[REF] Investigation Into PIT Files - Galaxy S I9000 Android Development

There is very little technical information on PIT files, so this thread is an attempt to find out some real details about PIT files, and perhaps eventually be able to create our own PIT files (by modifying Samsung ones, probably).
First, what we think we know PIT files do:
- PIT files only affect the 'STL' devices. That is, it affects the OneNAND and not the MoviNAND.
- PIT files appear to control the sizing (and maybe number) of STL devices that appear in Linux.
- PIT files appear to be used by Odin to map filenames inside .tar archives to STL partitions.
STL files are quite small, at under 2KB in size. Most of the file is made up of 0s. I have tried to compare the differences between the 512, 513 and 803 PIT files we have available.
All the PIT files start with 76 98 34 12 0D - probably a signature to show it is a PIT file.
[Unimportant]
The 803 PIT file then has 00s all the way to the next common point. The 512 and 513 both have common data till the next common point - but this can't be too important as the 803 just has 00s.
The next common bit seems to read the following:
"oft IBL+PBL Server\90\To boot.bin inn; C:\Program Files\ESTsof
This probably indicates something to Odin. Strange that it has C:\Program Files\ - build path for the PIT file?
Next we have some 0s with common 1s inside them, followed by the word PIT, then more 0s, and then ries.pit. All common from here on with the words 'EFS' and 'efs.rfs'. Probably telling Odin to map the efs.rfs file to the 'EFS' token. Tokens probably defined either in the kernel, or in the closed source STL library. More of the same after this, with 'SBL' 'sbl.bin', 'SBL2' 'sbl.bin' -- both SBL and SBL2 map to the same sbl.bin file?
'PARAM' to 'param.lfs'
'KERNEL' to 'zImage'
'RECOVERY' to 'zImage' (this one is interesting - could we have separate zImage and recovery? Could save some RAM here!)
[/Unimportant]
And now we're onto the actual changes between the PIT files. 'FACTORYFS' maps to 'factoryfs.rfs'. However, before the FACTORYFS token, there are some bytes that likely control the partition sizes.
FACTORYFS
803 : A2 04 : 41476
512 : 7A 04 : 31236
513 : CA 04 : 51716
DBDATA
803 : F0 01 : 61441
512 : 18 02 : 6146
513 : C8 01 : 51201
CACHE
803 : 8C
512 : 8C
513 : 8C
MODEM
803 : 32
512 : 32
513 : 32
So there we have it. The only real changes between the PIT files are some seemingly garbage header information in 512/513 that is missing from 803, and FACTORYFS and DBDATA have different numbers -- probably sizes.
So assuming FACTORYFS maps onto /system, we can see that the only difference between the PIT files is moving space back and forth between /dbdata and /system. The numbers themselves don't mean anything to me - can anybody work it out?

The numbers are little-endian, so you need to read them backwards byte by byte. So instead of A12 it's actually 120A, etc. If you do so, you can see that the difference between 803 and 512 is actually minor: 40 "units" are shifted between (probably) DBDATA and SYSTEM.
Btw: doesn't the Heimdall project know something about the PIT files?

Nice, that gives us
FACTORYFS
803 : 04 A2 : 1186
512 : 04 7A : 1146
513 : 04 CA : 1226
DBDATA
803 : 01 F0 : 496
512 : 02 18 : 536
513 : 01 C8 : 456
1186+496=1682
1146+536=1682
1226+456=1682
So we have a match.
Now to work out why the fat.format can work with 536, but not with 496
EDIT: Also, need to determine why some roms require certain PIT files. Only possibility I can see is that junk in the header - could be some type of allow list for firmwares. The 803 PIT should therefore work on all firmwares, since it just has 00s. Maybe.

In 803.pit (compared to the .512 one) the system partition size has been increased by 10MB, while DBDATA partition size has been decreased the same amount (10MB).
PS: Dump the BML2 partition. The dump contains current partition mapping.
Hope this helps

RyanZA said:
Nice, that gives us
FACTORYFS
803 : 04 A2 : 1186
512 : 04 7A : 1146
513 : 04 CA : 1226
DBDATA
803 : 01 F0 : 496
512 : 02 18 : 536
513 : 01 C8 : 456
1186+496=1682
1146+536=1682
1226+456=1682
So we have a match.
Now to work out why the fat.format can work with 536, but not with 496
EDIT: Also, need to determine why some roms require certain PIT files. Only possibility I can see is that junk in the header - could be some type of allow list for firmwares. The 803 PIT should therefore work on all firmwares, since it just has 00s. Maybe.
I think the main cause is that some firmwares simply don't fit in the space reserved for them. Some of them have larger system, some of them have larger dbdata partitions. Only a guess though; I think I'll start flashing PIT files just for fun...

RazvanG said:
In 803.pit (compared to the .512 one) the system partition size has been increased by 10MB, while DBDATA partition size has been decreased the same amount (10MB).
Hope this helps
10MB = 40 units... That would give us 1 unit = 256 KB. Nice.

So this means:
BOOT (bml01) = 01 = 1 = 0.25 MB (bootloader)
PIT (bml02) = 01 = 1 = 0.25 MB (the partition table)
EFS (bml03) = 28 = 40 = 10 MB (IMEI data and such)
SBL (bml04) = 05 = 5 = 1.25 MB (secondary bootloader)
SBL2 (bml05) = 05 = 5 = 1.25 MB (secondary bootloader backup)
PARAM (bml06) = 14 = 20 = 5 MB (the images shown when something is wrong)
KERNEL (bml07) = 1E = 30 = 7.5 MB (kernel image)
RECOVERY (bml08) = 1E = 30 = 7.5 MB (kernel image backup)
FACTORYFS (bml09) = 47A = 1146 = 286.5 MB (/system)
DBDATA (bml10) = 218 = 536 = 134 MB (/dbdata)
CACHE (bml11) = 8C = 140 = 35 MB (/cache)
MODEM (bml12) = 32 = 50 = 12.5 MB (software for wireless)
total: 501 MB
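To make the byte-order point and the 256 KB unit concrete, here is an added example (not code from the thread) that decodes the two-byte size fields quoted in the posts above with Python's struct module, rebuilds each PIT's table in KB and checks that all three PITs add up to the same total. The byte values and partition order are the ones quoted in the thread; the unit size is the 256 KB derived above.

```python
import struct

UNIT_KB = 256  # one PIT size unit = 256 KB (the thread derives this from 40 units = 10 MB)

# Partitions whose size field is identical in all three PITs, as listed in the thread.
FIXED_UNITS = [
    ("BOOT", 0x01), ("PIT", 0x01), ("EFS", 0x28), ("SBL", 0x05),
    ("SBL2", 0x05), ("PARAM", 0x14), ("KERNEL", 0x1E), ("RECOVERY", 0x1E),
]
TAIL_UNITS = [("CACHE", 0x8C), ("MODEM", 0x32)]

# The two-byte size fields exactly as the first post quoted them from each file
# (byte order as stored on disk, i.e. little-endian).
RAW_FIELDS = {
    "512": {"FACTORYFS": b"\x7a\x04", "DBDATA": b"\x18\x02"},
    "513": {"FACTORYFS": b"\xca\x04", "DBDATA": b"\xc8\x01"},
    "803": {"FACTORYFS": b"\xa2\x04", "DBDATA": b"\xf0\x01"},
}


def decode_units(raw):
    """Read a size field as the 16-bit little-endian integer it actually is."""
    return struct.unpack("<H", raw)[0]


def decode_units_big_endian(raw):
    """The misreading from the first post (A2 04 -> 41476), kept for comparison."""
    return struct.unpack(">H", raw)[0]


def layout_units(pit):
    """Full partition table of one PIT in 256 KB units, in on-flash order."""
    fields = RAW_FIELDS[pit]
    return (FIXED_UNITS
            + [("FACTORYFS", decode_units(fields["FACTORYFS"])),
               ("DBDATA", decode_units(fields["DBDATA"]))]
            + TAIL_UNITS)


def layout_kb(pit):
    """Same table with every size converted to KB."""
    return {name: units * UNIT_KB for name, units in layout_units(pit)}


def total_kb(pit):
    return sum(layout_kb(pit).values())


def units_moved(pit_from, pit_to, name):
    """How many units a partition gained (negative: lost) going from one PIT to another."""
    return dict(layout_units(pit_to))[name] - dict(layout_units(pit_from))[name]


def check_consistent(pits=("512", "513", "803")):
    """True if every PIT sums to the same total: resizing only moves space, never creates it."""
    return len({total_kb(p) for p in pits}) == 1


if __name__ == "__main__":
    for pit in RAW_FIELDS:
        kb = layout_kb(pit)
        print(f"{pit}.pit: {total_kb(pit)} KB total, "
              f"FACTORYFS={kb['FACTORYFS']} KB, DBDATA={kb['DBDATA']} KB")
    moved = units_moved("512", "803", "FACTORYFS")
    print(f"FACTORYFS 512 -> 803: {moved} units = {moved * UNIT_KB // 1024} MB")
    print("all PITs share one total:", check_consistent())
```

Run it directly to print the per-PIT totals; decode_units_big_endian reproduces the first post's reading (41476 for A2 04) so the two interpretations can be compared side by side, and check_consistent is the quick sanity test to run on any edited table before it goes anywhere near Odin.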

sztupy said:
I think the main cause is that some firmwares simply don't fit in the space reserved for them. Some of them have larger system, some of them have larger dbdata partitions. Only a guess though; I think I'll start flashing PIT files just for fun...
Not sure how true this can be -- take 512 vs 513 for example. Newer Eclair ROMs stopped working on 513, and required 512. However, 513 has a smaller dbdata and larger system than 512. Since we know that a clean ROM when flashed has a /dbdata of around 2 MB, or 1% or so of available space, it can't be space related.
There must be more to it than simple space allocations.
EDIT: And 501 MB means we have space left over. Where is it hiding?

RyanZA said:
Not sure how true this can be -- take 512 vs 513 for example. Newer Eclair ROMs stopped working on 513, and required 512. However, 513 has a smaller dbdata and larger system than 512. Since we know that a clean ROM when flashed has a /dbdata of around 2 MB, or 1% or so of available space, it can't be space related.
There must be more to it than simple space allocations.
EDIT: And 501 MB means we have space left over. Where is it hiding?
Yes, but the flashed dbdata.rfs was probably actually a large partition that didn't fit into the allocated space.
Yes, the missing 11 MB is strange, unless there is a 1 MB "safety" gap between two partitions (12 partitions = 11 gaps), or some other data.
EDIT: No, I dumped BML0, it's only 501 MB in length. The missing part might still be some space needed for the BML and STL to work.

Hi. I'm sorry for hijacking this thread, but I need professional help from some geniuses (genii), and apparently you guys are firmware gurus.
Once you guys figure out how PIT files work, can you please help me figure out how to force flash Korean firmware onto an international phone without bricking it? The reason I would like to do this is that the Korean version has some really nice features, for example native call recording (3rd party call recorders have bad quality). I made a thread for it here.
Thanks a lot, thank you very much!

Galaxy S I9000 PIT structure:
512.pit
PBL: 256KB (Primitive Bootloader)
PIT: 256KB
EFS: 10240KB (Non Volatile Memory)
SBL(1): 1280KB (Primary)
SBL(2): 1280KB (Backup)
PARAM: 5120KB
KERNEL(1): 7680KB (Primary)
KERNEL(2): 7680KB (Backup)
FACTORYFS: 293376KB
DBDATAFS: 137216KB
CACHE: 35840KB
MODEM: 12800KB
Total: 513024KB
513.pit
PBL: 256KB
PIT: 256KB
EFS: 10240KB
SBL(1): 1280KB
SBL(2): 1280KB
PARAM: 5120KB
KERNEL(1): 7680KB
KERNEL(2): 7680KB
FACTORYFS: 313856KB
DBDATAFS: 116736KB
CACHE: 35840KB
MODEM: 12800KB
Total: 513024KB
803.pit
PBL: 256KB
PIT: 256KB
EFS: 10240KB
SBL(1): 1280KB
SBL(2): 1280KB
PARAM: 5120KB
KERNEL(1): 7680KB
KERNEL(2): 7680KB
FACTORYFS: 303616KB
DBDATAFS: 126976KB
CACHE: 35840KB
MODEM: 12800KB
Total: 513024KB
Where there are backup blocks (e.g. SBL and Kernel), Odin flashes both of them while executing the flashing process.

dillovic said:
Hi. I'm sorry for hijacking this thread, but I need professional help from some geniuses (genii), and apparently you guys are firmware gurus.
Once you guys figure out how PIT files work, can you please help me figure out how to force flash Korean firmware onto an international phone without bricking it? The reason I would like to do this is that the Korean version has some really nice features, for example native call recording (3rd party call recorders have bad quality). I made a thread for it here.
Thanks a lot, thank you very much!
Galaxy S M110S is completely different hardware.
All other I9000 variants use Infineon X-Gold 616 baseband (Modem), while M110S uses Qualcomm baseband chip.

I tried modifying the PIT file, to add more space to /dbdata and take space away from /system. I added around 25MB extra space to /dbdata.
It wasn't that hard actually, and I didn't encounter many problems (except the fact that the values are for the bare BML device, on top of which the STL has an extra 4-10% overhead, so instead of the originally planned 35MB I could only spare 25).
If anyone's interested I can upload the modified PIT and ROM files.
Some remarks / questions:
- If we use the bare BML device instead of the STL I know we lose wear leveling (at least according to the RFS docs from Samsung), but can't we use YAFFS or similar on those devices? Or what if we (can we?) use cramfs for /system on the BML, to gain even more space we could use for the /dbdata partition?
- The overhead the STL has seems a bit random to me. /system and /dbdata have a 4% overhead, while /cache has a 10% one.

I'd be careful about resizing the partitions manually. Samsung should have aligned the partitions for best performance.
I'm not sure if it's a placebo, but PIT 512 seems faster to me than PIT 803.

hardcore said:
I'd be careful about resizing the partitions manually. Samsung should have aligned the partitions for best performance.
I'm not sure if it's a placebo, but PIT 512 seems faster to me than PIT 803.
Aligning should not be terribly hard -- we already specify sizes in 256 KB pieces instead of raw bytes. The alignment therefore is somewhere between 256 KB and 4 MB. If we align for 4 MB, we align for everything smaller too. So as long as the numbers used are cleanly divisible by 4*4=16, it will be correctly aligned.
Flashing a PIT file with repartition checked seems to (according to docs) reset the wear leveling (the current record of what was written where, I guess), so you should not tick repartition if you are flashing many times in a row. (Many times is probably some very big number.)
I can't see why we couldn't use YAFFS or a similar filesystem. Might work really well. I've got no experience setting up YAFFS though, and I don't believe it is trivial.
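As an added example (not from the thread), the following Python applies the divisibility test from the post above to a stock table and to a rebalanced one, using the 256 KB units the thread established and the 25 MB (= 100 unit) move sztupy described. It assumes partitions are laid out back to back in list order (so start offsets are cumulative sums) and takes the roughly 4% STL overhead sztupy reported as an adjustable parameter; both are assumptions, not facts read from the PIT files.

```python
from functools import reduce
from math import gcd

UNIT_KB = 256
ALIGN_4MB_UNITS = 4 * 1024 // UNIT_KB   # 16 units = 4 MB, the target reasoned about above

# Stock 512.pit in 256 KB units, in on-flash order, from the thread's table.
PIT_512 = [
    ("BOOT", 1), ("PIT", 1), ("EFS", 40), ("SBL", 5), ("SBL2", 5), ("PARAM", 20),
    ("KERNEL", 30), ("RECOVERY", 30), ("FACTORYFS", 1146), ("DBDATA", 536),
    ("CACHE", 140), ("MODEM", 50),
]


def rebalance(table, units, src="FACTORYFS", dst="DBDATA"):
    """Move `units` from src to dst. The total is preserved; the source must stay non-empty."""
    sizes = dict(table)
    if units <= 0 or units >= sizes[src]:
        raise ValueError("move must be positive and leave the source partition non-empty")
    sizes[src] -= units
    sizes[dst] += units
    new_table = [(name, sizes[name]) for name, _ in table]
    # Resizing only moves space between partitions; the flash does not grow.
    if sum(s for _, s in new_table) != sum(s for _, s in table):
        raise AssertionError("total changed during rebalance")
    return new_table


def start_offsets(table):
    """Start of each partition in units, assuming a contiguous back-to-back layout (assumption)."""
    starts, pos = {}, 0
    for name, size in table:
        starts[name] = pos
        pos += size
    return starts


def misaligned(table, align_units=ALIGN_4MB_UNITS):
    """Names of partitions whose size or start offset is not a multiple of align_units."""
    starts = start_offsets(table)
    return [n for n, s in table if s % align_units or starts[n] % align_units]


def guaranteed_alignment_kb(table):
    """Largest boundary every partition size is a multiple of, i.e. what the table itself guarantees."""
    return reduce(gcd, (s for _, s in table)) * UNIT_KB


def usable_stl_kb(size_units, overhead_pct=4):
    """Space visible through STL after the ~4% overhead observed on /system and /dbdata (assumption)."""
    return size_units * UNIT_KB * (100 - overhead_pct) // 100


if __name__ == "__main__":
    bigger_dbdata = rebalance(PIT_512, 100)          # the 25 MB move described in the thread
    for label, table in (("stock 512", PIT_512), ("rebalanced", bigger_dbdata)):
        print(f"{label}: {dict(table)['FACTORYFS']} / {dict(table)['DBDATA']} units, "
              f"guaranteed alignment {guaranteed_alignment_kb(table)} KB, "
              f"not 4 MB aligned: {misaligned(table)}")
    print("DBDATA visible via STL after overhead:", usable_stl_kb(dict(bigger_dbdata)["DBDATA"]), "KB")
```

Applied to the stock 512 table, no partition size is a multiple of 16 units and the sizes share no factor larger than one unit, so the only boundary the stock tables themselves guarantee is 256 KB; a rebalanced table can be checked the same way before it is flashed with repartition ticked.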

RyanZA said:
Aligning should not be terribly hard -- we already specify sizes in 256 KB pieces instead of raw bytes. The alignment therefore is somewhere between 256 KB and 4 MB. If we align for 4 MB, we align for everything smaller too. So as long as the numbers used are cleanly divisible by 4*4=16, it will be correctly aligned.
Flashing a PIT file with repartition checked seems to (according to docs) reset the wear leveling (the current record of what was written where, I guess), so you should not tick repartition if you are flashing many times in a row. (Many times is probably some very big number.)
I can't see why we couldn't use YAFFS or a similar filesystem. Might work really well. I've got no experience setting up YAFFS though, and I don't believe it is trivial.
I wonder if it is possible to make very small /system partition, and move it to mmcblk0 - since it is read only, performance will be ok. And make large dbdata partition, and keep /data/data there. That may be the ultimate lag fix
Sent from my GT-I9000 using XDA App

vitalij said:
I wonder if it is possible to make very small /system partition, and move it to mmcblk0 - since it is read only, performance will be ok. And make large dbdata partition, and keep /data/data there. That may be the ultimate lag fix
Sent from my GT-I9000 using XDA App
It is possible, but how would you flash a firmware then?
We are quickly approaching the 'throw it all away, and start from scratch with our own tools and bootloader' point.

RyanZA said:
It is possible, but how would you flash a firmware then?
We are quickly approaching the 'throw it all away, and start from scratch with our own tools and bootloader' point.
So are u guys planning to release the new galaxy s series phone??
You should rename it to galaxy-xda

So, from the info you have gathered, is there any point in using a PIT file when repartition is not checked?

huxflux2003 said:
So, from the info you have gathered, is there any point in using a PIT file when repartition is not checked?
I don't really see much point, but then again the PIT file will tell Odin (if you're flashing PDA) explicitly where the kernel should be flashed.
Also, I noticed that the kernel partition is only 7.5-6 MB. Does it mean that we can't use larger kernels (because I think Voodoo might be larger - hence the screen tear on boot)?

Related

oldest Firmware maybe mandatory for Research - XXJB6

For investigation I'm searching for oldest Firmware...
At the moment I found "only".
S8500XXJB6.rar
Differences:
1.
Few addresses not same in Multiloader
2.
Not running on my handset... accept amss.bin
3.
TriX can't extract anything...
PSAS can't decrypt apps_compressed.bin
4.
Bootloader different
Best Regards
older firmware, like S8500XXJB6, is a bit different (it is much closer in structure to S8000)
ad. 2, I assume you have a newer bootloader in the phone (it won't accept the older one)
ad. 3, shp, csc file signature is a bit different (will be fixed soon). FS file is just a FAT16 image (TriX supports FAT images via the FATe plugin; I had no idea FAT images were used before, I will add the FATe plugin in the next build)
ad. 4, if someone still has that firmware in the phone he is a very lucky guy. I can bet the Jet Android port can be ported to it without any problem - the JB6 bootloader is not encrypted.
5.
Rsrc2_S8500(Low).rc2 works also in JI5 for instance...
Different Boot Pics... maybe this helps to identify location of each Pic.
Battery...
Samsung Logo...
.
.
.
Maybe we find out, which Format... maybe also QMG.
Best Regards
you can already extract rc2 files
use the same program that is used for older samsungs
this one if I'm not wrong
http://code.google.com/p/samsung-firmware-tools/
I've used Tool WinImage for extraction of *.FFS... renamed into *.img
Useful also for FFS of other bada handsets like:
S5250
S5330
S5750
S7230
In CSC of S8500XXJB6 I navigate via 005C00 to see where folder/file is.
Best Regards
Still problem.
That I can't bypass Bootloader Security...
Not with Multiloader nor with JTAG...
My knowledge how Boot is correct written + activated... = 0
I saw some other Firmware from other models... it seems IMRC is still used...
Maybe someone found Algo or Tool to decode RC1.
Thanx.
Best Regards
Blub...
XXJB6 unfinished mission...
2 new Firmware good for research.
XXJEB as bada 1.x Firmware... nearly all Certs removable...
Only Integrity check for *.so files left.
For bada 2.x
XPKG5 very interesting...
Only bad, I can't find where these 2 last Certs are stored?
Code:
SamsungSBRootCA.cer
Samsung_RootCA.crt
Best Regards
New attempt with JTAG... but again failed... :crying:
Magic is now CMM Script...
BUT I have only ELF from XXJEB...
Maybe this is the reason why Multiloader not flash XXJB6 Bootloader...
Now I could learn more about CMM...
To flash correct file to correct address...
Or maybe way to extract RC1 ... because old IMRC Algo...
Not sure if maybe broken for other Samsung handsets...
Best Regards
Hmm, I can see S8000 Jet use for RC1 also IMRC...
Maybe possible to flash RC1 XXJB6 to S8000, then copy content from handset...
Best Regards
Please help.
I am searching for friendly S8000 Jet User.
Can someone confirm working Command:
Code:
FmSecureMode off
And I wish content of S8000 folder System please.
See here what I mean:
http://forum.xda-developers.com/showpost.php?p=12436452&postcount=1
Thanx in advance.
Best Regards
http://forum.xda-developers.com/showpost.php?p=34508619&postcount=132
Now I have own S8000 Jet...
First try to flash RC1 from XXJB6 fail...
NAK_invalid_len
Need more knowledge about S8000...
Best Regards
Edit 1.
Maybe no chance... I have forgotten to check size...
Rsrc_S8000_Open_Benelux_OCE.rc1 is 80 MB
Rsrc_S8500_Open_Europe_Common.rc1 is 100 MB
Maybe S8000 not reserved 100 MB for RC1... :crying:
Edit 2.
I have removed 20 MB...
S8000 Jet start with reduced XXJB6 RC1
Now I copy System folder...
Maybe few files corrupted and over 20 MB missing...
But better then nothing. :victory:
http://forum.xda-developers.com/showpost.php?p=34518982&postcount=34
Okay, second attempt successfully read few files from XXJB2 RC1...
And I found limit for RC1 in S8000...
Code:
> FLASH_RSRC1_SIZE : 0X04B00000
> FLASH_RSRC1_START_ADDR : 0X03700000
> FLASH_RSRC1_END_ADDR : 0X08200000
So "80 MB"...
Will check older Firmware, maybe more place in other Versions reserved...
Best Regards
http://www.mediafire.com/?um7dr5ufti7h0dx
Here is folder with RBMs from XXJB6.
Also not all are visible with Wave_Remaker...
Few are funny and interesting...
Later I will upload more... but again.
During small reservation of S8000 I was only able to flash 75 MB of 100 MB from RC1.
Maybe also few files are corrupt... Not checked all.
Best Regards
I'm trying to collect few other Firmware from other Samsung devices...
U700 IMRC seems other algo maybe...
Bluescreen ... on S8000
FmMountVolume
Fm_FS_LFS
FM_PARTITION_LFS_C
Next try is M8910 RC1...
Btw. I have forgotten XXJC5 is also IMRC and bigger than XXJB6...
Later more...
Best Regards
Edit 1.
M8910 RC1 without problems work on S8000...
Remember only end.bin last 1024 Byte have to be modified for correct addresses...
Edit 2.
S5620 RC1 tested...
It seems more compatible than U700 RC1 but also loops...
Maybe if I can disable Animation Power ON then chance to check next Error...
New Year... New attempt
Bootfiles Mixed with XXJEB...
boot_loader.mbn from XXJEB
dbl.mbn from XXJB6
Multiloader can flash this combination and it seems XXJEB then work...
I hope if I manage to understand how to use Binary instead ELF in CMM Script, then maybe I am 1 day able to flash Boot from XXJB6...
Best Regards
IMRC related... there are more Samsung devices with IMRC compressed RC1...
Code:
RC1(IMRC) compatible size
S8000 x 75/80
S8500 XXJB6 x 100+
M8910 x 75/?
S5620 -
U700 -
F480 -
S5510 -
S7350 -
G800
U900
I am not sure if different IMRC Versions... because mandatory few RBM files needed in System folder...
Best Regards
Edit 1.
Sometimes I can see Power ONOFF Animation...
Edit 2.
It seems IMRC different Versions... see first 8 Byte...
F480 for instance compared with S8500...
I think at 0x14 4 bytes for decompressed size are stored... little endian
yes, the header is different.
index - also. but it is clear.
the compression algorithm - still a mystery
PHP:
//magick //always1 //index_type //size??? //count //array of tail size or offset
G80LXEIE1 0x43524D49 0x00001000 0x0000000B 0x00000006 0x02464A38 0x00002466 0x00000000 0x00000338 0x000004A0 0x000007C8 0x00000924 0x00000BA4 0x00000CFC 0x00000F94 0x000010E4
U70BXEIF1 0x43524D49 0x00001000 0x0000000B 0x00000006 0x01E5BB48 0x00001E5D 0x00000000 0x00000338 0x00000498 0x00000774 0x000008B8 0x00000BC4 0x00000D28 0x00000EF8 0x00001028
F480XEHE1 0x43524D49 0x00001000 0x0000000C 0x00000006 0x01A55024 0x00001A56 0x00000170 0x0000030F 0x0000013A 0x000002F6 0x00000147 0x000002B6 0x000000E4 0x00000295 0x00000144
F48FXEID1 0x43524D49 0x00001000 0x0000000C 0x00000006 0x01EF4A6C 0x00001EF5 0x0000016C 0x000002E7 0x0000014B 0x00000335 0x0000012D 0x000002A1 0x000000E0 0x00000277 0x0000013F
S5510XEIJ1 0x43524D49 0x02000400 0x00001000 0x0000000C 0x00000006 0x01CC581C 0x00001CC6 0x00000165 0x00000358 0x000000AE 0x00000277 0x000000BD 0x00000284 0x0000015D 0x00000327 0x000000EC
S735EXEII2 0x43524D49 0x02000400 0x00001000 0x0000000C 0x00000006 0x02A74E80 0x00002A75 0x00000147 0x0000033A 0x000000D4 0x000002A0 0x000000B5 0x0000027E 0x00000125 0x00000315 0x00000111
S8500XXJB6 0x43524D49 0x02000400 0x00001000 0x0000000C 0x00000006 0x09BF64A0 0x00009BF7 0x00000141 0x000002DC 0x00000116 0x00000280 0x0000014B 0x000002FB 0x00000155 0x000002D4 0x00000124
U90UXEIE3 0x43524D49 0x00001000 0x0000000C 0x00000006 0x032BAF08 0x000032BB 0x00000168 0x0000030B 0x0000012F 0x000002C3 0x0000013F 0x000002D0 0x00000103 0x00000272 0x000000D0
I don't understand if RC1 is decompressed by Bootloader or by apps_compressed.bin...
QMD in Header is in later Firmware from S8500...
Short tested...
I can change this in RC1...
QAB
S8500 starts normal...
If I try to change all 3 letters... then short Bluescreen... But I can't see Error message fast enough... maybe later...
I have changed into 123 instead QMD...
Will check again... Maybe I can capture Bluescreen...
Video or something else...
Later I will try this with S800 and IMRC textstring...
I want to identify if Boot or apps_c task to decompress RC1...
Best Regards
Edit 1.
I hope Pic is readable... Tested with Debug Level high and on XXJEB S8500...
Looks like something like this...
Code:
QuramMduceRFlashInitM((void*)pFotaRsrcCompHeader[QURAM_RSRC_BIN_TYPE_LFS]
Found in apps_compressed.bin...
Hmmmmmmmmmmmm. In theory it seems I don't need Bootloader from XXJB6...
BUT... damn apps_compressed.bin is also secured by something ugly...
Last 1024 Byte... aka end.bin...
Anyway... will now check again IMRC Header in S8000...
Maybe here also possible to force Bluescreen in Debug Level High...
Best Regards
If I destroy IMRC Header on S8000... XPJA1... Debug Mid...
Later I will try to catch all 5 Bluescreens..
Here 1/5...
Best Regards
Code:
RC1(IMRC) compatible size
S8000 x 75/80
S8500 XXJB6 x 100+
M8910 x 75/?
S5620 -
U700 -
F480 -
S5510 -
S7350 -
G800 -
U900
S5600 -
B5310 -
Found few more devices...
It seems "-" does not always mean incompatible... I can sometimes see the Power ON/OFF animation... smaller resolution than 480 x 800... So maybe the reason is that smaller *.rbm files force a reboot... Will check "later" with Debug Mid...
Best Regards

bTerm - bada terminal application

http://code.google.com/p/badadroid/downloads/detail?name=bTerm_v0.13.zip&can=2&q=
sample bada terminal application. Connected device is detected automatically.
Available commands:
open - open the COM port
close - close the COM port
dump <address> <length> - dump NAND area
dumpram <address> <length> - dump RAM area
run <path_to_file> - execute the code from file
exit - terminate program
Keep in mind reading from invalid address cause Data Abort exception occurs.
Thank you very much b.kubica
As my brain is too small to try/understand all things.
Maybe others have tried?
Thanx in advance.
Best Regards
I am too stupid to read RAM...
http://forum.xda-developers.com/showthread.php?t=1093565
Maybe we can find in RAM uncompressed bada 2.0 stuff or for instance content of *.rbm files...
Maybe someone can please help me.
Thanx in advance.
Best Regards
bTerm works (for now) only in download mode. though implementation via AT command should be possible
Run executable
Hello, is run file implemented?
I tried to run programs on GT8500 (FW 1.2), and always get error like this:
>run Solitaires.exe
term_send: only sent 0 bytes of 8210
term_receive: ReadFile returned error!
OK - 0
>run LyricLegend.exe
term_send: only sent 0 bytes of 8209
term_receive: ReadFile returned error!
OK - 0
I need a way of running console programs on the device for unit testing. Is bTerm suitable for this task?
RealGred said:
I need a way of running console programs on the device for unit testing. Is bTerm suitable for this task?
Damn. No! It is not. And no, it is not possible in any other way.
http://code.google.com/p/badadroid/downloads/detail?name=bTerm_v0.15.zip&can=2&q=
New Version v0.15
Thank you.
Still unsolved problem because toooo small brain... which area to enter for RAM?
Best Regards
both 0x40000000 and 0x20000000 are valid start addresses
Any idea how to patch apps_compressed.bin of S8500BUKI1 to try this on bada 2.0?
I know how to decrypt and encrypt with Wave Remaker
Also I have a little knowledge of using a hex editor
I can flash back XXJEE bootloader for its security hole
I just need address and data to write
Best Regards
follow these posts
http://forum.xda-developers.com/showpost.php?p=17872425&postcount=383
http://forum.xda-developers.com/showpost.php?p=17876128&postcount=385
I have only bada_term.fota from v0.11
Results...
In v0.13
Code:
>dumpram 20000000 100000
dumping 1.0 MB at 0x20000000: 14%
Error receiving packet (8192 bytes at 0x20026000). Received 0 bytes only.
>dumpram 40000000 100000
dumping 1.0 MB at 0x40000000: 16%
Error receiving packet (8192 bytes at 0x4002A000). Received 0 bytes only.
>dumpram 41000000 100000
dumping 1.0 MB at 0x41000000: 16%
Error receiving packet (8192 bytes at 0x4102A000). Received 0 bytes only.
>dumpram 42000000 100000
dumping 1.0 MB at 0x42000000: 16%
Error receiving packet (8192 bytes at 0x4202A000). Received 0 bytes only.
>dumpram 43000000 100000
dumping 1.0 MB at 0x43000000: 16%
Error receiving packet (8192 bytes at 0x4302A000). Received 0 bytes only.
>dumpram 44000000 100000
dumping 1.0 MB at 0x44000000: 16%
Error receiving packet (8192 bytes at 0x4402A000). Received 0 bytes only.
I can't read more than 177 KB...
I can see such text like:
is_dirty
is_syncing
.
.
.
With v0.15 no successful connection seems possible.
close reports success, but check fails and commands also...
Code:
>open
COM5 port opened with success
>check
Phone response FAIL
My PC is XP powered.
Firmware is JE7... old T-Mobile bada 1.x...
Thanx.
Best Regards
u need to compile fota from sources - it is frequently updated so there is no sense to put assembled one in badadroid downloads
u need to compile fota from sources
Sorry, I'm a user, not a coder or a user with coding skills.
So my head would explode before compiling something successfully.
There is enough space to upload FOTA + corresponding bTerm Version.
Maybe FOTA here as attachment.
Please.
Thanx.
Best Regards
fair enough
http://badadroid.googlecode.com/files/bada_term.zip
>open
COM5 port opened with success
>check
Phone response OK
Thank you very much, now v0.15 works on my XP with the new FOTA.
First success
Code:
>dumpram 20000000 8000000
dumping 128.0 MB at 0x20000000: 100%
Seems the 128 MB unit as bigger range interrupt...
I'll try now at 0x40000000
Best Regards
Edit 1.
Result:
Code:
>dumpram 40000000 10000000
dumping 256.0 MB at 0x40000000: 59%
Connection failed!
Abandoning dump with total received 0x0997C000 bytes.
Size is now around 157 MB...
Anyway...
I have some files for study.
Big thanx.
maybe I set too small timer intervals. I will increase it in next release
btw, u can start now dump from 0x4997C000 and then combine it with previous one
b.kubica said:
maybe I set too small timer intervals. I will increase it in next release
btw, u can start now dump from 0x4997C000 and then combine it with previous one
Working on S8530 ?
yes if you have correct fota assembled
b.kubica said:
yes if you have correct fota assembled
It seems my XP has some PATH problem: it can't find the COM port, says COM0. Tested on another Win7 computer, it worked. Thank you.
it's not a PATH problem - looks like you have not installed the Samsung drivers
could you check something for me? connect phone in download mode, open regedit and go to HKLM\HARDWARE\DEVICEMAP\SERIALCOMM and send me all values stored in this key
b.kubica said:
it's not a PATH problem - looks like you have not installed the Samsung drivers
could you check something for me? connect phone in download mode, open regedit and go to HKLM\HARDWARE\DEVICEMAP\SERIALCOMM and send me all values stored in this key
Reinstalled the driver properly, now it works but check fails
Compiled bada_term.asm on BADA2.01
Flashing bada_term.fota
DLMODE
I tried also CHARGING 0, same
; FOTA_SHADOWING equ 1
CHARGING_CONTROL equ 1
include 'S8530JPKA1.inc'
include 'macros.inc'
include 'vars.inc'
include 'functions.inc'
Maybe I need other firmware?
I'm on original Orange firmware bada 1.2

Security related Questions

SecretKey.key
Any idea what this is for?
Searched little bit through folder Security...
Found in S8500XPKJ1.
Best Regards
For quick insight:
Main function is SpkiDispatch , it does create this file by calling SpkiSaveMasterSecretKey, together with that key it does create directories
"/Security/Log/"
"/Security/Log/Cert/"
"/Security/CM"
SpkiSaveMasterSecretKey does use functions
SecFrameGetIMEI
SpkiBase64Decode
SecCrDecodeRSAPublicKeyEx
Whole "Spki" functions family seems to be related with OS certificate manager. And yeah, looks like it is based on IMEI, or does include IMEI itself.
//edit:
Oh yes, string which is hardcoded into APPS and is being decoded by Base64 during runtime (probably kind of init state of the key) is
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKyA2m2/PTRbsv9Y+39R6wroIniRv3nAUcOPH6dhg/9+2sCoWk0BgDtmfNMtUpueEzAr1OmAtxIfxt+gcaaFGDTr2NiY4ML9NhIv0frmlEsE8CLZFcMLYnCaeo7IMpDhnkUJA/aFhm42hmHM//e9sW2zOeN/oFrZ6wH7BEJmVEpQIDAQAB
from the looks of that string - I think you're looking at ... ahem wait for it ... a secret key -- or perhaps one half of a public/private key pair. Something that AES128 would be perfect for... good luck cracking that one.
Compared between S8500 and S8530... both on KJ1:
Code:
535730310093C300064D4F42494C45C5000431303234C60080
Something human readable like this:
Code:
SW01 MOBILEÅ 1024
So first 25 Bytes are for header...
Then 128 Bytes...
Hmmm... 128 Bytes could be RSA 1024 encrypted...
Best Regards
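The Base64 string quoted a few posts up is small enough to decode by hand, and its first bytes (30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01) are the standard DER prefix of an X.509 SubjectPublicKeyInfo carrying an RSA key. The following is an added example, not code from the thread, that decodes the quoted string with a minimal ASN.1 TLV reader built only on the Python standard library and reports the algorithm OID, modulus length and public exponent; the string is copied from the post as-is, and the reader handles only the short and long-form definite lengths that DER public keys use.

```python
import base64

# The string exactly as quoted in the post above (split here only for line length).
QUOTED_B64 = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDKyA2m2/PTRbsv9Y+39R6wroIniRv3nAUcOPH6dhg/9+2sCoWk"
    "0BgDtmfNMtUpueEzAr1OmAtxIfxt+gcaaFGDTr2NiY4ML9NhIv"
    "0frmlEsE8CLZFcMLYnCaeo7IMpDhnkUJA/aFhm42hmHM//e9sW"
    "2zOeN/oFrZ6wH7BEJmVEpQIDAQAB"
)

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"   # PKCS#1 rsaEncryption

TAG_SEQUENCE, TAG_INTEGER, TAG_BIT_STRING, TAG_OID = 0x30, 0x02, 0x03, 0x06


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at buf[pos:]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def expect(tag, want, what):
    if tag != want:
        raise ValueError(f"expected {what} (tag 0x{want:02x}), got tag 0x{tag:02x}")


def decode_oid(raw):
    """Dotted-string form of a DER OBJECT IDENTIFIER body (base-128, first byte packs two arcs)."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def parse_spki(b64):
    """Walk SubjectPublicKeyInfo -> AlgorithmIdentifier + BIT STRING(RSAPublicKey)."""
    der = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # tolerate a stripped '=' padding
    tag, spki, _ = read_tlv(der, 0)
    expect(tag, TAG_SEQUENCE, "SubjectPublicKeyInfo SEQUENCE")

    tag, alg, pos = read_tlv(spki, 0)
    expect(tag, TAG_SEQUENCE, "AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = read_tlv(alg, 0)
    expect(tag, TAG_OID, "algorithm OID")
    algorithm = decode_oid(oid)

    tag, bits, _ = read_tlv(spki, pos)
    expect(tag, TAG_BIT_STRING, "subjectPublicKey BIT STRING")
    if bits[0] != 0:
        raise ValueError("unexpected unused-bits count in BIT STRING")
    tag, rsa, _ = read_tlv(bits[1:], 0)       # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    expect(tag, TAG_SEQUENCE, "RSAPublicKey SEQUENCE")
    tag, n_raw, pos = read_tlv(rsa, 0)
    expect(tag, TAG_INTEGER, "modulus INTEGER")
    tag, e_raw, _ = read_tlv(rsa, pos)
    expect(tag, TAG_INTEGER, "exponent INTEGER")

    n = int.from_bytes(n_raw, "big")          # leading 0x00 (sign byte) contributes nothing
    e = int.from_bytes(e_raw, "big")
    return {
        "der_len": len(der),
        "algorithm": algorithm,
        "is_rsa": algorithm == RSA_ENCRYPTION_OID,
        "modulus_bits": n.bit_length(),
        "modulus_bytes": (n.bit_length() + 7) // 8,
        "exponent": e,
    }


if __name__ == "__main__":
    for key, value in parse_spki(QUOTED_B64).items():
        print(f"{key:>14}: {value}")
```

For this string the reader reports rsaEncryption with a 1024-bit (128-byte) modulus and exponent 65537, which matches the 128-byte figure in the S8500/S8530 comparison above and shows that the constant embedded in APPS is the public half of a key pair, not secret material by itself; the same reader works on any DER-encoded RSA public key pulled out of a firmware image.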
Factory Production Mode
This seems interesting... for me...
Tested on XXJEB...
If I play with Developer Commands... for instance:
Code:
> *> cmd="CheckFPM"
> DevGetHomeDLFlag : Address(0x1dcc0000) flag(0xffffffff)
> RbmCHCheckHomeDLFlag : FLAG value=0x8,result=0
> *> return value = -1 (0xFFFFFFFF)
Code:
> *> cmd="EnableFPM"
> DevGetHomeDLFlag : Address(0x1dcc0000) flag(0xffffffff)
> DevSetHomeDLFlag : Address(0x1dcc0000) flag(0x0000fff7)
> DevGetHomeDLFlag : Address(0x1dcc0000) flag(0x0000fff7)
> RbmCHEnableHomeDLFlag : FLAG value=0xfff7,result=1
> *> return value = 1 (0x00000001)
and...
Result is, after next Boot Wave starts with this funny Screen blue, then green... known by wrong key combination...
If I have changed to Qualcomm before... I can also write NV items via QPST...
Maybe here are more funny Flags possible... Check in JTAG dump at 0x1DCC0000...
Best Regards
I have found reason, how Wave checks "valid" apps_compressed.bin... also Boot...
Multiloader or every Flashing action writes own 512 Byte Info Block...
You can find them in 512 MB Full dump... from JTAG or from Ram Dump eXtractor:
http://forum.xda-developers.com/showpost.php?p=39658811&postcount=23
Search for this HEX value...
Code:
3412CDAB02000000
Now you can see your PC name... and your Country too...
your own IP address is also stored...
The other data are from last 1024 Bytes from boot_loader.mbn and apps_compressed.bin... parts of it... later more...
Sometimes I can see this... no idea yet why... or what:
Code:
Init Case 2
or
Code:
C#O#D#E Set
Hmmm... if I see this about Code... searching for and I find this in Boot...
Code:
Samsung:UNLOCK-KEY:/Security/Disabled
Fixed one for Samsung 3G platform. This string should be long ecnough maximum length is 128 bytes
A#D#D#R Set C#O#D#E Set
Hmmm, will try later...
Anyway, with this I have solved my BIG problem after M210S Firmware...
For now only with JTAG possible, but maybe later other solution... for instance via FOTA...
Best Regards
Code:
gHostInfo.pComputerName =
gHostInfo.pIP =
gHostInfo.pLocation = Germany
gHostInfo.pToolVer =
gHostInfo.uDatePC =
Nand Read ECC count 0, Retry total count 0
=================================
BootDebugBuffNandWrite
=================================
Taken from S8000 Jet dump...
Here more clear what Multiloader writes from your private data...
Best Regards
I'm trying to remove this from MultiLoader V5.67.exe...
Found in .exe
Code:
GetLocaleInfo
GetComputerName
Leads to kernel32.dll ...
Maybe I can find something else...
GetDateFormat crashes Multiloader...
Also
GetCalendarInfoA
To change into Set... I think its dangerous not to kill my Windows...
Best Regards
Edit 1.
GetComputerNameW for Unicode instead GetComputerNameA
Now Multiloader only writes first Character of your Computername... :angel:
Back to the Info Block with 512 Byte....
With Command PrtSecBoot
Code:
> SecBoot : slot num(2), mass production(0), verSecurity(2), slot age(3)
> SecBoot : invalid binary key detected
> SecBoot : slot age(3) Usb Version("S8530+XX+LA1"), usb age(1), Usb Creation time stamp "42/01/05 10:05"
> SecBoot : Code Version(""), code age(1), Code Creation time stamp ""
> SecBoot : Code Download device time("00/01/01 00:00:GMT"), host PC time("43/06/06 15:23:GMT")
> SecBoot : Used Downloading Tool is FastMultiLoader 0 5.6.7
> SecBoot : Download hostname("yourPCname"), location("Germany"), ip(1x3.1x3.9.xx)
> SecBoot : SysInfo change device time("00/01/01 00:00:GMT"), host PC time("00/01/01 00:00:GMT"), tool ver(""), change Method(0), age(0)
In this Info Block are stored 2 RSA 512 Signatures from Boot and 1 from apps_compressed.bin... from apps_c the second RSA 512 Sig... see here:
http://forum.xda-developers.com/showpost.php?p=38088383&postcount=68
I was able to try few things...
I can manipulate
verSecurity(2), slot age(3)
But tried to find
mass production(0)
tool ver("")
Here I can see Init Case 2... so this should be position for ... also:
C#O#D#E Set
I think this is set, if Unlock via Code... in theory...
A#D#D#R
No idea yet...
Maybe in this Info Block it is possible to complete disable Security check...
Best Regards
Little progress...
I am able to erase/overwrite address in 512 MB OneNAND manually via sending Commands...
http://forum.xda-developers.com/showpost.php?p=42919458&postcount=31
For now only 2000+ Bytes in FOTA area tested...
Code:
7E02EE000050098000...
7E00DD000050090008...
0x9500000 from XXLA1 S8530...
Later I hope I can erase this damn Info Block to repair my S8530 with M210S Firmware... without JTAG...
Best Regards
1.
How to find IMEI in JTAG dump?
1.1
Where is EFS address ...
2.
Contains sysinfo IMEI ?
2.1
How to find sysinfo in JTAG dump?
bada 1.x if Wave alive... in Security folder...
Then it is possible to search for in dump...
But it seems not on every Firmware on same position...
sysinfo is 6560 Bytes (19A0 HEX ) ...
Will do few tests with XXJL2... maybe laaaaaater I can identify IMEI and/or sysinfo in strange unknown JTAG dumps...
Best Regards
Edit 1.
For study maybe this:
S8500_Full512MB_IMEI_38178104728484_NandEC50_Alive
Test 1.
Search by text + Unicode... (if IMEI is correct in name...)
14 Digits instead 15...
Test 2.
Converting into NV item 550 Format...
083A...
Edit 2.
Maybe little progress... to find sysinfo in dump...
Found Header before... but there is no unique Header... with Joker between 3000 or 0 hits...
Different positions maybe "randomly" or apps_compressed Version specific...
To be sure I'm now downloading XXJF5 to compare with dump...
Strange...
I have remove sysinfo from my own JTAG dump, written back dump...
sysinfo restored or rebuild or copied from somewhere else?
Because 1:1 same...
Next attempt, to remove "Info Block" from 1FFC5000...
This is so strange...
Best Regards
http://forum.xda-developers.com/showpost.php?p=43436279&postcount=6
I'm using now this as template...
Changed only at 1FFC5000...
Then flash complete XXJL2 for compare...
Result is working S8500...
sysinfo is generated different...
And Imiation_IMEI.dat file is different...
Now will try to check few "INFO Blocks"... and compare results...
if sysinfo and/or Imiation_IMEI.dat will be different..
Best Regards
1.
How to find IMEI in JTAG dump?
1.1
Where is EFS address ...
Sometimes my brain works slooow...
1.
IMEI is stored in Format used in QC handsets 15 + years...
Near "MP" ... Hardwareversion...
1.1
Header of EFS seems:
Code:
ABEFCDAB
So address is:
0x1E700000
In older Firmware where Hardwareversion is PV... instead MP 2.000 or MP 1.000
Here I will check later again with open eyes... to find IMEI.
For now I will do some tests with replace ... to fully start foreign JTAG dumps to learn more about sysinfo...
Best Regards
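The two signatures quoted in these posts, the 3412CDAB02000000 marker of the 512-byte Info Block that Multiloader writes and the ABEFCDAB header of the EFS area, are easy to scan for. The Python below is an added example and not code from the thread: it finds every occurrence of both markers in a raw dump, carves each Info Block and lists the printable strings inside it, which is the check to run before sharing a dump, since the posts show the block carries the flashing PC's hostname, country and IP address. It assumes nothing about the block layout beyond the marker and the 512-byte size stated above; the dump it runs on is a constructed 16 KiB stand-in, and the values placed in it (hostname, 192.0.2.10, tool string) are invented for the demonstration.

```python
import re

# Signatures quoted in the thread. 34 12 CD AB is 0xABCD1234 little-endian,
# followed by a 32-bit 2; AB EF CD AB heads the EFS region.
INFO_BLOCK_MAGIC = bytes.fromhex("3412CDAB02000000")
EFS_MAGIC = bytes.fromhex("ABEFCDAB")
INFO_BLOCK_SIZE = 512          # size of the Info Block as stated in the thread


def find_all(image, marker):
    """Return every offset at which marker occurs in image (overlaps included)."""
    offsets = []
    pos = image.find(marker)
    while pos >= 0:
        offsets.append(pos)
        pos = image.find(marker, pos + 1)
    return offsets


def printable_strings(block, min_len=4):
    """Return runs of printable ASCII at least min_len bytes long, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, block)]


def carve_info_blocks(image):
    """Return [(offset, strings)] for each Info Block found in the dump."""
    return [(off, printable_strings(image[off:off + INFO_BLOCK_SIZE]))
            for off in find_all(image, INFO_BLOCK_MAGIC)]


def find_efs_offsets(image):
    """Return the offsets of every EFS header in the dump."""
    return find_all(image, EFS_MAGIC)


def _build_sample_dump():
    """Constructed stand-in for a NAND dump: one Info Block at 0x1000, EFS header at 0x3000."""
    dump = bytearray(0x4000)
    block = bytearray(INFO_BLOCK_MAGIC)
    for field in (b"EXAMPLE-PC", b"Germany", b"192.0.2.10", b"FastMultiLoader 0 5.6.7"):
        block += field + b"\x00"          # NUL-terminated fields, invented values
    block += b"\x00" * (INFO_BLOCK_SIZE - len(block))
    dump[0x1000:0x1000 + INFO_BLOCK_SIZE] = block
    dump[0x3000:0x3000 + len(EFS_MAGIC)] = EFS_MAGIC
    return bytes(dump)


SAMPLE_DUMP = _build_sample_dump()

if __name__ == "__main__":
    for off, strings in carve_info_blocks(SAMPLE_DUMP):
        print(f"Info Block at 0x{off:X}: {strings}")
    print("EFS header(s) at", [hex(o) for o in find_efs_offsets(SAMPLE_DUMP)])
```

On a real dump, replace SAMPLE_DUMP with the file contents read in binary mode; the thread places the Info Block at 0x1FFC5000 on the S8500, but scanning for the marker rather than a fixed address is what copes with firmware-specific layouts.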
Tested with S8500 and S8530 JTAG dumps... (on S8500)...
Attached PFS contain sysinfo and Imiation_IMEI.dat...
This force apps_compressed.bin to start with IM.. not active...
If NAND/Header Info at 0x1FFC5000 will be removed/deleted...
With RIFF JTAG for instance erase 0x1FFC 0000 to end...
For repair and educational purpose... only.
How to decrypt sysinfo?
Whole file ?
Parts of it ?
Best Regards
Little progress...
https://code.google.com/p/badadroid/source/browse/trunk/FOTA
100 years later I am able to compile these examples...
Easy under Windows 7 tested with FASMARM:
http://forum.xda-developers.com/showpost.php?p=46788023&postcount=35
I have tried with XXJEE Boot... because I need bada 1 for find sysinfo for my studies...
Very interesting.
In syssec.uniqueKey.bin I have found now S/N ...
S/N is also on Label under battery... before Samsung killed Service via Kies. It was also helpful to download Firmware...
I was ever wondering, why I am not able to find S/N...
Anyway. These FOTA examples helps me to increase my little brain.
For now tested only these:
Code:
dump_netlock_info.fota
dump_unique_keys.fota
nv_dump.fota
Next will be write_netlock_info.ASM...
Maybe this is what I think...
Yes, I know about FLOCK. But I need this for my JTAG Fullflash journey ... and for my little brain to understand how this work...
Btw.
I have no device here with SIM or Netlock...
To look into decrypted sysinfo and see the SHA1 Hashes is also possible via these FOTAs...
Thanx.
Best Regards
Few tests later...
It seems I have to play with DEcrypted sysinfo...
http://forum.xda-developers.com/showpost.php?p=47851350&postcount=49
First test failed with write_netlock_info.ASM before...
I have used DEcrypted Version, but nothing happens...
Maybe again my fault... anyway... tiny little step forward.
1 Goal is to identify sysinfo in JTAG dump... but here I need encrypted sysinfo...
Best Regards
Aha...
The reason is not only IMEI, because normally you can find IMEI in JTAG dump, but it seems Wave can not find anymore correct sysinfo... if fulldump from other Wave is flashed via JTAG.
http://forum.xda-developers.com/showpost.php?p=47851350&postcount=49
Result is working handset without IMEI... but this no problem...
Will check if now S/N is my or also gone with the other FOTAs...
But now I can flash 512 MB Fulldump WITHOUT modification of this file...
Then restore/rebuild sysinfo via bterm + correct FOTA...
Later more.
Best Regards
"Strange"...
sysinfo contain more then 1 or 2 SHA1 Hashes...
The others looks like "not available/not active" or something...
I have no handset with Lock...
I have only compared few DEcrypted sysinfo...
Simple copy and Paste not activate the Locks...
Later more...
Best Regards
Interesting...
Unique Key known from Header Info...
Stored in 512 MB OneNAND...
Is written into MBR (512 Byte) of moviNAND...
http://forum.xda-developers.com/showpost.php?p=49989727&postcount=68
If OneNAND is full erased, by JTAG RIFF for instance... Then text instead number:
Code:
PRODUCTCODEINVALID
Hmmmm, maybe this helps me later to restore sysinfo from JTAG dumps...
Best Regards

Android port for Samsung WAVE3 (GT-S8600)

Hi all.
This thread only for developers! Only! No questions - when?!!!!!!!
This is my attempt to porting android on S8600.
I wrote custom bootloader - emmcboot, based on codeaurora LK-bootloader.
The bootloader starts successfully, works and tries to load the Android kernel from the internal
microSD card.
For now it is unsuccessful: after the message "Uncompressing Linux... done, booting the kernel." the device reboots or stops.
[370] Panel is power on
[370] Display initialized
[370] Display logo
[370] Waiting for modem+++
[370] Waiting for modem: Done
[370] smem ram ptable found: ver: 0 len: 6
[370] scratch: 0x8000000
[370] Starting in SD mode!
[370] SD_DETECT pin : 0x0
[380] Initializing MMC host data structure and clock!
[380] Error No. 2: Failure Initializing MMC Card!
[400] Decoded CID fields:
[400] Manufacturer ID: 27
[400] OEM ID: 0x5048
[400] Product Name: SD16G
[400] Product revision: 3.0
[400] Product serial number: 7C88FF04
[400] Manufacturing date: 2 2012
[410] Serial number -[410] serial number:
[410] partition misc doesn't exist
[410] error in emmc_recovery_init
[580]
kernel @ 208000 (4132528 bytes)
[580] ramdisk @ 1200000 (175204 bytes)
[580] cmdline = 'console=null androidboot.hardware=qcom user_debug=31'
[580]
Booting Linux
[580] smem ram ptable found: ver: 0 len: 6
[580] booting linux @ 0x208000, ramdisk @ 0x1200000 (175204)
[590] cmdline: console=null androidboot.hardware=qcom user_debug=31
Uncompressing Linux... done, booting the kernel.
source code for lk-bootloader for S8600:
https://github.com/Oleg-k/LK_BOOT_S8600
To build for S8600, type: "make -j4 s8600 EMMC_BOOT=1"
Also, i got memory dump, stage - after load oemsbl and before loading my bootloader.
as we see, oemsbl decompress and load apps_compressed.bin into memory,
starting at 0x200000.
https://www.dropbox.com/s/5wf6dp5gfgudkdc/MEM_DUMP_128MB.rar
And for understanding the boot process on MSM7x30, read this:
http://tjworld.net/wiki/Android/HTC/Vision/BootProcess#BootProcess
Welcome back my friend ))
If you are able to port it, I will 100% buy an S8600
Good Luck
I was actually going to ask you what happened to the Wave 3 port. Anyway, welcome back. But a question: why don't you help rebellos and volk in the Wave and Wave II porting? So the porting can be a bit better. Just my question. :good:
Sounds interesting.
1.
You found ELF files for S8600 Boot ?
2.
You found way without JTAG, or JTAG is needed to write your Boot?
Thanx in advance.
Best Regards
CONFIG_DEBUG_LL
and
CONFIG_EARLY_PRINTK
plx <3
it's my current config for my kernel:
adfree said:
Sounds interesting.
1.
You found ELF files for S8600 Boot ?
2.
You found way without JTAG, or JTAG is needed to write your Boot?
Thanx in advance.
Best Regards
No, there are no ELF files for S8600; I wrote a new bootloader to boot the Linux kernel.
Now I use JTAG, but if we find a way to encrypt my bootloader like appsboot.mbn, we will use the regular Multiloader.
So cool!
http://forum.xda-developers.com/showthread.php?t=1443575
Blowfish encryption
Maybe PlatformDownloader_S8600_KI5.exe maybe have unsecured Boot...
But I can't flash nor I have connected my S8600 with RIFF...
TPs seems to small for my big Fingers...
Best Regards
oleg_k said:
it's my current config for my kernel:
Thanks. I'd check debug macros and debug UART configuration. There are a few UART ports in it, and maybe the kernel is printing to the wrong one... though this wouldn't explain why the kernel unpacker is printing something (Uncompressing and booting comes already from zImage) - this would indicate that the debug port number is correct. Are you sure that the kernel and ATAGs location is correct, and RAM is set up properly by LK? Maybe something bad happens when the kernel proceeds to enabling MMU and caches... I'm pretty clueless. :<
I collected some links I found useful in this article: http://xda-university.com/as-a-developer/porting-android-to-non-android-devices
Especially interesting for you might be last link in "Custom bootloader" section.
No, there are no ELF files for S8600; I wrote a new bootloader to boot the Linux kernel.
Now I use JTAG, but if we find a way to encrypt my bootloader like appsboot.mbn, we will use the regular Multiloader.
For S8500 I found way to write direct into OneNAND at:
Code:
0x0010 0001
No need to encrypt something...
With Multiloader... choose ETC.
http://forum.xda-developers.com/showpost.php?p=37229969&postcount=37
S8600 not tested...
This is far far away from perfect... but maybe helpful.
Need someone who is able to remove restriction from ML to use lower addresses than 0x10000...
I was only able to change text strings... in ML...
Best Regards
On first page i posted bootloader source and memory dump, stage - after load oemsbl and before loading my bootloader.
To Adfree,
S8600 don't use OneNAND, used EMMC flash memory (like sd-card).
Today I've found S8600XXKI9.zip
I have forgotten this Firmware... but I have now short compared with Bootfiles from XXKJC... BIG differences... So I think this should be nearly identical with PlatformDownloader_S8600_KI5.exe
Still unsolved to decrypt or extract content of:
PlatformDownloader_S8600_KI5.exe
and
PlatformDownloader_S8600_KJ7.exe
Best Regards
Not my S8600... but user tried PlatformDownloader_S8600_KJ7.exe
It seems it was wrong Partition Table aka partition.bin...
Code:
Boot Binary Download Start Ch[0]
Appsboot 338.7KB OK[1.1s]
OemSbl 1757.7KB OK[1.8s]
ERR : NAK_FLASH_ERROR 0
Error : partition Write [0.2s]
ERR : NAK_FLASH_ERROR 0
Download Start Ch[0]
Amss 16654.3KB OK[15.6s]
Apps 29622.3KB OK[54.1s]
_Open_Europe_Common 40370.2KB OK[73.5s]
(Low) 2980.3KB OK[1.9s]
ERR : NAK_INVALID_CONTENT 0
ERR : _Open_Europe_Common Erase
Now S8600 ask for QHSUSB_DLOAD
My first idea is Qualcomm QPST now...
Or maybe if Driver used, then Multiloader will work again... for second attempt..
Found only 64 Bit Driver yet... not tested nor Thread... only attachment...
http://forum.xda-developers.com/attachment.php?attachmentid=631288&d=1308601930
Will check also QPST to check what is needed...
Best Regards
Edit 1.
More Driver...
http://forum.xda-developers.com/showpost.php?p=21911621&postcount=2
Okay...
It seems for QPST fsbl.mbn is missing...
I can remember from old MSM6250 handsets it is mandatory to have all files for QPST... because otherwise you need JTAG...
Important...
Qualcomm not use Encryption for QPST files...
This is Samsung thingie + "end.bin" last 1024 Byte...
So decrypt all Bootfiles and cut last 1024 Byte...
For fsbl.mbn I will check JTAG dump from S8600...
Best Regards
Edit 1.
http://forum.xda-developers.com/showthread.php?t=1367055
downgrade_WM6_boot.zip contain fsbl.mbn ... maybe as example...
http://forum.gsmhosting.com/vbb/f634/htc-desire-s-qhsusb_dload-driver-1436354/
Found this...
Here is also fsbl.mbn maybe not available... or...
But maybe if we can attach such S8600 we can see few infos...
Best Regards
Edit 1.
About QPST Version contain this eMMC...
Code:
4. RELEASE NOTES
...
10/27/11 QPST 2.7.378
1) Add support for QSC11x5 CDMA only (4073) and CDMA+GSM (4074).
2) Fix problem with eMMC Software Download not correctly patching addresses > 8 GB.
10/13/11 QPST 2.7.377
1) Fix crash when QPSTServer.config are NULs (bad format).
2) Add model ID 4072 = "APQ8064". Apps processor only, no service programming.
3) Change flash programmer name from nprg9615.hex to nprg9x15.hex.
4) Add emergency download support for user partitions.
5) Fix case where user partition download fails if the flash programmer is on a file share.
6) Fix error case when add port is used but no port is specified.
7) Fix case where restoring an EFS file doesn't work if the file was modified by QXDM.
8) In Service Programming BC SMS fix case where if user enters 32 as the service type it get written to NV as 4096.
9) Fix case where a phone will stay in "no phone" state if the phone takes > 20 seconds to reboot.
10) Take care of cases in eMMC Software Download where we try to lock the disk volume but the drive letter isn't available.
11) Fix "server busy" issue when a device connects but it's modem isn't running.
12) Insert more status message in Memory Debug app so that we can see why fast unframed dump failed.
8/17/11 QPST 2.7.375
1) Add support for MDM9615 (model 4070). Rename model 4068 to 7627A-ANDROID from SURF7627A.
Add model 4071 (7627A-WinMob). Add 1x/UMTS service programming to 4068 and 4071.
2) eMMC Software Download: Don't try to lock volume if drive letter not present.
Devices that use GPT will not mount and get a drive letter assigned.
7/22/11 QPST 2.7.374
1) Added missing file to installer to fix Service Programming problem in 2.7.373.
2) For eMMC Software Download, abort the download if a sparse="true" directive is present.
Sparse files cannot be downloaded with QPST, only with fastboot.
3) Began the process of moving QPST application and server settings from registry to
configuration files.
4) Added more error checking to EFS Explorer file drop code.
7/5/11 QPST 2.7.373
1) Add support for SURF8960 model ID 4069.
2) Fix issue with Port Enable/Disable for IP Ports.
3) NAND Software Download: Correct flash programmer descriptions for 7225A, 7625A, 7227A, and 7627A.
4) Roaming List Editor: Added two new bands LTE 24 and LTE 25.
5) eMMC Software Download:
- Fix problem where some file names print as "(null)".
- Add support for Meta Build contents.xml file ("Build Contents"). The contents file will provide the path for the
rawprogram and patch files, extra search paths, and names of flash programmer and boot image files.
- Ignore unexpected elements in schema.
- Support zeroout directive to zero parts of partitions.
- Allow usage by app of "orderly" as well as surprise removal storage devices.
- Add support for computations in the <patch> (CRC32 for GPT support), <program>, and <zeroout> directives.
6) EfsExplorer:
- Enable reset button in Efs Explorer even if target not in offline mode.
- More text description in Mode column for Efs Explorer
- Modify the list context menu of Efs-Explorer.
- If the proposed item file size copy is > 2048 bytes, warn the user and bail out.
...
Adfree,
Link please for the S8600XXKI9.zip you found
Link please for the S8600XXKI9.zip you found
http://hotfile.com/dl/145796951/79ecec6/S8600XXKI9.zip.html?lang=de
Try this. If not then I search again...
About fsbl.mbn...
I have searched for fsbl_hw.c string in 4 GB JTAG dump SAMSUNG_GTS8600_FullFlash.bin...
Can not find so I think fsbl is not or in other area...
About your Memory Dump FROM_MEM_0_128MB.bin
I am not 100 % sure but maybe read problems...
Short tried to extract Cert, but string Qualcomm is not written correct...
Q5alcomm1
qualcoem.com
Best Regards
I try to read again memory dump )
thanks for links...
Also,
I found that Samsung used the OKL4 Microkernel 3.0 (maybe 4.0)
http://wiki.ok-labs.com/Release/3.0
About ver 4.0 --
The OKL4 Microvisor is designed from the ground up as a high-performance mobile virtualization platform. It is a microkernel-based embedded hypervisor - called a Microvisor, with a small footprint and the right combination of performance and hardware support to target mobile telephony use. The OKL4 Microvisor 4.0 is distinguished by supporting mobile virtualization, componentization, and security, enabling a new generation of applications and capabilities with impact across the mobile ecosystem.
OKL4(with Qualcomm RTOS) also used in modem AMSS
http://forum.xda-developers.com/showthread.php?t=1829915
Need overview/list with Firmware packages with Bootfiles included...
Here this is what I have...
Later I will compare if difference...
Code:
XXKI9
XXKJC
S8600BOKJ1_TPLKJ1.rar
S8600BOKK6_S8500TPLKK7_T-Mobile.rar
S8600JPKK2_S8500OJPKK2_OJP.rar
S8600ZCLA1.7z
S8600NAKL1_S8600EPLKL1
Best Regards

Sony Xperia M/M Dual General & Development (links updated 13/10/2013)

Trying to start a first port of call for a General & Development thread for these phones and to make things a little more organised. Links are provided below for a range of mods and development that has started, and by the look of how it's going it's gonna be really busy and full of development, so please be nice here, and if you have any suggestions, tips or hints please feel free to add them here for our fellow M/M Dual users and developers to see.
Links will be updated on a regular basis
Xperia M Regional Codes (provided by SharpnShiny)
http://forum.xda-developers.com/showthread.php?t=2456622
Full Root for Xperia M (credits to xzn and team for this)
http://forum.xda-developers.com/showthread.php?t=2457174
Root For c2004/2005 models (dual SIM) thanks ernvs
http://forum.xda-developers.com/showthread.php?t=2477254 or http://forum.xda-developers.com/showthread.php?t=2479359 guide by waledac
Stock firmware thread (by Doomlord) and Recovery Test (thanks to alivanov79 on page 12)
Firmware Version: 15.1.A.1.9
customization ID: 1274-3888_IN
model: C1904
http://forum.xda-developers.com/showthread.php?t=2410913
Stock Firmware 15.1.C.1.17 C1904 (Tutorial within thread on how to flash it and thanks to jeremarfil24)
http://forum.xda-developers.com/showthread.php?t=2463870
Stock Xperia M Kernel (thanks n1kolaa)
https://github.com/n1kolaa/andorid_kernel_sony_Nicki
Full internal dump and stock kernel (thanks alvinhochun)
https://dl.dropboxusercontent.com/u/39080136/c1905/loop0p17.img
https://dl.dropboxusercontent.com/u/39080136/c1905/probably_stock_kernel.bin
Bootloader Unlocking (provided by Sony) *WARNING* Will erase everything on phone and set back to factory so backup apps etc
http://unlockbootloader.sonymobile.com
AOSP File/Build by Sony of first firmware
http://developer.sonymobile.com/dow...ves/open-source-archive-for-build-15-1-a-1-9/
Thanks to cian for sharing the links and thanks to jeremarfil24 for these mods
Honami Settings For Xperia M
http://forum.xda-developers.com/showthread.php?p=46042519
Honami SystemUI for Xperia™ M
http://forum.xda-developers.com/showthread.php?p=46042247
Stock kernel with cwm recovery (thanks to alvinhochun)
http://forum.xda-developers.com/showthread.php?t=2480556
Tool to add CWM recovery to any kernel including Xperia M(thanks to alvinhochun)
http://forum.xda-developers.com/showthread.php?t=2481864
Few links for Mods and guide to flashing 4.2.2 dual SIM firmware to c1904/1905 and rooting guide (thanks to jeremarfil24)
http://forum.xda-developers.com/showthread.php?p=46427950
Sent from My Sony Xperia M C1905
Good thread, there's a lot tutorial out there for xperia M
Sent from my C1905 using xda app-developers app
I've currently just removed full root from my phone as I noticed stamina mode was not working so it was either the root or busybox or possibly the rootfix not 100% sure if this was the cause but I've reverted back to factory and stamina is now working
Thought I would share this info
Sent from my C1905 using xda app-developers app
I shared the Xperia M kernel on GitHub! https://github.com/n1kolaa/andorid_kernel_sony_Nicki
Not my work but i found these too,
Honami Settings For Xperia M
http://forum.xda-developers.com/showthread.php?p=46042519
Honami SystemUI for Xperia™ M
http://forum.xda-developers.com/showthread.php?p=46042247
dunc4n88 said:
I've currently just removed full root from my phone as I noticed stamina mode was not working so it was either the root or busybox or possibly the rootfix not 100% sure if this was the cause but I've reverted back to factory and stamina is now working
Thought I would share this info
Sent from my C1905 using xda app-developers app
What do u mean? My stamina mode still work after root and remount reboot fix, u mean estimated time? If so the estimated time always recalibrated depend user usage time
Sorry for my bad English
Sent from my C1905 using xda app-developers app
Partitions information of internal storage
I dumped the internal storage (`cat /dev/block/mmcblk0 > full.img`) and tried to get some useful information from that. Took me ages to do that. Since I dumped the file on-line, userdata and cache partitions are dirty, but that doesn't affect much, does it huh?
Strangely both GPT partition tables have a corrupted CRC, but they look fine so I just used them.
Anyway I don't have any experience hacking emmc devices, but let's see if I'm helpful:
Code:
GPT fdisk (gdisk) version 0.8.1
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk full.img: 7733248 sectors, 3.7 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Partition table holds up to 28 entries
First usable sector is 34, last usable sector is 7733214
Partitions will be aligned on 256-sector boundaries
Total free space is 107998 sectors (52.7 MiB)
Number Start (sector) End (sector) Size Code Name
1 256 4351 2.0 MiB FFFF TA
2 4352 4607 128.0 KiB FFFF sbl1
3 4608 5119 256.0 KiB FFFF sbl2
4 5120 5631 256.0 KiB FFFF s1sbl2
5 5632 6655 512.0 KiB FFFF sbl3
6 6656 7679 512.0 KiB FFFF aboot
7 7680 8703 512.0 KiB FFFF tz
8 8704 8959 128.0 KiB FFFF alt_sbl1
9 8960 9471 256.0 KiB FFFF alt_sbl2
10 9472 9983 256.0 KiB FFFF alt_s1sbl2
11 9984 11007 512.0 KiB FFFF alt_sbl3
12 11008 12031 512.0 KiB FFFF alt_aboot
13 12032 13055 512.0 KiB FFFF alt_tz
14 13056 14079 512.0 KiB FFFF rpm
15 14080 15103 512.0 KiB FFFF alt_rpm
16 16384 49151 16.0 MiB 8300 LTALabel
17 49152 90111 20.0 MiB FFFF boot
18 90112 221183 64.0 MiB 0700 modem
19 221184 227327 3.0 MiB FFFF modemst1
20 229376 235519 3.0 MiB FFFF modemst2
21 237568 243711 3.0 MiB FFFF fsg
22 243712 253951 5.0 MiB FFFF ramdump
23 253952 286719 16.0 MiB FFFF FOTAKernel
24 286720 294911 4.0 MiB 8300 persist
25 294912 2752511 1.2 GiB 8300 system
26 2752512 3264511 250.0 MiB 8300 cache
27 3268608 7634910 2.1 GiB 8300 userdata
Partition contents, as identified with `file`:
Code:
full.img: x86 boot sector; partition 1: ID=0xee, starthead 0, startsector 1, 7733247 sectors, extended partition table (last)\011, code offset 0x0
loop0p1.img: DOS executable (block device driver)
loop0p2.img: data
loop0p3.img: data
loop0p4.img: data
loop0p5.img: data
loop0p6.img: Hitachi SH big-endian COFF object, not stripped
loop0p7.img: data
loop0p8.img: data
loop0p9.img: data
loop0p10.img: data
loop0p11.img: data
loop0p12.img: Hitachi SH big-endian COFF object, not stripped
loop0p13.img: data
loop0p14.img: data
loop0p15.img: data
loop0p16.img: Linux rev 1.0 ext4 filesystem data, UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (extents) (large files)
loop0p17.img: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
loop0p18.img: x86 boot sector, code offset 0x3c, OEM-ID "MSDOS5.0", sectors/cluster 32, root entries 512, Media descriptor 0xf8, sectors/FAT 17, heads 255, sectors 131072 (volumes > 32 MB) , serial number 0xbc614e, unlabeled, FAT (16 bit)
loop0p19.img: data
loop0p20.img: data
loop0p21.img: data
loop0p22.img: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
loop0p23.img: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
loop0p24.img: Linux rev 1.0 ext2 filesystem data (mounted or unclean), UUID= xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (extents) (large files) (huge files)
loop0p25.img: Linux rev 1.0 ext4 filesystem data, UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (extents) (large files)
loop0p26.img: Linux rev 1.0 ext4 filesystem data, UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (needs journal recovery) (extents) (large files)
loop0p27.img: Linux rev 1.0 ext4 filesystem data, UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (needs journal recovery) (extents) (large files)
Meaningful guess of what the partitions may contain (actually pretty obvious):
p17 (boot) - Kernel? Binary code which starts the kernel? vmlinux? (*) My copy: https://dl.dropboxusercontent.com/u/39080136/c1905/loop0p17.img
p23 (FOTAKernel) - Same as above, but downloaded by FOTA for update purpose
p24 (persist) - Mounted as `/persist`, ext2
p25 (system) - System partition, mounted as `/system`, ext4
p26 (cache) - Cache partition, mounted as `/cache`, ext4
p27 (userdata) - Data partition, mounted as `/data`, ext4
(*) For my firmware 15.1.C.1.17, at offset 0x3db7 you can find "Uncompressing Linux...", and at offset 0x4053 you can find the gzip magic number. So...
Code:
$ tail -c +16468 loop0p17.img |gunzip > blah.bin
gzip: stdin: decompression OK, trailing garbage ignored
... I think this dumped the stock kernel. Uploaded it here: https://dl.dropboxusercontent.com/u/39080136/c1905/probably_stock_kernel.bin
The partition is probably the vmlinux.
I hope I can do something to find the initrd, can't find it yet...
ariw182 said:
What do u mean? My stamina mode still work after root and remount reboot fix, u mean estimated time? If so the estimated time always recalibrated depend user usage time
Sorry for my bad englisj
Sent from my C1905 using xda app-developers app
I've re-rooted the phone now just me thinking it wasn't working but after re-root it does still work, im glad the system dumps are coming in mine failed dumping to sdcard and havent had time to try through adb
Sent from my C1905 using xda premium
Oh I am such an idiot... the initrd is just also inside the boot partition...
Found yet another gzip magic number at 0x55aadc, so extract it:
Code:
$ tail -c +5614301 loop0p17.img |gunzip > second.bin
gzip: stdin: decompression OK, trailing garbage ignored
$ file second.bin
second.bin: ASCII cpio archive (SVR4 with no CRC)
So here is the CPIO file: https://dl.dropboxusercontent.com/u/39080136/c1905/initrd.cpio
The ramdisk content in tar format if you need: https://dl.dropboxusercontent.com/u/39080136/c1905/initrd.tar
I believe this is enough to build a bootable image for fastboot for unlocked bootloader, isn't it?
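The two extractions above (the kernel at the gzip magic near 0x4053, the cpio ramdisk at 0x55aadc) follow the same pattern: find a gzip header, inflate from there, ignore whatever follows. The Python below is an added example, not code from the post: it locates every gzip stream in an image with a gzip-aware zlib decompressor, so trailing bytes land in unused_data instead of raising the "trailing garbage" error, and guesses the payload type the way `file` did (the 070701 newc cpio magic, or an ELF header). It runs on a constructed stand-in for a boot partition built inline, with invented kernel and ramdisk bytes, rather than on the real loop0p17.img.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM=8 (deflate): the "gzip magic number"


def find_gzip_streams(image):
    """Return [(offset, payload)] for every complete gzip stream embedded in image.

    wbits=MAX_WBITS|16 selects gzip framing; once the stream's trailer has been
    consumed, eof is set and anything after it sits in unused_data and is ignored,
    which is what gunzip meant by 'trailing garbage ignored'."""
    streams = []
    pos = 0
    while (off := image.find(GZIP_MAGIC, pos)) >= 0:
        d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)
        try:
            payload = d.decompress(image[off:])
        except zlib.error:
            payload = None            # the three bytes only looked like a header
        if payload is not None and d.eof:
            streams.append((off, payload))
            pos = len(image) - len(d.unused_data)   # resume after this stream
        else:
            pos = off + 1
    return streams


def classify(payload):
    """Cheap type guess for a carved payload, mirroring what file(1) reported."""
    if payload.startswith(b"070701"):
        return "ASCII cpio archive (SVR4 with no CRC)"
    if payload.startswith(b"070702"):
        return "ASCII cpio archive (SVR4 with CRC)"
    if payload.startswith(b"\x7fELF"):
        return "ELF"
    return "data"


# Constructed boot partition: decompressor stub text, compressed kernel, filler,
# compressed newc cpio ramdisk, filler. None of these bytes come from a real device.
FAKE_KERNEL = b"\x00" * 64 + b"ARM kernel image bytes (constructed)" * 8
FAKE_CPIO = b"070701" + b"0" * 104 + b"init\x00\x00\x00\x00"   # one newc header + name
_PREFIX = b"\x00" * 32 + b"Uncompressing Linux..." + b"\x00" * 10
_GZ1 = gzip.compress(FAKE_KERNEL, mtime=0)
_GZ2 = gzip.compress(FAKE_CPIO, mtime=0)
SAMPLE_IMAGE = _PREFIX + _GZ1 + b"\xff" * 48 + _GZ2 + b"\xff" * 16


def carve(image=SAMPLE_IMAGE):
    """Return [(offset, type_guess, payload_length)] for the gzip streams in image."""
    return [(off, classify(p), len(p)) for off, p in find_gzip_streams(image)]


if __name__ == "__main__":
    for off, kind, size in carve():
        print(f"gzip stream at 0x{off:x}: {size} bytes, {kind}")
```

Against a real dump, read the partition image in binary mode and pass it to `carve`; the offsets it prints are the zero-based equivalents of the `tail -c +N` arguments used above (N is one larger than the offset).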
Anyone who has installed the test cwm recovery try downloading an app from play market called X-parts and use the option to reboot to recovery, try and report please
Sent from my C1905 using xda premium
Just a thought for cwm recovery what about trying to use ROM Manager to install cwm recovery, would this work?
Edit
Doesn't work just tried
Sent from my C1905 using xda premium
For the recovery, i think this link (http://forum.xda-developers.com/showthread.php?t=2075562) will be useful :silly:
and since our device's specs are almost identical with xperia L which gets CM 10.2 (cmiiw), i think there is a chance that xperia L's CM 10.2 can be ported to our device, we just need an experienced developer who want to help or a noob who want to learn :silly: huehuehhehuhe
DPI
Hi,
I was wondering if I could change the DPI in the prop build??
And is there going to be a Full Thread for Xperia M? (please)
My Phone-Xperia M
Build-15.1.B.0.2
Status-Unlocked/Rooted
Loads of Apps removed (184 Remaining)
gavanid said:
Hi,
I was wondering if I could change the DPI in the prop build??
And is there going to be a Full Thread for Xperia M? (please)
My Phone-Xperia M
Build-15.1.B.0.2
Status-Unlocked/Rooted
Loads of Apps removed (184 Remaining)
Hi and welcome. There are requests put in for a thread but nothing yet, so I made this one to try and organise things a bit.
DPI probably could be changed in build.prop: look for the line that has dpi in it and change the value. I can't remember if the higher the value, the smaller the screen goes. Back up your build.prop before editing it; try ROM Toolbox to edit the build.prop. Also, did you do a full root with the root fix after installing BusyBox?
Sent from my C1905 using xda premium
DPI
dunc4n88 said:
Hi and welcome. There are requests put in for a thread but nothing yet, so I made this one to try and organise things a bit.
DPI probably could be changed in build.prop: look for the line that has dpi in it and change the value. I can't remember if the higher the value, the smaller the screen goes. Back up your build.prop before editing it; try ROM Toolbox to edit the build.prop. Also, did you do a full root with the root fix after installing BusyBox?
Sent from my C1905 using xda premium
There is no DPI in the prop build, but it doesn't matter;
the DPI is at 240 anyway. I used the Android hardware info app to find all the info.
OK, so I've been trying to boot/reflash the dumped stock kernel as a test, but all I've got is failure. Here are some notes I've taken:
About the kernel cmdline:
Kernel cmdline:
- As seen in boot.elf:
Code:
console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3
- As seen in /proc/cmdline:
Code:
console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 msm_rtb.filter androidboot.emmc=true androidboot.bootloader=s1 oemandroidboot.s1boot=1271-1024_S1_Boot_MSM_8227_5 androidboot.serialno=********** ta_info=1,16,256 startup=0x00000001 warmboot=0x77665502 oemandroidboot.imei=**************** oemandroidboot.phoneid=0000:**************** oemandroidboot.babe1234=00000000 androidboot.baseband=msm
(IMEI and serial censored)
What? `r=0x3F ehci-hcd.park=3` is gone?
About attempting to use `fastboot boot` to boot the dumped kernel (may be invalid, so if someone wants to try it, just try):
Enter fastboot: Hold `Volume Up` when connecting USB cable, OR use `adb reboot-bootloader`
Visual identification: Blue LED on
version-bootloader: S1_Boot_MSM_8227_5
version-baseband: 1272-2325_15.1.C.1.17
product: C1905
Tried commands:
Code:
fastboot boot boot.elf
> Blue LED stays on, no response to power button, need to remove battery.
Code:
fastboot boot probably_stock_kernel.bin initrd.cpio
> Blue LED stays on, no response to power button, need to remove battery.
Code:
fastboot boot boot.elf -c "console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3"
> Blue LED stays on, no response to power button, need to remove battery.
Code:
fastboot boot probably_stock_kernel.bin initrd.cpio -c "console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3"
> Blue LED stays on, no response to power button, need to remove battery.
Code:
fastboot boot boot.elf -c "console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3" -b 0x80208000
> Blue LED stays on, no response to power button, need to remove battery.
Code:
fastboot boot probably_stock_kernel.bin initrd.cpio -c "console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3" -b 0x80208000
> Blue LED stays on, no response to power button, need to remove battery.
About attempting to flash the dumped kernel back to the device:
Code:
fastboot flash boot boot.elf
> FAILED (remote: image is not a boot image)
OMG, I really don't want to make a boot image with `mkbootimg`; even though soft bricks can be fixed with a reflash, that means I'll need to restore all my userdata once again.
Can anyone help me?
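The "image is not a boot image" failure above is a header check: a standard Android boot image starts with the `ANDROID!` magic that `mkbootimg` writes, while `boot.elf` starts with the ELF magic. As an added example, not the poster's code, the functions below pack a kernel and ramdisk into a v0 boot image using mkbootimg's default load offsets added to a base (the `-b 0x80208000` tried above) and read the header back; the kernel and ramdisk bytes used in the check are constructed placeholders.

```python
import struct

PAGE = 2048                   # page size the header advertises; each section is padded to it
MAGIC = b"ANDROID!"           # boot.elf starts with 7f 45 4c 46 instead, hence the rejection
# mkbootimg's default load offsets, each added to the --base address (fastboot -b)
KERNEL_OFF, RAMDISK_OFF, SECOND_OFF, TAGS_OFF = 0x8000, 0x01000000, 0x00F00000, 0x100
HDR_FMT = "<8s10I16s512s"     # magic, ten u32 fields, name[16], cmdline[512]

def pad(b: bytes) -> bytes:
    """Zero-pad a section to a whole number of pages."""
    return b + b"\0" * (-len(b) % PAGE)

def build_boot_image(kernel: bytes, ramdisk: bytes, cmdline: str, base: int) -> bytes:
    """Pack kernel + ramdisk into a v0 Android boot image, the layout mkbootimg writes."""
    cmd = cmdline.encode()
    if len(cmd) > 511:                 # 512-byte field, NUL terminated
        raise ValueError("cmdline too long for the boot image header")
    hdr = struct.pack(HDR_FMT + "8I", MAGIC,
                      len(kernel), base + KERNEL_OFF,
                      len(ramdisk), base + RAMDISK_OFF,
                      0, base + SECOND_OFF,          # no second-stage loader
                      base + TAGS_OFF, PAGE, 0, 0,   # tags addr, page size, unused[2]
                      b"", cmd, *([0] * 8))          # name, cmdline, id[8] (left zero)
    return pad(hdr) + pad(kernel) + pad(ramdisk)

def parse_boot_image(img: bytes):
    """Return (kernel_addr, ramdisk_addr, cmdline), or None when the magic is missing,
    which is the case a bootloader reports as "image is not a boot image"."""
    size = struct.calcsize(HDR_FMT)
    if len(img) < size or img[:8] != MAGIC:
        return None
    f = struct.unpack(HDR_FMT, img[:size])
    return f[2], f[4], f[12].rstrip(b"\0").decode()
```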
alvinwong_1234 said:
OK, so I've been trying to boot/reflash the dumped stock kernel as a test, but all I've got is failure. Here are some notes I've taken:
About the kernel cmdline:
About attempting to use `fastboot boot` to boot the dumped kernel (may be invalid, so if someone wants to try it, just try):
About attempting to flash the dumped kernel back to the device:
Can anyone help me?
When I check for updates on my phone via the PC update service, it tells me to connect the phone with volume down pressed for fastboot. Have you tried that? But the LED doesn't go blue; it flashes red then amber when I do it. Could this be flash mode on these devices?
Sent from my C1905 using xda premium
dunc4n88 said:
When I check for updates on my phone via the PC update service, it tells me to connect the phone with volume down pressed for fastboot. Have you tried that? But the LED doesn't go blue; it flashes red then amber when I do it. Could this be flash mode on these devices?
Sent from my C1905 using xda premium
Yes, this is flash mode!
Sent from my C1904 using xda app-developers app
alvinwong_1234 said:
Can anyone help me?
Have you checked this? http://forum.xda-developers.com/showthread.php?t=2334045
As I saw, through fastboot you can flash only .img, not .elf image files.
Boot image with CWM recovery (need to be flashed, unlocked bootloader only)
http://forum.xda-developers.com/showthread.php?t=2473813