those first three bytes.
- EX: POINTER_ONE offset `91CEDD`, reverse it to `DDCD91`
- On my edit, it already matched so nothing to do here.
### Video 5:39
##### Getting the second pointer
- The second pointer is 4 steps back from POINTER_ONE offset.
- Call this the POINTER_TWO offset. Write it down.
- ex: POINTER_ONE offset = `91CEDD`, Go back 4 bytes & POINTER_TWO offset = `91CED9`
- Note down POINTER_TWO offset as well as reverse it
- POINTER_TWO offset = `91CED9` then REVERSED = `D9 CE 91`
### Video 5:49
##### Updating POINTER_TWO record.
- Go to offset 300.
- Edit offsets `30C`, `30D`, `30F` to match REVERSED POINTER_TWO offset. ex. `D9 CE 91`
- On my edit, it already matched so nothing to do here.
### Video 6:17
##### Inserting k.gz into zim file
- In zim file.
- Select blocks from KERN_START_POSITION (`6F7C`) to POINTER_ONE offset, back 1 byte ex; `91CDDC`
- Delete the selection.
- Go to k.gz file, ctrl+a and copy.
- Back to zim file and paste the copied data from the position that you deleted ex. `6F7C`.
- Ensure that it inserts (not overwrites) and the row containing the POINTER_ONE record points to the exact end of the pasted data.
- Save zim file if everything is ok.
### Video 7:05
##### Inserting zim into boot.img file
- In the zim file, select all and copy.
- Go to boot.img file.
- If the instructions were followed exactly, you will still have a selection of data used to copy and paste the initial zim file.
- ex. Offsets `840` to `91D7FF`
- Paste the copied zim data into this selection, using OVERWRITE not insert.
- The idea is the file from the edited zim data must fit exactly into the boot.img selection.
- Save the boot.img somewhere, suggest to use a new file.
# And that's it, it's done.
- Flash this file via TWRP to the boot partition.
- If it doesn't work, watch the video again and read carefully the "Editing the zim file." and down instructions.
-effgee
Big thanks to Chela_vek (and anyone else involved) who figured out what was need to get Magisk running on these Amlogic boxes.
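The kernel edit and the offset arithmetic from the guide above, as an added example that is not part of the original guide or the video. It shows what the hex edits on `k.gz` do to the gzip header (bytes `03` to `07` are the flag byte and the timestamp, `0A` and `0B` are the stored name "k" plus its terminator) and reproduces the guide's own numbers, which add up when `971182` is read as hex. The function names, the sample kernel bytes and the mtime value are constructed for illustration.

```python
import gzip
import io

SKIP, WANT = b"skip_initramfs", b"want_initramfs"
GZ_MAGIC = b"\x1f\x8b\x08"  # the 1F8B08 signature the guide searches for
FNAME = 0x08                # gzip flag bit: original file name stored in header

# Constructed stand-in for the extracted kernel file "k".
SAMPLE_KERNEL = b"\x00" * 32 + b"cmdline skip_initramfs rootwait" + bytes(range(256)) * 8


def patch_kernel(kernel):
    """Swap the marker for one of equal length so nothing after it shifts."""
    if len(SKIP) != len(WANT):
        raise AssertionError("replacement must keep the length")
    if SKIP not in kernel:
        raise ValueError("skip_initramfs not present")
    return kernel.replace(SKIP, WANT)


def gzip_with_name(data, name="k", mtime=1629158400):
    """Stand-in for `gzip -9 k`: the header stores the file name and an mtime."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", compresslevel=9,
                       fileobj=buf, mtime=mtime) as g:
        g.write(data)
    return buf.getvalue()


def strip_name_and_mtime(gz):
    """The guide's hex edit, generalised to any stored name length."""
    if gz[:3] != GZ_MAGIC:
        raise ValueError("not a gzip stream")
    if gz[3] != FNAME:
        raise ValueError("flags other than FNAME set; header layout differs")
    name_end = gz.index(b"\x00", 10) + 1  # name starts at 0x0A, NUL-terminated
    # keep magic, zero flag + mtime (03..07), keep bytes 08..09, drop the name
    return gz[:3] + b"\x00" * 5 + gz[8:10] + gz[name_end:]


def le24(raw):
    """Read three bytes as shown in the hex editor ("reverse their order")."""
    return int.from_bytes(raw[:3], "little")


def reversed_hex(offset):
    """Offset as the three bytes to type into the editor, low byte first."""
    return offset.to_bytes(3, "little").hex(" ").upper()


def end_position(size_field, base=0x840):
    """END position: value at 0xB50 plus the guide's 0x840, minus one byte."""
    return le24(size_field) + base - 1


def zim_pointers(kern_start, kgz_len):
    """POINTER_ONE = KERN_START_POSITION + k.gz length; POINTER_TWO is 4 back."""
    pointer_one = kern_start + kgz_len
    return pointer_one, pointer_one - 4


if __name__ == "__main__":
    patched = patch_kernel(SAMPLE_KERNEL)
    gz = gzip_with_name(patched)
    clean = strip_name_and_mtime(gz)
    print("header before:", gz[:12].hex(" "))
    print("header after: ", clean[:10].hex(" "))
    print("bytes removed:", len(gz) - len(clean))
    print("still valid gzip:", gzip.decompress(clean) == patched)
    print("END = %X" % end_position(bytes.fromhex("0C8197")))
    p1, p2 = zim_pointers(0x6F7C, 0x971182)
    print("POINTER_ONE = %X, POINTER_TWO = %X (%s)" % (p1, p2, reversed_hex(p2)))
```

With a stored name other than "k" the name field is longer than two bytes, which is why the guide insists on that file name; GNU gzip's `-n` option writes a header without name and timestamp in the first place.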
Reserved.
i must patched both boot.img and recovery.img to make magisk work on amlogic T972, but stock recovery not working with update anymore
havent try this method, cause script and video not same, hard to follow
