Looks like somebody was able to bypass EDL authorization in the MiFlash tool and released a free version 2 weeks ago on softwarecrackguru - Xiaomi MiFlash Tool 2023.4.14.0 (No need auth) - FREE.
I was able to unbrick my Mi Mix 3, but not the way I intended, so be warned. I wanted to recover some data from my bricked phone, but as I'm new to all this stuff I didn't realize the "save user data" option is completely ignored in EDL mode, so the phone was reflashed with all stock ROM images and I lost my data ...
Spybot says the software is clean, so I gave it a try.
Do you guys know what the MiFlash input files for reflashing are? I mean, can the input files be modified to define only single image/partition flashing instead of everything, so MiFlash could be used similarly to QFIL's partition manager?
With this EDL-unlocked MiFlash tool, having such control would possibly make data recovery feasible for all the people keeping their paperweights waiting for a miracle like this.
--------------
I sorted it out.
MiFlash stops flashing when reaching an .img file from the ROM package that is missing. So the right course of action before using MiFlash is to remove all .img files from the ROM package. Now after clicking "Flash" MiFlash will authorize EDL for firehose and stop.
This means the phone's firehose programmer is now EDL authorized, so we can switch to a different EDL tool that supports serial communication, i.e. the Python EDL tool. I had to use the master version, because the released packages don't support serial communication.
Now read the GPT table with:
Code:
python edl.py --serial printgpt --memory=ufs
There are 5 Luns and quite a lot of partitions. The ROM package contains only 14 images, so you need to know on which Lun the specific partition is located as this parameter is needed for the EDL tool to write the partition.
Spoiler: GPT output from EDL tool
d:\Program_files\edl-master>python edl.py --serial printgpt --memory=ufs
Capstone library is missing (optional).
Keystone library is missing (optional).
No module named 'Cryptodome'
Qualcomm Sahara / Firehose Client V3.61 (c) B.Kerler 2018-2023.
main
main - [LIB]: Please first install libusb_win32 driver from Zadig
main - Trying with no loader given ...
main - Waiting for the device
Detected 0x5c6:0x9008 device at: COM5
main - Device detected
DeviceClass - Warning !
main - Mode detected: firehose
main - Trying to connect to firehose loader ...
firehose - Nop succeeded.
firehose - INFO: Chip serial num: ******************
firehose - Supported Functions: program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt
firehose -
firehose
firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes
firehose
firehose - [LIB]: Couldn't detect TargetName
firehose - TargetName=Unknown
firehose - MemoryName=UFS
firehose - Version=1
firehose - Trying to read first storage sector...
firehose - Running configure...
firehose - Storage report:
firehose - total_blocks:29906944
firehose - block_size:4096
firehose - page_size:4096
firehose - num_physical:6
firehose - manufacturer_id:462
firehose - serial_num:************
firehose - fw_version:100
firehose - mem_type:UFS
firehose - prod_name:***************
firehose_client - Supported functions:
-----------------
program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt
Parsing Lun 0:
GPT Table:
-------------
switch: Offset 0x0000000000006000, Length 0x0000000000004000, Flags 0x0000000000000000, UUID 7d81dbc1-999f-f9d9-7843-dfd416d93510, Type 0x6a4afef7, Active False
ssd: Offset 0x000000000000a000, Length 0x0000000000008000, Flags 0x0000000000000000, UUID f48ed0a5-4fa4-3c1c-2adc-a8692f5b0949, Type 0x2c86e742, Active False
bk01: Offset 0x0000000000012000, Length 0x000000000006e000, Flags 0x0000000000000000, UUID 350e5125-165c-34c6-6baa-3509043b2456, Type 0x7b00b63b, Active False
bk02: Offset 0x0000000000080000, Length 0x0000000000040000, Flags 0x0000000000000000, UUID d3fc7a73-e8b4-b69f-2178-d2a9df507fb2, Type 0x53e5b8de, Active False
bk03: Offset 0x00000000000c0000, Length 0x0000000000040000, Flags 0x0000000000000000, UUID 6fe7b6af-edaa-4ecd-cbc7-ad4b22ae8f18, Type 0x7c7e2b25, Active False
keystore: Offset 0x0000000000100000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID 7e04ea69-f805-0928-458b-d741f122ae5a, Type 0xde7d4029, Active False
frp: Offset 0x0000000000180000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID c82bf96e-050f-dd98-0793-c0afd610375e, Type 0x91b72d4d, Active False
bk04: Offset 0x0000000000200000, Length 0x0000000000200000, Flags 0x0000000000000000, UUID 71b306e0-d231-45d3-ef87-55255552af10, Type 0x3fb510f6, Active False
misc: Offset 0x0000000000400000, Length 0x0000000000400000, Flags 0x0000000000000000, UUID a2126ef2-56bd-83f5-c9ca-10e288404fb8, Type 0x82acc91f, Active False
logfs: Offset 0x0000000000800000, Length 0x0000000000800000, Flags 0x0000000000000000, UUID 25d0b4a2-60ad-c92a-40c7-5ab28b3b5d03, Type 0xbc0330eb, Active False
oops: Offset 0x0000000001000000, Length 0x0000000001000000, Flags 0x0000000000000000, UUID 522f2690-3b07-5f18-b59f-9af29ee69ffb, Type 0xc549751f, Active False
devinfo: Offset 0x0000000002000000, Length 0x0000000001000000, Flags 0x0000000000000000, UUID e4fcd6bf-fc97-723f-4701-05c9835e515a, Type 0x65addcf4, Active False
vm-data: Offset 0x0000000003000000, Length 0x0000000000400000, Flags 0x0000000000000000, UUID 6401d6fb-830f-3bbf-0f5f-3d77c89f27c5, Type 0xfbf20211, Active False
bk05: Offset 0x0000000003400000, Length 0x0000000000c00000, Flags 0x0000000000000000, UUID cfd1e573-d826-f514-fe85-87b040370651, Type 0x4ef51ebc, Active False
persist: Offset 0x0000000004000000, Length 0x0000000004000000, Flags 0x0000000000000000, UUID c4745f63-799b-3688-c41f-fbd6d47c2443, Type 0x6c95e238, Active False
persistbak: Offset 0x0000000008000000, Length 0x0000000004000000, Flags 0x0000000000000000, UUID d24b6b90-33d3-6c2e-c363-afb8801c242f, Type 0x6c95e238, Active False
logdump: Offset 0x000000000c000000, Length 0x0000000004000000, Flags 0x0000000000000000, UUID ce52b805-9f17-ddac-e117-0ce06f43c16b, Type 0x5af80809, Active False
minidump: Offset 0x0000000010000000, Length 0x0000000008000000, Flags 0x0000000000000000, UUID be076dbb-c5bf-a99c-e26f-0c1ec8171a66, Type 0x71d24153, Active False
cust: Offset 0x0000000018000000, Length 0x0000000034000000, Flags 0x0000000000000000, UUID 483aae4f-60fa-e077-628a-c11814ef2d8f, Type 0xc3008246, Active False
recovery: Offset 0x000000004c000000, Length 0x0000000004000000, Flags 0x0000000000000000, UUID f3dba1f3-22ca-d970-90b9-25368239b9e6, Type 0x9d72d4e4, Active False
cache: Offset 0x0000000050000000, Length 0x0000000010000000, Flags 0x0000000000000000, UUID 07421523-8635-bce1-c14d-398d214db6b4, Type 0x5594c694, Active False
userdata: Offset 0x0000000060000000, Length 0x0000001c257fb000, Flags 0x0000000000000000, UUID bae3af9d-82e3-3723-4177-25db83e1bf8a, Type 0x1b81e7e6, Active False
Total disk size:0x0000001c8581c000, sectors:0x0000000001c8581c
Parsing Lun 1:
GPT Table:
-------------
xbl_config_a: Offset 0x0000000000006000, Length 0x0000000000080000, Flags 0x1000000000000000, UUID 02c90b8d-fb24-6a43-b846-5566df63a4ba, Type 0x5a325ae4, Active False
xbl_a: Offset 0x0000000000086000, Length 0x0000000000700000, Flags 0x1000000000000000, UUID 9da5770e-4cc6-0315-472c-ed072104e50c, Type 0xdea0ba2c, Active False
Total disk size:0x000000000081c000, sectors:0x000000000000081c
Parsing Lun 2:
GPT Table:
-------------
xbl_config_b: Offset 0x0000000000006000, Length 0x0000000000080000, Flags 0x1000000000000000, UUID f56d0d8a-1886-f474-3a82-6c38045486da, Type 0x5a325ae4, Active False
xbl_b: Offset 0x0000000000086000, Length 0x0000000000700000, Flags 0x1000000000000000, UUID 53d534c1-15f4-1597-88a5-7a07e1fe9d0f, Type 0xdea0ba2c, Active False
Total disk size:0x000000000081c000, sectors:0x000000000000081c
Parsing Lun 3:
GPT Table:
-------------
bk31: Offset 0x0000000000006000, Length 0x0000000000008000, Flags 0x1000000000000000, UUID 42571d89-6b77-fcf8-ca79-5dbd7fffddd1, Type 0xd37a3651, Active False
cdt: Offset 0x000000000000e000, Length 0x0000000000020000, Flags 0x1000000000000000, UUID d8d3ec0e-0513-27a2-3441-ca9d03368b8e, Type 0xa19f205f, Active False
bk32: Offset 0x000000000002e000, Length 0x00000000000d8000, Flags 0x1000000000000000, UUID 50f693b6-0134-980e-e451-0e26da7bfedf, Type 0x97312b22, Active False
ddr: Offset 0x0000000000106000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID 1afe59f2-0a19-c46c-175a-d9919ab5db4d, Type 0x20a0c19c, Active False
bk33: Offset 0x0000000000206000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID b026d82c-c8a7-32c4-747c-c915c1ed96a9, Type 0x6ce93c62, Active False
Total disk size:0x000000000201c000, sectors:0x000000000000201c
Parsing Lun 4:
GPT Table:
-------------
sec: Offset 0x0000000000006000, Length 0x0000000000008000, Flags 0x1000000000000000, UUID 4dd9acc6-7de0-2f0c-c35c-d9fc22c813d8, Type 0x303e6ac3, Active False
limits: Offset 0x000000000000e000, Length 0x0000000000008000, Flags 0x1000000000000000, UUID ad6ac38b-98fd-8ed1-54a2-a8b2e9dc5ea7, Type 0x10a0c19c, Active False
bk41: Offset 0x0000000000016000, Length 0x000000000002a000, Flags 0x1000000000000000, UUID 1303d7f7-3405-c406-9f3a-4a8aef1580f8, Type 0x2191e897, Active False
qupfw_a: Offset 0x0000000000040000, Length 0x0000000000020000, Flags 0x1000000000000000, UUID e65f6d39-4b32-c1b7-f0fc-3ef10898778c, Type 0x21d1219f, Active False
qupfw_b: Offset 0x0000000000060000, Length 0x0000000000020000, Flags 0x1000000000000000, UUID e72cfde5-ca32-ac60-90ef-2669fabd1ef4, Type 0x7e2f513d, Active False
apdp: Offset 0x0000000000080000, Length 0x0000000000040000, Flags 0x1000000000000000, UUID 3868f72a-98b0-c1b7-2557-308f509a71dc, Type 0xe6e98da2, Active False
msadp: Offset 0x00000000000c0000, Length 0x0000000000040000, Flags 0x1000000000000000, UUID 079ef9ec-bb13-abc9-f7a3-db9eb41fd7e4, Type 0xed9e8101, Active False
vbmeta: Offset 0x0000000000100000, Length 0x0000000000020000, Flags 0x1000000000000000, UUID 3532fa54-99f6-0ac9-a891-fdd54c352c50, Type 0x4b7a15d6, Active False
bk42: Offset 0x0000000000120000, Length 0x0000000000020000, Flags 0x1000000000000000, UUID dadfaa81-8ead-a673-46c2-aec06eb8d8ea, Type 0x9d30b727, Active False
storsec_a: Offset 0x0000000000140000, Length 0x0000000000020000, Flags 0x1000000000000000, UUID 314eaa40-9265-3485-9721-447e4a4ef662, Type 0x2db45fe, Active False
storsec_b: Offset 0x0000000000160000, Length 0x0000000000020000, Flags 0x1000000000000000, UUID 862f2152-3161-51f8-8d46-96901d1b0054, Type 0xe59f3f13, Active False
devcfg_a: Offset 0x0000000000180000, Length 0x0000000000040000, Flags 0x1000000000000000, UUID daa34916-76fa-2b44-8c2c-a397cd327464, Type 0xf65d4b16, Active False
devcfg_b: Offset 0x00000000001c0000, Length 0x0000000000040000, Flags 0x1000000000000000, UUID 83191580-2d2b-d45a-d6d5-78fffa2c8482, Type 0xefd49359, Active False
aop_a: Offset 0x0000000000200000, Length 0x0000000000080000, Flags 0x1000000000000000, UUID 1188f9ca-36e3-af20-cf91-5795436b3f8f, Type 0xd69e90a5, Active False
aop_b: Offset 0x0000000000280000, Length 0x0000000000080000, Flags 0x1000000000000000, UUID 9c5b70f5-fe11-84fb-be19-a689e57fcacb, Type 0x5d825d4, Active False
bk43: Offset 0x0000000000300000, Length 0x0000000000080000, Flags 0x1000000000000000, UUID 09c3f7aa-2aaa-55d7-c87c-90dc5bbb453b, Type 0x68852b76, Active False
bk44: Offset 0x0000000000380000, Length 0x0000000000080000, Flags 0x1000000000000000, UUID e7a9ef2a-f77a-eaad-c1c6-8a6f8e42a117, Type 0xed08ab2a, Active False
cmnlib_a: Offset 0x0000000000400000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID 9e79b5e5-1e28-ac77-6acd-d173ff416236, Type 0x73471795, Active False
cmnlib_b: Offset 0x0000000000500000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID bd3d4ed5-1769-0f60-e437-561dbbb18031, Type 0xb8af4f43, Active False
cmnlib64_a: Offset 0x0000000000600000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID 4faeab40-09c8-b3ef-11f0-d6ad008e37d7, Type 0x8ea64893, Active False
cmnlib64_b: Offset 0x0000000000700000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID 49f8bed0-f8a6-684f-8f31-cfb928680259, Type 0x3864ba83, Active False
keymaster_a: Offset 0x0000000000800000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID 2b6818e7-45c5-4853-10c0-2d5c369aef6c, Type 0xa11d2a7c, Active False
keymaster_b: Offset 0x0000000000900000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID 685a9ed5-e903-631d-9004-becfb15930b8, Type 0xe8df5a85, Active False
bluetooth: Offset 0x0000000000a00000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID be83e86e-8fe7-edb8-ef43-fb566a0a90d9, Type 0x6cb747f1, Active False
bk45: Offset 0x0000000000b00000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID 0a219d39-46a2-822e-1d71-d1f3c719d624, Type 0x1079ad2f, Active False
bk54: Offset 0x0000000000c00000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID 6e0b1a93-572c-b2d7-1c82-0402eaef2647, Type 0x9b4bb33c, Active False
bk55: Offset 0x0000000000d00000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID 5a12d8e9-10aa-6b66-6620-dcad08e5e3c4, Type 0x234d2de7, Active False
dip: Offset 0x0000000000e00000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID 83ec09a2-75a7-0972-cece-34275578a511, Type 0x4114b077, Active False
bk46: Offset 0x0000000000f00000, Length 0x0000000000100000, Flags 0x1000000000000000, UUID 35787d77-5a44-82ce-daa8-2f69fa7474fb, Type 0x71b28ec7, Active False
sti: Offset 0x0000000001000000, Length 0x0000000000200000, Flags 0x1000000000000000, UUID 80bd4228-2b74-8b45-02ea-2920981add0b, Type 0xaa9a5c4c, Active False
toolsfv: Offset 0x0000000001200000, Length 0x0000000000200000, Flags 0x1000000000000000, UUID f8566f8d-9022-93df-a69a-ee8dfaa73f08, Type 0x97745aba, Active False
abl_a: Offset 0x0000000001400000, Length 0x0000000000200000, Flags 0x1000000000000000, UUID 4d9a720f-dc52-0775-f958-1039fc840aab, Type 0xbd6928a1, Active False
abl_b: Offset 0x0000000001600000, Length 0x0000000000200000, Flags 0x1000000000000000, UUID 8b87050f-7171-7495-a675-81fe9ea6ddf2, Type 0x9f68daa1, Active False
tz_a: Offset 0x0000000001800000, Length 0x0000000000400000, Flags 0x1000000000000000, UUID 5ab1c014-4746-8851-0a35-0c2e59460dc3, Type 0xa053aa7f, Active False
tz_b: Offset 0x0000000001c00000, Length 0x0000000000400000, Flags 0x1000000000000000, UUID ca70c1c6-2096-7e5f-f8f5-bccb490616c6, Type 0x1d5075d8, Active False
fsg: Offset 0x0000000002000000, Length 0x0000000000800000, Flags 0x1000000000000000, UUID dd21baaa-0872-41e0-52f4-b3583f4fb4ce, Type 0x638ff8e2, Active False
dtbo: Offset 0x0000000002800000, Length 0x0000000000800000, Flags 0x1000000000000000, UUID 55983161-9b66-db35-833f-77cc1df946d9, Type 0x24d0d418, Active False
hyp_a: Offset 0x0000000003000000, Length 0x0000000000800000, Flags 0x1000000000000000, UUID ad03b4ed-4867-3592-31d6-8debc90d27a2, Type 0xe1a6a689, Active False
spunvm: Offset 0x0000000003800000, Length 0x0000000000800000, Flags 0x1000000000000000, UUID 2b7d35df-1150-6321-8bc0-cd614098da8b, Type 0xe42e2b4c, Active False
ifaa: Offset 0x0000000004000000, Length 0x0000000002000000, Flags 0x1000000000000000, UUID 42bda3ca-c779-8b92-ef42-292b77cd9ee3, Type 0x1db287d7, Active False
hyp_b: Offset 0x0000000006000000, Length 0x0000000000800000, Flags 0x1000000000000000, UUID 64b031e2-d5b1-94e8-4fba-7c4376ec16ba, Type 0xdf718c12, Active False
splash: Offset 0x0000000006800000, Length 0x0000000001800000, Flags 0x1000000000000000, UUID 02399957-f538-dcfb-aec4-4fdd7647bba6, Type 0xad99f201, Active False
logo: Offset 0x0000000008000000, Length 0x0000000002000000, Flags 0x1000000000000000, UUID cbdbbdb8-de28-a9fa-4972-06d375d7986b, Type 0xe5947ddb, Active False
dsp: Offset 0x000000000a000000, Length 0x0000000002000000, Flags 0x1000000000000000, UUID d602692f-b165-b319-b4a3-b88f5241a1bd, Type 0x7efe5010, Active False
boot: Offset 0x000000000c000000, Length 0x0000000004000000, Flags 0x1000000000000000, UUID f223d682-3eb4-6f35-ca2c-9ca5e206ad8c, Type 0x20117f86, Active False
modem: Offset 0x0000000010000000, Length 0x000000000c000000, Flags 0x1000000000000000, UUID 16d12797-a639-7418-93e8-4be93086eaaa, Type EFI_BASIC_DATA, Active False
vendor: Offset 0x000000001c000000, Length 0x0000000040000000, Flags 0x1000000000000000, UUID acc39909-b102-f662-c470-ae840afef0c7, Type 0x97d7b011, Active False
system: Offset 0x000000005c000000, Length 0x00000000e0000000, Flags 0x1000000000000000, UUID 5e5b64a3-bd50-13ed-c2ba-1562457c5d91, Type 0x97d7b011, Active False
Total disk size:0x000000014001c000, sectors:0x000000000014001c
Parsing Lun 5:
GPT Table:
-------------
fsc: Offset 0x0000000000006000, Length 0x0000000000040000, Flags 0x0000000000000000, UUID 1ef3d2eb-bc2f-8ff9-0d53-a1b7ed8dcf1a, Type 0x57b90a16, Active False
bk51: Offset 0x0000000000046000, Length 0x00000000000ba000, Flags 0x0000000000000000, UUID 620a660a-b98f-45fe-33e6-b582998a21a6, Type 0x694be4bc, Active False
bk52: Offset 0x0000000000100000, Length 0x0000000000100000, Flags 0x0000000000000000, UUID b5478014-e432-e718-7020-ee6caf789d45, Type 0x3b02c43f, Active False
ImageFv: Offset 0x0000000000200000, Length 0x0000000000200000, Flags 0x0000000000000000, UUID 3fea9e2d-b97b-9402-ee1e-c61f78a4549d, Type 0x17911177, Active False
bk53: Offset 0x0000000000400000, Length 0x0000000000400000, Flags 0x0000000000000000, UUID 904020b3-5bbe-f9be-ad9b-1cc4adcfb1d3, Type 0xdd6dc330, Active False
modemst1: Offset 0x0000000000800000, Length 0x0000000000800000, Flags 0x0000000000000000, UUID 77565145-fc11-c12e-8038-980d9ade2325, Type 0xebbeadaf, Active False
modemst2: Offset 0x0000000001000000, Length 0x0000000000800000, Flags 0x0000000000000000, UUID 5216a65d-d84b-718b-806c-6c93d7c2a83f, Type 0xa288b1f, Active False
Total disk size:0x000000000201c000, sectors:0x000000000000201c
d:\Program_files\edl-master>
Now I could flash the single partition, but I don't know which. Could anybody help me here? Is it vendor or system maybe? Also, I wonder if the idea as a whole (to reflash only a single partition to get the phone out of the bootloop) is correct?
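An added example (not part of the original post or of the edl project): a parser for the printgpt text above that maps each partition name to its LUN and sector range and checks that the entries on each LUN do not overlap. The embedded sample is a few lines copied from that output; the function names are hypothetical.

```python
import re
from collections import namedtuple

# Constructed sample: a few lines copied from the printgpt output in the post.
SAMPLE = """\
firehose - block_size:4096
Parsing Lun 0:
GPT Table:
-------------
frp: Offset 0x0000000000180000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID c82bf96e-050f-dd98-0793-c0afd610375e, Type 0x91b72d4d, Active False
userdata: Offset 0x0000000060000000, Length 0x0000001c257fb000, Flags 0x0000000000000000, UUID bae3af9d-82e3-3723-4177-25db83e1bf8a, Type 0x1b81e7e6, Active False
Total disk size:0x0000001c8581c000, sectors:0x0000000001c8581c
Parsing Lun 4:
GPT Table:
-------------
vbmeta: Offset 0x0000000000100000, Length 0x0000000000020000, Flags 0x1000000000000000, UUID 3532fa54-99f6-0ac9-a891-fdd54c352c50, Type 0x4b7a15d6, Active False
modem: Offset 0x0000000010000000, Length 0x000000000c000000, Flags 0x1000000000000000, UUID 16d12797-a639-7418-93e8-4be93086eaaa, Type EFI_BASIC_DATA, Active False
vendor: Offset 0x000000001c000000, Length 0x0000000040000000, Flags 0x1000000000000000, UUID acc39909-b102-f662-c470-ae840afef0c7, Type 0x97d7b011, Active False
system: Offset 0x000000005c000000, Length 0x00000000e0000000, Flags 0x1000000000000000, UUID 5e5b64a3-bd50-13ed-c2ba-1562457c5d91, Type 0x97d7b011, Active False
Total disk size:0x000000014001c000, sectors:0x000000000014001c
"""

Partition = namedtuple("Partition", "lun name offset length flags uuid type")

LUN_RE = re.compile(r"^Parsing Lun (\d+):")
BLOCK_RE = re.compile(r"block_size:(\d+)")
TOTAL_RE = re.compile(r"^Total disk size:(0x[0-9a-fA-F]+)")
PART_RE = re.compile(
    r"^(?P<name>\S+):\s+Offset (?P<offset>0x[0-9a-fA-F]+), "
    r"Length (?P<length>0x[0-9a-fA-F]+), Flags (?P<flags>0x[0-9a-fA-F]+), "
    r"UUID (?P<uuid>[0-9a-fA-F-]+), Type (?P<type>[^,]+), Active (?:True|False)"
)


def parse_printgpt(text):
    """Return (block_size, partitions, total_bytes_per_lun) from printgpt text."""
    block_size, lun, parts, totals = None, None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = BLOCK_RE.search(line)
        if m:
            block_size = int(m.group(1))
            continue
        m = LUN_RE.match(line)
        if m:
            lun = int(m.group(1))  # every following entry belongs to this LUN
            continue
        if lun is None:
            continue  # tool banner and storage report before the first table
        m = TOTAL_RE.match(line)
        if m:
            totals[lun] = int(m.group(1), 16)
            continue
        m = PART_RE.match(line)
        if m:
            parts.append(Partition(lun, m["name"], int(m["offset"], 16),
                                   int(m["length"], 16), int(m["flags"], 16),
                                   m["uuid"], m["type"]))
    return block_size, parts, totals


def locate(parts, name):
    """All entries with this name (a list, in case a name repeats across LUNs)."""
    return [p for p in parts if p.name == name]


def sector_range(part, block_size):
    """(start_sector, sector_count) of a partition on its LUN."""
    if part.offset % block_size or part.length % block_size:
        raise ValueError(f"{part.name} is not aligned to {block_size}-byte blocks")
    return part.offset // block_size, part.length // block_size


def check_layout(parts, totals):
    """Report overlapping entries and entries that run past the end of a LUN."""
    problems, by_lun = [], {}
    for p in parts:
        by_lun.setdefault(p.lun, []).append(p)
    for lun, plist in sorted(by_lun.items()):
        plist.sort(key=lambda p: p.offset)
        for a, b in zip(plist, plist[1:]):
            if a.offset + a.length > b.offset:
                problems.append(f"LUN {lun}: {a.name} overlaps {b.name}")
        last = plist[-1]
        if lun in totals and last.offset + last.length > totals[lun]:
            problems.append(f"LUN {lun}: {last.name} runs past the end of the disk")
    return problems


if __name__ == "__main__":
    bs, parts, totals = parse_printgpt(SAMPLE)
    for p in parts:
        start, count = sector_range(p, bs)
        print(f"LUN {p.lun}  {p.name:<10} start_sector={start:<10} sectors={count}")
    print(check_layout(parts, totals) or "layout consistent")
```

Feeding it the complete printgpt text instead of `SAMPLE` gives the LUN for every partition in the table.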
Related
Hello there
This is a surprise, but software able to flash the phone without any computer intervention was already on it, since the beginning.
Searching for a way to install my future lag fix easily, I remember that there was an "OTA" boot mode.
I know, today nobody saw an OTA on any Galaxy S smartphone (except maybe one on the AT&T Captivate?), but the software is still there.
How does this work:
Basically Linux boots a ramdisk, loading kernel modules and running an init process that starts the whole Android experience (bootmode=) or just the recovery mode (bootmode=2).
Other bootmodes are used for battery loading only and Over The Air updates.
In this case, init.rc asks init to start "/sbin/redbend_ua all".
By default this software searches for software updates in /data/fota and in similar places on the /sdcard.
It could prove useful another day, but you still have to be root to ask your device to reboot in a specific bootmode.
The nice part is that we can use redbend_ua manually too, to do many things that were impossible before:
Command list, pretty comprehensive:
Code:
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
Possible usages:
- Flashing the kernel without Odin or any computer
- Backing up and restoring a whole firmware, including stock one
- Doing more than one operation before automatic reboot through a list of commands in /data/fota/command (not tested yet)
- Messing with bootloaders and bricking your phone for good
Yeah, you must be really careful this time. Samsung made some partitions read-only for a reason.
Hopefully this new tool will be used by most ROM cookers, CyanogenMod, and ClockWorkMod.
I'll make an update.zip + redbend_ua template soon if nobody comes up with one.
My Twitter for next news
Attached to this post: redbend_ua working binary (some firmwares ship a new binary that does not accept command-line parameters).
-----
Old post, for the record :
Our Galaxy S in Eclair firmwares come with software able to provide updates Over The Air.
This firmware is in /sbin directory, which means that it's in the kernel ramdisk.
Look at the output when running the binary without argument or appropriate file:
Code:
# redbend_ua
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
UA/(MakeBMLNodes): mknod path=/dev/block/bml4, dev_no=35076
UA/(MakeBMLNodes): mknod path=/dev/block/bml5, dev_no=35077
UA/(MakeBMLNodes): mknod path=/dev/block/bml7, dev_no=35079
UA/(MakeBMLNodes): mknod path=/dev/block/bml8, dev_no=35080
UA/(MakeBMLNodes): mknod path=/dev/block/bml11, dev_no=35083
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
UA/ check_existence: /data/fota/delta.Sbl
UA/(update_all): Check Delta : path_idx(0), part_idx(0), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.zImage
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.modem
UA/(update_all): Check Delta : path_idx(0), part_idx(2), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.platform
UA/(update_all): Check Delta : path_idx(0), part_idx(3), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.Sbl
UA/(update_all): Check Delta : path_idx(1), part_idx(0), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.zImage
UA/(update_all): Check Delta : path_idx(1), part_idx(1), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.modem
UA/(update_all): Check Delta : path_idx(1), part_idx(2), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.platform
UA/(update_all): Check Delta : path_idx(1), part_idx(3), file_path((null)), cnt(0)
fail!
Open /data/fota/fota.status
fsync after write: 0
And here is the result when you provide a fake zImage delta file:
Code:
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
UA/(MakeBMLNodes): mknod path=/dev/block/bml4, dev_no=35076
UA/(MakeBMLNodes): mknod path=/dev/block/bml5, dev_no=35077
UA/(MakeBMLNodes): mknod path=/dev/block/bml7, dev_no=35079
UA/(MakeBMLNodes): mknod path=/dev/block/bml8, dev_no=35080
UA/(MakeBMLNodes): mknod path=/dev/block/bml11, dev_no=35083
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
UA/ check_existence: /data/fota/delta.Sbl
UA/(update_all): Check Delta : path_idx(0), part_idx(0), file_path((null)), cnt(0)
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path(/data/fota/delta.zImage), cnt(1)
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path(/data/fota/delta.zImage), cnt(1)
UA/ check_existence: /data/fota/delta.modem
UA/(update_all): Check Delta : path_idx(0), part_idx(2), file_path((null)), cnt(1)
UA/ check_existence: /data/fota/delta.platform
UA/(update_all): Check Delta : path_idx(0), part_idx(3), file_path((null)), cnt(1)
page_msize: 4096, phy_unit_size: 262144
UA/ Sbl delta does NOT exist! Skip.
page_msize: 4096, phy_unit_size: 262144
UA/ check_existence: /data/fota/fota_zImage
page_msize: 4096, phy_unit_size: 262144
dev: /dev/block/bml8 partition size: 0x780000
40180008: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180018: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180028: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180038: ffff ffff ffff ffff ffff ffff ffff ffff ................
signature: 0xffffffff
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
page_msize: 4096, phy_unit_size: 262144
page_msize: 4096, phy_unit_size: 262144
UA/(backup_devbml) src: /dev/block/bml7 partition size: 0x780000
UA/(backup_devbml) dst: /dev/block/bml8 partition size: 0x780000
UA/(backup_devbml) backup 128KB at 0x0
UA/(backup_devbml) backup 128KB at 0x40000
UA/(backup_devbml) backup 128KB at 0x80000
UA/(backup_devbml) backup 128KB at 0xc0000
UA/(backup_devbml) backup 128KB at 0x100000
UA/(backup_devbml) backup 128KB at 0x140000
UA/(backup_devbml) backup 128KB at 0x180000
UA/(backup_devbml) backup 128KB at 0x1c0000
UA/(backup_devbml) backup 128KB at 0x200000
UA/(backup_devbml) backup 128KB at 0x240000
UA/(backup_devbml) backup 128KB at 0x280000
UA/(backup_devbml) backup 128KB at 0x2c0000
UA/(backup_devbml) backup 128KB at 0x300000
UA/(backup_devbml) backup 128KB at 0x340000
UA/(backup_devbml) backup 128KB at 0x380000
UA/(backup_devbml) backup 128KB at 0x3c0000
UA/(backup_devbml) backup 128KB at 0x400000
UA/(backup_devbml) backup 128KB at 0x440000
UA/(backup_devbml) backup 128KB at 0x480000
UA/(backup_devbml) backup 128KB at 0x4c0000
UA/(backup_devbml) backup 128KB at 0x500000
UA/(backup_devbml) backup 128KB at 0x540000
UA/(backup_devbml) backup 128KB at 0x580000
UA/(backup_devbml) backup 128KB at 0x5c0000
UA/(backup_devbml) backup 128KB at 0x600000
UA/(backup_devbml) backup 128KB at 0x640000
UA/(backup_devbml) backup 128KB at 0x680000
UA/(backup_devbml) backup 128KB at 0x6c0000
UA/(backup_devbml) backup 128KB at 0x700000
UA/(backup_devbml) backup 128KB at 0x740000
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
UA/(RB_ImageUpdateMain): ++
UA/(RB_ImageUpdateMain) uPartitionName[zImage]
RB_GetBlockSize: returning 0x40000 (262144)
UA/(RB_UpdateImage): ++
UA/(RB_UpdateImage): Delta file name-/data/fota/delta.zImage
unicode_to_char : zImage
pDeviceDatum.pFirstPartitionData->partition_name: zImage
pDeviceDatum.pFirstPartitionData->partition_type: 0
pDeviceDatum.pFirstPartitionData->file_system_type: 0
unicode_to_char : /data/fota/delta.zImage
RB_OpenFile: Path:/data/fota/delta.zImage | Mode: RDONLY
Successful open() *pwHandle:4
[RB] Illegal field in the delta, or that the given delta is invalid
UA/(RB_UpdateImage) return value from RB_vRM_Update: 0x80000539
UA/(RB_UpdateImage): -- ret=-2147482311
UA/(RB_ImageUpdateMain) pCustomerPartData.updated = -1, rest = -1
UA/(RB_ImageUpdateMain): -- ret=-2147482311
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xdeade002
UA/(update_all) Kernel update fail
fail!
Open /data/fota/fota.status
fsync after write: 0
Promising! This software definitely has the ability to write on protected bml partitions.
Now we need to find how to produce the .delta files.
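An added example (not from the original post and not Red Bend's code): a parser for the update-agent log format shown above. It extracts which delta was picked up, the backup source and destination, the `RB_vRM_Update` return code and the logged mark values, and shows that `0x80000539` and `ret=-2147482311` are the same 32-bit value. The sample log is constructed from lines in the post; the function names are hypothetical.

```python
import re

# Constructed sample: lines taken from the failed zImage run in the post.
# The 30 "backup 128KB" lines are regenerated with the offsets the log shows.
_BACKUP = "".join(
    f"UA/(backup_devbml) backup 128KB at 0x{off:x}\n"
    for off in range(0, 0x780000, 0x40000)
)
SAMPLE_LOG = (
    "RedBend Update Agent 6,1,14,1\n"
    "UA/(update_all): Check Delta : path_idx(0), part_idx(0), file_path((null)), cnt(0)\n"
    "UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path(/data/fota/delta.zImage), cnt(1)\n"
    "UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path(/data/fota/delta.zImage), cnt(1)\n"
    "page_msize: 4096, phy_unit_size: 262144\n"
    "common mark dev : /dev/block/bml8 partition size: 0x780000\n"
    "0xffffffff\n"
    "UA/(backup_devbml) src: /dev/block/bml7 partition size: 0x780000\n"
    "UA/(backup_devbml) dst: /dev/block/bml8 partition size: 0x780000\n"
    + _BACKUP +
    "[RB] Illegal field in the delta, or that the given delta is invalid\n"
    "UA/(RB_UpdateImage) return value from RB_vRM_Update: 0x80000539\n"
    "UA/(RB_ImageUpdateMain): -- ret=-2147482311\n"
    "common mark dev : /dev/block/bml8 partition size: 0x780000\n"
    "0xdeade002\n"
    "UA/(update_all) Kernel update fail\n"
    "fail!\n"
)

CHECK_RE = re.compile(
    r"Check Delta : path_idx\((\d+)\), part_idx\((\d+)\), file_path\((.*)\), cnt\((\d+)\)")
UNIT_RE = re.compile(r"phy_unit_size: (\d+)")
DEV_RE = re.compile(r"\(backup_devbml\) (src|dst): (\S+) partition size: (0x[0-9a-fA-F]+)")
AT_RE = re.compile(r"\(backup_devbml\) backup 128KB at (0x[0-9a-fA-F]+)")
RM_RE = re.compile(r"return value from RB_vRM_Update: (0x[0-9a-fA-F]+)")
RET_RE = re.compile(r"\(RB_ImageUpdateMain\): -- ret=(-?\d+)")
HEX_LINE_RE = re.compile(r"^0x[0-9a-fA-F]+$")


def to_signed32(value):
    """Reinterpret an unsigned 32-bit value as a signed one."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def summarize(log):
    lines = [l.strip() for l in log.splitlines()]
    out = {"deltas": [], "unit": None, "backup": {"offsets": []},
           "rm_update": None, "ret": None, "marks": [], "outcome": None}
    for i, line in enumerate(lines):
        m = CHECK_RE.search(line)
        if m:
            hit = (int(m.group(2)), m.group(3))   # (part_idx, delta path)
            if m.group(3) != "(null)" and hit not in out["deltas"]:
                out["deltas"].append(hit)
            continue
        m = UNIT_RE.search(line)
        if m:
            out["unit"] = int(m.group(1))
            continue
        m = DEV_RE.search(line)
        if m:
            out["backup"][m.group(1)] = m.group(2)
            out["backup"]["size"] = int(m.group(3), 16)
            continue
        m = AT_RE.search(line)
        if m:
            out["backup"]["offsets"].append(int(m.group(1), 16))
            continue
        m = RM_RE.search(line)
        if m:
            out["rm_update"] = int(m.group(1), 16)
            continue
        m = RET_RE.search(line)
        if m:
            out["ret"] = int(m.group(1))
            continue
        # The mark value is printed alone on the line after "common mark dev".
        if line.startswith("common mark dev") and i + 1 < len(lines) \
                and HEX_LINE_RE.match(lines[i + 1]):
            out["marks"].append(int(lines[i + 1], 16))
        elif line in ("fail!", "success!"):
            out["outcome"] = line
    return out


def backup_covers_partition(summary):
    """True when the logged offsets step through the whole partition in phy_unit_size units."""
    b = summary["backup"]
    if summary["unit"] is None or "size" not in b:
        return False
    return b["offsets"] == list(range(0, b["size"], summary["unit"]))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("deltas found:", s["deltas"])
    print("backup:", s["backup"].get("src"), "->", s["backup"].get("dst"),
          "complete" if backup_covers_partition(s) else "incomplete")
    print(f"RB_vRM_Update: {s['rm_update']:#x} == {to_signed32(s['rm_update'])} (signed)")
    print("marks:", [hex(v) for v in s["marks"]], "outcome:", s["outcome"])
```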
Sounds great. Let's hope you guys can figure it all out.
I just sent a message to Red Bend Software through their site.
Actually it may help to find any other delta file for their software. Without a sample we won't go anywhere...
I hope they will be kind and answer!
Here is a list of interesting strings found in the binary :
Code:
UA/ Platform delta does NOT exist! Skip.
Can not open src file : %s
Can not open dst file : %s
UA/(%s) write %dbytes
UA/(%s) copy file %s->%s
fsync failed with return value: %d
fsync after write: %d
UA/ %s: %s
/dev/block/bml4
/data/fota/dump_sbl
/dev/block/bml7
/data/fota/dump_kernel
/dev/block/bml12
/data/fota/dump_modem
FOTA : Make Block Device Nodes
UA/(%s): mknod path=%s, dev_no=%u
Failed to open %s: %s
Open %s
lseek failed with return value: %d
read failed with return value: %d
success!
DONE
fail!
FAIL
FOTA
UA/ modem delta does NOT exist! Skip.
/data/fota/backup.modem
UA/ zImage delta does NOT exist! Skip.
/dev/block/bml8
UA/ Sbl delta does NOT exist! Skip.
UA/ERROR(%s) get dual sbl siginfo fail!!
/dev/block/bml5
UA/ERROR(%s) can't find vaild Sbl partitions
UA/ERROR(%s) SBL RAM partition alloc fail
UA/ERROR(%s) RB_ImageUpdateMain Fail ret=(0x%d)
/data/fota/command
/sdcard/Android/data/temp.fota.delta/command
UA/(%s) cache download
/cache/recovery
UA/(%s) create /cache/recovery directory
/cache/recovery/command
reboot recovery
UA/(%s): Check Delta : path_idx(%d), part_idx(%d), file_path(%s), cnt(%d)
SBL update fail
UA/(%s) %s
Kernel update fail
Modem update fail
Platform update fail
Post update fail
WARNNIG
Delta Not Exist
/data/fota
/sbin/images/fota.png
UA/(%s) test
Update Fail!!
/data/fota/fota.status
/data/fota/delta.Sbl
/data/fota/delta.zImage
/data/fota/delta.modem
/data/fota/delta.platform
/sdcard/Android/data/temp.fota.delta/delta.Sbl
/sdcard/Android/data/temp.fota.delta/delta.zImage
/sdcard/Android/data/temp.fota.delta/delta.modem
/sdcard/Android/data/temp.fota.delta/delta.platform
RedBend Update Agent %s
commands:
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
unknown
/data/fota/fota_Sbl
/data/fota/fota_zImage
Modem
/data/fota/fota_modem
/data/fota/fota_platform
/dev/block/bml11
OFNI
main
update_all
post_update
update_platform
update_modem
update_zImage
update_Sbl
file_copy
check_existence
MakeBMLNodes
UA/(%s): +
UA/(%s): %s (%lx %x)
UA/(%s): -
UA/(%s): %s (%lx %lx)
UA/(%s): memcpy(0x%x, 0x%x, 0x%x)
%07x:
%02x
%02x
BML_GET_DEV_INFO
page_msize: %d, phy_unit_size: %d
open device file
%s: bmldevice_open failed!
%s: bmldevice_info failed!
src: %s
dst: %s partition size: 0x%x
part_size: 0x%x
failed to read from %s (%s)
read finished
read %d bytes
src: %s partition size: 0x%x
dst: %s
failed to write to %s (%s)
done
UA/(%s) src: %s
UA/(%s) dst: %s partition size: 0x%x
UA/(%s) part_size: 0x%x
UA/(%s) read finished
UA/(%s) read %d bytes
UA/(%s) src: %s partition size: 0x%x
UA/(%s) dst: %s
UA/(%s) signature: 0x%x
*WARN* %s partition is already marked as invalid!
UA/(%s) done
page at 0x%x differ!
UA/(%s) backup 128KB at 0x%x
UA/(%s): ++
UA/(%s) 0x%x
UA/ERROR(%s) Valid partition signature is not invalid
UA/(%s): --
%s, invalide magic key(%x)!!
common mark dev : %s partition size: 0x%x
dev: %s partition size: 0x%x
signature: 0x%x
UA/(%s) dev: %s partition size: 0x%x
UA/ERROR(%s) Signature is not validate (%x)
UA/(%s) SBL, SBL2 partition are diffierent size, check your bml device node name
UA/ERROR(%s) Both partition has valid or invalid signature
UA/(%s) Valid Partition-%s, Update Partition-%s
restore_file
backup_block_file
restore_devbml
backup_devbml
store_dualsbl_partition
load_partition
mark_common_recovery
find_valid_partition
check_dualpartition_validation
ram_write_block
ram_read_block
nand_write_block
nand_read_block
bmldevice_get_size
Image size is bigger than partition!
reading NAND page
BML_UNLOCK_ALL
writing NAND page
6,1,14,1
RB_GetBlockSize
%s: returning 0x%x (%d)
RB_ReadBackupBlock
UA/(%s): %s: offset 0x%lx(%ld), size 0x%lx(%ld)
UA/ERROR(%s) open file %s failed.
UA/ open %s file success
UA/ERROR(%s) error in read size
RB_WriteBackupBlock
UA/(%s): offset 0x%lx(%ld), size 0x%lx(%ld)
UA/ERROR(%s) error in write size
RB_ImageUpdateMain
UA/(%s): ++
UA/(%s) uPartitionName[%s]
UA/(%s) pCustomerPartData.updated = %d, rest = %d
UA/(%s): -- ret=%d
RB_UpdateImage
UA/(%s): Delta file name-%s
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
UA/(%s) return value from RB_vRM_Update: 0x%x
unicode_to_char
%s : %s
RecursiveFolderCreater
%s path: %s
temppath: %s
mkdir result: %d errno: %d
RB_CopyFile
%s: %s -> %s
NULL file name find. Abort.
Open %s ENOENT %d
Open %s failed. Abort.
read %d, but write %d, abort.
RB_DeleteFile
%s: %s
unlink value: %d, errno: %d
RB_DeleteFolder
rmdir value: %d, errno: %d
RB_CreateFolder
%s: %s, mode:0x%x
RDONLY
WRONLY
RDWR
Unknown
RB_OpenFile
%s: Path:%s | Mode:
First open() with error %d
copy dir[]=%s
remove dir[]=%s
Fail create folder, Leave RB_OpenFile
After successful creating folder, fail open() with error %d
Successful open() *pwHandle:%ld
RB_ResizeFile
%s: handle %ld, dwSize %d
%s: ret %d handle %ld %d
RB_CloseFile
%s: wHandle = %ld
RB_WriteFile
%s: Handle:%ld , Pos:%ld , Size: %ld
lseek failed with return value: %d
Failed with return value: %d
Bytes Write: %d
fsync Failed with return value: %d
fsync after write: %d
RB_ReadFile
%s: Handle:%ld , Pos:%ld , Size: %ld
read failed with return value: %d
RB_GetFileSize
%s: %ld
lseek errno: %d
Returning Size = 0x%x
RB_Unlink
unlink failed with return value: %d
unlink with return value: %d
RB_Link
symlink failed with return value: %d, errno: %d
symlink with return value: %d
RB_VerifyLinkReference
readlink failed with return value: %d
not same linked path
same linked path
RB_GetFileType
stat failed with return value: %d errno: %d
sbuf.st_mode: %d
S_ISREG(sbuf.st_mode): %d
S_ISLNK(sbuf.st_mode): %d
stat->st_mode = symbolic link file
stat->st_mode = regular file
failed to lstat, err : %d
a2ch
%s : %d
Wrong attribute value: %d
a2ch : %c
chtoa
RB_SetFileAttributes
stat failed with return value: %d
sbuf.st_mode value: %d
ui8pAttribs value: %s
ui32AttribSize value: %ld
attrib_user value: %d
attrib_group value: %d
attrib_other value: %d
att_type value: %d
sbuf.st_mode | attrib: %d
chmod failed with return value: %d
chmod with return value: %d
pUserId value: %s
user_id value: %d
aGroupId value: %s
pGroupId value: %s
group_id value: %d
failed chown %d
success chown %d
RB_FSUpdateMain
UA/(%s) Partition name(%s), mount point(%s)
UA/(%s) pCustomerPartData.updated = %ld, rest = %ld
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
return value from RB_vRM_Update: 0x%x
%s/flagsFile
return value from unlink(%s): 0x%x
Installing software
Don't turn off the
phone and
connect the power
cable as possible.
System updated &
reboot now
gui_progress
UA/(%s): ++ uPercent(%d%), gv_delta_count=(%ld)
UA/(%s): -- Print Percent(%d%)
%3d %%
lcd_init
%s(%d): start!
/dev/graphics/fb0
%s(%d): fb0 open fail
%s(%d): fb0 open success
%s(%d): width = %d, height = %d
%s(%d): ioctl set info fail
%s(%d): Error: failed to map framebuffer device to memory.
%s(%d): ioctl start fail
Allocation error-
Current start: %d
Current finish: %d
Requested size: %d
Allocation error:
Current start: %d
Current finish: %d
Requested size: %d
It may accept commands somehow, like those:
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
I tried writing commands in /data/fota/command and /cache/recovery/command but the program does not follow my orders
OK, it works when I flashed zImage
Code:
# redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: /sdcard/jm5.zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished
Wow, this is looking promising.
It seems like HTC's flash_image, but much more difficult than it.
raspdeep said:
OK, it works when I flashed zImage
Nice raspdeep
How did you do it? Every attempt fails here (in recovery or standard mode).
Which initramfs version do you use?
Code:
redbend_ua restore zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished
OK, you don't respond, but it works here too, booting on your OC kernel. Now I'll find what is different between our setups.
supercurio, you are rapidly becoming one of my Android heroes...
distortedloop said:
supercurio, you are rapidly becoming one of my Android heroes...
Don't know if I can live with that
Code:
ll */*
-rwxr-xr-x 1 root curio 313888 2010-08-26 21:14 oc128uv1/redbend_ua*
-rwxr-xr-x 1 curio curio 314004 2010-08-26 21:16 XWJM5/redbend_ua*
md5sum */*
74f5793536c3cdc902ec269c3f51a165 oc128uv1/redbend_ua
b1ba258a5d673c537a95167267afd6b8 XWJM5/redbend_ua
Different binaries!
Edit: attached working redbend_ua
A diff between the strings included in the binaries (raw info, not analyzed yet ^^)
Code:
--- not-working 2010-08-26 21:22:39.594984596 +0200
+++ working 2010-08-26 21:22:20.370634450 +0200
@@ -4,7 +4,6 @@
@F2A
bB,2
H{DYX
-/Q{;
/Qs;
/Qk;
/Qc;
@@ -452,71 +451,52 @@
%mB(
@ #!
!1C "
-reboot
-UA/ Platform delta does NOT exist! Skip.
-Can not open src file : %s
-Can not open dst file : %s
-UA/(%s) write %dbytes
-UA/(%s) copy file %s->%s
- fsync failed with return value: %d
- fsync after write: %d
-UA/ %s: %s
+/data/fota/delta.Sbl
/dev/block/bml4
-/data/fota/dump_sbl
+/dev/block/bml5
+/data/fota/fota_Sbl
+/data/fota/delta.zImage
/dev/block/bml7
-/data/fota/dump_kernel
+/data/fota/backup.zImage
+/data/fota/fota_zImage
+Modem
+/data/fota/delta.modem
/dev/block/bml12
+/data/fota/backup.modem
+/data/fota/fota_modem
+/data/fota/delta.platform
+/data/fota/backup.platform
+/data/fota/fota_platform
+platform delta does NOT exist! Skip.
+existence: s1[%d].existence; %d
+%s: %s
+/data/fota/dump_sbl
+/data/fota/dump_kernel
/data/fota/dump_modem
FOTA : Make Block Device Nodes
-UA/(%s): mknod path=%s, dev_no=%u
Failed to open %s: %s
Open %s
lseek failed with return value: %d
read failed with return value: %d
+ fsync failed with return value: %d
+ fsync after write: %d
success!
DONE
fail!
FAIL
FOTA
-UA/ modem delta does NOT exist! Skip.
-/data/fota/backup.modem
-UA/ zImage delta does NOT exist! Skip.
+modem delta does NOT exist! Skip.
+zImage delta does NOT exist! Skip.
/dev/block/bml8
-UA/ Sbl delta does NOT exist! Skip.
-UA/ERROR(%s) get dual sbl siginfo fail!!
-/dev/block/bml5
-UA/ERROR(%s) can't find vaild Sbl partitions
-UA/ERROR(%s) SBL RAM partition alloc fail
-UA/ERROR(%s) RB_ImageUpdateMain Fail ret=(0x%d)
-/data/fota/command
-/sdcard/Android/data/temp.fota.delta/command
-UA/(%s) cache download
-/cache/recovery
-UA/(%s) create /cache/recovery directory
-/cache/recovery/command
-reboot recovery
-UA/(%s): Check Delta : path_idx(%d), part_idx(%d), file_path(%s), cnt(%d)
-SBL update fail
-UA/(%s) %s
-Kernel update fail
-Modem update fail
-Platform update fail
-Post update fail
-WARNNIG
-Delta Not Exist
-/data/fota
-/sbin/images/fota.png
-UA/(%s) test
-Update Fail!!
+Sbl delta does NOT exist! Skip.
+get dual sbl siginfo fail!!
+can't find vaild Sbl partitions
+reboot
+gv_delta_count[%d]
+dump
+restore
+compare
/data/fota/fota.status
-/data/fota/delta.Sbl
-/data/fota/delta.zImage
-/data/fota/delta.modem
-/data/fota/delta.platform
-/sdcard/Android/data/temp.fota.delta/delta.Sbl
-/sdcard/Android/data/temp.fota.delta/delta.zImage
-/sdcard/Android/data/temp.fota.delta/delta.modem
-/sdcard/Android/data/temp.fota.delta/delta.platform
RedBend Update Agent %s
commands:
img [partition name] [delta file] [device node] [temp path]
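Review bot: many of the -/+ pairs in this hunk are the same string at a different position ("reboot", "/dev/block/bml5", "/data/fota/dump_sbl", the four "/data/fota/delta.*" paths), so they say nothing about why one binary works. The strings that appear on one side only are the ones worth calling out in the post: "/data/fota/command", "/cache/recovery/command" and the "/sdcard/Android/data/temp.fota.delta/" paths exist only in not-working, while the bare "dump", "restore" and "compare" exist only in working.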
@@ -527,29 +507,7 @@
compare <dev1> <dev2>
png [png file name]
all
-unknown
-/data/fota/fota_Sbl
-/data/fota/fota_zImage
-Modem
-/data/fota/fota_modem
-/data/fota/fota_platform
-/dev/block/bml11
OFNI
-main
-update_all
-post_update
-update_platform
-update_modem
-update_zImage
-update_Sbl
-file_copy
-check_existence
-MakeBMLNodes
-UA/(%s): +
-UA/(%s): %s (%lx %x)
-UA/(%s): -
-UA/(%s): %s (%lx %lx)
-UA/(%s): memcpy(0x%x, 0x%x, 0x%x)
%07x:
%02x
%02x
@@ -568,71 +526,67 @@
dst: %s
failed to write to %s (%s)
done
-UA/(%s) src: %s
-UA/(%s) dst: %s partition size: 0x%x
-UA/(%s) part_size: 0x%x
-UA/(%s) read finished
-UA/(%s) read %d bytes
-UA/(%s) src: %s partition size: 0x%x
-UA/(%s) dst: %s
-UA/(%s) signature: 0x%x
-*WARN* %s partition is already marked as invalid!
-UA/(%s) done
page at 0x%x differ!
-UA/(%s) backup 128KB at 0x%x
-UA/(%s): ++
-UA/(%s) 0x%x
-UA/ERROR(%s) Valid partition signature is not invalid
-UA/(%s): --
+signature: 0x%x
+*WARN* %s partition is already marked as invalid!
+backup 128KB at 0x%x
+backup 128KB at 0x%x without signature
+clear mark dev : %s partition size: 0x%x
%s, invalide magic key(%x)!!
-common mark dev : %s partition size: 0x%x
dev: %s partition size: 0x%x
-signature: 0x%x
-UA/(%s) dev: %s partition size: 0x%x
-UA/ERROR(%s) Signature is not validate (%x)
-UA/(%s) SBL, SBL2 partition are diffierent size, check your bml device node name
-UA/ERROR(%s) Both partition has valid or invalid signature
-UA/(%s) Valid Partition-%s, Update Partition-%s
-restore_file
-backup_block_file
-restore_devbml
-backup_devbml
-store_dualsbl_partition
-load_partition
+%s:clear:%s partition size: 0x%x
+%s : write and clear signature done
+%s:write:%s partition size: 0x%x
+%s: Signature is not validate (%x)
+%s signature: 0x%x
+%s +
+%s: SBL, SBL2 partition are diffierent size, check your bml device node name
+Both partition has valid or invalid signature
+Valid Partition-%s, Update Partition-%s
+Siginfo error partition $s (0x%x, 0x%x)
mark_common_recovery
+clear_dualpartition_signature
+write_dualpartition_signature
find_valid_partition
check_dualpartition_validation
-ram_write_block
-ram_read_block
-nand_write_block
-nand_read_block
bmldevice_get_size
Image size is bigger than partition!
reading NAND page
BML_UNLOCK_ALL
writing NAND page
6,1,14,1
+RB_Progress
+%s: (%lu %%)
+RB_GetDelta
+%s: offset 0x%lx(%ld), size 0x%lx(%ld)
+%s: open file %s failed.
+%s: error in read size
RB_GetBlockSize
%s: returning 0x%x (%d)
+RB_ReadImage
+%s: node-%s (%lx %lx)
+RB_WriteBlock
+%s: node-%s (%lx %x)
RB_ReadBackupBlock
-UA/(%s): %s: offset 0x%lx(%ld), size 0x%lx(%ld)
-UA/ERROR(%s) open file %s failed.
-UA/ open %s file success
-UA/ERROR(%s) error in read size
+%s: offset 0x%lx(%ld), size 0x%lx(%ld)
+%s: open file %s failed.
+%s: error in read size
RB_WriteBackupBlock
-UA/(%s): offset 0x%lx(%ld), size 0x%lx(%ld)
-UA/ERROR(%s) error in write size
+%s: error in write size
+RB_ImageUpdateCommon
+uPartitionName[%s]
+%s: pCustomerPartData.updated = %d, rest = %d
RB_ImageUpdateMain
-UA/(%s): ++
-UA/(%s) uPartitionName[%s]
-UA/(%s) pCustomerPartData.updated = %d, rest = %d
-UA/(%s): -- ret=%d
-RB_UpdateImage
-UA/(%s): Delta file name-%s
+%s: backup_file is %s
+%s: size of %s(%s) is %d bytes
+RB_ImageUpdateDualPartition
+%s: backup file(%s) / Valid Partition(%s) / Update Partition(%s)
+%s : RB Image Update Fail
+%s : RB Image Update Done %s
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
-UA/(%s) return value from RB_vRM_Update: 0x%x
+return value from RB_vRM_Update: 0x%x
unicode_to_char
%s : %s
RecursiveFolderCreater
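Review bot: most changed lines in this hunk differ only by the "UA/(%s)" or "UA/ERROR(%s)" log prefix (for example "-UA/ERROR(%s) error in write size" against "+%s: error in write size"), which inflates the diff. Stripping that prefix from both inputs before diffing would leave the one-sided names visible: "clear_dualpartition_signature", "write_dualpartition_signature" and "RB_ImageUpdateDualPartition" on the working side, and "ram_write_block", "nand_write_block", "restore_devbml" and "backup_devbml" on the not-working side.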
@@ -726,8 +680,7 @@
failed chown %d
success chown %d
RB_FSUpdateMain
-UA/(%s) Partition name(%s), mount point(%s)
-UA/(%s) pCustomerPartData.updated = %ld, rest = %ld
+%s: pCustomerPartData.updated = %ld, rest = %ld
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
@@ -741,9 +694,9 @@
cable as possible.
System updated &
reboot now
-gui_progress
-UA/(%s): ++ uPercent(%d%), gv_delta_count=(%ld)
-UA/(%s): -- Print Percent(%d%)
+Update is ok.
+Update is failed.
+Restoring...
%3d %%
lcd_init
%s(%d): start!
@@ -962,12 +915,6 @@
insufficient memory
buffer error
incompatible version
-RB_Progress
-%s: (%lu %%)
-RB_GetDelta
-%s: offset 0x%lx(%ld), size 0x%lx(%ld)
-%s: open file %s failed.
-%s: error in read size
Pure virtual function called. Are you calling virtual methods from a destructor?
libc-abort
abort() called in pid %d
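Review bot: the six lines removed here ("RB_Progress" through "%s: error in read size") are added back unchanged in the @@ -568,71 +526,67 @@ hunk, so this is a relocation inside the binary, not a difference in content. Because strings prints in file order, sorting and de-duplicating both outputs before diffing would drop moves like this and keep only strings unique to one binary.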
@@ -1120,6 +1067,7 @@
/dev/log/main
/dev/log/radio
/proc/self/exe
+unknown
/dev/urandom
stack corruption detected: aborted
ANDROID_PROPERTY_WORKSPACE
Whilst we're talking about retrieving information from binaries...
Does anyone know any good disassembly tools? I managed to compile objdump for ARM (ELF) and run it on the Galaxy S secondary bootloader but it only partially works. It doesn't look like it is handling the binary layout correctly. It's unsure how much of the binary is data and how much is actual instructions so it ends up converting the whole thing to instructions (most of which are obviously bogus).
Benjamin Dobell said:
Whilst we're talking about retrieving information from binaries...
Does anyone know any good disassembly tools? I managed to compile objdump for ARM (ELF) and run it on the Galaxy S secondary bootloader but it only partially works. It doesn't look like it is handling the binary layout correctly. It's unsure how much of the binary is data and how much is actual instructions so it ends up converting the whole thing to instructions (most of which are obviously bogus).
Under Linux I use the minimalist tool named "strings". You can learn so much just by reading the extracted strings ^^.
Otherwise you have IDA Pro (Windows), which is very powerful.
Benjamin, like you I found objdump quite challenging to use... and... not that fun.
supercurio said:
Under Linux I use the minimalist tool named "strings". You can learn so much just by reading the extracted strings ^^.
Otherwise you have IDA Pro (Windows), which is very powerful.
Benjamin, like you I found objdump quite challenging to use... and... not that fun.
Unfortunately IDA Pro doesn't seem to work either. IDA Pro Free doesn't support ARM at all and I tried with IDA Pro Advanced but it seemed to have similar issues to objdump, it couldn't determine the entry point etc.
If I could just get the assembler with comments next to it that indicate which pieces of data (strings in particular) are being referenced that would make my day.
Do you think Sbl.bin is a single unique binary?
Considering everything that this Second Boot Loader is able to do, I would not be surprised if it's more complex than that.
Anyway, I can't say much more about the tools, I'm just a rookie hacker
supercurio said:
Do you think Sbl.bin is a single unique binary?
Considering everything that this Second Boot Loader is able to do, I would not be surprised if it's more complex than that.
It wouldn't be a very reliable boot loader if it depended on other binaries (other than data passed to it by the primary boot loader). However the information I'm after, the Loke protocol, is definitely in there cause I can see the handshake strings I send and receive with Heimdall.
working this into SRE RIGHT NOW!!!!
--edit
scripted, and working
release coming soon!!
designgears said:
working this into SRE RIGHT NOW!!!!
Nice
Remember to be EXTRA careful manipulating raw bml partitions. You can easily brick your phone for good writing bad data in place of first and second bootloader.
NON-RECOVERABLE
Please say that to every potential redbend_ua user.
This was the required warning, now enjoy
supercurio said:
Nice
Remember to be EXTRA careful manipulating raw bml partitions. You can easily brick your phone for good writing bad data in place of first and second bootloader.
NON-RECOVERABLE
Please say that to every potential redbend_ua user.
This was the required warning, now enjoy
I have borked bml17 before.. was able to go into download and restore stock.
I'm the creator of Heimdall, the cross-platform Galaxy S flashing tool. I was wondering if anyone has attempted to flash a Galaxy Tab using my tool?
I suspect that the protocol for flashing the Galaxy Tab is identical. However, I don't have access to a Galaxy Tab so I'm unable to test myself. I would love to add the Galaxy Tab to the list of officially supported devices if someone can confirm it works.
EDIT: Just realised I never updated this post. Heimdall has officially supported the Galaxy Tab for a while now.
I might be able to do it if I find some better firmware to flash. Not sure yet.
I'll give it a try later today. I'm a Linux zealot.
Install notes for Linux + a question
sorry -- wrong thread. No clue how to delete, but I don't want to cross-post so just ignore this.
I compiled and tried using it to flash a modem.bin, but got an error. Here's the console output:
Code:
$ heimdall flash --pit P1_20100909.pit --modem modem.bin
Heimdall, Copyright (c) 2010, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au
This software is provided free of charge. Copying and redistribution is
encouraged.
If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/
Claiming interface... Failed. Attempting to detach driver...
Claiming interface again... Success
Setting up interface... Success
Beginning session...
Handshaking with Loke... Success
Unexpected device info response!
Expected: 180 or 0
Received:3
Ending session...
Rebooting device...
Re-attaching kernel driver...
rotohammer, thanks for that. It seems as if the initialisation process might be slightly different for the Galaxy Tab. Unfortunately the spot where it failed is the exact spot in the protocol that I have basically no clue about. The Galaxy S sends either 180 or 0, which is perhaps some sort of flags indicating the state of the device. Technically the flash could continue past there regardless of the value received but it's a bit of a safety net feature to stop right away.
I'll see if I can get my hands on a Galaxy Tab so I can get Heimdall working for Galaxy Tab users as well.
Works great
For those of you interested, I've modified the Heimdall source on Linux to accept the device info value of 3 and I have successfully flashed 2 different full firmwares on my T-Mobile Tab, as well as many individual files. It works much faster than Odin, and a lot less flaky. I let Benjamin know so he can include support in an upcoming release.
Thanks for the good work, Ben and Roto
Can Heimdall dump partitions from flash for backup?
Technomancer said:
Can Heimdall dump partitions from flash for backup?
It can dump, but the dumps, just like those from Odin, aren't very useful. It's a limitation on the exporting function of the phone software.
rotohammer said:
It can dump, but the dumps, just like those from Odin, aren't very useful. It's a limitation on the exporting function of the phone software.
I suppose the partitions are not mounted in the "downloading" mode, so any dumps from Heimdall should be better than dumps made using dd from the shell?
rotohammer said:
It can dump, but the dumps, just like those from Odin, aren't very useful. It's a limitation on the exporting function of the phone software.
Hi Rotohammer!
Great work again
What did you use as chip-type and chip-id for dumping? I.e.
Code:
heimdall dump --chip-type ??? --chip-id ??? --output <filename>
Volker1 said:
What did you use as chip-type and chip-id for dumping?
Code:
heimdall dump --chip-type NAND --chip-id 0 --output hdump.img
I wrote a simple tool to display information about PIT files (attached). The factory-installed PIT (/dev/block/bml2) on my T-Mobile US tab is identical to the one known as P1_20100909.pit and reads:
Code:
$ ./PITinfo bml2.dump
Contents of PIT file:bml2.dump
---------------------------------------------------------------------------
file magic = 0x12349876 (expected value)
Unknown data: 0x135d800 0x1 0 0x1331e17 0x2cf560
Number of partitions = 14 (not the usual value)
Partition #1
Usual content: boot.bin, the primary boot loader (low-level hardware initialization)
partition entry type: 0 0 (normal partition)
ID = 0; flags = 0; unknown: 0
size = 1 blocks of 256 * 512 bytes = 131072 B = 128 kB = 0 MB
unknown string: [........]
partition name = [IBL+PBL.........................]
file name = [boot.bin........................................................]
Partition #2
Usual content: partition information table (PIT)
partition entry type: 0 0 (normal partition)
ID = 0x1; flags = 0; unknown: 0
size = 1 blocks of 256 * 512 bytes = 131072 B = 128 kB = 0 MB
unknown string: [........]
partition name = [PIT.............................]
file name = [................................................................]
Partition #3
Usual content: efs.rfs
partition entry type: 0 0 (normal partition)
ID = 0x14; flags = 0x2 (rfs file system); unknown: 0
size = 40 blocks of 256 * 512 bytes = 5242880 B = 5120 kB = 5 MB
unknown string: [........]
partition name = [EFS.............................]
file name = [efs.rfs.........................................................]
Partition #4
Usual content: Sbl.bin, the secondary boot loader (loads linux kernel)
partition entry type: 0 0 (normal partition)
ID = 0x3; flags = 0; unknown: 0
size = 5 blocks of 256 * 512 bytes = 655360 B = 640 kB = 0 MB
unknown string: [........]
partition name = [SBL.............................]
file name = [sbl.bin.........................................................]
Partition #5
Usual content: backup of secondary boot loader
partition entry type: 0 0 (normal partition)
ID = 0x4; flags = 0; unknown: 0
size = 5 blocks of 256 * 512 bytes = 655360 B = 640 kB = 0 MB
unknown string: [........]
partition name = [SBL2............................]
file name = [sbl.bin.........................................................]
Partition #6
Usual content: param.lfs /mnt/.lfs j4fs
partition entry type: 0 0 (normal partition)
ID = 0x15; flags = 0x2 (rfs file system); unknown: 0
size = 20 blocks of 256 * 512 bytes = 2621440 B = 2560 kB = 2 MB
unknown string: [........]
partition name = [PARAM...........................]
file name = [param.lfs.......................................................]
Partition #7
Usual content: zImage, the linux kernel
partition entry type: 0 0 (normal partition)
ID = 0x6; flags = 0; unknown: 0
size = 30 blocks of 256 * 512 bytes = 3932160 B = 3840 kB = 3 MB
unknown string: [........]
partition name = [KERNEL..........................]
file name = [zImage..........................................................]
Partition #8
Usual content: recovery.bin, the backup copy of zImage/initramfs
partition entry type: 0 0 (normal partition)
ID = 0x7; flags = 0; unknown: 0
size = 30 blocks of 256 * 512 bytes = 3932160 B = 3840 kB = 3 MB
unknown string: [........]
partition name = [RECOVERY........................]
file name = [zImage..........................................................]
Partition #9
Usual content: factoryfs.rfs
partition entry type: 0 0 (normal partition)
ID = 0x16; flags = 0x2 (rfs file system); unknown: 0
size = 1320 blocks of 256 * 512 bytes = 173015040 B = 168960 kB = 165 MB
unknown string: [........]
partition name = [FACTORYFS.......................]
file name = [factoryfs.rfs...................................................]
Partition #10
Usual content: dbdata.rfs
partition entry type: 0 0 (normal partition)
ID = 0x17; flags = 0x2 (rfs file system); unknown: 0
size = 348 blocks of 256 * 512 bytes = 45613056 B = 44544 kB = 43 MB
unknown string: [........]
partition name = [DBDATAFS........................]
file name = [dbdata.rfs......................................................]
Partition #11
Usual content: cache.rfs
partition entry type: 0 0 (normal partition)
ID = 0x18; flags = 0x2 (rfs file system); unknown: 0
size = 140 blocks of 256 * 512 bytes = 18350080 B = 17920 kB = 17 MB
unknown string: [........]
partition name = [CACHE...........................]
file name = [cache.rfs.......................................................]
Partition #12
Usual content: modem.bin
partition entry type: 0 0 (normal partition)
ID = 0x8; flags = 0; unknown: 0
size = 64 blocks of 256 * 512 bytes = 8388608 B = 8192 kB = 8 MB
unknown string: [........]
partition name = [MODEM...........................]
file name = [modem.bin.......................................................]
Partition #13
Usual content: Unknown
partition entry type: 0 2 (unknown value)
ID = 0; flags = 0x1; unknown: 0
size = 0 blocks of 0 * 512 bytes = 0 B = 0 kB = 0 MB
unknown string: [l.e. .(.]
partition name = [MOVINAND..)...*...p.i.t.........]
file name = [movinand.mst........D.:.\.2.4.....P.1.\.4... .S.M.D. .i.m.a.g.e.]
Partition #14
Usual content: Unknown
partition entry type: 1 1 (past-the-end marker)
ID = 0x8; flags = 0; unknown: 0
size = 0 blocks of 0 * 512 bytes = 0 B = 0 kB = 0 MB
unknown string: [........]
partition name = [................................]
file name = [................................................................]
I want to flash the Euro firmware (I'm back in Europe right now) by flashing P1000XWJJ4 (and then flash P1000XXJK5 on top). The P1_add_hidden.pit reads:
Code:
$ ./PITinfo P1_add_hidden.pit
Contents of PIT file:P1_add_hidden.pit
---------------------------------------------------------------------------
file magic = 0x12349876 (expected value)
Unknown data: 0x1 0 0x411e17 0x12fae0 0x43d800
Number of partitions = 15 (not the usual value)
Partition #1
Usual content: boot.bin, the primary boot loader (low-level hardware initialization)
partition entry type: 0 0 (normal partition)
ID = 0; flags = 0; unknown: 0
size = 1 blocks of 256 * 512 bytes = 131072 B = 128 kB = 0 MB
unknown string: [........]
partition name = [IBL+PBL.........................]
file name = [boot.bin........................................................]
Partition #2
Usual content: partition information table (PIT)
partition entry type: 0 0 (normal partition)
ID = 0x1; flags = 0; unknown: 0
size = 1 blocks of 256 * 512 bytes = 131072 B = 128 kB = 0 MB
unknown string: [........]
partition name = [PIT.............................]
file name = [................................................................]
Partition #3
Usual content: efs.rfs
partition entry type: 0 0 (normal partition)
ID = 0x14; flags = 0x2 (rfs file system); unknown: 0
size = 40 blocks of 256 * 512 bytes = 5242880 B = 5120 kB = 5 MB
unknown string: [........]
partition name = [EFS.............................]
file name = [efs.rfs.........................................................]
Partition #4
Usual content: Sbl.bin, the secondary boot loader (loads linux kernel)
partition entry type: 0 0 (normal partition)
ID = 0x3; flags = 0; unknown: 0
size = 5 blocks of 256 * 512 bytes = 655360 B = 640 kB = 0 MB
unknown string: [........]
partition name = [SBL.............................]
file name = [sbl.bin.........................................................]
Partition #5
Usual content: backup of secondary boot loader
partition entry type: 0 0 (normal partition)
ID = 0x4; flags = 0; unknown: 0
size = 5 blocks of 256 * 512 bytes = 655360 B = 640 kB = 0 MB
unknown string: [........]
partition name = [SBL2............................]
file name = [sbl.bin.........................................................]
Partition #6
Usual content: param.lfs /mnt/.lfs j4fs
partition entry type: 0 0 (normal partition)
ID = 0x15; flags = 0x2 (rfs file system); unknown: 0
size = 20 blocks of 256 * 512 bytes = 2621440 B = 2560 kB = 2 MB
unknown string: [........]
partition name = [PARAM...........................]
file name = [param.lfs.......................................................]
Partition #7
Usual content: zImage, the linux kernel
partition entry type: 0 0 (normal partition)
ID = 0x6; flags = 0; unknown: 0
size = 30 blocks of 256 * 512 bytes = 3932160 B = 3840 kB = 3 MB
unknown string: [........]
partition name = [KERNEL..........................]
file name = [zImage..........................................................]
Partition #8
Usual content: recovery.bin, the backup copy of zImage/initramfs
partition entry type: 0 0 (normal partition)
ID = 0x7; flags = 0; unknown: 0
size = 30 blocks of 256 * 512 bytes = 3932160 B = 3840 kB = 3 MB
unknown string: [........]
partition name = [RECOVERY........................]
file name = [zImage..........................................................]
Partition #9
Usual content: factoryfs.rfs
partition entry type: 0 0 (normal partition)
ID = 0x16; flags = 0x2 (rfs file system); unknown: 0
size = 1320 blocks of 256 * 512 bytes = 173015040 B = 168960 kB = 165 MB
unknown string: [........]
partition name = [FACTORYFS.......................]
file name = [factoryfs.rfs...................................................]
Partition #10
Usual content: dbdata.rfs
partition entry type: 0 0 (normal partition)
ID = 0x17; flags = 0x2 (rfs file system); unknown: 0
size = 348 blocks of 256 * 512 bytes = 45613056 B = 44544 kB = 43 MB
unknown string: [........]
partition name = [DBDATAFS........................]
file name = [dbdata.rfs......................................................]
Partition #11
Usual content: cache.rfs
partition entry type: 0 0 (normal partition)
ID = 0x18; flags = 0x2 (rfs file system); unknown: 0
size = 140 blocks of 256 * 512 bytes = 18350080 B = 17920 kB = 17 MB
unknown string: [........]
partition name = [CACHE...........................]
file name = [cache.rfs.......................................................]
Partition #12
Usual content: modem.bin
partition entry type: 0 0 (normal partition)
ID = 0x8; flags = 0; unknown: 0
size = 64 blocks of 256 * 512 bytes = 8388608 B = 8192 kB = 8 MB
unknown string: [........]
partition name = [MODEM...........................]
file name = [modem.bin.......................................................]
Partition #13
Usual content: Unknown
partition entry type: 0 2 (unknown value)
ID = 0x3; flags = 0x1; unknown: 0
size = 0 blocks of 0 * 512 bytes = 0 B = 0 kB = 0 MB
unknown string: [l.e. .(.]
partition name = [HIDDEN.D..)...*...p.i.t.........]
file name = [hidden.rfs.t........D.:.\.2.4.....P.1.\.4... .S.M.D. .i.m.a.g.e.]
Partition #14
Usual content: Unknown
partition entry type: 1 1 (past-the-end marker)
ID = 0x8; flags = 0; unknown: 0
size = 0 blocks of 0 * 512 bytes = 0 B = 0 kB = 0 MB
unknown string: [........]
partition name = [................................]
file name = [................................................................]
Partition #15
Usual content: Unknown
partition entry type: 0 2 (unknown value)
ID = 0; flags = 0x1; unknown: 0
size = 0 blocks of 0 * 512 bytes = 0 B = 0 kB = 0 MB
unknown string: [........]
partition name = [MOVINAND........................]
file name = [movinand.mst....................................................]
But it seems like I can't flash movinand.mst with heimdall. Note that it is present in the P1000XWJJ4 firmware file. So I guess I'm better off going the VirtualBox->Win32->Odin route?
Compile on Mac OS X
I've just successfully compiled libusb and Heimdall on Mac OS X.
I needed to set an environment variable by hand so that the "configure" of Heimdall detected libusb:
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
Oh, and of course this source code modification is necessary for the Galaxy Tab to be supported:
main.cpp line 252:
if (unknown != 180 && unknown != 0 && unknown != 3)
Disclaimer: I haven't had time to try flashing anything yet.
I finally found the courage to flash my T-Mo US tab to Euro version. I made my own Franken-rom by combining P1000XWJJ4 with P1000XXJK5. Specifically, I
1. decompressed P1000XWJJ4.rar
2. took boot.bin, Sbl.bin, and dbdata.rfs from P1000XWJJ4/P1000XWJJ4_SERJJ2_XXJID/P1000XWJJ4-REV03-ALL-CL639474.tar.md5 (a tar archive despite the wrong ending)
3. decompressed P1000XXJK5.rar
4. took zImage, cache.rfs, factoryfs.rfs, modem.bin, and param.lfs from P1000XXJK5/P1000OXAJK5.tar
5. P1_20100909.pit
Then I rebooted my tab in download mode, plugged it into my PC's USB, and then flashed
Code:
$ ./heimdall flash --pit P1_20100909.pit --factoryfs factoryfs.rfs --cache cache.rfs --dbdata dbdata.rfs --boot boot.bin --secondary Sbl.bin --param param.lfs --kernel zImage --modem modem.bin
Heimdall, Copyright (c) 2010, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au
This software is provided free of charge. Copying and redistribution is
encouraged.
If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/
Claiming interface... Failed. Attempting to detach driver...
Claiming interface again... Success
Setting up interface... Success
Beginning session...
Handshaking with Loke... Success
Downloading device's PIT file...
PIT file download sucessful
Uploading factory filesytem
Factory filesytem upload successful
Uploading cache
Cache upload successful
Uploading data database
Data database upload successful
Uploading primary bootloader
Primary bootloader upload successful
Uploading secondary bootloader
Secondary bootloader upload successful
Uploading param.lfs
param.lfs upload successful
Uploading kernel
Kernel upload successful
Uploading modem
Modem upload successful
Ending session...
Rebooting device...
Re-attaching kernel driver...
I had my German SIM card in and after some booting I ended up with a perfectly working German-localized Euro tab. Switching the language back to US English works fine, too.
Volker1 said:
But it seems like I can't flash movinand.mst with heimdall. Note that it is present in the P1000XWJJ4 firmware file.
It is also present in JK2. So I guess in the end you decided not to flash movinand.mst, right ? Unless you used Odin and Heimdall ?
daniel.weck said:
It is also present in JK2. So I guess in the end you decided not to flash movinand.mst, right ? Unless you used Odin and Heimdall ?
Alright it looks like you guys have found one more file that Heimdall is technically capable of flashing but doesn't implement. I presume I'm missing quite a few files that the protocol supports, at least that's what the following list of utilised file identifiers would seem to indicate:
Code:
enum
{
kFilePrimaryBootloader = 0x00,
kFileSecondaryBootloader = 0x03,
kFileKernel = 0x06,
kFileParamLfs = 0x15,
kFileFactoryFilesystem = 0x16,
kFileDatabaseData = 0x17,
kFileCache = 0x18
};
I can easily add support for movinand.mst if I can find out what file identifier it uses. Unfortunately I don't have a Galaxy Tab and I need access to one in order to find out.
It's zero, if we trust the output of the PIT reader utility:
http://forum.xda-developers.com/showpost.php?p=9471190&postcount=14
Benjamin Dobell said:
Alright it looks like you guys have found one more file that Heimdall is technically capable of flashing but doesn't implement. I presume I'm missing quite a few files that the protocol supports, at least that's what the following list of utilised file identifiers would seem to indicate:
Code:
enum
{
kFilePrimaryBootloader = 0x00,
kFileSecondaryBootloader = 0x03,
kFileKernel = 0x06,
kFileParamLfs = 0x15,
kFileFactoryFilesystem = 0x16,
kFileDatabaseData = 0x17,
kFileCache = 0x18
};
I can easily add support for movinand.mst if I can find out what file identifier it uses. Unfortunately I don't have a Galaxy Tab and I need access to one in order to find out.
Well 0 is the primary bootloader, so right now I'm not trusting it.
Does anyone have any idea what the contents of movinand.mst is? Because I just figured out how to flash the recovery partition directly.
EDIT: And the EFS.
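The question argued above (is movinand.mst's identifier really 0?) can be checked mechanically by comparing the PIT-info dump with the identifier enum posted in this thread. This is an added example, not Heimdall's or the PIT-info utility's code; the function names and verdict labels are this example's own, and treating an entry whose type is not "0 0" as untrustworthy is an assumption.

```python
import re

# Identifier enum exactly as posted in the thread.
HEIMDALL_IDS = {
    0x00: "kFilePrimaryBootloader",
    0x03: "kFileSecondaryBootloader",
    0x06: "kFileKernel",
    0x15: "kFileParamLfs",
    0x16: "kFileFactoryFilesystem",
    0x17: "kFileDatabaseData",
    0x18: "kFileCache",
}

# Entries #10-#15 of the P1000 PIT-info dump posted above, abridged to the
# lines the parser reads (size / "unknown string" / "Usual content" dropped).
SAMPLE_DUMP = r"""Partition #10
partition entry type: 0 0 (normal partition)
ID = 0x17; flags = 0x2 (rfs file system); unknown: 0
partition name = [DBDATAFS........................]
file name = [dbdata.rfs......................................................]
Partition #11
partition entry type: 0 0 (normal partition)
ID = 0x18; flags = 0x2 (rfs file system); unknown: 0
partition name = [CACHE...........................]
file name = [cache.rfs.......................................................]
Partition #12
partition entry type: 0 0 (normal partition)
ID = 0x8; flags = 0; unknown: 0
partition name = [MODEM...........................]
file name = [modem.bin.......................................................]
Partition #13
partition entry type: 0 2 (unknown value)
ID = 0x3; flags = 0x1; unknown: 0
partition name = [HIDDEN.D..)...*...p.i.t.........]
file name = [hidden.rfs.t........D.:.\.2.4.....P.1.\.4... .S.M.D. .i.m.a.g.e.]
Partition #14
partition entry type: 1 1 (past-the-end marker)
ID = 0x8; flags = 0; unknown: 0
partition name = [................................]
file name = [................................................................]
Partition #15
partition entry type: 0 2 (unknown value)
ID = 0; flags = 0x1; unknown: 0
partition name = [MOVINAND........................]
file name = [movinand.mst....................................................]
"""

HEADER_RE = re.compile(r"^Partition #(\d+)$")
TYPE_RE = re.compile(r"^partition entry type: (\d+) (\d+)")
ID_RE = re.compile(r"^ID = (0x[0-9a-fA-F]+|\d+); flags = (0x[0-9a-fA-F]+|\d+)")
FIELD_RE = re.compile(r"^(partition name|file name) = \[(.*)\]$")


def unpad(raw):
    """Keep the text before the first run of padding dots (unused bytes)."""
    return raw.split("..", 1)[0].rstrip(".")


def parse_pit_dump(text):
    """Turn the utility's text output into a list of entry dicts."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            cur = {"index": int(m.group(1)), "type": None, "id": None,
                   "flags": None, "name": "", "file": ""}
            entries.append(cur)
            continue
        if cur is None:
            continue  # preamble before the first entry
        if (m := TYPE_RE.match(line)):
            cur["type"] = (int(m.group(1)), int(m.group(2)))
        elif (m := ID_RE.match(line)):
            cur["id"] = int(m.group(1), 0)
            cur["flags"] = int(m.group(2), 0)
        elif (m := FIELD_RE.match(line)):
            key = "name" if m.group(1) == "partition name" else "file"
            cur[key] = unpad(m.group(2))
    return entries


def classify(entries):
    """Map file name -> (verdict, enum name) by comparing dump IDs with the enum."""
    verdicts = {}
    for e in entries:
        if not e["file"] or e["type"] == (1, 1):
            continue  # past-the-end marker or unnamed slot
        known = HEIMDALL_IDS.get(e["id"])
        if known is None:
            verdicts[e["file"]] = ("unlisted", None)    # ID absent from the enum
        elif e["type"] == (0, 0):
            verdicts[e["file"]] = ("known", known)      # normal entry, ID in enum
        else:
            verdicts[e["file"]] = ("collision", known)  # odd entry reusing an ID
    return verdicts


if __name__ == "__main__":
    for name, (verdict, enum_name) in classify(parse_pit_dump(SAMPLE_DUMP)).items():
        print(f"{name:14} {verdict:10} {enum_name or '-'}")
```

The two entries with type "0 2" reuse the bootloader identifiers, which is why sending movinand.mst with the ID printed in the dump would address the primary bootloader rather than a separate partition.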
NOTE: the log below pertains to KB5...I haven't had time yet to look into KB6.
http://www.samfirmware.com/WEBPROTECT-p1010.htm
ro.build.display.id=FROYO.XWKB5
ro.build.version.sdk=8
ro.build.version.release=2.2.1
ro.build.date=Thu Feb 17 19:34:43 KST 2011
I'm going to unpack the various RFS archives, to see what's new. I've got a GT-P1000 Galaxy Tab (wifi+3G), so I'm not going to flash with Heimdall (let alone Odin).
I made backups for factoryfs.rfs / dbdata.rfs etc. using the usual bit-by-bit "dd"-based method, and I've got a trusty TitaniumBackup archive ready, just in case.
I notice that TV-out seems to be gone, and FM radio appears to be available. Hardware DSP support seems more present too. (read content logs below for more information)
TAR contents:
Code:
p1wifi_20110128_r10_00.pit (4 KB) (see PIT-info dumped below)
GT-P1010-CSC-SERKB3/
cache.rfs (10.9 MB) (see content listing below)
movinand.mst (51MB) (can be extracted with MoviTool, http://movitool.ntd.homelinux.org/trac/movitool/, based on Volker1's method, http://forum.xda-developers.com/showpost.php?p=9481702&postcount=30)
P1010XWKB5-REV03-ALL-low-CL913814/
boot.bin (256 KB)
cache.rfs (672 KB)
normalboot.img (4.3 MB)
param.lfs (612 KB)
recovery.img (4.3 MB)
Sbl.bin (1.2 MB)
system.rfs (331 MB)
userdata.rfs (1.2 MB)
Output from Volker1's PIT-info utility:
Code:
Contents of PIT file: p1wifi_20110128_r10_00.pit
---------------------------------------------------------------------------
file magic = 0x12349876 (expected value)
Unknown data: 0 0 0 0 0
Number of partitions = 13 (usual value)
Partition #1
Usual content: boot.bin, the primary boot loader (low-level hardware initialization)
partition entry type: 0 0 (normal partition)
ID = 0; flags = 0; unknown: 0
size = 1 blocks of 256 * 512 bytes = 131072 B = 128 kB = 0 MB
unknown string: [........]
partition name = [IBL+PBL.........................]
file name = [boot.bin........................................................]
Partition #2
Usual content: partition information table (PIT)
partition entry type: 0 0 (normal partition)
ID = 0x1; flags = 0; unknown: 0
size = 1 blocks of 256 * 512 bytes = 131072 B = 128 kB = 0 MB
unknown string: [........]
partition name = [PIT.............................]
file name = [p1wifi.pit......................................................]
Partition #3
Usual content: efs.rfs
partition entry type: 0 0 (normal partition)
ID = 0x14; flags = 0x2 (rfs file system); unknown: 0
size = 40 blocks of 256 * 512 bytes = 5242880 B = 5120 kB = 5 MB
unknown string: [........]
partition name = [EFS.............................]
file name = [efs.rfs.........................................................]
Partition #4
Usual content: Sbl.bin, the secondary boot loader (loads linux kernel)
partition entry type: 0 0 (normal partition)
ID = 0x3; flags = 0; unknown: 0
size = 5 blocks of 256 * 512 bytes = 655360 B = 640 kB = 0 MB
unknown string: [........]
partition name = [SBL.............................]
file name = [sbl.bin.........................................................]
Partition #5
Usual content: backup of secondary boot loader
partition entry type: 0 0 (normal partition)
ID = 0x4; flags = 0; unknown: 0
size = 5 blocks of 256 * 512 bytes = 655360 B = 640 kB = 0 MB
unknown string: [........]
partition name = [SBL2............................]
file name = [sbl.bin.........................................................]
Partition #6
Usual content: param.lfs /mnt/.lfs j4fs
partition entry type: 0 0 (normal partition)
ID = 0x15; flags = 0x2 (rfs file system); unknown: 0
size = 20 blocks of 256 * 512 bytes = 2621440 B = 2560 kB = 2 MB
unknown string: [........]
partition name = [PARAM...........................]
file name = [param.lfs.......................................................]
Partition #7
Usual content: zImage, the linux kernel
partition entry type: 0 0 (normal partition)
ID = 0x5; flags = 0; unknown: 0
size = 30 blocks of 256 * 512 bytes = 3932160 B = 3840 kB = 3 MB
unknown string: [........]
partition name = [NORMALBOOT......................]
file name = [normalboot.img..................................................]
Partition #8
Usual content: recovery.bin, the backup copy of zImage/initramfs
partition entry type: 0 0 (normal partition)
ID = 0x8; flags = 0; unknown: 0
size = 30 blocks of 256 * 512 bytes = 3932160 B = 3840 kB = 3 MB
unknown string: [........]
partition name = [RECOVERY........................]
file name = [recovery.img....................................................]
Partition #9
Usual content: factoryfs.rfs
partition entry type: 0 0 (normal partition)
ID = 0x16; flags = 0x2 (rfs file system); unknown: 0
size = 1430 blocks of 256 * 512 bytes = 187432960 B = 183040 kB = 178 MB
unknown string: [........]
partition name = [SYSTEM..........................]
file name = [system.rfs......................................................]
Partition #10
Usual content: dbdata.rfs
partition entry type: 0 0 (normal partition)
ID = 0x17; flags = 0x2 (rfs file system); unknown: 0
size = 302 blocks of 256 * 512 bytes = 39583744 B = 38656 kB = 37 MB
unknown string: [........]
partition name = [USERDATA........................]
file name = [userdata.rfs....................................................]
Partition #11
Usual content: cache.rfs
partition entry type: 0 0 (normal partition)
ID = 0x18; flags = 0x2 (rfs file system); unknown: 0
size = 140 blocks of 256 * 512 bytes = 18350080 B = 17920 kB = 17 MB
unknown string: [........]
partition name = [CACHE...........................]
file name = [cache.rfs.......................................................]
Partition #12
Usual content: modem.bin
partition entry type: 0 2 (unknown value)
ID = 0x3; flags = 0x1; unknown: 0
size = 0 blocks of 0 * 512 bytes = 0 B = 0 kB = 0 MB
unknown string: [........]
partition name = [HIDDEN.D........................]
file name = [hidden.rfs.t....................................................]
Partition #13
Usual content: Unknown
partition entry type: 0 2 (unknown value)
ID = 0; flags = 0x1; unknown: 0
size = 0 blocks of 0 * 512 bytes = 0 B = 0 kB = 0 MB
unknown string: [........]
partition name = [MOVINAND........................]
file name = [movinand.mst....................................................]
The usual CSC cache.rfs content:
Code:
/dbdata/svox/de-DE_gl0_sg.bin
/dbdata/svox/de-DE_ta.bin
/dbdata/svox/en-GB_kh0_sg.bin
/dbdata/svox/en-GB_ta.bin
/dbdata/svox/en-US_lh0_sg.bin
/dbdata/svox/en-US_ta.bin
/dbdata/svox/es-ES_ta.bin
/dbdata/svox/es-ES_zl0_sg.bin
/dbdata/svox/fr-FR_nk0_sg.bin
/dbdata/svox/fr-FR_ta.bin
/dbdata/svox/it-IT_cm0_sg.bin
/dbdata/svox/it-IT_ta.bin
/system/csc/feature.xml
/system/csc/contents.db
/system/csc/others.xml
/system/csc/sales_code.dat
/system/csc/customer.xml
/system/app/MusicODC.apk
/system/T9DB/qwerty_fi.kdb
/system/T9DB/phonepad_cs.kdb
/system/T9DB/qwerty_da.kdb
/system/T9DB/Samsung_400_PLlsUN_xt9.ldb
/system/T9DB/phonepad_lt.kdb
/system/T9DB/Samsung_400_TRlsUN_xt9.ldb
/system/T9DB/Samsung_400_DEusUN_xt9.ldb
/system/T9DB/Samsung_400_ETlsUN_xt9.ldb
/system/T9DB/Samsung_400_ENubUN_xt9.ldb
/system/T9DB/Samsung_400_SVusUN_xt9.ldb
/system/T9DB/qwerty_sv.kdb
/system/T9DB/Samsung_400_DAlsUN.ldb
/system/T9DB/phonepad_uk.kdb
/system/T9DB/phonepad_it.kdb
/system/T9DB/phonepad_el.kdb
/system/T9DB/qwerty_hu.kdb
/system/T9DB/qwerty_es.kdb
/system/T9DB/Samsung_400_UKlsUN_xt9.ldb
/system/T9DB/qwerty_fr.kdb
/system/T9DB/qwerty_et.kdb
/system/T9DB/Samsung_400_SKlsUN_xt9.ldb
/system/T9DB/phonepad_no.kdb
/system/T9DB/qwerty_nl.kdb
/system/T9DB/qwerty_lt.kdb
/system/T9DB/Samsung_400_LVlsUN_xt9.ldb
/system/T9DB/Samsung_400_ITlsUN_xt9.ldb
/system/T9DB/Samsung_400_PTlsUN_xt9.ldb
/system/T9DB/phonepad_da.kdb
/system/T9DB/Samsung_400_HUlsUN_xt9.ldb
/system/T9DB/Samsung_400_ELlsUN_xt9.ldb
/system/T9DB/phonepad_et.kdb
/system/T9DB/Samsung_400_KKlsUN_xt9.ldb
/system/T9DB/phonepad_es.kdb
/system/T9DB/qwerty_sk.kdb
/system/T9DB/phonepad_nl.kdb
/system/T9DB/qwerty_pt.kdb
/system/T9DB/Samsung_400_ESlsUN_xt9.ldb
/system/T9DB/Samsung_400_CSlsUN_xt9.ldb
/system/T9DB/phonepad_ru.kdb
/system/T9DB/phonepad_tr.kdb
/system/T9DB/qwerty_tr.kdb
/system/T9DB/phonepad_de.kdb
/system/T9DB/Samsung_400_FIlsUN_xt9.ldb
/system/T9DB/phonepad_ko.kdb
/system/T9DB/phonepad_fr.kdb
/system/T9DB/phonepad_fi.kdb
/system/T9DB/qwerty_ru.kdb
/system/T9DB/phonepad_en.kdb
/system/T9DB/qwerty_en.kdb
/system/T9DB/qwerty_cs.kdb
/system/T9DB/qwerty_el.kdb
/system/T9DB/Samsung_400_NOlsUN.ldb
/system/T9DB/Samsung_400_RUlsUN_xt9.ldb
/system/T9DB/qwerty_kk.kdb
/system/T9DB/qwerty_no.kdb
/system/T9DB/qwerty_uk.kdb
/system/T9DB/phonepad_lv.kdb
/system/T9DB/phonepad_pl.kdb
/system/T9DB/Samsung_400_NLlsUN_xt9.ldb
/system/T9DB/phonepad_sv.kdb
/system/T9DB/phonepad_sk.kdb
/system/T9DB/Samsung_400_LTlsUN_xt9.ldb
/system/T9DB/qwerty_pl.kdb
/system/T9DB/qwerty_de.kdb
/system/T9DB/Samsung_400_FRlsUN_xt9s.ldb
/system/T9DB/qwerty_ko.kdb
/system/T9DB/qwerty_lv.kdb
/system/T9DB/phonepad_pt.kdb
/system/T9DB/qwerty_it.kdb
/system/T9DB/phonepad_hu.kdb
/system/CSCFiles.txt
/system/SW_Configuration.xml
Changes in /system/app/ :
Removed DailyBriefing, Ebook, Mms, MobileTrackerEngineTwo, MobileTrackerUI, OtaProvisioningService, SamsungWidget_WeatherClock, SoundRecorder, signin, syncmldm, wipereceiver, wssomacp
Added PhoneCrashNotifier, PopupuiReceiverf, qik, qikhelp, skype
Changes in /system/bin/ :
Too many to list, but here are some notable ones:
Removed BCM4329B1_002.002.023.0534.0590.hcd (the driver for the multi-function Broadcom BCM-4329 chipset, also removed in /etc/wifi/ etc.), akmd2 (the multi-sensor driver, now split into several sub-daemons: geomagnetic, gyroscope, temperature, light, orientation, pressure, proximity, etc.)
Notable changes in /system/etc/ :
Added audio/codec/FMRadioEar.ini, audio/codec/FMRadioSpk.ini, and FM-radio stuff in /etc/firmware/ and /lib/libfmradio_jni.so (the Texas Instruments BRF6350 chip supports FM radio...but I don't think that /system/app/ contains an FM tuner application).
Notable addition: /lib/dsp/ + /lib/libOMX*.so + /lib/libVendor_ti_OMX*.so + lib/libaomx_*.so (Texas Instruments OMX/DSP, hardware encoding/decoding of 720p AMR, WB-AMR, AAC, h264, WMA, WMV, MP3, MPEG4, Flac, AC3, S263, etc.)
Code:
720p_h264vdec_sn.dll64P
720p_mp4vdec_sn.dll64P
720p_mp4venc_sn.dll64P
baseimage.dof
baseimage.map
chromasuppress.l64p
conversions.dll64P
dctn_dyn.dll64P
ddspbase_tiomap3430.dof64P
dfgm.dll64P
dynbase_tiomap3430.dof64P
eenf_ti.l64P
h264vdec_sn.dll64P
h264venc_sn.dll64P
ipp_sn.dll64P
jpegdec_sn.dll64P
jpegenc_sn.dll64P
m4venc_sn.dll64P
monitor_tiomap3430.dof64P
mp3dec_sn.dll64P
mp4v720parcdec_sn.dll64P
mp4varcdec_sn.dll64P
mp4vdec_sn.dll64P
mpeg4aacdec_sn.dll64P
mpeg4aacenc_sn.dll64P
mpeg4aridec_sn.dll64P
nbamrdec_sn.dll64P
nbamrenc_sn.dll64P
postprocessor_dualout.dll64P
qosdyn_3430.dll64P
ringio.dll64P
star.l64P
usn.dll64P
vpp_sn.dll64P
wbamrdec_sn.dll64P
wbamrenc_sn.dll64P
wmadec_sn.dll64P
wmv9dec_sn.dll64P
yuvconvert.l64p
Wifi access point doesn't seem very well protected (/etc/wifi/softap/hostapd.conf):
SSID = AndroidAP (not broadcast)
IP = 192.168.43.1
PASS = "password" (WPA)
By the way, the Wifi interface is different than on the fully-featured Tab: tiwlan0 (the access point is tiap0)
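The soft-AP settings reported above (default SSID, hidden, WPA, passphrase "password") are the kind of thing a firmware review can flag automatically. This is an added example, not part of the original post or of the firmware: the key/value lines of the sample are constructed from the post's summary (the post does not quote the file), `wpa=1` is an assumption for "WPA", and the finding labels and length threshold are this example's own.

```python
import secrets

# Constructed sample reproducing the post's summary of
# /etc/wifi/softap/hostapd.conf; the exact lines are an assumption.
REPORTED_CONF = """\
# soft AP shipped in the ROM (constructed)
interface=tiap0
ssid=AndroidAP
ignore_broadcast_ssid=1
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=password
"""

COMMON_PASSPHRASES = {"password", "12345678", "00000000", "androidap", "qwertyuiop"}
DEFAULT_SSIDS = {"AndroidAP"}   # the default named in the post
MIN_PASSPHRASE_LEN = 16         # policy threshold chosen for this example


def parse_hostapd(text):
    """Parse key=value lines; hostapd takes everything after '=' literally."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value
    return conf


def audit(conf):
    """Return a list of finding labels for a parsed soft-AP configuration."""
    findings = []
    wpa = int(conf.get("wpa", "0"))      # bit 0 = WPA, bit 1 = WPA2 (RSN)
    psk = conf.get("wpa_passphrase")
    if wpa == 0:
        findings.append("open-network")
    else:
        if not wpa & 2:
            findings.append("wpa1-only")
        elif wpa & 1:
            findings.append("wpa1-still-allowed")
        if psk is None:
            if "wpa_psk" not in conf and "wpa_psk_file" not in conf:
                findings.append("no-passphrase")
        elif psk.lower() in COMMON_PASSPHRASES:
            findings.append("default-passphrase")
        elif len(psk) < MIN_PASSPHRASE_LEN:
            findings.append("short-passphrase")
        ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
        if "TKIP" in ciphers:
            findings.append("tkip-enabled")
    if conf.get("ssid") in DEFAULT_SSIDS:
        findings.append("default-ssid")
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("hidden-ssid")   # hiding the SSID is not a control
    return findings


def hardened_conf(interface="tiap0"):
    """Build a corrected configuration with per-device random values."""
    return "\n".join([
        f"interface={interface}",
        f"ssid=tab-{secrets.token_hex(2)}",            # not the vendor default
        "ignore_broadcast_ssid=0",
        "wpa=2",                                       # WPA2 (RSN) only
        "wpa_key_mgmt=WPA-PSK",
        "rsn_pairwise=CCMP",
        f"wpa_passphrase={secrets.token_urlsafe(18)}", # 24 random characters
    ]) + "\n"


if __name__ == "__main__":
    print("reported:", audit(parse_hostapd(REPORTED_CONF)))
    print("hardened:", audit(parse_hostapd(hardened_conf())))
```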
Nice let us know what's new and how you make out
This is great news and I am looking forward to your project, thanks!!!
Heads-up: original post updated with PIT partition structure and TAR contents.
Original post updated with further information (FM radio, DSP, etc.). None of this is authoritative, obviously. I am just making plain observations. I haven't even seen the manufacturer's specifications yet for this device.
Splice/combine the ROM with a P1000 ROM?
Cool. Does this mean that your aim to splice/combine the ROM with a P1000 ROM to create a custom Android 2.2.1 ROM WITH 3G capabilities, that is compatible with P1000?
And in that case, it sure would be nice to keep most of what has been removed from /system/* in the P1010 ROM, of course.
Very interesting, thanks for posting the analysis.
I wonder whether GL drivers are any newer than from P1000 ROMs.
And GPS daemon?
Also, interesting about these split sensor drivers.
edit
hmm, interesting, the GL drivers are for SGX530 not 540 like in normal tab.
And the CPU in 1010 is OMAP3 not Hummingbird.
KB6 now online @ Samfirmware.
I'm too busy to look into it though.
Hi,
I just got the Wifi version. How can I check the ROM version?
does the P1010 still have a gps radio?
jackfrostn said:
does the P1010 still have a gps radio?
Yes. Only differences between 3g and wifi model:
- no 3G radio
- less powerful CPU/GPU on wifi model (thus can't play HD/Full HD video)
- and of course, wifi model is cheaper
could someone try getting the skype and qik files working
any update on the ROMs progress?
bthoven said:
Yes. Only differences between 3g and wifi model:
- no 3G radio
- less powerful CPU/GPU on wifi model (thus can't play HD/Full HD video)
- and of course, wifi model is cheaper
Actually it CAN play HD video. It can record 720p movies so it would only make sense it'd be able to play them. I watch 720p episodes of Breaking Bad on mine.
Sent from my GT-P1010 using XDA Premium App
himmelhauk said:
Actually it CAN play HD video. It can record 720p movies so it would only make sense it'd be able to play them. I watch 720p episodes of Breaking Bad on mine.
Sent from my GT-P1010 using XDA Premium App
Yes, it can play 720p lower bitrate whilst the 3G version can play higher bit rate, and also 1080p.
bthoven said:
Yes, it can play 720p lower bitrate whilst the 3G version can play higher bit rate, and also 1080p.
Actually it is worth making a correction here as well, it plays 1080 just fine as well, at least for me.
Out of curiosity, where did you see that the wifi has a different CPU/GPU than the GSM/CDMA versions? I'm not finding that info anywhere.
chrisliphart said:
Out of curiosity, where did you see that the wifi has a different CPU/GPU than the GSM/CDMA versions? I'm not finding that info anywhere.
In all the TI OMAP libraries and kernel in the ROM?
skype for p1010 wifi
Skype will work with regular rom. I used it all day today.
Yes, it does have gps radio on there. Well mine does anyway (in the uk)
Hello everyone,
Not sure if this is the right place to ask, but I really need help.
I am attempting to gather some data on Galaxy Nexus i9250 Android v4.3 CPU ARMv7. I am trying to use ARM Streamline but it provides the following error:
ARM Processor PMU event counters have been detected, however the event counters are reading zeroes. Event counters include those counters listed in the counter configuration options dialog under the core name but exclude the cycle counter (Clock:Cycles) as it is controlled by a dedicated counter. It is possible that the PMU configuration bit DBGEN has not been enabled, and counter values subsequently will always read as zero. To remedy, please update your firmware or Linux kernel to enable DBGEN.
After some searching I found a similar problem on Freescale,
which suggests some modification to the SDER (Secure Debug Enable Register, Security Extensions).
I do not know what to do, so I found a file perf_event in the kernel source, but I am not sure where to start.
I found out on the ARM infocenter for ARM11 that I should use
// MRC p15, 0, <Rd>, CRn, CRm, opCode_2 ; base
MRC p15, 0, <Rd>, c15, c12, 0 ; Read Performance Monitor Control Register
MCR p15, 0, <Rd>, c15, c12, 0 ; Write Performance Monitor Control Register
This is in perf_event_v6.c in the kernel folder, like this:
static inline unsigned long
armv6_pmcr_read(void)
{
u32 val;
asm volatile("mrc p15, 0, %0, c15, c12, 0" : "=r"(val));
return val;
}
Since I'm using version arm7, I should modify perf_event_v7.c,
and my guess is that I should use c9 instead of c15, because this is the option used there and mentioned in the Cortex reference manual, for example:
c9 registers
Table 4-10 shows the CP15 system control registers you can access when CRn is c9.
Table 4-10 c9 register summary
Op1 CRm Op2 Name Type Reset Description
0 c12 0 PMCR RW 0x41093000 Performance Monitor Control Register
1 PMCNTENSET RW 0x00000000 Count Enable Set Register
2 PMCNTENCLR RW 0x00000000 Count Enable Clear Register
3 PMOVSR RW - Overflow Flag Status Register
4 PMSWINC WO - Software Increment Register
5 PMSELR RW 0x00000000 Event Counter Selection Register
So it should be:
MRC p15, 0, <Rd>, c9, c12, 0 ; Read Performance Monitor Control Register
MCR p15, 0, <Rd>, c9, c12, 0 ; Write Performance Monitor Control Register
and
MRC p15, 0, <Rd>, c9, c12, 5 ; Read PMSELR Register
MCR p15, 0, <Rd>, c9, c12, 5 ; Write PMSELR Register
and to choose the event:
EXPORT pmn_config
; Sets the event for a programmable counter to record
; void pmn_config(unsigned counter, uint32_t event)
; counter (in r0) = Which counter to program (e.g. 0 for PMN0, 1 for PMN1)
; event (in r1) = The event code (from appropriate TRM or ARM Architecture Reference Manual)
pmn_config PROC
AND r0, r0, #0x1F ; Mask to leave only bits 4:0
MCR p15, 0, r0, c9, c12, 5 ; Write PMSELR Register
ISB ; Synchronize context
MCR p15, 0, r1, c9, c13, 1 ; Write PMXEVTYPER Register
BX lr
ENDP
The steps I should follow are as follows:
The following procedure should be followed:
Disable performance counters
Set what each event counter will count
Set cycle counter tick rate
Reset performance counters
Enable performance counters
Call function to profile
Disable performance counters
Read out performance counters
Check that performance counters did not overflow
I also found this example:
following this code on google_code DirectPMUCodeGCC
I found on the e2e support site that the Galaxy Nexus is a secure device by checking the DBGAUTHSTATUS.
I should push DBGEN or NIDEN high,
but I still did not know how to do it.
Any help?
OK guys, for one reason or another I'm stuck hard bricked with only EDL to work with. I have the firehose, I've got the GPT layout ...
Qualcomm Sahara / Firehose Client V3.60 (c) B.Kerler 2018-2022.
main - Trying with no loader given ...
main - Waiting for the device
main - Device detected
main - Mode detected: firehose
main - Trying to connect to firehose loader ...
firehose_client
firehose_client - [LIB]: No --memory option set, we assume "eMMC" as default ..., if it fails, try using "--memory" with "UFS","NAND" or "spinor" instead !
firehose - TargetName=MSM8953
firehose - MemoryName=eMMC
firehose - Version=1
firehose - Trying to read first storage sector...
firehose - Running configure...
firehose - Storage report:
firehose - total_blocks:61071360
firehose - block_size:512
firehose - page_size:512
firehose - num_physical:3
firehose - mfr_id:21
firehose - serial_num:2714670647
firehose - fw_version:3
firehose - mem_type:eMMC
firehose - prod_name:QX63AB
firehose_client - Supported functions:
-----------------
Parsing Lun 0:
GPT Table:
-------------
sbl1_a: Offset 0x0000000000020000, Length 0x0000000000080000, Flags 0x1004000000000068, UUID d451e441-843a-035e-57e9-4bafe9102104, Type 0xdea0ba2c, Active True
sbl1_b: Offset 0x00000000000a0000, Length 0x0000000000080000, Flags 0x1000000000000068, UUID 71c8b985-079f-d9e2-9d33-41918c11115d, Type 0x77036cd4, Active False
rpm_a: Offset 0x0000000000120000, Length 0x0000000000040000, Flags 0x1004000000000168, UUID 48405021-8344-3347-c2a3-bd73f902dcc1, Type 0x98df793, Active True
rpm_b: Offset 0x00000000001a0000, Length 0x0000000000040000, Flags 0x1000000000000168, UUID 7e148b06-a71a-a882-68c1-c8b3c6237cf4, Type 0x77036cd4, Active False
tz_a: Offset 0x0000000000220000, Length 0x00000000001c0000, Flags 0x1004000000001168, UUID 1a627e77-af05-0d38-0b50-7d6e9e71dcc5, Type 0xa053aa7f, Active True
tz_b: Offset 0x0000000000420000, Length 0x00000000001c0000, Flags 0x1000000000001168, UUID 8f0a1903-f395-2210-394a-c5e08e4e3b58, Type 0x77036cd4, Active False
devcfg_a: Offset 0x0000000000620000, Length 0x0000000000010000, Flags 0x1004000000001168, UUID 0bf3ffa4-f642-6c2c-a344-2ae4118019e1, Type 0xf65d4b16, Active True
devcfg_b: Offset 0x0000000000660000, Length 0x0000000000010000, Flags 0x1000000000001168, UUID f16e8ef6-6383-0642-d8c6-7e55baa4e168, Type 0x77036cd4, Active False
aboot_a: Offset 0x00000000006a0000, Length 0x0000000000180000, Flags 0x1004000000001168, UUID 9f8ceba7-c21a-e1db-adc1-a4e76fd1bdc8, Type 0x400ffdcd, Active True
aboot_b: Offset 0x0000000000820000, Length 0x0000000000180000, Flags 0x1000000000001168, UUID 160f33ee-e215-caf6-99d0-e9d2f0882de4, Type 0x77036cd4, Active False
cmnlib_a: Offset 0x00000000009a0000, Length 0x0000000000100000, Flags 0x1004000000000068, UUID 5378f3bd-0a56-3152-f354-339adb036d3a, Type 0x73471795, Active True
cmnlib_b: Offset 0x0000000000aa0000, Length 0x0000000000100000, Flags 0x1000000000000068, UUID 10bd90b6-458d-dc70-44a9-4fda24974de1, Type 0x77036cd4, Active False
cmnlib64_a: Offset 0x0000000000ba0000, Length 0x0000000000100000, Flags 0x1004000000000068, UUID 34e28a74-41d8-26e6-2cf9-6c5f12aae64f, Type 0x8ea64893, Active True
cmnlib64_b: Offset 0x0000000000ca0000, Length 0x0000000000100000, Flags 0x1000000000000068, UUID 166f1ce6-c3aa-924d-5b91-9781fe31c64a, Type 0x77036cd4, Active False
keymaster_a: Offset 0x0000000000da0000, Length 0x0000000000100000, Flags 0x1004000000000068, UUID 89e071d4-ac46-f85f-8ab4-54f6fb6bbde6, Type 0xe8b7cf6e, Active True
keymaster_b: Offset 0x0000000000ea0000, Length 0x0000000000100000, Flags 0x1000000000000068, UUID bebc8ca7-dfdf-fe11-64a1-0c09d3c931f2, Type 0x77036cd4, Active False
prov_a: Offset 0x0000000000fa0000, Length 0x0000000000030000, Flags 0x1004000000000068, UUID aca6eff1-5d5c-a01f-6990-99d251c034e9, Type 0xd05e0fc0, Active True
prov_b: Offset 0x0000000000fe0000, Length 0x0000000000030000, Flags 0x1000000000000068, UUID 6c7f77df-3e55-07ca-2156-4630d0775ebb, Type 0x77036cd4, Active False
modem_a: Offset 0x0000000001020000, Length 0x0000000006400000, Flags 0x1004000000000048, UUID 3d412ef1-bcf8-8228-34cc-f477a9c91693, Type EFI_BASIC_DATA, Active True
modem_b: Offset 0x0000000007420000, Length 0x0000000006400000, Flags 0x1000000000000048, UUID 774f960b-2f61-d485-8798-43648c7210d6, Type 0x77036cd4, Active False
fsc: Offset 0x000000000d820000, Length 0x0000000000001000, Flags 0x0000000000000058, UUID a7ce746e-1439-1e60-37a4-84d6686203df, Type 0x57b90a16, Active False
ssd: Offset 0x000000000d821000, Length 0x0000000000002000, Flags 0x0000000000000008, UUID c342f3d5-bd4a-ce7c-2eba-33108b9a0824, Type 0x2c86e742, Active False
dsp_a: Offset 0x000000000d823000, Length 0x0000000001000000, Flags 0x0004000000000048, UUID 93df5534-0905-1e56-e33b-e15c71464e27, Type EFI_BASIC_DATA, Active True
dsp_b: Offset 0x000000000e823000, Length 0x0000000001000000, Flags 0x0000000000000048, UUID f809bf34-e913-cf3e-2313-abfa795ed028, Type 0x77036cd4, Active False
DDR: Offset 0x000000000f840000, Length 0x0000000000008000, Flags 0x1000000000000058, UUID 30c86667-112f-3a6a-b1f0-7a567cc89652, Type 0x20a0c19c, Active False
utags: Offset 0x000000000f860000, Length 0x0000000000080000, Flags 0x0000000000000020, UUID 917b1209-adfa-d3a6-0c80-bd42bf4dd018, Type 0x1dd40d18, Active False
utagsBackup: Offset 0x000000000f8e0000, Length 0x0000000000080000, Flags 0x0000000000000000, UUID 5fcad0b6-4673-5e8b-f015-d07be88d37ce, Type 0xc490f39c, Active False
modemst1: Offset 0x000000000f960000, Length 0x0000000000200000, Flags 0x0000000000000018, UUID eda04c0b-a732-4fa0-d928-f61f78edd851, Type 0xebbeadaf, Active False
modemst2: Offset 0x000000000fb60000, Length 0x0000000000200000, Flags 0x0000000000000018, UUID 0d85a2f0-27ec-53c0-9cf4-10ca3d66e5e2, Type 0xa288b1f, Active False
fsg_a: Offset 0x000000000fd60000, Length 0x0000000000c00000, Flags 0x1004000000000058, UUID a75d8f05-bb54-6100-f8df-caa534c3184b, Type 0x638ff8e2, Active True
fsg_b: Offset 0x0000000010960000, Length 0x0000000000c00000, Flags 0x1000000000000058, UUID c8ac2422-4a61-db30-d2a4-009b6da0b0cc, Type 0x77036cd4, Active False
persist: Offset 0x0000000011560000, Length 0x0000000002000000, Flags 0x0000000000000020, UUID aaf73c71-09c8-3892-13a5-94ce6aafd06c, Type 0x6c95e238, Active False
persist2: Offset 0x0000000013560000, Length 0x0000000000800000, Flags 0x0000000000000020, UUID 2aa7201c-91c0-a503-579f-c0d246b61df7, Type 0x6c95e238, Active False
frp: Offset 0x0000000013d60000, Length 0x0000000000080000, Flags 0x0000000000000028, UUID cd30e5ba-d974-decb-9590-3698ca79b2d4, Type 0x91b72d4d, Active False
cid: Offset 0x0000000013de0000, Length 0x0000000000020000, Flags 0x0000000000000020, UUID 19c735fb-0e73-73fc-5171-5be32d69fba3, Type 0x459abd04, Active False
logo_a: Offset 0x0000000013e00000, Length 0x0000000001000000, Flags 0x0004000000000048, UUID ed1d2c5e-ee5e-4af8-8ece-5cc98b7d7ae2, Type 0x20117f86, Active True
logo_b: Offset 0x0000000014e00000, Length 0x0000000001000000, Flags 0x0000000000000048, UUID 07f14720-0e2c-8f53-bafe-662b0ce340db, Type 0x77036cd4, Active False
carrier: Offset 0x0000000015e00000, Length 0x0000000001000000, Flags 0x0000000000000018, UUID addb7b6b-f6fe-3702-dc9b-e4379357909c, Type 0xc63d32d8, Active False
metadata: Offset 0x0000000016e00000, Length 0x0000000001000000, Flags 0x0000000000000018, UUID 19ac4004-7b65-e2b0-00a6-27c49b87c97f, Type 0xa877b68d, Active False
kpan: Offset 0x0000000017e00000, Length 0x0000000000800000, Flags 0x0000000000000008, UUID a67ba3df-aafc-e933-48eb-531554019207, Type 0x56465e10, Active False
boot_a: Offset 0x0000000018600000, Length 0x0000000002000000, Flags 0x103f000000000148, UUID b15c3b9f-e462-94dc-dbc3-0bf4103f69e2, Type 0x20117f86, Active True
boot_b: Offset 0x000000001b600000, Length 0x0000000002000000, Flags 0x1000000000000148, UUID d6c709db-c83e-0a0b-6bab-690002f03d41, Type 0x77036cd4, Active False
dtbo_a: Offset 0x000000001e600000, Length 0x0000000000800000, Flags 0x1004000000000048, UUID 5b4a24c2-ebc4-c08b-cfae-feeaaef2611f, Type 0x24d0d418, Active True
dtbo_b: Offset 0x000000001ee00000, Length 0x0000000000800000, Flags 0x1000000000000048, UUID 2b93a98f-e232-74fd-0342-d40ef6f4ccba, Type 0x77036cd4, Active False
recovery_a: Offset 0x000000001f600000, Length 0x0000000004000000, Flags 0x1004000000000048, UUID e32968c1-9eea-2fa3-a26b-53fe0778d8dc, Type 0x9d72d4e4, Active True
recovery_b: Offset 0x0000000023600000, Length 0x0000000004000000, Flags 0x1000000000000048, UUID 6cba25e9-b54d-da34-e02c-adca6fedbfaf, Type 0x77036cd4, Active False
misc: Offset 0x0000000027600000, Length 0x0000000000100000, Flags 0x0000000000000020, UUID 861dd04d-3866-7f3e-4460-06274c4263ce, Type 0x82acc91f, Active False
mota: Offset 0x0000000027700000, Length 0x0000000000080000, Flags 0x0000000000000008, UUID a9684491-1073-c3b9-59d9-f730c5847155, Type EFI_BASIC_DATA, Active False
syscfg: Offset 0x0000000027780000, Length 0x0000000000080000, Flags 0x0000000000000008, UUID be2dd370-7dd5-75fe-9992-71a818d5923c, Type 0x98df793, Active False
logs: Offset 0x0000000027800000, Length 0x0000000000200000, Flags 0x0000000000000008, UUID 656b4e0c-03a8-dc61-6b2c-ffc1386972ff, Type 0x33ca947a, Active False
apdp: Offset 0x0000000027a00000, Length 0x0000000000040000, Flags 0x1000000000000048, UUID f590d623-c129-b1ad-902e-9fed3116c10c, Type 0xe6e98da2, Active False
msadp: Offset 0x0000000027a40000, Length 0x0000000000040000, Flags 0x1000000000000048, UUID 56c0151a-3a05-ffaf-ff7b-b4d4513e8b49, Type 0xed9e8101, Active False
dpo: Offset 0x0000000027a80000, Length 0x0000000000002000, Flags 0x1000000000000008, UUID 902e2619-1edd-17e5-2d60-a3e138417666, Type 0x11406f35, Active False
devinfo: Offset 0x0000000027a82000, Length 0x0000000000080000, Flags 0x1000000000000028, UUID 276192cf-8fbf-7910-666f-3aa65b4b44de, Type 0x1b81e7e6, Active False
vbmeta_a: Offset 0x0000000027b02000, Length 0x0000000000010000, Flags 0x1004000000000048, UUID 1b5d48cc-cb95-9826-a0ae-6e99855e0443, Type 0x4b7a15d6, Active True
vbmeta_b: Offset 0x0000000027b12000, Length 0x0000000000010000, Flags 0x1000000000000048, UUID 61685bd7-196c-7275-3b25-92cd54cda287, Type 0x77036cd4, Active False
padA: Offset 0x0000000027b40000, Length 0x00000000004c0000, Flags 0x0000000000000008, UUID 53a79682-5605-f710-b0a6-f32e9a015ca9, Type EFI_BASIC_DATA, Active False
hw: Offset 0x0000000028000000, Length 0x0000000000800000, Flags 0x00000000000000a0, UUID ea24b520-3666-f1f8-2022-14acecd8f514, Type 0xb2d77ec0, Active False
sp: Offset 0x0000000028800000, Length 0x0000000000800000, Flags 0x00000000000000a0, UUID 93284f6d-c670-a696-ccb8-8f5b02605540, Type 0x40aef62a, Active False
super: Offset 0x0000000029000000, Length 0x0000000244000000, Flags 0x0000000000000048, UUID 23174131-ecd6-f560-916f-9578a7b77415, Type 0x97d7b011, Active False
userdata: Offset 0x000000026d000000, Length 0x00000004dabfbe00, Flags 0x0000000000000018, UUID 4c646ee0-7dec-5b49-f050-ef9cadf22e13, Type 0x1b81e7e6, Active False
Total disk size:0x0000000747c00000, sectors:0x0000000003a3e000
Please, someone with this phone brave enough to read their partitions from the phone and upload them, I would be indebted for a very, very long time.
EDIT 1: My bootloader is unlocked.
Why don't you use the lolinet partitions? If you have the firehose you can open QFIL and use partition manager and flash them.