Hi,
I don't know how-to detect if a device is 32B or 32A automatically.... Logically, if we do a free command during recovery install, we can AUTOMATICALLY check if it's a 32B/A, then, we create a gile on sdcard called 32B/A, or a prop, and when it flash kernel, or wifi module or sound things, we include this prop in the script
Can anyone create this script?
[EDIT]
Many Thanks to Firerat who mades the script, and a little to me, who has the idea!
So the script is here:
Code:
#!/sbin/sh
# Idea : Artifex14
# script : Firerat => THE BEST!
# 28.06.10
ram=`free|awk '/Mem/ { print $2 }'`
if [ "ram" -gt "97884" ];
then
model=32a
echo "32a"
else
model=32b
echo "This device is a 32b"
fi
if [ "model" = "32a" ];
then
ln -s /tmp/boot.img /tmp/boot32a.img
ln -s /dev/null /tmp/boot32b.img
else
ln -s /tmp/boot.img /tmp/boot32b.img
ln -s /dev/null /tmp/boot32a.img
fi
I thought about this too. It could be done at the time the rom is flashed, but up to now I only know how to make update-script, not updater-script or update-binary. You could pack all sorts of boot images, and then, say, a system-dream, system-sapphire, and system-magic folder and depending on the board version property, flash the appropriate versions of files, at least in theory that should work, plus it prevents you from having to flash extra files just for cross-device compatibility.
jubeh said:
I thought about this too. It could be done at the time the rom is flashed, but up to now I only know how to make update-script, not updater-script or update-binary. You could pack all sorts of boot images, and then, say, a system-dream, system-sapphire, and system-magic folder and depending on the board version property, flash the appropriate versions of files, at least in theory that should work, plus it prevents you from having to flash extra files just for cross-device compatibility.
Click to expand...
Click to collapse
Can you do the script? For the updaterscript, it's OK!
et a script to run
Code:
free|awk '/Mem/ { print $2 }'
and test that, e.g.
Code:
#!/sbin/sh
# KernelPrep.sh
ram=`free|awk '/Mem/ { print $2 }'`
if [ "ram" -gt "97884" ];
then
model=32a
else
model=32b
fi
if [ "model" = "32a" ];
then
ln -s /tmp/boot.img /tmp/boot32a.img
ln -s /dev/null /tmp/boot32b.img
else
ln -s /tmp/boot.img /tmp/boot32b.img
ln -s /dev/null /tmp/boot32a.img
fi
get your updater script to run that, then copy your kernels to /tmp/
Code:
package_extract_dir("kernels", "/tmp");
or
Code:
copy_dir PACKAGE:kernels TMP:
next you can
Code:
write_raw_image("/tmp/boot.img", "boot"),
or
Code:
write_raw_image TMP:boot.img BOOT:
edit:
ps, you don't really need the second if statement, but its easier to read like that
oops , nearly forgot about the kernel modules
Code:
mount /system
install -d /system/lib/modules
ln -s /system/lib/modules /tmp/modules32a
ln -s /dev/null /tmp/modules32b
Firerat said:
et a script to run
Code:
free|awk '/Mem/ { print $2 }'
and test that, e.g.
Code:
#!/sbin/sh
# KernelPrep.sh
ram=`free|awk '/Mem/ { print $2 }'`
if [ "ram" -gt "97884" ];
then
model=32a
else
model=32b
fi
if [ "model" = "32a" ];
then
ln -s /tmp/boot.img /tmp/boot32a.img
ln -s /dev/null /tmp/boot32b.img
else
ln -s /tmp/boot.img /tmp/boot32b.img
ln -s /dev/null /tmp/boot32a.img
fi
get your updater script to run that, then copy your kernels to /tmp/
Code:
package_extract_dir("kernels", "/tmp");
or
Code:
copy_dir PACKAGE:kernels TMP:
next you can
Code:
write_raw_image("/tmp/boot.img", "boot"),
or
Code:
write_raw_image TMP:boot.img BOOT:
edit:
ps, you don't really need the second if statement, but its easier to read like that
oops , nearly forgot about the kernel modules
Code:
mount /system
install -d /system/lib/modules
ln -s /system/lib/modules /tmp/modules32a
ln -s /dev/null /tmp/modules32b
Click to expand...
Click to collapse
I'll try that, THANK!
oops typo
if [ "ram" -gt "97884" ];
should be
if [ "$ram" -gt "97884" ];
Calling all developers with extensive knowledge of NVflash
I know NVflash commands but I have never tried to run NVflash on a device with an encrypted bootloader nor have I had to try to source all the necessary files so I have some questions.
1. Would the following command be correct? Because even this simple sync command is exiting with a failure.
nvflash --bl bootloader.bin --sbk [boot key here] --sync
2. Is the bootloader.bin file universal or is it device specific? Where do I find one, can I edit one to work, etc?
I am working with the Acer Iconia A200 which is relatively new so no one has cracked NVflash on it yet so any help at all would be greatly appreciated.
Thanks!
I don't have extensive knowledge, but I did watch a youtube video once. Nvflash is used on several devices, so check out the acer/zoom/transformer forums. I think it also has some roots in graphics cards, so some of the tweaker forums might have some useful insight about syntax.
Code:
Nvflash started
nvflash action [options]
action (one or more) =
--help (or -h)
displays this page
--cmdhelp cmd(or -ch)
displays command help
--resume (or -r)
send the following commands to an already-running bootloader
--quiet (or -q)
surpress excessive console output
--wait (or -w)
waits for a device connection (currently a USB cable)
--create
full initialization of the target device using the config file
--download N filename
download partition filename to N
--setboot N
sets the boot partition to partition N
--format_partition N
formats contents of partition N
--read N filename
reads back partition N into filename
--getpartitiontable filename
reads back the partition table into filename
--getbit filename
reads back BIT into filename
--getbct
reads back the BCT from mass storage
--odm C Data
ODM custom 32bit command 'C' with associated 32bit data
--go
continues normal execution of the downloaded bootloader
options =
--configfile filename
indicates the configuration file used with the following commands:
--create, --format_all
--bct filename
indicates the file containing the BCT
--sbk 0x00000000 00000000 00000000 00000000
indicates the secure boot key for the target device
--bl filename
downloads and runs the bootloader specified by filename
--odmdata N
sets 32bit customer data into a field in the BCT, either hex or
decimal
--diskimgopt N
sets 32bit data required for disk image convertion tool
--format_all
formats all existing partitions on the target device using the config file,
including partitions and the bct
--setbootdevtype S
sets the boot device type fuse value for the device name.
allowed device name string mentioned below:
emmc, nand_x8, nand_x16, nor, spi
--setbootdevconfig N
sets the boot device config fuse value either hex or decimal
--verifypart N
verifies data for partition id = N specified. N=-1
indicates all partitions
Intended to be used with --create command only.
--setbct
updates the chip specific settings of the BCT in mass storage to
the bct supplied,used with --create, should not be with --read,and
--format(delete)_all,format(delete)_partition,--download, and--read
--sync
issues force sync commad
--rawdeviceread S N filename
reads back N sectors starting from sector S into filename
--rawdevicewrite S N filename
writes back N sectors from filename to device starting from sector S
Here's what I use
nvflash --bct transformer.bct --setbct --configfile flash.cfg --bl bootloader.bin --odmdata [device specific odm data] --sbk [mysterious sbk] --sync
All the files are device specific and the flash.cfg is where all the partitions and sizes are specified. Nvidia used to have a developers website that had a generic HC and GB rom. I flashed it, but was configured for different screen sizes/trackpad, etc.
If you are going to format the device, then you will use the --create flag and I think you need the flash.cfg file.
Thanks! I am primarily after --read and --getpartitiontable so that I can create a stock backup so those that brick have a recovery option. Sounds like the most important part now for me is getting the correct files together. I have the SBK though unconfirmed.
I personally have never used --odmdata, do you have any insite into that command?
My previous device, the Dell Streak 7, had a fully unlocked NVflash so there was no SBK or anything like that to worry about. I miss those times
I thought the omdata were device specific things like memory configuration? Not sure how important it is for reading partitions.
The other thing with nvflash is once you start it, you can send more commands with the resume command:
Nvflash sbk bootloader etc
Nvflash -r --read 6 blah blah
Nvflash -r -- read 7 blah blah
...
Nvflash -r --go
Or something like that...
sent while running with scissors
I don't really know because at least on the Dell Streak 7 it was a command I never used and I never saw used by others either. Hopefully someone has incite somewhere on how to get the files I need.
If you have root you should be able to read the BCT and bootloader from the device with dd and then decrypt them.
I have root and an unlocked bootloader. Please explain. DD? I have Windows 7 and Linux at my disposal.
Thanks!
Wetzel402 said:
I have root and an unlocked bootloader. Please explain. DD? I have Windows 7 and Linux at my disposal.
Thanks!
Click to expand...
Click to collapse
Yes, dd.
Copy some raw data from the block device on the device, something like
Code:
# /system/bin/dd if=/dev/block/mmcblk0 bs=512 count=13312 of=/sdcard/data.raw
Then transfer the dump to the computer and extract the BCT and boot loader.
I started writing a description but it quickly started to get long and it is late...
So you get a small ugly script that shows the steps instead.
This requires openssl, dd and hexdump.
Code:
#!/bin/bash
#This script extracts the BCT and bootloader out of a dd dump of the block device on a tegra 2 device
#The first 6.5M should be enough, something like:
#/system/bin/dd if=/dev/block/mmcblk0 bs=512 count=13312 of=/sdcard/data.raw
#SBK written together
#e.g. 0xDEADBEEF 0xBAADF00D 0xCAFEFEED 0xBADDCAFE => "DEADBEEFBAADF00DCAFEFEEDBADDCAFE"
SBK="DEADBEEFBAADF00DCAFEFEEDBADDCAFE"
#Input file
raw_file="data.raw"
#Output files
bct_file="out.bct"
bl_file="bootloader.bin"
echo "Extrating the BCT data"
dd if=$raw_file of=bct_encrypted.bin bs=16 count=254 skip=1 2> /dev/null
echo "Decrypting the BCT data"
openssl aes-128-cbc -K $SBK -iv 0 -d -in bct_encrypted.bin -out bct_decrypt.tmp -nopad
dd if=bct_decrypt.tmp of=out.bct bs=16 count=254 seek=1 2> /dev/null
rm bct_decrypt.tmp
rm bct_encrypted.bin
#Read some general information
bct_version="$(hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' $bct_file)"
block_size=$((2 ** $(hexdump -n 4 -s 0x24 -e '1/4 "%u"' $bct_file)))
page_size=$((2 ** $(hexdump -n 4 -s 0x28 -e '1/4 "%u"' $bct_file)))
odm_data=$(hexdump -n 4 -s 0xFE4 -e '1/4 "0x%08x\n"' $bct_file)
#Boot loader 1
bl_start_block=$(hexdump -n 4 -s 0xA98 -e '1/4 "%u\n"' $bct_file)
bl_length=$(hexdump -n 4 -s 0xAA0 -e '1/4 "%u\n"' $bct_file)
if [ "$bct_version" != "0x20001" ]; then
echo "ERROR: Unexpected BCT version: $bct_version"
exit 1
fi
echo "Block size: $block_size"
echo "Page size: $page_size"
echo "Boot loader 1 start block: $bl_start_block"
echo "Boot loader 1 length $bl_length"
echo "ODM Data: $odm_data"
echo "Extracting the booot loader"
bl_start_byte=$(( $(($bl_start_block - 64)) * $block_size ))
bl_padded_length=$(( $bl_length + $((16 - $(($bl_length % 16)) ))))
echo "Extracting $bl_padded_length starting at offset $bl_start_byte"
dd bs=1 if=$raw_file of="bootloader.enc" skip=$bl_start_byte count=$bl_padded_length 2> /dev/null
echo "Decrypting boot loader"
openssl aes-128-cbc -K $SBK -iv 0 -d -in bootloader.enc -out bootloader.tmp -nopad
dd if=bootloader.tmp of=$bl_file bs=$bl_length count=1 2> /dev/null
I may have gotten the block to byte convertion wrong, it is correct for the offsets on the device I have, but we will see.
Currently way over my head considering I just finally figured out mount commands
I will start doing some research on the topic to learn more and before you know it I should have the files I need
I did get the bct file but the bootloader.bin file is not working. With this line:
openssl aes-128-cbc -K $SBK -iv 0 -d -in bootloader.enc -out bootloader.tmp -nopad
I keep getting an error "option 0 doesn't exist". Any ideas? Also when you have some time could you please explain what exactly all of this is doing? I understand very little of this syntax because I am quite noobish with Linux.
Thanks!
Wetzel402 said:
I did get the bct file but the bootloader.bin file is not working. With this line:
openssl aes-128-cbc -K $SBK -iv 0 -d -in bootloader.enc -out bootloader.tmp -nopad
I keep getting an error "option 0 doesn't exist". Any ideas?
Click to expand...
Click to collapse
That looks like you don't have SBK set (so it is trying to use "-iv" as key, and then don't know what to do with the leftover 0).
The steps must be performed in order and in the same shell as some of them are depending on variables set by previous steps.
Wetzel402 said:
Also when you have some time could you please explain what exactly all of this is doing? I understand very little of this syntax because I am quite noobish with Linux.
Click to expand...
Click to collapse
Sure, it is mostly just about reading some values at known offsets.
Code:
dd if=$raw_file of=bct_encrypted.bin bs=16 count=254 skip=1
Will read 254 blocks of 16 bytes, skiping one block from $raw_file into bct_encrypted.bin. So we are reading bytes 16-4080 into bct_encrypted.bin.
We are skipping the first 16 bytes since this is a checksum (CMAC) and not part of the encrypted data, so bringing that along would mess up the decryption of the next 16 byte due to the cipher block chaining.
Code:
openssl aes-128-cbc -K $SBK -iv 0 -d -in bct_encrypted.bin -out bct_decrypt.tmp -nopad
Decrypt the content of bct_encrypted.bin using the SBK and store the decryped data in bct_decrypt.tmp.
Code:
dd if=bct_decrypt.tmp of=out.bct bs=16 count=254 seek=1
We skipped the first 16 bytes previously, so the decrypted data is a bit incorretly offset.
So this takes bct_decrypt.tmp and writes it to out.bct offset 16 bytes so that we get a 4080 bytes file again.
Code:
bct_version="$(hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' $bct_file)"
Reads the version field of the BCT, this is a 32bit integer at offset 0x20.
I would expect the version to be 0x20001.
Code:
block_size=$((2 ** $(hexdump -n 4 -s 0x24 -e '1/4 "%u"' $bct_file)))
Reads the block size field in the BCT, also a 32bit integer, at offset 0x24.
The block and page size is stored in log2, so then we need to raise 2 to the value we found to get the actual block/page size.
For example, if we found the value 14 the block size is 2**14 = 16384.
Code:
#Boot loader 1
bl_start_block=$(hexdump -n 4 -s 0xA98 -e '1/4 "%u\n"' $bct_file)
bl_length=$(hexdump -n 4 -s 0xAA0 -e '1/4 "%u\n"' $bct_file)
Read start block and size of the first boot loader (the BCT file have space for four boot loaders)
Code:
bl_start_byte=$(( $(($bl_start_block - 64)) * $block_size ))
We have the start position of the boot loader in blocks, but we need it in bytes.
So multiply the block number with the block size. Unfortunatly this is not quite right, so we need to offset it a bit.
Code:
bl_padded_length=$(( $bl_length + $((16 - $(($bl_length % 16)) ))))
The encryption used, AES 128, works on blocks of 16 bytes, but there is no guarantee that the length of the boot loader is a multiple of 16 so we need to pad it to make sure it is.
Code:
dd bs=1 if=$raw_file of="bootloader.enc" skip=$bl_start_byte count=$bl_padded_length
Cut the encrypted boot loader out of the $raw_file.
Code:
openssl aes-128-cbc -K $SBK -iv 0 -d -in bootloader.enc -out bootloader.tmp -nopad
Decrypt it
Code:
dd if=bootloader.tmp of=$bl_file bs=$bl_length count=1
And take only the actual length of the decrypted data, discarding the extra padding data we took just to make it an even number of 16 byte blocks.
Very impressive
Prior to this I have messed mostly with kitchens, cd, and mount so this is definitely a learning experience for me. After you described these commands I am convinced I could use most of these minus the fact I would have no clues what values to use in them
Thanks! I will have to try rerunning everything and see if I can get the bootloader.bin to come out.
Here is my terminal output after copying and pasting in your script.
Code:
[email protected]:~# cd /root/Desktop
[email protected]:~/Desktop# SBK="B8A4C201EB6FF106EB00150430772103"
[email protected]:~/Desktop#
[email protected]:~/Desktop# #Input file
[email protected]:~/Desktop# raw_file="data.raw"
[email protected]:~/Desktop#
[email protected]:~/Desktop# #Output files
[email protected]:~/Desktop# bct_file="out.bct"
[email protected]:~/Desktop# bl_file="bootloader.bin"
[email protected]:~/Desktop#
[email protected]:~/Desktop# echo "Extrating the BCT data"
Extrating the BCT data
[email protected]:~/Desktop# dd if=$raw_file of=bct_encrypted.bin bs=16 count=254 skip=1 2> /dev/null
[email protected]:~/Desktop#
[email protected]:~/Desktop# echo "Decrypting the BCT data"
Decrypting the BCT data
[email protected]:~/Desktop# openssl aes-128-cbc -K $SBK -iv 0 -d -in bct_encrypted.bin -out bct_decrypt.tmp -nopad
[email protected]:~/Desktop# dd if=bct_decrypt.tmp of=out.bct bs=16 count=254 seek=1 2> /dev/null
[email protected]:~/Desktop# rm bct_decrypt.tmp
[email protected]:~/Desktop# rm bct_encrypted.bin
[email protected]:~/Desktop#
[email protected]:~/Desktop#
[email protected]:~/Desktop# #Read some general information
[email protected]:~/Desktop# bct_version="$(hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' $bct_file)"
[email protected]:~/Desktop# block_size=$((2 ** $(hexdump -n 4 -s 0x24 -e '1/4 "%u"' $bct_file)))
[email protected]:~/Desktop# page_size=$((2 ** $(hexdump -n 4 -s 0x28 -e '1/4 "%u"' $bct_file)))
I don't understand the page size line enough to know what is going wrong or to change things but after that line displays the terminal exists without errors.
Any ideas?
Wetzel402 said:
I don't understand the page size line enough to know what is going wrong or to change things but after that line displays the terminal exists without errors.
Any ideas?
Click to expand...
Click to collapse
You are probably hitting the exit in BCT version check, since you are running it directly in the shell that would make the terminal dissapear.
What does out.bct look like?
What does
Code:
hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' out.bct
give?
That was the problem.
Code:
[email protected]:~# cd /root/Desktop
[email protected]:~/Desktop# hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' out.bct
0xf16cb00b
So I modified the following line:
Code:
[email protected]:~/Desktop# if [ "$bct_version" != "0xf16cb00b" ]; then
Everything ran and out came the bootloader.bin. This should be the correct file then? Also the other two files (bootloader.enc&.tmp) were stepping stones to the final product (bootloader.bin) and are not needed correct?
When I get home from work if I have time I will try the following and see if life is good
Code:
nvflash --bl bootloader.bin --getbct --bct out.bct --sbk 0xB8A4C201 0xEB6FF106 0xEB001504 0x30772103 --go
nvflash -r --getpartitiontable partition.txt
Wetzel402 said:
That was the problem.
Code:
[email protected]:~# cd /root/Desktop
[email protected]:~/Desktop# hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' out.bct
0xf16cb00b
So I modified the following line:
Code:
[email protected]:~/Desktop# if [ "$bct_version" != "0xf16cb00b" ]; then
Everything ran and out came the bootloader.bin. This should be the correct file then?
Click to expand...
Click to collapse
I would not expect a different version, I think it is more likely the decryption failed.
Could you make the data.raw file available to me?
Here it is.
Wetzel402 said:
Here it is.
Click to expand...
Click to collapse
The data looks ok, but it can not be decrypted using that key so you must have the wrong SBK.
Assuming it follows the same format as the Iconia A500 that SBK would belong to a device with UID 042800484400D057, is this the UID of your device?
Yes that is correct. So you think Acer is using a different encryption method?
I tried the NVflash commands anyway and it doesn't run. Exits with the standard failure.
Wetzel402 said:
Yes that is correct. So you think Acer is using a different encryption method?
Click to expand...
Click to collapse
Depending on what you mean, maybe and no. They are maybe allocating the SBK differently, but the encryption in still AES128.
Wetzel402 said:
I tried the NVflash commands anyway and it doesn't run. Exits with the standard failure.
Click to expand...
Click to collapse
Nvflash uses the key you give it to encrypt the command before sending it to the device, then the decrypts the command using the builtin key. If those two does not match the result will not be a recognizable command.
Depending on how you got the UID it may be worth trying a different way, some devices does not report the UID as their USB serial number.
Save this as apxuid.c and compile this using gcc -Wall -pedantic -o apxuid apxuid.c -lusb-1.0. Then run ./apxuid directly after starting the device is in apx-mode and see if you get the same UID.
Code:
#include <libusb-1.0/libusb.h>
#include <stdio.h>
#include <stdint.h>
int main(void)
{
unsigned char data[64];
int received_length;
int r = 1;
libusb_context* ctx = NULL;
libusb_device_handle* dev_handle = NULL;
libusb_init(&ctx);
dev_handle = libusb_open_device_with_vid_pid(ctx, 0x0955, 0x7820);
if(dev_handle)
{
r = libusb_bulk_transfer(dev_handle, 0x81, data, sizeof(data), &received_length, 10000);
if (r == 0)
{
if(received_length == 8)
{
printf("uid: %#016lx\n", *(uint64_t*)data);
}
else
{
r = 1;
printf("Error: We got %d bytes of data insetad of the 8 bytes we expected...\n", received_length);
}
}
else
{
printf("Error: USB read failed!\n");
}
libusb_release_interface(dev_handle, 0);
}
else
{
printf("Error: Failed to open device!\n");
}
libusb_exit(ctx);
return r;
}
Note:
This is not bootanimation, this is the splash screen (the 'Lenovo' boot logo which is displayed when device is switched ON)
This is for Lenovo Tab10.1 TB-X103F Only..
(For other devices, please send me your splash.img so that I can create a tool for you too.)
Requirements:
1. Rooted Lenovo Tab10.1 TB-X103F (any ROM)
2. Optional: Terminal Emulator app or Custom Recovery or atleast working fastboot in computer
3. You're proceeding at your own risk.
STEPS to create splash.img:
Before proceeding, make sure fastboot is setup properly in your computer (just incase something goes wrong)..
1. Download & Extract this in computer: Lenovo_Tab_10_X103F_Splash_Maker.zip
2. Make sure you have a 1280x800 resolution picture. (landscape)
3. Now rename your picture as logo.png or logo.jpg (according to its format) & replace it inside "pics" folder of the extracted folder.
4. Finally, run the 'Create_Logo.bat' to create splash.img , which you can find inside the "output" folder.
STEPS to flash splash.img:
Optional: To backup your original splash.img:
Code:
dd if=/dev/block/bootdevice/by-name/splash of=/sdcard/splash.img
(Not necessary though.. You may get it from the stock firmware itself.)
Now, Choose any one easy method:
a. To flash from recovery:
Transfer the flashable_splash.zip to your device and flash from TWRP or CWM or Philz or any other custom recovery.
b. To flash from Terminal Emulator:
Transfer the splash.img to your device's Internal Storage, Open Terminal Emulator & enter the following to flash it:
Code:
su
dd if=/sdcard/splash.img of=/dev/block/bootdevice/by-name/splash
c. To flash from Fastboot mode:
Code:
fastboot flash splash splash.img
Note:
Incase something goes wrong or device doesn't bootup, flash the stock splash.img from custom recovery or fastboot.
Credits:
1. @racereed who provided the stock splash.img of Lenovo 10.1 tablet TB-X103F
2. @bornagainpenguin and all others who have contributed for the device which has made this possible.
Hit the Thanks :good: button if it worked for you
You're welcome to post the splash images that you created..
Thanks a lot @GokulNC for the original windows guide
Linux guide
You want to install SimpleSSHD and do all steps except the first and last on a local machine.
# Backup the current splash image and use it for reference
dd if=/dev/block/bootdevice/by-name/splash of=splash-bak.img
# Convert the logo raw image to png
ffmpeg -hide_banner -f rawvideo -vcodec rawvideo -pix_fmt bgr24 -s 800x1280 -i splash-bak.img -vframes 1 -y logo.png
# Convert the battery raw image to png
ffmpeg -hide_banner -f rawvideo -vcodec rawvideo -pix_fmt bgr24 -skip_initial_bytes 3072000 -s 800x1280 -i splash-bak.img -vframes 1 -y battery.png
# Make your own images in Krita/Gimp
# Convert them to raw and join them to a splash image
ffmpeg -hide_banner -i logo.png -f rawvideo -vcodec rawvideo -pix_fmt bgr24 -s 800x1280 -y splash1.raw
ffmpeg -hide_banner -i battery.png -f rawvideo -vcodec rawvideo -pix_fmt bgr24 -s 800x1280 -y splash2.raw
cat splash1.raw splash2.raw > splash-new.img
# Apply the new splash image
dd if=splash-new.img of=/dev/block/bootdevice/by-name/splash