How to decode WhatsApp crypt8 db-files.. - Android Apps and Games

get the key from "data/data/com.whatsapp/files/key" once and latest db-backup from "sdcard/Whatsapp/Databases/msgstore.db.crypt8", then execute in bash:
hexdump -e '2/1 "%02x"' key | cut -b 253-316 > tmp/aes.txt
hexdump -e '2/1 "%02x"' key | cut -b 221-252 > tmp/iv.txt
dd if=msgstore.db.crypt8 of=tmp/msgstore.db.crypt8.nohdr ibs=67 skip=1 &> /dev/null
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in tmp/msgstore.db.crypt8.nohdr -K $(cat tmp/aes.txt) -iv $(cat tmp/iv.txt) > tmp/msgstore.gz
gzip -cdq tmp/msgstore.gz >msgstore.db
source: http://party3d.com/2014/12/16/nachste-whatsapp-version-bereits-geknackt/
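The same steps in Python, as an added example that is not part of the original post: it shows which bytes of the key file the two `cut -b` ranges select, and inflates the decrypted data so that a gzip stream with a missing trailer or trailing padding bytes (the "unexpected end of file" case reported further down this thread) still yields the database. The function names are this example's own, and the AES step assumes an `openssl` binary on the PATH.

```python
import subprocess
import sys
import zlib

HEADER_LEN = 67               # bytes skipped by `dd ibs=67 skip=1`
IV_SLICE = slice(110, 126)    # hex characters 221-252 of the key dump
KEY_SLICE = slice(126, 158)   # hex characters 253-316 of the key dump
SQLITE_MAGIC = b"SQLite format 3\x00"


def cut_range_to_bytes(first_char, last_char):
    """Map a 1-based inclusive `cut -b` range over a hex dump to a byte slice."""
    if first_char % 2 != 1 or last_char % 2 != 0:
        raise ValueError("range does not fall on whole bytes")
    return slice((first_char - 1) // 2, last_char // 2)


def key_material(key_file):
    """Return (aes_key, iv) taken from the offsets the post uses."""
    if len(key_file) < KEY_SLICE.stop:
        raise ValueError("key file shorter than %d bytes" % KEY_SLICE.stop)
    return key_file[KEY_SLICE], key_file[IV_SLICE]


def strip_header(crypt8):
    """Drop the 67-byte header and any partial trailing AES block."""
    body = crypt8[HEADER_LEN:]
    return body[: len(body) - len(body) % 16]


def decrypt_body(body, key, iv, openssl="openssl"):
    """AES-256-CBC decrypt with the flags from the post; -nopad keeps padding bytes."""
    cmd = [openssl, "enc", "-aes-256-cbc", "-d", "-nosalt", "-nopad",
           "-K", key.hex(), "-iv", iv.hex()]
    done = subprocess.run(cmd, input=body, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, check=True)
    return done.stdout


def gunzip_tolerant(blob):
    """Inflate a gzip stream; return (data, stream_complete, trailing_bytes).

    Raises zlib.error when the input is not gzip at all, which is what a
    wrong key or IV produces.
    """
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
    data = inflater.decompress(blob)
    return data, inflater.eof, len(inflater.unused_data)


def decode_crypt8(key_file, crypt8):
    """Full pipeline; the last element says whether the SQLite magic is present."""
    key, iv = key_material(key_file)
    plain = decrypt_body(strip_header(crypt8), key, iv)
    data, complete, trailing = gunzip_tolerant(plain)
    return data, complete, trailing, data.startswith(SQLITE_MAGIC)


if __name__ == "__main__":
    # usage: python decode_crypt8.py key msgstore.db.crypt8 msgstore.db
    with open(sys.argv[1], "rb") as fh:
        key_bytes = fh.read()
    with open(sys.argv[2], "rb") as fh:
        backup = fh.read()
    db, complete, trailing, is_sqlite = decode_crypt8(key_bytes, backup)
    with open(sys.argv[3], "wb") as fh:
        fh.write(db)
    print("gzip complete:", complete, "trailing bytes:", trailing,
          "SQLite header:", is_sqlite)
```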

cyb3r said:
get the key from "data/data/com.whatsapp/files/key" once and latest db-backup from "sdcard/Whatsapp/Databases/msgstore.db.crypt8", then execute in bash:
hexdump -e '2/1 "%02x"' key | cut -b 253-316 > tmp/aes.txt
hexdump -e '2/1 "%02x"' key | cut -b 221-252 > tmp/iv.txt
dd if=msgstore.db.crypt8 of=tmp/msgstore.db.crypt8.nohdr ibs=67 skip=1 &> /dev/null
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in tmp/msgstore.db.crypt8.nohdr -K $(cat tmp/aes.txt) -iv $(cat tmp/iv.txt) > tmp/msgstore.gz
gzip -cdq tmp/msgstore.gz >msgstore.db
source: http://party3d.com/2014/12/16/nachste-whatsapp-version-bereits-geknackt/
I don't know if I am doing it right. This is what I did:
1. Created a tmp folder in /sdcard
2. Opened adb shell and tried to execute the above
3. Executed the first three commands
On the 4th command, I got an error sh: openssl: not found
When I checked the tmp directory I made, I was able to see the aes.txt (65.00B), iv.txt (33.00B), msgstore.db.crypt8.nohdr (485KB) and msgstore.gz (0.00B)
Screenshots attached.
Appreciate some clarity on the topic. Thank you.

use this guide http://forum.xda-developers.com/showthread.php?t=2362386 in order to install OpenSSL on your android device and thus have openssl command on the shell.

albenex said:
use this guide http://forum.xda-developers.com/showthread.php?t=2362386 in order to install OpenSSL on your android device and thus have openssl command on the shell.
Thanks but I am new to all this. Two more questions:
1. Can this be installed in adb so that I can run it from the PC command line?
2. Is there an app where I can run the ssl commands?

albenex said:
use this guide http://forum.xda-developers.com/showthread.php?t=2362386 in order to install OpenSSL on your android device and thus have openssl command on the shell.
Somehow I copied the data/local/ssl to /data/local/ssl on the device.
But not data/local/bin to /system/bin. It says operation failed and in adb shell also it is unable to copy with the CAT command.
Please advise.

mac_see said:
Somehow I copied the data/local/ssl to /data/local/ssl on the device.
But not data/local/bin to /system/bin. it says operation failed and in adb shell also it is unable to copy with the CAT command.
Please advise.
I've successfully made these steps on my rooted 4.4 SlimKat ROM Nexus 5 using ES File Explorer with root (SuperSU) permissions. Check your root and/or your file manager.

albenex said:
I've successfully made these steps on my rooted 4.4 SlimKat ROM Nexus 5 using ES File Explorer with root (SuperSU) permissions. Check your root and/or your file manager.
Which steps are you referring to? Copying data/local/bin to /system/bin or the initial steps in post 1 of cyb3r?
---------- Post added at 06:38 AM ---------- Previous post was at 06:35 AM ----------
mali_ said:
Your database will most probably be corrupt for the new crypt 8 format. It's not working even if you get the resultant db file after executing the above commands. Sqlite doesn't open the database after decryption.
No. That should not be the reason. I got the resultant db file but with zero bytes. I got msgstore.db.crypt8.nohdr (485KB) and msgstore.gz (0.00B). Please refer to the attachment I posted before. For some reason, I am not able to execute the openssl command and for this, I installed the tool suggested by albenex and for that too I am having issues copying data/local/bin to /system/bin. The ssl folder got copied but not the bin.

mali_ said:
The initial steps in post1 of cyb3r. If you know how to do it, please tell me. The resultant database doesn't open in sqlite. You can check it for yourself.
I am confused now and not getting you.
I did the first three steps and when I executed the last step, I got an error sh: openssl: not found on the statement below
Code:
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in tmp/msgstore.db.crypt8.nohdr -K $(cat tmp/aes.txt) -iv $(cat tmp/iv.txt) > tmp/msgstore.gz
Don't know how to get this done.

Doesn't work for me, after all the process the gz file is wrong:
Code:
[email protected]:~# gzip -cdq msgstore.gz >msgstore.db
gzip: msgstore.gz: unexpected end of file
Note: I'm working on one PC, uploaded the crypt8 file to a folder and am NOT working with /tmp/, so my paths are correct.
Regards

doubt
I am a layman on the subject. Where should I put the key and msgstore.db using Cygwin64 on Windows? When I try to use the commands, I get the following message: hexdump : key : No such file or directory. If you can help this noob, I would be eternally grateful.

doubt
Hi, Mali. Thank you for the answer. I put it in the bin folder and it keeps giving an error. Is it coz I'm using Windows on the Mac, through Boot Camp? If so, do you know another way to do this? By Mac maybe.
Thank you very much once again.

doubt
mali_ said:
Open command prompt and navigate to the bin folder and execute those commands. Don't do it through cygwin terminal. Do it through command prompt. Make sure openssl is inside the bin folder. Good luck.
I just tried the Windows prompt and it keeps giving an error. The openssl is inside the folder, but I cannot get past the first line.
When you say to navigate to the folder, would it be using the command "cd C: \ cygwin64 \ bin " and then the commands mentioned in the topic? I did that and it did not work.
Excuse my ignorance and thanks for the help.

doubt
mali_ said:
Yes,
cd C:\cygwin64\bin
without spaces.
What command are you running after this and what error are you getting?
I'm using this: hexdump -e '2/1 "%02x"' key | cut -b 253-316 > tmp/aes.txt
See the images using the 2 programs.

doubt
mali_ said:
That's why you're getting the error. Do this one by one, copy and paste.
hexdump -e '2/1 "%02x"' key | cut -b 253-316 > aes.txt
hexdump -e '2/1 "%02x"' key | cut -b 221-252 > iv.txt
dd if=msgstore.db.crypt8 of=msgstore.db.crypt8.nohdr ibs=67 skip=1
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K aes.txt -iv iv.txt > msgstore.gz
gzip -cdq msgstore.gz > msgstore.db
Let me know of the results.
Yay! Now it is working. Funny, I was copying the first post. I did not notice any change.
Now it is giving an error in this line:
openssl enc -AES -256 - cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K aes.txt -iv iv.txt > msgstore.gz
"non -hex digit
invalid hex iv value "
thank you !!!!!!

doubt
Still giving the same error.
I'm typing this: openssl enc -AES -256 - cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K aes.txt -iv a9d97adc77efaf9773c6602048d50fa0 > msgstore.gz
this:
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in msgstore.db.crypt8.nohdr -K aes.txt -iv a9d97adc77efaf9773c6602048d50fa0 > msgstore.gz

yesssss
Mali, was replacing the aes.txt for his number.
thank you very muchhhhhhhh!

It's working for me within Cygwin; even though I get an "unexpected end of file" error when decompressing, the resultant file is a correct sqlite database.
Thanks

mali_ said:
Do it on your computer. Use cygwin and install openssl. It will work.
I do not have cygwin so far, but what I tried is this. I installed openssl-0.9.8k_X64.zip from https://code.google.com/p/openssl-for-windows/downloads/list and then tried the command below and I got an error unknown option 'aex.txt'
Code:
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in tmp/msgstore.db.crypt8.nohdr -K $(cat tmp/aes.txt) -iv $(cat tmp/iv.txt) > tmp/msgstore.gz
error is
Code:
unknown option 'aex.txt'
screenshot attached
What am I doing wrong?

mali_ said:
All the tables are viewable in sqlite browser? Do you see your messages? It opens with sqlite but there is no data.
Yes, correct sqlite file means correct not only the extension.
prntscr.com/5jlnjl
Sorry I can't paste links.
Regards

mac_see said:
I do not have cygwin so far, but what I tried is this. I installed openssl-0.9.8k_X64.zip from and then tried the command below and I got an error unknown option 'aex.txt'
Code:
openssl enc -aes-256-cbc -d -nosalt -nopad -bufsize 16384 -in tmp/msgstore.db.crypt8.nohdr -K $(cat tmp/aes.txt) -iv $(cat tmp/iv.txt) > tmp/msgstore.gz
error is
Code:
unknown option 'aex.txt'
screenshot attached
What am I doing wrong?
You forgot the $ before (cat tmp/aes.txt); that's why you get "unknown option 'aes.txt'".
Regards

Related

[Q] nvflash/APX mode help

Calling all developers with extensive knowledge of NVflash
I know NVflash commands but I have never tried to run NVflash on a device with an encrypted bootloader nor have I had to try to source all the necessary files so I have some questions.
1. Would the following command be correct? Because even this simple sync command is exiting with a failure.
nvflash --bl bootloader.bin --sbk [boot key here] --sync
2. Is the bootloader.bin file universal or is it device specific? Where do I find one, can I edit one to work, etc?
I am working with the Acer Iconia A200 which is relatively new so no one has cracked NVflash on it yet so any help at all would be greatly appreciated.
Thanks!
I don't have extensive knowledge, but I did watch a youtube video once. Nvflash is used on several devices, so check out the acer/zoom/transformer forums. I think it also has some roots in graphics cards, so some of the tweaker forums might have some useful insight about syntax.
Code:
Nvflash started
nvflash action [options]
action (one or more) =
--help (or -h)
displays this page
--cmdhelp cmd(or -ch)
displays command help
--resume (or -r)
send the following commands to an already-running bootloader
--quiet (or -q)
surpress excessive console output
--wait (or -w)
waits for a device connection (currently a USB cable)
--create
full initialization of the target device using the config file
--download N filename
download partition filename to N
--setboot N
sets the boot partition to partition N
--format_partition N
formats contents of partition N
--read N filename
reads back partition N into filename
--getpartitiontable filename
reads back the partition table into filename
--getbit filename
reads back BIT into filename
--getbct
reads back the BCT from mass storage
--odm C Data
ODM custom 32bit command 'C' with associated 32bit data
--go
continues normal execution of the downloaded bootloader
options =
--configfile filename
indicates the configuration file used with the following commands:
--create, --format_all
--bct filename
indicates the file containing the BCT
--sbk 0x00000000 00000000 00000000 00000000
indicates the secure boot key for the target device
--bl filename
downloads and runs the bootloader specified by filename
--odmdata N
sets 32bit customer data into a field in the BCT, either hex or
decimal
--diskimgopt N
sets 32bit data required for disk image convertion tool
--format_all
formats all existing partitions on the target device using the config file,
including partitions and the bct
--setbootdevtype S
sets the boot device type fuse value for the device name.
allowed device name string mentioned below:
emmc, nand_x8, nand_x16, nor, spi
--setbootdevconfig N
sets the boot device config fuse value either hex or decimal
--verifypart N
verifies data for partition id = N specified. N=-1
indicates all partitions
Intended to be used with --create command only.
--setbct
updates the chip specific settings of the BCT in mass storage to
the bct supplied,used with --create, should not be with --read,and
--format(delete)_all,format(delete)_partition,--download, and--read
--sync
issues force sync commad
--rawdeviceread S N filename
reads back N sectors starting from sector S into filename
--rawdevicewrite S N filename
writes back N sectors from filename to device starting from sector S
Here's what I use
nvflash --bct transformer.bct --setbct --configfile flash.cfg --bl bootloader.bin --odmdata [device specific odm data] --sbk [mysterious sbk] --sync
All the files are device specific and the flash.cfg is where all the partitions and sizes are specified. Nvidia used to have a developers website that had a generic HC and GB rom. I flashed it, but was configured for different screen sizes/trackpad, etc.
If you are going to format the device, then you will use the --create flag and I think you need the flash.cfg file.
Thanks! I am primarily after --read and --getpartitiontable so that I can create a stock backup so those that brick have a recovery option. Sounds like the most important part now for me is getting the correct files together. I have the SBK though unconfirmed.
I personally have never used --odmdata, do you have any insight into that command?
My previous device, the Dell Streak 7, had a fully unlocked NVflash so there was no SBK or anything like that to worry about. I miss those times
I thought the odmdata were device specific things like memory configuration? Not sure how important it is for reading partitions.
The other thing with nvflash is once you start it, you can send more commands with the resume command:
Nvflash sbk bootloader etc
Nvflash -r --read 6 blah blah
Nvflash -r -- read 7 blah blah
...
Nvflash -r --go
Or something like that...
sent while running with scissors
I don't really know because at least on the Dell Streak 7 it was a command I never used and I never saw used by others either. Hopefully someone has insight somewhere on how to get the files I need.
If you have root you should be able to read the BCT and bootloader from the device with dd and then decrypt them.
I have root and an unlocked bootloader. Please explain. DD? I have Windows 7 and Linux at my disposal.
Thanks!
Wetzel402 said:
I have root and an unlocked bootloader. Please explain. DD? I have Windows 7 and Linux at my disposal.
Thanks!
Yes, dd.
Copy some raw data from the block device on the device, something like
Code:
# /system/bin/dd if=/dev/block/mmcblk0 bs=512 count=13312 of=/sdcard/data.raw
Then transfer the dump to the computer and extract the BCT and boot loader.
I started writing a description but it quickly started to get long and it is late...
So you get a small ugly script that shows the steps instead.
This requires openssl, dd and hexdump.
Code:
#!/bin/bash
#This script extracts the BCT and bootloader out of a dd dump of the block device on a tegra 2 device
#The first 6.5M should be enough, something like:
#/system/bin/dd if=/dev/block/mmcblk0 bs=512 count=13312 of=/sdcard/data.raw
#SBK written together
#e.g. 0xDEADBEEF 0xBAADF00D 0xCAFEFEED 0xBADDCAFE => "DEADBEEFBAADF00DCAFEFEEDBADDCAFE"
SBK="DEADBEEFBAADF00DCAFEFEEDBADDCAFE"
#Input file
raw_file="data.raw"
#Output files
bct_file="out.bct"
bl_file="bootloader.bin"
echo "Extrating the BCT data"
dd if=$raw_file of=bct_encrypted.bin bs=16 count=254 skip=1 2> /dev/null
echo "Decrypting the BCT data"
openssl aes-128-cbc -K $SBK -iv 0 -d -in bct_encrypted.bin -out bct_decrypt.tmp -nopad
dd if=bct_decrypt.tmp of=out.bct bs=16 count=254 seek=1 2> /dev/null
rm bct_decrypt.tmp
rm bct_encrypted.bin
#Read some general information
bct_version="$(hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' $bct_file)"
block_size=$((2 ** $(hexdump -n 4 -s 0x24 -e '1/4 "%u"' $bct_file)))
page_size=$((2 ** $(hexdump -n 4 -s 0x28 -e '1/4 "%u"' $bct_file)))
odm_data=$(hexdump -n 4 -s 0xFE4 -e '1/4 "0x%08x\n"' $bct_file)
#Boot loader 1
bl_start_block=$(hexdump -n 4 -s 0xA98 -e '1/4 "%u\n"' $bct_file)
bl_length=$(hexdump -n 4 -s 0xAA0 -e '1/4 "%u\n"' $bct_file)
if [ "$bct_version" != "0x20001" ]; then
    echo "ERROR: Unexpected BCT version: $bct_version"
    exit 1
fi
echo "Block size: $block_size"
echo "Page size: $page_size"
echo "Boot loader 1 start block: $bl_start_block"
echo "Boot loader 1 length $bl_length"
echo "ODM Data: $odm_data"
echo "Extracting the booot loader"
bl_start_byte=$(( $(($bl_start_block - 64)) * $block_size ))
bl_padded_length=$(( $bl_length + $((16 - $(($bl_length % 16)) ))))
echo "Extracting $bl_padded_length starting at offset $bl_start_byte"
dd bs=1 if=$raw_file of="bootloader.enc" skip=$bl_start_byte count=$bl_padded_length 2> /dev/null
echo "Decrypting boot loader"
openssl aes-128-cbc -K $SBK -iv 0 -d -in bootloader.enc -out bootloader.tmp -nopad
dd if=bootloader.tmp of=$bl_file bs=$bl_length count=1 2> /dev/null
I may have gotten the block to byte conversion wrong, it is correct for the offsets on the device I have, but we will see.
Currently way over my head considering I just finally figured out mount commands
I will start doing some research on the topic to learn more and before you know it I should have the files I need
I did get the bct file but the bootloader.bin file is not working. With this line:
openssl aes-128-cbc -K $SBK -iv 0 -d -in bootloader.enc -out bootloader.tmp -nopad
I keep getting an error "option 0 doesn't exist". Any ideas? Also when you have some time could you please explain what exactly all of this is doing? I understand very little of this syntax because I am quite noobish with Linux.
Thanks!
Wetzel402 said:
I did get the bct file but the bootloader.bin file is not working. With this line:
openssl aes-128-cbc -K $SBK -iv 0 -d -in bootloader.enc -out bootloader.tmp -nopad
I keep getting an error "option 0 doesn't exist". Any ideas?
That looks like you don't have SBK set (so it is trying to use "-iv" as key, and then doesn't know what to do with the leftover 0).
The steps must be performed in order and in the same shell, as some of them depend on variables set by previous steps.
Wetzel402 said:
Also when you have some time could you please explain what exactly all of this is doing? I understand very little of this syntax because I am quite noobish with Linux.
Sure, it is mostly just about reading some values at known offsets.
Code:
dd if=$raw_file of=bct_encrypted.bin bs=16 count=254 skip=1
Will read 254 blocks of 16 bytes, skipping one block, from $raw_file into bct_encrypted.bin. So we are reading bytes 16-4080 into bct_encrypted.bin.
We are skipping the first 16 bytes since this is a checksum (CMAC) and not part of the encrypted data, so bringing that along would mess up the decryption of the next 16 bytes due to the cipher block chaining.
Code:
openssl aes-128-cbc -K $SBK -iv 0 -d -in bct_encrypted.bin -out bct_decrypt.tmp -nopad
Decrypt the content of bct_encrypted.bin using the SBK and store the decrypted data in bct_decrypt.tmp.
Code:
dd if=bct_decrypt.tmp of=out.bct bs=16 count=254 seek=1
We skipped the first 16 bytes previously, so the decrypted data is a bit incorrectly offset.
So this takes bct_decrypt.tmp and writes it to out.bct offset 16 bytes so that we get a 4080 bytes file again.
Code:
bct_version="$(hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' $bct_file)"
Reads the version field of the BCT, this is a 32bit integer at offset 0x20.
I would expect the version to be 0x20001.
Code:
block_size=$((2 ** $(hexdump -n 4 -s 0x24 -e '1/4 "%u"' $bct_file)))
Reads the block size field in the BCT, also a 32bit integer, at offset 0x24.
The block and page size is stored in log2, so then we need to raise 2 to the value we found to get the actual block/page size.
For example, if we found the value 14 the block size is 2**14 = 16384.
Code:
#Boot loader 1
bl_start_block=$(hexdump -n 4 -s 0xA98 -e '1/4 "%u\n"' $bct_file)
bl_length=$(hexdump -n 4 -s 0xAA0 -e '1/4 "%u\n"' $bct_file)
Read the start block and size of the first boot loader (the BCT file has space for four boot loaders).
Code:
bl_start_byte=$(( $(($bl_start_block - 64)) * $block_size ))
We have the start position of the boot loader in blocks, but we need it in bytes.
So multiply the block number with the block size. Unfortunately this is not quite right, so we need to offset it a bit.
Code:
bl_padded_length=$(( $bl_length + $((16 - $(($bl_length % 16)) ))))
The encryption used, AES 128, works on blocks of 16 bytes, but there is no guarantee that the length of the boot loader is a multiple of 16 so we need to pad it to make sure it is.
Code:
dd bs=1 if=$raw_file of="bootloader.enc" skip=$bl_start_byte count=$bl_padded_length
Cut the encrypted boot loader out of the $raw_file.
Code:
openssl aes-128-cbc -K $SBK -iv 0 -d -in bootloader.enc -out bootloader.tmp -nopad
Decrypt it
Code:
dd if=bootloader.tmp of=$bl_file bs=$bl_length count=1
And take only the actual length of the decrypted data, discarding the extra padding data we took just to make it an even number of 16 byte blocks.
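The field reads and offset arithmetic explained above, as an added Python example that is not the poster's script: it parses a decrypted BCT, refuses to continue when the version is not 0x20001 (the sign of a wrong SBK discussed later in the thread), and computes the boot loader byte range. Little-endian fields, the class and function names, and the sample values are assumptions of this example; the offsets and the "- 64" correction are the ones from the script.

```python
import struct
from dataclasses import dataclass

BCT_SIZE = 4080            # 16-byte CMAC slot + 254 decrypted 16-byte blocks
EXPECTED_VERSION = 0x20001
OFF_VERSION, OFF_BLOCK_LOG2, OFF_PAGE_LOG2 = 0x20, 0x24, 0x28
OFF_BL_START, OFF_BL_LENGTH, OFF_ODM = 0xA98, 0xAA0, 0xFE4
BLOCK_BIAS = 64            # the "- 64" correction from the script
AES_BLOCK = 16


class BctError(ValueError):
    """The buffer does not look like a correctly decrypted BCT."""


@dataclass
class BctInfo:
    version: int
    block_size: int
    page_size: int
    odm_data: int
    bl_start_block: int
    bl_length: int


def u32(buf, offset):
    # hexdump '1/4' reads host-order words; little-endian is assumed here
    return struct.unpack_from("<I", buf, offset)[0]


def parse_bct(bct):
    if len(bct) < BCT_SIZE:
        raise BctError("expected %d bytes, got %d" % (BCT_SIZE, len(bct)))
    version = u32(bct, OFF_VERSION)
    if version != EXPECTED_VERSION:
        # Random-looking values here mean the AES key did not match.
        raise BctError("version 0x%x, expected 0x%x: decryption probably failed"
                       % (version, EXPECTED_VERSION))
    block_log2 = u32(bct, OFF_BLOCK_LOG2)
    page_log2 = u32(bct, OFF_PAGE_LOG2)
    if block_log2 > 31 or page_log2 > 31:
        raise BctError("implausible log2 block/page size")
    info = BctInfo(version, 2 ** block_log2, 2 ** page_log2, u32(bct, OFF_ODM),
                   u32(bct, OFF_BL_START), u32(bct, OFF_BL_LENGTH))
    if info.bl_length == 0 or info.bl_start_block < BLOCK_BIAS:
        raise BctError("boot loader 1 entry is empty or below the block bias")
    return info


def bootloader_range(info):
    """Return (start_byte, padded_length) of boot loader 1 inside the raw dump."""
    start = (info.bl_start_block - BLOCK_BIAS) * info.block_size
    padded = -(-info.bl_length // AES_BLOCK) * AES_BLOCK   # round up to 16
    return start, padded


def script_padded_length(bl_length):
    """The script's formula; it adds a whole extra block when already aligned."""
    return bl_length + (AES_BLOCK - bl_length % AES_BLOCK)


def build_sample_bct(version=EXPECTED_VERSION, block_log2=14, page_log2=12,
                     bl_start=80, bl_length=1000, odm=0x12345678):
    """Constructed test input, not data from a real device."""
    bct = bytearray(BCT_SIZE)
    for off, val in ((OFF_VERSION, version), (OFF_BLOCK_LOG2, block_log2),
                     (OFF_PAGE_LOG2, page_log2), (OFF_BL_START, bl_start),
                     (OFF_BL_LENGTH, bl_length), (OFF_ODM, odm)):
        struct.pack_into("<I", bct, off, val)
    return bytes(bct)


if __name__ == "__main__":
    info = parse_bct(build_sample_bct())
    print(info, bootloader_range(info))
    try:
        parse_bct(build_sample_bct(version=0xF16CB00B))
    except BctError as err:
        print("rejected:", err)
```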
Very impressive
Prior to this I have messed mostly with kitchens, cd, and mount so this is definitely a learning experience for me. After you described these commands I am convinced I could use most of these minus the fact I would have no clues what values to use in them
Thanks! I will have to try rerunning everything and see if I can get the bootloader.bin to come out.
Here is my terminal output after copying and pasting in your script.
Code:
[email protected]:~# cd /root/Desktop
[email protected]:~/Desktop# SBK="B8A4C201EB6FF106EB00150430772103"
[email protected]:~/Desktop#
[email protected]:~/Desktop# #Input file
[email protected]:~/Desktop# raw_file="data.raw"
[email protected]:~/Desktop#
[email protected]:~/Desktop# #Output files
[email protected]:~/Desktop# bct_file="out.bct"
[email protected]:~/Desktop# bl_file="bootloader.bin"
[email protected]:~/Desktop#
[email protected]:~/Desktop# echo "Extrating the BCT data"
Extrating the BCT data
[email protected]:~/Desktop# dd if=$raw_file of=bct_encrypted.bin bs=16 count=254 skip=1 2> /dev/null
[email protected]:~/Desktop#
[email protected]:~/Desktop# echo "Decrypting the BCT data"
Decrypting the BCT data
[email protected]:~/Desktop# openssl aes-128-cbc -K $SBK -iv 0 -d -in bct_encrypted.bin -out bct_decrypt.tmp -nopad
[email protected]:~/Desktop# dd if=bct_decrypt.tmp of=out.bct bs=16 count=254 seek=1 2> /dev/null
[email protected]:~/Desktop# rm bct_decrypt.tmp
[email protected]:~/Desktop# rm bct_encrypted.bin
[email protected]:~/Desktop#
[email protected]:~/Desktop#
[email protected]:~/Desktop# #Read some general information
[email protected]:~/Desktop# bct_version="$(hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' $bct_file)"
[email protected]:~/Desktop# block_size=$((2 ** $(hexdump -n 4 -s 0x24 -e '1/4 "%u"' $bct_file)))
[email protected]:~/Desktop# page_size=$((2 ** $(hexdump -n 4 -s 0x28 -e '1/4 "%u"' $bct_file)))
I don't understand the page size line enough to know what is going wrong or to change things but after that line displays the terminal exits without errors.
Any ideas?
Wetzel402 said:
I don't understand the page size line enough to know what is going wrong or to change things but after that line displays the terminal exits without errors.
Any ideas?
You are probably hitting the exit in the BCT version check; since you are running it directly in the shell, that would make the terminal disappear.
What does out.bct look like?
What does
Code:
hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' out.bct
give?
That was the problem.
Code:
[email protected]:~# cd /root/Desktop
[email protected]:~/Desktop# hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' out.bct
0xf16cb00b
So I modified the following line:
Code:
[email protected]:~/Desktop# if [ "$bct_version" != "0xf16cb00b" ]; then
Everything ran and out came the bootloader.bin. This should be the correct file then? Also the other two files (bootloader.enc&.tmp) were stepping stones to the final product (bootloader.bin) and are not needed correct?
When I get home from work if I have time I will try the following and see if life is good
Code:
nvflash --bl bootloader.bin --getbct --bct out.bct --sbk 0xB8A4C201 0xEB6FF106 0xEB001504 0x30772103 --go
nvflash -r --getpartitiontable partition.txt
Wetzel402 said:
That was the problem.
Code:
[email protected]:~# cd /root/Desktop
[email protected]:~/Desktop# hexdump -n 4 -s 0x20 -e '1/4 "0x%x\n"' out.bct
0xf16cb00b
So I modified the following line:
Code:
[email protected]:~/Desktop# if [ "$bct_version" != "0xf16cb00b" ]; then
Everything ran and out came the bootloader.bin. This should be the correct file then?
I would not expect a different version, I think it is more likely the decryption failed.
Could you make the data.raw file available to me?
Here it is.
Wetzel402 said:
Here it is.
The data looks ok, but it can not be decrypted using that key so you must have the wrong SBK.
Assuming it follows the same format as the Iconia A500 that SBK would belong to a device with UID 042800484400D057, is this the UID of your device?
Yes that is correct. So you think Acer is using a different encryption method?
I tried the NVflash commands anyway and it doesn't run. Exits with the standard failure.
Wetzel402 said:
Yes that is correct. So you think Acer is using a different encryption method?
Depending on what you mean, maybe and no. They are maybe allocating the SBK differently, but the encryption is still AES128.
Wetzel402 said:
I tried the NVflash commands anyway and it doesn't run. Exits with the standard failure.
Nvflash uses the key you give it to encrypt the command before sending it to the device, then the device decrypts the command using the built-in key. If those two do not match, the result will not be a recognizable command.
Depending on how you got the UID it may be worth trying a different way; some devices do not report the UID as their USB serial number.
Save this as apxuid.c and compile it using gcc -Wall -pedantic -o apxuid apxuid.c -lusb-1.0. Then run ./apxuid directly after starting the device in apx-mode and see if you get the same UID.
Code:
#include <libusb-1.0/libusb.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

int main(void)
{
    unsigned char data[64];
    int received_length = 0;
    int r = 1;
    uint64_t uid;
    libusb_context* ctx = NULL;
    libusb_device_handle* dev_handle = NULL;

    if (libusb_init(&ctx) != 0)
    {
        printf("Error: Failed to initialise libusb!\n");
        return 1;
    }
    /* Vendor/product ID the device is expected to show in apx-mode */
    dev_handle = libusb_open_device_with_vid_pid(ctx, 0x0955, 0x7820);
    if (dev_handle)
    {
        /* Read from bulk IN endpoint 0x81 with a 10 second timeout */
        r = libusb_bulk_transfer(dev_handle, 0x81, data, sizeof(data), &received_length, 10000);
        if (r == 0)
        {
            if (received_length == 8)
            {
                /* Copy instead of casting the buffer to avoid an unaligned read */
                memcpy(&uid, data, sizeof(uid));
                printf("uid: 0x%016" PRIx64 "\n", uid);
            }
            else
            {
                r = 1;
                printf("Error: We got %d bytes of data instead of the 8 bytes we expected...\n", received_length);
            }
        }
        else
        {
            printf("Error: USB read failed!\n");
        }
        libusb_close(dev_handle);
    }
    else
    {
        printf("Error: Failed to open device!\n");
    }
    libusb_exit(ctx);
    return r;
}

[TOOLS] MTKIMG : Unpack / Repack boot.img, recovery.img and logo.bin for MTK device

Hello,
For a personal project I wrote a simple tool, named MTKIMG, to unpack/repack boot.img, recovery.img and logo.bin of Mediatek CPU based devices. MTK adds a specific header on each block in the image, so common tools cannot unpack/repack properly. Also, none of the tools I found corresponded to my needs.
Here are the MTKIMG characteristics:
Written in C, open-source.
Portable : Linux, Cygwin, Windows (MAC is currently under port).
Only one executable for unpack/repack.
Support unpack/repack boot.img and recovery.img.
Support unpack/repack logo.bin
Keep the original image size at repack time.
Handle kernel and ramdisk with or without MTK header.
Automatic ramdisk decompression.
Option to keep or remove MTK headers.
Check for valid "ARM Linux zImage" kernel.
Check for valid "GZIP" ramdisk.
Check for overflow if kernel or ramdisk is too big at repack time.
Option to set compression rate for ramdisk.
Easy to use, all parameters are defaulted.
Easy to build on every platform.
Has a simple test suite.
Documentation available.
Version :
Status : Beta
Version : 0.44
Update : 2015/07/20
Source code :
https://github.com/rom1nux/mtkimg
Releases (Linux, Cygwin, Windows) :
https://github.com/rom1nux/mtkimg/tree/master/releases
The OSX version is currently being ported (Please, thanks sambwel)
Hope this helps (Sorry for my bad English)
Hi
Did you use anything from @carliv or @bgcngm projects ( source / binaries ) ?
Or is this a full new project?
Since you didn't add any source link,,, (github / bitbucket ?)
cheers
Hello superdragonpt,
"Did you use anything from @carliv or @bgcngm projects ( source / binaries ) ?"
MTKIMG is written in C from scratch. I do not use anything other than the "find", "gzip" and "cpio" utilities.
I know bgcngm's Perl scripts (mtk-tools) but they do not fit my needs.
I don't know carliv's bash scripts, I don't know if they support the MTK header block.
"Or is this a full new project?"
Yes, it's a full new project. I wrote MTKIMG for my needs first, but I told myself that it could help others.
"Since you didn't add any source link,,, (github / bitbucket ?)"
If MTKIMG gets interest I will probably create a git repo.
Thanks for your remarks
rom1nux said:
Hello superdragonpt,
MTKIMG is written in C from scratch. I do not use anything other than the "find", "gzip" and "cpio" utilities.
I know bgcngm's Perl scripts (mtk-tools) but they do not fit my needs.
I don't know carliv's bash scripts, I don't know if they support the MTK header block.
Yes, it's a full new project. I wrote MTKIMG for my needs first, but I told myself that it could help others.
If MTKIMG gets interest I will probably create a git repo.
Thanks for your remarks
Thanks for answering
I have some MTK devices here, I'll test this tool's compatibility across the MTK SoCs I own.
Keep it up
Cheers
"I have some MTK devices here, I'll test this tool's compatibility across the MTK SoCs I own."
Good news!
For information, I put the source code under the GPL3 license and I created a dedicated GitHub repository as you suggested: https://github.com/rom1nux/mtkimg
Feel free to come and help
Good Work Mate ....looking forward to it
edit : any 32 bit system tool ??
Hello [email protected],
Thanks for your interest.
"edit : any 32 bit system tool ??"
I only have a 64-bit OS, but I can install Cygwin32 and a 32-bit OS in VirtualBox if needed, but it's very easy to build.
Hello,
I tested MTKIMG and it works well, but now I am searching for information about the MTK logo partition format. I see the MTK header on it but don't know how to parse the images.
More precisely, I want information about the header of the logo partition (like the size of each image, etc.), the header after the MTK header.
Do you have this kind of information?
Thanks in advance
Hello,
I found some information about the logo.bin image:
- The first 512 bytes are the MTK header Magic (0x88168858) + Size + "LOGO"
- After that, I found the logo partition header is formatted like:
Code:
Offset (B)    | Size (B)             | Description
--------------------------------------------------------
0             | 4                    | Logos count
4             | 4                    | Size of block (=MTK header image size)
8             | 4                    | Logo_0 offset
12            | 4                    | Logo_1 offset
8+(n*4)       | 4                    | Logo_n offset
...           | ...                  | ?
--------------------------------------------------------
Logo_0 offset | Logo_1-Logo_0 offset | Logo_0 gzip content
Logo_1 offset | Logo_2-Logo_3 offset | Logo_1 gzip content
...           | ...                  | Logo_n gzip content
--------------------------------------------------------
I don't know how to find the size of each logo. Do you have this information?
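The layout in the post above, turned into a bounds-checked parser; this is an added example, not code from the post or from the mtkimg project. It assumes little-endian 32-bit fields, a NUL-padded name at byte 8 of the MTK header, offsets counted from the start of the logo table, each logo's size taken as the distance to the next offset (the last one running to the block size), and a zlib or gzip stream per logo; the sample image is constructed.

```python
import struct
import zlib

MTK_HEADER_SIZE = 512
MTK_MAGIC = bytes.fromhex("88168858")  # assumption: stored on disk in this byte order
MAX_LOGOS = 256                         # assumption: sanity cap on the count field
MAX_INFLATED = 16 * 1024 * 1024         # refuse to inflate more than 16 MiB per logo


class LogoFormatError(ValueError):
    """The image does not match the layout described in the post."""


def parse_logo_table(image):
    """Validate a logo.bin image; return (count, block_size, [(offset, size), ...])."""
    if len(image) < MTK_HEADER_SIZE + 8:
        raise LogoFormatError("image shorter than MTK header plus table header")
    if image[:4] != MTK_MAGIC:
        raise LogoFormatError("bad MTK magic")
    (payload_size,) = struct.unpack_from("<I", image, 4)
    name = image[8:40].split(b"\0", 1)[0]
    if name != b"LOGO":
        raise LogoFormatError("partition name is %r, not LOGO" % name)

    body = image[MTK_HEADER_SIZE:]
    count, block_size = struct.unpack_from("<II", body, 0)
    if block_size != payload_size:
        raise LogoFormatError("block size differs from the MTK header size field")
    if not 0 < count <= MAX_LOGOS:
        raise LogoFormatError("implausible logo count %d" % count)
    table_end = 8 + 4 * count
    if block_size > len(body) or table_end > block_size:
        raise LogoFormatError("offset table or block runs past the image")

    offsets = struct.unpack_from("<%dI" % count, body, 8)
    entries = []
    for i, start in enumerate(offsets):
        # Size of logo i = next offset - this offset; the last logo ends at block_size.
        end = offsets[i + 1] if i + 1 < count else block_size
        if start < table_end or end <= start or end > block_size:
            raise LogoFormatError("logo %d has an invalid offset range" % i)
        entries.append((start, end - start))
    return count, block_size, entries


def extract_logo(image, offset, size):
    """Inflate one logo; wbits=47 accepts both zlib and gzip headers."""
    body = image[MTK_HEADER_SIZE:]
    inflater = zlib.decompressobj(wbits=47)
    try:
        raw = inflater.decompress(body[offset:offset + size], MAX_INFLATED)
    except zlib.error as exc:
        raise LogoFormatError("logo at offset %d is not a valid stream" % offset) from exc
    if inflater.unconsumed_tail:
        raise LogoFormatError("logo at offset %d inflates past the size cap" % offset)
    return raw


def build_sample_image():
    """Constructed two-logo image following the layout above (not a real dump)."""
    logos = [b"\x00\x11" * 300, b"\xff" * 1000]
    blobs = [zlib.compress(data) for data in logos]
    position = 8 + 4 * len(blobs)
    offsets = []
    for blob in blobs:
        offsets.append(position)
        position += len(blob)
    block_size = position
    body = struct.pack("<II", len(blobs), block_size)
    body += struct.pack("<%dI" % len(offsets), *offsets) + b"".join(blobs)
    header = MTK_MAGIC + struct.pack("<I", block_size) + b"LOGO".ljust(32, b"\0")
    return header.ljust(MTK_HEADER_SIZE, b"\xff") + body, logos


if __name__ == "__main__":
    sample, _ = build_sample_image()
    total, block, table = parse_logo_table(sample)
    print("logos:", total, "block size:", block)
    for index, (off, length) in enumerate(table):
        pixels = extract_logo(sample, off, length)
        print("logo %d: offset=%d packed=%d raw=%d" % (index, off, length, len(pixels)))
```
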
This looks great. I would love to be able to run this on my Mac. I don't think it should be hard to get it working but I'm not familiar with C so I don't know what to change to make it build. Let me know what I can do to help!
Hello sambwel,
I would love to be able to run this on my Mac. I don't think it should be hard to get it working but I'm not familiar with C so I don't know what to change to make it build. Let me know what I can do to help!
Happy to read this
You only need "gcc" and "make". For instance (I found this on the web):
Installing recent XCode versions confusingly enough does not automatically install the command line tools. To install the command line tools when they're not automatically installed;
Start XCode.
Go to XCode/Preferences.
Click the "Downloads" tab.
Click "Components".
Click "Install" on the command line tools line.
That will install the command line tools and make them accessible from a regular command line.
Be sure gcc and make are in your PATH environment variable. After that, open a terminal on your Mac in the source folder and run the command:
Code:
make
If you get the "Unsupported platform" message, that's good news; I'm going to make a minor correction to the source code for this error after lunch. (Put your build log here if you want)
Thanks for your help
No worries mate, familiar with Linux and building things from source, just not familiar with C code. Here's the output when I try make:
Code:
sambwel:mtkimg sambwel$ make
MTKIMG LINUX MAKE by rom1nux
Create directory build ...
Building C file build/info.o ...
gcc -c -Wall src/info.c -o build/info.o
In file included from src/info.h:34,
from src/info.c:24:
src/main.h:51:3: warning: #warning "Unsupported platform !"
Building C file build/main.o ...
gcc -c -Wall src/main.c -o build/main.o
In file included from src/main.c:24:
src/main.h:51:3: warning: #warning "Unsupported platform !"
src/main.c: In function ‘main’:
src/main.c:54: error: ‘APP_PLATFORM’ undeclared (first use in this function)
src/main.c:54: error: (Each undeclared identifier is reported only once
src/main.c:54: error: for each function it appears in.)
make: *** [build/main.o] Error 1
Hello sambwel
sambwel said:
No worries mate, familiar with linux and building things from source
Cool, good news, I know nothing about Mac
sambwel said:
..., just not familiar with C code Here's the output when I try make:
OK, I'm going to add Mac platform specifics to main.h this afternoon (I was not able to do it yesterday, sorry).
I'll tell you when the modification is done.
Thanks a lot for your help
superdragonpt said:
Thanks for answering
I have some MTK devices here, I'll test this tool's compatibility across the MTK SoCs I own.
Keep it up
Cheers
I made a similar simple script in dash format that should work on device:
Code:
#!/sbin/sh
bootonetofive() {
    busybox dd if=${1}.img of=1 bs=512 count=4 conv=notrunc
    busybox dd if=${1}.img of=${1}-header bs=512 skip=4 conv=notrunc
    busybox dd if=${1}-header of=2 bs=512 count=1 conv=notrunc
    busybox dd if=${1}-header of=${1}-header-k_header bs=512 skip=1 conv=notrunc
    initrd=`hexdump -C ${1}-header-k_header | grep -m1 "ROOTFS" | cut -d " " -f 1`
    if [ -z ${initrd} ]; then
        initrd=`hexdump -C ${1}-header-k_header | grep -m1 "RECOVERY" | cut -d " " -f 1`
        FLSH=recovery
    fi
    initrdbin=`printf "%d\n" 0x${initrd}`
    intrdsec=`expr ${initrdbin} / 512`
    busybox dd if=${1}-header-k_header of=3 bs=512 count="${intrdsec}" conv=notrunc
    busybox dd if=${1}-header-k_header of=${1}-header-k_header-kernel bs=512 skip="${intrdsec}" conv=notrunc
    busybox dd if=${1}-header-k_header-kernel of=4 bs=512 count=1 conv=notrunc
    busybox dd if=${1}-header-k_header-kernel of=5 bs=512 skip=1 conv=notrunc
}
AddPadd() {
    if [ ${krnsz} != ${nwkrnsz} ]; then
        krnsz=`du -B 1 3 | cut -f 1`
        nwkrnsz=`du -B 1 3-new | cut -f 1`
        if [ ${krnsz} -gt ${nwkrnsz} ]; then
            pddng=`expr ${krnsz} - ${nwkrnsz}`
            busybox dd if=/dev/zero of=padd bs=1 count=${pddng} conv=notrunc
            cat padd >> 3-new
        else
            nwsz=`expr ${nwkrnsz} / 512 + 1`
            busybox dd if=/dev/zero of=3 bs=512 count="${nwsz}" conv=notrunc
        fi
        AddPadd
    else
        echo "kernels are already the same size"
        exit 0
    fi
    if [ ${pddng:-0} != "0" ]; then
        if [ ${nwsz:-0} != "0" ]; then
            echo "new kernel is larger"
        else
            echo "kernels are now the same size"
        fi
        exit 0
    fi
}
addserialno() {
    printf "androidboot.serialno=" > serno
    dd if=/dev/block/mmcblk0p1 of=barcode bs=16 count=1
    cat serno barcode > serialno
    dd if=1 of=1_1 bs=16 count=7
    dd if=1 of=1_2 bs=16 skip=7
    dd if=1_2 of=1_3 bs=1 skip=37
    cat 1_1 serialno 1_3 > 1_new
}
unpackramd() {
    mkdir work 2> /dev/null
    cd work
    busybox gzip -dc ../5 2> /dev/null | cpio -i 2> /dev/null
    cd ${crdr}
}
repackramd() {
    cd work
    find . | cpio -o -H newc 2> /dev/null | gzip -9 > ../5-new 2> /dev/null
    rm -rf *
    cd ${crdr}
}
bootfivetoone() {
    cat 1 2 3 4 5 > new-${1:-boot}.img
}
crdr=`pwd`
bootonetofive ${1:-boot}
rm ${1:-boot}-*
if [ -f 3-new ]; then
    AddPadd
    cp 3-new 3
fi
if [ ${2:-NA} = "split" ]; then
    unpackramd
    echo "modify what you need to in ${crdr}/work then"
    echo "press enter y to continue or any key to exit"
    read cntn
    if [ ${cntn:-n} = "y" ]; then
        repackramd
        cp 5-new 5
    else
        exit 0
    fi
fi
if [ ${2-NA} = "serial" ]; then
    addserialno
    cp 1_new 1
fi
bootfivetoone ${1:-boot}
echo "All Done new .img created... ${crdr}/new-${1:-boot}.img"
# 1 header
# 2 k_header
# 3 kernel
# 4 r-header
# 5 ramdisk
FLSHPRT=`ls -la /dev/block/platform/mtk-msdc.0/by-name | grep ${FLSH:-boot} | awk -F " " '{print $NF}'`
if [ ${2:-no} = "flash" ]; then
    dd if=${crdr}/new-${1:-boot}.img of=/dev/block/${FLSHPRT}
fi
Attached as a txt.
It just needs busybox installed. Only used it with the new MT6732/52 SoCs. I could use someone testing it with others to see if it's universal. (Only setup for gzipped ramdisks, should be able to add in the others.)
To run it is for example.
sh ./splitboot.sh boot split to split boot.img (and open ramdisk)
sh ./splitboot.sh boot flash to flash boot.img
sh ./splitboot.sh boot serial to take the barcode value from proinfo partition and uses it as serial number (only seems to work with AOSP)
It works with *.img and automatically identifies if it's a boot or recovery img.
Good
But for those SoC, we use the inbuilt tool.
(not for general public)
So yours and this one, is always good alternative
cheers
Hello
So yours and this one, is always good alternative
Yes, good alternative, I'll take a look when I can, but HypoTurtle, you should probably create a dedicated thread for your tools.
sambwel,
Normally we just have to adjust "main.h" and "Makefile" to port to the OSX platform.
(I put notes in the file headers)
main.h
I added a 'define' test to detect the OSX platform (APP_PLATFORM/APP_OSX). I don't know if this works. I left the APP_ARCH (32/64 bits) test as-is, but I don't know if it works on OSX (it's not very important for now, we can correct it later).
Makefile
I added a "Darwin" detection mechanism for OSX.
I started to add options to unpack/repack logo.bin. This uses "zlib" and "libpng1.6"; you can disable it so as not to be bothered with external dependencies. In the Makefile, put LOGO_SUPPORT=0 in the LINUX/CYGWIN/OSX section (line ~92) for the first build.
Big thanks for your help
Okay, good news! mtkimg builds and runs now! I did have to put LOGO_SUPPORT=0 in the Makefile otherwise I get the error "error: png.h: No such file or directory".
So I did a quick test to see if it works. info and unpack seem to work correctly (tested on ~7mb stock boot.img). However when I repack the same image the result is a ~4.3gb boot.img!! Not sure what happened... headers are intact on the new image. No more time to test right now but I will check back here soon.
Hip Ha ! Good news !
For the size, look at "image.cfg" to see if the size is right.
You can use the '-v' and '-d' options to see what happens, and look at the "layout" part displayed on the screen.
(I suspect image.cfg is not being read correctly; I'm going to look into "end of line" handling on Mac.)
Many thanks for trying
Hello,
I pushed MTKIMG Beta 0.38 with compiled versions (for Linux64, Cygwin64 and Windows64) that support logo unpacking. (logo repack in progress...)
Have fun.....

[GUIDE][SCRIPT] rsync backup over USB + adb with Lineage 14.x

Hello together,
as Lineage 13.0+ already includes the rsync binary, backing up the phone via rsync over USB + adb is fast and convenient. The only "downside" is that you need a phone with root access.
While everything worked fine for months with Lineage 13.0, rsync gave strange error messages on the client after updating to Lineage 14.1.
Output on the PC side looked like this:
Code:
+ adb shell 'umask 077 && rsync --daemon --no-detach --log-file=/storage/emulated/0/rsyncd/rsyncd.log --config=/mnt/secure/rsyncd.conf' &
@RSYNCD: 31.0
Notice the "@RSYNCD: 31.0" protocol tag in the output.
To make a long story short, "rsync --daemon" on the phone side thinks it's invoked via inetd.
rsync's "inetd mode" gets activated automatically if the stdin of the rsync process is a socket. There's no way to switch that off. Probably the internal semantics how adb shell works changed a bit in Android Nougat.
Luckily there's a workaround in the adb shell command: Allocate a pty with the "-t" option.
The original invocation line
Code:
adb shell 'umask 077 && rsync --daemon --no-detach --log-file=/storage/emulated/0/rsyncd/rsyncd.log --config=/mnt/secure/rsyncd.conf' &
becomes
Code:
adb shell -t -t 'umask 077 && rsync --daemon --no-detach --log-file=/storage/emulated/0/rsyncd/rsyncd.log --config=/mnt/secure/rsyncd.conf' &
Notice the double '-t' in there: This forces the allocation of a PTY, it won't work with a single '-t' if the adb shell command is forked into background with '&'.
Here's the complete backup script for a Galaxy S5, adapt the exclusion list to your needs:
Code:
#!/bin/bash
set -u
BASEDIR=/data/MY_BACKUP_DESTINATION
TARGET=$BASEDIR/android
# generate random secret
secret=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 -w 0 | rev | cut -b 2- | rev)
#log to logger
exec 2>&1 | logger
if ! test -d "$TARGET"; then
echo "could not find directory: $TARGET"
exit 1
fi
set -x
LOCALPORT=5000
RSYNCPORT=873
echo "Waiting for device"
adb wait-for-device
adb root
adb wait-for-device
adb shell "umask 077 && test ! -d /storage/emulated/0/rsyncd && mkdir -p /storage/emulated/0/rsyncd"
adb shell "umask 077 && printf 'backup:$secret\n' > /mnt/secure/rsyncd.secrets"
adb shell "umask 077 && printf 'address = 127.0.0.1\npid file = /mnt/secure/rsyncd.pid\nuid = root\ngid = root\n[root_all]\n\tpath = /\n\thosts allow = 127.0.0.1\n\tauth users = backup\n\tsecrets file = /mnt/secure/rsyncd.secrets\n' > /mnt/secure/rsyncd.conf"
adb shell -t -t "umask 077 && rsync --daemon --no-detach --log-file=/storage/emulated/0/rsyncd/rsyncd.log --config=/mnt/secure/rsyncd.conf" &
# give rsync daemon time to start
sleep 2
adb forward tcp:$LOCALPORT tcp:$RSYNCPORT
# "backup" is the "auth users" entry written to rsyncd.conf above;
# 127.0.0.1:$LOCALPORT is the port forwarded to the phone by "adb forward"
RSYNC_PASSWORD=$secret rsync -av --delete \
    --exclude /dev \
    --exclude /acct \
    --exclude /sys \
    --exclude /mnt/sdcard \
    --exclude /mnt/user/0 \
    --exclude /mnt/runtime \
    --exclude /mnt/media_rw \
    --exclude /proc \
    --exclude '/data/media/0/Android/data/net.osmand.plus/files/*.obf' \
    --exclude /data/media/0/Android/data/net.osmand.plus/files/wiki \
    --exclude /data/data/org.cyanogenmod.gello.browser/cache/Cache \
    --exclude /data/media/0/Movies \
    --exclude /data/media/0/Music \
    --exclude /data/dalvik-cache \
    --exclude /storage/emulated \
    --exclude /storage/0000-000A \
    rsync://backup@127.0.0.1:$LOCALPORT/root_all/ $TARGET/
: rc $?
adb forward --remove tcp:$LOCALPORT
# kill rsyncd
adb shell 'test -f /mnt/secure/rsyncd.pid && kill $(cat /mnt/secure/rsyncd.pid)'
# remove temporary files
adb shell rm -f /mnt/secure/rsyncd.conf /mnt/secure/rsyncd.pid /mnt/secure/rsyncd.secrets
The script is based on this blog post originally:
https://blog.josefsson.org/2015/11/28/automatic-android-replicant-backup-over-usb-using-rsync/
Hope this saves others some time when migrating to Lineage 14.x
Cheers,
Thomas
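The post above attributes the "@RSYNCD: 31.0" banner to rsync seeing a socket on stdin, and the fix to forcing a PTY. As an added example (not part of the original post and not rsync's own code), this Python probe starts a child with a socket, a PTY and a pipe on stdin and reports what the child sees; the `fstat` test and all function names are stand-ins chosen for the illustration.

```python
import os
import pty
import socket
import subprocess
import sys

# Child-side probe: classify file descriptor 0 the way a daemon could at startup.
PROBE = (
    "import os, stat\n"
    "mode = os.fstat(0).st_mode\n"
    "print('socket' if stat.S_ISSOCK(mode) else 'tty' if os.isatty(0) else 'other')\n"
)


def child_stdin_kind(stdin_fd):
    """Run the probe in a child process whose stdin is `stdin_fd`."""
    done = subprocess.run(
        [sys.executable, "-c", PROBE],
        stdin=stdin_fd,
        stdout=subprocess.PIPE,
        check=True,
    )
    return done.stdout.decode().strip()


def with_socket_stdin():
    """Stdin is one end of a socket pair (what the post describes for plain 'adb shell')."""
    ours, theirs = socket.socketpair()
    try:
        return child_stdin_kind(theirs.fileno())
    finally:
        ours.close()
        theirs.close()


def with_pty_stdin():
    """Stdin is a pseudo-terminal (what 'adb shell -t -t' forces)."""
    master, slave = pty.openpty()
    try:
        return child_stdin_kind(slave)
    finally:
        os.close(master)
        os.close(slave)


def with_pipe_stdin():
    """Stdin is an ordinary pipe: neither a socket nor a terminal."""
    read_end, write_end = os.pipe()
    try:
        return child_stdin_kind(read_end)
    finally:
        os.close(read_end)
        os.close(write_end)


def predicted_daemon_mode(kind):
    """Per the post: a socket on stdin selects inetd mode, anything else a normal daemon."""
    return "inetd" if kind == "socket" else "standalone"


if __name__ == "__main__":
    for label, probe in (("socket", with_socket_stdin),
                         ("pty", with_pty_stdin),
                         ("pipe", with_pipe_stdin)):
        kind = probe()
        print("%-6s stdin -> child sees %-6s -> rsync --daemon would run as %s"
              % (label, kind, predicted_daemon_mode(kind)))
```
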
A real genius post. I was stuck at passing -t flag.
Thanks!
@thomasjfox are you still using this method on LineageOS 18? Has anything changed in the intervening time?
I am able to get the daemon to start, and to use rsync from within the ADB shell, but from my PC I can't get rsync to connect. adb forwarding --list reveals that my port forwarding is set up correctly. I get the error:
rsync: safe_read failed to read 1 bytes [Receiver]: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(285) [Receiver=3.1.3]

Can somebody help me with this shell script?

Basically, what I want to do is convert this into a batch script for Windows and, by using Linux binaries from SourceForge, create a script that does the same thing, except it doesn't have to be pushed onto my phone's system: it works directly in Windows using ADB commands!
The script in question looks like this
Spoiler: THIS Script
Bash:
#adb shell mkdir /data/media/0/PartitionImages
#adb push .\backupPartitions.sh /data/media/0/PartitionImages/backupPartitions.sh
#adb shell chmod 0755 /data/media/0/PartitionImages/backupPartitions.sh
#adb shell /data/media/0/PartitionImages/backupPartitions.sh
#adb pull /data/media/0/PartitionImages .\PartitionImages
max_blocks=102400
names=""
compress=0
# -b and -n both take an argument, so each needs a trailing colon in the optstring
while getopts "h?b:zn:" opt; do
    case "$opt" in
        h|\?)
            echo "Usage $0 [-z] [-b MaxBlocks] [-n partition1 ] [-n partition2 ]"
            echo " options:"
            echo "-z optional to tar.gz the output folder default=false"
            echo "-b 102400 optional maximum number of blocks of the partition - 0 will dump all partitions default=$max_blocks"
            echo "-n partitionName... optional - one or more partitions to dump"
            exit 0
            ;;
        z) compress=1
            ;;
        b) max_blocks=$OPTARG
            ;;
        n) names+=" $OPTARG"
            ;;
    esac
done
script=$(readlink -f "$0")
script_path=$(dirname "$script")
serial=$(cat /sys/class/android_usb/f_accessory/device/iSerial)
serial_date=$serial/$(date +"%Y_%m_%d_%H_%M_%S")
output_path=$script_path/$serial_date
echo "********************************"
echo "Backup partitions TO $output_path"
echo "********************************"
mkdir -p $output_path
part_dir=$(find /dev/block/platform -name by-name)
# one "name>/dev/block/<id>" token per by-name symlink
partitions=$(ls -la $part_dir | awk '{if ( $10 == "->") print $9 ">" $11 }')
getprop > $output_path/build.prop
echo "Id Name Size MD5" > $output_path/partitions.txt
for f in $partitions
do
    part_id=$(echo $f | sed 's/^[^>]*>\/dev\/block\///')
    part_name=$(echo $f | sed 's/>.*//')
    size=$(cat /proc/partitions | awk -v p=$part_id '{if ( $4 == p ) print $3}')
    checksum="0"
    skip=0
    if [ $max_blocks -gt 0 -a $size -gt $max_blocks ]
    then
        skip=1
        echo "Skipping $part_name Id $part_id due to size"
    else
        # string test (-n), not the integer operator -ne: filter only when -n names were given
        if [ -n "$names" ]
        then
            if echo $names | grep -w $part_name > /dev/null; then
                skip=0
            else
                skip=1
                echo "Skipping $part_name Id $part_id"
            fi
        fi
    fi
    if [ "$skip" -eq "0" ]
    then
        echo "Processing $part_name Id $part_id Size $size";
        dd if=/dev/block/$part_id of=$output_path/$part_name.img
        checksum=$(md5sum -b $output_path/$part_name.img | sed 's/ .*//')
    fi
    echo "$part_id $part_name $size $checksum" >> $output_path/partitions.txt
done
if [ "$compress" -eq "1" ]
then
    cd $script_path
    tar cz $serial_date > $output_path.tar.gz
    rm -rf $output_path
fi
It's from an old XDA Dev thread, original post and author:
givitago
I tried, following the guidelines in "Appendix N. Converting DOS Batch Files to Shell Scripts" from another site, to turn the shell script variables into batch script ones, but since I've got no experience with either of them my attempt turned into an amalgamation of the two's code in one..
Spoiler: it turned Into THIS
Code:
::adb shell mkdir /data/media/0/PartitionImages
::adb push .\backupPartitions.sh /data/media/0/PartitionImages/backupPartitions.sh
::adb shell chmod 0755 /data/media/0/PartitionImages/backupPartitions.sh
::adb shell /data/media/0/PartitionImages/backupPartitions.sh
::adb pull /data/media/0/PartitionImages .\PartitionImages
%max_blocks==102400
%names==""
%compress==0
while getopts "h?bzn:" opt; do
case "$opt" in
h|\?)
echo "Usage $0 [-z] [-b MaxBlocks] [-n partition1 ] [-n partition2 ]"
echo " options:"
echo "-z optional to tar.gz the output folder default=false"
echo "-b 102400 optional maximum number of blocks of the partition - 0 will dump all partitions default=$max_blocks"
echo "-n partitionName... optional - one or more partitions to dump"
exit 0
;;
z) compress=1
;;
b) max_blocks=$OPTARG
;;
n) names+=" $OPTARG"
;;
esac
done
%script%==%(echo %CD% "%0")
%script_path%==(dirname "%script")
%serial%==%(adb shell cat /sys/class/android_usb/f_accessory/device/iSerial)
%serial_date%==%serial% /%(date +"%Y_%m_%d_%H_%M_%S")
%output_path%==%script_path%/%serial_date%
echo "********************************"
echo "Backup partitions TO $output_path"
echo "********************************"
mkdir -p %output_path%
%part_dir%==%(adb shell find /dev/block/platform -name by-name)
%partitions%==%(ls -la %part_dir% | awk '{if ( %10 == "->") print %9 ">" %11 }')
adb shell getprop > %output_path%/build.prop
echo "Id Name Size MD5" > %output_path%/partitions.txt
for %%i in %partitions do
%part_id=%(echo %f | sed 's/^[^>]*>\/dev\/block\///')
%part_name=%(echo %f | sed 's/>.*//')
%size=%(adb shell cat /proc/partitions | awk -v p==%part_id% '{if ( %4 == p ) print %3}')
checksum="0"
skip==0
if [ %max_blocks -gt 0 -a %size -gt %max_blocks ]
then
skip=1
echo "Skipping %part_name% Id %part_id% due to size"
else
if [ "%names" -ne "" ]
then
if echo %names | grep -w %part_name% > /dev/null; then
skip==0
else
skip==1
echo "Skipping %part_name% Id %part_id%"
fi
fi
fi
if [ "$skip" -eq "0" ]
then
echo "Processing %part_name% Id %part_id% Size %size";
'adb shell pull' /dev/block/%part_id% %output_path%/%part_name%.img
checksum==%(md5sum -b %output_path%/%part_name%.img | sed 's/ .*//')
fi
echo "%part_id% %part_name% %size %checksum" >> %output_path%/partitions.txt
done
if [ "%compress" -eq "1" ]
then
cd %script_path%
tar cz %serial_date% > %output_path%.tar.gz
rm -rf %output_path%
fi
Additionally, I have pretty much all the Linux commands' binaries in the same folder as the .bat script, so as long as the syntax is correct and nothing finicky is going on it should technically work, but since I've got no experience I can't do this on my own...
You may use the DOS script used here
[TOOL][ADB][WIN]Android Partitions Backupper / Cloner (forum.xda-developers.com)
as a template.
jwoegerbauer said:
You may use the DOS script used here
[TOOL][ADB][WIN]Android Partitions Backupper / Cloner (forum.xda-developers.com)
as a template.
I have tried that script itself and it failed at "DM-Verity" and SELinux enforcement. Also, for some reason, there are no logs at all in the temp folder.

How to Unpack Boot Image and remove LG RCT and Triton Lgv20 (Linux & root only)

STANDARD DISCLAIMER: I am not responsible for any damages caused to your phone. Use this guide at your own risk there is no warranty or guarantee.
I only know how to do this in Linux in the terminal. This has only been done on Stock Oreo 8.0, may not work on Nougat, never tested. This mod will speed up your phone. We are going to remove a very small program "rctd" that's buried in the phone's boot image file. Also there is an antivirus scanner buried in the boot image, it slows the phone down by scanning every file.
This guide is my notes on what I did to remove LG RCT from my H910 Lgv20. But you can use this guide to remove LG RCT from your Lgv20.
guide updated on 6-28-22
Requirements:
Root/Twrp
Lgv20
Stock Oreo 8.0
Linux
You can just copy and paste the commands in the Linux terminal.
In the Linux terminal paste:
install: abootimg
Ubuntu: sudo apt-get install abootimg
Arch: yay -S abootimg
install: fastboot & adb
Ubuntu: sudo apt-get install android-tools-adb android-tools-fastboot
Arch: sudo pacman -S android-tools
Reboot phone into twrp. Connect phone via usb cable. In the Linux terminal paste:
sudo su
mkdir /tmp/test
cd /tmp/test
Get your boot.img
adb shell dd if=/dev/block/bootdevice/by-name/boot of=/tmp/boot.img
adb pull /tmp/boot.img /tmp/test
sync
ls
the boot.img should be on your computer in /tmp/test/
You can unplug the usb cable from the phone. But stay in twrp we will need that later.
abootimg -x /tmp/test/boot.img
mkdir /tmp/test/initrd
cd /tmp/test/initrd
cat ../initrd.img | gunzip | cpio -vid
Going to remove rctd and lge_fota updates & comment out LG RCT access also going to comment out lge_handle_panic. And comment out triton service. You should be able to just copy all and paste all at once. Also I found a speed tweak by changing dalvik.vm.dex2oat-Xmx=512m to dalvik.vm.dex2oat-Xmx=256m will increase speed of phone.
rm /tmp/test/initrd/sbin/bnrd
rm /tmp/test/initrd/sbin/rctd
rm /tmp/test/initrd/sbin/lge_fota
sed -i '605 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '964 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '20 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '790 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '1029 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '1057,1058 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '1067 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '10 s/^/#/' /tmp/test/initrd/nonplat_seapp_contexts
sed -i '485 s/^/#/' /tmp/test/initrd/nonplat_property_contexts
sed -i '1343 s/^/#/' /tmp/test/initrd/nonplat_file_contexts
sed -i '129 s/^/#/' /tmp/test/initrd/init.msm8996_core.rc
sed -i '133 s/^/#/' /tmp/test/initrd/init.msm8996_core.rc
sed -i '137 s/^/#/' /tmp/test/initrd/init.msm8996_core.rc
sed -i '141 s/^/#/' /tmp/test/initrd/init.msm8996_core.rc
sed -i '145 s/^/#/' /tmp/test/initrd/init.msm8996_core.rc
sed -i '7,13 s/^/#/' /tmp/test/initrd/init.elsa.power.rc
sed -i '17 s/^/#/' /tmp/test/initrd/init.elsa.power.rc
sed -i '19,29 s/^/#/' /tmp/test/initrd/init.elsa.power.rc
sed -i '32,33 s/^/#/' /tmp/test/initrd/init.elsa.power.rc
sed -i '83,105 s/^/#/' /tmp/test/initrd/init.elsa.power.rc
sed -i '232,233 s/^/#/' /tmp/test/initrd/init.elsa_core.rc
you can check to make sure it worked with this command
clear
ls /tmp/test/initrd/sbin/bnrd
ls /tmp/test/initrd/sbin/rctd
ls /tmp/test/initrd/sbin/lge_fota
sed -n 605p /tmp/test/initrd/nonplat_file_contexts
sed -n 964p /tmp/test/initrd/nonplat_file_contexts
sed -n 20p /tmp/test/initrd/nonplat_file_contexts
sed -n 790p /tmp/test/initrd/nonplat_file_contexts
sed -n 1029p /tmp/test/initrd/nonplat_file_contexts
sed -n 1057,1058p /tmp/test/initrd/nonplat_file_contexts
sed -n 1067p /tmp/test/initrd/nonplat_file_contexts
sed -n 10p /tmp/test/initrd/nonplat_seapp_contexts
sed -n 485p /tmp/test/initrd/nonplat_property_contexts
sed -n 1343p /tmp/test/initrd/nonplat_file_contexts
sed -n 129p /tmp/test/initrd/init.msm8996_core.rc
sed -n 133p /tmp/test/initrd/init.msm8996_core.rc
sed -n 137p /tmp/test/initrd/init.msm8996_core.rc
sed -n 141p /tmp/test/initrd/init.msm8996_core.rc
sed -n 145p /tmp/test/initrd/init.msm8996_core.rc
sed -n 7,13p /tmp/test/initrd/init.elsa.power.rc
sed -n 17p /tmp/test/initrd/init.elsa.power.rc
sed -n 19,29p /tmp/test/initrd/init.elsa.power.rc
sed -n 32,33p /tmp/test/initrd/init.elsa.power.rc
sed -n 83,105p /tmp/test/initrd/init.elsa.power.rc
sed -n 232,233p /tmp/test/initrd/init.elsa_core.rc
This is what it should look like. If not, then do not flash the modded myboot.img. I am not 100% sure all Lgv20 boot images are the same. I am 99% sure they should be the same, but just in case.
ls: cannot access '/tmp/test/initrd/sbin/bnrd': No such file or directory
ls: cannot access '/tmp/test/initrd/sbin/rctd': No such file or directory
ls: cannot access '/tmp/test/initrd/sbin/lge_fota': No such file or directory
#/dev/block/platform/.*/by-name/rct u:object_r:rct_block_device:s0
#/dev/rct u:object_r:rct_device:s0
#/(system/vendor|vendor)/bin/triton u:object_r:triton_exec:s0
#/sys/devices/system/cpu/triton(/.*)? u:object_r:sysfs_triton:s0
#/dev/triton:io u:object_r:triton_device:s0
#/dev/socket/bnrd u:object_r:bnrd_socket:s0
#/dev/socket/ccmd u:object_r:ccmd_socket:s0
#/system/bin/ccmd u:object_r:ccmd_exec:s0
#user=_app seinfo=platform name=com.lge.rctprovider domain=platform_app type=app_data_file
#sys.lge.rooted u:object_r:system_prop:s0
#/sys/module/lge_handle_panic/parameters/gen_modem_panic u:object_r:sysfs_gen_modem_panic:s0
# write /sys/module/lge_handle_panic/parameters/cancel_boot_lockup_detect 1
# write /sys/module/lge_handle_panic/parameters/pause_boot_lockup_detect 1
# write /sys/module/lge_handle_panic/parameters/pause_boot_lockup_detect 0
# write /sys/module/lge_handle_panic/parameters/cancel_boot_lockup_detect 1
# write /sys/module/lge_handle_panic/parameters/powerctl_lockup_detect ${sys.powerctl}
#service triton /system/vendor/bin/triton
# class main
# user root
# group system
# socket triton-client stream 660 system system
# disabled
# oneshot
# start triton
# write /sys/devices/system/cpu/triton/debug 16
# write /sys/devices/system/cpu/triton/enable 1
# write /sys/devices/system/cpu/triton/enforce 0
# write /sys/devices/system/cpu/triton/cur_policy 0
# chown system system /sys/devices/system/cpu/triton/enable
# chmod 664 /sys/devices/system/cpu/triton/enable
# chmod 600 /sys/devices/system/cpu/triton/aevents
# chmod 600 /sys/devices/system/cpu/triton/bevents
# chown system system /sys/devices/system/cpu/triton/cur_policy
# chmod 664 /sys/devices/system/cpu/triton/cur_policy
# chmod 664 /sys/devices/system/cpu/triton/debug
# chown system system /sys/devices/system/cpu/triton/enable
# chmod 644 /sys/devices/system/cpu/triton/enable
#service fg-dump /vendor/bin/sh /vendor/bin/fg_dump.sh 10 /data/logger/fg.log
# user root
# group root system
# class main
# disabled
# oneshot
#on property:persist.service.fg.enable=0
# stop fg-dump
#on property:persist.service.fg.enable=1
# restart fg-dump
#on property:persist.service.fg.enable=2
# restart fg-dump
#on property:persist.service.fg.enable=3
# restart fg-dump
#on property:persist.service.fg.enable=4
# restart fg-dump
#on property:persist.service.fg.enable=5
# restart fg-dump
#on property:persist.service.fg.enable=6
# restart fg-dump
#on property:persist.service.fg.enable=99
# restart fg-dump
# setprop ro.ssbd.session /dev/block/bootdevice/by-name/eksst
# export HALLIC_STATUS_PATH /sys/class/switch/smartcover/state
continue making the myboot.img
find . | cpio --create --format='newc' | gzip > ../myinitd.img
cd /tmp/test
nano bootimg.cfg
delete the first line move everything up one line
bootsize = 0x19b15d3
ctrl-x y enter
make the modded myboot.img file
abootimg --create myboot.img -f bootimg.cfg -k zImage -r myinitd.img
plug usb cable back into phone. Phone should still be in twrp.
Going to write all zeros to fota and rct device. Updates and LG RCT devices we don't need them. And going to remove the dumpstate file, it saves the logcat logs to the eMMC drive and slows down the phone a lot. The logcat files will still be saved to ram up to 4M but they will be deleted when you restart or it runs out of ram. This will speed up the phone removing dumpstate. Also there is a speed tweak, need to change five lines in the build.prop file.
Note: If you have already used Auto_Debloat you may get some error messages file not found that's okay. It just means Auto_Debloat took care of the files for you.
mkfs.ntfs /dev/block/bootdevice/by-name/fota
mkfs.fat /dev/block/bootdevice/by-name/rct
adb shell umount -l /system
adb shell mount /system
adb shell rm /system/vendor/bin/subsystem_ramdump
adb shell rm /system/bin/dumpstate
adb shell rm /system/etc/init/dumpstate.rc
adb shell rm /system/bin/ccmd
adb shell rm /system/vendor/bin/triton
adb shell rm /system/vendor/bin/fg_dump.sh
adb shell mount /persist
adb shell rm /persist/rct
adb shell rm /persist/rct.cfg
adb shell umount -l /persist
adb shell umount -l /system
wipe dalvik cache and cache
reboot phone into bootloader aka fastboot from twrp
fastboot flash boot myboot.img
fastboot reboot
exit out of root user
exit
You can unplug usb cable now done.
And that is what I did to remove LG RCT from my Lgv20 phone. One thing to note is that you can not flash a new kernel to the boot.img or you will lose the modded boot.img, everything will be reset back to default. If you need to flash a Kernel then just mod the boot.img again afterwards.
If for some reason your phone does not boot anymore, we are going to flash the original boot.img
Power off the Lgv20, or remove battery. Hold volume down while plugging in the usb cable.
sudo su
cd /tmp/test
fastboot flash boot boot.img
fastboot reboot
exit out of root user
exit
done
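The guide above comments out ramdisk entries by line number and warns that not every boot image may have the same contents. As an added example (not part of the original post), this Python helper applies a line-number edit only when every targeted line contains the expected entry, and changes nothing otherwise; the function names, the five-line excerpt and its line numbers are constructed for the illustration, with the entry text taken from the expected output shown in the guide.

```python
import re


class LineMismatch(Exception):
    """A targeted line does not hold the entry the edit plan expects."""


def comment_out(lines, first, last, expected):
    """Return a copy of `lines` with 1-based lines first..last prefixed by '#'.

    Every targeted line must match the regex `expected`; otherwise LineMismatch
    is raised and the input is left untouched. Lines that already start with
    '#' are not prefixed again, so re-running the same plan is harmless.
    """
    if first < 1 or first > last or last > len(lines):
        raise LineMismatch("range %d-%d is outside a file of %d lines"
                           % (first, last, len(lines)))
    pattern = re.compile(expected)
    for number in range(first, last + 1):
        if not pattern.search(lines[number - 1]):
            raise LineMismatch("line %d is %r, expected /%s/"
                               % (number, lines[number - 1], expected))
    edited = list(lines)
    for number in range(first, last + 1):
        if not edited[number - 1].startswith("#"):
            edited[number - 1] = "#" + edited[number - 1]
    return edited


def apply_plan(files, plan):
    """Apply every (name, first, last, regex) step, or none at all.

    `files` maps a file name to its list of lines. Work happens on copies, so
    a mismatch in any step leaves the caller's data unchanged.
    """
    staged = {name: list(lines) for name, lines in files.items()}
    for name, first, last, expected in plan:
        staged[name] = comment_out(staged[name], first, last, expected)
    return staged


# Constructed excerpt: entry text from the guide's expected output, line numbers
# invented for this example (the real file has well over a thousand lines).
SAMPLE_FILES = {
    "nonplat_file_contexts": [
        "/dev/block/platform/.*/by-name/rct u:object_r:rct_block_device:s0",
        "/dev/rct u:object_r:rct_device:s0",
        "/dev/example u:object_r:example_device:s0",  # constructed, must stay active
        "/dev/socket/bnrd u:object_r:bnrd_socket:s0",
        "/dev/socket/ccmd u:object_r:ccmd_socket:s0",
    ],
}

SAMPLE_PLAN = [
    ("nonplat_file_contexts", 1, 1, r"by-name/rct\s"),
    ("nonplat_file_contexts", 2, 2, r"^#?/dev/rct\s"),
    ("nonplat_file_contexts", 4, 5, r"^#?/dev/socket/(bnrd|ccmd)\s"),
]


if __name__ == "__main__":
    for line in apply_plan(SAMPLE_FILES, SAMPLE_PLAN)["nonplat_file_contexts"]:
        print(line)
    # Same plan against a file whose entries moved down by one line.
    shifted = {"nonplat_file_contexts":
               ["# constructed extra line"] + SAMPLE_FILES["nonplat_file_contexts"]}
    try:
        apply_plan(shifted, SAMPLE_PLAN)
    except LineMismatch as problem:
        print("refused:", problem)
```
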
reserved
