[Q] nvflash/APX mode help - Android Software/Hacking General [Developers Only]

Calling all developers with extensive knowledge of NVflash
I know NVflash commands but I have never tried to run NVflash on a device with an encrypted bootloader nor have I had to try to source all the necessary files so I have some questions.
1. Would the following command be correct? Because even this simple sync command is exiting with a failure.
nvflash --bl bootloader.bin --sbk [boot key here] --sync
2. Is the bootloader.bin file universal or is it device specific? Where do I find one, can I edit one to work, etc?
I am working with the Acer Iconia A200 which is relatively new so no one has cracked NVflash on it yet so any help at all would be greatly appreciated.
Thanks!

I don't have extensive knowledge, but I did watch a youtube video once. Nvflash is used on several devices, so check out the acer/zoom/transformer forums. I think it also has some roots in graphics cards, so some of the tweaker forums might have some useful insight about syntax.
Code:
Nvflash started
nvflash action [options]
action (one or more) =
--help (or -h)
displays this page
--cmdhelp cmd(or -ch)
displays command help
--resume (or -r)
send the following commands to an already-running bootloader
--quiet (or -q)
surpress excessive console output
--wait (or -w)
waits for a device connection (currently a USB cable)
--create
full initialization of the target device using the config file
--download N filename
download partition filename to N
--setboot N
sets the boot partition to partition N
--format_partition N
formats contents of partition N
--read N filename
reads back partition N into filename
--getpartitiontable filename
reads back the partition table into filename
--getbit filename
reads back BIT into filename
--getbct
reads back the BCT from mass storage
--odm C Data
ODM custom 32bit command 'C' with associated 32bit data
--go
continues normal execution of the downloaded bootloader
options =
--configfile filename
indicates the configuration file used with the following commands:
--create, --format_all
--bct filename
indicates the file containing the BCT
--sbk 0x00000000 00000000 00000000 00000000
indicates the secure boot key for the target device
--bl filename
downloads and runs the bootloader specified by filename
--odmdata N
sets 32bit customer data into a field in the BCT, either hex or
decimal
--diskimgopt N
sets 32bit data required for disk image convertion tool
--format_all
formats all existing partitions on the target device using the config file,
including partitions and the bct
--setbootdevtype S
sets the boot device type fuse value for the device name.
allowed device name string mentioned below:
emmc, nand_x8, nand_x16, nor, spi
--setbootdevconfig N
sets the boot device config fuse value either hex or decimal
--verifypart N
verifies data for partition id = N specified. N=-1
indicates all partitions
Intended to be used with --create command only.
--setbct
updates the chip specific settings of the BCT in mass storage to
the bct supplied,used with --create, should not be with --read,and
--format(delete)_all,format(delete)_partition,--download, and--read
--sync
issues force sync commad
--rawdeviceread S N filename
reads back N sectors starting from sector S into filename
--rawdevicewrite S N filename
writes back N sectors from filename to device starting from sector S
Here's what I use
nvflash --bct transformer.bct --setbct --configfile flash.cfg --bl bootloader.bin --odmdata [device specific odm data] --sbk [mysterious sbk] --sync
All the files are device specific and the flash.cfg is where all the partitions and sizes are specified. Nvidia used to have a developers website that had a generic HC and GB rom. I flashed it, but was configured for different screen sizes/trackpad, etc.
If you are going to format the device, then you will use the --create flag and I think you need the flash.cfg file.

Thanks! I am primarily after --read and --getpartitiontable so that I can create a stock backup so those that brick have a recovery option. Sounds like the most important part now for me is getting the correct files together. I have the SBK though unconfirmed.
I personally have never used --odmdata, do you have any insite into that command?
My previous device, the Dell Streak 7, had a fully unlocked NVflash so there was no SBK or anything like that to worry about. I miss those times

I thought the omdata were device specific things like memory configuration? Not sure how important it is for reading partitions.
The other thing with nvflash is once you start it, you can send more commands with the resume command:
Nvflash sbk bootloader etc
Nvflash -r --read 6 blah blah
Nvflash -r -- read 7 blah blah
...
Nvflash -r --go
Or something like that...
sent while running with scissors

I don't really know because at least on the Dell Streak 7 it was a command I never used and I never saw used by others either. Hopefully someone has incite somewhere on how to get the files I need.

If you have root you should be able to read the BCT and bootloader from the device with dd and then decrypt them.

I have root and an unlocked bootloader. Please explain. DD? I have Windows 7 and Linux at my disposal.
Thanks!

Wetzel402 said:
I have root and an unlocked bootloader. Please explain. DD? I have Windows 7 and Linux at my disposal.
Thanks!
Click to expand...
Click to collapse
Yes, dd.
Copy some raw data from the block device on the device, something like
Code:
# /system/bin/dd if=/dev/block/mmcblk0 bs=512 count=13312 of=/sdcard/data.raw
Then transfer the dump to the computer and extract the BCT and boot loader.
I started writing a description but it quickly started to get long and it is late...
So you get a small ugly script that shows the steps instead.
This requires openssl, dd and hexdump.
Code:
#!/bin/bash
#This script extracts the BCT and bootloader out of a dd dump of the block device on a tegra 2 device
#The first 6.5M should be enough, something like:
#/system/bin/dd if=/dev/block/mmcblk0 bs=512 count=13312 of=/sdcard/data.raw
#SBK written together
#e.g. 0xDEADBEEF 0xBAADF00D 0xCAFEFEED 0xBADDCAFE => "DEADBEEFBAADF00DCAFEFEEDBADDCAFE"
SBK="DEADBEEFBAADF00DCAFEFEEDBADDCAFE"
#Input file
raw_file="data.raw"
#Output files
bct_file="out.bct"
bl_file="bootloader.bin"
echo "Extrating the BCT data"
dd if=$raw_file of=bct_encrypted.bin bs=16 count=254 skip=1 2> /dev/null
echo "Decrypting the BCT data"
openssl aes-128-cbc -K $SBK -iv 0 -d -in bct_encrypted.bin -out bct_decrypt.tmp -nopad
dd if=bct_decrypt.tmp of=out.bct bs=16 count=254 seek=1 2> /dev/null
rm bct_decrypt.tmp
rm bct_encrypted.bin
#Read some general information
bct_version="$(hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' $bct_file)"
block_size=$((2 ** $(hexdump -n 4 -s 0x24 -e '1/4 "%u"' $bct_file)))
page_size=$((2 ** $(hexdump -n 4 -s 0x28 -e '1/4 "%u"' $bct_file)))
odm_data=$(hexdump -n 4 -s 0xFE4 -e '1/4 "0x%08x\n"' $bct_file)
#Boot loader 1
bl_start_block=$(hexdump -n 4 -s 0xA98 -e '1/4 "%u\n"' $bct_file)
bl_length=$(hexdump -n 4 -s 0xAA0 -e '1/4 "%u\n"' $bct_file)
if [ "$bct_version" != "0x20001" ]; then
echo "ERROR: Unexpected BCT version: $bct_version"
exit 1
fi
echo "Block size: $block_size"
echo "Page size: $page_size"
echo "Boot loader 1 start block: $bl_start_block"
echo "Boot loader 1 length $bl_length"
echo "ODM Data: $odm_data"
echo "Extracting the booot loader"
bl_start_byte=$(( $(($bl_start_block - 64)) * $block_size ))
bl_padded_length=$(( $bl_length + $((16 - $(($bl_length % 16)) ))))
echo "Extracting $bl_padded_length starting at offset $bl_start_byte"
dd bs=1 if=$raw_file of="bootloader.enc" skip=$bl_start_byte count=$bl_padded_length 2> /dev/null
echo "Decrypting boot loader"
openssl aes-128-cbc -K $SBK -iv 0 -d -in bootloader.enc -out bootloader.tmp -nopad
dd if=bootloader.tmp of=$bl_file bs=$bl_length count=1 2> /dev/null
I may have gotten the block to byte convertion wrong, it is correct for the offsets on the device I have, but we will see.

Currently way over my head considering I just finally figured out mount commands
I will start doing some research on the topic to learn more and before you know it I should have the files I need

I did get the bct file but the bootloader.bin file is not working. With this line:
openssl aes-128-cbc -K $SBK -iv 0 -d -in bootloader.enc -out bootloader.tmp -nopad
I keep getting an error "option 0 doesn't exist". Any ideas? Also when you have some time could you please explain what exactly all of this is doing? I understand very little of this syntax because I am quite noobish with Linux.
Thanks!

Wetzel402 said:
I did get the bct file but the bootloader.bin file is not working. With this line:
openssl aes-128-cbc -K $SBK -iv 0 -d -in bootloader.enc -out bootloader.tmp -nopad
I keep getting an error "option 0 doesn't exist". Any ideas?
Click to expand...
Click to collapse
That looks like you don't have SBK set (so it is trying to use "-iv" as key, and then don't know what to do with the leftover 0).
The steps must be performed in order and in the same shell as some of them are depending on variables set by previous steps.
Wetzel402 said:
Also when you have some time could you please explain what exactly all of this is doing? I understand very little of this syntax because I am quite noobish with Linux.
Click to expand...
Click to collapse
Sure, it is mostly just about reading some values at known offsets.
Code:
dd if=$raw_file of=bct_encrypted.bin bs=16 count=254 skip=1
Will read 254 blocks of 16 bytes, skiping one block from $raw_file into bct_encrypted.bin. So we are reading bytes 16-4080 into bct_encrypted.bin.
We are skipping the first 16 bytes since this is a checksum (CMAC) and not part of the encrypted data, so bringing that along would mess up the decryption of the next 16 byte due to the cipher block chaining.
Code:
openssl aes-128-cbc -K $SBK -iv 0 -d -in bct_encrypted.bin -out bct_decrypt.tmp -nopad
Decrypt the content of bct_encrypted.bin using the SBK and store the decryped data in bct_decrypt.tmp.
Code:
dd if=bct_decrypt.tmp of=out.bct bs=16 count=254 seek=1
We skipped the first 16 bytes previously, so the decrypted data is a bit incorretly offset.
So this takes bct_decrypt.tmp and writes it to out.bct offset 16 bytes so that we get a 4080 bytes file again.
Code:
bct_version="$(hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' $bct_file)"
Reads the version field of the BCT, this is a 32bit integer at offset 0x20.
I would expect the version to be 0x20001.
Code:
block_size=$((2 ** $(hexdump -n 4 -s 0x24 -e '1/4 "%u"' $bct_file)))
Reads the block size field in the BCT, also a 32bit integer, at offset 0x24.
The block and page size is stored in log2, so then we need to raise 2 to the value we found to get the actual block/page size.
For example, if we found the value 14 the block size is 2**14 = 16384.
Code:
#Boot loader 1
bl_start_block=$(hexdump -n 4 -s 0xA98 -e '1/4 "%u\n"' $bct_file)
bl_length=$(hexdump -n 4 -s 0xAA0 -e '1/4 "%u\n"' $bct_file)
Read start block and size of the first boot loader (the BCT file have space for four boot loaders)
Code:
bl_start_byte=$(( $(($bl_start_block - 64)) * $block_size ))
We have the start position of the boot loader in blocks, but we need it in bytes.
So multiply the block number with the block size. Unfortunatly this is not quite right, so we need to offset it a bit.
Code:
bl_padded_length=$(( $bl_length + $((16 - $(($bl_length % 16)) ))))
The encryption used, AES 128, works on blocks of 16 bytes, but there is no guarantee that the length of the boot loader is a multiple of 16 so we need to pad it to make sure it is.
Code:
dd bs=1 if=$raw_file of="bootloader.enc" skip=$bl_start_byte count=$bl_padded_length
Cut the encrypted boot loader out of the $raw_file.
Code:
openssl aes-128-cbc -K $SBK -iv 0 -d -in bootloader.enc -out bootloader.tmp -nopad
Decrypt it
Code:
dd if=bootloader.tmp of=$bl_file bs=$bl_length count=1
And take only the actual length of the decrypted data, discarding the extra padding data we took just to make it an even number of 16 byte blocks.

Very impressive
Prior to this I have messed mostly with kitchens, cd, and mount so this is definitely a learning experience for me. After you described these commands I am convinced I could use most of these minus the fact I would have no clues what values to use in them
Thanks! I will have to try rerunning everything and see if I can get the bootloader.bin to come out.

Here is my terminal output after copying and pasting in your script.
Code:
[email protected]:~# cd /root/Desktop
[email protected]:~/Desktop# SBK="B8A4C201EB6FF106EB00150430772103"
[email protected]:~/Desktop#
[email protected]:~/Desktop# #Input file
[email protected]:~/Desktop# raw_file="data.raw"
[email protected]:~/Desktop#
[email protected]:~/Desktop# #Output files
[email protected]:~/Desktop# bct_file="out.bct"
[email protected]:~/Desktop# bl_file="bootloader.bin"
[email protected]:~/Desktop#
[email protected]:~/Desktop# echo "Extrating the BCT data"
Extrating the BCT data
[email protected]:~/Desktop# dd if=$raw_file of=bct_encrypted.bin bs=16 count=254 skip=1 2> /dev/null
[email protected]:~/Desktop#
[email protected]:~/Desktop# echo "Decrypting the BCT data"
Decrypting the BCT data
[email protected]:~/Desktop# openssl aes-128-cbc -K $SBK -iv 0 -d -in bct_encrypted.bin -out bct_decrypt.tmp -nopad
[email protected]:~/Desktop# dd if=bct_decrypt.tmp of=out.bct bs=16 count=254 seek=1 2> /dev/null
[email protected]:~/Desktop# rm bct_decrypt.tmp
[email protected]:~/Desktop# rm bct_encrypted.bin
[email protected]:~/Desktop#
[email protected]:~/Desktop#
[email protected]:~/Desktop# #Read some general information
[email protected]:~/Desktop# bct_version="$(hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' $bct_file)"
[email protected]:~/Desktop# block_size=$((2 ** $(hexdump -n 4 -s 0x24 -e '1/4 "%u"' $bct_file)))
[email protected]:~/Desktop# page_size=$((2 ** $(hexdump -n 4 -s 0x28 -e '1/4 "%u"' $bct_file)))
I don't understand the page size line enough to know what is going wrong or to change things but after that line displays the terminal exists without errors.
Any ideas?

Wetzel402 said:
I don't understand the page size line enough to know what is going wrong or to change things but after that line displays the terminal exists without errors.
Any ideas?
Click to expand...
Click to collapse
You are probably hitting the exit in BCT version check, since you are running it directly in the shell that would make the terminal dissapear.
What does out.bct look like?
What does
Code:
hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' out.bct
give?

That was the problem.
Code:
[email protected]:~# cd /root/Desktop
[email protected]:~/Desktop# hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' out.bct
0xf16cb00b
So I modified the following line:
Code:
[email protected]:~/Desktop# if [ "$bct_version" != "0xf16cb00b" ]; then
Everything ran and out came the bootloader.bin. This should be the correct file then? Also the other two files (bootloader.enc&.tmp) were stepping stones to the final product (bootloader.bin) and are not needed correct?
When I get home from work if I have time I will try the following and see if life is good
Code:
nvflash --bl bootloader.bin --getbct --bct out.bct --sbk 0xB8A4C201 0xEB6FF106 0xEB001504 0x30772103 --go
nvflash -r --getpartitiontable partition.txt

Wetzel402 said:
That was the problem.
Code:
[email protected]:~# cd /root/Desktop
[email protected]:~/Desktop# hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' out.bct
0xf16cb00b
So I modified the following line:
Code:
[email protected]:~/Desktop# if [ "$bct_version" != "0xf16cb00b" ]; then
Everything ran and out came the bootloader.bin. This should be the correct file then?
Click to expand...
Click to collapse
I would not expect a different version, I think it is more likely the decryption failed.
Could you make the data.raw file available to me?

Here it is.

Wetzel402 said:
Here it is.
Click to expand...
Click to collapse
The data looks ok, but it can not be decrypted using that key so you must have the wrong SBK.
Assuming it follows the same format as the Iconia A500 that SBK would belong to a device with UID 042800484400D057, is this the UID of your device?

Yes that is correct. So you think Acer is using a different encryption method?
I tried the NVflash commands anyway and it doesn't run. Exits with the standard failure.

Wetzel402 said:
Yes that is correct. So you think Acer is using a different encryption method?
Click to expand...
Click to collapse
Depending on what you mean, maybe and no. They are maybe allocating the SBK differently, but the encryption in still AES128.
Wetzel402 said:
I tried the NVflash commands anyway and it doesn't run. Exits with the standard failure.
Click to expand...
Click to collapse
Nvflash uses the key you give it to encrypt the command before sending it to the device, then the decrypts the command using the builtin key. If those two does not match the result will not be a recognizable command.
Depending on how you got the UID it may be worth trying a different way, some devices does not report the UID as their USB serial number.
Save this as apxuid.c and compile this using gcc -Wall -pedantic -o apxuid apxuid.c -lusb-1.0. Then run ./apxuid directly after starting the device is in apx-mode and see if you get the same UID.
Code:
#include <libusb-1.0/libusb.h>
#include <stdio.h>
#include <stdint.h>
int main(void)
{
unsigned char data[64];
int received_length;
int r = 1;
libusb_context* ctx = NULL;
libusb_device_handle* dev_handle = NULL;
libusb_init(&ctx);
dev_handle = libusb_open_device_with_vid_pid(ctx, 0x0955, 0x7820);
if(dev_handle)
{
r = libusb_bulk_transfer(dev_handle, 0x81, data, sizeof(data), &received_length, 10000);
if (r == 0)
{
if(received_length == 8)
{
printf("uid: %#016lx\n", *(uint64_t*)data);
}
else
{
r = 1;
printf("Error: We got %d bytes of data insetad of the 8 bytes we expected...\n", received_length);
}
}
else
{
printf("Error: USB read failed!\n");
}
libusb_release_interface(dev_handle, 0);
}
else
{
printf("Error: Failed to open device!\n");
}
libusb_exit(ctx);
return r;
}

Related

[Q] What does the option "-s" used for in "make_ext4fs" ?

Hello,
I'm trying to make /system to ext4 image and boot up
I found that in system/extras/ext4_utils/mkuserimg.sh, the command is
make_ext4fs -s -l $SIZE -a $LABEL $OUTPUT_FILE $SRC_DIR
the out image with option "-s" cannot be mounted when bootup
but without the "-s" option, image can be mounted successful
I checked the image diff, the image with "-s" add crc header and spare format, so it definitly cannot be mounted directly , right ?
My question is : what the option "-s" used for ? Am I need this option in my experiment ?
Thanks
As far as i know -s = silent mode "no shell lines displayed during execution"
GchildT said:
As far as i know -s = silent mode "no shell lines displayed during execution"
Click to expand...
Click to collapse
Appriciate your reply
But, are you sure?... the option '-s' indeed pased as 'spare' in source code, and the out image cannot be mounted...
-s is sparse
you need to use the simg2img tool
This is what we do at work (TI)
From: omappedia.org/wiki/Using_EMMC_on_OMAP4_devices
./simg2img system.img system.img.raw
mkdir tmp
sudo mount -t ext4 -o loop system.img.raw tmp/
<<change stuff>>
sudo ./make_ext4fs -s -l 512M -a system system.img.new tmp/
sudo umount tmp
rm -rf tmp
Hope this helps
/chris
PS: The forum won't let me link the URL above
ufgeek said:
-s is sparse
you need to use the simg2img tool
This is what we do at work (TI)
From: omappedia.org/wiki/Using_EMMC_on_OMAP4_devices
./simg2img system.img system.img.raw
mkdir tmp
sudo mount -t ext4 -o loop system.img.raw tmp/
<<change stuff>>
sudo ./make_ext4fs -s -l 512M -a system system.img.new tmp/
sudo umount tmp
rm -rf tmp
Hope this helps
/chris
PS: The forum won't let me link the URL above
Click to expand...
Click to collapse
If you don't mind me asking,
What does simg2img do exactly? and what would be the potential risk if not using -s option?
steeldusk said:
If you don't mind me asking,
What does simg2img do exactly? and what would be the potential risk if not using -s option?
Click to expand...
Click to collapse
I figured it out. simg2img is just a bin file to strip sparsed image and make non-sparsed image, and not using -s just build system without any header. so as long as you can burn image to a right partition, you don't need -s option
make_ext4fs -s -l command
This is how i make my ext4 images. I did not got to test on real device my self yet.
Im building my images from cm source btw. This is the command i use to build recovery: make -j4 recoveryimage
After i build a image i run the make_ext4fs command.(userdata.img and system.img seem to be ext4 build by default for me)
make_ext4fs -s -l 1073741824 -a data out/target/product/m805_892x/userdata.img out/target/product/m805_892x/data
make_ext4fs -s -l 10485760 -a data out/target/product/m805_892x/boot.img out/target/product/m805_892x/data
make_ext4fs -s -l 10485760 -a data out/target/product/m805_892x/recovery.img out/target/product/m805_892x/data
make_ext4fs -s -l 314572800 -a data out/target/product/m805_892x/system.img out/target/product/m805_892x/data
gives:
Creating filesystem with parameters:
Size: 314572800
Block size: 4096
Blocks per group: 32768
Inodes per group: 6400
Inode size: 256
Journal blocks: 1200
Label:
Blocks: 76800
Block groups: 3
Reserved block group size: 23
Created filesystem with 911/19200 inodes and 31635/76800 blocks
Install system fs image: out/target/product/m805_892x/system.img
out/target/product/m805_892x/system.img+out/target/product/m805_892x/obj/PACKAGING/recovery_patch_intermediates/recovery_from_boot.p total size is 126213892
[email protected]:~/ICS$
I my BoardConfig i have this:
BOARD_BOOTIMAGE_PARTITION_SIZE := 10485760
BOARD_RECOVERYIMAGE_PARTITION_SIZE := 10485760
BOARD_SYSTEMIMAGE_PARTITION_SIZE := 314572800
BOARD_USERDATAIMAGE_PARTITION_SIZE := 1073741824
(Google for: build android from source if you dont get what im doing..)
The sizes need to be in bytes it seems.
DD dump you´re partitions and you see the amount of bytes.
Just edding some nice info to a old post
what of for a 128mb phone
ufgeek said:
-s is sparse
you need to use the simg2img tool
This is what we do at work (TI)
From: omappedia.org/wiki/Using_EMMC_on_OMAP4_devices
./simg2img system.img system.img.raw
mkdir tmp
sudo mount -t ext4 -o loop system.img.raw tmp/
<<change stuff>>
sudo ./make_ext4fs -s -l 512M -a system system.img.new tmp/
sudo umount tmp
rm -rf tmp
Hope this helps
/chris
PS: The forum won't let me link the URL above
Click to expand...
Click to collapse
my phone refuses to flash the image and i think its because of its size 145mb. how do i create a system.img for a 12mb internal memory phone
$ make_ext4fs
Expected filename after options
make_ext4fs [ -l <len> ] [ -j <journal size> ] [ -b <block_size> ]
[ -g <blocks per group> ] [ -i <inodes> ] [ -I <inode size> ]
[ -L <label> ] [ -f ] [ -a <android mountpoint> ]
[ -S file_contexts ]
[ -z | -s ] [ -t ] [ -w ] [ -c ] [ -J ]
<filename> [<directory>]
All is very simply
-s sparse (cut empty bytes)
-l len (size image)

[ROM] I9001XXKPU_XXKPH_OXAKP1 Oryginal Open

I9001XXKPU XXKPH OXAKP1
Flash + Odin :
hotfile.com/dl/140028931/367f5c4/i9001XXKPU_XXKPH_OXAKP1.rar.html
Regards!
Wish there was any change log available for stock rom updates...
Sent from my GT-I9001 using XDA App
Make them yourself, like I did:
1. Unzip/rar the file (just ignore the error)
2. Unpack system with Diskinternal Linux Reader
3. Compare the two with whatever file/dir compare tool you like (I use copyto for binary folder compare and ultracompare for file compare)
Good luck!
Regards,
Nika.
Sorry, first link have damaged MD5 checksums inside.
new one tested :
hotfile.com/dl/140028931/367f5c4/i9001XXKPU_XXKPH_OXAKP1.rar.html
I also edited first.
Lol, and I was trying to figure out why unpacking the smd did not work... thanks!
For whomever wants to know, you can extract an smd using this script (Linux or Cygwin):
Code:
#!/bin/bash
base=0
length=1
while (( length > 0 ))
do
# calculate Length
let "skip = base + 18"
length=`hexdump -e '"%d"' -s ${skip} -n 2 ${1}`
let "length = length * 65536"
let "skip = base + 16"
length2=`hexdump -e '"%d"' -s ${skip} -n 2 ${1}`
let "length += length2"
let "length = length / 512" # Number of 512-Byte blocks
# calculate offset
let "skip = base + 22"
offset=`hexdump -e '"%d"' -s ${skip} -n 2 ${1}`
let "offset = offset * 65536"
let "skip = base + 20"
offset2=`hexdump -e '"%d"' -s ${skip} -n 2 ${1}`
let "offset += offset2"
let "offset = offset / 512" # Number of 512-Byte blocks
# save header in case of first loop
if (( base == 0 ))
then
dd if=${1} bs=512 of=header count=${offset}
fi
# extract filename
let "skip = base + 32"
filename=`dd if=${1} skip=${skip} count=16 bs=1 2>/dev/null`
# and finally: extract image
if (( length > 0 ))
then
echo "Length: ${length}"
echo "Offset: ${offset}"
echo "Filename: ${filename}"
dd if=${1} bs=512 of=${filename} skip=${offset} count=${length} 2>/dev/null
fi
# next header
let "base += 64"
done

How to decode WhatsApp crypt8 db-files..

get the key from "data/data/com.whatsapp/files/key" once and latest db-backup from "sdcard/Whatsapp/Databases/msgstore.db.crypt8", then execute in bash:
hexdump -e '2/1 "%02x"' key | cut -b 253-316 > tmp/aes.txt
hexdump -e '2/1 "%02x"' key | cut -b 221-252 > tmp/iv.txt
dd if=msgstore.db.crypt8 of=tmp/msgstore.db.crypt8.nohdr ibs=67 skip=1 &> /dev/null
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in tmp/msgstore.db.crypt8.nohdr -K $(cat tmp/aes.txt) -iv $(cat tmp/iv.txt) > tmp/msgstore.gz
gzip -cdq tmp/msgstore.gz >msgstore.db
source: http://party3d.com/2014/12/16/nachste-whatsapp-version-bereits-geknackt/
cyb3r said:
get the key from "data/data/com.whatsapp/files/key" once and latest db-backup from "sdcard/Whatsapp/Databases/msgstore.db.crypt8", then execute in bash:
hexdump -e '2/1 "%02x"' key | cut -b 253-316 > tmp/aes.txt
hexdump -e '2/1 "%02x"' key | cut -b 221-252 > tmp/iv.txt
dd if=msgstore.db.crypt8 of=tmp/msgstore.db.crypt8.nohdr ibs=67 skip=1 &> /dev/null
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in tmp/msgstore.db.crypt8.nohdr -K $(cat tmp/aes.txt) -iv $(cat tmp/iv.txt) > tmp/msgstore.gz
gzip -cdq tmp/msgstore.gz >msgstore.db
source: http://party3d.com/2014/12/16/nachste-whatsapp-version-bereits-geknackt/
Click to expand...
Click to collapse
I dont know if I am doing it right. This is what I did:
1. Created a tmp folder in /sdcard
2. Opened adb shell and tried to execute the above
3. Executed the first three commands
On the 4th command, I got an error sh: openssl: not found
When I checked the tmp directory I made, I was able to see the aes.txt (65.00B), iv.txt (33.00B), msgstore.db.crypt8.nohdr (485KB) and msgstore.gz (0.00B)
Screenshots attached.
Appreciate some clarity on the topic. Thank you.
use this guide http://forum.xda-developers.com/showthread.php?t=2362386 in order to install OpenSSL on your android device and thus have openssl command on the shell.
albenex said:
use this guide http://forum.xda-developers.com/showthread.php?t=2362386 in order to install OpenSSL on your android device and thus have openssl command on the shell.
Click to expand...
Click to collapse
Thanks but I am new to all this. Two more questions:
1. Can this be installed in adb so that I can run it from PC command line
2. Is there an app that where i can run the ssl commands?
albenex said:
use this guide http://forum.xda-developers.com/showthread.php?t=2362386 in order to install OpenSSL on your android device and thus have openssl command on the shell.
Click to expand...
Click to collapse
Somehow I copied the data/local/ssl to /data/local/ssl on the device.
But not data/local/bin to /system/bin. it says operation failed and in adb shell also it is unable to copy with the CAT command.
Please advice.
mac_see said:
Somehow I copied the data/local/ssl to /data/local/ssl on the device.
But not data/local/bin to /system/bin. it says operation failed and in adb shell also it is unable to copy with the CAT command.
Please advice.
Click to expand...
Click to collapse
i've successfuly made these steps on my rooted 4.4 slimkat rom nexus 5 using Es File Explorer with root (supersu) permissions. check your root and/or your file manager.
albenex said:
i've successfuly made these steps on my rooted 4.4 slimkat rom nexus 5 using Es File Explorer with root (supersu) permissions. check your root and/or your file manager.
Click to expand...
Click to collapse
Which steps are you referring to? copying data/local/bin to /system/bin or the initial steps in post1 of cyb3r?
---------- Post added at 06:38 AM ---------- Previous post was at 06:35 AM ----------
mali_ said:
Your database will most probably be corrupt for the new crypt 8 format. It's not working even if you get the resultant db file after executing the above commands. Sqlite doesn't open the database after decryption.
Click to expand...
Click to collapse
No. That should not be the reason. I got the resultant db file but with zero bytes. I got msgstore.db.crypt8.nohdr (485KB) and msgstore.gz (0.00B). Please refer the attachment I posted before. For some reason, I am not able to execute the openssl command and for this, I installed the tool suggested by albenex and for that too I am having issues copying data/local/bin to /system/bin. The ssl folder got copied but not the bin
mali_ said:
The initial steps in post1 of cyb3r. If you know how to do it, please tell me. The resultant database doesn't open in sqlite. You can check it for yourself.
Click to expand...
Click to collapse
I am confused now and not getting you.
I did the first three steps and when I executed the last step, I got an error sh: openssl: not found on below statement
Code:
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in tmp/msgstore.db.crypt8.nohdr -K $(cat tmp/aes.txt) -iv $(cat tmp/iv.txt) > tmp/msgstore.gz
dont know how to get this done
Doesn't work for me, after all the process the gz file is wrong:
Code:
[email protected]:~# gzip -cdq msgstore.gz >msgstore.db
gzip: msgstore.gz: unexpected end of file
Note: I'm working in one PC, uploaded crypt8 file to a folder and NOT working with /tmp/ so my paths are corrects.
Regards
doubt
I lay on the subject. Where should I put the key and msgstore.db using Cygwin64 on windows? When I try to use the commands , I get the following message: hexdump : key : No such file or directory . If you can help this noob , I would be eternally grateful .
doubt
Hi , Mali . Thank you for answer. I put in the bin folder and keeps giving error. Is it coz I'm using Windows on the Mac , through bootcamp ? If so , you know you have another way to do this ? by mac maybe.
thank you very much once again.
doubt
mali_ said:
Open command prompt and navigate to the bin folder and execute those commands. Don't do it through cygwin terminal. Do it through command prompt. Make sure openssl is inside the bin folder. Good luck.
Click to expand...
Click to collapse
I just try the windows prompt and keeps giving error. The openssl is inside the folder, but can not get past the first line.
When you say to navigate to the folder , it would be using the command: "cd C: \ cygwin64 \ bin " and then the commands mentioned in the topic ? they did it and did not work.
Excuse my ignorance and thanks for the help .
doubt
mali_ said:
Yes,
cd C:\cygwin64\bin
without spaces.
What command are you running after this and what error are you getting?
Click to expand...
Click to collapse
I'm using this: hexdump -e '2/1 "%02x"' key | cut -b 253-316 > tmp/aes.txt
See the images using the 2 programs.
doubt
mali_ said:
That's why you're getting the error. Do this one by one, copy and paste.
hexdump -e '2/1 "%02x"' key | cut -b 253-316 > aes.txt
hexdump -e '2/1 "%02x"' key | cut -b 221-252 > iv.txt
dd if=msgstore.db.crypt8 of=msgstore.db.crypt8.nohdr ibs=67 skip=1
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K aes.txt -iv iv.txt > msgstore.gz
gzip -cdq msgstore.gz > msgstore.db
Let me know of the results.
Click to expand...
Click to collapse
Yay! Now is working. Funny, was doing copying the first post . I did not notice any change.
Now it is giving error in this line :
openssl enc -AES -256 - cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K aes.txt -iv iv.txt > msgstore.gz
"non -hex digit
invalid hex iv value "
thank you !!!!!!
doubt
Giving still the same error .
I'm typing this : openssl enc -AES -256 - cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K aes.txt -iv a9d97adc77efaf9773c6602048d50fa0 > msgstore.gz
this:
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K aes.txt -iv a9d97adc77efaf9773c6602048d50fa0 > msgstore.gz
yesssss
Mali , was replacing the aes.txt for his number.
thank you very muchhhhhhhh!
It's working for me with in cygwin, even getting "unexpected end of file" error decompressing, the resultant file is a correct sqlite database.
Thanks
mali_ said:
Do it on your computer. Use cygwin and install openssl. It will work.
Click to expand...
Click to collapse
I have not cygwin so far but what i tries is this. I Installed openssl-0.9.8k_X64.zip from https://code.google.com/p/openssl-for-windows/downloads/list and then tried the below command and I got an error unknown option 'aex.txt'
Code:
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in tmp/msgstore.db.crypt8.nohdr -K $(cat tmp/aes.txt) -iv $(cat tmp/iv.txt) > tmp/msgstore.gz
error is
Code:
unknown option 'aex.txt'
screenshot attached
What am i doing wrong?
mali_ said:
All the tables are viewable in sqlite browser? Do you see your messages? It opens with sqlite but there is no data.
Click to expand...
Click to collapse
Yes, correct sqlite file means correct not only the extension.
prntscr.com/5jlnjl
Sorry I can't paste links.
Regards
mac_see said:
I have not cygwin so far but what i tries is this. I Installed openssl-0.9.8k_X64.zip from and then tried the below command and I got an error unknown option 'aex.txt'
Code:
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in tmp/msgstore.db.crypt8.nohdr -K $(cat tmp/aes.txt) -iv $(cat tmp/iv.txt) > tmp/msgstore.gz
error is
Code:
unknown option 'aex.txt'
screenshot attached
What am i doing wrong?
Click to expand...
Click to collapse
You forgot the $ before (cat tmp/aes.txt) that's because you get "unknown option 'aes.txt)
Regards

[TOOLS] MTKIMG : Unpack / Repack boot.img, recovery.img and logo.bin for MTK device

Hello,
For a personal project a write a simple tools to unpack/repack boot.img, recovery.img and logo.bin of Mediatek cpu based devices named MTKIMG. MTK add specific header on each blocs in image so common tools could not unpack/repack properly. Also every tools i found do not correspond to my need.
Here is the the MTKIMG characteristics :
Write in C, open-source.
Portable : Linux, Cygwin, Windows (MAC is currently under port).
Only one executable for unpack/repack.
Support unpack/repack boot.img and recovery.img.
Support unpack/repack logo.bin
Keep the original image size at repack time.
Handle kernel and ramdisk with or without MTK header.
Automatic ramdisk decompression.
Option to keep or remove MTK headers.
Check for valid "ARM Linux zImage" kernel.
Check for valid "GZIP" ramdisk.
Check for overflow if kernel or ramdisk is too big at repack time.
Option to set compression rate for ramdisk.
Easy to use, all parameters are defaulted.
Easy to build on every platform.
Got simple test-suite.
Documentation available.
Version :
Status : Bêta
Version : 0.44
Update : 2015/07/20
Source code :
https://github.com/rom1nux/mtkimg
Releases (Linux, Cygwin, Windows) :
https://github.com/rom1nux/mtkimg/tree/master/releases
OSX version are currently under port (Please, thanks sambwel)
Hope this help (Sorry for my bad english)
Hi
Did you used anything from @carliv or @bgcngm projects ( source / binarys ) ?
Or is this a full new project?
Since you didn't added any source link,,, (github / bitbucket ?)
cheers
Hello superdragonpt,
Did you used anything from @carliv or @bgcngm projects ( source / binarys ) ?
Click to expand...
Click to collapse
MTKIMG is write in C from scratch. I do not use anything other than "find", "gzip" and "cpio" utilities.
I know bgcngm's pearl scripts (mtk-tools) but it does not fit my needs.
I dont know carliv's bash scripts , i dont know if it support MTK header bloc.
Or is this a full new project?
Click to expand...
Click to collapse
Yes it's a full new project, It's write MTKIMG for my need first, but i told myself that it could help other.
Since you didn't added any source link,,, (github / bitbucket ?)
Click to expand...
Click to collapse
If MTKIMG got interests i probably create git repo.
Thanks for your remarks
rom1nux said:
Hello superdragonpt,
MTKIMG is write in C from scratch. I do not use anything other than "find", "gzip" and "cpio" utilities.
I know bgcngm's pearl scripts (mtk-tools) but it does not fit my needs.
I dont know carliv's bash scripts , i dont know if it support MTK header bloc.
Yes it's a full new project, It's write MTKIMG for my need first, but i told myself that it could help other.
If MTKIMG got interests i probably create git repo.
Thanks for your remarks
Click to expand...
Click to collapse
Thanks for answering
I have some MTK devices here, i'll test this tool Compatibility across the Mtk SoC's i own.
Keep it up
Cheers
I have some MTK devices here, i'll test this tool Compatibility across the Mtk SoC's i own.
Click to expand...
Click to collapse
Good news !
For information i put source code under GPL3 license and i create a dedicated GiHub repository as you suggest : https://github.com/rom1nux/mtkimg
Feel free to come to help
Good Work Mate ....looking forward to it
edit : any 32 bit system tool ??
Hello [email protected],
Thank for your interest.
edit : any 32 bit system tool ??
Click to expand...
Click to collapse
I got only 64bits OS but i can install Cygwin32 and VirtualBox 32 bits OS if needed but it's very easy to build.
Hello,
I test MTKIMG and it work well, but now i search information about MTK logo partition format, i see the MTK header on it but dont know how to parse images.
More preciselly i want to know information about header of the logo partition (like size of image, etc...) the header after the MTK header.
Did you have this kind of information ?
Thank in advance
Hello,
I find some information about logo.bin image :
- The first 512 bytes are the MTK header Magic (0x88168858) + Size + "LOGO"
- After, i found logo partition header is formated like :
Code:
Offset (B) | Size (B) | Description
--------------------------------------------------------
0 | 4 | Logos count
4 | 4 | Size of bloc (=MTK header image size)
8 | 4 | Logo_0 offset
12 | 4 | Logo_1 offset
8+(n*4) | 4 | Logo_n offset
... | ... | ?
--------------------------------------------------------
Logo_0 offset | Logo_1-Logo_0 offset | Logo_0 gzip content
Logo_1 offset | Logo_2-Logo_3 offset | Logo_1 gzip content
... | ... | Logo_n gzip content
--------------------------------------------------------
I dont know how to find the size of each logo, did you have this information ?
This looks great. I would love to be able to run this on my Mac. I don't think it should be hard to get it working but I'm not familiar with C so I don't know what to change to make it build. Let me know what I can do to help!
Hello sambwel,
I would love to be able to run this on my Mac. I don't think it should be hard to get it working but I'm not familiar with C so I don't know what to change to make it build. Let me know what I can do to help!
Click to expand...
Click to collapse
Happy to read this
You only need "gcc" and "make" for instance (i found this on the web) :
Installing recent XCode versions confusingly enough does not automatically install the command line tools. To install the command line tools when they're not automatically installed;
Start XCode.
Go to XCode/Preferences.
Click the "Downloads" tab.
Click "Components".
Click "Install" on the command line tools line.
That will install the command line tools and make them accessible from a regular command line.
Click to expand...
Click to collapse
Be sure gcc and make are in your PATH environment variable, and after, open a terminal on your MAC in the source folder and hit command :
Code:
make
If you get "Unsupported platform" message it's a good news, i'm going to do minor correction to the source code for this error after lunch. (Put your building log here if you want)
Thanks for your help
No worries mate, familiar with linux and building things from source, just not familiar with C code Here's the output when I try make:
Code:
sambwel:mtkimg sambwel$ make
MTKIMG LINUX MAKE by rom1nux
Create directory build ...
Building C file build/info.o ...
gcc -c -Wall src/info.c -o build/info.o
In file included from src/info.h:34,
from src/info.c:24:
src/main.h:51:3: warning: #warning "Unsupported platform !"
Building C file build/main.o ...
gcc -c -Wall src/main.c -o build/main.o
In file included from src/main.c:24:
src/main.h:51:3: warning: #warning "Unsupported platform !"
src/main.c: In function ‘main’:
src/main.c:54: error: ‘APP_PLATFORM’ undeclared (first use in this function)
src/main.c:54: error: (Each undeclared identifier is reported only once
src/main.c:54: error: for each function it appears in.)
make: *** [build/main.o] Error 1
Hello sambwel
sambwel said:
No worries mate, familiar with linux and building things from source
Click to expand...
Click to collapse
Cool, good new, I know nothing about MAC
sambwel said:
..., just not familiar with C code Here's the output when I try make:
Click to expand...
Click to collapse
OK, i'm going to add MAC platform specifics to main.h this afternoon (I have not been able to do yesterday, sorry).
I tell you when i the modification is done.
Thanks a lot for your help
superdragonpt said:
Thanks for answering
I have some MTK devices here, i'll test this tool Compatibility across the Mtk SoC's i own.
Keep it up
Cheers
Click to expand...
Click to collapse
I made a similar simple script in dash format that should work on device:
Code:
#!/sbin/sh
bootonetofive() {
busybox dd if=${1}.img of=1 bs=512 count=4 conv=notrunc
busybox dd if=${1}.img of=${1}-header bs=512 skip=4 conv=notrunc
busybox dd if=${1}-header of=2 bs=512 count=1 conv=notrunc
busybox dd if=${1}-header of=${1}-header-k_header bs=512 skip=1 conv=notrunc
initrd=`hexdump -C ${1}-header-k_header | grep -m1 "ROOTFS" | cut -d " " -f 1`
if [ -z ${initrd} ]; then
initrd=`hexdump -C ${1}-header-k_header | grep -m1 "RECOVERY" | cut -d " " -f 1`
FLSH=recovery
fi
initrdbin=`printf "%d\n" 0x${initrd}`
intrdsec=`expr ${initrdbin} / 512`
busybox dd if=${1}-header-k_header of=3 bs=512 count="${intrdsec}" conv=notrunc
busybox dd if=${1}-header-k_header of=${1}-header-k_header-kernel bs=512 skip="${intrdsec}" conv=notrunc
busybox dd if=${1}-header-k_header-kernel of=4 bs=512 count=1 conv=notrunc
busybox dd if=${1}-header-k_header-kernel of=5 bs=512 skip=1 conv=notrunc
}
AddPadd() {
if [ ${krnsz} != ${nwkrnsz} ]; then
krnsz=`du -B 1 3 | cut -f 1`
nwkrnsz=`du -B 1 3-new | cut -f 1`
if [ ${krnsz} -gt ${nwkrnsz} ]; then
pddng=`expr ${krnsz} - ${nwkrnsz}`
busybox dd if=/dev/zero of=padd bs=1 count=${pddng} conv=notrunc
cat padd >> 3-new
else
nwsz=`expr ${nwkrnsz} / 512 + 1`
busybox dd if=/dev/zero of=3 bs=512 count="${nwsz}" conv=notrunc
fi
AddPadd
else
echo "kernels are already the same size"
exit 0
fi
if [ ${pddng:-0} != "0" ]; then
if [ ${nwsz:-0} != "0" ]; then
echo "new kernel is larger"
else
echo "kernels are now the same size"
fi
exit 0
fi
}
addserialno() {
printf "androidboot.serialno=" > serno
dd if=/dev/block/mmcblk0p1 of=barcode bs=16 count=1
cat serno barcode > serialno
dd if=1 of=1_1 bs=16 count=7
dd if=1 of=1_2 bs=16 skip=7
dd if=1_2 of=1_3 bs=1 skip=37
cat 1_1 serialno 1_3 > 1_new
}
unpackramd() {
mkdir work 2> /dev/null
cd work
busybox gzip -dc ../5 2> /dev/null | cpio -i 2> /dev/null
cd ${crdr}
}
repackramd() {
cd work
find . | cpio -o -H newc 2> /dev/null | gzip -9 > ../5-new 2> /dev/null
rm -rf *
cd ${crdr}
}
bootfivetoone() {
cat 1 2 3 4 5 > new-${1:-boot}.img
}
crdr=`pwd`
bootonetofive ${1:-boot}
rm ${1:-boot}-*
if [ -f 3-new ]; then
AddPadd
cp 3-new 3
fi
if [ ${2:-NA} = "split" ]; then
unpackramd
echo "modify what you need to in ${crdr}/work then"
echo "press enter y to continue or any key to exit"
read cntn
if [ ${cntn:-n} = "y" ]; then
repackramd
cp 5-new 5
else
exit 0
fi
fi
if [ ${2-NA} = "serial" ]; then
addserialno
cp 1_new 1
fi
bootfivetoone ${1:-boot}
echo "All Done new .img created... ${crdr}/new-${1:-boot}.img"
# 1 header
# 2 k_header
# 3 kernel
# 4 r-header
# 5 ramdisk
FLSHPRT=`ls -la /dev/block/platform/mtk-msdc.0/by-name | grep ${FLSH:-boot} | awk -F " " '{print $NF}'`
if [ ${2:-no} = "flash" ]; then
dd if=${crdr}/new-${1:-boot}.img of=/dev/block/${FLSHPRT}
fi
Attached as a txt.
It just needs busybox installed. Only used it with the new MT6732/52 SoCs. I could use someone testing it with others to see if it's universal. (Only setup for gzipped ramdisks, should be able to add in the others.)
To run it is for example.
sh ./splitboot.sh boot split to split boot.img (and open ramdisk)
sh ./splitboot.sh boot flash to flash boot.img
sh ./splitboot.sh boot serial to take the barcode value from proinfo partition and uses it as serial number (only seems to work with AOSP)
It works with *.img and automatically identifies if it's a boot or recovery img.
HypoTurtle said:
I made a similar simple script in dash format that should work on device:
Code:
#!/sbin/sh
bootonetofive() {
busybox dd if=${1}.img of=1 bs=512 count=4 conv=notrunc
busybox dd if=${1}.img of=${1}-header bs=512 skip=4 conv=notrunc
busybox dd if=${1}-header of=2 bs=512 count=1 conv=notrunc
busybox dd if=${1}-header of=${1}-header-k_header bs=512 skip=1 conv=notrunc
initrd=`hexdump -C ${1}-header-k_header | grep -m1 "ROOTFS" | cut -d " " -f 1`
if [ -z ${initrd} ]; then
initrd=`hexdump -C ${1}-header-k_header | grep -m1 "RECOVERY" | cut -d " " -f 1`
FLSH=recovery
fi
initrdbin=`printf "%d\n" 0x${initrd}`
intrdsec=`expr ${initrdbin} / 512`
busybox dd if=${1}-header-k_header of=3 bs=512 count="${intrdsec}" conv=notrunc
busybox dd if=${1}-header-k_header of=${1}-header-k_header-kernel bs=512 skip="${intrdsec}" conv=notrunc
busybox dd if=${1}-header-k_header-kernel of=4 bs=512 count=1 conv=notrunc
busybox dd if=${1}-header-k_header-kernel of=5 bs=512 skip=1 conv=notrunc
}
AddPadd() {
if [ ${krnsz} != ${nwkrnsz} ]; then
krnsz=`du -B 1 3 | cut -f 1`
nwkrnsz=`du -B 1 3-new | cut -f 1`
if [ ${krnsz} -gt ${nwkrnsz} ]; then
pddng=`expr ${krnsz} - ${nwkrnsz}`
busybox dd if=/dev/zero of=padd bs=1 count=${pddng} conv=notrunc
cat padd >> 3-new
else
nwsz=`expr ${nwkrnsz} / 512 + 1`
busybox dd if=/dev/zero of=3 bs=512 count="${nwsz}" conv=notrunc
fi
AddPadd
else
echo "kernels are already the same size"
exit 0
fi
if [ ${pddng:-0} != "0" ]; then
if [ ${nwsz:-0} != "0" ]; then
echo "new kernel is larger"
else
echo "kernels are now the same size"
fi
exit 0
fi
}
addserialno() {
printf "androidboot.serialno=" > serno
dd if=/dev/block/mmcblk0p1 of=barcode bs=16 count=1
cat serno barcode > serialno
dd if=1 of=1_1 bs=16 count=7
dd if=1 of=1_2 bs=16 skip=7
dd if=1_2 of=1_3 bs=1 skip=37
cat 1_1 serialno 1_3 > 1_new
}
unpackramd() {
mkdir work 2> /dev/null
cd work
busybox gzip -dc ../5 2> /dev/null | cpio -i 2> /dev/null
cd ${crdr}
}
repackramd() {
cd work
find . | cpio -o -H newc 2> /dev/null | gzip -9 > ../5-new 2> /dev/null
rm -rf *
cd ${crdr}
}
bootfivetoone() {
cat 1 2 3 4 5 > new-${1:-boot}.img
}
crdr=`pwd`
bootonetofive ${1:-boot}
rm ${1:-boot}-*
if [ -f 3-new ]; then
AddPadd
cp 3-new 3
fi
if [ ${2:-NA} = "split" ]; then
unpackramd
echo "modify what you need to in ${crdr}/work then"
echo "press enter y to continue or any key to exit"
read cntn
if [ ${cntn:-n} = "y" ]; then
repackramd
cp 5-new 5
else
exit 0
fi
fi
if [ ${2-NA} = "serial" ]; then
addserialno
cp 1_new 1
fi
bootfivetoone ${1:-boot}
echo "All Done new .img created... ${crdr}/new-${1:-boot}.img"
# 1 header
# 2 k_header
# 3 kernel
# 4 r-header
# 5 ramdisk
FLSHPRT=`ls -la /dev/block/platform/mtk-msdc.0/by-name | grep ${FLSH:-boot} | awk -F " " '{print $NF}'`
if [ ${2:-no} = "flash" ]; then
dd if=${crdr}/new-${1:-boot}.img of=/dev/block/${FLSHPRT}
fi
Attached as a txt.
It just needs busybox installed. Only used it with the new MT6732/52 SoCs. I could use someone testing it with others to see if it's universal.
To run it is for example.
sh ./splitboot.sh boot split to split boot.img (and open ramdisk)
sh ./splitboot.sh boot flash to flash boot.img
sh ./splitboot.sh boot serial to take the barcode value from proinfo partition and uses it as serial number (only seems to work with AOSP)
It works with *.img and automatically identifies if it's a boot or recovery img.
Click to expand...
Click to collapse
Good
But for those SoC, we use the inbuilt tool.
(not for general public)
So yours and this one, is always good alternative
cheers
Hello
So yours and this one, is always good alternative
Click to expand...
Click to collapse
Yes good alternative, i take look when i can, but HypoTurtle you should probably create a dedicated thread for your tools.
sambwel,
Normally we just have to adjust "main.h" and "Makefile" for porting to OSX platform.
(I put notes in the files headers)
main.h
I add 'define' test to detect OSX platform (APP_PLATFORM/APP_OSX). I don't know if this work. I leave the APP_ARCH (32/64bits) test as-it but i don't know if this work on OSX (it's not very important for now, we can correct after)
Makefile
I add "Darwin" detection mechanism for OSX.
I start to add options to unpack/repack logo.bin, this use "zlib" and "libpng1.6", you can disable this to don't be bother with externals dependencies. In Makefile, put LOGO_SUPPORT=0 in the LINUX/CYGWIN/OSX section (Line ~92) for first build.
Big Thanks for your help
Okay, good news! mtkimg builds and runs now! I did have to put LOGO_SUPPORT=0 in the Makefile otherwise I get the error "error: png.h: No such file or directory".
So I did a quick test to see if it works. info and unpack seem to work correctly (tested on ~7mb stock boot.img). However when I repack the same image the result is a ~4.3gb boot.img!! Not sure what happened... headers are intact on the new image. No more time to test right now but I will check back here soon.
Hip Ha ! Good news !
For the size, look at the "image.cfg" if the size is right
You can use '-v' and '-d' options to see what append and look at the "layout" part display on the screen.
(Suspect image.cfg not being read correctly, i'm goind to look about "End of line" on MAC.
Many thanks for your try
Hello,
I push the MTKIMG Bêta 0.38 with compiled version for (Linux64,Cygwin64 and Windows64) that support logo unpacking. (logo repack in progres...)
Have fun.....

mitm on android emulator: a howto

Hello all,
I'd like to braindump how I managed to make android emulator v30 work with mitm, hope that helps someone.
Since it was not possible to neither write nor make writable the /system partition, I decided to roll my own system.img and that actually worked. I'm not going to upload a script because I might not remember 100%, but I'll going to descibe the steps in full, even though they exist elsewhere. The commands might not be exact, too, so if there's a typo you'll need to figure it out yourself.
Also, it will be a bit confusing because I shall refer to 2 files named system.img, one is the 2G file that comes with android, the other is 700M or something file that you will be creating in the process. I'll refer them as #1 and #2.
1. What is needed: android studio and emulator, linux, xattr, https://github.com/LonelyFool/lpunpack_and_lpmake , https://github.com/tytso/e2fsprogs, mitmproxy, parted. Build these github projects, you'll need their binaries in the process.
also, 'mkdir build' somewhere.
2. Find system.img (#1) in your android studio installation, then extract the system partition:
$ losetup -f system.img
$ losetup -a | grep system.img
/dev/loop5
$ partprobe /dev/loop5
$ ls /dev/loop5p*
/dev/loop5p1 /dev/loop5p2
$ lpunpack_and_lpmake/bin/lpunpack /dev/loop5p2 build
$ ls build
system.img system-ext.img product.img vendor.img
$ losetup -d /dev/loop5
3. Make system.img (#2) writable and usable. This is ext4 crunched with feature shared_blocks, which makes it not really writable even in theory, as it deduplicates identical blocks in the filesystem. You'll need to convert that to a normal ext4, but, there's not enough space to do that operation. So you'll need to expand the partition to accomodate for this. How much? Empirically, I added 30M to a 700M partition:
$ ls -l system.img
700000000 # for example
$ e2fsprogs/resize/resize2fs system.img 730M
$ ls -l system.img
730000000 # for example
$ e2fsprogs/e2fsck/e2fsck -f system.img
$ e2fsprogs/e2fsck/e2fsck -E unshared_blocks system.img
$ e2fsprogs/e2fsck/e2fsck -f system.img
4. Modify the now writable partiton to your heart's content (we're still with system.img #2 here). I needed to add just one file, mitmproxy-ca-cert.cer . According to the mitmproxy docs, the name must be the hash of the certificate:
$ losetup -f system.img
$ losetup -a | grep system.img
/dev/loop6
$ mount /dev/loop6 /mnt
$ hashed_name=`openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.cer | head -1
$ echo $hashed_name
c8750f0d
$ cp mitmproxy-ca-cert.cer /mnt/system/ext/security/cacerts/$hashed_name.0
$ cd /mnt/system/ext/security/cacerts/
$ chmod 644 $hashed_name.0
Now check if your android has extra attributes in these certificate files. Mine does:
$ xattr 00abcde.0 # some random certificate
security.selinux
$ xattr -p security.selinux 00abcde.0
ubject_r:system_security_cacerts_file:s0
if yes, you'll need it on this file too:
$ xattr -w security.selinux ubject_r:system_security_cacerts_file:s0 $hashed_name.0
and be done with the partition
$ umount /mnt
$ losetup -d /dev/loop6
5. Create new super-partition, the one we used as /dev/loop5p2. You'll need the file sizes of your .img partitions, and your command to create a super.img file will look like this:
$ cat repack
#!/bin/sh
P=/android/super/1
~/src/lpunpack_and_lpmake/bin/lpmake --metadata-size 65536 --super-name super --metadata-slots 2 --device super:2496462848 --group main:2647101440 \
--partition system:readonly:786432000:main --image system=$P/system.img \
--partition system_ext:readonly:131952640:main --image system_ext=$P/system_ext.img \
--partition product:readonly:1468575744:main --image product=$P/product.img \
--partition vendor:readonly:102739968:main --image vendor=$P/vendor.img \
--output $P/super2.img
the interesting numbers are the corresponding partition sizes (in --partition), and, if f ex you increased the system.img #2 to 30M in the step 3, the number in --device:super should be the size of /dev/loop5p2 in bytes plus at least these 30M (but also okay if a bit more).
6. Finally, create a new system.img #1 . Create a backup copy of it, and then append some 30M there, and fix the partition
$ dd if=/dev/zero of=system-new.img flags=append bs=1M size=30
$ losetup -f system-new.img
$ losetup -a | grep system-new.img
/dev/loop7
$ parted /dev/loop7
GNU Parted 3.3
Using /dev/loop7
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) p
Model: Loopback device (loopback)
Disk /dev/loop7: 2444MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 1049kB 2097kB 1049kB vbmeta
2 2097kB 2443MB 2441MB super
you will need to expand the partion 2 to the max (plus minus same 30M). If is fails fix the number and retry:
(parted) resizepart 2 24460MB
Error: The location 24460MB is outside of the device /dev/loop7.
and finally copy data back:
$ partprobe /dev/loop7
$ dd if=super.img of=/dev/loop7p2 bs=1M
$ losetup -d /dev/loop7
and that's it. After that, rename system-new.img to system.img, and hopefully the emulator could run this new image.
Also, to check that the certificate is there and recognized, go to the setting/certificates/trusted certificates, the mitmproxy one should be in the list.
Hopefully this will be helpful.
Cheers!
/dk

Categories

Resources