Develop Bugs

[GUIDE] Extract .rfs files

I came from HTC Hero to the Samsung Galaxy S GT-I9000
So I had never problems with cooking something up, but in the Galaxy I faced .rfs files and a flashing tool I can't use on linux...
So I searched through some boards to find a way to extract the .rfs files here a working guide for the S I9000.
What you need
Linux (tested with Debian testing)
It's pretty simple, execute this commands as root on your computer
SHORT WAY (thanks to mimocan)
Code:
# mount -o loop factory.rfs /some_dir
LOOOONG WAY
Attatch the rfs file to the loop device
Code:
# losetup /dev/loop0 /somedir/factoryfs.rfs
Create a directory to mount the device
Code:
# mkdir /somedir/mnt
Mount the device
Code:
# mount /dev/loop0 /somedir/mnt
the content of the rfs is NOT saved on the sdcard! you have to copy it!
Now you can copy the content from the /sdcard/tmp directory to the sdcard
Code:
# cp -R /somedir/mnt /somedir/factoryfs
hope this is helpful for someone

Code:
#mount -o loop factory.rfs /some_dir
should do the same

This works because rfs is based on vfat.
But have you ever tried this on cache.rfs or dbdata.rfs?
The mounted folder is empty. The cache.rfs in my case was around 1.2 mb.
Maybe the 1.2 mb are journaling data rfs uses?
I also tried mounting cache.rfs and dbdata.rfs directly on my sgs without any luck.
Since the phone has built in rfs drivers it should be able to mount it.

psternx said:
This works because rfs is based on vfat.
But have you ever tried this on cache.rfs or dbdata.rfs?
The mounted folder is empty. The cache.rfs in my case was around 1.2 mb.
Maybe the 1.2 mb are journaling data rfs uses?
I also tried mounting cache.rfs and dbdata.rfs directly on my sgs without any luck.
Since the phone has built in rfs drivers it should be able to mount it.
Click to expand...
Click to collapse
If you open the cache.rfs or dbdata.rfs from a PDA build (tested I900XXJP3) in a hexeditor you will see they are empty, just the headers and a lot of zeros

Have you been able to modify something from a rfs file and save it?

Actually Cache.rfs file in CSC is a renamed update.zip. At least with a few firmwares I have tried. So just open it with, for example, 7-zip and you can browse the files.

deleted............

Tried to mount a cache.rfs and got a "Device or resource busy".
Then tried to open it trough MagicISO, and voilá, I got the CSC files I needed

Now im into modifying factoryfs.rfs and hoping you can give me some tips.
Alt1
mount -o loop factoryfs.rfs directory & Copy files to a new place and edit them but how to create a .rfs from that point?
Alt2
sudo mount -v -o rw,loop,uid=$UID factoryfs.rfs Directory
Edit the files , umount the .rfs . Mount it again but the the changes are gone.
How do you do it?
Thanks.

a-son said:
Now im into modifying factoryfs.rfs and hoping you can give me some tips.
Alt1
mount -o loop factoryfs.rfs directory & Copy files to a new place and edit them but how to create a .rfs from that point?
Alt2
sudo mount -v -o rw,loop,uid=$UID factoryfs.rfs Directory
Edit the files , umount the .rfs . Mount it again but the the changes are gone.
How do you do it?
Thanks.
Click to expand...
Click to collapse
for me, i'll definitelty mod it elsewhere

ykk_five said:
for me, i'll definitelty mod it elsewhere
Click to expand...
Click to collapse
Thanks for answer.
Alt 1 i suppose you mean. But how to create the .rfs ?

a-son said:
Thanks for answer.
Alt 1 i suppose you mean. But how to create the .rfs ?
Click to expand...
Click to collapse
yess!!!!
how to recompile the .rfs ?????

KBJ911 said:
yess!!!!
how to recompile the .rfs ?????
Click to expand...
Click to collapse
BUMP!
Actually some cache.rfs aren't simple renamed zipfiles, as they (i.e. multi-csc) also contains more stuff
So I loopmounted rw the vfat cache.rfs, extracted and modified the contained sec_csc.zip (this one IS an update.zip structured file...)
But when I put it inside, sync, unmount and mount again to verify stuff, I got a corrupted filesystem and a corrupted zip file.
Any clue to successfully modify contents of such .rfs ?

mopodo said:
I came from HTC Hero to the Samsung Galaxy S GT-I9000
So I had never problems with cooking something up, but in the Galaxy I faced .rfs files and a flashing tool I can't use on linux...
So I searched through some boards to find a way to extract the .rfs files here a working guide for the S I9000.
What you need
Linux (tested with Debian testing)
It's pretty simple, execute this commands as root on your computer
SHORT WAY (thanks to mimocan)
Code:
# mount -o loop factory.rfs /some_dir
LOOOONG WAY
Attatch the rfs file to the loop device
Code:
# losetup /dev/loop0 /somedir/factoryfs.rfs
Create a directory to mount the device
Code:
# mkdir /somedir/mnt
Mount the device
Code:
# mount /dev/loop0 /somedir/mnt
the content of the rfs is NOT saved on the sdcard! you have to copy it!
Now you can copy the content from the /sdcard/tmp directory to the sdcard
Code:
# cp -R /somedir/mnt /somedir/factoryfs
hope this is helpful for someone
Click to expand...
Click to collapse
Is there a way to convert it back to rfs?

@all
Is there a way to convert it back to rfs?

criskelo said:
@all
Is there a way to convert it back to rfs?
Click to expand...
Click to collapse
If you used the shortway # mount -o loop factory.rfs /some_dir
than you can modify the files in some_dir.
when finished simple un mount the some_dir and the files are saved in the factory.rfs
Then tar and md5 the factory.rfs and you can flash it with odin

in windows use "magiciso" to extract .rfs

lownoise said:
Then tar and md5 the factory.rfs and you can flash it with odin
Click to expand...
Click to collapse
I lost at there, what does that means?

From linux
fastcx said:
I lost at there, what does that means?
Click to expand...
Click to collapse
From the linux command line you have to use
tar -cf filename.tar factory.rfs
md5sum filename.tar >filename.tar.md5

If you have extracted it with MagicISO and now just want to create it back to factoryfs.rfs can I do this with Cygwin and what would the command line be?

Builing your own Ouya Kernel

Hi,
I made a tutorial explaining how to compile the ouya's kernel from scratch.
I made this tutorial because I needed to enable the nfs protocol versions 3 and 4 to use file shares from my Synology NAS. The ouya's kernel enabled by default only comes with version 2 and i had problems to mount my NFS shares.
Let's start. my english is not very good then ignore the grammatical errors.
Let's first download the required files. I'm on the premise that you have an ubuntu linux installed on your machine.
*** DOWNLOAD OUYA FIRMWARE ***
1. Open your browser and type:
https://devs.ouya.tv/api/firmware_builds
2. Search for a string like this:
http://cds.t2z5c2q6.hwcdn.net/ota/RC-OUYA-1.2.1084-r1_ota.zip (this is the latest version of ouya firmware)
3. Download it:
$ wget http://cds.t2z5c2q6.hwcdn.net/ota/RC-OUYA-1.2.1084-r1_ota.zip
2. Create a directory an put the file there:
$ mkdir ouyafiles
4. unzip it:
$ unzip RC-OUYA-1.2.1084-r1_ota.zip
5. Now you have a lot of files and directories. We need only one. The name of file is: boot.img. We need to unzip this file to retrieve the ramdisk file that will be needed along with the compiled kernel. For this we need to download the following perl script:
$ wget http://www.enck.org/tools/split_bootimg_pl.txt
5. Rename the script and change the permissions to execute:
$ mv split_bootimg_pl.txt split_bootimg.pl
$ chmod 755 split_bootimg.pl
6. Run this command to unpack the file:
$ ./split_bootimg.pl boot.img
7. Now you have 2 files: boot.img-kernel and boot.img-ramdisk.gz. We only need the boot.img-ramdisk.gz. Lets unzip this again and rename the unzipped file:
$ gzip -dc ../boot.img-ramdisk.gz | cpio -i
$ mv boot.img-ramdisk ramdisk
8. OK. Now you have this file. We will use it later in the tutorial.
*** DOWNLOAD ANDROID NDK ***
1. Open the Browser and paste this URL: http://developer.android.com/tools/sdk/ndk/index.html
2. Download the Linux 64-bit (x86) package file:
$ wget http://dl.google.com/android/ndk/android-ndk-r9d-linux-x86_64.tar.bz2
3. Unzip it:
$ tar -jxvf android-ndk-r9d-linux-x86_64.tar.bz2
4. Rename the unzipped directory to "ndk":
$ mv android-ndk-r9d ndk
5. Load the environment variables:
$ export CROSS_COMPILE=/your_home_directory/ndk/toolchains/arm-linux-androideabi-4.6/prebuilt/linux-x86_64/bin/arm-linux-androideabi-
$ export ARCH=arm
Obs.: (remember the /your_home_directory/ is the default home directory that you user in linux uses to work).
*** DOWNLOAD THE OUYA KERNEL SOURCE ***
1. Open your browser and go to this URL:
https://github.com/ouya/ouya_1_1-kernel
2. In the right side of the page you will have a download button called "Download ZIP". Click and Download it.
3. Unpack it and rename the unzipped directory to "kernel"
4. Maybe the /kernel/drivers/pci/Kconfig file will corrupt before unzip the file. Kconfig is a symbolic link. Remove it and Download again using the command inside the kernel/drivers/pci/ directory:
$ wget https://raw.githubusercontent.com/ouya/ouya_1_1-kernel/master/drivers/pci/Kconfig
6. Now you have the default ouya kernel for compile!
*** RECOVER .CONFIG FILE FROM OUYA ***
1. You need to retrieve a file that is in ouya. To retrieve the file you need install the package android-tools-adb. use the following command:
$ sudo apt-get install android-tools-adb
2. Now you have to connect your ouya via usb. By default your ouya don't enable adb. You need to go to DEVELOPMENT screen on your ouya and enable “ADB: ON”.
3. Fine. Now test if the adb is connecting. Try this commands:
$ adb start-server
$ adb devices (this will show something like this “1234567890ABCDEF device”)
PS.: if no devices appears... you need to search in the internet about “how to use adb to connect android devices”
4. Now you will pull the config file:
$ adb pull /proc/config.gz config.gz (this will pull config.gz to your computer)
5. Unzip it and copy to kernel directory:
$ gunzip config.gz
$ cp config /your_home_directory/kernel/.config
6. Now your kernel is ready to compile. We're ensuring that the standards are consistent settings. From now on it is your responsibility to enable and disable kernel configurations.
*** REBUILDING KERNEL ***
1. Go to Kernel Directory:
$ cd /your_home_directory/kernel/
2. Make sure to run the environment variables CROSS_COMPILE and ARCH described above in the tutorial.
$ export CROSS_COMPILE=/your_home_directory/ndk/toolchains/arm-linux-androideabi-4.6/prebuilt/linux-x86_64/bin/arm-linux-androideabi-
$ export ARCH=arm
3. Use this command to change some settings:
$ make menuconfig
4. Use this command to build the kernel after you change your new settings:
$ make
5. Some warnings will display in your console... its normal.
6. if the process run ok you 'll have a bzImage file under the directory kernel/arch/arm/boot
7. copy this file to the same directory where you store the ramdisk file.
*** UPLOAD THE NEW KERNEL AND THE RAMDISK TO OUYA ***
1. You will need to install the fastboot on linux using this command:
$ apt-get install android-tools-fastboot
2. Now you have to reboot your device in bootloader mode:
$ adb reboot-bootloader
3. You can check if you devices enters in this mode using this command:
$ fastboot devices
4. If it works. You can upload your new kernel and the default ramdisk:
$ fastboot flash:raw boot ./zImage ./ramdisk
The system should now boot with your custom kernel installed!

*** DOWNLOAD OUYA FIRMWARE ***
$ mv boot.img-ramdisk ramdisk
Click to expand...
Click to collapse
Why do we need this? Can't we simply copy it from an existing OUYA machine?
ndk/toolchains/arm-linux-androideabi-4.6/prebuilt/linux-x86_64/bin/arm-linux-androideabi-
Click to expand...
Click to collapse
The current android-ndk-r10e only has androideabi-4.8 and androideabi-4.9. Can I use them, too?
Edit: I got an error ("unknown CPU architecture") with android-ndk-r10e and arm-linux-androideabi-4.8 so I used android-ndk-r9d with arm-linux-androideabi-4.6, and that worked.
6. if the process run ok you 'll have a bzImage file
Click to expand...
Click to collapse
It's actually a zImage file (without the b).
Thank you so much for the tutorial!

Setting up a self-signed (restrictive) recovery for self-signed ROMs

Has anyone installed self signed ROMs using the method described in this blog http://mjg59.dreamwidth.org/31765.html? The goal is to install a self signed image that allows you to only install images signed by a key you generate yourself to avoid the giant security hole caused by custom recoveries that don't check signatures.
Here's the overview :
First: Unlock your bootloader. /data will be wiped.
Second: Get a copy of the stock recovery.img for your device.
Third: Grab mkbootimg from here and build it. Run unpackbootimg against recovery.img.
Fourth: Generate some keys. Get this script and run it.
Fifth: zcat recovery.img-ramdisk.gz | cpio -id to extract your recovery image ramdisk. Do this in an otherwise empty directory.
Sixth: Get DumpPublicKey.java from here and run it against the .x509.pem file generated in step 4. Replace /res/keys from the recover image ramdisk with the output. Include the "v2" bit at the beginning.
Seventh: Repack the ramdisk image (find . | cpio -o -H newc | gzip > ../recovery.img-ramdisk.gz) and rebuild recovery.img with mkbootimg.
Eighth: Write the new recovery image to your device
Ninth: Get signapk from here and build it. Run it against the ROM you want to sign, using the keys you generated earlier. Make sure you use the -w option to sign the whole zip rather than signing individual files.
Tenth: Relock your bootloader
Eleventh: Boot into recovery mode and sideload your newly signed image.
Click to expand...
Click to collapse
I have the 8" Tab (SM-T310) and want to try it. Anyone know if there's an official source of stock recovery images? I have the 4.4.2 update.zip from an OTA update I never installed (my tablet's still on stock 4.2.2), can the recovery somehow be extracted from that? Since I'm still on 4.2.2, I don't need to unlock the bootloader, right? Can I use Heimdall to put the new recovery on the tab?

Here's my step by step if anyone else is crazy enough to try this.
First: Unlock your bootloader. /data will be wiped.
Click to expand...
Click to collapse
Skipped so far, running 4.2.2 which from what I've been reading I think isn't locked.
Second: Get a copy of the stock recovery.img for your device.
Click to expand...
Click to collapse
Grabbed the update from Kies (on Windows VM):
Agreed to Kies update when I plugged in the tablet.
Watched my temp folder (from windows search bar enter %temp%) until tmp*.tmp.zipfolder showed up (wait for tmp*.tmp file to download and get converted to a zip, then it unzips into zipfolder automatically), unplugged the tablet immediately as it booted into download mode, copied tmp*.tmp.zipfolder somewhere else (desktop) before Kies cancelled the update process and deleted the temp files.
Third: Grab mkbootimg from here and build it. Run unpackbootimg against recovery.img.
Click to expand...
Click to collapse
Source is on github: osm0sis/mkbootimg From here on I'm using linux.
cd into mkbootimg folder and run "make"
run
Code:
./unpackbootimg -i recovery.img -o rec
(rec is the folder I unpacked to, make the folder first or it'll segfault)
Fourth: Generate some keys. Get this script and run it.
Click to expand...
Click to collapse
Saved script (posted below, can't post links yet...) to "make_key.sh", then
Code:
chmod +x make_key.sh
to make it executable.
Ran script, usage: /make_key.sh <name> <subject> [<keytype>]
subject must be in the format "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com" (look up "Create CSR using OpenSSL Without Prompt (Non-Interactive)" for what all that means)
Fifth: zcat recovery.img-ramdisk.gz | cpio -id to extract your recovery image ramdisk. Do this in an otherwise empty directory.
Click to expand...
Click to collapse
Make a directory, cd into it, run
Code:
zcat recovery.img-ramdisk.gz | cpio -id
with recovery.img-ramdisk.gz pointing to where your file is (mine was ../recovery.img-ramdisk.gz).
Sixth: Get DumpPublicKey.java from here and run it against the .x509.pem file generated in step 4. Replace /res/keys from the recover image ramdisk with the output. Include the "v2" bit at the beginning.
Click to expand...
Click to collapse
Not sure why he's using a different DumpPublicKey.java than the one that's in the mkbootimg git... but it's in the "libmincrypt/tools/DumpPublicKey.java" that was in the mkbootimg git, I didn't see any differences using diff.
Running
Code:
javac DumpPublicKey.java
tells me I need BouncyCastleProvider. And now I'm stuck.
Downloaded the Bouncy Castle jar and put it in the same folder as DumpPublicKey.java and ran
Code:
javac -cp bcprov-jdk15on-152.jar DumpPublicKey.java
echo "Main-Class: DumpPublicKey" > manifest.txt
jar cvfm DumpPublicKey.jar manifest.txt DumpPublicKey.java
Then running
Code:
java com.android.dumpkey.DumpPublicKey
gave me various class not found errors and I ended up with a file structure like this trying to make it find the bouncy castle. Annnnnd I'm stuck.
.
├── bcprov-jdk15on-152.jar
├── com
│** └── android
│**** └── dumpkey
│****** ├── bcprov-jdk15on-152.jar
│****** ├── DumpPublicKey.class
│****** ├── DumpPublicKey.jar
│****** ├── DumpPublicKey.java
│****** └── manifest.txt
├── DumpPublicKey.class
├── DumpPublicKey.java
└── manifest.txt
I obviously don't know how to java at all.... any suggestions?

I just needed to put the "-cp" in the java command as well as the javac command.
Code:
java -cp .:./bcprov-jdk15on-152.jar com.android.dumpkey.DumpPublicKey
The full command is
Code:
java -cp .:./bcprov-jdk15on-152.jar com.android.dumpkey.DumpPublicKey /path/to/key.x509.pem > keys
After deleting stuff and testing, I found I only needed files in these locations:
.
├── bcprov-jdk15on-152.jar
├── com
│** └── android
│** └── dumpkey
│** ├── DumpPublicKey.class
│** └── DumpPublicKey.jar
├── DumpPublicKey.java
└── manifest.txt
Then I replaced the "/res/keys" file with the "keys" file I just made.
Seventh: Repack the ramdisk image (find . | cpio -o -H newc | gzip > ../recovery.img-ramdisk.gz) and rebuild recovery.img with mkbootimg.
Click to expand...
Click to collapse
From the folder that the ramdisk image was extracted into, run
Code:
find . | cpio -o -H newc | gzip > ../recovery.img-ramdisk.gz
mkbootimg needs offsets that were printed when I ran unpackbootimg:
BOARD_KERNEL_CMDLINE
BOARD_KERNEL_BASE 10000000
BOARD_NAME
BOARD_PAGE_SIZE 2048
BOARD_KERNEL_OFFSET 00008000
BOARD_RAMDISK_OFFSET 01000000
BOARD_TAGS_OFFSET 00000100
Still in the folder where I unpacked the recovery image (mkbootimg is one directory up)
Code:
../mkbootimg --kernel recovery.img-zImage --ramdisk recovery.img-ramdisk.gz --base 10000000 --pagesize 2048 --kernel_offset 00008000 --ramdisk_offset 01000000 --tags_offset 00000100 -o newrecovery.img

Eighth: Write the new recovery image to your device
Click to expand...
Click to collapse
This thread says Heimdall 1.4.0 works for T31x: http://forum.xda-developers.com/showthread.php?t=2522091
Oh how nice, Heimdall 1.4.1 is in my package manager.
Connect device and restart in download mode (held the "HOME" button, "Volume Down" and "Power" all at the same time (for about 5 seconds). Hit the "Volume Up" to enter download mode when prompted.)
Code:
sudo heimdall flash --verbose --no-reboot --RECOVERY recovery.img
Ninth: Get signapk from here and build it. Run it against the ROM you want to sign, using the keys you generated earlier. Make sure you use the -w option to sign the whole zip rather than signing individual files.
Click to expand...
Click to collapse
signapk is on github in android/platform_build/tools. And it gives more bouncy castle errors. Put bcpkix-jdk15on-152.jar and bcprov-jdk15on-152.jar in the signapk folder and run
Code:
javac -cp .:./bcprov-jdk15on-152.jar:./bcpkix-jdk15on-152.jar SignApk.java
echo "Main-Class: SignApk" > manifest.txt
jar cvfm SignApk.jar manifest.txt SignApk.java
make directory com/android/signapk/ and move in all the *.class files and the SignApk.jar
Code:
java -cp .:./bcprov-jdk15on-152.jar:./bcpkix-jdk15on-152.jar com.android.signapk.SignApk /path/to/key.x509.pem /path/to/key.pk8 ../original.zip ../signed.zip
I just replaced the recovery in the OTA with the recovery with my keys from earlier, then rezipped it before signing. And after starting sideloading I noticed I left the "-w" option off the signing command, so I made another file with "-w".
Sideloaded with:
Code:
adb reboot recovery
(then volume down to select apply update from ADB)
adb sideload signed.zip
Then saw:
loading: 'update.zip'
sending: 'update.zip' <completion percent>
(might have to do some adb stopping/starting or adb usb beforehand to make it work, I was getting "error: closed" at first. If it just sits on "loading" something's wrong, as I found out last night when I waited hours for "loading" to turn into something else.)
After the file finished uploading, In terminal I got the response "* failed to write data 'protocol fault (couldn't read status): Success' *"
And on the device I got (for a few seconds before it showed only the sad robot on its back). Then after a couple minutes it rebooted back into recovery.
E: Footer is wrong
E: Footer is wrong
E: Signature verification failed
Installation aborted
So I tried again, but this time selected the option to wipe the cache before adb sideload. Then I tried again, using the update.zip that I forgot to add the "-w" option when signing. So far all fails.

I have no idea if the issue is how the recovery was flashed or what, so I'm doing it manual...
Code:
adb shell
su
#first backup current recovery
dd if=/dev/block/mmcblk0p10 of=/sdcard/recoverybk.img
adb pull /sdcard/recoverybk.img
# now push and dd my signed recovery
adb push /sdcard/recovery.img
dd if=/sdcard/recovery.img of=/dev/block/mmcblk0p10
And still having the same signature verification issue.
Edit: I went back and unpacked the recovery I pulled off the device (unpackbootimg), and it looks like somehow I managed to run mkbootimg with the old ramdisk image.
New problem with the new recovery: "E:failed to load keys". Maybe it had something to do with using ec keys just for funsies. So I remade the keys with the default, redumped into the ramdisk image, rebuild/reflashed recovery, resigned the update.zip. Now it's back to the "footer is wrong, signature verification failed" error.
But this is still trying to use the OTA 4.4.something update, not a full ROM. What's it do with Cyanogen?
First attempt: Download Cyanogen and sideload it (unmodified)
E:failed to verify whole-file signature
E:signature verification failed
Ok, expected behavior, it's not signed with my keys.
Attempt 2: sign Cyanogen with my keys and sideload it
Install from ADB complete!! Success!!

@user0002,
great thread! have you considered assembling a toolkit/suite for this process?
Thanks.
m

moonbutt74 said:
@user0002,
great thread! have you considered assembling a toolkit/suite for this process?
Thanks.
m
Click to expand...
Click to collapse
Hmmm... that's a good idea.

[Guides & Links] how to root ASUS ZenPad 3 8.0 (Z581KL)

This procedure supplements what was posted on 2ch.
this procedure is for firmware v3.3.18 or less.
If your firmware is v3.3.20, you may be able to downgrade to v3.3.18 with the procedure described at the end of this post.
for necessary files, download from the follwoing URL.
hZtZtpsZ://wZwZwZ.axfc.net/u/3777377
Z←remove
(PASS Z581KL)　(差分＝Difference，キーワード＝KEYWORD，ダウンロード＝Download，こちら＝HERE，cacheに置くもの＝Things to put in the cache)
1.extract boot image
turn on debug mode.
then, reboot recovery mode.
Code:
$ adb reboot recovery
after that, mount the system using the terminal volume button and the power button.
Code:
$ adb push dirtycow /tmp/
$ adb push run-as /tmp/
$ adb shell
[email protected]_1:/ $ cd /tmp
[email protected]_1:/tmp $ chmod 777 dirtycow
[email protected]_1:/tmp $ chmod 777 run-as
[email protected]_1:/tmp $ ./dirtycow ./run-as /system/bin/run-as
[email protected]_1:/tmp $ run-as
[email protected]_1:/tmp # dd if=/dev/block/mmcblk0p41 of=/tmp/boot.img
[email protected]_1:/tmp # chmod 777 /tmp/boot.img
[email protected]_1:/tmp # exit
[email protected]_1:/tmp $ exit
transfer boot.img to PC.
Code:
$ adb pull /tmp/boot.img ./
2.unpacking the boot.img
"mkbootimg_tools-master" is useful because it outputs log of ramdisk size.
(However, binary "mkbootfs" and "mkbootimg" are 32-bit versions.
if your environment is 64-bit, you need to bring 64-bit binaries from CarlivImageKitchen64 etc)
for example, using mkbootimg_tools-master looks like this:
Code:
$ ./mkboot bootimg_source/boot.img bootimg_output
Unpack & decompress bootimg_source/boot.img to bootimg_output
kernel : kernel
ramdisk : ramdisk
page size : 2048
kernel size : 29041019
[COLOR="Red"]ramdisk size : 2924316 <- refer to this value later[/COLOR]
base : 0x80000000
kernel offset : 0x00008000
ramdisk offset : 0x01000000
tags offset : 0x00000100
cmd line : console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 earlyprintk vmalloc=256M build_version=3
ramdisk is gzip format.
Unpack completed.
directories after unpacking boot.img looks like this:
bootimg_output
|--ramdisk
|--kernel
`--others(img_info,ramdisk.packed,etc)
3.install SuperSU manually
overwrite the contents of "initrd差分.7z" under directory "ramdisk".
("su" is an empty directory, but also to put it under "ramdisk")
(for "sbin", you only need to add launch_daemon.sh without deleting the existing files)
(permissions on files/directories should be the same as original or other file/directories)
4.repacking the boot.img
for example, using mkbootimg_tools-master looks like this:
Code:
$ ./mkboot bootimg_output boot_patched.img
mkbootimg from bootimg_output/img_info.
kernel : kernel
ramdisk : new_ramdisk
page size : 2048
kernel size : 29041019
ramdisk size : 2924316
base : 0x80000000
kernel offset : 0x00008000
ramdisk offset : 0x01000000
tags offset : 0x00000100
cmd line : console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 earlyprintk vmalloc=256M build_version=3
ramdisk is gzip format.
Repack image utility by [email protected]
Check and add the kernel
Check and add the ramdisk
Build the new image
'boot_patched.img' successfully repacked
Kernel size: 29041019, [COLOR="Magenta"][COLOR="Red"]new ramdisk size: 2924316[/COLOR][/COLOR], test_patched.img: 31969280.
test_patched.img has been created.
...
at this time, it is necessary to adjust so that the value of "new ramdisk size" becomes
the same value as "ramdisk size" when unpack.
if the size of "ramdisk" is different from when unpacked, Z581KL will not start.
therefore, deleting unnnecessary files stored under ramdisk/res/images/charger and adding dummy files.
(the difference of about several bytes seems to be no problem)
(once wrong boot.img is written, Z581KL will no start until you write the original boot.img)
however, the size of the original boot.img and the modified boot.img can be different.
(in my environment, the original boot.img was about 67MB, while the modifyed boot.img was
about 32MB)
5.insert modified boot.img
using dirtycow, adb push, and dd, insert the modified boot.img into the /dev/block/mmcblk0p41
also, put "su.img" and "SuperSU.apk" in /cache
then,reboot Z581KL.
"Verification Error" is always displayed when starting up, but if you wait for a while
it will start normally.
that's all.
**********************
Firmware downgrade procedure
1. your firmware is v3.3.20.0
2. download firmware from asus's support page. (UL-P008-WW-3.3.18.0-user.zip)
3. rename the zip file ( UL-P008-WW-3.3.18.0-user.zip -> UL-P008-WW-5.3.9.0-user.zip )
4. Place the zip file in an arbitrary directory on the SD card and insert this SD card into Z581KL
5. The update dialog is displayed as it is ( or it is displayed when restarted )
If the firmware is v 5 or higher (currently v 5.3.9.0 is published),
this procedure may indicate an error and the downgrade may fail.
In that case, for now I have no choice but to give up ...

I am sorry if my comment sounds unprofessional. Can you express steps 2-5 in a vulgar manner. Is mkbootimg a tool? ttps://forum.xda-developers.com/android/software-hacking/development-mkbootimg-tools-t2895954

I am experiencing permission denied while performing: adb pull /tmp/boot.img ./
i.imgur.com/TSO0v1g.png

About mkbootimg it is right.
Download all files with ZIP from GitHub's "Clone or download" button described in that URL.
About "adb pull" command, sorry.
Before doing it, you need to change the permissions of boot.img to 777.
[email protected]_1:/tmp # dd if=/dev/block/mmcblk0p41 of=/tmp/boot.img
[email protected]_1:/tmp # chmod 777 /tmp/boot.img
[email protected]_1:/tmp # exit
[email protected]_1:/tmp $ exit

By the way, I would like you to tell me.
Is there a procedure like this that you successfully downgraded the firmware?
1. your firmware is v3.3.20.0
2. download firmware from asus's support page. (UL-P008-WW-3.3.18.0-user.zip)
3. rename the zip file ( UL-P008-WW-3.3.18.0-user.zip -> UL-P008-WW-5.3.9.0-user.zip )
4. Place the zip file in an arbitrary directory on the SD card and insert this SD card into Z581KL
5. The update dialog is displayed as it is ( or is it displayed when restarted? )

yamada_2501 said:
By the way, I would like you to tell me.
Is there a procedure like this that you successfully downgraded the firmware?
1. your firmware is v3.3.20.0
2. download firmware from asus's support page. (UL-P008-WW-3.3.18.0-user.zip)
3. rename the zip file ( UL-P008-WW-3.3.18.0-user.zip -> UL-P008-WW-5.3.9.0-user.zip )
4. Place the zip file in an arbitrary directory on the SD card and insert this SD card into Z581KL
5. The update dialog is displayed as it is ( or is it displayed when restarted? )
Click to expand...
Click to collapse
Correct. This is exactly what I've done. My factory firmware was v3.3.20.0. I downloaded the 3.3.18.0 firmware from ASUS website and rename it to the 5.3.9.0 firmware. I was able to downgrade the system using the standard procedures.
---------- Post added at 04:11 AM ---------- Previous post was at 03:55 AM ----------
yamada_2501 said:
About mkbootimg it is right.
Download all files with ZIP from GitHub's "Clone or download" button described in that URL.
About "adb pull" command, sorry.
Before doing it, you need to change the permissions of boot.img to 777.
[email protected]_1:/tmp # dd if=/dev/block/mmcblk0p41 of=/tmp/boot.img
[email protected]_1:/tmp # chmod 777 /tmp/boot.img
[email protected]_1:/tmp # exit
[email protected]_1:/tmp $ exit
Click to expand...
Click to collapse
Thank you. I was able to successfully pull that boot.img. However, is there any mkbootimg alternative for windows. It seems like a linux system tool.
---------- Post added at 04:20 AM ---------- Previous post was at 04:11 AM ----------
yamada_2501 said:
About mkbootimg it is right.
Download all files with ZIP from GitHub's "Clone or download" button described in that URL.
About "adb pull" command, sorry.
Before doing it, you need to change the permissions of boot.img to 777.
[email protected]_1:/tmp # dd if=/dev/block/mmcblk0p41 of=/tmp/boot.img
[email protected]_1:/tmp # chmod 777 /tmp/boot.img
[email protected]_1:/tmp # exit
[email protected]_1:/tmp $ exit
Click to expand...
Click to collapse
I was able to find this post (ttps://forum.xda-developers.com/redmi-1s/general/guide-unpack-repack-kernel-t2908458). I am not sure if it work. Would you please verify and please post the steps. When I use this tool, I am getting a intrid folder instead of ramdisk folder as describe in your post. The link below is what I have. The red boxed files are the original files. Green arrowed file is the original boot.img
i.imgur.com/8d05Zis.png
Also, would you please provide the codes you used in step 5.
Update:
I was somehow able to push boot.img and the other two files in by modifying step 1's code. However, I think the boot.img I created has an error. Perhaps because of sizing error. I am not able to start the machine. Now, is stuck at fastboot options menu. How can I get back to the recovery menu and perhaps push the original boot.img back.

If you connect to the PC with the fastboot menu activated,
and execute the " fastboot reboot recovery " command on the PC,
will not you get to the recovery menu?

yamada_2501 said:
If you connect to the PC with the fastboot menu activated,
and execute the " fastboot reboot recovery " command on the PC,
will not you get to the recovery menu?
Click to expand...
Click to collapse
No, when I execute that command, it shows me a bunch of options as shown in the screenshot below.
i.imgur.com/ZJsh5Ub.png

Sorry, I can only think about this as other means....
1.Power off your device
2.pressing and holding Volume Down and Power Button at the same time
3.Boot in recovery mode
1.Power off your device
2.pressing and holding Volume Up and Power Button at the same time
3.Boot in Fast boot options menu
4.select "USB debug mode"
１．Boot in Fast boot options menu
2.Use fastboot command from PC to start Z581KL from original boot.img on PC
-> fastboot boot ./boot.img

yamada_2501 said:
Sorry, I can only think about this as other means....
1.Power off your device
2.pressing and holding Volume Down and Power Button at the same time
3.Boot in recovery mode
1.Power off your device
2.pressing and holding Volume Up and Power Button at the same time
3.Boot in Fast boot options menu
4.select "USB debug mode"
１．Boot in Fast boot options menu
2.Use fastboot command from PC to start Z581KL from original boot.img on PC
-> fastboot boot ./boot.img
Click to expand...
Click to collapse
The combination button will not get me to the recovery mode. USB debugging mode requires a OS system. I've been trying to flash/boot the original boot.img from my computer but it has some permission error.
i.imgur.com/rmK65Z9.png
Is it possible to get this permission error fix and flash or boot the original boot.img?

I already upgraded to Nougat 5.3.9.0. Could I downgrade to 3.3.18 without bricking it?

I could get blueborne to work on JP_V5.5.0_220170616.
But shell whose uid=bluetooth is seemingly useless for rooting...
Does anyone know how to get root from bluetooth shell?

is there any guide to flash a ww rom over operator rom?
thanks

How to insert the modified boot.img into the /dev/block/mmcblk0p41 by using dirtycow, adb push, and dd?

tomo_ward said:
How to insert the modified boot.img into the /dev/block/mmcblk0p41 by using dirtycow, adb push, and dd?
Click to expand...
Click to collapse
His original instruction left out commands to acquire permission to access boot.img. Read the reply threads between yamada and me. He addressed the instruction to acquire the permission. In order to insert the modified boot.img, you re-execute step 1, but instead of doing an adb pull on the last command of step 1, do an adb push.
However, the issue of this guide is the fact that you need to push the boot.img out, unpack and repack it. The risk of this is that the chance of you getting wrong modified size boot.img. There is no way to re-acquire permission to replace the wrong boot.img with the original one once you can't boot into the system; therefore, you end up with a Z581Kl that just do not boot. I had to send mine Z581KL back to factory in order to fix the effect.
If you are willing to take the risk and does success, please provide the boot.img you have successfully modified. That will definitely be a gospel.

thank you.
I'll try to get Root my Z581KL

Should I change file permission of patched_boot.img before run "dd" command?
[email protected]_1:/tmp # chmod 777 /tmp/patched_boot.img #Do I need?
[email protected]_1:/tmp # dd if=/tmp/patched_boot.img of=/dev/block/mmcblk0p41

Was anyone able to get a boot.img that works?

Cannot download the needed ZIP file.
Any backup?

Uqbar said:
Cannot download the needed ZIP file.
Any backup?
Click to expand...
Click to collapse
None has it any more?

Repack Stock Firmware with Android 10 for Odin

I am trying to de-bload/modify the original stock firmware and flash it to my phone using odin without installing TWRP. I have already successfully flashed Magisks this way. However, all the guides I found on modifying the system.img seem to be outdated and do not work anymore.
Here is my current workflow (all on Debian 10)
Code:
tar xvf AP_*.tar.md5 #from original stock rom package or magisk_patched_*.tar) into sub-directory
lz4 -d system.img.lz4
simg2img system.img system.raw.img #either the Debian version or fresh compile from https://github.com/anestisb/android-simg2img
mkdir sys
sudo mount -t ext4 -o loop system.raw.img sys/
# Do a bunch of changes in the mounted image e.g. delete Samsung bloatware
sudo umount sys/
img2simg system.raw.img system.img
lz4 -B6 --content-size system.img system.img.lz4
tar --owner=1000 --group=1000 -H ustar -cvf AP_modified.tar *
md5sum -t AP_modified.tar >> AP_modified.tar
mv AP_modified.tar AP_modified.tar.md5
Unfortunately, the resulting file does not work because odin hangs or odin finishes and the phone is stuck in a boot loop. Anybody knows what I am missing here. Bootloader is unlocked, as I said, I could successfully flash the modified AP_* from magisk.