Develop Bugs

Changing BootSplash

hello,
i am trying to change the bootsplash of my PDA and now i am stuck.
this is what i have done so far:
- i dumped the ROM (with pdocread)
- i managed to find the offset of the bootsplash image
- i got the password to enable writing to TrueFFS with pdocwrite -u
- i write the new image back to the rom with pdocwrite offset
- after soft/hardreset my changes are still there (i checked this with pdocread offset), so writing to DOC works and the offset is correct and no second image exists...
but... the original splash still appears
anybody able to tell me whats going wrong here?
thanks

modified/pached hpRUU.exe for ipaq hw6915.

modified/pached hpRUU.exe?
--------------------------------------------------------------------------------
i would like to know if somebody here already have patched or modified the original hpRUU.exe for the ipaq hw69xx series in order to allow uploading a different ROM-image(e.g different language etc.) to the device.
as far as i know it would be enough to disable the pre-check and jump directly to the start of the flashing routine itself.
i tried In each method this already by myself, but it seems it isn't as easy as i thought.
any help is appreciated...
In the appendix has HP iPAQ hw6900 Mobile Messenger Series ROM Update
BIOS from that link:
http://h20000.www2.hp.com/bizsuppor...18&mode=2&taskId=135&swItem=PSG_I23843-109104
1.download GSM BIOS from that link:
http://h20000.www2.hp.com/bizsuppor...sId=1822489&swLang=8&taskId=135&swEnvOID=2067
2.download all ROM BIOS from that link:
http://h20000.www2.hp.com/bizsuppor...18&mode=2&taskId=135&swItem=PSG_I23843-109104
my icq:381-821-742
my msn:[email protected]
Now,my ipaq hw6915 reatar On demonstrates NO GSM underneath the screen !
Under the picture was I has attempted a method, is not all good .
best regards,
Caoxt

What means do some people know to be possible backup GSM RADIO?
What means do some people know to be possible backup GSM RADIO?
caoxt said:
modified/pached hpRUU.exe?
--------------------------------------------------------------------------------
i would like to know if somebody here already have patched or modified the original hpRUU.exe for the ipaq hw69xx series in order to allow uploading a different ROM-image(e.g different language etc.) to the device.
as far as i know it would be enough to disable the pre-check and jump directly to the start of the flashing routine itself.
i tried In each method this already by myself, but it seems it isn't as easy as i thought.
any help is appreciated...
In the appendix has HP iPAQ hw6900 Mobile Messenger Series ROM Update
BIOS from that link:
http://h20000.www2.hp.com/bizsuppor...18&mode=2&taskId=135&swItem=PSG_I23843-109104
1.download GSM BIOS from that link:
http://h20000.www2.hp.com/bizsuppor...sId=1822489&swLang=8&taskId=135&swEnvOID=2067
2.download all ROM BIOS from that link:
http://h20000.www2.hp.com/bizsuppor...18&mode=2&taskId=135&swItem=PSG_I23843-109104
my icq:381-821-742
my msn:[email protected]
Now,my ipaq hw6915 reatar On demonstrates NO GSM underneath the screen !
Under the picture was I has attempted a method, is not all good .
best regards,
Caoxt
Click to expand...
Click to collapse

Continuation ......................
Continuation ...............

same here
I had same problem with sable_ruu.exe and even though I had
*correct* radio rom, it could not re-flash it after previous flash
failure

Has the warm-hearted person to solve the problem again .
Hi,Please look at here:
http://forum.xda-developers.com/showthread.php?t=353414

Recent clue, Similarly passes on 6915
Recent clue, Similarly passes on 6915
Specially orders reads to flash RADIO has the help:
password
set
erase
task
lw
rtask
The HP IPAQ 6515 uses the boot loader2 password to unlock the full help menu in the serial console interface. It does not allow access to more commands than before and simply shows help for more commands.
If you are interested in viewing the commands there are a couple of passwords that would unlock it depending on your exact 6515 model.
• BOOTLOADER
• BEETLES
• 0000000000000000 - (16 x 0s) password for level 1 which unlocks additional RUU functions
Personally, both BOOTLOADER and 0000000000000000 worked fine for me on a HP IPAQ 6515e and you can enter level 1 directly with 0000000000000000
USB>password BOOTLOADER
HTCSPass.<Y-HTCEUSB>password 0000000000000000
HTCSPass1.CM^EHTCEUSB>
If you typed the wrong password, you will get
USB>password 0000000000000000
HTCSInvalid password
Similarly passes on 6915 !
This is a use MTTY Connection of me exploring the IPAQ 6515e’s bootloader firmware
USB>? full
Available monitor commands are:
? [command] [full]
h [command] [full]
r [[register] [[=] [hex_value]]]
eb Addr
eh Addr
ew Addr
mb [StartAddr [Count [Filler]]]
mh [StartAddr [Count [Filler]]]
mw [StartAddr [Count [Filler]]]
string [Type [String]]
info [Type [Value]]
password [string]
l [path_name [startAddr offset ["cp"]]]
lnb nb-file [StartAddr [Length [SkipOffset ["cp"]]]]
ppdl [startAddr offset["cp"]]
s StartAddr Count Pattern...
map
cp reg# OPC_2 CRm [value]
stress [Type [Count(Hex)]]
d2s [StartAddr [Len [Type [Append[SkipStartAddr SkipLen]]]]]
s2d
set [Type [Value]]
task [Type [Value [Value1]]]
shmsg [Row [Col ["String"]]]
rbmc [FileName [StartAddr [Len]]]
erase [StartAddr [Len]]
wdata [StartAddr [Len]]
checksum [StartAddr [Len]]
prouter [PortID1[Baud1[PortID2[Baud2]]]]
lw [path_name [startAddr offset ["cp"]]]
rtask [Type [Value]]
rroute [UART Path1[Baud Rate1[UART Path2[Baud Rate2]]]]
USB>? set
Usage:
set [Type [Value]]
Set control flags.
Type(hex) : Control function types.
Value(hex) : Setting values for types.
If value is not given, default is 0.
Type 0(Echo on/off): 1(on) and 0(off).
Type 1(Operation mode): 1(auto) and 0(user).
Type 2(Back color on/off): 1(on) and 0(off).
Type 3(Inverse on/off): 1(on) and 0(off).
Type 4(Front color value): 16 bits data
Type 5(Background color value): 16 bits data
Type 6(Set color of screen): Fill color to whole screen one time.
Type 8(COMM queue flag): 0(TX_RX disable),1(RX enable),2(TX enable) and 3(TX_RX enable).
Type 1E(RUU command read/write flag): 1(unlock) and 0(lock).
Current flag settings:
Type 0(Echo flag): cEchoFlag=(0x1).
Type 1(Operation mode flag): cOpModeFlag=(0x0).
Type 2(Back color flag): cBackColorShowFlag=(0x1).
Type 3(Inverse flag): cShowInverseFlag=(0x0).
Type 4(Front color): g_wFColor=(0x0).
Type 5(Background color): g_wBColor=(0xFFFF).
Type 6(Set color of screen): None.
Type 8(COMM queue flag): g_cCommQueueFlag=(0x0).
Type 1E(RUU command read/write flag): g_cRUUCommandRWFlag=(0x0).
USB>? info
Usage:
info [Type [Value]]
Type(hex) 0: Get platform name(16 bytes) and [value](hex) is ignore.
Type(hex) 1: Get bootloader version(16 bytes) and [value](hex) is ignore.
Type(hex) 2: Get device CID(8 bytes CID with 8 bytes dummy data(0x20)) and [value](hex) is ignore.
USB>info 4
HTCS L?3?HTCE
USB>info 5
USB>info 0
BEETLES
USB>info 1
0.21
USB>info 2
USB>info 8
USB>? rtask
Usage:
rtask [Type [Value]]
Type(hex) 0: Reset radio and [value](hex) is ignore.
Type(hex) 1: Turn on radio, lease use type 3 and 4 instead.
Type(hex) 2: Turn off radio and [value](hex) is ignore.
Type(hex) 3: Run radio image and [value](hex) is ignore.
Type(hex) 4: Run radio bootloader and [value](hex) is ignore.
Type(hex) 7: Radio AT Command Debug.
Type(hex) 8: GSM trace route.
Type(hex) 9: Run radio external bootloader and [value](hex) is ignore.
Type(hex) A: Radio image flash by external bootloader and [value](hex) is ignore.
Type(hex) C: Select debug path.
Type(hex) D: Radio AT Command with GSM trace route.
Type(hex) 10: Set radio external boot UART mode(fast(1)/normal(0)).
USB>? task
Usage:
task [Type [Value [Value1]]]
Type,Value and Value1 are both DWORD(hex).
Value and Value1 are ignore in some case.
Type(hex) 0: Do hardware clear boot with delay time and [value](hex) is a delay time(unit is ms).
Type(hex) 7: Do flash ROM lock/unlock and [value]: 1(lock) and 0(unlock).
Type(hex) 8: Software reset with delay time and [value](hex) is a delay time(unit is ms).
Type(hex) 3C: Set terminal COM port baud rate.
Type(hex) 46: Force BT enter test mode.
USB>? lnbs
Usage:
lnbs nb-file [StartAddr [Length [SkipOffset ["cp"]]]]
Download nb file to ROM.
StartAddr : Start address for downloading(default=80000000).
Length : Length for downloading(default=FFFFFFFF).
SkipOffset : SkipOffset for downloading(default=00040000).
cp : Compare image with file data only.
USB>? d2s
Usage:
d2s [StartAddr [Len [Type [Append[SkipStartAddr SkipLen]]]]]
Backup memory to storage.
StartAddr : Start address for backup(0xA0040000).
Len : Length of memory will be backup. And if not given value, it will be
Total ROM size on board - ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)).
Type : Which storage(cf/sd) type will be selected(cf).
Append : Backup methods(a/).
SkipStartAddr : Start address of skip area(0x0).
SkipLen : Skip length(0x0).
Skip area must be less than or equal to one block size of flash.
Skip area must not over two blocks, must inside one block.
Nand flash: Skip area size need be page boundary.
Nor flash: Skip area size need be DWORD boundary.
DOC flash: Skip area size need equal to MBLOCKLEN(32kB).
USB>? s2d
Usage:
s2d
Restore memory from storage.
USB>? lw
The same as "l" command, but download to radio flash memory.
Usage:
lw [path_name [startAddr offset ["cp"]]]
Download BIN file across from serial/USB port.
Startaddr offset(MSB bit is a sign bit): Start address offset of every packet in bin file.
When 'cp' is given, it will just compare data of file with ROM image.
When path_name is not given, the file to be downloaded is determined
by ppfs on the host.
Otherwise, path_name on the host is downloaded regardless the ppfs setting.
The file must be in the format of BIN (preprocessed SRE).
USB>? password
Usage:
password [string]
Enter the password string to enable full help and command functions.
Enter the password string1 to enable some command functions related to RUU.
USB>rtask 8
GSM Trace Route.
Wait 2413 ms
USB>rtask 1
Please use type 3 and 4 instead.
USB>? task 32
Syntax error!
Usage:
? [command] [full]
Helps on command.
When no command is given, output a list of normal commands.
If "full" option used, display all commands(need password enable).
But if one command is given, It will show the command usage method.
USB>? erase
Usage:
erase [StartAddr [Len]]
Erase the contain of flash ROM.
StartAddr : Start address of ROM(default(hex)=A0040000).
Len : How many bytes will be erased(default(hex)=40000).
USB>rtask a
Radio image flash by external bootloader.
HTCS??6ú??HTCE
The IPAQ froze and I had to reboot the IPAQ before I could reconnect.
USB>password 0000000000000000
HTCSPass1.CM??HTCEUSB>? rtask
Usage:
rtask [Type [Value]]
Type(hex) 0: Reset radio and [value](hex) is ignore.
Type(hex) 1: Turn on radio, lease use type 3 and 4 instead.
Type(hex) 2: Turn off radio and [value](hex) is ignore.
Type(hex) 3: Run radio image and [value](hex) is ignore.
Type(hex) 4: Run radio bootloader and [value](hex) is ignore.
Type(hex) 7: Radio AT Command Debug.
Type(hex) 8: GSM trace route.
Type(hex) 9: Run radio external bootloader and [value](hex) is ignore.
Type(hex) A: Radio image flash by external bootloader and [value](hex) is ignore.
Type(hex) C: Select debug path.
Type(hex) D: Radio AT Command with GSM trace route.
Type(hex) 10: Set radio external boot UART mode(fast(1)/normal(0)).
USB>rtask a
Radio image flash by external bootloader.
2.12.00484830000EF23CB887AC20E08199E335&HTCE
Links
• HOWTO: Change serial number and model number for HP IPAQ 6515
• HP IPAQ 6515 Bootloader password
• HP IPAQ 6510 / 6515 dead GSM after failed Firmware upgrade
http://blogs.unbolt.net/index.php/brinley/2007/07/09/howto_change_serial_number_and_model_num_6515
http://blogs.unbolt.net/index.php/brinley/2007/08/12/hp_ipaq_6515_bootloader_password
http://blogs.unbolt.net/index.php/brinley/2007/07/31/ipaq_6515_dead_gsm_after_failed_firmware

Continuation.....................................

caoxt said:
Continuation.....................................
Click to expand...
Click to collapse
Here:http://forum.xda-developers.com/showthread.php?t=337975&page=10#91
http://forum.xda-developers.com/showthread.php?t=337975&page=10#99

i downloaded ipaq hw 69xx english_update_unit.zip into my ipaq hw6915 and the phone just went of showing just the hp logo, serial/usb and v g 39. pls what can i do to revive my phone. i will appreciate any assistaance. my mail box is [email protected]

Asus ABI Decompiler+Compiler (Updated 20090622)

This tool can be used to either decompile or compile ROMs for various Asus devices that used the ABI firmware format (Can also be used in O2 XDA Zest ). The current version can support P835 unencrypted ABI, and even encrypted ABI from updater EXE! Current finding is this tool also supports unreleased Garmin-Asus ROMs!
Thanks (Especially )Harshal and Leon in AsusPda for testing.
Usage:
- Decompiling ROM
1. p835abisplit2 <abi/exe file>
2. os.nb0 and extrom.img released (Only for Pre-P835 devices), os.nb0 cab be processed by imgfsfromnb or osnbtool, extrom.img can be processed by WinImage.
- Compiling ROM
1. First rename the new os.nb0 to os-new.nb0, and rename extrom.img to extrom-new.img (If the new files do not exist, then the compiler will use the parts from original ROM)
2. p835abisplit2 /b <abi/exe file>
3. out.abi releases, which can be used to flash directly (Only for Pre-P835 devices or Post-P835 devices with unencrypted ROM).
4. If you input the updater EXE to p835abisplit2, it will also produce out.exe with region locked patched which can be used to flash your new ROM directly on devices with any region!
- Note when building ROM
1. If you need to modify XIP, make sure the modded XIP is the same size as the original one before merging back to nb0, otherwise booting will fail
2. For Pre-P835 devices, current version can create big-storage ROMs with variable size of imgfs. If the new OS is smaller than the original one, the freed space will be allocated to user space (The left part as shown in Memory setting) after flashing. However the user space display will only reflect the change on second flash.
3. For Post-P835 devices, all partitions must be exactly same size with the original one (i.e. you need to pad the partition before putting it back), otherwise the device won't boot.
4. For Pre-P835 devices, you can modify ExtROM as you like, but not remove or rebuild the image file, otherwise you may get a brick! (Not able to enter bootloader)
Final Warning: Customizing a ROM always has risks, I won't be responsible for any damages lead to your custom ROM!
Release Notes:
v2.40:
- Added support for M930
v2.32:
- Support extraction of encrypted ABI file resource from P835 updater exe
- Support reconstruction of P835 updater exe
- When rebuild to exe, the produced out.exe is patched to install in devices of any region.
V2.20:
- Support extration and rebuilding of P835 ABI file (Note that not for ABI inside EXE)
- When rebuild with exe, OUT.EXE will be produced for direct flashing

starkwong said:
This tool can be used to either decompile or compile ROMs for various Asus devices that used the ABI firmware format (Can also be used in O2 XDA Zest ).
Thanks Harshal and Leon in AsusPda for testing.
Usage:
- Decompiling ROM
1. p565abisplit2 <abi/exe file>
2. os.nb0 and extrom.img released, os.nb0 cab be processed by imgfsfromnb or osnbtool, extrom.img can be processed by WinImage.
- Compiling ROM
1. First rename the new os.nb0 to os-new.nb0, and rename extrom.img to extrom-new.img (If the new files do not exist, then the compiler will use the parts from original ROM)
2. p565abisplit2 /b <abi/exe file>
3. out.abi releases, which can be used to flash directly.
- Note when building ROM
1. If you need to modify XIP, make sure the modded XIP is the same size as the original one before merging back to nb0, otherwise booting will fail
2. OS part doesn't need to be the same size as the original. If the new OS is smaller than the original one, the freed space will be allocated to user space (The left part as shown in Memory setting) after flashing. However the user space display will only reflect the change on second flash.
3. You can modify ExtROM as you like, but not remove or rebuild the image file, otherwise you may get a brick! (Not able to enter bootloader)
Final Warning: Customizing a ROM always has risks, I won't be responsible for any damages lead to your custom ROM!. Moreover, don't use it in P835 abi, it won't work
Click to expand...
Click to collapse
Nice we all waiting for it

Many Congrats for successfully ripping through the ROM !!
Partition offsets and checksums reported by the tool are :
Part #0002 sz:0003e000=>0003e000 cs:625f94b2=>625f94b2 of:000003a0=>000003a0
Part #0004 sz:00100000=>00100000 cs:ffe5f731=>ffe5f731 of:0003e3a0=>0003e3a0
Part #0103 sz:00452a8c=>00452a8c cs:99f65978=>99f65978 of:0013e3a0=>0013e3a0
Part #0104 sz:000fffc0=>000fffc0 cs:5e03943f=>5e03943f of:00590e2c=>00590e2c
Part #0005 sz:07e00000=>07e00000 cs:674f4072=>674f4072 of:00690dec=>00690dec
Part #0013 sz:00a00000=>00a00000 cs:56994bf9=>56994bf9 of:08490dec=>08490dec
I am a little scared to use this tool for following reasons :
1. Actually, the IMGFS & ExtROM offsets are '00690dfc' & '08490dfc' respectively.
2. Checksums( 674f4072, 56994bf9....) can not be located in the Header.
3. The Adler32 checksum for the ExtROM is '5ff94bfa', while your tool reports '56994bf9'.
Any clues ?

rishi2504 said:
Many Congrats for successfully ripping through the ROM !!
Partition offsets and checksums reported by the tool are :
Part #0002 sz:0003e000=>0003e000 cs:625f94b2=>625f94b2 of:000003a0=>000003a0
Part #0004 sz:00100000=>00100000 cs:ffe5f731=>ffe5f731 of:0003e3a0=>0003e3a0
Part #0103 sz:00452a8c=>00452a8c cs:99f65978=>99f65978 of:0013e3a0=>0013e3a0
Part #0104 sz:000fffc0=>000fffc0 cs:5e03943f=>5e03943f of:00590e2c=>00590e2c
Part #0005 sz:07e00000=>07e00000 cs:674f4072=>674f4072 of:00690dec=>00690dec
Part #0013 sz:00a00000=>00a00000 cs:56994bf9=>56994bf9 of:08490dec=>08490dec
I am a little scared to use this tool for following reasons :
1. Actually, the IMGFS & ExtROM offsets are '00690dfc' & '08490dfc' respectively.
2. Checksums( 674f4072, 56994bf9....) can not be located in the Header.
3. The Adler32 checksum for the ExtROM is '5ff94bfa', while your tool reports '56994bf9'.
Any clues ?
Click to expand...
Click to collapse
Tool works properrly.No harm is trying

starkwong, is there any tool to decompile P835's ROM in the same way?

New version posted.
rishi2504:
The image checksum is not calculated by plain Adler32, actually is uses the same formula as older Asus ROMs, however it is not a one-time calculation.
Checksums are inside header, given you decoded it correctly.

starkwong, here's what I get when trying to decompile a ROM:
Code:
v2.40 (Jun 16 2009 19:56:06)
ExtractABI(): Trying to load G5_ALL_V4.11.0_V3.6.12.P2_Ship_WWE_app_MYS00_V2.3.6.exe...
Module loaded, searching for BIN resource...
Found matching resource at BIN #211!
GetPartitions(): Getting Partition Information...
*** Encrypted ABI detected
ABI Version 0x00030012
Project Name: G5
Partition Type: 000f [email protected]
Partition Type: 000e [email protected]
Partition Type: 000e [email protected]
Partition Type: 0004 [email protected]
Partition Type: 0004 [email protected]
Partition Type: 000f [email protected]
Partition Type: 000f [email protected]
Partition Type: 0102 damage [email protected]
Partition Type: 0005 UnKnown [email protected]
Partition Type: 0002 [email protected]
Partition Type: 0003 [email protected]
ProcessABI(): Writing OS data...
* BIN(P835) Image Detected
Warning: OS.nb0/flash.bin is not a NB image, not modifying MSFLSH50 headers
ProcessABI(): No ExtROM partition found.
OK!
So it seems that partitions are not detected correctly, there's no os.nb0 at the output, and the flash.bin apperars to be of no use. Even when I found imgfs partition inside of it, there's still something wrong with it, e.g. bad start block offset, and everything else is also broken.
Can you help me with this?

In fact it is correct, as Asus uses B000FF image on P835, not a plain NB0 image.
You need to use osnbtool to get a nb0 with extra bytes, then use nbsplit -data 2048 -extra 8 to get a nb0 with sector size 0x800.

ginkage said:
starkwong, here's what I get when trying to decompile a ROM:
Code:
v2.40 (Jun 16 2009 19:56:06)
ExtractABI(): Trying to load G5_ALL_V4.11.0_V3.6.12.P2_Ship_WWE_app_MYS00_V2.3.6.exe...
Module loaded, searching for BIN resource...
Found matching resource at BIN #211!
GetPartitions(): Getting Partition Information...
*** Encrypted ABI detected
ABI Version 0x00030012
Project Name: G5
Partition Type: 000f [email protected]
Partition Type: 000e [email protected]
Partition Type: 000e [email protected]
Partition Type: 0004 [email protected]
Partition Type: 0004 [email protected]
Partition Type: 000f [email protected]
Partition Type: 000f [email protected]
Partition Type: 0102 damage [email protected]
Partition Type: 0005 UnKnown [email protected]
Partition Type: 0002 [email protected]
Partition Type: 0003 [email protected]
ProcessABI(): Writing OS data...
* BIN(P835) Image Detected
Warning: OS.nb0/flash.bin is not a NB image, not modifying MSFLSH50 headers
ProcessABI(): No ExtROM partition found.
OK!
So it seems that partitions are not detected correctly, there's no os.nb0 at the output, and the flash.bin apperars to be of no use. Even when I found imgfs partition inside of it, there's still something wrong with it, e.g. bad start block offset, and everything else is also broken.
Can you help me with this?
Click to expand...
Click to collapse
B000FF image cannot be modified without osnbtool or viewbin or cvrtbin tool..For Ext ROM there is no partition in the abi file which can b read as .nb0 Ext ROM is inside the OS and is not as a partition.So what the output u get from the tool is correct.Whatever ROMs u saw mine are from using the same tool
I hope this clarifies.

starkwong, Thank you so much, it worked perfectly!

Can't use this tool on my Asus M530w. Getting this message:
Copyright(C) 2009 Studio KUMA(starkwong). All rights reserved
v2.40 (Jun 16 2009 19:56:06)
ExtractABI(): Trying to load nk.abi...
Failed loading as module (193). Perhaps ABI?
Trying as ABI directly...
Creating file mapping...
GetPartitions(): Getting Partition Information...
Error: AES Key not suitable for this ROM

unencrypted vers encrypted
There is little bit mess in description.
If you will use unecrypted rom + p835abisplit2 you will get os.nb0.
With encrypted rom + p835abisplit2 you will get flash.bin.

starkwong said:
4. For Pre-P835 devices, you can modify ExtROM as you like, but not remove or rebuild the image file, otherwise you may get a brick! (Not able to enter bootloader)
Click to expand...
Click to collapse
Hi,
Can i add my own cab/xml files to this Ext_ROM, after removing the files not needed ?

rishi2504 said:
Hi,
Can i add my own cab/xml files to this Ext_ROM, after removing the files not needed ?
Click to expand...
Click to collapse
Don't bother dude , figured it out ...

Is there anyway I can extract the flash.bin file from a .abi file using this tool?
My P835 is unable to upgrade from the SD card with the .abi file on it.. so I wanted to extract the flash.bin and see if I can use the QPST tool to update the image with flash.bin file..

Sorry if I'm being stupid here (not unusual!). I'm trying to use this tool to get a .abi file out of O2's "Xda_Zest Firmware Update_V7.7.0S.WWE20.00_M4.6.5.P7_V2.1.4 GBR20.exe" so I can stick it on the SD card and flash the ROM, but of course I'm only ending up with the two files you mention, os.nb0 and extrom.img, no .ABI file. I can look in the extrom.img file with winrar, but the file only contains FINDMA~1.000 (300 bytes), 000dummy.001 (0 bytes) and _setup.xml (1205 bytes).
Plainly I'm thick - where am I going wrong, and how do I get the .ABI file?

[REF] bml* partition layout

LAYOUT MAPPING COMPLETE! THANKS EVERYONE!​
based on XXJF5 stock 2.1#1
256 KB -- bml1, contain boot.bin (262144 bytes), Primary Boot Loader (low-level hardware initialization)
256 KB -- bml2, contains PIT file first 512 bytes
10240 KB -- bml3 /dev/block/stl3 /efs
1280 KB -- bml4 contain Sbl.bin (1310720 bytes) Secondary Boot Loader (loads the Linux kernel and passes the necessary arguments)
1280KB -- bml5 contains Secondary Boot Loader (for recovery, ect)
5120KB -- bml6 param.lfs /mnt/.lfs j4fs
7680KB -- bml7 contain zImage and initramfs
7680KB -- bml8 empty
293376KB -- bml9 factoryfs.rfs ( /system RFS Partition) /dev/block/stl9
137216KB -- bml10 dbdata.rfs ( /dbdata RFS Partition) /dev/block/stl10
35840KB -- bml11 cache.rfs ( /cache RFS Partition) /dev/block/stl11
12800KB -- bml12 modem.bin

Hello husq510
Thanks for this infos, i'll follow this thread closely because i'm looking for the place where ServiceMode settings are stored.

anyone tried writing to the bml directly?

husq510 said:
bash-3.2# ls -al /dev/block/bml*
1280 KB -- bml4 kernel (zImage)
293376KB -- bml9 factoryfs.rfs ( /system RFS Partition)
Click to expand...
Click to collapse
interesting. so ive dd the bml4 and bml9 of optus australia stock 19000DTJF3. now anyone want to point me in the direction of creating an odin package out of it.

i whoner .... how can bml4 be the zImage? bml4=1.2MB, zImage=5.8MB ?? also if it should just contain the kernel without initram, it's still about 2.6MB? any idea?

jodue said:
i whoner .... how can bml4 be the zImage? bml4=1.2MB, zImage=5.8MB ?? also if it should just contain the kernel without initram, it's still about 2.6MB? any idea?
Click to expand...
Click to collapse
you are right, cant be. then kernel must be in some other bml place, seems bml7.
gandalf:~/Desktop/android/bml ackie$ grep "booting the kernel" *
Binary file bml7.dump matches
gandalf:~/Desktop/android/bml ackie$ hexdump -n 128 bml7.dump | grep "e1a0 0000 e1a0"
0000000 0000 e1a0 0000 e1a0 0000 e1a0 0000 e1a0
0000020 0002 ea00 [2818 016f] [0000 0000] [a510 005b] <- zimage magic number 0x016F2818, start at 0x0, end at 0x005b10a5
0000030 7001 e1a0 8002 e1a0 2000 e10f 0003 e312
0000040 0001 1a00 0017 e3a0 3456 ef12 2000 e10f
0000050 20c0 e382 f002 e121 0000 0000 0000 0000
0000060 00d0 e28f 307e e890 0001 e050 000a 0a00
0000070 5000 e085 6000 e086 c000 e08c 2000 e082
0000080
Offset into zImage Value Description
0x24 0x016F2818 Magic number used to identify this is an ARM Linux zImage
0x28 start address The address the zImage starts at
0x2C end address The address the zImage ends at
so if you start at 0x0 of bml7 and read untill offset inside 0x2c for XXJF5 is 0x005b10a5 you have your zImage.

husq510 said:
so if you start at 0x0 of bml7 and read untill offset inside 0x2c for XXJF5 is 0x005b10a5 you have your zImage.
Click to expand...
Click to collapse
so is it safe to assume after 0x005b10a5 is the ram disk?

Hello Folks.
I found some interesting bits in bml12.
"Service Mode" datas strings are in it, like show these example :
Code:
strings ./bml12 | grep Diamond
[SND] TurnON UtaAudioModifyHf(prev_Diamond_mode:0x%x)
`[SND]DiamondVoice_GetMode : path = 0x%x, Diamond_mode = 0x%x
`[SND]DiamondVoice_GetMode : Diamond_mode = 0x%x
[SND]DiamondVoiceTXcfgMSG
`[SND] DiamondVoice_RxInit : DiamondVoice_Mode_v = 0x%x
Diamond Solution
[9] Diamond Solution
[SND]DiamondVoice_Config : DiamondVoice_Mode_v = 0x%x, Diamond_mode= 0x%x
strings ./bml12 | grep DEBUG
MN_GPS_DEBUG_INFO_CNF
GPS_DEBUG_INFO_CNF
[1] DEBUG SCREEN
[2] DEBUG INFO
DEBUG INFO
DEBUG MSG 115200
DEBUG MSG SETTING FAIL
DEBUG MSG 921600
DEBUG MSG ON
DEBUG MSG OFF
AUDIO_LIB_DSP_DEBUG_GRP1
AUDIO_LIB_DSP_DEBUG_GRP2
AUDIO_LIB_DSP_DEBUG_GRP3
AUDIO_LIB_DSP_DEBUG_GRP4
AUDIO_LIB_DSP_DEBUG_GRP5
AUD_LIB_DSP_DEBUG
IPC_MISC_PHONE_DEBUG
IPC_MISC_DEBUG_LEVEL
IPC_SVC_DEBUG_DUMP
IPC_SVC_DEBUG_STRING

And I found my IMEI number in bml3
edit :
+ some MAC hardware address too (but not the Wifi one)
+ the HW Version : MP 0.800
I guess that bml3 is device-specific.
But I don't know if it's the source of specific values or just contains copy of hardware-related data.
In the first case, modifying bml3 would allow to change IMEI or other sensitive values ^^

nonato said:
so is it safe to assume after 0x005b10a5 is the ram disk?
Click to expand...
Click to collapse
nope, to extract the ram disk, u hv to find the magic number of gz and extract the gzip image out... i was able to get the directory listing of the ramdisk but not the content..
the other problem is after u get the ramdisk and do any modifications, u hv to reverse the process.. not an easy job but if anyone found a solution, please share.
anyone try writing to the bml directly? dd doesnt seem to work
anyway, its possible to extract the image and use odin to flash after tar but if can write to bml directly, clockworkmod can effectively backup/restore the kernel.. (just a thought)

raspdeep said:
nope, to extract the ram disk, u hv to find the magic number of gz and extract the gzip image out... i was able to get the directory listing of the ramdisk but not the content..
the other problem is after u get the ramdisk and do any modifications, u hv to reverse the process.. not an easy job but if anyone found a solution, please share.
anyone try writing to the bml directly? dd doesnt seem to work
anyway, its possible to extract the image and use odin to flash after tar but if can write to bml directly, clockworkmod can effectively backup/restore the kernel.. (just a thought)
Click to expand...
Click to collapse
No, you cant write directly to bml.
Data write to a sector involves following sequence of low-level flash operations:
1. Block copy for back-up
2. Block erase
3. Copy back for non-modified pages
4. Writing the sector data to the modified page
These sequences of operations are not atomic, so a write request to this block device driver is prone to data corruption. For this reason, read-only file systems such as CRAMFS are adequate to run on top of this block device driver.

use this small script to extract your current zImage:
offset=`dd if=/dev/block/bml7 bs=1 skip=44 count=4 2>/dev/null| hexdump -e '1/4 "%d"' -e '"\n"'`
echo $offset
dd if=/dev/block/bml7 bs=1 count=$offset of=/sdcard/zImage_backup

husq510 said:
use this small script to extract your current zImage:
Click to expand...
Click to collapse
nice, thanks for sharing that!

i just extracted initramfs from bml7, file attached, unzip and cpio -i
some file differs from leshak:
modules/dpram.ko
modules/multipdp.ko
modules/dhd.ko
modules/stgloc
initramfs/init.rc
.info/rootfs.info
default.prop
init.smdkc110.sh
sbin/recovery
sbin/init

how do u extract this?
gunzip -c initrd-cpio.zip | cpio -i does not work.. gave errors

how did you dump and make the zip file you have attached?
thanks,
husq510 said:
i just extracted initramfs from bml7, file attached, unzip and cpio -i
some file differs from leshak:
modules/dpram.ko
modules/multipdp.ko
modules/dhd.ko
modules/stgloc
initramfs/init.rc
.info/rootfs.info
default.prop
init.smdkc110.sh
sbin/recovery
sbin/init
Click to expand...
Click to collapse

raspdeep said:
how do u extract this?
gunzip -c initrd-cpio.zip | cpio -i does not work.. gave errors
Click to expand...
Click to collapse
[email protected] you have to use unzip instead gzip, cuz forum dislike .gz format, so I had to use standard zip.
mkdir initramfs
mv initrd-cpio.zip initramfs
cd initramfs
unzip initrd-cpio.zio
cat initrd.cpio | cpio -i --no-absolute-filenames

Hey, did somebody already tried to dump one or some bml partitions and restore them later ?
I guess this could be the ultimate backup tool.

I took a look into this and found that
bml2 : PIT file is here
bml5 : Sbl.bin is here
I opened it with a Hexeditor and compared with things from the firmware.
My device is running on JP3, froyo, at the moment.

thanks i will update first post. layout mapping is complete now!

[How to] Determine dd Parameters For All LG G4 Models

[How to] determine dd parameters for all LG G4 models
IMPORTANT:
Only for advanced users!
You are an advanced user if you know exactly what you are doing.
You are an advanced user if you know what to do if something went wrong.
You are NOT an advanced user if you know how to do copy+paste.
You can bring your smartphone into a state, so it no longer works.
I am not responsible for anything. The following instructions are only suggestions.
Hello,
everyone knows how to root the LG G4 with the "low effort root" method.
They copied the system partition to an ".img" file, rooted it and copied it back to the "system" partition.
Many users wonder how to get the right parameters for the "dd" commands.
Please read the complete guide and be sure that you understand it until you execute a command!
Information:
Code:
dd if=/inputfile bs=8192 count=12345 of=/outputfile
if = Input File
of = Output File
bs = Blocksize in bytes (default is 512 - to increase copy speed use multiple of 512 e.g. 8192)
count = how many blocks
skip = skip blocks before start reading
seek = skip blocks before start writing
more info: http://man7.org/linux/man-pages/man1/dd.1.html
There are different models of the LG G4 on the market.
We know that the system partition is different depending on the model of the G4.
As an example I will show you how to calculate the parameters for the LG G4 H815 (International Model).
What you need:
Windows with Send_Command.exe
Instructions:
At first we need to know where the "system" partition starts (first sector) and how big it is (partition size).
I used the first method to find these values. But I recommend the second method because it's easier.
First method (difficult method, extracting the GPT and using "gdisk" in linux to read the partition info)
What you need:
Linux with "gdisk" installed
Instructions:
Put your smartphone to "Download Mode" and connect it to the Send_Command.exe command prompt.
We need to copy the partition table to the internal storage.
The partition table of GPT (GUID Partition Table) has a size of 16384 bytes and starts at LBA2.
Each LBA has a size of 512 bytes. Because we start at LBA0 we need to add 1024 bytes.
In summary 16384 + 1024 = 17408 (bytes).
Execute the following command:
Code:
dd if=/dev/block/mmcblk0 bs=1 count=17408 of=/data/media/0/gpt_backup.img
Enter "LEAVE" to restart your phone.
You will find the (very small) file "gpt_backup.img" on your internal storage.
Switch to Linux:
Copy the file to your Linux and open the terminal. Then type this:
Code:
gdisk /yourpath/gpt_backup.img
Some warnings will occur. Ignore them.
You will see:
Code:
Command (? for help):
Enter "p" and hit "enter".
You will get a list of the partitions.
Scroll up a bit and check that you see:
"Logical sector size: 512 bytes"
Scroll down and look for the "system" partition.
You will find a line similar to this:
Code:
47 884736 9363455 4.0GiB FFFF system
Now you know the number of the "system" partition is "47".
You will see:
Code:
Command (? for help):
Type "i" and hit "enter".
You will be asked the partition number.
Enter it and hit "enter".
You will see something conatining lines similar to this:
Code:
First sector: 884736
Last sector: 9363455
Partition size: 8478720
Partition name: 'system'
We need the values from "First sector" and "Partition size".
Second method (easier method, just using "adb shell" to read the partition info)
What you need:
adb shell
usb debugging enabled
To get the "logical sector size" use:
cat /sys/block/mmcblk0/queue/logical_block_size
It should be 512
smason said:
To find in any smartphone the offset and the size of /system:
$ adb shell
[email protected]:/ $ ls -la /dev/block/bootdevice/by-name/system
ls -la /dev/block/bootdevice/by-name/system
lrwxrwxrwx root root 2015-01-02 10:50 system -> /dev/block/mmcblk0p47
[email protected]:/ $ cd /sys/block/mmcblk0/mmcblk0p47
cd /sys/block/mmcblk0/mmcblk0p47
[email protected]:/sys/block/mmcblk0/mmcblk0p47 $ cat start
cat start
884736
[email protected]:/sys/block/mmcblk0/mmcblk0p47 $ cat size
cat size
8478720
[email protected]:/sys/block/mmcblk0/mmcblk0p47 $
so:
offset = 512 * 884736 = 452984832
partition size = 512 * 8478720 = 4341104640
Cheers!
Click to expand...
Click to collapse
So "first sector" is the value from "cat start" (884736).
The "partiton size" is the value from "cat size" (8478720).
Now the mathematics (using the values from above):
Logical sector size = 512 (I never saw something different on LG G4 smartphones)
Assuming bs=8192
skip and seek: "First sector" * "Logical sector size" / bs
884736 * 512 / 8192 = 55296
count: "Partition size" * "Logical sector size" / bs
8478720 * 512 / 8192 = 529920
That was an example for the H815 (International Model).
Use your own values to calulate the "dd" parameters!
Back to Windows:
Put your smartphone to "Download Mode" and connect it to the Send_Command.exe command prompt.
Now you can copy your "system" partition to "system.img" with the following command:
Code:
dd if=/dev/block/mmcblk0 bs=8192 skip=55296 count=529920 of=/data/media/0/system.img
Replace the values with the ones you calculated for your model!
Now you could copy the "system.img" to your Linux and root it or do everything else you want.
Important: Do NOT delete the original "system.img" from your internal storage as long as you are not 100% sure your G4 is stable.
If your modifications don't work, you can copy back the original "system" partition (with "dd").
To copy the modified "system_changed.img" back to the "system" partition use the following command:
Code:
dd if=/data/media/0/system_changed.img bs=8192 seek=55296 count=529920 of=/dev/block/mmcblk0
Replace the values with the ones you calculated for your model!
Important: Be sure to use "skip" when reading and "seek" when writing.
The "dd" command should take about a minute.
Did the instructions help you?
Please give a "Thanks!"
Thank you

Hi,
thanks for this great post.
I just have one question. With your formulas and using 8K block size, I get a floating point number as result. So I used a block size of 4K instead, and I get an even number. This seems better to me so I went with it, as I believe smaller block sizes are always ok?
I'm just wondering one thing which seems not right to me. My system partition is reported to be 2.5GB:
Partition number (1-42): 39
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: A8725BAA-9E45-B2F8-8FA3-8C972F60F0CF
First sector: 836608 (at 408.5 MiB)
Last sector: 6074573 (at 2.9 GiB)
Partition size: 5237966 sectors (2.5 GiB)
Attribute flags: 1000000000000000
Partition name: 'system'
So with the formulas:
FACTOR 512 / 4096 = 0.125
skip and seek: "First sector" * "Logical sector size" / bs
836608 *FACTOR = 104576
count: "Partition size" * "Logical sector size" / bs
8478720 * FACTOR = 1059840
If I now run the dd command:
dd if=/dev/block/mmcblk0 bs=4096 skip=104576 count=1059840 of=/storage/external_SD/system.img
I get a file system.img which is 4096 MB. Should it not be 2.5GB as my original system partition?
If I use bs=512 (the default) and type
dd if=/dev/block/mmcblk0 bs=512 skip=836608 count=8478720 of=/storage/external_SD/system.img
I get a system.img of the right size (bit over 2.5GB).
I think the block size to use for "skip" is to be specified with the option ibs=XXX, not bs=XXX which only applies to "count" (according to man dd). I tried the ibs option, but the command then just doesn't work on Send_Command.exe. It doesn't even print an error but simply returns immediately.
Cheers
Jen

Hi,
which phone do you have?
Your calculation seems wrong. It's ok to use BS with 4k. I could be a bit slower then 8k, but that doesn't matter.
BUT: Look at your "count" value. Your partition size is 5237966. You used 8478720 (the value from my G4(H815EU) example). Thats wrong!!!
How to calculate with 1k and your values:
bs=1024
skip=836608*512/1024=418304
count=5237966*512/1024=2618983
Please check my calulation!!!
It's interesting, that the Send_Command shell has access to your external sd card...
I think the block size to use for "skip" is to be specified with the option ibs=XXX, not bs=XXX which only applies to "count" (according to man dd).
Click to expand...
Click to collapse
No. "bs" is the right parameter.
If you use "bs" it sets "ibs" and "obs" to the value of "bs".
Just do "dd --help" on a linux system for more details.

Hi Dominik,
oh my, how embarrassing I actually did take the wrong value from the example you posted. I used my value (the 5237966) for calculating the parameters with bs=8K, and got a floating value, so tried 4K instead... and the wrong value must have snug in. Oups.
I also get floating value on 4K now that you've pointed my mistake out:
5237966 * 512/4096= 654745.75
If I rounded this up, would this not mean that I copy a tiny bit of the next partition on the image? And if I then use the image to restore, would I not run the risk to damage something in the following partition?
Anyway, it's not a huge drama as I can just use bs=512 and it works.
Yes I have access to the SD card, the image also has copied there successfully. I was also surprised because I read in the forums that it's not possible.
I found it out with the "df" command, as the SD was listed there. I needed to use it because there's no room on my internal storage (it's a ridiculous 8GB on the LG H735) to store the image there.
My system partition is only 2.5GB so I don't think I have to reformat, but you are right it would be better to use ext4.

Ok
I removed my information about formatting the sd card.
You dont't have to format it. FAT32 is ok.
So you can use your sd card on systems which don't support ext4 too.

I have the LG G4S (H735). It's unusable without rooting as it only has 8GB internal memory. That's why I'm trying to root it now.

jen.magnolis said:
I have the LG G4S (H735). It's unusable without rooting as it only has 8GB internal memory. That's why I'm trying to root it now.
Click to expand...
Click to collapse
Ok, good luck.
Please open a new thread if you have questions about rooting your phone.
Or is there already one? Maybe these?
http://forum.xda-developers.com/g4/help/rooting-lg-h735-g4-beat-t3192491
http://forum.xda-developers.com/g4/general/lg-g4s-world-root-lg-devices-t3231759/page7
Oh. Just saw that you are already there

dominik-p said:
Ok, good luck.
Please open a new thread if you have questions about rooting your phone.
Or is there already one? Maybe these?
http://forum.xda-developers.com/g4/help/rooting-lg-h735-g4-beat-t3192491
http://forum.xda-developers.com/g4/general/lg-g4s-world-root-lg-devices-t3231759/page7
Oh. Just saw that you are already there
Click to expand...
Click to collapse
I just created a new thread too to focus on the particular problem I have:
http://forum.xda-developers.com/g4/general/rooting-lg-g4s-h735-t3243549

this guide helped in dumping boot and recovery partitions.
thank you very much sir! i successfully dumped my boot and recovery partition using dd in my mediatek device by following your guide.

sparksthedev said:
thank you very much sir! i successfully dumped my boot and recovery partition using dd in my mediatek device by following your guide.
Click to expand...
Click to collapse
Congratulations
Did you use the first (more komplex) oder the second method for your device?
I saw that you had problems in this thread:
http://forum.xda-developers.com/showthread.php?p=65907557#post65907557
And you wrote a guide for MTK devices here:
http://forum.xda-developers.com/general/general/guide-dumping-boot-img-recovery-img-t3339530
This doesn't work with the LG G4, but I think it will help many others.
Thank you

My sister asked me to root her phone. It seems more complicated than anything I did in the past (HTC Wildfire, Galaxy Core Plus, Xperia M4A).
I tried this tutorial and it kinda worked, but I can't mount image I got, so it's useless (image, not tutorial!).
Phone is LG-H736 (Beat). I got this result in gdisk:
Code:
Partition number (1-42): 39
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: A9520AE6-ABC6-F107-E8FE-B37C4C30CB77
First sector: 836608 (at 408.5 MiB)
Last sector: 6074573 (at 2.9 GiB)
Partition size: 5237966 sectors (2.5 GiB)
Attribute flags: 1000000000000000
Partition name: 'system'
The 8K bs gave me floating point result, so I used 0,5K.
So the dd command were:
Code:
dd if=/dev/block/mmcblk0 bs=512 skip=836608 count=5237966 of=/storage/external_SD/system.img
BTW, I had access to SDCard and I didn't need to open ports...
EDIT: I got the system.img. The problem was I haven't got enough space on SD card.
But now I bricked it...
https://forum.xda-developers.com/g4/help/softbricked-g4-beat-lg-h735-t3959237