Database Info

[DEV][M10] Decompiling M10 (Sense) images

The problem
Since HTC introduced Sense 3.5, themers faced a huge problem. The previously used software "M10Tools" wouldn't work with the new version of Sense.
Flemmard and me tried countless hours decoding the new image format, but without any success. The new image format is totally diferent to anything else previously seen.
I made this thread to search for help from all the awesome devs on XDA, hoping that we might find one who can help.
The history
Let me start this with some introduction to the m10 format itself.
The images I am talking about are parts of one big file - the m10 file. We usually have multiple images per m10 file, but the number doesn't really matter.
Together with the raw image data we get a set of meta information. We are not exactly sure what the values mean, but we can guess the meaning from the history of the old, decodable images.
We used to have information like width, height, payload of the image and an integer indicating what kind of image type we have. We know the actual image type for a few of these intergers, but with Sense 3.5, 3.6 and 4.0 HTC added at least two new types.
The facts
We don't have any hard facts for these image types but looking at the "old" image types, we can guess a few things:
The images are in a format the GPU can render directly (Like s3tc, ATC, QTC, etc) (At least this used to be the case, might have changed)
Images are most likely compressed. The ratio between assumed size (based on meta data) and the actual data size indicates some heavy compression. The data itself obviously looks compressed too.
There are no headers or any other help. It is just raw data.
We don't know exactly how the decoded images actually look like, so we can't say what the images display. However, due to latest archievements we "might" know this for images from Sense 3.5 and 3.6 if needed.
The handling software side is all in a few libs and NOT in smali / java, so we can't look for stuff there, however we have the libs, so if someone is pro with assembler he might find out something
I will provide a download which contains several chunks of image data and the according meta data.
If you consider working on this, please do not refrain from thinking about super simple solutions, we worked so long on this that we might be totally confused.
One thing though, this might sound arrogant, but this here really is only for people who have some decent knowledge about file formats, image compression or OpenGL.
The image types
Here is a list of image type we already know ( remember, we don't know where the numbers come from, might be some enum in native code or so)
Type 4: Raw RGB
Type 6: Raw RGBA (still used rather often)
Type 8: ATC RGB (doesn't seem to be used at all anymore)
Type 9: ATC RGBA Explicit (doesn't seem to be used at all anymore)
As you can see we got types WITH and WITHOUT alpha encoding.
Here is the list of UNKNOWN formats:
Type 13 (used way less than type 14, so maybe no alpha?)
Type 14 (this is the most used type, so I assume this one supports alpha encoding)
When thinking about what the data might be, don't throw away crazy ideas like "The data is S3TC /ATC /whatever but compressed again by some 'normal' compression algorithm". Maybe they just replaced type 8 and 9 with an additional compression on top of these types.
The meta data
Okay, so now lets talk about the meta data we get together with the actual data:
We get 4 more or less known chunks of information per image (plus a few unknown things)
Image type (described earlier) (Example: 6)
Image width (Example: 98)
Image height (Example: 78)
A more complex value containing multiple values at once.
Example: "98:78:0:30576"
We used to know the meaning of three of these values. However we are not sure for the new images. Lets explain the old meaning first:
98: Width, same value as the value above
78: Height, same value as the value above
0: It's always 0, we have no idea what it means, but since it's static we didn't care
30576: this used to be the data size. This image has a resolution of 98*78 = 7644 pixels. With a data size of 30576 that means we got 4bytes per pixel.
Lets take a look at the new images now. We still get the same information, however the meaning seems to have changed a bit:
Image type (described earlier) (Example: 14)
Image width (Example: 997)
Image height (Example: 235)
A more complex value containing multiple values at once.
Example: "1000:236:0:118000"
This is the assumed new meaning
1000: Width, but rounded up to a multiple of 4
236: Height, but rounded up to a multiple of 4
0: It's always 0, we have no idea what it means, but since it's static we didn't care
118000: this value is now exactly half of the rounded resolution (1000 * 236 / 2 = 118000)
This would mean only half a byte per pixel. One big problem here: the actual data size does not match this value at all!
The data is way smaller than this value, which indicates that it got compressed a second time
Now lets talk about some very important piece of information: HTC uses the SAME image formats on BOTH a Tegra 3 and a Qualcomm Snapdragon S4.
This obviously means that both Tegra and Snapdragon need to be able to handle this. However, also keep in mind that HTC bought S3 graphics and thefore might got some advantages here.
You can find a statistic on the used formats in the download, it's an Excel sheet with two diagrams showing the usage.
Now this was a long post, I hope someone is still reading this and might have some ideas about what's going on here.
Feel free to ask any questions concerning this.
I am also available in #virtuousrom on Freenode, per PM here or via email: diamondback [at] virtuousrom [dot] com
Download:
The download contains a bunch of unknown images of types 13 and 14 together with their meta data (like explained above)
Download image pack

Solution
After some digging I estimated that the data is compressed with fastlz [0]. Also so if you decompress it, you get exactly Width*Height bytes of data. I dont know the format this data is in, but i guess its the same the uncompressed data (type 8 or 9 or so?) was. Maybe someone could check up on that.
[0] http://fastlz.org/

onlyolli said:
After some digging I estimated that the data is compressed with fastlz [0]. Also so if you decompress it, you get exactly Width*Height bytes of data. I dont know the format this data is in, but i guess its the same the uncompressed data (type 8 or 9 or so?) was. Maybe someone could check up on that.
[0] http://fastlz.org/
Click to expand...
Click to collapse
You are indeed right. We actually found the same a few hours ago What a weird conincidence... :victory:
Type 4 and 6 are changed, they are zipped now too. Which actually breaks backwards compatibility with older Sense versions...
Inside of the zipped data are ETC images, which also explains how they can use the same on S4 and Tegra 3.
The type 14 actually contains TWO images, both ETC. Since ETC doesn't support alpha one is the image and one is an alpha mask...
Funny trick HTC!

Zune Backup Format

Pre-thought: Zune Backups are located C:\Users\???\AppData\Local\Microsoft\Windows Phone Update\
The Zune Backup format seems to be following (under PhoneGUID\RestorePoint\BackupInstanceGUID\Data):
Each Data.X.dat.hash is a SHA-1 hash of Data.X.dat, and the Manifest.xml.hash is as well of Manifest.xml. I believe the entire contents of the files are AES encrypted and they certainly contain RUU IMGFS SLDR etc. At least we have a starting point. I'm doing to take all .DATs combine them and tinker with maybe trying to find a working filesystem out of it. Feel free to comment, constructively and without criticism. I wouldn't recommend copy /b *.dat dump.bin as that would 'accidently' combine say Data.1148.dat, Data.1149.dat, Data.115.dat, Data.1150.dat OUT OF ORDER. I'd rather write a small script to rename files prepending them all to 0000-padding. (Programmers will know)
*Edit* A quickie script grabbed online (slight mod)
<?php
error_reporting(-1);
//What? Quick CLI-tool to rename the file extensions of multiple files (in working directory) matching the pattern.
//Author? ZuZi
//Date? 2013/02/14
//Revised for quick scripting by Yuji Saeki
if($argv[1] && $argv[2]){
foreach (glob("*.$argv[1]") as $filename) {
$newfilename = explode(".", $filename);
$newfilename = $newfilename[0] . "." . str_pad($newfilename[1], 4, "0", STR_PAD_LEFT) . "." . $newfilename[2];
echo ("Renaming $filename to $newfilename\n");
rename("$filename", "$newfilename");
}
}else
usage: *.dat DumpName\n\n");
?>
Then you can copy /b *.dat Dump.bin for example.
*Edit*
Offset 0x00000000 word points to encryption type (ChainingMode) while adding 0x10 will point to encryption algorithm SHA1. Trying to work out AES block right now, and of course other bytes in that 'header' block (0).
Maybe if someone who has an unlocked phone (waiting for goldcard tools to arrive) can look at filesystem driver for WP?
If anyone wants to do anything I'd recommend starting with a very fresh phone, smaller backups around 500MB and below then. My current backup is about 7GB. >_>; Well lucky me for 32GB DDR3 2,400 eh?
*Edit*
Haven't determined much anything else but I did notice one thing. Hard Reset to immediate backup with no modification, twice, dumps differed significantly in content, I believe a salt or password used in the encryption algorithms is generated on an install basis. If anyone can reverse engineer UpdateWS(?) or whatever it is that sends backups to PC from Phone we might could figure out how it determines a password.

[Tut] Android one-click utils in VB.Net

Hello guys,
I know there are multiple guides like this one on the forums, but I guessed: Why should one just have tutorials in Batch and C#? I can program in VB, why not share it?
First: This guide will contain some code out of my own program (Universal Android Toolkit) but only the free stuff
So, I guess I'll start off.
Prerequisites:​What will you need?
Microsoft Visual Studio (2008, 2010 or 2012) for Windows Desktop. I'll provide links.
A computer with at least 1GB RAM, a P4 @ 2.8GHz, 128MB Graphics chip/card, some basic knowledge of ADB commands (You'll learn them here, I guess...)
A cup of coffee or whatever your favorite warm beverage is.
Oh, and some decent music would be good.
Setting things up:​As I've already done this a while back, I cannot provide screenshots, but I'll do my best to explain things.
First, download Visual Studio 2012 for Windows Desktop and open the installer.
It should look somewhat like this, just with a big 'START' button at the bottom.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Once you have installed that, it is advisory, that you download the .Net framework 3.5, 4.0 and 4.5
.Net 3.5 (Includes 2.0, 3.0 and 3.5 SP1
.Net 4.0
.Net 4.5
Once you have installed those, you should bookmark this page and restart your computer.
Then, move to the next step.
Creating a New Project:​Open up Visual Studio. You will be welcomed by a screen, which looks somewhat like this:
Click on 'New Project...'
You will then see this type of screen:
Select 'Windows Forms Application' and give it a name. You may name it whatever you want. You can also change the location it should be stored in. I'll change the name to Android One-Click Tutorial and I'll leave the default location as it is.
Once you have done that, hit OK and wait for the project to load up.
One-Click, Here we Come!:​
Once the project has loaded, you will see a screen like this (Depending on which version of VS you are using..)
You may name the form however you want. I'll name it the same as the project.
Once you have given it a name, you'll want to resize the form to the desired size and give it an icon.
Please excuse the weird highlights, I'm using my old laptop, because my computer broke and my mouse died with it.
Then debug the program, to make sure it is how you want it to be.
If it's OK for you, then let's get to downloading all the ADB-Stuff.
Download the ADT bundle from here and then download the platform-tools.
You might want another cup of coffee for this. Sadly, I can't drink anything warm or with caffeine, because I had an operation to my mouth yesterday (Friday the 07th of June 2013) so feel free to drink one on me
Once it is done downloading, extract the archive to your computer. I'll just put it in my Documents folder.
Once everything is extracted, move to the sdk\platform-tools folder. Make sure that the files 'adb.exe', 'AdbWinApi.dll', 'AdbWinUsbApi.dll' and 'fastboot.exe' are present. If they are, go back to Visual Studio and go to the properties of the project (Project ->> <Project Name> properties) and move to 'Resources'. Change the resource type from Strings to Files.
Then, add the four files from above to the resources.
Once all that is done, we can start coding.
So go ahead and double-click on the form, so that the code file shows up.
It'll look like this:
Type in the following over Public Class Form1:
Code:
Imports System.IO
Imports System.Threading
Imports System.Windows.Forms.DialogResult
Now, as this program is supposedly going to be used by others, probably people without knowledge of coding, and therefore people without ADB, etc., we want the program to look for our files and copy them if necessary.
We want to do this right at the beginning of the program, so we'll do it the Form1 Load Event.
Type the following code:
Code:
If Not Directory.Exists("ADB") Then
Directory.CreateDirectory("ADB")
Else
If Not File.Exists("ADB\adb.exe") Then
File.WriteAllBytes("ADB\adb.exe", My.Resources.adb)
End If
If Not File.Exists("ADB\AdbWinApi.dll") Then
File.WriteAllBytes("ADB\AdbWinApi.dll", My.Resources.AdbWinApi)
End If
If Not File.Exists("ADB\AdbWinUsbApi.dll") Then
File.WriteAllBytes("ADB\AdbWinUsbApi.dll", My.Resources.AdbWinUsbApi)
End If
If Not File.Exists("ADB\fastboot.exe") Then
File.WriteAllBytes("ADB\fastboot.exe", My.Resources.fastboot)
End If
End If
The code folder should now look something like this:
Ok. So now debug the program and check in the project's \bin folder for a folder named ADB and check if all the files were created accordingly.
If your folder looks like mine: You've done a great job! So you can already give yourself a pat on the back!
Now, to move on to the next step:
Adding Buttons and Commands:​
Move back to the designer and add a few buttons like I've done. The buttons I've created will:
Back up the device
Restore the device
Install an app
Push a file
Now, we want to create four more forms. One for the backup, one for the restore, one for the install app and one for pushing a file.
Hit CTRL+SHIFT+A to add new items.
You can name the forms however you want.
I created some with pretty self-explaining names:
Now, double-click on each button in Form1 to create a new code block in the code file.
Once you have done that, copy the following codes into each code block.
Button1_Click
Code:
Backup.Show()
Me.Hide()
Button2_Click
Code:
Restore.Show()
Me.Hide()
Button3_Click
Code:
Install.Show()
Me.Hide()
Button4_Click
Code:
Push.Show()
Me.Hide()
Now open up the Backup form. We'll start here. You can close the Form1-files.
Start designing the form as you wish. Here's how I've done it:
If you're using the same design as me, you might want to use the same code.
NOTE: I rarely use the .Net components in the Toolbox. Only for static operations. For things like dialog boxes, I use pure code.
This is working code. I have debugged and tested!
Code:
Imports System.IO
Public Class Backup
Private Sub Backup_Load(sender As Object, e As EventArgs) Handles MyBase.Load
TextBox2.Text = "Backup_From_" & Date.Now.ToShortTimeString
If Not Directory.Exists(TextBox1.Text) Then
Directory.CreateDirectory(TextBox1.Text)
End If
End Sub
Private Sub Backup_FormClosing(sender As Object, e As EventArgs) Handles MyBase.FormClosing
Form1.Show()
End Sub
Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
Dim FolderBrowse As New FolderBrowserDialog
FolderBrowse.Description = "Select the destination of where you wish your backup to be saved to." _
& "Note: Please do not choose locations with spaces in the directories. These may cause errors!"
FolderBrowse.ShowNewFolderButton = True
Dim DialogRes As DialogResult = FolderBrowse.ShowDialog
If DialogRes = Windows.Forms.DialogResult.OK Then
TextBox1.Text = FolderBrowse.SelectedPath
End If
End Sub
Private Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click
Shell("""ADB\adb.exe"" backup -f" & TextBox1.Text & "\" & TextBox2.Text & "-apk -system -full -all", AppWinStyle.NormalFocus, True, 30000)
End Sub
End Class
Once you have that done, move to the next form. This, in my case, is Restore.
To keep the thread clear, I'll carry on in post #2.

Ok, now let's get on with Restore.
Open up the file, and again, design it as you want.
If you're using the same design as me, it is advisory, that you use the same code.
Here is the code I used:
Code:
Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
Dim OpenFile As New OpenFileDialog
OpenFile.InitialDirectory = My.Computer.FileSystem.SpecialDirectories.Desktop
OpenFile.Multiselect = False
OpenFile.Filter = "AB (Android Backups)|*.ab"
OpenFile.SupportMultiDottedExtensions = False
OpenFile.Title = "Select the Android Backup (*.ab) file to restore your device from..."
Dim DialogRes As DialogResult = OpenFile.ShowDialog()
If DialogRes = Windows.Forms.DialogResult.OK Then
TextBox1.Text = OpenFile.FileName
End If
End Sub
Private Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click
Shell("""ADB\adb.exe"" restore " & TextBox1.Text, AppWinStyle.NormalFocus, True, 30000)
End Sub
Private Sub Restore_FormClosing(sender As Object, e As EventArgs) Handles MyBase.FormClosing
Form1.Show()
End Sub
And now we're ready to move to the third form. As usual; if you're using the same design as me, you'll want to use the same code as me.
I'd like to note: I'll explain all the code in post #3.
The third form (Install an App) will be a bit different than the others. Here, we'll give the user the opportunity to select an entire folder which contains .apk files and then with a mouse-click, the app will install the desired APK.
Note the ListBox, That is where all the APKs will be listed. (Hence the name 'ListBox'.)
I have pulled some APKs from my phone and have put them in a folder (C:\APKs). We will use this folder to list all the available APKs in the listbox.
But before we do that, here is the code for the form. Again, nothing is imported here.
Code:
Private Sub Install_FormClosing(sender As Object, e As EventArgs) Handles MyBase.FormClosing
Form1.Show()
End Sub
Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
Dim FolderBrowse As New FolderBrowserDialog
FolderBrowse.Description = "Select the folder containing your APK files."
FolderBrowse.RootFolder = Environment.SpecialFolder.DesktopDirectory
FolderBrowse.ShowNewFolderButton = False
Dim DialogRes As DialogResult = FolderBrowse.ShowDialog()
If DialogRes = Windows.Forms.DialogResult.OK Then
For Each Item As String In My.Computer.FileSystem.GetFiles(FolderBrowse.SelectedPath)
ListBox1.Items.Add(Item)
Next
End If
End Sub
Private Sub ListBox1_SelectedIndexChanged(sender As Object, e As EventArgs) Handles ListBox1.SelectedIndexChanged
Shell("""ADB\adb.exe"" install " & ListBox1.SelectedItem.ToString, AppWinStyle.NormalFocus, True, 30000)
End Sub
And here are some pictures of the code in action:
FolderBrowserDialog (FolderBrowse):
The list of apps (ListBox):
Ok. We're almost done with our One-Click utility!
We've only got one more form and we'll do that in a dash! Then I'll get to explaining what everything means. Though most of it is pretty much self-explanatory, I'd rather go over it.
Move on to the last form, and the same rules apply.
This form will be using the same method as the Install form - Using a ListBox to display files.
Here is the code:
Code:
Private Sub Push_FormClosing(sender As Object, e As EventArgs) Handles MyBase.FormClosing
Form1.Show()
End Sub
Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
Dim FolderBrowse As New FolderBrowserDialog
FolderBrowse.Description = "Select the folder containing the file/s you want to push to the device..."
FolderBrowse.ShowNewFolderButton = False
FolderBrowse.RootFolder = Environment.SpecialFolder.DesktopDirectory
Dim DialogRes As DialogResult = FolderBrowse.ShowDialog()
If DialogRes = Windows.Forms.DialogResult.OK Then
For Each Item As String In My.Computer.FileSystem.GetFiles(FolderBrowse.SelectedPath)
ListBox1.Items.Add(Item)
Next
End If
End Sub
Private Sub ListBox1_SelectedIndexChanged(sender As Object, e As EventArgs) Handles ListBox1.SelectedIndexChanged
Shell("""ADB\adb.exe"" push " & ListBox1.SelectedItem & " " & TextBox1.Text, AppWinStyle.NormalFocus, True, 30000)
End Sub
Cool! We've got our first One-Click-Utility done in Visual Basic.Net! This is pretty awesome, don't you think? I may have to re-do this thread, but for the moment it'll do, I guess.
Move down to the third post, to read all about what what piece of code does.

What Does What Piece of Code Mean and do?
In this post, I'll go over what which piece of code does. The practical thing about Visual Basic, is that it uses a lot of words used in the English language. That means: If you can speak English fluently, you can code in Visual Basic quite decently.
But nevertheless, I'll go over each bit, and that bit by bit. Of course, if you have questions, I'm happy to answer.
What does 'Imports' Mean and do?​
Imports
In Visual Basic, as in pretty much every other programming language, has references it uses to communicate to the OS (Operating System).
But, although referenced data is there, it is not entirely available to each form. So you must import that data to the form, where it is needed.
You can imagine 'Import' as if you were importing freight from another country - With the only difference, that you're importing data.
If you're familiar with C++, #includes <stdio.h> is the same as if you were using Imports System.IO in Visual Basic.
If, Else, ElseIf and End If​
What will be explained here, is the If-Statement. Every programming and scripting language has an If-Statement - Even if it is used with a different name.
Basically, what an If-Statement does, is check whether specific criteria is met by a clause you typed.
For example:
Code:
If File.Exists("C:\HelloWorld.vb") Then
MessageBox.Show("The file exists!")
Else
MessageBox.Show("The file doesn't exist!")
End If
This piece of code checks if a specific file exists.
If it exists, it will throw a message box saying that the file exists. Else, it will throw a message box saying it doesn't exist. Make sense?
But then we have ElseIf.
Using ElseIf can make the code more precise.
For example: Imagine you have a form with a text box, and you want to determine whether that text box contains, say http:// or ftp://, you'd type something like this:
Code:
Dim Text As String = TextBox1.Text (We'll get to Dim in a moment)
If Text.Contains("http://") Then
MessageBox.Show("The text box contains http://")
ElseIf text.Contains("ftp://") Then
MessageBox.Show("The text box contains ftp://")
Else
MessageBoz.Show("The text box doesn't contain http:// or ftp://")
End If
End If basically just terminates the If-Statement. I don't have an example for this in C++, but I guess you guys are smart enough to get what I mean
What does Dim mean?​
This is probably the easiest thing to explain, in this entire tutorial: All Dim does and means, is Declare. It declares a variable with a type.
I think in C++, you'd write something like
Code:
int a = 16;
Where the equivalent in VB is:
Code:
Dim a As Integer = 16
Sure, it's a bit more to write, but the code is easier to understand. Which is all VB is about: Easy coding.
For Each X As String In... Whaa?​
Well, here we've gotten to a stage, which I only learned a few months ago, and I've been programming in Visual Basic for five years, now.
Basically, For Each is kind of like an If-Statement. It searches for specific criteria. If that criteria is met, the code will be executed.
I'll use an example from the program written above:
Code:
For Each Item As String In My.Computer.FileSystem.GetFiles("C:\Windows")
This searches for files (FileSystem.GetFiles("") ) and returns these to a variable (Item) as a string value.
Code:
Next
The Next statement tells the computer to move to the next piece of code.
And last but not least:
Shell? But wait.. I know that from somewhere, don't I?​
Yup, you do! Shell is just a command prompt or terminal (Whatever you prefer). All it does, is it executes commands as the computer's shell and it gets a bit more low-level as other commands.
For example:
Code:
Shell("")
This would execute a simple program, without any command line arguments (Command Line Args).
Code:
Shell("""adb.exe"" install")
This would execute a specific file (In this case adb.exe) and would add a command line arg. Which gives you more flexibility and it allows you to interact with the shell-executable.
But the Shell Function can do more than that. It is also still a part of the program, which means it can still tell the program what to do.
For example:
Code:
Shell("""ADB\adb.exe"" install " & ListBox1.SelectedItem.ToString, AppWinStyle.NormalFocus, True, 30000)
This piece of code executes adb.exe, with a command line arg, but adds to the shell (CMD) window.
AppWinStyle: This determines how the CMD window is shown. In this example, we used NormalFocus, which puts the CMD window in the foreground and focuses on it. So the user can immediately interact with it, if necessary.
Where True is: True or False determine whether the program should wait until the shell operation is completed, before moving on to the next step of code. And ultimately, this is also what the integer (Whole number) behind it is for. The number (Must be an integer!) determines how long the program should wait until the program should execute the next line of code, in milliseconds.
And that was that, I guess.
If you feel I've missed something out, or you don't understand something, fell free to let me know and I'll it it to the list.
I'll add the project to my GitHub, so you can all download it.
Once I have the time, I'll re-design the posts, but at the moment, I think it'll do
(Mods: If you think I should, I'll do it right away! )

Downloads:
Download the source code (And pre-compiled binary) from my GitHub.
https://github.com/Beatsleigher/OneClickUtil
This is licensed under the GPL3.0, so feel free to do with it as you wish
I probably won't add to this project, but that should stop you!
Happy developing!

--- Reserved #4 ---

mfastboot.exe flash partition gpt.bin mfastboot.exe flash motoboot motoboot.img mfastboot.exe flash logo logo.bin mfastboot.exe flash boot boot.img mfastboot.exe flash recovery recovery.img mfastboot.exe flash system system.img_sparsechunk.0 mfastboot.exe flash system system.img_sparsechunk.1 mfastboot.exe flash system system.img_sparsechunk.2 mfastboot.exe flash modem NON-HLOS.bin mfastboot.exe erase modemst1 mfastboot.exe erase modemst2 mfastboot.exe flash fsg fsg.mbn mfastboot.exe erase cache mfastboot.exe erase userdata pause mfastboot.exe reboot
---------- Post added at 01:51 PM ---------- Previous post was at 01:48 PM ----------
Plz help me to execute above codes on a button press event
I know how to add mfastboot.exe

Quite useful thanks

coldflid said:
Quite useful thanks
Click to expand...
Click to collapse
You're welcome
I'm thinking of doing something similar for Java. Should keep people occupied

Looking forward to it

ADB Bruteforcer
I have made a Android Debugging Bridge 0000 to 9999 bruteforcer,
With this I will make a nice interface for it,
When I'm done, I will upload it somewhere at XDA.
Thanks 4 ur upload!

This just one of the great wonders. Nice Job .. Greeting from Mawcot Inc

dear @Beatsleigher first of all i wold like to thanks you for such a nice guide
i have some questions please answer it
1st. how to use multiple adb commands with one button
for example ( adb kill-server , adb start-server )
2nd how to print information to a textbox or label
for example if i want to see the connected adb devices and i use (adb devices ) so i want to print connected devices into a text box
thanks

zameer_yus said:
dear @Beatsleigher first of all i wold like to thanks you for such a nice guide
i have some questions please answer it
1st. how to use multiple adb commands with one button
for example ( adb kill-server , adb start-server )
2nd how to print information to a textbox or label
for example if i want to see the connected adb devices and i use (adb devices ) so i want to print connected devices into a text box
thanks
Click to expand...
Click to collapse
This is a pretty old thread to resurrect. I only saw your reply by chance.
I'm not an active member of this community anymore, just as with all tech-related things.
Those are rudimentary questions. If you're interested in programming, you should read up on some tutorials.
Everything you need to find the answers to those questions is written on MSDN.
Furthermore, the information provided in this thread is outdated. I recommend you check out @regaw_leinad's AndroidLib or my JDroidLib The documentation for both of these libraries can be found on my website.
Good luck with programming. Just don't read these tutorials and documentations and go from there.
Depending on which language you want to use, read the maintainer's website (e.g.: MSDN, or Oracle's JavaDoc) and read their tutorials. They'll teach you the basics, best practises, dos and donts, and more.
NOTE: I will not be providing support for this tutorial any longer. I have since moved on, and don't see any value in helping people make their lives more complicated than necessary. There are plenty libraries out there which allow you to do much more than I showed in this tutorial, and are easier for beginners, as they show you the best-practises of the language anyway.

How does WeChat store animated emojis (stickers)?

Hi,
I hope this is the right section for app-specific questions (if not, please move the thread)...
My wife recently got into that sticker/emoji-collecting-thing on WeChat (god knows why) and she would like to use the WeChat stickers on other messengers like Whatsapp (or have access to the image files in general). There are millions of tutorials how to make your own animated stickers for WeChat, but unfortunately there is zero information how to get them out of WeChat... Apparently everything is stored in the folder "Phone\tencent\MicroMsg\--some-md5-like-number--\emoji". Therein are subfolders like "com.tencent.xin.emoticon.NAME", I guess for each sticker creator, and the image files themselves have cryptic filenames like "fd0476f63c51690b88dd17d9be63af1c" without any extension. The good news is that PNGs and JPGs are saved "natively" - such files can be easily recognized by any image viewer via the header. However, animated stickers (typically discernible by the much larger file size) are apparently stored in a kind of proprietary format. It's not GIF or any image format I know of (or rather tried it with), it's also not a common compressed container, and the hex editor doesn't reveal anything useful, just densely packed gibberish...
Is there any kind of documentation on how WeChat stores animated images and how they can be converted back into something useful like GIF?

I was wondering this as well. I did the same digging as the OP, with one thing to add. I took a look at one of the said files – this one is 13Kb and about 1kb from the beginning there is a 648-byte xml rdf metadata tag. It shows that whatever this thing is, it was made with Photoshop. I took out the id's and hashes:
Code:
<rdf:Description rdf:about="" xmlns:xmpMM="http ://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http ://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http ://ns.adobe.com/xap/1.0/" xmpMM:eek:riginalDocumentID="xmp.did:…" xmpMM:DocumentID="xmp.did:…" xmpMM:InstanceID="xmp.iid:…" xmp:CreatorTool="Adobe Photoshop CC 2015 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:…" stRef:documentID="adobe:docid:photoshop:…"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

Looking for the same answer

It's been forever since this question was posted, but I still kinda want to know. I don't think anyone's figured out how. XD;;

Nope, I gave up and urged my wife to find a new hobby

Drats, the stickers are so adorable tho... iiOTL

The files are stored in the WXAM format (an in-house proprietary format). The most I found was this post detailing an exploit for WXGF (that's the name of the format), which includes POC code in Python (see zip at end of post) that encrypts a file to WXGF. In it, you can see the code calculating the encryption key - which, I imagine the way to decrypt them would be to do the opposite (obviously)
Python:
imei = '358035085174146'
key = hashlib.md5(imei).hexdigest()[0:16]
cipher = AES.new(key, AES.MODE_ECB)
result[0:1024] = cipher.encrypt(buffer[0:1024])
As for converting the unencrypted file - whether Android or Windows, it's contained in a dll or so file.
On Windows, the decompilation code can be found at
Code:
C:\Program Files (x86)\Tencent\WeChat\WXAMDecoder.dll
, while on Android it can be found at
Code:
libwechatcommon.so
Particularly on Android, the Java class located in
Code:
com.tencent.mm.plugin.gif.MMWXGFJNI
contains the java -> native implementation, with functions such as
Code:
nativePic2Wxam()
As for documenting the internal native code -> It's too much past my ability / time at the moment. Maybe this can be for someone for another day~ That being said, decryption isn't impossible as you saw above, related to IMEI and AES keys.
The particular function you were looking for was - sadly, using it would be a bit hard. But I imagine that you could take the so file, wire it up to an Android app with the same declarations here, and pass in the Wxam file in a byte[] array to get the result back -> You wouldn't have to know the internal code for that either, and since the type is byte[], we don't need to even reverse engineer the code to see what it supplied. Clearly it is a byte[] array of the files contents.
Code:
public static native byte[] nativeWxamToGif(byte[] bArr);
In fact, now that I think about it, I'd like to try it myself now and see what happens lol.
Edit: Yup, it works. I just decoded a few files. Working on decryption now. Sorry, I can't share it since I don't wanna get in trouble. But there's the information above ^^ If you can make Android apps and know enough, it's not hard

BBRecon said:
The files are stored in the WXAM format (an in-house proprietary format). The most I found was this post detailing an exploit for WXGF (that's the name of the format), which includes POC code in Python (see zip at end of post) that encrypts a file to WXGF. In it, you can see the code calculating the encryption key - which, I imagine the way to decrypt them would be to do the opposite (obviously)
Python:
imei = '358035085174146'
key = hashlib.md5(imei).hexdigest()[0:16]
cipher = AES.new(key, AES.MODE_ECB)
result[0:1024] = cipher.encrypt(buffer[0:1024])
As for converting the unencrypted file - whether Android or Windows, it's contained in a dll or so file.
On Windows, the decompilation code can be found at
Code:
C:\Program Files (x86)\Tencent\WeChat\WXAMDecoder.dll
, while on Android it can be found at
Code:
libwechatcommon.so
Particularly on Android, the Java class located in
Code:
com.tencent.mm.plugin.gif.MMWXGFJNI
contains the java -> native implementation, with functions such as
Code:
nativePic2Wxam()
As for documenting the internal native code -> It's too much past my ability / time at the moment. Maybe this can be for someone for another day~ That being said, decryption isn't impossible as you saw above, related to IMEI and AES keys.
The particular function you were looking for was - sadly, using it would be a bit hard. But I imagine that you could take the so file, wire it up to an Android app with the same declarations here, and pass in the Wxam file in a byte[] array to get the result back -> You wouldn't have to know the internal code for that either, and since the type is byte[], we don't need to even reverse engineer the code to see what it supplied. Clearly it is a byte[] array of the files contents.
Code:
public static native byte[] nativeWxamToGif(byte[] bArr);
In fact, now that I think about it, I'd like to try it myself now and see what happens lol.
Edit: Yup, it works. I just decoded a few files. Working on decryption now. Sorry, I can't share it since I don't wanna get in trouble. But there's the information above ^^ If you can make Android apps and know enough, it's not hard
Click to expand...
Click to collapse
I'm using nativeWxamToGif(), but I keep getting a return value of null. Do you know if it is still supposed to work? I tried the libwechatcommon.so in wechat versions 7 and 8 and still no luck.
My decryption code is almost the same as the encryption code. The only difference is that I strip off the trailing 0-pad and then reuse the imei-generated (using my own imei) key to decrypt.
Were you able to use nativePic2Wxam? The signature is too complex so it's too hard for me to guess what parameters to pass in.
Code:
private static native int nativePic2Wxam(String paramString1, String paramString2, int paramInt1, int paramInt2, int paramInt3, int paramInt4, int paramInt5);
Since I don't know how to use nativePic2Wxam, I'm just blindly trusting you that I should be able to decrypt one of the wxgf into wxam and then use nativeWxamToGif() to convert it to a gif. But I'm not sure why my gifs are always null.
I think I do have the libwechatcommon.so lib working because I am able to use other simple functions such as the following:
Code:
public static native int nativeRewindBuffer(long paramLong);
public static native int nativeUninit(long paramLong);
Does nativeWxamToGif() return null if the input byte array is invalid wxam or something?

Reverse Engineering Android Boot Process - Need Help

Tl;dr = I have studied the boot process. I understand the Qualcomm SOC boot process PBL > SBL/XBL > And so on. I am trying to get a disassembly of the SBL. I dumped the EMMC and can view all its partitions. Now I am stuck at the 80 bytes header containing the "Loading Address". I can't figure out where and how the processor jumps to this loading address.
Greetings XDA community. This post is more relevant to the developers and power users of android and people who work as embedded developers/security researchers/reverse engineers in general.
Background - I am deeply interested in OSDev and running my own code on the hardware I own. Just like I am building my own bootloader for my PC, I had also been wanting to study the android boot processs for quite some time. In the last few days I got to it and found that the whole low level ecosystem of Android, iOS and Smartphones is really toxic and full of proprietary stuff. But I am still determined to make my own bootloader for my smartphone even if it only displays the good old "Hello World" on that little black display. I am not concerned about bricking my few phones as they are pretty much useless to me now and can be used for RE purposes.
Some Useful Links - https://blog.quarkslab.com/analysis-of-qualcomm-secure-boot-chains.html , https://alephsecurity.com/2018/01/22/qualcomm-edl-1/ , https://lineageos.org/engineering/Qualcomm-Firmware/
Technicals - I copied the whole EMMC from my rooted phone (Xiaomi Mi4) and studied the boot process. So apparently the boot process goes something like PBL --> SBL --> And so on... I found the partition labelled SBL in the dump. I am trying to get code execution at the lowest level possible but it seems I might not be able to resurrect the phone easily if I mess with the SBL (as the phone might not even go into EDL mode then). So I am first considering taking control after the SBL (and before Aboot) with my own code (even if it includes some certificate/proprietary blobs from the manufacturer). But for this I have to understand what exactly the SBL is doing in my particular processor's case. So in the SBL partition is an 80 byte header (source : http://vm1.duckdns.org/Public/Qualcomm-Secure-Boot/Qualcomm-Secure-Boot.htm). This header contains a loading address for the processor. What I can't figure out is how the processor jumps to this address. The source mentions to "remove the header and then load the file in IDA Pro" but what file are they talking about (The EMMC dump? The partition? Something else?). How does the CPU use this loading address? In my particular phone the loading address is : 00 C0 00 F8 (
https://imgur.com/a/ngfFsj5
) Please shed some light on this issue.

Hello! As I understand it, we are talking about SBL images. I also tried decompiling the SBL in IDA Pro, but in my case I didn't remove the header and everything works fine. The SBL is taken from the Redmi Note 5A firmware update.
I hope this information helps you
Sorry for the first post, the Google Translate builtin to Chrome do it

vigilante_stark said:
How does the CPU use this loading address? In my particular phone the loading address is : 00 C0 00 F8
Click to expand...
Click to collapse
The load address should be a 64 bit address, so that's probably the slide address. The full load address should be something like 0xFFFFFFFFF800c000. Not a 100% sure but try it out.