Nvidia Shield Pro - Widevine Keys [Extraction and Re-Flashing] - Shield Android TV General

The Widevine keys location for 2015 Nvidia Shield TV Pro (500GB) is below
Widevine Keys Location:
Start Offset: 0x2200000
End Offset: 0x22021FF
(Total Size: 8704 bytes)
What I am looking to do is make the restore process simple with dd. Here is what I need.
1. Block number - I need the precise block number where this information is stored. How do I find this?
2. Extract - need dd command to extract the Widevine key information precisely from start and end offset blocks to a .bin file. I believe dd would need the count= option to specify the precise blocks from point 1 above.
3. Restore - need dd command to load the extracted .bin to the new drive at the precise block location. I believe dd would need the seek= option to specify the precise blocks from point 1 above.
Points 2 and 3 will be my fastest restore way as I could extract my Widevine Key and flash it to the next drive with just 2 dd commands.
Any help would be highly appreciated.

banstro said:
The Widevine keys location for 2015 Nvidia Shield TV Pro (500GB) is below
Widevine Keys Location:
Start Offset: 0x2200000
End Offset: 0x22021FF
(Total Size: 8704 bytes)
What I am looking to do is make the restore process simple with dd. Here is what I need.
1. Block number - I need the precise block number where this information is stored. How do I find this?
2. Extract - need dd command to extract the Widevine key information precisely from start and end offset blocks to a .bin file. I believe dd would need the count= option to specify the precise blocks from point 1 above.
3. Restore - need dd command to load the extracted .bin to the new drive at the precise block location. I believe dd would need the seek= option to specify the precise blocks from point 1 above.
Points 2 and 3 will be my fastest restore way as I could extract my Widevine Key and flash it to the next drive with just 2 dd commands.
Any help would be highly appreciated.
Does that location not correspond to a partition?

Mogster2K said:
Does that location not correspond to a partition?
I believe it does, but not 100% sure. I found very limited information on this after hours of searching online.
I think I had come across a post which someone on either this forum or official nvidia forum had posted a command to dump the keys to a bin file and restore it to the cloned drive. Wish I had saved that post link as I was in the very initial phase and was just thinking about moving to SSD.

banstro said:
I think I had come across a post which someone on either this forum or official nvidia forum had posted a command to dump the keys to a bin file and restore it to the cloned drive.
https://www.nvidia.com/en-us/geforce/forums/shield-tv/9/222980/changing-the-hard-drive/

mihalas said:
https://www.nvidia.com/en-us/geforce/forums/shield-tv/9/222980/changing-the-hard-drive/
Thank you!

Related

[tutorial] APX Usage

Okay, here's an ADVANCED tutorial for flashing your elocity a7 tablet with factory firmware manually using the nvidia apx flash tools. The intention of providing this information is so you don't have to google to get it all in one place, w/ details pertaining to the elocity a7. YOU SHOULD always attempt to flash from android recovery FIRST before attempting these instructions. they are intended for advanced users only. please use extreme caution.
to obtain the nvidia apx flash tools follow @5[Strongino]'s instructions;
1.
3.1 Getting Nvidia Tools
- Go to http://developer.nvidia.com/tegra/devkit-250tango and download "Android 2.2 (Froyo) for Tegra 250 & Tango ONLY" (one or both Windows/ Linux)
Speedlinks (NVidia updated tools 7 feb 2011, so links would change in future)
Windows:
Code:
http://developer.download.nvidia.com...o_20110207.msi
Linux:
Code:
http://developer.download.nvidia.com...0110207.run.gz
- [WIN] the default installation location is
Code:
C:\Program Files\NVIDIA Corporation\tegra_froyo_20110207
okay, you have the software. i'm assuming you did this from windows; i did, as there were more reported instructions for use from windows.
2
if you don't already have it, you should download the latest factory firmware for the elocity a7;
Code:
http://www.elocitynow.com/support_downloads.shtml
the latest firmware update is dated February 24, 2011, and the build version is PBJ8000.2.0133.
3
what i did to set up was make a folder titled;
Code:
C:\Program Files\NVIDIA Corporation\tegra_froyo_20110207\tegrabackup
i then moved the following files from the tegra_froyo_20110207 folder to the new \tegrabackup folder;
boot.img
bootloader.bin
recovery.img
system.img
you may wish to also move flash.bct (i did not do this step) as well, as all 5 files are factory software for a tegratablet (not the A7, don't ask me to go into details right now).
4
i then extracted the latest update.zip from elocity's website to the;
Code:
C:\Program Files\NVIDIA Corporation\tegra_froyo_20110207
folder for convenience, so that i can run the nvidia apx flash tool w/ our software in the same directory.
5
i pulled the elocity a7 partition information (so we know what partition numbers to flash our software to).
Code:
nvflash -r --getpartitiontable partitiontable.txt
6
i then updated the flash.cfg file in the same folder we're working in using that information.
download link here;
Code:
http://www.mediafire.com/?rgzshkvw369dfdr
7
i'm missing the instructions i used to format the cache partition using nvflash, but this may not be necessary; will update later.
8
i flashed the new recovery.img from the update.zip provided by elocity support.
Code:
nvflash --bl bootloader.bin --download 6 recovery.img
--
that's it for flashing the latest factory recovery. i did this, and formatted the cache partition using nvflash. afterwards, when i booted to recovery it still had the recovery.c error at the bottom, but the buttons were responsive instead of flaky, and i was able to wipe cache, factory reset and apply the update.zip from my sdcard.
--
notes; partition #'s for the elocity a7, 12 partitions total, starting w/ id#2;
2 BCT - Boot Configuration Table
3 PT - Partition Table
4 EBT - Bootloader
5 NVC -
6 SOS - Recovery Kernel - recovery.img
7 LNX - System Kernel - boot.img
8 MBR - msdos partition table for the rest of the disk
9 APP - OS root filesystem - system.img
10 CAC - Cache partition (?)
11 MSC
12 ER1
13 UDA
i loosely created the flash.cfg file using the partition information available, the examples present, and calculated the partition size by multiplying the number of sectors by bytes per sector in the partitiontable.txt. some details about non-pertinent partitions (for me) may be incorrect in the flash config; the important thing for me is that the partition numbers are correct for our use, and the sizes should be correct so the partitions get put in the right order. i will note that there is much more space available for system; it would appear that when flashing w/ android recovery the system partition created seems to be just the size for the system files and nothing more.
i'm wondering if one were to do a full format of the apps partition and create a zipped /system file system w/ install script if the full space would be available.. future tests.
--
dangerous experiments for those w/out sdcard access after this, as i have not read any report that flashing the system.img worked yet.
if you want to try;
Code:
nvflash --bl bootloader.bin --download 9 system.img
if you're REALLY BRAVE, try flashing the whole update.zip (extracted to the nvflash folder) using this command;
Code:
nvflash --bl bootloader.bin --download 6 recovery.img --download 7 boot.img --download 9 system.img
this will flash the factory recovery, boot (kernel+ramfs), and system. until some brave soul tests these options out, we won't know for a fact it's safe. in theory it should be.
my theories come with no warranties.
--
i would still suggest reading in depth (google), and studying backing up your devices partitions using nvflash. i didn't post instructions for this, as i was not able to get this to work, and was the least of my concerns w/ an already bricked tablet.
--
additional apx commands available;
Code:
Nvflash started
nvflash action [options]
action (one or more) =
--help (or -h)
displays this page
--cmdhelp cmd(or -ch)
displays command help
--resume (or -r)
send the following commands to an already-running bootloader
--quiet (or -q)
surpress excessive console output
--wait (or -w)
waits for a device connection (currently a USB cable)
--create
full initialization of the target device using the config file
--download N filename
download partition filename to N
--setboot N
sets the boot partition to partition N
--format_partition N
formats contents of partition N
--read N filename
reads back partition N into filename
--getpartitiontable filename
reads back the partition table into filename
--getbit filename
reads back BIT into filename
--getbct
reads back the BCT from mass storage
--odm C Data
ODM custom 32bit command 'C' with associated 32bit data
--go
continues normal execution of the downloaded bootloader
options =
--configfile filename
indicates the configuration file used with the following commands:
--create, --format_all
--bct filename
indicates the file containing the BCT
--sbk 0x00000000 00000000 00000000 00000000
indicates the secure boot key for the target device
--bl filename
downloads and runs the bootloader specified by filename
--odmdata N
sets 32bit customer data into a field in the BCT, either hex or
decimal
--diskimgopt N
sets 32bit data required for disk image convertion tool
--format_all
formats all existing partitions on the target device using the config file,
including partitions and the bct
--setbootdevtype S
sets the boot device type fuse value for the device name.
allowed device name string mentioned below:
emmc, nand_x8, nand_x16, nor, spi
--setbootdevconfig N
sets the boot device config fuse value either hex or decimal
--verifypart N
verifies data for partition id = N specified. N=-1
indicates all partitions
Intended to be used with --create command only.
--setbct
updates the chip specific settings of the BCT in mass storage to
the bct supplied,used with --create, should not be with --read,and
--format(delete)_all,format(delete)_partition,--download, and--read
--sync
issues force sync commad
--rawdeviceread S N filename
reads back N sectors starting from sector S into filename
--rawdevicewrite S N filename
writes back N sectors from filename to device starting from sector S
--updatebct <bctsection>
bctsection should refer to the section of the bct we are updating.
Curently we suport updates for following sections
<SDRAM> updates SdramParams and NumSdramSets fields
<DEVPARAM> updates DevParams, DevType and NumParamSets
<BOOTDEVINFO> updates BlockSizeLog2, PageSizeLog2 and PartitionSize
Very good information to learn more about these tablets.
But I would be far from surprised if this thread helps create enough bricks to build a wall
Knowledge in the hands of few is power, knowledge in the hands of many is dangerous lol.
the information is provided from personal experience from myself and other users on the xda forum. i just put it all in one place so folks can gain some insight on the subject in one thread w some continuity instead of fragments googled and lost when the browsers closed.
otherwise i think i put blunt cautions at the beginning and end of the OP.
Sent from my X10i using Tapatalk
Wonder when the Honeycomb image is going to show up on that page...
I don't think it will.
I want to try honeycomb with that. Is there any way I can test it without bricking my tablet? Even if some parts don't work, I want to test it; at least we could get a first taste of Honeycomb on our tablet.
yeah.. actually, if you look at the nvidia ventana sdk, there is a gingerbread sdk for tegra2, just the ventana is the next generation board. not a perfect fit, but a sloppy chef job could possibly be done.
lotta folks bringing the subject of os upgrades up in every thread. almost to the point of desperate spamming.
..you could try yourself instead of waiting for others.
EDIT; my bad. you said honeycomb. none the less, you're only detracting from existing threads. please, start a new thread.
Sent from my X10i using Tapatalk
I'll try 2.3 too, why not !
Flash updated recovery using APX
Hi, bestialbub. The capacitive buttons in my Elocity A7 are flaky, both within Recovery and within the Android OS itself. The affected buttons are the Menu and Back buttons; sometimes they're responsive, other times no response at all. I'm wondering if flashing an updated Recovery via APX will remedy this (as it did in your case). BTW, I can't seem to download the Flash Tools even after creating an nVidia account. You mentioned flashing from Windows. How did you connect your A7 to the PC for flashing, as there's no included Data Cable with the package? Thanks.
racesurg said:
Hi, bestialbub. The capacitive buttons in my Elocity A7 are flaky, both within Recovery and within the Android OS itself. The affected buttons are the Menu and Back buttons; sometimes they're responsive, other times no response at all. I'm wondering if flashing an updated Recovery via APX will remedy this (as it did in your case). BTW, I can't seem to download the Flash Tools even after creating an nVidia account. You mentioned flashing from Windows. How did you connect your A7 to the PC for flashing, as there's no included Data Cable with the package? Thanks.
Found post by 5[Strogino]. Got nVidia Flash Tools and saw pic of cable. Thanks.
I have tried and it gets stopped at the usb and android logo
my tablet is a compal 7
some help please
Look, press the power button for about 15-20 sec. That will be enough.
hextor_dark said:
Look, press the power button for about 15-20 sec. That will be enough.
That only restarts the machine and then it gets stuck on the logo again.

How to backup your modem.

There is a modem for the optimus G here:
http://downloads.codefi.re/houstonn/lgog/modem/E975_E977_E976
but it is from firmware 10b. You may want to try it to see if it works better than your firmware. In this case, it is better if you make a backup of your current modem firmware, so you can go back to your version. Here I will write instructions to back up your modem, so you can restore it if you need to.
Probably some of you know this already and feel like these are old news, but maybe we can build a modem firmware library.
You need root and a way to make an adb connection to your phone. If you cannot use adb, you can always use a terminal emulator on your phone, but this makes it a bit harder to type the commands. Also, this is for people who understand what they are doing. If after reading the tutorial you don't understand what the commands do, please don't try it. Or at least don't make me responsible if your phone bricks. Here we go.
NON NEEDED STEPS: These steps are here to show why this works.
1-Connect to your phone by adb.
2- On the terminal type :
Code:
mount
You'll see the following (amongst other things):
Code:
/dev/block/platform/msm_sdcc.1/by-name/modem /firmware vfat ro,context=u:object_r:radio_efs_file:s0,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=cp437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 0
This means that the partition containing the firmware is /dev/block/platform/msm_sdcc.1/by-name/modem and it is mounted at /firmware.
NEEDED STEPS
1- Connect by adb
2- On the terminal type
Code:
su
Check if confirmation is needed on the phone screen. If needed, accept.
3-
On the terminal type:
Code:
dd if=/dev/block/platform/msm_sdcc.1/by-name/modem of=/sdcard/modem.img
4-You will receive the following after some seconds:
Code:
131072+0 records in
131072+0 records out
67108864 bytes transferred in 29.959 secs (2240023 bytes/sec)
5-Type
Code:
exit
exit
adb pull /sdcard/modem.img
6-Now you have your backup.
HOW TO PACK THIS BACKUP FOR FLASH:
1-Download the file: cwm-lgog_e975-europe-10b_modem.zip from http://downloads.codefi.re/houstonn/lgog/modem/E975_E977_E976
2-Open the zip file and replace the existing modem.img with your file
3-Rename the file to something meaningful, like cwm-lgog_e975-europe-10f_modem.zip
After these steps, you should be able to flash any modem, knowing that you can go back to your old version.
You can upload the packed files here, so we can have a library. I will upload the modem from european 10f version here. I tested it and it works correctly, but I won't take any responsibility for what you do with this file.
Good luck.
All this info is obtained from examining the houstonn LGOG modem flasher from team codefire, so all thanks go to them. Thanks.
Very nice tutorial, man. It will help newbies like me to back up and restore our modem.img, especially those who have F180* phones that want to be or are being converted to E975. Nice job.
Nice,i'll add this to the Freaking Annoying Questions.
Sent from Asylum via LG E975/smart phones,dumb people.
Nice job.. Does it work on the e977 with 10a firmware?
Thx.
Sent from my LG-E975 using xda app-developers app
You should be able to backup your e977 modem following this tutorial.
renatonolo said:
Nice job.. Does it work on the e977 with 10a firmware?
Thx.
Sent from my LG-E975 using xda app-developers app
could you please do the same thing for the misc partition and upload it somewhere?
I saw that freegee is touching this one so please mention if your phone was opened with freegee.
sonty said:
could you please do the same thing for the misc partition and upload it somewhere?
I saw that freegee is touching this one so please mention if your phone was opened with freegee.
I am sorry, I am not going to upload my misc partition, as this partition contains my IMEI.
I can, however, tell you how to back it up:
Code:
dd if=/dev/block/platform/msm_sdcc.1/by-name/misc of=/sdcard/misc.img
Can I ask why you need that?
dapaua said:
I am sorry, I am not going to upload my misc partition, as this partition contains my IMEI.
Can I ask why you need that?
I had no idea the IMEI is also there. I asked for it because the baseband version is also stored there and it's kind of odd to know I'm flashing the modem from EU-10f and the displayed version is TW-10a. I'm still hoping to solve that issue.
Ah, OK. Tomorrow I'll check if the misc partition can be mounted, this would make editing it much easier.
dapaua said:
Ah, OK. Tomorrow I'll check if the misc partition can be mounted, this would make editing it much easier.
I think it is not possible to mount the misc partition.
“In any case, the misc partition isn't a "filesystem" partition as you are familiar with. It is actually just a simple data structure. In fact, only the system, cache, and userdata partitions are actually filesystem partitions, and the cache partition is only a filesystem partition part of the time -- during radio and spl updates, it also is used as a simple data structure with a header field and a payload field...”
http://forum.xda-developers.com/showpost.php?p=7254425&postcount=3
I was trying to find some additional info about this structure but without success so far.
On my F180K the misc partition is 16 777 216 bytes. Some interesting offsets:
0x8000 – 0x800E IMEI (15Bytes)
0x8800 – 0x8824 Baseband version (37Bytes)
0x9000 – 0x9024 Baseband version (37Bytes)
CyanogenMod displays the last one in Settings->About phone->Baseband version
jumper8 said:
I think it is not possible to mount the misc partition.
“In any case, the misc partition isn't a "filesystem" partition as you are familiar with. It is actually just a simple data structure. In fact, only the system, cache, and userdata partitions are actually filesystem partitions, and the cache partition is only a filesystem partition part of the time -- during radio and spl updates, it also is used as a simple data structure with a header field and a payload field...”
http://forum.xda-developers.com/showpost.php?p=7254425&postcount=3
I was trying to find some additional info about this structure but without success so far.
On my F180K the misc partition is 16 777 216 bytes. Some interesting offsets:
0x8000 – 0x800E IMEI (15Bytes)
0x8800 – 0x8824 Baseband version (37Bytes)
0x9000 – 0x9024 Baseband version (37Bytes)
CyanogenMod displays the last one in Settings->About phone->Baseband version
Thanks.
You are totally right, this partition is not a filesystem. And it is mostly empty; it's all zeros except for some bytes. Most of it is text strings, but there are some small binary parts.
I think the 0x8800 - 0x8824 part is the original firmware version.
I wouldn't touch that partition, seems too dangerous.
dapaua said:
I wouldn't touch that partition, seems too dangerous.
freegee touches it. I see it made a backup and the difference is that it changed some bytes to 0 (offsets 0x40-0x52), then wrote ANDROID-BOOT at offset 0x4000. the rest is the same. it seems there's nothing like a crc, so basically I could write whatever I want in that version field. the bad part is that as a user you'll never know what modem version you have, since its version is not stored on the modem partition. I wonder who came up with this system and what he was thinking.
thanks for the clarification. offtopic over .
sonty said:
I had no idea the IMEI is also there. I asked for it because the baseband version is also stored there and it's kind of odd to know I'm flashing the modem from EU-10f and the displayed version is TW-10a. I'm still hoping to solve that issue.
Some time ago I had the same issue. I solved it by modifying binary data on the misc partition. I did this only on CM10.1 (F180K). I don't know if it will work on other custom ROMs, especially stock ones.
Today I've done this one more time to prepare the following procedure. Maybe someone will use it in the future.
STEPS:
0. Backup the misc partition with your recovery. I used CWM Advance Edition PhilZ Touch 5:
Backup and Restore-> Custom Backup and Restore->Custom Backup Job->Backup misc (*)
I'm not sure if all CWM versions support misc partition backup. TWRP does not support it right now.
1. Dump the misc partition to /sdcard.
Code:
adb wait-for-device
adb root
adb shell "dd if=/dev/block/platform/msm_sdcc.1/by-name/misc of=/sdcard/misc_orig.img"
OUTPUT:
32768+0 records in
32768+0 records out
16777216 bytes transferred in 6.539 secs (2565715 bytes/sec)
2. Pull the image to your PC
Code:
adb pull /sdcard/misc_orig.img misc_orig.img
3. Edit the downloaded image file with your favorite hex editor (e.g. Notepad++ with the Hex-Editor plugin)
Find both baseband name strings (mine were at offsets 0x8800 and 0x9000) and change them (CM10.1 uses the last one to set gsm.version.baseband in the file /system/bin/fetch-swv).
REMEMBER:
- Do not use a regular text editor (like Notepad or vi); they can add some extra characters to the file.
- If possible, try to modify only the bytes responsible for the original baseband name. If the new name is shorter, simply put space chars (0x20) to clear the unwanted chars. If you need to put a longer name, be careful. I don't know the max size for this string. There are dozens of zeros behind the baseband name in my image file. So, for testing I added 20 extra bytes of text. The new baseband name was shown without problem.
4. Push the modified image file to your phone
Code:
adb push misc_orig.img /sdcard/misc_mod.img
Check that the sizes of the original and modified files are equal.
5. Write the modified image to the misc partition
Code:
adb shell "dd if=/sdcard/misc_mod.img of=/dev/block/platform/msm_sdcc.1/by-name/misc "
OUTPUT:
32768+0 records in
32768+0 records out
16777216 bytes transferred in 4.183 secs (4010809 bytes/sec)
6. Reboot your phone
DONE.
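An added example, not from the post, of doing step 3 without a text editor: it rewrites the 37-byte baseband field at the offset the post names in place, pads with spaces (0x20) as the post suggests, and refuses a name longer than the field or any write that would change the file size. The offset and field length are the ones the post reports for an F180K and the sample names are constructed; other devices may lay misc out differently.

```shell
#!/bin/sh
# Added example (not from the post): rewrite the baseband name field of a dumped
# misc image in place, padding with spaces (0x20) as the post suggests, without
# letting the file change size. Offset and field length are what the post
# reports for an F180K; other devices may lay misc out differently (assumption).
set -eu

BB_OFFSET=0x9000   # copy that CM10.1 reads, per the post; 0x8800 holds the other copy
BB_LEN=37          # 0x9000-0x9024 inclusive

# Print the current field with trailing NULs and padding spaces removed.
read_baseband() {  # $1 = misc image
  dd if="$1" bs=1 skip=$((BB_OFFSET)) count="$BB_LEN" 2>/dev/null |
    tr -d '\000' | sed 's/ *$//'
}

# Overwrite only the BB_LEN bytes of the field; refuse a name that would spill
# past it, and refuse an image too small to contain the field (a wrong dump).
patch_baseband() {  # $1 = misc image, $2 = new baseband name
  name=$2
  [ "${#name}" -le "$BB_LEN" ] ||
    { echo "name longer than $BB_LEN bytes" >&2; return 1; }
  size=$(($(wc -c < "$1")))
  [ "$size" -ge $((BB_OFFSET + BB_LEN)) ] ||
    { echo "image smaller than $((BB_OFFSET + BB_LEN)) bytes" >&2; return 1; }
  # %-37s left-justifies and pads with spaces; conv=notrunc keeps the rest intact.
  printf "%-${BB_LEN}s" "$name" |
    dd of="$1" bs=1 seek=$((BB_OFFSET)) conv=notrunc 2>/dev/null
  # A text editor that appended a newline would fail this check; dd must not.
  [ $(($(wc -c < "$1"))) -eq "$size" ]
}
```

Run read_baseband on the pulled misc_orig.img first to confirm the field really sits at 0x9000 on your device before patching anything.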
Hi all,
I just created a .zip to back up your modem / baseband / radio with your recovery (CWM / TWRP...)
ok as a newbie i can't figure out how to back up the modem using adb... but after reading stuff, here's what i did:
downloaded "Android Terminal Emulator" from the playstore
opened the emulator on the phone and wrote as you mentioned:
su
dd if=/dev/block/platform/msm_sdcc.1/by-name/modem of=/sdcard/modem.img
after some seconds this came out :
131072+0 records in
131072+0 records out
67108864 bytes transferred in 15.229 secs
then :
exit
exit
after that i checked sdcard but there was no img file...
then i opened the file manager on the phone and there it was, my precious
size = 64mb... is it normal?
anyway.. made a new folder "modem", copied the img file into the modem folder (using the file manager), again connected the phone to the pc and copied the modem folder to my desktop...
hope it will help new guys here like me
after installing the European KitKat I lost my LGOG E977 modem; does anyone have a backup to help me?
how to fix this?
pedro5148 said:
after installing the European KitKat I lost my LGOG E977 modem; does anyone have a backup to help me?
how to fix this?
root using towelroot. unlock and install custom recovery using freegee and flash the modem in this post via recovery: http://forum.xda-developers.com/showpost.php?p=54016773&postcount=4
akahroba said:
root using towelroot. unlock and install custom recovery using freegee and flash the modem in this post via recovery: http://forum.xda-developers.com/showpost.php?p=54016773&postcount=4
I already did that, did not work out ...
any more solution?
pedro5148 said:
I already did that, did not work out ...
any more solution?
Get back to JB and wait for your model update
Back to JB I recovered the IMEI, but I have no carrier signal.
So I root with towelroot, unlock and install custom recovery with FreeGee, back up EFS, and when I restart the machine it loses the IMEI.
So I install the modem and E97710b.kdz for the E97710b model, recover EFS and nothing happens, still no sign of the operator...
akahroba said:
Get back to JB and wait for your model update
even going back to JB, I continued without the modem

[SIMLOCK] Simlock removal/Clues about CSPSA

I'm interested in removing the network lock from my SGA2 GT-I8610 (Samsung codename "Codina"), and while I'm a total noob regarding Android development, I do have some clue about coding and tried a bit of Googling and searching these forums here.
First of all, two useful threads as linked from this post (which was erroneously posted in a similar thread about unlocking the Ace II X GT-S7560M):
Good starting point: Backing up NV data
Partition table
My personal findings:
My serial number -- without the trailing X -- is found 4 times in cspsa.bin, as produced by following the instructions found in the first Backing up NV data post.
I stumbled across this -- especially the parameters on line 59 -- and wondered if this was any helpful. Curiously, I haven't been able to find that very same file in GitHub repos (most are forks of https://github.com/dh-harald/android_kernel_samsung_codina) based on Samsung's open source released i8610 "Codina" kernel.
There is a mention of "pff2cspsa 0.0.2 Thu Apr 12 10:19:02 2012" in cspsa.bin. Googling "pff2cspsa" yields, among few other results, http://pastebin.com/ku0WHZ1B (posted only yesterday!), which seems to be some file related to the NovaThor U8500 chipset, upon which the Ace 2 is based. That file also seems to list a couple of other cspsa related tools, such as cspsalist etc. I wonder if those tools and/or their source code can be found somewhere.
Another good starting point might be investigating if SIM unlock techniques have been found for any other NovaThor U8500 SoC-based phones, e.g. the SGS3mini. I haven't done that thoroughly yet.
A few people have reported success unlocking their SGS3minis using the Service Mode menu, where they were able to disable a network lock option called "Perso SHA256", so maybe this means that the CSPSA is somehow SHA-256 hashed or encrypted.
Feel free to comment your thoughts and/or if any of this might be worth further investigation.
One thing I haven't really found through searching: are you guys using just a hex editor to analyze cspsa.bin or are there any better tools? (E.g. is it possible to mount that thing as a loopback device on Linux?)
(Sorry for posting this to the user section -- as this is my first post, I'm not yet allowed to post to the dev section.)
discovered as well
I found your post when I did a keyword search for 'pff2cspsa'. I'm trying to goof with my RIL at the moment.
I've found it in my CSPSA partition.
There's also 'nwm2gdf' mentioned as well, which looks like a utility.
Googling that found me some XML dump of someone's packages in what seems like a Gentoo distro. It looks like there's a package called 'cspsa-tools', because the 'cspsa-tools-debuginfo' package contains nwm2gdf.
That package looks interesting & i'm going to see if I can find it now.
This is also my first post. Signed up just to reply
The SHA-256 clue is very interesting, thanks. I'm gonna investigate further.
Okay I've found some info:
Turns out Ericsson (ie the company that once joined up with Sony to be SonyEricsson) once upon a time released packages to manage CSPSA things. They make the chipset that the galaxy s2/3 is built on (one of them anyway).
<summary>Crash Safe Parameter Storage Area (CSPSA)</summary>
<description>
CSPSA (Crash Safe Parameter Storage Area) is a user space library developed by ST-Ericsson that provides access to the CSPSA at the end of the flash/eMMC used for storing, for example, calibrated radio and security parameters. It utilizes a raw MTD device or eMMC block device via libc to manipulate the contents in the flash/eMMC memory. All concurrent users except one are blocked until access to the underlying storage device is accessible. The CSPSA implementation provides no security concept for the data stored. Focus is on crash safeness and compatibility with production tools.
Now because I'm a new user I can't post external links. The captcha is F---ing me off so I'm going to obfuscate the link below:
http colon slash slash download.meego.com/live/home:/imppa/Trunk/i586/
Download all the files which mention CSPSA (there's a few down below, libcspsa ones, so page down).
Also, they are rpm. If you are using a debian based system, use the 'alien' tool to convert to .deb packages with the -d switch.
Also, roll 32-bit ONLY. Forget about it if you're running 64-bit linux.
There's a bunch of handy tools there. I'm yet to goof with them but we'll see how we go.
edit: doesn't seem to work. All I'm getting is 'ERROR: CSPSA area could not be opened. Binary file not valid' when I try them on the image files I made of my CSPSA partitions.
weblordpepe said:
I found your post when I did a keyword search for 'pff2cspsa'. I'm trying to goof with my RIL at the moment.
I've found it in my CSPSA partition.
There's also 'nwm2gdf' mentioned as well, which looks like a utility.
Googling that found me some XML dump of someone's packages in what seems like a Gentoo distro. It looks like there's a package called 'cspsa-tools', because the 'cspsa-tools-debuginfo' package contains nwm2gdf.
That package looks interesting & i'm going to see if I can find it now.
This is also my first post. SIgned up just to reply
The SHA-256 clue is very interesting thanks I'm gonna investigate further.
Okay, what you need to do is figure out which partition is your CSPSA partition. Let's say it's mmcblk009.
Install all those CSPSA packages.
Check /etc/cspsa.conf. It will point to a file under /dev. Copy your binary partition into /dev and edit the file to match the filename of your partition image.
Then run: cspsa-server. It will say something like 'CSPSA0 started'.
Then type cspa-cmd and you'll get a prompt.
Type 'help' to see stuff. But you'll want to type 'open CSPSA0'.
Then you can type 'ls' to see the key/value pairs for things stored in your CSPSA image file.
Bought an unlock today
I bought a network unlock today, did another NV backup, and compared the before and after states of cspsa.bin.
Some of it has changed; but around the first occurrence of the serial number, the file is surprisingly almost identical to its previous state. Now what has changed is the range from offset 0x457 (after "FF 24 00") to (excluding) 0x477. I'll take a closer look soon if anything else looks suspicious, but this might be our SIM lock...
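The before/after comparison described in that post, done programmatically instead of by eye in a hex editor. This is an added example, not code from the thread or from the CSPSA tools: it takes two dumps as byte strings and reports the changed ranges in the same start/exclusive-end convention the post uses, so a 32-byte field shows up as "0x457-0x477 (32 bytes)". The sample buffers are constructed to mimic that one change and are not real CSPSA contents.

```python
"""Report the byte ranges that differ between two partition dumps.

Added example (not from the thread).  Ranges are (start, end) with end
exclusive, matching the thread's "0x457 to (excluding) 0x477" wording.
"""


def changed_ranges(before: bytes, after: bytes, merge_gap: int = 0):
    """Return [(start, end), ...] ranges where the two buffers differ.

    Runs of differences separated by at most `merge_gap` identical bytes are
    merged, so a multi-byte field with a couple of unchanged bytes in the
    middle is still reported as one region.  If the dumps differ in length,
    the tail of the longer one is reported as a final range.
    """
    ranges = []
    n = min(len(before), len(after))
    i = 0
    while i < n:
        if before[i] == after[i]:
            i += 1
            continue
        start = i
        while i < n and before[i] != after[i]:
            i += 1
        if ranges and start - ranges[-1][1] <= merge_gap:
            ranges[-1] = (ranges[-1][0], i)   # close enough: extend previous
        else:
            ranges.append((start, i))
    if len(before) != len(after):
        ranges.append((n, max(len(before), len(after))))
    return ranges


def describe(ranges):
    """Format ranges the way the thread quotes them, with the length in bytes."""
    return ["0x%x-0x%x (%d bytes)" % (s, e, e - s) for s, e in ranges]


# Constructed sample: a 2 KiB "dump" whose only change is a 32-byte field
# at 0x457, mimicking the region noticed after the network unlock.
SAMPLE_BEFORE = bytes(range(256)) * 8
_after = bytearray(SAMPLE_BEFORE)
for _off in range(0x457, 0x477):
    _after[_off] ^= 0xFF        # XOR with 0xFF always changes the byte
SAMPLE_AFTER = bytes(_after)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:      # usage: python diffdump.py before.bin after.bin
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            ranges = changed_ranges(f1.read(), f2.read(), merge_gap=3)
    else:
        ranges = changed_ranges(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("\n".join(describe(ranges)))
```

A small `merge_gap` (a few bytes) is usually what you want on real dumps: a counter or checksum that happens to keep one byte unchanged would otherwise split into two ranges and hide the field's true size, which is exactly the number the later "is it 32 bytes / SHA-256 sized?" question depends on.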
A couple of short notes
A couple of short notes on the CSPSA tools you found:
There are not only binary RPMs, but also two RPM source packages from which they're built (which contain a spec file and an upstream tarball) -- they're at download.meego.com/live/home:/imppa/Trunk/src/ . I successfully built the upstream sources on Ubuntu 13.10 (amd64), but I had to remove the -Werror parameter from the Makefiles first. I didn't have to install any of those tools to my system (i.e. no sudo required), but I have to admit that I haven't yet built the binaries from cspsa-tools that require cspsa.h.
You don't need to copy cspsa.bin to /dev -- you can specify its location in cspsa.conf
You don't need to move cspsa.conf to /etc -- you can specify its location as a parameter to cspsa-server
The readme files provided with the sources also provide some information on the tools.
A bit of a glossary:
CSPSA -- crash safe parameter storage area
NWM -- Nokia Wireless Modem; cspsa-tools' readme.txt says
At startup of the U8500 there is a CSPSA client (cspsa2nwm) that reads
out the NWM files (if necessary) and stores them to a directory in the file
system. The original directory tree is fully re-created with original access
rights settings. These files can then be read by the modem (via MSA) to
configure itself.
PFF -- Parameter File Format; cspsa-tools' pff_readme.txt says
The parameter file format is a way to store parameters in a generic file
format. The advantage is that one can use common tools in Linux or windows
to parse the file structure and format. Also it is easy to use git or other
version control systems to keep track of changes in parameters.
GDF -- ?
The packages contain various tools to convert between those formats.
As you noted, cspa-cmd can be used to list the CSPSA's contents, and to store them to individual files, as well as exporting to a gdf file. That file can then be viewed by gdflist. That latter tool reveals that apparently my CSPSA's contents were created by nwm2gdf, and that apparently most of its contents are supposed to be copied to /modem/RFHAL -- I wonder if that's really the sole purpose of the CSPSA, and if (on a functional phone) everything is also identically contained in that /modemfs/RFHAL. I'll need to do a diff of that file and that (possibly) corresponding record showing up in the gdflist output.
One more (near-trivial) note: the part of CSPSA that I had noticed in a hex editor to have changed after network unlocking is 0x477-0x457=0x20=32 bytes long. So that *could* be a SHA-256, as that would be 256 bits = 32 bytes long.
Hey, you must have made a mistake in your last calculations. Actually, 32 bytes is 32 x 8 = 256 bits.
Sent from my GT-I8160 using Tapatalk
This might be a mega necro, but is anyone by any chance even remotely interested in unlocking a phone this ancient?
I happened to have one at home which I use now as a replacement since I broke the touchscreen of my original device. In some of my free time I peeked around a bit, and managed to properly export the CSPSA entries. Sadly all this just results in a more human readable representation of hex values stored in the CSPSA, which means that without actually knowing what was stored there one must try a different approach.

Smartwatch 2 firmware hacking

Sorry if this is stupid or something but I have the smartwatch 2 firmware dump file (dumped using dfu-util's upload utility (-u)) from messing around trying to get into the dfu. I succeeded. I don't know if I am allowed to upload the file so I won't yet.
So is there any Linux/Ubuntu based software I can use to decompile or to edit resources such as icons, images etc.?
If you would like to obtain the file I am talking about, use the open smartwatch (1) project. A similar way applies:
1. Have dfu-util installed
2. Remove smartwatch 2 from power (mini-USB plug)
3. Plug in the USB end that goes into the computer, but NOT the mini-USB.
4. My way to enter the DFU is to plug in the mini-USB end and then hold power; a split-second after, you should see a blank screen but "Sony" does not come up. Let go of power.
5. You are now in DFU mode. Note: there will probably be no green bar at the bottom of the screen.
The command I used to dump the firmware was (I am on ubuntu-linux) dfu-util -a 0 -U -s 0x08000000
UPDATE: Find dump files at post #10
UPDATES
Update 15Jun14: files dumped are not in dfu format. No file extension is included.
Does this matter?
Also can someone find out if some dfu sample files are compatible (such as the arduino hack)?
Update: on Ubuntu, try using strings <FIRMWARE FILE PATH>; it shows lots of jumbled text, and near the bottom there are random things such as things that look like version numbers etc.????
Maybe mod the file sw2.apk instead.
I think it's a better way.
Well maybe using this data we can find a way to create custom code modules for the apk file. This would mean android code could be ported to smartwatch 2 code through a heavily modded version of the app.
Like people said before me in the decompiled app there is support for firmware upgrades over Bluetooth maybe. So if the firmware is reverse engineered maybe we could program native apps or settings mods etc.
Sent from my C1505
I need help on this so if anyone can help such as convert it to source code that would be greatly appreciated
Sent from my C1505
Hi
Xtreme_FIRMWARE said:
I need help on this so if anyone can help such as convert it to source code that would be greatly appreciated
Sent from my C1505
Hi extreme I'm interested to help you to reverse the smartwatch 2 firmware, if you are interested I have the source of the smartwatch 2 host app
If your phone is rooted already,
you can back up the APK with Titanium Backup,
or if not rooted,
use this link to download the APK from the Play Store:
http://apps.evozi.com/apk-downloader
and enter com.sonymobile.smartconnect.smartwatch2 on the web page.
You'll get the APK file, and then use Android Multitool to extract and compile the APK,
which I have extracted already, but I don't know which file I must mod.
My problem is the SW2 shows Thai language 100%.
If we find the file in the APK about showing the language for your country,
I think it fixes other languages too.
I will attach the version I have straight from Google play soon
Edit: manu0466 is going the source shortly, so we will not need to download this.
Sent from my C1505
Hi there
manu0466 said:
Hi extreme I'm interested to help you to reverse the smartwatch 2 firmware, if you are interested I have the source of the smartwatch 2 host app
Any source code at all would be greatly appreciated. as I am having trouble decompiling the smartwatch 2 apk anyways.
Hope to see more. Thanks!
The Dump
This is the internal memory(soldered sdcard) and firmware dumps I made just in case anybody couldn't get them to examine.
They are attached to this post
If you use these in any other thread please credit me.
the password (just in case) is: xtreme_firmware
Hope this is useful! :good: :good:
Research
For those interested in the reverse engineering, this (http://www.devttys0.com/2011/05/reverse-engineering-firmware-linksys-wag120n/) seems promising. Checking out a few and trying hard to crack into this firmware. Sony did a good job. I also learnt that my dump might not be full firmware but once we have a method I can always dump the full firmware somehow. The dumps I have now are good enough to test for ways and maybe start with some small mods. Of course it might actually be the full firmware anyway.
Good news and keep going. Thanks for the idea and your support.
One problem. the file does not seem to be the firmware. I will try to dump the full firmware soon.
This isn't a setback! we still have the process ready!
Hmm
Hi all.
I am confused. I am not sure how to know if it is the firmware or not. at the end of this post is the latest dump (sd and firm) that I have done. Can someone find a way to make sure this is the firmware. Thanks!
again: this isn't a setback!
Xtreme_FIRMWARE said:
Sorry if this is stupid or something but I have the smartwatch 2 firmware dump file (dumped using dfu-util's upload utility (-u)) from messing around trying to get into the dfu. I succeeded. I don't know if I am allowed to upload the file so I won't yet.
So is there any linux/ubuntu based software I can use to decompile or to edit resources such as icons, images ect.?
If you would like to obtain the file I am talking about use the open smartwatch (1) project. similar way applies:
1. Have dfu-util installed
2. remove smartwatch 2 from power (miniusb plug)
3. plug in usb end that goes into computer but NOT miniusb.
4. my way to enter the dfu is to plug in the miniusb end and then hold power a split-second after you should see a blank screen but sony does not come up. let go of power.
5. you are now in dfu mode. Note: there will probably be no green bar at bottom of screen.
The command I used to dump the firmware was (I am on ubuntu-linux) dfu-util -a 0 -U -s 0x08000000
UPDATE: Find dump files at post #10
This is a dump from the 1st partition called "@Internal Flash". I think you also need to specify the length which should be 2MB. So that would make the command line:
./dfu-util -c 1 -i 0 a 0 -U memdump.raw -s 0x08000000:0x200000
NOTE: this is not a dfu image as it's just a HEX dump and doesn't include the ID tags to make it a valid dfu image. However if you want you can write this RAW image back to the device with:
./dfu-util -c 1 -i 0 a 0 -D memdump.raw -s 0x08000000
If memory serves me well.
The query I have is
1) what's in 0x00000000 - 0x08000000 in partition - a 0?
It seems to show values which I don't know if they are meaningful.
2) what about the eMMC partition -a 1 which is 512MB in size?
I have dumps for these too but can't flash these back as a RAW image as dfuse-address of 0x00000000 passed into the -s option are not valid.
I think that the FileSystem to the SW2 is in either of these locations above but I don't know which or how to restore from a good device to a bad device.
: )
From the scarce amount of information about their firmware and DFU, the eMMC is a soldered SD card, and also NEVER try to flash older versions of it. No idea why.
We may need to somehow mod the DFU to establish a connection to the areas we cannot access. But first try inputting the -s as one of the IDs between. Maybe?
Sent from my C1505 using XDA Free mobile app
I get invalid dfuse address for the first command you gave. Can you please tell me what I am doing wrong:
sudo dfu-util -c 1 -i 0 a 0 -U memdump.raw -s 0x08000000:0x200000
[sudo] password for ??????:
invalid dfuse address: 0x08000000:0x200000
I am working on reverse engineering the dump while also reverse engineering the protocol used for fota updates to try and get the full dfu file!!!!!!
Sent from my C1505 using XDA Free mobile app
Just for everyone's information dfu-util sees on the SW2:
Found DFU: [0fce:f0fa] devnum=0, cfg=1, intf=0, alt=0, name="@Internal Flash /0x08000000/03*016Kg,01*016Kg,01*064Kg,07*128Kg,03*016Kg,01*016Kg,01*064Kg,07*128Kg"
Found DFU: [0fce:f0fa] devnum=0, cfg=1, intf=0, alt=1, name="@eMMC /0x00000000/01*512Mg"
:good:
---------- Post added at 09:26 AM ---------- Previous post was at 09:17 AM ----------
Xtreme_FIRMWARE said:
I get invalid dfuse address for the first command you gave. can you please tell me what I am doing wrong:
sudo dfu-util -c 1 -i 0 a 0 -U memdump.raw -s 0x08000000:0x200000
[sudo] password for ??????:
invalid dfuse address: 0x08000000:0x200000
Looking at my exact command line I executed a couple of months back, I have to upgrade to dfu-utils release 0.7 (dfu-util.gnumonks.org/releases) and then I could execute:
sudo ./dfu-util -v -c 1 -i 0 -a 0 -s 0x08000000:0x200000 -U InternalFlash.hex -R
Hope this helps.
:good::good:
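The two alt-setting names dfu-util printed above encode the device's memory map, and the earlier post's point that a `-U` dump is "just a HEX dump" without the "ID tags" refers to the DFU suffix that a real .dfu file carries. The following is an added example, not dfu-util's or Sony's code: it parses the DfuSe layout string into regions (which is how the "length should be 2MB" figure can be checked), tests whether a given address window lies inside the map, and detects or appends the 16-byte DFU 1.1 suffix. The two layout strings are the ones quoted above; the sample image bytes are constructed, and the 0fce:f0fa VID/PID is reused from the dfu-util output only to exercise the suffix code.

```python
"""Interpret DfuSe alt-setting names and tell a raw dump apart from a
DFU-suffixed file.  Added example, not dfu-util's own code."""
import re
import struct
import zlib

# One DfuSe segment: <count>*<size><unit><mode>, e.g. "07*128Kg".
SEGMENT_RE = re.compile(r"(\d+)\*(\d+)([KMB ]?)([a-g])")
UNIT = {"K": 1024, "M": 1024 * 1024, "B": 1, " ": 1, "": 1}


def parse_dfuse_layout(alt_name):
    """Turn "@Label /0xADDR/seg,seg,.../0xADDR/..." into a memory map.

    Mode letters a..g are a 3-bit field: 1 = readable, 2 = erasable,
    4 = writable, so "g" means all three.
    """
    if not alt_name.startswith("@"):
        raise ValueError("not a DfuSe alt-setting name: %r" % alt_name)
    parts = alt_name[1:].split("/")
    if len(parts) < 3 or (len(parts) - 1) % 2:
        raise ValueError("malformed DfuSe layout: %r" % alt_name)
    regions = []
    for i in range(1, len(parts), 2):
        addr = int(parts[i], 16)
        for count, size, unit, mode in SEGMENT_RE.findall(parts[i + 1]):
            count, sector = int(count), int(size) * UNIT[unit]
            bits = ord(mode) - ord("a") + 1
            regions.append({
                "start": addr, "end": addr + count * sector,
                "sectors": count, "sector_size": sector,
                "readable": bool(bits & 1), "erasable": bool(bits & 2),
                "writable": bool(bits & 4),
            })
            addr += count * sector
    return {"label": parts[0].strip(), "regions": regions,
            "total": sum(r["end"] - r["start"] for r in regions)}


def window_in_layout(layout, start, length):
    """True if [start, start+length) is covered by the (adjacent) regions."""
    end, pos = start + length, start
    for r in layout["regions"]:
        if r["start"] <= pos < r["end"]:
            pos = min(end, r["end"])
            if pos == end:
                return True
    return False


DFU_SUFFIX_LEN = 16


def dfu_crc(data):
    """DFU 1.1 suffix CRC: CRC-32 without the final inversion, as dfu-util computes it."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def parse_dfu_suffix(image):
    """Return the suffix fields if IMAGE ends in a valid DFU suffix, else None.

    A raw dump from dfu-util -U has no suffix and yields None.
    """
    if len(image) < DFU_SUFFIX_LEN:
        return None
    fields = struct.unpack("<HHHH3sBI", image[-DFU_SUFFIX_LEN:])
    bcd_device, product, vendor, bcd_dfu, sig, length, crc = fields
    if sig != b"UFD" or length != DFU_SUFFIX_LEN or crc != dfu_crc(image[:-4]):
        return None
    return {"vendor": vendor, "product": product, "bcd_device": bcd_device,
            "bcd_dfu": bcd_dfu, "payload": image[:-DFU_SUFFIX_LEN]}


def add_dfu_suffix(payload, vendor, product, bcd_device=0xFFFF, bcd_dfu=0x0100):
    """Append a DFU 1.1 suffix (what `dfu-suffix -a` does) to a raw image."""
    body = payload + struct.pack("<HHHH3sB", bcd_device, product, vendor,
                                 bcd_dfu, b"UFD", DFU_SUFFIX_LEN)
    return body + struct.pack("<I", dfu_crc(body))


# The two alt-setting names quoted from dfu-util's output above.
INTERNAL_FLASH = ("@Internal Flash /0x08000000/03*016Kg,01*016Kg,01*064Kg,07*128Kg,"
                  "03*016Kg,01*016Kg,01*064Kg,07*128Kg")
EMMC = "@eMMC /0x00000000/01*512Mg"

if __name__ == "__main__":
    for name in (INTERNAL_FLASH, EMMC):
        lay = parse_dfuse_layout(name)
        print("%s: 0x%X bytes in %d regions" % (lay["label"], lay["total"], len(lay["regions"])))
    raw = bytes(range(256)) * 4                         # constructed "dump"
    print("raw dump has suffix:", parse_dfu_suffix(raw) is not None)
    print("suffixed copy valid:", parse_dfu_suffix(add_dfu_suffix(raw, 0x0FCE, 0xF0FA)) is not None)
```

Note that this covers only the generic DFU suffix; the STM32 "DfuSe" .dfu container additionally wraps the payload in a prefix with target records, which is a separate format on top of it.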
Hey all,
Anyone look at the com.sonymobile.smartconnect.smartwatch2.apk, these files in the apk look sort of interesting:
res/raw/asw.bin 607KB -- Firmware?
res/raw/bl.bin 31KB -- BootLoader?
res/raw/fat.bin 545KB -- FlashFS?
Not really sure if these can be useful in the quest to get a working firmware together. I wish we had a memory map of this thing.
AL

How do I verify my system image backup?

I'm planning to root my G4 (LGH815 Germany) running v10b-EUR-xx. Before I'm attempting to root I took a backup using the following command:
dd if=/dev/block/mmcblk0 bs=8192 skip=55296 count=529920 of=/data/media/0/system.img
Is there any way of verifying the backup img before I proceed to root so I can be sure the backup is working in case something goes wrong during rooting?
There seems to be a difference between the size of my backup and the rooted image:
My backup: 4,341,104,640
Rooted img: 4,749,520,896
Why is there such a big difference?
b3n_ said:
I'm planning to root my G4 (LGH815 Germany) running v10b-EUR-xx. Before I'm attempting to root I took a backup using the following command:
dd if=/dev/block/mmcblk0 bs=8192 skip=55296 count=529920 of=/data/media/0/system.img
Is there any way of verifying the backup img before I proceed to root so I can be sure the backup is working in case something goes wrong during rooting?
There seems to be a difference between the size of my backup and the rooted image:
My backup: 4,341,104,640
Rooted img: 4,749,520,896
Why is there such a big difference?
The skip argument to dd tells it to skip reading 55296 blocks. Each block is 8192 bytes which means 55296*8192 bytes are being skipped, that brings it to total of 452,984,832 bytes, which is exactly the difference you have.
As for the reliability of your backup I suggest at least mounting it to see if structure is valid and files are there.
Sent from my LG-H815 using Tapatalk
Definitely try mounting it. Search for "mount android image in windows" if you are using Windows, or just mount it in Linux.
kuku2004 said:
The skip argument to dd tells it to skip reading 55296 blocks. Each block is 8192 bytes which means 55296*8192 bytes are being skipped, that brings it to total of 452,984,832 bytes, which is exactly the difference you have.
As for the reliability of your backup I suggest at least mounting it to see if structure is valid and files are there.
Sent from my LG-H815 using Tapatalk
In this case should I re-create my backup but put a skip count of 0 in to get a full image of the current system partition? Sounds like it would make more sense to have a full image rather than just a partial?
b3n_ said:
In this case should I re-create my backup but put a skip count of 0 in to get a full image of the current system partition? Sounds like it would make more sense to have a full image rather than just a partial?
Really don't know but I guess there's a reason for that skip, maybe the start is something fixed (zeroed?) so it would be a waste of space reading it.
Sent from my LG-H815 using Tapatalk
kuku2004 said:
Really don't know but I guess there's a reason for that skip, maybe the start is something fixed (zeroed?) so it would be a waste of space reading it.
Sent from my LG-H815 using Tapatalk
Why would it be included in their image then? Maybe @autoprime could comment on this?
Sorry for the OT question, but how do I create a system.img backup without root?
creaky said:
Sorry for the OT question, but how do I create a system.img backup without root?
Look at the rooting thread; you need to use the send_command tool and basically revert the dd command.
b3n_ said:
Look at the rooting thread you need to use the send_command tool and the basically revert the dd command.
Thanks. I'll start sifting through.
So I was able to mount my image in Ubuntu and I can see all the folders/files in there. In case I have to restore, do I have to use seek=0 and I used the recommended skip when I created the image?
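The skip/count arithmetic explained earlier in this thread, the restore question just asked, and the original "how do I verify the backup" question, as one added example (not the thread's or LG's code). It computes the byte window a `dd bs= skip= count=` command reads, does the inverse for a given byte range, builds the matching restore command with `seek=` equal to the backup's `skip=`, and checks an image against the source device by hashing exactly that window rather than relying on mounting. The dd numbers are the ones quoted above; the device and image in the demo are constructed temporary files, not a real eMMC.

```python
"""dd window arithmetic and backup verification.  Added example, not from
the thread; the demo uses constructed temporary files as device and image."""
import hashlib
import os
import tempfile


def dd_window(bs, skip=0, count=None):
    """Byte offset and length that `dd bs=BS skip=SKIP count=COUNT` reads."""
    return bs * skip, (None if count is None else bs * count)


def blocks_for_window(offset, length, bs):
    """Inverse of dd_window: the skip/count covering [offset, offset+length).

    Refuses unaligned windows instead of rounding; use a smaller bs (512
    always divides a block device) rather than copying bytes you did not mean to.
    """
    if offset % bs or length % bs:
        raise ValueError("window 0x%x+0x%x is not aligned to bs=%d" % (offset, length, bs))
    return offset // bs, length // bs


def restore_command(image, device, bs, skip):
    """The dd command that writes IMAGE back to the window it was taken from.

    seek= on restore equals skip= on backup (both count BS-sized blocks);
    conv=notrunc stops dd from truncating the output device node.
    """
    return "dd if=%s of=%s bs=%d seek=%d conv=notrunc" % (image, device, bs, skip)


def _sha256_range(path, offset, length, chunk=1 << 20):
    """SHA-256 of LENGTH bytes at OFFSET; also returns how many bytes were actually read."""
    h, remaining = hashlib.sha256(), length
    with open(path, "rb") as f:
        f.seek(offset)
        while remaining > 0:
            buf = f.read(min(chunk, remaining))
            if not buf:
                break
            h.update(buf)
            remaining -= len(buf)
    return h.hexdigest(), length - remaining


def verify_backup(image, device, bs, skip, count):
    """Compare IMAGE with the window of DEVICE the dd backup command covered.

    Returns (ok, detail).  Size is checked first because dd with count=
    silently writes a shorter file if it hits the end of the device.
    """
    offset, length = dd_window(bs, skip, count)
    img_size = os.path.getsize(image)
    if img_size != length:
        return False, "image is %d bytes, dd window is %d" % (img_size, length)
    img_hash, _ = _sha256_range(image, 0, length)
    dev_hash, got = _sha256_range(device, offset, length)
    if got != length:
        return False, "device shorter than window (read %d of %d bytes)" % (got, length)
    return img_hash == dev_hash, img_hash


def demo(bs=4096, skip=3, count=5):
    """Constructed device/image pair: returns (good_verify, wrong_skip_verify)."""
    import random
    rnd = random.Random(1)
    with tempfile.TemporaryDirectory() as d:
        dev, img = os.path.join(d, "mmcblk0"), os.path.join(d, "system.img")
        data = bytes(rnd.getrandbits(8) for _ in range(bs * 12))
        with open(dev, "wb") as f:
            f.write(data)
        off, ln = dd_window(bs, skip, count)
        with open(img, "wb") as f:
            f.write(data[off:off + ln])          # what dd would have produced
        good = verify_backup(img, dev, bs, skip, count)[0]
        bad = verify_backup(img, dev, bs, skip + 1, count)[0]   # wrong skip
        return good, bad


if __name__ == "__main__":
    print(dd_window(8192, 55296, 529920))        # window behind the quoted command
    print(restore_command("system.img", "/dev/block/mmcblk0", 8192, 55296))
    print(demo())
```

Run `verify_backup` on the device itself (as root, with the same bs/skip/count as the backup) before rooting; a mismatch means the image is not what is currently on flash, which is the one thing mounting the image cannot tell you.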
