Database Info

Idea to hack SPL(let's discuss)

At the last few steps before booting the linux kernel, SPL will read the value in booting image which determines where the kernel will be loaded to.
In desire it looks like below.
Code:
RAM:8E00F5F4 MOV R4, boot_img_header_addr
RAM:8E00F5FC LDR R0, [R4,#0xC]
RAM:8E00F600 BL ioremap
RAM:8E00F604 MOV R2, R0
RAM:8E00F608 MOV R0, R5
RAM:8E00F60C MOV R1, R7
RAM:8E00F610 LDR R3, [R4,#8]
RAM:8E00F614 BL partition_read_some
RAM:8E00F618 RSB R2, R7, #0
RAM:8E00F61C LDR R3, [R4,#8]
RAM:8E00F620 SUB R3, R3, #1
RAM:8E00F624 ADD R3, R3, R7
RAM:8E00F628 AND R3, R2, R3
RAM:8E00F62C ADD R7, R3, R7
RAM:8E00F630 LDR R0, [R4,#0x14]
RAM:8E00F634 BL ioremap
RAM:8E00F638 MOV R2, R0
RAM:8E00F63C MOV R0, R5
RAM:8E00F640 MOV R1, R7
RAM:8E00F644 LDR R3, [R4,#0x10]
RAM:8E00F648 BL partition_read_some
RAM:8E00F64C B loc_8E00F65C
So if we can set a value which it maps just to 0x8e00f64c it will overwrite the code which is about to execute so we can patch SPL.
ioremap function I reversed is in the attachment.
Can we do this? Someone did similar thing on G2.
Refer this youself.
showthread.php?t=559806

Wish i could help with this but unfortunatly i have no knowledge of these things (yet). Anyway, i looks like a promising start considering the linked topic. It's about time we get proper access to this phone, it was a big let down discovering an "open" OS soo much locked down.

Ultimately it is a shame that HTC make it harder and harder for dev's to gain access to the relevant areas of the phone that they need in order for us all to enjoy the baked goodness! Is a shame that android was designed to be open but the phones are become far more closed!

But how would we flash this if we cant flash through fastboot?

We are able to flash kernels on the desire.
But are we not able to flash a Death-SPL with the permament recovery?
I think we can but we can not extract the SPL from Desire so we cant patch it .... =( i read something similar i think sorry if im wrong

allready tried that. didnt work like it does for the htc hero

and why? ..... =)

i guess because of ioremap. but we can cut the hboot.nb0 at the offset we want to patch something in. add the patch at the end of it and then we remap it to 000x8e0000 then it should patch in our changes at the offset we want.
going to try it ...
-----
i cant get it load on the offset 0x8e000000 its like ioremap is a protection against that.

not at this offset either ?
0x8e00f64c

adam235 said:
i guess because of ioremap. but we can cut the hboot.nb0 at the offset we want to patch something in. add the patch at the end of it and then we remap it to 000x8e0000 then it should patch in our changes at the offset we want.
going to try it ...
-----
i cant get it load on the offset 0x8e000000 its like ioremap is a protection against that.
Click to expand...
Click to collapse
Good Luck
edit: just realised.. you updated the post to say it wont work

on the htc hero it was possible to map it to 0x8F000000 when you set the kernel base to 0x00000000. but i think htc removed the values inside the ioremap struct so thats its not possible anymore. on desire hboot the offset 0x00000000 gets remaped to 0xAE000000 and i couldnt bruteforce a usefull offset

doh...

hm i just wanted to proof my thinking and pasted in the hero struct into the code from the first post and the result was diffrent as expected:
~/Android $ ./ioremap 00000000
00000000 af000000
which means the base 0x00000000 should also work for the htc desire but i allready tried that one and it didnt work.
thats the code im trying to patch in @ 0x8E00F634
.section ".text", #alloc, #execinstr
.align
.start:
ldr r0, newcommandset
ldr r1, dest
str r0, [r1, #0]
ldmfd sp!,{r4-r8,pc}
newcommandset:
.word 0x8E07B348
dest:
.word 0x8E0174D0
Click to expand...
Click to collapse
but after i boot the kernel. i see the output of a call that comes after 0x8E00F634 which means my code wasnt patched in.

do you get any errors ?

@adam
Can you try to directly call a subroutine which meant to unlock or something interesting?
Or can someone find a exploit in SPL?

my code doesnt get executed so i cant call anything ...
like the hero radio, the desire radio got some security i cant bypass. i can send commands like [email protected]=11111111 but the radio just returns a error. the only way to bypass the checks is to patch the radio like it was done with the hero.

adam235 said:
hm i just wanted to proof my thinking and pasted in the hero struct into the code from the first post and the result was diffrent as expected:
~/Android $ ./ioremap 00000000
00000000 af000000
which means the base 0x00000000 should also work for the htc desire but i allready tried that one and it didnt work.
thats the code im trying to patch in @ 0x8E00F634
but after i boot the kernel. i see the output of a call that comes after 0x8E00F634 which means my code wasnt patched in.
Click to expand...
Click to collapse
Well, this code should expand oem command list and it do not change PC. And I see some co-processor instructions before jumping to kernel and I dont know what they do. So when you return, where is it going to?

the problem is that if my code works, the jmp to the kernel entrypoint should never be reached, as my code gets executed right after my code gets copied from the boot partition to 0x8E00F634. then it should patch in the extended command va and return back to the hboot. thats why im patching in this opcode: ldmfd sp!,{r4-r8,pc}.
the co processor code you see prepares everything for the jmp to the kernel (mmu init) but i dont know any details as normaly you dont want to reach this location.

[dev] real MAC wifi reading

Hi devs, I have idea for MAC reading. First, I know real MAC is located in SPL (I know this becouse I'm tried), I'm tried to read MAC from kernel side but problem is reading SPL becouse board-photon.h have defined:
Code:
#define MSM_MEM1_BASE 0x00000000
#define MSM_LINUX_BASE_OFFSET 0x00200000
#define MSM_PHOTON_LINUX1_BASE (MSM_MEM1_BASE + MSM_LINUX_BASE_OFFSET) /* 2MB alignment */
#define MSM_PHOTON_LINUX1_SIZE (MSM_MEM1_SIZE - MSM_LINUX_BASE_OFFSET)
SPL have size of 0x80000 and we skipped it. My idea is:
- patch haret to copy some SPL addreses (addrese where is wifi nvs ram) to another memory location
- read these location from kernel side
or
- edit kernel code to read this location or edit kernel to copy SPL to an memory location
What you think? Maybe you have idea how to read SPL?

i think there is solutions easier than SPL to get MAC addr

real mac == winMo?

i have an idea, but not tested yet:
simply remove "macaddr=00:11:22:33:44:55\n" from htc_wifi_nvs.c
recompile
it should work now
(my guess is the driver already read the good address, but we overwrite it with bad value)

No, I'm tried without static nvs! Only sense I think is reading these nvs from memory, but if we want to read this we must have access to first 0x80000 bytes (SPL), or maybe adding kernel code (command line parameter), or maybe DEX call (I dont know if is possible)
See picture, you will see where is nvs in spl, also you will see we have defined static_nvs diferent than nvs in spl!

you're totaly right.
and htc_wifi_nvs.c for liberty is extracting the NVS from bootloader.
i think the address we have is wrong:
This is the address for Liberty:
#define ATAG_MSM_WIFI 0x57494649 /* MSM WiFi */
Click to expand...
Click to collapse
For our bootloader, it must be different. i'll investigate.

Is the MAC in startup.txt used by Android?
If that is the case, may it is more easy to write a WinMo app that adjusts the startup.txt with the MAC know by WinMo.
Or is that to easy?

-r0bin- said:
you're totaly right.
and htc_wifi_nvs.c for liberty is extracting the NVS from bootloader.
Click to expand...
Click to collapse
I think is not from bootloader becouse liberty bootloader start at 0x0 and is size < 1M, but ok, good thing is - you understand me, and I thk you for it!
We need to read:
- start at 0x65720
- read 0x239 bute

munjeni said:
I think is not from bootloader becouse liberty bootloader start at 0x0 and is size of 1M, but ok, good thing is - you understand me, and I thk you for it!
We need to read:
- start at 0x65720
- read 0x239 bute
Click to expand...
Click to collapse
thanks, but what address do you dump? (0x65720 is only the offset)
how do you create this memory dump?

I showed you how I do it, but you're not ...attention to my post. I'll tell you, unlike you who is hiding information
see this link how I dump memmory.
Code:
976 // cardsharing smem dump
977 /*int i;
978 int x[1000];
979 printk("Battery hex smem dump: ");
980 for (i=0; i<1000; i++)
981 {
982 x[i] = readl(MSM_SHARED_RAM_BASE + 0xfc000 + i) & 0x000000ff;
983 printk("%02x", x[i]);
984 }
985 printk("\n");*/
Problem is: we not have access to spl!

Maybe from this way:
msm_nand_read: 65720 239
Code:
msm_nand_read(struct mtd_info *mtd, loff_t from, size_t len,
size_t *retlen, u_char *buf)
{
int ret;
struct mtd_oob_ops ops;
/* printk("msm_nand_read %llx %x\n", from, len); */
ops.mode = MTD_OOB_PLACE;
ops.len = len;
ops.retlen = 0;
ops.ooblen = 0;
ops.datbuf = buf;
ops.oobbuf = NULL;
ret = msm_nand_read_oob(mtd, from, &ops);
*retlen = ops.retlen;
return ret;
}
return wifi_nvs;
What you think?

munjeni said:
but if we want to read this we must have access to first 0x80000 bytes (SPL)
Click to expand...
Click to collapse
first 0x80000 bytes of what? memory?
munjeni said:
See picture, you will see where is nvs in spl, also you will see we have defined static_nvs diferent than nvs in spl!
Click to expand...
Click to collapse
how did you generated this picture?
i mean, what address did you used?

yes, of memory
haret: pwf spl.dump 0x0 0x80000
Program used to read spl.dump is: X&D hex editor
Program used to screen capture is: FastStone Capture
From kernel side I'm tried to dump android memory (spl from 0x0 len 0x80000), but without success, I think is not possible in this time, we need modifications to do that!

oook i got it!
physical address = 0x65720
thats sounds easy!
and you cannot dump memory like this under Linux, it uses virtual address!!!

ok, good if is easy! Please report here if you got it and how you got it, I need that knownledge for my future development, ok?

munjeni said:
ok, good if is easy! Please report here if you got it and how you got it, I need that knownledge for my future development, ok?
Click to expand...
Click to collapse
under android, when i use this func: "phys_to_virt(0x65720)" it gives me this virtual address: 0xbfe65720
unfortunately system crash when i try to access it.
there must be another way...

maybe is empty virtual (or we not have permisions to read) becouse we skipped first 0x100000 (board_photon.h) from psychical, hmm I not understand why crashed? I'm also tried and also with crashing. If I'm right MSM_SHARED_RAM_BASE is psychical and other defined in board_photon.h is also psychical?

found by schlund:
https://gitorious.org/linux-on-winc...ter/arch/arm/mach-msm/board-htcleo-wifi-nvs.c
on HTC Leo, they read SMEM and can retrieve MAC addr, it is encrypted by CRC32

good! But maybe we also need to change hardcoded_nvs bassed on picture. Are you got mac from smem after crc decode? I've not tried to read

actually it's not the real MAC addr, its a random one
regarding the real NVS data from hardware:
- either the bootloader memory has a special protection
- either we are using the wrong RAM virtual address
- either we dont have the good access method

[Q] Porting ANDROID to PXA310 Plat

I want to bring-up ANDROID on a PXA310 custom platform designed by me, it is not a commercial platform available on the market.
I have already ported to the platform WINDOWS CE 5, so I am using Haret.exe in order to start a linux kernel stored on the SD card.
the linux kernel, zImage, is compiled with support for PXA310 and littleton and zylonite development boards by Marvell because my platform is based on these reference designs.
I have enabled also CONFIG_DEBUG_LL in order to see debug messages before linux console is enabled over debug serial port that is STUART in my case like for littleton.
So I am using the littleton as machine ID in the Haret.exe Default.txt script file and so I can see the first low level messages when decompressing the zImage into Image at zrleaddr-y position in RAM.
I can see also low level messages coming from the first stages of the uncompressed linux code where it looks up for the CPU ID and for the
MACHINE ID.
So for example if I put a unsupported MACHINE ID in the Default.txt, I can see an error message on the serial debug port.
But after I don't see anything.
Consider that I have not yet implemented LCD driver in the kernel.
The problem is that the system now is stuck somewhere, I don't know where .
It looks like after the jump to start_kernel I don't see any other messages.
I don't see the banner of linux kernel like the version.
I am pretty sure that all the following code of the Kernel startup entry point in /linux-2.6.29/arch/arm/kernel/head.s is executed as I can put traces and then I see them over serial debug port:
.section ".text.head", "ax"
ENTRY(stext)
msr cpsr_c, #PSR_F_BIT | PSR_I_BIT | SVC_MODE @ ensure svc mode
@ and irqs disabled
mrc p15, 0, r9, c0, c0 @ get processor id
bl __lookup_processor_type @ r5=procinfo r9=cpuid
movs r10, r5 @ invalid processor (r5=0)?
beq __error_p @ yes, error 'p'
bl __lookup_machine_type @ r5=machinfo
movs r8, r5 @ invalid machine (r5=0)?
beq __error_a @ yes, error 'a'
bl __vet_atags
bl __create_page_tables
/*
* The following calls CPU specific code in a position independent
* manner. See arch/arm/mm/proc-*.S for details. r10 = base of
* xxx_proc_info structure selected by __lookup_machine_type
* above. On return, the CPU will be ready for the MMU to be
* turned on, and r0 will hold the CPU control register value.
*/
ldr r13, __switch_data @ address to jump to after
@ mmu has been enabled
adr lr, __enable_mmu @ return (PIC) address
//bl __my_trace_over_debug_port
add pc, r10, #PROCINFO_INITFUNC
ENDPROC(stext)
why do the CONFIG_DEBUG_LL messages print out to the right serial port while 'printk' messages don't come out? do they go to a different port?
any suggestion?
Thanks!
Marco

Sensorhub and Note 2 recovery maintainers

Please compile, if possible, your embedded recovery kernels without the sensorhub defconfig options.
CONFIG_SENSORS_SSP=y
CONFIG_SENSORS_SYSFS=y
CONFIG_SENSORS_SSP_ACCELEROMETER_POSITION=7
CONFIG_SENSORS_SSP_GYROSCOPE_POSITION=7
CONFIG_SENSORS_SSP_MAGNETOMETER_POSITION=7
CONFIG_SENSORS_SSP_LSM330=y
CONFIG_SENSORS_SSP_CM36651=y
CONFIG_SENSORS_SSP_AK8963C=y
CONFIG_SENSORS_SSP_BMP182=y
CONFIG_SENSORS_SSP_AT32UC3L0128=y
CONFIG_SENSORS_SSP_SENSORHUB=y
The kernel flashes over the sensorhub firmware on every single entry of recovery, and rebooting into the normal kernel, if the embedded kernel firmware mismatches the live hardware firmware. I consider this dangerous because firstly I don't know what happens if a firmware flash fails on boot, and secondly, the whole procedure is done over the I2C bus and takes about 22 seconds, increasing the boot time (and recovery entry) dramatically. The firmware changes relatively often and we have like 4 different versions out there in the wild at this moment and they will surely increase.
Off-topic: The sensorhub is a new dedicated micro-controller chip found on the Note 2 which handles all device sensors, instead of them being handled by the main CPU itself. The point of the thing is to offload that work from the CPU to vastly improve battery life.

Thank you a lot for the feedback and input about this issue
When compiling recoveries, we get the binary (recovery file) and the kernel. Sorry if I seem noob here, but I do not compile kernels, I am only used to cwm source. And in the recovery binary sources, there is no sensors flashed, it is the kernel that is repacked with it.
Now, if I take a recovery.img as it is outputted when compiled from cm10 sources, that is packed with a cm10 kernel, the recovery will boot without a delay.
However, that will break exfat support since we cannot insmod the external modules
So, the only choice is to repack the recovery ramdisk with a stock Samsung kernel, and that's what I do in my recoveries. However, this seems to induce the boot delay for people using custom kernels built around some sources (redpill, Perseus)
These recoveries repacked with a Samsung kernel will run fine along stock kernels and Note2core custom kernel (also a 4.1.2 source).
One of the potential causes is this part of code I believe (have no Note 2 to debug it)
drivers/sensor/ak8963.c
Code:
if (retry_count < 5) {
retry_count++;
pr_warn("############################################");
pr_warn("%s, retry_count=%d\n", __func__, retry_count);
pr_warn("############################################");
goto retry;
} else {
There is a check routine repeated 5 times, and on each repeat count a goto loop. The retry loop restarts much above in the code
retry:
Code:
#ifdef FACTORY_TESTstatic int ak8963c_selftest(struct akm8963_data *ak_data, int *sf){
.
.
.
retry:
/* read device info */
i2c_smbus_read_i2c_block_data(ak_data->this_client,
AK8963_REG_WIA, 2, buf);
pr_info("%s: device id = 0x%x, info = 0x%x\n",
__func__, buf[0], buf[1]);
/* set ATSC self test bit to 1 */
i2c_smbus_write_byte_data(ak_data->this_client,
AK8963_REG_ASTC, 0x40);
/* start self test */
i2c_smbus_write_byte_data(ak_data->this_client,
AK8963_REG_CNTL1,
AK8963_CNTL1_SELF_TEST);
/* wait for data ready */
while (1) {
msleep(20);
if (i2c_smbus_read_byte_data(ak_data->this_client,
AK8963_REG_ST1) == 1) {
break;
}
}
i2c_smbus_read_i2c_block_data(ak_data->this_client,
AK8963_REG_HXL, sizeof(buf), buf);
/* set ATSC self test bit to 0 */
i2c_smbus_write_byte_data(ak_data->this_client,
AK8963_REG_ASTC, 0x00);
x = buf[0] | (buf[1] << 8);
y = buf[2] | (buf[3] << 8);
z = buf[4] | (buf[5] << 8);
/* Hadj = (H*(Asa+128))/256 */
x = (x*(ak_data->asa[0] + 128)) >> 8;
y = (y*(ak_data->asa[1] + 128)) >> 8;
z = (z*(ak_data->asa[2] + 128)) >> 8;
pr_info("%s: self test x = %d, y = %d, z = %d\n",
__func__, x, y, z);
if ((x >= -200) && (x <= 200))
pr_info("%s: x passed self test, expect -200<=x<=200\n",
__func__);
else
pr_info("%s: x failed self test, expect -200<=x<=200\n",
__func__);
if ((y >= -200) && (y <= 200))
pr_info("%s: y passed self test, expect -200<=y<=200\n",
__func__);
else
pr_info("%s: y failed self test, expect -200<=y<=200\n",
__func__);
if ((z >= -3200) && (z <= -800))
pr_info("%s: z passed self test, expect -3200<=z<=-800\n",
__func__);
else
pr_info("%s: z failed self test, expect -3200<=z<=-800\n",
__func__);
sf[0] = x;
sf[1] = y;
sf[2] = z;
if (((x >= -200) && (x <= 200)) &&
((y >= -200) && (y <= 200)) &&
((z >= -3200) && (z <= -800))) {
pr_info("%s, Selftest is successful.\n", __func__);
return 1;
} else {
if (retry_count < 5) {
retry_count++;
pr_warn("############################################");
pr_warn("%s, retry_count=%d\n", __func__, retry_count);
pr_warn("############################################");
goto retry;
}
These are many retries using a non efficient goto loop.
Basically, here's the current possibilities I see:
- if we repack the recovery with your kernel or redpill, people will get delay issues on stock ROMs/Kernels
- if we use cm10 kernel: no delays but we loose exfat support
- if we use note2core kernel we'll probably loose exfat support
- if I recompile kernel from samsung sources without the sensors, it seems it will also break exfat
So, at the end I do not see a good choice that will satisfy every one. Either I wait for Samsung to release their sources so that you fix the kernel or I repack with 2 kernels: Samsung stock and redpill, so people can chose
Hope I am not getting it all wrong, but that's how I understand it

All that code is totally irrelevant and has nothing to do with the issue. I also don't understand what you want to say about that loop? Goto is inefficient? Nonsense.
The firmware flash and logic happens in /drivers/sensorhub/ssp_firmware.c and its just a few lines of code. The whole flash process is logged in kmsg at boot so you can just retrieve that and see for yourself.
And you're missing the point, as long as you embed ANY kernel with the sensorhub drivers, they will flash it. There are stock kernels out there with versions 91100, 92600, 92800, 102600 (just from the top of my head, might differ). If you use any recovery kernel whose version mismatches the boot.img kernel firmware, you will get the issue.
And to be honest, I don't understand what the fuss is about fixing it, TWRP includes now a kernel with exFat and removed sensor drivers. You just have to do the same.
Phil3759 said:
Either I wait for Samsung to release their sources so that you fix the kernel
Click to expand...
Click to collapse
There is nothing to fix from the live kernel side, I hope you understand that...

AndreiLux said:
All that code is totally irrelevant and has nothing to do with the issue. I also don't understand what you want to say about that loop? Goto is inefficient? Nonsense.
The firmware flash and logic happens in /drivers/sensorhub/ssp_firmware.c and its just a few lines of code. The whole flash process is logged in kmsg at boot so you can just retrieve that and see for yourself.
And you're missing the point, as long as you embed ANY kernel with the sensorhub drivers, they will flash it. There are stock kernels out there with versions 91100, 92600, 92800, 102600 (just from the top of my head, might differ). If you use any recovery kernel whose version mismatches the boot.img kernel firmware, you will get the issue.
And to be honest, I don't understand what the fuss is about fixing it, TWRP includes now a kernel with exFat and removed sensor drivers. You just have to do the same.
There is nothing to fix from the live kernel side, I hope you understand that...
Click to expand...
Click to collapse
AndreiLux said:
Sorry but you're a bit out of bound here with accusing kernel developers and doing such claims about the source of the issue while you seem pretty ignorant about the technical aspects of the problem.
As I said and explained in the thread you linked, the problem lies with the recovery and not the boot kernel. You're the one who will have to adapt your embedded kernel that you include here.
Click to expand...
Click to collapse
You also seem a bit ignorant about recoveries
TWRP doesn't included any custom kernel with exfat support. It comes with cm9 kernel and maybe now cm10.1 since they moved sources to 4.2 recently. Their source is just the android/bootable/recovery part built around cyanogenmod source. CM kernel, as I said in my answer, doesn't flash the sensors that's why there is no delay. That's the only reason why twrp won't have the delay. I can also include cm10 kernel and no more delays, but say good bye to exfat.
TWRP includes native exfat support where as CM and AOKP choose to not include it in their source (thus cwm) because it is not legal (MS patent). Only thing cwm devs can do:
- import twrp source for exfat support and break the MS patent
- use Samsung genuine kernel to get exfat support
So, not an easy decision / move as you suggest

Phil3759 said:
TWRP doesn't included any custom kernel with exfat support. It comes with cm9 kernel and maybe now cm10.1 since they moved sources to 4.2 recently. Their source is just the android/bootable/recovery part built around cyanogenmod source. CM kernel, as I said in my answer, doesn't flash the sensors that's why there is no delay. That's the only reason why twrp won't have the delay. I can also include cm10 kernel and no more delays, but say good bye to exfat.
TWRP includes native exfat support where as CM and AOKP choose to not include it in their source (thus cwm) because it is not legal (MS patent). Only thing cwm devs can do:
- import twrp source for exfat support and break the MS patent
- use Samsung genuine kernel to get exfat support
So, not an easy decision / move as you suggest
Click to expand...
Click to collapse
Sorry but almost everything you said its wrong.
TWRP includes a modified CM kernel with added exFat and since I've made Bigbiff aware, also removes the sensorhub drivers.
CM kernel, as I said in my answer, doesn't flash the sensors that's why there is no delay.
Click to expand...
Click to collapse
The CM kernel is based on the Samsung sources and has the flash logic intact, because it's obviously needed in the OS to even have functioning sensors. It's not flashing in your case because you have matching firmwares, and that's all.
Sorry but I suggest you inform yourself here a bit more, I've explained it pretty clearly yet you seem to be ranting about things which are just not correct.

delete

[ROM][7.1.2][i9305]Unofficial LineageOS 14.1 by Exynos4 Team

[ROM][7.1.2][i9305]Unofficial LineageOS 14.1 by Exynos4 Team
Code:
/*
* Your warranty is now void.
*
* I am not responsible for bricked devices, dead SD cards,
* thermonuclear war, or you getting fired because the alarm app failed. Please
* do some research if you have any concerns about features included in this ROM
* before flashing it! YOU are choosing to make these modifications, and if
* you point the finger at me for messing up your device, I will laugh at you.
*/
What is Exynos4 Team?
The Exynos4 team is composed of the current maintainers for T0LTE/T0LTEKOR for both LineageOS and Resurrection Remix.
(@Option58, @kozmo21 and @PoisonNinja)
Difference between this and official Lineage 14.1
This is more like a bleeding edge build. Upcoming changes/fixes will show up here first, and eventually make it into Lineage official. So, if you want the latest and greatest changes for the Note 2 and than ported to the i9305, if possible, flash this instead of official.
Due to LineageOS rules, if you are switching between official and unofficial builds you will have to clean flash.
Exynos4 Team like to say thanks to:
The great developer community out there. We've had a lot of help from other people.
- the LineageOS team
- the Galaxy S3 LineageOS maintainer github.com/fourkbomb.
- the NamelessROM project github.com/namelessrom.
- xda users for testing and bug reports.
And I want to say thanks to:
PoisonNinja and Option58, who helped me a lot to set up the device tree and vendor blobs for that Exynos4 rom,
which is mainly created or grown out of the hwc idea.
and credits to @p.a.n for his work and providing his changes and patches.
Working
Graphics
Wifi
Data
RIL
Bluetooth (?!?)
Sensors
Vibration
Camera
NFC
Audio
Video Playback
Not working/Bugs/Unknown
[*]GPS is not working currently Fix is in second post!!
Bluetooth audio (may or may not work for you), please check and report back
MTP crashes when uninstalling an app
Installation
Read the FAQ to familiarize yourself with any issues that may come up
Make sure you're using the latest TWRP version
Download and copy latest rom version to the phone, preferably on internal storage
Factory reset in TWRP (Very important! Do not skip)
Format system, cache, dalvik, data
Flash unofficial LineageOS 14.1
Flash Gapps
Optional: Flash root package
Reboot
Be patient. The first boot will take between 5 - 15 minutes.
See the FAQ to avoid common issues
For updates, it's OK to dirty flash. If you experience any issues however, it is recommended that you clean flash.
Download
lineage-14.1-20170618-UNOFFICIAL-i9305-HWC.zip: June 18, 2017
6/18/2017 (i9305)
Sync with the latest Lineage sources
Hardware composer fixes
[*] Switch back to proprietary RIL 4.4 blobs
Properly fixed screencast
Lots of security patches in the kernel
Temporarily switched SELinux to permissive
XDA:DevDB Information
LineageOS 14.1 by Exynos4 Team, ROM for the Samsung SIII LTE (i9305)
Contributors
PoisonNinja, Option58, kozmo21, LineageOS team
Source Code: https://github.com/Exynos4
ROM OS Version: 7.x Nougat
Based On: LineageOS
Version Information
Status: Beta
Created 2017-06-18
Last Updated 2017-06-18

Just a few info
Root
LineageOS removed builtin root, so you need to flash the root package linked above.
Please test especially calls, incoming and outgoing, mobile data and bluetooth.
The rom/build is based on pans vendor proprietary (ril) blobs and should improve our ril and hopefully fix our reboot problem.
Kernel is set to permissive at the moment. Stickt version also ok.
Please also test bluetooth (audio transfer), because I am not sure, whether it works correct.
GPS is currently not working. Will try to fix that with one of the next builds.
Edit: previous GPS fix is working and solve the problem. Changes will be added in next update.
You can also find it here attached fixed in version: 0702
Other than the HWC and blob changes, the rom is based on pure lineageos sources/repos.

if I need another one

I'm getting bootloops with that build (it doesn't reach far enough for adb to pull the logs). I tried building a build with older blobs yesterday. My build was getting SIGSEGV caused by ks. I'll try building a non hwc version using your blobs and i9305 repository.

I also noticed some reboots, but none anymore during the last night. So I assume that the reboots could not be solved with changing the blobs and also not with that different ril sources/blobs. I doubt that the reboots will be gone with a non hwc version, but we will see. Beside of that are the other things working? Calls, mobile data etc?

Non hwc version booted ok. at_distributor is having problems :
Code:
06-19 03:06:25.941 2812 2812 F libc : CANNOT LINK EXECUTABLE "/system/bin/at_distributor": cannot locate symbol "supportExpandedNV" referenced by "/system/bin/at_distributor"...
06-19 03:06:25.941 2812 2812 F libc : Fatal signal 6 (SIGABRT), code -6 in tid 2812 (at_distributor)
but RIL works anyway (at least SMS). I'll try replacing it with stock i9305 at_distributor. I've got one reboot but I didn't launch logcat/kmsg before and had only short last_kmsg. We should try replacing the blobs with the stock i9305 ones because for now they are mixed. We could give a shot to persist.radio.apm_sim_not_pwdn=1 in system.prop too. I haven't tested anything beside RIL reboots (I'm testing it during night and hoping it will manage to reboot before next day because for daily usage I'm going back to the last stable rom).

Many thanks and when you managed to solve the mix up and your tests are ok, it would be good, if you can upload your changes to github. Think it doesn't make sense that we do all the work twice
Edit: seems to be again or still:
Code:
Kernel panic - not syncing: Fatal exception
and I think caused because of:
Code:
<6>[ 184.685341] c0 mdm_hsic_pm_notify_event: unblock request
<6>[ 184.685375] c0 notify_modem_fatal or shutdown
<6>[ 184.685403] c0 ap2mdm_status is high
<6>[ 184.685425] c0 ap2mdm_errfatal is high
<6>[ 184.685449] c0 mdm2ap_status is low
<6>[ 184.685471] c0 mdm2ap_errfatal is low
<6>[ 184.685492] c0 During shutdown, return notify_modem_fatal

rodman01 said:
Many thanks and when you managed to solve the mix up and your tests are ok, it would be good, if you can upload your changes to github. Think it doesn't make sense that we do all the work twice
Edit: seems to be again or still:
Code:
Kernel panic - not syncing: Fatal exception
and I think caused because of:
Code:
<6>[ 184.685341] c0 mdm_hsic_pm_notify_event: unblock request
<6>[ 184.685375] c0 notify_modem_fatal or shutdown
<6>[ 184.685403] c0 ap2mdm_status is high
<6>[ 184.685425] c0 ap2mdm_errfatal is high
<6>[ 184.685449] c0 mdm2ap_status is low
<6>[ 184.685471] c0 mdm2ap_errfatal is low
<6>[ 184.685492] c0 During shutdown, return notify_modem_fatal
Click to expand...
Click to collapse
Don't worry, I'll upload when I have something that's worth uploading. If you got
Code:
<6>[ 184.685425] c0 ap2mdm_errfatal is high
then the issue is still there.
Update
at_distributor from stock references the same function (supportExpandedNV) so the problem rather doesn't lie in the at_distributor itself but in a missing file that contains the missing function.
Update 2
Replacing ks blob with i9305 stock one alone won't work. That leads to the problem that @p.a.n had (https://forum.xda-developers.com/showpost.php?p=64395738&postcount=218) (https://forum.xda-developers.com/showpost.php?p=64448961&postcount=269)

mtr_ said:
Update 2
Replacing ks blob with i9305 stock one alone won't work. That leads to the problem that @p.a.n had (https://forum.xda-developers.com/showpost.php?p=64395738&postcount=218) (https://forum.xda-developers.com/showpost.php?p=64448961&postcount=269)
Click to expand...
Click to collapse
There is a simple solution (or hack to be more precise) to this and I believe I`ve also described it somewhere here - open the ks binary with some binary editor, find the connect string (it should be there twice) and replace it something else with the same length (I used xonnect).
This is a linker related problem, ks contains symbol connect, which replaces connect from libc (I hope it is there, if not it is some other system library), but with a totally different functionality, which causes a crash. Don`t ask me why this is happening in one environment and in other (the old one), I don`t know.

Maybe this last_kmsg looks better now?
Code:
Samsung S-Boot 4.0 for GT-I9305 (Sep 12 2014 - 13:40:58)
EXYNOS4412(EVT 1.1) / 2044MB / 0MB / Rev 2 / I9305XXUFNI3 /(PKG_ID 0xb070018)
BOOTLOADER VERSION : I9305XXUFNI3
PMIC rev = PASS2(4)
BUCK1OUT(vdd_mif) = 0x05
BUCK3DVS1(vdd_int) = 0x20
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
[mmc] capacity = 30777344
MODEL_NAME:{{GT-I9305}}
eMMC_SERIAL_NUMBER:{{1501004D4147344642F74A00ABD19F03}}
- read_bl1
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (4:0xe)
[RPMB] emmc_rpmb_open:
Get DATA success.
[RPMB] emmc_rpmb_close:
initialize_rpmb_data: usable! (GT-I9305:VERSION_-+A3)
PARAM ENV VERSION: v1.0..
set_charger_current: chg curr(3f), in curr(17)
set_charger_state: buck(1), chg(1), reg(0x05)
microusb_get_attached_device: STATUS1:0x3f, 2:0x00
set_auto_current: ta_state(0), curr(700)
init_fuelgauge: fuelgauge power ok
init_fuelgauge: POR status
fuelgauge_por: POR start: vcell(3975), vfocv(4026), soc(79)
fuelgauge_por: update SDI M0 parameter
fuelgauge_por: RCOMP(0x0063), TEMPCO(0x0930)
fuelgauge_por: POR finish: vcell(3977), vfocv(4085), soc(73)
get_table_soc: vcell(3976) is caculated to t-soc(75.735)
init_fuelgauge: start: vcell(3976), vfocv(4081), soc(73), table soc(75)
init_fuelgauge: finish: vcell(3976), vfocv(4081), soc(73), table soc(75)
init_microusb_ic: before MUIC: CDETCTRL:0x2d
init_microusb_ic: after MUIC: CDETCTRL:0x2d
init_microusb_ic: MUIC: CONTROL1:0x00
init_microusb_ic: MUIC: CONTROL1:0x00
init_microusb_ic: MUIC: CONTROL2:0x3b
init_microusb_ic: MUIC: CONTROL2:0x3b
PMIC_ID = 0x02
PMIC_IRQSRC = 0x00
PMIC_IRQ1 = 0x02
PMIC_IRQ2 = 0x00
PMIC_IRQ1M = 0xff
PMIC_IRQ2M = 0xff
PMIC_STATUS1 = 0x13
PMIC_STATUS2 = 0x00
PMIC_PWRON = 0x01
PMIC_RTCINT = 0x11
PMIC_RTCINTM = 0x3f
s5p_check_keypad: 0x100000
s5p_check_reboot_mode: INFORM3 = 0 ... skip
s5p_check_upload: MAGIC(0xc1d0c0d6), RST_STAT(0x10000)
microusb_get_attached_device: STATUS1:0x3f, 2:0x00
s5p_check_download: 0
microusb_get_attached_device: STATUS1:0x3f, 2:0x00
check_pm_status: charger is not detected
check_pm_status: voltage(3978) is ok
cmu_div:1, div:7, src_clk:800000000, pixel_clk:38102400
s5p_dsim_display_config: VIDEO MODE
a2, 60, 90,
<start_checksum:481>CHECKSUM_HEADER_SECTOR :4096
<start_checksum:483>offset:50, size:6296
<start_checksum:485>CHECKSUM_HEADER_INFO : NeedChecksum:0 PartNo:20
Not Need Movinand Checksum
Movinand Checksum Confirmation Pass
[mobi_drv] add: 0x43e52500, size: 3933
MobiCore INIT response = 0
MobiCore RTM has initialized!
MobiCore IDLE flag = 0
MobiCore driver address 43e52500, size = 3933
MobiCore RTM Notified back!
MobiCore Driver loaded and RTM IDLE!
MobiCore RTM has been uninitialized!
load_kernel: loading boot image from 106496..
Verify_Binary_Signature: failed.
pit_check_signature (BOOT) invalid.
Set invalid sign flag
No need to update kernel type.
SMC Num = 0x83000001
mobismc success!!! [ret = 0]
[s5p_check_sboot_version_rpmb]cur_version:VERSION_-+A3, rpmb_version:VERSION_-+A3
rpmb_version:51, cur_version:51
ATAG_CORE: 5 54410001 0 0 0
ATAG_MEM: 4 54410002 20000000 40000000
ATAG_MEM: 4 54410002 20000000 60000000
ATAG_MEM: 4 54410002 20000000 80000000
ATAG_MEM: 4 54410002 1FC00000 A0000000
ATAG_SERIAL: 4 54410006 42f74a00 abd19f03
ATAG_INITRD2: 4 54420005 42000000 17b548
ATAG_REVISION: 3 54410007 2
check_rustproof [0]
ATAG_CMDLINE: b1 54410009 'console=ram loglevel=4 androidboot.baseband=mdm sec_debug.level=0 sec_watchdog.sec_pet=5 androidboot.debug_level=0x4f4c [email protected] [email protected] [email protected] s3cfb.bootloaderfb=0x5ec00000 lcdtype=96 consoleblank=0 lpj=3981312 vmalloc=176m oops=panic pmic_info=67 cordon=471c411f44a4d1cb9c99510ec7e578a1 connie=GT-I9305_OPEN_EUR_10e569b8255514f00b8793d908e78a26 androidboot.emmc_checksum=3 androidboot.boot_salescode= androidboot.odin_download=1 androidboot.bootloader=I9305XXUFNI3 androidboot.selinux=enforcing androidboot.warranty_bit=1 androidboot.sec_atd.tty=/dev/ttySAC2 androidboot.serialno=42f74a00abd19f03 snd_soc_core.pmdown_time=1000'
ATAG_NONE: 0 0
Starting kernel at 0x40008000...
SWITCH_SEL(3)

p.a.n said:
There is a simple solution (or hack to be more precise) to this and I believe I`ve also described it somewhere here - open the ks binary with some binary editor, find the connect string (it should be there twice) and replace it something else with the same length (I used xonnect).
This is a linker related problem, ks contains symbol connect, which replaces connect from libc (I hope it is there, if not it is some other system library), but with a totally different functionality, which causes a crash. Don`t ask me why this is happening in one environment and in other (the old one), I don`t know.
Click to expand...
Click to collapse
Thanks for hint, I know that you don't work on i9305 anymore. Isn't that connect that comes internally in ks used somewhere ? After all they had to have a reason to place an internal function like that. After you left the development, it seems that the current ks that is being used in LineageOS based roms seems to be taken from other device. The current situation is as follows: the modem crashes from time to time, ks during that crash is having issues during SAHARA protocol file transfer. I don't know whether it is the modem that causes the ks crash, or ks that causes modem crash.
rodman01 said:
Maybe this last_kmsg looks better now?
Click to expand...
Click to collapse
The pasted log contains only what happened after reboot. It shows the next boot. If you wanted to show a crash, it isn't saved. It could be truncated, because last_kmsg has limited buffer (for most of the modem issues it was just too small to show everything). You can use the methods to capture logs I posted somewhere else.

yes I noticed this too after pulling another one.
But with my current used blobs I do not have that:
Code:
<6>[ 184.685425] c0 ap2mdm_errfatal is high
anymore, but still reboots and:
Code:
<6>[ 1581.571051] c0 mdm_subsys_powerup: mdm modem restart timed out.
<0>[ 1581.571210] c0 Kernel panic - not syncing: subsystem_restart_wq_func[eac9d720]: Failed to powerup external_modem!

rodman01 said:
yes I noticed this too after pulling another one.
But with my current used blobs I do not have that:
Code:
<6>[ 184.685425] c0 ap2mdm_errfatal is high
anymore, but still reboots and:
Code:
<6>[ 1581.571051] c0 mdm_subsys_powerup: mdm modem restart timed out.
<0>[ 1581.571210] c0 Kernel panic - not syncing: subsystem_restart_wq_func[eac9d720]: Failed to powerup external_modem!
Click to expand...
Click to collapse
Still not good. Have you tried modyfing the stock ks as @p.a.n wrote ? I think that the blobs can be swapped on already installed Android, without recompiling everything. Doing adb push should work too. Something like: adb root, adb remount, adb push, reboot.

I know that this is not good.
No I haven't, I have no such editor and haven't searched for it. Have you tried that already?

rodman01 said:
I know that this is not good.
No I haven't, I have no such editor and haven't searched for it. Have you tried that already?
Click to expand...
Click to collapse
Any hex editor should be enough (for Windows you could try https://mh-nexus.de/en/hxd/ ). I haven't tried yet, I returned to stock rom.

mtr_ said:
Thanks for hint, I know that you don't work on i9305 anymore. Isn't that connect that comes internally in ks used somewhere ? After all they had to have a reason to place an internal function like that. After you left the development, it seems that the current ks that is being used in LineageOS based roms seems to be taken from other device. The current situation is as follows: the modem crashes from time to time, ks during that crash is having issues during SAHARA protocol file transfer. I don't know whether it is the modem that causes the ks crash, or ks that causes modem crash.
Click to expand...
Click to collapse
I actually do work on it, just don`t publish, since I was under impression that the official version is fine and the problem you are describing here is caused by old version of modem. I didn`t want to change it, so I solved the problem by using the KitKat RIL with the modification I mentioned.
As far as I know the connect symbol in the ks binary is used only internaly (and shouldn`t be exported at all). It seems like a simple name colision, which was handled differently in KitKat. I`ve been using the modified ks for a long time and it doesn`t seem to have any negative side effect.
I`ll try to put together all the changes against the official code I have and publish again some of my builds. LineageOS 14.1 is quite stable on my device, so I hope this will help you. I just cannnot promise, when this will be, since I am pretty bussy now (more I`ve ever been).

I am uploading at the moment a new test build, where in my logcat no at distributor error and no SIGABRT error or message is to be seen at the moment. Maybe someone is around who is willing to test it....?!?

New test build is uploaded now.
Its based on todays leos sources and nameless/crazyweasel 3.0 vendor/blobs.
Download
lineage-14.1-20170621-UNOFFICIAL-i9305-hwc.zip: https://www.androidfilehost.com/?fid=673368273298966239
Please report back about reboots and or any other error or bug.
GPS is fixed and should work now.

p.a.n said:
I actually do work on it, just don`t publish, since I was under impression that the official version is fine and the problem you are describing here is caused by old version of modem. I didn`t want to change it, so I solved the problem by using the KitKat RIL with the modification I mentioned.
Click to expand...
Click to collapse
Lucky. It seems that by doing that you avoided the RIL problems (and thus saved time ). The thing worth mentioning is that there are quite new stock releases available (I9305XXSFQ series).
rodman01 said:
New test build is uploaded now.
Its based on todays leos sources and nameless/crazyweasel 3.0 vendor/blobs.
Please report back about bootloops and or any other error or bug.
GPS is fixed and should work now.
Click to expand...
Click to collapse
Tested, unfortunately bootloops. Did you try it after a dirty flash or a clean one ?
I made a non hwc build with https://github.com/CrazyWeasel/proprietary_vendor_samsung/tree/n-3.0/i9305 and modified ks from https://github.com/p-an/android_device_samsung_i9305/blob/cm-14.1/proprietary/system/bin/ks . ks works, at_distributor doesn't whine about missing symbol, but that it can't connect to ATD.
Code:
06-22 04:24:28.916 5290 5290 V AT_Distributor_diag: can't connect to atd socket
06-22 04:24:29.046 5293 5293 V AT_Distributor_diag: ConnectToATD
I was running the build for an hour, so not long enough to tell whether the modem issue appears. 4:50 AM, time to get back to stock

I had a reboot during the night too. And now, since the last half an hour, several reboots again. So I would say, this test version is almost unusable at the moment. Did a clean flash after changing to crazyweasel blobs.