Hi,
I am working on un-bricking my Optimus One (P500) via JTAG, and I need some additional information.
Here is what I did so far:
- created an LPT to JTAG adapter, called the wiggler
- soldered wires to the JTAG pins on the phone's board as shown here
- downloaded openOCD 0.5 and used this configuration file for the wiggler adapter
- started the giveio driver that is in the drivers/ directory of openOCD
- ran the command "openocd --f wiggler.config.file.cfg" and got the following output:
Code:
Open On-Chip Debugger 0.5.0 (2011-08-09-23:21)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.berlios.de/doc/doxygen/bugs.html
Warn : Adapter driver 'parport' did not declare which transports it allows; assuming legacy JTAG-only
Info : only one transport option; autoselect 'jtag'
parport port = 0x378
trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
dcc downloads are enabled
fast memory access is enabled
6000 kHz
Info : clock speed 500 kHz
Error: JTAG scan chain interrogation failed: all zeroes
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: arm9.cpu: IR capture error; saw 0x00 not 0x01
Warn : Bypassing JTAG setup events due to errors
Info : Embedded ICE version 0
Error: unknown EmbeddedICE version (comms ctrl: 0x00000000)
Info : arm9: hardware has 2 breakpoint/watchpoint units
- ran "telnet localhost 4444" and tried issuing debugging commands via jtag
In general I was following the steps described in this wiki. What I saw is that they have certain binary files for their phone which I wasn't able to find for Optimus:
- the IPL and SPL bootolader image files (hboot.img)
- radio image files (radio.img)
- full recovery images
Does anyone know where can we get the same files for Optimus phones? I imagine they can be read off a working phone. Anyone knows how to do this?
Additionally, was anyone able to configure openOCD to work with the MSM7227 chip in this phone? I can't seem to get it to detect the ARM cpu inside it.
Finally, here are some photos of my LPT <-> wiggler <-> JTAG setup.
Suggestions, help, pats on the back appreciated.
Nice! I haven't seen much in the way of hardware work on our phones. I'd be interested in any progress that you make on this. I wish that I could offer more than the pat on the back, but my experience with JTAG is minimal. In any case, good luck!
Sent from my LG-P500 using XDA App
Forgive for my English... I have connected phone to jtag as me to fill in bootloader?
photo my connected i.imgur.com/vUdUV.jpg
myk777 said:
Forgive for my English... I have connected phone to jtag as me to fill in bootloader?
photo my connected i.imgur.com/vUdUV.jpg
Click to expand...
Click to collapse
my openocd.cfg
---------------------------------------------------
interface parport
parport_port 0x378
parport_cable wiggler
jtag_khz 6000
reset_config trst_and_srst srst_pulls_trst
#dream information (or something near it)
set _CHIPNAME lolololo
set _ENDIAN little
set _CPUTAPID 0x12345678
jtag newtap lololo cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_CPUTAPID
------------------------------------------------------------
some updates
In this message I will try to summarize what we have so far...
[1]
myk777 was able to establish an LTP <-> JTAG connection via the wiggler. Here are the connections he made:
i.imgur.com/vUdUV.jpg
[2]
He also identified the to be ARM1136 with the tap ID 0x203c00e1.
OpenOCD 5.0 contains the configuration file for ARM1136 in the following location:
openocd-0.5.0/target/imx31.cfg
The full documentation for ARM1136 is available here:
google DDI0211K_arm1136_r1p5_trm.pdf
What remains to be done:
A. Configure openocd to use the wiggler and the imx31 to target the ARM1136 chip
B. Try to execute the initial bootloader code (using openocd debugger)
C. Find the binary dumps of the bootloader code for this phone, and try to rewrite it
For A I have the following suggestion:
- set the CPUTAPID=0x203c00e1
- launch openocd with something like this:
openocd -f wiggler.config.file.cfg -f target/imx31.cfg
Has failed flash memory. Has given on repair to service.
Hi guys!
This thread is the closest to my problem with Samsung Galaxy Mini S5570 model. I was on forum with this phone but there I couldn't find any "deeper" thread (most of them ends with "use RiffBox").
So, I have built Clone Wiggler, solder down wires to the JTAG pads and establish connection with bricked phone. Here is what I got from the OpenOCD after start:
Code:
Warn : Adapter driver 'parport' did not declare which transports it allows; assuming legacy JTAG-only
Info : only one transport option; autoselect 'jtag'
adapter speed: 500 kHz
Info : clock speed 500 kHz
Info : JTAG tap: MSM7227.cpu tap/device found: 0x203c10e1 (mfg: 0x070, part: 0x03c1, ver: 0x2)
Warn : gdb services need one or more targets defined
Here is OpenOCD config file:
Code:
interface parport
parport_cable wiggler
adapter_khz 500
#debug_level 3
# CPU settings
set _CHIPNAME MSM7227
set _CPUTAPID 0x203c10e1
#set _ENDIAN little
jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_CPUTAPID
And output from "jtag init" and "scan_chain" after telnet localhost 4444:
Code:
telnet localhost 4444
> jtag init
JTAG tap: MSM7227.cpu tap/device found: 0x203c10e1 (mfg: 0x070, part: 0x03c1, ver: 0x2)
> scan_chain
TapName Enabled IdCode Expected IrLen IrCap IrMask
-- ------------------- -------- ---------- ---------- ----- ----- ------
0 MSM7227.cpu Y 0x203c10e1 0x203c10e1 4 0x01 0x0f
S5570 has MSM7227 Qualcomm chip and 4Gb OneNand KAT007012C - BRTT flash. I'm aware that there is no luck with OneNAND and OpenOCD, but I still have the hope and strong will
My OpenOCD version is latest 0.6.1
Any reply is more than welcome and thanks in advance.
I have read that MSM7227 has several cores that operate separately. One core is arm9 (modem processor) and the second is arm11 (applications) ... so configuration file is changed and with this OpenOCD config, JTAG is connected to the arm9 modem processor:
Code:
interface parport
parport_cable wiggler
adapter_khz 300
reset_config trst_and_srst srst_pulls_trst
#debug_level 3
# CPU settings
set _CPUTAPID 0x203c10e1
set _TARGETNAME arm9.cpu
set _ENDIAN little
# create jtag
jtag newtap arm9 cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_CPUTAPID
# create target
target create arm9 arm926ejs -endian $_ENDIAN -chain-position $_TARGETNAME
Here is output from the OpenOCD:
Code:
Open On-Chip Debugger 0.6.1 (2012-11-04-19:22)
Licensed under GNU GPL v2
For bug reports, read
Warn : Adapter driver 'parport' did not declare which transports it allows; assuming legacy JTAG-only
Info : only one transport option; autoselect 'jtag'
adapter speed: 300 kHz
trst_and_srst srst_pulls_trst srst_gates_jtag trst_push_pull srst_open_drain
arm9
Info : clock speed 250 kHz
Info : JTAG tap: arm9.cpu tap/device found: 0x203c10e1 (mfg: 0x070, part: 0x03c1, ver: 0x2)
Info : Embedded ICE version 6
Info : arm9: hardware has 2 breakpoint/watchpoint units
After power is attached to the phone I have to press few times power button (not sure about that - screen just flashes) and then press Power + Volume down + Home buttons. Screen is still black but the phone is nicely recognized by the OpenOCD. The next step is "telnet localhost 4444". Every few seconds GDB was printing some lines so I typed in "reset" and "halt". Here are few commands to show the output:
Code:
> halt
Jazelle debug entry -- BROKEN!
invalid mode value encountered 0
ThumbEE -- incomplete support
cpsr contains invalid mode value - communication failure
Polling target failed, GDB will be halted. Polling again in 100ms
target was in unknown state when halt was requested
target state: halted
target halted in ARM state due to debug-request, current mode: Abort
cpsr: 0x200000d7 pc: 0x003679e0
MMU: disabled, D-Cache: disabled, I-Cache: disabled
Polling succeeded again
> arm9 curstate
halted
> arm9 mdb 2000 100
0x000007d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000007e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000007f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000800 00 00 a0 e1 00 00 a0 e1 00 00 a0 e1 00 00 a0 e1 ................
0x00000810 00 00 a0 e1 00 00 a0 e1 00 00 a0 e1 00 00 a0 e1 ................
0x00000820 02 00 00 ea 18 28 6f 01 00 00 00 00 3c 45 26 00 .....(o.....<E&.
0x00000830 01 70 a0 e1
> arm reg
System and User mode registers
r0: fffffffb r1: 002fff30 r2: 00000f80 r3: 000000ff
r4: ffffff00 r5: 000000ff r6: 003788cc r7: 0038fabc
r8: 00390320 r9: 00000000 r10: 002fffb0 r11: 00000040
r12: 00390320 sp_usr: ffffffe0 lr_usr: e1a0a002 pc: 003679e0
cpsr: 200000d7
FIQ mode shadow registers
r8_fiq: 000000db r9_fiq: 15c43000 r10_fiq: 00000070 r11_fiq: 00000000
r12_fiq: ffff000c sp_fiq: 00000000 lr_fiq: f000b4bc spsr_fiq: 00000010
Supervisor mode shadow registers
sp_svc: 00000000 lr_svc: 00017118 spsr_svc: 000000d7
Abort mode shadow registers
sp_abt: 002fff1c lr_abt: 0046c140 spsr_abt: 000000d3
IRQ mode shadow registers
sp_irq: 40000030 lr_irq: 009ee8dd spsr_irq: 00000010
Undefined instruction mode shadow registers
sp_und: fffffffc lr_und: ffff0008 spsr_und: 000000db
Well, I hope that Clone wiggler actually communicate with my hard bricked phone. What is the next step and how to unbrick the phone? Please guys give me some hint to move on because I can barely find any quality info about unbricking procedure for S5570. I'm stuck at this point.
In theory bootloader should be loaded to the memory and then written to the NAND (actually OpenNAND). Or is it possible to load a program and run it from OpenOCD to enable communication with Odin?
Thanks in advance and any feedback is more than welcome.
dbunic said:
Hi guys!
This thread is the closest to my problem with Samsung Galaxy Mini S5570 model. I was on forum with this phone but there I couldn't find any "deeper" thread (most of them ends with "use RiffBox").
So, I have built Clone Wiggler, solder down wires to the JTAG pads and establish connection with bricked phone. Here is what I got from the OpenOCD after start:
Code:
Warn : Adapter driver 'parport' did not declare which transports it allows; assuming legacy JTAG-only
Info : only one transport option; autoselect 'jtag'
adapter speed: 500 kHz
Info : clock speed 500 kHz
Info : JTAG tap: MSM7227.cpu tap/device found: 0x203c10e1 (mfg: 0x070, part: 0x03c1, ver: 0x2)
Warn : gdb services need one or more targets defined
Here is OpenOCD config file:
Code:
interface parport
parport_cable wiggler
adapter_khz 500
#debug_level 3
# CPU settings
set _CHIPNAME MSM7227
set _CPUTAPID 0x203c10e1
#set _ENDIAN little
jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id $_CPUTAPID
And output from "jtag init" and "scan_chain" after telnet localhost 4444:
Code:
telnet localhost 4444
> jtag init
JTAG tap: MSM7227.cpu tap/device found: 0x203c10e1 (mfg: 0x070, part: 0x03c1, ver: 0x2)
> scan_chain
TapName Enabled IdCode Expected IrLen IrCap IrMask
-- ------------------- -------- ---------- ---------- ----- ----- ------
0 MSM7227.cpu Y 0x203c10e1 0x203c10e1 4 0x01 0x0f
S5570 has MSM7227 Qualcomm chip and 4Gb OneNand KAT007012C - BRTT flash. I'm aware that there is no luck with OneNAND and OpenOCD, but I still have the hope and strong will
My OpenOCD version is latest 0.6.1
Any reply is more than welcome and thanks in advance.
Click to expand...
Click to collapse
Hello there!
Do you finished with succes?I am planning to try recover same phone but with h-jtag.
Any help welcome
szakiz said:
Hello there!
Do you finished with succes?I am planning to try recover same phone but with h-jtag.
Any help welcome
Click to expand...
Click to collapse
Unfortunately no, phone was fixed with riffbox. Thread was inactive for a while and I didn't have success with inspecting/fixing boot loader via Jtag interface. Hope you will have more luck. Cheers!
Related
Don't do it unless you know what it is and it is your choice
First please backup all gsmdata using backup_GSM.bat and restore using restore_GSM.bat if things go wrong, hope not to
Use at your own risk, take no responsibility for any RESPONSIBLE FOR ANY MALFUNCTIONS OR OTHER ISSUES THAT MAY OCCUR
1. Connect active sync, I connect it in guest mode
2. Run Read_MAC_adsress.bat
3. Save your old MAC address (the file orig_MAC.bin) at good location in your hard disk
4. Open newMAC.bin in any hex editor (it's your MAC address in reverse)
5. Change it as you want and save it
6. Run Write_new_MAC.bat to change MAC address
7. If you want to restore the old MAC address run restore_mac.bat
8. now soft reset
9. just wish me luck If this works for you and I hope it will
To check your MAC address: go to wireless settings > advance > MAC > see it there
I'll make an app to change it soon after the exam if this works
paradis_pal
long live Palestine
am I on the black list again?
this works on my device, and there is no risk if you backup all gsmdata using backup_GSM.bat and restore using restore_GSM.bat, but the save the gsmdata.bin in a good location
it works try it
I udpate it to the new itsutils tool and it works, I used to use the old version
Perhaps a foolish question, but what is the benefit of changing the MAC adress?
another stupid question...
thnx but what the advantage of changing mac address..?
and is mac address is IMEI ..?
an example..
If you are hacker of wi-fi connections, you can find permitted mac adress..
After you can change mac adress of your device and enter to wi-fi network.. (if wi-fi network has shield with only mac adresses)
Mac adress using for network identity and its unique on the world..
IMEI number using for gsm device identity..
Thanks for explaining!
rondol1 said:
Perhaps a foolish question, but what is the benefit of changing the MAC adress?
Click to expand...
Click to collapse
Dear sir
Please please, next time before asking a foolish question, use search and you will find a lot of answers, and not only in this forum.
Or at least read the first line (don’t do it unless you know what it is).
Thanks in advance.
ycimpir said:
If you are hacker of wi-fi connections, you can find permitted mac adress..
After you can change mac adress of your device and enter to wi-fi network.. (if wi-fi network has shield with only mac adresses)
Mac adress using for network identity and its unique on the world..
IMEI number using for gsm device identity..
Click to expand...
Click to collapse
Thanks for this answer I couldn’t answer better
Some people set their access points to certain MAC addresses, if you knew them, you can access the network (hack) for free internet at least in my case.
The problem: there are no close WiFi networks near my area, but I hack a net café using this method,
Thanks for replying
nice, thanks for this
Hello Chopin
I can't unzip file:"Cannot open file: it does not appear to be a valid archive. If you downloaded this file, try downloading the file again" Please, could you share it again??
Thanks
sorry it is rar archive I should warn
use the free program 7-zip to uncompress the files
Chopin said:
sorry it is rar archive I should warn
use the free program 7-zip to uncompress the files
Click to expand...
Click to collapse
Ok, thanks, I get it.
Regards
Hey,
It doesn't work for me.
I connect my phone and active sync is in guest mode, then i run read_mac_adsress but i can't find newMAC.bin.
Where can i find this file?
Thanks,
Steffen
sorry for the late reply, Exams
if you use wm5, install enablerapi.cab first you can find it at the pagepool changer
I assume pdocread/write are Prophet specific? I have a Kaiser. I tried backup_GSM first, but got 0 bytes, so I'm assuming it is Prophet specific. Is there anyway that I could get source code to modify for Kaiser?
I would like to change MAC addresses on my Kaiser to troubleshoot problems with our crap MAC-secured wireless network. Currently, I have to lug around my laptop to do this.
Thanks!
http://nah6.com/~itsme/cvs-xdadevtools/itsutils/
Artemis
I'm using an Artemis (Xda Orbit) and tried Read_MAC_adsress which didn't work for me either.
Using pdocread -l I get this:
62.44M (0x3e70000) TrueFFS
| 3.06M (0x30fc00) Part00
| 3.06M (0x310000) Part01
| 56.25M (0x3840000) Part02
46.97M (0x2ef8000) TrueFFS
| 3.06M (0x30fc00) Part00
| 3.06M (0x310000) Part01
| 56.25M (0x3840000) Part02
511.50k (0x7fe00) TRUEFFS
| 3.06M (0x30fc00) Part00
| 3.06M (0x310000) Part01
| 56.25M (0x3840000) Part02
5.69G (0x16c680000) DSK1:
| 5.69G (0x16c280000) Part00
20.00k (0x5000) BTD1:
| 19.00k (0x4c00) PART00
STRG handles:
handle cd94b3fe 19.00k (0x4c00)
handle 4da2e506 5.69G (0x16c280000)
handle ae9cbe2e511.50k (0x7fe00)
handle aeace2a2 46.97M (0x2ef8000)
handle 0eae22b6 56.25M (0x3840000)
handle ceae2002 3.06M (0x310000)
handle 6fb1ffa2 3.06M (0x30fc00)
disk cd94b3fe
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 4da2e506
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk ae9cbe2e
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk aeace2a2
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 0eae22b6
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 15 xx 01 xx 2a xx 02 xx 09 xx 06 xx
disk ceae2002
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 15 xx 01 xx 2a xx 02 xx 09 xx 06 xx
disk 6fb1ffa2
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 15 xx 01 xx 2a xx 02 xx 09 xx 06 xx
I xx'ed out some of the numbers on the uniqueid in case I was giving something away I shouldn't.
Given that information, any chance you can point me in the right direction to finding where my MAC address is?
Thanks.
I'm not sue about youe device, acctually I'm not sure if this will work in other prophet, no one confirm
I can only assure it work only on my device
-l will list the disk only, the MAC can be found the data on the doc, not on the list
I can't help u right now but try to ask in your device section hope that someone will help you
and if please one confirm if this will read the MAC address
thanx man . i ll test it
Hi Everyone
I'm posting this to help out CyZeek.
To capture ELF/ELFIN Device ID and CID ID using MTTY and USB Monitor Lite on XP SP2 and Vista x64
You will need:
1. A demo copy of USB Monitor Lite
http://www.hhdsoftware.com (the demo is fully functional for 14 days).2. A Copy of MTTY (and you need to be basically familiar with it)
Put your Device into Boot Loader
Assuming your device is not already at the TSoD (Tricolour Screen of Death) - if it is skip this instruction and move on to the next section.
1. Press and hold your camera button
2. Press reset with stylus
3. Wait 5 seconds and release the camera button
Kill ActiveSync USB Connections - XP
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted Right Click the Active sync Icon in the system tray and select "Connection Settings"
3. Turn off USB
-or-
Kill ActiveSync USB Connections - Vista
Download and install MS Windows Mobile Device Centre from here: http://www.microsoft.com/windowsmobile/devicecenter.mspx
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted click Start -> All Programs -> Windows Mobile Device Centre
3. Hover over Mobile Device Settings and Click on Connection Settings.
4. Turn off Allow USB Connections
Connect Your Device to USB
1. Plug in the USB cable
Turn On Spoofing / packet capture
1. Install the demo version of USB Monitor Lite (DMS) and Start Device Monitoring Studio.
2. Connect your device which should be in TSoD (Tricolour Screen of Death) boot loader.
3. Click the item entitled "Pocket PC USB Sync" which activates the main screen
4. Double-Click the item entitled "Packet View" in the Session Configuration Screen.
5. Click the Start button in the selected processing region
You'll know you got this right because you will see two packets displayed:
PnP: Device Connected
Internal: Pipe Info Transfer6. Leave the USB Monitor running
Run up MTTY, Log In and Issue “getdevinfo” Command
For details on downloading MTTY and recovering from the TSoD see this thread: http://forum.xda-developers.com/showthread.php?t=347700
1. In "Open Port Setting" Dialog Set to Port = USB
2. Flow Cont = RTC/CTS
3. Click OK
4. When a new communication page opens press Enter and the Cmd> prompt will be displayed
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID LockedCheck that USB Monitor is running (you may need to press the "continue 14 day trial" button to get the capture to continue)6. Type getdevinfo and press <enter>
These commands are case sensitive!
Cmd>getdevinfo
HTCSELF030050œ=Ó HTCE7. Leave MTTY running
Swap Back to USB Monitor
1. Starting at the last packet in the list, double click each row whose Direction is "Up"
2. The 12th packet from the end of the list when I did mine had the device ID and CID packet shown below.
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
Copy and paste the text into a text file and keep for future reference as the Device ID and CID ID are useful in determining the right ROM files to use as well as the wrong ones.
To Re-Enable Boot on a Good Device
Unless you tell the device where to boot from it will go back to boot loader every time so you need to re-enable boot from ROM.
These commands are case sensitive!1. Swap back to MTTY session
2. Type ruurun 0 <enter>
3. Type ResetDevice <enter>
Hope this helps.
Yours
Leon
Thank you Leon, im gonna post a link to this post a the rom compilation thread ( Elf/Elfin Original Roms Model Id & Cid Id List ), for the people who wants to make a request.
Any time, CyZeek
The work you're doing on ROMs DevIDs and CIDs is very important indeed, glad to help.
Yours
Leon
Thank you
After a long tima trying i managed to get the CID!
It worked fine!
Thank you
Question:
Any one knows if a non original rom ends the warranty if the device is malfunctioning?
filiperod said:
After a long tima trying i managed to get the CID!
It worked fine!
Thank you
Question:
Any one knows if a non original rom ends the warranty if the device is malfunctioning?
Click to expand...
Click to collapse
Yes it's against warranty terms. But, if your are using a cooked rom, and need service from HTC, just reflash with your original rom and no prob.
g_cKeyCardSecurityLevel = o
what does it mean?
...
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID LockedCheck that USB Monitor is running (you may need to press the "continue 14 day trial" button to get the capture to continue)...
no - in that case nothing happens, when I try to type in "getdevinfo" and execute - system tells me - "wrong password".
what can I try to do?
Just in case you misunderstood...
5.Type:> password BsaD5SeoA <=Don't copy/paste from here!
Press:> [ENTER]
...
...
&go on with Leon's process.
Regards!
did everything as stated however no success....each UP line basically has stuff similar this written only in it....
000079: Bulk or Interrupt Transfer (UP), 04.06.2008 18:34:21.699 +0.001. Status: 0x00000000
Pipe Handle: 0x846006ec (Endpoint Address: 0x82)
Get 0x1 bytes from the device
Dude you Rock
leondaphillips
you rock so hard that i feel the love here in Dunedin New Zealand
after harting round for days with vista drivers and all the random **** life(and computers) and now my phone hits me with i have acheaved CID nowing niss thanks to this thread here the sweet code:
45 4C 46 30 31 30 30 30 30 00 00 00 00 00 00 00 ELF010000.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
44 4F 50 4F 44 30 30 31 00 00 00 00 00 00 00 00 DOPOD001........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
phone is GSM vodafone Touch from singapore.thanks mate keep the howtos comeing.
Thankyou verymuch its a goodway
leondaphillips said:
Hi Everyone
I'm posting this to help out CyZeek.
4. When a new communication page opens press Enter and the Cmd> prompt will be displayed
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID Locked
Click to expand...
Click to collapse
Mine is FF, CID locked?
These commands are case sensitive!
Cmd>getdevinfo
HTCSELF030050œ=Ó HTCE
Click to expand...
Click to collapse
Cmd>getdevinfo
HTCSELF010050gUH¥HTCE
Cmd>
2. The 12th packet from the end of the list when I did mine had the device ID and CID packet shown below.
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
Copy and paste the text into a text file and keep for future reference as the Device ID and CID ID are useful in determining the right ROM files to use as well as the wrong ones.
Click to expand...
Click to collapse
Mine at the 12th packet too
45 4C 46 30 31 30 30 35 30 00 00 00 00 00 00 00 ELF010050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
48 54 43 5F 5F 45 31 31 00 00 00 00 00 00 00 00 HTC__E11........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
leondaphillips
you are a genius, it worked, a million thanks. I tried other way with MTTY, snoopypro & Hexer loads of times without success & I'd given up hope!
thanks .....
good gob
elf0100050
bstar502
any one have it
where can I find rom
Where can i find rom for htc p3450 elfin
ELF010050
HTC__001
leondaphillips said:
Hi Everyone
I'm posting this to help out CyZeek.
To capture ELF/ELFIN Device ID and CID ID using MTTY and USB Monitor Lite on XP SP2 and Vista x64
You will need:
1. A demo copy of USB Monitor Lite
http://www.hhdsoftware.com (the demo is fully functional for 14 days).2. A Copy of MTTY (and you need to be basically familiar with it)
Put your Device into Boot Loader
Assuming your device is not already at the TSoD (Tricolour Screen of Death) - if it is skip this instruction and move on to the next section.
1. Press and hold your camera button
2. Press reset with stylus
3. Wait 5 seconds and release the camera button
Kill ActiveSync USB Connections - XP
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted Right Click the Active sync Icon in the system tray and select "Connection Settings"
3. Turn off USB
-or-
Kill ActiveSync USB Connections - Vista
Download and install MS Windows Mobile Device Centre from here: http://www.microsoft.com/windowsmobile/devicecenter.mspx
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted click Start -> All Programs -> Windows Mobile Device Centre
3. Hover over Mobile Device Settings and Click on Connection Settings.
4. Turn off Allow USB Connections
Connect Your Device to USB
1. Plug in the USB cable
Turn On Spoofing / packet capture
1. Install the demo version of USB Monitor Lite (DMS) and Start Device Monitoring Studio.
2. Connect your device which should be in TSoD (Tricolour Screen of Death) boot loader.
3. Click the item entitled "Pocket PC USB Sync" which activates the main screen
4. Double-Click the item entitled "Packet View" in the Session Configuration Screen.
5. Click the Start button in the selected processing region
You'll know you got this right because you will see two packets displayed:
PnP: Device Connected
Internal: Pipe Info Transfer6. Leave the USB Monitor running
Run up MTTY, Log In and Issue “getdevinfo” Command
For details on downloading MTTY and recovering from the TSoD see this thread: http://forum.xda-developers.com/showthread.php?t=347700
1. In "Open Port Setting" Dialog Set to Port = USB
2. Flow Cont = RTC/CTS
3. Click OK
4. When a new communication page opens press Enter and the Cmd> prompt will be displayed
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID LockedCheck that USB Monitor is running (you may need to press the "continue 14 day trial" button to get the capture to continue)6. Type getdevinfo and press <enter>
These commands are case sensitive!
Cmd>getdevinfo
HTCSELF030050œ=Ó HTCE7. Leave MTTY running
Swap Back to USB Monitor
1. Starting at the last packet in the list, double click each row whose Direction is "Up"
2. The 12th packet from the end of the list when I did mine had the device ID and CID packet shown below.
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
Copy and paste the text into a text file and keep for future reference as the Device ID and CID ID are useful in determining the right ROM files to use as well as the wrong ones.
To Re-Enable Boot on a Good Device
Unless you tell the device where to boot from it will go back to boot loader every time so you need to re-enable boot from ROM.
These commands are case sensitive!1. Swap back to MTTY session
2. Type ruurun 0 <enter>
3. Type ResetDevice <enter>
Hope this helps.
Yours
Leon
Click to expand...
Click to collapse
ive followed your instruction and got the ff-cid locked data.
ive tried everything but cannot make the gold card.with or without usb.
Hi
I have s621 in 3 color mode not eset and open with cid lock.
I have done all but I can not see my cid and Id.
My mtty like that what is wrong. ?
Thank you.
Code:
Cmd>password BsaD5SeoA
Pass.
+ SD Controller init
- SD Controller init
+StorageInit
SDInit+++
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
CMD55 failed
+ SD Controller init
- SD Controller init
+StorageInit
SDInit+++
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
CMD55 failed
g_cKeyCardSecurityLevel = FF
Type (0x1)(Operation mode flag): cOpModeFlag=(0x0).
Type (0x2)(Back color flag): cBackColorShowFlag=(0x1).
Type (0x5)(Background color value): g_wBColor=(0xC618) (0xC0C0C0).
HTCST
Thank you OP. I used your method and found the Device ID and CID of Telus HTC Touch Dual (Neon400, Canada). See below:
4E 45 4F 4E 34 30 30 30 00 00 00 00 00 00 00 00 NEON4000........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 4C 53 30 00 00 00 00 00 00 00 00 00 00 00 00 TLS0............
00 00 00 00 ....
Hello i have cant find device id and cid can any one help me see log and also Device Monitoring give cid 000000000............
HTCST
Cmd>getdevinfo
GetDeviceCID: Error - InitDecoder
HTCSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXh{Â&HTCE
Cmd>
leondaphillips said:
Hi Everyone
I'm posting this to help out CyZeek.
To capture ELF/ELFIN Device ID and CID ID using MTTY and USB Monitor Lite on XP SP2 and Vista x64
You will need:
1. A demo copy of USB Monitor Lite
http://www.hhdsoftware.com (the demo is fully functional for 14 days).2. A Copy of MTTY (and you need to be basically familiar with it)
Put your Device into Boot Loader
Assuming your device is not already at the TSoD (Tricolour Screen of Death) - if it is skip this instruction and move on to the next section.
1. Press and hold your camera button
2. Press reset with stylus
3. Wait 5 seconds and release the camera button
Kill ActiveSync USB Connections - XP
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted Right Click the Active sync Icon in the system tray and select "Connection Settings"
3. Turn off USB
-or-
Kill ActiveSync USB Connections - Vista
Download and install MS Windows Mobile Device Centre from here: http://www.microsoft.com/windowsmobile/devicecenter.mspx
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted click Start -> All Programs -> Windows Mobile Device Centre
3. Hover over Mobile Device Settings and Click on Connection Settings.
4. Turn off Allow USB Connections
Connect Your Device to USB
1. Plug in the USB cable
Turn On Spoofing / packet capture
1. Install the demo version of USB Monitor Lite (DMS) and Start Device Monitoring Studio.
2. Connect your device which should be in TSoD (Tricolour Screen of Death) boot loader.
3. Click the item entitled "Pocket PC USB Sync" which activates the main screen
4. Double-Click the item entitled "Packet View" in the Session Configuration Screen.
5. Click the Start button in the selected processing region
You'll know you got this right because you will see two packets displayed:
PnP: Device Connected
Internal: Pipe Info Transfer6. Leave the USB Monitor running
Run up MTTY, Log In and Issue “getdevinfo” Command
For details on downloading MTTY and recovering from the TSoD see this thread: http://forum.xda-developers.com/showthread.php?t=347700
1. In "Open Port Setting" Dialog Set to Port = USB
2. Flow Cont = RTC/CTS
3. Click OK
4. When a new communication page opens press Enter and the Cmd> prompt will be displayed
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID LockedCheck that USB Monitor is running (you may need to press the "continue 14 day trial" button to get the capture to continue)6. Type getdevinfo and press <enter>
These commands are case sensitive!
Cmd>getdevinfo
HTCSELF030050œ=Ó HTCE7. Leave MTTY running
Swap Back to USB Monitor
1. Starting at the last packet in the list, double click each row whose Direction is "Up"
2. The 12th packet from the end of the list when I did mine had the device ID and CID packet shown below.
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
Copy and paste the text into a text file and keep for future reference as the Device ID and CID ID are useful in determining the right ROM files to use as well as the wrong ones.
To Re-Enable Boot on a Good Device
Unless you tell the device where to boot from it will go back to boot loader every time so you need to re-enable boot from ROM.
These commands are case sensitive!1. Swap back to MTTY session
2. Type ruurun 0 <enter>
3. Type ResetDevice <enter>
Hope this helps.
Yours
Leon
Click to expand...
Click to collapse
Xperia J: fast+snappy stock kernel JB (11.2.A.0.21)
The following guide shows how to build the stock sources for you
stock xperia j phone with JB.
When Foxcon adopted the drivers for the xperia j they left in
a huge amount of debug which slows down your phone.
When we finally build our own kernel (Chapter 7)
we optimize it by:
- optimizing kernel for speed (not size)
- remove a huge amount of debug from the drivers
- remove kernel core debug
- remove debug_fs
- build without module support
In my opinion the kernel feels much more snappier afterwards.
The system reacts much more fluent on user inputs and sound
has less hangs than before.
Let me hear how it feels for you and if you like it or not
Maybe you have further modifications. So please post it here.
The last section describes how you can build your own kernel patch files.
0. Prerequisites
1. Extracting the current boot image
2. Splitting the image into kernel, ramdisk and cmdline
3. Unpack the ramdisk
4. Build the sony kernel with the original kernel configuration (.config)
5. Build a new boot image
6. Flash the new boot image to the phone
7. Now for the FUN part: TUNE the sony kernel with the attached patch-file
A: Howto build a patch file by comparing a
fresh extracted kernel sources with your edited sources:
0. Prerequisites
==================
- Device needs to be rooted and bootloader unlocked !!!
- Device needs to be up to date with latest Jelly Bean release 11.2.A.0.21 !!!
- A linux machine as working environment
- free ARM compiler, lite version, EABI, URL:
sourcery.mentor.com/sgpp/lite/arm/portal/release2322
- latest Xperia Jlo sources, URL:
developer.sonymobile.com/downloads/xperia-open-source-archives/open-source-archive-for-build-11-2-a-0-21/
- phyton script 'mkelf.py' to re-/build parition image, URL:
dl-developer.sonymobile.com/tools/image_generation_script_for_Xperia_smartphones.zip
- another basic guide, URL:
developer.sonymobile.com/2011/05/06/how-to-build-a-linux-kernel
1. Extracting the current boot image
======================================
- Install Andrdoid SDK.
- Then add a path to your .bashrc file of your linux host:
linux-w49x:~/my_kernel # echo "export PATH=/root/adt-bundle-linux-x86-20130219/sdk/platform-tools:$PATH" >> ~/.bashrc
linux-w49x:~/my_kernel # . ~/.bashrc
- Enable "USB-Debugging" in the phone seetings
- Start the phone and connect via USB to your linux machine
- At first we copy the sony boot image to the sdcard of the device:
linux-w49x:~ # adb shell
[email protected]:/ $ su
[email protected]:/ # dd if=/dev/block/mmcblk0p3 of=/sdcard/sony_boot.img
40960+0 records in
40960+0 records out
20971520 bytes transferred in 2.078 secs (10092165 bytes/sec)
- Read kernel config of your current kernel and store it on sdcard, too:
[email protected]:/ $ su
[email protected]:/ # cat /proc/config.gz > /sdcard/sony_config.gz
130|[email protected]:/ $ exit
130|[email protected]:/ $ exit
- Transfer both to your linux PC:
linux-w49x:~ # adb pull /sdcard/sony_boot.img
linux-w49x:~ # adb pull /sdcard/sony_config.gz
2. Splitting the image into kernel, ramdisk and cmdline
========================================================
- Basically the image consists of:
* 4k singed sin header with a ?x509? certificate
* kernel
* ramdisk
* cmdline parameters for the kernel
* a lot of empty space (~15 MB)
- Hexdump the image to make it human readable:
linux-w49x:~ # hexdump -C sony_boot.img > dump
linux-w49x:~ # head dump
00000000 7f 45 4c 46 01 01 01 61 00 00 00 00 00 00 00 00 |.ELF...a........|
00000010 02 00 28 00 01 00 00 00 00 80 20 00 34 00 00 00 |..(....... .4...|
00000020 00 00 00 00 00 00 00 00 34 00 20 00 03 00 00 00 |........4. .....|
00000030 00 00 00 00 01 00 00 00 00 10 00 00 00 80 20 00 |.............. .| <== Byte 9/10/11: is kernel start (after 4k sin header)
00000040 00 80 20 00 68 70 3c 00 68 70 3c 00 00 00 00 00 |.. .hp<.hp<.....| <== Byte 9/10/11: is kernel length
00000050 00 00 00 00 01 00 00 00 68 80 3c 00 00 00 40 01 |........h.<[email protected]| <== Byte 9/10/11: is ramdisk start
00000060 00 00 40 01 c6 1b 15 00 c6 1b 15 00 00 00 00 80 |[email protected]| <== Byte 9/10/11: is ramdisk length
00000070 00 00 00 00 04 00 00 00 2e 9c 51 00 00 00 00 00 |..........Q.....| <== Byte 9/10/11: is cmdline start
00000080 00 00 00 00 00 02 00 00 00 02 00 00 00 00 00 20 |............... | <== Byte 9/10/11: is cmdline length (512 characters)
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- Now read the addresses from behind:
00 10 00 => is 0x001000
68 70 3c => is 0x3c7068
68 80 3c => is 0x3c8068
c6 1b 15 => is 0x151bc6
2e 9c 51 => is 0x519c2e
00 02 00 => is 0x000200
- NOTE: THE NUMBERS WILL BE DIFFERENT FOR YOUR st26i DEVICE !!!
- Use 'dd' to split sony_boot.img into its single parts.
- BUT use the correct numbers from your kernel here:
linux-w49x:~ # dd skip=$((0x001000)) count=$((0x3c7068)) bs=1 if=sony_boot.img of=sony_kernel.img
3960936+0 records out
3960936 bytes (4.0 MB) copied, 66.2326 s, 59.8 kB/s
linux-w49x:~ # dd skip=$((0x3c8068)) count=$((0x151bc6)) bs=1 if=sony_boot.img of=sony_ramdisk.img.gz
1383366+0 records in
1383366+0 records out
1383366 bytes (1.4 MB) copied, 23.1965 s, 59.6 kB/s
linux-w49x:~ # dd skip=$((0x519c2e)) count=$((0x000200)) bs=1 if=sony_boot.img of=sony_cmdline.img
512+0 records in
512+0 records out
512 bytes (512 B) copied, 0.00931558 s, 55.0 kB/s
3. Unpack the ramdisk
=======================
- First unzip ramdisk (should start with 0x1f 0x8b )
linux-w49x:~ # hexdump -C sony_ramdisk.img.gz | head
00000000 1f 8b 08 00 a0 a8 50 51 00 03 ec 3d 69 73 db b8 |......PQ...=is..|
00000010 92 f9 fa f4 2b b0 72 ea cd d8 ab 83 92 cf 64 ca |....+.r.......d.|
00000020 5b 2b 5b b4 ad 7a b6 e4 91 e4 1c b5 f5 4a a1 48 |[+[..z.......J.H|
00000030 48 42 99 57 78 58 f1 ce e4 bf 6f 37 c0 03 a4 a8 |HB.WxX....o7....|
00000040 83 49 66 6a 76 ca aa 38 a6 c0 ee 46 a3 bb d1 68 |.Ifjv..8...F...h|
00000050 a0 01 58 39 55 4e 95 96 a2 28 ea 61 eb 4c 85 df |..X9UN...(.a.L..|
00000060 ca 51 4b ed 2a c5 9f 37 c7 ad a3 ab f6 71 f7 38 |.QK.*..7.....q.8|
00000070 57 7e 16 fd 6e af c1 4b ca 1b af 14 b9 be 2b 8e |W~..n..K......+.|
00000080 dc ea 1c ad c1 6b 65 bf 25 5f b7 d4 d7 4a e8 85 |.....ke.%_...J..|
00000090 f4 89 da 81 d1 98 3b a6 31 63 fe a2 e1 e9 af 5e |......;.1c.....^|
linux-w49x:~ # gunzip sony_ramdisk.img.gz
- Now again, the resulting sony_ramdisk.img should start with 0x30 0x37 0x30.
- Now extract cpio archive to a directory:
linux-w49x:~ # mkdir ramdisk
linux-w49x:~ # cd ramdisk/
linux-w49x:~/ramdisk # cpio -i < ../sony_ramdisk.img
4444 blocks
linux-w49x:~/ramdisk # ls
charger init init.qcom.ril.path.sh init.s1.rc logo.rle sys
data init.Sony.rc init.qcom.sh init.target.rc logo.rle.org system
default.prop init.goldfish.rc init.qcom.usb.rc init.trace.rc proc ueventd.Sony.rc
dev init.qcom.class_core.sh init.qcom.usb.sh init.usb.rc res ueventd.goldfish.rc
fstab.msm7627a init.qcom.class_main.sh init.rc init.usbmode.sh sbin ueventd.rc
- OPTIONAL: You can now modify the ramdisk to your needs... we will
repack it later from here.
4. Build the sony kernel with the original kernel configuration (.config)
===========================================================================
In this section we will just rebuild the sony kernel with its default config.
This step is optional. You might want to SKIP THIS STEP and continue dircetly
with building the optimized kernel (Chapter 7)
- Install the mentioned ARM compiler from Mentor (for URL, see top of page)
- Extract the kernel config we fetched from the device:
linux-w49x:~ # gunzip sony_config.gz
- Extract the sony kernel:
linux-w49x:~ # tar -xf 11.2.A.0.21.tar.bz2
- Add the config to the kernel base directory:
linux-w49x:~ # cp sony_config ./kernel/.config
linux-w49x:~ # cd kernel
linux-w49x:~/kernel # ARCH=arm CROSS_COMPILE=/root/CodeSourcery/Sourcery_CodeBench_Lite_for_ARM_EABI/bin/arm-none-eabi- make oldconfig
- OPTIONAL: reconfigure the kernel OR skip this step:
linux-w49x:~/kernel # ARCH=arm CROSS_COMPILE=/root/CodeSourcery/Sourcery_CodeBench_Lite_for_ARM_EABI/bin/arm-none-eabi- make menuconfig
- Because the ARM compiler is pretty strict, edit the kernel Makefile in "kernel/Makefile":
- Change this part....
ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
KBUILD_CFLAGS += -Os
else
KBUILD_CFLAGS += -O2
endif
- .. by appending this to the flags:
ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
KBUILD_CFLAGS += -Os $(call cc-disable-warning,maybe-uninitialized,) $(call cc-disable-warning,implicit-function-declaration,) $(call cc-disable-warning,strict-prototypes,) $(call cc-disable-warning,unused-function,) $(call cc-disable-warning,unused-variable,)
else
KBUILD_CFLAGS += -O2 $(call cc-disable-warning,maybe-uninitialized,) $(call cc-disable-warning,implicit-function-declaration,) $(call cc-disable-warning,strict-prototypes,) $(call cc-disable-warning,unused-function,) $(call cc-disable-warning,unused-variable,)
endif
- Finally we build the kernel:
linux-w49x:~/kernel # ARCH=arm CROSS_COMPILE=/root/CodeSourcery/Sourcery_CodeBench_Lite_for_ARM_EABI/bin/arm-none-eabi- make
- Time to grab a BIG 0xCOFFEE
5. Build a new boot image
===========================
- Collect the new kernel:
linux-w49x:~ # cp ~/kernel/arch/arm/boot/zImage my_kernel.img
- Pack a new ramdisk (or just take exsiting one)
linux-w49x:~ # cd ramdisk
linux-w49x:~/ramdisk # find . | cpio --quiet -H newc -o | gzip > ../my_ramdisk.img.gz
linux-w49x:~/ramdisk # cd ..
- Pack everything together using mkelf.py from sony (URL, see above):
linux-w49x:~ # python mkelf.py -o my_boot.img [email protected] [email protected],ramdisk [email protected],cmdline
6. Flash the new boot image to the phone
==========================================
- power off device
- vol up + attach usb = fastboot
linux-w49x:~ # fastboot flash boot ./my_boot.img
linux-w49x:~ # fastboot reboot
- If anything goes wrong you can always flash the extraced image using:
linux-w49x:~ # fastboot flash boot ./sony_image.img
linux-w49x:~ # fastboot reboot
7. Now for the FUN part: TUNE the sony kernel with the attached patch-file
=============================================================================
- Basically we disable "module support" as we have none
- Disable A LOT OF DEBUG: debugfs and various debug statments in MSM drivers
- Tune vibration period to be more gentle
- Optimize kernel size for speed and not for size
- Remove kernel and user space process debug infos
- Make sure you unpack the stock sony kernel sources. The sources need to be
fresh and clean!!!
linux-w49x:~ # tar -xf 11.2.A.0.21.tar.bz2
linux-w49x:~ # cd kernel/
- patch the performance tweaks to it. The perf_tweak.patch is appended to this post:
linux-w49x:~/kernel # patch -p3 < ../perf_tweak.patch
patching file ./kernel/power/earlysuspend.c
patching file ./Makefile
patching file ./arch/arm/mach-msm/smd_pkt.c
patching file ./arch/arm/mach-msm/sdio_cmux.c
patching file ./arch/arm/mach-msm/reset_modem.c
patching file ./arch/arm/mach-msm/qdsp5v2/mi2s.c
patching file ./arch/arm/mach-msm/qdsp5v2/audio_out.c
patching file ./arch/arm/mach-msm/modem_notifier.c
patching file ./arch/arm/mach-msm/msm_cpr-debug.c
patching file ./arch/arm/mach-msm/smd_rpcrouter.c
patching file ./arch/arm/mach-msm/ipc_router.c
patching file ./arch/arm/mach-msm/bam_dmux.c
patching file ./arch/arm/mach-msm/qdsp6/msm_q6vdec.c
patching file ./arch/arm/mach-msm/rmt_storage_client.c
patching file ./arch/arm/mach-msm/include/mach/debug_mm.h
patching file ./arch/arm/mach-msm/clock.c
patching file ./arch/arm/mach-msm/sdio_dmux.c
patching file ./arch/arm/mach-msm/msm_cpr.h
patching file ./arch/arm/mach-msm/qdsp5/audio_mp3.c
patching file ./arch/arm/mach-msm/qdsp5/audmgr.c
patching file ./arch/arm/mach-msm/qdsp5/audio_acdb.c
patching file ./arch/arm/mach-msm/qdsp5/audio_lpa.c
patching file ./arch/arm/mach-msm/pm2.c
patching file ./arch/arm/mach-msm/sdio_ctl.c
patching file ./arch/arm/mach-msm/clock-debug.c
patching file ./arch/arm/mach-msm/board-msm7627a-display.c
patching file ./arch/arm/mach-msm/vreg.c
patching file ./arch/arm/mach-msm/board-tamsui-jlo.c
patching file ./arch/arm/mach-msm/clock.h
patching file ./net/netfilter/xt_socket.c
patching file ./include/linux/vibrator_class.h
patching file ./include/linux/bma250.h
patching file ./drivers/media/common/tuners/xc4000.c
patching file ./drivers/tty/serial/msm_serial_hs.c
patching file ./drivers/vibrators/fih_vibrator.c
patching file ./drivers/vibrators/vibrator_class.c
patching file ./drivers/video/msm/msm_fb.c
patching file ./drivers/video/msm/mipi_orise.c
patching file ./drivers/bluetooth/bluesleep.c
patching file ./drivers/usb/otg/msm_otg.c
patching file ./drivers/usb/otg/msm72k_otg.c
patching file ./drivers/usb/gadget/f_diag.c
patching file ./drivers/usb/gadget/u_ctrl_hsuart.c
patching file ./drivers/usb/gadget/f_rmnet_smd_sdio.c
patching file ./drivers/usb/gadget/u_serial.c
patching file ./drivers/usb/gadget/u_bam.c
patching file ./drivers/usb/gadget/f_rmnet_smd.c
patching file ./drivers/input/keyboard/fih_gpio_keys.c
patching file ./drivers/input/keyboard/fih_power_key.c
patching file ./drivers/input/touchscreen/cyttsp_core.c
patching file ./drivers/input/sensor/qpdss702.c
patching file ./drivers/leds/fih_led.c
patching file ./drivers/net/wireless/bcmdhd/wl_linux_mon.c
patching file ./drivers/net/wireless/bcmdhd/Makefile
patching file ./drivers/net/wireless/bcmdhd/dhd_custom_gpio.c
patching file ./drivers/power/fih_bq27520_fuelgauger.c
patching file ./drivers/power/fih_msm_battery.c
patching file ./drivers/gpu/msm/adreno_postmortem.c
patching file ./drivers/gpu/msm/adreno.c
patching file ./drivers/rtc/rtc-msm.c
patching file ./.config
linux-w49x:~/kernel # ARCH=arm CROSS_COMPILE=/root/CodeSourcery/Sourcery_CodeBench_Lite_for_ARM_EABI/bin/arm-none-eabi- make
===> repeat steps 5) and 6) but use our new zImage.
A: Howto build a patch file by comparing a
fresh extracted kernel sources with your edited sources:
=========================================================
- Compare two kernel directories and create a patch from it:
linux-w49x:~ # export BASEDIR=$PWD
linux-w49x:~ # cd kernel/
linux-w49x:~/kernel # rm $BASEDIR/perf_tweak.patch
linux-w49x:~/kernel # find -name '*.c' -o -name '*.h' -o -name 'Makefile' -o -name '.config' | xargs [email protected] diff -upN $BASEDIR/kernel/@ $BASEDIR/my_kernel/@ >> $BASEDIR/perf_tweak.patch
Great Tutorial for Xperia J custom Kernel
Thanks .. Really helpful .
numbers were different in mine
dd skip=$((0x001000)) count=$((0x3da520)) bs=1 if=sony_boot.img of=sony_kernel.img
dd skip=$((0x3db520)) count=$((0x11a498)) bs=1 if=sony_boot.img of=sony_ramdisk.img.gz
dd skip=$((0x4f59b8)) count=$((0x000200)) bs=1 if=sony_boot.img of=sony_cmdline.img
I am with locked bootloader ( 1 week old JLo ) will do it as soon I unlock it.
I will also include swap support in kernel config and test .
omg it's so complicated...
have anyone finished it? Will it be released as flashable version ?
Lol ye makes me dizzy!
work on xperia J
this work on xperia J with bootloader locked
For simplicity's sake I like to build my kernels with CyanogenMod, but I'll check out your patch for some useful edits. :good:
Don't want to necro bump threads but....
Massive thanks to OP
I'd been messing around for the last day with trying to compile the .31 stock kernel from source.
Successfully used the above guide to dump the .31 kernel from phone add overclock to .31 source code (from Vengeance 1.42 source) compile, make boot.img and flash. :laugh:
Can I use this patch for the newest JB kernel? will it work?
Disclaimer:
Super image tools was made for testing and educational purposes, ME is not responsible for what you do on/with your device using our tools, you must agree that you using our tools on your own risk, I am not responsible for anything else!
How to use superunpack:
- First step, unpack super.sin using my tool or use @IgorEisberg unsin tool
- Step two, Superunpack. On windows just drag and drop unpacked super image onto our exe to start extraction. Also you can use it from command line, from script or from etc. On Linux use it from command line. No need to set slot like it was a case on lpunpack, our tool will auto extract all slot images for you, enjoy!
- If you need to unpack partition images in RW mode add parameter 1 at the end of command line e.g. "superunpack super.img 1", than resize partition using resize2fs, repair and unshare blocks using e2fsck. Or if you unpack without rw you no need to resize or repair it, just mount it ro.
How to manualy patch super partition in under Linux:
https://forum.xda-developers.com/t/...s-rw-in-super-partition.4120963/post-87112415
Note that, superunpack is a tool for extract all logical partitions from super image or directly from super partition.
How to use superrepack:
adb push superrepack.arm64_pie /data/local/tmp
adb shell
su
cd /data/local/tmp
mv superrepack.arm64_pie superrepack
chmod 755 superrepack
stop
./superrepack /dev/block/bootdevice/by-name/super system_a
sync
reboot
Note that, superrepack is a tool to convert logical RO partitions iside your phone super partition to RW mode without extracting anything, all things is done on the fly directly inside super partition/image! In this example system_a partiton is converted to the rw mode, if you need other partitions to rw just change system_a argument. Or if you need all partitions to rw mode do it without partition rw argumet e.g: "./superrepack /dev/block/bootdevice/by-name/super". YOU MUST RUN TOOL 4-5 TIMES UNTIL ALL ERRORS DISAPEARS!!! One of the well known errors is: "Couldn't clone file: Could not allocate block in ext2 filesystem". Look at /data/local/tmp/script.log each time and make sure it not contain any error otherwise you are not done things right and partition is not repaired yet!!! More info -> https://forum.xda-developers.com/t/...s-rw-in-super-partition.4120963/post-84966715
Platform:
- Superunpack is working on Windows, Linux, Android, Darwin11, just chose right binary.
- Superrepack is working only under android
Changelog:
- version 1 (21.Jun.2020), initial version
- version 1.1 (22.Jun.2020), dump file format detection, partition size correction in case ext4, partition group detection, have extraction progress bar, improvements
- version 2 (03.04.2021) implemented possibility to extract partition images to rw mode using Superunpack & I have made new tool called Superrepack
- version 2 (04.04.2021) implemented arguments so you would do conversion on single partition instead of doing it on all partitions
- version 3 (04.04.2021) implemented return codes and implemented output logs to be more scripting friendly
- version 4 - not released
- version 5 (08.04.2021) implemented resize and repair partitions after switching to rw mode. Implemented build script for building resize2fs, e2fsck, simg2ims, img2simg, lptools
- version 6 (08.04.2021) better loop device detection and setup
- version 7 (08.04.2021) fix selinux status detection
- version 8 (15.04.2021) fix loop device setup in superrepack
- version 9 (16.04.2021) make losetup android compatible
- version 10 - not released
- version 11 (01.05.2021) simplified, removed needs for parameter rw, implemented dm-verity disabler
- version 12 (05.05.2021) make old logs always deleted before fresh log is created, this prevent concentation with old logs
- version 13 (06.05.2021) make linux version so you should do the things on your super partition dump in linux machine
- version 14 (07.05.2021) fix compilation mess between linux and android
- version 15 (08.05.2021) use libselinux to determine and set selinux to permissive mode instead of popening getenforce-setenforce tools
Credits:
- me and me
Source code:
- source code -> https://github.com/munjeni/super_image_dumper
munjeni said:
hardcoded, no external libs, no android libs.
- my source code, later
Click to expand...
Click to collapse
Yet Another great tool!! :highfive:
Thanks!
New version is out, v11, it now detect file format, partition size correction in case ext4, partition group detection, have extraction progress bar, and it looks like:
Code:
---------------------------------------------------------
Super image dumper v_11 (by expert :) munjeni @ xda 2020)
---------------------------------------------------------
LpMetadataGeometry magic = 0x616c4467
LpMetadataGeometry struct size = 0x34
LpMetadataGeometry sha256 = 12FF55F0ABA7B506F25CB5DA5DCA09344234E8DF1D9C93AE82A499D98019467E
LpMetadataGeometry metadata_max_size = 0x10000
LpMetadataGeometry metadata_slot_count = 0x3
LpMetadataGeometry logical_block_size = 0x1000
LpMetadataHeader magic = 0x414c5030
LpMetadataHeader major_version = 10
LpMetadataHeader minor_version = 0
LpMetadataHeader header_size = 0x80
LpMetadataHeader header sha256 = CCF4F5D07842AAAE7C1B87F0E025512CF7AEA426D477B1E5175DA3D74F9B1C8C
LpMetadataHeader tables_size = 0x2e8
LpMetadataHeader tables sha256 = 52578668F89D8BCDA1BD1F748F2F69ED874C10A7062C85EF9970EE05D90161B1
LpMetadataHeader partitions offset = 0x0
LpMetadataHeader partitions num_entries = 0x8
LpMetadataHeader partitions entry_size = 0x34
LpMetadataHeader extents offset = 0x1a0
LpMetadataHeader extents num_entries = 0x5
LpMetadataHeader extents entry_size = 0x18
LpMetadataHeader groups offset = 0x218
LpMetadataHeader groups num_entries = 0x3
LpMetadataHeader groups entry_size = 0x30
LpMetadataHeader block_devices offset = 0x2a8
LpMetadataHeader block_devices num_entries = 0x1
LpMetadataHeader block_devices entry_size = 0x40
Partitions = 5 used, 3 not used, total 8
partition_1_name = system_a
attributes = 0x1
first_extent_index = 0x0
num_extents = 0x1
group_index = 0x1
partition_group = somc_dynamic_partitions_a
extent num_sectors = 0x336390 (0x66c72000 bytes total)
extent target_type = 0x0
extent target_data = 0x800 (dumping offset = 0x100000)
extent target_source = 0x0
Filetype EXT4. EXT4 size = 0x6526c000
Dumping system_a.ext4 ...
....................................................
....................................................
....................................................
..............................................
partition_2_name = system_b
attributes = 0x1
first_extent_index = 0x1
num_extents = 0x1
group_index = 0x2
partition_group = somc_dynamic_partitions_b
extent num_sectors = 0xab178 (0x1562f000 bytes total)
extent target_type = 0x0
extent target_data = 0x337000 (dumping offset = 0x66e00000)
extent target_source = 0x0
Filetype EXT4. EXT4 size = 0x150b3000
Dumping system_b.ext4 ...
..........................................
partition_3_name = product_a
attributes = 0x1
first_extent_index = 0x2
num_extents = 0x1
group_index = 0x1
partition_group = somc_dynamic_partitions_a
extent num_sectors = 0x2b62b8 (0x56c57000 bytes total)
extent target_type = 0x0
extent target_data = 0x3e2800 (dumping offset = 0x7c500000)
extent target_source = 0x0
Filetype EXT4. EXT4 size = 0x5565b000
Dumping product_a.ext4 ...
....................................................
....................................................
....................................................
..............
partition_4_name = product_b (not unused)
attributes = 0x1
first_extent_index = 0x3
num_extents = 0x0
group_index = 0x2
partition_group = somc_dynamic_partitions_b
extent num_sectors = NULL
extent target_type = NULL
extent target_data = NULL
extent target_source = NULL
Skipping dump.
partition_5_name = vendor_a
attributes = 0x1
first_extent_index = 0x3
num_extents = 0x1
group_index = 0x1
partition_group = somc_dynamic_partitions_a
extent num_sectors = 0x186d58 (0x30dab000 bytes total)
extent target_type = 0x0
extent target_data = 0x699000 (dumping offset = 0xd3200000)
extent target_source = 0x0
Filetype EXT4. EXT4 size = 0x30141000
Dumping vendor_a.ext4 ...
....................................................
............................................
partition_6_name = vendor_b (not unused)
attributes = 0x1
first_extent_index = 0x4
num_extents = 0x0
group_index = 0x2
partition_group = somc_dynamic_partitions_b
extent num_sectors = NULL
extent target_type = NULL
extent target_data = NULL
extent target_source = NULL
Skipping dump.
partition_7_name = odm_a
attributes = 0x1
first_extent_index = 0x4
num_extents = 0x1
group_index = 0x1
partition_group = somc_dynamic_partitions_a
extent num_sectors = 0xa60 (0x14c000 bytes total)
extent target_type = 0x0
extent target_data = 0x820000 (dumping offset = 0x104000000)
extent target_source = 0x0
Filetype EXT4. EXT4 size = 0x132000
Dumping odm_a.ext4 ...
partition_8_name = odm_b (not unused)
attributes = 0x1
first_extent_index = 0x5
num_extents = 0x0
group_index = 0x2
partition_group = somc_dynamic_partitions_b
extent num_sectors = NULL
extent target_type = NULL
extent target_data = NULL
extent target_source = NULL
Skipping dump.
Press any key to continue . . .
If you need to mount ext4 partition on Linux you need to mount partition RO or it will not mount!
I'm not one of those who make paid software and promote on xda, my work is always free. Even I'm always providing source code for free, source code of this tool is here -> https://github.com/munjeni/super_image_dumper , enjoy!
munjeni said:
I'm not one of those who make paid software and promote on xda, my work is always free. Even I'm always providing source code for free, source code of this tool is here -> https://github.com/munjeni/super_image_dumper , enjoy!
Click to expand...
Click to collapse
You are the best and I and many others thank you for make life so easy for us. :highfive:
PS: I will send you a PM with something you may find interesting and useful. :fingers-crossed:
Can I make this tool for remake oem.sin?
I have fw Xperia docomo bundling,and many bloatware,so I wont to remake oem.sin and deleted any bloatware, can I?
??sorry my English por????
paijoe88 said:
Can I make this tool for remake oem.sin?
I have fw Xperia docomo bundling,and many bloatware,so I wont to remake oem.sin and deleted any bloatware, can I?
?sorry my English por??
Click to expand...
Click to collapse
No you can't. Tool is unpacker only, it extracts oem from super image but doesn't reconstruct it back to super image. Even there is no known tool to make valid sin back because of signature.
Seems readonly partitions like oem, system, vendor...etc can be set to read-write mode via LP_PARTITION_ATTR overiding LpMetadataPartition.attributes 1 with 0. Anybody tried android version of this tool? E.g. dump block device e.g. /dev/block/bootdevice/super
RO flags (0x1), when it is set to 0x0 its RW mode, but header sha256 checksums of the LpMetadataGeometry and LpMetadataHeader also need to be modified in case we overvrite flags with RW mode!
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000003080 73 79 73 74 65 6D 5F 61 00 00 00 00 00 00 00 00 system_a........
000003090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000030A0 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................
0000030B0 01 00 00 00 73 79 73 74 65 6D 5F 62 00 00 00 00 ....system_b....
0000030C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000030D0 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 ................
0000030E0 01 00 00 00 02 00 00 00 70 72 6F 64 75 63 74 5F ........product_
0000030F0 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a...............
000003100 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
000003110 02 00 00 00 01 00 00 00 01 00 00 00 70 72 6F 64 ............prod
000003120 75 63 74 5F 62 00 00 00 00 00 00 00 00 00 00 00 uct_b...........
000003130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000003140 01 00 00 00 03 00 00 00 00 00 00 00 02 00 00 00 ................
Click to expand...
Click to collapse
Removed fake pie binary and made new true pie 64 bit binary for android. With it you can dump your super partition on your own phone e.g.
Code:
adb push superunpack.arm64_pie /data/local/tmp
adb shell
su
cd /data/local/tmp
chmod 755 superunpack.arm64_pie
./superunpack.arm64_pie /dev/block/bootdevice/by-name/super
and whola all ext4 partitonins from your super partition is extracted to the /data/local/tmp folder.
bump. Any news regarding forcing system to be read/write in Android 10 ?
Thanks for your hard work @munjeni
See post 8.
In most case if you change those byte vbmeta protection will do a bootloop, so I think no way to set it to force rw except if you unlock bootloader and disable vbmeta protection trought fastboot (more info -> https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/post-84509179)
munjeni said:
Seems readonly partitions like oem, system, vendor...etc can be set to read-write mode via LP_PARTITION_ATTR overiding LpMetadataPartition.attributes 1 with 0. Anybody tried android version of this tool? E.g. dump block device e.g. /dev/block/bootdevice/super
RO flags (0x1), when it is set to 0x0 its RW mode, but header sha256 checksums of the LpMetadataGeometry and LpMetadataHeader also need to be modified in case we overvrite flags with RW mode!
Click to expand...
Click to collapse
I replaced all 4 occurences of these three bytes in my super.img like you suggested and flashed it to my phone.
It didn't boot probably due to the invalid sha256 checksums as you predicted.
Which bytes I must hex edit in the extracted system.ext4 in order to make it rw? I was thinking maybe the shared_blocks feature?
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
You should read this to get idea -> https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout
TO be honest I never modified RO partitions. it can be probably done using parted, fsck and similar tools so you no need to do it by hexediting, try google a bit for idea I realy don't know
TO be honest I never modified RO partitions. it can be probably done using parted, fsck and similar tools so you no need to do it by hexediting, try google a bit for idea I realy don't know
Click to expand...
Click to collapse
@munjeni thank you so much for writing this amazing superunpack tool!
Thanks to your program and thanks to another tutorial I was able to create an automated bash script that transforms all read only partitions inside super.img (system, vendor , product, etc...) into read write-able partitions again and then flash to device as a brand new super.img.
HERE is the link to new universal version
munjeni said:
Disclaimer:
Superunpack tool was made for testing and educational purposes, ME is not responsible for what you do on/with your device using superunpack, you must agree that you using superunpack on your own risk, I am not responsible for anything else!
How to use:
- First step, unpack super.sin using my tool or use @IgorEisberg unsin tool
- Step two, on windows just drag and drop unpacked super image onto our exe to start extraction. Also you can use it from command line, from script or from etc. On Linux use it from command line. No need to set slot like it was a case on lpunpack, our tool will auto extract all slot images for you, enjoy!
Platform:
- Superunpack is working on Windows, Linux, Android, Darwin11, just chose right superunpack binary.
Changelog:
- version 10 (21.Jun.2020), initial version
- version 11 (22.Jun.2020), dump file format detection, partition size correction in case ext4, partition group detection, have extraction progress bar, improvements
Credits:
- not right now
Source code:
- tool is based on just this header, the rest of things is myself implemented - hardcoded, no external libs, no android libs.
- my source code -> https://github.com/munjeni/super_image_dumper
Click to expand...
Click to collapse
Wow, this is pretty impressive my friend. Big props!! Just curious, what's the difference with "this" utility(superunpack) and the standard android lpunpack?
bynarie said:
Wow, this is pretty impressive my friend. Big props!! Just curious, what's the difference with "this" utility(superunpack) and the standard android lpunpack?
Click to expand...
Click to collapse
Diferencie is that my tool not use any external dependencies so can be build easily as a static binary. Seccond diferencie is its easy to use, just drag and drop file to extract. I'm not tried lpunpack so I can't tell the exact diferencie, you tell me
munjeni said:
Diferencie is that my tool not use any external dependencies so can be build easily as a static binary. Seccond diferencie is its easy to use, just drag and drop file to extract. I'm not tried lpunpack so I can't tell the exact diferencie, you tell me
Click to expand...
Click to collapse
lpunpack:
works with sparse files
creates .img files
gives zero text output so you don't know what's happening under the hood
extracts all partitions even the empty ones
Superunpack:
works with raw files
creates .ext4 files
gives lots of text info so you know exactly what's going on
only extracts the partitions that are not empty
These are the main differences that I noticed.
Hey friend I get this error can you help me out?
[Novice alert]
lebigmac said:
lpunpack:
works with sparse files
creates .img files
gives zero text output so you don't know what's happening under the hood
extracts all partitions even the empty ones
Superunpack:
works with raw files
creates .ext4 files
gives lots of text info so you know exactly what's going on
only extracts the partitions that are not empty
These are the main differences that I noticed.
Click to expand...
Click to collapse
Nice !
munjeni said:
Diferencie is that my tool not use any external dependencies so can be build easily as a static binary. Seccond diferencie is its easy to use, just drag and drop file to extract. I'm not tried lpunpack so I can't tell the exact diferencie, you tell me
Click to expand...
Click to collapse
Good stuff, thank you!
I have an Android device with a QComm SDM680 SOC. The QCom part# of the SOC is SM6225.
How do I find the "hw_soc_version" and "soc_version" of the SDM680/SM6225 ?
I've found some general scripts that collate this type of info, like this one. But the SDM680 is not in any of those lists.
I've searched on the rooted device, grepped the kernel logs and the kernel opensource. fastboot getvar all doesn't expose this info either.
Does anybody know how to find these values?
Oh, that's easy. You just run an EDL client, they always ask the HWID.
You don't even need to have a loader for it.
On my EDL client just:
Code:
C:\>edl /l
Found EDL 9008
Serial: 12345678
HWID: 000cc0e100000000, QC: 000cc0e1, OEM: 0000, Model: 0000
Hash: 7be49b72f9e43372-23ccb84d6eccca4e-61ce16e3602ac200-8cb18b75babe6d09
You can also attach a UART while booting.
Code:
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.1.4-00246-S660LZB-1
S - IMAGE_VARIANT_STRING=Sdm660LA
S - OEM_IMAGE_VERSION_STRING=cibuild
S - Boot Interface: Unknown
S - Secure Boot: Off
S - Boot Config @ 0x00786070 = 0x000001c1
S - JTAG ID @ 0x00786130 = 0x000cc0e1
Note that even though this is a SDM636 the log speaks of 660, but the "JTAG ID" is the correct HWID.
Usually the certs in xbl/abl has the HW_ID in it.
Also:
Code:
Teletex string 11 3007 0000 0000 0000 0000 0000 0000 0000 0000 0000 SOC_VERS
(I've never run into this soc_version before.)
Also, AFAIK, your friendly Firehose loader repository doesn't have a loader for this.
Edit: Oh, you're not looking for the HWID?
Renate said:
Oh, that's easy. You just run an EDL client, they always ask the HWID.
You don't even need to have a loader for it.
On my EDL client just:
Code:
C:\>edl /l
Found EDL 9008
Serial: 12345678
HWID: 000cc0e100000000, QC: 000cc0e1, OEM: 0000, Model: 0000
Hash: 7be49b72f9e43372-23ccb84d6eccca4e-61ce16e3602ac200-8cb18b75babe6d09
...
Edit: Oh, you're not looking for the HWID?
Click to expand...
Click to collapse
Thanks for the tip. I checked the SAHARA output. It seems that this HWID consists of the MSM_ID+OEM+MODEL. For the SDM680 I got: HW_ID: 0x001b80e100000000 (MSM_ID=0x001b80e1 OEM_ID=0x0000 MODEL_ID=0x0000).
Looking at bkerler's qualcomm_config.py, it seems that the hw_soc_version and hwid are two different things. For example for the SDM660, the msmid entry is 0x08C0E1, with a comment that the soc_hw_version is different:
Code:
0x08C0E1: "SDM660", # 0x30060000 soc_hw_version
Renate said:
Usually the certs in xbl/abl has the HW_ID in it.
Click to expand...
Click to collapse
Even though it's about the hwid, I looked into this too. It seems that around 2016, the HWID was stored in OU fields in the certificiates in the XBL file (see pages 10-11). But after 2019, it is now stored in the metadata of the MBN image (see page 9) within the XBL file. I only mention it because I thought it might prove useful for you.
Curiously, the HWID wasn't in the certs or metadata in my stock ROM's xbl.elf. Strange.
Yahoo Mike said:
For the SDM680 I got: HW_ID: 0x001b80e100000000...
Click to expand...
Click to collapse
The good news for you is that it's not stamped OEM/model.
There's some chance that this is not SecureBoot.
Which means that any loader that's compatible with your SoC will work.
What does this say: fastboot getvar secure
What does this say: cat /proc/cpuinfo (Just the name line.)
You can also look in the DTB, either decoded or raw, it's at the beginning.
Then there's the other wrinkle that Qualcomm has SDM numbers, MSM numbers and code names for SoCs.
Maybe that cpuinfo will tell you a codename.
Renate said:
The good news for you is that it's not stamped OEM/model.
There's some chance that this is not SecureBoot.
Which means that any loader that's compatible with your SoC will work.
What does this say: fastboot getvar secure
Click to expand...
Click to collapse
I think SecureBoot is on. I've had to do a test-points recovery a few times - after I tried to run with a patched (and incorrectly signed) ABL.
In fastbootd & bootloader menus, it says SecureBoot is on. And (as you suggested) fastboot utility agrees:
Code:
C:\>fastboot getvar secure
secure: yes
Finished. Total time: 0.001s
Renate said:
What does this say: cat /proc/cpuinfo (Just the name line.)
You can also look in the DTB, either decoded or raw, it's at the beginning.
Then there's the other wrinkle that Qualcomm has SDM numbers, MSM numbers and code names for SoCs.
Maybe that cpuinfo will tell you a codename.
Click to expand...
Click to collapse
The codename is khaje.
Code:
TB128FU:/ # cat /proc/cpuinfo
Processor : AArch64 Processor rev 4 (aarch64)
...<info about 8 processors>...
Hardware : Qualcomm Technologies, Inc KHAJE
That agrees with the run-time /sys/devices/soc0/soc_id value of 518, which is "khaje" according to the stock ROM's /vendor/bin/init.qti.display_boot.sh and /vendor/bin/init.qcom.post_boot.sh.
Curiously, at the beginning of the DTB it says it's "Bengal":
Code:
00 00 00 03 00 00 00 33 00 00 00 00 51 75 61 6C .......3....Qual
63 6F 6D 6D 20 54 65 63 68 6E 6F 6C 6F 67 69 65 comm Technologie
73 2C 20 49 6E 63 2E 20 42 65 6E 67 61 6C 20 31 s, Inc. Bengal 1
47 62 20 44 44 52 20 48 44 2B 20 53 6F 43 00 00 Gb DDR HD+ SoC..
But at offset 0x2A62D0 it changes its name:
Code:
00 00 00 00 00 03 00 00 00 26 00 00 00 00 51 75 .........&....Qu
61 6C 63 6F 6D 6D 20 54 65 63 68 6E 6F 6C 6F 67 alcomm Technolog
69 65 73 2C 20 49 6E 63 2E 20 4B 68 61 6A 65 20 ies, Inc. Khaje
53 6F 43 00 00 00 00 00 00 03 00 00 00 0B 00 00 SoC.............
I can't believe how many different numbers/strings QCom has to describe a SoC: soc_id, codename, hwid, msm_id ... and the ever-elusive hw_soc_version.
Anyway, I'll load up this SoC's firehose program to bkerler's edl. I'll slip in a question about how to query the hw_soc_version. I'll post back any reply.
Yahoo Mike said:
The codename is khaje.
Click to expand...
Click to collapse
Khajeh is a city in Iran: https://en.wikipedia.org/wiki/Khajeh,_Iran
Yahoo Mike said:
Curiously, at the beginning of the DTB it says...
Click to expand...
Click to collapse
That's because you are probably looking at multiple DTBs.
You can simply grep/scan for "Qualcomm Technologies".
I don't know why they do that.
The abl scans through them and find the one that best matches.
S/N: 0x7BD1BDD5
HW ID: 0x001B80E10015006D -> HUAWEI
HASH: 0xB25DECD85D217F5D9B53DC3C42EF7846DCEF59DD3E0AF4D12606199F5099FF23D73C3AFFBE5EFBF421A81A197E41FDF5
PBL : 0x00000000
HASH TYPE: SHA384
DEV HASH: 0x0000003AC0D4
CPU : Undefined CPU: 001B80E10015006D