Various aspects of the Nook system are signed with a signature from Barnes & Noble.
There are a few places where signatures are compared.
Various system apps used a single "shared id" and they must all have the same signature.
/system/framework/framework-res.apk must have a correct signature with respect to AndroidManifest.xml.
In any case, it's your Nook, what are you going to do?
Re-signing the system
make a full backup and make sure that it is good
create your own signature http://developer.android.com/tools/publishing/app-signing.html
make a directory for your patch
create the subdirectory META-INF\com\google\android\
put a copy of update-binary in there
write a updater-script and put it in there
create the subdirectory system\app
create the subdirectory system\framework
For each of your APKs in /system/app and also /system/framework/framework-res.apk:
unzip them somewhere
delete the whole directory META-INF from them
zip the directory
jarsigner them with your own personal signature
zipalign the APK (optional if you are lazy and don't see the point)
put it in the appropriate patch directory
Then:
zip the patch directory
copy it to your SD card
make sure that your WiFi is turned on if you are using ADB over WiFi!
recovery boot using ClockworkMod
install the patch from SD card
reboot
updater-script
Code:
# Replace signed components
mount("ext2", "/dev/block/mmcblk0p5", "/system");
package_extract_dir("system/app", "/system/app");
package_extract_dir("system/framework", "/system/framework");
unmount("/system");
# Delete packages.xml
mount("ext3", "/dev/block/mmcblk0p8", "/data");
delete("/data/system/packages.xml");
unmount("/data");
Flies in the ointment, caveats, etc...
The packages.xml contains some form of certs that have all changed.
Right now, the simplest way I know to deal with this is just to delete packages.xml.
The problem is, this will break most user applications since the user IDs will no longer agree.
The easiest thing to do is just to reinstall them.
For applications with a lot of data, it would be best to back up the configs or data.
When you first boot up, you may think that you are in a "boot loop".
The boot animation will run continuously.
If you have ADB connect still (and you had better!) you can fix this.
Your launcher application is probably causing lots of error on startup.
There are two ways to fix the problem with the launcher (or any other app)
uninstall and reinstall it
go into /data/data/com.myapp.whatever and chown everything to the user id of the application.
Code:
busybox chown -R 10011: databases
Don't chown the lib directory if there is one.
Then you should have a device that boots up normally.
Good luck, Mr. Phelps.
Renate NST said:
create your own signature http://developer.android.com/tools/publishing/app-signing.html
Click to expand...
Click to collapse
Renate,
Won’t it be easier to use Andriod media key?
If we do, we can patch packages.xml, instead of deleting it, right?
Renate NST said:
For each of your APKs in /system/app and also /system/framework/framework-res.apk:
unzip them somewhere
delete the whole directory META-INF from them
zip the directory
jarsigner them with your own personal signature
zipalign the APK (optional if you are lazy and don't see the point)
put it in the appropriate patch directory
Click to expand...
Click to collapse
I wrote a script to do just that, can be adapted easily...
Code:
@set keystore=..\keys\media.jks
@set storepass=android
@set alias=media
@set resigned_dir=.\new
@for %%i in ( .\*.apk ) do @(
echo %%i
copy %%i %resigned_dir%\%%~ni_%%~xi
zip -d %resigned_dir%\%%~ni_%%~xi META-INF\*
jarsigner -keystore %keystore% -storepass %storepass% %resigned_dir%\%%~ni_%%~xi %alias%
zipalign -f 4 %resigned_dir%\%%~ni_%%~xi %resigned_dir%\%%~ni%%~xi
del %resigned_dir%\%%~ni_%%~xi
)
@goto :eof
Just my 2 cents…
---------- Post added at 04:31 PM ---------- Previous post was at 04:22 PM ----------
Renate NST said:
...
Then you should have a device that boots up normally.
Good luck, Mr. Phelps.
Click to expand...
Click to collapse
Guys,
If you run into a problem following Renate steps, it’ll be practically impossible to troubleshot without logcat log.
It might be a bit safer to use ADB over USB then over Wireless.
Even if you run into boot loop, ADB should work still.
I’m not 100% sure, if you need framework operational to establish wireless connection (for ADB to use).
ADB over USB definitely doesn't need framework running.
Yes, of course I used a script to resign the individual APKs.
Yours is nice though.
I'm not sure what you mean by "Android media key".
Do you mean the androiddebug key?
Did you re-sign framework-res.apk too?
Well, one advantage of deleting packages.xml is that it gets rid of the cruft.
I was thinking of just writing a little utility that resolved the renumbered user ids and fixed file ownership.
P.S. WiFi works fine when the boot animation is still looping.
The loop animation just runs until something wants to use the screen.
The system is actually 100% up at that point.
It's just that your home application (a launcher probably) can't run.
You can still start an application by am start intent.
That's also a warning to not presume that your Nook is dead just because the display loops.
Renate NST said:
Yes, of course I used a script to resign the individual APKs.
Yours is nice though.
Click to expand...
Click to collapse
Thank you!
Renate NST said:
I'm not sure what you mean by "Android media key".
Do you mean the androiddebug key?
Click to expand...
Click to collapse
I don’t remember now, it was long time ago.
AFAIR, it was 4 keys
testkey -- a generic key for packages that do not otherwise specify a key.
platform -- a test key for packages that are part of the core platform.
shared -- a test key for things that are shared in the home/contacts process.
media -- a test key for packages that are part of the media/download system.
You can download them still from Google repository
http://mirror.yongbok.net/pub/pub/linux/android/repository/build/target/product/security/
Most ppl call media key androiddebug key, don’t ask me why.
Renate NST said:
Did you re-sign framework-res.apk too?
Click to expand...
Click to collapse
Not as of now. Waiting for your Reader.apk...
Renate NST said:
Well, one advantage of deleting packages.xml is that it gets rid of the cruft.
I was thinking of just writing a little utility that resolved the renumbered user ids and fixed file ownership.
Click to expand...
Click to collapse
I dunno if it recreates UserID properly.
I.e. you have apps A, B, C installed they got UserIDs 10001, 10002 & 10003 respectively.
Then you uninstall A & B and delete delete packages.xml, would C get 10003 still?
Need to test it.
Renate NST said:
P.S. WiFi works fine when the boot animation is still looping.
The loop animation just runs until something wants to use the screen.
The system is actually 100% up at that point.
Click to expand...
Click to collapse
Yep. Thanks for confirming this!
Renate NST said:
It's just that your home application (a launcher probably) can't run.
You can still start an application by am start intent.
That's also a warning to not presume that your Nook is dead just because the display loops.
Click to expand...
Click to collapse
When I see Nook booting image "with running dots", ADB is up already.
I was under impressing that’s the image ppl see while in boot loop.
ps shows it as bootanimation process
I guess, we are NOT on the same page again…
The running dots (boot animation) gets started as the system starts.
It just runs until something takes over the screen.
If it runs continuously, it could mean that the system is in a boot loop or
simply that no application is rising to the challenge to do something.
On the other hand, if the dots are running, but it hiccups and starts over from the first dot, that's a real boot loop.
Renate NST said:
The running dots (boot animation) gets started as the system starts.
It just runs until something takes over the screen.
If it runs continuously, it could mean that the system is in a boot loop or
simply that no application is rising to the challenge to do something.
On the other hand, if the dots are running, but it hiccups and starts over from the first dot, that's a real boot loop.
Click to expand...
Click to collapse
Renate,
I neither completely agree with you on bootanimation app nor want to pollute this thread with useless (IMO) discussion about it. If you want discuss it further – could you open another thread?
Well, I proved that you can take Settings.apk and SettingsProvider.apk off the emulator, sign them and install them.
There are a number of problems with that, starting out that the opening screen is white on white.
Also, my Nook seems to think it's a phone now and the hack that I did for the "n" button is broken.
I switched back to the stock version.
On the plus side, my Nook now opens with just a button press and no swiping.
I remember some people were interested in that.
It's probably something in settings.db
Renate NST said:
Well, I proved that you can take Settings.apk and SettingsProvider.apk off the emulator, sign them and install them.
Click to expand...
Click to collapse
AFAIR, everything on emulator is signed with keys I posted and nothing with B&N key - you don't need to resign.
Renate NST said:
Various aspects of the Nook system are signed with a signature from Barnes & Noble.
Click to expand...
Click to collapse
Renate,
I can write a script (Win) to do:
Parse packages.xml to find APKs run as 'shared-user name="android.media" userId="10000"'
Pull (backup) them to PC
Resign
Stop framework
Push resigned APKs to NST
Replace B&N cert reference in packages.xml to the one we used
Start framework
It might be some manual steps...
Do you think it might be useful?
And another script to restore...
First thing, I think that doing a system update to replace (as recommended in my first post) is overkill.
I wasn't sure whether simply starting and stopping the framework from the shell would be sufficient.
Apparently it is.
My only excuse is that I've bricked my Nook about 20 times and was being conservative.
What you want to sign your Nook with is your choice.
I hadn't looked into using any common signatures.
Android only mentions the single debug key in their documentation.
The emulator apks are signed with an Android signature, but not the same as the debug key.
ApokrifX said:
I can write a script (Win) to do:
Parse packages.xml to find APKs run as 'shared-user name="android.media" userId="10000"'
Click to expand...
Click to collapse
Ok, but there is also all the other sharedUserId="1000"
I'm not sure how the cert references work in packages.xml
Does it work for framework-res.apk too?
Looks like I cannot answer your question.
I guess, we can create a table [sharedUserId] – [App], [sharedUserId] – [Cert] and [Cert] - [App]
It can shed some light on how it works.
I can see same sharedUserId used with different certs, so apps should use different android users...
See below:
Don’t know how to map sharedUserId to android user yet.
My [current] understanding is:
userId "10000" and above are apps generated.
Below – for system use.
I have now:
<package name="com.bn.nook.quickstart" codePath="/system/app/QuickStartActivity.apk" system="true" ts="1217592000000" version="7" sharedUserId="1000">
<cert index="4" />
<package name="com.google.android.server.checkin" codePath="/system/app/GoogleCheckin.apk" system="true" ts="1292347460000" version="7" sharedUserId="1000">
<sigs count="1">
<cert index="13" />
Obviously, due to cert mismatch, "com.bn.nook.quickstart" & "com.google.android.server.checkin" should use different users.
---------- Post added at 09:29 PM ---------- Previous post was at 09:04 PM ----------
ApokrifX said:
Looks like I cannot answer your question.
I guess, we can create a table [sharedUserId] – [App], [sharedUserId] – [Cert] and [Cert] - [App]
It can shed some light on how it works.
Click to expand...
Click to collapse
Here we go:
Code:
0 10019 com.google.android.apps.gtalkservice /system/app/gtalkservice.apk
0 10019 com.google.android.googleapps /system/app/GoogleApps.apk
0 10019 com.google.android.providers.gmail /system/app/GmailProvider.apk
0 10019 com.google.android.providers.talk /system/app/TalkProvider.apk
0 10021 com.google.android.gm /system/app/Gmail.apk
0 10022 com.android.vending /system/app/Vending.apk
1 10002 com.android.globalsearch /system/app/GlobalSearch.apk
1 10002 com.android.googlesearch /system/app/GoogleSearch.apk
1 10002 com.android.inputmethod.latin /system/app/LatinIME.apk
1 10002 com.android.launcher /system/app/Launcher.apk
1 10002 com.android.providers.applications /system/app/ApplicationsProvider.apk
1 10002 com.android.providers.contacts /system/app/ContactsProvider.apk
1 10002 com.android.providers.userdictionary /system/app/UserDictionaryProvider.apk
10 10001 com.adobe.air /system/app/AirRuntime.apk
10 10017 de.devmil.minimaltext /data/app/mt262.apk
10 10023 com.google.android.talk /system/app/Talk.apk
11 10013 com.ngc.fora /data/app/com.ngc.fora.apk
12 10015 siir.es.adbWireless /data/app/siir.es.adbWireless-1.apk
13 1000 com.google.android.providers.subscribedfeeds /system/app/GoogleSubscribedFeedsProvider.apk
13 1000 com.google.android.server.checkin /system/app/GoogleCheckin.apk
14 10018 com.david1171.minimalistblack /data/app/com.david1171.minimalistblack-1.apk
15 10014 com.smart.swkey /data/app/SWKey21.apk
16 10030 com.asksven.betterbatterystats /data/app/com.asksven.betterbatterystats.apk
17 10027 jackpal.androidterm /data/app/jackpal.androidterm.apk
18 10029 com.googlecode.droidwall.free /data/app/com.googlecode.droidwall.free.apk
19 10016 org.adw.launcher /data/app/org.adw.launcher-1.apk
2 10026 org.coolreader /data/app/org.coolreader.apk
20 10012 com.noshufou.android.su /data/app/Superuser.apk
3 10024 berserker.android.apps.sshdroid /data/app/berserker.android.apps.sshdroid.apk
4 1000 android /system/framework/framework-res.apk
4 1000 com.android.providers.settings /system/app/SettingsProvider.apk
4 1000 com.android.providers.subscribedfeeds /system/app/AccountAndSyncSettings.apk
4 1000 com.android.settings /system/app/Settings.apk
4 1000 com.bn.app.crypto.server /system/app/CryptoServer.apk
4 1000 com.bn.authentication.svc /system/app/BnAuthenticationService.apk
4 1000 com.bn.demomode /system/app/DemoMode.apk
4 1000 com.bn.devicemanager /system/app/DeviceManager.apk
4 1000 com.bn.nook.quickstart /system/app/QuickStartActivity.apk
4 1000 com.bn.syschecksum /system/app/SysChecksum.apk
4 1000 com.bn.waveformdownloader.svc /system/app/WaveformDownloader.apk
4 10005 com.android.certinstaller /system/app/CertInstaller.apk
4 10009 com.android.packageinstaller /system/app/PackageInstaller.apk
4 1001 com.android.phone /system/app/Phone.apk
4 1001 com.android.providers.telephony /system/app/TelephonyProvider.apk
4 10011 android.tts /system/app/TtsService.apk
5 10000 com.android.gallery /system/app/Gallery.apk
5 10000 com.android.providers.downloads /system/app/DownloadProvider.apk
5 10000 com.android.providers.drm /system/app/DrmProvider.apk
5 10000 com.android.providers.media /system/app/MediaProvider.apk
5 10000 com.bn.nook.accessories /system/app/Accessories.apk
5 10000 com.bn.nook.affiledownloadservice /system/app/AFfileDownloadService.apk
5 10000 com.bn.nook.cloud.service /system/app/CloudService.apk
5 10000 com.bn.nook.community /system/app/NookCommunity.apk
5 10000 com.bn.nook.dadmin /system/app/DownloadAdmin.apk
5 10000 com.bn.nook.home /system/app/Home.apk
5 10000 com.bn.nook.library /system/app/Library.apk
5 10000 com.bn.nook.reader.activities /system/app/Reader.apk
5 10000 com.bn.nook.shop /system/app/Shop.apk
5 10000 com.bn.nook.social /system/app/Social.apk
6 10025 com.andoku.two.free /data/app/com.andoku.two.free.apk
7 10028 org.connectbot /data/app/org.connectbot.apk
8 10003 com.bn.cloud.svc /system/app/BnCloudRequestSvc.apk
8 10004 com.android.browser /system/app/Browser.apk
8 10006 com.bn.deviceregistrator /system/app/DeviceRegistrator.apk
8 10007 com.android.htmlviewer /system/app/HTMLViewer.apk
8 10008 com.android.music /system/app/Music.apk
8 10010 com.svox.pico /system/app/PicoTts.apk
9 10020 com.benhirashima.nookcolorsettings /system/app/NookColorTools.apk
ApokrifX said:
Don’t know how to map sharedUserId to android user yet.
Click to expand...
Click to collapse
Need help with this one... :crying:
Yes, the cert indexes are the same for all the things that are signed with the same signature,
but they can even be different in some cases.
All my the apps I wrote and signed with my own key are 0.
All of the system that I signed with my own key are 1.
All of the other cert indexes go from 2 to 8.
The problem is, these are indexes into something and I don't know what/where that is.
When you change a signature, you have to change the something.
When you change signatures in most cases, the system shrugs and rebuilds packages,xml
It's mostly changing the signature on framework-res.apk (name="android") that causes the biggest problems.
For another perspective on the whole package management, try this:
Code:
dumpsys package > /sdcard/package.txt
(This generates a lot of text, hence the redirect.)
Renate NST said:
Android only mentions the single debug key in their documentation.
Click to expand...
Click to collapse
URL?
Renate NST said:
The emulator apks are signed with an Android signature, but not the same as the debug key.
Click to expand...
Click to collapse
Compared few keys (Subject Key Identifiers) out of curiosity:
Android keys
Code:
testkey 48:59:00:56:3D:27:2C:46:AE:11:86:05:A4:74:19:AC:09:CA:8C:11
shared CB:4C:7E:2C:DB:B3:F0:AD:A9:8D:AB:79:96:8D:17:2E:9D:BB:1E:D1
platform 4F:E4:A0:B3:DD:9C:BA:29:F7:1D:72:87:C4:E7:C3:8F:20:86:C2:99
media CA:29:3C:AA:8B:C0:ED:3E:54:2E:EF:42:05:A2:BF:F2:B5:7E:4D:75
NC2.1 EMU
Code:
Browser 48:59:00:56:3D:27:2C:46:AE:11:86:05:A4:74:19:AC:09:CA:8C:11
LatinIME CB:4C:7E:2C:DB:B3:F0:AD:A9:8D:AB:79:96:8D:17:2E:9D:BB:1E:D1
framework-res 4F:E4:A0:B3:DD:9C:BA:29:F7:1D:72:87:C4:E7:C3:8F:20:86:C2:99
MediaProvider CA:29:3C:AA:8B:C0:ED:3E:54:2E:EF:42:05:A2:BF:F2:B5:7E:4D:75
---------- Post added at 10:13 PM ---------- Previous post was at 10:07 PM ----------
Renate NST said:
Yes, the cert indexes are the same for all the things that are signed with the same signature,
but they can even be different in some cases.
All my the apps I wrote and signed with my own key are 0.
All of the system that I signed with my own key are 1.
All of the other cert indexes go from 2 to 8.
The problem is, these are indexes into something and I don't know what/where that is.
Click to expand...
Click to collapse
Ok. Just to make sure, we are on same page again:
When cert mentioned 1st time, it got encoded right into packages.xml key="3082...9308a"
Next time it used, it's referenced by index.
Code:
<package name="com.google.android.providers.talk" codePath="/system/app/TalkProvider.apk" system="true" ts="1292347460000" version="7" sharedUserId="10019">
<sigs count="1">
<cert index="0" key="3082...9308a" />
...
<package name="com.google.android.googleapps" codePath="/system/app/GoogleApps.apk" system="true" ts="1292347460000" version="130" sharedUserId="10019">
<sigs count="1">
<cert index="0" />
Do you mean something else?
---------- Post added at 10:16 PM ---------- Previous post was at 10:13 PM ----------
Renate NST said:
Yes, the cert indexes are the same for all the things that are signed with the same signature,
but they can even be different in some cases.
All my the apps I wrote and signed with my own key are 0.
All of the system that I signed with my own key are 1.
Click to expand...
Click to collapse
Interesting...
Could you extract CERT.RSA from "the app" and "the system app" and compare, please?
---------- Post added at 10:22 PM ---------- Previous post was at 10:16 PM ----------
[/COLOR]
Renate NST said:
For another perspective on the whole package management, try this:
Code:
dumpsys package > /sdcard/package.txt
Click to expand...
Click to collapse
How do we map:
Code:
Package [com.asksven.betterbatterystats] (49ea9250):
userId=10030 gids=[1015, 3003]
to names we see with ls -l
ApokrifX said:
URL?
When cert mentioned 1st time, it got encoded right into packages.xml key="3082...9308a"
Next time it used, it's referenced by index.
Click to expand...
Click to collapse
Yup, it looks like you are 100% correct.
FWR signed signed with my key is different than an app signed with my key.
They are the same, except for the last 256 bytes which are different.
As you can see, the keys in package.xml are of different lengths
and at least in the cases that I checked are shorter than length(cert)-256 even.
Moreover the end of the keys in packages.xml don't agree with the same position.
http://developer.android.com/tools/publishing/app-signing.html
The SDK tools create the debug keystore/key with predetermined names/passwords:
Keystore name: "debug.keystore"
Keystore password: "android"
Key alias: "androiddebugkey"
Key password: "android"
CN: "CN=Android Debug,O=Android,C=US"
Click to expand...
Click to collapse
The point is not that this single key is documented, the point is that the others are not.
Renate NST said:
FWR signed signed with my key is different than an app signed with my key.
They are the same, except for the last 256 bytes which are different.
As you can see, the keys in package.xml are of different lengths
and at least in the cases that I checked are shorter than length(cert)-256 even.
Click to expand...
Click to collapse
Right.
Could you compare certs "X509v3 Subject Key Identifier", please?
Renate NST said:
Moreover the end of the keys in packages.xml don't agree with the same position.
Click to expand...
Click to collapse
I’m not sure, I get this...
Renate NST said:
The point is not that this single key is documented, the point is that the others are not.
Click to expand...
Click to collapse
---------- Post added at 11:15 PM ---------- Previous post was at 11:01 PM ----------
Looks like in certs in packages.xml are stored in pkcs8 hex format:
shared.pk8
Code:
0000000000: 30 82 04 BE 02 01 00 30 │ 0D 06 09 2A 86 48 86 F7
0000000010: 0D 01 01 01 05 00 04 82 │ 04 A8 30 82 04 A4 02 01
0000000020: 00 02 82 01 01 00 C8 C2 │ DB FD 09 4A 2D F4 5C 3F
0000000030: F1 A3 2E D2 18 05 EC 72 │ FC 58 D0 17 97 1B D0 F6
packages.xml
Code:
<cert index="2" key="3082...b2db" />
They can be easily dumped from packages.xml right into pkcs8 format, no need to get them from packages.
I know practically nothing about signing and certs specifically.
Taking this as a black box question:
Given a signed package, extract the cert with a zip tool,
how do you convert that data into something to write into packages.xml?
Yes, all the ASCII text is in both of these but the cert in the apk and the cert in packages are wildly different.
Yes, you could make a project of this and delve into the Android code to see where it all comes from but the effort seems excessive.
We know that if you delete packages.xml entirely it will get rebuilt (although not with the same non-shared ids as before).
Why not try just deleting all the certs and leaving the rest of it alone?
Renate NST said:
I know practically nothing about signing and certs specifically.
Taking this as a black box question:
Given a signed package, extract the cert with a zip tool,
how do you convert that data into something to write into packages.xml?
Click to expand...
Click to collapse
I didn’t do this part yet.
I guess, a bit fiddling with openssl or keytool will do just fine.
Renate NST said:
Yes, all the ASCII text is in both of these but the cert in the apk and the cert in packages are wildly different.
Click to expand...
Click to collapse
If you post both (from packages.xml), I’ll decrypt them.
I’m pretty sure, they are different.
Renate NST said:
Yes, you could make a project of this and delve into the Android code to see where it all comes from but the effort seems excessive.
Click to expand...
Click to collapse
Yep. There is no point.
Renate NST said:
We know that if you delete packages.xml entirely it will get rebuilt (although not with the same non-shared ids as before).
Why not try just deleting all the certs and leaving the rest of it alone?
Click to expand...
Click to collapse
I wrote already, what might be different if you do it.
IMO, just patching it might be safer...
BTW: I decoded certs from packages.xml - there 4 different ones from B&N there.
ApokrifX said:
I decoded certs from packages.xml - there 4 different ones from B&N there.
Click to expand...
Click to collapse
I still don't know what the tool is or how it operates.
I'm not saying that what is packed in an APK is different in substance from the cert in packages.xml,
I'm just saying that they are not trivially binary convertible from one to another.
If you just delete packages.xml you can either fix the non-shared user ids in packages
or fix the owners for /data/data directories.
I already have an auditing tool for resolving such user id discrepancies
and finding orphaned /data/data directories for apps that were deleted and not uninstalled.
It doesn't do anything, but it reports it so that you can.
Renate NST said:
I still don't know what the tool is or how it operates.
I'm not saying that what is packed in an APK is different in substance from the cert in packages.xml,
I'm just saying that they are not trivially binary convertible from one to another.
Click to expand...
Click to collapse
I dunno, they are trivially convertible, try for yourself:
Unzip CERT.RSA from stock Reader.apk
Obviously (or not), CERT.RSA is pkcs7 and certs in packages.xml are hex strings x509
Let’s convert pkcs7 -> x509
Code:
openssl pkcs7 -inform DER -in CERT.RSA -out CERT.PEM -print_certs
openssl x509 -inform PEM -in CERT.PEM -outform DER -out CERT.x509.DER
Now open CERT.x509.DER is any hex editor:
Code:
0000000000: 30 82 04 96 30 82 03 7E │ A0 03 02 01 02 02 09 00
0000000010: CF 3F 93 2A 95 18 91 A5 │ 30 0D 06 09 2A 86 48 86
...
0000000480: BF 46 EB 99 2F F8 A8 9A │ 1F 66 2D 91 4F 0C 93 FE
0000000490: 44 7D 2F D0 C2 CC DC F7 │ 5E 84
And compare with packages.xml
Code:
<cert index="5" key="308204963082037ea003020102020900cf3f932a951891a5300d06092a864886
…
bf46eb992ff8a89a1f662d914f0c93fe447d2fd0c2ccdcf75e84" />
Renate NST said:
If you just delete packages.xml you can either fix the non-shared user ids in packages or fix the owners for /data/data directories.
I already have an auditing tool for resolving such user id discrepancies
and finding orphaned /data/data directories for apps that were deleted and not uninstalled.
It doesn't do anything, but it reports it so that you can.
Click to expand...
Click to collapse
What about this case:
ApokrifX said:
I dunno if it recreates UserID properly.
I.e. you have apps A, B, C installed they got UserIDs 10001, 10002 & 10003 respectively.
Then you uninstall A & B and delete delete packages.xml, would C get 10003 still?
Need to test it.
Click to expand...
Click to collapse
Do we need to do anything manually or deleting packages.xml will recreates everything properly?
Well, you seem to have a handle on all this.
I've never heard of pkcs7 or any of its friends.
Deleting packages.xml will result in the non-shared user ids to be assigned in order as the APKs are discovered by the PackageManager.
User ids are only used for file permissions on /data/data as far as I know.
Related
Hi,
I would like to extract 2 dll from GERMAN Rom.
I am intersted to msimda.dll and msimde.192.dll and i ma interested to learn how to work with universal rom.
But it drive me crazy...
I have read all the day this forum but i can't go on.
This is my last experiment
nkge.nba is qtek german rom (decoded)
mkdir files1 files2
dump nkge.nba -o 00000400 -e 001d2100 xip1.nb <-Offset From Universal Wiki
dump nkge.nba -o 00310000 -e 002d0000 xip2.nb <-Offset From Universal Wiki
dumprom -5 -d files1 xip1.nb <-Give me an error (after 27Files) :
error decompressing 90702000L0001f68d
fwrite: Invalid argument
error writing uncompressed data
dumprom -5 -d files2 xip2.nb <-OK
I have 59 files but there are no msimge.dll and msimge.192.dll probably they are in first xip block that give me an error.
Can you help me please?
Wat i am doing wrong?
byte.
plese somebody could help me?
Just a litle information or a link to read and study. i have searched all over the forum... but i am still blocked.
Hi,
try to read this and then search on the forum for imgfs tools.
I've extracted files sucessfully with those tools but not directly from the device instead from a nbf file.
Hope this will be useful.
Sergio.
tripledes said:
Hi,
try to read this and then search on the forum for imgfs tools.
I've extracted files sucessfully with those tools but not directly from the device instead from a nbf file.
Hope this will be useful.
Sergio.
Click to expand...
Click to collapse
Yes...thankyou very much for your reply.
I have just readed these posts but i can't go on.
I have nk.nba that is my Rom image decoded with HTC64 "Extended ROM Tool.exe" .
So i am trying with dumprom.exe and with viewimgfs.exe with the procedure described by mamaich in http://forum.xda-developers.com/showthread.php?t=249836
I can't extract file.
ViewImgFs (after a lot of " Unknown header type, FS_DATA_TABLE??") stop with message:
"C:\Documents and Settings\stefano\Desktop\HTC\imgfstools>Error! ProcessFixups: cannot map dump\dhcp.dll\s15627"
And i have a "dump" directory with this structure
dhcp.dll <DIR>
eapchap.dll <DIR>
iexplore.exe <DIR>
jscript.dll <DIR>
urlmon.dll <DIR>
ws2instl.dll <DIR>
Only file with same name of directory listed before.
Can you help me with step by step indication please?
1) To extract from rom upgrade (nk.nbf):
Code:
alpinenbfdecode.pl -r nk.nbf nk.nb
mkdir files ; rdmsflsh.pl -d files nk.nb
2) To extract from device, follow instructions here, but replace "FLASHDR" for "TrueFFS" in Universal (instructions are for Hermes).
Then you get "File02.raw" which contains dumped imgfs, files can be extracted either with mamaich viewimgfs.exe or itsme rdmsflsh.pl.
3) If none of the above works, try to dump the files from the device using mamaich TestWM5.exe or Buzz's grab_it!.
Good luck
pof said:
1) To extract from rom upgrade (nk.nbf):
Code:
alpinenbfdecode.pl -r nk.nbf nk.nb
mkdir files ; rdmsflsh.pl -d files nk.nb
2) To extract from device, follow instructions here, but replace "FLASHDR" for "TrueFFS" in Universal (instructions are for Hermes).
Then you get "File02.raw" which contains dumped imgfs, files can be extracted either with mamaich viewimgfs.exe or itsme rdmsflsh.pl.
3) If none of the above works, try to dump the files from the device using mamaich TestWM5.exe or Buzz's grab_it!.
Good luck
Click to expand...
Click to collapse
Thankyou... just another info..please.
I would like to extract file fro a complete German rom.
I am trying with nk.nbf extracted from UNI_QTEK_13096_185_10900_GER_Ship.exe .
Why did you suggest to me to use "alpinenbfdecode" i have an Universal.
I decode my nbf files with
http://buzzdev.net/index.php?option=com_content&task=view&id=65&Itemid=1
is this wrong?
Sorry for my questions but i have not Perl on my pc and i would like to know if is realy necessary to install it.
So just for learning... can you tell me why is wrong the operations that i am doing?
Thankyou very much!
Bye
slevin said:
Why did you suggest to me to use "alpinenbfdecode" i have an Universal.
Click to expand...
Click to collapse
alpine, magican, universal... they use the same NBF format version, so the script is also valid to decode universal NBF files.
slevin said:
I decode my nbf files with
http://buzzdev.net/index.php?option=com_content&task=view&id=65&Itemid=1
is this wrong?
Click to expand...
Click to collapse
This produces a decoded file (.nb), same as if you would run "alpinenbfdecode.pl" with -d parameter (decode), but I suggested you to use it with -r which outputs a RAW file, because rdmsflsh.pl expects a raw file and not a decoded file.
AFAIK the decoded file contains a header while the raw file doesn't, in the German Qtek ROM you said, the header looks like this:
Code:
00000010 51 54 45 4b 5f 31 30 32 20 20 20 20 20 20 20 20 |QTEK_102 |
00000020 47 45 52 20 20 20 20 20 31 2e 33 30 2e 39 36 20 |GER 1.30.96 |
00000030 20 20 20 20 20 20 20 20 55 6e 69 76 65 72 73 61 | Universa|
00000040 6c 20 20 20 20 20 20 20 30 20 20 20 20 20 20 20 |l 0 |
00000050 37 30 30 30 30 30 30 30 31 30 30 30 30 30 20 20 |70000000100000 |
00000060 30 20 20 20 20 20 20 20 31 36 31 31 31 31 31 30 |0 16111110|
00000070 30 30 30 30 30 30 20 20 61 39 62 33 61 64 39 35 |000000 a9b3ad95|
Probably someone more experienced with the formats can tell you the exact differences, otherwise if you know a bit of programming you can look at the program's source and try to figure out yourself
slevin said:
Sorry for my questions but i have not Perl on my pc and i would like to know if is realy necessary to install it.
Click to expand...
Click to collapse
Try the other methods which do not involve using perl, if you don't success doing what you want then install perl, it's just 5 minutes to do it and you'll benefit from many .pl applications from itsme... the process to install it and all the needed modules is explained on the wiki page I pointed you before
slevin said:
So just for learning... can you tell me why is wrong the operations that i am doing?
Click to expand...
Click to collapse
Sorry I don't know for sure, probably you are using an encoded file and the program you use to extract the files from it expects a raw file, I guess you can use prepare_imgfs.exe to fix this, but I'm not sure... you should better experiment with the tools until you accomplish your goal
ThankYou
Sorry for my delay ad thankyou very much for your help.
It works fine!
Now i am going to try to replace the two dll files and then i would like to build a custom cab to put in the extended rom.
Thankyou.
Purpose:
This purpose of this VBScript is to process and organize data in RGU/REG files to remove duplicates, identify faulty entries, and move entries to ascending alphabetical order (the same way it is displayed in a registry editor).
Requirements:
Windows Scripting Host (included in most versions of windows)
rgucomp.exe and cereg400.dll located somewhere in your path (same folder as the script probably won't work if the script is run from another folder)
.reg and .rgu files are expected to be UTF-16LE with BOM
Usage:
Drag a .rgu, .reg, or .hv onto RGUber.vbs OR run "wscript.exe RGUber.vbs example.rgu"
Details:
When an rgu|reg file is specified, RGUber will:
1) create backup of input file
2) rename input file to boot.rgu
3) use rgucomp to convert it to *.hv
4) use rgucomp to convert new .hv to original rgu path\name
5) Reorder all keys in ascending alphabetical order and all values for each key in ascending alphabetical order with default value first
When an hv file is specified, RGUber will:
1) use rgucomp to convert it to *.rgu
2) Reorder all keys in ascending alphabetical order and all values for each key in ascending alphabetical order with default value first
Options
Open RGUber.vbs in your favorite text editor. All options are set at the beginning with (hopefully) meaningful descriptions.
Code:
'//Path to rgucomp (leave this as default if rgucomp.exe is located in your system path)
Const RGUCOMP = "rgucomp.exe"
'//Path to notepad, only needed if %OPENAFTER% is true
Const NOTEPAD = "notepad.exe"
'//The following options can be set to True/False or 0/1
'//Organize registry entries in ascending alphabetical order
Const REORDER = True
'//Open in %NOTEPAD% after conversion is done
Const OPENAFTER = False
'//Save any errors from rgu -> hv conversion
Const LOGERRORS = True
'//Save a backup copy of %INPUTRGU% as "%INPUTRGU%_Backup.rgu"
Const BACKUPRGU = True
Other info
If target file already exists, RGUber will ask if you want to overwrite.
Text files (the MS way) typically contain CRLF for next line. Output from rgucomp.exe contains many CRCRLF. RGUber removes the extra CR.
I have very few comments in the code. If requested, I will upload another copy with as many detailed comments as I can manage.
I tried to code this as efficiently as VBScript can possibly be. I kept getting errors when trying to run 'rgucomp.exe -b -nologo' so instead of running it directly, RGUber creates a bat file, executes it, then deletes it.
On my AMD Phenom 9600 with Vista64 and 3 SATA in Raid5, RGUber completes rgu->hv->rgu of 2084 lines in <3s
RGUber always saves output from rgu->hv conversion but deletes the file if there were no errors.
RGUber crashes on files with no reg entries (e.g. empty app.reg in an EXT package that does not add any registry entries)
Changelog:
v1.21a
Values are now sorted in alphabetical order for each key
v1.2
Replaced Organize function with one from RGUOrder
Lost ability to reorder values for each key (To be readded in next version)
v1.1
Fixed a bug with removing hashdata from output (RGUber would mix data from two keys under one)
Changed sorting algorith with a much faster one
v1.02
Added option to remove RegistryUpdate key from rgucomp output
Fixed a typo where RGUber was not removing the system attribute from input rgu files
v1.01
Fixed typo where RGUber was waiting for backup file instead of log file
Change 'Done' msgbox to one that shows beginning time and ending time
v1.0
Initial Release
RGUOrder v1.4
This script will only reorder the contents of an rgu without processing with RGUComp, thereby keeping comments and delete key entries. RGUComp/cereg400.dll are not needed to use this app.
Changelog:
v1.4
Fixed a bug where if the original rgu did not end with a new line then the last entry after being sorted would be lost.
Fixed two bugs where only the first 25 tabs and first 25 spaces would be removed before sorting (This did not affect data integrity or performance, but the checksum would be different each time you run the output back through RGUOrder until all the original tabs/spaces were removed)
Added code to prevent multiple entries of the same key from being reordered
Fixed other miscellaneous bugs/oddities introduced with v1.3
v1.3
Added code to add a delete key for each subkey of a deleted key so that when reordered, the key deletion isn't broken
v1.2
Fixed a bug where the last key processed was being concatenated to another with no CRLF producing an invalid rgu file
I'm not sure if this relates to your app but I have a small question:
If a dumped a rom (raw, not kitchen type) and removed several apps/programs but did not clean the registry (very tedious), will this help me clean it up (remove dead paths, etc)?
And if so, how will it know just by dragging the .hv file? I mean how will your app know if a registry entry does not have the app/program included in the rom anymore?
Please forgive me if my question does not relate to your app
There is no way for my app to know, it isnt that smart
It would take an extensive app/database to know which keys are related to which apps.
Thanks for this post
updated to v1.1
v1.02 had a bug in the code which removed hash data from output which made it mix data from the key before it with the key after it
If I ever get around to updating again, I will use hvedit instead of rgucomp
I get an error.
Script: D:\RGUber.vbs
Line: 136
Char: 2
Error: File not found
Code: 800A0035
Source: Microsoft VBScript runtime error
Any reason why?
I attach the file i want to sort alphabetically.
I have no idea
It worked for me with no problem (file attached)
Please tell me the location of RGUber.vbs and of 51329f91-0017-4364-bcff-e032c5d45b01.rgu
Great application bro!!
Only limitation is that I have to put reg400.dll and rgucomp in C:\windows
c_shekhar said:
Great application bro!!
Only limitation is that I have to put reg400.dll and rgucomp in C:\windows
Click to expand...
Click to collapse
yeah, I tried to get around that but I didn't find anything feasible with vbscript :-/
Actually, they don't have to go in C:\windows
I reinstall windows regularly so I keep as many apps portable as I can. I have a bin folder on another partition that I add to the system path variable after a new install for stuff like this.
selyb said:
yeah, I tried to get around that but I didn't find anything feasible with vbscript :-/
Actually, they don't have to go in C:\windows
I reinstall windows regularly so I keep as many apps portable as I can. I have a bin folder on another partition that I add to the system path variable after a new install for stuff like this.
Click to expand...
Click to collapse
can you elaborate this a bit more. Because I too would like a similar arranfements...
My C:\ partition has Vista64
My F:\ partition has all my documents, downloads, music, movies, etc and a folder F:\bin\
F:\bin contains >100 downloaded command line programs and vbs scripts that I have written including
RGUber.vbs
lame.exe
rgucomp.exe
cereg400.dll
FixVTS.exe
faad.exe
nuerecmod.exe
Tag.exe
find Advanced System Properties (I can't remember how, it's different for XP/Vista/7) go to the Advanced tab and hit the Environment Variables button
Under system variables, scroll down to 'Path', double click it. This defines your 'system path'. It contains a list of folders separated by semicolon ";". At the end, add a semicolon and the path to the folder you want to add (e.g. ;F:\bin) after that, hit ok. XP may need to reboot to reflect the change but I'm not sure. Vista and 7 are affected immediately.
With this setup, you can open a command prompt in any folder on your computer and type "RGUber.vbs xyz.rgu" and it would work as if all the files are in that folder.
Thanks a lot bro!!!
I am grateful...
I'd really like to use this, but unfortunately I get this error regardless of the app.reg I drag onto the script:
Script: C:\RGUber\RGUber.vbs
Line: 232
Char: 3
Error: The system cannot find the path specified.
Code: 80070003
Source: (null)
Thanks if you can advise.
Quetzecotyl said:
I'd really like to use this, but unfortunately I get this error regardless of the app.reg I drag onto the script:
Script: C:\RGUber\RGUber.vbs
Line: 232
Char: 3
Error: The system cannot find the path specified.
Code: 80070003
Source: (null)
Thanks if you can advise.
Click to expand...
Click to collapse
Hmmm... this line asks the system for what is in the %temp% variable and attempts to change the working directory to the result.
Open RGUber.vbs in notepad and go to line 232
Modify
Code:
WSH.CurrentDirectory = WSH.Environment("SYSTEM")("temp")
to
Code:
WSH.CurrentDirectory = "C:\RGUber\"
then try again
Works great after your fix, selyb. Thank you for this useful app and your many helpful contributions to the Kaiser forums.
Quetzecotyl said:
Works great after your fix, selyb. Thank you for this useful app and your many helpful contributions to the Kaiser forums.
Click to expand...
Click to collapse
Yeah, I may relocate from Kaiser forums to Rhodium. I have an AT&T Tilt 2 in the mail to me ATM
Grats on getting a Rhodium. Found a question after using it for a while. This is just one example of such behavior, but why does:
Code:
[HKEY_CURRENT_USER\Software\HTC\TaskManager\ExclusiveList\System]
"CMBandSwitching.exe"=dword:0
get turned into:
Code:
"CMBandSwitching.exe"=dword:0
How do I make it regard CURRENT_USER keys?
Quetzecotyl said:
Grats on getting a Rhodium. Found a question after using it for a while. This is just one example of such behavior, but why does:
Code:
[HKEY_CURRENT_USER\Software\HTC\TaskManager\ExclusiveList\System]
"CMBandSwitching.exe"=dword:0
get turned into:
Code:
"CMBandSwitching.exe"=dword:0
How do I make it regard CURRENT_USER keys?
Click to expand...
Click to collapse
I had this problem with an earlier version. If you are using v1.1 then please attach the original rgu/reg. I have tried and I can't seem to reproduce it since I fixed it already.
Please, replace rgucomp with hvedit . I really need your help because rgucomp doesn't work for me . Thanks in advance .
tomcug said:
Please, replace rgucomp with hvedit . I really need your help because rgucomp doesn't work for me . Thanks in advance .
Click to expand...
Click to collapse
why doesn't rgucomp work? I would be surprised to learn that hvedit will work when rgucomp won't.
Hi, I've a S2 with JB stock and I'm trying to permanently disable noise reduction, according to the solution
proposed by tarobun (so, I have to edit phone.odex in my /system/app directory and modify 32 84 2F 00 12 13 into 32 84 2F 00 12 03)
But in /system/app directory I dont't find this file! I only have these files with similar names:
Phone_Util_U1_EUR_OPEN.apk
Phone_Util_U1_EUR_OPEN.odex
PhoneErrService.apk
PhoneErrService.odex
Phonesky.apk
And none of them contains the string mentioned above.
I'm doing something wrong? Please help me!
Ministry76 said:
Hi, I've a S2 with JB stock and I'm trying to permanently disable noise reduction, according to the solution
proposed by tarobun (so, I have to edit phone.odex in my /system/app directory and modify 32 84 2F 00 12 13 into 32 84 2F 00 12 03)
But in /system/app directory I dont't find this file! I only have these files with similar names:
Phone_Util_U1_EUR_OPEN.apk
Phone_Util_U1_EUR_OPEN.odex
PhoneErrService.apk
PhoneErrService.odex
Phonesky.apk
And none of them contains the string mentioned above.
I'm doing something wrong? Please help me!
Click to expand...
Click to collapse
Have you tried SecPhone.apk?
Sent from my Dominated PurifieD S4
Have you control in Preload folder?
Mate they are not the file you mentioned .. its called secphone.apk in preload folder and this is an old trick btw that all sammy custom roms have which are up to date
Sent from my GT-I9100 using XDA Premium 4 mobile app
I wiped /data/misc/ to get out of a recovery bootloop. Turns out that doing so breaks the wifi mac address in CM. I'm able to temporarily set my address in /data/wifi/misc/config:
Code:
echo "cur_etheraddr=XX:XX:XX:XX:XX:XX" > /data/misc/wifi/config
The problem is that when I reboot, that file goes back to 00:00:00:00:00:00.
Digging around CM kernel source showed me what files are important.
Code:
CONFIG_BCMDHD_FW_PATH="/system/etc/firmware/fw_bcmdhd.bin"
CONFIG_BCMDHD_NVRAM_PATH="/system/etc/wifi/bcmdhd.cal"
CONFIG_BCMDHD_CONFIG_PATH="/data/misc/wifi/config"
/system/etc/wifi/bcmdhd.cal is showing a good mac address.
I KDZ'ed back to stock and everything worked great there. As soon as I flashed CM14.1 again it didn't work. It isn't a problem with the build, since it was working until I wiped /data/misc/.
Does anyone know how to fix this? I'm curious what config says on a working device, so could someone tell me what it says for them? I want to know 1) if /data/misc/wifi/config exists and 2) if it shows a real mac address or a bunch of zeros. I can't get CM file manager to open the file, so here's how to do it in adb:
Code:
adb shell "su 0 cat '/data/misc/wifi/config'"
What files are in /data/misc/wifi?
I'm not really looking for a workaround, since I could add that first script to a startup script or something. I want a permanent fix that won't go away next time I flash a rom.
Sorry for the long post. Any help would be appreciated. I've spend hours on this already.
Hi!
I also use your workaround now and i automated it, so thanks for ending my pain for the moment, but i would also like to see a permanent fix for this. I tried every available stock rom and all available methods to aply it to bring back what cm seams to be depending on for setting the mac - but no success. To me this looks like a bug - not a very common one, but still a bug because the stock roms do not have any problem at all, only cm does.
br, Martin
theprogramguy said:
Does anyone know how to fix this? I'm curious what config says on a working device, so could someone tell me what it says for them? I want to know 1) if /data/misc/wifi/config exists and 2) if it shows a real mac address or a bunch of zeros.
.
Click to expand...
Click to collapse
I am on RR ROM which is CM based
What I can say is yes this file exists and yes it contains my real MAC address
theprogramguy said:
What files are in /data/misc/wifi?
.
Click to expand...
Click to collapse
[email protected]:/ # ls -la /data/misc/wifi
total 152
drwxrwx--- 4 wifi wifi 4096 2016-12-14 08:12 .
drwxrwx--t 32 system misc 4096 2016-12-04 19:44 ..
-rw-r--r-- 1 system wifi 32 2015-01-02 02:58 config
-rw-rw---- 1 system wifi 21 2015-01-22 07:44 entropy.bin
-rw-rw---- 1 system wifi 252 2016-11-17 15:05 hostapd.conf
-rw------- 1 system system 868 2016-11-14 08:33 ipconfig.txt
-rw------- 1 system system 29695 2016-12-13 11:04 networkHistory.txt
-rw-rw---- 1 wifi wifi 219 2015-01-22 07:44 p2p_supplicant.conf
drwxrwx--- 2 wifi wifi 4096 2015-01-22 07:44 sockets
-rw------- 1 system system 41 2016-11-17 14:54 softap.conf
drwxrwx--- 2 wifi wifi 4096 2015-01-02 02:58 wpa_supplicant
-rw-rw---- 1 wifi wifi 1647 2016-12-14 08:12 wpa_supplicant.conf
[email protected]:/ #
My first thought was that the mac address is generated from the misc partition but as far as I can see it seems to be not. At least I can't find a string matching my current mac.
interesting is that I searched the misc partition (I love Linux and the tool strings) and found my imei written in there..
Well as you wrote you haven't the problem on stock:
Do you cleaned out the WiFi config file before when testing stock? Afaik it should be cleaned out automatically though but just to be sure.. What happens when you delete that file on stock and reboot? Will it get regenerated?
You identified it that the ROM sources are the reason good. But I don't think you should look at the kernel sources only. Check the CM sources as well I believe here you will get better findings.
.
steadfasterX said:
[email protected]:/ # ls -la /data/misc/wifi
total 152
drwxrwx--- 4 wifi wifi 4096 2016-12-14 08:12 .
drwxrwx--t 32 system misc 4096 2016-12-04 19:44 ..
-rw-r--r-- 1 system wifi 32 2015-01-02 02:58 config
-rw-rw---- 1 system wifi 21 2015-01-22 07:44 entropy.bin
-rw-rw---- 1 system wifi 252 2016-11-17 15:05 hostapd.conf
-rw------- 1 system system 868 2016-11-14 08:33 ipconfig.txt
-rw------- 1 system system 29695 2016-12-13 11:04 networkHistory.txt
-rw-rw---- 1 wifi wifi 219 2015-01-22 07:44 p2p_supplicant.conf
drwxrwx--- 2 wifi wifi 4096 2015-01-22 07:44 sockets
-rw------- 1 system system 41 2016-11-17 14:54 softap.conf
drwxrwx--- 2 wifi wifi 4096 2015-01-02 02:58 wpa_supplicant
-rw-rw---- 1 wifi wifi 1647 2016-12-14 08:12 wpa_supplicant.conf
[email protected]:/ #
Click to expand...
Click to collapse
Here's mine. It seems practically the same just missing hostapd.conf. I think I've seen it here before though.
h811:/ # ls -la /data/misc/wifi
total 44
drwxrwx--- 4 wifi wifi 4096 2016-12-14 17:07 .
drwxrwx--t 39 system misc 4096 2014-12-31 19:21 ..
-rw-r--r-- 1 system wifi 32 2016-12-12 18:32 config
-rw-rw---- 1 system wifi 21 2016-12-13 03:15 entropy.bin
-rw------- 1 system system 166 2016-12-13 03:25 ipconfig.txt
-rw------- 1 system system 3814 2016-12-14 17:07 networkHistory.txt
-rw-rw---- 1 wifi wifi 237 2014-12-31 19:26 p2p_supplicant.conf
drwxrwx--- 2 wifi wifi 4096 2016-12-13 03:15 sockets
-rw------- 1 system system 49 2014-12-31 19:25 softap.conf
drwxrwx--- 2 wifi wifi 4096 2014-12-31 19:21 wpa_supplicant
-rw-rw---- 1 wifi wifi 949 2016-12-14 17:07 wpa_supplicant.conf
steadfasterX said:
My first thought was that the mac address is generated from the misc partition but as far as I can see it seems to be not. At least I can't find a string matching my current mac.
Click to expand...
Click to collapse
Maybe it matches the mac in /system/etc/wifi/bcmdhd.cal (macaddr=)? I found that I had a slightly different one there.
steadfasterX said:
You identified it that the ROM sources are the reason good. But I don't think you should look at the kernel sources only. Check the CM sources as well I believe here you will get better findings.
Click to expand...
Click to collapse
https://github.com/CyanogenMod/android_device_lge_g4-common/blob/cm-14.1/hwaddrs/getmac.c
I found this earlier and it shows CM mounting misc and doing something with /data/misc/wifi/config. I thought it was reading config, but it looks like it's actually writing it there after reading it from somewhere else in misc. That would explain why it gets reset. Do you understand where it's reading from? I'm having a hard time reading C.
Specifically this part:
Code:
int fd1, fd2;
char macbyte;
char macbuf[3];
int i;
fd1 = open("/dev/block/bootdevice/by-name/misc",O_RDONLY);
fd2 = open("/data/misc/wifi/config",O_WRONLY|O_CREAT|O_TRUNC,S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
write(fd2,"cur_etheraddr=",14);
for (i = 0; i<6; i++) {
lseek(fd1,0x3000+i,SEEK_SET);
lseek(fd2,0,SEEK_END);
read(fd1,&macbyte,1);
sprintf(macbuf,"%02x",macbyte);
write(fd2,&macbuf,2);
if (i!=5) write(fd2,":",1);
}
It looks like our bluetooth mac is getting set in the same way later on.
I'm thinking about setting up a CM build environment again and playing with my own builds to try to see what's up.
steadfasterX said:
interesting is that I searched the misc partition (I love Linux and the tool strings) and found my imei written in there..
Click to expand...
Click to collapse
Nice. I just looked at what CM is reporting my IMEI as, to see if it got reset, but it looks good. I know that cell data is still working, so I'd expect my IMEI to be right.
steadfasterX said:
Well as you wrote you haven't the problem on stock:
Do you cleaned out the WiFi config file before when testing stock? Afaik it should be cleaned out automatically though but just to be sure.. What happens when you delete that file on stock and reboot? Will it get regenerated?
Click to expand...
Click to collapse
I didn't try that. I was in a hurry to get back to CM so I could set it up for daily use. I'll try doing stuff like that soon if we don't figure have anything else to go on. It's getting too late to do it here tonight.
Yesterday I tried to extract misc.img from the kdz but none of the tools I found were able to successfully do it. Something was corrupt. My plan was to look at it or flash it in fastboot and see if anything changes.
GOT IT!
It's actually pretty simple, but I've never done anything quite like this before.
Overview:
Make an img of misc
Edit it in a hex editor
Overwrite misc with the img
Reboot
You could do this entirely on your phone, but I'll walk you through doing it using adb on your computer.
1. Make an img of misc and pull it to your computer.
Code:
adb shell "su -c 'dd if=/dev/block/bootdevice/by-name/misc of=/sdcard/misc.img'"
adb pull /sdcard/misc.img
2. Edit misc.img in a hex editor (I used HexEdit on Windows)
Find the hex offset 3000. Now edit 3000-3005 with your wifi mac address. For example "00 90 3D F1 A2 31".
The bluetooth mac address appears to be stored at 4000, so you could set it there if you wanted/needed to.
3. Write the img
Code:
adb push misc.img /sdcard/misc_edited.img
adb shell "su -c 'dd if=/sdcard/misc_edited.img of=/dev/block/bootdevice/by-name/misc'"
4. Reboot
Code:
adb reboot
If it all works, it's okay to delete the img files we left in /sdcard
Code:
adb shell "rm /sdcard/misc*.img"
Makes totally sense! Just for your information the file in
/system/etc/wifi/bcmdhd.cal
contains a mac address but it is not the same as in the Wi-Fi config file
Thanks for sharing this walkthrough it will help others having the same issue
Thank you!!
You are a MF genius!!! I have the same problem but with an LG G3 Beat, and I wanted to know if this works the same with my device. Thank you bro!
Hey guys, as the title says I successfully changed my GWA2 CSC from DBT to XAR, but ran into some problems. The watch boots up normally and I can use it, install apps from the Galaxy Store, etc. but I am stuck on version R820XXU1ASHF/Tizen 4.0.0.6. My phone shows a 30.68MB update to BTG1, and it can download it and start installing it but when it gets to 97%, the watch resets and boots up the old (ASHF) firmware. Moreover, Samsung Pay says that it can't start since I've "modified my watch," but I think this can be due to the very old firmware.
I've already tried changing to another CSC (both to AUT and the original EUR) and reflashing the ASHF firmware but to no avail. I originally came from R820XXU1BTA1 but I can't find that anywhere.
What can I do to fix this? I've also found the firmware files on some paid sites, and I'd pay since it's nothing significant, but I'm really not sure if those are real. Has anyone here bought firmware from them? Can anyone set me up with anything even one version newer than what I have? I've been searching for hours but I seem to have hit a dead end.
I bought a firmware on Fullstockfirmware and it works fine. I can host R820XXU1BTF3.zip if you need, but i'm new member, can't post link.
---------- Post added at 05:20 PM ---------- Previous post was at 05:17 PM ----------
https://drive.google.com/file/d/1LmJ9uJl644ePVnwabkGt_swDY961B_Ds/view?usp=drivesdk
Here is a link for the firmware
Noname761 said:
I bought a firmware on Fullstockfirmware and it works fine. I can host R820XXU1BTF3.zip if you need, but i'm new member, can't post link.
---------- Post added at 05:20 PM ---------- Previous post was at 05:17 PM ----------
https://drive.google.com/file/d/1LmJ9uJl644ePVnwabkGt_swDY961B_Ds/view?usp=drivesdk
Here is a link for the firmware
Click to expand...
Click to collapse
Thank you so much! You're a godsend! I flashed this in a heartbeat.
The update to BTG1 and SPay still don't work, but BTF1 is a way better point to be stuck on.
Plus, I checked my Knox bit, and it is not set. Maybe I messed something up (file permissions, line terminators, etc.) in /csa...
with this firmware i have samsung pay, but i can't test it because my bank is not supported. and the ecg and blood pressure works with 23.tpk and shm caranava. oh and nothing for the firmware. it's normal to share on a sharing forum ?
Noname761 said:
with this firmware i have samsung pay, but i can't test it because my bank is not supported. and the ecg and blood pressure works with 23.tpk and shm caranava. oh and nothing for the firmware. it's normal to share on a sharing forum
Click to expand...
Click to collapse
Could you by any chance give me the output of the following command? You don't need the combination firmware or root to run it.
Code:
sdb shell "ls -l /csa/csc/csc-active-customer.inf /csa/imei/prodcode.dat && hexdump -C /csa/csc/csc-active-customer.inf && hexdump -C /csa/imei/prodcode.dat"
My output looks like this:
Code:
-rwxrwxr-x 1 root system_share 3 Aug 12 10:27 /csa/csc/csc-active-customer.inf
-rw-rw-r-- 1 root system_share 14 Aug 11 15:23 /csa/imei/prodcode.dat
00000000 58 41 52 |XAR|
00000003
00000000 53 4d 2d 52 38 32 30 4e 5a 4b 41 58 41 52 |SM-R820NZKAXAR|
0000000e
here is mine
Code:
-rwxrwxr-x 1 root system_share 3 Aug 8 19:26 /csa/csc/csc-active-customer.inf
-rw-rw-r-- 1 root system_share 14 Aug 7 07:53 /csa/imei/prodcode.dat
00000000 58 45 46 |XEF|
00000003
00000000 53 4d 2d 52 38 32 30 4e 5a 53 41 58 45 46 |SM-R820NZSAXEF|
0000000e
Noname761 said:
here is mine
Code:
-rwxrwxr-x 1 root system_share 3 Aug 8 19:26 /csa/csc/csc-active-customer.inf
-rw-rw-r-- 1 root system_share 14 Aug 7 07:53 /csa/imei/prodcode.dat
00000000 58 45 46 |XEF|
00000003
00000000 53 4d 2d 52 38 32 30 4e 5a 53 41 58 45 46 |SM-R820NZSAXEF|
0000000e
Click to expand...
Click to collapse
Thanks for all your help, alas I can't find what's wrong with my watch...
before updating, i used the combination firmware to change my CSC and then i flash a stock firmware. I made the updates with wearable and I finally flash the version 4.0.0.8.
IMHO this is Rollback Prevention crap.. of Bootloader sboot.bin...
If Firmware is lower... Alphabet knowledge and count from 0 - 10 is enough skills...
Additional Infos can be taken from here:
http://fota-cloud-dn.ospserver.net/firmware/XAR/SM-R820/version.xml
I see ASHF... and you confirmed it fount FOTA delta package... :good: :good:
Now check Bootloader Version...
Code:
sdb shell
Code:
cat /proc/cmdline
To bypass you need same or higher Firmware...
Post result of Command...
And I could try to help you...
IMHO BTF3 is not valid FOTA base in XAR chain...
BTD3 or something like this was before on XAR...
BTG1 not leaked yet... otherwise we would do this.
Best Regards
adfree said:
IMHO this is Rollback Prevention crap.. of Bootloader sboot.bin...
If Firmware is lower... Alphabet knowledge and count from 0 - 10 is enough skills...
Additional Infos can be taken from here:
http://fota-cloud-dn.ospserver.net/firmware/XAR/SM-R820/version.xml
I see ASHF... and you confirmed it fount FOTA delta package... :good: :good:
Now check Bootloader Version...
Code:
sdb shell
Code:
cat /proc/cmdline
To bypass you need same or higher Firmware...
Post result of Command...
And I could try to help you...
IMHO BTF3 is not valid FOTA base in XAR chain...
BTD3 or something like this was before on XAR...
BTG1 not leaked yet... otherwise we would do this.
Best Regards
Click to expand...
Click to collapse
Code:
sh-3.2$ cat /proc/cmdline
console=ram loglevel=4 bootmode=ramdisk root=/dev/ram0 rw model=SM-R820 boot_ver=R820XXU1BTA1 hw_rev=05 sec_debug.enable=0 sec_debug.enable_user=0 tizenboot.sec_atd.tty=/dev/ttySAC0 tizenboot.emmc_checksum=0 tizenboot.dram_info=01,06,00,0.75G tizenboot.log=0x9b010000,0x200000,0x7f309,0x7ff90 tizenboot.boottime=1230ms tizenboot.sales_code=XAR warrantybit=0 sec_debug.bin=N lcdtype=0x402484 ess_setup=0x9b000000 [email protected] [email protected] DynSysLog=0 uart_sel=AP pmic_info=11 oops=panic [email protected] sec_debug.chipidfail_cnt=0 sec_debug.lpitimeout_cnt=0 sec_debug.cache_err_cnt=0 sec_debug.lpddr4_size=0.75 tizenboot.recovery_offset=1056512 tizenboot.carrierid_offset=1049156 tizenboot.carrierid= sec_debug.reset_reason=7 sec_debug.pwroffsrc=0x0 sec_debug.pwronsrc=0x8 sec_debug.rst_stat=0x20000000 tizenboot.verified_kern=1 tizenboot.fota_bl_status=none
I also found something interesting in /var/log/last_update.log which I will also attach to this post
Code:
UA/ERROR(SS_IMGVerfiyPartition) SS_IMGVerfiyPartition - SHA mismatch with SRC [/dev/mmcblk0p7] Expected [ffa4a910] Actual [ffa4a938]
UA/ERROR(SS_SetUpgradeState) FAILED to upgrade Cause:[0xd19]
I have pulled the delta.tar from the device and it seems that mmcblk0p7 is a ramdisk. I thought I'd replace the SHA value and pull the ole switcharoo but I can't find it anywhere
Code:
boot_ver=R820XXU1BTA1
This is the Knockout...
FOTA selfcheck detect that Bootloader not valid for ASHF Firmware...
Valid in case of FOTA crap...
BTA1 is inside FOTA chain of XAR CSC aka Sales Code:
http://fota-cloud-dn.ospserver.net/firmware/XAR/SM-R820/version.xml
Code:
R820XXU1BTA1/R820OXA1BTA1
Easiest way IMHO to flash whole BTA1 Firmware...
Best Regards
Thanks, I'll see if I can get my hands on that version...
@g511
Please check your Private Message... I sent you PM...
Best Regards
Hy guys.
Anyone can help me. I changed CSC and Samsung pay now is on the watch. The problem are two:
1- Samsung doesn't work because "the watch is modified"
2- doesn't work the upgrade. I download the update but doesn't install
Searching for a solution.
Thanks
@stampatori
Please, it is more helpfull if you give FULL details...
MINIMUM to know Model Name... Nobody here have Crystal Ball...
SM-R820?
Or LTE device like SM-R825F?
Or?
Best Regards
@adfree
Sorry.....?
My watch is a GWA2
SM-R820
Tizen 4.0.0.6
Firmware R820XXU1ASHF
@g511 search "techno proz change csc on watch active 2" on YOUTUBE and just follow. 100% works ! I did it 3 days ago and evrything is perfect !
Hello
I have the same problem with my NEW active 2 watch, I don´t know why it is happening, because my watch is NEW. I found this log in /opt/var/log/last_update.log
Code:
UA/(deleteNode): There is only one node. The list can't be made empty UA/ERROR(SS_FSVerifyNode) SS_FSVerifyNode - SHA mismatch with SRC - PATH [system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal] Expected [fff7d41c] Actual [fff7d430]
UA/ERROR(SS_SetUpgradeState) FAILED to upgrade Cause:[0xd15]
UA/ERROR(SS_AppendNode) Bad Nodes, Failed to pass verification - [Delta Path - /opt/usr/data/fota/save/delta.tar][OldPath - system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal] [NewPath - system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal]
UA/(tar_free_cfg_table): Free TAR CFG TABLE
UA/ERROR(SS_FSVerifyPartition) FS Verification Failed PartIndex: [4]
UA/(SS_FSClearNodes): Free Nodes idx=4
UA/(update_all): CSC verify failUA/(save_cause): save_cause entered, 0xd15
UA/(print_error_cause): The update failed because data was corrupted during update of device.UA/(save_cause): save_cause leaved!
UA/(main): [update_all ret=64537]
UA/(main): Result=64537
UA/(save_result): save_result entered, result=0xfc19
UA/(save_result): save_result leaved!
this is my /proc/cmdline
Code:
console=ram loglevel=4 bootmode=ramdisk root=/dev/ram0 rw model=SM-R825FS boot_ver=R825FXXU1ASJ3 hw_rev=05 sec_debug.enable=0 sec_debug.enable_user=0 tizenboot.sec_atd.tty=/dev/ttySAC0 tizenboot.emmc_checksum=0 tizenboot.dram_info=01,06,00,1.50G tizenboot.log=0x9b010000,0x200000,0x0,0xaba tizenboot.boottime=2140ms tizenboot.sales_code=COM warrantybit=0 sec_debug.bin=N lcdtype=0x402484 ess_setup=0x9b000000 [email protected] [email protected] DynSysLog=0 uart_sel=AP pmic_info=11 oops=panic [email protected] sec_debug.chipidfail_cnt=0 sec_debug.lpitimeout_cnt=0 sec_debug.cache_err_cnt=0 sec_debug.lpddr4_size=1.50 tizenboot.recovery_offset=1056512 tizenboot.carrierid_offset=1049156 tizenboot.carrierid= sec_debug.reset_reason=9 sec_debug.pwroffsrc=0x10 sec_debug.pwronsrc=0x1 sec_debug.rst_stat=0x10000 tizenboot.cp_reserved_mem=off tizenboot.verified_kern=1 tizenboot.fota_bl_status=none
this is my csc-active-customer.inf
Code:
sh-3.2$ hexdump -C /csa/csc/csc-active-customer.inf
00000000 43 4f 4d |COM|
00000003
this is my prodcode.dat
Code:
sh-3.2$ hexdump -C /csa/imei/prodcode.dat
00000000 53 4d 2d 52 38 32 35 46 5a 4b 41 43 4f 4d |SM-R825FZKACOM|
0000000e
Do you know why i can not update my watch ?
Thanks !
@andrs1294
All i can see for now is something mismatch with CSC... but not fully understand...
COM
http://fota-cloud-dn.ospserver.net/firmware/COM/SM-R825F/version.xml
TCE
http://fota-cloud-dn.ospserver.net/firmware/TCE/SM-R825F/version.xml
Both CSC / Sales Code are in same package... region Code:
OWO...
Code:
R825FXXU1ATA1/R825F[B]OWO[/B]1ATA1/R825FXXU1ATA1
I have only OXA and OLB package with ATA1 Firmware for netOdin...
Need some more time for investigation...
Found only 1 OWO package...:
Code:
R825FXXU1[B]ASI5[/B]
Best Regards
adfree said:
@andrs1294
All i can see for now is something mismatch with CSC... but not fully understand...
Both CSC / Sales Code are in same package... region Code:
OWO...
Code:
R825FXXU1ATA1/R825F[B]OWO[/B]1ATA1/R825FXXU1ATA1
I have only OXA and OLB package with ATA1 Firmware for netOdin...
Need some more time for investigation...
Found only 1 OWO package...:
Code:
R825FXXU1[B]ASI5[/B]
Best Regards
Click to expand...
Click to collapse
Thanks @adfree for your response. Here you can find my investigation:
The error message is:
Code:
There is only one node. The list can't be made empty UA/ERROR(SS_FSVerifyNode) SS_FSVerifyNode - SHA mismatch with SRC - PATH [system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal] Expected [ff9feddc] Actual [ff9fedf0]
So, I search about SS_FSVerifyNode code on internet, I found that that code is part of libtota-1.2.2-25.1.src.rpm.
Code:
...
if (SS_LoadFile(path, &source_file) == 0) {
if (memcmp(source_file.sha1, source_sha1, SHA_DIGEST_SIZE) != 0) {
SS_Free(source_file.data);
unsigned char actualShaBuffer[41] = { 0, };
hex_digest(source_file.sha1, actualShaBuffer, SHA_DIGEST_SIZE);
LOGE("SS_FSVerifyNode - SHA mismatch with SRC - PATH [%s] Expected [%s] Actual [%s]\n",
path, sha1src, actualShaBuffer);
SS_SetUpgradeState(E_SS_FSSRCCURRUPTED); // E_SS_FSSRCCURRUPTED (0xD15) /*Could NOT update FS as SRC seems to be corrupted */
return E_SS_FAILURE;
}
}
...
It is calculating SHA1 of the file system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal and then it compares with SHA inside the csc.img/CSC.txt inside the delta.tar file. Part of the content of the csc.img/CSC.txt is
Code:
DIFF:REG:system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal:system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal:[B]a4b298726c564ea01c9f21815c864e253493c269[/B]:f185bc963d1e61e372da5f1cda21e69a0cebf3ca:diff4_.delta_opername.db-journal_CSC.delta
PaTcHCoUnT:4 0 0 0 0 0
So I think my delta_opername.db-journal was edited in some moment, So the sha resumen doesnt match.