Hi people.
I realize that the usual response to threads like this is "read the forum" but I honestly have, I've tried several guides but I get no luck.
So if anyone would please help me out, it would be much appreciated and maybe helpful for others.
The way I've understood things is that I need to
1. Temproot
2. Downgrade using a goldcard.
Using this guide
http://forum.xda-developers.com/showthread.php?t=1152233
I think I've managed to temp root;
1. Temproot:
C:\DHDDowngrade>root
C:\DHDDowngrade>adb push fre3vo /data/local/tmp
1195 KB/s (9796 bytes in 0.008s)
C:\DHDDowngrade>adb shell chmod 777 /data/local/tmp/fre3vo
C:\DHDDowngrade>adb shell /data/local/tmp/fre3vo -debug -start FBB00000 -end FFFFFFFF
fre3vo by #teamwin
Please wait...
Attempting to modify ro.secure property...
fb_fix_screeninfo:
id: msmfb
smem_start: 802160640
smem_len: 3145728
type: 0
type_aux: 0
visual: 2
xpanstep: 0
ypanstep: 1
line_length: 1920
mmio_start: 0
accel: 0
fb_var_screeninfo:
xres: 480
yres: 800
xres_virtual: 480
yres_virtual: 1600
xoffset: 0
yoffset: 800
bits_per_pixel: 32
activate: 16
height: 106
width: 62
rotate: 0
grayscale: 0
nonstd: 0
accel_flags: 0
pixclock: 0
left_margin: 0
right_margin: 0
upper_margin: 0
lower_margin: 0
hsync_len: 0
vsync_len: 0
sync: 0
vmode: 0
Buffer offset: 00000000
Buffer size: 8192
Scanning region fbb00000...
Potential exploit area found at address fbb7f800:1800.
Exploiting device...
I do get kicked back to the command prompt, but if I type "adb shell" I do get the "#" that I'm supposed to be getting.
Right - so far so good, right?
2. Downgrade
As instructed in the guide, I run the commands as follows
C:\DHDDowngrade>adb push misc_version /data/local/tmp
1288 KB/s (15837 bytes in 0.012s)
C:\DHDDowngrade>adb shell chmod 777 /data/local/tmp/misc_version
C:\DHDDowngrade>adb shell /data/local/tmp/misc_version -s 1.31.405.3
--set_version set. VERSION will be changed to: 1.31.405.3
Patching and backing up partition 17...
Error opening input file.
C:\DHDDowngrade>adb reboot bootloader
There is an error here, but I haven't found anyone else having this problem, and don't even know if it really is a problem.
So I've ignored it, and continued on creating a goldcard.
I've tried using Goldcard manager from the market, I've tried retrieving the reverse CID manually. I've pasted the data from the generated image file onto the card and saved. A few times I've not been able to paste PD98IMG.zip on to the card afterwards, giving me the error that the card must be formatted to work, but lastly it would let me copy. If I try reading the card, I do get the error that the card has to be formatted. My HTC also tells me there's something wrong with the SD card. I've ignored this, and booted into the bootmanager. For a split second there's a green text saying something along the lines of "PD98IMG image not found".
And so it ends, I can't get any further.
So the questions summarized are;
1. Is this the correct order?
2. Am I rooted, even if I have to type "adb shell" to get the "#"?
3. When downgrading, is the "Error opening input file" fatal?
4. Is the card supposed to be unreadable after pasting the hex data onto it?
Sorry for the neverending post, but getting a custom rom onto my Desire HD has been very, very hard. Unsuccessful so far. Please help me out
Best regards from Norway.
Hi there, noticed no one has replied. I have plenty of time to help you out the best I can. I recently did this last week and had no problems. I'm still learning myself, so sorry if I am not the best of help.
wow long post
After skimming your post I did notice something. I'm pretty sure that you need to create a gold card first. If you still have problems creating a GoldCard get back to me, but here is the link:
http://www.addictivetips.com/mobile/how-to-make-gold-card-for-htc-desire-hd/
I then followed this tutorial to downgrade:
http://forum.xda-developers.com/showthread.php?t=905003
and then use the s-off tool :
http://forum.xda-developers.com/showthread.php?t=857537
hope that helps, get back to me if you need help.
I used these two guides when rooting my DHD, I also had to use a goldcard but the link for that is in the downgrade page below.
1. Downgrade
http://forum.xda-developers.com/showthread.php?t=905003
2. Root + Radio installation + Rom installation
http://forum.xda-developers.com/showthread.php?p=11557769
As far as I know, the two links above are the correct order. As long as you get the # it's safe to proceed, and the card should be usable after you make it into a goldcard; at least I still use mine. Oh, and you shouldn't receive any errors throughout the process. It might not be fatal, but why take a chance.
ace hack kit
use the ace hack kit to steps you can't get wrong
http://www.google.com/url?sa=t&sour...sg=AFQjCNFFmKIBniFFp-RmQV7lN2Ma-n9dzQ&cad=rja
TheJokah said:
use the ace hack kit to steps you can't get wrong
http://www.google.com/url?sa=t&sour...sg=AFQjCNFFmKIBniFFp-RmQV7lN2Ma-n9dzQ&cad=rja
Thanks to all of you for replying.
My head was spinning after going through different tutorials and problem solutions - and I had frankly given up the whole thing.
But TheJokaH's one-click method seemed intriguing so I decided to give this one.last.shot. And it worked!
I don't know why this isn't posted as the only sticky thread at the Q&A section - because it is definitely the only way to get one started with custom roms.
Thanks again!
Hello. I need help with backing up my /efs folder. I tried different methods and none seemed to work.
Phone: GT-S5660 Gio
Network Lock [OFF]
Network Subset Lock [OFF]
SP Lock [OFF]
CP Lock [OFF]
Android: 2.3.3
PDA : S5660XXKPO
PHONE : S5660XXKPA
CSC : S5660OXFKP5
Lurking the forums I tried different methods with no luck:
C:\sdk>adb shell
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
$ su
su
# tar zcvf /sdcard/efs-backup.tar.gz /efs
tar zcvf /sdcard/efs-backup.tar.gz /efs
tar: not found
# exit
exit
$ exit
exit
=======================
C:\sdk>adb shell
$ su
su
# busybox tar zcvf /sdcard/efs-backup.tar.gz /efs
busybox tar zcvf /sdcard/efs-backup.tar.gz /efs
tar: /efs: No such file or directory
tar: error exit delayed from previous errors
# cat /dev/block/stl3 > /sdcard/efs_dev-block-stl3.img
cat /dev/block/stl3 > /sdcard/efs_dev-block-stl3.img
/dev/block/stl3: Invalid argument
# exit
exit
$ exit
exit
This method creates efs_dev-block-stl3.img (0 bytes) and efs-backup.tar.gz (29 bytes)
=======================
EFS Pro
Checking Device Connection... Device Connected!
Restarting ADB Server... Okay!
Checking ROOT Access... Device Has ROOT Permissions!
Backing Up Device's '/efs' Folder, Please Wait...
Creating EFS Backup TAR Archive... EFS Backup Failed!
Operation Finished!
With the ISO option the program freezes.
=======================
C:\sdk>adb shell
$ su
su
# dd if=/dev/block/stl4 of=/sdcard/efs.rfs
dd if=/dev/block/stl4 of=/sdcard/efs.rfs
/dev/block/stl4: cannot open for read: Invalid argument
# exit
exit
$ exit
exit
=======================
I also tried this:
mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
/dev/stl14 /cache rfs rw,nosuid,nodev,relatime,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/stl13 /data rfs rw,nosuid,nodev,relatime,vfat,llw,check=no,gid/uid/rwx,iocharset=utf8 0 0
/dev/stl12 /system rfs ro,relatime,vfat,log_off,check=no,gid/uid/rwx,iocharset=utf8 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/vold/179:1 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/vold/179:1 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
tmpfs /mnt/sdcard/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0
/dev/block/dm-0 /mnt/asec/com.sportstracklive.stopwatch-1 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/dm-1 /mnt/asec/com.speedsoftware.rootexplorer-1 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
$
=======================
With Root Explorer I am unable to find the /efs
Sorry for the long post, but what am I missing?
Best regards, V a L y O.
STOP!
The first rule with the Gio is not to mess with the EFS partition if you don't know what you're doing.
It is located in stl5, but you very much risk corrupting it solely by mounting and reading it.
Corruption in this case means a bricked phone or a blank IMEI, which means no phone service.
Either backup bml5, or work in recovery mode.
Thank you for the reply.
I know that messing with the stl5 can brick the phone. Well, that already happened once when I used Odin to flash a wrong 2.3.5 version. Lucky for me, it was repaired under warranty.
That's why I want to make a backup to the system files.
bml5 is backed up. Is it enough to fix the phone in case I brick it again?
Best regards, V a L y O.
Now my phone has a blank IMEI,
but I can still use it for SMS, calls & internet.
Does anyone here know how to restore it?
Luckily, in Indonesia an IMEI is not a requirement for getting mobile service.
phiexz said:
Now my phone has a blank IMEI,
but I can still use it for SMS, calls & internet.
Does anyone here know how to restore it?
Luckily, in Indonesia an IMEI is not a requirement for getting mobile service.
Same here! I live in the Netherlands and also have a blank IMEI (IMEI is 000000000000), but everything still works except the Swype install, because it requires an IMEI number. Does somebody know how to fix it? Maybe by using somebody else's IMEI with an /efs restore, or is there a way to import my own IMEI into somebody else's /efs backup?
I installed my bought and paid for DroidSSHPro which works flawlessly on my OG DROID onto my new rooted Nexus Galaxy (stock ICS)...
The app installed and starts when I'm on wifi. My computer can ping the IP that the phone has, but when attempting to ssh to the phone, I get the following:
Bryans-MacBook-Pro:~ bbrake9764$ ssh -vvv [email protected]
OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.1.46 [192.168.1.46] port 22.
*pauses for about 45 seconds*
debug1: connect to address 192.168.1.46 port 22: Operation timed out
ssh: connect to host 192.168.1.46 port 22: Operation timed out
I tried installing DroidWall to attempt to make rules that allow traffic, but Droidwall fails to do anything.
Has anyone had this issue? I'm using MAC OS X Lion, and have tried it with OpenBSD -current. OpenSSH 5.6p1 on the OSX and OpenSSH 6.0-beta on the OpenBSD laptop...
I'm having the same problem and found this thread by searching the Gnex forum for "ssh".
Mine also ends at the same time as yours, 4th line in the debug output, so it's not connecting for some reason.
netstat doesn't show the port open on the phone. iptables seems to be set up to accept any connections, but I don't know for sure if iptables is really in charge on Android.
I also can't seem to ssh out from the phone. It just hangs. It does identify my computer's ssh version so at least there is some connection happening, but it gets hung right after that.
update: I'm sitting at a restaurant and can ssh into my home computer over 4g. I don't know why it didn't work at home, I know the router is set up properly. I'll work on it tonight and see if I figure anything out.
I also saw a comment in the market page for quicksshd where someone said it worked on the galaxy nexus, so don't give up hope
yea, nothing is working... I installed droidwall to try and allow ssh in, but that did not work either... still hoping it works soon
Yeah, I can still ssh from the phone to the computer perfectly over the cell network, but it doesn't work in either direction over wifi. I've checked and rechecked all the router settings and even rebooted the router, but it won't work.
I'm no expert but I can't live without ssh so if I stumble across anything I'll let you know.
I cannot live without ssh too... and here is the kicker... if you PuTTY, it works QuickSSHD... don't ask me why...
Just installed firebind, and was able to test and it says that port22 is open inbound and outbound... that only means the port is open... if droidssh and quicksshd are busted in any way, that may be the case...
I downloaded Firebind and it says the same. If I turn off Quicksshd and try to connect, it immediately says "connection refused", but when I turn it on, it just hangs, so it is obviously trying harder when Quicksshd is enabled. I'm going to try a different kernel if I find one. It looks like the kernels are only for 4.03 so I'll have to get a 4.03 rom and there's not much to pick from yet.
I can SSH from my linux box into my GNex. Quick question, doesn't SSHDroid default to listen on port 2222 instead of 22 ? I thought that is the case. If it is, you are trying to connect to the wrong port.
rubik said:
I can SSH from my linux box into my GNex. Quick question, doesn't SSHDroid default to listen on port 2222 instead of 22 ? I thought that is the case. If it is, you are trying to connect to the wrong port.
What's your phone setup? I'm trying from Linux too but I borrowed a windows box and tried putty, tried quicksshd and ssh droid, everything. What bugs me is that SSH phone to comp works, but only when not on wifi. The same setup and commands work on my Nexus One on wifi.
I don't know if it is related but my phone has a bigger problem... the MAC address changes on every reboot.
On the router, I had set the IP address I wanted the phone to connect to 3-4 times over the past few days. I thought I must have kept forgetting to hit "apply" until I looked a little closer tonight and realized I had set it for a different MAC address yesterday. I found it changes to a new MAC address every boot.
I found this thread where someone had that problem and Samsung replaced it. I called Verizon and after some head scratching (in which they didn't rule out a "hidden setting") they decided to swap it. I'll go to the store tomorrow instead of waiting for one to ship.
I'll report if ssh works after the swap.
fubaya said:
What's your phone setup? I'm trying from Linux too but I borrowed a windows box and tried putty, tried quicksshd and ssh droid, everything. What bugs me is that SSH phone to comp works, but only when not on wifi. The same setup and commands work on my Nexus One on wifi.
Stock 4.0.1 , locked & not rooted.
Well, I got a new phone because of the MAC address problem and while it fixed a lot of issues (crashes, lockups, battery drain etc that I had attributed to non ICS compatible apps) I still can't ssh while connected to the router from the command line or ssh to the phone with QuickSSHD, but I can connect to the computer through ConnectBot. That's not really useful to me, but at least some sshing does work.
rubik said:
I can SSH from my linux box into my GNex. Quick question, doesn't SSHDroid default to listen on port 2222 instead of 22 ? I thought that is the case. If it is, you are trying to connect to the wrong port.
No, I changed it to port 22. and have tried on port 2222 as well... no change.
The weird thing for me is... When I set up wireless tethering and connect my laptop to the phone, I can then SSH with no issues. Also, if my phone is connected to my wireless network, and I use PuTTY, then it works, but OpenSSH based SSH connections fail miserably. I can ping on Windows, OpenBSD, and Mac OS Lion, but OpenSSH-based SSH connections fail.
Is PuTTY OpenSSH based? I'd imagine not, considering that it connects to the phone.
I keep trying to get logcat output but I have no place to send them to. The developers of both QuickSSHd and SSHDroidPro seem out of contact. Don't know if it's because of the holidays...
I got a new router, a cheap DLink, and ssh works perfectly now. I can't understand why it didn't work with my old one, but everything was set up right and worked remotely, just not when connected to the router.
Howdy guys,
I've had the same issues with my Nexus as well, cannot ssh/sftp to the phone when on my home wifi or 3G. using QuickSSHd to open a port and I can ping the phone from my command line but apart from that I get nothing.
I think something has been blocked to prevent access to the phone.
I'm running a Peter Alfonso 4.0.3 ROM
Frustrating when I used to be able to ssh to my jailbroken iphone from practically anywhere with anything!
well..
After seeing so many people having issues with something so trivial to me (i use ssh everyday much like yourselves), i decided to give it a go (i use good old fashioned usb cable and adb when i'm at home to get a prompt, i normally ssh from the phone not to it).
installed *checks phone notification bar again to see the name of the app* SSHDroid (free on the market), fired up xterm, 'ssh -p 22 [email protected]', it says admin is the password for root, oh really, now that's great! typed it, even missed first login, typed again, logged in, works. i assume the rest also works.
Code:
valhalla% ssh -p 22 [email protected]
SSHDroid
Use 'root' on rooted devices otherwise any username works
Default password is 'admin'
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
[email protected]:/data/data/berserker.android.apps.sshdroid/home # uname -a
Linux localhost 3.0.8-cyanogenmod-25569-gc0a1566 #1 SMP PREEMPT Sat Jan 28 07:11:24 CET 2012 armv7l GNU/Linux
[email protected]:/data/data/berserker.android.apps.sshdroid/home # mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/system /system ext4 ro,relatime,barrier=1,data=ordered 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/userdata /data ext4 rw,nosuid,nodev,noatime,errors=panic,barrier=1,nomblk_io_submit,data=ordered 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/cache /cache ext4 rw,nosuid,nodev,noatime,errors=panic,barrier=1,nomblk_io_submit,data=ordered 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/efs /factory ext4 ro,relatime,barrier=1,data=ordered 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0
/dev/fuse /mnt/sdcard fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
[email protected]:/data/data/berserker.android.apps.sshdroid/home # mount -o rw,remount /dev/block/platform/omap/omap_hsmmc.0/by-name/system /system
[email protected]:/data/data/berserker.android.apps.sshdroid/home # mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/system /system ext4 rw,relatime,barrier=1,data=ordered 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/userdata /data ext4 rw,nosuid,nodev,noatime,errors=panic,barrier=1,nomblk_io_submit,data=ordered 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/cache /cache ext4 rw,nosuid,nodev,noatime,errors=panic,barrier=1,nomblk_io_submit,data=ordered 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/efs /factory ext4 ro,relatime,barrier=1,data=ordered 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0
/dev/fuse /mnt/sdcard fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
[email protected]:/data/data/berserker.android.apps.sshdroid/home #
root over ssh achieved quite easily.
you can see running kernel is 3.0.8, rom is cm9 self built kang.
edit: oh yeah, host os is linux 3.2.2
edit2: for those who are stating openssh is the problem, well maybe it's just your current installed version of openssh that has some issues. that's what i use, and it sure works.
Code:
valhalla% pacman -Qs openssh
local/openssh 5.9p1-5
Free version of the SSH connectivity tools
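The two `mount` listings in the post above differ only in the `/system` line, which goes from `ro` to `rw` after the remount. As an added example (not part of the original post), this Python sketch diffs two such listings and reports partitions that became writable or lost `nosuid`/`nodev`/`noexec`; the sample input is constructed by abbreviating the listing above, and the function and finding names are hypothetical.

```python
"""Compare two `mount` listings and flag changes that weaken partition protection."""
from typing import Dict, List, NamedTuple

# Mount options whose removal loosens what can run from a partition.
HARDENING_FLAGS = ("nodev", "noexec", "nosuid")


class Mount(NamedTuple):
    device: str
    fstype: str
    options: frozenset


class Finding(NamedTuple):
    kind: str        # "ro-to-rw", "flags-dropped" or "new-mount"
    mountpoint: str
    detail: str


def parse_mounts(text: str) -> Dict[str, Mount]:
    """Parse /proc/mounts-style lines: device mountpoint fstype options dump pass.

    Shell prompts and console-wrapped fragments do not have six fields ending
    in two integers, so they are skipped. Wrapped lines must be re-joined first.
    """
    mounts: Dict[str, Mount] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not (fields[4].isdigit() and fields[5].isdigit()):
            continue
        device, mountpoint, fstype, opts = fields[:4]
        # A later entry for the same mount point shadows the earlier one.
        mounts[mountpoint] = Mount(device, fstype, frozenset(opts.split(",")))
    return mounts


def diff_mounts(before: str, after: str) -> List[Finding]:
    """Return findings for mount points that became less restricted."""
    old, new = parse_mounts(before), parse_mounts(after)
    findings: List[Finding] = []
    for mountpoint in sorted(new):
        cur = new[mountpoint]
        prev = old.get(mountpoint)
        if prev is None:
            findings.append(Finding("new-mount", mountpoint, cur.device))
            continue
        if "ro" in prev.options and "rw" in cur.options:
            findings.append(Finding("ro-to-rw", mountpoint, cur.device))
        dropped = [f for f in HARDENING_FLAGS
                   if f in prev.options and f not in cur.options]
        if dropped:
            findings.append(Finding("flags-dropped", mountpoint, ",".join(dropped)))
    return findings


# Constructed sample: four lines abbreviated from the listing in the post.
BEFORE = """\
rootfs / rootfs ro,relatime 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/system /system ext4 ro,relatime,barrier=1,data=ordered 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/userdata /data ext4 rw,nosuid,nodev,noatime,errors=panic,barrier=1,nomblk_io_submit,data=ordered 0 0
/dev/block/platform/omap/omap_hsmmc.0/by-name/efs /factory ext4 ro,relatime,barrier=1,data=ordered 0 0
"""
AFTER = BEFORE.replace("/system ext4 ro,", "/system ext4 rw,")

if __name__ == "__main__":
    for finding in diff_mounts(BEFORE, AFTER):
        print(f"{finding.kind}: {finding.mountpoint} ({finding.detail})")
```
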
I just learned that to make this work on a freshly installed ICS 4.0.3, in my case (Pixel ROM) on my Nexus S, I had to jump in to the terminal emulator once and execute su - and then grant it superuser rights. Then after that SSHDroid now finishes initialization, and you can SSH to it....
Hi, guys!
I've tried rooting my DesireZ using "Downgrading guide from gingerbread to froyo" (link was destroyed by forum rules)
It is a really clear and easy guide to follow. But I ran into a problem: I can't make a root backup after gaining temporary root on HTC DESIRE Z (2.42.405.2). When fixsu.sh ends, I start the "Root check basic" app and it shows me the result is OK. Then I start MyBackupPro. The first time it shows me a new menu item with root operations, but after that it refuses to do anything except show the message "There is no properly root access". Titanium Backup behaves in the same way: it starts properly, but does not work with system applications. The only step in the guide I have missed is "Changing version number", but I think that is not the cause of the problem, is it? Could you please tell me what the reason may be?
I'm really afraid to start changing the ROM before I have a full backup...
Try a full power off. turn the phone off, pull the battery out for a minute, then turn it back on and retry the temp-root.
Sometimes the 'fastboot' feature of sense roms messes with the temp-root.
-Nipqer
Nipqer said:
Try a full power off. turn the phone off, pull the battery out for a minute, then turn it back on and retry the temp-root.
Sometimes the 'fastboot' feature of sense roms messes with the temp-root.
-Nipqer
unfortunately, did not help.
Here is log after I turned device:
C:\Documents and Settings\htc>adb devices
List of devices attached
HT0BHRT01025 device
C:\Documents and Settings\htc>adb shell
$ /data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
/data/local/tmp/fre3vo -debug -start FAA90000 -end FFFFFFFF
fre3vo by #teamwin
Please wait...
Attempting to modify ro.secure property...
fb_fix_screeninfo:
id: msmfb
smem_start: 802160640
smem_len: 3145728
type: 0
type_aux: 0
visual: 2
xpanstep: 0
ypanstep: 1
line_length: 1920
mmio_start: 0
accel: 0
fb_var_screeninfo:
xres: 480
yres: 800
xres_virtual: 480
yres_virtual: 1600
xoffset: 0
yoffset: 800
bits_per_pixel: 32
activate: 16
height: 80
width: 48
rotate: 0
grayscale: 0
nonstd: 0
accel_flags: 0
pixclock: 0
left_margin: 0
right_margin: 0
upper_margin: 0
lower_margin: 0
hsync_len: 0
vsync_len: 0
sync: 0
vmode: 0
Buffer offset: 00000000
Buffer size: 8192
Scanning region faa90000...
Scanning region fab80000...
Scanning region fac70000...
Scanning region fad60000...
Scanning region fae50000...
Scanning region faf40000...
Scanning region fb030000...
Scanning region fb120000...
Scanning region fb210000...
Scanning region fb300000...
Scanning region fb3f0000...
Scanning region fb4e0000...
Scanning region fb5d0000...
Scanning region fb6c0000...
Scanning region fb7b0000...
Scanning region fb8a0000...
Scanning region fb990000...
Scanning region fba80000...
Potential exploit area found at address fbb52000:1000.
Exploiting device...
C:\Documents and Settings\htc>adb shell
# cd /data/local/tmp
cd /data/local/tmp
# ./fixsu.sh
./fixsu.sh
# cat /system/etc/passwd
cat /system/etc/passwd
root::0:0:root:/data/local:/system/bin/sh !!ROOT is really getting!
# cat /system/etc/passwd
cat /system/etc/passwd
keychar xV4 9 0 0 0 # !!After MyBackup Pro start
#
I think the problem is the destruction of the memory area, where exploit works.
Maybe there are other ideas?
I have captured the ota zip file of R825FOWO1BTI8.
This zip file contains 5.5 tizen update with preinstalled samsung BP and ECG. I am not sure about sideloading update file to watch yet.
Updated my watch Brazilian firmware. Got 2 updates after that. My original csc XSA (OLB).
Samsung BP and ECG working.
Samsung Pay working.
https://mega.nz/file/zI0S0abK#E9IwvmanjmBXj3dLFadyk7MtrYPp8dcTIjwjfRveTw8
kazim.asghar said:
I have captured the ota zip file of R825FOWO1BTI8.
This zip file contains 5.5 tizen update with preinstalled samsung BP and ECG. I am not sure about sideloading update file to watch yet.
Updated my watch Brazilian firmware. Got 2 updates after that. My original csc XSA (OLB).
Samsung BP and ECG working.
Samsung Pay working.
https://mega.nz/file/zI0S0abK#E9IwvmanjmBXj3dLFadyk7MtrYPp8dcTIjwjfRveTw8
Thanks. Blood oxygen is in this firmware also...
Did your blood pressure synchronize with Samsung Health?
dodo1515 said:
Thanks. Blood oxygen is in this firmware also...
Did your blood pressure synchronize with Samsung Health?
No BP is not syncing maybe because SHM is modded.
How to check blood oxygen level?
kazim.asghar said:
No BP is not syncing maybe because SHM is modded.
How to check blood oxygen level?
Ok. Still trying to understand how samsung is blocking the app wearable app or samsung health but it is here for sure..
My Plan for today...
It is Delta aka FOTA update related... for investigation/research... :cyclops:
I have only SM-R820... no LTE...
A
Downgrade from CTH8 DBT to BTF3 KOO
B
Use as Standalone... NO Phone...
Because I am toooo stupid to work with Phone... to catch FOTA package... on my not rooted SM-G920F
C
After FOTA file downloaded...
Plan to dump whole 4 GB eMMC. :angel:
Lets go...
Later more. :cyclops:
Best Regards
Edit 1.
Downgrade from CTH8 DBT to BTF3 successful. :good:
Flashed all 3 files in netOdin...
Will just for fun check if BTF3 update in Standalone... DBT...
Edit 2.
As expected... FOTA update from BTF3 DBT...
Now I will flash my rooted BTF3 files for CSC change...
Edit 3.
Flashed successfully my rooted BTF3 in 2 rounds with netOdin...
Now enemenemu if I should change to KOO or XAR... hmmm... from DBT... hmmmmmmmmmmmmmmmmmmmm...
IMHO good idea to backup all files from CSA folder...
Edit 4.
Backup of all files from CSA partition for later analyse...
Code:
D:\SDB\SDB260>sdb root on
Switched to 'root' account mode
D:\SDB\SDB260>sdb pull /csa .\fota
pulled 00000000.authtokcont 100% 152 B
pulled skpm_FACTORY_OCF_ECC_P256 100% 1KB
pulled .mac.info 100% 20 B
pulled .bd_addr 100% 14 B
pulled .local_irk 100% 16 B
pulled sem_data 100% 42 B
pulled sem_sk.dat 100% 2KB
pulled ssp_data 100% 124 B
pulled csc-active-customer.inf 100% 3 B
pulled ecg_ac_test_5hz_zig 100% 17 B
pulled baro_cal_data 100% 1 B
pulled baro1_cal_data 100% 1 B
pulled hrm_eol_data 100% 149 B
pulled hrm_xtalk_data 100% 10 B
pulled ecg_ac_test_5hz_device 100% 11 B
pulled gyro_cal_data 100% 12 B
pulled wpa_supplicant.log.1 100% 256KB
pulled wpa_supplicant.log 100% 241KB
pulled dmesg.log.old 100% 395KB
pulled wd_log.old 100% 265KB
pulled wpa_supplicant.log.0 100% 256KB
pulled hostapd.log 100% 64KB
pulled wifi_mf.log 100% 22KB
pulled dmesg.log 100% 389KB
pulled wd_log 100% 124KB
pulled prodcode.dat 100% 14 B
pulled smsn.dat 100% 27 B
pulled serialno.dat 100% 11 B
pulled 00000000.authtokcont 100% 152 B
pulled battery_full_count 100% 4 B
pulled nad_data 100% 5 B
pulled hwver 100% 8 B
pulled default_bt_state 100% 1 B
pulled dfms_failhist_RDM 100% 43 B
pulled cal_date 100% 10 B
pulled default_wifi_state 100% 1 B
pulled battery_cycle 100% 4 B
pulled production_country 100% 4 B
pulled batt_cable_count 100% 3 B
pulled .nv_created 100% 0 B
pulled .ksb 100% 2 B
pulled mic_only_data 100% 15 B
pulled battery_cisd_data 100% 93 B
pulled dfms_conntest_backup 100% 2 B
pulled wpc_data 100% 5 B
pulled atd.log.old 100% 256KB
pulled hist_nv 100% 0 B
pulled fdata 100% 4 B
pulled .nv_ready 100% 0 B
pulled test_nv 100% 1KB
pulled motor_data 100% 17 B
pulled atd.log 100% 246KB
pulled default_nfc_state 100% 1 B
pulled dfms_failhist 100% 4 B
pulled earjack_count 100% 1 B
pulled echo_data 100% 8 B
pulled .imei_done 100% 1 B
pulled libdevkm.lock 100% 0 B
pulled issued.log 100% 294 B
pulled knox.dat 100% 3KB
pulled dcm.dat 100% 3KB
pulled .reset 100% 1 B
pulled dev_root.dat 100% 2KB
63 file(s) pulled. 0 file(s) skipped.
/csa 403 KB/s (2597847 bytes in 6.280s)
I made subfolder fota... this is why .\fota
Edit 5.
Skipped the pull part... because I have already on my PC...
Push done:
Code:
D:\SDB\SDB260>sdb push csc-active-customer.inf /csa/csc/
pushed csc-active-customer.inf 100% 3 B
1 file(s) pushed. 0 file(s) skipped.
csc-active-customer.inf 0 KB/s (3 bytes in 0.200s)
D:\SDB\SDB260>sdb push prodcode.dat /csa/imei/
pushed prodcode.dat 100% 14 B
1 file(s) pushed. 0 file(s) skipped.
prodcode.dat 0 KB/s (14 bytes in 0.220s)
Now reboot... FUctory Reset...
I love to use the way over Recovery... in Reboot menu...
Edit 6.
Uuupsi... FOTA check with rooted Firmware...
But made mistake... now fighting with Korean language to connect SDB... I missed RSA... because stupid me placed into charger...
Edit 7.
Damn RSA... was forced to reboot to connect again...
IMHO I lost files from tmp folder...
Code:
D:\SDB\SDB260>sdb root on
Switched to 'root' account mode
D:\SDB\SDB260>sdb pull /tmp .\fota
pulled ttrace_tag 100% 8 B
error: failed to copy: '/tmp/keytone' is not a file
skipped: /tmp/keytone -> .\fota/keytone
pulled dbus_launch 100% 5 B
error: failed to copy: '/tmp/.ode_helper_server.socket' is not a file
skipped: /tmp/.ode_helper_server.socket -> .\fota/.ode_helper_server.socket
error: failed to copy: '/tmp/.knoxenrollmentservice-in.socket' is not a file
skipped: /tmp/.knoxenrollmentservice-in.socket -> .\fota/.knoxenrollmentservice-in.socket
error: failed to copy: '/tmp/.nfc-hce.sock' is not a file
skipped: /tmp/.nfc-hce.sock -> .\fota/.nfc-hce.sock
error: failed to copy: '/tmp/.ode_helper_server_secure.socket' is not a file
skipped: /tmp/.ode_helper_server_secure.socket -> .\fota/.ode_helper_server_secure.socket
error: failed to copy: '/tmp/.cert-server.socket' is not a file
skipped: /tmp/.cert-server.socket -> .\fota/.cert-server.socket
error: failed to copy: '/tmp/.central-key-manager-api-ocsp.sock' is not a file
skipped: /tmp/.central-key-manager-api-ocsp.sock -> .\fota/.central-key-manager-api-ocsp.sock
error: failed to copy: '/tmp/.csr-cs.socket' is not a file
skipped: /tmp/.csr-cs.socket -> .\fota/.csr-cs.socket
error: failed to copy: '/tmp/.central-key-manager-api-control.sock' is not a file
skipped: /tmp/.central-key-manager-api-control.sock -> .\fota/.central-key-manager-api-control.sock
error: failed to copy: '/tmp/.central-key-manager-api-storage.sock' is not a file
skipped: /tmp/.central-key-manager-api-storage.sock -> .\fota/.central-key-manager-api-storage.sock
error: failed to copy: '/tmp/.central-key-manager-api-encryption.sock' is not a file
skipped: /tmp/.central-key-manager-api-encryption.sock -> .\fota/.central-key-manager-api-encryption.sock
error: failed to copy: '/tmp/.csr-wp.socket' is not a file
skipped: /tmp/.csr-wp.socket -> .\fota/.csr-wp.socket
error: failed to copy: '/tmp/.device-policy-manager.sock' is not a file
skipped: /tmp/.device-policy-manager.sock -> .\fota/.device-policy-manager.sock
error: failed to copy: '/tmp/.download-provider.sock' is not a file
skipped: /tmp/.download-provider.sock -> .\fota/.download-provider.sock
error: failed to copy: '/tmp/.csr-admin.socket' is not a file
skipped: /tmp/.csr-admin.socket -> .\fota/.csr-admin.socket
pulled sm-cleanup-tmp-flag 100% 0 B
error: failed to copy: '/tmp/sn' is not a file
skipped: /tmp/sn -> .\fota/sn
error: failed to copy: '/tmp/ReactivationlockSocket' is not a file
skipped: /tmp/ReactivationlockSocket -> .\fota/ReactivationlockSocket
pulled .murphyd.pid 100% 4 B
pulled .sdbd.pid 100% 5 B
pulled .mobicore_ready 100% 0 B
pulled .muse-server.pid 100% 4 B
error: failed to copy: '/tmp/.ode.sock' is not a file
skipped: /tmp/.ode.sock -> .\fota/.ode.sock
pulled .muse_core.lock 100% 0 B
error: failed to copy: '/tmp/.muse_server_socket' is not a file
skipped: /tmp/.muse_server_socket -> .\fota/.muse_server_socket
error: failed to copy: '/tmp/.muse_server_data_socket' is not a file
skipped: /tmp/.muse_server_data_socket -> .\fota/.muse_server_data_socket
pulled .muse_server_ready 100% 0 B
pulled sdbd_initial_bt_setup 100% 1 B
error: failed to copy: '/tmp/sdbd_socket' is not a file
skipped: /tmp/sdbd_socket -> .\fota/sdbd_socket
pulled media-server 100% 15 B
error: failed to copy: '/tmp/.msgfw_socket' is not a file
skipped: /tmp/.msgfw_socket -> .\fota/.msgfw_socket
error: failed to copy: '/tmp/.pulse_debug' is not a file
skipped: /tmp/.pulse_debug -> .\fota/.pulse_debug
pulled .pa_ready 100% 0 B
error: failed to copy: '/tmp/.csr-popup.socket' is not a file
skipped: /tmp/.csr-popup.socket -> .\fota/.csr-popup.socket
error: failed to copy: '/tmp/.focus_server.socket' is not a file
skipped: /tmp/.focus_server.socket -> .\fota/.focus_server.socket
pulled .sound_server_ready 100% 0 B
pulled .focus_server_ready 100% 0 B
error: failed to copy: '/tmp/phlock' is not a file
skipped: /tmp/phlock -> .\fota/phlock
pulled .deviceBootCheck 100% 4 B
pulled at-spi-bus-launcher.log 100% 28 B
pulled shealth_pref_accessed 100% 1 B
pulled agent_fw_noti_omadm_fota_u 100% 12 B
error: failed to copy: '/tmp/agent_fw_event_omadm' is not a file
skipped: /tmp/agent_fw_event_omadm -> .\fota/agent_fw_event_omadm
pulled esd_ready 100% 0 B
pulled pressure_event.log 100% 120 B
pulled setting_service_bootup 100% 0 B
error: failed to copy: '/tmp/FOCUS.3604.1.wch' is not a file
skipped: /tmp/FOCUS.3604.1.wch -> .\fota/FOCUS.3604.1.wch
error: failed to copy: '/tmp/FOCUS.3604.1.wchr' is not a file
skipped: /tmp/FOCUS.3604.1.wchr -> .\fota/FOCUS.3604.1.wchr
pulled mm_session_3604 100% 4 B
pulled ip 100% 14 B
pulled proxy 100% 0 B
pulled config 100% 3 B
pulled status 100% 3 B
pulled 0_data-provider-master.2904 100% 52 B
27 file(s) pulled. 29 file(s) skipped.
/tmp 0 KB/s (283 bytes in 1.280s)
BTG1 Delta from BTF3 is on device...
Now I prepare to dump whole 4 GB eMMC.. to simplify the search for Delta...
Edit 8.
Seems to work to dump 4 GB eMMC with dd and netcat... but need 1 or 2 hours for final result over WiFi....
Edit 9.
Saw red ! in Korean...
IMHO still impossible to use heavy WiFi Action and Charger at same time... also on GWA2...
IMHO battery hot warning...
Edit 10.
Seems success... need to check with WinHex...
Faster dump as expected...
Code:
sh-3.2# dd if=/dev/mmcblk0 | /home/toybox-aarch64 netcat -6 0:0:0:0:0:myIP 1234
7634944+0 records in
7634944+0 records out
3909091328 bytes (3.9 GB) copied, 1184.56 s, 3.3 MB/s
If using FOTA update mechanism with Watch alone aka Standalone... WITHOUT Phone.
Then file(s) are stored in partition 18... aka User partition aka user.img
Code:
/data/fota
LTE maybe user partition somewhere else...
Hmmmm... maybe inject into user.img possible...
Hmmmmmmmmmmmmmmm... Question is how to set all flags to start FOTA...
Code:
/data/fota/download
delta.tar is here stored with weird Base64 encoded MD5 Hash... as it seems...
Logfiles + Direct Link to SServer... :angel:
Best Regards
adfree said:
If using FOTA update mechanism with Watch alone aka Standalone... WITHOUT Phone.
Then file(s) are stored in partition 18... aka User partition aka user.img
Code:
/data/fota
LTE maybe user partition somewhere else...
Hmmmm... maybe inject into user.img possible...
Hmmmmmmmmmmmmmmm... Question is how to set all flags to start FOTA...
Code:
/data/fota/download
delta.tar is here stored with weird Base64 encoded MD5 Hash... as it seems...
Logfiles + Direct Link to SServer... :angel:
Best Regards
I tried pushing OTA in /data/fota/download but it didn't work. I am trying to find way to use ota files to update watch.
I also tried the new way to capture firmware for phones but it didn't work for watch Firmwares.
@adfree hello, you used your own rooted BTF3 firmware files for CSC change in GWA 2, 820. Can you please share download link for it?
@adfree I also did as detailed an analysis as I could of the CSC dump you uploaded and the OTA I got.
Samsung health monitor is not allowed to uninstall in firmware.
Code:
[csc packages]
count = 1
name_001 = "Samsung Health Monitor"
type_001 = "tpk"
description_001 = "path=/opt/system/csc/app/com_samsung_health_samd_bp.tpk:op=install:removable=false:disable=false"
Samsung health apk in ZTO also has SpO2 libraries. I found these lines but I don't know anything about programming here.
Code:
tizen.org/system/model_name [%s] get_platform_str fail secspo2_api /sys/class/sensors/hrm_sensor/module AFE4920 AFE4930 SM-R820 SM-R825 SM-R830 SM-R835 Renaissance SM-R840 SM-R845 SM-R850 SM-R855 Noblesse [%s] fail
[%s] success
[%s] prj(%s) sen(%s) lib(%s) TD: %d
spo2_lib(%s), TD (%d), %d, %d(%.2f/%.2f(%d)), %d(%u/%.2f), %d(%d), [secspo2] %s,
__Initialize_SpO2_Algorithm_Parameters SpO2Algo_Deinit [%s] fail getModelName / %d secspo2_util [%s] read fail (%s) get_platform_str read_fs
In System_info_dm I found these interesting things
Code:
platform:tizen.org/feature/sensor.gyroscope.uncalibrated:bool TTTTTTTT
platform:tizen.org/feature/sensor.heart_rate_monitor.led_green:bool TTTTTTTT
platform:tizen.org/feature/sensor.heart_rate_monitor.led_ir:bool FFFFFFFF
I think we need a firmware dump with spo2 enabled so we can compare the differences.
Still no CTH8 nor CTI4 for netOdin... SM-R820... :crying:
I am old man... I can't wait soooooooooo long.
Plan for now....
A
Back to BTF3
B
Use my rooted BTF3 to prepare few things and undo ramdisk... so dd action...
To leave proper partitions for FOTA procedure...
C
then copy 2 files to eMMC
Code:
delta.tar
delta.ua
BTF3->BTG1... 11 MB
To have brick ehm result in short time...
D
If drunken enough and nothing forgotten...
Then I hope I can run:
Code:
fota_local_test.sh
E
Vodka...
Maybe also as first step.
Best Regards
Edit 1.
Need 3 files push to SM-R820...
Code:
sdb root on
sdb push ramdisk.img /tmp
sdb push delta.tar /opt/usr/media/
sdb push delta.ua /opt/usr/media/
Code:
sh-3.2# fota_local_test.sh
/opt/usr/media/delta.tar is exist
/opt/usr/media/delta.ua is exist
Setting fota update mode
method return time=1601698742.112388 sender=:1.6 -> destination=:1.187 serial=483 reply_serial=2
int32 0
This works so far...
I saw 2 times progress bar to 100 %...
Now I see funny red green yellow text...
Kernel Panic...
IMHO normal... will try to flash back RAMDISK with netOdin...
Edit 1.
Alive. :cyclops:
Flashed RAMDISK again with netOdin...
Repeated steps:
Code:
sdb root on
sdb push ramdisk.img /tmp
sdb shell dd if=/tmp/ramdisk.img of=/dev/mmcblk0p8
This time with RAMDISK from BTG1...
FOTA update to CTH8 running now...
ARGH...
This time I have no RAMDISK of CTH8...
So maybe will not try last step to CTI4...
Anyway.
If all correct done, then I have rooted Tizen 5.5 CTH8...
Without modifying the netOdin Files.... :silly:
Edit 2.
Tiny Panic, because in Korean Language tooo many text...
I was scared about incoming CTI4 FOTA....
So I changed CSC to DBT to better understand what I see and what I have to press... to avoid the last update... :cyclops:
Need some time, to backup... dump... etc... and prevent CTI4...
Best Regards
Less time...
Maybe later more...
Attached is Delta from SM-R820... from BTF3 to BTG1...
This is what I used to "jump" to rooted CTH8...
Maybe somebody can help me to "build" the RAMDISK...
Maybe then I can diffdingens CTH8 RAMDISK in this way...
Thanx in advance.
Best Regards
Lets do some research...
I am trying to share what I "know" about FOTA Delta... as example we can take the file from post
https://forum.xda-developers.com/showpost.php?p=83630995&postcount=12
A
Last "2 KB" in Delta TAR we can find Signature... Certs blabla...
Readable Text String:
Code:
signed by SignApk
We can ignore this...
B
Files inside... it is small update... so only few files. :good:
Code:
cm.bin
csc.img
delta.boot
delta.ramdisk1
delta.ramdisk2
delta.recovery
delta.ua
delta.upparam
rootfs.img
sboot.bin
unpack.sh
update.cfg
csc.img\CSC.txt
csc.img\CSC_attr.txt
csc.img\diff1_NaverMap.wgt_CSC.delta
csc.img\diff2_Spotify.tpk_CSC.delta
csc.img\diff3_TizenFontKaitiChina.wgt_CSC.delta
csc.img\diff4_com_samsung_health_samd_bp.tpk_CSC.delta
csc.img\diff5_SW_Configuration.xml_CSC.delta
rootfs.img\diff10_tizen-release_ROOTFS.delta
rootfs.img\diff11_slp-release.repo_ROOTFS.delta
rootfs.img\diff12_tizen-wearable-standard-snapshot.repo_ROOTFS.delta
rootfs.img\diff13_.restore_exception.list_ROOTFS.delta
rootfs.img\diff14_author-signature.xml_ROOTFS.delta
rootfs.img\diff15_add_viewer_wrap.edj_ROOTFS.delta
rootfs.img\diff16_apps_item.edj_ROOTFS.delta
rootfs.img\diff17_apps_layout.edj_ROOTFS.delta
rootfs.img\diff18_apps_page.edj_ROOTFS.delta
rootfs.img\diff19_apps_view_layout.edj_ROOTFS.delta
rootfs.img\diff1_memory.db-journal_ROOTFS.delta
rootfs.img\diff20_clock_contextual.edj_ROOTFS.delta
rootfs.img\diff21_clock_indicator.edj_ROOTFS.delta
rootfs.img\diff22_dashboard.edj_ROOTFS.delta
rootfs.img\diff23_edit.edj_ROOTFS.delta
rootfs.img\diff24_layout.edj_ROOTFS.delta
rootfs.img\diff25_page.edj_ROOTFS.delta
rootfs.img\diff26_page_clock.edj_ROOTFS.delta
rootfs.img\diff27_page_indicator.edj_ROOTFS.delta
rootfs.img\diff28_preview.edj_ROOTFS.delta
rootfs.img\diff29_scrollView.edj_ROOTFS.delta
rootfs.img\diff2_system.db-journal_ROOTFS.delta
rootfs.img\diff30_tutorial.edj_ROOTFS.delta
rootfs.img\diff31_tutorial_steps.edj_ROOTFS.delta
rootfs.img\diff32_signature1.xml_ROOTFS.delta
rootfs.img\diff33_author-signature.xml_ROOTFS.delta
rootfs.img\diff34_windicator.edj_ROOTFS.delta
rootfs.img\diff35_signature1.xml_ROOTFS.delta
rootfs.img\diff36_ffffffff00000000000000000000000a.tlbin_ROOTFS.delta
rootfs.img\diff37_ffffffff00000000000000000000000b.tlbin_ROOTFS.delta
rootfs.img\diff38_author-signature.xml_ROOTFS.delta
rootfs.img\diff39_wc-popup_ROOTFS.delta
rootfs.img\diff3_device-sec-policy_ROOTFS.delta
rootfs.img\diff40_signature1.xml_ROOTFS.delta
rootfs.img\diff41_sapd_ROOTFS.delta
rootfs.img\diff42_scsd_ROOTFS.delta
rootfs.img\diff43_test_scs_ROOTFS.delta
rootfs.img\diff44_weconnd_ROOTFS.delta
rootfs.img\diff45_libsap-client-stub-api.so.1.0.0_ROOTFS.delta
rootfs.img\diff46_libsap_client.so.0.0.0_ROOTFS.delta
rootfs.img\diff47_libweconn.so.4.1.7_ROOTFS.delta
rootfs.img\diff48_locale-archive_ROOTFS.delta
rootfs.img\diff49_ble.so_ROOTFS.delta
rootfs.img\diff4_info.ini_ROOTFS.delta
rootfs.img\diff50_bt.so_ROOTFS.delta
rootfs.img\diff51_scs.so_ROOTFS.delta
rootfs.img\diff52_tcp.so_ROOTFS.delta
rootfs.img\diff53_sap.service_ROOTFS.delta
rootfs.img\diff54_weconn.service_ROOTFS.delta
rootfs.img\diff55_mod_bt.so_ROOTFS.delta
rootfs.img\diff56_mod_cellular.so_ROOTFS.delta
rootfs.img\diff57_mod_p2p.so_ROOTFS.delta
rootfs.img\diff58_mod_sap.so_ROOTFS.delta
rootfs.img\diff59_mod_wifi.so_ROOTFS.delta
rootfs.img\diff5_os-release_ROOTFS.delta
rootfs.img\diff60_removed-file.lst_ROOTFS.delta
rootfs.img\diff61_privilege-mount.list_ROOTFS.delta
rootfs.img\diff62_usr_share_locale.squash_ROOTFS.delta
rootfs.img\diff63_resource_QNX.zip_ROOTFS.delta
rootfs.img\diff64_checksum.md5_ROOTFS.delta
rootfs.img\diff65_opt.zip_ROOTFS.delta
rootfs.img\diff66_smack_label.txt_ROOTFS.delta
rootfs.img\diff67_ugid_permission.txt_ROOTFS.delta
rootfs.img\diff68_libsap.so.1.12.0_ROOTFS.delta
rootfs.img\diff6_system_info_db_ROOTFS.delta
rootfs.img\diff7_kern_sec_info_ROOTFS.delta
rootfs.img\diff8_tima_measurement_info_ROOTFS.delta
rootfs.img\diff9_tizen-build.conf_ROOTFS.delta
rootfs.img\ROOTFS.txt
rootfs.img\ROOTFS_attr.txt
C
Code:
cm.bin
sboot.bin
Bootloader and Bootloader related file are ever 100 % full Image... FULL_IMG
D
Code:
update.cfg
Here we can see Partition Table Infos... MD5 Hashes...
Code:
BOOTLOADER sboot.bin FULL_IMG /dev/mmcblk0p80 0 1921296 1921296 2e2f2c95b6c79f9499a6b1ecb2d8f4a5a434b505 9d4493e96538835f75e13510da6696bd102bb9b3
CM cm.bin FULL_IMG /dev/mmcblk0p11 0 2597136 2597136 48041a45e24bb1d8490e0a11c00ce5e57826e0ef aa43a94670a4ea3aa13b5b514c59cf3a83e47568
ROOTFS rootfs.img/ DELTA_FS /dev/mmcblk0p19 0 58207558
CSC csc.img/ DELTA_FS /dev/mmcblk0p16 0 17828390
BOOT delta.boot DELTA_IMG /dev/mmcblk0p12 0 15524112 15524112 da8ecde6d6b4a048342f381765f552d39cfdd793 fadeb71ce42d2b727b8e5840234b01cf2d8e60c7
UP_PARAM delta.upparam DELTA_IMG /dev/mmcblk0p10 0 1085440 1085440 8f66a3a59b1685c9d043d9ad1df0627a85c475ed 043ae8dda424a2e9433471264201c8eb73390c79
RAMDISK1 delta.ramdisk1 DELTA_IMG /dev/mmcblk0p8 0 7340304 7340304 22af46f1186e2d63bc688ef6271fab634ca15ee6 ccf7859cd5ec61d849626fe9eae8b11ca7c8427f
RAMDISK2 delta.ramdisk2 EXTRA /dev/mmcblk0p7 0 19923216 19923216 5822281d04ac49dbb1f413acf150049533bcf758 c1161d9abedc468e0bb8a9dbeb014cee24c733a3
RECOVERY delta.recovery EXTRA /dev/mmcblk0p13 0
We can see the 3 types:
Code:
FULL_IMG
DELTA_IMG
DELTA_FS
IMG means files we know from Firmware packages...
FS IMHO Filesystem... affected csc.img and rootfs.img
E
Code:
delta.ua
This File is already in Firmware... but newer Versions come with delta.tar ...
Seems main part of FOTA procedure...
Best Regards
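The update.cfg rows listed in the post above can be parsed and used to check a dumped image before any update is attempted. This is an added example, not code from the post or from Tizen: the column names, the function names and the choice of SHA-1 (the 40-hex-digit values have the length of a SHA-1 digest) are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Four rows copied from the update.cfg listing in the post (forum bold tags dropped).
UPDATE_CFG = """\
BOOTLOADER sboot.bin FULL_IMG /dev/mmcblk0p80 0 1921296 1921296 2e2f2c95b6c79f9499a6b1ecb2d8f4a5a434b505 9d4493e96538835f75e13510da6696bd102bb9b3
ROOTFS rootfs.img/ DELTA_FS /dev/mmcblk0p19 0 58207558
RAMDISK1 delta.ramdisk1 DELTA_IMG /dev/mmcblk0p8 0 7340304 7340304 22af46f1186e2d63bc688ef6271fab634ca15ee6 ccf7859cd5ec61d849626fe9eae8b11ca7c8427f
RECOVERY delta.recovery EXTRA /dev/mmcblk0p13 0
"""

@dataclass
class Entry:
    # Column names are assumptions; the post shows the rows without a header.
    name: str
    payload: str
    kind: str
    device: str
    offset: int
    old_size: Optional[int] = None   # rows with one size column land here
    new_size: Optional[int] = None
    old_sha1: Optional[str] = None
    new_sha1: Optional[str] = None

def _digest(field: str, lineno: int) -> str:
    field = field.lower()
    if len(field) != 40 or any(c not in "0123456789abcdef" for c in field):
        raise ValueError(f"line {lineno}: not a 40-hex-digit digest: {field!r}")
    return field

def parse_update_cfg(text: str) -> list:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        f = line.split()
        if not f:
            continue
        if len(f) not in (5, 6, 9):      # the three row shapes seen in the listing
            raise ValueError(f"line {lineno}: unexpected field count {len(f)}")
        e = Entry(f[0], f[1], f[2], f[3], int(f[4]))
        if len(f) >= 6:
            e.old_size = int(f[5])
        if len(f) == 9:
            e.new_size = int(f[6])
            e.old_sha1, e.new_sha1 = _digest(f[7], lineno), _digest(f[8], lineno)
        entries.append(e)
    return entries

def check_image(entry: Entry, image: bytes, which: str = "old") -> str:
    """Compare a dumped image with the size and digest recorded for it."""
    size = entry.old_size if which == "old" else entry.new_size
    digest = entry.old_sha1 if which == "old" else entry.new_sha1
    if size is None or digest is None:
        return "no-digest"               # DELTA_FS / EXTRA rows without hashes
    if len(image) < size:
        return "too-short"
    # Assumption: a partition dump may carry padding, so hash only `size` bytes.
    ok = hashlib.sha1(image[:size]).hexdigest() == digest
    return "match" if ok else "mismatch"
```

The RAMDISK1 size of 7340304 bytes is the same figure xdelta3 reports for ramdisk_BTF3.img later in the thread, which is a quick sanity check that the size columns describe the raw images.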
Attached package with Ramdisk from BTF3 and BTG1 inside...
Delta File
the Delta File extracted... with 7Zip
In Delta I see Header:
Code:
SSDIFF40
First few Bytes of file...
Search inside Firmware/delta.ua leads to
Code:
apply_patch BSDIFF40
Now with Google more success... to find something...
https://wiki.tizen.org/Tizen_OS_Upgrade_Package_Generation_Guide
http://www.daemonology.net/bsdiff/
.
.
.
Tried on my SM-R760...
Code:
sh-3.2# xdelta3 -d -s ramdisk_BTF3.img delta decoded_new_file1
xdelta3: not a VCDIFF input: XD3_INVALID_INPUT
xdelta3: normally this indicates that the source file is incorrect
xdelta3: please verify the source file with sha1sum or equivalent
as test:
Code:
sh-3.2# xdelta3 -e -s ramdisk_BTF3.img ramdisk_BTG1.img delta_fileV1
sh-3.2# xdelta3 -vv -e -s ramdisk_BTF3.img ramdisk_BTG1.img delta_fileV1
xdelta3: input ramdisk_BTG1.img window size 7.00 MiB
xdelta3: source ramdisk_BTF3.img source size 7.00 MiB [7340304] blksize 64.0 MiB window 64.0 MiB #bufs 1 (FIFO)
xdelta3: to overwrite output file specify -f: delta_fileV1
Created file looks far away from what I need...
Maybe somebody can help me to solve the riddle.
Thanx in advance.
Best Regards
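The xdelta3 error in the post above follows from the magic bytes: xdelta3 reads VCDIFF, while the delta begins with SSDIFF40 and delta.ua references BSDIFF40. The added example below (not from the post or from Tizen tooling) classifies a delta by its magic and parses the header of the standard bsdiff 4.x format from the daemonology.net link; SSDIFF40 is recognised by magic only, its layout is not assumed, and all function names are hypothetical.

```python
import bz2

VCDIFF_MAGIC = b"\xd6\xc3\xc4"   # RFC 3284 header: 'V', 'C', 'D' with the high bit set

def offtin(buf: bytes) -> int:
    """Decode bsdiff's 8-byte little-endian sign-magnitude integer."""
    raw = int.from_bytes(buf, "little")
    value = raw & ((1 << 63) - 1)
    return -value if raw >> 63 else value

def offtout(value: int) -> bytes:
    """Encode an integer the way bsdiff stores lengths and offsets."""
    return (abs(value) | ((1 << 63) if value < 0 else 0)).to_bytes(8, "little")

def identify_delta(data: bytes) -> dict:
    if data[:3] == VCDIFF_MAGIC:
        return {"format": "VCDIFF"}          # what xdelta3 -d expects
    if data[:8] == b"SSDIFF40":
        # Magic seen in the post's delta; the layout after it is not assumed here.
        return {"format": "SSDIFF40"}
    if data[:8] == b"BSDIFF40":
        if len(data) < 32:
            raise ValueError("truncated BSDIFF40 header")
        ctrl_len, diff_len, new_size = (offtin(data[i:i + 8]) for i in (8, 16, 24))
        if min(ctrl_len, diff_len, new_size) < 0:
            raise ValueError("negative length in BSDIFF40 header")
        if 32 + ctrl_len + diff_len > len(data):
            raise ValueError("block lengths exceed file size")
        return {"format": "BSDIFF40", "ctrl_len": ctrl_len, "diff_len": diff_len,
                "new_size": new_size, "ctrl_is_bzip2": data[32:35] == b"BZh"}
    return {"format": "unknown"}

def build_sample_bsdiff(new_data: bytes) -> bytes:
    """Constructed patch: one control triple (0 diff bytes, all extra bytes, seek 0)."""
    ctrl = bz2.compress(offtout(0) + offtout(len(new_data)) + offtout(0))
    diff = bz2.compress(b"")
    extra = bz2.compress(new_data)
    header = (b"BSDIFF40" + offtout(len(ctrl)) + offtout(len(diff))
              + offtout(len(new_data)))
    return header + ctrl + diff + extra
```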
I am toooooo blind to find the Binaries for:
https://wiki.tizen.org/Tizen_OS_Upgrade_Package_Generation_Guide
Code:
Tizen:~$ ss_bsdiff
ss_bsdiff: ss_bsdiff Version 5.0
Usage: ss_bsdiff oldfile newfile patchfile
Code:
Tizen:~$ ss_bspatch
ss_bspatch: ss_bspatch Version 1.0
Usage: ss_bspatch oldfile newfile patchfile
So other project...
https://doc.samsungmobile.com/SM-R820/TPH/doc.html
http://fota-cloud-dn.ospserver.net/firmware/TPH/SM-R820/version.xml
New plan for today...
Seems update possible direct from BTA1 to CTI4...
So I hope I can verify Under Armour Edition Files...
Best Regards
Edit 1.
Step 1.
"Reset" Bootloader sboot.bin...
Bypass Rollback Prevention crap... to flash older Bootloader to be able to be valid in FOTA mechanism.
Simple I will flash Combination Firmware.
Edit 2.
Meanwhile I have the 300 MB delta.tar ...
Need to flash BTA1...
Now creating the rooted rootfs.img
Then I need to flash Root...
Edit 3.
So I am soon ready to perform FOTA update manually from rooted BTA1... direct to CTI4... in "1 step"...
So the theory...
Edit 4.
Push 300 MB to SM-R820...
Code:
sdb push delta.tar /opt/usr/media/
Edit 5.
Code:
D:\SDB\SDB260>sdb push delta.tar /opt/usr/media/
pushed delta.tar 100% 292MB
1 file(s) pushed. 0 file(s) skipped.
delta.tar 467 KB/s (307160587 bytes in 641.761s)
Edit 6.
Code:
sh-3.2# fota_local_test.sh
/opt/usr/media/delta.tar is exist
/opt/usr/media/delta.ua is exist
Setting fota update mode
method return time=1601987367.697180 sender=:1.9 -> destination=:1.193 serial=733 reply_serial=2
int32 0
Edit 7.
I am now on rooted CTI4... dumping 4 GB eMMC with netcat...
https://www.file-upload.net/download-14339783/smR820_FOTAdelta_CTI4_to_CTJ5.7z.html
Delta File from SM-R820 CTI4 to CTJ5... FOTA.
For study...
Best Regards