Hello there
This is a surprise, but software able to flash the phone without any computer intervention was already on it, since the beginning.
Searching for a way to install my future lag fix easily, I remember that there was an "OTA" boot mode.
I know, today nobody saw an OTA on any Galaxy S smartpone (except maybe One on the AT&T Captivate?), but the software is still there.
How does this work :
Basically Linux boots a ramdisk, loading kernel modules and running an init process who start the whole Android experience (bootmode=) or just the recovery mode (bootmode=2).
Other bootmodes are used for battery loading only and Over The Air updates.
In this case, init.rc ask init to start "/sbin/redbend_ua all".
By default this software search for software updates in /data/fota and on similar places in the /sdcard.
It could prove useful another day, but you still have to be root to ask your device to reboot in a specific bootmode
The nice part is that we can use redbend_ua manually too, to do many impossible things before :
command list, pretty comprehensive.
Code:
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
Possible usages :
- Flashing the kernel without Odin or any computer
- Backuping and Restoring a whole firmware, including stock one
- Doing more than one operation before automatic reboot through a list of commands in /data/fota/command (not tested yet)
- Messing with bootloaders and bricking your phone for good
Yeah, you must be really carefull this time. Samsung made some partitions read-only for a reason
Hopefully this new tool will be used by most ROM cooker, CyanogenMod, and ClockWorkMod
I'll make a update.zip + redbend_ua template soon if nobody comes up with one.
My Twitter for next news
Joined to this post : redbend_ua working binary. (some firmware ship a new binary that does not accept command line parameters)
-----
Old post, for the record :
Our Galaxy S in Eclair firmwares come with software able to provide update Over The Air.
This firmware is in /sbin directory, which means that it's in the kernel ramdisk.
Look at the output when running the binary without argument or appropriate file:
Code:
# redbend_ua
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
UA/(MakeBMLNodes): mknod path=/dev/block/bml4, dev_no=35076
UA/(MakeBMLNodes): mknod path=/dev/block/bml5, dev_no=35077
UA/(MakeBMLNodes): mknod path=/dev/block/bml7, dev_no=35079
UA/(MakeBMLNodes): mknod path=/dev/block/bml8, dev_no=35080
UA/(MakeBMLNodes): mknod path=/dev/block/bml11, dev_no=35083
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
UA/ check_existence: /data/fota/delta.Sbl
UA/(update_all): Check Delta : path_idx(0), part_idx(0), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.zImage
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.modem
UA/(update_all): Check Delta : path_idx(0), part_idx(2), file_path((null)), cnt(0)
UA/ check_existence: /data/fota/delta.platform
UA/(update_all): Check Delta : path_idx(0), part_idx(3), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.Sbl
UA/(update_all): Check Delta : path_idx(1), part_idx(0), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.zImage
UA/(update_all): Check Delta : path_idx(1), part_idx(1), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.modem
UA/(update_all): Check Delta : path_idx(1), part_idx(2), file_path((null)), cnt(0)
UA/ check_existence: /sdcard/Android/data/temp.fota.delta/delta.platform
UA/(update_all): Check Delta : path_idx(1), part_idx(3), file_path((null)), cnt(0)
fail!
Open /data/fota/fota.status
fsync after write: 0
And here is the result when you provide a fake zImage delta file:
Code:
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
UA/(MakeBMLNodes): mknod path=/dev/block/bml4, dev_no=35076
UA/(MakeBMLNodes): mknod path=/dev/block/bml5, dev_no=35077
UA/(MakeBMLNodes): mknod path=/dev/block/bml7, dev_no=35079
UA/(MakeBMLNodes): mknod path=/dev/block/bml8, dev_no=35080
UA/(MakeBMLNodes): mknod path=/dev/block/bml11, dev_no=35083
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
UA/ check_existence: /data/fota/delta.Sbl
UA/(update_all): Check Delta : path_idx(0), part_idx(0), file_path((null)), cnt(0)
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path(/data/fota/delta.zImage), cnt(1)
UA/(update_all): Check Delta : path_idx(0), part_idx(1), file_path(/data/fota/delta.zImage), cnt(1)
UA/ check_existence: /data/fota/delta.modem
UA/(update_all): Check Delta : path_idx(0), part_idx(2), file_path((null)), cnt(1)
UA/ check_existence: /data/fota/delta.platform
UA/(update_all): Check Delta : path_idx(0), part_idx(3), file_path((null)), cnt(1)
page_msize: 4096, phy_unit_size: 262144
UA/ Sbl delta does NOT exist! Skip.
page_msize: 4096, phy_unit_size: 262144
UA/ check_existence: /data/fota/fota_zImage
page_msize: 4096, phy_unit_size: 262144
dev: /dev/block/bml8 partition size: 0x780000
40180008: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180018: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180028: ffff ffff ffff ffff ffff ffff ffff ffff ................
40180038: ffff ffff ffff ffff ffff ffff ffff ffff ................
signature: 0xffffffff
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
page_msize: 4096, phy_unit_size: 262144
page_msize: 4096, phy_unit_size: 262144
UA/(backup_devbml) src: /dev/block/bml7 partition size: 0x780000
UA/(backup_devbml) dst: /dev/block/bml8 partition size: 0x780000
UA/(backup_devbml) backup 128KB at 0x0
UA/(backup_devbml) backup 128KB at 0x40000
UA/(backup_devbml) backup 128KB at 0x80000
UA/(backup_devbml) backup 128KB at 0xc0000
UA/(backup_devbml) backup 128KB at 0x100000
UA/(backup_devbml) backup 128KB at 0x140000
UA/(backup_devbml) backup 128KB at 0x180000
UA/(backup_devbml) backup 128KB at 0x1c0000
UA/(backup_devbml) backup 128KB at 0x200000
UA/(backup_devbml) backup 128KB at 0x240000
UA/(backup_devbml) backup 128KB at 0x280000
UA/(backup_devbml) backup 128KB at 0x2c0000
UA/(backup_devbml) backup 128KB at 0x300000
UA/(backup_devbml) backup 128KB at 0x340000
UA/(backup_devbml) backup 128KB at 0x380000
UA/(backup_devbml) backup 128KB at 0x3c0000
UA/(backup_devbml) backup 128KB at 0x400000
UA/(backup_devbml) backup 128KB at 0x440000
UA/(backup_devbml) backup 128KB at 0x480000
UA/(backup_devbml) backup 128KB at 0x4c0000
UA/(backup_devbml) backup 128KB at 0x500000
UA/(backup_devbml) backup 128KB at 0x540000
UA/(backup_devbml) backup 128KB at 0x580000
UA/(backup_devbml) backup 128KB at 0x5c0000
UA/(backup_devbml) backup 128KB at 0x600000
UA/(backup_devbml) backup 128KB at 0x640000
UA/(backup_devbml) backup 128KB at 0x680000
UA/(backup_devbml) backup 128KB at 0x6c0000
UA/(backup_devbml) backup 128KB at 0x700000
UA/(backup_devbml) backup 128KB at 0x740000
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xffffffff
UA/(RB_ImageUpdateMain): ++
UA/(RB_ImageUpdateMain) uPartitionName[zImage]
RB_GetBlockSize: returning 0x40000 (262144)
UA/(RB_UpdateImage): ++
UA/(RB_UpdateImage): Delta file name-/data/fota/delta.zImage
unicode_to_char : zImage
pDeviceDatum.pFirstPartitionData->partition_name: zImage
pDeviceDatum.pFirstPartitionData->partition_type: 0
pDeviceDatum.pFirstPartitionData->file_system_type: 0
unicode_to_char : /data/fota/delta.zImage
RB_OpenFile: Path:/data/fota/delta.zImage | Mode: RDONLY
Successful open() *pwHandle:4
[RB] Illegal field in the delta, or that the given delta is invalid
UA/(RB_UpdateImage) return value from RB_vRM_Update: 0x80000539
UA/(RB_UpdateImage): -- ret=-2147482311
UA/(RB_ImageUpdateMain) pCustomerPartData.updated = -1, rest = -1
UA/(RB_ImageUpdateMain): -- ret=-2147482311
page_msize: 4096, phy_unit_size: 262144
common mark dev : /dev/block/bml8 partition size: 0x780000
0xdeade002
UA/(update_all) Kernel update fail
fail!
Open /data/fota/fota.status
fsync after write: 0
Promising ! This software definitely has the ability to write on protected bml partitions.
Now wee need to find how to produce the .delta files
Sounds great Lets hope you guys can figure it all out.
I just send a message to Red Bend Software through their site.
Actually it may help to find any other delta file for their software. Without sample we won't go anywhere...
I hope they will be kind and answer!
Here is a list of interesting strings found in the binary :
Code:
UA/ Platform delta does NOT exist! Skip.
Can not open src file : %s
Can not open dst file : %s
UA/(%s) write %dbytes
UA/(%s) copy file %s->%s
fsync failed with return value: %d
fsync after write: %d
UA/ %s: %s
/dev/block/bml4
/data/fota/dump_sbl
/dev/block/bml7
/data/fota/dump_kernel
/dev/block/bml12
/data/fota/dump_modem
FOTA : Make Block Device Nodes
UA/(%s): mknod path=%s, dev_no=%u
Failed to open %s: %s
Open %s
lseek failed with return value: %d
read failed with return value: %d
success!
DONE
fail!
FAIL
FOTA
UA/ modem delta does NOT exist! Skip.
/data/fota/backup.modem
UA/ zImage delta does NOT exist! Skip.
/dev/block/bml8
UA/ Sbl delta does NOT exist! Skip.
UA/ERROR(%s) get dual sbl siginfo fail!!
/dev/block/bml5
UA/ERROR(%s) can't find vaild Sbl partitions
UA/ERROR(%s) SBL RAM partition alloc fail
UA/ERROR(%s) RB_ImageUpdateMain Fail ret=(0x%d)
/data/fota/command
/sdcard/Android/data/temp.fota.delta/command
UA/(%s) cache download
/cache/recovery
UA/(%s) create /cache/recovery directory
/cache/recovery/command
reboot recovery
UA/(%s): Check Delta : path_idx(%d), part_idx(%d), file_path(%s), cnt(%d)
SBL update fail
UA/(%s) %s
Kernel update fail
Modem update fail
Platform update fail
Post update fail
WARNNIG
Delta Not Exist
/data/fota
/sbin/images/fota.png
UA/(%s) test
Update Fail!!
/data/fota/fota.status
/data/fota/delta.Sbl
/data/fota/delta.zImage
/data/fota/delta.modem
/data/fota/delta.platform
/sdcard/Android/data/temp.fota.delta/delta.Sbl
/sdcard/Android/data/temp.fota.delta/delta.zImage
/sdcard/Android/data/temp.fota.delta/delta.modem
/sdcard/Android/data/temp.fota.delta/delta.platform
RedBend Update Agent %s
commands:
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
unknown
/data/fota/fota_Sbl
/data/fota/fota_zImage
Modem
/data/fota/fota_modem
/data/fota/fota_platform
/dev/block/bml11
OFNI
main
update_all
post_update
update_platform
update_modem
update_zImage
update_Sbl
file_copy
check_existence
MakeBMLNodes
UA/(%s): +
UA/(%s): %s (%lx %x)
UA/(%s): -
UA/(%s): %s (%lx %lx)
UA/(%s): memcpy(0x%x, 0x%x, 0x%x)
%07x:
%02x
%02x
BML_GET_DEV_INFO
page_msize: %d, phy_unit_size: %d
open device file
%s: bmldevice_open failed!
%s: bmldevice_info failed!
src: %s
dst: %s partition size: 0x%x
part_size: 0x%x
failed to read from %s (%s)
read finished
read %d bytes
src: %s partition size: 0x%x
dst: %s
failed to write to %s (%s)
done
UA/(%s) src: %s
UA/(%s) dst: %s partition size: 0x%x
UA/(%s) part_size: 0x%x
UA/(%s) read finished
UA/(%s) read %d bytes
UA/(%s) src: %s partition size: 0x%x
UA/(%s) dst: %s
UA/(%s) signature: 0x%x
*WARN* %s partition is already marked as invalid!
UA/(%s) done
page at 0x%x differ!
UA/(%s) backup 128KB at 0x%x
UA/(%s): ++
UA/(%s) 0x%x
UA/ERROR(%s) Valid partition signature is not invalid
UA/(%s): --
%s, invalide magic key(%x)!!
common mark dev : %s partition size: 0x%x
dev: %s partition size: 0x%x
signature: 0x%x
UA/(%s) dev: %s partition size: 0x%x
UA/ERROR(%s) Signature is not validate (%x)
UA/(%s) SBL, SBL2 partition are diffierent size, check your bml device node name
UA/ERROR(%s) Both partition has valid or invalid signature
UA/(%s) Valid Partition-%s, Update Partition-%s
restore_file
backup_block_file
restore_devbml
backup_devbml
store_dualsbl_partition
load_partition
mark_common_recovery
find_valid_partition
check_dualpartition_validation
ram_write_block
ram_read_block
nand_write_block
nand_read_block
bmldevice_get_size
Image size is bigger than partition!
reading NAND page
BML_UNLOCK_ALL
writing NAND page
6,1,14,1
RB_GetBlockSize
%s: returning 0x%x (%d)
RB_ReadBackupBlock
UA/(%s): %s: offset 0x%lx(%ld), size 0x%lx(%ld)
UA/ERROR(%s) open file %s failed.
UA/ open %s file success
UA/ERROR(%s) error in read size
RB_WriteBackupBlock
UA/(%s): offset 0x%lx(%ld), size 0x%lx(%ld)
UA/ERROR(%s) error in write size
RB_ImageUpdateMain
UA/(%s): ++
UA/(%s) uPartitionName[%s]
UA/(%s) pCustomerPartData.updated = %d, rest = %d
UA/(%s): -- ret=%d
RB_UpdateImage
UA/(%s): Delta file name-%s
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
UA/(%s) return value from RB_vRM_Update: 0x%x
unicode_to_char
%s : %s
RecursiveFolderCreater
%s path: %s
temppath: %s
mkdir result: %d errno: %d
RB_CopyFile
%s: %s -> %s
NULL file name find. Abort.
Open %s ENOENT %d
Open %s failed. Abort.
read %d, but write %d, abort.
RB_DeleteFile
%s: %s
unlink value: %d, errno: %d
RB_DeleteFolder
rmdir value: %d, errno: %d
RB_CreateFolder
%s: %s, mode:0x%x
RDONLY
WRONLY
RDWR
Unknown
RB_OpenFile
%s: Path:%s | Mode:
First open() with error %d
copy dir[]=%s
remove dir[]=%s
Fail create folder, Leave RB_OpenFile
After successful creating folder, fail open() with error %d
Successful open() *pwHandle:%ld
RB_ResizeFile
%s: handle %ld, dwSize %d
%s: ret %d handle %ld %d
RB_CloseFile
%s: wHandle = %ld
RB_WriteFile
%s: Handle:%ld , Pos:%ld , Size: %ld
lseek failed with return value: %d
Failed with return value: %d
Bytes Write: %d
fsync Failed with return value: %d
fsync after write: %d
RB_ReadFile
%s: Handle:%ld , Pos:%ld , Size: %ld
read failed with return value: %d
RB_GetFileSize
%s: %ld
lseek errno: %d
Returning Size = 0x%x
RB_Unlink
unlink failed with return value: %d
unlink with return value: %d
RB_Link
symlink failed with return value: %d, errno: %d
symlink with return value: %d
RB_VerifyLinkReference
readlink failed with return value: %d
not same linked path
same linked path
RB_GetFileType
stat failed with return value: %d errno: %d
sbuf.st_mode: %d
S_ISREG(sbuf.st_mode): %d
S_ISLNK(sbuf.st_mode): %d
stat->st_mode = symbolic link file
stat->st_mode = regular file
failed to lstat, err : %d
a2ch
%s : %d
Wrong attribute value: %d
a2ch : %c
chtoa
RB_SetFileAttributes
stat failed with return value: %d
sbuf.st_mode value: %d
ui8pAttribs value: %s
ui32AttribSize value: %ld
attrib_user value: %d
attrib_group value: %d
attrib_other value: %d
att_type value: %d
sbuf.st_mode | attrib: %d
chmod failed with return value: %d
chmod with return value: %d
pUserId value: %s
user_id value: %d
aGroupId value: %s
pGroupId value: %s
group_id value: %d
failed chown %d
success chown %d
RB_FSUpdateMain
UA/(%s) Partition name(%s), mount point(%s)
UA/(%s) pCustomerPartData.updated = %ld, rest = %ld
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
return value from RB_vRM_Update: 0x%x
%s/flagsFile
return value from unlink(%s): 0x%x
Installing software
Don't turn off the
phone and
connect the power
cable as possible.
System updated &
reboot now
gui_progress
UA/(%s): ++ uPercent(%d%), gv_delta_count=(%ld)
UA/(%s): -- Print Percent(%d%)
%3d %%
lcd_init
%s(%d): start!
/dev/graphics/fb0
%s(%d): fb0 open fail
%s(%d): fb0 open success
%s(%d): width = %d, height = %d
%s(%d): ioctl set info fail
%s(%d): Error: failed to map framebuffer device to memory.
%s(%d): ioctl start fail
Allocation error-
Current start: %d
Current finish: %d
Requested size: %d
Allocation error:
Current start: %d
Current finish: %d
Requested size: %d
It may accept commands somehow, like those :
img [partition name] [delta file] [device node] [temp path]
fs [partition name] [delta file] [mount point] [temp path]
all
dump <source dev> <dest file>
restore <source file> <dest dev>
compare <dev1> <dev2>
png [png file name]
all
I tried writing commands in /data/fota/command and /cache/recovery/command but the program does not follow my orders
ok it works when i flashed zImage
Code:
# redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: /sdcard/jm5.zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished
Wow, this is looking promising.
it seems like htc's flash_image,but much more difficult than it.
raspdeep said:
ok it works when i flashed zImage
Code:
# redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
redbend_ua restore /sdcard/jm5.zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: /sdcard/jm5.zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished
Click to expand...
Click to collapse
Nice raspdeep
How did you do ? Every attempt fails here (in recovery or standard mode).
Which initramfs version do you use ?
Code:
redbend_ua restore zImage /dev/block/bml7
RedBend Update Agent 6,1,14,1
FOTA : Make Block Device Nodes
lcd_init(498): start!
lcd_init(507): fb0 open success
lcd_init(514): width = 480, height = 800
page_msize: 4096, phy_unit_size: 262144
src: zImage
dst: /dev/block/bml7 partition size: 0x780000
part_size: 0x780000
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 262144 bytes
read 247184 bytes
read finished
Ok yo don't respond but it works here to, booting on your OC kernel. Now i'll find what is different between our setups
supercurio, you are rapidly becoming one of my Android heros...
distortedloop said:
supercurio, you are rapidly becoming one of my Android heros...
Click to expand...
Click to collapse
Don't know if I can live with that
Code:
ll */*
-rwxr-xr-x 1 root curio 313888 2010-08-26 21:14 oc128uv1/redbend_ua*
-rwxr-xr-x 1 curio curio 314004 2010-08-26 21:16 XWJM5/redbend_ua*
md5sum */*
74f5793536c3cdc902ec269c3f51a165 oc128uv1/redbend_ua
b1ba258a5d673c537a95167267afd6b8 XWJM5/redbend_ua
Different binaries !
Edit : attached working redbend_ua
A diff between strings included in binaries (raw infos, not analyzed yet ^^)
Code:
--- not-working 2010-08-26 21:22:39.594984596 +0200
+++ working 2010-08-26 21:22:20.370634450 +0200
@@ -4,7 +4,6 @@
@F2A
bB,2
H{DYX
-/Q{;
/Qs;
/Qk;
/Qc;
@@ -452,71 +451,52 @@
%mB(
@ #!
!1C "
-reboot
-UA/ Platform delta does NOT exist! Skip.
-Can not open src file : %s
-Can not open dst file : %s
-UA/(%s) write %dbytes
-UA/(%s) copy file %s->%s
- fsync failed with return value: %d
- fsync after write: %d
-UA/ %s: %s
+/data/fota/delta.Sbl
/dev/block/bml4
-/data/fota/dump_sbl
+/dev/block/bml5
+/data/fota/fota_Sbl
+/data/fota/delta.zImage
/dev/block/bml7
-/data/fota/dump_kernel
+/data/fota/backup.zImage
+/data/fota/fota_zImage
+Modem
+/data/fota/delta.modem
/dev/block/bml12
+/data/fota/backup.modem
+/data/fota/fota_modem
+/data/fota/delta.platform
+/data/fota/backup.platform
+/data/fota/fota_platform
+platform delta does NOT exist! Skip.
+existence: s1[%d].existence; %d
+%s: %s
+/data/fota/dump_sbl
+/data/fota/dump_kernel
/data/fota/dump_modem
FOTA : Make Block Device Nodes
-UA/(%s): mknod path=%s, dev_no=%u
Failed to open %s: %s
Open %s
lseek failed with return value: %d
read failed with return value: %d
+ fsync failed with return value: %d
+ fsync after write: %d
success!
DONE
fail!
FAIL
FOTA
-UA/ modem delta does NOT exist! Skip.
-/data/fota/backup.modem
-UA/ zImage delta does NOT exist! Skip.
+modem delta does NOT exist! Skip.
+zImage delta does NOT exist! Skip.
/dev/block/bml8
-UA/ Sbl delta does NOT exist! Skip.
-UA/ERROR(%s) get dual sbl siginfo fail!!
-/dev/block/bml5
-UA/ERROR(%s) can't find vaild Sbl partitions
-UA/ERROR(%s) SBL RAM partition alloc fail
-UA/ERROR(%s) RB_ImageUpdateMain Fail ret=(0x%d)
-/data/fota/command
-/sdcard/Android/data/temp.fota.delta/command
-UA/(%s) cache download
-/cache/recovery
-UA/(%s) create /cache/recovery directory
-/cache/recovery/command
-reboot recovery
-UA/(%s): Check Delta : path_idx(%d), part_idx(%d), file_path(%s), cnt(%d)
-SBL update fail
-UA/(%s) %s
-Kernel update fail
-Modem update fail
-Platform update fail
-Post update fail
-WARNNIG
-Delta Not Exist
-/data/fota
-/sbin/images/fota.png
-UA/(%s) test
-Update Fail!!
+Sbl delta does NOT exist! Skip.
+get dual sbl siginfo fail!!
+can't find vaild Sbl partitions
+reboot
+gv_delta_count[%d]
+dump
+restore
+compare
/data/fota/fota.status
-/data/fota/delta.Sbl
-/data/fota/delta.zImage
-/data/fota/delta.modem
-/data/fota/delta.platform
-/sdcard/Android/data/temp.fota.delta/delta.Sbl
-/sdcard/Android/data/temp.fota.delta/delta.zImage
-/sdcard/Android/data/temp.fota.delta/delta.modem
-/sdcard/Android/data/temp.fota.delta/delta.platform
RedBend Update Agent %s
commands:
img [partition name] [delta file] [device node] [temp path]
@@ -527,29 +507,7 @@
compare <dev1> <dev2>
png [png file name]
all
-unknown
-/data/fota/fota_Sbl
-/data/fota/fota_zImage
-Modem
-/data/fota/fota_modem
-/data/fota/fota_platform
-/dev/block/bml11
OFNI
-main
-update_all
-post_update
-update_platform
-update_modem
-update_zImage
-update_Sbl
-file_copy
-check_existence
-MakeBMLNodes
-UA/(%s): +
-UA/(%s): %s (%lx %x)
-UA/(%s): -
-UA/(%s): %s (%lx %lx)
-UA/(%s): memcpy(0x%x, 0x%x, 0x%x)
%07x:
%02x
%02x
@@ -568,71 +526,67 @@
dst: %s
failed to write to %s (%s)
done
-UA/(%s) src: %s
-UA/(%s) dst: %s partition size: 0x%x
-UA/(%s) part_size: 0x%x
-UA/(%s) read finished
-UA/(%s) read %d bytes
-UA/(%s) src: %s partition size: 0x%x
-UA/(%s) dst: %s
-UA/(%s) signature: 0x%x
-*WARN* %s partition is already marked as invalid!
-UA/(%s) done
page at 0x%x differ!
-UA/(%s) backup 128KB at 0x%x
-UA/(%s): ++
-UA/(%s) 0x%x
-UA/ERROR(%s) Valid partition signature is not invalid
-UA/(%s): --
+signature: 0x%x
+*WARN* %s partition is already marked as invalid!
+backup 128KB at 0x%x
+backup 128KB at 0x%x without signature
+clear mark dev : %s partition size: 0x%x
%s, invalide magic key(%x)!!
-common mark dev : %s partition size: 0x%x
dev: %s partition size: 0x%x
-signature: 0x%x
-UA/(%s) dev: %s partition size: 0x%x
-UA/ERROR(%s) Signature is not validate (%x)
-UA/(%s) SBL, SBL2 partition are diffierent size, check your bml device node name
-UA/ERROR(%s) Both partition has valid or invalid signature
-UA/(%s) Valid Partition-%s, Update Partition-%s
-restore_file
-backup_block_file
-restore_devbml
-backup_devbml
-store_dualsbl_partition
-load_partition
+%s:clear:%s partition size: 0x%x
+%s : write and clear signature done
+%s:write:%s partition size: 0x%x
+%s: Signature is not validate (%x)
+%s signature: 0x%x
+%s +
+%s: SBL, SBL2 partition are diffierent size, check your bml device node name
+Both partition has valid or invalid signature
+Valid Partition-%s, Update Partition-%s
+Siginfo error partition $s (0x%x, 0x%x)
mark_common_recovery
+clear_dualpartition_signature
+write_dualpartition_signature
find_valid_partition
check_dualpartition_validation
-ram_write_block
-ram_read_block
-nand_write_block
-nand_read_block
bmldevice_get_size
Image size is bigger than partition!
reading NAND page
BML_UNLOCK_ALL
writing NAND page
6,1,14,1
+RB_Progress
+%s: (%lu %%)
+RB_GetDelta
+%s: offset 0x%lx(%ld), size 0x%lx(%ld)
+%s: open file %s failed.
+%s: error in read size
RB_GetBlockSize
%s: returning 0x%x (%d)
+RB_ReadImage
+%s: node-%s (%lx %lx)
+RB_WriteBlock
+%s: node-%s (%lx %x)
RB_ReadBackupBlock
-UA/(%s): %s: offset 0x%lx(%ld), size 0x%lx(%ld)
-UA/ERROR(%s) open file %s failed.
-UA/ open %s file success
-UA/ERROR(%s) error in read size
+%s: offset 0x%lx(%ld), size 0x%lx(%ld)
+%s: open file %s failed.
+%s: error in read size
RB_WriteBackupBlock
-UA/(%s): offset 0x%lx(%ld), size 0x%lx(%ld)
-UA/ERROR(%s) error in write size
+%s: error in write size
+RB_ImageUpdateCommon
+uPartitionName[%s]
+%s: pCustomerPartData.updated = %d, rest = %d
RB_ImageUpdateMain
-UA/(%s): ++
-UA/(%s) uPartitionName[%s]
-UA/(%s) pCustomerPartData.updated = %d, rest = %d
-UA/(%s): -- ret=%d
-RB_UpdateImage
-UA/(%s): Delta file name-%s
+%s: backup_file is %s
+%s: size of %s(%s) is %d bytes
+RB_ImageUpdateDualPartition
+%s: backup file(%s) / Valid Partition(%s) / Update Partition(%s)
+%s : RB Image Update Fail
+%s : RB Image Update Done %s
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
-UA/(%s) return value from RB_vRM_Update: 0x%x
+return value from RB_vRM_Update: 0x%x
unicode_to_char
%s : %s
RecursiveFolderCreater
@@ -726,8 +680,7 @@
failed chown %d
success chown %d
RB_FSUpdateMain
-UA/(%s) Partition name(%s), mount point(%s)
-UA/(%s) pCustomerPartData.updated = %ld, rest = %ld
+%s: pCustomerPartData.updated = %ld, rest = %ld
pDeviceDatum.pFirstPartitionData->partition_name: %s
pDeviceDatum.pFirstPartitionData->partition_type: %d
pDeviceDatum.pFirstPartitionData->file_system_type: %d
@@ -741,9 +694,9 @@
cable as possible.
System updated &
reboot now
-gui_progress
-UA/(%s): ++ uPercent(%d%), gv_delta_count=(%ld)
-UA/(%s): -- Print Percent(%d%)
+Update is ok.
+Update is failed.
+Restoring...
%3d %%
lcd_init
%s(%d): start!
@@ -962,12 +915,6 @@
insufficient memory
buffer error
incompatible version
-RB_Progress
-%s: (%lu %%)
-RB_GetDelta
-%s: offset 0x%lx(%ld), size 0x%lx(%ld)
-%s: open file %s failed.
-%s: error in read size
Pure virtual function called. Are you calling virtual methods from a destructor?
libc-abort
abort() called in pid %d
@@ -1120,6 +1067,7 @@
/dev/log/main
/dev/log/radio
/proc/self/exe
+unknown
/dev/urandom
stack corruption detected: aborted
ANDROID_PROPERTY_WORKSPACE
Whilst we're talking about retrieving information from binaries...
Does anyone know any good disassembly tools. I managed to compile objdump for ARM (ELF) and run it on the Galaxy S secondary bootloader but it only partially works. It doesn't look like it is handling the binary layout correctly. It's unsure how much of the binary is data and how much is actual instructions so it ends up converting the whole thing to instructions (most of which are obviously bogus).
Benjamin Dobell said:
Whilst we're talking about retrieving information from binaries...
Does anyone know any good disassembly tools. I managed to compile objdump for ARM (ELF) and run it on the Galaxy S secondary bootloader but it only partially works. It doesn't look like it is handling the binary layout correctly. It's unsure how much of the binary is data and how much is actual instructions so it ends up converting the whole thing to instructions (most of which are obviously bogus).
Click to expand...
Click to collapse
Under Linux i use the minimalist tool named "strings". You can learn so much just by reading strings extracted ^^.
Otherwise you have IDA Pro (Windows), which is very powerful.
Benjamin, like you i found objdump quite challenging to use.. and.. not that fun.
supercurio said:
Under Linux i use the minimalist tool named "strings". You can learn so much just by reading strings extracted ^^.
Otherwise you have IDA Pro (Windows), which is very powerful.
Benjamin, like you i found objdump quite challenging to use.. and.. not that fun.
Click to expand...
Click to collapse
Unfortunately IDA Pro doesn't seem to work either. IDA Pro Free doesn't support ARM at all and I tried with IDA Pro Advanced but it seemed to have similar issues to objdump, it couldn't determine the entry point etc.
If I could just get the assembler with comments next to it that indicate which pieces of data (strings in particular) are being referenced that would make my day.
Do you think Sbl.bin is a single unique binary ?
Considering everything that this Second Boot Loader is able to do, i would not be surprised if it's more complex than that.
Anyway I can't say much more about the tools, i'm just a rookie hacker
supercurio said:
Do you think Sbl.bin is a single unique binary ?
Considering everything that this Second Boot Loader is able to do, i would not be surprised if it's more complex than that.
Click to expand...
Click to collapse
It wouldn't be a very reliable boot loader if it depended on other binaries (other than data passed to it by the primary boot loader). However the information I'm after, the Loke protocol, is definitely in there cause I can see the handshake strings I send and receive with Heimdall.
working this into SRE RIGHT NOW!!!!
--edit
scripted, and working
release coming soon!!
designgears said:
working this into SRE RIGHT NOW!!!!
Click to expand...
Click to collapse
Nice
Remember being EXTRA careful manipulating raw bml partitions. You can easily brick your phone for good writing bad data in place of first and second bootloader.
NON-RECOVERABLE
please say that to every potential redbend_ua users
This was the required warning, now enjoy
supercurio said:
Nice
Remember being EXTRA careful manipulating raw bml partition. You can easily
brick your phone for good writing bad data in place of first and second bootloader.
NON-RECOVERABLE
please say that to every potential redbend_ua users
This was the required warning, now enjoy
Click to expand...
Click to collapse
I have borked bml17 before.. was able to go into download and restore stock.
At this point, I do NOT know of a means to install the modified SPLASH2 images. Please read, and if you can offer any insight, feel free. I do not have a device and am limited to a level that I depend on those with knowledge and a device to progress to much further.Download the zip at the bottom of this post.
Extract it to a new folder.
Drag the "bootloader-angler-angler-02.01.img" on to the "Nexus6P-Injector-v1.1.bat" file.
I future proof things that I make, so WHEN a new bootloader comes out, use that one and not the one currently provided.The splash2 image binary will be extracted from the bootloader.img or from any file that has the exact characteristics of this encoding.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
The program will automatically open a folder containing an 'Images' folder, containing all of the images extracted. It will also contain the cut out splash.bin, and a batch file that will rebuild every image in the 'Images' folder. Please try all of this before asking any questions. It is pretty self explanatory. You don't even have to have your phone hooked up. Play with it.
Click below if you want to see what this new folder will look like...
Edit or replace any of the png's that you want to in the 'Images' folder.
Click on the "Rebuild Images Folder.bat" file whenever you are done or happy.
Whenever you run this batch file, every image in the 'Images' folder is encoded into the Modified-SPLASH.bin. You can run the batch file, then change more of the images, it does not matter. Everytime you run this batch file, it simply overwrites and encodes every image in the 'Images' folder into the "Modified-SPLASH.bin". Pretty simple?When you encode a image or however many you change, you get a screen like this:
The green just means that the image in the folder has changed and has been injected into the modified bin file. If you change the resolution, it will be red. However, it will still be encoded by the program. It is just a warning, because I have no means to test, and you must rely on the forums to see what daredevils do in surprisingly fruitful trials.
Everything is pretty much self explanatory as mentioned above. I've figured out the encodings and decodings once again, does anyone else actually work on this stuff? There is no menu or cursor, because it is simple. You drag any file onto the batch file. It can be your family picture, a system image, or a already completed modified bin. If there is nothing in the file, you will be told. The program leaves whatever file you drag on it alone, it is scanned for a SPLASH2!! header, and cuts out (copies) the necessary splash.bin.
Nexus6Pcodec.c
Code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <windows.h>
#include "zlib.h"
#include "lodepng.h"
#include "Nexus6Pcodec.h"
uint8_t *FindSplashFile(FILE *input, uint64_t *start, uint64_t *end){
uint32_t numberOfImages = 0, lastOffset = 0, lastSize = 0;
int readByte;
uint8_t pos = 0;
uint8_t *data = NULL;
fseek(input, 0, SEEK_SET);
while ((readByte = fgetc(input)) != EOF){
if (readByte == splashHeader[pos]){
if (pos == 31){
*start = (ftell(input) - 32);
fseek(input, *start + 36, SEEK_SET);
if(fread(&numberOfImages, 1, 4, input) != 4){
fprintf(stderr, "ERROR: Reading Input File (no. of images).\n");
fclose(input);
exit(EXIT_FAILURE);
}
fseek(input, *start + 40 + ((numberOfImages - 1) * 52) + 44, SEEK_SET );
if(fread(&lastOffset, 1 , 4, input) != 4){
fprintf(stderr, "ERROR: Reading Input File (last offset).\n");
fclose(input);
exit(EXIT_FAILURE);
}
if(fread(&lastSize, 1, 4, input) != 4){
fprintf(stderr, "ERROR: Reading Input File (last size).\n");
fclose(input);
exit(EXIT_FAILURE);
}
*end = *start + (uint64_t)lastOffset + (uint64_t)lastSize;
fseek(input, *start, SEEK_SET);
data = (uint8_t*)malloc(*end - *start);
if(data == NULL){
fprintf(stderr, "ERROR: Allocating Memory (data)\n");
fclose(input);
exit(EXIT_FAILURE);
}
if(fread(data, 1, *end - *start, input) != *end - *start){
fprintf(stderr, "ERROR: Reading Input File (data).\n");
fclose(input);
exit(EXIT_FAILURE);
}
return data;
} else {
pos++;
continue;
}
}
pos = 0;
}
return 0;
}
uint32_t GetSize(FILE *fp){
uint32_t i = 0, cur = ftell(fp);
fseek(fp, 0, SEEK_END);
i = ftell(fp);
fseek(fp, cur, SEEK_SET);
return i;
}
void DrawHead(void){
HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
uint8_t i = 0;
SetConsoleTextAttribute(hConsole, TOPCOLOR);
printf("%c", 218);
for(i = 0; i < 79; i++){
printf("%c", 196);
}
printf("-_-%c%c\n", 196, 191);
printf("%c ", 179);
SetConsoleTextAttribute(hConsole, BLUE);
printf("N");
SetConsoleTextAttribute(hConsole, RED);
printf("E");
SetConsoleTextAttribute(hConsole, YELLOW);
printf("X");
SetConsoleTextAttribute(hConsole, BLUE);
printf("U");
SetConsoleTextAttribute(hConsole, GREEN);
printf("S");
SetConsoleTextAttribute(hConsole, RED);
printf(" 6");
SetConsoleTextAttribute(hConsole, YELLOW);
printf("P");
SetConsoleTextAttribute(hConsole, TOPTEXTCOLOR);
printf(" Image Injector v%s %c\n", version, 179);
printf("%c Written By:", 179);
SetConsoleTextAttribute(hConsole, GREEN);
printf("makers_mark");
SetConsoleTextAttribute(hConsole, TOPTEXTCOLOR);
printf("@xda ");
SetConsoleTextAttribute(hConsole, TOPCOLOR);
printf("%c\n", 179);
printf("%c", 192);
for(i = 0; i < 83; i++){
printf("%c", 196);
}
printf("%c\n", 217);
SetConsoleTextAttribute(hConsole, COLOR);
return;
}
int decode(FILE *originalBin, const uint8_t *path, HANDLE hConsole){
uint32_t i, numberOfImages = 0;
uint64_t cur;
int color;
uint32_t k = 0;
uint8_t pngName[512] = {0};
FILE *txt = NULL;
uint8_t command[512] = {0};
uint8_t exeFile[512] = {0};
fseek(originalBin, 36, SEEK_SET);
if((fread(&numberOfImages, 1, 4, originalBin)) != 4){
fprintf(stderr, "ERROR: Reading The Number Of Images.\n");
fclose(originalBin);
return 0;
}
pHeader headers[numberOfImages];
sprintf((char*)command, "%s\\Rebuild Images Folder.bat", path);
if ((txt = fopen((const char*)command, "w")) == NULL){
fclose(txt);
fclose(originalBin);
fprintf(stderr, "\n%s could not be opened.\n", command);
return 0;
}
printf(" Image Name W x H Offset Size Decoded Size \n");
UNDERSCORE;
color = INVERSE(COLOR);
uint8_t four = 0;
for( i = 0; i < numberOfImages; i++, four++, k = 0 ){
if (four == PATTERN){
color = INVERSE(color);
four = 0;
}
SetConsoleTextAttribute(hConsole, color);
if((fread(&headers[i].name, 1, 32, originalBin) != 32) ||
(fread(&headers[i].width, 1, 4, originalBin) != 4 ) ||
(fread(&headers[i].height, 1, 4, originalBin) != 4 ) ||
(fread(&headers[i].bpp, 1, 4, originalBin) != 4 ) ||
(fread(&headers[i].offset, 1, 4, originalBin) != 4 ) ||
(fread(&headers[i].size, 1, 4, originalBin) != 4 )){
fprintf(stderr, "ERROR: Reading Header Data.\n");
fclose(originalBin);
return 0;
}
if(headers[i].bpp != 24){
fprintf(stderr, "\n32 bpp isn't supported yet. When they acutally use it, I will include it.\n");
fclose(originalBin);
return 0;
}
headers[i].decodedSize = headers[i].width * headers[i].height * 3;
cur = ftell(originalBin);
fseek(originalBin, headers[i].offset + 10, SEEK_SET);
uint8_t j = 0;
while((headers[i].gzName[j++] = fgetc(originalBin)) != '\0'){};
fseek(originalBin, headers[i].offset, SEEK_SET);
sprintf((char*)pngName, "%s\\%s\\%s.png", path, IMAGES_DIR, headers[i].name);
printf("Decoding %s..", headers[i].name);
uint8_t buffer[headers[i].size];
uint8_t *rawBGRimage;
rawBGRimage = (uint8_t*)malloc((uint32_t)headers[i].decodedSize);
if(rawBGRimage == NULL){
fprintf(stderr, "ERROR: Allocating Memory (raw bgr image)\n");
fclose(originalBin);
return 0;
}
if(fread(&buffer, 1, sizeof(buffer), originalBin) != headers[i].size){
fprintf(stderr, "ERROR: Reading Encoded File.\n");
fclose(originalBin);
return 0;
}
dec(buffer, rawBGRimage, (uint32_t)headers[i].size, (uint32_t)headers[i].decodedSize);
uint8_t old = 0;
while( k < headers[i].decodedSize ){
old = rawBGRimage[k];
rawBGRimage[k] = rawBGRimage[k + 2];
rawBGRimage[k + 2] = old;
k += 3;
}
headers[i].crc32 = crc32(0L, Z_NULL, 0);
headers[i].crc32 = crc32(headers[i].crc32, rawBGRimage, headers[i].decodedSize);
printf("Writing PNG..");
lodepng_encode24_file((char*)pngName, rawBGRimage, (unsigned)headers[i].width, (unsigned)headers[i].height);
printf("\r %2d.%-32s %4d x %-4d %10d %10d %12d \n", i + 1, headers[i].name, headers[i].width, headers[i].height, headers[i].offset, headers[i].size, headers[i].decodedSize);
free(rawBGRimage);
fseek(originalBin, cur, SEEK_SET);
fprintf(txt, ":: %s %d %d %d %d %d %d %d %d %ld %s %s\n", headers[i].name, headers[i].width, headers[i].height, headers[i].offset, headers[i].size, headers[i].crc32, headers[i].bpp, headers[i].decodedSize, gzNewHeaderp.os, gzNewHeaderp.time, headers[i].gzName, pngName);
}
fclose(originalBin);
GetModuleFileName(NULL, (LPSTR)exeFile, 512);
fprintf(txt, "\[email protected] con cols=86 lines=%d&echo off\ntitle Nexus6P Image Injector v%s\n\"%s\" -n %d -b \"\%%~dpnx0\" && 2>nul del \"%%~dp0\\%s\"\npause>nul\n", numberOfImages + 20, version, exeFile, numberOfImages, MODIFIEDBIN);
fclose(txt);
SetConsoleTextAttribute(hConsole, COLOR);
UNDERSCORE;
SetConsoleTextAttribute(hConsole, __INFO_);
printf("%s", path);
FinishLineSpaces((uint8_t)strlen((const char*)path));
BLANKLINE;
printf("This folder above contains an 'Images' folder.(The parent folder should of opened on \n");
printf("your screen). Inside of the 'Images' folder is all of the PNG's that were extracted \n");
printf("from your original file. Change/replace any images you want, but do not change the \n");
printf("name, or the location of the PNG's. Run the 'Rebuild Images Folder.bat' file when you\n");
printf("are finished editing the images and ready to make a new Splash.bin. \n");
BLANKLINE;
printf("You can rebuild the folder as many times as you want. \n");
printf("The output file, %s, is just rewritten/overwritten each time with", MODIFIEDBIN);
FinishLineSpaces(strlen((const char*)MODIFIEDBIN) + 63);
printf("what is currently in the 'Images' folder. \n");
SetConsoleTextAttribute(hConsole, COLOR);
return 1;
}
pHeader *ReadID(FILE *bat, uint8_t numberOfImages){
pHeader *new;
new = malloc(numberOfImages * 618);
if(new == NULL){
return(NULL);
}
memset(new, 0, numberOfImages * 618);
uint8_t i = 0;
while(fscanf(bat, "%*s %s %ld %ld %ld %ld %ld %ld %ld %ld %ld %s %[^\n]",
new[i].name, (long int*)&new[i].width, (long int*)&new[i].height, (long int*)&new[i].offset,
(long int*)&new[i].size, (long int*)&new[i].crc32, (long int*)&new[i].bpp, (long int*)&new[i].decodedSize,
(long int*)&new[i].os, (long int*)&new[i].time, new[i].gzName, new[i].pathToPNG) == 12){i++;}
return new;
}
uint32_t GetWidth(FILE *pngFile){
uint32_t width;
fseek(pngFile, 16, SEEK_SET);
if(fread(&width, 1, 4, pngFile) != 4){
fprintf(stderr, "\nERROR: Reading PNG Width\n");
return 0;
}
return(SWAP32(width));
}
uint32_t GetHeight(FILE *pngFile){
uint32_t height;
fseek(pngFile, 20, SEEK_SET);
if(fread(&height, 1, 4, pngFile) != 4){
fprintf(stderr, "\nERROR: Reading PNG Height\n");
return 0;
}
return(SWAP32(height));
}
int BuildImages(uint8_t *build, uint8_t numberOfImages, uint8_t brute, HANDLE hConsole){
uint32_t i = 0;
int color;
uint8_t resolutionChanges = 0;
FILE *bat = NULL;
if ((bat = fopen((const char*)build, "r")) == NULL){
fprintf(stderr, "ERROR: Opening Batch File\n");
return 0;
}
pHeader *old = ReadID(bat, numberOfImages);
fclose(bat);
if(old == NULL){
fprintf(stderr, "ERROR: Allocating Memeory (headers).\n");
return 0;
}
uint8_t oldPixel = 0, four = 0;
uint32_t k = 0;
FILE *modifiedBin = NULL;
FILE *originalBin = NULL;
uint8_t *headerTemplate;
uint32_t headerSize;
if ((modifiedBin = fopen((const char*)MODIFIEDBIN, "wb")) == NULL){
fprintf(stderr, "ERROR: Failed To Open File\n%s\n", MODIFIEDBIN);
return 0;
}
if ((originalBin = fopen((const char*)ORIGINALBIN, "rb")) == NULL){
fprintf(stderr, "ERROR: Failed To Open File\n%s\n", ORIGINALBIN);
fclose(modifiedBin);
return 0;
}
uint32_t modifiedSize = 0, originalSize = GetSize(originalBin);
headerSize = old[0].offset;
headerTemplate = (uint8_t*)malloc(headerSize);
if(headerTemplate == NULL){
fclose(originalBin);
fclose(modifiedBin);
unlink(MODIFIEDBIN);
fprintf(stderr, "\nERROR: Allocating Memory (header temp).\n");
return 0;
}
memset(headerTemplate, 0, headerSize);
if((fread(headerTemplate, 1, headerSize, originalBin)) != headerSize){
fclose(originalBin);
fclose(modifiedBin);
unlink(MODIFIEDBIN);
fprintf(stderr, "\nERROR: Reading File (original bin).\n");
return 0;
}
if((fwrite(headerTemplate, 1, headerSize, modifiedBin)) != headerSize){
fclose(originalBin);
fclose(modifiedBin);
unlink(MODIFIEDBIN);
fprintf(stderr, "\nERROR: Writing File (header temp).\n");
return 0;
}
printf(" Image Name W x H Offset Size Decoded Size \n");
UNDERSCORE;
color = INVERSE(COLOR);
for( i = 0 ; i < numberOfImages; k = 0, i++, four++){
printf("Decoding PNG..");
uint32_t width = 0, height = 0, crcrc = 0, offset = 0;
uint8_t *decodedPNG;
FILE *pngFile = NULL;
if ((pngFile = fopen((const char*)old[i].pathToPNG, "rb")) == NULL){
fprintf(stderr, "ERROR: Opening Png File\n%s\n", old[i].pathToPNG);
fclose(modifiedBin);
fclose(originalBin);
unlink(MODIFIEDBIN);
return 0;
}
width = GetWidth(pngFile);
height = GetHeight(pngFile);
if((width < 1) || (height <1)){
fclose(modifiedBin);
fclose(originalBin);
unlink(MODIFIEDBIN);
fclose(pngFile);
return 0;
}
const uint32_t rawBytes = width * height * 3;
if (four == PATTERN){
color = INVERSE(color);
four = 0;
}
SetConsoleTextAttribute(hConsole, color);
decodedPNG = (uint8_t*)malloc(rawBytes);
if(decodedPNG == NULL){
fclose(originalBin);
fclose(modifiedBin);
unlink(MODIFIEDBIN);
fprintf(stderr, "\nERROR: Allocating Memory (decoded png).\n");
return 0;
}
lodepng_decode24_file(&decodedPNG, (uint32_t*)&width, (uint32_t*)&height , (const char*)old[i].pathToPNG);
fclose(pngFile);
crcrc = crc32(0L, Z_NULL, 0);
crcrc = crc32(crcrc, decodedPNG, rawBytes);
printf("Swapping Color Order..");
while( k < rawBytes ){
oldPixel = decodedPNG[k];
decodedPNG[k] = decodedPNG[k + 2];
decodedPNG[k + 2] = oldPixel;
k += 3;
}
offset = ftell(modifiedBin);
memcpy(&headerTemplate[40 + (i * 52) + 44], &offset, 4);
if((crcrc == old[i].crc32) && (!brute)){
free(decodedPNG);
printf("Image Unchanged, Copying Data..");
fseek(originalBin, old[i].offset, SEEK_SET);
uint8_t *buff = (uint8_t*)malloc(old[i].size);
if(buff == NULL){
fclose(originalBin);
fclose(modifiedBin);
unlink(MODIFIEDBIN);
fprintf(stderr, "\nERROR: Allocating Memory (copy original buffer).\n");
return 0;
}
if((fread(buff, 1, old[i].size, originalBin)) != old[i].size){
fclose(originalBin);
fclose(modifiedBin);
unlink(MODIFIEDBIN);
fprintf(stderr, "\nERROR: Reading File (copy original buffer).\n");
return 0;
}
if((fwrite(buff, 1, old[i].size, modifiedBin)) != old[i].size){
fclose(originalBin);
fclose(modifiedBin);
unlink(MODIFIEDBIN);
fprintf(stderr, "\nERROR: Writing File (copy original buffer).\n");
return 0;
}
free(buff);
printf("\r %2d.%-32s %4d x %-4d %10d %10d %12d \n", i + 1, old[i].name, width, height, offset, old[i].size, old[i].decodedSize);
} else {
uint32_t compressedSize = 0;
printf("Encoding Image..");
uint8_t *buff = (uint8_t*)malloc((rawBytes * 1.1) + 12);
if(buff == NULL){
fclose(originalBin);
fclose(modifiedBin);
unlink(MODIFIEDBIN);
fprintf(stderr, "\nERROR: Allocating Memory (encode buffer).\n");
return 0;
}
gzNewHeaderp.name = old[i].gzName;
gzNewHeaderp.os = old[i].os;
gzNewHeaderp.time = old[i].time;
buff = enc(decodedPNG, rawBytes , buff, (rawBytes * 1.1) + 12, 9, &compressedSize);
if((fwrite(buff, 1, compressedSize, modifiedBin)) != compressedSize){
fclose(originalBin);
fclose(modifiedBin);
unlink(MODIFIEDBIN);
fprintf(stderr, "\nERROR: Writing File (encode buffer).\n");
return 0;
}
memcpy(&headerTemplate[40 + ( i * 52) + 48], &compressedSize, 4);
free(buff);
free(decodedPNG);
SetConsoleTextAttribute(hConsole, INVERSE(__INFO_));
if((width != old[i].width) || (height != old[i].height)){
SetConsoleTextAttribute(hConsole, WARNING);
resolutionChanges++;
memcpy(&headerTemplate[40 + ( i * 52) + 32], &width , 4);
memcpy(&headerTemplate[40 + ( i * 52) + 36], &height, 4);
}
printf("\r %2d.%-32s %4d x %-4d %10d %10d %12d \n", i + 1, old[i].name, width, height, offset, compressedSize, rawBytes);
}
}
uint8_t l = 0;
for(l = 0; l < 85; l++){
printf("%c", 196);
}
printf("\n");
SetConsoleTextAttribute(hConsole, COLOR);
if (resolutionChanges){
BLANKLINE;
SetConsoleTextAttribute(hConsole, WARNING);
if (resolutionChanges == 1){
printf("The Resolution Changed With The Image In Red! It has been newly encoded. \n");
} else {
printf("The Resolution Changed With The %d Images In Red!They have been newly encoded. ", resolutionChanges);
if(resolutionChanges < 10){
printf(" \n");
} else {
printf("\n");
}
}
printf("IT MAY NOT BE SAFE TO FLASH THIS FILE!! \n");
printf("PLEASE KNOW WHAT YOU ARE DOING!! \n");
SetConsoleTextAttribute(hConsole, COLOR);
BLANKLINE;
} else {
printf("SUCCESS!! \n");
printf("You Can Flash The File 'Modified-SPLASH.bin' in fastboot. \n");
}
fseek(modifiedBin, 0, SEEK_SET);
if((fwrite(headerTemplate, 1, headerSize, modifiedBin)) != headerSize){
fclose(modifiedBin);
unlink(MODIFIEDBIN);
fclose(originalBin);
}
free(headerTemplate);
modifiedSize = GetSize(modifiedBin);
SetConsoleTextAttribute(hConsole, __INFO_);
printf(" %c", 218);
for(l = 0; l < 38; l++){
printf("%c", 196);
}
printf("%c \n", 191);
printf(" %cOriginal Size: %8d bytes, %4.2f MB%c \n", 179, originalSize, (float)originalSize/(float)1024/(float)1024, 179);
printf(" %cModified Size: %8d bytes, %4.2f MB%c \n", 179, modifiedSize, (float)modifiedSize/(float)1024/(float)1024, 179);
printf(" %c", 192);
for(i = 0; i < 38; i++){
printf("%c", 196);
}
printf("%c \n", 217);
BLANKLINE;
printf(" Press and key to exit...... \n");
fclose(modifiedBin);
fclose(originalBin);
return 1;
}
void FinishLineSpaces(uint8_t alreadyTaken){
uint8_t a = 1;
for (a = 1; a < SCREENWIDTH - alreadyTaken; a++){
printf(" ");
}
printf("\n");
}
int8_t CheckBinOffsets(FILE *modifiedFile){
uint32_t numberOfImages = 0;
uint32_t i = 0;
uint16_t data = 0;
const uint16_t magic = 0x8b1f;
uint32_t offset = 0, match = 0;
fseek(modifiedFile, 36, SEEK_SET);
if((fread(&numberOfImages, 1, 4, modifiedFile)) != 4){
fprintf(stderr, "\nERROR: Reading File (check bin offsets).\n");
return -1;
}
for(i = 0; i < numberOfImages ; i++){
fseek(modifiedFile, 40 + (i * 52) + 44, SEEK_SET);
if((fread(&offset, 1, 4, modifiedFile)) != 4){
fprintf(stderr, "\nERROR: Reading File (offset).\n");
return -1;
}
fseek(modifiedFile, offset, SEEK_SET);
if((fread(&data , 1, 2, modifiedFile)) != 2){
fprintf(stderr, "\nERROR: Reading File (two byte header).\n");
return -1;
}
if(data == magic){match++;}
}
return match - numberOfImages;
}
int32_t main(int32_t argc, char **argv){
int32_t c;
uint8_t numberOfImages = 0, brute = 0;
uint8_t splash[32] = {0};
uint8_t *path = NULL, *inputFile = NULL, *build = NULL;
FILE *input = NULL;
uint8_t command[512];
HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
CONSOLE_SCREEN_BUFFER_INFO consoleInfo;
CONSOLE_CURSOR_INFO cursor;
cursor.dwSize = 1;
cursor.bVisible = FALSE;
SetConsoleCursorInfo(hConsole, &cursor);
WORD originalColor;
GetConsoleScreenBufferInfo(hConsole, &consoleInfo);
originalColor = consoleInfo.wAttributes;
SetConsoleTextAttribute(hConsole, COLOR);
DrawHead();
while ((c = getopt (argc, (char**)argv, "i:I:p:P:b:B:n:N")) != -1){
switch(c)
{
case 'i':
case 'I':
inputFile = (uint8_t*)optarg;
break;
case 'p':
case 'P':
path = (uint8_t*)optarg;
break;
case 'b':
build = (uint8_t*)optarg;
break;
case 'B':
build = (uint8_t*)optarg;
brute = 1;
break;
case 'n':
case 'N':
numberOfImages = atoi(optarg);
break;
}
}
if(build){
int ret = BuildImages(build, numberOfImages, brute, hConsole);
if(ret){
FILE *modifiedBin = NULL;
if ((modifiedBin = fopen((const char*)MODIFIEDBIN, "rb")) == NULL){
fclose(modifiedBin);
fprintf(stderr, "%s could not be opened.\n", MODIFIEDBIN);
SetConsoleTextAttribute(hConsole, originalColor);
exit(EXIT_FAILURE);
}
if ((CheckBinOffsets(modifiedBin)) != 0){
fclose(modifiedBin);
fprintf(stderr, "Error in writing offsets.\n");
unlink(MODIFIEDBIN);
ret = 0;
}
}
SetConsoleTextAttribute(hConsole, originalColor);
return ret;
}
if((input = fopen((const char*)inputFile, "rb")) == NULL){
fprintf(stderr, "%s cound not be opened to read.", inputFile);
SetConsoleTextAttribute(hConsole, originalColor);
exit(EXIT_FAILURE);
}
if((fread(&splash, 1, 32, input)) != 32){
fprintf(stderr, "\nERROR: Reading File (splash).\n");
SetConsoleTextAttribute(hConsole, originalColor);
exit(EXIT_FAILURE);
}
uint8_t *data = NULL;
uint64_t start = 0, end = 0;
FILE *workingFile = NULL;
sprintf((char*)command,"%s\\%s", path , ORIGINALBIN );
if((workingFile = fopen((const char*)command, "wb")) == NULL){
fclose(workingFile);
fprintf(stderr, "\n%s\\%s could not be opened.\n", path, ORIGINALBIN);
SetConsoleTextAttribute(hConsole, originalColor);
exit(EXIT_FAILURE);
}
if (strncmp((const char*)splash, (const char*)splashHeader, 32) != 0 ){
if ((data = FindSplashFile(input, &start, &end)) != NULL){
fclose(input);
if((fwrite(data, 1 , end - start, workingFile)) != end - start){
fclose(workingFile);
fprintf(stderr, "ERROR: Writing File (cut splash).\n");
SetConsoleTextAttribute(hConsole, originalColor);
exit(EXIT_FAILURE);
}
fclose(workingFile);
if ((workingFile = fopen((const char*)command, "rb")) == NULL){
fclose(workingFile);
fprintf(stderr, "%s could not be opened.\n", command);
SetConsoleTextAttribute(hConsole, originalColor);
exit(EXIT_FAILURE);
}
} else {
printf("No SPLASH2!! header found in file.\n%s\nPress any key to exit.\n", inputFile);
fclose(workingFile);
fclose(input);
SetConsoleTextAttribute(hConsole, originalColor);
exit(EXIT_FAILURE);
}
} else {
uint32_t sizeFile = GetSize(input);
data = (uint8_t*)malloc(sizeFile);
if(data == NULL){
fclose(workingFile);
fclose(input);
fprintf(stderr, "ERROR: Allocating Memory (original splash file copy).\n");
return 0;
}
fseek(input, 0, SEEK_SET);
if((workingFile = fopen((const char*)command, "wb")) == NULL){
fclose(workingFile);
fprintf(stderr, "%s could not be opened.\n", command);
SetConsoleTextAttribute(hConsole, originalColor);
exit(EXIT_FAILURE);
}
if((fread(data, 1, sizeFile, input)) != sizeFile){
fclose(workingFile);
fprintf(stderr,"ERROR: Read Fail (data)\n");
SetConsoleTextAttribute(hConsole, originalColor);
exit(EXIT_FAILURE);
}
if((fwrite(data, 1, sizeFile, workingFile)) != sizeFile){
fclose(workingFile);
fprintf(stderr,"ERROR: Write Fail (data)\n");
SetConsoleTextAttribute(hConsole, originalColor);
exit(EXIT_FAILURE);
}
free(data);
fclose(input);
fclose(workingFile);
if ((workingFile = fopen((const char*)command, "rb")) == NULL){
fclose(workingFile);
fprintf(stderr, "%s could not be opened.\n", command);
SetConsoleTextAttribute(hConsole, originalColor);
exit(EXIT_FAILURE);
}
}
if ((CheckBinOffsets(workingFile)) != 0){
fclose(workingFile);
fprintf(stderr, "Initial offset check revealed invalid magic numbers.\n");
SetConsoleTextAttribute(hConsole, originalColor);
exit(EXIT_FAILURE);
}
if (decode(workingFile, path, hConsole)){
sprintf((char*)command, "start \"\" \"%s\\\"", path);
system((const char*)command);
}
printf("Press and key to exit...... \n");
SetConsoleTextAttribute(hConsole, originalColor);
return EXIT_SUCCESS;
}
Nexus6Pcodec.h
Code:
#define PATTERN 5
#define SCREENWIDTH 86
#define BACKGROUNDCOLOR 0x00
#define MERGEBACKGROUND(x) ((BACKGROUNDCOLOR & 0xf0) | (x & 0x0f))
#define COLOR MERGEBACKGROUND(0xbb)
#define TOPCOLOR MERGEBACKGROUND(0xbb)
#define TOPTEXTCOLOR MERGEBACKGROUND(0Xbb)
#define BLUE MERGEBACKGROUND(0x09)
#define RED MERGEBACKGROUND(0x0c)
#define YELLOW MERGEBACKGROUND(0x0e)
#define GREEN MERGEBACKGROUND(0x0a)
#define WARNING 0xcf
#define __INFO_ MERGEBACKGROUND(0xaa)
#define __HIGHLIGHT_ MERGEBACKGROUND(0xee)
#define SIZEOFLONGINT 4
#define MODIFIEDBIN "Modified-SPLASH.bin"
#define ORIGINALBIN "Original-SPLASH.bin"
#define IMAGES_DIR "Images"
#define BLOCKSIZE 512
#define SWAP32(x) (( x >> 24 )&0xff) | ((x << 8)&0xff0000) | ((x >> 8)&0xff00) | ((x << 24)&0xff000000)
#define INVERSE(x) ( (x & 0x0F)<<4 | (x & 0xF0)>>4 )
#define BLANKLINE printf(" \n")
#define UNDERSCORE printf("_____________________________________________________________________________________\n")
typedef struct {
uint8_t name[33];
uint32_t width;
uint32_t height;
uint32_t bpp;
uint32_t offset;
uint32_t size;
uint8_t gzName[37];
uint32_t time;
uint32_t os;
uint32_t decodedSize;
uint32_t crc32;
uint8_t pathToPNG[512];
} pHeader;
uint8_t *FindSplashFile(FILE*, uint64_t*, uint64_t*);
uint32_t GetSize(FILE*);
void DrawHead(void);
uint8_t *dec(uint8_t*, uint8_t*, uint32_t, uint32_t);
uint8_t *enc(uint8_t*, uint32_t, uint8_t*, uint32_t, int, uint32_t*);
int decode(FILE*, const uint8_t*, HANDLE);
pHeader *ReadID(FILE*, uint8_t);
uint32_t GetWidth(FILE*);
uint32_t GetHeight(FILE*);
int BuildImages(uint8_t*, uint8_t, uint8_t, HANDLE);
void FinishLineSpaces(uint8_t);
int8_t CheckBinOffsets(FILE*);
int32_t main(int32_t, char**);
gz_header gzNewHeaderp;
uint8_t version[] = "1.1";
const uint8_t splashHeader[] = "SPLASH2!!\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
uint8_t *dec(uint8_t *source, uint8_t *dest, uint32_t srclen, uint32_t dstlen){
int rtn;
z_stream zStream = {0};
zStream.zalloc = Z_NULL;
zStream.zfree = Z_NULL;
zStream.opaque = Z_NULL;
zStream.total_in = zStream.avail_in = srclen;
zStream.total_out = zStream.avail_out = dstlen;
zStream.next_in = (uint8_t*)source;
zStream.next_out = (uint8_t*)dest;
rtn = inflateInit2(&zStream, 16 + MAX_WBITS);
if (rtn != Z_OK){
fprintf(stderr, "Error: Initialising Decoder\n");
(void)inflateEnd(&zStream);
return NULL;
}
rtn = inflateGetHeader(&zStream, &gzNewHeaderp);
if (rtn != Z_OK){
fprintf(stderr, "Error: Reading Header\n");
(void)inflateEnd(&zStream);
return NULL;
}
rtn = inflate(&zStream, Z_FINISH);
if (rtn != Z_STREAM_END){
fprintf(stderr, "Error: Decoding\n");
(void)inflateEnd(&zStream);
return NULL;
}
(void)inflateEnd(&zStream);
return dest;
}
uint8_t *enc(uint8_t *source, uint32_t srclen , uint8_t *dest, uint32_t dstlen, int level, uint32_t *compressedSize){
int rtn;
z_stream zStream = {0};
zStream.total_in = zStream.avail_in = srclen;
zStream.total_out = zStream.avail_out = dstlen;
zStream.next_in = (uint8_t*)source;
zStream.next_out = dest;
zStream.zalloc = Z_NULL;
zStream.zfree = Z_NULL;
zStream.opaque = Z_NULL;
rtn = deflateInit2(&zStream, level, Z_DEFLATED, 16 + MAX_WBITS, 8, Z_DEFAULT_STRATEGY);
if (rtn != Z_OK){
fprintf(stderr, "Error: Initialising Encoder\n");
(void)deflateEnd(&zStream);
return NULL;
}
rtn = deflateSetHeader(&zStream, &gzNewHeaderp);
if (rtn != Z_OK){
fprintf(stderr, "Error: Writing Header\n");
(void)deflateEnd(&zStream);
return NULL;
}
rtn = deflate(&zStream, Z_FINISH);
if (rtn != Z_STREAM_END){
fprintf(stderr, "Error: Encoding\n");
(void)deflateEnd(&zStream);
return NULL;
}
*compressedSize = zStream.total_out;
(void)deflateEnd(&zStream);
return dest;
}
Added to Nexus 6P index thread:
[INDEX] Huawei Nexus 6P
makers_mark said:
Code:
future source
Click to expand...
Click to collapse
so just flash and the warning boot is gone
Code:
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
adbd is already running as root
Pulling first 64 bytes of each partition, and comparing the results with the target data.
Please wait...
Press any key to exit and delete all of the temporary partition files...
Check Partitions.bat seems to find nothing here.
Log: https://www.dropbox.com/s/rfq2qqnu308zm8z/log.txt?dl=0
gandharva said:
Code:
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
adbd is already running as root
Pulling first 64 bytes of each partition, and comparing the results with the target data.
Please wait...
Press any key to exit and delete all of the temporary partition files...
Check Partitions.bat seems to find nothing here.
Log: https://www.dropbox.com/s/rfq2qqnu308zm8z/log.txt?dl=0
Click to expand...
Click to collapse
I hope that's wrong. For a long time some manufacturers have put the splash screen and vendor related images in a easily identifiable partition. Google (nexus) just started doing this with the n5 and n6. The whole point, from what I could infer, was to be able to allow 2nd parties to change images specific to their brand. The way Google does it, is by transporting the encoded images via the bootloader, to their own partition. That may not be the case anymore (it is definitely transported by the bootloader but it may be in aboot partition or another that is not modifiable, or it may simply be in a file in the system partition). With that batch file, I just check the first parts of every partition, it may not be the same as it usually is, and be combined somewhere in one. It sucks not having a 6p, because it is on there some where. Thank you, would you mind trying another test tomorrow by pm?
Sure, just send me the script or whatever you want me to check.
gandharva said:
Sure, just send me the script or whatever you want me to check.
Click to expand...
Click to collapse
Thanks, here it is. This pulls every partition except userdata and uses my FindSplash function from my program that locates the header inside of a file. (instead of FC). Here is the source of myfc.c
Code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
int32_t FindSplashFile(FILE *input){
int readByte;
uint8_t pos = 0;
uint32_t start = 0;
const uint8_t splashHeader[] = "SPLASH2!!\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
// const uint8_t splashHeader[] = {128, 0, 8, 0, 4, 0 , 0 ,0,10,243,1,0,4,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,75,4,0,0};
fseek(input, 0, SEEK_SET);
while ((readByte = fgetc(input)) != EOF){
if (readByte == splashHeader[pos]){
if (pos == 31){
start = ftell(input) - 32;
fprintf(stderr, "\nSPLASH2!! header found at byte %d, %08x\n\n", start, start);
return 1;
} else {
pos++;
continue;
}
}
pos = 0;
}
return 0;
}
int32_t main(int32_t argc, char **argv){
int c = 0;
uint8_t *inputFile;
FILE *input = NULL;
while ((c = getopt (argc, (char**)argv, "i:I:")) != -1){
switch(c)
{
case 'i':
case 'I':
inputFile = (uint8_t*)optarg;
break;
}
}
if ((input = fopen((const char*)inputFile, "rb")) == NULL){
fclose(input);
fprintf(stderr, "File could not be opened.\n");
return 0;
}
return FindSplashFile(input);
}
Hopefully you'll find this info useful...
Contents of log.txt from Check Partitions
Checking mmcblk0p1 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.001 secs (64000 bytes/sec)
4 KB/s (64 bytes in 0.013s)
Checking mmcblk0p2 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
6 KB/s (64 bytes in 0.010s)
Checking mmcblk0p3 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.007 secs (9142 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p4 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.006 secs (10666 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p5 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.008 secs (8000 bytes/sec)
5 KB/s (64 bytes in 0.011s)
Checking mmcblk0p6 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.005 secs (12800 bytes/sec)
5 KB/s (64 bytes in 0.012s)
Checking mmcblk0p7 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.007 secs (9142 bytes/sec)
6 KB/s (64 bytes in 0.009s)
Checking mmcblk0p8 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.006 secs (10666 bytes/sec)
6 KB/s (64 bytes in 0.010s)
Checking mmcblk0p9 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.007 secs (9142 bytes/sec)
6 KB/s (64 bytes in 0.009s)
Checking mmcblk0p10 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.006 secs (10666 bytes/sec)
4 KB/s (64 bytes in 0.014s)
Checking mmcblk0p11 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.005 secs (12800 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p12 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
5 KB/s (64 bytes in 0.012s)
Checking mmcblk0p13 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.005 secs (12800 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p14 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
10 KB/s (64 bytes in 0.006s)
Checking mmcblk0p15 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.008 secs (8000 bytes/sec)
6 KB/s (64 bytes in 0.009s)
Checking mmcblk0p16 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.003 secs (21333 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p17 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.005 secs (12800 bytes/sec)
6 KB/s (64 bytes in 0.009s)
Checking mmcblk0p18 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.006 secs (10666 bytes/sec)
5 KB/s (64 bytes in 0.011s)
Checking mmcblk0p19 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.005 secs (12800 bytes/sec)
4 KB/s (64 bytes in 0.013s)
Checking mmcblk0p20 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.005 secs (12800 bytes/sec)
10 KB/s (64 bytes in 0.006s)
Checking mmcblk0p21 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.004 secs (16000 bytes/sec)
10 KB/s (64 bytes in 0.006s)
Checking mmcblk0p22 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.007 secs (9142 bytes/sec)
5 KB/s (64 bytes in 0.011s)
Checking mmcblk0p23 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.006 secs (10666 bytes/sec)
5 KB/s (64 bytes in 0.012s)
Checking mmcblk0p24 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.008 secs (8000 bytes/sec)
5 KB/s (64 bytes in 0.011s)
Checking mmcblk0p25 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.006 secs (10666 bytes/sec)
6 KB/s (64 bytes in 0.010s)
Checking mmcblk0p26 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.003 secs (21333 bytes/sec)
12 KB/s (64 bytes in 0.005s)
Checking mmcblk0p27 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
15 KB/s (64 bytes in 0.004s)
Checking mmcblk0p28 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.003 secs (21333 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p29 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
6 KB/s (64 bytes in 0.010s)
Checking mmcblk0p30 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.005 secs (12800 bytes/sec)
6 KB/s (64 bytes in 0.009s)
Checking mmcblk0p31 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
8 KB/s (64 bytes in 0.007s)
Checking mmcblk0p32 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.001 secs (64000 bytes/sec)
5 KB/s (64 bytes in 0.011s)
Checking mmcblk0p33 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
6 KB/s (64 bytes in 0.010s)
Checking mmcblk0p34 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.003 secs (21333 bytes/sec)
6 KB/s (64 bytes in 0.009s)
Checking mmcblk0p35 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.007 secs (9142 bytes/sec)
4 KB/s (64 bytes in 0.013s)
Checking mmcblk0p36 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.006 secs (10666 bytes/sec)
5 KB/s (64 bytes in 0.011s)
Checking mmcblk0p37 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.001 secs (64000 bytes/sec)
12 KB/s (64 bytes in 0.005s)
Checking mmcblk0p38 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p39 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p40 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.001 secs (64000 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p41 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.008 secs (8000 bytes/sec)
8 KB/s (64 bytes in 0.007s)
Checking mmcblk0p42 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
5 KB/s (64 bytes in 0.011s)
Checking mmcblk0p43 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
12 KB/s (64 bytes in 0.005s)
Checking mmcblk0p44 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.001 secs (64000 bytes/sec)
8 KB/s (64 bytes in 0.007s)
Checking mmcblk0rpmb partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
4 KB/s (64 bytes in 0.013s)
Partition listing from DiskInfo app
* modem [mmcblk0p1] (/firmware) [vfat]
Used: 47.2 MB, Free: 32.8 MB, Total space: 80 MB
* sbl1 [mmcblk0p2] Not mounted
* sdi [mmcblk0p3] Not mounted
* tz [mmcblk0p4] Not mounted
* rpm [mmcblk0p5] Not mounted
* hyp [mmcblk0p6] Not mounted
* pmic [mmcblk0p7] Not mounted
* DDR [mmcblk0p8] Not mounted
* sec [mmcblk0p9] Not mounted
* aboot [mmcblk0p10] Not mounted
* pmicbak [mmcblk0p11] Not mounted
* sbl1bak [mmcblk0p12] Not mounted
* tzbak [mmcblk0p13] Not mounted
* rpmbak [mmcblk0p14] Not mounted
* hypbak [mmcblk0p15] Not mounted
* abootbak [mmcblk0p16] Not mounted
* devinfo [mmcblk0p17] Not mounted
* fsg [mmcblk0p18] Not mounted
* limits [mmcblk0p19] Not mounted
* modemst1 [mmcblk0p20] Not mounted
* modemst2 [mmcblk0p21] Not mounted
* apdp [mmcblk0p22] Not mounted
* msadp [mmcblk0p23] Not mounted
* keymaster [mmcblk0p24] Not mounted
* cmnlib [mmcblk0p25] Not mounted
* keymasterbak [mmcblk0p26] Not mounted
* cmnlibbak [mmcblk0p27] Not mounted
* dpo [mmcblk0p28] Not mounted
* fsc [mmcblk0p29] Not mounted
* ssd [mmcblk0p30] Not mounted
* oeminfo [mmcblk0p31] Not mounted
* persist [mmcblk0p32] (/persist) [ext4]
Used: 5 MB, Free: 3 MB, Total space: 8 MB
* metadata [mmcblk0p33] Not mounted
* boot [mmcblk0p34] Not mounted
* recovery [mmcblk0p35] Not mounted
* oem [mmcblk0p36] Not mounted
* vendor [mmcblk0p37] (/vendor) [ext4]
Used: 193 MB, Free: 6.6 MB, Total space: 200 MB
* Cache [mmcblk0p38] (/cache) [ext4]
Used: 7.7 MB, Free: 92.3 MB, Total space: 100 MB
* misc [mmcblk0p39] Not mounted
* keystore [mmcblk0p40] Not mounted
* frp [mmcblk0p41] Not mounted
* persistent [mmcblk0p42] Not mounted
* System [mmcblk0p43] (/system) [ext4]
Used: 1018 MB, Free: 2 GB, Total space: 3 GB
* Data (userdata) [mmcblk0p44] (/data) [ext4]
Used: 33.2 GB, Free: 21.5 GB, Total space: 54.7 GB
* mmcblk0rpmb [mmcblk0rpmb] Not mounted
zamula said:
Hopefully you'll find this info useful...
Contents of log.txt from Check Partitions
Checking mmcblk0p1 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.001 secs (64000 bytes/sec)
4 KB/s (64 bytes in 0.013s)
Checking mmcblk0p2 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
6 KB/s (64 bytes in 0.010s)
Checking mmcblk0p3 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.007 secs (9142 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p4 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.006 secs (10666 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p5 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.008 secs (8000 bytes/sec)
5 KB/s (64 bytes in 0.011s)
Checking mmcblk0p6 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.005 secs (12800 bytes/sec)
5 KB/s (64 bytes in 0.012s)
Checking mmcblk0p7 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.007 secs (9142 bytes/sec)
6 KB/s (64 bytes in 0.009s)
Checking mmcblk0p8 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.006 secs (10666 bytes/sec)
6 KB/s (64 bytes in 0.010s)
Checking mmcblk0p9 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.007 secs (9142 bytes/sec)
6 KB/s (64 bytes in 0.009s)
Checking mmcblk0p10 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.006 secs (10666 bytes/sec)
4 KB/s (64 bytes in 0.014s)
Checking mmcblk0p11 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.005 secs (12800 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p12 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
5 KB/s (64 bytes in 0.012s)
Checking mmcblk0p13 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.005 secs (12800 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p14 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
10 KB/s (64 bytes in 0.006s)
Checking mmcblk0p15 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.008 secs (8000 bytes/sec)
6 KB/s (64 bytes in 0.009s)
Checking mmcblk0p16 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.003 secs (21333 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p17 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.005 secs (12800 bytes/sec)
6 KB/s (64 bytes in 0.009s)
Checking mmcblk0p18 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.006 secs (10666 bytes/sec)
5 KB/s (64 bytes in 0.011s)
Checking mmcblk0p19 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.005 secs (12800 bytes/sec)
4 KB/s (64 bytes in 0.013s)
Checking mmcblk0p20 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.005 secs (12800 bytes/sec)
10 KB/s (64 bytes in 0.006s)
Checking mmcblk0p21 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.004 secs (16000 bytes/sec)
10 KB/s (64 bytes in 0.006s)
Checking mmcblk0p22 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.007 secs (9142 bytes/sec)
5 KB/s (64 bytes in 0.011s)
Checking mmcblk0p23 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.006 secs (10666 bytes/sec)
5 KB/s (64 bytes in 0.012s)
Checking mmcblk0p24 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.008 secs (8000 bytes/sec)
5 KB/s (64 bytes in 0.011s)
Checking mmcblk0p25 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.006 secs (10666 bytes/sec)
6 KB/s (64 bytes in 0.010s)
Checking mmcblk0p26 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.003 secs (21333 bytes/sec)
12 KB/s (64 bytes in 0.005s)
Checking mmcblk0p27 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
15 KB/s (64 bytes in 0.004s)
Checking mmcblk0p28 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.003 secs (21333 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p29 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
6 KB/s (64 bytes in 0.010s)
Checking mmcblk0p30 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.005 secs (12800 bytes/sec)
6 KB/s (64 bytes in 0.009s)
Checking mmcblk0p31 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
8 KB/s (64 bytes in 0.007s)
Checking mmcblk0p32 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.001 secs (64000 bytes/sec)
5 KB/s (64 bytes in 0.011s)
Checking mmcblk0p33 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
6 KB/s (64 bytes in 0.010s)
Checking mmcblk0p34 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.003 secs (21333 bytes/sec)
6 KB/s (64 bytes in 0.009s)
Checking mmcblk0p35 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.007 secs (9142 bytes/sec)
4 KB/s (64 bytes in 0.013s)
Checking mmcblk0p36 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.006 secs (10666 bytes/sec)
5 KB/s (64 bytes in 0.011s)
Checking mmcblk0p37 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.001 secs (64000 bytes/sec)
12 KB/s (64 bytes in 0.005s)
Checking mmcblk0p38 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p39 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p40 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.001 secs (64000 bytes/sec)
7 KB/s (64 bytes in 0.008s)
Checking mmcblk0p41 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.008 secs (8000 bytes/sec)
8 KB/s (64 bytes in 0.007s)
Checking mmcblk0p42 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
5 KB/s (64 bytes in 0.011s)
Checking mmcblk0p43 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
12 KB/s (64 bytes in 0.005s)
Checking mmcblk0p44 partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.001 secs (64000 bytes/sec)
8 KB/s (64 bytes in 0.007s)
Checking mmcblk0rpmb partition...
1+0 records in
1+0 records out
64 bytes transferred in 0.002 secs (32000 bytes/sec)
4 KB/s (64 bytes in 0.013s)
Partition listing from DiskInfo app
* modem [mmcblk0p1] (/firmware) [vfat]
Used: 47.2 MB, Free: 32.8 MB, Total space: 80 MB
* sbl1 [mmcblk0p2] Not mounted
* sdi [mmcblk0p3] Not mounted
* tz [mmcblk0p4] Not mounted
* rpm [mmcblk0p5] Not mounted
* hyp [mmcblk0p6] Not mounted
* pmic [mmcblk0p7] Not mounted
* DDR [mmcblk0p8] Not mounted
* sec [mmcblk0p9] Not mounted
* aboot [mmcblk0p10] Not mounted
* pmicbak [mmcblk0p11] Not mounted
* sbl1bak [mmcblk0p12] Not mounted
* tzbak [mmcblk0p13] Not mounted
* rpmbak [mmcblk0p14] Not mounted
* hypbak [mmcblk0p15] Not mounted
* abootbak [mmcblk0p16] Not mounted
* devinfo [mmcblk0p17] Not mounted
* fsg [mmcblk0p18] Not mounted
* limits [mmcblk0p19] Not mounted
* modemst1 [mmcblk0p20] Not mounted
* modemst2 [mmcblk0p21] Not mounted
* apdp [mmcblk0p22] Not mounted
* msadp [mmcblk0p23] Not mounted
* keymaster [mmcblk0p24] Not mounted
* cmnlib [mmcblk0p25] Not mounted
* keymasterbak [mmcblk0p26] Not mounted
* cmnlibbak [mmcblk0p27] Not mounted
* dpo [mmcblk0p28] Not mounted
* fsc [mmcblk0p29] Not mounted
* ssd [mmcblk0p30] Not mounted
* oeminfo [mmcblk0p31] Not mounted
* persist [mmcblk0p32] (/persist) [ext4]
Used: 5 MB, Free: 3 MB, Total space: 8 MB
* metadata [mmcblk0p33] Not mounted
* boot [mmcblk0p34] Not mounted
* recovery [mmcblk0p35] Not mounted
* oem [mmcblk0p36] Not mounted
* vendor [mmcblk0p37] (/vendor) [ext4]
Used: 193 MB, Free: 6.6 MB, Total space: 200 MB
* Cache [mmcblk0p38] (/cache) [ext4]
Used: 7.7 MB, Free: 92.3 MB, Total space: 100 MB
* misc [mmcblk0p39] Not mounted
* keystore [mmcblk0p40] Not mounted
* frp [mmcblk0p41] Not mounted
* persistent [mmcblk0p42] Not mounted
* System [mmcblk0p43] (/system) [ext4]
Used: 1018 MB, Free: 2 GB, Total space: 3 GB
* Data (userdata) [mmcblk0p44] (/data) [ext4]
Used: 33.2 GB, Free: 21.5 GB, Total space: 54.7 GB
* mmcblk0rpmb [mmcblk0rpmb] Not mounted
Click to expand...
Click to collapse
Will you try the program up one post? It will take awhile, and not produce a log. Not using a log seemed the best decision when pulling whole partitions, because adb-usb is slow and I felt the need to show action on the screen. It doesn't matter though, because when a partition is found containing the header, it will tell you even if you just let it run. There will also be no partition folder created, instead each partition is pulled to the directory you run the bat file from, and when there is no match inside, it is deleted. The only partition(s) remaining in the folder will have the match, and if the console is still up, it would've been announced when it was found as well as at the end.
I'm pretty sure, after looking at the fastboot source on github, that they are using the new partition slot(s), or partition provisioning A/B. No big deal, except for now since they haven't released it yet.
OK, used your new tool and found the corresponding partitions. mmcblk0p10 (aboot) and mmcblk0p16 (abootbak) both hold pictures, but mmcblk0p16 seems to be some sort of backup and it misses some pics. So it's mmcblk0p10 that needs to be altered.
Pics from mmcblk0p10: https://www.dropbox.com/s/stnewd0jkn6d355/Images_mmcblk0p10.rar?dl=0
Pics from mmcblk0p16: https://www.dropbox.com/s/calt8u27kan7cdp/Images_mmcblk0p16.rar?dl=0
I tried this but when I attempt to flash the modified splash in fastboot it says "Permission Denied"
gandharva said:
OK, used your new tool and found the corresponding partitions. mmcblk0p10 (aboot) and mmcblk0p16 (abootbak) both hold pictures, but mmcblk0p16 seems to be some sort of backup and it misses some pics. So it's mmcblk0p10 that needs to be altered.
Pics from mmcblk0p10: https://www.dropbox.com/s/stnewd0jkn6d355/Images_mmcblk0p10.rar?dl=0
Pics from mmcblk0p16: https://www.dropbox.com/s/calt8u27kan7cdp/Images_mmcblk0p16.rar?dl=0
Click to expand...
Click to collapse
Thanks a bunch for that, but I must ask, did you let it run all of the way through (or stop after mmcblk0p16)?. I am almost positive that this needs to be flashed using the new fastboot to a slot in the aboot partition. When looking at the fastboot.cpp source, there are a some changes specifically for the angler. This fastboot hasn't been released yet, but here is a screenshot of what the "help" menu tentatively looks like:
At this point, in all reality, most people will probably start weighing whether it is worth the risk of even changing any image if you have to alter a bootloader partition slot. And I would not blame you. But, on the other hand, it is awesome that there is a fail-safe aboot backup! Don't know if you noticed, but that mmcblk0p16-abootbak, contains fallback images. It actually is complete, see how the resolution is dumbed down on most of the images, and that the pause/continue images are condensed and renamed. Also, the ic_google_logo is trimmed very short (height) and probably only has the "Google" logo, sans complete fullscreen black background. This tells a lot more than you may actually realize. Like different resolution may be used, at least for the logo.
Will you, or anyone else for that matter, send me both partitions that had these in them? There is nothing special, like IMEI in them, everyone's will be identical. I'd like to understand how these slots work, because there is absolutely nothing written about them that I have found. But if there is some kind of pointer in the partition, I will find it, and hopefully find a slot name.
makers_mark said:
Thanks a bunch for that, but I must ask, did you let it run all of the way through (or stop after mmcblk0p16)?.
Click to expand...
Click to collapse
Welcome! I stopped at mmcblk0p43 because it took to long to read out /system and i had to go to work.
makers_mark said:
Will you, or anyone else for that matter, send me both partitions that had these in them? There is nothing special, like IMEI in them, everyone's will be identical. I'd like to understand how these slots work, because there is absolutely nothing written about them that I have found. But if there is some kind of pointer in the partition, I will find it, and hopefully find a slot name.
Click to expand...
Click to collapse
Check your Messages.
If I'm following this thread and understanding it as well couldn't one create custom images as a method to get rid of the orange triangle screen by duplicating the appropriate Google Sans text image and saving it to a file name whose image data was originally the file that housed the triangle image?
A bit of a ghetto fabulous work around to kill the appears of the warning message but of I'm following this thread accurately isn't that a potentiality?
I'll grab the attachments and run them here as well.
gandharva said:
Welcome! I stopped at mmcblk0p43 because it took to long to read out /system and i had to go to work.
Check your Messages.
Click to expand...
Click to collapse
Thanks, once again, but there was nothing noteworthy in either aboot or abootbak. I found more of an explanation on the slots, but I apparently was wrong in thinking that they were just splits in any given partition. You have been great (even running the suspect partitions back through the main program), not to many would of done that without direction. Will you check 43 though? If not that's perfectly fine! This is the line you need to change in the batch file with a text editor if you feel like it.
Code:
Change this line:
for /l %%t in (1,1,43) do (
To:
for /l %%t in (43,1,43) do (
It will just pull the /system partition and check it.
mostyle said:
If I'm following this thread and understanding it as well couldn't one create custom images as a method to get rid of the orange triangle screen by duplicating the appropriate Google Sans text image and saving it to a file name whose image data was originally the file that housed the triangle image?
A bit of a ghetto fabulous work around to kill the appears of the warning message but of I'm following this thread accurately isn't that a potentiality?
I'll grab the attachments and run them here as well.
Click to expand...
Click to collapse
There still lies the problem of where to put it. The aboot partition is the dead soul in your phone that awakens upon boot and sets up initial functionality and then loads the kernel, then dies. I like your insight, but there still is a little bit of data directly after the complete splash2.bin. It appears to be something that sets up nand. Even looking at the fastboot source, unlock critical "seems" to be able to let you edit the bootloader partitions, bypassing all signature checks. If that is the case and it's that easy, that extra data could easily be moved to tail the splash. There is even plenty of room in aboot to move it quite a bit. But that is wishful thinking, because I don't see how they could totally do away with un-modifiable bootloader partitions like that with an apparent movement towards security.
Typically, when the splash (and associated images) are changeable, they are in their own partition and you wouldn't have to worry about anything being overwritten. You could even have a splash that was smaller than the existing one, and after flashing the new one, those leftover bytes from the old one don't matter. It is because it is a file format that is very adamant about what it wants, and what goes where (it is pretty much how all file formats work). So when it knows the data for the last image is at (insert number) this exact byte, that's it. The extra "garbage" doesn't matter, and is never seen. When you go to substitute data (a) in place of data (b), they would have to be the exact same size because of the no room for extra data, stemming from the nand setup the very following byte. On top of that, there has never been an editable aboot partition when it comes even to Nexus (that I know of). This is very odd, and reminiscent of when I first got into the thrill of finding these encodings with the Nexus 7 2. I could get the images out, but there was no way to change them, because they were in aboot, and with the secure boot loader that checks the "competency" of the previous bootloader caller, it wasn't possible. (Anything is possible, it's just no one figured it out). Since the Nexus 5,5x,6,&9 they have all been editable and moved away from strict bootloader encoding. And those have been in a file format, JUST like this where you have your header...offset....size...name...in whatever order..
To anyone that wants to understand this encoding (since I haven't explained it yet), read below.
The format used in encoding these images is zipped with gzip. When Google released the image, I saw the SPLASH2!! header in the bootloader. It had the tale-tail signs of a format (offset, size, width, height...). You can even do this, use a hex editor and go to the offset that is listed by the program for any image (in the cutout splash.bin). Copy from there the number of bytes that is listed in the "size". Save that file as whichever image it is for easy reference, and add the extension .zip on it. Unzip it with 7-zip or gzip, and viola, you get the image in a BGR24 raw format.
I went above an beyond though, you have to when you can't test yourself. With Gzips there is an optional filename for the extracted zips, as well as a unix time stamp, and an indicator as to what type of machine actually compressed the data. I made all of this data transfer to the encoding of the image to be injected, it sounds easy but it wasn't. The goal, as always when doing this, was to make a program that could take the original encoding and change every single image in it, then build an encoder that produces an EXACTLY identical file.
Using 7-zip did the job initially (for decoding), but the data was off when encoding (no matter what setting), it was more of a quick novelty do decode. In the "Rebuild Images" batch file that is created, if you change "-b" to "-B" it will force every image to be injected (if the crc32 of any image didn't change, the existing encoding in the splash.bin was copied from the original file for speed). The filesize is the exact same, but more importantly (to me), the two files were binary twins.
Having said all of that, I think there may be one last hope as far as I can help (and it doesn't involve the bootloader partition). It was somewhat questionable when I realized what type of encoding this was. Typically there is very little "thought" by the device to process images on boot. They are usually encoded in a run-length manner which is super fast and efficient. This however has to be unzipped and then displayed. At first I said to myself, this must be really fast like nothing before (because of the max compression), or there is a driver built into the firmware to directly handle the zlib (which may be the case too).
There is the possibility that the images transported are decoded and stored somewhere else on the device in there unzipped BGR24 format. It doesn't seem logical, but neither does gzipping an image that needs to be pulled at the drop of a hat with minimal processing power. I will find the most obscure 16 or 32 bytes of data in one of the raw images and post a program to search for that set in all the partitions. Feel free to participate, but if that doesn't produce anything, I'm out! Kidding, but I will ask a moderator to move this thread to the Q&A if they don't do it anyways:cyclops:
I am including the "aboot.cab", which is an ELF, directly from the bootloader downloaded from google. This is not the partition checker for a not so random set of bytes. This is strictly for future reference and also to see if insight might come from a lurker:good:
how to flash the modified-splash.bin to bootloader,please help me thanks
makers_mark said:
Will you check 43 though?
Click to expand...
Click to collapse
Here we go! Took forever... But as you see, nothing found. -> mmcblk0p10 is the way to go.
Code:
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
adbd is already running as root
Pulling each partition, except userdata, and searching for SPLASH2!! header.
Please wait...
Checking mmcblk0p43 partition...
6291456+0 records in
6291456+0 records out
3221225472 bytes transferred in 3736.895 secs (862005 bytes/sec)
5846 KB/s (3221225472 bytes in 538.080s)
Drücken Sie eine beliebige Taste . . .
Let mine run over night and awoke to a match in p10 and p16.
If these partition dumps (exactly the same file size too) would be of use I'll be happy to share..
gandharva said:
Here we go! Took forever... But as you see, nothing found. -> mmcblk0p10 is the way to go.
Click to expand...
Click to collapse
:good:
mostyle said:
Let mine run over night and awoke to a match in p10 and p16.
If these partition dumps (exactly the same file size too) would be of use I'll be happy to share..
Click to expand...
Click to collapse
Thanks for giving it a shot! Gandharva has already provided both of the files to me, and they'll be the same.
This is my last stand ! This program at the bottom will pull every partition, and search for 32 specific bytes of an decoded gzip that might be residing somewhere. The bytes that I'm searching for is the very top of the "lock_state" image that gets decoded (they're highlighted in blue). Here it is below, feel free to participate, and if not, thanks for everything else!
No partition folder will be created. All partitions will be dd'd to the device, pulled to your computer, deleted from the device (not your partition, but the copy from dd), then checked on your PC for a match. If there isn't a match, the partition will be deleted from your computer as well. When a match is found, it will be displayed, and displayed again at the very end. It is NOT important to watch this work because if there is a match, the partition with the match will still be in the folder in the end, and the screen will still be up. Fingers crossed.:fingers-crossed:Source: myfc.c
Code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
int32_t FindSplashFile(FILE *input, uint8_t *inputFile){
int readByte;
uint8_t pos = 0;
unsigned long int cur = 0;
const uint8_t rawBGRchunk[] = { 44, 106, 106, 106, 148, 148, 148, 189, 189, 189, 221, 221, 221, 240, 240, 240,
252, 252, 252, 255, 255, 255, 252, 252, 252, 240, 240, 240, 221, 221, 221, 189};
fseek(input, 0, SEEK_SET);
while ((readByte = fgetc(input)) != EOF){
cur++;
if (readByte == rawBGRchunk[pos]){
if (pos == 31){
fprintf(stderr, "\n\n\n\n\"lock_state\" Raw image found in %s at byte %ld!\n\n\n\n\n", inputFile, cur - 32);
fclose(input);
return 1;
} else {
pos++;
continue;
}
} else if (readByte == (int)*rawBGRchunk){
pos = 1;
continue;
}
pos = 0;
}
fclose(input);
return 0;
}
int32_t main(int32_t argc, char **argv){
int c = 0;
uint8_t *inputFile;
FILE *input = NULL;
while ((c = getopt (argc, (char**)argv, "i:I:")) != -1){
switch(c)
{
case 'i':
case 'I':
inputFile = (uint8_t*)optarg;
break;
}
}
if ((input = fopen((const char*)inputFile, "rb")) == NULL){
fclose(input);
fprintf(stderr, "File could not be opened.\n");
return 0;
}
return FindSplashFile(input, inputFile);
}
Source batch file:
Code:
@echo off
title Partition Puller
set "device_dir=sdcard"
set "partitionfind=mmcblk0"
set "match="
:getpartitions
adb -d kill-server
adb -d root
if not defined device_dir echo(Device dir is undefined&goto :eof
if "[%device_dir%]"=="[]" echo(Device dir is undefined&goto :eof
echo(Pulling all partitions (minus userdata) and searching for 32 specific bytes
echo(of the raw ^"lock_state^" image that is in BGR24 format.
echo(
echo(Please wait...
for /f "skip=1 tokens=4" %%t in ('adb -d shell cat /proc/partitions^|findstr /rxic:".*%partitionfind%.*"') do (
call echo(Pulling %%t partition...
call adb -d shell dd if=/dev/block/%%t of=/%device_dir%/%%t
call adb -d pull "/%device_dir%/%%t" "%~dp0\%%t"
call adb -d shell rm "/%device_dir%/%%t"
call myfc -i "%%t" &&call del "%~dp0\%%t"||call :Match %%t
)
if defined match echo(Match found in %match%
pause
adb -d kill-server
goto :eof
:Match
set "match=%match% %1"
goto :eof