Related
For investigation I'm searching for oldest Firmware...
At the moment I found "only".
S8500XXJB6.rar
Differences:
1.
Few adresses not same in Multiloader
2.
Not running on my handset... accept amss.bin
3.
TriX can't extract anything...
PSAS can't decrypt apps_compressed.bin
4.
Bootloader different
Best Regards
older firmware, like S8500XXJB6 is a bit different (is much closer in structure to S8000)
ad. 2, i assume you have newer bootloader in phone (it won't accept older one)
ad. 3, shp, csc file signature is a bit different (will be fixed soon). FS file is just fat16 image (TriX support fat images via FATe plugin, i have no idea fat images was used before, i will add FATe plugin in next build)
ad. 4, if someone still has that firmware in phone is very luky guy. I can bet with jet android port can be ported to it with any problem - JB6 bootloader is not crypted.
5.
Rsrc2_S8500(Low).rc2 works also in JI5 for instance...
Different Boot Pics... maybe this helps to identify location of each Pic.
Battery...
Samsung Logo...
.
.
.
Maybe we find out, which Format... maybe also QMG.
Best Regards
you can already extract rc2 files
use the same program that is used for older samsungs
this one if I'm not wrong
http://code.google.com/p/samsung-firmware-tools/
I've used Tool WinImage for extraction of *.FFS... renamed into *.img
Usefull also for FFS of other bada handsets like:
S5250
S5330
S5750
S7230
In CSC of S8500XXJB6 I navigate via 005C00 to see where folder/file is.
Best Regards
Still problem.
That I can't bypass Bootloader Security...
Not with Multiloader nor with JTAG...
My knowledge how Boot is correct written + activated... = 0
I saw some other Firmware from other models... it seems IMRC is still used...
Maybe someone found Algo or Tool to decode RC1.
Thanx.
Best Regards
Blub...
XXJB6 unfinished mission...
2 new Firmware good for research.
XXJEB as bada 1.x Firmware... nearly all Certs removeable...
Only Integrity check for *.so files left.
For bada 2.x
XPKG5 very interesting...
Only bad, I can't find where these 2 last Certs are stored?
Code:
SamsungSBRootCA.cer
Samsung_RootCA.crt
Best Regards
New attempt with JTAG... but again failed... :crying:
Magic is now CMM Script...
BUT I have only ELF from XXJEB...
Maybe this is the reason why Multiloader not flash XXJB6 Bootloader...
Now I could learn more about CMM...
To flash correct file to correct address...
Or maybe way to extract RC1 ... because old IMRC Algo...
Not sure if maybe broken for other Samsung handsets...
Best REgards
Hmm, I can see S8000 Jet use for RC1 also IMRC...
Maybe possible to flash RC1 XXJB6 to S8000, then copy content from handset...
Best Regards
Please help.
I am searching for friendly S8000 Jet User.
Can someone confirm working Command:
Code:
FmSecureMode off
And I wish content of S8000 folder System please.
See here what I mean:
http://forum.xda-developers.com/showpost.php?p=12436452&postcount=1
Thanx in advance.
Best Regards
http://forum.xda-developers.com/showpost.php?p=34508619&postcount=132
Now I have own S8000 Jet...
First try to flash RC1 from XXJB6 fail...
NAK_invalid_len
Need more knowledge about S8000...
Best Regards
Edit 1.
Maybe no chance... I have forgotten to check size...
Rsrc_S8000_Open_Benelux_OCE.rc1 is 80 MB
Rsrc_S8500_Open_Europe_Common.rc1 is 100 MB
Maybe S8000 not reserved 100 MB for RC1... :crying:
Edit 2.
I have removed 20 MB...
S8000 Jet start with reduced XXJB6 RC1
Now I copy System folder...
Maybe few files corrupted and over 20 MB missing...
But better then nothing. :victory:
http://forum.xda-developers.com/showpost.php?p=34518982&postcount=34
Okay, second attempt successfully read few files from XXJB2 RC1...
And I found limit for RC1 in S8000...
Code:
> FLASH_RSRC1_SIZE : [B]0X04B00000[/B]
> FLASH_RSRC1_START_ADDR : 0X03700000
> FLASH_RSRC1_END_ADDR : 0X08200000
So ""80 MB"" ...
Will check older Firmware, maybe more place in other Versions reserved...
Best Regards
http://www.mediafire.com/?um7dr5ufti7h0dx
Here is folder with RBMs from XXJB6.
Also not all are visible with Wave_Remaker...
Few are funny and interessting...
Later I will upload more... but again.
During small reservation of S8000 I was only able to flash 75 MB of 100 MB from RC1.
Maybe also few files are corrupt... Not checked all.
Best Regards
I'm trying to collect few other Firmware from other Samsung devices...
U700 IMRC seems other algo maybe...
Bluescreen ... on S8000
FmMountVolume
Fm_FS_LFS
FM_PARTITION_LFS_C
Next try is M8910 RC1...
Btw. I have forgotten XXJC5 is also IMRC and bigger then XXJB6...
Later more...
Best Regards
Edit 1.
M8910 RC1 without problems work on S8000...
Remember only end.bin last 1024 Byte have to be modified for correct addresses...
Edit 2.
S5620 RC1 tested...
It seems more compatible then U700 RC1 but also loop...
Maybe if I can disable Animation Power ON then chance to check next Error...
New Year... New attempt
Bootfiles Mixed with XXJEB...
boot_loader.mbn from XXJEB
dbl.mbn from XXJB6
Multiloader can flash this combination and it seems XXJEB then work...
I hope if I manage to understand how to use Binary instead ELF in CMM Script, then maybe I am 1 day able to flash Boot from XXJB6...
Best Regards
IMRC related... there are more Samsung devices with IMRC compressed RC1...
Code:
RC1(IMRC) compatible size
S8000 x 75/80
S8500 XXJB6 x 100+
M8910 x 75/?
S5620 -
U700 -
F480 -
S5510 -
S7350 -
G800
U900
I am not sure if different IMRC Versions... because mandatory few RBM files needed in System folder...
Best Regards
Edit 1.
Sometimes I can see Power ONOFF Animation...
Edit 2.
It seems IMRC different Versions... see first 8 Byte...
F480 for instance compared with S8500...
I think at 0x14 4 Bytes for DEcompressed size stored... Little Endian
yes, the header is different.
index - also. but it is clear.
the compression algorithm - still a mystery
PHP:
//magick //always1 //index_type //size??? //count //array of tail size or offset
G80LXEIE1 0x43524D49 0x00001000 0x0000000B 0x00000006 0x02464A38 0x00002466 0x00000000 0x00000338 0x000004A0 0x000007C8 0x00000924 0x00000BA4 0x00000CFC 0x00000F94 0x000010E4
U70BXEIF1 0x43524D49 0x00001000 0x0000000B 0x00000006 0x01E5BB48 0x00001E5D 0x00000000 0x00000338 0x00000498 0x00000774 0x000008B8 0x00000BC4 0x00000D28 0x00000EF8 0x00001028
F480XEHE1 0x43524D49 0x00001000 0x0000000C 0x00000006 0x01A55024 0x00001A56 0x00000170 0x0000030F 0x0000013A 0x000002F6 0x00000147 0x000002B6 0x000000E4 0x00000295 0x00000144
F48FXEID1 0x43524D49 0x00001000 0x0000000C 0x00000006 0x01EF4A6C 0x00001EF5 0x0000016C 0x000002E7 0x0000014B 0x00000335 0x0000012D 0x000002A1 0x000000E0 0x00000277 0x0000013F
S5510XEIJ1 0x43524D49 0x02000400 0x00001000 0x0000000C 0x00000006 0x01CC581C 0x00001CC6 0x00000165 0x00000358 0x000000AE 0x00000277 0x000000BD 0x00000284 0x0000015D 0x00000327 0x000000EC
S735EXEII2 0x43524D49 0x02000400 0x00001000 0x0000000C 0x00000006 0x02A74E80 0x00002A75 0x00000147 0x0000033A 0x000000D4 0x000002A0 0x000000B5 0x0000027E 0x00000125 0x00000315 0x00000111
S8500XXJB6 0x43524D49 0x02000400 0x00001000 0x0000000C 0x00000006 0x09BF64A0 0x00009BF7 0x00000141 0x000002DC 0x00000116 0x00000280 0x0000014B 0x000002FB 0x00000155 0x000002D4 0x00000124
U90UXEIE3 0x43524D49 0x00001000 0x0000000C 0x00000006 0x032BAF08 0x000032BB 0x00000168 0x0000030B 0x0000012F 0x000002C3 0x0000013F 0x000002D0 0x00000103 0x00000272 0x000000D0
I don't understand if RC1 is decompressed by Bootloader or by apps_compressed.bin...
QMD in Header is in later Firmware from S8500...
Short tested...
I can change this in RC1...
QAB
S8500 starts normal...
If I try to change all 3 letters... then short Bluescreen... But I can't see Error message fast enough... maybe later...
I have changed into 123 instead QMD...
Will check again... Maybe I can capture Bluescreen...
Video or something else...
Later I will try this with S800 and IMRC textstring...
I want to identify if Boot or apps_c task to decompress RC1...
Best Regards
Edit 1.
I hope Pic is readable... Tested with Debug Level high and on XXJEB S8500...
Looks like something like this...
Code:
QuramMduceRFlashInitM((void*)pFotaRsrcCompHeader[QURAM_RSRC_BIN_TYPE_LFS]
Found in apps_compressed.bin...
Hmmmmmmmmmmmm. In theory it seems I don't need Bootloader from XXJB6...
BUT... damn apps_compressed.bin is also secured by something ugly...
Last 1024 Byte... aka end.bin...
Anyway... will now check again IMRC Header in S8000...
Maybe here also possible to force Bluescreen in Debug Level High...
Best Regards
If I destroy IMRC Header on S8000... XPJA1... Debug Mid...
Later I will try to catch all 5 Bluescreens..
Here 1/5...
Best Regards
Code:
RC1(IMRC) compatible size
S8000 x 75/80
S8500 XXJB6 x 100+
M8910 x 75/?
S5620 -
U700 -
F480 -
S5510 -
S7350 -
G800 -
U900
S5600 -
B5310 -
Found few more devices...
It seems - not ever means incompatible... I can see sometimes Power ONOFF Animation... smaller Resolution then 480 x 800... So maybe reason is smaller *.rbm files force to Reboot... Will check "later" with Debug Mid...
Best Regards
The last 3 Chars of Firmwarename are timecode...
Example JL2:
J for 2010
L for ...
ehm A is january, B is feb...
The oldest Firmware I found is XXJB6 from February 2010.
The latest from 2011...
Btw. these timecodes are Compile dates for apps_compressed.bin...
One way is to enter Internal menu. See Screenshot.
Here are little overview...
Code:
[B]S8500XXJB6[/B]
Type : Unofficial Version
Number : 1907
Builder : scm27
Host : SCMSERVANT03
Date : 2010/02/24
Time : 04:49:31
Size : 66323804 bytes
CheckSum : 0x7a1fe855
[B]S8500XXJL2[/B]
Type : Unofficial Version
Number : 362
Builder : Administrator
Host : S1-AGENT05
Date : 2010/12/23
Time : 14:24:54
Size : 82576764 bytes
CheckSum : 0x32cdbee8
[B]S8500XEKA1[/B]
Type : Unofficial Version
Number : 12
Builder : Administrator
Host : HP28076212482
Date : 2011/01/04
Time : 11:54:38
Size : 72615292 bytes
CheckSum : 0x9620d783
[B]S8500XIKA1[/B]
Type : Unofficial Version
Number : 118
Builder : dell22
Host : SCM_DELL_23
Date : 2011/01/31
Time : 20:39:15
Size : 82576764 bytes
CheckSum : 0x31f17a34
[B]S8500JPJKB1[/B]
Type : Unofficial Version
Number : 1
Builder : user
Host : SEL-E4285A63E81
Date : 2011/02/08
Time : 17:14:38
Size : 73663868 bytes
CheckSum : 0x984141f3
Best Regards
may i ask how you get build info from menu??
http://forum.xda-developers.com/showthread.php?t=906966
further infos for RC2 file is here:
http://forum.xda-developers.com/showthread.php?t=915469
It look like another way to find date for Build... under Phone info. Look under:
Softw.-Version
bada 1.x
123456blablaLISS8500blabla
The first 6 Digits seems Compile Date too. Need to be check twice...
Best Regards
hmmm....i do not have this internal menu. i saw in phone info first six digits are indeed date. maybe next 4 are time?? but my digits are 1341 wheras u have given time as 1424 for xxjl2. btw i am on xxjl2 modified for social hub premium. perhaps you have taken stock not full firmware from samfirmware.com??
hmmm....i do not have this internal menu.
Click to expand...
Click to collapse
This is correct, if you flash Rsrc2_S8500_Open_Euro_Common(Low).rc2
Menu is disabled.
If you flash Rsrc2_S8500_Open_Euro_Common(Mid).rc2
Best Regards
Very good description.
http://samsung-stuff.de/board/thread.php?threadid=24148
Big Thanx.
year
J: 2010
K: 2011
month
A: JAN
B: FEB
C: MAR
D: APR
E: MAY
F: JUN
G: JUL
H: AUG
I: SEP
J: OCT
K: NOV
L: DEC
revsision
1-9
A-
XXJL2 is from 2010, December, revision 2
Best Regards
To be precise, the bootloader decodes that and supports dates from the letter F (2006) to P (2016), Revision 1-9, A-W (case unsesitive) meaning 1-32. There's still one more letter that is parsed case unsesitive A-Z with meaning 1-26 and space, tabulation or null meaning 100, but I haven't looked close enough to know what that is.
@adfree from where did u get the mid file? why does samfirmware says never to flash with mid always low. any extra settings we need to check in multiloader? and finally are there any changes other than this internal menu? thank u for your patience
Code:
Type : Unofficial Version
Number : 194
Builder : scmdpi06
Host : DPI06
Date : 2011/04/04
Time : 15:52:32
Size : 72353148 bytes
CheckSum : 0x95f5bb78
Nice to see that in April also S8500 Firmware is compiled.
Taken from DDKD1 India.
Best Regards
no updates for s8530 since february
Code:
Type : Unofficial Version
Number : 7
Builder : Venugopal
Host : M_VENUGOPAL-LAP
Date : 2011/05/16
Time : 23:59:05
Size : 73139580 bytes
CheckSum : 0x97909654
S8500JPKE1
So also from May Firmware available...
Best Regards
It seems that a new firmware for the Wave II is available (Bada 1.2)
The Firmware is the S8530XXKC1/S8530OXAKC1 (Open Europe) it is a March 2011 build. i will flash it later the at day, bootloader and so on is in, but it is only a update firmware.
//Edit:
Better is the scrolling in dolfin (much better) and the scrolling in voluntas (a little bit better, already not smooth)
XPKG5, both S8500 and S8530...
bada 2.0 (alpha/beta)
S8530
Code:
Type : Unofficial Version
Number : 952
Builder : Administrator
Host : S1-AGENT06
Date : 2011/07/[B]19[/B]
Time : 17:22:18
Size : 39323008 bytes
CheckSum : 0xe0d0beba
S8500
Code:
Type : Unofficial Version
Number : 806
Builder : Administrator
Host : S1-AGENT08
Date : 2011/07/[B]19[/B]
Time : 17:23:23
Size : 39323004 bytes
CheckSum : 0xe09410e7
We will see when first official release will arrive.
In September or much later...
Best Regards
@ Adfree are you sure? Is the worklload so much or are they Lazy?
One way we can compare: Bada 1.2 XX versions:
1.XXJID: September
2.XXJJ9: October
3.XXJK1: November
4.XXJL2: December
(source: Samfirmware)
Four months fom beta to a stable Version....
So Bada 2.0 Stable:October?
S8500 XPKG6
Code:
Type : Unofficial Version
Number : 817
Builder : Administrator
Host : S1-AGENT08
Date : 2011/07/22
Time : 16:35:52
Size : 39323004 bytes
CheckSum : 0xe0cef3c4
S8500 XPKG7
Code:
Type : Unofficial Version
Number : 824
Builder : Administrator
Host : S1-AGENT08
Date : 2011/07/26
Time : 15:26:07
Size : 39323004 bytes
CheckSum : 0xe11b43b5
S8530 XPKH1
Code:
Type : Unofficial Version
Number : 981
Builder : Administrator
Host : S1-AGENT06
Date : 2011/08/02
Time : 16:25:54
Size : 42206592 bytes
CheckSum : 0xede5e259
So between KG6 and 7 only 4 days... from KG5 to KG6 3 days...
So theory, all 4 or 3 days new build... but this also means, that only minor changes can be... minor bugfixes...
Maybe more changes/bugfixes possible with 14 days time... between builds...
Theory... only 1 month left for September start... but it seems bugy, ehm unfinished...
So minimum 2 months... for stable Firmware...
Btw...
These leaked Firmware are very fresh... so I think direct from Testserver...
Thanx to friendly Mr. Nice Guy from Samsung for sharing.
Best Regards
Sure they are fresh FWs
Maybe if we left bada team work silently for 2 weeks we will see a good FW
As you can see from KG6 to KG7 the change made it so much stable and they have only 4 days between them
What will happen if the 4 days were 2 weeks??
Best Regards
apps.bin from official bada 2.0 SDK
Code:
Type : Unofficial Version
Number : 255
Builder : darren.ha
Host : BA-XP4
Date : 2011/08/23
Time : 21:22:09
Size : 36177276 bytes
CheckSum : 0xc8c9e8b1
S8500 XPKH3
Code:
Type : Unofficial Version
Number : 863
Builder : Administrator
Host : S1-AGENT08
Date : 2011/08/16
Time : 20:56:16
Size : 42468732 bytes
CheckSum : 0xee43ccad
S8530 XPKH3
Code:
Type : Unofficial Version
Number : 1008
Builder : superuser
Host : S1-AGENT06
Date : 2011/08/16
Time : 20:19:21
Size : 42468736 bytes
CheckSum : 0xee79fb68
Wave 3 S8600 is seen with XPKHB... maybe on IFA in Germany.
Maybe we can test this Version also an Wave 1+2...
SDK Apps are latest compiled I found yet... 2011/08/23
Best Regards
S8500MBUKI1
Code:
Type : Unofficial Version
Number : 262
Builder : Dell02
Host : SCMDELL16
Date : 2011/09/16
Time : 19:35:07
Size : 42468732 bytes
CheckSum : 0xef3c5853
S8600XXKI9
Code:
Type : Unofficial Version
Number : 952
Builder : superuser
Host : S1-AGENT05
Date : 2011/09/27
Time : 02:53:48
Size : 55050240 bytes
CheckSum : 0x0cbbad48
Latest known/downloadable Firmware yet:
S8600BOKJ1_TPLKJ1
Code:
Type : Unofficial Version
Number : 981
Builder : dpi
Host : DELL42
Date : [COLOR="Red"][B]2011/10/03[/B][/COLOR]
Time : 15:48:05
Size : 55050240 bytes
CheckSum : 0x0c9a8ca5
This means we have no idea, what is now actual status of bada 2.0... because tested Version is older then 4 weeks...
This is SDK 2.0.2 ... 2 days between latest known S8600 Firmware.
Code:
Type : Unofficial Version
Number : 338
Builder : darren.ha
Host : BA-XP4
Date : [B]2011/10/01[/B]
Time : 07:51:28
Size : 35128700 bytes
CheckSum : 0xc2e51d24
Best Regards
S8600XXKJC
Code:
Type : Unofficial Version
Number : 1096
Builder : superuser
Host : S1-AGENT05
Date : [B]2011/10/26[/B]
Time : 17:26:52
Size : 55050240 bytes
CheckSum : 0x0d3edb3f
No idea if date is same from Kies Version...
Between 2011/10/26 and today are 2 weeks...
Also no idea, if this means, if available from Kies. It is now final bada 2.0 Version...
Maybe soon, if Wave III is real available. We can see Firmware Version on device... maybe it is higher or lower XXKJC.
Best Regards
S8500XPKJ1
Code:
Type : Unofficial Version
Number : 984
Builder : Administrator
Host : S1-AGENT08
Date : [B]2011/10/05[/B]
Time : 22:44:23
Size : 42730876 bytes
CheckSum : 0xf57d5099
S8530XPKJ1
Code:
Type : Unofficial Version
Number : 1141
Builder : superuser
Host : S1-AGENT06
Date : [B]2011/10/06[/B]
Time : 00:37:37
Size : 42730880 bytes
CheckSum : 0xf580ab96
This means older then 1 month...
So again, we have no idea if Final are close, closer or in the closet... this month.
Best Regards
I need for test someone with S7250 or S8600.
Please. NOW read carefully.
Only users with testdevice aka prototype aka sample aka I don't know more meanings... BUT NOT normal Retail Version.
We found PlatformDownloader...
S8600 XXKI5
S8600 XXKJ7
and
S7250 XXKJ8
Thanx for reading.
For now please only via PM.
Private Message.
Best Regards
I have cut first 1,5 MB from whole 325 MB package...
You can start and investigate...
Someone can extract Firmware from this?
Please.
I am not smart enough...
Maybe usefull files inside...
Thanx in advance.
Best Regards
But i can open nothing
Pic 3 shows full package...
Pic 4 is attached file...
Firmware starts at 0x00177000...
But I have no idea at the moment, how encrypted or compressed...
But i can open nothing
Click to expand...
Click to collapse
I can open PlatformD_S86_KJ7v1.exe... result is visible on PlatformDownloader4.png
XP SP3
Best Regards
Maybe My Windows.it is Win 7 32 Bit
... is Win 7 32 Bit
Click to expand...
Click to collapse
Short tried with Win 7 Home... 32 bit and same succes like under my XP.
But thanx for trying.
I hope one of our experts take an look. To help extraction of Firmware, maybe interesting/helpfull files included...
Best Regards
How To choose FW Files ?
Here few words about PlatformDownloader...
Again.
I have REMOVED Firmware part...
It was tooo big to upload again...
Maybe later I'll upload all 3 files... around 800 MB...
Best Regards
http://www.mediafire.com/?vk5nl5kaxak1cic
First file...
1 of 3
PLEASE
NOT NO DON'T USE with attached handset!!!
I need someone with more brain to extract Firmware from these files...
Thanx in advance.
Other 2 from S8600 will follow...
Best Regards
static.bada.com/sdk-update/2.0.2/PlatformDownloader_S8600_KJ7.exe
static.bada.com/sdk-update/2.0.2/PlatformDownloader_S8600_KI5.exe
static.bada.com/sdk-update/2.0.2/PlatformDownloader_S7250_S7250XXKJ8_2G.exe
Maybe before bada is complete dead...
Maybe usefull for research...
Best Regards
Blowfish encryption...
But ""I"" have only S7250 file decrypted...
Now S8600 files hopefully will follow...
I wish I had bigger brain.
Best Regards
Maybe this time more luck...
Tested KI5 and KJ7 S8600
With my S8500 Update starts...
Code:
Boot Binary Download Start Ch[0]
Dbl 229.4KB OK[0.2s]
Wait reset !!
Download Start Ch[0]
Amss 16916.5KB OK[5.1s]
ERR : Apps Erase
S8500 is alive...
No idea if AMSS is really written... will check later with JTAG...
Decrypted files not found yet... seems not in Temp folder...
But now I have chance to search for... maybe with OllyDbg...
CAUTION!
Not try self if no JTAG... Risk to brick handset...
Best Regards
Code:
[BOOT_V1.0 (Jan 5 2012, 19:08:14)]
SelectBootingMode: H/W...0xe.
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,DSYSPCLK: 83375 KHz,PSYSHCLK: 133400 KHz, PSYSPCLK: 66700 KHz,SYSCON_A2M: 200000 KHz
+++FIMD_Drv_INITIALIZE
FIMD_Drv_ChangeMode: MDNIE_MODE
Frame Rate:62 SCLK_FIMD:133400 kHz ClkDiv:4
S6E63M0 : LDI_Pentile_Set_Change Pentile_Value =6c
---FIMD_Drv_INITIALIZE
---FIMD_Drv_SetWinOnOff(WIN4:1)
LCD initialize Finished
Flash_Unlock failed
Poweron status - 400
FSA9480 0x03 Register = 0
FSA9480 0x0A Register = 4
FSA9480 0x0B Register = 0
FSA9480 0x07 Register = 1f
SelectBootingMode: Boot Mode = 20...
USB charging enble
Display_LSI_Boot : disp_Main_Clean
Display_LSI_Boot : disp_Main_Clean_All
Display_LSI_Boot : disp_Main_Clean
Display_LSI_Boot : disp_Main_Clean_All
Display_LSI_Boot : disp_dimming_backlight
AST_DOWNLOAD
-----------------------------------------------------
USB BOOT Downloader for s5pc100
Copyright (c) 2005 by SAMSUNG Electronic, Inc.
V1.0 (Jan 5 2012, 19:08:15)
-----------------------------------------------------
@@@@@
@@@@@
CMD_USB_INFO
@@@@@
@@@@@
CMD_USB_SET_DBG_LVL
DloadCmdUSBDebug (1)
CMD_USB_SECURITY
CMD_USB_INFO
CMD_USB_ERASE
erase_memory() : 0x49 (0x1022000)
What?? 0x49
CMD_USB_ERASE
erase_memory() : 0x8000000 (0x1cc0000)
What?? 0x8000000
DloadResponse : NAK_INVALID_ADDR 11
CMD_USB_DEBUG
1 Default Temp folder is:
C:Temp...
Now I am searching where files extracted...
Best Regards
Code:
Boot Binary Download Start Ch[0]
ERR : NAK_NO_SEC_CODE 0
Error : Appsboot Write [0.2s]
ERR : NAK_NO_SEC_CODE 0
Tested with Retail S8600 and PlatformDownloader_S8600_KI5.exe
Code:
Boot Binary Download Start Ch[0]
Appsboot 338.7KB OK[0.8s]
OemSbl 1757.7KB OK[3.5s]
partition 24.6KB OK[0.2s]
Dbl 229.4KB OK[0.4s]
Wait reset !!
Download Start Ch[0]
Amss 16654.3KB OK[25.9s]
Apps 29622.3KB OK[43.3s]
_Open_Europe_Common 40370.2KB OK[58.9s]
(Low) 2980.3KB OK[4.6s]
_Open_Europe_Common 53870.6KB OK[153.8s]
et\kj7 wave3\ShpApp 148979.7KB OK[340.7s]
_Open_Europe_Common_OXA 37380.1KB OK[122.1s]
All files complete[753.3s]
:good:
Tested on Retail S8600 with XXLD1...
PlatformDownloader_S8600_KJ7.exe work...
Warning. Be carefully... risk to brick handset...
Now I will try if this Bootloader accept M410S or M410K apps_compressed.bin...
Best Regards
Any difference between Prototype and Normal Wave ?
Any difference between Prototype and Normal Wave ?
Click to expand...
Click to collapse
Minimum Bootloader...
“CAUTION : please do not select BOOTFILES_EVTSF folder, the sample should be dead”
Click to expand...
Click to collapse
But also Hardware could be different...
CAUTION: If your sample is not able to update camera firmware, you have to backward to XXJB5 version and
1. *#197328640#
2. Select “6. Video “
3. Select “3. Camera Firmware Update”
4. Wait for 4 min.
5. Flash latest SW again.
Click to expand...
Click to collapse
Check document:
How_to_download_S8500.doc
Best Regards
Stupid question we can flash it to S8500 ? or you tried ?
GS8530_DEFAULT_MDL_V001.exe
GS7250D_DEFAULT_MDL_V001.exe
Found this and few more...
No idea what kind of Password they accept...
For me it would be interesting to see what deliver Show Info...
Best Regards
GS8530_DEFAULT_MDL_V001.exe
GS7250D_DEFAULT_MDL_V001.exe
Click to expand...
Click to collapse
Both files attached... maybe for study...
I found necessary DLLs, but I was not able to use this ML... seems Server and/or Passwords required...
Maybe for study...
Taken from somewhere here:
ftp://82-117-232-91.gpon.sta.kh.velton.ua/../../../../../../../SAMSUNG/software/
Own risk. Be carefully...
Best Regards
Hardcore protection...
Password is:
UMTS_S8530
For GS8530_DEFAULT_MDL_V001.exe
UMTS_S7250D for GS7250D_DEFAULT_MDL_V001.exe
Best Regards
Edit 1.
For RC2 Mid file Password is:
MID_USE
Hi all.
This thread only for developers! Only! No questions - when?!!!!!!!
This is my attempt to porting android on S8600.
I wrote custom bootloader - emmcboot, based on codeaurora LK-bootloader.
Bootloader is successfully start, work and trying to load android kernel from internal
microsd card.
Now is unsuccessfully,after type message "Uncompressing Linux... done, booting the kernel." device rebooted or stopped.
[370] Panel is power on
[370] Display initialized
[370] Display logo
[370] Waiting for modem+++
[370] Waiting for modem: Done
[370] smem ram ptable found: ver: 0 len: 6
[370] scratch: 0x8000000
[370] Starting in SD mode!
[370] SD_DETECT pin : 0x0
[380] Initializing MMC host data structure and clock!
[380] Error No. 2: Failure Initializing MMC Card!
[400] Decoded CID fields:
[400] Manufacturer ID: 27
[400] OEM ID: 0x5048
[400] Product Name: SD16G
[400] Product revision: 3.0
[400] Product serial number: 7C88FF04
[400] Manufacturing date: 2 2012
[410] Serial number -[410] serial number:
[410] partition misc doesn't exist
[410] error in emmc_recovery_init
[580]
kernel @ 208000 (4132528 bytes)
[580] ramdisk @ 1200000 (175204 bytes)
[580] cmdline = 'console=null androidboot.hardware=qcom user_debug=31'
[580]
Booting Linux
[580] smem ram ptable found: ver: 0 len: 6
[580] booting linux @ 0x208000, ramdisk @ 0x1200000 (175204)
[590] cmdline: console=null androidboot.hardware=qcom user_debug=31
Uncompressing Linux... done, booting the kernel.
source code for lk-bootloader for S8600:
https://github.com/Oleg-k/LK_BOOT_S8600
To build for S8600, type: "make -j4 s8600 EMMC_BOOT=1"
Also, i got memory dump, stage - after load oemsbl and before loading my bootloader.
as we see, oemsbl decompress and load apps_compressed.bin into memory,
starting at 0x200000.
https://www.dropbox.com/s/5wf6dp5gfgudkdc/MEM_DUMP_128MB.rar
And for for understanding boot process on MSM7x30, read this:
http://tjworld.net/wiki/Android/HTC/Vision/BootProcess#BootProcess
Welcome back my friend ))
If you able to port,I 100% will buy S8600
Good Luck
I was actually going to ask you what happened to the wave 3 port. Anyway Welcome back . But a question why don't you help rebellos and volk in the wave and wave II porting ? So the porting can be a bit more better. Just my question. :good:
Sounds interesting.
1.
You found ELF files for S8600 Boot ?
2.
You found way without JTAG, or JTAG is needed to write your Boot?
Thanx in advance.
Best Regards
CONFIG_DEBUG_LL
and
CONFIG_EARLY_PRINTK
plx <3
it's my current config for my kernel:
adfree said:
Sounds interesting.
1.
You found ELF files for S8600 Boot ?
2.
You found way without JTAG, or JTAG is needed to write your Boot?
Thanx in advance.
Best Regards
Click to expand...
Click to collapse
No, don't ELF files for S8600, i wrote new bootloader for boot linux kernel.
Now i use JTAG, but if we find a way to cript my bootloader,like appsboot.mbn,we will use regular multiloader
So cool!
http://forum.xda-developers.com/showthread.php?t=1443575
Blowfish encryption
Click to expand...
Click to collapse
Maybe PlatformDownloader_S8600_KI5.exe maybe have unsecured Boot...
But I can't flash nor I have connected my S8600 with RIFF...
TPs seems to small for my big Fingers...
Best Regards
oleg_k said:
it's my current config for my kernel:
Click to expand...
Click to collapse
Thanks. I'd check debug macros and debug uart configuration. There's few UART ports in it, and maybe kernel is printing to the wrong one... though this wouldn't explain why kernel unpacker is printing something (Uncompressing and booting comes already from zImage) - this would indicate that debug port number is correct. Are you sure that kernel and ATAGs location is correct, and RAM is set up properly by LK? Maybe something bad happens when kernel proceeds to enabling MMU and caches... I'm pretty clueless. :<
I collected some links I found useful in this article: http://xda-university.com/as-a-developer/porting-android-to-non-android-devices
Especially interesting for you might be last link in "Custom bootloader" section.
No, don't ELF files for S8600, i wrote new bootloader for boot linux kernel.
Now i use JTAG, but if we find a way to cript my bootloader,like appsboot.mbn,we will use regular multiloader
Click to expand...
Click to collapse
For S8500 I found way to write direct into OneNAND at:
Code:
0x0010 0001
No need to encrypt something...
With Multiloader... choose ETC.
http://forum.xda-developers.com/showpost.php?p=37229969&postcount=37
S8600 not tested...
This is far far away from perfect... but maybe helpfull.
Need someone who is able to remove restriction from ML to use lower adresses then 0x10000...
I was only able to change text strings... in ML...
Best Regards
On first page i posted bootloader source and memory dump, stage - after load oemsbl and before loading my bootloader.
To Adfree,
S8600 don't use OneNAND, used EMMC flash memory (like sd-card).
Today I've found S8600XXKI9.zip
I have forgotten this Firmware... but I have now short compared with Bootfiles from XXKJC... BIG differences... So I think this should be nearly identical with PlatformDownloader_S8600_KI5.exe
Still unsolved to decrypt or extract content of:
PlatformDownloader_S8600_KI5.exe
and
PlatformDownloader_S8600_KJ7.exe
Best Regards
Not my S8600... but user tried PlatformDownloader_S8600_KJ7.exe
It seems it was wrong Partition Table aka partition.bin...
Code:
Boot Binary Download Start Ch[0]
Appsboot 338.7KB OK[1.1s]
OemSbl 1757.7KB OK[1.8s]
ERR : NAK_FLASH_ERROR 0
Error : [B]partition Write[/B] [0.2s]
ERR : NAK_FLASH_ERROR 0
Download Start Ch[0]
Amss 16654.3KB OK[15.6s]
Apps 29622.3KB OK[54.1s]
_Open_Europe_Common 40370.2KB OK[73.5s]
(Low) 2980.3KB OK[1.9s]
ERR : NAK_INVALID_CONTENT 0
ERR : _Open_Europe_Common Erase
Now S8600 ask for QHSUSB_DLOAD
My first idea is Qualcomm QPST now...
Or maybe if Driver used, then Multiloader will work again... for second attempt..
Found only 64 Bit Driver yet... not tested nor Thread... only attachment...
http://forum.xda-developers.com/attachment.php?attachmentid=631288&d=1308601930
Will check also QPST to check what is needed...
Best Regards
Edit 1.
More Driver...
http://forum.xda-developers.com/showpost.php?p=21911621&postcount=2
Okay...
It seems for QPST fsbl.mbn is missing...
I can remember from old MSM6250 handsets it is mandatory to have all files for QPST... because otherwise you need JTAG...
Important...
Qualcomm not use Encryption for QPST files...
This is Samsung thingie + "end.bin" last 1024 Byte...
So decrypt all Bootfiles and cut last 1024 Byte...
For fsbl.mbn I will check JTAG dump from S8600...
Best Regards
Edit 1.
http://forum.xda-developers.com/showthread.php?t=1367055
downgrade_WM6_boot.zip contain fsbl.mbn ... maybe as example...
http://forum.gsmhosting.com/vbb/f634/htc-desire-s-qhsusb_dload-driver-1436354/
Found this...
Here is also fsbl.mbn maybe not available... or...
But maybe if we can attach such S8600 we can see few infos...
Best Regards
Edit 1.
About QPST Version contain this eMMC...
Code:
4. RELEASE NOTES
...
10/27/11 QPST [B]2.7.378[/B]
1) Add support for QSC11x5 CDMA only (4073) and CDMA+GSM (4074).
2) Fix problem with eMMC Software Download not correctly patching addresses > 8 GB.
10/13/11 QPST 2.7.377
1) Fix crash when QPSTServer.config are NULs (bad format).
2) Add model ID 4072 = "APQ8064". Apps processor only, no service programming.
3) Change flash programmer name from nprg9615.hex to nprg9x15.hex.
4) Add emergency download support for user partitions.
5) Fix case where user partition download fails if the flash programmer is on a file share.
6) Fix error case when add port is used but no port is specified.
7) Fix case where restoring an EFS file doesn't work if the file was modified by QXDM.
8) In Service Programming BC SMS fix case where if user enters 32 as the service type it get written to NV as 4096.
9) Fix case where a phone will stay in "no phone" state if the phone takes > 20 seconds to reboot.
10) Take care of cases in eMMC Software Download where we try to lock the disk volume but the drive letter isn't available.
11) Fix "server busy" issue when a device connects but it's modem isn't running.
12) Insert more status message in Memory Debug app so that we can see why fast unframed dump failed.
8/17/11 QPST 2.7.375
1) Add support for MDM9615 (model 4070). Rename model 4068 to 7627A-ANDROID from SURF7627A.
Add model 4071 (7627A-WinMob). Add 1x/UMTS service programming to 4068 and 4071.
2) eMMC Software Download: Don't try to lock volume if drive letter not present.
Devices that use GPT will not mount and get a drive letter assigned.
7/22/11 QPST 2.7.374
1) Added missing file to installer to fix Service Programming problem in 2.7.373.
2) For eMMC Software Download, abort the download if a sparse="true" directive is present.
Sparse files cannot be downloaded with QPST, only with fastboot.
3) Began the process of moving QPST application and server settings from registry to
configuration files.
4) Added more error checking to EFS Explorer file drop code.
7/5/11 QPST 2.7.373
1) Add support for SURF8960 model ID 4069.
2) Fix issue with Port Enable/Disable for IP Ports.
3) NAND Software Download: Correct flash programmer descriptions for 7225A, 7625A, 7227A, and 7627A.
4) Roaming List Editor: Added two new bands LTE 24 and LTE 25.
5) eMMC Software Download:
- Fix problem where some file names print as "(null)".
- Add support for Meta Build contents.xml file ("Build Contents"). The contents file will provide the path for the
rawprogram and patch files, extra search paths, and names of flash programmer and boot image files.
- Ignore unexpected elements in schema.
- Support zeroout directive to zero parts of partitions.
- Allow usage by app of "orderly" as well as surprise removal storage devices.
- Add support for computations in the <patch> (CRC32 for GPT support), <program>, and <zeroout> directives.
6) EfsExplorer:
- Enable reset button in Efs Explorer even if target not in offline mode.
- More text description in Mode column for Efs Explorer
- Modify the list context menu of Efs-Explorer.
- If the proposed item file size copy is > 2048 bytes, warn the user and bail out.
...
Adfree,
link pls for founded S8600XXKI9.zip
link pls for founded S8600XXKI9.zip
Click to expand...
Click to collapse
http://hotfile.com/dl/145796951/79ecec6/S8600XXKI9.zip.html?lang=de
Try this. If not then I search again...
About fsbl.mbn...
I have searched for fsbl_hw.c string in 4 GB JTAG dump SAMSUNG_GTS8600_FullFlash.bin...
Can not find so I think fsbl is not or in other area...
About your Memory Dump FROM_MEM_0_128MB.bin
I am not 100 % sure but maybe read problems...
Short tried to extract Cert, but string Qualcomm is not written correct...
Q5alcomm1
qualcoem.com
Click to expand...
Click to collapse
Best Regards
I try to read again memory dump )
thanks for links...
Also,
i find,what samsung used OKL4 Microkernel 3.0 (maybe 4.0)
http://wiki.ok-labs.com/Release/3.0
About ver 4.0 --
The OKL4 Microvisor is designed from the ground up as a high-performance mobile virtualization platform. It is a microkernel-based embedded hypervisor - called a Microvisor, with a small footprint and the right combination of performance and hardware support to target mobile telephony use. The OKL4 Microvisor 4.0 is distinguished by supporting mobile virtualization, componentization, and security, enabling a new generation of applications and capabilities with impact across the mobile ecosystem.
OKL4(with Qualcomm RTOS) also used in modem AMSS
http://forum.xda-developers.com/showthread.php?t=1829915
Need overview/list with Firmware packages with Bootfiles included...
Here this is what I have...
Later I will compare if difference...
Code:
XXKI9
XXKJC
S8600BOKJ1_TPLKJ1.rar
S8600BOKK6_S8500TPLKK7_T-Mobile.rar
S8600JPKK2_S8500OJPKK2_OJP.rar
S8600ZCLA1.7z
S8600NAKL1_S8600EPLKL1
Best Regards
Hi.
I have this certain problem with my new Galaxy W. I updated it to the latest available firmware, just as I would with any other device (Odin + .OPS + 2.3.6 XEH) but the touch input does not respond to anything after that.
Any ideas?
E: Nevermind, sucker's luck.
Code:
[1.005523] melfas_mcs8000_i2c_read set data pointer fail! reg(30)
[1.005645] melfas_mcs8000_read_version : Can't find HW Ver, FW ver!
[1.006378] melfas_mcs8000_i2c_read set data pointer fail! reg(65)
[1.006500] melfas_mcs8000_read_version :Window Ver : error
[1.006561] [TSP] Read Version Failed !!
[1.006713] [TSP] ERROR : There is no valid TSP ID
[1.006835] [Melfas] ret : 0, melfas_mcs8000_ts->client name : mcs8000_i2c