FareBot: Read public transit RFID/NFC cards - Samsung Galaxy Nexus

Hi Everyone,
If you're looking for something to do with your GN's NFC radio, check out FareBot.
https://market.android.com/details?id=com.codebutler.farebot
I just released an updated version designed for Android 4.0 with support for Japanese cards.
http://codebutler.com/farebot-visits-japan
Hope you find it useful!

Any chance we could get Melbourne Myki implemented? More than happy to feed through details.

insty said:
Any chance we could get Melbourne Myki implemented? More than happy to feed through details.
I +1 this! Happy to help with some info if you need it!

Ditto with Brisbane's go card - happy to send you any data you need to include.

Hi,
Can't read a Singapore ezLink card, and it didn't work with a different tool (mobSenz), too. Could it be that different card standards are used?
Sent from my Galaxy Nexus using xda premium

Would be awesome if this worked with London's Oyster Cards

azazin said:
Would be awesome if this worked with London's Oyster Cards
+1
Sent from Mobile..

jrjunior said:
Hi,
Can't read a Singapore ezLink card, and it didn't work with a different tool (mobSenz), too. Could it be that different card standards are used?
Sent from my Galaxy Nexus using xda premium
There seems to be something funny with ezlink cards. Try placing the card on a flat surface, launching FareBot, setting the phone down on top of the card, and waiting 30 seconds.

Really nice application! Very handy to see travel history / balance straight off the card.
It would be nice if I could use it here in The Netherlands using the "OV-chipkaart".
Here is some technical information (if useful):
# IC manufacturer:
NXP Semiconductors
# IC type:
MIFARE Classic (MF1ICS70)
# Application information:
OV-chipkaart
* Personal card
* Valid until 26-04-2016
# Memory size:
4 kB
* 32 sectors of 4 blocks and 8 sectors of 16 blocks
* 256 blocks, with 16 bytes per block
# Technologies supported:
MIFARE Classic compatible
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible
# Detailed protocol information:
ID: 2D:87:99:XX
ATQA: 0x0200
SAK: 0x18

Does this mean I can use my Phone as a clipper card?

Can WMATA cards be supported (Washington, DC)? Shows as unsupported
Technologies:
MifareClassic
NfcA
.... edit
actually this was a Rio De Janeiro Metrorio card.... I get no response from the WMATA Smartcard

Would love to have support for the Norwegian flexus system as well!

Does this do RFID card emulation?

codebutler said:
There seems to be something funny with ezlink cards. Try placing the card on a flat surface, launching FareBot, setting the phone down on top of the card, and waiting 30 seconds.
This works with EZ-Link! I opened Farebot and kept the phone on the card for about 10 seconds. The phone beeped 3 or 4 times before Farebot read the card.
I used to be able to just tap the card without launching the Farebot app on my Nexus S though. Maybe it's something to do with ICS?

MiKA7 said:
Would love to have support for the Norwegian flexus system as well!
+1 to this, but I fear that Ruter has encrypted everything and you need access/master keys to access the data.
Code:
# IC manufacturer:
NXP Semiconductors
# IC type:
MIFARE DESFire (MF3ICD40)
# DESFire Applications:
NORTIC transport application
NORTIC card issuer application
# Application information:
Norway public transport card
* Card no: ******
* Valid till: Sunday May 31 2015
-----------------------------------------------
# NFC data set storage not present:
-----------------------------------------------
# Memory size:
4 kB
# IC detailed information:
Capacitance: 17 pF
# DESFire version information:
Vendor ID: NXP
Hardware info:
* type/subtype: 0x01/0x01
* version: 0.2
* storage size: 4096 bytes
* protocol: ISO/IEC 14443-2 and -3
Software info:
* type/subtype: 0x01/0x01
* version: 0.6
* storage size: 4096 bytes
* protocol: ISO/IEC 14443-3 and -4
Batch no: 0x8E45515660
Production date: week 45, 2004
-----------------------------------------------
# Technologies supported:
ISO/IEC 7816-4 compatible
Native DESFire APDU framing
ISO/IEC 14443-4 (Type A) compatible
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible
# Android technology classes supported:
android.nfc.tech.IsoDep
android.nfc.tech.NfcA
Tag.toString() result:
* TAG: Tech [android.nfc.tech.IsoDep, android.nfc.tech.NfcA]
# Detailed protocol information:
ID: 04:2F:39:71:45:1D:80
ATQA: 0x4403
SAK: 0x20
ATS Historical bytes: 0x80 |.|
# Memory content:
PICC level (Application ID 0x000000)
* PICC key configuration: (0x0B 01)
- PICC key required for:
~ directory list access: no
~ create/delete applications: yes
- Configuration changeable
* Master key version: 0
Application ID 0x578001 (NORTIC transport application)
* Master key configuration: (0x12 08)
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration frozen
- Max. 8 (3)DES keys
* Master key version: 131
* 8 file(s) present
- File ID 0x0A: Standard data, 32 bytes
~ Communication: plain
~ Read key: key #7
~ Write key: blocked
~ Read/Write key: key #2
~ Change key: key #1
- File ID 0x0C: Standard data, 32 bytes
~ Communication: plain
~ Read key: key #7
~ Write key: blocked
~ Read/Write key: key #3
~ Change key: key #1
- File ID 0x01: Backup data, 384 bytes
~ Communication: with MAC
~ Read key: key #7
~ Write key: blocked
~ Read/Write key: key #4
~ Change key: key #1
- File ID 0x02: Backup data, 128 bytes
~ Communication: with MAC
~ Read key: key #7
~ Write key: key #6
~ Read/Write key: key #4
~ Change key: key #1
- File ID 0x03: Backup data, 288 bytes
~ Communication: with MAC
~ Read key: key #7
~ Write key: key #6
~ Read/Write key: key #4
~ Change key: key #1
- File ID 0x04: Value data
~ Lower limit: 0
~ Upper limit: 2147483647
~ Limited credit not allowed
~ Communication: with MAC
~ Read key: key #7
~ Write key: blocked
~ Read/Write key: key #5
~ Change key: key #1
- File ID 0x05: Cyclic record file, 8 records
~ Record size: 36 bytes
~ Max. no. of records: 9
~ Communication: plain
~ Read key: key #7
~ Write key: key #6
~ Read/Write key: blocked
~ Change key: key #1
- File ID 0x06: Cyclic record file, 2 records
~ Record size: 32 bytes
~ Max. no. of records: 3
~ Communication: plain
~ Read key: key #7
~ Write key: key #5
~ Read/Write key: blocked
~ Change key: key #1
Application ID 0x578000 (NORTIC card issuer application)
* Master key configuration: (0x12 04)
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration frozen
- Max. 4 (3)DES keys
* Master key version: 197
* 1 file(s) present
- File ID 0x0C: Standard data, 16 bytes
~ Communication: plain
~ Read key: free access
~ Write key: blocked
~ Read/Write key: blocked
~ Change key: key #1
~ Contents:
[0000] 90 80 00 02 00 08 9E 39 |.......9|
[0008] 69 14 00 00 40 00 0C 40 |i...@..@|
-----------------------------------------------
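The byte pairs `(0x0B 01)`, `(0x12 08)` and `(0x12 04)` in the dump above are the raw DESFire key settings. As an added example (not part of the original post, and not FareBot or TagInfo code), this decodes them and the two-byte file access rights, then lists the configuration points a card issuer would review. It assumes the bit layout from NXP's public MIFARE DESFire documentation; the access-rights bytes are constructed from the decoded values in the dump, not read from a card.

```python
# Added example (not FareBot or TagInfo code): decode the raw DESFire
# key-settings bytes printed in the dump, e.g. "(0x12 08)", and the two-byte
# file access rights. Assumption: bit layout as in NXP's public MIFARE
# DESFire documentation.

KEY_TYPES = {0b00: "(3)DES", 0b01: "3K3DES", 0b10: "AES"}  # top bits, EV1+


def decode_key_settings(settings, key_info, picc_level=False):
    """Decode the key-settings byte and the key-count byte."""
    rule = settings >> 4  # application level: which key may change keys
    if picc_level or rule == 0x0:
        change_key = "master key"
    elif rule == 0xE:
        change_key = "key itself"
    elif rule == 0xF:
        change_key = "frozen"
    else:
        change_key = f"key #{rule}"
    return {
        "master_key_changeable": bool(settings & 0x01),
        "free_directory_list": bool(settings & 0x02),
        "free_create_delete": bool(settings & 0x04),
        "configuration_changeable": bool(settings & 0x08),
        "change_key": change_key,
        "max_keys": key_info & 0x0F,
        "key_type": KEY_TYPES.get(key_info >> 6, "unknown"),
    }


def _right(nibble):
    """One access-rights nibble: key number, 0xE = free, 0xF = never."""
    if nibble == 0xE:
        return "free access"
    if nibble == 0xF:
        return "blocked"
    return "master key" if nibble == 0 else f"key #{nibble}"


def decode_access_rights(raw):
    """Decode the 2-byte access rights (least significant byte first)."""
    if len(raw) != 2:
        raise ValueError("access rights are exactly two bytes")
    value = int.from_bytes(raw, "little")
    fields = (("read", 12), ("write", 8), ("read_write", 4), ("change", 0))
    return {name: _right((value >> shift) & 0xF) for name, shift in fields}


def review(app, files):
    """List configuration points an issuer would want to look at."""
    findings = []
    if app["configuration_changeable"]:
        findings.append("key settings are not frozen")
    if app["key_type"] == "(3)DES":
        findings.append("application uses (3)DES keys")
    for file_id, (communication, raw_rights) in sorted(files.items()):
        rights = decode_access_rights(raw_rights)
        if rights["read"] == "free access":
            findings.append(f"file 0x{file_id:02X}: readable without authentication")
        if communication == "plain":
            findings.append(f"file 0x{file_id:02X}: sent without MAC or encryption")
    return findings


# Constructed from the decoded NORTIC card issuer application in the dump:
# key settings (0x12 04); file 0x0C is plain, read free, write and
# read/write blocked, change key #1 -> rights word 0xEFF1 -> bytes F1 EF.
ISSUER_APP = decode_key_settings(0x12, 0x04)
ISSUER_FILES = {0x0C: ("plain", bytes.fromhex("f1ef"))}

if __name__ == "__main__":
    print(decode_key_settings(0x0B, 0x01, picc_level=True))
    print(ISSUER_APP)
    for finding in review(ISSUER_APP, ISSUER_FILES):
        print("-", finding)
```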

azazin said:
Would be awesome if this worked with London's Oyster Cards
+2
10char

edit: sorry wrong thread

I have one I'd like to add to the list, if the dev is taking suggestions:
Konami eAmusement pass - it's a card used for arcade games that stores your information on their network
Unsupported tag
Identifier: 84696808000104e0
Technologies: NfcV, NdefFormatable
edit: while I think about it, here we all sit and ask for things, but I'd like to say thanks for putting work into this app that reads outside-the-box NFC tags

Farebot
Hi Mr Eric,
Does Farebot support writing? Is overwriting possible without losing its current data? I want to try adding an extra command to be written in my ezlink card also.
Thanks

+1 for Oyster card support

Related

[Q] Question about amss.bin

Hello people,
Are there any tools for viewing and editing the amss.bin?
HEX Editor...
IDA...
Brain.
Best Regards
adfree said:
HEX Editor...
IDA...
Brain.
Best Regards
with revskill i got this with amss.bin
#define UNLOADED_FILE 1
#include <idc.idc>
static main() {
MakeName(0x00079B70, "Memcmp");
MakeName(0x00062160, "Memcpy");
MakeName(0x0022E924, "Memcpy");
MakeName(0x0006216B, "Memcpy_Generic");
MakeName(0x0022E92F, "Memcpy_Generic");
MakeName(0x000621D0, "__rt_udiv");
MakeName(0x00079F8C, "__rt_udiv");
MakeName(0x00062334, "strlen");
MakeName(0x0007A2C4, "strlen");
MakeName(0x00070DB2, "diag_sp");
MakeName(0x00062298, "strcmp");
MakeName(0x0007A1D8, "strcmp");
MakeName(0x0007A360, "strncpy");
MakeName(0x00072502, "diag_pkt");
MakeName(0x00062F00, "__rt_div0");
MakeName(0x0007D324, "__rt_div0");
MakeName(0x00062F10, "__32__rt_raise");
MakeName(0x0007F1F8, "__32__rt_raise");
MakeName(0x00ACC3A8, "rex_int_lock_32");
MakeName(0x00072330, "subsys_getid");
MakeName(0x0007A548, "vsprintf");
MakeName(0x00062004, "MemClr");
MakeName(0x0022E7C8, "MemClr");
MakeName(0x000725CC, "diag_subsystem");
MakeName(0x0006EC72, "diag_hdlr");
MakeName(0x000726D2, "diag_hdlr");
MakeName(0x00083D86, "diag_hdlr");
MakeName(0x00085432, "diag_hdlr");
}
What about it ?
@Tigrouzen, no segment found at 0x00079B70 etc
amss is a regular ELF with a bunch of segments
Code:
Name : LOAD
Start : 0x001E7000
End : 0x001EE000
Length: 0x00007000
----------------------
Name : LOAD
Start : 0x001F0000
End : 0x001F1000
Length: 0x00001000
----------------------
Name : LOAD
Start : 0x001F2000
End : 0x005D8000
Length: 0x003E6000
----------------------
Name : LOAD
Start : 0x005D8000
End : 0x00CDB000
Length: 0x00703000
----------------------
Name : LOAD
Start : 0x00CDB000
End : 0x00D11000
Length: 0x00036000
----------------------
Name : LOAD
Start : 0x00D11000
End : 0x00DAF000
Length: 0x0009E000
----------------------
Name : LOAD
Start : 0x00DAF000
End : 0x00DB9000
Length: 0x0000A000
----------------------
Name : LOAD
Start : 0x00DB9000
End : 0x00E9B000
Length: 0x000E2000
----------------------
Name : LOAD
Start : 0x00E9C000
End : 0x01BF9000
Length: 0x00D5D000
----------------------
Name : LOAD
Start : 0x01BF9000
End : 0x01D05000
Length: 0x0010C000
----------------------
Name : LOAD
Start : 0x01FF0000
End : 0x01FF006C
Length: 0x0000006C
----------------------
Name : LOAD
Start : 0xB0000000
End : 0xB0010CE7
Length: 0x00010CE7
----------------------
Name : LOAD
Start : 0xB0040000
End : 0xB0057000
Length: 0x00017000
----------------------
Name : LOAD
Start : 0xB0100000
End : 0xB0107207
Length: 0x00007207
----------------------
Name : LOAD
Start : 0xB0140000
End : 0xB01401B8
Length: 0x000001B8
----------------------
Name : LOAD
Start : 0xB0200000
End : 0xB0208CF3
Length: 0x00008CF3
----------------------
Name : LOAD
Start : 0xB0240000
End : 0xB024028C
Length: 0x0000028C
----------------------
Name : LOAD
Start : 0xB0400000
End : 0xB040DBE8
Length: 0x0000DBE8
----------------------
Name : LOAD
Start : 0xB0600000
End : 0xB0602000
Length: 0x00002000
----------------------
Name : LOAD
Start : 0xB0602000
End : 0xB0604000
Length: 0x00002000
----------------------
Name : LOAD
Start : 0xF0000000
End : 0xF001F878
Length: 0x0001F878
----------------------
Name : LOAD
Start : 0xF0020000
End : 0xF0026000
Length: 0x00006000
load amss.bin with TriX, dump decoded stage (elf format) and analyze with disassembler (e.g. IDA)
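The segment check described in the reply above, as an added example that is not part of the original posts: it parses the program headers of a 32-bit little-endian ELF and reports which addresses from the posted IDC script fall inside a LOAD segment. The sample image is constructed (headers only) from three of the segment ranges listed above; an address that is mapped is not thereby confirmed to carry the right name.

```python
# Added example: check which addresses from the IDC script fall inside a
# PT_LOAD segment of a 32-bit little-endian ELF such as the decoded amss image.
import struct

EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # Elf32_Ehdr, 52 bytes
PHDR = struct.Struct("<IIIIIIII")          # Elf32_Phdr, 32 bytes
PT_LOAD = 1


def load_segments(image):
    """Return sorted (start, end) virtual address ranges of PT_LOAD segments."""
    if len(image) < EHDR.size or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if image[4] != 1 or image[5] != 1:
        raise ValueError("only 32-bit little-endian ELF is handled here")
    fields = EHDR.unpack_from(image)
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    if e_phentsize < PHDR.size:
        raise ValueError("program header entries are too small")
    segments = []
    for index in range(e_phnum):
        offset = e_phoff + index * e_phentsize
        if offset + PHDR.size > len(image):
            raise ValueError("truncated program header table")
        p_type, _, p_vaddr, _, _, p_memsz, _, _ = PHDR.unpack_from(image, offset)
        if p_type == PT_LOAD and p_memsz:
            segments.append((p_vaddr, p_vaddr + p_memsz))
    return sorted(segments)


def find_segment(segments, address):
    """Return the (start, end) range containing address, or None."""
    for start, end in segments:
        if start <= address < end:
            return (start, end)
    return None


def check_symbols(segments, symbols):
    """Pair every (name, address) with its containing segment or None."""
    return [(name, addr, find_segment(segments, addr)) for name, addr in symbols]


def build_sample_image():
    """Constructed sample: ELF header and program headers only, no contents."""
    # (start, length) pairs copied from three LOAD entries in the thread.
    loads = [(0x001F2000, 0x003E6000), (0x005D8000, 0x00703000),
             (0x00E9C000, 0x00D5D000)]
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, 2, 40, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(loads), 0, 0, 0)
    phdrs = b"".join(PHDR.pack(PT_LOAD, 0, start, start, 0, length, 5, 0x1000)
                     for start, length in loads)
    return ehdr + phdrs


# Four of the MakeName() entries from the IDC script posted in the thread.
SYMBOLS = [("Memcmp", 0x00079B70), ("Memcpy", 0x0022E924),
           ("rex_int_lock_32", 0x00ACC3A8), ("diag_hdlr", 0x00085432)]

if __name__ == "__main__":
    segs = load_segments(build_sample_image())
    for name, addr, seg in check_symbols(segs, SYMBOLS):
        where = "unmapped" if seg is None else f"in 0x{seg[0]:08X}-0x{seg[1]:08X}"
        print(f"0x{addr:08X} {name:16s} {where}")
```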
Ok guys i extract certificate from Amss S8530 XEJL2, bootloader segments full info fsbl sbl...
Also I can dump the complete NAND and find the segment and algorithm for RC1 too
This is the appscompressed.bin algorithm
0x01ca7750 RIPEMD128+160+MD4
0x01ca7750 SEAL+MD4 key
appcomp hash :
Amss algo :
0x0007fce0 CRC-16 norm
0x0007fee0 CRC-16 inv
0x0007f8e0 CRC-30
0x0007eb50 CRC30 Function
0x00b66194 CRC-32
0x00b66394 CRC32 Function
0x000800e0 CRC-32 Xilinx
0x0007eb58 CRC32 Xilinx Function
0x000800e4 CRC32 Xilinx Function
0x00c3c490 DES RAW Spbox
0x00c39381 RSA PKCS SHA1/RIPEND Digest
0x00c39390 MD2 S
0x00463548 SHA2 table
0x008fcc88 SHA2 table
0x00b6eb14 ZDeflate
0x0041a28c SHA1+MD4+MD5 init
0x008fcb08 SHA1+MD4+MD5 init
0x00c3d7f8 SHA1+MD4+MD5 init
0x0041a29c SHA1+MD4+MD5 key1
0x008fcb18 SHA1+MD4+MD5 key1
0x00c3d808 SHA1+MD4+MD5 key1
0x001a9844 SHA1+MD4+MD5 key2
0x0041ac1c SHA1+MD4+MD5 key2
0x008fcb1c SHA1+MD4+MD5 key2
0x001a9848 SHA1+MD4+MD5 key3
0x0041ac20 SHA1+MD4+MD5 key3
0x008fcb20 SHA1+MD4+MD5 key3
0x00463648 SHA2 init table
0x008fcd88 SHA2 init table
0x00c3d80c SHA2 init table
0x0046364c SHA2 init table
0x008fcd8c SHA2 init table
0x00c3d810 SHA2 init table
0x00419980 RIPEMD128+160+MD4
0x008fcaf8 RIPEMD128+160+MD4
0x00bdcca0 RIPEMD128+160+MD4
0x001a9844 MD5
0x0041ac1c MD5
0x008fcb1c MD5
0x00419980 SEAL+MD4 key
0x008fcaf8 SEAL+MD4 key
0x00bdcca0 SEAL+MD4 key
0x004fc7af HTC PUBLIC KEY
E9079DBB2452104990982132470BA20B7C795D1B4690B718B62FCD38D71D4E458FAF320374B89D5236C79BD57D2BA2D3508A4A605B0D48CB8CA5478BFE4D7D32AB0AE072BC367A9615F002D5023A617B422FEC1EF8DAD772D75E9C4F06EF624B864699A3F080D1B8E192B921D159852B2DC798F752B4F1FA529FF123D9963F73
0x00708134 Sober 128
0x00c3cd90 Sober 128 SBox
Possible algos little endian: 45
0x00315f6c AES te
Possible algos big endian: 1
Amss hash :
Amss certificate:
https://rapidshare.com/files/3061245812/1.cer
Well, the main idea was ..., to get some tools with which the amss.bin for bada v1.2 and v2 can be modified to work for the American/Australian version of the wave. Looks like there are some hardware differences and this file is containing information needed for the RF module.
Looks like there are some hardware differences and this file is containing information needed for the RF module
No idea if Hardware differences, but I'm pretty sure there are different Config/Calibration data...
Check out NV items... AMSS + NV items = Qualcomm related part...
http://www.samsunguniverse.com/forum/s8500-can-work-with-qualcomm-tools-t199.html
You could take a look at FCC documents for maybe Hardware check...
Best Regards
I think gambal refers to UMTS bands, Europe is different than in America.
UMTS bands in America are 850 - 1900
UMTS bands in Europe are 2100
bada 1.2 and above only works with Euro bands (these updates haven't officially been released in America), so as we know the file "amss.bin" contains the parameters that define which bands to work, would be good to try to edit the information to compile a new "amss.bin" to work with American bands ..
Many Americans would be happy!
...would be good to try to edit the information to compile a new "amss.bin" to work with American bands ...
But you are really sure that not NV items differ?
Maybe easier to compare NV items...
Best Regards
You mean to compare amss NV items from a 1.0 American firmware and another 1.2 European firmware?
I was import to a .Qcn file a list of NV items of my mobile (bada 1.0 american), i will compare with another one of 1.2.
Is it possible to create more NV items if necessary?
sorry for double post.
i've compared NV items of my phone, first with a 1.0 american firmware then with a 1.2 European firmware..
EDIT: thought that there were no differences because the file size was identical, but looking more attentively i find some, i will continue researching,
You tried QPST or which Tool?
And are sure there are no differences?
I have 2x S8500... with QPST difference 10 NV items + one S8500 has 10 more
Content not checked... too lazy at this time.
Best Regards
Edit 1.
File Summary:
Phone Model: 19 [QSC6270/QSC6240], Configuration Name: default, Total NV Item Count: 305
File Summary:
Phone Model: 19 [QSC6270/QSC6240], Configuration Name: default, Total NV Item Count: 319
And these are only the "official" NV items... and not the hidden one...
Example...
Code:
NV item: 2608 [NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I], index 0
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 0: 12 3d fc ff 9c 3c fc ff 26 3c fc ff b0 3b fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 1: 34 3b fc ff af 3a fc ff 2a 3a fc ff a6 39 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 2: 22 39 fc ff 9f 38 fc ff 0c 38 fc ff 65 37 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 3: be 36 fc ff 18 36 fc ff 73 35 fc ff ce 34 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 4: 2a 34 fc ff 87 33 fc ff e5 32 fc ff 43 32 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 5: a2 31 fc ff 01 31 fc ff 61 30 fc ff c2 2f fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 6: 23 2f fc ff 85 2e fc ff 85 2e fc ff 85 2e fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 7: 85 2e fc ff 85 2e fc ff 85 2e fc ff 85 2e fc ff
Sorry for my English, I mean to say that I found some differences..
Between the 2 firmwares, I found 40 different NV items using the "RF NV items Manager" program.
Example:
European 1.2 Firm:
Code:
NV item: 5059 [NV_WCDMA_2100_TX_LIN_MASTER_0_ENH_I], index 0
NV item: 5061 [NV_WCDMA_900_TX_PDM_LIN_0_ENH_I], index 0
American 1.0 Firm:
Code:
NV item: 5064 [NV_WCDMA_1900_TX_PDM_LIN_0_ENH_I], index 0
NV item: 5060 [NV_WCDMA_800_TX_PDM_LIN_0_ENH_I], index 0
(it looks like these items manage the UMTS network)
These are 2 of the 40 items that I found.. So, I imported all 40 American 1.0 firmware NV items to the phone with the 1.2 Euro firmware (using a previously modified .QCN file), then I restarted the device, but nothing happened, it still can't find the UMTS network... But I want to believe that we are close to finding the solution
If I use PSAS to display the newly added NV items, these appear as "inactive item" and those already on the phone appear as "bad parameter"
I don't know what else I can try...
Even if NV items count is different. Dump of NV area will be always the same in size. Area in oneNAND reserved for NV data is constant, and in most it's just empty space, filled with zeros.
Is it possible to dump whole NV items list using QPST? Can you guys do that and send dumps to me?
If not please search for following NV items and send me values you get (if you get any)
Int id 556
Int id 5
Int id 7
Int id 1403
String id 254
String id 387
String id 388
String id 256
String id 197
I want to prove some theory just taken from Bada kernel and need few different values to compare. These should contain Timezone, Locale and SimBlock settings. (If these NV items are even available)
Please send me PMs with dumps if you get any. Thanks in advance.
Tell me when you are ready "amms.bin" to "bada 2.0" so I can put it on my phone. I'm from Argentina. Thank you very much!
Rebellos said:
Int id 556
Int id 5
Int id 7
Int id 1403
With "PSAS" display "Inactive Item", and with "RV NV item manager" i don't these id's..
@adfree
Hey, if I wrote in phone (with "RV NV item manager") some NV items, is not take any effect... does exist another step to "activate" these items or some? maybe in Stune have to add any parameter? or maybe the "QPST Service program" tool..
I'm afraid of breaking the handset really... I just want to calibrate the UMTS bands, need these:
WCDMA_II_PCS_1900
WCDMA_V_850
http://forum.xda-developers.com/showpost.php?p=12436452&postcount=1
Other way to access NV items.
Now you can backup with sTune for instance... folders:
Code:
NV
nvm
EXTREME Caution!
Some IDs are protected... so you can maybe write/activate, but not easily remove change = brick...
Best Regards
a little question..
there is a firmware of S8530 which has bada 1.2 and 850/900/2100Mhz 3g bands capable... there are firmwares prepared for Brazil and Australia.
Is it possible to flash that amss.bin in a S8500 with bada 1.2?
I tried this, but the bootloader says "error erase amms"
amss.bin in a S8500 with bada 1.2?
If I remember correct, then yes...
Maybe not all combinations...
BUT check Multiloader ... addresses are different...
So you have to edit...
Later more.
Maybe give Link to this S8530 Firmware, so I can take a look or try for you...
Best Regards

Mifare Desfire ev1

Hi,
I am trying to clone or modify this card that I have. I do not have the keys. Is it possible? What can I do with it?
I am basically trying to clone it so it works with my phone case as it is too thick.. I'm open to melting the card and taking the internals out just to get it to work too, any suggestions?
See below for the dump:
** TagInfo scan (version 4.11.59 [β4011059]) 2016-01-04 11:09:14 **
-- INFO ------------------------------
# IC manufacturer:
NXP Semiconductors
# IC type:
MIFARE DESFire EV1 (MF3ICD41)
# DESFire Applications:
1 unknown application
-- NDEF ------------------------------
# NFC data set storage not present:
Maximum NDEF storage size after format: 4094 bytes
-- EXTRA ------------------------------
# Memory information:
Size: 4 kB
Available: 4.0 kB
# IC detailed information:
Capacitance: 17 pF
# Version information:
Vendor ID: NXP
Hardware info:
* Type/subtype: 0x01/0x01
* Version: 1.0
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-2 and -3
Software info:
* Type/subtype: 0x01/0x01
* Version: 1.4
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-3 and -4
Batch no: 0xBA4450B120
Production date: week 10, 2013
-- TECH ------------------------------
# Technologies supported:
ISO/IEC 7816-4 compatible
Native DESFire APDU framing
ISO/IEC 14443-4 (Type A) compatible
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible
# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.IsoDep, android.nfc.tech.NfcA, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.IsoDep
* Maximum transceive length: 261 bytes
* Default maximum transceive time-out: 618 ms
* Extended length APDUs not supported
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 618 ms
# Detailed protocol information:
ID: 04:43:8B:5A:56:2C:80
ATQA: 0x4403
SAK: 0x20
ATS: 0x06757781028000
* Max. accepted frame size: 64 bytes (FSCI: 5)
* Supported receive rates:
- 106, 212, 424, 848 kbit/s (DR: 1, 2, 4, 8)
* Supported send rates:
- 106, 212, 424, 848 kbit/s (DS: 1, 2, 4, 8)
* Different send and receive rates supported
* SFGT: 604.1 us (SFGI: 1)
* FWT: 77.33 ms (FWI: 8)
* NAD not supported
* CID supported
* Historical bytes: 0x80 |.|
# Memory content:
PICC level (Application ID 0x000000)
* PICC key configuration:
- AES key
- PICC key changeable
- PICC key required for:
~ directory list access: no
~ create/delete applications: yes
- Configuration changeable
- PICC key version: 129
Application ID 0x000001
* Key configuration:
- 14 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Key itself required for changing a key
* 1 file present
- File ID 0x00: Standard data, 384 bytes
~ Communication: with MAC
~ Read key: key #1
~ Write key: key #2
~ Read/Write key: key #2
~ Change key: master key
~ (No access)
--------------------------------------
As application 0x000001 is using 3DES keys, it may be possible (I'm curious too) to crack the read/write key because it's using 3DES and not something stronger like AES
lawonga said:
Hi,
I am trying to clone or modify this card that I have. I do not have the keys. Is it possible? What can I do with it?
I am basically trying to clone it so it works with my phone case as it is too thick.. I'm open to melting the card and taking the internals out just to get it to work too, any suggestions?
If you get it, please tell us.
I guess no one managed to do this and my EV3 would be even harder to do so... so no luck I suppose
My application ID is 0x000000 (PICC)

Anyway to configure CEC remote commands from TV?

Hi
I love my firestick, it does so much more than what my previous raspberry pi (running kodi) could do. However one thing the pi could do was offer perfect CEC control via my TV's remote and one goal I have is to use a single (harmony) remote to control my entire AV setup.
The firestick does offer some level of CEC support but seems to vary hugely between different TVs, in my case on my Panasonic plasma tx-p42g30 I can only get the play/pause button to work (edit: the rewind, fast forward and stop buttons also work). So something is working but maybe not mapped properly?
Surely there must be some kind of file which can be edited to help map the CEC controls correctly? Can anyone shed any light?
I had problems with a Panasonic TX-L37GN13 too.
CEC is called Viera-Cast on Panasonic TVs.
Perhaps we should create a topic in the developer board from Amazon.
Where are you from? The US support should be much better than EU support.
Greetings by Idijt
I_did_it_just_tmrrow said:
I had problems with a Panasonic TX-L37GN13 too.
CEC is called Viera-Cast on Panasonic TVs.
Perhaps we should create a topic in the developer board from Amazon.
Where are you from? The US support should be much better than EU support.
Greetings by Idijt
Whatever you think might get the ball rolling, it's one of those things before rooting was more accessible I'd assumed it'd be locked out feature to mod, but presumably with root it's a possibility now? I recall on the raspberry Pi i copied over a certain config file to enable additional buttons on my TV remote so hoping the same can be done.
I'm from the UK
My Panasonic XXX is currently not here.
Can you try to:
1. enable adb
2. open adb on a pc and type in
Code:
adb shell
or
Code:
adb shell
3. enable Panasonic's CEC and make sure you can use the few commands which are usable
4a. type in shell
Code:
su
if you had root
4b. type in the shell
Code:
cat /proc/bus/input/devices
and tell us the output
5. There should be a line with a named input, like input8 or input3.
6. type in the shell
Code:
cat THE_WHOLE_PATH_TO_THAT_INPUT_FILE
and tell us if it reacts when you press valid (working) buttons and non-working buttons.
If there are some hieroglyphics with the non-working buttons, we should be able to mention these buttons in the right keyfiles.
Greetings by Idijt
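Steps 4b to 6 above come down to finding which input node belongs to the CEC device. As an added example that is not part of the original post, this parses the text of `/proc/bus/input/devices` and returns the matching `/dev/input/eventN` node and sysfs path. The sample listing is constructed for illustration; the device name `amazon-cec` is the one mentioned later in this thread, and the other values are assumptions.

```python
# Added example: find the /dev/input/eventN node behind a named input device
# by parsing the text of /proc/bus/input/devices.
import re

# Constructed sample in the kernel's /proc/bus/input/devices layout.
SAMPLE = """\
I: Bus=0019 Vendor=0001 Product=0001 Version=0100
N: Name="gpio-keys"
P: Phys=gpio-keys/input0
S: Sysfs=/devices/platform/gpio-keys/input/input0
U: Uniq=
H: Handlers=kbd event0
B: PROP=0
B: EV=3

I: Bus=0000 Vendor=0000 Product=0000 Version=0000
N: Name="amazon-cec"
P: Phys=
S: Sysfs=/devices/virtual/input/input1
U: Uniq=
H: Handlers=kbd event1
B: PROP=0
B: EV=3
"""


def parse_devices(text):
    """Split the listing into one dict per input device."""
    devices = []
    for block in re.split(r"\n\s*\n", text.strip()):
        device = {"name": None, "sysfs": None, "handlers": [], "event_node": None}
        for line in block.splitlines():
            kind, _, rest = line.partition(": ")
            key, _, value = rest.partition("=")
            if kind == "N" and key == "Name":
                device["name"] = value.strip().strip('"')
            elif kind == "S" and key == "Sysfs":
                # The Sysfs value is relative to the /sys mount point.
                device["sysfs"] = "/sys" + value.strip()
            elif kind == "H" and key == "Handlers":
                device["handlers"] = value.split()
        for handler in device["handlers"]:
            if re.fullmatch(r"event\d+", handler):
                # Key events are read from the character device under /dev/input.
                device["event_node"] = "/dev/input/" + handler
        devices.append(device)
    return devices


def find_event_node(text, name_part):
    """Return the event node of the first device whose name contains name_part."""
    for device in parse_devices(text):
        if device["name"] and name_part.lower() in device["name"].lower():
            return device["event_node"]
    return None


if __name__ == "__main__":
    for dev in parse_devices(SAMPLE):
        print(dev["name"], dev["sysfs"], dev["event_node"])
    print("CEC events:", find_event_node(SAMPLE, "cec"))
```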
I_did_it_just_tmrrow said:
I had problems with a Panasonic TX-L37GN13 too.
CEC is called Viera-Cast on Panasonic TVs.
Perhaps we should create a topic in the developer board from Amazon.
Where are you from? The US support should be much better than EU support.
Greetings by Idijt
I've tried the commands via ADBfire and opening the adb shell - on 'su' I get a not found error (I don't have root)
On the 'cat /proc/bus/input/devices' command I get the following:
godsakes said:
I've tried the commands via ADBfire and opening the adb shell - on 'su' I get a not found error (I don't have root)
On the 'cat /proc/bus/input/devices' command I get the following:
Why did you stop at Step 5?
Like I told you, do step 6,
Code:
cat /devices/virtual/input/input1
and tell us if it reacts when you press valid (working) buttons and/or non-working buttons.
If there are some hieroglyphics with the non-working buttons, we should be able to mention these buttons in the right keyfiles.
I cannot check this before the weekend.
Perhaps you don't have the right to "cat" the input1 without su/without root, but I think you should.
Greetings by Idijt
I_did_it_just_tmrrow said:
Why did you stop at Step 5?
Like I told you, do step 6,
Code:
cat /devices/virtual/input/input1
and tell us if it reacts when you press valid (working) buttons and/or non-working buttons.
If there are some hieroglyphics with the non-working buttons, we should be able to mention these buttons in the right keyfiles.
I cannot check this before the weekend.
Perhaps you don't have the right to "cat" the input1 without su/without root, but I think you should.
Greetings by Idijt
I'm afraid I get "no such file or directory" with that command...
Point me to the safest rooting guide and I'll give it another try once rooted
godsakes said:
I'm afraid I get "no such file or directory" with that command...
Perhaps you need to mount the system partition to rw (read, write) and it is currently ro (read only).
To change this mount you need root, but you should be able to read the input.
Please do the first cat step again and make sure that in the next step you cat the right input + path from the amazon-cec device.
Perhaps the inputs are connected to devices on device startup.
godsakes said:
Point me to the safest rooting guide and I'll give it another try once rooted
Point yourself to the, perhaps available, right rooting method or guide. Sorry, but this is your device, you know your current stock FW and this is not the thread topic.
I own a stick with root, but hardware rooted with an eMMC adapter. If you live in Germany or a neighbouring country I can help you.
I hope we can leave this topic by its own topic
It really could be possible to add some keys from the tv remote.
Greetings by Idijt
Ok, I've since used king root to root the stick
Now when i type 'SU' the command line does indicate the user (if that's the right word?) is root
But I still get the same error... could you just double check I've done the right commands
Your commands seem to be right. I am not a 100% Linux pro, but I am 80% sure that I do it this way with a Xiaomi Bluetooth Controller.
Can you list the areas?
Code:
su
ls /devices/
ls /devices/virtual/
ls /devices/virtual/input/
Each line after the other.
If that does not work, tell us. You can check this too with another input and device. Did you always get that error?
By the way: you can just copy the text out of the shell/adb and put it here in a code block. This is also very nice for people who are searching for some words.
Any other here who can help us?
Greetings by Idijt
I_did_it_just_tmrrow said:
Your commands seem to be right. I am not a 100% Linux pro, but I am 80% sure that I do it this way with a Xiaomi Bluetooth Controller.
Can you list the areas?
Code:
su
ls /devices/
ls /devices/virtual/
ls /devices/virtual/input/
Each line after the other.
If that does not work, tell us. You can check this too with another input and device. Did you always get that error?
By the way: you can just copy the text out of the shell/adb and put it here in a code block. This is also very nice for people who are searching for some words.
Any other here who can help us?
Greetings by Idijt
same error with all 3 of those commands, I've tried a couple of variations of the previous step but again same error
Code:
[email protected]:/ $ su
su
[email protected]:/ # ls /devices/
ls /devices/
/devices/: No such file or directory
1|[email protected]:/ # ls /devices/virtual/
ls /devices/virtual/
/devices/virtual/: No such file or directory
1|[email protected]:/ # ls /devices/virtual/input/
ls /devices/virtual/input/
/devices/virtual/input/: No such file or directory
1|[email protected]:/ # cat /proc/bus/input/devices
cat /proc/bus/input/devices
I: Bus=0005 Vendor=0000 Product=0000 Version=0008
N: Name="amazon_touch"
P: Phys=
S: Sysfs=/devices/virtual/input/input0
U: Uniq=
H: Handlers=event0
B: PROP=0
B: EV=b
B: KEY=400 0 0 0 0 0 0 0 0 0 0
B: ABS=2650000 1000000
I: Bus=0003 Vendor=0000 Product=0000 Version=0001
N: Name="amazon-cec"
P: Phys=
S: Sysfs=/devices/virtual/input/input1
U: Uniq=
H: Handlers=kbd event1
B: PROP=0
B: EV=3
B: KEY=3ff 0 0 400000 2fc000 c3060 0 0 0 10004 210000 192 40000c01 9e3781 0 8010
0000 10000002
I: Bus=0005 Vendor=0000 Product=0000 Version=0008
N: Name="kcmouse"
P: Phys=
S: Sysfs=/devices/virtual/input/input2
U: Uniq=
H: Handlers=mouse0 event2
B: PROP=0
B: EV=7
B: KEY=70000 0 0 0 0 0 0 0 0
B: REL=103
[email protected]:/ # cat /devices/virtual/input/input2
cat /devices/virtual/input/input2
tmp-mksh: cat: /devices/virtual/input/input2: No such file or directory
1|[email protected]:/ # cat devices/virtual/input/input1
cat devices/virtual/input/input1
tmp-mksh: cat: devices/virtual/input/input1: No such file or directory
1|[email protected]:/ # cat //devices/virtual/input/input1
cat //devices/virtual/input/input1
tmp-mksh: cat: //devices/virtual/input/input1: No such file or directory
1|[email protected]:/ #
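Added example, not part of any post in this thread: a parser for the `/proc/bus/input/devices` output above, showing why the `cat /devices/...` attempts fail. The `Sysfs=` value is relative to `/sys`, the readable event node is the `eventN` handler under `/dev/input`, and the `KEY=` words are a bitmap of supported key codes. It assumes 32-bit bitmap words (as on this stick) and the AOSP key layout lookup order; the function names are hypothetical.

```python
import re

# Constructed sample: two records copied from the output posted above. The
# amazon-cec KEY line, wrapped by the terminal ("8010" / "0000"), is rejoined.
SAMPLE = """\
I: Bus=0005 Vendor=0000 Product=0000 Version=0008
N: Name="amazon_touch"
P: Phys=
S: Sysfs=/devices/virtual/input/input0
U: Uniq=
H: Handlers=event0
B: PROP=0
B: EV=b
B: KEY=400 0 0 0 0 0 0 0 0 0 0
B: ABS=2650000 1000000
I: Bus=0003 Vendor=0000 Product=0000 Version=0001
N: Name="amazon-cec"
P: Phys=
S: Sysfs=/devices/virtual/input/input1
U: Uniq=
H: Handlers=kbd event1
B: PROP=0
B: EV=3
B: KEY=3ff 0 0 400000 2fc000 c3060 0 0 0 10004 210000 192 40000c01 9e3781 0 80100000 10000002
"""


def parse_devices(text):
    """Split the listing into one dict per device; an 'I:' line starts a record."""
    devices, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if len(line) < 3 or line[1] != ":":
            continue  # blank lines and wrapped continuation fragments
        tag, body = line[0], line[2:].strip()
        if tag == "I":
            cur = {"id": dict(kv.split("=", 1) for kv in body.split()), "caps": {}}
            devices.append(cur)
        elif cur is None:
            continue
        elif tag == "N":
            cur["name"] = body.split("=", 1)[1].strip('"')
        elif tag == "S":
            cur["sysfs"] = body.split("=", 1)[1]
        elif tag == "H":
            cur["handlers"] = body.split("=", 1)[1].split()
        elif tag == "B":
            key, value = body.split("=", 1)
            cur["caps"][key] = value.split()
    return devices


def find_device(devices, name):
    return next(d for d in devices if d.get("name") == name)


def node_paths(dev):
    """Where the device really lives: sysfs directory and /dev event node(s)."""
    events = [h for h in dev.get("handlers", []) if re.fullmatch(r"event\d+", h)]
    return {"sysfs_dir": "/sys" + dev["sysfs"],
            "event_nodes": ["/dev/input/" + e for e in events]}


def decode_bitmap(words, word_bits=32):
    """Capability words are printed most-significant first; bit n = code n."""
    codes = []
    for index, word in enumerate(reversed(words)):
        value = int(word, 16)
        codes += [index * word_bits + bit
                  for bit in range(word_bits) if value >> bit & 1]
    return codes


def kl_candidates(dev):
    """Key layout file names in the order Android's input lookup tries them."""
    vendor, product, version = (int(dev["id"][k], 16)
                                for k in ("Vendor", "Product", "Version"))
    names = []
    if vendor and product:  # ID-based names are skipped when either ID is zero
        base = f"Vendor_{vendor:04x}_Product_{product:04x}"
        if version:
            names.append(f"{base}_Version_{version:04x}.kl")
        names.append(f"{base}.kl")
    safe_name = re.sub(r"[^A-Za-z0-9_-]", "_", dev["name"])
    return names + [f"{safe_name}.kl", "Generic.kl"]


if __name__ == "__main__":
    cec = find_device(parse_devices(SAMPLE), "amazon-cec")
    print(node_paths(cec))
    print("layout names tried:", kl_candidates(cec))
    print("supported key codes:", decode_bitmap(cec["caps"]["KEY"]))
```

The sysfs directory only holds attribute files; key presses are read from the `/dev/input/eventN` node with a tool that decodes `input_event` structures.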
All u have here is
[email protected]:/ # ls -la /sys/devices/virtual/input/input1/
drwxr-xr-x root root 2016-06-23 22:39 capabilities
drwxr-xr-x root root 2016-06-23 22:39 event1
drwxr-xr-x root root 2016-06-23 22:39 id
-r--r--r-- root root 4096 2016-06-23 22:39 modalias
-r--r--r-- root root 4096 2016-06-23 22:39 name
-r--r--r-- root root 4096 2016-06-23 22:39 phys
drwxr-xr-x root root 2016-06-23 22:39 power
-r--r--r-- root root 4096 2016-06-23 22:39 properties
lrwxrwxrwx root root 2016-06-23 22:39 subsystem -> ../../../../class/input
-rw-r--r-- root root 4096 2016-06-23 22:39 uevent
-r--r--r-- root root 4096 2016-06-23 22:39 uniq
BTW.
I've also got hard times with CEC with my sammy 40c650. Only FF and REW are recognized by AFTS.
There is clear visibility on triggered events but no visibility on direct input (lack of tool)
[email protected]:/ # getevent -li /dev/input/event1
Can't enable monotonic clock reporting: Invalid argument
add device 1: /dev/input/event1
bus: 0003
vendor 0000
product 0000
version 0001
name: "amazon-cec"
location: ""
id: ""
version: 1.0.1
events:
KEY (0001): KEY_ESC KEY_ENTER KEY_DOT KEY_F5
KEY_KPENTER KEY_UP KEY_PAGEUP KEY_LEFT
KEY_RIGHT KEY_DOWN KEY_PAGEDOWN KEY_MUTE
KEY_VOLUMEDOWN KEY_VOLUMEUP KEY_POWER KEY_PAUSE
KEY_STOP KEY_HELP KEY_MENU KEY_BACK
KEY_EJECTCD KEY_PLAYPAUSE KEY_RECORD KEY_REWIND
KEY_FASTFORWARD KEY_SOUND KEY_MEDIA KEY_UNKNOWN
KEY_OPTION* KEY_INFO KEY_FAVORITES KEY_EPG
KEY_SUBTITLE KEY_ANGLE KEY_RED KEY_GREEN
KEY_YELLOW KEY_BLUE KEY_CHANNELUP KEY_CHANNELDOWN
KEY_LAST KEY_CONTEXT_MENU KEY_NUMERIC_0 KEY_NUMERIC_1
KEY_NUMERIC_2 KEY_NUMERIC_3 KEY_NUMERIC_4 KEY_NUMERIC_5
KEY_NUMERIC_6 KEY_NUMERIC_7 KEY_NUMERIC_8 KEY_NUMERIC_9
input props:
<none>
Output on button pressing (only FF and REW give out anything)
[email protected]:/ # getevent -l /dev/input/event1
Can't enable monotonic clock reporting: Invalid argument
EV_KEY KEY_REWIND DOWN
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_REWIND UP
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_FASTFORWARD DOWN
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_FASTFORWARD UP
EV_SYN SYN_REPORT 00000000
The correct input device for cec on your FireStick is: /dev/input/event1.
If you want to change the behavior of your remote keys you can create a file named amazon-cec.kl under: /system/usr/keylayout.
However, I don't know how this is on the FireTV and FireTV2. On the FireTV2 I don't get any responses using getevent and evtest, and I don't own a FireTV Gen 1.
Edit:
Haven't seen the last post. Try using evtest on /dev/input/event1. It shows you the keycodes so you can assign them in the layout file.
for my old tv it would look like this:
Code:
# Copyright (C) 2010 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Custom Keylayout for Sony Bravia KDL-*EX72* cec function on FireStick
# NOTE
# This mainly maps menu to the options button and home to the home button,
# additionally we assign keys to the special buttons (red, blue, info etc.).
# To make our life easier we just assign F1-F7 to those keys.
# Comments contain original values as per evtest /dev/input/event1
# NOTE: F1-F7 seem to not get passed to Kodi!? As Workaround we use A-F
key 96 DPAD_CENTER #KPEnter (Real Enter)
key 103 DPAD_UP #Up
key 105 DPAD_LEFT #Left
key 106 DPAD_RIGHT #Right
key 108 DPAD_DOWN #Down
key 128 MEDIA_STOP #Stop
key 139 HOME WAKE_DROPPED #Menu
key 158 BACK WAKE_DROPPED #Back
key 164 MEDIA_PLAY_PAUSE #PlayPause
key 168 MEDIA_REWIND #Rewind
key 208 MEDIA_FAST_FORWARD #Fast Forward
key 357 MENU #Option
key 358 F #Info - KEY_INFO
key 365 E #EPG - KEY_EPG
#key 370 SUBTITLE #Subtitle - KEY_SUBTITLE
key 398 A #Red Button - KEY_RED
key 399 B #Green Button - KEY_GREEN
key 400 C #Yellow Button - KEY_YELLOW
key 401 D #Blue Button - KEY_BLUE
key 402 PAGE_UP #Channel Up
key 403 PAGE_DOWN #Channel Down
key 512 0 #Numeric 0
key 513 1 #Numeric 1
key 514 2 #Numeric 2
key 515 3 #Numeric 3
key 516 4 #Numeric 4
key 517 5 #Numeric 5
key 518 6 #Numeric 6
key 519 7 #Numeric 7
key 520 8 #Numeric 8
key 521 9 #Numeric 9
Reading the above 2 posts and using the command 'getevent -l /dev/input/event1'
I can get some reporting - but only for the buttons already recognised (play, rewind, fastforward, stop), I also have a play/pause button on my remote but it's recognised as the same command as the play button
Code:
[email protected]:/ $ su
su
[email protected]:/ # getevent -l /dev/input/event1
getevent -l /dev/input/event1
Can't enable monotonic clock reporting: Invalid argument
EV_KEY KEY_PLAYPAUSE DOWN
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_PLAYPAUSE UP
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_REWIND DOWN
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_REWIND UP
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_STOP DOWN
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_STOP UP
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_FASTFORWARD DOWN
EV_SYN SYN_REPORT 00000000
EV_KEY KEY_FASTFORWARD UP
EV_SYN SYN_REPORT 00000000
Try using evtest and look if the keycodes are identical or not and remap them how you like.
I don't recommend using getevent for other use than getting the correct input device. If you press some button it only shows some kind of default value for the key event reported from your input device.
If you use evtest on /dev/input/event1 you can see what I mean by looking at the top of the output.
@WheelchairArtist done & done
[email protected]:/ # evtest /dev/input/event1
Input driver version is 1.0.1
Input device ID: bus 0x3 vendor 0x0 product 0x0 version 0x1
Input device name: "amazon-cec"
Supported events:
Event type 0 (Sync)
Event type 1 (Key)
Event code 1 (Esc)
Event code 28 (Enter)
Event code 52 (Dot)
Event code 63 (F5)
Event code 96 (KPEnter)
Event code 103 (Up)
Event code 104 (PageUp)
Event code 105 (Left)
Event code 106 (Right)
Event code 108 (Down)
Event code 109 (PageDown)
Event code 113 (Mute)
Event code 114 (VolumeDown)
Event code 115 (VolumeUp)
Event code 116 (Power)
Event code 119 (Pause)
Event code 128 (Stop)
Event code 138 (Help)
Event code 139 (Menu)
Event code 158 (Back)
Event code 161 (EjectCD)
Event code 164 (PlayPause)
Event code 167 (Record)
Event code 168 (Rewind)
Event code 208 (Fast Forward)
Event code 213 (Sound)
Event code 226 (Media)
Event code 240 (Unknown)
Event code 357 (Option)
Event code 358 (Info)
Event code 364 (Favorites)
Event code 365 (EPG)
Event code 370 (Subtitle)
Event code 371 (Angle)
Event code 398 (Red)
Event code 399 (Green)
Event code 400 (Yellow)
Event code 401 (Blue)
Event code 402 (ChannelUp)
Event code 403 (ChannelDown)
Event code 405 (Last)
Event code 438 (?)
Event code 512 (?)
Event code 513 (?)
Event code 514 (?)
Event code 515 (?)
Event code 516 (?)
Event code 517 (?)
Event code 518 (?)
Event code 519 (?)
Event code 520 (?)
Event code 521 (?)
Testing ... (interrupt to exit)
Event: time 452.538264, type 1 (Key), code 139 (Menu), value 0
Event: time 452.538274, -------------- Report Sync ------------
Event: time 462.140498, type 1 (Key), code 139 (Menu), value 1
Event: time 462.140507, -------------- Report Sync ------------
Event: time 478.609635, type 1 (Key), code 357 (Option), value 0
Event: time 478.609643, -------------- Report Sync ------------
Event: time 490.073024, type 1 (Key), code 357 (Option), value 1
Event: time 490.073032, -------------- Report Sync ------------
Event: time 503.634929, type 1 (Key), code 357 (Option), value 0
Event: time 503.634937, -------------- Report Sync ------------
Event: time 513.041136, type 1 (Key), code 168 (Rewind), value 1
Event: time 513.041146, -------------- Report Sync ------------
Event: time 513.260947, type 1 (Key), code 168 (Rewind), value 0
Event: time 513.260955, -------------- Report Sync ------------
Event: time 514.352655, type 1 (Key), code 208 (Fast Forward), value 1
Event: time 514.352663, -------------- Report Sync ------------
Event: time 514.576434, type 1 (Key), code 208 (Fast Forward), value 0
Event: time 514.576442, -------------- Report Sync ------------
There is no amazon-cec.kl under /system/usr/keylayout/ (also tested all in https://source.android.com/devices/input/key-layout-files.html). I've downloaded the Sony Bravia amazon-cec, rebooted and nothing changed. Also creating a Vendor_0000_Product_0000_Version_0001.kl keylayout (same as the detected device) gives nothing... no new button recognized ever.
Did you give the amazon-cec file the right permissions and set the right owner? Also make sure to not forget the .kl at the end.
Also in my file the buttons u pressed (as seen in your post) are mapped the exact same way.
You could try to switch keycodes 139 and 208 to see if the layout file works.
Just for the record, today I updated my amazon-cec.kl file because it didn't work with my new stick on Android 5, maybe that was your problem with my file?
If you still need/want to remap the buttons here is the new file (removed deprecated WAKE_DROPPED flag and remapped Subtitle to G):
Code:
# Copyright (C) 2010 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Custom Keylayout for Sony Bravia KDL-*EX72* cec function on FireStick
# NOTE
# This mainly maps menu to the options button and home to the home button,
# additionally we assign keys to the special buttons (red, blue, info etc.).
# To make our life easier we just assign F1-F8 to those keys.
# Comments contain original values as per evtest /dev/input/event1
# NOTE: F1-F8 seem to not get passed to Kodi!? As Workaround we use A-G
key 96 DPAD_CENTER #KPEnter (Real Enter)
key 103 DPAD_UP #Up
key 105 DPAD_LEFT #Left
key 106 DPAD_RIGHT #Right
key 108 DPAD_DOWN #Down
key 128 MEDIA_STOP #Stop
key 139 HOME #Menu
key 158 BACK #Back
key 164 MEDIA_PLAY_PAUSE #PlayPause
key 208 MEDIA_REWIND #Rewind
key 168 MEDIA_FAST_FORWARD #Fast Forward
key 357 MENU #Option
key 358 F #Info - KEY_INFO
key 365 E #EPG - KEY_EPG
key 370 G #Subtitle - KEY_SUBTITLE
key 398 A #Red Button - KEY_RED
key 399 B #Green Button - KEY_GREEN
key 400 C #Yellow Button - KEY_YELLOW
key 401 D #Blue Button - KEY_BLUE
key 402 PAGE_UP #Channel Up
key 403 PAGE_DOWN #Channel Down
key 512 0 #Numeric 0
key 513 1 #Numeric 1
key 514 2 #Numeric 2
key 515 3 #Numeric 3
key 516 4 #Numeric 4
key 517 5 #Numeric 5
key 518 6 #Numeric 6
key 519 7 #Numeric 7
key 520 8 #Numeric 8
key 521 9 #Numeric 9
I switched the Rewind and FastForward buttons so you can check if it gets accepted.
You could also check logcat for any hints:
Code:
logcat | grep amazon-cec
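Added example, not part of any post in this thread: a small checker that parses two `.kl` files, lists what changed between them, flags the `WAKE_DROPPED` entries the post above says had to go, and resolves the scancodes evtest reported against the layout. The embedded layouts are constructed excerpts of the two files posted here; the function names and the `EVTEST` table are hypothetical helpers built from the evtest output in the thread.

```python
# Flag that, per the post above, had to be removed for the newer stick.
FLAGGED = {"WAKE_DROPPED"}

# Constructed excerpts of the two amazon-cec.kl files posted in this thread.
OLD_KL = """\
key 128   MEDIA_STOP                        #Stop
key 139   HOME              WAKE_DROPPED    #Menu
key 158   BACK              WAKE_DROPPED    #Back
key 164   MEDIA_PLAY_PAUSE                  #PlayPause
key 168   MEDIA_REWIND                      #Rewind
key 208   MEDIA_FAST_FORWARD                #Fast Forward
key 357   MENU                              #Option
#key 370   SUBTITLE                         #Subtitle - KEY_SUBTITLE
"""
NEW_KL = """\
key 128   MEDIA_STOP                        #Stop
key 139   HOME                              #Menu
key 158   BACK                              #Back
key 164   MEDIA_PLAY_PAUSE                  #PlayPause
key 208   MEDIA_REWIND                      #Rewind
key 168   MEDIA_FAST_FORWARD                #Fast Forward
key 357   MENU                              #Option
key 370   G                                 #Subtitle - KEY_SUBTITLE
"""

# Scancodes evtest listed for "amazon-cec" in the thread (code -> evtest name).
EVTEST = {139: "Menu", 168: "Rewind", 208: "Fast Forward", 357: "Option", 438: "?"}


def parse_kl(text):
    """Return ({scancode: (label, flags)}, [problem strings]) for 'key' lines."""
    layout, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()       # drop comments
        if len(tokens) < 3 or tokens[0] != "key" or tokens[1] == "usage":
            continue                                # blank, axis, HID-usage lines
        code, label, flags = int(tokens[1], 0), tokens[2], tuple(tokens[3:])
        if code in layout:
            problems.append(f"line {lineno}: scancode {code} mapped twice")
        for flag in flags:
            if flag in FLAGGED:
                problems.append(f"line {lineno}: scancode {code} uses {flag}")
        layout[code] = (label, flags)
    return layout, problems


def diff_layouts(old, new):
    """Scancodes whose mapping differs: {code: (old_entry, new_entry)}."""
    return {c: (old.get(c), new.get(c))
            for c in sorted(set(old) | set(new)) if old.get(c) != new.get(c)}


def swapped_pairs(old, new):
    """Pairs of scancodes that exchanged mappings (a deliberate load test)."""
    changed = diff_layouts(old, new)
    return [(a, b) for a in changed for b in changed
            if a < b and None not in changed[a]
            and changed[a] == changed[b][::-1]]


def resolve(layout, scancodes):
    """Android key label for each observed scancode, None if unmapped."""
    return {c: layout[c][0] if c in layout else None for c in scancodes}


if __name__ == "__main__":
    old, old_problems = parse_kl(OLD_KL)
    new, new_problems = parse_kl(NEW_KL)
    print("old file:", old_problems or "no findings")
    print("new file:", new_problems or "no findings")
    for code, (before, after) in diff_layouts(old, new).items():
        print(f"  {code}: {before} -> {after}")
    print("swapped:", swapped_pairs(old, new))
    for code, label in resolve(new, EVTEST).items():
        print(f"  evtest {code} ({EVTEST[code]}) -> {label or 'unmapped'}")
```

If the new file is loaded, pressing Rewind (scancode 168) acts as fast-forward; if nothing changes, the layout was not picked up.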

smartcard cloning problem

Hello
I want to clone a smartcard member card. I have managed to clone other cards, but not this other member card. I use an ACR122U with Kali Linux and nfc-list, mfoc and mfcuk.
Here the ssh session output:
nfc-list -t
nfc-list uses libnfc 1.7.1
NFC device: ACS / ACR122U PICC Interface opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 48
UID (NFCID1): 0e 45 xx xx xx xx xx
SAK (SEL_RES): 20
ATS: 37 33 91 xx xx xx xx xx
[email protected]:~# nfc-list -v
nfc-list uses libnfc 1.7.1
NFC device: ACS / ACR122U PICC Interface opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 48
* UID size: double
* bit frame anticollision supported
UID (NFCID1): 0e 45 xx xx xx xx xx
SAK (SEL_RES): 20
* Compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092
ATS: 37 33 91 xx xx xx xx xx
* Max Frame Size accepted by PICC: 128 bytes
* Bit Rate Capability:
* PICC to PCD, DS=2, bitrate 212 kbits/s supported
* PICC to PCD, DS=4, bitrate 424 kbits/s supported
* PCD to PICC, DR=2, bitrate 212 kbits/s supported
* PCD to PICC, DR=4, bitrate 424 kbits/s supported
* Frame Waiting Time: 154.7 ms
* Start-up Frame Guard Time: 0.6041 ms
* Historical bytes Tk: 5a 43 56 XX XX
* Proprietary format
Fingerprinting based on MIFARE type Identification Procedure:
* SmartMX with 7 Byte UID
Other possible matches based on ATQA & SAK values:
* JCOP31 v2.4.1
* JCOP31 v2.2
0 Felica (212 kbps) passive target(s) found.
0 Felica (424 kbps) passive target(s) found.
0 ISO14443B passive target(s) found.
0 ISO14443B' passive target(s) found.
0 ISO14443B-2 ST SRx passive target(s) found.
0 ISO14443B-2 ASK CTx passive target(s) found.
0 Jewel passive target(s) found.
[email protected]:~# mfoc -O output.mfd
mfoc: ERROR: only Mifare Classic is supported
Does anybody know this problem? Can I clone this MIFARE card?
Greets

Modifying System Files to Add a Key Layout File

Greetings Everyone,
Device: OnePlus 7T
Goal: To create a new Key Layout File (.kl) in /system/usr/keylayout for my Xbox Elite 2 Controller. Currently it's using the Generic key layout file since its product ID doesn't have a matching key layout file. This maps the double square button to "back" and really interferes with the gameplay (Destiny 2 on Stadia, can't summon sparrow or ghost and can't access the director).
I have the vendor and product IDs of the new controller, the only issue is adding the new key layout file into the keylayout directory. I can't get past the read only issue in that folder. I do have root via magisk. I've tried renaming files in the folder locally using Root Explorer and pushing via adb (read only and dm-verity issues occur). Neither work. I can't remount to make the system writable either (due to the verity issues).
Weird thing that happened, I modified a similar key layout file (same vendor ID but different product ID) in that same directory and the modification stuck. For some reason the read only restrictions were lifted briefly somehow. Can't really explain why that happened. Opened via Gamepad Tester app, modified the contents, told it to save and it saved. If I could recreate that somehow to rename the file I modified to the correct product ID, I'd be golden, but the read only restrictions have everything locked back down.
If anyone has some pro tips, I'd be very very thankful. I have been working on this for over 6 hours to no avail.
Thanks again for your potential and extremely appreciated help!
Modifying system is no go, your best shot is to create a magisk module.
Maybe this might be something you're interested in.
https://forum.xda-developers.com/apps/magisk/module-1controller-1-module-to-support-t3865889
If the layout isn't there, you could try asking the OP or adding the .kl here and zip the module up.
https://github.com/Magisk-Modules-Repo/OneController/tree/master/system/usr/keylayout
(Note: I have no idea if this magisk module uses an up to date template)
Lossyx said:
Modifying system is no go, your best shot is to create a magisk module.
Maybe this might be something you're interested in.
https://forum.xda-developers.com/apps/magisk/module-1controller-1-module-to-support-t3865889
If the layout isn't there, you could try asking the OP or adding the .kl here and zip the module up.
https://github.com/Magisk-Modules-Repo/OneController/tree/master/system/usr/keylayout
(Note: I have no idea if this magisk module uses an up to date template)
Thanks for the reply Lossyx!
Those links are very promising. The layout is not in one of those listed. I had already created the layout I need to test out. About to go to bed soon (night shift this weekend) but I'll figure out how to make the module with the updated layout and I'll post my results later.
Pretty excited to try it out! Thanks again.
Well Lossyx, you sir are a genius!
The Magisk Module you linked above worked! I removed all the keylayout files in the original module, added my new layout for the Xbox Elite 2 Controller, updated the update-binary, zipped and flashed. Every button now works as expected. Only issue, if you want to call it that, when I look at the modules in Magisk, it just shows info not provided for the new module. I updated the module.prop file to reflect the new changes but it's not being read for some reason. Like I said, not really an issue since it works.
Recap for anyone interested: The goal was to use my Xbox Elite 2 Wireless controller on my OnePlus 7T to play Destiny 2 on Stadia.
-I rooted by booting with TWRP via ADB to get the boot.img. Used Magisk Canary to patch this image and flashed the new image to boot.
-Once rooted, I used the MagiskHide Props Config to create new props to make Apps think "Pixel 4" was the model and manufacturer was "Google" (required to load Stadia on phone as Stadia is currently restricted to Pixel 4 and Pixel 3, although it runs great with the new props on the OnePlus 7T).
-Thanks to Lossyx, I updated https://forum.xda-developers.com/apps/magisk/module-1controller-1-module-to-support-t3865889 OneController to add the new keylayout file for the Xbox Elite 2 Controller. Deleted all other keylayouts in that module, added the new layout, updated update-binary, zipped then flashed.
If anyone has any questions about what I did, please let me know and I'll help as much as my limited experience allows. Thanks again to Lossyx, couldn't have done it without him!!!!
New KeyLayout info: file name = Vendor_045e_Product_0b05.kl
In the file:
# Copyright (C) 2019 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# XBox Elite Wireless Controller - Elite 2 - Bluetooth
#
# Mapping according to https://developer.android.com/training/game-controllers/controller-input.html
key 304 BUTTON_A
key 305 BUTTON_B
key 307 BUTTON_X
key 308 BUTTON_Y
key 310 BUTTON_L1
key 311 BUTTON_R1
# Triggers.
axis 0x0a LTRIGGER
axis 0x09 RTRIGGER
# Left and right stick.
# The reported value for flat is 128 out of a range from -32767 to 32768, which is absurd.
# This confuses applications that rely on the flat value because the joystick actually
# settles in a flat range of +/- 4096 or so.
axis 0x00 X flat 4096
axis 0x01 Y flat 4096
axis 0x02 Z flat 4096
axis 0x05 RZ flat 4096
key 317 BUTTON_THUMBL
key 318 BUTTON_THUMBR
# Hat.
axis 0x10 HAT_X
axis 0x11 HAT_Y
# Mapping according to https://www.kernel.org/doc/Documentation/input/gamepad.txt
# Two overlapping rectangles
key 158 BUTTON_SELECT
# Hamburger - 3 parallel lines
key 315 BUTTON_START
# Xbox key
key 316 BUTTON_MODE
I have the same Devices 7T/Elite2, the same problems and now they belong to the past. Damn Boy, it worked!
THAT'S why I love XDA
Would you mind helping me out? I'm sure this is a silly question, but what did you mean by "updated update-binary"? I see the file that you're talking about in the Magisk Module, but what exactly am I updating in that file?