[Guide][MOD] Hide unlocked Bootloader warning boot screen - LG V20 Guides, News, & Discussion
.
This fix is for those who want to get rid of the annoying Red Corruption warning screen!!.
Disclaimer: You apply the fix at your own risk. I'm not responsible for any software or hardware damage it can lead. The only thing i can assure is that i've tested fix on my lg v20 F800s with DirtySanta Bootloader unlocked, and it work just fine.
Disclaimer 2: I don't provide any technical support for my fix through PM. So, please don't write PM about other devices. I share what i'm doing for myself .. and have no intention to do it to devices i don't have.
The trick:
This fix is not really fixes the problem, but it just replace the warning with the lg logo. so the boot time still higher as it is.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
The raw_resources on our V20 is the equivalent partition to imgdata, but they use RLE images that has no header like BMP or JPEG, so we can't easily replace it like Nexus 5X ...
The trick that i use is changing the addresses of the warning images with the one of lg logo by patching raw_resources.bin file with Hex Workshop.
Here is a short description of steps to follow if you want to do the same for other devices:
1. download the KDZ firmware of your device.
2. extract the raw_resources.bin from it.
3. download and install Hex Workshop
3. open the raw_resources.bin with Hex Workshop
4. find the addresse of "lglogo_image" and copy it. (see the example image below)
5. find the 2 addresses of "verifiedboot_red_01" and "verifiedboot_red_02" and replace with the adrresse of "lglogo_image". ( respect the exact place!)
6. save your changes
7. put the raw_resources.bin incide the flash zip (you can use my attached flash zip).
8. flash the zip with TWRP.
9. reboot your device.
Attached: flash zip for my f800s OREO firmware
It looks like my 100$ refurbished ls997 has a f800s motherboard.
4shared said:
.
This fix is for those who want to get rid of the annoying Red Corruption warning screen!!.
Disclaimer: You apply the fix at your own risk. I'm not responsible for any software or hardware damage it can lead. The only thing i can assure is that i've tested fix on my lg v20 ls997 with DirtySanta Bootloader unlocked, and it work just fine.
Disclaimer 2: I don't provide any technical support for my fix through PM. So, please don't write PM about other devices. I share what i'm doing for myself .. and have no intention to do it to devices i don't have.
The trick:
This fix is not really fixes the problem, but it just replace the warning with the lg logo. so the boot time still higher as it is.
The raw_resources on our V20 is the equivalent partition to imgdata, but they use RLE images that has no header like BMP or JPEG, so we can't easily replace it like Nexus 5X ...
The trick that i use is changing the addresses of the warning images with the one of lg logo by patching raw_resources.bin file with Hex Workshop.
Here is a short description of steps to follow if you want to do the same for other devices:
1. download the KDZ firmware of your device.
2. extract the raw_resources.bin from it.
3. download and install Hex Workshop
3. open the raw_resources.bin with Hex Workshop
4. find the addresse of "lglogo_image" and copy it. (see the example image below)
5. find the 2 addresses of "verifiedboot_red_01" and "verifiedboot_red_02" and replace with the adrresse of "lglogo_image". ( respect the exact place!)
6. save your changes
7. put the raw_resources.bin incide the flash zip (you can use my attached flash zip).
8. flash the zip with TWRP.
9. reboot your device.
Attached: flash zip for my ls997 OREO firmware
Click to expand...
Click to collapse
Works on my H918 it does the warning but only in green text then shows lg logo
Speed gain ???
can we freely remove lines frome this file or the file size is important to the device to boot correctly, i guess by removing those lines we can disable this verification of aboot partition and gain a big boot speed ???
How are you on an Oreo firmware with a rooted ls997 when there are no roms that are Oreo for this model? Just wondering. I am stuck on Nougat and your rooted Oreo ls997 confuses me lol
Thanks @4shared for his great work.
Using his instructions I've patched the image for H990DS and F800K so far.
You can find the flashable zips here:
https://forum.xda-developers.com/v20/development/rom-h990ds-oreo-flashable-t3853735/post78503108
lingo2012 said:
Works on my H918 it does the warning but only in green text then shows lg logo
Click to expand...
Click to collapse
you can upload the flasheable zip? please
@4shared do you plan to share your Oreo rom for LS997?
He hasnt responded since he posted this.
Made one for the at&t H910 oreo not sure if it will work on nougat though. Works great on my H910 running alpha omega oreo. https://mega.nz/#!okADVKoB!N1W6kbYMbpXZpjuEgO1vIuELI_EV5ivUwQoM8gQM7_g
Thank you everyone,
I am glad that's my post is useful for someone .
--------------------
For rooting oreo I used a f800l kdz by using this method: Post
Again DO IT AT YOUR OWN RISK
-------------------
Currently i'm trying to port the H-ROM G7 PORT from g5 ...yes it boots but still not stable, still filled with BUGS
Edit:
Sorry guys, it looks like my 100$ refurbished ls997 has a f800s motherboard
4shared said:
Thank you everyone,
I am glad that's my post is useful for someone .
--------------------
For rooting oreo I used a f800l kdz by using this method: Post
Again DO IT AT YOUR OWN RISK
-------------------
Currently i'm trying to port the H-ROM G7 PORT from g5 ...yes it boots but still not stable, still filled with BUGS
Edit:
Sorry guys, it looks like my 100$ refurbished ls997 has a f800s motherboard
Click to expand...
Click to collapse
Was wondering how. Would have been epyk if on the real.
4shared said:
.
This fix is for those who want to get rid of the annoying Red Corruption warning screen!!.
Disclaimer: You apply the fix at your own risk. I'm not responsible for any software or hardware damage it can lead. The only thing i can assure is that i've tested fix on my lg v20 F800s with DirtySanta Bootloader unlocked, and it work just fine.
Disclaimer 2: I don't provide any technical support for my fix through PM. So, please don't write PM about other devices. I share what i'm doing for myself .. and have no intention to do it to devices i don't have.
The trick:
This fix is not really fixes the problem, but it just replace the warning with the lg logo. so the boot time still higher as it is.
View attachment 4667087
The raw_resources on our V20 is the equivalent partition to imgdata, but they use RLE images that has no header like BMP or JPEG, so we can't easily replace it like Nexus 5X ...
The trick that i use is changing the addresses of the warning images with the one of lg logo by patching raw_resources.bin file with Hex Workshop.
Here is a short description of steps to follow if you want to do the same for other devices:
1. download the KDZ firmware of your device.
2. extract the raw_resources.bin from it.
3. download and install Hex Workshop
3. open the raw_resources.bin with Hex Workshop
4. find the addresse of "lglogo_image" and copy it. (see the example image below)
5. find the 2 addresses of "verifiedboot_red_01" and "verifiedboot_red_02" and replace with the adrresse of "lglogo_image". ( respect the exact place!)
6. save your changes
7. put the raw_resources.bin incide the flash zip (you can use my attached flash zip).
8. flash the zip with TWRP.
9. reboot your device.
View attachment 4667088
Attached: flash zip for my f800s OREO firmware
It looks like my 100$ refurbished ls997 has a f800s motherboard.
Click to expand...
Click to collapse
Cold be useful https://github.com/ehem/lgetools/wiki/LG-V10
You've got an interesting experiment here. Problem is with things at this stage I see too much potential for malicious mischief, and insufficient gain to assist right now.
At the start of raw_resources is the string "BOOT_IMAGE_RLE". Almost certainly "RLE" stands for run-length encoding. Problem is, as mentioned in the Wikipedia article, there is lots of variation in what is called run-length encoding. If we could at least identify the start and end of some of the images we could think about doing something interesting.
The table of contents starts at 0x1000 (4KB or the second block). The end of the table is likely either indicated by the null entry or assumed to end at 0x2000 (8KB or the third block). In a handy example the longest entry title I found was "system_recovery_factoryreset_image" as this is 34 bytes, this means at least 36 bytes are reserved for the string, though 40 is more likely (there may be a requirement to have a null byte terminator) and there could be 28 bytes of data though 24 is a bit more likely.
24 bytes is a noticeable amount of data. That could be 6 32-bit numbers, or 3 64-bit numbers. At a minimum there would need to be a starting index, and either an end or a length. For "lglogo_image" I notice the first 4 bytes are "0x00 0x20 0x00 0x00". If this is little-endian (common for i386, AMD64 or ARM), then this would be "0x00002000" which looks suspiciously like the starting offset of the image data.
The issue then is what the other 20 bytes are? One of them is either an end offset or a length (note: a length might be encoded as a frame-count). One of them might well be a delay, in which case setting that one to zero would speed startup.
At offset 0x2000 of a handy raw_resources file the data starts with a few repeats of "0xFF 00 00 00". The byte sequence "0x00 00 00" could well be an encoding of black, in which case the 0xFF could be a count of 255 or 256 pixels. Looking through the file, I see a number of "0x01 xx xx xx" sequences, but no "0x00 xx xx xx" sequences. In which case it isn't likely that 1 is being added to the count, and those are 255 black pixels.
That is what I can come up with from looking at an example without spending a bunch more time analyzing the data. Alas I've got 15 things which need me to spend time on them. I'm curious as to what kind of startup animations are going to show up...
Okay, bit more analysis since I've actually kind of been wanting to be able to modify raw_resources (having my name/image on phone start would be kind of neat).
The initial header appears to have 5 fields:
Code:
struct rrheader {
char magic[16]="BOOT_IMAGE_RLE\x00\x00";
uint32_t entrycount;
uint32_t unknown;
char devicename[16];
uint32_t dataend;
};
The magic string is simply an identifier. Clearly suggestive of run-length encoding. The entrycount is the number of images stored in raw_resources. The unknown is a value which I don't know the meaning of, could instead be a pair of 16-bit numbers, but I suspect a single 32-bit little-endian is more likely. The devicename is something like "elsa_global_com". dataend identifies the complete length of all the data in raw_resources.
At offset 0x1000 (think LBA 1) the image headers start. The format is:
Code:
struct imageheader {
char name[40];
uint32_t dataoffset;
uint32_t expect;
uint32_t width;
uint32_t height;
char unknown[8];
}
Name is effectively a filename, such as "lglogo_image" or "verifiedboot_red_01". I'm pretty sure this string is what the code is searching for when trying to display an image. dataoffset is a byte offset from the begining of raw_resources. expect is a count of RLE entries worth of data, as such LGE/Qualcomm's software would multiply this by 4 and read that many bytes.
width and height are pretty obvious. The size of the image. I suspect the unknown is a pair of 4-byte integers, but I'm unsure of this. Presently I've got no idea of what it does. I'd love to have someone try modifying this value and see what it does.
5 images take roughly 250KB of space each: lglogo_image, verifiedboot_orange_01, verifiedboot_orange_02, verifiedboot_red_01, and verifiedboot_red_02. If you wanted to save space in raw_resources, you might merge verifiedboot_orange_01 with verifiedboot_orange_02, and similar for verifiedboot_red_0[12]. A number of the other images are also pairs which differ only by the unknown field, these pairs could be merged by setting their dataoffset values to the same value, thus freeing up more space.
My analysis in the previous post was on the money. The format is really dumb RLE. This is simple to encode, but doesn't offer very good compression ratios. These entries are 4-bytes long (expect counts these entries, not individual bytes). The first byte is a number value indicating a number of repeats, a 1 will result in 1 pixel of the color indicated by the next 3 bytes, a 2 will result in 2 pixels of the color, etc. The value 0 might well be untested, but it might cause 0 pixels of that color, 256 pixels of that color, 65536 pixels of that color, or perhaps a software crash.
The raw_resources sample I found had the color data in the order blue-green-red.
I'm attaching a simple Python 3 script which will decode a raw_resources image. Each portion will be dumped into a file matching the name in the image header. The format is "PPM" which is horribly inefficient, but easy to generate and modify by hand. Figure lglogo_image.ppm is 14MB for a 760x1544 image. The unknown in the image header will be emitted near the top of the PPM file (PPM is a text format, you can look at the raw data in a text editor). The data from the overall header including the raw unknown value will be emitted in a ".notes" text file matching the filename of the raw_resources image file.
Have fun with the knowledge.
Props to @4shared for the finding attached here you can find same fix for LS997 Sprint ZV7 Nougat. (warning image strings replaced with quick_lglogo_image)
Thanks.I have tried this on my vs995 and it works great. It should be OK on us996 because my raw img is from a us996 kdz
emdroidle said:
You've got an interesting experiment here. Problem is with things at this stage I see too much potential for malicious mischief, and insufficient gain to assist right now.
Click to expand...
Click to collapse
I'm still rather concerned about the potential to hide that the phone has been rooted/modified and then being sold as unmodified. I am though interested in the capability to replace the startup image with my own.
I suspect the unknown in the main raw_resources header may be some sort of version code. Alternatively it could be some magic values. Elsewhere I found a thread with a G4 raw_resources image. The first byte was 0x02, while the layout of the file pointed towards a 2KB block size. Add 9 and it could be interpreted as a shift value for the block size (2+9=11; 1<<11=2048), for the V20 that byte is 0x03 so 3+9=12, 1<<12=4096.
More of the image entry fields filled in:
Code:
struct imageheader {
char name[40];
uint32_t dataoffset;
uint32_t expect;
uint32_t width;
uint32_t height;
uint32_t unknown;
uint32_t screenoffset;
}
I'm quite sure "screenoffset" is a count of lines down from the top of screen specifying where the image should be placed. For the LG logo image in one version of raw_resources the value is decimal 160, which is specifying to place the image at the top of the main screen area and skipping the "second screen" (this is a crucial insight when interpretting the value).
I'm still unsure what the unknown is. I'll hazard a guess that it is some sort of flag value. The verified boot orange and red files have this set to 0x0064. The NT_TYPE_* files have 0x00E1. The most common value is 0x0000.
One other puzzle is left, how is the background color set? Several strategies come to mind. Reading a pixel in one of the corners and using that as background color is one. Another is to copy the whole border pattern outwards so everything ends up matching the border (this would explain why almost every image has at least 1 entire pixel of border).
I'm pretty sure the image rendering procedure is start on line $screenoffset, and dump the image into the center of the screen.
A fair bit of what I've seen in the data is rather odd. I'm left wondering whether LGE's tools for working with raw_resources are very primative, buggy or something else. Perhaps it is mostly being done by hand given some of the inconsistency. Is there a genuine need for borders (often wide) on all the images?
All the images start at multiples of 0x1000 (4096). This could be required by limitations of the bootloader environment, alternatively this could be LGE Engineering hasn't had time to correct this limitation. I'm a bit concerned violating this could have the potential to crash the bootloader...
There are a number of ways to free a great deal of space in raw_resources. Of note while they have different screenoffset values, the pair factory_reset_no_???_image and factory_reset_yes_???_image have identical payload data. Point them to the same address in raw_resources and you would free some space there. I also see how the factory_reset_???_line_image files could be merged, at which point the space used by factory_reset_1st_line_image could be freed. I don't know about some, but the battery_insert_nt_module_image is clearly for the G5 and not the V20 (reusing resources is one of the ways you save on your Engineering budget). Shrinking the large borders off various images would also save quite a bit of space.
I am interested in trying to produce my own version of raw_resources. Due to the ethics concern mentioned above, anything done by me will show overt indications of being in orange/red boot state.
I'm attaching an updated version of rrdecode I've been working on as part of the process of analyzing raw_resources. This includes 2 variants. The PPM variant outputs NetPBM format files, I'm a bit worried viewers for this format may be rare, but if you've got one it can be a handy format. The PNG variant will output PNG files once the Python Imaging Library is installed. This is a much more commonly used format so there are zillions of viewers out there.
MD5: 8616b271853fa974fec7f1d3ea838da6
SHA1: 78ebf2bb028d18bb571db92dc8af3d0bdd622bc0
SHA512: 07845b06d8cb9ab9be2de2caf380cae96772b81613e1dbd79e20f979c94c74ff96af33e1c41869226bbc54cf740354862c58bfd54cc4947c2ec4425641fa15da
does anyone have a description of how to repack the raw_resources.bin again
emdroidle said:
I'm still rather concerned about the potential to hide that the phone has been rooted/modified and then being sold as unmodified. I am though interested in the capability to replace the startup image with my own.
I suspect the unknown in the main raw_resources header may be some sort of version code. Alternatively it could be some magic values. Elsewhere I found a thread with a G4 raw_resources image. The first byte was 0x02, while the layout of the file pointed towards a 2KB block size. Add 9 and it could be interpreted as a shift value for the block size (2+9=11; 1<<11=2048), for the V20 that byte is 0x03 so 3+9=12, 1<<12=4096.
More of the image entry fields filled in:
Code:
struct imageheader {
char name[40];
uint32_t dataoffset;
uint32_t expect;
uint32_t width;
uint32_t height;
uint32_t unknown;
uint32_t screenoffset;
}
I'm quite sure "screenoffset" is a count of lines down from the top of screen specifying where the image should be placed. For the LG logo image in one version of raw_resources the value is decimal 160, which is specifying to place the image at the top of the main screen area and skipping the "second screen" (this is a crucial insight when interpretting the value).
I'm still unsure what the unknown is. I'll hazard a guess that it is some sort of flag value. The verified boot orange and red files have this set to 0x0064. The NT_TYPE_* files have 0x00E1. The most common value is 0x0000.
One other puzzle is left, how is the background color set? Several strategies come to mind. Reading a pixel in one of the corners and using that as background color is one. Another is to copy the whole border pattern outwards so everything ends up matching the border (this would explain why almost every image has at least 1 entire pixel of border).
I'm pretty sure the image rendering procedure is start on line $screenoffset, and dump the image into the center of the screen.
A fair bit of what I've seen in the data is rather odd. I'm left wondering whether LGE's tools for working with raw_resources are very primative, buggy or something else. Perhaps it is mostly being done by hand given some of the inconsistency. Is there a genuine need for borders (often wide) on all the images?
All the images start at multiples of 0x1000 (4096). This could be required by limitations of the bootloader environment, alternatively this could be LGE Engineering hasn't had time to correct this limitation. I'm a bit concerned violating this could have the potential to crash the bootloader...
There are a number of ways to free a great deal of space in raw_resources. Of note while they have different screenoffset values, the pair factory_reset_no_???_image and factory_reset_yes_???_image have identical payload data. Point them to the same address in raw_resources and you would free some space there. I also see how the factory_reset_???_line_image files could be merged, at which point the space used by factory_reset_1st_line_image could be freed. I don't know about some, but the battery_insert_nt_module_image is clearly for the G5 and not the V20 (reusing resources is one of the ways you save on your Engineering budget). Shrinking the large borders off various images would also save quite a bit of space.
I am interested in trying to produce my own version of raw_resources. Due to the ethics concern mentioned above, anything done by me will show overt indications of being in orange/red boot state.
I'm attaching an updated version of rrdecode I've been working on as part of the process of analyzing raw_resources. This includes 2 variants. The PPM variant outputs NetPBM format files, I'm a bit worried viewers for this format may be rare, but if you've got one it can be a handy format. The PNG variant will output PNG files once the Python Imaging Library is installed. This is a much more commonly used format so there are zillions of viewers out there.
MD5: 8616b271853fa974fec7f1d3ea838da6
SHA1: 78ebf2bb028d18bb571db92dc8af3d0bdd622bc0
SHA512: 07845b06d8cb9ab9be2de2caf380cae96772b81613e1dbd79e20f979c94c74ff96af33e1c41869226bbc54cf740354862c58bfd54cc4947c2ec4425641fa15da
Click to expand...
Click to collapse
Anything new? Did you manage to change the picture?
Also... I wonder if the crash possibility you're speaking about could lead to something more useful...
sexmaschine said:
does anyone have a description of how to repack the raw_resources.bin again
Click to expand...
Click to collapse
i didn't have to repack it after modifying it with a hex editor. i just modified an installation zip to install it.
Related
[DEV][M10] Decompiling M10 (Sense) images
The problem Since HTC introduced Sense 3.5, themers faced a huge problem. The previously used software "M10Tools" wouldn't work with the new version of Sense. Flemmard and me tried countless hours decoding the new image format, but without any success. The new image format is totally diferent to anything else previously seen. I made this thread to search for help from all the awesome devs on XDA, hoping that we might find one who can help. The history Let me start this with some introduction to the m10 format itself. The images I am talking about are parts of one big file - the m10 file. We usually have multiple images per m10 file, but the number doesn't really matter. Together with the raw image data we get a set of meta information. We are not exactly sure what the values mean, but we can guess the meaning from the history of the old, decodable images. We used to have information like width, height, payload of the image and an integer indicating what kind of image type we have. We know the actual image type for a few of these intergers, but with Sense 3.5, 3.6 and 4.0 HTC added at least two new types. The facts We don't have any hard facts for these image types but looking at the "old" image types, we can guess a few things: The images are in a format the GPU can render directly (Like s3tc, ATC, QTC, etc) (At least this used to be the case, might have changed) Images are most likely compressed. The ratio between assumed size (based on meta data) and the actual data size indicates some heavy compression. The data itself obviously looks compressed too. There are no headers or any other help. It is just raw data. We don't know exactly how the decoded images actually look like, so we can't say what the images display. However, due to latest archievements we "might" know this for images from Sense 3.5 and 3.6 if needed. The handling software side is all in a few libs and NOT in smali / java, so we can't look for stuff there, however we have the libs, so if someone is pro with assembler he might find out something I will provide a download which contains several chunks of image data and the according meta data. If you consider working on this, please do not refrain from thinking about super simple solutions, we worked so long on this that we might be totally confused. One thing though, this might sound arrogant, but this here really is only for people who have some decent knowledge about file formats, image compression or OpenGL. The image types Here is a list of image type we already know ( remember, we don't know where the numbers come from, might be some enum in native code or so) Type 4: Raw RGB Type 6: Raw RGBA (still used rather often) Type 8: ATC RGB (doesn't seem to be used at all anymore) Type 9: ATC RGBA Explicit (doesn't seem to be used at all anymore) As you can see we got types WITH and WITHOUT alpha encoding. Here is the list of UNKNOWN formats: Type 13 (used way less than type 14, so maybe no alpha?) Type 14 (this is the most used type, so I assume this one supports alpha encoding) When thinking about what the data might be, don't throw away crazy ideas like "The data is S3TC /ATC /whatever but compressed again by some 'normal' compression algorithm". Maybe they just replaced type 8 and 9 with an additional compression on top of these types. The meta data Okay, so now lets talk about the meta data we get together with the actual data: We get 4 more or less known chunks of information per image (plus a few unknown things) Image type (described earlier) (Example: 6) Image width (Example: 98) Image height (Example: 78) A more complex value containing multiple values at once. Example: "98:78:0:30576" We used to know the meaning of three of these values. However we are not sure for the new images. Lets explain the old meaning first: 98: Width, same value as the value above 78: Height, same value as the value above 0: It's always 0, we have no idea what it means, but since it's static we didn't care 30576: this used to be the data size. This image has a resolution of 98*78 = 7644 pixels. With a data size of 30576 that means we got 4bytes per pixel. Lets take a look at the new images now. We still get the same information, however the meaning seems to have changed a bit: Image type (described earlier) (Example: 14) Image width (Example: 997) Image height (Example: 235) A more complex value containing multiple values at once. Example: "1000:236:0:118000" This is the assumed new meaning 1000: Width, but rounded up to a multiple of 4 236: Height, but rounded up to a multiple of 4 0: It's always 0, we have no idea what it means, but since it's static we didn't care 118000: this value is now exactly half of the rounded resolution (1000 * 236 / 2 = 118000) This would mean only half a byte per pixel. One big problem here: the actual data size does not match this value at all! The data is way smaller than this value, which indicates that it got compressed a second time Now lets talk about some very important piece of information: HTC uses the SAME image formats on BOTH a Tegra 3 and a Qualcomm Snapdragon S4. This obviously means that both Tegra and Snapdragon need to be able to handle this. However, also keep in mind that HTC bought S3 graphics and thefore might got some advantages here. You can find a statistic on the used formats in the download, it's an Excel sheet with two diagrams showing the usage. Now this was a long post, I hope someone is still reading this and might have some ideas about what's going on here. Feel free to ask any questions concerning this. I am also available in #virtuousrom on Freenode, per PM here or via email: diamondback [at] virtuousrom [dot] com Download: The download contains a bunch of unknown images of types 13 and 14 together with their meta data (like explained above) Download image pack
Solution After some digging I estimated that the data is compressed with fastlz [0]. Also so if you decompress it, you get exactly Width*Height bytes of data. I dont know the format this data is in, but i guess its the same the uncompressed data (type 8 or 9 or so?) was. Maybe someone could check up on that. [0] http://fastlz.org/
onlyolli said: After some digging I estimated that the data is compressed with fastlz [0]. Also so if you decompress it, you get exactly Width*Height bytes of data. I dont know the format this data is in, but i guess its the same the uncompressed data (type 8 or 9 or so?) was. Maybe someone could check up on that. [0] http://fastlz.org/ Click to expand... Click to collapse You are indeed right. We actually found the same a few hours ago What a weird conincidence... :victory: Type 4 and 6 are changed, they are zipped now too. Which actually breaks backwards compatibility with older Sense versions... Inside of the zipped data are ETC images, which also explains how they can use the same on S4 and Tegra 3. The type 14 actually contains TWO images, both ETC. Since ETC doesn't support alpha one is the image and one is an alpha mask... Funny trick HTC!
Zune Backup Format
Pre-thought: Zune Backups are located C:\Users\???\AppData\Local\Microsoft\Windows Phone Update\ The Zune Backup format seems to be following (under PhoneGUID\RestorePoint\BackupInstanceGUID\Data): Each Data.X.dat.hash is a SHA-1 hash of Data.X.dat, and the Manifest.xml.hash is as well of Manifest.xml. I believe the entire contents of the files are AES encrypted and they certainly contain RUU IMGFS SLDR etc. At least we have a starting point. I'm doing to take all .DATs combine them and tinker with maybe trying to find a working filesystem out of it. Feel free to comment, constructively and without criticism. I wouldn't recommend copy /b *.dat dump.bin as that would 'accidently' combine say Data.1148.dat, Data.1149.dat, Data.115.dat, Data.1150.dat OUT OF ORDER. I'd rather write a small script to rename files prepending them all to 0000-padding. (Programmers will know) *Edit* A quickie script grabbed online (slight mod) <?php error_reporting(-1); //What? Quick CLI-tool to rename the file extensions of multiple files (in working directory) matching the pattern. //Author? ZuZi //Date? 2013/02/14 //Revised for quick scripting by Yuji Saeki if($argv[1] && $argv[2]){ foreach (glob("*.$argv[1]") as $filename) { $newfilename = explode(".", $filename); $newfilename = $newfilename[0] . "." . str_pad($newfilename[1], 4, "0", STR_PAD_LEFT) . "." . $newfilename[2]; echo ("Renaming $filename to $newfilename\n"); rename("$filename", "$newfilename"); } }else usage: *.dat DumpName\n\n"); ?> Then you can copy /b *.dat Dump.bin for example. *Edit* Offset 0x00000000 word points to encryption type (ChainingMode) while adding 0x10 will point to encryption algorithm SHA1. Trying to work out AES block right now, and of course other bytes in that 'header' block (0). Maybe if someone who has an unlocked phone (waiting for goldcard tools to arrive) can look at filesystem driver for WP? If anyone wants to do anything I'd recommend starting with a very fresh phone, smaller backups around 500MB and below then. My current backup is about 7GB. >_>; Well lucky me for 32GB DDR3 2,400 eh? *Edit* Haven't determined much anything else but I did notice one thing. Hard Reset to immediate backup with no modification, twice, dumps differed significantly in content, I believe a salt or password used in the encryption algorithms is generated on an install basis. If anyone can reverse engineer UpdateWS(?) or whatever it is that sends backups to PC from Phone we might could figure out how it determines a password.
[Tut] Android one-click utils in VB.Net
Hello guys, I know there are multiple guides like this one on the forums, but I guessed: Why should one just have tutorials in Batch and C#? I can program in VB, why not share it? First: This guide will contain some code out of my own program (Universal Android Toolkit) but only the free stuff So, I guess I'll start off. Prerequisites:What will you need? Microsoft Visual Studio (2008, 2010 or 2012) for Windows Desktop. I'll provide links. A computer with at least 1GB RAM, a P4 @ 2.8GHz, 128MB Graphics chip/card, some basic knowledge of ADB commands (You'll learn them here, I guess...) A cup of coffee or whatever your favorite warm beverage is. Oh, and some decent music would be good. Setting things up:As I've already done this a while back, I cannot provide screenshots, but I'll do my best to explain things. First, download Visual Studio 2012 for Windows Desktop and open the installer. It should look somewhat like this, just with a big 'START' button at the bottom. { "lightbox_close": "Close", "lightbox_next": "Next", "lightbox_previous": "Previous", "lightbox_error": "The requested content cannot be loaded. Please try again later.", "lightbox_start_slideshow": "Start slideshow", "lightbox_stop_slideshow": "Stop slideshow", "lightbox_full_screen": "Full screen", "lightbox_thumbnails": "Thumbnails", "lightbox_download": "Download", "lightbox_share": "Share", "lightbox_zoom": "Zoom", "lightbox_new_window": "New window", "lightbox_toggle_sidebar": "Toggle sidebar" } Once you have installed that, it is advisory, that you download the .Net framework 3.5, 4.0 and 4.5 .Net 3.5 (Includes 2.0, 3.0 and 3.5 SP1 .Net 4.0 .Net 4.5 Once you have installed those, you should bookmark this page and restart your computer. Then, move to the next step. Creating a New Project:Open up Visual Studio. You will be welcomed by a screen, which looks somewhat like this: Click on 'New Project...' You will then see this type of screen: Select 'Windows Forms Application' and give it a name. You may name it whatever you want. You can also change the location it should be stored in. I'll change the name to Android One-Click Tutorial and I'll leave the default location as it is. Once you have done that, hit OK and wait for the project to load up. One-Click, Here we Come!: Once the project has loaded, you will see a screen like this (Depending on which version of VS you are using..) You may name the form however you want. I'll name it the same as the project. Once you have given it a name, you'll want to resize the form to the desired size and give it an icon. Please excuse the weird highlights, I'm using my old laptop, because my computer broke and my mouse died with it. Then debug the program, to make sure it is how you want it to be. If it's OK for you, then let's get to downloading all the ADB-Stuff. Download the ADT bundle from here and then download the platform-tools. You might want another cup of coffee for this. Sadly, I can't drink anything warm or with caffeine, because I had an operation to my mouth yesterday (Friday the 07th of June 2013) so feel free to drink one on me Once it is done downloading, extract the archive to your computer. I'll just put it in my Documents folder. Once everything is extracted, move to the sdk\platform-tools folder. Make sure that the files 'adb.exe', 'AdbWinApi.dll', 'AdbWinUsbApi.dll' and 'fastboot.exe' are present. If they are, go back to Visual Studio and go to the properties of the project (Project ->> <Project Name> properties) and move to 'Resources'. Change the resource type from Strings to Files. Then, add the four files from above to the resources. Once all that is done, we can start coding. So go ahead and double-click on the form, so that the code file shows up. It'll look like this: Type in the following over Public Class Form1: Code: Imports System.IO Imports System.Threading Imports System.Windows.Forms.DialogResult Now, as this program is supposedly going to be used by others, probably people without knowledge of coding, and therefore people without ADB, etc., we want the program to look for our files and copy them if necessary. We want to do this right at the beginning of the program, so we'll do it the Form1 Load Event. Type the following code: Code: If Not Directory.Exists("ADB") Then Directory.CreateDirectory("ADB") Else If Not File.Exists("ADB\adb.exe") Then File.WriteAllBytes("ADB\adb.exe", My.Resources.adb) End If If Not File.Exists("ADB\AdbWinApi.dll") Then File.WriteAllBytes("ADB\AdbWinApi.dll", My.Resources.AdbWinApi) End If If Not File.Exists("ADB\AdbWinUsbApi.dll") Then File.WriteAllBytes("ADB\AdbWinUsbApi.dll", My.Resources.AdbWinUsbApi) End If If Not File.Exists("ADB\fastboot.exe") Then File.WriteAllBytes("ADB\fastboot.exe", My.Resources.fastboot) End If End If The code folder should now look something like this: Ok. So now debug the program and check in the project's \bin folder for a folder named ADB and check if all the files were created accordingly. If your folder looks like mine: You've done a great job! So you can already give yourself a pat on the back! Now, to move on to the next step: Adding Buttons and Commands: Move back to the designer and add a few buttons like I've done. The buttons I've created will: Back up the device Restore the device Install an app Push a file Now, we want to create four more forms. One for the backup, one for the restore, one for the install app and one for pushing a file. Hit CTRL+SHIFT+A to add new items. You can name the forms however you want. I created some with pretty self-explaining names: Now, double-click on each button in Form1 to create a new code block in the code file. Once you have done that, copy the following codes into each code block. Button1_Click Code: Backup.Show() Me.Hide() Button2_Click Code: Restore.Show() Me.Hide() Button3_Click Code: Install.Show() Me.Hide() Button4_Click Code: Push.Show() Me.Hide() Now open up the Backup form. We'll start here. You can close the Form1-files. Start designing the form as you wish. Here's how I've done it: If you're using the same design as me, you might want to use the same code. NOTE: I rarely use the .Net components in the Toolbox. Only for static operations. For things like dialog boxes, I use pure code. This is working code. I have debugged and tested! Code: Imports System.IO Public Class Backup Private Sub Backup_Load(sender As Object, e As EventArgs) Handles MyBase.Load TextBox2.Text = "Backup_From_" & Date.Now.ToShortTimeString If Not Directory.Exists(TextBox1.Text) Then Directory.CreateDirectory(TextBox1.Text) End If End Sub Private Sub Backup_FormClosing(sender As Object, e As EventArgs) Handles MyBase.FormClosing Form1.Show() End Sub Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click Dim FolderBrowse As New FolderBrowserDialog FolderBrowse.Description = "Select the destination of where you wish your backup to be saved to." _ & "Note: Please do not choose locations with spaces in the directories. These may cause errors!" FolderBrowse.ShowNewFolderButton = True Dim DialogRes As DialogResult = FolderBrowse.ShowDialog If DialogRes = Windows.Forms.DialogResult.OK Then TextBox1.Text = FolderBrowse.SelectedPath End If End Sub Private Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click Shell("""ADB\adb.exe"" backup -f" & TextBox1.Text & "\" & TextBox2.Text & "-apk -system -full -all", AppWinStyle.NormalFocus, True, 30000) End Sub End Class Once you have that done, move to the next form. This, in my case, is Restore. To keep the thread clear, I'll carry on in post #2.
Ok, now let's get on with Restore. Open up the file, and again, design it as you want. If you're using the same design as me, it is advisory, that you use the same code. Here is the code I used: Code: Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click Dim OpenFile As New OpenFileDialog OpenFile.InitialDirectory = My.Computer.FileSystem.SpecialDirectories.Desktop OpenFile.Multiselect = False OpenFile.Filter = "AB (Android Backups)|*.ab" OpenFile.SupportMultiDottedExtensions = False OpenFile.Title = "Select the Android Backup (*.ab) file to restore your device from..." Dim DialogRes As DialogResult = OpenFile.ShowDialog() If DialogRes = Windows.Forms.DialogResult.OK Then TextBox1.Text = OpenFile.FileName End If End Sub Private Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click Shell("""ADB\adb.exe"" restore " & TextBox1.Text, AppWinStyle.NormalFocus, True, 30000) End Sub Private Sub Restore_FormClosing(sender As Object, e As EventArgs) Handles MyBase.FormClosing Form1.Show() End Sub And now we're ready to move to the third form. As usual; if you're using the same design as me, you'll want to use the same code as me. I'd like to note: I'll explain all the code in post #3. The third form (Install an App) will be a bit different than the others. Here, we'll give the user the opportunity to select an entire folder which contains .apk files and then with a mouse-click, the app will install the desired APK. Note the ListBox, That is where all the APKs will be listed. (Hence the name 'ListBox'.) I have pulled some APKs from my phone and have put them in a folder (C:\APKs). We will use this folder to list all the available APKs in the listbox. But before we do that, here is the code for the form. Again, nothing is imported here. Code: Private Sub Install_FormClosing(sender As Object, e As EventArgs) Handles MyBase.FormClosing Form1.Show() End Sub Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click Dim FolderBrowse As New FolderBrowserDialog FolderBrowse.Description = "Select the folder containing your APK files." FolderBrowse.RootFolder = Environment.SpecialFolder.DesktopDirectory FolderBrowse.ShowNewFolderButton = False Dim DialogRes As DialogResult = FolderBrowse.ShowDialog() If DialogRes = Windows.Forms.DialogResult.OK Then For Each Item As String In My.Computer.FileSystem.GetFiles(FolderBrowse.SelectedPath) ListBox1.Items.Add(Item) Next End If End Sub Private Sub ListBox1_SelectedIndexChanged(sender As Object, e As EventArgs) Handles ListBox1.SelectedIndexChanged Shell("""ADB\adb.exe"" install " & ListBox1.SelectedItem.ToString, AppWinStyle.NormalFocus, True, 30000) End Sub And here are some pictures of the code in action: FolderBrowserDialog (FolderBrowse): The list of apps (ListBox): Ok. We're almost done with our One-Click utility! We've only got one more form and we'll do that in a dash! Then I'll get to explaining what everything means. Though most of it is pretty much self-explanatory, I'd rather go over it. Move on to the last form, and the same rules apply. This form will be using the same method as the Install form - Using a ListBox to display files. Here is the code: Code: Private Sub Push_FormClosing(sender As Object, e As EventArgs) Handles MyBase.FormClosing Form1.Show() End Sub Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click Dim FolderBrowse As New FolderBrowserDialog FolderBrowse.Description = "Select the folder containing the file/s you want to push to the device..." FolderBrowse.ShowNewFolderButton = False FolderBrowse.RootFolder = Environment.SpecialFolder.DesktopDirectory Dim DialogRes As DialogResult = FolderBrowse.ShowDialog() If DialogRes = Windows.Forms.DialogResult.OK Then For Each Item As String In My.Computer.FileSystem.GetFiles(FolderBrowse.SelectedPath) ListBox1.Items.Add(Item) Next End If End Sub Private Sub ListBox1_SelectedIndexChanged(sender As Object, e As EventArgs) Handles ListBox1.SelectedIndexChanged Shell("""ADB\adb.exe"" push " & ListBox1.SelectedItem & " " & TextBox1.Text, AppWinStyle.NormalFocus, True, 30000) End Sub Cool! We've got our first One-Click-Utility done in Visual Basic.Net! This is pretty awesome, don't you think? I may have to re-do this thread, but for the moment it'll do, I guess. Move down to the third post, to read all about what what piece of code does.
What Does What Piece of Code Mean and do? In this post, I'll go over what which piece of code does. The practical thing about Visual Basic, is that it uses a lot of words used in the English language. That means: If you can speak English fluently, you can code in Visual Basic quite decently. But nevertheless, I'll go over each bit, and that bit by bit. Of course, if you have questions, I'm happy to answer. What does 'Imports' Mean and do? Imports In Visual Basic, as in pretty much every other programming language, has references it uses to communicate to the OS (Operating System). But, although referenced data is there, it is not entirely available to each form. So you must import that data to the form, where it is needed. You can imagine 'Import' as if you were importing freight from another country - With the only difference, that you're importing data. If you're familiar with C++, #includes <stdio.h> is the same as if you were using Imports System.IO in Visual Basic. If, Else, ElseIf and End If What will be explained here, is the If-Statement. Every programming and scripting language has an If-Statement - Even if it is used with a different name. Basically, what an If-Statement does, is check whether specific criteria is met by a clause you typed. For example: Code: If File.Exists("C:\HelloWorld.vb") Then MessageBox.Show("The file exists!") Else MessageBox.Show("The file doesn't exist!") End If This piece of code checks if a specific file exists. If it exists, it will throw a message box saying that the file exists. Else, it will throw a message box saying it doesn't exist. Make sense? But then we have ElseIf. Using ElseIf can make the code more precise. For example: Imagine you have a form with a text box, and you want to determine whether that text box contains, say http:// or ftp://, you'd type something like this: Code: Dim Text As String = TextBox1.Text (We'll get to Dim in a moment) If Text.Contains("http://") Then MessageBox.Show("The text box contains http://") ElseIf text.Contains("ftp://") Then MessageBox.Show("The text box contains ftp://") Else MessageBoz.Show("The text box doesn't contain http:// or ftp://") End If End If basically just terminates the If-Statement. I don't have an example for this in C++, but I guess you guys are smart enough to get what I mean What does Dim mean? This is probably the easiest thing to explain, in this entire tutorial: All Dim does and means, is Declare. It declares a variable with a type. I think in C++, you'd write something like Code: int a = 16; Where the equivalent in VB is: Code: Dim a As Integer = 16 Sure, it's a bit more to write, but the code is easier to understand. Which is all VB is about: Easy coding. For Each X As String In... Whaa? Well, here we've gotten to a stage, which I only learned a few months ago, and I've been programming in Visual Basic for five years, now. Basically, For Each is kind of like an If-Statement. It searches for specific criteria. If that criteria is met, the code will be executed. I'll use an example from the program written above: Code: For Each Item As String In My.Computer.FileSystem.GetFiles("C:\Windows") This searches for files (FileSystem.GetFiles("") ) and returns these to a variable (Item) as a string value. Code: Next The Next statement tells the computer to move to the next piece of code. And last but not least: Shell? But wait.. I know that from somewhere, don't I? Yup, you do! Shell is just a command prompt or terminal (Whatever you prefer). All it does, is it executes commands as the computer's shell and it gets a bit more low-level as other commands. For example: Code: Shell("") This would execute a simple program, without any command line arguments (Command Line Args). Code: Shell("""adb.exe"" install") This would execute a specific file (In this case adb.exe) and would add a command line arg. Which gives you more flexibility and it allows you to interact with the shell-executable. But the Shell Function can do more than that. It is also still a part of the program, which means it can still tell the program what to do. For example: Code: Shell("""ADB\adb.exe"" install " & ListBox1.SelectedItem.ToString, AppWinStyle.NormalFocus, True, 30000) This piece of code executes adb.exe, with a command line arg, but adds to the shell (CMD) window. AppWinStyle: This determines how the CMD window is shown. In this example, we used NormalFocus, which puts the CMD window in the foreground and focuses on it. So the user can immediately interact with it, if necessary. Where True is: True or False determine whether the program should wait until the shell operation is completed, before moving on to the next step of code. And ultimately, this is also what the integer (Whole number) behind it is for. The number (Must be an integer!) determines how long the program should wait until the program should execute the next line of code, in milliseconds. And that was that, I guess. If you feel I've missed something out, or you don't understand something, fell free to let me know and I'll it it to the list. I'll add the project to my GitHub, so you can all download it. Once I have the time, I'll re-design the posts, but at the moment, I think it'll do (Mods: If you think I should, I'll do it right away! )
Downloads: Download the source code (And pre-compiled binary) from my GitHub. https://github.com/Beatsleigher/OneClickUtil This is licensed under the GPL3.0, so feel free to do with it as you wish I probably won't add to this project, but that should stop you! Happy developing!
--- Reserved #4 ---
mfastboot.exe flash partition gpt.bin mfastboot.exe flash motoboot motoboot.img mfastboot.exe flash logo logo.bin mfastboot.exe flash boot boot.img mfastboot.exe flash recovery recovery.img mfastboot.exe flash system system.img_sparsechunk.0 mfastboot.exe flash system system.img_sparsechunk.1 mfastboot.exe flash system system.img_sparsechunk.2 mfastboot.exe flash modem NON-HLOS.bin mfastboot.exe erase modemst1 mfastboot.exe erase modemst2 mfastboot.exe flash fsg fsg.mbn mfastboot.exe erase cache mfastboot.exe erase userdata pause mfastboot.exe reboot ---------- Post added at 01:51 PM ---------- Previous post was at 01:48 PM ---------- Plz help me to execute above codes on a button press event I know how to add mfastboot.exe
Quite useful thanks
coldflid said: Quite useful thanks Click to expand... Click to collapse You're welcome I'm thinking of doing something similar for Java. Should keep people occupied
Looking forward to it
ADB Bruteforcer I have made a Android Debugging Bridge 0000 to 9999 bruteforcer, With this I will make a nice interface for it, When I'm done, I will upload it somewhere at XDA. Thanks 4 ur upload!
This just one of the great wonders. Nice Job .. Greeting from Mawcot Inc
dear @Beatsleigher first of all i wold like to thanks you for such a nice guide i have some questions please answer it 1st. how to use multiple adb commands with one button for example ( adb kill-server , adb start-server ) 2nd how to print information to a textbox or label for example if i want to see the connected adb devices and i use (adb devices ) so i want to print connected devices into a text box thanks
zameer_yus said: dear @Beatsleigher first of all i wold like to thanks you for such a nice guide i have some questions please answer it 1st. how to use multiple adb commands with one button for example ( adb kill-server , adb start-server ) 2nd how to print information to a textbox or label for example if i want to see the connected adb devices and i use (adb devices ) so i want to print connected devices into a text box thanks Click to expand... Click to collapse This is a pretty old thread to resurrect. I only saw your reply by chance. I'm not an active member of this community anymore, just as with all tech-related things. Those are rudimentary questions. If you're interested in programming, you should read up on some tutorials. Everything you need to find the answers to those questions is written on MSDN. Furthermore, the information provided in this thread is outdated. I recommend you check out @regaw_leinad's AndroidLib or my JDroidLib The documentation for both of these libraries can be found on my website. Good luck with programming. Just don't read these tutorials and documentations and go from there. Depending on which language you want to use, read the maintainer's website (e.g.: MSDN, or Oracle's JavaDoc) and read their tutorials. They'll teach you the basics, best practises, dos and donts, and more. NOTE: I will not be providing support for this tutorial any longer. I have since moved on, and don't see any value in helping people make their lives more complicated than necessary. There are plenty libraries out there which allow you to do much more than I showed in this tutorial, and are easier for beginners, as they show you the best-practises of the language anyway.
How does WeChat store animated emojis (stickers)?
Hi, I hope this is the right section for app-specific questions (if not, please move the thread)... My wife recently got into that sticker/emoji-collecting-thing on WeChat (god knows why) and she would like to use the WeChat stickers on other messengers like Whatsapp (or have access to the image files in general). There are millions of tutorials how to make your own animated stickers for WeChat, but unfortunately there is zero information how to get them out of WeChat... Apparently everything is stored in the folder "Phone\tencent\MicroMsg\--some-md5-like-number--\emoji". Therein are subfolders like "com.tencent.xin.emoticon.NAME", I guess for each sticker creator, and the image files themselves have cryptic filenames like "fd0476f63c51690b88dd17d9be63af1c" without any extension. The good news is that PNGs and JPGs are saved "natively" - such files can be easily recognized by any image viewer via the header. However, animated stickers (typically discernible by the much larger file size) are apparently stored in a kind of proprietary format. It's not GIF or any image format I know of (or rather tried it with), it's also not a common compressed container, and the hex editor doesn't reveal anything useful, just densely packed gibberish... Is there any kind of documentation on how WeChat stores animated images and how they can be converted back into something useful like GIF?
I was wondering this as well. I did the same digging as the OP, with one thing to add. I took a look at one of the said files – this one is 13Kb and about 1kb from the beginning there is a 648-byte xml rdf metadata tag. It shows that whatever this thing is, it was made with Photoshop. I took out the id's and hashes: Code: <rdf:Description rdf:about="" xmlns:xmpMM="http ://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http ://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http ://ns.adobe.com/xap/1.0/" xmpMM:eek:riginalDocumentID="xmp.did:…" xmpMM:DocumentID="xmp.did:…" xmpMM:InstanceID="xmp.iid:…" xmp:CreatorTool="Adobe Photoshop CC 2015 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:…" stRef:documentID="adobe:docid:photoshop:…"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
Looking for the same answer
It's been forever since this question was posted, but I still kinda want to know. I don't think anyone's figured out how. XD;;
Nope, I gave up and urged my wife to find a new hobby
Drats, the stickers are so adorable tho... iiOTL
The files are stored in the WXAM format (an in-house proprietary format). The most I found was this post detailing an exploit for WXGF (that's the name of the format), which includes POC code in Python (see zip at end of post) that encrypts a file to WXGF. In it, you can see the code calculating the encryption key - which, I imagine the way to decrypt them would be to do the opposite (obviously) Python: imei = '358035085174146' key = hashlib.md5(imei).hexdigest()[0:16] cipher = AES.new(key, AES.MODE_ECB) result[0:1024] = cipher.encrypt(buffer[0:1024]) As for converting the unencrypted file - whether Android or Windows, it's contained in a dll or so file. On Windows, the decompilation code can be found at Code: C:\Program Files (x86)\Tencent\WeChat\WXAMDecoder.dll , while on Android it can be found at Code: libwechatcommon.so Particularly on Android, the Java class located in Code: com.tencent.mm.plugin.gif.MMWXGFJNI contains the java -> native implementation, with functions such as Code: nativePic2Wxam() As for documenting the internal native code -> It's too much past my ability / time at the moment. Maybe this can be for someone for another day~ That being said, decryption isn't impossible as you saw above, related to IMEI and AES keys. The particular function you were looking for was - sadly, using it would be a bit hard. But I imagine that you could take the so file, wire it up to an Android app with the same declarations here, and pass in the Wxam file in a byte[] array to get the result back -> You wouldn't have to know the internal code for that either, and since the type is byte[], we don't need to even reverse engineer the code to see what it supplied. Clearly it is a byte[] array of the files contents. Code: public static native byte[] nativeWxamToGif(byte[] bArr); In fact, now that I think about it, I'd like to try it myself now and see what happens lol. Edit: Yup, it works. I just decoded a few files. Working on decryption now. Sorry, I can't share it since I don't wanna get in trouble. But there's the information above ^^ If you can make Android apps and know enough, it's not hard
BBRecon said: The files are stored in the WXAM format (an in-house proprietary format). The most I found was this post detailing an exploit for WXGF (that's the name of the format), which includes POC code in Python (see zip at end of post) that encrypts a file to WXGF. In it, you can see the code calculating the encryption key - which, I imagine the way to decrypt them would be to do the opposite (obviously) Python: imei = '358035085174146' key = hashlib.md5(imei).hexdigest()[0:16] cipher = AES.new(key, AES.MODE_ECB) result[0:1024] = cipher.encrypt(buffer[0:1024]) As for converting the unencrypted file - whether Android or Windows, it's contained in a dll or so file. On Windows, the decompilation code can be found at Code: C:\Program Files (x86)\Tencent\WeChat\WXAMDecoder.dll , while on Android it can be found at Code: libwechatcommon.so Particularly on Android, the Java class located in Code: com.tencent.mm.plugin.gif.MMWXGFJNI contains the java -> native implementation, with functions such as Code: nativePic2Wxam() As for documenting the internal native code -> It's too much past my ability / time at the moment. Maybe this can be for someone for another day~ That being said, decryption isn't impossible as you saw above, related to IMEI and AES keys. The particular function you were looking for was - sadly, using it would be a bit hard. But I imagine that you could take the so file, wire it up to an Android app with the same declarations here, and pass in the Wxam file in a byte[] array to get the result back -> You wouldn't have to know the internal code for that either, and since the type is byte[], we don't need to even reverse engineer the code to see what it supplied. Clearly it is a byte[] array of the files contents. Code: public static native byte[] nativeWxamToGif(byte[] bArr); In fact, now that I think about it, I'd like to try it myself now and see what happens lol. Edit: Yup, it works. I just decoded a few files. Working on decryption now. Sorry, I can't share it since I don't wanna get in trouble. But there's the information above ^^ If you can make Android apps and know enough, it's not hard Click to expand... Click to collapse I'm using nativeWxamToGif(), but I keep getting a return value of null. Do you know if it is still supposed to work? I tried the libwechatcommon.so in wechat versions 7 and 8 and still no luck. My decryption code is almost the same as the encryption code. The only difference is that I strip off the trailing 0-pad and then reuse the imei-generated (using my own imei) key to decrypt. Were you able to use nativePic2Wxam? The signature is too complex so it's too hard for me to guess what parameters to pass in. Code: private static native int nativePic2Wxam(String paramString1, String paramString2, int paramInt1, int paramInt2, int paramInt3, int paramInt4, int paramInt5); Since I don't know how to use nativePic2Wxam, I'm just blindly trusting you that I should be able to decrypt one of the wxgf into wxam and then use nativeWxamToGif() to convert it to a gif. But I'm not sure why my gifs are always null. I think I do have the libwechatcommon.so lib working because I am able to use other simple functions such as the following: Code: public static native int nativeRewindBuffer(long paramLong); public static native int nativeUninit(long paramLong); Does nativeWxamToGif() return null if the input byte array is invalid wxam or something?
Reverse Engineering Android Boot Process - Need Help
Tl;dr = I have studied the boot process. I understand the Qualcomm SOC boot process PBL > SBL/XBL > And so on. I am trying to get a disassembly of the SBL. I dumped the EMMC and can view all its partitions. Now I am stuck at the 80 bytes header containing the "Loading Address". I can't figure out where and how the processor jumps to this loading address. Greetings XDA community. This post is more relevant to the developers and power users of android and people who work as embedded developers/security researchers/reverse engineers in general. Background - I am deeply interested in OSDev and running my own code on the hardware I own. Just like I am building my own bootloader for my PC, I had also been wanting to study the android boot processs for quite some time. In the last few days I got to it and found that the whole low level ecosystem of Android, iOS and Smartphones is really toxic and full of proprietary stuff. But I am still determined to make my own bootloader for my smartphone even if it only displays the good old "Hello World" on that little black display. I am not concerned about bricking my few phones as they are pretty much useless to me now and can be used for RE purposes. Some Useful Links - https://blog.quarkslab.com/analysis-of-qualcomm-secure-boot-chains.html , https://alephsecurity.com/2018/01/22/qualcomm-edl-1/ , https://lineageos.org/engineering/Qualcomm-Firmware/ Technicals - I copied the whole EMMC from my rooted phone (Xiaomi Mi4) and studied the boot process. So apparently the boot process goes something like PBL --> SBL --> And so on... I found the partition labelled SBL in the dump. I am trying to get code execution at the lowest level possible but it seems I might not be able to resurrect the phone easily if I mess with the SBL (as the phone might not even go into EDL mode then). So I am first considering taking control after the SBL (and before Aboot) with my own code (even if it includes some certificate/proprietary blobs from the manufacturer). But for this I have to understand what exactly the SBL is doing in my particular processor's case. So in the SBL partition is an 80 byte header (source : http://vm1.duckdns.org/Public/Qualcomm-Secure-Boot/Qualcomm-Secure-Boot.htm). This header contains a loading address for the processor. What I can't figure out is how the processor jumps to this address. The source mentions to "remove the header and then load the file in IDA Pro" but what file are they talking about (The EMMC dump? The partition? Something else?). How does the CPU use this loading address? In my particular phone the loading address is : 00 C0 00 F8 ( https://imgur.com/a/ngfFsj5 ) Please shed some light on this issue.
Hello! As I understand it, we are talking about SBL images. I also tried decompiling the SBL in IDA Pro, but in my case I didn't remove the header and everything works fine. The SBL is taken from the Redmi Note 5A firmware update. I hope this information helps you Sorry for the first post, the Google Translate builtin to Chrome do it
vigilante_stark said: How does the CPU use this loading address? In my particular phone the loading address is : 00 C0 00 F8 Click to expand... Click to collapse The load address should be a 64 bit address, so that's probably the slide address. The full load address should be something like 0xFFFFFFFFF800c000. Not a 100% sure but try it out.