Exchange the remote control from 2 tv boxes - Android Stick & Console AMLogic based Computers

{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I have 2 android tvboxes and i want to exchange them the remote controls.
1) H9x3 with Slimbox firmware
2) VONTAR X3 with Slimbox firmware
I have the 2 files remote.conf. I tried to copy the files on /etc folder but are read only. Also there is not remote.conf files in /etc folder.
Has anyone any idea how i do that ?

Unfortunately, it's much more difficult than just copying the remote.conf files but not impossible. I've just done the same thing. Firstly, you need to be rooted. Secondly, you need to have access to the box via adb, Thirdly, you need to use a root file explorer like X-plore which is included in slimbox fw. Have a look here:
H96 MAX X3 (S905X3) [Android] - 4PDA
H96 MAX X3 (S905X3) [Android], [TV Box][Amlogic S905X3]
4pda.ru
You will definitely need a couple of hours if not more.

Thanks i will give a try. At first glance, I think the most difficult part is that it is in Russian language.

Just use Google translate. I can help you with the files for my remote to get a better idea of how they should look like.

That would be helpful.

In /vendor/etc/init/hw/init.amlogic.rc I added this line:
Code:
service remotecfg1 /vendor/bin/remotecfg -c /vendor/etc/remote_tanix.cfg -t /vendor/etc/remote_tanix.tab -d
class main
oneshot
seclabel u:r:remotecfg:s0
I added remote_tanix.cfg and remote_tanix.tab in /vendor/etc with 644 rights. remote_tanix.cfg is basically the same as remote.cfg. remote_tanix.tab was created using dmesg output after pressing the buttons on a Tanix remote which I wanted to use with my h96 max x3 box.

I think that something is wrong with my remote.tab file or something missing.
I have these errors when push buttons from remote control
Code:
[ 1175.201851] <3>[ [email protected]] meson-remote ff808040.rc: invalid custom:0xbd42df00
[ 1175.202336] <3>[ [email protected]] meson-remote ff808040.rc: cur_custom is nulll
[ 1175.207881] <3>[ [email protected]] meson-remote ff808040.rc: no valid key to handle
[ 1208.559821] <3>[ [email protected]] meson-remote ff808040.rc: invalid custom:0xf906df00
[ 1208.560346] <3>[ [email protected]] meson-remote ff808040.rc: cur_custom is nulll
[ 1208.565872] <3>[ [email protected]] meson-remote ff808040.rc: no valid key to handle
Code:
HOME -> 0xbd42df00
OK -> 0xf906df00
I used remote-0xfа00.tab from 4pda.ru seems are same remote control

Your remote code is df00 but the code of the remote tab you downloaded is fа00 assuming 0xfа00 in the file name is remote code. Check if you have 0x42 and 0x06 in the tab file. I'm positive you won't find them because otherwise you wouldn't have that error if your tab file was correct.

Perfect, you are right. I changed ff00 with df00 and detected the remote control.
I have found all buttons codes.
I think the only i must found, is the key number (2,3,4,etc.). How can i found them ?
Code:
0x54 2 #1
0x16 3 #2
0x15 4 #3
0x50 5 #4
0x12 6 #5
0x11 7 #6
0x4c 8 #7
0x0e 9 #8
0x0d 10 #9
0x0c 11 #0
If i use the following code, it will work ?
Code:
0xdf1a KEY_UP
0xdf48 KEY_DOWN
0xdf47 KEY_LEFT
0xdf07 KEY_RIGHT

Code:
0x54 2 #1
0x16 3 #2
0x15 4 #3
0x50 5 #4
0x12 6 #5
0x11 7 #6
0x4c 8 #7
0x0e 9 #8
0x0d 10 #9
0x0c 11 #0
This should work fine according to your button codes.
You can find the Linux codes in /root/vendor/usr/keylayout/Vendor_0001_Product_0001.kl
Linux key for number 1 is 2 etc.
Code:
0xdf1a KEY_UP
0xdf48 KEY_DOWN
0xdf47 KEY_LEFT
0xdf07 KEY_RIGHT
No. You erase 2 characters after 0x and replace them with the next 2.
Code:
0x1a 103 #KEY_UP
0x48 108 #KEY_DOWN
0x47 105 #KEY_LEFT
0x07 106 #KEY_RIGHT

Finally i did it. It was a bit time consuming but the result pleased me.
Thank you very much for your help !!
I will upload the 2 files if anyone want them in the future.
Also, the remote control df00 to work the 2 buttons APPLICATION_SWITCH & MEDIA_PLAY_PAUSE, i did add the line
Code:
key 0 MOUSE
in /root/vendor/usr/keylayout/Vendor_0001_Product_0001.kl
I don't know why it needed that line, but without this line, didn't detect these 2 buttons.

hello, how can i fix Enter in external keyboard, like this

Post in thread '[v7.5] Aidan's ROM [S905X] [ATV 7.1.2] (Lag & Bloat Free, Pre Rooted, Samba & Miracast) [TV NETFLIIX] 2021 Update!' https://forum.xda-developers.com/t/...tv-netfliix-2021-update.4104869/post-87228333

1) In /vendor/etc/init/hw/init.amlogic.rc add this
Code:
service remotecfg1 /vendor/bin/remotecfg -c /vendor/etc/remote.cfg -t /vendor/etc/remote_df00.tab -d
class main
oneshot
seclabel u:r:remotecfg:s0
2) Add the files remote.cfg and remote_df00.tab in /vendor/etc with 644 rights.
3) in /root/vendor/usr/keylayout/Vendor_0001_Product_0001.kl add the line
Code:
key 0 MOUSE
4) Reboot and test

vag13 said:
1) In /vendor/etc/init/hw/init.amlogic.rc add this
Code:
service remotecfg1 /vendor/bin/remotecfg -c /vendor/etc/remote.cfg -t /vendor/etc/remote_df00.tab -d
class main
oneshot
seclabel u:r:remotecfg:s0
2) Add the files remote.cfg and remote_df00.tab in /vendor/etc with 644 rights.
3) in /root/vendor/usr/keylayout/Vendor_0001_Product_0001.kl add the line
Code:
key 0 MOUSE
4) Reboot and test
Click to expand...
Click to collapse
ok thank you very much

vag13 said:
1) In /vendor/etc/init/hw/init.amlogic.rc add this
Code:
service remotecfg1 /vendor/bin/remotecfg -c /vendor/etc/remote.cfg -t /vendor/etc/remote_df00.tab -d
class main
oneshot
seclabel u:r:remotecfg:s0
2) Add the files remote.cfg and remote_df00.tab in /vendor/etc with 644 rights.
3) in /root/vendor/usr/keylayout/Vendor_0001_Product_0001.kl add the line
Code:
key 0 MOUSE
4) Reboot and test
Click to expand...
Click to collapse
I did what was written, the result did not see a negative control
Resim Yükle, Herkesle Paylaş - resimyukle.io
resimyukle.io

If I give you a teamviewer id, can you connect remotely and help?
IMG_20220805_001250
Image IMG_20220805_001250 hosted in IM.GE - Free Image Hosting - Upload Image & Share
im.ge
IMG_20220805_001354
Image IMG_20220805_001354 hosted in IM.GE - Free Image Hosting - Upload Image & Share
im.ge

I think that your remote is not same with mine.
Try to connect via adb and find the correct code of your remote https://forum.xda-developers.com/t/exchange-the-remote-control-from-2-tv-boxes.4265345/post-84891999
sarigol45 said:
If I give you a teamviewer id, can you connect remotely and help?
IMG_20220805_001250
Image IMG_20220805_001250 hosted in IM.GE - Free Image Hosting - Upload Image & Share
im.ge
IMG_20220805_001354
Image IMG_20220805_001354 hosted in IM.GE - Free Image Hosting - Upload Image & Share
im.ge
Click to expand...
Click to collapse
Sorry, i don't use teamviewer.

The remote is working on slimbox atv 12.2 rom, can you check if I upload these files here?
Can you edit these files? I uploaded the working files.
root/vendor/etc
root/vendor/etc/init/hw
root/vendor/usr/keylayout
slimbox 12.2.rar
drive.google.com

Related

MTYPE for Gsmart S1205

What is MTYPE for GSmart S1205 .
(I need becouse i`m trying install Android, if anybody can give me some tips please reply it too)
Based on htt p:/ /ww w.arm.linux.org.uk/developer/machines/ the GSmart S1205 processor mach type is 2754 (the phone has a Mediatek MT6516 / 416MHz processor).
MTYPE = Mach Type = 2754 Meditek 65XX Series mt65xx Howard Chen
But it still hangs.
Code:
[B]This is my Haret default.txt:[/B]
# Display some greeting message
print "Welcome to Handheld Reverse Engineering Tool!"
print "Some basic info about your PDA:"
print "Processor Mach Type is %d" MTYPE
print "MMU L1 descriptor table address is %08x" MMU
# MMU L1 descriptor table address is 02650000
print "Video RAM address is %08x" VRAM
# Video RAM address is 0174b000
print "Current Process ID is %d" PID
# Current Process ID is 16
#print "CPU identification register (p15 r0) is %08x" CP(15,0)
# CPU identification register (p15 r0) is 00000075
# Fill top ten scan lines (the run bar) with some color
#vfh VRAM 240*10 0x0099
# EXCEPTION while writing 00000099 to address 0174B000
set RAMADDR 0xa0000000
set MTYPE 2754
set KERNEL zImage
set initrd initrd.gz
#
# The following kernel parameters are useful
# ppp.nostart - Set ppp.nostart=1 to disable starting the ppp connection on boot
# msm_sdcc.msmsdcc_fmax - The maximum frequency (in Hz) used by the SD controller
# pm.sleep_mode - The mode used when the phone is off
# 0=Power Collapse Suspend, 1=Power Collapse, 2=Apps Sleep,
# 3=Slow Clock and Wait for Interrupt 4=Wait for Interrupt
# Default is 3, use 0 for best power savings
# board-htcvogue.panel_type - Panel type used to power the panel off and on
# 1=Hitachi 2=Topoly 3=Samsung
# clock-7x00.mddi - MDDI clock (try 0xa51 or 0xe2c)
# clock-7x00.ahb_div - Advanced Host Bus divider, default is 4
# 2 is faster but uses more power
# clock-7x00.a11 - ARM11 clock speed in MHz, best to leave this alone
# lcd.density - Defaults to 160, 128 shows more on screen
# vogue-ts.XMIN - xmin value for the touchscreen calibration. Also YMIN, XMAX, YMAX, PMIN, PMAX.
#
# Probably the only one of these you will need to change is the panel type, NZ Vogues seem to all have type 1
# US Sprint vogues usually have type 2 or 3 I think.
# Make sure you add these between the quotes on the following line and that your editor hasn't split the line up.
set cmdline "ppp.nostart=0 mddi.width=240 mddi.height=400 pm.sleep_mode=0 no_console_suspend"
boot
This is my Haret log:
Code:
Running WSAStartup
Starting gui
In initdialog
Found machine Generic ARM 926
executing startup.txt
HaRET(2)# print "Welcome to Handheld Reverse Engineering Tool!"
Welcome to Handheld Reverse Engineering Tool!
HaRET(3)# print "Some basic info about your PDA:"
Some basic info about your PDA:
HaRET(4)# print "MMU L1 descriptor table address is %08x" MMU
MMU L1 descriptor table address is 02650000
HaRET(5)# print "Video RAM address is %08x" VRAM
Video RAM address is 0174b000
HaRET(6)# print "Current Process ID is %d" PID
Current Process ID is 16
HaRET(11)# set RAMADDR 0xa0000000
HaRET(12)# set MTYPE 2754
HaRET(13)# set KERNEL zImage
HaRET(14)# set initrd initrd.gz
HaRET(35)# set cmdline "ppp.nostart=0 mddi.width=240 mddi.height=400 pm.sleep_mode=0 no_console_suspend"
HaRET(36)# boot
boot KERNEL=zImage INITRD=initrd.gz
Opening file zImage
Opening file initrd.gz
boot params: RAMADDR=a0000000 RAMSIZE=06000000 MTYPE=2754 CMDLINE='ppp.nostart=0 mddi.width=240 mddi.height=400 pm.sleep_mode=0 no_console_suspend'
Boot FB feedback: 1
Built virtual to physical page mapping
Allocated 663 pages (tags=54000000/053ce000 kernel=54001000/053cd000 initrd=54168000/05630000 index=54293000/0575b000)
Built kernel tags area
Built page index
Video buffer at 4C600000 sx=240 sy=400 mx=60 my=66
Video Phys FB=0174b000 Fonts=0575d064
[email protected]/0575e000 sj=54296000 stack=54294000/0575c000 data=54295000/0575d000 exec=0575e128
Reading 1469884 bytes...
Read complete
Reading 1222150 bytes...
Read complete
Launching to physical address 0575e010
Trampoline setup ([email protected]/200255f4/034465f4)
MMU setup: mmu=A6650000/02650000
Go Go Go...
You using Gsmart S1205?
I used your default.txt and nothing happens . its wirting "Booting Linux" and when bar is filled it just "freezed" . So i need to Soft Reset phone
Like i said "But it still hangs.", mine isn't working too. I think i need to recompile e newer kernel to the zImage.
For Gigabyte GSmart S1205 we need to compile the android-2.6.36 version, because in arch/arm/tools/mach-types file the MT65xx with the MTYPE 2754 is only there, i will try to compile it this week, hope that will work.
And not only a newer kernel is necessary, but a new HaRET compiled from source that will recognise the machine (trying to make one now).
This is not yet implemented, help needing information about MT6516 processor (GPIO table, ecc.). I will work on it.
Here i founded info
pdadb*.*net/index*.*php?m=cpu&id=a6516&c=mediatek_mt6516
remove * and paste in URL bar
Thanks, found that page a while ago, too. But would be nice to find the MT6156 processors datasheet.
For now i managed to make a patch for Haret to recognize the machine, but still it freezes:
========================================================================
Code:
diff -Naur haret/include/arch-arm.h haret-new/include/arch-arm.h
--- haret/include/arch-arm.h 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/include/arch-arm.h 2011-03-02 12:05:02.936418632 +0200
@@ -37,4 +37,7 @@
int detect();
};
+// Aliases
+class MachineMT6516 : public Machine926 {
+};
#endif // arch-arm.h
diff -Naur haret/Makefile haret-new/Makefile
--- haret/Makefile 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/Makefile 2011-03-02 12:38:27.628418500 +0200
@@ -45,7 +45,7 @@
RC = $(BASE)/bin/arm-mingw32ce-windres
RCFLAGS = -r -l 0x409 -Iinclude
-CXX = $(BASE)/bin/arm-mingw32ce-g++
+CXX = $(BASE)/bin/arm-mingw32ce-gcc
STRIP = $(BASE)/bin/arm-mingw32ce-strip
DLLTOOL = $(BASE)/bin/arm-mingw32ce-dlltool
diff -Naur haret/src/l1trace.cpp haret-new/src/l1trace.cpp
--- haret/src/l1trace.cpp 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/src/l1trace.cpp 2011-03-02 12:06:09.529418186 +0200
@@ -212,12 +212,12 @@
if (Bbit(insn)) {
addrsize = 1;
asm("swpb %0, %1, [%2]"
- : "=r" (readval)
+ : "=&r" (readval)
: "r" (writeval), "r" (newaddr));
} else {
addrsize = 4;
asm("swp %0, %1, [%2]"
- : "=r" (readval)
+ : "=&r" (readval)
: "r" (writeval), "r" (newaddr));
}
setReg(regs, mask_Rd(insn), readval);
diff -Naur haret/src/mach/arch-arm.cpp haret-new/src/mach/arch-arm.cpp
--- haret/src/mach/arch-arm.cpp 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/src/mach/arch-arm.cpp 2011-03-02 11:59:31.285419224 +0200
@@ -35,6 +35,10 @@
{
name = "Generic ARM 926";
flushCache = cpuFlushCache_arm926;
+ arm6mmu = 0;
+ archname = "MT65XX";
+ CPUInfo[0] = L"MT6516";
+ //customStartFunc = ????;
}
int
diff -Naur haret/src/mach/arch-s3.cpp haret-new/src/mach/arch-s3.cpp
--- haret/src/mach/arch-s3.cpp 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/src/mach/arch-s3.cpp 2011-03-02 12:18:06.349418721 +0200
@@ -307,7 +307,7 @@
if (SDMA_SEL) {
sdma_sel = SDMA_SEL[0];
fb_printf(fbi,"%s: SDMA_SEL=%x", __func__, sdma_sel);
- if (sdma_sel == 0xcfffffff)
+ if ((uint32)sdma_sel == 0xcfffffff)
//SDMA disabled
ctrl_count = 2;
diff -Naur haret/src/mach/machlist.txt haret-new/src/mach/machlist.txt
--- haret/src/mach/machlist.txt 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/src/mach/machlist.txt 2011-03-02 12:32:53.729419070 +0200
@@ -108,6 +108,7 @@
DX900, S3c6400 ,DX900V040, DX900
X900, S3c6400 ,V900V050, ACER_ETEN_X900
M900, S3c6410 ,M900V030;GT-I8000, ACER_TEMPO_M900
+Cougar, MT6516 ,GIGABYTE gSmart, MT65XX
PLATFORM=Jupiter
Jornada820, SA ,"HP, Jornada 820", JORNADA820
diff -Naur haret/src/memcmds.cpp haret-new/src/memcmds.cpp
--- haret/src/memcmds.cpp 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/src/memcmds.cpp 2011-03-02 12:39:37.785419504 +0200
@@ -241,11 +241,11 @@
TRY_EXCEPTION_HANDLER {
if (bitval)
{
- *(uint32*)vaddr |= (1 << bitnr - 1);
+ *(uint32*)vaddr |= ((1 << bitnr) - 1);
}
else
{
- *(uint32*)vaddr &= ~(1 << bitnr - 1);
+ *(uint32*)vaddr &= ~((1 << bitnr) - 1);
}
} CATCH_EXCEPTION_HANDLER {
Output(C_ERROR "EXCEPTION while writing bit %d at address %p",
diff -Naur haret/tools/buildmachs.py haret-new/tools/buildmachs.py
--- haret/tools/buildmachs.py 2010-11-23 18:23:03.000000000 +0200
+++ haret-new/tools/buildmachs.py 2011-03-02 12:04:38.641418478 +0200
@@ -58,6 +58,7 @@
#include "arch-imx.h"
#include "arch-sa.h"
#include "arch-msm.h"
+#include "arch-arm.h"
#include "mach-types.h"
#include "script.h" // runMemScript
========================================================================
And here is the Haret log:
Code:
===== HaRET pre-0.5.3-20110302_124009 =====
Setting KMode to true.
Old KMode was 0
Finished initializing output
Loading dynamically bound functions
Function 'AllocPhysMem' in library 'coredll' at 0x3f62364
Function 'FreePhysMem' in library 'coredll' at 0x3f623d0
Function '[email protected]@[email protected]@[email protected]' in library 'gx' at 0x2023a38
Function '[email protected]@YAHXZ' in library 'gx' at 0x2023e78
Function '[email protected]@YAPAXXZ' in library 'gx' at 0x20232f4
Function '[email protected]@YAHXZ' in library 'gx' at 0x20233b8
Function 'LoadLibraryExW' in library 'coredll' at 0x3f6250c
Function 'NLedSetDevice' in library 'coredll' at 0x3f89b2c
Function 'GetSystemPowerStatusEx2' in library 'coredll' at 0x3f68e90
Function 'SleepTillTick' in library 'coredll' at 0x3f6242c
Function 'CreateToolhelp32Snapshot' in library 'toolhelp' at 0x262605c
Function 'CloseToolhelp32Snapshot' in library 'toolhelp' at 0x262607c
Function 'Process32First' in library 'toolhelp' at 0x2626148
Function 'Process32Next' in library 'toolhelp' at 0x26261b4
Function 'Module32First' in library 'toolhelp' at 0x2626348
Function 'Module32Next' in library 'toolhelp' at 0x26263b8
Function 'Heap32ListFirst' in library 'toolhelp' at 0x2626454
Function 'Heap32ListNext' in library 'toolhelp' at 0x26264dc
Function 'Heap32First' in library 'toolhelp' at 0x2626574
Function 'Heap32Next' in library 'toolhelp' at 0x2626628
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'ace_ddi'
Unable to load library 'clkregim'
Detecting current machine
Trying to detect machine (Plat='PocketPC' OEM='GIGABYTE gSmart')
Wince reports processor: core=MediaTek name=MT6516 cat= vend=MediaTek Inc
Looking at machine Alpine
Looking at machine Apache
Looking at machine AximX50
Looking at machine AximX5
Looking at machine Beetles
Looking at machine Blueangel
Looking at machine Himalaya
Looking at machine Magician
Looking at machine Universal
Looking at machine H1910
Looking at machine H1940
Looking at machine RX1950
Looking at machine H2200
Looking at machine H3600b
Looking at machine H3700
Looking at machine H3800
Looking at machine H3900
Looking at machine H4000
Looking at machine H4300
Looking at machine H5000
Looking at machine H6340
Looking at machine HX2000
Looking at machine HX4700
Looking at machine Sable
Looking at machine Wizard
Looking at machine Hermes
Looking at machine Trinity
Looking at machine Athena
Looking at machine G500
Looking at machine Artemis
Looking at machine Herald
Looking at machine Prophet
Looking at machine RX3000
Looking at machine Treo700wx
Looking at machine Treo850w
Looking at machine Treo850e
Looking at machine e310
Looking at machine e740
Looking at machine Acer_n30
Looking at machine Mio_P550
Looking at machine Kaiser
Looking at machine Loox5xx
Looking at machine Loox400
Looking at machine MioA701
Looking at machine Wallaby
Looking at machine Raphael
Looking at machine SGH_i900
Looking at machine Leo
Looking at machine Topaz
Looking at machine Rhodium
Looking at machine Jornada9xx0
Looking at machine Acer_S200
Looking at machine M800
Looking at machine X800
Looking at machine DX900
Looking at machine X900
Looking at machine M900
Looking at machine Cougar
Detecting ram size
WinCE reports memory size 100663296 (phys=77144064 store=130306048)
Mapping mmu table
Build L1 reverse map
Found 397 uncached and 397 cached L1 mappings (ignored 1).
Not registering command IGPIO
Not registering command WG|PIO
Not registering command GPLR
Not registering command GPDR
Not registering command GAFR
Not registering command GPIO
Not registering command GPIOST
Registering command LOADLIBRARYEX
Registering command NLEDSET
Not registering command TRACE
Not registering command TRACEMASK
Not registering command TRACE2
Not registering command TRACETYPE
Not registering command TRACE2TYPE
Not registering command TRACEFORWATCH
Not registering command INSN
Not registering command INSNREENABLE
Not registering command INSNREG1
Not registering command INSNREG2
Not registering command INSN2
Not registering command INSN2REENABLE
Not registering command INSN2REG1
Not registering command INSN2REG2
Registering command KILL
Registering command PS
Registering command LSMOD
Registering command ADDR2MOD
Not registering command AC97
Not registering command ATIDBG
Not registering command EIM
Not registering command GPIO
Not registering command WB|ANK
Not registering command GPLR
Not registering command GPDR
Not registering command GPPUD
Not registering command GPSDR
Not registering command GPSPUD
Not registering command GPIOS
Not registering command GPIOSOUT
Not registering command GPIOST
Not registering command MSMCLKKHZ
Initializing for machine 'Cougar'
HaRET(1)# Welcome, this is HaRET pre-0.5.3-20110302_124009 running on WindowsCE v5.2
Minimal virtual address: 0x10000, maximal virtual address: 0x7fffffff
Detected machine Cougar/MT65XX (Plat='PocketPC' OEM='GIGABYTE gSmart')
CPU is ARM ARM arch 5TEJ stepping 5 running in system mode
Enter 'HELP' for a short command summary.
Running WSAStartup
Starting gui
In initdialog
Found machine Cougar
executing startup.txt
HaRET(1)# set RAMSIZE 0x08000000
HaRET(2)# set RAMADDR 0x08000000
HaRET(3)# set MTYPE 2754
HaRET(4)# set FBDURINGBOOT 0
HaRET(5)# set KERNEL zImage
HaRET(6)# set INITRD initrd.gz
HaRET(7)# set CMDLINE "debug rootdelay=10 root=/dev/ram0 console=tty0 mem=128M ppp.nostart=0 lcd.density=120 pm.sleep_mode=0 no_console_suspend"
HaRET(10)# print "Some basic info about your PDA:"
Some basic info about your PDA:
HaRET(11)# print "Processor Mach Type is %d" MTYPE
Processor Mach Type is 2754
HaRET(12)# print "MMU L1 descriptor table address is %08x" MMU
MMU L1 descriptor table address is 02650000
HaRET(13)# print "Video RAM address is %08x" VRAM
Video RAM address is 0174b000
HaRET(14)# print "Current Process ID is %d" PID
Current Process ID is 22
HaRET(18)# boot
boot KERNEL=zImage INITRD=initrd.gz
Opening file zImage
Opening file initrd.gz
boot params: RAMADDR=08000000 RAMSIZE=08000000 MTYPE=2754 CMDLINE='debug rootdelay=10 root=/dev/ram0 console=tty0 mem=128M ppp.nostart=0 lcd.density=120 pm.sleep_mode=0 no_console_suspend'
Boot FB feedback: 0
Built virtual to physical page mapping
Allocated 1109 pages (tags=0x54500000/0567d000 kernel=0x54501000/0567c000 initrd=0x54825000/05963000 index=0x54950000/05a8e000)
Built kernel tags area
Built page index
Tags will be at offset 0x00000100 (0xf00)
Kernel will be at offset 0x00008000 (0x323a48)
Initrd will be at offset 0x00508000 (0x12a606)
[email protected]/05a92000 sj=0x54954278 stack=0x54952000/05a90000 data=0x54953000/05a91000 exec=05a923b8
Reading 3291720 bytes...
Read complete
Reading 1222150 bytes...
Read complete
Launching to physical address 05a92288
Trampoline setup ([email protected]/2c02b994/02ccc994)
MMU setup: mmu=0xa6650000/02650000
Go Go Go...
So your Gsmart S1205 working propertly?
MrXLR8 said:
So your Gsmart S1205 working propertly?
Click to expand...
Click to collapse
Like I said "but still it freezes" . When it will work I will write it in bold, i put data here for other people to see and maybe help me in getting the needed data to build Haret for GSmart S1205 / MT6516/MTK6516 processor, the last Android Kernel (or at least the last Linux Kernel has drivers for this processor), but I need GPIO table and specific IRQs.
so? got anything working? its like month ago
), no, because the android kernel source code for the MT6516 processor is only in China, and I haven't found anyone that would share it (they don't care about license of the kernel), only found compiled kernel, i'm trying to create a source code from the processor's datasheet (more than 1500 pages) and from assembler code found in the compiled kernel. So, will take a long long time. Maybe it doesn't worth to run Android on this type of processor, who knows....
I managed to extract the make config of the kernel compilation and initramfs.cpio
can i help you with something , or can you leave your email or skype?
s1205 Android
Hello. I, too, on the s1205 was unable to run. If you can please let know about your successes. Thanks in advance.
I don't suppose you could point me in the direction of a copy of the datasheet? I'm trying to make some changes on a different MT6516-based device, and I reckon a look at that datasheet could help somewhat. But the only copies I've found are on chinese forums that require some kind of virtual currency to download...
jh3141 said:
I don't suppose you could point me in the direction of a copy of the datasheet? I'm trying to make some changes on a different MT6516-based device, and I reckon a look at that datasheet could help somewhat. But the only copies I've found are on chinese forums that require some kind of virtual currency to download...
Click to expand...
Click to collapse
If you need just datasheet, I've found some docs. Can send you if you need.
how about rom extraction
hi guys, how about figuring out how to extract the flash.bin for gsmart s1205? anyone?
http://forum.xda-developers.com/showthread.php?t=708746
i don't know if this can help you, but i found a PDA with MT6516 processor, and it has android, the link to the firmware/driver ht*tp://ww*w.vkam*obi.com/a5000_refresh.rar (remowe the *)
neocska said:
i don't know if this can help you, but i found a PDA with MT6516 processor, and it has android, the link to the firmware/driver ht*tp://ww*w.vkam*obi.com/a5000_refresh.rar (remowe the *)
Click to expand...
Click to collapse
Hello. I, too have s1205 but not unable to run. If you can please let know about your successes. Thanks in advance.
Rom extraction - only from spec cable:
1. Pinout special contacts under accu:
From left to right: 1- Gnd, 2- Tx, 3-Rx, next symmetric 4 - Rx, 5 - Tx, 6 - Gnd
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Connect s1205 with Serial->USB to comp.
2. Flasher:
h..p://4pda.ru/forum/dl/post/1011438/SP_Flash_Tool_v1.1110.00_new_mcp.7z
3. run flasher
2. go to tab "Read back"
3. remove all task button "remove"
4. press button "Add"
5. 2 Click on stroke - select where save dump, press "save", in textbox "Length" - write 0х10000000
6. On tab "baudrate" select speed (std 115200 b/s, can 460?)
7. See in comp manag number of com port of cable and write this number in number port in flasher.
8. Press "Read back" and get rom(1) file without ext.
Do not start memory test in flasher!!! it's destroy you s1205.

Guide logcat, links and some tools. 17-1-13

{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I did a small search on how to logcat and fix the problems found. I thought wy dont put this in a thread sow others can find some good links and info on 1 place. I mainly put in the links and info i found using the search option: ¨logcat¨
Yes use the search option first before you go and ask things.
This thread/post is alsow just great for my self to haha. I´ll post it in my main thread and be able to find this good stuff fast.
Here go´s my small guide i put to gether reading on XDA. This will go about logcat bootloop and logcat on device.
Sow i almost got my cm9 rom working.. But still get a bootloop.:crying:
I start the command when the bootanimation starts. Ore it wont work. ADB needs to be started on the device.(To be clear on this i start terminal in Linux.) This is the command i use to start logcat:
adb logcat *:E, *:W > errandwarn.txt
For me the file is made in the home dir.:good:
-To stop running a logcat you can use the option: control + C stops adb log.
Logcat on you´re device:
This can be usefull if you have Android running.
Download terminal if you dont have one.
type this in your terminal emulator :
adb logcat -v long > name of problem.txt
If you managed to get the logcat you could google the errors in it. Ore post on XDA if you cant find all the answars.. Probably a post about logcat might be best to ask!?
I made a new thread my self here:http://forum.xda-developers.com/showthread.php?p=36808921#post36808921
I wanted to see if i get respons this way and hopefully fix my problems.
Guides:
http://forum.xda-developers.com/showthread.php?t=2143254
http://forum.xda-developers.com/showthread.php?p=42139279
[GUIDE] Installing ADB/SDK and How to make a logcat: http://forum.xda-developers.com/showthread.php?t=1616059
guide How To Logcat: http://forum.xda-developers.com/showthread.php?t=1726238
guide: http://forum.xda-developers.com/showthread.php?t=1123129
Guide and tool. Logcat on pc ore device: http://forum.xda-developers.com/showthread.php?t=1987232
Logcat enable/disable Application: http://forum.xda-developers.com/showthread.php?t=1355331
[Article]Workaround for grep and Logcat, dmesg, and last_kmsg on Windows: http://forum.xda-developers.com/showthread.php?t=2076377
Tools:
logcat reader. This is for WIndows: http://forum.xda-developers.com/showthread.php?t=1618882
All in One Android Logger. For Windows and Linux: http://forum.xda-developers.com/showthread.php?p=32994107
There should be a lot more nice tools but i did not look into it more for now. Post some links if you like!
If there are any other nice guide and tools to use i really would like to ad them here. Sow please let me know
Some fixes on commen problems.
Space for me.. If posible some info on how to fix some commen problems.
To early to bumb haha
Problem 1 dpi setting:
W/SurfaceFlinger( 1042): ro.sf.lcd_density not defined, using 160 dpi by default.
Fix:
the values =120,140,160,180,200,220,240 for changing
You can use lcddensity.apk (root user) for this.
you must be added this ro.sf.lcd_density=240 in build.prop at the end.
I have this in my device.mk:
PRODUCT_PROPERTY_OVERRIDES += \
ro.product.locale.language=nl \
ro.product.locale.region=NL \
ro.system.hdmi_max_resolution=fullhd \
ro.system.hdmi_active=true \
ro.system.composite_active=true \
persist.sys.composite_resize=3 \
ro.system.component_active=false \
tcc.output.component_mode=0 \
ro.system.hdmi_portable=true \
ro.opengles.version=131072 \
persist.sys.timezone=Europe/Amsterdam \
tcc.hdmi.720p.fixed=0 \
tcc.video.call.enable=0 \
tcc.only.play.mode=1 \
tcc.show.video.fps=0 \
tcc.hwc.disable=0 \
dalvik.vm.dexopt-flags=m=y \
dalvik.vm.dexopt-data-only=1 \
ro.sf.lcd_density=240
Ore you can ad this in buid.prop of you´re already build rom.
Problem 2 write failed:
E/dalvikvm( 1914): Zip inflate: write failed: Bad file number
E/dalvikvm( 1914): Unable to extract+optimize DEX from '/system/framework/services.jar'
E/dalvikvm( 1914): Dex cache directory isn't writable: /data/dalvik-cache
E/dalvikvm( 1914): Dex cache directory isn't writable: /data/dalvik-cache
Fix:
-put:
dalvik.vm.dexopt-data-only=1 in build.prop ore in buildfile: *_device.mk
Look ad PRODUCT_PROPERTY_OVERRIDES += \ of answar 1.
-Wipe dalvik?
I did not see the error again. Im not sure if the reason for this error is 100% fixed.
Link: http://forum.cyanogenmod.org/topic/...t-cm-6-nightly-tests/page__st__-20#entry20228
Problem 3 missing file:
E/Sensors ( 1375): couldn't find 'compass' input device
E/Sensors ( 1375): open error.
E/Sensors ( 1375): AccelSensor: gsenportrait ()
E/Sensors ( 1375): couldn't find 'lightsensor-level' input device
E/Sensors ( 1375): couldn't find 'proximity' input device
W/UsageStats( 1375): Usage stats version changed; dropping
W/PackageManager( 1375): Library not found: /system/framework/com.google.widevine.software.drm.jar
Fix:
-add permission com.google.widevine.software.drm.xml to system/etc/permissions/ Continue to see logcat. Put com.google.widevine.software.drm.jar in framework folder.(com.google.widevine.software.drm.jar needed for gapps?)
I do change this stuf in my make files/device folder. In the file *.device.mk again! Could dump those 2 files in a already build rom and repack i gues.
-flash gapps..?
- I did not have the file com.google.widevine.software.drm.jar in my stock rom.. Strange.
-There seem to be more problems in this problem part but this is what i fixed sow far..

[DEV] Ubuntu Touch (Preview) for Huawei Mediapad

This is a port of Ubuntu Touch (Preview) for Huawei Mediapad tablet (s7-30xx).
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Keep in mind that:
- its experimental;
- not for daily use;
- only for developers;
- dont try install it if you have no skills at least in working with adb;
- you have to do a nandroid before installing;
- dont blame anyone for broken device
How to install (almost everything the same as for other cm9-10.1 releases):
1. Install twrp/cwm recovery.
2. Make factory reset.
3. Install the device specific part for Ubutnu.
4. Install the generic Ubuntu part.
5. Install dpi fix.
6. Reboot
7. Open terminal at PC, connect tablet via usb cable to it and enter the following commands:
Code:
adb root
Code:
adb shell
Code:
ubuntu_chroot shell
If you want to see GUI then type:
Code:
ubuntu-session
--- Enjoy the testing! --- (or not enjoy )
Download links:
- Device specific part: http://www.mediafire.com/download.php?71147ctm19763n8.
- Generic Ubuntu part: http://cdimage.ubuntu.com/ubuntu-to...c-demo/quantal-preinstalled-phablet-armhf.zip;
- DPI fix: http://www.mediafire.com/download.php?g8granxnx1q2iqt.
Working:
- Ubuntu Touch OS;
- Touchscreen;
- Display;
- ADB;
- Wifi (with manual config).
Some bad screenshots:
Nice
Is working/not working this or more things don't work?
Question : What Works?
Answer : As this is a Developer Build, dont expect much to work. The items that have been confirmed to work are;
Touchscreen
Sound (over speakers)
Display
Internet Browser
WiFi (No WPS)
Camera (Front and Back)
Video Player
ADB
Screen Brightness Controls
Automatic Brightness
Speech Driven HUD (Yes, it works)
GSM Voice (No APN Settings)
The SideStage Seems to be working
Question : What Does Not Work?
Answer : As this is a developer build, dont expect things to work properly, here are a few things that are not working
3G/4G Data
Audio Out via Headphones
HDMI
Bluetooth
Most Applications and Menus
Charging Indicator
Software Center (Note : You can install simple shell applications via apt-get install … once inside the chroot)
Most applications are placeholders
MMS
CDMA Connections
SIM Storage
Auto Rotation (Or any rotation for that matter)
Random Crashes when swiping
Notifications (All of them are placeholders)
Most Applications that do function are web apps like m.gmail.com.
NFC
Click to expand...
Click to collapse
Screenshots
Wow, this is great too bad there is no networking, otherwise it is pretty neat
One bug is that the keyboard is too big for the screen (see messaging screenshot below).
Here are screenshots via ddms:
OMG!!! Thank you!!! Can we expect more of ubuntu touch for mediapad beyond a developer preview?
Sent from my Huawei MediaPad using xda app-developers app
That was a very quick try, so dont wait too much from it. Besides ubuntu touch in very very early stage of developing.
For keyboard Its needed to adjust ubuntu-session, i havent done it in proper way.
Please don't stop developing for the Mediapad.
By the way i have been able to setup wireless connection (to open access point, cant do it for wpa2)
To do it you need from
Code:
adb shell
perform the following:
Code:
insmod /system/lib/modules/dhd.ko firmware_path=/system/etc/wifi/rtecdc-bcm4329.bin nvram_path=/system/etc/wifi/nvram-bcm4329.txt
Then go to chroot shell via
Code:
ubuntu_chroot shell
and then setup wireless connection from there (in linux way from terminal
For example:
Code:
mount -t proc proc /proc
ifconfig wlan0 up
iwconfig wlan0 mode managed
iwconfig wlan0 essid your_ssid
dhclient wlan0
or something like that.
will this work on s7-931u?
Sent from my GT-I9000 using xda app-developers app
bobo1337 said:
will this work on s7-931u?
Click to expand...
Click to collapse
Not. This build are compatible only for MediaPad S7-30*u/w
Hello, i have tried to get ubuntu touch running, but my screen stays black.
when typing ubuntu-session in adb I see two lines in response:
ubuntu-session
Redirecting output to local session logs
does not look that bad, but my screen stays black all the time
and i can not connect to the device via adb anymore.
any idea what is going on? I used the daily build from 8.03
thx and greetings
Hi
I have tried to flash one more time, here is the log of the first call of ubuntu-session after flash:
Code:
[email protected]:/ # ubuntu_chroot shell
ubuntu_chroot shell
[email protected]:/# ubuntu-session
ubuntu-session
Redirecting output to local session logs
/usr/bin/ubuntu-session: line 21: /home/phablet/.ubuntu-session/logs/ubuntu-sess
ion.log: No such file or directory
Error, do this: mount -t proc proc /proc
grep: /proc/cpuinfo: No such file or directory
Device=
Starting session bus
Started pulseaudio with pid 398 (0 secs start delay)
Started maliit-server with pid 403 (0 secs start delay)
/usr/bin/ubuntu-session: line 122: 403 Segmentation fault ${service[1]} $
arguments &>"$HOME/.ubuntu-session/logs/$binary.log"
Started qml-phone-shell with pid 410 (2 secs start delay)
Got Shell pid = 410
Started chewie_messaging_populate_menu with pid 415 (0 secs start delay)
Started friends-service with pid 420 (0 secs start delay)
/usr/bin/ubuntu-session: line 122: 410 Segmentation fault ${service[1]} $
arguments &>"$HOME/.ubuntu-session/logs/$binary.log"
Started manage-address-books.py with pid 443 (2 secs start delay)
Started ofono-setup with pid 483 (12 secs start delay)
Stopping services...
Stopping pulseaudio
/usr/bin/ubuntu-session: line 38: kill: (398) - No such process
Stopping maliit-server
/usr/bin/ubuntu-session: line 38: kill: (403) - No such process
Stopping qml-phone-shell
/usr/bin/ubuntu-session: line 38: kill: (410) - No such process
Stopping chewie_messaging_populate_menu
Stopping friends-service
Stopping manage-address-books.py
/usr/bin/ubuntu-session: line 38: kill: (443) - No such process
Stopping ofono-setup
Killing session bus...
Session stopped.
[email protected]:/#
Can anybody tell me what went wrong?
Killigrew said:
Hi
I have tried to flash one more time, here is the log of the first call of ubuntu-session after flash:
Code:
[email protected]:/ # ubuntu_chroot shell
ubuntu_chroot shell
[email protected]:/# ubuntu-session
ubuntu-session
Redirecting output to local session logs
/usr/bin/ubuntu-session: line 21: /home/phablet/.ubuntu-session/logs/ubuntu-sess
ion.log: No such file or directory
Error, do this: mount -t proc proc /proc
grep: /proc/cpuinfo: No such file or directory
Device=
Starting session bus
Started pulseaudio with pid 398 (0 secs start delay)
Started maliit-server with pid 403 (0 secs start delay)
/usr/bin/ubuntu-session: line 122: 403 Segmentation fault ${service[1]} $
arguments &>"$HOME/.ubuntu-session/logs/$binary.log"
Started qml-phone-shell with pid 410 (2 secs start delay)
Got Shell pid = 410
Started chewie_messaging_populate_menu with pid 415 (0 secs start delay)
Started friends-service with pid 420 (0 secs start delay)
/usr/bin/ubuntu-session: line 122: 410 Segmentation fault ${service[1]} $
arguments &>"$HOME/.ubuntu-session/logs/$binary.log"
Started manage-address-books.py with pid 443 (2 secs start delay)
Started ofono-setup with pid 483 (12 secs start delay)
Stopping services...
Stopping pulseaudio
/usr/bin/ubuntu-session: line 38: kill: (398) - No such process
Stopping maliit-server
/usr/bin/ubuntu-session: line 38: kill: (403) - No such process
Stopping qml-phone-shell
/usr/bin/ubuntu-session: line 38: kill: (410) - No such process
Stopping chewie_messaging_populate_menu
Stopping friends-service
Stopping manage-address-books.py
/usr/bin/ubuntu-session: line 38: kill: (443) - No such process
Stopping ofono-setup
Killing session bus...
Session stopped.
[email protected]:/#
Can anybody tell me what went wrong?
Click to expand...
Click to collapse
I got issue same you,still can't solve.
chok_thewa said:
I got issue same you,still can't solve.
Click to expand...
Click to collapse
I tried to launch Ubuntu on my MediaPad
It's work onli in wire-to-pc mode. When I disconnect a Usb-wire - I have a blank screen.
Any plans on future work on it? I read that late may build should be for daily use so I finally managed to try it. I used latest raring build but I had no luck with getting GUI working :/
Can I boot directly in, or is this Chroot only?
The install instructions include a chroot, but is that what ubuntu ends up running in? Is it possible to run without loading android into ram as well?
Thanks.

Android 10 encryption issue after rom downgrade

Hi guys, I am asking you some help due to an emergency.
I had to downgrade an Android 10 rom where I had encryption turnen on (rom).
All I did was flashing a previous (minor) version of the rom via TWRP with just a "wipe cache/dalvik".
After rebooting my pin was not recognized anymore by both Android and TWRP.
I did many tentatives and at some point I typed "default_password" as pin, when asked by Android during the boot, and there was a important change:
1. After rebooting I typed my old pin, and now Android always tells me: "The password you entered is correct, but unfortunately your data is corrupt".
2. Now when TWRP asks for the password, it accepts the old pin too. But it is "unable to mount storage".
3. The system partition's contents are now visible: before they were not showing at all. The data partition is not accessible (error decrypting…).
I have done a lot of studying and tentatives to get the phone working without formatting and losing the data, but I could not solve the issue. I don't think the data is actually corrupted, because the rom downgrade was a minor version and it did not modify anything about encryption.
Could you please point me to the right direction? I am trying to understand what could have gone wrong, and find some possible solution.
EDIT: more details and list of the attempted solutions in this post: https://forum.xda-developers.com/t/...sue-after-rom-downgrade.4168821/post-85210619
JackSlaterIV said:
After rebooting I typed my old pin, and now Android always tells me: "The password you entered is correct, but unfortunately your data is corrupt".
Click to expand...
Click to collapse
Look inside here.
jwoegerbauer said:
Look inside here.
Click to expand...
Click to collapse
Both methods cause /data to be erased, which is what I don't want. Thanks anyway.
guess if something has changed since your dirty flash, it must be something in last 16384 bytes where the crypto footer is
there are some bytes which are most likely one or eight flag(s)
Flags : 0x00000000
you can locate and copy the crypto footer like this
- check fstab for location if it says encryptable=footer (or see recovery.log)
- get partition size and calculate the offset -16384
- extract the footer to /sdcard with dd (any file name)
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
on PC open that file with Hex Editor
- the crypto footer will start with magic 0xD0B5B1C* (little endian). in my case it's C5 B1 B5 D0 as it's a samsung device.
- you should also see a string aes-cbc-essiv:sha256 (in my case aes-xts)
inspect the crypto footer with python script. you can't decrypt since android uses scrypt+keymaster but it will give you a nice layout
- install python 2.7
- run that script bruteforce_stdcrypto.py
Code:
Android FDE crypto footer
-------------------------
Magic : 0xD0B5B1C4
Major Version : 1
Minor Version : 3
Footer Size : 2352 bytes
Flags : 0x00001008
Key Size : 128 bits
Failed Decrypts : 36
Crypto Type : aes-xts
Encrypted Key : 0xCCE7D93B501B400D3D81726806F92936
Salt : 0x51B68B017C2A181E3ABD0B041FBFAA14
KDF : scrypt+keymaster
N_factor : 15 (N=32768)
r_factor : 3 (r=8)
p_factor : 1 (p=2)
crypt type : PIN
FS size : 52453304
encrypted upto : 52453304
-------------------------
as you can see in your case the flags are 0x00001008 so you can easier locate that in your Hex Editor
- convert the string little endian 0x00 00 10 08 -> 08 10 00 00
- you will find that four bytes at offset 13 in the first line
- reset the flags to 00 00 00 00 and save the file
if you prefer linux you can also use that shell script for doing that. fde_crypto.sh
Before messing up your data partition do a full dump for backup purposes (because we don't know what we are doing here, encryption is complicated stuff). In case you broke something you can just adb push it later
Code:
adb pull /dev/block/bootdevice/by-name/userdata
Now, write the new crypto footer back to end of userdata partition
- copy the file back to the device (another file name)
- get partition size and calculate the offset -16384
- write the footer to offset with dd (seek)
Code:
adb push data-footer.bin /sdcard
adb shell
cd /sdcard
blockdev --getsize /dev/block/bootdevice/by-name/userdata
dd bs=512 seek=$((52453336-32)) count=32 if=data-footer.bin of=/dev/block/bootdevice/by-name/userdata
Note: i don't know if that works. indeed, that's all guesswork based on your input in pm. good luck!
Hi and thanks again. As you wrote we spoke a lot via PM before your post.
I reset the footer flags to 00 00 00 00. Then used dd as you suggested to overwrite the userdata footer.
During the first Android boot, it asked me to enter the pin, but then it failed to decrypt, and now is always showing the old message "The password you entered is correct, but unfortunately your data is corrupt" .
So looks like the flag at least reset the default mode.
And TWRP still can't decrypt the partition.
It's no surprise because, as you showed me, the userdata partition may be corrupted.
I wanted to get the updated footer back from the phone to my PC. I used this:
dd bs=512 seek=$((52453336-32)) count=32 if=/dev/block/bootdevice/by-name/userdata of=/tmp/data-footer-new.bin
32+0 records in
32+0 records out
16384 bytes (16.0KB) copied, 0.009945 seconds, 1.6MB/s
Then Adb pull tmp/data-footer-new.bin
But it started downloading a few GB of data. I checked the size via ls -l:
-rw-rw-rw- 1 root root 26856108032 Dec 20 14:04 data-footer-new.bin
What I did wrong? Is it a bug?
usage problem - this is expected behavior for dd seek. when the output file is too small or doesn't exist, a zero padding is filled to create a big file before the offset starts, where it finally starts to write the real data (32 x 512 bytes)
you have mixed up parameters skip/seek, in your case copied first 16384 bytes from userdata into the end of a big file data.footer.bin
btw the userdata partition is not corrupt per se (or at least there is no proof i could show ever) you will never find ext4 file system magic 0xEF53 on encrypted userdata, only on dm-0 (if decrypted successfully). but true, mounting is a different case, indeed mount may fail even for successfully decrypted file system (like for Redmi 5). so the safest way to know if decrypted successfully is looking for zero paddings, first 1024 bytes will have enough of it...
you can try lot of other values for this flag (0x00001000 like for LG?) or try other (undiscovered) flags. you need a lot patient and time as you are the first one trying this. also reset the failed decrypts counter as this may important for gatekeeper timeout
i recommend to decrypt straight from twrp command line, should "work" without reboot
edit: i could even imagine automatizing that with script (10 sec/attempt - min timeout)
edit 2: interesting too would be binary (or checksum) compare of userdata before/after failed attempt (without footer) to figure out if changes happen elsewhere (other than footer)
even more interesting, you could factory reset and reproduce the mistake, make a snapshot before/after and bitwise compare where the changes happen
if the key itself has changed, there is no possible way to revert as the old key is lost
but decryption should still be possible on the newer android version, all you need is working twrp that fits
edit: factory reset is maybe not the best idea! turns out for FBE file-based-encryption the KEK is stored in TEE and depending on rollback resistance (not related to version binding) master key may deleted on factory reset. FBE is introduced with Android 7.1 - your device is still running good old FDE full-disk-encryption - but who knows what additional protections Android 10 enforces? can't guarantee that KEK is encrypted by hardware-backed RSA-2048 private key and screenlock credentials only and everything is stored in crypto footer only, although the documentation doesn't indicate contradictory
aIecxs said:
usage problem - this is expected behavior for dd seek. when the output file is too small or doesn't exist, a zero padding is filled to create a big file before the offset starts, where it finally starts to write the real data (32 x 512 bytes)
you have mixed up parameters skip/seek, in your case copied first 16384 bytes from userdata into the end of a big file data.footer.bin
Click to expand...
Click to collapse
Can you confirm this is the correct command to get the new footer?
dd bs=512 skip=$((52453336-32)) count=32 if=/dev/block/bootdevice/by-name/userdata of=/tmp/data-footer-new.bin
I think that this new big file may have caused some corruption.
I want to restore the userdata partition backup, but I read it's not easy as a simple adb push: https://android.stackexchange.com/q...n-image-of-android-partition-from-my-linux-pc
Can you tell me any reliable way to do this, apart using busybox as in the above replies?
btw the userdata partition is not corrupt per se (or at least there is no proof i could show ever) you will never find ext4 file system magic 0xEF53 on encrypted userdata, only on dm-0 (if decrypted successfully). but true, mounting is a different case, indeed mount may fail even for successfully decrypted file system (like for Redmi 5). so the safest way to know if decrypted successfully is looking for zero paddings, first 1024 bytes will have enough of it...
Click to expand...
Click to collapse
Thanks for clarifying this.
you can try lot of other values for this flag (0x00001000 like for LG?) or try other (undiscovered) flags. you need a lot patient and time as you are the first one trying this. also reset the failed decrypts counter as this may important for gatekeeper timeout
i recommend to decrypt straight from twrp command line, should "work" without reboot
edit: i could even imagine automatizing that with script (10 sec/attempt - min timeout)
edit 2: interesting too would be binary (or checksum) compare of userdata before/after failed attempt (without footer) to figure out if changes happen elsewhere (other than footer)
Click to expand...
Click to collapse
Indeed I had already tried 0x00001000 and resetting the counter, before the mess up with my dd command.
Do you know any other combination I could try?
Something I could try is see what happens to /userdata if I type default_password at the first boot.
yes, that is the right command
no, you didn't mess up with big file because of= is the only thing written (and /tmp is only in RAM)
yes, simple adb push is fine and works quite well for single partition. the link is talking about something different (whole eMMC including gpt and bootloader)
no, i have no clue about the flags. the source code might help but it's above my knowledge (yet)
found some explanation for flags
https://www.0xf8.org/2019/01/analyz...axy-s7-data-partition-with-samsung-encryption
have implemented the above link, not sure if i am doing it right but have a look into script fde_crypto.sh
Hello alecxs, thanks for your last messages. Sorry for this long delay.
I did not write any update because I couldn't find anything useful in the footer and the full data images. The phone is still not in use, in a drawer.
I had tried different flags, but after each tentative I had the same result. The "system" tells that data may be corrupted and updates the flag accordingly.
I had compared before vs after data images and did not find any difference. There is only one field in the footer that is modified after each tentative: the sha256 of the footer (offset 90c).
Without further information I cannot tell what causes this issue, if the data is corrupt or not. It would be useful having a more verbose mode in the mount command, so that it shows the reason of the failed mount. I guess it's not possible.
i think it is caused by rollback resistance and you should try higher android version (that one that messed up everything) with compatible TWRP. besides recovery.log you can check dmesg and logcat for additional information
Hi again,
I am attaching dmesg and recovery log, taken from TWRP after a failed mount of the data partition, using my pin, with the crypto footer flags reset to zero.
I could not find anything, so I hope someone reading this could give me a hint.
From what I can see, anti rollback and verified boot are disabled in Mi5 and in LineageOS based roms (see here).
Regarding TWRP I always used the same version recommended by the rom developer.
EDIT: file attachment not working for me...
See them here:
dmesg.log
Shared with Dropbox
www.dropbox.com
recovery.log
Shared with Dropbox
www.dropbox.com
looks like double encryption bug. try to dump content of dm-0 and restore it to userdata, that should at least eliminate the FDE encryption. second encryption is FBE? let binwalk analyze usually there is unencrypted area
aIecxs said:
... you should try higher android version [...]
Click to expand...
Click to collapse
just as a reference: for this you would find errors like
E vold : upgrade_key failed, code -38
E Cryptfs : Failed to upgrade key
which is not the case here.
(note: yes it says "upgrade" but in my example the installed key is from a higher version so actually a downgrade would be needed - which is not possible at all.)
(see a full example and details here and google details here)
JackSlaterIV said:
Hi again,
I am attaching dmesg and recovery log, taken from TWRP after a failed mount of the data partition, using my pin, with the crypto footer flags reset to zero.
I could not find anything, so I hope someone reading this could give me a hint.
From what I can see, anti rollback and verified boot are disabled in Mi5 and in LineageOS based roms (see here).
Regarding TWRP I always used the same version recommended by the rom developer.
EDIT: file attachment not working for me...
See them here:
dmesg.log
Shared with Dropbox
www.dropbox.com
recovery.log
Shared with Dropbox
www.dropbox.com
Click to expand...
Click to collapse
the interesting part is here:
Code:
<3>[ 5.880909] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -65,app_id = 0,lstr = 12288
<3>[ 6.007678] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -71,app_id = 0,lstr = 12288
<3>[ 6.007697] QSEECOM: __qseecom_set_clear_ce_key: process_incomplete_cmd FAILED, resp.result -71
<3>[ 6.007716] QSEECOM: qseecom_create_key: Failed to create key: pipe 2, ce 0: -22
<3>[ 6.007726] QSEECOM: qseecom_ioctl: failed to create encryption key: -22
<3>[ 6.098357] scm_call failed: func id 0x72000501, ret: -2, syscall returns: 0xffffffffffffffbf, 0x0, 0x0
<3>[ 6.225071] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -71,app_id = 0,lstr = 12288
<3>[ 6.225082] QSEECOM: __qseecom_set_clear_ce_key: process_incomplete_cmd FAILED, resp.result -71
<3>[ 6.225096] QSEECOM: qseecom_create_key: Failed to create key: pipe 2, ce 0: -22
<3>[ 6.225104] QSEECOM: qseecom_ioctl: failed to create encryption key: -22
the main error is likely:
Code:
<3>[ 5.880909] QSEECOM: __qseecom_process_incomplete_cmd: fail:resp res= -65,app_id = 0,lstr = 12288
[..]
<3>[ 6.007716] QSEECOM: qseecom_create_key: Failed to create key: pipe 2, ce 0: -22
<3>[ 6.007726] QSEECOM: qseecom_ioctl: failed to create encryption key: -22
-65 means: ATTESTATION_APPLICATION_ID_MISSING whatever that means actually.
aIecxs said:
looks like double encryption bug. try to dump content of dm-0 and restore it to userdata, that should at least eliminate the FDE encryption. second encryption is FBE? let binwalk analyze usually there is unencrypted area
Click to expand...
Click to collapse
interesting idea especially as it actually can decrypt /dev/dm0 according to the recovery.log but then failing to mount it.
I would +1 here and try if you can dump the content of /dev/dm0 after trying the decryption ( e.g. when you have an ext sdcard: `dd if=/dev/dm0 of=/external_sd/dump.img bs=4096` )
Other then that it might be an issue with your blobs - either in TWRP, or the device
i think your issue is bit different and the links provided are about FBE. afaik FDE does not hold keys in TEE (except for hardware-backed RSA-2048 private key which is not flushable) so i am not sure if upgradeKey affects crypto-footer but deleteKey is clearly some keystore thing
to eliminate issues with TWRP i would do decryption test on working block encryption (and maybe try OrangeFox) only then you can determine issues with faulty crypto-footer
Hello guys, thanks for your help.
I dumped both sda14 and dm-0 partitions (using adb dump).
The dm-0 ("decrypted" partition) is a smaller binary file (26.856.091.648 bytes) vs sda14 (26.856.108.032 bytes).
I compared these binary files using HxD and they look different. dm-0 does not contain the crypto footer section (the 16384 bytes difference).
I just installed binwalk for the suggested purpose, and started analyzing dm-0 (binwalk dm-0). It is outputting something and I don't have any idea of how much time it would take to complete the task.
Let's see if I can attach a screenshot..
okay not sure binwalk may just false detect random data or it may real files. anyway you can concatenate dm-0 with crypto-footer from userdata and check what TWRP says about this garbage then
aIecxs said:
okay not sure binwalk may just false detect random data or it may real files. anyway you can concatenate dm-0 with crypto-footer from userdata and check what TWRP says about this garbage then
Click to expand...
Click to collapse
Yes indeed.
I did not find any text in the dm-0 binary.
Can you suggest me how I concatenate these files? I have dm-0 and crypto-footer in separate files. EDIT: just by using HxD.
To overwrite the partition can I use "adb push dm-0-new /dev/block/sda14"?

General Screen mirroring tool SCRCPY now supports WSA's Android 13 with clipboard access

{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
If you think the Windows app SCRCPY is a useful tool you should read on, otherwise leave ...
At 1st look inside here:
Screen mirroring tool scrcpy now supports Android 13 with clipboard access
Controlling your phone from a computer gets easier
www.xda-developers.com
Then ...
Worthwhile to know that
1. Root access is not required.
2. WSA w/ Android 13 image doesn't allow wirelessly USB debugging:
3. The communication between the server (WSA emulator in this case) and client (desktop computer) is done via a socket over an adb tunnel. The server streams H.264 video of the device screen, passing it to the client to decode and display it, without buffering in order to minimize latency. The mouse and keyboard events are captured and transmitted to the server, which injects them to the Android device.
To get SCRCPY work with WSA ( Android 13 image ) you've to use a wrapper script like the one printed below ( DOS-coded ) this because SCRCPY app by default tries to connect to TCP port 5037..
@echo off & setlocal ENABLEDELAYEDEXPANSION
if ERRORLEVEL 1 ( echo FATAL: Cannot enable delayed expansion & pause & exit /B 1 )
::
:: 1. Check if WSA emulator is already up.
set "wsa_svc=WsaService.exe"
for /F "tokens=1 delims= " %%t in ('tasklist /FI "IMAGENAME eq !wsa_svc!" 2^>nul ^| findstr /I /C:"!wsa_svc!"') do (
set "proc=%%t"
if NOT "!proc!"==[] ( goto :done_wsa_check )
)
echo FATAL: WSA is not running & pause & exit /B 1
:done_wsa_check
::
:: 2. Get desktop's horizontal screen resolution.
for /f "tokens=* delims=" %%@ in ('wmic path Win32_VideoController get CurrentHorizontalResolution /format:value') do (
for /f "tokens=2 delims==" %%# in ("%%@") do ( set "HRES=%%#" )
)
:: 3. Restart ADB.
(
adb kill-server & adb devices
) 2>nul >nul
:: 4. Connect the WSA emulator.
adb disconnect >nul & adb usb & adb connect 127.0.0.1:58526
:: 5 Run Windows app scrcpy
::
:: We limit both the width and height to some value (e.g. 1024):
:: the other dimension is computed to that the device aspect ratio is preserved.
::
scrcpy --max-size !HRES! --window-width 800 --window-height 600 --window-x 100 --window-y 100
if !errorlevel! NEQ 0 ( echo FATAL: Couldn't start SCRCPY & pause & exit /B 1 )
:: 6. Wait for scrcpy has terminated -
:: Ctrl+c in the terminal or closing the window are proper ways to close scrcpy.
:chck
timeout /t 15 /nobreak >nul
tasklist | findstr /I /C:"scrcpy" >nul && goto :chck || goto :end
:end
:: 7. Switch back to USB mode:
adb disconnect >nul & adb usb
endlocal
exit /B 0
Click to expand...
Click to collapse
and you'ld preferredly name it WSAScrCpy.BAT and put it into folder where you've extracted SCRCPY-win64-v1.25.ZIP to ( example location )
and then therein launch this .BAT-file
Example SCRCPY screenshots:
BTW: For your convenience the mentioned SCRCPY build and the draft of wrapper script ( WSAScrCpy.BAT ) are attached.
Enjoy the read?​
Then give me a Like.
All Assets:
Releases · Genymobile/scrcpy
Display and control your Android device. Contribute to Genymobile/scrcpy development by creating an account on GitHub.
github.com
谢谢分享。
Code:
adb shell pm set-home-activity "com.microsoft.launcher"
设置安卓默认桌面为微软桌面,需要先安装微软桌面,不然我这边打开会黑屏。
Mod translation: To set the Android default desktop as the Microsoft desktop, you need to install the Microsoft desktop first, otherwise the screen will be black when I open it here.
jwoegerbauer said:
View attachment 5811123
If you think the Windows app SCRCPY is a useful tool you should read on, otherwise leave ...
At 1st look inside here:
Screen mirroring tool scrcpy now supports Android 13 with clipboard access
Controlling your phone from a computer gets easier
www.xda-developers.com
Then ...
Worthwhile to know that
1. Root access is not required.
2. WSA w/ Android 13 image doesn't allow wirelessly USB debugging:
View attachment 5811355
3. The communication between the server (WSA emulator in this case) and client (desktop computer) is done via a socket over an adb tunnel. The server streams H.264 video of the device screen, passing it to the client to decode and display it, without buffering in order to minimize latency. The mouse and keyboard events are captured and transmitted to the server, which injects them to the Android device.
To get SCRCPY work with WSA ( Android 13 image ) you've to use a wrapper script like the one printed below ( DOS-coded ) this because SCRCPY app by default tries to connect to TCP port 5037..
and you'ld preferredly name it WSAScrCpy.BAT and put it into folder where you've extracted SCRCPY-win64-v1.25.ZIP to ( example location )
View attachment 5812457
and then therein launch this .BAT-file
Example SCRCPY screenshots:
View attachment 5811741
View attachment 5812597
BTW: For your convenience the mentioned SCRCPY build and the draft of wrapper script ( WSAScrCpy.BAT ) are attached.
Enjoy the read?​
Then give me a Like.
Click to expand...
Click to collapse
it don't record audio right ?, but some works in OBS works perfectly

Categories

Resources