I expect followed C++ code:
iReturn=RIL_DevSpecific(hRil, (BYTE *)"AT+CSQ\r", (DWORD)7);
can send AT command by RIL_DevSpecific, but fail.
can anyone correct above code and be sent successfully.
Thank.
you expect wrong.
Code:
DWORD cmd= 0x25;
RIL_DevSpecific(hRil, &cmd, sizeof(cmd));
will perform device specific command '0x25', which is 'at+creg=2'
Related
In the Excalibur forum we are struggling to flash a file to a particular offset in NAND (samsung onedisk flash). The file is 4Mbyte and was dumped with bkondisk (by itsme). Deploying pof's ideas, I have patched Excalibur SPL which bypasses vendor/model and signature checking and raises security level to 0. Using this SPL the flash commands can be used w/o restrictions
A similar patched bootloader exists for Vox S710. That SPL includes same commands as the Excalibur SPL.
The SPL offers 2 commands to interactively flash files from MTTY: ls ("load signed"??) and lnbs ("load new binary signed"??)
Afaik the commands are invoked as:
Code:
lnbs [pathname [StartAddr [Length [SkipOffset ["cp"]]]]]
ls [pathname [StartAddr [Length [SkipOffset ["cp"]]]]]
The question is what format the files must have and how to figure out start address. I found some info in the Hermes Wiki. I also suggested Excalibur various tests:
1. The file test3.nbs in this case has a 0x20 byte header ("R000FF") which includes data blocksize and signature size and flag. But somehow it doesn't like the start address of which I also don't know how to figure it out for the various ROM parts. How was that done for Hermes? (reversing SPL or sniffing USB)
Code:
Cmd>lnbs test3.nbs 500a0000
clean up the image temp buffer at 0x8C080000 Length 0x03900000
MTTYDownloadImage "test3.nbs"
:F=test3.nbs
start download
S
HAddress A0000000h Length 0040034Dh
Start Address out of boundary
checking image header
2. The file test.nb w/o any header, just the 4MB binary file with no modifications
Code:
Cmd>ls test.nb 500a0000
clean up the image temp buffer at 0x8C080000 Length 0x03900000
MTTYDownloadImage "test.nb"
:F=test.nb
start download
S
HAddress A0000000h Length 00400000h
Start Address out of boundary
checking image header
3. The file test2.nbh with a full .nbh header and given type 0x300 (GSM Radio code, although the 4MB file also includes config and simlock data etc.). This was actually the most succesful since it passed mosts tests in the SPL. So it seems a valid file, but it couldn't be confirmed that anything was flashed at all.
Code:
Cmd>lnbs test2.nbh 500a0000
clean up the image temp buffer at 0x8C080000 Length 0x03900000
MTTYDownloadImage "test2.nbh"
:F=test2.nbh
start download
S
HAddress 00000000h Length 0040054Dh
Start Address out of boundary
checking image headerFirst MTTY record empty
Image Download Finish... please check your image
Please reset the device to restart the program!!
DownloadImage success.
Can anyone with more knowledge about this subject please drop some feedback? Thx!
Cheers
JockyW
Edit: I totally forgot about the wdata command which is used by the official RUU. It can not be used interactive from MTTY, but it is possible to use it from self written programs. I think the idea is that only signed .nbh files (which include ROM type information in the header) can use be flashed using this command:
Code:
wdata length checksum
Once all data and the last signature (flag == 2) has been sent to SDRAM and all CRC and sig checks are passed the flashing process starts. The funny thing is that the help text of wdata suggests that also unsigned data can be flashed or be dropped at any memory location. Is this intentional deceiving by HTC ??
Code:
Cmd>wdata
Usage:
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
while flashing test2.nbh, wlan data doesn't be modified.
jockyw2001's question is very important to find our wi-fi back. plz help us!Thanks!
details about our problem and what we have done can be seen at http://forum.xda-developers.com/showthread.php?t=328690
jockyw2001
You may use method imei-check - they for flash of the area CID have changed address of the flash splash screen - hereinafter they form file nbh (consists only of splash screen) with necessary area CID.
arc said:
jockyw2001
You may use method imei-check - they for flash of the area CID have changed address of the flash splash screen - hereinafter they form file nbh (consists only of splash screen) with necessary area CID.
Click to expand...
Click to collapse
Ah great! You've got a link as well? Thx!
Hi jocky,
interesting thing..
why don;t u try its utils for the above and check..
issue pdcocread -l command and get the header and rom address.
then try with lnbs or ls command to flash back.From whatever I know, lnb and lnbs/ls command can b used when yr device is Super CID.
While flahing ROM, RUU issues set le 1 command and write the ROM using wdata command.You can check these things, with USB monitor
hdubli
The commands lnb and lnbs different -
lnb - load the unsigned code.
lnbs- load signed code -have other structure and headline
hdubli said:
issue pdcocread -l command and get the header and rom address.
then try with lnbs or ls command to flash back.From whatever I know, lnb and lnbs/ls command can b used when yr device is Super CID.
Click to expand...
Click to collapse
hi,
pdocread -l returns:
Code:
>pdocread.exe -l
58.82M (0x3ad1000) DSK1:
| 2.09M (0x217400) Part00
| 3.20M (0x333000) Part01
| 53.53M (0x3586800) Part02
59.31M (0x3b4f000) DSK2:
| 59.06M (0x3b0e800) Part00
...
You mean the values in parantheses?
On excalibur only signed data is accepted by ls or lnbs (dunno the difference between the two. Anyone?).
I disassembled spl and found the startaddress boundary check routine. In it I see the hardcoded nand address boundaries which have no resemblance whatsoever with pdocread.
I'm now checking arc's hint to patch splash screen flashroutine in same way as imei-check does it. I just hope I can use ls and lnbs (with USPL of course), since that would be far more comfortable
This is the error:
Install system fs image: /home/fede/cm10.1/out/target/product/p350/system.img
/home/fede/cm10.1/out/target/product/p350/system.img+ maxsize=214106112 blocksize=135168 total=150186432 reserve=2162688
Package target files: /home/fede/cm10.1/out/target/product/p350/obj/PACKAGING/target_files_intermediates/cm_p350-target_files-eng.fede.zip
Package OTA: /home/fede/cm10.1/out/target/product/p350/cm_p350-ota-eng.fede.zip
device/lge/p350/releasetools/ota_from_target_files -v \
-p /home/fede/cm10.1/out/host/linux-x86 \
-k build/target/product/security/testkey \
--backup=true \
--override_device=pecan,p350,p355 \
--extras_file=build/tools/releasetools/extras.txt \
/home/fede/cm10.1/out/target/product/p350/obj/PACKAGING/target_files_intermediates/cm_p350-target_files-eng.fede.zip /home/fede/cm10.1/out/target/product/p350/cm_p350-ota-eng.fede.zip
Given a target-files zipfile, produces an OTA package that installs
that build. An incremental OTA is produced if -i is given, otherwise
a full OTA is produced.
Usage: ota_from_target_files [flags] input_target_files output_ota_package
-b (--board_config) <file>
Deprecated.
-k (--package_key) <key> Key to use to sign the package (default is
the value of default_system_dev_certificate from the input
target-files's META/misc_info.txt, or
"build/target/product/security/testkey" if that value is not
specified).
For incremental OTAs, the default value is based on the source
target-file, not the target build.
-i (--incremental_from) <file>
Generate an incremental OTA using the given target-files zip as
the starting build.
-w (--wipe_user_data)
Generate an OTA package that will wipe the user data partition
when installed.
-n (--no_prereq)
Omit the timestamp prereq check normally included at the top of
the build scripts (used for developer OTA packages which
legitimately need to go back and forth).
-e (--extra_script) <file>
Insert the contents of file at the end of the update script.
-a (--aslr_mode) <on|off>
Specify whether to turn on ASLR for the package (on by default).
--backup <boolean>
Enable or disable the execution of backuptool.sh.
Disabled by default.
--override_device <device>
Override device-specific asserts. Can be a comma-separated list.
-p (--path) <dir>
Prepend <dir>/bin to the list of places to search for binaries
run by this script, and expect to find jars in <dir>/framework.
-s (--device_specific) <file>
Path to the python module containing device-specific
releasetools code.
-x (--extra) <key=value>
Add a key/value pair to the 'extras' dict, which device-specific
extension code may look at.
-v (--verbose)
Show command lines being executed.
-h (--help)
Display this usage message and exit.
** option --extras_file not recognized **
make: *** [/home/fede/cm10.1/out/target/product/p350/cm_p350-ota-eng.fede.zip] Error 2
This is at the end, when generating OTA zip file.
Any clue?
Thanks.
Sorry for necroying, Did u solve this issue? thanks
I am doing R&D on FOTA(Firmware Update Over the Air) using Nexus 7-Wifi(grouper). For which I followed the following steps.
1. Downloaded the android source from source.android.com for v 4.2.2_r1 and v 4.3_r1
2. Downloaded the binaries for grouper, extract it to my source folder.
3. Then I compiled the source code using following commands.
i. source build/envsetup.sh
ii. lunch full_grouper-userdebug
iii. make -j8 dist
4. After few tries, I had success in compiling the source for Nexus 7(grouper).
5. I got following files in $out/source_4.2.2/dist folder
-----------------------------------------------
adb*
android-common-carousel.jar
android-common.jar
android-info.txt
android-support-v13.jar
android-support-v4.jar
android-support-v7-gridlayout.jar
build.prop
com.android.nfc_extras.jar
fastboot*
full_grouper-apps-eng.root.zip
full_grouper-emulator-eng.root.zip
full_grouper-img-eng.root.zip
full_grouper-ota-eng.root.zip
full_grouper-symbols-eng.root.zip
full_grouper-target_files-eng.root.zip
gpl_source.tgz
guava.jar
installed-files.txt
jsr305.jar
mkbootfs*
mkbootimg*
mkyaffs2image*
mp4parser.jar
package-stats.txt
ramdisk.img
signapk.jar
vendor_owner_info.txt
-----------------------------------------------
6. Then I generated my own keys using /development/tools/make_key tool for media, testkey, releasekey, shared, platform.
Assume my keys are locate at /keys folder.
7. Then I created a signed target zip file using following command.
/source/build/tools/releasetools/sign_target_files_apks -v -p ../host/linux-x86 -d /keys full_grouper-target_files-eng.root.zip signed_target_files.zip
8. From signed target zip file I create
/source/build/tools/releasetools/img_from_target_files -v -p ../host/linux-x86 signed_target_files.zip signed_img_from_target_files.zip
9. Then I flashed the signed_img_from_target_files.zip using fastboot command using the following script:
----------------------------------------------------------------------
fastboot oem unlock
fastboot erase boot
fastboot erase cache
fastboot erase recovery
fastboot erase system
fastboot erase userdata
fastboot reboot-bootloader
sleep 10
fastboot -w update signed_img_from_target_files.zip
----------------------------------------------------------------------
10. The device gets flashed well and is working, but I am getting an log while flashing in which it is unable to find boot.sig, system.sig and recovery.sig
11. Now the otacerts.zip file contains a testkey which is not the one that I signed it with.
file located at "/system/etc/security/otacerts.zip" on device.
12. Now since the otacerts.zip is signed with the default key it gives a mismatch error which I tried to flash an OTA update which is signed by the my custom key.
Now my doubt is:
How can I add boot.sig, recovery.sig and system.sig to signed_img_from_target_files.zip?
Is there anything I am doing wrong?
Does the recovery checks the current ROM keys from "/system/etc/security/otacerts.zip"?
What is the correct procedure to sign the OTA update?
i am posting this reply just for people who are looking for help too,
you need to explicitly define "BUILD_SECURE := true" in your device make file so that android/build/core/Makefile will use device/*/$(TARGET_DEVICE)/releasekey.x509.pem for OTA_PUBLIC_KEYS
I downloaded firmware (G8441_Service Exchange Unit_1309-6969_47.1.A.2.281_R2B) using flashtool 64 and extracted the newflasher files to the folder. When I run newflasher.exe I get the following error:
Code:
Device path: \\?\usb#vid_0fce&pid_b00b#6&df2ee03&0&6#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: Universal Serial Bus devices
Device Instance Id: USB\VID_0FCE&PID_B00B\6&DF2EE03&0&6
Optional step! Type 'y' and press ENTER if you want dump trim area, or type 'n' and press ENTER to skip.
Do in mind this doesn't dump drm key since sake authentifiction is need for that!
n
ERROR: GetOverLapped_out_Result: failed with error code 1 as follows:
Incorrect function.
- Error write! Need nBytes: 0x18 but done: 0x0
nBytes[0x0]:
- Error writing command getvar:max-download-size!
End. You can disconnect your device when you close newflasher.exe
Press any key to continue . . .
Hello everyone,
I wanted to breakfast for my Device, but it seems that the Command is not being found.
Already typed in the "source build/envsetup.sh" Command. I am on Manjaro