Develop Bugs

HTC Kernel I2C

Hi, right been looking at the Hero CDMA Kernel trying to get direct access to the light sensor.
I know its part of I2C, and have found some documentation, but its completely over my head! Anyone smarter than me know what this means/how to use it?
Thanks
Usually, i2c devices are controlled by a kernel driver. But it is also
possible to access all devices on an adapter from userspace, through
the /dev interface. You need to load module i2c-dev for this.
Each registered i2c adapter gets a number, counting from 0. You can
examine /sys/class/i2c-dev/ to see what number corresponds to which adapter.
I2C device files are character device files with major device number 89
and a minor device number corresponding to the number assigned as
explained above. They should be called "i2c-%d" (i2c-0, i2c-1, ...,
i2c-10, ...). All 256 minor device numbers are reserved for i2c.
C example
=========
So let's say you want to access an i2c adapter from a C program. The
first thing to do is "#include <linux/i2c-dev.h>". Please note that
there are two files named "i2c-dev.h" out there, one is distributed
with the Linux kernel and is meant to be included from kernel
driver code, the other one is distributed with lm_sensors and is
meant to be included from user-space programs. You obviously want
the second one here.
Now, you have to decide which adapter you want to access. You should
inspect /sys/class/i2c-dev/ to decide this. Adapter numbers are assigned
somewhat dynamically, so you can not even assume /dev/i2c-0 is the
first adapter.
Next thing, open the device file, as follows:
int file;
int adapter_nr = 2; /* probably dynamically determined */
char filename[20];
sprintf(filename,"/dev/i2c-%d",adapter_nr);
if ((file = open(filename,O_RDWR)) < 0) {
/* ERROR HANDLING; you can check errno to see what went wrong */
exit(1);
}
When you have opened the device, you must specify with what device
address you want to communicate:
int addr = 0x40; /* The I2C address */
if (ioctl(file,I2C_SLAVE,addr) < 0) {
/* ERROR HANDLING; you can check errno to see what went wrong */
exit(1);
}
Well, you are all set up now. You can now use SMBus commands or plain
I2C to communicate with your device. SMBus commands are preferred if
the device supports them. Both are illustrated below.
__u8 register = 0x10; /* Device register to access */
__s32 res;
char buf[10];
/* Using SMBus commands */
res = i2c_smbus_read_word_data(file,register);
if (res < 0) {
/* ERROR HANDLING: i2c transaction failed */
} else {
/* res contains the read word */
}
/* Using I2C Write, equivalent of
i2c_smbus_write_word_data(file,register,0x6543) */
buf[0] = register;
buf[1] = 0x43;
buf[2] = 0x65;
if ( write(file,buf,3) != 3) {
/* ERROR HANDLING: i2c transaction failed */
}
/* Using I2C Read, equivalent of i2c_smbus_read_byte(file) */
if (read(file,buf,1) != 1) {
/* ERROR HANDLING: i2c transaction failed */
} else {
/* buf[0] contains the read byte */
}
IMPORTANT: because of the use of inline functions, you *have* to use
'-O' or some variation when you compile your program!
Full interface description
==========================
The following IOCTLs are defined and fully supported
(see also i2c-dev.h):
ioctl(file,I2C_SLAVE,long addr)
Change slave address. The address is passed in the 7 lower bits of the
argument (except for 10 bit addresses, passed in the 10 lower bits in this
case).
ioctl(file,I2C_TENBIT,long select)
Selects ten bit addresses if select not equals 0, selects normal 7 bit
addresses if select equals 0. Default 0. This request is only valid
if the adapter has I2C_FUNC_10BIT_ADDR.
ioctl(file,I2C_PEC,long select)
Selects SMBus PEC (packet error checking) generation and verification
if select not equals 0, disables if select equals 0. Default 0.
Used only for SMBus transactions. This request only has an effect if the
the adapter has I2C_FUNC_SMBUS_PEC; it is still safe if not, it just
doesn't have any effect.
ioctl(file,I2C_FUNCS,unsigned long *funcs)
Gets the adapter functionality and puts it in *funcs.
ioctl(file,I2C_RDWR,struct i2c_rdwr_ioctl_data *msgset)
Do combined read/write transaction without stop in between.
Only valid if the adapter has I2C_FUNC_I2C. The argument is
a pointer to a
struct i2c_rdwr_ioctl_data {
struct i2c_msg *msgs; /* ptr to array of simple messages */
int nmsgs; /* number of messages to exchange */
}
The msgs[] themselves contain further pointers into data buffers.
The function will write or read data to or from that buffers depending
on whether the I2C_M_RD flag is set in a particular message or not.
The slave address and whether to use ten bit address mode has to be
set in each message, overriding the values set with the above ioctl's.
Other values are NOT supported at this moment, except for I2C_SMBUS,
which you should never directly call; instead, use the access functions
below.
You can do plain i2c transactions by using read(2) and write(2) calls.
You do not need to pass the address byte; instead, set it through
ioctl I2C_SLAVE before you try to access the device.
You can do SMBus level transactions (see documentation file smbus-protocol
for details) through the following functions:
__s32 i2c_smbus_write_quick(int file, __u8 value);
__s32 i2c_smbus_read_byte(int file);
__s32 i2c_smbus_write_byte(int file, __u8 value);
__s32 i2c_smbus_read_byte_data(int file, __u8 command);
__s32 i2c_smbus_write_byte_data(int file, __u8 command, __u8 value);
__s32 i2c_smbus_read_word_data(int file, __u8 command);
__s32 i2c_smbus_write_word_data(int file, __u8 command, __u16 value);
__s32 i2c_smbus_process_call(int file, __u8 command, __u16 value);
__s32 i2c_smbus_read_block_data(int file, __u8 command, __u8 *values);
__s32 i2c_smbus_write_block_data(int file, __u8 command, __u8 length,
__u8 *values);
All these transactions return -1 on failure; you can read errno to see
what happened. The 'write' transactions return 0 on success; the
'read' transactions return the read value, except for read_block, which
returns the number of values read. The block buffers need not be longer
than 32 bytes.
The above functions are all macros, that resolve to calls to the
i2c_smbus_access function, that on its turn calls a specific ioctl
with the data in a specific format. Read the source code if you
want to know what happens behind the screens.
Click to expand...
Click to collapse

Surely if you want to use the light sensor in an application, the correct path is via API calls, or do you have other intentions?
Regards,
Dave

Ideally yes, but when you use the API to get the light sensor values, you get the accelerometer values instead! Interesting its similar on the Samsung Moment, asking for the light sensor values returns the compass values!
Seems neither HTC or Samsung know what they are doing!

[DEVs ONLY] Flash Galaxy S without computer : introducing redbend_ua

Hello there
This is a surprise, but software able to flash the phone without any computer intervention was already on it, since the beginning.
Searching for a way to install my future lag fix easily, I remember that there was an "OTA" boot mode.
I know, today nobody saw an OTA on any Galaxy S smartpone (except maybe One on the AT&T Captivate?), but the software is still there.
How does this work :
Basically Linux boots a ramdisk, loading kernel modules and running an init process who start the whole Android experience (bootmode=) or just the recovery mode (bootmode=2).
Other bootmodes are used for battery loading only and Over The Air updates.
In this case, init.rc ask init to start "/sbin/redbend_ua all".
By default this software search for software updates in /data/fota and on similar places in the /sdcard.
It could prove useful another day, but you still have to be root to ask your device to reboot in a specific bootmode
The nice part is that we can use redbend_ua manually too, to do many impossible things before :
command list, pretty comprehensive.
Code:
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
Possible usages :
- Flashing the kernel without Odin or any computer
- Backuping and Restoring a whole firmware, including stock one
- Doing more than one operation before automatic reboot through a list of commands in /data/fota/command (not tested yet)
- Messing with bootloaders and bricking your phone for good
Yeah, you must be really carefull this time. Samsung made some partitions read-only for a reason
Hopefully this new tool will be used by most ROM cooker, CyanogenMod, and ClockWorkMod
I'll make a update.zip + redbend_ua template soon if nobody comes up with one.
My Twitter for next news
Joined to this post : redbend_ua working binary. (some firmware ship a new binary that does not accept command line parameters)
-----
Old post, for the record :
Our Galaxy S in Eclair firmwares come with software able to provide update Over The Air.
This firmware is in /sbin directory, which means that it's in the kernel ramdisk.
Look at the output when running the binary without argument or appropriate file:
Code:
# redbend_ua
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
UA/(MakeBMLNodes): mknod path=/dev/block/bml4, dev_no=35076
UA/(MakeBMLNodes): mknod path=/dev/block/bml5, dev_no=35077
UA/(MakeBMLNodes): mknod path=/dev/block/bml7, dev_no=35079
UA/(MakeBMLNodes): mknod path=/dev/block/bml8, dev_no=35080
UA/(MakeBMLNodes): mknod path=/dev/block/bml11, dev_no=35083
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
UA/ check_existence: /data/fota/delta.Sbl
UA/(update_all): Check Delta : path_idx(0), part_idx(0), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.zImage
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.modem
UA/(update_all): Check Delta : path_idx(0), part_idx(2), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.platform
UA/(update_all): Check Delta : path_idx(0), part_idx(3), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.Sbl
UA/(update_all): Check Delta : path_idx(1), part_idx(0), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.zImage
UA/(update_all): Check Delta : path_idx(1), part_idx(1), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.modem
UA/(update_all): Check Delta : path_idx(1), part_idx(2), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.platform
UA/(update_all): Check Delta : path_idx(1), part_idx(3), file_path((null)), cnt(0)
fail!
Open /data/fota/fota.status
fsync after write: 0
And here is the result when you provide a fake zImage delta file:
Code:
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
UA/(MakeBMLNodes): mknod path=/dev/block/bml4, dev_no=35076
UA/(MakeBMLNodes): mknod path=/dev/block/bml5, dev_no=35077
UA/(MakeBMLNodes): mknod path=/dev/block/bml7, dev_no=35079
UA/(MakeBMLNodes): mknod path=/dev/block/bml8, dev_no=35080
UA/(MakeBMLNodes): mknod path=/dev/block/bml11, dev_no=35083
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
UA/ check_existence: /data/fota/delta.Sbl
UA/(update_all): Check Delta : path_idx(0), part_idx(0), file_path((null)), cnt(0)
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path(/data/fota/delta.zImage), cnt(1)
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path(/data/fota/delta.zImage), cnt(1)
UA/ check_existence: /data/fota/delta.modem
UA/(update_all): Check Delta : path_idx(0), part_idx(2), file_path((null)), cnt(1)
UA/ check_existence: /data/fota/delta.platform
UA/(update_all): Check Delta : path_idx(0), part_idx(3), file_path((null)), cnt(1)
page_msize: 4096, phy_unit_size: 262144
UA/ Sbl delta does NOT exist! Skip.
page_msize: 4096, phy_unit_size: 262144
UA/ check_existence: /data/fota/fota_zImage
page_msize: 4096, phy_unit_size: 262144
dev: /dev/block/bml8 partition size: 0x780000
40180008: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180018: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180028: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180038: ffff ffff ffff ffff ffff ffff ffff ffff ................
signature: 0xffffffff
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
page_msize: 4096, phy_unit_size: 262144
page_msize: 4096, phy_unit_size: 262144
UA/(backup_devbml) src: /dev/block/bml7 partition size: 0x780000
UA/(backup_devbml) dst: /dev/block/bml8 partition size: 0x780000
UA/(backup_devbml) backup 128KB at 0x0
UA/(backup_devbml) backup 128KB at 0x40000
UA/(backup_devbml) backup 128KB at 0x80000
UA/(backup_devbml) backup 128KB at 0xc0000
UA/(backup_devbml) backup 128KB at 0x100000
UA/(backup_devbml) backup 128KB at 0x140000
UA/(backup_devbml) backup 128KB at 0x180000
UA/(backup_devbml) backup 128KB at 0x1c0000
UA/(backup_devbml) backup 128KB at 0x200000
UA/(backup_devbml) backup 128KB at 0x240000
UA/(backup_devbml) backup 128KB at 0x280000
UA/(backup_devbml) backup 128KB at 0x2c0000
UA/(backup_devbml) backup 128KB at 0x300000
UA/(backup_devbml) backup 128KB at 0x340000
UA/(backup_devbml) backup 128KB at 0x380000
UA/(backup_devbml) backup 128KB at 0x3c0000
UA/(backup_devbml) backup 128KB at 0x400000
UA/(backup_devbml) backup 128KB at 0x440000
UA/(backup_devbml) backup 128KB at 0x480000
UA/(backup_devbml) backup 128KB at 0x4c0000
UA/(backup_devbml) backup 128KB at 0x500000
UA/(backup_devbml) backup 128KB at 0x540000
UA/(backup_devbml) backup 128KB at 0x580000
UA/(backup_devbml) backup 128KB at 0x5c0000
UA/(backup_devbml) backup 128KB at 0x600000
UA/(backup_devbml) backup 128KB at 0x640000
UA/(backup_devbml) backup 128KB at 0x680000
UA/(backup_devbml) backup 128KB at 0x6c0000
UA/(backup_devbml) backup 128KB at 0x700000
UA/(backup_devbml) backup 128KB at 0x740000
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
UA/(RB_ImageUpdateMain): ++
UA/(RB_ImageUpdateMain) uPartitionName[zImage]
RB_GetBlockSize: returning 0x40000 (262144)
UA/(RB_UpdateImage): ++
UA/(RB_UpdateImage): Delta file name-/data/fota/delta.zImage
unicode_to_char : zImage
pDeviceDatum.pFirstPartitionData->partition_name: zImage
pDeviceDatum.pFirstPartitionData->partition_type: 0
pDeviceDatum.pFirstPartitionData->file_system_type: 0
unicode_to_char : /data/fota/delta.zImage
RB_OpenFile: Path:/data/fota/delta.zImage | Mode: RDONLY
Successful open() *pwHandle:4
[RB] Illegal field in the delta, or that the given delta is invalid
UA/(RB_UpdateImage) return value from RB_vRM_Update: 0x80000539
UA/(RB_UpdateImage): -- ret=-2147482311
UA/(RB_ImageUpdateMain) pCustomerPartData.updated = -1, rest = -1
UA/(RB_ImageUpdateMain): -- ret=-2147482311
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xdeade002
UA/(update_all) Kernel update fail
fail!
Open /data/fota/fota.status
fsync after write: 0
Promising ! This software definitely has the ability to write on protected bml partitions.
Now wee need to find how to produce the .delta files

Sounds great Lets hope you guys can figure it all out.

I just send a message to Red Bend Software through their site.
Actually it may help to find any other delta file for their software. Without sample we won't go anywhere...
I hope they will be kind and answer!

Here is a list of interesting strings found in the binary :
Code:
UA/ Platform delta does NOT exist! Skip.
Can not open src file : %s
Can not open dst file : %s
UA/(%s) write %dbytes
UA/(%s) copy file %s->%s
fsync failed with return value: %d
fsync after write: %d
UA/ %s: %s
/dev/block/bml4
/data/fota/dump_sbl
/dev/block/bml7
/data/fota/dump_kernel
/dev/block/bml12
/data/fota/dump_modem
FOTA : Make Block Device Nodes
UA/(%s): mknod path=%s, dev_no=%u
Failed to open %s: %s
Open %s
lseek failed with return value: %d
read failed with return value: %d
success!
DONE
fail!
FAIL
FOTA
UA/ modem delta does NOT exist! Skip.
/data/fota/backup.modem
UA/ zImage delta does NOT exist! Skip.
/dev/block/bml8
UA/ Sbl delta does NOT exist! Skip.
UA/ERROR(%s) get dual sbl siginfo fail!!
/dev/block/bml5
UA/ERROR(%s) can't find vaild Sbl partitions
UA/ERROR(%s) SBL RAM partition alloc fail
UA/ERROR(%s) RB_ImageUpdateMain Fail ret=(0x%d)
/data/fota/command
/sdcard/Android/data/temp.fota.delta/command
UA/(%s) cache download
/cache/recovery
UA/(%s) create /cache/recovery directory
/cache/recovery/command
reboot recovery
UA/(%s): Check Delta : path_idx(%d), part_idx(%d), file_path(%s), cnt(%d)
SBL update fail
UA/(%s) %s
Kernel update fail
Modem update fail
Platform update fail
Post update fail
WARNNIG
Delta Not Exist
/data/fota
/sbin/images/fota.png
UA/(%s) test
Update Fail!!
/data/fota/fota.status
/data/fota/delta.Sbl
/data/fota/delta.zImage
/data/fota/delta.modem
/data/fota/delta.platform
/sdcard/Android/data/temp.fota.delta/delta.Sbl
/sdcard/Android/data/temp.fota.delta/delta.zImage
/sdcard/Android/data/temp.fota.delta/delta.modem
/sdcard/Android/data/temp.fota.delta/delta.platform
RedBend Update Agent %s
commands:
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
unknown
/data/fota/fota_Sbl
/data/fota/fota_zImage
Modem
/data/fota/fota_modem
/data/fota/fota_platform
/dev/block/bml11
OFNI
main
update_all
post_update
update_platform
update_modem
update_zImage
update_Sbl
file_copy
check_existence
MakeBMLNodes
UA/(%s): +
UA/(%s): %s (%lx %x)
UA/(%s): -
UA/(%s): %s (%lx %lx)
UA/(%s): memcpy(0x%x, 0x%x, 0x%x)
%07x:
%02x
%02x
BML_GET_DEV_INFO
page_msize: %d, phy_unit_size: %d
open device file
%s: bmldevice_open failed!
%s: bmldevice_info failed!
src: %s
dst: %s partition size: 0x%x
part_size: 0x%x
failed to read from %s (%s)
read finished
read %d bytes
src: %s partition size: 0x%x
dst: %s
failed to write to %s (%s)
done
UA/(%s) src: %s
UA/(%s) dst: %s partition size: 0x%x
UA/(%s) part_size: 0x%x
UA/(%s) read finished
UA/(%s) read %d bytes
UA/(%s) src: %s partition size: 0x%x
UA/(%s) dst: %s
UA/(%s) signature: 0x%x
*WARN* %s partition is already marked as invalid!
UA/(%s) done
page at 0x%x differ!
UA/(%s) backup 128KB at 0x%x
UA/(%s): ++
UA/(%s) 0x%x
UA/ERROR(%s) Valid partition signature is not invalid
UA/(%s): --
%s, invalide magic key(%x)!!
common mark dev : %s partition size: 0x%x
dev: %s partition size: 0x%x
signature: 0x%x
UA/(%s) dev: %s partition size: 0x%x
UA/ERROR(%s) Signature is not validate (%x)
UA/(%s) SBL, SBL2 partition are diffierent size, check your bml device node name
UA/ERROR(%s) Both partition has valid or invalid signature
UA/(%s) Valid Partition-%s, Update Partition-%s
restore_file
backup_block_file
restore_devbml
backup_devbml
store_dualsbl_partition
load_partition
mark_common_recovery
find_valid_partition
check_dualpartition_validation
ram_write_block
ram_read_block
nand_write_block
nand_read_block
bmldevice_get_size
Image size is bigger than partition!
reading NAND page
BML_UNLOCK_ALL
writing NAND page
6,1,14,1
RB_GetBlockSize
%s: returning 0x%x (%d)
RB_ReadBackupBlock
UA/(%s): %s: offset 0x%lx(%ld), size 0x%lx(%ld)
UA/ERROR(%s) open file %s failed.
UA/ open %s file success
UA/ERROR(%s) error in read size
RB_WriteBackupBlock
UA/(%s): offset 0x%lx(%ld), size 0x%lx(%ld)
UA/ERROR(%s) error in write size
RB_ImageUpdateMain
UA/(%s): ++
UA/(%s) uPartitionName[%s]
UA/(%s) pCustomerPartData.updated = %d, rest = %d
UA/(%s): -- ret=%d
RB_UpdateImage
UA/(%s): Delta file name-%s
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
UA/(%s) return value from RB_vRM_Update: 0x%x
unicode_to_char
%s : %s
RecursiveFolderCreater
%s path: %s
temppath: %s
mkdir result: %d errno: %d
RB_CopyFile
%s: %s -> %s
NULL file name find. Abort.
Open %s ENOENT %d
Open %s failed. Abort.
read %d, but write %d, abort.
RB_DeleteFile
%s: %s
unlink value: %d, errno: %d
RB_DeleteFolder
rmdir value: %d, errno: %d
RB_CreateFolder
%s: %s, mode:0x%x
RDONLY
WRONLY
RDWR
Unknown
RB_OpenFile
%s: Path:%s | Mode:
First open() with error %d
copy dir[]=%s
remove dir[]=%s
Fail create folder, Leave RB_OpenFile
After successful creating folder, fail open() with error %d
Successful open() *pwHandle:%ld
RB_ResizeFile
%s: handle %ld, dwSize %d
%s: ret %d handle %ld %d
RB_CloseFile
%s: wHandle = %ld
RB_WriteFile
%s: Handle:%ld , Pos:%ld , Size: %ld
lseek failed with return value: %d
Failed with return value: %d
Bytes Write: %d
fsync Failed with return value: %d
fsync after write: %d
RB_ReadFile
%s: Handle:%ld , Pos:%ld , Size: %ld
read failed with return value: %d
RB_GetFileSize
%s: %ld
lseek errno: %d
Returning Size = 0x%x
RB_Unlink
unlink failed with return value: %d
unlink with return value: %d
RB_Link
symlink failed with return value: %d, errno: %d
symlink with return value: %d
RB_VerifyLinkReference
readlink failed with return value: %d
not same linked path
same linked path
RB_GetFileType
stat failed with return value: %d errno: %d
sbuf.st_mode: %d
S_ISREG(sbuf.st_mode): %d
S_ISLNK(sbuf.st_mode): %d
stat->st_mode = symbolic link file
stat->st_mode = regular file
failed to lstat, err : %d
a2ch
%s : %d
Wrong attribute value: %d
a2ch : %c
chtoa
RB_SetFileAttributes
stat failed with return value: %d
sbuf.st_mode value: %d
ui8pAttribs value: %s
ui32AttribSize value: %ld
attrib_user value: %d
attrib_group value: %d
attrib_other value: %d
att_type value: %d
sbuf.st_mode | attrib: %d
chmod failed with return value: %d
chmod with return value: %d
pUserId value: %s
user_id value: %d
aGroupId value: %s
pGroupId value: %s
group_id value: %d
failed chown %d
success chown %d
RB_FSUpdateMain
UA/(%s) Partition name(%s), mount point(%s)
UA/(%s) pCustomerPartData.updated = %ld, rest = %ld
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
return value from RB_vRM_Update: 0x%x
%s/flagsFile
return value from unlink(%s): 0x%x
Installing software
Don't turn off the
phone and
connect the power
cable as possible.
System updated &
reboot now
gui_progress
UA/(%s): ++ uPercent(%d%), gv_delta_count=(%ld)
UA/(%s): -- Print Percent(%d%)
%3d %%
lcd_init
%s(%d): start!
/dev/graphics/fb0
%s(%d): fb0 open fail
%s(%d): fb0 open success
%s(%d): width = %d, height = %d
%s(%d): ioctl set info fail
%s(%d): Error: failed to map framebuffer device to memory.
%s(%d): ioctl start fail
Allocation error-
Current start: %d
Current finish: %d
Requested size: %d
Allocation error:
Current start: %d
Current finish: %d
Requested size: %d
It may accept commands somehow, like those :
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
I tried writing commands in /data/fota/command and /cache/recovery/command but the program does not follow my orders

ok it works when i flashed zImage
Code:
# redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: /sdcard/jm5.zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished

Wow, this is looking promising.

it seems like htc's flash_image,but much more difficult than it.

raspdeep said:
ok it works when i flashed zImage
Code:
# redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: /sdcard/jm5.zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished
Click to expand...
Click to collapse
Nice raspdeep
How did you do ? Every attempt fails here (in recovery or standard mode).
Which initramfs version do you use ?

Code:
redbend_ua restore zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished
Ok yo don't respond but it works here to, booting on your OC kernel. Now i'll find what is different between our setups

supercurio, you are rapidly becoming one of my Android heros...

distortedloop said:
supercurio, you are rapidly becoming one of my Android heros...
Click to expand...
Click to collapse
Don't know if I can live with that
Code:
ll */*
-rwxr-xr-x 1 root curio 313888 2010-08-26 21:14 oc128uv1/redbend_ua*
-rwxr-xr-x 1 curio curio 314004 2010-08-26 21:16 XWJM5/redbend_ua*
md5sum */*
74f5793536c3cdc902ec269c3f51a165 oc128uv1/redbend_ua
b1ba258a5d673c537a95167267afd6b8 XWJM5/redbend_ua
Different binaries !
Edit : attached working redbend_ua

A diff between strings included in binaries (raw infos, not analyzed yet ^^)
Code:
--- not-working 2010-08-26 21:22:39.594984596 +0200
+++ working 2010-08-26 21:22:20.370634450 +0200
@@ -4,7 +4,6 @@
@F2A
bB,2
H{DYX
-/Q{;
/Qs;
/Qk;
/Qc;
@@ -452,71 +451,52 @@
%mB(
@ #!
!1C "
-reboot
-UA/ Platform delta does NOT exist! Skip.
-Can not open src file : %s
-Can not open dst file : %s
-UA/(%s) write %dbytes
-UA/(%s) copy file %s->%s
- fsync failed with return value: %d
- fsync after write: %d
-UA/ %s: %s
+/data/fota/delta.Sbl
/dev/block/bml4
-/data/fota/dump_sbl
+/dev/block/bml5
+/data/fota/fota_Sbl
+/data/fota/delta.zImage
/dev/block/bml7
-/data/fota/dump_kernel
+/data/fota/backup.zImage
+/data/fota/fota_zImage
+Modem
+/data/fota/delta.modem
/dev/block/bml12
+/data/fota/backup.modem
+/data/fota/fota_modem
+/data/fota/delta.platform
+/data/fota/backup.platform
+/data/fota/fota_platform
+platform delta does NOT exist! Skip.
+existence: s1[%d].existence; %d
+%s: %s
+/data/fota/dump_sbl
+/data/fota/dump_kernel
/data/fota/dump_modem
FOTA : Make Block Device Nodes
-UA/(%s): mknod path=%s, dev_no=%u
Failed to open %s: %s
Open %s
lseek failed with return value: %d
read failed with return value: %d
+ fsync failed with return value: %d
+ fsync after write: %d
success!
DONE
fail!
FAIL
FOTA
-UA/ modem delta does NOT exist! Skip.
-/data/fota/backup.modem
-UA/ zImage delta does NOT exist! Skip.
+modem delta does NOT exist! Skip.
+zImage delta does NOT exist! Skip.
/dev/block/bml8
-UA/ Sbl delta does NOT exist! Skip.
-UA/ERROR(%s) get dual sbl siginfo fail!!
-/dev/block/bml5
-UA/ERROR(%s) can't find vaild Sbl partitions
-UA/ERROR(%s) SBL RAM partition alloc fail
-UA/ERROR(%s) RB_ImageUpdateMain Fail ret=(0x%d)
-/data/fota/command
-/sdcard/Android/data/temp.fota.delta/command
-UA/(%s) cache download
-/cache/recovery
-UA/(%s) create /cache/recovery directory
-/cache/recovery/command
-reboot recovery
-UA/(%s): Check Delta : path_idx(%d), part_idx(%d), file_path(%s), cnt(%d)
-SBL update fail
-UA/(%s) %s
-Kernel update fail
-Modem update fail
-Platform update fail
-Post update fail
-WARNNIG
-Delta Not Exist
-/data/fota
-/sbin/images/fota.png
-UA/(%s) test
-Update Fail!!
+Sbl delta does NOT exist! Skip.
+get dual sbl siginfo fail!!
+can't find vaild Sbl partitions
+reboot
+gv_delta_count[%d]
+dump
+restore
+compare
/data/fota/fota.status
-/data/fota/delta.Sbl
-/data/fota/delta.zImage
-/data/fota/delta.modem
-/data/fota/delta.platform
-/sdcard/Android/data/temp.fota.delta/delta.Sbl
-/sdcard/Android/data/temp.fota.delta/delta.zImage
-/sdcard/Android/data/temp.fota.delta/delta.modem
-/sdcard/Android/data/temp.fota.delta/delta.platform
RedBend Update Agent %s
commands:
img [partition name] [delta file] [device node] [temp path]
@@ -527,29 +507,7 @@
compare <dev1> <dev2>
png [png file name]
all
-unknown
-/data/fota/fota_Sbl
-/data/fota/fota_zImage
-Modem
-/data/fota/fota_modem
-/data/fota/fota_platform
-/dev/block/bml11
OFNI
-main
-update_all
-post_update
-update_platform
-update_modem
-update_zImage
-update_Sbl
-file_copy
-check_existence
-MakeBMLNodes
-UA/(%s): +
-UA/(%s): %s (%lx %x)
-UA/(%s): -
-UA/(%s): %s (%lx %lx)
-UA/(%s): memcpy(0x%x, 0x%x, 0x%x)
%07x:
%02x
%02x
@@ -568,71 +526,67 @@
dst: %s
failed to write to %s (%s)
done
-UA/(%s) src: %s
-UA/(%s) dst: %s partition size: 0x%x
-UA/(%s) part_size: 0x%x
-UA/(%s) read finished
-UA/(%s) read %d bytes
-UA/(%s) src: %s partition size: 0x%x
-UA/(%s) dst: %s
-UA/(%s) signature: 0x%x
-*WARN* %s partition is already marked as invalid!
-UA/(%s) done
page at 0x%x differ!
-UA/(%s) backup 128KB at 0x%x
-UA/(%s): ++
-UA/(%s) 0x%x
-UA/ERROR(%s) Valid partition signature is not invalid
-UA/(%s): --
+signature: 0x%x
+*WARN* %s partition is already marked as invalid!
+backup 128KB at 0x%x
+backup 128KB at 0x%x without signature
+clear mark dev : %s partition size: 0x%x
%s, invalide magic key(%x)!!
-common mark dev : %s partition size: 0x%x
dev: %s partition size: 0x%x
-signature: 0x%x
-UA/(%s) dev: %s partition size: 0x%x
-UA/ERROR(%s) Signature is not validate (%x)
-UA/(%s) SBL, SBL2 partition are diffierent size, check your bml device node name
-UA/ERROR(%s) Both partition has valid or invalid signature
-UA/(%s) Valid Partition-%s, Update Partition-%s
-restore_file
-backup_block_file
-restore_devbml
-backup_devbml
-store_dualsbl_partition
-load_partition
+%s:clear:%s partition size: 0x%x
+%s : write and clear signature done
+%s:write:%s partition size: 0x%x
+%s: Signature is not validate (%x)
+%s signature: 0x%x
+%s +
+%s: SBL, SBL2 partition are diffierent size, check your bml device node name
+Both partition has valid or invalid signature
+Valid Partition-%s, Update Partition-%s
+Siginfo error partition $s (0x%x, 0x%x)
mark_common_recovery
+clear_dualpartition_signature
+write_dualpartition_signature
find_valid_partition
check_dualpartition_validation
-ram_write_block
-ram_read_block
-nand_write_block
-nand_read_block
bmldevice_get_size
Image size is bigger than partition!
reading NAND page
BML_UNLOCK_ALL
writing NAND page
6,1,14,1
+RB_Progress
+%s: (%lu %%)
+RB_GetDelta
+%s: offset 0x%lx(%ld), size 0x%lx(%ld)
+%s: open file %s failed.
+%s: error in read size
RB_GetBlockSize
%s: returning 0x%x (%d)
+RB_ReadImage
+%s: node-%s (%lx %lx)
+RB_WriteBlock
+%s: node-%s (%lx %x)
RB_ReadBackupBlock
-UA/(%s): %s: offset 0x%lx(%ld), size 0x%lx(%ld)
-UA/ERROR(%s) open file %s failed.
-UA/ open %s file success
-UA/ERROR(%s) error in read size
+%s: offset 0x%lx(%ld), size 0x%lx(%ld)
+%s: open file %s failed.
+%s: error in read size
RB_WriteBackupBlock
-UA/(%s): offset 0x%lx(%ld), size 0x%lx(%ld)
-UA/ERROR(%s) error in write size
+%s: error in write size
+RB_ImageUpdateCommon
+uPartitionName[%s]
+%s: pCustomerPartData.updated = %d, rest = %d
RB_ImageUpdateMain
-UA/(%s): ++
-UA/(%s) uPartitionName[%s]
-UA/(%s) pCustomerPartData.updated = %d, rest = %d
-UA/(%s): -- ret=%d
-RB_UpdateImage
-UA/(%s): Delta file name-%s
+%s: backup_file is %s
+%s: size of %s(%s) is %d bytes
+RB_ImageUpdateDualPartition
+%s: backup file(%s) / Valid Partition(%s) / Update Partition(%s)
+%s : RB Image Update Fail
+%s : RB Image Update Done %s
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
-UA/(%s) return value from RB_vRM_Update: 0x%x
+return value from RB_vRM_Update: 0x%x
unicode_to_char
%s : %s
RecursiveFolderCreater
@@ -726,8 +680,7 @@
failed chown %d
success chown %d
RB_FSUpdateMain
-UA/(%s) Partition name(%s), mount point(%s)
-UA/(%s) pCustomerPartData.updated = %ld, rest = %ld
+%s: pCustomerPartData.updated = %ld, rest = %ld
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
@@ -741,9 +694,9 @@
cable as possible.
System updated &
reboot now
-gui_progress
-UA/(%s): ++ uPercent(%d%), gv_delta_count=(%ld)
-UA/(%s): -- Print Percent(%d%)
+Update is ok.
+Update is failed.
+Restoring...
%3d %%
lcd_init
%s(%d): start!
@@ -962,12 +915,6 @@
insufficient memory
buffer error
incompatible version
-RB_Progress
-%s: (%lu %%)
-RB_GetDelta
-%s: offset 0x%lx(%ld), size 0x%lx(%ld)
-%s: open file %s failed.
-%s: error in read size
Pure virtual function called. Are you calling virtual methods from a destructor?
libc-abort
abort() called in pid %d
@@ -1120,6 +1067,7 @@
/dev/log/main
/dev/log/radio
/proc/self/exe
+unknown
/dev/urandom
stack corruption detected: aborted
ANDROID_PROPERTY_WORKSPACE

Whilst we're talking about retrieving information from binaries...
Does anyone know any good disassembly tools. I managed to compile objdump for ARM (ELF) and run it on the Galaxy S secondary bootloader but it only partially works. It doesn't look like it is handling the binary layout correctly. It's unsure how much of the binary is data and how much is actual instructions so it ends up converting the whole thing to instructions (most of which are obviously bogus).

Benjamin Dobell said:
Whilst we're talking about retrieving information from binaries...
Does anyone know any good disassembly tools. I managed to compile objdump for ARM (ELF) and run it on the Galaxy S secondary bootloader but it only partially works. It doesn't look like it is handling the binary layout correctly. It's unsure how much of the binary is data and how much is actual instructions so it ends up converting the whole thing to instructions (most of which are obviously bogus).
Click to expand...
Click to collapse
Under Linux i use the minimalist tool named "strings". You can learn so much just by reading strings extracted ^^.
Otherwise you have IDA Pro (Windows), which is very powerful.
Benjamin, like you i found objdump quite challenging to use.. and.. not that fun.

supercurio said:
Under Linux i use the minimalist tool named "strings". You can learn so much just by reading strings extracted ^^.
Otherwise you have IDA Pro (Windows), which is very powerful.
Benjamin, like you i found objdump quite challenging to use.. and.. not that fun.
Click to expand...
Click to collapse
Unfortunately IDA Pro doesn't seem to work either. IDA Pro Free doesn't support ARM at all and I tried with IDA Pro Advanced but it seemed to have similar issues to objdump, it couldn't determine the entry point etc.
If I could just get the assembler with comments next to it that indicate which pieces of data (strings in particular) are being referenced that would make my day.

Do you think Sbl.bin is a single unique binary ?
Considering everything that this Second Boot Loader is able to do, i would not be surprised if it's more complex than that.
Anyway I can't say much more about the tools, i'm just a rookie hacker

supercurio said:
Do you think Sbl.bin is a single unique binary ?
Considering everything that this Second Boot Loader is able to do, i would not be surprised if it's more complex than that.
Click to expand...
Click to collapse
It wouldn't be a very reliable boot loader if it depended on other binaries (other than data passed to it by the primary boot loader). However the information I'm after, the Loke protocol, is definitely in there cause I can see the handshake strings I send and receive with Heimdall.

working this into SRE RIGHT NOW!!!!
--edit
scripted, and working
release coming soon!!

designgears said:
working this into SRE RIGHT NOW!!!!
Click to expand...
Click to collapse
Nice
Remember being EXTRA careful manipulating raw bml partitions. You can easily brick your phone for good writing bad data in place of first and second bootloader.
NON-RECOVERABLE
please say that to every potential redbend_ua users
This was the required warning, now enjoy

supercurio said:
Nice
Remember being EXTRA careful manipulating raw bml partition. You can easily
brick your phone for good writing bad data in place of first and second bootloader.
NON-RECOVERABLE
please say that to every potential redbend_ua users
This was the required warning, now enjoy
Click to expand...
Click to collapse
I have borked bml17 before.. was able to go into download and restore stock.

Multiloader checksum check FFS

hi guys I'm doing some research on samsung's firmware files...
is there any good disassembler in here?
We need to know how is the checksum at the end of FFS // APP files calculated!
That's very important...
is there anyone who can help?

im sorry im not but maybe a frined of mine...
why is so important?
its hard to do?
if you give a link with a tutorial may be in some days i will be able to help...
i have programmed in c in the past...
cheers

I am a C programmer (university student) but we need disassemblers here, no programmers atm

Guys I don't know if you understand that the solution to this problem is CRUCIAL for the realization of custom firmwares!!
Trust me! Find some windows (desktop) disassembler as soon as possible!!
thanks

Type : Unofficial Version
Number : 41
Builder : HP05
Host : SCMHP05
Date : 2010/05/28
Time : 21:49:29
Size : 81790332 bytes
CheckSum : 0x259b3fc5
View
Click to expand...
Click to collapse
Hmmm. Whole file is smaller... 50.856.960...
apps_compressed.bin
Decrypted with PSAS... but I can't decompress...
Anyway.
CRC32 (32 bit) could be used...
The Question could be, where the content starts and ends correct to fit size to make crc32...
Best Regards

wait u're talking about the apps_compressed...
while I'm talking about the ffs/app files...which have a 16byte checksum in the footer!

Sorry. I'm thinking loud. As I thought they used for all files same CRC or Hash...
I compared for instance Rsrc2_S8500(Mid).rc2 and Rsrc2_S8500(Low).rc2.
As 1 Byte at Start leads to 16 Byte change at end of file... So maybe MD5 too used by Multiloader.
Again. I'm thinking loud.
Best Regards

No progress. But few Screenshots for better understanding...
If we manipulate *.FFS we can't flash. (ALL other files protected too...)
Test 1.
I changed 1 useless Byte...
Somewhere blabla.jad in blabla.jam
Multiloader 5.64 accept to choose my file. But Error message if I press Download.
Test 2.
I add 1 Byte at the end of file. To check if some crap or if whole file is checked...
Result:
Multiloader 5.64 not allow to choose this file.
Both files tested also via Multiloader 5.62. And this Versions not allow both files to choose.
See Screenshots for Error messages.
Ideas...
Maybe disable CRC Check in Multiloader...
Or find other way to flash and check if Wave self checks Manipulation of files. Or only Multiloader is the bottleneck.
Maybe it is more complex... as I found via Internal menu the Info I've posted above... in Wave self. If Wave have selfcheck...
Best Regards

hi,
I'm not sure if you're hear about fmtBADA plugin for TriX - I wrote it few days ago (it is very simple but quite usefull). It parse any bada firmware file (*ffs, amss, ShpApp etc), so we can easly manipulate with it. After all program recalculate checksum, update all needed values so we can put file back to phone using multiuploader

b.kubica said:
hi,
I'm not sure if you're hear about fmtBADA plugin for TriX - I wrote it few days ago (it is very simple but quite usefull). It parse any bada firmware file (*ffs, amss, ShpApp etc), so we can easly manipulate with it. After all program recalculate checksum, update all needed values so we can put file back to phone using multiuploader
Click to expand...
Click to collapse
what u talking about?
let us know more...
I made lots of research on ffs and app files...

I put some files at NokiX site (check my homepage), so you can play with firmware files quite easily. GUI is qt based so you need to download Qt libraries for the first time. Two packages you will find in bada subdir - program and scripts.
Start program, at General tab select input and output file (e.g. FFS PFS ShpApp,amss). Go to the Scripts tab and load scripts you want to fire up.
For the first time I reccomend you to try fs_shell script - it is simly command line script to edit filesystem images (ffs,pfs,shpapp). You can list, dump delete rename files, adding is not supported yet (but can be easy implemented - scripts are written in pure C).
Before asking just play with it
br,
Bartek

ok then I don't need it already made more
thanks to a russian friend, I probably solved the checksum problem
good news will come the next days

Nice. I have extracted *.FFS and ShpApp.app files.
I'm blind to find the Button where Rename or Delete is stored to output file.
How to save my changes to file?
Best Regards
Edit:
Maybe my fault...
I have bada_scripts_20110104.zip.
Will look into bada_20110106.zip

kubica no reason to make a new script, I'll post something in the next days if it's ok to you, take care about the amss
if you want to do it for personal reason, no problem of course

nevermind, script was already done
you're working on some kind of file system tool, right? We're lucky guys FS images have very simply structure (as you know), only one md5 checksum on it, kewl
One of TriX most advantage is work on stages ( e.g. amss is parsed to elf, elf is parsed to memory segments, than we can edit them and TriX roll back to amss again).
adfree, yes I uploaded today latest version (can be found in repository also). As I said it is only text version (command line), more like programmer preview, and it was not designed as end user tool.
faenil, you asked about dissasembler - have you tried IDA? ( quite expensive though ). I tried in trix hack amss (resize memory segments, add own routines), all works fine, now it's time to investigate functions (some of them can be located with locate script).
Another question - ok, it's sad bootloader is crypted with RSA, but I guess is stored in flash decoded. What if we try to access nand directly using Flash_Read/Write? I can't find flash access routines in amss but i did't look
deeply...

b.kubica said:
nevermind, script was already done
you're working on some kind of file system tool, right? We're lucky guys FS images have very simply structure (as you know), only one md5 checksum on it, kewl
One of TriX most advantage is work on stages ( e.g. amss is parsed to elf, elf is parsed to memory segments, than we can edit them and TriX roll back to amss again).
adfree, yes I uploaded today latest version (can be found in repository also). As I said it is only text version (command line), more like programmer preview, and it was not designed as end user tool.
faenil, you asked about dissasembler - have you tried IDA? ( quite expensive though ). I tried in trix hack amss (resize memory segments, add own routines), all works fine, now it's time to investigate functions (some of them can be located with locate script).
Another question - ok, it's sad bootloader is crypted with RSA, but I guess is stored in flash decoded. What if we try to access nand directly using Flash_Read/Write? I can't find flash access routines in amss but i did't look
deeply...
Click to expand...
Click to collapse
I'm not that experienced unfortunately I needed a disassembler (person) not a disassembler (software)
btw I needed it to discover that it was md5 and on which bytes it was computed and I discovered this yesterday evening
So now we know everything about ffs and app
Still have to understand the new values in pfs header...if you already know that raise your hand
Btw, yes I'm working on something like that I won't have time now to do the GUI, so I'll probably leave it as an "experienced users only" for the moment...
I've got lots to study for university, and some programming projects to end (for uni too) so my spare time is almost finished and I still have to release a custom firmware for i8910 and a software for that firmware for Symbian...
damn I'm full of things to do xD
I'll send u a pm though, if you want to chat a lil

all file footer looks the same
typedef struct s_bada_footer // last 1024 bytes
{
unsigned int magic; // always 0xABCDABCD
unsigned int addr; // nand(?) address
unsigned int unk0; // SBZ (=Should Be Zero)
char name[32]; // e.g. S8500
char ext[8]; // e.g. mbn, ffs
unsigned int unk1[5]; // some flags, values, to be checked later
t_cert_info info; // crypto data ( zeroed if file is not crypted )
char md5sum[16]; // MD5 sum of image ( without footer )
char padd[424]; // padding bytes, SBZ
} t_bada_priv;
typedef struct t_cert_info // 512 bytes
{
unsigned int magic; // 0x79461379
char cert0[324]; // ...
unsigned int magic; // 0x79461379
unsigned int length; // crypted length ( without footer )
char cert1[16]; // exist in image also at ( length - 0x10 ) position
char publickey[64]; // ?
char name[64]; // e.g. S8500+XX+JEE
char tool[32]; // TkToolVer famous string
}
headers are different. boot_loader, Apps, Rsrc1, Rsrc2, fota and CSC don't have header.
dbl and Amss have 0x200 bytes header.
ShpApp, Factory FS, Partial FS have 0x60 bytes header
Code:
typedef struct s_bada_object
{
unsigned int offset;
unsigned int length;
char name[24];
} t_bada_object;
typedef struct s_bada_hdr200
{
unsigned int magic; // 0x12345678
unsigned int count; // count of objects below
char padd[24]; // padding bytes
t_bada_object[15]; // not used SBZ
} t_bada_hdr200;
typedef struct s_bada_hdr60
{
wchar_t name[16]; // UCS-2 name
unsigned int unk0[14]; // unknown
char padd[8]; // FF FF FF
} t_bada_hdr200;
from my observations, unk0 fields in FS system header are not *SO* important - I just preserve original values, removed files I want from factory FS, and put file back to phone

all file footer looks the same
Code:
typedef struct s_bada_footer // last 1024 bytes
{
unsigned int magic; // always 0xABCDABCD
unsigned int addr; // nand(?) address
unsigned int unk0; // SBZ (=Should Be Zero)
char name[32]; // e.g. S8500
char ext[8]; // e.g. mbn, ffs
unsigned int unk1[5]; // some flags, values, to be checked later
t_cert_info info; // crypto data ( zeroed if file is not crypted )
char md5sum[16]; // MD5 sum of image ( without footer )
char padd[424]; // padding bytes, SBZ
} t_bada_priv;
typedef struct t_cert_info // 512 bytes
{
unsigned int magic; // 0x79461379
char cert0[324]; // ...
unsigned int magic; // 0x79461379
unsigned int length; // crypted length ( without footer )
char cert1[16]; // exist in image also at ( length - 0x10 ) position
char publickey[64]; // ?
char name[64]; // e.g. S8500+XX+JEE
char tool[32]; // TkToolVer famous string ;)
}
headers are different. boot_loader, Apps, Rsrc1, Rsrc2, fota and CSC don't have header.
dbl and Amss have 0x200 bytes header.
ShpApp, Factory FS, Partial FS have 0x60 bytes header
Code:
typedef struct s_bada_object
{
unsigned int offset;
unsigned int length;
char name[24];
} t_bada_object;
typedef struct s_bada_hdr200
{
unsigned int magic; // 0x12345678
unsigned int count; // count of objects below
char padd[24]; // padding bytes
t_bada_object[15]; // not used SBZ
} t_bada_hdr200;
typedef struct s_bada_hdr60
{
wchar_t name[16]; // UCS-2 name
unsigned int unk0[14]; // unknown
char padd[8]; // FF FF FF
} t_bada_hdr200;
from my observations, unk0 fields in FS system header are not *SO* important - I just preserve original values, removed files I want from factory FS, and put file back to phone

CSC has got its header, it's just that there are more files into 1
after about half the file, we come back to the same plain structure

very simple ( 2KB ) partial file system in attachment, all values from header preserved
Code:
FileSystem Shell
---------------------------
<1.> List Files
<2.> Get File
<3.> Put File
<4.> Delete File
<5.> Rename File
<6.> Dump all files
<0.> Quit
Type Size Flags Name
DIR 0x00000000 0x00000000 /Arggh
FILE 0x00000000 0x00000000 /Arggh/it_works.txt

HD2 Android board ID

I have been reading quite a lot regarding android-porting and notes to OEMs on writing bootloaders for android. However, due to the current situation of port on HD2, i have a small problem that is, stock android init recommends the bootloader to pass a hardware identifier string which it will use to do init. I know i cannot explain perfectly as english is not my native language, here is a quote from android-porting group:
After the kernel boot is complete, the init program in the Android root file system gets started. This program parses and executes the scripts init.rc and init.XYZ.rc, where XYZ is the name given by the hardware vendor. The XYZ has to be specified as a value for the kernel parameter “androidboot.hardware=XYZ”. The init program uses this parameter to know the name of the script it has to start. On the goldfish target, XYZ is goldfish. On HTC Desire, XYZ is bravo. ie. "androidboot.hardware=bravo" is included in the kernel cmdline, so init.bravo.rc is executed alongside.
Click to expand...
Click to collapse
I have seen roms using bravo, htcleo, leo as their hardware identifier tags. However using either one of them as static string in cLK would be impartial for either. As of MAGLDR, it passes no cmdline (as far as i've seen) since it uses the yaffs2 boot structure and there is no cmdline it attaches statically. This could also mean that the current kernels instead of depending on the bootloader supplied info, use spaghetti code which makes assumption that it is running on a leo board, which is a deterrent if we are to merge the leo codebase with mainline code such as cm-kernel.
The current possibile solutions for cLK i have brainstormed over are:
1) Let it go as it is and do not include the hardware parameter.
2) Cleanup kernel space, script file names in roms, include the hardware parameter.
3) Leave the script names as it is, cleanup kernel code and let the user supply the hardware string through fastboot.
Q) What about MAGLDR ? it is closed source, we cannot change the kernel commandline in it !
A) Ever since we had NAND boot on HD2, the devs included a special kernel atag that would signal that the kernel is booting through NAND, so if this particular atag is found then the kernel would use a static hardware string.
Code:
*ptr++ = 4; // Size of this atag. atag[0]
*ptr++ = 0x4C47414D; // NAND boot atag. atag[1]
*ptr++ = 0x004b4c63; // cLK sign tag. atag[2]
*ptr++ = 16; // cLK version tag. atag[3]
All this logic could be wrapped inside something like "#ifdef TARGET_HTCLEO" to make it more clean till i notify cotulla about this on irc and he does the needful before the mag 2.0 release.
This exact thing was put into light some time ago by Charansingh but had no proper outcome, the thread stands dead with no actual agreement between chefs.
I tried my best and read as much as i could before writting down this post, if you have any suggestions, insights, solution, correction. Please PM me and i will update this post.

I just don't get it sorry

Hi Rick,
I'm not a dev, I only try to understand how Android works by reading your sources of cLK
But in order to be "Android compliant" it should be better to include a hardware parameter.
Now if I have correctly understood your post, this hardware parameter is stored by the boot structure on native Android devices.
In HD2, yaffs2 is used and there is no need to specify any parameters with it.
But on native Android devices, how is the boot structure? yaffs2 is also used? or this an other?

I dont really know too much but when im porting bravo roms with the the get prop=bravo i change it to leo to make it boot.

john_matrix said:
Hi Rick,
I'm not a dev, I only try to understand how Android works by reading your sources of cLK
But in order to be "Android compliant" it should be better to include a hardware parameter.
Now if I have correctly understood your post, this hardware parameter is stored by the boot structure on native Android devices.
In HD2, yaffs2 is used and there is no need to specify any parameters with it.
But on native Android devices, how is the boot structure? yaffs2 is also used? or this an other?
Click to expand...
Click to collapse
The boot structure on native devices including on cLK is as follows:
Code:
#define BOOT_MAGIC "ANDROID!"
#define BOOT_MAGIC_SIZE 8
#define BOOT_NAME_SIZE 16
#define BOOT_ARGS_SIZE 512
struct boot_img_hdr
{
unsigned char magic[BOOT_MAGIC_SIZE];
unsigned kernel_size; /* size in bytes */
unsigned kernel_addr; /* physical load addr */
unsigned ramdisk_size; /* size in bytes */
unsigned ramdisk_addr; /* physical load addr */
unsigned second_size; /* size in bytes */
unsigned second_addr; /* physical load addr */
unsigned tags_addr; /* physical addr for kernel tags */
unsigned page_size; /* flash page size we assume */
unsigned unused[2]; /* future expansion: should be 0 */
unsigned char name[BOOT_NAME_SIZE]; /* asciiz product name */
unsigned char cmdline[BOOT_ARGS_SIZE]; /* kernel cmdline */
unsigned id[8]; /* timestamp / checksum / sha1 / etc */
};
/*
** +-----------------+
** | boot header | 1 page
** +-----------------+
** | kernel | n pages
** +-----------------+
** | ramdisk | m pages
** +-----------------+
** | second stage | o pages
** +-----------------+
**
** n = (kernel_size + page_size - 1) / page_size
** m = (ramdisk_size + page_size - 1) / page_size
** o = (second_size + page_size - 1) / page_size
**
*/
The cmdline argument is stored in the boot.img (for native devices and cLK) but cotulla felt that using yaffs2 is easier for testing many kernels, however you need a cwr zip package to flash a kernel in magldr, as using dwi.exe will format the phone while for cLK you can do "fastboot erase boot" and "fastboot boot zImage initrd.gz". However for cLK, the initramfs has to be reflashed with the new kernel.

Thank you Rick to reply me
Is the HD2 boot "trick" can be explain by the utilization of YAFFS2 for the whole HD2 NAND instead of EXT for native Android devices?
For example, maybe you need to specify the hardware parameter if you use EXT on the HD2 NAND (I don't know if this is possible?)
Correct me if I'm wrong (certainly )
Edit: for me, this is better to use fastboot commands in order to "manipulate" my HD2 but for the other users, I don't know. Maybe they can say to us.

Mifare Desfire ev1

Hi,
I am trying to clone or modify this card that I have. I do not have the keys. Is it possible? What can I do with it?
I am basically trying to clone it so it works with my phone case as it is too thick.. I'm open to melting the card and taking the internals out just to get it to work too, any suggestions?
See below for the dump:
** TagInfo scan (version 4.11.59 [β4011059]) 2016-01-04 11:09:14 **
-- INFO ------------------------------
# IC manufacturer:
NXP Semiconductors
# IC type:
MIFARE DESFire EV1 (MF3ICD41)
# DESFire Applications:
1 unknown application
-- NDEF ------------------------------
# NFC data set storage not present:
Maximum NDEF storage size after format: 4094 bytes
-- EXTRA ------------------------------
# Memory information:
Size: 4 kB
Available: 4.0 kB
# IC detailed information:
Capacitance: 17 pF
# Version information:
Vendor ID: NXP
Hardware info:
* Type/subtype: 0x01/0x01
* Version: 1.0
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-2 and -3
Software info:
* Type/subtype: 0x01/0x01
* Version: 1.4
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-3 and -4
Batch no: 0xBA4450B120
Production date: week 10, 2013
-- TECH ------------------------------
# Technologies supported:
ISO/IEC 7816-4 compatible
Native DESFire APDU framing
ISO/IEC 14443-4 (Type A) compatible
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible
# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.IsoDep, android.nfc.tech.NfcA, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.IsoDep
* Maximum transceive length: 261 bytes
* Default maximum transceive time-out: 618 ms
* Extended length APDUs not supported
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 618 ms
# Detailed protocol information:
ID: 04:43:8B:5A:56:2C:80
ATQA: 0x4403
SAK: 0x20
ATS: 0x06757781028000
* Max. accepted frame size: 64 bytes (FSCI: 5)
* Supported receive rates:
- 106, 212, 424, 848 kbit/s (DR: 1, 2, 4, 8)
* Supported send rates:
- 106, 212, 424, 848 kbit/s (DS: 1, 2, 4, 8)
* Different send and receive rates supported
* SFGT: 604.1 us (SFGI: 1)
* FWT: 77.33 ms (FWI: 8)
* NAD not supported
* CID supported
* Historical bytes: 0x80 |.|
# Memory content:
PICC level (Application ID 0x000000)
* PICC key configuration:
- AES key
- PICC key changeable
- PICC key required for:
~ directory list access: no
~ create/delete applications: yes
- Configuration changeable
- PICC key version: 129
Application ID 0x000001
* Key configuration:
- 14 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Key itself required for changing a key
* 1 file present
- File ID 0x00: Standard data, 384 bytes
~ Communication: with MAC
~ Read key: key #1
~ Write key: key #2
~ Read/Write key: key #2
~ Change key: master key
~ (No access)
--------------------------------------

As application 0x000001 is using 3DES keys, it may be possible (I'm curious too) to crack the read/write key because its using 3DES and not something stronger like AES
lawonga said:
Hi,
I am trying to clone or modify this card that I have. I do not have the keys. Is it possible? What can I do with it?
I am basically trying to clone it so it works with my phone case as it is too thick.. I'm open to melting the card and taking the internals out just to get it to work too, any suggestions?
See below for the dump:
** TagInfo scan (version 4.11.59 [β4011059]) 2016-01-04 11:09:14 **
-- INFO ------------------------------
# IC manufacturer:
NXP Semiconductors
# IC type:
MIFARE DESFire EV1 (MF3ICD41)
# DESFire Applications:
1 unknown application
-- NDEF ------------------------------
# NFC data set storage not present:
Maximum NDEF storage size after format: 4094 bytes
-- EXTRA ------------------------------
# Memory information:
Size: 4 kB
Available: 4.0 kB
# IC detailed information:
Capacitance: 17 pF
# Version information:
Vendor ID: NXP
Hardware info:
* Type/subtype: 0x01/0x01
* Version: 1.0
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-2 and -3
Software info:
* Type/subtype: 0x01/0x01
* Version: 1.4
* Storage size: 4096 bytes
* Protocol: ISO/IEC 14443-3 and -4
Batch no: 0xBA4450B120
Production date: week 10, 2013
-- TECH ------------------------------
# Technologies supported:
ISO/IEC 7816-4 compatible
Native DESFire APDU framing
ISO/IEC 14443-4 (Type A) compatible
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible
# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.IsoDep, android.nfc.tech.NfcA, android.nfc.tech.NdefFormatable]
android.nfc.tech.NdefFormatable
android.nfc.tech.IsoDep
* Maximum transceive length: 261 bytes
* Default maximum transceive time-out: 618 ms
* Extended length APDUs not supported
android.nfc.tech.NfcA
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 618 ms
# Detailed protocol information:
ID: 04:43:8B:5A:56:2C:80
ATQA: 0x4403
SAK: 0x20
ATS: 0x06757781028000
* Max. accepted frame size: 64 bytes (FSCI: 5)
* Supported receive rates:
- 106, 212, 424, 848 kbit/s (DR: 1, 2, 4, 8)
* Supported send rates:
- 106, 212, 424, 848 kbit/s (DS: 1, 2, 4, 8)
* Different send and receive rates supported
* SFGT: 604.1 us (SFGI: 1)
* FWT: 77.33 ms (FWI: 8)
* NAD not supported
* CID supported
* Historical bytes: 0x80 |.|
# Memory content:
PICC level (Application ID 0x000000)
* PICC key configuration:
- AES key
- PICC key changeable
- PICC key required for:
~ directory list access: no
~ create/delete applications: yes
- Configuration changeable
- PICC key version: 129
Application ID 0x000001
* Key configuration:
- 14 (3)DES keys
- Master key changeable
- Master key required for:
~ directory list access: no
~ create/delete files: yes
- Configuration changeable
- Key itself required for changing a key
* 1 file present
- File ID 0x00: Standard data, 384 bytes
~ Communication: with MAC
~ Read key: key #1
~ Write key: key #2
~ Read/Write key: key #2
~ Change key: master key
~ (No access)
--------------------------------------
Click to expand...
Click to collapse

If you get it, please tell us.

I guess no one manage to do this and my EV3 would be even harder to do so ...so no luck I suppose
My application ID is 0x000000 (PICC)