Hey guys, as the title says I successfully changed my GWA2 CSC from DBT to XAR, but ran into some problems. The watch boots up normally and I can use it, install apps from the Galaxy Store, etc. but I am stuck on version R820XXU1ASHF/Tizen 4.0.0.6. My phone shows a 30.68MB update to BTG1, and it can download it and start installing it but when it gets to 97%, the watch resets and boots up the old (ASHF) firmware. Moreover, Samsung Pay says that it can't start since I've "modified my watch," but I think this can be due to the very old firmware.
I've already tried changing to another CSC (both to AUT and the original EUR) and reflashing the ASHF firmware but to no avail. I originally came from R820XXU1BTA1 but I can't find that anywhere.
What can I do to fix this? I've also found the firmware files on some paid sites, and I'd pay since it's nothing significant, but I'm really not sure if those are real. Has anyone here bought firmware from them? Can anyone set me up with anything even one version newer than what I have? I've been searching for hours but I seem to have hit a dead end.
I bought a firmware on Fullstockfirmware and it works fine. I can host R820XXU1BTF3.zip if you need, but I'm a new member and can't post a link.
https://drive.google.com/file/d/1LmJ9uJl644ePVnwabkGt_swDY961B_Ds/view?usp=drivesdk
Here is a link for the firmware
Noname761 said:
I bought a firmware on Fullstockfirmware and it works fine. I can host R820XXU1BTF3.zip if you need, but I'm a new member and can't post a link.
https://drive.google.com/file/d/1LmJ9uJl644ePVnwabkGt_swDY961B_Ds/view?usp=drivesdk
Here is a link for the firmware
Thank you so much! You're a godsend! I flashed this in a heartbeat.
The update to BTG1 and SPay still don't work, but BTF1 is a way better point to be stuck on.
Plus, I checked my Knox bit, and it is not set. Maybe I messed something up (file permissions, line terminators, etc.) in /csa...
With this firmware I have Samsung Pay, but I can't test it because my bank is not supported. And the ECG and blood pressure work with 23.tpk and shm caranava. Oh, and nothing for the firmware. It's normal to share on a sharing forum?
Noname761 said:
With this firmware I have Samsung Pay, but I can't test it because my bank is not supported. And the ECG and blood pressure work with 23.tpk and shm caranava. Oh, and nothing for the firmware. It's normal to share on a sharing forum?
Could you by any chance give me the output of the following command? You don't need the combination firmware or root to run it.
Code:
sdb shell "ls -l /csa/csc/csc-active-customer.inf /csa/imei/prodcode.dat && hexdump -C /csa/csc/csc-active-customer.inf && hexdump -C /csa/imei/prodcode.dat"
My output looks like this:
Code:
-rwxrwxr-x 1 root system_share 3 Aug 12 10:27 /csa/csc/csc-active-customer.inf
-rw-rw-r-- 1 root system_share 14 Aug 11 15:23 /csa/imei/prodcode.dat
00000000 58 41 52 |XAR|
00000003
00000000 53 4d 2d 52 38 32 30 4e 5a 4b 41 58 41 52 |SM-R820NZKAXAR|
0000000e
here is mine
Code:
-rwxrwxr-x 1 root system_share 3 Aug 8 19:26 /csa/csc/csc-active-customer.inf
-rw-rw-r-- 1 root system_share 14 Aug 7 07:53 /csa/imei/prodcode.dat
00000000 58 45 46 |XEF|
00000003
00000000 53 4d 2d 52 38 32 30 4e 5a 53 41 58 45 46 |SM-R820NZSAXEF|
0000000e
Noname761 said:
here is mine
Code:
-rwxrwxr-x 1 root system_share 3 Aug 8 19:26 /csa/csc/csc-active-customer.inf
-rw-rw-r-- 1 root system_share 14 Aug 7 07:53 /csa/imei/prodcode.dat
00000000 58 45 46 |XEF|
00000003
00000000 53 4d 2d 52 38 32 30 4e 5a 53 41 58 45 46 |SM-R820NZSAXEF|
0000000e
Thanks for all your help, alas I can't find what's wrong with my watch...
Before updating, I used the combination firmware to change my CSC and then I flashed a stock firmware. I made the updates with Wearable and I finally flashed version 4.0.0.8.
IMHO this is Rollback Prevention crap.. of Bootloader sboot.bin...
If Firmware is lower... Alphabet knowledge and count from 0 - 10 is enough skills...
Additional Infos can be taken from here:
http://fota-cloud-dn.ospserver.net/firmware/XAR/SM-R820/version.xml
I see ASHF... and you confirmed it found FOTA delta package... :good: :good:
Now check Bootloader Version...
Code:
sdb shell
Code:
cat /proc/cmdline
To bypass you need same or higher Firmware...
Post result of Command...
And I could try to help you...
IMHO BTF3 is not valid FOTA base in XAR chain...
BTD3 or something like this was before on XAR...
BTG1 not leaked yet... otherwise we would do this.
Best Regards
adfree said:
IMHO this is Rollback Prevention crap.. of Bootloader sboot.bin...
If Firmware is lower... Alphabet knowledge and count from 0 - 10 is enough skills...
Additional Infos can be taken from here:
http://fota-cloud-dn.ospserver.net/firmware/XAR/SM-R820/version.xml
I see ASHF... and you confirmed it found FOTA delta package... :good: :good:
Now check Bootloader Version...
Code:
sdb shell
Code:
cat /proc/cmdline
To bypass you need same or higher Firmware...
Post result of Command...
And I could try to help you...
IMHO BTF3 is not valid FOTA base in XAR chain...
BTD3 or something like this was before on XAR...
BTG1 not leaked yet... otherwise we would do this.
Best Regards
Code:
sh-3.2$ cat /proc/cmdline
console=ram loglevel=4 bootmode=ramdisk root=/dev/ram0 rw model=SM-R820 boot_ver=R820XXU1BTA1 hw_rev=05 sec_debug.enable=0 sec_debug.enable_user=0 tizenboot.sec_atd.tty=/dev/ttySAC0 tizenboot.emmc_checksum=0 tizenboot.dram_info=01,06,00,0.75G tizenboot.log=0x9b010000,0x200000,0x7f309,0x7ff90 tizenboot.boottime=1230ms tizenboot.sales_code=XAR warrantybit=0 sec_debug.bin=N lcdtype=0x402484 ess_setup=0x9b000000 [email protected] [email protected] DynSysLog=0 uart_sel=AP pmic_info=11 oops=panic [email protected] sec_debug.chipidfail_cnt=0 sec_debug.lpitimeout_cnt=0 sec_debug.cache_err_cnt=0 sec_debug.lpddr4_size=0.75 tizenboot.recovery_offset=1056512 tizenboot.carrierid_offset=1049156 tizenboot.carrierid= sec_debug.reset_reason=7 sec_debug.pwroffsrc=0x0 sec_debug.pwronsrc=0x8 sec_debug.rst_stat=0x20000000 tizenboot.verified_kern=1 tizenboot.fota_bl_status=none
I also found something interesting in /var/log/last_update.log which I will also attach to this post
Code:
UA/ERROR(SS_IMGVerfiyPartition) SS_IMGVerfiyPartition - SHA mismatch with SRC [/dev/mmcblk0p7] Expected [ffa4a910] Actual [ffa4a938]
UA/ERROR(SS_SetUpgradeState) FAILED to upgrade Cause:[0xd19]
I have pulled the delta.tar from the device and it seems that mmcblk0p7 is a ramdisk. I thought I'd replace the SHA value and pull the ole switcharoo but I can't find it anywhere
Code:
boot_ver=R820XXU1BTA1
This is the Knockout...
FOTA selfcheck detect that Bootloader not valid for ASHF Firmware...
Valid in case of FOTA crap...
BTA1 is inside FOTA chain of XAR CSC aka Sales Code:
http://fota-cloud-dn.ospserver.net/firmware/XAR/SM-R820/version.xml
Code:
R820XXU1BTA1/R820OXA1BTA1
Easiest way IMHO to flash whole BTA1 Firmware...
Best Regards
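The two things adfree asks for in this thread (the sales code as stored in /csa/csc/csc-active-customer.inf and /csa/imei/prodcode.dat, and the boot_ver from /proc/cmdline compared against the firmware the watch is actually running) can be checked with a short script. The following is an added example written for this thread, not code from the thread or from Samsung. Its sample input is the cmdline and the hexdumps posted above (the cmdline trimmed to the tokens the script reads); it assumes the build tag ordering described in its comments (ASHF before BTA1 before BTF3 before BTG1, which is also what the "alphabet knowledge" hint relies on) and that prodcode.dat is 14 bytes, as both dumps in this thread show. To use it on a real watch, pull the three inputs with sdb and replace the constants.

```python
import re

# Sample inputs. The cmdline is the one posted in this thread, trimmed to the tokens
# this check reads; the two file contents are the bytes from the hexdumps posted
# earlier in the thread; the running firmware is the version the watch reported.
SAMPLE_CMDLINE = (
    "console=ram loglevel=4 bootmode=ramdisk root=/dev/ram0 rw model=SM-R820 "
    "boot_ver=R820XXU1BTA1 hw_rev=05 tizenboot.sales_code=XAR warrantybit=0 "
    "tizenboot.verified_kern=1 tizenboot.fota_bl_status=none"
)
SAMPLE_CSC_ACTIVE = b"XAR"             # /csa/csc/csc-active-customer.inf (3 bytes)
SAMPLE_PRODCODE = b"SM-R820NZKAXAR"    # /csa/imei/prodcode.dat (14 bytes)
RUNNING_FIRMWARE = "R820XXU1ASHF"      # what the watch reports as its software version

# Samsung build string: model, 2-letter region, one letter, bootloader revision digit,
# then a 4-character build tag (e.g. R820 XX U 1 BTA1).
BUILD_RE = re.compile(
    r"^(?P<model>R\d{3}[A-Z]?)(?P<region>[A-Z]{2})(?P<kind>[A-Z])(?P<bl>\d)(?P<tag>[A-Z]{3}[0-9A-Z])$"
)


def parse_cmdline(text):
    """Split a /proc/cmdline string into a dict; bare words such as 'rw' map to None."""
    result = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        result[key] = value if sep else None
    return result


def parse_build(version):
    """Break a build string such as R820XXU1BTA1 into its named parts."""
    match = BUILD_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised build string: {version!r}")
    return match.groupdict()


def build_tag(version):
    """Return the 4-character tag used to order builds. Assumption (the common reading,
    and what the 'alphabet knowledge' hint in this thread relies on): tags compare
    lexicographically, so ASHF < BTA1 < BTF3 < BTG1."""
    return parse_build(version)["tag"]


def check_csc_files(csc_active, prodcode, sales_code):
    """Cross-check the sales code in csc-active-customer.inf, the last three characters
    of prodcode.dat and tizenboot.sales_code from the bootloader. Returns a list of
    findings; an empty list means all three agree and the files carry no stray bytes."""
    findings = []
    csc = csc_active.strip(b"\r\n\x00 ").decode("ascii", "replace")
    prod = prodcode.strip(b"\r\n\x00 ").decode("ascii", "replace")
    if len(csc_active) != 3:
        findings.append(
            f"csc-active-customer.inf is {len(csc_active)} bytes, expected exactly 3 "
            f"(a trailing newline or NUL left by an editor would do this)"
        )
    if len(prodcode) != 14:
        findings.append(f"prodcode.dat is {len(prodcode)} bytes, expected 14")
    if not prod.endswith(csc):
        findings.append(f"prodcode.dat {prod!r} does not end with CSC {csc!r}")
    if sales_code != csc:
        findings.append(f"bootloader sales_code {sales_code!r} != csc-active-customer.inf {csc!r}")
    return findings


def check_fota_base(cmdline, running_fw):
    """Compare the bootloader's build (boot_ver) with the running firmware.
    Returns (boot_ver, ok, message). Per the diagnosis in this thread, a running build
    older than the bootloader's is not a valid FOTA base and the delta is rejected."""
    boot_ver = parse_cmdline(cmdline).get("boot_ver") or ""
    if build_tag(running_fw) < build_tag(boot_ver):
        return boot_ver, False, (
            f"running {running_fw} is older than bootloader build {boot_ver}; "
            f"flash the full {boot_ver} firmware before trying FOTA again"
        )
    return boot_ver, True, f"running {running_fw} is at or above bootloader build {boot_ver}"


if __name__ == "__main__":
    kv = parse_cmdline(SAMPLE_CMDLINE)
    for finding in check_csc_files(SAMPLE_CSC_ACTIVE, SAMPLE_PRODCODE, kv["tizenboot.sales_code"]):
        print("CSC:", finding)
    _, ok, message = check_fota_base(SAMPLE_CMDLINE, RUNNING_FIRMWARE)
    print("FOTA base:", "OK" if ok else "PROBLEM", "-", message)
```

With the values from this thread the CSC files are consistent (no findings) and the only problem reported is the one adfree points out: the bootloader is BTA1 while the system runs ASHF. The length check on csc-active-customer.inf is there because a file written by hand easily picks up a trailing newline, which is the kind of mistake g511 wondered about.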
Thanks, I'll see if I can get my hands on that version...
@g511
Please check your Private Message... I sent you PM...
Best Regards
Hi guys.
Can anyone help me? I changed CSC and Samsung Pay is now on the watch. The problems are two:
1- Samsung doesn't work because "the watch is modified"
2- The upgrade doesn't work. I download the update but it doesn't install
Searching for a solution.
Thanks
@stampatori
Please, it is more helpful if you give FULL details...
MINIMUM to know Model Name... Nobody here has a Crystal Ball...
SM-R820?
Or LTE device like SM-R825F?
Or?
Best Regards
@adfree
Sorry.....?
My watch is a GWA2
SM-R820
Tizen 4.0.0.6
Firmware R820XXU1ASHF
@g511 search "techno proz change csc on watch active 2" on YOUTUBE and just follow. 100% works! I did it 3 days ago and everything is perfect!
Hello
I have the same problem with my NEW Active 2 watch. I don't know why it is happening, because my watch is NEW. I found this log in /opt/var/log/last_update.log
Code:
UA/(deleteNode): There is only one node. The list can't be made empty UA/ERROR(SS_FSVerifyNode) SS_FSVerifyNode - SHA mismatch with SRC - PATH [system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal] Expected [fff7d41c] Actual [fff7d430]
UA/ERROR(SS_SetUpgradeState) FAILED to upgrade Cause:[0xd15]
UA/ERROR(SS_AppendNode) Bad Nodes, Failed to pass verification - [Delta Path - /opt/usr/data/fota/save/delta.tar][OldPath - system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal] [NewPath - system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal]
UA/(tar_free_cfg_table): Free TAR CFG TABLE
UA/ERROR(SS_FSVerifyPartition) FS Verification Failed PartIndex: [4]
UA/(SS_FSClearNodes): Free Nodes idx=4
UA/(update_all): CSC verify failUA/(save_cause): save_cause entered, 0xd15
UA/(print_error_cause): The update failed because data was corrupted during update of device.UA/(save_cause): save_cause leaved!
UA/(main): [update_all ret=64537]
UA/(main): Result=64537
UA/(save_result): save_result entered, result=0xfc19
UA/(save_result): save_result leaved!
this is my /proc/cmdline
Code:
console=ram loglevel=4 bootmode=ramdisk root=/dev/ram0 rw model=SM-R825FS boot_ver=R825FXXU1ASJ3 hw_rev=05 sec_debug.enable=0 sec_debug.enable_user=0 tizenboot.sec_atd.tty=/dev/ttySAC0 tizenboot.emmc_checksum=0 tizenboot.dram_info=01,06,00,1.50G tizenboot.log=0x9b010000,0x200000,0x0,0xaba tizenboot.boottime=2140ms tizenboot.sales_code=COM warrantybit=0 sec_debug.bin=N lcdtype=0x402484 ess_setup=0x9b000000 [email protected] [email protected] DynSysLog=0 uart_sel=AP pmic_info=11 oops=panic [email protected] sec_debug.chipidfail_cnt=0 sec_debug.lpitimeout_cnt=0 sec_debug.cache_err_cnt=0 sec_debug.lpddr4_size=1.50 tizenboot.recovery_offset=1056512 tizenboot.carrierid_offset=1049156 tizenboot.carrierid= sec_debug.reset_reason=9 sec_debug.pwroffsrc=0x10 sec_debug.pwronsrc=0x1 sec_debug.rst_stat=0x10000 tizenboot.cp_reserved_mem=off tizenboot.verified_kern=1 tizenboot.fota_bl_status=none
this is my csc-active-customer.inf
Code:
sh-3.2$ hexdump -C /csa/csc/csc-active-customer.inf
00000000 43 4f 4d |COM|
00000003
this is my prodcode.dat
Code:
sh-3.2$ hexdump -C /csa/imei/prodcode.dat
00000000 53 4d 2d 52 38 32 35 46 5a 4b 41 43 4f 4d |SM-R825FZKACOM|
0000000e
Do you know why I cannot update my watch?
Thanks !
@andrs1294
All I can see for now is some mismatch with CSC... but I don't fully understand...
COM
http://fota-cloud-dn.ospserver.net/firmware/COM/SM-R825F/version.xml
TCE
http://fota-cloud-dn.ospserver.net/firmware/TCE/SM-R825F/version.xml
Both CSC / Sales Code are in same package... region Code:
OWO...
Code:
R825FXXU1ATA1/R825FOWO1ATA1/R825FXXU1ATA1
I have only OXA and OLB package with ATA1 Firmware for netOdin...
Need some more time for investigation...
Found only 1 OWO package...:
Code:
R825FXXU1ASI5
Best Regards
adfree said:
@andrs1294
All I can see for now is some mismatch with CSC... but I don't fully understand...
Both CSC / Sales Code are in same package... region Code:
OWO...
Code:
R825FXXU1ATA1/R825FOWO1ATA1/R825FXXU1ATA1
I have only OXA and OLB package with ATA1 Firmware for netOdin...
Need some more time for investigation...
Found only 1 OWO package...:
Code:
R825FXXU1ASI5
Best Regards
Thanks @adfree for your response. Here you can find my investigation:
The error message is:
Code:
There is only one node. The list can't be made empty UA/ERROR(SS_FSVerifyNode) SS_FSVerifyNode - SHA mismatch with SRC - PATH [system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal] Expected [ff9feddc] Actual [ff9fedf0]
So I searched for the SS_FSVerifyNode code on the internet and found that it is part of libtota-1.2.2-25.1.src.rpm.
Code:
...
/* Excerpt from libtota's SS_FSVerifyNode as posted: load the source file, compare its
   SHA-1 with the digest recorded for it in the manifest, and fail the upgrade on mismatch. */
if (SS_LoadFile(path, &source_file) == 0) {
    if (memcmp(source_file.sha1, source_sha1, SHA_DIGEST_SIZE) != 0) {
        SS_Free(source_file.data);
        unsigned char actualShaBuffer[41] = { 0, };
        /* render the binary digest as 40 hex characters for the log line */
        hex_digest(source_file.sha1, actualShaBuffer, SHA_DIGEST_SIZE);
        LOGE("SS_FSVerifyNode - SHA mismatch with SRC - PATH [%s] Expected [%s] Actual [%s]\n",
             path, sha1src, actualShaBuffer);
        SS_SetUpgradeState(E_SS_FSSRCCURRUPTED); // E_SS_FSSRCCURRUPTED (0xD15) /*Could NOT update FS as SRC seems to be corrupted */
        return E_SS_FAILURE;
    }
}
...
It is calculating the SHA1 of the file system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal and then comparing it with the SHA inside csc.img/CSC.txt, which is inside the delta.tar file. Part of the content of csc.img/CSC.txt is
Code:
DIFF:REG:system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal:system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal:a4b298726c564ea01c9f21815c864e253493c269:f185bc963d1e61e372da5f1cda21e69a0cebf3ca:diff4_.delta_opername.db-journal_CSC.delta
PaTcHCoUnT:4 0 0 0 0 0
So I think my delta_opername.db-journal was edited at some point, so the SHA digest doesn't match.
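The check andrs1294 traced into libtota can be reproduced off the device, which is the quickest way to find out which files a FOTA delta will refuse before running the update again. The following is an added example written for this thread, not code from libtota or from the thread; it parses the DIFF lines of CSC.txt in the field order of the sample line above (kind, old path, new path, old SHA-1, new SHA-1, delta name, separated by colons) and hashes a stand-in for the device's files. Its sample manifest is the line quoted above; the file contents are constructed, so the run reproduces the mismatch rather than a pass. One caveat worth noting: the Expected/Actual values in the log lines of this thread are 8 hex digits, not 40, so they are not the digests themselves; the expected digest the agent is really comparing against is the 40-character value in CSC.txt.

```python
import hashlib
from dataclasses import dataclass

# Manifest lines copied from the csc.img/CSC.txt quoted above: the entry for the file
# the update agent rejected, followed by its PaTcHCoUnT trailer.
SAMPLE_MANIFEST = (
    "DIFF:REG:system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal"
    ":system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal"
    ":a4b298726c564ea01c9f21815c864e253493c269:f185bc963d1e61e372da5f1cda21e69a0cebf3ca"
    ":diff4_.delta_opername.db-journal_CSC.delta\n"
    "PaTcHCoUnT:4 0 0 0 0 0\n"
)


@dataclass
class DiffEntry:
    kind: str        # "REG" (regular file) in the sample; other kinds are kept verbatim
    old_path: str    # file as it must exist before the update
    new_path: str    # file after the delta has been applied
    old_sha1: str    # SHA-1 the source file must have (hex)
    new_sha1: str    # SHA-1 the patched file will have (hex)
    delta_name: str  # delta inside delta.tar that turns old into new


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def parse_manifest(text):
    """Parse the DIFF:... lines of CSC.txt; trailer lines such as PaTcHCoUnT are skipped.
    Field layout follows the sample line above; paths containing ':' are not handled."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("DIFF:"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"unexpected field count ({len(parts)}) in: {line!r}")
        _, kind, old_path, new_path, old_sha1, new_sha1, delta_name = parts
        entries.append(DiffEntry(kind, old_path, new_path, old_sha1.lower(), new_sha1.lower(), delta_name))
    return entries


def make_manifest_line(kind, old_path, new_path, old_bytes, new_bytes, delta_name):
    """Build a self-consistent DIFF line for constructed test data."""
    return f"DIFF:{kind}:{old_path}:{new_path}:{sha1_hex(old_bytes)}:{sha1_hex(new_bytes)}:{delta_name}"


def verify_sources(entries, files):
    """Pre-check mirroring SS_FSVerifyNode: hash each source file as it currently exists
    (`files` maps path -> bytes and stands in for the device's filesystem) and compare it
    with the manifest's old SHA-1. Returns (path, status, expected, actual) tuples with
    status 'ok', 'mismatch' or 'missing'."""
    report = []
    for entry in entries:
        data = files.get(entry.old_path)
        if data is None:
            report.append((entry.old_path, "missing", entry.old_sha1, None))
            continue
        actual = sha1_hex(data)
        status = "ok" if actual == entry.old_sha1 else "mismatch"
        report.append((entry.old_path, status, entry.old_sha1, actual))
    return report


if __name__ == "__main__":
    # Constructed stand-in for the device's copy of the journal file; any content other
    # than the original produces the mismatch seen in last_update.log.
    journal = "system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal"
    device_files = {journal: b"constructed, modified journal\n"}
    for path, status, expected, actual in verify_sources(parse_manifest(SAMPLE_MANIFEST), device_files):
        print(f"{status:8s} {path}")
        print(f"         expected {expected}")
        print(f"         actual   {actual}")
```

On a real watch the `files` mapping would be replaced by reading each `old_path` under the mount the update agent uses; everything the script reports as `mismatch` or `missing` is a file the delta cannot patch, which is exactly the condition that makes the agent bail out with 0xd15.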
Related
Hi,
I would like to extract 2 DLLs from a GERMAN ROM.
I am interested in msimda.dll and msimde.192.dll, and I am interested to learn how to work with the Universal ROM.
But it is driving me crazy...
I have read this forum all day but I can't go on.
This is my last experiment
nkge.nba is qtek german rom (decoded)
mkdir files1 files2
dump nkge.nba -o 00000400 -e 001d2100 xip1.nb <-Offset From Universal Wiki
dump nkge.nba -o 00310000 -e 002d0000 xip2.nb <-Offset From Universal Wiki
dumprom -5 -d files1 xip1.nb <-Give me an error (after 27Files) :
error decompressing 90702000L0001f68d
fwrite: Invalid argument
error writing uncompressed data
dumprom -5 -d files2 xip2.nb <-OK
I have 59 files but there are no msimge.dll and msimge.192.dll; probably they are in the first XIP block, which gives me an error.
Can you help me please?
What am I doing wrong?
Bye.
Please, could somebody help me?
Just a little information or a link to read and study. I have searched all over the forum... but I am still blocked.
Hi,
try to read this and then search the forum for imgfs tools.
I've extracted files successfully with those tools, but not directly from the device, instead from an nbf file.
Hope this will be useful.
Sergio.
tripledes said:
Hi,
try to read this and then search the forum for imgfs tools.
I've extracted files successfully with those tools, but not directly from the device, instead from an nbf file.
Hope this will be useful.
Sergio.
Yes... thank you very much for your reply.
I have just read these posts but I can't go on.
I have nk.nba, which is my ROM image decoded with HTC64 "Extended ROM Tool.exe".
So I am trying with dumprom.exe and with viewimgfs.exe with the procedure described by mamaich in http://forum.xda-developers.com/showthread.php?t=249836
I can't extract files.
ViewImgFs (after a lot of "Unknown header type, FS_DATA_TABLE??") stops with the message:
"C:\Documents and Settings\stefano\Desktop\HTC\imgfstools>Error! ProcessFixups: cannot map dump\dhcp.dll\s15627"
And I have a "dump" directory with this structure
dhcp.dll <DIR>
eapchap.dll <DIR>
iexplore.exe <DIR>
jscript.dll <DIR>
urlmon.dll <DIR>
ws2instl.dll <DIR>
Only files with the same name as the directories listed before.
Can you help me with step-by-step indications please?
1) To extract from rom upgrade (nk.nbf):
Code:
alpinenbfdecode.pl -r nk.nbf nk.nb
mkdir files ; rdmsflsh.pl -d files nk.nb
2) To extract from device, follow instructions here, but replace "FLASHDR" for "TrueFFS" in Universal (instructions are for Hermes).
Then you get "File02.raw" which contains dumped imgfs, files can be extracted either with mamaich viewimgfs.exe or itsme rdmsflsh.pl.
3) If none of the above works, try to dump the files from the device using mamaich TestWM5.exe or Buzz's grab_it!.
Good luck
pof said:
1) To extract from rom upgrade (nk.nbf):
Code:
alpinenbfdecode.pl -r nk.nbf nk.nb
mkdir files ; rdmsflsh.pl -d files nk.nb
2) To extract from device, follow instructions here, but replace "FLASHDR" for "TrueFFS" in Universal (instructions are for Hermes).
Then you get "File02.raw" which contains dumped imgfs, files can be extracted either with mamaich viewimgfs.exe or itsme rdmsflsh.pl.
3) If none of the above works, try to dump the files from the device using mamaich TestWM5.exe or Buzz's grab_it!.
Good luck
Thank you... just another piece of info... please.
I would like to extract files from a complete German ROM.
I am trying with nk.nbf extracted from UNI_QTEK_13096_185_10900_GER_Ship.exe.
Why did you suggest I use "alpinenbfdecode"? I have a Universal.
I decode my nbf files with
http://buzzdev.net/index.php?option=com_content&task=view&id=65&Itemid=1
Is this wrong?
Sorry for my questions, but I don't have Perl on my PC and I would like to know if it is really necessary to install it.
So just for learning... can you tell me why the operations I am doing are wrong?
Thank you very much!
Bye
slevin said:
Why did you suggest I use "alpinenbfdecode"? I have a Universal.
alpine, magican, universal... they use the same NBF format version, so the script is also valid to decode universal NBF files.
slevin said:
I decode my nbf files with
http://buzzdev.net/index.php?option=com_content&task=view&id=65&Itemid=1
Is this wrong?
This produces a decoded file (.nb), same as if you ran "alpinenbfdecode.pl" with the -d parameter (decode), but I suggested you use it with -r, which outputs a RAW file, because rdmsflsh.pl expects a raw file and not a decoded file.
AFAIK the decoded file contains a header while the raw file doesn't; in the German Qtek ROM you mentioned, the header looks like this:
Code:
00000010 51 54 45 4b 5f 31 30 32 20 20 20 20 20 20 20 20 |QTEK_102 |
00000020 47 45 52 20 20 20 20 20 31 2e 33 30 2e 39 36 20 |GER 1.30.96 |
00000030 20 20 20 20 20 20 20 20 55 6e 69 76 65 72 73 61 | Universa|
00000040 6c 20 20 20 20 20 20 20 30 20 20 20 20 20 20 20 |l 0 |
00000050 37 30 30 30 30 30 30 30 31 30 30 30 30 30 20 20 |70000000100000 |
00000060 30 20 20 20 20 20 20 20 31 36 31 31 31 31 31 30 |0 16111110|
00000070 30 30 30 30 30 30 20 20 61 39 62 33 61 64 39 35 |000000 a9b3ad95|
Probably someone more experienced with the formats can tell you the exact differences; otherwise, if you know a bit of programming, you can look at the program's source and try to figure it out yourself.
slevin said:
Sorry for my questions, but I don't have Perl on my PC and I would like to know if it is really necessary to install it.
Try the other methods which do not involve using Perl; if you don't succeed in doing what you want, then install Perl. It takes just 5 minutes and you'll benefit from many .pl applications from itsme... the process to install it and all the needed modules is explained on the wiki page I pointed you to before.
slevin said:
So just for learning... can you tell me why the operations I am doing are wrong?
Sorry, I don't know for sure; probably you are using an encoded file and the program you use to extract the files from it expects a raw file. I guess you can use prepare_imgfs.exe to fix this, but I'm not sure... you'd better experiment with the tools until you accomplish your goal.
Thank you
Sorry for my delay and thank you very much for your help.
It works fine!
Now I am going to try to replace the two dll files and then I would like to build a custom cab to put in the extended ROM.
Thank you.
Hi, all! Please, help me solve my problem.
Yesterday I tried to build a custom ROM image for my PDA and failed.
I made the following steps:
1. I made a backup of the existing ROM using mtty and an SD card. The result was a 29 MB raw file
2. I downloaded the last ROM update from the HP site, extracted it and obtained the ceos.nbf file.
3. Next, I tried to use the prepare_imgfs and viewimgfs utilities with both files.
4. After using prepare_imgfs I got, as expected, the imgfs_raw_data.bin file
5. But when I used viewimgfs, it couldn't find any data in that file! Here is its output:
Code:
guidBootSignature: F8 AC 2C 9D E3 D4 2B 4D BD 30 91 6E D8 4F 31 DC
dwFSVersion: 00000001
dwSectorsPerHeaderBlock: 00000001
dwRunsPerFileHeader: 00000001
dwBytesPerHeader: 00000034
dwChunksPerSector: 00000008
dwFirstHeaderBlockOffset: 00000200
dwDataBlockSize: 00001000
szCompressionType: LZX
dwFreeSectorCount: 00013620
dwHiddenSectorCount: 00000100
dwUpdateModeFlag: 00000000
Address: 00000200, dwBlockSignature: 00001D20
dwNextHeaderBlock: FFFBFFFF (size: FFFBFDFF)
Header type: 2F5314CE, Addr: 00000208
Unknown header type, FS_DATA_TABLE??
and more messages like that.
Can anyone tell me where the problem is?
PS sorry for terrible English
stanru1 said:
Hi, all! Please, help me solve my problem.
Yesterday I tried to build a custom ROM image for my PDA and failed.
I made the following steps:
1. I made a backup of the existing ROM using mtty and an SD card. The result was a 29 MB raw file
2. I downloaded the last ROM update from the HP site, extracted it and obtained the ceos.nbf file.
3. Next, I tried to use the prepare_imgfs and viewimgfs utilities with both files.
4. After using prepare_imgfs I got, as expected, the imgfs_raw_data.bin file
5. But when I used viewimgfs, it couldn't find any data in that file! Here is its output:
Code:
guidBootSignature: F8 AC 2C 9D E3 D4 2B 4D BD 30 91 6E D8 4F 31 DC
dwFSVersion: 00000001
dwSectorsPerHeaderBlock: 00000001
dwRunsPerFileHeader: 00000001
dwBytesPerHeader: 00000034
dwChunksPerSector: 00000008
dwFirstHeaderBlockOffset: 00000200
dwDataBlockSize: 00001000
szCompressionType: LZX
dwFreeSectorCount: 00013620
dwHiddenSectorCount: 00000100
dwUpdateModeFlag: 00000000
Address: 00000200, dwBlockSignature: 00001D20
dwNextHeaderBlock: FFFBFFFF (size: FFFBFDFF)
Header type: 2F5314CE, Addr: 00000208
Unknown header type, FS_DATA_TABLE??
and more messages like that.
Can anyone tell me where the problem is?
PS sorry for terrible English
i would like to know an answer for this too. thanks
I found a solution to extract files, but I couldn't find out how to pack them back...
To unpack files, you need:
1. the Perl interpreter
2. the script, which can be found on http://forum.wce.by/viewtopic.php?p=78923#78923
3. You must replace the $A and $S variables with your values:
$A is the address of the beginning of the imgfs block. It can be found using WinHex and the F8AC2C9DE3D42B4DBD30916ED84F31DC signature. $S is the size of the imgfs block. It can be found with the signature E9FDFF. You must find the table of partitions and take 4 bytes, as shown on the screenshot, in reverse order. (00 C0 BD 00 -> 00BDC000)
For example, for the iPaq1950 ROM, taken from the HP update, the values are:
$I = "CEOS.nbf";
$O = "bigbrother.bin";
$A = 0x003BB55A;
$S = 0x0000BDC0;
After the Perl script finishes its work you can use the imgfsToDump or viewimgfs tools.
For this solution HUGE thanks to Gvr.
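The two numbers stanru1 describes finding by hand in WinHex (the offset $A of the IMGFS boot signature, and a 4-byte little-endian size read "in reverse order") can be located by a script, and once the offset is known the IMGFS header can be decoded in the same field order viewimgfs printed earlier in this thread. The following is an added example written for this thread, not code from the thread, from viewimgfs or from the Perl script linked above. It assumes the header layout as inferred from that viewimgfs dump (the 16-byte GUID, seven little-endian DWORDs, a 4-byte compression tag, then three DWORDs; 60 bytes in total), and it builds a constructed image carrying the exact values from that dump so that it runs offline; on a real dump you would read the file into `image` instead.

```python
import struct

# 16-byte IMGFS boot signature (the GUID the post says to search for in WinHex).
IMGFS_GUID = bytes.fromhex("F8AC2C9DE3D42B4DBD30916ED84F31DC")

# Header layout as inferred from the viewimgfs field dump quoted earlier in this thread:
# the GUID, seven little-endian DWORDs, a 4-byte compression tag, three more DWORDs.
HEADER = struct.Struct("<16s7I4s3I")
FIELDS = (
    "guidBootSignature", "dwFSVersion", "dwSectorsPerHeaderBlock", "dwRunsPerFileHeader",
    "dwBytesPerHeader", "dwChunksPerSector", "dwFirstHeaderBlockOffset", "dwDataBlockSize",
    "szCompressionType", "dwFreeSectorCount", "dwHiddenSectorCount", "dwUpdateModeFlag",
)


def le32(four_bytes):
    """Read four bytes 'in reverse order', as the post puts it: 00 C0 BD 00 -> 0x00BDC000."""
    return struct.unpack("<I", four_bytes)[0]


def find_imgfs(image, start=0):
    """Offset of the first IMGFS boot signature at or after `start` (this is $A)."""
    offset = image.find(IMGFS_GUID, start)
    if offset < 0:
        raise ValueError("IMGFS boot signature not found")
    return offset


def parse_imgfs_header(image, offset):
    """Decode the IMGFS header at `offset` into a dict keyed like viewimgfs' output."""
    raw = image[offset:offset + HEADER.size]
    if len(raw) < HEADER.size:
        raise ValueError("image truncated inside IMGFS header")
    header = dict(zip(FIELDS, HEADER.unpack(raw)))
    header["szCompressionType"] = header["szCompressionType"].rstrip(b"\x00").decode("ascii", "replace")
    return header


def header_problems(header):
    """Plausibility checks; a header that passes is worth handing to viewimgfs/imgfsToDump.
    The two compression tags are the ones I know IMGFS images use (assumption)."""
    problems = []
    if header["guidBootSignature"] != IMGFS_GUID:
        problems.append("boot signature mismatch")
    if header["dwFSVersion"] != 1:
        problems.append(f"unexpected dwFSVersion {header['dwFSVersion']}")
    if header["szCompressionType"] not in ("LZX", "XPR"):
        problems.append(f"unknown compression type {header['szCompressionType']!r}")
    if header["dwFirstHeaderBlockOffset"] == 0 or header["dwDataBlockSize"] == 0:
        problems.append("zero first-header offset or data block size")
    return problems


def build_sample_image(imgfs_offset=0x200):
    """Constructed image: zero padding, then a header carrying the exact values from the
    viewimgfs dump in this thread, then filler. Not a real ROM."""
    header = HEADER.pack(IMGFS_GUID, 1, 1, 1, 0x34, 8, 0x200, 0x1000, b"LZX\x00", 0x13620, 0x100, 0)
    return b"\x00" * imgfs_offset + header + b"\xff" * 0x400


if __name__ == "__main__":
    image = build_sample_image()
    a = find_imgfs(image)
    hdr = parse_imgfs_header(image, a)
    print(f"$A = 0x{a:08X}")
    for name in FIELDS[1:]:
        value = hdr[name]
        print(f"{name}: {value:08X}" if isinstance(value, int) else f"{name}: {value}")
    print("problems:", header_problems(hdr) or "none")
```

Running `find_imgfs` on a dump gives $A directly, and `le32` is the "reverse order" step for $S applied to the four bytes taken from the partition table entry. The plausibility checks are what separates the situation in this thread (viewimgfs reading garbage block headers) from a header that is actually at the offset you handed the tool: if the GUID does not sit at the offset the tool is given, every field after it is noise.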
stanru1 said:
I found a solution to extract files, but I couldn't find out how to pack them back...
To unpack files, you need:
1. the Perl interpreter
2. the script, which can be found on http://forum.wce.by/viewtopic.php?p=78923#78923
3. You must replace the $A and $S variables with your values:
$A is the address of the beginning of the imgfs block. It can be found using WinHex and the F8AC2C9DE3D42B4DBD30916ED84F31DC signature. $S is the size of the imgfs block. It can be found with the signature E9FDFF. You must find the table of partitions and take 4 bytes, as shown on the screenshot, in reverse order. (00 C0 BD 00 -> 00BDC000)
For example, for the iPaq1950 ROM, taken from the HP update, the values are:
$I = "CEOS.nbf";
$O = "bigbrother.bin";
$A = 0x003BB55A;
$S = 0x0000BDC0;
After the Perl script finishes its work you can use the imgfsToDump or viewimgfs tools.
For this solution HUGE thanks to Gvr.
Very nice thanks.
If you find a way to repack it, it would be even better. I actually want to use this method for the hp1930. My problem is that there are no official updates for this model, so I have no shipped roms. Only a sd image dump.
What type of image is the sd dump? dnf or .bin (raw) ?
I think it's a raw dump. In any case, imgfs is the same on both images.
stanru1 said:
I think it's a raw dump. In any case, imgfs is the same on both images.
thanks again
any idea on how to get the start address and size from an SD image? I can't find those signatures in the dump
thanks
The signatures may differ for a specific image. If you want, I could look at your file, if you upload your ROM to Rapidshare or a similar file-uploading service and give me the link
stanru1 said:
The signatures may differ for a specific image. If you want, I could look at your file, if you upload your ROM to Rapidshare or a similar file-uploading service and give me the link
thanks man,
I'm uploading to rapidshare right now.
the image was created using a 64 MB SD so the image size might be a bit longer
edit :
this is the link: http://rapidshare.com/files/25438977/1930.rar.html
any updates on how to modify a sd image?
Hey guys,
A few people contacted me recently to ask me if I could work on new Lg devices (namely gm730/gm750) to cook custom roms and/or adapt my lg kitchen. As you may imagine, working on new devices is not an easy thing, especially when you don't own one . It's also very time consuming and that's a resource that I really tend to lack these days.
Anyways, it's not my first experience in "blind cooking", so if enough people are interested, I'll do what I can to help you.
But of course, I need people who are not afraid of bricking their device (it's not likely to happen, but we never know, and this time, I can't test myself) to experiment a few things. I'll also need answers to a few questions, so that I understand what can be done exactly.
My plans are to work on the experimental part and publish a light rom if possible (it seems that many people would like a device crapware free ). When (/if) it's done, I'll upgrade the kitchen and release it so that you can all cook roms.
Donators: oktay555, eselcuker
FAQ: see post 2
FAQ:
* What is the flash procedure ? Does it use an emergency mode ? Can it flash dz files ?
Homero2 says that lgmdp seems to work (although he didn't manage to cook a rom that can boot).
* Are GM730/GM730e/GM730f roms compatible ? If no, does it brick the device, or does it simply refuse to flash the file ?
* What about GM735 ?
* And GM750 ?
GM750 and GM730 are not totally the same, as the GM750 has a flashlight (which means that at least 1 driver should be different). I think a unified rom won't be possible.
* Can I flash a WM6.5 GM730 rom (officially named v20) on any GM730(e/f) ?
As far as I know, when you flash a gm730 wm6.5 rom, you can't go back to wm6.1 rom. Don't know why though.
* Anything else I need to know ?
I have a GM730f from Telstra in Australia
Hi Spocky,
I have a GM730f from Telstra here in Australia - I originally purchased via ebay as I was taken with the form factor and the microUSB and I'm a fan of WM not iPhones.
I have already created 4 x default RAW files from the device as per itsutils and I'm more than happy to help
I am currently in discussion with LG locally about the WM 6.5 upgrade - although it appears that this is being provided by LG from their own AU website, this would appear to have been "delayed" by needing "approval" from Telstra (carrier) before release. Or at least that's what I was told 2 weeks ago - even though I have already received an email from LG advising me that it was ready.....
I have expressed some *dis-satisfaction* with LG's upgrade process and I'm questioning why it could not simply be in the form of a simple downloadable ROM Update, run locally across the existing ActiveSync connection - we'll see what gets released?
See - "lg gm730f 6.5 techagility" in google for my results so far
Any more news and I'll post here?
Cheers,
Dave
sure GM730 != GM750
GM750 has a flashlight on the back and the micro-SD position is different
Thanks for the info, I updated the faq.
@David Caddick : could you tell me the name of the rom that was downloaded by lg's updater ? (it should be somewhere in your document & settings" folder).
LG's BS Updater....
Hi Spocky,
That's what I'm getting at - this thing is crap...
There is nothing except this in the %ProgramData% folder - but do bear in mind that I have run this from a Windows 7 x64, but I appear to be getting the same thing from an XP Pro?
Directory of C:\ProgramData\LGMOBILEAX
13/12/2009 01:56 PM <DIR> .
13/12/2009 01:56 PM <DIR> ..
28/07/2009 07:30 AM 47,048 B2BLGMLauncher.exe
19/01/2010 10:06 PM <DIR> B2B_Client
19/01/2010 10:12 PM <DIR> B2C_Client
13/12/2009 01:56 PM <DIR> image
13/12/2009 01:56 PM <DIR> Language
15/01/2010 05:24 AM 59,328 LGMLauncher.exe
2 File(s) 106,376 bytes
Directory of C:\ProgramData\LGMOBILEAX\B2B_Client
19/01/2010 10:06 PM <DIR> .
19/01/2010 10:06 PM <DIR> ..
24/06/2009 07:28 AM 210,888 B2BAppUninstall.exe
15/01/2010 05:10 AM 939,968 B2BCheckApp.exe
04/05/2006 08:33 AM 53,248 CommonDL.dll
19/11/2009 08:28 AM 90,112 LGMobileDL.dll
06/10/2009 07:12 AM 24,576 LGMobileDLRapi.dll
15/01/2010 05:08 AM 499,712 LGMUpgradeDL.dll
19/01/2010 10:06 PM <DIR> LiveUpdateAgent
24/06/2009 02:40 AM 571 RA.kdz
24/06/2009 02:40 AM 49,228 RC.kdz
8 File(s) 1,868,303 bytes
Directory of C:\ProgramData\LGMOBILEAX\B2B_Client\LiveUpdateAgent
19/01/2010 10:06 PM <DIR> .
19/01/2010 10:06 PM <DIR> ..
02/01/2010 07:54 AM 124,880 B2BFileUpdateAgent.exe
1 File(s) 124,880 bytes
Directory of C:\ProgramData\LGMOBILEAX\B2C_Client
19/01/2010 10:12 PM <DIR> .
19/01/2010 10:12 PM <DIR> ..
04/11/2009 04:57 AM 206,792 B2CAppUninstall.exe
15/06/2009 07:21 AM 182,208 B2CNotiAgent.exe
19/11/2009 08:28 AM 90,112 LGMobileDL.dll
06/10/2009 07:12 AM 24,576 LGMobileDLRapi.dll
15/01/2010 05:08 AM 499,712 LGMUpgradeDL.dll
15/01/2010 05:24 AM 1,038,272 LGUserCSTool.exe
24/06/2009 02:40 AM 571 RA.kdz
24/06/2009 02:40 AM 49,228 RC.kdz
8 File(s) 2,091,471 bytes
Directory of C:\ProgramData\LGMOBILEAX\image
13/12/2009 01:56 PM <DIR> .
13/12/2009 01:56 PM <DIR> ..
19/01/2010 10:12 PM 76 dot.gif
19/01/2010 10:12 PM 483 footer.gif
19/01/2010 10:12 PM 67 header_bg.gif
19/01/2010 10:12 PM 1,799 header_logo.gif
19/01/2010 10:12 PM 699 icon_information.gif
19/01/2010 10:12 PM 709 icon_question.gif
19/01/2010 10:12 PM 724 icon_stop.gif
19/01/2010 10:12 PM 10,263 main.jpg
19/01/2010 10:12 PM 2,214 process_line.gif
19/01/2010 10:12 PM 5,753 write_phone_error.gif
10 File(s) 22,787 bytes
Directory of C:\ProgramData\LGMOBILEAX\Language
13/12/2009 01:56 PM <DIR> .
13/12/2009 01:56 PM <DIR> ..
19/01/2010 10:12 PM 33,989 lang.opt
1 File(s) 33,989 bytes
Cheers,
Dave
Output from ITSUTILS for GM730
So just to carry on a bit
Output from itsutils:
pdocread -l gives...
449.63M (0x1c1a0000) DSK1:
| 1.62M (0x19f000) Part00
| 3.13M (0x320000) Part01
| 121.25M (0x7940000) Part02
| 323.63M (0x143a0000) Part03
3.79G (0xf2e00000) DSK2:
| 3.79G (0xf2a00000) Part00
STRG handles:
handle#0 efbc29ca 3.79G (0xf2a00000)
handle#1 0ff1f93a 323.63M (0x143a0000)
handle#2 4ff66b0e 121.25M (0x7940000)
handle#3 2ffb2026 3.13M (0x320000)
handle#4 cffb204a 1.62M (0x19f000)
disk efbc29ca
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 0ff1f93a
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 4ff66b0e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 2ffb2026
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk cffb204a
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
You said in your blog that it's downloading a 107Mb file before flashing. I assume that this file is somewhere in this folder.
Then, just before flashing, this kdz file should be extracted to a .dz file. Perhaps it's removed at the end of the flash procedure.
I hope 4pda.ru people can tell us more (they seem to know how to get/extract/flash a dz file).
spocky12 said:
Perhaps it's removed at the end of the flash procedure.
You're right.
To extract the dz you need LG-utils http://www.assembla.com/spaces/ks36...eJe5afGb/download?filename=LG-Utils-0.4.2.zip and the firmware kdz.
And there is one problem - we had to flash a lot of phones. As a result, we have three dead phones. In all of them the mainboard was replaced. The research results show a definite trend, but it is not accurate: whether the phone dies from a large number of attempts, or from a large number of flashes in a short period of time, for example 15 flash attempts in a couple of hours.
Hello, I am Homero from the forum clublgmobile.com.
We have done some local flash tests for the GM750 (Layla) and, as you remark, have achieved it.
We use the program LGMDP EURO; it accepts firmwares in DZ format and decompressed DZ (mbn, bin).
I cooked a ROM but it did not work; any LG phone you can recover after a brick, this is done with the B2C-Utill in Emergency Mode.
To cook I used the kitchen of a Toshiba, but without positive results, since I am doing it blindly.
Spocky12, thank you a lot for the effort you are making, and I understand you, since I am not the owner of a GM750; I have a Viewty and an ARENA.
spocky12
Hello! I'm from 4pda.ru. What do you need to help?
(Hello! I'm from 4pda.ru. How can I help you?)
@derspy: I don't know the reason why some phones were bricked, but I'm pretty confident in the fact that they can resist a lot of flashes. I spent nights flashing my ks20 (up to 15 times). And I think I made more than 1 flash per day for 15 months.
@Homero: can you confirm that lgmdp works to flash a dz file on gm750 (possibly gm730)? Did you try to only extract a kdz and flash the resulting dz in lgmdp? Did it work? You also say that you can recover a "bricked" phone in emergency mode. That's good news. Could you give us a download link for the driver that you used to connect the gm750 to lgmdp? And the full procedure to go into emergency mode and flash?
@rus-expert: Could you answer the questions from the faq please (2nd post)? I need to know about device rom compatibility (gm730/e/f/735) and the best procedure to flash a dz (it seems that lgmdp still works on gm750, so I guess gm730 should work too) (I think the best procedure would be in emergency mode, so that we can recover from bad flashes and it's not dependent on a driver in windows mobile). I also read on 4pda that when you flash a wm6.5 official rom (v20), then you can't go back to wm6.1. Is that a problem of phone detection in your flash tool? Is the problem also visible in emergency mode? Is it only that the phone is not recognised by windows anymore (driver problem)?
I need answers to those questions so that
- I choose on which rom I'll base my work (to have the most recent one for the largest number of phones)
- we can use a standard procedure to flash the phones of the few people who will test experimental roms.
Thanks
spocky12 said:
@derspy: I don't know the reason why some phones were bricked, but I'm pretty confident in the fact that they can resist a lot of flashes. I spent nights flashing my ks20 (up to 15 times). And I think I made more than 1 flash per day for 15 months.
That is such a bad feature of the GM730.
lgmdp is not working for gm730. Flash DZ with lgmdp2, KDZ with LG-utils or KDZ_FW_UPD. 730 may be flashed to 730e or 730f, but not back, nor 730e to 730f and f to e.
After flashing 20 you cannot go back to 10: the phone flashes ok, but does not work. When flashing firmware 20 something changes in the NAND (judging by the flasher logs).
flashing V10 firmware:
[00:10:56:053] : Pre Nand Download
[00:10:56:053] : >>Set Trusted Mode [DLOAD_NAND_SEC_MODE] sec_mode = 1 (1=trusted 0=NonTrusted)
[00:10:56:069] : >>NandFlashInitWithFile(PARTITION TBL)
[00:10:56:100] : >>INITIALIZING AMSS (RAM)
[00:10:56:100] : >>Get Parameters [DLOAD_LGE_SUB_GET_PARAM_CMD]
[00:10:56:100] : WM_COPYDATA ёЮЅГБц єёії 3 - GET PARAMS
[00:10:56:100] : >> AMSS RAM INIT
[00:10:56:100] : [ DLOAD_LGE_SUB_RAM_NEW_INIT ]
[00:10:56:116] : ZI REGION : 125820848 bytes
[00:10:56:116] : >>Dl_AsyncWrite()
[00:10:56:116] : >> AMSS FLASHING ...
flashing V20 firmware:
[22:14:23:281] : Pre Nand Download
[22:14:23:281] : >>Set Trusted Mode [DLOAD_NAND_SEC_MODE] sec_mode = 1 (1=trusted 0=NonTrusted)
[22:14:23:296] : >>NandFlashInitWithoutFile(PARTITION TBL)
[22:14:23:296] : >> Check BCPL Status ...
[22:14:23:328] : >> BCPL On ...
[22:14:23:328] : BCPE ...
[22:14:23:328] : >> BCPL Unlocked ...
[22:14:23:328] : >> Check BCPL Status ...
[22:14:23:359] : >> BCPL Off ...
[22:14:23:359] : _NandDownload(QCSBL HEADER)
[22:14:23:359] : 1, 1
[22:14:23:359] : >>NandFlashInitWithoutFile(QCSBL HEADER)
[22:14:23:359] : >>NandFlashWrite QCSBL HEADER
[22:14:23:375] : WM_COPYDATA ёЮЅГБц єёії 3 - FINALIZE
[22:14:23:406] : _NandDownload(QCSBL)
[22:14:23:406] : 1, 1
[22:14:23:406] : >>NandFlashInitWithoutFile(QCSBL)
[22:14:23:406] : >>NandFlashWrite QCSBL
[22:14:23:625] : WM_COPYDATA ёЮЅГБц єёії 3 - FINALIZE
[22:14:23:656] : _NandDownload(OEMSBL)
[22:14:23:656] : 1, 1
[22:14:23:656] : >>NandFlashInitWithoutFile(OEMSBL HEADER)
[22:14:23:656] : >>NandFlashWrite OEMSBL
[22:14:24:718] : WM_COPYDATA ёЮЅГБц єёії 3 - FINALIZE
[22:14:24:765] : _NandDownload(OEMSBL)
[22:14:24:765] : 1, 1
[22:14:24:765] : >>NandFlashInitWithoutFile(OEMSBL HEADER)
[22:14:24:765] : >>NandFlashWrite OEMSBL
[22:14:25:812] : WM_COPYDATA ёЮЅГБц єёії 3 - FINALIZE
[22:14:25:859] : >>INITIALIZING AMSS (RAM)
[22:14:25:859] : >>Get Parameters [DLOAD_LGE_SUB_GET_PARAM_CMD]
[22:14:25:859] : WM_COPYDATA ёЮЅГБц єёії 3 - GET PARAMS
[22:14:25:875] : >> AMSS RAM INIT
[22:14:25:875] : [ DLOAD_LGE_SUB_RAM_NEW_INIT ]
[22:14:25:875] : ZI REGION : 125820848 bytes
[22:14:25:875] : >>Dl_AsyncWrite()
[22:14:25:875] : >> AMSS FLASHING ...
The 20 firmware unpacked from dz .... consists of many parts of flash.bin (flash.bin_00 and so on), and the flash.bin assembled from these parts is not unpacked in your last kitchen.
Firmware from GM735 is normal and properly unpacked, as well as 730 based on WM 6.1.
Ok, we've broken some GM750s and when I recovered them, it was good for LG.
LGMDP works; it is the official technical maintenance program, but it only works with DZ or BIN. KDZ format is no problem.
The method I use is to replace the file FLASH.bin by cooking.
This is the structure of a BIN firmware:
amss.mbn
amsshd.mbn
apps.mbn
appsboot.mbn
appsboothd.mbn
FLASH.bin
fwua.mbn
oemsbl.mbn
oemsblhd.mbn
partition.mbn
qcsbl.mbn
qcsblhd_cfgdata.mbn
Here you will find a manual in Spanish; my problem is I do not speak English and I use Google to translate, but I fear that translating an entire manual would not go well and it would be unreadable.
http://www.clublgmobile.com/foro/(ku990)-firmware-y-hacks/flasheo-normal-y-de-emergencia-7241/
The image belongs to a flash for the KU990 but Layla is similar.
This is the basic method, but if any LG bricks, it can be put into Emergency_Download state and recovered.
I remain at your disposal for anything you need; in clublgmobile.com we have a few users who are willing to brick their phones. I have learned and know how to recover a soft brick.
PD:
I have lots of experience with the Viewty and ARENA, but with Win. I am a rookie.
EDIT:
I was looking for MSFLSH50 in FLASH.bin, which I found in two different positions.
0x121A8F> MSFLSH500
0x4D32F3> MSFLSH50
EDIT 2:
Service Manual GM750
Read from page 156; it explains the methods and tools needed to flash.
I have a new LG GM750 in German and would like to change it to English. Does any of you have the way to change the ROM to a customized one or perhaps an original one from the UK for example. I will appreciate your comments, [email protected]
Flasher for .KDZ KDZ_FW_UPD (requires official B2C Client http://csmg.lgmobile.com:9002/client/app/B2CAppSetup.exe )
LGMDP2 with dll, driver and manual http://www.mediafire.com/?gmkyw31zmky
LG GM730 Service Manual http://www.mediafire.com/?j3mkmmlzmqt
There has to be a way to make gm730 work with lgmdp :
- As Homero2 said, gm750 works with it and it's almost the same phone.
- the gm730 service manual shows that it's the tool used by support service.
Homero2, could you please give us the link to the driver used by those who tried to flash your rom on lgmdp?
Dear spocky12,
First of all thanks a lot for your effort on this subject.
I will share all we (Turkish GM735 users) know about EIGEN (GM730-GM730E-GM730F-GM735) and LAYLA (GM750) tonight. We could find most things from Russian (4pda.ru) and Spanish (clublgmobile.com) forums and it's so good to see those dear friends here.
*************************************************************************************************************************
I saw that there are a few methods for flashing Eigen and Layla.
One of them is the same as KS20's flashing tool LGMDP.
The new version of LGMDP (1.6) supports GM730 and GM750. But I couldn't flash my GM735 with LGMDP. The program could see my device and connect but couldn't open the "select image" or "download" page (however we see that "LGMDP is service tool" as written in the GM730 service manual). But I saw that GM750 can be flashed by LGMDP (http://4pda.ru/forum/index.php?showtopic=153281&st=0#entry3830967).
One of them is at @derspy's post (KDZ_FW_UPD)
Another method (LGDP2); (I tried but got an error "monitor")
http://hotfile.com/dl/25756373/0e5137e/GM730_LGDP2_method.rar.html
And another one is LG_Utils (@derspy said that it works on GM730)
http://hotfile.com/links/25894919/cbc9369/LG_Utils.rar
You may know but I share links about GM730 - 750
http://4pda.ru/forum/index.php?showtopic=140987
http://4pda.ru/forum/index.php?showtopic=143311
http://4pda.ru/forum/index.php?showtopic=153281&st=0#entry3830967
http://4pda.ru/forum/index.php?showtopic=152617&st=0&#entry3812972
http://www.clublgmobile.com/foro/(gm750)-tutoriales-manuales/drivers-y-manual-servicio/
And last, one of our friends tried to flash his device (GM735) with this (http://www.mediafire.com/?o3rq54yennj) tool (I think this tool is for Incite). He could flash this rom http://www.mediafire.com/?whoa2nymywl (ROM_5.2.21815_Build_21815.5.0.50_WWE custom wm6.5 for GM730) but his device didn't turn on. He took the device to service and learnt that they will change the main-board under warranty (service couldn't understand "illegal use").
Sorry about poor English...
This is the latest firmware for Spain
Layla_GM750_DZ_VF_Spain_V10f_NOV
This is the LGMDP 1.6
LGMDP_EURO_Ver_1_6_Build_2_4.rar - 1.83MB
This is the driver
LGSPUSBDriver_Eng_Ver_2.0.zip
Sorry, the previous driver is invalid for flashing; this is another one, but the program LGMDP alone detects it in Emergency Mode.
http://csmg.lgmobile.com:9002/swdata/USBSW/GSM/EG/LGUSBModemDriver_WHQL_ML_Ver_4.9.6_All_091203.zip
thanks for your support spocky12. we are waiting... (LG GM735)
Hello people,
Are there any tools for viewing and editing the amss.bin?
HEX Editor...
IDA...
Brain.
Best Regards
adfree said:
HEX Editor...
IDA...
Brain.
Best Regards
with revskill i got this with amss.bin
#define UNLOADED_FILE 1
#include <idc.idc>
static main() {
MakeName(0x00079B70, "Memcmp");
MakeName(0x00062160, "Memcpy");
MakeName(0x0022E924, "Memcpy");
MakeName(0x0006216B, "Memcpy_Generic");
MakeName(0x0022E92F, "Memcpy_Generic");
MakeName(0x000621D0, "__rt_udiv");
MakeName(0x00079F8C, "__rt_udiv");
MakeName(0x00062334, "strlen");
MakeName(0x0007A2C4, "strlen");
MakeName(0x00070DB2, "diag_sp");
MakeName(0x00062298, "strcmp");
MakeName(0x0007A1D8, "strcmp");
MakeName(0x0007A360, "strncpy");
MakeName(0x00072502, "diag_pkt");
MakeName(0x00062F00, "__rt_div0");
MakeName(0x0007D324, "__rt_div0");
MakeName(0x00062F10, "__32__rt_raise");
MakeName(0x0007F1F8, "__32__rt_raise");
MakeName(0x00ACC3A8, "rex_int_lock_32");
MakeName(0x00072330, "subsys_getid");
MakeName(0x0007A548, "vsprintf");
MakeName(0x00062004, "MemClr");
MakeName(0x0022E7C8, "MemClr");
MakeName(0x000725CC, "diag_subsystem");
MakeName(0x0006EC72, "diag_hdlr");
MakeName(0x000726D2, "diag_hdlr");
MakeName(0x00083D86, "diag_hdlr");
MakeName(0x00085432, "diag_hdlr");
}
What about it ?
@Tigrouzen, no segment found at 0x00079B70 etc.
amss is a regular elf with a bunch of segments
Code:
Name : LOAD
Start : 0x001E7000
End : 0x001EE000
Length: 0x00007000
----------------------
Name : LOAD
Start : 0x001F0000
End : 0x001F1000
Length: 0x00001000
----------------------
Name : LOAD
Start : 0x001F2000
End : 0x005D8000
Length: 0x003E6000
----------------------
Name : LOAD
Start : 0x005D8000
End : 0x00CDB000
Length: 0x00703000
----------------------
Name : LOAD
Start : 0x00CDB000
End : 0x00D11000
Length: 0x00036000
----------------------
Name : LOAD
Start : 0x00D11000
End : 0x00DAF000
Length: 0x0009E000
----------------------
Name : LOAD
Start : 0x00DAF000
End : 0x00DB9000
Length: 0x0000A000
----------------------
Name : LOAD
Start : 0x00DB9000
End : 0x00E9B000
Length: 0x000E2000
----------------------
Name : LOAD
Start : 0x00E9C000
End : 0x01BF9000
Length: 0x00D5D000
----------------------
Name : LOAD
Start : 0x01BF9000
End : 0x01D05000
Length: 0x0010C000
----------------------
Name : LOAD
Start : 0x01FF0000
End : 0x01FF006C
Length: 0x0000006C
----------------------
Name : LOAD
Start : 0xB0000000
End : 0xB0010CE7
Length: 0x00010CE7
----------------------
Name : LOAD
Start : 0xB0040000
End : 0xB0057000
Length: 0x00017000
----------------------
Name : LOAD
Start : 0xB0100000
End : 0xB0107207
Length: 0x00007207
----------------------
Name : LOAD
Start : 0xB0140000
End : 0xB01401B8
Length: 0x000001B8
----------------------
Name : LOAD
Start : 0xB0200000
End : 0xB0208CF3
Length: 0x00008CF3
----------------------
Name : LOAD
Start : 0xB0240000
End : 0xB024028C
Length: 0x0000028C
----------------------
Name : LOAD
Start : 0xB0400000
End : 0xB040DBE8
Length: 0x0000DBE8
----------------------
Name : LOAD
Start : 0xB0600000
End : 0xB0602000
Length: 0x00002000
----------------------
Name : LOAD
Start : 0xB0602000
End : 0xB0604000
Length: 0x00002000
----------------------
Name : LOAD
Start : 0xF0000000
End : 0xF001F878
Length: 0x0001F878
----------------------
Name : LOAD
Start : 0xF0020000
End : 0xF0026000
Length: 0x00006000
load amss.bin with TriX, dump decoded stage (elf format) and analyze with disassembler (e.g. IDA)
Ok guys, I extracted the certificate from Amss S8530 XEJL2, bootloader segments full info fsbl sbl...
Also I can dump the complete NAND and find the segment and algorithm for RC1 too
This is the appscompressed.bin algorithm
0x01ca7750 RIPEMD128+160+MD4
0x01ca7750 SEAL+MD4 key
appcomp hash :
Amss algo :
0x0007fce0 CRC-16 norm
0x0007fee0 CRC-16 inv
0x0007f8e0 CRC-30
0x0007eb50 CRC30 Function
0x00b66194 CRC-32
0x00b66394 CRC32 Function
0x000800e0 CRC-32 Xilinx
0x0007eb58 CRC32 Xilinx Function
0x000800e4 CRC32 Xilinx Function
0x00c3c490 DES RAW Spbox
0x00c39381 RSA PKCS SHA1/RIPEND Digest
0x00c39390 MD2 S
0x00463548 SHA2 table
0x008fcc88 SHA2 table
0x00b6eb14 ZDeflate
0x0041a28c SHA1+MD4+MD5 init
0x008fcb08 SHA1+MD4+MD5 init
0x00c3d7f8 SHA1+MD4+MD5 init
0x0041a29c SHA1+MD4+MD5 key1
0x008fcb18 SHA1+MD4+MD5 key1
0x00c3d808 SHA1+MD4+MD5 key1
0x001a9844 SHA1+MD4+MD5 key2
0x0041ac1c SHA1+MD4+MD5 key2
0x008fcb1c SHA1+MD4+MD5 key2
0x001a9848 SHA1+MD4+MD5 key3
0x0041ac20 SHA1+MD4+MD5 key3
0x008fcb20 SHA1+MD4+MD5 key3
0x00463648 SHA2 init table
0x008fcd88 SHA2 init table
0x00c3d80c SHA2 init table
0x0046364c SHA2 init table
0x008fcd8c SHA2 init table
0x00c3d810 SHA2 init table
0x00419980 RIPEMD128+160+MD4
0x008fcaf8 RIPEMD128+160+MD4
0x00bdcca0 RIPEMD128+160+MD4
0x001a9844 MD5
0x0041ac1c MD5
0x008fcb1c MD5
0x00419980 SEAL+MD4 key
0x008fcaf8 SEAL+MD4 key
0x00bdcca0 SEAL+MD4 key
0x004fc7af HTC PUBLIC KEY
0x00708134 Sober 128
0x00c3cd90 Sober 128 SBox
Possible algos little endian: 45
0x00315f6c AES te
Possible algos big endian: 1
Amss hash :
Amss certificate :
https://rapidshare.com/files/3061245812/1.cer
Well, the main idea was ..., to get some tools with which the amss.bin for bada v1.2 and v2 can be modified to work for the American/Australian version of the wave. Looks like there are some hardware differences and this file is containing information needed for the RF module.
Looks like there are some hardware differences and this file is containing information needed for the RF module
No idea if Hardware differences, but I'm pretty sure there are different Config/Calibration data...
Check out NV items... AMSS + NV items = Qualcomm related part...
http://www.samsunguniverse.com/forum/s8500-can-work-with-qualcomm-tools-t199.html
You could take an look on FCC documents for maybe Hardware check...
Best Regards
I think gambal refers to UMTS bands, Europe is different than in America.
UMTS bands in America are 850 - 1900
UMTS bands in Europe are 2100
bada 1.2 and above only works with Euro bands (these updates haven't been officially released in America), so as we know the file "amss.bin" contains the parameters that define which bands to work on, it would be good to try to edit the information to compile a new "amss.bin" to work with American bands ..
Many Americans would be happy!
...would be good to try to edit the information to compile a new "amss.bin" to work with American bands ...
But you are really sure that not NV items differ?
Maybe easier to compare NV items...
Best Regards
You mean to compare amss NV items from a 1.0 American firmware and another 1.2 European firmware?
I imported a list of NV items from my mobile (bada 1.0 American) into a .Qcn file; I will compare it with another one from 1.2.
Is it possible to create more NV items if necessary?
sorry for double post.
I've compared NV items of my phone, first with a 1.0 American firmware then with a 1.2 European firmware..
EDIT: I thought that there were no differences because the file size was identical, but looking more attentively I find some; I will continue researching.
You tried QPST or which Tool?
And are sure there are no differences?
I have 2x S8500... with QPST difference 10 NV items + one S8500 has 10 more
Content not checked... too lazy at this time.
Best Regards
Edit 1.
File Summary:
Phone Model: 19 [QSC6270/QSC6240], Configuration Name: default, Total NV Item Count: 305
File Summary:
Phone Model: 19 [QSC6270/QSC6240], Configuration Name: default, Total NV Item Count: 319
And these are only the "official" NV items... and not the hidden one...
Example...
Code:
NV item: 2608 [NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I], index 0
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 0: 12 3d fc ff 9c 3c fc ff 26 3c fc ff b0 3b fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 1: 34 3b fc ff af 3a fc ff 2a 3a fc ff a6 39 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 2: 22 39 fc ff 9f 38 fc ff 0c 38 fc ff 65 37 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 3: be 36 fc ff 18 36 fc ff 73 35 fc ff ce 34 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 4: 2a 34 fc ff 87 33 fc ff e5 32 fc ff 43 32 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 5: a2 31 fc ff 01 31 fc ff 61 30 fc ff c2 2f fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 6: 23 2f fc ff 85 2e fc ff 85 2e fc ff 85 2e fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 7: 85 2e fc ff 85 2e fc ff 85 2e fc ff 85 2e fc ff
Sorry for my English, I mean to say that I find some differences..
Between the 2 firmwares, I find 40 different NV items using the "RF NV items Manager" program.
Example:
European 1.2 Firm:
Code:
NV item: 5059 [NV_WCDMA_2100_TX_LIN_MASTER_0_ENH_I], index 0
NV item: 5061 [NV_WCDMA_900_TX_PDM_LIN_0_ENH_I], index 0
American 1.0 Firm:
Code:
NV item: 5064 [NV_WCDMA_1900_TX_PDM_LIN_0_ENH_I], index 0
NV item: 5060 [NV_WCDMA_800_TX_PDM_LIN_0_ENH_I], index 0
(it looks like these items manage the UMTS network)
These are 2 items of the 40 that I found.. So, I imported all 40 NV items of the 1.0 American firmware to the 1.2 Euro firmware phone (using the previously modified .QCN file), then I restarted the device, but nothing happened, it still can't find the UMTS network... But I want to believe that we are close to finding the solution
If I use PSAS to display the newly added NV items, these appear as "inactive item" and those already on the phone appear like "bad parameter"
I don't know what else I can try...
Even if NV items count is different. Dump of NV area will be always the same in size. Area in oneNAND reserved for NV data is constant, and in most it's just empty space, filled with zeros.
Is it possible to dump whole NV items list using QPST? Can you guys do that and send dumps to me?
If not please search for following NV items and send me values you get (if you get any)
Int id 556
Int id 5
Int id 7
Int id 1403
String id 254
String id 387
String id 388
String id 256
String id 197
I want to prove some theory just taken from Bada kernel and need few different values to compare. These should contain Timezone, Locale and SimBlock settings. (If these NV items are even available)
Please send me PMs with dumps if you get any. Thanks in advance.
Tell me when you are ready "amms.bin" to "bada 2.0" so I can put it on my phone. I'm from Argentina. Thank you very much!
Rebellos said:
Int id 556
Int id 5
Int id 7
Int id 1403
With "PSAS" it displays "Inactive Item", and with "RV NV item manager" I don't see these id's..
@adfree
Hey, if I write some NV items to the phone (with "RV NV item manager"), it doesn't take any effect... does another step exist to "activate" these items or something? Maybe in Stune I have to add a parameter? Or maybe the "QPST Service program" tool..
I'm afraid of breaking the handset really... I just want to calibrate the UMTS bands, I need these:
WCDMA_II_PCS_1900
WCDMA_V_850
http://forum.xda-developers.com/showpost.php?p=12436452&postcount=1
Other way to access NV items.
Now you can backup with sTune for instance... folders:
Code:
NV
nvm
EXTREME Caution!
Some IDs are protected... so you can maybe write/activate, but not easily remove change = brick...
Best Regards
a little question..
There is a firmware for the S8530 which has bada 1.2 and is 850/900/2100Mhz 3G band capable... there are firmwares prepared for Brazil and Australia.
Is it possible to flash that amss.bin in an S8500 with bada 1.2?
I tried this, but the bootloader says "error erase amms"
amss.bin in a S8500 with bada 1.2?
If I remember correct, then yes...
Maybe not all combinations...
BUT check Multiloader ... addresses are different...
So you have to edit...
Later more.
Maybe give Link to this S8530 Firmware, so I can take an look or try for you...
Best Regards
Various aspects of the Nook system are signed with a signature from Barnes & Noble.
There are a few places where signatures are compared.
Various system apps use a single "shared id" and they must all have the same signature.
/system/framework/framework-res.apk must have a correct signature with respect to AndroidManifest.xml.
In any case, it's your Nook, what are you going to do?
Re-signing the system
make a full backup and make sure that it is good
create your own signature http://developer.android.com/tools/publishing/app-signing.html
make a directory for your patch
create the subdirectory META-INF\com\google\android\
put a copy of update-binary in there
write a updater-script and put it in there
create the subdirectory system\app
create the subdirectory system\framework
For each of your APKs in /system/app and also /system/framework/framework-res.apk:
unzip them somewhere
delete the whole directory META-INF from them
zip the directory
jarsigner them with your own personal signature
zipalign the APK (optional if you are lazy and don't see the point)
put it in the appropriate patch directory
Then:
zip the patch directory
copy it to your SD card
make sure that your WiFi is turned on if you are using ADB over WiFi!
recovery boot using ClockworkMod
install the patch from SD card
reboot
updater-script
Code:
# Replace signed components
mount("ext2", "/dev/block/mmcblk0p5", "/system");
package_extract_dir("system/app", "/system/app");
package_extract_dir("system/framework", "/system/framework");
unmount("/system");
# Delete packages.xml
mount("ext3", "/dev/block/mmcblk0p8", "/data");
delete("/data/system/packages.xml");
unmount("/data");
Flies in the ointment, caveats, etc...
The packages.xml contains some form of certs that have all changed.
Right now, the simplest way I know to deal with this is just to delete packages.xml.
The problem is, this will break most user applications since the user IDs will no longer agree.
The easiest thing to do is just to reinstall them.
For applications with a lot of data, it would be best to back up the configs or data.
When you first boot up, you may think that you are in a "boot loop".
The boot animation will run continuously.
If you have ADB connect still (and you had better!) you can fix this.
Your launcher application is probably causing lots of errors on startup.
There are two ways to fix the problem with the launcher (or any other app):
uninstall and reinstall it
go into /data/data/com.myapp.whatever and chown everything to the user id of the application.
Code:
busybox chown -R 10011: databases
Don't chown the lib directory if there is one.
Then you should have a device that boots up normally.
Good luck, Mr. Phelps.
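The per-APK steps above (unzip, drop META-INF, zip, jarsigner, zipalign) are easy to get subtly wrong when a zip tool recompresses resources.arsc. The following is an added example, not Renate's script or the Nook's own code: it strips the old signature entry-by-entry with the original compression method kept, then hands the result to jarsigner and zipalign (assumed to be on PATH; the constructed sample APK only mimics entry names).

```python
"""Strip the old signature from an APK and re-sign it with your own key.
Added example, not from the thread; jarsigner/zipalign are assumed to be on PATH."""
import subprocess
import tempfile
import zipfile
from pathlib import Path


def strip_meta_inf(src: Path, dst: Path) -> list[str]:
    """Copy src to dst without any META-INF/ entry and return the removed names.

    Each entry is rewritten with its original compression method, so a stored
    (uncompressed) resources.arsc stays stored, which the framework requires.
    """
    removed = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename.upper().startswith("META-INF/"):
                removed.append(info.filename)
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def meta_inf_entries(apk: Path) -> list[str]:
    """Signature entries present in apk: empty after a strip, MANIFEST.MF/.SF/.RSA after jarsigner."""
    with zipfile.ZipFile(apk) as z:
        return sorted(n for n in z.namelist() if n.upper().startswith("META-INF/"))


def resign(apk: Path, keystore: Path, alias: str, storepass: str, out: Path) -> None:
    """Strip, sign with jarsigner and zipalign one APK (external tools; not exercised offline)."""
    unsigned = out.with_name(out.stem + "_unsigned.apk")
    strip_meta_inf(apk, unsigned)
    subprocess.run(["jarsigner", "-keystore", str(keystore), "-storepass", storepass,
                    str(unsigned), alias], check=True)
    subprocess.run(["zipalign", "-f", "4", str(unsigned), str(out)], check=True)
    unsigned.unlink()


def build_sample_apk(path: Path) -> None:
    """Constructed stand-in for a signed APK: realistic entry names, placeholder bytes."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr(zipfile.ZipInfo("resources.arsc"), b"\x02\x00\x0c\x00")  # ZipInfo default: stored
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")  # would be the PKCS#7 signature block


def demo() -> tuple[list[str], list[str], list[str]]:
    """Strip a constructed APK in a temp dir; return (removed, kept, META-INF entries left)."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = Path(d) / "Settings.apk", Path(d) / "Settings_unsigned.apk"
        build_sample_apk(src)
        removed = strip_meta_inf(src, dst)
        with zipfile.ZipFile(dst) as z:
            kept = z.namelist()
        return removed, kept, meta_inf_entries(dst)


if __name__ == "__main__":
    removed, kept, left = demo()
    print("removed:", removed)
    print("kept:", kept, "META-INF left:", left)
```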
Renate NST said:
create your own signature http://developer.android.com/tools/publishing/app-signing.html
Renate,
Won't it be easier to use the Android media key?
If we do, we can patch packages.xml, instead of deleting it, right?
Renate NST said:
For each of your APKs in /system/app and also /system/framework/framework-res.apk:
unzip them somewhere
delete the whole directory META-INF from them
zip the directory
jarsigner them with your own personal signature
zipalign the APK (optional if you are lazy and don't see the point)
put it in the appropriate patch directory
I wrote a script to do just that, can be adapted easily...
Code:
rem Keystore, password and alias of the key every APK gets re-signed with
@set keystore=..\keys\media.jks
@set storepass=android
@set alias=media
rem Re-signed APKs are written here under their original names
@set resigned_dir=.\new
rem For each APK: copy to <name>_.apk, drop the old signature, sign, zipalign into <name>.apk
@for %%i in ( .\*.apk ) do @(
echo %%i
copy %%i %resigned_dir%\%%~ni_%%~xi
zip -d %resigned_dir%\%%~ni_%%~xi META-INF\*
jarsigner -keystore %keystore% -storepass %storepass% %resigned_dir%\%%~ni_%%~xi %alias%
zipalign -f 4 %resigned_dir%\%%~ni_%%~xi %resigned_dir%\%%~ni%%~xi
del %resigned_dir%\%%~ni_%%~xi
)
@goto :eof
Just my 2 cents…
Renate NST said:
...
Then you should have a device that boots up normally.
Good luck, Mr. Phelps.
Guys,
If you run into a problem following Renate's steps, it'll be practically impossible to troubleshoot without a logcat log.
It might be a bit safer to use ADB over USB than over wireless.
Even if you run into boot loop, ADB should work still.
I’m not 100% sure, if you need framework operational to establish wireless connection (for ADB to use).
ADB over USB definitely doesn't need framework running.
Yes, of course I used a script to resign the individual APKs.
Yours is nice though.
I'm not sure what you mean by "Android media key".
Do you mean the androiddebug key?
Did you re-sign framework-res.apk too?
Well, one advantage of deleting packages.xml is that it gets rid of the cruft.
I was thinking of just writing a little utility that resolved the renumbered user ids and fixed file ownership.
P.S. WiFi works fine when the boot animation is still looping.
The loop animation just runs until something wants to use the screen.
The system is actually 100% up at that point.
It's just that your home application (a launcher probably) can't run.
You can still start an application by am start intent.
That's also a warning to not presume that your Nook is dead just because the display loops.
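The "little utility that resolved the renumbered user ids and fixed file ownership" mentioned above is small enough to sketch. This added example, not Renate's code, reads the userId/sharedUserId attributes from the packages.xml you backed up and from the one Android regenerated, and emits the busybox chown fix from the thread only for packages whose uid actually changed, leaving lib/ alone. Both XML excerpts are constructed, trimmed to the attributes read here.

```python
"""Diff two packages.xml files by uid and produce the chown fix for renumbered apps.
Added example, not from the thread; the XML excerpts below are constructed."""
import xml.etree.ElementTree as ET

# Constructed excerpt of the backed-up /data/system/packages.xml (before the re-sign).
OLD_PACKAGES_XML = """<?xml version='1.0' encoding='utf-8'?>
<packages>
  <shared-user name="android.uid.shared" userId="10001"/>
  <package name="com.android.contacts" codePath="/system/app/Contacts.apk" sharedUserId="10001"/>
  <package name="com.myapp.whatever" codePath="/data/app/com.myapp.whatever-1.apk" userId="10011"/>
  <package name="com.example.launcher" codePath="/data/app/com.example.launcher-1.apk" userId="10012"/>
  <package name="com.example.reader" codePath="/data/app/com.example.reader-1.apk" userId="10013"/>
</packages>
"""

# Constructed: what Android regenerated after packages.xml was deleted; two apps swapped uids.
NEW_PACKAGES_XML = """<?xml version='1.0' encoding='utf-8'?>
<packages>
  <shared-user name="android.uid.shared" userId="10001"/>
  <package name="com.android.contacts" codePath="/system/app/Contacts.apk" sharedUserId="10001"/>
  <package name="com.example.launcher" codePath="/data/app/com.example.launcher-1.apk" userId="10011"/>
  <package name="com.myapp.whatever" codePath="/data/app/com.myapp.whatever-1.apk" userId="10012"/>
  <package name="com.example.reader" codePath="/data/app/com.example.reader-1.apk" userId="10013"/>
</packages>
"""


def package_uids(xml_text: str) -> dict[str, int]:
    """{package name: uid}; apps in a shared user carry sharedUserId instead of userId."""
    uids = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        uid = pkg.get("userId") or pkg.get("sharedUserId")
        if uid is not None:
            uids[pkg.get("name")] = int(uid)
    return uids


def changed_uids(old: dict[str, int], new: dict[str, int]) -> dict[str, tuple[int, int]]:
    """{package: (old uid, new uid)} for packages present in both files with a different uid."""
    return {name: (old[name], uid) for name, uid in new.items() if name in old and old[name] != uid}


def chown_commands(changes: dict[str, tuple[int, int]], data_root: str = "/data/data") -> list[str]:
    """One sh line per renumbered package: chown its data dir and every top-level entry
    except lib/ (the thread's advice), using the same 'busybox chown -R uid:' form."""
    cmds = []
    for name, (_old_uid, new_uid) in sorted(changes.items()):
        app_dir = f"{data_root}/{name}"
        cmds.append(
            f"busybox chown {new_uid}: {app_dir}; "
            f'for d in {app_dir}/*; do case "$d" in {app_dir}/lib) ;; '
            f'*) busybox chown -R {new_uid}: "$d";; esac; done'
        )
    return cmds


if __name__ == "__main__":
    changes = changed_uids(package_uids(OLD_PACKAGES_XML), package_uids(NEW_PACKAGES_XML))
    for name, (old_uid, new_uid) in sorted(changes.items()):
        print(f"{name}: {old_uid} -> {new_uid}")
    print("\n".join(chown_commands(changes)))
```

Paste the printed lines into an adb shell on the device; packages that kept their uid get no command.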
Renate NST said:
Yes, of course I used a script to resign the individual APKs.
Yours is nice though.
Thank you!
Renate NST said:
I'm not sure what you mean by "Android media key".
Do you mean the androiddebug key?
I don’t remember now, it was long time ago.
AFAIR, it was 4 keys
testkey -- a generic key for packages that do not otherwise specify a key.
platform -- a test key for packages that are part of the core platform.
shared -- a test key for things that are shared in the home/contacts process.
media -- a test key for packages that are part of the media/download system.
You can download them still from Google repository
http://mirror.yongbok.net/pub/pub/linux/android/repository/build/target/product/security/
Most ppl call media key androiddebug key, don’t ask me why.
Renate NST said:
Did you re-sign framework-res.apk too?
Not as of now. Waiting for your Reader.apk...
Renate NST said:
Well, one advantage of deleting packages.xml is that it gets rid of the cruft.
I was thinking of just writing a little utility that resolved the renumbered user ids and fixed file ownership.
I dunno if it recreates the UserID properly.
I.e. you have apps A, B, C installed; they got UserIDs 10001, 10002 & 10003 respectively.
Then you uninstall A & B and delete packages.xml; would C still get 10003?
Need to test it.
Renate NST said:
P.S. WiFi works fine when the boot animation is still looping.
The loop animation just runs until something wants to use the screen.
The system is actually 100% up at that point.
Yep. Thanks for confirming this!
Renate NST said:
It's just that your home application (a launcher probably) can't run.
You can still start an application by am start intent.
That's also a warning to not presume that your Nook is dead just because the display loops.
When I see the Nook booting image "with running dots", ADB is up already.
I was under the impression that's the image ppl see while in a boot loop.
ps shows it as the bootanimation process.
I guess we are NOT on the same page again…
The running dots (boot animation) gets started as the system starts.
It just runs until something takes over the screen.
If it runs continuously, it could mean that the system is in a boot loop or
simply that no application is rising to the challenge to do something.
On the other hand, if the dots are running, but it hiccups and starts over from the first dot, that's a real boot loop.
Renate NST said:
The running dots (boot animation) gets started as the system starts.
It just runs until something takes over the screen.
If it runs continuously, it could mean that the system is in a boot loop or
simply that no application is rising to the challenge to do something.
On the other hand, if the dots are running, but it hiccups and starts over from the first dot, that's a real boot loop.
Renate,
I neither completely agree with you on the bootanimation app nor want to pollute this thread with useless (IMO) discussion about it. If you want to discuss it further, could you open another thread?
Well, I proved that you can take Settings.apk and SettingsProvider.apk off the emulator, sign them and install them.
There are a number of problems with that, starting out that the opening screen is white on white.
Also, my Nook seems to think it's a phone now and the hack that I did for the "n" button is broken.
I switched back to the stock version.
On the plus side, my Nook now opens with just a button press and no swiping.
I remember some people were interested in that.
It's probably something in settings.db
Renate NST said:
Well, I proved that you can take Settings.apk and SettingsProvider.apk off the emulator, sign them and install them.
AFAIR, everything on the emulator is signed with the keys I posted and nothing with the B&N key - you don't need to resign.
Renate NST said:
Various aspects of the Nook system are signed with a signature from Barnes & Noble.
Renate,
I can write a script (Win) to do:
Parse packages.xml to find APKs run as 'shared-user name="android.media" userId="10000"'
Pull (backup) them to PC
Resign
Stop framework
Push resigned APKs to NST
Replace B&N cert reference in packages.xml to the one we used
Start framework
There might be some manual steps...
Do you think it might be useful?
And another script to restore...
First thing, I think that doing a system update to replace (as recommended in my first post) is overkill.
I wasn't sure whether simply starting and stopping the framework from the shell would be sufficient.
Apparently it is.
My only excuse is that I've bricked my Nook about 20 times and was being conservative.
What you want to sign your Nook with is your choice.
I hadn't looked into using any common signatures.
Android only mentions the single debug key in their documentation.
The emulator apks are signed with an Android signature, but not the same as the debug key.
ApokrifX said:
I can write a script (Win) to do:
Parse packages.xml to find APKs run as 'shared-user name="android.media" userId="10000"'
Ok, but there are also all the others with sharedUserId="1000"
I'm not sure how the cert references work in packages.xml
Does it work for framework-res.apk too?
Looks like I cannot answer your question.
I guess, we can create a table [sharedUserId] – [App], [sharedUserId] – [Cert] and [Cert] - [App]
It can shed some light on how it works.
I can see the same sharedUserId used with different certs, so apps should use different android users...
See below:
Don’t know how to map sharedUserId to android user yet.
My [current] understanding is:
userId "10000" and above are apps generated.
Below – for system use.
I have now:
<package name="com.bn.nook.quickstart" codePath="/system/app/QuickStartActivity.apk" system="true" ts="1217592000000" version="7" sharedUserId="1000">
<cert index="4" />
<package name="com.google.android.server.checkin" codePath="/system/app/GoogleCheckin.apk" system="true" ts="1292347460000" version="7" sharedUserId="1000">
<sigs count="1">
<cert index="13" />
Obviously, due to cert mismatch, "com.bn.nook.quickstart" & "com.google.android.server.checkin" should use different users.
---------- Post added at 09:29 PM ---------- Previous post was at 09:04 PM ----------
ApokrifX said:
Looks like I cannot answer your question.
I guess, we can create a table [sharedUserId] – [App], [sharedUserId] – [Cert] and [Cert] - [App]
It can shed some light on how it works.
Here we go:
Code:
0 10019 com.google.android.apps.gtalkservice /system/app/gtalkservice.apk
0 10019 com.google.android.googleapps /system/app/GoogleApps.apk
0 10019 com.google.android.providers.gmail /system/app/GmailProvider.apk
0 10019 com.google.android.providers.talk /system/app/TalkProvider.apk
0 10021 com.google.android.gm /system/app/Gmail.apk
0 10022 com.android.vending /system/app/Vending.apk
1 10002 com.android.globalsearch /system/app/GlobalSearch.apk
1 10002 com.android.googlesearch /system/app/GoogleSearch.apk
1 10002 com.android.inputmethod.latin /system/app/LatinIME.apk
1 10002 com.android.launcher /system/app/Launcher.apk
1 10002 com.android.providers.applications /system/app/ApplicationsProvider.apk
1 10002 com.android.providers.contacts /system/app/ContactsProvider.apk
1 10002 com.android.providers.userdictionary /system/app/UserDictionaryProvider.apk
10 10001 com.adobe.air /system/app/AirRuntime.apk
10 10017 de.devmil.minimaltext /data/app/mt262.apk
10 10023 com.google.android.talk /system/app/Talk.apk
11 10013 com.ngc.fora /data/app/com.ngc.fora.apk
12 10015 siir.es.adbWireless /data/app/siir.es.adbWireless-1.apk
13 1000 com.google.android.providers.subscribedfeeds /system/app/GoogleSubscribedFeedsProvider.apk
13 1000 com.google.android.server.checkin /system/app/GoogleCheckin.apk
14 10018 com.david1171.minimalistblack /data/app/com.david1171.minimalistblack-1.apk
15 10014 com.smart.swkey /data/app/SWKey21.apk
16 10030 com.asksven.betterbatterystats /data/app/com.asksven.betterbatterystats.apk
17 10027 jackpal.androidterm /data/app/jackpal.androidterm.apk
18 10029 com.googlecode.droidwall.free /data/app/com.googlecode.droidwall.free.apk
19 10016 org.adw.launcher /data/app/org.adw.launcher-1.apk
2 10026 org.coolreader /data/app/org.coolreader.apk
20 10012 com.noshufou.android.su /data/app/Superuser.apk
3 10024 berserker.android.apps.sshdroid /data/app/berserker.android.apps.sshdroid.apk
4 1000 android /system/framework/framework-res.apk
4 1000 com.android.providers.settings /system/app/SettingsProvider.apk
4 1000 com.android.providers.subscribedfeeds /system/app/AccountAndSyncSettings.apk
4 1000 com.android.settings /system/app/Settings.apk
4 1000 com.bn.app.crypto.server /system/app/CryptoServer.apk
4 1000 com.bn.authentication.svc /system/app/BnAuthenticationService.apk
4 1000 com.bn.demomode /system/app/DemoMode.apk
4 1000 com.bn.devicemanager /system/app/DeviceManager.apk
4 1000 com.bn.nook.quickstart /system/app/QuickStartActivity.apk
4 1000 com.bn.syschecksum /system/app/SysChecksum.apk
4 1000 com.bn.waveformdownloader.svc /system/app/WaveformDownloader.apk
4 10005 com.android.certinstaller /system/app/CertInstaller.apk
4 10009 com.android.packageinstaller /system/app/PackageInstaller.apk
4 1001 com.android.phone /system/app/Phone.apk
4 1001 com.android.providers.telephony /system/app/TelephonyProvider.apk
4 10011 android.tts /system/app/TtsService.apk
5 10000 com.android.gallery /system/app/Gallery.apk
5 10000 com.android.providers.downloads /system/app/DownloadProvider.apk
5 10000 com.android.providers.drm /system/app/DrmProvider.apk
5 10000 com.android.providers.media /system/app/MediaProvider.apk
5 10000 com.bn.nook.accessories /system/app/Accessories.apk
5 10000 com.bn.nook.affiledownloadservice /system/app/AFfileDownloadService.apk
5 10000 com.bn.nook.cloud.service /system/app/CloudService.apk
5 10000 com.bn.nook.community /system/app/NookCommunity.apk
5 10000 com.bn.nook.dadmin /system/app/DownloadAdmin.apk
5 10000 com.bn.nook.home /system/app/Home.apk
5 10000 com.bn.nook.library /system/app/Library.apk
5 10000 com.bn.nook.reader.activities /system/app/Reader.apk
5 10000 com.bn.nook.shop /system/app/Shop.apk
5 10000 com.bn.nook.social /system/app/Social.apk
6 10025 com.andoku.two.free /data/app/com.andoku.two.free.apk
7 10028 org.connectbot /data/app/org.connectbot.apk
8 10003 com.bn.cloud.svc /system/app/BnCloudRequestSvc.apk
8 10004 com.android.browser /system/app/Browser.apk
8 10006 com.bn.deviceregistrator /system/app/DeviceRegistrator.apk
8 10007 com.android.htmlviewer /system/app/HTMLViewer.apk
8 10008 com.android.music /system/app/Music.apk
8 10010 com.svox.pico /system/app/PicoTts.apk
9 10020 com.benhirashima.nookcolorsettings /system/app/NookColorTools.apk
ApokrifX said:
Don’t know how to map sharedUserId to android user yet.
Need help with this one... :crying:
Yes, the cert indexes are the same for all the things that are signed with the same signature,
but they can even be different in some cases.
All the apps I wrote and signed with my own key are 0.
All of the system that I signed with my own key are 1.
All of the other cert indexes go from 2 to 8.
The problem is, these are indexes into something and I don't know what/where that is.
When you change a signature, you have to change the something.
When you change signatures, in most cases the system shrugs and rebuilds packages.xml.
It's mostly changing the signature on framework-res.apk (name="android") that causes the biggest problems.
For another perspective on the whole package management, try this:
Code:
dumpsys package > /sdcard/package.txt
(This generates a lot of text, hence the redirect.)
Renate NST said:
Android only mentions the single debug key in their documentation.
URL?
Renate NST said:
The emulator apks are signed with an Android signature, but not the same as the debug key.
Compared a few keys (Subject Key Identifiers) out of curiosity:
Android keys
Code:
testkey 48:59:00:56:3D:27:2C:46:AE:11:86:05:A4:74:19:AC:09:CA:8C:11
shared CB:4C:7E:2C:DB:B3:F0:AD:A9:8D:AB:79:96:8D:17:2E:9D:BB:1E:D1
platform 4F:E4:A0:B3:DD:9C:BA:29:F7:1D:72:87:C4:E7:C3:8F:20:86:C2:99
media CA:29:3C:AA:8B:C0:ED:3E:54:2E:EF:42:05:A2:BF:F2:B5:7E:4D:75
NC2.1 EMU
Code:
Browser 48:59:00:56:3D:27:2C:46:AE:11:86:05:A4:74:19:AC:09:CA:8C:11
LatinIME CB:4C:7E:2C:DB:B3:F0:AD:A9:8D:AB:79:96:8D:17:2E:9D:BB:1E:D1
framework-res 4F:E4:A0:B3:DD:9C:BA:29:F7:1D:72:87:C4:E7:C3:8F:20:86:C2:99
MediaProvider CA:29:3C:AA:8B:C0:ED:3E:54:2E:EF:42:05:A2:BF:F2:B5:7E:4D:75
---------- Post added at 10:13 PM ---------- Previous post was at 10:07 PM ----------
Renate NST said:
Yes, the cert indexes are the same for all the things that are signed with the same signature,
but they can even be different in some cases.
All my the apps I wrote and signed with my own key are 0.
All of the system that I signed with my own key are 1.
All of the other cert indexes go from 2 to 8.
The problem is, these are indexes into something and I don't know what/where that is.
Ok. Just to make sure we are on the same page again:
When a cert is mentioned the first time, it gets encoded right into packages.xml as key="3082...9308a".
The next time it is used, it's referenced by index.
Code:
<package name="com.google.android.providers.talk" codePath="/system/app/TalkProvider.apk" system="true" ts="1292347460000" version="7" sharedUserId="10019">
<sigs count="1">
<cert index="0" key="3082...9308a" />
...
<package name="com.google.android.googleapps" codePath="/system/app/GoogleApps.apk" system="true" ts="1292347460000" version="130" sharedUserId="10019">
<sigs count="1">
<cert index="0" />
Do you mean something else?
---------- Post added at 10:16 PM ---------- Previous post was at 10:13 PM ----------
Renate NST said:
Yes, the cert indexes are the same for all the things that are signed with the same signature,
but they can even be different in some cases.
All my the apps I wrote and signed with my own key are 0.
All of the system that I signed with my own key are 1.
Interesting...
Could you extract CERT.RSA from "the app" and "the system app" and compare, please?
---------- Post added at 10:22 PM ---------- Previous post was at 10:16 PM ----------
Renate NST said:
For another perspective on the whole package management, try this:
Code:
dumpsys package > /sdcard/package.txt
How do we map:
Code:
Package [com.asksven.betterbatterystats] (49ea9250):
userId=10030 gids=[1015, 3003]
to names we see with ls -l
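The table a few posts up, the cert-index/key convention just described, and the userId-to-owner question above can all be worked out mechanically from packages.xml. The following is an added example (not code from the thread or from Android) that parses a constructed packages.xml in the shape quoted in this thread, resolves each cert index to the key attached at its first mention, builds the [cert index] [uid] [package] [codePath] table, flags sharedUserIds whose members carry different cert indexes (the quickstart/checkin case noted above), and maps a uid to the owner name ls -l prints on Android 2.x (app_N for 10000+N, system for 1000). The XML and key values are constructed placeholders, not real certificates.

```python
"""Resolve packages.xml cert indexes and tabulate cert / uid / package / codePath.

Added example for this thread, not Android code. Assumes the packages.xml layout
quoted in the thread: the first <cert index="N"> carries key="hex"; later
references to the same index carry no key. Non-shared packages use userId=,
shared ones use sharedUserId=.
"""
import xml.etree.ElementTree as ET

# Constructed sample. Keys are short placeholders, not real DER certificates.
SAMPLE_PACKAGES_XML = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package name="com.google.android.providers.talk" codePath="/system/app/TalkProvider.apk" system="true" version="7" sharedUserId="10019">
    <sigs count="1"><cert index="0" key="3082aaaa9308a" /></sigs>
  </package>
  <package name="com.google.android.googleapps" codePath="/system/app/GoogleApps.apk" system="true" version="130" sharedUserId="10019">
    <sigs count="1"><cert index="0" /></sigs>
  </package>
  <package name="com.bn.nook.quickstart" codePath="/system/app/QuickStartActivity.apk" system="true" version="7" sharedUserId="1000">
    <sigs count="1"><cert index="4" key="3082bbbb5e84" /></sigs>
  </package>
  <package name="com.google.android.server.checkin" codePath="/system/app/GoogleCheckin.apk" system="true" version="7" sharedUserId="1000">
    <sigs count="1"><cert index="13" key="3082cccc1234" /></sigs>
  </package>
  <package name="com.asksven.betterbatterystats" codePath="/data/app/com.asksven.betterbatterystats.apk" version="3" userId="10030">
    <sigs count="1"><cert index="16" key="3082dddd0000" /></sigs>
  </package>
</packages>
"""


def load_cert_table(xml_text):
    """Map cert index -> hex key. Only the first mention of an index carries the key."""
    table = {}
    for cert in ET.fromstring(xml_text).iter("cert"):
        key = cert.get("key")
        if key is not None:
            table.setdefault(int(cert.get("index")), key)
    return table


def package_rows(xml_text):
    """One row per <cert> in each <package>, with the index resolved to its key."""
    certs = load_cert_table(xml_text)
    rows = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        uid = int(pkg.get("sharedUserId") or pkg.get("userId"))
        for cert in pkg.iter("cert"):
            idx = int(cert.get("index"))
            rows.append({"cert": idx, "uid": uid, "name": pkg.get("name"),
                         "codePath": pkg.get("codePath"), "key": certs.get(idx)})
    # Numeric order; the thread's table was sorted as text (0,1,10,11,...,2).
    return sorted(rows, key=lambda r: (r["cert"], r["uid"], r["name"]))


def shared_uid_cert_conflicts(rows):
    """sharedUserIds whose members do not all carry the same cert index."""
    by_uid = {}
    for r in rows:
        by_uid.setdefault(r["uid"], set()).add(r["cert"])
    return {uid: idxs for uid, idxs in by_uid.items() if len(idxs) > 1}


def uid_to_unix_name(uid):
    """Owner name ls -l shows on Android 2.x: fixed names for system AIDs,
    app_N for application uid 10000+N."""
    fixed = {1000: "system", 1001: "radio", 1002: "bluetooth"}
    if uid in fixed:
        return fixed[uid]
    if uid >= 10000:
        return "app_%d" % (uid - 10000)
    return str(uid)


if __name__ == "__main__":
    for r in package_rows(SAMPLE_PACKAGES_XML):
        print("%-3d %-6d %-10s %-45s %s" % (r["cert"], r["uid"],
              uid_to_unix_name(r["uid"]), r["name"], r["codePath"]))
    print("cert mismatches within a shared uid:",
          shared_uid_cert_conflicts(package_rows(SAMPLE_PACKAGES_XML)))
```

Run it against a pulled /data/system/packages.xml by reading the file into the two functions instead of SAMPLE_PACKAGES_XML. A shared uid whose members show different cert indexes is exactly the situation the package manager normally refuses at install time, so those rows are the ones to look at after re-signing.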
ApokrifX said:
URL?
When cert mentioned 1st time, it got encoded right into packages.xml key="3082...9308a"
Next time it used, it's referenced by index.
Yup, it looks like you are 100% correct.
FWR signed with my key is different than an app signed with my key.
They are the same, except for the last 256 bytes which are different.
As you can see, the keys in package.xml are of different lengths
and at least in the cases that I checked are shorter than length(cert)-256 even.
Moreover the end of the keys in packages.xml don't agree with the same position.
http://developer.android.com/tools/publishing/app-signing.html
The SDK tools create the debug keystore/key with predetermined names/passwords:
Keystore name: "debug.keystore"
Keystore password: "android"
Key alias: "androiddebugkey"
Key password: "android"
CN: "CN=Android Debug,O=Android,C=US"
The point is not that this single key is documented, the point is that the others are not.
Renate NST said:
FWR signed with my key is different than an app signed with my key.
They are the same, except for the last 256 bytes which are different.
As you can see, the keys in package.xml are of different lengths
and at least in the cases that I checked are shorter than length(cert)-256 even.
Right.
Could you compare certs "X509v3 Subject Key Identifier", please?
Renate NST said:
Moreover the end of the keys in packages.xml don't agree with the same position.
I'm not sure I get this...
Renate NST said:
The point is not that this single key is documented, the point is that the others are not.
---------- Post added at 11:15 PM ---------- Previous post was at 11:01 PM ----------
Looks like certs in packages.xml are stored in pkcs8 hex format:
shared.pk8
Code:
0000000000: 30 82 04 BE 02 01 00 30 │ 0D 06 09 2A 86 48 86 F7
0000000010: 0D 01 01 01 05 00 04 82 │ 04 A8 30 82 04 A4 02 01
0000000020: 00 02 82 01 01 00 C8 C2 │ DB FD 09 4A 2D F4 5C 3F
0000000030: F1 A3 2E D2 18 05 EC 72 │ FC 58 D0 17 97 1B D0 F6
packages.xml
Code:
<cert index="2" key="3082...b2db" />
They can be easily dumped from packages.xml right into pkcs8 format, no need to get them from packages.
I know practically nothing about signing and certs specifically.
Taking this as a black box question:
Given a signed package, extract the cert with a zip tool,
how do you convert that data into something to write into packages.xml?
Yes, all the ASCII text is in both of these but the cert in the apk and the cert in packages are wildly different.
Yes, you could make a project of this and delve into the Android code to see where it all comes from but the effort seems excessive.
We know that if you delete packages.xml entirely it will get rebuilt (although not with the same non-shared ids as before).
Why not try just deleting all the certs and leaving the rest of it alone?
Renate NST said:
I know practically nothing about signing and certs specifically.
Taking this as a black box question:
Given a signed package, extract the cert with a zip tool,
how do you convert that data into something to write into packages.xml?
I didn't do this part yet.
I guess a bit of fiddling with openssl or keytool will do just fine.
Renate NST said:
Yes, all the ASCII text is in both of these but the cert in the apk and the cert in packages are wildly different.
If you post both (from packages.xml), I’ll decrypt them.
I’m pretty sure, they are different.
Renate NST said:
Yes, you could make a project of this and delve into the Android code to see where it all comes from but the effort seems excessive.
Yep. There is no point.
Renate NST said:
We know that if you delete packages.xml entirely it will get rebuilt (although not with the same non-shared ids as before).
Why not try just deleting all the certs and leaving the rest of it alone?
I already wrote what might be different if you do it.
IMO, just patching it might be safer...
BTW: I decoded the certs from packages.xml - there are 4 different ones from B&N there.
ApokrifX said:
I decoded the certs from packages.xml - there are 4 different ones from B&N there.
I still don't know what the tool is or how it operates.
I'm not saying that what is packed in an APK is different in substance from the cert in packages.xml,
I'm just saying that they are not trivially binary convertible from one to another.
If you just delete packages.xml you can either fix the non-shared user ids in packages
or fix the owners for /data/data directories.
I already have an auditing tool for resolving such user id discrepancies
and finding orphaned /data/data directories for apps that were deleted and not uninstalled.
It doesn't do anything, but it reports it so that you can.
Renate NST said:
I still don't know what the tool is or how it operates.
I'm not saying that what is packed in an APK is different in substance from the cert in packages.xml,
I'm just saying that they are not trivially binary convertible from one to another.
I dunno, they are trivially convertible, try for yourself:
Unzip CERT.RSA from the stock Reader.apk.
Obviously (or not), CERT.RSA is pkcs7 and the certs in packages.xml are x509 as hex strings.
Let's convert pkcs7 -> x509:
Code:
openssl pkcs7 -inform DER -in CERT.RSA -out CERT.PEM -print_certs
openssl x509 -inform PEM -in CERT.PEM -outform DER -out CERT.x509.DER
Now open CERT.x509.DER in any hex editor:
Code:
0000000000: 30 82 04 96 30 82 03 7E │ A0 03 02 01 02 02 09 00
0000000010: CF 3F 93 2A 95 18 91 A5 │ 30 0D 06 09 2A 86 48 86
...
0000000480: BF 46 EB 99 2F F8 A8 9A │ 1F 66 2D 91 4F 0C 93 FE
0000000490: 44 7D 2F D0 C2 CC DC F7 │ 5E 84
And compare with packages.xml
Code:
<cert index="5" key="308204963082037ea003020102020900cf3f932a951891a5300d06092a864886
…
bf46eb992ff8a89a1f662d914f0c93fe447d2fd0c2ccdcf75e84" />
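The two openssl steps above (pkcs7 -> PEM certs -> X.509 DER) followed by the hex comparison can be done in one place without openssl, which also makes the earlier "stored as hex" observation concrete. The following is an added example, not code from the thread: a small DER walker that locates the first certificate inside the SignedData of a META-INF/CERT.RSA and returns its complete DER encoding, plus a comparison against the key="..." string from packages.xml. The input it runs on is a constructed minimal SignedData whose "certificate" is a placeholder SEQUENCE, not a real X.509 certificate; feed it the bytes of a real CERT.RSA to reproduce the comparison above.

```python
"""Pull the signer certificate out of an APK's CERT.RSA (PKCS#7 SignedData, DER)
and compare its DER bytes with the hex key stored in packages.xml.

Added example for this thread, not Android code. The sample input below is a
constructed, minimal SignedData; PLACEHOLDER_CERT stands in for a real cert.
"""

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def _read_tlv(buf, pos):
    """Parse one DER TLV starting at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend, pos
        pos = vend


def extract_certificate_der(pkcs7):
    """Return the full DER (tag+length+value) of the first certificate in
    ContentInfo -> [0] -> SignedData -> certificates [0] IMPLICIT."""
    tag, s, e = _read_tlv(pkcs7, 0)                     # ContentInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    kids = list(_children(pkcs7, s, e))
    oid_tag, os_, oe, _ = kids[0]
    if oid_tag != 0x06 or pkcs7[os_:oe] != OID_SIGNED_DATA:
        raise ValueError("contentType is not signedData")
    ctag, cs, ce, _ = kids[1]                            # [0] EXPLICIT content
    if ctag != 0xA0:
        raise ValueError("missing [0] content")
    _, sds, sde = _read_tlv(pkcs7, cs)                   # SignedData SEQUENCE
    # children: version INTEGER, digestAlgorithms SET, encapContentInfo SEQUENCE,
    # then certificates [0] IMPLICIT (tag A0), crls [1], signerInfos SET
    for tag, vs, ve, _ in _children(pkcs7, sds, sde):
        if tag == 0xA0:
            for _ct, _cs, cve, tlv_start in _children(pkcs7, vs, ve):
                return pkcs7[tlv_start:cve]             # first Certificate, whole TLV
    raise ValueError("no certificates in SignedData")


def matches_packages_xml_key(cert_der, key_hex):
    """packages.xml stores the certificate as the hex of its DER bytes."""
    return cert_der.hex() == key_hex.lower()


# --- constructed sample input -------------------------------------------------
def _tlv(tag, value):
    """Encode one DER TLV (short or long length form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def build_sample_pkcs7(cert_der):
    """Minimal SignedData: version 1, no digest algorithms, id-data content,
    one certificate, no signer infos. Enough structure for the walker above."""
    signed_data = _tlv(0x30,
                       _tlv(0x02, b"\x01")                      # version
                       + _tlv(0x31, b"")                        # digestAlgorithms
                       + _tlv(0x30, _tlv(0x06, OID_DATA))       # encapContentInfo
                       + _tlv(0xA0, cert_der)                   # certificates [0]
                       + _tlv(0x31, b""))                       # signerInfos
    return _tlv(0x30, _tlv(0x06, OID_SIGNED_DATA) + _tlv(0xA0, signed_data))


# Placeholder standing in for a real X.509 Certificate SEQUENCE (constructed).
PLACEHOLDER_CERT = _tlv(0x30, _tlv(0x02, b"\x01")
                        + _tlv(0x13, b"constructed placeholder, not a real cert"))
SAMPLE_CERT_RSA = build_sample_pkcs7(PLACEHOLDER_CERT)

if __name__ == "__main__":
    der = extract_certificate_der(SAMPLE_CERT_RSA)
    print("certificate DER hex:", der.hex())
    print("matches packages.xml key:", matches_packages_xml_key(der, der.hex()))
```

For a real APK, read META-INF/CERT.RSA with zipfile and pass its bytes to extract_certificate_der; the hex it returns should equal the key attribute of that package's first <cert> in packages.xml, which is the same equality the hex-editor comparison above shows by eye.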
Renate NST said:
If you just delete packages.xml you can either fix the non-shared user ids in packages or fix the owners for /data/data directories.
I already have an auditing tool for resolving such user id discrepancies
and finding orphaned /data/data directories for apps that were deleted and not uninstalled.
It doesn't do anything, but it reports it so that you can.
What about this case:
ApokrifX said:
I dunno if it recreates the UserIDs properly.
I.e. you have apps A, B, C installed, and they got UserIDs 10001, 10002 & 10003 respectively.
Then you uninstall A & B and delete packages.xml; would C still get 10003?
Need to test it.
Do we need to do anything manually, or will deleting packages.xml recreate everything properly?
Well, you seem to have a handle on all this.
I've never heard of pkcs7 or any of its friends.
Deleting packages.xml will result in the non-shared user ids being assigned in order as the APKs are discovered by the PackageManager.
User ids are only used for file permissions on /data/data as far as I know.