Better Mobile App

boot.img unpacking question.

I can't seem to get the boot.img file to unpack, regardless of what tool I use or what os. I typically get the results below. the long term goal is to edit the boot.img to allow the next7p to use ext3 /system as opposed to cramfs, and give full read/write. It has been done by Wendal Chen on a different but similar tablet. (Both are rk29xx tablets.)
Any help would be appreciated.
I have been able to create a "custom" rom, which has root and SU, but you cannot write to the /system.
the boot.img from my custom rom is 598k The boot.img pulled from the tablet
is 4096K i get the same issues from both.
Code:
Welcome to the ZTE Racer kitchen by TigTex!
If you aren't using Windows XP, you might need to run this as admin
Make sure you have boot.img on the same folder as this file
Press 1 to decompress the ramdisk and kernel from boot.img
Press 2 to build the boot.img from the ramdisk folder and boot.img-kerne
Press q to exit
Type 1,2 or q and press ENTER: 1
Android Magic not found in boot.img. Giving up.
******kernel and ramdisk extracted!******
* Kernel is the "boot.img-kernel" file *
* Ramdisk is on gzip + cpio *
* YOU CAN ONLY EDIT RAMDISK ON LINUX *
* original img backed up as oldboot.img *
*****************************************
Press 1 to decompress the ramdisk and kernel from boot.img
Press 2 to build the boot.img from the ramdisk folder and boot.img-kerne
Press q to exit
Type 1,2 or q and press ENTER:
Ok so let's try the android kitchen
Here is the show boot.img information
Code:
Working folder's boot.img information
-------------------------------------
Kernel Size : 559903 bytes
Kernel Base Address : 0x00000000
Ramdisk Size : 2090599168 bytes
Ramdisk Load Address : 0x65545c0b
Second Stage Size : 779876570 bytes
Second Stage Load Address : 0xe1906573
Page Size : 84348953 bytes
ASCIIZ Product Name : (None)
Command Line: (None)
Press Enter to continue
And now the attempt to extract first using w option...
Code:
Working folder found
Android header not found at start of boot.img
Warning: Android header not located anywhere in boot.img
Kernel found at offset 84348953 in boot.img
Making folder BOOT-EXTRACTED ...
Extracting kernel ...
Extracting ramdisk ...
Error: No ramdisk folder found!
Press Enter to continue
Ok so lets try the other option in the menu.
Code:
Press Enter to continue
Android header not found at start of boot.img
Warning: Android header not located anywhere in boot.img
Kernel found at offset 84348953 in boot.img
Extracting kernel ...
Extracting ramdisk ...
Error: No ramdisk folder found!
Contents of bootimg_010612_234100:
total 0
-rw-r--r-- 1 0 2012-01-06 23:41 zImage
Press Enter to continue
The zImage file it writes is 0k in size.
Here is the first line from the boot.img looking at it in the hexeditor.
Code:
00000000 4b 52 4e 4c 3a 93 08 00 1f 8b 08 00 00 00 00 00 KRNL:"...<......
From what I have read the kernel is supposedly starting at 1f 8b.....
getting the error that the Ramdisk is not there, it is almost like it is not a complete boot.img file. More so if I look at boot.img in a hexeditor and lookup that address. (Sigh) I keep plugging away.
any help is appreciated.

Dochoppy said:
I can't seem to get the boot.img file to unpack, regardless of what tool I use or what os. I typically get the results below. the long term goal is to edit the boot.img to allow the next7p to use ext3 /system as opposed to cramfs, and give full read/write. It has been done by Wendal Chen on a different but similar tablet. (Both are rk29xx tablets.)
Any help would be appreciated.
I have been able to create a "custom" rom, which has root and SU, but you cannot write to the /system.
the boot.img from my custom rom is 598k The boot.img pulled from the tablet
is 4096K i get the same issues from both.
Code:
Welcome to the ZTE Racer kitchen by TigTex!
If you aren't using Windows XP, you might need to run this as admin
Make sure you have boot.img on the same folder as this file
Press 1 to decompress the ramdisk and kernel from boot.img
Press 2 to build the boot.img from the ramdisk folder and boot.img-kerne
Press q to exit
Type 1,2 or q and press ENTER: 1
Android Magic not found in boot.img. Giving up.
******kernel and ramdisk extracted!******
* Kernel is the "boot.img-kernel" file *
* Ramdisk is on gzip + cpio *
* YOU CAN ONLY EDIT RAMDISK ON LINUX *
* original img backed up as oldboot.img *
*****************************************
Press 1 to decompress the ramdisk and kernel from boot.img
Press 2 to build the boot.img from the ramdisk folder and boot.img-kerne
Press q to exit
Type 1,2 or q and press ENTER:
Ok so let's try the android kitchen
Here is the show boot.img information
Code:
Working folder's boot.img information
-------------------------------------
Kernel Size : 559903 bytes
Kernel Base Address : 0x00000000
Ramdisk Size : 2090599168 bytes
Ramdisk Load Address : 0x65545c0b
Second Stage Size : 779876570 bytes
Second Stage Load Address : 0xe1906573
Page Size : 84348953 bytes
ASCIIZ Product Name : (None)
Command Line: (None)
Press Enter to continue
And now the attempt to extract first using w option...
Code:
Working folder found
Android header not found at start of boot.img
Warning: Android header not located anywhere in boot.img
Kernel found at offset 84348953 in boot.img
Making folder BOOT-EXTRACTED ...
Extracting kernel ...
Extracting ramdisk ...
Error: No ramdisk folder found!
Press Enter to continue
Ok so lets try the other option in the menu.
Code:
Press Enter to continue
Android header not found at start of boot.img
Warning: Android header not located anywhere in boot.img
Kernel found at offset 84348953 in boot.img
Extracting kernel ...
Extracting ramdisk ...
Error: No ramdisk folder found!
Contents of bootimg_010612_234100:
total 0
-rw-r--r-- 1 0 2012-01-06 23:41 zImage
Press Enter to continue
The zImage file it writes is 0k in size.
Here is the first line from the boot.img looking at it in the hexeditor.
Code:
00000000 4b 52 4e 4c 3a 93 08 00 1f 8b 08 00 00 00 00 00 KRNL:"...<......
From what I have read the kernel is supposedly starting at 1f 8b.....
getting the error that the Ramdisk is not there, it is almost like it is not a complete boot.img file. More so if I look at boot.img in a hexeditor and lookup that address. (Sigh) I keep plugging away.
any help is appreciated.
Click to expand...
Click to collapse
Dsixda's kitchen has this feature, (un/re-pack) boot.img built in. Makes for very easy editing. Also helps for making your ROM.
Sent from my PC36100 using xda premium

jamieg71 said:
Dsixda's kitchen has this feature, (un/re-pack) boot.img built in. Makes for very easy editing. Also helps for making your ROM.
Sent from my PC36100 using xda premium
Click to expand...
Click to collapse
That's what he said he used, but the kitchen does not support boot.img of his device's format. A lot of the cheaper tablets use a special format but I have seen Wiki guides on how they are built and extracted.

Any chance you know a link to one of the guides? I will also start searching on like tablets.

Dochoppy said:
Any chance you know a link to one of the guides? I will also start searching on like tablets.
Click to expand...
Click to collapse
Google for the "cmp738a" by Craig. It's a really ****ty tablet that I owned for one day. It uses cramfs like yours, and there are some links on how to unpack and create a ROM. Use terms like "cmp738a unpack ROM"

Dsixda: First thanks for your kitchen tool really it is a great piece of work, I am sure you are under appreciated for it.
After you told me to do some searches I did, then I looked back over everything I had been reading.
I can say I feel like an idiot. I was letting the big picture blot out the details so to speak.
Almost literally all I had to do was remove 3-4 bytes from the header, and ungzip the file...cpio etc etc.
I was stuck in the train of thought that I had to "unpack the boot.img" file first, then ungzip it...

Dochoppy said:
Dsixda: First thanks for your kitchen tool really it is a great piece of work, I am sure you are under appreciated for it.
After you told me to do some searches I did, then I looked back over everything I had been reading.
I can say I feel like an idiot. I was letting the big picture blot out the details so to speak.
Almost literally all I had to do was remove 3-4 bytes from the header, and ungzip the file...cpio etc etc.
I was stuck in the train of thought that I had to "unpack the boot.img" file first, then ungzip it...
Click to expand...
Click to collapse
You mean it's like any other boot.img except for the extra bytes at the beginning and a different header (instead of "ANDROID!" - the actual header the kitchen looks for)?

Well yes and no. The kitchen still does not extract the boot.img correctly, zImage is created as a 0k file, and the ramdisk is still not extracted.

Ok I am still missing something here.

Ok I am still missing something here.
dsixda-
Could you take a look at the boot.img file and tell me what I may be missing?
http://www.mediafire.com/?n9an9o5vmjida1c
I would appreciate it very much.

Dochoppy said:
Ok I am still missing something here.
dsixda-
Could you take a look at the boot.img file and tell me what I may be missing?
http://www.mediafire.com/?n9an9o5vmjida1c
I would appreciate it very much.
Click to expand...
Click to collapse
It's not going to work in the kitchen, what are you trying to do? It is missing the "ANDROID!" magic header and the rest of the file is in a garbled format. You'll need to Google for the solution for your device. I can't offer much help, sorry.

I understand that much. When you do a file boot.img command in linux it just comes back as DATA.
I'm not so much concerned with being able to use the kitchen on it as just being able to unpack and pack the file correctly, and completely.
Thanks for taking a peak at it.

Can you upload to dropbox and let me know. I was working on an experimental tool to do this, so an unknown device would be good to check.. I might be some time in getting back to you though
Sent from my HTC Desire using Tapatalk

Droidzone-
Drop box link
http://dl.dropbox.com/u/56600275/boot.img
Media fire link if that doesn't work.
http://www.mediafire.com/?n9an9o5vmjida1c
Thanks for taking a peak.

Could you also provide the full name of the tablet, manufacturer, and possibly a link to the device?

The tablet in question is the nextbook 7 premium
marketed in the US by E-fun. Website is www.nextbookusa.com
on the front of the page there is a link to the latest firmware which the current version of DocHoppy Rom is based on.
Thanks again for taking a peak at it.
I know this much, the boot.img file it's self once unpacked from the update.img file
is a gziped cpio file, with odd header and footer bits. I have been able to unpack the file (removing header info to make it gzip recognizable), and then using 7zip of all things to unpack the cpio portion. That is where I get hung up at. I need to unpack it correctly so it can be rebuilt correctly. By doing it the way I have, you can't rebuild the file properly.

Update:
After alot of research, and trial and error, I was able to correctly unpack and repack the boot.img. I flashed the repack to my tablet, and successfully booted.
Next step is to modify init.rc and convert /system to ext3.
I will keep you posted.

Do document what you did so that it helps someone else later
Sent from my HTC Desire using Tapatalk

I'm having a similar problem, posted about here. I don't understand why the Android magic number isn't making it into my kernel. I thought the kernel compile would be straightforward, but sheesh...

Dochoppy said:
Update:
After alot of research, and trial and error, I was able to correctly unpack and repack the boot.img. I flashed the repack to my tablet, and successfully booted.
Next step is to modify init.rc and convert /system to ext3.
I will keep you posted.
Click to expand...
Click to collapse
Hi, i am trying to extract a boot.img without the Android header too. What have you done to extract it?
Regards.

[Dev] Kboot release (Stable), boot multiple kernel/os

Hi,
Here a release of kboot.
Kboot permit to boot multiple os with different kernel.
It's based on a buildroot environment.
The source to make your own kboot filesystem are available here
The kernel source are available here
You can download the install archive :
ARCHIVE VERSIONS
0.0. Unstable release. Freeze bug. Install release ARCHIVE (Obsolete)
0.1. Fix freeze. Python bytecode generation (pyc files) is naturally not friend with squashfs. Install release ARCHIVE (Obsolete)
0.2. STABLE Release. Display timeout, migration from squashfs to initramfs. Install release ARCHIVE
The archive looks like :
zImage and initramfs.cpio.gz to flash in SDE menu
a directory kboot which contain:
conf directory : configuration file
os directory : os to boot
images directory : background menu image
Installation
Kboot directory
Copy the kboot directory on your archos in /mnt/storage/, you should have this path /mnt/storage/kboot. The path should be exactly the same otherwise kboot will not be launched
Flash zImage and initramfs.cpio.gz
Follow this link to setup SDE on your archos http://forum.xda-developers.com/showthread.php?t=930197
After Reboot
You should have the following screen. Note: after installing Kboot the device permanently reboot in Kboot.
The main menu will display the os put in os directory (see in Configuration OS boot menu to see how to include your os), advanced menu and halt.
Boot menu
OS boot menu
I have tried to make things simple. To add an OS, all you need is to create a directory in /mnt/storage/kboot/os/ and put in this newly created directory the files zImage and initramfs.cpio.gz.
Important, the name should be exactly zImage and initramfs.cpio.gz, if one file is missing or misnamed the menu item don't appear
For example, the menu above have the following content in /mnt/storage/kboot/os :
Code:
/mnt/storage/kboot/os/Android Froyo:
drwxrwxrwx 2 2000 2000 4096 Feb 27 23:42 .
drwxrwxrwx 5 2000 2000 4096 Feb 28 15:02 ..
-rw-rw-rw- 1 2000 2000 726520 Feb 27 23:39 initramfs.cpio.gz
-rw-rw-rw- 1 2000 2000 2564460 Feb 27 23:39 zImage
/mnt/storage/kboot/os/Android Honeycomb:
drwxrwxrwx 2 2000 2000 4096 Feb 27 16:46 .
drwxrwxrwx 5 2000 2000 4096 Feb 28 15:02 ..
-rw-rw-rw- 1 2000 2000 0 Feb 27 13:42 initramfs.cpio.gz
-rw-rw-rw- 1 2000 2000 0 Feb 27 13:42 zImage
/mnt/storage/kboot/os/UrukDroid 1.6:
drwxrwxrwx 2 2000 2000 4096 Feb 28 15:03 .
drwxrwxrwx 5 2000 2000 4096 Feb 28 15:02 ..
-rw-rw-rw- 1 2000 2000 2874800 Jan 3 19:41 initramfs.cpio.gz
-rw-rw-rw- 1 2000 2000 2302252 Jan 3 19:26 zImage
Note : for specific kernel you can add a file named cmdline containing kernel parameters
Advanced boot menu
Boot init : boot into android, if android kernel was uninstalled, this item didn't appear
Boot recovery : boot into recovery
Soft boot : For details about omap soft reboot see the discussion here
Configuration
There is a configuration file in kboot/conf directory named config.ini. This file is divided into 3 section
init
telnet : 1 to enable telnet, 0 to disable
usbip : set the ip address of usb ethernet interface
Code:
[init]
telnet = 1
usbip = 192.168.10.1
kboot
last_selection : enable (1) or disable (0) the boot by default of the last selectioned entry after a configured timeout
last_selection_timeout : timeout in second
softboot : enable or disable softboot menu
title_font_size : set the title font size
menu_font_size : set the menu font size
title_color : title color in r,g,b format
menu_item_color : menu unselected color in r,g,b format
menu_item_selected_color : menu selected color in r,g,b format
Code:
[kboot]
# boot last selection if no key pressed after 30 seconds
last_selection = 1
last_selection_timeout = 30
# enable soft boot menu (bootloader dev only)
softboot = 1
# some tuning
title_font_size = 36
menu_font_size = 32
# change the color, R,G,B format
title_color = 255,255,255
menu_item_color = 92,97,98
menu_item_selected_color = 0,0,255
softboot
item<n> : the boot sequence wanted
Code:
[softboot]
# put a list of items to display in Soft boot menu
# item<n> = sequence
item1 = uart,usb,mmc1,mmc2
item2 = uart,usb
item3 = mmc1,mmc2
background image
To customize the background image, just replace the file kboot/images/bkg.png with your own and adapt if necessary the size and the font color.
BUGS
Feedbacks are welcome

Cool stuff bro!

Unfortunately it's not working on the A70S, as we only have 800x480 and therefor need a diff picture.

It seems to be good.I have tested it on my A101 and it can boot both openaos and urukdroid.
Thanks.
EDIT:Sorry, Urukdroid cannot boot.It stay at the boot animationan and always show that.

fzelle said:
Unfortunately it's not working on the A70S, as we only have 800x480 and therefor need a diff picture.
Click to expand...
Click to collapse
As an early release I didn't take the time to put the different resolution. The background image have a 1500x1200 resolution, so on 101 it didn't display right too. However kboot adapt resolution for corresponding board. kboot didn't boot on 70s or display wrong the background image ?
MarsCarmen said:
EDIT:Sorry, Urukdroid cannot boot.It stay at the boot animationan and always show that.
Click to expand...
Click to collapse
I have to test urukdroid on mine.

The menu is not readable because the resolution adaption is not doing what it should do.

fzelle said:
The menu is not readable because the resolution adaption is not doing what it should do.
Click to expand...
Click to collapse
I have uploaded a new archive here.
Replace rootfs.squashfs with the new one. Fixed : resolution was wrong for 70S and 70H*.
The zImage in new archive should be flashed, it seems to fix the random freeze.

MarsCarmen said:
EDIT:Sorry, Urukdroid cannot boot.It stay at the boot animationan and always show that.
Click to expand...
Click to collapse
I have to say sorry again that Kboot can boot Urukdroid properly.It was because I copied my backup file to my archos by using MY PC.That is why I cannot boot urukdroid.Maybe I didn't find the real cause. I'm now using Kboot to boot Urukdroid and Openaos.
Really very well!!
Sorry For My Bad English

@alephzain:
Copied the whole kboot dir and flashed the new initrams and zimage.
Looks still as before.

fzelle said:
@alephzain:
Copied the whole kboot dir and flashed the new initrams and zimage.
Looks still as before.
Click to expand...
Click to collapse
. Kernel natively support usb gadget ethernet, when kboot is launched a telnetd is started, an interface usb0 is configured with ip address 192.168.10.1.
if you are on linux it should automatically detect this and on your pc an ifconfig let appear usb0 interface. On your pc type :
Code:
ifconfig usb0 192.168.10.2 netmask 255.255.255.0 up
telnet -l root 192.168.10.1
.
If you can paste a ps output, to see if it detect you board correctly.

Found a Live Linux to use in a vm.
ps output starts with :
{init} /bin/sh /init A70S 07 /dev/mmcblk1p1 /dev/mmcblk0p1

fzelle said:
Found a Live Linux to use in a vm.
ps output starts with :
{init} /bin/sh /init A70S 07 /dev/mmcblk1p1 /dev/mmcblk0p1
Click to expand...
Click to collapse
Its fixed now . Replace rootfs by this one

alephzain said:
Its fixed now . Replace rootfs by this one
Click to expand...
Click to collapse
Please adapt the first post also so that future users have the correct files.
Maybe add a version number....
---------- Post added at 04:27 PM ---------- Previous post was at 04:12 PM ----------
This may be a stupid question but why do you need a squashed fs that contains (when unsquashed) about 30Mb on files including python?
it should be possible to trim that down and put all the scripts and support libs in the initramfs so that you only need to flash the kernel and initramfs and nothing else.

Working now.
If now someone could come with the possibility for booting older stock FW,
would be great.

fzelle said:
Working now.
If now someone could come with the possibility for booting older stock FW,
would be great.
Click to expand...
Click to collapse
Not really possible because the stock firmware (initramfs) always uses the same location for the root file system.
You could do it but it needs some changes to the initramfs that is placed in the dirs.

wdl1908 said:
This may be a stupid question but why do you need a squashed fs that contains (when unsquashed) about 30Mb on files including python?
it should be possible to trim that down and put all the scripts and support libs in the initramfs so that you only need to flash the kernel and initramfs and nothing else.
Click to expand...
Click to collapse
Files on first post have been updated, but you're right a better presentation to avoid confusion is necessary.
Simply because I use python (pygame which use sdl) to code Kboot. Python lib dir is about 13M ... . A minimal filesystem (compressed initramfs) for kboot work is about 8M + ~2M for the kernel give 10M, and it's too big to flash in SDE max 8M. But if i can optimize the size ... I will do

alephzain thanks for the sources on gitorious, I hope I have some time in the weekend to try it out
divx118

@divx118:
And could you then make a initramfs.cpio.gz that direktly boots into CM7?

Hi,
im just about testing...
But sadly I can't get it to work.
Each time the menu starts up i can navigate nicely though the menues.
But whenever I select an entry - noting happens
After that I can still navigate ONCE (up or down) to the next entry and then the device freezes.
It doesn't matter wich entry i select as it seems. I tested Boot init, and my custom entries (UrukDroid and BullRC) yet. But all behave the same.
Any ideas ?
Btw: I tested it with the acutal squashfs and the one packed in the zip (even they seemed to be the same in size)
EDIT:
SOLUTION: I had usb cable attached (since flash) and that made it freeze - juts removed the cable and all is fine
Thanks and gr8 work - was looking for this since ages

fzelle said:
@divx118:
And could you then make a initramfs.cpio.gz that direktly boots into CM7?
Click to expand...
Click to collapse
Yes, no problem.

SOLUTION CUSTOM ROM -Turbo X Hive 3 - rk3066 device tablet

After a long time search i think i can do a custom rom along with a CWM Recovery for TURBO X HIVE III tablet, but i need ORIGINAL boot.img, kernel.img, misc.img, recovery.img, system.img dump. I will do it myself, but in my Turbo X Hive III tablet i do not have original Andoid OS 4.1.1. I already put it on this nice tablet C.M.10.1 but with some other kernel from another tablet and i screw up the touchscreen drivers. From what i understand some of them are integrated in kernel, but i do not have the original kernel image! For those who wants to help to update this tablet (offcourse must have this device) i will upload a tool that can be easily dump .img for our needs! If more people want to develop something nice for this tablet i will provide more details on what we need to do or what i already did! But for now i will wait and see.....!!!
For the tool dump click HERE​

Understanding!
​Learning things first (optional).
All this is OPTIONAL for you to learn. If you don’t want to learn it then move on down to the instructions!
Understanding NAND layout:
Your NAND chips is broken into "partitions" or parts if you will call it that.
Each one of these servers a purpose. Here are all the partitions of a RockChip ROM.
Loader.bin - this is low in NAND and special. You can flash it but cannot dump it.
parameter - this file tells the loader how NAND memory is split up into partitions.
misc.img - this is a special area that tells the recovery system what to do on boot.
boot.img - this is the boot section and basically is the ram disk the kernel uses to boot.
kernel.img - this is of course the kernel.
cache.img - this is an area APPs store information like Google Play for instance.
kpanic.img - this is a special area for use by the kernel.
metadata.img - this is a NEW area for KitKat only. It does not exist in pre-kitkat ROMs. It's used for Encryption.
recovery.img - this is like boot.img but boots the recovery menu system.
system.img - this is the system OS.
backup.img - I am not sure what this is. It started showing up with Rockchip ROMs but does not appear to do anything.
But it might be work backing up anyway.
userdata.img - this is where APPs get installed, user accounts are stored, databases, etc. This area if erased losses all your user installed apps, settings, etc. A factory data reset erases this area.
user.img - This is the remaining NAND space and is set aside as the Internal SDcard.
Please note, many APPs like games, etc store stuff here! Erasing this you can lose data! This is also erased on a factory reset.
So based on the above what parts are a stock ROM?
Loader.bin
parameter
boot.img
kernel.img
misc.img
recovery.img
system.img
As you can see a stock ROM is just that! No user data!
Erasing NAND with the flash tool and flashing a stock ROM gives you a empty like new device as if you just bought it.
OK so some basics there. Now let’s look at the parameter file.
It's important because we will be using this to DUMP NAND memory.
I do not need to make you an expert on this but you need to know a few things.
If we look at this area of a parameter file, you will see the partitions I listed above!
Both the ones that hold a stock ROM images as well as ones that are created to be used by the system.
Here is an example of a parameter file for a kitkat ROM.
[email protected](misc),[email protected](kernel),[email protected](boot),[email protected](recovery),[email protected](backup),[email protected](cache),[email protected](userdata),[email protected](metadata),[email protected](kpanic),[email protected](system),[email protected](user)
So what do those number mean in from of each partition name like boot for instance?
First all these numbers are in hex. Second the numbers are blocks of 512 bytes!
let's look at boot..
[email protected](boot)
The first number 0x00006000 is the size of the partition.
The second number 0x0000a000 is the offset into the NAND chip from 0 location (start of the NAND chip).
But remember all these numbers are in 512 blocks.
If you wanted to know the size in bytes then do this math in your PC calculator.
REMEMBER to have the calculator set to HEX!!!
Enter 6000 and now multiply by 200 (fyi 200 hex is 512 decimal).
You will get C00000. Want to see that it decimal? In the calculator just click Dec and it will convert it!
So what we have is 12,582,912 bytes! Basically that is 12 megabytes.
Alright you can do that same math if you wanted to know the offset into NAND in decimal bytes.
Why is all this important? Well if gets you up to speed later when we calculate internal SDcard.
You don't need to know this but it might help you understand if you were to do things on your own.
___________________________________
Instructions for dumping....
Before we begin let’s get familiar with the tool.
In the download run the ROM_Dumper_Tool.exe.
When it opens you will notice 3 tabs at the top.
Download image - this is for flashing ROMs
Upgrade Firmware - this is for lashing single .img ROMs. I won’t be going into this area for as we don’t use it for dumping.
Advanced Function - This is for dumping and doing some NICE stuff! We will be in here all the time for this procedure.
Note: Anytime we dump a partition the tool always makes a file called ExportImage.img in a folder called Ouptut.
So every time we dump a different partition it will overwrite that file unless we rename them first!
Don't forget that please.
OK first lets dump the basic flashable ROM:
To do ANY dumping we need to dump the parameter file of the ROM from NAND.
Why? because we need the start (offset) and count (size) of the partition or we can’t dump anything.
1) Click the advance functions tab.
2) At the bottom is the "export image" button and to empty boxes, Start and Count.
3) To get the parameter file put a 0 in the start box and a 2 in the count.
4) Now press the export image button.
5) Now we need to make this a real parameter file! Rename the file to parameter.txt
6) We need to clean it up a bit. Open in Windows note pad ONLY!!! Do not open in MS word or anything else or it won’t work!
Also you may need to turn on word wrap to see everything (format menu, select word wrap checked).
7) The first line you will see something like this:
PARMi FIRMWARE_VER:4.1.1
Delete all the junk in front of the word FIRMWARE so it looks like this now:
FIRMWARE_VER:4.1.1
8) clean up ending junk. At the end you will see this word:
(user)
After it will be some junk. Delete everything after (user) including any blank space.
When done make sure to hit enter once so there is a new line after (user)
9) Save the cleaned up parameter file but leave it open as we need it to continue.
Now let’s start dumping!
We will do system.img to start with as an example.
1) Look at the parameter file and find (system) and the numbers before it. Example:
[email protected](system)
REMEMBER the number before @ is the COUNT and the number after the @ is the START!
2) Copy the number after the @ example: 0x00484000 into the start box of the advanced tab in the tool.
3) Copy the number before the @ example: 0x00180000 into the count box of the advanced tab in the tool.
4) Press the export image button and wait for it to complete.
5) Go into the Output folder and rename the file ExportImage.ing to system.img
Now we just repeat the steps 1-5 above for
misc.img
kernel.img
boot.img
recovery.img
backup.img (This can be optional but do it anyway especially if this is a first REAL stock ROM dump as we may need it).
Remember to always use the numbers in front of each name! Don't forget to change those or you won’t have a good dump.
Also remember after each dump, to rename ExportImage.img to the proper name of the image you dumped!
Each time you press Export Image, it will overwrite the existing ExportImage file unless you rename it!
When you’re done you should have the basic ROM dump.
misc.img, kernel.img, boot.img, recovery.img, system.img, and backup.img.
You can now use the flash tool 2.1 or the flash tool 1.37 to flash these.
_________________________________
Dumping userdata, cache, metadata, kpanic:
For a user backup the above 4 should be dumped.
We will start with userdata
This is basically the same as above except can take longer depending on how big your user data partition is.
This will be larger than any other partition so far as most devices have at least 1GB or more!
1) Again look at the parameter file and find (userdata) and the numbers before it. Example:
[email protected](userdata)
REMEMBER the number before @ is the COUNT and the number after the @ is the START!
2) Copy the number after the @ example: 0x00080000 into the start box of the advanced tab in the tool.
3) Copy the number before the @ example: 0x00400000 into the count box of the advanced tab in the tool.
4) Press the export image button and wait for it to complete.
5) Go into the Output folder and rename the file ExportImage.ing to userdata.img
Again repeat above for cache, kpanic, metadata.
if your parameter file does not have metadata then no need to dump this as it does not exist.
Remember only KitKat ROMs have this so do not worry if you don’t have it.
_________________________________
Finally to the hardest part but it is not really that hard. Dumping "user" which is internal SDcard.
Note: if you have a 32GB NAND or something large like that, this might not be worth your time!
Just back up internal SDcard another way (file copy) as it will probably be faster.
One way I like to do it is turn on MASS Storage in settings and enable USB to the PC.
Then I just copy the files to the PC.
For restore after flashing a ROM and userdata, I do the same thing and copy the files back to internal sd BEFORE running any apps that need that data on internal SDcard!
Dumping 32GB and flashing a large internal SDcard takes a LONG TIME! If most of your internal SDcard is empty,
dumping and flashing still writes ALL 32GB anyway so it's a waste of time to do this unless you have a LOT on internal SD.
So there is a trade-off... YOU decide which best works for you!
*********
So to back this area up we have to work some things out.
You will notice the parameter file for (user) has no SIZE number just the offset!
Example: [email protected](user)
the [email protected] simply says to use the remaining NAND as all of user (internal SDcard).
Thus to dump it we must calculate the size! To do this we must know how big our NAND chip is.
First put the number after the @ into the start box so we don't forget example: 0x00604000
This is just like the other parts we did above. We need the start point for user (internal SDcard).
Now let’s find out the size of the NAND chip.
In the advanced tab click the Read Flash Info button.
On the right it will display information but we are interested in this:
Flash Size: XXXXX MB
Where XXXXX is the size of your flash chip "page" size.
For instance my "other androidrk3066 device" says 8192 MB.
BUT WAIT! We also have to see how many pages of NAND we have.
Look at the line Flash CS:
If yours has a 0 then that is all you have 8GB
If CS says something like 0 1 2 3 (That’s 4 pages)
Then you have 4 pages of 8GB or 32GB NAND. If it says 0 1 then you have 2 pages or 16GB NAND and so on.
So whatever your size is multiple that by number of pages!
Example my "other rk3066 android device" stick says:
Flash Size 8528 MB
Flash CS: 0
Thus my full NAND size is 8528 as there is only 1 page
(yes the 0 is a page! The first page starts at 0 and a 1 is the 2nd page).
My "other rk3066 android device" says this:
Flash Size 8192 MB
Flash CS: 0 1 2 3
Thus I would take 8192 and multiply by 4 pages = 32768 MB NAND size.
So we now have our total NAND size!
Now a little more math but easy if you follow my instructions.
First we must make the size in MB a REAL GB number (not a MB number in 1000's).
I am going to use 8192 MB (8GB) NAND as an example. (It only had 1 page e.g. Flash CS: 0)
1) Open your PC calculator and again make sure it is set to programmer mode!
2) Make sure your set to Dec (decimal) not Hex mode!!!
2) Type in your NAND size you read or calculated with pages from the tool. My example 8192.
3) Multiply that by 1024. My example 8192 x 1024 = 8388608
4) Now do that one more time and multiply 8388608 by 1024. My example 8388608 x 1024 = 8589934592
5) Now divide this number by 512. My example 8589934592 / 512 = 16777216
So you know what all this math did was take the proper number of bytes and divide them into 512 blocks.
This is what is needed by the flash tool and parameter file!
6) Now press the Hex button on the left of the calculator to convert this to a hex number. My example came to 1000000 Hex.
7) OK now we know the total size of our NAND chip in 512 byte blocks in Hex format!
8) Now take this number and subtract the "start" that what was shown in the parameter file.
In my example parameter file I had [email protected](user) so my start is 604000 (we don’t use the beginning 0's).
So again my example 1000000 - 604000 = 9FC000
We now have our user (internal SDcard) size! It is 9FC000 in hex!!!
9) Enter this number into the count box of the tool. Again my example is 9FC000
BUT we need to enter it in the format the tool needs and that is hex!
Just add the 0x at beginning of the number so the tool knows it's hex. Again my example is now 0x9FC000
Just a note: 0's in front of any hex number are ignored. So 0x009fc000 is the same as 0x9fc000.
10) Make sure as I said above, you also entered the start number! Again in my example 0x00604000
11) Press the export image button and wait for it to finish. Depending on size this could be a long time!
12) Done forget to rename the ExpoertImage.img to user.img!
We are DONE! We now have a flashable FULL backup of the entire NAND chip!
What you should have in the output folder, if you did everything above dumping EVERYTHING is:
parameter.txt
backup.img
boot.img
cache.img
kernel.img
kpanic.img
metadata.img (optional if you had that and were on KitKat)
misc.img
recovery.img
system.img
user.img (internal SDcard)
userdata.img
__________________________________
Flashing your dump:
OK so now you have dumped the ROM and other items and you want to flash them back.
Well we can’t use the 2.1 RK tool! Why? Because it has 2 bugs in it.
1) Flashing userdata. It works but will error at 50% every time.
It actually does flash 100% but due to a math bug in the program it counts to 50% instead of 100%.
2) It won’t flash user (internal SD). If you try it says it did it but it doesn’t.
It returns success instantly so obviously it doesn’t flash anything.
If you did not backup user (Internal SD) then feel free to flash with the 2.1 tool and you will be OK even with the error at 50%.
However I setup the old 1.37 flash tool for you. All of the lines for each image is there.
I even have them checked by default for you.
In the download there is a flasher tool folder. Just run the flash tool from there.
Uncheck anything you didn’t backup or items you don’t want to flash.
Note: if you leave something checked you did not backup or the .img is not in the Output folder, you will get an error.
I left boot loader unchecked as there is no reason to flash that!
OK so that’s it!​

Specs!
In case somebody not know what device is about: Turbo-X, 10.1", 1280 x 800 pixels resolution, IPS panel, Front Camera 0.3 Mp, Back Camera 2.0, Android 4.1 Jelly Bean, CPU - Dual Core ARM Cortex A9 at 1.5 GHz, Internal Storage 16 GB, RAM -1 GB, WiFi, Bluetooth, Mini HDMI, Micro usb 2.0 host, microSD card slot, Li-Ion 6600 mah with Android 4.1.1, 3.0.8+ Kernel !

Battery
Also for those who have some problem with battery i found this one that is even better then original HERE​

Some other toolkit that i find!
Special thanks to Zeus and Faheem! With their tools you can Check Device, Wipe data, fastboot wipe, Reset user lock, Reset gmail, Reboot device, Fix camera, install usb driver and many other cool stuff!
HERE​

My dear friend Seby, i can help you without any problem and maybe we can open a new development thread for this old tablet because i already did a custom rom with a great help from a greek friend Panagiotis! So we will talk in PM about that!

Hello,can i have more information about this rom?
I must fix my brother's tablet ,stuck on bootloader.
It's exactly the same model as the author's of the current thread.

does anybody know how to enter fastboot mode in a turbox hive iii tablet it stuck in boot logo screen and i cannot do anything. If there is something I can do please tell me.
thanks

How to extract kallsyms from u-boot of S6(aarch64)?

Hi, I need help.
Long time ago I was looking for a way to extract kallsyms from boot/zImage (Android) without running the kernel (statically).
I found this:
at github.com look for fi01/kallsymsprint
This worked and served well for ARM32 kernels. It was able to find and extract kallsyms (offset + function name). It was limited to known 6 patterns of kallsyms locations, but still was better than nothing.
Now, new devices are coming (Samsung S6 Series, for example) based on ARM64 (aarch64). It is UBOOT images, with uncompressed kernel. The tool (above) does not work anymore.
I was trying to do some manual work and figured out following:
0xffffffc000206000 is offset of the first 3 kallsyms functions, so I was able to find where kallsyms_addresses table starts.
It was found at aarch64.img (SM-G920 kernel) at offset from 0xc19800 to 0xc96088 (size is 510088 or 0x7C888). There are 0xF911 (63761) symbols (11 F9 00 00), and kallsyms_num_syms is located at 0xc96090 (after 0x78 (120) zero bytes after table ends).
Next data block of something starts at 0xc96190
Looks like all sections inside kernel are 32-byte aligned.
I was able to find some text part at 0x007d5f90.
Something that looks like some table (maybe not related) at 0x08403504.
Another table at 0x00e8eb20 - 0x00eb6a00.
Update:
kallsyms_in_memory_addresses 0xc19790
kallsyms_in_memory_num_syms 0x0000f911 (at 0xc96090)
kallsyms_in_memory_names 0xc96190
kallsyms_type_table ? 0xd56198
kallsyms_in_memory_markers 0xd56990
kallsyms_token_table 0xd56d90
Who can give any idea how to modify the kallsymsprint code or explain how to find and extract the kallsyms?

Radio img extractor

Hello ... so i have an Radio.img and i know inside there are this files
(bootloader) Validating 'radio.default.xml'
(bootloader) Committing 'radio.default.xml'
(bootloader) - flashing 'NON-HLOS.bin' to 'modem'
(bootloader) - flashing 'fsg.mbn' to 'fsg'
(bootloader) - erasing 'modemst1'
(bootloader) - erasing 'modemst2'.
How can i extract NON-HLOS and fsg ? thanks in advance ...

I know this is an ancient thread, but it's still the first search result, so I figured a solution could help anyone else that stumbles upon this..
I made a quick and dirty extractor that works at least for motorola edge 2021 xt2141 radio images. These files seem to start with magic "SINGLE_N_LONELY" and end with "LONELY_N_SINGLE". Filenames are provided, followed by the length of the contents (in little endian), then the contents.
This script will try to open radio.img in the current dir if a filename is not provided. Dumped files will go right in the working dir, so be careful. File content reading isn't done in chunks here, so be mindful of memory usage. Likely not an issue, but you can code in some chunking if needed.
Code:
#!/usr/bin/env python
import io
import sys
# supply filename as argument or default to 'radio.img'
try:
filename = sys.argv[1]
except IndexError:
filename = 'radio.img'
with open(filename, 'rb') as f:
magic = f.read(0x100).strip(b'\0').decode()
print(magic)
assert magic == 'SINGLE_N_LONELY'
while True:
# filename
fn = f.read(0xF0).strip(b'\0').decode()
print(fn)
if fn == 'LONELY_N_SINGLE':
break
# size of file in little endian
f.seek(0x08, io.SEEK_CUR)
l = int.from_bytes(f.read(0x08), 'little')
print(l)
# warning: not reading in chunks...
# warning: outputs to working dir
with open(fn, 'wb') as o:
o.write(f.read(l))
# seek remainder
rem = 0x10 - (l % 0x10)
if rem < 0x10:
f.seek(rem, io.SEEK_CUR)
# seek until next filename
while not f.read(0x10).strip(b'\0'):
continue
# rewind back to start of filename
f.seek(-0x10, io.SEEK_CUR)
Note the resulting images will likely be in sparse format. You'll need simg2img to convert to raw images if you're trying to mount or otherwise manhandle the images.
If interested in dumping carrier profiles (from inside the fsg image), EfsTools has an extractMbn function. Not sure how to reassemble though. https://github.com/JohnBel/EfsTools

ziddey said:
I know this is an ancient thread, but it's still the first search result, so I figured a solution could help anyone else that stumbles upon this..
I made a quick and dirty extractor that works at least for motorola edge 2021 xt2141 radio images. These files seem to start with magic "SINGLE_N_LONELY" and end with "LONELY_N_SINGLE". Filenames are provided, followed by the length of the contents (in little endian), then the contents.
This script will try to open radio.img in the current dir if a filename is not provided. Dumped files will go right in the working dir, so be careful. File content reading isn't done in chunks here, so be mindful of memory usage. Likely not an issue, but you can code in some chunking if needed.
Code:
#!/usr/bin/env python
import io
import sys
# supply filename as argument or default to 'radio.img'
try:
filename = sys.argv[1]
except IndexError:
filename = 'radio.img'
with open(filename, 'rb') as f:
magic = f.read(0x100).strip(b'\0').decode()
print(magic)
assert magic == 'SINGLE_N_LONELY'
while True:
# filename
fn = f.read(0xF0).strip(b'\0').decode()
print(fn)
if fn == 'LONELY_N_SINGLE':
break
# size of file in little endian
f.seek(0x08, io.SEEK_CUR)
l = int.from_bytes(f.read(0x08), 'little')
print(l)
# warning: not reading in chunks...
# warning: outputs to working dir
with open(fn, 'wb') as o:
o.write(f.read(l))
# seek remainder
rem = 0x10 - (l % 0x10)
if rem < 0x10:
f.seek(rem, io.SEEK_CUR)
# seek until next filename
while not f.read(0x10).strip(b'\0'):
continue
# rewind back to start of filename
f.seek(-0x10, io.SEEK_CUR)
Note the resulting images will likely be in sparse format. You'll need simg2img to convert to raw images if you're trying to mount or otherwise manhandle the images.
If interested in dumping carrier profiles (from inside the fsg image), EfsTools has an extractMbn function. Not sure how to reassemble though. https://github.com/JohnBel/EfsTools
Click to expand...
Click to collapse
Thanks for making python script to unpack these SINGLE_N_LONELY header files(bootloader.img, radio.img, singleimage.bin, gpt.bin) from Moto Stock ROM zips.
But why reading filename only 240 bytes and skipping 8 bytes instead of reading whole 248 bytes?
This guy wrote to read 248 bytes instead https://forum.xda-developers.com/t/...t-of-the-moto-g-5g-plus.4371213/post-87807175
I also made quick and dirty unpacked using Lua 5.3 at https://forum.xda-developers.com/t/...t-of-the-moto-g-5g-plus.4371213/post-87931915
I guess one of us has to post this to github, since I can't find any Open Source tool to unpack this simple format image files.
Currently, only star tool that we can find from some of blankflash files(eg. this) and imjtool can unpack these SINGLE_N_LONELY header files as far as I know. But I guess these are not Open Source.
Thanks

HemanthJabalpuri said:
But why reading filename only 240 bytes and skipping 8 bytes instead of reading whole 248 bytes?
This guy wrote to read 248 bytes instead https://forum.xda-developers.com/t/...t-of-the-moto-g-5g-plus.4371213/post-87807175
Click to expand...
Click to collapse
Ah neat. I only used xt2141 radio images as reference for approximating the file format. It's been a while, but I think based on the actual positioning of the filenames in the images I was testing, I wasn't sure if the final 8 bytes were part of the filename or padding.
Likewise, I wasn't sure of how padding works after the file data, so I just did a dumb seek and rewind.