[Q] Overlay Error - Motorola Photon Q 4G LTE

Hello,
I'm trying to port Ubuntu Touch for Photon Q. I'm posting in this section, because the error I get is generic. My phone fails to boot. The display flickers several times and last_kmsg contains the following message multiple times (the number is consistent with the number of flickers):
Code:
[ 13.802716,0] mdp4_calc_req_mdp_clk: src_h is zero!
[ 13.807477,0] mdp4_overlay_borderfill_stage_down: no base layer at mixer=1
Can someone please tell me what might be causing this error?
Thank you!

Some more information from the log:
Code:
E/Adreno200-GSL( 1138): <ioctl_kgsl_driver_entry:402>: open(/dev/kgsl-3d0) failed: errno 2. No such file or directory
But the device is there:
Code:
ls -l /dev/kgsl*
crw-rw-rw- 1 root root 241, 1 Nov 26 01:08 /dev/kgsl-2d0
crw-rw-rw- 1 root root 241, 2 Nov 26 01:08 /dev/kgsl-2d1
crw-rw-rw- 1 root root 241, 0 Nov 26 01:08 /dev/kgsl-3d0

Related

[Q] Fresh ROM for Evo Shift 4G: Keeps Resetting

I've installed Fresh ROM on my Evo Shift 4G. It worked for about a week, then the GPS stopped working (a known bug with this device and Gingerbread). I restarted the device as normal, and when it came back up all my downloaded apps and the Market were gone, and the device was in that strange indeterminate state where I'm both synced to a Gmail account and not at the same time (the Setup app appears in the Apps folder). Signing in doesn't help.
I rebooted into Clockwork Recovery (3.2.0.1), wiped data/factory reset, wiped the cache, wiped dalvik, and installed Fresh ROM again.
Once that was complete and booted, I signed in, attempted to install an app and the phone reset. There's no file manager installed nor terminal app so I can't delete things by bash. I connected over USB and tried to adb shell in, but that caused the phone to reset.
I'm stuck. Clearly something has not been properly wiped prior to installing Fresh ROM.
What do I need to do to get out of this loop?
SoopahMan said:
I've installed Fresh ROM on my Evo Shift 4G. It worked for about a week, then the GPS stopped working (a known bug with this device and Gingerbread). I restarted the device as normal, and when it came back up all my downloaded apps and the Market were gone, and the device was in that strange indeterminate state where I'm both synced to a Gmail account and not at the same time (the Setup app appears in the Apps folder). Signing in doesn't help.
I rebooted into Clockwork Recovery (3.2.0.1), wiped data/factory reset, wiped the cache, wiped dalvik, and installed Fresh ROM again.
Once that was complete and booted, I signed in, attempted to install an app and the phone reset. There's no file manager installed nor terminal app so I can't delete things by bash. I connected over USB and tried to adb shell in, but that caused the phone to reset.
I'm stuck. Clearly something has not been properly wiped prior to installing Fresh ROM.
What do I need to do to get out of this loop?
Sounds like you either had a bad Flash, a bad Download, or both. So redownload the Rom you choose, then Clear and Flash your device according to THESE INSTRUCTIONS.
Thanks for the response. I downloaded the ROM again and ran a check - identical to the file I downloaded previously. So, if the ROM is the culprit, then the latest version of Fresh ROM for Evo Shift does not work (4.1.1).
I followed the instructions linked, wiping the cache and dalvik-cache twice (why?), and wiping system etc prior to installing the ROM.
I'm running into the exact same issues as before - I can't install anything from the Market, and the phone resets if I connect it to a computer over USB. When it resets, it resets multiple times and when it comes back up the 4G no longer works.
If I rerun the above instructions, the 4G works again, but I'm stuck back in this loop - can't use the Market or connect it over USB or it will reset, so forth.
Could Fresh ROM 4.1.1 for Evo Shift be bad? I still suspect the real problem is something is not sufficiently wiped or setup prior to install.
In case it might help, here's an ls -al after installing Fresh Rom 4.1.1 on my phone (an HTC Evo Shift 4G after following the above install instructions).
/
drwxr-xr-x 2 root root 0 Jan 17 07:39 boot
drwxr-xr-x 4 root root 1024 Jan 17 07:41 cache
drwxrwx--x 2 root root 0 Jan 1 1970 data
drwxr-xr-x 2 root root 0 Jan 17 07:39 datadata
-rw-r--r-- 1 root root 3462 Jan 1 1970 default.prop
drwxr-xr-x 12 root root 3060 Jan 17 07:39 dev
drwxr-xr-x 2 root root 0 Jan 17 07:39 emmc
drwxr-xr-x 2 root root 0 Jan 17 07:39 etc
-rwxr-x--- 1 root root 94372 Jan 1 1970 init
-rwxr-x--- 1 root root 899 Jan 1 1970 init.rc
dr-xr-xr-x 79 root root 0 Jan 1 1970 proc
drwxr-xr-x 4 root root 0 Jan 1 1970 res
drwx------ 2 root root 0 May 15 2011 root
drwxr-x--- 2 root root 0 Jan 1 1970 sbin
drwxr-xr-x 2 root root 0 Jan 17 07:39 sd-ext
drwxrwxrwx 78 root root 32768 Jan 1 1970 sdcard
drwxr-xr-x 18 root root 0 Jan 17 07:39 sys
drwxr-xr-x 3 root root 0 Jan 1 1970 system
drwxr-xr-x 2 root root 0 Jan 17 07:45 tmp
-rw-r--r-- 1 root root 0 Jan 1 1970 ueventd.goldfish.rc
-rw-r--r-- 1 root root 4027 Jan 1 1970 ueventd.rc
-rw-r--r-- 1 root root 987 Jan 1 1970 ueventd.speedy.rc
/data
(empty)
/system
drwxr-xr-x 2 root root 0 Jan 1 1970 bin
/system/bin
(empty)
/sys
drwxr-xr-x 2 root root 0 Jan 17 07:53 android_camera
drwxr-xr-x 2 root root 0 Jan 17 07:53 android_camera_awb_cal
drwxr-xr-x 2 root root 0 Jan 17 07:53 android_touch
drwxr-xr-x 2 root root 0 Jan 17 07:53 block
drwxr-xr-x 2 root root 0 Jan 17 07:39 board_properties
drwxr-xr-x 9 root root 0 Jan 17 07:53 bus
drwxr-xr-x 2 root root 0 Jan 17 07:53 camera_led_status
drwxr-xr-x 47 root root 0 Jan 17 07:53 class
drwxr-xr-x 4 root root 0 Jan 17 07:53 dev
drwxr-xr-x 10 root root 0 Jan 17 07:39 devices
drwxr-xr-x 2 root root 0 Jan 17 07:53 firmware
drwxr-xr-x 3 root root 0 Jan 17 07:53 fs
drwxr-xr-x 6 root root 0 Jan 17 07:53 kernel
drwxr-xr-x 62 root root 0 Jan 17 07:53 module
drwxr-xr-x 2 root root 0 Jan 17 07:53 power
drwxr-xr-x 2 root root 0 Jan 17 07:53 systemlog
I can post more or other diagnostics if others have something to recommend. Really stuck here.
Is it odd that /sd-ext is at root and not located on the SD card, and a directory not a symlink?
Now that you have 10 posts you should try posting your questions in the thread for flipz's rom. So the dev can help and maybe anyone else that is running this rom. Also have you tried the a2sd remove command adb shell or from terminal emulator? See if that helps.
A bit more to isolate the problem:
If the phone resets (due to attempting an install from the Market or plug in from USB), 4G fails - but if I restart the phone at that point, when it reboots 4G works again. So 4G appears to be fine, it's the resets that are at the core of the issue.
I shutdown, removed the SD card, booted, and attempted to install an app and got the same reset, so it's not the SD card - it's definitely a problem somewhere on internal storage.
What else do I need to clear to clear this up?
Fresh ROM's pages say to look in /data/app and /system/app for a place where an app already exists that would cause a conflict.
Here's /data after booting the ROM and setting up a Gmail account:
lrwxrwxrwx 1 root root 14 Jan 17 07:54 app -> /system/sd/app
lrwxrwxrwx 1 root root 22 Jan 17 07:54 app-private -> /system/sd/app-private
drwx------ 5 system system 1024 Jan 6 1980 backup
drwxrwx--x 2 system system 14336 Jan 17 16:25 dalvik-cache
drwxrwx--x 161 system system 9216 Jan 17 07:57 data
drwxr-x--- 2 root log 1024 Jan 17 07:54 dontpanic
lrwxrwxrwx 1 root root 11 Jan 17 07:54 drm -> /data/local
-rw-r--r-- 1 root root 6134 Jan 6 1980 dta2sd.lg1
-rw-r--r-- 1 root root 6266 Jan 6 1980 dta2sd.lg2
-rw-r--r-- 1 root root 6266 Jan 6 1980 dta2sd.log
drwxrwxrwx 2 root root 1024 Jan 17 07:54 htcfs
drwxr-xr-x 4 root root 1024 Jan 17 07:42 jit
drwxrwx--x 4 shell shell 1024 Jan 17 07:54 local
drwxrwx--- 2 root root 12288 Jan 17 07:41 lost+found
drwxrwx--t 10 system misc 1024 Jan 17 07:55 misc
drwx------ 2 root root 1024 Jan 6 1980 property
drwx------ 3 system system 1024 Jan 17 07:55 secure
drwxrwxr-x 9 system system 1024 Jan 17 17:48 system
drwxrwx--- 3 system system 1024 Jan 17 17:14 wimax
I'd like to know if app and app-private are as expected (they appear to be the result of the ROM install, since they were completely wiped prior to installing it). The app symlink is a strange one. It points to /system/sd/app, which I can't cd to. /system/sd I can cd to, and this is all it contains:
-rw-r--r-- 1 root root 17 Aug 1 2008 placeholder
A file named placeholder. What?
I'm starting to suspect apps2sd. None of the relevant partitioning steps are in those install instructions, and they appear to be specific to the apps2sd of CyanogenMod. Google's appears to support a DOS partition, while CyanogenMod's appears to only support an ext3 partition, which I do not have.
At the same time, removing the SD card didn't change things, so color me confused.
As suggested by FdxRider you should definitely post up in the Rom thread. That way you can get help resolving the issue from others running the same Rom.
It was apps2sd.
To resolve this problem, I had to:
Reboot into ClockworkModRecovery
Connect the phone to a computer over USB
In Clockwork, choose Mount Storage and choose the last option, Mount USB.
Dump anything I wanted to keep off of the SD card (most importantly, the FreshRom zip file).
Then, back in Clockwork, Advanced>Partition SD
Choose a size (they recommend 1024M)
This wipes out everything on the SD card, creates a Linux partition for apps2sd to use, marks the rest as a Windows partition.
Wait till it's done, then, still from ClockworkModRecovery:
Wipe cache, dalvik cache, system, data
Factory reset
Now Mount USB again so you can copy the FreshRom zip back onto the Windows partition (the only part that will come up on a Windows machine).
Eject on the Windows machine to ensure the copy completes, Unmount in Clockwork.
Install the ROM again
Let it boot, restart
Setup my Google Account/Gmail user
And one final thing:
As it turns out ES File Explorer is pre-installed on this ROM. That means installing it from the Market will make the phone go crazy regardless of proper setup. But I am now able to install other apps just fine from the Market (at last).
reset loop NO clockwork until factory reset
I installed Fresh 4.1.1 on my shift 4g
I went to install ROM Manager got it downloaded and it reset the phone at install.
I even tried going to the website and installing it that way. Same results.
I can't get clockwork to work, when I hold the volume down and then press power nothing happens until I release the power button then it goes directly to the Fresh install.
PLEASE HELP!!!!
---------- Post added at 05:30 AM ---------- Previous post was at 05:09 AM ----------
I got the problem solved. I used the RRU and it walked me through a recovery, part of it was yanking the battery. DUH!

[R&D] Unlock Bootloaders

Rules:
Do not post in here unless you have something constructive to say. "Thanks", "Hey this is wonderful", and any other comments like that are not wanted. They take up space and make it more difficult to find information. I'm requesting that this thread be heavily moderated. In order to work efficiently, information density must be kept high. We are all guilty of adding in a few off-topic sentences from time-to-time, but this thread is strictly business and I expect the moderators to moderate me as well.
What is this?
This is the place where we can research and develop a method to unlock the bootloader of the Verizon Galaxy SIII. Hopefully, this will be development at its finest.
Why not just buy a developer edition
GTFO! Not a single person got started developing by buying a developer phone. They started developing because they were unhappy with the features of their device and wanted something better. They wanted something more. This developer phone is a tax on developer innovation. We do not stand for that. We will break the security and we will enable XDA-Developers to do what they do best.
Until security is broken and available for everyone, this device will get updates last, users will be unhappy because there are no additional features and Samsung violates the spirit of Open Source and copyright laws. Take a look at the bottom line of GPL-Violations.org FAQ located here: http://gpl-violations.org/faq/sourcecode-faq.html
What are the goals?
Attain a bootloader recovery - 75% JTAG (the extra 25% will be for a user-friendly method)
The Galaxy S3 is bootable from SDCard. In case of emergency this is needed. We need to verify that this works on the Verizon GS3 to bring up Odin. This will set up infrastructure for research.
Attain a full stock restoration via Odin or Heimdall - 90%
For use with Odin3.
Bootloader - BOOTLOADER_I535VRALF2_618049_REV09_user_low_ship.tar.md5 - 1.97 MB - Thanks nbsdx
PDA - SCH-I535_VZW_1_20120705143513_fti2qg2lmf.zip
NEED CSC PACKAGE (MODEM, PARAMS and Other Miscellaneous partitions). This is enough to recover a device though.
To include bootloaders and recovery to a working and stock condition with the EMMC wiped entirely. Heimdall is a work in progress for this device. This will complete the infrastructure needed for research.
Collect information
This will be the longest and most difficult part of this development. The information provided by Qualcomm is not readily available. Samsung is notoriously secretive about their bootloaders. Mainly we, as a community, will generate information. Please post any relevant datasheets, theory-of-operation, or manuals which you can find.
Provide a way to remove security checks from Odin3. 100% - insecure aboot.img which may break in the future
By removing security checks from Odin3 on the computer or the Loki daemon on the device we can flash anything through Odin or Heimdall.
Provide a way to bypass security checks within bootloaders. 200% we have two exploits, only one has been released.
This is the ultimate goal. Once we can bypass the security checks, kernels can be flashed giving us the control required to develop
Initial information
[BOOTLOADER] Locked bootloader research and news: http://forum.xda-developers.com/showthread.php?t=1756919
My own research
SBL1 is the first booting partition. Qualcomm provides the Modem partition so it comes first on the EMMC. SBL1 is the first bootloader and that is specified by Qualcomm standards. Qualcomm makes the primitive bootloader and allows their customers (Samsung) to make a Secondary bootloader. Samsung chose to use three secondary bootloaders.
The following 0p* are located in /dev/block/mmcblk*
0p1 = modem
Built by se.infra
HUDSON_GA_D2_USA-VZW-HARDKEY-PROD-USER
I take this to mean this Qualcomm modem was built in Hudson Georgia.
I was not able to find signatures on this block. This does NOT mean that there are no signatures on this block. The file is 33 megs. The file is unencrypted.
The modem uses the BLAST Kernel ver : 02.04.02.02.00. Unfortunately we need someone who speaks French(???) to understand how this works http://blast.darkphpbb.com/faq.php
Judging by the contents of this file, it is an operating system of its own including keyboard, mouse and a lot of debugging information. We need to find out more about the BLAST Kernel and this partition.
Samsung Proprietary partitions SBL1,2,3
Overall I'm not entirely familiar with this new 3 SBL setup. If someone could help me out, that would be great. This 3 SBL setup looks like they tried to adapt (sloppily) their IBL+PBL+SBL setup to the Qualcomm and added overhead.
0p2=sbl1
This block is signed by Samsung, we will not be able to modify it.
Some Strings we expect to see on UART are:
0p3=sbl2
This block is signed by Samsung, we will not be able to modify it.
Some of the strings we may see over UART are:
Code:
RPM loading is successful.
cancel RPM loading!
SBL2, End
SBL2, Delta
.sbl2_hw.c
sbl2_hw_init, Start
sbl2_hw_init, Delta
sbl2_hw_init_secondary, Start
h/w version : %d
sbl2_hw_init_secondary, Delta
.SBL2, Start
scatterload_region & ram_init, Start
.scatterload_region & ram_init, Delta
.sbl2_mc.c
sbl2_retrieve_shared_info_from_sbl1, Start
.sbl2_retrieve_shared_info_from_sbl1, Delta
0p4=sbl3
This block is signed by Samsung, we will not be able to modify it.
Possibly useful information:
SVC: R1-R14
FIQ:R13-R14
IRQ:R13-R14
UND:R13-R14
ABT:R13-R14
SYS:R13-R14
This block appears to be a full OS of its own. I'm not sure of its purpose.
0p5= aboot
This block is signed by Samsung, we will not be able to modify it
This block contains HTML information. It would appear that it is possible to put the device into a mode where it will provide a webserver which displays state information.
This block appears to be a complete operating system
This block contains the Loke Daemon which communicates with Odin3.
0p6= rpm
This block is signed by Samsung we will not be able to modify it
0p7= boot
This is the kernel. There are several things we can do here... I believe this package itself is not signed, but the zImage itself is... here is the bootimg.cfg file
Code:
[email protected]:~/Desktop/VZWGS3$ cat ./bootimg.cfg
bootsize = 0xa00000
pagesize = 0x800
kerneladdr = 0x80208000
ramdiskaddr = 0x81500000
secondaddr = 0x81100000
tagsaddr = 0x80200100
name =
cmdline = console=null androidboot.hardware=qcom user_debug=31
It may be possible to use that cmdline variable as an exploit.
0p8= tz - Trust Zone
0p9= pad
0p10= param -boot mode parameters - this could be a potential exploitation point.
0p11= efs -serial numbers
I've honestly got no clue about most of the following partitions.
0p12= modemst1
0p13= modemst2
0p14= system - Android stuff
0p15= userdata - App Stuff
0p16= persist
0p17= cache - Storage for updates
0p18= recovery - recovery partition
0p19= fota
0p20= backup
0p21= fsg
0p22= ssd
0p23= grow
External UART log from initial power up:
Code:
[1630] AST_POWERON
[ 0.000000] heap->name mm, mb->start c0000000
[ 0.000000] Reserving memory at address ea000000 size: 100000
[ 0.000000] sec_dbg_setup: [email protected]
[ 0.000000] sec_dbg_setup: secdbg_paddr = 0x88d90004
[ 0.000000] sec_dbg_setup: secdbg_size = 0x40000
[ 0.000000] etb_buf_setup: [email protected]
[ 0.000000] etb_buf_setup: secdbg_paddr = 0x8fffb9c0
[ 0.000000] etb_buf_setup: secdbg_size = 0x4000
[ 0.174515] rdev_init_debugfs: Error-Bad Function Input
[ 0.174881] AXI: msm_bus_fabric_init_driver(): msm_bus_fabric_init_driver
[ 0.176957] sec_debug_init: enable=0
[ 0.177475] ec_debug_nit: restrt_reason: 0xdf0085c
[ .216358] msm8960_iit_cam:292]settingdone!!
[ 0.25006] i2c 2c-14: Inalid 7-bi I2C addrss 0x00
0.25237] i2c ic-14: Can' create evice at x00
[ 0.252220]i2c i2c-1: Failed o registeri2c clien cmc624 t 0x38 (-6)
[ .252250] 2c i2c-19:Can't crete deviceat 0x38
0.25433] rdevinit_debufs: Error-ad Functin Input
0.25222] max892 19-006: DVS mode disabledbecause VD0 and VI1 do not ave prope control.
[ 0.79536] ms_etm msm_tm: ETM tacing is ot enable beacaussec_debug s not enaled!
[ 0.284449 smd_chanel_probe_orker: alocation tble not iitialized
[ 0.38766] pm_untime: fil to wak up
[ 0.362032]hdmi_msm dmi_msm.1 externalcommon_stte_create sysfs grup de39e68
[ 0362673] Iside writback_drivr_init
[ 0.36275] Insidewritebackprobe
[ 1.244803] TZCOM: unable to get bus clk
[ 1.431680] cm36651_setup_reg: initial proximity value = 3
[ 1.549671] msm_otg msm_otg: request irq succeed for otg_power
[ 1.566702] mms_ts 3-0048: [TSP] ISC Ver [0xbb] [0x20] [0x20]
[ 1.571341] mms_ts 3-0048: [TSP] fw is latest. Do not update.
[ 1.583488] [__s5c73m3_probe:3818] S5C73M3 probe
[ 1.587089] [s5c73m3_sensor_probe_cb:3793] Entered
[ 1.591942] [s5c73m3_i2c_probe:3675] Entered
[ 1.596123] [s5c73m3_init_client:3381] Entered
[ 1.600579] [s5c73m3_i2c_probe:3695] Exit
[ 1.604608] [s5c73m3_sensor_probe:3726] Entered
[ 1.609095] [s5c73m3_spi_init:226] Entered
[ 1.613154] [s5c73m3_spi_probe:191] Entered
[ 1.617335] [s5c73m3_spi_probe:201] s5c73m3_spi successfully probed
[ 1.623561] [s5c73m3_sensor_probe : 3749] Probe_done!!
[ 1.672638] mmc0: No card detect facilities available
[ 1.682984] aat1290a_led_probe : Probe
[ 1.693850] msm_soc_platform_init
[ 1.697298] msm_afe_afe_probe
[ 1.843064] msm_asoc_pcm_new
[ 1.849748] msm_asoc_pcm_new
[ 2.023134] set_dload_mode <1> ( c00176d4 )
[ 2.052220] cypress_touchkey 16-0020: Touchkey FW Version: 0x06
[ 2.123851] init: /init.qcom.rc: 466: invalid command '/system/bin/log'
[ 2.129620] init: /init.qcom.rc: 573: ignored duplicate definition of service 'sdcard'
[ 2.137402] init: /init.qcom.rc: 586: ignored duplicate definition of service 'ftm_ptt'
[ 2.145490] init: /init.target.rc: 73: ignored duplicate definition of service 'thermald'
[ 2.154677] init: could not open /dev/keychord
[ 2.239951] init: Device Encryption status is (0)!!
[ 2.243705] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p15 (ext4):::::
[ 2.251823] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p15
[ 2.588921] init: [disk_config] ext_check ->ok
[ 2.611597] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p17 (ext4):::::
[ 2.617762] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p17
[ 2.655333] init: [disk_config] ext_check -> ok
[ 2.664947] init: [disk_config] :::: fsck -> /dev/block/mmcblk0p11 (ext4):::::
[ 2.671081] init: [disk_config] ext_check -> /system/bin/e2fsck -v -y /dev/block/mmcblk0p11
[ 2.704532] init: [disk_config] ext_check -> ok
[ 3.259056] init: cannot find '/system/etc/install-recovery.sh', disabling 'flash_recovery'
[ 3.270471] init: cannot find '/system/bin/dmbserver', disabling 'dmb'
External UART log from battery-pull and reinsert
Code:
[1630] AST_POWERON
[ 0.000000] heap->name mm, mb->start c0000000
[ 0.000000] Reserving memory at address ea000000 size: 100000
[ 0.000000] sec_dbg_setup: [email protected]
[ 0.000000] sec_dbg_setup: secdbg_paddr = 0x88d90004
[ 0.000000] sec_dbg_setup: secdbg_size = 0x40000
[ 0.000000] etb_buf_setup: [email protected]
[ 0.000000] etb_buf_setup: secdbg_paddr = 0x8fffb9c0
[ 0.000000] etb_buf_setup: secdbg_size = 0x4000
[ 0.174484] rdev_init_debugfs: Error-Bad Function Input
[ 0.174851] AXI: msm_bus_fabric_init_driver(): msm_bus_fabric_init_driver
[ 0.176926] sec_debug_init: enable=0
[ 0.177445] sc_debug_iit: restat_reason 0xdf0086c
[ 0216206] [sm8960_int_cam:299]setting one!!
[ 0.217915 select_req_plan:ACPU PVS:Nominal
0.25206] i2c ic-14: Invaid 7-bit 2C addres 0x00
[ 0.25207] i2c i2-14: Can'tcreate deice at 0x0
[ 0252250] 2c i2c-19 Failed t register 2c clientcmc624 at0x38 (-16
[ 0252250] ic i2c-19: an't creae device t 0x38
[ 0.25243] rdev_iit_debugs: Error-Bd Functio Input
[ 0.25292] max895 19-0060:DVS modesdisabled ecause VI0 and VID do not hve propercontrols.
[ 0.29536] msmetm msm_em: ETM trcing is nt enable!
[ 0.35797] pm_rntime: fal to wakeupllcation tale not intialized
[ .362093] dmi_msm hmi_msm.1:external_ommon_stae_create:sysfs grop de39e60
[ 0.62734] Inide writeack_driverinit
[ 0.36285] Inside riteback_robe
[ 1.244803] TZCOM: unable to get bus clk
possible exploitations
Possible entry point MODEM - Someone with a JTAG setup test viability of modifying a single byte on /dev/block/mmcblk0p1
Possible entry point PARAMS - Samsung stores their boot parameters in PARAMS partition. It may be possible to modify PARAMS for insecure boot
Possible entry point BOOT - Modify CMDLINE parameter to load information from another location.
Possible entry point BOOT - We may be able to shove an insecure bootloader into memory, boot into that, and then use the recovery partition as our kernel partition. Bauwks 2nd U-Boot. U-Boot is available for the Exynos 4412, we need to find one for Qualcomm.
Possible entry point SYSTEM - It may be possible to use a 2nd init hack from this partition to load custom kernels into memory and reboot the kernel.
Current tasks
What do all of these partitions do?
Do we have a SDCard based recovery?
Where can we find an Odin3 CSC Flash?
Testing methods above is required
You may want to try using google translate for the French website. I gave it a shot and it translates pretty well. See attached (sorry, I'm not a developer, but am trying to help in any way I can). You can also try this url, but you may need to re-enter yourself
http://translate.google.com/transla...tf=1&u=http://blast.darkphpbb.com/faq.php#f42
What I am looking into is the upload mode available in Odin. It has no signature checks from what I can tell. Also do you mean a stock Odin file which we do have.
Adam, appreciate you keeping us up to date. As an electrical/systems engineer the journey is a great learning experience for me and all.
I'm not sure if you've come across this document. It talks about the MSM7xxx series security capabilities. I couldn't find one for the MSM8xxx, but this may give some insight into how Qualcomm approaches security.
MSM7xxx
Edit: Looks like you are aware of the concepts from your reference about IBL,PBL,SBL.
Not sure if this will be any help, but found this regarding the blast kernel:
http://www.anyclub.org/2012/06/how-to-add-more-physical-ram-memory.html
how to add more physical RAM memory section to Blast Kernel in the MDM9200/MDM9600
Blast Kernel has the capability to take more than one contiguous physical RAM space (section) and use it for its own system memory. In order to add more RAM mem section to Blast, the customer need to modify blast_config.c file.
Here is the example of adding 4MB additional RAM mem section.
In blast_config.c,
struct phys_mem_pool_config pool_configs[] __attribute__((weak)) = {
    {"DEFAULT_PHYSPOOL", // name
        {
            {0x00c00000, 0x02f00000}, // 47MB, the first mem section
            {0x00700000, 0x00400000}  // adding 4MB, QC default value is {0}
        }
    },
In this example, additional 4MB is added starting from 0x700000 physical address offset.
Please note the start address has to be physical address.
By adding the second mem section, the Blast Kernel can now use 51MB in total, while it used only 47MB before adding the 4MB mem section
Found this http://code.google.com/p/blastkernel/ (locked down though, I couldn't get access) which was linked from here (also in french but translated through google) but I'm unsure as to if it is related to the blastkernel you are looking for as all the links for the source code are now broken.
Also, while looking through the vz source I found that the person responsible for a lot of the vzw specific code also helped to develop this http://www.uclinux.org/ so maybe some of that source might be of some help too.
There are relatively large pins between the processor and the other larger chip on the back side of the board. I'm not sure what I'm looking at, but it's definitely communications of some kind. These were taken with the battery out of the device when plugged into USB. Each set starts a new unplug-plugin sequence.
This is from another pin on the back. As soon as plugged in, a series of 2's come out at 115200BPS:
Code:
22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222
Here's another one:
Code:
2"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""B""B""B""B"DB"DB"DB"D""D""D""D""D""�
All of these were located between the processor and SDCard. I must examine these better. In particular, there are two points at the corner of the processor just above where my needle is located in this picture.
Code:
U��UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU�UUU��JUU��UUUU��UUU��Z���UUUU���UUUUU���UUUUUU���UUUU���UUUUUUٙ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
These points seem to be what I'm looking for, as far as UART. Especially that last one. It moves just as you'd expect start-up checks to move, random strings of characters... While not intelligible in the above, after figuring out the bitrate I'm sure something will come through.
I need to analyze the bitrate at this point. I'm quitting for the night though.
I am at the wrong baud rate, but I think I pulled up some valuable boot data from the processor.
Just a sidenote - some of these testpoints might be CLK/PWM signals, the one with the series of "2222" seems like this.
Also - if UART coming out of FSA muxer is 115200bps - the same debug line, on testpoint before FSA must be 115200bps as well. Unless bootloader output goes to other port with different baud rate, which sounds unlikely.
Rebellos said:
Just a sidenote - some of these testpoints might be CLK/PWM signals, the one with the series of "2222" seems like this.
Also - if UART coming out of FSA muxer is 115200bps - the same debug line, on testpoint before FSA must be 115200bps as well. Unless bootloader output goes to other port with different baud rate, which sounds unlikely.
You're right about the 2's.. it's probably a sync signal or something....ie...
Code:
00000010
However, I don't believe the UART is all consistent. Here's my reasoning. Samsung does not control the processor or the initial bootloader on the processor. I've spoken to some engineers and they are frustrated because things must be sent to Qualcomm to get work done on the bootloaders. It's highly likely that they simply change the bps of the UART to match the Samsung standard.
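The baud-rate discussion in the posts above, as an added example that is not part of the original thread: a simulated 8N1 line shows why a capture read at the wrong rate comes out as noise, how the shortest pulse gives the real rate, and why a clock-like test point decodes as one repeated character. The sample rate, the function names and the test message are assumptions made for the illustration.

```python
"""Simulated 8N1 UART line: wrong baud rate reads as noise, a clock reads as one byte."""
from itertools import groupby

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)
FS = 115200 * 16            # assumed logic-analyzer sample rate in Hz
MSG = b"SBL2, Start\r\n"    # constructed test message (one of the SBL2 strings)


def encode_8n1(data, baud, sample_rate=FS, idle_bits=2):
    """Line level (1 = idle/high) sampled at sample_rate for `data` sent as 8N1."""
    spb = sample_rate // baud                      # samples per bit cell
    line = [1] * (idle_bits * spb)
    for byte in data:
        # start bit, eight data bits LSB first, stop bit
        cells = [0] + [(byte >> k) & 1 for k in range(8)] + [1]
        for level in cells:
            line.extend([level] * spb)
    line.extend([1] * (idle_bits * spb))
    return line


def decode_8n1(samples, baud, sample_rate=FS):
    """Minimal 8N1 receiver. Returns (decoded bytes, framing error count)."""
    spb = sample_rate / baud
    out, framing_errors = bytearray(), 0
    i, n = 1, len(samples)
    while i < n:
        if samples[i - 1] == 1 and samples[i] == 0:    # falling edge = start bit
            mids = [int(i + (k + 0.5) * spb) for k in range(10)]
            if mids[-1] >= n:
                break                                  # frame runs past the capture
            bits = [samples[m] for m in mids]
            if bits[0] == 0:                           # skip glitches under half a bit
                if bits[9] == 1:                       # stop bit must be high
                    out.append(sum(b << k for k, b in enumerate(bits[1:9])))
                else:
                    framing_errors += 1
                i = mids[9]                            # resume inside the stop bit
        i += 1
    return bytes(out), framing_errors


def estimate_baud(samples, sample_rate=FS):
    """Shortest pulse is one bit cell; snap its rate to the nearest standard baud."""
    runs = [sum(1 for _ in g) for _, g in groupby(samples)]
    inner = runs[1:-1]          # first and last runs are cut by the capture window
    if not inner:
        raise ValueError("no transitions in capture")
    raw = sample_rate / min(inner)
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))


def square_wave(freq, n_samples, sample_rate=FS):
    """50% duty clock starting high, as a free-running CLK test point would look."""
    half = sample_rate // (2 * freq)
    return [1 if (j // half) % 2 == 0 else 0 for j in range(n_samples)]


def demo():
    line = encode_8n1(MSG, 115200)
    return {
        "right rate": decode_8n1(line, 115200),
        "wrong rate": decode_8n1(line, 57600),
        "estimated baud": estimate_baud(line),
        "57.6 kHz clock read at 115200": decode_8n1(square_wave(57600, 16 * 200), 115200),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

A square wave at half the receiver's baud rate satisfies the start and stop bit checks on every frame, so it produces a clean run of identical bytes with no framing errors, which is how a clock or sync line can pass for UART data.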
Thanks to Josh Groce at MobileTechVideos for the heads up on this trick: I was able to mount the Qualcomm Modem partition which I also believe to be the PBL as a FAT partition
Code:
[email protected]:~/Desktop/VZWGS3$ sudo mount ./0p1 ./p1
[email protected]:~/Desktop/VZWGS3$ ls -l ./p1
total 16
drwxr-xr-x 2 root root 16384 Jul 5 2011 image
[email protected]:~/Desktop/VZWGS3$ ls -l ./p1/image
total 42464
-rwxr-xr-x 1 root root 244 Jun 15 08:33 dsps.b00
-rwxr-xr-x 1 root root 160 Jun 15 08:33 dsps.b01
-rwxr-xr-x 1 root root 147456 Jun 15 08:33 dsps.b02
-rwxr-xr-x 1 root root 31872 Jun 15 08:33 dsps.b03
-rwxr-xr-x 1 root root 6220 Jun 15 08:33 dsps.b04
-rwxr-xr-x 1 root root 13824 Jun 15 08:33 dsps.b05
-rwxr-xr-x 1 root root 404 Jun 15 08:33 dsps.mdt
-rwxr-xr-x 1 root root 180 Jun 15 07:50 dxhdcp2.b00
-rwxr-xr-x 1 root root 6520 Jun 15 07:50 dxhdcp2.b01
-rwxr-xr-x 1 root root 135168 Jun 15 07:50 dxhdcp2.b02
-rwxr-xr-x 1 root root 2100 Jun 15 07:50 dxhdcp2.b03
-rwxr-xr-x 1 root root 6700 Jun 15 07:50 dxhdcp2.mdt
-rwxr-xr-x 1 root root 308 Jun 15 08:33 modem.b00
-rwxr-xr-x 1 root root 6600 Jun 15 08:33 modem.b01
-rwxr-xr-x 1 root root 21960368 Jun 15 08:33 modem.b02
-rwxr-xr-x 1 root root 4962049 Jun 15 08:33 modem.b03
-rwxr-xr-x 1 root root 1358104 Jun 15 08:33 modem.b04
-rwxr-xr-x 1 root root 72208 Jun 15 08:33 modem.b06
-rwxr-xr-x 1 root root 707124 Jun 15 08:33 modem.b07
-rwxr-xr-x 1 root root 1044 Jun 15 08:25 modem_f1.b00
-rwxr-xr-x 1 root root 7060 Jun 15 08:25 modem_f1.b01
-rwxr-xr-x 1 root root 2676 Jun 15 08:25 modem_f1.b02
-rwxr-xr-x 1 root root 954800 Jun 15 08:25 modem_f1.b03
-rwxr-xr-x 1 root root 575208 Jun 15 08:25 modem_f1.b04
-rwxr-xr-x 1 root root 246484 Jun 15 08:25 modem_f1.b05
-rwxr-xr-x 1 root root 94208 Jun 15 08:25 modem_f1.b06
-rwxr-xr-x 1 root root 13568 Jun 15 08:25 modem_f1.b07
-rwxr-xr-x 1 root root 11212 Jun 15 08:25 modem_f1.b08
-rwxr-xr-x 1 root root 9548 Jun 15 08:25 modem_f1.b09
-rwxr-xr-x 1 root root 68223 Jun 15 08:25 modem_f1.b10
-rwxr-xr-x 1 root root 113468 Jun 15 08:25 modem_f1.b13
-rwxr-xr-x 1 root root 164412 Jun 15 08:25 modem_f1.b14
-rwxr-xr-x 1 root root 3604 Jun 15 08:25 modem_f1.b21
-rwxr-xr-x 1 root root 28156 Jun 15 08:25 modem_f1.b22
-rwxr-xr-x 1 root root 19136 Jun 15 08:25 modem_f1.b23
-rwxr-xr-x 1 root root 74360 Jun 15 08:25 modem_f1.b25
-rwxr-xr-x 1 root root 49740 Jun 15 08:25 modem_f1.b26
-rwxr-xr-x 1 root root 84476 Jun 15 08:25 modem_f1.b29
-rwxr-xr-x 1 root root 1064 Jun 15 08:25 modem_f1.fli
-rwxr-xr-x 1 root root 8104 Jun 15 08:25 modem_f1.mdt
-rwxr-xr-x 1 root root 1044 Jun 15 08:25 modem_f2.b00
-rwxr-xr-x 1 root root 7060 Jun 15 08:25 modem_f2.b01
-rwxr-xr-x 1 root root 2676 Jun 15 08:25 modem_f2.b02
-rwxr-xr-x 1 root root 955792 Jun 15 08:25 modem_f2.b03
-rwxr-xr-x 1 root root 579032 Jun 15 08:25 modem_f2.b04
-rwxr-xr-x 1 root root 239892 Jun 15 08:25 modem_f2.b05
-rwxr-xr-x 1 root root 94208 Jun 15 08:25 modem_f2.b06
-rwxr-xr-x 1 root root 13568 Jun 15 08:25 modem_f2.b07
-rwxr-xr-x 1 root root 11212 Jun 15 08:25 modem_f2.b08
-rwxr-xr-x 1 root root 9580 Jun 15 08:25 modem_f2.b09
-rwxr-xr-x 1 root root 68223 Jun 15 08:25 modem_f2.b10
-rwxr-xr-x 1 root root 116188 Jun 15 08:25 modem_f2.b13
-rwxr-xr-x 1 root root 158012 Jun 15 08:25 modem_f2.b14
-rwxr-xr-x 1 root root 3604 Jun 15 08:25 modem_f2.b21
-rwxr-xr-x 1 root root 28156 Jun 15 08:25 modem_f2.b22
-rwxr-xr-x 1 root root 19200 Jun 15 08:25 modem_f2.b23
-rwxr-xr-x 1 root root 74360 Jun 15 08:25 modem_f2.b25
-rwxr-xr-x 1 root root 49756 Jun 15 08:25 modem_f2.b26
-rwxr-xr-x 1 root root 84476 Jun 15 08:25 modem_f2.b29
-rwxr-xr-x 1 root root 1064 Jun 15 08:25 modem_f2.fli
-rwxr-xr-x 1 root root 8104 Jun 15 08:25 modem_f2.mdt
-rwxr-xr-x 1 root root 6908 Jun 15 08:33 modem.mdt
-rwxr-xr-x 1 root root 276 Jun 15 08:24 q6.b00
-rwxr-xr-x 1 root root 6580 Jun 15 08:24 q6.b01
-rwxr-xr-x 1 root root 3447760 Jun 15 08:24 q6.b03
-rwxr-xr-x 1 root root 1653278 Jun 15 08:24 q6.b04
-rwxr-xr-x 1 root root 757840 Jun 15 08:24 q6.b05
-rwxr-xr-x 1 root root 14472 Jun 15 08:24 q6.b06
-rwxr-xr-x 1 root root 6856 Jun 15 08:24 q6.mdt
-rwxr-xr-x 1 root root 180 Jun 15 07:50 tzapps.b00
-rwxr-xr-x 1 root root 6520 Jun 15 07:50 tzapps.b01
-rwxr-xr-x 1 root root 503808 Jun 15 07:50 tzapps.b02
-rwxr-xr-x 1 root root 452 Jun 15 07:50 tzapps.b03
-rwxr-xr-x 1 root root 6700 Jun 15 07:50 tzapps.mdt
-rwxr-xr-x 1 root root 212 Jun 15 07:44 wcnss.b00
-rwxr-xr-x 1 root root 140 Jun 15 07:44 wcnss.b01
-rwxr-xr-x 1 root root 8360 Jun 15 07:44 wcnss.b02
-rwxr-xr-x 1 root root 1778532 Jun 15 07:44 wcnss.b04
-rwxr-xr-x 1 root root 352 Jun 15 07:44 wcnss.mdt
[email protected]:~/Desktop/VZWGS3$
tz - is the trustzone, normal qualcomm
cache - should not be the dalvik cache, dalvik cache should be on the userdata partition from now on. (Could be wrong, don't have the device). Cache should be almost strictly for updates and recovery use now.
boot itself is signed, not the zImage.
I believe hopping on the developer device is a better option, not only is it made for such, it's also not purchasing a phone within Verizon's sales network (my favorite part of it all)
But Google slapped on the GPLv3, I believe. And since GPL allows multiple licenses, the TIVO clause would still apply. Correct me if I am wrong.
Adam, you may want to look at this. It's found in otacert.zip in this folder:
http://db.tt/f4QYrK8x
Sent from my SCH-I535 using Tapatalk 2
In the uart dump in the op, the line stamped at 1.57 seems interesting. Looks like the modem (assuming that's still where the activity is going on then) is checking firmware. Makes me think that there might be something there that could be captured. I wonder where it is confirming the fw is updated.
This might not be useful, but it seems interesting.
Sent from my SCH-I535 using Xparent ICS Tapatalk 2
Why not try the Samsung flash utility instead of Odin.
Sent from my SCH-I535 using Tapatalk 2
tpike said:
In the uart dump in the op, the line stamped at 1.57 seems interesting. Looks like the modem (assuming that's still where the activity is going on then) is checking firmware.
Usually the firmware is loaded and checked in modem by modem RTOS kernel. But I don't know what modem (BP/CP) is used in the Verizon S3...
Errata to OP:
/efs partition on Qualcomm models is, as far as I know, empty (not used)
AdamLange said:
Errata to OP:
/efs partition on Qualcomm models is, as far as I know, empty (not used)
Many people on the forums here have stated IMEI information is stored in a file within /efs (at least on GSM models?) but I can't confirm myself.
There are several threads about attempting to restore lost IMEIs that might have more info.
papi92 said:
Adam, you may want to look at this. It's found in otacert.zip in this folder:
http://db.tt/f4QYrK8x
Sent from my SCH-I535 using Tapatalk 2
That's just the public key VZW uses to sign updates. Not of use to us.
I was playing around with Odin3. I'm a Linux guy so this was exploration for me.... I was able to make my own Odin package with signed Samsung images under Linux and flash it with Odin3 under Windows.
Code:
[email protected]:~/Desktop/Untitled Folder$ tar -cf OdinCustom.tar recovery.img boot.img
[email protected]:~/Desktop/Untitled Folder$ md5sum -t OdinCustom.tar >> OdinCustom.tar
[email protected]:~/Desktop/Untitled Folder$ mv ./OdinCustom.tar ./OdinCustom.tar.md5
[email protected]:~/Desktop/Untitled Folder$
The first command creates a TAR (Tape ARchive format) of a recovery.img and a boot.img in a file called OdinCustom.tar. The second command then appends the MD5 to the end of the package. The third command renames it to OdinCustom.tar.md5. The resulting file is flashable by Odin.
This could prove useful if we can find another Qualcomm device which has a bootloader signed by Samsung.
Also, Odin3 has a cool inf file which can be modified to change the title and characteristics of Odin3 http://i49.tinypic.com/352q7t0.png
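The `.tar.md5` layout produced by the three commands above can be checked from the receiving side. The following is an added example, not part of the original post and not Odin's own code: it assumes the trailer is exactly the line `md5sum -t` prints, and the member contents are constructed stand-ins. It also shows that the trailer only detects corruption, since anyone can recompute an unkeyed MD5, so authenticity has to come from the signatures on the images themselves.

```python
import hashlib
import io
import re
import tarfile

# Trailer produced by `md5sum -t NAME >> NAME`: 32 hex digits, a space, a mode
# character (' ' text, '*' binary), the original file name and a newline.
TRAILER_RE = re.compile(rb"([0-9a-f]{32}) [ *]([^\x00\n]+)\n\Z")


def build_tar(members):
    """Return tar archive bytes for {name: content}, like `tar -cf`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def append_md5(tar_bytes, tar_name):
    """Append the md5sum output line, as `md5sum -t x.tar >> x.tar` does."""
    digest = hashlib.md5(tar_bytes).hexdigest()
    return tar_bytes + f"{digest}  {tar_name}\n".encode("ascii")


def inspect_tar_md5(package):
    """Split a .tar.md5 into archive and trailer, then check the trailer."""
    match = TRAILER_RE.search(package[-1024:])
    if match is None:
        raise ValueError("no md5sum trailer at end of file")
    body = package[: len(package) - len(match.group(0))]
    stored = match.group(1).decode("ascii")
    computed = hashlib.md5(body).hexdigest()
    with tarfile.open(fileobj=io.BytesIO(body), mode="r:") as tar:
        names = tar.getnames()
    return {
        "trailer_name": match.group(2).decode("ascii", "replace"),
        "stored_md5": stored,
        "computed_md5": computed,
        "md5_ok": stored == computed,
        "block_aligned": len(body) % 512 == 0,  # tar data comes in 512-byte blocks
        "members": names,
    }


def demo():
    # Constructed stand-ins for recovery.img and boot.img.
    tar_bytes = build_tar({"recovery.img": b"R" * 700, "boot.img": b"B" * 300})
    package = append_md5(tar_bytes, "OdinCustom.tar")
    clean = inspect_tar_md5(package)

    # Flip one byte of recovery.img's data (member data starts right after the
    # 512-byte header) and leave the trailer alone: the check fails.
    corrupted = bytearray(package)
    corrupted[512] ^= 0xFF
    damaged = inspect_tar_md5(bytes(corrupted))

    # Recompute the trailer over the modified archive: the check passes again,
    # because the MD5 is unkeyed and anyone can regenerate it.
    body = bytes(corrupted[: len(tar_bytes)])
    rehashed = inspect_tar_md5(append_md5(body, "OdinCustom.tar"))
    return clean, damaged, rehashed


if __name__ == "__main__":
    for label, report in zip(("clean", "corrupted", "re-hashed"), demo()):
        print(label, report["md5_ok"], report["members"])
```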
I found something in the Qualcomm bootloader (first partition, which is a FAT32 and appears to be unsigned) in the tzapps.b02 file which may or may not be of use. Apparently they are looking for something called "/file/file.dat" and it contains dummy data for executive test suite. May be a possible exploit.
Also, this is a very important excerpt from the Qualcomm manual mentioned earlier... http://www.scribd.com/doc/51789612/80-V9038-15-APPLICATION-NOTE-MSM7XXX-QFUSES-AND-SECURITY
Code:
The PBL performs the following functions during a cold boot:
■ Performs the minimal hardware setup required for PBL execution
■ Reads off-chip boot configuration data from the flash memory
■ Processes configuration data setting up clocks and memory access based on this data
■ Loads the QCSBL image from the flash memory into the RAM
■ Authenticates the QCSBL image if authentication is enabled
■ Branches execution to the QCSBL image
Reads off-chip boot configuration data from the flash memory!
I spent a lot of time tonight looking at the individual files on the MODEM partition. I got nowhere except to possibly add a test file I mentioned above. It was a lot of data to go through. That MODEM is 60 megs!
So, I started looking at the SBL1 file. Now, it appears that this file runs linearly and tells a story as it goes through...
Code:
[email protected]:~/Desktop/VZWGS3$ strings ./0p2|head -n 200
: 2q
: 4q
`" 2q
: 4q
: 4q
(R '
(R '
(R '
~}|{zyxwvvutsrqqponnmllkjjihhgffeddccbaa``__^^]]\\[[ZZYYXXWWVVUUUTTSSRRRQQPPPOOONNMMMLLLKKKJJJIIIHHHGGGGFFFEEEDDDDCCCCBBBBAAA
/!(
/!(0
/!(0
/!(
SDCC4 HAL v2.0.1
boot_error_handler.c
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
boot_pbl_authenticator.c
boot_clobber_prot.c
boot_clobber_prot_local.c
boot_clobber_prot.c
boot_clobber_prot_local.c
boot_config.c
boot_config.c
*Image Loaded by %s, Start on 0x%x
Data Abort
boot_mc.c
boot_error_handler.c
*BOOT
SCL_SBL1_STACK_BASE-SCL_SBL1_STACK_SIZE
boot_error_handler.c
boot_flash_dev_if.c
boot_flash_dev_if.c
boot_flash_dev_if.c
boot_flash_dev_sdcc_if.c
boot_flash_dev_sdcc_if.c
boot_flash_dev_sdcc.c
boot_flash_init, Start
boot_flash_init, Delta
boot_flash_target.c
boot_flash_trans_sdcc.c
*[email protected]
boot_flash_trans_sdcc.c
boot_fota_restore_partition, Start
boot_fota_restore_partition, Delta
boot_fota_restore_partition, Start
restore_fota_partition fail
boot_fota_restore_partition, Delta
boot_error_handler.c
boot_error_handler.c
boot_loader.c
*[email protected]
*[email protected]
boot_pbl_authenticator.c
boot_pbl_v1.c
boot_pbl_v1.c
boot_pbl_v1.c
Prefetch Abort
boot_error_handler.c
boot_rollback_version.c
boot_flash_dev_sdcc.c
boot_error_handler.c
Undefined
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_flash_dev_sdcc.c
boot_sdcc_hotplug.c
EFI PART
%sp%lu
%sh%d
%s%c%lu
*[email protected]
boot_sdcc_hotplug.c
boot_sdcc_hotplug.c
read fail
*hdev open fail: fota
hdev open fail: dest
size fail: src
size fail: too big
read fail: src
read fail: dest
write fail: signature clear
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*[email protected]
*|@-
boot_sdcc_hotplug.c
%sp%lu
*[email protected]
*[email protected]
SBL1, End
SBL1, Delta
*[email protected]
sbl1_check_device_temp, Start
sbl1_check_device_temp, Delta
sbl1_hw.c
sbl1_hw_init, Start
sbl1_hw_init, Delta
*SBL1, Start
scatterload_region && ram_init, Start
*scatterload_region && ram_init, Delta
sbl1_mc.c
sbl1_mc.c
*[email protected]
*[email protected]
*[email protected]
*{%u}
n;^
Qkkbal
i]Wb
9a&g
MGiI
wn>Jj
#.zf
+o*7
[email protected]
[email protected]
SBL2 Image Loaded, Delta
SBL1
DSP1
RAMFS1
SBL2
DSP2
RAMFS2
SBL3
ADSP_Q5
NONE
NANDPRG
NORPRG
HASH
QCSBL
FSBL
OSBL
APPSBL
OEM_SBL
EHOSTDL
APPS_KERNEL
BACKUP_RAMFS
APPS
AMSS
SSD_KEYS
fs_hotplug_api.c
Assertion phy_hdev != NULL failed
boot_flash_trans_sdcc
boot_flash_trans_sdcc_factory
boot_flash_dev_sdcc
HAL_SBI_SSBI_V2_PMIC_ARBITER
fs_hotplug_iter.c
Assertion 0 failed
fs_hotplug_legacy_hdev.c
Assertion phy_hdev->legacy_hdev != NULL failed
fs_hotplug_partition.c
Assertion parti->is_locked == 0 failed
Assertion parti->is_formatting == 0 failed
Assertion parti->is_locked == 1 failed
Assertion parti->is_formatting == 1 failed
Assertion parti->ref_cnt >= 1 failed
Assertion hdev_name != NULL failed
Assertion parti != NULL failed
fs_hotplug_dev_state.c
Assertion phy_hdev->dev_state == HPDEV_UNDISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_DISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED || phy_hdev->dev_state == HPDEV_LOCKED || phy_hdev->dev_state == HPDEV_FORMATTING || phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_MOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED failed
fs_hotplug_poll.c
Assertion phy_hdev->bdev_handle == NULL failed
Assertion phy_hdev->parti_list == NULL failed
Assertion phy_hdev->hdev_list == NULL failed
fs_blockdev_devnull_driver.c
Assertion devnull_ops != NULL failed
/hdev/dev.null
BDEV_DEVNULL_DRIVER
BDEV_SD_DRIVER
/hdev/sdc1
/hdev/sdc2
/hdev/sdc3
/hdev/sdc4
fs_blockdev_sd_driver.c
Assertion sdcc_ops != NULL failed
fs_hotplug_parser.c
Assertion blk_cnt != 0 failed
fs_blockdev_sd.c
Assertion sd_data != NULL failed
Assertion handle != NULL failed
Assertion sdcc_handle != NULL failed
Assertion bytes_per_block != NULL failed
Assertion blocks != NULL failed
Assertion bdev != NULL failed
Assertion dev->driveno < max_sd_slots failed
@@@@@@@@@[email protected]@@@@@@@@@@@@@@@@@
Format: Log Type - Time(microsec) - Message
Log type: B - since boot(excluding boot rom). D - delta
OVERFLOW
........
Particularly "boot_fota_restore_partition, Start". It looks like one of the first things the GS3 does is check for information to be updated on FOTA partition. Whatever it chooses to do, it performs security checks on the size, and a few other things.
I believe it then loads SBL2, as the rest of the partitions do not have this message: "SBL2 Image Loaded, Delta".
SBL2:
Code:
[email protected]:~/Desktop/VZWGS3$ strings ./0p3
SVC: R1-R14
FIQ:R13-R14
IRQ:R13-R14
UND:R13-R14
ABT:R13-R14
SYS:R13-R14
[email protected]
K{DiF
K{DiF
D(b(F
hu)AF
019Ud
3F*[email protected]
G [email protected]
&_F F
h/F F
fJF)F F&`NF
F 9"
pJpO
: 4q
: 6q
: 8q
! 6q
`" 2q
: 4q
pG hJ
G [email protected]
bNE
G [email protected]
G [email protected]
j8D b F
02:Ud
3F*[email protected]
CreT
#L|D
!L|D
F)F F
5EC/
x0(
02bUm
#\b\cTI
FAF F
F!h
b h
G jv
G [email protected]
G [email protected]
,pp
2F!F
G [email protected]
1JzD
2FhF
2FiF
: 4q
: 6q
: 8q
bF9FN
RAIAK
bF9FN
RAIAK
bF9FN
~}|{zyxwvvutsrqqponnmllkjjihhgffeddccbaa``__^^]]\\[[ZZYYXXWWVVUUUTTSSRRRQQPPPOOONNMMMLLLKKKJJJIIIHHHGGGGFFFEEEDDDDCCCCBBBBAAA
! 3[B
[email protected]
[email protected]
SDCC4 HAL v2.0.1
pGxG
.boot_error_handler.c
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
.boot_auth_if.c
.boot_auth_if.c
.boot_sbl_authenticator.c
.boot_clobber_prot.c
.boot_clobber_prot_local.c
boot_clobber_prot.c
boot_clobber_prot_local.c
boot_config_data_table_init, Start
.boot_config_data_table_init, Delta
.boot_config.c
.boot_config.c
.Image Loaded by %s, Start on 0x%x
Data Abort
Ufw}3{
O*2PC~
[email protected]
.boot_mc.c
.0:ALL
.boot_error_handler.c
.BOOT
SCL_SBL2_STACK_BASE-SCL_SBL2_STACK_SIZE
.boot_error_handler.c
.boot_flash_dev_if.c
.boot_flash_dev_if.c
.boot_flash_dev_if.c
.boot_flash_dev_sdcc_if.c
.boot_flash_dev_sdcc_if.c
.boot_flash_dev_sdcc.c
boot_flash_init, Start
boot_flash_init, Delta
.boot_flash_target.c
.boot_flash_trans_sdcc.c
[email protected]
.boot_flash_trans_sdcc.c
.boot_hash.c
.boot_hash_if.c
.boot_hash_if.c
.boot_sys_loader.c
.boot_error_handler.c
.boot_error_handler.c
.boot_loader.c
.boot_loader.c
.boot_logger_ram.c
[email protected]
[email protected]
BRPMSignal SBL1 to Jump to RPM FW
.boot_sys_loader.c
.boot_pbl_v1.c
.boot_pbl_v1.c
.boot_pbl_v1.c
.boot_pbl_v1.c
Prefetch Abort
.boot_error_handler.c
.boot_rollback_version.c
.boot_sbl_authenticator.c
.boot_flash_dev_sdcc.c
[email protected]
.boot_ddr_info.c
.boot_sbl_authenticator.c
.boot_error_handler.c
Undefined
[email protected]
[email protected]
[email protected]
[email protected]
RDDL
Testing DDR Read/Write.
.Testing DDR Read/Write: Memory map.
Testing DDR Read/Write: Data lines.
Testing DDR Read/Write: Address lines.
Testing DDR Read/Write: Own-address algorithm.
Testing DDR Read/Write: Walking-ones algorithm.
Testing DDR Deep Power Down.
Testing DDR Deep Power Down: Entering deep power down.
Testing DDR Deep Power Down: In deep power down.
Testing DDR Deep Power Down: Exiting deep power down.
Testing DDR Deep Power Down: Read/write pass.
Testing DDR Self Refresh.
.Testing DDR Self Refresh: Write pass.
Testing DDR Self Refresh: Read pass.
Testing DDR Self Refresh: Entering self refresh.
Testing DDR Self Refresh: In self refresh.
Testing DDR Self Refresh: Exiting self refresh.
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
.boot_flash_dev_sdcc.c
[email protected]
.CDT
.Error: Platform ID EEPROM is not programmed
boot_config_data.c
.boot_sdcc_hotplug.c
[email protected]
EFI PART
%sp%lu
%sh%d
%s%c%lu
[email protected]
.boot_sdcc_hotplug.c
.boot_sdcc_hotplug.c
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
.|@-
.boot_sdcc_hotplug.c
%sp%lu
[email protected]
[email protected]
[email protected]
0!0
[email protected]
RPM loading is successful.
cancel RPM loading!
SBL2, End
SBL2, Delta
.sbl2_hw.c
sbl2_hw_init, Start
sbl2_hw_init, Delta
sbl2_hw_init_secondary, Start
h/w version : %d
sbl2_hw_init_secondary, Delta
.SBL2, Start
scatterload_region & ram_init, Start
.scatterload_region & ram_init, Delta
.sbl2_mc.c
sbl2_retrieve_shared_info_from_sbl1, Start
.sbl2_retrieve_shared_info_from_sbl1, Delta
.sbl2_mc.c
[email protected]
.sbl2_config.c
[email protected]
.boot_hash.c
[email protected]
[email protected]
[email protected]
[email protected]
.SHA256
[email protected]
LOGM
.{%u}
Tz Execution, Start
Tz Execution, Delta
pG B
0pGO
!pGO
sbl2_ddr_init
DalEnv
TargetCfg
SHA1
DEBUG
SW_ID
HW_ID
OEM_ID
SHA256
n;^
Qkkbal
i]Wb
9a&g
MGiI
wn>Jj
#.zf
+o*7
DEV_SDC1
DEV_SDC2
DEV_SDC3
DEV_SDC4
CHAN_SDC1
CHAN_SDC2
CHAN_SDC3
CHAN_SDC4
[email protected]
[email protected]
SBL3 Image Loaded, Delta
RPM Image Loaded, Delta
TZ Image Loaded, Delta
boot_auth
boot_hash
SBL1
DSP1
RAMFS1
SBL2
DSP2
RAMFS2
SBL3
ADSP_Q5
NONE
NANDPRG
NORPRG
HASH
QCSBL
FSBL
OSBL
APPSBL
OEM_SBL
EHOSTDL
APPS_KERNEL
BACKUP_RAMFS
APPS
AMSS
SSD_KEYS
fs_hotplug_api.c
Assertion phy_hdev != NULL failed
boot_flash_trans_sdcc
boot_flash_trans_sdcc_factory
boot_flash_dev_sdcc
fs_hotplug_iter.c
Assertion 0 failed
fs_hotplug_legacy_hdev.c
Assertion phy_hdev->legacy_hdev != NULL failed
fs_hotplug_partition.c
Assertion parti->is_locked == 0 failed
Assertion parti->is_formatting == 0 failed
Assertion parti->is_locked == 1 failed
Assertion parti->is_formatting == 1 failed
Assertion parti->ref_cnt >= 1 failed
Assertion hdev_name != NULL failed
Assertion parti != NULL failed
fs_hotplug_dev_state.c
Assertion phy_hdev->dev_state == HPDEV_UNDISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_DISCOVERED failed
Assertion phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED || phy_hdev->dev_state == HPDEV_LOCKED || phy_hdev->dev_state == HPDEV_FORMATTING || phy_hdev->dev_state == HPDEV_UNMOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_MOUNTED failed
Assertion phy_hdev->dev_state == HPDEV_UNINITIALIZED failed
fs_hotplug_poll.c
Assertion phy_hdev->bdev_handle == NULL failed
Assertion phy_hdev->parti_list == NULL failed
Assertion phy_hdev->hdev_list == NULL failed
fs_blockdev_devnull_driver.c
Assertion devnull_ops != NULL failed
/hdev/dev.null
BDEV_DEVNULL_DRIVER
BDEV_SD_DRIVER
/hdev/sdc1
/hdev/sdc2
/hdev/sdc3
/hdev/sdc4
fs_blockdev_sd_driver.c
Assertion sdcc_ops != NULL failed
fs_hotplug_parser.c
Assertion blk_cnt != 0 failed
fs_blockdev_sd.c
Assertion sd_data != NULL failed
Assertion handle != NULL failed
Assertion sdcc_handle != NULL failed
Assertion bytes_per_block != NULL failed
Assertion blocks != NULL failed
Assertion bdev != NULL failed
Assertion dev->driveno < max_sd_slots failed
@@@@@@@@@[email protected]@@@@@@@@@@@@@@@@@
Format: Log Type - Time(microsec) - Message
Log type: B - since boot(excluding boot rom). D - delta
OVERFLOW
AT24C128BN
:Hg~
D{L0
*gRn
0D,l}
b=Fe-+
gW6y
South Korea1
Suwon City1
Samsung Corporation1
DMC1#0!
Samsung AttestationCA cert1%0#
[email protected]
120614224636Z
320609224636Z0
KR1!0
Samsung Attestation CERT1
Suwon City1
Samsung Corporation1
South Korea1
04 0000 OEM_ID1%0#
[email protected]
05 0001E0C8 SW_SIZE1
06 0000 MODEL_ID1
07 0001 SHA2561"0
01 0000000000000005 SW_ID1"0
02 006B10E100000000 HW_ID1"0
03 0000000000000000 DEBUG0
y$_$
[OLW'}
Q^<T
&#xk#
z0x0:
3010/
)http://crl.qdst.com/crls/qctdevattest.crl0
6p5o
%e>I`
<dQ=#
South Korea1
Suwon City1
Samsung Corporation1
DMC1
Samsung Root CA cert1%0#
[email protected]
120412114438Z
320407114438Z0
South Korea1
Suwon City1
Samsung Corporation1
DMC1#0!
Samsung AttestationCA cert1%0#
[email protected]
&bMb
%pWj\
`0^0
#7ie
?f{M
South Korea1
Suwon City1
Samsung Corporation1
DMC1
Samsung Root CA cert1%0#
[email protected]
120412114438Z
320407114438Z0
South Korea1
Suwon City1
Samsung Corporation1
DMC1
Samsung Root CA cert1%0#
[email protected]
U)_|e}f
^AZp
<0:0
v)BT
zd0u
=j[P
As for SBL2, it looks like it starts up, performs security checks, then it can jump to the "RPM" partition: "RPM loading is successful.", "cancel RPM loading!", ".BRPM", "Signal SBL1 to Jump to RPM FW". This may be Odin, or some other undiscovered mode, I'm not sure yet, and it looks like "ABOOT" is actually Odin's partition... What is RPM?
It then executes "TZ" or "Trust Zone" which I need to do some reading on...
More to come later. It's late and I need to get some rest.
{i} PARAMS
AdamOutler said:
possible exploitations
Possible entry point PARAMS - Samsung stores their boot parameters in PARAMS partition. It may be possible to modify PARAMS for insecure boot
The PARAMS partition (from an adb dump) contains almost all 0's. Here are the first 32 bytes
(laid out in hex offsets of 0x00000000 && 0x00000010):
Code:
00000000 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
00000010 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
From what I understand, each occurrence of 01 indicates a boot_mode variable that the SBL reads*. The rest of the file, about 10,485,739 bytes of data, can contain information for other variables such as debug_level and switch_sel and maybe more, but I have to look more into disassembling the SBL partition image (sbl2.img) to see what other variables there are. I'll report back as soon as I have any more info on that.
*See this link for more info on the param.blk:
http://epiccm.blogspot.com/p/stock-firmware.html
I think it's interesting that from an adb dump, BOOT, EFS, FOTA and PARAMS are all the same size. Only BOOT and PARAMS contain any data though. EFS and FOTA must be loaded from the BOOT partition depending on the boot variables loaded in the PARAMS partition, but I may be wrong on that.
As for booting from SDcard here's a link on how it was done with the Epic 4G:
http://epiccm.blogspot.com/2012/01/multiboot-android-for-debuggingtesting.html
The instructions seem like they should work, especially since they had to use kexec to load from the SDcard and the SGS3 will have to do the same for now. I haven't built this yet, but I will give it a go as soon as I have a spare moment.
EDIT: this might be what you're looking for as far as booting from SD --> http://forum.xda-developers.com/showthread.php?t=1774795 END EDIT
I am currently manually going through each hex offset in IDA and searching for commands to disassemble aboot.img. I haven't gotten very far as this is extremely time intensive.
I can post any disasm DBs that anyone wants. They can get rather large though.
On a side note, I'm using IDAPro6.1 for disassembly of the adb dumped partitions. If you have any pointers on using IDA for debugging/disassembling android partitions, that would be fantastic. I have an arm toolchain, but beyond that IDA I've only had experience poking at Window$ crap.
Ta,
ALQI
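One way to read the 32 bytes quoted in the post above, as an added example that is not part of the original post: it rebuilds the bytes from the hexdump lines and tests the hypothesis that the `01` bytes are 32-bit little-endian fields. That word layout is an assumption, the function names are hypothetical, and the padded image at the end is constructed.

```python
import struct

# First 32 bytes of the PARAMS dump, copied from the post above.
PARAMS_HEXDUMP = """\
00000000 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
00000010 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
"""


def parse_hexdump(text):
    """Rebuild bytes from 'OFFSET b0 b1 ...' lines, checking offsets are contiguous."""
    data = bytearray()
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        offset = int(fields[0], 16)
        if offset != len(data):
            raise ValueError(f"gap or overlap at offset {offset:#x}")
        data += bytes(int(field, 16) for field in fields[1:])
    return bytes(data)


def nonzero_words(data, chunk=4096):
    """Return [(offset, value)] for every non-zero little-endian 32-bit word."""
    if len(data) % 4:
        raise ValueError("length is not a multiple of 4 bytes")
    found = []
    for base in range(0, len(data), chunk):
        block = data[base:base + chunk]
        if block.count(0) == len(block):  # skip all-zero blocks quickly
            continue
        for index, (value,) in enumerate(struct.iter_unpack("<I", block)):
            if value:
                found.append((base + 4 * index, value))
    return found


def all_nonzero_bytes_word_aligned(data):
    """True if every non-zero byte is the low byte of an aligned 32-bit word.

    This is what small little-endian integer fields look like in a dump; a
    packed byte array or a string would put non-zero bytes at other offsets.
    """
    return all(offset % 4 == 0 for offset, byte in enumerate(data) if byte)


def summarize(data):
    """Collect the findings for a PARAMS-style image in one dictionary."""
    words = nonzero_words(data)
    return {
        "size": len(data),
        "nonzero_words": words,
        "word_aligned": all_nonzero_bytes_word_aligned(data),
        "zero_bytes": data.count(0),
    }


if __name__ == "__main__":
    head = parse_hexdump(PARAMS_HEXDUMP)
    # Constructed image: the quoted 32 bytes followed by zero padding, standing
    # in for a full dump (the size here is not the real partition size).
    image = head + bytes(64 * 1024 - len(head))
    report = summarize(image)
    for offset, value in report["nonzero_words"]:
        print(f"{offset:#010x}: {value}")
    print("word aligned:", report["word_aligned"])
```

Run over a full dump, the same scan lists every other non-zero field by offset, which gives the offsets to look for when reading the bootloader disassembly.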
recovery kernel log
The recovery kernel log is in this path:
/data/log/recovery_kernel_log.txt
I'd post it in a code section here but it's just too long.
There's a few other interesting logs in that path as well.
As I understand it, this seems to be the log from the kernel loaded during the bootloader/Odin mode boot. Could reveal some of the variables set in the params partition. Plus it has juicy hex offsets for all kinds of things.
It's quite verbose.
K sleepy time now.
Ta,
ALQI

Building vocpcm.c into kernel current HTC Sensation kernel source

Hi (Posting here as I am not yet permitted to in dev section)
I need to get access to the /dev/voc* devices which come from the vocpcm.c code from older HTC kernel releases.
It looks like it was meant to work with qdsp5 DSP and I am not sure whether I should assume it works.
So, I added it to the kernel and once running, I can see the devices
ls -al /dev/voc*
crw-rw-rw- 1 root root 10, 49 Jul 28 21:18 /dev/voc_rx_playback
crw-rw-rw- 1 root root 10, 50 Jul 28 21:18 /dev/voc_rx_record
crw-rw-rw- 1 root root 10, 47 Jul 28 21:18 /dev/voc_tx_playback
crw-rw-rw- 1 root root 10, 48 Jul 28 21:18 /dev/voc_tx_record
But it looks like they really aren't mapping to the DSP, as I get no audio from them, and when I try to tail the file, I get
[email protected]:/dev # tail voc_rx_playback
tail voc_rx_playback
tail: can't open 'voc_rx_playback': No such device
tail: no files
Which is a different result than on my working HTC Tattoo.
Any ideas here as to whether I might need to do something more to get it working with qdsp6 or whether I need a different handset etc
As far as I know, these devices are completely different (and different concept) from the voice uplink and voice downlink that comes with the 2 way recording patch. Is that right ?
cheers
Mark

[Completed] Galaxy Nexus stopped working, trying to recover important data...

Hi Guys
I'm new to the Forum and start with asking a question - apologize for that, I know that it's impolite.
I'm pretty desperate at the moment. Tried to switch on my Galaxy Nexus some days ago and it did not start. If I try to switch it on (long button press), the google logo appears for about 72 seconds, then "something" happens on the screen (usually the logo becomes brighter and horizontal lines appear on the screen). And that's it.
There's no clear reason why the mobile is broken now.
The big problem is that I have lots of pictures of my little boy on that device, from his birth until now (it's his first birthday tomorrow). These pics are very very important to me, the only pictures I have from his birth. I did not back up those pictures - I'm stupid :crying:. So my goal is to rescue those images from the device somehow. Currently I'm spending every free second to read and learn how to recover those images...
Device info:
Galaxy Nexus, Tuna Maguro 16GB
HW Version: 9
Bootloader Version: PRIMEMD04
Baseband Version: I9250XXLJ1
Everything is stock version, Android 4.4.2 (I think), stock bootloader
What I've tried so far:
- Installed fastload / ADB on Ubuntu 14.04 from repo. Manually installed ADB 1.0.32 as well.
- I can boot the device into Fastboot / Rescue / Odin mode, that works.
- Tried to clear the cache. It hangs after "Formatting /cache". No "completed" message. If I go to the recovery menu now, I get a couple of messages which say
"E:failed to mount /cache (Invalid argument)"
and then lots of "Can't mount /cache/recovery/log" messages.
If I boot in Rescue Mode, select "apply update from ADB" and connect the mobile to the PC:
Code:
[ 502.524071] usb 1-5: new high-speed USB device number 3 using ehci-pci
[ 502.657321] usb 1-5: New USB device found, idVendor=18d1, idProduct=d001
[ 502.657330] usb 1-5: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[ 502.657348] usb 1-5: Product: Galaxy Nexus
[ 502.657352] usb 1-5: Manufacturer: samsung
[ 502.657355] usb 1-5: SerialNumber: (redacted)
So it gets detected, at least.
Then:
Code:
$ ./adb get-state
sideload
$ ./adb devices -l
List of devices attached
(serial redacted) sideload usb:1-5
$ ./adb backup -all
adb: unable to connect for backup
$ ./adb bugreport
error: closed
$ ./adb shell pwd
error: closed
$ ./adb logcat
- waiting for device -
^C
I've downloaded the stock yakju ROM from the google dev website (can't post links, sorry).
There are a bunch of files in that archive:
Code:
$ ll
total 298996
drwxr-x--- 2 m m 4096 Aug 21 2013 ./
drwxr-xr-x 7 m m 4096 Aug 30 23:50 ../
-rw-r----- 1 m m 2363392 Aug 21 2013 bootloader-maguro-primemd04.img
-rw-r----- 1 m m 956 Aug 21 2013 flash-all.bat
-rwxr-x--x 1 m m 827 Aug 21 2013 flash-all.sh*
-rwxr-x--x 1 m m 785 Aug 21 2013 flash-base.sh*
-rw-r----- 1 m m 291192953 Aug 21 2013 image-yakju-jwr66y.zip
-rw-r----- 1 m m 12583168 Aug 21 2013 radio-maguro-i9250xxlj1.img
Code:
$ zipinfo image-yakju-jwr66y.zip
Archive: image-yakju-jwr66y.zip
Zip file size: 291192953 bytes, number of entries: 5
?rw-r--r-- 2.0 unx 4481024 b- defN 09-Jan-01 00:00 boot.img
?rw-r--r-- 2.0 unx 5042176 b- defN 09-Jan-01 00:00 recovery.img
?rw-r--r-- 2.0 unx 485561008 b- defN 09-Jan-01 00:00 system.img
-rw------- 2.0 unx 140860420 b- defN 13-Aug-13 22:56 userdata.img
-rw-r----- 2.0 unx 93 b- defN 13-Aug-13 16:00 android-info.txt
So my questions are:
Am I doing the right thing here? I hope that this is a software problem and the hardware is ok.
If yes, which of those file(s) should I flash to the device, without risking loss of data?
Can you think of any other possibility to recover the data? Clockwork mod or TWRP maybe? Or a custom sideload script (inside the uploaded zip file).
I've read that flashing a custom bootloader wipes the device - so maybe CW / TWRP is not a good idea.
Thank you very very much in advance for your help.
Matt
backupnoob said:
Hi Guys
I'm new to the Forum and start with asking a question - apologize for that, I know that it's impolite.
I'm pretty desperate at the moment. Tried to switch on my Galaxy Nexus some days ago and it did not start. If I try to switch it on (long button press), the google logo appears for about 72 seconds, then "something" happens on the screen (usually the logo becomes brighter and horizontal lines appear on the screen). And that's it.
There's no clear reason why the mobile is broken now.
The big problem is that I have lots of pictures of my little boy on that device, from his birth until now (it's his first birthday tomorrow). These pics are very very important to me, the only pictures I have from his birth. I did not backup those pictures - I'm stupid :crying:. So my goal is to rescue those images from the device somehow. Currently I'm spending every free second to read and learn how to recover those images...
Device info:
Galaxy Nexus, Tuna Maguro 16GB
HW Version: 9
Bootloader Version: PRIMEMD04
Baseband Version: I9250XXLJ1
Everything is stock version, Android 4.4.2 (I think), stock bootloader
What I've tried so far:
- Installed fastload / ADB on Ubuntu 14.04 from repo. Manually installed ADB 1.0.32 as well.
- I can boot the device into Fastboot / Rescue / Odin mode, that works.
- Tried to clear the cache. It hangs after "Formatting /cache". No "completed" message. If I go to the recovery menu now, I get a couple of messages which say
"E:failed to mount /cache (Invalid argument)"
and then lots of "Can't mount /cache/recovery/log" messages.
If I boot in Rescue Mode, select "apply update from ADB" and connect the mobile to the PC:
Code:
[ 502.524071] usb 1-5: new high-speed USB device number 3 using ehci-pci
[ 502.657321] usb 1-5: New USB device found, idVendor=18d1, idProduct=d001
[ 502.657330] usb 1-5: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[ 502.657348] usb 1-5: Product: Galaxy Nexus
[ 502.657352] usb 1-5: Manufacturer: samsung
[ 502.657355] usb 1-5: SerialNumber: (redacted)
So it gets detected, at least.
Then:
Code:
$ ./adb get-state
sideload
$ ./adb devices -l
List of devices attached
(serial redacted) sideload usb:1-5
$ ./adb backup -all
adb: unable to connect for backup
$ ./adb bugreport
error: closed
$ ./adb shell pwd
error: closed
$ ./adb logcat
- waiting for device -
^C
I've downloaded the stock yakju ROM from the google dev website (can't post links, sorry).
There are a bunch of files in that archive:
Code:
$ ll
total 298996
drwxr-x--- 2 m m 4096 Aug 21 2013 ./
drwxr-xr-x 7 m m 4096 Aug 30 23:50 ../
-rw-r----- 1 m m 2363392 Aug 21 2013 bootloader-maguro-primemd04.img
-rw-r----- 1 m m 956 Aug 21 2013 flash-all.bat
-rwxr-x--x 1 m m 827 Aug 21 2013 flash-all.sh*
-rwxr-x--x 1 m m 785 Aug 21 2013 flash-base.sh*
-rw-r----- 1 m m 291192953 Aug 21 2013 image-yakju-jwr66y.zip
-rw-r----- 1 m m 12583168 Aug 21 2013 radio-maguro-i9250xxlj1.img
Code:
$ zipinfo image-yakju-jwr66y.zip
Archive: image-yakju-jwr66y.zip
Zip file size: 291192953 bytes, number of entries: 5
?rw-r--r-- 2.0 unx 4481024 b- defN 09-Jan-01 00:00 boot.img
?rw-r--r-- 2.0 unx 5042176 b- defN 09-Jan-01 00:00 recovery.img
?rw-r--r-- 2.0 unx 485561008 b- defN 09-Jan-01 00:00 system.img
-rw------- 2.0 unx 140860420 b- defN 13-Aug-13 22:56 userdata.img
-rw-r----- 2.0 unx 93 b- defN 13-Aug-13 16:00 android-info.txt
So my questions are:
Am I doing the right thing here? I Hope that this is a software problem and the hardware is ok.
If yes, which of those file(s) should I flash to the device, without risking loss of data?
Can you think of any other possibility to recover the data? Clockwork mod or TWRP maybe? Or a custom sideload script (inside the uploaded zip file).
I've read that flashing a custom bootloader wipes the device - so maybe CW / TWRP is not a good idea.
Thank you very very much in advance for your help.
Matt
Hello and thank you for using XDA Assist.
We cannot provide technical support nor can other members reply to your posts here on XDA Assist but fortunately there is an XDA area dedicated to the Samsung Galaxy Nexus family at http://forum.xda-developers.com/galaxy-nexus which would be a good starting place. I suggest you post your question with all relevant details (Tuna and Maguro are not identical!) in the friendly Q&A forum there at http://forum.xda-developers.com/galaxy-nexus/help where the experts familiar with your device will be best able to guide you.
Good luck!
Ok, thank you very much Mike, will ask there.

mke2fs Error when flash factory images for Pixel

Hi there,
I am trying to flash the 8.1.0 (OPM1.171019.012, Jan 2018) for Pixel but it failed with the following message:
Code:
wiping userdata...
/usr/local/bin/mke2fs failed with status 1
mke2fs failed: 1
I searched Google and found the problem occurred in Pixel 2 and the workaround is to flash dtbo.img but I couldn't find it in the factory images for Pixel (I have downloaded images for 8.1 and 8.0).
Could someone offer me some help? Thanks.
I have met exactly the same problem. Are you using a Mac or Linux? I am using a Mac and my solution is as follows:
1) download the latest platform tools, and place all ota/factory files under the same folder
2) edit flash_all.sh, change all fastboot to ./fastboot
The following is the directory structure:
[email protected]:~/Downloads/pixel/sailfish-opm1.171019.012 $-> ls -l
total 3680832
[email protected] 1 tesla staff 6096039 Jan 9 19:51 Magisk-v15.2.zip
[email protected] 1 tesla staff 2470501 Jan 9 20:02 MagiskManager-v5.5.3.apk
[email protected] 1 tesla staff 315051 Dec 14 06:00 NOTICE.txt
[email protected] 1 tesla staff 2581412 Dec 14 05:58 adb
[email protected] 4 tesla staff 128 Dec 14 05:59 api
-rw-r--r-- 1 tesla staff 29607142 Jan 1 2009 boot.img
-rw-r--r-- 1 tesla staff 33021952 Dec 19 08:33 bootloader-sailfish-8996-012001-1711091153.img
[email protected] 1 tesla staff 60512 Dec 14 05:58 dmtracedump
[email protected] 1 tesla staff 810388 Dec 14 05:58 e2fsdroid
[email protected] 1 tesla staff 306332 Dec 14 05:58 etc1tool
[email protected] 1 tesla staff 1380616 Dec 14 05:58 fastboot
-rw-r--r-- 1 tesla staff 997 Dec 19 08:33 flash-all.bat
-rwxr-xr-x 1 tesla staff 977 Jan 10 23:02 flash-all.sh
-rwxr-xr-x 1 tesla staff 898 Dec 19 08:33 flash-base.sh
[email protected] 1 tesla staff 17544 Dec 14 05:58 hprof-conv
-rw-r--r-- 1 tesla staff 1411963519 Dec 19 08:33 image-sailfish-opm1.171019.012.zip
[email protected] 3 tesla staff 96 Dec 14 05:58 lib
[email protected] 1 tesla staff 161884 Dec 14 05:58 make_f2fs
[email protected] 1 tesla staff 771876 Dec 14 05:58 mke2fs
[email protected] 1 tesla staff 1184 Dec 14 05:58 mke2fs.conf
[email protected] 2 tesla staff 64 Jan 10 21:47 platform-tools
-rw-r--r-- 1 tesla staff 58695680 Dec 19 08:33 radio-sailfish-8996-130091-1710201747.img
[email protected] 1 tesla staff 720088 Dec 14 05:58 sload_f2fs
[email protected] 1 tesla staff 38 Dec 14 05:58 source.properties
[email protected] 1 tesla staff 1274436 Dec 14 05:58 sqlite3
[email protected] 6 tesla staff 192 Dec 14 05:58 systrace
[email protected] 1 tesla staff 31690752 Jan 9 20:04 twrp-3.2.1-0-sailfish.img
-rwxrwxrwx 1 tesla staff 9164052 Dec 6 08:15 twrp-pixel-installer-sailfish-3.2.0-0.zip
[email protected] 1 tesla staff 11711021 Jan 9 19:58 twrp-pixel-installer-sailfish-3.2.1-0.zip
-rw-r--r-- 1 tesla staff 263172256 Jan 1 2009 vendor.img
Thank you for your help, it seems the
Code:
brew cask install android-platform-tools
in macOS doesn't link all the necessary files and I finally solved it using the following command:
Code:
ln -s /usr/local/Caskroom/android-platform-tools/27.0.1/platform-tools/mke2fs /usr/local/bin/mke2fs
Thanks, this was a godsend :good:
Hey guys, I'm running into the same error. Any help would be great.
I tried editing flash_all.sh, and changed all fastboot to ./fastboot and then I got an error trying to perform my flash_all command.
What's this brew cask stuff? lol. If anyone can explain this a little further so I can flash P, that would be great.
Edit* actually, looks like once I removed the -w from the script (and stopped a full wipe) everything flashed just fine. Odd.
hellobbn said:
Thank you for your help, it seems the
Code:
brew cask install android-platform-tools
in macOS doesn't link all the necessary files and I finally solved it using the following command:
Code:
ln -s /usr/local/Caskroom/android-platform-tools/27.0.1/platform-tools/mke2fs /usr/local/bin/mke2fs
Hey I just got this error when updating my Pixel 2 to Pie and I wanted to try this solution but I have a question. Was there already a mke2fs entry in /usr/local/bin when you linked them? Or was it only in your platform-tools directory? My platform-tools directory lies at ~/android/platform-tools and contains the mke2fs binaries but there is no entry at /usr/local/bin and I'm not sure if your linking solution would work in that scenario or not (not a UNIX wiz over here). I hope to hear back from you soon, thank you.
Shamestick
Edit: I decided not to wait for a reply and just try the symbolic link and running the commands, it worked haha. Thanks again
I'm running Linux and I have the same issue trying to flash my Nexus 6P. I had already figured out the symlink before reading this thread; however, I now get this:
/tmp/TemporaryFile-g1yMBU: Unimplemented ext2 library function while setting up superblock
/usr/lib/android-sdk/platform-tools/mke2fs failed with status 1
mke2fs failed: 1
error: Cannot generate image for userdata
Any suggestions? I will keep tinkering until someone replies with a possible solution.
Well.. tinkering did me some good. I figured downloading the platform-tools would be the solution. I just had issues trying to find it. If you just go to the Android SDK site you really only see the Studio download, which does not help for this. I stumbled on another post that had this link which helped. https://developer.android.com/studio/releases/platform-tools
The Ubuntu repo that has the android-platform-tools is minimal and missing tons. I just copied everything from the platform-tools I downloaded into the path /usr/lib/android-sdk/platform-tools. It even included mke2fs. I ran the flash-all.sh again and everything was magic.
fastboot erase userdata
fastboot update image-*
Two lines of cmd, nothing more, nothing less. That fixed my issue.
Thanks, you are a hero :laugh:
I got this issue when updating ADT-3 to the most recent Android 11 Developer Preview.
This problem comes up when the system-wide mke2fs is used.
I have the most recent SDK Platform Tools installed standalone:
Code:
$ whereis mke2fs
mke2fs: /usr/sbin/mke2fs /etc/mke2fs.conf /home/astar/dev/android/sdk/platform-tools/mke2fs.conf /home/astar/dev/android/sdk/platform-tools/mke2fs /usr/share/man/man8/mke2fs.8.gz
System-wide:
Code:
$ mke2fs -V
mke2fs 1.45.3 (14-Jul-2019)
Using EXT2FS Library version 1.45.3
Standalone:
Code:
$ /home/astar/dev/android/sdk/platform-tools/mke2fs -V
mke2fs 1.45.4 (23-Sep-2019)
Using EXT2FS Library version v1.45.4-867-g4bc58792
So, to solve this issue, the proper mke2fs should be in the PATH.
It's possible to work around it using a symlink as mentioned above, but a more elegant solution, without messing with the system, is to temporarily update the PATH variable (use the proper path to your platform tools instead of "/home/astar/dev/android/sdk/platform-tools/"):
Code:
$ export PATH=/home/astar/dev/android/sdk/platform-tools/:$PATH
$ /home/astar/dev/android/sdk/platform-tools/mke2fs -V
mke2fs 1.45.4 (23-Sep-2019)
Using EXT2FS Library version v1.45.4-867-g4bc58792
$ ./flash-all.sh
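A pre-flight check for the tool mismatch this thread keeps hitting, as an added example that is not part of any post above: it reports whether the fastboot found on PATH has an executable mke2fs beside it and whether another mke2fs shadows that copy. The function names and return codes are hypothetical, and it assumes fastboot runs the mke2fs beside the path it was started from, as the failing paths quoted in the thread suggest.

```shell
#!/bin/sh
# Pre-flight check to run before flash-all.sh (added example).
# Assumption: fastboot runs the mke2fs that sits beside the path it was
# started from, as the failing paths quoted in the thread suggest.

# resolve_tool NAME PATH_VALUE: print the path NAME resolves to under PATH_VALUE.
# The body is a subshell, so the caller's PATH is never modified.
resolve_tool() (
    PATH=$2
    command -v "$1"
)

# check_flash_tools [PATH_VALUE]   (defaults to the current PATH)
#   0  fastboot found, executable mke2fs beside it, and that copy is first on PATH
#   1  fastboot not found on PATH
#   2  no executable mke2fs beside fastboot (the "mke2fs failed" setup)
#   3  mke2fs exists beside fastboot, but a different copy comes first on PATH
check_flash_tools() {
    search_path=${1:-$PATH}
    fb=$(resolve_tool fastboot "$search_path") || {
        echo "fastboot: not found on PATH"
        return 1
    }
    fb_dir=$(dirname "$fb")
    if [ ! -x "$fb_dir/mke2fs" ]; then
        echo "missing: $fb_dir/mke2fs (fastboot is $fb)"
        return 2
    fi
    mk=$(resolve_tool mke2fs "$search_path")
    if [ "$mk" != "$fb_dir/mke2fs" ]; then
        echo "shadowed: PATH gives $mk, fastboot dir has $fb_dir/mke2fs"
        return 3
    fi
    echo "ok: $fb and $mk both come from $fb_dir"
}
```

Source the file and run `check_flash_tools` with no argument to test the current PATH, or pass a candidate PATH string to see how a change would resolve before exporting it.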
hexxamillion said:
Well.. tinkering did me some good. I figured downloading the platform-tools would be the solution. I just had issues trying to find it. If you just go to the Android SDK site you really only see the Studio download, which does not help for this. I stumbled on another post that had this link which helped. https://developer.android.com/studio/releases/platform-tools
The Ubuntu repo that has the android-platform-tools is minimal and missing tons. I just copied everything from the platform-tools I downloaded into the path /usr/lib/android-sdk/platform-tools. It even included mke2fs. I ran the flash-all.sh again and everything was magic.
Just in case someone has this problem: I was getting this error when trying to fastboot format userdata on a Xiaomi A2 and this did it!
