Database Info

Change MAC address via ActiveSync

Don't do it unless you know what it is and it is your choice
First please backup all gsmdata using backup_GSM.bat and restore using restore_GSM.bat if things go wrong, hope not to
Use at your own risk, take no responsibility for any RESPONSIBLE FOR ANY MALFUNCTIONS OR OTHER ISSUES THAT MAY OCCUR
1. Connect active sync, I connect it in guest mode
2. Run Read_MAC_adsress.bat
3. Save your old MAC address (the file orig_MAC.bin) at good location in your hard disk
4. Open newMAC.bin in any hex editor (it's your MAC address in reverse)
5. Change it as you want and save it
6. Run Write_new_MAC.bat to change MAC address
7. If you want to restore the old MAC address run restore_mac.bat
8. now soft reset
9. just wish me luck If this works for you and I hope it will
To check your MAC address: go to wireless settings > advance > MAC > see it there
I'll make an app to change it soon after the exam if this works
paradis_pal
long live Palestine

am I on the black list again?
this works on my device, and there is no risk if you backup all gsmdata using backup_GSM.bat and restore using restore_GSM.bat, but the save the gsmdata.bin in a good location

it works try it
I udpate it to the new itsutils tool and it works, I used to use the old version

Perhaps a foolish question, but what is the benefit of changing the MAC adress?

another stupid question...
thnx but what the advantage of changing mac address..?
and is mac address is IMEI ..?

an example..
If you are hacker of wi-fi connections, you can find permitted mac adress..
After you can change mac adress of your device and enter to wi-fi network.. (if wi-fi network has shield with only mac adresses)
Mac adress using for network identity and its unique on the world..
IMEI number using for gsm device identity..

Thanks for explaining!

rondol1 said:
Perhaps a foolish question, but what is the benefit of changing the MAC adress?
Click to expand...
Click to collapse
Dear sir
Please please, next time before asking a foolish question, use search and you will find a lot of answers, and not only in this forum.
Or at least read the first line (don’t do it unless you know what it is).
Thanks in advance.

ycimpir said:
If you are hacker of wi-fi connections, you can find permitted mac adress..
After you can change mac adress of your device and enter to wi-fi network.. (if wi-fi network has shield with only mac adresses)
Mac adress using for network identity and its unique on the world..
IMEI number using for gsm device identity..
Click to expand...
Click to collapse
Thanks for this answer I couldn’t answer better
Some people set their access points to certain MAC addresses, if you knew them, you can access the network (hack) for free internet at least in my case.
The problem: there are no close WiFi networks near my area, but I hack a net café using this method,
Thanks for replying

nice, thanks for this

Hello Chopin
I can't unzip file:"Cannot open file: it does not appear to be a valid archive. If you downloaded this file, try downloading the file again" Please, could you share it again??
Thanks

sorry it is rar archive I should warn
use the free program 7-zip to uncompress the files

Chopin said:
sorry it is rar archive I should warn
use the free program 7-zip to uncompress the files
Click to expand...
Click to collapse
Ok, thanks, I get it.
Regards

Hey,
It doesn't work for me.
I connect my phone and active sync is in guest mode, then i run read_mac_adsress but i can't find newMAC.bin.
Where can i find this file?
Thanks,
Steffen

sorry for the late reply, Exams
if you use wm5, install enablerapi.cab first you can find it at the pagepool changer

I assume pdocread/write are Prophet specific? I have a Kaiser. I tried backup_GSM first, but got 0 bytes, so I'm assuming it is Prophet specific. Is there anyway that I could get source code to modify for Kaiser?
I would like to change MAC addresses on my Kaiser to troubleshoot problems with our crap MAC-secured wireless network. Currently, I have to lug around my laptop to do this.
Thanks!

http://nah6.com/~itsme/cvs-xdadevtools/itsutils/

Artemis
I'm using an Artemis (Xda Orbit) and tried Read_MAC_adsress which didn't work for me either.
Using pdocread -l I get this:
62.44M (0x3e70000) TrueFFS
| 3.06M (0x30fc00) Part00
| 3.06M (0x310000) Part01
| 56.25M (0x3840000) Part02
46.97M (0x2ef8000) TrueFFS
| 3.06M (0x30fc00) Part00
| 3.06M (0x310000) Part01
| 56.25M (0x3840000) Part02
511.50k (0x7fe00) TRUEFFS
| 3.06M (0x30fc00) Part00
| 3.06M (0x310000) Part01
| 56.25M (0x3840000) Part02
5.69G (0x16c680000) DSK1:
| 5.69G (0x16c280000) Part00
20.00k (0x5000) BTD1:
| 19.00k (0x4c00) PART00
STRG handles:
handle cd94b3fe 19.00k (0x4c00)
handle 4da2e506 5.69G (0x16c280000)
handle ae9cbe2e511.50k (0x7fe00)
handle aeace2a2 46.97M (0x2ef8000)
handle 0eae22b6 56.25M (0x3840000)
handle ceae2002 3.06M (0x310000)
handle 6fb1ffa2 3.06M (0x30fc00)
disk cd94b3fe
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 4da2e506
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk ae9cbe2e
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk aeace2a2
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 0eae22b6
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 15 xx 01 xx 2a xx 02 xx 09 xx 06 xx
disk ceae2002
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 15 xx 01 xx 2a xx 02 xx 09 xx 06 xx
disk 6fb1ffa2
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 15 xx 01 xx 2a xx 02 xx 09 xx 06 xx
I xx'ed out some of the numbers on the uniqueid in case I was giving something away I shouldn't.
Given that information, any chance you can point me in the right direction to finding where my MAC address is?
Thanks.

I'm not sue about youe device, acctually I'm not sure if this will work in other prophet, no one confirm
I can only assure it work only on my device
-l will list the disk only, the MAC can be found the data on the doc, not on the list
I can't help u right now but try to ask in your device section hope that someone will help you
and if please one confirm if this will read the MAC address

thanx man . i ll test it

[REQ]Capture ELF/ELFIN Device ID and CID ID (to help CyZeek)

Hi Everyone
I'm posting this to help out CyZeek.
To capture ELF/ELFIN Device ID and CID ID using MTTY and USB Monitor Lite on XP SP2 and Vista x64
You will need:
1. A demo copy of USB Monitor Lite
http://www.hhdsoftware.com (the demo is fully functional for 14 days).​2. A Copy of MTTY (and you need to be basically familiar with it)
Put your Device into Boot Loader
Assuming your device is not already at the TSoD (Tricolour Screen of Death) - if it is skip this instruction and move on to the next section.
1. Press and hold your camera button
2. Press reset with stylus
3. Wait 5 seconds and release the camera button
Kill ActiveSync USB Connections - XP
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted Right Click the Active sync Icon in the system tray and select "Connection Settings"
3. Turn off USB
-or-
Kill ActiveSync USB Connections - Vista
Download and install MS Windows Mobile Device Centre from here: http://www.microsoft.com/windowsmobile/devicecenter.mspx
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted click Start -> All Programs -> Windows Mobile Device Centre
3. Hover over Mobile Device Settings and Click on Connection Settings.
4. Turn off Allow USB Connections
Connect Your Device to USB
1. Plug in the USB cable
Turn On Spoofing / packet capture
1. Install the demo version of USB Monitor Lite (DMS) and Start Device Monitoring Studio.
2. Connect your device which should be in TSoD (Tricolour Screen of Death) boot loader.
3. Click the item entitled "Pocket PC USB Sync" which activates the main screen
4. Double-Click the item entitled "Packet View" in the Session Configuration Screen.
5. Click the Start button in the selected processing region
You'll know you got this right because you will see two packets displayed:
PnP: Device Connected
Internal: Pipe Info Transfer​6. Leave the USB Monitor running
Run up MTTY, Log In and Issue “getdevinfo” Command
For details on downloading MTTY and recovering from the TSoD see this thread: http://forum.xda-developers.com/showthread.php?t=347700
1. In "Open Port Setting" Dialog Set to Port = USB
2. Flow Cont = RTC/CTS
3. Click OK
4. When a new communication page opens press Enter and the Cmd> prompt will be displayed
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID Locked​Check that USB Monitor is running (you may need to press the "continue 14 day trial" button to get the capture to continue)​6. Type getdevinfo and press <enter>
These commands are case sensitive!
Cmd>getdevinfo
HTCSELF030050œ=Ó HTCE​7. Leave MTTY running
Swap Back to USB Monitor
1. Starting at the last packet in the list, double click each row whose Direction is "Up"
2. The 12th packet from the end of the list when I did mine had the device ID and CID packet shown below.
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
Copy and paste the text into a text file and keep for future reference as the Device ID and CID ID are useful in determining the right ROM files to use as well as the wrong ones.
To Re-Enable Boot on a Good Device
Unless you tell the device where to boot from it will go back to boot loader every time so you need to re-enable boot from ROM.
These commands are case sensitive!​1. Swap back to MTTY session
2. Type ruurun 0 <enter>
3. Type ResetDevice <enter>
Hope this helps.
Yours
Leon

Thank you Leon, im gonna post a link to this post a the rom compilation thread ( Elf/Elfin Original Roms Model Id & Cid Id List ), for the people who wants to make a request.

Any time, CyZeek
The work you're doing on ROMs DevIDs and CIDs is very important indeed, glad to help.
Yours
Leon

Thank you
After a long tima trying i managed to get the CID!
It worked fine!
Thank you
Question:
Any one knows if a non original rom ends the warranty if the device is malfunctioning?

filiperod said:
After a long tima trying i managed to get the CID!
It worked fine!
Thank you
Question:
Any one knows if a non original rom ends the warranty if the device is malfunctioning?
Click to expand...
Click to collapse
Yes it's against warranty terms. But, if your are using a cooked rom, and need service from HTC, just reflash with your original rom and no prob.

g_cKeyCardSecurityLevel = o
what does it mean?

...
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID Locked​Check that USB Monitor is running (you may need to press the "continue 14 day trial" button to get the capture to continue)​...
no - in that case nothing happens, when I try to type in "getdevinfo" and execute - system tells me - "wrong password".
what can I try to do?

Just in case you misunderstood...
5.Type:> password BsaD5SeoA <=Don't copy/paste from here!
Press:> [ENTER]
...
...
&go on with Leon's process.
Regards!

did everything as stated however no success....each UP line basically has stuff similar this written only in it....
000079: Bulk or Interrupt Transfer (UP), 04.06.2008 18:34:21.699 +0.001. Status: 0x00000000
Pipe Handle: 0x846006ec (Endpoint Address: 0x82)
Get 0x1 bytes from the device

Dude you Rock
leondaphillips
you rock so hard that i feel the love here in Dunedin New Zealand
after harting round for days with vista drivers and all the random **** life(and computers) and now my phone hits me with i have acheaved CID nowing niss thanks to this thread here the sweet code:
45 4C 46 30 31 30 30 30 30 00 00 00 00 00 00 00 ELF010000.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
44 4F 50 4F 44 30 30 31 00 00 00 00 00 00 00 00 DOPOD001........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
phone is GSM vodafone Touch from singapore.thanks mate keep the howtos comeing.

Thankyou verymuch its a goodway

leondaphillips said:
Hi Everyone
I'm posting this to help out CyZeek.
4. When a new communication page opens press Enter and the Cmd> prompt will be displayed
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID Locked​
Click to expand...
Click to collapse
Mine is FF, CID locked?
These commands are case sensitive!
Cmd>getdevinfo
HTCSELF030050œ=Ó HTCE​
Click to expand...
Click to collapse
Cmd>getdevinfo
HTCSELF010050gUH¥HTCE
Cmd>
2. The 12th packet from the end of the list when I did mine had the device ID and CID packet shown below.
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
Copy and paste the text into a text file and keep for future reference as the Device ID and CID ID are useful in determining the right ROM files to use as well as the wrong ones.
Click to expand...
Click to collapse
Mine at the 12th packet too
45 4C 46 30 31 30 30 35 30 00 00 00 00 00 00 00 ELF010050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
48 54 43 5F 5F 45 31 31 00 00 00 00 00 00 00 00 HTC__E11........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............

leondaphillips
you are a genius, it worked, a million thanks. I tried other way with MTTY, snoopypro & Hexer loads of times without success & I'd given up hope!

thanks .....
good gob

elf0100050
bstar502
any one have it

where can I find rom
Where can i find rom for htc p3450 elfin
ELF010050
HTC__001

leondaphillips said:
Hi Everyone
I'm posting this to help out CyZeek.
To capture ELF/ELFIN Device ID and CID ID using MTTY and USB Monitor Lite on XP SP2 and Vista x64
You will need:
1. A demo copy of USB Monitor Lite
http://www.hhdsoftware.com (the demo is fully functional for 14 days).​2. A Copy of MTTY (and you need to be basically familiar with it)
Put your Device into Boot Loader
Assuming your device is not already at the TSoD (Tricolour Screen of Death) - if it is skip this instruction and move on to the next section.
1. Press and hold your camera button
2. Press reset with stylus
3. Wait 5 seconds and release the camera button
Kill ActiveSync USB Connections - XP
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted Right Click the Active sync Icon in the system tray and select "Connection Settings"
3. Turn off USB
-or-
Kill ActiveSync USB Connections - Vista
Download and install MS Windows Mobile Device Centre from here: http://www.microsoft.com/windowsmobile/devicecenter.mspx
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted click Start -> All Programs -> Windows Mobile Device Centre
3. Hover over Mobile Device Settings and Click on Connection Settings.
4. Turn off Allow USB Connections
Connect Your Device to USB
1. Plug in the USB cable
Turn On Spoofing / packet capture
1. Install the demo version of USB Monitor Lite (DMS) and Start Device Monitoring Studio.
2. Connect your device which should be in TSoD (Tricolour Screen of Death) boot loader.
3. Click the item entitled "Pocket PC USB Sync" which activates the main screen
4. Double-Click the item entitled "Packet View" in the Session Configuration Screen.
5. Click the Start button in the selected processing region
You'll know you got this right because you will see two packets displayed:
PnP: Device Connected
Internal: Pipe Info Transfer​6. Leave the USB Monitor running
Run up MTTY, Log In and Issue “getdevinfo” Command
For details on downloading MTTY and recovering from the TSoD see this thread: http://forum.xda-developers.com/showthread.php?t=347700
1. In "Open Port Setting" Dialog Set to Port = USB
2. Flow Cont = RTC/CTS
3. Click OK
4. When a new communication page opens press Enter and the Cmd> prompt will be displayed
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID Locked​Check that USB Monitor is running (you may need to press the "continue 14 day trial" button to get the capture to continue)​6. Type getdevinfo and press <enter>
These commands are case sensitive!
Cmd>getdevinfo
HTCSELF030050œ=Ó HTCE​7. Leave MTTY running
Swap Back to USB Monitor
1. Starting at the last packet in the list, double click each row whose Direction is "Up"
2. The 12th packet from the end of the list when I did mine had the device ID and CID packet shown below.
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
Copy and paste the text into a text file and keep for future reference as the Device ID and CID ID are useful in determining the right ROM files to use as well as the wrong ones.
To Re-Enable Boot on a Good Device
Unless you tell the device where to boot from it will go back to boot loader every time so you need to re-enable boot from ROM.
These commands are case sensitive!​1. Swap back to MTTY session
2. Type ruurun 0 <enter>
3. Type ResetDevice <enter>
Hope this helps.
Yours
Leon
Click to expand...
Click to collapse
ive followed your instruction and got the ff-cid locked data.
ive tried everything but cannot make the gold card.with or without usb.

Hi
I have s621 in 3 color mode not eset and open with cid lock.
I have done all but I can not see my cid and Id.
My mtty like that what is wrong. ?
Thank you.
Code:
Cmd>password BsaD5SeoA
Pass.
+ SD Controller init
- SD Controller init
+StorageInit
SDInit+++
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
CMD55 failed
+ SD Controller init
- SD Controller init
+StorageInit
SDInit+++
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
SDCmd55 Command response time-out. MMC_STAT = 80
CMD55 failed
g_cKeyCardSecurityLevel = FF
Type (0x1)(Operation mode flag): cOpModeFlag=(0x0).
Type (0x2)(Back color flag): cBackColorShowFlag=(0x1).
Type (0x5)(Background color value): g_wBColor=(0xC618) (0xC0C0C0).
HTCST

Thank you OP. I used your method and found the Device ID and CID of Telus HTC Touch Dual (Neon400, Canada). See below:
4E 45 4F 4E 34 30 30 30 00 00 00 00 00 00 00 00 NEON4000........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 4C 53 30 00 00 00 00 00 00 00 00 00 00 00 00 TLS0............
00 00 00 00 ....

Hello i have cant find device id and cid can any one help me see log and also Device Monitoring give cid 000000000............
HTCST
Cmd>getdevinfo
GetDeviceCID: Error - InitDecoder
HTCSXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXh{Â&HTCE
Cmd>
leondaphillips said:
Hi Everyone
I'm posting this to help out CyZeek.
To capture ELF/ELFIN Device ID and CID ID using MTTY and USB Monitor Lite on XP SP2 and Vista x64
You will need:
1. A demo copy of USB Monitor Lite
http://www.hhdsoftware.com (the demo is fully functional for 14 days).​2. A Copy of MTTY (and you need to be basically familiar with it)
Put your Device into Boot Loader
Assuming your device is not already at the TSoD (Tricolour Screen of Death) - if it is skip this instruction and move on to the next section.
1. Press and hold your camera button
2. Press reset with stylus
3. Wait 5 seconds and release the camera button
Kill ActiveSync USB Connections - XP
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted Right Click the Active sync Icon in the system tray and select "Connection Settings"
3. Turn off USB
-or-
Kill ActiveSync USB Connections - Vista
Download and install MS Windows Mobile Device Centre from here: http://www.microsoft.com/windowsmobile/devicecenter.mspx
1. Reboot your PC with without a mobile device connected to USB.
2. After your PC has rebooted click Start -> All Programs -> Windows Mobile Device Centre
3. Hover over Mobile Device Settings and Click on Connection Settings.
4. Turn off Allow USB Connections
Connect Your Device to USB
1. Plug in the USB cable
Turn On Spoofing / packet capture
1. Install the demo version of USB Monitor Lite (DMS) and Start Device Monitoring Studio.
2. Connect your device which should be in TSoD (Tricolour Screen of Death) boot loader.
3. Click the item entitled "Pocket PC USB Sync" which activates the main screen
4. Double-Click the item entitled "Packet View" in the Session Configuration Screen.
5. Click the Start button in the selected processing region
You'll know you got this right because you will see two packets displayed:
PnP: Device Connected
Internal: Pipe Info Transfer​6. Leave the USB Monitor running
Run up MTTY, Log In and Issue “getdevinfo” Command
For details on downloading MTTY and recovering from the TSoD see this thread: http://forum.xda-developers.com/showthread.php?t=347700
1. In "Open Port Setting" Dialog Set to Port = USB
2. Flow Cont = RTC/CTS
3. Click OK
4. When a new communication page opens press Enter and the Cmd> prompt will be displayed
5. Type password BsaD5SeoA <enter> (a lot of diagnostic info will be displayed).
Somewhere near the end you should see
g_cKeyCardSecurityLevel = FF
Which will tell you that you're CID Locked​Check that USB Monitor is running (you may need to press the "continue 14 day trial" button to get the capture to continue)​6. Type getdevinfo and press <enter>
These commands are case sensitive!
Cmd>getdevinfo
HTCSELF030050œ=Ó HTCE​7. Leave MTTY running
Swap Back to USB Monitor
1. Starting at the last packet in the list, double click each row whose Direction is "Up"
2. The 12th packet from the end of the list when I did mine had the device ID and CID packet shown below.
45 4C 46 30 33 30 30 35 30 00 00 00 00 00 00 00 ELF030050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 35 00 00 00 00 00 00 00 00 T-MOB005........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- -- ..............
Copy and paste the text into a text file and keep for future reference as the Device ID and CID ID are useful in determining the right ROM files to use as well as the wrong ones.
To Re-Enable Boot on a Good Device
Unless you tell the device where to boot from it will go back to boot loader every time so you need to re-enable boot from ROM.
These commands are case sensitive!​1. Swap back to MTTY session
2. Type ruurun 0 <enter>
3. Type ResetDevice <enter>
Hope this helps.
Yours
Leon
Click to expand...
Click to collapse

Xperia J: fast+snappy stock kernel JB (11.2.A.0.21)

Xperia J: fast+snappy stock kernel JB (11.2.A.0.21)
The following guide shows how to build the stock sources for you
stock xperia j phone with JB.
When Foxcon adopted the drivers for the xperia j they left in
a huge amount of debug which slows down your phone.
When we finally build our own kernel (Chapter 7)
we optimize it by:
- optimizing kernel for speed (not size)
- remove a huge amount of debug from the drivers
- remove kernel core debug
- remove debug_fs
- build without module support
In my opinion the kernel feels much more snappier afterwards.
The system reacts much more fluent on user inputs and sound
has less hangs than before.
Let me hear how it feels for you and if you like it or not
Maybe you have further modifications. So please post it here.
The last section describes how you can build your own kernel patch files.
0. Prerequisites
1. Extracting the current boot image
2. Splitting the image into kernel, ramdisk and cmdline
3. Unpack the ramdisk
4. Build the sony kernel with the original kernel configuration (.config)
5. Build a new boot image
6. Flash the new boot image to the phone
7. Now for the FUN part: TUNE the sony kernel with the attached patch-file
A: Howto build a patch file by comparing a
fresh extracted kernel sources with your edited sources:
0. Prerequisites
==================
- Device needs to be rooted and bootloader unlocked !!!
- Device needs to be up to date with latest Jelly Bean release 11.2.A.0.21 !!!
- A linux machine as working environment
- free ARM compiler, lite version, EABI, URL:
sourcery.mentor.com/sgpp/lite/arm/portal/release2322
- latest Xperia Jlo sources, URL:
developer.sonymobile.com/downloads/xperia-open-source-archives/open-source-archive-for-build-11-2-a-0-21/
- phyton script 'mkelf.py' to re-/build parition image, URL:
dl-developer.sonymobile.com/tools/image_generation_script_for_Xperia_smartphones.zip
- another basic guide, URL:
developer.sonymobile.com/2011/05/06/how-to-build-a-linux-kernel
1. Extracting the current boot image
======================================
- Install Andrdoid SDK.
- Then add a path to your .bashrc file of your linux host:
linux-w49x:~/my_kernel # echo "export PATH=/root/adt-bundle-linux-x86-20130219/sdk/platform-tools:$PATH" >> ~/.bashrc
linux-w49x:~/my_kernel # . ~/.bashrc
- Enable "USB-Debugging" in the phone seetings
- Start the phone and connect via USB to your linux machine
- At first we copy the sony boot image to the sdcard of the device:
linux-w49x:~ # adb shell
[email protected]:/ $ su
[email protected]:/ # dd if=/dev/block/mmcblk0p3 of=/sdcard/sony_boot.img
40960+0 records in
40960+0 records out
20971520 bytes transferred in 2.078 secs (10092165 bytes/sec)
- Read kernel config of your current kernel and store it on sdcard, too:
[email protected]:/ $ su
[email protected]:/ # cat /proc/config.gz > /sdcard/sony_config.gz
130|[email protected]:/ $ exit
130|[email protected]:/ $ exit
- Transfer both to your linux PC:
linux-w49x:~ # adb pull /sdcard/sony_boot.img
linux-w49x:~ # adb pull /sdcard/sony_config.gz
2. Splitting the image into kernel, ramdisk and cmdline
========================================================
- Basically the image consists of:
* 4k singed sin header with a ?x509? certificate
* kernel
* ramdisk
* cmdline parameters for the kernel
* a lot of empty space (~15 MB)
- Hexdump the image to make it human readable:
linux-w49x:~ # hexdump -C sony_boot.img > dump
linux-w49x:~ # head dump
00000000 7f 45 4c 46 01 01 01 61 00 00 00 00 00 00 00 00 |.ELF...a........|
00000010 02 00 28 00 01 00 00 00 00 80 20 00 34 00 00 00 |..(....... .4...|
00000020 00 00 00 00 00 00 00 00 34 00 20 00 03 00 00 00 |........4. .....|
00000030 00 00 00 00 01 00 00 00 00 10 00 00 00 80 20 00 |.............. .| <== Byte 9/10/11: is kernel start (after 4k sin header)
00000040 00 80 20 00 68 70 3c 00 68 70 3c 00 00 00 00 00 |.. .hp<.hp<.....| <== Byte 9/10/11: is kernel length
00000050 00 00 00 00 01 00 00 00 68 80 3c 00 00 00 40 01 |........h.<[email protected]| <== Byte 9/10/11: is ramdisk start
00000060 00 00 40 01 c6 1b 15 00 c6 1b 15 00 00 00 00 80 |[email protected]| <== Byte 9/10/11: is ramdisk length
00000070 00 00 00 00 04 00 00 00 2e 9c 51 00 00 00 00 00 |..........Q.....| <== Byte 9/10/11: is cmdline start
00000080 00 00 00 00 00 02 00 00 00 02 00 00 00 00 00 20 |............... | <== Byte 9/10/11: is cmdline length (512 characters)
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
- Now read the addresses from behind:
00 10 00 => is 0x001000
68 70 3c => is 0x3c7068
68 80 3c => is 0x3c8068
c6 1b 15 => is 0x151bc6
2e 9c 51 => is 0x519c2e
00 02 00 => is 0x000200
- NOTE: THE NUMBERS WILL BE DIFFERENT FOR YOUR st26i DEVICE !!!
- Use 'dd' to split sony_boot.img into its single parts.
- BUT use the correct numbers from your kernel here:
linux-w49x:~ # dd skip=$((0x001000)) count=$((0x3c7068)) bs=1 if=sony_boot.img of=sony_kernel.img
3960936+0 records out
3960936 bytes (4.0 MB) copied, 66.2326 s, 59.8 kB/s
linux-w49x:~ # dd skip=$((0x3c8068)) count=$((0x151bc6)) bs=1 if=sony_boot.img of=sony_ramdisk.img.gz
1383366+0 records in
1383366+0 records out
1383366 bytes (1.4 MB) copied, 23.1965 s, 59.6 kB/s
linux-w49x:~ # dd skip=$((0x519c2e)) count=$((0x000200)) bs=1 if=sony_boot.img of=sony_cmdline.img
512+0 records in
512+0 records out
512 bytes (512 B) copied, 0.00931558 s, 55.0 kB/s
3. Unpack the ramdisk
=======================
- First unzip ramdisk (should start with 0x1f 0x8b )
linux-w49x:~ # hexdump -C sony_ramdisk.img.gz | head
00000000 1f 8b 08 00 a0 a8 50 51 00 03 ec 3d 69 73 db b8 |......PQ...=is..|
00000010 92 f9 fa f4 2b b0 72 ea cd d8 ab 83 92 cf 64 ca |....+.r.......d.|
00000020 5b 2b 5b b4 ad 7a b6 e4 91 e4 1c b5 f5 4a a1 48 |[+[..z.......J.H|
00000030 48 42 99 57 78 58 f1 ce e4 bf 6f 37 c0 03 a4 a8 |HB.WxX....o7....|
00000040 83 49 66 6a 76 ca aa 38 a6 c0 ee 46 a3 bb d1 68 |.Ifjv..8...F...h|
00000050 a0 01 58 39 55 4e 95 96 a2 28 ea 61 eb 4c 85 df |..X9UN...(.a.L..|
00000060 ca 51 4b ed 2a c5 9f 37 c7 ad a3 ab f6 71 f7 38 |.QK.*..7.....q.8|
00000070 57 7e 16 fd 6e af c1 4b ca 1b af 14 b9 be 2b 8e |W~..n..K......+.|
00000080 dc ea 1c ad c1 6b 65 bf 25 5f b7 d4 d7 4a e8 85 |.....ke.%_...J..|
00000090 f4 89 da 81 d1 98 3b a6 31 63 fe a2 e1 e9 af 5e |......;.1c.....^|
linux-w49x:~ # gunzip sony_ramdisk.img.gz
- Now again, the resulting sony_ramdisk.img should start with 0x30 0x37 0x30.
- Now extract cpio archive to a directory:
linux-w49x:~ # mkdir ramdisk
linux-w49x:~ # cd ramdisk/
linux-w49x:~/ramdisk # cpio -i < ../sony_ramdisk.img
4444 blocks
linux-w49x:~/ramdisk # ls
charger init init.qcom.ril.path.sh init.s1.rc logo.rle sys
data init.Sony.rc init.qcom.sh init.target.rc logo.rle.org system
default.prop init.goldfish.rc init.qcom.usb.rc init.trace.rc proc ueventd.Sony.rc
dev init.qcom.class_core.sh init.qcom.usb.sh init.usb.rc res ueventd.goldfish.rc
fstab.msm7627a init.qcom.class_main.sh init.rc init.usbmode.sh sbin ueventd.rc
- OPTIONAL: You can now modify the ramdisk to your needs... we will
repack it later from here.
4. Build the sony kernel with the original kernel configuration (.config)
===========================================================================
In this section we will just rebuild the sony kernel with its default config.
This step is optional. You might want to SKIP THIS STEP and continue dircetly
with building the optimized kernel (Chapter 7)
- Install the mentioned ARM compiler from Mentor (for URL, see top of page)
- Extract the kernel config we fetched from the device:
linux-w49x:~ # gunzip sony_config.gz
- Extract the sony kernel:
linux-w49x:~ # tar -xf 11.2.A.0.21.tar.bz2
- Add the config to the kernel base directory:
linux-w49x:~ # cp sony_config ./kernel/.config
linux-w49x:~ # cd kernel
linux-w49x:~/kernel # ARCH=arm CROSS_COMPILE=/root/CodeSourcery/Sourcery_CodeBench_Lite_for_ARM_EABI/bin/arm-none-eabi- make oldconfig
- OPTIONAL: reconfigure the kernel OR skip this step:
linux-w49x:~/kernel # ARCH=arm CROSS_COMPILE=/root/CodeSourcery/Sourcery_CodeBench_Lite_for_ARM_EABI/bin/arm-none-eabi- make menuconfig
- Because the ARM compiler is pretty strict, edit the kernel Makefile in "kernel/Makefile":
- Change this part....
ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
KBUILD_CFLAGS += -Os
else
KBUILD_CFLAGS += -O2
endif
- .. by appending this to the flags:
ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
KBUILD_CFLAGS += -Os $(call cc-disable-warning,maybe-uninitialized,) $(call cc-disable-warning,implicit-function-declaration,) $(call cc-disable-warning,strict-prototypes,) $(call cc-disable-warning,unused-function,) $(call cc-disable-warning,unused-variable,)
else
KBUILD_CFLAGS += -O2 $(call cc-disable-warning,maybe-uninitialized,) $(call cc-disable-warning,implicit-function-declaration,) $(call cc-disable-warning,strict-prototypes,) $(call cc-disable-warning,unused-function,) $(call cc-disable-warning,unused-variable,)
endif
- Finally we build the kernel:
linux-w49x:~/kernel # ARCH=arm CROSS_COMPILE=/root/CodeSourcery/Sourcery_CodeBench_Lite_for_ARM_EABI/bin/arm-none-eabi- make
- Time to grab a BIG 0xCOFFEE
5. Build a new boot image
===========================
- Collect the new kernel:
linux-w49x:~ # cp ~/kernel/arch/arm/boot/zImage my_kernel.img
- Pack a new ramdisk (or just take exsiting one)
linux-w49x:~ # cd ramdisk
linux-w49x:~/ramdisk # find . | cpio --quiet -H newc -o | gzip > ../my_ramdisk.img.gz
linux-w49x:~/ramdisk # cd ..
- Pack everything together using mkelf.py from sony (URL, see above):
linux-w49x:~ # python mkelf.py -o my_boot.img [email protected] [email protected],ramdisk [email protected],cmdline
6. Flash the new boot image to the phone
==========================================
- power off device
- vol up + attach usb = fastboot
linux-w49x:~ # fastboot flash boot ./my_boot.img
linux-w49x:~ # fastboot reboot
- If anything goes wrong you can always flash the extraced image using:
linux-w49x:~ # fastboot flash boot ./sony_image.img
linux-w49x:~ # fastboot reboot
7. Now for the FUN part: TUNE the sony kernel with the attached patch-file
=============================================================================
- Basically we disable "module support" as we have none
- Disable A LOT OF DEBUG: debugfs and various debug statments in MSM drivers
- Tune vibration period to be more gentle
- Optimize kernel size for speed and not for size
- Remove kernel and user space process debug infos
- Make sure you unpack the stock sony kernel sources. The sources need to be
fresh and clean!!!
linux-w49x:~ # tar -xf 11.2.A.0.21.tar.bz2
linux-w49x:~ # cd kernel/
- patch the performance tweaks to it. The perf_tweak.patch is appended to this post:
linux-w49x:~/kernel # patch -p3 < ../perf_tweak.patch
patching file ./kernel/power/earlysuspend.c
patching file ./Makefile
patching file ./arch/arm/mach-msm/smd_pkt.c
patching file ./arch/arm/mach-msm/sdio_cmux.c
patching file ./arch/arm/mach-msm/reset_modem.c
patching file ./arch/arm/mach-msm/qdsp5v2/mi2s.c
patching file ./arch/arm/mach-msm/qdsp5v2/audio_out.c
patching file ./arch/arm/mach-msm/modem_notifier.c
patching file ./arch/arm/mach-msm/msm_cpr-debug.c
patching file ./arch/arm/mach-msm/smd_rpcrouter.c
patching file ./arch/arm/mach-msm/ipc_router.c
patching file ./arch/arm/mach-msm/bam_dmux.c
patching file ./arch/arm/mach-msm/qdsp6/msm_q6vdec.c
patching file ./arch/arm/mach-msm/rmt_storage_client.c
patching file ./arch/arm/mach-msm/include/mach/debug_mm.h
patching file ./arch/arm/mach-msm/clock.c
patching file ./arch/arm/mach-msm/sdio_dmux.c
patching file ./arch/arm/mach-msm/msm_cpr.h
patching file ./arch/arm/mach-msm/qdsp5/audio_mp3.c
patching file ./arch/arm/mach-msm/qdsp5/audmgr.c
patching file ./arch/arm/mach-msm/qdsp5/audio_acdb.c
patching file ./arch/arm/mach-msm/qdsp5/audio_lpa.c
patching file ./arch/arm/mach-msm/pm2.c
patching file ./arch/arm/mach-msm/sdio_ctl.c
patching file ./arch/arm/mach-msm/clock-debug.c
patching file ./arch/arm/mach-msm/board-msm7627a-display.c
patching file ./arch/arm/mach-msm/vreg.c
patching file ./arch/arm/mach-msm/board-tamsui-jlo.c
patching file ./arch/arm/mach-msm/clock.h
patching file ./net/netfilter/xt_socket.c
patching file ./include/linux/vibrator_class.h
patching file ./include/linux/bma250.h
patching file ./drivers/media/common/tuners/xc4000.c
patching file ./drivers/tty/serial/msm_serial_hs.c
patching file ./drivers/vibrators/fih_vibrator.c
patching file ./drivers/vibrators/vibrator_class.c
patching file ./drivers/video/msm/msm_fb.c
patching file ./drivers/video/msm/mipi_orise.c
patching file ./drivers/bluetooth/bluesleep.c
patching file ./drivers/usb/otg/msm_otg.c
patching file ./drivers/usb/otg/msm72k_otg.c
patching file ./drivers/usb/gadget/f_diag.c
patching file ./drivers/usb/gadget/u_ctrl_hsuart.c
patching file ./drivers/usb/gadget/f_rmnet_smd_sdio.c
patching file ./drivers/usb/gadget/u_serial.c
patching file ./drivers/usb/gadget/u_bam.c
patching file ./drivers/usb/gadget/f_rmnet_smd.c
patching file ./drivers/input/keyboard/fih_gpio_keys.c
patching file ./drivers/input/keyboard/fih_power_key.c
patching file ./drivers/input/touchscreen/cyttsp_core.c
patching file ./drivers/input/sensor/qpdss702.c
patching file ./drivers/leds/fih_led.c
patching file ./drivers/net/wireless/bcmdhd/wl_linux_mon.c
patching file ./drivers/net/wireless/bcmdhd/Makefile
patching file ./drivers/net/wireless/bcmdhd/dhd_custom_gpio.c
patching file ./drivers/power/fih_bq27520_fuelgauger.c
patching file ./drivers/power/fih_msm_battery.c
patching file ./drivers/gpu/msm/adreno_postmortem.c
patching file ./drivers/gpu/msm/adreno.c
patching file ./drivers/rtc/rtc-msm.c
patching file ./.config
linux-w49x:~/kernel # ARCH=arm CROSS_COMPILE=/root/CodeSourcery/Sourcery_CodeBench_Lite_for_ARM_EABI/bin/arm-none-eabi- make
===> repeat steps 5) and 6) but use our new zImage.
A: Howto build a patch file by comparing a
fresh extracted kernel sources with your edited sources:
=========================================================
- Compare two kernel directories and create a patch from it:
linux-w49x:~ # export BASEDIR=$PWD
linux-w49x:~ # cd kernel/
linux-w49x:~/kernel # rm $BASEDIR/perf_tweak.patch
linux-w49x:~/kernel # find -name '*.c' -o -name '*.h' -o -name 'Makefile' -o -name '.config' | xargs [email protected] diff -upN $BASEDIR/kernel/@ $BASEDIR/my_kernel/@ >> $BASEDIR/perf_tweak.patch

Great Tutorial for Xperia J custom Kernel
Thanks .. Really helpful .
numbers were different in mine
dd skip=$((0x001000)) count=$((0x3da520)) bs=1 if=sony_boot.img of=sony_kernel.img
dd skip=$((0x3db520)) count=$((0x11a498)) bs=1 if=sony_boot.img of=sony_ramdisk.img.gz
dd skip=$((0x4f59b8)) count=$((0x000200)) bs=1 if=sony_boot.img of=sony_cmdline.img
I am with locked bootloader ( 1 week old JLo ) will do it as soon I unlock it.
I will also include swap support in kernel config and test .

omg it's so complicated...
have anyone finished it? Will it be released as flashable version ?

Lol ye makes me dizzy!

work on xperia J
this work on xperia J with bootloader locked

For simplicity's sake I like to build my kernels with CyanogenMod, but I'll check out your patch for some useful edits. :good:

Don't want to necro bump threads but....
Massive thanks to OP
I'd been messing around for the last day with trying to compile the .31 stock kernel from source.
Successfully used the above guide to dump the .31 kernel from phone add overclock to .31 source code (from Vengeance 1.42 source) compile, make boot.img and flash. :laugh:

Can I use this patch for the newest JB kernel? will it work?

[TOOL][WIN,LIN,AND,DARW] Super image tools | extract or make partitions RW in super partition

Disclaimer:
Super image tools was made for testing and educational purposes, ME is not responsible for what you do on/with your device using our tools, you must agree that you using our tools on your own risk, I am not responsible for anything else!
How to use superunpack:
- First step, unpack super.sin using my tool or use @IgorEisberg unsin tool
- Step two, Superunpack. On windows just drag and drop unpacked super image onto our exe to start extraction. Also you can use it from command line, from script or from etc. On Linux use it from command line. No need to set slot like it was a case on lpunpack, our tool will auto extract all slot images for you, enjoy!
- If you need to unpack partition images in RW mode add parameter 1 at the end of command line e.g. "superunpack super.img 1", than resize partition using resize2fs, repair and unshare blocks using e2fsck. Or if you unpack without rw you no need to resize or repair it, just mount it ro.
How to manualy patch super partition in under Linux:
https://forum.xda-developers.com/t/...s-rw-in-super-partition.4120963/post-87112415
Note that, superunpack is a tool for extract all logical partitions from super image or directly from super partition.
How to use superrepack:
adb push superrepack.arm64_pie /data/local/tmp
adb shell
su
cd /data/local/tmp
mv superrepack.arm64_pie superrepack
chmod 755 superrepack
stop
./superrepack /dev/block/bootdevice/by-name/super system_a
sync
reboot
Note that, superrepack is a tool to convert logical RO partitions iside your phone super partition to RW mode without extracting anything, all things is done on the fly directly inside super partition/image! In this example system_a partiton is converted to the rw mode, if you need other partitions to rw just change system_a argument. Or if you need all partitions to rw mode do it without partition rw argumet e.g: "./superrepack /dev/block/bootdevice/by-name/super". YOU MUST RUN TOOL 4-5 TIMES UNTIL ALL ERRORS DISAPEARS!!! One of the well known errors is: "Couldn't clone file: Could not allocate block in ext2 filesystem". Look at /data/local/tmp/script.log each time and make sure it not contain any error otherwise you are not done things right and partition is not repaired yet!!! More info -> https://forum.xda-developers.com/t/...s-rw-in-super-partition.4120963/post-84966715
Platform:
- Superunpack is working on Windows, Linux, Android, Darwin11, just chose right binary.
- Superrepack is working only under android
Changelog:
- version 1 (21.Jun.2020), initial version
- version 1.1 (22.Jun.2020), dump file format detection, partition size correction in case ext4, partition group detection, have extraction progress bar, improvements
- version 2 (03.04.2021) implemented possibility to extract partition images to rw mode using Superunpack & I have made new tool called Superrepack
- version 2 (04.04.2021) implemented arguments so you would do conversion on single partition instead of doing it on all partitions
- version 3 (04.04.2021) implemented return codes and implemented output logs to be more scripting friendly
- version 4 - not released
- version 5 (08.04.2021) implemented resize and repair partitions after switching to rw mode. Implemented build script for building resize2fs, e2fsck, simg2ims, img2simg, lptools
- version 6 (08.04.2021) better loop device detection and setup
- version 7 (08.04.2021) fix selinux status detection
- version 8 (15.04.2021) fix loop device setup in superrepack
- version 9 (16.04.2021) make losetup android compatible
- version 10 - not released
- version 11 (01.05.2021) simplified, removed needs for parameter rw, implemented dm-verity disabler
- version 12 (05.05.2021) make old logs always deleted before fresh log is created, this prevent concentation with old logs
- version 13 (06.05.2021) make linux version so you should do the things on your super partition dump in linux machine
- version 14 (07.05.2021) fix compilation mess between linux and android
- version 15 (08.05.2021) use libselinux to determine and set selinux to permissive mode instead of popening getenforce-setenforce tools
Credits:
- me and me
Source code:
- source code -> https://github.com/munjeni/super_image_dumper

munjeni said:
hardcoded, no external libs, no android libs.
- my source code, later
Click to expand...
Click to collapse
Yet Another great tool!! :highfive:
Thanks!

New version is out, v11, it now detect file format, partition size correction in case ext4, partition group detection, have extraction progress bar, and it looks like:
Code:
---------------------------------------------------------
Super image dumper v_11 (by expert :) munjeni @ xda 2020)
---------------------------------------------------------
LpMetadataGeometry magic = 0x616c4467
LpMetadataGeometry struct size = 0x34
LpMetadataGeometry sha256 = 12FF55F0ABA7B506F25CB5DA5DCA09344234E8DF1D9C93AE82A499D98019467E
LpMetadataGeometry metadata_max_size = 0x10000
LpMetadataGeometry metadata_slot_count = 0x3
LpMetadataGeometry logical_block_size = 0x1000
LpMetadataHeader magic = 0x414c5030
LpMetadataHeader major_version = 10
LpMetadataHeader minor_version = 0
LpMetadataHeader header_size = 0x80
LpMetadataHeader header sha256 = CCF4F5D07842AAAE7C1B87F0E025512CF7AEA426D477B1E5175DA3D74F9B1C8C
LpMetadataHeader tables_size = 0x2e8
LpMetadataHeader tables sha256 = 52578668F89D8BCDA1BD1F748F2F69ED874C10A7062C85EF9970EE05D90161B1
LpMetadataHeader partitions offset = 0x0
LpMetadataHeader partitions num_entries = 0x8
LpMetadataHeader partitions entry_size = 0x34
LpMetadataHeader extents offset = 0x1a0
LpMetadataHeader extents num_entries = 0x5
LpMetadataHeader extents entry_size = 0x18
LpMetadataHeader groups offset = 0x218
LpMetadataHeader groups num_entries = 0x3
LpMetadataHeader groups entry_size = 0x30
LpMetadataHeader block_devices offset = 0x2a8
LpMetadataHeader block_devices num_entries = 0x1
LpMetadataHeader block_devices entry_size = 0x40
Partitions = 5 used, 3 not used, total 8
partition_1_name = system_a
attributes = 0x1
first_extent_index = 0x0
num_extents = 0x1
group_index = 0x1
partition_group = somc_dynamic_partitions_a
extent num_sectors = 0x336390 (0x66c72000 bytes total)
extent target_type = 0x0
extent target_data = 0x800 (dumping offset = 0x100000)
extent target_source = 0x0
Filetype EXT4. EXT4 size = 0x6526c000
Dumping system_a.ext4 ...
....................................................
....................................................
....................................................
..............................................
partition_2_name = system_b
attributes = 0x1
first_extent_index = 0x1
num_extents = 0x1
group_index = 0x2
partition_group = somc_dynamic_partitions_b
extent num_sectors = 0xab178 (0x1562f000 bytes total)
extent target_type = 0x0
extent target_data = 0x337000 (dumping offset = 0x66e00000)
extent target_source = 0x0
Filetype EXT4. EXT4 size = 0x150b3000
Dumping system_b.ext4 ...
..........................................
partition_3_name = product_a
attributes = 0x1
first_extent_index = 0x2
num_extents = 0x1
group_index = 0x1
partition_group = somc_dynamic_partitions_a
extent num_sectors = 0x2b62b8 (0x56c57000 bytes total)
extent target_type = 0x0
extent target_data = 0x3e2800 (dumping offset = 0x7c500000)
extent target_source = 0x0
Filetype EXT4. EXT4 size = 0x5565b000
Dumping product_a.ext4 ...
....................................................
....................................................
....................................................
..............
partition_4_name = product_b (not unused)
attributes = 0x1
first_extent_index = 0x3
num_extents = 0x0
group_index = 0x2
partition_group = somc_dynamic_partitions_b
extent num_sectors = NULL
extent target_type = NULL
extent target_data = NULL
extent target_source = NULL
Skipping dump.
partition_5_name = vendor_a
attributes = 0x1
first_extent_index = 0x3
num_extents = 0x1
group_index = 0x1
partition_group = somc_dynamic_partitions_a
extent num_sectors = 0x186d58 (0x30dab000 bytes total)
extent target_type = 0x0
extent target_data = 0x699000 (dumping offset = 0xd3200000)
extent target_source = 0x0
Filetype EXT4. EXT4 size = 0x30141000
Dumping vendor_a.ext4 ...
....................................................
............................................
partition_6_name = vendor_b (not unused)
attributes = 0x1
first_extent_index = 0x4
num_extents = 0x0
group_index = 0x2
partition_group = somc_dynamic_partitions_b
extent num_sectors = NULL
extent target_type = NULL
extent target_data = NULL
extent target_source = NULL
Skipping dump.
partition_7_name = odm_a
attributes = 0x1
first_extent_index = 0x4
num_extents = 0x1
group_index = 0x1
partition_group = somc_dynamic_partitions_a
extent num_sectors = 0xa60 (0x14c000 bytes total)
extent target_type = 0x0
extent target_data = 0x820000 (dumping offset = 0x104000000)
extent target_source = 0x0
Filetype EXT4. EXT4 size = 0x132000
Dumping odm_a.ext4 ...
partition_8_name = odm_b (not unused)
attributes = 0x1
first_extent_index = 0x5
num_extents = 0x0
group_index = 0x2
partition_group = somc_dynamic_partitions_b
extent num_sectors = NULL
extent target_type = NULL
extent target_data = NULL
extent target_source = NULL
Skipping dump.
Press any key to continue . . .
If you need to mount ext4 partition on Linux you need to mount partition RO or it will not mount!

I'm not one of those who make paid software and promote on xda, my work is always free. Even I'm always providing source code for free, source code of this tool is here -> https://github.com/munjeni/super_image_dumper , enjoy!

munjeni said:
I'm not one of those who make paid software and promote on xda, my work is always free. Even I'm always providing source code for free, source code of this tool is here -> https://github.com/munjeni/super_image_dumper , enjoy!
Click to expand...
Click to collapse
You are the best and I and many others thank you for make life so easy for us. :highfive:
PS: I will send you a PM with something you may find interesting and useful. :fingers-crossed:

Can I make this tool for remake oem.sin?
I have fw Xperia docomo bundling,and many bloatware,so I wont to remake oem.sin and deleted any bloatware, can I?
??sorry my English por????

paijoe88 said:
Can I make this tool for remake oem.sin?
I have fw Xperia docomo bundling,and many bloatware,so I wont to remake oem.sin and deleted any bloatware, can I?
?sorry my English por??
Click to expand...
Click to collapse
No you can't. Tool is unpacker only, it extracts oem from super image but doesn't reconstruct it back to super image. Even there is no known tool to make valid sin back because of signature.

Seems readonly partitions like oem, system, vendor...etc can be set to read-write mode via LP_PARTITION_ATTR overiding LpMetadataPartition.attributes 1 with 0. Anybody tried android version of this tool? E.g. dump block device e.g. /dev/block/bootdevice/super
RO flags (0x1), when it is set to 0x0 its RW mode, but header sha256 checksums of the LpMetadataGeometry and LpMetadataHeader also need to be modified in case we overvrite flags with RW mode!
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000003080 73 79 73 74 65 6D 5F 61 00 00 00 00 00 00 00 00 system_a........
000003090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000030A0 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................
0000030B0 01 00 00 00 73 79 73 74 65 6D 5F 62 00 00 00 00 ....system_b....
0000030C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000030D0 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 ................
0000030E0 01 00 00 00 02 00 00 00 70 72 6F 64 75 63 74 5F ........product_
0000030F0 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a...............
000003100 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
000003110 02 00 00 00 01 00 00 00 01 00 00 00 70 72 6F 64 ............prod
000003120 75 63 74 5F 62 00 00 00 00 00 00 00 00 00 00 00 uct_b...........
000003130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000003140 01 00 00 00 03 00 00 00 00 00 00 00 02 00 00 00 ................
Click to expand...
Click to collapse

Removed fake pie binary and made new true pie 64 bit binary for android. With it you can dump your super partition on your own phone e.g.
Code:
adb push superunpack.arm64_pie /data/local/tmp
adb shell
su
cd /data/local/tmp
chmod 755 superunpack.arm64_pie
./superunpack.arm64_pie /dev/block/bootdevice/by-name/super
and whola all ext4 partitonins from your super partition is extracted to the /data/local/tmp folder.

bump. Any news regarding forcing system to be read/write in Android 10 ?
Thanks for your hard work @munjeni

See post 8.
In most case if you change those byte vbmeta protection will do a bootloop, so I think no way to set it to force rw except if you unlock bootloader and disable vbmeta protection trought fastboot (more info -> https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/post-84509179)

munjeni said:
Seems readonly partitions like oem, system, vendor...etc can be set to read-write mode via LP_PARTITION_ATTR overiding LpMetadataPartition.attributes 1 with 0. Anybody tried android version of this tool? E.g. dump block device e.g. /dev/block/bootdevice/super
RO flags (0x1), when it is set to 0x0 its RW mode, but header sha256 checksums of the LpMetadataGeometry and LpMetadataHeader also need to be modified in case we overvrite flags with RW mode!
Click to expand...
Click to collapse
I replaced all 4 occurences of these three bytes in my super.img like you suggested and flashed it to my phone.
It didn't boot probably due to the invalid sha256 checksums as you predicted.
Which bytes I must hex edit in the extracted system.ext4 in order to make it rw? I was thinking maybe the shared_blocks feature?
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

You should read this to get idea -> https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout
TO be honest I never modified RO partitions. it can be probably done using parted, fsck and similar tools so you no need to do it by hexediting, try google a bit for idea I realy don't know

TO be honest I never modified RO partitions. it can be probably done using parted, fsck and similar tools so you no need to do it by hexediting, try google a bit for idea I realy don't know
Click to expand...
Click to collapse
@munjeni thank you so much for writing this amazing superunpack tool!
Thanks to your program and thanks to another tutorial I was able to create an automated bash script that transforms all read only partitions inside super.img (system, vendor , product, etc...) into read write-able partitions again and then flash to device as a brand new super.img.
HERE is the link to new universal version

munjeni said:
Disclaimer:
Superunpack tool was made for testing and educational purposes, ME is not responsible for what you do on/with your device using superunpack, you must agree that you using superunpack on your own risk, I am not responsible for anything else!
How to use:
- First step, unpack super.sin using my tool or use @IgorEisberg unsin tool
- Step two, on windows just drag and drop unpacked super image onto our exe to start extraction. Also you can use it from command line, from script or from etc. On Linux use it from command line. No need to set slot like it was a case on lpunpack, our tool will auto extract all slot images for you, enjoy!
Platform:
- Superunpack is working on Windows, Linux, Android, Darwin11, just chose right superunpack binary.
Changelog:
- version 10 (21.Jun.2020), initial version
- version 11 (22.Jun.2020), dump file format detection, partition size correction in case ext4, partition group detection, have extraction progress bar, improvements
Credits:
- not right now
Source code:
- tool is based on just this header, the rest of things is myself implemented - hardcoded, no external libs, no android libs.
- my source code -> https://github.com/munjeni/super_image_dumper
Click to expand...
Click to collapse
Wow, this is pretty impressive my friend. Big props!! Just curious, what's the difference with "this" utility(superunpack) and the standard android lpunpack?

bynarie said:
Wow, this is pretty impressive my friend. Big props!! Just curious, what's the difference with "this" utility(superunpack) and the standard android lpunpack?
Click to expand...
Click to collapse
Diferencie is that my tool not use any external dependencies so can be build easily as a static binary. Seccond diferencie is its easy to use, just drag and drop file to extract. I'm not tried lpunpack so I can't tell the exact diferencie, you tell me

munjeni said:
Diferencie is that my tool not use any external dependencies so can be build easily as a static binary. Seccond diferencie is its easy to use, just drag and drop file to extract. I'm not tried lpunpack so I can't tell the exact diferencie, you tell me
Click to expand...
Click to collapse
lpunpack:
works with sparse files
creates .img files
gives zero text output so you don't know what's happening under the hood
extracts all partitions even the empty ones
Superunpack:
works with raw files
creates .ext4 files
gives lots of text info so you know exactly what's going on
only extracts the partitions that are not empty
These are the main differences that I noticed.

Hey friend I get this error can you help me out?
[Novice alert]

lebigmac said:
lpunpack:
works with sparse files
creates .img files
gives zero text output so you don't know what's happening under the hood
extracts all partitions even the empty ones
Superunpack:
works with raw files
creates .ext4 files
gives lots of text info so you know exactly what's going on
only extracts the partitions that are not empty
These are the main differences that I noticed.
Click to expand...
Click to collapse
Nice !

munjeni said:
Diferencie is that my tool not use any external dependencies so can be build easily as a static binary. Seccond diferencie is its easy to use, just drag and drop file to extract. I'm not tried lpunpack so I can't tell the exact diferencie, you tell me
Click to expand...
Click to collapse
Good stuff, thank you!

How to find "hw_soc_version" for a QCom SOC?

I have an Android device with a QComm SDM680 SOC. The QCom part# of the SOC is SM6225.
How do I find the "hw_soc_version" and "soc_version" of the SDM680/SM6225 ?
I've found some general scripts that collate this type of info, like this one. But the SDM680 is not in any of those lists.
I've searched on the rooted device, grepped the kernel logs and the kernel opensource. fastboot getvar all doesn't expose this info either.
Does anybody know how to find these values?

Oh, that's easy. You just run an EDL client, they always ask the HWID.
You don't even need to have a loader for it.
On my EDL client just:
Code:
C:\>edl /l
Found EDL 9008
Serial: 12345678
HWID: 000cc0e100000000, QC: 000cc0e1, OEM: 0000, Model: 0000
Hash: 7be49b72f9e43372-23ccb84d6eccca4e-61ce16e3602ac200-8cb18b75babe6d09
You can also attach a UART while booting.
Code:
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.1.4-00246-S660LZB-1
S - IMAGE_VARIANT_STRING=Sdm660LA
S - OEM_IMAGE_VERSION_STRING=cibuild
S - Boot Interface: Unknown
S - Secure Boot: Off
S - Boot Config @ 0x00786070 = 0x000001c1
S - JTAG ID @ 0x00786130 = 0x000cc0e1
Note that even though this is a SDM636 the log speaks of 660, but the "JTAG ID" is the correct HWID.
Usually the certs in xbl/abl has the HW_ID in it.
Also:
Code:
Teletex string 11 3007 0000 0000 0000 0000 0000 0000 0000 0000 0000 SOC_VERS
(I've never run into this soc_version before.)
Also, AFAIK, your friendly Firehose loader repository doesn't have a loader for this.
Edit: Oh, you're not looking for the HWID?

Renate said:
Oh, that's easy. You just run an EDL client, they always ask the HWID.
You don't even need to have a loader for it.
On my EDL client just:
Code:
C:\>edl /l
Found EDL 9008
Serial: 12345678
HWID: 000cc0e100000000, QC: 000cc0e1, OEM: 0000, Model: 0000
Hash: 7be49b72f9e43372-23ccb84d6eccca4e-61ce16e3602ac200-8cb18b75babe6d09
...
Edit: Oh, you're not looking for the HWID?
Click to expand...
Click to collapse
Thanks for the tip. I checked the SAHARA output. It seems that this HWID consists of the MSM_ID+OEM+MODEL. For the SDM680 I got: HW_ID: 0x001b80e100000000 (MSM_ID=0x001b80e1 OEM_ID=0x0000 MODEL_ID=0x0000).
Looking at bkerler's qualcomm_config.py, it seems that the hw_soc_version and hwid are two different things. For example for the SDM660, the msmid entry is 0x08C0E1, with a comment that the soc_hw_version is different:
Code:
0x08C0E1: "SDM660", # 0x30060000 soc_hw_version
Renate said:
Usually the certs in xbl/abl has the HW_ID in it.
Click to expand...
Click to collapse
Even though it's about the hwid, I looked into this too. It seems that around 2016, the HWID was stored in OU fields in the certificiates in the XBL file (see pages 10-11). But after 2019, it is now stored in the metadata of the MBN image (see page 9) within the XBL file. I only mention it because I thought it might prove useful for you.
Curiously, the HWID wasn't in the certs or metadata in my stock ROM's xbl.elf. Strange.

Yahoo Mike said:
For the SDM680 I got: HW_ID: 0x001b80e100000000...
Click to expand...
Click to collapse
The good news for you is that it's not stamped OEM/model.
There's some chance that this is not SecureBoot.
Which means that any loader that's compatible with your SoC will work.
What does this say: fastboot getvar secure
What does this say: cat /proc/cpuinfo (Just the name line.)
You can also look in the DTB, either decoded or raw, it's at the beginning.
Then there's the other wrinkle that Qualcomm has SDM numbers, MSM numbers and code names for SoCs.
Maybe that cpuinfo will tell you a codename.

Renate said:
The good news for you is that it's not stamped OEM/model.
There's some chance that this is not SecureBoot.
Which means that any loader that's compatible with your SoC will work.
What does this say: fastboot getvar secure
Click to expand...
Click to collapse
I think SecureBoot is on. I've had to do a test-points recovery a few times - after I tried to run with a patched (and incorrectly signed) ABL.
In fastbootd & bootloader menus, it says SecureBoot is on. And (as you suggested) fastboot utility agrees:
Code:
C:\>fastboot getvar secure
secure: yes
Finished. Total time: 0.001s
Renate said:
What does this say: cat /proc/cpuinfo (Just the name line.)
You can also look in the DTB, either decoded or raw, it's at the beginning.
Then there's the other wrinkle that Qualcomm has SDM numbers, MSM numbers and code names for SoCs.
Maybe that cpuinfo will tell you a codename.
Click to expand...
Click to collapse
The codename is khaje.
Code:
TB128FU:/ # cat /proc/cpuinfo
Processor : AArch64 Processor rev 4 (aarch64)
...<info about 8 processors>...
Hardware : Qualcomm Technologies, Inc KHAJE
That agrees with the run-time /sys/devices/soc0/soc_id value of 518, which is "khaje" according to the stock ROM's /vendor/bin/init.qti.display_boot.sh and /vendor/bin/init.qcom.post_boot.sh.
Curiously, at the beginning of the DTB it says it's "Bengal":
Code:
00 00 00 03 00 00 00 33 00 00 00 00 51 75 61 6C .......3....Qual
63 6F 6D 6D 20 54 65 63 68 6E 6F 6C 6F 67 69 65 comm Technologie
73 2C 20 49 6E 63 2E 20 42 65 6E 67 61 6C 20 31 s, Inc. Bengal 1
47 62 20 44 44 52 20 48 44 2B 20 53 6F 43 00 00 Gb DDR HD+ SoC..
But at offset 0x2A62D0 it changes its name:
Code:
00 00 00 00 00 03 00 00 00 26 00 00 00 00 51 75 .........&....Qu
61 6C 63 6F 6D 6D 20 54 65 63 68 6E 6F 6C 6F 67 alcomm Technolog
69 65 73 2C 20 49 6E 63 2E 20 4B 68 61 6A 65 20 ies, Inc. Khaje
53 6F 43 00 00 00 00 00 00 03 00 00 00 0B 00 00 SoC.............
I can't believe how many different numbers/strings QCom has to describe a SoC: soc_id, codename, hwid, msm_id ... and the ever-elusive hw_soc_version.
Anyway, I'll load up this SoC's firehose program to bkerler's edl. I'll slip in a question about how to query the hw_soc_version. I'll post back any reply.

Yahoo Mike said:
The codename is khaje.
Click to expand...
Click to collapse
Khajeh is a city in Iran: https://en.wikipedia.org/wiki/Khajeh,_Iran
Yahoo Mike said:
Curiously, at the beginning of the DTB it says...
Click to expand...
Click to collapse
That's because you are probably looking at multiple DTBs.
You can simply grep/scan for "Qualcomm Technologies".
I don't know why they do that.
The abl scans through them and find the one that best matches.

S/N: 0x7BD1BDD5
HW ID: 0x001B80E10015006D -> HUAWEI
HASH: 0xB25DECD85D217F5D9B53DC3C42EF7846DCEF59DD3E0AF4D12606199F5099FF23D73C3AFFBE5EFBF421A81A197E41FDF5
PBL : 0x00000000
HASH TYPE: SHA384
DEV HASH: 0x0000003AC0D4
CPU : Undefined CPU: 001B80E10015006D