Related
For investigation I'm searching for oldest Firmware...
At the moment I found "only".
S8500XXJB6.rar
Differences:
1.
Few adresses not same in Multiloader
2.
Not running on my handset... accept amss.bin
3.
TriX can't extract anything...
PSAS can't decrypt apps_compressed.bin
4.
Bootloader different
Best Regards
older firmware, like S8500XXJB6 is a bit different (is much closer in structure to S8000)
ad. 2, i assume you have newer bootloader in phone (it won't accept older one)
ad. 3, shp, csc file signature is a bit different (will be fixed soon). FS file is just fat16 image (TriX support fat images via FATe plugin, i have no idea fat images was used before, i will add FATe plugin in next build)
ad. 4, if someone still has that firmware in phone is very luky guy. I can bet with jet android port can be ported to it with any problem - JB6 bootloader is not crypted.
5.
Rsrc2_S8500(Low).rc2 works also in JI5 for instance...
Different Boot Pics... maybe this helps to identify location of each Pic.
Battery...
Samsung Logo...
.
.
.
Maybe we find out, which Format... maybe also QMG.
Best Regards
you can already extract rc2 files
use the same program that is used for older samsungs
this one if I'm not wrong
http://code.google.com/p/samsung-firmware-tools/
I've used Tool WinImage for extraction of *.FFS... renamed into *.img
Usefull also for FFS of other bada handsets like:
S5250
S5330
S5750
S7230
In CSC of S8500XXJB6 I navigate via 005C00 to see where folder/file is.
Best Regards
Still problem.
That I can't bypass Bootloader Security...
Not with Multiloader nor with JTAG...
My knowledge how Boot is correct written + activated... = 0
I saw some other Firmware from other models... it seems IMRC is still used...
Maybe someone found Algo or Tool to decode RC1.
Thanx.
Best Regards
Blub...
XXJB6 unfinished mission...
2 new Firmware good for research.
XXJEB as bada 1.x Firmware... nearly all Certs removeable...
Only Integrity check for *.so files left.
For bada 2.x
XPKG5 very interesting...
Only bad, I can't find where these 2 last Certs are stored?
Code:
SamsungSBRootCA.cer
Samsung_RootCA.crt
Best Regards
New attempt with JTAG... but again failed... :crying:
Magic is now CMM Script...
BUT I have only ELF from XXJEB...
Maybe this is the reason why Multiloader not flash XXJB6 Bootloader...
Now I could learn more about CMM...
To flash correct file to correct address...
Or maybe way to extract RC1 ... because old IMRC Algo...
Not sure if maybe broken for other Samsung handsets...
Best REgards
Hmm, I can see S8000 Jet use for RC1 also IMRC...
Maybe possible to flash RC1 XXJB6 to S8000, then copy content from handset...
Best Regards
Please help.
I am searching for friendly S8000 Jet User.
Can someone confirm working Command:
Code:
FmSecureMode off
And I wish content of S8000 folder System please.
See here what I mean:
http://forum.xda-developers.com/showpost.php?p=12436452&postcount=1
Thanx in advance.
Best Regards
http://forum.xda-developers.com/showpost.php?p=34508619&postcount=132
Now I have own S8000 Jet...
First try to flash RC1 from XXJB6 fail...
NAK_invalid_len
Need more knowledge about S8000...
Best Regards
Edit 1.
Maybe no chance... I have forgotten to check size...
Rsrc_S8000_Open_Benelux_OCE.rc1 is 80 MB
Rsrc_S8500_Open_Europe_Common.rc1 is 100 MB
Maybe S8000 not reserved 100 MB for RC1... :crying:
Edit 2.
I have removed 20 MB...
S8000 Jet start with reduced XXJB6 RC1
Now I copy System folder...
Maybe few files corrupted and over 20 MB missing...
But better then nothing. :victory:
http://forum.xda-developers.com/showpost.php?p=34518982&postcount=34
Okay, second attempt successfully read few files from XXJB2 RC1...
And I found limit for RC1 in S8000...
Code:
> FLASH_RSRC1_SIZE : [B]0X04B00000[/B]
> FLASH_RSRC1_START_ADDR : 0X03700000
> FLASH_RSRC1_END_ADDR : 0X08200000
So ""80 MB"" ...
Will check older Firmware, maybe more place in other Versions reserved...
Best Regards
http://www.mediafire.com/?um7dr5ufti7h0dx
Here is folder with RBMs from XXJB6.
Also not all are visible with Wave_Remaker...
Few are funny and interessting...
Later I will upload more... but again.
During small reservation of S8000 I was only able to flash 75 MB of 100 MB from RC1.
Maybe also few files are corrupt... Not checked all.
Best Regards
I'm trying to collect few other Firmware from other Samsung devices...
U700 IMRC seems other algo maybe...
Bluescreen ... on S8000
FmMountVolume
Fm_FS_LFS
FM_PARTITION_LFS_C
Next try is M8910 RC1...
Btw. I have forgotten XXJC5 is also IMRC and bigger then XXJB6...
Later more...
Best Regards
Edit 1.
M8910 RC1 without problems work on S8000...
Remember only end.bin last 1024 Byte have to be modified for correct addresses...
Edit 2.
S5620 RC1 tested...
It seems more compatible then U700 RC1 but also loop...
Maybe if I can disable Animation Power ON then chance to check next Error...
New Year... New attempt
Bootfiles Mixed with XXJEB...
boot_loader.mbn from XXJEB
dbl.mbn from XXJB6
Multiloader can flash this combination and it seems XXJEB then work...
I hope if I manage to understand how to use Binary instead ELF in CMM Script, then maybe I am 1 day able to flash Boot from XXJB6...
Best Regards
IMRC related... there are more Samsung devices with IMRC compressed RC1...
Code:
RC1(IMRC) compatible size
S8000 x 75/80
S8500 XXJB6 x 100+
M8910 x 75/?
S5620 -
U700 -
F480 -
S5510 -
S7350 -
G800
U900
I am not sure if different IMRC Versions... because mandatory few RBM files needed in System folder...
Best Regards
Edit 1.
Sometimes I can see Power ONOFF Animation...
Edit 2.
It seems IMRC different Versions... see first 8 Byte...
F480 for instance compared with S8500...
I think at 0x14 4 Bytes for DEcompressed size stored... Little Endian
yes, the header is different.
index - also. but it is clear.
the compression algorithm - still a mystery
PHP:
//magick //always1 //index_type //size??? //count //array of tail size or offset
G80LXEIE1 0x43524D49 0x00001000 0x0000000B 0x00000006 0x02464A38 0x00002466 0x00000000 0x00000338 0x000004A0 0x000007C8 0x00000924 0x00000BA4 0x00000CFC 0x00000F94 0x000010E4
U70BXEIF1 0x43524D49 0x00001000 0x0000000B 0x00000006 0x01E5BB48 0x00001E5D 0x00000000 0x00000338 0x00000498 0x00000774 0x000008B8 0x00000BC4 0x00000D28 0x00000EF8 0x00001028
F480XEHE1 0x43524D49 0x00001000 0x0000000C 0x00000006 0x01A55024 0x00001A56 0x00000170 0x0000030F 0x0000013A 0x000002F6 0x00000147 0x000002B6 0x000000E4 0x00000295 0x00000144
F48FXEID1 0x43524D49 0x00001000 0x0000000C 0x00000006 0x01EF4A6C 0x00001EF5 0x0000016C 0x000002E7 0x0000014B 0x00000335 0x0000012D 0x000002A1 0x000000E0 0x00000277 0x0000013F
S5510XEIJ1 0x43524D49 0x02000400 0x00001000 0x0000000C 0x00000006 0x01CC581C 0x00001CC6 0x00000165 0x00000358 0x000000AE 0x00000277 0x000000BD 0x00000284 0x0000015D 0x00000327 0x000000EC
S735EXEII2 0x43524D49 0x02000400 0x00001000 0x0000000C 0x00000006 0x02A74E80 0x00002A75 0x00000147 0x0000033A 0x000000D4 0x000002A0 0x000000B5 0x0000027E 0x00000125 0x00000315 0x00000111
S8500XXJB6 0x43524D49 0x02000400 0x00001000 0x0000000C 0x00000006 0x09BF64A0 0x00009BF7 0x00000141 0x000002DC 0x00000116 0x00000280 0x0000014B 0x000002FB 0x00000155 0x000002D4 0x00000124
U90UXEIE3 0x43524D49 0x00001000 0x0000000C 0x00000006 0x032BAF08 0x000032BB 0x00000168 0x0000030B 0x0000012F 0x000002C3 0x0000013F 0x000002D0 0x00000103 0x00000272 0x000000D0
I don't understand if RC1 is decompressed by Bootloader or by apps_compressed.bin...
QMD in Header is in later Firmware from S8500...
Short tested...
I can change this in RC1...
QAB
S8500 starts normal...
If I try to change all 3 letters... then short Bluescreen... But I can't see Error message fast enough... maybe later...
I have changed into 123 instead QMD...
Will check again... Maybe I can capture Bluescreen...
Video or something else...
Later I will try this with S800 and IMRC textstring...
I want to identify if Boot or apps_c task to decompress RC1...
Best Regards
Edit 1.
I hope Pic is readable... Tested with Debug Level high and on XXJEB S8500...
Looks like something like this...
Code:
QuramMduceRFlashInitM((void*)pFotaRsrcCompHeader[QURAM_RSRC_BIN_TYPE_LFS]
Found in apps_compressed.bin...
Hmmmmmmmmmmmm. In theory it seems I don't need Bootloader from XXJB6...
BUT... damn apps_compressed.bin is also secured by something ugly...
Last 1024 Byte... aka end.bin...
Anyway... will now check again IMRC Header in S8000...
Maybe here also possible to force Bluescreen in Debug Level High...
Best Regards
If I destroy IMRC Header on S8000... XPJA1... Debug Mid...
Later I will try to catch all 5 Bluescreens..
Here 1/5...
Best Regards
Code:
RC1(IMRC) compatible size
S8000 x 75/80
S8500 XXJB6 x 100+
M8910 x 75/?
S5620 -
U700 -
F480 -
S5510 -
S7350 -
G800 -
U900
S5600 -
B5310 -
Found few more devices...
It seems - not ever means incompatible... I can see sometimes Power ONOFF Animation... smaller Resolution then 480 x 800... So maybe reason is smaller *.rbm files force to Reboot... Will check "later" with Debug Mid...
Best Regards
http://code.google.com/p/badadroid/downloads/detail?name=bTerm_v0.13.zip&can=2&q=
sample bada terminal application. Connected device is detected automatically.
Available commands:
open - open the COM port
close - close the COM port
dump <address> <length> - dump NAND area
dumpram <address> <length> - dump RAM area
run <path_to_file> - execute the code from file
exit - terminate program
Keep in mind reading from invalid address cause Data Abort exception occurs.
Click to expand...
Click to collapse
Thank you very much b.kubica
As my brain is too small to try/understand all things.
Maybe others have tried?
Thanx in advance.
Best Regards
I am too stupid to read RAM...
http://forum.xda-developers.com/showthread.php?t=1093565
Maybe we can find in RAM uncompressed bada 2.0 stuff or for instance content of *.rbm files...
Maybe someone can please help me.
Thanx in advance.
Best Regards
bTerm works (for now) only in download mode. though implementation via AT command should be possible
Run executable
Hello, is run file implemented?
I tried to run programs on GT8500 (FW 1.2), and always get error like this:
>run Solitaires.exe
term_send: only sent 0 bytes of 8210
term_receive: ReadFile returned error!
OK - 0
>run LyricLegend.exe
term_send: only sent 0 bytes of 8209
term_receive: ReadFile returned error!
OK - 0
I needs a way for running console programs on device for unit testing. Is bTerm suitable for this task?
RealGred said:
I needs a way for running console programs on device for unit testing. Is bTerm suitable for this task?
Click to expand...
Click to collapse
Damn. No! It is not. And no, it is not possible in any other way.
http://code.google.com/p/badadroid/downloads/detail?name=bTerm_v0.15.zip&can=2&q=
New Version v0.15
Thank you.
Still unsolved problem because toooo small brain... which area to enter for RAM?
Best Regards
both 0x40000000 and 0x20000000 are valid start addresses
Any idea how to patch apps_compressed.bin of S8500BUKI1 to try this on bada 2.0
I know how to decyrept and encyrept with wave remaker
Also i have a little knowledge in using hex-editior
I can flash back XXJEE bootloader for its security hole
I just need address and data to write
Best Regards
follow these posts
http://forum.xda-developers.com/showpost.php?p=17872425&postcount=383
http://forum.xda-developers.com/showpost.php?p=17876128&postcount=385
I have only bada_term.fota from v0.11
Results...
In v0.13
Code:
>dumpram 20000000 100000
dumping 1.0 MB at 0x20000000: 14%
Error receiving packet (8192 bytes at 0x20026000). Received 0 bytes only.
>dumpram 40000000 100000
dumping 1.0 MB at 0x40000000: 16%
Error receiving packet (8192 bytes at 0x4002A000). Received 0 bytes only.
>dumpram 41000000 100000
dumping 1.0 MB at 0x41000000: 16%
Error receiving packet (8192 bytes at 0x4102A000). Received 0 bytes only.
>dumpram 42000000 100000
dumping 1.0 MB at 0x42000000: 16%
Error receiving packet (8192 bytes at 0x4202A000). Received 0 bytes only.
>dumpram 43000000 100000
dumping 1.0 MB at 0x43000000: 16%
Error receiving packet (8192 bytes at 0x4302A000). Received 0 bytes only.
>dumpram 44000000 100000
dumping 1.0 MB at 0x44000000: 16%
Error receiving packet (8192 bytes at 0x4402A000). Received 0 bytes only.
I can't read more then 177 KB...
I can see such text like:
is_dirty
is_syncing
.
.
.
With v0.15 seems no successfully connection possible.
close report success, but check false and commands also...
Code:
>open
COM5 port opened with success
>check
Phone response FAIL
My PC is XP powered.
Firmware is JE7... old T-Mobile bada 1.x...
Thanx.
Best Regards
u need to compile fota from sources - it is frequently updated so there is no sense to put assembled one in badadroid downloads
u need to compile fota from sources
Click to expand...
Click to collapse
Sorry, I'm an user. Not an Coder or user with Coding skills.
So my head explode before compiling something successfully.
There is enough space to upload FOTA + corresponding bTerm Version.
Maybe FOTA here as attachment.
Please.
Thanx.
Best Regards
fair enough
http://badadroid.googlecode.com/files/bada_term.zip
>open
COM5 port opened with success
>check
Phone response OK
Click to expand...
Click to collapse
Thank you very much, now v0.15 works on my XP with the new FOTA.
First success
Code:
>dumpram 20000000 8000000
dumping 128.0 MB at 0x20000000: 100%
Seems the 128 MB unit as bigger range interrupt...
I'll try now at 0x40000000
Best Regards
Edit 1.
Result:
Code:
>dumpram 40000000 10000000
dumping 256.0 MB at 0x40000000: 59%
Connection failed!
Abandoning dump with total received 0x0997C000 bytes.
Size is now around 157 MB...
Anyway...
I have some files for study.
Big thanx.
maybe I set to small timer intervals. I will increase it in next release
btw, u can start now dump from 0x4997C000 and then combine it with previous one
b.kubica said:
maybe I set to small timer intervals. I will increase it in next release
btw, u can start now dump from 0x4997C000 and then combine it with previous one
Click to expand...
Click to collapse
Working on S8530 ?
yes if you have correct fota assembled
b.kubica said:
yes if you have correct fota assembled
Click to expand...
Click to collapse
Its seem's my Xp have some PATH problem cant find COM says COM0, tested in another comp Win7 worked, Thank you.
its not path problem - looks like you have not installed samsung drivers
could you check something for me? connect phone in download mode, open regedit and go to HKLM\HARDWARE\DEVICEMAP\SERIALCOMM and send me all values stored in this key
b.kubica said:
its not path problem - looks like you have not installed samsung drivers
could you check something for me? connect phone in download mode, open regedit and go to HKLM\HARDWARE\DEVICEMAP\SERIALCOMM and send me all values stored in this key
Click to expand...
Click to collapse
Reinstalled driver properly now works but check fail
Compiled bada_term.asm on BADA2.01
Flashin bada_term.fota
DLMODE
i tried also CHARGING 0 same
; FOTA_SHADOWING equ 1
CHARGING_CONTROL equ 1
include 'S8530JPKA1.inc'
include 'macros.inc'
include 'vars.inc'
include 'functions.inc'
Maybe i need other firmeware ?
Im on original Orange firmware bada 1.2
SecretKey.key
Any idea what this is for?
Searched little bit through folder Security...
Found in S8500XPKJ1.
Best Regards
For quick insight:
Main function is SpkiDispatch , it does create this file by calling SpkiSaveMasterSecretKey, together with that key it does create directories
"/Security/Log/"
"/Security/Log/Cert/"
"/Security/CM"
SpkiSaveMasterSecretKey does use functions
SecFrameGetIMEI
SpkiBase64Decode
SecCrDecodeRSAPublicKeyEx
Whole "Spki" functions family seems to be related with OS certificate manager. And yeah, looks like it is based on IMEI, or does include IMEI itself.
//edit:
Oh yes, string which is hardcoded into APPS and is being decoded by Base64 during runtime (probably kind of init state of the key) is
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKyA2m2/PTRbsv9Y+39R6wroIniRv3nAUcOPH6dhg/9+2sCoWk0BgDtmfNMtUpueEzAr1OmAtxIfxt+gcaaFGDTr2NiY4ML9NhIv0frmlEsE8CLZFcMLYnCaeo7IMpDhnkUJA/aFhm42hmHM//e9sW2zOeN/oFrZ6wH7BEJmVEpQIDAQAB
Click to expand...
Click to collapse
from the looks of that string - I think you're looking at ... ahem wait for it ... a secret key -- or perhaps one half of a public/private key pair. Something that AES128 would be perfect for... good luck cracking that one.
Compared between S8500 and S8530... both on KJ1:
Code:
535730310093C300064D4F42494C45C5000431303234C60080
Something human readable like this:
Code:
SW01 MOBILEÅ 1024
So first 25 Bytes are for header...
Then 128 Bytes...
Hmmm... 128 Bytes could be RSA 1024 encrypted...
Best Regards
Factory Production Mode
This seems interesting... for me...
Tested on XXJEB...
If I play with Developer Commands... for instance:
Code:
> *> cmd="[B]CheckFPM[/B]"
> DevGetHomeDLFlag : Address(0x1dcc0000) flag(0xffffffff)
> RbmCHCheckHomeDLFlag : FLAG value=0x8,result=0
> *> return value = -1 (0xFFFFFFFF)
Code:
> *> cmd="[B]EnableFPM[/B]"
> DevGetHomeDLFlag : Address(0x1dcc0000) flag(0xffffffff)
> DevSetHomeDLFlag : Address(0x1dcc0000) flag(0x0000fff7)
> DevGetHomeDLFlag : Address(0x1dcc0000) flag(0x0000fff7)
> RbmCHEnableHomeDLFlag : FLAG value=0xfff7,result=1
> *> return value = 1 (0x00000001)
and...
Result is, after next Boot Wave starts with this funny Screen blue, then green... known by wrong key combination...
If I have changed to Qualcomm before... I can also write NV items via QPST...
Maybe here are more funny Flags possible... Check in JTAG dump at 0x1DCC0000...
Best Regards
I have found reason, how Wave checks "valid" apps_compressed.bin... also Boot...
Multiloader or every Flashing action writes own 512 Byte Info Block...
You can find them in 512 MB Full dump... from JTAG or from Ram Dump eXtractor:
http://forum.xda-developers.com/showpost.php?p=39658811&postcount=23
Search for this HEX value...
Code:
3412CDAB02000000
Now you can see your PC name... and your Country too...
your own IP address is also stored...
The other data are from last 1024 Bytes from boot_loader.mbn and apps_compressed.bin... parts of it... later more...
Sometimes I can see this... no idea yet why... or what:
Code:
Init Case 2
or
Code:
C#O#D#E Set
Hmmm... if I see this about Code... searching for and I find this in Boot...
Code:
Samsung:UNLOCK-KEY:/Security/Disabled
Fixed one for Samsung 3G platform. This string should be long ecnough maximum length is 128 bytes
[B]A#D#D#R[/B] Set C#O#D#E Set
Hmmm, will try later...
Anyway, with this I have solved my BIG problem after M210S Firmware...
For now only with JTAG possible, but maybe later other solution... for instance via FOTA...
Best Regards
Code:
gHostInfo.pComputerName =
gHostInfo.pIP =
gHostInfo.pLocation = Germany
gHostInfo.pToolVer =
gHostInfo.uDatePC =
Nand Read ECC count 0, Retry total count 0
=================================
BootDebugBuffNandWrite
=================================
Taken from S8000 Jet dump...
Here more clear what Multiloader writes from your private data...
Best Regards
I'm trying to remove this from MultiLoader V5.67.exe...
Found in .exe
Code:
GetLocaleInfo
GetComputerName
Leads to kernel32.dll ...
Maybe I can find something else...
GetDateFormat crashes Multiloader...
Also
GetCalendarInfoA
To change into Set... I think its dangerous not to kill my Windows...
Best Regards
Edit 1.
GetComputerNameW for Unicode instead GetComputerNameA
Now Multiloader only writes first Character of your Computername... :angel:
Back to the Info Block with 512 Byte....
With Command PrtSecBoot
Code:
> SecBoot : slot num(2), mass production(0), verSecurity(2), slot age(3)
> SecBoot : invalid binary key detected
> SecBoot : slot age(3) Usb Version("S8530+XX+LA1"), usb age(1), Usb Creation time stamp "42/01/05 10:05"
> SecBoot : Code Version(""), code age(1), Code Creation time stamp ""
> SecBoot : Code Download device time("00/01/01 00:00:GMT"), host PC time("43/06/06 15:23:GMT")
> SecBoot : Used Downloading Tool is FastMultiLoader 0 5.6.7
> SecBoot : Download hostname("[COLOR="Red"][B]yourPCname[/B][/COLOR]"), location("Germany"), ip(1x3.1x3.9.xx)
> SecBoot : SysInfo change device time("00/01/01 00:00:GMT"), host PC time("00/01/01 00:00:GMT"), tool ver(""), change Method(0), age(0)
In this Info Block are stored 2 RSA 512 Signatures from Boot and 1 from apps_compressed.bin... from apps_c the second RSA 512 Sig... see here:
http://forum.xda-developers.com/showpost.php?p=38088383&postcount=68
I was able to try few things...
I can manipulate
verSecurity(2), slot age(3)
Click to expand...
Click to collapse
But tried to find
mass production(0)
Click to expand...
Click to collapse
tool ver("")
Click to expand...
Click to collapse
Here I can see Init Case 2... so this should be position for ... also:
C#O#D#E Set
I think this is set, if Unlock via Code... in theory...
A#D#D#R
No idea yet...
Maybe in this Info Block it is possible to complete disable Security check...
Best Regards
Little progress...
I am able to erase/overwrite address in 512 MB OneNAND manually via sending Commands...
http://forum.xda-developers.com/showpost.php?p=42919458&postcount=31
For now only 2000+ Bytes in FOTA area tested...
Code:
7E02EE[B]00005009[/B]8000...
7E00DD[B]00005009[/B]0008...
0x9500000 from XXLA1 S8530...
Later I hope I can erase this damn Info Block to repair my S8530 with M210S Firmware... without JTAG...
Best Regards
1.
How to find IMEI in JTAG dump?
1.1
Where is EFS address ...
2.
Contains sysinfo IMEI ?
2.1
How to find sysinfo in JTAG dump?
bada 1.x if Wave alive... in Security folder...
Then it is possible to search for in dump...
But it seems not on every Firmware on same position...
sysinfo is 6560 Bytes (19A0 HEX ) ...
Will do few tests with XXJL2... maybe laaaaaater I can identify IMEI and/or sysinfo in strange unkown JTAG dumps...
Best Regards
Edit 1.
For study maybe this:
S8500_Full512MB_IMEI_38178104728484_NandEC50_Alive
Test 1.
Search by text + Unicode... (if IMEI is correct in name...)
14 Digits instead 15...
Test 2.
Converting into NV item 550 Format...
083A...
Edit 2.
Maybe little progress... to find sysinfo in dump...
Found Header before... but there is no unique Header... with Joker between 3000 or 0 hits...
Different positions maybe "randomly" or apps_compressed Version specific...
To be sure I'm now downloading XXJF5 to compare with dump...
Strange...
I have remove sysinfo from my own JTAG dump, written back dump...
sysinfo restored or rebuild or copied from somewhere else?
Because 1:1 same...
Next attempt, to remove "Info Block" from 1FFC5000...
This is so strange...
Best Regards
http://forum.xda-developers.com/showpost.php?p=43436279&postcount=6
I'm using now this as template...
Changed only at 1FFC5000...
Then flash complete XXJL2 for compare...
Result is working S8500...
sysinfo is generated different...
And Imiation_IMEI.dat file is different...
Now will try to check few "INFO Blocks"... and compare results...
if sysinfo and/or Imiation_IMEI.dat will be different..
Best Regards
1.
How to find IMEI in JTAG dump?
1.1
Where is EFS address ...
Click to expand...
Click to collapse
Sometimes my brain works slooow...
1.
IMEI is stored in Format used in QC handsets 15 + years...
Near "MP" ... Hardwareversion...
1.1
Header of EFS seems:
Code:
ABEFCDAB
So address is:
0x1E700000
In older Firmware where Hardwareversion is PV... instead MP 2.000 or MP 1.000
Here I will check later again with open eyes... to find IMEI.
For now I will do some tests with replace ... to fully start foreign JTAG dumps to learn more about sysinfo...
Best Regards
Tested with S8500 and S8530 JTAG dumps... (on S8500)...
Attached PFS contain sysinfo and Imiation_IMEI.dat...
This force apps_compressed.bin to start with IM.. not active...
If NAND/Header Info at 0x1FFC5000 will be removed/deleted...
With RIFF JTAG for instance erase 0x1FFC 0000 to end...
For repair and educational purpose... only.
How to decrypt sysinfo?
Whole file ?
Parts of it ?
Best Regards
Little progress...
https://code.google.com/p/badadroid/source/browse/trunk/FOTA
100 years later I am able to compile these examples...
Easy under Windows 7 tested with FASMARM:
http://forum.xda-developers.com/showpost.php?p=46788023&postcount=35
I have tried with XXJEE Boot... because I need bada 1 for find sysinfo for my studies...
Very interesting.
In syssec.uniqueKey.bin I have found now S/N ...
S/N is also on Label under battery... before Samsung killed Service via Kies. It was also helpfull to download Firmware...
I was ever wondering, why I am not able to find S/N...
Anyway. These FOTA examples helps me to increase my little brain.
For now tested only these:
Code:
[B]dump[/B]_netlock_info.fota
[B]dump[/B]_unique_keys.fota
nv_[B]dump[/B].fota
Next will be write_netlock_info.ASM...
Maybe this is what I think...
Yes, I know about FLOCK. But I need this for my JTAG Fullflash journey ... and for my little brain to understand how this work...
Btw.
I have no device here with SIM or Netlock...
To look into decrypted sysinfo and see the SHA1 Hashes is also possible via these FOTAs...
Thanx.
Best Regards
Few tests later...
It seems I have to play with DEcrypted sysinfo...
http://forum.xda-developers.com/showpost.php?p=47851350&postcount=49
First test failed with write_netlock_info.ASM before...
I have used DEcrypted Version, but nothing happens...
Maybe again my fault... anyway... tiny little step forward.
1 Goal is to identify sysinfo in JTAG dump... but here I need encrypted sysinfo...
Best Regards
Aha...
The reason is not only IMEI, because normally you can find IMEI in JTAG dump, but it seems Wave can not find anymore correct sysinfo... if fulldump from other Wave is flashed via JTAG.
http://forum.xda-developers.com/showpost.php?p=47851350&postcount=49
Result is working handset without IMEI... but this no problem...
Will check if now S/N is my or also gone with the other FOTAs...
But now I can flash 512 MB Fulldump WITHOUT modification of this file...
Then restore/rebuild sysinfo via bterm + correct FOTA...
Later more.
Best Regards
"Strange"...
sysinfo contain more then 1 or 2 SHA1 Hashes...
The others looks like "not available/not active" or something...
I have no handset with Lock...
I have only compared few DEcrypted sysinfo...
Simple copy and Paste not activate the Locks...
Later more...
Best Regards
Interesting...
Unique Key known from Header Info...
Stored in 512 MB OneNAND...
Is written into MBR (512 Byte) of moviNAND...
http://forum.xda-developers.com/showpost.php?p=49989727&postcount=68
If OneNAND is full erased, by JTAG RIFF for instance... Then text instead number:
Code:
PRODUCTCODEINVALID
Hmmmm, maybe this helps me later to restore sysinfo from JTAG dumps...
Best Regards
I need for test someone with S7250 or S8600.
Please. NOW read carefully.
Only users with testdevice aka prototype aka sample aka I don't know more meanings... BUT NOT normal Retail Version.
We found PlatformDownloader...
S8600 XXKI5
S8600 XXKJ7
and
S7250 XXKJ8
Thanx for reading.
For now please only via PM.
Private Message.
Best Regards
I have cut first 1,5 MB from whole 325 MB package...
You can start and investigate...
Someone can extract Firmware from this?
Please.
I am not smart enough...
Maybe usefull files inside...
Thanx in advance.
Best Regards
But i can open nothing
Pic 3 shows full package...
Pic 4 is attached file...
Firmware starts at 0x00177000...
But I have no idea at the moment, how encrypted or compressed...
But i can open nothing
Click to expand...
Click to collapse
I can open PlatformD_S86_KJ7v1.exe... result is visible on PlatformDownloader4.png
XP SP3
Best Regards
Maybe My Windows.it is Win 7 32 Bit
... is Win 7 32 Bit
Click to expand...
Click to collapse
Short tried with Win 7 Home... 32 bit and same succes like under my XP.
But thanx for trying.
I hope one of our experts take an look. To help extraction of Firmware, maybe interesting/helpfull files included...
Best Regards
How To choose FW Files ?
Here few words about PlatformDownloader...
Again.
I have REMOVED Firmware part...
It was tooo big to upload again...
Maybe later I'll upload all 3 files... around 800 MB...
Best Regards
http://www.mediafire.com/?vk5nl5kaxak1cic
First file...
1 of 3
PLEASE
NOT NO DON'T USE with attached handset!!!
I need someone with more brain to extract Firmware from these files...
Thanx in advance.
Other 2 from S8600 will follow...
Best Regards
static.bada.com/sdk-update/2.0.2/PlatformDownloader_S8600_KJ7.exe
static.bada.com/sdk-update/2.0.2/PlatformDownloader_S8600_KI5.exe
static.bada.com/sdk-update/2.0.2/PlatformDownloader_S7250_S7250XXKJ8_2G.exe
Maybe before bada is complete dead...
Maybe usefull for research...
Best Regards
Blowfish encryption...
But ""I"" have only S7250 file decrypted...
Now S8600 files hopefully will follow...
I wish I had bigger brain.
Best Regards
Maybe this time more luck...
Tested KI5 and KJ7 S8600
With my S8500 Update starts...
Code:
Boot Binary Download Start Ch[0]
Dbl 229.4KB OK[0.2s]
Wait reset !!
Download Start Ch[0]
Amss 16916.5KB OK[5.1s]
ERR : Apps Erase
S8500 is alive...
No idea if AMSS is really written... will check later with JTAG...
Decrypted files not found yet... seems not in Temp folder...
But now I have chance to search for... maybe with OllyDbg...
CAUTION!
Not try self if no JTAG... Risk to brick handset...
Best Regards
Code:
[BOOT_V1.0 (Jan 5 2012, 19:08:14)]
SelectBootingMode: H/W...0xe.
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,DSYSPCLK: 83375 KHz,PSYSHCLK: 133400 KHz, PSYSPCLK: 66700 KHz,SYSCON_A2M: 200000 KHz
+++FIMD_Drv_INITIALIZE
FIMD_Drv_ChangeMode: MDNIE_MODE
Frame Rate:62 SCLK_FIMD:133400 kHz ClkDiv:4
S6E63M0 : LDI_Pentile_Set_Change Pentile_Value =6c
---FIMD_Drv_INITIALIZE
---FIMD_Drv_SetWinOnOff(WIN4:1)
LCD initialize Finished
Flash_Unlock failed
Poweron status - 400
FSA9480 0x03 Register = 0
FSA9480 0x0A Register = 4
FSA9480 0x0B Register = 0
FSA9480 0x07 Register = 1f
SelectBootingMode: Boot Mode = 20...
USB charging enble
Display_LSI_Boot : disp_Main_Clean
Display_LSI_Boot : disp_Main_Clean_All
Display_LSI_Boot : disp_Main_Clean
Display_LSI_Boot : disp_Main_Clean_All
Display_LSI_Boot : disp_dimming_backlight
AST_DOWNLOAD
-----------------------------------------------------
USB BOOT Downloader for s5pc100
Copyright (c) 2005 by SAMSUNG Electronic, Inc.
V1.0 (Jan 5 2012, 19:08:15)
-----------------------------------------------------
@@@@@
@@@@@
CMD_USB_INFO
@@@@@
@@@@@
CMD_USB_SET_DBG_LVL
DloadCmdUSBDebug (1)
CMD_USB_SECURITY
CMD_USB_INFO
CMD_USB_ERASE
erase_memory() : 0x49 (0x1022000)
What?? 0x49
CMD_USB_ERASE
erase_memory() : 0x8000000 (0x1cc0000)
What?? 0x8000000
DloadResponse : NAK_INVALID_ADDR 11
CMD_USB_DEBUG
1 Default Temp folder is:
C:Temp...
Now I am searching where files extracted...
Best Regards
Code:
Boot Binary Download Start Ch[0]
ERR : NAK_NO_SEC_CODE 0
Error : Appsboot Write [0.2s]
ERR : NAK_NO_SEC_CODE 0
Tested with Retail S8600 and PlatformDownloader_S8600_KI5.exe
Code:
Boot Binary Download Start Ch[0]
Appsboot 338.7KB OK[0.8s]
OemSbl 1757.7KB OK[3.5s]
partition 24.6KB OK[0.2s]
Dbl 229.4KB OK[0.4s]
Wait reset !!
Download Start Ch[0]
Amss 16654.3KB OK[25.9s]
Apps 29622.3KB OK[43.3s]
_Open_Europe_Common 40370.2KB OK[58.9s]
(Low) 2980.3KB OK[4.6s]
_Open_Europe_Common 53870.6KB OK[153.8s]
et\kj7 wave3\ShpApp 148979.7KB OK[340.7s]
_Open_Europe_Common_OXA 37380.1KB OK[122.1s]
All files complete[753.3s]
:good:
Tested on Retail S8600 with XXLD1...
PlatformDownloader_S8600_KJ7.exe work...
Warning. Be carefully... risk to brick handset...
Now I will try if this Bootloader accept M410S or M410K apps_compressed.bin...
Best Regards
Any difference between Prototype and Normal Wave ?
Any difference between Prototype and Normal Wave ?
Click to expand...
Click to collapse
Minimum Bootloader...
“CAUTION : please do not select BOOTFILES_EVTSF folder, the sample should be dead”
Click to expand...
Click to collapse
But also Hardware could be different...
CAUTION: If your sample is not able to update camera firmware, you have to backward to XXJB5 version and
1. *#197328640#
2. Select “6. Video “
3. Select “3. Camera Firmware Update”
4. Wait for 4 min.
5. Flash latest SW again.
Click to expand...
Click to collapse
Check document:
How_to_download_S8500.doc
Best Regards
Stupid question we can flash it to S8500 ? or you tried ?
GS8530_DEFAULT_MDL_V001.exe
GS7250D_DEFAULT_MDL_V001.exe
Found this and few more...
No idea what kind of Password they accept...
For me it would be interesting to see what deliver Show Info...
Best Regards
GS8530_DEFAULT_MDL_V001.exe
GS7250D_DEFAULT_MDL_V001.exe
Click to expand...
Click to collapse
Both files attached... maybe for study...
I found necessary DLLs, but I was not able to use this ML... seems Server and/or Passwords required...
Maybe for study...
Taken from somewhere here:
ftp://82-117-232-91.gpon.sta.kh.velton.ua/../../../../../../../SAMSUNG/software/
Own risk. Be carefully...
Best Regards
Hardcore protection...
Password is:
UMTS_S8530
For GS8530_DEFAULT_MDL_V001.exe
UMTS_S7250D for GS7250D_DEFAULT_MDL_V001.exe
Best Regards
Edit 1.
For RC2 Mid file Password is:
MID_USE
Hi all.
This thread only for developers! Only! No questions - when?!!!!!!!
This is my attempt to porting android on S8600.
I wrote custom bootloader - emmcboot, based on codeaurora LK-bootloader.
Bootloader is successfully start, work and trying to load android kernel from internal
microsd card.
Now is unsuccessfully,after type message "Uncompressing Linux... done, booting the kernel." device rebooted or stopped.
[370] Panel is power on
[370] Display initialized
[370] Display logo
[370] Waiting for modem+++
[370] Waiting for modem: Done
[370] smem ram ptable found: ver: 0 len: 6
[370] scratch: 0x8000000
[370] Starting in SD mode!
[370] SD_DETECT pin : 0x0
[380] Initializing MMC host data structure and clock!
[380] Error No. 2: Failure Initializing MMC Card!
[400] Decoded CID fields:
[400] Manufacturer ID: 27
[400] OEM ID: 0x5048
[400] Product Name: SD16G
[400] Product revision: 3.0
[400] Product serial number: 7C88FF04
[400] Manufacturing date: 2 2012
[410] Serial number -[410] serial number:
[410] partition misc doesn't exist
[410] error in emmc_recovery_init
[580]
kernel @ 208000 (4132528 bytes)
[580] ramdisk @ 1200000 (175204 bytes)
[580] cmdline = 'console=null androidboot.hardware=qcom user_debug=31'
[580]
Booting Linux
[580] smem ram ptable found: ver: 0 len: 6
[580] booting linux @ 0x208000, ramdisk @ 0x1200000 (175204)
[590] cmdline: console=null androidboot.hardware=qcom user_debug=31
Uncompressing Linux... done, booting the kernel.
source code for lk-bootloader for S8600:
https://github.com/Oleg-k/LK_BOOT_S8600
To build for S8600, type: "make -j4 s8600 EMMC_BOOT=1"
Also, i got memory dump, stage - after load oemsbl and before loading my bootloader.
as we see, oemsbl decompress and load apps_compressed.bin into memory,
starting at 0x200000.
https://www.dropbox.com/s/5wf6dp5gfgudkdc/MEM_DUMP_128MB.rar
And for for understanding boot process on MSM7x30, read this:
http://tjworld.net/wiki/Android/HTC/Vision/BootProcess#BootProcess
Welcome back my friend ))
If you able to port,I 100% will buy S8600
Good Luck
I was actually going to ask you what happened to the wave 3 port. Anyway Welcome back . But a question why don't you help rebellos and volk in the wave and wave II porting ? So the porting can be a bit more better. Just my question. :good:
Sounds interesting.
1.
You found ELF files for S8600 Boot ?
2.
You found way without JTAG, or JTAG is needed to write your Boot?
Thanx in advance.
Best Regards
CONFIG_DEBUG_LL
and
CONFIG_EARLY_PRINTK
plx <3
it's my current config for my kernel:
adfree said:
Sounds interesting.
1.
You found ELF files for S8600 Boot ?
2.
You found way without JTAG, or JTAG is needed to write your Boot?
Thanx in advance.
Best Regards
Click to expand...
Click to collapse
No, don't ELF files for S8600, i wrote new bootloader for boot linux kernel.
Now i use JTAG, but if we find a way to cript my bootloader,like appsboot.mbn,we will use regular multiloader
So cool!
http://forum.xda-developers.com/showthread.php?t=1443575
Blowfish encryption
Click to expand...
Click to collapse
Maybe PlatformDownloader_S8600_KI5.exe maybe have unsecured Boot...
But I can't flash nor I have connected my S8600 with RIFF...
TPs seems to small for my big Fingers...
Best Regards
oleg_k said:
it's my current config for my kernel:
Click to expand...
Click to collapse
Thanks. I'd check debug macros and debug uart configuration. There's few UART ports in it, and maybe kernel is printing to the wrong one... though this wouldn't explain why kernel unpacker is printing something (Uncompressing and booting comes already from zImage) - this would indicate that debug port number is correct. Are you sure that kernel and ATAGs location is correct, and RAM is set up properly by LK? Maybe something bad happens when kernel proceeds to enabling MMU and caches... I'm pretty clueless. :<
I collected some links I found useful in this article: http://xda-university.com/as-a-developer/porting-android-to-non-android-devices
Especially interesting for you might be last link in "Custom bootloader" section.
No, don't ELF files for S8600, i wrote new bootloader for boot linux kernel.
Now i use JTAG, but if we find a way to cript my bootloader,like appsboot.mbn,we will use regular multiloader
Click to expand...
Click to collapse
For S8500 I found way to write direct into OneNAND at:
Code:
0x0010 0001
No need to encrypt something...
With Multiloader... choose ETC.
http://forum.xda-developers.com/showpost.php?p=37229969&postcount=37
S8600 not tested...
This is far far away from perfect... but maybe helpfull.
Need someone who is able to remove restriction from ML to use lower adresses then 0x10000...
I was only able to change text strings... in ML...
Best Regards
On first page i posted bootloader source and memory dump, stage - after load oemsbl and before loading my bootloader.
To Adfree,
S8600 don't use OneNAND, used EMMC flash memory (like sd-card).
Today I've found S8600XXKI9.zip
I have forgotten this Firmware... but I have now short compared with Bootfiles from XXKJC... BIG differences... So I think this should be nearly identical with PlatformDownloader_S8600_KI5.exe
Still unsolved to decrypt or extract content of:
PlatformDownloader_S8600_KI5.exe
and
PlatformDownloader_S8600_KJ7.exe
Best Regards
Not my S8600... but user tried PlatformDownloader_S8600_KJ7.exe
It seems it was wrong Partition Table aka partition.bin...
Code:
Boot Binary Download Start Ch[0]
Appsboot 338.7KB OK[1.1s]
OemSbl 1757.7KB OK[1.8s]
ERR : NAK_FLASH_ERROR 0
Error : [B]partition Write[/B] [0.2s]
ERR : NAK_FLASH_ERROR 0
Download Start Ch[0]
Amss 16654.3KB OK[15.6s]
Apps 29622.3KB OK[54.1s]
_Open_Europe_Common 40370.2KB OK[73.5s]
(Low) 2980.3KB OK[1.9s]
ERR : NAK_INVALID_CONTENT 0
ERR : _Open_Europe_Common Erase
Now S8600 ask for QHSUSB_DLOAD
My first idea is Qualcomm QPST now...
Or maybe if Driver used, then Multiloader will work again... for second attempt..
Found only 64 Bit Driver yet... not tested nor Thread... only attachment...
http://forum.xda-developers.com/attachment.php?attachmentid=631288&d=1308601930
Will check also QPST to check what is needed...
Best Regards
Edit 1.
More Driver...
http://forum.xda-developers.com/showpost.php?p=21911621&postcount=2
Okay...
It seems for QPST fsbl.mbn is missing...
I can remember from old MSM6250 handsets it is mandatory to have all files for QPST... because otherwise you need JTAG...
Important...
Qualcomm not use Encryption for QPST files...
This is Samsung thingie + "end.bin" last 1024 Byte...
So decrypt all Bootfiles and cut last 1024 Byte...
For fsbl.mbn I will check JTAG dump from S8600...
Best Regards
Edit 1.
http://forum.xda-developers.com/showthread.php?t=1367055
downgrade_WM6_boot.zip contain fsbl.mbn ... maybe as example...
http://forum.gsmhosting.com/vbb/f634/htc-desire-s-qhsusb_dload-driver-1436354/
Found this...
Here is also fsbl.mbn maybe not available... or...
But maybe if we can attach such S8600 we can see few infos...
Best Regards
Edit 1.
About QPST Version contain this eMMC...
Code:
4. RELEASE NOTES
...
10/27/11 QPST [B]2.7.378[/B]
1) Add support for QSC11x5 CDMA only (4073) and CDMA+GSM (4074).
2) Fix problem with eMMC Software Download not correctly patching addresses > 8 GB.
10/13/11 QPST 2.7.377
1) Fix crash when QPSTServer.config are NULs (bad format).
2) Add model ID 4072 = "APQ8064". Apps processor only, no service programming.
3) Change flash programmer name from nprg9615.hex to nprg9x15.hex.
4) Add emergency download support for user partitions.
5) Fix case where user partition download fails if the flash programmer is on a file share.
6) Fix error case when add port is used but no port is specified.
7) Fix case where restoring an EFS file doesn't work if the file was modified by QXDM.
8) In Service Programming BC SMS fix case where if user enters 32 as the service type it get written to NV as 4096.
9) Fix case where a phone will stay in "no phone" state if the phone takes > 20 seconds to reboot.
10) Take care of cases in eMMC Software Download where we try to lock the disk volume but the drive letter isn't available.
11) Fix "server busy" issue when a device connects but it's modem isn't running.
12) Insert more status message in Memory Debug app so that we can see why fast unframed dump failed.
8/17/11 QPST 2.7.375
1) Add support for MDM9615 (model 4070). Rename model 4068 to 7627A-ANDROID from SURF7627A.
Add model 4071 (7627A-WinMob). Add 1x/UMTS service programming to 4068 and 4071.
2) eMMC Software Download: Don't try to lock volume if drive letter not present.
Devices that use GPT will not mount and get a drive letter assigned.
7/22/11 QPST 2.7.374
1) Added missing file to installer to fix Service Programming problem in 2.7.373.
2) For eMMC Software Download, abort the download if a sparse="true" directive is present.
Sparse files cannot be downloaded with QPST, only with fastboot.
3) Began the process of moving QPST application and server settings from registry to
configuration files.
4) Added more error checking to EFS Explorer file drop code.
7/5/11 QPST 2.7.373
1) Add support for SURF8960 model ID 4069.
2) Fix issue with Port Enable/Disable for IP Ports.
3) NAND Software Download: Correct flash programmer descriptions for 7225A, 7625A, 7227A, and 7627A.
4) Roaming List Editor: Added two new bands LTE 24 and LTE 25.
5) eMMC Software Download:
- Fix problem where some file names print as "(null)".
- Add support for Meta Build contents.xml file ("Build Contents"). The contents file will provide the path for the
rawprogram and patch files, extra search paths, and names of flash programmer and boot image files.
- Ignore unexpected elements in schema.
- Support zeroout directive to zero parts of partitions.
- Allow usage by app of "orderly" as well as surprise removal storage devices.
- Add support for computations in the <patch> (CRC32 for GPT support), <program>, and <zeroout> directives.
6) EfsExplorer:
- Enable reset button in Efs Explorer even if target not in offline mode.
- More text description in Mode column for Efs Explorer
- Modify the list context menu of Efs-Explorer.
- If the proposed item file size copy is > 2048 bytes, warn the user and bail out.
...
Adfree,
link pls for founded S8600XXKI9.zip
link pls for founded S8600XXKI9.zip
Click to expand...
Click to collapse
http://hotfile.com/dl/145796951/79ecec6/S8600XXKI9.zip.html?lang=de
Try this. If not then I search again...
About fsbl.mbn...
I have searched for fsbl_hw.c string in 4 GB JTAG dump SAMSUNG_GTS8600_FullFlash.bin...
Can not find so I think fsbl is not or in other area...
About your Memory Dump FROM_MEM_0_128MB.bin
I am not 100 % sure but maybe read problems...
Short tried to extract Cert, but string Qualcomm is not written correct...
Q5alcomm1
qualcoem.com
Click to expand...
Click to collapse
Best Regards
I try to read again memory dump )
thanks for links...
Also,
i find,what samsung used OKL4 Microkernel 3.0 (maybe 4.0)
http://wiki.ok-labs.com/Release/3.0
About ver 4.0 --
The OKL4 Microvisor is designed from the ground up as a high-performance mobile virtualization platform. It is a microkernel-based embedded hypervisor - called a Microvisor, with a small footprint and the right combination of performance and hardware support to target mobile telephony use. The OKL4 Microvisor 4.0 is distinguished by supporting mobile virtualization, componentization, and security, enabling a new generation of applications and capabilities with impact across the mobile ecosystem.
OKL4(with Qualcomm RTOS) also used in modem AMSS
http://forum.xda-developers.com/showthread.php?t=1829915
Need overview/list with Firmware packages with Bootfiles included...
Here this is what I have...
Later I will compare if difference...
Code:
XXKI9
XXKJC
S8600BOKJ1_TPLKJ1.rar
S8600BOKK6_S8500TPLKK7_T-Mobile.rar
S8600JPKK2_S8500OJPKK2_OJP.rar
S8600ZCLA1.7z
S8600NAKL1_S8600EPLKL1
Best Regards