[HELP] Certificate problem - Samsung Galaxy Watch

I'm trying to mod SHM on the watch to add the Russian language and trying to replace some files, but SDB writes "security error".
After using Sertifier, sdb writes "sertificate error[-14]"

Code:
-14
No additional info spit out from SDB?
I ever forgot the ...
If you choose KOO for Korea... then SHM is preinstalled...
Maybe you then need first to uninstall complete to use own Cert...
And other apps you can resign and work?
https://forum.xda-developers.com/smartwatch/gear-fit/howto-sign-sideload-tizen-applications-t3639793
Best Regards
Edit 1.
On older Versions short tried and possible... example with German text:
https://forum.xda-developers.com/showpost.php?p=82823051&postcount=665

Hm, no, I use XAR, it is not preinstalled there
Yes, I actually used sertifier from Fit2installer and it wrote an [-14] error
But thanks
About other apps soon check

And you uninstall Original TPK before... because Certs now differ...
You can look here for uninstall Commands via SDB:
https://forum.xda-developers.com/showpost.php?p=83327589&postcount=1726
I mean this:
Code:
pkgcmd -u -t tpk -n com.samsung.health.samd.bp
To be sure the old TPK with different Cert is removed from SQLite Database...
Maybe now I remember what -14 is...
IMHO this could be you trying with public Cert Privilege Level to sign Platform crap...
Remove the .admin line in manifest.xml
Again.
SDB sometimes talk to you...
There is more text visible as -14
Best Regards
Edit 1.
Here is you output for -14
https://forum.xda-developers.com/showpost.php?p=83275933&postcount=1620
Code:
__return_cb req_id[1] pkg_type[tpk] pkgid[com.samsung.health.samd.bp] key[error] val[-14] error message: :Check tizen-manifest.xml| - Current api-version = 4.0.0.8, | certificate signature level = partner||[MISMATCHED_PRIVILEGE_LEVEL]| - http://tizen.org/privilege/packagemanager.admin| >> Use at least platform signatured certificate.||:<-7>
__return_cb req_id[1] pkg_type[tpk] pkgid[com.samsung.health.samd.bp] key[end] val[fail]
processing result : Signature error [-14] failed
Remove this from Manifest... and you can use Public Level Cert...
Code:
http://tizen.org/privilege/packagemanager.admin
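Added example (not part of the original post): a Python sketch that reads the installer output quoted above, extracts the certificate level and the privilege it rejects, and lists which `<privilege>` entries of a manifest are affected. The manifest fragment and the function names are constructed for illustration; only the error text comes from the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the installer output quoted in the post, forum markup removed.
PKGCMD_OUTPUT = (
    "__return_cb req_id[1] pkg_type[tpk] pkgid[com.samsung.health.samd.bp] "
    "key[error] val[-14] error message: :Check tizen-manifest.xml| - Current "
    "api-version = 4.0.0.8, | certificate signature level = partner||"
    "[MISMATCHED_PRIVILEGE_LEVEL]| - http://tizen.org/privilege/packagemanager.admin|"
    " >> Use at least platform signatured certificate.||:<-7>\n"
    "__return_cb req_id[1] pkg_type[tpk] pkgid[com.samsung.health.samd.bp] "
    "key[end] val[fail]\n"
    "processing result : Signature error [-14] failed\n"
)

# Constructed manifest fragment (an assumption, not the real SHM manifest).
MANIFEST = """<manifest xmlns="http://tizen.org/ns/packages" api-version="4.0"
          package="com.samsung.health.samd.bp" version="1.0.0">
  <privileges>
    <privilege>http://tizen.org/privilege/healthinfo</privilege>
    <privilege>http://tizen.org/privilege/packagemanager.admin</privilege>
  </privileges>
</manifest>"""

ERROR_LINE = re.compile(
    r"pkgid\[(?P<pkgid>[^\]]+)\] key\[error\] val\[(?P<code>-?\d+)\]"
    r"(?: error message: (?P<msg>.*))?"
)


def parse_install_error(output):
    """Return details of the first key[error] callback line, or None."""
    for line in output.splitlines():
        m = ERROR_LINE.search(line)
        if not m:
            continue
        report = {"pkgid": m["pkgid"], "code": int(m["code"]),
                  "api_version": None, "cert_level": None, "reason": None,
                  "required_level": None, "privileges": []}
        # The installer joins the lines of its message with '|'.
        for part in (p.strip() for p in (m["msg"] or "").split("|")):
            if hit := re.search(r"api-version = ([\d.]+)", part):
                report["api_version"] = hit[1]
            elif hit := re.search(r"certificate signature level = (\w+)", part):
                report["cert_level"] = hit[1]
            elif hit := re.fullmatch(r"\[([A-Z_]+)\]", part):
                report["reason"] = hit[1]
            elif hit := re.fullmatch(r"- (http://tizen\.org/privilege/\S+)", part):
                report["privileges"].append(hit[1])
            elif hit := re.search(r"Use at least (\w+) signatured certificate", part):
                report["required_level"] = hit[1]
        return report
    return None


def flagged_in_manifest(manifest_xml, report):
    """List manifest privileges that the installer rejected for this certificate."""
    root = ET.fromstring(manifest_xml)  # your own manifest; not for untrusted XML
    declared = [el.text.strip() for el in root.iter()
                if el.tag.rsplit("}", 1)[-1] == "privilege" and el.text]
    return [p for p in declared if p in report["privileges"]]


if __name__ == "__main__":
    rep = parse_install_error(PKGCMD_OUTPUT)
    print(rep["pkgid"], rep["code"], rep["cert_level"], "->", rep["required_level"])
    for priv in flagged_in_manifest(MANIFEST, rep):
        print("needs", rep["required_level"], "certificate:", priv)
```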

Thank you very much! It really works, and now I compile and sign a tpk, but now... idk, the file home.mo has a multiple encode, and how to decode it.. idk
But thank you

If I have time I will check, what I can do...
My old tests only with older TPKs... so maybe something changed...
Best Regards

adfree said:
If I have time I will check, what I can do...
Thanks, I translated it. It only needed the mo file to be converted to po and then edited.
But then... the application starts only on my watch, but all other people have error [-12]

...but all other people have error [-12]
Yes. This is normal... because Cert is only valid for your own device... DUID Check...
Thanx to Samsu.g...
To bypass this problem at the moment 2 wayS...
A
User have to sign with own Certificate...
B
Rooted and/or modified Firmware... :angel:
This is what I used...
I can use Samsung Certs for all 3 Privilege Levels...
Code:
Public
Partner
Platform
"Bad"... at the moment not tested with GWA2...
Need brave tester... :angel:
Best Regards

adfree said:
Yes. This is normal... because Cert is only valid for your own device... DUID Check...
Thanx to Samsu.g...
To bypass this problem at the moment 2 wayS...
Rooted and/or modified Firmware..
Oh... that's bad, and now only root users may flash my mod?
Anyway, thank you

Oh... that's bad, and now only root users may flash my mod?
At the moment nobody else can use your work, without resign.
Your own Certs... your own Signatures...
They are not inside Firmware.
My way is to use Samsung Certs...
They are inside for instance Combination Firmware...
IMHO 5 years old or maybe meanwhile older...
It is for instance possible to create Certs for few more devices... IMHO DUID crap...
Something like register blabla few more devices...
Sorry, this is the Security crap of Samsu.g...
They want protect Watch Faces...
Best Regards

Sorry, at the moment less time...
My plan for this month...
Root SM-R820.
At the moment I have only BTF3 Firmware Files... not the latest BTG1...
Anyway... need more time.
Best Regards

Done. :angel:
SM-R820 BTF3 Root work.
https://forum.xda-developers.com/showpost.php?p=83433641&postcount=1851
I have no BTG1 files... otherwise I would root here rootfs.img...
If I have time I will play with TPK...
Maybe German text...
Will try other Animation or remove or...
Best Regards

Rooted also SM-R830...
And as example...
https://forum.xda-developers.com/showpost.php?p=83458777&postcount=926
In these RPMs Samsu.g Certs inside...
Best Regards

Because Samsu.g seems have no plan to expand SHM to more countries... in near future...
I mean 2020...
I will spend again some time with languages...
Code:
august_BPandECG_combo_version23_PlatformSigned_mod1.tpk
Will concentrate on latest known... "29"...
Code:
september_BPandECG_combo_version29_PlatformSigned_mod1.tpk
29 have 1 more language... Portugues for Brasil...
Still I have not understand if easily I can add folder + file...
Code:
DE
Need some time to understand...
Best Regards
Edit 1.
SHM 29 TPK not configured... not paired with Phone...
IMHO this is good start... text string:
Code:
Download the app
Can be found in 2 files...
Code:
\res\locale\default\LC_MESSAGES\home.mo
\res\locale\en_US\LC_MESSAGES\home.mo
1:1 same content...
Hmmmmmmmmmmmmmmmmmmmmmmmmmmm....
Can I simple add folder:
Code:
de_DE
Edit 2.
Hey cool... this is working... my folder de_DE
Now doing some time consuming thing.. to translate I find correct position...
Example...
2 times:
Code:
Download the app
First for ECG... Second for BP...
2 times:
Code:
Blood pressure
Found first... but not the second...
Change into:
Code:
Blutdruck 1
Blutdruck 2
So I can see what where is used...

Tiny Example about my German """Translation"""...
Only as "Tech Demo"...
German Umlaut not work yet...
Best Regards

Related

oldest Firmware maybe mandatory for Research - XXJB6

For investigation I'm searching for oldest Firmware...
At the moment I found "only".
S8500XXJB6.rar
Differences:
1.
Few addresses not same in Multiloader
2.
Not running on my handset... except amss.bin
3.
TriX can't extract anything...
PSAS can't decrypt apps_compressed.bin
4.
Bootloader different
Best Regards
older firmware, like S8500XXJB6 is a bit different (is much closer in structure to S8000)
ad. 2, i assume you have newer bootloader in phone (it won't accept older one)
ad. 3, shp, csc file signature is a bit different (will be fixed soon). FS file is just fat16 image (TriX support fat images via FATe plugin, i have no idea fat images was used before, i will add FATe plugin in next build)
ad. 4, if someone still has that firmware in phone is very lucky guy. I can bet with jet android port can be ported to it with any problem - JB6 bootloader is not crypted.
5.
Rsrc2_S8500(Low).rc2 works also in JI5 for instance...
Different Boot Pics... maybe this helps to identify location of each Pic.
Battery...
Samsung Logo...
.
.
.
Maybe we find out, which Format... maybe also QMG.
Best Regards
you can already extract rc2 files
use the same program that is used for older samsungs
this one if I'm not wrong
http://code.google.com/p/samsung-firmware-tools/
I've used Tool WinImage for extraction of *.FFS... renamed into *.img
Useful also for FFS of other bada handsets like:
S5250
S5330
S5750
S7230
In CSC of S8500XXJB6 I navigate via 005C00 to see where folder/file is.
Best Regards
Still problem.
That I can't bypass Bootloader Security...
Not with Multiloader nor with JTAG...
My knowledge how Boot is correct written + activated... = 0
I saw some other Firmware from other models... it seems IMRC is still used...
Maybe someone found Algo or Tool to decode RC1.
Thanx.
Best Regards
Blub...
XXJB6 unfinished mission...
2 new Firmware good for research.
XXJEB as bada 1.x Firmware... nearly all Certs removeable...
Only Integrity check for *.so files left.
For bada 2.x
XPKG5 very interesting...
Only bad, I can't find where these 2 last Certs are stored?
Code:
SamsungSBRootCA.cer
Samsung_RootCA.crt
Best Regards
New attempt with JTAG... but again failed... :crying:
Magic is now CMM Script...
BUT I have only ELF from XXJEB...
Maybe this is the reason why Multiloader not flash XXJB6 Bootloader...
Now I could learn more about CMM...
To flash correct file to correct address...
Or maybe way to extract RC1 ... because old IMRC Algo...
Not sure if maybe broken for other Samsung handsets...
Best Regards
Hmm, I can see S8000 Jet use for RC1 also IMRC...
Maybe possible to flash RC1 XXJB6 to S8000, then copy content from handset...
Best Regards
Please help.
I am searching for friendly S8000 Jet User.
Can someone confirm working Command:
Code:
FmSecureMode off
And I wish content of S8000 folder System please.
See here what I mean:
http://forum.xda-developers.com/showpost.php?p=12436452&postcount=1
Thanx in advance.
Best Regards
http://forum.xda-developers.com/showpost.php?p=34508619&postcount=132
Now I have own S8000 Jet...
First try to flash RC1 from XXJB6 fail...
NAK_invalid_len
Need more knowledge about S8000...
Best Regards
Edit 1.
Maybe no chance... I have forgotten to check size...
Rsrc_S8000_Open_Benelux_OCE.rc1 is 80 MB
Rsrc_S8500_Open_Europe_Common.rc1 is 100 MB
Maybe S8000 not reserved 100 MB for RC1... :crying:
Edit 2.
I have removed 20 MB...
S8000 Jet start with reduced XXJB6 RC1
Now I copy System folder...
Maybe few files corrupted and over 20 MB missing...
But better than nothing. :victory:
http://forum.xda-developers.com/showpost.php?p=34518982&postcount=34
Okay, second attempt successfully read few files from XXJB2 RC1...
And I found limit for RC1 in S8000...
Code:
> FLASH_RSRC1_SIZE : 0X04B00000
> FLASH_RSRC1_START_ADDR : 0X03700000
> FLASH_RSRC1_END_ADDR : 0X08200000
So ""80 MB"" ...
Will check older Firmware, maybe more place in other Versions reserved...
Best Regards
http://www.mediafire.com/?um7dr5ufti7h0dx
Here is folder with RBMs from XXJB6.
Also not all are visible with Wave_Remaker...
Few are funny and interesting...
Later I will upload more... but again.
During small reservation of S8000 I was only able to flash 75 MB of 100 MB from RC1.
Maybe also few files are corrupt... Not checked all.
Best Regards
I'm trying to collect few other Firmware from other Samsung devices...
U700 IMRC seems other algo maybe...
Bluescreen ... on S8000
FmMountVolume
Fm_FS_LFS
FM_PARTITION_LFS_C
Next try is M8910 RC1...
Btw. I have forgotten XXJC5 is also IMRC and bigger than XXJB6...
Later more...
Best Regards
Edit 1.
M8910 RC1 without problems work on S8000...
Remember only end.bin last 1024 Byte have to be modified for correct addresses...
Edit 2.
S5620 RC1 tested...
It seems more compatible than U700 RC1 but also loop...
Maybe if I can disable Animation Power ON then chance to check next Error...
New Year... New attempt
Bootfiles Mixed with XXJEB...
boot_loader.mbn from XXJEB
dbl.mbn from XXJB6
Multiloader can flash this combination and it seems XXJEB then work...
I hope if I manage to understand how to use Binary instead ELF in CMM Script, then maybe I am 1 day able to flash Boot from XXJB6...
Best Regards
IMRC related... there are more Samsung devices with IMRC compressed RC1...
Code:
RC1(IMRC) compatible size
S8000 x 75/80
S8500 XXJB6 x 100+
M8910 x 75/?
S5620 -
U700 -
F480 -
S5510 -
S7350 -
G800
U900
I am not sure if different IMRC Versions... because mandatory few RBM files needed in System folder...
Best Regards
Edit 1.
Sometimes I can see Power ONOFF Animation...
Edit 2.
It seems IMRC different Versions... see first 8 Byte...
F480 for instance compared with S8500...
I think at 0x14 4 Bytes for DEcompressed size stored... Little Endian
yes, the header is different.
index - also. but it is clear.
the compression algorithm - still a mystery
PHP:
//magick //always1 //index_type //size??? //count //array of tail size or offset
G80LXEIE1 0x43524D49 0x00001000 0x0000000B 0x00000006 0x02464A38 0x00002466 0x00000000 0x00000338 0x000004A0 0x000007C8 0x00000924 0x00000BA4 0x00000CFC 0x00000F94 0x000010E4
U70BXEIF1 0x43524D49 0x00001000 0x0000000B 0x00000006 0x01E5BB48 0x00001E5D 0x00000000 0x00000338 0x00000498 0x00000774 0x000008B8 0x00000BC4 0x00000D28 0x00000EF8 0x00001028
F480XEHE1 0x43524D49 0x00001000 0x0000000C 0x00000006 0x01A55024 0x00001A56 0x00000170 0x0000030F 0x0000013A 0x000002F6 0x00000147 0x000002B6 0x000000E4 0x00000295 0x00000144
F48FXEID1 0x43524D49 0x00001000 0x0000000C 0x00000006 0x01EF4A6C 0x00001EF5 0x0000016C 0x000002E7 0x0000014B 0x00000335 0x0000012D 0x000002A1 0x000000E0 0x00000277 0x0000013F
S5510XEIJ1 0x43524D49 0x02000400 0x00001000 0x0000000C 0x00000006 0x01CC581C 0x00001CC6 0x00000165 0x00000358 0x000000AE 0x00000277 0x000000BD 0x00000284 0x0000015D 0x00000327 0x000000EC
S735EXEII2 0x43524D49 0x02000400 0x00001000 0x0000000C 0x00000006 0x02A74E80 0x00002A75 0x00000147 0x0000033A 0x000000D4 0x000002A0 0x000000B5 0x0000027E 0x00000125 0x00000315 0x00000111
S8500XXJB6 0x43524D49 0x02000400 0x00001000 0x0000000C 0x00000006 0x09BF64A0 0x00009BF7 0x00000141 0x000002DC 0x00000116 0x00000280 0x0000014B 0x000002FB 0x00000155 0x000002D4 0x00000124
U90UXEIE3 0x43524D49 0x00001000 0x0000000C 0x00000006 0x032BAF08 0x000032BB 0x00000168 0x0000030B 0x0000012F 0x000002C3 0x0000013F 0x000002D0 0x00000103 0x00000272 0x000000D0
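Added example (not from the thread): a Python parser for the IMRC header words in the table above, covering both the short layout and the one with the extra `0x02000400` word, which puts the size at 0x14 as noted earlier for S8500. Reading the `0x1000` word as a block size, the count check and the "offsets"/"sizes" labels are inferences from the listed values, not a documented format.

```python
import struct

IMRC_MAGIC = 0x43524D49  # the bytes "IMRC" read as a little-endian u32
BLOCK_WORD = 0x1000      # the constant word from the table; assumed to be a block size


def _pack(words):
    """Pack table values back into the little-endian bytes of a file header."""
    return struct.pack("<%dI" % len(words), *words)


# Constructed inputs: the first ten words of three rows of the table above.
SAMPLES = {
    "G80LXEIE1": _pack([0x43524D49, 0x00001000, 0x0000000B, 0x00000006, 0x02464A38,
                        0x00002466, 0x00000000, 0x00000338, 0x000004A0, 0x000007C8]),
    "F480XEHE1": _pack([0x43524D49, 0x00001000, 0x0000000C, 0x00000006, 0x01A55024,
                        0x00001A56, 0x00000170, 0x0000030F, 0x0000013A, 0x000002F6]),
    "S8500XXJB6": _pack([0x43524D49, 0x02000400, 0x00001000, 0x0000000C, 0x00000006,
                         0x09BF64A0, 0x00009BF7, 0x00000141, 0x000002DC, 0x00000116]),
}


def parse_imrc_header(data, preview=4):
    """Decode the fixed header words and the first few index entries."""
    if len(data) < 8:
        raise ValueError("too short for an IMRC header")
    magic, second = struct.unpack_from("<2I", data, 0)
    if magic != IMRC_MAGIC:
        raise ValueError("missing IMRC magic")
    # Newer files carry one extra word between the magic and the 0x1000 word.
    pos, extra = (4, None) if second == BLOCK_WORD else (8, second)
    if len(data) < pos + 20:
        raise ValueError("header truncated")
    block, index_type, unknown, size, count = struct.unpack_from("<5I", data, pos)
    if block != BLOCK_WORD:
        raise ValueError("unexpected header layout")
    index_pos = pos + 20
    available = (len(data) - index_pos) // 4
    entries = struct.unpack_from("<%dI" % min(preview, available), data, index_pos)
    return {
        "extra_word": extra,
        "block_size": block,
        "index_type": index_type,
        "unknown": unknown,
        "size": size,
        "size_offset": pos + 12,
        "count": count,
        # Type 0x0B rows rise from 0 like offsets; type 0x0C rows look like sizes.
        "index_kind": "offsets" if index_type == 0x0B else "sizes",
        "index_preview": list(entries),
    }


def count_is_consistent(hdr):
    """Check count against ceil(size / block); an offset table has one entry more."""
    blocks = -(-hdr["size"] // hdr["block_size"])
    expected = blocks + 1 if hdr["index_type"] == 0x0B else blocks
    return hdr["count"] == expected


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        h = parse_imrc_header(raw)
        print(name, hex(h["size"]), "at", hex(h["size_offset"]),
              h["index_kind"], count_is_consistent(h))
```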
I don't understand if RC1 is decompressed by Bootloader or by apps_compressed.bin...
QMD in Header is in later Firmware from S8500...
Short tested...
I can change this in RC1...
QAB
S8500 starts normal...
If I try to change all 3 letters... then short Bluescreen... But I can't see Error message fast enough... maybe later...
I have changed into 123 instead QMD...
Will check again... Maybe I can capture Bluescreen...
Video or something else...
Later I will try this with S800 and IMRC textstring...
I want to identify if Boot or apps_c task to decompress RC1...
Best Regards
Edit 1.
I hope Pic is readable... Tested with Debug Level high and on XXJEB S8500...
Looks like something like this...
Code:
QuramMduceRFlashInitM((void*)pFotaRsrcCompHeader[QURAM_RSRC_BIN_TYPE_LFS]
Found in apps_compressed.bin...
Hmmmmmmmmmmmm. In theory it seems I don't need Bootloader from XXJB6...
BUT... damn apps_compressed.bin is also secured by something ugly...
Last 1024 Byte... aka end.bin...
Anyway... will now check again IMRC Header in S8000...
Maybe here also possible to force Bluescreen in Debug Level High...
Best Regards
If I destroy IMRC Header on S8000... XPJA1... Debug Mid...
Later I will try to catch all 5 Bluescreens..
Here 1/5...
Best Regards
Code:
RC1(IMRC) compatible size
S8000 x 75/80
S8500 XXJB6 x 100+
M8910 x 75/?
S5620 -
U700 -
F480 -
S5510 -
S7350 -
G800 -
U900
S5600 -
B5310 -
Found few more devices...
It seems - not ever means incompatible... I can see sometimes Power ONOFF Animation... smaller Resolution than 480 x 800... So maybe reason is smaller *.rbm files force to Reboot... Will check "later" with Debug Mid...
Best Regards

Security related Questions

SecretKey.key
Any idea what this is for?
Searched little bit through folder Security...
Found in S8500XPKJ1.
Best Regards
For quick insight:
Main function is SpkiDispatch , it does create this file by calling SpkiSaveMasterSecretKey, together with that key it does create directories
"/Security/Log/"
"/Security/Log/Cert/"
"/Security/CM"
SpkiSaveMasterSecretKey does use functions
SecFrameGetIMEI
SpkiBase64Decode
SecCrDecodeRSAPublicKeyEx
Whole "Spki" functions family seems to be related with OS certificate manager. And yeah, looks like it is based on IMEI, or does include IMEI itself.
//edit:
Oh yes, string which is hardcoded into APPS and is being decoded by Base64 during runtime (probably kind of init state of the key) is
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKyA2m2/PTRbsv9Y+39R6wroIniRv3nAUcOPH6dhg/9+2sCoWk0BgDtmfNMtUpueEzAr1OmAtxIfxt+gcaaFGDTr2NiY4ML9NhIv0frmlEsE8CLZFcMLYnCaeo7IMpDhnkUJA/aFhm42hmHM//e9sW2zOeN/oFrZ6wH7BEJmVEpQIDAQAB
from the looks of that string - I think you're looking at ... ahem wait for it ... a secret key -- or perhaps one half of a public/private key pair. Something that AES128 would be perfect for... good luck cracking that one.
Compared between S8500 and S8530... both on KJ1:
Code:
535730310093C300064D4F42494C45C5000431303234C60080
Something human readable like this:
Code:
SW01 MOBILEÅ 1024
So first 25 Bytes are for header...
Then 128 Bytes...
Hmmm... 128 Bytes could be RSA 1024 encrypted...
Best Regards
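Added example (not from the thread): a Python sketch that walks the 25 header bytes quoted above as a magic, a 16-bit big-endian body length and tag/length/value records. This record layout is an assumption that happens to fit the quoted bytes (25 header bytes, then a 128-byte value); the 128 payload bytes themselves are not on the page, so the last record is reported as incomplete.

```python
import struct

# The 25 header bytes quoted in the post (same on S8500 and S8530, both on KJ1).
HEADER_HEX = "535730310093C300064D4F42494C45C5000431303234C60080"


def parse_key_header(blob):
    """Walk magic + u16 body length + (tag u8, length u16, value) records."""
    if len(blob) < 6:
        raise ValueError("need at least the magic and the length field")
    magic = blob[:4].decode("ascii", "replace")
    (declared,) = struct.unpack_from(">H", blob, 4)
    records, pos, accounted = [], 6, 0
    while accounted < declared and pos + 3 <= len(blob):
        tag, length = struct.unpack_from(">BH", blob, pos)
        pos += 3
        value = blob[pos:pos + length]
        records.append({
            "tag": tag,
            "length": length,
            "offset": pos,                      # where the value starts in the file
            "value": value,
            "complete": len(value) == length,   # False when the value was not supplied
        })
        pos += length
        accounted += 3 + length
    return {"magic": magic, "declared_body": declared,
            "accounted": accounted, "records": records}


def keysize_consistent(info):
    """True when an ASCII decimal field equals the bit length of the last value."""
    if not info["records"]:
        return False
    sizes = [int(r["value"]) for r in info["records"]
             if r["complete"] and r["value"].isdigit()]
    return bool(sizes) and sizes[0] == info["records"][-1]["length"] * 8


if __name__ == "__main__":
    info = parse_key_header(bytes.fromhex(HEADER_HEX))
    print(info["magic"], "body", info["declared_body"], "accounted", info["accounted"])
    for rec in info["records"]:
        print(hex(rec["tag"]), rec["length"], rec["value"], rec["complete"])
    print("key size field matches payload length:", keysize_consistent(info))
```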
Factory Production Mode
This seems interesting... for me...
Tested on XXJEB...
If I play with Developer Commands... for instance:
Code:
> *> cmd="CheckFPM"
> DevGetHomeDLFlag : Address(0x1dcc0000) flag(0xffffffff)
> RbmCHCheckHomeDLFlag : FLAG value=0x8,result=0
> *> return value = -1 (0xFFFFFFFF)
Code:
> *> cmd="EnableFPM"
> DevGetHomeDLFlag : Address(0x1dcc0000) flag(0xffffffff)
> DevSetHomeDLFlag : Address(0x1dcc0000) flag(0x0000fff7)
> DevGetHomeDLFlag : Address(0x1dcc0000) flag(0x0000fff7)
> RbmCHEnableHomeDLFlag : FLAG value=0xfff7,result=1
> *> return value = 1 (0x00000001)
and...
Result is, after next Boot Wave starts with this funny Screen blue, then green... known by wrong key combination...
If I have changed to Qualcomm before... I can also write NV items via QPST...
Maybe here are more funny Flags possible... Check in JTAG dump at 0x1DCC0000...
Best Regards
I have found reason, how Wave checks "valid" apps_compressed.bin... also Boot...
Multiloader or every Flashing action writes own 512 Byte Info Block...
You can find them in 512 MB Full dump... from JTAG or from Ram Dump eXtractor:
http://forum.xda-developers.com/showpost.php?p=39658811&postcount=23
Search for this HEX value...
Code:
3412CDAB02000000
Now you can see your PC name... and your Country too...
your own IP address is also stored...
The other data are from last 1024 Bytes from boot_loader.mbn and apps_compressed.bin... parts of it... later more...
Sometimes I can see this... no idea yet why... or what:
Code:
Init Case 2
or
Code:
C#O#D#E Set
Hmmm... if I see this about Code... searching for and I find this in Boot...
Code:
Samsung:UNLOCK-KEY:/Security/Disabled
Fixed one for Samsung 3G platform. This string should be long ecnough maximum length is 128 bytes
A#D#D#R Set C#O#D#E Set
Hmmm, will try later...
Anyway, with this I have solved my BIG problem after M210S Firmware...
For now only with JTAG possible, but maybe later other solution... for instance via FOTA...
Best Regards
Code:
gHostInfo.pComputerName =
gHostInfo.pIP =
gHostInfo.pLocation = Germany
gHostInfo.pToolVer =
gHostInfo.uDatePC =
Nand Read ECC count 0, Retry total count 0
=================================
BootDebugBuffNandWrite
=================================
Taken from S8000 Jet dump...
Here more clear what Multiloader writes from your private data...
Best Regards
I'm trying to remove this from MultiLoader V5.67.exe...
Found in .exe
Code:
GetLocaleInfo
GetComputerName
Leads to kernel32.dll ...
Maybe I can find something else...
GetDateFormat crashes Multiloader...
Also
GetCalendarInfoA
To change into Set... I think its dangerous not to kill my Windows...
Best Regards
Edit 1.
GetComputerNameW for Unicode instead GetComputerNameA
Now Multiloader only writes first Character of your Computername... :angel:
Back to the Info Block with 512 Byte....
With Command PrtSecBoot
Code:
> SecBoot : slot num(2), mass production(0), verSecurity(2), slot age(3)
> SecBoot : invalid binary key detected
> SecBoot : slot age(3) Usb Version("S8530+XX+LA1"), usb age(1), Usb Creation time stamp "42/01/05 10:05"
> SecBoot : Code Version(""), code age(1), Code Creation time stamp ""
> SecBoot : Code Download device time("00/01/01 00:00:GMT"), host PC time("43/06/06 15:23:GMT")
> SecBoot : Used Downloading Tool is FastMultiLoader 0 5.6.7
> SecBoot : Download hostname("yourPCname"), location("Germany"), ip(1x3.1x3.9.xx)
> SecBoot : SysInfo change device time("00/01/01 00:00:GMT"), host PC time("00/01/01 00:00:GMT"), tool ver(""), change Method(0), age(0)
In this Info Block are stored 2 RSA 512 Signatures from Boot and 1 from apps_compressed.bin... from apps_c the second RSA 512 Sig... see here:
http://forum.xda-developers.com/showpost.php?p=38088383&postcount=68
I was able to try few things...
I can manipulate
verSecurity(2), slot age(3)
But tried to find
mass production(0)
tool ver("")
Here I can see Init Case 2... so this should be position for ... also:
C#O#D#E Set
I think this is set, if Unlock via Code... in theory...
A#D#D#R
No idea yet...
Maybe in this Info Block it is possible to complete disable Security check...
Best Regards
Little progress...
I am able to erase/overwrite address in 512 MB OneNAND manually via sending Commands...
http://forum.xda-developers.com/showpost.php?p=42919458&postcount=31
For now only 2000+ Bytes in FOTA area tested...
Code:
7E02EE000050098000...
7E00DD000050090008...
0x9500000 from XXLA1 S8530...
Later I hope I can erase this damn Info Block to repair my S8530 with M210S Firmware... without JTAG...
Best Regards
1.
How to find IMEI in JTAG dump?
1.1
Where is EFS address ...
2.
Contains sysinfo IMEI ?
2.1
How to find sysinfo in JTAG dump?
bada 1.x if Wave alive... in Security folder...
Then it is possible to search for in dump...
But it seems not on every Firmware on same position...
sysinfo is 6560 Bytes (19A0 HEX ) ...
Will do few tests with XXJL2... maybe laaaaaater I can identify IMEI and/or sysinfo in strange unknown JTAG dumps...
Best Regards
Edit 1.
For study maybe this:
S8500_Full512MB_IMEI_38178104728484_NandEC50_Alive
Test 1.
Search by text + Unicode... (if IMEI is correct in name...)
14 Digits instead 15...
Test 2.
Converting into NV item 550 Format...
083A...
Edit 2.
Maybe little progress... to find sysinfo in dump...
Found Header before... but there is no unique Header... with Joker between 3000 or 0 hits...
Different positions maybe "randomly" or apps_compressed Version specific...
To be sure I'm now downloading XXJF5 to compare with dump...
Strange...
I have remove sysinfo from my own JTAG dump, written back dump...
sysinfo restored or rebuild or copied from somewhere else?
Because 1:1 same...
Next attempt, to remove "Info Block" from 1FFC5000...
This is so strange...
Best Regards
http://forum.xda-developers.com/showpost.php?p=43436279&postcount=6
I'm using now this as template...
Changed only at 1FFC5000...
Then flash complete XXJL2 for compare...
Result is working S8500...
sysinfo is generated different...
And Imiation_IMEI.dat file is different...
Now will try to check few "INFO Blocks"... and compare results...
if sysinfo and/or Imiation_IMEI.dat will be different..
Best Regards
1.
How to find IMEI in JTAG dump?
1.1
Where is EFS address ...
Sometimes my brain works slooow...
1.
IMEI is stored in Format used in QC handsets 15 + years...
Near "MP" ... Hardwareversion...
1.1
Header of EFS seems:
Code:
ABEFCDAB
So address is:
0x1E700000
In older Firmware where Hardwareversion is PV... instead MP 2.000 or MP 1.000
Here I will check later again with open eyes... to find IMEI.
For now I will do some tests with replace ... to fully start foreign JTAG dumps to learn more about sysinfo...
Best Regards
Tested with S8500 and S8530 JTAG dumps... (on S8500)...
Attached PFS contain sysinfo and Imiation_IMEI.dat...
This force apps_compressed.bin to start with IM.. not active...
If NAND/Header Info at 0x1FFC5000 will be removed/deleted...
With RIFF JTAG for instance erase 0x1FFC 0000 to end...
For repair and educational purpose... only.
How to decrypt sysinfo?
Whole file ?
Parts of it ?
Best Regards
Little progress...
https://code.google.com/p/badadroid/source/browse/trunk/FOTA
100 years later I am able to compile these examples...
Easy under Windows 7 tested with FASMARM:
http://forum.xda-developers.com/showpost.php?p=46788023&postcount=35
I have tried with XXJEE Boot... because I need bada 1 for find sysinfo for my studies...
Very interesting.
In syssec.uniqueKey.bin I have found now S/N ...
S/N is also on Label under battery... before Samsung killed Service via Kies. It was also helpful to download Firmware...
I was ever wondering, why I am not able to find S/N...
Anyway. These FOTA examples helps me to increase my little brain.
For now tested only these:
Code:
dump_netlock_info.fota
dump_unique_keys.fota
nv_dump.fota
Next will be write_netlock_info.ASM...
Maybe this is what I think...
Yes, I know about FLOCK. But I need this for my JTAG Fullflash journey ... and for my little brain to understand how this work...
Btw.
I have no device here with SIM or Netlock...
To look into decrypted sysinfo and see the SHA1 Hashes is also possible via these FOTAs...
Thanx.
Best Regards
Few tests later...
It seems I have to play with DEcrypted sysinfo...
http://forum.xda-developers.com/showpost.php?p=47851350&postcount=49
First test failed with write_netlock_info.ASM before...
I have used DEcrypted Version, but nothing happens...
Maybe again my fault... anyway... tiny little step forward.
1 Goal is to identify sysinfo in JTAG dump... but here I need encrypted sysinfo...
Best Regards
Aha...
The reason is not only IMEI, because normally you can find IMEI in JTAG dump, but it seems Wave can not find anymore correct sysinfo... if fulldump from other Wave is flashed via JTAG.
http://forum.xda-developers.com/showpost.php?p=47851350&postcount=49
Result is working handset without IMEI... but this no problem...
Will check if now S/N is my or also gone with the other FOTAs...
But now I can flash 512 MB Fulldump WITHOUT modification of this file...
Then restore/rebuild sysinfo via bterm + correct FOTA...
Later more.
Best Regards
"Strange"...
sysinfo contain more than 1 or 2 SHA1 Hashes...
The others looks like "not available/not active" or something...
I have no handset with Lock...
I have only compared few DEcrypted sysinfo...
Simple copy and Paste not activate the Locks...
Later more...
Best Regards
Interesting...
Unique Key known from Header Info...
Stored in 512 MB OneNAND...
Is written into MBR (512 Byte) of moviNAND...
http://forum.xda-developers.com/showpost.php?p=49989727&postcount=68
If OneNAND is full erased, by JTAG RIFF for instance... Then text instead number:
Code:
PRODUCTCODEINVALID
Hmmmm, maybe this helps me later to restore sysinfo from JTAG dumps...
Best Regards

CSCTools 0.1 beta for Samsung

These apps will help you dump a csc and make your own csc image!
1.convert Samsung org csc(Ra000FF) or CSC.D000FF to real csc file.
cmdline: CSCConverter.exe -d i917ATTJK2.csc.Ra000FF i917ATTJK2.csc
CSCConverter.exe -d CSC.D000FF CSC.csc
PS: if you dumped a CSC.D000FF file, app will show you CSC Max Block Count, remember this, we will use it!
2.dump csc file and have a csc script file.
cmdline: CSCBuilder.exe -d i917ATTJK2.csc i917ATTJK2.txt
3.edit files and script file, then build a new csc file.
cmdline: CSCBuilder.exe -b i917ATTJK2_new.csc i917ATTJK2.txt
4.convert csc file to D000FF.
cmdline: CSCConverter.exe -b i917ATTJK2.csc CSC_new.D000FF 42
PS: 42 is i917 CSC Partition Max Block Count, I think it's same as i8700.
5.have fun with custom csc!
PS:
UAInput.000 in CSC is like a copy file script.you can use CSCPackage.cab.pkg to do this, but make sure cab signed cert is in your custom rom.
samsung WP7 device first boot:
1.copy CSCPackage.cab.pkg to \OSRoot\UpdateBin\CSCPackage.cab.pkg.
2.run SLDR to update CSCPackage.cab.pkg to Rom.
3.boot.
USAGE:
CSCConverter -d <CSC.D000FF/CSC.Ra000FF> <CSC File>
CSCConverter -b <CSC File> <CSC.D000FF> <Max Block Count>
CSCConverter -br <CSC File> <CSC.Ra000FF> <Max Block Count> (*not completed!)
CSCBuilder -d <CSC File> <CSC Script>
CSCBuilder -b <CSC File> <CSC Script>
Best Regards
Ego Zheng
2012/02/11
thanks
4.convert csc file to D000FF.
cmdline: CSCBuilder.exe -b i917ATTJK2.csc CSC_new.D000FF 42
PS: 42 is i917 CSC Partition Max Block Count, I think it's same as i8700.
on omnia7 its the same "42"
thanks for the app's real cool
Edit:
4.convert csc file to D000FF.
cmdline: CSCConverter.exe -b i917ATTJK2.csc CSC_new.D000FF 42
PS: 42 is i917 CSC Partition Max Block Count, I think it's same as i8700.
your text was/wrong
thank you very much
Fantastic~~This reminds me of my research of Nexus S's CSC carrier info modification~
And you are Ego? I didn't recognize you yesterday in my thread...since your ID is different from DFT Forum~~sorry for that...
Good work!
GREAT! I think this is just what I wanted! If I am correct in my assumption, using CSC we can debrand our phone and make custom registry edits like interop-unlock and enable ICS without needing to build/flash a whole ROM, right?
EDIT: So I made a CSC to debrand the ATT Focus and stop the 'Now' xap from being pinned but... after successfully flashing it to the phone and hard-resetting nothing changed. So I guess that means the only way to apply is to build it into the ROM or send the update cab which also means you have to rebuild the ROM with your own cert...

Samsung Galaxy Watch Active 2 (GWA2)

Last week I got my GWA2 from Germany and I'm very disappointed. Samsung Pay is still not available and changing region with SDBstarterKidv1 does not work. SDB and CSC.Manager execute without error messages on the PC but the region selection is not displayed on the watch's screen. Did Samsung block the possibility to change a region?
Why buy a watch where the advertised features are not available maybe in the future? ECG - 2020?, Fall Detection sometime, Blood Pressure - the App My BP Lab 2.0 is easy to install but does not work with the hardware, calibration stops after 10%..
Maybe Galaxy Watch Active 3 or 4 comes close to Apple watch!
Can you give maybe more details...
Model Name... Firmware Version...
What exact not work with SDB?
As you know... nobody have Crystal Ball...
Btw. I am better in German language...
Best Regards
Galaxy Watch Active 2
adfree said:
Can you give maybe more details...
Model Name... Firmware Version... SM-R820 Galaxy Watch Active 2(E8F5) UI-Ver. 1.5 Tizen-Vers. 4.0.0.6
What exact not work with SDB? … In my opinion SDB works flawlessly, there is just no output on the watch display.
After sdb connect, no 'Debugging RSA Key ...' prompt comes from the Active 2.
The app 'csc-manager.csc-pre-configuration' is executed, but no selection menu appears on the watch.
As you know... nobody have Crystal Ball...
Btw. I am better in German language...
Best Regards
Kind regards
eboeschen
Registered on 16.09. and already mocking samsung. Apple fanboy.
Sent from my SM-G975F using Tapatalk
adfree said:
Can you give maybe more details...
Model Name... Firmware Version...
What exact not work with SDB?
As you know... nobody have Crystal Ball...
Btw. I am better in German language...
Best Regards
While inviting another member (especially one with only one post), it is better to tell him the rules of XDA (which, as a senior member, you should also know).
English is the language to be used on XDA. If another language is to be used, the English version should be on top with the other language version following it.
eboeschen said:
Kind regards
eboeschen
Please note the above guideline and refrain from using another language only.
In addition, do not edit the post you are quoting. Post yours below the quote. This will make reading easier instead of hunting in the quoted post.
Same story with me: successfully linked my PC with the watch, did "sdb shell", but "launch_app csc-manager.csc-pre-configuration" did nothing on the watch's side, although the shell says "... successfully launched"
The watch is Galaxy Watch Active 2, bought in Germany. The goal is to change the region to SER to activate SPay.
csc-manager app is indeed there:
sh-3.2$ ls
com.samsung.alarm-mobile-alert-solis com.samsung.samsung-pay-app com.samsung.w-reminder
com.samsung.alarm-solis com.samsung.samsung-pay-guide-app com.samsung.w-taskmanager
com.samsung.app-list-backup-service com.samsung.sdbd-syspopup com.samsung.watch-utils
com.samsung.app-version-sync-popup com.samsung.setting-location com.samsung.watchface
com.samsung.app-widget com.samsung.shealth_gear com.samsung.weather
com.samsung.b2-setup-wizard com.samsung.sketch com.samsung.wemail
com.samsung.bluetooth com.samsung.skmsa com.samsung.wifi
com.samsung.bluetooth-testmode com.samsung.stopwatch-wc1 com.samsung.wifi-test
com.samsung.bt-syspopup com.samsung.supl-syspopup com.samsung.windicator
com.samsung.ciss com.samsung.testmode com.samsung.wis-backup-service
com.samsung.clocksetting com.samsung.timer-wc1 com.samsung.wnotification2
com.samsung.contacts-backup-service com.samsung.tizen.bixby com.samsung.worldclock
com.samsung.daily-briefing com.samsung.tizen.bixby-provisioning csc-app
com.samsung.dqagent com.samsung.tizen.bixby-voice csc-manager
com.samsung.emergency-message com.samsung.tizen.bixby-wakeup-service health-data-service
com.samsung.factory-clientw com.samsung.tizen.iva-service ise-engine
com.samsung.factory-nfchce com.samsung.tizen.samsung-account ise-languagepack-mgr
com.samsung.flash-light com.samsung.tizen.samsung-account.ui ise-multilingual
com.samsung.fmg com.samsung.tizenseckeystring net.stc-popup
com.samsung.fmm com.samsung.tts-setting net.wc-popup
com.samsung.fota-consumer com.samsung.tzdata-update-popup net.wc-syspopup
com.samsung.gearstore com.samsung.unit-test-device nfc-manager
com.samsung.iap-galaxyapps-consumer com.samsung.unit-test-input nfc-test
com.samsung.idle-clock-emergency com.samsung.unit-test-mm org.tizen.accessibility-setting
com.samsung.idle-clock-ups com.samsung.unit-test-network org.tizen.app-selector
com.samsung.idle-service com.samsung.unit-test-sensor org.tizen.crash-syspopup
com.samsung.ime-backup-service com.samsung.update-service org.tizen.dpm-syspopup
com.samsung.iot-resource-service com.samsung.voice-tos-app org.tizen.fido-syspopup
com.samsung.knox.license-viewer com.samsung.w-calendar2 org.tizen.heremaps-uc
com.samsung.knoxcustom-exitui com.samsung.w-call org.tizen.inputmethod-setting
com.samsung.knoxenrollmentservice-efl com.samsung.w-call-settings org.tizen.isf-kbd-mode-changer
com.samsung.logs-backup-service com.samsung.w-clock-viewer org.tizen.powerkey-syspopup
com.samsung.mapcontrol com.samsung.w-contacts2 org.tizen.privacy-setting-popup
com.samsung.mdec-consumer com.samsung.w-eas-it-policy org.tizen.screen-reader
com.samsung.message com.samsung.w-emergency-keypad org.tizen.stt-engine-default
com.samsung.message-backup-service com.samsung.w-gallery org.tizen.system-syspopup
com.samsung.nfc-setting-app com.samsung.w-home org.tizen.tts-engine-default
com.samsung.nfc-syspopup com.samsung.w-input-selector org.tizen.tzdata
com.samsung.pwlock com.samsung.w-lockscreen org.tizen.widget_viewer_sdk
com.samsung.runestone-core com.samsung.w-lockscreen-setting sem_daemon
com.samsung.runestone-gear com.samsung.w-logs2 smartcard-service
com.samsung.runestone-setting com.samsung.w-manager-service smartreply-service
com.samsung.safetyvolume-syspopup com.samsung.w-media-controller w-secure-element
com.samsung.samsung-account-front com.samsung.w-music-player xwalk-service
> Life1ess said:
> Same story with me: successfully linked my PC with the watch, did "sdb shell", but "launch_app csc-manager.csc-pre-configuration" did nothing on the watch's side, although the shell says "... successfully launched"
> The watch is Galaxy Watch Active 2, bought in Germany. The goal is to change the region to SER to activate SPay.
> csc-manager app is indeed there:
did you succeed to solve this problem? it happens the same to me with my german active 2
I will upload for SM-R820:
A
Code:
COMBINATION-FT40_R820XXU1ASI2.tar.md5
B
Code:
AP_R820XXU1ASHF_usr.tar.md5
BL_R820XXU1ASHF_usr.tar.md5
CSC_OXA_R820OXA1ASHF_usr.tar.md5
C
netOdin is here since years:
https://forum.xda-developers.com/showpost.php?p=73503787&postcount=150
UNTESTED with the new devices... OWN RISK!
Maybe the good old trick still work with Combination Firmware + CSC... and Code:
Code:
*#272*719434266344#
Need "few" minutes for upload...
Best Regards
Edit 1.
Combination Firmware for SM-R820:
https://www.file-upload.net/download-13731697/COMBINATION-FT40_R820XXU1ASI2.tar.md5.7z.html
Edit 2.
Stock Firmware for CSC...
https://www.file-upload.net/download-13731710/smR820XXU1ASHF.7z.html
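Added example, not part of the original post or of any Samsung tool: a check of the MD5 trailer on `.tar.md5` packages like the ones listed above, assuming the common Odin convention that the file is a tar archive with one `md5sum` line appended. The sample archive is constructed in memory; the trailer catches a corrupted or truncated download, not a repacked file, since anyone who rebuilds the tar can recompute it.

```python
import hashlib
import io
import re
import tarfile

# Assumed convention: the package is a tar archive followed by one line of
# `md5sum` output ("<32 hex>  <name>" or "<32 hex> *<name>").
TRAILER_RE = re.compile(rb"([0-9a-fA-F]{32}) [ *]([^\r\n\x00]+)\r?\n?\Z")
TAIL_WINDOW = 1024      # the trailer is one short text line at the very end
CHUNK = 1024 * 1024


def verify_tar_md5(fileobj):
    """Check the appended MD5 line of a seekable binary file object.

    Returns a dict whose "status" is "ok", "mismatch" or "no-trailer".
    """
    size = fileobj.seek(0, io.SEEK_END)
    tail_len = min(size, TAIL_WINDOW)
    fileobj.seek(size - tail_len)
    match = TRAILER_RE.search(fileobj.read(tail_len))
    if match is None:
        return {"status": "no-trailer", "expected": None, "actual": None, "name": None}

    # Only the bytes before the trailer are covered by the digest.
    body_len = size - tail_len + match.start()
    expected = match.group(1).decode("ascii").lower()
    digest = hashlib.md5()
    fileobj.seek(0)
    remaining = body_len
    while remaining > 0:
        chunk = fileobj.read(min(CHUNK, remaining))
        if not chunk:
            break
        digest.update(chunk)
        remaining -= len(chunk)
    actual = digest.hexdigest()
    return {
        "status": "ok" if actual == expected else "mismatch",
        "expected": expected,
        "actual": actual,
        "name": match.group(2).decode("utf-8", "replace"),
    }


def build_sample_tar_md5(name="SAMPLE_usr.tar"):
    """Constructed sample: a tiny tar with a dummy member plus an MD5 trailer."""
    payload = b"constructed payload, not real firmware"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("boot.img")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    body = buf.getvalue()
    trailer = hashlib.md5(body).hexdigest().encode("ascii") + b"  " + name.encode() + b"\n"
    return body + trailer


if __name__ == "__main__":
    good = build_sample_tar_md5()
    damaged = bytearray(good)
    damaged[520] ^= 0x01            # one flipped bit inside the member data
    for label, blob in (("intact", good), ("damaged", bytes(damaged))):
        print(label, verify_tar_md5(io.BytesIO(blob))["status"])
```

For a real download, pass `open(path, "rb")` instead of the in-memory sample.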
Any more luck in this area???
Thank you for providing the files. Is there any chance to get stock for a different CSC, preferably OXE?
Did anybody have any luck with changing CSC to get Samsung Pay on their GWA2?
Hello, I tried it but it doesn't work. It seems like after the code insert the CSC doesn't change.
In fact after the choose and the reboot in the software information there still is the old CSC code and after the stock flash Samsung Pay does not appear.
Where did you find the firmware?
@Eziooo
Can you check please Videos from this Thread...
https://forum.xda-developers.com/showpost.php?p=75846867&postcount=469
> It seems like after the code insert the CSC doesn't change.
After watching Videos... can you please "compare"...
Because no idea what you see... nor what you set...
Best Regards
> adfree said:
> @Eziooo
> Can you check please Videos from this Thread...
> https://forum.xda-developers.com/showpost.php?p=75846867&postcount=469
> After watching Videos... can you please "compare"...
> Because no idea what you see... nor what you set...
> Best Regards
I mean, I have the DBT CSC stock in my watch, I followed the steps in the first post of this thread:
https://forum.xda-developers.com/smartwatch/gear-s3/succesfully-changed-csc-to-xar-to-t3718236
but when I insert the code *#272*719434266344# (like in the video 2 you linked) and the watch reboots, I check the software information and there still is the "DBT" at the end of the software version, like nothing changed.
And when I flash the stock firmware at the end I don't have the Samsung Pay app..
> sammysams said:
> Did anybody have any luck with changing CSC to get Samsung Pay on their GWA2?
Nope. Same German active 2 and same problem. CSC change doesn't appear on watch screen. I'm afraid my watch is ready to go back to Germany
Same problem
> SynStratos said:
> did you succeed to solve this problem? it happens the same to me with my german active 2
Same problem. German GWA2 and "successfully launched" but nothing happens. I fight and fight, but now I'm tired...
Thank you for providing the files. Is there any chance to get stock for a different CSC, preferably OXE?
---------- Post added at 08:36 AM ---------- Previous post was at 08:29 AM ----------
Thank you for providing the files. Is there any chance to get stock for a different CSC, preferably PHE?
https://forum.xda-developers.com/showpost.php?p=80172836&postcount=793
Code:
engineer-mode-on.sh
Maybe something like this is required... to write to CSA...
OWN RISK!
If I had such device... I would log... maybe some infos available what is blocked or disabled or what failed...
Best Regards
Is somebody able to check few things?
Example from my SM-R760...
Code:
sh-3.2$ ls
apps_rw data media share
sh-3.2$ cd ..
sh-3.2$ cd /
sh-3.2$ ls
%{TZ_USER_SHARE} boot dev home lost+found mnt proc run srv tmp var
bin csa etc lib media opt root sbin sys usr
sh-3.2$ cd csa
sh-3.2$ ls
00000000.authtokcont ese nv sensor wd
TEE factory prov skpm_OTA_CSR_OCF_ECC_P256
bluetooth imei prov_data skpm_sk.dat
csc lost+found recovery skpm_supported_list
sh-3.2$ cd csc
sh-3.2$ ls
csc-active-customer.inf
sh-3.2$ cat /csa/csc/csc-active-customer.inf
XAR
sh-3.2$ cd ..
sh-3.2$ cd imei
sh-3.2$ ls
MSL_address.dat MSL_code.dat prodcode.dat serialno.dat
sh-3.2$ cat /csa/imei/prodcode.dat
SM-R760NDAAXAR
sh-3.2$
A.
Good to know if CSA is accessible without Root?
Code:
cd /csa
ls
If no... Combination Firmware with Root is useful...
If yes...
B.
Code:
cat /csa/csc/csc-active-customer.inf
In my Example you see XAR for USA...
With open eyes you can see... Production Code also contains CSC text string...
Code:
cat /csa/imei/prodcode.dat
C.
1 method for Logging is... enter Code after your action...
Code:
*#9900#
Maybe you can see by open eyes... why this fail or is blocked...
Code:
launch_app csc-manager.csc-pre-configuration
D.
You can try this and report what happens... Watch explode... your Dog or your Cat?
Code:
launch_app csc-manager.csc-verifier
Best Regards
I tried to follow your steps on my watch and this is the result:
sh-3.2$ ls
apps_rw data media share
sh-3.2$ cd ..
sh-3.2$ cd /
sh-3.2$ ls
afpc boot dev home lost+found mnt opt root sbin sys usr
bin csa etc lib media nuget proc run srv tmp var
sh-3.2$ cd csa
sh-3.2$ ls
00000000.authtokcont bluetooth ese imei prov recovery skpm_FACTORY_OCF_ECC_P256
TEE csc factory lost+found prov_data sensor wd
sh-3.2$ cd csc
sh-3.2$ ls
csc-active-customer.inf
sh-3.2$ cat /csa/csc/csc-active-customer.inf
DBTsh-3.2$ cd ..
sh-3.2$ cd imei
sh-3.2$ ls
prodcode.dat serialno.dat smsn.dat
sh-3.2$ cat /csa/imei/prodcode.dat
SM-R820NZKADBTsh-3.2$
Hope it may help you.
launch_app csc-manager.csc-verifier does nothing, the code *#9900# opens a secret menu..
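Added example, not part of the original posts: a small parser for a captured `sdb shell` transcript that pulls out the two values adfree asks about and compares them, handling the glued prompt seen in the output above (`DBTsh-3.2$`). The sample transcript is constructed, and the rule that the product code ends in the CSC is an assumption drawn from the two sessions shown in the thread.

```python
import re

PROMPT = "sh-3.2$"
ACTIVE_CSC_PATH = "/csa/csc/csc-active-customer.inf"
PRODCODE_PATH = "/csa/imei/prodcode.dat"

# Constructed sample, shaped like the session pasted above: the files have no
# trailing newline, so the next prompt is glued to the value ("DBTsh-3.2$").
SAMPLE = (
    "sh-3.2$ cat /csa/csc/csc-active-customer.inf\n"
    "DBTsh-3.2$ cd ..\n"
    "sh-3.2$ cd imei\n"
    "sh-3.2$ cat /csa/imei/prodcode.dat\n"
    "SM-R820NZKADBTsh-3.2$\n"
)


def cat_outputs(transcript, prompt=PROMPT):
    """Map each `cat <path>` command in the transcript to its output."""
    outputs = {}
    # Splitting on the prompt finds command boundaries even when a value and
    # the following prompt share a line.
    for segment in transcript.split(prompt)[1:]:
        command, _, output = segment.partition("\n")
        parts = command.split()
        if len(parts) == 2 and parts[0] == "cat":
            outputs[parts[1]] = output.strip()
    return outputs


def csc_report(transcript):
    """Compare the active CSC with the CSC suffix of the product code."""
    outputs = cat_outputs(transcript)
    active = outputs.get(ACTIVE_CSC_PATH)
    prodcode = outputs.get(PRODCODE_PATH)
    if active is not None and not re.fullmatch(r"[A-Z0-9]{3}", active):
        active = None  # error text, empty file or other unexpected content
    # Assumption taken from the two sessions in the thread: the product code
    # ends with the three-character CSC (SM-R760NDAAXAR, SM-R820NZKADBT).
    product_csc = None
    if prodcode and re.fullmatch(r"[A-Z0-9-]{6,}", prodcode):
        product_csc = prodcode[-3:]
    consistent = None if None in (active, product_csc) else active == product_csc
    return {
        "active_csc": active,
        "product_code": prodcode,
        "product_csc": product_csc,
        "consistent": consistent,
    }


if __name__ == "__main__":
    print(csc_report(SAMPLE))
```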

[Tool] Samloader (SamFirm / Frija replacement)

Hello,
I recently wanted to download some firmware for my Samsung device, but I realized that there is no 100% open source program to do so. In fact, all the tools that claim to do so require a library that is packed by Themida (so it is difficult to check what this might be doing), in order to authenticate to the server. This is a native DLL, meaning that it is only compatible with Windows x86. Additionally, many of these tools are actually using stolen decompiled code from SamFirm, which, apart from being possibly illegal, means they would be difficult to maintain and run slowly.
So, I decided to reverse engineer Smart Switch to figure out exactly how the download is taking place, and wrote a cross-platform tool that does this without using the Windows DLL that the other tools have, making it compatible with Linux and MacOS. I also realized that the newer versions are actually using a new version of the authentication algorithm, meaning possibly at some point the old tools might stop working as Samsung drops support for it.
You can find it at:
Code:
https://github.com/nlscc/samloader
To install, go to the downloaded repository and run:
Code:
pip3 install .
See the README or look at the code for usage. You might want to know that my old github account, nm111, was unfortunately deleted, and I lost access to my old XDA account. You can see the verified email is the same however.
Feel free to use the algorithms I figured out in your own code, so long as you don't use it in proprietary programs. It is licensed under GNU GPLv3 or later.
This works for all phones, not just S10+, but I couldn't find a better forum and this is where Frija posted.
Thank you. This is pretty cool. I downloaded it now and will check it out later tonight.
Can you please do the same thing for the emergency recovery option.
Will you update your tool if it still working in the future?
This is going to be super useful for me (ATM I'm using SamFirm with wine/proton and my setup breaks often, and GUI gets in my way) since I need to download many firmwares for my reverse-engineering, so thanks!
Late for this great find, thanks to the xda article, really needed a solution outside Windows.
PS, what are the chances for spoofing a request, i.e, trying to fetch only the latest OTA from a certain CSC?
@nn000 Glad this made the front page. I have used this for a little while now and it works great
@phhusson
This will work on windows if you use the WSL and install Ubuntu. You could probably get this working under Cygwin too.
Great work mate. Helps to gather various download. Unfortunately enough Samshung does not allow older firmware via server fetching..
Hi, thanks for this great tool as samfirm and frija are slow to download firmwares. I am trying to download firmware for galaxy watch. I can only search the firmware version but when trying to download it there is error:
filename = root.find("./FUSBody/Put/BINARY_NAME/Data").text
AttributeError: 'NoneType' object has no attribute 'text'
is there any way to modify this tool to download watch firmware too?
You are genius! Thanks for this tool. Can't wait to try this
> nn000 said:
> Feel free to use the algorithms I figured out in your own code, so long as you don't use it in proprietary programs. It is licensed under GNU GPLv3 or later.
> This works for all phones, not just S10+, but I couldn't find a better forum and this is where Frija posted.
Brilliant work!
Thank you very much for developing this tool and removing our dependency on Windows for such basic functionality as checking for and downloading firmware updates. Thank you also for having the foresight and generosity to publish this under the GPL.
This tool will receive a huge amount of use on my machines.
Thanks in advance, I don't know how to download the program, they would be so kind to give me a link. Thank you very much
I tried installing with the command found in the readme file
Code:
pip3 install git+https://github.com/nlscc/samloader.git
But when I type
Code:
$ samloader --help
It says "samloader: command not found"
Beautiful. Thanks for this tool!
> 4929york said:
> I tried installing with the command found in the readme file
> Code:
> pip3 install git+https://github.com/nlscc/samloader.git
> But when I type
> Code:
> $ samloader --help
> It says "samloader: command not found"
install python first, before try
> rikipy said:
> install python first, before try
Python was installed.
How to set download location(out) in the command line
samloader download [firmware version] [phone model] [region] [out]
I tried to put \Download but it's not in the folder.
I installed python39 and git on Win10 but still get errors
Code:
pip3 install git+https://github.com/nlscc/samloader.git
Collecting git+https://github.com/nlscc/samloader.git
Cloning https://github.com/nlscc/samloader.git to c:\users\danie\appdata\local\temp\pip-req-build-s8l3kwc6
Collecting clint
Using cached clint-0.5.1.tar.gz (29 kB)
Collecting pycryptodomex
Using cached pycryptodomex-3.9.8.tar.gz (15.6 MB)
ERROR: Command errored out with exit status 1:
command: 'c:\program files\python39\python.exe' -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\\Users\\danie\\AppData\\Local\\Temp\\pip-install-vvk574_e\\pycryptodomex\\setup.py'"'"'; __file__='"'"'C:\\Users\\danie\\AppData\\Local\\Temp\\pip-install-vvk574_e\\pycryptodomex\\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base 'C:\Users\danie\AppData\Local\Temp\pip-pip-egg-info-3i7fsfut'
cwd: C:\Users\danie\AppData\Local\Temp\pip-install-vvk574_e\pycryptodomex\
Complete output (20 lines):
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "C:\Users\danie\AppData\Local\Temp\pip-install-vvk574_e\pycryptodomex\setup.py", line 457, in <module>
set_compiler_options(package_root, ext_modules)
File "C:\Users\danie\AppData\Local\Temp\pip-install-vvk574_e\pycryptodomex\compiler_opt.py", line 341, in set_compiler_options
clang = compiler_is_clang()
File "C:\Users\danie\AppData\Local\Temp\pip-install-vvk574_e\pycryptodomex\compiler_opt.py", line 251, in compiler_is_clang
return test_compilation(source, msg="clang")
File "C:\Users\danie\AppData\Local\Temp\pip-install-vvk574_e\pycryptodomex\compiler_opt.py", line 82, in test_compilation
objects = compiler.compile([fname], extra_postargs=extra_cc_options)
File "c:\program files\python39\lib\distutils\_msvccompiler.py", line 323, in compile
self.initialize()
File "c:\program files\python39\lib\distutils\_msvccompiler.py", line 220, in initialize
vc_env = _get_vc_env(plat_spec)
File "c:\program files\python39\lib\site-packages\setuptools\msvc.py", line 314, in msvc14_get_vc_env
return _msvc14_get_vc_env(plat_spec)
File "c:\program files\python39\lib\site-packages\setuptools\msvc.py", line 268, in _msvc14_get_vc_env
raise distutils.errors.DistutilsPlatformError(
distutils.errors.DistutilsPlatformError: Microsoft Visual C++ 14.0 is required. Get it with "Build Tools for Visual Studio": https://visualstudio.microsoft.com/downloads/
Testing support for clang
----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
> Viper780 said:
> I installed python39 and git on Win10 but still get errors
> Code:
> distutils.errors.DistutilsPlatformError: Microsoft Visual C++ 14.0 is required. Get it with "Build Tools for Visual Studio": https://visualstudio.microsoft.com/downloads/
The problem is right there in front of you: Microsoft Visual C++ 14.0 is required. Get it with "Build Tools for Visual Studio": https://visualstudio.microsoft.com/downloads/
It's pretty annoying when there are requirements and you find out about them afterwards.
Would be good to write them to the install instructions
- python3
- git
- Buildtools for MS C++
Thanks for this, it works well! Cheers..
Example:
Install
Code:
pip3 install git+https://github.com/nlscc/samloader.git
Check update
Code:
samloader -m SM-G975F -r NZC checkupdate
Download
Code:
samloader -m SM-G975F -r NZC download -v G975FXXS9DTI8/G975FOXM9DTI8/G975FXXS9DTI8/G975FXXS9DTI8 -O /home/hinxnz/Downloads
Decrypt
Code:
samloader -m SM-G975F -r NZC decrypt -v G975FXXS9DTI8/G975FOXM9DTI8/G975FXXS9DTI8/G975FXXS9DTI8 -V 4 -i SM-G975F_1_20200921075534_uii8oafhih_fac.zip.enc4 -o SM-G975F_1_20200921075534_uii8oafhih_fac.zip
---------- Post added at 10:52 PM ---------- Previous post was at 10:41 PM ----------
> Viper780 said:
> I installed python39 and git on Win10 but still get errors
Now install linux
