Rules:
Do not post in here unless you have something constructive to say. "Thanks", "Hey this is wonderful", and any other comments like that are not wanted. They take up space and make it more difficult to find information. I'm requesting that this thread be heavily moderated. In order to work efficiently, information density must be kept high. We are all guilty of adding in a few off-topic sentences from time-to-time, but this thread is strictly business and I expect the moderators to moderate me as well.
What is this?
This is the place where we can research and develop a method to unlock the bootloader of the Verizon Galaxy SIII. Hopefully, this will be development at its finest.
Why not just buy a developer edition
GTFO! Not a single person got started developing by buying a developer phone. They started developing because they were unhappy with the features of their device and wanted something better. They wanted something more. This developer phone is a tax on developer innovation. We do not stand for that. We will break the security and we will enable XDA-Developers to do what they do best.
Until security is broken and available for everyone, this device will get updates last, users will be unhappy because there are no additional features and Samsung violates the spirit of Open Source and copyright laws. Take a look at the bottom line of GPL-Violations.org FAQ located here: http://gpl-violations.org/faq/sourcecode-faq.html
What are the goals?
Attain a bootloader recovery - 75% JTAG (the extra 25% will be for a user-friendly method)
The Galaxy S3 is bootable from SDCard. In case of emergency this is needed. We need to verify that this works on the Verizon GS3 to bring up Odin. This will set up infrastructure for research.
Attain a full stock restoration via Odin or Heimdall - 90%
For use with Odin3.
Bootloader - BOOTLOADER_I535VRALF2_618049_REV09_user_low_ship.tar.md5 - 1.97 MB - Thanks nbsdx
PDA - SCH-I535_VZW_1_20120705143513_fti2qg2lmf.zip
NEED CSC PACKAGE (MODEM, PARAMS and Other Miscellaneous partitions). This is enough to recover a device though.
To include bootloaders and recovery to a working and stock condition with the EMMC wiped entirely. Heimdall is a work in progress for this device. This will complete the infrastructure needed for research.
Collect information
This will be the longest and most difficult part of this development. The information provided by Qualcomm is not readily available. Samsung is notoriously secretive about their bootloaders. Mainly we, as a community, will generate information. Please post any relevant datasheets, theory-of-operation, or manuals which you can find.
Provide a way to remove security checks from Odin3. 100% - insecure aboot.img which may break in the future
By removing security checks from Odin3 on the computer or the Loki daemon on the device we can flash anything through Odin or Heimdall.
Provide a way to bypass security checks within bootloaders. 200% we have two exploits, only one has been released.
This is the ultimate goal. Once we can bypass the security checks, kernels can be flashed giving us the control required to develop
Initial information
[BOOTLOADER] Locked bootloader research and news: http://forum.xda-developers.com/showthread.php?t=1756919
My own research
SBL1 is the first booting partition. Qualcomm provides the Modem partition so it comes first on the EMMC. SBL1 is the first bootloader and that is specified by Qualcomm standards. Qualcomm makes the primitive bootloader and allows their customers (Samsung) to make a Secondary bootloader. Samsung chose to use three secondary bootloaders.
The following 0p* are located in /dev/block/mmcblk*
0p1 = modem
Built by se.infra
HUDSON_GA_D2_USA-VZW-HARDKEY-PROD-USER
I take this to mean this Qualcomm modem was built in Hudson Georgia.
I was not able to find signatures on this block. This does NOT mean that there are no signatures on this block. The file is 33 megs. The file is unencrypted.
The modem uses the BLAST Kernel ver : 02.04.02.02.00 Unfortunately we need someone who speaks French(???) to understand how this works http://blast.darkphpbb.com/faq.php
Judging by the contents of this file, it is an operating system of its own including keyboard, mouse and a lot of debugging information. We need to find out more about the BLAST Kernel and this partition.
Samsung Proprietary partitions SBL1,2,3
Overall I'm not entirely familiar with this new 3 SBL setup. If someone could help me out, that would be great. This 3 SBL setup looks like they tried to adapt (sloppily) their IBL+PBL+SBL setup to the Qualcomm and added overhead.
0p2=sbl1
This block is signed by Samsung, we will not be able to modify it.
Some Strings we expect to see on UART are:
0p3=sbl2
This block is signed by Samsung, we will not be able to modify it.
Some of the strings we may see over UART are:
Code:
RPM loading is successful.
cancel RPM loading!
SBL2, End
SBL2, Delta
.sbl2_hw.c
sbl2_hw_init, Start
sbl2_hw_init, Delta
sbl2_hw_init_secondary, Start
h/w version : %d
sbl2_hw_init_secondary, Delta
.SBL2, Start
scatterload_region & ram_init, Start
.scatterload_region & ram_init, Delta
.sbl2_mc.c
sbl2_retrieve_shared_info_from_sbl1, Start
.sbl2_retrieve_shared_info_from_sbl1, Delta
0p4=sbl3
This block is signed by Samsung, we will not be able to modify it.
Possibly useful information:
SVC: R1-R14
FIQ:R13-R14
IRQ:R13-R14
UND:R13-R14
ABT:R13-R14
SYS:R13-R14
This block appears to be a full OS of its own. I'm not sure of its purpose.
0p5= aboot
This block is signed by Samsung, we will not be able to modify it
This block contains HTML information. It would appear that it is possible to put the device into a mode where it will provide a webserver which displays state information.
This block appears to be a complete operating system
This block contains the Loke Daemon which communicates with Odin3.
0p6= rpm
This block is signed by Samsung we will not be able to modify it
0p7= boot
This is the kernel. There are several things we can do here... I believe this package itself is not signed, but the zImage itself is... here is the bootimg.cfg file
Code:
[email protected]:~/Desktop/VZWGS3$ cat ./bootimg.cfg
bootsize = 0xa00000
pagesize = 0x800
kerneladdr = 0x80208000
ramdiskaddr = 0x81500000
secondaddr = 0x81100000
tagsaddr = 0x80200100
name =
cmdline = console=null androidboot.hardware=qcom user_debug=31
It may be possible to use that cmdline variable as an exploit.
0p8= tz - Trust Zone
0p9= pad
0p10= param -boot mode parameters - this could be a potential exploitation point.
0p11= efs -serial numbers
I've honestly got no clue about most of the following partitions.
0p12= modemst1
0p13= modemst2
0p14= system - Android stuff
0p15= userdata - App Stuff
0p16= persist
0p17= cache - Storage for updates
0p18= recovery - recovery partition
0p19= fota
0p20= backup
0p21= fsg
0p22= ssd
0p23= grow
External UART log from initial power up:
Code:
[1630] AST_POWERON
[ 0.000000] heap->name mm, mb->start c0000000
[ 0.000000] Reserving memory at address ea000000 size: 100000
[ 0.000000] sec_dbg_setup: [email protected]
[ 0.000000] sec_dbg_setup: secdbg_paddr = 0x88d90004
[ 0.000000] sec_dbg_setup: secdbg_size = 0x40000
[ 0.000000] etb_buf_setup: [email protected]
[ 0.000000] etb_buf_setup: secdbg_paddr = 0x8fffb9c0
[ 0.000000] etb_buf_setup: secdbg_size = 0x4000
[ 0.174515] rdev_init_debugfs: Error-Bad Function Input
[ 0.174881] AXI: msm_bus_fabric_init_driver(): msm_bus_fabric_init_driver
[ 0.176957] sec_debug_init: enable=0
[ 0.177475] ec_debug_nit: restrt_reason: 0xdf0085c
[ .216358] msm8960_iit_cam:292]settingdone!!
[ 0.25006] i2c 2c-14: Inalid 7-bi I2C addrss 0x00
0.25237] i2c ic-14: Can' create evice at x00
[ 0.252220]i2c i2c-1: Failed o registeri2c clien cmc624 t 0x38 (-6)
[ .252250] 2c i2c-19:Can't crete deviceat 0x38
0.25433] rdevinit_debufs: Error-ad Functin Input
0.25222] max892 19-006: DVS mode disabledbecause VD0 and VI1 do not ave prope control.
[ 0.79536] ms_etm msm_tm: ETM tacing is ot enable beacaussec_debug s not enaled!
[ 0.284449 smd_chanel_probe_orker: alocation tble not iitialized
[ 0.38766] pm_untime: fil to wak up
[ 0.362032]hdmi_msm dmi_msm.1 externalcommon_stte_create sysfs grup de39e68
[ 0362673] Iside writback_drivr_init
[ 0.36275] Insidewritebackprobe
[ 1.244803] TZCOM: unable to get bus clk
[ 1.431680] cm36651_setup_reg: initial proximity value = 3
[ 1.549671] msm_otg msm_otg: request irq succeed for otg_power
[ 1.566702] mms_ts 3-0048: [TSP] ISC Ver [0xbb] [0x20] [0x20]
[ 1.571341] mms_ts 3-0048: [TSP] fw is latest. Do not update.
[ 1.583488] [__s5c73m3_probe:3818] S5C73M3 probe
[ 1.587089] [s5c73m3_sensor_probe_cb:3793] Entered
[ 1.591942] [s5c73m3_i2c_probe:3675] Entered
[ 1.596123] [s5c73m3_init_client:3381] Entered
[ 1.600579] [s5c73m3_i2c_probe:3695] Exit
[ 1.604608] [s5c73m3_sensor_probe:3726] Entered
[ 1.609095] [s5c73m3_spi_init:226] Entered
[ 1.613154] [s5c73m3_spi_probe:191] Entered
[ 1.617335] [s5c73m3_spi_probe:201] s5c73m3_spi successfully probed
[ 1.623561] [s5c73m3_sensor_probe : 3749] Probe_done!!
[ 1.672638] mmc0: No card detect facilities available
[ 1.682984] aat1290a_led_probe : Probe
[ 1.693850] msm_soc_platform_init
[ 1.697298] msm_afe_afe_probe
[ 1.843064] msm_asoc_pcm_new
[ 1.849748] msm_asoc_pcm_new
[ 2.023134] set_dload_mode <1> ( c00176d4 )
[ 2.052220] cypress_touchkey 16-0020: Touchkey FW Version: 0x06
[ 2.123851] init: /init.qcom.rc: 466: invalid command '/system/bin/log'
[ 2.129620] init: /init.qcom.rc: 573: ignored duplicate definition of service 'sdcard'
[ 2.137402] init: /init.qcom.rc: 586: ignored duplicate definition of service 'ftm_ptt'
[ 2.145490] init: /init.target.rc: 73: ignored duplicate definition of service 'thermald'
[ 2.154677] init: could not open /dev/keychord
[ 2.239951] init: Device Encryption status is (0)!!
[ 2.243705] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p15 (ext4):::::
[ 2.251823] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p15
[ 2.588921] init: [disk_config] ext_check ->ok
[ 2.611597] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p17 (ext4):::::
[ 2.617762] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p17
[ 2.655333] init: [disk_config] ext_check -> ok
[ 2.664947] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p11 (ext4):::::
[ 2.671081] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p11
[ 2.704532] init: [disk_config] ext_check -> ok
[ 3.259056] init: cannot find '/system/etc/install-recovery.sh', disabling 'flash_recovery'
[ 3.270471] init: cannot find '/system/bin/dmbserver', disabling 'dmb'
External UART log from battery-pull and reinsert
Code:
[1630] AST_POWERON
[ 0.000000] heap->name mm, mb->start c0000000
[ 0.000000] Reserving memory at address ea000000 size: 100000
[ 0.000000] sec_dbg_setup: [email protected]
[ 0.000000] sec_dbg_setup: secdbg_paddr = 0x88d90004
[ 0.000000] sec_dbg_setup: secdbg_size = 0x40000
[ 0.000000] etb_buf_setup: [email protected]
[ 0.000000] etb_buf_setup: secdbg_paddr = 0x8fffb9c0
[ 0.000000] etb_buf_setup: secdbg_size = 0x4000
[ 0.174484] rdev_init_debugfs: Error-Bad Function Input
[ 0.174851] AXI: msm_bus_fabric_init_driver(): msm_bus_fabric_init_driver
[ 0.176926] sec_debug_init: enable=0
[ 0.177445] sc_debug_iit: restat_reason 0xdf0086c
[ 0216206] [sm8960_int_cam:299]setting one!!
[ 0.217915 select_req_plan:ACPU PVS:Nominal
0.25206] i2c ic-14: Invaid 7-bit 2C addres 0x00
[ 0.25207] i2c i2-14: Can'tcreate deice at 0x0
[ 0252250] 2c i2c-19 Failed t register 2c clientcmc624 at0x38 (-16
[ 0252250] ic i2c-19: an't creae device t 0x38
[ 0.25243] rdev_iit_debugs: Error-Bd Functio Input
[ 0.25292] max895 19-0060:DVS modesdisabled ecause VI0 and VID do not hve propercontrols.
[ 0.29536] msmetm msm_em: ETM trcing is nt enable!
[ 0.35797] pm_rntime: fal to wakeupllcation tale not intialized
[ .362093] dmi_msm hmi_msm.1:external_ommon_stae_create:sysfs grop de39e60
[ 0.62734] Inide writeack_driverinit
[ 0.36285] Inside riteback_robe
[ 1.244803] TZCOM: unable to get bus clk
possible exploitations
Possible entry point MODEM - Someone with a JTAG setup test viability of modifying a single byte on /dev/block/mmcblk0p1
Possible entry point PARAMS - Samsung stores their boot parameters in PARAMS partition. It may be possible to modify PARAMS for insecure boot
Possible entry point BOOT - Modify CMDLINE parameter to load information from another location.
Possible entry point BOOT - We may be able to shove an insecure bootloader into memory, boot into that, and then use the recovery partition as our kernel partition. Bauwks 2nd U-Boot. U-Boot is available for the Exynos 4412, we need to find one for Qualcomm.
Possible entry point SYSTEM - It may be possible to use a 2nd init hack from this partition to load custom kernels into memory and reboot the kernel.
Current tasks
What do all of these partitions do?
Do we have a SDCard based recovery?
Where can we find an Odin3 CSC Flash?
Testing methods above is required
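Added example (my own code, not the OP's or abootimg's): a parser for the Android boot image header that abootimg summarises as bootimg.cfg in the OP. It builds a constructed image using the OP's page size, load addresses and cmdline, reports the section offsets, checks the embedded id hash, and measures how many bytes follow the last section, which is where any vendor signature blob would have to sit. The header layout is the v0 AOSP format; all function names are mine.

```python
import hashlib
import struct

# Android boot image header, version 0: the layout abootimg summarises in
# bootimg.cfg. Field values below are the OP's (pagesize 0x800, the four
# load addresses, the cmdline); the kernel/ramdisk bytes are constructed.
BOOT_MAGIC = b"ANDROID!"
HDR_FMT = "<8s10I16s512s32s"          # magic, 10 x u32, name, cmdline, id
HDR_SIZE = struct.calcsize(HDR_FMT)   # 608 bytes, padded out to one page
BOOT_ARGS_SIZE = 512


def _padded(n: int, page_size: int) -> int:
    """Length of an n-byte section after padding to whole pages."""
    return (n + page_size - 1) // page_size * page_size


def _pad(data: bytes, page_size: int) -> bytes:
    return data + b"\0" * (_padded(len(data), page_size) - len(data))


def _image_id(kernel: bytes, ramdisk: bytes, second: bytes) -> bytes:
    """mkbootimg's 'id': SHA-1 over each section followed by its u32 length.
    It is a plain hash, so it detects corruption, not tampering."""
    h = hashlib.sha1()
    for part in (kernel, ramdisk, second):
        h.update(part)
        h.update(struct.pack("<I", len(part)))
    return h.digest().ljust(32, b"\0")


def build_boot_img(kernel: bytes, ramdisk: bytes, second: bytes = b"", *,
                   page_size: int = 0x800, kernel_addr: int = 0x80208000,
                   ramdisk_addr: int = 0x81500000, second_addr: int = 0x81100000,
                   tags_addr: int = 0x80200100, name: bytes = b"",
                   cmdline: bytes = b"") -> bytes:
    """Assemble a v0 boot image the way mkbootimg does (no signature)."""
    if len(cmdline) > BOOT_ARGS_SIZE - 1:      # mkbootimg's own limit
        raise ValueError("cmdline longer than 511 bytes")
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC, len(kernel), kernel_addr,
                      len(ramdisk), ramdisk_addr, len(second), second_addr,
                      tags_addr, page_size, 0, 0, name, cmdline,
                      _image_id(kernel, ramdisk, second))
    return b"".join(_pad(p, page_size) for p in (hdr, kernel, ramdisk, second))


def parse_boot_img(blob: bytes) -> dict:
    """Decode the header into bootimg.cfg-style fields plus the section
    offsets, whether the embedded id matches, and how many bytes follow the
    last section (any vendor signature blob has to live there)."""
    if len(blob) < HDR_SIZE or blob[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (bad magic)")
    (_, ksz, kaddr, rsz, raddr, ssz, saddr, taddr, psz, _u0, _u1,
     name, cmdline, img_id) = struct.unpack_from(HDR_FMT, blob)
    if psz < HDR_SIZE or psz & (psz - 1):
        raise ValueError("implausible page size %#x" % psz)
    k_off = psz                                # page 0 holds the header
    r_off = k_off + _padded(ksz, psz)
    s_off = r_off + _padded(rsz, psz)
    end = s_off + _padded(ssz, psz)
    if end > len(blob):
        raise ValueError("section sizes run past the end of the image")
    recomputed = _image_id(blob[k_off:k_off + ksz], blob[r_off:r_off + rsz],
                           blob[s_off:s_off + ssz])
    return {
        "bootsize": len(blob), "pagesize": psz,
        "kerneladdr": kaddr, "ramdiskaddr": raddr,
        "secondaddr": saddr, "tagsaddr": taddr,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": cmdline.rstrip(b"\0").decode("ascii", "replace"),
        "kernel": (k_off, ksz), "ramdisk": (r_off, rsz), "second": (s_off, ssz),
        "trailing": len(blob) - end,
        "id_ok": recomputed == img_id,
    }


if __name__ == "__main__":
    # Constructed sample: 5000-byte "kernel", 3000-byte "ramdisk", the OP's
    # cmdline, then 256 filler bytes standing in for a vendor trailer.
    img = build_boot_img(b"K" * 5000, b"R" * 3000,
                         cmdline=b"console=null androidboot.hardware=qcom user_debug=31")
    img += b"S" * 256
    for key, val in parse_boot_img(img).items():
        print(f"{key} = {val:#x}" if key.endswith("addr") else f"{key} = {val}")
    bad = bytearray(img)
    bad[0x800] ^= 1                            # flip one kernel byte
    print("id_ok after tamper:", parse_boot_img(bytes(bad))["id_ok"])
```

The id field is only a SHA-1, so a rebuilt image with a recomputed id still passes this check; whether the device accepts it is decided by whatever signature check aboot applies to the partition, which this parser cannot see.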
You may want to try using Google Translate for the French website. I gave it a shot and it translates pretty well. See attached (sorry, I'm not a developer, but am trying to help in any way I can). You can also try this url, but you may need to re-enter yourself
http://translate.google.com/transla...tf=1&u=http://blast.darkphpbb.com/faq.php#f42
What I am looking into is the upload mode available in Odin. It has no signature checks from what I can tell. Also, do you mean a stock Odin file, which we do have?
Sent from my SCH-I535 using Tapatalk 2
Adam, appreciate you keeping us up to date. As an electrical/systems engineer the journey is a great learning experience for me and all.
I'm not sure if you've come across this document. It talks about the MSM7xxx series security capabilities. I couldn't find one for the MSM8xxx, but this may give some insight into how Qualcomm approaches security.
MSM7xxx
Edit: Looks like you are aware of the concepts from your reference about IBL,PBL,SBL.
Not sure if this will be any help, but found this regarding the blast kernel:
http://www.anyclub.org/2012/06/how-to-add-more-physical-ram-memory.html
how to add more physical RAM memory section to Blast Kernel in the MDM9200/MDM9600
Blast Kernel has the capability to take more than one contiguous physical RAM space (section) and use it for its own system memory. In order to add more RAM mem section to Blast, the customer needs to modify the blast_config.c file.
Here is the example of adding 4MB additional RAM mem section.
In blast_config.c,
struct phys_mem_pool_config pool_configs[] __attribute__((weak)) = {
{"DEFAULT_PHYSPOOL", //name
{
{0x00c00000, 0x02f00000}, // 47MB, the first mem section
{0x00700000, 0x00400000} // adding 4MB, QC default value is {0}
}
},
In this example, additional 4MB is added starting from 0x700000 physical address offset.
Please note the start address has to be physical address.
By adding the second mem section, the Blast Kernel can now use 51MB in total, while it used only 47MB before adding the 4MB mem section.
Found this http://code.google.com/p/blastkernel/ (locked down though, I couldn't get access) which was linked from here (also in French but translated through Google) but I'm unsure as to if it is related to the blastkernel you are looking for as all the links for the source code are now broken.
Also, while looking through the vz source I found that the person responsible for a lot of the vzw specific code also helped to develop this http://www.uclinux.org/ so maybe some of that source might be of some help too.
There are relatively large pins between the processor and the other larger chip on the back side of the board. I'm not sure what I'm looking at, but it's definitely communications of some kind. These were taken with the battery out of the device when plugged into USB. Each set starts a new unplug-plugin sequence.
This is from another pin on the back. As soon as plugged in, a series of 2's come out at 115200BPS:
Code:
22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222
Here's another one:
Code:
2"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""�
All of these were located between the processor and SDCard. I must examine these better. In particular, there are two points at the corner of the processor just above where my needle is located in this picture.
Code:
U��UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU�UUU��JUU��UUUU��UUU��Z���UUUU���UUUUU���UUUUUU���UUUU���UUUUUUٙ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
These points seem to be what I'm looking for as far as UART goes. Especially that last one. It moves just as you'd expect start-up checks to move, random strings of characters... While not intelligible in the above, after figuring out the bitrate I'm sure something will come through.
I need to analyze the bitrate at this point. I'm quitting for the night though.
I am at the wrong baud rate, but I think I pulled up some valuable boot data from the processor.
Just a sidenote - some of these testpoints might be CLK/PWM signals, the one with the series of "2222" seems like this.
Also - if UART coming out of FSA muxer is 115200bps - the same debug line, on testpoint before FSA must be as well 115200bps. Unless bootloader output goes to other port with different baud rate, which sounds unlikely.
Rebellos said:
Just a sidenote - some of these testpoints might be CLK/PWM signals, the one with the series of "2222" seems like this.
Also - if UART coming out of FSA muxer is 115200bps - the same debug line, on testpoint before FSA must be as well 115200bps. Unless bootloader output goes to other port with different baud rate, which sounds unlikely.
You're right about the 2's.. it's probably a sync signal or something....ie...
Code:
00000010
However, I don't believe the UART is all consistent. Here's my reasoning. Samsung does not control the processor or the initial bootloader on the processor. I've spoken to some engineers and they are frustrated because things must be sent to Qualcomm to get work done on the bootloaders. It's highly likely that they simply change the bps of the UART to match the Samsung standard.
Thanks to Josh Groce at MobileTechVideos for the heads up on this trick: I was able to mount the Qualcomm Modem partition which I also believe to be the PBL as a FAT partition
Code:
[email protected]:~/Desktop/VZWGS3$ sudo mount ./0p1 ./p1
[email protected]:~/Desktop/VZWGS3$ ls -l ./p1
total 16
drwxr-xr-x 2 root root 16384 Jul 5 2011 image
[email protected]:~/Desktop/VZWGS3$ ls -l ./p1/image
total 42464
-rwxr-xr-x 1 root root 244 Jun 15 08:33 dsps.b00
-rwxr-xr-x 1 root root 160 Jun 15 08:33 dsps.b01
-rwxr-xr-x 1 root root 147456 Jun 15 08:33 dsps.b02
-rwxr-xr-x 1 root root 31872 Jun 15 08:33 dsps.b03
-rwxr-xr-x 1 root root 6220 Jun 15 08:33 dsps.b04
-rwxr-xr-x 1 root root 13824 Jun 15 08:33 dsps.b05
-rwxr-xr-x 1 root root 404 Jun 15 08:33 dsps.mdt
-rwxr-xr-x 1 root root 180 Jun 15 07:50 dxhdcp2.b00
-rwxr-xr-x 1 root root 6520 Jun 15 07:50 dxhdcp2.b01
-rwxr-xr-x 1 root root 135168 Jun 15 07:50 dxhdcp2.b02
-rwxr-xr-x 1 root root 2100 Jun 15 07:50 dxhdcp2.b03
-rwxr-xr-x 1 root root 6700 Jun 15 07:50 dxhdcp2.mdt
-rwxr-xr-x 1 root root 308 Jun 15 08:33 modem.b00
-rwxr-xr-x 1 root root 6600 Jun 15 08:33 modem.b01
-rwxr-xr-x 1 root root 21960368 Jun 15 08:33 modem.b02
-rwxr-xr-x 1 root root 4962049 Jun 15 08:33 modem.b03
-rwxr-xr-x 1 root root 1358104 Jun 15 08:33 modem.b04
-rwxr-xr-x 1 root root 72208 Jun 15 08:33 modem.b06
-rwxr-xr-x 1 root root 707124 Jun 15 08:33 modem.b07
-rwxr-xr-x 1 root root 1044 Jun 15 08:25 modem_f1.b00
-rwxr-xr-x 1 root root 7060 Jun 15 08:25 modem_f1.b01
-rwxr-xr-x 1 root root 2676 Jun 15 08:25 modem_f1.b02
-rwxr-xr-x 1 root root 954800 Jun 15 08:25 modem_f1.b03
-rwxr-xr-x 1 root root 575208 Jun 15 08:25 modem_f1.b04
-rwxr-xr-x 1 root root 246484 Jun 15 08:25 modem_f1.b05
-rwxr-xr-x 1 root root 94208 Jun 15 08:25 modem_f1.b06
-rwxr-xr-x 1 root root 13568 Jun 15 08:25 modem_f1.b07
-rwxr-xr-x 1 root root 11212 Jun 15 08:25 modem_f1.b08
-rwxr-xr-x 1 root root 9548 Jun 15 08:25 modem_f1.b09
-rwxr-xr-x 1 root root 68223 Jun 15 08:25 modem_f1.b10
-rwxr-xr-x 1 root root 113468 Jun 15 08:25 modem_f1.b13
-rwxr-xr-x 1 root root 164412 Jun 15 08:25 modem_f1.b14
-rwxr-xr-x 1 root root 3604 Jun 15 08:25 modem_f1.b21
-rwxr-xr-x 1 root root 28156 Jun 15 08:25 modem_f1.b22
-rwxr-xr-x 1 root root 19136 Jun 15 08:25 modem_f1.b23
-rwxr-xr-x 1 root root 74360 Jun 15 08:25 modem_f1.b25
-rwxr-xr-x 1 root root 49740 Jun 15 08:25 modem_f1.b26
-rwxr-xr-x 1 root root 84476 Jun 15 08:25 modem_f1.b29
-rwxr-xr-x 1 root root 1064 Jun 15 08:25 modem_f1.fli
-rwxr-xr-x 1 root root 8104 Jun 15 08:25 modem_f1.mdt
-rwxr-xr-x 1 root root 1044 Jun 15 08:25 modem_f2.b00
-rwxr-xr-x 1 root root 7060 Jun 15 08:25 modem_f2.b01
-rwxr-xr-x 1 root root 2676 Jun 15 08:25 modem_f2.b02
-rwxr-xr-x 1 root root 955792 Jun 15 08:25 modem_f2.b03
-rwxr-xr-x 1 root root 579032 Jun 15 08:25 modem_f2.b04
-rwxr-xr-x 1 root root 239892 Jun 15 08:25 modem_f2.b05
-rwxr-xr-x 1 root root 94208 Jun 15 08:25 modem_f2.b06
-rwxr-xr-x 1 root root 13568 Jun 15 08:25 modem_f2.b07
-rwxr-xr-x 1 root root 11212 Jun 15 08:25 modem_f2.b08
-rwxr-xr-x 1 root root 9580 Jun 15 08:25 modem_f2.b09
-rwxr-xr-x 1 root root 68223 Jun 15 08:25 modem_f2.b10
-rwxr-xr-x 1 root root 116188 Jun 15 08:25 modem_f2.b13
-rwxr-xr-x 1 root root 158012 Jun 15 08:25 modem_f2.b14
-rwxr-xr-x 1 root root 3604 Jun 15 08:25 modem_f2.b21
-rwxr-xr-x 1 root root 28156 Jun 15 08:25 modem_f2.b22
-rwxr-xr-x 1 root root 19200 Jun 15 08:25 modem_f2.b23
-rwxr-xr-x 1 root root 74360 Jun 15 08:25 modem_f2.b25
-rwxr-xr-x 1 root root 49756 Jun 15 08:25 modem_f2.b26
-rwxr-xr-x 1 root root 84476 Jun 15 08:25 modem_f2.b29
-rwxr-xr-x 1 root root 1064 Jun 15 08:25 modem_f2.fli
-rwxr-xr-x 1 root root 8104 Jun 15 08:25 modem_f2.mdt
-rwxr-xr-x 1 root root 6908 Jun 15 08:33 modem.mdt
-rwxr-xr-x 1 root root 276 Jun 15 08:24 q6.b00
-rwxr-xr-x 1 root root 6580 Jun 15 08:24 q6.b01
-rwxr-xr-x 1 root root 3447760 Jun 15 08:24 q6.b03
-rwxr-xr-x 1 root root 1653278 Jun 15 08:24 q6.b04
-rwxr-xr-x 1 root root 757840 Jun 15 08:24 q6.b05
-rwxr-xr-x 1 root root 14472 Jun 15 08:24 q6.b06
-rwxr-xr-x 1 root root 6856 Jun 15 08:24 q6.mdt
-rwxr-xr-x 1 root root 180 Jun 15 07:50 tzapps.b00
-rwxr-xr-x 1 root root 6520 Jun 15 07:50 tzapps.b01
-rwxr-xr-x 1 root root 503808 Jun 15 07:50 tzapps.b02
-rwxr-xr-x 1 root root 452 Jun 15 07:50 tzapps.b03
-rwxr-xr-x 1 root root 6700 Jun 15 07:50 tzapps.mdt
-rwxr-xr-x 1 root root 212 Jun 15 07:44 wcnss.b00
-rwxr-xr-x 1 root root 140 Jun 15 07:44 wcnss.b01
-rwxr-xr-x 1 root root 8360 Jun 15 07:44 wcnss.b02
-rwxr-xr-x 1 root root 1778532 Jun 15 07:44 wcnss.b04
-rwxr-xr-x 1 root root 352 Jun 15 07:44 wcnss.mdt
[email protected]:~/Desktop/VZWGS3$
tz - is the trustzone, normal qualcomm
cache - should not be the dalvik cache, dalvik cache should be on the userdata partition from now on. (Could be wrong, don't have the device). Cache should be almost strictly for updates and recovery use now.
boot itself is signed, not the zImage.
I believe hopping on the developer device is a better option, not only is it made for such, it's also not purchasing a phone within Verizon's sales network (my favorite part of it all)
But Google slapped on the GPLv3 I believe. And since GPL allows multiple licenses then the TIVO clause would still apply. Correct me if I am wrong.
Adam you may want to look at this its found in otacert.zip in this folder
http://db.tt/f4QYrK8x
Sent from my SCH-I535 using Tapatalk 2
In the uart dump in the op, the line stamped at 1.57 seems interesting. Looks like the modem (assuming that's still where the activity is going on then) is checking firmware. Makes me think that there might be something there that could be captured. I wonder where it is confirming the fw is updated.
This might not be useful, but it seems interesting.
Sent from my SCH-I535 using Xparent ICS Tapatalk 2
Why not try the Samsung flash utility instead of Odin.
Sent from my SCH-I535 using Tapatalk 2
tpike said:
In the uart dump in the op, the line stamped at 1.57 seems interesting. Looks like the modem (assuming that's still where the activity is going on then) is checking firmware.
Usually the firmware is loaded and checked in modem by modem RTOS kernel. But I don't know what modem (BP/CP) is used in the Verizon S3...
Errata to OP:
/efs partition on Qualcomm models is as far as I know empty (not used)
AdamLange said:
Errata to OP:
/efs partition on Qualcomm models is as far as I know empty (not used)
Many people on the forums here have stated IMEI information is stored in a file within /efs (at least on GSM models?) but I can't confirm myself.
There are several threads about attempting to restore lost IMEIs that might have more info.
papi92 said:
Adam you may want to look at this its found in otacert.zip in this folder
http://db.tt/f4QYrK8x
Sent from my SCH-I535 using Tapatalk 2
That's just the public key VZW uses to sign updates. Not of use to us.
I was playing around with Odin3. I'm a Linux guy so this was exploration for me.... I was able to make my own Odin package with signed Samsung images under Linux and flash it with Odin3 under Windows.
Code:
[email protected]:~/Desktop/Untitled Folder$ tar -cf OdinCustom.tar recovery.img boot.img
[email protected]:~/Desktop/Untitled Folder$ md5sum -t OdinCustom.tar >> OdinCustom.tar
[email protected]:~/Desktop/Untitled Folder$ mv ./OdinCustom.tar ./OdinCustom.tar.md5
[email protected]:~/Desktop/Untitled Folder$
The first command creates a TAR (Tape ARchive format) of a recovery.img and a boot.img in a file called OdinCustom.tar. The second command appends the MD5 to the end of the package. The third command renames it to OdinCustom.tar.md5. The resulting file is flashable by Odin.
This could prove useful if we can find another Qualcomm device which has a bootloader signed by Samsung.
Also, Odin3 has a cool inf file which can be modified to change the title and characteristics of Odin3 http://i49.tinypic.com/352q7t0.png
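Added example (my own code, not the poster's): the three-command recipe above, done in memory, plus the check Odin performs on the other end. A .tar.md5 is a plain tar with the `md5sum -t` line appended, so verification means splitting that last line off, recomputing MD5 over the tar body, and comparing; the image contents here are constructed placeholders and all function names are mine.

```python
import hashlib
import io
import tarfile

# Odin's .tar.md5 format as built on the page: a plain tar archive with the
# output of `md5sum` over that tar appended as its last line. The image
# contents used below are constructed placeholders, not real partition images.
HEX_DIGITS = set("0123456789abcdef")


def build_odin_package(files: dict, tar_name: str = "OdinCustom.tar") -> bytes:
    """tar -cf <tar_name> <files>; md5sum -t <tar_name> >> <tar_name>, in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    tar_bytes = buf.getvalue()
    digest = hashlib.md5(tar_bytes).hexdigest()
    return tar_bytes + f"{digest}  {tar_name}\n".encode("ascii")


def verify_odin_package(blob: bytes) -> dict:
    """Split the trailer off, recompute the MD5 over the tar body, and list
    the members. A tar always ends in NUL padding and the md5sum line never
    contains a NUL, so the trailer starts right after the last NUL byte."""
    body_len = blob.rfind(b"\0") + 1
    body, trailer = blob[:body_len], blob[body_len:]
    text = trailer.decode("ascii", "replace").strip()
    # md5sum prints "<32 hex>  <name>" in text mode and "<32 hex> *<name>" in
    # binary mode; accept both separators.
    expected, sep, name = text[:32], text[32:34], text[34:]
    well_formed = (sep in ("  ", " *") and len(expected) == 32
                   and set(expected.lower()) <= HEX_DIGITS and name != "")
    actual = hashlib.md5(body).hexdigest()
    try:
        with tarfile.open(fileobj=io.BytesIO(body), mode="r:") as tar:
            members = [m.name for m in tar.getmembers()]
    except tarfile.TarError:
        members = []
    return {
        "name": name if well_formed else None,
        "expected_md5": expected.lower() if well_formed else None,
        "actual_md5": actual,
        "md5_ok": well_formed and expected.lower() == actual,
        "members": members,
    }


if __name__ == "__main__":
    # Constructed stand-ins for the two images packaged on the page.
    pkg = build_odin_package({"boot.img": b"ANDROID!" + b"K" * 4096,
                              "recovery.img": b"ANDROID!" + b"R" * 2048})
    print(verify_odin_package(pkg))
    damaged = bytearray(pkg)
    damaged[600] ^= 0xFF                 # corrupt one byte inside boot.img
    print("md5_ok after corruption:", verify_odin_package(bytes(damaged))["md5_ok"])
```

The MD5 trailer only catches transfer corruption; anyone can recompute it for any tar, so it says nothing about whether the images inside carry a valid Samsung signature, which is what the device-side check looks at.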
I found something in the Qualcomm bootloader (first partition which is a fat32 and appears to be unsigned) in the tzapps.b02 file which may or may not be of use. apparently they are looking for something called "/file/file.dat" and it contains dummy data for executive test suite. May be a possible exploit.
Also, this is a very important excerpt from the Qualcomm manual mentioned earlier... http://www.scribd.com/doc/51789612/80-V9038-15-APPLICATION-NOTE-MSM7XXX-QFUSES-AND-SECURITY
Code:
The PBL performs the following functions during a cold boot:
■Performs the minimal hardware setup required for PBL execution
■Reads off-chip boot configuration data from the flash memory
■Processes configuration data setting up clocks and memory access based on this data
■Loads the QCSBL image from the flash memory into the RAM
■Authenticates the QCSBL image if authentication is enabled
■Branches execution to the QCSBL image
Reads off-chip boot configuration data from the flash memory!
I spent a lot of time tonight looking at the individual files on the MODEM partition. I got nowhere except to possibly add a test file I mentioned above. It was a lot of data to go through. that MODEM is 60 megs!
So, I started looking at the SBL1 file. Now, it appears that this file runs linearly and tells a story as it goes through...
Code:
[email protected]:~/Desktop/VZWGS3$ strings ./0p2|head -n 200
: 2q
: 4q
`" 2q
: 4q
: 4q
(R '
(R '
(R '
~}|{zyxwvvutsrqqponnmllkjjihhgffeddccbaa``__^^]]\\[[ZZYYXXWWVVUUUTTSSRRRQQPPPOOONNMMMLLLKKKJJJIIIHHHGGGGFFFEEEDDDDCCCCBBBBAAA
/!(
/!(0
/!(0
/!(
SDCC4 HAL v2.0.1
boot_error_handler.c
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
boot_pbl_authenticator.c
boot_clobber_prot.c
boot_clobber_prot_local.c
boot_clobber_prot.c
boot_clobber_prot_local.c
boot_config.c
boot_config.c
*Image Loaded by %s, Start on 0x%x
Data Abort
boot_mc.c
boot_error_handler.c
*BOOT
SCL_SBL1_STACK_BASE-SCL_SBL1_STACK_SIZE
boot_error_handler.c
boot_flash_dev_if.c
boot_flash_dev_if.c
boot_flash_dev_if.c
boot_flash_dev_sdcc_if.c
boot_flash_dev_sdcc_if.c
boot_flash_dev_sdcc.c
boot_flash_init, Start
boot_flash_init, Delta
boot_flash_target.c
boot_flash_trans_sdcc.c
*[email protected]
boot_flash_trans_sdcc.c
boot_fota_restore_partition, Start
boot_fota_restore_partition, Delta
boot_fota_restore_partition, Start
restore_fota_partition fail
boot_fota_restore_partition, Delta
boot_error_handler.c
boot_error_handler.c
boot_loader.c
*[email protected]
*[email protected]
boot_pbl_authenticator.c
boot_pbl_v1.c
boot_pbl_v1.c
boot_pbl_v1.c
Prefetch Abort
boot_error_handler.c
boot_rollback_version.c
boot_flash_dev_sdcc.c
boot_error_handler.c
Undefined
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_sdcc_hotplug.c
EFI PART
%sp%lu
%sh%d
%s%c%lu
*[email protected]
boot_sdcc_hotplug.c
boot_sdcc_hotplug.c
read fail
*hdev open fail: fota
hdev open fail: dest
size fail: src
size fail: too big
read fail: src
read fail: dest
write fail: signature clear
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*|@-
boot_sdcc_hotplug.c
%sp%lu
*[email protected]
*[email protected]
SBL1, End
SBL1, Delta
*[email protected]
sbl1_check_device_temp, Start
sbl1_check_device_temp, Delta
sbl1_hw.c
sbl1_hw_init, Start
sbl1_hw_init, Delta
*SBL1, Start
scatterload_region && ram_init, Start
*scatterload_region && ram_init, Delta
sbl1_mc.c
sbl1_mc.c
*[email protected]
*[email protected]
*[email protected]
*{%u}
n;^
Qkkbal
i]Wb
9a&g
MGiI
wn>Jj
#.zf
+o*7
[email protected]
[email protected]
SBL2 Image Loaded, Delta
SBL1
DSP1
RAMFS1
SBL2
DSP2
RAMFS2
SBL3
ADSP_Q5
NONE
NANDPRG
NORPRG
HASH
QCSBL
FSBL
OSBL
APPSBL
OEM_SBL
EHOSTDL
APPS_KERNEL
BACKUP_RAMFS
APPS
AMSS
SSD_KEYS
fs_hotplug_api.c
Assertion phy_hdev != NULL failed
boot_flash_trans_sdcc
boot_flash_trans_sdcc_factory
boot_flash_dev_sdcc
HAL_SBI_SSBI_V2_PMIC_ARBITER
fs_hotplug_iter.c
Assertion 0 failed
fs_hotplug_legacy_hdev.c
Assertion phy_hdev->legacy_hdev != NULL failed
fs_hotplug_partition.c
Assertion parti->is_locked == 0 failed
Assertion parti->is_formatting == 0 failed
Assertion parti->is_locked == 1 failed
Assertion parti->is_formatting == 1 failed
Assertion parti->ref_cnt >= 1 failed
Assertion hdev_name != NULL failed
Assertion parti != NULL failed
fs_hotplug_dev_state.c
Assertion phy_hdev->dev_state == HPDEV_UNDISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_DISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED || phy_hdev->dev_state == HPDEV_LOCKED || phy_hdev->dev_state == HPDEV_FORMATTING || phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_MOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED failed
fs_hotplug_poll.c
Assertion phy_hdev->bdev_handle == NULL failed
Assertion phy_hdev->parti_list == NULL failed
Assertion phy_hdev->hdev_list == NULL failed
fs_blockdev_devnull_driver.c
Assertion devnull_ops != NULL failed
/hdev/dev.null
BDEV_DEVNULL_DRIVER
BDEV_SD_DRIVER
/hdev/sdc1
/hdev/sdc2
/hdev/sdc3
/hdev/sdc4
fs_blockdev_sd_driver.c
Assertion sdcc_ops != NULL failed
fs_hotplug_parser.c
Assertion blk_cnt != 0 failed
fs_blockdev_sd.c
Assertion sd_data != NULL failed
Assertion handle != NULL failed
Assertion sdcc_handle != NULL failed
Assertion bytes_per_block != NULL failed
Assertion blocks != NULL failed
Assertion bdev != NULL failed
Assertion dev->driveno < max_sd_slots failed
@@@@@@@@@[email protected]@@@@@@@@@@@@@@@@@
Format: Log Type - Time(microsec) - Message
Log type: B - since boot(excluding boot rom). D - delta
OVERFLOW
........
Particularly "boot_fota_restore_partition, Start". It looks like one of the first things the GS3 does is check for information to be updated on the FOTA partition. Whatever it chooses to do, it performs security checks on the size, and a few other things.
I believe it then loads SBL2, as the rest of the partitions do not have this message: "SBL2 Image Loaded, Delta".
SBL2:
Code:
[email protected]:~/Desktop/VZWGS3$ strings ./0p3
SVC: R1-R14
FIQ:R13-R14
IRQ:R13-R14
UND:R13-R14
ABT:R13-R14
SYS:R13-R14
[email protected]
K{DiF
K{DiF
D(b(F
hu)AF
019Ud
3F*[email protected]
G [email protected]
&_F F
h/F F
fJF)F F&`NF
F 9"
pJpO
: 4q
: 6q
: 8q
! 6q
`" 2q
: 4q
pG hJ
G [email protected]
bNE
G [email protected]
G [email protected]
j8D b F
02:Ud
3F*[email protected]
CreT
#L|D
!L|D
F)F F
5EC/
x0(
02bUm
#\b\cTI
FAF F
F!h
b h
G jv
G [email protected]
G [email protected]
,pp
2F!F
G [email protected]
1JzD
2FhF
2FiF
: 4q
: 6q
: 8q
bF9FN
RAIAK
bF9FN
RAIAK
bF9FN
~}|{zyxwvvutsrqqponnmllkjjihhgffeddccbaa``__^^]]\\[[ZZYYXXWWVVUUUTTSSRRRQQPPPOOONNMMMLLLKKKJJJIIIHHHGGGGFFFEEEDDDDCCCCBBBBAAA
! 3[B
[email protected]
[email protected]
SDCC4 HAL v2.0.1
pGxG
.boot_error_handler.c
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
.boot_auth_if.c
.boot_auth_if.c
.boot_sbl_authenticator.c
.boot_clobber_prot.c
.boot_clobber_prot_local.c
boot_clobber_prot.c
boot_clobber_prot_local.c
boot_config_data_table_init, Start
.boot_config_data_table_init, Delta
.boot_config.c
.boot_config.c
.Image Loaded by %s, Start on 0x%x
Data Abort
Ufw}3{
O*2PC~
[email protected]
.boot_mc.c
.0:ALL
.boot_error_handler.c
.BOOT
SCL_SBL2_STACK_BASE-SCL_SBL2_STACK_SIZE
.boot_error_handler.c
.boot_flash_dev_if.c
.boot_flash_dev_if.c
.boot_flash_dev_if.c
.boot_flash_dev_sdcc_if.c
.boot_flash_dev_sdcc_if.c
.boot_flash_dev_sdcc.c
boot_flash_init, Start
boot_flash_init, Delta
.boot_flash_target.c
.boot_flash_trans_sdcc.c
[email protected]
.boot_flash_trans_sdcc.c
.boot_hash.c
.boot_hash_if.c
.boot_hash_if.c
.boot_sys_loader.c
.boot_error_handler.c
.boot_error_handler.c
.boot_loader.c
.boot_loader.c
.boot_logger_ram.c
[email protected]
[email protected]
BRPMSignal SBL1 to Jump to RPM FW
.boot_sys_loader.c
.boot_pbl_v1.c
.boot_pbl_v1.c
.boot_pbl_v1.c
.boot_pbl_v1.c
Prefetch Abort
.boot_error_handler.c
.boot_rollback_version.c
.boot_sbl_authenticator.c
.boot_flash_dev_sdcc.c
[email protected]
.boot_ddr_info.c
.boot_sbl_authenticator.c
.boot_error_handler.c
Undefined
[email protected]
[email protected]
[email protected]
[email protected]
RDDL
Testing DDR Read/Write.
.Testing DDR Read/Write: Memory map.
Testing DDR Read/Write: Data lines.
Testing DDR Read/Write: Address lines.
Testing DDR Read/Write: Own-address algorithm.
Testing DDR Read/Write: Walking-ones algorithm.
Testing DDR Deep Power Down.
Testing DDR Deep Power Down: Entering deep power down.
Testing DDR Deep Power Down: In deep power down.
Testing DDR Deep Power Down: Exiting deep power down.
Testing DDR Deep Power Down: Read/write pass.
Testing DDR Self Refresh.
.Testing DDR Self Refresh: Write pass.
Testing DDR Self Refresh: Read pass.
Testing DDR Self Refresh: Entering self refresh.
Testing DDR Self Refresh: In self refresh.
Testing DDR Self Refresh: Exiting self refresh.
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
[email protected]
.CDT
.Error: Platform ID EEPROM is not programmed
boot_config_data.c
.boot_sdcc_hotplug.c
[email protected]
EFI PART
%sp%lu
%sh%d
%s%c%lu
[email protected]
.boot_sdcc_hotplug.c
.boot_sdcc_hotplug.c
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
.|@-
.boot_sdcc_hotplug.c
%sp%lu
[email protected]
[email protected]
[email protected]
0!0
[email protected]
RPM loading is successful.
cancel RPM loading!
SBL2, End
SBL2, Delta
.sbl2_hw.c
sbl2_hw_init, Start
sbl2_hw_init, Delta
sbl2_hw_init_secondary, Start
h/w version : %d
sbl2_hw_init_secondary, Delta
.SBL2, Start
scatterload_region & ram_init, Start
.scatterload_region & ram_init, Delta
.sbl2_mc.c
sbl2_retrieve_shared_info_from_sbl1, Start
.sbl2_retrieve_shared_info_from_sbl1, Delta
.sbl2_mc.c
[email protected]
.sbl2_config.c
[email protected]
.boot_hash.c
[email protected]
[email protected]
[email protected]
[email protected]
.SHA256
[email protected]
LOGM
.{%u}
Tz Execution, Start
Tz Execution, Delta
pG B
0pGO
!pGO
sbl2_ddr_init
DalEnv
TargetCfg
SHA1
DEBUG
SW_ID
HW_ID
OEM_ID
SHA256
n;^
Qkkbal
i]Wb
9a&g
MGiI
wn>Jj
#.zf
+o*7
DEV_SDC1
DEV_SDC2
DEV_SDC3
DEV_SDC4
CHAN_SDC1
CHAN_SDC2
CHAN_SDC3
CHAN_SDC4
[email protected]
[email protected]
SBL3 Image Loaded, Delta
RPM Image Loaded, Delta
TZ Image Loaded, Delta
boot_auth
boot_hash
SBL1
DSP1
RAMFS1
SBL2
DSP2
RAMFS2
SBL3
ADSP_Q5
NONE
NANDPRG
NORPRG
HASH
QCSBL
FSBL
OSBL
APPSBL
OEM_SBL
EHOSTDL
APPS_KERNEL
BACKUP_RAMFS
APPS
AMSS
SSD_KEYS
fs_hotplug_api.c
Assertion phy_hdev != NULL failed
boot_flash_trans_sdcc
boot_flash_trans_sdcc_factory
boot_flash_dev_sdcc
fs_hotplug_iter.c
Assertion 0 failed
fs_hotplug_legacy_hdev.c
Assertion phy_hdev->legacy_hdev != NULL failed
fs_hotplug_partition.c
Assertion parti->is_locked == 0 failed
Assertion parti->is_formatting == 0 failed
Assertion parti->is_locked == 1 failed
Assertion parti->is_formatting == 1 failed
Assertion parti->ref_cnt >= 1 failed
Assertion hdev_name != NULL failed
Assertion parti != NULL failed
fs_hotplug_dev_state.c
Assertion phy_hdev->dev_state == HPDEV_UNDISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_DISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED || phy_hdev->dev_state == HPDEV_LOCKED || phy_hdev->dev_state == HPDEV_FORMATTING || phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_MOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED failed
fs_hotplug_poll.c
Assertion phy_hdev->bdev_handle == NULL failed
Assertion phy_hdev->parti_list == NULL failed
Assertion phy_hdev->hdev_list == NULL failed
fs_blockdev_devnull_driver.c
Assertion devnull_ops != NULL failed
/hdev/dev.null
BDEV_DEVNULL_DRIVER
BDEV_SD_DRIVER
/hdev/sdc1
/hdev/sdc2
/hdev/sdc3
/hdev/sdc4
fs_blockdev_sd_driver.c
Assertion sdcc_ops != NULL failed
fs_hotplug_parser.c
Assertion blk_cnt != 0 failed
fs_blockdev_sd.c
Assertion sd_data != NULL failed
Assertion handle != NULL failed
Assertion sdcc_handle != NULL failed
Assertion bytes_per_block != NULL failed
Assertion blocks != NULL failed
Assertion bdev != NULL failed
Assertion dev->driveno < max_sd_slots failed
@@@@@@@@@[email protected]@@@@@@@@@@@@@@@@@
Format: Log Type - Time(microsec) - Message
Log type: B - since boot(excluding boot rom). D - delta
OVERFLOW
AT24C128BN
:Hg~
D{L0
*gRn
0D,l}
b=Fe-+
gW6y
South Korea1
Suwon City1
Samsung Corporation1
DMC1#0!
Samsung AttestationCA cert1%0#
[email protected]
120614224636Z
320609224636Z0
KR1!0
Samsung Attestation CERT1
Suwon City1
Samsung Corporation1
South Korea1
04 0000 OEM_ID1%0#
[email protected]
05 0001E0C8 SW_SIZE1
06 0000 MODEL_ID1
07 0001 SHA2561"0
01 0000000000000005 SW_ID1"0
02 006B10E100000000 HW_ID1"0
03 0000000000000000 DEBUG0
y$_$
[OLW'}
Q^<T
&#xk#
z0x0:
3010/
)http://crl.qdst.com/crls/qctdevattest.crl0
6p5o
%e>I`
<dQ=#
South Korea1
Suwon City1
Samsung Corporation1
DMC1
Samsung Root CA cert1%0#
[email protected]
120412114438Z
320407114438Z0
South Korea1
Suwon City1
Samsung Corporation1
DMC1#0!
Samsung AttestationCA cert1%0#
[email protected]
&bMb
%pWj\
`0^0
#7ie
?f{M
South Korea1
Suwon City1
Samsung Corporation1
DMC1
Samsung Root CA cert1%0#
[email protected]
120412114438Z
320407114438Z0
South Korea1
Suwon City1
Samsung Corporation1
DMC1
Samsung Root CA cert1%0#
[email protected]
U)_|e}f
^AZp
<0:0
v)BT
zd0u
=j[P
As for SBL2: it looks like it starts up, performs security checks, then it can jump to the "RPM" partition ("RPM loading is successful.", "cancel RPM loading!", ".BRPM", "Signal SBL1 to Jump to RPM FW"). This may be Odin, or some other undiscovered mode, I'm not sure yet, and it looks like "ABOOT" is actually Odin's partition... What is RPM?
It then executes "TZ" or "Trust Zone", which I need to do some reading on...
More to come later. It's late and I need to get some rest.
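The SBL2 strings dump above also contains the attribute fields of the signing certificate embedded in the image (the lines of the form "02 006B10E100000000 HW_ID", "03 0000000000000000 DEBUG", and so on). As an added example, not code from this thread or from Samsung/Qualcomm, here is a small Python parser that pulls those fields out and cross-checks them against each other. The sample input is the seven attribute strings copied from the dump with the ASN.1 length bytes that `strings` glued onto them stripped off. The split of HW_ID into a SoC ID, an OEM ID and a model ID follows Qualcomm's secure-boot certificate convention and is an assumption, not something the thread states; the consistency check only uses the fields visible above.

```python
import re

# Constructed sample input: the OU-style attribute strings from the SBL2 strings
# dump, trimmed of the trailing ASN.1 length bytes ("1%0#", '1"0', "0") that
# `strings` appended to each of them.
SBL2_OU_STRINGS = [
    "04 0000 OEM_ID",
    "05 0001E0C8 SW_SIZE",
    "06 0000 MODEL_ID",
    "07 0001 SHA256",
    "01 0000000000000005 SW_ID",
    "02 006B10E100000000 HW_ID",
    "03 0000000000000000 DEBUG",
]

# "NN HEXVALUE NAME": a two-digit attribute index, a hex value, the attribute name.
OU_ATTR_RE = re.compile(r"^(\d{2})\s+([0-9A-Fa-f]+)\s+([A-Z0-9_]+)$")


def parse_ou_attributes(lines):
    """Parse 'NN HEX NAME' attribute strings into {NAME: int}.

    Lines that do not match (ordinary DN fields such as 'Samsung Corporation1'
    or 'Suwon City1') are skipped rather than treated as errors.
    """
    attrs = {}
    for line in lines:
        m = OU_ATTR_RE.match(line.strip())
        if m:
            _idx, hexval, name = m.groups()
            attrs[name] = int(hexval, 16)
    return attrs


def split_hw_id(hw_id):
    """Split a 64-bit HW_ID into (soc_id, oem_id, model_id).

    Assumption (Qualcomm secure-boot attribute layout, not stated in the thread):
    upper 32 bits = SoC ID, next 16 bits = OEM ID, low 16 bits = model ID.
    """
    return (hw_id >> 32) & 0xFFFFFFFF, (hw_id >> 16) & 0xFFFF, hw_id & 0xFFFF


def check_image_cert(attrs):
    """Return a list of findings; an empty list means the fields are self-consistent."""
    findings = []
    for name in ("SW_ID", "HW_ID", "DEBUG", "OEM_ID", "SW_SIZE"):
        if name not in attrs:
            findings.append(f"missing attribute {name}")
    if findings:
        return findings
    _soc_id, oem_in_hw, model_in_hw = split_hw_id(attrs["HW_ID"])
    # The standalone OEM_ID / MODEL_ID fields must agree with the copies
    # packed into HW_ID, otherwise the certificate was built inconsistently.
    if oem_in_hw != attrs["OEM_ID"]:
        findings.append(
            f"OEM_ID {attrs['OEM_ID']:#06x} differs from the OEM field in HW_ID ({oem_in_hw:#06x})"
        )
    if "MODEL_ID" in attrs and model_in_hw != attrs["MODEL_ID"]:
        findings.append(
            f"MODEL_ID {attrs['MODEL_ID']:#06x} differs from the model field in HW_ID ({model_in_hw:#06x})"
        )
    if "SHA256" not in attrs and "SHA1" not in attrs:
        findings.append("no hash-algorithm attribute (SHA1/SHA256) present")
    if attrs["SW_SIZE"] == 0:
        findings.append("SW_SIZE is zero, so the signature would cover no image bytes")
    return findings


if __name__ == "__main__":
    parsed = parse_ou_attributes(SBL2_OU_STRINGS)
    for key, value in parsed.items():
        print(f"{key:9s} = {value:#x}")
    print("SoC/OEM/model from HW_ID:", [hex(v) for v in split_hw_id(parsed["HW_ID"])])
    print("findings:", check_image_cert(parsed) or "none")
```

Running it against the strings from the dump yields SW_ID 5, SW_SIZE 0x1e0c8 (123080 bytes of signed image), a DEBUG field of all zeros, and an HW_ID whose OEM and model halves are both 0, matching the separate OEM_ID and MODEL_ID fields, so the check reports nothing. Changing any one of the paired fields makes the mismatch show up, which is the kind of sanity check worth running before trusting a re-signed image.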
{i} PARAMS
AdamOutler said:
possible exploitations
Possible entry point PARAMS - Samsung stores their boot parameters in PARAMS partition. It may be possible to modify PARAMS for insecure boot
The PARAMS partition (from an adb dump) contains almost all 0's. Here are the first 32 bytes
(laid out in hex offsets of 0x00000000 && 0x00000010):
Code:
00000000 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
00000010 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
From what I understand, each occurrence of 01 indicates a boot_mode variable that the SBL reads*. The rest of the file, about 10,485,739 bytes of data, can contain information for other variables such as debug_level and switch_sel and maybe more, but I have to look more into disassembling the SBL partition image (sbl2.img) to see what other variables there are. I'll report back as soon as I have any more info on that.
*See this link for more info on the param.blk:
http://epiccm.blogspot.com/p/stock-firmware.html
I think it's interesting that from an adb dump, BOOT, EFS, FOTA and PARAMS are all the same size. Only BOOT and PARAMS contain any data though. EFS and FOTA must be loaded from the BOOT partition depending on the boot variables loaded in the PARAMS partition, but I may be wrong on that.
As for booting from SDcard here's a link on how it was done with the Epic 4G:
http://epiccm.blogspot.com/2012/01/multiboot-android-for-debuggingtesting.html
The instructions seem like they should work, especially since they had to use kexec to load from the SDcard and the SGS3 will have to do the same for now. I haven't built this yet, but I will give it a go as soon as I have a spare moment.
EDIT: this might be what you're looking for as far as booting from SD --> http://forum.xda-developers.com/showthread.php?t=1774795 END EDIT
I am currently manually going through each hex offset in IDA and searching for commands to disassemble aboot.img. I haven't gotten very far, as this is extremely time intensive.
I can post any disasm DBs that anyone wants. They can get rather large though.
On a side note, I'm using IDA Pro 6.1 for disassembly of the adb dumped partitions. If you have any pointers on using IDA for debugging/disassembling android partitions, that would be fantastic. I have an arm toolchain, but beyond that, in IDA I've only had experience poking at Window$ crap.
Ta,
ALQI
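The post above reads the 01 bytes in the PARAMS dump as boot variables. As an added example, not code from the thread, here is a Python snippet that reassembles the two hexdump lines posted above into bytes (checking that the offsets are contiguous) and then interprets the block as 32-bit words, which is how an ARM bootloader would read an integer variable: each "01 00 00 00" is a single little-endian word with value 1, not four separate flags. The sample input is the dump exactly as posted; reading the same bytes big-endian is shown only to make the endianness point.

```python
# Constructed input: the two hexdump lines from the post (offset, then 16 bytes),
# copied here as a string so the parser has something to work on.
PARAMS_HEXDUMP = """\
00000000 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
00000010 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
"""


def hexdump_to_bytes(dump):
    """Reassemble 'OFFSET b0 b1 ... b15' lines into one bytes object.

    The offset column is checked against the number of bytes already collected,
    so a truncated or re-ordered dump is rejected instead of silently misread.
    """
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        offset = int(fields[0], 16)
        if offset != len(out):
            raise ValueError(f"hexdump not contiguous at offset {offset:#010x}")
        out += bytes(int(tok, 16) for tok in fields[1:])
    return bytes(out)


def read_words(blob, word_size=4, byteorder="little"):
    """Interpret the block as unsigned words; returns [(offset, value), ...]."""
    if len(blob) % word_size:
        raise ValueError("block length is not a multiple of the word size")
    return [
        (off, int.from_bytes(blob[off:off + word_size], byteorder))
        for off in range(0, len(blob), word_size)
    ]


def nonzero_words(blob):
    """Offsets and values of the words that are set, i.e. the '01' variables."""
    return [(off, val) for off, val in read_words(blob) if val]


if __name__ == "__main__":
    blob = hexdump_to_bytes(PARAMS_HEXDUMP)
    print(f"{len(blob)} bytes")
    for off, val in nonzero_words(blob):
        print(f"  word at {off:#06x} = {val}")
    # Same bytes read big-endian: the first word becomes 0x01000000, which is
    # why the 01-first layout says the values are little-endian integers.
    print("first word read big-endian:", hex(read_words(blob, byteorder="big")[0][1]))
```

On the posted dump this reports four set words, at offsets 0x0, 0xc, 0x10 and 0x14, each with value 1; the same helper can be pointed at a full partition dump to list every non-zero word and its offset before deciding which one corresponds to which variable.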
recovery kernel log
The recovery kernel log is in this path:
/data/log/recovery_kernel_log.txt
I'd post it in a code section here but it's just too long.
There's a few other interesting logs in that path as well.
As I understand it, this seems to be the log from the kernel loaded during the bootloader/Odin mode boot. Could reveal some of the variables set in the params partition. Plus it has juicy hex offsets for all kinds of things.
It's quite verbose.
K sleepy time now.
Ta,
ALQI
Related
Introduction
This is the 10th device to receive UnBrickable Mod! Let's go back to where it all started. It was proposed by XDA Member js22 that a device could be recovered without JTAG, using only its native hardware. After months upon months of research, reading debug logs, reverse engineering of hardware and software, we came up with a solution. Since I was the first to do it, I called it UnBrickable Mod. XDA Member Rebellos then reverse engineered a portion of the IBL into what is known as the HIBL (Hummingbird Interceptor BootLoader). We decided to call it this because the process goes like this: With UBM applied, the processor requests a code download from USB. We feed it the HIBL which reuses IBL code to authenticate with the Hummingbird's secure booting chain, then the Interceptor bootloader calls back and reuses the same IROM Download code used to download it, but we bypass security checks. This "Interception" of the boot sequence is why UnBrickable Mod works. The HIBL has proven to be so powerful and multipurpose that we've been able to package it into a one-click which works with ALL S5PC110 based devices with USB download capabilities.
I'd like to thank pdx 528e for donating the Infuse4G for this modification. This modification would not have been possible on this particular device without total removal of the processor.
After we verify this modification works, this will be a replacement for JTAG. How could it possibly be better than JTAG? Let's count the ways....
1. The only part required is a wire.
2. No shipping time.
3. No cost for a box to interface the computer.
4. Permanent.
5. Can be done as a preventive measure.
6. Gives the ability to test new Bootloaders temporarily.
7. Allows development of the entire system.
8. Removes worry about flashing and acts as a backup.
After performing this mod:
Remove the battery, replace the battery, your phone will connect to the computer via USB and await commands. Otherwise it will pretty much act like an Infuse 4G. See the Special Instructions section.
Modification
You will need:
1. Get someone who knows what they're doing with a soldering iron. If they don't know what flux is, then they don't know what they're doing. You can send me a PM(my username @gmail.com) or Connexion2005(aka MobileTechVideos.com).
2. soldering iron - make sure it's sharp, if it's not sharp, then sharpen it, flux it and re-tin it.
3. flux
4. solder
5. tweezers
6. A relay (for the wire contained within)
getting started:
You will need a very small piece of wire. Tear apart the relay, unravel the coil within and grab about 12cm~ of wire. The fact that it comes from a relay is important because relays generally have very small wire which is individually treated with a non-conductive coating.
Take the 12cm~ wire from the relay and tin the very edge of it. No more than 1/32". If you tin more than 1mm, cut off the excess. It is desirable to have a slight bit of excess solder on the tip of this wire.
performing the modification:
1. tear apart your phone... remove six(6) #1 phillips screws from the back. Then you can separate the back from the front. Make sure to take out your SIM and external SDCard before you do this.
2. Remove the two(2) screws and four(4) electric connections securing the mainboard into the unit and remove the board.
3. remove the EM shield from the processor side.
4. remove xOM5 resistor.
5. Bridge the active side of xOM5 to the active side of xOM3. Most of the resistors in the top row will also work.
6. *OPTIONAL* for Bootloader development you will want UART output. You can use these points to a connection outside the device for UART. These points are exposed when the mainboard is secured to the unit. They are located on the JTAG port.
7. Reassemble the device.
Special Instructions
This replaces the battery charging sequence. The normal battery charging sequence can be activated by holding power for 4 seconds.
To turn on the device, and operate in normal mode, you must hold the power button for 5 seconds.
3 button Download mode works as usual, however you must not have the S5PC110 drivers installed on the computer. You can use your custom rom menu option, adb reboot download, or use a terminal to "reboot download". 301Kohm Factory Mode JIGs work as well, but you must press power to bypass the S5PC110 mode.
Conclusion
Congratulations. You now have a device which works like a KIT-S5PC110 with an OM Value of 29. Now get to developing some serious custom software.
reading material
Creating your own Samsung Bootloaders: http://forum.xda-developers.com/showthread.php?t=1233273
KIT-S5PC110 manual: http://www.mediafire.com/?94krzvvxksvmuxh
how to use DNW: http://tinyurl.com/dnw-how-to
Flash using openOCD and DNW: http://www.arm9board.net/wiki/index.php?title=Flash_using_OpenOCD_and_DNW
another DNW example: http://www.boardset.com/products/mv6410.php
ODroid dev center: http://dev.odroid.com/projects/uboot/wiki/#s-7.2
drivers and utilities
This will be an ever expanding list
Windows Drivers http://forum.xda-developers.com/attachment.php?attachmentid=678937&d=1312590673
Windows Download Tool DNW: http://forum.xda-developers.com/attachment.php?attachmentid=678938&d=1312590673
Windows Command Line tool: http://forum.xda-developers.com/showpost.php?p=17202523&postcount=27
Linux DNW Utility: http://dev.odroid.com/projects/uboot/wiki/#s-7.2
Linux ModeDetect tool: http://code.google.com/p/hummingbird-hibl/downloads/list
Linux Automated UnBricker: http://code.google.com/p/hummingbird-hibl/downloads/list
firmware
Bootloader Hello World by Rebellos http://forum.xda-developers.com/attachment.php?attachmentid=698077&d=1314105521
UnBrick tool http://forum.xda-developers.com/showthread.php?t=1242466
At this time I have not performed this modification. If you are in a pinch, please use this method. I will be performing this mod on my own device shortly.
We confirmed this device has got another iROM build, this means different HW revision of CPU.
HIBL for that will be released soon.
U are a genius Adam
Sent from my SAMSUNG-SGH-I997 using xda premium
JordanElliott said:
U are a genius Adam
Sent from my SAMSUNG-SGH-I997 using xda premium
I second that. I'm ready to send my phone in.
I'm not a developer but I try to play one on XDA. Seriously I'm not a developer. DlevROM Yo!
Thanks. But my wife wont let me touch hers...
Edit. Her phone...LOL..
Sent from my SAMSUNG-SGH-I897 using XDA App
Too much trouble .....but thanks anyway
Sent from my SAMSUNG-SGH-I997 using xda premium
Too bad I'm a perfectionist that doesn't know how to solder; my baby is too new to put her through this lol.
Sent from my SGH-I997 using xda premium
oh man glad to see this here thanks
It would be good to mention a recommendation on soldering iron power. I mean I have 75 watt irons, and 150/400 watt guns, I like to use a bigger than needed iron because it reduces the heat up time and if you get it the first time reduces damage but only if you get it exactly at the right time.
But I wouldn't put any of those big tools near a computer or phone. I'd say 15 Watts is plenty, 25 is manageable if you are good and the tip is sharp and clean; these small electronics are soldered with infrared and aren't even designed to have an iron used on them. Keep that in mind if you consider this mod! This can be tricky stuff that can damage your hardware.
Adam, has any progress been made on the galaxy s to boot Meego or Linux? I know you can install Linux to the sd card and run it alongside Android using terminal emulator to access it like you posted in the captivate section a while back, but I never saw it running with a GUI on the phone. If you know a way to access fluxbox with the phone's touch screen, that would be cool even if I can't boot straight into Linux yet.
This is really great thx so does it mean the infuse can be like the hd2 run almost all the popular Smartphone operating systems ?
leeroy1034 said:
This is really great thx so does it mean the infuse can be like the hd2 run almost all the popular Smartphone operating systems ?
What it means is that if you are a developer that wants to develop a way to do those things you can do it without fear or bricking. I doubt it will lead to the infuse being the next hd2 but its a step in the direction.
I'm just hoping it means more roms to get my flashing addiction fix
Sent from my SAMSUNG-SGH-I997 using XDA App
The_Zodiac said:
I'm just hoping it means more roms to get my flashing addiction fix
Sent from my SAMSUNG-SGH-I997 using XDA App
I hope it leads to Meego for the infuse. I kinda dislike Android, it's too slow, too fractured; we shouldn't need all this super fast hardware to get a smooth experience. But I have never used Meego. Even with a lack of a huge app market it has to be better than lame ios or win phone7.
Wow, reading these threads and the custom bootloaders threads makes me realize how much smarter some of you are than me. I can only thank you for your work done and time given to the community. Great work to everyone involved!
AJerman said:
Wow, reading these threads and the custom bootloaders threads makes me realize how much smarter some of you are than me.
Personally...
Naah, I've just got loads of time to waste for pretty useless things (mainly, once per few months something useful like HIBL comes out) :d
https://m.google.com/app/plus/mp/217/#~loop:aid=z12pxpqbdlikhv0rj04cd5gbiz3wg5eqqjg&view=activity
Ok. I'm having a problem. We have USB debug mode..
Code:
Bus 001 Device 035: ID 04e8:1234 Samsung Electronics Co., Ltd
It is enumerating properly in Linux.
It is uploading the HIBL properly as well.
Code:
[email protected]:~/Desktop$ sudo smdk-usbdl -a d0020000 -f ./HIBL.bin
SMDK42XX,S3C64XX USB Download Tool
Version 0.20 (c) 2004,2005,2006 Ben Dooks <[email protected]>
S3C64XX Detected!
=> found device: bus 001, dev 034
=> loaded 24576 bytes from ./HIBL.bin
=> Downloading 24586 bytes to 0xd0020000
=> Data checksum 5d9c
=> usb_bulk_write() returned 24586
[email protected]:~/Desktop$
However, the device does not un-enumerate and re-enumerate as it usually does after receiving and executing the HIBL.
Here is the UART output from uploading HIBL.
Code:
Insert an OTG cable into the connector!
����
Uart negotiation Error
����
Here is a typical boot.
Code:
Uart negotiation Error
Insert an OTG cable into the connector!
Enumeration TimeOut Error
1
-----------------------------------------------------------
Samsung Primitive Bootloader (PBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------
+n1stVPN 2688
+nPgsPerBlk 64
PBL found bootable SBL: Partition(3).
MAX8893_REG_ONOFF return val 1
MAX8893_REG_DISCHARGE return val ff
MAX8893_REG_LSTIME return val 8
MAX8893_REG_DVSRAMP return val 9
MAX8893_REG_BUCK return val 2
MAX8893_REG_LDO1 return val 2
MAX8893_REG_LDO1 new val e
MAX8893_REG_LDO2 return val e
MAX8893_REG_LDO2 new val 10
MAX8893_REG_ONOFF return val 1
MAX8893_REG_ONOFF new val 21
MAX8893_REG_ONOFF return val 21
MAX8893_REG_ONOFF new val 31
Set cpu clk. from 400MHz to 800MHz.
OM=0x29, device=OnenandMux(Audi)
IROM e-fused - Non Secure Boot Version.
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
Board Name: ARIES REV 03
Build On: May 19 2011 22:17:14
-----------------------------------------------------------
Re_partition: magic code(0x80040)
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] OneNAND nMID=0xec : nDID=0x50
[PAM: ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
Now Read Images - ID : 1
.Done.
read 1 units.
==== PARTITION INFORMATION ====
ID : IBL+PBL (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : PIT (0x1)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 1
===============================
ID : EFS (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 2
NO_UNITS : 40
===============================
ID : SBL (0x3)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 42
NO_UNITS : 5
===============================
ID : SBL2 (0x4)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 47
NO_UNITS : 5
===============================
ID : PARAM (0x15)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 52
NO_UNITS : 20
===============================
ID : KERNEL (0x6)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 72
NO_UNITS : 30
===============================
ID : RECOVERY (0x7)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 102
NO_UNITS : 30
===============================
ID : FACTORYFS (0x16)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 132
NO_UNITS : 1146
===============================
ID : DBDATAFS (0x17)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1278
NO_UNITS : 536
===============================
ID : CACHE (0x18)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1814
NO_UNITS : 130
===============================
ID : MODEM (0xb)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1944
NO_UNITS : 60
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 3660mV, soc = 13
check_quick_start_condition- Voltage: 3660.0, Linearized[0/15/30], Capacity: 12
init_fuel_gauge: vcell = 3660mV, soc = 13, rcomp = d01f
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1 = 0xc0
PMIC_IRQ2 = 0x0
PMIC_IRQ3 = 0x1
PMIC_IRQ4 = 0x0
PMIC_STATUS1 = 0x0
PMIC_STATUS2 = 0x0
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48
check_download: micorusb_status1 = 0, key_value = 0
aries_process_platform: final s1 booting mode = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
lcd_power_on_ld9040
s6e63m0_c110_spi_read_byte-------------------------: 86
DA lcd ID1 = 86
s6e63m0_c110_spi_read_byte-------------------------: 48
DB lcd ID2 = 48
s6e63m0_c110_spi_read_byte-------------------------: 44
DC lcd ID3 = 44
LCD_ID == 3
Autoboot (0 seconds) in progress, press any key to stop
get_debug_level current debug level is 0x574f4c44.
get_debug_level current debug level is 0x574f4c44.
boot_kernel: Debug Level Low
FOTA Check Bit
Read BML page=, NumPgs=
FOTA Check Bit (0x871f8801)
Load Partion idx = (6)
..............................done
Kernel read success from kernel partition no.6, idx.6.
setting param.serialnr=0x31352402 0x61dc00ec
setting param.board_rev=0x30
setting param.cmdline=console=ttySAC2,115200 loglevel=4
Starting kernel at 0x32000000...
Uncompressing Linux.............................................................
[ 0.000000] copy: bad source 0
[ 0.000000] mout_audss: bad source 0
[ 0.090119] KERNEL:kernel_sec_get_debug_level_from_boot=0x574f4c44
[ 0.094853] KERNEL:magic_number=0x0 DEBUG LEVEL low!!
[ 0.099864] (kernel_sec_set_upload_cause) : upload_cause set 0
[ 0.804603] irq requested hpd irq
[ 0.850107] --------A1026 i2c driver A1026_probe called
[ 0.853875] --------A1026_probe: device not supported
[ 0.859131] --------A1026_driver_init successful
[ 0.863514] --------A1026_dev_powerup called
[ 3.007976] Failed to request gpio touchkey_init:738
[ 3.011482] Failed to request gpio touchkey_init:740
[ 12.856445] init: [disk_config] initialize_mbr_flash for S1_EUR
[ 12.860891] init: [disk_config] [Disk Size (16005464064), (15630336k), secto]
[ 12.870565] init: [disk_config] calc_pte_of_disk -> start 64 num lba 2732844
[ 12.879153] init: [disk_config] calc_pte_of_disk -> start 27328512 num lba 3
[ 12.888197] init: [disk_config] compare_partition -> num_part 0 , offset (44)
[ 12.896007] init: [disk_config] [ target -> Disk0 : 13992165376 (13664224k) ]
[ 12.905162] init: [disk_config] Match partition table entry ... skip(0)
[ 12.911775] init: [disk_config] compare_partition -> num_part 1 , offset (46)
[ 12.919575] init: [disk_config] [ target -> Disk1 : 2013265920 (1966080k) 00]
[ 12.928584] init: [disk_config] Match partition table entry ... skip(1)
[ 12.935185] init: [disk_config] compare_partition -> num_part 2 , offset (47)
[ 12.942987] init: [disk_config] [ target -> Disk2 : 0 (0k) 00:00:00000000:00]
[ 12.950698] init: [disk_config] Match partition table entry ... skip(2)
[ 12.957303] init: [disk_config] compare_partition -> num_part 3 , offset (49)
[ 12.965104] init: [disk_config] [ target -> Disk3 : 0 (0k) 00:00:00000000:00]
[ 12.972811] init: [disk_config] Match partition table entry ... skip(3)
[ 12.979399] init: [disk_config] bNeedRoot : 0x00
[ 12.990828] init: cannot open '/initlogo.rle'
[ 13.075055] Failed to request FM_RESET!
[ 13.172981] init: [disk_config] :::: /dev/block/mmcblk0p1 :::::
[ 13.180732] init: [disk_config] vfat_identify -> ok
[ 13.184160] init: [disk_config] :::: /dev/block/mmcblk0p2 :::::
[ 13.190129] init: [disk_config] Error ::rfs_identify -> oem_name ()
[ 13.196466] init: [disk_config] rfs_identify -> failed
[ 13.202486] init: [disk_config] Error ::rfs_identify -> oem_name ()
[ 13.207833] init: [disk_config] rfs_identify -> failed
[ 13.213839] init: [disk_config] Error ::rfs_identify -> oem_name ()
[ 13.219189] init: [disk_config] rfs_identify -> failed
[ 13.225210] init: [disk_config] rfs_format -> /system/bin/fat.format -F 32 -
[ 13.252568] init: [disk_config] rfs_format -> ok[BIF: ] FSR VERSION: FSRM
[ 13.552104] init: cannot find '/system/bin/false', disabling 'noplaylogos'
[ 13.586570] init: cannot find '/system/etc/install-recovery.sh', disabling ''
sh: can't access tty; job control turned off
$ [ 19.506760] init: no such service 'bootanim'
[ 43.514858] init: no such service 'bootanim'
[ 61.035132] init: sys_prop: permission denied uid:1000 name:dpm.allowcamera
[ 71.204861] init: untracked pid 3290 exited
����
Uart negotiation Error
Rebellos, any ideas?
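The UART log above prints the SBL's partition table twelve records at a time, which is tedious to check by eye. As an added example, not code from the thread or from Samsung, here is a Python parser that pulls the records out of such a log, verifies that consecutive partitions are contiguous (no gaps, no overlaps), and lists which partitions the SBL marks RW. The sample input is the PARTITION INFORMATION block from the log above, with each record's four lines kept together for brevity; the parser does not depend on that layout.

```python
import re
from dataclasses import dataclass

# Constructed sample: the PARTITION INFORMATION block from the SBL UART log
# above. Each record's four lines are joined with "\n" here to keep the sample
# short; the regex below matches across newlines, so the original layout works too.
SBL_PARTITION_LOG = "\n".join([
    "==== PARTITION INFORMATION ====",
    "ID : IBL+PBL (0x0)\nATTR : RO SLC (0x1002)\nFIRST_UNIT : 0\nNO_UNITS : 1",
    "ID : PIT (0x1)\nATTR : RO SLC (0x1002)\nFIRST_UNIT : 1\nNO_UNITS : 1",
    "ID : EFS (0x14)\nATTR : RW STL SLC (0x1101)\nFIRST_UNIT : 2\nNO_UNITS : 40",
    "ID : SBL (0x3)\nATTR : RO SLC (0x1002)\nFIRST_UNIT : 42\nNO_UNITS : 5",
    "ID : SBL2 (0x4)\nATTR : RO SLC (0x1002)\nFIRST_UNIT : 47\nNO_UNITS : 5",
    "ID : PARAM (0x15)\nATTR : RW STL SLC (0x1101)\nFIRST_UNIT : 52\nNO_UNITS : 20",
    "ID : KERNEL (0x6)\nATTR : RO SLC (0x1002)\nFIRST_UNIT : 72\nNO_UNITS : 30",
    "ID : RECOVERY (0x7)\nATTR : RO SLC (0x1002)\nFIRST_UNIT : 102\nNO_UNITS : 30",
    "ID : FACTORYFS (0x16)\nATTR : RW STL SLC (0x1101)\nFIRST_UNIT : 132\nNO_UNITS : 1146",
    "ID : DBDATAFS (0x17)\nATTR : RW STL SLC (0x1101)\nFIRST_UNIT : 1278\nNO_UNITS : 536",
    "ID : CACHE (0x18)\nATTR : RW STL SLC (0x1101)\nFIRST_UNIT : 1814\nNO_UNITS : 130",
    "ID : MODEM (0xb)\nATTR : RO SLC (0x1002)\nFIRST_UNIT : 1944\nNO_UNITS : 60",
])

RECORD_RE = re.compile(
    r"^ID\s*:\s*(?P<name>\S+)\s*\((?P<part_id>0x[0-9a-fA-F]+)\)\s*"
    r"ATTR\s*:\s*(?P<attr>[A-Z ]+?)\s*\((?P<attr_code>0x[0-9a-fA-F]+)\)\s*"
    r"FIRST_UNIT\s*:\s*(?P<first>\d+)\s*"
    r"NO_UNITS\s*:\s*(?P<count>\d+)",
    re.MULTILINE,
)


@dataclass(frozen=True)
class Partition:
    name: str
    part_id: int
    attr: str        # e.g. "RO SLC" or "RW STL SLC"
    attr_code: int
    first: int       # first flash unit
    count: int       # number of units


def parse_partition_table(log_text):
    """Extract every ID/ATTR/FIRST_UNIT/NO_UNITS record from an SBL log."""
    return [
        Partition(m["name"], int(m["part_id"], 16), m["attr"],
                  int(m["attr_code"], 16), int(m["first"]), int(m["count"]))
        for m in RECORD_RE.finditer(log_text)
    ]


def layout_problems(parts):
    """Gaps or overlaps between partitions once sorted by FIRST_UNIT."""
    problems = []
    ordered = sorted(parts, key=lambda p: p.first)
    for prev, cur in zip(ordered, ordered[1:]):
        expected = prev.first + prev.count
        if cur.first > expected:
            problems.append(f"gap of {cur.first - expected} units between {prev.name} and {cur.name}")
        elif cur.first < expected:
            problems.append(f"{cur.name} overlaps {prev.name} by {expected - cur.first} units")
    return problems


def writable_partitions(parts):
    """Names of the partitions the SBL flags RW (the ones a running OS can alter)."""
    return [p.name for p in parts if p.attr.startswith("RW")]


def total_units(parts):
    """Highest unit covered by the table, i.e. its overall extent."""
    return max(p.first + p.count for p in parts)


if __name__ == "__main__":
    table = parse_partition_table(SBL_PARTITION_LOG)
    for p in table:
        print(f"{p.name:10s} id={p.part_id:#04x} {p.attr:11s} units {p.first}-{p.first + p.count - 1}")
    print("layout problems:", layout_problems(table) or "none")
    print("writable:", writable_partitions(table))
    print("total units:", total_units(table))
```

For the log above the twelve records are contiguous from unit 0 through 2003, and the RW set is EFS, PARAM, FACTORYFS, DBDATAFS and CACHE, which is exactly why PARAM gets attention in this thread: it is read by the bootloader but writable from the running system. Diffing the output of two boots (or two firmware builds) is a quick way to spot a repartition.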
Updated 3rd post in this thread. We found out another S5PC110 iROM revision for the first time.
It's working. Excellent work Rebellos!
This log shows HIBL, then SBL going into download mode. Then a heimdall print-pit was executed and the device rebooted.
Code:
����
Uart negotiation Error
-------------------------------------------------------------
Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
-------------------------------------------------------------
Calling IBL Stage2 ...OK
Testing DRAM1 ...OK
iRAM reinit ...OK
cleaning OTG context ...OK
Chain of Trust has been successfully compromised.
Begin unsecure download now...
0x00000000BL3 EP: 0x40244000
Download complete, hold download mode key combination.
Starting BL3 in...
Set cpu clk. from 400MHz to 800MHz.
OM=0x29, device=OnenandMux(Audi)
IROM e-fused - Non Secure Boot Version.
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Modified by Rebell
Build On: Jun 8 2011 21:44:47
-----------------------------------------------------------
Re_partition: magic code(0x0)
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] OneNAND nMID=0xec : nDID=0x50
[PAM: ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
.Done.
read 1 units.
==== PARTITION INFORMATION ====
ID : IBL+PBL (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : PIT (0x1)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 1
===============================
ID : EFS (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 2
NO_UNITS : 40
===============================
ID : SBL (0x3)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 42
NO_UNITS : 5
===============================
ID : SBL2 (0x4)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 47
NO_UNITS : 5
===============================
ID : PARAM (0x15)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 52
NO_UNITS : 20
===============================
ID : KERNEL (0x6)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 72
NO_UNITS : 30
===============================
ID : RECOVERY (0x7)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 102
NO_UNITS : 30
===============================
ID : FACTORYFS (0x16)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 132
NO_UNITS : 1146
===============================
ID : DBDATAFS (0x17)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1278
NO_UNITS : 536
===============================
ID : CACHE (0x18)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1814
NO_UNITS : 130
===============================
ID : MODEM (0xb)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1944
NO_UNITS : 60
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 4102mV, soc = 80
check_quick_start_condition_with_charger- Voltage: 4102.50000, Linearized[64/79/94], Capacity: 83
init_fuel_gauge: vcell = 4102mV, soc = 80, rcomp = d01f
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1 = 0x28
PMIC_IRQ2 = 0x0
PMIC_IRQ3 = 0x0
PMIC_IRQ4 = 0x0
PMIC_STATUS1 = 0x40
PMIC_STATUS2 = 0x2c
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x20
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48
reading nps status file is successfully!.
nps status=0x504d4f43
==> Welcome to ARIES!
==> Entering usb download mode..
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Error : Current Mode is Host
EP2: 0, 2, 0; len=7
EP2: 0, 2, 0; len=7
sug: IN EP asserted
Error:Invalid connection string!
Error:Invalid connection string!
- Odin is connected!
set_nps_update_start: set nps start flag successfully.
process_packet: request id(100), data id(0)
process_rqt_init: platform number(0x0), revision(0x0)
process_packet: request id(100), data id(1)
process_packet: request id(101), data id(1)
.Done.
read 1 units.
check_pit_integrity: valid pit magic code.
process_packet: request id(101), data id(2)
process_packet: request id(101), data id(2)
process_packet: request id(101), data id(2)
process_packet: request id(101), data id(2)
process_packet: request id(101), data id(2)
process_packet: request id(101), data id(2)
process_packet: request id(101), data id(2)
process_packet: request id(101), data id(2)
process_packet: request id(101), data id(2)
process_packet: request id(101), data id(3)
process_packet: request id(103), data id(0)
process_rqt_close: xmit completed!
set_nps_update_completed: set nps completed flag successfully.
process_packet: request id(103), data id(1)
process_rqt_close: target reset!
ARIES MAGIC_ADDR=0x0 / INFORM5=0x12345678
1
-----------------------------------------------------------
Samsung Primitive Bootloader (PBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------
+n1stVPN 2688
+nPgsPerBlk 64
PBL found bootable SBL: Partition(3).
MAX8893_REG_ONOFF return val 1
MAX8893_REG_DISCHARGE return val ff
MAX8893_REG_LSTIME return val 8
MAX8893_REG_DVSRAMP return val 9
MAX8893_REG_BUCK return val 2
MAX8893_REG_LDO1 return val 2
MAX8893_REG_LDO1 new val e
MAX8893_REG_LDO2 return val e
MAX8893_REG_LDO2 new val 10
MAX8893_REG_ONOFF return val 1
MAX8893_REG_ONOFF new val 21
MAX8893_REG_ONOFF return val 21
MAX8893_REG_ONOFF new val 31
Set cpu clk. from 400MHz to 800MHz.
OM=0x29, device=OnenandMux(Audi)
IROM e-fused - Non Secure Boot Version.
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
Board Name: ARIES REV 03
Build On: May 19 2011 22:17:14
-----------------------------------------------------------
Re_partition: magic code(0x0)
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] OneNAND nMID=0xec : nDID=0x50
[PAM: ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
Now Read Images - ID : 1
.Done.
read 1 units.
==== PARTITION INFORMATION ====
ID : IBL+PBL (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : PIT (0x1)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 1
===============================
ID : EFS (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 2
NO_UNITS : 40
===============================
ID : SBL (0x3)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 42
NO_UNITS : 5
===============================
ID : SBL2 (0x4)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 47
NO_UNITS : 5
===============================
ID : PARAM (0x15)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 52
NO_UNITS : 20
===============================
ID : KERNEL (0x6)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 72
NO_UNITS : 30
===============================
ID : RECOVERY (0x7)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 102
NO_UNITS : 30
===============================
ID : FACTORYFS (0x16)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 132
NO_UNITS : 1146
===============================
ID : DBDATAFS (0x17)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1278
NO_UNITS : 536
===============================
ID : CACHE (0x18)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1814
NO_UNITS : 130
===============================
ID : MODEM (0xb)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1944
NO_UNITS : 60
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 4101mV, soc = 80
check_quick_start_condition_with_charger- Voltage: 4101.25000, Linearized[67/82/97], Capacity: 83
init_fuel_gauge: vcell = 4101mV, soc = 80, rcomp = d01f
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1 = 0x0
PMIC_IRQ2 = 0x0
PMIC_IRQ3 = 0x0
PMIC_IRQ4 = 0x0
PMIC_STATUS1 = 0x40
PMIC_STATUS2 = 0x2c
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48
check_download: micorusb_status1 = 4, key_value = 0
aries_process_platform: final s1 booting mode = 0
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
lcd_power_on_ld9040
s6e63m0_c110_spi_read_byte-------------------------: 86
DA lcd ID1 = 86
s6e63m0_c110_spi_read_byte-------------------------: 48
DB lcd ID2 = 48
s6e63m0_c110_spi_read_byte-------------------------: 44
DC lcd ID3 = 44
LCD_ID == 3
Autoboot (0 seconds) in progress, press any key to stop
get_debug_level current debug level is 0x574f4c44.
get_debug_level current debug level is 0x574f4c44.
boot_kernel: Debug Level Low
FOTA Check Bit
Read BML page=, NumPgs=
FOTA Check Bit (0x871f8801)
Load Partion idx = (6)
..............................done
Kernel read success from kernel partition no.6, idx.6.
setting param.serialnr=0x31352402 0x61dc00ec
setting param.board_rev=0x30
setting param.cmdline=console=ttySAC2,115200 loglevel=4
Starting kernel at 0x32000000...
Uncompressing Linux..............................................................................................................
[ 0.000000] copy: bad source 0
[ 0.000000] mout_audss: bad source 0
[ 0.090122] KERNEL:kernel_sec_get_debug_level_from_boot=0x574f4c44
[ 0.094863] KERNEL:magic_number=0x0 DEBUG LEVEL low!!
[ 0.099874] (kernel_sec_set_upload_cause) : upload_cause set 0
[ 0.802403] irq requested hpd irq
[ 0.846178] --------A1026 i2c driver A1026_probe called
[ 0.849942] --------A1026_probe: device not supported
[ 0.855208] --------A1026_driver_init successful
[ 0.859587] --------A1026_dev_powerup called
[ 3.004125] Failed to request gpio touchkey_init:738
[ 3.007639] Failed to request gpio touchkey_init:740
[ 12.613596] init: [disk_config] initialize_mbr_flash for S1_EUR
[ 12.617987] init: [disk_config] [Disk Size (16005464064), (15630336k), sector_size 512 :: num_lba 31260672 ]
[ 12.627716] init: [disk_config] calc_pte_of_disk -> start 64 num lba 27328448 next : 27328512
[ 12.636293] init: [disk_config] calc_pte_of_disk -> start 27328512 num lba 3932160 next : 31260672
[ 12.645348] init: [disk_config] compare_partition -> num_part 0 , offset (446)(0x1be)
[ 12.653148] init: [disk_config] [ target -> Disk0 : 13992165376 (13664224k) 00:0c:00000040:01a0ffc0 ]
[ 12.662313] init: [disk_config] Match partition table entry ... skip(0)
[ 12.668924] init: [disk_config] compare_partition -> num_part 1 , offset (462)(0x1ce)
[ 12.676721] init: [disk_config] [ target -> Disk1 : 2013265920 (1966080k) 00:0c:01a10000:003c0000 ]
[ 12.685729] init: [disk_config] Match partition table entry ... skip(1)
[ 12.692391] init: [disk_config] compare_partition -> num_part 2 , offset (478)(0x1de)
[ 12.700135] init: [disk_config] [ target -> Disk2 : 0 (0k) 00:00:00000000:00000000 ]
[ 12.707841] init: [disk_config] Match partition table entry ... skip(2)
[ 12.714454] init: [disk_config] compare_partition -> num_part 3 , offset (494)(0x1ee)
[ 12.722244] init: [disk_config] [ target -> Disk3 : 0 (0k) 00:00:00000000:00000000 ]
[ 12.729962] init: [disk_config] Match partition table entry ... skip(3)
[ 12.736538] init: [disk_config] bNeedRoot : 0x00
[ 12.748654] init: cannot open '/initlogo.rle'
[ 12.832898] Failed to request FM_RESET!
[ 12.931189] init: [disk_config] :::: /dev/block/mmcblk0p1 :::::
[ 12.938955] init: [disk_config] vfat_identify -> ok
[ 12.942398] init: [disk_config] :::: /dev/block/mmcblk0p2 :::::
[ 12.948354] init: [disk_config] Error ::rfs_identify -> oem_name ()
[ 12.954696] init: [disk_config] rfs_identify -> failed
[ 12.960739] init: [disk_config] Error ::rfs_identify -> oem_name ()
[ 12.966056] init: [disk_config] rfs_identify -> failed
[ 12.972089] init: [disk_config] Error ::rfs_identify -> oem_name ()
[ 12.977424] init: [disk_config] rfs_identify -> failed
[ 12.983432] init: [disk_config] rfs_format -> /system/bin/fat.format -F 32 -S 4096 -s 4 /dev/block/mmcblk0p2
[ 13.009915] init: [disk_config] rfs_format -> ok[BIF: ] FSR VERSION: FSR_1.2.1p1_b139_RTM
[ 13.310236] init: cannot find '/system/bin/false', disabling 'noplaylogos'
[ 13.337944] init: cannot find '/system/etc/install-recovery.sh', disabling 'flash_recovery'
sh: can't access tty; job control turned off
$ [ 19.257644] init: no such service 'bootanim'
[ 39.060649] init: sys_prop: permission denied uid:1000 name:wifi.interface
[ 44.151646] init: no such service 'bootanim'
The commands run were:
Code:
sudo smdk-usbdl -a d0020000 -f ./Infuse_HIBL_3.bin
sudo smdk-usbdl -a d40244000 -f ./Sbl.bin
You can get these pre-release binaries here: http://www.mediafire.com/file/yewg81mwdklb357/HIBLandSblBinaries.zip
Everything is working but I have not yet tested flashing. Flashing should go off without a hitch. You will use Odin 1.7 or 1.8.
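The SBL dumps above list every partition with its FIRST_UNIT and NO_UNITS, and that table is what Odin or heimdall will flash against. The shell function below is an added example (not part of Rebellos' binaries or of any post in this thread) that parses such a dump with awk and checks that each partition starts exactly where the previous one ended, which is the quick sanity check worth running on a print-pit or UART dump before writing anything. The two embedded sample dumps are constructed from the first five entries of the log above, once as printed and once with SBL2 moved one unit early; function and helper names are my own.

```sh
#!/bin/sh
# Added example (not from the thread): sanity-check an SBL
# "PARTITION INFORMATION" dump before trusting it for a flash.
# check_partition_layout reads the dump on stdin, prints one summary line
# per partition and exits 0 if every partition starts exactly where the
# previous one ended, 1 on a gap or overlap, 2 if no entries were found.
check_partition_layout() {
    awk '
    BEGIN { count = 0; expect = 0; bad = 0 }
    # "ID : SBL (0x3)"  -> $1 = ID, $2 = :, $3 = SBL
    $1 == "ID"         { name = $3 }
    # "FIRST_UNIT : 42" -> $3 = 42
    $1 == "FIRST_UNIT" { first = $3 + 0 }
    # NO_UNITS is the last field of an entry, so the entry is complete here
    $1 == "NO_UNITS" {
        n = $3 + 0
        if (count > 0 && first != expect) {
            if (first > expect)
                printf "FAULT: gap of %d unit(s) before %s\n", first - expect, name
            else
                printf "FAULT: %s overlaps the previous partition by %d unit(s)\n", name, expect - first
            bad = 1
        }
        printf "%-10s units %5d .. %5d (%d)\n", name, first, first + n - 1, n
        expect = first + n
        count++
    }
    END {
        if (count == 0) { print "no partition entries found"; exit 2 }
        printf "%d partitions, %d units total\n", count, expect
        exit bad
    }'
}

# Constructed sample: the first five entries of the SBL dump above (contiguous).
sample_good_dump() {
    cat <<'EOF'
==== PARTITION INFORMATION ====
ID : IBL+PBL (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : PIT (0x1)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 1
===============================
ID : EFS (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 2
NO_UNITS : 40
===============================
ID : SBL (0x3)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 42
NO_UNITS : 5
===============================
ID : SBL2 (0x4)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 47
NO_UNITS : 5
===============================
EOF
}

# Constructed sample: same entries, but SBL2 starts one unit early (overlap).
sample_bad_dump() {
    sample_good_dump | sed 's/^FIRST_UNIT : 47$/FIRST_UNIT : 46/'
}

echo "== contiguous sample =="
sample_good_dump | check_partition_layout
echo "== overlapping sample =="
sample_bad_dump | check_partition_layout || echo "rejected, as expected"
```

To use it on a real capture, save the UART log and run `check_partition_layout < capture.log`; the exit status makes it usable as a gate in a flashing script.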
If you want to know more about the boot sequence for this platform, you can refer to the following document:
R19UH0036EJ0600.pdf (1 chip, which can be downloaded from http://www.renesas.eu/products/soc/assp/mobile/emma_mobile/emma_mobile_ev/index.jsp)
Appendix C: Boot loader in ROM
I assume you have the U-boot source code. If you don't, you can download it here:
http://dl.dropbox.com/u/60117641/u-boot-bspgb-110801.tar.gz
This is the one Renesas officially released. Livall and Smallart (two of the manufacturers of tablets based on the Renesas SoC) both modified it.
I'll explain a "Smallart" firmware update package first:
sdboot.bin: a pre-loader that is used only in SD card boot mode; the source code is in board/emxx/emev/mini-boot/, and lowlevel-init.S is also compiled
uboot-sd.bin: this is u-boot
uImage: this is the common Linux kernel image; it includes an initial RAM disk image, so it can boot without a root file system. It is only used in recovery mode.
update.zip: it includes uboot-emmc, uImage and the root fs, which will be extracted into eMMC flash during installation.
Please understand that your package is not the “run time” image; it is used to install Android on eMMC flash. All the “run time” files are in “update.zip”.
A "Livall" update package is composed of:
sdboot.bin: this is the same as Smallart; it is the pre-loader
uboot-sd.bin: this is also the same, u-boot
uImage4: this is the image used both for SD card boot and copied to eMMC flash
cramfs4: this is a cramfs type root fs image; it will be loaded as a ramdisk during Android installation.
uboot4.bin: this is the boot loader for eMMC boot; it will be copied to eMMC flash
android-fs4.tar.gz: this is the Android filesystem
ff4: this is the eMMC partition table.
Trying a build, in my env where I have the Android NDK (release 6) toolchain installed.
> export CROSS_COMPILE=arm-linux-androideabi-
> tar xzf u-boot-bspgb-110801.tar.gz
> cd u-boot
1) For an eMMC boot
> make distclean
> make emev_emmc_config
> make
This was successful. Got these files:
-rwxr-xr-x 1 root root 390296 Feb 2 05:47 u-boot.srec
-rw-r--r-- 1 root root 114797 Feb 2 05:47 u-boot.map
-rwxr-xr-x 1 root root 130068 Feb 2 05:47 u-boot.bin
-rwxr-xr-x 1 root root 453562 Feb 2 05:47 u-boot
-rw-r--r-- 1 root root 19488 Feb 2 05:47 System.map
-rw-r--r-- 1 root root 138260 Feb 2 05:47 u-boot-emmc.bin
2) For an SD boot:
> make distclean
> make emev_sd_line_config
> make
-rwxr-xr-x 1 root root 389442 Feb 2 06:08 u-boot.srec
-rw-r--r-- 1 root root 129784 Feb 2 06:08 uboot-sd.bin
-rw-r--r-- 1 root root 114675 Feb 2 06:08 u-boot.map
-rwxr-xr-x 1 root root 129784 Feb 2 06:08 u-boot.bin
-rwxr-xr-x 1 root root 447246 Feb 2 06:08 u-boot
-rw-r--r-- 1 root root 19523 Feb 2 06:08 System.map
-rwxr-xr-x 1 root root 8312 Feb 2 06:08 sdboot.bin
Note here the "sdboot.bin", which is the "mini-boot" as referred in the datasheet.
--- EDIT ---
Apply the next patch if your board has 512MB DDR memory.
Code:
index 707d2d4..2e4a767 100644
--- a/board/emxx/emev/lowlevel_init_val.h
+++ b/board/emxx/emev/lowlevel_init_val.h
@@ -22,7 +22,7 @@
#define EMXX_PWC_CHANGE_CORE
#ifndef CONFIG_EMXX_UNUSE_AB
-#define EMXX_READ_VERSION
+/*#define EMXX_READ_VERSION*/
#endif
/*****************************************************
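Review bot: the EMXX_READ_VERSION change in this hunk is unrelated to the 512MB DDR adjustment the post describes and is left unexplained; dropping the define with `/*#define EMXX_READ_VERSION*/` also hides the intent from anyone reading the header later. If skipping the version read is required on 512MB boards, add a comment saying why, or tie it to a config option rather than commenting it out.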
@@ -228,13 +228,13 @@
#define MEMC_REQSCH_VAL 0x0000001f
-#define MEMC_DDR_CONFIGF_VAL 0x8e000004
+#define MEMC_DDR_CONFIGF_VAL 0x8e000008
#define MEMC_DDR_CONFIGA1_VAL 0x5c4a4517
#define MEMC_DDR_CONFIGA2_ES1 0x8800a840
#define MEMC_DDR_CONFIGA2_ES2 0x8800aa60
#define MEMC_DDR_CONFIGA2_ES3 0x8800a840
-#define MEMC_DDR_CONFIGR3_VAL1 0xc11a0000
+#define MEMC_DDR_CONFIGR3_VAL1 0xc12c0000
#define MEMC_DDR_CONFIGC1_VAL1 0x40400043
#define MEMC_DDR_CONFIGC2_VAL1 0x0000001d
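Review bot: MEMC_DDR_CONFIGF_VAL and MEMC_DDR_CONFIGR3_VAL1 are replaced by new magic values (`0x8e000008`, `0xc12c0000`) with no comment recording which DDR geometry fields they change; the post only says "512MB DDR". Add a comment beside each new value naming the setting it selects, and consider guarding the pair with an #ifdef for the 512MB board so the existing board configuration is not silently changed for everyone who builds this tree.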
Let me explain the boot sequence in slightly higher detail. u-boot can be compiled with different configurations:
emev_emmc_config
emev_sd_config
emev_sd_line_config
EM/EV ROM boot code exists at 0xFFFF_0000, and it uses internal SRAM at 0xF000_0000
This ROM boot code will load mini-boot to SRAM and jump to 0xF000_0000
For SD boot mode, miniboot is sdboot.bin in SD card root directory
For eMMC boot: miniboot is the first 8K bytes in mmcblk0p1
Miniboot loads the remaining part:
SD boot:
Load the rest of u-boot (uboot-sd.bin to DDR#0x4100_8000)
Load the kernel image (uImage to DDR#0x4000_7fc0)
Load the ram disk (cramfs to DDR#0x4600_0000); this is optional, depending on a compile option
eMMC boot:
Load the rest of u-boot (mmcblk0p1#0x0000_2000-0x0004_0000 to DDR#0x4100_8000)
Load the kernel image (mmcblk0p2 to DDR#0x4000_7fc0)
Then jump to u-boot
There will be different boot arguments from u-boot, the definition of which can be found in the u-boot code, in include/configs/emev.h:
Code:
...
#define CONFIG_CRAMFSCMD "setenv bootargs root=/dev/null noinitrd init=/linuxrc console=ttyS0,115200n8n SELINUX_INIT=no \$(cfg_ddr) ro video=qfb: ip=none rootflags=physaddr=0x00500000\;bootm 00080000"
#ifdef CONFIG_EMXX_SDBOOT_LINE /* SD boot linesystem */
#define CONFIG_EXT3CMD "setenv bootargs root=/dev/null noinitrd init=/linuxrc console=ttyS0,115200n8n SELINUX_INIT=no [email protected] rw video=qfb: ip=none rootflags=physaddr=0x46000000\;bootm 40007fc0"
#else
#define CONFIG_EXT3CMD "setenv bootargs root=\$(ext3_root) noinitrd init=/linuxrc console=ttyS0,115200n8n SELINUX_INIT=no \$(cfg_ddr) rw video=qfb: ip=none rootfstype=ext3 rootwait\;bootm 40007fc0"
#endif
...
If you mount the cramfs from a typical "Livall" update package (which includes both a "cramfs4" file and an "install.sh" script) onto your file system, you can see how the install script is invoked:
Code:
sudo mkdir /mnt/cramfs
sudo mount -o loop cramfs4 /mnt/cramfs
ls -l /mnt/cramfs/linuxrc
lrwxrwxrwx 1 root root 11 1970-01-01 01:00 /mnt/cramfs/linuxrc -> bin/busybox
cd /mnt/cramfs/etc/init.d/
cat rcS
...
INSTALL_SH=`ls /tmp/sd/install.sh`
if [ "$INSTALL_SH" = "/tmp/sd/install.sh" ]; then
/tmp/sd/install.sh
fi
...
Note how the boot command includes "init=/linuxrc", which points to a standard busybox executable. This will by default invoke the "::sysinit:/etc/init.d/rcS" action.
I hope this information can help the Renesas community ...
The bootloader source code, including a README for the Renesas EM EV2 platform, is shared on a public GitHub repository too:
https://github.com/ffxx68/RenesasEV2-bootloader
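The rcS fragment quoted above runs /tmp/sd/install.sh whenever that file exists on the inserted card, with no check on what the script is, so whoever writes the SD card decides what runs as root during installation. The function below is an added example, not code from the Renesas BSP, the Livall package or the post above: it shows the shape of a pinned replacement for that `if` block, refusing symlinks and non-regular files and running the script only if its SHA-256 matches a value baked into the recovery image. The script path argument, the expected hash and the helper names are assumptions for the example; the "installer" used in the demonstration and test is constructed inline.

```sh
#!/bin/sh
# Added example: run an installer script from removable media only after
# verifying it against a hash pinned in the recovery image. Stands in for the
# unconditional "/tmp/sd/install.sh" call shown in the rcS fragment above.

# SHA-256 of a file with whichever tool the system has (sha256sum on
# coreutils/busybox, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_and_run_installer SCRIPT EXPECTED_SHA256
# Returns 0 if the script was verified and executed, 1 if it is absent
# (a plain boot, same as the original rcS), 2 if it is present but rejected.
verify_and_run_installer() {
    script=$1
    expected=$2

    [ -e "$script" ] || [ -L "$script" ] || return 1

    # Reject symlinks (which could point anywhere on the device) and anything
    # that is not a regular file.
    if [ -L "$script" ] || [ ! -f "$script" ]; then
        echo "installer rejected: $script is not a regular file" >&2
        return 2
    fi

    actual=$(sha256_of "$script")
    if [ "$actual" != "$expected" ]; then
        echo "installer rejected: hash mismatch for $script" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 2
    fi

    # Verified: run it via sh explicitly so the card's mount options
    # (noexec, file permissions) do not matter.
    sh "$script"
}

# Constructed demonstration: a tiny installer, then a tampered copy of it.
demo_install_check() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho "installing from %s"\n' "$dir" > "$dir/install.sh"
    good=$(sha256_of "$dir/install.sh")

    rc_good=0; verify_and_run_installer "$dir/install.sh" "$good" || rc_good=$?
    echo 'echo tampered' >> "$dir/install.sh"
    rc_bad=0; verify_and_run_installer "$dir/install.sh" "$good" 2>/dev/null || rc_bad=$?

    rm -rf "$dir"
    echo "verified run: $rc_good, tampered run: $rc_bad"
    [ "$rc_good" -eq 0 ] && [ "$rc_bad" -eq 2 ]
}

demo_install_check
```

In an rcS this would replace the `if [ "$INSTALL_SH" = ... ]` block with `verify_and_run_installer /tmp/sd/install.sh "$PINNED_SHA256"`, where the pinned hash is set at image build time; a signature check over the whole package is the stronger version of the same idea, but a pinned hash already stops an arbitrary card from choosing what the installer runs.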
Hey Folks,
My apologies if this should be in a different forum.
Read the "efffen-manual" when using the AAHK software. The unit went through about 7 minutes of scripts on option 1 (Hack Ace), then stopped in <waiting for device>. It's been like this for 20 minutes now. The screen is black, the unit appears to be off, and the Power button does nothing. Only the orange charging light is blinking. Oh, and one other thing: when it got to this point, the Windows system had a balloon popup about the Motorola (or did it say Qualcomm?) device not being recognized. Suggestions?
Here is the code thus far.
Ace Advanced Hack Kit [Linux/OSX/Windows] attn1 2011/2012
___________________________
MAIN MENU | |
| Only ONE Menu Step to: |
1 - Hack Ace <----------------------------+ * S-OFF |
| * SIM Unlock |
2 - DONATE (Encouraged, but optional) | * SuperCID |
http://psas.revskills.de/?q=goldcard | * Root |
http://www.eff.org/ | * Busybox |
| |
**********************************************************************
o - Options Menu (Return to Stock, Flash radios, etc)
**********************************************************************
t - Toggle Flash Method - current method is fastbootRUU
*********************************************************************
q - Quit
[Select and press Enter]1
/sdcard/PD98IMG.zip: No such file or directory
rm failed for /sdcard/PD98IMG.zip, No such file or directory
1867 KB/s (4359771 bytes in 2.279s)
pkg: /data/local/tmp/stericson.busybox-1.apk
Success
1878 KB/s (19240 bytes in 0.010s)
2596 KB/s (4564992 bytes in 1.717s)
2790 KB/s (3737600 bytes in 1.308s)
2644 KB/s (557962 bytes in 0.206s)
683 KB/s (9796 bytes in 0.014s)
2442 KB/s (572752 bytes in 0.229s)
2678 KB/s (134401 bytes in 0.049s)
909 KB/s (13968 bytes in 0.015s)
ro.build.version.release=2.3.3
Setting up for Gingerbread restore...
2554 KB/s (2801664 bytes in 1.071s)
2717 KB/s (2830336 bytes in 1.017s)
2407 KB/s (285981 bytes in 0.116s)
2685 KB/s (285981 bytes in 0.104s)
1 file(s) copied.
Linux version 2.6.35.10-gd2564fb ([email protected]) (gcc version 4.4.0 (GCC) )
#1 PREEMPT Thu Jun 9 14:33:05 CST 2011
Kernel version is Gingerbread... Using fre3vo to temproot...
fre3vo by #teamwin
Please wait...
Attempting to modify ro.secure property...
fb_fix_screeninfo:
id: msmfb
smem_start: 802160640
smem_len: 3145728
type: 0
type_aux: 0
visual: 2
xpanstep: 0
ypanstep: 1
line_length: 1920
mmio_start: 0
accel: 0
fb_var_screeninfo:
xres: 480
yres: 800
xres_virtual: 480
yres_virtual: 1600
xoffset: 0
yoffset: 0
bits_per_pixel: 32
activate: 16
height: 106
width: 62
rotate: 0
grayscale: 0
nonstd: 0
accel_flags: 0
pixclock: 0
left_margin: 0
right_margin: 0
upper_margin: 0
lower_margin: 0
hsync_len: 0
vsync_len: 0
sync: 0
vmode: 0
Buffer offset: 00000000
Buffer size: 8192
Scanning region faa90000...
Scanning region fab80000...
Scanning region fac70000...
Scanning region fad60000...
Scanning region fae50000...
Scanning region faf40000...
Scanning region fb030000...
Scanning region fb120000...
Scanning region fb210000...
Scanning region fb300000...
Scanning region fb3f0000...
Scanning region fb4e0000...
Scanning region fb5d0000...
Scanning region fb6c0000...
Scanning region fb7b0000...
Scanning region fb8a0000...
Scanning region fb990000...
Scanning region fba80000...
Scanning region fbb70000...
Potential exploit area found at address fbb80e00:200.
Exploiting device...
/dev/block/vold/179:65 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
tmpfs /mnt/sdcard/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0
HTC android goldcard tool Copyright (C) 2011, Wayne D. Hoxsie Jr.
Original code by B. Kerler. Special thanks to ATTN1 and the XDA team.
Donations can be made to the Electronic Frontier Foundation:
http://www.eff.org/
or to B. Kerler:
http://psas.revskills.de/
0+1 records in
0+1 records out
384 bytes transferred in 0.004 secs (96000 bytes/sec)
--set_version set. VERSION will be changed to: 1.31.405.6
Misc partition is "/dev/block/mmcblk0p17"
Patching and backing up misc partition...
Starting update process....
< waiting for device >
erasing 'cache'... OKAY [ 0.163s]
finished. total time: 0.164s
Be patient - sending update ...
sending 'zip' (18223 KB)... OKAY [ 3.071s]
writing 'zip'... INFOadopting the signature contained in this image...
INFOsignature checking...
INFOzip header checking...
INFOzip info parsing...
INFOchecking model ID...
INFOchecking custom ID...
INFOchecking main version...
INFOstart image[boot] unzipping & flushing...
INFO[RUU]UZ,boot,0
INFO[RUU]UZ,boot,31
INFO[RUU]UZ,boot,68
INFO[RUU]UZ,boot,99
INFO[RUU]UZ,boot,100
INFO[RUU]WP,boot,0
INFO[RUU]WP,boot,100
INFOstart image[recovery] unzipping & flushing...
INFO[RUU]UZ,recovery,0
INFO[RUU]UZ,recovery,20
INFO[RUU]UZ,recovery,44
INFO[RUU]UZ,recovery,66
INFO[RUU]UZ,recovery,89
INFO[RUU]UZ,recovery,100
INFO[RUU]WP,recovery,0
INFO[RUU]WP,recovery,100
INFOstart image[radio] unzipping & flushing...
INFO[RUU]UZ,radio,0
INFO[RUU]UZ,radio,8
INFO[RUU]UZ,radio,13
INFO[RUU]UZ,radio,20
INFO[RUU]UZ,radio,25
INFO[RUU]UZ,radio,33
INFO[RUU]UZ,radio,41
INFO[RUU]UZ,radio,49
INFO[RUU]UZ,radio,57
INFO[RUU]UZ,radio,62
INFO[RUU]UZ,radio,70
INFO[RUU]UZ,radio,79
INFO[RUU]UZ,radio,86
INFO[RUU]UZ,radio,94
INFO[RUU]UZ,radio,99
INFO[RUU]UZ,radio,100
INFO[RUU]WP,radio,0
INFO[RUU]WP,radio,6
INFO[RUU]WP,radio,14
INFO[RUU]WP,radio,19
INFO[RUU]WP,radio,27
INFO[RUU]WP,radio,36
INFO[RUU]WP,radio,44
INFO[RUU]WP,radio,51
INFO[RUU]WP,radio,59
INFO[RUU]WP,radio,68
INFO[RUU]WP,radio,76
INFO[RUU]WP,radio,85
INFO[RUU]WP,radio,95
INFO[RUU]WP,radio,100
OKAY [108.400s]
finished. total time: 111.472s
rebooting...
finished. total time: 0.172s
Radio downgrade complete - starting next process - please be patient...
Linux version 2.6.32.21-gf3f553d ([email protected]) (gcc version 4.4.0 (GCC) )
#1 PREEMPT Thu Oct 28 13:24:11 CST 2010
major abra-cadabra going on, please be patient.....
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21-gf3f553d
New .modinfo section size: 204
Attempting to power cycle eMMC... OK.
Searching for mmc_blk_issue_rq symbol...
- Address: c02a9e00, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02a9000
Kernel memory mapped to 0x40000000
Searching for brq filter...
- Address: 0xc02a9e00 + 0x34c
- 0x2a000012 -> 0xea000012
Patching and backing up partition 7...
Error opening copy file.
Error opening copy file.
^^^^^^^^^^^^
I- NORMAL ERROR HERE -I
patience - rebooting
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21
New .modinfo section size: 196
Attempting to power cycle eMMC... OK.
Searching for mmc_blk_issue_rq symbol...
- Address: c02db21c, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02db000
Kernel memory mapped to 0x40009000
Searching for brq filter...
- Address: 0xc02db21c + 0x34c
- 0x2a000012 -> 0xea000012
Patching and backing up partition 7...
patching secu_flag: 0
Done.
board_spade.disable_uart2=0 board_spade.usb_h2w_sw=0 board_spade.disable_sdcard=0 diag.enabled=0 board_spade.debug_uart=0 smisize=0 userdata_sel=0 androidboot.emmc=true androidboot.baseband=26.03.02.26_M androidboot.cid=CWS__001 androidboot.batt_poweron=good_battery androidboot.carrier=ATT androidboot.mid=PD9812000 enable_zcharge=1 androidboot.keycaps=qwerty androidboot.mode=recovery androidboot.serialno=HT14JT200132 androidboot.bootloader=0.85.0024 zygote_oneshot=off kmemleak=off no_console_suspend=1
push: tools/afr/system/app/Superuser.apk -> /system/app/Superuser.apk
push: tools/afr/system/bin/su -> /system/bin/su
2 files pushed. 0 files skipped.
2045 KB/s (609587 bytes in 0.291s)
dmagent mmcamera_test su
dmesg monkey surfaceflinger
ifconfig printenv wpa_supplicant
S-OFF, ROOT and Clockworkmod recovery complete
Be patient - installing updated radio and AAHK ENG Hboot...
Starting update process....
< waiting for device >
Greech said:
Hey Folks,
My apologies if this should be in a different forum.
Read the "efffen-manual" when using the AAHK software. The unit went through about 7 minutes of scripts on option 1 (Hack Ace), then stopped in <waiting for device>. It's been like this for 20 minutes now. The screen is black, the unit appears to be off, and the Power button does nothing. Only the orange charging light is blinking. Oh, and one other thing: when it got to this point, the Windows system had a balloon popup about the Motorola (or did it say Qualcomm?) device not being recognized. Suggestions?
Here is the code thus far.
Ace Advanced Hack Kit [Linux/OSX/Windows] attn1 2011/2012
___________________________
MAIN MENU | |
| Only ONE Menu Step to: |
1 - Hack Ace <----------------------------+ * S-OFF |
| * SIM Unlock |
2 - DONATE (Encouraged, but optional) | * SuperCID |
http://psas.revskills.de/?q=goldcard | * Root |
http://www.eff.org/ | * Busybox |
| |
**********************************************************************
o - Options Menu (Return to Stock, Flash radios, etc)
**********************************************************************
t - Toggle Flash Method - current method is fastbootRUU
*********************************************************************
q - Quit
[Select and press Enter]1
/sdcard/PD98IMG.zip: No such file or directory
rm failed for /sdcard/PD98IMG.zip, No such file or directory
1867 KB/s (4359771 bytes in 2.279s)
pkg: /data/local/tmp/stericson.busybox-1.apk
Success
1878 KB/s (19240 bytes in 0.010s)
2596 KB/s (4564992 bytes in 1.717s)
2790 KB/s (3737600 bytes in 1.308s)
2644 KB/s (557962 bytes in 0.206s)
683 KB/s (9796 bytes in 0.014s)
2442 KB/s (572752 bytes in 0.229s)
2678 KB/s (134401 bytes in 0.049s)
909 KB/s (13968 bytes in 0.015s)
ro.build.version.release=2.3.3
Setting up for Gingerbread restore...
2554 KB/s (2801664 bytes in 1.071s)
2717 KB/s (2830336 bytes in 1.017s)
2407 KB/s (285981 bytes in 0.116s)
2685 KB/s (285981 bytes in 0.104s)
1 file(s) copied.
Linux version 2.6.35.10-gd2564fb ([email protected]) (gcc version 4.4.0 (GCC) )
#1 PREEMPT Thu Jun 9 14:33:05 CST 2011
Kernel version is Gingerbread... Using fre3vo to temproot...
fre3vo by #teamwin
Please wait...
Attempting to modify ro.secure property...
fb_fix_screeninfo:
id: msmfb
smem_start: 802160640
smem_len: 3145728
type: 0
type_aux: 0
visual: 2
xpanstep: 0
ypanstep: 1
line_length: 1920
mmio_start: 0
accel: 0
fb_var_screeninfo:
xres: 480
yres: 800
xres_virtual: 480
yres_virtual: 1600
xoffset: 0
yoffset: 0
bits_per_pixel: 32
activate: 16
height: 106
width: 62
rotate: 0
grayscale: 0
nonstd: 0
accel_flags: 0
pixclock: 0
left_margin: 0
right_margin: 0
upper_margin: 0
lower_margin: 0
hsync_len: 0
vsync_len: 0
sync: 0
vmode: 0
Buffer offset: 00000000
Buffer size: 8192
Scanning region faa90000...
Scanning region fab80000...
Scanning region fac70000...
Scanning region fad60000...
Scanning region fae50000...
Scanning region faf40000...
Scanning region fb030000...
Scanning region fb120000...
Scanning region fb210000...
Scanning region fb300000...
Scanning region fb3f0000...
Scanning region fb4e0000...
Scanning region fb5d0000...
Scanning region fb6c0000...
Scanning region fb7b0000...
Scanning region fb8a0000...
Scanning region fb990000...
Scanning region fba80000...
Scanning region fbb70000...
Potential exploit area found at address fbb80e00:200.
Exploiting device...
/dev/block/vold/179:65 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
tmpfs /mnt/sdcard/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0
HTC android goldcard tool Copyright (C) 2011, Wayne D. Hoxsie Jr.
Original code by B. Kerler. Special thanks to ATTN1 and the XDA team.
Donations can be made to the Electronic Frontier Foundation:
http://www.eff.org/
or to B. Kerler:
http://psas.revskills.de/
0+1 records in
0+1 records out
384 bytes transferred in 0.004 secs (96000 bytes/sec)
--set_version set. VERSION will be changed to: 1.31.405.6
Misc partition is "/dev/block/mmcblk0p17"
Patching and backing up misc partition...
Starting update process....
< waiting for device >
erasing 'cache'... OKAY [ 0.163s]
finished. total time: 0.164s
Be patient - sending update ...
sending 'zip' (18223 KB)... OKAY [ 3.071s]
writing 'zip'... INFOadopting the signature contained in this image...
INFOsignature checking...
INFOzip header checking...
INFOzip info parsing...
INFOchecking model ID...
INFOchecking custom ID...
INFOchecking main version...
INFOstart image[boot] unzipping & flushing...
INFO[RUU]UZ,boot,0
INFO[RUU]UZ,boot,31
INFO[RUU]UZ,boot,68
INFO[RUU]UZ,boot,99
INFO[RUU]UZ,boot,100
INFO[RUU]WP,boot,0
INFO[RUU]WP,boot,100
INFOstart image[recovery] unzipping & flushing...
INFO[RUU]UZ,recovery,0
INFO[RUU]UZ,recovery,20
INFO[RUU]UZ,recovery,44
INFO[RUU]UZ,recovery,66
INFO[RUU]UZ,recovery,89
INFO[RUU]UZ,recovery,100
INFO[RUU]WP,recovery,0
INFO[RUU]WP,recovery,100
INFOstart image[radio] unzipping & flushing...
INFO[RUU]UZ,radio,0
INFO[RUU]UZ,radio,8
INFO[RUU]UZ,radio,13
INFO[RUU]UZ,radio,20
INFO[RUU]UZ,radio,25
INFO[RUU]UZ,radio,33
INFO[RUU]UZ,radio,41
INFO[RUU]UZ,radio,49
INFO[RUU]UZ,radio,57
INFO[RUU]UZ,radio,62
INFO[RUU]UZ,radio,70
INFO[RUU]UZ,radio,79
INFO[RUU]UZ,radio,86
INFO[RUU]UZ,radio,94
INFO[RUU]UZ,radio,99
INFO[RUU]UZ,radio,100
INFO[RUU]WP,radio,0
INFO[RUU]WP,radio,6
INFO[RUU]WP,radio,14
INFO[RUU]WP,radio,19
INFO[RUU]WP,radio,27
INFO[RUU]WP,radio,36
INFO[RUU]WP,radio,44
INFO[RUU]WP,radio,51
INFO[RUU]WP,radio,59
INFO[RUU]WP,radio,68
INFO[RUU]WP,radio,76
INFO[RUU]WP,radio,85
INFO[RUU]WP,radio,95
INFO[RUU]WP,radio,100
OKAY [108.400s]
finished. total time: 111.472s
rebooting...
finished. total time: 0.172s
Radio downgrade complete - starting next process - please be patient...
Linux version 2.6.32.21-gf3f553d ([email protected]) (gcc version 4.4.0 (GCC) ) #1 PREEMPT Thu Oct 28 13:24:11 CST 2010
major abra-cadabra going on, please be patient.....
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21-gf3f553d
New .modinfo section size: 204
Attempting to power cycle eMMC... OK.
Searching for mmc_blk_issue_rq symbol...
- Address: c02a9e00, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02a9000
Kernel memory mapped to 0x40000000
Searching for brq filter...
- Address: 0xc02a9e00 + 0x34c
- 0x2a000012 -> 0xea000012
Patching and backing up partition 7...
Error opening copy file.
Error opening copy file.
^^^^^^^^^^^^
I- NORMAL ERROR HERE -I
patience - rebooting
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21
New .modinfo section size: 196
Attempting to power cycle eMMC... OK.
Searching for mmc_blk_issue_rq symbol...
- Address: c02db21c, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02db000
Kernel memory mapped to 0x40009000
Searching for brq filter...
- Address: 0xc02db21c + 0x34c
- 0x2a000012 -> 0xea000012
Patching and backing up partition 7...
patching secu_flag: 0
Done.
board_spade.disable_uart2=0 board_spade.usb_h2w_sw=0 board_spade.disable_sdcard=0 diag.enabled=0 board_spade.debug_uart=0 smisize=0 userdata_sel=0 androidboot.emmc=true androidboot.baseband=26.03.02.26_M androidboot.cid=CWS__001 androidboot.batt_poweron=good_battery androidboot.carrier=ATT androidboot.mid=PD9812000 enable_zcharge=1 androidboot.keycaps=qwerty androidboot.mode=recovery androidboot.serialno=HT14JT200132 androidboot.bootloader=0.85.0024 zygote_oneshot=off kmemleak=off no_console_suspend=1
push: tools/afr/system/app/Superuser.apk -> /system/app/Superuser.apk
push: tools/afr/system/bin/su -> /system/bin/su
2 files pushed. 0 files skipped.
2045 KB/s (609587 bytes in 0.291s)
dmagent mmcamera_test su
dmesg monkey surfaceflinger
ifconfig printenv wpa_supplicant
S-OFF, ROOT and Clockworkmod recovery complete
Be patient - installing updated radio and AAHK ENG Hboot...
Starting update process....
< waiting for device >
Please come to the IRC channel in my signature. That is the Hack Kit support channel.
Bricked and it sucks.
I need help. My HTC Inspire was in the process of rooting with Ace Hack Kit and the power went out while installing radio100. It stayed on a black background with a rooted HTC logo, and that's all it does, with 4 logos in every corner.
Please help.
Hello,
I'm trying to port Ubuntu Touch for Photon Q. I'm posting in this section because the error I get is generic. My phone fails to boot. The display flickers several times, and last_kmsg contains the following message multiple times (the number is consistent with the number of flickers):
Code:
[ 13.802716,0] mdp4_calc_req_mdp_clk: src_h is zero!
[ 13.807477,0] mdp4_overlay_borderfill_stage_down: no base layer at mixer=1
Can someone please tell me what might be causing this error?
Thank you!
Some more information from the log:
Code:
E/Adreno200-GSL( 1138): <ioctl_kgsl_driver_entry:402>: open(/dev/kgsl-3d0) failed: errno 2. No such file or directory
But the device is there:
Code:
ls -l /dev/kgsl*
crw-rw-rw- 1 root root 241, 1 Nov 26 01:08 /dev/kgsl-2d0
crw-rw-rw- 1 root root 241, 2 Nov 26 01:08 /dev/kgsl-2d1
crw-rw-rw- 1 root root 241, 0 Nov 26 01:08 /dev/kgsl-3d0
Hi all,
I have tried to follow the instructions for fixing a bootloop here.
I am using Linux Mint 18.3 as my laptop OS.
I can push the bootit.ko file on to the device, but when I run insmod I get this error message:
Code:
error: protocol fault (no status)
I think it is because TWRP crashes before the command can complete and the device starts rebooting.
I can see the device is connected on doing
Code:
adb devices
List of devices attached
015d29955b3ffe11 recovery
and I can even see the contents of the / directory:
Code:
blimey~/work/android_roms/recovery_images $ adb shell ls -ltr /
__bionic_open_tzdata: couldn't find any tzdata when looking for localtime!
__bionic_open_tzdata: couldn't find any tzdata when looking for GMT!
__bionic_open_tzdata: couldn't find any tzdata when looking for posixrules!
-rw-r--r-- 1 root root 4603 Jan 1 1970 ueventd.rc
-rw-r--r-- 1 root root 2520 Jan 1 1970 ueventd.cardhu.rc
drwxr-xr-x 5 root root 0 Jan 1 1970 twres
drwxr-xr-x 3 root root 0 Jan 1 1970 system
-rw-r--r-- 1 root root 9438 Jan 1 1970 service_contexts
-rw-r--r-- 1 root root 120253 Jan 1 1970 sepolicy
-rw-r--r-- 1 root root 52 Jan 1 1970 selinux_version
-rw-r--r-- 1 root root 578 Jan 1 1970 seapp_contexts
drwxr-x--- 2 root root 0 Jan 1 1970 sbin
drwxr-xr-x 3 root root 0 Jan 1 1970 res
-rw-r--r-- 1 root root 2920 Jan 1 1970 property_contexts
drwxr-xr-x 3 root root 0 Jan 1 1970 license
-rwxr-x--- 1 root root 1327 Jan 1 1970 init.recovery.usb.rc
-rwxr-x--- 1 root root 2814 Jan 1 1970 init.rc
-rwxr-x--- 1 root root 305668 Jan 1 1970 init
-rw-r----- 1 root root 1839 Jan 1 1970 fstab.cardhu
-rw-r--r-- 1 root root 11473 Jan 1 1970 file_contexts
-rw-r--r-- 1 root root 3044 Jan 1 1970 default.prop
drwxr-xr-x 2 root root 0 Jan 1 1970 data
lrwxrwxrwx 1 root root 13 Jan 1 1970 charger -> /sbin/healthd
dr-xr-xr-x 103 root root 0 Jan 1 1970 proc
drwxrwxr-x 2 root shell 60 Jan 8 01:17 tmp
drwxr-xr-x 13 root root 0 Jan 8 01:17 sys
drwxr-xr-x 2 root root 0 Jan 8 01:17 sideload
drwxr-xr-x 2 root root 0 Jan 8 01:17 recovery
drwxr-xr-x 11 root root 3500 Jan 8 01:17 dev
drwxr-xr-x 2 root root 0 Jan 8 01:17 boot
drwxrwxrwx 2 root root 0 Jan 8 01:17 sdcard
drwxr-xr-x 2 root root 0 Jan 8 01:17 etc
drwx------ 2 root root 0 Jan 1 2016 root
drwxrwx--- 6 system cache 4096 May 21 2017 cache
If I try to ls the file contents after pushing the bootit.ko file to check it has definitely been copied, TWRP always crashes before the command can complete (I'm guessing) and it reboots again ad infinitum.
I really don't know what else to try, so any suggestions are very welcome. Thanks in advance.
Try adb shell insmod sdcard/bootit.ko
Wouldn't that entail pushing the bootit.ko to /sdcard?
I tried this:
Code:
[email protected] ~/work/android_roms/recovery_images $ adb push bootit.ko /sdcard/
672 KB/s (27690 bytes in 0.040s)
[email protected] ~/work/android_roms/recovery_images $ adb shell insmod /sdcard/bootit.ko
error: protocol fault (no status)
...but no joy; it seems like it exits TWRP before it can finish doing insmod. Also, I'm not convinced the bootit.ko file is being saved to disk after each push. Am I right?
So I made a shell script to execute the two commands one after the other, and I now got the screen with the 3 icons in the middle: RCK, Android, Wipe Data.
I ran the following commands from that screen:
Code:
[email protected]~/work/android_roms/recovery_images $ sudo fastboot devices
[sudo] password for blimey:
015d29955b3ffe11 fastboot
[email protected]~/work/android_roms/recovery_images $ sudo fastboot erase misc
erasing 'misc'...
OKAY [ 1.044s]
finished. total time: 1.044s
[email protected]~/work/android_roms/recovery_images $ sudo fastboot erase cache
******** Did you mean to fastboot format this partition?
erasing 'cache'...
OKAY [ 2.276s]
finished. total time: 2.276s
But after this when running fastboot devices I get no output:
Code:
[email protected]~/work/android_roms/recovery_images $ sudo fastboot devices
[email protected]~/work/android_roms/recovery_images $ sudo fastboot devices
[email protected]~/work/android_roms/recovery_images $ sudo fastboot devices
[email protected]~/work/android_roms/recovery_images $ sudo fastboot devices
I think the battery has died so I'll recharge and give it another go tomorrow.
Care to share the script?
berndblb said:
Care to share the script?
Sure - see attached file, just need .txt removed from the filename.
So I picked up where I left off and this what I got:
Code:
blimey~/work/android_roms/recovery_images $ sudo fastboot devices
015d29955b3ffe11 fastboot
blimey~/work/android_roms/recovery_images $ sudo fastboot erase system
******** Did you mean to fastboot format this partition?
erasing 'system'...
OKAY [ 2.813s]
finished. total time: 2.813s
blimey~/work/android_roms/recovery_images $ sudo fastboot erase recovery
erasing 'recovery'...
OKAY [ 1.970s]
finished. total time: 1.970s
blimey~/work/android_roms/recovery_images $ sudo fastboot -w
Creating filesystem with parameters:
Size: 61415620608
Block size: 4096
Blocks per group: 32768
Inodes per group: 8192
Inode size: 256
Journal blocks: 32768
Label:
Blocks: 14994048
Block groups: 458
Reserved block group size: 1024
Created filesystem with 11/3751936 inodes and 281560/14994048 blocks
Creating filesystem with parameters:
Size: 448790528
Block size: 4096
Blocks per group: 32768
Inodes per group: 6848
Inode size: 256
Journal blocks: 1712
Label:
Blocks: 109568
Block groups: 4
Reserved block group size: 31
Created filesystem with 11/27392 inodes and 3534/109568 blocks
erasing 'userdata'...
OKAY [ 88.674s]
sending 'userdata' (141163 KB)...
OKAY [ 24.116s]
writing 'userdata'...
OKAY [ 1.483s]
erasing 'cache'...
REBOOTED THE TABLET manually HERE as per the instructions
Code:
FAILED (command write failed (Protocol error))
finished. total time: 476.548s
[email protected] ~/work/android_roms/recovery_images $ sudo fastboot erase boot
erasing 'boot'...
OKAY [ 2.020s]
finished. total time: 2.020s
[email protected] ~/work/android_roms/recovery_images $ sudo fastboot erase misc
erasing 'misc'...
OKAY [ 1.007s]
finished. total time: 1.007s
[email protected] ~/work/android_roms/recovery_images $ sudo fastboot erase cache
******** Did you mean to fastboot format this partition?
erasing 'cache'...
OKAY [ 1.740s]
finished. total time: 1.740s
[email protected] ~/work/android_roms/recovery_images $ sudo fastboot -i 0x0B05 flash system ./AsusFirmware/TF700K_all_WW_USER_V5.0.4.17.raw
erasing 'system'...
OKAY [ 2.411s]
sending 'system' (755707 KB)...
OKAY [125.324s]
writing 'system'...
OKAY [ 2.987s]
finished. total time: 130.722s
NO BLUE BAR OBSERVED ON TABLET
TABLET CONTINUES SHOWING THE 3 ICONS: RCK, ANDROID and WIPE DATA
Code:
[email protected]~/work/android_roms/recovery_images $ sudo fastboot -i 0x0B05 reboot
rebooting...
Nothing happening, the tablet screen remains the same with the 3 icons.
Is the boot.blob file contained within TF700K_all_WW_USER_V5.0.4.17.raw?
I think this .raw file is the wrong file. I found a different file for my SKU on the Asus website which contains the contents in the attached screenshot. Is it blob or boot.img that I should use?
Yes, flash the blob and only the blob, no extension on the file name. That should do it.
So I tried that but I got this result:
Code:
[email protected] ~/work/android_roms/recovery_images $ sudo fastboot -i 0x0B05 flash system blob
erasing 'system'...
OKAY [ 2.313s]
sending 'system' (1781 KB)...
OKAY [ 1.121s]
writing 'system'...
FAILED (remote: (InvalidState))
finished. total time: 7.059s
The blue bar did appear this time, but in addition to the error there is some red text in the top left corner saying "Signature mismatch".
I've googled for a solution; some people suggested here https://forum.xda-developers.com/showthread.php?t=2417097 that the system image might be the wrong version for this bootloader version (I think).
So I downloaded the original version of the system image from http://drivers.softpedia.com/get/JOYSTICK-GAMEPAD-WHEELS-and-TABLETS/ASUS/ASUS-Transformer-Pad-Infinity-TF700T-Firmware-10611410-WW.shtml, which matched the version number displayed in the bootloader, and after flashing that blob, hey presto, it's working again!!!
Thanks a bloody million for your guidance and patience!!