Mifare card emulation - NFC Hacking

Based on this article "nelenkov.blogspot.fr/2012/10/emulating-pki-smart-card-with-cm91.html", I'm trying to emulate a Mifare card by handling APDUs on Android (cyanogen9, on Nexus S).
According to the APDU received, my application should answer with the right APDU, thus simulating the Mifare behaviour.
However, receiving a specific APDU gives me weird behavior.
For example, reading a Mifare card with rfidiot (just block 1 after auth) gives me:
Code:
#rfidiot-cli.py -d -r1 select mf key a FFFFFFFFFFFF mf auth a 0 mf dump 1 1
> FF CA 00 00 00
< CD EA 7D 2B 90 0
Tag ID: CDEA7D2B
ATR: 3B8F8001804F0CA000000306030001000000006A
Setting Mifare Key A: FFFFFFFFFFFF
Authenticating to sector 00 with Mifare Key A (FFFFFFFFFFFF)
> FF 82 20 00 06 FF FF FF FF FF FF
< [] 90 0
> FF 88 00 00 60 00
< [] 90 0
OK
Dumping data blocks 01 to 01:
> FF 88 00 01 60 00
< [] 90 0
> FF B0 00 01 01
< [] 6C 10
> FF B0 00 01 10
< 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 0
01: 00000000000000000000000000000000 ................
Then, reading my app emulating the Mifare card, I get the wrong behaviour:
Code:
#rfidiot-cli.py -d -r1 select mf key a FFFFFFFFFFFF mf auth a 0 mf dump 1 1
> FF CA 00 00 00
< 08 F0 82 65 90 0
Tag ID: 08F08265
ATR: 3B80800101
Setting Mifare Key A: FFFFFFFFFFFF
Authenticating to sector 00 with Mifare Key A (FFFFFFFFFFFF)
> FF 82 20 00 06 FF FF FF FF FF FF
< [] 90 0
> FF 88 00 00 60 00
< [] 90 0
OK
Dumping data blocks 01 to 01:
> FF 88 00 01 60 00
< [] 90 0
> FF B0 00 01 01
< [] 69 81
Failed: Command incompatible with file structure
An error appears on the FF B0 00 01 01 APDU command. And I don't know where the 6981 APDU command comes from..
In the logcat, I have an error on the transceive, just when it tries to catch the FF B0 00 01 01 APDU command...
Can someone help me with this "bug"?

Hi,
Mifare Classic cards do not use ISO 7816-4 APDUs. Thus, you cannot emulate such a card using your Nexus S.
The APDUs you use to access the Mifare Classic card in your example (those starting with FF...) are commands that you send to the Mifare reader chip. The Mifare reader then translates them to Mifare Classic commands (some weird non-standard-compliant partly encrypted protocol). Also the error code you see is generated by the reader that was unable to communicate with your phone using the Mifare Classic protocol.
br
Michael
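To make the distinction in the reply above concrete, here is an added example (not code from the thread or from rfidiot) that decodes both traces from the first post: it marks every CLA=FF command as addressed to the reader, names it using the PC/SC Part 3 instruction bytes, and interprets the status words per ISO 7816-4. The function names are hypothetical; the trace lines are copied from the post.

```python
"""Decode an rfidiot debug trace: who each command is for, what the status means."""

# PC/SC Part 3 storage-card instructions sent under CLA=0xFF. The reader
# consumes these itself and speaks the card's native protocol on the RF side.
READER_INS = {
    0xCA: "GET DATA (UID)",
    0x82: "LOAD KEYS",
    0x86: "GENERAL AUTHENTICATE",
    0x88: "AUTHENTICATE (legacy)",
    0xB0: "READ BINARY",
    0xD6: "UPDATE BINARY",
}

# Lines copied from the two traces in the post above.
REAL_CARD = """\
> FF CA 00 00 00
< CD EA 7D 2B 90 0
> FF 82 20 00 06 FF FF FF FF FF FF
< [] 90 0
> FF 88 00 00 60 00
< [] 90 0
> FF 88 00 01 60 00
< [] 90 0
> FF B0 00 01 01
< [] 6C 10
> FF B0 00 01 10
< 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 0
"""

EMULATED = """\
> FF CA 00 00 00
< 08 F0 82 65 90 0
> FF 82 20 00 06 FF FF FF FF FF FF
< [] 90 0
> FF 88 00 00 60 00
< [] 90 0
> FF 88 00 01 60 00
< [] 90 0
> FF B0 00 01 01
< [] 69 81
"""


def _hex_fields(text):
    """rfidiot prints bytes unpadded ("90 0") and empty data as "[]"."""
    return [int(tok, 16) for tok in text.split() if tok != "[]"]


def describe_status(sw1, sw2):
    if (sw1, sw2) == (0x90, 0x00):
        return "success"
    if sw1 == 0x6C:
        return f"wrong Le, resend with Le={sw2} bytes"
    if (sw1, sw2) == (0x69, 0x81):
        return "command incompatible with file structure"
    return "unrecognised status"


def decode_trace(text):
    """Pair each '>' command with the '<' response that follows it."""
    exchanges, command = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(">"):
            command = _hex_fields(line[1:])
        elif line.startswith("<") and command is not None:
            response = _hex_fields(line[1:])
            # Skip malformed pairs: no full CLA/INS/P1/P2 header or no status word.
            if len(command) >= 4 and len(response) >= 2:
                sw1, sw2 = response[-2:]
                to_reader = command[0] == 0xFF
                exchanges.append({
                    "target": "reader" if to_reader else "card",
                    "name": (READER_INS.get(command[1], "unknown reader command")
                             if to_reader else "ISO 7816-4 APDU"),
                    "sw": f"{sw1:02X}{sw2:02X}",
                    "status": describe_status(sw1, sw2),
                    "data": bytes(response[:-2]),
                })
            command = None
    return exchanges


def first_failure(exchanges):
    """First exchange that is neither success nor a 6C 'retry with this Le' hint."""
    for ex in exchanges:
        if ex["sw"] != "9000" and not ex["sw"].startswith("6C"):
            return ex
    return None


if __name__ == "__main__":
    for label, trace in (("real card", REAL_CARD), ("emulated", EMULATED)):
        print(label)
        for ex in decode_trace(trace):
            print(f"  {ex['target']:6} {ex['name']:24} {ex['sw']} {ex['status']}")
        print("  first failure:", first_failure(decode_trace(trace)))
```

Against the real card the 6C 10 reply is only a length hint and the retry succeeds; against the phone the first command that needs card data, READ BINARY, is where the reader reports 6981.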

Hi guys,
Can we edit data on Mifare cards with our phones? And if so, how? I just by accident put my student ID card under my phone, and when the phone beeped I freaked out ;d Now I'm having fun, so I'm wondering if I can edit my card? Just to mess a little..

Yep, you can write Mifare Classic tags if you have a device with an NXP NFC chip and the tag is not write-protected or encrypted. Devices with a Broadcom NFC chip can write NFC Forum 1-4 compatible tags (also not write-protected and not encrypted).
However, you can use apps like NFC ReTag to start some activities even if your tag is write-protected or encrypted.


Qualcomm Tools and S8500/S8530 and now S8600

If you switch to QC and install correct drivers you have access.
Tested successfully few Tools:
PSAS
QPST
QXDM
NV items are possible to backup.
Read/write NV also possible...
SPC is 000 000
Security Password seems FFFFFFFFFFFFFFFF
I tested in PSAS... other SP leads to restart.
But Memory access is blocked.
Download Mode uses only Samsung Driver, not QC...
Goal would be to access/dump memory via Bootloader...
Best Regards
Samsung locked down the Wave more so than their Android offering due to the proprietary nature of Bada. To be honest, I really don't know how to solve that issue. Is there any other folk with JTAG boxes that might give us their two cents?
Maybe we should play with Qualcomm stuff. To log something like GPIO.
HWTP for instance, but shows at this time only for older models...
see Screenshot from EF81... you can save to Text file...
Another useful tool could be QXDM.
I was able once to log something from S8500, but I have forgotten how...
Best Regards
HWTP can make Text output... here only from EF81, but:
GPIO 13 LCD_BCKLT_PWM
GPIO 84 FUEL_GAUGE_TXD
and more...
As HWTP is based on QXDM, I think QXDM is able to do this also... for S8500.
Question is only how.
Best Regards
Edit 1.
I've changed in Settings.Ini from HWTP MSM Identifier to:
0x4015E0E
Now I have access to the menu...
But I think it's not correct... as GPIO is handled in GPIONameList.ini
Attached is from S8500 too, but again, this could be crap.
WARNING: according to changes in this file phones' id can change.
Also Limit is 98... no idea how many GPIOs are in modern handset...
QXDM Logging work... with S8500.
Code:
MSG Factory Test Mode/High
15:31:24.222 QMochaBattery_fuel_gauge.c 01512
Fuel Gauge SOC I2C Read Sucess, reg 0x4
Best Regards
Maybe soon we have more skilled QC users with S8600.
Welcome.
Best Regards
have you got FTM program for FTM mode ?
https://rapidshare.com/files/3344313793/qpst_ftm_eval_6.10_818.rar
QPST I found 2.7.368
QXDM 3.12.714
Both untested with S8600...
I think this is older stuff, removed from QPST... since 2006 or something like this.
Thanx.
Best Regards
QPST saved my little Bu..
I've lost all my NV items and was not able to restore Full dump via JTAG...
But step by step my S8500 is now alive again.
I can confirm that all NV items which I have backed up via QPST are restorable.
Around 306...
Maybe it depend if full erased like my handset... if writeprotected or something like this...
Best Regards
What will happen with the network lock if I change the IMEI to all zeros with these tools? Is it calculated in real time and does it depend on the IMEI, or is it just in some protected part of the phone? Is there any other way of unlocking with these tools?
Adfree, I know that you don't support unlocking, but I have had my phone for more than 12 months, I don't have warranty any more and I want to start using custom firmwares and to learn something new. Unlocking is too expensive for me.
Please help me if you can, I would be very grateful. Of course I'm respecting your work and your attitude very much and I will delete my post immediately if you want.
Many thanks.
hi adfree,
I have a problem with my phone: Kies doesn't recognize my phone's firmware and says my device is not supported for firmware upgrades, even though I have the official Bada 1.2 firmware for the Philippines.
My previous firmware was S8500XXKL6 Bada 2.0, but since there are a lot of bugs in this firmware, I've switched back to the official Bada 1.2 firmware from the Philippines.
First, I flashed the DXKE1 full firmware (CSC is Open Asia), then I flashed DXKF1 with a CSC of XTC (one of the CSCs for the Philippines).
I've checked my Product Code, but my product code in the Kies registry is S8500BAAKOR.
What's wrong with my phone that Kies doesn't recognize my firmware? Is that because of the wrong Product Code?
Can I modify the product code in the Kies registry to change KOR to XTC?
Pls advise.
Thanks
Can i answer please ?
Thank you
Go to this topic : http://forum.xda-developers.com/showthread.php?t=1333956&highlight=hack
It is Adfree Tutorial so don't worry
Best Regards
Please, can someone confirm.
How to set S8600 to work in Qualcomm Mode?
Thanx in advance.
Sorry, I can't try self... no S8600.
Best Regards
According to this...
http://forum.xda-developers.com/showpost.php?p=24208953&postcount=56
I was able to set my S8500 to Test Mode...
No idea yet. For what it is...
Simple... WinComm shows:
Code:
__OemNvGetStringModem: ModemNv Item id is 10071, return GT-S8600HKAXEF
__OemNvGetIntModem: ModemNv Item id is 10072, return 65535
So I have used RevSkills to set NV item 2758 to 01...
Before it was 00
Maybe 02 is also Mode? No idea yet.
But first success for me. Now my S8500 can work again with Kies.
If I used faked S8600 apps_compressed...
Before my F. Kies not connected on 2 PCs if I have changed my apps_compressed...
Best Regards
At the moment I am playing with Jet S8000...
Here it is possible to access EFS via QPST...
Best Regards
About S8600...
I have NOT found way or Code to set S8600 in Qualcomm Mode...
Maybe someone else have an idea...
Thanx in advance.
Best Regards
Edit 1.
http://forum.xda-developers.com/showpost.php?p=30900694&postcount=222
QPST Build 378 ...
Found for S8600... later more...
Best Regards
Edit 1.
Code:
*#8720#
AP USB / CP USB.
Taken from here:
http://www.mysamsungwave.com/index.php?topic=85.0
Now I was able to backup NV items...
In "alternate Mode" EFS Explorer shows all folders on S8600...
Also short tested QXDM... but with old Version...
Best Regards
Related to adfree's post in the other thread about the Bluetooth investigation on the S8530, I came to this one. I have installed QXDM and tested it. I only have Ubuntu; QXDM was tested in WinXP under VirtualBox.
Steps in S8500:
-*#8720# to activate "Qualcomm mode" (again to return to normal mode)
-Qualcomm drivers from this thread (Files.rar attachment)
-Looking for NV items related with bluetooth, found this
http://forum.xda-developers.com/showthread.php?p=33233244&highlight=bluetooth#post33233244
2839^"Bluetooth Active"^"Factory*"
2840^"Bluetooth Visible"^"Factory*"
2841^"Bluetooth SAP Enable"^"Factory*
4525^"Bluetooth Disabled"^"Debug*"
But they seem not active in S8500: QXDM Read button says "NV Status Error Received: Item Inactive". BlueTooth logs shows no info, not even mac address.
So Bluetooth in S8500 seem just managed by bcm4329 chip.
Maybe with QXDM we can get some "other processor logs" related with Bluetooth operations, but I am not very confident about that
Caution!
QXDM shows you little overview about "standard" NV items...
OEMs like Samsung can do their own stuff...
But since 2001 I think, really Standard NV items are:
NV item 447 for Bluetooth address
and IMEI
NV item 550
This is also working for S8500 + S8530 and many other handsets in year 2013... Qualcomm based.
If you activate an inactive NV item, then you could do bad things to your handset...
Because few items then brick your handset... Bootcycle for instance...
It is really hard to erase or change few NV items, because WRITE Protection and few other ugly Security thingies... remember IMEI...
You can backup few NV items with QPST... as QCN file... with Tool Software Download BACKUP
Result looks like this:
Code:
File Version: Major 2, Minor 0, Revision 0
File Summary:
Phone Model: 19 [QSC6270/QSC6240], Configuration Name: default, Total NV Item Count: 305
Phone Model 19 [QSC6270/QSC6240] Configurations:
Configuration Name: default
Mobile Properties:
ESN: 0xDEADD00D
Phone Model: 19 [QSC6270/QSC6240]
NV Major: 0
NV Minor: 0
SW Version: Q6270B-KPUBL-1.5.45072S
Client Name: QPST Software Download 2.7.0.348
Feature Mask:
Bit 9: F_PREFERRED_ROAMING_BIT
Bit 11: F_DIAG_ORIG_CALL_BIT
Bit 46: F_UI_SHOW_DROP_CALL_BIT
Bit 48: F_UI_PWR_KEY_ALT_BIT
Bit 81: F_DS_BIT
Bit 91: F_UI_PRL_VER_BIT
Bit 94: F_MULTIPLE_RINGER_TYPES_BIT
Bit 109: F_MC_TIMER_FIX_BIT
Bit 150: F_LPM_BIT
Bit 171: F_IS683A_PRL_BIT
Bit 200: F_NV_TWO_NAMS_RL_SMALL_BIT
Bit 206: F_ODIE_FONT_BIT
Bit 216: F_EVRC_BIT
Bit 269: F_TCXO_CLOCK_BIT
Bit 281: F_UART_POWERDOWN_BIT
Bit 283: F_FAST_WARMUP_BIT
Bit 296: F_SBI_BIT
Bit 300: F_EVRC_ADSP_BIT
Bit 301: F_VOCODER_MANAGER_BIT
Bit 335: F_AUTOBAUD_BIT
Bit 336: F_512KBYTE_RAM_BIT
Bit 340: F_UI_ANIMATE_CHARGE_BIT
Bit 341: F_NSOTASP_BIT
Bit 350: F_UI_DL_ROAM_MSG_BIT
Bit 358: F_MINIBROWSER_BIT
Bit 363: Unknown
Bit 367: Unknown
Bit 371: Unknown
Bit 375: Unknown
Bit 376: Unknown
Bit 377: Unknown
Bit 379: Unknown
Bit 380: Unknown
Bit 381: Unknown
Bit 387: Unknown
Bit 390: Unknown
Bit 391: Unknown
Bit 423: Unknown
Bit 424: Unknown
Total Set Bits: 39 of 432
Roaming Lists:
NV Items:
NV item: 10 [NV_PREF_MODE_I], index 0
NV_PREF_MODE_I 0: 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_PREF_MODE_I 1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_PREF_MODE_I 2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_PREF_MODE_I 3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_PREF_MODE_I 4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_PREF_MODE_I 5: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_PREF_MODE_I 6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_PREF_MODE_I 7: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV item: 256 [NV_PRL_ENABLED_I], index 0
NV_PRL_ENABLED_I 0: 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NV_PRL_ENABLED_I 1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
I have no idea, how good XP work in Virtual machine...
It's dangerous to have an accident during read/write access to NV...
For instance I can only repair few mistakes with JTAG...
Best Regards

[Q/HELP]Samsung GT-I5510 bml partition mapping

TOPIC IS CLOSED
How to dump bml files
IMPORTANT:
Any GT-I5510 user, please dump bml5, bml11 and bml14. How to dump:
You need to root your phone via oneclickroot. And then via any terminal or adb shell
Code:
su
dd if=/dev/block/bml5 of=/sdcard/bml5.img
dd if=/dev/block/bml11 of=/sdcard/bml11.img
dd if=/dev/block/bml14 of=/sdcard/bml14.img
Then copy to your computer and upload.
Add info about your model and country/world region.
Current status:
Code:
bml1 mibib
bml2 qcsbl
bml3 oemsbl
bml4 amss
bml5 ????????FSR_STL
bml6 empty or empty rfs partition
bml7 empty or stuff added by clockwork recovery or similar software
bml8 arm11boot
bml9 boot.img + initramfs?
bml10 recovery
bml11 ???????? ....................MOT............................ON.....
bml12 system.rfs
bml13 data.rfs
bml14 ????????FSR_STL
Anything useful:
Code:
cat /proc/partitions
major minor #blocks name
137 0 513024 bml0/c
137 1 1536 bml1
137 2 512 bml2
137 3 768 bml3
137 4 25600 bml4
137 5 24832 bml5
137 6 5120 bml6
137 7 25600 bml7
137 8 2048 bml8
137 9 10240 bml9
137 10 10240 bml10
137 11 768 bml11
137 12 195840 bml12
137 13 184320 bml13
137 14 25600 bml14
Ops File:
Code:
0,mibib
1,qcsbl
2,oemsbl
3,amss
4,arm11boot
5,boot
6,recovery
7,system
8,data
9,csc
10,
GT-I5510L_kernel\kernel\include\linux\fsr_if.h:
Code:
#ifndef __KERNEL__
/*Warning*/
/*If you modify BML, you must check this definition*/
/*****************************************************************************/
/* Partition Entry ID of BML_LoadPIEntry() */
/* Partition Entry ID from 0 to 0x0FFFFFFF is reserved in BML */
/* Following ID is the pre-defined value and User can use Partition Entry ID */
/* from PARTITION_USER_DEF_BASE */
/*****************************************************************************/
#define PARTITION_ID_NBL 0 ///< NAND bootloader stage 1, 2
#define PARTITION_ID_BOOTLOADER 1 ///< NAND bootloader stage 3
#define PARTITION_ID_BOOT_PARAMETER 2 ///< NAND bootloader parameter of stage 3
#define PARTITION_ID_COPIEDOS 3 ///< OS image copied from NAND flash memory to RAM
#define PARTITION_ID_ROOT_FILESYSTEM 4 ///< OS image loaded on demand
#define PARTITION_ID_BMLAREA5 5 ///< BML area 5
#define PARTITION_ID_BMLAREA6 6 ///< BML area 6
#define PARTITION_ID_BMLAREA7 7 ///< BML area 7
#define PARTITION_ID_BMLAREA8 8 ///< BML area 8
#define PARTITION_ID_BMLAREA9 9 ///< BML area 9
#define PARTITION_ID_BMLAREA10 10 ///< BML area 10
#define PARTITION_ID_BMLAREA11 11 ///< BML area 11
#define PARTITION_ID_BMLAREA12 12 ///< BML area 12
#define PARTITION_ID_BMLAREA13 13 ///< BML area 13
#define PARTITION_ID_BMLAREA14 14 ///< BML area 14
#define PARTITION_ID_BMLAREA15 15 ///< BML area 15
#define PARTITION_ID_BMLAREA16 16 ///< BML area 16
#define PARTITION_ID_BMLAREA17 17 ///< BML area 17
#define PARTITION_ID_BMLAREA18 18 ///< BML area 18
#define PARTITION_ID_BMLAREA19 19 ///< BML area 19
#define PARTITION_ID_FILESYSTEM0 20 ///< file system 0
#define PARTITION_ID_FILESYSTEM1 21 ///< file system 1
#define PARTITION_ID_FILESYSTEM2 22 ///< file system 2
#define PARTITION_ID_FILESYSTEM3 23 ///< file system 3
#define PARTITION_ID_FILESYSTEM4 24 ///< file system 4
#define PARTITION_ID_FILESYSTEM5 25 ///< file system 5
#define PARTITION_ID_FILESYSTEM6 26 ///< file system 6
#define PARTITION_ID_FILESYSTEM7 27 ///< file system 7
#define PARTITION_ID_FILESYSTEM8 28 ///< BML area 18
#define PARTITION_ID_FILESYSTEM9 29 ///< BML area 19
#define PARTITION_ID_FILESYSTEM10 30 ///< file system 0
#define PARTITION_ID_FILESYSTEM11 31 ///< file system 1
#define PARTITION_ID_FILESYSTEM12 32 ///< file system 2
#define PARTITION_ID_FILESYSTEM13 33 ///< file system 3
#define PARTITION_ID_FILESYSTEM14 34 ///< file system 4
#define PARTITION_ID_FILESYSTEM15 35 ///< file system 5
#define MAX_STL_PARTITIONS (PARTITION_ID_FILESYSTEM7 - PARTITION_ID_FILESYSTEM0 + 1)
Code:
cat /proc/mounts
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
/dev/stl14 /cache rfs rw,nosuid,nodev,relatime,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/stl13 /data rfs rw,nosuid,nodev,relatime,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/stl12 /system rfs ro,relatime,vfat,log_off,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/block/vold/179:1 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0002,dmask=0002,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/vold/179:1 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0002,dmask=0002,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
tmpfs /mnt/sdcard/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0
/dev/block/dm-0 /mnt/asec/com.levelup.bw.forecast-1 vfat ro,dirsync,nosuid,nodev,noexec,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-1 /mnt/asec/com.google.zxing.client.android-1 vfat ro,dirsync,nosuid,nodev,noexec,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-2 /mnt/asec/ymst.android.homeswitcherfroyo-1 vfat ro,dirsync,nosuid,nodev,noexec,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-3 /mnt/asec/com.keramidas.TitaniumBackup-1 vfat ro,dirsync,nosuid,nodev,noexec,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-4 /mnt/asec/com.dolphin.browser-1 vfat ro,dirsync,nosuid,nodev,noexec,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
Code:
cat /proc/LinuStoreIII/bmlinfo
FSR VERSION: FSR_1.2.1p1_b139_RTM
minor position size units id
1: 0x00000000-0x00180000 0x00180000 6 1
2: 0x00180000-0x00200000 0x00080000 2 2
3: 0x00200000-0x002c0000 0x000c0000 3 3
4: 0x002c0000-0x01bc0000 0x01900000 100 4
5: 0x01bc0000-0x03400000 0x01840000 97 23
6: 0x03400000-0x03900000 0x00500000 20 25
7: 0x03900000-0x05200000 0x01900000 100 5
8: 0x05200000-0x05400000 0x00200000 8 6
9: 0x05400000-0x05e00000 0x00a00000 40 7
10: 0x05e00000-0x06800000 0x00a00000 40 8
11: 0x06800000-0x068c0000 0x000c0000 3 9
12: 0x068c0000-0x12800000 0x0bf40000 765 21
13: 0x12800000-0x1dc00000 0x0b400000 720 22
14: 0x1dc00000-0x1f500000 0x01900000 100 24
(0)(0) bad mapping information
No BadUnit RsvUnit
Dumped bml blocks:
bml1-11,14
bml12,13
BML7.img HEX CODE(Begin)
Code:
0000:0000 | 41 4E 44 52 4F 49 44 21 00 78 22 00 00 80 20 00 19 3E 0B 00 00 00 20 01 00 00 00 00 00 00 10 01 00 01 20 00 00 08 00 00 00 00 00 00 00 00 | ANDROID!.x"... ..>.... ........... ...........
0000:002E | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6D 65 6D 3D 32 31 31 4D 20 63 6F 6E 73 6F 6C 65 3D 74 74 79 4D 53 4D 32 2C 31 31 35 | ..................mem=211M console=ttyMSM2,115
0000:005C | 32 30 30 6E 38 20 61 6E 64 72 6F 69 64 62 6F 6F 74 2E 68 61 72 64 77 61 72 65 3D 71 63 6F 6D 20 63 6F 6E 73 6F 6C 65 3D 74 74 79 55 53 42 | 200n8 androidboot.hardware=qcom console=ttyUSB
0000:008A | 43 4F 4E 53 4F 4C 45 30 20 61 6E 64 72 6F 69 64 62 6F 6F 74 2E 63 6F 6E 73 6F 6C 65 3D 74 74 79 55 53 42 43 4F 4E 53 4F 4C 45 30 00 00 00 | CONSOLE0 androidboot.console=ttyUSBCONSOLE0...
0000:00B8 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ..............................................
0000:00E6 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ..............................................
0000:0114 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ..............................................
0000:0142 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ..............................................
0000:0170 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ..............................................
0000:019E | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ..............................................
0000:01CC | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ..............................................
0000:01FA | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ..............................................
0000:0228 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 99 68 EA 91 90 97 91 5C 97 96 B1 E1 22 48 42 4D BD AC AB 6F 00 00 | .........................hê....\..±á"HBM½¬«o..
0000:0256 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ..............................................
Bml mapping is almost done.
Here is kernel and ramdisk extracted from bml7 that willing uploaded.
megaupload.com/?d=4VRFR1G3
Could you extract the recovery partition?.
Here is the recovery.img that I got from a stock image.
WillingMagic, can you post the final partition layout please? Many thanks! Cheers.
bml9 - boot image confirmed
bml10 - recovery confirmed
I had tried running clockworkmod earlier with some other recovery.
So my bml7 is showing the contents of clockworks partition. So, not sure if bml7 is param.fs, but it gets written to by clockworkmod!!
Just checked on a friend's brand new 551.
The bml7 partition is empty :
All FF FF FF FFFFFFFFFFFFFFFFFFFFFFFF s
Checked on another phone.
By default bml7 is empty (all FFs)
Seems that all of us have tried some stuff like clockwork, so the data on bml7
Does anyone have a working flash_image binary (that works on 551)?
I am trying to flash my partitions with a few changed images, but unable to flash
Maybe your friend has a different model, or maybe branded ROMs have a different layout? I use the latest open ROM XWKA7 from Samsung. If anybody uses that ROM, please upload your bml partition.
I tried to build ClockworkMod recovery, but my build doesn't work; I can't flash it on my phone. I also tried to upload a modified PDA.tar.md5 via Odin, but it also hangs when I try. But good news: I didn't brick my phone.
Nope.... checked with another phone at a Samsung showroom.
bml7 is confirmed to be blank - all FFs
We probably had bml7 with some stuff because of running ClockworkMod.
Also, as you have issues in booting with your image, how about taking another route?
Lets try to modify basic things like default.prop or init scripts and rewriting to the partition. We could progress from there.
I have tried to do the same, but flash_image does not work. If you have a working version for bml, let me know
I'm out for a few days because my laptop power supply is broken.
IMPORTANT:
Any GT-I5510 user, please dump bml6 and bml7. How to dump:
You need to root your phone via oneclickroot. And then via any terminal or adb shell
su
dd if=/dev/block/bml7 of=/sdcard/bml7.img
dd if=/dev/block/bml6 of=/sdcard/bml6.img
Then copy to your computer and upload.
Add info about your model and country/world region.
Well, what are partition bml6 and bml7 for?. My bml7 have ramdisk and kernel files. I will upload the files soon.
Here are my bml's:
bml6: h**p://tinyurl.com/6c6yxzh
bml7: h**p://tinyurl.com/62ly9lw
Model: I5510
Firmware version: DDJK4
Country: India.
I would be glad to help for any other thing....and eagerly waiting for gingerbread!!!!
Anyone know how to enter in Bootloader - Fastboot mode?. I tried with "W" + Power but don't work.
For bootloader :
1. Attach usb cable. Start adb.
adb shell
su
reboot bootloader
2. Start terminal
su
reboot bootloader
3. Shut down phone
Press 'Q' key on keypad + Power button
Keep pressed till phone restarts
Thanks buddy. But...
1. I don't have root access in adb shell, I don't know why. I rooted my phone with Super One Click 1.7, but adb shell doesn't work with root permissions unless I click "Root Shell" in the same program. In this case, adb shell is rooted but temporarily, not permanently.
2. In the terminal I have root access, but when I execute "su" and "reboot bootloader", the phone reboots normally as if nothing had happened. I guess the bootloader is locked.
3. When I push Q + power, the phone enters Download mode, not Bootloader mode.
I guess the phone is not fully rooted.
551 does not have fastboot
So, reboot bootloader opens up download mode!!
The "Bootloader" mode is not present.
You successfully rooted your phone. On official ROMs you can't get root access via adb directly, only indirectly via su; all apps which need root work fine. I don't think the bootloader is protected or encrypted. Some phones don't support fastboot, because they use a different block system, like Callisto. Fastboot requires mtd blocks, but Callisto uses bml and stl blocks, so fastboot can't work.
Thank you very much for your answers!. Stupid fastboot.....

[ASK] Link2SD for galaxy W

I wanna ask,
does the Galaxy W need Link2SD installed?
what settings would be good if installing Link2SD?
Actually it depends on how many applications you want installed on your phone, but yes, it is worth installing for at least 5 reasons:
Being able to mount to your computer your SD cards using the debug mode without stopping the applications that you should have moved to the SD card using the native App2SD.
Not being limited by the size of the /data partition because of the *.dex files generated for the dalvik cache.
You can move any kind of applications even those that are not movable to SD!
Link2SD includes free utilities like conversion of system application to user application (and vice versa) that you'll have to pay for with other solutions like Titanium Backup.
Avoiding slow downs because of the loop mounts created (Just run the "mount" command from an adb shell or terminal and you'll see).
Indeed I noticed a global slow down of my phone after I've started getting more and more applications being installed and beside I'm using some other tool to avoid push services and other unwanted background processes to be started by some applications, I've come to the conclusion that too many loop mounts because of the native App2SD is not good either (I suspect it takes over the RAM).
Actually the Link2SD FAQ will give you all the good reasons why to use it:
http://www.link2sd.info/faq
Recommendations:
I'd like to also share my experience (I may move the following to another thread):
Recommended microSD cards:
Regarding the microSD card you can use even a 32 GB class 10.
The ones I recommend (32 GB class 10) are Samsung, SanDisk, Transcend (Those Transcend ones made in Korea are logically made by Samsung, the ones made in China are made by SanDisk).
Partitioning and formatting:
The tough part is the partitioning and formatting.
Out of the box, all the microSD cards are partitioned and formatted so that they are aligned with their erase block size (it can be 8 MiB, 12 MiB...)
Thus you'll have to consult the following so you'll know the erase block size:
the Linaro flash card survey:
https://wiki.linaro.org/WorkingGroups/Kernel/Projects/FlashCardSurvey
the corresponding flashbench mailing list
http://lists.linaro.org/mailman/listinfo/flashbench-results
You can also use the flashbench tool to figure it out.
The problem is that you cannot create or resize the FAT32 partition using Windows (even with minitool partition or paragon partition manager), nor with Linux by using gparted or other tools, because you won't get your partitions aligned with the erase blocks and thus you'll get bad performance and faster wearing of your card.
Backup:
Before formatting do a raw backup of the first 16 MiB (for the partitions table and the FAT32 description) using busybox dd on the phone itself or dd on Linux.
For example on the phone:
dd if=/dev/block/mmcblk1 of=/sdcard/mmcblk1-orig-1st-16MiB.img bs=4M count=4
Also you must keep using the default cluster size of 32 kiB because of optimization done at the level of Android and because smaller cluster size will mean more memory taken from the RAM - Actually the FAT is loaded in the RAM, so you must keep it not too big.
Formulas:
Then decide how much you need for the Link2SD partition - You can start with 1 GiB or so, personally I use about 2 GiB. You can check how much space is taken by the asec images to decide...
Now here comes some math (The formulas are to be used in LibreOffice Calc):
Partitioning:
We need to define the new size for the FAT32 partition at the beginning so it is aligned with the erase block size and so that the File Allocation Tables are located between the special offsets (especially true with SanDisk - for example the FAT must be located between the offsets at 4 MiB and 12 MiB, that's why most SD card have 4 MiB unpartitioned free space at the beginning).
Code:
new_fat32_partition_size = MROUND(whole_microsd_size - wanted_link2sd_partition_size + fat32_start_offset ; erase_block_size) - fat32_start_offset
With:
whole_microsd_size: The actual total size of the card - You can get it using fdisk.
wanted_link2sd_partition_size: The size you'd like for the Link2SD partition.
fat32_start_offset: The offset where the 1st FAT32 partition starts.
erase_block_size: The erase block size.
So for example for a SanDisk microSDHC 32 GB Class 10, we have an erase block size of 12 MiB (actually 3 times 4 MiB) and a FAT description that has to start at the offset at 4 MiB and then next erase block that starts at the offset at 12 MiB.
Therefore you'll have:
Code:
new_fat32_partition_size = MROUND(30,101,504 kiB - 1,061,376 kiB + 4,194,304 kiB ; erase_block_size) - 12 582 912 kiB = 30,101,504 kiB
Therefore using fdisk you should get something like the following when printing the partitions (p) - Don't forget to disable the DOS compatibility flag and use the sector as the unit:
Code:
Disk /dev/mmcblk0: 31.9 GB, 31914983424 bytes
4 heads, 16 sectors/track, 973968 cylinders, total 62333952 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9a064f9d
Device Boot Start End Blocks Id System
/dev/mmcblk0p1 8192 60211199 30101504 c W95 FAT32 (LBA)
/dev/mmcblk0p2 60211200 62333951 1061376 83 Linux
FAT32 formatting:
Use mkdosfs 3.0.9 or later with the right number of reserved sectors so that the root directory and data start exactly at the next erase block offset.
The idea is to make it so that the FATs end exactly before that offset, but for that we need to know the size of one FAT.
Here is the formula based on mkdosfs source code, to calculate that needed number of reserved sectors:
Code:
total_number_of_sectors = total_number_of_blocks * block_size / sector_size
number_of_sectors_for_fats_and_data = total_number_of_sectors - MROUND(default_number_of_reserved_sectors ; cluster_size)
number_of_clusters = (number_of_sectors_for_fats_and_data * sector_size + number_of_fats * 8) / (cluster_size * sector_size + number_of_fats * 4)
fat_size = MROUND(CEILING((number_of_clusters + 2) * 4 / sector_size ; 1) ; cluster_size)
root_directory_offset = default_number_of_reserved_sectors + number_of_fats * fat_size
aligned_root_directory_offset = MROUND(root_directory_offset ; erase_block_size * 1024^2 / sector_size)
number_of_reserved_sectors = aligned_root_directory_offset - root_directory_offset + default_number_of_reserved_sectors
With:
sector_size: 512 bytes (Standard value)
block_size: 1,024 bytes (Standard value)
total_number_of_blocks: new_fat32_partition_size in kiB
default_number_of_reserved_sectors: 64 (can be 32)
cluster_size: 64 sectors (i.e. 32 kiB)
number_of_fats: 2 (Standard value)
So for example for that same card you'll get:
Code:
total_number_of_sectors = 60,203,008
number_of_reserved_sectors = 1,664
Therefore here is the command to format the FAT32 partition:
Code:
$> sudo mkdosfs -F 32 -s 64 -R 1664 -n EXTERNAL_SD -v /dev/mmcblk0p1
mkdosfs 3.0.9 (31 Jan 2010)
/dev/mmcblk0p1 has 4 heads and 16 sectors per track,
logical sector size is 512,
using 0xf8 media descriptor, with 60203008 sectors;
file system has 2 32-bit FATs and 64 sectors per cluster.
FAT size is 7360 sectors, and provides 940416 clusters.
There are 1664 reserved sectors.
Volume ID is 8aa89e36, volume label EXTERNAL_SD.
You can see that each FAT takes less than 3.6 MiB, so with 2 FATs and the reserved sector the FAT description takes less than 8 MiB.
You can then check using hexdump if indeed the root directory starts at the 12 MiB offset (knowing that the partition begins at the 4 MiB offset - indeed 12 = 4 + 8).
For that let's read the first 13 MiB of the card:
Code:
$> sudo hd -n $[13*1024*1024] /dev/mmcblk0
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 82 |................|
000001c0 03 00 0c f8 95 a3 00 20 00 00 00 a0 96 03 00 f8 |....... ........|
000001d0 96 a3 83 1b f3 28 00 c0 96 03 00 64 20 00 00 00 |.....(.....d ...|
000001e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00400000 eb 58 90 6d 6b 64 6f 73 66 73 00 00 02 40 80 06 |.X.mkdosfs...@..|
00400010 02 00 00 00 00 f8 00 00 10 00 04 00 00 00 00 00 |................|
00400020 00 a0 96 03 c0 1c 00 00 00 00 00 00 02 00 00 00 |................|
00400030 01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00400040 00 00 29 e5 a5 dc 46 45 58 54 45 52 4e 41 4c 5f |..)...FEXTERNAL_|
00400050 53 44 46 41 54 33 32 20 20 20 0e 1f be 77 7c ac |SDFAT32 ...w|.|
00400060 22 c0 74 0b 56 b4 0e bb 07 00 cd 10 5e eb f0 32 |".t.V.......^..2|
00400070 e4 cd 16 cd 19 eb fe 54 68 69 73 20 69 73 20 6e |.......This is n|
00400080 6f 74 20 61 20 62 6f 6f 74 61 62 6c 65 20 64 69 |ot a bootable di|
00400090 73 6b 2e 20 20 50 6c 65 61 73 65 20 69 6e 73 65 |sk. Please inse|
004000a0 72 74 20 61 20 62 6f 6f 74 61 62 6c 65 20 66 6c |rt a bootable fl|
004000b0 6f 70 70 79 20 61 6e 64 0d 0a 70 72 65 73 73 20 |oppy and..press |
004000c0 61 6e 79 20 6b 65 79 20 74 6f 20 74 72 79 20 61 |any key to try a|
004000d0 67 61 69 6e 20 2e 2e 2e 20 0d 0a 00 00 00 00 00 |gain ... .......|
004000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
004001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00400200 52 52 61 41 00 00 00 00 00 00 00 00 00 00 00 00 |RRaA............|
00400210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
004003e0 00 00 00 00 72 72 41 61 7e 59 0e 00 03 00 00 00 |....rrAa~Y......|
004003f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00400400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00400c00 eb 58 90 6d 6b 64 6f 73 66 73 00 00 02 40 80 06 |.X.mkdosfs...@..|
00400c10 02 00 00 00 00 f8 00 00 10 00 04 00 00 00 00 00 |................|
00400c20 00 a0 96 03 c0 1c 00 00 00 00 00 00 02 00 00 00 |................|
00400c30 01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00400c40 00 00 29 e5 a5 dc 46 45 58 54 45 52 4e 41 4c 5f |..)...FEXTERNAL_|
00400c50 53 44 46 41 54 33 32 20 20 20 0e 1f be 77 7c ac |SDFAT32 ...w|.|
00400c60 22 c0 74 0b 56 b4 0e bb 07 00 cd 10 5e eb f0 32 |".t.V.......^..2|
00400c70 e4 cd 16 cd 19 eb fe 54 68 69 73 20 69 73 20 6e |.......This is n|
00400c80 6f 74 20 61 20 62 6f 6f 74 61 62 6c 65 20 64 69 |ot a bootable di|
00400c90 73 6b 2e 20 20 50 6c 65 61 73 65 20 69 6e 73 65 |sk. Please inse|
00400ca0 72 74 20 61 20 62 6f 6f 74 61 62 6c 65 20 66 6c |rt a bootable fl|
00400cb0 6f 70 70 79 20 61 6e 64 0d 0a 70 72 65 73 73 20 |oppy and..press |
00400cc0 61 6e 79 20 6b 65 79 20 74 6f 20 74 72 79 20 61 |any key to try a|
00400cd0 67 61 69 6e 20 2e 2e 2e 20 0d 0a 00 00 00 00 00 |gain ... .......|
00400ce0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00400df0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00400e00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
004d0000 f8 ff ff 0f ff ff ff 0f f8 ff ff 0f ff ff ff 0f |................|
004d0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00868000 f8 ff ff 0f ff ff ff 0f f8 ff ff 0f ff ff ff 0f |................|
00868010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00c00000 45 58 54 45 52 4e 41 4c 5f 53 44 08 00 00 52 b3 |EXTERNAL_SD...R.|
We can see that indeed the root partition starts at the offset 0x00c00000 which is 12 MiB!
Also note that 0x00400000 is the 4 MiB offset, the beginning of the FAT32 partition...
You can try the hexdump against the backup you did and you'll see that the factory formatting also uses a number of reserved sectors so that the root directory is aligned. For example I've found the root directory at the 12 MiB offset (of course) and for that they use 1,170 reserved sectors (I've decoded the hexdump to get that value) which matches the formula. They also set 8,192 hidden sectors - that's more for compatibility with some cameras, we don't care here...
Link2SD formatting:
I use ext4 for that partition, I've got inspiration from http://blogofterje.wordpress.com/2012/01/14/optimizing-fs-on-sd-card/, however I'm not sure if indeed using the stride and the stripe-width options is really needed:
Code:
$ sudo mkfs.ext4 -O ^has_journal -E stride=4,stripe-width=512 -b 4096 -L Link2SD /dev/mmcblk0p2
mke2fs 1.41.14 (22-Dec-2010)
Filesystem label=Link2SD
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=4 blocks, Stripe width=512 blocks
66384 inodes, 265344 blocks
13267 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=272629760
9 block groups
32768 blocks per group, 32768 fragments per group
7376 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 30 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Anyway I consider the Link2SD partition is going to be used much more for read than write and we need the same file system that is used on the other partitions of the phone (i.e. ext4).
I hope it's not too complicated and that will help
Some other references:
http://android.bytearrays.com/android/align-your-sdcard-fat-and-ext-partition/
http://www.bradfordembedded.com/2011/12/format-an-sd-card-with-8-mib-aligned-partitions/
http://www.olpcnews.com/forum/index.php?topic=4993.0
http://www.patriotmemory.com/forums...ite-speed-by-aligning-FAT32&p=41521#post41521
http://forum.xda-developers.com/showthread.php?t=1224408
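The two formulas in the post above and its hexdump check, as an added Python example (not part of the original post): it recomputes the FAT32 partition size and the `-R` value from the fdisk figures, then decodes the boot-sector bytes shown at 0x00400000 to confirm where the FATs and the root directory land. Function names are this example's own; aligning the root directory on its absolute offset from the start of the card (partition start included) and rounding the FAT size up are assumptions of the example.

```python
import struct

SECTOR = 512  # bytes per sector, as reported by fdisk in the post


def cdiv(a, b):
    """Integer division rounding up."""
    return -(-a // b)


def align_up(value, multiple):
    """Smallest multiple of `multiple` that is >= value."""
    return cdiv(value, multiple) * multiple


def mround(value, multiple):
    """LibreOffice MROUND for non-negative integers (nearest multiple)."""
    return (value + multiple // 2) // multiple * multiple


def plan_fat32_size_kib(card_kib, link2sd_kib, fat32_start_kib, erase_block_kib):
    """Partitioning formula from the post; all arguments in kiB."""
    end = mround(card_kib - link2sd_kib + fat32_start_kib, erase_block_kib)
    return end - fat32_start_kib


def plan_reserved_sectors(part_sectors, part_start, erase_block,
                          cluster=64, nfats=2, default_reserved=64):
    """Return (fat_size, reserved_sectors, clusters); all sizes in sectors.

    Assumption of this example: the root directory is aligned on its
    absolute offset from the start of the card (part_start included).
    """
    fatdata = part_sectors - align_up(default_reserved, cluster)
    clusters = (fatdata * SECTOR + nfats * 8) // (cluster * SECTOR + nfats * 4)
    fat_size = align_up(cdiv((clusters + 2) * 4, SECTOR), cluster)
    root_abs = part_start + default_reserved + nfats * fat_size
    reserved = align_up(root_abs, erase_block) - part_start - nfats * fat_size
    # Cluster count once the enlarged reserved area is taken out of the data area.
    final_clusters = (part_sectors - reserved - nfats * fat_size) // cluster
    if cdiv((final_clusters + 2) * 4, SECTOR) > fat_size:
        raise ValueError("FAT too small for the resulting cluster count")
    return fat_size, reserved, final_clusters


# First 48 bytes of the FAT32 boot sector, copied from the hexdump in the
# post at offset 0x00400000 (start of /dev/mmcblk0p1).
BOOT_SECTOR_HEAD = bytes.fromhex(
    "eb 58 90 6d 6b 64 6f 73 66 73 00 00 02 40 80 06 "
    "02 00 00 00 00 f8 00 00 10 00 04 00 00 00 00 00 "
    "00 a0 96 03 c0 1c 00 00 00 00 00 00 02 00 00 00 "
)


def fat32_layout(boot, part_start_bytes):
    """Decode the FAT32 BPB fields and return absolute byte offsets on the card."""
    # Offset 11: bytes/sector (u16), sectors/cluster (u8),
    # reserved sectors (u16), number of FATs (u8), all little-endian.
    bps, cluster, reserved, nfats = struct.unpack_from("<HBHB", boot, 11)
    # Offset 32: total sectors (u32), sectors per FAT (u32).
    total_sectors, fat_size = struct.unpack_from("<II", boot, 32)
    fat1 = part_start_bytes + reserved * bps
    return {
        "cluster": cluster,
        "reserved": reserved,
        "fat_size": fat_size,
        "total_sectors": total_sectors,
        "fat1": fat1,
        "fat2": fat1 + fat_size * bps,
        # The data area (and here the root directory) starts after the last FAT.
        "root": fat1 + nfats * fat_size * bps,
    }


if __name__ == "__main__":
    # Figures from the fdisk output in the post: 62333952 sectors in total,
    # FAT32 starting at sector 8192 (4 MiB), 12 MiB erase block.
    size_kib = plan_fat32_size_kib(62333952 // 2, 1061376, 4096, 12 * 1024)
    fat_size, reserved, clusters = plan_reserved_sectors(size_kib * 2, 8192, 24576)
    print(f"FAT32 partition: {size_kib} kiB, mkdosfs -s 64 -R {reserved}")
    print(f"FAT size {fat_size} sectors, {clusters} clusters")
    layout = fat32_layout(BOOT_SECTOR_HEAD, 8192 * SECTOR)
    for name in ("fat1", "fat2", "root"):
        print(f"{name}: 0x{layout[name]:08x}")
    print("root aligned:", layout["root"] % (12 * 1024 * 1024) == 0)
```

To check another card, read its first boot sector (for example with dd) and pass those bytes with the partition's start offset to `fat32_layout`.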
What a long and completed answer
I'll read and try to understand the way one-by-one. Thanks for sharing your knowledge!
Sent from my GT-I8150 using Tapatalk 2
v0rt3x said:
Actually it depends on how many applications you want installed on your phone, but yes, it is worth installing for at least 5 reasons:
Being able to mount to your computer your SD cards using the debug mode without stopping the applications that you should have moved to the SD card using the native App2SD.
Not being limited by the size of the /data partition because of the *.dex files generated for the dalvik cache.
You can move any kind of applications even those that are not movable to SD!
Link2SD includes free utilities like conversion of system application to user application (and vice versa) that you'll have to pay for with other solutions like Titanium Backup.
Avoiding slow downs because of the loop mounts created (Just run the "mount" command from an adb shell or terminal and you'll see).
Indeed I noticed a global slow down of my phone after I've started getting more and more applications being installed and beside I'm using some other tool to avoid push services and other unwanted background processes to be started by some applications, I've come to the conclusion that too many loop mounts because of the native App2SD is not good either (I suspect it takes over the RAM).
Actually the Link2SD FAQ will give you all the good reasons why to use it:
http://www.link2sd.info/faq
Recommendations:
I'd like to also share my experience (I may move the following to another thread):
Recommend microSD cards:
Regarding the microSD card you can use even a 32 GB class 10.
The ones I recommend (32 GB class 10) are Samsung, SanDisk, Transcend (Those Transcend ones made in Korea are logically made by Samsung, the ones made in China are made by SanDisk).
Partitioning and formatting:
The tough part is the partitioning and formatting.
Out of the box, all the microSD cards are partitioned and formatted so that they are aligned with their erase block size (it can be 8 MiB, 12 MiB...)
Thus you'll have to consult so you'll know the erase block size:
the Linaro flash card survey:
https://wiki.linaro.org/WorkingGroups/Kernel/Projects/FlashCardSurvey
the corresponding flashbench mailing list
http://lists.linaro.org/mailman/listinfo/flashbench-results
You can also use the flashbench tool to figure it out.
The problem is that you cannot create or resize the FAT32 partition using Windows (even with minitool partition or paragon partition manager), nor with Linux by using gparted or other because you won't get your partitions aligned with the erase blocks and thus you'll get bad performances and faster wearing of your card.
Backup:
Before formatting do a raw backup of the first 16 MiB (for the partitions table and the FAT32 description) using busybox dd on the phone itself or dd on Linux.
For example on the phone:
dd if=/dev/block/mmcblk1 of=/sdcard/mmcblk1-orig-1st-16MiB.img bs=4M count=4
Also you must keep using the default cluster size of 32 kiB because of optimization done at the level of Android and because smaller cluster size will mean more memory taken from the RAM - Actually the FAT is loaded in the RAM, so you must keep it not too big.
Formulas:
what a nice answer... It's too complicated, but I think I can understand overall of that.. thanks mate
USB storage
Galaxy W has an internal USB Storage. Link2sd failed to move apps that have big database or library (like sygic) to the external memory but instead it was moved to the internal USB storage. How do I make Link2sd to move all the large apps to the external memory? Thanks in advance
Scootster said:
Galaxy W has an internal USB Storage. Link2sd failed to move apps that have big database or library (like sygic) to the external memory but instead it was moved to the internal USB storage. How do I make Link2sd to move all the large apps to the external memory? Thanks in advance
Swap the storage so that your external_sd will change place with the internal storage
Pressing "Thanks" button will be much appreciated if user's posts useful for you
swapped memory
reddvilzz said:
Swap the storage so that your external_sd will change place with the internal storage
Pressing "Thanks" button will be much appreciated if user's posts useful for you
I swapped memory before this but the phone did not perform very well. It lagged very much in switching from one task to another.
If memory was to be swapped, then there is no use for Link2sd, is there? Because all apps were installed directly to external memory. Does the memory card need to be in 2 partitions?
No, swapped ish juz useless trick and could break ur sd card.
Dwama said:
No, swapped ish juz useless trick and could break ur sd card.
What are you talking about?
There are 2 meanings of the word 'swap' for the W:
The 1st meaning is creating a swapfile and/or swap partition.
The 2nd meaning is to change the mount points of the internal SD and the external SD so that Android thought the external SD is the internal one (mounted at /sdcard) and the internal SD gets mounted to the external point ( /sdcard/external_sd)
The 1st meaning is the dangerous one. The 2nd meaning is instead very useful.
-- xda app / CM9b3 / DXKL1 / Galaxy W --

[DEV] Oem channel Id Modifier

Hi everybody,
I'm working on software to change the OEM and channel ID for the Windows Store (8.0, maybe 8.1...)
I've managed to see Surface picks, or Lenovo picks, on my Asus VivoTab, but I don't know other OEM channel IDs.
In order to make a database, I need help!
could you go to: (win+R)
%localappdata%\Packages\WinStore_cw5n1h2txyewy\AC\Microsoft\Windows Store\Cache\0
and post in reply this file with your pc model in comment :
0-Channel-https∺∯∯next-services.apps.microsoft.com∯browse∯6.2.9200-1∯670∯Channel.dat
This file doesn't contain any personal data, just channel and OEM ID
thanks!
feherneoh said:
09 AA 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Lenovo B560
Hi ferneoh
thank you, if you replace 09 AA 98 by 97 C5 98 for example you will have access to samsung picks.... but i can't download from oem store for now...
My Surface RT only have file "0-Channel-https∺∯∯next-services.apps.microsoft.com∯browse∯6.2.9200-1∯670∯Channel∯Surface%20RT.dat"
ฺู™  0 0 0 0 1 0 9 8 9 4
That all from it.
That file is a binary data file. Opening it in notepad doesn't represent the actual data (although it does attempt to parse it as plain text anyway).
I'd love to be able to use this to install Nokia's proprietary apps onto my Surface... please make this happen!
Anyone looked into this, yet?

Bus pass?

Hi just wondering if there is anything I could do to make this card expiry date longer?
It expired on Tuesday. Anything I could do?
** TagInfo scan (version 2.00) 2014-04-13 14:07:30 **
-- INFO ------------------------------
# IC manufacturer:
NXP Semiconductors
# IC type:
MIFARE DESFire EV1 (MF3ICD41)
# DESFire Applications:
ITSO public transport application
Provision of citizen services #0
* UK National Smartcard Project
Provision of citizen services #1
* UK National Smartcard Project
Provision of citizen services #2
* UK National Smartcard Project
Provision of citizen services #3
* UK National Smartcard Project
Provision of citizen services #4
* UK National Smartcard Project
-- NDEF ------------------------------
# NFC data set storage not present:
Maximum NDEF storage size after format: 4094 bytes
-- EXTRA ------------------------------
# Memory information:
Size: 4 kB
Available: 2.2 kB
# IC detailed information:
Capacitance: 17 pF
# Version information:
Vendor ID: NXP
Hardware info:
* Type/subtype: 0x01/0x01
* Version: 1.0
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-2 and -3
Software info:
* Type/subtype: 0x01/0x01
* Version: 1.4
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-3 and -4
Batch no: 0xBA44D7C6C0
Production date: week 38, 2013
# Authentication information:
Default PICC master key
-- TECH ------------------------------
# Technologies supported:
ISO/IEC 7816-4 compatible
Native DESFire APDU framing
ISO/IEC 14443-4 (Type A) compatible
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible
# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.IsoDep, android.nfc.tech.NfcA, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.IsoDep
* Maximum transceive length: 261 bytes
* Default maximum transceive time-out: 6000 ms
* Extended length APDUs supported
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 6000 ms
MIFARE Classic support present in Android
# Detailed protocol information:
ID: 04:81:68:7A:62:36:80
ATQA: 0x4403
SAK: 0x20
ATS: 0x067577810280
* Max. accepted frame size: 64 bytes (FSCI: 5)
* Supported receive rates:
- 106, 212, 424, 848 kbit/s (DR: 1, 2, 4, 8)
* Supported send rates:
- 106, 212, 424, 848 kbit/s (DS: 1, 2, 4, 8)
* Different send and receive rates supported
* SFGT: 604.1 us (SFGI: 1)
* FWT: 77.33 ms (FWI: 8)
* NAD not supported
* CID supported
* Historical bytes: 0x80 |.|
# Memory content:
PICC level (Application ID 0x000000)
* Default PICC master key
* PICC key configuration:
- PICC key changeable
- PICC key required for:
~ directory list access: no
~ create/delete applications: no
- Configuration changeable
- PICC key version: 0
Application ID 0xA00216 (ITSO public transport application)
* Default master key
* Key configuration:
- 2 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: no
- Configuration changeable
- Master key required for changing a key
* 16 files present
- File ID 0x00: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
- File ID 0x01: Backup data, 192 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
- File ID 0x02: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
- File ID 0x03: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
- File ID 0x04: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
- File ID 0x05: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x06: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x07: Backup data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 23 09 00 00 88 B4 2F 03 F8 29 C8 00 00 00 00 00 |#...../..)......|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 FA 00 31 A7 00 35 00 F7 87 A1 DB 89 65 EF AC |...1..5......e..|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x08: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x09: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0A: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0B: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0C: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0D: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 21 11 00 00 7F FE 40 02 62 6A CF 80 00 8A 8F 40 |!.....@.bj.....@|
[0010] 00 FF 00 00 00 00 04 1A 10 00 14 84 00 63 35 97 |.............c5.|
[0020] 00 03 F8 2D 69 00 00 07 32 E0 A5 26 84 E7 BE 4F |...-i...2..&...O|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0E: Standard data, 64 bytes
~ Communication: with MAC
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 18 01 FF 00 7F 00 00 00 00 00 00 00 00 00 00 00 |................|
[0010] 00 00 00 00 00 00 00 00 00 FA 00 31 A7 00 35 01 |...........1..5.|
[0020] 34 8F B7 B5 63 93 CE 08 00 00 00 00 00 00 00 00 |4...c...........|
[0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- File ID 0x0F: Standard data, 32 bytes
~ Communication: plain
~ Read key: free access
~ Write key: key #1
~ Read/Write key: key #1
~ Change key: blocked
~ Contents:
[0000] 18 11 63 35 97 01 27 02 02 56 04 07 04 01 00 00 |..c5..'..V......|
[0010] 40 10 08 07 00 00 54 FD 00 00 00 00 00 00 00 00 |@.....T.........|
Application ID 0xF40110
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
Application ID 0xF40111
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
Application ID 0xF40112
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
Application ID 0xF40113
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
Application ID 0xF40114
* Default master key
* Key configuration:
- 3 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Master key required for changing a key
* No files present
--------------------------------------
Thx
Sent from my C6833 using Tapatalk
This would be considered fraud which is not accepted here on XDA. You're on your own, mate, both in finding the solution to this and in the cell after you get caught.
Cheers!
That's seriously illegal my friend.
Sent from my SAMSUNG-SGH-I337 using XDA Premium 4 mobile app
That's seriously illegal my friend.
+1 to this.
Thank u
Sent from my SAMSUNG-SGH-I337 using XDA Premium 4 mobile app
How can I get these files from my bus card? I have a phone with NFC and rooted. Which program, actually? Thx
Sent from my GT-I9500 using Tapatalk
It is illegal, you know? We can't help you, but let me give you some tips: you should find a timestamp on the ticket. Find it, find out how it's calculated, and you're on your way (as long as the part containing the timestamp isn't write-protected).
Once you find the problem, I highly suggest you report the problem to those concerned by the vulnerability, so that they can fix the problem, and maybe reward you somehow.
I have already worked in this very field, it is a rather fascinating one!
Edit:
How can I get these files from my bus card? I have a phone with NFC and rooted. Which program, actually? Thx
@ahmetozgur I just published an app on here called UltraManager. If your bus card is a Mifare Ultralight tag, you can use my app for the purpose. Otherwise, there are some good apps on Google Play, just look for "NFC tag reader"
How did you get such a detailed information about that card?
Diogo Recharte said:
How did you get such a detailed information about that card?
omg so many people asking such simple questions
HEY OP
What card is that ??
I'm interested in people disposing of beautiful DESFire cards xD
I wonder if I can wipe it..
Diogo Recharte said:
How did you get such a detailed information about that card?
The application used to capture this card information was TagInfo by NXP. It is available from the Play Store here: https://play.google.com/store/apps/details?id=com.nxp.taginfolite&hl=en
Hello. I live in Madrid (Spain), and I have a transportation voucher. I would like to "hack" it, but I would like to know where I can start haha. I saw _darkjoker_ said: "you should find a timestamp on the ticket". How can I do it? I downloaded the program TagInfo by NXP but I need an app where I can change the information of the chip. Is there an app? Because when you buy another month the store clerk swipes the card through an NFC machine ...
If anyone knows anything about this, comment on it
Thanks
Hello. Quick question about an ISO 14443-3A ID card. Does it support GPS? In other words, can it be tracked by GPS? May be a dumb question, but I am not familiar with how the technology works and I'm trying to figure out capabilities. Thanks in advance
GadgetMonger said:
Hello. Quick question about an ISO 14443-3A ID card. Does it support GPS? In other words, can it be tracked by GPS? May be a dumb question, but I am not familiar with how the technology works and I'm trying to figure out capabilities. Thanks in advance
NFC is near field communication. The way it works is there is an antenna/coil inside the tag/card that, when next to a tag reader, gets a charge from it, giving power to the IC on the card. So the card cannot be directly tracked by GPS. BUT, it is possible to have GPS-enabled tag readers which could track you every time you get close enough to one.
Hello,
Most bus pass technology uses DESFire cards with two logical addresses: one is public for all the world to see and the other is private. The private sector is encrypted and is updated every time you put money on it or use it. Also, as a dual-layer defence, most implementations of this technology use a back-to-base system, which means every time you tap it the card is used to query a database to verify that there is money for the trip and to check if the card is currently being used for a trip.
In NSW, Australia, we have Opal cards. They work by storing the balance information and activity in public storage, so you can check it through an NFC-enabled device, and then storing the card's sensitive information in private storage that only the readers at stations and in top-up locations can use. Every time we tap on, the balance on the card is checked with a database and updated locally when needed; then, at the end of the trip, the card's balance is updated from the central database to the card.
So I don't believe you can simply add more time (or money) to most bus pass cards.
MRCaratacus said:
Hello,
Most bus pass technology uses DESFire cards with two logical addresses: one is public for all the world to see and the other is private. The private sector is encrypted and is updated every time you put money on it or use it. Also, as a dual-layer defence, most implementations of this technology use a back-to-base system, which means every time you tap it the card is used to query a database to verify that there is money for the trip and to check if the card is currently being used for a trip.
In NSW, Australia, we have Opal cards. They work by storing the balance information and activity in public storage, so you can check it through an NFC-enabled device, and then storing the card's sensitive information in private storage that only the readers at stations and in top-up locations can use. Every time we tap on, the balance on the card is checked with a database and updated locally when needed; then, at the end of the trip, the card's balance is updated from the central database to the card.
So I don't believe you can simply add more time (or money) to most bus pass cards.
Did you ever work out a way to add money to the card? I'm in NSW too and I have a school Opal card so I don't have to pay anyway, but I'm interested.
Unfortunately no. Unless you hack into the database and locate your card's identifier then add money from the central DB, there is no way you can "hack" more money on the card, and even if you could, the moment you tapped on it would always take the database's values as correct and either adjust your card's balance or detect the fraud and lock the card down.
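The back-to-base check described in the posts above, as an added example that is not part of any post and not any transit operator's real code: the ledger layout, the `writes` counter and the decision strings are assumptions, and the reader is assumed to be always online.

```python
from dataclasses import dataclass

@dataclass
class Account:
    balance: int           # cents, authoritative back-office value
    writes: int            # card writes the back office has performed
    in_trip: bool = False
    locked: bool = False

@dataclass
class CardState:           # values read from the card at the gate: untrusted
    card_id: str
    balance: int
    writes: int

def validate_tap(ledger, card, fare):
    """Decide a tap from the ledger; return (decision, balance to write back)."""
    acct = ledger.get(card.card_id)
    if acct is None:
        return "deny:unknown-card", None
    if acct.locked:
        return "deny:locked", None
    # A write counter that differs from the ledger means the card image was
    # restored or written by something other than the back office; a balance
    # above the ledger is value the back office never issued.
    if card.writes != acct.writes or card.balance > acct.balance:
        acct.locked = True
        return "deny:locked-mismatch", None
    if acct.in_trip:                    # tap-off: close the trip, no charge here
        acct.in_trip = False
        decision = "allow:tap-off"
    elif acct.balance < fare:           # the ledger decides, not the card
        return "deny:insufficient-funds", None
    else:                               # tap-on: debit the ledger
        acct.balance -= fare
        acct.in_trip = True
        decision = "allow:tap-on"
    acct.writes += 1                    # card is rewritten from the ledger value
    return decision, acct.balance

def demo():
    # Constructed sample data, not taken from any real card or system.
    ledger = {"CARD-A": Account(balance=500, writes=7),
              "CARD-B": Account(balance=120, writes=3)}
    results = [
        validate_tap(ledger, CardState("CARD-A", 300, 7), 250),   # stale card, top-up pending
        validate_tap(ledger, CardState("CARD-B", 9900, 3), 250),  # card claims unissued value
        validate_tap(ledger, CardState("CARD-B", 120, 3), 250),   # same card, now locked
        validate_tap(ledger, CardState("CARD-A", 250, 8), 250),   # tap-off closes the trip
    ]
    return results, ledger
```

A card whose stored balance is lower than the ledger (a top-up not yet written to the card) is accepted and resynchronised; only a card claiming more than the ledger, or carrying the wrong write counter, is locked.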
Might have a solution but...
buckofive said:
The application used to capture this card information was TagInfo by NXP. It is available from the Play Store here: https://play.google.com/store/apps/details?id=com.nxp.taginfolite&hl=en
It's illegal and we cannot help you in doing what you want.
In theory, if you use an app like Mifare Classic Tool, which has a tool to compare dumps, you can see what changed, like time, money or whatever. But that must only be done with test NFC cards and just for gaining knowledge, not money.
Hello
I have an NFC card which I use in the university restaurant to pay for lunch. Could I hack it and put more money on it?
Pls help me
can't he overwrite the hex for the date, e.g. Production date: week 38, 2013 -> Week 38, 2018 ?
abood.456 said:
Hello
I have an NFC card which I use in the university restaurant to pay for lunch. Could I hack it and put more money on it?
Pls help me
That's fraud.
