Hello there
This is a surprise, but software able to flash the phone without any computer intervention was already on it, since the beginning.
Searching for a way to install my future lag fix easily, I remember that there was an "OTA" boot mode.
I know, today nobody saw an OTA on any Galaxy S smartpone (except maybe One on the AT&T Captivate?), but the software is still there.
How does this work :
Basically Linux boots a ramdisk, loading kernel modules and running an init process who start the whole Android experience (bootmode=) or just the recovery mode (bootmode=2).
Other bootmodes are used for battery loading only and Over The Air updates.
In this case, init.rc ask init to start "/sbin/redbend_ua all".
By default this software search for software updates in /data/fota and on similar places in the /sdcard.
It could prove useful another day, but you still have to be root to ask your device to reboot in a specific bootmode
The nice part is that we can use redbend_ua manually too, to do many impossible things before :
command list, pretty comprehensive.
Code:
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
Possible usages :
- Flashing the kernel without Odin or any computer
- Backuping and Restoring a whole firmware, including stock one
- Doing more than one operation before automatic reboot through a list of commands in /data/fota/command (not tested yet)
- Messing with bootloaders and bricking your phone for good
Yeah, you must be really carefull this time. Samsung made some partitions read-only for a reason
Hopefully this new tool will be used by most ROM cooker, CyanogenMod, and ClockWorkMod
I'll make a update.zip + redbend_ua template soon if nobody comes up with one.
My Twitter for next news
Joined to this post : redbend_ua working binary. (some firmware ship a new binary that does not accept command line parameters)
-----
Old post, for the record :
Our Galaxy S in Eclair firmwares come with software able to provide update Over The Air.
This firmware is in /sbin directory, which means that it's in the kernel ramdisk.
Look at the output when running the binary without argument or appropriate file:
Code:
# redbend_ua
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
UA/(MakeBMLNodes): mknod path=/dev/block/bml4, dev_no=35076
UA/(MakeBMLNodes): mknod path=/dev/block/bml5, dev_no=35077
UA/(MakeBMLNodes): mknod path=/dev/block/bml7, dev_no=35079
UA/(MakeBMLNodes): mknod path=/dev/block/bml8, dev_no=35080
UA/(MakeBMLNodes): mknod path=/dev/block/bml11, dev_no=35083
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
UA/ check_existence: /data/fota/delta.Sbl
UA/(update_all): Check Delta : path_idx(0), part_idx(0), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.zImage
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.modem
UA/(update_all): Check Delta : path_idx(0), part_idx(2), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.platform
UA/(update_all): Check Delta : path_idx(0), part_idx(3), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.Sbl
UA/(update_all): Check Delta : path_idx(1), part_idx(0), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.zImage
UA/(update_all): Check Delta : path_idx(1), part_idx(1), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.modem
UA/(update_all): Check Delta : path_idx(1), part_idx(2), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.platform
UA/(update_all): Check Delta : path_idx(1), part_idx(3), file_path((null)), cnt(0)
fail!
Open /data/fota/fota.status
fsync after write: 0
And here is the result when you provide a fake zImage delta file:
Code:
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
UA/(MakeBMLNodes): mknod path=/dev/block/bml4, dev_no=35076
UA/(MakeBMLNodes): mknod path=/dev/block/bml5, dev_no=35077
UA/(MakeBMLNodes): mknod path=/dev/block/bml7, dev_no=35079
UA/(MakeBMLNodes): mknod path=/dev/block/bml8, dev_no=35080
UA/(MakeBMLNodes): mknod path=/dev/block/bml11, dev_no=35083
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
UA/ check_existence: /data/fota/delta.Sbl
UA/(update_all): Check Delta : path_idx(0), part_idx(0), file_path((null)), cnt(0)
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path(/data/fota/delta.zImage), cnt(1)
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path(/data/fota/delta.zImage), cnt(1)
UA/ check_existence: /data/fota/delta.modem
UA/(update_all): Check Delta : path_idx(0), part_idx(2), file_path((null)), cnt(1)
UA/ check_existence: /data/fota/delta.platform
UA/(update_all): Check Delta : path_idx(0), part_idx(3), file_path((null)), cnt(1)
page_msize: 4096, phy_unit_size: 262144
UA/ Sbl delta does NOT exist! Skip.
page_msize: 4096, phy_unit_size: 262144
UA/ check_existence: /data/fota/fota_zImage
page_msize: 4096, phy_unit_size: 262144
dev: /dev/block/bml8 partition size: 0x780000
40180008: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180018: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180028: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180038: ffff ffff ffff ffff ffff ffff ffff ffff ................
signature: 0xffffffff
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
page_msize: 4096, phy_unit_size: 262144
page_msize: 4096, phy_unit_size: 262144
UA/(backup_devbml) src: /dev/block/bml7 partition size: 0x780000
UA/(backup_devbml) dst: /dev/block/bml8 partition size: 0x780000
UA/(backup_devbml) backup 128KB at 0x0
UA/(backup_devbml) backup 128KB at 0x40000
UA/(backup_devbml) backup 128KB at 0x80000
UA/(backup_devbml) backup 128KB at 0xc0000
UA/(backup_devbml) backup 128KB at 0x100000
UA/(backup_devbml) backup 128KB at 0x140000
UA/(backup_devbml) backup 128KB at 0x180000
UA/(backup_devbml) backup 128KB at 0x1c0000
UA/(backup_devbml) backup 128KB at 0x200000
UA/(backup_devbml) backup 128KB at 0x240000
UA/(backup_devbml) backup 128KB at 0x280000
UA/(backup_devbml) backup 128KB at 0x2c0000
UA/(backup_devbml) backup 128KB at 0x300000
UA/(backup_devbml) backup 128KB at 0x340000
UA/(backup_devbml) backup 128KB at 0x380000
UA/(backup_devbml) backup 128KB at 0x3c0000
UA/(backup_devbml) backup 128KB at 0x400000
UA/(backup_devbml) backup 128KB at 0x440000
UA/(backup_devbml) backup 128KB at 0x480000
UA/(backup_devbml) backup 128KB at 0x4c0000
UA/(backup_devbml) backup 128KB at 0x500000
UA/(backup_devbml) backup 128KB at 0x540000
UA/(backup_devbml) backup 128KB at 0x580000
UA/(backup_devbml) backup 128KB at 0x5c0000
UA/(backup_devbml) backup 128KB at 0x600000
UA/(backup_devbml) backup 128KB at 0x640000
UA/(backup_devbml) backup 128KB at 0x680000
UA/(backup_devbml) backup 128KB at 0x6c0000
UA/(backup_devbml) backup 128KB at 0x700000
UA/(backup_devbml) backup 128KB at 0x740000
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
UA/(RB_ImageUpdateMain): ++
UA/(RB_ImageUpdateMain) uPartitionName[zImage]
RB_GetBlockSize: returning 0x40000 (262144)
UA/(RB_UpdateImage): ++
UA/(RB_UpdateImage): Delta file name-/data/fota/delta.zImage
unicode_to_char : zImage
pDeviceDatum.pFirstPartitionData->partition_name: zImage
pDeviceDatum.pFirstPartitionData->partition_type: 0
pDeviceDatum.pFirstPartitionData->file_system_type: 0
unicode_to_char : /data/fota/delta.zImage
RB_OpenFile: Path:/data/fota/delta.zImage | Mode: RDONLY
Successful open() *pwHandle:4
[RB] Illegal field in the delta, or that the given delta is invalid
UA/(RB_UpdateImage) return value from RB_vRM_Update: 0x80000539
UA/(RB_UpdateImage): -- ret=-2147482311
UA/(RB_ImageUpdateMain) pCustomerPartData.updated = -1, rest = -1
UA/(RB_ImageUpdateMain): -- ret=-2147482311
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xdeade002
UA/(update_all) Kernel update fail
fail!
Open /data/fota/fota.status
fsync after write: 0
Promising ! This software definitely has the ability to write on protected bml partitions.
Now wee need to find how to produce the .delta files
Sounds great Lets hope you guys can figure it all out.
I just send a message to Red Bend Software through their site.
Actually it may help to find any other delta file for their software. Without sample we won't go anywhere...
I hope they will be kind and answer!
Here is a list of interesting strings found in the binary :
Code:
UA/ Platform delta does NOT exist! Skip.
Can not open src file : %s
Can not open dst file : %s
UA/(%s) write %dbytes
UA/(%s) copy file %s->%s
fsync failed with return value: %d
fsync after write: %d
UA/ %s: %s
/dev/block/bml4
/data/fota/dump_sbl
/dev/block/bml7
/data/fota/dump_kernel
/dev/block/bml12
/data/fota/dump_modem
FOTA : Make Block Device Nodes
UA/(%s): mknod path=%s, dev_no=%u
Failed to open %s: %s
Open %s
lseek failed with return value: %d
read failed with return value: %d
success!
DONE
fail!
FAIL
FOTA
UA/ modem delta does NOT exist! Skip.
/data/fota/backup.modem
UA/ zImage delta does NOT exist! Skip.
/dev/block/bml8
UA/ Sbl delta does NOT exist! Skip.
UA/ERROR(%s) get dual sbl siginfo fail!!
/dev/block/bml5
UA/ERROR(%s) can't find vaild Sbl partitions
UA/ERROR(%s) SBL RAM partition alloc fail
UA/ERROR(%s) RB_ImageUpdateMain Fail ret=(0x%d)
/data/fota/command
/sdcard/Android/data/temp.fota.delta/command
UA/(%s) cache download
/cache/recovery
UA/(%s) create /cache/recovery directory
/cache/recovery/command
reboot recovery
UA/(%s): Check Delta : path_idx(%d), part_idx(%d), file_path(%s), cnt(%d)
SBL update fail
UA/(%s) %s
Kernel update fail
Modem update fail
Platform update fail
Post update fail
WARNNIG
Delta Not Exist
/data/fota
/sbin/images/fota.png
UA/(%s) test
Update Fail!!
/data/fota/fota.status
/data/fota/delta.Sbl
/data/fota/delta.zImage
/data/fota/delta.modem
/data/fota/delta.platform
/sdcard/Android/data/temp.fota.delta/delta.Sbl
/sdcard/Android/data/temp.fota.delta/delta.zImage
/sdcard/Android/data/temp.fota.delta/delta.modem
/sdcard/Android/data/temp.fota.delta/delta.platform
RedBend Update Agent %s
commands:
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
unknown
/data/fota/fota_Sbl
/data/fota/fota_zImage
Modem
/data/fota/fota_modem
/data/fota/fota_platform
/dev/block/bml11
OFNI
main
update_all
post_update
update_platform
update_modem
update_zImage
update_Sbl
file_copy
check_existence
MakeBMLNodes
UA/(%s): +
UA/(%s): %s (%lx %x)
UA/(%s): -
UA/(%s): %s (%lx %lx)
UA/(%s): memcpy(0x%x, 0x%x, 0x%x)
%07x:
%02x
%02x
BML_GET_DEV_INFO
page_msize: %d, phy_unit_size: %d
open device file
%s: bmldevice_open failed!
%s: bmldevice_info failed!
src: %s
dst: %s partition size: 0x%x
part_size: 0x%x
failed to read from %s (%s)
read finished
read %d bytes
src: %s partition size: 0x%x
dst: %s
failed to write to %s (%s)
done
UA/(%s) src: %s
UA/(%s) dst: %s partition size: 0x%x
UA/(%s) part_size: 0x%x
UA/(%s) read finished
UA/(%s) read %d bytes
UA/(%s) src: %s partition size: 0x%x
UA/(%s) dst: %s
UA/(%s) signature: 0x%x
*WARN* %s partition is already marked as invalid!
UA/(%s) done
page at 0x%x differ!
UA/(%s) backup 128KB at 0x%x
UA/(%s): ++
UA/(%s) 0x%x
UA/ERROR(%s) Valid partition signature is not invalid
UA/(%s): --
%s, invalide magic key(%x)!!
common mark dev : %s partition size: 0x%x
dev: %s partition size: 0x%x
signature: 0x%x
UA/(%s) dev: %s partition size: 0x%x
UA/ERROR(%s) Signature is not validate (%x)
UA/(%s) SBL, SBL2 partition are diffierent size, check your bml device node name
UA/ERROR(%s) Both partition has valid or invalid signature
UA/(%s) Valid Partition-%s, Update Partition-%s
restore_file
backup_block_file
restore_devbml
backup_devbml
store_dualsbl_partition
load_partition
mark_common_recovery
find_valid_partition
check_dualpartition_validation
ram_write_block
ram_read_block
nand_write_block
nand_read_block
bmldevice_get_size
Image size is bigger than partition!
reading NAND page
BML_UNLOCK_ALL
writing NAND page
6,1,14,1
RB_GetBlockSize
%s: returning 0x%x (%d)
RB_ReadBackupBlock
UA/(%s): %s: offset 0x%lx(%ld), size 0x%lx(%ld)
UA/ERROR(%s) open file %s failed.
UA/ open %s file success
UA/ERROR(%s) error in read size
RB_WriteBackupBlock
UA/(%s): offset 0x%lx(%ld), size 0x%lx(%ld)
UA/ERROR(%s) error in write size
RB_ImageUpdateMain
UA/(%s): ++
UA/(%s) uPartitionName[%s]
UA/(%s) pCustomerPartData.updated = %d, rest = %d
UA/(%s): -- ret=%d
RB_UpdateImage
UA/(%s): Delta file name-%s
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
UA/(%s) return value from RB_vRM_Update: 0x%x
unicode_to_char
%s : %s
RecursiveFolderCreater
%s path: %s
temppath: %s
mkdir result: %d errno: %d
RB_CopyFile
%s: %s -> %s
NULL file name find. Abort.
Open %s ENOENT %d
Open %s failed. Abort.
read %d, but write %d, abort.
RB_DeleteFile
%s: %s
unlink value: %d, errno: %d
RB_DeleteFolder
rmdir value: %d, errno: %d
RB_CreateFolder
%s: %s, mode:0x%x
RDONLY
WRONLY
RDWR
Unknown
RB_OpenFile
%s: Path:%s | Mode:
First open() with error %d
copy dir[]=%s
remove dir[]=%s
Fail create folder, Leave RB_OpenFile
After successful creating folder, fail open() with error %d
Successful open() *pwHandle:%ld
RB_ResizeFile
%s: handle %ld, dwSize %d
%s: ret %d handle %ld %d
RB_CloseFile
%s: wHandle = %ld
RB_WriteFile
%s: Handle:%ld , Pos:%ld , Size: %ld
lseek failed with return value: %d
Failed with return value: %d
Bytes Write: %d
fsync Failed with return value: %d
fsync after write: %d
RB_ReadFile
%s: Handle:%ld , Pos:%ld , Size: %ld
read failed with return value: %d
RB_GetFileSize
%s: %ld
lseek errno: %d
Returning Size = 0x%x
RB_Unlink
unlink failed with return value: %d
unlink with return value: %d
RB_Link
symlink failed with return value: %d, errno: %d
symlink with return value: %d
RB_VerifyLinkReference
readlink failed with return value: %d
not same linked path
same linked path
RB_GetFileType
stat failed with return value: %d errno: %d
sbuf.st_mode: %d
S_ISREG(sbuf.st_mode): %d
S_ISLNK(sbuf.st_mode): %d
stat->st_mode = symbolic link file
stat->st_mode = regular file
failed to lstat, err : %d
a2ch
%s : %d
Wrong attribute value: %d
a2ch : %c
chtoa
RB_SetFileAttributes
stat failed with return value: %d
sbuf.st_mode value: %d
ui8pAttribs value: %s
ui32AttribSize value: %ld
attrib_user value: %d
attrib_group value: %d
attrib_other value: %d
att_type value: %d
sbuf.st_mode | attrib: %d
chmod failed with return value: %d
chmod with return value: %d
pUserId value: %s
user_id value: %d
aGroupId value: %s
pGroupId value: %s
group_id value: %d
failed chown %d
success chown %d
RB_FSUpdateMain
UA/(%s) Partition name(%s), mount point(%s)
UA/(%s) pCustomerPartData.updated = %ld, rest = %ld
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
return value from RB_vRM_Update: 0x%x
%s/flagsFile
return value from unlink(%s): 0x%x
Installing software
Don't turn off the
phone and
connect the power
cable as possible.
System updated &
reboot now
gui_progress
UA/(%s): ++ uPercent(%d%), gv_delta_count=(%ld)
UA/(%s): -- Print Percent(%d%)
%3d %%
lcd_init
%s(%d): start!
/dev/graphics/fb0
%s(%d): fb0 open fail
%s(%d): fb0 open success
%s(%d): width = %d, height = %d
%s(%d): ioctl set info fail
%s(%d): Error: failed to map framebuffer device to memory.
%s(%d): ioctl start fail
Allocation error-
Current start: %d
Current finish: %d
Requested size: %d
Allocation error:
Current start: %d
Current finish: %d
Requested size: %d
It may accept commands somehow, like those :
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
I tried writing commands in /data/fota/command and /cache/recovery/command but the program does not follow my orders
ok it works when i flashed zImage
Code:
# redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: /sdcard/jm5.zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished
Wow, this is looking promising.
it seems like htc's flash_image,but much more difficult than it.
raspdeep said:
ok it works when i flashed zImage
Code:
# redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: /sdcard/jm5.zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished
Click to expand...
Click to collapse
Nice raspdeep
How did you do ? Every attempt fails here (in recovery or standard mode).
Which initramfs version do you use ?
Code:
redbend_ua restore zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished
Ok yo don't respond but it works here to, booting on your OC kernel. Now i'll find what is different between our setups
supercurio, you are rapidly becoming one of my Android heros...
distortedloop said:
supercurio, you are rapidly becoming one of my Android heros...
Click to expand...
Click to collapse
Don't know if I can live with that
Code:
ll */*
-rwxr-xr-x 1 root curio 313888 2010-08-26 21:14 oc128uv1/redbend_ua*
-rwxr-xr-x 1 curio curio 314004 2010-08-26 21:16 XWJM5/redbend_ua*
md5sum */*
74f5793536c3cdc902ec269c3f51a165 oc128uv1/redbend_ua
b1ba258a5d673c537a95167267afd6b8 XWJM5/redbend_ua
Different binaries !
Edit : attached working redbend_ua
A diff between strings included in binaries (raw infos, not analyzed yet ^^)
Code:
--- not-working 2010-08-26 21:22:39.594984596 +0200
+++ working 2010-08-26 21:22:20.370634450 +0200
@@ -4,7 +4,6 @@
@F2A
bB,2
H{DYX
-/Q{;
/Qs;
/Qk;
/Qc;
@@ -452,71 +451,52 @@
%mB(
@ #!
!1C "
-reboot
-UA/ Platform delta does NOT exist! Skip.
-Can not open src file : %s
-Can not open dst file : %s
-UA/(%s) write %dbytes
-UA/(%s) copy file %s->%s
- fsync failed with return value: %d
- fsync after write: %d
-UA/ %s: %s
+/data/fota/delta.Sbl
/dev/block/bml4
-/data/fota/dump_sbl
+/dev/block/bml5
+/data/fota/fota_Sbl
+/data/fota/delta.zImage
/dev/block/bml7
-/data/fota/dump_kernel
+/data/fota/backup.zImage
+/data/fota/fota_zImage
+Modem
+/data/fota/delta.modem
/dev/block/bml12
+/data/fota/backup.modem
+/data/fota/fota_modem
+/data/fota/delta.platform
+/data/fota/backup.platform
+/data/fota/fota_platform
+platform delta does NOT exist! Skip.
+existence: s1[%d].existence; %d
+%s: %s
+/data/fota/dump_sbl
+/data/fota/dump_kernel
/data/fota/dump_modem
FOTA : Make Block Device Nodes
-UA/(%s): mknod path=%s, dev_no=%u
Failed to open %s: %s
Open %s
lseek failed with return value: %d
read failed with return value: %d
+ fsync failed with return value: %d
+ fsync after write: %d
success!
DONE
fail!
FAIL
FOTA
-UA/ modem delta does NOT exist! Skip.
-/data/fota/backup.modem
-UA/ zImage delta does NOT exist! Skip.
+modem delta does NOT exist! Skip.
+zImage delta does NOT exist! Skip.
/dev/block/bml8
-UA/ Sbl delta does NOT exist! Skip.
-UA/ERROR(%s) get dual sbl siginfo fail!!
-/dev/block/bml5
-UA/ERROR(%s) can't find vaild Sbl partitions
-UA/ERROR(%s) SBL RAM partition alloc fail
-UA/ERROR(%s) RB_ImageUpdateMain Fail ret=(0x%d)
-/data/fota/command
-/sdcard/Android/data/temp.fota.delta/command
-UA/(%s) cache download
-/cache/recovery
-UA/(%s) create /cache/recovery directory
-/cache/recovery/command
-reboot recovery
-UA/(%s): Check Delta : path_idx(%d), part_idx(%d), file_path(%s), cnt(%d)
-SBL update fail
-UA/(%s) %s
-Kernel update fail
-Modem update fail
-Platform update fail
-Post update fail
-WARNNIG
-Delta Not Exist
-/data/fota
-/sbin/images/fota.png
-UA/(%s) test
-Update Fail!!
+Sbl delta does NOT exist! Skip.
+get dual sbl siginfo fail!!
+can't find vaild Sbl partitions
+reboot
+gv_delta_count[%d]
+dump
+restore
+compare
/data/fota/fota.status
-/data/fota/delta.Sbl
-/data/fota/delta.zImage
-/data/fota/delta.modem
-/data/fota/delta.platform
-/sdcard/Android/data/temp.fota.delta/delta.Sbl
-/sdcard/Android/data/temp.fota.delta/delta.zImage
-/sdcard/Android/data/temp.fota.delta/delta.modem
-/sdcard/Android/data/temp.fota.delta/delta.platform
RedBend Update Agent %s
commands:
img [partition name] [delta file] [device node] [temp path]
@@ -527,29 +507,7 @@
compare <dev1> <dev2>
png [png file name]
all
-unknown
-/data/fota/fota_Sbl
-/data/fota/fota_zImage
-Modem
-/data/fota/fota_modem
-/data/fota/fota_platform
-/dev/block/bml11
OFNI
-main
-update_all
-post_update
-update_platform
-update_modem
-update_zImage
-update_Sbl
-file_copy
-check_existence
-MakeBMLNodes
-UA/(%s): +
-UA/(%s): %s (%lx %x)
-UA/(%s): -
-UA/(%s): %s (%lx %lx)
-UA/(%s): memcpy(0x%x, 0x%x, 0x%x)
%07x:
%02x
%02x
@@ -568,71 +526,67 @@
dst: %s
failed to write to %s (%s)
done
-UA/(%s) src: %s
-UA/(%s) dst: %s partition size: 0x%x
-UA/(%s) part_size: 0x%x
-UA/(%s) read finished
-UA/(%s) read %d bytes
-UA/(%s) src: %s partition size: 0x%x
-UA/(%s) dst: %s
-UA/(%s) signature: 0x%x
-*WARN* %s partition is already marked as invalid!
-UA/(%s) done
page at 0x%x differ!
-UA/(%s) backup 128KB at 0x%x
-UA/(%s): ++
-UA/(%s) 0x%x
-UA/ERROR(%s) Valid partition signature is not invalid
-UA/(%s): --
+signature: 0x%x
+*WARN* %s partition is already marked as invalid!
+backup 128KB at 0x%x
+backup 128KB at 0x%x without signature
+clear mark dev : %s partition size: 0x%x
%s, invalide magic key(%x)!!
-common mark dev : %s partition size: 0x%x
dev: %s partition size: 0x%x
-signature: 0x%x
-UA/(%s) dev: %s partition size: 0x%x
-UA/ERROR(%s) Signature is not validate (%x)
-UA/(%s) SBL, SBL2 partition are diffierent size, check your bml device node name
-UA/ERROR(%s) Both partition has valid or invalid signature
-UA/(%s) Valid Partition-%s, Update Partition-%s
-restore_file
-backup_block_file
-restore_devbml
-backup_devbml
-store_dualsbl_partition
-load_partition
+%s:clear:%s partition size: 0x%x
+%s : write and clear signature done
+%s:write:%s partition size: 0x%x
+%s: Signature is not validate (%x)
+%s signature: 0x%x
+%s +
+%s: SBL, SBL2 partition are diffierent size, check your bml device node name
+Both partition has valid or invalid signature
+Valid Partition-%s, Update Partition-%s
+Siginfo error partition $s (0x%x, 0x%x)
mark_common_recovery
+clear_dualpartition_signature
+write_dualpartition_signature
find_valid_partition
check_dualpartition_validation
-ram_write_block
-ram_read_block
-nand_write_block
-nand_read_block
bmldevice_get_size
Image size is bigger than partition!
reading NAND page
BML_UNLOCK_ALL
writing NAND page
6,1,14,1
+RB_Progress
+%s: (%lu %%)
+RB_GetDelta
+%s: offset 0x%lx(%ld), size 0x%lx(%ld)
+%s: open file %s failed.
+%s: error in read size
RB_GetBlockSize
%s: returning 0x%x (%d)
+RB_ReadImage
+%s: node-%s (%lx %lx)
+RB_WriteBlock
+%s: node-%s (%lx %x)
RB_ReadBackupBlock
-UA/(%s): %s: offset 0x%lx(%ld), size 0x%lx(%ld)
-UA/ERROR(%s) open file %s failed.
-UA/ open %s file success
-UA/ERROR(%s) error in read size
+%s: offset 0x%lx(%ld), size 0x%lx(%ld)
+%s: open file %s failed.
+%s: error in read size
RB_WriteBackupBlock
-UA/(%s): offset 0x%lx(%ld), size 0x%lx(%ld)
-UA/ERROR(%s) error in write size
+%s: error in write size
+RB_ImageUpdateCommon
+uPartitionName[%s]
+%s: pCustomerPartData.updated = %d, rest = %d
RB_ImageUpdateMain
-UA/(%s): ++
-UA/(%s) uPartitionName[%s]
-UA/(%s) pCustomerPartData.updated = %d, rest = %d
-UA/(%s): -- ret=%d
-RB_UpdateImage
-UA/(%s): Delta file name-%s
+%s: backup_file is %s
+%s: size of %s(%s) is %d bytes
+RB_ImageUpdateDualPartition
+%s: backup file(%s) / Valid Partition(%s) / Update Partition(%s)
+%s : RB Image Update Fail
+%s : RB Image Update Done %s
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
-UA/(%s) return value from RB_vRM_Update: 0x%x
+return value from RB_vRM_Update: 0x%x
unicode_to_char
%s : %s
RecursiveFolderCreater
@@ -726,8 +680,7 @@
failed chown %d
success chown %d
RB_FSUpdateMain
-UA/(%s) Partition name(%s), mount point(%s)
-UA/(%s) pCustomerPartData.updated = %ld, rest = %ld
+%s: pCustomerPartData.updated = %ld, rest = %ld
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
@@ -741,9 +694,9 @@
cable as possible.
System updated &
reboot now
-gui_progress
-UA/(%s): ++ uPercent(%d%), gv_delta_count=(%ld)
-UA/(%s): -- Print Percent(%d%)
+Update is ok.
+Update is failed.
+Restoring...
%3d %%
lcd_init
%s(%d): start!
@@ -962,12 +915,6 @@
insufficient memory
buffer error
incompatible version
-RB_Progress
-%s: (%lu %%)
-RB_GetDelta
-%s: offset 0x%lx(%ld), size 0x%lx(%ld)
-%s: open file %s failed.
-%s: error in read size
Pure virtual function called. Are you calling virtual methods from a destructor?
libc-abort
abort() called in pid %d
@@ -1120,6 +1067,7 @@
/dev/log/main
/dev/log/radio
/proc/self/exe
+unknown
/dev/urandom
stack corruption detected: aborted
ANDROID_PROPERTY_WORKSPACE
Whilst we're talking about retrieving information from binaries...
Does anyone know any good disassembly tools. I managed to compile objdump for ARM (ELF) and run it on the Galaxy S secondary bootloader but it only partially works. It doesn't look like it is handling the binary layout correctly. It's unsure how much of the binary is data and how much is actual instructions so it ends up converting the whole thing to instructions (most of which are obviously bogus).
Benjamin Dobell said:
Whilst we're talking about retrieving information from binaries...
Does anyone know any good disassembly tools. I managed to compile objdump for ARM (ELF) and run it on the Galaxy S secondary bootloader but it only partially works. It doesn't look like it is handling the binary layout correctly. It's unsure how much of the binary is data and how much is actual instructions so it ends up converting the whole thing to instructions (most of which are obviously bogus).
Click to expand...
Click to collapse
Under Linux i use the minimalist tool named "strings". You can learn so much just by reading strings extracted ^^.
Otherwise you have IDA Pro (Windows), which is very powerful.
Benjamin, like you i found objdump quite challenging to use.. and.. not that fun.
supercurio said:
Under Linux i use the minimalist tool named "strings". You can learn so much just by reading strings extracted ^^.
Otherwise you have IDA Pro (Windows), which is very powerful.
Benjamin, like you i found objdump quite challenging to use.. and.. not that fun.
Click to expand...
Click to collapse
Unfortunately IDA Pro doesn't seem to work either. IDA Pro Free doesn't support ARM at all and I tried with IDA Pro Advanced but it seemed to have similar issues to objdump, it couldn't determine the entry point etc.
If I could just get the assembler with comments next to it that indicate which pieces of data (strings in particular) are being referenced that would make my day.
Do you think Sbl.bin is a single unique binary ?
Considering everything that this Second Boot Loader is able to do, i would not be surprised if it's more complex than that.
Anyway I can't say much more about the tools, i'm just a rookie hacker
supercurio said:
Do you think Sbl.bin is a single unique binary ?
Considering everything that this Second Boot Loader is able to do, i would not be surprised if it's more complex than that.
Click to expand...
Click to collapse
It wouldn't be a very reliable boot loader if it depended on other binaries (other than data passed to it by the primary boot loader). However the information I'm after, the Loke protocol, is definitely in there cause I can see the handshake strings I send and receive with Heimdall.
working this into SRE RIGHT NOW!!!!
--edit
scripted, and working
release coming soon!!
designgears said:
working this into SRE RIGHT NOW!!!!
Click to expand...
Click to collapse
Nice
Remember being EXTRA careful manipulating raw bml partitions. You can easily brick your phone for good writing bad data in place of first and second bootloader.
NON-RECOVERABLE
please say that to every potential redbend_ua users
This was the required warning, now enjoy
supercurio said:
Nice
Remember being EXTRA careful manipulating raw bml partition. You can easily
brick your phone for good writing bad data in place of first and second bootloader.
NON-RECOVERABLE
please say that to every potential redbend_ua users
This was the required warning, now enjoy
Click to expand...
Click to collapse
I have borked bml17 before.. was able to go into download and restore stock.
Hi guys,
If this topic is not appropriate for this section, please will the mods kindly move it to where necessary?
I was able to find another guide to root my htc desire z,
and I had to create a goldcard as the infocid was not what it supposed to be.
the guide I'm following is at:
"thinkthinkdo.com/trac/project1/wiki/g2_root_new"
However, I am running in to a few problems.
if I try to follow:
4.a. S-OFF, Super-CID, SIM-unlock, engineering hboot, clockwork recovery and root
I enter the necessary commands and I'm stuck at:
./gfree -f -b hboot-eng.img
here is what I get:
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x00015384 (86916)
Section index for section name string table: 41
String table offset: 0x000151cb (86475)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x000011cc (4556)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21-gd2764ed
New .modinfo section size: 204
Attempting to power cycle eMMC... Failed. (Not fatal)
Module tried to power cycle eMMC, but could not verify write-protect status.
Searching for mmc_blk_issue_rq symbol...
- Address: c02a6a54, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02a6000
Kernel memory mapped to 0x40002000
Searching for brq filter...
- Address: 0xc02a6a54 + 0x34c
- 0x2a000012 -> 0xea000012
Backing up current partition 18 and patching it...
Error reading input file.
#
even if I skip that section entirely and follow:
4.b. S-OFF, Super-CID, SIM-unlock, clockwork recovery and root
I'm stuck at:
./gfree -f
and the output is:
./gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x00015384 (86916)
Section index for section name string table: 41
String table offset: 0x000151cb (86475)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x000011cc (4556)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21-gd2764ed
New .modinfo section size: 204
Attempting to power cycle eMMC... Failed. (Not fatal)
Module tried to power cycle eMMC, but could not verify write-protect status.
Searching for mmc_blk_issue_rq symbol...
- Address: c02a6a54, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02a6000
Kernel memory mapped to 0x40002000
Searching for brq filter...
- Address: 0xc02a6a54 + 0x34c
- 0x2a000012 -> 0xea000012
Backing up current partition 7 and patching it...
Error reading input file.
#
Help would really be appreciated.
Regards,
What version of gfree are you using?
You can try different versions of gfree, I think .02 had the highest success rate.
I'll have to find the reference, but different android ruu versions with different kernels require different versions of gfree if I remember correctly. Use the xda ref thread for rooting the DZ in the development section, it's highly successful.
amazinglarry311 said:
You can try different versions of gfree, I think .02 had the highest success rate.
I'll have to find the reference, but different android ruu versions with different kernels require different versions of gfree if I remember correctly. Use the xda ref thread for rooting the DZ in the development section, it's highly successful.
Click to expand...
Click to collapse
Hi guys,
I was using gfree 0.5 at the time.
I also found perhaps the same thread that you talk of for rooting the desire z.
this time, I was able to get passed that error by using gfree 0.2.
However,
I had to skip the engineering hboot thing.
because if I typed:
gfree -b -f boot-eng.img
it gave me an unknown -b option.
only:
gfree -f
worked.
I'd like to ask why I couldn't flash the engineering hboot with gfree 02?
are there any advantage to flashing the hboot?
sorry for all the questions I'm so new at this you have no idea.
Your replies would really be appreciated!
Regards,
Hi! I've been home for the last six hours trying to revert my Desire Z to stock, achieving S-ON and setting my CID back to HTC__Y13.
Now to start of, I'm not entierly sure that I need to do any of this, but this is my work phone that I decided to root yesterday and flash CM7. After this I was unable to connect to a custom APN my job use to access their intranet.
My first theory was that it for some reason required a Sense ROM, don't ask me why but troubleshooting always starts with the easiest solution. That didn't help and I figured that it, for some obscure reason, had to do with my phone now being S-OFF and using SuperCID. Since that's the only things that have changed, AFAIK.
After trying several guides, here on XDA and other forums I just can't get it to work.
gfree gives me the error;
Code:
/data/local/tmp/gfree -s on -c HTC__Y13
--secu_flag on set
--cid set. CID will be changed to: HTC__Y13
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21-g6e170e7
New .modinfo section size: 204
[B]Attempting to power cycle eMMC... Failed.
Module failed to load: Operation not permitted[/B]
BUT! if I try to just change the CID it gives me;
Code:
/data/local/tmp/gfree -c HTC__Y13
--cid set. CID will be changed to: HTC__Y13
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21-g6e170e7
New .modinfo section size: 204
Attempting to power cycle eMMC... OK.
Searching for mmc_blk_issue_rq symbol...
- Address: c02adc1c, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02ad000
Kernel memory mapped to 0x40011000
Searching for brq filter...
- Address: 0xc02adc1c + 0x34c
- 0x2a000012 -> 0xea000012
Patching and backing up partition 7...
Done.
Which in my eyes looks ok. But after rebooting gfree_verify still tells me that my CID is 11111111.
I can connect to my carriers APN just fine, but work APN is a no-go.
WHAT TO DO?
in advance, many thanks!
UPDATE:I played around with a couple of other guides, and tried restoring the original backup again. Tried before but with no sucess. No idea why it gave me a bit more progress this time.
Code:
# /data/local/tmp/gfree -r part7backup-1323885190.bin
/data/local/tmp/gfree -r part7backup-1323885190.bin
--restore set. Partition 7 will be restored from file: part7backup-1323885190.bi
n
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21-g6e170e7
New .modinfo section size: 204
Attempting to power cycle eMMC... OK.
Write protect was successfully disabled.
Searching for mmc_blk_issue_rq symbol...
- Address: c02adc1c, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02ad000
Kernel memory mapped to 0x40002000
Searching for brq filter...
- Address: 0xc02adc1c + 0x34c
[B] - ***WARNING***: Found fuzzy match for brq filter, but conditional branch isn't
. (0xea000012)
Backing up current partition 7 and restoring specified backup...
Error opening restore file.[/B]
UPDATE AGAIN: Installed newest OTA, started to get desperate, CID is now correct, no root, but it still tells me it's S-OFF. As far as APN connectivity I'm lost. Still no cigar.
Which Radio are you running? cause gfree needs a 26.03.xx.xx or lower (from memory) and a 1.32 rom.
-Nipqer
I'm not sure, as the update said in the first post, I went for the desperate OTA solution. And at work I called IT. Didn't want to tell them I rooted the phone, so I told them the OTA messed with my settings, told them my phone number and she probably added it to a whitelist. But it works now. Kinda regretting that I didn't try that with SuperCID and a rooted rom. Only strange thing is that I'm still S-OFF.
if you are still s-off you can just flash a custom recovery through fastboot and then a custom rom, and then call IT again
Haha, my first thoughts exactly! I'm really curious about what she did to make it work again. And why the hell use an own APN instead of VPN or just a regular login site. But then again, nothing makes sense at this company.
If I'm going to flash something again I need to wait a while. I can't be the guy with constant phone problems.