Related
Has anybody got just the EE4 Baseband/Radio Update? I have searched to no end, and can't find it. Thanks!
Question. Post in general
Sent from my SCH-I510 using XDA Premium App
AFAIK, There is no modem file you can flash. You have to apply the OTA update to get it. There is currently no way to pull the modem off the phone, and what is in the OTA is not a complete modem file and cannot be flashed in odin.
Check out this thread: http://forum.xda-developers.com/showthread.php?p=14644392
If the guy's PIT reading is correct, we should be able to pull an EE4 radio for you that could be flashed with Odin.
I'd be happy to pull and post, but I think there's a large risk of losing radio function for an unknown time if the concept is wrong, since there's nothing out there to correct it with. The risk of flashing with Odin would be entirely on you.
Hope that's more helpful than not.
distortedloop said:
Check out this thread: http://forum.xda-developers.com/showthread.php?p=14644392
If the guy's PIT reading is correct, we should be able to pull an EE4 radio for you that could be flashed with Odin.
I'd be happy to pull and post, but I think there's a large risk of losing radio function for an unknown time if the concept is wrong, since there's nothing out there to correct it with. The risk of flashing with Odin would be entirely on you.
Hope that's more helpful than not.
Click to expand...
Click to collapse
It helps, thanks! I'd forgotten how hard Samsung's were to flash radio's, it's so much easier with HTC phones! If you or anybody ends up being able to do it, that'd be awesome! I assume I can't just flash the EE4 update over Gummy's 1.5 ROM to get the new radio, or can I?
danalo1979 said:
Question. Post in general
Sent from my SCH-I510 using XDA Premium App
Click to expand...
Click to collapse
Too late, it's already here If the mods want to move it, they can, no worries!
californiarailroader said:
It helps, thanks! I'd forgotten how hard Samsung's were to flash radio's, it's so much easier with HTC phones! If you or anybody ends up being able to do it, that'd be awesome! I assume I can't just flash the EE4 update over Gummy's 1.5 ROM to get the new radio, or can I?
Click to expand...
Click to collapse
Actually, it's not any harder on Sammies, in my opinion, it's just we don't have a released radio to flash. Odin or fastboot flash, not too much difference, other than the hassles of getting Odin to work if you're on a Mac.
In theory, you could modify the update file to just patch the radio and not do the rest. Also, since it's a patch, you have to have on the phone what it expects to be patching or you'd end up with a big mess if you bypassed that safety check in the updater-script.
The problem is that stock recovery won't run it once you mod it because it won't pass the signature (we have the 3e recovery, the old v2 didn't check) check. I think I read somewhere that CWR wouldn't run it either.
It's a hassle, but the best thing right now would be backup with Titanium, flash stock ED2, then apply the EE4 update, then flash your Gummy, restore your backup.
distortedloop said:
Actually, it's not any harder on Sammies, in my opinion, it's just we don't have a released radio to flash. Odin or fastboot flash, not too much difference, other than the hassles of getting Odin to work if you're on a Mac.
In theory, you could modify the update file to just patch the radio and not do the rest. Also, since it's a patch, you have to have on the phone what it expects to be patching or you'd end up with a big mess if you bypassed that safety check in the updater-script.
The problem is that stock recovery won't run it once you mod it because it won't pass the signature (we have the 3e recovery, the old v2 didn't check) check. I think I read somewhere that CWR wouldn't run it either.
It's a hassle, but the best thing right now would be backup with Titanium, flash stock ED2, then apply the EE4 update, then flash your Gummy, restore your backup.
Click to expand...
Click to collapse
Thanks, I think that's probably the best way too, either that or wait for the radio, which might take a while.
http://forum.xda-developers.com/showthread.php?t=1108885&highlight=stock+ed2
Is that the right ED2 to flash?
distortedloop said:
Check out this thread: http://forum.xda-developers.com/showthread.php?p=14644392
If the guy's PIT reading is correct, we should be able to pull an EE4 radio for you that could be flashed with Odin.
I'd be happy to pull and post, but I think there's a large risk of losing radio function for an unknown time if the concept is wrong, since there's nothing out there to correct it with. The risk of flashing with Odin would be entirely on you.
Hope that's more helpful than not.
Click to expand...
Click to collapse
Btw i had pulled the pit info by using hiemdall print-pit.
I've got the full pit on my laptop. But am mobile atm.
Sent from my SCH-I510 using XDA Premium App
Okay, I disabled the lagfix, then flashed stock ED2, but when I try to download the EE4 update it keeps failing, is Samsung having problems or did I do something wrong?
Nevermind, all fixed
c0ns0le said:
Btw i had pulled the pit info by using hiemdall print-pit.
I've got the full pit on my laptop. But am mobile atm.
Sent from my SCH-I510 using XDA Premium App
Click to expand...
Click to collapse
Pulling the PIT is one of the few things I can do reliable with Heimdall. I still have a copy in my terminal buffer from while I was trying to upgrade to EE4 from stock ED1. Problem is I haven't bothered to try to figure out how to translate it into a dd command.
Could probably figure it out, some of it's very obvious, but any info on the translation would be appreciated:
Code:
MBP1:~ dave$ heimdall print-pit
Heimdall v1.0.2b, Copyright (c) 2010-2011, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au
Claiming interface... Success
Setting up interface... Success
Beginning session...
Handshaking with Loke... Success
Downloading device's PIT file...
PIT file download sucessful
Entry Count: 14
Unknown 1: 16898048
Unknown 2: 1
Unknown 3: 0
Unknown 4: 0
Unknown 5: 7703
Unknown 6: 255
Unknown 7: 62464
Unknown 8: 22
--- Entry #0 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 0
Partition Flags: 0 (R)
Unknown 2: 0
Partition Block Size: 256
Partition Block Count: 1
Unknown 3: 6684783
Unknown 4: 2097268
Partition Name: IBL+PBL
Filename: boot.bin
--- Entry #1 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 1
Partition Flags: 0 (R)
Unknown 2: 0
Partition Block Size: 256
Partition Block Count: 1
Unknown 3: 0
Unknown 4: 0
Partition Name: PIT
Filename:
--- Entry #2 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 20
Partition Flags: 2 (R/W)
Unknown 2: 0
Partition Block Size: 256
Partition Block Count: 40
Unknown 3: 0
Unknown 4: 0
Partition Name: EFS
Filename: efs.rfs
--- Entry #3 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 13
Partition Flags: 1 (R)
Unknown 2: 0
Partition Block Size: 256
Partition Block Count: 12
Unknown 3: 0
Unknown 4: 0
Partition Name: EFS2
Filename: nvblock.bin
--- Entry #4 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 3
Partition Flags: 0 (R)
Unknown 2: 0
Partition Block Size: 256
Partition Block Count: 5
Unknown 3: 0
Unknown 4: 0
Partition Name: SBL
Filename: sbl.bin
--- Entry #5 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 4
Partition Flags: 0 (R)
Unknown 2: 0
Partition Block Size: 256
Partition Block Count: 5
Unknown 3: 0
Unknown 4: 0
Partition Name: SBL2
Filename: sbl.bin
--- Entry #6 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 21
Partition Flags: 2 (R/W)
Unknown 2: 0
Partition Block Size: 256
Partition Block Count: 20
Unknown 3: 0
Unknown 4: 0
Partition Name: PARAM
Filename: param.lfs
--- Entry #7 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 6
Partition Flags: 0 (R)
Unknown 2: 0
Partition Block Size: 256
Partition Block Count: 30
Unknown 3: 0
Unknown 4: 0
Partition Name: KERNEL
Filename: zImage
--- Entry #8 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 7
Partition Flags: 0 (R)
Unknown 2: 0
Partition Block Size: 256
Partition Block Count: 30
Unknown 3: 0
Unknown 4: 0
Partition Name: RECOVERY
Filename: recovery.bin
--- Entry #9 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 22
Partition Flags: 2 (R/W)
Unknown 2: 0
Partition Block Size: 256
Partition Block Count: 1380
Unknown 3: 0
Unknown 4: 0
Partition Name: FACTORYFS
Filename: factoryfs.rfs
--- Entry #10 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 23
Partition Flags: 2 (R/W)
Unknown 2: 0
Partition Block Size: 256
Partition Block Count: 430
Unknown 3: 0
Unknown 4: 0
Partition Name: DBDATAFS
Filename: dbdata.rfs
--- Entry #11 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 11
Partition Flags: 0 (R)
Unknown 2: 0
Partition Block Size: 256
Partition Block Count: 48
Unknown 3: 0
Unknown 4: 0
Partition Name: LTEMODEM
Filename: lte_modem.bin
--- Entry #12 ---
Unused: No
Partition Type: 0 (RFS)
Partition Identifier: 12
Partition Flags: 0 (R)
Unknown 2: 0
Partition Block Size: 256
Partition Block Count: 2
Unknown 3: 0
Unknown 4: 0
Partition Name: CPMODEM
Filename: cp_modem.bin
--- Entry #13 ---
Unused: No
Partition Type: 2 (EXT4)
Partition Identifier: 0
Partition Flags: 1 (R)
Unknown 2: 0
Partition Block Size: 0
Partition Block Count: 0
Unknown 3: 7602273
Unknown 4: 7274601
Partition Name: MOVINAND
Filename: movinand.bin
Ending session...
Rebooting device...
I spent some time in analyzing of flash layout. The comprehensive description below attempts to map each byte of the flash and describes way to extract it.
I would be glad if somebody could provide more detailed info about bootloader, signatures, DRM etc.
Patches are welcome.
Code:
mmcblk0 layout
All dumps were done on Asus Eee Pad Transformer Infinity TF700T, 64GB version, firmware 9.4.5.26, locked
mmcblk0 off-partition section
Offset: 0 (0x0)
Size: 38273024 (0x2480000)
Read command: busybox dd if=/dev/block/mmcblk0 of=/mnt/sdcard/mmcblk0pre1.img bs=524288 count=73
Offset: 0 (0x0)
Size: 3670016 (0x380000)
Contains: Zeroes
Purpose: Unknown
Extract command: dd if=mmcblk0pre1.img of=mmcblk0pre1s1.img bs=3670016 count=1
Process command: tr -d '\0' <mmcblk0pre1s1.img >mmcblk0pre1s1nz.img # mmcblk0pre1s1nz.img must be empty file
Offset: 3670016 (0x380000)
Contains: Recovery kernel image followed by zeroes
Size: 8388608 (0x800000)
Extract command: dd if=mmcblk0pre1.img of=mmcblk0pre1s2.img bs=524288 skip=7 count=16
Process commands:
perl split_bootimg.pl mmcblk0pre1s2.img
mkdir mmcblk0pre1s2.img-ramdisk
cd mmcblk0pre1s2.img-ramdisk
zcat ../mmcblk0pre1s2.img-ramdisk.gz | cpio -i
cd ..
# end Process commands
Offset: 12058624 (0xb80000)
Contains: Regular boot kernel image followed by zeroes
Size: 8388608 (0x800000)
Extract command: dd if=mmcblk0pre1.img of=mmcblk0pre1s3.img bs=524288 skip=23 count=16
Process commands:
perl split_bootimg.pl mmcblk0pre1s3.img
mkdir mmcblk0pre1s3.img-ramdisk
cd mmcblk0pre1s3.img-ramdisk
zcat ../mmcblk0pre1s3.img-ramdisk.gz | cpio -i
cd ..
# end Process commands
Offset: 20447232 (0x1380000)
Contains: Block of 16 bytes followed by 0x2de0 hexadecimal numbers followed by FF
Size: 12288 (0x3000)
Extract command: dd if=mmcblk0pre1.img of=mmcblk0pre1s4.img bs=524288 skip=39
Vital data:
Extract command: dd if=mmcblk0pre1s4.img of=mmcblk0pre1s4ss2.img bs=4096 skip=3
Binary part of vital data:
Extract command: dd if=mmcblk0pre1s4ss1.img of=mmcblk0pre1s4ss1ch1.img bs=16 count=1
Hexadecimal part of vital data:
Extract command: dd if=mmcblk0pre1s4ss1.img of=mmcblk0pre1s4ss1ch2.img bs=16 count=734 skip=1
Process command: unhex <mmcblk0pre1s4ss1ch2.img >mmcblk0pre1s4ss1ch2bin.img
FF part of vital data:
Extract command: dd if=mmcblk0pre1s4ss1.img of=mmcblk0pre1s4ss1ch3.img bs=16 skip=735
Process command: tr -d '\377' <mmcblk0pre1s4ss1ch3.img >mmcblk0pre1s4ss1ch3nff.img # mmcblk0pre1s4ss1ch3nff.img must be empty file
Zeroes:
Extract command: dd if=mmcblk0pre1s4.img of=mmcblk0pre1s4ss1.img bs=4096 count=3
Process command: tr -d '\0' <mmcblk0pre1s4ss2.img >mmcblk0pre1s4ss2nz.img # mmcblk0pre1s4ss2nz.img must be empty file
Purpose: Probably encrypted bootloader
mmcblk0p1
Offset: 38273024 (0x2480000)
Size: 805306368 (0x30000000)
File system size: 196608 * 4096 = 805306368 (fully occupies partition)
Format: Linux ext4 filesystem
Mounted at: /system
Mount options: read only, extended attributes, ACL
Permissions: only root can manipulate
Contains: Base system and embedded applications
Purpose: Base system
mmcblk0p2
Offset: 843579392 (0x32480000)
Size: 448790528 (0x1ac00000)
File system size: 109568 * 4096 = 448790528 (fully occupies partition)
Format: Linux ext4 filesystem
Mounted at: /cache
Mount options: read/write, no SUID, no device nodes, no atime
Permissions: only root can manipulate, UID system and GID cache can read and write
Contains: Cache
Purpose: Application cache
Note: The volume has the same UUID as mmcblk0p1
mmcblk0p3
Offset: 1292369920 (0x4d080000)
Size: 2097152 (0x200000)
File system size: 512 * 4096 = 2097152 (fully occupies partition)
Linux rev 1.0 ext3 filesystem
Not mounted
Permissions: GID system can manipulate
Contains: Empty file system
Purpose: Recovery /misc
Referenced by: /system/lib/libandroid_runtime.so recovery ramdisk: /etc/recovery.fstab
Note: File system is referenced in recovery as emmc, not ext3!
mmcblk0p4
Offset: 1294467072 (0x4d280000)
Size: 855638016 (0x33000000)
File system size: 208896 * 4096 = 855638016
Linux rev 1.0 ext3 filesystem
Not mounted
Permissions: GID system can manipulate
Contains: Empty file system
Purpose: Recovery /staging
Referenced by: recovery ramdisk: init.rc /etc/recovery.fstab
mmcblk0p5
Offset: 2150105088 (0x80280000)
Size: 5242880 (0x500000)
File system size: 5092 * 1024 = 5147488
Format: FAT32 file system, no partition table, MS-DOS "Non-system disk" boot block
Not mounted
Permissions: only root can manipulate
Contains: File system with files:
Serial numbers (ISN, PPID, SSN, UUID)
Calibration data (AL3010 light sensor, AMI304 magnetic sensor, KXTF9 motion sensor)
Purpose: Device specific unique system data, mounted as /btmac during Android boot
Referenced by: /system/bin/wifimacwriter /system/bin/brcm_patchram_plus /system/bin/sensors-config /system/bin/sixpair ramdisk: /init recovery ramdisk: /etc/recovery.fstab /init
mmcblk0p5 off file-system area
Offset in section: 5147488 (0x4e8b60)
Size: 28672 (0x7000)
Read command: busybox dd if=/dev/block/mmcblk0p5 of=/mnt/sdcard/mmcblk0p5s2.img bs=1024 skip=5092
Process command: tr -d '\0' <mmcblk0p5s2.img >mmcblk0p5s2nz.img # mmcblk0p5s2nz.img must be empty file
mmcblk0p6
Offset: 2155347968 (0x80780000)
Size: 524288 (0x80000)
Format: binary data
Permissions: UID drm can manipulate
Contains: 208 bytes of binary data, the rest are zeroes
Purpose: DRM, probably contains encrypted DRM key
Referenced by: /system/bin/wvdrmserver /system/vendor/lib/drm/libdrmwvmplugin.so
mmcblk0p7
Offset: 2155872256 (0x80800000)
Size: 5242880 (0x500000)
Format: empty
Contains: Zeroes
Purpose: Unknown
mmcblk0p8
Offset: 2161115136 (0x80d00000)
Size: 61415620608 (0xe4ca80000)
File system size: 14994040 * 4096 = 61415587840
Format: Linux ext4 filesystem
Mounted at: /data
Mount options: read/write, no SUID, no device nodes, no atime
Permissions: only root can manipulate, read and write are directory specific
Contains: User applications, user data, and virtual internal SD card
Note: /data/media is mounted via UID/GID stripping FUSE as /mnt/sdcard
mmcblk0p8 off file-system area
Offset in section: 61415587840 (0xe4ca78000)
Size: 32768 (0x8000)
Read command: busybox dd if=/dev/block/mmcblk0p8 of=/mnt/sdcard/mmcblk0p8s2.img bs=4096 skip=14994040
mmcblk0 off-partition section
Offset: 63576735744 (0xecd780000)
Size: 524288 (0x80000)
Read command: busybox dd if=/dev/block/mmcblk0 of=/mnt/sdcard/mmcblk0post8.img bs=524288 skip=121263
Process command: tr -d '\0' <mmcblk0p8s2.img >mmcblk0p8s2nz.img # mmcblk0p8s2nz.img must be empty file
Offset: 63576735744 (0xecd780000)
Offset in section: 0 (0x0)
Size: 507392 (0x7be00)
Contains: Zeroes
Purpose: Unknown
Extract command: dd if=mmcblk0post8.img of=mmcblk0post8s1.img bs=507392 count=1
Process command: tr -d '\0' <mmcblk0post8s1.img >mmcblk0post8s1nz.img # mmcblk0post8s1nz.img must be empty file
Offset: 63577243136 (0xecd7fbe00)
Offset in section: 507392 (0x7be00)
Size: 16896 (0x4200)
Contains: EFI Partition table (partition names: APP, CAC, MSC, USP, PER, YTU, CRA, UDA)
Extract command: dd if=mmcblk0post8.img of=mmcblk0post8s2.img bs=512 skip=991
Purpose: Partition table
Total size of mmcblk0: 63577260032 (0xecd800000)
Notes:
can manipulate = can read, write partition vital data, only root can mount
can read, write = can read, write partition file system contents
Read commands are ran on the Transformer
Extract and process commands are run anywhere, with pre-read image file in the current directory.
You need dd with large files support. Vanilla dd on TF700T does not support large files. Busybox dd does.
Dropbox link to Asus_Transformer_Infinity_TF700T/flash_layout.txt
Wow, thanks for this detailed analysis - much more detailed than mine.
So what can I add to your research?
Tegra-based systems have another partition table, which has a proprietary layout and an unknown purpose (maybe just important for NVFlash and for flashing blobs?). Looking at the flash.cfg in the NVFlash package from AndroidRoot.mobi, we can get the Tegra partition layout and partition names:
Partition number 1 is missing in the list, maybe it contains the extremely well-hidden APX mode recovery code or even the answer to life, the universe and everything.
The following 3 partitions are located at the beginning of mmcblk0 and their contents are apparently encrypted with a device-specific key. For some reason, with ICS-based ROMs it reads as all zeros; in JB-based ROMs additional mmcblk0boot0 and mmcblk0boot1 partitions appear which together cover this area. The "bricksafe.img" in the nvflash guide covers these 3 partitions.
2 BCT: Tegra Boot Configuration Table - 3145728 bytes
3 PT: Tegra Partition Table - 524288 bytes
4 EBT: Bootloader - 8388608 bytes
You already know the following 2:
5 SOS: Recovery kernel - 8388608 bytes
6 LNX: Linux kernel - 8388608 bytes
Then some more funny ones:
7 CER: I think this stands for "Certificate" and contains the bootloader unlock token. - 8388608 bytes. If I calculated correctly, this is at 0x1380000 into mmcblk0. Saved as "unlock-token.img" in the nvflash guide.
8 IMG: no idea what this is for - 8388608 bytes
9 GP1: space for a GPT partition table, maybe unused - 1048576 bytes
Now the regular partitions follow (p1 to p8):
10 APP: p1 = /system (Android OS)
11 CAC: p2 = /cache (for communication between Android and recovery)
12 MSC: p3 ="misc", whatever that is. On the TF101 it was used for bootloader commands.
13 USP: p4 = The update staging partition. Update blobs are copied here and flashed to the correct partition by the bootloader.
14 PER: p5 = device-specific config in a FAT filesystem
15 YTU: p6 = Apparently the DRM key. Confirmed to be overwritten with 0 by the unlocking process.
16 CRA: p7 = unknown (reserved for crash dumps?)
17 UDA: p8 = /data (Android user data)
And finally:
18 GPT: the EFI partition table that is actually used by the kernel
Well, it seems, that something (ICS stock kernel, hardware) hides contents of the first (at most) 0x380000 bytes of flash.
I am locked, and I have some token at 0x1380000 as well.
I am still thinking about a way to unlock, keep access to nvflash, and upgrade to JB keeping DRM working, even at cost of using stock system. That is why I wanted to backup and analyze everything and find all keys and signatures.
It would be also nice to know, whether there are areas of flash with hardware or kernel write lock.
utx said:
Well, it seems, that something (ICS stock kernel, hardware) hides contents of the first (at most) 0x380000 bytes of flash.
I am locked, and I have some token at 0x1380000 as well.
Click to expand...
Click to collapse
Yes, before unlocking I had something very similar to you there - a 16 byte header followed by some hexdump. I don't know what it was. It was overwritten by the unlock process with a 4 byte data block prefixed with a "-SIGNED-BY-SIGNBLOB-" header and followed by 256 bytes of what looks like a digital signature, very similar to the signed update blobs.
utx said:
I am still thinking about a way to unlock, keep access to nvflash, and upgrade to JB keeping DRM working, even at cost of using stock system. That is why I wanted to backup and analyze everything and find all keys and signatures.
Click to expand...
Click to collapse
Definitely back up the YTU partition before unlocking (p6) and then make the nvflash backups - but maybe the key must match something that is broken by the unlocking process, or it is renewed periodically, etc., so it might not help. Maybe try using DRM before unlocking and watch if the content of the partition changes over time.
utx said:
It would be also nice to know, whether there are areas of flash with hardware or kernel write lock.
Click to expand...
Click to collapse
Never tried to write directly to the block device - too scared to break something.
---------- Post added at 09:32 PM ---------- Previous post was at 09:28 PM ----------
Another small addition:
Note: /data/media is mounted via UID/GID stripping FUSE as /mnt/sdcard
Click to expand...
Click to collapse
This FUSE trick also makes /mnt/sdcard case-insensitive.
I just thought of something. What if you launched a data recovery process and recovered the DRM keys for the device?
ostar2 said:
I just thought of something. What if you launched a data recovery process and recovered the DRM keys for the device?
Click to expand...
Click to collapse
How do you define "data recovery process"? You cannot recover data that has been overwritten.
_that said:
How do you define "data recovery process"? You cannot recover data that has been overwritten.
Click to expand...
Click to collapse
Well, if the DRM partition is write enabled, it may be possible to restore its contents, if you backed it up before unlock (it is probably per-device unique). But it could be insufficient. Locked bootloader can be different than unlocked bootloader, and may drop cipher needed for DRM decihering. It is just a theory. Somebody could proof it or falsify, if:
1) Backed all accessible data before unlock.
2) Unlocked (and to be safe, also made brickproof image).
3) Recovered the data creates in step 1.
Will DRM work then? Or did we need the contents of (currently inaccessible) locked stock data of the first megabytes?
But I see no way, how to back-up first megabytes of locked device (on ICS; JB is not as interesting for us, once you upgrade to JB, you cannot create brickproof image for nvflash).
I even don't know, which part of the subsystem causes these megabytes being reported as zeroes. Is it stock Asus ICS kernel? Is it bootloader? Is it a hardware lock on the flash device?
Good idea, but what I meant by "Data Recovey". Is restoring the deleted data from that filesystem/partition.
ostar2 said:
Good idea, but what I meant by "Data Recovey". Is restoring the deleted data from that filesystem/partition.
Click to expand...
Click to collapse
I see, so I assume you assume you had a backup before.
Somebody (maybe you?) could try roughly the following sequence:
- get new TF700
- update to 9.4.5.26. if it's already newer, forget nvflash, but the rest could still work.
- root it using debugfs
- make a backup of /dev/block/mmcblk0p6
- do some DRM-dependent stuff and check that it works
- after some days, make another backup of /dev/block/mmcblk0p6 and compare if anything has changed. If the key is static, maybe restoring after unlocking could work. If not, chances are high that it doesn't work.
- unlock (this erases mmcblk06 and voids warranty)
- optional, but very useful: install AndroidRoot hacked bootloader to make blobs for nvflash, then use nvflash to backup all partitions
- restore backup of /dev/block/mmcblk0p6
- try if DRM still works
_that said:
I see, so I assume you assume you had a backup before.
Somebody (maybe you?) could try roughly the following sequence:
- get new TF700
- update to 9.4.5.26. if it's already newer, forget nvflash, but the rest could still work.
- root it using debugfs
- make a backup of /dev/block/mmcblk0p6
- optional, but very useful: install AndroidRoot hacked bootloader to make blobs for nvflash, then use nvflash to backup all partitions
- do some DRM-dependent stuff and check that it works
- after some days, make another backup of /dev/block/mmcblk0p6 and compare if anything has changed. If the key is static, maybe restoring after unlocking could work. If not, chances are high that it doesn't work.
- unlock (this erases mmcblk06 and voids warranty)
- restore backup of /dev/block/mmcblk0p6
- try if DRM still works
Click to expand...
Click to collapse
To install AndroidRoot bootloader and by that getting nvflash blobs, you have to unlock first... The order of your steps is therefore wrong.
firetech said:
To install AndroidRoot bootloader and by that getting nvflash blobs, you have to unlock first... The order of your steps is therefore wrong.
Click to expand...
Click to collapse
Oops, thanks for noticing. I edited my post.
what if we were to read from the NAND externally (RAW)....xbox 360 style...wouldn't that be the same as nvflash....
except that the three partitions in question are encrypted with a key that is probably unique per Tegra...
2 BCT: Tegra Boot Configuration Table - 3145728 bytes
3 PT: Tegra Partition Table - 524288 bytes
4 EBT: Bootloader - 8388608 bytes
but I would suppose it wouldn't be a problem since a raw flash would restore everything back to normal...even if we can't read it..the CPU can..and that's all that matters.
---------- Post added at 11:21 AM ---------- Previous post was at 11:13 AM ----------
never mind...its a BGA
_that said:
I see, so I assume you assume you had a backup before.
Somebody (maybe you?) could try roughly the following sequence:
- get new TF700
- update to 9.4.5.26. if it's already newer, forget nvflash, but the rest could still work.
- root it using debugfs
- make a backup of /dev/block/mmcblk0p6
- do some DRM-dependent stuff and check that it works
- after some days, make another backup of /dev/block/mmcblk0p6 and compare if anything has changed. If the key is static, maybe restoring after unlocking could work. If not, chances are high that it doesn't work.
- unlock (this erases mmcblk06 and voids warranty)
- optional, but very useful: install AndroidRoot hacked bootloader to make blobs for nvflash, then use nvflash to backup all partitions
- restore backup of /dev/block/mmcblk0p6
- try if DRM still works
Click to expand...
Click to collapse
Correct order maybe.
- get new TF700
- update to 9.4.5.26.
- root it using debugfs
- make a backup of /dev/block/*.*
- unlock (this erases mmcblk06 and voids warranty)
- install AndroidRoot hacked bootloader to make blobs for nvflash
- restore backup of /dev/block/mmcblk0p6
- try if DRM still works
Q1:If i backed up 9.4.5.26 all block image.After i updated 9.4.5.30 can i get the nvflash blob from backed up images?No way to dig out the blob key from the backup?
W3ber said:
Q1:If i backed up 9.4.5.26 all block image.After i updated 9.4.5.30 can i get the nvflash blob from backed up images?No way to dig out the blob key from the backup?
Click to expand...
Click to collapse
No way - the BCT, bootloader, etc. is not visible to the kernel at all (so it's not included in your images), and I don't know which kind of magic the blob creation tool uses, but I assume it's more than reading stuff from the nand.
All important information/ links will be moved to an INFO thread, since this is a question thread, we do not need it anymore.
Still looking.
Bump, can anyone help?
Saw this page:
forum.xda-developers .com/showthread.php?t=1959445
Was wondering if it's worth a shot.
Kernel released by Huawei.
For kernel/Rom Developers, Huawei has released the kernel for the Huawei Prism II online.
Attached is a notepad document with the links in them, since I am not allowed to post links. I apologize for the inconvenience.
ALSO
For anyone else with a Huawei device that has not released their kernel, I used the email format below:
Emal 1:
I would like the source code for my phone that is available to me. I am an android developer, and it would be useful to me if I have the
source code(that is offerred by Huawei).
The reply you will get:
Dear Customer,
Thank you for contacting Huawei device. The open source is under our technical department to make. Since the procedure is a little more complex, so please kindly be a little patient. We will keep you informed once available.Once again thank you for contacting Huawei device.
Best Regards.
Huawei Device Customer Care Team.
Give them 2-3 days, then E-mail once again! Be persistent!
2nd email:
Any new information about the source code?
The reply I got:
Dear Customer,
Thank you for contacting Huawei device. Please kindly check the source code link for your reference:
(link given above)
Once again thank you for contacting Huawei device.
Best Regards.
Huawei Device Customer Care Team.
Parted/FDisk Output on /dev/block/mmcblk0
streetdev22 said:
Bump, can anyone help?
Saw this page:
forum.xda-developers .com/showthread.php?t=1959445
Was wondering if it's worth a shot.
Click to expand...
Click to collapse
Tried the guide on my Prism II. Parted gave me an error. Possible reason for parted error is explained here: http://forum.xda-developers.com/showthread.php?t=2169709.
However, fdisk worked, but it doesn't clearly identify the partitons:
Edited to include gdisk output
parted:
Code:
parted /dev/block/mmcblk0
GNU Parted 1.8.8.1.179-aef3
Using /dev/block/mmcblk0
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
print
print
Error: Unable to satisfy all constraints on the partition.
fdisk:
Code:
[email protected]:/ # fdisk -l /dev/block/mmcblk0
fdisk -l /dev/block/mmcblk0
Disk /dev/block/mmcblk0: 3909 MB, 3909091328 bytes
1 heads, 16 sectors/track, 477184 cylinders
Units = cylinders of 16 * 512 = 8192 bytes
Device Boot Start End Blocks Id System
/dev/block/mmcblk0p1 * 1 3 20 4d Unknown
Partition 1 does not end on cylinder boundary
/dev/block/mmcblk0p2 3 41 300 45 Unknown
Partition 2 does not end on cylinder boundary
/dev/block/mmcblk0p3 41 16681 133120 c Win95 FAT32 (LBA)
Partition 3 does not end on cylinder boundary
/dev/block/mmcblk0p4 16681 477184 3684031+ 5 Extended
Partition 4 does not end on cylinder boundary
/dev/block/mmcblk0p5 16897 18432 12288 6a Unknown
/dev/block/mmcblk0p6 18433 18944 4096 46 Unknown
/dev/block/mmcblk0p7 18945 19456 4096 63 GNU HURD or SysV
/dev/block/mmcblk0p8 19457 19840 3072 58 Unknown
/dev/block/mmcblk0p9 19969 20352 3072 4a Unknown
/dev/block/mmcblk0p10 20481 20864 3072 4b Unknown
/dev/block/mmcblk0p11 20993 21504 4096 47 Unknown
/dev/block/mmcblk0p12 21505 22528 8192 48 Unknown
/dev/block/mmcblk0p13 22529 25088 20480 60 Unknown
/dev/block/mmcblk0p14 25089 25600 4096 6c Unknown
/dev/block/mmcblk0p15 25601 50176 196608 83 Linux
/dev/block/mmcblk0p16 50177 60416 81920 83 Linux
/dev/block/mmcblk0p17 60417 191488 1048576 83 Linux
/dev/block/mmcblk0p18 191489 338944 1179648 83 Linux
/dev/block/mmcblk0p19 338945 477184 1105920 6b Unknown
gdisk:
Code:
[email protected]:/ # gdisk -l /dev/block/mmcblk0
gdisk -l /dev/block/mmcblk0
GPT fdisk (gdisk) version 0.8.4
Partition table scan:
MBR: MBR only
BSD: not present
APM: not present
GPT: not present
***************************************************************
Found invalid GPT and valid MBR; converting MBR to GPT format.
***************************************************************
Exact type match not found for type code 4D00; assigning type code for
'Linux filesystem'
Exact type match not found for type code 4500; assigning type code for
'Linux filesystem'
Exact type match not found for type code 6A00; assigning type code for
'Linux filesystem'
Exact type match not found for type code 4600; assigning type code for
'Linux filesystem'
Exact type match not found for type code 6300; assigning type code for
'Linux filesystem'
Exact type match not found for type code 5800; assigning type code for
'Linux filesystem'
Exact type match not found for type code 4A00; assigning type code for
'Linux filesystem'
Exact type match not found for type code 4B00; assigning type code for
'Linux filesystem'
Exact type match not found for type code 4700; assigning type code for
'Linux filesystem'
Exact type match not found for type code 4800; assigning type code for
'Linux filesystem'
Exact type match not found for type code 6000; assigning type code for
'Linux filesystem'
Exact type match not found for type code 6C00; assigning type code for
'Linux filesystem'
Exact type match not found for type code 6B00; assigning type code for
'Linux filesystem'
Warning! Main partition table overlaps the first partition by 33 blocks!
You will need to delete this partition or resize it in another utility.
Warning! Secondary partition table overlaps the last partition by
33 blocks!
You will need to delete this partition or resize it in another utility.
Disk /dev/block/mmcblk0: 7634944 sectors, 3.6 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): E271C8D6-2001-435D-A466-BEFE7ED158CD
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 7634910
Partitions will be aligned on 1-sector boundaries
Total free space is 9599 sectors (4.7 MiB)
Number Start (sector) End (sector) Size Code Name
1 1 40 20.0 KiB 8300 Linux filesystem
2 41 640 300.0 KiB 8300 Linux filesystem
3 641 266880 130.0 MiB 0700 Microsoft basic data
5 270336 294911 12.0 MiB 8300 Linux filesystem
6 294912 303103 4.0 MiB 8300 Linux filesystem
7 303104 311295 4.0 MiB 8300 Linux filesystem
8 311296 317439 3.0 MiB 8300 Linux filesystem
9 319488 325631 3.0 MiB 8300 Linux filesystem
10 327680 333823 3.0 MiB 8300 Linux filesystem
11 335872 344063 4.0 MiB 8300 Linux filesystem
12 344064 360447 8.0 MiB 8300 Linux filesystem
13 360448 401407 20.0 MiB 8300 Linux filesystem
14 401408 409599 4.0 MiB 8300 Linux filesystem
15 409600 802815 192.0 MiB 8300 Linux filesystem
16 802816 966655 80.0 MiB 8300 Linux filesystem
17 966656 3063807 1024.0 MiB 8300 Linux filesystem
18 3063808 5423103 1.1 GiB 8300 Linux filesystem
19 5423104 7634943 1.1 GiB 8300 Linux filesystem
[email protected]:/ #
Partition Layout
streetdev22 said:
Recently rooted and unlocked the bootloader on my Huawei Prism II, but there is no custom recovery nor custom roms for this phone. I have tried determing the partition layout in order to dump the recovery, but I am unable to do so.
Tried earlier versions of romdump, but they returned with a segmentation failure.
Click to expand...
Click to collapse
I believe I've found the partition layout based on the /etc/recovery_mmc.fstab extracted from mmcblk0p13, but am not sure. The excerpt of my /etc/recovery_mmc.fstab file from mmcblk0p13 shows some partition names correlated to device names. Could someone verify this is a legitimate way to determine the partition layout? I've also attached the whole recovery_mmc.fstab file.
recovery_mmc.fstab excerpt:
Code:
/boot emmc /dev/block/mmcblk0p12
/cache ext4 /dev/block/mmcblk0p15
# /* < DTS2012062603367 lizhigang 20120626 begin */
/data ext4 /dev/block/mmcblk0p18 length=-16384
#/* < DTS2012062603367 lizhigang 20120626 end */
/recovery emmc /dev/block/mmcblk0p13
/misc emmc /dev/block/mmcblk0p7
/sdcard vfat /dev/block/mmcblk1p1 /dev/block/mmcblk1
/system ext4 /dev/block/mmcblk0p17
/sys_boot vfat /dev/block/mmcblk0p3
/fat vfat /dev/block/mmcblk0p3
/HWUserData vfat /dev/block/mmcblk0p19
#/*< DTS2012020804291 weizhonghui 20120208 begin */
/cust ext4 /dev/block/mmcblk0p16
#/* DTS2012020804291 weizhonghui 20120208 end >*/
#/* DTS2012011906026 chendeng 20120120 end > */
# /* DTS2012031506621 lishubin 20120321 end > */
Easier to read (joined fdisk and the recovery_mmc.fstab)
Code:
Device Boot Start End Blocks Id System
/dev/block/mmcblk0p1 * 1 3 20 4d Unknown /sdcard
/dev/block/mmcblk0p2 3 41 300 45 Unknown
/dev/block/mmcblk0p3 41 16681 133120 c Win95 FAT32 (LBA) /sys_boot and /fat
/dev/block/mmcblk0p4 16681 477184 3684031+ 5 Extended
/dev/block/mmcblk0p5 16897 18432 12288 6a Unknown
/dev/block/mmcblk0p6 18433 18944 4096 46 Unknown
/dev/block/mmcblk0p7 18945 19456 4096 63 GNU HURD or SysV /misc
/dev/block/mmcblk0p8 19457 19840 3072 58 Unknown
/dev/block/mmcblk0p9 19969 20352 3072 4a Unknown
/dev/block/mmcblk0p10 20481 20864 3072 4b Unknown
/dev/block/mmcblk0p11 20993 21504 4096 47 Unknown
/dev/block/mmcblk0p12 21505 22528 8192 48 Unknown /boot
/dev/block/mmcblk0p13 22529 25088 20480 60 Unknown /recovery
/dev/block/mmcblk0p14 25089 25600 4096 6c Unknown
/dev/block/mmcblk0p15 25601 50176 196608 83 Linux /cache
/dev/block/mmcblk0p16 50177 60416 81920 83 Linux /cust
/dev/block/mmcblk0p17 60417 191488 1048576 83 Linux /system
/dev/block/mmcblk0p18 191489 338944 1179648 83 Linux /data
/dev/block/mmcblk0p19 338945 477184 1105920 6b Unknown /HWUserData
Very nice!
Correlates with the hints found in other files as seen above, so I think we have successfully found the partition layout! I will take a look when my device gets here(originally was working on my relative's phone, but now I purchased it for myself). If this method is confirmed,we can to port CWM, thank you all!! After CWM, we should be able to make custom ROMs freely.
streetdev22 said:
Correlates with the hints found in other files as seen above, so I think we have successfully found the partition layout! I will take a look when my device gets here(originally was working on my relative's phone, but now I purchased it for myself). If this method is confirmed,we can to port CWM, thank you all!! After CWM, we should be able to make custom ROMs freely.
Click to expand...
Click to collapse
Great. I'm glad that someone can verify part of the partition layout. Hopefully, this means that the new information is credible too.
Prism 2 said:
Great. I'm glad that someone can verify part of the partition layout. Hopefully, this means that the new information is credible too.
Click to expand...
Click to collapse
How exactly did you extract the file? Did you extract it from mmcblk0p13? Have the device on hand, so I am trying to verify the findings.
Thanks.
Unpacking Recovery Image
streetdev22 said:
How exactly did you extract the file? Did you extract it from mmcblk0p13? Have the device on hand, so I am trying to verify the findings.
Thanks.
Click to expand...
Click to collapse
First, I made a selective backup using a google store app called Online Nandroid Backup https://play.google.com/store/apps/details?id=com.h3r3t1c.onnandbup&hl=en to make a backup on the "recovery" partition. Even though the app does not specify which block it copies, I believe the app makes a backup of /dev/block/mmcblk0p13 because it uses /system/partlayout4nandroid to determine the partition layout. If you look at the "cat /system/partlayout4nandroid" output below, you'll see that mmcblk0p13 corresponds to recovery.
Then I transferred the recovery.img from the sdcard to my computer.
From there, I followed the directions in Step 1 and Step 2 of http://www.imajeenyus.com/computer/20130301_android_tablet/android/unpack_repack_recovery_image.html to unpack and extract recovery.img.
Online Nandroid Backup Partition Layout:
Code:
[email protected]:/ # cat /system/partlayout4nandroid
cat /system/partlayout4nandroid
dev: size erasesize name
mmcblk0p1: 010000 000000 "modem"
mmcblk0p2: 000008 000000 "ssd"
mmcblk0p3: 000080 000000 "sbl1"
mmcblk0p4: 000100 000000 "sbl2"
mmcblk0p5: 000200 000000 "sbl3"
mmcblk0p6: 000200 000000 "aboot"
mmcblk0p7: 000200 000000 "rpm"
mmcblk0p8: 000200 000000 "tz"
mmcblk0p9: 002800 000000 "pad"
mmcblk0p10: 000c00 000000 "fsg"
mmcblk0p11: 002000 000000 "persist"
mmcblk0p12: 002800 000000 "boot"
[B]mmcblk0p13: 002800 000000 "recovery"[/B]
mmcblk0p14: 0b8000 000000 "system"
mmcblk0p15: 0d0000 000000 "cache"
mmcblk0p16: 000c00 000000 "modemst1"
mmcblk0p17: 000c00 000000 "modemst2"
mmcblk0p18: 040000 000000 "tombstones"
mmcblk0p19: 000400 000000 "misc"
mmcblk0p20: 001000 000000 "logo"
mmcblk0p21: 001000 000000 "logo2"
mmcblk0p22: 54c000 000000 "userdata"
mmcblk0p23: 00ffef 000000 "grow"
[email protected]:/ #
Probably correct.
My father(the owner of the phone) has once again left on a trip, so I will have to wait until Monday/Tuesday, when I receive my phone, to confirm these results.
My only issue with this is is why nandroid shows a different partition layout then what is shown in other files.
If partition 13 is recovery, there is no coincidence that you would find that fstab file in the extracted recovery.
Do you mind dumping all the extracted files from the recovery and uploading them to 4shared, mediafire, or any other cloud service as a compressed file(zip, tar)? I think the file is not coincidental, and that we have indeed found the partition layout(or at least the important partitions for our purposes).
Also, try dumping the boot partition that is currently identified (block 12) without using online nandroid backup(I think via dd should still work) and see if you can find similar files to that explained in the guide(.png, ramdisk directory, etc). If these files match up to what would be typically found in a boot.img or recovery.img, then the layout is most likely correct.
If these files match up to typical boot.img or recovery.img files, we can test the layout by changing something simple like a background before working on serious stuff.
Also, thanks for helping! Once we conclusively identify that this partition layout is correct, we can start to port clockworkmod.
streetdev22 said:
My father(the owner of the phone) has once again left on a trip, so I will have to wait until Monday/Tuesday, when I receive my phone, to confirm these results.
My only issue with this is is why nandroid shows a different partition layout then what is shown in other files.
If partition 13 is recovery, there is no coincidence that you would find that fstab file in the extracted recovery.
Do you mind dumping all the extracted files from the recovery and uploading them to 4shared, mediafire, or any other cloud service as a compressed file(zip, tar)? I think the file is not coincidental, and that we have indeed found the partition layout(or at least the important partitions for our purposes).
Also, try dumping the boot partition that is currently identified (block 12) without using online nandroid backup(I think via dd should still work) and see if you can find similar files to that explained in the guide(.png, ramdisk directory, etc). If these files match up to what would be typically found in a boot.img or recovery.img, then the layout is most likely correct.
If these files match up to typical boot.img or recovery.img files, we can test the layout by changing something simple like a background before working on serious stuff.
Also, thanks for helping! Once we conclusively identify that this partition layout is correct, we can start to port clockworkmod.
Click to expand...
Click to collapse
The extracted files in partition 13 can be found in post #44 of http://forum.xda-developers.com/showthread.php?t=2546455&page=5 labeled as "ramdisk.tar.bz2". I will make a dump of the boot partition using dd and run the tests tomorrow.
Looks validated, Also more tools
There are other guides on the matter of porting cyanogenmod..for example
http://wiki.cyanogenmod.org/w/Doc:_porting_intro
which even mentions a recovery.fstab file in recovery.img! So, that means the partition layout in the fstab file you found is most likely correct.
Another guide:
http://xda-university.com/as-a-developer/porting-clockworkmod-recovery-to-a-new-device
Also, there is an automated tool to porting cyanogenmod for new devices..
http://builder.clockworkmod.com/ (I would recommend avoiding the touch recovery for now, simple is all we need and we don't need more complications)
I am really feeling pretty confident about the partition layout found in the recovery.fstab, because one guide mentions it to be found in the recovery.img!
I would recommend making the changes to a recovery.img instead, because boot.img is still kinda scary (possible bricking )
Also, I think there is a command to try booting from a recovery.img without flashing the .img to the actual partition.
I think the command is mentioned here: http://forum.xda-developers.com/showthread.php?t=2233477
fastboot boot recovery.img is the command and it will not overwrite your existing recovery.
By using this command, you can try booting the stock recovery you extracted(to validate that we have a stock recovery available if we need it), and then boot the recovery.img you make with small edits, and then boot the recovery.img made from the automated CWM porter.
Thank you for replying so fast! We have made real progress in the last few days.
Edit:In the ramdisk that was extracted, another fstab exists on the root of the directory that is named fstab.msm7627, which is the same name from the file I located in post 1! They are the same file! I think this is validated.
Testing Recovery Partition
streetdev22 said:
I would recommend making the changes to a recovery.img instead, because boot.img is still kinda scary (possible bricking )
Also, I think there is a command to try booting from a recovery.img without flashing the .img to the actual partition.
I think the command is mentioned here: http://forum.xda-developers.com/showthread.php?t=2233477
fastboot boot recovery.img is the command and it will not overwrite your existing recovery.
By using this command, you can try booting the stock recovery you extracted(to validate that we have a stock recovery available if we need it), and then boot the recovery.img you make with small edits, and then boot the recovery.img made from the automated CWM porter.
Click to expand...
Click to collapse
I've made
a regular recovery.img using "dd if=/dev/block/mmcblk0p13 of=/sdcard/recovery.img" to make a copy of the recovery partition
a test recovery.img that is the same in every way to the original recovery.img except that all the images under /res/images is rotated 90 degrees. You can see the difference yourself by looking in res.rar attached below.
a clockworkmod recovery image from the clockworkmod recovery builder website
These images can be found attached below:
recovery.rar = original Huawei recovery image
recovery-test.rar = edited recovery image
recovery.img = clockworkmod recovery automatic builder image from http://jenkins.cyanogenmod.com/job/recovery/52069/
Unfortunately, I cannot test this image myself, because I do not want to unlock my bootloader yet.
If anyone with a rooted, unlocked Huawei Prism 2 is interested in helping to further the development of recovery roms for the Prism 2, I have made 3 tests to see if
the recovery partition is located in /dev/block/mmcblk0p13
the command "fastboot boot recovery.img", which we will be using extensively, can be used to boot the specified image file
the Clockworkmod Recovery image made from automated CWM porter successfully boots
The files you will need are provided below. I've also given instructions to the best of my ability without actually having done this.
To test if the recovery partition is located in /dev/block/mmcblk0p13:
Go into fastboot mode (step 2f in post #1 of http://forum.xda-developers.com/showthread.php?t=2546455)
Download the recovery.rar file below and extract it to get recovery.img.
Open up terminal
change directory to where you extracted recovery.img
type
Code:
fastboot boot recovery.img
See if phone boot into recovery
Next we test an edited recovery.img to see if "fastboot boot recovery.img" is truly letting us boot the image we've specified.
To find out, we're going to use the edited recovery.img and do pretty much the same thing except now with recovery-test.img:
Go into fastboot mode (step 2f in post #1 of http://forum.xda-developers.com/showthread.php?t=2546455)
Download the recovery-test.rar file below and extract it to get recovery-test.img.
Open up terminal
change directory to where you extracted recovery-test.img
type
Code:
fastboot boot recovery-test.img
See if any pictures are upside down (the battery symbol, numbers, or the android robot)
After completing the 2 tasks above, and verifying that we have a valid original recovery.img and that we can use
Code:
fastboot boot recovery.img
to boot a specific image file, we can start testing a very, very, very EXPERIMENTAL Clockworkmod Recovery image using fastboot. I would not rely on this image to make backups and I honestly do not know what kind of damage it might inflict on the phone so make a backup of everything before starting.
output from CWM automatic recovery builder: http://jenkins.cyanogenmod.com/job/recovery/52069/
To test if this CWM recovery image will boot and have the right partition layout:
Go into fastboot mode (step 2f in post #1 of http://forum.xda-developers.com/showthread.php?t=2546455)
Download the recovery.img.
Open up terminal
change directory to where you downloaded recovery.img
type
Code:
fastboot boot recovery.img
If the cwm recovery image boots, type
Code:
mount
See if /sdcard is mounted to the right partition)
If you're feeling lucky, make a backup to /sdcard **this step can cause damage to phone if /sdcard is mounted to the wrong partition**
Thanks for volunteering and bringing the Huawei Prism 2 one step closer to custom roms.
Will test as soon as I get the phone.
I should be getting my phone in the mail Tuesday-Wednesday, but I will test as soon as I get it in the mail and I get my bootloader unlocked. I shouldn't have an issue booting it, since it will boot without effecting my current recovery partition. Hopefully the cwm recovery boots as well.
streetdev22 said:
I should be getting my phone in the mail Tuesday-Wednesday, but I will test as soon as I get it in the mail and I get my bootloader unlocked. I shouldn't have an issue booting it, since it will boot without effecting my current recovery partition. Hopefully the cwm recovery boots as well.
Click to expand...
Click to collapse
Great! I really hope it works. Let me know if I can help with anything in the meantime.
Getting my phone today
My phone is coming today! I will let you know the results either later today or tomorrow. Also, could you pull a build.prop using ADB from your phone? This guy needs it: http://forum.xda-developers.com/showthread.php?p=49494728
niceeeee
Prism 2 said:
Great! I really hope it works. Let me know if I can help with anything in the meantime.
Click to expand...
Click to collapse
I tried them today and they work fine siiiiir. both booted while i was stuck in a boot loop from deleting my settins apk
Cjantolak said:
I tried them today and they work fine siiiiir. both booted while i was stuck in a boot loop from deleting my settins apk
Click to expand...
Click to collapse
Thats good news! Could you state specifically which 2 of the 3 images booted though? I'm assuming the original (recovery.rar file) and the edited (recovery-test.rar file) recovery.images, but want to make sure
In other words, did you test the clockworkmod recovery image?
first two
Prism 2 said:
Thats good news! Could you state specifically which 2 of the 3 images booted though? I'm assuming the original (recovery.rar file) and the edited (recovery-test.rar file) recovery.images, but want to make sure
In other words, did you test the clockworkmod recovery image?
Click to expand...
Click to collapse
I did just boot the clockworkmod recovery and i just booted up fine. os is running as it should other than the whole missing settings app. im stuck without root, without wifi, and usb debugging.
adb not installing the app either so idk.
Thanks for straightening out the confusion. Can you check the mounted partitions are correct? Afterwards you can use update.zip to install your settings.apk
---------- Post added at 01:11 AM ---------- Previous post was at 01:04 AM ----------
Never mind about checking the partition layout. I just remembered you don't have adb. I will try to make a better recovery image.
Hello.
I have a Samsung Relay that is rebranded by Cellular One of North East AZ. They have a fancy super thin sticker over the Tmobile logo on the glass. lol... But the firmware in the device is branded by Cellular One.
I cannot find that firmware anywhere and want to know if anyone has any directions on how to back up the firmware so It could be loaded onto a t-mobile Relay to "brand" it for Cellular One.
Appreciate any help you can offer.
Thanks.
(I normally play in CDMA world, but I moved to po dunk nothing ville and VZW Sucks here, so had to go with Cell One. First real experience with GSM)
I've never done this before and I'm not 100% sure if it can be done. But there probably are ways if you're clever enough. So here's what I would try if I were in your position:
1. Check if there's a way to dump it with Odin. You can google around to see if it's possible but I'm pretty sure it's a feature in Odin (Whether our phone supports it is another story). You would have to boot into download mode, (vol down + home + power when powering on) and then follow whatever directions you find for dumping a rom. Just make sure you don't flash anything to your device. And make sure you know what you're doing with Odin because it can brick your phone if you push the wrong buttons.
2. The other way to do it is to dump your partition contents with the dd command (I would do it through an adb shell). This would require you to have root. I'm not sure of how to get root without modifying your ROM (kind of defeats the purpose of what you're trying to do if we have to change the ROM) but there are usually ways to get a temp root. Not sure how to do it on our phone but maybe someone else can help you with that part. Or maybe do some googling. The dd part I've at least done for the boot partition. Basically what you want to do is open an adb shell and run:
"ls -l /dev/block/platform/msm_sdcc.1/by-name/"
This will give you a list of all the partition name symlinks and show you the block devices they point to. For example, when I was getting boot.img I found that the "boot" symlink pointed to "/dev/block/mmcblk0p7". Find all the partitions you want to image in this list and figure out which block devices they point to.
The next part is to figure out how big each of the partitions is. You can find this in /proc/partitions. So from your adb shell you would run:
"cat /proc/partitions"
This will print out all of your flash block devices (look at the ones you were interested in from above). The 3rd column in this list will be the # of blocks in the partition. I believe the block size is 1k (1024 bytes). For example, my boot partition was 10240 blocks which comes out to 10 Megs, which sounds about right. The 1k assumption also agrees with the total device flash size, which is 7634944 blocks (mmcblk0) which is just under the 8GB they say the phone has. So I'm pretty confident about the block size.
So now we're at the part where things get a little hairy. I'm assuming you've found some way to get root in your adb shell. Be very careful with these dd commands and if you don't know what you're doing, don't do it. You would want to run something like the following:
"dd if=/dev/block/<partition name> of=/storage/sdCard/<name of image file> bs=1024 count=<# of blocks for partition you found in /proc/partions>"
You would do this for each partition you want dumped.
Again, be careful if you decide to try and do any of this stuff (especially with the dd commands, if you mix up the in file and out file you can brick your device). But like I said this worked for me to get boot.img and I was able to extract it and get the kernel and ramdisk. Hope this helps and sorry I don't know more about getting you a temp root without modifying your ROM.
Jeff
Can you send me a screenshot of your about phone screen?
Sent from my SGH-T699 using Tapatalk
hello everyone,
i resurrection this thread so bring some information to pepole who want to backup stock rom so they can flash it back with odin.
i constructed a list of partitions names/partition location nb./partition block size for a refreance of what to backup:
block size partition block location partition name
7634944 /dev/block/mmcblk0 Whole SSD on Device
2048 /dev/block/mmcblk0p5 aboot
6144 /dev/block/mmcblk0p20 backup
10240 /dev/block/mmcblk0p7 boot
860160 /dev/block/mmcblk0p17 cache
13952 /dev/block/mmcblk0p11 efs
10240 /dev/block/mmcblk0p19 fota
3072 /dev/block/mmcblk0p21 fsg
5120 /dev/block/mmcblk0p23 grow
61440 /dev/block/mmcblk0p1 modem
3072 /dev/block/mmcblk0p12 modemst1
3072 /dev/block/mmcblk0p13 modemst2
512 /dev/block/mmcblk0p9 pad
10240 /dev/block/mmcblk0p10 param
8192 /dev/block/mmcblk0p16 persist
10240 /dev/block/mmcblk0p18 recovery
512 /dev/block/mmcblk0p6 rpm
128 /dev/block/mmcblk0p2 sbl1
256 /dev/block/mmcblk0p3 sbl2
512 /dev/block/mmcblk0p4 sbl3
8 /dev/block/mmcblk0p22 ssd
1228800 /dev/block/mmcblk0p14 system
512 /dev/block/mmcblk0p8 tz
5386240 /dev/block/mmcblk0p15 userdata
so all you have to do is to use this command via terminal:
"dd if=/dev/block/<partition name> of=/storage/sdCard/<name of image file> bs=1024 count=<# of blocks for partition>"
you can cnange "sdCard" for "extSdCard" if you wish.
this will make you the raw imgae of all partitions and then you will need to use tar in linux to make a tar.md5 file for odin.
use the commands below in terimanl to do so:
"tar -H ustar -c image1 image2 image3 etc... > package_name.tar"
"md5sum -t package_name.tar >> package_name.tar"
"mv package_name.tar package_name.tar.md5"
remember you will need superuser on you phone to do this, also the commands are without the quotation mark.
the only thing left to know is what partitions you must backup to beable to restore fully to stock with/without data.
i know you should backup the boot/efs/recovery/system partitions for clean stock + userdata/cache if you want your data back.
does anybody know of other critical partitions to backup?
I have been try to build TWRP for SM-J737S today, finally i got it.
but when I flash it, It say to me "could not do normal boot invalid ramdisk length".
I wanted to fix it, but I couldn't get any information from google
No one may have mentioned it because it is too simple a matter for some people, but I need help with it.
please help me
Post your recovery.
We're not Carnac the Magnificent.
here's my recovery file
Your ramdisk looks ok, it spans from 11c5800 to 2005182.
You have a DTB from 2005800 to 20a0cac
In Android header type 0 (which you have) a DTB should be snuck in after the kernel.
Surely you meant Android header type 2?
Do you have your stock recovery?
I can't sure what is Android header type.
I think I need more study to find what i did wrong...
thanks for your help.
here's stock recovery
Your stock recovery is type 0 and has the dtb after the ramdisk too.
I guess that must be ok for your device, but it seems non-standard.
I'll take another look.
I'm still scratching my head.
In ye olde times pagesize (quantization on Android images) was 4096.
Then they became appalled at the waste of potentially 2048 bytes on a 30 Meg image.
So some folks changed the pagesize to 4096. (Savings!)
Then people decided to park non-header-referenced things after the image.
Oh, boy.
Like AVB0 signatures. These were quantized to 4096 even if the page size was 2048.
So now your (stock) image puts the DTB after the referenced parts of the image.
It's quantized to 2048 (the page size).
It also has this "DTBH" header that I've never seen before.
But we do find 5 (five) dtbs (just in case you want to load this on another model).
And after that in the stock image, we find (at a 2048 quantization) a "SEANDROIDENFORCESignerVer02".
Who the heck knows what that is.
Then there is the obvious issue: Youre recovery is over 32 MB.
Is the partition that big?
surely I need to chack partition size.
I'm trying to get root..
Code:
GPT fdisk (gdisk) version 0.8.4 Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk mmcblk0: 61071360 sectors, 29.1 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 52444E41-494F-2044-4D4D-43204449534B
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 61071326
Partitions will be aligned on 1024-sector boundaries
Total free space is 18365 sectors (9.0 MiB)
Number Start (sector) End (sector) Size Code Name
1 8192 16383 4.0 MiB 0700 BOTA0
2 16384 24575 4.0 MiB 0700 BOTA1
3 24576 65535 20.0 MiB 0700 EFS
4 65536 81919 8.0 MiB 0700 CPEFS
5 81920 90111 4.0 MiB 0700 m9kefs1
6 90112 98303 4.0 MiB 0700 m9kefs2
7 98304 106495 4.0 MiB 0700 m9kefs3
8 106496 108543 1024.0 KiB 0700 NAD_REFER
9 108544 124927 8.0 MiB 0700 PARAM
10 124928 190463 32.0 MiB 0700 BOOT
11 190464 268287 38.0 MiB 0700 RECOVERY
12 268288 272383 2.0 MiB 0700 DTBO
13 272384 452607 88.0 MiB 0700 RADIO
14 452608 453631 512.0 KiB 0700 PERSISTENT
15 453632 455679 1024.0 KiB 0700 MISC
16 455680 463871 4.0 MiB 0700 STEADY
17 463872 475135 5.5 MiB 0700 RESERVED2
18 475136 6422527 2.8 GiB 0700 SYSTEM
19 6422528 7454719 504.0 MiB 0700 VENDOR
20 7454720 7864319 200.0 MiB 0700 ODM
21 7864320 8478719 300.0 MiB 0700 CACHE
22 8478720 8499199 10.0 MiB 0700 HIDDEN
23 8499200 8540159 20.0 MiB 0700 OMR
24 8540160 8550399 5.0 MiB 0700 CP_DEBUG
25 8550400 8591359 20.0 MiB 0700 NAD_FW
26 8591360 61061119 25.0 GiB 0700 USERDATA
as you can see, RECOVERY partition is bigger then 38mb.
I have no idea what the problem is
Ok, looking around it seems like that error is just what it says.
There seems to be some hard limit on the size of ramdisks for recovery.
Code:
ramdisk 14,940,546
ungzipped ramdisk 34,343,936
I'm not sure if they mean the gzipped ramdisk or the ungzipped ramdisk (raw cpio).
You've got the kitchen sink in there.
How about getting rid of 99% of that terminfo junk?
You really want the Python stuff?
I tried to make ramdisk smaller today, but I failed.
I couldn't figure out which files were important and which ones weren't.
Actually, I'm used to using linux, but I know very little about Android system
Can you tell me what I should do or search?
@voskresenie
Well, here's a shot for you. I removed all the terminfo and Python stuff.
I had to manually extract the DTB and stick it on the end.
Give it a shot. It weighs in at less than 32MB
now it doesn't say "could not do normal boot invalid ramdisk length", but I can see black screen and irregularly flashing backlight.
is it possible that I solve the ramdisk size problem in the source code?
I think I need to change setting and rebuild TWRP..
Hmm, did you check to see if you had ADB?
Renate said:
Hmm, did you check to see if you had ADB?
Click to expand...
Click to collapse
adb doesn't work.
actually, windows says USB device recognition failure
It could be that I screwed up or that there was an actual problem in your TWRP build.
Are you testing this by fastboot boot recovery.img?
Or are you doing fastboot flash recovery recovery.img?
If you are doing the first one have you tried with the stock recovery image to make sure that works?
most of samsung devices don't have fastboot.
instead of fastboot, they have download mode.
I think the work that i do is play same role fastboot flash recovery recovery.img
It probably looks like separating partitions by file name.
If I use a name other than recovery.img or boot.img, the flash fails.
Did I mention that I hate Samsung and wouldn't take one if you gave it to me?
I did mention that the stock has some custom signature at the end.
Try booting the stock recovery file that you posted like you are trying to boot your TWRP. Does it work?
If it works you can try truncating it yourself to 27,123,712 bytes, 0x019DE000
See if that runs.
If you can't truncate it, I could post it.