Develop Bugs

[DEVs ONLY] Flash Galaxy S without computer : introducing redbend_ua

Hello there
This is a surprise, but software able to flash the phone without any computer intervention was already on it, since the beginning.
Searching for a way to install my future lag fix easily, I remember that there was an "OTA" boot mode.
I know, today nobody saw an OTA on any Galaxy S smartpone (except maybe One on the AT&T Captivate?), but the software is still there.
How does this work :
Basically Linux boots a ramdisk, loading kernel modules and running an init process who start the whole Android experience (bootmode=) or just the recovery mode (bootmode=2).
Other bootmodes are used for battery loading only and Over The Air updates.
In this case, init.rc ask init to start "/sbin/redbend_ua all".
By default this software search for software updates in /data/fota and on similar places in the /sdcard.
It could prove useful another day, but you still have to be root to ask your device to reboot in a specific bootmode
The nice part is that we can use redbend_ua manually too, to do many impossible things before :
command list, pretty comprehensive.
Code:
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
Possible usages :
- Flashing the kernel without Odin or any computer
- Backuping and Restoring a whole firmware, including stock one
- Doing more than one operation before automatic reboot through a list of commands in /data/fota/command (not tested yet)
- Messing with bootloaders and bricking your phone for good
Yeah, you must be really carefull this time. Samsung made some partitions read-only for a reason
Hopefully this new tool will be used by most ROM cooker, CyanogenMod, and ClockWorkMod
I'll make a update.zip + redbend_ua template soon if nobody comes up with one.
My Twitter for next news
Joined to this post : redbend_ua working binary. (some firmware ship a new binary that does not accept command line parameters)
-----
Old post, for the record :
Our Galaxy S in Eclair firmwares come with software able to provide update Over The Air.
This firmware is in /sbin directory, which means that it's in the kernel ramdisk.
Look at the output when running the binary without argument or appropriate file:
Code:
# redbend_ua
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
UA/(MakeBMLNodes): mknod path=/dev/block/bml4, dev_no=35076
UA/(MakeBMLNodes): mknod path=/dev/block/bml5, dev_no=35077
UA/(MakeBMLNodes): mknod path=/dev/block/bml7, dev_no=35079
UA/(MakeBMLNodes): mknod path=/dev/block/bml8, dev_no=35080
UA/(MakeBMLNodes): mknod path=/dev/block/bml11, dev_no=35083
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
UA/ check_existence: /data/fota/delta.Sbl
UA/(update_all): Check Delta : path_idx(0), part_idx(0), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.zImage
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.modem
UA/(update_all): Check Delta : path_idx(0), part_idx(2), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.platform
UA/(update_all): Check Delta : path_idx(0), part_idx(3), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.Sbl
UA/(update_all): Check Delta : path_idx(1), part_idx(0), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.zImage
UA/(update_all): Check Delta : path_idx(1), part_idx(1), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.modem
UA/(update_all): Check Delta : path_idx(1), part_idx(2), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.platform
UA/(update_all): Check Delta : path_idx(1), part_idx(3), file_path((null)), cnt(0)
fail!
Open /data/fota/fota.status
fsync after write: 0
And here is the result when you provide a fake zImage delta file:
Code:
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
UA/(MakeBMLNodes): mknod path=/dev/block/bml4, dev_no=35076
UA/(MakeBMLNodes): mknod path=/dev/block/bml5, dev_no=35077
UA/(MakeBMLNodes): mknod path=/dev/block/bml7, dev_no=35079
UA/(MakeBMLNodes): mknod path=/dev/block/bml8, dev_no=35080
UA/(MakeBMLNodes): mknod path=/dev/block/bml11, dev_no=35083
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
UA/ check_existence: /data/fota/delta.Sbl
UA/(update_all): Check Delta : path_idx(0), part_idx(0), file_path((null)), cnt(0)
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path(/data/fota/delta.zImage), cnt(1)
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path(/data/fota/delta.zImage), cnt(1)
UA/ check_existence: /data/fota/delta.modem
UA/(update_all): Check Delta : path_idx(0), part_idx(2), file_path((null)), cnt(1)
UA/ check_existence: /data/fota/delta.platform
UA/(update_all): Check Delta : path_idx(0), part_idx(3), file_path((null)), cnt(1)
page_msize: 4096, phy_unit_size: 262144
UA/ Sbl delta does NOT exist! Skip.
page_msize: 4096, phy_unit_size: 262144
UA/ check_existence: /data/fota/fota_zImage
page_msize: 4096, phy_unit_size: 262144
dev: /dev/block/bml8 partition size: 0x780000
40180008: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180018: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180028: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180038: ffff ffff ffff ffff ffff ffff ffff ffff ................
signature: 0xffffffff
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
page_msize: 4096, phy_unit_size: 262144
page_msize: 4096, phy_unit_size: 262144
UA/(backup_devbml) src: /dev/block/bml7 partition size: 0x780000
UA/(backup_devbml) dst: /dev/block/bml8 partition size: 0x780000
UA/(backup_devbml) backup 128KB at 0x0
UA/(backup_devbml) backup 128KB at 0x40000
UA/(backup_devbml) backup 128KB at 0x80000
UA/(backup_devbml) backup 128KB at 0xc0000
UA/(backup_devbml) backup 128KB at 0x100000
UA/(backup_devbml) backup 128KB at 0x140000
UA/(backup_devbml) backup 128KB at 0x180000
UA/(backup_devbml) backup 128KB at 0x1c0000
UA/(backup_devbml) backup 128KB at 0x200000
UA/(backup_devbml) backup 128KB at 0x240000
UA/(backup_devbml) backup 128KB at 0x280000
UA/(backup_devbml) backup 128KB at 0x2c0000
UA/(backup_devbml) backup 128KB at 0x300000
UA/(backup_devbml) backup 128KB at 0x340000
UA/(backup_devbml) backup 128KB at 0x380000
UA/(backup_devbml) backup 128KB at 0x3c0000
UA/(backup_devbml) backup 128KB at 0x400000
UA/(backup_devbml) backup 128KB at 0x440000
UA/(backup_devbml) backup 128KB at 0x480000
UA/(backup_devbml) backup 128KB at 0x4c0000
UA/(backup_devbml) backup 128KB at 0x500000
UA/(backup_devbml) backup 128KB at 0x540000
UA/(backup_devbml) backup 128KB at 0x580000
UA/(backup_devbml) backup 128KB at 0x5c0000
UA/(backup_devbml) backup 128KB at 0x600000
UA/(backup_devbml) backup 128KB at 0x640000
UA/(backup_devbml) backup 128KB at 0x680000
UA/(backup_devbml) backup 128KB at 0x6c0000
UA/(backup_devbml) backup 128KB at 0x700000
UA/(backup_devbml) backup 128KB at 0x740000
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
UA/(RB_ImageUpdateMain): ++
UA/(RB_ImageUpdateMain) uPartitionName[zImage]
RB_GetBlockSize: returning 0x40000 (262144)
UA/(RB_UpdateImage): ++
UA/(RB_UpdateImage): Delta file name-/data/fota/delta.zImage
unicode_to_char : zImage
pDeviceDatum.pFirstPartitionData->partition_name: zImage
pDeviceDatum.pFirstPartitionData->partition_type: 0
pDeviceDatum.pFirstPartitionData->file_system_type: 0
unicode_to_char : /data/fota/delta.zImage
RB_OpenFile: Path:/data/fota/delta.zImage | Mode: RDONLY
Successful open() *pwHandle:4
[RB] Illegal field in the delta, or that the given delta is invalid
UA/(RB_UpdateImage) return value from RB_vRM_Update: 0x80000539
UA/(RB_UpdateImage): -- ret=-2147482311
UA/(RB_ImageUpdateMain) pCustomerPartData.updated = -1, rest = -1
UA/(RB_ImageUpdateMain): -- ret=-2147482311
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xdeade002
UA/(update_all) Kernel update fail
fail!
Open /data/fota/fota.status
fsync after write: 0
Promising ! This software definitely has the ability to write on protected bml partitions.
Now wee need to find how to produce the .delta files

Sounds great Lets hope you guys can figure it all out.

I just send a message to Red Bend Software through their site.
Actually it may help to find any other delta file for their software. Without sample we won't go anywhere...
I hope they will be kind and answer!

Here is a list of interesting strings found in the binary :
Code:
UA/ Platform delta does NOT exist! Skip.
Can not open src file : %s
Can not open dst file : %s
UA/(%s) write %dbytes
UA/(%s) copy file %s->%s
fsync failed with return value: %d
fsync after write: %d
UA/ %s: %s
/dev/block/bml4
/data/fota/dump_sbl
/dev/block/bml7
/data/fota/dump_kernel
/dev/block/bml12
/data/fota/dump_modem
FOTA : Make Block Device Nodes
UA/(%s): mknod path=%s, dev_no=%u
Failed to open %s: %s
Open %s
lseek failed with return value: %d
read failed with return value: %d
success!
DONE
fail!
FAIL
FOTA
UA/ modem delta does NOT exist! Skip.
/data/fota/backup.modem
UA/ zImage delta does NOT exist! Skip.
/dev/block/bml8
UA/ Sbl delta does NOT exist! Skip.
UA/ERROR(%s) get dual sbl siginfo fail!!
/dev/block/bml5
UA/ERROR(%s) can't find vaild Sbl partitions
UA/ERROR(%s) SBL RAM partition alloc fail
UA/ERROR(%s) RB_ImageUpdateMain Fail ret=(0x%d)
/data/fota/command
/sdcard/Android/data/temp.fota.delta/command
UA/(%s) cache download
/cache/recovery
UA/(%s) create /cache/recovery directory
/cache/recovery/command
reboot recovery
UA/(%s): Check Delta : path_idx(%d), part_idx(%d), file_path(%s), cnt(%d)
SBL update fail
UA/(%s) %s
Kernel update fail
Modem update fail
Platform update fail
Post update fail
WARNNIG
Delta Not Exist
/data/fota
/sbin/images/fota.png
UA/(%s) test
Update Fail!!
/data/fota/fota.status
/data/fota/delta.Sbl
/data/fota/delta.zImage
/data/fota/delta.modem
/data/fota/delta.platform
/sdcard/Android/data/temp.fota.delta/delta.Sbl
/sdcard/Android/data/temp.fota.delta/delta.zImage
/sdcard/Android/data/temp.fota.delta/delta.modem
/sdcard/Android/data/temp.fota.delta/delta.platform
RedBend Update Agent %s
commands:
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
unknown
/data/fota/fota_Sbl
/data/fota/fota_zImage
Modem
/data/fota/fota_modem
/data/fota/fota_platform
/dev/block/bml11
OFNI
main
update_all
post_update
update_platform
update_modem
update_zImage
update_Sbl
file_copy
check_existence
MakeBMLNodes
UA/(%s): +
UA/(%s): %s (%lx %x)
UA/(%s): -
UA/(%s): %s (%lx %lx)
UA/(%s): memcpy(0x%x, 0x%x, 0x%x)
%07x:
%02x
%02x
BML_GET_DEV_INFO
page_msize: %d, phy_unit_size: %d
open device file
%s: bmldevice_open failed!
%s: bmldevice_info failed!
src: %s
dst: %s partition size: 0x%x
part_size: 0x%x
failed to read from %s (%s)
read finished
read %d bytes
src: %s partition size: 0x%x
dst: %s
failed to write to %s (%s)
done
UA/(%s) src: %s
UA/(%s) dst: %s partition size: 0x%x
UA/(%s) part_size: 0x%x
UA/(%s) read finished
UA/(%s) read %d bytes
UA/(%s) src: %s partition size: 0x%x
UA/(%s) dst: %s
UA/(%s) signature: 0x%x
*WARN* %s partition is already marked as invalid!
UA/(%s) done
page at 0x%x differ!
UA/(%s) backup 128KB at 0x%x
UA/(%s): ++
UA/(%s) 0x%x
UA/ERROR(%s) Valid partition signature is not invalid
UA/(%s): --
%s, invalide magic key(%x)!!
common mark dev : %s partition size: 0x%x
dev: %s partition size: 0x%x
signature: 0x%x
UA/(%s) dev: %s partition size: 0x%x
UA/ERROR(%s) Signature is not validate (%x)
UA/(%s) SBL, SBL2 partition are diffierent size, check your bml device node name
UA/ERROR(%s) Both partition has valid or invalid signature
UA/(%s) Valid Partition-%s, Update Partition-%s
restore_file
backup_block_file
restore_devbml
backup_devbml
store_dualsbl_partition
load_partition
mark_common_recovery
find_valid_partition
check_dualpartition_validation
ram_write_block
ram_read_block
nand_write_block
nand_read_block
bmldevice_get_size
Image size is bigger than partition!
reading NAND page
BML_UNLOCK_ALL
writing NAND page
6,1,14,1
RB_GetBlockSize
%s: returning 0x%x (%d)
RB_ReadBackupBlock
UA/(%s): %s: offset 0x%lx(%ld), size 0x%lx(%ld)
UA/ERROR(%s) open file %s failed.
UA/ open %s file success
UA/ERROR(%s) error in read size
RB_WriteBackupBlock
UA/(%s): offset 0x%lx(%ld), size 0x%lx(%ld)
UA/ERROR(%s) error in write size
RB_ImageUpdateMain
UA/(%s): ++
UA/(%s) uPartitionName[%s]
UA/(%s) pCustomerPartData.updated = %d, rest = %d
UA/(%s): -- ret=%d
RB_UpdateImage
UA/(%s): Delta file name-%s
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
UA/(%s) return value from RB_vRM_Update: 0x%x
unicode_to_char
%s : %s
RecursiveFolderCreater
%s path: %s
temppath: %s
mkdir result: %d errno: %d
RB_CopyFile
%s: %s -> %s
NULL file name find. Abort.
Open %s ENOENT %d
Open %s failed. Abort.
read %d, but write %d, abort.
RB_DeleteFile
%s: %s
unlink value: %d, errno: %d
RB_DeleteFolder
rmdir value: %d, errno: %d
RB_CreateFolder
%s: %s, mode:0x%x
RDONLY
WRONLY
RDWR
Unknown
RB_OpenFile
%s: Path:%s | Mode:
First open() with error %d
copy dir[]=%s
remove dir[]=%s
Fail create folder, Leave RB_OpenFile
After successful creating folder, fail open() with error %d
Successful open() *pwHandle:%ld
RB_ResizeFile
%s: handle %ld, dwSize %d
%s: ret %d handle %ld %d
RB_CloseFile
%s: wHandle = %ld
RB_WriteFile
%s: Handle:%ld , Pos:%ld , Size: %ld
lseek failed with return value: %d
Failed with return value: %d
Bytes Write: %d
fsync Failed with return value: %d
fsync after write: %d
RB_ReadFile
%s: Handle:%ld , Pos:%ld , Size: %ld
read failed with return value: %d
RB_GetFileSize
%s: %ld
lseek errno: %d
Returning Size = 0x%x
RB_Unlink
unlink failed with return value: %d
unlink with return value: %d
RB_Link
symlink failed with return value: %d, errno: %d
symlink with return value: %d
RB_VerifyLinkReference
readlink failed with return value: %d
not same linked path
same linked path
RB_GetFileType
stat failed with return value: %d errno: %d
sbuf.st_mode: %d
S_ISREG(sbuf.st_mode): %d
S_ISLNK(sbuf.st_mode): %d
stat->st_mode = symbolic link file
stat->st_mode = regular file
failed to lstat, err : %d
a2ch
%s : %d
Wrong attribute value: %d
a2ch : %c
chtoa
RB_SetFileAttributes
stat failed with return value: %d
sbuf.st_mode value: %d
ui8pAttribs value: %s
ui32AttribSize value: %ld
attrib_user value: %d
attrib_group value: %d
attrib_other value: %d
att_type value: %d
sbuf.st_mode | attrib: %d
chmod failed with return value: %d
chmod with return value: %d
pUserId value: %s
user_id value: %d
aGroupId value: %s
pGroupId value: %s
group_id value: %d
failed chown %d
success chown %d
RB_FSUpdateMain
UA/(%s) Partition name(%s), mount point(%s)
UA/(%s) pCustomerPartData.updated = %ld, rest = %ld
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
return value from RB_vRM_Update: 0x%x
%s/flagsFile
return value from unlink(%s): 0x%x
Installing software
Don't turn off the
phone and
connect the power
cable as possible.
System updated &
reboot now
gui_progress
UA/(%s): ++ uPercent(%d%), gv_delta_count=(%ld)
UA/(%s): -- Print Percent(%d%)
%3d %%
lcd_init
%s(%d): start!
/dev/graphics/fb0
%s(%d): fb0 open fail
%s(%d): fb0 open success
%s(%d): width = %d, height = %d
%s(%d): ioctl set info fail
%s(%d): Error: failed to map framebuffer device to memory.
%s(%d): ioctl start fail
Allocation error-
Current start: %d
Current finish: %d
Requested size: %d
Allocation error:
Current start: %d
Current finish: %d
Requested size: %d
It may accept commands somehow, like those :
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
I tried writing commands in /data/fota/command and /cache/recovery/command but the program does not follow my orders

ok it works when i flashed zImage
Code:
# redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: /sdcard/jm5.zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished

Wow, this is looking promising.

it seems like htc's flash_image,but much more difficult than it.

raspdeep said:
ok it works when i flashed zImage
Code:
# redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: /sdcard/jm5.zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished
Click to expand...
Click to collapse
Nice raspdeep
How did you do ? Every attempt fails here (in recovery or standard mode).
Which initramfs version do you use ?

Code:
redbend_ua restore zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished
Ok yo don't respond but it works here to, booting on your OC kernel. Now i'll find what is different between our setups

supercurio, you are rapidly becoming one of my Android heros...

distortedloop said:
supercurio, you are rapidly becoming one of my Android heros...
Click to expand...
Click to collapse
Don't know if I can live with that
Code:
ll */*
-rwxr-xr-x 1 root curio 313888 2010-08-26 21:14 oc128uv1/redbend_ua*
-rwxr-xr-x 1 curio curio 314004 2010-08-26 21:16 XWJM5/redbend_ua*
md5sum */*
74f5793536c3cdc902ec269c3f51a165 oc128uv1/redbend_ua
b1ba258a5d673c537a95167267afd6b8 XWJM5/redbend_ua
Different binaries !
Edit : attached working redbend_ua

A diff between strings included in binaries (raw infos, not analyzed yet ^^)
Code:
--- not-working 2010-08-26 21:22:39.594984596 +0200
+++ working 2010-08-26 21:22:20.370634450 +0200
@@ -4,7 +4,6 @@
@F2A
bB,2
H{DYX
-/Q{;
/Qs;
/Qk;
/Qc;
@@ -452,71 +451,52 @@
%mB(
@ #!
!1C "
-reboot
-UA/ Platform delta does NOT exist! Skip.
-Can not open src file : %s
-Can not open dst file : %s
-UA/(%s) write %dbytes
-UA/(%s) copy file %s->%s
- fsync failed with return value: %d
- fsync after write: %d
-UA/ %s: %s
+/data/fota/delta.Sbl
/dev/block/bml4
-/data/fota/dump_sbl
+/dev/block/bml5
+/data/fota/fota_Sbl
+/data/fota/delta.zImage
/dev/block/bml7
-/data/fota/dump_kernel
+/data/fota/backup.zImage
+/data/fota/fota_zImage
+Modem
+/data/fota/delta.modem
/dev/block/bml12
+/data/fota/backup.modem
+/data/fota/fota_modem
+/data/fota/delta.platform
+/data/fota/backup.platform
+/data/fota/fota_platform
+platform delta does NOT exist! Skip.
+existence: s1[%d].existence; %d
+%s: %s
+/data/fota/dump_sbl
+/data/fota/dump_kernel
/data/fota/dump_modem
FOTA : Make Block Device Nodes
-UA/(%s): mknod path=%s, dev_no=%u
Failed to open %s: %s
Open %s
lseek failed with return value: %d
read failed with return value: %d
+ fsync failed with return value: %d
+ fsync after write: %d
success!
DONE
fail!
FAIL
FOTA
-UA/ modem delta does NOT exist! Skip.
-/data/fota/backup.modem
-UA/ zImage delta does NOT exist! Skip.
+modem delta does NOT exist! Skip.
+zImage delta does NOT exist! Skip.
/dev/block/bml8
-UA/ Sbl delta does NOT exist! Skip.
-UA/ERROR(%s) get dual sbl siginfo fail!!
-/dev/block/bml5
-UA/ERROR(%s) can't find vaild Sbl partitions
-UA/ERROR(%s) SBL RAM partition alloc fail
-UA/ERROR(%s) RB_ImageUpdateMain Fail ret=(0x%d)
-/data/fota/command
-/sdcard/Android/data/temp.fota.delta/command
-UA/(%s) cache download
-/cache/recovery
-UA/(%s) create /cache/recovery directory
-/cache/recovery/command
-reboot recovery
-UA/(%s): Check Delta : path_idx(%d), part_idx(%d), file_path(%s), cnt(%d)
-SBL update fail
-UA/(%s) %s
-Kernel update fail
-Modem update fail
-Platform update fail
-Post update fail
-WARNNIG
-Delta Not Exist
-/data/fota
-/sbin/images/fota.png
-UA/(%s) test
-Update Fail!!
+Sbl delta does NOT exist! Skip.
+get dual sbl siginfo fail!!
+can't find vaild Sbl partitions
+reboot
+gv_delta_count[%d]
+dump
+restore
+compare
/data/fota/fota.status
-/data/fota/delta.Sbl
-/data/fota/delta.zImage
-/data/fota/delta.modem
-/data/fota/delta.platform
-/sdcard/Android/data/temp.fota.delta/delta.Sbl
-/sdcard/Android/data/temp.fota.delta/delta.zImage
-/sdcard/Android/data/temp.fota.delta/delta.modem
-/sdcard/Android/data/temp.fota.delta/delta.platform
RedBend Update Agent %s
commands:
img [partition name] [delta file] [device node] [temp path]
@@ -527,29 +507,7 @@
compare <dev1> <dev2>
png [png file name]
all
-unknown
-/data/fota/fota_Sbl
-/data/fota/fota_zImage
-Modem
-/data/fota/fota_modem
-/data/fota/fota_platform
-/dev/block/bml11
OFNI
-main
-update_all
-post_update
-update_platform
-update_modem
-update_zImage
-update_Sbl
-file_copy
-check_existence
-MakeBMLNodes
-UA/(%s): +
-UA/(%s): %s (%lx %x)
-UA/(%s): -
-UA/(%s): %s (%lx %lx)
-UA/(%s): memcpy(0x%x, 0x%x, 0x%x)
%07x:
%02x
%02x
@@ -568,71 +526,67 @@
dst: %s
failed to write to %s (%s)
done
-UA/(%s) src: %s
-UA/(%s) dst: %s partition size: 0x%x
-UA/(%s) part_size: 0x%x
-UA/(%s) read finished
-UA/(%s) read %d bytes
-UA/(%s) src: %s partition size: 0x%x
-UA/(%s) dst: %s
-UA/(%s) signature: 0x%x
-*WARN* %s partition is already marked as invalid!
-UA/(%s) done
page at 0x%x differ!
-UA/(%s) backup 128KB at 0x%x
-UA/(%s): ++
-UA/(%s) 0x%x
-UA/ERROR(%s) Valid partition signature is not invalid
-UA/(%s): --
+signature: 0x%x
+*WARN* %s partition is already marked as invalid!
+backup 128KB at 0x%x
+backup 128KB at 0x%x without signature
+clear mark dev : %s partition size: 0x%x
%s, invalide magic key(%x)!!
-common mark dev : %s partition size: 0x%x
dev: %s partition size: 0x%x
-signature: 0x%x
-UA/(%s) dev: %s partition size: 0x%x
-UA/ERROR(%s) Signature is not validate (%x)
-UA/(%s) SBL, SBL2 partition are diffierent size, check your bml device node name
-UA/ERROR(%s) Both partition has valid or invalid signature
-UA/(%s) Valid Partition-%s, Update Partition-%s
-restore_file
-backup_block_file
-restore_devbml
-backup_devbml
-store_dualsbl_partition
-load_partition
+%s:clear:%s partition size: 0x%x
+%s : write and clear signature done
+%s:write:%s partition size: 0x%x
+%s: Signature is not validate (%x)
+%s signature: 0x%x
+%s +
+%s: SBL, SBL2 partition are diffierent size, check your bml device node name
+Both partition has valid or invalid signature
+Valid Partition-%s, Update Partition-%s
+Siginfo error partition $s (0x%x, 0x%x)
mark_common_recovery
+clear_dualpartition_signature
+write_dualpartition_signature
find_valid_partition
check_dualpartition_validation
-ram_write_block
-ram_read_block
-nand_write_block
-nand_read_block
bmldevice_get_size
Image size is bigger than partition!
reading NAND page
BML_UNLOCK_ALL
writing NAND page
6,1,14,1
+RB_Progress
+%s: (%lu %%)
+RB_GetDelta
+%s: offset 0x%lx(%ld), size 0x%lx(%ld)
+%s: open file %s failed.
+%s: error in read size
RB_GetBlockSize
%s: returning 0x%x (%d)
+RB_ReadImage
+%s: node-%s (%lx %lx)
+RB_WriteBlock
+%s: node-%s (%lx %x)
RB_ReadBackupBlock
-UA/(%s): %s: offset 0x%lx(%ld), size 0x%lx(%ld)
-UA/ERROR(%s) open file %s failed.
-UA/ open %s file success
-UA/ERROR(%s) error in read size
+%s: offset 0x%lx(%ld), size 0x%lx(%ld)
+%s: open file %s failed.
+%s: error in read size
RB_WriteBackupBlock
-UA/(%s): offset 0x%lx(%ld), size 0x%lx(%ld)
-UA/ERROR(%s) error in write size
+%s: error in write size
+RB_ImageUpdateCommon
+uPartitionName[%s]
+%s: pCustomerPartData.updated = %d, rest = %d
RB_ImageUpdateMain
-UA/(%s): ++
-UA/(%s) uPartitionName[%s]
-UA/(%s) pCustomerPartData.updated = %d, rest = %d
-UA/(%s): -- ret=%d
-RB_UpdateImage
-UA/(%s): Delta file name-%s
+%s: backup_file is %s
+%s: size of %s(%s) is %d bytes
+RB_ImageUpdateDualPartition
+%s: backup file(%s) / Valid Partition(%s) / Update Partition(%s)
+%s : RB Image Update Fail
+%s : RB Image Update Done %s
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
-UA/(%s) return value from RB_vRM_Update: 0x%x
+return value from RB_vRM_Update: 0x%x
unicode_to_char
%s : %s
RecursiveFolderCreater
@@ -726,8 +680,7 @@
failed chown %d
success chown %d
RB_FSUpdateMain
-UA/(%s) Partition name(%s), mount point(%s)
-UA/(%s) pCustomerPartData.updated = %ld, rest = %ld
+%s: pCustomerPartData.updated = %ld, rest = %ld
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
@@ -741,9 +694,9 @@
cable as possible.
System updated &
reboot now
-gui_progress
-UA/(%s): ++ uPercent(%d%), gv_delta_count=(%ld)
-UA/(%s): -- Print Percent(%d%)
+Update is ok.
+Update is failed.
+Restoring...
%3d %%
lcd_init
%s(%d): start!
@@ -962,12 +915,6 @@
insufficient memory
buffer error
incompatible version
-RB_Progress
-%s: (%lu %%)
-RB_GetDelta
-%s: offset 0x%lx(%ld), size 0x%lx(%ld)
-%s: open file %s failed.
-%s: error in read size
Pure virtual function called. Are you calling virtual methods from a destructor?
libc-abort
abort() called in pid %d
@@ -1120,6 +1067,7 @@
/dev/log/main
/dev/log/radio
/proc/self/exe
+unknown
/dev/urandom
stack corruption detected: aborted
ANDROID_PROPERTY_WORKSPACE

Whilst we're talking about retrieving information from binaries...
Does anyone know any good disassembly tools. I managed to compile objdump for ARM (ELF) and run it on the Galaxy S secondary bootloader but it only partially works. It doesn't look like it is handling the binary layout correctly. It's unsure how much of the binary is data and how much is actual instructions so it ends up converting the whole thing to instructions (most of which are obviously bogus).

Benjamin Dobell said:
Whilst we're talking about retrieving information from binaries...
Does anyone know any good disassembly tools. I managed to compile objdump for ARM (ELF) and run it on the Galaxy S secondary bootloader but it only partially works. It doesn't look like it is handling the binary layout correctly. It's unsure how much of the binary is data and how much is actual instructions so it ends up converting the whole thing to instructions (most of which are obviously bogus).
Click to expand...
Click to collapse
Under Linux i use the minimalist tool named "strings". You can learn so much just by reading strings extracted ^^.
Otherwise you have IDA Pro (Windows), which is very powerful.
Benjamin, like you i found objdump quite challenging to use.. and.. not that fun.

supercurio said:
Under Linux i use the minimalist tool named "strings". You can learn so much just by reading strings extracted ^^.
Otherwise you have IDA Pro (Windows), which is very powerful.
Benjamin, like you i found objdump quite challenging to use.. and.. not that fun.
Click to expand...
Click to collapse
Unfortunately IDA Pro doesn't seem to work either. IDA Pro Free doesn't support ARM at all and I tried with IDA Pro Advanced but it seemed to have similar issues to objdump, it couldn't determine the entry point etc.
If I could just get the assembler with comments next to it that indicate which pieces of data (strings in particular) are being referenced that would make my day.

Do you think Sbl.bin is a single unique binary ?
Considering everything that this Second Boot Loader is able to do, i would not be surprised if it's more complex than that.
Anyway I can't say much more about the tools, i'm just a rookie hacker

supercurio said:
Do you think Sbl.bin is a single unique binary ?
Considering everything that this Second Boot Loader is able to do, i would not be surprised if it's more complex than that.
Click to expand...
Click to collapse
It wouldn't be a very reliable boot loader if it depended on other binaries (other than data passed to it by the primary boot loader). However the information I'm after, the Loke protocol, is definitely in there cause I can see the handshake strings I send and receive with Heimdall.

working this into SRE RIGHT NOW!!!!
--edit
scripted, and working
release coming soon!!

designgears said:
working this into SRE RIGHT NOW!!!!
Click to expand...
Click to collapse
Nice
Remember being EXTRA careful manipulating raw bml partitions. You can easily brick your phone for good writing bad data in place of first and second bootloader.
NON-RECOVERABLE
please say that to every potential redbend_ua users
This was the required warning, now enjoy

supercurio said:
Nice
Remember being EXTRA careful manipulating raw bml partition. You can easily
brick your phone for good writing bad data in place of first and second bootloader.
NON-RECOVERABLE
please say that to every potential redbend_ua users
This was the required warning, now enjoy
Click to expand...
Click to collapse
I have borked bml17 before.. was able to go into download and restore stock.

Heimdall (Cross-Platform Flashing Tool) - Galaxy Tab?

I'm the creator of Heimdall the cross platform Galaxy S flashing tool. I was wondering if any one has attempted to flash a Galaxy Tab using my tool?
I suspect that the protocol for flashing the Galaxy Tab is identical. However, I don't have access to a Galaxy Tab so I'm unable to test myself. I would love to add the Galaxy Tab to the list of officially supported devices if someone can confirm it works.
EDIT: Just realised I never updated this post. Heimdall has officially supported the Galaxy Tab for a while now.

I might be able to do it if I find some better firmware to flash. Not sure yet.
Sent from my SCH-I800 using XDA App

I'll give it a try later today. I'm a Linux zealot.

Install notes for Linux + a question
sorry -- wrong thread. No clue how to delete, but I don't want to cross-post so just ignore this.

I compiled and tried using it to flash a modem.bin, but got an error. Heres the console output:
Code:
$ heimdall flash --pit P1_20100909.pit --modem modem.bin
Heimdall, Copyright (c) 2010, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au
This software is provided free of charge. Copying and redistribution is
encouraged.
If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/
Claiming interface... Failed. Attempting to detach driver...
Claiming interface again... Success
Setting up interface... Success
Beginning session...
Handshaking with Loke... Success
Unexpected device info response!
Expected: 180 or 0
Received:3
Ending session...
Rebooting device...
Re-attaching kernel driver...

rotohammer, thanks for that. It seems as the initialisation process might be slightly different for the Galaxy Tab. Unfortunately the spot where it failed is the exact spot in the protocol that I have basically no clue about. The Galaxy S sends either 180 or 0, which is perhaps some sort of flags indicating the state of the device. Technically the flash could continue past there regardless of the value received but it's a bit of a safety net feature to stop right away.
I'll see if I can get my hands on a Galaxy Tab so I can get Heimdall working for Galaxy Tab users as well.

Works great
For those of you interested, I've modified the Heimdall source on Linux to accept the device info value of 3 and I have successfully flashed 2 different full firmwares on my T-Mobile Tab, as well as many individual files. It works much faster than Odin, and a lot less flaky. I let Benjamin know so he can include support in an upcoming release.

Thanks for the good work, Ben and Roto

Can Heimdall dump partititions from flash for backup?

Technomancer said:
Can Heimdall dump partititions from flash for backup?
Click to expand...
Click to collapse
It can dump, but the dumps, just like those from Odin, aren't very useful. Its a limitation on the exporting function of the phone software.

rotohammer said:
It can dump, but the dumps, just like those from Odin, aren't very useful. Its a limitation on the exporting function of the phone software.
Click to expand...
Click to collapse
I suppose the partitions are not mounted in the "downloading" mode, so any dumps from Heimdall should be better than dumps made using dd from the shell?

rotohammer said:
It can dump, but the dumps, just like those from Odin, aren't very useful. Its a limitation on the exporting function of the phone software.
Click to expand...
Click to collapse
Hi Rotohammer!
Great work again
What did you use as chip-type and chip-id for dumping? I.e.
Code:
heimdall dump --chip-type ??? --chip-id ??? --output <filename>

Volker1 said:
What did you use as chip-type and chip-id for dumping?
Click to expand...
Click to collapse
Code:
heimdall dump --chip-type NAND --chip-id 0 --output hdump.img

I wrote a simple too to display information about PIT files (attached). The factory-installed PIT (/dev/block/bml2) on my T-Mobile US tab is identical to the one known as P1_20100909.pit and reads:
Code:
$ ./PITinfo bml2.dump
Contents of PIT file:bml2.dump
---------------------------------------------------------------------------
file magic = 0x12349876 (expected value)
Unknown data: 0x135d800 0x1 0 0x1331e17 0x2cf560
Number of partitions = 14 (not the usual value)
Partition #1
Usual content: boot.bin, the primary boot loader (low-level hardware initialization)
partition entry type: 0 0 (normal partition)
ID = 0; flags = 0; unknown: 0
size = 1 blocks of 256 * 512 bytes = 131072 B = 128 kB = 0 MB
unknown string: [........]
partition name = [IBL+PBL.........................]
file name = [boot.bin........................................................]
Partition #2
Usual content: partition information table (PIT)
partition entry type: 0 0 (normal partition)
ID = 0x1; flags = 0; unknown: 0
size = 1 blocks of 256 * 512 bytes = 131072 B = 128 kB = 0 MB
unknown string: [........]
partition name = [PIT.............................]
file name = [................................................................]
Partition #3
Usual content: efs.rfs
partition entry type: 0 0 (normal partition)
ID = 0x14; flags = 0x2 (rfs file system); unknown: 0
size = 40 blocks of 256 * 512 bytes = 5242880 B = 5120 kB = 5 MB
unknown string: [........]
partition name = [EFS.............................]
file name = [efs.rfs.........................................................]
Partition #4
Usual content: Sbl.bin, the secondary boot loader (loads linux kernel)
partition entry type: 0 0 (normal partition)
ID = 0x3; flags = 0; unknown: 0
size = 5 blocks of 256 * 512 bytes = 655360 B = 640 kB = 0 MB
unknown string: [........]
partition name = [SBL.............................]
file name = [sbl.bin.........................................................]
Partition #5
Usual content: backup of secondary boot loader
partition entry type: 0 0 (normal partition)
ID = 0x4; flags = 0; unknown: 0
size = 5 blocks of 256 * 512 bytes = 655360 B = 640 kB = 0 MB
unknown string: [........]
partition name = [SBL2............................]
file name = [sbl.bin.........................................................]
Partition #6
Usual content: param.lfs /mnt/.lfs j4fs
partition entry type: 0 0 (normal partition)
ID = 0x15; flags = 0x2 (rfs file system); unknown: 0
size = 20 blocks of 256 * 512 bytes = 2621440 B = 2560 kB = 2 MB
unknown string: [........]
partition name = [PARAM...........................]
file name = [param.lfs.......................................................]
Partition #7
Usual content: zImage, the linux kernel
partition entry type: 0 0 (normal partition)
ID = 0x6; flags = 0; unknown: 0
size = 30 blocks of 256 * 512 bytes = 3932160 B = 3840 kB = 3 MB
unknown string: [........]
partition name = [KERNEL..........................]
file name = [zImage..........................................................]
Partition #8
Usual content: recovery.bin, the backup copy of zImage/initramfs
partition entry type: 0 0 (normal partition)
ID = 0x7; flags = 0; unknown: 0
size = 30 blocks of 256 * 512 bytes = 3932160 B = 3840 kB = 3 MB
unknown string: [........]
partition name = [RECOVERY........................]
file name = [zImage..........................................................]
Partition #9
Usual content: factoryfs.rfs
partition entry type: 0 0 (normal partition)
ID = 0x16; flags = 0x2 (rfs file system); unknown: 0
size = 1320 blocks of 256 * 512 bytes = 173015040 B = 168960 kB = 165 MB
unknown string: [........]
partition name = [FACTORYFS.......................]
file name = [factoryfs.rfs...................................................]
Partition #10
Usual content: dbdata.rfs
partition entry type: 0 0 (normal partition)
ID = 0x17; flags = 0x2 (rfs file system); unknown: 0
size = 348 blocks of 256 * 512 bytes = 45613056 B = 44544 kB = 43 MB
unknown string: [........]
partition name = [DBDATAFS........................]
file name = [dbdata.rfs......................................................]
Partition #11
Usual content: cache.rfs
partition entry type: 0 0 (normal partition)
ID = 0x18; flags = 0x2 (rfs file system); unknown: 0
size = 140 blocks of 256 * 512 bytes = 18350080 B = 17920 kB = 17 MB
unknown string: [........]
partition name = [CACHE...........................]
file name = [cache.rfs.......................................................]
Partition #12
Usual content: modem.bin
partition entry type: 0 0 (normal partition)
ID = 0x8; flags = 0; unknown: 0
size = 64 blocks of 256 * 512 bytes = 8388608 B = 8192 kB = 8 MB
unknown string: [........]
partition name = [MODEM...........................]
file name = [modem.bin.......................................................]
Partition #13
Usual content: Unknown
partition entry type: 0 2 (unknown value)
ID = 0; flags = 0x1; unknown: 0
size = 0 blocks of 0 * 512 bytes = 0 B = 0 kB = 0 MB
unknown string: [l.e. .(.]
partition name = [MOVINAND..)...*...p.i.t.........]
file name = [movinand.mst........D.:.\.2.4.....P.1.\.4... .S.M.D. .i.m.a.g.e.]
Partition #14
Usual content: Unknown
partition entry type: 1 1 (past-the-end marker)
ID = 0x8; flags = 0; unknown: 0
size = 0 blocks of 0 * 512 bytes = 0 B = 0 kB = 0 MB
unknown string: [........]
partition name = [................................]
file name = [................................................................]
I want to flash the Euro firmware (I'm back in Europe right now) by flashing P1000XWJJ4 (and then flash P1000XXJK5 on top). The P1_add_hidden.pit reads:
Code:
$ ./PITinfo P1_add_hidden.pit
Contents of PIT file:P1_add_hidden.pit
---------------------------------------------------------------------------
file magic = 0x12349876 (expected value)
Unknown data: 0x1 0 0x411e17 0x12fae0 0x43d800
Number of partitions = 15 (not the usual value)
Partition #1
Usual content: boot.bin, the primary boot loader (low-level hardware initialization)
partition entry type: 0 0 (normal partition)
ID = 0; flags = 0; unknown: 0
size = 1 blocks of 256 * 512 bytes = 131072 B = 128 kB = 0 MB
unknown string: [........]
partition name = [IBL+PBL.........................]
file name = [boot.bin........................................................]
Partition #2
Usual content: partition information table (PIT)
partition entry type: 0 0 (normal partition)
ID = 0x1; flags = 0; unknown: 0
size = 1 blocks of 256 * 512 bytes = 131072 B = 128 kB = 0 MB
unknown string: [........]
partition name = [PIT.............................]
file name = [................................................................]
Partition #3
Usual content: efs.rfs
partition entry type: 0 0 (normal partition)
ID = 0x14; flags = 0x2 (rfs file system); unknown: 0
size = 40 blocks of 256 * 512 bytes = 5242880 B = 5120 kB = 5 MB
unknown string: [........]
partition name = [EFS.............................]
file name = [efs.rfs.........................................................]
Partition #4
Usual content: Sbl.bin, the secondary boot loader (loads linux kernel)
partition entry type: 0 0 (normal partition)
ID = 0x3; flags = 0; unknown: 0
size = 5 blocks of 256 * 512 bytes = 655360 B = 640 kB = 0 MB
unknown string: [........]
partition name = [SBL.............................]
file name = [sbl.bin.........................................................]
Partition #5
Usual content: backup of secondary boot loader
partition entry type: 0 0 (normal partition)
ID = 0x4; flags = 0; unknown: 0
size = 5 blocks of 256 * 512 bytes = 655360 B = 640 kB = 0 MB
unknown string: [........]
partition name = [SBL2............................]
file name = [sbl.bin.........................................................]
Partition #6
Usual content: param.lfs /mnt/.lfs j4fs
partition entry type: 0 0 (normal partition)
ID = 0x15; flags = 0x2 (rfs file system); unknown: 0
size = 20 blocks of 256 * 512 bytes = 2621440 B = 2560 kB = 2 MB
unknown string: [........]
partition name = [PARAM...........................]
file name = [param.lfs.......................................................]
Partition #7
Usual content: zImage, the linux kernel
partition entry type: 0 0 (normal partition)
ID = 0x6; flags = 0; unknown: 0
size = 30 blocks of 256 * 512 bytes = 3932160 B = 3840 kB = 3 MB
unknown string: [........]
partition name = [KERNEL..........................]
file name = [zImage..........................................................]
Partition #8
Usual content: recovery.bin, the backup copy of zImage/initramfs
partition entry type: 0 0 (normal partition)
ID = 0x7; flags = 0; unknown: 0
size = 30 blocks of 256 * 512 bytes = 3932160 B = 3840 kB = 3 MB
unknown string: [........]
partition name = [RECOVERY........................]
file name = [zImage..........................................................]
Partition #9
Usual content: factoryfs.rfs
partition entry type: 0 0 (normal partition)
ID = 0x16; flags = 0x2 (rfs file system); unknown: 0
size = 1320 blocks of 256 * 512 bytes = 173015040 B = 168960 kB = 165 MB
unknown string: [........]
partition name = [FACTORYFS.......................]
file name = [factoryfs.rfs...................................................]
Partition #10
Usual content: dbdata.rfs
partition entry type: 0 0 (normal partition)
ID = 0x17; flags = 0x2 (rfs file system); unknown: 0
size = 348 blocks of 256 * 512 bytes = 45613056 B = 44544 kB = 43 MB
unknown string: [........]
partition name = [DBDATAFS........................]
file name = [dbdata.rfs......................................................]
Partition #11
Usual content: cache.rfs
partition entry type: 0 0 (normal partition)
ID = 0x18; flags = 0x2 (rfs file system); unknown: 0
size = 140 blocks of 256 * 512 bytes = 18350080 B = 17920 kB = 17 MB
unknown string: [........]
partition name = [CACHE...........................]
file name = [cache.rfs.......................................................]
Partition #12
Usual content: modem.bin
partition entry type: 0 0 (normal partition)
ID = 0x8; flags = 0; unknown: 0
size = 64 blocks of 256 * 512 bytes = 8388608 B = 8192 kB = 8 MB
unknown string: [........]
partition name = [MODEM...........................]
file name = [modem.bin.......................................................]
Partition #13
Usual content: Unknown
partition entry type: 0 2 (unknown value)
ID = 0x3; flags = 0x1; unknown: 0
size = 0 blocks of 0 * 512 bytes = 0 B = 0 kB = 0 MB
unknown string: [l.e. .(.]
partition name = [HIDDEN.D..)...*...p.i.t.........]
file name = [hidden.rfs.t........D.:.\.2.4.....P.1.\.4... .S.M.D. .i.m.a.g.e.]
Partition #14
Usual content: Unknown
partition entry type: 1 1 (past-the-end marker)
ID = 0x8; flags = 0; unknown: 0
size = 0 blocks of 0 * 512 bytes = 0 B = 0 kB = 0 MB
unknown string: [........]
partition name = [................................]
file name = [................................................................]
Partition #15
Usual content: Unknown
partition entry type: 0 2 (unknown value)
ID = 0; flags = 0x1; unknown: 0
size = 0 blocks of 0 * 512 bytes = 0 B = 0 kB = 0 MB
unknown string: [........]
partition name = [MOVINAND........................]
file name = [movinand.mst....................................................]
But it seems like I can't flash movinand.mst with heimdall. Note that it is present in the P1000XWJJ4 firmware file. So I guess I'm better off going the VirtualBox->Win32->Odin route?

Compile on Mac OS X
I've just successfully compiled libusb and Heimdall on Mac OS X.
I needed to set an environment variable by hand so that the "configure" of Heimdall detected libusb:
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
Oh, and of course this source code modification is necessary for the Galaxy Tab to be supported:
main.cpp line 252:
if (unknown != 180 && unknown != 0 && unknown != 3)
Disclaimer: I haven't had time to try flashing anything yet.

I finally found the courage to flash my T-Mo US tab to Euro version. I made my own Franken-rom by combining P1000XWJJ4 with P1000XXJK5. Specifically, I
1. decompressed P1000XWJJ4.rar
2. took boot.bin, Sbl.bin, and dbdata.rfs from P1000XWJJ4/P1000XWJJ4_SERJJ2_XXJID/P1000XWJJ4-REV03-ALL-CL639474.tar.md5 (a tar archive despite the wrong ending)
3. decompressed P1000XXJK5.rar
4. took zImage, cache.rfs, factoryfs.rfs, modem.bin, and param.lfs from P1000XXJK5/P1000OXAJK5.tar
5. P1_20100909.pit
Then I rebooted my tab in download mode, plugged it into my PC's USB, and then flashed
Code:
$ ./heimdall flash --pit P1_20100909.pit --factoryfs factoryfs.rfs --cache cache.rfs --dbdata dbdata.rfs --boot boot.bin --secondary Sbl.bin --param param.lfs --kernel zImage --modem modem.bin
Heimdall, Copyright (c) 2010, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au
This software is provided free of charge. Copying and redistribution is
encouraged.
If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/
Claiming interface... Failed. Attempting to detach driver...
Claiming interface again... Success
Setting up interface... Success
Beginning session...
Handshaking with Loke... Success
Downloading device's PIT file...
PIT file download sucessful
Uploading factory filesytem
Factory filesytem upload successful
Uploading cache
Cache upload successful
Uploading data database
Data database upload successful
Uploading primary bootloader
Primary bootloader upload successful
Uploading secondary bootloader
Secondary bootloader upload successful
Uploading param.lfs
param.lfs upload successful
Uploading kernel
Kernel upload successful
Uploading modem
Modem upload successful
Ending session...
Rebooting device...
Re-attaching kernel driver...
I had my German SIM card in and after some booting I ended up with a perfectly working German-localized Euro tab. Switching the language back to US Englisch works fine, too.

Volker1 said:
But it seems like I can't flash movinand.mst with heimdall. Note that it is present in the P1000XWJJ4 firmware file.
Click to expand...
Click to collapse
It is also present in JK2. So I guess in the end you decided not to flash movinand.mst, right ? Unless you used Odin and Heimdall ?

daniel.weck said:
It is also present in JK2. So I guess in the end you decided not to flash movinand.mst, right ? Unless you used Odin and Heimdall ?
Click to expand...
Click to collapse
Alright it looks like you guys have found one more file that Heimdall is technically capable of flashing but doesn't implement. I presume I'm missing quite a few files that the protocol supports, at least that's what the following list of utilised file identifiers would seem to indicate:
Code:
enum
{
kFilePrimaryBootloader = 0x00,
kFileSecondaryBootloader = 0x03,
kFileKernel = 0x06,
kFileParamLfs = 0x15,
kFileFactoryFilesystem = 0x16,
kFileDatabaseData = 0x17,
kFileCache = 0x18
};
I can easily add support for movinand.mst if I can find out what file identifier it uses. Unfortunately I don't have a Galaxy Tab and I need access to one in order to find out.

It's zero, if we trust the output of the PIT reader utility:
http://forum.xda-developers.com/showpost.php?p=9471190&postcount=14
Benjamin Dobell said:
Alright it looks like you guys have found one more file that Heimdall is technically capable of flashing but doesn't implement. I presume I'm missing quite a few files that the protocol supports, at least that's what the following list of utilised file identifiers would seem to indicate:
Code:
enum
{
kFilePrimaryBootloader = 0x00,
kFileSecondaryBootloader = 0x03,
kFileKernel = 0x06,
kFileParamLfs = 0x15,
kFileFactoryFilesystem = 0x16,
kFileDatabaseData = 0x17,
kFileCache = 0x18
};
I can easily add support for movinand.mst if I can find out what file identifier it uses. Unfortunately I don't have a Galaxy Tab and I need access to one in order to find out.
Click to expand...
Click to collapse

Well 0 is the primary bootloader, so right now I'm not trusting it.
Does anyone have any idea what the contents of movinand.mst is? Because I just figured out how to flash the recovery partition directly.
EDIT: And the EFS.

Memory addresses/Memory Map for RAM, OneNAND, etc.

I am too dumb to find correct region... adresses...
But 2 ways...
1.
JTAG
Not solved yet...
2.
Via Command... + WinComm...
http://forum.xda-developers.com/showpost.php?p=12798324&postcount=3
Code:
[B]Memcpy[/B] address length
Example:
Memcpy 0x00000000 0x100
On U700 I can dump RAM on 0... but not on S8500...
Any suggestions?
Thanx.
Best Regards
Edit.:
Found in ELFs:
SDRAM_START_ADDR 0x20000000
SDRAM_END_ADDR 0x6CFFFFFF
See Screenshots. If Debug Level is Mid or High... but I don't understand, what my handset say to me...
On U700 in Debug Level Low possible to read something... on S8500 no success yet.
But maybe my fault.

Have you find the secret upload mode?
If you go to Fota in internals menu and Type something in there than bada crashes and you have got the upload mode (light bluascreen than only restart with key). but how to communicate with the device, i had not found any tool on the GSPN from samsung.

Try to memcpy RAM from 0x20000000 and 0x40000000 in S8500/8530.
Under the first one address you should find 128MB (0x8000000) of oneDRAM and under the second one 256MB (0x10000000) of SDRAM.

Rebellos said:
Try to memcpy RAM from 0x20000000 and 0x40000000 in S8500/8530.
Under the first one address you should find 128MB (0x8000000) of oneDRAM and under the second one 256MB (0x10000000) of SDRAM.
Click to expand...
Click to collapse
A small doubt:
http://dev.odroid.com/wiki/odroid-t/pds/FrontPage/s_blockdiagram.jpg
Does LPDDR1 corresponds to SDRAM?

jake792 said:
A small doubt:
http://dev.odroid.com/wiki/odroid-t/pds/FrontPage/s_blockdiagram.jpg
Does LPDDR1 corresponds to SDRAM?
Click to expand...
Click to collapse
SDRAM is kind of RAM, widely used in computers nowadays
http://en.wikipedia.org/wiki/Synchronous_dynamic_random_access_memory
LPDDR is subtype of SDRAM designed for mobile phones, that is Low-Power Ram.
I'm not sure if thats LPDDR1 or LPDDR2 in Waves.

Thanx.Also since total amount of ram is 384mb.. lesser availibility of free ram would be there.

Bump...
I have not managed problem to dump memory...
Maybe in RAM it is possible to catch some uncompressed data...
Thanx in advance.
Best Regards

Blub...
Problem 1 unsolved to read from handset via Command in bada:
Code:
[B]Memcpy[/B] address length
Memory Map...Partition Table etc. would be interesting for me in 2013...
Maybe start with Partition Table...
I need more space for apps_compressed.bin in bada 2 XXLA1...
Other ideas decrease for instance OSP partition... for test...
I have now access to edit direct in Binary Bootloader... aka boot_loader.mbn.
My skills to understand source or ELF files are very very EXTREME limited.
Maybe S8500 and S8530 have easy "partition Block" like partition.bin from S8600...
Thanx for reading.
Best Regards
Edit 1.
In ELF it is easier to find...
Code:
FLASH_MODEM_START_ADDR 0x00400000
FLASH_MODEM_END_ADDR 0x01100000
FLASH_CODE_START_ADDR 0x01100000
FLASH_CODE_END_ADDR (0x03100000+FLASH_FOTA_HOLE_RESERVED_SIZE)
FLASH_CODE_COMPRESS_START_OFFSET 0x800
Hmm.
Code:
01100000
I could check Little Endian... in boot_loader.mbn

XPKG5 need other addresses for RC1 and RC2
Also MBUKI...
I need this to identify addresses in Boot...
Best Regards

http://forum.xda-developers.com/showpost.php?p=20188325&postcount=369
Code:
// firmware qmd ver start addr max length
{ S8500v12 | BADA_APPS, 0x03050000, 0x01100000, 0x03500000 },
{ S8500v12 | BADA_RSRC1, 0x04070000, 0x04800000, 0x06F00000 },
{ S8500v12 | BADA_RSRCS, 0x04070000, 0x0B700000, 0x00F00000 },
{ S8530v12 | BADA_APPS, 0x03050000, 0x01300000, 0x03500000 },
{ S8530v12 | BADA_RSRC1, 0x04070000, 0x04A00000, 0x05000000 },
{ S8530v12 | BADA_RSRCS, 0x04070000, 0x09A00000, 0x00F00000 },
{ S8500v20 | BADA_APPS, 0x04020000, 0x01100000, 0x02000000 },
{ S8500v20 | BADA_RSRC1, 0x05020000, 0x05D00000, 0x05A00000 },
{ S8500v20 | BADA_RSRCS, 0x05020000, 0x03A00000, 0x02300000 },
{ S8530v20 | BADA_APPS, 0x04020000, 0x01300000, 0x02000000 },
{ S8530v20 | BADA_RSRC1, 0x05020000, 0x03600000, 0x04100000 },
{ S8530v20 | BADA_RSRCS, 0x05020000, 0x07700000, 0x01E00000 },
{ S8600 | BADA_APPS, 0x04020000, 0x08000000, 0x02000000 },
{ S8600 | BADA_RSRC1, 0x05020000, 0x0A200000, 0x03200000 },
{ S8600 | BADA_RSRCS, 0x05020000, 0x0D400000, 0x02800000 },
{ S7250D | BADA_APPS, 0x04020000, 0x00E00000, 0x01F00000 },
{ S7250D | BADA_RSRC1, 0x05020000, 0x02F00000, 0x01E00000 },
{ S7250D | BADA_RSRCS, 0x05020000, 0x04D00000, 0x01C00000 },
Perfect overview, very helpfull.
Big thanx b.kubica :good:
Best Regards

Memo to me...
Code:
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co..
Build On: Jun 8 2011 21:44:47
-----------------------------------------------------------
Re_partition: magic code(0x0)
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] OneNAND nMID=0xec : nDID=0x50
[PAM: ] --FSR_PAM_Init
fsr_bml_load_partition: pi->[B]nNumOfPartEntry = 7[/B]
partitions loading success
board partition information update.. source: 0x0
.Done.
read 1 units.
==== PARTITION INFORMATION ====
ID : *unknown id* (0x9)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : *unknown id* (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 7
===============================
ID : *unknown id* (0x1)
ATTR : RW SLC (0x1001)
FIRST_UNIT : 8
NO_UNITS : 796
===============================
ID : *unknown id* (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 804
NO_UNITS : 716
===============================
ID : *unknown id* (0x15)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1520
NO_UNITS : 372
===============================
ID : *unknown id* (0x17)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1892
NO_UNITS : 56
===============================
ID : *unknown id* (0x18)
ATTR : RW SLC (0x1001)
FIRST_UNIT : 1948
NO_UNITS : 56
===============================
It is possible to "identify" partitons on OneNAND via SBL from I9000 etc...
pi->nNumOfPartEntry = 7
bada Bootloader shows something like this:
Code:
[BM : ] FSR_BML_GetFullPartI() is completed
[BM : ] stPartI.nNumOfPartEntry : 7
[BM : ] 1th PartEntrt(nAttr:0x1002)(nID:0x0)
[BM : ] [1th] pPEntry->n1stVun : 1
[BM : ] [1th] [B]pPEntry->nNumOfUnits : 7[/B]
[BM : ] [1th] pPEntry->nLoadAddr : 0x0
+-------------------------------+
| Bootloader Shadowing FINISHED |
+-------------------------------+
Launch Image at 0x42480000
Catched via UART cable... + JTAG...
Will play little bit with
I9000_s1_odin_20100512.pit
and
I9000_s1_odin_20100803.pit
Tasks for 2014...
Learning more about Partitions...
Best Regards
Edit 1.
Short modified I9000_s1_odin_20100512.pit...
Code:
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
.Done.
read 1 units.
==== PARTITION INFORMATION ====
ID : IBL+PBL (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : PIT (0x1)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 1
===============================
ID : EF[COLOR="Red"]1[/COLOR] (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 2
NO_UNITS : 40
===============================
ID : SB[COLOR="Red"]1[/COLOR] (0x3)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 42
NO_UNITS : 5
===============================
ID : SBL[COLOR="Red"]1[/COLOR] (0x4)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 47
NO_UNITS : 5
===============================
ID : PARA[COLOR="Red"]1[/COLOR] (0x15)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 52
NO_UNITS : 20
===============================
ID : KERNE[COLOR="Red"]1[/COLOR] (0x6)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 72
NO_UNITS : 30
===============================
ID : RECOVER[COLOR="Red"]1[/COLOR] (0x7)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 102
NO_UNITS : 30
===============================
ID : FACTORYF[COLOR="Red"]1[/COLOR] (0x16)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 132
NO_UNITS : 1146
===============================
ID : DBDATAF[COLOR="Red"]1[/COLOR] (0x17)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1278
NO_UNITS : 536
===============================
ID : CACH[COLOR="Red"]1[/COLOR] (0x18)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1814
NO_UNITS : 140
===============================
ID : MODE[COLOR="Red"]1[/COLOR] (0xb)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1954
NO_UNITS : 50
===============================
RO I think should mean read only
RW = read/write
SLC and STL
NO_UNITS = Number of ... maybe... not sure

STL = Section Translation Layer (Google for BML FSR and BML STL by Samsung)
unit = 256kB or so
No idea what's SLC, "Single Level Cell" doesn't make much sense here
Probably answer is in there - https://github.com/supercurio/samsung_fsr

About SLC, etc, I wrote something about this here:
http://forum.xda-developers.com/showpost.php?p=33359041&postcount=6
I think the relevant info is in the links...

http://forum.xda-developers.com/showthread.php?t=816449
Found this usefull thread about PIT...
2014 I will play little bit Partition file PIT.
Ideas.
1.
Modifying PIT to 1 partition over the whole size... in my case 512 MB...
To write maxbe Fulldumps...
If this is nonsense during few Security limitations...
2.
Increasing first Partition to write 4 MB boot.bin... to solve this Security thingie...
http://forum.xda-developers.com/showthread.php?t=1250270
So maybe then bada Boot restoreable with SBL...
Summary...
Units seems Blocks... seems 256 KB size...
So I need instead 1 Unit... 16 for Partition 1...
Later more, I will try to "convert" this info from here now:
Code:
==== PARTITION INFORMATION ====
ID : *unknown id* (0x9)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
Taken from here:
http://forum.xda-developers.com/showpost.php?p=49033160&postcount=11
Best Regards
Edit 1.
So bada Partition table/info looks like this... S8500..
Little bit explained... later more
Code:
==========================
ID
ATTR
FIRST_UNIT 0
NO_UNITS 1
00000000-00040000
[B]256 KB[/B]
==========================
ID
ATTR
FIRST_UNIT 1
NO_UNITS 7
00040000-001C0000
1792 KB [B]2 MB[/B]
1835008 Byte
==========================
ID
ATTR
FIRST_UNIT 8
NO_UNITS 796
203776 KB [B]203 MB[/B]
208666624 Byte
==========================
ID
ATTR
FIRST_UNIT 804
NO_UNITS 716
183296 KB [B]183 MB[/B]
187695104 Byte
==========================
ID
ATTR
FIRST_UNIT 1520
NO_UNITS 372
95232 KB [B]95 MB[/B]
97517568 Byte
==========================
ID
ATTR
FIRST_UNIT 1892
NO_UNITS 56
14336 KB [B]14 MB[/B]
14680064 Byte
==========================
ID
ATTR
FIRST_UNIT 1948
NO_UNITS 56
14336 KB [B]14 MB[/B]
14680064 Byte
===========================

Code:
<6>Scanning device for bad blocks
<7>onenand_bbt_wait: ecc 0xaaaa ctrl 0x0400 intr 0x8080 addr1 0x92 addr8 0x0
<6>OneNAND eraseblock 146 is an initial bad block
<7>onenand_bbt_wait: ecc 0xaaaa ctrl 0x0400 intr 0x8080 addr1 0x5cc addr8 0x0
<6>OneNAND eraseblock 1484 is an initial bad block
<6>OneNAND eraseblock 2047 is an initial bad block
<5>Creating 11 MTD partitions on "(null)":
<5>0x00001f000000-0x00001f500000 : "nv_data"
<5>0x000000400000-0x000009800000 : "fw_block"
<5>0x000000400000-0x000000600000 : "dbl"
<5>0x000000600000-0x000001380000 : "amss"
<5>0x000001300000-0x000003600000 : "apps"
<5>0x000003600000-0x000007700000 : "rsrc1"
<5>0x000007700000-0x000009500000 : "csc"
<5>0x000009500000-0x000009800000 : "fota"
<5>0x000009800000-0x000018f00000 : "stl1"
<5>0x000018f00000-0x00001ec00000 : "stl2"
<5>0x00001ec00000-0x00001f000000 : "secdata"
S8530 UART Log... with latest Android from volk204...
Later I will compare S8500...
Best Regards

S8530 SD-Version ZenDroKat
/proc/mtd
Code:
dev: size erasesize name
mtd0: 00500000 00040000 "nv_data"
mtd1: 09400000 00040000 "fw_block"
mtd2: 00200000 00040000 "dbl"
mtd3: 00d80000 00040000 "amss"
mtd4: 02300000 00040000 "apps"
mtd5: 04100000 00040000 "rsrc1"
mtd6: 01e00000 00040000 "csc"
mtd7: 00300000 00040000 "fota"
mtd8: 0f700000 00040000 "stl1"
mtd9: 05d00000 00040000 "stl2"
mtd10: 00400000 00040000 "secdata"
/proc/partitions
Code:
major minor #blocks name
31 0 5120 mtdblock0
31 1 151552 mtdblock1
31 2 2048 mtdblock2
31 3 13824 mtdblock3
31 4 35840 mtdblock4
31 5 66560 mtdblock5
31 6 30720 mtdblock6
31 7 3072 mtdblock7
31 8 252928 mtdblock8
31 9 95232 mtdblock9
31 10 4096 mtdblock10
253 0 488284 zram0
179 0 1912832 mmcblk0
179 1 602112 mmcblk0p1
179 2 401408 mmcblk0p2
179 3 909311 mmcblk0p3
179 16 1024 mmcblk0boot1
179 8 1024 mmcblk0boot0
179 24 15632384 mmcblk1
179 25 11330560 mmcblk1p1
179 26 18432 mmcblk1p2
179 27 563200 mmcblk1p3
179 28 3719168 mmcblk1p4

http://download.tizen.org/releases/daily/1.0/sbs/
Oh, about PIT...
Check content of file:
lutil.tar.gz
Attached...
Best Regards
Edit 1.
Oh, maybe this helps me to unterstand more...
PIT/XML files
=============
You can convert a PIT file to XML format as follows:
./pit2xml pit/SLP_ALL_Ver04.pit SLP_ALL_Ver04.xml
and back again:
./xml2pit SLP_ALL_Ver04.xml SLP_ALL_Ver04.pit
The relevant data in the file should remain the same.
The XML for SLP_ALL_Ver04.pit looks like this:
Click to expand...
Click to collapse
Edit 2.
According to this example:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<root>
<partition Name="ipl+recovery" FileName="ipl-recovery.bin" DeltaName="" BlockSize="256" BlockLength="2"/>
<partition Name="pit" FileName="pit" DeltaName="" ID="1" BlockSize="256" BlockLength="2"/>
<partition Name="csa" FileName="csa" DeltaName="" ID="2" BlockSize="256" BlockLength="32"/>
<partition Name="u-boot" FileName="u-boot-whdr.bin" DeltaName="" ID="3" BlockSize="256" BlockLength="4"/>
<partition Name="u-boot_bak" FileName="u-boot-whdr.bin" DeltaName="" ID="4" BlockSize="256" BlockLength="4"/>
<partition Name="params" FileName="params" DeltaName="" ID="5" BlockSize="256" BlockLength="4"/>
<partition Name="config" FileName="config" DeltaName="" ID="6" BlockSize="256" BlockLength="8"/>
<partition Name="kernel" FileName="uImage" DeltaName="" ID="7" BlockSize="256" BlockLength="28"/>
<partition Name="kernel_bak" FileName="uImage" DeltaName="" ID="8" BlockSize="256" BlockLength="28"/>
<partition Name="log" FileName="log" DeltaName="" ID="9" BlockSize="256" BlockLength="5"/>
<partition Name="modem" FileName="modem.img" DeltaName="" BinType="1" ID="10" BlockSize="256" BlockLength="64"/>
<partition Name="qboot" FileName="qboot" DeltaName="" ID="11" BlockSize="256" BlockLength="240"/>
<partition Name="UBI" FileName="ubi.img" DeltaName="" ID="12" Attribute="1" BlockSize="256" BlockLength="1627"/>
<partition Name="movinand" FileName="movinand.bin" DeltaName="" DevType="2" Attribute="1"/>
<partition Name="csc" FileName="rfs_part4.csc" DeltaName="" DevType="2" ID="4" Attribute="1"/>
</root>
I will try to "convert":
Code:
I9000_s1_odin_20100512.pit
I9000_s1_odin_20100803.pit
First by hand and my low brain...

Code:
===============================
ID : CACHE (0x18)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1814
NO_UNITS : [B]130[/B]
===============================
ID : MODEM (0xb)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1944
NO_UNITS : [B]60[/B]
===============================
Aha...
increased reserved space for AMSS... in:
I9000_s1_odin_20100512.pit
Need this for stupid tests... to start with patched SBL...
Best Regards

didn't they already understood and documented every possible part of pit file format?

didn't they already understood
Click to expand...
Click to collapse
Thanx for Link, never seen before...
No idea yet, how easy it is to use... for me.
At the moment for me it is easier to use my little brain + WinHex + example from Samsung Tizen team... in XML Format.
And I am on the older Stuff like I9000 PIT... OneNAND... not eMMC/moviNAND...
No Encryption...
Best Regards
Edit 1.
Short tested this:
http://jenkins.casual-dev.com/job/Analyze PIT File/build
Used this PIT from I9000...
I9000_s1_odin_20100512.pit
Code:
-----BEGIN PIT ANALYSIS-----
PIT Name: TA
PIT Parameter: àú
PIT Parameter: ØC
Entry Count: 13
File Type: 

--- Entry #0 ---
ID: 0 Partition Name: IBL+PBL param: S param: e param: r param: v param: e param: r param: \ param: 9 param: 0 param: \ param: T param: o
Filename: boot.bin param: i param: n param: n param: ; param: C param: : param: \ param: P param: r param: o param: g
Block Size: 1 (512B)
Block range: 256 - 256 (hex 0x100 - 0x100)
FilesystemType: 0 PartType: 0 DevType: 0 BinType: 0
Offset:6684783 Size: 2097268 FOTA: param: a param: m param: param: F param: i param: l param: e param: s param: \ param: E param: S param: T param: s param: o param: f
The IBL+PBL param: S param: e param: r param: v param: e param: r param: \ param: 9 param: 0 param: \ param: T param: o partition, identified as partition number 0, is 512B in size and carries a raw format. This partition resides on the Raw section of the AP undocumented. It identifies itself to Odin as boot.bin param: i param: n param: n param: ; param: C param: : param: \ param: P param: r param: o param: g.The partition carries a filesize of 2097268 and an offset of 6684783.
--- Entry #1 ---
ID: 1 Partition Name: PIT
Filename: param: ries.pit
Block Size: 1 (512B)
Block range: 256 - 256 (hex 0x100 - 0x100)
FilesystemType: 0 PartType: 0 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The PIT partition, identified as partition number 1, is 512B in size and carries a raw format. This partition resides on the Raw section of the AP undocumented. It identifies itself to Odin as param: ries.pit.
--- Entry #2 ---
ID: 20 Partition Name: EFS
Filename: efs.rfs
Block Size: 40 (20.5kB)
Block range: 256 - 295 (hex 0x100 - 0x127)
FilesystemType: 0 PartType: 2 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The EFS partition, identified as partition number 20, is 20.5kB in size and carries a raw format. This partition resides on the Bootloader section of the AP undocumented. It identifies itself to Odin as efs.rfs.
--- Entry #3 ---
ID: 3 Partition Name: SBL
Filename: sbl.bin
Block Size: 5 (2.6kB)
Block range: 256 - 260 (hex 0x100 - 0x104)
FilesystemType: 0 PartType: 0 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The SBL partition, identified as partition number 3, is 2.6kB in size and carries a raw format. This partition resides on the Raw section of the AP undocumented. It identifies itself to Odin as sbl.bin.
--- Entry #4 ---
ID: 4 Partition Name: SBL2
Filename: sbl.bin
Block Size: 5 (2.6kB)
Block range: 256 - 260 (hex 0x100 - 0x104)
FilesystemType: 0 PartType: 0 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The SBL2 partition, identified as partition number 4, is 2.6kB in size and carries a raw format. This partition resides on the Raw section of the AP undocumented. It identifies itself to Odin as sbl.bin.
--- Entry #5 ---
ID: 21 Partition Name: PARAM
Filename: param.lfs
Block Size: 20 (10.2kB)
Block range: 256 - 275 (hex 0x100 - 0x113)
FilesystemType: 0 PartType: 2 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The PARAM partition, identified as partition number 21, is 10.2kB in size and carries a raw format. This partition resides on the Bootloader section of the AP undocumented. It identifies itself to Odin as param.lfs.
--- Entry #6 ---
ID: 6 Partition Name: KERNEL
Filename: zImage
Block Size: 30 (15.4kB)
Block range: 256 - 285 (hex 0x100 - 0x11d)
FilesystemType: 0 PartType: 0 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The KERNEL partition, identified as partition number 6, is 15.4kB in size and carries a raw format. This partition resides on the Raw section of the AP undocumented. It identifies itself to Odin as zImage.
--- Entry #7 ---
ID: 7 Partition Name: RECOVERY
Filename: zImage
Block Size: 30 (15.4kB)
Block range: 256 - 285 (hex 0x100 - 0x11d)
FilesystemType: 0 PartType: 0 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The RECOVERY partition, identified as partition number 7, is 15.4kB in size and carries a raw format. This partition resides on the Raw section of the AP undocumented. It identifies itself to Odin as zImage.
--- Entry #8 ---
ID: 22 Partition Name: FACTORYFS
Filename: factoryfs.rfs
Block Size: 1146 (586.8kB)
Block range: 256 - 1401 (hex 0x100 - 0x579)
FilesystemType: 0 PartType: 2 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The FACTORYFS partition, identified as partition number 22, is 586.8kB in size and carries a raw format. This partition resides on the Bootloader section of the AP undocumented. It identifies itself to Odin as factoryfs.rfs.
--- Entry #9 ---
ID: 23 Partition Name: DBDATAFS
Filename: dbdata.rfs
Block Size: 536 (274.4kB)
Block range: 256 - 791 (hex 0x100 - 0x317)
FilesystemType: 0 PartType: 2 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The DBDATAFS partition, identified as partition number 23, is 274.4kB in size and carries a raw format. This partition resides on the Bootloader section of the AP undocumented. It identifies itself to Odin as dbdata.rfs.
--- Entry #10 ---
ID: 24 Partition Name: CACHE
Filename: cache.rfs
Block Size: 140 (71.7kB)
Block range: 256 - 395 (hex 0x100 - 0x18b)
FilesystemType: 0 PartType: 2 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The CACHE partition, identified as partition number 24, is 71.7kB in size and carries a raw format. This partition resides on the Bootloader section of the AP undocumented. It identifies itself to Odin as cache.rfs.
--- Entry #11 ---
ID: 11 Partition Name: MODEM
Filename: modem.bin
Block Size: 50 (25.6kB)
Block range: 256 - 305 (hex 0x100 - 0x131)
FilesystemType: 0 PartType: 0 DevType: 0 BinType: 0
Offset:0 Size: 0 FOTA:
The MODEM partition, identified as partition number 11, is 25.6kB in size and carries a raw format. This partition resides on the Raw section of the AP undocumented. It identifies itself to Odin as modem.bin.
--- Entry #12 ---
[B]ID: 11 Partition Name:
Filename:
Block Size: 0 (0B)
Block range: 0 - -1 (hex 0x0 - 0xffffffff)
FilesystemType: 0 PartType: 0 DevType: 1 BinType: 1
Offset:0 Size: 0 FOTA:
The partition, identified as partition number 11, is 0B in size and carries a raw format. This partition resides on the Raw section of the CP NAND.
[/B]
-----END PIT ANALYSIS-----
Helpfull to understand maybe last few Bytes of PIT...
Anyway... output not 100 % correct, because Blocksize is 256 KB, instead 512 Byte...
Its the difference between eMCC/moviNAND versus OneNAND...

[Q] Question about amss.bin

Hello people,
Are there any tools for viewing and editing the amss.bin?

HEX Editor...
IDA...
Brain.
Best Regards

adfree said:
HEX Editor...
IDA...
Brain.
Best Regards
Click to expand...
Click to collapse
with revskill i got this with amss.bin
#define UNLOADED_FILE 1
#include <idc.idc>
static main() {
MakeName(0x00079B70, "Memcmp");
MakeName(0x00062160, "Memcpy");
MakeName(0x0022E924, "Memcpy");
MakeName(0x0006216B, "Memcpy_Generic");
MakeName(0x0022E92F, "Memcpy_Generic");
MakeName(0x000621D0, "__rt_udiv");
MakeName(0x00079F8C, "__rt_udiv");
MakeName(0x00062334, "strlen");
MakeName(0x0007A2C4, "strlen");
MakeName(0x00070DB2, "diag_sp");
MakeName(0x00062298, "strcmp");
MakeName(0x0007A1D8, "strcmp");
MakeName(0x0007A360, "strncpy");
MakeName(0x00072502, "diag_pkt");
MakeName(0x00062F00, "__rt_div0");
MakeName(0x0007D324, "__rt_div0");
MakeName(0x00062F10, "__32__rt_raise");
MakeName(0x0007F1F8, "__32__rt_raise");
MakeName(0x00ACC3A8, "rex_int_lock_32");
MakeName(0x00072330, "subsys_getid");
MakeName(0x0007A548, "vsprintf");
MakeName(0x00062004, "MemClr");
MakeName(0x0022E7C8, "MemClr");
MakeName(0x000725CC, "diag_subsystem");
MakeName(0x0006EC72, "diag_hdlr");
MakeName(0x000726D2, "diag_hdlr");
MakeName(0x00083D86, "diag_hdlr");
MakeName(0x00085432, "diag_hdlr");
}
What about it ?

@Tigrouzen, no segment found at 0x00079B70 etc
amss it's regular elf with a bunch of segments
Code:
Name : LOAD
Start : 0x001E7000
End : 0x001EE000
Length: 0x00007000
----------------------
Name : LOAD
Start : 0x001F0000
End : 0x001F1000
Length: 0x00001000
----------------------
Name : LOAD
Start : 0x001F2000
End : 0x005D8000
Length: 0x003E6000
----------------------
Name : LOAD
Start : 0x005D8000
End : 0x00CDB000
Length: 0x00703000
----------------------
Name : LOAD
Start : 0x00CDB000
End : 0x00D11000
Length: 0x00036000
----------------------
Name : LOAD
Start : 0x00D11000
End : 0x00DAF000
Length: 0x0009E000
----------------------
Name : LOAD
Start : 0x00DAF000
End : 0x00DB9000
Length: 0x0000A000
----------------------
Name : LOAD
Start : 0x00DB9000
End : 0x00E9B000
Length: 0x000E2000
----------------------
Name : LOAD
Start : 0x00E9C000
End : 0x01BF9000
Length: 0x00D5D000
----------------------
Name : LOAD
Start : 0x01BF9000
End : 0x01D05000
Length: 0x0010C000
----------------------
Name : LOAD
Start : 0x01FF0000
End : 0x01FF006C
Length: 0x0000006C
----------------------
Name : LOAD
Start : 0xB0000000
End : 0xB0010CE7
Length: 0x00010CE7
----------------------
Name : LOAD
Start : 0xB0040000
End : 0xB0057000
Length: 0x00017000
----------------------
Name : LOAD
Start : 0xB0100000
End : 0xB0107207
Length: 0x00007207
----------------------
Name : LOAD
Start : 0xB0140000
End : 0xB01401B8
Length: 0x000001B8
----------------------
Name : LOAD
Start : 0xB0200000
End : 0xB0208CF3
Length: 0x00008CF3
----------------------
Name : LOAD
Start : 0xB0240000
End : 0xB024028C
Length: 0x0000028C
----------------------
Name : LOAD
Start : 0xB0400000
End : 0xB040DBE8
Length: 0x0000DBE8
----------------------
Name : LOAD
Start : 0xB0600000
End : 0xB0602000
Length: 0x00002000
----------------------
Name : LOAD
Start : 0xB0602000
End : 0xB0604000
Length: 0x00002000
----------------------
Name : LOAD
Start : 0xF0000000
End : 0xF001F878
Length: 0x0001F878
----------------------
Name : LOAD
Start : 0xF0020000
End : 0xF0026000
Length: 0x00006000
load amss.bin with TriX, dump decoded stage (elf format) and analyze with disassembler (e.g. IDA)

Ok guys i extract certificate from Amss S8530 XEJL2, bootloader segments full info fsbl sbl...
Also i can dump complete NAND and find segment and algorith for RC1 too
This is appscompressed.bin algorythme
0x01ca7750 RIPEMD128+160+MD4
0x01ca7750 SEAL+MD4 key
appcomp hash :
SHA1 : EB55C6690ACAF40BB2F845313F58BFE9C3BC529D
SHA224 : AAC3E2B65CC9F33BB7EDDA3DEB541CA9E8919422CC179B4D2B49F39BAE008F00
SHA256 : 580D3DB21E41A9FE588AE544266040FABA8AF044E739971E77F2B1272323D0B6
SHA256-HTC : A44BC029D7F952750003D9695ED7B464E446D34EEF5BD9665487E4C2BF81F669
MD4 : B3BD8310FF2C4C05E2044FD491814792
MD5 : 7220779D1094C5F7789094DC75BA4E9E
CRC16 (0x1189) : F4EA
CRC30 (Block: 0x1000, Page: 0x200) : 0BD214AA
CRC30 (Block: 0x2000, Page: 0x400) : 0A28A17A
CRC32 (0xEDB88320) : 313F4EF2
CRC32 (0x04C11DB7) : 90B01704
CRC32 HTC (0xEDB88320) : B55B60A7
ECC Reed Solomon (parity 10) : 43702DA1FDAC4DB2023B
ECC BCH Micron 3 byte : 818144
ECC Hamming Toshiba (8 bit - 0x200 bytes) : C00FC3
ECC Hamming (8 bit - 0x200 bytes) : FF3CF3
ECC Hamming (16 bit - 0x200 bytes) : 3FCFFC
Amss algo :
0x0007fce0 CRC-16 norm
0x0007fee0 CRC-16 inv
0x0007f8e0 CRC-30
0x0007eb50 CRC30 Function
0x00b66194 CRC-32
0x00b66394 CRC32 Function
0x000800e0 CRC-32 Xilinx
0x0007eb58 CRC32 Xilinx Function
0x000800e4 CRC32 Xilinx Function
0x00c3c490 DES RAW Spbox
0x00c39381 RSA PKCS SHA1/RIPEND Digest
0x00c39390 MD2 S
0x00463548 SHA2 table
0x008fcc88 SHA2 table
0x00b6eb14 ZDeflate
0x0041a28c SHA1+MD4+MD5 init
0x008fcb08 SHA1+MD4+MD5 init
0x00c3d7f8 SHA1+MD4+MD5 init
0x0041a29c SHA1+MD4+MD5 key1
0x008fcb18 SHA1+MD4+MD5 key1
0x00c3d808 SHA1+MD4+MD5 key1
0x001a9844 SHA1+MD4+MD5 key2
0x0041ac1c SHA1+MD4+MD5 key2
0x008fcb1c SHA1+MD4+MD5 key2
0x001a9848 SHA1+MD4+MD5 key3
0x0041ac20 SHA1+MD4+MD5 key3
0x008fcb20 SHA1+MD4+MD5 key3
0x00463648 SHA2 init table
0x008fcd88 SHA2 init table
0x00c3d80c SHA2 init table
0x0046364c SHA2 init table
0x008fcd8c SHA2 init table
0x00c3d810 SHA2 init table
0x00419980 RIPEMD128+160+MD4
0x008fcaf8 RIPEMD128+160+MD4
0x00bdcca0 RIPEMD128+160+MD4
0x001a9844 MD5
0x0041ac1c MD5
0x008fcb1c MD5
0x00419980 SEAL+MD4 key
0x008fcaf8 SEAL+MD4 key
0x00bdcca0 SEAL+MD4 key
0x004fc7af HTC PUBLIC KEY
E9079DBB2452104990982132470BA20B7C795D1B4690B718B62FCD38D71D4E458FAF320374B89D5236C79BD57D2BA2D3508A4A605B0D48CB8CA5478BFE4D7D32AB0AE072BC367A9615F002D5023A617B422FEC1EF8DAD772D75E9C4F06EF624B864699A3F080D1B8E192B921D159852B2DC798F752B4F1FA529FF123D9963F73
0x00708134 Sober 128
0x00c3cd90 Sober 128 SBox
Possible algos little endian: 45
0x00315f6c AES te
Possible algos big endian: 1
Amss hash :
SHA1 : C59C5785E823E5E1CA9BE05DB6F55F8C8AC1BBA3
SHA224 : 5F50CED13C1204068E443919706B53D866271DAB1CFB5A9CB07A953CAE008F00
SHA256 : D86C7634FE07806D3B87701EC7F72F25DAAFAC7C40CA1D370C1ABA5840C091C0
SHA256-HTC : 120F70AECE78B8DCF69DCD79F020AB00AE17572123BA21274D6F6EE280774A09
MD4 : 7703DF5B1074392D4B91ECA23BAC9D92
MD5 : 22197F8AAD6A2CB4394E1B4E63EB843C
CRC16 (0x1189) : FAC5
CRC30 (Block: 0x1000, Page: 0x200) : 311AE4C7
CRC30 (Block: 0x2000, Page: 0x400) : 295DFC29
CRC32 (0xEDB88320) : 8DB21A34
CRC32 (0x04C11DB7) : 7B94B6A4
CRC32 HTC (0xEDB88320) : 08450BBC
ECC Reed Solomon (parity 10) : A04D69B134A126F3FD15
ECC BCH Micron 3 byte : 000000
ECC Hamming Toshiba (8 bit - 0x200 bytes) : FFFFFF
ECC Hamming (8 bit - 0x200 bytes) : FFFFFF
ECC Hamming (16 bit - 0x200 bytes) : FFFFFF
Amms certificat :
https://rapidshare.com/files/3061245812/1.cer

Well, the main idea was ..., to get some tools with which the amss.bin for bada v1.2 and v2 can be modified to work for the American/Australian version of the wave. Looks like there are some hardware differences and this file is containing information needed for the RF module.

Looks like there are some hardware differences and this file is containing information needed for the RF module
Click to expand...
Click to collapse
No idea if Hardware differences, but I'm pretty sure there are different Config/Calibration data...
Check out NV items... AMSS + NV items = Qualcomm related part...
http://www.samsunguniverse.com/forum/s8500-can-work-with-qualcomm-tools-t199.html
You could take an look on FCC documents for maybe Hardware check...
Best Regards

I think gambal refers to UMTS bands, Europe is different than in America.
UMTS bands in America are 850 - 1900
UMTS bands in Europe are 2100
bada 1.2 and above only works with Euro bands (these updates hasn't oficially released in America), so as we know the file "amss.bin" contains the parameters that define which bands to work, would be good to try to edit the information to compile a new "amss.bin" to work with American bands ..
Many Americans would be happy!

...would be good to try to edit the information to compile a new "amss.bin" to work with American bands ...
Click to expand...
Click to collapse
But you are really sure that not NV items differ?
Maybe easier to compare NV items...
Best Regards

You mean to compare amss NV items from a 1.0 American firmware and another 1.2 European firmware?
I was import to a .Qcn file a list of NV items of my mobile (bada 1.0 american), i will compare with another one of 1.2.
It's posible to create more NV items if is necesary?

sorry for double post.
i've compared NV items of my phone, first with a 1.0 american firmware then with a 1.2 European firmware..
EDIT: thought that there were no differences because the file size was identical, but looking more attentively i find some, i will continue researching,

You tried QPST or which Tool?
And are sure there are no differences?
I have 2x S8500... with QPST difference 10 NV items + one S8500 has 10 more
Content not checked... too lazy at this time.
Best Regards
Edit 1.
File Summary:
Phone Model: 19 [QSC6270/QSC6240], Configuration Name: default, Total NV Item Count: 305
Click to expand...
Click to collapse
File Summary:
Phone Model: 19 [QSC6270/QSC6240], Configuration Name: default, Total NV Item Count: 319
Click to expand...
Click to collapse
And these are only the "official" NV items... and not the hidden one...
Example...
Code:
NV item: [B]2608[/B] [NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I], index 0
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 0: 12 3d fc ff 9c 3c fc ff 26 3c fc ff b0 3b fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 1: 34 3b fc ff af 3a fc ff 2a 3a fc ff a6 39 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 2: 22 39 fc ff 9f 38 fc ff 0c 38 fc ff 65 37 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 3: be 36 fc ff 18 36 fc ff 73 35 fc ff ce 34 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 4: 2a 34 fc ff 87 33 fc ff e5 32 fc ff 43 32 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 5: a2 31 fc ff 01 31 fc ff 61 30 fc ff c2 2f fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 6: 23 2f fc ff 85 2e fc ff 85 2e fc ff 85 2e fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 7: 85 2e fc ff 85 2e fc ff 85 2e fc ff 85 2e fc ff

sorry for my english, I mean to say that i find some differences..
between 2 firmwares, I find 40 differents NV items using "RF NV items Manager" program.
Example:
European 1.2 Firm:
Code:
NV item: 5059 [NV_WCDMA_2100_TX_LIN_MASTER_0_ENH_I], index 0
NV item: 5061 [NV_WCDMA_900_TX_PDM_LIN_0_ENH_I], index 0
American 1.0 Firm:
Code:
NV item: 5064 [NV_WCDMA_1900_TX_PDM_LIN_0_ENH_I], index 0
NV item: 5060 [NV_WCDMA_800_TX_PDM_LIN_0_ENH_I], index 0
(it's look like these items manage the umts network)
This are 2 items of 40 that I find.. So, I imported all 40 1.0 American Firmware Nv Items to the 1.2 Euro Firmwared Phone, (using previous modified .QCN file) then, i restart the device, but nothing happen, still no find UMTS network... But i want believe that we are close to find the solution
If I use PSAS to Display the new added NV items, these appear as "inactive item" and those already on the phone appears lile "bad parameter"
not know what else I can try...

Even if NV items count is different. Dump of NV area will be always the same in size. Area in oneNAND reserved for NV data is constant, and in most it's just empty space, filled with zeros.

Is it possible to dump whole NV items list using QPST? Can you guys do that and send dumps to me?
If not please search for following NV items and send me values you get (if you get any)
Int id 556
Int id 5
Int id 7
Int id 1403
String id 254
String id 387
String id 388
String id 256
String id 197
I want to prove some theory just taken from Bada kernel and need few different values to compare. These should contain Timezone, Locale and SimBlock settings. (If these NV items are even available)
Please send me PMs with dumps if you get any. Thanks in advance.

Tell me when you are ready "amms.bin" to "bada 2.0" so I can put it on my phone. I'm from Argentina. Thank you very much!

Rebellos said:
Int id 556
Int id 5
Int id 7
Int id 1403
Click to expand...
Click to collapse
With "PSAS" display "Inactive Item", and with "RV NV item manager" i don't these id's..
@adfree
Hey, if I wrote in phone (with "RV NV item manager") some NV items, is not take any effect... does exist another step to "activate" these items or some? maybe in Stune have to add any parameter? or maybe the "QPST Service program" tool..
I have fear of breaking the handset really... I just wan't to calibrate the UMTS bands, need these:
WCDMA_II_PCS_1900
WCDMA_V_850

http://forum.xda-developers.com/showpost.php?p=12436452&postcount=1
Other way to access NV items.
Now you can backup with sTune for instance... folders:
Code:
[B]NV
nvm[/B]
EXTREME Caution!
Some IDs are protected... so you can maybe write/activate, but not easily remove change = brick...
Best Regards

a little question..
there is a firmware of S8530 which has bada 1.2 and 850/900/2100Mhz 3g bands capable... there are firmwares prepared for Brazil and Australia.
it's posible to flash that amss.bin in a S8500 with bada 1.2?
I tried this, but the bootloader says "error erase amms"

amss.bin in a S8500 with bada 1.2?
Click to expand...
Click to collapse
If I remember correct, then yes...
Maybe not all combinations...
BUT check Multiloader ... adresses are different...
So you have to edit...
Later more.
Maybe give Link to this S8530 Firmware, so I can take an look or try for you...
Best Regards

[FFU][UPE-DEV]Structure Full Flash Update Image for WP7 Devices

Structure Full Flash Update Image (.FFU) for Windows Phone 7 Device
Full Flash Update - This is a System Flash Image for update WP7 Device. We upgrade this OS, example in tool UpdateWP.exe(from Zune catalog in PC).
In Part SDLR, from general ROM structure, we have too more files and modules, which reads the image system and its syntax.
Physical Flash Layout:
HashTable.blob
Partition Table Info
User Store Space
Bootloader/Modem -> (amss, fsbl, osbl, etc.)
SLDR
NK
IMGFS
User Store Space
Partition Table Info (ImageFlash) - example:
Code:
[FullFlash]
Version = 1.0
MigrateUserSettings = False
UpdateType = Normal
DevicePlatformID = {5B8F8B62-8E55-4531-8D70-15269B68C43E}
FormatUserStore = True
[BinaryRegion]
Size = 24924572
Name = Modem
[Store]
SectorSize = 2048
Name = OS
SectorCount = 479296
ID = {ACE7CC5C-5F30-474b-A662-989B9B9DBA90}
[Partition]
UsedSectors = 2590
Name = SLDR
PartitionType = 32
BootDataSize = 12
TotalSectors = 3136
TargetStore = {ACE7CC5C-5F30-474b-A662-989B9B9DBA90}
[Partition]
UsedSectors = 2540
Name = NK
PartitionType = 35
BootDataSize = 12
TotalSectors = 2944
TargetStore = {ACE7CC5C-5F30-474b-A662-989B9B9DBA90}
[Partition]
UsedSectors = 66059
Name = IMGFS
PartitionType = 37
TotalSectors = 70719
TargetStore = {ACE7CC5C-5F30-474b-A662-989B9B9DBA90}
More Information:
.ffu (Full Flash Update) file format (XML) will be used to pass information to the Zune software on which partitions are to be updated, etc. FFUs are signed just as .cabs are signed and only an .ffu which passes validation against the certificates on-device will be allowed to update a device.
Click to expand...
Click to collapse
Nokser

What does this mean?
Can install custom rom, downgrade bootloader?