Re-signing the system - Nook Touch Android Development

Various aspects of the Nook system are signed with a signature from Barnes & Noble.
There are a few places where signatures are compared.
Various system apps used a single "shared id" and they must all have the same signature.
/system/framework/framework-res.apk must have a correct signature with respect to AndroidManifest.xml.
In any case, it's your Nook, what are you going to do?
Re-signing the system
- make a full backup and make sure that it is good
- create your own signature http://developer.android.com/tools/publishing/app-signing.html
- make a directory for your patch
  - create the subdirectory META-INF\com\google\android\
    - put a copy of update-binary in there
    - write an updater-script and put it in there
  - create the subdirectory system\app
  - create the subdirectory system\framework
For each of your APKs in /system/app and also /system/framework/framework-res.apk:
- unzip them somewhere
- delete the whole directory META-INF from them
- zip the directory
- jarsigner them with your own personal signature
- zipalign the APK (optional if you are lazy and don't see the point)
- put it in the appropriate patch directory
Then:
- zip the patch directory
- copy it to your SD card
- make sure that your WiFi is turned on if you are using ADB over WiFi!
- recovery boot using ClockworkMod
- install the patch from SD card
- reboot
updater-script
Code:
# Replace signed components
mount("ext2", "/dev/block/mmcblk0p5", "/system");
package_extract_dir("system/app", "/system/app");
package_extract_dir("system/framework", "/system/framework");
unmount("/system");
# Delete packages.xml
mount("ext3", "/dev/block/mmcblk0p8", "/data");
delete("/data/system/packages.xml");
unmount("/data");
Flies in the ointment, caveats, etc...
The packages.xml contains some form of certs that have all changed.
Right now, the simplest way I know to deal with this is just to delete packages.xml.
The problem is, this will break most user applications since the user IDs will no longer agree.
The easiest thing to do is just to reinstall them.
For applications with a lot of data, it would be best to back up the configs or data.
When you first boot up, you may think that you are in a "boot loop".
The boot animation will run continuously.
If you have ADB connected still (and you had better!) you can fix this.
Your launcher application is probably causing lots of errors on startup.
There are two ways to fix the problem with the launcher (or any other app):
- uninstall and reinstall it
- go into /data/data/com.myapp.whatever and chown everything to the user id of the application.
Code:
busybox chown -R 10011: databases
Don't chown the lib directory if there is one.
Then you should have a device that boots up normally.
Good luck, Mr. Phelps.

Renate NST said:
> create your own signature http://developer.android.com/tools/publishing/app-signing.html
Renate,
Won’t it be easier to use Android media key?
If we do, we can patch packages.xml, instead of deleting it, right?
Renate NST said:
> For each of your APKs in /system/app and also /system/framework/framework-res.apk:
> unzip them somewhere
> delete the whole directory META-INF from them
> zip the directory
> jarsigner them with your own personal signature
> zipalign the APK (optional if you are lazy and don't see the point)
> put it in the appropriate patch directory
I wrote a script to do just that, can be adapted easily...
Code:
@set keystore=..\keys\media.jks
@set storepass=android
@set alias=media
@set resigned_dir=.\new
@for %%i in ( .\*.apk ) do @(
echo %%i
copy %%i %resigned_dir%\%%~ni_%%~xi
zip -d %resigned_dir%\%%~ni_%%~xi META-INF\*
jarsigner -keystore %keystore% -storepass %storepass% %resigned_dir%\%%~ni_%%~xi %alias%
zipalign -f 4 %resigned_dir%\%%~ni_%%~xi %resigned_dir%\%%~ni%%~xi
del %resigned_dir%\%%~ni_%%~xi
)
@goto :eof
Just my 2 cents…
---------- Post added at 04:31 PM ---------- Previous post was at 04:22 PM ----------
Renate NST said:
> ...
> Then you should have a device that boots up normally.
> Good luck, Mr. Phelps.
Guys,
If you run into a problem following Renate's steps, it’ll be practically impossible to troubleshoot without logcat log.
It might be a bit safer to use ADB over USB than over wireless.
Even if you run into boot loop, ADB should work still.
I’m not 100% sure, if you need framework operational to establish wireless connection (for ADB to use).
ADB over USB definitely doesn't need framework running.

Yes, of course I used a script to resign the individual APKs.
Yours is nice though.
I'm not sure what you mean by "Android media key".
Do you mean the androiddebug key?
Did you re-sign framework-res.apk too?
Well, one advantage of deleting packages.xml is that it gets rid of the cruft.
I was thinking of just writing a little utility that resolved the renumbered user ids and fixed file ownership.
P.S. WiFi works fine when the boot animation is still looping.
The loop animation just runs until something wants to use the screen.
The system is actually 100% up at that point.
It's just that your home application (a launcher probably) can't run.
You can still start an application by am start intent.
That's also a warning to not presume that your Nook is dead just because the display loops.

Renate NST said:
> Yes, of course I used a script to resign the individual APKs.
> Yours is nice though.
Thank you!
Renate NST said:
> I'm not sure what you mean by "Android media key".
> Do you mean the androiddebug key?
I don’t remember now, it was a long time ago.
AFAIR, it was 4 keys
testkey -- a generic key for packages that do not otherwise specify a key.
platform -- a test key for packages that are part of the core platform.
shared -- a test key for things that are shared in the home/contacts process.
media -- a test key for packages that are part of the media/download system.
You can download them still from Google repository
http://mirror.yongbok.net/pub/pub/linux/android/repository/build/target/product/security/
Most ppl call media key androiddebug key, don’t ask me why.
Renate NST said:
> Did you re-sign framework-res.apk too?
Not as of now. Waiting for your Reader.apk...
Renate NST said:
> Well, one advantage of deleting packages.xml is that it gets rid of the cruft.
> I was thinking of just writing a little utility that resolved the renumbered user ids and fixed file ownership.
I dunno if it recreates UserID properly.
I.e. you have apps A, B, C installed they got UserIDs 10001, 10002 & 10003 respectively.
Then you uninstall A & B and delete packages.xml, would C get 10003 still?
Need to test it.
Renate NST said:
> P.S. WiFi works fine when the boot animation is still looping.
> The loop animation just runs until something wants to use the screen.
> The system is actually 100% up at that point.
Yep. Thanks for confirming this!
Renate NST said:
> It's just that your home application (a launcher probably) can't run.
> You can still start an application by am start intent.
> That's also a warning to not presume that your Nook is dead just because the display loops.
When I see Nook booting image "with running dots", ADB is up already.
I was under the impression that’s the image ppl see while in boot loop.
ps shows it as bootanimation process
I guess, we are NOT on the same page again…

The running dots (boot animation) gets started as the system starts.
It just runs until something takes over the screen.
If it runs continuously, it could mean that the system is in a boot loop or
simply that no application is rising to the challenge to do something.
On the other hand, if the dots are running, but it hiccups and starts over from the first dot, that's a real boot loop.

Renate NST said:
> The running dots (boot animation) gets started as the system starts.
> It just runs until something takes over the screen.
> If it runs continuously, it could mean that the system is in a boot loop or
> simply that no application is rising to the challenge to do something.
> On the other hand, if the dots are running, but it hiccups and starts over from the first dot, that's a real boot loop.
Renate,
I neither completely agree with you on bootanimation app nor want to pollute this thread with useless (IMO) discussion about it. If you want to discuss it further – could you open another thread?

Well, I proved that you can take Settings.apk and SettingsProvider.apk off the emulator, sign them and install them.
There are a number of problems with that, starting out that the opening screen is white on white.
Also, my Nook seems to think it's a phone now and the hack that I did for the "n" button is broken.
I switched back to the stock version.
On the plus side, my Nook now opens with just a button press and no swiping.
I remember some people were interested in that.
It's probably something in settings.db

Renate NST said:
> Well, I proved that you can take Settings.apk and SettingsProvider.apk off the emulator, sign them and install them.
AFAIR, everything on emulator is signed with keys I posted and nothing with B&N key - you don't need to resign.

Renate NST said:
> Various aspects of the Nook system are signed with a signature from Barnes & Noble.
Renate,
I can write a script (Win) to do:
Parse packages.xml to find APKs run as 'shared-user name="android.media" userId="10000"'
Pull (backup) them to PC
Resign
Stop framework
Push resigned APKs to NST
Replace B&N cert reference in packages.xml to the one we used
Start framework
It might be some manual steps...
Do you think it might be useful?
And another script to restore...

First thing, I think that doing a system update to replace (as recommended in my first post) is overkill.
I wasn't sure whether simply starting and stopping the framework from the shell would be sufficient.
Apparently it is.
My only excuse is that I've bricked my Nook about 20 times and was being conservative.
What you want to sign your Nook with is your choice.
I hadn't looked into using any common signatures.
Android only mentions the single debug key in their documentation.
The emulator apks are signed with an Android signature, but not the same as the debug key.
ApokrifX said:
> I can write a script (Win) to do:
> Parse packages.xml to find APKs run as 'shared-user name="android.media" userId="10000"'
Ok, but there is also all the other sharedUserId="1000"
I'm not sure how the cert references work in packages.xml
Does it work for framework-res.apk too?

Looks like I cannot answer your question.
I guess, we can create a table [sharedUserId] – [App], [sharedUserId] – [Cert] and [Cert] - [App]
It can shed some light on how it works.
I can see same sharedUserId used with different certs, so apps should use different android users...
See below:
Don’t know how to map sharedUserId to android user yet.
My [current] understanding is:
userId "10000" and above are apps generated.
Below – for system use.
I have now:
<package name="com.bn.nook.quickstart" codePath="/system/app/QuickStartActivity.apk" system="true" ts="1217592000000" version="7" sharedUserId="1000">
<cert index="4" />
<package name="com.google.android.server.checkin" codePath="/system/app/GoogleCheckin.apk" system="true" ts="1292347460000" version="7" sharedUserId="1000">
<sigs count="1">
<cert index="13" />
Obviously, due to cert mismatch, "com.bn.nook.quickstart" & "com.google.android.server.checkin" should use different users.
---------- Post added at 09:29 PM ---------- Previous post was at 09:04 PM ----------
ApokrifX said:
> Looks like I cannot answer your question.
> I guess, we can create a table [sharedUserId] – [App], [sharedUserId] – [Cert] and [Cert] - [App]
> It can shed some light on how it works.
Here we go:
Code:
0 10019 com.google.android.apps.gtalkservice /system/app/gtalkservice.apk
0 10019 com.google.android.googleapps /system/app/GoogleApps.apk
0 10019 com.google.android.providers.gmail /system/app/GmailProvider.apk
0 10019 com.google.android.providers.talk /system/app/TalkProvider.apk
0 10021 com.google.android.gm /system/app/Gmail.apk
0 10022 com.android.vending /system/app/Vending.apk
1 10002 com.android.globalsearch /system/app/GlobalSearch.apk
1 10002 com.android.googlesearch /system/app/GoogleSearch.apk
1 10002 com.android.inputmethod.latin /system/app/LatinIME.apk
1 10002 com.android.launcher /system/app/Launcher.apk
1 10002 com.android.providers.applications /system/app/ApplicationsProvider.apk
1 10002 com.android.providers.contacts /system/app/ContactsProvider.apk
1 10002 com.android.providers.userdictionary /system/app/UserDictionaryProvider.apk
10 10001 com.adobe.air /system/app/AirRuntime.apk
10 10017 de.devmil.minimaltext /data/app/mt262.apk
10 10023 com.google.android.talk /system/app/Talk.apk
11 10013 com.ngc.fora /data/app/com.ngc.fora.apk
12 10015 siir.es.adbWireless /data/app/siir.es.adbWireless-1.apk
13 1000 com.google.android.providers.subscribedfeeds /system/app/GoogleSubscribedFeedsProvider.apk
13 1000 com.google.android.server.checkin /system/app/GoogleCheckin.apk
14 10018 com.david1171.minimalistblack /data/app/com.david1171.minimalistblack-1.apk
15 10014 com.smart.swkey /data/app/SWKey21.apk
16 10030 com.asksven.betterbatterystats /data/app/com.asksven.betterbatterystats.apk
17 10027 jackpal.androidterm /data/app/jackpal.androidterm.apk
18 10029 com.googlecode.droidwall.free /data/app/com.googlecode.droidwall.free.apk
19 10016 org.adw.launcher /data/app/org.adw.launcher-1.apk
2 10026 org.coolreader /data/app/org.coolreader.apk
20 10012 com.noshufou.android.su /data/app/Superuser.apk
3 10024 berserker.android.apps.sshdroid /data/app/berserker.android.apps.sshdroid.apk
4 1000 android /system/framework/framework-res.apk
4 1000 com.android.providers.settings /system/app/SettingsProvider.apk
4 1000 com.android.providers.subscribedfeeds /system/app/AccountAndSyncSettings.apk
4 1000 com.android.settings /system/app/Settings.apk
4 1000 com.bn.app.crypto.server /system/app/CryptoServer.apk
4 1000 com.bn.authentication.svc /system/app/BnAuthenticationService.apk
4 1000 com.bn.demomode /system/app/DemoMode.apk
4 1000 com.bn.devicemanager /system/app/DeviceManager.apk
4 1000 com.bn.nook.quickstart /system/app/QuickStartActivity.apk
4 1000 com.bn.syschecksum /system/app/SysChecksum.apk
4 1000 com.bn.waveformdownloader.svc /system/app/WaveformDownloader.apk
4 10005 com.android.certinstaller /system/app/CertInstaller.apk
4 10009 com.android.packageinstaller /system/app/PackageInstaller.apk
4 1001 com.android.phone /system/app/Phone.apk
4 1001 com.android.providers.telephony /system/app/TelephonyProvider.apk
4 10011 android.tts /system/app/TtsService.apk
5 10000 com.android.gallery /system/app/Gallery.apk
5 10000 com.android.providers.downloads /system/app/DownloadProvider.apk
5 10000 com.android.providers.drm /system/app/DrmProvider.apk
5 10000 com.android.providers.media /system/app/MediaProvider.apk
5 10000 com.bn.nook.accessories /system/app/Accessories.apk
5 10000 com.bn.nook.affiledownloadservice /system/app/AFfileDownloadService.apk
5 10000 com.bn.nook.cloud.service /system/app/CloudService.apk
5 10000 com.bn.nook.community /system/app/NookCommunity.apk
5 10000 com.bn.nook.dadmin /system/app/DownloadAdmin.apk
5 10000 com.bn.nook.home /system/app/Home.apk
5 10000 com.bn.nook.library /system/app/Library.apk
5 10000 com.bn.nook.reader.activities /system/app/Reader.apk
5 10000 com.bn.nook.shop /system/app/Shop.apk
5 10000 com.bn.nook.social /system/app/Social.apk
6 10025 com.andoku.two.free /data/app/com.andoku.two.free.apk
7 10028 org.connectbot /data/app/org.connectbot.apk
8 10003 com.bn.cloud.svc /system/app/BnCloudRequestSvc.apk
8 10004 com.android.browser /system/app/Browser.apk
8 10006 com.bn.deviceregistrator /system/app/DeviceRegistrator.apk
8 10007 com.android.htmlviewer /system/app/HTMLViewer.apk
8 10008 com.android.music /system/app/Music.apk
8 10010 com.svox.pico /system/app/PicoTts.apk
9 10020 com.benhirashima.nookcolorsettings /system/app/NookColorTools.apk
ApokrifX said:
> Don’t know how to map sharedUserId to android user yet.
Need help with this one... :crying:

Yes, the cert indexes are the same for all the things that are signed with the same signature,
but they can even be different in some cases.
All the apps I wrote and signed with my own key are 0.
All of the system that I signed with my own key are 1.
All of the other cert indexes go from 2 to 8.
The problem is, these are indexes into something and I don't know what/where that is.
When you change a signature, you have to change the something.
When you change signatures in most cases, the system shrugs and rebuilds packages.xml
It's mostly changing the signature on framework-res.apk (name="android") that causes the biggest problems.
For another perspective on the whole package management, try this:
Code:
dumpsys package > /sdcard/package.txt
(This generates a lot of text, hence the redirect.)

Renate NST said:
> Android only mentions the single debug key in their documentation.
URL?
Renate NST said:
> The emulator apks are signed with an Android signature, but not the same as the debug key.
Compared a few keys (Subject Key Identifiers) out of curiosity:
Android keys
Code:
testkey 48:59:00:56:3D:27:2C:46:AE:11:86:05:A4:74:19:AC:09:CA:8C:11
shared CB:4C:7E:2C:DB:B3:F0:AD:A9:8D:AB:79:96:8D:17:2E:9D:BB:1E:D1
platform 4F:E4:A0:B3:DD:9C:BA:29:F7:1D:72:87:C4:E7:C3:8F:20:86:C2:99
media CA:29:3C:AA:8B:C0:ED:3E:54:2E:EF:42:05:A2:BF:F2:B5:7E:4D:75
NC2.1 EMU
Code:
Browser 48:59:00:56:3D:27:2C:46:AE:11:86:05:A4:74:19:AC:09:CA:8C:11
LatinIME CB:4C:7E:2C:DB:B3:F0:AD:A9:8D:AB:79:96:8D:17:2E:9D:BB:1E:D1
framework-res 4F:E4:A0:B3:DD:9C:BA:29:F7:1D:72:87:C4:E7:C3:8F:20:86:C2:99
MediaProvider CA:29:3C:AA:8B:C0:ED:3E:54:2E:EF:42:05:A2:BF:F2:B5:7E:4D:75
---------- Post added at 10:13 PM ---------- Previous post was at 10:07 PM ----------
Renate NST said:
> Yes, the cert indexes are the same for all the things that are signed with the same signature,
> but they can even be different in some cases.
> All the apps I wrote and signed with my own key are 0.
> All of the system that I signed with my own key are 1.
> All of the other cert indexes go from 2 to 8.
> The problem is, these are indexes into something and I don't know what/where that is.
Ok. Just to make sure, we are on same page again:
When cert mentioned 1st time, it got encoded right into packages.xml key="3082...9308a"
Next time it used, it's referenced by index.
Code:
<package name="com.google.android.providers.talk" codePath="/system/app/TalkProvider.apk" system="true" ts="1292347460000" version="7" sharedUserId="10019">
<sigs count="1">
<cert index="0" key="3082...9308a" />
...
<package name="com.google.android.googleapps" codePath="/system/app/GoogleApps.apk" system="true" ts="1292347460000" version="130" sharedUserId="10019">
<sigs count="1">
<cert index="0" />
Do you mean something else?
---------- Post added at 10:16 PM ---------- Previous post was at 10:13 PM ----------
Renate NST said:
> Yes, the cert indexes are the same for all the things that are signed with the same signature,
> but they can even be different in some cases.
> All the apps I wrote and signed with my own key are 0.
> All of the system that I signed with my own key are 1.
Interesting...
Could you extract CERT.RSA from "the app" and "the system app" and compare, please?
---------- Post added at 10:22 PM ---------- Previous post was at 10:16 PM ----------
Renate NST said:
> For another perspective on the whole package management, try this:
> Code:
> dumpsys package > /sdcard/package.txt
How do we map:
Code:
Package [com.asksven.betterbatterystats] (49ea9250):
userId=10030 gids=[1015, 3003]
to names we see with ls -l

ApokrifX said:
> URL?
> When cert mentioned 1st time, it got encoded right into packages.xml key="3082...9308a"
> Next time it used, it's referenced by index.
Yup, it looks like you are 100% correct.
FWR signed with my key is different than an app signed with my key.
They are the same, except for the last 256 bytes which are different.
As you can see, the keys in packages.xml are of different lengths
and at least in the cases that I checked are shorter than length(cert)-256 even.
Moreover the end of the keys in packages.xml don't agree with the same position.
http://developer.android.com/tools/publishing/app-signing.html
> The SDK tools create the debug keystore/key with predetermined names/passwords:
> Keystore name: "debug.keystore"
> Keystore password: "android"
> Key alias: "androiddebugkey"
> Key password: "android"
> CN: "CN=Android Debug,O=Android,C=US"
The point is not that this single key is documented, the point is that the others are not.

Renate NST said:
> FWR signed with my key is different than an app signed with my key.
> They are the same, except for the last 256 bytes which are different.
> As you can see, the keys in packages.xml are of different lengths
> and at least in the cases that I checked are shorter than length(cert)-256 even.
Right.
Could you compare certs "X509v3 Subject Key Identifier", please?
Renate NST said:
> Moreover the end of the keys in packages.xml don't agree with the same position.
I’m not sure, I get this...
Renate NST said:
> The point is not that this single key is documented, the point is that the others are not.
---------- Post added at 11:15 PM ---------- Previous post was at 11:01 PM ----------
Looks like certs in packages.xml are stored in pkcs8 hex format:
shared.pk8
Code:
0000000000: 30 82 04 BE 02 01 00 30 │ 0D 06 09 2A 86 48 86 F7
0000000010: 0D 01 01 01 05 00 04 82 │ 04 A8 30 82 04 A4 02 01
0000000020: 00 02 82 01 01 00 C8 C2 │ DB FD 09 4A 2D F4 5C 3F
0000000030: F1 A3 2E D2 18 05 EC 72 │ FC 58 D0 17 97 1B D0 F6
packages.xml
Code:
<cert index="2" key="3082...b2db" />
They can be easily dumped from packages.xml right into pkcs8 format, no need to get them from packages.

I know practically nothing about signing and certs specifically.
Taking this as a black box question:
Given a signed package, extract the cert with a zip tool,
how do you convert that data into something to write into packages.xml?
Yes, all the ASCII text is in both of these but the cert in the apk and the cert in packages are wildly different.
Yes, you could make a project of this and delve into the Android code to see where it all comes from but the effort seems excessive.
We know that if you delete packages.xml entirely it will get rebuilt (although not with the same non-shared ids as before).
Why not try just deleting all the certs and leaving the rest of it alone?

Renate NST said:
> I know practically nothing about signing and certs specifically.
> Taking this as a black box question:
> Given a signed package, extract the cert with a zip tool,
> how do you convert that data into something to write into packages.xml?
I didn’t do this part yet.
I guess, a bit of fiddling with openssl or keytool will do just fine.
Renate NST said:
> Yes, all the ASCII text is in both of these but the cert in the apk and the cert in packages are wildly different.
If you post both (from packages.xml), I’ll decrypt them.
I’m pretty sure, they are different.
Renate NST said:
> Yes, you could make a project of this and delve into the Android code to see where it all comes from but the effort seems excessive.
Yep. There is no point.
Renate NST said:
> We know that if you delete packages.xml entirely it will get rebuilt (although not with the same non-shared ids as before).
> Why not try just deleting all the certs and leaving the rest of it alone?
I wrote already, what might be different if you do it.
IMO, just patching it might be safer...
BTW: I decoded certs from packages.xml - there are 4 different ones from B&N there.

ApokrifX said:
> I decoded certs from packages.xml - there 4 different ones from B&N there.
I still don't know what the tool is or how it operates.
I'm not saying that what is packed in an APK is different in substance from the cert in packages.xml,
I'm just saying that they are not trivially binary convertible from one to another.
If you just delete packages.xml you can either fix the non-shared user ids in packages
or fix the owners for /data/data directories.
I already have an auditing tool for resolving such user id discrepancies
and finding orphaned /data/data directories for apps that were deleted and not uninstalled.
It doesn't do anything, but it reports it so that you can.

Renate NST said:
> I still don't know what the tool is or how it operates.
> I'm not saying that what is packed in an APK is different in substance from the cert in packages.xml,
> I'm just saying that they are not trivially binary convertible from one to another.
I dunno, they are trivially convertible, try for yourself:
Unzip CERT.RSA from stock Reader.apk
Obviously (or not), CERT.RSA is pkcs7 and certs in packages.xml are hex strings x509
Let’s convert pkcs7 -> x509
Code:
openssl pkcs7 -inform DER -in CERT.RSA -out CERT.PEM -print_certs
openssl x509 -inform PEM -in CERT.PEM -outform DER -out CERT.x509.DER
Now open CERT.x509.DER in any hex editor:
Code:
0000000000: 30 82 04 96 30 82 03 7E │ A0 03 02 01 02 02 09 00
0000000010: CF 3F 93 2A 95 18 91 A5 │ 30 0D 06 09 2A 86 48 86
...
0000000480: BF 46 EB 99 2F F8 A8 9A │ 1F 66 2D 91 4F 0C 93 FE
0000000490: 44 7D 2F D0 C2 CC DC F7 │ 5E 84
And compare with packages.xml
Code:
<cert index="5" key="308204963082037ea003020102020900cf3f932a951891a5300d06092a864886
…
bf46eb992ff8a89a1f662d914f0c93fe447d2fd0c2ccdcf75e84" />
Renate NST said:
> If you just delete packages.xml you can either fix the non-shared user ids in packages or fix the owners for /data/data directories.
> I already have an auditing tool for resolving such user id discrepancies
> and finding orphaned /data/data directories for apps that were deleted and not uninstalled.
> It doesn't do anything, but it reports it so that you can.
What about this case:
ApokrifX said:
> I dunno if it recreates UserID properly.
> I.e. you have apps A, B, C installed they got UserIDs 10001, 10002 & 10003 respectively.
> Then you uninstall A & B and delete packages.xml, would C get 10003 still?
> Need to test it.
Do we need to do anything manually or will deleting packages.xml recreate everything properly?
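
Added example (not from any poster in this thread): Python code for the [Cert] - [App] table and the hex comparison described above. It resolves `<cert index>` references in a packages.xml, lists user ids that appear with more than one cert, and finds which index matches a DER certificate such as the CERT.x509.DER produced by the openssl commands. The XML sample and its short key strings are constructed placeholders, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the layout quoted in the thread. Most package names
# come from the thread's listing; the key strings are short placeholders,
# not real certificates, and com.example.orphanref is made up.
SAMPLE_PACKAGES_XML = """<packages>
  <package name="com.bn.nook.quickstart" codePath="/system/app/QuickStartActivity.apk" sharedUserId="1000">
    <sigs count="1"><cert index="4" key="3082000104" /></sigs>
  </package>
  <package name="android" codePath="/system/framework/framework-res.apk" sharedUserId="1000">
    <sigs count="1"><cert index="4" /></sigs>
  </package>
  <package name="com.google.android.server.checkin" codePath="/system/app/GoogleCheckin.apk" sharedUserId="1000">
    <sigs count="1"><cert index="13" key="308200010D" /></sigs>
  </package>
  <package name="com.bn.nook.reader.activities" codePath="/system/app/Reader.apk" sharedUserId="10000">
    <sigs count="1"><cert index="5" key="3082000105" /></sigs>
  </package>
  <package name="com.example.orphanref" codePath="/data/app/orphanref.apk" userId="10031">
    <sigs count="1"><cert index="21" /></sigs>
  </package>
</packages>"""


def parse_packages(xml_text):
    """Parse the text of a packages.xml and return its root element."""
    return ET.fromstring(xml_text)


def load_cert_table(root):
    """Map cert index -> lowercase hex key.

    Only the first mention of a certificate carries key="..."; every later
    <cert> element gives just the index, so collect the keys in one pass.
    """
    table = {}
    for cert in root.iter("cert"):
        key = cert.get("key")
        if key is None:
            continue
        idx = int(cert.get("index"))
        if table.setdefault(idx, key.lower()) != key.lower():
            raise ValueError(f"cert index {idx} has two different keys")
    return table


def package_records(root):
    """One record per <package>: name, path, uid and the cert indexes it uses."""
    records = []
    for pkg in root.iter("package"):
        uid = pkg.get("sharedUserId") or pkg.get("userId")
        records.append({
            "name": pkg.get("name"),
            "path": pkg.get("codePath"),
            "uid": int(uid) if uid else None,
            "shared": pkg.get("sharedUserId") is not None,
            "certs": sorted(int(c.get("index")) for c in pkg.iter("cert")),
        })
    return records


def uids_with_mixed_certs(records):
    """User ids whose packages do not all reference the same cert index."""
    seen = defaultdict(set)
    for rec in records:
        if rec["uid"] is not None:
            seen[rec["uid"]].update(rec["certs"])
    return {uid: certs for uid, certs in seen.items() if len(certs) > 1}


def dangling_cert_refs(records, table):
    """Cert indexes that are referenced but never defined with a key."""
    used = {idx for rec in records for idx in rec["certs"]}
    return sorted(used - set(table))


def index_for_der(der_bytes, table):
    """Return the cert index whose key is the hex of this DER certificate."""
    wanted = der_bytes.hex()
    for idx, key in table.items():
        if key == wanted:
            return idx
    return None


if __name__ == "__main__":
    root = parse_packages(SAMPLE_PACKAGES_XML)
    table = load_cert_table(root)
    records = package_records(root)
    for rec in sorted(records, key=lambda r: (r["certs"], r["uid"] or 0)):
        print(rec["certs"], rec["uid"], rec["name"], rec["path"])
    print("uids with more than one cert:", uids_with_mixed_certs(records))
    print("references without a key:", dangling_cert_refs(records, table))
    print("placeholder DER matches index:",
          index_for_der(bytes.fromhex("3082000105"), table))
```

On a real file, read CERT.x509.DER in binary mode and pass its bytes to `index_for_der`.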

Well, you seem to have a handle on all this.
I've never heard of pkcs7 or any of its friends.
Deleting packages.xml will result in the non-shared user ids being assigned in order as the APKs are discovered by the PackageManager.
User ids are only used for file permissions on /data/data as far as I know.
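
Added example (not the auditing tool mentioned above, and not from any poster): Python code that compares a packages.xml saved before deletion with the rebuilt one, reports which non-shared user ids changed and which packages disappeared, and prints the matching `busybox chown` lines while skipping `lib`. Both XML files, the new id values and the directory listing are constructed assumptions, not observed device output; function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed "before" file: the A, B, C case asked about in the thread after
# A and B were uninstalled, one app whose APK was deleted without uninstall,
# and one package under a shared user id.
OLD_XML = """<packages>
  <package name="com.example.c" codePath="/data/app/c.apk" userId="10003" />
  <package name="com.example.gone" codePath="/data/app/gone.apk" userId="10004" />
  <package name="com.bn.nook.home" codePath="/system/app/Home.apk" sharedUserId="10000" />
</packages>"""

# Constructed "after" file. The new id for C is an assumed value chosen to
# show a renumbering; it was not read from a device.
NEW_XML = """<packages>
  <package name="com.example.c" codePath="/data/app/c.apk" userId="10001" />
  <package name="com.bn.nook.home" codePath="/system/app/Home.apk" sharedUserId="10000" />
</packages>"""

# Constructed listing of /data/data/<package>/ entries.
DATA_ENTRIES = {"com.example.c": ["databases", "shared_prefs", "lib"]}

# Names end up in shell commands, so accept only plain dotted identifiers.
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*")


def private_uids(xml_text):
    """Return {package name: uid} for packages that own a private userId.

    Packages with sharedUserId are left out: the thread notes that it is the
    non-shared ids that differ after packages.xml is rebuilt.
    """
    uids = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        uid = pkg.get("userId")
        if uid is not None:
            uids[pkg.get("name")] = int(uid)
    return uids


def uid_changes(old, new):
    """(name, old uid, new uid) for packages present in both files."""
    return sorted((name, old[name], new[name])
                  for name in old.keys() & new.keys()
                  if old[name] != new[name])


def orphaned(old, new):
    """Packages known before the rebuild and missing after it; their
    /data/data directories have no owner package any more."""
    return sorted(set(old) - set(new))


def chown_commands(changes, data_entries):
    """Build the chown lines from the first post, one per data entry."""
    commands = []
    for name, _old_uid, new_uid in changes:
        if not SAFE_NAME.fullmatch(name):
            continue  # refuse to build a command from an odd package name
        for entry in sorted(data_entries.get(name, [])):
            if entry == "lib" or not SAFE_NAME.fullmatch(entry):
                continue  # the first post says not to chown lib
            commands.append(
                f"busybox chown -R {new_uid}: /data/data/{name}/{entry}")
    return commands


if __name__ == "__main__":
    old, new = private_uids(OLD_XML), private_uids(NEW_XML)
    for name, before, after in uid_changes(old, new):
        print(f"{name}: {before} -> {after}")
    for name in orphaned(old, new):
        print(f"orphaned data directory: /data/data/{name}")
    print("\n".join(chown_commands(uid_changes(old, new), DATA_ENTRIES)))
```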

Related

Need help for extract File from rom (first XIP block?)

Hi,
I would like to extract 2 dll from GERMAN Rom.
I am interested in msimda.dll and msimde.192.dll and I am interested to learn how to work with universal rom.
But it drives me crazy...
I have read this forum all day but I can't go on.
This is my last experiment
nkge.nba is qtek german rom (decoded)
mkdir files1 files2
dump nkge.nba -o 00000400 -e 001d2100 xip1.nb <-Offset From Universal Wiki
dump nkge.nba -o 00310000 -e 002d0000 xip2.nb <-Offset From Universal Wiki
dumprom -5 -d files1 xip1.nb <-Give me an error (after 27Files) :
error decompressing 90702000L0001f68d
fwrite: Invalid argument
error writing uncompressed data
dumprom -5 -d files2 xip2.nb <-OK
I have 59 files but there are no msimge.dll and msimge.192.dll; probably they are in the first xip block that gives me an error.
Can you help me please?
What am I doing wrong?
byte.
Please, could somebody help me?
Just a little information or a link to read and study. I have searched all over the forum... but I am still blocked.
Hi,
try to read this and then search on the forum for imgfs tools.
I've extracted files successfully with those tools but not directly from the device instead from a nbf file.
Hope this will be useful.
Sergio.
tripledes said:
> Hi,
> try to read this and then search on the forum for imgfs tools.
> I've extracted files successfully with those tools but not directly from the device instead from a nbf file.
> Hope this will be useful.
> Sergio.
Yes... thank you very much for your reply.
I have just read these posts but I can't go on.
I have nk.nba that is my Rom image decoded with HTC64 "Extended ROM Tool.exe" .
So I am trying with dumprom.exe and with viewimgfs.exe with the procedure described by mamaich in http://forum.xda-developers.com/showthread.php?t=249836
I can't extract file.
ViewImgFs (after a lot of " Unknown header type, FS_DATA_TABLE??") stops with message:
"C:\Documents and Settings\stefano\Desktop\HTC\imgfstools>Error! ProcessFixups: cannot map dump\dhcp.dll\s15627"
And i have a "dump" directory with this structure
dhcp.dll <DIR>
eapchap.dll <DIR>
iexplore.exe <DIR>
jscript.dll <DIR>
urlmon.dll <DIR>
ws2instl.dll <DIR>
Only file with same name of directory listed before.
Can you help me with step by step indication please?
1) To extract from rom upgrade (nk.nbf):
Code:
alpinenbfdecode.pl -r nk.nbf nk.nb
mkdir files ; rdmsflsh.pl -d files nk.nb
2) To extract from device, follow instructions here, but replace "FLASHDR" for "TrueFFS" in Universal (instructions are for Hermes).
Then you get "File02.raw" which contains dumped imgfs, files can be extracted either with mamaich viewimgfs.exe or itsme rdmsflsh.pl.
3) If none of the above works, try to dump the files from the device using mamaich TestWM5.exe or Buzz's grab_it!.
Good luck
pof said:
> 1) To extract from rom upgrade (nk.nbf):
> Code:
> alpinenbfdecode.pl -r nk.nbf nk.nb
> mkdir files ; rdmsflsh.pl -d files nk.nb
> 2) To extract from device, follow instructions here, but replace "FLASHDR" for "TrueFFS" in Universal (instructions are for Hermes).
> Then you get "File02.raw" which contains dumped imgfs, files can be extracted either with mamaich viewimgfs.exe or itsme rdmsflsh.pl.
> 3) If none of the above works, try to dump the files from the device using mamaich TestWM5.exe or Buzz's grab_it!.
> Good luck
Thank you... just another info... please.
I would like to extract file from a complete German rom.
I am trying with nk.nbf extracted from UNI_QTEK_13096_185_10900_GER_Ship.exe .
Why did you suggest to me to use "alpinenbfdecode"? I have a Universal.
I decode my nbf files with
http://buzzdev.net/index.php?option=com_content&task=view&id=65&Itemid=1
is this wrong?
Sorry for my questions but I don't have Perl on my PC and I would like to know if it is really necessary to install it.
So just for learning... can you tell me why the operations that I am doing are wrong?
Thank you very much!
Bye
slevin said:
> Why did you suggest to me to use "alpinenbfdecode"? I have a Universal.
alpine, magican, universal... they use the same NBF format version, so the script is also valid to decode universal NBF files.
slevin said:
> I decode my nbf files with
> http://buzzdev.net/index.php?option=com_content&task=view&id=65&Itemid=1
> is this wrong?
This produces a decoded file (.nb), the same as if you ran "alpinenbfdecode.pl" with the -d parameter (decode), but I suggested you use it with -r, which outputs a RAW file, because rdmsflsh.pl expects a raw file and not a decoded file.
AFAIK the decoded file contains a header while the raw file doesn't. In the German Qtek ROM you mentioned, the header looks like this:
Code:
00000010  51 54 45 4b 5f 31 30 32  20 20 20 20 20 20 20 20  |QTEK_102        |
00000020  47 45 52 20 20 20 20 20  31 2e 33 30 2e 39 36 20  |GER     1.30.96 |
00000030  20 20 20 20 20 20 20 20  55 6e 69 76 65 72 73 61  |        Universa|
00000040  6c 20 20 20 20 20 20 20  30 20 20 20 20 20 20 20  |l       0       |
00000050  37 30 30 30 30 30 30 30  31 30 30 30 30 30 20 20  |70000000100000  |
00000060  30 20 20 20 20 20 20 20  31 36 31 31 31 31 31 30  |0       16111110|
00000070  30 30 30 30 30 30 20 20  61 39 62 33 61 64 39 35  |000000  a9b3ad95|
Probably someone more experienced with the formats can tell you the exact differences; otherwise, if you know a bit of programming, you can look at the program's source and try to figure it out yourself.
slevin said:
Sorry for my questions, but I do not have Perl on my PC and I would like to know if it is really necessary to install it.
Try the other methods which do not involve using Perl. If you don't succeed in doing what you want, then install Perl; it takes just 5 minutes and you'll benefit from many .pl applications from itsme... the process to install it and all the needed modules is explained on the wiki page I pointed you to before.
slevin said:
So, just for learning... can you tell me what is wrong with the operations that I am doing?
Sorry, I don't know for sure. Probably you are using an encoded file and the program you use to extract the files from it expects a raw file. I guess you can use prepare_imgfs.exe to fix this, but I'm not sure... you had better experiment with the tools until you accomplish your goal.
ThankYou
Sorry for my delay, and thank you very much for your help.
It works fine!
Now I am going to try to replace the two dll files and then I would like to build a custom cab to put in the extended ROM.
Thankyou.

[App] RGUber v1.21a, RGUOrder v1.4

Purpose:
The purpose of this VBScript is to process and organize data in RGU/REG files to remove duplicates, identify faulty entries, and move entries to ascending alphabetical order (the same way it is displayed in a registry editor).
Requirements:
Windows Scripting Host (included in most versions of windows)
rgucomp.exe and cereg400.dll located somewhere in your path (same folder as the script probably won't work if the script is run from another folder)
.reg and .rgu files are expected to be UTF-16LE with BOM
Usage:
Drag a .rgu, .reg, or .hv onto RGUber.vbs OR run "wscript.exe RGUber.vbs example.rgu"
Details:
When an rgu|reg file is specified, RGUber will:
1) create backup of input file
2) rename input file to boot.rgu
3) use rgucomp to convert it to *.hv
4) use rgucomp to convert new .hv to original rgu path\name
5) Reorder all keys in ascending alphabetical order and all values for each key in ascending alphabetical order with default value first
When an hv file is specified, RGUber will:
1) use rgucomp to convert it to *.rgu
2) Reorder all keys in ascending alphabetical order and all values for each key in ascending alphabetical order with default value first
Options
Open RGUber.vbs in your favorite text editor. All options are set at the beginning with (hopefully) meaningful descriptions.
Code:
'//Path to rgucomp (leave this as default if rgucomp.exe is located in your system path)
Const RGUCOMP = "rgucomp.exe"
'//Path to notepad, only needed if %OPENAFTER% is true
Const NOTEPAD = "notepad.exe"
'//The following options can be set to True/False or 0/1
'//Organize registry entries in ascending alphabetical order
Const REORDER = True
'//Open in %NOTEPAD% after conversion is done
Const OPENAFTER = False
'//Save any errors from rgu -> hv conversion
Const LOGERRORS = True
'//Save a backup copy of %INPUTRGU% as "%INPUTRGU%_Backup.rgu"
Const BACKUPRGU = True
Other info
If target file already exists, RGUber will ask if you want to overwrite.
Text files (the MS way) typically contain CRLF for next line. Output from rgucomp.exe contains many CRCRLF. RGUber removes the extra CR.
I have very few comments in the code. If requested, I will upload another copy with as many detailed comments as I can manage.
I tried to code this as efficiently as VBScript can possibly be. I kept getting errors when trying to run 'rgucomp.exe -b -nologo' so instead of running it directly, RGUber creates a bat file, executes it, then deletes it.
On my AMD Phenom 9600 with Vista64 and 3 SATA in Raid5, RGUber completes rgu->hv->rgu of 2084 lines in <3s
RGUber always saves output from rgu->hv conversion but deletes the file if there were no errors.
RGUber crashes on files with no reg entries (e.g. empty app.reg in an EXT package that does not add any registry entries)
Changelog:
v1.21a
Values are now sorted in alphabetical order for each key
v1.2
Replaced Organize function with one from RGUOrder
Lost ability to reorder values for each key (To be readded in next version)
v1.1
Fixed a bug with removing hashdata from output (RGUber would mix data from two keys under one)
Changed sorting algorithm with a much faster one
v1.02
Added option to remove RegistryUpdate key from rgucomp output
Fixed a typo where RGUber was not removing the system attribute from input rgu files
v1.01
Fixed typo where RGUber was waiting for backup file instead of log file
Change 'Done' msgbox to one that shows beginning time and ending time
v1.0
Initial Release
RGUOrder v1.4
This script will only reorder the contents of an rgu without processing with RGUComp, thereby keeping comments and delete key entries. RGUComp/cereg400.dll are not needed to use this app.
Changelog:
v1.4
Fixed a bug where if the original rgu did not end with a new line then the last entry after being sorted would be lost.
Fixed two bugs where only the first 25 tabs and first 25 spaces would be removed before sorting (This did not affect data integrity or performance, but the checksum would be different each time you run the output back through RGUOrder until all the original tabs/spaces were removed)
Added code to prevent multiple entries of the same key from being reordered
Fixed other miscellaneous bugs/oddities introduced with v1.3
v1.3
Added code to add a delete key for each subkey of a deleted key so that when reordered, the key deletion isn't broken
v1.2
Fixed a bug where the last key processed was being concatenated to another with no CRLF producing an invalid rgu file
I'm not sure if this relates to your app but I have a small question:
If I dumped a ROM (raw, not kitchen type) and removed several apps/programs but did not clean the registry (very tedious), will this help me clean it up (remove dead paths, etc)?
And if so, how will it know just by dragging the .hv file? I mean how will your app know if a registry entry does not have the app/program included in the rom anymore?
Please forgive me if my question does not relate to your app
There is no way for my app to know, it isn't that smart
It would take an extensive app/database to know which keys are related to which apps.
Thanks for this post
updated to v1.1
v1.02 had a bug in the code which removed hash data from output which made it mix data from the key before it with the key after it
If I ever get around to updating again, I will use hvedit instead of rgucomp
I get an error.
Script: D:\RGUber.vbs
Line: 136
Char: 2
Error: File not found
Code: 800A0035
Source: Microsoft VBScript runtime error
Any reason why?
I attach the file i want to sort alphabetically.
I have no idea
It worked for me with no problem (file attached)
Please tell me the location of RGUber.vbs and of 51329f91-0017-4364-bcff-e032c5d45b01.rgu
Great application bro!!
Only limitation is that I have to put reg400.dll and rgucomp in C:\windows
c_shekhar said:
Great application bro!!
Only limitation is that I have to put reg400.dll and rgucomp in C:\windows
yeah, I tried to get around that but I didn't find anything feasible with vbscript :-/
Actually, they don't have to go in C:\windows
I reinstall windows regularly so I keep as many apps portable as I can. I have a bin folder on another partition that I add to the system path variable after a new install for stuff like this.
selyb said:
yeah, I tried to get around that but I didn't find anything feasible with vbscript :-/
Actually, they don't have to go in C:\windows
I reinstall windows regularly so I keep as many apps portable as I can. I have a bin folder on another partition that I add to the system path variable after a new install for stuff like this.
Can you elaborate on this a bit more? Because I too would like a similar arrangement...
My C:\ partition has Vista64
My F:\ partition has all my documents, downloads, music, movies, etc and a folder F:\bin\
F:\bin contains >100 downloaded command line programs and vbs scripts that I have written including
RGUber.vbs
lame.exe
rgucomp.exe
cereg400.dll
FixVTS.exe
faad.exe
nuerecmod.exe
Tag.exe
find Advanced System Properties (I can't remember how, it's different for XP/Vista/7) go to the Advanced tab and hit the Environment Variables button
Under system variables, scroll down to 'Path', double click it. This defines your 'system path'. It contains a list of folders separated by semicolon ";". At the end, add a semicolon and the path to the folder you want to add (e.g. ;F:\bin) after that, hit ok. XP may need to reboot to reflect the change but I'm not sure. Vista and 7 are affected immediately.
With this setup, you can open a command prompt in any folder on your computer and type "RGUber.vbs xyz.rgu" and it would work as if all the files are in that folder.
Thanks a lot bro!!!
I am grateful...
I'd really like to use this, but unfortunately I get this error regardless of the app.reg I drag onto the script:
Script: C:\RGUber\RGUber.vbs
Line: 232
Char: 3
Error: The system cannot find the path specified.
Code: 80070003
Source: (null)
Thanks if you can advise.
Quetzecotyl said:
I'd really like to use this, but unfortunately I get this error regardless of the app.reg I drag onto the script:
Script: C:\RGUber\RGUber.vbs
Line: 232
Char: 3
Error: The system cannot find the path specified.
Code: 80070003
Source: (null)
Thanks if you can advise.
Hmmm... this line asks the system for what is in the %temp% variable and attempts to change the working directory to the result.
Open RGUber.vbs in notepad and go to line 232
Modify
Code:
WSH.CurrentDirectory = WSH.Environment("SYSTEM")("temp")
to
Code:
WSH.CurrentDirectory = "C:\RGUber\"
then try again
Works great after your fix, selyb. Thank you for this useful app and your many helpful contributions to the Kaiser forums.
Quetzecotyl said:
Works great after your fix, selyb. Thank you for this useful app and your many helpful contributions to the Kaiser forums.
Yeah, I may relocate from Kaiser forums to Rhodium. I have an AT&T Tilt 2 in the mail to me ATM
Grats on getting a Rhodium. Found a question after using it for a while. This is just one example of such behavior, but why does:
Code:
[HKEY_CURRENT_USER\Software\HTC\TaskManager\ExclusiveList\System]
"CMBandSwitching.exe"=dword:0
get turned into:
Code:
"CMBandSwitching.exe"=dword:0
How do I make it regard CURRENT_USER keys?
Quetzecotyl said:
Grats on getting a Rhodium. Found a question after using it for a while. This is just one example of such behavior, but why does:
Code:
[HKEY_CURRENT_USER\Software\HTC\TaskManager\ExclusiveList\System]
"CMBandSwitching.exe"=dword:0
get turned into:
Code:
"CMBandSwitching.exe"=dword:0
How do I make it regard CURRENT_USER keys?
I had this problem with an earlier version. If you are using v1.1 then please attach the original rgu/reg. I have tried and I can't seem to reproduce it since I fixed it already.
Please, replace rgucomp with hvedit. I really need your help because rgucomp doesn't work for me. Thanks in advance.
tomcug said:
Please, replace rgucomp with hvedit. I really need your help because rgucomp doesn't work for me. Thanks in advance.
why doesn't rgucomp work? I would be surprised to learn that hvedit will work when rgucomp won't.

[JB stock] how to disable permanently noise reduction?

Hi, I've an S2 with JB stock and I'm trying to permanently disable noise reduction, according to the solution
proposed by tarobun (so, I have to edit phone.odex in my /system/app directory and modify 32 84 2F 00 12 13 into 32 84 2F 00 12 03)
But in the /system/app directory I don't find this file! I only have these files with similar names:
Phone_Util_U1_EUR_OPEN.apk
Phone_Util_U1_EUR_OPEN.odex
PhoneErrService.apk
PhoneErrService.odex
Phonesky.apk
And none of them contains the string mentioned above.
Am I doing something wrong? Please help me!
Ministry76 said:
Hi, I've an S2 with JB stock and I'm trying to permanently disable noise reduction, according to the solution
proposed by tarobun (so, I have to edit phone.odex in my /system/app directory and modify 32 84 2F 00 12 13 into 32 84 2F 00 12 03)
But in the /system/app directory I don't find this file! I only have these files with similar names:
Phone_Util_U1_EUR_OPEN.apk
Phone_Util_U1_EUR_OPEN.odex
PhoneErrService.apk
PhoneErrService.odex
Phonesky.apk
And none of them contains the string mentioned above.
Am I doing something wrong? Please help me!
Have you tried SecPhone.apk?
Have you checked the Preload folder?
Mate, they are not the file you mentioned... it's called secphone.apk in the preload folder, and this is an old trick btw that all up-to-date Sammy custom ROMs have

Mac Address Getting Reset on Reboot

I wiped /data/misc/ to get out of a recovery bootloop. Turns out that doing so breaks the wifi mac address in CM. I'm able to temporarily set my address in /data/misc/wifi/config:
Code:
echo "cur_etheraddr=XX:XX:XX:XX:XX:XX" > /data/misc/wifi/config
The problem is that when I reboot, that file goes back to 00:00:00:00:00:00.
Digging around CM kernel source showed me what files are important.
Code:
CONFIG_BCMDHD_FW_PATH="/system/etc/firmware/fw_bcmdhd.bin"
CONFIG_BCMDHD_NVRAM_PATH="/system/etc/wifi/bcmdhd.cal"
CONFIG_BCMDHD_CONFIG_PATH="/data/misc/wifi/config"
/system/etc/wifi/bcmdhd.cal is showing a good mac address.
I KDZ'ed back to stock and everything worked great there. As soon as I flashed CM14.1 again it didn't work. It isn't a problem with the build, since it was working until I wiped /data/misc/.
Does anyone know how to fix this? I'm curious what config says on a working device, so could someone tell me what it says for them? I want to know 1) if /data/misc/wifi/config exists and 2) if it shows a real mac address or a bunch of zeros. I can't get CM file manager to open the file, so here's how to do it in adb:
Code:
adb shell "su 0 cat '/data/misc/wifi/config'"
What files are in /data/misc/wifi?
I'm not really looking for a workaround, since I could add that first script to a startup script or something. I want a permanent fix that won't go away next time I flash a rom.
Sorry for the long post. Any help would be appreciated. I've spent hours on this already.
Hi!
I also use your workaround now and I automated it, so thanks for ending my pain for the moment, but I would also like to see a permanent fix for this. I tried every available stock ROM and all available methods to apply it to bring back what CM seems to be depending on for setting the mac - but no success. To me this looks like a bug - not a very common one, but still a bug because the stock ROMs do not have any problem at all, only CM does.
br, Martin
theprogramguy said:
Does anyone know how to fix this? I'm curious what config says on a working device, so could someone tell me what it says for them? I want to know 1) if /data/misc/wifi/config exists and 2) if it shows a real mac address or a bunch of zeros.
I am on RR ROM which is CM based
What I can say is yes this file exists and yes it contains my real MAC address
theprogramguy said:
What files are in /data/misc/wifi?
[email protected]:/ # ls -la /data/misc/wifi
total 152
drwxrwx--- 4 wifi wifi 4096 2016-12-14 08:12 .
drwxrwx--t 32 system misc 4096 2016-12-04 19:44 ..
-rw-r--r-- 1 system wifi 32 2015-01-02 02:58 config
-rw-rw---- 1 system wifi 21 2015-01-22 07:44 entropy.bin
-rw-rw---- 1 system wifi 252 2016-11-17 15:05 hostapd.conf
-rw------- 1 system system 868 2016-11-14 08:33 ipconfig.txt
-rw------- 1 system system 29695 2016-12-13 11:04 networkHistory.txt
-rw-rw---- 1 wifi wifi 219 2015-01-22 07:44 p2p_supplicant.conf
drwxrwx--- 2 wifi wifi 4096 2015-01-22 07:44 sockets
-rw------- 1 system system 41 2016-11-17 14:54 softap.conf
drwxrwx--- 2 wifi wifi 4096 2015-01-02 02:58 wpa_supplicant
-rw-rw---- 1 wifi wifi 1647 2016-12-14 08:12 wpa_supplicant.conf
[email protected]:/ #
My first thought was that the mac address is generated from the misc partition but as far as I can see it seems to be not. At least I can't find a string matching my current mac.
Interesting is that I searched the misc partition (I love Linux and the tool strings) and found my IMEI written in there..
Well as you wrote you haven't the problem on stock:
Did you clean out the WiFi config file before testing stock? Afaik it should be cleaned out automatically though, but just to be sure.. What happens when you delete that file on stock and reboot? Will it get regenerated?
You identified that the ROM sources are the reason, good. But I don't think you should look at the kernel sources only. Check the CM sources as well, I believe you will get better findings there.
steadfasterX said:
[email protected]:/ # ls -la /data/misc/wifi
total 152
drwxrwx--- 4 wifi wifi 4096 2016-12-14 08:12 .
drwxrwx--t 32 system misc 4096 2016-12-04 19:44 ..
-rw-r--r-- 1 system wifi 32 2015-01-02 02:58 config
-rw-rw---- 1 system wifi 21 2015-01-22 07:44 entropy.bin
-rw-rw---- 1 system wifi 252 2016-11-17 15:05 hostapd.conf
-rw------- 1 system system 868 2016-11-14 08:33 ipconfig.txt
-rw------- 1 system system 29695 2016-12-13 11:04 networkHistory.txt
-rw-rw---- 1 wifi wifi 219 2015-01-22 07:44 p2p_supplicant.conf
drwxrwx--- 2 wifi wifi 4096 2015-01-22 07:44 sockets
-rw------- 1 system system 41 2016-11-17 14:54 softap.conf
drwxrwx--- 2 wifi wifi 4096 2015-01-02 02:58 wpa_supplicant
-rw-rw---- 1 wifi wifi 1647 2016-12-14 08:12 wpa_supplicant.conf
[email protected]:/ #
Here's mine. It seems practically the same just missing hostapd.conf. I think I've seen it here before though.
h811:/ # ls -la /data/misc/wifi
total 44
drwxrwx--- 4 wifi wifi 4096 2016-12-14 17:07 .
drwxrwx--t 39 system misc 4096 2014-12-31 19:21 ..
-rw-r--r-- 1 system wifi 32 2016-12-12 18:32 config
-rw-rw---- 1 system wifi 21 2016-12-13 03:15 entropy.bin
-rw------- 1 system system 166 2016-12-13 03:25 ipconfig.txt
-rw------- 1 system system 3814 2016-12-14 17:07 networkHistory.txt
-rw-rw---- 1 wifi wifi 237 2014-12-31 19:26 p2p_supplicant.conf
drwxrwx--- 2 wifi wifi 4096 2016-12-13 03:15 sockets
-rw------- 1 system system 49 2014-12-31 19:25 softap.conf
drwxrwx--- 2 wifi wifi 4096 2014-12-31 19:21 wpa_supplicant
-rw-rw---- 1 wifi wifi 949 2016-12-14 17:07 wpa_supplicant.conf
steadfasterX said:
My first thought was that the mac address is generated from the misc partition but as far as I can see it seems to be not. At least I can't find a string matching my current mac.
Maybe it matches the mac in /system/etc/wifi/bcmdhd.cal (macaddr=)? I found that I had a slightly different one there.
steadfasterX said:
You identified that the ROM sources are the reason, good. But I don't think you should look at the kernel sources only. Check the CM sources as well, I believe you will get better findings there.
https://github.com/CyanogenMod/android_device_lge_g4-common/blob/cm-14.1/hwaddrs/getmac.c
I found this earlier and it shows CM mounting misc and doing something with /data/misc/wifi/config. I thought it was reading config, but it looks like it's actually writing it there after reading it from somewhere else in misc. That would explain why it gets reset. Do you understand where it's reading from? I'm having a hard time reading C.
Specifically this part:
Code:
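int fd1, fd2;
char macbyte;
char macbuf[3];
int i;
/* Source: the raw misc partition, opened read-only */
fd1 = open("/dev/block/bootdevice/by-name/misc",O_RDONLY);
/* Destination: the wifi config file, truncated and rewritten on every run */
fd2 = open("/data/misc/wifi/config",O_WRONLY|O_CREAT|O_TRUNC,S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
write(fd2,"cur_etheraddr=",14);
for (i = 0; i<6; i++) {
    /* Read one MAC byte from offset 0x3000+i of misc */
    lseek(fd1,0x3000+i,SEEK_SET);
    lseek(fd2,0,SEEK_END);
    read(fd1,&macbyte,1);
    /* Append it to the config file as two hex digits, colon-separated */
    sprintf(macbuf,"%02x",macbyte);
    write(fd2,&macbuf,2);
    if (i!=5) write(fd2,":",1);
}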
It looks like our bluetooth mac is getting set in the same way later on.
I'm thinking about setting up a CM build environment again and playing with my own builds to try to see what's up.
steadfasterX said:
Interesting is that I searched the misc partition (I love Linux and the tool strings) and found my IMEI written in there..
Nice. I just looked at what CM is reporting my IMEI as, to see if it got reset, but it looks good. I know that cell data is still working, so I'd expect my IMEI to be right.
steadfasterX said:
Well as you wrote you haven't the problem on stock:
Did you clean out the WiFi config file before testing stock? Afaik it should be cleaned out automatically though, but just to be sure.. What happens when you delete that file on stock and reboot? Will it get regenerated?
I didn't try that. I was in a hurry to get back to CM so I could set it up for daily use. I'll try doing stuff like that soon if we don't have anything else to go on. It's getting too late to do it here tonight.
Yesterday I tried to extract misc.img from the kdz but none of the tools I found were able to successfully do it. Something was corrupt. My plan was to look at it or flash it in fastboot and see if anything changes.
GOT IT!
It's actually pretty simple, but I've never done anything quite like this before.
Overview:
Make an img of misc
Edit it in a hex editor
Overwrite misc with the img
Reboot
You could do this entirely on your phone, but I'll walk you through doing it using adb on your computer.
1. Make an img of misc and pull it to your computer.
Code:
adb shell "su -c 'dd if=/dev/block/bootdevice/by-name/misc of=/sdcard/misc.img'"
adb pull /sdcard/misc.img
2. Edit misc.img in a hex editor (I used HexEdit on Windows)
Find the hex offset 3000. Now edit 3000-3005 with your wifi mac address. For example "00 90 3D F1 A2 31".
The bluetooth mac address appears to be stored at 4000, so you could set it there if you wanted/needed to.
3. Write the img
Code:
adb push misc.img /sdcard/misc_edited.img
adb shell "su -c 'dd if=/sdcard/misc_edited.img of=/dev/block/bootdevice/by-name/misc'"
4. Reboot
Code:
adb reboot
If it all works, it's okay to delete the img files we left in /sdcard
Code:
adb shell "rm /sdcard/misc*.img"
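Step 2 of the walkthrough above can be done with a script instead of a hex editor, which makes it possible to validate the address and confirm that nothing outside the six-byte field changed before the image is written back. This is an added example, not part of the original post or of CyanogenMod; the function names are hypothetical, the offsets 0x3000 and 0x4000 are the ones given in the thread, and the demo image is constructed.

```python
import re
import sys

WIFI_MAC_OFFSET = 0x3000  # offset the quoted getmac.c excerpt reads the Wi-Fi MAC from
BT_MAC_OFFSET = 0x4000    # offset the post reports for the Bluetooth MAC
MAC_LEN = 6
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:\- ]){5}[0-9A-Fa-f]{2}")


def parse_mac(text):
    """Turn '00:90:3D:F1:A2:31' (colon, dash or space separated) into 6 bytes."""
    text = text.strip()
    if not MAC_RE.fullmatch(text):
        raise ValueError("not a MAC address: %r" % text)
    mac = bytes.fromhex(re.sub(r"[:\- ]", "", text))
    if mac == bytes(MAC_LEN):
        raise ValueError("all-zero MAC is the broken state, refusing to write it")
    if mac[0] & 0x01:
        raise ValueError("multicast bit set; a device address must be unicast")
    return mac


def read_mac(image, offset=WIFI_MAC_OFFSET):
    """Return the 6 bytes stored at `offset`, checking the image is large enough."""
    if len(image) < offset + MAC_LEN:
        raise ValueError("image too small (%d bytes) for offset 0x%x" % (len(image), offset))
    return image[offset:offset + MAC_LEN]


def config_line(image, offset=WIFI_MAC_OFFSET):
    """The text the getmac.c excerpt would write to /data/misc/wifi/config."""
    return "cur_etheraddr=" + ":".join("%02x" % b for b in read_mac(image, offset))


def patch_mac(image, mac_text, offset=WIFI_MAC_OFFSET):
    """Return a copy of `image` with the MAC at `offset` replaced."""
    mac = parse_mac(mac_text)
    read_mac(image, offset)  # bounds check before building the copy
    patched = image[:offset] + mac + image[offset + MAC_LEN:]
    # Self-check: same size, and every changed byte lies inside the MAC field.
    changed = [i for i, (a, b) in enumerate(zip(image, patched)) if a != b]
    if len(patched) != len(image) or any(not offset <= i < offset + MAC_LEN for i in changed):
        raise RuntimeError("patch touched bytes outside the MAC field")
    return patched


def patch_file(src_path, dst_path, mac_text, offset=WIFI_MAC_OFFSET):
    """Patch src_path into a new file dst_path; returns (before, after) config lines."""
    with open(src_path, "rb") as f:
        image = f.read()
    patched = patch_mac(image, mac_text, offset)
    with open(dst_path, "xb") as f:  # "x": never overwrite an existing file or the backup
        f.write(patched)
    return config_line(image, offset), config_line(patched, offset)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: script.py misc.img misc_edited.img 00:90:3D:F1:A2:31
        before, after = patch_file(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        demo = bytes(0x5000)  # constructed stand-in for a wiped misc image
        before = config_line(demo)
        after = config_line(patch_mac(demo, "00:90:3D:F1:A2:31"))
    print("before:", before)
    print("after: ", after)
```

The unmodified misc.img stays on disk as the backup; only the new file is pushed back in step 3.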
Makes total sense! Just for your information, the file in
/system/etc/wifi/bcmdhd.cal
contains a mac address, but it is not the same as in the Wi-Fi config file.
Thanks for sharing this walkthrough, it will help others having the same issue.
Thank you!!
You are a MF genius!!! I have the same problem but with an LG G3 Beat, and I wanted to know if this works the same with my device. Thank you bro!

Galaxy Watch Active2 SM-R820: Can't do OTAs after changing CSC

Hey guys, as the title says I successfully changed my GWA2 CSC from DBT to XAR, but ran into some problems. The watch boots up normally and I can use it, install apps from the Galaxy Store, etc. but I am stuck on version R820XXU1ASHF/Tizen 4.0.0.6. My phone shows a 30.68MB update to BTG1, and it can download it and start installing it but when it gets to 97%, the watch resets and boots up the old (ASHF) firmware. Moreover, Samsung Pay says that it can't start since I've "modified my watch," but I think this can be due to the very old firmware.
I've already tried changing to another CSC (both to AUT and the original EUR) and reflashing the ASHF firmware but to no avail. I originally came from R820XXU1BTA1 but I can't find that anywhere.
What can I do to fix this? I've also found the firmware files on some paid sites, and I'd pay since it's nothing significant, but I'm really not sure if those are real. Has anyone here bought firmware from them? Can anyone set me up with anything even one version newer than what I have? I've been searching for hours but I seem to have hit a dead end.
I bought a firmware on Fullstockfirmware and it works fine. I can host R820XXU1BTF3.zip if you need, but I'm a new member, can't post a link.
---------- Post added at 05:20 PM ---------- Previous post was at 05:17 PM ----------
https://drive.google.com/file/d/1LmJ9uJl644ePVnwabkGt_swDY961B_Ds/view?usp=drivesdk
Here is a link for the firmware
Noname761 said:
I bought a firmware on Fullstockfirmware and it works fine. I can host R820XXU1BTF3.zip if you need, but I'm a new member, can't post a link.
---------- Post added at 05:20 PM ---------- Previous post was at 05:17 PM ----------
https://drive.google.com/file/d/1LmJ9uJl644ePVnwabkGt_swDY961B_Ds/view?usp=drivesdk
Here is a link for the firmware
Thank you so much! You're a godsend! I flashed this in a heartbeat.
The update to BTG1 and SPay still don't work, but BTF1 is a way better point to be stuck on.
Plus, I checked my Knox bit, and it is not set. Maybe I messed something up (file permissions, line terminators, etc.) in /csa...
With this firmware I have Samsung Pay, but I can't test it because my bank is not supported. And the ECG and blood pressure work with 23.tpk and shm caranava. Oh, and nothing for the firmware. It's normal to share on a sharing forum.
Noname761 said:
With this firmware I have Samsung Pay, but I can't test it because my bank is not supported. And the ECG and blood pressure work with 23.tpk and shm caranava. Oh, and nothing for the firmware. It's normal to share on a sharing forum.
Could you by any chance give me the output of the following command? You don't need the combination firmware or root to run it.
Code:
sdb shell "ls -l /csa/csc/csc-active-customer.inf /csa/imei/prodcode.dat && hexdump -C /csa/csc/csc-active-customer.inf && hexdump -C /csa/imei/prodcode.dat"
My output looks like this:
Code:
-rwxrwxr-x 1 root system_share 3 Aug 12 10:27 /csa/csc/csc-active-customer.inf
-rw-rw-r-- 1 root system_share 14 Aug 11 15:23 /csa/imei/prodcode.dat
00000000 58 41 52 |XAR|
00000003
00000000 53 4d 2d 52 38 32 30 4e 5a 4b 41 58 41 52 |SM-R820NZKAXAR|
0000000e
here is mine
Code:
-rwxrwxr-x 1 root system_share 3 Aug 8 19:26 /csa/csc/csc-active-customer.inf
-rw-rw-r-- 1 root system_share 14 Aug 7 07:53 /csa/imei/prodcode.dat
00000000 58 45 46 |XEF|
00000003
00000000 53 4d 2d 52 38 32 30 4e 5a 53 41 58 45 46 |SM-R820NZSAXEF|
0000000e
Noname761 said:
here is mine
Code:
-rwxrwxr-x 1 root system_share 3 Aug 8 19:26 /csa/csc/csc-active-customer.inf
-rw-rw-r-- 1 root system_share 14 Aug 7 07:53 /csa/imei/prodcode.dat
00000000 58 45 46 |XEF|
00000003
00000000 53 4d 2d 52 38 32 30 4e 5a 53 41 58 45 46 |SM-R820NZSAXEF|
0000000e
Thanks for all your help, alas I can't find what's wrong with my watch...
Before updating, I used the combination firmware to change my CSC and then I flashed a stock firmware. I made the updates with Wearable and I finally flashed version 4.0.0.8.
IMHO this is Rollback Prevention crap.. of Bootloader sboot.bin...
If Firmware is lower... Alphabet knowledge and count from 0 - 10 is enough skills...
Additional Infos can be taken from here:
http://fota-cloud-dn.ospserver.net/firmware/XAR/SM-R820/version.xml
I see ASHF... and you confirmed it found FOTA delta package... :good: :good:
Now check Bootloader Version...
Code:
sdb shell
Code:
cat /proc/cmdline
To bypass you need same or higher Firmware...
Post result of Command...
And I could try to help you...
IMHO BTF3 is not valid FOTA base in XAR chain...
BTD3 or something like this was before on XAR...
BTG1 not leaked yet... otherwise we would do this.
Best Regards
adfree said:
IMHO this is Rollback Prevention crap.. of Bootloader sboot.bin...
If Firmware is lower... Alphabet knowledge and count from 0 - 10 is enough skills...
Additional Infos can be taken from here:
http://fota-cloud-dn.ospserver.net/firmware/XAR/SM-R820/version.xml
I see ASHF... and you confirmed it found FOTA delta package... :good: :good:
Now check Bootloader Version...
Code:
sdb shell
Code:
cat /proc/cmdline
To bypass you need same or higher Firmware...
Post result of Command...
And I could try to help you...
IMHO BTF3 is not valid FOTA base in XAR chain...
BTD3 or something like this was before on XAR...
BTG1 not leaked yet... otherwise we would do this.
Best Regards
Code:
sh-3.2$ cat /proc/cmdline
console=ram loglevel=4 bootmode=ramdisk root=/dev/ram0 rw model=SM-R820 boot_ver=R820XXU1BTA1 hw_rev=05 sec_debug.enable=0 sec_debug.enable_user=0 tizenboot.sec_atd.tty=/dev/ttySAC0 tizenboot.emmc_checksum=0 tizenboot.dram_info=01,06,00,0.75G tizenboot.log=0x9b010000,0x200000,0x7f309,0x7ff90 tizenboot.boottime=1230ms tizenboot.sales_code=XAR warrantybit=0 sec_debug.bin=N lcdtype=0x402484 ess_setup=0x9b000000 [email protected] [email protected] DynSysLog=0 uart_sel=AP pmic_info=11 oops=panic [email protected] sec_debug.chipidfail_cnt=0 sec_debug.lpitimeout_cnt=0 sec_debug.cache_err_cnt=0 sec_debug.lpddr4_size=0.75 tizenboot.recovery_offset=1056512 tizenboot.carrierid_offset=1049156 tizenboot.carrierid= sec_debug.reset_reason=7 sec_debug.pwroffsrc=0x0 sec_debug.pwronsrc=0x8 sec_debug.rst_stat=0x20000000 tizenboot.verified_kern=1 tizenboot.fota_bl_status=none
I also found something interesting in /var/log/last_update.log which I will also attach to this post
Code:
UA/ERROR(SS_IMGVerfiyPartition) SS_IMGVerfiyPartition - SHA mismatch with SRC [/dev/mmcblk0p7] Expected [ffa4a910] Actual [ffa4a938]
UA/ERROR(SS_SetUpgradeState) FAILED to upgrade Cause:[0xd19]
I have pulled the delta.tar from the device and it seems that mmcblk0p7 is a ramdisk. I thought I'd replace the SHA value and pull the ole switcharoo but I can't find it anywhere
Code:
boot_ver=R820XXU1BTA1
This is the Knockout...
FOTA selfcheck detect that Bootloader not valid for ASHF Firmware...
Valid in case of FOTA crap...
BTA1 is inside FOTA chain of XAR CSC aka Sales Code:
http://fota-cloud-dn.ospserver.net/firmware/XAR/SM-R820/version.xml
Code:
R820XXU1BTA1/R820OXA1BTA1
Easiest way IMHO to flash whole BTA1 Firmware...
Best Regards
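The diagnosis in the posts above (a boot_ver newer than the flashed firmware, plus the SHA mismatch in last_update.log) can be checked mechanically. This is an added example, not part of the original thread; the function names are hypothetical, the build comparison follows the rule of thumb given in the thread (compare the last four characters in character order) and is an assumption, and the sample strings are trimmed copies of lines posted in this thread.

```python
import re

# Trimmed copies of the /proc/cmdline and last_update.log lines posted in the thread.
SAMPLE_CMDLINE = (
    "console=ram loglevel=4 bootmode=ramdisk root=/dev/ram0 rw model=SM-R820 "
    "boot_ver=R820XXU1BTA1 tizenboot.sales_code=XAR warrantybit=0 "
    "tizenboot.carrierid= tizenboot.verified_kern=1 tizenboot.fota_bl_status=none"
)
SAMPLE_LOG = (
    "UA/ERROR(SS_IMGVerfiyPartition) SS_IMGVerfiyPartition - SHA mismatch with SRC "
    "[/dev/mmcblk0p7] Expected [ffa4a910] Actual [ffa4a938]\n"
    "UA/ERROR(SS_SetUpgradeState) FAILED to upgrade Cause:[0xd19]\n"
)
# Second form, from a later post in the thread: a file path instead of a partition.
SAMPLE_LOG_PATH = (
    "UA/ERROR(SS_FSVerifyNode) SS_FSVerifyNode - SHA mismatch with SRC - PATH "
    "[system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal] "
    "Expected [fff7d41c] Actual [fff7d430]\n"
    "UA/ERROR(SS_SetUpgradeState) FAILED to upgrade Cause:[0xd15]\n"
)

MISMATCH_RE = re.compile(
    r"SHA mismatch with SRC(?: - PATH)? \[(?P<target>[^\]]+)\] "
    r"Expected \[(?P<expected>[0-9a-fA-F]+)\] Actual \[(?P<actual>[0-9a-fA-F]+)\]"
)
CAUSE_RE = re.compile(r"FAILED to upgrade Cause:\[(0x[0-9a-fA-F]+)\]")
TAG_LEN = 4  # e.g. "ASHF", "BTA1": the part the thread says to compare


def parse_cmdline(text):
    """Split a kernel command line into a dict; bare flags such as 'rw' map to True."""
    params = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else True
    return params


def compare_builds(a, b):
    """Return -1, 0 or 1 for build a older than, equal to or newer than build b.

    Only builds sharing the same prefix (model, region, bootloader field) are
    comparable; anything else raises ValueError instead of guessing.
    """
    if len(a) <= TAG_LEN or len(b) <= TAG_LEN or a[:-TAG_LEN] != b[:-TAG_LEN]:
        raise ValueError("builds are not comparable: %r vs %r" % (a, b))
    tag_a, tag_b = a[-TAG_LEN:], b[-TAG_LEN:]
    return (tag_a > tag_b) - (tag_a < tag_b)


def parse_update_log(text):
    """Collect every SHA mismatch and failure cause code from an update log."""
    mismatches = [
        (m["target"], m["expected"], m["actual"]) for m in MISMATCH_RE.finditer(text)
    ]
    return {"mismatches": mismatches, "causes": CAUSE_RE.findall(text)}


def diagnose(cmdline, installed_firmware, log_text):
    """Combine bootloader version, installed firmware and update log into one report."""
    params = parse_cmdline(cmdline)
    boot_ver = params.get("boot_ver")
    if not isinstance(boot_ver, str) or not boot_ver:
        raise ValueError("boot_ver missing from command line")
    report = parse_update_log(log_text)
    report["boot_ver"] = boot_ver
    report["sales_code"] = params.get("tizenboot.sales_code")
    report["bootloader_newer_than_firmware"] = compare_builds(installed_firmware, boot_ver) < 0
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_CMDLINE, "R820XXU1ASHF", SAMPLE_LOG).items():
        print("%-32s %s" % (key, value))
```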
Thanks, I'll see if I can get my hands on that version...
@g511
Please check your Private Message... I sent you PM...
Best Regards
Hi guys.
Can anyone help me? I changed the CSC and Samsung Pay is now on the watch. There are two problems:
1- Samsung doesn't work because "the watch is modified"
2- The upgrade doesn't work. I download the update but it doesn't install
Searching for a solution.
Thanks
@stampatori
Please, it is more helpful if you give FULL details...
MINIMUM to know Model Name... Nobody here have Crystal Ball...
SM-R820?
Or LTE device like SM-R825F?
Or?
Best Regards
@adfree
Sorry.....?
My watch is a GWA2
SM-R820
Tizen 4.0.0.6
Firmware R820XXU1ASHF
@g511 search "techno proz change csc on watch active 2" on YOUTUBE and just follow. 100% works! I did it 3 days ago and everything is perfect!
Hello
I have the same problem with my NEW active 2 watch, I don't know why it is happening, because my watch is NEW. I found this log in /opt/var/log/last_update.log
Code:
UA/(deleteNode): There is only one node. The list can't be made empty UA/ERROR(SS_FSVerifyNode) SS_FSVerifyNode - SHA mismatch with SRC - PATH [system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal] Expected [fff7d41c] Actual [fff7d430]
UA/ERROR(SS_SetUpgradeState) FAILED to upgrade Cause:[0xd15]
UA/ERROR(SS_AppendNode) Bad Nodes, Failed to pass verification - [Delta Path - /opt/usr/data/fota/save/delta.tar][OldPath - system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal] [NewPath - system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal]
UA/(tar_free_cfg_table): Free TAR CFG TABLE
UA/ERROR(SS_FSVerifyPartition) FS Verification Failed PartIndex: [4]
UA/(SS_FSClearNodes): Free Nodes idx=4
UA/(update_all): CSC verify failUA/(save_cause): save_cause entered, 0xd15
UA/(print_error_cause): The update failed because data was corrupted during update of device.UA/(save_cause): save_cause leaved!
UA/(main): [update_all ret=64537]
UA/(main): Result=64537
UA/(save_result): save_result entered, result=0xfc19
UA/(save_result): save_result leaved!
this is my /proc/cmdline
Code:
console=ram loglevel=4 bootmode=ramdisk root=/dev/ram0 rw model=SM-R825FS boot_ver=R825FXXU1ASJ3 hw_rev=05 sec_debug.enable=0 sec_debug.enable_user=0 tizenboot.sec_atd.tty=/dev/ttySAC0 tizenboot.emmc_checksum=0 tizenboot.dram_info=01,06,00,1.50G tizenboot.log=0x9b010000,0x200000,0x0,0xaba tizenboot.boottime=2140ms tizenboot.sales_code=COM warrantybit=0 sec_debug.bin=N lcdtype=0x402484 ess_setup=0x9b000000 [email protected] [email protected] DynSysLog=0 uart_sel=AP pmic_info=11 oops=panic [email protected] sec_debug.chipidfail_cnt=0 sec_debug.lpitimeout_cnt=0 sec_debug.cache_err_cnt=0 sec_debug.lpddr4_size=1.50 tizenboot.recovery_offset=1056512 tizenboot.carrierid_offset=1049156 tizenboot.carrierid= sec_debug.reset_reason=9 sec_debug.pwroffsrc=0x10 sec_debug.pwronsrc=0x1 sec_debug.rst_stat=0x10000 tizenboot.cp_reserved_mem=off tizenboot.verified_kern=1 tizenboot.fota_bl_status=none
this is my csc-active-customer.inf
Code:
sh-3.2$ hexdump -C /csa/csc/csc-active-customer.inf
00000000 43 4f 4d |COM|
00000003
this is my prodcode.dat
Code:
sh-3.2$ hexdump -C /csa/imei/prodcode.dat
00000000 53 4d 2d 52 38 32 35 46 5a 4b 41 43 4f 4d |SM-R825FZKACOM|
0000000e
Do you know why I cannot update my watch?
Thanks !
@andrs1294
All I can see for now is some mismatch with CSC... but I do not fully understand...
COM
http://fota-cloud-dn.ospserver.net/firmware/COM/SM-R825F/version.xml
TCE
http://fota-cloud-dn.ospserver.net/firmware/TCE/SM-R825F/version.xml
Both CSC / Sales Code are in same package... region Code:
OWO...
Code:
R825FXXU1ATA1/R825F[B]OWO[/B]1ATA1/R825FXXU1ATA1
I have only OXA and OLB package with ATA1 Firmware for netOdin...
Need some more time for investigation...
Found only 1 OWO package...:
Code:
R825FXXU1[B]ASI5[/B]
Best Regards
adfree said:
@andrs1294
All I can see for now is some mismatch with CSC... but I do not fully understand...
Both CSC / Sales Code are in same package... region Code:
OWO...
Code:
R825FXXU1ATA1/R825F[B]OWO[/B]1ATA1/R825FXXU1ATA1
I have only OXA and OLB package with ATA1 Firmware for netOdin...
Need some more time for investigation...
Found only 1 OWO package...:
Code:
R825FXXU1[B]ASI5[/B]
Best Regards
Thanks @adfree for your response. Here you can find my investigation:
The error message is:
Code:
There is only one node. The list can't be made empty UA/ERROR(SS_FSVerifyNode) SS_FSVerifyNode - SHA mismatch with SRC - PATH [system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal] Expected [ff9feddc] Actual [ff9fedf0]
So I searched for the SS_FSVerifyNode code on the internet and found that it is part of libtota-1.2.2-25.1.src.rpm.
Code:
...
if (SS_LoadFile(path, &source_file) == 0) {
    if (memcmp(source_file.sha1, source_sha1, SHA_DIGEST_SIZE) != 0) {
        SS_Free(source_file.data);
        unsigned char actualShaBuffer[41] = { 0, };
        hex_digest(source_file.sha1, actualShaBuffer, SHA_DIGEST_SIZE);
        LOGE("SS_FSVerifyNode - SHA mismatch with SRC - PATH [%s] Expected [%s] Actual [%s]\n",
             path, sha1src, actualShaBuffer);
        SS_SetUpgradeState(E_SS_FSSRCCURRUPTED); // E_SS_FSSRCCURRUPTED (0xD15) /*Could NOT update FS as SRC seems to be corrupted */
        return E_SS_FAILURE;
    }
}
...
It calculates the SHA1 of the file system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal and then compares it with the SHA inside csc.img/CSC.txt in the delta.tar file. Part of the content of csc.img/CSC.txt is:
Code:
DIFF:REG:system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal:system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal:[B]a4b298726c564ea01c9f21815c864e253493c269[/B]:f185bc963d1e61e372da5f1cda21e69a0cebf3ca:diff4_.delta_opername.db-journal_CSC.delta
PaTcHCoUnT:4 0 0 0 0 0
So I think my delta_opername.db-journal was edited at some point, so the SHA digest doesn't match.
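
The source check described in the post above, as an added Python example (not part of the original post and not libtota code): it parses a DIFF record in the 7-field CSC.txt layout quoted there, recomputes the SHA-1 of the current file and compares it with the record's first digest, which is assumed here to be the source digest. The record, the file contents and the field names are constructed assumptions; the log line is the one quoted in the post, whose bracketed values are 8 hex digits and so cannot be matched against the 40-digit manifest digests.

```python
import hashlib
import re

# Constructed stand-ins for the file on the device: as shipped, edited, and patched.
ORIGINAL = b"constructed journal, as shipped"
EDITED = b"constructed journal, modified on device"
PATCHED = b"constructed journal, after update"

# Constructed record in the 7-field layout of the CSC.txt line quoted in the post.
MANIFEST = (
    "DIFF:REG:system/demo/.delta_opername.db-journal:"
    "system/demo/.delta_opername.db-journal:"
    + hashlib.sha1(ORIGINAL).hexdigest() + ":"
    + hashlib.sha1(PATCHED).hexdigest()
    + ":diff4_.delta_opername.db-journal_CSC.delta\n"
    "PaTcHCoUnT:1 0 0 0 0 0\n"
)
# Log line as quoted in the post.
LOG_LINE = ("UA/ERROR(SS_FSVerifyNode) SS_FSVerifyNode - SHA mismatch with SRC - PATH "
            "[system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal] "
            "Expected [ff9feddc] Actual [ff9fedf0]")
MISMATCH = re.compile(r"SHA mismatch with SRC - PATH \[([^\]]+)\] "
                      r"Expected \[([0-9a-fA-F]+)\] Actual \[([0-9a-fA-F]+)\]")

def parse_manifest(text):
    """Map each DIFF record's old path to its fields; other lines are skipped.
    Field names are assumptions; paths containing ':' are not handled."""
    records = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == "DIFF":
            _, kind, old, new, src, dst, delta = fields
            records[old] = {"kind": kind, "new_path": new, "src_sha1": src.lower(),
                            "dst_sha1": dst.lower(), "delta": delta}
    return records

def source_matches(record, data):
    """Same decision as the memcmp in SS_FSVerifyNode: SHA-1 of the current
    file contents against the source digest recorded in the manifest."""
    actual = hashlib.sha1(data).hexdigest()
    return actual == record["src_sha1"], actual

def parse_mismatch(line):
    """Return (path, expected, actual, values_are_full_digests) or None."""
    m = MISMATCH.search(line)
    if not m:
        return None
    path, expected, actual = m.groups()
    full = len(expected) == 40 and len(actual) == 40  # SHA-1 is 40 hex digits
    return path, expected, actual, full
```

Comparing the digest of a file pulled from the device against `src_sha1` shows whether that file differs from what the delta expects, which the short values in last_update.log cannot show.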
