AMSS, Bootloader Questions - Bada Software and Hacking General

Hi.
I've played short with amss.bin and changed 1 Byte somewhere in "useless" Text.
Multiloader seems to check this manipulation...
Any idea where in file is CRC, Hash or something like that?
Also any idea if RSA 2048 is activated for Bootloader or AMSS?
Best Regards

I have heard that in bada 1.2 ROMs it's activated but the old ones...

Some packages include more than 2 files:
dbl.mbn
boot_loader.mbn
In T-Mobile Firmware I found also few ELF files...
decrypted_boot_loader.bin is decrypted with PSAS.
Best Regards

I think there are 3 Boot Loader.
We know only 2 files:
dbl.mbn----------------> human readable (find Text like Qualcomm)
boot_loader.mbn--------> encrypted (decrypt with PSAS for instance)
DBL------> Device Boot Loader
FSBL-----> Fail Safe Boot Loader
OSBL-----> OS Boot Loader
Check out Qualcomm manual in QPST... see Screenshots.
Check out above post from me... there are ELFs included...
Maybe start with:
BL3_univ_s.elf
If you wish Android porting.
If I'm wrong, please correct me.
Best Regards

And if we would dual-boot Android then which loader would we need to edit, and how would we disassemble it?

And if we would dual-boot Android then which loader would we need to edit, and how would we disassemble it?
As I saw on S8000 project it seems they "only" change boot_loader.mbn.
But it seems it was not encrypted.
This time on S8500 it is encrypted...
As we can not encrypt them, decrypt is not problem... also enough ELF files are floating around.
First Question is. How write not encrypted boot_loader.mbn to S8500 without killing the handset.
This is the very, very basic Question. Long time before """IDA"""...
So again.
RIFF Box JTAG could help to understand, if Security is low enough to write modified Bootloader back to handset.
All other things are dreams.
Best Regards
Edit 1.
But it could be, that dbl.mbn prevent modification of boot_loader.mbn.
Or other Checks are integrated to prevent easy Bootloader change.
For JTAG user... Is it possible to erase NAND from 0 to 20000 (first 2 MB).
Attention! Not best idea as much harder to write then... also with JTAG.
But is this area protected by something? RSA Keys?
Nand write protection?
Edit 2.
S8500 is 5 x bigger than S8000 boot_loader.mbn
300 KB against 1600 KB
So I'm pretty sure Samsung integrated more Security...

Hi All.
Now I am playing with porting Android to my S8500.
I see that the Korean m130k very similar to our S8500(shw-m120s),
see pics files from FCC site.
and now I'm looking for bootloader files for m130k.
Also, I have Riff box

@ oleg_k
Thank you very much for these interesting infos.
I will contact you later via PM as I have several Questions...
I found this:
http://www.gadgetfolder.com/samsung-galaxy-k-shw-m130k-android-smartphone.html
Best Regards

Adfree,
will be interesting to talk with you.
Regards

I've investigated JTAG dump...
First 4 MB in 2 GByte moviNAND looks like that:
Code:
000000-16BB0E Boot boot_loader.mbn (not encrypted)
16BB10-1BFF7F 337 KB 0000 (empty) part of Boot
1BFF80-1BFFFF ??? 128 Bytes (RSA ???)
1C0000-1FFFFF 256 KB FFFF (empty)
200000-244B27 DBL dbl.mbn
244B28-3FFFFF 1,7 MB FFFF (empty)
400000 AMSS amss.bin
Now I spent some time to find used boot_loader.mbn and dbl.mbn to be sure that not additional Data is written... this takes some time...
Edit:
In this Dump Version S8500+XX+JD9 is used. I hope I will find Firmware with Bootfiles for compare...
Edit 2.
S8500XXJD2.zip no Bootfiles
S8500XXJD3.zip no Bootfiles
S8500XXJD4.zip no Bootfiles
S8500XXJDA.zip no Bootfiles
S8500XXJDB.zip no Bootfiles
I found 4-5 packages with XXJDx in name... now I will download them all. Hopefully I find Bootfiles that matches S8500+XX+JD9
Edit 3.
Found only XXJDx without Bootfiles...
Last try for today is S8500XXJDZ.zip, but I have download problems... need more than 2 hours...

Good work adfree. You are great.
This seems more interesting than other ports.

Okay, I found in S8500XXJDZ.rar
S8500+XX+JD9
dbl from JTAG Dump is 100 % identical.
Last 1024 Bytes are not written into memory...
dumped DBL = dbl.mbn
But dumped boot_loader(.mbn) is with Changes... later more.
0-1FFFF identical
20000-??? long, long empty... FFFFFF
More infos will come later.
Best Regards

It seems much easier than I thought.
No private Data like IMEI... if not removed from JTAG Dump (first 4 MB before AMSS).
In Bootloader part is only once written Block with FF (empty). So
128 KB Block is empty.
boot_loader.mbn is split into 2 parts...
I will make JTAG template for XXJL2 as example.
This I can upload.
Best Regards

adfree said:
It seems much easier than I thought.
No private Data like IMEI... if not removed from JTAG Dump (first 4 MB before AMSS).
In Bootloader part is only once written Block with FF (empty). So
128 KB Block is empty.
boot_loader.mbn is split into 2 parts...
I will make JTAG template for XXJL2 as example.
This I can upload.
Best Regards
keep it up buddy.

Okay. Based on my knowledge and JTAG dump...
I have prepared template for JTAG based on XXJL BOOTFILES.
Last 1024 Bytes of decrypted files are NOT written into moviNAND, I cut them:
boot_loader.mbn_part2.bin
dbl.mbn_part2.bin
boot_loader.mbn_PART1 is filled with 1 Block FF (128 KB) at 0x20000
Result is 4 MB file... 0 - 0x400000... Bootarea before AMSS.
Position 1BFF80-1BFFFF looks really like RSA 1024...
Check first 16 Bytes of boot_loader.mbn_part2.bin
Maybe this is the MD5 Hash which should be in the Signature?
Maybe someone knows the Cert or public Key to decrypt the Signature...
XXJB6 has no Sigs...
Anyway.
Without Test if 0 - 0x400000 can replaced via JTAG, we have no progress.
Best Regards
ATTENTION! Please NOT use these files to flash with Multiloader!
You will brick your handset.
Edit.
Added S8500 XXJB6...
Added S8530 XXJK2
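An added example (not code from the thread's posts): a Python check that compares a boot-area dump with the firmware files, using the layout described above (1024-byte trailer cut, one 128 KB FF block at 0x20000, DBL at 0x200000, AMSS at 0x400000). The function names and the sample bytes are constructed for the example; a real dump and real files would be read from disk instead.

```python
"""Check a boot-area dump (first 4 MB) against vendor boot files.

Offsets follow the layout reported in the thread; all sample data is constructed.
"""

BLOCK = 0x20000        # 128 KB block; one FF block sits at 0x20000 inside the boot region
TRAILER = 1024         # last 1024 bytes of each decrypted file are not in the boot area
SIG_START, SIG_END = 0x1BFF80, 0x1C0000   # 128-byte block of unknown purpose
DBL_START = 0x200000
AMSS_START = 0x400000  # end of the boot area


def fill_state(region):
    """Classify a region as erased flash (FF), zero-filled (00) or real data."""
    if not region:
        return "none"
    if region.count(0xFF) == len(region):
        return "FF"
    if region.count(0x00) == len(region):
        return "00"
    return "data"


def expected_boot_region(boot_file):
    """boot_loader.mbn as laid out in NAND: trailer cut, FF block inserted at 0x20000."""
    body = boot_file[:-TRAILER]
    return body[:BLOCK] + b"\xff" * BLOCK + body[BLOCK:]


def first_mismatch(actual, expected):
    """Offset of the first differing byte, or None when the regions are identical."""
    if actual == expected:
        return None
    for i, (a, b) in enumerate(zip(actual, expected)):
        if a != b:
            return i
    return min(len(actual), len(expected))


def audit_boot_area(dump, boot_file, dbl_file):
    """Return a report dict; mismatch offsets are relative to the start of the dump."""
    if len(dump) < AMSS_START:
        raise ValueError("dump is shorter than the 4 MB boot area")
    boot = expected_boot_region(boot_file)
    dbl = dbl_file[:-TRAILER]
    if len(boot) > SIG_START or DBL_START + len(dbl) > AMSS_START:
        raise ValueError("file does not fit the reported layout")
    dbl_diff = first_mismatch(dump[DBL_START:DBL_START + len(dbl)], dbl)
    return {
        "boot_mismatch": first_mismatch(dump[:len(boot)], boot),
        "dbl_mismatch": None if dbl_diff is None else DBL_START + dbl_diff,
        "after_boot": fill_state(dump[len(boot):SIG_START]),
        "sig_block": fill_state(dump[SIG_START:SIG_END]),
        "after_sig": fill_state(dump[SIG_END:DBL_START]),
        "after_dbl": fill_state(dump[DBL_START + len(dbl):AMSS_START]),
    }


def sample(n, salt):
    """Constructed filler bytes (never 0xFF, never all zero) standing in for file content."""
    return bytes((i * 31 + salt) % 251 for i in range(n))


def build_sample_dump(boot_file, dbl_file):
    """Constructed 4 MB dump that follows the reported layout exactly."""
    dump = bytearray(b"\xff" * AMSS_START)
    boot = expected_boot_region(boot_file)
    dump[:len(boot)] = boot
    dump[len(boot):SIG_START] = bytes(SIG_START - len(boot))   # 00 fill after boot
    dump[SIG_START:SIG_END] = sample(SIG_END - SIG_START, 99)
    dbl = dbl_file[:-TRAILER]
    dump[DBL_START:DBL_START + len(dbl)] = dbl
    return dump


BOOT_FILE = sample(BLOCK + 0x5000 + TRAILER, 7)   # constructed stand-in for boot_loader.mbn
DBL_FILE = sample(0x4000 + TRAILER, 13)           # constructed stand-in for dbl.mbn

if __name__ == "__main__":
    dump = build_sample_dump(BOOT_FILE, DBL_FILE)
    print(audit_boot_area(dump, BOOT_FILE, DBL_FILE))
    dump[0x40010] ^= 0x01                          # simulate one changed byte
    print(audit_boot_area(dump, BOOT_FILE, DBL_FILE))
```

A mismatch offset inside the boot region at or above 0x40000 corresponds to the file offset minus one block, because of the inserted FF block.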

Hi adfree good work here!!
Sorry I can't help you, it's over my knowledge
Keep going dude

adfree said:
Last 1024 Bytes of decrypted files are NOT written into moviNAND
Just a correction here - the last 1024 are not encrypted in the same way as the rest of the file and they are in fact written, but to a different location
adfree said:
Position 1BFF80-1BFFFF looks really like RSA 1024...
I stand corrected if I'm looking at the wrong place, but it doesn't look much like a RSA key to me - it's not odd, so it's not a private exponent and MSB is not set, so it's not a modulus.

is there any easy task in this
i want to help but i am not a programmer
so what can i do????

Just a correction here - the last 1024 are not encrypted in the same way as the rest of the file and they are in fact written, but to a different location
Yes, interesting. Like an Log file/Flash history... if I search for tktoolver...
This is far after 500 MB...
I hope this is not relevant for Boot.
Position 1BFF80-1BFFFF looks really like RSA 1024...
I think this is the Signature... maybe. So boot_loader.mbn is signed by RSA 1024.
Only an idea, but I could be wrong. XXJB6 has not such 128 Byte Block.
There are also more different boot_loader.mbn possible.
Ehm, JE7 has different... called XX+JEE
I will compare few, but between JL2 and JDZ whole 128 Bytes differs...
I know this only from RSA 2048, where 256 Byte Signature for BenQ Qualcomm handsets...
Best Regards

At the moment I try to find matching Bootloader from S8530... for S8500+XX+JL2
Or other matching combination.
S8530XEJL2
S8530+XX+JK9
S8530XEJL4
S8530+XX+JK9
Maybe with S8530+XX+JL1 more luck...
I hope I will find combo, in same month. Maybe minor differences...
Best Regards
Edit.
Hmmmm, strange S8530 Bootloader most older than S8500...
S8530+XX+JK2
S8530+DD+JK3
S8530+XX+JK9
S8530+XX+JL1

Internal menu

http://wenku.baidu.com/view/e27ca2c66137ee06eff91876.html
After reading this I tried Code:
*#7092463*#
Several nice Settings, infos... and tests.
Like Touchscreentest with Coordinates, look weird Pic...
Bad. Not every Firmware support this Code.
JI5 for instance no chance... Reason I think is here:
http://forum.xda-developers.com/showthread.php?t=895526
We should more investigate this file...
I saw for S8000 they were also lucky to find new Code...
http://code.google.com/p/jetdroid/wiki/JetBootloader
I think this menu is active, only other Code needed for higher Firmware...
Best Regards
It seems not the Firmware Version is mandatory...
.. it seems this menu is locked...
I compared 2 Waves with same Firmware.
First no success. Second success... but after several Flashs I lost access to Internal menu.
Now after playing with AT commands... it is back.
It seems we can unblock... I have only no idea how exactly I've unblocked Internal menu.
Best Regards
Rsrc2_S8500(Low).rc2
Rsrc2_S8500(Mid).rc2 ----> it seems this can access Internal menu
It seems *.RC2 is the Block for Internal menu.
Compare both files, you see only 1 Byte difference.
Maybe this means something like, Low Security, Middle Security... maybe there are higher Settings possible...
I will check this.
Best Regards
how come this menu exists on wave 525 regardless of firmware?
hmm, I think I'm missing something here. In all the firmwares I've downloaded not once have I seen a Rsrc2_S8500(Mid).rc2.
Can you upload yours or otherwise let us know where we can get one from please.
Also can you tell us which firmware you're running please?
Cheers in advance,
D.
you can make yours as MID or even High with Wave remaker
http://forum.xda-developers.com/showthread.php?t=1028714
Don't forget to give a thanks to ho1od
Enter Code into handset:
Code:
*#33284*#
= Debug Level (Low, Middle, High)
Best Regards
adfree said:
Enter Code into handset:
Code:
*#33284*#
= Debug Level (Low, Middle, High)
Best Regards
Cheers Adfree - that's exactly what I was looking for ... I'm gonna try figure out decent keymaps for the android port
9600 Baud and check the setting UE Awake...
Ok...
Volume + = 0x54
Volume - = 0x55
Call = 0x50
Home = 0x53
Hangup = 0x51
Camera Halfpress = 0x8e
Camera Fullpress = 0x8d
Standby = 8f
now... how to change these into values for the s3c-keypad.kl file...
duxxyuk said:
now... how to change these into values for the s3c-keypad.kl file...
sorry to be off topic...
but...
the Android kernel interprets things differently, you can look at the kernel dmesg log when pressing the buttons if you want to see what is attached where, but some keys don't work from fota loader yet, people not interested in the dev side (like fixing fota or kernel issues instead of trying to install android apps) should wait for a proper release.
Not sure if before... but Backup and Restore seems possible on KK5...
Searching for folder where it is stored...
Best Regards
adfree said:
Not sure if before... but Backup and Restore seems possible on KK5...
Searching for folder where it is stored...
Best Regards
Thanks adfree
in before firmwares backup and restore works with kies but i dont know is it
available with phone or no .
can you please tell me how can i access to this menu ? i want to test it with other firmwares
Normally the answer is in this Thread...
Anyway.
Menu is blocked if not on Debug Level Mid or High... So first step:
*#33284*#
Later set back to Low to prevent Bluescreens.
Second step is:
*#7092463*#
Then:
4 Module Setting
11 Sync
At the moment no idea where Backupfile is stored...
In WinComm I saw this:
Code:
SmlBackupRestoreDebugHistoryResult: Cannot make config file!(/User/Mass/SmlMgr/_LastBnRHistory.txt)
I will deeper research...
Please remember. At your own risk. No idea if sideeffects...
Best Regards
any try to restoring failed
the error is : Restoring fail ( Manifest error or no Manifest ! )
---------- Post added at 12:30 PM ---------- Previous post was at 12:18 PM ----------
with stune :
User > SyncML
there is some *.cfg files
what is your idea is them backup files ?
Code:
+[059]=> [622.092]Packaging Start[/Media/_SamsungBnR_/Message.bk]
+[060]=> [622.109]Packaging Finish[/Media/_SamsungBnR_/Message.bk]:[Success]
+[061]=> [622.147]Packaging Start[/Media/_SamsungBnR_/MusicSetting.bk]
+[062]=> [622.166]Packaging Finish[/Media/_SamsungBnR_/MusicSetting.bk]:[Success]
I was able to create folder:
/User/Mass/SmlMgr/
Then file is written after Backup _LastBnRHistory.txt
Maybe I am blind, can't find yet folder /Media/_SamsungBnR_/
Maybe hidden or I am blind...
At the moment toooo lazy to backup again all files and searching for *.bk extension...
Maybe later more...
About Restore...
Success, but I have nothing installed yet and no SD card...
with stune :
User > SyncML
there is some *.cfg files
see below image :
there is some *.cfg files
Strange, I thought they are for FOTA...
I'll update to bada 1.0 and check again...
Maybe then more success to find *.bk files...
Best Regards
XXKL6 on my S8530 shows me Total Heap Mem.
245.760K
This seems 40 MB more than on bada 1.2...
Will check S8500...
Best Regards
adfree said:
XXKL6 on my S8530 shows me Total Heap Mem.
245.760K
This seems 40 MB more than on bada 1.2...
Will check S8500...
Best Regards
I can confirm this number in S8500... in XXKK7, 245.760 K... It seems that S8500 and S8530 are identical in memory issues..
Cheers!
Maybe we can find this info from S8600, S7250 and so on...
S8600 should have "more"... maybe...
Best Regards
that's right adfree, my s8600 show me more!

AT Commands + other kind of Commands

In amss.bin you can find several AT Commands...
Few short tested by me:
AT+DEVEXTMEMINSCHK?
Hmmm. returns only 2
No idea, I thought something for Memory...
AT+USERMEM
Returns 0k or maybe okay
AT+HEADERINFOSHOW?
Shows for instance the Memory name...
MemoryName:KAC007021M(S8500)
Btw... This is exact what we can read on Application Processor Chip.
1 hint that RAM is integrated with S5PC110 Processor...
Best Regards
TRY at your own risk. I have no idea what could happen.
s8500 support several types of at commands.
First type is common at commands set (70 commands), including AT+CPIN, AT+CMGR etc
the second (samsung specific, 171 commands) has many useful commands like etc
s8500 support 293 at commands (including common commands like AT+CPIN, AT+CMGR, and samsung specific like AT+IMEITEST, AT+CPU also)
complete list in attachment.
Do not use if you do not know what the command is for
AT+PRODUCTCODE?
Result:
AT+PRODUCTCODE? +PRODUCTCODE: GT-S8500BAADBT
If I enter:
AT+PRODCODE
Result:
Invalid Parameter
Hmmm. I'm not up to date in using AT commands.
Is it maybe possible to change Product Code via AT Command?
How is the correct Syntax for AT+PRODCODE ?
There are more interesting Commands.
Best Regards
P.S.:
I was only in Kies Mode, maybe other results in Debug Mode possible...
AT+DEVCONINFO
MN(GT-S8500);BASE(GT-S8500);VER(S8500XXKK7/S8500OXAKK7);HIDVER(S8500XXKK7/S8500OXAKK7);PRD(GT-S8500BAADBT);SN();IMEI(3xxxxxx3);PN();TZVER(20111025);CON(AT,MTP);HVID(Osp:2097153,IntSys:2097154);LOCK(NONE);LIMIT(FALSE)
Oh, not realized before... few changes...
On previous bada 1.x... looks like this:
MN(GT-S8530);VER(S8530XXJL2/S8530OXFJK3);HIDVER(S8530XXJL2/S8530OXFJK3);PRD(GT-S8530BAASEB)
MN should be manufacturer I think... this is very funny text string.
Best Regards
Edit 1.
My fault... MN is Model Name...
Ooh, this reminds me of the days when I had a SonyEricsson T68 and K750.... Good ol days ... One thing missing from those days .. Our samsung wave telephones don't do the Bluetooth HID protocol...
How do you send these commands?
Can you post output from:
AT+DGLOCK
AT+LVOFLOCK
AT+DETALOCK
?
How do you send these commands?
You can choose... there are hundreds of Tools, or write your own Terminal...
Few Tools I've used for this...
Revskills very often...
WinComm
QuB...
.
.
AT+DGLOCK
AT+LVOFLOCK
AT+DETALOCK
I'm little wimpy old man as you know...
But as I have 0 info about this... I'm scared to lock something and brick my handset...
No idea how to unlock ...
I'll investigate more...
Google research etc. and report later more... I'll try to be on the safer side...
About DELTA files/FOTA...
http://www.megaupload.com/?d=Z53R1IVX
I have upload few of S8500.
Maybe we find Commands or way to install manually these *.cfg Deltas...
Maybe AT Command also work...
Best Regards
Edit 1.:
Found this... untested yet:
Code:
AT+FOTALOC
AT+FOTAREADY
AT+FOTASTART
Edit 2...
Or maybe more such DEV Commands...
GetFotaEngineVer
Get FOTA Engine Version
Edit 3...
Maybe for Update... better search for something like this:
SML_DM_FUMO_STATE
Or SCOMO
SCOMO Download Complete go to ui event 1...
SCOMO...Warning!!!! Delta Over Size
DownloadAndUpdate...org.openmobilealliance.dm.firmwareupdate.devicerequest
http://www.openmobilealliance.org/t...ram/docs/ets/oma-ets-fumo-v1_0-20061215-c.pdf
I'm sure LVOFLOCK gets level of lock - doesn't overwrite anything
The same about DETALOCK (detailed lock)
Just don't remember what was the code for DGLOCK, so don't use it for now if u're scared. You won't find these in google I think, these are Samsung specific, maybe only Mocha specific.
//edit:
Btw, many of AT commands goes to AMSS, but only what AMSS do is calling Mocha function in AP corresponding to AT command and returning result. For eg LVOFLOCK make AMSS invoke Bada function (also accessible from QuB) GetLevelOfLock and get its return value. Can you compare result of these 2 maybe?
http://electronix.ru/forum/index.php?act=attach&type=post&id=46875
Tested by me...
AT+FOTALOC?
: Others
This seems location... folder... Others
AT+FOTAREADY?
COPYRETRY
But AT+FOTASTART seems correct...
Handset reboots... like if I delete *.cfg files...
Hmmmmmmmmm.
Will log with WinComm... maybe then more info...
Best Regards
At+preconfig=2,tmb
at+lvoflock=1,0
at+factrst=0,1
at+lvoflock=0,0
600 pages FOTA OTA Command with explain :
http://www.scribd.com/doc/63560940/47/FOTA-Commands
http://www.google.fr/url?sa=t&rct=j...sg=AFQjCNFTQzBSwRrZg82TEZSOleqClg4dbA&cad=rja
AT+FOTASTART 2400258.cfg
Error...
AT+FOTASTART after Download of package, not start downloaded update.
Maybe wrong syntax or FOTA of Qualcomm part only... amss.bin...
I can't see anything with WinComm... maybe next try with QXDM... if amss related...
@ Tigrouzen
Many thanx for helpful Links.
Best Regards
adfree said:
AT+FOTASTART 2400258.cfg
Error...
AT+FOTASTART after Download of package, not start downloaded update.
Maybe wrong syntax or FOTA of Qualcomm part only... amss.bin...
I can't see anything with WinComm... maybe next try with QXDM... if amss related...
@ Tigrouzen
Many thanx for helpful Links.
Best Regards
But i remember some time Samsung change this thing like not AT+FOTAUIMODE but
AT&FOTAUIMODE
Now its work but no Carrier
In our wave AT+CPIN doesnt work but AT&CPIN works
Code:
AT+FOTALOC?
AT+FOTAREADY?
AT+FOTASTART
Short tried on bada 1.0... JE7 Firmware...
All 3 output was Error...
Okay, not included in amss...
2400258.cfg also as text String in apps_compressed...
Will play little bit with Delta... then move to XXJL2...
Best Regards
Little progress...
AT+DEVCONINFO
Code:
MN(GT-S8600);VER(S8600XXKJC/S8600DBTKJ4);HIDVER(S8600XXKJC/S8600DBTKJ4)...
My S8500...
Best Regards
Did you get S8600 fw on your S8500 !!!!
Man this JTAG playing could kill your phone
Best Regards
Nah, he got FW ID from S8600 on S8500, while S8600 ShpApp & RC may be possible to run on S8500 and vice versa, rather no way about other things. ;P
"DEVCONINFO"="MN(GT-S8600);BASE(GT-S7250);VER(S8600XXKK5/S8600DBTKL1);HIDVER(S8600XXKK5/S8600DBTKL1);PRD(GT-S8600HKADBT)
Many thanx to S8600 user for nice info.
Best Regards
AT+SECUKEY +SECUKEY:"DXDxxxxxxxxxxxx=="
OK
AT+AUTHKEY +AUTHKEY:FAIL
OK
AT+DEVAUTH +DEVAUTH:SUCCESS
OK
AT+CERTKEY +CERTKEY:"X5Mxxxxxxxxxxx=="
OK
AT+PASSWORDINPUT +PASSWORDINPUT:SUCCESS
OK
Found Commands in WsSyncml.so, see here:
http://forum.xda-developers.com/showpost.php?p=21541765&postcount=4
No idea yet, what it is.
Best Regards
b.kubica said:
complete list in attachment.
Nice post b.kubica
Are you aware of the Qualcomm commands?
AT+CLAC lists these extra commands:
$QCSIMSTAT
$QCCNMI
$QCCLR
$QCDMG - Diagnostic Mode initiation.
$QCDMR - Diagnostic Mode (Baud) Rate. at$qcdmr=? shows available baud rates, at$qcdmr? shows current baud rate
$QCDNSP
$QCDNSS
$QCTER
$QCSLOT
$QCPINSTAT
$QCPDPP - Packet Data Protocol authentication Parameters - see w w w . shapeshifter . se/2008/04/30/list-of-at-commands/
$QCPDPLT
$QCPWRDN
$QCDGEN
$BREW
$QCSYSMODE
$QCCTM
$SUSBC
$NWMDCHNG
$SHPSLEEP
Not sure what they do. All I've found so far is at$qcsysmode restarts the phone with what looks like a file list coming out on the serial port. BREW is the Qualcomm application language.
Does AT_OWANCALL exist in the ROM? That is sometimes used to set up UMTS/HSDPA connections.

[Q] How to edit .so files present in the ShpAPP Bada firmware file?

I need a disassembler to decompile and recompile .so files which I believe are Linux binaries coded in C or C++. I am on Windows Vista and I would appreciate it if anyone could help me find Linux binary decompilers for Windows. If we are able to edit these files, Cufirmwares will be a reality!
They are signed by RSA 1024...
Best Regards
We can try to research a little bit in these files... maybe we find useful things.
But to replace or to edit them should be very tough...
Not tested by me. I've only seen files in data folder...
Anyway, you can try and report.
Best Regards
Edit 1.
Attached little overview... based on XXJL2:
Code:
SystemFS\Osp\AppControl.so
SystemFS\Osp\BluetoothAppControl.so
SystemFS\Osp\BrowserAppControl.so
SystemFS\Osp\CalendarAppControl.so
SystemFS\Osp\CameraAppControl.so
SystemFS\Osp\CommerceAppControl.so
SystemFS\Osp\ContactAppControl.so
SystemFS\Osp\data
SystemFS\Osp\FGraphicsEgl.so
SystemFS\Osp\FGraphicsOpengl.so
SystemFS\Osp\FMediaPiServer.so
SystemFS\Osp\FMessagingPiServer.so
SystemFS\Osp\FNetPiServer.so
SystemFS\Osp\FOsp.so
SystemFS\Osp\FOspPiClient.so
SystemFS\Osp\FSecurityPiServer.so
SystemFS\Osp\FSevenPiServer.so
SystemFS\Osp\FSocialPiServer.so
SystemFS\Osp\FSystemPi.so
SystemFS\Osp\FSystemPiServer.so
SystemFS\Osp\FUixPiServer.so
SystemFS\Osp\FWebPiServer.so
SystemFS\Osp\GenericAppControl.so
SystemFS\Osp\libc-newlib.so.0
SystemFS\Osp\libCurl.so
SystemFS\Osp\libeay32.so
SystemFS\Osp\libexpat.so
SystemFS\Osp\libgcc_s.so.1
SystemFS\Osp\libm-newlib.so.0
SystemFS\Osp\libstdc++.so.6
SystemFS\Osp\libwrapper.so
SystemFS\Osp\libwrapperS.so
SystemFS\Osp\libZlib.so
SystemFS\Osp\mappserver.so
SystemFS\Osp\matrix.so
SystemFS\Osp\mbase.so
SystemFS\Osp\mbaseio.so
SystemFS\Osp\mcontentS.so
SystemFS\Osp\mdevDataSyncManagerServer.so
SystemFS\Osp\MediaAppControl.so
SystemFS\Osp\MessageAppControl.so
SystemFS\Osp\mlocCommon.so
SystemFS\Osp\mlocLocationAgent.so
SystemFS\Osp\mlocS.so
SystemFS\Osp\mosp.so
SystemFS\Osp\msAccel.so
SystemFS\Osp\msclLifelogPi.so
SystemFS\Osp\msclSnsGateway.so
SystemFS\Osp\msecCredentialManagerServer.so
SystemFS\Osp\msecCryptoPi.so
SystemFS\Osp\msecPrivilegeManagerServer.so
SystemFS\Osp\msGps.so
SystemFS\Osp\msMagnetic.so
SystemFS\Osp\msProximity.so
SystemFS\Osp\msTilt.so
SystemFS\Osp\msvcConnectionManagerServer.so
SystemFS\Osp\msvcMessageAgentServer.so
SystemFS\Osp\msWeather.so
SystemFS\Osp\msysserver.so
SystemFS\Osp\MTAdaptor.so
SystemFS\Osp\newlibAdaptor.so
SystemFS\Osp\Osp.so
SystemFS\Osp\ospmemory.so
SystemFS\Osp\OspServer.so
SystemFS\Osp\SettingAppControl.so
SystemFS\Osp\ShpAppFrmwkClient.so
SystemFS\Osp\ShpGWESMEClient.so
SystemFS\Osp\ShpGWESWinSetClient.so
SystemFS\Osp\ShpScAdaptor.so
SystemFS\Osp\ShpScPushAdaptor.so
SystemFS\Osp\ShpWinServer.so
SystemFS\Osp\SignInAppControl.so
SystemFS\Osp\SnsAuthAppControl.so
SystemFS\Osp\sqlite360.so
SystemFS\Osp\ssleay32.so
SystemFS\Osp\StubDynCast.so
SystemFS\Osp\TestUtil.so
SystemFS\Osp\WidgetAppControl.so
astrotom said:
I need a disassembler to decompile and recompile .so files which I believe are Linux binaries coded in C or C++. I am on Windows Vista and I would appreciate it if anyone could help me find Linux binary decompilers for Windows. If we are able to edit these files, Cufirmwares will be a reality!
Only one Windows disassembler works fine with ARM ELF files - it is IDA Pro. Hte can be used as a hex editor, and recognizes the ELF header well (this information may be useful), but cannot disassemble ARM code.
is sharing pirated programs against the forum rules????
i found IDA pro but don't know for real how to deal with it
mylove90 said:
is sharing pirated programs against the forum rules????
i found IDA pro but don't know for real how to deal with it
Could you please share IDA Pro? It would be a great help!
ok it is a torrent file in fact
here you go
Mod edit: Removed link to pirated software.
We need to find a way to decrypt these RSA 1024bit encryptions somehow. Research shows that RSA 1024bit is not as secure as it seems.
mylove90 said:
ok it is a torrent file in fact
here you go
Thanks for that! You have by no chance the latest IDA Pro 6.1? It supports ARM code debugging and Android bytecode (Dalvik) disassembly.
made my research and it is obviously cracked before by 3 men
they used 81 Pentium 4 processors and it took from them 104 hours to make it happen
i don't see that easy at all
no i don't have 6.1
i looked for it too but i think that version supports arm processor too
don't know about other things but i'll keep looking for it
mylove90 said:
made my research and it is obviously cracked before by 3 men
they used 81 Pentium 4 processors and it took from them 104 hours to make it happen
i don't see that easy at all
Well, I think 10-20 core i7 processors will more than surpass the 80 pentium 4's
mylove90 said:
made my research and it is obviously cracked before by 3 men
they used 81 Pentium 4 processors and it took from them 104 hours to make it happen
i don't see that easy at all
You should read more carefully as you don't understand the nature of that attack. If you had the possibility to sign arbitrary data you wouldn't need to attack the private key in the first place.
Nice would be, we would known which Cert is used. Maybe in Security folder...
Or if only public key is somewhere in the NAND...
And btw... RSA 1024 private key to "generate" is tough. More than tough.
Simple example:
A-128 Byte is public key
B-128 Byte is the Signature
Signature contains Hash Value, depend on Settings in Cert... in other Words it is encrypted Hash.
MD5 or SHA1 is very often used...
Step 1.
If you know public key you can look into Signature.
You can decrypt...
Step 2.
Depend on your result... Maybe MD5 is in the Signature. Then you have 16 Byte.
Step 3.
You have to be sure, which part of Data is hashed ...
MD5 of full Data or not.
The private key is used to encrypt MD5 in my example...
So 16 Byte MD5 is encrypted by 128 Byte private key, result is the Signature:
128 Byte
Look here. This are 128 Byte:
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Okay. Looks not soooo big.
But hey, its HEX Value...
If you try to Brute Force then you have many, many MANY combinations to try.
The hardest part is to create Software for such RSA attacks...
To click 1 Button and wait maybe 3 years is not really problem.
But there is no such Software public to try it at home.
Some smart Hacker could start with RSA 32... I have forgotten which is smallest RSA allowed in Certs...
Best Regards
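An added example, not code from the thread: what "looking into" a 128-byte signature with the public key means, together with the two plausibility checks mentioned earlier in the thread for a candidate modulus (top bit set, value odd). It assumes PKCS#1 v1.5 padding and uses a throwaway key generated inside the example; the handset's real key, padding and hash are not known from the posts.

```python
import hashlib
import random

# DigestInfo prefixes from PKCS#1 v1.5 (RFC 8017). Assumption: the thread does not
# establish which padding or hash the handset really uses.
DIGEST_INFO = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
}

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test, used only to build the throwaway demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_demo_key(bits=1024, e=65537, seed=8500):
    """Constructed key pair (n, e, d); it has nothing to do with any vendor key."""
    rng = random.Random(seed)
    half, primes = bits // 2, []
    while len(primes) < 2:
        c = rng.getrandbits(half) | (3 << (half - 2)) | 1  # top two bits set, odd
        if c % e != 1 and c not in primes and is_probable_prime(c, rng):
            primes.append(c)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def sign(data, n, d, algo="md5"):
    """Private-key operation: pad DigestInfo+hash to modulus size, raise to d."""
    k = (n.bit_length() + 7) // 8
    t = DIGEST_INFO[algo] + hashlib.new(algo, data).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def open_signature(sig, n, e):
    """Public-key operation: recover (hash name, digest) stored in the signature."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        raise ValueError("signature does not fit this modulus")
    em = pow(s, e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("padding check failed: wrong key or altered signature")
    rest = em[sep + 1:]
    for algo, prefix in DIGEST_INFO.items():
        size = hashlib.new(algo).digest_size
        if rest.startswith(prefix) and len(rest) == len(prefix) + size:
            return algo, rest[len(prefix):]
    raise ValueError("unrecognised DigestInfo")

def verify(data, sig, n, e):
    """True only if the digest inside the signature matches the data."""
    try:
        algo, digest = open_signature(sig, n, e)
    except ValueError:
        return False
    return hashlib.new(algo, data).digest() == digest

def plausible_modulus(blob):
    """Big-endian blob can be an RSA modulus only if its top bit is set and it is odd."""
    return len(blob) > 0 and bool(blob[0] & 0x80) and bool(blob[-1] & 1)

def demo():
    n, e, d = make_demo_key()
    data = b"constructed stand-in for a library body"
    sig = sign(data, n, d)
    return {
        "sig_len": len(sig),                                  # 128 bytes for RSA 1024
        "opened": open_signature(sig, n, e),                  # hash name + 16-byte MD5
        "ok": verify(data, sig, n, e),
        "after_1_byte_change": verify(b"C" + data[1:], sig, n, e),
        "modulus_plausible": plausible_modulus(n.to_bytes(128, "big")),
    }

if __name__ == "__main__":
    print(demo())
```

Only `sign` needs the private exponent; `open_signature` and `verify` work with the public values alone, and the signed data itself stays readable throughout.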
hahahaha
so funny the hex value code
imagine it as binary and yes it is like a nightmare to crack
astrotom said:
I need a disassembler to decompile and recompile .so files which I believe are Linux binaries coded in C or C++. I am on Windows Vista and I would appreciate it if anyone could help me find Linux binary decompilers for Windows. If we are able to edit these files, Cufirmwares will be a reality!
Could you describe what exactly you are planning to change there?
mijoma said:
Could you describe what exactly you are planning to change there?
If you dump the ShpApp file, you will find a lot of files in .so format. I thought we could disassemble them just like any other normal binary so that I can explore into those files and see what I can change. But as adfree added, they are RSA 1024 bit encrypted files. All you will get in ASCII or unicode is non-human readable crap! *Disappointed*
astrotom said:
If you dump the ShpApp file, you will find a lot of files in .so format. I thought we could disassemble them just like any other normal binary so that I can explore into those files and see what I can change. But as adfree added, they are RSA 1024 bit encrypted files. All you will get in ASCII or unicode is non-human readable crap! *Disappointed*
They are SIGNED, not encrypted. We can disassemble them. What human-readable are you expecting to see? Is assembly human-readable enough?
adfree said:
Nice would be, we would known which Cert is used. Maybe in Security folder...
Or if only public key is somewhere in the NAND...
Under OSP/data for each .so file there are a .htb and a .sig file, maybe that could help you to find what you are looking for.
mijoma said:
They are SIGNED, not encrypted. We can disassemble them. What human-readable are you expecting to see? Is assembly human-readable enough?
I tried disassembling with IDA Pro but not much help since the disassembled code contains odd characters in some places where instead, codes should have been found.
If someone knows assembly codes, maybe he can help to rewrite the disassembled code in pure C/C++

Since XXKK5 Update over the Air aka FOTA for S8500/S8530 AND S8600

S8500XXKK5 is able to update Firmware over the Air... See here:
http://forum.xda-developers.com/showpost.php?p=19663390&postcount=17
This is DELTA files stuff... Header:
BPDZ
Seen in several Firmware packages...
Main file is in:
User\Mass\SyncML\Fota\*.cfg
5 MB
Additional files are in
User\SyncML\*.cfg
You can choose later with Reminder to Backup files.
Handset creates now NEW files like apps_compressed.bin.
Around 5 Minutes... See Video:
http://www.youtube.com/watch?v=jhKquCccyD8&feature=player_embedded
Now I have dump via JTAG KKV...
I will upload soon apps_compressed.bin for study...
Best Regards
Edit 1.
CONFIRMED devices:
Code:
S8500 DBT
S8530 XEF
S8600 XEF
KKV is FOTA Demo... internal test maybe...
In apps_compressed only 1 Byte change...
http://www.megaupload.com/?d=6UKRP1YY
Attention! This is not for Multiloader, as it is decrypted already...
Taken from JTAG dump...
Decompress possible with TriX for instance.
RC1 seems also changed...
Will check also QMD part of CSC...
Visible is Samsung Logo from RC2... it is reverse during Boot.
Best Regards
In CSC QMD part...
14 times Flight Mode into FLIGHT MODE...
RC1... not exactly sure about changes...
Both files included... maybe RC1 dump not exact cutted at end...
http://www.megaupload.com/?d=Q1L5P3BV
If Bootloader is also affected, I'll test sooooon.
Again, NOT for Multiloader, only for Research.
Best Regards
P.S.:
Yes, it is possible to make valid file for Multiloader... but...
Major changes in Boot... dbl not checked... toooo lazy now...
I have removed the 128 KB from JTAG dump for better comparing.
NOT use in Multiloader!!!
You can brick your handset.
So I think this is evidence once more, that FOTA is very powerful...
Best Regards
Thank you Adfree for your hardwork
I think it is time for someone to continue this from that point
Of course if you can do more you are more than welcome
So compression Algorithm is in the phone FW now somewhere .....
Apps_compressed.bin or FOTA ?!!!!
this Algorithm is wanted dead or alive
Best Regards
adfree said:
Major changes in Boot... dbl not checked... toooo lazy now...
I have removed the 128 KB from JTAG dump for better comparing.
NOT use in Multiloader!!!
You can brick your handset.
So I think this is evidence once more, that FOTA is very powerful...
Best Regards
Nice news, there's a different boot and I've found source, I'll post it later
They use Nucleus for crypto source, embeddedXen 3.1.3, it's a virtual machine
https://rapidshare.com/files/239917171/crypto.7z
All file on your boot file adfree is in. There's complete kernel source I can upload of course, now I upload just partial source. This is 2002 revision 1.3 but I see 3.1.3 exist and some compile it need search more
Last version is 4, you can find source here:
http://embeddedxen.git.sourceforge....9c15b5bd0ccc08732577063836662835c3dc5;hb=HEAD
but our version of boot is compiled with 3.1.3 version
Tigrouzen said:
Nice news, there's a different boot and I've found source, I'll post it later
They use Nucleus for crypto source, embeddedXen 3.1.3, it's a virtual machine
https://rapidshare.com/files/239917171/crypto.7z
All file on your boot file adfree is in. There's complete kernel source I can upload of course, now I upload just partial source. This is 2002 revision 1.3 but I see 3.1.3 exist and some compile it need search more
Last version is 4, you can find source here:
http://embeddedxen.git.sourceforge....9c15b5bd0ccc08732577063836662835c3dc5;hb=HEAD
but our version of boot is compiled with 3.1.3 version
so are u saying source code or something like on android
prok**** said:
so are u saying source code or something like on android
No, this is some source code about crypto on boot in virtual machine
Tigrouzen said:
No, this is some source code about crypto on boot in virtual machine
... tell me what all we can do by this new discovery ..
prok**** said:
... tell me what all we can do by this new discovery ..
Ho1od or Rebellios can take a look at it and maybe find some trick. It's not for us but for training, also for decrypting some boot system, it's all important
On KK5 S8530 I was not able to download something...
DMSetup.ini
Code:
#Settings
FirmwareMaxSize=98304
I think this means maximum 98 MB for Delta... in KK5.
From bada 1.0 JE7...
Code:
FirmwareMaxSize=10485760
Btw...
In Internal Menu you can access few Settings...
http://forum.xda-developers.com/showthread.php?t=906966
Best Regards
Code:
HttpReqInternal: Proxy address is 0, so conver to NULL
HttpReqInternal : HTTP[ 0 ] - https://www.ospserver.net/device/fumo/agreement/IMEI:YOURS ! Caution (smlCommonHttp.c : 373)
With WinComm you can log few things...
http://forum.xda-developers.com/showthread.php?t=928170
For connection to Server your IMEI is sent...
Best Regards
those who pass me the update that does not come out more 'on Fota?
thanks
It seems nearly all files affected by this "update" to KKV...
amss.bin also few Bytes in Name changed...
Code:
Q6270B-KPUBL-9.9.99999
dbl.mbn seems only untouched file.
Except that FFS, CSC, APP is nearly impossible to compare...
Maybe in 1 of cfg are details about changes... and files involved....
@ DevilM
Not exact understand... sorry. BUT...
"We" not sure how and who is able to Download KKV...
Maybe you need luck, or maybe access limitation by:
- time... maybe only from 5 - 7 morning
- maybe only 100 "user" can access at same time Server...
I don't know. Sorry.
Best Regards
FirmwareMaxSize=98304
It's probably max 96KB for delta file.
FirmwareMaxSize=10485760
is 10MB
I found Quram compression routine in XPKJ1 FOTA module. But it's partial and very, very huge. Probably does support only one type of compression, likely for Rsrc or some libraries. Do you think it's possible for you to dump S8500XXKKV delta and send to me?
Probably FOTA updates does support following commands:
ROM:473277CC DCD aDelta_op_image_updat ; "DELTA_OP_IMAGE_UPDATE"
ROM:473277D0 DCD aDelta_op_image_upd_0 ; "DELTA_OP_IMAGE_UPDATE_COMP"
ROM:473277D4 DCD aDelta_op_image_upd_1 ; "DELTA_OP_IMAGE_UPDATE_ENGINE"
ROM:473277D8 DCD aDelta_op_file_create ; "DELTA_OP_FILE_CREATE"
ROM:473277DC DCD aDelta_op_file_overwr ; "DELTA_OP_FILE_OVERWRITE"
ROM:473277E0 DCD aDelta_op_file_modify ; "DELTA_OP_FILE_MODIFY"
ROM:473277E4 DCD aDelta_op_file_remove ; "DELTA_OP_FILE_REMOVE"
ROM:473277E8 DCD aDelta_op_symlink_cre ; "DELTA_OP_SYMLINK_CREATE"
ROM:473277EC DCD aDelta_op_symlink_ove ; "DELTA_OP_SYMLINK_OVERWRITE"
ROM:473277F0 DCD aDelta_op_symlink_mod ; "DELTA_OP_SYMLINK_MODIFY"
ROM:473277F4 DCD aDelta_op_symlink_rem ; "DELTA_OP_SYMLINK_REMOVE"
ROM:473277F8 DCD aDelta_op_dir_create ; "DELTA_OP_DIR_CREATE"
ROM:473277FC DCD aDelta_op_dir_remove ; "DELTA_OP_DIR_REMOVE"
guess it's enumerated from OP_IMAGE_UPDATE = 0
IMAGE_UPDATE_COMP = 1
and so on.
Also a question, have you ever met "GCE" or "GLS" magic string in some files related to compression? Looks like compression method or what.
//edit:
Some about FOTA origin probably:
http://www.ospserver.net/terms/terms.html
That server is probably defined somewhere in SystemFS.
Oh, found this in Debug folder... Logfile
Code:
FOTAMGR > QuramMduceBEraseBlock: startBlk(1), blk_num(1), idx(0), physical addr(0x01140000), size(0x00040000)
FOTAMGR > QuramMduceBWriteData: addr(0x00040000), size(0x00004000), idx(0), physical addr(0x01140000)
FOTAMGR > QuramMduceBWriteData: addr(0x00044000), size(0x0003c000), idx(0), physical addr(0x01144000)
Do you think it's possible for you to dump S8500XXKKV delta and send to me?
I'll sleep about.... tooo paranoid...
Only 3 user have KKV update... 2 in Germany...
IP + IMEI + I don't know what else is stored in these files...
Ah, forgotten my phonenumber...
Best Regards
From KK5 its possible to update to KK6...
And KK7 also updateable... to KKV...
XXKK5
Code:
Type : Unofficial Version
Number : 1127
Builder : superuser
Host : S1-AGENT08
Date : 2011/11/22
Time : 21:04:33
Size : 42730876 bytes
CheckSum : 0xf4ff0762
XXKK6
Code:
Type : Unofficial Version
Number : 1155
Builder : superuser
Host : S1-AGENT08
Date : 2011/11/25
Time : 22:35:35
Size : 42730876 bytes
CheckSum : 0xf4f72020
It seems you need exact procedure and/or its only 1 time possible after complete Flash with Multiloader... then you can download FOTA...
My steps:
1.
Firmwareupdate via Multiloader!
2.
During first initial Steps... Choose ENGLISH as language
3.
Timezone seems irrelevant... I choose Bermuda...
4.
Ok... Ok...
Now you are able to navigate in menu...
5.
WLAN/Wi-Fi ... no need of active SIM... enter your Password to establish connection to Wi-Fi
6.
Go to Settings->Accounts
Config your Samsung Account
Now you could test if ... but I think no connection... only
You need to RESTART your handset... OFF... ON
After finish of Boot, maybe wait short... then:
Settings->General->Software update
Don't forget to choose Wi-Fi
Please. I need someone to compare files.
Please after Download choose LATER... to backup folder:
Code:
User\Mass\SyncML\Fota\*.cfg
5 MB +
Additional files are in
User\SyncML\*.cfg
NOT upload public, please contact me in private via PM.
Thanx in advance.
Best Regards
After my KK5 Multiloader update... now received 3 packages...
KK5->KK6->KK7->KKV
Last one not installed yet... maybe I'll wait little bit to get KK8 or something like this.
Hmmm. Not sure how final FOTA will work... but it seems you can only jump in minor steps...
As fantasy example:
If your device has "KK1" and latest Firmware is KK9... then maybe you have to download and install first:
KK2
KK3
.
.KK8
Each package a 5 MB...
Best Regards
OTA updates are available for Germany,Italy,UK and another 2 countries i forgot only.....also OTA install of the apps
so i got 0 chance to get such updates
Best Regards
so i got 0 chance to get such updates
Not tested yet... if SIM card is mandatory in device... (maybe I'll remove it for test)
BUT my SIM card is not more active... all actions over Wi-Fi...
Also not many users from Europe (or Germany) report success...
I can only count 3 user from Germany... 1 from Romania...
We will see...
I hope more user can confirm working FOTA.
Thanx.
Best Regards

Anycall Wave II M210He

Hello,
I have flashed my M210 to wave II firmware, now it works until the phone goes to stand by mode, once it is into standby mode you can't unlock or wake it up from the dark screen..
am soo screwed,
Please help.
I have flashed many firmwares, the one that comes with Anycall M210 too.. yet the same problem.
any help???
Try official firmware : http://www.hotfile.com/dl/149639410/c232cb0/M210SKRLC1_M210SSKTLC1_SKT.zip.html
I flashed this firmware but it didn't help, the problem remains the same
What you did...please tell me step by step
Because it is official Bada 2.0 firmware for M210S,there wouldn't be a problem
Firstly, I downloaded both the firmware and the downloader 6.67
Flashed by selecting the files appropriately
all files successfully flashed successfully except the boot files...
i have to change them with other bootfiles from wave 2 firmware and it was flashed then
but after still is the same problem
it just doesn't wake up after it goes into sleep mode ....
even though i have flashed the official firmware yet no hope
anybody ?
all files successfully flashed successfully except the boot files...
i have to change them with other bootfiles from wave 2 firmware and it was flashed then
but after still is the same problem
M210S is different as S8530...
TDMB...
If this is no Software feature so maybe few Chips different... maybe little tiny differences in Hardware...
I think you need back BOOTFILES from M210S...
Best Regards
can anyone provide me with a proper bootfiles ?
Nimra Khan said:
can anyone provide me with a proper bootfiles ?
The firmware which I gave is full firmware and the bootfiles are inside
Sometimes Bootloader change is not more easy possible... during Security...
So it could be IMPOSSIBLE with Multiloader alone to jump back to Original M210S Boot...
One Hardcore way would be repair with JTAG...
Best Regards
adfree said:
Sometimes Bootloader change is not more easy possible... during Security...
So it could be IMPOSSIBLE with Multiloader alone to jump back to Original M210S Boot...
One Hardcore way would be repair with JTAG...
Best Regards
Yes its not happening with multi loader, tried almost a dozelian times.
I don't know anything about JTAG
http://forum.xda-developers.com/showpost.php?p=13582911&postcount=13
RIFF Box means for instance JTAG... solder wires etc...
Sorry, no other working solution known...
Best Regards
Other direction...
I have S8530 device... to do stupid tests.
I wish I could use M210S Firmware...
Nope... not possible...
1.
Check Screenshot from ML...
Many addresses DIFFERENT... means partition table is not 1:1...
2.
I have tried several combinations with Boot change... but not possible...
dbl Error...
Best Regards
Edit.
Short tested with XPKD6 Boot...
Same result...
Soon I will try bada 1.2 Boot... maybe then more luck to change Boot to M210S...
Btw... M210S Firmware bada 1.x with Bootfiles available somewhere?
Edit 2.
Flashed XXJK2 Boot (bada 1.x)... same result...
It seems not possible with Multiloader to jump back to M210S Bootfiles... or to flash S8530 with M210S Boot...
ONLY as info yet...
Maybe this year chance to fix this...
1.
I have realized during mistake...
I have forgotten to copy dbl.mbn into folder...
That Boot Change also work only with 1 file...
boot_loader.mbn
2.
I have found way to disable RSA 1024 check of Bootloader... Maybe this makes easier to flash back M210S Boot...
But need some time for tests and more investigation...
Best Regards
I have an idea... test later...
In boot_loader.mbn of M210S Firmware is SHW-M210S instead GT-S8530 String...
Warning! Don't try it yourself. You could brick your handset.
Best Regards
Edit 1.
Summary...
dbl.mbn is 1:1 same file like in S8530 DBT...
Edit 2.
Progress...
Bypassed apps_compressed.bin...
My fault... it seems size check... in last 1024 Byte aka end.bin...
Now I have taken from bigger file XPKD6...
Now I need to wait for *.app and CSC finish... then I'll post result...
Edit 3.
Code:
Download Start Ch[0]
FOTA 1817.7KB OK[0.9s]
Amss 13276.7KB OK[5.2s]
Apps 27000.8KB OK[12.7s]
Rsrc1 38797.3KB OK[14.8s]
Rsrc2 2987.3KB OK[1.4s]
FFS 191692.8KB OK[340.4s]
SHPAPP 191152.1KB OK[266.4s]
CSC 58662.9KB OK[106.7s]
-deleted -
Noobish question was here
Did you flash wave 3 firm. to wave 2? Can your device boot?
Wave 3 aka S8600 is COMPLETE different.
S8530 and M210S are similar... minor differences in Hardware...
S8500 is in this "Family Group"...
Simple check only folder BOOTFILES...
2 files for S8500,S8530,M210S:
Code:
boot_loader.mbn
dbl.mbn
Now look into S8600 XXKJC for instance has all files...
I can see 4 files, 2 more than the other group has...
Best Regards
adfree said:
Edit 2.
Progress...
Bypassed apps_compressed.bin...
My fault... it seems size check... in last 1024 Byte aka end.bin...
Now I have taken from bigger file XPKD6...
Now I need to wait for *.app and CSC finish... then I'll post result...
Edit 3.
Code:
Download Start Ch[0]
FOTA 1817.7KB OK[0.9s]
Amss 13276.7KB OK[5.2s]
Apps 27000.8KB OK[12.7s]
Rsrc1 38797.3KB OK[14.8s]
Rsrc2 2987.3KB OK[1.4s]
FFS 191692.8KB OK[340.4s]
SHPAPP 191152.1KB OK[266.4s]
CSC 58662.9KB OK[106.7s]
Bypassed apps_compressed.bin...
How did you do ?
BTW phone boot now ?
Nice progress
BTW phone boot now ?
No.
Maybe my mistake is end.bin from XPKD6 for apps_compressed.bin...
Also I have removed some Security with TriX...
http://forum.xda-developers.com/showpost.php?p=37540321&postcount=263
S8530 seems not accept or load apps_compressed.bin from M210S ...
Tests with Debug high in RC2 file no Bluescreen...
Bootloader I have taken from XXLA1 DBT...
Maybe I should try also Boot from XPKD6...
Will make more tests next days...
Best Regards
Edit 1.
apps_compressed.bin from KRLC1 is exact:
Code:
27001856 Byte (25,8 MB)
XPKD6 was bigger... but maybe not good for XXLA1 Boot...
Will check now other files for best end.bin...
Edit 2.
I have forgotten KRLF1 from M210S, but same result...
---------- Post added at 05:16 AM ---------- Previous post was at 04:19 AM ----------
Little progress with XPKD6 Boot...
Now CSC is not possible in Multiloader...
But I see progress bar moving in RC2 like on S8000 Jet...
I will create CSC with Wave_Remaker... and check again RC2 with Debug Level High...
Later more.
Best Regards
Edit 3.
Compared short *.so files... seems no Radio in M210S ?
Many *.so files more or different... Maybe interesting for study...
