Develop Bugs

[DEVs ONLY] Flash Galaxy S without computer : introducing redbend_ua

Hello there
This is a surprise, but software able to flash the phone without any computer intervention was already on it, since the beginning.
Searching for a way to install my future lag fix easily, I remember that there was an "OTA" boot mode.
I know, today nobody saw an OTA on any Galaxy S smartpone (except maybe One on the AT&T Captivate?), but the software is still there.
How does this work :
Basically Linux boots a ramdisk, loading kernel modules and running an init process who start the whole Android experience (bootmode=) or just the recovery mode (bootmode=2).
Other bootmodes are used for battery loading only and Over The Air updates.
In this case, init.rc ask init to start "/sbin/redbend_ua all".
By default this software search for software updates in /data/fota and on similar places in the /sdcard.
It could prove useful another day, but you still have to be root to ask your device to reboot in a specific bootmode
The nice part is that we can use redbend_ua manually too, to do many impossible things before :
command list, pretty comprehensive.
Code:
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
Possible usages :
- Flashing the kernel without Odin or any computer
- Backuping and Restoring a whole firmware, including stock one
- Doing more than one operation before automatic reboot through a list of commands in /data/fota/command (not tested yet)
- Messing with bootloaders and bricking your phone for good
Yeah, you must be really carefull this time. Samsung made some partitions read-only for a reason
Hopefully this new tool will be used by most ROM cooker, CyanogenMod, and ClockWorkMod
I'll make a update.zip + redbend_ua template soon if nobody comes up with one.
My Twitter for next news
Joined to this post : redbend_ua working binary. (some firmware ship a new binary that does not accept command line parameters)
-----
Old post, for the record :
Our Galaxy S in Eclair firmwares come with software able to provide update Over The Air.
This firmware is in /sbin directory, which means that it's in the kernel ramdisk.
Look at the output when running the binary without argument or appropriate file:
Code:
# redbend_ua
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
UA/(MakeBMLNodes): mknod path=/dev/block/bml4, dev_no=35076
UA/(MakeBMLNodes): mknod path=/dev/block/bml5, dev_no=35077
UA/(MakeBMLNodes): mknod path=/dev/block/bml7, dev_no=35079
UA/(MakeBMLNodes): mknod path=/dev/block/bml8, dev_no=35080
UA/(MakeBMLNodes): mknod path=/dev/block/bml11, dev_no=35083
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
UA/ check_existence: /data/fota/delta.Sbl
UA/(update_all): Check Delta : path_idx(0), part_idx(0), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.zImage
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.modem
UA/(update_all): Check Delta : path_idx(0), part_idx(2), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.platform
UA/(update_all): Check Delta : path_idx(0), part_idx(3), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.Sbl
UA/(update_all): Check Delta : path_idx(1), part_idx(0), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.zImage
UA/(update_all): Check Delta : path_idx(1), part_idx(1), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.modem
UA/(update_all): Check Delta : path_idx(1), part_idx(2), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.platform
UA/(update_all): Check Delta : path_idx(1), part_idx(3), file_path((null)), cnt(0)
fail!
Open /data/fota/fota.status
fsync after write: 0
And here is the result when you provide a fake zImage delta file:
Code:
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
UA/(MakeBMLNodes): mknod path=/dev/block/bml4, dev_no=35076
UA/(MakeBMLNodes): mknod path=/dev/block/bml5, dev_no=35077
UA/(MakeBMLNodes): mknod path=/dev/block/bml7, dev_no=35079
UA/(MakeBMLNodes): mknod path=/dev/block/bml8, dev_no=35080
UA/(MakeBMLNodes): mknod path=/dev/block/bml11, dev_no=35083
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
UA/ check_existence: /data/fota/delta.Sbl
UA/(update_all): Check Delta : path_idx(0), part_idx(0), file_path((null)), cnt(0)
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path(/data/fota/delta.zImage), cnt(1)
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path(/data/fota/delta.zImage), cnt(1)
UA/ check_existence: /data/fota/delta.modem
UA/(update_all): Check Delta : path_idx(0), part_idx(2), file_path((null)), cnt(1)
UA/ check_existence: /data/fota/delta.platform
UA/(update_all): Check Delta : path_idx(0), part_idx(3), file_path((null)), cnt(1)
page_msize: 4096, phy_unit_size: 262144
UA/ Sbl delta does NOT exist! Skip.
page_msize: 4096, phy_unit_size: 262144
UA/ check_existence: /data/fota/fota_zImage
page_msize: 4096, phy_unit_size: 262144
dev: /dev/block/bml8 partition size: 0x780000
40180008: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180018: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180028: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180038: ffff ffff ffff ffff ffff ffff ffff ffff ................
signature: 0xffffffff
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
page_msize: 4096, phy_unit_size: 262144
page_msize: 4096, phy_unit_size: 262144
UA/(backup_devbml) src: /dev/block/bml7 partition size: 0x780000
UA/(backup_devbml) dst: /dev/block/bml8 partition size: 0x780000
UA/(backup_devbml) backup 128KB at 0x0
UA/(backup_devbml) backup 128KB at 0x40000
UA/(backup_devbml) backup 128KB at 0x80000
UA/(backup_devbml) backup 128KB at 0xc0000
UA/(backup_devbml) backup 128KB at 0x100000
UA/(backup_devbml) backup 128KB at 0x140000
UA/(backup_devbml) backup 128KB at 0x180000
UA/(backup_devbml) backup 128KB at 0x1c0000
UA/(backup_devbml) backup 128KB at 0x200000
UA/(backup_devbml) backup 128KB at 0x240000
UA/(backup_devbml) backup 128KB at 0x280000
UA/(backup_devbml) backup 128KB at 0x2c0000
UA/(backup_devbml) backup 128KB at 0x300000
UA/(backup_devbml) backup 128KB at 0x340000
UA/(backup_devbml) backup 128KB at 0x380000
UA/(backup_devbml) backup 128KB at 0x3c0000
UA/(backup_devbml) backup 128KB at 0x400000
UA/(backup_devbml) backup 128KB at 0x440000
UA/(backup_devbml) backup 128KB at 0x480000
UA/(backup_devbml) backup 128KB at 0x4c0000
UA/(backup_devbml) backup 128KB at 0x500000
UA/(backup_devbml) backup 128KB at 0x540000
UA/(backup_devbml) backup 128KB at 0x580000
UA/(backup_devbml) backup 128KB at 0x5c0000
UA/(backup_devbml) backup 128KB at 0x600000
UA/(backup_devbml) backup 128KB at 0x640000
UA/(backup_devbml) backup 128KB at 0x680000
UA/(backup_devbml) backup 128KB at 0x6c0000
UA/(backup_devbml) backup 128KB at 0x700000
UA/(backup_devbml) backup 128KB at 0x740000
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
UA/(RB_ImageUpdateMain): ++
UA/(RB_ImageUpdateMain) uPartitionName[zImage]
RB_GetBlockSize: returning 0x40000 (262144)
UA/(RB_UpdateImage): ++
UA/(RB_UpdateImage): Delta file name-/data/fota/delta.zImage
unicode_to_char : zImage
pDeviceDatum.pFirstPartitionData->partition_name: zImage
pDeviceDatum.pFirstPartitionData->partition_type: 0
pDeviceDatum.pFirstPartitionData->file_system_type: 0
unicode_to_char : /data/fota/delta.zImage
RB_OpenFile: Path:/data/fota/delta.zImage | Mode: RDONLY
Successful open() *pwHandle:4
[RB] Illegal field in the delta, or that the given delta is invalid
UA/(RB_UpdateImage) return value from RB_vRM_Update: 0x80000539
UA/(RB_UpdateImage): -- ret=-2147482311
UA/(RB_ImageUpdateMain) pCustomerPartData.updated = -1, rest = -1
UA/(RB_ImageUpdateMain): -- ret=-2147482311
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xdeade002
UA/(update_all) Kernel update fail
fail!
Open /data/fota/fota.status
fsync after write: 0
Promising ! This software definitely has the ability to write on protected bml partitions.
Now wee need to find how to produce the .delta files

Sounds great Lets hope you guys can figure it all out.

I just send a message to Red Bend Software through their site.
Actually it may help to find any other delta file for their software. Without sample we won't go anywhere...
I hope they will be kind and answer!

Here is a list of interesting strings found in the binary :
Code:
UA/ Platform delta does NOT exist! Skip.
Can not open src file : %s
Can not open dst file : %s
UA/(%s) write %dbytes
UA/(%s) copy file %s->%s
fsync failed with return value: %d
fsync after write: %d
UA/ %s: %s
/dev/block/bml4
/data/fota/dump_sbl
/dev/block/bml7
/data/fota/dump_kernel
/dev/block/bml12
/data/fota/dump_modem
FOTA : Make Block Device Nodes
UA/(%s): mknod path=%s, dev_no=%u
Failed to open %s: %s
Open %s
lseek failed with return value: %d
read failed with return value: %d
success!
DONE
fail!
FAIL
FOTA
UA/ modem delta does NOT exist! Skip.
/data/fota/backup.modem
UA/ zImage delta does NOT exist! Skip.
/dev/block/bml8
UA/ Sbl delta does NOT exist! Skip.
UA/ERROR(%s) get dual sbl siginfo fail!!
/dev/block/bml5
UA/ERROR(%s) can't find vaild Sbl partitions
UA/ERROR(%s) SBL RAM partition alloc fail
UA/ERROR(%s) RB_ImageUpdateMain Fail ret=(0x%d)
/data/fota/command
/sdcard/Android/data/temp.fota.delta/command
UA/(%s) cache download
/cache/recovery
UA/(%s) create /cache/recovery directory
/cache/recovery/command
reboot recovery
UA/(%s): Check Delta : path_idx(%d), part_idx(%d), file_path(%s), cnt(%d)
SBL update fail
UA/(%s) %s
Kernel update fail
Modem update fail
Platform update fail
Post update fail
WARNNIG
Delta Not Exist
/data/fota
/sbin/images/fota.png
UA/(%s) test
Update Fail!!
/data/fota/fota.status
/data/fota/delta.Sbl
/data/fota/delta.zImage
/data/fota/delta.modem
/data/fota/delta.platform
/sdcard/Android/data/temp.fota.delta/delta.Sbl
/sdcard/Android/data/temp.fota.delta/delta.zImage
/sdcard/Android/data/temp.fota.delta/delta.modem
/sdcard/Android/data/temp.fota.delta/delta.platform
RedBend Update Agent %s
commands:
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
unknown
/data/fota/fota_Sbl
/data/fota/fota_zImage
Modem
/data/fota/fota_modem
/data/fota/fota_platform
/dev/block/bml11
OFNI
main
update_all
post_update
update_platform
update_modem
update_zImage
update_Sbl
file_copy
check_existence
MakeBMLNodes
UA/(%s): +
UA/(%s): %s (%lx %x)
UA/(%s): -
UA/(%s): %s (%lx %lx)
UA/(%s): memcpy(0x%x, 0x%x, 0x%x)
%07x:
%02x
%02x
BML_GET_DEV_INFO
page_msize: %d, phy_unit_size: %d
open device file
%s: bmldevice_open failed!
%s: bmldevice_info failed!
src: %s
dst: %s partition size: 0x%x
part_size: 0x%x
failed to read from %s (%s)
read finished
read %d bytes
src: %s partition size: 0x%x
dst: %s
failed to write to %s (%s)
done
UA/(%s) src: %s
UA/(%s) dst: %s partition size: 0x%x
UA/(%s) part_size: 0x%x
UA/(%s) read finished
UA/(%s) read %d bytes
UA/(%s) src: %s partition size: 0x%x
UA/(%s) dst: %s
UA/(%s) signature: 0x%x
*WARN* %s partition is already marked as invalid!
UA/(%s) done
page at 0x%x differ!
UA/(%s) backup 128KB at 0x%x
UA/(%s): ++
UA/(%s) 0x%x
UA/ERROR(%s) Valid partition signature is not invalid
UA/(%s): --
%s, invalide magic key(%x)!!
common mark dev : %s partition size: 0x%x
dev: %s partition size: 0x%x
signature: 0x%x
UA/(%s) dev: %s partition size: 0x%x
UA/ERROR(%s) Signature is not validate (%x)
UA/(%s) SBL, SBL2 partition are diffierent size, check your bml device node name
UA/ERROR(%s) Both partition has valid or invalid signature
UA/(%s) Valid Partition-%s, Update Partition-%s
restore_file
backup_block_file
restore_devbml
backup_devbml
store_dualsbl_partition
load_partition
mark_common_recovery
find_valid_partition
check_dualpartition_validation
ram_write_block
ram_read_block
nand_write_block
nand_read_block
bmldevice_get_size
Image size is bigger than partition!
reading NAND page
BML_UNLOCK_ALL
writing NAND page
6,1,14,1
RB_GetBlockSize
%s: returning 0x%x (%d)
RB_ReadBackupBlock
UA/(%s): %s: offset 0x%lx(%ld), size 0x%lx(%ld)
UA/ERROR(%s) open file %s failed.
UA/ open %s file success
UA/ERROR(%s) error in read size
RB_WriteBackupBlock
UA/(%s): offset 0x%lx(%ld), size 0x%lx(%ld)
UA/ERROR(%s) error in write size
RB_ImageUpdateMain
UA/(%s): ++
UA/(%s) uPartitionName[%s]
UA/(%s) pCustomerPartData.updated = %d, rest = %d
UA/(%s): -- ret=%d
RB_UpdateImage
UA/(%s): Delta file name-%s
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
UA/(%s) return value from RB_vRM_Update: 0x%x
unicode_to_char
%s : %s
RecursiveFolderCreater
%s path: %s
temppath: %s
mkdir result: %d errno: %d
RB_CopyFile
%s: %s -> %s
NULL file name find. Abort.
Open %s ENOENT %d
Open %s failed. Abort.
read %d, but write %d, abort.
RB_DeleteFile
%s: %s
unlink value: %d, errno: %d
RB_DeleteFolder
rmdir value: %d, errno: %d
RB_CreateFolder
%s: %s, mode:0x%x
RDONLY
WRONLY
RDWR
Unknown
RB_OpenFile
%s: Path:%s | Mode:
First open() with error %d
copy dir[]=%s
remove dir[]=%s
Fail create folder, Leave RB_OpenFile
After successful creating folder, fail open() with error %d
Successful open() *pwHandle:%ld
RB_ResizeFile
%s: handle %ld, dwSize %d
%s: ret %d handle %ld %d
RB_CloseFile
%s: wHandle = %ld
RB_WriteFile
%s: Handle:%ld , Pos:%ld , Size: %ld
lseek failed with return value: %d
Failed with return value: %d
Bytes Write: %d
fsync Failed with return value: %d
fsync after write: %d
RB_ReadFile
%s: Handle:%ld , Pos:%ld , Size: %ld
read failed with return value: %d
RB_GetFileSize
%s: %ld
lseek errno: %d
Returning Size = 0x%x
RB_Unlink
unlink failed with return value: %d
unlink with return value: %d
RB_Link
symlink failed with return value: %d, errno: %d
symlink with return value: %d
RB_VerifyLinkReference
readlink failed with return value: %d
not same linked path
same linked path
RB_GetFileType
stat failed with return value: %d errno: %d
sbuf.st_mode: %d
S_ISREG(sbuf.st_mode): %d
S_ISLNK(sbuf.st_mode): %d
stat->st_mode = symbolic link file
stat->st_mode = regular file
failed to lstat, err : %d
a2ch
%s : %d
Wrong attribute value: %d
a2ch : %c
chtoa
RB_SetFileAttributes
stat failed with return value: %d
sbuf.st_mode value: %d
ui8pAttribs value: %s
ui32AttribSize value: %ld
attrib_user value: %d
attrib_group value: %d
attrib_other value: %d
att_type value: %d
sbuf.st_mode | attrib: %d
chmod failed with return value: %d
chmod with return value: %d
pUserId value: %s
user_id value: %d
aGroupId value: %s
pGroupId value: %s
group_id value: %d
failed chown %d
success chown %d
RB_FSUpdateMain
UA/(%s) Partition name(%s), mount point(%s)
UA/(%s) pCustomerPartData.updated = %ld, rest = %ld
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
return value from RB_vRM_Update: 0x%x
%s/flagsFile
return value from unlink(%s): 0x%x
Installing software
Don't turn off the
phone and
connect the power
cable as possible.
System updated &
reboot now
gui_progress
UA/(%s): ++ uPercent(%d%), gv_delta_count=(%ld)
UA/(%s): -- Print Percent(%d%)
%3d %%
lcd_init
%s(%d): start!
/dev/graphics/fb0
%s(%d): fb0 open fail
%s(%d): fb0 open success
%s(%d): width = %d, height = %d
%s(%d): ioctl set info fail
%s(%d): Error: failed to map framebuffer device to memory.
%s(%d): ioctl start fail
Allocation error-
Current start: %d
Current finish: %d
Requested size: %d
Allocation error:
Current start: %d
Current finish: %d
Requested size: %d
It may accept commands somehow, like those :
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
I tried writing commands in /data/fota/command and /cache/recovery/command but the program does not follow my orders

ok it works when i flashed zImage
Code:
# redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: /sdcard/jm5.zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished

Wow, this is looking promising.

it seems like htc's flash_image,but much more difficult than it.

raspdeep said:
ok it works when i flashed zImage
Code:
# redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: /sdcard/jm5.zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished
Click to expand...
Click to collapse
Nice raspdeep
How did you do ? Every attempt fails here (in recovery or standard mode).
Which initramfs version do you use ?

Code:
redbend_ua restore zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished
Ok yo don't respond but it works here to, booting on your OC kernel. Now i'll find what is different between our setups

supercurio, you are rapidly becoming one of my Android heros...

distortedloop said:
supercurio, you are rapidly becoming one of my Android heros...
Click to expand...
Click to collapse
Don't know if I can live with that
Code:
ll */*
-rwxr-xr-x 1 root curio 313888 2010-08-26 21:14 oc128uv1/redbend_ua*
-rwxr-xr-x 1 curio curio 314004 2010-08-26 21:16 XWJM5/redbend_ua*
md5sum */*
74f5793536c3cdc902ec269c3f51a165 oc128uv1/redbend_ua
b1ba258a5d673c537a95167267afd6b8 XWJM5/redbend_ua
Different binaries !
Edit : attached working redbend_ua

A diff between strings included in binaries (raw infos, not analyzed yet ^^)
Code:
--- not-working 2010-08-26 21:22:39.594984596 +0200
+++ working 2010-08-26 21:22:20.370634450 +0200
@@ -4,7 +4,6 @@
@F2A
bB,2
H{DYX
-/Q{;
/Qs;
/Qk;
/Qc;
@@ -452,71 +451,52 @@
%mB(
@ #!
!1C "
-reboot
-UA/ Platform delta does NOT exist! Skip.
-Can not open src file : %s
-Can not open dst file : %s
-UA/(%s) write %dbytes
-UA/(%s) copy file %s->%s
- fsync failed with return value: %d
- fsync after write: %d
-UA/ %s: %s
+/data/fota/delta.Sbl
/dev/block/bml4
-/data/fota/dump_sbl
+/dev/block/bml5
+/data/fota/fota_Sbl
+/data/fota/delta.zImage
/dev/block/bml7
-/data/fota/dump_kernel
+/data/fota/backup.zImage
+/data/fota/fota_zImage
+Modem
+/data/fota/delta.modem
/dev/block/bml12
+/data/fota/backup.modem
+/data/fota/fota_modem
+/data/fota/delta.platform
+/data/fota/backup.platform
+/data/fota/fota_platform
+platform delta does NOT exist! Skip.
+existence: s1[%d].existence; %d
+%s: %s
+/data/fota/dump_sbl
+/data/fota/dump_kernel
/data/fota/dump_modem
FOTA : Make Block Device Nodes
-UA/(%s): mknod path=%s, dev_no=%u
Failed to open %s: %s
Open %s
lseek failed with return value: %d
read failed with return value: %d
+ fsync failed with return value: %d
+ fsync after write: %d
success!
DONE
fail!
FAIL
FOTA
-UA/ modem delta does NOT exist! Skip.
-/data/fota/backup.modem
-UA/ zImage delta does NOT exist! Skip.
+modem delta does NOT exist! Skip.
+zImage delta does NOT exist! Skip.
/dev/block/bml8
-UA/ Sbl delta does NOT exist! Skip.
-UA/ERROR(%s) get dual sbl siginfo fail!!
-/dev/block/bml5
-UA/ERROR(%s) can't find vaild Sbl partitions
-UA/ERROR(%s) SBL RAM partition alloc fail
-UA/ERROR(%s) RB_ImageUpdateMain Fail ret=(0x%d)
-/data/fota/command
-/sdcard/Android/data/temp.fota.delta/command
-UA/(%s) cache download
-/cache/recovery
-UA/(%s) create /cache/recovery directory
-/cache/recovery/command
-reboot recovery
-UA/(%s): Check Delta : path_idx(%d), part_idx(%d), file_path(%s), cnt(%d)
-SBL update fail
-UA/(%s) %s
-Kernel update fail
-Modem update fail
-Platform update fail
-Post update fail
-WARNNIG
-Delta Not Exist
-/data/fota
-/sbin/images/fota.png
-UA/(%s) test
-Update Fail!!
+Sbl delta does NOT exist! Skip.
+get dual sbl siginfo fail!!
+can't find vaild Sbl partitions
+reboot
+gv_delta_count[%d]
+dump
+restore
+compare
/data/fota/fota.status
-/data/fota/delta.Sbl
-/data/fota/delta.zImage
-/data/fota/delta.modem
-/data/fota/delta.platform
-/sdcard/Android/data/temp.fota.delta/delta.Sbl
-/sdcard/Android/data/temp.fota.delta/delta.zImage
-/sdcard/Android/data/temp.fota.delta/delta.modem
-/sdcard/Android/data/temp.fota.delta/delta.platform
RedBend Update Agent %s
commands:
img [partition name] [delta file] [device node] [temp path]
@@ -527,29 +507,7 @@
compare <dev1> <dev2>
png [png file name]
all
-unknown
-/data/fota/fota_Sbl
-/data/fota/fota_zImage
-Modem
-/data/fota/fota_modem
-/data/fota/fota_platform
-/dev/block/bml11
OFNI
-main
-update_all
-post_update
-update_platform
-update_modem
-update_zImage
-update_Sbl
-file_copy
-check_existence
-MakeBMLNodes
-UA/(%s): +
-UA/(%s): %s (%lx %x)
-UA/(%s): -
-UA/(%s): %s (%lx %lx)
-UA/(%s): memcpy(0x%x, 0x%x, 0x%x)
%07x:
%02x
%02x
@@ -568,71 +526,67 @@
dst: %s
failed to write to %s (%s)
done
-UA/(%s) src: %s
-UA/(%s) dst: %s partition size: 0x%x
-UA/(%s) part_size: 0x%x
-UA/(%s) read finished
-UA/(%s) read %d bytes
-UA/(%s) src: %s partition size: 0x%x
-UA/(%s) dst: %s
-UA/(%s) signature: 0x%x
-*WARN* %s partition is already marked as invalid!
-UA/(%s) done
page at 0x%x differ!
-UA/(%s) backup 128KB at 0x%x
-UA/(%s): ++
-UA/(%s) 0x%x
-UA/ERROR(%s) Valid partition signature is not invalid
-UA/(%s): --
+signature: 0x%x
+*WARN* %s partition is already marked as invalid!
+backup 128KB at 0x%x
+backup 128KB at 0x%x without signature
+clear mark dev : %s partition size: 0x%x
%s, invalide magic key(%x)!!
-common mark dev : %s partition size: 0x%x
dev: %s partition size: 0x%x
-signature: 0x%x
-UA/(%s) dev: %s partition size: 0x%x
-UA/ERROR(%s) Signature is not validate (%x)
-UA/(%s) SBL, SBL2 partition are diffierent size, check your bml device node name
-UA/ERROR(%s) Both partition has valid or invalid signature
-UA/(%s) Valid Partition-%s, Update Partition-%s
-restore_file
-backup_block_file
-restore_devbml
-backup_devbml
-store_dualsbl_partition
-load_partition
+%s:clear:%s partition size: 0x%x
+%s : write and clear signature done
+%s:write:%s partition size: 0x%x
+%s: Signature is not validate (%x)
+%s signature: 0x%x
+%s +
+%s: SBL, SBL2 partition are diffierent size, check your bml device node name
+Both partition has valid or invalid signature
+Valid Partition-%s, Update Partition-%s
+Siginfo error partition $s (0x%x, 0x%x)
mark_common_recovery
+clear_dualpartition_signature
+write_dualpartition_signature
find_valid_partition
check_dualpartition_validation
-ram_write_block
-ram_read_block
-nand_write_block
-nand_read_block
bmldevice_get_size
Image size is bigger than partition!
reading NAND page
BML_UNLOCK_ALL
writing NAND page
6,1,14,1
+RB_Progress
+%s: (%lu %%)
+RB_GetDelta
+%s: offset 0x%lx(%ld), size 0x%lx(%ld)
+%s: open file %s failed.
+%s: error in read size
RB_GetBlockSize
%s: returning 0x%x (%d)
+RB_ReadImage
+%s: node-%s (%lx %lx)
+RB_WriteBlock
+%s: node-%s (%lx %x)
RB_ReadBackupBlock
-UA/(%s): %s: offset 0x%lx(%ld), size 0x%lx(%ld)
-UA/ERROR(%s) open file %s failed.
-UA/ open %s file success
-UA/ERROR(%s) error in read size
+%s: offset 0x%lx(%ld), size 0x%lx(%ld)
+%s: open file %s failed.
+%s: error in read size
RB_WriteBackupBlock
-UA/(%s): offset 0x%lx(%ld), size 0x%lx(%ld)
-UA/ERROR(%s) error in write size
+%s: error in write size
+RB_ImageUpdateCommon
+uPartitionName[%s]
+%s: pCustomerPartData.updated = %d, rest = %d
RB_ImageUpdateMain
-UA/(%s): ++
-UA/(%s) uPartitionName[%s]
-UA/(%s) pCustomerPartData.updated = %d, rest = %d
-UA/(%s): -- ret=%d
-RB_UpdateImage
-UA/(%s): Delta file name-%s
+%s: backup_file is %s
+%s: size of %s(%s) is %d bytes
+RB_ImageUpdateDualPartition
+%s: backup file(%s) / Valid Partition(%s) / Update Partition(%s)
+%s : RB Image Update Fail
+%s : RB Image Update Done %s
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
-UA/(%s) return value from RB_vRM_Update: 0x%x
+return value from RB_vRM_Update: 0x%x
unicode_to_char
%s : %s
RecursiveFolderCreater
@@ -726,8 +680,7 @@
failed chown %d
success chown %d
RB_FSUpdateMain
-UA/(%s) Partition name(%s), mount point(%s)
-UA/(%s) pCustomerPartData.updated = %ld, rest = %ld
+%s: pCustomerPartData.updated = %ld, rest = %ld
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
@@ -741,9 +694,9 @@
cable as possible.
System updated &
reboot now
-gui_progress
-UA/(%s): ++ uPercent(%d%), gv_delta_count=(%ld)
-UA/(%s): -- Print Percent(%d%)
+Update is ok.
+Update is failed.
+Restoring...
%3d %%
lcd_init
%s(%d): start!
@@ -962,12 +915,6 @@
insufficient memory
buffer error
incompatible version
-RB_Progress
-%s: (%lu %%)
-RB_GetDelta
-%s: offset 0x%lx(%ld), size 0x%lx(%ld)
-%s: open file %s failed.
-%s: error in read size
Pure virtual function called. Are you calling virtual methods from a destructor?
libc-abort
abort() called in pid %d
@@ -1120,6 +1067,7 @@
/dev/log/main
/dev/log/radio
/proc/self/exe
+unknown
/dev/urandom
stack corruption detected: aborted
ANDROID_PROPERTY_WORKSPACE

Whilst we're talking about retrieving information from binaries...
Does anyone know any good disassembly tools. I managed to compile objdump for ARM (ELF) and run it on the Galaxy S secondary bootloader but it only partially works. It doesn't look like it is handling the binary layout correctly. It's unsure how much of the binary is data and how much is actual instructions so it ends up converting the whole thing to instructions (most of which are obviously bogus).

Benjamin Dobell said:
Whilst we're talking about retrieving information from binaries...
Does anyone know any good disassembly tools. I managed to compile objdump for ARM (ELF) and run it on the Galaxy S secondary bootloader but it only partially works. It doesn't look like it is handling the binary layout correctly. It's unsure how much of the binary is data and how much is actual instructions so it ends up converting the whole thing to instructions (most of which are obviously bogus).
Click to expand...
Click to collapse
Under Linux i use the minimalist tool named "strings". You can learn so much just by reading strings extracted ^^.
Otherwise you have IDA Pro (Windows), which is very powerful.
Benjamin, like you i found objdump quite challenging to use.. and.. not that fun.

supercurio said:
Under Linux i use the minimalist tool named "strings". You can learn so much just by reading strings extracted ^^.
Otherwise you have IDA Pro (Windows), which is very powerful.
Benjamin, like you i found objdump quite challenging to use.. and.. not that fun.
Click to expand...
Click to collapse
Unfortunately IDA Pro doesn't seem to work either. IDA Pro Free doesn't support ARM at all and I tried with IDA Pro Advanced but it seemed to have similar issues to objdump, it couldn't determine the entry point etc.
If I could just get the assembler with comments next to it that indicate which pieces of data (strings in particular) are being referenced that would make my day.

Do you think Sbl.bin is a single unique binary ?
Considering everything that this Second Boot Loader is able to do, i would not be surprised if it's more complex than that.
Anyway I can't say much more about the tools, i'm just a rookie hacker

supercurio said:
Do you think Sbl.bin is a single unique binary ?
Considering everything that this Second Boot Loader is able to do, i would not be surprised if it's more complex than that.
Click to expand...
Click to collapse
It wouldn't be a very reliable boot loader if it depended on other binaries (other than data passed to it by the primary boot loader). However the information I'm after, the Loke protocol, is definitely in there cause I can see the handshake strings I send and receive with Heimdall.

working this into SRE RIGHT NOW!!!!
--edit
scripted, and working
release coming soon!!

designgears said:
working this into SRE RIGHT NOW!!!!
Click to expand...
Click to collapse
Nice
Remember being EXTRA careful manipulating raw bml partitions. You can easily brick your phone for good writing bad data in place of first and second bootloader.
NON-RECOVERABLE
please say that to every potential redbend_ua users
This was the required warning, now enjoy

supercurio said:
Nice
Remember being EXTRA careful manipulating raw bml partition. You can easily
brick your phone for good writing bad data in place of first and second bootloader.
NON-RECOVERABLE
please say that to every potential redbend_ua users
This was the required warning, now enjoy
Click to expand...
Click to collapse
I have borked bml17 before.. was able to go into download and restore stock.

KB6 ROM (Android 2.2.1) @ Samfirmware for the GT-P1010 (wifi-only Galaxy Tab)

NOTE: the log below pertains to KB5...I haven't had time yet to look into KB6.
http://www.samfirmware.com/WEBPROTECT-p1010.htm
ro.build.display.id=FROYO.XWKB5
ro.build.version.sdk=8
ro.build.version.release=2.2.1
ro.build.date=Thu Feb 17 19:34:43 KST 2011
I'm going to unpack the various RFS archives, to see what's new. I've got a GT-P1000 Galaxy Tab (wifi+3G), so I'm not going to flash with Heimdall (let alone Odin ).
I made backups for factoryfs.rfs / dbdata.rfs etc. using the usual bit-by-bit "dd" -based method, and I've got a trusty TitaniumBackup archive ready, just in case
I notice that TV-out seems to be gone, and FM radio appears to be available. Hardware DSP support seems more present too. (read content logs below for more information)
TAR contents:
Code:
p1wifi_20110128_r10_00.pit (4 KB) (see PIT-info dumped below)
GT-P1010-CSC-SERKB3/
cache.rfs (10.9 MB) (see content listing below)
movinand.mst (51MB) (can be extracted with [URL="http://movitool.ntd.homelinux.org/trac/movitool/"]MoviTool[/URL], based on [URL="http://forum.xda-developers.com/showpost.php?p=9481702&postcount=30"]Volker1's method[/URL])
P1010XWKB5-REV03-ALL-low-CL913814/
boot.bin (256 KB)
cache.rfs (672 KB)
normalboot.img (4.3 MB)
param.lfs (612 KB)
recovery.img (4.3 MB)
Sbl.bin (1.2 MB)
system.rfs (331 MB)
userdata.rfs (1.2 MB)
Output from Volker1's PIT-info utility:
Code:
Contents of PIT file: p1wifi_20110128_r10_00.pit
---------------------------------------------------------------------------
file magic = 0x12349876 (expected value)
Unknown data: 0 0 0 0 0
Number of partitions = 13 (usual value)
Partition #1
Usual content: boot.bin, the primary boot loader (low-level hardware initialization)
partition entry type: 0 0 (normal partition)
ID = 0; flags = 0; unknown: 0
size = 1 blocks of 256 * 512 bytes = 131072 B = 128 kB = 0 MB
unknown string: [........]
partition name = [IBL+PBL.........................]
file name = [boot.bin........................................................]
Partition #2
Usual content: partition information table (PIT)
partition entry type: 0 0 (normal partition)
ID = 0x1; flags = 0; unknown: 0
size = 1 blocks of 256 * 512 bytes = 131072 B = 128 kB = 0 MB
unknown string: [........]
partition name = [PIT.............................]
file name = [p1wifi.pit......................................................]
Partition #3
Usual content: efs.rfs
partition entry type: 0 0 (normal partition)
ID = 0x14; flags = 0x2 (rfs file system); unknown: 0
size = 40 blocks of 256 * 512 bytes = 5242880 B = 5120 kB = 5 MB
unknown string: [........]
partition name = [EFS.............................]
file name = [efs.rfs.........................................................]
Partition #4
Usual content: Sbl.bin, the secondary boot loader (loads linux kernel)
partition entry type: 0 0 (normal partition)
ID = 0x3; flags = 0; unknown: 0
size = 5 blocks of 256 * 512 bytes = 655360 B = 640 kB = 0 MB
unknown string: [........]
partition name = [SBL.............................]
file name = [sbl.bin.........................................................]
Partition #5
Usual content: backup of secondary boot loader
partition entry type: 0 0 (normal partition)
ID = 0x4; flags = 0; unknown: 0
size = 5 blocks of 256 * 512 bytes = 655360 B = 640 kB = 0 MB
unknown string: [........]
partition name = [SBL2............................]
file name = [sbl.bin.........................................................]
Partition #6
Usual content: param.lfs /mnt/.lfs j4fs
partition entry type: 0 0 (normal partition)
ID = 0x15; flags = 0x2 (rfs file system); unknown: 0
size = 20 blocks of 256 * 512 bytes = 2621440 B = 2560 kB = 2 MB
unknown string: [........]
partition name = [PARAM...........................]
file name = [param.lfs.......................................................]
Partition #7
Usual content: zImage, the linux kernel
partition entry type: 0 0 (normal partition)
ID = 0x5; flags = 0; unknown: 0
size = 30 blocks of 256 * 512 bytes = 3932160 B = 3840 kB = 3 MB
unknown string: [........]
partition name = [NORMALBOOT......................]
file name = [normalboot.img..................................................]
Partition #8
Usual content: recovery.bin, the backup copy of zImage/initramfs
partition entry type: 0 0 (normal partition)
ID = 0x8; flags = 0; unknown: 0
size = 30 blocks of 256 * 512 bytes = 3932160 B = 3840 kB = 3 MB
unknown string: [........]
partition name = [RECOVERY........................]
file name = [recovery.img....................................................]
Partition #9
Usual content: factoryfs.rfs
partition entry type: 0 0 (normal partition)
ID = 0x16; flags = 0x2 (rfs file system); unknown: 0
size = 1430 blocks of 256 * 512 bytes = 187432960 B = 183040 kB = 178 MB
unknown string: [........]
partition name = [SYSTEM..........................]
file name = [system.rfs......................................................]
Partition #10
Usual content: dbdata.rfs
partition entry type: 0 0 (normal partition)
ID = 0x17; flags = 0x2 (rfs file system); unknown: 0
size = 302 blocks of 256 * 512 bytes = 39583744 B = 38656 kB = 37 MB
unknown string: [........]
partition name = [USERDATA........................]
file name = [userdata.rfs....................................................]
Partition #11
Usual content: cache.rfs
partition entry type: 0 0 (normal partition)
ID = 0x18; flags = 0x2 (rfs file system); unknown: 0
size = 140 blocks of 256 * 512 bytes = 18350080 B = 17920 kB = 17 MB
unknown string: [........]
partition name = [CACHE...........................]
file name = [cache.rfs.......................................................]
Partition #12
Usual content: modem.bin
partition entry type: 0 2 (unknown value)
ID = 0x3; flags = 0x1; unknown: 0
size = 0 blocks of 0 * 512 bytes = 0 B = 0 kB = 0 MB
unknown string: [........]
partition name = [HIDDEN.D........................]
file name = [hidden.rfs.t....................................................]
Partition #13
Usual content: Unknown
partition entry type: 0 2 (unknown value)
ID = 0; flags = 0x1; unknown: 0
size = 0 blocks of 0 * 512 bytes = 0 B = 0 kB = 0 MB
unknown string: [........]
partition name = [MOVINAND........................]
file name = [movinand.mst....................................................]
The usual CSC cache.rfs content:
Code:
/dbdata/svox/de-DE_gl0_sg.bin
/dbdata/svox/de-DE_ta.bin
/dbdata/svox/en-GB_kh0_sg.bin
/dbdata/svox/en-GB_ta.bin
/dbdata/svox/en-US_lh0_sg.bin
/dbdata/svox/en-US_ta.bin
/dbdata/svox/es-ES_ta.bin
/dbdata/svox/es-ES_zl0_sg.bin
/dbdata/svox/fr-FR_nk0_sg.bin
/dbdata/svox/fr-FR_ta.bin
/dbdata/svox/it-IT_cm0_sg.bin
/dbdata/svox/it-IT_ta.bin
/system/csc/feature.xml
/system/csc/contents.db
/system/csc/others.xml
/system/csc/sales_code.dat
/system/csc/customer.xml
/system/app/MusicODC.apk
/system/T9DB/qwerty_fi.kdb
/system/T9DB/phonepad_cs.kdb
/system/T9DB/qwerty_da.kdb
/system/T9DB/Samsung_400_PLlsUN_xt9.ldb
/system/T9DB/phonepad_lt.kdb
/system/T9DB/Samsung_400_TRlsUN_xt9.ldb
/system/T9DB/Samsung_400_DEusUN_xt9.ldb
/system/T9DB/Samsung_400_ETlsUN_xt9.ldb
/system/T9DB/Samsung_400_ENubUN_xt9.ldb
/system/T9DB/Samsung_400_SVusUN_xt9.ldb
/system/T9DB/qwerty_sv.kdb
/system/T9DB/Samsung_400_DAlsUN.ldb
/system/T9DB/phonepad_uk.kdb
/system/T9DB/phonepad_it.kdb
/system/T9DB/phonepad_el.kdb
/system/T9DB/qwerty_hu.kdb
/system/T9DB/qwerty_es.kdb
/system/T9DB/Samsung_400_UKlsUN_xt9.ldb
/system/T9DB/qwerty_fr.kdb
/system/T9DB/qwerty_et.kdb
/system/T9DB/Samsung_400_SKlsUN_xt9.ldb
/system/T9DB/phonepad_no.kdb
/system/T9DB/qwerty_nl.kdb
/system/T9DB/qwerty_lt.kdb
/system/T9DB/Samsung_400_LVlsUN_xt9.ldb
/system/T9DB/Samsung_400_ITlsUN_xt9.ldb
/system/T9DB/Samsung_400_PTlsUN_xt9.ldb
/system/T9DB/phonepad_da.kdb
/system/T9DB/Samsung_400_HUlsUN_xt9.ldb
/system/T9DB/Samsung_400_ELlsUN_xt9.ldb
/system/T9DB/phonepad_et.kdb
/system/T9DB/Samsung_400_KKlsUN_xt9.ldb
/system/T9DB/phonepad_es.kdb
/system/T9DB/qwerty_sk.kdb
/system/T9DB/phonepad_nl.kdb
/system/T9DB/qwerty_pt.kdb
/system/T9DB/Samsung_400_ESlsUN_xt9.ldb
/system/T9DB/Samsung_400_CSlsUN_xt9.ldb
/system/T9DB/phonepad_ru.kdb
/system/T9DB/phonepad_tr.kdb
/system/T9DB/qwerty_tr.kdb
/system/T9DB/phonepad_de.kdb
/system/T9DB/Samsung_400_FIlsUN_xt9.ldb
/system/T9DB/phonepad_ko.kdb
/system/T9DB/phonepad_fr.kdb
/system/T9DB/phonepad_fi.kdb
/system/T9DB/qwerty_ru.kdb
/system/T9DB/phonepad_en.kdb
/system/T9DB/qwerty_en.kdb
/system/T9DB/qwerty_cs.kdb
/system/T9DB/qwerty_el.kdb
/system/T9DB/Samsung_400_NOlsUN.ldb
/system/T9DB/Samsung_400_RUlsUN_xt9.ldb
/system/T9DB/qwerty_kk.kdb
/system/T9DB/qwerty_no.kdb
/system/T9DB/qwerty_uk.kdb
/system/T9DB/phonepad_lv.kdb
/system/T9DB/phonepad_pl.kdb
/system/T9DB/Samsung_400_NLlsUN_xt9.ldb
/system/T9DB/phonepad_sv.kdb
/system/T9DB/phonepad_sk.kdb
/system/T9DB/Samsung_400_LTlsUN_xt9.ldb
/system/T9DB/qwerty_pl.kdb
/system/T9DB/qwerty_de.kdb
/system/T9DB/Samsung_400_FRlsUN_xt9s.ldb
/system/T9DB/qwerty_ko.kdb
/system/T9DB/qwerty_lv.kdb
/system/T9DB/phonepad_pt.kdb
/system/T9DB/qwerty_it.kdb
/system/T9DB/phonepad_hu.kdb
/system/CSCFiles.txt
/system/SW_Configuration.xml
Changes in /system/app/ :
Removed DailyBriefing, Ebook, Mms, MobileTrackerEngineTwo, MobileTrackerUI, OtaProvisioningService, SamsungWidget_WeatherClock, SoundRecorder, signin, syncmldm, wipereceiver, wssomacp
Added PhoneCrashNotifier, PopupuiReceiverf, qik, qikhelp, skype
Changes in /system/bin/ :
Too many to list, but here are some notable ones:
Removed BCM4329B1_002.002.023.0534.0590.hcd (the driver for the multi-function Broadcom BCM-4329 chipset, also removed in /etc/wifi/ etc.), akmd2 (the multi-sensor driver, now split into several sub-daemons: geomagnetic, gyroscope, temperature, light, orientation, pressure, proximity, etc.)
Notable changes in /system/etc/ :
Added audio/codec/FMRadioEar.ini, audio/codec/FMRadioSpk.ini, and FM-radio stuff in /etc/firmware/ and /lib/libfmradio_jni.so (the Texas Intruments BRF6350 chip supports FM radio...but I don't think that /system/app/ contains an FM tuner application).
Notable addition: /lib/dsp/ + /lib/libOMX*.so + /lib/libVendor_ti_OMX*.so + lib/libaomx_*.so (Texas Intruments OMX/DSP, hardware encoding/decoding of 720p AMR, WB-AMR, AAC, h264, WMA, WMV, MP3, MPEG4, Flac, AC3, S263, etc.)
Code:
720p_h264vdec_sn.dll64P
720p_mp4vdec_sn.dll64P
720p_mp4venc_sn.dll64P
baseimage.dof
baseimage.map
chromasuppress.l64p
conversions.dll64P
dctn_dyn.dll64P
ddspbase_tiomap3430.dof64P
dfgm.dll64P
dynbase_tiomap3430.dof64P
eenf_ti.l64P
h264vdec_sn.dll64P
h264venc_sn.dll64P
ipp_sn.dll64P
jpegdec_sn.dll64P
jpegenc_sn.dll64P
m4venc_sn.dll64P
monitor_tiomap3430.dof64P
mp3dec_sn.dll64P
mp4v720parcdec_sn.dll64P
mp4varcdec_sn.dll64P
mp4vdec_sn.dll64P
mpeg4aacdec_sn.dll64P
mpeg4aacenc_sn.dll64P
mpeg4aridec_sn.dll64P
nbamrdec_sn.dll64P
nbamrenc_sn.dll64P
postprocessor_dualout.dll64P
qosdyn_3430.dll64P
ringio.dll64P
star.l64P
usn.dll64P
vpp_sn.dll64P
wbamrdec_sn.dll64P
wbamrenc_sn.dll64P
wmadec_sn.dll64P
wmv9dec_sn.dll64P
yuvconvert.l64p
Wifi access point doesn't seem very well protected (/etc/wifi/softap/hostapd.conf):
SSID = AndroidAP (not broadcast)
IP = 192.168.43.1
PASS = "password" (WPA)
By the way, the Wifi interface is different than on the fully-featured Tab: tiwlan0 (the access point is tiap0)

Nice let us know what's new and how you make out

This is great news and I am looking forward to your project, thanks!!!

Heads-up: original post updated with PIT partition structure and TAR contents.

Original post updated with further information (FM radio, DSP, etc.). None of this is authoritative, obviously. I am just making plain observations. I haven't even seen the manufacturer's specifications yet for this device.

Splice/combine the ROM with a P1000 ROM?
Cool. Does this mean that your aim to splice/combine the ROM with a P1000 ROM to create a custom Android 2.2.1 ROM WITH 3G capabilities, that is compatible with P1000?
And in that case, it sure would be nice to keep most of what has been removed from /system/* in the P1010 ROM, of course.

Very interesting, thanks for posting the analysis.
I wonder whether GL drivers are any newer than from P1000 ROMs.
And GPS daemon?
Also, interesting about these split sensor drivers.
edit
hmm, interesting, the GL drivers are for SGX530 not 540 like in normal tab.
And the CPU in 1010 is OMAP3 not Hummingbird.

KB6 now online @ Samfirmware.
I'm too busy to look into it though.

Hi,
I just got the Wifi version. How can I check the ROM version?

does the P1010 still have a gps radio?

jackfrostn said:
does the P1010 still have a gps radio?
Click to expand...
Click to collapse
Yes. Only differences between 3g and wifi model:
- no 3G radio
- less powerful CPU/GPU on wifi model (thus can't play HD/Full HD video)
- and off course, wifi model is cheaper

could someone try getting the skype and qik files working

any update on the ROMs progress?

bthoven said:
Yes. Only differences between 3g and wifi model:
- no 3G radio
- less powerful CPU/GPU on wifi model (thus can't play HD/Full HD video)
- and off course, wifi model is cheaper
Click to expand...
Click to collapse
Actually it CAN play HD video. It can record 720p movies so it would only make sense it'd be able to play them. I watch 720p episodes of Breaking Bad on mine.
Sent from my GT-P1010 using XDA Premium App

himmelhauk said:
Actually it CAN play HD video. It can record 720p movies so it would only make sense it'd be able to play them. I watch 720p episodes of Breaking Bad on mine.
Sent from my GT-P1010 using XDA Premium App
Click to expand...
Click to collapse
Yes, it can play 720p lower bitrate whilst the 3G version can play higher bit rate, and also 1080p.

bthoven said:
Yes, it can play 720p lower bitrate whilst the 3G version can play higher bit rate, and also 1080p.
Click to expand...
Click to collapse
Actually it is worth making a correction here as well, it plays 1080 just fine as well, at least for me.

Out of curiousity, where did you see that the wifi has a different CPU/GPU than the GSM/CDMA versions? I'm not finding that info anywhere.

chrisliphart said:
Out of curiousity, where did you see that the wifi has a different CPU/GPU than the GSM/CDMA versions? I'm not finding that info anywhere.
Click to expand...
Click to collapse
In all the TI OMAP libraries and kernel in the ROM?

skype for p1010 wifi
Skype will work with regular rom.i used it all day today

Yes, it does have gps radio on there. Well mine does anyway (in the uk)

Memory addresses/Memory Map for RAM, OneNAND, etc.

I am too dumb to find correct region... adresses...
But 2 ways...
1.
JTAG
Not solved yet...
2.
Via Command... + WinComm...
http://forum.xda-developers.com/showpost.php?p=12798324&postcount=3
Code:
[B]Memcpy[/B] address length
Example:
Memcpy 0x00000000 0x100
On U700 I can dump RAM on 0... but not on S8500...
Any suggestions?
Thanx.
Best Regards
Edit.:
Found in ELFs:
SDRAM_START_ADDR 0x20000000
SDRAM_END_ADDR 0x6CFFFFFF
See Screenshots. If Debug Level is Mid or High... but I don't understand, what my handset say to me...
On U700 in Debug Level Low possible to read something... on S8500 no success yet.
But maybe my fault.

Have you find the secret upload mode?
If you go to Fota in internals menu and Type something in there than bada crashes and you have got the upload mode (light bluascreen than only restart with key). but how to communicate with the device, i had not found any tool on the GSPN from samsung.

Try to memcpy RAM from 0x20000000 and 0x40000000 in S8500/8530.
Under the first one address you should find 128MB (0x8000000) of oneDRAM and under the second one 256MB (0x10000000) of SDRAM.

Rebellos said:
Try to memcpy RAM from 0x20000000 and 0x40000000 in S8500/8530.
Under the first one address you should find 128MB (0x8000000) of oneDRAM and under the second one 256MB (0x10000000) of SDRAM.
Click to expand...
Click to collapse
A small doubt:
http://dev.odroid.com/wiki/odroid-t/pds/FrontPage/s_blockdiagram.jpg
Does LPDDR1 corresponds to SDRAM?

jake792 said:
A small doubt:
http://dev.odroid.com/wiki/odroid-t/pds/FrontPage/s_blockdiagram.jpg
Does LPDDR1 corresponds to SDRAM?
Click to expand...
Click to collapse
SDRAM is kind of RAM, widely used in computers nowadays
http://en.wikipedia.org/wiki/Synchronous_dynamic_random_access_memory
LPDDR is subtype of SDRAM designed for mobile phones, that is Low-Power Ram.
I'm not sure if thats LPDDR1 or LPDDR2 in Waves.

Thanx.Also since total amount of ram is 384mb.. lesser availibility of free ram would be there.

Bump...
I have not managed problem to dump memory...
Maybe in RAM it is possible to catch some uncompressed data...
Thanx in advance.
Best Regards

Blub...
Problem 1 unsolved to read from handset via Command in bada:
Code:
[B]Memcpy[/B] address length
Memory Map...Partition Table etc. would be interesting for me in 2013...
Maybe start with Partition Table...
I need more space for apps_compressed.bin in bada 2 XXLA1...
Other ideas decrease for instance OSP partition... for test...
I have now access to edit direct in Binary Bootloader... aka boot_loader.mbn.
My skills to understand source or ELF files are very very EXTREME limited.
Maybe S8500 and S8530 have easy "partition Block" like partition.bin from S8600...
Thanx for reading.
Best Regards
Edit 1.
In ELF it is easier to find...
Code:
FLASH_MODEM_START_ADDR 0x00400000
FLASH_MODEM_END_ADDR 0x01100000
FLASH_CODE_START_ADDR 0x01100000
FLASH_CODE_END_ADDR (0x03100000+FLASH_FOTA_HOLE_RESERVED_SIZE)
FLASH_CODE_COMPRESS_START_OFFSET 0x800
Hmm.
Code:
01100000
I could check Little Endian... in boot_loader.mbn

XPKG5 need other addresses for RC1 and RC2
Also MBUKI...
I need this to identify addresses in Boot...
Best Regards

http://forum.xda-developers.com/showpost.php?p=20188325&postcount=369
Code:
// firmware qmd ver start addr max length
{ S8500v12 | BADA_APPS, 0x03050000, 0x01100000, 0x03500000 },
{ S8500v12 | BADA_RSRC1, 0x04070000, 0x04800000, 0x06F00000 },
{ S8500v12 | BADA_RSRCS, 0x04070000, 0x0B700000, 0x00F00000 },
{ S8530v12 | BADA_APPS, 0x03050000, 0x01300000, 0x03500000 },
{ S8530v12 | BADA_RSRC1, 0x04070000, 0x04A00000, 0x05000000 },
{ S8530v12 | BADA_RSRCS, 0x04070000, 0x09A00000, 0x00F00000 },
{ S8500v20 | BADA_APPS, 0x04020000, 0x01100000, 0x02000000 },
{ S8500v20 | BADA_RSRC1, 0x05020000, 0x05D00000, 0x05A00000 },
{ S8500v20 | BADA_RSRCS, 0x05020000, 0x03A00000, 0x02300000 },
{ S8530v20 | BADA_APPS, 0x04020000, 0x01300000, 0x02000000 },
{ S8530v20 | BADA_RSRC1, 0x05020000, 0x03600000, 0x04100000 },
{ S8530v20 | BADA_RSRCS, 0x05020000, 0x07700000, 0x01E00000 },
{ S8600 | BADA_APPS, 0x04020000, 0x08000000, 0x02000000 },
{ S8600 | BADA_RSRC1, 0x05020000, 0x0A200000, 0x03200000 },
{ S8600 | BADA_RSRCS, 0x05020000, 0x0D400000, 0x02800000 },
{ S7250D | BADA_APPS, 0x04020000, 0x00E00000, 0x01F00000 },
{ S7250D | BADA_RSRC1, 0x05020000, 0x02F00000, 0x01E00000 },
{ S7250D | BADA_RSRCS, 0x05020000, 0x04D00000, 0x01C00000 },
Perfect overview, very helpfull.
Big thanx b.kubica :good:
Best Regards

Memo to me...
Code:
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co..
Build On: Jun 8 2011 21:44:47
-----------------------------------------------------------
Re_partition: magic code(0x0)
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] OneNAND nMID=0xec : nDID=0x50
[PAM: ] --FSR_PAM_Init
fsr_bml_load_partition: pi->[B]nNumOfPartEntry = 7[/B]
partitions loading success
board partition information update.. source: 0x0
.Done.
read 1 units.
==== PARTITION INFORMATION ====
ID : *unknown id* (0x9)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : *unknown id* (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 7
===============================
ID : *unknown id* (0x1)
ATTR : RW SLC (0x1001)
FIRST_UNIT : 8
NO_UNITS : 796
===============================
ID : *unknown id* (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 804
NO_UNITS : 716
===============================
ID : *unknown id* (0x15)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1520
NO_UNITS : 372
===============================
ID : *unknown id* (0x17)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1892
NO_UNITS : 56
===============================
ID : *unknown id* (0x18)
ATTR : RW SLC (0x1001)
FIRST_UNIT : 1948
NO_UNITS : 56
===============================
It is possible to "identify" partitons on OneNAND via SBL from I9000 etc...
pi->nNumOfPartEntry = 7
bada Bootloader shows something like this:
Code:
[BM : ] FSR_BML_GetFullPartI() is completed
[BM : ] stPartI.nNumOfPartEntry : 7
[BM : ] 1th PartEntrt(nAttr:0x1002)(nID:0x0)
[BM : ] [1th] pPEntry->n1stVun : 1
[BM : ] [1th] [B]pPEntry->nNumOfUnits : 7[/B]
[BM : ] [1th] pPEntry->nLoadAddr : 0x0
+-------------------------------+
| Bootloader Shadowing FINISHED |
+-------------------------------+
Launch Image at 0x42480000
Catched via UART cable... + JTAG...
Will play little bit with
I9000_s1_odin_20100512.pit
and
I9000_s1_odin_20100803.pit
Tasks for 2014...
Learning more about Partitions...
Best Regards
Edit 1.
Short modified I9000_s1_odin_20100512.pit...
Code:
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
.Done.
read 1 units.
==== PARTITION INFORMATION ====
ID : IBL+PBL (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : PIT (0x1)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 1
===============================
ID : EF[COLOR="Red"]1[/COLOR] (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 2
NO_UNITS : 40
===============================
ID : SB[COLOR="Red"]1[/COLOR] (0x3)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 42
NO_UNITS : 5
===============================
ID : SBL[COLOR="Red"]1[/COLOR] (0x4)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 47
NO_UNITS : 5
===============================
ID : PARA[COLOR="Red"]1[/COLOR] (0x15)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 52
NO_UNITS : 20
===============================
ID : KERNE[COLOR="Red"]1[/COLOR] (0x6)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 72
NO_UNITS : 30
===============================
ID : RECOVER[COLOR="Red"]1[/COLOR] (0x7)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 102
NO_UNITS : 30
===============================
ID : FACTORYF[COLOR="Red"]1[/COLOR] (0x16)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 132
NO_UNITS : 1146
===============================
ID : DBDATAF[COLOR="Red"]1[/COLOR] (0x17)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1278
NO_UNITS : 536
===============================
ID : CACH[COLOR="Red"]1[/COLOR] (0x18)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1814
NO_UNITS : 140
===============================
ID : MODE[COLOR="Red"]1[/COLOR] (0xb)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1954
NO_UNITS : 50
===============================
RO I think should mean read only
RW = read/write
SLC and STL
NO_UNITS = Number of ... maybe... not sure

STL = Section Translation Layer (Google for BML FSR and BML STL by Samsung)
unit = 256kB or so
No idea what's SLC, "Single Level Cell" doesn't make much sense here
Probably answer is in there - https://github.com/supercurio/samsung_fsr

About SLC, etc, I wrote something about this here:
http://forum.xda-developers.com/showpost.php?p=33359041&postcount=6
I think the relevant info is in the links...

http://forum.xda-developers.com/showthread.php?t=816449
Found this usefull thread about PIT...
2014 I will play little bit Partition file PIT.
Ideas.
1.
Modifying PIT to 1 partition over the whole size... in my case 512 MB...
To write maxbe Fulldumps...
If this is nonsense during few Security limitations...
2.
Increasing first Partition to write 4 MB boot.bin... to solve this Security thingie...
http://forum.xda-developers.com/showthread.php?t=1250270
So maybe then bada Boot restoreable with SBL...
Summary...
Units seems Blocks... seems 256 KB size...
So I need instead 1 Unit... 16 for Partition 1...
Later more, I will try to "convert" this info from here now:
Code:
==== PARTITION INFORMATION ====
ID : *unknown id* (0x9)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
Taken from here:
http://forum.xda-developers.com/showpost.php?p=49033160&postcount=11
Best Regards
Edit 1.
So bada Partition table/info looks like this... S8500..
Little bit explained... later more
Code:
==========================
ID
ATTR
FIRST_UNIT 0
NO_UNITS 1
00000000-00040000
[B]256 KB[/B]
==========================
ID
ATTR
FIRST_UNIT 1
NO_UNITS 7
00040000-001C0000
1792 KB [B]2 MB[/B]
1835008 Byte
==========================
ID
ATTR
FIRST_UNIT 8
NO_UNITS 796
203776 KB [B]203 MB[/B]
208666624 Byte
==========================
ID
ATTR
FIRST_UNIT 804
NO_UNITS 716
183296 KB [B]183 MB[/B]
187695104 Byte
==========================
ID
ATTR
FIRST_UNIT 1520
NO_UNITS 372
95232 KB [B]95 MB[/B]
97517568 Byte
==========================
ID
ATTR
FIRST_UNIT 1892
NO_UNITS 56
14336 KB [B]14 MB[/B]
14680064 Byte
==========================
ID
ATTR
FIRST_UNIT 1948
NO_UNITS 56
14336 KB [B]14 MB[/B]
14680064 Byte
===========================

Code:
<6>Scanning device for bad blocks
<7>onenand_bbt_wait: ecc 0xaaaa ctrl 0x0400 intr 0x8080 addr1 0x92 addr8 0x0
<6>OneNAND eraseblock 146 is an initial bad block
<7>onenand_bbt_wait: ecc 0xaaaa ctrl 0x0400 intr 0x8080 addr1 0x5cc addr8 0x0
<6>OneNAND eraseblock 1484 is an initial bad block
<6>OneNAND eraseblock 2047 is an initial bad block
<5>Creating 11 MTD partitions on "(null)":
<5>0x00001f000000-0x00001f500000 : "nv_data"
<5>0x000000400000-0x000009800000 : "fw_block"
<5>0x000000400000-0x000000600000 : "dbl"
<5>0x000000600000-0x000001380000 : "amss"
<5>0x000001300000-0x000003600000 : "apps"
<5>0x000003600000-0x000007700000 : "rsrc1"
<5>0x000007700000-0x000009500000 : "csc"
<5>0x000009500000-0x000009800000 : "fota"
<5>0x000009800000-0x000018f00000 : "stl1"
<5>0x000018f00000-0x00001ec00000 : "stl2"
<5>0x00001ec00000-0x00001f000000 : "secdata"
S8530 UART Log... with latest Android from volk204...
Later I will compare S8500...
Best Regards

S8530 SD-Version ZenDroKat
/proc/mtd
Code:
dev: size erasesize name
mtd0: 00500000 00040000 "nv_data"
mtd1: 09400000 00040000 "fw_block"
mtd2: 00200000 00040000 "dbl"
mtd3: 00d80000 00040000 "amss"
mtd4: 02300000 00040000 "apps"
mtd5: 04100000 00040000 "rsrc1"
mtd6: 01e00000 00040000 "csc"
mtd7: 00300000 00040000 "fota"
mtd8: 0f700000 00040000 "stl1"
mtd9: 05d00000 00040000 "stl2"
mtd10: 00400000 00040000 "secdata"
/proc/partitions
Code:
major minor #blocks name
31 0 5120 mtdblock0
31 1 151552 mtdblock1
31 2 2048 mtdblock2
31 3 13824 mtdblock3
31 4 35840 mtdblock4
31 5 66560 mtdblock5
31 6 30720 mtdblock6
31 7 3072 mtdblock7
31 8 252928 mtdblock8
31 9 95232 mtdblock9
31 10 4096 mtdblock10
253 0 488284 zram0
179 0 1912832 mmcblk0
179 1 602112 mmcblk0p1
179 2 401408 mmcblk0p2
179 3 909311 mmcblk0p3
179 16 1024 mmcblk0boot1
179 8 1024 mmcblk0boot0
179 24 15632384 mmcblk1
179 25 11330560 mmcblk1p1
179 26 18432 mmcblk1p2
179 27 563200 mmcblk1p3
179 28 3719168 mmcblk1p4

http://download.tizen.org/releases/daily/1.0/sbs/
Oh, about PIT...
Check content of file:
lutil.tar.gz
Attached...
Best Regards
Edit 1.
Oh, maybe this helps me to unterstand more...
PIT/XML files
=============
You can convert a PIT file to XML format as follows:
./pit2xml pit/SLP_ALL_Ver04.pit SLP_ALL_Ver04.xml
and back again:
./xml2pit SLP_ALL_Ver04.xml SLP_ALL_Ver04.pit
The relevant data in the file should remain the same.
The XML for SLP_ALL_Ver04.pit looks like this:
Click to expand...
Click to collapse
Edit 2.
According to this example:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<root>
<partition Name="ipl+recovery" FileName="ipl-recovery.bin" DeltaName="" BlockSize="256" BlockLength="2"/>
<partition Name="pit" FileName="pit" DeltaName="" ID="1" BlockSize="256" BlockLength="2"/>
<partition Name="csa" FileName="csa" DeltaName="" ID="2" BlockSize="256" BlockLength="32"/>
<partition Name="u-boot" FileName="u-boot-whdr.bin" DeltaName="" ID="3" BlockSize="256" BlockLength="4"/>
<partition Name="u-boot_bak" FileName="u-boot-whdr.bin" DeltaName="" ID="4" BlockSize="256" BlockLength="4"/>
<partition Name="params" FileName="params" DeltaName="" ID="5" BlockSize="256" BlockLength="4"/>
<partition Name="config" FileName="config" DeltaName="" ID="6" BlockSize="256" BlockLength="8"/>
<partition Name="kernel" FileName="uImage" DeltaName="" ID="7" BlockSize="256" BlockLength="28"/>
<partition Name="kernel_bak" FileName="uImage" DeltaName="" ID="8" BlockSize="256" BlockLength="28"/>
<partition Name="log" FileName="log" DeltaName="" ID="9" BlockSize="256" BlockLength="5"/>
<partition Name="modem" FileName="modem.img" DeltaName="" BinType="1" ID="10" BlockSize="256" BlockLength="64"/>
<partition Name="qboot" FileName="qboot" DeltaName="" ID="11" BlockSize="256" BlockLength="240"/>
<partition Name="UBI" FileName="ubi.img" DeltaName="" ID="12" Attribute="1" BlockSize="256" BlockLength="1627"/>
<partition Name="movinand" FileName="movinand.bin" DeltaName="" DevType="2" Attribute="1"/>
<partition Name="csc" FileName="rfs_part4.csc" DeltaName="" DevType="2" ID="4" Attribute="1"/>
</root>
I will try to "convert":
Code:
I9000_s1_odin_20100512.pit
I9000_s1_odin_20100803.pit
First by hand and my low brain...

Code:
===============================
ID : CACHE (0x18)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1814
NO_UNITS : [B]130[/B]
===============================
ID : MODEM (0xb)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1944
NO_UNITS : [B]60[/B]
===============================
Aha...
increased reserved space for AMSS... in:
I9000_s1_odin_20100512.pit
Need this for stupid tests... to start with patched SBL...
Best Regards

didn't they already understood and documented every possible part of pit file format?

didn't they already understood
Click to expand...
Click to collapse
Thanx for Link, never seen before...
No idea yet, how easy it is to use... for me.
At the moment for me it is easier to use my little brain + WinHex + example from Samsung Tizen team... in XML Format.
And I am on the older Stuff like I9000 PIT... OneNAND... not eMMC/moviNAND...
No Encryption...
Best Regards
Edit 1.
Short tested this:
http://jenkins.casual-dev.com/job/Analyze PIT File/build
Used this PIT from I9000...
I9000_s1_odin_20100512.pit
Code:
-----BEGIN PIT ANALYSIS-----
PIT Name: TA
PIT Parameter: àú
PIT Parameter: ØC
Entry Count: 13
File Type: 

--- Entry #0 ---
ID: 0 Partition Name: IBL+PBL param: S param: e param: r param: v param: e param: r param: \ param: 9 param: 0 param: \ param: T param: o
Filename: boot.bin param: i param: n param: n param: ; param: C param: : param: \ param: P param: r param: o param: g
Block Size: 1 (512B)
Block range: 256 - 256 (hex 0x100 - 0x100)
FilesystemType: 0 PartType: 0 DevType: 0 BinType: 0
Offset:6684783 Size: 2097268 FOTA: param: a param: m param: param: F param: i param: l param: e param: s param: \ param: E param: S param: T param: s param: o param: f
The IBL+PBL param: S param: e param: r param: v param: e param: r param: \ param: 9 param: 0 param: \ param: T param: o partition, identified as partition number 0, is 512B in size and carries a raw format. This partition resides on the Raw section of the AP undocumented. It identifies itself to Odin as boot.bin param: i param: n param: n param: ; param: C param: : param: \ param: P param: r param: o param: g.The partition carries a filesize of 2097268 and an offset of 6684783.
--- Entry #1 ---
ID: 1 Partition Name: PIT
Filename: param: ries.pit
Block Size: 1 (512B)
Block range: 256 - 256 (hex 0x100 - 0x100)
FilesystemType: 0 PartType: 0 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The PIT partition, identified as partition number 1, is 512B in size and carries a raw format. This partition resides on the Raw section of the AP undocumented. It identifies itself to Odin as param: ries.pit.
--- Entry #2 ---
ID: 20 Partition Name: EFS
Filename: efs.rfs
Block Size: 40 (20.5kB)
Block range: 256 - 295 (hex 0x100 - 0x127)
FilesystemType: 0 PartType: 2 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The EFS partition, identified as partition number 20, is 20.5kB in size and carries a raw format. This partition resides on the Bootloader section of the AP undocumented. It identifies itself to Odin as efs.rfs.
--- Entry #3 ---
ID: 3 Partition Name: SBL
Filename: sbl.bin
Block Size: 5 (2.6kB)
Block range: 256 - 260 (hex 0x100 - 0x104)
FilesystemType: 0 PartType: 0 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The SBL partition, identified as partition number 3, is 2.6kB in size and carries a raw format. This partition resides on the Raw section of the AP undocumented. It identifies itself to Odin as sbl.bin.
--- Entry #4 ---
ID: 4 Partition Name: SBL2
Filename: sbl.bin
Block Size: 5 (2.6kB)
Block range: 256 - 260 (hex 0x100 - 0x104)
FilesystemType: 0 PartType: 0 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The SBL2 partition, identified as partition number 4, is 2.6kB in size and carries a raw format. This partition resides on the Raw section of the AP undocumented. It identifies itself to Odin as sbl.bin.
--- Entry #5 ---
ID: 21 Partition Name: PARAM
Filename: param.lfs
Block Size: 20 (10.2kB)
Block range: 256 - 275 (hex 0x100 - 0x113)
FilesystemType: 0 PartType: 2 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The PARAM partition, identified as partition number 21, is 10.2kB in size and carries a raw format. This partition resides on the Bootloader section of the AP undocumented. It identifies itself to Odin as param.lfs.
--- Entry #6 ---
ID: 6 Partition Name: KERNEL
Filename: zImage
Block Size: 30 (15.4kB)
Block range: 256 - 285 (hex 0x100 - 0x11d)
FilesystemType: 0 PartType: 0 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The KERNEL partition, identified as partition number 6, is 15.4kB in size and carries a raw format. This partition resides on the Raw section of the AP undocumented. It identifies itself to Odin as zImage.
--- Entry #7 ---
ID: 7 Partition Name: RECOVERY
Filename: zImage
Block Size: 30 (15.4kB)
Block range: 256 - 285 (hex 0x100 - 0x11d)
FilesystemType: 0 PartType: 0 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The RECOVERY partition, identified as partition number 7, is 15.4kB in size and carries a raw format. This partition resides on the Raw section of the AP undocumented. It identifies itself to Odin as zImage.
--- Entry #8 ---
ID: 22 Partition Name: FACTORYFS
Filename: factoryfs.rfs
Block Size: 1146 (586.8kB)
Block range: 256 - 1401 (hex 0x100 - 0x579)
FilesystemType: 0 PartType: 2 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The FACTORYFS partition, identified as partition number 22, is 586.8kB in size and carries a raw format. This partition resides on the Bootloader section of the AP undocumented. It identifies itself to Odin as factoryfs.rfs.
--- Entry #9 ---
ID: 23 Partition Name: DBDATAFS
Filename: dbdata.rfs
Block Size: 536 (274.4kB)
Block range: 256 - 791 (hex 0x100 - 0x317)
FilesystemType: 0 PartType: 2 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The DBDATAFS partition, identified as partition number 23, is 274.4kB in size and carries a raw format. This partition resides on the Bootloader section of the AP undocumented. It identifies itself to Odin as dbdata.rfs.
--- Entry #10 ---
ID: 24 Partition Name: CACHE
Filename: cache.rfs
Block Size: 140 (71.7kB)
Block range: 256 - 395 (hex 0x100 - 0x18b)
FilesystemType: 0 PartType: 2 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The CACHE partition, identified as partition number 24, is 71.7kB in size and carries a raw format. This partition resides on the Bootloader section of the AP undocumented. It identifies itself to Odin as cache.rfs.
--- Entry #11 ---
ID: 11 Partition Name: MODEM
Filename: modem.bin
Block Size: 50 (25.6kB)
Block range: 256 - 305 (hex 0x100 - 0x131)
FilesystemType: 0 PartType: 0 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The MODEM partition, identified as partition number 11, is 25.6kB in size and carries a raw format. This partition resides on the Raw section of the AP undocumented. It identifies itself to Odin as modem.bin.
--- Entry #12 ---
[B]ID: 11 Partition Name:
Filename:
Block Size: 0 (0B)
Block range: 0 - -1 (hex 0x0 - 0xffffffff)
FilesystemType: 0 PartType: 0 DevType: 1 BinType: 1
Offset:0 Size: 0 FOTA:
The partition, identified as partition number 11, is 0B in size and carries a raw format. This partition resides on the Raw section of the CP NAND.
[/B]
-----END PIT ANALYSIS-----
Helpfull to understand maybe last few Bytes of PIT...
Anyway... output not 100 % correct, because Blocksize is 256 KB, instead 512 Byte...
Its the difference between eMCC/moviNAND versus OneNAND...

[FFU][UPE-DEV]Structure Full Flash Update Image for WP7 Devices

Structure Full Flash Update Image (.FFU) for Windows Phone 7 Device
Full Flash Update - This is a System Flash Image for update WP7 Device. We upgrade this OS, example in tool UpdateWP.exe(from Zune catalog in PC).
In Part SDLR, from general ROM structure, we have too more files and modules, which reads the image system and its syntax.
Physical Flash Layout:
HashTable.blob
Partition Table Info
User Store Space
Bootloader/Modem -> (amss, fsbl, osbl, etc.)
SLDR
NK
IMGFS
User Store Space
Partition Table Info (ImageFlash) - example:
Code:
[FullFlash]
Version = 1.0
MigrateUserSettings = False
UpdateType = Normal
DevicePlatformID = {5B8F8B62-8E55-4531-8D70-15269B68C43E}
FormatUserStore = True
[BinaryRegion]
Size = 24924572
Name = Modem
[Store]
SectorSize = 2048
Name = OS
SectorCount = 479296
ID = {ACE7CC5C-5F30-474b-A662-989B9B9DBA90}
[Partition]
UsedSectors = 2590
Name = SLDR
PartitionType = 32
BootDataSize = 12
TotalSectors = 3136
TargetStore = {ACE7CC5C-5F30-474b-A662-989B9B9DBA90}
[Partition]
UsedSectors = 2540
Name = NK
PartitionType = 35
BootDataSize = 12
TotalSectors = 2944
TargetStore = {ACE7CC5C-5F30-474b-A662-989B9B9DBA90}
[Partition]
UsedSectors = 66059
Name = IMGFS
PartitionType = 37
TotalSectors = 70719
TargetStore = {ACE7CC5C-5F30-474b-A662-989B9B9DBA90}
More Information:
.ffu (Full Flash Update) file format (XML) will be used to pass information to the Zune software on which partitions are to be updated, etc. FFUs are signed just as .cabs are signed and only an .ffu which passes validation against the certificates on-device will be allowed to update a device.
Click to expand...
Click to collapse
Nokser

What does this mean?
Can install custom rom, downgrade bootloader?

[FFU][UPE-DEV]Structure Full Flash Update Image for HTC Mazaa

Structure Full Flash Update Image (.FFU) for Windows Phone 7 HTC Mazaa
Full Flash Update - This is a System Flash Image for update WP7 Device. We upgrade this OS, example in tool UpdateWP.exe(from Zune catalog in PC).
In Part SDLR, from general ROM structure, we have too more files and modules, which reads the image system and its syntax.
Physical Flash Layout:
HashTable.blob
Partition Table Info
User Store Space
Bootloader/Modem -> (amss, fsbl, osbl, etc.)
BSP
SLDR1
SLDR2
NK
USP
DPP
IMGFS
PADUSER
User Store
Partition Table Info (ImageFlash):
Code:
[FullFlash]
Version = 1.0
MigrateUserSettings = False
UpdateType = Clean
Description =
DevicePlatformID = {2527F725-F4B7-404e-8379-F0CAE045AAB8}
FormatUserStore = False
[BinaryRegion]
Size = 27547389
Name = Modem
[Store]
SectorSize = 512
Name = OS
SectorCount = 62324736
ID = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 1
Name = BSP
PartitionType = 41
BootDataSize = 12
TotalSectors = 512
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 10199
Name = SLDR1
PartitionType = 32
BootDataSize = 12
TotalSectors = 13260
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 10199
Name = SLDR2
PartitionType = 32
BootDataSize = 12
TotalSectors = 13260
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 8107
Name = NK
PartitionType = 35
BootDataSize = 12
TotalSectors = 11776
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 0
Name = USP
PartitionType = 27
TotalSectors = 6912
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 1
Name = DPP
PartitionType = 41
TotalSectors = 512
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 528254
Name = IMGFS
PartitionType = 37
TotalSectors = 1028088
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 0
Name = PADUSER
PartitionType = 42
TotalSectors = 8
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
[Partition]
UsedSectors = 0
UseAllSpace = True
Name = User
PartitionType = 4
TotalSectors = 0
TargetStore = {7EF3850B-A401-4699-9821-7A4C483F6BAA}
More Information:
.ffu (Full Flash Update) file format (XML) will be used to pass information to the Zune software on which partitions are to be updated, etc. FFUs are signed just as .cabs are signed and only an .ffu which passes validation against the certificates on-device will be allowed to update a device.
Click to expand...
Click to collapse
Nokser

shape of the above
the program is doing what
thanks

Can downgrade spl 5 with this??

Magpir said:
Can downgrade spl 5 with this??
Click to expand...
Click to collapse
+1 for this

what does this do?

hmm... this has been around for weeks Nokser, but thanks!