Hello, I have some question regarding moding AMSS based on Android system.
1. With my analysis, there are two SHA160 hash under AMSS header section. Does anybody know the way to calc these two hash?
- I was able to modify RECOVERY section with mkbootimg.
I thought generating hash for AMSS might be same as hash for RECOVERY.
But, RECOVERY section only included one SHA160 hash but AMSS has two.
2. Alternatively, I thought I could alter bootloader to skip the integrity check.
Which bootloader should I modify to do this job?
- I found that my phone has 3 different Bootloade: DBL, FSBL, OSBL
DBL : 128KB
FSBL : 256KB
OSBL : 1152KB
I would like to share the information about the phone but I cannot tell the name of the phone because of a circumstance.
All I can say is that the phone is based on Snapdragon(Qualcomm).
Moreover, since this phone is not from known company, no one would have information anyway.
However, I think I could upload bootloaders from the binary.
Although my question might sound vogue, I hope there is someone who could help me to solve the problem
Thank you very much.
hmm... no one can help this problem?
This post is to collect and share everything there is to know about Odin v1.52. Collecting information from your knowledge and experience. Sharing by using the section titles to search particular information.
What do these options do? What do they effect on the device? If you know something or have experience with it, spill the info. If there is a link to another post, use the section title and add the link. I attached a screenshot of it and program.
***Important*****
For this to work right......
To Post. Copy the section title from the OP and give your response. ex.
Odin3 v1.52/Option/Re-Partition
This is ....or what I know about it.............
Then to find the info, search with that section title from the OP in the post to retrieve results
Search post:
Odin3 v1.52/Option/Re-Partition
Here are the sections..............
Odin3 v1.52/Developer
Odin3 v1.52/Uses
Odin3 v1.52/General
Odin3 v1.52/ID:Com
Odin3 v1.52/Option/
Odin3 v1.52/Option/Re-Partition
Odin3 v1.52/Option/Auto Reboot
Odin3 v1.52/Option/F. Reset Time
Odin3 v1.52/Option/Dump
Odin3 v1.52/Option/Dump/AP Ram
Odin3 v1.52/Option/Dump/AP Nand
Odin3 v1.52/Option/Dump/ID
Odin3 v1.52/Option/Phone EFS Clear
Odin3 v1.52/Option/Phone Bootloader Update
Odin3 v1.52/Message
Odin3 v1.52/Control Panel
Odin3 v1.52/Control Panel/Start
Odin3 v1.52/Control Panel/Reset
Odin3 v1.52/Pit
Odin3 v1.52/Files [Download]
Odin3 v1.52/Files [Download]/PDA
Odin3 v1.52/Files [Download]/Phone
Odin3 v1.52/Files [Download]/CSC
Odin3 v1.52/Files [Download]/ETC
Odin3 v1.52/File [Dump]
Odin3 v1.52/File [Dump]/Dump
Good day and God bless!
Odin3 v1.52/Developer
Interesting info about the program and where it came from
Link
http://androidforums.com/samsung-i7500/9078-what-odin.html#post373495
"I'm pretty sure Dejan did not write this tool. Someone can correct me here if I am wrong.
There is a string in 3.95:
"c:\Documents and Settings\seungbum223.kang\My Documents\Visual Studio 2008\Projects\MultiOdin\Release\MultiOdin.pdb"
A quick search turns up a patent application "APPARATUS AND METHOD FOR UPDATING BOOT LOGO IMAGE IN PORTABLE TERMINAL" by "Jeong-Hwan Min and Seung-Bum Kang" for "SAMSUNG ELECTRONICS CO., LTD."
So I'm pretty sure that MultiOdin is from Samsung, which means no source is available. It sure would be nice to reverse engineer what it is doing so we don't need odin anymore."
Odin3 v1.52/Pit
Odin3 v1.52/Pit
9.What is the .pit file? Why are there different versions?
There are now three different versions of the .pit file. 513.pit, 512.pit and 803.pit. 513.pit only works for early firmwares and should not be used anymore. The 512.pit file is used for all Android 2.1 Eclair firmwares and the Android 2.2 Froyo firmwares up to and including the I9000XXJP3 firmware. Several sources now indicate that the 803.pit file solves several problems with the Froyo firmwares released after XXJP3 (i.e. I9000ZSJP2 and I9000XXJPC) compared to the 512.pit file and should be used when flashing those.
What exactly the pit file actually does is somewhat unclear. Initially, it was believed to be responsible for mapping partition sizes but it has recently been suggested that the .pit maps certain files to certain partitions. Since Odin is closed source we cannot be sure at the moment.
http://forum.xda-developers.com/showthread.php?t=723596
Odin3 v1.52/Pit
Odin3 v1.52/Pit
"There is very little technical information on PIT files , so this thread is an attempt to find out some real details about PIT files, and perhaps eventually be able to create our own PIT files (by modifying Samsung ones, probably).
First, what we think we know PIT files do:
- PIT files only affect the 'STL' devices. That is, it affects the OneNAND and not the MoviNAND.
- PIT files appear to control the sizing (and maybe number) of STL devices that appear in Linux.
- PIT files appear to be used by Odin to map filenames inside .tar archives to STL partitions.
STL files are quite small, at under 2KB in size. Most of the file is made up of 0s. I have tried to compare the differences between the 512 513 and 803 PIT files we have available.
All the PIT files start with 76 98 34 12 0D - probably a signature to show it is a PIT file.
[Unimportant]
The 803 PIT file then has 00s all the way to the next common point. The 512 and 513 both have common data till the next common point - but this can't be too important as the 803 just has 00s.
The next common bit seems to read the following:
"oft IBL+PBL Server\90\To boot.bin inn; C:\Program Files\ESTsof
This probably indicates something to Odin. Strange that it has C:\Program Files\ - build path for the PIT file?
Next we have some 0s with common 1s inside them, followed by the word PIT, then more 0s, and then ries.pit. All common from here on with the words 'EFS' and 'efs.rfs'. Probably telling odin to map the efs.rfs file to the 'EFS' token. Tokens probably defined either in the kernel, or in the closed source STL library. More of the same of this, with 'SBL' 'sbl.bin', 'SBL2' 'sbl.bin' -- Both SBL and SBL2 map to the same sbl.bin file?
'PARAM' to 'param.lfs'
'KERNEL' to 'zImage'
'RECOVERY' to 'zImage' (this one is interesting - could we have seperate zImage and recovery? Could save some RAM here!)
[/Unimportant]
And now we'r onto the actual changes between the PIT files. 'FACTORYFS' maps to 'factoryfs.rfs'. However, before the FACTORYFS token, there are some bytes that likely control the partition sizes.
FACTORYFS
803 : A2 04 : 41476
512 : 7A 04 : 31236
513 : CA 04 : 51716
DBDATA
803 : F0 01 : 61441
512 : 18 02 : 6146
513 : C8 01 : 51201
CACHE
803 : 8C
512 : 8C
513 : 8C
MODEM
803 : 32
512 : 32
513 : 32
So there we have it. The only real changes between the PIT files are some seemingly garbage header information in 512/513 that is missing from 803, and FACTORYFS and DBDATA have different numbers -- probably sizes.
So assuming FACTORYFS maps onto /system, we can see that the only differences in the PIT files is moving space back and forwards between /dbdata and /system. The numbers themselves don't mean anything to me - can anybody work it out? "
http://www.galaxyroot.com/tag/pit/
plz help me , my GT-i9000 can active recovery mode and downloading mode but boths Odin3 v1.3 , v1.52 , v1.7 can't recognize my phone when i plug USB cable
my system information :
model number : GT-i9000
firmware ver : 2.2
Baseband Ver : I9000DTJP3
Kernel Ver : [email protected] #7
Build number: FROYO.DTJP5
thanks !!
my usb cable is good (tested)
So I was able to make a decompressed extracted dump of the UEFI cab update package. After extracting the 2_UEFI.bin file from the cab update, I ran it through some PC bios extraction tools. Just my luck it worked.
This package is only partially extracted. And readable.
MORE STUFF ON POST#2
here is picture attached here
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
PLEASE MAKE NO!!!! ATTEMPT TO FLASH ANY OF THESE FILES. UNLESS YOU KNOW WHAT YOUR DOING.
FULL DUMP CAN BE DOWNLOADED HERE
View attachment UEFI-VOL-DUMP.zip
Here are some strings from EBL module that was extracted from a Vondafone UEFI update cab.
EblCheckRefurbishResult
[FAT_ERROR] fat_get_next_cluster: allocate %d bytes for FAT table sector buffer fail!
[FAT_ERROR] fat_get_next_cluster: read FAT table sector[%d] fail!
fat_read_disk [FAT_ERROR] fat_get_skip_cluster: allocate %d bytes for FAT table sector buffer fail!
[FAT_ERROR] fat_get_skip_cluster: read FAT table sector[%d] fail!
[FAT_ERROR] fat_open_file: can not alloc heap for the file description!
[SSD-PLAT] ReadSector failed, please probe removable media first.
[SSD-PLAT] ReadSector failed, please probe removable media first.
[SSD-PLAT] WriteSector failed, please probe removable media first.
[SSD-PLAT] WriteSector failed, please probe removable media first.
EblEMMCInformation: Not found hTC Sdcc extention protocol!! (%r)
EblEMMCInformation: Not found hTC Sdcc extention protocol!! (%r)
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\EmbeddedPkg\Ebl\hTC\tz.c !EFI_ERROR (gBS->LocateProtocol(&gQcomPmicVregProtocolGuid, 0, (void**)&PmicVregProtocol))
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\EmbeddedPkg\Ebl\hTC\tz.c !EFI_ERROR (gBS->LocateProtocol(&gQcomPmicVregProtocolGuid, 0, (void**)&PmicVregProtocol))
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\EmbeddedPkg\Ebl\hTC\tz.c !EFI_ERROR (gBS->LocateProtocol (&gEfiCpuArchProtocolGuid, 0, (void **)&CpuArch))
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\EmbeddedPkg\Ebl\hTC\tz.c !EFI_ERROR (gBS->LocateProtocol (&gEfiTzeLoaderProtocolGuid, 0, (void**)&TzeLoader))
[SECURITY] TZ_HTC_SVC_READ_SIMLOCK_MASK modified ret = %d, mask = 0x%X
[SECURITY] TZ_HTC_SVC_READ_SIMLOCK_MASK modified ret = %d, mask = 0x%X
[SECURITY] TZ_HTC_SVC_UPDATE_SIMLOCK: TZ NOT return updating record index
[SECURITY] TZ_HTC_SVC_UPDATE_SIMLOCK: TZ NOT return updating record index
[SECURITY] secure_get_simlock_upgrade_magic, ret=%d (0x%x, 0x%x, 0x%x)
[SECURITY] secure_get_simlock_upgrade_magic, ret=%d (0x%x, 0x%x, 0x%x)
[SECURITY] TZ_HTC_SVC_EMMC_WRITE_PROT set magic (0x%X, %d) ret = %d
[SECURITY] TZ_HTC_SVC_EMMC_WRITE_PROT set magic (0x%X, %d) ret = %d
[SECURITY] TZ_HTC_SVC_EMMC_WRITE_PROT get magic 0x%X 0x%X ret = %d
[SECURITY] TZ_HTC_SVC_EMMC_WRITE_PROT get magic 0x%X 0x%X ret = %d
hash: %a 2 [1: sha1 | 2: sha256] [src address] [src len] [digest addr] [digest len]
hash: %a 2 [1: sha1 | 2: sha256] [src address] [src len] [digest addr] [digest len]
aes: %a 3 [0: aes128 | 1: aes256] [0: ECB | 1: CBC | 2: CTR] [0: encrypt | 1: decrypt] [iv addr] [key addr] [src addr] [len] [dest addr]
aes: %a 3 [0: aes128 | 1: aes256] [0: ECB | 1: CBC | 2: CTR] [0: encrypt | 1: decrypt] [iv addr] [key addr] [src addr] [len] [dest addr]
aes encryption with SW key: %a 8 [0: aes128 | 1: aes256] [0: ECB | 1: CBC | 2: CTR] [0: encrypt | 1: decrypt] [key id] [iv addr] [src addr] [len] [dest addr]
aes encryption with SW key: %a 8 [0: aes128 | 1: aes256] [0: ECB | 1: CBC | 2: CTR] [0: encrypt | 1: decrypt] [key id] [iv addr] [src addr] [len] [dest addr]
set ddr mpu config: %a 11 [index] [read vmid mask] [write vmid mask] [start] [end]
set ddr mpu config: %a 11 [index] [read vmid mask] [write vmid mask] [start] [end]
enable_hw_auth
disable_jtag
blow_boot_cfg
blow_sec_key
hide_hwkey
checksbl1
je board_evm
evm
EVM8960
ke board_evm2
evm2
EVM28960
board_evita
evita
EVITA board_accord_wl
accord_wl
PM2310000
board_accord_wr
accord_wr
PM2330000
board_accord_u
accord_u
PM2320000
board_accord_ul
accord_ul
PM2321000
board_accord_td
accord_td
PM2350000
[ERR] partition_update offset is not emmc sector[%d] aligment! Offset[%d]
htc_pg_sanity_check pg %a: calculated checksum 0x%x is mismatched (header checksum 0x%x)
pg %a: calculated checksum 0x%x is mismatched (header checksum 0x%x)
htc_pg_hdr_get
htc_pg_hdr_set
htc_pg_part_hdr_get
htc_pg_alloc_map
htc_pg_find_best_alloc
htc_pg_alloc
htc_pg_part_reduce_size
htc_pg_fix_part_hdr_add
htc_pg_part_hdr_set
htc_pg_part_traverse
htc_pg_link_size
htc_pg_part_update
htc_pg_part_clear
htc_pg_part_read
htc_pg_update_crc
htc_pg_part_modify
htc_pg_part_modify:
part %a,
offset %d,
len %d,
is_erase %d,
update_crc %d
htc_pg_part_modify:
part %a,
offset %d,
len %d,
is_erase %d,
update_crc %d
htc_pg_free_size
htc_pg_part_crc
check_pgfs
check_boardinfo
chipset_setting_init
chipset_reset
chipset_get_device_id
chipset_set_device_id
read_simlock
write_simlock
EMBEDDED BOOT LOADER COMMANDLINE INTERFACE
I think some of the more experienced gurus form the Windows Mobile days can input more knowledge here.
EblBoardInfoCommand
write_simlock_password
read_simlock_password
radio_init_secure_smem
ClearSimLockCode
AddSimLockCode
EnableSimLock
DisableSimLock
HTC
USB BLDR
HandleSetupPkt
HandleUSBEvent
**** Both TX and RX needs to be queued, but only one can be queued. SOMETHING MAY GO WRONG **** OnBoard_USB_Init OnBoard_USB_Write
**** Both TX and RX needs to be queued, but only one can be queued. SOMETHING MAY GO WRONG ****
OnBoard_USB_Read
detectUsbCable
0 . 0 . 0 . 0
PIKS
MSM8960
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
No Media
Media changed
Access Denied
Write Protected
Not started
Already started
Aborted
Unsupported
Not Found
Warning
Delete
Failure
Warning
Write Failure
No Response
Bad Buffer Size
No mapping
Warning Unknown Glyph
Warning Buffer Too Small
Volume Full
Invalid Parameter
ICMP Error
TFTP Error
Load Error
Device Error
Protocol Error
Out of Resources
Success
Volume Corrupt
Time out
Not Ready
Snapdragon S4 Processor
GPT PARTITIONS
FFFFFFFF-FFFF-FFFF-FFFF-000000000010
540B4740-D799-497D-9F02-B36D2E958EB0
B7A9BDA8-368C-46BC-B2C7-67501F0E6B52
9183C552-0934-4FD6-AF26-13FE14244223
320D3B19-80D9-467A-99BC-AB2B85287574
A053AA7F-40B8-4B1C-BA08-2F68AC71A4F4
E35F99CF-0025-4252-A608-CAAA1289CAF4
69B4201F-A5AD-45EB-9F49-45B38CCDAEF5
0732095D-CD4E-4492-B229-28D4ECCEC1B6
F0B4F48B-AEBA-4ECF-9142-5DC30CDC3E77
E5C3DF3F-556D-478e-AFE3-DABA98C52897
EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
098DF793-D712-413D-9D4E-89D711772228
400FFDCD-22E0-47E7-9A23-F16ED9382388
DEA0BA2C-CBDD-4805-B4F9-F428251C3E98
E6536BC2-6DA4-495D-A83B-79F93701E799
638FF8E2-22C9-E33B-8F5D-0E81686A68CB
0A288B1F-22C9-E33B-8F5D-0E81686A68CB
EBBEADAF-22C9-E33B-8F5D-0E81686A68CB
3A6A228E-FC35-4A46-A869-4C511F7CE5EC
6BB94537-7D1C-44D0-9DFE-6D77C011DBFC
8C6B52AD-8A9E-4398-AD09-AE916E53AE2D
2373E6C7-FCBE-42B1-B44A-10DDAF18388D
543C031A-4CB6-4897-BFFE-4B485768A8AD
530C3197-F4D2-408F-B886-778ED6CDFDAD
05E044DF-92F1-4325-B69E-374A82E97D6E
74DA3EE7-D422-487C-A573-CE03C261362F
A44D2E89-8B5A-4F42-8FE5-FD36333A3BFF
PARTITION IMAGES
%a:\hTCIMG\QC\MSM8960\%04x\rfg_0.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_1.img
%a:\hTCIMG\QC\MSM8960\%04x\modem_st1.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_2.img
%a:\hTCIMG\QC\MSM8960\%04x\modem_st2.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_3.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_4.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_5.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_6.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_7.img
%a:\hTCIMG\QC\MSM8960\%04x\disk.img
%a:\hTCIMG\QC\MSM8960\%04x\radio.img
%a:\hTCIMG\QC\MSM8960\%04x\sbl1.mbn
%a:\hTCIMG\QC\MSM8960\%04x\sbl2.mbn
%a:\hTCIMG\QC\MSM8960\%04x\sbl3.mbn
%a:\hTCIMG\QC\MSM8960\%04x\uefi.mbn
%a:\hTCIMG\QC\MSM8960\%04x\rpm.mbn
%a:\hTCIMG\QC\MSM8960\%04x\winsecapp.mbn
%a:\hTCIMG\QC\MSM8960\%04x\tz.mbn
%a:\hTCIMG\QC\MSM8960\%04x\gpt_main0.bin
%a:\hTCIMG\QC\MSM8960\%04x\fat16.bin
%a:\hTCIMG\QC\MSM8960\%04x\MainOS.bin
%a:\hTCIMG\QC\MSM8960\%04x\fat_FFU.bin
%a:\hTCIMG\QC\MSM8960\%04x\UserData.bin
%a:\hTCIMG\QC\MSM8960\%04x\sdata.bin
%a:\hTCIMG\QC\MSM8960\%04x\misc.bin
%a:\hTCIMG\QC\MSM8960\%04x\mfg.bin
%a:\hTCIMG\QC\MSM8960\%04x\modem_fsg.bin
%a:\hTCIMG\QC\MSM8960\%04x\dpp.bin
%a:\hTCIMG\QC\MSM8960\%04x\efiesp.bin
%a:\hTCIMG\QC\MSM8960\%04x\eblogs.bin
RUU CONFIGURATION
THESE VARABLES CAN BE USED TO IN THE ACDUCONF.TXT
[getvzwmid] Query VZW model ID
[getmeid] Query device MEID vzwisLTE
[getdevinfo] Return device Model ID and CID to RUU
[getimei] Return device IMEI to RUU
[blversion] Return bootloader version to RUU wdata
[readconfig ] Read i-th config data or read all config data if no i supplied getmeid getvzwmid
[task TaskNum] Executing task command
[set SetNum SetValue] Executing set command password ResetDevice
[ResetDevice] Reseting the device
[wdata Length Checksum] Writing NBH file format data to device
[ruustart] Enter RUU special command mode
[progress Percentage] Show progress bar and percentage on screen for RUU use readconfig Ask radio to start refurbish startrefurbish getimei task blversion
[password PassWord] RUU password verification getdevinfo progress set Check the refurbish result checkrefurbishresult
[vzwisLTE] Check the device is LTE or not ruustart
FixVoltageMSMC1
FixVoltageMSMC2
KitlIP DCVSParam[0]
DCVSParam[1]
DCVSParam[2]
DCVSParam[3]
DCVSParam[4]
DCVSParam[5]
DebugMethod
PowerSavingDisable
DriverDisable
FixedIdleTime
DriverLocalZone
PagingPoolSize
DebugFlag
DriverFlag
PassiveKitlDbg
HookDebug
ApSwitch
KitlNetMask
FixFreqLevel
USBFlags
RadioDebugFlags
SensorDebugFlags
BootloaderFlags
DLLLowFlags
DummyFlags
SpyFlags
DllBreakPoint
DemFatalCount
AutoFocusTest
DebugBattery
secure erase secure trim
QUALCOMM OEM
STILL NOT SURE ABOUT THESE STRINGS
Q6:
VDDCX:
Krait:
RFSKUIDField_D0
RFSKUIDField_D1
RFSKUIDField_D2
RFSKUIDField_D3
RFSKUIDField_D4
RFSKUIDField_D5
RFSKUIDField_D6
RFSKUIDField_D7
EngineerID
KEK
PK
DPP
HTC OEM SECURE KEYS
fs0:\SecureBootPolicy.p7b
db pDPP.enc
OEM_DB_CLEAR.enc
OEM_KEK_CLEAR.enc
OEM_PK_CLEAR.enc
OEM_DBX_CLEAR.enc
PCBIDField
FunctionSKUField
ssd
delfile
crwfile
fs0:\enc.img
fs0:\ori.img
SKUIDChecksum
fs0:\OEM_dbx_2011.bin
fs0:\OEM_db_2012.bin
fs0:\OEM_KEK.bin
fs0:\OEM_PK.bin
fs3:\pDPP.tmp
fs3:\OEM_DB_CLEAR.tmp
fs3:\OEM_KEK_CLEAR.tmp
fs3:\OEM_PK_CLEAR.tmp
fs3:\OEM_DBX_CLEAR.tmp
var midr
fs0:\keystore.dat
v
w
dbx
CurrentPolicy
QULCOMM SECURE
RFG_0
SBL1
MODEM_FS1
RFG_1
SBL2
MODEM_FS2
RFG_2
SBL3
RFG_3
RFG_4
RFG_5
RFG_6
RFG_7
SDATA
MISC
MODEM_FSG
UEFI
RPM
RADIO
BDP
WINSECAPP
DPP
EFIESP
EBLOGS
MainOS
PLAT
TZ
Data
X
ROM UPDATE UTILITY
HTCIMAGE
GPT_HEADER TOUCH_FW_UPDATE
ACDUIMG.nbh
ACDUNV.nbh
ACDUDIAG.nbh
ACDUCONF.txt
ACDUDIAG.nbh
HTCIMAGE
simunlock
more.
HTCIMAGE
simunlock.
spcustom
prkey
wvkey_lv1
dpkey.
tamper
prmkey
wvkey_lv3.
sbl1_update
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\Ebl.dll....
More info on the tools used to dump the UEFI can be found here Thanks to CodeRush
I have moved on to using PhoenixTool. Many options to choose from including inserting SLIC, SLP, key and RW file. Full customization of ACPI, OEM, RSDT XSDT tables. Preserve module size andmany more features.
any use? I'm a noob.
fengsam said:
any use? I'm a noob.
Click to expand...
Click to collapse
Using RUU configuration script in the ACDUCONF.txt would probably solve some issues with not being able to flash a rom because of incorrect model number issues.
for instance i cannot flash a factory rom on my device because the text that shows up on boot loader screen is incorrect. do to some of the Microsoft developer updates. for Windows embedded compact and handheld sdk updates that have been pushed to my device.
so using this [getdevinfo] should in theory return the ruu with the correct device info. the radio, dpp. and boot partitions that are in the RUUs contain the device info that have to match for the. i just so happens that those config files can be changed without harming the signed.nbh (technically there are not signed images at all. only mostly encrypted. but still unsigned.) I have not been able to dig up any documentation for use of ACDUCONF.txt and how it should be properly used. but similar ruu config file usage has documented us since the early windows mobile all the way up until windows phone 7. its only up until yesterday that this information has been presented to the public.
I am 99% convinced that HTC 8x uefi is can be configured to dual-boot, boot-android, right now with the UEFI that i extracted modules can be altered, replaced new ones can be inserted and at the same time. be resigned. only issue is creating an nbh. I think some old windows mobile tools can sign the image and a goldcard can b used on a usb thumb drive. The HD2 USB Y Cable dongles is OEM approved to be used with the htc accord and has the code written within the uefi bios image its self.
HTC uefi is very similar to Intels edk2 which is based from Edk II DevKit(Sourceforge.net), which is based off of Tianocore. Many of the packages are compattable. [MdePkg]
Though it is not tianocore some of there packages are still based off of the tianocore edk2 platform. along with many of the other edkII development projects on http://www.sourceforge.net.
Also there is strings i found that allowed the use of using a JAVACARD dongle. Which with a JAVACARD you can achieve s-off, and security unlock. (well at least in the case of Android devices.)
Then again who has ever seen a windows phone 8 uefi broken down like this before. none. or at least that i can find. Closest i found was from forums in China, and original source was being shared for Huawei W1 and W2.
fengsam said:
any use? I'm a noob.
Click to expand...
Click to collapse
No ,
@grilledcheesesandwich What PC BIOS Extraction tools did you use?
compu829 said:
@grilledcheesesandwich What PC BIOS Extraction tools did you use?
Click to expand...
Click to collapse
i forgot who made the tools. but i found them on mydigitallife.com forums. there called UEFIExtract.exe and UEFITool.exe the extractions are not perfect and the rebuilding still is not working 100% on 8x uefi .the process request files that only exist within the phones memory.
sent from the moon
grilledcheesesandwich said:
i forgot who made the tools. but i found them on mydigitallife.com forums. there called UEFIExtract.exe and UEFITool.exe the extractions are not perfect and the rebuilding still is not working 100% on 8x uefi .the process request files that only exist within the phones memory.
sent from the moon
Click to expand...
Click to collapse
http://forum.xda-developers.com/showthread.php?t=1966327
@grilledcheesesandwich What tool are you using to browse the UEFI BIOS (like you see in the screenshots?) Also, you need to use 7zip to extract the zip file to get to the tarball...it's not compatible with the built-in windows zip utility
compu829 said:
@grilledcheesesandwich What tool are you using to browse the UEFI BIOS (like you see in the screenshots?) Also, you need to use 7zip to extract the zip file to get to the tarball...it's not compatible with the built-in windows zip utility
Click to expand...
Click to collapse
i tarballed the bios after i extracted it so i could browse it in a flatview
grilledcheesesandwich said:
i tarballed the bios after i extracted it so i could browse it in a flatview
Click to expand...
Click to collapse
Problem is, even if you manage to repack the different modules, (You could Use Andys Tool for that, I got into Bios modding some time ago ) the phone will detect it and since the signature has been broken it won't flash. But I am quite interested in the volume dump since I have a HTC 8S motherboard stuck in recovery mode because I tried to flash the 8X rom on it, with the 8S signature ('t was an accident) You could try to get the offset you need to change with UIFR by Donovan http://donovan6000.blogspot.de/2014/02/universal-ifr-extractor.html
cheers, hutchinsane_
@grilledcheesesandwich I noticed lol.
From what I can gather, if one uses the Y-Cable method to flash the HTC 8x, it bypasses the signature checking done by the standard RUU. I do know that the nbh files for the HTC 8x are unencrypted. I have always wondered about hand-editing the mainOS partition to enable a developer unlock for our devices. The only issue is that I have the T-Mobile variant, which has AWS HSPA+ enabled and unlocked. This radio firmware is not in the standard RUU for the EURASIA ROMS, so I never bothered with it because I Can't lose AWS support.
hutchinsane_ said:
Problem is, even if you manage to repack the different modules, (You could Use Andys Tool for that, I got into Bios modding some time ago ) the phone will detect it and since the signature has been broken it won't flash. But I am quite interested in the volume dump since I have a HTC 8S motherboard stuck in recovery mode because I tried to flash the 8X rom on it, with the 8S signature ('t was an accident) You could try to get the offset you need to change with UIFR by Donovan http://donovan6000.blogspot.de/2014/02/universal-ifr-extractor.html
cheers, hutchinsane_
Click to expand...
Click to collapse
ok here is what i have so far. Ideas are still out there.
I need to find a tool that can extract a perfect capsule. from the uefi. even though the uegi binary partition is write protected. the capsule may be writeable. no need to worry about signatures and keys as long as the capsule is back to its origiinal size and expands as normal after being flashed to the device. also no alteratiin can been done to Security module within the capsule. thats ok because all the modules are contained within there own class and to do not require signature verification. this has worked with Intel and Amtel Uefi bios. From what i can tell Htc8x has an embedded amtel at24c128bn eeprom security chip present and if there eeprom is as easy as there tpm (trusted platform module) being used for security validation in uefi bios boot process used on pc motherboards we should in some theory be the case here too.
My overal plan is not to only expand the new development into custom roms. the plan is to fully defy microsofts most secure mobile retail device by handing them a fully customizeable device without loosing the featured security.
To my knowledge every htc 8x has the built in feature to change usb connection mode when pluged in to a pc. the only reason we cannot use this feature the same feature offered in pre android 4.3 devices is because the value in the registry is set to disableDialogmenu and the value is set to (1). i think if we can change this to (0) wen will have a popup menu present when plugging in to a pc. i found this key earlier today while searching my phones registry. i will post up this key later.
Another is Andrid. HTC One S Ville U has identical hardware. believe this the hboot for ville U is built just like the uefi for the 8x. so close in fact like you can cee the ebl module refrences the ville u. ok so heres more. when i tore apart ruu ville u i found the exact same files that exist withing the ruu accord. the files im refering to are the platform info files that check for firmware cimpatibility. the only alteration needed would be to replace the secure boot binaries in the ville u rom.zip and inject my certificates i have been holding onto.
i have 2 platform verification keys (pvk) i have found from encrypted jtag nand dumps. probably useless. itsva good refrence start on a possible challenge with DPP partition.
l
self signing certs is not a problem. i have everything to work around the issue of kek db dbx ovk and pvk keys and certificates. found a dev who put together a wpdeveloper pack that creats all needed certificates for wp soc oem ihv developemt and also remotly sets up all the needed requirements and resources to build and flash a signed ffu. i can assure hyc 8x ffu exist. but the only way to get a qualcomm accord u full flash uodate is to build it. you do not have to be an oem to build a ffu. there is a process to doing this. all you need is to create an empty zip archive labeled corrextly likr how nokia ffus look. add a specific xml soap scripts. similar to.the ones for cab update checks. mainly the cabs that are labeled emptypackage.
ive came across a few but not enough. i think a workaround would he microsoft cabinet sdk. to rebuild. whats missing. the cab that contaijes all the xml provision licenses is needed for the ffu build. as well. now the documentation on the wpoem site says you need the phone image design tool to build a ffu........o darn dead end.... nope the is another way. some confedientel ihv documents demonstrate like rhe above mentoned empty zip file correctly labeled with correct xml scemas layed out then added to the zip. you must setup your pc environment with microsoft client connextion to redmond. they validate you contoso build zip is accurate and if doen correctly you will returned with a fully built full flash update package. theres lots i didnt not mention. i should not.
so any ways. back to the topic. once i can find all the correct libraries to correctly rebuild this uefi all options will be on the table. moke like endless opportunities in customizations and features. well almost.
litsvofbwork needs done. anybody else has gots guts to conqueror with me head over to mydigitallife and sure uobthere endless threads on uedi bios hacking.
i completely sandboxied hck adk win sdk win kits wpsdk ack and vs2013. zi
ffutool.exe & ffuresources.dll
sent from the moon
compu829 said:
@grilledcheesesandwich I noticed lol.
From what I can gather, if one uses the Y-Cable method to flash the HTC 8x, it bypasses the signature checking done by the standard RUU. I do know that the nbh files for the HTC 8x are unencrypted. I have always wondered about hand-editing the mainOS partition to enable a developer unlock for our devices. The only issue is that I have the T-Mobile variant, which has AWS HSPA+ enabled and unlocked. This radio firmware is not in the standard RUU for the EURASIA ROMS, so I never bothered with it because I Can't lose AWS support.
Click to expand...
Click to collapse
i have a rom that supports aws hspa. its not directly tmobile its a wwe rom. also mine is also a tmobile usa variant. and the weird part is its not the same as the other usa versions mine has full lte and gsm support and at one time was sim unlocked. the serial number traced back to being built in germany and was sold here in the usa
I IM GOING TO HELP EVERYONE OUT HERE AND HOST MY COLLECTION OF HTC8X ROMS. AND 8S ROMS.. I keephearing that there is only 2 versions available for the 8x. im going to give everybody at least 6.
Sent from my Galaxy Nexus using XDA Free mobile app
hutchinsane_ said:
Problem is, even if you manage to repack the different modules, (You could Use Andys Tool for that, I got into Bios modding some time ago ) the phone will detect it and since the signature has been broken it won't flash. But I am quite interested in the volume dump since I have a HTC 8S motherboard stuck in recovery mode because I tried to flash the 8X rom on it, with the 8S signature ('t was an accident) You could try to get the offset you need to change with UIFR by Donovan http://donovan6000.blogspot.de/2014/02/universal-ifr-extractor.html
cheers, hutchinsane_
Click to expand...
Click to collapse
ifr extractor does not work with a htc 8x uefi binary. i got an error instantly i might be doing something wrong. i will do more ttesting with that one.
i heard there was some uefi bios devrlopement going on with the htc one. it may be possibkr to incorporate some of there knowledge into this project. the boards have some similarities minus the processor cores ram and so on. i do know that msm8960 code is compattable with msm8260a htc8x and apq8064 htc one, dna, and ny fAvorite my ifc6410 qualcomm snapdragon 600 itx motjerboard.
if you have the uefi cab update for your htc8s i could eztract a dump of it for you and send it back.
@
compu829 said:
radio software version is 1.17b.32.19.14_15.62b.32.19
Firmware revision is 3030.0.34101.531
UEFI bootloader version is 0.0.3030.0(173542)
Chipset is the 8260A
Interestingly enough, in the about page is a spot that says "IMS: Not Registered"...I wonder if they are slipped in Wi-Fi calling support and didn't tell anyone?
from the HTC screen:
PM2322002 P S WP8 I
SBL1-303.000.R15
SBL2-303.000.110
SBL3-303.000.008
RPM-303.CRC.76B
TZ-303.000.241
UEFI-0.0.3030.0(173542)
OS-3.41.531.01
eMMC SMS 14910MB F-15
CID T-MOB010
Radio-1.17b.32.19.14_15.62b.32.19
MSM8260A v3.2.1-p1 0x707910e1
Krait:Nom Q6:Fast VDDCX:SLOW 0x30400
Touch FWS1:1195017,13106,41434467
Vdd_dig - 0.5v, 0x4
Click to expand...
Click to collapse
nice only difference is mine is nom slow. I have a a rom that is almost identical too. what i have found out is that some of the nbh htc windows phone 8 roms floating around out there are incorrectly labeled even the 512kb headers are wrong too. when tearing down and dissecting some of these. it seems as though the partitions change. for instance i have 2 identical extractions and on one change all permissions to alow remote users and any nt or network admin or authority to full control. let all the ruu files give 100% internet access through your firewall. now copy run the ruu in dependency walker and find all the files that the ruu is Depends on. most are in windows active sync installer the others are in you phone. and need to be extracted to and copied to the ruu folder. why am i telling you this? you probably know this being a senior member.
on that note. Ive noticed that the 8s and 8x are obviously different than legacy windows mobile mainly due to gpt guid partition format. within system files from my phone and 8x ruu i have found references to Leo, hd2, Shubert, startrek, Hermes, and a few others. which that lead me into researching how wm, wince, wp7 and ec2013 devices were built using Microsoft sdk's. from what i can see to the best of my knowledge is that newer platforms still use the some of the same source as older designs and even though bsp kits for older builds are not one click compatible with the ec2013, shuffle a few files around and match the folder structures & alter some lines of code for embedded compact and one will just have incorporated classic features into a brand new operating system. i do not believe Qualcomm or Microsoft are hiding easter eggs. my guess is it was all htc. ok so last year i bought an evo shift. yea yea funny haha. i was bored so i got this phone, unlocked it, raw dumped every partition and hex away. in the hboot 7630 build i found strings that referenced windows ce. i never took it any further than that. but i can see now that htc has sloppy source control. or they did this on purpose to see if anybody would catch on.
ok back to wp8. i will make this part quick. the wp8.1 sdk leaked emulator dump OEMprovisioning.exe app can be executed on x64 bit win8.1 desktop pc. strange. i found some registry keys and drivers that allows my phone to run applications in win32 compatibility mode. enough said. i still do not know how it and be incorporated into apps.
about wifi calling. mine says ims not registered too. i dont care on mine. its only purpose to be hacked.
i need to do some work on file write/read app. it some what works. start tiles disappear an it broke my wifi. i need to incorporate the app into a file manager maybe GoodDayToDie's webserver app.
Sent from my Galaxy Nexus using XDA Free mobile app
The above is way above my understanding but I have a 8X that I'm more than willing to test with. Let me know if you need some testing
utopiate said:
The above is way above my understanding but I have a 8X that I'm more than willing to test with. Let me know if you need some testing
Click to expand...
Click to collapse
kind of dangerous if you ask me. if your phone is already bricked and its just lying around as DEAD WEIGHT then whats the worst that could happen. let me throw some stuff together. what is theconditin of your phone?
Sent from my Galaxy Nexus using XDA Free mobile app
Its in fine working order running the dev preview and so a but buggy. I'm just about to get a new phone so I don't mind testing with it
try the hawaei w1 rom flashing method.
i found some registry keys that refrence simpleio.efi in the tmobile variant 8x
Sent from my Galaxy Nexus using XDA Free mobile app
Hi guys I have a Lenovo Tab2 A7-30F (16GB) that I rooted succesfully but ended up bootlooping when I tried swapping the recovery. I know I shouldve made a backup but I didnt however the tab will respond to SP Flash but not ADB or Fastboot.
Im only an intermediate user but Im starting to get to grips with Linux on my dualboot PC
I believe I've got 4 options available as the lady in my life brought me another Lenovo tab A7-20F (8GB) (succesfully rooted aswell kingroot swapped out for SU thanks to a guide found on your site)not quite the same model I know but as far as I can tell the only differences seems to be Capacity and recovery 30F had uk text in recovery 20F seems to be Chinese writing both from UK shops and have a Mediatek 8127 QC 1.3Ghz cpu
Available Resources
Win 10 & Ubuntu
Lenovo T2 A720F (Rooted Functional)
Various Lenovo Zips (but scatterfiles dont seem to be setup correct)
A730F Source code
SPFlash, MTK Droid tools, Android Studio
Me (guidance and education appreciated but by no means clueless) not afraid to go in at the deep end
OPTIONS
SP FLASH
Source Code
SD Card Boot
SP FLASH
1. I have found an update zip and Source code with a scatter file for the tab but the layout appears to be wrong but dont really understand HEX codes but the Partitions seems in the file maybe comparing and modifying the layout might make SP Flash happy with it
2. Scatter from A7-20 tried this option but unable to produce the scatter as its still complaining about root shell, Iv tried ADB insecure but doesnt seem to help (Im no expert so guidance would be appreciated. I am aware that id probably end up with half the capacity if this option would work for me)
Source Code
I got the source code of the lenovo site but being fairly new to linux not exactly sure how to turn it into usable images from what I gather repo and jackchain would be useful tools in that situation although I may of understood this wrong. Im willing to try this option as I do enjoy working with linux bot ubuntu and kali
SD Card Booting
Havent really looked into this method but stands to reason if I could get the tab to boot Iv got a chance of restoring the tab. Im quite happy to experiment maybe even adapt CWM or TKIP to the tab. I always find the best way to learn is from mistakes in the past Iv rooted android phones Samsung GS3 and had no difficulty, but this is the first time Iv found myself in this situation and feel that its fixable with the resources available.
Thanks in advance sorry for the essay.
Si
I would like to learn more about android as I have a keen interest with linux and would like to beable to maybe one day be competent enough to port apps maybe even create them. anyone with the time and knowledge to spare would get an extra xmas card this year
Did you find a solution? Mine is also only recognized by SP Flash Tool, but the tool wouldn't accept the scatter file from Stock ROM
Here is my Scatter, it is not recognized by any version of SP Flash Tool
Code:
############################################################################################################## General Setting #
PRELOADER 0x40000
MBR 0x0
EBR1 0x80000
PRO_INFO 0x100000
NVRAM 0x400000
PROTECT_F 0x900000
PROTECT_S 0x1300000
SECCFG 0x1d00000
UBOOT 0x1d20000
BOOTIMG 0x1d80000
RECOVERY 0x2d80000
SEC_RO 0x3d80000
MISC 0x4380000
LOGO 0x4400000
EXPDB 0x4700000
TEE1 0x5100000
TEE2 0x5600000
KB 0x5b00000
DKB 0x5c00000
ANDROID 0x5d00000
CACHE 0x65d00000
USRDATA 0x6db00000
Please help me, I wan't to see my tablet alive again.
Can no one help me?
i have the same problem
Lenovo TAB 2 A7-30 3G
is stuck on boot and restarting
how can i solve this problem
i cant find the proper rom>