Database Info

[Devs Needed]Behold 2/II Updated Information for Root/ROMS

Okay I know this is not posted in the correct area as XDA is only for HTC, however in the spirit of Android and its awesome developers I thought I could bring it this way for some help. Even though the Behold 2 is not an HTC device it is the one of the fastest Android devices(faster than HERO) with a whopping 320 MB ROM. Please Devs look below and help if possible. Thanks
Ok so I have mine rooted(followed persistant root instructions through google search), there is something very interesting about the way Samsung did this. This phone has like 20 different partitionssee below, however I think I know how the phone is able to restore root and the recovery after boot. These 20 partitions include copies of each other. For example if you do su on terminal emulator and then you type "cat /proc/partitions" it will list all the partitions. Notice how some partitions have different labels but are the same size. These are the respective back ups(i think). The only partition that I know is "stl9" or "st9" is the system. (Behold 2 removes any custom recovery or temp root upon reboot)
I tried flash_image recovery and said it wasn't a recognized partition as the BH2 also does not have mtd. cat /proc/mtd produces nothing. Hope this helps.
Oh 1 last thing it seems I may have found an exploit with the device management.apk. It has the option to run a bootloader/bootstrap test, could this be exploited to install customer recovery? Its just a thought...
Can someone with root, compile busybox for install on the Behold 2. I am sorry I only have Windows 7.
So I believe if these partitions, specifically the backup could be modified then we could in theory run a script to modify the phone and then upon reboot when init.rc does it check it would load the modified recovery and custom ROM.
Terminal Output:
See the areas highlighted in BOLD. The G1 has half the number of partitions and mtd has output.
$ export PATH=/data/local/bin:$PATH
$ su
# cat proc/partitions
major minor #blocks name
137 0 513024 bml0/c
137 1 2048 bml1
137 2 512 bml2
137 3 512 bml3
137 4 1024 bml4
137 5 23040 bml5
137 6 6144 bml6
137 7 23040 bml7
137 8 6144 bml8
137 9 226304 bml9
137 10 8192 bml10
137 11 512 bml11
137 12 40960 bml12
137 13 1024 bml13
137 14 173568 bml14
138 9 210432 stl9
138 12 25088 stl12
138 14 157696 stl14
179 0 1982464 mmcblk0
179 1 1982338 mmcblk0p1
#
Click to expand...
Click to collapse

[Reserved for Space]

1 more for screenies of device management.apk

I'm nowhere near experienced enough to be considered a dev just yet but I'm switching to T-Mobile soon and if I get my hands on a Behold II I'll contribute as much as I can to development of this phone. It would be awesome to get this thing up and running on a Android 2.1 Sense ROM! If money's as tight as it is now when I switch though I might have to avoid a contract and just use my unlocked G1

This would be really awesome if executed. I'm in the process of rooting my phone as well, but I first need to find my usb cable...

Have you tried this link?
http://androidforums.com/samsung-behold-2/22470-persistant-root.html

JonInAtl said:
Have you tried this link?
http://androidforums.com/samsung-behold-2/22470-persistant-root.html
Click to expand...
Click to collapse
he already has his phone rooted, just needs to get busybox for the behold 2 i believe.
im pretty much on the same boat, i just got the phone cause it had the most ram for an android phone on t-mobile. it'll be awesome if we get custom roms onto the phone.
btw mods, i think this should be moved, or merged onto the other similar thread.
http://forum.xda-developers.com/showthread.php?t=597501

Samsung Galaxy S 4G Unlock Code Found

***** IMPORTANT ROOT IS REQUIRED BEFORE PROCEEDING *****
***** ALSO PLEASE READ CAREFULLY BEFORE ACTUALLY APPLYING STEPS *****
All right ladies and gentlemen, coders and non coders I have personally found the unlock code NOT THE FREEZE CODE only the unlock code for your Samsung Galaxy S 4G hidden in the same files as previous Vibrant phones.
Please understand this was a hard complex and still needs work procedure.
Of-course this all depends on your dedication and time but hopefully I have simplified it for you.
Steps:
1. Install "010 Hex editor" you can use trial does not have to be registered
2. Go to your SGS 4G and open a terminal emulator (free on the Market) - (Root Required)
The following steps are credit to SS2006 on a different post
*** Dont forget the (su) command *** after the second line
_____
after opening a terminal emulator type the following
cd /dev/block <enter>
su <enter> <at this point your phone will ask for superuser access ALLOW it if you already havent done so>
dd if=/dev/block/bml3 of=/sdcard/bml3.bak <enter>
Go find the file on your SD Card and transfer it to your computer
3. Open 010 Hex Editor
4. In 010 Hex Editor go to the Menus above and select VIEW>LINEFEEDS>SELECT CUSTOM>SET YOUR BYTES TO "32" Nothing Less
5. Locate the bml3.bak file you created and transfered to your computer and open it using the editor
(CREDIT TO FR0Z3N FOR CLARIFYING THE FOLLOWING 2 STEPS)
6. Using your keyboard select CRTL+F to search for a hex string, when the search window pops up select "Hex byte" in the Type field and then search for the following string below:
"FFFFFFFFFF0100000000" ALL TOGETHER, Then Hit the FIND ALL button to the right, some of you will get 2 results and others up to 10 results on your screen below
7. If you look at your Hex editor there are 3 window panes on the selected line (See Image Below)
e.g 4CCC60h <-- Offset
01 01 01 01 < -- Hex Keys
yyyyyyyyy <- ASCII text where your code is
h.t .t p / / i1201.photobucket . com /albums/ bb359/sanfranx415/unlock.jpg
8. Go through each result from the above search and you will see on the 3rd window pane (as shown on pic above) after the hex keys there is an 8 DIGIT CODE (Write this code Down) this is your unlock code NCK for your phone
Sidenote: THIS 8 DIG CODE SHOULD SHOW ON AT-LEAST ONE MORE RESULT CHECK ALL YOUR RESULTS FROM THE SEARCH ABOVE IF YOU HAVE ANY DOUBTS ( SOME OF YOU WILL HAVE YOUR CODE SHOWN AT-LEAST 2 TIMES AND SOME OF YOU WILL HAVE THE CODE SHOW MORE THAN 4 TIMES BUT YOU SHOULD NOT HAVE THAT MANY RESULTS )
**** TO INPUT THE UNLOCK NETWORK CODE DO THE FOLLOWING ****
9. Turn off your phone
10. Insert a foreign SIM card not attached to your current provider (e.g if you have T-mob use an ATT SIM CARD) and turn on your phone
11. You will be prompted to enter a Network Unlock Control Key ( Use the code above that you wrote down and type it in your phone exactly)
12. After entering your NCK please hit Unlock or GO button and you should see a screen that says "network unlock successful" and your phone should go in the main screen after your phone has been unlocked.
THATS IT FOLKS HAVE FUN
PS> If you entered an incorrect code you must of entered the wrong code or wrote it down wrong please read carefully and verify the code matches the results from above in at-least more than one instance
SHOULD ANYONE NEED HELP PM ME AND I WILL BE GLAD TO HELP
personally my SGS4G has been rooted from day 1 and wi-fi tethering enabled and now it has been Unlocked

Thanks, will try

This seems like it doesn't work. If you go to line 157028 you end up at offset 4CAC60h which is nothing but zeros. And if you go to offset 4CCC60h, there's no 01010101 value.

Ok is this BS or what? I noticed that no one else has posted here. I have tried every combination with these line #'s and I cant find any 8 digit code in the third section. con anybody tell me if this is legit?

doesnt work for me either

OMG! Sick it did work, i found it on a different line
w00t just unlocked mine!

fr0z3n said:
OMG! Sick it did work, i found it on a different line
w00t just unlocked mine!
Click to expand...
Click to collapse
Well can you share what line you found it on

I just unlocked two of them, its on different lines everytime.
Folowing are the instructions:
Open the file in Hex Editor
1.) Press - Ctrl + F
A window should open up
2.) Change the type to "Hex Bytes (h)
3.) Value: FF FF FF FF FF 01 00 00 00 00
4.) Click Find All, for me the code
the code is visible right after this, 8 digit code. For me it was repeared 9-10 times in the file.
Good luck

did it work?

No this is not BS and Yes Fr0z3N is correct I should have said look for this line value
Value: FF FF FF FF FF 01 00 00 00 00
You will find your code it takes patience but your code is there if you follow the instructions
Thanks Fr0Z3n for the clarification and more indepth analysis

Works for me, too. Thanx sanfran and fr0z3n.
Sent from my SGH-T959V using XDA App

hello, can you tell me if moving to Europe this device will work also on European 3G UMTS 900/2100 ? Thanks a lot

pipporobby said:
hello, can you tell me if moving to Europe this device will work also on European 3G UMTS 900/2100 ? Thanks a lot
Click to expand...
Click to collapse
Moving to europe has no barring at all- Once you unlock your Phone you can use it with any GSM provider in the world including Europe just switch out the sim Cards with the european SIM
The technology has not changed for 3G phones are still capable of the same frequencies its just 4G is now being used more common in the US depending on your carrier of-course either HSPA or LTE or WIMAX in the US but in Short to answer your question YES it will work
Have fun in Europe

Still no luck Ive tried it over and over the only numbers that I find that are on more than one line is 0123456789 and I doubt that is my unlock code. And I followed the instructions to the "T" Why is this not working? Also you said 2 to 10 results below and I get 160 results every time.

@droidboy: Is your Samsung Galaxy S 4G rooted?
Sent from my SGH-T959V using XDA App

sk8er_ said:
@droidboy: Is your Samsung Galaxy S 4G rooted?
Sent from my SGH-T959V using XDA App
Click to expand...
Click to collapse
Yeah I am rooted, I rooted through super one click v1.7

@Droidboy quick question did you try using any galaxy s unlock app from the market if you did and they alter your original files that came with your phone thus causing a different bak file to be outputed when you do the terminal commands as stated. You should revert if possible with the same program used or PM me and send me your bak file to see if I can help

Thanks. It worked!!
Sent from my SGH-T959V using XDA App

fr0z3n said:
I just unlocked two of them, its on different lines everytime.
Folowing are the instructions:
Open the file in Hex Editor
1.) Press - Ctrl + F
A window should open up
2.) Change the type to "Hex Bytes (h)
3.) Value: FF FF FF FF FF 01 00 00 00 00
4.) Click Find All, for me the code
the code is visible right after this, 8 digit code. For me it was repeared 9-10 times in the file.
Good luck
Click to expand...
Click to collapse
I followed these instructions after I downloaded the .bak file, used the CTRL+F to find the first instance then used F3 (Find Next) to find the other places where the code is.

Has anyone tried a AT&T sim card to see if 3G works just like it did for the Vibrant?

wifi hot spot dosent like moto...

wtf... when you need wifi access it turns out that the mac address of the phone is filtered...
to be sure, changed my laptop wifi mac to match the phone one, and guess... no access....
ok the mac address on the phone wifi, can be changed temporary, but it is a pain (and when i say pain i mean repeating pain )
so i found that actually the mac is stored in /pds/wifi/nvs_map.bin
long story short...
moto mac 11:22:33:44:55:66
relevant part in hex of the nvs_map:
Code:
00000000 01 6D 54 [b]66[/b] [b]55[/b] [b]44[/b] [b]33[/b] 01 71 54 [b]22[/b] [b]11[/b]
and changed mac aa:bb:cc:dd:ee:ff
and the relevant part in the nvs_map
Code:
00000000 01 6D 54 [b]ff[/b] [b]ee[/b] [b]dd[/b] [b]cc[/b] 01 71 54 [b]bb[/b] [b]aa[/b]
after replacing the file (ofcourse, make a backup)
the change will be permanent (or at least until restore from the backup
so choose carefully the mac address please
i tested that with success on my xt720, i suppose that the trick will work on every phone which utilize /pds/wifi/nvs_map.bin file on wlan initialization...
e.g. if there is service like
Code:
service wlan_loader /system/bin/wlan_loader \
-f /system/etc/wifi/fw_wlan1271.bin -i /system/etc/wifi/tiwlan.ini \
-e [b]/pds/wifi/nvs_map.bin[/b]
class post-zygote_services
disabled
oneshot
p.s. intensionally the post is not very user friendly. the reason is that i am afraid that if somebody do not understand really well what to do, can screw the wifi. I cannot explain in great details, but the above is more than enough if someone know about hex editors, copying files etc..

problem with MAC Wifi - Motorola Defy
peshovec said:
wtf... when you need wifi access it turns out that the mac address of the phone is filtered...
to be sure, changed my laptop wifi mac to match the phone one, and guess... no access....
ok the mac address on the phone wifi, can be changed temporary, but it is a pain (and when i say pain i mean repeating pain )
so i found that actually the mac is stored in /pds/wifi/nvs_map.bin
long story short...
moto mac 11:22:33:44:55:66
relevant part in hex of the nvs_map:
Code:
00000000 01 6D 54 [b]66[/b] [b]55[/b] [b]44[/b] [b]33[/b] 01 71 54 [b]22[/b] [b]11[/b]
and changed mac aa:bb:cc:dd:ee:ff
and the relevant part in the nvs_map
Code:
00000000 01 6D 54 [b]ff[/b] [b]ee[/b] [b]dd[/b] [b]cc[/b] 01 71 54 [b]bb[/b] [b]aa[/b]
after replacing the file (ofcourse, make a backup)
the change will be permanent (or at least until restore from the backup
so choose carefully the mac address please
i tested that with success on my xt720, i suppose that the trick will work on every phone which utilize /pds/wifi/nvs_map.bin file on wlan initialization...
e.g. if there is service like
Code:
service wlan_loader /system/bin/wlan_loader \
-f /system/etc/wifi/fw_wlan1271.bin -i /system/etc/wifi/tiwlan.ini \
-e [b]/pds/wifi/nvs_map.bin[/b]
class post-zygote_services
disabled
oneshot
p.s. intensionally the post is not very user friendly. the reason is that i am afraid that if somebody do not understand really well what to do, can screw the wifi. I cannot explain in great details, but the above is more than enough if someone know about hex editors, copying files etc..
Click to expand...
Click to collapse
----------------------------
Hi guys...
I need help to configure the nvs_map.bin... Edit the file with Hex Editor program and now the WIFI does not work. I have no backup file nvs_map.bin.
I need to get back to the Mac I had before. I have not a backup file nvs_map.bin, but if I have a backup of the MAC shown in the phone settings menu. Now I get 00:00:00:00:00:00.
Sorry. My English is bad .. I am Spanish
Thanks for the info

[UNBRICK] HTC Unbricking Project

We are proud to announce that the MyTouch 4G Slide is now UNbrickable. Users with the QHSUSB_DLOAD issue can now fully recover their phones and get them fully functional.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
​
Note: This will fix only devices which were bricked by turning S ON. And bricks caused by a damaged hboot via interrupted OTA update/RUU flash on a S-ON device. Any devices bricked with other ways are currently *not* supported. We are working on it
The "core" of the unbricking project dev team:
MOVZX
RussianBear
Fuses
Dexter93
Testing stuff and irc support:
globatron
Deceptivechaos
dburgd84
Snake_skw
Other stuff:
dmcb123
xIndirect
Hawke84​
Thanks to trevE, xHausx and the rest of the evo3d team that gave us the basic info to work on and made us curious to see if we could get something out of it. Also thanks to ief and his team @revolutionary for helping us understand the bootloaders better. We should also not forget to thank cxb01 of malshenzu.com and xda members arthurire and untrueparadox who helped in translation.

Prerequisites
a linux box/live cd with automount disabled and without unity
the appropriate package for the device
the latest RUU for your device
a device bricked by writing security flag 3 with an unsigned hboot, or caused by a damaged hboot via interrupted OTA update/RUU flash on a S-ON device
a usb cable
some basic linux experience
patience
DISCLAIMER: We do NOT guarantee that this method will work for you, or that it is flawless. We are also not responsible if your phone is completely dead after the procedure, or your house burns down because your phone exploded. You are doing this in YOUR OWN RISK.
Instructions​
NEW: Detailed video on the process. Its displaying the process on a Sensation, but its pretty much the same thing. Thanks to kgs1992
Boot the linux box and download the appropriate package for the device.
Extract the package in the home directory
Open up a terminal
Remove SIM, microSD card and battery and connect the device using the USB cable. This procedure must be done without battery
Detect the device using the script provided. Type this in the terminal
Code:
./brickdetect.sh
You should get something like sdX. We are interested on that "X"
Unplug the usb cable from the device
Backup the hboot currently in the phone by using this command. Plug the device in ONLY when asked to
Code:
sudo ./emmc_recover --backup b_hboot.img --device /dev/sdX12
Replace the "X" with the letter the script gave you
Follow the on-screen instructions from emmc_recover
Hexdump the b_hboot to check the hboot version
Code:
hexdump -C b_hboot.img |less
The output should be like this:
Code:
00000000 05 00 00 00 03 00 00 00 00 00 00 00 00 00 10 40 |[email protected]|
00000010 d8 fc 0f 00 d8 fb 0f 00 d8 fb 1f 40 00 01 00 00 |[email protected]|
00000020 d8 fc 1f 40 00 00 00 00 12 00 00 ea 31 2e 34 35 |[email protected]|
00000030 2e 31 33 31 33 00 00 00 38 32 36 30 20 53 50 4c |.1313...8260 SPL|
00000040 00 00 00 00 00 f0 20 e3 53 48 49 50 00 00 00 00 |...... .SHIP....|
00000050 00 f0 20 e3 00 f0 20 e3 48 42 4f 4f 54 2d 38 32 |.. ... .HBOOT-82|
00000060 36 30 00 00 00 f0 20 e3 38 63 61 38 33 62 37 31 |60.... .8ca83b71|
This is the typical hex of a hboot. We are interested to check if that is the hboot partition and if it is, to get to know the version. In this case it is 1.45
If in the above step you failed to identify the hboot, unplug all devices connected to that pc, reboot and try again
Unplug the device
Check again it is the right version, because if you do a mistake here, you won't be able to go back
You can only flash the same version as the one in the device.
!!!!!DO NOT ATTEMPT TO FLASH ANOTHER VERSION OR DOWNGRADE!!!IT HAS BEEN PROVEN FATAL!!!!
Flash the hboot on the device. Replace "V.VV" with hboot version (eg. 1.44, 1.45) and "X" with the one you got from the detect script. Plug the device in ONLY when asked to
Code:
sudo ./emmc_recover --flash dshotV.VV.nb0 --device /dev/sdX12 --backupafter hboot_f.nb0
Follow the on-screen instructions from emmc_recover. A successful flash should have this output:
Code:
511+1 records in
511+1 records out
1047808 bytes(1.0 MB) copied
Unplug the device, put SIM, microSD card and battery in and power on
Congratulations, the device is unbricked.
FLASH THE RUU IMMEDIATELY AFTER RECOVERING!! The device will be unstable after the recovery if you don't flash it.
Notes on the procedure:​
If the device doesn't power on, get a copy of the hboot_f.nb0 and b_hboot.img (should be located in the home directory) and contact us
The connection between the device and the pc will be unstable, and will time out. You have to be quick when doing the above, specially while flashing. If the connection times out don't panic, just unplug and replug the device
Unity and automount are known to cause issues. We recommend getting rid of both
USB3 ports do not work properly. Please plug the device in a USB2 port
How to disable automount on ubuntu
Code:
gsettings set org.gnome.desktop.media-handling automount false
Downloads
For T-Mobile MyTouch 4G slide( Doubleshot):
32bit version MD5: 50a5f503151d37ccd3160d38afa7382a
64bit version MD5: eabe6061fcded077bb4a01432e17dd0e
Don't have a linux distro installed on your pc? We highly recommend this livecd​

nice....i see this over on the sensation a lot.....so is it done or a wip

xmc wildchild22 said:
nice....i see this over on the sensation a lot.....so is it done or a wip
Click to expand...
Click to collapse
I believe the two posts above say it all
RELEASE BUMP!

hi
no experience on linux
[email protected]:~$ ./brickdetect.sh
Searching for bricked device...
The bricked device is on
Use the above node to perform operations using the emmc_recover tool
it\s not find something sdX
after i paste next command sudo ./emmc_recover --backup b_hboot.img --device /dev/sdX12
Searching for bricked device...
The bricked device is on
Use the above node to perform operations using the emmc_recover tool
[email protected]:~$ sudo ./emmc_recover --backup b_hboot.img --device /dev/sdX12
=== emmc_recover 0.2, written by Fuses =====
Messing up with device /dev/sdX12, ARE YOU SURE?
CTRL+C if not, ENTER to continue
Waiting device /dev/sdX12.......

Awesome thanks man!!!

nickmatine said:
hi
no experience on linux
[email protected]:~$ ./brickdetect.sh
Searching for bricked device...
The bricked device is on
Use the above node to perform operations using the emmc_recover tool
it\s not find something sdX
after i paste next command sudo ./emmc_recover --backup b_hboot.img --device /dev/sdX12
Searching for bricked device...
The bricked device is on
Use the above node to perform operations using the emmc_recover tool
[email protected]:~$ sudo ./emmc_recover --backup b_hboot.img --device /dev/sdX12
=== emmc_recover 0.2, written by Fuses =====
Messing up with device /dev/sdX12, ARE YOU SURE?
CTRL+C if not, ENTER to continue
Waiting device /dev/sdX12.......
Click to expand...
Click to collapse
Hey... Don't rush. You shouldn't be skipping steps or you might damage your pc for good . Check the connections and that your brick is one of the supported ones . That X should be a letter corresponding to the device
Sent from my HTC Sensation Z710e

downloads updated with fixed detection scripts. the output should be more clear now

after i put this code ./brickdetect.sh it says permision denided

sam.assad said:
after i put this code ./brickdetect.sh it says permision denided
Click to expand...
Click to collapse
Linux? try
Code:
chmod a+x brickdetect.sh
then
Code:
./brickdetect.sh

thanks for the code ..it does work but unfortunatlly i got this " device cant be detected. check connections

glecier works for?

ant0ni0 said:
glecier works for?
Click to expand...
Click to collapse
Glacier is a completely different device.
Hastily spouted for your befuddlement

Is there an IRC channel for this? My device is not being detected on the Ubuntu live CD but is on my windows 7 machine.

i have the mt4g glacier...
im running ubuntu (12.10)
i installed the files in the home directory in linux..
after i plug the phone up with no battery, etc...
and type ./brickdetect.sh
it says the device is not detected...
what am im doing wrong?

mrbubs3 said:
Is there an IRC channel for this? My device is not being detected on the Ubuntu live CD but is on my windows 7 machine.
Click to expand...
Click to collapse
yes, there is. #unbrick on irc.freenode.net
12manytimes said:
i have the mt4g glacier...
im running ubuntu (12.10)
i installed the files in the home directory in linux..
after i plug the phone up with no battery, etc...
and type ./brickdetect.sh
it says the device is not detected...
what am im doing wrong?
Click to expand...
Click to collapse
The Glacier is not supported.
Sent from the brick

I have a MT4GS that's showing in Windows as qhsusb_dload.
I tried to follow the direction in post 1, but I can't get any of my HTC phones to show in my Ubuntu VM.

GoPadge said:
I have a MT4GS that's showing in Windows as qhsusb_dload.
I tried to follow the direction in post 1, but I can't get any of my HTC phones to show in my Ubuntu VM.
Click to expand...
Click to collapse
How did you end up there?
VMs don't work btw

dexter93 said:
How did you end up there?
VMs don't work btw
Click to expand...
Click to collapse
Heh. It's a "new" phone off eBay. I already have a MT4GS on CM9 and I wanted to have a backup, so I've been stalking eBay for some good deals. This new phone is in relatively good shape, other than being bricked....
I can't install Ubuntu on my work PC (IT is sort of picky about that for some reason). But the VM has worked so far for flashing CM9 to both my HP TouchPad and my primary MT4GS. I do have an older Dell laptop that needs to have XP reinstalled anyway. I could skip that and move it to Ubuntu for good.
So I guess I'm sort of stuck on the qhsusb_dload MT4GS for now.

dexter93 said:
How did you end up there?
VMs don't work btw
Click to expand...
Click to collapse
Would a Live CD work?

Perl scripts to encrypt/decrypt adb backup files

I wrote the following attached PERL routines for reading/decrypting/decompressing and writing/encrypting/compressing adb backup format backup files.
The routines are:
backupdecrypt.pl: Decrypt (and decompress) android backup file
backupencrypt.pl: Encrypt (and decompress) android backup file
tarfix.pl: Fix broken tar files produced by android backup when using -shared flag
The first two routines allow for reading and writing to the standard ".ab" adb backup format.
Backupdecrypt.pl takes an '.ab' file as input and outputs a standard format tar file (which may be optionally gzip'd).
Backupencrypt.pl takes an arbitrary file (though typically it should be tar file) as input and outputs a standard ".ab" format backup file. Options include the ability to encrypt (or not) and deflate (or not) the backup. Also, one can automatically decompress most standard input formats before encrypting.
For encryption, passwords can be queried for or passed on the command line or read from a file.
NOTE: unfortunately the standard 'adb backup' routine seem to have a SEVERE *BUG* in it when using the '--shared' option in combination with certain other options.
First, the backup is not compressed even though the header claims it is. To get around this, backupdecrypt.pl has a --nocompress option to override the header.
Second, the encapsulated tar file is corrupted by the insertion of 4 extra bytes before every file header and before every group of 64 512-byte blocks of data.
The third routine tarfix.pl fixes this corruption and outputs a normal readable tar file. So, if you are not able to recover a valid tar backup file using backupdecrypt.pl, try doing the following:
backupdecrypt.pl --nocompress <backup.ab> <backupdata>
tarfix.pl backupdata | tar xv
Enjoy!
NOTE: I am incredibly grateful to Nikolay Elenkov for providing sample java routines and for help in understanding the encryption formats

Thanks for this. I was looking for away to peek into the backup file.

Problem decrypting
just what i was looking for, unfortunately, the tarfix.pl doesn't seem to like my backup.
Code:
[email protected]:~/Sandbox/transformerprime$ ~/bin/adbbackup/backupdecrypt.pl --nocompress backup.ab decrypted
the following is where things get funky. not recognized as a tar archive
Code:
[email protected]:~/Sandbox/transformerprime$ ~/bin/adbbackup/tarfix.pl decrypted | tar xv
Illegal binary digit ']' ignored at /home/user/bin/adbbackup/tarfix.pl line 107.
Wide character in oct at /home/user/bin/adbbackup/tarfix.pl line 107.
Illegal binary digit '�������������' ignored at /home/user/bin/adbbackup/tarfix.pl line 107.
tar: This does not look like a tar archive
tar: Skipping to next header
Illegal octal digit '8' ignored at /home/user/bin/adbbackup/tarfix.pl line 107.
Wide character in oct at /home/user/bin/adbbackup/tarfix.pl line 107.
Illegal binary digit '�������������' ignored at /home/user/bin/adbbackup/tarfix.pl line 107.
Illegal hexadecimal digit 'X' ignored at /home/user/bin/adbbackup/tarfix.pl line 107.
Illegal hexadecimal digit '' ignored at /home/user/bin/adbbackup/tarfix.pl line 107.
Illegal octal digit '9' ignored at /home/user/bin/adbbackup/tarfix.pl line 107.
Wide character in oct at /home/user/bin/adbbackup/tarfix.pl line 107.
Illegal binary digit '�������������' ignored at /home/user/bin/adbbackup/tarfix.pl line 107.
Wide character in oct at /home/user/bin/adbbackup/tarfix.pl line 107.

Fix for tarfix.pl issue
I had ran into issues with ADB backups performed under Android 4.0.4 before the JB upgrade (on a Samsung Galaxy Nexus). I did include the shared storage (accidentally or intentionally I don't remember) and I ran into this bug (Android issue 28303; sorry, I am new here and not allowed to post outside links). Some investigation revealed that while the backup was supposedly AES encrypted and "Deflate" compressed, this was only true for the first "part" of it. At around 150 MB into the file, a simple tar archive of the SD card content was appended. ADB was unable to restore any SD card content per the bug linked to above.
What I did to resolve:
Use a hex editor (HxD) to get to the start of the appended tar archive
Copy this part to a new ".tar" file
Experiment with tarfix.pl and run into the same issues as the previous poster
Look at the code and TAR file content and find out that 00 00 02 00 needs to be prepended to the tar file for tarfix.pl to do its job
Key learning was that the ADB backup tool will create plaintext, corrupted tar format backups that it cannot restore. It is problematic that while the user will believe they have an encrypted backup they can restore, they actually have a plaintext backup that they cannot restore...

Hi,
where did you get PBKDF2.pm from?
I couldnt find it in Fedora repos and the only one I got from the internat has an issue:
Undefined subroutine &Crypt:penSSL:BKDF2::derive called at ./backupdecrypt.pl line 266, <STDIN> line 1.
Thanks,
Klement

CPAN
All modules were pulled from CPAN directly (I had to use Cygwin as I was on the road), e.g. "perl -M CPAN -e shell" and then issuing "install Crypt:penSSL:BKDF2".

binaryhero said:
I had ran into issues with ADB backups performed under Android 4.0.4 before the JB upgrade (on a Samsung Galaxy Nexus). I did include the shared storage (accidentally or intentionally I don't remember) and I ran into this bug (Android issue 28303; sorry, I am new here and not allowed to post outside links). Some investigation revealed that while the backup was supposedly AES encrypted and "Deflate" compressed, this was only true for the first "part" of it. At around 150 MB into the file, a simple tar archive of the SD card content was appended. ADB was unable to restore any SD card content per the bug linked to above.
What I did to resolve:
Use a hex editor (HxD) to get to the start of the appended tar archive
Copy this part to a new ".tar" file
Experiment with tarfix.pl and run into the same issues as the previous poster
Look at the code and TAR file content and find out that 00 00 02 00 needs to be prepended to the tar file for tarfix.pl to do its job
Key learning was that the ADB backup tool will create plaintext, corrupted tar format backups that it cannot restore. It is problematic that while the user will believe they have an encrypted backup they can restore, they actually have a plaintext backup that they cannot restore...
Click to expand...
Click to collapse
I ran afoul of this (foolishly didn't finish the 30 page forum post on it before diving in ). I'm trying your perl solution now, but I'm afraid I'm unfamiliar with tar headers in a hex viewer. Could I trouble you for some pointers on how best to determine where the TAR starts? I understand there is some sort of header, but I can't figure out what to look for.
Thanks, though, the perl runs well and I'm learning alot (far more than I ever wanted, tbh) about tars,encrypted backups, adb, etc.
:good:

Thanks for your great tools! Here is some better way for unpacking?
dd if=mybackup.ab bs=1 skip=24 | openssl zlib -d > mybackup.tar
For packing (just need to add 24 butes to header (41 4E 44 52 4F 49 44 20 42 41 43 4B 55 50 0A 31 0A 31 0A 6E 6F 6E 65 0A)?
openssl zlib -in mybackup.tar -out gg.ab
Hope it helps! :good:

munjeni said:
Thanks for your great tools! Here is some better way for unpacking?
dd if=mybackup.ab bs=1 skip=24 | openssl zlib -d > mybackup.tar
For packing (just need to add 24 butes to header (41 4E 44 52 4F 49 44 20 42 41 43 4B 55 50 0A 31 0A 31 0A 6E 6F 6E 65 0A)?
openssl zlib -in mybackup.tar -out gg.ab
Hope it helps! :good:
Click to expand...
Click to collapse
Of course. You have to concatenate the created ab backup to the first 24 bytes.
Get the first 24 bytes of an unencrypted backup
Code:
dd if=mybackup.ab bs=24 count=1 of=first24
Concatenate
Code:
cp first24 backup.ab
openssl zlib -in mybackup.tar >> backup.ab
---------- Post added at 10:25 AM ---------- Previous post was at 10:21 AM ----------
binaryhero said:
All modules were pulled from CPAN directly (I had to use Cygwin as I was on the road), e.g. "perl -M CPAN -e shell" and then issuing "install Crypt:openSSL:BKDF2".
Click to expand...
Click to collapse
Says "Missing argument to -M."

You concatenation is wrong! Your command "cp" will overwrite backup.ab! You can concetate 2 files using "cat" for example "cat first24 backup.ab > new.backup.ab"
Do you have idea how I can generate timestamp of these file in "13 number" format?
<?xml version="1.0" encoding="UTF-8"?>
<recordset version="1" timestamp="1344764788434" size="61667">
<record name="back.ab" type="1" size="12662" order="1" catagory="1" id="back.ab"><packagelist><package>com.android.settings</package></packagelist></record>
</recordset>
Click to expand...
Click to collapse
Edit:
found a way for generating timestamt with 13 numbers
stat -c '%Y000' backup.ab

munjeni said:
You concatenation is wrong! Your command "cp" will overwrite backup.ab!
Click to expand...
Click to collapse
Of course, you have to use different names.

binaryhero said:
I had ran into issues with ADB backups performed under Android 4.0.4 before the JB upgrade (on a Samsung Galaxy Nexus). I did include the shared storage (accidentally or intentionally I don't remember) and I ran into this bug (Android issue 28303; sorry, I am new here and not allowed to post outside links). Some investigation revealed that while the backup was supposedly AES encrypted and "Deflate" compressed, this was only true for the first "part" of it. At around 150 MB into the file, a simple tar archive of the SD card content was appended. ADB was unable to restore any SD card content per the bug linked to above.
What I did to resolve:
Use a hex editor (HxD) to get to the start of the appended tar archive
Copy this part to a new ".tar" file
Experiment with tarfix.pl and run into the same issues as the previous poster
Look at the code and TAR file content and find out that 00 00 02 00 needs to be prepended to the tar file for tarfix.pl to do its job
Key learning was that the ADB backup tool will create plaintext, corrupted tar format backups that it cannot restore. It is problematic that while the user will believe they have an encrypted backup they can restore, they actually have a plaintext backup that they cannot restore...
Click to expand...
Click to collapse
Hi al!
I also ran into the problem, that my .ab backup created with -shared option can't be restored.
Running backupdecrypt.pl seems to work fine, but tar archive is corrpted. But not the whole file: e.g. Ark sees some files and folders both from apps and storage. When using tarfix.pl i get same errors like trogdan in 3rd post.
To me it seems, that not every file in the tar archive is corrupted. I tried with cpio to rescue at least something and it runs quite a while. It also can read files from storage folder, but fails then somewhere in the middle (to be specific: i have a TitaniumBackup folder in storage. cpio can copy some of the files from this folder, but then fails at others. i don't know, why the corrupted segment should start somewhere and not at the beginning of storage...)
binaryhero and others: could you be please more specific how you managed to repair the .ab file or at least rescued the containing files? I would like to know, how to get tarfix.pl working. Is it possible, that only segments of the .ab file are corrupted? how can i identify them?
Any help and hints are highly appreciated! Thanks in advance! LLAP _\V/, bye Marc.

marchard said:
Hi al!
I also ran into the problem, that my .ab backup created with -shared option can't be restored.
Click to expand...
Click to collapse
Create an adb backup with the apps/ folder only, and the shared/ is just the sdcard you can restore it with another adb backup or manually, for example via ftp.

scandiun said:
Create an adb backup with the apps/ folder only, and the shared/ is just the sdcard you can restore it with another adb backup or manually, for example via ftp.
Click to expand...
Click to collapse
Unfortunately dataloss occurred. that means, it is essential for me, to read somehow the content of .ab file.

marchard said:
Unfortunately dataloss occurred. that means, it is essential for me, to read somehow the content of .ab file.
Click to expand...
Click to collapse
zlib has to be able to process the ab file (considering that has no password). If zlib doesn't work, I don't know how could you workaround that, but seems impossible to me.
munjeni said:
You can concetate 2 files using "cat" for example "cat first24 backup.ab > new.backup.ab"
Click to expand...
Click to collapse
To overwrite is this operator: >
To binary append this one: >>
So in this case is being done right.

Hi all! I'm having a few problems, and not really sure where I'm going wrong so hoping you can help. I am coming from froyo (rooted) to jelly bean (not rooted), so cannot use adb backup on the froyo phone, and cannot use adb push on jelly bean (don't want to root my htc one x+). So at the moment I haven't got many options to transfer my app data from my froyo phone to jelly bean.
At the moment, my plan is to use adb pull on the froyo phone to grab my "app data" (specifically angry birds), and then use adb backup on the jelly bean phone to create a .ab file. I then use the OPs perl files to convert the .ab file to a .tar, and then extract that file (on Ubuntu 12.04), replace the app data in the extracted folder with my froyo app data, compress that back to a .tar, then use the perl file to convert back to .ab. I then use adb restore to restore the backup. However, when I then go into angry birds, its just reset and there is no save data. Can anybody see if there is anything wrong with what i'm doing?

cn198 said:
Hi all! I'm having a few problems, and not really sure where I'm going wrong so hoping you can help. I am coming from froyo (rooted) to jelly bean (not rooted), so cannot use adb backup on the froyo phone, and cannot use adb push on jelly bean (don't want to root my htc one x+). So at the moment I haven't got many options to transfer my app data from my froyo phone to jelly bean.
At the moment, my plan is to use adb pull on the froyo phone to grab my "app data" (specifically angry birds), and then use adb backup on the jelly bean phone to create a .ab file. I then use the OPs perl files to convert the .ab file to a .tar, and then extract that file (on Ubuntu 12.04), replace the app data in the extracted folder with my froyo app data, compress that back to a .tar, then use the perl file to convert back to .ab. I then use adb restore to restore the backup. However, when I then go into angry birds, its just reset and there is no save data. Can anybody see if there is anything wrong with what i'm doing?
Click to expand...
Click to collapse
I am almost 100% sure that you are generating an invalid tar file.

scandiun said:
I am almost 100% sure that you are generating an invalid tar file.
Click to expand...
Click to collapse
Is there a unique attribute applied to the original tar file then? Any idea how to generate a valid tar file?

cn198 said:
Is there a unique attribute applied to the original tar file then? Any idea how to generate a valid tar file?
Click to expand...
Click to collapse
It's not that simple. I am writing a guide based on a third party software for the purpose of Android backups. I'll post here as soon as is published. I hope to have it completed in a day our do.

scandiun said:
It's not that simple. I am writing a guide based on a third party software for the purpose of Android backups. I'll post here as soon as is published. I hope to have it completed in a day our do.
Click to expand...
Click to collapse
That sounds great, looking forward to seeing your efforts! :good: