Changing BootSplash - Upgrading, Modifying and Unlocking

hello,
i am trying to change the bootsplash of my PDA and now i am stuck.
this is what i have done so far:
- i dumped the ROM (with pdocread)
- i managed to find the offset of the bootsplash image
- i got the password to enable writing to TrueFFS with pdocwrite -u
- i write the new image back to the rom with pdocwrite offset
- after soft/hardreset my changes are still there (i checked this with pdocread offset), so writing to DOC works and the offset is correct and no second image exists...
but... the original splash still appears
anybody able to tell me whats going wrong here?
thanks


Flash ROM using SPL commands

In the Excalibur forum we are struggling to flash a file to a particular offset in NAND (samsung onedisk flash). The file is 4Mbyte and was dumped with bkondisk (by itsme). Deploying pof's ideas, I have patched Excalibur SPL which bypasses vendor/model and signature checking and raises security level to 0. Using this SPL the flash commands can be used w/o restrictions
A similar patched bootloader exists for Vox S710. That SPL includes same commands as the Excalibur SPL.
The SPL offers 2 commands to interactively flash files from MTTY: ls ("load signed"??) and lnbs ("load new binary signed"??)
Afaik the commands are invoked as:
Code:
lnbs [pathname [StartAddr [Length [SkipOffset ["cp"]]]]]
ls [pathname [StartAddr [Length [SkipOffset ["cp"]]]]]
The question is what format the files must have and how to figure out start address. I found some info in the Hermes Wiki. I also suggested Excalibur various tests:
1. The file test3.nbs in this case has a 0x20 byte header ("R000FF") which includes data blocksize and signature size and flag. But somehow it doesn't like the start address of which I also don't know how to figure it out for the various ROM parts. How was that done for Hermes? (reversing SPL or sniffing USB)
Code:
Cmd>lnbs test3.nbs 500a0000
clean up the image temp buffer at 0x8C080000 Length 0x03900000
MTTYDownloadImage "test3.nbs"
:F=test3.nbs
start download
S
HAddress A0000000h Length 0040034Dh
Start Address out of boundary
checking image header
2. The file test.nb w/o any header, just the 4MB binary file with no modifications
Code:
Cmd>ls test.nb 500a0000
clean up the image temp buffer at 0x8C080000 Length 0x03900000
MTTYDownloadImage "test.nb"
:F=test.nb
start download
S
HAddress A0000000h Length 00400000h
Start Address out of boundary
checking image header
3. The file test2.nbh with a full .nbh header and given type 0x300 (GSM Radio code, although the 4MB file also includes config and simlock data etc.). This was actually the most successful since it passed most tests in the SPL. So it seems a valid file, but it couldn't be confirmed that anything was flashed at all.
Code:
Cmd>lnbs test2.nbh 500a0000
clean up the image temp buffer at 0x8C080000 Length 0x03900000
MTTYDownloadImage "test2.nbh"
:F=test2.nbh
start download
S
HAddress 00000000h Length 0040054Dh
Start Address out of boundary
checking image header
First MTTY record empty
Image Download Finish... please check your image
Please reset the device to restart the program!!
DownloadImage success.
Can anyone with more knowledge about this subject please drop some feedback? Thx!
Cheers
JockyW
Edit: I totally forgot about the wdata command which is used by the official RUU. It can not be used interactively from MTTY, but it is possible to use it from self-written programs. I think the idea is that only signed .nbh files (which include ROM type information in the header) can be flashed using this command:
Code:
wdata length checksum
Once all data and the last signature (flag == 2) has been sent to SDRAM and all CRC and sig checks are passed the flashing process starts. The funny thing is that the help text of wdata suggests that also unsigned data can be flashed or be dropped at any memory location. Is this intentional deceiving by HTC ??
Code:
Cmd>wdata
Usage:
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
While flashing test2.nbh, the WLAN data isn't modified.
jockyw2001's question is very important to find our wi-fi back. plz help us! Thanks!
details about our problem and what we have done can be seen at http://forum.xda-developers.com/showthread.php?t=328690
jockyw2001
You may use method imei-check - they for flash of the area CID have changed address of the flash splash screen - hereinafter they form file nbh (consists only of splash screen) with necessary area CID.
arc said:
jockyw2001
You may use method imei-check - they for flash of the area CID have changed address of the flash splash screen - hereinafter they form file nbh (consists only of splash screen) with necessary area CID.
Ah great! You've got a link as well? Thx!
Hi jocky,
interesting thing..
why don't u try its utils for the above and check..
issue pdocread -l command and get the header and rom address.
then try with lnbs or ls command to flash back. From whatever I know, lnb and lnbs/ls command can b used when yr device is Super CID.
While flashing ROM, RUU issues set le 1 command and writes the ROM using wdata command. You can check these things with USB monitor
hdubli
The commands lnb and lnbs are different -
lnb - load the unsigned code.
lnbs - load signed code - has other structure and headline
hdubli said:
issue pdocread -l command and get the header and rom address.
then try with lnbs or ls command to flash back. From whatever I know, lnb and lnbs/ls command can b used when yr device is Super CID.
hi,
pdocread -l returns:
Code:
>pdocread.exe -l
58.82M (0x3ad1000) DSK1:
| 2.09M (0x217400) Part00
| 3.20M (0x333000) Part01
| 53.53M (0x3586800) Part02
59.31M (0x3b4f000) DSK2:
| 59.06M (0x3b0e800) Part00
...
You mean the values in parentheses?
On excalibur only signed data is accepted by ls or lnbs (dunno the difference between the two. Anyone?).
I disassembled spl and found the startaddress boundary check routine. In it I see the hardcoded nand address boundaries which have no resemblance whatsoever with pdocread.
I'm now checking arc's hint to patch splash screen flashroutine in same way as imei-check does it. I just hope I can use ls and lnbs (with USPL of course), since that would be far more comfortable

Asus ABI Decompiler+Compiler (Updated 20090622)

This tool can be used to either decompile or compile ROMs for various Asus devices that used the ABI firmware format (Can also be used in O2 XDA Zest ). The current version can support P835 unencrypted ABI, and even encrypted ABI from updater EXE! Current finding is this tool also supports unreleased Garmin-Asus ROMs!
Thanks (especially) Harshal and Leon in AsusPda for testing.
Usage:
- Decompiling ROM
1. p835abisplit2 <abi/exe file>
2. os.nb0 and extrom.img released (Only for Pre-P835 devices), os.nb0 can be processed by imgfsfromnb or osnbtool, extrom.img can be processed by WinImage.
- Compiling ROM
1. First rename the new os.nb0 to os-new.nb0, and rename extrom.img to extrom-new.img (If the new files do not exist, then the compiler will use the parts from original ROM)
2. p835abisplit2 /b <abi/exe file>
3. out.abi releases, which can be used to flash directly (Only for Pre-P835 devices or Post-P835 devices with unencrypted ROM).
4. If you input the updater EXE to p835abisplit2, it will also produce out.exe with region locked patched which can be used to flash your new ROM directly on devices with any region!
- Note when building ROM
1. If you need to modify XIP, make sure the modded XIP is the same size as the original one before merging back to nb0, otherwise booting will fail
2. For Pre-P835 devices, current version can create big-storage ROMs with variable size of imgfs. If the new OS is smaller than the original one, the freed space will be allocated to user space (The left part as shown in Memory setting) after flashing. However the user space display will only reflect the change on second flash.
3. For Post-P835 devices, all partitions must be exactly same size with the original one (i.e. you need to pad the partition before putting it back), otherwise the device won't boot.
4. For Pre-P835 devices, you can modify ExtROM as you like, but not remove or rebuild the image file, otherwise you may get a brick! (Not able to enter bootloader)
Final Warning: Customizing a ROM always has risks, I won't be responsible for any damages lead to your custom ROM!
Release Notes:
v2.40:
- Added support for M930
v2.32:
- Support extraction of encrypted ABI file resource from P835 updater exe
- Support reconstruction of P835 updater exe
- When rebuild to exe, the produced out.exe is patched to install in devices of any region.
V2.20:
- Support extraction and rebuilding of P835 ABI file (Note that not for ABI inside EXE)
- When rebuild with exe, OUT.EXE will be produced for direct flashing
starkwong said:
This tool can be used to either decompile or compile ROMs for various Asus devices that used the ABI firmware format (Can also be used in O2 XDA Zest ).
Thanks Harshal and Leon in AsusPda for testing.
Usage:
- Decompiling ROM
1. p565abisplit2 <abi/exe file>
2. os.nb0 and extrom.img released, os.nb0 can be processed by imgfsfromnb or osnbtool, extrom.img can be processed by WinImage.
- Compiling ROM
1. First rename the new os.nb0 to os-new.nb0, and rename extrom.img to extrom-new.img (If the new files do not exist, then the compiler will use the parts from original ROM)
2. p565abisplit2 /b <abi/exe file>
3. out.abi releases, which can be used to flash directly.
- Note when building ROM
1. If you need to modify XIP, make sure the modded XIP is the same size as the original one before merging back to nb0, otherwise booting will fail
2. OS part doesn't need to be the same size as the original. If the new OS is smaller than the original one, the freed space will be allocated to user space (The left part as shown in Memory setting) after flashing. However the user space display will only reflect the change on second flash.
3. You can modify ExtROM as you like, but not remove or rebuild the image file, otherwise you may get a brick! (Not able to enter bootloader)
Final Warning: Customizing a ROM always has risks, I won't be responsible for any damages lead to your custom ROM!. Moreover, don't use it in P835 abi, it won't work
Nice we all waiting for it
Many Congrats for successfully ripping through the ROM !!
Partition offsets and checksums reported by the tool are :
Part #0002 sz:0003e000=>0003e000 cs:625f94b2=>625f94b2 of:000003a0=>000003a0
Part #0004 sz:00100000=>00100000 cs:ffe5f731=>ffe5f731 of:0003e3a0=>0003e3a0
Part #0103 sz:00452a8c=>00452a8c cs:99f65978=>99f65978 of:0013e3a0=>0013e3a0
Part #0104 sz:000fffc0=>000fffc0 cs:5e03943f=>5e03943f of:00590e2c=>00590e2c
Part #0005 sz:07e00000=>07e00000 cs:674f4072=>674f4072 of:00690dec=>00690dec
Part #0013 sz:00a00000=>00a00000 cs:56994bf9=>56994bf9 of:08490dec=>08490dec
I am a little scared to use this tool for following reasons :
1. Actually, the IMGFS & ExtROM offsets are '00690dfc' & '08490dfc' respectively.
2. Checksums( 674f4072, 56994bf9....) can not be located in the Header.
3. The Adler32 checksum for the ExtROM is '5ff94bfa', while your tool reports '56994bf9'.
Any clues ?
rishi2504 said:
Many Congrats for successfully ripping through the ROM !!
Partition offsets and checksums reported by the tool are :
Part #0002 sz:0003e000=>0003e000 cs:625f94b2=>625f94b2 of:000003a0=>000003a0
Part #0004 sz:00100000=>00100000 cs:ffe5f731=>ffe5f731 of:0003e3a0=>0003e3a0
Part #0103 sz:00452a8c=>00452a8c cs:99f65978=>99f65978 of:0013e3a0=>0013e3a0
Part #0104 sz:000fffc0=>000fffc0 cs:5e03943f=>5e03943f of:00590e2c=>00590e2c
Part #0005 sz:07e00000=>07e00000 cs:674f4072=>674f4072 of:00690dec=>00690dec
Part #0013 sz:00a00000=>00a00000 cs:56994bf9=>56994bf9 of:08490dec=>08490dec
I am a little scared to use this tool for following reasons :
1. Actually, the IMGFS & ExtROM offsets are '00690dfc' & '08490dfc' respectively.
2. Checksums( 674f4072, 56994bf9....) can not be located in the Header.
3. The Adler32 checksum for the ExtROM is '5ff94bfa', while your tool reports '56994bf9'.
Any clues ?
Tool works properly. No harm in trying
starkwong, is there any tool to decompile P835's ROM in the same way?
New version posted.
rishi2504:
The image checksum is not calculated by plain Adler32, actually it uses the same formula as older Asus ROMs, however it is not a one-time calculation.
Checksums are inside header, given you decoded it correctly.
starkwong, here's what I get when trying to decompile a ROM:
Code:
v2.40 (Jun 16 2009 19:56:06)
ExtractABI(): Trying to load G5_ALL_V4.11.0_V3.6.12.P2_Ship_WWE_app_MYS00_V2.3.6.exe...
Module loaded, searching for BIN resource...
Found matching resource at BIN #211!
GetPartitions(): Getting Partition Information...
*** Encrypted ABI detected
ABI Version 0x00030012
Project Name: G5
Partition Type: 000f [email protected]
Partition Type: 000e [email protected]
Partition Type: 000e [email protected]
Partition Type: 0004 [email protected]
Partition Type: 0004 [email protected]
Partition Type: 000f [email protected]
Partition Type: 000f [email protected]
Partition Type: 0102 damage [email protected]
Partition Type: 0005 UnKnown [email protected]
Partition Type: 0002 [email protected]
Partition Type: 0003 [email protected]
ProcessABI(): Writing OS data...
* BIN(P835) Image Detected
Warning: OS.nb0/flash.bin is not a NB image, not modifying MSFLSH50 headers
ProcessABI(): No ExtROM partition found.
OK!
So it seems that partitions are not detected correctly, there's no os.nb0 at the output, and the flash.bin appears to be of no use. Even when I found imgfs partition inside of it, there's still something wrong with it, e.g. bad start block offset, and everything else is also broken.
Can you help me with this?
In fact it is correct, as Asus uses B000FF image on P835, not a plain NB0 image.
You need to use osnbtool to get a nb0 with extra bytes, then use nbsplit -data 2048 -extra 8 to get a nb0 with sector size 0x800.
ginkage said:
starkwong, here's what I get when trying to decompile a ROM:
Code:
v2.40 (Jun 16 2009 19:56:06)
ExtractABI(): Trying to load G5_ALL_V4.11.0_V3.6.12.P2_Ship_WWE_app_MYS00_V2.3.6.exe...
Module loaded, searching for BIN resource...
Found matching resource at BIN #211!
GetPartitions(): Getting Partition Information...
*** Encrypted ABI detected
ABI Version 0x00030012
Project Name: G5
Partition Type: 000f [email protected]
Partition Type: 000e [email protected]
Partition Type: 000e [email protected]
Partition Type: 0004 [email protected]
Partition Type: 0004 [email protected]
Partition Type: 000f [email protected]
Partition Type: 000f [email protected]
Partition Type: 0102 damage [email protected]
Partition Type: 0005 UnKnown [email protected]
Partition Type: 0002 [email protected]
Partition Type: 0003 [email protected]
ProcessABI(): Writing OS data...
* BIN(P835) Image Detected
Warning: OS.nb0/flash.bin is not a NB image, not modifying MSFLSH50 headers
ProcessABI(): No ExtROM partition found.
OK!
So it seems that partitions are not detected correctly, there's no os.nb0 at the output, and the flash.bin appears to be of no use. Even when I found imgfs partition inside of it, there's still something wrong with it, e.g. bad start block offset, and everything else is also broken.
Can you help me with this?
B000FF image cannot be modified without osnbtool or viewbin or cvrtbin tool. For Ext ROM there is no partition in the abi file which can b read as .nb0. Ext ROM is inside the OS and is not as a partition. So what the output u get from the tool is correct. Whatever ROMs u saw mine are from using the same tool
I hope this clarifies.
starkwong, Thank you so much, it worked perfectly!
Can't use this tool on my Asus M530w. Getting this message:
Copyright(C) 2009 Studio KUMA(starkwong). All rights reserved
v2.40 (Jun 16 2009 19:56:06)
ExtractABI(): Trying to load nk.abi...
Failed loading as module (193). Perhaps ABI?
Trying as ABI directly...
Creating file mapping...
GetPartitions(): Getting Partition Information...
Error: AES Key not suitable for this ROM
unencrypted vers encrypted
There is little bit mess in description.
If you will use unencrypted rom + p835abisplit2 you will get os.nb0.
With encrypted rom + p835abisplit2 you will get flash.bin.
starkwong said:
4. For Pre-P835 devices, you can modify ExtROM as you like, but not remove or rebuild the image file, otherwise you may get a brick! (Not able to enter bootloader)
Hi,
Can i add my own cab/xml files to this Ext_ROM, after removing the files not needed ?
rishi2504 said:
Hi,
Can i add my own cab/xml files to this Ext_ROM, after removing the files not needed ?
Don't bother dude , figured it out ...
Is there anyway I can extract the flash.bin file from a .abi file using this tool?
My P835 is unable to upgrade from the SD card with the .abi file on it.. so I wanted to extract the flash.bin and see if I can use the QPST tool to update the image with flash.bin file..
Sorry if I'm being stupid here (not unusual!). I'm trying to use this tool to get a .abi file out of O2's "Xda_Zest Firmware Update_V7.7.0S.WWE20.00_M4.6.5.P7_V2.1.4 GBR20.exe" so I can stick it on the SD card and flash the ROM, but of course I'm only ending up with the two files you mention, os.nb0 and extrom.img, no .ABI file. I can look in the extrom.img file with winrar, but the file only contains FINDMA~1.000 (300 bytes), 000dummy.001 (0 bytes) and _setup.xml (1205 bytes).
Plainly I'm thick - where am I going wrong, and how do I get the .ABI file?

[SOLVED] Need help getting s-ON

whats up guys, so i decided to unroot my g2 and i used this method to root it (http://forum.xda-developers.com/wik...sion#Rooting_the_Vision_.28G2.2FDZ.29_and_DHD) i guess i used the gfree method? and i tried doing the Returning to stock method on the same link. so i got to the part where i had to restore the partition 7 i did both methods of trying to restore the partition 7..but it resulted with error opening copied file..but i synced it anyway, still s-off....i need the s-on....but the phone does seem like its back to its original stock rom...i just need to have it s-on...any idea on how to turn it back on???? if i do the ota update would it make it turn back on, or would that just brick my phone?
C:\Users\Blah\Desktop\p>adb shell
# /data/local/tmp/gfree -s on -c T-MOB010
/data/local/tmp/gfree -s on -c T-MOB010
--secu_flag on set
--cid set. CID will be changed to: T-MOB010
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x00015398 (86936)
Section index for section name string table: 41
String table offset: 0x000151df (86495)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x000011cc (4556)
-- size: 0x000000c4 (196)
Kernel release: 2.6.32.17-g814e0a1
New .modinfo section size: 204
Attempting to power cycle eMMC... OK.
Write protect was successfully disabled.
Searching for mmc_blk_issue_rq symbol...
- Address: c02a8d44, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02a8000
Kernel memory mapped to 0x40002000
Searching for brq filter...
- Address: 0xc02a8d44 + 0x34c
- 0x2a000012 -> 0xea000012
Backing up current partition 7 and patching it...
Error opening copy file.
#
^---this is what happens when i try to put s-on with gfree way under the Returning to Stock on the wiki page. ( i tried both ways and the i have the same result of it saying "Error opening copy file." if anyone has encountered the same problem or have a solution for this, please it would be great, i need to get my g2 exchanged because the orientation/tilt sensor is busted...
*NVM I GOT IT*
Nvm i got it
Whatever you do, make sure you don't explain how you fixed it. That way, if someone else has the same problem in the future, you don't inadvertently help them.
futuremonkey said:
Whatever you do, make sure you don't explain how you fixed it. That way, if someone else has the same problem in the future, you don't inadvertently help them.
Tell it monkey! So sick of people doing that and wanting everyone to help, but then don't say what fixed it so the next person doesn't have to go through hell and back. Very selfish. This is a give and take community guys not just take take take.
Sent from my HTC Vision using XDA Premium App
uhhh, should i explain how i fixed it or what..no one even bothered trying to help me out anyway
YES PLEASE! I'm stuck with the exact same problem and I just can't figure it out.

Your own logo.img in param.lfs

Hello,
I wanna share some information about param.lfs. As some people I tried to study this file. I tried to port j4fs driver to linux, but with no success yet.
But I have something. For those ROM-makers who want to insert their own logo right in the file for flashing it as a part of a ROM you can do the following:
1. Prepare your jpeg file, process it through jpeg optimizer (like xat.com JPEG optimizer). Size must not exceed 3FD1(HEX), or 16337Bytes. 480x800, 72dpi
2. Load this file (jpeg) in a HEX editor (WinHex) and copy it as a block
3. Load param.lfs
4. Overwrite two blocks in param.lfs by your image (just paste block in overwrite mode). First one - from offset B4000, second one - from 7F000. To double check - overwritten blocks should start with FF D8
That's all. Tar param.lfs as it used to do: tar -H ustar -c param.lfs > param.tar
and flash it via odin as PDA, or add to firmware then. You will obtain your own logo.jpg and logo_kor.jpg in /mnt/.lfs
So, you don't need to use special scripts to change splash-screen (mount .lfs and copy your logo.img into it). It will work with any kernel. Even on stock firmware you may have your own bootlogo.
Caution: Be careful. If you make something wrong, phone won't boot, because param.lfs is used by bootloader. At least /mnt/.lfs will be empty.
You may have black screen. Anyway you will be able to enter in 3-button mode to flash stock param.lfs back.
Of course that won't change bootlogo with yellow triangle because it "resides" in sbl.bin and very dangerous to be changed.
P.S. I was going to write a patch script, but decided not to do that.
Cheers
As a newbie, I found that very interesting to read
Thank you
1.
My original logo is 18.100 bytes and wonder if 3BB0(HEX) limit is accurate :/ :\ - while $B4000-$7F000=217.088 bytes
2.
On my param.lfs image, I searched for "FFD8 FFE0" and found other position for the JFIF files
Complete signature seems to be
"FFD8 FFE0"
"0010 4A46 4946 0001" for "..JFIF.."
3.
Linux support for j4fs would be great
4.
I wanted to know how to deal such a special "behaviour" into param.lfs partition: we can create files but not overwritten files...
Code:
[alpha] adb shell
$ su
# mount -o remount,rw -t j4fs /dev/block/stl6 /mnt/.lfs
# mount | grep ".lfs"
/dev/block/mmcblk0p4 on /mnt/.lfs type j4fs (rw,relatime)
#
# cd /mnt/.lfs
# rm -f logo.jpg
rm: can't remove 'logo.jpg': Operation not permitted
# echo "1. Impossible to delete logo.jpg"
1. Impossible to delete logo.jpg
#
# cp /mnt/sdcard/logo.jpg /mnt/.lfs/logo0.jpg
# ls -l /mnt/.lfs/logo0.jpg
-rwxrwxrwx 1 root root 19524 Jan 1 1970 /mnt/.lfs/logo0.jpg
# echo "2. copy onto /mnt/.lfs/ is possible"
2. copy onto /mnt/.lfs/ is possible
#
# cp -f logo0.jpg logo.jpg
cp: can't create 'logo.jpg': File exists
# echo "3. copy onto logo.jpg is impossible"
3. copy onto logo.jpg is impossible
#
# chattr -i logo.jpg
chattr: reading flags on logo.jpg: Not a typewriter
# rm -f logo.jpg
rm: can't remove 'logo.jpg': Operation not permitted
# exit
$ exit
[alpha] echo "Really strange for a file system ?"
Really strange for a file system ?
Is there a simple way to delete logo.jpg ?
Ivan_Belarus said:
Caution: Be careful. If you make something wrong, phone won't boot, because param.lfs is used by bootloader. At least /mnt/.lfs will be empty. You may have black screen. Anyway you will be able to enter in 3-button mode to flash stock param.lfs back.
First of all, thanks for sharing the info.
I tried it, no dice. Seems B4000 in the param.lfs I'm using (KI8) isn't the beginning of a JPEG. Tried other addresses that start with FF D8, with and w/o Exif, to no avail. All I have is an empty .lfs folder (as you said) and a boot message saying "logo.jpg" draw failed, but it boots eventually.
What am I missing?
TIA
param.lfs I'm using: http://www.mediafire.com/file/jw0x36z04fvp4eg/param.lfs
EDIT:
Wow! It took me a couple of hours, but I've finally found it in that param.lfs (XWKI8)!!!
In XWKI8 logo.jpg starts @ 7D800. Don't go beyond the length of the file you have already (in XWKI8, +/-15K), otherwise you'll get the "draw failed" boot error and an empty /mnt/.lfs - in this case, just reflash the stock param.lfs and you'll be ok.
Works great! I can sleep now!
Once more, thx a bunch Ivan_Belarus for sharing the info!
cheers!!!
geekmarc said:
1.My original logo is 18.100 bytes and wonder if 3BB0(HEX) limit is accurate :/ :\ - while $B4000-$7F000=217.088 bytes
2.On my param.lfs image, I searched for "FFD8 FFE0" and found other position for the JFIF files
Complete signature seems to be
"FFD8 FFE0"
"0010 4A46 4946 0001" for "..JFIF.."
4.I wanted to know how to deal such a special "behaviour" into param.lfs partition: we can create files but not overwritten files...
Is there a simple way to delete logo.jpg ?
1. Wrong operation. I have given the offsets only: for logo.jpg and logo_kor.jpg. If you want full addressing they are: B4000-B7FCF. It comes to 3FCF+2=3FD1. The second one is: 7F000-839B2. It comes to 49B2+2=49B4. (I've written 3BB0 - sorry I looked at my own block size. Fixed)
2. Yep, the jpeg header is bigger than word FF D8. You can google for jpeg header. But main two bytes are FF D8. The end is marked by FF D9. There are many jpeg files inside. I provided offsets for two ones.
4. You may look at Init.V scripts of Siyah kernel for example (/sbin/siyah/imports.sh)- there you may find all the commands for replace logo.jpg
I attached my original param.lfs (unchanged). I used it without problems on KI8
Heh, I didn't compare different param.lfs but now I see that there are different builds of param.lfs (thnx to rizdroid). So, I guess we're able to locate quickly the required offsets via block sizes and names. We need to find two blocks of size 3FD1 (starts with FF D8, ends with FF D9) and 49B4. They will be logo.jpg and logo_kor.jpg images. Before these blocks (about -7E1) you can find text 'logo.jpg' and 'logo_kor.jpg' accordingly. Don't try to locate them only by name!
someone help me out here... im trying to do this for the galaxy nexus but whenever i open my param.lfs file in a hex editor all i get is 0's theres nothing in it
Ivan_Belarus said:
1. Wrong operation. I have given the offsets only: for logo.jpg and logo_kor.jpg. If you want full addressing they are: B4000-B7FCF. It comes to 3FCF+2=3FD1. The second one is: 7F000-839B2. It comes to 49B2+2=49B4. (I've written 3BB0 - sorry I looked at my own block size. Fixed)
2. Yep, the jpeg header is bigger than word FF D8. You can google for jpeg header. But main two bytes are FF D8. The end is marked by FF D9. There are many jpeg files inside. I provided offsets for two ones.
4. You may look at Init.V scripts of Siyah kernel for example (/sbin/siyah/imports.sh)- there you may find all the commands for replace logo.jpg
I attached my original param.lfs (unchanged). I used it without problems on KI8
Heh, I didn't compare different param.lfs but now I see that there are different builds of param.lfs (thnx to rizdroid). So, I guess we're able to locate quickly the required offsets via block sizes and names. We need to find two blocks of size 3FD1 (starts with FF D8, ends with FF D9) and 49B4. They will be logo.jpg and logo_kor.jpg images. Before these blocks (about -7E1) you can find text 'logo.jpg' and 'logo_kor.jpg' accordingly. Don't try to locate them only by name!
WOOOOOOOOOOOOOOOOOOO !!!!! YEAH !!!!!! :good::good::good::victory::victory::victory:
@Ivan_Belarus, Thank you very much for the guide and help !!!!!
I was stuck with that process of HEXing the param.lfs you provided because the image i made is SMALLER than 16337Bytes.
So I solved the "'logo.jpg' draw failed" problem I got ( because I changed only part of logo.jpg ) by filling "20" ( hex value ) all the cells between after my image FF D9 ( not included) and the original logo.jpg END ( FF D9 included ) as you wrote in your post: 1st jpg end is at B7FCF and the second is at 839B2.
I used the param.rar you provided.
To be clearer, for an example, let say I got this original param.lfs HEX segment:
Code:
FFD8FFE100184578EE55184D5331DA8831930800450007FFD9
But the image i want to implant is SMALLER , so it starts with "FFD8" and ends EARLIER with "FFD9" like:
Code:
FFD8FFE1008374597335734753745FFD9
So, I need to change param.lfs HEX segment so that it will include "20" after my image "FFD9":
Code:
FFD8FFE1008374597335734753745FFD9202020202020202020
About the need to TAR the param.lfs, because i'm on windows I used 7zip, so no need for linux of any sort.
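The size-based search Ivan_Belarus describes and the 0x20 padding described in the post above, as an added example that is not part of the original thread or any tool mentioned in it. The function names, the 0x1000-byte name window and the sample buffer are assumptions; the buffer is constructed and is not a real param.lfs.

```python
SOI = b"\xff\xd8"    # JPEG start-of-image marker
EOI = b"\xff\xd9"    # JPEG end-of-image marker
LOGO_SIZE = 0x3FD1   # logo.jpg block size quoted in the thread


def find_blocks_by_size(image: bytes, size: int) -> list[int]:
    """Offsets where a block starts with FF D8 and ends with FF D9 exactly
    `size` bytes later. Matching on size avoids trusting the first FF D9,
    which may belong to an embedded thumbnail or to unrelated data."""
    hits = []
    pos = image.find(SOI)
    while pos != -1:
        end = pos + size
        if end <= len(image) and image[end - 2:end] == EOI:
            hits.append(pos)
        pos = image.find(SOI, pos + 1)
    return hits


def name_precedes(image: bytes, offset: int, name: bytes,
                  window: int = 0x1000) -> bool:
    """True if `name` appears within `window` bytes before `offset`.
    The thread reports the name about 0x7E1 bytes before the block; the
    window width is an assumption. Use as a cross-check, not as the locator."""
    return name in image[max(0, offset - window):offset]


def pad_replacement(new_jpeg: bytes, slot_size: int, fill: int = 0x20) -> bytes:
    """Pad a smaller JPEG with 0x20 up to the original slot length,
    covering everything through the original FF D9."""
    if not (new_jpeg.startswith(SOI) and new_jpeg.endswith(EOI)):
        raise ValueError("replacement is not a complete JPEG (FF D8 ... FF D9)")
    if len(new_jpeg) > slot_size:
        raise ValueError("replacement is larger than the original block")
    return new_jpeg + bytes([fill]) * (slot_size - len(new_jpeg))


def patch_block(image: bytes, offset: int, slot_size: int,
                new_jpeg: bytes) -> bytes:
    """Return a copy of `image` with the block replaced in place.
    The total length and every byte outside the slot stay unchanged."""
    if image[offset:offset + 2] != SOI or offset + slot_size > len(image):
        raise ValueError("offset does not point at a JPEG block of that size")
    patched = (image[:offset]
               + pad_replacement(new_jpeg, slot_size)
               + image[offset + slot_size:])
    assert len(patched) == len(image)
    return patched


def make_sample() -> bytes:
    """Constructed stand-in for param.lfs: one 0x3FD1-byte JPEG-like block
    at 0x1000 with its name 0x7E1 bytes earlier, plus a smaller decoy."""
    buf = bytearray(0x8000)
    off = 0x1000
    buf[off - 0x7E1:off - 0x7E1 + 8] = b"logo.jpg"
    buf[off:off + LOGO_SIZE] = SOI + b"\xff\xe0" + bytes(LOGO_SIZE - 6) + EOI
    buf[0x6000:0x6100] = SOI + b"\xff\xe0" + bytes(0x100 - 6) + EOI
    return bytes(buf)


if __name__ == "__main__":
    img = make_sample()
    for off in find_blocks_by_size(img, LOGO_SIZE):
        print(hex(off), "name nearby:", name_precedes(img, off, b"logo.jpg"))
    small = SOI + b"\xff\xe0" + bytes(100) + EOI   # constructed replacement
    out = patch_block(img, 0x1000, LOGO_SIZE, small)
    print("length unchanged:", len(out) == len(img))
```

Running the search on an untouched stock image first, and comparing the patched file against it afterwards, confirms that only the intended slot changed.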
rizdroid said:
First of all, thanks for sharing the info.
I tried it, no dice. Seems B4000 in the param.lfs I'm using (KI8) isn't the beginning of a JPEG. Tried other addresses that start with FF D8, with and w/o Exif, to no avail. All I have is an empty .lfs folder (as you said) and a boot message saying "logo.jpg" draw failed, but it boots eventually.
What am I missing?
TIA
param.lfs I'm using: http://www.mediafire.com/file/jw0x36z04fvp4eg/param.lfs
EDIT:
Wow! It took me a couple of hours, but I've finally found it in that param.lfs (XWKI8)!!!
In XWKI8 logo.jpg starts @ 7D800. Don't go beyond the length of the file you have already (in XWKI8, +/-15K), otherwise you'll get the "draw failed" boot error and an empty /mnt/.lfs - in this case, just reflash the stock param.lfs and you'll be ok.
Works great! I can sleep now!
Once more, thx a bunch Ivan_Belarus for sharing the info!
cheers!!!
Sorry to resurrect a REALLY old thread, but how did you manage to flash PARAM partition. It is in my .pit file from heimdall, but when I flash the partition, I simply see the old bootscreen.
hackintosh5 said:
Sorry to resurrect a REALLY old thread, but (...) .
It is OK to ask questions even if the thread is sooo old
But unfortunately I can't help you.
Iluvatar2000 said:
It is OK to ask questions even if the thread is sooo old
But unfortunately I can't help you.
It's fine! Thanks for your time!

How to properly bypass bootloader lock ?

After following this guide, finally i can 'make fail' splash.img, but only stuck on penguin logo
I still can't understand how to 'append 4k block' properly, its mean editing pagesize or what ?
I have edited pagesize of recovery.img with higher value; 2048 to 131072 (unpack-repack recovery.img).
Please someone help me
Thanks to @xaacnz
ArbaniZain said:
After following this guide, finally i can 'make fail' splash.img, but only stuck on penguin logo
I still can't understand how to 'append 4k block' properly, its mean editing pagesize or what ?
I have edited pagesize of recovery.img with higher value; 2048 to 131072 (unpack-repack recovery.img).
Please someone help me
Thanks to @xaacnz
I have the same issue, editing splash.img worked i see penguin logo but stuck there.
PLEASE can you tell me what software you used to edit the images?
