Related
Current version: !IMEIme 2.2.0.4
Bug Fix
Fixed bug in use previous patch that could result in variable used before declared error.
Changed processing order when custom patches were to be used
The program will now process custom patches prior to editing framework.jar and build.prop edits. With new kernel patches requiring a new build.prop users would lose build.prop edits if the kernel was included in custom patches, the program will now patch any user modifications, then process IMEI generation and build.prop edits.
Updated to work with ROMs that do not include GSMPhone.smali
Recently, many ROMs are not including GSM phone utilities in framework.jar. I have added testing for missing GSMPhone.smali and patching via TelephonyManager.smali if necessary.
UPDATED FILES UPLOADED
MANY of the support files have been updated to the newer versions (smali, baksmali, adb and components).
I encourage you to delete all files in your existing IMEI Generator folder and use the new !IMEIMe.exe to generate the files necessary.
The devices.dat file if you've used the previous version has several issues that prevents the device model from being correctly patched on many of the devices. This has been fixed here and in the device list thread.
There is a known issue with the GUI when your screen settings are set at 125% in Control Panel - Appearance and Personalization - Display... I will work on fixing that in the next release.
Bug reporting thread for !IMEIme
Device list thread
New features:
Will patch GSMPhone.smali if present in framework... patches TelephonyManager.smali otherwise.
I chose this method since more ROMs are coming out for wifi tablets that do not have GSM phone information included in framework.jar. I was playing with CM10.1 and discovered GSMPhone.smali is not present, thus I was getting unable to patch GSMPhone.smali error, and there was no patching for an IMEI. In all honesty... this should be irrelevent, since IMEI is only utilized in cellular communications on GSM phones... however... some applications MAY (xda free does) require an IMEI to work, even on wifi only devices.
ODEX files still in the works
odex file support... I think this solution will work on odex file systems as long as the patching is done on the ROM prior to flashing to device (anyone using odexed system please let us know) and I am working on in place patching on odexed systems... however, I am not completely comfortable since there is a lot of work done by the device itself during odexing of the modified files... I am very hesitant since any mistake could render a bricked device and I don't have a system to test with prior to release.
Previous Important Changes
The new version of the IMEI Generator will no longer overwrite your existing devices.dat file with the current. To use new devices.dat file, delete the old one prior to running the program, or download the new one and unzip it in the IMEI Generator directory.
Device Communications not necessary in certain situations
If you select to Update ROM, using Serial Number based IMEI and do not select Encrypt IMEI, the program will no longer need to communicate with the device when performing its tasks. The framework.jar patch will not hard patch the IMEI in this situation as before. This is useful for patching a ROM for distribution to multiple people, since they will all maintain unique IMEI's. This is accomplished with the following change in the framework.jar
Code:
/com/android/internal/telephony/gsm/GSMPhone.smali
.method public getDeviceId()Ljava/lang/String;
[b]changed[/b] iget-object v0, p0, Lcom/android/internal/telephony/gsm/GSMPhone;->mImei:Ljava/lang/String;
[b]to[/b] sget-object v1, Landroid/os/Build;->SERIAL:Ljava/lang/String;
prior to patching in code to prepend "0"
.method public getDeviceSvn()Ljava/lang/String;
[b]changed[/b] iget-object v0, p0, Lcom/android/internal/telephony/gsm/GSMPhone;->mImeiSv:Ljava/lang/String;
[b]to[/b] sget-object v1, Landroid/os/Build;->SERIAL:Ljava/lang/String;
prior to patching in code to prepend "0"
To try to explain the above a little...
The above is always changed, no matter what IMEI generation method you select...
If you select Serial Number and New Type IMEI and not Encrypt: no other patching is done for the IMEI... this can be implemented on many devices, since each will have a unique serial number.
If you select Serial Number and do not select New Type: additional code is added to format the IMEI to the old standard ("00-" and "-"s)... this can be implemented on many devices for same reason.
If you select MAC Address or Encrypt (or both): additional code is added that results in the IMEI being hard coded, this makes it very much device specific.
If you select MAC Address or Encrypt (or both) and do not select New Type: additional code is added that results in the IMEI being hard coded as well as code to format the IMEI, this makes it very much device specific.
Use Custom Patch NOTE: This is only used when patching a ROM
This is going to take some major explanation, since I ran into so many possible scenarios...
One thing of note... the only additional lines added to updater-script will be for files in the base directory
The order of processing is:
1. Original ROM updater-script and files
2. Custom Patch zip file
3. Custom Patch folder
The program will utilize folders (from Patch zip file or Patch folder itself) named modboot, modsys, or system (not case sensitive in windows) as well as files in the base folder
Any files in modboot will be moved to the root of the **ROM**-IMEI.zip file and lines added to updater-script as needed
Any files in modsys will be moved to the system directory of the **ROM**-IMEI.zip file
If Custom Patch is checked...
/META-INF/com/google/android/updater-script is extracted from the ROM
the program will ask you to select the Custom Patch Folder
If there is a zip file present in the folder the program will ask if you want to use it
You have 3 options, "Yes", "No" or "Cancel"
Yes = Use the zip file
No = Don't use it, select another
Cancel = Don't use a zip file
If you use a zip file, it will extract the zip file and process the updater-script in it for any additional lines needed
After the above, any non-zip files and modboot, modsys and system directories in the Patch Folder will be processed
I chose this order so you can have a "go to" patch zip file, and test other additions by using the file, folder options prior to including them in the zip.
Example here:
I have my custom patches in folder /CM7/UserMods with these contents:
/META-INF
/modboot
/modsys
patch.zip
The program processes patch.zip first, then overwrites any files with the files in modboot and modsys
It also processes /META-INF/com/google/android/updater-script for any lines extracting files to /boot and adds them to the original ROM updater-script if not already there.
It then adds lines for any files originally in /modboot to updater-script to extract them to /boot
"New IMEI Type" of IMEI which no longer has the "-"s in it, but maintain backward compatibility for those who already have IMEI's generated or prefer the old style. When the new type is selected in the GUI:
NOTE: Per the IMEI standards... Using a single 0 prepended to the IMEI indicates a TEST IMEI for a country with 3 digit international code... while it should have no implications to us since we are not on a cell... it may provide potential country validity issues... I will monitor this and resort to 00 prefix in the new type of IMEI if necessary.
ADDITIONAL NOTE: Per the IMEI standards... For devices without an IMEI, they are to provide a unique serial number to be used... This program modifies framework.jar to allow this.
I am now patching framework.jar in the /com/android/internal/telephony/gsm/GSMPhone.smali file instead of /android/telephony/TelephonyManager.smali (this change is what allows the information to display in the about tablet information)
I am renaming and patching 2 functions... getDeviceID() and getDeviceSvn()
By patching the two functions in this file... the IMEI now shows in Settings... About Tablet... Status... no longer have to use external program or dial *#06# to verify the device is patched.
getDeviceID() shows it in IMEI
getDeviceSvn() shows it in IMEI SVN
You can rename or copy !IMEIme.ini to IMEIme.ini and the program will work.... useful for *nix users and probably mac users... since they have issues with special char actors (!)... While I like to use it in windows to keep the executable and ini file at the top of the file list in windows explorer... anyway...
The program looks for IMEIme.ini first and uses it if present... if it is not... it then looks for !IMEIme.ini (which will be there... because the program installs the generic !IMEIme.ini if it isn't ) This also provides a good way to keep your ini.. and see the new settings in the compiled in ini.
GUI selection and related ini setting
GUI: New IMEI Type
INI Setting:
New_Type =
; If 0 then the old type of "00-XXXXXX-YYYYYY-ZZZ" will be used
; If 1 then the new type of "00XXXXXXYYYYYYZZZ" will be used
BUG FIX
No known or reported bugs to work out.
!IMEIme.ini file default settings and explanation:
Code:
;The setting options are 1 (use the option) or 0 (don't use the option)
;WiFi IP Address can be set to your Nook's IP address here to a default to use
;IMEI can be set to a default here... you can also set the seed you use for generation
;Setting Device_Manufacturer to anything will result in an edit to build.prop setting the entered manufacturer
;IF Device_Manufacturer is NOT blank then:
;Setting Manufacturer_Device to anything will result in an edit to build.prop setting the entered device
;
;NOTE: ONLY Device_Manufacturer is necessary for this edit... there have been no software that appears to
; require a device edit
;
;Setting LCD_Density will result in build.prop edit for this setting regardless of Device_Manufacturer setting
;
;Set all options in [Settings] section at the bottom
[Settings_Explained]
Use_In_Place = 1
; If 0 Disable In Place patching... useful for those who always update AOSP ROM files and never patches on device framework.jar
; If 1 Enables In Place patching if ADB is working
Use_Previous_Patch = 0
; If 0 Ignore IMEI.fix
; If 1 AND IMEI.fix exists... use it for patching
Use_Serial_Number = 1
; If 0 then do not base IMEI off of Device Serial Number
; If 1 then base IMEI off of Device Serial Number
; NOTE: This takes priority over Use_MAC_Address
Use_MAC_Address = 0
; If 0 then do not base IMEI off of Device MAC Address
; If 1 then base IMEI off of of DeOvice MAC Address (last 5 hex words) (2 bytes = 1 hex word)
; 0A is converted to 010, FF is converted to 255 etc.
; NOTE: Use_Serial_Number takes priority
Use_Manual_Input = 1
; If 0 then Manual Input disabled
; If 1 then Manual Input enabled
Encrypt_IMEI = 1
; If 0 then uses actual data for IMEI... i.e. Serial Number (last 15 digits) or MAC Address (last 5 hex words) is actual IMEI
; If 1 then program encrypts data for IMEI generation... hiding actual Device data
New_Type = 1
; If 0 then the old type of "00-XXXXXX-YYYYYY-ZZZ" will be used
; If 1 then the new type of "00XXXXXXYYYYYYZZZ" will be used
Use_ADB = 1
; If 0 then ADB is disabled... this will prevent In-Place updating from working all together
; If 1 then ADB is enabled... In-Place will work... IF adb is working on your device
; NOTE: This takes priority over Use_ADB(usb) and Use_ADB(WiFi)
Use_ADB(usb) = 1
; If 0 then ADB via USB connection is disabled... I use this since some ROM's have Debug Mode issues
; If 1 then ADB via USB is enabled and attempted first
; NOTE: Use_ADB takes priority over Use_ADB(usb) and Use_ADB(WiFi)
Use_ADB(WiFi) = 1
; If 0 then ADB via WiFi connection is disabled
; If 1 then ADB via WiFi is enabled... I use this since some ROM's have Debug Mode issues
; NOTE: Use_ADB takes priority over Use_ADB(usb) and Use_ADB(WiFi)
Clean_Up = 1
; If 0 then the program will leave all support files when cleaning up and exiting
; If 1 then the program will delete all support files when cleaning up and exiting if none of them
; existed at program start
Include_Patch = 0
; If 0 then custom patches is disabled
; If 1 then the program will prompt for custom patches to include
Device_Manufacturer =
; If blank then the program will not edit build.prop
; If anything other than blank the program will edit build.prop to include manufacturer
Manufacturer_Device =
; If blank then the program will not include device in build.prop edit
; IF anything other than blank the program will include device in build.prop edit
; NOTE: No build.prop edit will occur if Device_Manufacturer is blank
Device_Model =
; If blank then the program will not include model in build.prop edit
; IF anything other than blank the program will include model in build.prop edit
; NOTE: No build.prop edit will occur if Device_Manufacturer is blank
Build_Fingerprint =
; If blank then the program will not include Build Fingerprint in build.prop edit
; IF anything other than blank the program will include Build Fingerprint in build.prop edit
; NOTE: This edit will occur even if Device_Manufacturer is blank
LCD_Density =
; If blank then the program will not include LCD Density in build.prop edit
; IF anything other than blank the program will include LCD Density in build.prop edit
; NOTE: This edit will occur even if Device_Manufacturer is blank
WiFi_IP_Address =
; You can enter the default Device IP address here... especially useful if you are only using this on one device...
; or if you keep seperate folders for each device you use (!IMEIme.exe and !IMEIme.ini must be in each folder)...
; i.e. folder for "sister" containing the program and ini file at minimum.
; If blank the program will prompt you for the IP address of the device to establish ADB WiFi connection
IMEI =
; Enter a base 10 (integer) and it will be used as the IMEI (duplicated until 15 digits is reached)
; Enter your "seed" and the program will generate an IMEI based off of it
; NOTE: If you try to generate the old GENERIC IMEI the program will not do it
[Settings]
Use_In_Place = 0
Use_Previous_Patch = 0
Use_Serial_Number = 1
Use_MAC_Address = 0
Use_Manual_Input = 1
Encrypt_IMEI = 0
New_Type = 1
Use_IMEI(15) = 0
Use_ADB = 1
Use_ADB(usb) = 1
Use_ADB(WiFi) = 1
Clean_Up = 1
Include_Patch = 1
Device_Manufacturer =
Manufacturer_Device =
Device_Model =
Build_Fingerprint =
LCD_Density =
WiFi_IP_Address =
IMEI =
Credits:
mthe0ry: Credit for the original IMEI patches released for us Nookers(TM). His original thread is here...
martian21: Took mthe0ry's work and maintained it for releases of CM7, upeating it for each nightly that needed a new one. Martian21's thread.
HacDan on irc.freenodes.net #nookcolor for helping me figure out patching GSMphone.smali instead of TelephonyManager.smali
Thank you's:
paleh0rse: I believe was the first to download and test this program... I think the first bug report too... helped many users with suggestions regarding their apps.
mr_fosi: Continues testing and reporting despite no need to. Tested a few private beta builds to help iron out a significant issue. Also providing information regarding Phone App *#06# IMEI test.
martian21: Set the wheels turning. Provides invaluable feedback and suggestions. He is an invaluable tester and Q&A guy. Thanks for dangling that bait
mellopete: Provided the very first bug report... prompted me to include necessary files in the program itself.
TheMainCat, 12paq and frankusb: Provided bug reports leading me to look at why some Windows versions didn't run the program initially.
Nayla1977: Bug report regarding a mistyped EndIf in my source.
jdexheimer: Bug report that lead me to find a problem with folders with spaces in them.
LinuxParadigm: Bug report regarding missmatching If - EndIf's.
BitingChaos: first public post to get me back on target.
dillweed, garrisj and many others: for PM's indicating the importance of this solution.
lemdaddy for reporting the bug that we tracked down to the java version and reporting back that it was the java version causing issues.
adusumilli for reporting the bug where IMEI was generated as "00-cat: c-an't o-pen"
topcaser for being persistent enough with the bug causing In-Place to fail in certain situations.
HacDan on IRC for leading me in the right direction to impliment the patching of GSMphone.smali.
We are all adults, if we break our toys... we only have ourselves to blame and we may have to buy new ones... (this will NOT break your Nook... I PROMISE you that! but it may break some of your apps... more on that later in post)
BUG REPORTING:
This program was initially ineteded to generate a unique IMEI based on your device S/N and update Dev's install zip files... it has become so much more, and as such there are many functions involved in this process.
Due to the complexity the program has taken on... far beyond what I initially intended... to report bugs please try to use the following as a template:
Function attempting: i.e. Updating ROM... In Place Upgrade... Update framwork saved on computer... etc.
Error Messages: any error message you receive... or the last message you saw prior to the issue.
End result: i.e. GSMphone.smali updated, ROM not... GSMphone.smali updated framework.jar not... etc....
Environment: ROM in same folder as IMEIme.exe... ROM on same drive as IMEIme.exe... ROM on different drive... etc. (same for framework if updating framework instead)
!IMEIme.ini settings: you can put your entire ini file if you'd like.
If you could take notes of EXACTLY what which selection in the GUI you have selected and any buttons you click on which prompt it would be EXTREMELY helpful...
As I said, this program has taken on functions I initially had not imagined including... the more features added, the more complex testing and tracking bugs becomes... I don't want to include a bunch of messages just for the sake of letting you know where in the code you are... would not be beneficial to you... more buttons to click for no reason, etc.
The more detailed you can be, the quicker I can see what is happening... otherwise I have to try to duplicate what I think you are doing when you get the error.
mr_fosi and martian21 have been very tedious in reporting bugs... I greatly appreciate their testing despite not needing to, and the manner in which they document what is going on....
Everyone should click "Thanks" on their bug report posts... they have been instrumental in getting the program where it is so far.
Background:
Some developers require a unique number that is supposed to be provided by hardware manufacturers that is unique to every device. This unique number (IMEI) is extremely important in devices utilizing cellular communications.
Since B&N has not registered IMEI numbers for the Nooks, the AOS's we are using do not acquire it as they do in other Android devices.
The developers that require a unique IMEI have been less than receptive of our devices and past methods to provide functionality to utilize their apps.
I decided to provide what I believe to be a viable solution to this problem.
What this program is:
It is a method to provide a unique IMEI (with reasonable certainty) for our Nooks.
It IS intended to be a supplement until IMEI is addressed in dev's ROM's.
It IS viable for Froyo... CM7... CM9... CM10...Honeycomb... MIUI.... AOKP... and others.
I can't think of any reason it will not work with ANY ROM you choose to utilize... if you run across one... just let me know and I'll see if I can't fix that.
What this program is not and does not do:
This is not a perfect solution to our Nook specific issues. Let me make it PERFECTLY CLEAR there is NO PERFECT SOLUTION We are generating an IMEI from something else... I use TEST IMEI patterns based off of our device serial number, to ensure apk devs wouldn't come down on us.
It is not targeting any specific AOS.
It is not guaranteed to be accepted by any other developers.
It is not intended to be the end all, beat all solution.
It is not intended to dissuade other developers from providing what they feel is a better method.
It will not cause any programs to show in the market. That has to be dealt with via APK developers and/or build.prop Manufacturer strings.
Potential issues:
There is NO legitimate solution to the IMEI issue we Nookers (TM) face... unless a group desires to register a block of them for our use... thus I am generating TEST IMEI's... ideal... no, but the only method available to us.
While I feel, with significant certainty, there will be no negative consequences from apk devs in general, I cannot speak for them, or their logic. This can easily be disabled by them again. That is on them, not me or us. By the same token, they can decide to stop providing their service for cause, I still have no control over that.
Above, I emphasize “with reasonable certainty” due to the fact that, in theory, you can wind up with an IMEI that 9 other Nooks that use this software has. That can only happen if the other 9 owners use this program and have a serial number within the same 10 as yours. This is even less likely with the New IMEI Type since it is using the right most 16 digits of a device serial number (and we know they all start with 2)
If everyone who has the same beginning 15 digits utilizes this program to generate an IMEI, you will all wind up with the same IMEI. Given the number of Nooks out there compared to the number of user's hacking them.... I find it extremely difficult to believe, with a reasonable certainty, that any 2 (much less 10) devices would ever wind up with the same IMEI generated by this program. This is prevented when using the New IMEI Type
What this program does/is capable of:
It allows you to extract framework.jar from a developers update zip file.
It will allow you to pull framework.jar from your Nook or use an existing framework.jar already stored on your computer.
It will generate an IMEI based on your Nook's serial number (or MAC Address) if adb is working on your system. If you have issues running adb via USB (ADB(USB)), it provides the opportunity to utilize adb via WiFi (ADB(WiFi)) for any computer-device communications.
It will provide you a method to manually input your serial number if you cannot connect to the device via adb. You can also input a “seed” (easy to remember word or phrase) and generate an IMEI based on the ASCII codes of the text you enter.
It will edit /com/android/internal/telephony/gsm/GSMPhone.smali to rename any existing getDeviceId() and getDeviceSvn() function to getDeviceId2() getDeviceSvn2() and append the patch to end of that file. NOTE: When the program "smali's" the resulting GSMphone.smali... it relocates the appended function to be before the renamed function.
It will save the patch as IMEI.fix, thus allowing you to utilize it for subsequent runs of the program. A caveat to this is... if you run it from the same folder on a friend's Nook... it will overwrite your original one if it is in the same folder or they will have the same IMEI as you do if you use Previous Run.
It will offer to push the patched framework.jar to your Nook... IF you opted to pull framework.jar from your Nook AND adb successfully worked to do that. This facilates in place upgrading.
It will backup the existing developers zip file appending “-IMEI” to it, distinguishing it is one this program has been used on. It will update this file, not the original developers file.
If there are issues with file names that become duplicate in a case insensitive OS such that windows is, it will warn you of this case and not remove the updated framework.jar to facilitate manual updating of the zip file.
Caveats:
This program is known to work on Java version 1.6.0_23 and known NOT to work on version 1.6.0_17 or earlier. If your system seems to work fine... but the nook does not give you an IMEI number... check your java version by typing this in a DOS window (start-run and type in cmd):
java -version
this will tell you the version of java you are running.
Java must be on your system. It must be in your system's path statement, or this program must be in the java/bin folder. It is possible that you must have java 32 bit version, this is being researched.
It will very likely break your swype, or any other app that utilizes IMEI for validation and you have used previous methods to circumvent their validation process.
It will likely break the same software if/when developers include a fix to the Nook IMEI situation in their AOS. Unless you opt to use this method again on their AOS to ensure you maintain the IMEI you used my program to generate.
Since I have opted to utilize test formed IMEI's to prevent duplicating someone's “real device” IMEI, software developers can easily shut us down again. That is their option. I am trying to provide a solution that is acceptable to both sides of the fence.
Closing statement:
As I desire to make this program as beneficial as possible... PLEASE provide any feedback and/or bug reports... just don't continue to push your ideals once it has been discussed... beating dead horses gets tiresome and just wastes precious time.
112 downloads of 2.2.0.3 with bug when pervious fix was selected
1686 downloads of 2.2.0.2 with no bugs reported
141 downloads of 2.2.0.1 with CM10 in place bug that would cause BBSOB and never boot
197 downloads of 2.2.0.0 (that actually appeared to be 2.1.0.4 in the zip) with a few minor bugs... mostly in custom patching
648 downloads of 2.1.0.3 with known GT for GameLoft issues
1123 downloads of 2.1 with no known bugs
182 downloads of 2.0a with a Generic IMEI bug
1919 downloads of 1.9 with no bug reports
3131 downloads of 1.8 with all bug reports being for non-nook devices
80 downloads of 1.7 with no bug reports
600 downloads of 1.6 with a couple of reports of In-Place update bug
880 downloads of 1.5a with 0 bug reports
148 downloads of 1.5 with a bug that could result in IMEI being generated without being properly formed.
36 downloads of 1.4 with a bug that could result in IMEI of "cat: can't open".
258 downloads of 1.3 with 0 bug reports... time to move on with next feature.
1618 downloads of 1.1 and the only bug noted has been tracked to the user's Java version.
12,758 downloads prior to the current version.
Bug reporting thread for !IMEIme
Device list thread
Looks like I have something new to mess with tomorrow night... thanks for working this, we owe ya!
Been looking forward to this! Thanks for your hard work DizzyDen.
Tested it out however it isn't finding 7zip. I've tried both the 64-bit and the 32-bit version (on 64-bit Windows 7). I'm probably doing something wrong if so please feel free to enlighten me
Martian21
martian21 said:
Been looking forward to this! Thanks for your hard work DizzyDen.
Tested it out however it isn't finding 7zip. I've tried both the 64-bit and the 32-bit version (on 64-bit Windows 7). I'm probably doing something wrong if so please feel free to enlighten me
Martian21
Click to expand...
Click to collapse
It wasn't you... there's something weird with the API to the fileopendialog that changes the working directory... a TEMPORARY work around is to copy the zip file to the folder you are running the program from.
Updating to beta 2 to auto extract support files on run.
Beta 2 is up... OP updated... note the bold text... for now the zip file must be in the same folder as IMEIme.exe
That will be fixed shortly.
Updated to beta 3. OP updated.
Fixed file browse for update file.
Improved cleanup behind itself before exiting...
removes helper files
removes framework.jar
removes classes.dex
removes out folder
removes system folder (the one used to add framework.jar to the zip file)
Still debating ability to allow manual input of the IMEI or a serial number... but those that want to do it will probably figure out how to do it manually... its REALLY not that hard.
Will add random IMEI generation as an option. The only purpose I see for this is for those who don't want to use the generic IMEI and cannot get adb working... even with the included adb in this program.
Feedback and bug reports are welcome and will help improve the program.
Thank you for this
I had to copy my AdbWinApi.dll for it to work. It did not put the new framework.jar in the zip though. It made the files, but didn't update the zip. I moved it to the root of my drive and ran it as administrator, but it still didn't update the zip. I am using Windows 7 x64. I used the IMEI.fix file and updated the zip myself. Thanks again for this nice tool.
mellopete said:
I had to copy my AdbWinApi.dll for it to work. It did not put the new framework.jar in the zip though. It made the files, but didn't update the zip. I moved it to the root of my drive and ran it as administrator, but it still didn't update the zip. I am using Windows 7 x64. I used the IMEI.fix file and updated the zip myself. Thanks again for this nice tool.
Click to expand...
Click to collapse
Did you use something prior to b3 ?
There was an issue I discovered that was preventing appending IMEI.fix to TelephoneProvider.smali that was fixed in b3.
I did my development on windows64 so that shouldn't be an issue.
As for the dll... I hadn't experience issues with that... but I can certainly add it to the program.
Both adb dll's will be included in all releases after b3.
Good job!
Can you explain more about how rom is being affected?and what to check?
Sent from my phiremod for Nook using Tapatalk
DizzyDen said:
Did you use something prior to b3 ?
There was an issue I discovered that was preventing appending IMEI.fix to TelephoneProvider.smali that was fixed in b3.
I did my development on windows64 so that shouldn't be an issue.
As for the dll... I hadn't experience issues with that... but I can certainly add it to the program.
Both adb dll's will be included in all releases after b3.
Click to expand...
Click to collapse
b3 is the first one I tried. I didn't look at the classes.dex before it was deleted. I will check.
RASTAVIPER said:
Good job!
Can you explain more about how rom is being affected?and what to check?
Sent from my phiremod for Nook using Tapatalk
Click to expand...
Click to collapse
Read here http://forum.xda-developers.com/showthread.php?t=1004102
TelephonyManager.smali did not change.
mellopete said:
TelephonyManager.smali did not change.
Click to expand...
Click to collapse
Please make sure b3 is the one you are using. When you originally posted... the thread was showing 0 downloads of that file.... or just wait a few minutes... beta 4 is on its way shortly.
To ensure TelephonyManager.smali is not changed you need to look in two places.... the easiest way is to search for getDeviceID
If it worked correctly you should find 2 instances... the first is the original function and my program renames it to getDeviceID2()... the second should be the one !IMEMe adds to the end of TelephonyManager.smali
Additionally... could you check and see if your run is actually overwriting update zip file.... see if there is a update ".zip.tmp" file left over... if it is there... the zipping is running into an issue overwriting the original file... I thought I had that issue worked out... but may need to add a check for that within my program.
I d/l b4, dropped it in a directory with just the .zip for n87 and ran it (win7 pro 64-bit). It errored out and here's the play-by-play of each of the windows which popped up one immediately after the other:
- I was warned about you being an unverified software publisher, which I OKed.
- "Windows cannot find 'java'. Make sure you typed the name correctly, and then try again." I OKed this one as well.
- window titled "DizzyDen's IMEI Generator" containing: "Return Code is:0 and Error Code is: 1"
- window titled "DizzyDen's IMEI Generator" containing: "Java is required on your system. You can download the current version from http://java.com"
I have JRE6 on my machine, though it is not in the system PATH.
Oh, and there were files for 7za, adb, .dll's and .jar files left behind.
mr_fosi said:
I d/l b4, dropped it in a directory with just the .zip for n87 and ran it (win7 pro 64-bit). It errored out and here's the play-by-play of each of the windows which popped up one immediately after the other:
- I was warned about you being an unverified software publisher, which I OKed.
- "Windows cannot find 'java'. Make sure you typed the name correctly, and then try again." I OKed this one as well.
- window titled "DizzyDen's IMEI Generator" containing: "Return Code is:0 and Error Code is: 1"
- window titled "DizzyDen's IMEI Generator" containing: "Java is required on your system. You can download the current version from http://java.com"
I have JRE6 on my machine, though it is not in the system PATH.
Oh, and there were files for 7za, adb, .dll's and .jar files left behind.
Click to expand...
Click to collapse
java will need to be in your path... I have no way of including all possible locations of where it could be installed... and it is way too big to include with my program.
The left over files is due to the program exiting when it did... I will fix that in next beta... should have waited until java was tested to extract them... or have it perform cleanup before exiting on any errors... sorry bout that.... you can leave them... when you have successful run (or run beta 5 or later) it will clean them up.
For now you may have to run as administrator.... I will try to add code to avoid this in the short future.
BTW. Nowhere does getDeviceID does it say that it must be a well formed IMEI.
nemith said:
BTW. Nowhere does getDeviceID does it say that it must be a well formed IMEI.
Click to expand...
Click to collapse
As much as I admire your work... I am honored that you are even checking this out.
I do understand that as of now it is not required... but I figure if I utilize standards (as much as there are anyway) we may avoid future issues if dev's start checking for well formed IMEI's.
I figure if I'm going to make this... I might as well make it right.
As far as I can determine... if a sw dev implemented IMEI checks, the only thing that could cause them to shut down someone using this would be to check that it is a "TEST" IMEI... but I don't see that happening, because hardware manufacturers do use these in testing.
DizzyDen said:
java will need to be in your path... I have no way of including all possible locations of where it could be installed... and it is way too big to include with my program.
Click to expand...
Click to collapse
Roger that. Should the instructions then note either the required change to PATH or that the file must be run in the user's jre#\bin directory?
DizzyDen said:
The left over files is due to the program exiting when it did... I will fix that in next beta...
Click to expand...
Click to collapse
I figured as much, but thought you should know.
DizzyDen said:
For now you may have to run as administrator...
Click to expand...
Click to collapse
I ran it this way and got the same behavior.
I'll keep a lookout for further versions, test them and report.
Beta 5 is up... OP updated to include Java requirements... thank you mr_fosi for pointing this out.
RASTAVIPER said:
Good job!
Can you explain more about how rom is being affected?and what to check?
Sent from my phiremod for Nook using Tapatalk
Click to expand...
Click to collapse
Did you find the information in the thread linked in response to your questions?
TY mellopete for that.
- Plugged NC into USB port.
- Copied new B5 exe and n87 zip to java\jre6\bin directory.
- Ran exe as admin.
- Prompted for .zip check ("is this correct") and it was, so I OKed it. Not OKing it gave me the option to browse for the file, which I cancelled, resulting in a termination of the prog with a few more dialogs. Any extracted files were cleaned up an prog close, except for adb.exe (which I deal with below).
- Re-ran, exe, chose the detected n87 .zip.
- Displayed correct serial.
- Displayed correct generated 17-digit IMEI.
- Dialog contents "Modifying" gave error "Unable to open file", which I OKed.
- Several more dialogs flew by in rapid succession without error, ending with "Updating ROM" overlaid by "Updated ROM file has been saved as: cm_encore_full-87-IMEI.zip".
- Not all ancillary files were cleaned up. Two files remained: 1) IMEI.fix, a plain txt file containing the correct code to insert the generated IMEI and 2)adb.exe which could not be removed because it was still running the devices server. Running "adb kill-server" in the java\jre6\bin directory allowed me to remove adb.exe.
- A check of the modified smali showed only one instance of "getDeviceId" indicating that the smali had not been modified to add the code to spoof the IMEI.
I would also not have been able to eject my NC, had I tried, until I killed the adb server. Looks like one more line of code to add before cleanup.
BUG REPORTING:
This program was initially ineteded to generate a unique IMEI based on your device S/N and update Dev's install zip files... it has become so much more, and as such there are many functions involved in this process.
Due to the complexity the program has taken on... far beyond what I initially intended... to report bugs please try to use the following as a template:
Function attempting: i.e. Updating ROM... In Place Upgrade... Update framework saved on computer... etc.
Error Messages: any error message you receive... or the last message you saw prior to the issue.
End result: i.e. TelephonyManager updated, ROM not... TelephonyManager updated framework.jar not... etc....
Environment: ROM in same folder as !IMEIme.exe... ROM on same drive as IMEIme.exe... ROM on different drive... etc. (same for framework if updating framework instead)
!IMEIme.ini settings: you can put your entire ini file if you'd like.
If you could take notes of EXACTLY what buttons you click on which prompt it would be EXTREMELY helpful...
As I said, this program has taken on functions I initially had not imagined including... the more features added, the more complex testing and tracking bugs becomes... I don't want to include a bunch of messages just for the sake of letting you know where in the code you are... would not be beneficial to you... more buttons to click for no reason, etc.
The more detailed you can be, the quicker I can see what is happening... otherwise I have to try to duplicate what I think you are doing when you get the error.
Everyone should click "Thanks" on bug report posts... they have been instrumental in getting the program where it is so far.
RESERVED...
Adverse effects after running
First off, thanks for a wonderful application! Your app did in fact correctly give my Kindle a IDEI number, but it seems to have adverse effects.
Function attempting: Tried both in place Rom and update device and now attempting to use app with sound
Error Messages: Unfortunately DSP Manager has stopped (repeatably on any app)
End result: No sound and music apps crash. Some apps work but many do not. (I can provide logcat if needed)
Environment: Kindle Fire running cm9 using Hashcodes 3.0 Kernal latest (11) update.
!IMEIme.ini settings:
Use_In_Place = 0
Use_Previous_Patch = 0
Use_Serial_Number = 0
Use_MAC_Address = 0
Use_Manual_Input = 1
Encrypt_IMEI = 0
Use_IMEI(15) = 0
Use_ADB = 1
Use_ADB(usb) = 1
Use_ADB(WiFi) = 0
Clean_Up = 1
Include_Patch = 1
Device_Manufacturer = TI
Manufacturer_Device = Blaze
Device_Model = Full Android on Blaze or SDP
Build_Fingerprint = google/passion/passion:2.3.6/GRK39F/189904:user/release-keys
LCD_Density =
WiFi_IP_Address =
IMEI = 00127948612384612
Although I have tried multiple settings and configurations. I am sort of a noob so sorry if this is a silly problem.
Having looked into this... I can tell you there's nothing that the IMEI Generator does that would cause the issues you are seeing. I would recommend flashing a non-IMEI'd ROM for testing... then either do in place IMEI generation or running the IMEI Generator against the same ROM you flash.
For what you are doing... there are 2 files that are being modified, and neither should cause FC issues...
/sysem/build.prop for the manufacture, device, and build fingerprint
/system/framework/framework.jar is being extracted and edited to patch the IMEI in the GetDeviceID() function in android/telephony/TelephonyManager.smali and recompiled.
Clearing cache and dalvik cache may be something to try.
Thanks! Clearing both caches AFTER the install made it work great. I had been clearing all of the memory beforehand but it did not work. My apps now work great!
Motorola Razr GSM (SPDREM_U_01.6.7.2-180_SPU-19-TA-11.6_SIGNEuropeAustraliaEMEA_USASPDRICSRTGB_HWp2b_Service1FF) ICS.
I deodexed framework.jar because application seems to not work on odex files (as stock is), anyway new deodexed framework have not /com/android/internal/telephony/gsm/GSMPhone.smali file?! (or dir!!) infact !IMEIme 2.2.0.2 tell me about this issue (no GSMPhone.smali found). framework patched do not present diffecence between original one. exactly the same. no /android/telephony/TelephonyManager.smali mod applied.
I tryied to patch framework by "update device" + adb usb, with no device connected i choosed my framework.jar in my pc.
[Settings]
Use_In_Place = 1
Use_Previous_Patch = 0
Use_Serial_Number = 1
Use_MAC_Address = 0
Use_Manual_Input = 1
Encrypt_IMEI = 0
New_Type = 1
Use_IMEI(15) = 0
Use_ADB = 1
Use_ADB(usb) = 1
Use_ADB(WiFi) = 0
Clean_Up = 1
Include_Patch = 0
Device_Manufacturer =
Manufacturer_Device =
Device_Model =
Build_Fingerprint =
LCD_Density =
WiFi_IP_Address =
IMEI = 02546451548481584
stock framework.odex, jar and my deodexed framework attached.
Yes... due to another user trying to use the generator on a device with a framework.odex file instead of framework.jar I am looking into the most effective method of handling that situation. As of now... the generator will not work for you to patch imei functionality into the framework on these devices.
i deodexed also framework.jar but no way to patch it, GSMPhone.smali is missing totally even in backsmalied odex too!!!!
I decided to apply the patch manually, but without this file and TelephonyManager.smali not regoular i was thinking about hard mod by motorola?! do you know something about?
Pls man, give me an hand, show me the way, backsmali it you too http://forum.xda-developers.com/attachment.php?attachmentid=1634550&d=1357865096
I'm looking into the method to implement the imei into this.
do you mean into TelephonyManager.smali? I'm looking on it too. Seems so strange this framework...
Actually... looking through to find the best call to implement the patch into... TelephonyManager was the original method... but there may be better places to patch it.
Code:
invoke-direct {p0}, Landroid/telephony/TelephonyManager;->getSubscriberInfo()Lcom/android/internal/telephony/IPhoneSubInfo;
move-result-object v2
invoke-interface {v2}, Lcom/android/internal/telephony/IPhoneSubInfo;->getDeviceId()Ljava/lang/String;
All does make sense now:
http://grepcode.com/file/repository...nternal/telephony/IPhoneSubInfo.java?av=f#174
BUT, where is com.android.internal.telephony.iphonesubinfo!?!?! seems not present... all "internal" dir is missing here, backsmali fault or my fault?!
hiiii
hi,
any news of this? =)
This is the best software for this!
I'm working on the best solution... I understand the desire for this... but I want to ensure the method I choose is the best overall... and to ensure I can properly detect which method to implement during the operation.
If you could zip your entire /system/framework folder and add your /system/build.prop file it would help me test some things I've been putting together for odexed systems.
attaching files
DizzyDen said:
If you could zip your entire /system/framework folder and add your /system/build.prop file it would help me test some things I've been putting together for odexed systems.
Click to expand...
Click to collapse
Hi, Im attaching my files.
You can download here: w w w . 4 s h a r e d . c o m / z i p / j Q n n 9 8 _ B / s y s t e m . h t m l
Thanks for the help
Error ...
Hi Dizzy
I tried to use your update, but have a error ... My device is Motorola Razr XT910 with 4.0.4
after I choose the "framework.jar" he return this error:
Line 3710 (File: ".....\IMEI\!IMEIme.exe");
Error: Variable used without being declared.
After this the program close without any click to exit ..
Im, attaching a print screen
Tnx a lot man
waldirsp11 said:
Hi Dizzy
I tried to use your update, but have a error ... My device is Motorola Razr XT910 with 4.0.4
after I choose the "framework.jar" he return this error:
Line 3710 (File: ".....\IMEI\!IMEIme.exe");
Error: Variable used without being declared.
After this the program close without any click to exit ..
Im, attaching a print screen
Tnx a lot man
Click to expand...
Click to collapse
fixed... I guess nobody has been using the "Use Previous Fix" option for a while. New version uploaded... thank you for the bug report. The screen shots really helped track it down.
another error...
Hi DizzyDen,
I want to add an IMEI to my "SUPERPAD 6", but after the window: "IMEI is..." is displayed, then popup an autoit error window:
Line 3710 (File "..."): Error: Variable used without being declared.
Can you help?
Ponozka said:
Hi DizzyDen,
I want to add an IMEI to my "SUPERPAD 6", but after the window: "IMEI is..." is displayed, then popup an autoit error window:
Line 3710 (File "..."): Error: Variable used without being declared.
Can you help?
Click to expand...
Click to collapse
Before I start looking into this... note that the IMEI generator does not support de-odexing odexed systems yet... I would suggest using it on the ROM then flashing it to the device and let the device odex it again.
I Have decided that this thread has served it's purpose and will now be closed to future posts. Please direct and 'non' SHV-E160L post's to
Brixfix V2
Please can all Ongoing jobs/works migrate to the above thread.
-----------Final Notes--------------
It has been mentioned many times that i should go back and correct the information below, i started to correct a few post's then realized i was removing the flavour in change of colour and size, parts of this thread documents my mistakes, assumptions and general lack of understanding of how we NOOBS post on XDA, It's with that in mind that i have decided to leave the mistakes in, so you can see in writing what i gained from the support of other Devs here.
Now, if you are NOOB in anyway or have a few questions please click HELP
If you are bricked and need help, read this thread first, there is NO one CLICK solution for anything, even this mentioned device.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So you Brixed/bricced/BOD/QDL/EDLOAD/QHS-USB/05c6:9008/05c6:9025/ your device? Need a Oil and brush , Need help, follow this
One, Rules
Two, Understanding
--------------------------------------------------------------------------
Tip From the Author,
Some of you may have noticed that i did not start the original thread with a question, I did something my mentor taught me at around 9 years old but didn't put into good use until much later in life.
The tip is write things down as a question for yourself, in the writing process you get to pass the information past the part of your brain that interprets information, virtual sounding board, before posting as a question for others.
--------------------------------------------------------------------------
New Tools for debricking, goto
Brixfix V2
---------------------------Further Info Info -----------------------------
** I have Since Fixed the device and developed soultions for non shv-e160l devices. Prior posts are undergoing edit's for corrections.
** if you want the glory shot, sorry you will just have to read through.
** If you are selling this as a solution, dont. I know who you are.
---------------------------Original Post-----------------------------
Hi All
As i mentioned on this thread http://forum.xda-developers.com/showthread.php?p=32231827#post32231827 i will be attempting to come up with a home grown debrick solution for a SHV-E160L samsung note from korea.
I will use the forum to document what i am doing, i am very new to this so correct me please if i am wrong. I have never done Android dev work at any time but i have a very good understanding of the logic behind it all. `
Things i Have :-
Phone ( SHV-E160L)
bus pirate v3 with jtag firmware
openocd compiled on ubuntu and centos 6
smd jtag adapter and relay wire ( magnetic wire)
things i still need :-
openocd target config file for MSM8660 Snapdragon cpu (and a better understanding of eMMC access, how to load boot loaders either into ram or eMMC or trigger fail over boot to sc-card, USB via software or X0M/Boot pins)
assembled jtag (it's the smallest soldering i've ever seen)
.PIT file for 32GB model (if someone could pull the .PIT file from a working unit I would be happy, specify your radio/kernel versions when uploading)
micro fine solder iron tip and 20w iron (i've got 60w but too high for this type of work)
Does anyone have a idea of the SD-CARD partition layout, files for snapdragon devices, google has given me much for other devices but not a snapdragon .
Another question, I've used the USB jig to trigger 301K mode USB-Factory and seen no activity in dmesg for usb devices, i've yet to try windows, does windows/linux behave in a different way when it comes to usb , as in windows see's the qualcom usb mode but not linux ? does the usb client device always start the comms?
using the 615K usb jig i get nothing too, no pbl message from samsung (hence i am led to think is's the pbl/sbl thats damaged)
My understanding up boot is as follows
iROM code
This loads basic settings to boot the PBL (iROM is in rom) the PBL is loaded into radio(modem) cpu and then loads the SBL(s)
PBL/SBL stored in eMMC at address ????? (need to document the address for the masked access to eMMC and jtag/openocd access unmasked access)
Once the SBL is loaded you with have the ODIN mode (USB/UART)
from what i can see of commercial JTAG boxes is the access the radio cpu via jtag, write a new PBL/SBL to the eMMC then halt/reset cpu which now loads the new bootloaders, (resurrect dead body)
The openocd TAP id for the cpu should be 0x105310E1 but thats a number i got from a riff box log, not any actual testing ( still need to solder the fine pitch connector)
Here is a log from a riff box, not sure if the address's are usable accross to opencd
Taken from gsm-forums:-
Open serial port...OK
Connecting to the RIFF Box...OK
Firmware Version: 1.33, JTAG Manager Version: 1.44
Selected Resurrector: [Samsung E160K V1.0.4535.7001]
Connecting to the dead body...OK
Detected dead body ID: 0x105310E1 - IGNORED!
Set I/O Voltage reads as 1.79V, TCK Frequency is RTCK
Adaptive Clocking RTCK Sampling is: [Sample at MAX]
Resurrection sequence started.
Establish communication with the phone...OK
Initializing internal hardware configuration...OK
Uploading resurrector data into memory...OK
Starting communication with resurrector...OK
Detected an Initialized FLASH1 Chip, ID: 0x0015/0x0000 (KTS00M, 0x0003AB400000 Bytes = 14.68 GB)
Detected an Initialized FLASH2 Chip, ID: 0x0015/0x0000 (KTS00M, 0x000000200000 Bytes = 2.00 MB)
Flashing the dead body...OK
Resurrection complete!
Click to expand...
Click to collapse
I did notice one thing, the riff box opens the serial port, i wonder if they load PBL+SBL into memory, reset the cpu, then using the serial connection activate download mode ? (like on the captive)
I also dont know how the cpu (jtag TAP id? ) and flash variables translate accross to openocd as ive not found a target config file yet ( or my searching is wrong)
in the full stock Firmware I was able to extract the .tar file which contained,
Code:
amss.bin <-- application cpu boot files ?
boot.img <-- kernel/initrd ramdrive
mdm.bin <-- modem cpu boot files
recovery.img <--- recovery image
system.img.ext4 <---- rest of the system applications
so i think we have the two cpu firmware/boot loaders in the .bin files, these bin files are just fat32 images, to access in ubuntu use
Code:
mount -o loop mdm.bin /mnt/mdmmountlocation
My guess is my first approach is getting the right PBL/SBL into the system and getting some feed back via uart, i have the jtag pinouts and further reserach says there is a UART2 on the jtag header, so when soldering up my jtag adapter i will include all pins if i can and sniff for serial logic, i happen to have a Open source logic sniffer, great tool as i do a lot of hacking into serial devices like scales and till printers .
back to topic.
When i do get to the jtag part at a minimum i should have access to the modem radio, afaik jtag devices connect in chains and most of the IC's that have jtag on the phones board all should link to the master device (i am thinking it's the modem cpu, no application) and that the Two cpu's share the eMMC memory some how, or it could be one cpu loads it into the other (it is connected via jtag down the chain) .
hopefully someone could correct me there.
Most of this is theory and my guess work, correct me if you find a mistake. most of the research is only over a few days too so i am far from finished there, does not help that most of the users speak a language that google translate just does not have a flair for.
Most of the info seems to suggest the modem cpu is the first inline so i decided to look further into the files there, notice the mdm.bin file is 23Mb, thats large, when mounted i notice the is a folder called 'image' ( amms.bin has folder called IMAGE , note the case difference, dont yet know whay)
in image folder we have :-
Code:
1.3M Sep 30 13:07 AMSS.MBN
35K Sep 30 13:07 DBL.MBN
2.2M Sep 30 13:07 DSP1.MBN
19M Sep 30 13:07 DSP2.MBN
40 Sep 30 13:07 EFS1.MBN
40 Sep 30 13:07 EFS2.MBN
40 Sep 30 13:07 EFS3.MBN
295K Sep 30 13:07 OSBL.MBN
Ah, i see amss.mbm , that must be the boot loader for the application cpu, DBL.MBM seems to be the PBL , OSBL.MBM could be the SBL
then there is the DSP/EFS files, I did do the command strings on all the files,
DBL.MBM does not have any text in the file that points to being able to do UART on boot, all text seems internal like pointers and references to the original build files e.g
Code:
D:\Q1LGT_MDM\MDM9600\modem_proc\core\boot\secboot2\dbl\target\mdm9x00\src\dbl_ddr.c
9x00B-SCAQSVZM-31613102
D:\Q1LGT_MDM\MDM9600\modem_proc\core\boot\secboot2\dbl\target\mdm9x00\src\dbl_sahara.c
but it also does contain data like this
Code:
auth_image
@[email protected]
@configure_hw
@flash_init
l0:eek:SBL
load_osbl_img
@DBL, Start
hw_init
so it looks more likley that dbl is first in the chain, it refers to loading osbl and configure hardware, i wonder if it means USB/UART at this stage or setting up ram and other GPIO's
in OSBL.MBM we have more interesting text
Code:
MbP?
Unable to attached to ChipInfo DAL
SAMSUNG
TOSHIBA
Flash: Failed to do initialization for probe!
ONFIx
0:ALL
Flash: Multi 2X page read not supported!
Flash: Multi 2X page write not supported!
boot_qdsps
OSBL
hw_init
hw_init_secondary
OSBL, Start
create_vector_table
ram_init
retrieve_shared
clobber_add_protection
mmu_flush_cache
OSBL, End
OSBL, Delta
osbl_sahara_load_amss
osbl_sahara_load_dsp1
osbl_sahara_load_dsp2
osbl_sahara_load_ramfs1
osbl_sahara_load_ramfs2
osbl_sahara_load_ramfs3
smem_boot_init
so it is looking more and more like DBL then SBL which then loads all of the other parts , also if you notice EFS1/2/3 are all tiny 40byte files, now i see why, they are loaded as ram-drives, so i assume those file set out the basic EFS file system in the ram.
again from research the boot stages are often counted as 3, i am assuming the real first part is in rom of the cpu (is this what triggers the qualcom download mode ) that loads DBL from eMMC and chain loads SBL
Now looking around the riff forums i see the list the info in a different way
Code:
Partition 0
SBL1
SBL2
Partition 1
RPM
SBL3
eMMC APPSBoot
TZ
.PIT
Click to expand...
Click to collapse
TZ i think is Trusted Zone
RPM - Power manager ?
now how this translates to file name from full flash and to mmcblk0p1 partitions i have yet to find out, i still dont have a .PIT file from a 32gb model
More updates to come,
regards
DarkSpr1te
CPU Boot order updates
So my digging has taken me back round to some of me early searching which i forgot about , hardware level seems to support the qualcom usb mode, but it can be disabled by manufacturer, so even if you find a resistor to the BOOT_CONFIG GPIO and ground it , it still may not work, and you could toast your board. once the qfuse is gone for that track, the maker can now use the gpio for anything else, it no longer controls the iROM branch choice ( CPU:do i start usb first or last?), it my thinking that on the first board sent out by the designers for a final production run ( those first public devices) they keep the option open to print off DEV models by changing the resistors/value of while the hardware stays same, not to be confused with dev board, that is pin/track simlar but is used to design the software mainly, sometimes hardware debug but as you change the hardware between the dev platform and production this is less helpful, google new.intrinsyc.com and apq8060, they produce a dev board that is the same as the device we hold, but everything is broken out for testing so don't expect to see this left in a bar for you to e-bay.
EDIT:
Above I refer to a dev phone and dev board, these are SURF and FFA, FFA is form factor accurate and SURF is Subscriber Unit Reference.
Here is the link, http://forum.xda-developers.com/showthread.php?t=1856327
Now from what i see, it's the same(edit:simlar) X0M pin setup as other phones, ground the right pin, reverse boot order, but this maybe two pins in the snapdragon,
[copied from other link]
Simplified table:
Code:
------------------------------------------------------------------
BC[5:0] Mapping
------------------------------------------------------------------
0b00000 Emergency Boot from SDC3 (SD) followed by USB-HS
0b00001 SDC3 followed by SDC1 (eMMC)
0b00010 SDC3 followed by SDC2 (if used)
0b00011 SDC1 (eMMC)
Click to expand...
Click to collapse
So if 0b00000 is EM boot and the docs say the the two gpio's that control this (if qfuse not blown) are taken high then it's 0b00011, so grounding those two resistors should give us 0b00000 or EM boot, the cpu docs also say they are internally grounded, the schematic says the voltage goes throught a 10k resistor, so grounding that side of the resistor that 'goes' to the cpu should change the boot order, but before trying this out, remember if you get the live side of the resistor the is no resistor between your probe and ground, that full current, short, blown, no more johnny 5.
Have you managed to unbrick the E160L?
darkspr1te said:
So my digging has taken me back round to some of me early searching which i forgot about , hardware level seems to support the qualcom usb mode, but it can be disabled by manufacturer, so even if you find a resistor to the BOOT_CONFIG GPIO and ground it , it still may not work, and you could toast your board. once the qfuse is gone for that track, the maker can now use the gpio for anything else, it no longer controls the iROM branch choice ( CPU:do i start usb first or last?), it my thinking that on the first board sent out by the designers for a final production run ( those first public devices) they keep the option open to print off DEV models by changing the resistors/value of while the hardware stays same, not to be confused with dev board, that is pin/track simlar but is used to design the software mainly, sometimes hardware debug but as you change the hardware between the dev platform and production this is less helpful, google new.intrinsyc.com and apq8060, they produce a dev board that is the same as the device we hold, but everything is broken out for testing so don't expect to see this left in a bar for you to e-bay.
Here is the link, http://forum.xda-developers.com/showthread.php?t=1856327
Now from what i see, it's the same(edit:simlar) X0M pin setup as other phones, ground the right pin, reverse boot order, but this maybe two pins in the snapdragon,
[copied from other link]
Simplified table:
Code:
------------------------------------------------------------------
BC[5:0] Mapping
------------------------------------------------------------------
0b00000 Emergency Boot from SDC3 (SD) followed by USB-HS
0b00001 SDC3 followed by SDC1 (eMMC)
0b00010 SDC3 followed by SDC2 (if used)
0b00011 SDC1 (eMMC)
So if 0b00000 is EM boot and the docs say the the two gpio's that control this (if qfuse not blown) are taken high then it's 0b00011, so grounding those two resistors should give us 0b00000 or EM boot, the cpu docs also say they are internally grounded, the schematic says the voltage goes throught a 10k resistor, so grounding that side of the resistor that 'goes' to the cpu should change the boot order, but before trying this out, remember if you get the live side of the resistor the is no resistor between your probe and ground, that full current, short, blown, no more johnny 5.
Click to expand...
Click to collapse
I think my E160L got a real brick today after I tried to flash a modified Rom downloaded from a Chinese forum. It can not be powered on after rebooting (installed successfully). I desperately need advice now on how to deal with it.
Jeff_GTA said:
I think my E160L got a real brick today after I tried to flash a modified Rom downloaded from a Chinese forum. It can not be powered on after rebooting (installed successfully). I desperately need advice now on how to deal with it.
Click to expand...
Click to collapse
Do you have any backups like nandroid ? does the 3 button boot still work ?
Regards
Have you looked into using ort-jtag. It's only about $150 (USD).
I've been looking into this myself for low-level debugging/bootloader development on SGH-T959V and SGH-I717.
All three of these devices are supported by ort-jtag and have header connectors for the jtag pins.
So I'm also getting some of these from digi-key, and making a small receptacle, much like in AdamOutler's captivate bootloader development thread. (search for k-ww)
Again, ort-jtag does support the SHV-E160L. (search that link for SHV-E160L)
PBL Dump - I think
So ive been doing some tests.
I think i managed to dump the PBL
i dumped memory and a strings search return this
Code:
pbl_error_handler.c
pbl_flash_nand.c
pbl_flash.c
dload.c
pbl_flash_nand.c
pbl_flash_onenand.c
pbl_auth\secboot_rsa_math.c
pbl_error_handler.c
pbl_auth.c
pbl_auth.c
pbl_auth.c
pbl_auth.c
pbl_auth.c
pbl_mc.c
pbl_mc.c
pbl_error_handler.c
and
Code:
qhsusb\src\dci\qhsusb_dci.c
}^PBL_DloadVER1.0
!8}^
}]^}^
Q`omm
z8}]
DEBUG
SW_ID
OEM_ID
pbl_flash_onfi.c
pbl_flash_nand.c
pbl_flash_sflashc.c
pbl_loader.c
pbl_flash_sdcc.c
pbl_auth.c
pbl_auth\secboot.c
pbl_auth\secboot_x509.c
QUALCOMM COPYRIGHT 2009BOOT ROM VERSION: 1.4QHSUSB VERSION: 00.00.08
BOOT ROM AUTHOR: DHAVAL PATEL
07 0000 SHA1
does any one want the dump that can reverse it ?
Dumps & execute address
I also need the help of other SHV-E160? owners, i need dumps from working phones, i managed to create a 8660_msimage.mbn and flashed it, but i was using i717 bootloaders and i dont think they will work, i need working dumps from working phones, starting with partition table layout, sbl1.mbn and sbl2.mbn
Does anyone know if the is is correct
SBL1 exec address 0x2A000000
SBL2 exec address 0x2E000000
as i can upload the sbl to 0x2a000000 but not the sbl2 to 0x2e000000
i can also upload the tz.mbn to 0x2a020000
i am trying to use sec boot 3 based call stack but am unsure of the real exec values
Ive seen in another post these values
"
It looks like ours deviates slightly from this.
If the headers are to be believed,
TZ is loaded at 0x2A000000
SBL3 is loaded at 0x8FF00000
APPSBL/aboot is loaded at 0x88E00000
"
the post is
http://forum.xda-developers.com/showpost.php?p=30057296&postcount=243
it does explain why i cant load into 0x2e000000
Progress
So today i made real progress, I have been able to flash a basic program to allow me to access the EMMC, i have taken a full backup and now i need to start scanning the dump for need information,
I still need help from other users so please if you are will to provide me dumps of your working device that would help me a great deal
So Part One is a sucess, I have been able to flash my own code and power on the galaxy note. next step is rebuilding the emmc partition tables, testdisk can find the partitions but is not alowing me to write a non standard partition table (which emmc seems to be formatted with)
Thanks
darkspr1te
help QPST Software Download
Hi,
I'm stuck with the same problem can you tell me what image you use to the phone. I stuck here. I' m really don't know what to do?
Thank you for your help.
tyllerdurdent said:
Hi,
I'm stuck with the same problem can you tell me what image you use to the phone. I stuck here. I' m really don't know what to do?
Thank you for your help.
Click to expand...
Click to collapse
First thing i must say is dont flash your phone just yet!! walking blindly into this could render your phone useless due to certain data being lost for good.
if you still wish to continue i will upload a basic guide and files. My method is still in development, it has many bugs ( i flashed the phone with i717 roms, working, SHV-E120 roms, working, N7000 rom complete fail)
But first some questions,
Which model phone is it?
what happened to get you to the point of needing the flash ? ( i ask so i can trace why the bricks are happening and hopefully fix it)
thank you for your help, I will be waiting your method and your files.
Thank you so much for your help.
My phone is a samsung galaxy note SHV-E160L korean version.
what happen was:
I tried to upgrade the firmware with kies and suddenly the program crash. My phone enter in an error issue with the firmware and said use emergency recovery mode.
I tried the recovery several times (uninstalling kies and install it again but that never work).
So, I download odin and this files to restore the original firmware:
CSC - GT-N7000-MULTI-CSC-OZSLPF.tar.md5
Phone - MODEM_N7000XXLR1_REV_05_CL1144476.tar.md5
Bootloader- N7000_APBOOT_N7000ZSLPF_CL558430_REV02_user_low_sh ip.tar.md5
PDA - N7000_CODE_N7000ZSLPF_CL558430_REV02_user_low_ship .tar.md5
Pit for 16GB - Q1_20110914_16GB.pit
I connect my phone and try to install the firmware again, but odin fail and my samsung became a nice brick.
The phone currently does not turn on, the phone is in download mode and I install QPST and the program recognize the system in download mode.
I want to try your method because other information I collected said that I have to send it to guarantee.
Can I install i717 rom in the E160L?
I will be waiting for your post because sincerely I don't know how to repair it.
Thank you so much.
Hello darkspr1te
First of all, nice work there (though I didn't understood most of the things there, but seems there is some good work going on on our SHV-E160's
On your comment;
( i flashed the phone with i717 roms, working, SHV-E120 roms, working, N7000 rom complete fail)
Does that mean that i717 roms can work on the SHV-E160 devices? Please share if that is the case.
The geeky bits
tyllerdurdent said:
Thank you so much for your help.
My phone is a samsung galaxy note SHV-E160L korean version.
what happen was:
I tried to upgrade the firmware with kies and suddenly the program crash. My phone enter in an error issue with the firmware and said use emergency recovery mode.
I tried the recovery several times (uninstalling kies and install it again but that never work).
So, I download odin and this files to restore the original firmware:
CSC - GT-N7000-MULTI-CSC-OZSLPF.tar.md5
Phone - MODEM_N7000XXLR1_REV_05_CL1144476.tar.md5
Bootloader- N7000_APBOOT_N7000ZSLPF_CL558430_REV02_user_low_sh ip.tar.md5
PDA - N7000_CODE_N7000ZSLPF_CL558430_REV02_user_low_ship .tar.md5
Pit for 16GB - Q1_20110914_16GB.pit
I connect my phone and try to install the firmware again, but odin fail and my samsung became a nice brick.
The phone currently does not turn on, the phone is in download mode and I install QPST and the program recognize the system in download mode.
I want to try your method because other information I collected said that I have to send it to guarantee.
Can I install i717 rom in the E160L?
I will be waiting for your post because sincerely I don't know how to repair it.
Thank you so much.
Click to expand...
Click to collapse
Ok, as i said it's still a work in progress at the moment.
I used the i717 bootloaders (thats why we have a brick as it's not getting to the aboot loader or little kernel as some other refer to it) and E160 modem and application cpu as my first target is getting odin mode back.
I was able to also use the E120 bootloaders (screen was messed up though )
I've just got home from a very long shift so i will do a full and clear write up ( STILL a work in progress ) tomorrow (20th)
but i will explain the basic now as you do need to download large files before we continue.
First you need to download the same firmware as you were originally on before the brick, The reason is because between versions i suspect there is minor changes in partition tables (that why the n7000 roms brick )
If you dont have the latest QPST (2.7.3xx or higher ) please google for it now, there are many sites that offer it. (links will folllow tomorrow)
also down load :-
ABOOT_SGH-I717M_I717MUGLA2_user_CL875155_REV00.tar (or tar.md5 )
i717-GB-Modem.tar (or .md5)
now my initital work was based off a chinese link for the A820L
http://blog.csdn.net/su_ky/article/details/7773273
To save you the time of many hours of translation and cross reference here is the quick run down
When the phone is in QDLoad mode its because the PBL (Stored in ROM , read only memory) could not start SBL1 or SBL2 , it stores the error in IRAM location 0x3FF18 and then goes to QDLoad fail mode. At this point it has tried uart, sd-card before hand and those failed too.
IRAM is the small built in memory of the MSM8660 CPU, it has not initiated the main SYSTEM ram yet so our memory space ro running code is 87k and 256k (refer to document 8960_boot_architecture.pdf found the unlock bootloaders section.
Now because our partition table and or our bootloaders are damaged (or we have emmc brick bug) we have to rewrite that data again to revive our bricks.
This is where it gets hard, and where my warnings now come into play.
right now you must think of the EMMC chip (its the name for the internal SD-CARD we boot from and store our normal data, imei and all the other data of the system, it is just a sc-card with better security for our purpose)
This emmc chip holds all of you settings for phone function and we must not loose that,
But...
we have to write data to the chip to boot again, I am not fully aware of all the memory locations so this is assumptions on my part.
we are going to write a basic bootloader that turns the whole phone into a sd-card, then write new bootloaders
using QPST we upload 8660_msimage.mbn (its a out of the box emmc factory image) this file is ment for setting up of dev versions of the phone, it made up of the following parts
sector 0 partition table or (partition0.bin AFTER patching with info from patch0.xml) I do not have a real copy of the original of this, it can be pulled from a working SVH-E160x using the code at the end.
after the MBR (which is the first part of the partiton make up, EBR follows, we can have 3 primary partitions and the fourth is a extended which is just another partiton table pointing to the next EBR and so on, upto 29 parititons i think)
anyway, after the MBR is SBL1, which chainloads SBL2 then that side loads RPM, gets a go signal then loads SBL3, when SBL3 is done most of the device hardware has been mapped into the cpu's memory table, SDRAM is now ready for larger code,
aboot now loads
some of the above loading functions occur at the same time and some wait on go signals from other code in other CPU's and some fail due corruption and or security check fails( JTAG users can watch the memory as it changes and halt, change data and continue which is why JTAGers's have more power , we dont have loader outputting data yet so no feed back, hence the brick)
when aboot is loaded we now have access to odin, so thats the goal, get aboot loaded for now who cares about the rest of the funtions.
we do need to care about those function later so thats why we will backup the entire system, i dont know if this will really work when restored and bring back all of our settings, thats later,
So onto the writing and possibly overwriting of important information, WARNING, i dont know yet if we are overwriting imei or simalr data yet so proceed at your own risk.
We will get the required from factory (qualcomm test or dev board not samsung factory in the box for consumer) from the MUI phone firmware
http://bigota.d.miui.com/QDN43/Mioneplus_QDN43_fastboot_Android_4.0_d3d83nmdk2.zip
from this zip we want 8660_msimage.mbn, patch0.xml, partition0.bin MPRG8660.hex ( this file is uploaded first, its a serial bootloader that is loaded at 0x2a000000 (start of PBL IRAM space 256k in size) and that setups a emmc to command access (we use revskill to upload the same file and dump memory , sadly ive not found a way of pulling the entire emmc to a backup, if we can figure that out we can pull the entire boot chain, fix it and send it back with what ever versions we desire, for now revskill is used to read the PBL error so we can at least see why we cant boot, not quite jtag but best we got ))
so now we have a phone running a basic bit of code that allows us to use code sent to serial port to write (possibly read) the emmc
we then use QPST to write the 8660_msimage.mbn as a one to one copy to the very start of the emmc , reboot phone and then when the phone restarts, it sets up the ram, some hardware (charging system, you will now notice your phone gets warmer that before when plugged in) and gives us direct access to the emmc as if it was a sd-card
at this point you could move the phone to any pc and it's just a sd-card branded qualcomm
BUT at this point the pc or any other computer you connect it too only see's the partition table contained in the 8660_msimage.mbn file , you other data is there so i advise the next step you MUST do.
connect the phone to a linux computer (use a live cd or live usb if you are not a normal linux user)
you will then run the following command
Code:
dd if=/dev/sd? of=/mount/location/shv-e160-full-emmc.bin bs=512
? is the letter of the drive , use dmesg and look for sdb or sdc , if you dont understand this part then i would suggest waiting for a possible script/one click solution. right now i am still booting only 1 in 20 boots and do not yet know why the boots fail and why some work.
of=/mount... this is where you will place the entire 16GB (32GB for 32gb models ) which should be a one to one copy of the system
the bs=512 is very important, it's block size, again, if you dont understand then maybe wait.
Thats enough for now, i am going to spend a hour or two working on some theories i came up with today.
user with working phones, please google how to backup parts of your phone, this may happen to you so it's best to backup asap !!!
from the blog.csd site a script to grab the partition table data, if a working usr could please run this and post the file, it does not contain user data only the partiton table and a direct 1 to 1 restore for any phone, i think it possible to write that direct back to a QDLoad mode phone, re write the bootloaders from linux and bingo working phone. i dont have backups as it's not my phone, it belongs to a client who knows i like to tinker with electronics.
anyway, once i have the partition file i can overlay it on my test phone (which i can activate QSLoad at any time, hence it's unbrick-able dev mode)
once the partition file is written to my phone, i can build a script to backup your important data, write known working bootloaders, and reboot the phone into a usable device.
here is the script in python (user linux live cd with a copy of adb, just google adb linux pack, there is a windows and linux allin one pack)
or you can get the original from the link above, i've not tested this as i dont have a device in adb mode but i've read through it and it looks sound but never tested by me.
Well i hope that enlightens you, am sorry i dont have a all in one solution for you, it's still a dev project and most of the information i have has only been collected over the past week, i only discovered it's QSDload after getting a msm8660 schematic and i still dont know what i am trully shorting out to trigger the QSDload when ever i want, even when it's booted
If any one from the unbrickable project(s) want to get in touch to share info i would be happy, i am also sure this is a usable solution for HTC phones as well
oh and one last thing
i read only a hour ago (via cell phone while in a car so not 100%) that once the phone is in QSDload and stays in QSDload on every power cycle then we can write the partition table to a SD-CARD and it will boot that, i have not tested that yet, i will try and see if the 8660_msimage.mbn file written to a sd-card works
I also suspect that some of my good boots have been when i've mixed up the sdcard with system.img.ext4 etc on it with the one with just update.zip on it. it's one my list of things to check , any suggestions are welcome as to how i correctly format the card (heads,cylinders, block size etc)
ok folks, hope this helps
COPY TEXT BELOW ONLY INTO A FILE AND RUN WITH PYTHON (linux is easier, may be possible to use a vm box, i am but linux is my main os and windows is the vm)
Code:
import os
from struct import *
def mbr():
global offset, partitions
os.popen("adb shell su -c 'dd if=/dev/block/mmcblk0 of=/cache/partition0.bin bs=512 count=1'").close()
os.popen("adb shell su -c 'cp /cache/partition0.bin /sdcard/partition0.bin'").close()
os.popen("adb pull /sdcard/partition0.bin .").close()
f = open("partition0.bin", 'rb')
data = f.read()
f.close()
partitions = [ ]
n=0
while True:
buf = data[446+(16*n):446+(16*(n+1))]
partition = dict(zip(('boot', 'id', 'start', 'size'), unpack('4I', buf)))
partition['type'] = "MBR"
n += 1
partition['no'] = n
partitions.append(partition)
if partition['id'] == 5:
offset = partition['start']
break
def ebr():
global offset, partitions
n = 0
while True:
a = 0
os.popen("adb shell su -c 'dd if=/dev/block/mmcblk0 of=/cache/ebr bs=512 count=1 skip=" + str(offset+n) + "\'").close()
n += 1
os.popen("adb shell su -c 'dd if=/cache/ebr of=/cache/partition0.bin bs=512 count=1 seek=" + str(n) + "'").close()
os.popen("adb shell su -c 'cp /cache/ebr /sdcard/partition0.bin'").close()
os.popen("adb pull /sdcard/partition0.bin .").close()
f = open("partition0.bin", 'rb')
data = f.read()
f.close()
while True:
buf = data[446+16*a:446+16*(a+1)]
partition = dict(zip(('boot', 'id', 'start', 'size'), unpack('4I', buf)))
if partition['id'] == 5:
break
if partition['id'] == 0:
return
partition['type'] = "EBR"
partition['no'] = n
partition['start'] += n-1+offset
partitions.append(partition)
a += 1
if __name__ == "__main__":
mbr()
ebr()
os.popen("adb shell su -c 'cp /cache/partition0.bin /sdcard/partition0.bin'").close()
os.popen("adb pull /sdcard/partition0.bin .").close()
for part in partitions:
print "%s %2i, Boot: 0x%02X, Id: 0x%02X, Start: 0x%08X (%8i), Size: 0x%08X (%8i, %8i KB)" % (part['type'], part['no'], part['boot'],part['id'], part['start'], part['start'], part['size'], part['size'], part['size']/2)
Click to expand...
Click to collapse
beginning
thank you for your help,
I currently have the qpst version 2.7 build 373. You think is enough of download the same version of Chinese post QPST.2.7.374.rar
I will begin to download the other files required and I will be commenting my progress.
Thank you so much for your help, i really appreciate that you share you r knowledge.
Requests
While i try some theories if othe users could possibly provide me with :-
Original partition table via script above and also via adb
use
adb and run
Code:
cat /proc/partitions > /sdcard/partitions.txt
fdisk -l /dev/block/mmcblk0 > /sdcard/fdisklist.txt
mount > /sdcard/mountlist.txt
Then on the pc side using ADB again do the following
Code:
adb pull /sdcard/partitions.txt
adb pull /sdcard/fdisklist.txt
adb pull /sdcard/mountlist.txt
and post those files.
there are many posts on it so wont repeat but later will add a link.
along with some spell checks :laugh:
if you can dump the boot loaders from a original e160x too as my data started currupt.
i also need to talk to someone who can assist me in writing a program to take the pit file and turn it into this
Code:
<?xml version="1.0" ?>
<data>
<!--NOTE: Sector size is 512bytes-->
<program file_sector_offset="0" filename="" label="SMD_HDR" num_partition_sectors="65536" physical_partition_number="0" size_in_KB="32768.0" start_sector="1"/>
<program file_sector_offset="0" filename="sbl1.mbn" label="SBL1" num_partition_sectors="1000" physical_partition_number="0" size_in_KB="500.0" start_sector="65537"/>
<program file_sector_offset="0" filename="sbl2.mbn" label="SBL2" num_partition_sectors="3000" physical_partition_number="0" size_in_KB="1500.0" start_sector="66537"/>
<program file_sector_offset="0" filename="rpm.mbn" label="RPM" num_partition_sectors="1000" physical_partition_number="0" size_in_KB="500.0" start_sector="69559"/>
<program file_sector_offset="0" filename="sbl3.mbn" label="SBL3" num_partition_sectors="4096" physical_partition_number="0" size_in_KB="2048.0" start_sector="70559"/>
<program file_sector_offset="0" filename="aboot.mbn" label="ABOOT" num_partition_sectors="5000" physical_partition_number="0" size_in_KB="2500.0" start_sector="74655"/>
<program file_sector_offset="0" filename="" label="BOOT" num_partition_sectors="20480" physical_partition_number="0" size_in_KB="10240.0" start_sector="79655"/>
<program file_sector_offset="0" filename="tz.mbn" label="TZ" num_partition_sectors="1000" physical_partition_number="0" size_in_KB="500.0" start_sector="100135"/>
<program file_sector_offset="0" filename="partition0.bin" label="MBR" num_partition_sectors="1" physical_partition_number="0" size_in_KB="0.5" start_sector="0"/>
<program file_sector_offset="1" filename="partition0.bin" label="EXT" num_partition_sectors="22" physical_partition_number="0" size_in_KB="11.0" start_sector="69537"/>
</data>
Click to expand...
Click to collapse
*edit
the partiton0.bin provided below is 8.5kb (.5kb MBR, 8kb EBR) and in raw_program0.xml bove it say 0.5kb and 11kb, making that file 11.5kb, i dont know if the A810 has larger or smaller EBR than us, it could be they pulled extra, in my reading of the dumps i've seen lots of padded 0's after files (between sbl2/ebr/rpm) anyway if you just copy paste it will throw a error, ive got it set at 0.5 and 8.
EDIT:- Do not use this file, ive uploaded newer files later on.
some of the questions i need to answer are :-
1. what is the first partition, it's dos, around 105mb and labled smd_hdr and is filled with smd_hdr.bin (or mbn)
2. what are the real sector locations of the files, above you will see the rawpartiton0.xml file, this tells QPST where in the emmc to put the data num_partiton_sectors does match data from the pit files, but i dont know the real offsets yet, (samsung or htc could put the rest of the partiton table in cpu qfuse data areas and not write it to the emmc to confuse us and write the real files to another location and use the pit file as a base+offset calculation)
start_sector is the real location on the emmc, where it starts writing the file.
at the end is partiton locations(its a generic file containing the first few byes of default partition table, patch0.xml then updates this data), i dont have our device specific figures yet, i also dont fully understand patch0.xml and the difference in figures used.
if we have a backup of each of the different version of android partitons we could just write that in replacement of partiton0.bin and we dont need patch0.xml, this file sole job to alter the generic files, oem's have the choice of changing this data.
Code:
<?xml version="1.0" ?>
<patches>
<!--NOTE: This is an ** Autogenerated file **-->
<!--NOTE: Patching is in little endian format, i.e. 0xAABBCCDD will look like DD CC BB AA in the file or on disk-->
<!--NOTE: This file is used by Trace32 - So make sure to add decimals, i.e. 0x10-10=0, *but* 0x10-10.=6.-->
<patch byte_offset="506" filename="partition0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="0" value="NUM_DISK_SECTORS-208801." what="Update MBR with the length of the EXT Partition."/>
<patch byte_offset="506" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="0" value="NUM_DISK_SECTORS-208801." what="Update MBR with the length of the EXT Partition."/>
<patch byte_offset="458" filename="partition0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="16" value="NUM_DISK_SECTORS-1695744." what="Update final partition with actual size."/>
<patch byte_offset="458" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="208816" value="NUM_DISK_SECTORS-1695744." what="Update final partition with actual size."/>
</patches>
Click to expand...
Click to collapse
please note that it's two lines of the same code except one is partition0.bin and the other is DISK,
Do we need both? i know if i dont add the partiton0 section used in raw_program.xml then the drive is blank in linux,
now it's my understanding that the ebr comes as the forth partiton and it point to the next one , above in patch0.xml it start at NUM_DISK_SECTORS-1695744
i am still trying to better understand these figures,
Well time to grab coffee, i guess it's a dev night in.
the file MPRG8660.HEX can be renamed EMMCBLD.HEX and it triggers QPST to always look for a QDLoad mode phone and not debug, you can place all the files you need in one folder, i advise you to keep the originals in one location and only extract what your need to your worrking folder, copy emmcswdowload.exe from the QPST folder there too, we might need to do command line work, ive read that you can pre-create images in emmcswdownload (the same way 8660_msimage.mbn was created ) that you could just drop onto a phone once it's in emmc sd-card mode, almost a one click.
More info, plus help offered
Your welcome tyllerdurdent,
I am going to be putting a few hours into the dev from now actually for if you want assistance then no problems,
I also advise the following, download ubuntu live cd, it has a lot of tools your going to need to extract data you require, if we go step by step we might be good, i did a lot of test writing before i got my first boot, and that again only happens one in 20, i dont know why.
the rawpartiton0.xml above is incorrect for our devices as it states the first partion is 32mb, (i think it's ment to be amss.mbn, or NON-HLOS.mbn , our pit file which i did extract from my emmc dump says it's 105mb. i am confused and to why rawpartiton0.xml says the first bootloader is at start_sector="65537" but fdisk shows it as start 204801, i think someone needs to show me how to convert from blocks to sectors,
in patch0.xml it says
Code:
<patch byte_offset="506" filename="partition0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="0" value="NUM_DISK_SECTORS-208801." what="Update MBR with the length of the EXT Partition."/>
Click to expand...
Click to collapse
208801 is where we have our ebr start,
i also think the IROM based pbl, sbl etc use the partition types in some way, why else have so many types? can any one explain that
this is a fdisk view of what i think our partition table looks like
Code:
Device Boot Start End Blocks Id System
/dev/sdb1 1 204800 102400 c W95 FAT32 (LBA)
/dev/sdb2 * 204801 205800 500 4d QNX4.x
/dev/sdb3 205801 208800 1500 51 OnTrack DM6 Aux1
/dev/sdb4 208801 208801 0 5 Extended
/dev/sdb5 212992 213991 500 47 Unknown
/dev/sdb6 221184 225279 2048 45 Unknown
/dev/sdb7 229376 234375 2500 4c Unknown
/dev/sdb8 237568 258047 10240 48 Unknown
/dev/sdb9 262144 263143 500 46 Unknown
/dev/sdb10 270336 271335 500 5d Unknown
/dev/sdb11 278528 279527 500 91 Unknown
/dev/sdb12 286720 307199 10240 93 Amoeba
/dev/sdb13 311296 511999 100352 c W95 FAT32 (LBA)
/dev/sdb14 516096 522239 3072 4a Unknown
/dev/sdb15 524288 530431 3072 4b Unknown
/dev/sdb16 532480 538623 3072 58 Unknown
/dev/sdb17 540672 741375 100352 8f Unknown
/dev/sdb18 745472 751615 3072 59 Unknown
/dev/sdb19 753664 759807 3072 5a Unknown
/dev/sdb20 761856 29843455 14540800 5b Unknown
/dev/sdb21 770048 790527 10240 ab Darwin boot
/dev/sdb22 794624 815103 10240 60 Unknown
/dev/sdb23 819200 839679 10240 94 Amoeba BBT
/dev/sdb24 843776 3911679 1533952 a5 FreeBSD
/dev/sdb25 3915776 8114175 2099200 a6 OpenBSD
/dev/sdb26 8118272 8736767 309248 a8 Darwin UFS
/dev/sdb27 8740864 9005055 132096 a9 NetBSD
/dev/sdb28 9011200 10035199 512000 95 Unknown
/dev/sdb29 10035200 30777343 10371072 90 Unknown
Oh, download wxdhex or wimlar program, you going to need a hex editor that can load BIG files , 16gb worth
i717-GB-Modem.zip IS THE SAME AS TAR?
i717-GB-Modem.zip 21.35 MB 7 0 2012-06-30 08:45:11
I could not find the i717-gb as tar file but I find it as a zip file. but I'm not sure about thif the contents are correct. Could you check
http://d-h.st/1aP
i717-GB-Modem.zip contents
META-INF
COM
GOOGLE
ANDROID
update-binary
updater-script
TMP
amss.bin
mdm.bin
Blocks and sectors
This may explain it , the different figure in the xml files
Because sectors are logical on the drive (Logical Block Addressing = LBA) you need to convert between LBA and physical (file system) sectors. This is pretty easy to do:
First - get a table of the start and end sectors of the partition table:
Code:
[[email protected] ~]# fdisk -lu /dev/hda
Disk /dev/hda: 120.0 GB, 120034123776 bytes
255 heads, 63 sectors/track, 14593 cylinders, total 234441648 sectors
Units = sectors of 1 * 512 = 512 bytes
Device Boot Start End Blocks Id System
/dev/hda1 * 63 208844 104391 83 Linux
/dev/hda2 208845 4401809 2096482+ 83 Linux
/dev/hda3 4401810 8482319 2040255 82 Linux swap
/dev/hda4 8482320 234436544 112977112+ 5 Extended
/dev/hda5 8482383 29447144 10482381 83 Linux
/dev/hda6 29447208 50411969 10482381 83 Linux
/dev/hda7 50412033 52516484 1052226 83 Linux
/dev/hda8 52516548 234436544 90959998+ 83 Linux
Use this to determine what partition the bad sector is in. In this case 232962120 is inside the start and end values for /dev/hda5
NOTE: This is in partition 5 - ignore partition 4 as it is the extended partition. Any block from partitions 5 through 8 will also be in partition 4, but you want the real partition, not the extended partition.
Next, calculate the file system block using the formula:
b = (int)((L-S)*512/B)
where:
b = File System block number B = File system block size in bytes (almost always is 4096) L = LBA of bad sector S = Starting sector of partition as shown by fdisk -lu and (int) denotes the integer part.
For example:
The reported sector from the smart log above is 232962120, thus:
((14858312 - 8482383) * 512) / 4096 = 796991.125
^Bad Sec. ^Start Sec. ^Cha Ching! This is the sector!
(Use the block number from the smart test section, not from the smart error log section. They are using different methods of reporting file system vs. physical blocks.)
((BadBLock - StartPartition) * 512) / 4096
You can just paste this into Google as a template
Any fraction left indicates the problem sector is in the mid or latter part of the block (which contains a number of sectors). Ignore the fraction and just use the integer.
Next, use debugfs to locate the inode and then file associated with that sector:
Click to expand...
Click to collapse
[[email protected]]# debugfs
debugfs 1.35 (28-Feb-2004)
debugfs: open /dev/hda5
debugfs: icheck 796991
Block Inode number
796991 <block not found>
debugfs: quit
Ah! It didn't give the inode! It if did, you could have found the file with:
[[email protected]]# debugfs
debugfs 1.35 (28-Feb-2004)
debugfs: open /dev/hda5
debugfs: icheck 796991
Block Inode number
796991 41032
debugfs: ncheck 41032
Inode Pathname
41032 /S1/R/H/714197568-714203359/H-R-714202192-16.gwf
So what the heck? Why no inode? Well, remember how it said the sector might be bad?
Click to expand...
Click to collapse
the above copied from
http://timelordz.com/wiki/SMART_Rewriting_Bad_Sectors
i have a feeling we may need to shift our files (the basic files need to start odin are listed in rawpatch0 above, i dont know if that 100% true but it was the only files i wrote on by first sucess)
also
http://forum.xda-developers.com/showthread.php?p=31843525&postcount=13
in the above link they talk about the header of the qualcomm file
+------------+
|Dbl-preamble|
+------------+
|Dbl-header |
+------------+
|Dbl.bin |
+------------+
Click to expand...
Click to collapse
and
data_ptr = autodetectpage;
*data_ptr = sbl_header.codeword;
data_ptr++;
*data_ptr = sbl_header.magic;
data_ptr++;
*data_ptr = AUTODETECT_PAGE_SIZE_MAGIC_NUM;
Click to expand...
Click to collapse
now i used this in a way to find my bootloaders (i717 by this time, not shve-160l )
and to find the partitons
you will see in a hex editor at the start of each boot loader
something else to think about, my lack of success that last two days to produce a boot could be because my partitons are not clean , thats is to say if i write my sbl1 to 1000, and the trailing 0000 of the partition definition of my 99 block ebr/mbr ends at 999 , if i have dirt data between 999 and 1000 the cpu/pbl my interpret that as code(some of my boots is brick, some are into QDLoad, i have no pattern yet) , something i must test or confirm, or just worry about.
tyllerdurdent said:
i717-GB-Modem.zip 21.35 MB 7 0 2012-06-30 08:45:11
I could not find the i717-gb as tar file but I find it as a zip file. but I'm not sure about thif the contents are correct. Could you check
http://d-h.st/1aP
i717-GB-Modem.zip contents
META-INF
COM
GOOGLE
ANDROID
update-binary
updater-script
TMP
amss.bin
mdm.bin
Click to expand...
Click to collapse
Yes thats correct
updater script btw contains text, binary is the flashing exe i think,
Code:
run_program("/sbin/dd", "if=/tmp/mdm.bin", "of=/dev/block/mmcblk0p17");
run_program("/sbin/dd", "if=/tmp/amss.bin", "of=/dev/block/mmcblk0p13");
Click to expand...
Click to collapse
and a google of a simlar sansung product the skyrocket gives me a simlar pit layout
Device Name Size Part Name ODIN tar file Mount Point
mmcblk0boot0 512KB (empty) n/a (empty partition)
mmcblk0boot1 512KB (empty) n/a (empty partition)
mmcblk0p1 100MB SMD_HDR (partition info)
mmcblk0p2 500KB SBL1 sbl1.mbn
mmcblk0p3 1500KB SBL2 sbl2.mbn
mmcblk0p4 1KB (unnamed partition with '55 AA' MBR signature)
mmcblk0p5 500KB RPM rpm.mbn
mmcblk0p6 2MB SBL3 sbl3.mbn
mmcblk0p7 2500KB ABOOT aboot.mbn
mmcblk0p8 10MB BOOT boot.img
mmcblk0p9 500KB TZ tz.mbn
mmcblk0p10 500KB SSD n/a (empty partition)
mmcblk0p11 500KB PIT celox.pit
mmcblk0p12 10MB PARAM param.lfs
mmcblk0p13 98MB MODEM amss.bin /system/etc/firmware/misc
mmcblk0p14 3MB MSM_ST1 efs.img
mmcblk0p15 3MB MSM_ST2 n/a
mmcblk0p16 3MB MSM_FSG n/a
mmcblk0p17 98MB MDM mdm.bin /system/etc/firmware/misc_mdm
mmcblk0p18 3MB M9K_EFS1 efsclear1.bin
mmcblk0p19 3MB M9K_EFS2 efsclear2.bin
mmcblk0p20 3MB M9K_FSG n/a
mmcblk0p21 10MB DEVENC enc.img.ext4 /efs
mmcblk0p22 10MB RECOVERY recovery.img
mmcblk0p23 3MB FOTA n/a
mmcblk0p24 598MB SYSTEM system.img.ext4 /system
mmcblk0p25 2GB USERDATA userdata.img.ext4 /data
mmcblk0p26 302MB CACHE cache.img.ext4 /cache
mmcblk0p27 129MB TOMBSTONES tomb.img.ext4 /tombstones
mmcblk0p28 11.2GB UMS ums.rfs /mnt/sdcard
Click to expand...
Click to collapse
Other files
contents of the i717 boot loaders i used
ABOOT_SGH-I717M_I717MUGLA2_user_CL875155_REV00
Code:
527K Jan 6 2012 aboot.mbn
115K Jan 6 2012 rpm.mbn
72K Jan 6 2012 sbl1.mbn
111K Jan 6 2012 sbl2.mbn
601K Jan 6 2012 sbl3.mbn
117K Jan 6 2012 tz.mbn
other files pulled from
ABOOT_SGH-I717M_I717MUGLA2_user_CL875155_REV00 (no bootloader but all the other system files )
After a long time search i think i can do a custom rom along with a CWM Recovery for TURBO X HIVE III tablet, but i need ORIGINAL boot.img, kernel.img, misc.img, recovery.img, system.img dump. I will do it myself, but in my Turbo X Hive III tablet i do not have original Andoid OS 4.1.1. I already put it on this nice tablet C.M.10.1 but with some other kernel from another tablet and i screw up the touchscreen drivers. From what i understand some of them are integrated in kernel, but i do not have the original kernel image! For those who wants to help to update this tablet (offcourse must have this device) i will upload a tool that can be easily dump .img for our needs! If more people want to develop something nice for this tablet i will provide more details on what we need to do or what i already did! But for now i will wait and see.....!!!
For the tool dump click HERE
Understanding!
Learning things first (optional).
All this is OPTIONAL for you to learn. If you don’t want to learn it then move on down to the instructions!
Understanding NAND layout:
Your NAND chips is broken into "partitions" or parts if you will call it that.
Each one of these servers a purpose. Here are all the partitions of a RockChip ROM.
Loader.bin - this is low in NAND and special. You can flash it but cannot dump it.
parameter - this file tells the loader how NAND memory is split up into partitions.
misc.img - this is a special area that tells the recovery system what to do on boot.
boot.img - this is the boot section and basically is the ram disk the kernel uses to boot.
kernel.img - this is of course the kernel.
cache.img - this is an area APPs store information like Google Play for instance.
kpanic.img - this is a special area for use by the kernel.
metadata.img - this is a NEW area for KitKat only. It does not exist in pre-kitkat ROMs. It's used for Encryption.
recovery.img - this is like boot.img but boots the recovery menu system.
system.img - this is the system OS.
backup.img - I am not sure what this is. It started showing up with Rockchip ROMs but does not appear to do anything.
But it might be work backing up anyway.
userdata.img - this is where APPs get installed, user accounts are stored, databases, etc. This area if erased losses all your user installed apps, settings, etc. A factory data reset erases this area.
user.img - This is the remaining NAND space and is set aside as the Internal SDcard.
Please note, many APPs like games, etc store stuff here! Erasing this you can lose data! This is also erased on a factory reset.
So based on the above what parts are a stock ROM?
Loader.bin
parameter
boot.img
kernel.img
misc.img
recovery.img
system.img
As you can see a stock ROM is just that! No user data!
Erasing NAND with the flash tool and flashing a stock ROM gives you a empty like new device as if you just bought it.
OK so some basics there. Now let’s look at the parameter file.
It's important because we will be using this to DUMP NAND memory.
I do not need to make you an expert on this but you need to know a few things.
If we look at this area of a parameter file, you will see the partitions I listed above!
Both the ones that hold a stock ROM images as well as ones that are created to be used by the system.
Here is an example of a parameter file for a kitkat ROM.
[email protected](misc),[email protected](kernel),[email protected](boot),[email protected](recovery),[email protected](backup),[email protected](cache),[email protected](userdata),[email protected](metadata),[email protected](kpanic),[email protected](system),[email protected](user)
So what do those number mean in from of each partition name like boot for instance?
First all these numbers are in hex. Second the numbers are blocks of 512 bytes!
let's look at boot..
[email protected](boot)
The first number 0x00006000 is the size of the partition.
The second number 0x0000a000 is the offset into the NAND chip from 0 location (start of the NAND chip).
But remember all these numbers are in 512 blocks.
If you wanted to know the size in bytes then do this math in your PC calculator.
REMEMBER to have the calculator set to HEX!!!
Enter 6000 and now multiply by 200 (fyi 200 hex is 512 decimal).
You will get C00000. Want to see that it decimal? In the calculator just click Dec and it will convert it!
So what we have is 12,582,912 bytes! Basically that is 12 megabytes.
Alright you can do that same math if you wanted to know the offset into NAND in decimal bytes.
Why is all this important? Well if gets you up to speed later when we calculate internal SDcard.
You don't need to know this but it might help you understand if you were to do things on your own.
___________________________________
Instructions for dumping....
Before we begin let’s get familiar with the tool.
In the download run the ROM_Dumper_Tool.exe.
When it opens you will notice 3 tabs at the top.
Download image - this is for flashing ROMs
Upgrade Firmware - this is for lashing single .img ROMs. I won’t be going into this area for as we don’t use it for dumping.
Advanced Function - This is for dumping and doing some NICE stuff! We will be in here all the time for this procedure.
Note: Anytime we dump a partition the tool always makes a file called ExportImage.img in a folder called Ouptut.
So every time we dump a different partition it will overwrite that file unless we rename them first!
Don't forget that please.
OK first lets dump the basic flashable ROM:
To do ANY dumping we need to dump the parameter file of the ROM from NAND.
Why? because we need the start (offset) and count (size) of the partition or we can’t dump anything.
1) Click the advance functions tab.
2) At the bottom is the "export image" button and to empty boxes, Start and Count.
3) To get the parameter file put a 0 in the start box and a 2 in the count.
4) Now press the export image button.
5) Now we need to make this a real parameter file! Rename the file to parameter.txt
6) We need to clean it up a bit. Open in Windows note pad ONLY!!! Do not open in MS word or anything else or it won’t work!
Also you may need to turn on word wrap to see everything (format menu, select word wrap checked).
7) The first line you will see something like this:
PARMi FIRMWARE_VER:4.1.1
Delete all the junk in front of the word FIRMWARE so it looks like this now:
FIRMWARE_VER:4.1.1
8) clean up ending junk. At the end you will see this word:
(user)
After it will be some junk. Delete everything after (user) including any blank space.
When done make sure to hit enter once so there is a new line after (user)
9) Save the cleaned up parameter file but leave it open as we need it to continue.
Now let’s start dumping!
We will do system.img to start with as an example.
1) Look at the parameter file and find (system) and the numbers before it. Example:
[email protected](system)
REMEMBER the number before @ is the COUNT and the number after the @ is the START!
2) Copy the number after the @ example: 0x00484000 into the start box of the advanced tab in the tool.
3) Copy the number before the @ example: 0x00180000 into the count box of the advanced tab in the tool.
4) Press the export image button and wait for it to complete.
5) Go into the Output folder and rename the file ExportImage.ing to system.img
Now we just repeat the steps 1-5 above for
misc.img
kernel.img
boot.img
recovery.img
backup.img (This can be optional but do it anyway especially if this is a first REAL stock ROM dump as we may need it).
Remember to always use the numbers in front of each name! Don't forget to change those or you won’t have a good dump.
Also remember after each dump, to rename ExportImage.img to the proper name of the image you dumped!
Each time you press Export Image, it will overwrite the existing ExportImage file unless you rename it!
When you’re done you should have the basic ROM dump.
misc.img, kernel.img, boot.img, recovery.img, system.img, and backup.img.
You can now use the flash tool 2.1 or the flash tool 1.37 to flash these.
_________________________________
Dumping userdata, cache, metadata, kpanic:
For a user backup the above 4 should be dumped.
We will start with userdata
This is basically the same as above except can take longer depending on how big your user data partition is.
This will be larger than any other partition so far as most devices have at least 1GB or more!
1) Again look at the parameter file and find (userdata) and the numbers before it. Example:
[email protected](userdata)
REMEMBER the number before @ is the COUNT and the number after the @ is the START!
2) Copy the number after the @ example: 0x00080000 into the start box of the advanced tab in the tool.
3) Copy the number before the @ example: 0x00400000 into the count box of the advanced tab in the tool.
4) Press the export image button and wait for it to complete.
5) Go into the Output folder and rename the file ExportImage.ing to userdata.img
Again repeat above for cache, kpanic, metadata.
if your parameter file does not have metadata then no need to dump this as it does not exist.
Remember only KitKat ROMs have this so do not worry if you don’t have it.
_________________________________
Finally to the hardest part but it is not really that hard. Dumping "user" which is internal SDcard.
Note: if you have a 32GB NAND or something large like that, this might not be worth your time!
Just back up internal SDcard another way (file copy) as it will probably be faster.
One way I like to do it is turn on MASS Storage in settings and enable USB to the PC.
Then I just copy the files to the PC.
For restore after flashing a ROM and userdata, I do the same thing and copy the files back to internal sd BEFORE running any apps that need that data on internal SDcard!
Dumping 32GB and flashing a large internal SDcard takes a LONG TIME! If most of your internal SDcard is empty,
dumping and flashing still writes ALL 32GB anyway so it's a waste of time to do this unless you have a LOT on internal SD.
So there is a trade-off... YOU decide which best works for you!
*********
So to back this area up we have to work some things out.
You will notice the parameter file for (user) has no SIZE number just the offset!
Example: [email protected](user)
the [email protected] simply says to use the remaining NAND as all of user (internal SDcard).
Thus to dump it we must calculate the size! To do this we must know how big our NAND chip is.
First put the number after the @ into the start box so we don't forget example: 0x00604000
This is just like the other parts we did above. We need the start point for user (internal SDcard).
Now let’s find out the size of the NAND chip.
In the advanced tab click the Read Flash Info button.
On the right it will display information but we are interested in this:
Flash Size: XXXXX MB
Where XXXXX is the size of your flash chip "page" size.
For instance my "other androidrk3066 device" says 8192 MB.
BUT WAIT! We also have to see how many pages of NAND we have.
Look at the line Flash CS:
If yours has a 0 then that is all you have 8GB
If CS says something like 0 1 2 3 (That’s 4 pages)
Then you have 4 pages of 8GB or 32GB NAND. If it says 0 1 then you have 2 pages or 16GB NAND and so on.
So whatever your size is multiple that by number of pages!
Example my "other rk3066 android device" stick says:
Flash Size 8528 MB
Flash CS: 0
Thus my full NAND size is 8528 as there is only 1 page
(yes the 0 is a page! The first page starts at 0 and a 1 is the 2nd page).
My "other rk3066 android device" says this:
Flash Size 8192 MB
Flash CS: 0 1 2 3
Thus I would take 8192 and multiply by 4 pages = 32768 MB NAND size.
So we now have our total NAND size!
Now a little more math but easy if you follow my instructions.
First we must make the size in MB a REAL GB number (not a MB number in 1000's).
I am going to use 8192 MB (8GB) NAND as an example. (It only had 1 page e.g. Flash CS: 0)
1) Open your PC calculator and again make sure it is set to programmer mode!
2) Make sure your set to Dec (decimal) not Hex mode!!!
2) Type in your NAND size you read or calculated with pages from the tool. My example 8192.
3) Multiply that by 1024. My example 8192 x 1024 = 8388608
4) Now do that one more time and multiply 8388608 by 1024. My example 8388608 x 1024 = 8589934592
5) Now divide this number by 512. My example 8589934592 / 512 = 16777216
So you know what all this math did was take the proper number of bytes and divide them into 512 blocks.
This is what is needed by the flash tool and parameter file!
6) Now press the Hex button on the left of the calculator to convert this to a hex number. My example came to 1000000 Hex.
7) OK now we know the total size of our NAND chip in 512 byte blocks in Hex format!
8) Now take this number and subtract the "start" that what was shown in the parameter file.
In my example parameter file I had [email protected](user) so my start is 604000 (we don’t use the beginning 0's).
So again my example 1000000 - 604000 = 9FC000
We now have our user (internal SDcard) size! It is 9FC000 in hex!!!
9) Enter this number into the count box of the tool. Again my example is 9FC000
BUT we need to enter it in the format the tool needs and that is hex!
Just add the 0x at beginning of the number so the tool knows it's hex. Again my example is now 0x9FC000
Just a note: 0's in front of any hex number are ignored. So 0x009fc000 is the same as 0x9fc000.
10) Make sure as I said above, you also entered the start number! Again in my example 0x00604000
11) Press the export image button and wait for it to finish. Depending on size this could be a long time!
12) Done forget to rename the ExpoertImage.img to user.img!
We are DONE! We now have a flashable FULL backup of the entire NAND chip!
What you should have in the output folder, if you did everything above dumping EVERYTHING is:
parameter.txt
backup.img
boot.img
cache.img
kernel.img
kpanic.img
metadata.img (optional if you had that and were on KitKat)
misc.img
recovery.img
system.img
user.img (internal SDcard)
userdata.img
__________________________________
Flashing your dump:
OK so now you have dumped the ROM and other items and you want to flash them back.
Well we can’t use the 2.1 RK tool! Why? Because it has 2 bugs in it.
1) Flashing userdata. It works but will error at 50% every time.
It actually does flash 100% but due to a math bug in the program it counts to 50% instead of 100%.
2) It won’t flash user (internal SD). If you try it says it did it but it doesn’t.
It returns success instantly so obviously it doesn’t flash anything.
If you did not backup user (Internal SD) then feel free to flash with the 2.1 tool and you will be OK even with the error at 50%.
However I setup the old 1.37 flash tool for you. All of the lines for each image is there.
I even have them checked by default for you.
In the download there is a flasher tool folder. Just run the flash tool from there.
Uncheck anything you didn’t backup or items you don’t want to flash.
Note: if you leave something checked you did not backup or the .img is not in the Output folder, you will get an error.
I left boot loader unchecked as there is no reason to flash that!
OK so that’s it!
Specs!
In case somebody not know what device is about: Turbo-X, 10.1", 1280 x 800 pixels resolution, IPS panel, Front Camera 0.3 Mp, Back Camera 2.0, Android 4.1 Jelly Bean, CPU - Dual Core ARM Cortex A9 at 1.5 GHz, Internal Storage 16 GB, RAM -1 GB, WiFi, Bluetooth, Mini HDMI, Micro usb 2.0 host, microSD card slot, Li-Ion 6600 mah with Android 4.1.1, 3.0.8+ Kernel !
Battery
Also for those who have some problem with battery i found this one that is even better then original HERE
Some other toolkit that i find!
Special thanks to Zeus and Faheem! With their tools you can Check Device, Wipe data, fastboot wipe, Reset user lock, Reset gmail, Reboot device, Fix camera, install usb driver and many other cool stuff!
HERE
My dear friend Seby, i can help you without any problem and maybe we can open a new development thread for this old tablet because i already did a custom rom with a great help from a greek friend Panagiotis! So we will talk in PM about that!
Hello,can i have more information about this rom?
I must fix my brother's tablet ,stuck on bootloader.
It's exactly the same model as the author's of the current thread.
does anybody know how to enter fastboot mode in a turbox hive iii tablet it stuck in boot logo screen and i cannot do anything. If there is something I can do please tell me.
thanks
Hi guys, I am asking you some help due to an emergency.
I had to downgrade an Android 10 rom where I had encryption turnen on (rom).
All I did was flashing a previous (minor) version of the rom via TWRP with just a "wipe cache/dalvik".
After rebooting my pin was not recognized anymore by both Android and TWRP.
I did many tentatives and at some point I typed "default_password" as pin, when asked by Android during the boot, and there was a important change:
1. After rebooting I typed my old pin, and now Android always tells me: "The password you entered is correct, but unfortunately your data is corrupt".
2. Now when TWRP asks for the password, it accepts the old pin too. But it is "unable to mount storage".
3. The system partition's contents are now visible: before they were not showing at all. The data partition is not accessible (error decrypting…).
I have done a lot of studying and tentatives to get the phone working without formatting and losing the data, but I could not solve the issue. I don't think the data is actually corrupted, because the rom downgrade was a minor version and it did not modify anything about encryption.
Could you please point me to the right direction? I am trying to understand what could have gone wrong, and find some possible solution.
EDIT: more details and list of the attempted solutions in this post: https://forum.xda-developers.com/t/...sue-after-rom-downgrade.4168821/post-85210619
JackSlaterIV said:
After rebooting I typed my old pin, and now Android always tells me: "The password you entered is correct, but unfortunately your data is corrupt".
Click to expand...
Click to collapse
Look inside here.
jwoegerbauer said:
Look inside here.
Click to expand...
Click to collapse
Both methods cause /data to be erased, which is what I don't want. Thanks anyway.
guess if something has changed since your dirty flash, it must be something in last 16384 bytes where the crypto footer is
there are some bytes which are most likely one or eight flag(s)
Flags : 0x00000000
you can locate and copy the crypto footer like this
- check fstab for location if it says encryptable=footer (or see recovery.log)
- get partition size and calculate the offset -16384
- extract the footer to /sdcard with dd (any file name)
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
on PC open that file with Hex Editor
- the crypto footer will start with magic 0xD0B5B1C* (little endian). in my case it's C5 B1 B5 D0 as it's a samsung device.
- you should also see a string aes-cbc-essiv:sha256 (in my case aes-xts)
inspect the crypto footer with python script. you can't decrypt since android uses scrypt+keymaster but it will give you a nice layout
- install python 2.7
- run that script bruteforce_stdcrypto.py
Code:
Android FDE crypto footer
-------------------------
Magic : 0xD0B5B1C4
Major Version : 1
Minor Version : 3
Footer Size : 2352 bytes
Flags : 0x00001008
Key Size : 128 bits
Failed Decrypts : 36
Crypto Type : aes-xts
Encrypted Key : 0xCCE7D93B501B400D3D81726806F92936
Salt : 0x51B68B017C2A181E3ABD0B041FBFAA14
KDF : scrypt+keymaster
N_factor : 15 (N=32768)
r_factor : 3 (r=8)
p_factor : 1 (p=2)
crypt type : PIN
FS size : 52453304
encrypted upto : 52453304
-------------------------
as you can see in your case the flags are 0x00001008 so you can easier locate that in your Hex Editor
- convert the string little endian 0x00 00 10 08 -> 08 10 00 00
- you will find that four bytes at offset 13 in the first line
- reset the flags to 00 00 00 00 and save the file
if you prefer linux you can also use that shell script for doing that. fde_crypto.sh
Before messing up your data partition do a full dump for backup purposes (because we don't know what we are doing here, encryption is complicated stuff). In case you broke something you can just adb push it later
Code:
adb pull /dev/block/bootdevice/by-name/userdata
Now, write the new crypto footer back to end of userdata partition
- copy the file back to the device (another file name)
- get partition size and calculate the offset -16384
- write the footer to offset with dd (seek)
Code:
adb push data-footer.bin /sdcard
adb shell
cd /sdcard
blockdev --getsize /dev/block/bootdevice/by-name/userdata
dd bs=512 seek=$((52453336-32)) count=32 if=data-footer.bin of=/dev/block/bootdevice/by-name/userdata
Note: i don't know if that works. indeed, that's all guesswork based on your input in pm. good luck!
Hi and thanks again. As you wrote we spoke a lot via PM before your post.
I reset the footer flags to 00 00 00 00. Then used dd as you suggested to overwrite the userdata footer.
During the first Android boot, it asked me to enter the pin, but then it failed to decrypt, and now is always showing the old message "The password you entered is correct, but unfortunately your data is corrupt" .
So looks like the flag at least reset the default mode.
And TWRP still can't decrypt the partition.
It's no surprise because, as you showed me, the userdata partition may be corrupted.
I wanted to get the updated footer back from the phone to my PC. I used this:
dd bs=512 seek=$((52453336-32)) count=32 if=/dev/block/bootdevice/by-name/userdata of=/tmp/data-footer-new.bin
32+0 records in
32+0 records out
16384 bytes (16.0KB) copied, 0.009945 seconds, 1.6MB/s
Then Adb pull tmp/data-footer-new.bin
But it started downloading a few GB of data. I checked the size via ls -l:
-rw-rw-rw- 1 root root 26856108032 Dec 20 14:04 data-footer-new.bin
What I did wrong? Is it a bug?
usage problem - this is expected behavior for dd seek. when the output file is too small or doesn't exist, a zero padding is filled to create a big file before the offset starts, where it finally starts to write the real data (32 x 512 bytes)
you have mixed up parameters skip/seek, in your case copied first 16384 bytes from userdata into the end of a big file data.footer.bin
btw the userdata partition is not corrupt per se (or at least there is no proof i could show ever) you will never find ext4 file system magic 0xEF53 on encrypted userdata, only on dm-0 (if decrypted successfully). but true, mounting is a different case, indeed mount may fail even for successfully decrypted file system (like for Redmi 5). so the safest way to know if decrypted successfully is looking for zero paddings, first 1024 bytes will have enough of it...
you can try lot of other values for this flag (0x00001000 like for LG?) or try other (undiscovered) flags. you need a lot patient and time as you are the first one trying this. also reset the failed decrypts counter as this may important for gatekeeper timeout
i recommend to decrypt straight from twrp command line, should "work" without reboot
edit: i could even imagine automatizing that with script (10 sec/attempt - min timeout)
edit 2: interesting too would be binary (or checksum) compare of userdata before/after failed attempt (without footer) to figure out if changes happen elsewhere (other than footer)
even more interesting, you could factory reset and reproduce the mistake, make a snapshot before/after and bitwise compare where the changes happen
if the key itself has changed, there is no possible way to revert as the old key is lost
but decryption should still be possible on the newer android version, all you need is working twrp that fits
edit: factory reset is maybe not the best idea! turns out for FBE file-based-encryption the KEK is stored in TEE and depending on rollback resistance (not related to version binding) master key may deleted on factory reset. FBE is introduced with Android 7.1 - your device is still running good old FDE full-disk-encryption - but who knows what additional protections Android 10 enforces? can't guarantee that KEK is encrypted by hardware-backed RSA-2048 private key and screenlock credentials only and everything is stored in crypto footer only, although the documentation doesn't indicate contradictory
aIecxs said:
usage problem - this is expected behavior for dd seek. when the output file is too small or doesn't exist, a zero padding is filled to create a big file before the offset starts, where it finally starts to write the real data (32 x 512 bytes)
you have mixed up parameters skip/seek, in your case copied first 16384 bytes from userdata into the end of a big file data.footer.bin
Click to expand...
Click to collapse
Can you confirm this is the correct command to get the new footer?
dd bs=512 skip=$((52453336-32)) count=32 if=/dev/block/bootdevice/by-name/userdata of=/tmp/data-footer-new.bin
I think that this new big file may have caused some corruption.
I want to restore the userdata partition backup, but I read it's not easy as a simple adb push: https://android.stackexchange.com/q...n-image-of-android-partition-from-my-linux-pc
Can you tell me any reliable way to do this, apart using busybox as in the above replies?
btw the userdata partition is not corrupt per se (or at least there is no proof i could show ever) you will never find ext4 file system magic 0xEF53 on encrypted userdata, only on dm-0 (if decrypted successfully). but true, mounting is a different case, indeed mount may fail even for successfully decrypted file system (like for Redmi 5). so the safest way to know if decrypted successfully is looking for zero paddings, first 1024 bytes will have enough of it...
Click to expand...
Click to collapse
Thanks for clarifying this.
you can try lot of other values for this flag (0x00001000 like for LG?) or try other (undiscovered) flags. you need a lot patient and time as you are the first one trying this. also reset the failed decrypts counter as this may important for gatekeeper timeout
i recommend to decrypt straight from twrp command line, should "work" without reboot
edit: i could even imagine automatizing that with script (10 sec/attempt - min timeout)
edit 2: interesting too would be binary (or checksum) compare of userdata before/after failed attempt (without footer) to figure out if changes happen elsewhere (other than footer)
Click to expand...
Click to collapse
Indeed I had already tried 0x00001000 and resetting the counter, before the mess up with my dd command.
Do you know any other combination I could try?
Something I could try is see what happens to /userdata if I type default_password at the first boot.
yes, that is the right command
no, you didn't mess up with big file because of= is the only thing written (and /tmp is only in RAM)
yes, simple adb push is fine and works quite well for single partition. the link is talking about something different (whole eMMC including gpt and bootloader)
no, i have no clue about the flags. the source code might help but it's above my knowledge (yet)
found some explanation for flags
https://www.0xf8.org/2019/01/analyz...axy-s7-data-partition-with-samsung-encryption
have implemented the above link, not sure if i am doing it right but have a look into script fde_crypto.sh
Hello alecxs, thanks for your last messages. Sorry for this long delay.
I did not write any update because I couldn't find anything useful in the footer and the full data images. The phone is still not in use, in a drawer.
I had tried different flags, but after each tentative I had the same result. The "system" tells that data may be corrupted and updates the flag accordingly.
I had compared before vs after data images and did not find any difference. There is only one field in the footer that is modified after each tentative: the sha256 of the footer (offset 90c).
Without further information I cannot tell what causes this issue, if the data is corrupt or not. It would be useful having a more verbose mode in the mount command, so that it shows the reason of the failed mount. I guess it's not possible.
i think it is caused by rollback resistance and you should try higher android version (that one that messed up everything) with compatible TWRP. besides recovery.log you can check dmesg and logcat for additional information
Hi again,
I am attaching dmesg and recovery log, taken from TWRP after a failed mount of the data partition, using my pin, with the crypto footer flags reset to zero.
I could not find anything, so I hope someone reading this could give me a hint.
From what I can see, anti rollback and verified boot are disabled in Mi5 and in LineageOS based roms (see here).
Regarding TWRP I always used the same version recommended by the rom developer.
EDIT: file attachment not working for me...
See them here:
dmesg.log
Shared with Dropbox
www.dropbox.com
recovery.log
Shared with Dropbox
www.dropbox.com
looks like double encryption bug. try to dump content of dm-0 and restore it to userdata, that should at least eliminate the FDE encryption. second encryption is FBE? let binwalk analyze usually there is unencrypted area
aIecxs said:
... you should try higher android version [...]
Click to expand...
Click to collapse
just as a reference: for this you would find errors like
E vold : upgrade_key failed, code -38
E Cryptfs : Failed to upgrade key
which is not the case here.
(note: yes it says "upgrade" but in my example the installed key is from a higher version so actually a downgrade would be needed - which is not possible at all.)
(see a full example and details here and google details here)
JackSlaterIV said:
Hi again,
I am attaching dmesg and recovery log, taken from TWRP after a failed mount of the data partition, using my pin, with the crypto footer flags reset to zero.
I could not find anything, so I hope someone reading this could give me a hint.
From what I can see, anti rollback and verified boot are disabled in Mi5 and in LineageOS based roms (see here).
Regarding TWRP I always used the same version recommended by the rom developer.
EDIT: file attachment not working for me...
See them here:
dmesg.log
Shared with Dropbox
www.dropbox.com
recovery.log
Shared with Dropbox
www.dropbox.com
Click to expand...
Click to collapse
the interesting part is here:
Code:
<3>[ 5.880909] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -65,app_id = 0,lstr = 12288
<3>[ 6.007678] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -71,app_id = 0,lstr = 12288
<3>[ 6.007697] QSEECOM: __qseecom_set_clear_ce_key: process_incomplete_cmd FAILED, resp.result -71
<3>[ 6.007716] QSEECOM: qseecom_create_key: Failed to create key: pipe 2, ce 0: -22
<3>[ 6.007726] QSEECOM: qseecom_ioctl: failed to create encryption key: -22
<3>[ 6.098357] scm_call failed: func id 0x72000501, ret: -2, syscall returns: 0xffffffffffffffbf, 0x0, 0x0
<3>[ 6.225071] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -71,app_id = 0,lstr = 12288
<3>[ 6.225082] QSEECOM: __qseecom_set_clear_ce_key: process_incomplete_cmd FAILED, resp.result -71
<3>[ 6.225096] QSEECOM: qseecom_create_key: Failed to create key: pipe 2, ce 0: -22
<3>[ 6.225104] QSEECOM: qseecom_ioctl: failed to create encryption key: -22
the main error is likely:
Code:
<3>[ 5.880909] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -65,app_id = 0,lstr = 12288
[..]
<3>[ 6.007716] QSEECOM: qseecom_create_key: Failed to create key: pipe 2, ce 0: -22
<3>[ 6.007726] QSEECOM: qseecom_ioctl: failed to create encryption key: -22
-65 means: ATTESTATION_APPLICATION_ID_MISSING whatever that means actually.
aIecxs said:
looks like double encryption bug. try to dump content of dm-0 and restore it to userdata, that should at least eliminate the FDE encryption. second encryption is FBE? let binwalk analyze usually there is unencrypted area
Click to expand...
Click to collapse
interesting idea especially as it actually can decrypt /dev/dm0 according to the recovery.log but then failing to mount it.
I would +1 here and try if you can dump the content of /dev/dm0 after trying the decryption ( e.g. when you have an ext sdcard: `dd if=/dev/dm0 of=/external_sd/dump.img bs=4096` )
Other then that it might be an issue with your blobs - either in TWRP, or the device
i think your issue is bit different and the links provided are about FBE. afaik FDE does not hold keys in TEE (except for hardware-backed RSA-2048 private key which is not flushable) so i am not sure if upgradeKey affects crypto-footer but deleteKey is clearly some keystore thing
to eliminate issues with TWRP i would do decryption test on working block encryption (and maybe try OrangeFox) only then you can determine issues with faulty crypto-footer
Hello guys, thanks for your help.
I dumped both sda14 and dm-0 partitions (using adb dump).
The dm-0 ("decrypted" partition) is a smaller binary file (26.856.091.648 bytes) vs sda14 (26.856.108.032 bytes).
I compared these binary files using HxD and they look different. dm-0 does not contain the crypto footer section (the 16384 bytes difference).
I just installed binwalk for the suggested purpose, and started analyzing dm-0 (binwalk dm-0). It is outputting something and I don't have any idea of how much time it would take to complete the task.
Let's see if I can attach a screenshot..
okay not sure binwalk may just false detect random data or it may real files. anyway you can concatenate dm-0 with crypto-footer from userdata and check what TWRP says about this garbage then
aIecxs said:
okay not sure binwalk may just false detect random data or it may real files. anyway you can concatenate dm-0 with crypto-footer from userdata and check what TWRP says about this garbage then
Click to expand...
Click to collapse
Yes indeed.
I did not find any text in the dm-0 binary.
Can you suggest me how I concatenate these files? I have dm-0 and crypto-footer in separate files. EDIT: just by using HxD.
To overwrite the partition can I use "adb push dm-0-new /dev/block/sda14"?