[GUIDE] What should I backup before trying to customize my MERLIN device ? (Redmi Note 9 / Redmi 10X 4G) - Redmi Note 9 Guides, News, & Discussion

WARNINGS:
NEVER try to flash in "format all" mode! Otherwise you will LOSE all secure and identifying information for your device, such as the IMEI.
Keep your backup files safe and secure! If you can, encrypt them.
Never share your backups, or your security and privacy will be compromised.
USE AT YOUR OWN RISK. I AM NOT RESPONSIBLE FOR YOUR ACTIONS.
Why back up?
If you back up the partitions listed here, you can recover from mistakes without losing your device's identification details:
IMEI, WiFi MAC, Bluetooth MAC, calibration data, NVDATA, NVRAM, RADIO/MODEM/BASEBAND and others.
How to back up?
You can back up using TWRP, PBRP, dd, SP Flash Tool or any other tool you want.
How to restore?
You can restore using TWRP, PBRP, dd, SP Flash Tool or any other tool you want.
I suggest you restore with the same tool you used for the backup.
Partition: frp
Description: This partition stores persistent data for factory reset protection, such as the Google account and Mi account/Mi Cloud.
Size: 1.024 KiB (1 MiB)
Block: /dev/block/mmcblk0p5
Start address: 0x5508000
Length: 0x100000
Partition: md_udc
Description: This partition stores the master keys for encrypting and decrypting files.
Size: 23.144 KiB (22,6 MiB)
Block: /dev/block/mmcblk0p9
Start address: 0x6e08000
Length: 0x169a000

Partition: nvcfg
Description: This partition stores variable configs of NVDATA and NVRAM.
Size: 32.768 KiB (32 MiB)
Block: /dev/block/mmcblk0p11
Start address: 0xa4a2000
Length: 0x2000000

Partition: nvdata
Description: This partition stores variable data of the secure and identifying information for your device, such as IMEI, WiFi MAC, Bluetooth MAC, calibration data and others.
Size: 65.536 KiB (64 MiB)
Block: /dev/block/mmcblk0p12
Start address: 0xc4a2000
Length: 0x4000000

Partition: nvram
Description: This partition stores persistent data of the secure and identifying information for your device, such as IMEI, WiFi MAC, Bluetooth MAC, calibration data and others.
Size: 65.536 KiB (64 MiB)
Block: /dev/block/mmcblk0p21
Start address: 0x19f00000
Length: 0x4000000

Partition: persist
Description: This partition stores persistent data for factory reset protection, such as the Google account and Mi account/Mi Cloud.
Size: 49.152 KiB (48 MiB)
Block: /dev/block/mmcblk0p13
Start address: 0x104a2000
Length: 0x3000000

Partition: proinfo
Description: This partition stores persistent data of the default structure for NVRAM/RADIO/MODEM/BASEBAND.
Size: 3.072 KiB (3 MiB)
Block: /dev/block/mmcblk0p19
Start address: 0x18200000
Length: 0x300000

Partition: protect1 (or protect_f)
Description: This partition stores variable data of SIM/RADIO/MODEM/BASEBAND settings and information.
Size: 8.192 KiB (8 MiB)
Block: /dev/block/mmcblk0p15
Start address: 0x164a2000
Length: 0x800000

Partition: protect2 (or protect_s)
Description: This partition stores variable data of SIM/RADIO/MODEM/BASEBAND settings and information.
Size: 11.640 KiB (11,36 MiB)
Block: /dev/block/mmcblk0p16
Start address: 0x16ca2000
Length: 0xb5e000

Partition: seccfg
Description: This partition stores the state of the bootloader (locked or unlocked).
Note: If you back up this partition with a locked bootloader, it will stay locked after restoring. If you want to back up this partition with an unlocked bootloader, you need to unlock the bootloader first.
Size: 8.192 KiB (8 MiB)
Block: /dev/block/mmcblk0p17
Start address: 0x17800000
Length: 0x800000
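Added example (not the guide's own code): a host-side Python script that backs up the partitions listed above over adb with dd and then proves each copy is good, by comparing a sha256 computed on the device with the pulled file and checking the file has exactly the Length given in the list. It assumes a rooted device with su, toybox dd and sha256sum on the device, adb on the host, and an on-device staging directory /sdcard/merlin_backup; all of those are assumptions, not from the guide.

```python
"""Back up the MERLIN partitions listed above over adb and verify each copy.
Added example, not from the original guide. Assumes a rooted device (su),
toybox dd and sha256sum on the device, adb on the host, and a staging
directory /sdcard/merlin_backup (all assumptions, not from the guide)."""
import hashlib
import os
import subprocess

# name, block device, length in bytes: the values from the partition list above
MERLIN_PARTITIONS = [
    ("frp",      "/dev/block/mmcblk0p5",  0x100000),
    ("md_udc",   "/dev/block/mmcblk0p9",  0x169a000),
    ("nvcfg",    "/dev/block/mmcblk0p11", 0x2000000),
    ("nvdata",   "/dev/block/mmcblk0p12", 0x4000000),
    ("nvram",    "/dev/block/mmcblk0p21", 0x4000000),
    ("persist",  "/dev/block/mmcblk0p13", 0x3000000),
    ("proinfo",  "/dev/block/mmcblk0p19", 0x300000),
    ("protect1", "/dev/block/mmcblk0p15", 0x800000),
    ("protect2", "/dev/block/mmcblk0p16", 0xb5e000),
    ("seccfg",   "/dev/block/mmcblk0p17", 0x800000),
]
STAGING = "/sdcard/merlin_backup"  # assumed on-device staging directory


def adb(args, run=subprocess.run):
    """Run one adb command on the host and return its stdout (raises if adb fails).
    `run` is injectable so the flow can be exercised without a device."""
    proc = run(["adb", *args], capture_output=True, text=True, check=True)
    return proc.stdout


def backup_partition(name, dev, expected_len, outdir, run=subprocess.run):
    """dd one partition to the staging dir, pull it, then prove the copy is good:
    the sha256 computed on the device must match the pulled file, and the file
    must have exactly the length the partition list gives.
    Returns (local_path, sha256_hex); raises ValueError on any mismatch."""
    remote = f"{STAGING}/{name}.img"
    # adb joins its arguments with spaces (no escaping), so the whole command is
    # handed to su -c as one single-quoted string.
    adb(["shell", f"su -c 'mkdir -p {STAGING} && dd if={dev} of={remote} bs=4096'"], run)
    remote_hash = adb(["shell", f"su -c 'sha256sum {remote}'"], run).split()[0]
    local = os.path.join(outdir, f"{name}.img")
    adb(["pull", remote, local], run)
    with open(local, "rb") as fh:
        data = fh.read()
    local_hash = hashlib.sha256(data).hexdigest()
    if local_hash != remote_hash:
        raise ValueError(f"{name}: sha256 differs between device and host copy")
    if len(data) != expected_len:
        raise ValueError(f"{name}: got {len(data)} bytes, expected {expected_len}")
    return local, local_hash


def backup_all(outdir, partitions=MERLIN_PARTITIONS, run=subprocess.run):
    """Back up every listed partition and write a SHA256SUMS manifest beside the
    images, so a later restore can be checked against it. Returns {name: sha256}."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {}
    for name, dev, length in partitions:
        _, digest = backup_partition(name, dev, length, outdir, run)
        manifest[name] = digest
    with open(os.path.join(outdir, "SHA256SUMS"), "w") as fh:
        for name, digest in manifest.items():
            fh.write(f"{digest}  {name}.img\n")
    return manifest


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "merlin_backup"
    for part, digest in backup_all(target).items():
        print(f"{part:9} {digest}")
```

Keep the manifest with the images: before restoring, hashing each image again and comparing against SHA256SUMS tells you the backup has not been altered or truncated in storage.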
Do you need help with your MERLIN device?
Read this FAQ: https://forum.xda-developers.com/t/...for-merlin-redmi-note-9-redmi-10x-4g.4225163/

Can't figure out how to do a backup with SP flash tool. What's the easiest way?

ticotexas said:
Can't figure out how to do a backup with SP flash tool. What's the easiest way?
You can back up with SP Flash Tool easily too.
Use this readback file:
[READBACK][FLASH] Read Back file for backuping using flash tool from MERLIN (Xiaomi Redmi Note 9 / Xiaomi Redmi 10X 4G)
Works with: - Xiaomi Redmi Note 9 - Xiaomi Redmi 10X 4G How to use it: 1. Paste the file inside home folder of flash tool. (If there is an existing file, you need to overwrite it.) 2. Open flash tool. 3. Open "download" tab, select scatter...
forum.xda-developers.com

Where do I get the Scatter-loading file and Authentication file?

ticotexas said:
Where do I get the Scatter-loading file and Authentication file?
You can skip the auth file if you use any of these DA (download agent) files:
[DA][FLASH] DA files for flashing to MERLIN using FLASH TOOL (Xiaomi Redmi Note 9 / Xiaomi Redmi 10X 4G)
Downloads: - SP Flash Tool (Windows) https://spflashtools.com/windows - SP Flash Tool (Linux) https://spflashtools.com/linux Alternative Downloads: If you are having problems for flashing on Windows with sp flash tool, give a try on these...
forum.xda-developers.com
Scatter file for MERLIN:
[SCATTER][FLASH] Scatter file for flashing using flash tool to MERLIN (Xiaomi Redmi Note 9 / Xiaomi Redmi 10X 4G)
Works with: - Xiaomi Redmi Note 9 - Xiaomi Redmi 10X 4G Options for download: - Untouched Original Stock Rom. - Original Stock Rom with disabled boundary check. (File sufix: boundary_false) - All partitions allowed for download mode with...
forum.xda-developers.com

I selected a Scatter loading file, and when I choose download, it says, Please select one ROM at least before execution. Closed, reopened, chose Read Back. Doesn't seem to do anything or ask to save a backup. This is totally unintuitive. I may have to try the magisk without backing up. I can't figure this out.

ticotexas said:
I selected a Scatter loading file, and when I choose download, it says, Please select one ROM at least before execution. Closed, reopened, chose Read Back. Doesn't seem to do anything or ask to save a backup. This is totally unintuitive. I may have to try the magisk without backing up. I can't figure this out.
Could you attach a screenshot, please?

Related

[APP][UTIL]nbImageTool .4 (Partition Dumper) support .nbh .nb .dio .fat .nb0 .payload

Hey everyone
I've been working on learning C++, so I can refresh some of the existing tools, add some nice features, make them adhere more to the standards, etc.
This is the first fruit of my labor: this program analyzes a .dio, .fat, .nbh, .nb, .nb0, or .payload, prints the partition info to the screen, and dumps the uldr.bin, xip.bin, and imgfs.bin partitions. It should be compatible with any HTC ROM, and any other ROM that does not need to be run through nbsplit.
It does so without generating an intermediate .extra or .payload like the mamaich/tadzio toolset, and I've tried to keep an eye on speed, so it should be pretty fast.
Usage is "nbimagetool.exe -c filename.nb" - alternatively you can run the program with no parameters for some help output.
-c switch is optional, it strips the leading free space from imgfs.bin, so that it is compatible with imgfstodump (most IMGFS partitions have free space at the beginning, and the imgfsfromnb tool strips this automatically)
The idea for this tool is mostly to be used in a Kitchen, during the dumping process, for a nice fast dump. Please let me know any errors you might run into!
UPDATED! Added .dio and .fat support
.5pre3 here, new support for asus roms
DONE:
* Added .nbh support
* Added .dio support
TODO:
* Add support for .bin
* Fix whatever bugs you might find
CHANGELOG:
.1 Initial Release - supports .nb .payload .nb0
.2 Added .nbh support
.3 Added output of .nbh info when dumping
.4 Added support for .dio and .fat, fixed a bug that might trigger in rare circumstances
Please no feature requests at this time, thanks
Visual example of program usage:
Sample .nbh output:
Thanks Da_G for this new thread
Thanks for the tool da_g.
Does it works for our old is gold wizard too?
Thanks Da_G
Very nice, except, that we DO need nbsplit in most cases (nbsplit -kaiser) -> kaiser, diamond, topaz, blackstone, raphael etc...
Thanks for the tool da_g.
@CRACING:
You tell me!
@adwinp:
I think you misunderstand: when I say it doesn't need nbsplit I mean as a separate program; it has algorithms to handle the 'nbsplit' process internally, without generating intermediate files, and it automatically detects the 'extra' data so you don't need to feed it parameters like -kaiser, -hermes, etc.
Thanks Da_G... good you are ...
Posted a screenshot that should give a clearer explanation
Congratulations bro
Nice works as always !
Tom
Thanks my friend, nice tool, everything works fine
It works!! I have already tried it with my modified MBR from an old Eten M600 ROM payload.
Compatibility Mode: ACTIVE
os.fat opened for reading, size 45914624 bytes.
MBR Signature is a match! Valid .nb
Size of Data Chunk: 512 bytes
Size of Extra Chunk: 0 bytes
Partition 1: BootInd : 0
Partition 1: FirstHead : 2
Partition 1: FirstSector : 1
Partition 1: FirstTrack : 0
Partition 1: FileSystem : 32 (ULDR)
Partition 1: LastHead : 31
Partition 1: LastSector : 1
Partition 1: LastTrack : 71
Partition 1: StartSector(L) : 2
Partition 1: TotalSectors(L): 2302 (1178624 bytes)
Partition 2: BootInd : 0
Partition 2: FirstHead : 0
Partition 2: FirstSector : 1
Partition 2: FirstTrack : 72
Partition 2: FileSystem : 35 (XIP RAMIMAGE)
Partition 2: LastHead : 31
Partition 2: LastSector : 1
Partition 2: LastTrack : 159
Partition 2: StartSector(L) : 2304
Partition 2: TotalSectors(L): 2816 (1441792 bytes)
Partition 3: BootInd : 0
Partition 3: FirstHead : 0
Partition 3: FirstSector : 1
Partition 3: FirstTrack : 160
Partition 3: FileSystem : 37 (IMGFS)
Partition 3: LastHead : 31
Partition 3: LastSector : 129
Partition 3: LastTrack : 39
Partition 3: StartSector(L) : 5120
Partition 3: TotalSectors(L): 78080 (39976960 bytes)
Partition 4: BootInd : 0
Partition 4: FirstHead : 0
Partition 4: FirstSector : 129
Partition 4: FirstTrack : 40
Partition 4: FileSystem : 4 (MS-DOS 16-bit FAT)
Partition 4: LastHead : 31
Partition 4: LastSector : 1
Partition 4: LastTrack : 127
Partition 4: StartSector(L) : 83200
Partition 4: TotalSectors(L): 412416 (211156992 bytes)
Total Number of Logical Sectors: 495614
Total Size of Image in bytes: 253754368
Writing uldr.bin
Writing xip.bin
Writing imgfs.bin
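The table nbImageTool prints above is the MBR-style partition table in the first sector of the image. As an added example (not nbImageTool's code), this parser reads that table from an .nb/.fat image, prints the same fields, and slices a partition out of the image; the 512-byte sector and the type ids (0x20 ULDR, 0x23 XIP, 0x25 IMGFS, 0x04 FAT16) come from the output above, and the sample table is constructed from that output.

```python
"""Parse the MBR-style partition table at the front of a Windows Mobile
.nb/.fat image and slice partitions out of it, reporting the same fields
nbImageTool prints above. Added example, not code from nbImageTool."""
import struct

SECTOR = 512  # the 'Size of Data Chunk' from the output above
# partition type ids shown in the output above
WINCE_TYPES = {0x20: "ULDR", 0x23: "XIP RAMIMAGE", 0x25: "IMGFS", 0x04: "MS-DOS 16-bit FAT"}
# one 16-byte MBR entry: 8 single bytes (CHS fields are printed raw, as the tool does)
# followed by two little-endian 32-bit LBA values
ENTRY_FMT = "<8BII"
FIELDS = ("BootInd", "FirstHead", "FirstSector", "FirstTrack", "FileSystem",
          "LastHead", "LastSector", "LastTrack", "StartSector", "TotalSectors")


def parse_mbr(image):
    """Return the used entries of the table in the first sector of `image`.
    Raises ValueError when the 0x55AA signature is missing (not a valid .nb)."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("MBR signature mismatch: not a valid .nb")
    parts = []
    for i in range(4):
        raw = image[446 + 16 * i: 446 + 16 * (i + 1)]
        entry = dict(zip(FIELDS, struct.unpack(ENTRY_FMT, raw)))
        if entry["TotalSectors"] == 0:
            continue   # unused slot
        entry["Index"] = i + 1
        entry["Name"] = WINCE_TYPES.get(entry["FileSystem"], "unknown")
        parts.append(entry)
    return parts


def total_logical_sectors(parts):
    """Sum of TotalSectors, which is what the tool reports as
    'Total Number of Logical Sectors' (it excludes the MBR sector itself)."""
    return sum(p["TotalSectors"] for p in parts)


def extract(image, entry):
    """Bytes of one partition. A table that points past the end of the
    image (truncated dump or bogus entry) is rejected instead of silently
    returning a short blob."""
    start = entry["StartSector"] * SECTOR
    end = start + entry["TotalSectors"] * SECTOR
    if end > len(image):
        raise ValueError(f"partition {entry['Index']} ends at {end}, image is {len(image)} bytes")
    return image[start:end]


def pack_entry(boot, first_head, first_sector, first_track, fs_type,
               last_head, last_sector, last_track, start, count):
    return struct.pack(ENTRY_FMT, boot, first_head, first_sector, first_track,
                       fs_type, last_head, last_sector, last_track, start, count)


# Constructed sample MBR: the four entries from the os.fat run posted above.
SAMPLE_MBR = (b"\x00" * 446
              + pack_entry(0, 2, 1, 0, 0x20, 31, 1, 71, 2, 2302)
              + pack_entry(0, 0, 1, 72, 0x23, 31, 1, 159, 2304, 2816)
              + pack_entry(0, 0, 1, 160, 0x25, 31, 129, 39, 5120, 78080)
              + pack_entry(0, 0, 129, 40, 0x04, 31, 1, 127, 83200, 412416)
              + b"\x55\xaa")


def describe(image):
    """Text report in the style of the tool output above."""
    lines = []
    parts = parse_mbr(image)
    for p in parts:
        for f in FIELDS:
            extra = f" ({p['Name']})" if f == "FileSystem" else ""
            if f == "TotalSectors":
                extra = f" ({p[f] * SECTOR} bytes)"
            lines.append(f"Partition {p['Index']}: {f:15}: {p[f]}{extra}")
    n = total_logical_sectors(parts)
    lines.append(f"Total Number of Logical Sectors: {n}")
    lines.append(f"Total Size of Image in bytes: {n * SECTOR}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE_MBR))
```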
Thanks Da_G for all your hard work.
Great work nice addition to the tools.
Da_G said:
@adwinp:
I think you misunderstand: when I say it doesn't need nbsplit I mean as a separate program; it has algorithms to handle the 'nbsplit' process internally, without generating intermediate files, and it automatically detects the 'extra' data so you don't need to feed it parameters like -kaiser, -hermes, etc.
Yes I did.
Just tested. Very nice piece of work. Except that the xip size doesn't match.
Dumps fine, but is bigger than original.
I might've screwed my partition signature.
Anyways, the natural path to follow would be to write
uldr+ xip + imgfs header + imgfs (+extra) --> nb?
Apart from nbh support, you might want to ADD the code into the nbimagetool instead of coding a separate tool.
Why 2 tools when we can have 1?
Everything can be managed via switches, for example
nbimagetool -o outfile.nb(h) -x xip.bin -u uldr.bin -i imgfs.bin ...
;]
If you're really bored, you can also add other sections, like radio, splash.
It's basically the same code, except for different offsets (0x600)
What was the difference in the xip.bin's (aside from the size)? Was it just free space at the end (FFs evenly divisible by sector size)? If so, the existing toolset strips free space from things. I can make the -c switch strip it from xip.bin as well if necessary (although xipport.exe dumps fine with free space left at the end...)
Re: .nbh/.bin support, yeah, I plan to add it into the tool rather than a separate tool
Da_G said:
What was the difference in the xip.bin's (aside from the size)? Was it just free space at the end (FFs evenly divisible by sector size)? If so, the existing toolset strips free space from things. I can make the -c switch strip it from xip.bin as well if necessary (although xipport.exe dumps fine with free space left at the end...)
Re: .nbh/.bin support, yeah, I plan to add it into the tool rather than a separate tool
Yes, it's just free space.
I've checked every file's hash and it's consistent, so no worries.
I try to use this tool with OS.nb
OS.nb from X1i official rom
Code:
nbImageTool.exe OS.nb
CreateFileMapping() error: 5
Press the enter key to exit.
Da_G said:
@CRACING:
You tell me!
Works perfect for Wizard's official OS.nb ( Extracted both imgfs.bin and XIP.bin ) but as of protected OS.nb, only the XIP.bin will be useful.
Extraction of imgfs.bin worked fine using ELF(in) Hybrid Kitchen ( My Fav ).
Extraction of XIP.bin worked fine using bepe's XIP dumping tool.
Thanks....
Best Regards
X1iser:
Are you running Vista/Windows 7 with UAC on? It sounds like the OS isn't allowing my app access to the file in the location you have it in. Try running it in administrator mode.
It works in administrator mode, thanks
Simple question: are you planning to create a multi-device kitchen?

[GUIDE]How to make a rooted flashable rom from ftf file[FOR ALL XPERIA PHONES]

Hi friends,
This Guide might be Helpful for all Xperia device Users/Developers
1.First you need to download these 4 files
a)FTF extractor
b)META-INF folder and ROOTING files
c)7zip
d)Notepad++(Optional)
2.Extract ftf extractor anywhere you like
3.Open the *FTF file with 7Zip
You'll see these files and folders
Code:
META-INF
adsp.sin
amss.sin
amss_fs_urushi.sin
apps_log.sin
cache.sin
fota0.sin
fota1.sin
kernel.sin
loader.sin
system.sin
userdata.sin
4.Extract system.sin to the folder where you extracted ftf-extractor.
5.Press SHIFT+RIGHT CLICK on the empty space of the folder.You'll see a dialog like this
6.select OPEN COMMAND WINDOW HERE
7.Type
Code:
aIUP.exe system.sin 4096 system
8.If this does not work for you, use 2048 or 8192 instead of 4096
9.You'll see
Code:
C:\ftf_extractor>aIUP.exe system.sin 4096 system
UnPacking system.sin to system ...
done.
C:\ftf_extractor>
Congratulation now you have extracted System from the ftf file
10.Now open the downloaded META-INF AND ROOT.zip
then,go to system and cut
Code:
app
xbin
bin
and paste it in your extracted system folder (In step 9)
***Now your rom is rooted*****
OR
You can use Kitchen to ROOT YOUR ROM
11.Then Move your Rooted system folder to the META-INF ZIP
***Now you have made a flashable zip file****
13.(Optional)go to META-INF/com/google/android/updater-script and edit it with Notepad++
That's all
Lastly, Hit THANKS if you like it... and rate this thread 5-STAR
Knight47
Big thanks, very big thx
Very good method but (?) how do I flash a zip if I don't have CWM (recovery will not work without root and root won't work without recovery) installed? How would I put that back into the phone (locked bootloader)?
Thanks :good:
Command on Adb refuse- to not permitted
marcoplo said:
Big thanks, very big thx
Very good method but (?) how do I flash a zip if I don't have CWM (recovery will not work without root and root won't work without recovery) installed? How would I put that back into the phone (locked bootloader)?
Thanks :good:
Command on Adb refuse- to not permitted
Actually I think this guide is for those who want to make their own rom. So these roms are only for rooted users.
Like CM7 for rooted devices, this guide is teaching how to make a rooted CM7.
---------------------------------------------
If there's a method to make rooted ftf, then rooting problem solved.
zhuhang said:
Actually I think this guide is for those who want to make their own rom. So these roms are only for rooted users.
Like CM7 for rooted devices, this guide is teaching how to make a rooted CM7.
---------------------------------------------
If there's a method to make rooted ftf, then rooting problem solved.
So sorry, my misreading, so cancel that; it was late.
Step 9, extracting the system.sin with aIUP.exe is working fine BUT where can I find the extracted files? There is no new folder or files created.
skycamefalling said:
Step 9, extracting the system.sin with aIUP.exe is working fine BUT where can I find the extracted files? There is no new folder or files created.
Is it extracting exactly? When I try it with any page size (512, 1024, 2048, 4096, 8192, 16384, 32768 etc) it types "error page size"
papacarla said:
Is it extracting exactly? When I try it with any page size (512, 1024, 2048, 4096, 8192, 16384, 32768 etc) it types "error page size"
It's extracting with 4096 and runs fine. After that the software shows "done" just like in the screenshot.
But then I cannot find the folder where the files are being extracted. I've searched the whole HDD but to no avail.
skycamefalling said:
It's extracting with 4096 and runs fine. After that the software shows "done" just like in the screenshot.
But then I cannot find the folder where the files are being extracted. I've searched the whole HDD but to no avail.
Could you check again what the software shows before "done"?
Mine shows "done" too, but it shows "error page size" before "done".
papacarla said:
Could you check again what the software shows before "done"?
Mine shows "done" too, but it shows "error page size" before "done".
Me TOO.
Microsoft Windows [版本 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
D:\ftf_extractor>aIUP.exe system.sin 4096 system
UnPacking system.sin to system ...
Error: Page size parameter is wrong.
done.
D:\ftf_extractor>aIUP.exe system.sin 2048 system
UnPacking system.sin to system ...
Error: Page size parameter is wrong.
done.
D:\ftf_extractor>aIUP.exe system.sin 8192 system
UnPacking system.sin to system ...
Error: Page size parameter is wrong.
done.
D:\ftf_extractor>aIUP.exe system.sin 4096 system
UnPacking system.sin to system ...
Error: Page size parameter is wrong.
done.
D:\ftf_extractor>
ri7672 said:
Me TOO.
Same command execution. I've send same log to topic starter and here is his answer:
Knight47 said:
papacarla said:
Knight47 said:
papacarla said:
Hi, thank you for your guide.
I have some problem with ftf extractor
when I'm executing the step 7 of the guide I'm getting next:
HTML:
C:\FTF_ROM_root\ftf_extractor>aIUP.exe sy
stem.sin 4096 system
UnPacking system.sin to system ...
Error: Page size parameter is wrong.
done.
C:\FTF_ROM_root\ftf_extractor>aIUP.exe sy
stem.sin 2048 system
UnPacking system.sin to system ...
Error: Page size parameter is wrong.
done.
C:\FTF_ROM_root\ftf_extractor>aIUP.exe sy
stem.sin 8192 system
UnPacking system.sin to system ...
Error: Page size parameter is wrong.
done.
C:\FTF_ROM_root\ftf_extractor>
So, How you could see I tried to change the page size but there is error anyway.
What I'm doing wrong?
Thank you
Use 2048 or 8192 instead of 4096
Sent from my ST18i using Tapatalk 2
I did it already; you can see it in the HTML code window
Then try 16384, (16384x2), (16384x4)
There should definitely be a compression value
for Xperia ray ,neo,neo v, arc,arc s - 4096
Xperia mini,mini-pro,live etc-2048
Take care,
Knight47
So, I tried up to a page size of 524288. It does not work anyway.
This method only work for pre 2012 phones which use yaffs2
2012 phones use ext4. This method won't work anymore
Yeah, the sin file is EXT4; I just used the SIN viewer to find it out.
Just got my XAS yesterday.
Took me sometime to get this extracted, lol.
Anyways, Here:
(1)
My FTF test is the APAC LT26w_6.1.A.1.58
Using WinRAR to extract the system.sin from the FTF
(it does not really matter if you use 7zip or WinZip; the FT is version 2.0, host to extract is DOS)
(2)
Use sin2raw.exe with a 1G argument, since the ext4 sin is 500 MB plus (that's enough for me)
Code:
sin2raw system.sin system.ext4 1G
(3)
once you have your system.ext4, use the ext2explore.exe to save the files outside
This image shows only that it is EXT4, i did not use this tool to dump
nice guide. i was able to root and personalize my own stock rom. thanks.
This extraction method will not work on Xperias using ext4 (S, acro S, ion ... )
Since Xperia acro S is ext4, not yaffs, ur method will never work.
Use flashtool > sin editor > dump data (get a ext4 file)
Use ext2read to extract the system.ext4 file.
http://sourceforge.net/projects/ext2read/
I've posted this on XS thread.
Where's the META-INF zip mention in step 11?
zhuhang said:
This extraction method will not work on Xperias using ext4 (S, acro S, ion ... )
Since Xperia acro S is ext4, not yaffs, ur method will never work.
Use flashtool > sin editor > dump data (get a ext4 file)
Use ext2read to extract the system.ext4 file.
http://sourceforge.net/projects/ext2read/
I've posted this on XS thread.
Can you give me the full guide? Which files/folders that we should extract from system.ext4, how can we turn those files/folders into flashable ROM, I want this to try rooting the 2.55 firmware
Thanks in advance.
Thread temporarily closed.

[GUIDE] UNBRICK Mi Band 3 (with | without NFC)

How to unbrick a hard-bricked Mi Band 3
(with | without NFC)
Last Updated: 07.04.2019
Warning
Proceed at your own risk!!!
It may also damage the internal electronics of the device (mechanical damage, electrostatic discharge, etc.)!!!
I'm not responsible if your MB3 ends up permanently bricked!!!
(Tested on two Mi Band 3 units without NFC, CN version, HW v0.18.3.2)
Introduction
This thread contains instructions for unbricking the Mi Band 3 (after flashing the wrong firmware via Bluetooth) using an SPI flash programmer to write the correct firmware directly into the SPI flash memory on the PCB of the Mi Band 3. The DA14681 processor boots directly from this flash memory, which contains a boot loader, calibration and other production data, and the executable firmware that is updated via Bluetooth.
Known issues
You need to open the body cover of the Mi Band 3.
Once the body of the Mi Band 3 is opened, the waterproofing is lost.
You need special equipment (micro soldering station, programmer for SPI flash memory, etc.).
You will need
A hard-bricked Mi Band 3 (bricked after flashing the wrong firmware via Bluetooth)
A micro soldering station with a 0.2 mm tip
An SPI flash programmer for writing the correct firmware into the internal SPI flash memory
Control software for the SPI flash programmer (Flashrom / FT2232-SPI-Prog)
A hex editor for editing the full dump of the SPI flash memory
The correct firmware file for the Mi Band 3
Procedure
How to open the body cover of the Mi Band 3
Follow this thread to open the Mi Band 3 body cover: How to open the body cover of Mi Band 3 (with | without NFC)
How to connect to the SPI flash memory
The Mi Band 3 has a 32 Mbit GD25LQ32 SPI flash memory on the PCB. Unfortunately, there are no test points on the PCB (maybe under the LCD) for contacting the SPI flash memory easily, so the wires have to be attached directly to the pins of the SPI flash memory package.
​
Example of connecting to the SPI flash memory (for a single-use unbrick):

Or a better connection solution (for continuous tests):
How to connect to the SPI programmer (circuit diagram of the SPI flash programmer)
You can use one of these programmers (FT2232 Programmers) based on the FT2232 chipset to program the SPI flash memory on the Mi Band 3. I used my own circuit with an FT2232H; see the circuit diagram below. The SPI flash memory (GD25LQ32) on the Mi Band 3 has a supply voltage of 1.8 V!!! The SPI interface of this memory is 3.3 V tolerant. The Mi Band 3 battery (3.8 V) must be disconnected when programming the GD25LQ32 SPI flash memory, otherwise the Mi Band 3 processor blocks communication over the SPI interface.
Control software for the SPI flash programmer (you can use either Flashrom or FT2232-SPI-Prog)
# Flashrom (utility for flashing BIOS/EFI/coreboot/firmware/option ROM images)
Download tool: View attachment Flashrom_v1.0.1-rc2.zip Windows (v1.0.1-rc2) / Ubuntu (v0.9.9+r1954-1)
Install the drivers (Windows) for the Flashrom / FT2232H SPI flash programmer using the Zadig libusb-win32 tool.
Flashrom requires the "libusb-win32" libraries!!!
Flashrom natively supports the GD25LQ32 flash memory.
* Probing the flash memory GD25LQ32:
Command: flashrom -p ft2232_spi:type=2232H,port=A
Check that the GD25LQ32 flash memory was found (Found GigaDevice flash chip "GD25LQ32" (4096 kB, SPI) on ft2232_spi)!!!
* Reading the flash memory GD25LQ32:
Command: flashrom -p ft2232_spi:type=2232H,port=A -c GD25LQ32 -r MB3_FullFlash_brick.bin
"MB3_FullFlash_brick.bin" is the output file.
* Erasing the flash memory GD25LQ32:
Command: flashrom -p ft2232_spi:type=2232H,port=A -c GD25LQ32 -E
* Writing the flash memory GD25LQ32:
Command: flashrom -p ft2232_spi:type=2232H,port=A -c GD25LQ32 -w MB3_FullFlash_unbrick.bin
Make sure that the flash memory has been verified (Verifying flash... VERIFIED)!!!
# FT2232-SPI-Prog (SPI flash programmer based on FTDI chips in MPSSE mode)
Download tool: Windows (v0.1.13.0) / Ubuntu (v0.1.6.0)
FT2232-SPI-Prog does not require special drivers and uses the native FTDI drivers (Windows): Virtual COM port (VCP) drivers
FT2232-SPI-Prog does not support the GD25LQ32 flash memory directly; you can use the "M25PX32" type and set the "Ignore Device ID" control.
In case of communication problems with the GD25LQ32 flash memory, you can slow down the communication by turning on "Disable Quad Mode".
Also, do not forget to select the memory address range ("Start Address" and "End Address").
* Instructions for controlling FT2232-SPI-Prog can be found here: FT2232-SPI-Prog
How to unbrick a hard-bricked Mi Band 3
Read out the full data range of the Mi Band 3 GD25LQ32 SPI flash memory and save it to a file such as "MB3_FullFlash_brick.bin". This GD25LQ32 SPI flash memory contains a boot loader, calibration and other production data (serial number), and the executable firmware that is updated via Bluetooth. These data are unique to the device and must be backed up!!! Read the GD25LQ32 SPI flash memory again, repeatedly, and compare the files to make sure the memory was read correctly!!!
Open "MB3_FullFlash_brick.bin" in any hex editor, go to address 4000 and paste the correct firmware at this address. After pasting the correct firmware, save the file, for example as "MB3_FullFlash_unbrick.bin".
Write the file "MB3_FullFlash_unbrick.bin" back to the GD25LQ32 SPI flash memory.
It is recommended that you also reload the Firmware, Resources and Font files via Bluetooth after unbricking. This prevents Mi Band 3 instability!!!
That is all.
If you cannot unbrick the Mi Band 3, you can try uploading the "Full Dump Flash Images for the Mi Band 3". Unfortunately, you will permanently lose your calibration and other production data (serial number), which is irreversible. However, the Mi Band 3 bracelet will be functional.
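The read-compare-paste steps above, as an added example (not from the guide): it refuses to build an unbrick image unless the dump is a complete 32 Mbit read and two reads agree, and it overlays the firmware at the firmware address without touching the boot loader and production data below it. It assumes the guide's "address 4000" is hexadecimal 0x4000, as hex editors display addresses, and the file name for the second read is an assumption.

```python
"""The hex-editor step above done in code: check the full GD25LQ32 dump,
confirm two independent reads of the flash agree, then overlay the correct
firmware at the firmware address and leave everything below it (boot loader,
calibration, serial number) untouched. Added example, not from the guide.
Assumes the guide's 'address 4000' is hexadecimal 0x4000, as hex editors show."""
import sys

FLASH_SIZE = 32 * 1024 * 1024 // 8   # GD25LQ32 is 32 Mbit = 4 MiB
FW_OFFSET = 0x4000                    # address the guide says to paste at (assumed hex)


def first_difference(a, b):
    """Offset of the first byte where two reads differ, or None if identical.
    Compared in 4 KiB chunks so a 4 MiB dump is checked quickly."""
    n = min(len(a), len(b))
    for i in range(0, n, 4096):
        if a[i:i + 4096] != b[i:i + 4096]:
            for j in range(i, min(i + 4096, n)):
                if a[j] != b[j]:
                    return j
    return None if len(a) == len(b) else n


def build_unbrick_image(dump_a, dump_b, firmware, offset=FW_OFFSET):
    """Return the patched full-flash image, or raise ValueError when the input
    is not trustworthy: wrong dump size, reads that disagree (bad probe contact),
    or a firmware blob that would run past the end of the flash."""
    if len(dump_a) != FLASH_SIZE:
        raise ValueError(f"dump is {len(dump_a)} bytes, expected {FLASH_SIZE}: not a full read")
    diff = first_difference(dump_a, dump_b)
    if diff is not None:
        raise ValueError(f"the two reads differ at 0x{diff:x}; fix the wiring and re-read")
    if offset + len(firmware) > FLASH_SIZE:
        raise ValueError("firmware does not fit in the flash from that offset")
    patched = bytearray(dump_a)
    patched[offset:offset + len(firmware)] = firmware
    return bytes(patched)


if __name__ == "__main__":
    # usage: unbrick.py MB3_FullFlash_brick.bin MB3_FullFlash_brick_2nd_read.bin firmware.bin
    # writes MB3_FullFlash_unbrick.bin (the second-read and firmware file names are assumed)
    a, b, fw = (open(p, "rb").read() for p in sys.argv[1:4])
    with open("MB3_FullFlash_unbrick.bin", "wb") as out:
        out.write(build_unbrick_image(a, b, fw))
```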
Mirror:
[UNBRICK] Mi Band 3 (with | without NFC) - geekdoing.com

Learning About AVB Android Verified Boot (Boot.img dtb.img, vbmeta.img, and the "staging blob")

Edit: after studying for a couple of days I understand why no modification to the images would work, which is due to AVB. I have a lot more studying to do and I will explain it better. This thread is currently a mess of notes from a noob picking a kind lady's brain.
Hello All~!
This is an effort to understand what exactly is going on with the files contained in the boot.img from our Shield. Edit: to understand this on the Shield, we must understand the other images as well (dtb, vbmeta, and the "staging blob" that comes with the Shield).
ImgUtil
Miss @Renate has developed a wonderful tool to allow us to see the contents of our boot.img by placing her tool in the same folder as the boot.img and running this code:
Code:
imgutil.exe /v /l boot.img
STOCK BOOT IMAGE:
DEV BOOT IMAGE:
IMAGES THAT COME WITH SHIELD
This was only possible Thanks to Renate.
AVB NOTES:
Finally figured out how to actually use the avb tool. I feel stupid. Copy this script and make a new file called avbtool.
Per this link I learned how to make an empty vbmeta with the tool; I had to add "python" to the front:
Code:
python avbtool make_vbmeta_image --flags 2 --padding_size 4096 --output vbmeta_disabled.img
That allowed me to generate an empty vbmeta
The avbtool help menu:
Signing boot images for Android Verified Boot (AVB) [v8]
Various Android devices support Android Verified Boot (AVB). A part of this is more commonly known as dm-verity, which verifies system (and vendor) partition integrity. AVB can however also verify boot images, and stock firmwares generally...
forum.xda-developers.com
super helpful
Boot Flow | Android Open Source Project
source.android.com
There can be image signing with vbmeta and/or AVB on the image itself.
Whether these are enforced is another question and can most easily be determined by experimenting.
Most people grab a boot image out of a partition. The whole partition.
In the days before AVB0 signing this meant you might copy a 64M partition and get 24M of actual image and 40M of zeroes.
In the days after AVB0 signing this meant you get 24M of actual image, 2k of signing, 40M of zeroes and an itty-bitty AVB0 footer.
That AVB0 footer is a pesky detail.
You can see it if you have the whole partition and use a hex editor at the very end (size-4096).
As Magisk deals with boot images I should double check what they do. I believe they don't modify the AVB0 footer at all.
Using my EDL client edl.exe there is the /t option to trim an image to the real ~24M live bit.
In imgutil.exe there is the /p option to strip padding.
If your fastboot works fine, you have a nice recovery and you feel confident, you can experiment.
You can trim your stock boot image of its padding using imgutil.exe (which I believe leaves the AVB0 header intact), then:
Code:
fastboot erase boot
fastboot flash boot mytrimmedstock.img
You can even trim away the AVB0 header (using the address shown in imgutil.exe) and see if that works with erase, flash.
Then there is the vbmeta. That is a check on things too, whether enforced or not is also a question.
You can often replace it with a disabled vbmeta image.
Your dtb is in a separate partition.
On my main device it's on the kernel. I modify (in hex instead of dtc round-tripping) it to not verify /vendor.
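The partition layout Renate describes (real image, then the "AVB0" vbmeta blob, then zeroes, then the AVB footer at the very end) can be checked and trimmed in a few lines of Python. This is an added example, not code from imgutil.exe or edl.exe; the footer fields follow libavb's AvbFooter (64 bytes, big-endian, in the last 64 bytes of the partition), and the sample partition is constructed rather than a real dump.

```python
import struct

FOOTER_SIZE = 64
FOOTER_MAGIC = b"AVBf"   # footer magic; the vbmeta blob it points at starts with "AVB0"
VBMETA_MAGIC = b"AVB0"
# magic, version_major, version_minor, original_image_size, vbmeta_offset, vbmeta_size, reserved
FOOTER_FMT = ">4sIIQQQ28s"


def parse_avb_footer(partition):
    """Return (original_image_size, vbmeta_offset, vbmeta_size), or None if there is no footer."""
    if len(partition) < FOOTER_SIZE:
        return None
    magic, _major, _minor, img_size, vb_off, vb_size, _ = struct.unpack(
        FOOTER_FMT, partition[-FOOTER_SIZE:])
    if magic != FOOTER_MAGIC:
        return None                        # pre-AVB layout: image plus zeroes only
    if partition[vb_off:vb_off + 4] != VBMETA_MAGIC:
        raise ValueError("footer points at a non-vbmeta blob (corrupt dump?)")
    return img_size, vb_off, vb_size


def trim_partition(partition, strip_vbmeta=False):
    """Drop padding and footer (like imgutil /p); with strip_vbmeta also drop the AVB0 blob."""
    info = parse_avb_footer(partition)
    if info is None:
        return partition.rstrip(b"\x00")    # no footer: keep the live bit before the zeroes
    img_size, vb_off, vb_size = info
    end = img_size if strip_vbmeta else vb_off + vb_size
    return partition[:end]


def build_sample_partition(image, vbmeta, part_size, block=4096):
    """Constructed stand-in for a dumped partition laid out the way avbtool does it."""
    vb_off = (len(image) + block - 1) // block * block   # vbmeta blob is block-aligned
    body = image + b"\x00" * (vb_off - len(image)) + vbmeta
    footer = struct.pack(FOOTER_FMT, FOOTER_MAGIC, 1, 0,
                         len(image), vb_off, len(vbmeta), b"\x00" * 28)
    assert len(body) + FOOTER_SIZE <= part_size, "partition too small"
    return body + b"\x00" * (part_size - len(body) - FOOTER_SIZE) + footer


SAMPLE_IMAGE = b"ANDROID!" + bytes(range(256)) * 4   # 1032 bytes, constructed
SAMPLE_VBMETA = VBMETA_MAGIC + b"\x22" * 60           # 64 bytes, constructed
SAMPLE_PARTITION = build_sample_partition(SAMPLE_IMAGE, SAMPLE_VBMETA, 16384)

if __name__ == "__main__":
    img_size, vb_off, vb_size = parse_avb_footer(SAMPLE_PARTITION)
    print("footer at 0x%x, image %d bytes, AVB0 at 0x%x (%d bytes)"
          % (len(SAMPLE_PARTITION) - FOOTER_SIZE, img_size, vb_off, vb_size))
    print("trimmed, AVB0 kept:", len(trim_partition(SAMPLE_PARTITION)))
    print("trimmed to image only:", len(trim_partition(SAMPLE_PARTITION, strip_vbmeta=True)))
```

On a real dump the footer offset is the partition size minus 64 (Renate's 0x1fffc0 for a 2M dtb partition), so the same parser works unchanged on a full-partition image.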
@Renate Thank You, Seriously For Your Time. I was Just Looking at your EDL tool! I am going to play with all of this now. I cannot even begin to tell you how happy this has made me.
This is the link to her edl tool
EDL Utility
I deleted the vbmeta link that was originally listed here. Ordinarily I would leave the comment up for knowledge, but I don't want anyone to get off the path. We need to learn the avb tools and generate our own, not use others', due to the cryptographic hashes associated with each image that chain to the "staging" blob.
Hi @Renate, may I bother you again? I am stuck on two parts.
You mention editing the dtb to not verify /vendor; could you help me to understand how to do that?
I threw my dtb.img into HxD and searched for "vendor" and it brought up this:
but I am unsure if this is what I need or what to change it to?
Also I wanted to try to do what you say here "You can even trim away the AVB0 header (using the address shown in imgutil.exe) and see if that works with erase, flash."
I took that to mean use imgutil.exe to /d the Header1 file? Is that wrong? I tried all these but I cannot figure out on my own how to do it.
>.> I at least figured out the padding part
No, I'm not saying that you have to change dtb.
In today's world you can "modify" things by using Magisk modules (and not modifying /system) or by burning your bridges and just modifying /system.
If you do that you'll have to get rid of all verification (and FEC if present) and it makes updates impossible without reverting back to stock.
Your choices are influenced by what the OEM offers for updates and how much you want to sink your teeth into swamp critters.
Looking at a dtb in raw hex will make you go blind.
You should use dtc to disassemble/assemble.
It's probably not on your device but it is in any Linux.
I use my own dtbview.exe (not ready for prime-time) to get a dump with addresses.
If you like (for learning) post your dtb.
@Renate this is the dtb image, and thank you for telling me about dtc LOL I will get that installed in my Ubuntu VM.
Also @Renate is this the right tool?
Yeah, that's the right tool.
I don't know if the mysterious new header on Android is part of Linux or not.
So your dtb partition is 2M
The end of actual data is 7c394, so basically 1/4 of the partition.
But it's also AVB signed, look at offset 7d000
And its silly footer at 1fffc0
Here's the listing for your edification
Spoiler: DTC FOR WINDOWS
I came across this dtc tool for Windows made by Amlogic; it was originally shared here, bundled with other things:
How to Extract a Device Tree File from Android Firmware Files - CNX Software
Up to now, all our cheap Android devices were based on older Linux kernel (3.0.x, 3.4.x) that still used board files (arch/arm/board, but we've recently
www.cnx-software.com
I extracted just it:
dtc-tool.exe
drive.google.com
I checked it on virus total
VirusTotal
www.virustotal.com
@Renate Hi, I'm going to probably bother you till you block me...
But could you explain to me how you were able to take that dtb image I shared with you to turn it into the text file? I tried to use the dtc tool in linux and on windows but I cannot figure out how to get the listing like you did.
Here's what I was trying
jenneh said:
Blob has incorrect magic number
Yeah, it does!
That's what I've been fighting about. They decided to add some header.
Some dtb's have multiple separate models built in. Why? I have no idea.
Instead of ye olde fashioned "a dtb is that period" they decided to put in a header.
I'm sure that it's documented somewhere.
If you are just doing this for your own amusement, knock the first 128 bytes off the file and it can be disassembled.
@Renate I really am doing this for my own fun. But for a total noob, can you explain what this means: "knock the first 128 bytes off the file and it can be disassembled"? I'm so very sorry. I have always been intrigued with disassembly but I do not know very much.
Somebody at Android decided for whatever reason to extend the Linux DTB by putting another header before it.
Obviously Linux doesn't know or care what Android does.
If you look at offset 0x80 you'll see the normal signature of 0xd00feed (in bigend).
We can discuss whether that's politically questionable, but that's the way it is.
@Renate I guess what I am having trouble understanding, is where are these offsets that you are pointing me to with all this valuable information? Like you said here "If you look at offset 0x80 you'll see the normal signature of 0xd00feed (in bigend)."
When I look at the offsets in the text file I don't see anything called 0x80. It's the same trouble for me to fully understand what you were telling me earlier:
"But it's also AVB signed, look at offset 7d000
And its silly footer at 1fffc0"
How do I see these offsets that you so awesomely took the time to point out?
jenneh said:
When I look at the offsets in the text file I don't see anything called 0x80...
When you look at something like this you're looking at a raw chunk of memory.
As such, every bit of it, err, every byte of it has an address.
The first byte is zero and it goes up from there.
"0x80" is hex 80, (i.e. 128 bytes) into the file.
Renate said:
When you look at something like this you're looking at a raw chunk of memory.
As such, every bit of it, err, every byte of it has an address.
The first byte is zero and it goes up from there.
"0x80" is hex 80, (i.e. 128 bytes) into the file.
Does that mean these first 8 lines of offsets are the first bytes? Is this what I would want to blank out to remove the header?
So, look at the line with 00000080: d0 0d fe ed, "doodfeed"!
It's not a question of "blanking" it's a question of "skipping".
Although I don't o-fish-ally release it, here is modfile.exe: modfile
Code:
C:\>copy dtb dtb-short
C:\>modfile dtb-short /s 80
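The "skip the first 0x80 bytes" advice and the offset listing asked about earlier, as one added example (not Renate's modfile.exe or dtbview.exe): find the standard FDT header (0xd00dfeed, big-endian) behind the extra Android header, cut the tree out so dtc will accept it, and print hex lines with leading offsets. The 128-byte wrapper and the tiny one-node tree in the sample are constructed, not taken from a real Shield dump.

```python
import struct

FDT_MAGIC = 0xD00DFEED
FDT_HEADER_SIZE = 40
# magic, totalsize, off_dt_struct, off_dt_strings, off_mem_rsvmap,
# version, last_comp_version, boot_cpuid_phys, size_dt_strings, size_dt_struct
FDT_HEADER_FMT = ">10I"


def hexdump(blob, start=0, length=32, width=16):
    """Offset-prefixed hex lines, like a hex editor: '00000080: d0 0d fe ed ...'."""
    lines = []
    for off in range(start, min(start + length, len(blob)), width):
        lines.append("%08x: " % off + " ".join("%02x" % b for b in blob[off:off + width]))
    return lines


def find_fdt(blob, search_limit=4096):
    """Offset of the first plausible FDT header within search_limit bytes, else -1."""
    needle = FDT_MAGIC.to_bytes(4, "big")
    pos = blob.find(needle, 0, search_limit)
    while pos != -1:
        if pos + FDT_HEADER_SIZE <= len(blob):
            totalsize = struct.unpack_from(">I", blob, pos + 4)[0]
            if FDT_HEADER_SIZE <= totalsize <= len(blob) - pos:  # whole tree must fit
                return pos
        pos = blob.find(needle, pos + 1, search_limit)
    return -1


def strip_android_header(blob):
    """Skip the wrapper (what 'modfile dtb-short /s 80' does) and cut at totalsize."""
    pos = find_fdt(blob)
    if pos < 0:
        raise ValueError("Blob has incorrect magic number")  # dtc's own complaint
    totalsize = struct.unpack_from(">I", blob, pos + 4)[0]
    return blob[pos:pos + totalsize]  # also drops the zero padding after the tree


def build_sample_dtb(header_size=128):
    """Constructed dump: opaque wrapper, minimal FDT (one empty root node), padding."""
    rsvmap = b"\x00" * 16  # empty memory reservation map (one all-zero entry)
    tree = struct.pack(">I4sII", 1, b"\x00" * 4, 2, 9)  # BEGIN_NODE "", END_NODE, END
    totalsize = FDT_HEADER_SIZE + len(rsvmap) + len(tree)
    fdt_header = struct.pack(FDT_HEADER_FMT, FDT_MAGIC, totalsize,
                             FDT_HEADER_SIZE + len(rsvmap), totalsize,
                             FDT_HEADER_SIZE, 17, 16, 0, 0, len(tree))
    wrapper = b"CONSTRUCTED-WRAPPER".ljust(header_size, b"\x00")
    return wrapper + fdt_header + rsvmap + tree + b"\x00" * 64


SAMPLE_DTB = build_sample_dtb()

if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE_DTB, 0x80, 16)))
    print("FDT at 0x%x, %d bytes" % (find_fdt(SAMPLE_DTB), len(strip_android_header(SAMPLE_DTB))))
```

The first printed line starts "00000080: d0 0d fe ed", the "doodfeed" Renate points at; writing the returned bytes to a file gives something `dtc -I dtb` will read.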
Renate said:
So, look at the line with 00000080: d0 0d fe ed, "doodfeed"!
Gosh, Thank You. "d0 0d fe ed, "doodfeed"!" This, this did it for me to Understand. Haha. Thank You for the modfile tool as [email protected]@!
I got to get some sleep, but rest assured I will be back tomorrow to bother you even more!
@Renate Good Morning!! THANK YOU for helping me to learn how to "Skip" the erroneous header! This is something I Literally would never have learned Without You! Your modfile tool is so Neat! Also appreciate the Semantics!!
FIRST QUESTION! How do I produce a text output file similar to the one you shared with me? As in one that has all the offsets at the beginning of the line?
I ran this command after the skip (It finally worked yay!! No magic number problem!!):
Code:
dtc-tool.exe -I dtb -o dtb.txt dtb.img
I got this output text, which is noticeably missing the offsets that your copy provided.
Spoiler: DTC MANUAL
Here is the manual for other people learning:
manual.txt « Documentation - dtc/dtc.git - The Device Tree Compiler
git.kernel.org
Spoiler: I SAW BOOTLOADER.
SECOND QUESTION! Theoretically, if I wanted to add a new Bootloader to be able to run windows, Would that be done in here? Or more specifically, somewhere in the DTS? We don't have to go into technical specifics yet... unless you want to but is it possible?
THIRD QUESTION! When I was learning how to flash the images onto the Shield, Nvidia mentioned using this command to flash the "staging blob". I have always wondered why, and what this is. Is it needed, do you know?
Thank you as always for your time

How to unlock bootloader of vivo MTK devices?

Unlocking bootloader on vivo MTK devices
This thread is intended for vivo MTK devices only. You might have seen some of the threads for unlocking the vivo bootloader, but they might not work for you. So let's begin our tutorial.
!! WARNING !!
THIS STEP WILL ERASE YOUR USERDATA, SO MAKE SURE YOU HAVE BACKED UP ALL YOUR DATA BEFORE EXECUTING THIS
Requirements:
This is needed to make it work!
1. MTK Driver
2. Python (latest)
3. UsbDK
4. MTKClient
5. Zip extractor like 7zip
Set up all the requirements:
1. Install Python
1.1. Open the Python installer that you have downloaded
1.2. Tick the box called "add to PATH"
1.3. Install
2. Install UsbDK
2.1. Make sure you have downloaded UsbDk according to your architecture
2.2. Double click the installation file and install
3. Install MediaTek Drivers
3.1. Download the zip that I attached on this thread
3.2. Use your zip extractor app and extract the zip
3.3. After extracting, you will see 3 files inside; choose "cdc-acm.inf" and right click
3.4. Select "Install drivers" and follow all instructions
4. Setup MTKClient
4.1. There are many version releases on the github; download the source code zip of the latest version
4.2. Use your extractor app and extract it into a folder
4.3. Go into that folder and open command prompt from there
4.4. Simply type "pip3 install -r requirements.txt" in the cmd and press enter. Wait for it to finish
4.5. Close the cmd
Steps to unlock:
1. Go to mtkclient folder and open cmd from the folder
2. Type "python3 mtk da seccfg unlock"
3. Prepare your phone, make sure it's turned off
4. Connect your phone to PC with volume combination, hold both volume buttons and connect
5. Hold it until you hear the usb connection sound and release it
6. Wait until it succeeds
7. If successful, disconnect your device and turn it on
8. You will see a message saying "Orange state bla bla", ignore it
9. If it keeps rebooting, just wait for it to enter recovery and it will ask you to factory reset your device
10. Factory reset it and you're done!
You've finally unlocked your vivo bootloader
Tested devices:
1. vivo Y20 2021/Y12s (PD2036F)
2. vivo Y17/Y15/Y12 (PD1901)
3. vivo Y1s (PD2014F)
4. vivo Y91C (MTK)(PD1818HF)
However, vivo has patched the BROM mode (something like download mode on MTK) in the latest update. But I have a solution for that issue!
NeonzGamingYT said:
However, vivo has patched the BROM mode (something like download mode on MTK) in the latest update. But I have a solution for that issue!
way
NeonzGamingYT said:
However, vivo has patched the BROM mode (something like download mode on MTK) in the latest update. But I have a solution for that issue!
Seems like you don't?
So I was trying to use mtk client with your command. I'm not sure why my Windows doesn't recognize python3 as installed and redirected me to the Microsoft Store, so I used just the python command, which should run Python 3.11.2 on my PC. But when I did that it didn't really let me do that, saying that the "da" flag was not found:
Code:
mtk client\mtkclient-1.52>python mtk da seccfg unlock
usage: mtk [-h]
{printgpt,gpt,r,rl,rf,rs,ro,w,wf,wl,wo,e,es,footer,reset,dumpbrom,dumppreloader,payload,crash,brute,gettargetconfig,peek,stage,plstage,xflash}
...
mtk: error: argument cmd: invalid choice: 'da' (choose from 'printgpt', 'gpt', 'r', 'rl', 'rf', 'rs', 'ro', 'w', 'wf', 'wl', 'wo', 'e', 'es', 'footer', 'reset', 'dumpbrom', 'dumppreloader', 'payload', 'crash', 'brute', 'gettargetconfig', 'peek', 'stage', 'plstage', 'xflash')
MTK Flash/Exploit Client V1.52 (c) B.Kerler 2018-2021
Also I'm trying to make it work with a vivo V25e, which uses the Mediatek MT8781 Helio G99 (6nm) (if you can believe the description).
If I run the adb toolkit it shows me this info for my phone:
Code:
Device: V2201
Model: V2201
Brand: vivo
Android: 13
Firmware: TP1A.220624.014
Security Patch: 2023-02-01
Also, this is the behaviour of my phone on the 4th step:
4. Connect your phone to PC with volume combination, hold both volume button and connect
At first it shows the first line in Device Manager, then the second, and then it disappears altogether. Is this normal behaviour?
Is there any chance for me to unlock the bootloader, or should I just give up for now? Also I'm very sorry if I missed something obvious.
twq_bought_a_shit_phone said:
So I was trying to use mtk client with your command. I'm not sure why my Windows doesn't recognize python3 as installed and redirected me to the Microsoft Store, so I used just the python command, which should run Python 3.11.2 on my PC. But when I did that it didn't really let me do that, saying that the "da" flag was not found:
Code:
mtk client\mtkclient-1.52>python mtk da seccfg unlock
usage: mtk [-h]
{printgpt,gpt,r,rl,rf,rs,ro,w,wf,wl,wo,e,es,footer,reset,dumpbrom,dumppreloader,payload,crash,brute,gettargetconfig,peek,stage,plstage,xflash}
...
mtk: error: argument cmd: invalid choice: 'da' (choose from 'printgpt', 'gpt', 'r', 'rl', 'rf', 'rs', 'ro', 'w', 'wf', 'wl', 'wo', 'e', 'es', 'footer', 'reset', 'dumpbrom', 'dumppreloader', 'payload', 'crash', 'brute', 'gettargetconfig', 'peek', 'stage', 'plstage', 'xflash')
MTK Flash/Exploit Client V1.52 (c) B.Kerler 2018-2021
I got the same error.
First, I think if you have a vivo device it is most likely patched. If not, what version of the mtk exploit is it using?
I see you're using security patch dated 2023-02-01, which most likely won't work.
ko_hi said:
First, I think if you have a vivo device it is most likely patched. If not, what version of the mtk exploit is it using?
I see you're using security patch dated 2023-02-01, which most likely won't work.
Honestly, I was trying to lock the bootloader just so I won't touch this stuff, and my phone is not even a vivo, it's an Oppo A5s.