[android]Tinboot - NAND BOOTLOADER BETA *working* - Tilt, TyTN II, MDA Vario III Android Development

Check out:
http://forum.xda-developers.com/showthread.php?t=625014
Download http://sourceforge.net/projects/androidhtc/files/
Confirmed working data; testing 3D now.
For newer builds this should work a lot better.
____________________________________________________________________
Tin boot has now been ported thanks to DZO.
Latest Builds [from me (22/1/10)]:
http://www.megaupload.com/?f=SA71F1MT
Quiet Builds (doesn't display kernel text):
http://www.megaupload.com/?f=04HIVHK7
The easiest way to test is to download this:
http://www.mediafire.com/?zldjhfnkzk2
and copy androidinstall.tar to your SD card before flashing.
Working:
Calls, Data, Camera
Not Working:
Bluetooth, wireless, Google audio search/dial
If you have a different panel type you can always change it after it has booted by running "echo 1 > /sys/module/board_htckaiser/parameters/panel_type" from adb or /init.
It currently doesn't seem to boot from a soft reset; just pull the battery to reboot.
**FLASH at your own risk**
Please remember to donate:
dzo donation link
Thanks also to:
rzk333
_____________________________________________________
After looking into dzo's code for tinboot it seems possible to port it to the Kaiser. Has anyone started porting it over?
I presume the initial steps should be mapping the Kaiser NAND, then expanding the kernel to boot and initialize the hardware correctly. Since I'm sure several people must be working on this, I thought a thread here would help maximize our efforts.
dzo would be grateful for any help you can offer.
Added link to tinboot code:
Tin boot git

Mainly for reference:
An example Vogue ROM payload MBR:
Part1: 0100 203f 0118 0200 0000 3e06 0000 0000
Part2: 0119 233f 0133 4006 0000 c006 0000 0000
Part3: 0134 253f 41d4 000d 0000 0068 0000 0000
Part4: 41d4 043f c13f 0075 0000 005b 0100 55aa
An example Kaiser ROM payload MBR:
Part1: 0100 203f 0100 0200 0000 3e00 0000 0000
Part2: 0101 233f 0116 4000 0000 8005 0000 0000
Part3: 0117 253f 81de c005 0000 00b2 0000 0000
Part4: 81df 043f 81a9 c0b7 0000 c0f2 0000 55aa
Tin Boot MBR:
Part1: 0100 233F 0118 0200 0000 be05 0000 0000 : LBA: 00000002 (2) Sectors: 05be(1470) FS:RAWFS
Part2: 0119 233f 0133 c005 0000 0000 0000 0000 : LBA: 000005c0 (1472) Sectors: 0000 (0) FS:RAWFS
Part3: 0134 253f 0134 c005 0000 4000 0000 0000 : LBA: 000005c0(1472) Sectors: 0040 (64) FS:IMGFS
Part4: 0135 043f c13f 0006 0000 0000 0000 55aa : LBA: 00000600(1536) Sectors: 0000 (0) FS:Unknown

First attempts have resulted in the phone just rebooting. Is anyone able to help with this?
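The rows above are easier to compare once decoded the way the Tin Boot rows were. The following is an added example, not code from the thread or from tinboot: it rebuilds the 16-byte partition entries from the rows and checks that the partitions are contiguous. It assumes the rows are 16-byte hexdump lines taken from offset 0x1C0 of the 512-byte MBR sector (so each row carries bytes 2..15 of one entry followed by the first two bytes of the next, and the last row ends in the 0x55AA signature), that a sector is 512 bytes, and that type 0x20 is the boot/XIP partition; the names for 0x23, 0x25 and 0x04 are the ones the decoder quoted above prints.

```python
"""Decode the WinCE-style MBR partition rows quoted in the thread.

Added example, not from the thread or the tinboot project. Assumptions:
each row is a 16-byte hexdump line starting at 0x1C0 of the 512-byte MBR
sector, so row k carries bytes 2..15 of partition entry k (entries live at
0x1BE + 16*k) followed by bytes 0..1 of entry k+1, or the 0x55AA signature
for the last row; a sector is 512 bytes.
"""
import struct

SECTOR_SIZE = 512

# Names as printed by the decoder quoted in the thread (0x23, 0x25, 0x04);
# 0x20 as the boot/XIP partition type is an assumption.
TYPE_NAMES = {0x20: "RAWFS (boot/XIP)", 0x23: "RAWFS", 0x25: "IMGFS", 0x04: "Unknown"}

# Rows copied from the thread.
VOGUE_ROWS = [
    "0100 203f 0118 0200 0000 3e06 0000 0000",
    "0119 233f 0133 4006 0000 c006 0000 0000",
    "0134 253f 41d4 000d 0000 0068 0000 0000",
    "41d4 043f c13f 0075 0000 005b 0100 55aa",
]
KAISER_ROWS = [
    "0100 203f 0100 0200 0000 3e00 0000 0000",
    "0101 233f 0116 4000 0000 8005 0000 0000",
    "0117 253f 81de c005 0000 00b2 0000 0000",
    "81df 043f 81a9 c0b7 0000 c0f2 0000 55aa",
]
TINBOOT_ROWS = [
    "0100 233F 0118 0200 0000 be05 0000 0000",
    "0119 233f 0133 c005 0000 0000 0000 0000",
    "0134 253f 0134 c005 0000 4000 0000 0000",
    "0135 043f c13f 0006 0000 0000 0000 55aa",
]


def rebuild_partition_table(rows):
    """Return the 64 bytes of the partition table as they sit at 0x1BE."""
    tail = bytes.fromhex("".join(r.replace(" ", "") for r in rows))
    if len(tail) != 64:
        raise ValueError("expected 4 rows of 16 bytes, got %d bytes" % len(tail))
    if tail[-2:] != b"\x55\xaa":
        raise ValueError("MBR signature 0x55AA missing at 0x1FE")
    # Bytes 0x1BE..0x1BF (status byte and CHS head of entry 0) are not in
    # the dump; they do not affect type, LBA or size, so zeros stand in.
    return b"\x00\x00" + tail[:62]


def parse_entries(rows):
    """Decode the four 16-byte entries: type at +4, LBA at +8, sectors at +12."""
    table = rebuild_partition_table(rows)
    entries = []
    for k in range(4):
        entry = table[16 * k:16 * k + 16]
        ptype = entry[4]
        lba, sectors = struct.unpack_from("<II", entry, 8)
        entries.append({
            "index": k + 1,
            "type": ptype,
            "name": TYPE_NAMES.get(ptype, "type 0x%02x" % ptype),
            "lba": lba,
            "sectors": sectors,
            "offset": lba * SECTOR_SIZE,
            "size": sectors * SECTOR_SIZE,
        })
    return entries


def check_layout(entries):
    """List gaps, overlaps and any partition that reaches into the MBR sector."""
    problems, expected = [], 1
    for e in entries:
        if e["lba"] < 1:
            problems.append("part%d overlaps the MBR sector" % e["index"])
        elif e["lba"] < expected:
            problems.append("part%d overlaps part%d" % (e["index"], e["index"] - 1))
        elif e["index"] > 1 and e["lba"] > expected:
            problems.append("gap of %d sectors before part%d" % (e["lba"] - expected, e["index"]))
        expected = e["lba"] + e["sectors"]
    return problems


def describe(rows):
    """One line per partition, in the style of the decoded Tin Boot rows."""
    lines = []
    for e in parse_entries(rows):
        lines.append("Part%d: LBA: %08x (%d) Sectors: %04x (%d) FS:%s" % (
            e["index"], e["lba"], e["lba"], e["sectors"], e["sectors"], e["name"]))
    return lines


if __name__ == "__main__":
    for label, rows in (("Vogue", VOGUE_ROWS), ("Kaiser", KAISER_ROWS), ("Tin Boot", TINBOOT_ROWS)):
        print(label)
        print("\n".join(describe(rows)))
        print("layout problems:", check_layout(parse_entries(rows)) or "none")
```

Run it as a script to print all three tables; on all three the partitions are back to back, which is why a payload that boots on the Vogue can be compared against the Kaiser one purely by LBA and sector count.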

Man, I would love to help but I have too many projects on my plate right now. I do really appreciate your efforts! I'm not sure I can beta test, as my Kaiser is my main phone...

Not even up to the stage of beta testing yet, just help with porting:
Code:
@
@ Tinboot V 1.0
@ Very simple bootloader for HTC Vogue
@ Martin Johnson - [email protected]
@
.equ MTYPE, 1553
.equ RAM_START, 0x10000000
.equ RAM_SIZE, 0x08000000
.equ INITRD_START, RAM_START+0x00800000
.equ KERNEL_OFFSET, 0x8000
.equ XIP_END, 0x2ff000
.org 0
b boot
.org 0x40
.word 0x43454345
.word romhdr+0x80000000 @ location of wince romhdr
.word romhdr
.org 0x100
tags: .word 5,0x54410001,1,0x1000,0 @ ATAG_CORE, pagesize=4K
.word 4,0x54410002,RAM_SIZE,RAM_START @ ATAG_MEM
.word 4,0x54420005,INITRD_START,fin-initrd @ ATAG_INITRD2
cmdline_start: .word (cmdline_end-cmdline_start)/4,0x54410009 @ ATAG_CMDLINE
.ifdef x428
.asciz "mddi.width=320 mddi.height=428 mtdparts=msm_nand:[email protected](boot),[email protected](root),[email protected](system),[email protected](userdata)"
.endif
.ifdef x480
.asciz "mddi.width=320 mddi.height=480 mtdparts=msm_nand:[email protected](boot),[email protected](root),[email protected](system),[email protected](userdata)"
.endif
.ifdef x320
.asciz "mddi.width=240 mddi.height=320 mtdparts=msm_nand:[email protected](boot),[email protected](root),[email protected](system),[email protected](userdata)"
.endif
.align
cmdline_end: .word 0,0 @ ATAG_END
.org 0x00001000
boot: ldr r0,initrd_ptr
ldr r3,fin_ptr
ldr r1,ird_start_ptr
copyinitrd: ldr r2,[r0],#4
str r2,[r1],#4
cmp r0,r3
blo copyinitrd
mov r0,#0
ldr r1,mtype
ldr r2,tags_addr
ldr pc,kernel_start
mtype: .word MTYPE
initrd_ptr: .word initrd+RAM_START
fin_ptr: .word fin+RAM_START
ird_start_ptr: .word INITRD_START
kernel_start: .word 0x10008000
tags_addr: .word 0x10000100
romhdr:
.word 0x0 @ dllfirst
.word 0x0 @ dlllast
.word 0x80000000 @ physfirst
.word 0x80000000+fin @ physlast
.word 0 @ num mods
.word 0x80000000+fin @ ramstart
.word 0x80000000 @ ramfree
.word 0x88000000 @ ramend
.word 0 @ copyentries
.word 0x80000000 @ copyoffset
.word 0 @ profilelen
.word 0 @ profileoffset
.word 0 @ numfiles
.word 0 @ flags
.word 0x20 @ fsrampercent
.word 0 @ drvglobstart
.word 0 @ drvgloblen
.word 0x201c2 @ cputype/flags
.word 0x80000000 @ pextensions
.word 0 @ trackingstart
.word 0 @ trackinglen
.org KERNEL_OFFSET
kernel:
.incbin "../arch/arm/boot/zImage"
initrd:
.incbin "../../bootenv/initrd-mini.gz"
.align
fin:
.org XIP_END-0x20000,0xff
.incbin "emptyimgfs"
@rootfs:
@.incbin "../../bootenv/rootfs.yaffs"
@.org rootfs + 0xd80000
I've checked the partition sizes and they should be OK for the Kaiser, so it must be something I'm missing in here?

I've checked the partition sizes and they should be OK for the Kaiser?
Check the bootloader log from mtty; it must say something like this:
Code:
OEMTranslateBaseAddress 23 80000000 80000000
IPLMSG:0x8:INFO: Loading image ...
IPLMSG:0x9:INFO: Jumping to image...
OEMLaunchImage 80000000
Jump to Physical Address 10300000
*Disconnect*
0x10300000 is your RAM_START;
0x00300000 is the shift from the Vogue addresses, which dzo caught from the logs.
All you need is to shift the RAM_START, kernel_start and tag_addr addresses in the bootloader and change MTYPE, then change the prompt to yang to make a capable NBH for the Kaiser.
I'm now working on tinboot for the Nike; it has similar hardware to the Kaiser. The kernel boots, but now stops on some rpc_call, but I think I can fix that.
Sorry for the bad English, and good luck with tinboot on the Kaiser.
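The `tags:` block in the tinboot source above is the ARM ATAG list the kernel reads at `tags_addr`, and the addresses that have to move together when RAM_START is shifted are exactly the ones computed from its constants. The following is an added example, not tinboot's own code: it builds the same five tags in Python, walks them back the way the kernel does, and derives the tags/kernel/initrd addresses for a given RAM_START (tags at +0x100, kernel at +0x8000, initrd at +0x800000, per the .org/.equ values in the source). The ATAG tag numbers are the standard Linux ones; the Kaiser RAM_START in the demo is the 0x10300000 from the mtty log above.

```python
"""Build and walk the ARM ATAG list that tinboot hands to the kernel.

Added example, not tinboot's own code. The tag numbers are the standard
Linux ATAG values; the list layout mirrors the `tags:` block in tinboot
(ATAG_CORE, ATAG_MEM, ATAG_INITRD2, ATAG_CMDLINE, ATAG_NONE) and the
offsets mirror its .equ/.org constants. The Kaiser RAM_START used in the
demo is the 0x10300000 from the mtty log in the thread.
"""
import struct

ATAG_NONE = 0x00000000
ATAG_CORE = 0x54410001
ATAG_MEM = 0x54410002
ATAG_INITRD2 = 0x54420005
ATAG_CMDLINE = 0x54410009
TAG_NAMES = {ATAG_CORE: "CORE", ATAG_MEM: "MEM",
             ATAG_INITRD2: "INITRD2", ATAG_CMDLINE: "CMDLINE"}

# Offsets relative to RAM_START, from tinboot: tags at .org 0x100,
# kernel at KERNEL_OFFSET 0x8000, INITRD_START = RAM_START + 0x00800000.
TAGS_OFFSET = 0x100
KERNEL_OFFSET = 0x8000
INITRD_OFFSET = 0x800000


def boot_addresses(ram_start):
    """The three addresses that must move together when RAM_START changes."""
    return {
        "tags_addr": ram_start + TAGS_OFFSET,
        "kernel_start": ram_start + KERNEL_OFFSET,
        "initrd_start": ram_start + INITRD_OFFSET,
    }


def build_atags(ram_start, ram_size, initrd_start, initrd_size, cmdline):
    """Serialise the list the way the tinboot `tags:` block lays it out."""
    out = bytearray()
    # ATAG_CORE: 5 words; flags bit 0 = read-only root, page size 4K, rootdev 0
    out += struct.pack("<5I", 5, ATAG_CORE, 1, 0x1000, 0)
    out += struct.pack("<4I", 4, ATAG_MEM, ram_size, ram_start)
    out += struct.pack("<4I", 4, ATAG_INITRD2, initrd_start, initrd_size)
    text = cmdline.encode("ascii") + b"\0"
    text += b"\0" * (-len(text) % 4)          # word-align, like the .align in tinboot
    out += struct.pack("<2I", 2 + len(text) // 4, ATAG_CMDLINE) + text
    out += struct.pack("<2I", 0, ATAG_NONE)   # terminator
    return bytes(out)


def parse_atags(blob):
    """Walk the list as the kernel does: first tag must be ATAG_CORE, stop at ATAG_NONE."""
    if len(blob) < 8 or struct.unpack_from("<2I", blob, 0)[1] != ATAG_CORE:
        raise ValueError("tag list must start with ATAG_CORE")
    tags, off = [], 0
    while True:
        if off + 8 > len(blob):
            raise ValueError("tag list is not terminated by ATAG_NONE")
        size, tag = struct.unpack_from("<2I", blob, off)
        if tag == ATAG_NONE:
            return tags
        if size < 2 or off + size * 4 > len(blob):
            raise ValueError("bad tag size %d at offset 0x%x" % (size, off))
        body = blob[off + 8:off + size * 4]
        if tag == ATAG_CORE:
            flags, pagesize, rootdev = struct.unpack("<3I", body)
            fields = {"flags": flags, "pagesize": pagesize, "rootdev": rootdev}
        elif tag == ATAG_MEM:
            mem_size, start = struct.unpack("<2I", body)
            fields = {"size": mem_size, "start": start}
        elif tag == ATAG_INITRD2:
            start, rd_size = struct.unpack("<2I", body)
            fields = {"start": start, "size": rd_size}
        elif tag == ATAG_CMDLINE:
            fields = {"cmdline": body.split(b"\0", 1)[0].decode("ascii")}
        else:
            fields = {"raw": body}
        tags.append((TAG_NAMES.get(tag, "0x%08x" % tag), fields))
        off += size * 4


def tinboot_list(ram_start, ram_size, initrd_size, cmdline):
    """The addresses and the tag list tinboot would place at tags_addr for RAM_START."""
    addr = boot_addresses(ram_start)
    return addr, build_atags(ram_start, ram_size, addr["initrd_start"], initrd_size, cmdline)


if __name__ == "__main__":
    for name, ram_start in (("Vogue", 0x10000000), ("Kaiser", 0x10300000)):
        addr, blob = tinboot_list(ram_start, 0x08000000, 0x1000, "mddi.width=320 mddi.height=428")
        print(name, {k: "0x%08x" % v for k, v in addr.items()})
        for tag, fields in parse_atags(blob):
            print("  ATAG_%s %s" % (tag, fields))
```

For RAM_START 0x10000000 the derived values are the 0x10000100 and 0x10008000 hard-coded as `tags_addr` and `kernel_start` in the source; for 0x10300000 they become 0x10300100 and 0x10308000. The parser rejects a list that does not begin with ATAG_CORE or that is not closed by ATAG_NONE, which is the same condition under which the kernel ignores the list and falls back to its compiled-in defaults.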

Wow, thanks for your help; I wouldn't have thought of looking there. Thanks.

rzk333 said:
Check the bootloader log from mtty; it must say something like this: [...] All you need is to shift the RAM_START, kernel_start and tag_addr addresses in the bootloader and change MTYPE, then change the prompt to yang to make a capable NBH for the Kaiser.
How did you find the tag_addr and kernel_start address for the Nike? Never mind, got it to boot up to the same RPC_Write error now, thank you.

Managed to get past the rpc_write error (commented it out); now I get an invalid root device, which I presume is a kernel driver problem. Thought you might want to know for the Nike? /kernel/drivers/ contains the error.

Now we must dump the whole NAND and find the partition table in it. There we must find the XIP start address; for the Vogue it is 0x1600000. We need this to map the NAND for this command from the cmdline:
Code:
mtdparts=msm_nand:[email protected](boot),[email protected](root),[email protected](system),[email protected](userdata)
This means: 3MB at 0x1600000 for the kernel, 13.5M for the rootfs at 0x01900000, and so on. Without that, the kernel will panic/freeze due to an inaccessible root device in memory.
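The `mtdparts=` string is what the kernel's cmdlinepart parser turns into the NAND partitions that the root device is looked up in, so a wrong offset is an "inaccessible root device" rather than a visible error. The following is an added example, not from the thread or from tinboot: it parses and builds such strings and checks the layout. It uses the two values stated above (3M at 0x1600000 for boot, 13.5M at 0x1900000 for root; 13.5M is 0xd80000, the same size the commented rootfs `.org` in the tinboot source uses). The 128K erase block is an assumption about this msm_nand, and the device size and the trailing `-(rest)` entry are constructed for the demo, not the real Kaiser/Vogue values. Sizes are integers with a K/M/G suffix because the kernel's memparse() takes no decimals, so 13.5M has to be written 13824K.

```python
"""Parse, build and sanity-check Linux `mtdparts=` NAND partition strings.

Added example, not from the thread or tinboot. It follows the kernel's
cmdlinepart syntax: mtdparts=<mtd-id>:<size>[@<offset>](<name>)[,...],
where size is an integer with an optional K/M/G suffix (the kernel's
memparse() takes no decimals, so "13.5M" must be written 13824K) or '-'
for the remainder of the device. The boot/root values are the ones stated
in the thread; ERASE_BLOCK (128K) is an assumption about this msm_nand,
and DEVICE_SIZE and the trailing "-(rest)" entry are constructed.
"""
import re

ERASE_BLOCK = 0x20000            # assumed erase block size
DEVICE_SIZE = 256 * 1024 ** 2    # constructed for the demo
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

NUMBER_RE = re.compile(r"(0[xX][0-9a-fA-F]+|\d+)([KkMmGg]?)")
PART_RE = re.compile(
    r"^(?P<size>-|(?:0[xX][0-9a-fA-F]+|\d+)[KkMmGg]?)"
    r"(?:@(?P<off>(?:0[xX][0-9a-fA-F]+|\d+)[KkMmGg]?))?"
    r"(?:\((?P<name>[^)]*)\))?(?P<flags>(?:ro|lk)*)$")

# The two partitions the thread gives numbers for.
VOGUE_BOOT = {"name": "boot", "offset": 0x1600000, "size": 3 * 1024 ** 2}
VOGUE_ROOT = {"name": "root", "offset": 0x1900000, "size": 0xd80000}   # 13.5 MiB

DEMO = "mtdparts=msm_nand:3M@0x1600000(boot),13824K@0x1900000(root),-(rest)"


def parse_number(text):
    """memparse()-style: decimal or 0x hex, optional K/M/G suffix, no decimals."""
    m = NUMBER_RE.fullmatch(text)
    if not m:
        raise ValueError("bad size %r: use an integer with K/M/G, e.g. 13824K" % text)
    digits = m.group(1)
    value = int(digits, 16) if digits.lower().startswith("0x") else int(digits, 10)
    return value * UNITS[m.group(2).upper()]


def parse_mtdparts(text, device_size):
    """Return (mtd_id, [{name, offset, size}]) with absolute byte values."""
    if text.startswith("mtdparts="):
        text = text[len("mtdparts="):]
    mtd_id, sep, defs = text.partition(":")
    if not sep or not defs:
        raise ValueError("expected <mtd-id>:<partdef>[,<partdef>]")
    parts, cursor = [], 0
    for partdef in defs.split(","):
        m = PART_RE.match(partdef)
        if not m:
            raise ValueError("cannot parse partdef %r" % partdef)
        offset = parse_number(m["off"]) if m["off"] else cursor   # no @: follows previous
        size = device_size - offset if m["size"] == "-" else parse_number(m["size"])
        parts.append({"name": m["name"] or "", "offset": offset, "size": size})
        cursor = offset + size
    return mtd_id, parts


def format_size(n):
    """Largest exact K/M/G unit, or plain bytes."""
    for suffix, unit in (("G", 1024 ** 3), ("M", 1024 ** 2), ("K", 1024)):
        if n and n % unit == 0:
            return "%d%s" % (n // unit, suffix)
    return str(n)


def build_mtdparts(mtd_id, parts):
    """Emit explicit size@offset for every partition so nothing depends on ordering."""
    defs = ["%s@0x%x(%s)" % (format_size(p["size"]), p["offset"], p["name"]) for p in parts]
    return "mtdparts=%s:%s" % (mtd_id, ",".join(defs))


def check_layout(parts, device_size, erase_block=ERASE_BLOCK):
    """Misaligned, overlapping or out-of-range partitions make the root device unreachable."""
    problems, end = [], 0
    for p in parts:
        if p["offset"] % erase_block or p["size"] % erase_block:
            problems.append("%s is not erase-block aligned" % p["name"])
        if p["offset"] < end:
            problems.append("%s overlaps the previous partition" % p["name"])
        if p["offset"] + p["size"] > device_size:
            problems.append("%s runs past the end of the device" % p["name"])
        end = p["offset"] + p["size"]
    return problems


if __name__ == "__main__":
    mtd_id, parts = parse_mtdparts(DEMO, DEVICE_SIZE)
    for p in parts:
        print("%-6s offset 0x%08x size 0x%08x" % (p["name"], p["offset"], p["size"]))
    print(build_mtdparts(mtd_id, parts[:2]))
    print("problems:", check_layout(parts, DEVICE_SIZE) or "none")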

Hello,
Great explanation. If you want, I have the possibility to flash my Kaiser's NAND.
Just write me and I will try your work and report on it.
Willou

I believe there is also a problem with:
Code:
.equ INITRD_START, RAM_START+0x00800000
It should load the initrd before trying to switch to the rootfs, and it doesn't?
Also, the partition data is stored in the generated output.nb.payload, so that should actually be the same as the starting point.

That's great news; I am able to do beta tests for you guys, as my Kaiser is my secondary phone nowadays. I am able to help troubleshoot and search for problems. PM me if you want my gtalk account.

Great initiative
Great initiative! I wish I was able to help, but unfortunately my abilities leave much to be desired, so all I am able to offer is words of encouragement...

It should load the initrd before trying to switch to the rootfs, and it doesn't?
Yup, the kernel skips it, because the initrd is at the wrong offset in the ROM; that is because RAM_START/NAND start are wrong, I guess.

Do you have the same problem on the nike?

Yes, everything is equal at this stage of loading the kernel, due to the same hardware. I have no progress right now.

Excellent work. I'm no expert by any means, but I'll see if I can at least help port the code over. Yet another bookmarked thread for the list.

Hi there, my Kaiser is just for personal tests (flashing, testing betas and Android).
I can help you with my phone, but I don't write any code... just for testing!
Sorry for my bad English, I'm French.

Excellent work.
Excellent work of dzo; thanks go to him.
tinboot repo updated with some changes related to the Kaiser; now the pointers are calculated dynamically and the Kaiser has its own compile script. NAND loading is turned off because we don't yet know the start address. This should help to get past the bug with the initrd.

Related

Can`t extract files from imgfs from HP iPaq 1950 ROM

Hi, all! Please help me to solve my problem.
Yesterday I tried to build a custom ROM image for my PDA and failed.
I made the following steps:
1. I made a backup of the existing ROM using mtty and an SD card. The result was a 29MB raw file.
2. I downloaded the latest ROM update from the HP site, extracted it and obtained the ceos.nbf file.
3. Next, I tried to use the prepare_imgfs and viewimgfs utilities with both files.
4. After using prepare_imgfs I got, as expected, the imgfs_raw_data.bin file.
5. But when I used viewimgfs, it couldn't find any data in that file! Here is its output:
Code:
guidBootSignature: F8 AC 2C 9D E3 D4 2B 4D BD 30 91 6E D8 4F 31 DC
dwFSVersion: 00000001
dwSectorsPerHeaderBlock: 00000001
dwRunsPerFileHeader: 00000001
dwBytesPerHeader: 00000034
dwChunksPerSector: 00000008
dwFirstHeaderBlockOffset: 00000200
dwDataBlockSize: 00001000
szCompressionType: LZX
dwFreeSectorCount: 00013620
dwHiddenSectorCount: 00000100
dwUpdateModeFlag: 00000000
Address: 00000200, dwBlockSignature: 00001D20
dwNextHeaderBlock: FFFBFFFF (size: FFFBFDFF)
Header type: 2F5314CE, Addr: 00000208
Unknown header type, FS_DATA_TABLE??
and more messages like that.
Can anyone tell me where the problem is?
PS: sorry for the terrible English
stanru1 said:
Hi, all! Please help me to solve my problem. [...] Can anyone tell me where the problem is?
I would like to know an answer for this too. Thanks.
I found a solution to extract files, but I couldn't find out how to pack it back...
To unpack files, you need:
1. the Perl interpreter
2. the script, which can be found at http://forum.wce.by/viewtopic.php?p=78923#78923
3. to replace the $A and $S variables with your values:
$A is the address of the beginning of the imgfs block. It can be found using WinHex and the F8AC2C9DE3D42B4DBD30916ED84F31DC signature. $S is the size of the imgfs block. It can be found with the signature E9FDFF. You must find the partition table and take 4 bytes as shown on the screenshot, in reverse order (00 C0 BD 00 -> 00BDC000).
For example, for the iPaq 1950 ROM taken from the HP update, the values are:
$I = "CEOS.nbf";
$O = "bigbrother.bin";
$A = 0x003BB55A;
$S = 0x0000BDC0;
After the Perl script finishes its work you can use the imgfsToDump or viewimgfs tools.
For this solution HUGE thanks to Gvr.
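Locating the imgfs block by its GUID and reading the boot sector fields that viewimgfs printed can be done in a few lines, which also gives a quick check on why a dump like the one above fails. The following is an added example, not from the thread, the linked Perl script or the imgfstools: it scans an image for the GUID, decodes the boot sector, and reports whether the hit is chunk-aligned and whether the first header block lies inside the file. The field order is the one viewimgfs prints; the field widths (16-byte GUID, 32-bit little-endian DWORDs, a 4-byte compression tag) are an assumption, and the sample image is constructed here rather than taken from a real ROM. The "4 bytes in reverse order" step for $S is the same little-endian read.

```python
"""Locate and parse an IMGFS boot sector in a raw WinCE ROM dump.

Added example, not from the thread, the linked Perl script or the
imgfstools. The field order is the one viewimgfs printed above; the
widths (16-byte GUID, little-endian DWORDs, a 4-byte compression tag)
are an assumption. The sample image is constructed here, not a real ROM.
"""
import struct

IMGFS_GUID = bytes.fromhex("F8AC2C9DE3D42B4DBD30916ED84F31DC")
BOOT_SECTOR = struct.Struct("<16s7I4s3I")
FIELDS = (
    "guidBootSignature", "dwFSVersion", "dwSectorsPerHeaderBlock",
    "dwRunsPerFileHeader", "dwBytesPerHeader", "dwChunksPerSector",
    "dwFirstHeaderBlockOffset", "dwDataBlockSize", "szCompressionType",
    "dwFreeSectorCount", "dwHiddenSectorCount", "dwUpdateModeFlag",
)


def find_imgfs(image, start=0):
    """Offset of the first IMGFS GUID at or after `start`, or None."""
    pos = image.find(IMGFS_GUID, start)
    return None if pos < 0 else pos


def parse_boot_sector(image, offset):
    """Decode the boot sector at `offset` into the fields viewimgfs shows."""
    if image[offset:offset + 16] != IMGFS_GUID:
        raise ValueError("no IMGFS GUID at 0x%x" % offset)
    if offset + BOOT_SECTOR.size > len(image):
        raise ValueError("boot sector at 0x%x is truncated" % offset)
    header = dict(zip(FIELDS, BOOT_SECTOR.unpack_from(image, offset)))
    header["szCompressionType"] = header["szCompressionType"].rstrip(b"\0").decode("ascii")
    return header


def describe(image, offset):
    """Checks worth running before handing a dump to viewimgfs or imgfsToDump."""
    header = parse_boot_sector(image, offset)
    chunk = header["dwDataBlockSize"] // header["dwChunksPerSector"]
    first_block = offset + header["dwFirstHeaderBlockOffset"]
    return {
        "compression": header["szCompressionType"],
        "chunk_size": chunk,
        # A GUID that is not chunk-aligned in the file usually means the
        # container format has not been stripped yet (the $A/$S step above).
        "aligned": offset % chunk == 0,
        "first_header_block": first_block,
        "first_header_block_in_image": first_block + chunk <= len(image),
    }


def partition_size_le(four_bytes):
    """The '4 bytes in reverse order' from the partition table is a little-endian DWORD."""
    return int.from_bytes(four_bytes, "little")


def make_sample(prefix_len, fill=b"\xff"):
    """Constructed image: filler, then a boot sector carrying the values viewimgfs printed."""
    sector = BOOT_SECTOR.pack(IMGFS_GUID, 1, 1, 1, 0x34, 8, 0x200, 0x1000, b"LZX\0",
                              0x13620, 0x100, 0)
    sector += fill * (512 - len(sector))
    return fill * prefix_len + sector + fill * 0x400


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample(0x400)
    offset = find_imgfs(image)
    if offset is None:
        print("no IMGFS boot sector found")
    else:
        print("IMGFS at 0x%x" % offset)
        for key, value in parse_boot_sector(image, offset).items():
            print("  %-26s %s" % (key, value.hex() if isinstance(value, bytes) else value))
        print(describe(image, offset))
```

Run it with the path of a raw dump to see where the GUID sits; with no argument it uses the constructed sample. The chunk size works out to 512 bytes for the values above (0x1000 / 8), so a GUID at an odd address such as 0x3BB55A is flagged as unaligned, which is the situation the Perl script is used to fix before viewimgfs is run.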
stanru1 said:
I found a solution to extract files, but I couldn't find out how to pack it back... [...] After the Perl script finishes its work you can use the imgfsToDump or viewimgfs tools.
Very nice, thanks.
If you find a way to repack it, it would be even better. I actually want to use this method for the hp1930. My problem is that there are no official updates for this model, so I have no shipped ROMs, only an SD image dump.
What type of image is the SD dump? .dnf or .bin (raw)?
I think it's a raw dump. In any case, the imgfs is the same on both images.
stanru1 said:
I think it's a raw dump. In any case, the imgfs is the same on both images.
Thanks again.
Any idea on how to get the start address and size from an SD image? I can't find those signatures in the dump.
Thanks
The signatures may differ in the case of a specific image. If you want, I could look at your file, if you upload your ROM to Rapidshare or a similar file-uploading service and give me the link.
stanru1 said:
The signatures may differ in the case of a specific image. If you want, I could look at your file, if you upload your ROM to Rapidshare or a similar file-uploading service and give me the link.
Thanks man,
I'm uploading to Rapidshare right now.
The image was created using a 64MB SD card, so the image size might be a bit longer.
Edit:
This is the link: http://rapidshare.com/files/25438977/1930.rar.html
Any updates on how to modify an SD image?

Serial cable instead of USB? UART...

As I'm new to Samsung handsets...
Has someone tried to play with a serial cable and Qualcomm tools like Memory Debug, for instance?
Download Mode does not allow USB Diag for Qualcomm... only the Samsung Modem is still alive in Download Mode. So the question is: with a serial cable, maybe there is a chance to dump something, if you can port it to UART...
Best Regards
I use a USB->serial TTL 3.3V converter with a 528K resistor on pins 4-5 for outputting diag messages. And you need a JIG with a 301K resistor for entering download mode.
http://forum.xda-developers.com/showpost.php?p=12689198&postcount=181
Thanks for this info, but too difficult for me to understand.
Please help me to make such a cable for research... or maybe there are existing cables to buy?
I need something like this:
http://www.badanation.de/topic.php?t=1616&page=fst_unread&highlight=widerstand
Such pictures would be nice:
http://h-3.abload.de/img/p1000660eei7.jpg
I need the FULL pinout please for the S8500.
Thanks in advance.
Best Regards
You mean the cable/plug to enter download mode? You can buy it. For example, in Poland I can buy this for 12 zlotys = 3 euro + delivery costs.
I found that for the Galaxy S, but it is possible this is the same:
forum.xda-developers.com/showthread.php?t=819551
I "need" an alternate cable for communication between the PC and the S8500.
Also a FULL pinout is welcome.
Best Regards
http://forum.xda-developers.com/showthread.php?t=820275
Here there seem to be a few infos... maybe it also works for the S8500.
Best Regards
After I saw the successful log from srg.mstr.
Thank you very much.
http://forum.xda-developers.com/showpost.php?p=13426392&postcount=183
Less than 1 Euro for the male connector:
http://www.conrad.de/ce/de/product/733923/MICRO-USB-STECKER-TYP-B-5POL/SHOP_AREA_40306
So I will buy a few connectors...
Now I will make a checklist for other parts and prices, as I have no cables at home to cut...
Best Regards
TX <--> pin 2
RX <--> pin 3
GND <--> pin 5
resistor between pins 4 <--> 5
http://forum.xda-developers.com/showpost.php?p=13293404&postcount=174
Will try to make such a cable this year... in 2013, really.
Checklist...
http://www.conrad.de/ce/de/product/...Kabelmontage-ohne-Gehaeuse-BKL-Electronic-Inh
Best Regards
Will try to make such a cable this year...
Oops, only 2 months left... but I have found another way for the boot log...
via JTAG RAM dump... something above 0x40000000...
Looks like this:
http://forum.xda-developers.com/showpost.php?p=47037737&postcount=34
Best Regards
2013 is soon over... but Mission UART is not over...
New attempt... for 2014...
It seems that now "cheap" USB stuff is available... based on the PL2303... symbolic photo attached...
According to this pic...
http://forum.xda-developers.com/showpost.php?p=13426392&postcount=183
The other idea is to solder directly to RX, TX and GND on the PCB... instead of the resistor...
Maybe...
Best Regards
Short test with 3 wires soldered directly to RX, TX and ground under the battery/label...
Hmm... the first test failed with WinComm... maybe my settings are wrong; will try another tool for logging...
Best Regards
Btw...
Never seen an S5250 or S8600 user trying to capture data over UART...
:silly:
Code:
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] FSR_PAM_InitNANDController Success!!
[PAM: ] --FSR_PAM_Init
[BM : ] FSR_BML_GetFullPartI() is completed
[BM : ] stPartI.nNumOfPartEntry : 7
[BM : ] 1th PartEntrt(nAttr:0x1002)(nID:0x0)
[BM : ] [1th] pPEntry->n1stVun : 1
[BM : ] [1th] pPEntry->nNumOfUnits : 7
[BM : ] [1th] pPEntry->nLoadAddr : 0x0
+-------------------------------+
| Bootloader Shadowing FINISHED |
+-------------------------------+
Launch Image at 0x42480000
[BOOT_V1.0 (May 28 2010, 21:22:23)]
SelectBootingMode: H/W...0xe.
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,DSYSPCLK: 83375 KHz,PSYSHCLK: 133400 KHz, PSYSPCLK: 66700 KHz,SYSCON_A2M: 200000 KHz
+++FIMD_Drv_INITIALIZE
FIMD_Drv_ChangeMode: MDNIE_MODE
Frame Rate:62 SCLK_FIMD:133400 kHz ClkDiv:4
S6E63M0 : LDI_Pentile_Set_Change Pentile_Value =6c
---FIMD_Drv_INITIALIZE
---FIMD_Drv_SetWinOnOff(WIN4:1)
LCD initialize Finished
Flash_Unlock failed
Poweron status - c0
FSA9480 0x03 Register = 0
FSA9480 0x0A Register = 0
FSA9480 0x0B Register = 0
FSA9480 0x07 Register = 1f
Used WinComm as the tool...
Stupid me, I did not realize that TX connects to RX and RX to TX... :cyclops:
Best Regards
Code:
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] FSR_PAM_InitNANDController Success!!
[PAM: ] --FSR_PAM_Init
bl3_info_block 1 and 2 not found, Load BL3
+-------------------------------+
| Bootloader Shadowing FINISHED |
+-------------------------------+
Launch Image at 0x42080000
[BOOT_V1.0 (Jan 5 2012, 19:08:14)]
SelectBootingMode: H/W...0xe.
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,DSYSPCLK: 83375 KHz,PSYSHCLK: 133400 KHz, PSYSPCLK: 66700 KHz,SYSCON_A2M: 200000 KHz
+++FIMD_Drv_INITIALIZE
FIMD_Drv_ChangeMode: MDNIE_MODE
Frame Rate:62 SCLK_FIMD:133400 kHz ClkDiv:4
S6E63M0 : LDI_Pentile_Set_Change Pentile_Value =6c
---FIMD_Drv_INITIALIZE
---FIMD_Drv_SetWinOnOff(WIN4:1)
LCD initialize Finished
Flash_Unlock failed
Poweron status - 0
FSA9480 0x03 Register = 0
FSA9480 0x0A Register = 4
FSA9480 0x0B Register = 0
FSA9480 0x07 Register = 1f
Display_LSI_Boot : disp_Main_Clean
Display_LSI_Boot : disp_Main_Clean_All
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_dimming_backlight
LDI_S6E63M0_Set_Brightness is Return (Level: 1)
Display_LSI_Boot : disp_dimming_backlight
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
+SDHC_Open(Ch0)
univ_SD_MEM_PowerOnDevice() : Power On
univ_SD_MEM_PowerOnDevice(ch0) : MASSMEMORY_EN Power On
[SDHC] MPLL source clock from SYSCON : 667000000Hz
[SDHC] SDHC(ch0) source clock from SYSCON : 47642000Hz
[SDHC] SDHC(ch0) Operating Clock : 372203Hz
[SDHC][MMC]byte mode
SD_MEM_Phy_CMD2(ch0) : CID(127~0) : 0x150100, 0x4d324731, 0x44441655, 0x3c7886d
SD_MEM_Phy_Check_moviNAND_Version(ch0) : PRV - 0x16
MMC_Spec = 4
----------------CSD Version 1.0--------in low level-------------
channel: [0]
One Block Size: [512]Byte
Total card Block Count = [4014080]
Total card Capacity Size = [1960]MB
---------------------------------------------------
SD_HostCtrl_IssueCommand[ch0] not SDclk off, cmd13, SD_CLK_CTRL:0x400f
SD_MEM_Phy_TransferState(ch0) :High: Tx : SD_FeedBackClock_BasicDelay
SD_MEM_Phy_TransferState(ch0) :High: Rx : SD_FeedBackClock_InverterDelay
[SDHC] MPLL source clock from SYSCON : 667000000Hz
[SDHC] SDHC(ch0) source clock from SYSCON : 47642000Hz
[SDHC] SDHC(ch0) Operating Clock : 47642000Hz
SD_HostCtrl_IssueCommand[ch0] not SDclk off, cmd13, SD_CLK_CTRL:0xf
SD_HostCtrl_IssueCommand[ch0] not SDclk off, cmd13, SD_CLK_CTRL:0xf
-SDHC_Open(Ch0)
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
DRV_modem_reset!!!!!!!!!!!!!!!!!
DRV_Send_DBL!!!!!!!!!!!!!!!!!
[DLOAD] Download Completed !!!
DRV_Wait_ModemInit!!!!!!!!!!!!!!!!!
DRV_CopyQSCBootBinary!!!!!!!!!!!!!!!!!
DRV_Send_BootBinaryCopyComplete!!!!!!!!!!!!!!!!!
DRV_Modem_BootingStart retry count = 0.
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Display_LSI_Boot : disp_Main_Dload_Update
Display_LSI_Boot : disp_Main_Dload_Message
Uncompressing Linux... done, booting the kernel.
<6>Initializing cgroup subsys cpu
<5>Linux version 3.0.86-g5b25f8d ([email protected]) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #1 PREEMPT Tue Nov 5 22:35:53 CET 2013
CPU: ARMv7 Processor [412fc082] revision 2 (ARMv7), cr=10c53c7d
CPU: VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: wave
Memory policy: ECC disabled, Data cache writeback
CPU S5PV210/S5PC110 (id 0x43110222)
<7>s5pv210_init_clocks: initializing clocks
<6>S3C24XX Clocks, Copyright 2004 Simtec Electronics
<4>s3c24xx_register_clock: new clock sclk_csis, id -1, dev (null) uses same enable bit as mout_csis, id -1, dev (null)
<4>s3c24xx_register_clock: new clock lcd, id -1, dev (null) uses same enable bit as sclk_fimd, id -1, dev (null)
<4>s3c24xx_register_clock: new clock mfc, id -1, dev (null) uses same enable bit as sclk_mfc, id -1, dev (null)
<4>s3c24xx_register_clock: new clock iis, id 0, dev (null) uses same enable bit as i2s_v50, id 0, dev (null)
<7>s5pv210_setup_clocks: registering clocks
<7>s5pv210_setup_clocks: clkdiv0 = 14131330, clkdiv1 = 00400400
<7>s5pv210_setup_clocks: xtal is 24000000
<6>S5PV210: PLL settings, A=800000000, M=667000000, E=80000000 V=54000000<6>S5PV210: ARMCLK=800000000, HCLKM=200000000, HCLKD=166750000
HCLKP=133400000, PCLKM=100000000, PCLKD=83375000, PCLKP=66700000
<6>sclk_dmc: source is mout_mpll (1), rate is 166750000
<6>sclk_onenand: source is hclk_dsys (1), rate is 83375000
<6>sclk: source is mout_mpll (6), rate is 133400000
<6>sclk: source is mout_mpll (6), rate is 66700000
<6>sclk: source is mout_mpll (6), rate is 66700000
<6>sclk: source is mout_mpll (6), rate is 66700000
<6>sclk_mixer: source is sclk_dac (0), rate is 54000000
<6>sclk_fimc: source is ext_xtal (0), rate is 24000000
<6>sclk_fimc: source is ext_xtal (0), rate is 24000000
<6>sclk_fimc: source is ext_xtal (0), rate is 24000000
<6>sclk_cam: source is xusbxti (1), rate is 24000000
<6>sclk_cam: source is ext_xtal (0), rate is 24000000
<6>sclk_fimd: source is mout_mpll (6), rate is 133400000
<6>sclk_mmc: source is mout_mpll (6), rate is 51307692
<6>sclk_mmc: source is mout_mpll (6), rate is 47642857
<6>sclk_mmc: source is mout_mpll (6), rate is 47642857
<6>sclk_mmc: source is mout_mpll (6), rate is 47642857
<6>sclk_mfc: source is sclk_a2m (0), rate is 200000000
<6>sclk_fimg2d: source is sclk_a2m (0), rate is 200000000
<6>sclk: source is mout_mpll (1), rate is 66700000
<6>sclk_csis: source is ext_xtal (0), rate is 24000000
<6>sclk_spi: source is mout_epll (7), rate is 80000000
<6>sclk_spi: source is mout_epll (7), rate is 80000000
<6>sclk_pwi: source is ext_xtal (0), rate is 24000000
<6>sclk_pwm: source is ext_xtal (0), rate is 24000000
<6>sclk_mdnie: source is mout_mpll (6), rate is 166750000
<6>sclk_mdnie_pwm: source is ext_xtal (0), rate is 24000000
<6>s5p: 11534336 bytes system memory reserved for mfc at 0x24500000, 0-bank base(0x24500000)
<6>s5p: 11534336 bytes system memory reserved for mfc at 0x4f3f4000, 1-bank base(0x4f3f4000)
<6>s5p: 11534336 bytes system memory reserved for fimc0 at 0x4e8f4000, 1-bank base(0x4e8f4000)
<6>s5p: 11534336 bytes system memory reserved for fimc2 at 0x4ddf4000, 1-bank base(0x4ddf4000)
<6>s5p: 4194304 bytes system memory reserved for jpeg at 0x24500000, 0-bank base(0x24500000)
<6>s5p: 7680000 bytes system memory reserved for fimd at 0x4d6a1000, 1-bank base(0x4d6a1000)
<7>On node 0 totalpages: 72621
<7> Normal zone: 1534 pages used for memmap
<7> Normal zone: 0 pages reserved
<7> Normal zone: 71087 pages, LIFO batch:15
<7>pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
<7>pcpu-alloc: [0] 0
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 71087
<5>Kernel command line: init=/init loglevel=4
<6>PID hash table entries: 2048 (order: 1, 8192 bytes)
<6>Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
<6>Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
<6>Memory: 69MB 214MB 0MB = 283MB total
<5>Memory: 272496k/325052k available, 17988k reserved, 0K highmem
<5>Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
DMA : 0xff000000 - 0xffe00000 ( 14 MB)
vmalloc : 0xf0000000 - 0xfc000000 ( 192 MB)
lowmem : 0xc0000000 - 0xeff00000 ( 767 MB)
modules : 0xbf000000 - 0xc0000000 ( 16 MB)
.init : 0xc0008000 - 0xc0617000 (6204 kB)
.text : 0xc0617000 - 0xc0ce8000 (6980 kB)
.data : 0xc0ce8000 - 0xc0d34880 ( 307 kB)
.bss : 0xc0d348a4 - 0xc0e76ad8 (1289 kB)
<6>SLUB: Genslabs=11, HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
<6>Preemptible hierarchical RCU implementation.
<6>NR_IRQS:339
<6>VIC @fc000000: id 0x00041192, vendor 0x41
<6>VIC @fc010000: id 0x00041192, vendor 0x41
<6>VIC @fc020000: id 0x00041192, vendor 0x41
<6>VIC @fc030000: id 0x00041192, vendor 0x41
<6>mult[140737]
<6>max_delta_ns[2937815369]
<6>min_delta_ns[30517]
<6>rate[32768]
<6>HZ[256]
<6>Console: colour dummy device 80x30
<6>console [tty0] enabled
<6>Calibrating delay loop... <c>795.12 BogoMIPS (lpj=1554432)
<6>pid_max: default: 32768 minimum: 301
<6>Mount-cache hash table entries: 512
<6>Initializing cgroup subsys debug
<6>Initializing cgroup subsys cpuacct
<6>Initializing cgroup subsys freezer
<6>CPU: Testing write buffer coherency: ok
<6>hw perfevents: enabled with ARMv7 Cortex-A8 PMU driver, 5 counters available
<6>print_constraints: dummy:
<6>NET: Registered protocol family 16
<6>ram_console: got buffer at 4ff00400, size fec00
<6>ram_console: uncorrectable error in header
<6>ram_console: no valid data in buffer (sig = 0xfeffdfff)
<6>console [ram-1] enabled
<6>S5PC110 Hardware version : EVT1
<6>HWREV is 0xf
S3C Power Management, Copyright 2004 Simtec Electronics
<6>pmstats at 4ffff000
<3>invalid media device
<3>invalid media device
<6>hw-breakpoint: debug architecture 0x4 unsupported.
<6>S5PV210: Initializing architecture
<6>s3c24xx-pwm s3c24xx-pwm.0: tin at 66700000, tdiv at 66700000, tin=divclk, base 0
<6>s3c24xx-pwm s3c24xx-pwm.1: tin at 66700000, tdiv at 66700000, tin=divclk, base 8
<6>s3c24xx-pwm s3c24xx-pwm.2: tin at 66700000, tdiv at 66700000, tin=divclk, base 12
<6>s3c24xx-pwm s3c24xx-pwm.3: tin at 66700000, tdiv at 66700000, tin=divclk, base 16
<6>print_constraints: pd_audio_supply: 5000 mV normal
<6>print_constraints: pd_cam_supply: 5000 mV normal
<6>print_constraints: pd_tv_supply: 5000 mV normal
<6>print_constraints: pd_lcd_supply: 5000 mV normal
<6>print_constraints: pd_g3d_supply: 5000 mV normal
<6>print_constraints: pd_mfc_supply: 5000 mV normal
<6>bio: create slab <bio-0> at 0
<5>SCSI subsystem initialized
<6>usbcore: registered new interface driver usbfs
<6>usbcore: registered new interface driver hub
<6>usbcore: registered new device driver usb
<6>i2c-gpio i2c-gpio.4: using pins 247 (SDA) and 246 (SCL)
<6>i2c-gpio i2c-gpio.5: using pins 203 (SDA) and 204 (SCL)
<3>max8998 6-0066: No interrupt base specified, no interrupts
<3>i2:10, buck2_idx:0
<6>print_constraints: VALIVE_1.2V: 1200 mV
<6>print_constraints: VUSB_1.1V: 1100 mV
<6>print_constraints: VADC_3.3V: 3300 mV
<6>print_constraints: VTF_2.8V: 2800 mV
<6>print_constraints: VLCD_1.8V: 1800 mV
<6>print_constraints: VUSB_3.3V: 3300 mV
<6>print_constraints: VCC_2.8V_PDA: 2800 mV
<6>print_constraints: CAM_AF_2.8V: 2800 mV
<6>print_constraints: CAM_SENSOR_1.2V: 1200 mV
<6>print_constraints: CAM_SENSOR_A2.8V: 2800 mV
<6>print_constraints: CAM_ISP_1.8V: 1800 mV
<6>print_constraints: CAM_ISP_HOST_2.8V: 2800 mV
<6>print_constraints: VGA_DVDD_1.8V: 1800 mV
<6>print_constraints: VCC_3.0V_LCD: 2800 <--> 3200 mV at 3200 mV
<6>print_constraints: VDD_ARM: 750 <--> 1500 mV at 1200 mV
<6>print_constraints: VDD_INT: 750 <--> 1500 mV at 1100 mV
<6>print_constraints: VCC_1.8V: 1800 mV
<6>print_constraints: CAM_ISP_CORE_1.2V: 1200 mV
<6>print_constraints: USB_VBUS_AP:
<6>print_constraints: USB_VBUS_CP:
<6>i2c-gpio i2c-gpio.6: using pins 206 (SDA) and 209 (SCL)
<6>i2c-gpio i2c-gpio.7: using pins 201 (SDA) and 202 (SCL)
<6>i2c-gpio i2c-gpio.8: using pins 42 (SDA) and 43 (SCL)
<6>i2c-gpio i2c-gpio.11: using pins 114 (SDA) and 98 (SCL)
<6>i2c-gpio i2c-gpio.12: using pins 199 (SDA) and 200 (SCL)
<6>s3c-i2c s3c2440-i2c.0: i2c-0: S3C I2C adapter
<6>s3c-i2c s3c2440-i2c.1: i2c-1: S3C I2C adapter
<6>s3c-i2c s3c2440-i2c.2: i2c-2: S3C I2C adapter
<6>Advanced Linux Sound Architecture Driver Version 1.0.24.
<6>Bluetooth: Core ver 2.16
<6>NET: Registered protocol family 31
<6>Bluetooth: HCI device and connection manager initialized
<6>Bluetooth: HCI socket layer initialized
<6>Bluetooth: L2CAP socket layer initialized
<6>Bluetooth: SCO socket layer initialized
<6>Switching to clocksource clock_source_systimer
<6>cfg80211: Calling CRDA to update world regulatory domain
<6>Switched to NOHz mode on CPU #0
<6>NET: Registered protocol family 2
<6>IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
<6>TCP established hash table entries: 16384 (order: 5, 131072 bytes)
<6>TCP bind hash table entries: 16384 (order: 4, 65536 bytes)
<6>TCP: Hash tables configured (established 16384 bind 16384)
<6>TCP reno registered
<6>UDP hash table entries: 256 (order: 0, 4096 bytes)
<6>UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
<6>NET: Registered protocol family 1
<6>PMU: registered new PMU device of type 0
<4>clk_get: could not find clock emu_src_ck for dev s5pv210_etb_device+0x0/0x100 (etb)
<6>wake enabled for irq 165
<6>wake disabled for irq 165
<6>S5PV210 ADC driver, (c) 2010 Samsung Electronics
<6>Loaded driver for PL330 DMAC-0 s3c-pl330
<6> DBUFF-64x8bytes Num_Chans-8 Num_Peri-2 Num_Events-32
<6>Loaded driver for PL330 DMAC-1 s3c-pl330
<6> DBUFF-8x4bytes Num_Chans-8 Num_Peri-32 Num_Events-32
<6>Loaded driver for PL330 DMAC-2 s3c-pl330
<6> DBUFF-8x4bytes Num_Chans-8 Num_Peri-32 Num_Events-32
<6>ashmem: initialized
<6>ROMFS MTD (C) 2007 Red Hat, Inc.
<7>yaffs: yaffs built Nov 5 2013 22:34:00 Installing.
<6>msgmni has been set to 532
<6>io scheduler noop registered
<6>io scheduler deadline registered
<6>io scheduler row registered (default)
<6>io scheduler cfq registered
<6>io scheduler sio registered
MDNIE INIT ..........
<6>S3C MDNIE Driver, (c) 2010 Samsung Electronics
MDNIE INIT SUCCESS Addr : 0xf003c000
IELCD INIT ..........
<6>S3C IELCD Driver, (c) 2010 Samsung Electronics
IELCD INIT SUCCESS Addr : 0xf0040000
<6>s3cfb s3cfb: [fb2] dma: 0x4db06000, cpu: 0xf0400000, size: 0x002ee000
<6>FIMD src sclk = 166750000
<6>s3cfb s3cfb: pixclock adjusted from 39019 to 41979
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x84), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x90), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x94), data(0xfff)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x98), data(0x5c)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x9c), data(0x10)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0xac), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0xb4), data(0x3ff)
[mDNIe] mDNIe_Set_Mode: current_mDNIe_UI(6), current_mDNIe_OutDoor_OnOff(0)
<6>s3cfb_late_resume is called
<6>FIMD src sclk = 166750000
<6>s3cfb s3cfb: pixclock adjusted from 41979 to 41979
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x84), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x90), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x94), data(0xfff)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x98), data(0x5c)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0x9c), data(0x10)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0xac), data(0x0)
<6>[mDNIe] mDNIe_tuning_initialize: addr(0xb4), data(0x3ff)
[mDNIe] mDNIe_Set_Mode: current_mDNIe_UI(6), current_mDNIe_OutDoor_OnOff(0)
<3>panel_reset_lcd
<6>s3cfb_late_resume is complete
<6>s3cfb s3cfb: registered successfully
<6>s5pv210-uart.0: s3c2410_serial0 at MMIO 0xe2900000 (irq = 16) is a S3C6400/10
<6>s5pv210-uart.1: s3c2410_serial1 at MMIO 0xe2900400 (irq = 20) is a S3C6400/10
<6>s5pv210-uart.3: s3c2410_serial3 at MMIO 0xe2900c00 (irq = 28) is a S3C6400/10
PA FB = 0x4DB06000, bits per pixel = 32
screen width=480 height=800 va=0xedb06000 pa=0x4db06000
xres_virtual = 480, yres_virtual = 1600, xoffset = 0, yoffset = 0
fb_size=3072000
Back frameBuffer[0].VAddr=edc7d000 PAddr=4dc7d000 size=1536000
No space for NV12 video carveout
<6>brd: module loaded
<6>loop: module loaded
<6>Android kernel panic handler initialized (bind=kpanic)
<6>sec_jack_probe : Registering jack driver
<6>wake enabled for irq 38
<6>sec_jack_init_jack_state<6>sec_jack_set_micbias_state: HWREV=15, on=1
<6>handle_jack_not_inserted
<6>sec_jack_set_micbias_state: HWREV=15, on=0
<6>sec_jack_set_micbias_state: HWREV=15, on=0
<6>wake enabled for irq 167
<6>fsa9480 7-0025: dev1: 0x4, dev2: 0x0
<4>i2c-core: driver [fsa9480] using legacy suspend method
<4>i2c-core: driver [fsa9480] using legacy resume method
<6>modem_io_init done
<6>[MODEM] bp_irq() - PHONE_ACTIVE interrupt, 1 occurence
<6>wake enabled for irq 47
<6>wake enabled for irq 43
<6>modemctl probed
<6>Muxed OneNAND 512MB 1.8V 16-bit (0x50)
<6>OneNAND version = 0x013e
<7>Chip support all block unlock
<7>Chip has 4KiB pagesize
<7>Chip has cache program feature
<6>Scanning device for bad blocks
<7>onenand_bbt_wait: ecc 0xaaaa ctrl 0x0400 intr 0x8080 addr1 0x1dd addr8 0x0
<6>OneNAND eraseblock 477 is an initial bad block
<7>onenand_bbt_wait: ecc 0xaaaa ctrl 0x0400 intr 0x8080 addr1 0x6cf addr8 0x0
<6>OneNAND eraseblock 1743 is an initial bad block
<7>onenand_bbt_wait: ecc 0xaaaa ctrl 0x0400 intr 0x8080 addr1 0x73f addr8 0x0
<6>OneNAND eraseblock 1855 is an initial bad block
<6>OneNAND eraseblock 2047 is an initial bad block
<5>Creating 2 MTD partitions on "(null)":
<5>0x00001e700000-0x00001ec00000 : "nv_data"
<5>0x000003300000-0x000003600000 : "fota"
<6>tl2796: c0, b-6bea38dc, got v 2051000, factory wants 2051000
<6>tl2796: c1, b-7f519b2b, got v 2044000, factory wants 2044000
<6>tl2796: c2, b-ae797fc2, got v 1491000, factory wants 1491000
<6>tl2796_probe successfully probed
<6>PPP generic driver version 2.4.2
<6>PPP Deflate Compression module registered
<6>PPP BSD Compression module registered
<6>PPP MPPE Compression module registered
<6>NET: Registered protocol family 24
<6>tun: Universal TUN/TAP device driver, 1.6
<6>tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
<6>s3c-udc : S3C HS USB Device Controller Driver, (c) 2008-2009 Samsung Electronics
s3c-udc : version 15 March 2009 (DMA Mode)
<6>android_usb gadget: Mass Storage Function, version: 2009/09/11
<6>android_usb gadget: Number of LUNs=2
<6> lun0: LUN: removable file: (no medium)
<6> lun1: LUN: removable file: (no medium)
<6>android_usb gadget: android_usb ready
<7>Registered gadget driver 'android_usb'
<6>input: gpio-keys as /devices/platform/gpio-keys.0/input/input0
<6>input: s5pv210-keypad as /devices/platform/s5pv210-keypad/input/input1
<6>usbcore: registered new interface driver xpad
<6>usbcore: registered new interface driver usb_acecad
<6>acecad: v3.2:USB Acecad Flair tablet driver
<6>usbcore: registered new interface driver aiptek
<6>aiptek: v2.3 (May 2, 2007):Aiptek HyperPen USB Tablet Driver (Linux 2.6.x)
<6>aiptek: Bryan W. Headley/Chris Atenasio/Cedric Brun/Rene van Paassen
<6>usbcore: registered new interface driver gtco
GTCO usb driver version: 2.00.0006<6>usbcore: registered new interface driver hanwang
<6>usbcore: registered new interface driver kbtab
<6>kbtab: v0.0.2:USB KB Gear JamStudio Tablet driver
<6>usbcore: registered new interface driver wacom
<6>wacom: v1.52:USB Wacom tablet driver
<6>input: mxt224_ts_input as /devices/virtual/input/input2
<6>Atmel MXT224 2-004a: family = 0x80, variant = 0x1, version = 0x16, build = 171
<6>bma023 5-0038: bma023 found
<6>bma023 5-0038: al_version=2, ml_version=1
<6>input: accelerometer_sensor as /devices/virtual/input/input3
<3>gp2a: proximity val = 1
<6>input: proximity as /devices/virtual/input/input4
<6>input: orientation_sensor as /devices/virtual/input/input5
<6>max8998-rtc max8998-rtc: RTC CHIP NAME: max8998-rtc
S3C24XX RTC, (c) 2004,2006 Simtec Electronics
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>using rtc device, s3c, for alarms<6>s3c-rtc s3c2410-rtc: rtc core: registered s3c as rtc0
<6>i2c /dev entries driver
<6>lirc_dev: IR Remote Control driver registered, major 251
<6>IR NEC protocol handler initialized
<6>IR RC5(x) protocol handler initialized
<6>IR RC6 protocol handler initialized
<6>IR JVC protocol handler initialized
<6>IR Sony protocol handler initialized
<6>IR RC5 (streamzap) protocol handler initialized
<6>IR LIRC bridge handler initialized
<6>Linux video capture interface: v2.00
<6>mfc_init: <6>S5PC110 MFC Driver, (c) 2009 Samsung Electronics
<6>S3C JPEG Driver, (c) 2007 Samsung Electronics
<6>JPEG driver for S5PV210
<4>i2c-core: driver [s5p_ddc] using legacy suspend method
<4>i2c-core: driver [s5p_ddc] using legacy resume method
<4>i2c-core: driver [Si4709] using legacy suspend method
<4>i2c-core: driver [Si4709] using legacy resume method
<6>device-mapper: uevent: version 1.0.3
<6>device-mapper: ioctl: 4.20.0-ioctl (2011-02-02) initialised: [email protected]
<6>Bluetooth: HCI UART driver ver 2.2
<6>Bluetooth: HCI H4 protocol initialized
<6>cpuidle: using governor ladder
<6>cpuidle: using governor menu
<6>sdhci: Secure Digital Host Controller Interface driver
<6>sdhci: Copyright(c) Pierre Ossman
<6>s3c-sdhci s3c-sdhci.0: clock source 0: hsmmc (133400000 Hz)
<6>s3c-sdhci s3c-sdhci.0: clock source 2: sclk_mmc (51307692 Hz)
<6>mmc0: SDHCI controller on samsung-hsmmc [s3c-sdhci.0] using ADMA
<6>s3c-sdhci s3c-sdhci.1: clock source 0: hsmmc (133400000 Hz)
<6>s3c-sdhci s3c-sdhci.1: clock source 2: sclk_mmc (47642857 Hz)
<6>mmc1: SDHCI controller on samsung-hsmmc [s3c-sdhci.1] using ADMA
<6>s3c-sdhci s3c-sdhci.2: clock source 0: hsmmc (133400000 Hz)
<6>s3c-sdhci s3c-sdhci.2: clock source 2: sclk_mmc (47642857 Hz)
<6>mmc2: SDHCI controller on samsung-hsmmc [s3c-sdhci.2] using ADMA
<6>usbcore: registered new interface driver usbhid
<6>usbhid: USB HID core driver
<6>logger: created 256K log 'log_main'
<6>logger: created 256K log 'log_events'
<6>logger: created 256K log 'log_radio'
<6>logger: created 256K log 'log_system'
<6>zram: num_devices not specified. Using default: 1
<6>zram: Creating 1 devices ...
<6>WM8994 Audio Codec 0.1
wm8994_extensions: initializing driver v10
<6>s3c_idma_preallocate_buffer: VA-f00c0000 PA-C0000000 163840bytes
<6>asoc: WM8994 PAIFRX <-> samsung-i2s.0 mapping ok
<6>ALSA device list:
<6> #0: smdkc110
<6>oprofile: using arm/armv7
<6>GACT probability NOT on
<6>Mirror/redirect action on
<6>u32 classifier
<6> Actions configured
<6>Netfilter messages via NETLINK v0.30.
<6>nf_conntrack version 0.5.0 (4257 buckets, 17028 max)
<6>ctnetlink v0.93: registering with nfnetlink.
<6>NF_TPROXY: Transparent proxy support initialized, version 4.1.0
<6>NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
<6>xt_time: kernel timezone is -0000
<6>ip_tables: (C) 2000-2006 Netfilter Core Team
<6>arp_tables: (C) 2002 David S. Miller
<6>TCP cubic registered
<6>NET: Registered protocol family 10
<6>mmc0: new high speed MMC card at address 0001
<6>Mobile IPv6
<6>ip6_tables: (C) 2000-2006 Netfilter Core Team
<6>mmcblk0: mmc0:0001 M2G1DD 1.91 GiB
<6>IPv6 over IPv4 tunneling driver
<6> mmcblk0: p1 p2 p3
<6>NET: Registered protocol family 17
<6>NET: Registered protocol family 15
<6>Bluetooth: RFCOMM TTY layer initialized
<6>Bluetooth: RFCOMM socket layer initialized
<6>Bluetooth: RFCOMM ver 1.11
<6>Bluetooth: BNEP (Ethernet Emulation) ver 1.3
<6>Bluetooth: HIDP (Human Interface Emulation) ver 1.2
<6>NET: Registered protocol family 35
<6>VFP support v0.3: implementor 41 architecture 3 part 30 variant c rev 2
<6>ThumbEE CPU extension supported.
<6>s5pv210_cpufreq_init: S5PV210 cpu-freq driver
<6>regulator_init_complete: pd_mfc_supply: disabling
<6>regulator_init_complete: pd_tv_supply: disabling
<6>regulator_init_complete: pd_cam_supply: disabling
## wifi_probe
wifi_set_power = 1
wifi_set_carddetect = 1
<4>mmc1: queuing unknown CIS tuple 0x80 (50 bytes)
<4>mmc1: queuing unknown CIS tuple 0x80 (7 bytes)
<4>mmc1: queuing unknown CIS tuple 0x80 (3 bytes)
<6>mmc1: new SDIO card at address 0001
F1 signature read @0x18000000=0x9934329
DHD: dongle ram size is set to 294912(orig 294912)
wl_create_event_handler thr:3d started
dhd_attach thr:3e started
dhd_attach thr:3f started
dhd_attach thr:40 started
Broadcom Dongle Host Driver: register interface [wlan0] MAC: 00:90:4c:11:22:33
Dongle Host Driver, version 5.90.195.104
Compiled in drivers/net/wireless/bcmdhd on Nov 5 2013 at 22:34:41
wifi_set_power = 0
=========== WLAN placed in RESET ========
<6>s3c-rtc s3c2410-rtc: rtc disabled, re-enabling
<6>s3c-rtc s3c2410-rtc: setting system clock to 2010-12-31 23:07:37 UTC (1293836857)
<6>FIMC0 registered successfully
<6>FIMC1 registered successfully
<6>FIMC2 registered successfully
<6>S5P TVOUT Driver, (c) 2010 Samsung Electronics
<4>clk_get: could not find clock mout_vpll_src for dev s5p_device_tvout+0x8/0xd8 (s5p-tvout)
<3>failed to find clock "mout_vpll_src"
<6>s5p-tvout s5p-tvout: hpd status: cable removed/not connected
<6>s5p_tv_probe TV Probing is done
<6>max8998_charger_probe : MAX8998 Charger Driver Loading
<6>max8998_charger_probe : pmic interrupt registered
<6>check_lpm_charging_mode : lpm_charging_mode(0)
<6>wake enabled for irq 39
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 6 discharging_time : 0
discharging reason : 0
<7>max8998_charging_control : USB charging enabled
<6>max8998_set_cable : status(1)
<7>max8998_charging_control : USB charging enabled
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 6 discharging_time : 21606
discharging reason : 0
<4>Warning: unable to open an initial console.
<7>init_post begin
<6>Freeing init memory: 6204K
<7>max8998_charging_control : USB charging enabled
OHAI, stage1 init starting
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 6 discharging_time : 21606
discharging reason : 0
<7>max8998_charging_control : USB charging enabled
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 56 discharging_time : 21606
discharging reason : 0
<7>max8998_charging_control : USB charging enabled
<3>bio too big device loop0 (2 > 0)
<3>EXT4-fs (loop0): unable to read superblock
<6>EXT4-fs (loop1): mounted filesystem with ordered data mode. Opts: (null)
<7>s3c_bat_discharge_reason : Current charge level : 50%
Current time : 80 discharging_time : 21606
discharging reason : 0
<7>max8998_charging_control : USB charging enabled
stage1 log:
Fri Dec 31 23:07:37 GMT 2010
Creating filesystem with parameters:
Size: 18874368
Block size: 4096
Blocks per group: 32768
Inodes per group: 1152
Inode size: 256
Journal blocks: 1024
Label:
Blocks: 4608
Block groups: 1
Reserved block group size: 7
Created filesystem with 11/1152 inodes and 1110/4608 blocks
Creating filesystem with parameters:
Size: 419430400
Block size: 4096
Blocks per group: 32768
Inodes per group: 6400
Inode size: 256
Journal blocks: 1600
Label:
Blocks: 102400
Block groups: 4
Reserved block group size: 31
Created filesystem with 11/25600 inodes and 3310/102400 blocks
force_recovery: 1
losetup: /dev/loop0: No such file or directory
mount: mounting /dev/loop0 on /system failed: Invalid argument
umount: can't umount /system: Invalid argument
losetup: /dev/loop2: No such device or address
losetup: /dev/loop0: No such device or address
5708 blocks
Fri Dec 31 23:09:02 GMT 2010
<3>init: cannot open '/initlogo.rle'
.
.
.
Taken from XXLA1 with zImage only... cm-10.1-wave-v2.1...
Interesting to see this...
Code:
<6>Memory: 69MB 214MB 0MB = 283MB total
<5>Memory: 272496k/325052k available, 17988k reserved, 0K highmem
<5>Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
DMA : 0xff000000 - 0xffe00000 ( 14 MB)
vmalloc : 0xf0000000 - 0xfc000000 ( 192 MB)
lowmem : 0xc0000000 - 0xeff00000 ( 767 MB)
modules : 0xbf000000 - 0xc0000000 ( 16 MB)
.init : 0xc0008000 - 0xc0617000 (6204 kB)
.text : 0xc0617000 - 0xc0ce8000 (6980 kB)
.data : 0xc0ce8000 - 0xc0d34880 ( 307 kB)
.bss : 0xc0d348a4 - 0xc0e76ad8 (1289 kB)
Best Regards
This is my solution for now... with S8500. Tested by me.
In theory it should work with S8530 too...
Later I will move to a cable solution with Micro USB + Resistor...
Then hopefully this will also work with S8600 and S5250, for instance...
Best Regards
http://forum.xda-developers.com/showpost.php?p=41670635&postcount=5
In this FPM Mode... I can use AT Commands via UART...
So for now I can read and write something via UART...
Later more...
Best Regards
Made a few stupid mistakes today...
510 R instead of K...
Then confused Pin 4 and 5...
I have 510 KOHM, but nothing happens...
Maybe not correct enough...
http://forum.xda-developers.com/showthread.php?t=820275
Code:
RID_FM_BOOT_ON_UART, /* 1 1 1 0 1 619K Factory Mode Boot ON-UART */
I have used 620 KOHM with S8500 and S8600...
Factory Test Mode starts... this thingie with blue then green screen... but no UART output nor input...
Maybe my wires are wrong...
Will buy more Resistors...
Best Regards
Edit 1.
No idea yet where my mistake is...
http://www.droidforums.net/forum/dr...own-motorola-factory-cable-4.html#post2234017
Backside Pinout...
I have now 510 KOHM + 13 KOHM = 523 KOHM...
Flashed to XXJEB to be sure...
Edit 2.
Check up...
My USB converter is alive...
Pin 4 and 5 should be correct, because the resistor values are working...
Will change Pin 2 and 3...
My fault...
For S8530 and S8500 now working.
Code:
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] FSR_PAM_InitNANDController Success!!
[PAM: ] --FSR_PAM_Init
bl3_info_block 1 age = 17
bl3_info_block 2 age = 18
BL3_2 Loading
+-------------------------------+
| Bootloader Shadowing FINISHED |
+-------------------------------+
Launch Image at 0x42080000
[BOOT_V1.0 (Jan 5 2012, 19:05:00)]
SelectBootingMode: H/W...0x3.
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,DSYSPCLK: 83375 KHz,PSYSHCLK: 133400 KHz, PSYSPCLK: 66700 KHz,SYSCON_A2M: 200000 KHz
Flash_Unlock failed
Poweron status - 20
FSA9480 0x03 Register = 1
FSA9480 0x0A Register = 0
FSA9480 0x0B Register = 8
FSA9480 0x07 Register = 1c
SelectBootingMode: Boot Mode = 1...
+++FIMD_Drv_INITIALIZE
FIMD_Drv_ChangeMode: MDNIE_MODE
Frame Rate:62 SCLK_FIMD:133400 kHz ClkDiv:4
---FIMD_Drv_INITIALIZE
---FIMD_Drv_SetWinOnOff(WIN4:1)
LCD initialize Finished
Display_LSI_Boot : disp_Main_Clean
Display_LSI_Boot : disp_Main_Clean_All
Display_LSI_Boot : disp_dimming_backlight
Display_LSI_Boot : disp_Normal_Init
DRV_modem_reset!!!!!!!!!!!!!!!!!
DRV_Send_DBL!!!!!!!!!!!!!!!!!
[DLOAD] Download Completed !!!
DRV_Wait_ModemInit!!!!!!!!!!!!!!!!!
DRV_CopyQSCBootBinary!!!!!!!!!!!!!!!!!
DRV_Send_BootBinaryCopyComplete!!!!!!!!!!!!!!!!!
DRV_Modem_BootingStart retry count = 0.
AST_POWERON
get_usb_sw_nv 0x40000
USBSwitch : AP
get_uart_sw_nv 0x40000
UARTSwitch : AP
My S8530 first UART output... with cable.
On XXKK5 with S8600 no luck... will try older Firmware...
Best Regards
Edit 1.
S8000 Jet
Code:
USBSwitch : AP
[BB31] VDD INT 1.2V
[BB31] VDD ARM 1.325V
ARM Clock: 400MHz --> 800MHz
[BOOT][DBG] RST_STAT 0x7E00_F904 : 0x00000001
[BOOT] ARMCLK: 800000, MPLL: 194000, HCLKX2: 266666, HCLK: 133333, PCLK: 33333
BootHWCheck: 6...
SelectBootingMode: H/W...0x6.
Poweron status - 10
pPowerOn 0 = 0xB00717E3
pPowerOn 1 = 0x0
pPowerOn 2 = 0x0
pPowerOn 3 = 0x10
pPowerOn 4 = 0x0
pPowerOn 5 = 0x0
pPowerOn 6 = 0x0
pPowerOn 7 = 0x0
pPowerOn 8 = 0x0
pPowerOn 9 = 0x0
pPowerOn 10 = 0x0
pPowerOn 11 = 0x0
pPowerOn 12 = 0x6
pPowerOn 13 = 0x0
FSA9480 0x03 Register = 1
FSA9480 0x0A Register = 0
FSA9480 0x0B Register = 8
FSA9480 0x07 Register = 1C
SelectBootingMode: Boot Mode = 1...
================================
LCD Source CLK -> MPLL(194000)
================================
uClkVal = 0x7 , uClkDir = 0x1
========================================
uVidconReg = 0x1D4 , uClkVal = 0x7
========================================
DRV_modem_reset!!!!!!!!!!!!!!!!!
DRV_Send_DBL!!!!!!!!!!!!!!!!!
[DLOAD] Download Completed !!!
DRV_Wait_MSMInit!!!!!!!!!!!!!!!!!
DRV_CopyMSMBootBinary!!!!!!!!!!!!!!!!!
DRV_Send_BootBinaryCopyComplete!!!!!!!!!!!!!!!!!
Ownership Release 0x5DFFF800, 0x0
AST_POWERON
get_usb_sw_nv 0x0
USBSwitch : AP
get_uart_sw_nv 0x0
UARTSwitch : AP
Drv_TaskEntry Start
DRV_Device_Init...
DRV_Device_Init...: DRV_hwversion = 6.
FSA9480 device ID = 40
JIT UART OFF NU_PWM_FID_SET_GPIO_PWMTOUT ok
prox_sensor_init SUCCESS~~~~~~~~~~~
[BOOT][Err] LCD_DET set PULLDOWN .
[LCD] ESD interrupt enable
acc_sensor_init SUCCESS~~~~~~~~~~~
pif_TaskEntry Start
[MODEMIF_AP_Init] NU_Create_Task pif task success
Create TESTMODE_Queue
Create testmode_task
Create TMFIFO_Queue
Create TESTMODE_RPT_Timer
brcm_bluetooth_main: Start Bluetooth Thread by BootEntry
0002 000.082 0.001.00.00:0000 SYSTEM > MochaTask: OSAL created.
0003 000.084 0.001.00.00:0000 BOOTMGR > MochaTask: OSAL created.
0004 000.091 0.001.00.00:0000 BOOTMGR > MochaTask: UART, USB, and Bluetooth created.
usb_api_open
usb_api_open
0005 000.100 0.001.00.00:0000 SYSTEM > MochaTask: DiagMgr created.
0006 000.106 0.001.00.00:0000 BOOTMGR > MochaTask: DiagMgr created.
0007 000.112 0.001.00.00:0000 EXCEPTION > __MemAllocForDebugHeap: Allocate 1200Kbytes (file OEM\OemDevFIFO.c, line 106)
0008 000.122 0.001.00.00:0000 AGENT > [__SysSecureBootRegisterPktRcvCallback:SysSecureBootPacket.c] __SysSecureBootRegisterPktRcvCallback is called!
0009 000.136 0.001.-1.-1:0000 BOOTMGR > MochaTask: EventMgr created.
0010 000.144 0.001.-1.-1:0000 BOOTMGR > MochaTask: AvMedia created.
0011 000.148 0.001.-1.-1:0000 ALL > DevGetHomeDLFlag : Address(0x0f940000) flag(0x0000ffff)
0012 000.157 0.001.-1.-1:0000 BOOTMGR > MochaTask: Clock created.
0013 000.162 0.001.-1.-1:0000 BOOTMGR > MochaTask: LED created.
0014 000.168 0.001.-1.-1:0000 BOOTMGR > MochaTask: Flip created.
0015 000.174 0.001.-1.-1:0000 SYSTEM > MochaTask: Clock, LED, Flip created.
+SDHC_Open(Ch1)
[SDHC] SDHC(ch1) Operating Clock : 378906Hz
[DS] data_srvc_task() Enter
[DS] diag_srvc_task() Enter
Diag_TaskEntry Start
I9000 tested with success...
So my cable works now with different Samsung handsets...
Except S8600...
Tested also with XXKJ7...
Need few days. Then test with S5250 will follow...
http://forum.xda-developers.com/showthread.php?t=1901376
I9001 is a little bit similar to S8600... maybe helpful.
Also useful about UART:
http://forum.xda-developers.com/showthread.php?t=1209288
http://forum.xda-developers.com/showthread.php?t=1629359
Best Regards
UART on S5250 works, but not much info... yet...
Code:
AST_POWERON
*MRDY: 1
,~Booting Completed
This is the output if in DL Mode...
Code:
AST_DOWNLOAD
I can set UART Logging temporarily...
More text...
Best Regards

[Q] Question about amss.bin

Hello people,
Are there any tools for viewing and editing the amss.bin?
HEX Editor...
IDA...
Brain.
Best Regards
adfree said:
HEX Editor...
IDA...
Brain.
Best Regards
With revskill I got this with amss.bin
// IDC script produced with revskill for amss.bin (see post above);
// each MakeName() labels one address in the IDA database.
#define UNLOADED_FILE 1
#include <idc.idc>
static main() {
MakeName(0x00079B70, "Memcmp");
MakeName(0x00062160, "Memcpy");
MakeName(0x0022E924, "Memcpy");
MakeName(0x0006216B, "Memcpy_Generic");
MakeName(0x0022E92F, "Memcpy_Generic");
MakeName(0x000621D0, "__rt_udiv");
MakeName(0x00079F8C, "__rt_udiv");
MakeName(0x00062334, "strlen");
MakeName(0x0007A2C4, "strlen");
MakeName(0x00070DB2, "diag_sp");
MakeName(0x00062298, "strcmp");
MakeName(0x0007A1D8, "strcmp");
MakeName(0x0007A360, "strncpy");
MakeName(0x00072502, "diag_pkt");
MakeName(0x00062F00, "__rt_div0");
MakeName(0x0007D324, "__rt_div0");
MakeName(0x00062F10, "__32__rt_raise");
MakeName(0x0007F1F8, "__32__rt_raise");
MakeName(0x00ACC3A8, "rex_int_lock_32");
MakeName(0x00072330, "subsys_getid");
MakeName(0x0007A548, "vsprintf");
MakeName(0x00062004, "MemClr");
MakeName(0x0022E7C8, "MemClr");
MakeName(0x000725CC, "diag_subsystem");
MakeName(0x0006EC72, "diag_hdlr");
MakeName(0x000726D2, "diag_hdlr");
MakeName(0x00083D86, "diag_hdlr");
MakeName(0x00085432, "diag_hdlr");
}
What about it?
@Tigrouzen, no segment found at 0x00079B70 etc.
amss is a regular ELF with a bunch of segments
Code:
Name : LOAD
Start : 0x001E7000
End : 0x001EE000
Length: 0x00007000
----------------------
Name : LOAD
Start : 0x001F0000
End : 0x001F1000
Length: 0x00001000
----------------------
Name : LOAD
Start : 0x001F2000
End : 0x005D8000
Length: 0x003E6000
----------------------
Name : LOAD
Start : 0x005D8000
End : 0x00CDB000
Length: 0x00703000
----------------------
Name : LOAD
Start : 0x00CDB000
End : 0x00D11000
Length: 0x00036000
----------------------
Name : LOAD
Start : 0x00D11000
End : 0x00DAF000
Length: 0x0009E000
----------------------
Name : LOAD
Start : 0x00DAF000
End : 0x00DB9000
Length: 0x0000A000
----------------------
Name : LOAD
Start : 0x00DB9000
End : 0x00E9B000
Length: 0x000E2000
----------------------
Name : LOAD
Start : 0x00E9C000
End : 0x01BF9000
Length: 0x00D5D000
----------------------
Name : LOAD
Start : 0x01BF9000
End : 0x01D05000
Length: 0x0010C000
----------------------
Name : LOAD
Start : 0x01FF0000
End : 0x01FF006C
Length: 0x0000006C
----------------------
Name : LOAD
Start : 0xB0000000
End : 0xB0010CE7
Length: 0x00010CE7
----------------------
Name : LOAD
Start : 0xB0040000
End : 0xB0057000
Length: 0x00017000
----------------------
Name : LOAD
Start : 0xB0100000
End : 0xB0107207
Length: 0x00007207
----------------------
Name : LOAD
Start : 0xB0140000
End : 0xB01401B8
Length: 0x000001B8
----------------------
Name : LOAD
Start : 0xB0200000
End : 0xB0208CF3
Length: 0x00008CF3
----------------------
Name : LOAD
Start : 0xB0240000
End : 0xB024028C
Length: 0x0000028C
----------------------
Name : LOAD
Start : 0xB0400000
End : 0xB040DBE8
Length: 0x0000DBE8
----------------------
Name : LOAD
Start : 0xB0600000
End : 0xB0602000
Length: 0x00002000
----------------------
Name : LOAD
Start : 0xB0602000
End : 0xB0604000
Length: 0x00002000
----------------------
Name : LOAD
Start : 0xF0000000
End : 0xF001F878
Length: 0x0001F878
----------------------
Name : LOAD
Start : 0xF0020000
End : 0xF0026000
Length: 0x00006000
Load amss.bin with TriX, dump the decoded stage (ELF format) and analyze it with a disassembler (e.g. IDA).
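The segment listing above is what the ELF program header table describes. As an added example (not from this thread, TriX or IDA), the Python below walks an ELF32 program header table, validates offsets against the file length before reading, and prints the PT_LOAD entries in the same Name/Start/End/Length layout; the image it parses is a constructed test file built from two of the address ranges listed above, not a real amss.bin.

```python
import struct

# ELF constants (System V ABI). Only the ELF32 layout is handled, which is what
# a 32-bit ARM modem image such as the one listed above uses.
ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
PT_LOAD = 1
PT_NOTE = 4
EHDR32_SIZE = 52
PHDR32_SIZE = 32


def parse_elf32_load_segments(data):
    """Return [(start, end, length)] for every PT_LOAD program header.

    Offsets and sizes are checked against the file length before use, so a
    truncated or malformed image raises ValueError instead of reading garbage.
    """
    if len(data) < EHDR32_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS32:
        raise ValueError("only ELF32 images are handled here")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    if e_phentsize < PHDR32_SIZE:
        raise ValueError("program header entry smaller than the ELF32 minimum")
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table runs past end of file")

    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type, p_offset, p_vaddr, _p_paddr,
         p_filesz, p_memsz, _p_flags, _p_align) = struct.unpack_from(endian + "8I", data, off)
        if p_filesz > p_memsz or p_offset + p_filesz > len(data):
            raise ValueError(f"segment {i}: file-backed range does not fit the image")
        if p_type == PT_LOAD:
            segments.append((p_vaddr, p_vaddr + p_memsz, p_memsz))
    return segments


def format_segments(segments):
    """Render segments in the Name/Start/End/Length layout quoted in the thread."""
    out = []
    for start, end, length in segments:
        out.append(f"Name : LOAD\nStart : 0x{start:08X}\nEnd : 0x{end:08X}\n"
                   f"Length: 0x{length:08X}\n----------------------")
    return "\n".join(out)


def build_sample_elf32(entries):
    """Build a constructed little-endian ELF32 ARM image from (p_type, vaddr, memsz) tuples.

    The segments carry no file bytes (p_filesz = 0): this is a synthetic test
    image for the parser above, not a real amss.bin.
    """
    e_ident = ELF_MAGIC + bytes([ELFCLASS32, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2,                 # e_type: ET_EXEC
        40,                # e_machine: EM_ARM
        1,                 # e_version
        entries[0][1],     # e_entry: first segment's address
        EHDR32_SIZE,       # e_phoff: program headers follow the file header
        0, 0,              # e_shoff, e_flags
        EHDR32_SIZE, PHDR32_SIZE, len(entries),
        40, 0, 0)          # e_shentsize, e_shnum, e_shstrndx (no section table)
    phdrs = b"".join(
        struct.pack("<8I", p_type, 0, vaddr, vaddr, 0, memsz, 5, 0x1000)
        for p_type, vaddr, memsz in entries)
    return ehdr + phdrs


# Constructed sample: two address ranges taken from the listing above plus a
# PT_NOTE entry that a LOAD-only listing must skip.
SAMPLE_ENTRIES = [
    (PT_LOAD, 0x001E7000, 0x00007000),
    (PT_NOTE, 0x00000000, 0x00000040),
    (PT_LOAD, 0xB0000000, 0x00010CE7),
]
SAMPLE_ELF = build_sample_elf32(SAMPLE_ENTRIES)

if __name__ == "__main__":
    print(format_segments(parse_elf32_load_segments(SAMPLE_ELF)))
```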
Ok guys, I extracted the certificate from Amss S8530 XEJL2, bootloader segments full info fsbl sbl...
Also I can dump the complete NAND and find the segment and algorithm for RC1 too
This is the appscompressed.bin algorithm
0x01ca7750 RIPEMD128+160+MD4
0x01ca7750 SEAL+MD4 key
appcomp hash :
Amss algo :
0x0007fce0 CRC-16 norm
0x0007fee0 CRC-16 inv
0x0007f8e0 CRC-30
0x0007eb50 CRC30 Function
0x00b66194 CRC-32
0x00b66394 CRC32 Function
0x000800e0 CRC-32 Xilinx
0x0007eb58 CRC32 Xilinx Function
0x000800e4 CRC32 Xilinx Function
0x00c3c490 DES RAW Spbox
0x00c39381 RSA PKCS SHA1/RIPEND Digest
0x00c39390 MD2 S
0x00463548 SHA2 table
0x008fcc88 SHA2 table
0x00b6eb14 ZDeflate
0x0041a28c SHA1+MD4+MD5 init
0x008fcb08 SHA1+MD4+MD5 init
0x00c3d7f8 SHA1+MD4+MD5 init
0x0041a29c SHA1+MD4+MD5 key1
0x008fcb18 SHA1+MD4+MD5 key1
0x00c3d808 SHA1+MD4+MD5 key1
0x001a9844 SHA1+MD4+MD5 key2
0x0041ac1c SHA1+MD4+MD5 key2
0x008fcb1c SHA1+MD4+MD5 key2
0x001a9848 SHA1+MD4+MD5 key3
0x0041ac20 SHA1+MD4+MD5 key3
0x008fcb20 SHA1+MD4+MD5 key3
0x00463648 SHA2 init table
0x008fcd88 SHA2 init table
0x00c3d80c SHA2 init table
0x0046364c SHA2 init table
0x008fcd8c SHA2 init table
0x00c3d810 SHA2 init table
0x00419980 RIPEMD128+160+MD4
0x008fcaf8 RIPEMD128+160+MD4
0x00bdcca0 RIPEMD128+160+MD4
0x001a9844 MD5
0x0041ac1c MD5
0x008fcb1c MD5
0x00419980 SEAL+MD4 key
0x008fcaf8 SEAL+MD4 key
0x00bdcca0 SEAL+MD4 key
0x004fc7af HTC PUBLIC KEY
E9079DBB2452104990982132470BA20B7C795D1B4690B718B62FCD38D71D4E458FAF320374B89D5236C79BD57D2BA2D3508A4A605B0D48CB8CA5478BFE4D7D32AB0AE072BC367A9615F002D5023A617B422FEC1EF8DAD772D75E9C4F06EF624B864699A3F080D1B8E192B921D159852B2DC798F752B4F1FA529FF123D9963F73
0x00708134 Sober 128
0x00c3cd90 Sober 128 SBox
Possible algos little endian: 45
0x00315f6c AES te
Possible algos big endian: 1
Amss hash :
Amss certificate :
https://rapidshare.com/files/3061245812/1.cer
Well, the main idea was ..., to get some tools with which the amss.bin for bada v1.2 and v2 can be modified to work for the American/Australian version of the wave. Looks like there are some hardware differences and this file is containing information needed for the RF module.
Looks like there are some hardware differences and this file is containing information needed for the RF module
No idea if Hardware differences, but I'm pretty sure there are different Config/Calibration data...
Check out NV items... AMSS + NV items = Qualcomm related part...
http://www.samsunguniverse.com/forum/s8500-can-work-with-qualcomm-tools-t199.html
You could take a look at FCC documents for maybe a hardware check...
Best Regards
I think gambal refers to UMTS bands; Europe is different from America.
UMTS bands in America are 850 - 1900
UMTS bands in Europe are 2100
bada 1.2 and above only work with Euro bands (these updates haven't been officially released in America), so as we know the file "amss.bin" contains the parameters that define which bands to work on, it would be good to try to edit the information to compile a new "amss.bin" to work with American bands...
Many Americans would be happy!
...would be good to try to edit the information to compile a new "amss.bin" to work with American bands ...
But are you really sure that the NV items do not differ?
Maybe easier to compare NV items...
Best Regards
You mean to compare amss NV items from a 1.0 American firmware and another 1.2 European firmware?
I imported a list of NV items of my mobile (bada 1.0 American) to a .Qcn file; I will compare it with another one of 1.2.
Is it possible to create more NV items if necessary?
Sorry for the double post.
I've compared NV items of my phone, first with a 1.0 American firmware then with a 1.2 European firmware...
EDIT: I thought that there were no differences because the file size was identical, but looking more attentively I find some; I will continue researching.
You tried QPST or which Tool?
And are you sure there are no differences?
I have 2x S8500... with QPST a difference of 10 NV items + one S8500 has 10 more
Content not checked... too lazy at this time.
Best Regards
Edit 1.
File Summary:
Phone Model: 19 [QSC6270/QSC6240], Configuration Name: default, Total NV Item Count: 305
File Summary:
Phone Model: 19 [QSC6270/QSC6240], Configuration Name: default, Total NV Item Count: 319
And these are only the "official" NV items... and not the hidden ones...
Example...
Code:
NV item: 2608 [NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I], index 0
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 0: 12 3d fc ff 9c 3c fc ff 26 3c fc ff b0 3b fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 1: 34 3b fc ff af 3a fc ff 2a 3a fc ff a6 39 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 2: 22 39 fc ff 9f 38 fc ff 0c 38 fc ff 65 37 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 3: be 36 fc ff 18 36 fc ff 73 35 fc ff ce 34 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 4: 2a 34 fc ff 87 33 fc ff e5 32 fc ff 43 32 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 5: a2 31 fc ff 01 31 fc ff 61 30 fc ff c2 2f fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 6: 23 2f fc ff 85 2e fc ff 85 2e fc ff 85 2e fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 7: 85 2e fc ff 85 2e fc ff 85 2e fc ff 85 2e fc ff
Sorry for my English; I mean to say that I found some differences...
Between the 2 firmwares, I found 40 different NV items using the "RF NV items Manager" program.
Example:
European 1.2 Firm:
Code:
NV item: 5059 [NV_WCDMA_2100_TX_LIN_MASTER_0_ENH_I], index 0
NV item: 5061 [NV_WCDMA_900_TX_PDM_LIN_0_ENH_I], index 0
American 1.0 Firm:
Code:
NV item: 5064 [NV_WCDMA_1900_TX_PDM_LIN_0_ENH_I], index 0
NV item: 5060 [NV_WCDMA_800_TX_PDM_LIN_0_ENH_I], index 0
(It looks like these items manage the UMTS network.)
These are 2 items of the 40 that I found. So, I imported all 40 NV items from the 1.0 American firmware into the 1.2 Euro-firmware phone (using the previously modified .QCN file), then restarted the device, but nothing happened; it still doesn't find a UMTS network... But I want to believe that we are close to finding the solution.
If I use PSAS to display the newly added NV items, they appear as "inactive item", and those already on the phone appear as "bad parameter".
I don't know what else I can try...
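As an added example (not from any poster in this thread), here is a small Python script that does the comparison described above offline: it parses two text dumps in the "NV item: <id> [<name>], index <n>" format quoted earlier in the thread and reports which (id, index) pairs exist in only one dump, and which exist in both but with different bytes. The two dumps embedded below are constructed for the demo with invented byte values; only the item IDs and names are ones mentioned in this thread.

```python
import re

# Header line of one NV item in an "RF NV items Manager" / QPST text dump,
# e.g. "NV item: 5059 [NV_WCDMA_2100_TX_LIN_MASTER_0_ENH_I], index 0"
_HDR = re.compile(r"^NV item:\s*(\d+)\s*\[([A-Za-z0-9_]+)\],\s*index\s*(\d+)$")
# Data row that follows a header, e.g. "NV_GSM_850_..._F1_I 0: 12 3d fc ff"
_ROW = re.compile(r"^([A-Za-z0-9_]+)\s+(\d+):\s*((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_nv_dump(text):
    """Parse a dump into {(item_id, index): (name, payload_bytes)}.

    Rows are appended in file order, so a multi-row item ends up as one
    contiguous byte string. An item with a header but no rows gets b"".
    """
    items = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HDR.match(line)
        if m:
            key = (int(m.group(1)), int(m.group(3)))
            items[key] = (m.group(2), bytearray())
            continue
        m = _ROW.match(line)
        if m and key is not None and m.group(1) == items[key][0]:
            items[key][1].extend(bytes.fromhex(m.group(3).replace(" ", "")))
            continue
        raise ValueError("unrecognized dump line: %r" % raw)
    return {k: (name, bytes(buf)) for k, (name, buf) in items.items()}


def diff_nv_dumps(dump_a, dump_b):
    """Compare two dumps; every key is an (item_id, index) tuple."""
    a, b = parse_nv_dump(dump_a), parse_nv_dump(dump_b)
    shared = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "changed": sorted(k for k in shared if a[k][1] != b[k][1]),
        "same": sorted(k for k in shared if a[k][1] == b[k][1]),
    }


def report(dump_a, dump_b, label_a="A", label_b="B"):
    """Human-readable summary; item names come from whichever dump has them."""
    a, b = parse_nv_dump(dump_a), parse_nv_dump(dump_b)
    d = diff_nv_dumps(dump_a, dump_b)
    lines = []
    for k in d["only_in_a"]:
        lines.append("only in %s: %d [%s] index %d" % (label_a, k[0], a[k][0], k[1]))
    for k in d["only_in_b"]:
        lines.append("only in %s: %d [%s] index %d" % (label_b, k[0], b[k][0], k[1]))
    for k in d["changed"]:
        lines.append("changed: %d [%s] index %d: %s -> %s"
                     % (k[0], a[k][0], k[1], a[k][1].hex(), b[k][1].hex()))
    return "\n".join(lines)


# Constructed miniature dumps in the format quoted in the thread. The byte
# values are invented for the demo and are NOT real calibration data.
DUMP_EU_12 = """
NV item: 2608 [NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I], index 0
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 0: 12 3d fc ff 9c 3c fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 1: 34 3b fc ff af 3a fc ff
NV item: 5059 [NV_WCDMA_2100_TX_LIN_MASTER_0_ENH_I], index 0
NV_WCDMA_2100_TX_LIN_MASTER_0_ENH_I 0: 01 00 00 00
NV item: 5061 [NV_WCDMA_900_TX_PDM_LIN_0_ENH_I], index 0
NV_WCDMA_900_TX_PDM_LIN_0_ENH_I 0: 02 00 00 00
"""

DUMP_US_10 = """
NV item: 2608 [NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I], index 0
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 0: 12 3d fc ff 9c 3c fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 1: 34 3b fc ff af 3a fc fe
NV item: 5060 [NV_WCDMA_800_TX_PDM_LIN_0_ENH_I], index 0
NV_WCDMA_800_TX_PDM_LIN_0_ENH_I 0: 04 00 00 00
NV item: 5064 [NV_WCDMA_1900_TX_PDM_LIN_0_ENH_I], index 0
NV_WCDMA_1900_TX_PDM_LIN_0_ENH_I 0: 03 00 00 00
"""

if __name__ == "__main__":
    print(report(DUMP_EU_12, DUMP_US_10, "EU 1.2", "US 1.0"))
```

Run it against two real exports and the "changed" list is the set of items worth looking at first; "only in" items are the ones a plain import (as attempted above) adds to a phone that has no calibration for them.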
Even if the NV item count is different, a dump of the NV area will always be the same size. The area in OneNAND reserved for NV data is constant, and most of it is just empty space filled with zeros.
Is it possible to dump the whole NV item list using QPST? Can you guys do that and send the dumps to me?
If not, please search for the following NV items and send me the values you get (if you get any):
Int id 556
Int id 5
Int id 7
Int id 1403
String id 254
String id 387
String id 388
String id 256
String id 197
I want to test a theory taken from the bada kernel and need a few different values to compare. These should contain Timezone, Locale and SimBlock settings (if these NV items are even available).
Please send me PMs with dumps if you get any. Thanks in advance.
Tell me when the "amss.bin" for "bada 2.0" is ready so I can put it on my phone. I'm from Argentina. Thank you very much!
Rebellos said:
Int id 556
Int id 5
Int id 7
Int id 1403
With "PSAS" it displays "Inactive Item", and with "RF NV item manager" I don't see these IDs...
@adfree
Hey, if I write some NV items to the phone (with "RF NV item manager"), it doesn't take any effect... Is there another step to "activate" these items or something? Maybe in sTune I have to add a parameter? Or maybe the "QPST Service Programming" tool...
I'm afraid of breaking the handset, really... I just want to calibrate the UMTS bands; I need these:
WCDMA_II_PCS_1900
WCDMA_V_850
http://forum.xda-developers.com/showpost.php?p=12436452&postcount=1
Another way to access NV items.
Now you can back up with sTune, for instance... folders:
Code:
NV
nvm
EXTREME caution!
Some IDs are protected... so you can maybe write/activate, but not easily remove the change = brick...
Best Regards
A little question...
There is a firmware for the S8530 which has bada 1.2 and is 850/900/2100 MHz 3G capable... there are firmwares prepared for Brazil and Australia.
Is it possible to flash that amss.bin on an S8500 with bada 1.2?
I tried this, but the bootloader says "error erase amss".
amss.bin in a S8500 with bada 1.2?
If I remember correctly, then yes...
Maybe not all combinations...
BUT check Multiloader... the addresses are different...
So you have to edit...
More later.
Maybe give a link to this S8530 firmware, so I can take a look or try it for you...
Best Regards

[Q] Help needed with the Korean version of the 4.1.2 root, please do me a favor.

All right, last time the F160's rooting guide was found on cafe.naver.com, but I don't understand Korean.
Can you post the link?
Unlike the F180, the F160 has an unlocked bootloader, so all you need is to push binaries to obtain root.
Tim4 said:
Can you post the link?
Unlike the F180, the F160 has an unlocked bootloader, so all you need is to push binaries to obtain root.
I don't know what a binary is; can you help me solve the root problem?
Tim4 said:
Can you post the link?
Unlike the F180, the F160 has an unlocked bootloader, so all you need is to push binaries to obtain root.
Thanks for the help.
We would appreciate it if you could provide the rooting files.
Tim4 said:
Can you post the link?
Unlike the F180, the F160 has an unlocked bootloader, so all you need is to push binaries to obtain root.
Sorry, but you are wrong. The F160's BL is locked.
My friend owns an F160 and he says it's unlocked; not sure who is right. He says all you need is root and to install a custom recovery.
Anyway, I found the F160 JB root on Naver, and it's not suitable for our device.
Tim4 said:
My friend owns an F160 and he says it's unlocked; not sure who is right. He says all you need is root and to install a custom recovery.
Anyway, I found the F160 JB root on Naver, and it's not suitable for our device.
I'm sure the F160's BL is locked, and the F160's .tot (kdz unpack) file can be extracted. The F160 root tool can only read .tot files; it can't read .dz files.
I wonder whether someone can change it?
Tim4 said:
My friend owns an F160 and he says it's unlocked; not sure who is right. He says all you need is root and to install a custom recovery.
Anyway, I found the F160 JB root on Naver, and it's not suitable for our device.
Hello, can you read this article? It mentions how to unpack the .dz file. If the .dz file can be extracted, I think the rest is easy.
"Quite differently from my intent when I first opened this site, I have become interested in bootloaders and bootloader unlocking, so now I end up doing all sorts of things.
After I posted the details of breaking the Optimus 2X bootloader lock on xda, I was contacted and asked to look at the bootloader lock of the Optimus 4X, which has a locked bootloader. The Optimus 4X uses a Tegra 3 AP and, unlike the Optimus 2X, even nvflash is SBK-locked. Since the Optimus 2X has no nvflash SBK lock, modifying its bootloader is possible, but the Optimus 4X is SBK-locked so that nvflash cannot be used at all, so breaking the bootloader lock is no easy matter from the very start.
So is it impossible to break the lock on Tegra 3? Apparently not. There is a recent case where the lock was broken by exploiting a hole in nvflash.
http://androidroot.mobi/2012/05/27/introducing-wheelie-nvflash-for-asus-transformer-tf101-b70/
Breaking the ASUS Transformer TF101 B70 nvflash lock
It turns out nvflash did not have a security hole. In the Transformer's case the SBK was leaked, and through it nvflash became usable. However, the protocol of the newer nvflash had changed, and by digging into that part they were finally able to use nvflash.
Anyway, even though I have no Optimus 4X device, I was curious ^^;; so I took a look.
First I looked for the kdz file, and it was easy to obtain.
http://csmg.lgmobile.com:9002/swdata/WEBSW/LGP880/ANEUBK/V10A_00/V10A_00.kdz
But when you unpack this kdz file with LGExtract, only a single file with the *.dz extension falls out. Huh? I thought this was the file format that came out when unpacking kdz files back in the Andro-1 days. There is a known tool called dzextract, so I tried to unpack it with that, but it failed. The file format was a slightly different variant.
But the fact that it is a dz file format is precisely the hint. Thinking it would be a modified dz file, I searched for documents on the dz file format, since I vaguely knew that dz files were in zlib- or gzip-compressed form.
The search turned up the following link:
http://www.frenchcoder.com/dzextract-lg-dz-file-format-and-extract-tool-lg-ks20/
The old dz file is, as I remembered, compressed in gzip format.
On the assumption that it would hardly differ from this format, I examined the dz file with xxd / hexdump.
(Actually, I dumped it with xxd first without consulting any documentation; I searched for the documentation to confirm whether it was gzip or zlib.)
0000200: 3012 9578 4346 4700 0000 0000 0000 0000 0..xCFG.........
0000210: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000220: 0000 0000 666c 6173 682e 6366 6700 0000 ....flash.cfg...
0000230: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000240: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000250: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000260: 0000 0000 8211 0000 f002 0000 7f00 c935 ...............5
0000270: ae4b 5a54 8a31 cffc 8148 2ef9 0000 0000 .KZT.1...H......
0000280: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000290: 0000 0000 0000 0000 0000 0000 0000 0000 ................
... (omitted)
0000400: 7801 d597 db6b db30 14c6 dff5 5718 f4bc x....k.0....W...
0000410: 20c9 3765 1058 2e6d 1f96 b661 69c7 a014 .7e.X.m...ai...
0000420: e338 6ad0 ea4b 66bb a5d9 5fbf 23d9 d4da .8j..Kf..._.#...
0000430: 6cc6 7271 6079 b3f9 1ce9 e7ef e8f8 3b0f l.rq`y........;.
0000440: 6bf1 2a23 f188 cadd 568c 8a75 9244 48a6 k.*#....V..u.DH.
0000450: 4519 a691 18d9 083d 6cc3 bc94 a5cc d247 E......=l......G
0000460: 9486 8918 4da6 7748 ae47 ac7a 6095 6565 ....M.wH.G.z`.ee
0000470: 1065 e993 dc04 65b8 8a05 0ae3 388b 42f5 .e....e.....8.B.
0000480: 40b0 cd62 19ed 4685 f8f1 22d2 5286 317a @..b..F...".R.1z
0000490: 92b1 2876 4529 9240 afb7 0a0b 19a1 42fe ..(vE).@......B.
As above, a plausible file name appears. flash.cfg is the file name, and
I guessed that the data from address 0x400 onward is probably gzip data.
So I cut that part out and tried to decompress it.
The part starting with 7801 is data compressed with zlib level 1. Since the gzip header appears to be missing here, you can prepend a gzip header as follows and decompress it with the standard Unix utilities.
printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" |cat - flash.cfg.raw |gzip -dc >flash.cfg
Bingo!! It decompresses. And flash.cfg, as expected, contains the following correctly decompressed content.
[device]
type=sdmmc
instance=3
[partition]
name=BCT
id=2
type=boot_config_table
allocation_policy=sequential
filesystem_type=basic
size=3145728
file_system_attribute=0
partition_attribute=0
allocation_attribute=8
percent_reserved=0
...
(omitted)
The md5sum of flash.cfg is as follows.
7f00c935ae4b5a548a31cffc81482ef9 flash.cfg
It matches exactly the value highlighted in blue in the dz sub-file header above (the 16 bytes at 0x26c in the dump).
Green is the file size and yellow is the compressed file size (0x00001182 at 0x264 and 0x000002f0 at 0x268), and these values all match as well.
I also decompressed bct and bootloader.bin in turn. I have no way to verify, but I believe they all decompressed correctly.
http://forum.xda-developers.com/showthread.php?t=1960422 I posted on xda with the details left out~
Attachment
dzextract.exe is a dz extractor made by modifying the source of binoffset.c.
Usage:
dzextract.exe my.dz LNX > boot.gz # specifying a partition name extracts that partition.
zcat boot.gz > boot.img # the data can be decompressed with zcat. Note that simply decompressing it gives an error.
[Source] Optimus 4X kdz file analysis (dz extractor executable added) (Android Hackers) | by 영구땡칠"
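As an added example (not the quoted author's dzextract.exe, and not LG's code), the following Python reproduces the sub-file layout inferred from the hexdump above in a self-contained way. The offsets are assumptions read off that dump: the magic bytes 30 12 95 78 at the start of a 0x200-byte sub-file header, a type string at +0x04, the file name at +0x24, the uncompressed size at +0x64, the compressed size at +0x68, the MD5 of the uncompressed file at +0x6c, and a zlib level-1 (78 01) stream immediately after the header. How the real container chains entries is not stated in the post, so this code locates entries by scanning for the magic. The sample blob is built in memory from a few lines of the flash.cfg shown above and is not a real firmware.

```python
import hashlib
import struct
import zlib

# Layout assumptions, taken from the hexdump quoted in the post. Offsets are
# relative to the start of one sub-file header (which sat at 0x200 in the dump).
SUB_MAGIC = bytes.fromhex("30129578")  # first 4 bytes of a sub-file header
OFF_TYPE, LEN_TYPE = 0x04, 0x20        # "CFG\0" at 0x204
OFF_NAME, LEN_NAME = 0x24, 0x40        # "flash.cfg" at 0x224
OFF_SIZE = 0x64                        # 0x00001182 = 4482: uncompressed size
OFF_CSIZE = 0x68                       # 0x000002f0 = 752: compressed size
OFF_MD5 = 0x6c                         # md5 of the uncompressed file
HDR_LEN = 0x200                        # payload started at 0x400 in the dump


def build_subfile(ftype, name, data):
    """Pack one entry (header + zlib level-1 payload). Demo builder only."""
    comp = zlib.compress(data, 1)      # level 1 -> stream begins 78 01, as in the dump
    hdr = bytearray(HDR_LEN)
    hdr[0:4] = SUB_MAGIC
    hdr[OFF_TYPE:OFF_TYPE + len(ftype)] = ftype.encode()
    hdr[OFF_NAME:OFF_NAME + len(name)] = name.encode()
    struct.pack_into("<II", hdr, OFF_SIZE, len(data), len(comp))
    hdr[OFF_MD5:OFF_MD5 + 16] = hashlib.md5(data).digest()
    return bytes(hdr) + comp


def _cstr(buf):
    return buf.split(b"\0", 1)[0].decode("ascii")


def iter_subfiles(blob):
    """Walk the blob by sub-file magic; yield one dict per entry found."""
    pos = blob.find(SUB_MAGIC)
    while pos != -1 and pos + HDR_LEN <= len(blob):
        hdr = blob[pos:pos + HDR_LEN]
        size, csize = struct.unpack_from("<II", hdr, OFF_SIZE)
        yield {
            "type": _cstr(hdr[OFF_TYPE:OFF_TYPE + LEN_TYPE]),
            "name": _cstr(hdr[OFF_NAME:OFF_NAME + LEN_NAME]),
            "size": size,
            "csize": csize,
            "md5": bytes(hdr[OFF_MD5:OFF_MD5 + 16]),
            "payload": pos + HDR_LEN,
        }
        pos = blob.find(SUB_MAGIC, pos + HDR_LEN + csize)


def extract_subfile(blob, name):
    """Inflate one entry and check it against the header's size and md5."""
    for e in iter_subfiles(blob):
        if e["name"] != name:
            continue
        comp = blob[e["payload"]:e["payload"] + e["csize"]]
        if comp[:2] != b"\x78\x01":
            raise ValueError("%s: expected a zlib (78 01) stream, got %s"
                             % (name, bytes(comp[:2]).hex()))
        # zlib.decompress understands the 78 01 header directly; no need to
        # fake a gzip header as the post does with printf | gzip -dc.
        data = zlib.decompress(comp)
        if len(data) != e["size"]:
            raise ValueError("%s: size %d != header %d" % (name, len(data), e["size"]))
        if hashlib.md5(data).digest() != e["md5"]:
            raise ValueError("%s: md5 mismatch" % name)
        return data
    raise KeyError(name)


# Constructed sample: a zero file-level header, then two entries.
FLASH_CFG = (b"[device]\ntype=sdmmc\ninstance=3\n"
             b"[partition]\nname=BCT\nid=2\ntype=boot_config_table\nsize=3145728\n")
BCT = bytes(range(256)) * 4
SAMPLE_DZ = (bytes(0x200)
             + build_subfile("CFG", "flash.cfg", FLASH_CFG)
             + build_subfile("BCT", "bct", BCT))


def tampered_sample():
    """SAMPLE_DZ with one byte of the stored md5 flipped: extraction must refuse it."""
    blob = bytearray(SAMPLE_DZ)
    first = next(iter_subfiles(blob))
    blob[first["payload"] - HDR_LEN + OFF_MD5] ^= 0x01
    return bytes(blob)


if __name__ == "__main__":
    for entry in iter_subfiles(SAMPLE_DZ):
        print("%-12s %-4s size=%-6d csize=%-6d md5=%s"
              % (entry["name"], entry["type"], entry["size"], entry["csize"], entry["md5"].hex()))
    print(extract_subfile(SAMPLE_DZ, "flash.cfg").decode())
```

The size and MD5 carried in the header are checked after inflating; that is the check to do before trusting an extracted bct or bootloader image, since zlib's own Adler-32 only covers the compressed stream, not what the header claims about it.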
OK, I'll translate it, but I'm in the middle of Code Geass (I'm really slow, I know), so you need to wait until I finish the last season.
I very much hope that there will be root on 4.1.2 (for the F180L).
Tim4 said:
OK, I'll translate it, but I'm in the middle of Code Geass (I'm really slow, I know), so you need to wait until I finish the last season.
Thank you.
OK, I'm taking a little rest from anime, so I checked the link.
He says the KDZ of the Optimus 4X contains a .dz file, and if you try to extract it with DZextract, it will fail.
But the structure is still pretty much the same as the old .dz files, so he just made a few changes and it worked.
Hah, and the most interesting thing: he already posted it on xda: http://forum.xda-developers.com/showthread.php?t=1960422
Tim4 said:
OK, I'm taking a little rest from anime, so I checked the link.
He says the KDZ of the Optimus 4X contains a .dz file, and if you try to extract it with DZextract, it will fail.
But the structure is still pretty much the same as the old .dz files, so he just made a few changes and it worked.
Hah, and the most interesting thing: he already posted it on xda: http://forum.xda-developers.com/showthread.php?t=1960422
Interesting. Thanks for your translation. So, we can extract the .dz file?

100% Working WiFi Monitor Mode

This article will first describe how to locate the Monitor mode code in Nexus 5 firmware (hammerhead-ktu84p-factory-35ea0277, bootloader-hammerhead-hhz11k : c32f8bec310c659c1296739b00c6a8ac). Then, we will try to understand what it does (its functionalities). Finally, you will have to find bugs by yourself because I didn't find any...so far !
Note: Terms (Non-)Secure world & (Non-)Secure state are used as synonyms. Term Normal world is also used as synonym of Non-Secure world.
I. Quick introduction to ARM Security Extensions
"The Security Extensions define two security states: Secure state and Non-secure state. All instruction execution takes place either in Secure state or in Non-secure state.[...] The Security Extensions also define an additional processor mode, Monitor mode, that provides a bridge between software running in Non-secure state and software running in Secure state."
"The Secure Monitor Call exception is implemented only as part of the Security Extensions. The Secure Monitor Call instruction, SMC , requests a Secure Monitor function, causing the processor to enter Monitor mode."
"When an exception is taken, processor execution is forced to an address that corresponds to the type of exception. This address is called the exception vector for that exception. A set of exception vectors comprises eight consecutive word-aligned memory addresses, starting at an exception base address. These eight vectors form a vector table."
-- ARM Architecture Reference Manual ARMv7-A
II. OpenSource TrustZone examples
Trusted Execution Environment (TEE) is the "small" secure kernel executed in Secure state. The Monitor code is part of the TEE code.
To get an idea of how the Monitor code works, we can take a look at two TrustZone examples:
Cortex-A9 TrustZone example by ARM : a simple example of secure and non-secure code that communicates through Monitor mode.
OP-TEE by STMicroelectronics : an Open Source TEE 1.0 implementation.
After studying these code samples, we can clearly distinguish two parts in Monitor code:
Monitor mode initialization: called once, at TEE initialization time.
In this code, we can notice two specific instructions :
Monitor Vector Base Address Register (MVBAR) setup: MVBAR contains the Monitor vector table address. Both samples use the same instructions to setup MVBAR :
MCR p15, 0, $RX,c12,c0, 1
where $RX is a pointer to the monitor mode's vector table.
SP register setup: the Monitor mode stack address is loaded into the SP register. SP is banked per mode, so this value is restored automatically the next time the processor enters Monitor mode.
Exception vectors: called when an exception is taken to Monitor mode.
Both samples implement a simple Secure Monitor Call (SMC) handler that switches between the normal and secure worlds when a SMC call is made. As SMC handler is an entry point to the Secure state, it would be interesting to analyze it in Nexus 5 firmware.
III. Extracting Nexus 5 firmware
We know that the Monitor code may be embedded into the TEE image. In the case of Nexus 5, this image can be extracted from stock ROM.
Once downloaded, we use a small tool to unpack the bootloader-hammerhead-hhz11k.img file. One of the extracted files is an ARM ELF binary named "tz".
IV. Nexus 5 Monitor mode code
To analyze the Nexus 5 TrustZone binary, we can use IDA Demo 6.6.
Given that setting up MVBAR is very specific to the monitor mode's initialization code, we use it to locate the Monitor mode's initialization code in Nexus 5 TrustZone binary.
Using IDA regex search in code disassembly, we look for the instruction used to write MVBAR :
MCR[[:space:]]+p15, 0, [^,]+,c12,c0, 1
This search returns only 3 occurrences, and one of them also sets the SP register. These instructions are expected to be found in Monitor mode initialization code.
IV.1. Monitor mode initialization function
Here's the disassembly of the Monitor mode initialization code :
LOAD:FE80DB4C init_monitor
LOAD:FE80DB4C MSR CPSR_c, #0xD6 ; switch to Monitor mode
LOAD:FE80DB50 LDR R0, =monitor_vector_table ; load monitor vector table ptr into R0
LOAD:FE80DB54 MCR p15, 0, R0,c12,c0, 1 ; write R0 to MVBAR
LOAD:FE80DB58 BL sub_FE80DB88 ; initialize Non-Secure world
LOAD:FE80DB5C LDR SP, =0xFE82B700
LOAD:FE80DB60 MRC p15, 0, R0,c0,c0, 5 ; read MPIDR into R0
LOAD:FE80DB64 AND R0, R0, #0xFF ; keep Affinity level 0 : current virtual CPU id
LOAD:FE80DB68 MOV R1, #0x200
LOAD:FE80DB6C MUL R1, R1, R0 ; compute stack offset for current vCPU
LOAD:FE80DB70 SUB SP, SP, R1 ; setup Monitor stack register SP
LOAD:FE80DB74 MOV R0, #0b100
LOAD:FE80DB78 MCR p15, 0, R0,c1,c1, 0 ; set FIQ flag in SCR register
LOAD:FE80DB7C ISB SY ; flush the pipeline in the processor
LOAD:FE80DB80 MSR CPSR_c, #0xD3 ; switch to Supervisor mode
LOAD:FE80DB84 BX LR
LOAD:FE80DB84 ; End of function init_monitor
We will now proceed to a detailed analysis of each step.
IV.1.A Switch to Monitor mode
MSR instruction moves an immediate value (here 0xD6) to a Special register (here CPSR_c).
LOAD:FE80DB4C MSR CPSR_c, #0xD6 ; switch to Monitor mode
The Current Program Status Register (CPSR) holds processor status and control information. The "_c" suffix on CPSR selects writing of bits<7:0> of CPSR (ARM Ref. B9.3.11). This bitfield holds the processor mode and the exception mask bits.
We can use a simple IDAPython script to replace the immediate value 0xD6 with symbols documented in ARM Ref. (B1-1148) :
# ida-armv7a-cpsr_c.py
from idautils import *
from idaapi import *
from idc import *

Message("%s starting...\n" % __file__)

# Create the CPSR_C_enum bitfield once: mode in bits<4:0>, T/F/I in bits 5..7.
CPSR_C_enum_id = GetEnum("CPSR_C_enum")
if CPSR_C_enum_id == BADADDR:
    CPSR_C_enum_id = AddEnum(-1, "CPSR_C_enum", hexflag())
    SetEnumBf(CPSR_C_enum_id, 1)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_USR", 0b10000, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_FIQ", 0b10001, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_IRQ", 0b10010, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_SVC", 0b10011, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_MON", 0b10110, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_ABT", 0b10111, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_HYP", 0b11010, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_UND", 0b11011, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_MODE_SYS", 0b11111, 0x1F)
    AddConstEx(CPSR_C_enum_id, "CPSR_THUMB", 0x20, 0x20)
    AddConstEx(CPSR_C_enum_id, "CPSR_MASK_FIQ", 0x40, 0x40)
    AddConstEx(CPSR_C_enum_id, "CPSR_MASK_IRQ", 0x80, 0x80)

# Walk every CPS / MSR instruction and apply the enum to its immediate operand.
ea = MinEA()
while True:
    ea = FindText(ea, SEARCH_DOWN|SEARCH_NEXT|SEARCH_REGEX, 0, 0, " (CPS|MSR) ")
    if ea == BADADDR:
        break
    mnem = GetMnem(ea)
    if mnem == "MSR":
        if GetOpnd(ea, 0) == "CPSR_c" and GetOpType(ea, 1) == o_imm:
            OpEnumEx(ea, 1, CPSR_C_enum_id, 0)
            Message("%s MSR CPSR_c, %s\n" % (hex(ea), GetOpnd(ea, 1)))
    elif mnem == "CPS":
        OpEnumEx(ea, 0, CPSR_C_enum_id, 0)
        Message("%s CPS %s\n" % (hex(ea), GetOpnd(ea, 0)))
    else:
        Message("Unrecognized instruction @ %s : %s\n" % (hex(ea), GetDisasm(ea)))
    ea = NextHead(ea)

Message("Done!\n")
Thus, the instruction becomes:
LOAD:FE80DB4C MSR CPSR_c, #CPSR_MODE_MON OR CPSR_MASK_FIQ OR CPSR_MASK_IRQ ; switch to Monitor mode
This instruction switches the processor to Monitor mode. It also sets CPSR.F and CPSR.I bits to mask FIQ and IRQ exceptions, meaning they cannot be taken.
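The same two searches can be done on the raw bytes without IDA. The following Python is added here as an illustration; it is not the author's script and contains no bytes from the tz image. It decodes each little-endian A32 word, flags MCR writes to MVBAR and MSR CPSR_c, #imm instructions, expands the immediate into the same mode and flag names as the enum above, and then looks for an MVBAR write preceded by a switch to Monitor mode, which is the fingerprint of init_monitor. It assumes unconditional (cond = AL) A32 encodings, as in the listings; Thumb code and conditional forms are not matched. The sample buffer is hand-assembled for the demo.

```python
import struct

# A32 encodings with cond = AL. Bits 15:12 of MCR/MRC hold Rt.
#   MCR p15, 0, Rt, c12, c0, 1  -> 0xEE0C0F30 | (Rt << 12)   write MVBAR
#   MCR p15, 0, Rt, c12, c0, 0  -> 0xEE0C0F10 | (Rt << 12)   write VBAR (must not match)
#   MRC p15, 0, Rt, c12, c0, 1  -> 0xEE1C0F30 | (Rt << 12)   read MVBAR (not reported)
#   MSR CPSR_c, #imm            -> 0xE321F000 | (rot << 8) | imm8, imm = ROR(imm8, 2*rot)
MVBAR_WRITE_MASK, MVBAR_WRITE_VAL = 0xFFFF0FFF, 0xEE0C0F30
MSR_CPSR_C_MASK, MSR_CPSR_C_VAL = 0xFFFFF000, 0xE321F000

CPSR_MODES = {0b10000: "MON" if False else "USR", 0b10001: "FIQ", 0b10010: "IRQ",
              0b10011: "SVC", 0b10110: "MON", 0b10111: "ABT", 0b11010: "HYP",
              0b11011: "UND", 0b11111: "SYS"}


def ror32(value, amount):
    amount %= 32
    return ((value >> amount) | (value << (32 - amount))) & 0xFFFFFFFF


def decode_cpsr_c(imm):
    """Split a CPSR_c immediate into (mode name, [flag names]) like the IDA enum."""
    mode = CPSR_MODES.get(imm & 0x1F, "MODE_0x%02X" % (imm & 0x1F))
    flags = [n for bit, n in ((0x20, "T"), (0x40, "F"), (0x80, "I")) if imm & bit]
    return mode, flags


def scan_arm_code(code, base=0):
    """Return [(address, kind, detail)] for MVBAR writes and CPSR_c writes."""
    hits = []
    for off in range(0, len(code) - 3, 4):
        (w,) = struct.unpack_from("<I", code, off)
        if w & MVBAR_WRITE_MASK == MVBAR_WRITE_VAL:
            hits.append((base + off, "MVBAR_WRITE", "R%d" % ((w >> 12) & 0xF)))
        elif w & MSR_CPSR_C_MASK == MSR_CPSR_C_VAL:
            imm = ror32(w & 0xFF, 2 * ((w >> 8) & 0xF))
            mode, flags = decode_cpsr_c(imm)
            hits.append((base + off, "MSR_CPSR_C", "|".join([mode] + flags)))
    return hits


def find_monitor_init(code, base=0, window_words=16):
    """Addresses of MVBAR writes preceded, within the window, by a switch to MON."""
    found, last_mon = [], None
    for addr, kind, detail in scan_arm_code(code, base):
        if kind == "MSR_CPSR_C" and detail.startswith("MON"):
            last_mon = addr
        elif kind == "MVBAR_WRITE" and last_mon is not None \
                and addr - last_mon <= 4 * window_words:
            found.append(addr)
    return found


# Constructed sample (hand-assembled words, NOT bytes from the tz image).
SAMPLE = struct.pack(
    "<8I",
    0xE1A00000,  # MOV R0, R0                  (nop)
    0xE321F0D6,  # MSR CPSR_c, #0xD6           (MON | F | I)
    0xEE0C0F10,  # MCR p15, 0, R0, c12, c0, 0  (VBAR write: not reported)
    0xEE0C0F30,  # MCR p15, 0, R0, c12, c0, 1  (MVBAR write)
    0xEE1C1F30,  # MRC p15, 0, R1, c12, c0, 1  (MVBAR read: not reported)
    0xE321F0D3,  # MSR CPSR_c, #0xD3           (SVC | F | I)
    0xE12FFF1E,  # BX LR
    0xE1A00000,  # MOV R0, R0                  (nop)
)

if __name__ == "__main__":
    for addr, kind, detail in scan_arm_code(SAMPLE, base=0x1000):
        print("0x%08X %-12s %s" % (addr, kind, detail))
    print("init_monitor candidates:", [hex(a) for a in find_monitor_init(SAMPLE, 0x1000)])
```

On a real tz ELF, run scan_arm_code over each executable segment with that segment's load address as base; the candidate list should reproduce the three MVBAR writes the IDA regex found, and find_monitor_init narrows them to the one inside the initialization function.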
IV.1.B Setup MVBAR
The Move to Coprocessor from ARM core register instruction (MCR) passes the value of an ARM core register (here R0) to a coprocessor (here CP15).
LOAD:FE80DB50 LDR R0, =monitor_vector_table ; load monitor vector table ptr into R0
LOAD:FE80DB54 MCR p15, 0, R0,c12,c0, 1 ; write R0 to MVBAR
CP15 c12 register is present on an ARMv7-A implementation that includes Security Extensions. This instruction writes R0 value to MVBAR. R0 contains a pointer to Monitor vector table. We will describe this table later.
IV.1.C Initialize Non-Secure world
The function sub_FE80DB88 is called to initialize the Non-Secure world context:
LOAD:FE80DB88 sub_FE80DB88
LOAD:FE80DB88 MRC p15, 0, R1,c1,c0, 0 ; read Secure SCTLR
LOAD:FE80DB8C MOV R0, #SCR_NS OR SCR_FW OR SCR_AW ; #0x31
LOAD:FE80DB90 MCR p15, 0, R0,c1,c1, 0 ; switch to Non-Secure (NS) state
LOAD:FE80DB94 ISB SY
LOAD:FE80DB98 MCR p15, 0, R1,c1,c0, 0 ; write Secure SCTLR value to NS SCTLR
LOAD:FE80DB9C MOV R0, #0
LOAD:FE80DBA0 MCR p15, 2, R0,c0,c0, 0 ; clear CSSELR
LOAD:FE80DBA4 MCR p15, 0, R0,c2,c0, 0 ; clear TTBR0
LOAD:FE80DBA8 MCR p15, 0, R0,c2,c0, 1 ; clear TTBR1
LOAD:FE80DBAC MCR p15, 0, R0,c2,c0, 2 ; clear TTBCR
LOAD:FE80DBB0 MCR p15, 0, R0,c3,c0, 0 ; clear DACR
LOAD:FE80DBB4 MCR p15, 0, R0,c5,c0, 0 ; clear DFSR
LOAD:FE80DBB8 MCR p15, 0, R0,c5,c0, 1 ; clear IFSR
LOAD:FE80DBBC MCR p15, 0, R0,c5,c1, 0 ; clear ADFSR
LOAD:FE80DBC0 MCR p15, 0, R0,c5,c1, 1 ; clear AIFSR
LOAD:FE80DBC4 MCR p15, 0, R0,c6,c0, 0 ; clear DFAR
LOAD:FE80DBC8 MCR p15, 0, R0,c6,c0, 2 ; clear IFAR
LOAD:FE80DBCC MCR p15, 0, R0,c7,c4, 0 ; clear PAR
LOAD:FE80DBD0 MCR p15, 0, R0,c10,c2, 0 ; clear PRRR
LOAD:FE80DBD4 MCR p15, 0, R0,c10,c2, 1 ; clear NMRR
LOAD:FE80DBD8 MCR p15, 0, R0,c10,c4, 0 ; clear "MMUDMTR" ?
LOAD:FE80DBDC MCR p15, 0, R0,c10,c4, 1 ; clear "MMUDCPR" ?
LOAD:FE80DBE0 LDR R1, =dword_FE82B8CC ; load Non-Secure VBAR ptr to R1
LOAD:FE80DBE4 LDR R0, [R1]
LOAD:FE80DBE8 MCR p15, 0, R0,c12,c0, 0 ; write Non-Secure VBAR
LOAD:FE80DBEC MOV R0, #0
LOAD:FE80DBF0 STR R0, [R1] ; clear Non-Secure VBAR ptr
LOAD:FE80DBF4 MCR p15, 0, R0,c13,c0, 0 ; clear FCSEIDR
LOAD:FE80DBF8 MCR p15, 0, R0,c13,c0, 1 ; clear CONTEXTIDR
LOAD:FE80DBFC MCR p15, 0, R0,c13,c0, 2 ; clear TPIDRURW
LOAD:FE80DC00 MCR p15, 0, R0,c13,c0, 3 ; clear TPIDRURO
LOAD:FE80DC04 MCR p15, 0, R0,c13,c0, 4 ; clear TPIDRPRW
LOAD:FE80DC08 MOV R0, #SCR_FW OR SCR_AW ; #0x30
LOAD:FE80DC0C MCR p15, 0, R0,c1,c1, 0 ; switch back to Secure state
LOAD:FE80DC10 ISB SY
LOAD:FE80DC14 BX LR
LOAD:FE80DC14 ; End of function sub_FE80DB88
First, the security state is switched to Non-Secure by writing SCR with SCR.NS set. Then the Non-Secure copies of the coprocessor registers banked between the two security states (ARM Ref. Banked system control registers) are initialized: SCTLR is copied from the Secure value read beforehand, VBAR is loaded from a pointer kept in Secure memory (dword_FE82B8CC, which is then cleared), and the remaining registers are zeroed. Finally, the security state is switched back to Secure.
IV.1.D Setup SP register
On ARMv7-A, the Multiprocessor Affinity Register (MPIDR) holds the processor identification information. In this register, bits<7:0> are affinity level 0 (Aff0), which is the current CPU id. Here, this id is used to compute the Monitor stack address for the current CPU, which is then stored into SP. Each CPU gets a 0x200-byte stack, growing down from 0xFE82B700.
LOAD:FE80DB5C LDR SP, =0xFE82B700
LOAD:FE80DB60 MRC p15, 0, R0,c0,c0, 5 ; read MPIDR into R0
LOAD:FE80DB64 AND R0, R0, #0xFF ; keep Affinity level 0 : current virtual CPU id
LOAD:FE80DB68 MOV R1, #0x200
LOAD:FE80DB6C MUL R1, R1, R0 ; compute stack offset for current vCPU
LOAD:FE80DB70 SUB SP, SP, R1 ; setup Monitor stack register SP
IV.1.E Route FIQ exceptions to Monitor mode
CP15 c1 register is present on an ARMv7-A implementation that includes Security Extensions. This instruction sets bit<2> (0x4) in Secure Configuration Register (SCR), which means FIQ exceptions are now taken to Monitor mode.
LOAD:FE80DB74 MOV R0, #0b100 ; SCR.FIQ
LOAD:FE80DB78 MCR p15, 0, R0,c1,c1, 0 ; set FIQ flag in SCR register
LOAD:FE80DB7C ISB SY ; flush the pipeline in the processor
We can also notice that bit<0> (SCR.NS : Non-Secure) is not set, meaning current execution state is Secure.
IV.1.F Switch back to Supervisor mode
This instruction switches the processor to Supervisor mode, and sets FIQ & IRQ mask bits.
LOAD:FE80DB80 MSR CPSR_c, #CPSR_MODE_SVC OR CPSR_MASK_FIQ OR CPSR_MASK_IRQ ; switch to Supervisor mode
Monitor mode setup is now complete. Monitor code can then be entered through its exception vector table.
IV.2. Monitor Exception Vector Table
The Monitor exception vector table defines exception vectors to handle exceptions taken to Monitor Mode.
Its structure is described in ARM Ref. (B1-1167). The vector table entries, by offset from the address in MVBAR, are:
0x00 Not used
0x04 Not used
0x08 Secure Monitor Call (SMC)
0x0C Prefetch Abort
0x10 Data Abort
0x14 Not used
0x18 IRQ interrupt
0x1C FIQ interrupt
Thanks to the Monitor initialization code, we know the address of the Nexus 5's Monitor exception vector table:
LOAD:FE80CEE0 monitor_vector_table
LOAD:FE80CEE0 B dead_loop ; not used
LOAD:FE80CEE4 ; ---------------------------------------------------------------------------
LOAD:FE80CEE4 B dead_loop ; not used
LOAD:FE80CEE8 ; ---------------------------------------------------------------------------
LOAD:FE80CEE8 B smc_handler ; Secure Monitor Call
LOAD:FE80CEEC ; ---------------------------------------------------------------------------
LOAD:FE80CEEC B dead_loop ; Prefetch Abort
LOAD:FE80CEF0 ; ---------------------------------------------------------------------------
LOAD:FE80CEF0 B dead_loop ; Data Abort
LOAD:FE80CEF4 ; ---------------------------------------------------------------------------
LOAD:FE80CEF4 B dead_loop ; not used
LOAD:FE80CEF8 ; ---------------------------------------------------------------------------
LOAD:FE80CEF8 B sub_FE80CF24 ; IRQ interrupt
LOAD:FE80CEFC ; ---------------------------------------------------------------------------
LOAD:FE80CEFC B sub_FE80CFB4 ; FIQ interrupt
LOAD:FE80CEFC ; End of function monitor_vector_table
We can see that 3 exception handlers are configured: SMC, FIQ, IRQ. Others are dead loops.
IV.3. Secure Monitor Call handler function
HLOS (Non-Secure state) can call the TrustZone API (Secure state) using the SMC instruction to trigger a Secure Monitor Call exception. This exception is taken to Monitor mode, which switches the processor to Secure Supervisor mode to process the call. When the called TrustZone function returns, a second SMC exception is triggered, so the processor enters Monitor mode again. Finally, Monitor mode returns the results to the calling function (Non-Secure state).
Monitor mode acts as a bridge between Non-Secure state and Secure state. It is designed to handle calls initiated from the Non-Secure state only.
The exception vector dedicated to SMC exceptions is the entry at offset 0x08 of the Monitor Exception Vector Table; it is a branch to the handler function.
In this function, which we will name SMC handler, the first instructions save R0-R3 on the Monitor stack, then read SCR and test whether the exception was taken from Secure or Non-Secure state (when the processor is in Monitor mode it is in Secure state regardless of the value of the SCR.NS bit, so SCR.NS still records which world issued the SMC).
LOAD:FE80D028 smc_handler
LOAD:FE80D028
LOAD:FE80D028 varg_r0 = -0x10
LOAD:FE80D028 varg_r1 = -0xC
LOAD:FE80D028 varg_r2 = -8
LOAD:FE80D028 varg_r3 = -4
LOAD:FE80D028
LOAD:FE80D028 STMFD SP!, {R0-R3}
LOAD:FE80D02C MRC p15, 0, R0,c1,c1, 0 ; read SCR register
LOAD:FE80D030 TST R0, #1 ; test SCR.NS bit
LOAD:FE80D034 BEQ loc_FE80D210 ; jump if SCR.NS==0
When an exception is taken to the Monitor mode, CPSR.{A,I, F} bits are set to 1, meaning Abort, IRQ and FIQ exceptions can no longer be taken.
IV.3.A. Call to Secure World
If SCR.NS bit is set, it means the Non-Secure world wants to call the Secure world. We will now analyze the operations performed by the SMC handler until the exception return to the Secure world.
IV.3.A.a Setup current security state
This first step configures the Secure Configuration Register (SCR). Bits<3:1> (SCR.EA, SCR.FIQ and SCR.IRQ) are set to route External Abort, FIQ and IRQ exceptions to Monitor mode. But the Non-Secure bit<0> is not set, so this core will still be in the Secure state if it exits Monitor mode.
LOAD:FE80D038 MOV R0, #SCR_IRQ OR SCR_FIQ OR SCR_EA ; 0b1110
LOAD:FE80D03C MCR p15, 0, R0,c1,c1, 0 ; write SCR with SCR.NS==0
LOAD:FE80D040 ISB SY ; Instruction Synchronization Barrier
LOAD:FE80D040 ; flushes the pipeline in the processor
IV.3.A.b Monitor calls
On a HLOS like Android, SMC exceptions are triggered by the Secure Channel Manager (SCM), implemented in Linux kernel.
A quick look at its source code tells us {R0-R3} registers hold arguments of SMC calls. We also learn that R0 is a bitfield that can be defined by the following macro:
#define SCM_ATOMIC(svc, cmd, n) (((((svc) << 10)|((cmd) & 0x3ff)) << 12) | \
SCM_CLASS_REGISTER | \
SCM_MASK_IRQS | \
(n & 0xf))
With svc the service identifier, cmd the command identifier, and n the argument count of the SMC call.
In SMC handler, R0 value is first shifted right by 12. Based on the SCM_ATOMIC macro definition, resulting R0 value represents a service identifier svc and a command identifier cmd defined as ((svc) << 10)|((cmd) & 0x3ff).
Then R0 value is tested against several immediate values. For each case, a specific function is called if values match.
LOAD:FE80D048 MOV R2, R0,LSR#12 ; extract service & command identifiers
LOAD:FE80D04C MOV R1, #0x402 ; SCM_SVC_BOOT::SCM_CMD_TERMINATE_PC
LOAD:FE80D050 CMP R1, R2
LOAD:FE80D054 LDMEQFD SP!, {R1-R3}
LOAD:FE80D058 BEQ sub_FE80D360
LOAD:FE80D05C MOV R1, #0xC05 ; SCM_SVC_UTIL::CACHE_BUFFER_DUMP_COMMAND_ID
LOAD:FE80D060 CMP R1, R2
LOAD:FE80D064 LDMEQFD SP!, {R1-R3}
LOAD:FE80D068 BEQ sub_FE80D68C
LOAD:FE80D06C MOV R1, #0x404 ; SCM_SVC_BOOT::4
LOAD:FE80D070 CMP R1, R2
LOAD:FE80D074 LDMEQFD SP!, {R1-R3}
LOAD:FE80D078 BEQ sub_FE80D72C
LOAD:FE80D07C MOV R1, #0x1401 ; SCM_SVC_IO::SCM_IO_READ
LOAD:FE80D080 CMP R1, R2
LOAD:FE80D084 LDMEQFD SP!, {R1-R3}
LOAD:FE80D088 BEQ sub_FE80D5AC
LOAD:FE80D08C MOV R1, #0x1402 ; SCM_SVC_IO::SCM_IO_WRITE
LOAD:FE80D090 CMP R1, R2
LOAD:FE80D094 LDMEQFD SP!, {R1-R3}
LOAD:FE80D098 BEQ sub_FE80D5CC
LOAD:FE80D09C MOV R1, #0x3404 ; SCM_SVC_DCVS::DCVS_CMD_EVENT
LOAD:FE80D0A0 CMP R1, R2
LOAD:FE80D0A4 LDMEQFD SP!, {R1-R3}
LOAD:FE80D0A8 BEQ sub_FE80D64C
LOAD:FE80D0AC MOV R1, #0x1403 ; SCM_SVC_IO::TZ_RESET_ID
LOAD:FE80D0B0 CMP R1, R2
LOAD:FE80D0B4 LDMEQFD SP!, {R1-R3}
LOAD:FE80D0B8 BEQ sub_FE80D5EC
LOAD:FE80D0BC MOV R1, #0x1404 ; SCM_SVC_IO::TZ_UPDATE_ID
LOAD:FE80D0C0 CMP R1, R2
LOAD:FE80D0C4 LDMEQFD SP!, {R1-R3}
LOAD:FE80D0C8 BEQ sub_FE80D618
LOAD:FE80D0CC MOV R1, #0x2401 ; SCM_SVC_PWR::SCM_IO_DISABLE_PMIC_ARBITER
LOAD:FE80D0D0 CMP R1, R2
LOAD:FE80D0D4 LDMEQFD SP!, {R1-R3}
LOAD:FE80D0D8 BEQ sub_FE80D74C
As Linux kernel itself initiates a lot of SMC calls, we explore Linux sources to enumerate service and command identifiers passed to SMC calls. Thereby, we will get more information on corresponding functions without reversing them.
Immediate   Service ID (imm>>10)   Command ID (imm&0x3ff)         Function description
0x402       SCM_SVC_BOOT           SCM_CMD_TERMINATE_PC           Put current core in low power state
0xC05       SCM_SVC_UTIL           CACHE_BUFFER_DUMP_COMMAND_ID   Dump the L1 and L2 caches on panic
0x404       SCM_SVC_BOOT           4                              Dummy function, returns to Non-Secure world
0x1401      SCM_SVC_IO             SCM_IO_READ                    Dummy function, returns to Non-Secure world
0x1402      SCM_SVC_IO             SCM_IO_WRITE                   Dummy function, returns to Non-Secure world
0x3404      SCM_SVC_DCVS           DCVS_CMD_EVENT                 Handle some Dynamic Clock and Voltage Scaling (DCVS) events (see also the event definitions)
0x1403      SCM_SVC_IO             TZ_RESET_ID                    Related to GPU power management
0x1404      SCM_SVC_IO             TZ_UPDATE_ID                   Related to GPU power management
0x2401      SCM_SVC_PWR            SCM_IO_DISABLE_PMIC_ARBITER    "Force the SPMI PMIC arbiter to shutdown so that no more SPMI transactions are sent from the MSM to the PMIC."
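To make the R0 bitfield concrete, here is an added Python model (not kernel or TrustZone code) of SCM_ATOMIC and its inverse, plus the first-stage decision smc_handler makes on R0 >> 12: either the call is one of the "monitor calls" above and never leaves Monitor mode, or it falls through to the TrustZone lock. The values of SCM_CLASS_REGISTER (0x2 << 8) and SCM_MASK_IRQS (bit 5) are taken from the msm kernel's scm.c as I remember it and are an assumption; the service numbers and immediates come from the table above. Non-atomic scm_call() requests pass a command-buffer address in R0 instead, so the decoder only applies to atomic calls.

```python
# Bitfield layout of R0 for an "atomic" SMC call, from the SCM_ATOMIC macro:
#   bits 31:12  ((svc << 10) | (cmd & 0x3ff))   what the handler sees after LSR #12
#   bits 11:8   call class                      SCM_CLASS_REGISTER = 0x2 << 8 (assumed)
#   bit  5      SCM_MASK_IRQS                   (assumed: BIT(5) in scm.c)
#   bits 3:0    n, number of register arguments
SCM_CLASS_REGISTER = 0x2 << 8
SCM_MASK_IRQS = 1 << 5

# Service numbers implied by the immediates in the dispatch listing (imm >> 10).
SCM_SVC_NAMES = {1: "SCM_SVC_BOOT", 3: "SCM_SVC_UTIL", 5: "SCM_SVC_IO",
                 9: "SCM_SVC_PWR", 0xD: "SCM_SVC_DCVS"}

# Immediates the Nexus 5 smc_handler compares R0 >> 12 against.
MONITOR_CALLS = {
    0x402: "SCM_CMD_TERMINATE_PC",
    0xC05: "CACHE_BUFFER_DUMP_COMMAND_ID",
    0x404: "4",
    0x1401: "SCM_IO_READ",
    0x1402: "SCM_IO_WRITE",
    0x3404: "DCVS_CMD_EVENT",
    0x1403: "TZ_RESET_ID",
    0x1404: "TZ_UPDATE_ID",
    0x2401: "SCM_IO_DISABLE_PMIC_ARBITER",
}


def scm_atomic(svc, cmd, n):
    """Python port of SCM_ATOMIC: the R0 value the kernel passes to SMC."""
    return ((((svc << 10) | (cmd & 0x3FF)) << 12)
            | SCM_CLASS_REGISTER | SCM_MASK_IRQS | (n & 0xF)) & 0xFFFFFFFF


def decode_scm_r0(r0):
    """Inverse of scm_atomic, for reading R0 out of a trace or a crash dump."""
    imm = r0 >> 12
    svc = imm >> 10
    return {
        "imm": imm,
        "svc": svc,
        "svc_name": SCM_SVC_NAMES.get(svc, "svc_%d" % svc),
        "cmd": imm & 0x3FF,
        "nargs": r0 & 0xF,
        "class_register": bool(r0 & SCM_CLASS_REGISTER),
        "mask_irqs": bool(r0 & SCM_MASK_IRQS),
    }


def monitor_dispatch(r0):
    """First stage of smc_handler.

    Returns ("monitor", <command name>) when R0 >> 12 matches a hard-coded
    immediate (the call is serviced entirely in Monitor mode and returns
    with the common epilogue), else ("trustzone", None): the handler goes on
    to take tz_lock and enter the Secure world proper.
    """
    imm = r0 >> 12
    if imm in MONITOR_CALLS:
        return ("monitor", MONITOR_CALLS[imm])
    return ("trustzone", None)


if __name__ == "__main__":
    for svc, cmd, n in ((1, 2, 1), (0xD, 4, 0), (4, 1, 2)):
        r0 = scm_atomic(svc, cmd, n)
        print("R0=0x%08X %-42s -> %s" % (r0, decode_scm_r0(r0), monitor_dispatch(r0)))
```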
All these functions have the same epilogue:
LOAD:FE80D738 MOV R3, #SCR_NS OR SCR_FIQ OR SCR_AW ; 0b100101
LOAD:FE80D73C MCR p15, 0, R3,c1,c1, 0 ; write SCR : switch to Non-Secure state
LOAD:FE80D740 ISB SY
LOAD:FE80D744 MOV R3, #0 ; clear R3 to avoid leak
LOAD:FE80D748 MOVS PC, LR ; restore Non-Secure PC & CPSR from LR_mon & SPSR_mon
These instructions switch the processor to Non-Secure state and restore PC & CPSR to perform an exception return.
So SMC calls associated with these specific command/service IDs are kind of "Monitor calls", entirely handled in Monitor mode.
But if R0 value does not match these IDs, the execution continues in Monitor mode.
IV.3.A.c TrustZone lock
If the call has not been handled yet, Monitor code tries to acquire a lock to ensure that only one core at a time enters in TrustZone.
First, current CPU id is retrieved from MPIDR. Then, this value is incremented (because 0 means not locked) and used as lock value.
LOAD:FE80D0E0 LDR R1, =tz_lock
LOAD:FE80D0E4 MRC p15, 0, R2,c0,c0, 5 ; read MPIDR register
LOAD:FE80D0E8 AND R2, R2, #0xFF ; extract Aff0 from MPIDR
LOAD:FE80D0EC ADD R2, R2, #1
LOAD:FE80D0F0
LOAD:FE80D0F0 loc_FE80D0F0 ; CODE XREF: smc_handler+D8j
LOAD:FE80D0F0 LDREX R0, [R1] ; read current tz_lock value
LOAD:FE80D0F4 CMP R0, #0 ; test if TrustZone is locked
LOAD:FE80D0F8 STREXEQ R0, R2, [R1] ; if not locked, try to lock TrustZone
LOAD:FE80D0FC CMPEQ R0, #0 ; test if TrustZone is now locked
LOAD:FE80D100 BNE loc_FE80D0F0 ; retry if TrustZone is still not locked
LOAD:FE80D104 DMB SY ; Data Memory Barrier acts as a memory barrier
Then, it tries to acquire the TrustZone lock. This implementation is very similar to the example provided in ARM Ref. (D7.3.1 Acquiring a lock).
It relies on synchronization primitives (LDREX/STREX) to support exclusive accesses to memory shared between cores.
Once the lock is acquired, the current core is the only one running in TrustZone, and the execution can continue.
IV.3.A.d Pre-exception status
LR_mon and SPSR_mon are both banked registers. Their values are generated by the exception entry. LR_mon contains the return address in Non-Secure world (right after the SMC instruction). The purpose of SPSR_mon is to record the pre-exception value of the CPSR.
LOAD:FE80D108 LDR R0, =NS_core_status ; secure area to store Non-Secure (NS) status
LOAD:FE80D10C MOV R1, LR ; read NS return address (LR_mon)
LOAD:FE80D110 MRS R2, SPSR ; read NS CPSR (SPSR_mon)
LOAD:FE80D114 STMIA R0, {R1,R2} ; write LR_mon & SPSR_mon
These two registers are saved in Secure memory to be restored later on exception return.
IV.3.A.e IRQ interruption flag
Then a DWORD at a static address is unconditionally cleared:
LOAD:FE80D118 LDR R1, =tz_irq_interrupted
LOAD:FE80D11C MOV R0, #0
LOAD:FE80D120 STR R0, [R1] ; clear tz_irq_interrupted value
By looking at cross-references, we notice this DWORD is set to 1 in the IRQ handler of Monitor mode. But in both handlers (SMC & IRQ), when an exception returns to the Non-Secure world, the returned value (in R0) is set to 1 if this DWORD is not null.
Furthermore, we can have a look at how SCM interprets the value returned by an SMC call:
#define SCM_INTERRUPTED 1

do {
	asm volatile(
		__asmeq("%0", "r0")
		__asmeq("%1", "r0")
		__asmeq("%2", "r1")
		__asmeq("%3", "r2")
#ifdef REQUIRES_SEC
		".arch_extension sec\n"
#endif
		"smc #0 @ switch to secure world\n"
		: "=r" (r0)
		: "r" (r0), "r" (r1), "r" (r2)
		: "r3");
} while (r0 == SCM_INTERRUPTED);
SCM will reiterate each SMC call while the returned value is 1.
We can deduce that this DWORD indicates if the exception return is due to an IRQ interrupt. TrustZone Whitepaper (3.3.3 Secure interrupts) says ARM recommends the use of IRQ as a Normal world interrupt source. That's why IRQ interrupts are handled in the Normal world.
IV.3.A.f Configure Secure world MMU
The next block of instructions modifies the translation table of the Secure MMU (ARM Ref. B3.1 About the VMSA) if two conditions are met:
--
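The TrustZone lock encoding and the SCM retry loop from the post above, modelled in C as an added example (not code from the post, the blog, or the Nexus 5 firmware): the LDREX/STREX loop becomes a compare-and-swap on tz_lock, and a constructed stand-in for the Monitor SMC handler returns SCM_INTERRUPTED while a simulated IRQ is pending. The names tz_lock_acquire, tz_lock_owner, monitor_smc, scm_call, the max_spins bound and the result value cmd ^ 0xA5A5 are assumptions of this model.

```c
#include <stdatomic.h>
#include <stdbool.h>
#define SCM_INTERRUPTED 1

/* tz_lock: 0 means unlocked, otherwise (Aff0 + 1) of the core inside TrustZone. */
static atomic_uint tz_lock = 0;
/* Set by the Monitor IRQ handler, cleared at every SMC entry (tz_irq_interrupted). */
static unsigned tz_irq_interrupted = 0;

/* Models loc_FE80D0F0: the LDREX/STREX loop as a compare-and-swap on tz_lock.
 * Returns true once the core (Aff0 of MPIDR) holds the lock. max_spins bounds the
 * retry so this single-threaded model cannot hang; the real loop spins forever. */
bool tz_lock_acquire(unsigned mpidr, unsigned max_spins) {
    unsigned want = (mpidr & 0xFF) + 1;          /* AND R2,R2,#0xFF ; ADD R2,R2,#1 */
    for (unsigned i = 0; i < max_spins; i++) {
        unsigned expected = 0;                   /* CMP R0,#0 : only lock when free */
        if (atomic_compare_exchange_strong(&tz_lock, &expected, want))
            return true;                         /* STREXEQ succeeded, DMB follows */
    }
    return false;                                /* model only: give up after max_spins */
}

/* Core holding the lock, or -1 when free (undoes the Aff0 + 1 encoding). */
int tz_lock_owner(void) {
    unsigned v = atomic_load(&tz_lock);
    return v ? (int)(v - 1) : -1;
}

/* Release the lock; returns the core that held it, or -1 if it was already free. */
int tz_lock_release(void) {
    unsigned v = atomic_exchange(&tz_lock, 0);
    return v ? (int)(v - 1) : -1;
}

/* Constructed stand-in for the Monitor SMC handler: the first pending_irqs
 * entries are interrupted by an IRQ, so R0 comes back as SCM_INTERRUPTED
 * instead of the command result (the result cmd ^ 0xA5A5 is an assumption). */
static unsigned pending_irqs = 0, smc_entries = 0;
static unsigned monitor_smc(unsigned r0) {
    smc_entries++;
    tz_irq_interrupted = 0;                      /* STR R0,[R1] at FE80D120 */
    if (pending_irqs) { pending_irqs--; tz_irq_interrupted = 1; }
    return tz_irq_interrupted ? SCM_INTERRUPTED : (r0 ^ 0xA5A5);
}

/* The Linux scm_call loop quoted in the post: re-issue the SMC while R0 == 1. */
unsigned scm_call(unsigned cmd, unsigned irqs_before_completion) {
    pending_irqs = irqs_before_completion;
    smc_entries = 0;
    unsigned r0;
    do { r0 = monitor_smc(cmd); } while (r0 == SCM_INTERRUPTED);
    return r0;
}
/* Number of SMC re-issues the last scm_call needed. */
unsigned scm_last_retries(void) { return smc_entries - 1; }
```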
Wouldn't it be easier to provide the link?
http://www.fredericb.info/2014/12/analysis-of-nexus-5-monitor-mode.html