Related
Hi.
i need a litle help in hex convert.
in Bepe threads i fond this.
- nb file: 0x000001F5: short value + 0x48 (e.g: 0xA7+0x48=0xEF)
- nb file: 0x000001FB: short value + 0x48
A7 00 + 0x48 = EF 00
DB 05 + 0x48 = 23 06
i dont know if that is correct or not but if yes wath the value for this?
A2 01 + 0x48 = ??????
Thx and regards
I think you are not adding the columns correctly here. See your examples below along with a base 10 (the way we normally count) example (notice the numbers are lined up just as you would if you were adding base 10 numbers, from the least significant column to the most significant column, right to left)
A7 00 DB 05 100 (base 10 example)
+ 48 + 48 + 10
-------- ------ ----
A7 48 DB 4D 110
A7 + 48 does add to EF, but that is leaving out 2 entire orders of significance at the end of the A7 00 number.
So, the answer to your next question then would be:
A2 01
+ 48
------
A2 49
Also, just FYI here, the Calculator program that comes w/ Windows based computers will do Hex arithmetic for you. To get it to hex mode, start the Calculator, click on the View menu and choose Scientific. The calculator will then change it's view so that you can do Hex, Decimal (base 10), Octal or Binary arithmetic.
Hope that makes sense. If not, ask and I'll try to do a better job explaining.
I'm trying to hack my in car satnav, it runs CE and I'm able to decompile one of the binary images and see some of the applications that the device runs, however I am trying to decompile the OS binary and the same decompile process will not work.
Anyone got any thoughts on what to try?
Oh it's an SH4 device btw and the ROM etc is loaded from DVD.
Thanks in advance for any help.
Cheers
Quick one,
E:\>ImgfsToDump.exe 07AVNe.bin
ImgfsToDump 2.0 RC 3
guidBootSignature: 42 30 30 30 46 46 A 0 0 6 80 FC C2 4F 0 0
dwFSVersion: 10800600
dwSectorsPerHeaderBlock: 99000000
dwRunsPerFileHeader: 09000002
dwBytesPerHeader: 01000900
dwChunksPerSector: 2B0009D0
dwFirstHeaderBlockOffset: 58000940
dwDataBlockSize: 40880356
szCompressionType:
dwFreeSectorCount: 97000000
dwHiddenSectorCount: 45000002
dwUpdateModeFlag: DC434543
Compression DLL does not support compression type ''!
Anyone that can point me in the right direction would be appreciated
Hello people,
Are there any tools for viewing and editing the amss.bin?
HEX Editor...
IDA...
Brain.
Best Regards
adfree said:
HEX Editor...
IDA...
Brain.
Best Regards
Click to expand...
Click to collapse
with revskill i got this with amss.bin
#define UNLOADED_FILE 1
#include <idc.idc>
static main() {
MakeName(0x00079B70, "Memcmp");
MakeName(0x00062160, "Memcpy");
MakeName(0x0022E924, "Memcpy");
MakeName(0x0006216B, "Memcpy_Generic");
MakeName(0x0022E92F, "Memcpy_Generic");
MakeName(0x000621D0, "__rt_udiv");
MakeName(0x00079F8C, "__rt_udiv");
MakeName(0x00062334, "strlen");
MakeName(0x0007A2C4, "strlen");
MakeName(0x00070DB2, "diag_sp");
MakeName(0x00062298, "strcmp");
MakeName(0x0007A1D8, "strcmp");
MakeName(0x0007A360, "strncpy");
MakeName(0x00072502, "diag_pkt");
MakeName(0x00062F00, "__rt_div0");
MakeName(0x0007D324, "__rt_div0");
MakeName(0x00062F10, "__32__rt_raise");
MakeName(0x0007F1F8, "__32__rt_raise");
MakeName(0x00ACC3A8, "rex_int_lock_32");
MakeName(0x00072330, "subsys_getid");
MakeName(0x0007A548, "vsprintf");
MakeName(0x00062004, "MemClr");
MakeName(0x0022E7C8, "MemClr");
MakeName(0x000725CC, "diag_subsystem");
MakeName(0x0006EC72, "diag_hdlr");
MakeName(0x000726D2, "diag_hdlr");
MakeName(0x00083D86, "diag_hdlr");
MakeName(0x00085432, "diag_hdlr");
}
What about it ?
@Tigrouzen, no segment found at 0x00079B70 etc
amss it's regular elf with a bunch of segments
Code:
Name : LOAD
Start : 0x001E7000
End : 0x001EE000
Length: 0x00007000
----------------------
Name : LOAD
Start : 0x001F0000
End : 0x001F1000
Length: 0x00001000
----------------------
Name : LOAD
Start : 0x001F2000
End : 0x005D8000
Length: 0x003E6000
----------------------
Name : LOAD
Start : 0x005D8000
End : 0x00CDB000
Length: 0x00703000
----------------------
Name : LOAD
Start : 0x00CDB000
End : 0x00D11000
Length: 0x00036000
----------------------
Name : LOAD
Start : 0x00D11000
End : 0x00DAF000
Length: 0x0009E000
----------------------
Name : LOAD
Start : 0x00DAF000
End : 0x00DB9000
Length: 0x0000A000
----------------------
Name : LOAD
Start : 0x00DB9000
End : 0x00E9B000
Length: 0x000E2000
----------------------
Name : LOAD
Start : 0x00E9C000
End : 0x01BF9000
Length: 0x00D5D000
----------------------
Name : LOAD
Start : 0x01BF9000
End : 0x01D05000
Length: 0x0010C000
----------------------
Name : LOAD
Start : 0x01FF0000
End : 0x01FF006C
Length: 0x0000006C
----------------------
Name : LOAD
Start : 0xB0000000
End : 0xB0010CE7
Length: 0x00010CE7
----------------------
Name : LOAD
Start : 0xB0040000
End : 0xB0057000
Length: 0x00017000
----------------------
Name : LOAD
Start : 0xB0100000
End : 0xB0107207
Length: 0x00007207
----------------------
Name : LOAD
Start : 0xB0140000
End : 0xB01401B8
Length: 0x000001B8
----------------------
Name : LOAD
Start : 0xB0200000
End : 0xB0208CF3
Length: 0x00008CF3
----------------------
Name : LOAD
Start : 0xB0240000
End : 0xB024028C
Length: 0x0000028C
----------------------
Name : LOAD
Start : 0xB0400000
End : 0xB040DBE8
Length: 0x0000DBE8
----------------------
Name : LOAD
Start : 0xB0600000
End : 0xB0602000
Length: 0x00002000
----------------------
Name : LOAD
Start : 0xB0602000
End : 0xB0604000
Length: 0x00002000
----------------------
Name : LOAD
Start : 0xF0000000
End : 0xF001F878
Length: 0x0001F878
----------------------
Name : LOAD
Start : 0xF0020000
End : 0xF0026000
Length: 0x00006000
load amss.bin with TriX, dump decoded stage (elf format) and analyze with disassembler (e.g. IDA)
Ok guys i extract certificate from Amss S8530 XEJL2, bootloader segments full info fsbl sbl...
Also i can dump complete NAND and find segment and algorith for RC1 too
This is appscompressed.bin algorythme
0x01ca7750 RIPEMD128+160+MD4
0x01ca7750 SEAL+MD4 key
appcomp hash :
SHA1 : EB55C6690ACAF40BB2F845313F58BFE9C3BC529D
SHA224 : AAC3E2B65CC9F33BB7EDDA3DEB541CA9E8919422CC179B4D2B49F39BAE008F00
SHA256 : 580D3DB21E41A9FE588AE544266040FABA8AF044E739971E77F2B1272323D0B6
SHA256-HTC : A44BC029D7F952750003D9695ED7B464E446D34EEF5BD9665487E4C2BF81F669
MD4 : B3BD8310FF2C4C05E2044FD491814792
MD5 : 7220779D1094C5F7789094DC75BA4E9E
CRC16 (0x1189) : F4EA
CRC30 (Block: 0x1000, Page: 0x200) : 0BD214AA
CRC30 (Block: 0x2000, Page: 0x400) : 0A28A17A
CRC32 (0xEDB88320) : 313F4EF2
CRC32 (0x04C11DB7) : 90B01704
CRC32 HTC (0xEDB88320) : B55B60A7
ECC Reed Solomon (parity 10) : 43702DA1FDAC4DB2023B
ECC BCH Micron 3 byte : 818144
ECC Hamming Toshiba (8 bit - 0x200 bytes) : C00FC3
ECC Hamming (8 bit - 0x200 bytes) : FF3CF3
ECC Hamming (16 bit - 0x200 bytes) : 3FCFFC
Amss algo :
0x0007fce0 CRC-16 norm
0x0007fee0 CRC-16 inv
0x0007f8e0 CRC-30
0x0007eb50 CRC30 Function
0x00b66194 CRC-32
0x00b66394 CRC32 Function
0x000800e0 CRC-32 Xilinx
0x0007eb58 CRC32 Xilinx Function
0x000800e4 CRC32 Xilinx Function
0x00c3c490 DES RAW Spbox
0x00c39381 RSA PKCS SHA1/RIPEND Digest
0x00c39390 MD2 S
0x00463548 SHA2 table
0x008fcc88 SHA2 table
0x00b6eb14 ZDeflate
0x0041a28c SHA1+MD4+MD5 init
0x008fcb08 SHA1+MD4+MD5 init
0x00c3d7f8 SHA1+MD4+MD5 init
0x0041a29c SHA1+MD4+MD5 key1
0x008fcb18 SHA1+MD4+MD5 key1
0x00c3d808 SHA1+MD4+MD5 key1
0x001a9844 SHA1+MD4+MD5 key2
0x0041ac1c SHA1+MD4+MD5 key2
0x008fcb1c SHA1+MD4+MD5 key2
0x001a9848 SHA1+MD4+MD5 key3
0x0041ac20 SHA1+MD4+MD5 key3
0x008fcb20 SHA1+MD4+MD5 key3
0x00463648 SHA2 init table
0x008fcd88 SHA2 init table
0x00c3d80c SHA2 init table
0x0046364c SHA2 init table
0x008fcd8c SHA2 init table
0x00c3d810 SHA2 init table
0x00419980 RIPEMD128+160+MD4
0x008fcaf8 RIPEMD128+160+MD4
0x00bdcca0 RIPEMD128+160+MD4
0x001a9844 MD5
0x0041ac1c MD5
0x008fcb1c MD5
0x00419980 SEAL+MD4 key
0x008fcaf8 SEAL+MD4 key
0x00bdcca0 SEAL+MD4 key
0x004fc7af HTC PUBLIC KEY
E9079DBB2452104990982132470BA20B7C795D1B4690B718B62FCD38D71D4E458FAF320374B89D5236C79BD57D2BA2D3508A4A605B0D48CB8CA5478BFE4D7D32AB0AE072BC367A9615F002D5023A617B422FEC1EF8DAD772D75E9C4F06EF624B864699A3F080D1B8E192B921D159852B2DC798F752B4F1FA529FF123D9963F73
0x00708134 Sober 128
0x00c3cd90 Sober 128 SBox
Possible algos little endian: 45
0x00315f6c AES te
Possible algos big endian: 1
Amss hash :
SHA1 : C59C5785E823E5E1CA9BE05DB6F55F8C8AC1BBA3
SHA224 : 5F50CED13C1204068E443919706B53D866271DAB1CFB5A9CB07A953CAE008F00
SHA256 : D86C7634FE07806D3B87701EC7F72F25DAAFAC7C40CA1D370C1ABA5840C091C0
SHA256-HTC : 120F70AECE78B8DCF69DCD79F020AB00AE17572123BA21274D6F6EE280774A09
MD4 : 7703DF5B1074392D4B91ECA23BAC9D92
MD5 : 22197F8AAD6A2CB4394E1B4E63EB843C
CRC16 (0x1189) : FAC5
CRC30 (Block: 0x1000, Page: 0x200) : 311AE4C7
CRC30 (Block: 0x2000, Page: 0x400) : 295DFC29
CRC32 (0xEDB88320) : 8DB21A34
CRC32 (0x04C11DB7) : 7B94B6A4
CRC32 HTC (0xEDB88320) : 08450BBC
ECC Reed Solomon (parity 10) : A04D69B134A126F3FD15
ECC BCH Micron 3 byte : 000000
ECC Hamming Toshiba (8 bit - 0x200 bytes) : FFFFFF
ECC Hamming (8 bit - 0x200 bytes) : FFFFFF
ECC Hamming (16 bit - 0x200 bytes) : FFFFFF
Amms certificat :
https://rapidshare.com/files/3061245812/1.cer
Well, the main idea was ..., to get some tools with which the amss.bin for bada v1.2 and v2 can be modified to work for the American/Australian version of the wave. Looks like there are some hardware differences and this file is containing information needed for the RF module.
Looks like there are some hardware differences and this file is containing information needed for the RF module
Click to expand...
Click to collapse
No idea if Hardware differences, but I'm pretty sure there are different Config/Calibration data...
Check out NV items... AMSS + NV items = Qualcomm related part...
http://www.samsunguniverse.com/forum/s8500-can-work-with-qualcomm-tools-t199.html
You could take an look on FCC documents for maybe Hardware check...
Best Regards
I think gambal refers to UMTS bands, Europe is different than in America.
UMTS bands in America are 850 - 1900
UMTS bands in Europe are 2100
bada 1.2 and above only works with Euro bands (these updates hasn't oficially released in America), so as we know the file "amss.bin" contains the parameters that define which bands to work, would be good to try to edit the information to compile a new "amss.bin" to work with American bands ..
Many Americans would be happy!
...would be good to try to edit the information to compile a new "amss.bin" to work with American bands ...
Click to expand...
Click to collapse
But you are really sure that not NV items differ?
Maybe easier to compare NV items...
Best Regards
You mean to compare amss NV items from a 1.0 American firmware and another 1.2 European firmware?
I was import to a .Qcn file a list of NV items of my mobile (bada 1.0 american), i will compare with another one of 1.2.
It's posible to create more NV items if is necesary?
sorry for double post.
i've compared NV items of my phone, first with a 1.0 american firmware then with a 1.2 European firmware..
EDIT: thought that there were no differences because the file size was identical, but looking more attentively i find some, i will continue researching,
You tried QPST or which Tool?
And are sure there are no differences?
I have 2x S8500... with QPST difference 10 NV items + one S8500 has 10 more
Content not checked... too lazy at this time.
Best Regards
Edit 1.
File Summary:
Phone Model: 19 [QSC6270/QSC6240], Configuration Name: default, Total NV Item Count: 305
Click to expand...
Click to collapse
File Summary:
Phone Model: 19 [QSC6270/QSC6240], Configuration Name: default, Total NV Item Count: 319
Click to expand...
Click to collapse
And these are only the "official" NV items... and not the hidden one...
Example...
Code:
NV item: [B]2608[/B] [NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I], index 0
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 0: 12 3d fc ff 9c 3c fc ff 26 3c fc ff b0 3b fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 1: 34 3b fc ff af 3a fc ff 2a 3a fc ff a6 39 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 2: 22 39 fc ff 9f 38 fc ff 0c 38 fc ff 65 37 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 3: be 36 fc ff 18 36 fc ff 73 35 fc ff ce 34 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 4: 2a 34 fc ff 87 33 fc ff e5 32 fc ff 43 32 fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 5: a2 31 fc ff 01 31 fc ff 61 30 fc ff c2 2f fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 6: 23 2f fc ff 85 2e fc ff 85 2e fc ff 85 2e fc ff
NV_GSM_850_AMPM_MASTER_TBL_SEG8_F1_I 7: 85 2e fc ff 85 2e fc ff 85 2e fc ff 85 2e fc ff
sorry for my english, I mean to say that i find some differences..
between 2 firmwares, I find 40 differents NV items using "RF NV items Manager" program.
Example:
European 1.2 Firm:
Code:
NV item: 5059 [NV_WCDMA_2100_TX_LIN_MASTER_0_ENH_I], index 0
NV item: 5061 [NV_WCDMA_900_TX_PDM_LIN_0_ENH_I], index 0
American 1.0 Firm:
Code:
NV item: 5064 [NV_WCDMA_1900_TX_PDM_LIN_0_ENH_I], index 0
NV item: 5060 [NV_WCDMA_800_TX_PDM_LIN_0_ENH_I], index 0
(it's look like these items manage the umts network)
This are 2 items of 40 that I find.. So, I imported all 40 1.0 American Firmware Nv Items to the 1.2 Euro Firmwared Phone, (using previous modified .QCN file) then, i restart the device, but nothing happen, still no find UMTS network... But i want believe that we are close to find the solution
If I use PSAS to Display the new added NV items, these appear as "inactive item" and those already on the phone appears lile "bad parameter"
not know what else I can try...
Even if NV items count is different. Dump of NV area will be always the same in size. Area in oneNAND reserved for NV data is constant, and in most it's just empty space, filled with zeros.
Is it possible to dump whole NV items list using QPST? Can you guys do that and send dumps to me?
If not please search for following NV items and send me values you get (if you get any)
Int id 556
Int id 5
Int id 7
Int id 1403
String id 254
String id 387
String id 388
String id 256
String id 197
I want to prove some theory just taken from Bada kernel and need few different values to compare. These should contain Timezone, Locale and SimBlock settings. (If these NV items are even available)
Please send me PMs with dumps if you get any. Thanks in advance.
Tell me when you are ready "amms.bin" to "bada 2.0" so I can put it on my phone. I'm from Argentina. Thank you very much!
Rebellos said:
Int id 556
Int id 5
Int id 7
Int id 1403
Click to expand...
Click to collapse
With "PSAS" display "Inactive Item", and with "RV NV item manager" i don't these id's..
@adfree
Hey, if I wrote in phone (with "RV NV item manager") some NV items, is not take any effect... does exist another step to "activate" these items or some? maybe in Stune have to add any parameter? or maybe the "QPST Service program" tool..
I have fear of breaking the handset really... I just wan't to calibrate the UMTS bands, need these:
WCDMA_II_PCS_1900
WCDMA_V_850
http://forum.xda-developers.com/showpost.php?p=12436452&postcount=1
Other way to access NV items.
Now you can backup with sTune for instance... folders:
Code:
[B]NV
nvm[/B]
EXTREME Caution!
Some IDs are protected... so you can maybe write/activate, but not easily remove change = brick...
Best Regards
a little question..
there is a firmware of S8530 which has bada 1.2 and 850/900/2100Mhz 3g bands capable... there are firmwares prepared for Brazil and Australia.
it's posible to flash that amss.bin in a S8500 with bada 1.2?
I tried this, but the bootloader says "error erase amms"
amss.bin in a S8500 with bada 1.2?
Click to expand...
Click to collapse
If I remember correct, then yes...
Maybe not all combinations...
BUT check Multiloader ... adresses are different...
So you have to edit...
Later more.
Maybe give Link to this S8530 Firmware, so I can take an look or try for you...
Best Regards
As most of you probably are, ever since i've tried CM11, i've been searching for a "stable" KitKat rom. Didn't have much luck, but i thought i'll share my findings
First up is Gummy Rom from Team Gummy, which i didn't even see in the Android Development subforum. They're doing nightlies for the P930, but seem to have some problems right now, as the last nightly is dated 01-05-2014. You can check those out at
http://old.androidfilehost.com/main/Team_Gummy/p930/nightly/
Second one is MoKee, of which navik did a 4.3 build, but they also have KitKat nightlies for the P930.
http://download.mfunz.com/?device=p930
On to what you'll probably want to know.. do these roms work? well... kinda...
The MoKee "Release" from 01-18-2014 is pretty stable, fast and has some neat additions from CM and (possibly) AOKP. You can even finally restore your backups from Titanium, as MoKee lets you choose where to install (!) an apk... change that to internal from default and ALL apps install correctly like they should. Now for the downside... you can probably guess... yup, camera's broken *sad face panda*... you can start up any cam-app and it will show the image from the sensor, but as soon as you take a shot, it will FC and save a 2KB file in your DCIM folder...
oh, and it has some chinese crapware (baidu) installed, but you can easily remove these with Titanium Backup.
On to the second Rom... Gummy Rom from Team Gummy...it's a lean build based on AOSP with a few picks from CM, AOKP and PA, mostly visual stuff from aokp (center clock etc.) and HALO/PIE from PA. It's helluvalot fast and after a quick adb push for the newest adreno drivers, i can even play Asphalt 8 on High Details. Downside on this rom... apk install error galore, no XDA-app, some games don't install, browser crashes often, absolutely not a daily driver...
have fun experimenting, have you found something else? would like to know ^^
thanks for ur support and is like no much user+dev on this device! threads emty to compere to other devices....
dreaming of getting another device:crying:
I will have to try the later one myself, thanks for posting the info. The biggest issue is that cm is not stable so anything built on that rom is bound to have issues. Most people are sticking with jb for the time being until a better KitKat is available.
As far as activity on this forum, this is not a nexus device but it does have a fair following.
Sent using XDA Premium HD app
Nz
I thought I would look at the Mokee kernel, so the camera errors out like
Code:
I/QualcommCameraHardware( 147): stopPreviewInternal: old frame thread completed.
I/QualcommCameraHardware( 147): stopPreviewInternal X: 0
V/QualcommCameraHardware( 147): updatePictureDimension: 3264x2448 <- 960x720
V/QualcommCameraHardware( 147): initRaw E: picture size=3264x2448
V/QualcommCameraHardware( 147): initRaw: initializing mRawHeap.
E/QualcommCameraHardware( 147): ION allocation failed
E/QualcommCameraHardware( 147): do_mmap: Open device /dev/pmem_smipool failed!
E/QualcommCameraHardware( 147): ERROR : initraw , createSnapshotMemory failed
E/QualcommCameraHardware( 147): initRaw failed. Not taking picture.
E/CAM_AndroidCameraManagerImpl( 3247): take picture failed.
W/dalvikvm( 3247): threadid=16: thread exiting with uncaught exception (group=0x4156ec80)
E/AndroidRuntime( 3247): FATAL EXCEPTION: Camera Handler Thread
E/AndroidRuntime( 3247): Process: com.android.camera2, PID: 3247
E/AndroidRuntime( 3247): java.lang.RuntimeException: takePicture failed
A good picture taken with CM11 looks like
Code:
I/QualcommCameraHardware( 146): stopPreviewInternal: old frame thread completed.
I/QualcommCameraHardware( 146): stopPreviewInternal X: 0
V/QualcommCameraHardware( 146): updatePictureDimension: 3264x2448 <- 960x720
V/QualcommCameraHardware( 146): initRaw E: picture size=3264x2448
V/QualcommCameraHardware( 146): initRaw: initializing mRawHeap.
E/QualcommCameraHardware( 146): bool android::QualcommCameraHardware::createSnapshotMemory(int, int, bool, int) Raw memory index: 0 , fd is 67
E/QualcommCameraHardware( 146): Received following info for raw mapped data:0x44840000,handle:0x121eb48, size:11985408,release:0x405d6941
E/QualcommCameraHardware( 146): Registering buffer 0 with fd :67 with kernel
V/QualcommCameraHardware( 146): use_all_chnls = 0
As you can see the "ION allocation failed" is the obvious fail point, now where that is logged is the next big secret.. qcom/camera/qcamera2/hal/QCameraMemory.cpp has a log with the message in it, but changing the message seems to have no affect..
Other things I have tried, I have tried compiling the mokee with the hardware and kernel folders from CM11 - the camera still fails, so it must be with the device / vendor folders.
nz
Hey guys, as the title says I successfully changed my GWA2 CSC from DBT to XAR, but ran into some problems. The watch boots up normally and I can use it, install apps from the Galaxy Store, etc. but I am stuck on version R820XXU1ASHF/Tizen 4.0.0.6. My phone shows a 30.68MB update to BTG1, and it can download it and start installing it but when it gets to 97%, the watch resets and boots up the old (ASHF) firmware. Moreover, Samsung Pay says that it can't start since I've "modified my watch," but I think this can be due to the very old firmware.
I've already tried changing to another CSC (both to AUT and the original EUR) and reflashing the ASHF firmware but to no avail. I originally came from R820XXU1BTA1 but I can't find that anywhere.
What can I do to fix this? I've also found the firmware files on some paid sites, and I'd pay since it's nothing significant, but I'm really not sure if those are real. Has anyone here bought firmware from them? Can anyone set me up with anything even one version newer than what I have? I've been searching for hours but I seem to have hit a dead end.
I bought a firmware on Fullstockfirmware and it works fine. I can host R820XXU1BTF3.zip if you need, but i'm new member, can't post link.
---------- Post added at 05:20 PM ---------- Previous post was at 05:17 PM ----------
https://drive.google.com/file/d/1LmJ9uJl644ePVnwabkGt_swDY961B_Ds/view?usp=drivesdk
Here is a link for the firmware
Noname761 said:
I bought a firmware on Fullstockfirmware and it works fine. I can host R820XXU1BTF3.zip if you need, but i'm new member, can't post link.
---------- Post added at 05:20 PM ---------- Previous post was at 05:17 PM ----------
https://drive.google.com/file/d/1LmJ9uJl644ePVnwabkGt_swDY961B_Ds/view?usp=drivesdk
Here is a link for the firmware
Click to expand...
Click to collapse
Thank you so much! You're a godsend! I flashed this in a heartbeat.
The update to BTG1 and SPay still don't work, but BTF1 is a way better point to be stuck on.
Plus, I checked my Knox bit, and it is not set. Maybe I messed something up (file permissions, line terminators, etc.) in /csa...
with this firmware i have samsung pay, but i can't test it because my bank is not supported. and the ecg and blood pressure works with 23.tpk and shm caranava. oh and nothing for the firmware. it's normal to share on a sharing forum ?
Noname761 said:
with this firmware i have samsung pay, but i can't test it because my bank is not supported. and the ecg and blood pressure works with 23.tpk and shm caranava. oh and nothing for the firmware. it's normal to share on a sharing forum
Click to expand...
Click to collapse
Could you by any chance give me the output of the following command? You don't need the combination firmware or root to run it.
Code:
sdb shell "ls -l /csa/csc/csc-active-customer.inf /csa/imei/prodcode.dat && hexdump -C /csa/csc/csc-active-customer.inf && hexdump -C /csa/imei/prodcode.dat"
My output looks like this:
Code:
-rwxrwxr-x 1 root system_share 3 Aug 12 10:27 /csa/csc/csc-active-customer.inf
-rw-rw-r-- 1 root system_share 14 Aug 11 15:23 /csa/imei/prodcode.dat
00000000 58 41 52 |XAR|
00000003
00000000 53 4d 2d 52 38 32 30 4e 5a 4b 41 58 41 52 |SM-R820NZKAXAR|
0000000e
here is mine
Code:
-rwxrwxr-x 1 root system_share 3 Aug 8 19:26 /csa/csc/csc-active-customer.inf
-rw-rw-r-- 1 root system_share 14 Aug 7 07:53 /csa/imei/prodcode.dat
00000000 58 45 46 |XEF|
00000003
00000000 53 4d 2d 52 38 32 30 4e 5a 53 41 58 45 46 |SM-R820NZSAXEF|
0000000e
Noname761 said:
here is mine
Code:
-rwxrwxr-x 1 root system_share 3 Aug 8 19:26 /csa/csc/csc-active-customer.inf
-rw-rw-r-- 1 root system_share 14 Aug 7 07:53 /csa/imei/prodcode.dat
00000000 58 45 46 |XEF|
00000003
00000000 53 4d 2d 52 38 32 30 4e 5a 53 41 58 45 46 |SM-R820NZSAXEF|
0000000e
Click to expand...
Click to collapse
Thanks for all your help, alas I can't find what's wrong with my watch...
before updating, i used the combination firmware to change my CSC and then i flash a stock firmware. I made the updates with wearable and I finally flash the version 4.0.0.8.
IMHO this is Rollback Prevention crap.. of Bootloader sboot.bin...
If Firmware is lower... Alphabet knowledge and count from 0 - 10 is enough skills...
Additional Infos can be taken from here:
http://fota-cloud-dn.ospserver.net/firmware/XAR/SM-R820/version.xml
I see ASHF... and you confirmed it fount FOTA delta package... :good: :good:
Now check Bootloader Version...
Code:
sdb shell
Code:
cat /proc/cmdline
To bypass you need same or higher Firmware...
Post result of Command...
And I could try to help you...
IMHO BTF3 is not valid FOTA base in XAR chain...
BTD3 or something like this was before on XAR...
BTG1 not leaked yet... otherwise we would do this.
Best Regards
adfree said:
IMHO this is Rollback Prevention crap.. of Bootloader sboot.bin...
If Firmware is lower... Alphabet knowledge and count from 0 - 10 is enough skills...
Additional Infos can be taken from here:
http://fota-cloud-dn.ospserver.net/firmware/XAR/SM-R820/version.xml
I see ASHF... and you confirmed it fount FOTA delta package... :good: :good:
Now check Bootloader Version...
Code:
sdb shell
Code:
cat /proc/cmdline
To bypass you need same or higher Firmware...
Post result of Command...
And I could try to help you...
IMHO BTF3 is not valid FOTA base in XAR chain...
BTD3 or something like this was before on XAR...
BTG1 not leaked yet... otherwise we would do this.
Best Regards
Click to expand...
Click to collapse
Code:
sh-3.2$ cat /proc/cmdline
console=ram loglevel=4 bootmode=ramdisk root=/dev/ram0 rw model=SM-R820 boot_ver=R820XXU1BTA1 hw_rev=05 sec_debug.enable=0 sec_debug.enable_user=0 tizenboot.sec_atd.tty=/dev/ttySAC0 tizenboot.emmc_checksum=0 tizenboot.dram_info=01,06,00,0.75G tizenboot.log=0x9b010000,0x200000,0x7f309,0x7ff90 tizenboot.boottime=1230ms tizenboot.sales_code=XAR warrantybit=0 sec_debug.bin=N lcdtype=0x402484 ess_setup=0x9b000000 [email protected] [email protected] DynSysLog=0 uart_sel=AP pmic_info=11 oops=panic [email protected] sec_debug.chipidfail_cnt=0 sec_debug.lpitimeout_cnt=0 sec_debug.cache_err_cnt=0 sec_debug.lpddr4_size=0.75 tizenboot.recovery_offset=1056512 tizenboot.carrierid_offset=1049156 tizenboot.carrierid= sec_debug.reset_reason=7 sec_debug.pwroffsrc=0x0 sec_debug.pwronsrc=0x8 sec_debug.rst_stat=0x20000000 tizenboot.verified_kern=1 tizenboot.fota_bl_status=none
I also found something interesting in /var/log/last_update.log which I will also attach to this post
Code:
UA/ERROR(SS_IMGVerfiyPartition) SS_IMGVerfiyPartition - SHA mismatch with SRC [/dev/mmcblk0p7] Expected [ffa4a910] Actual [ffa4a938]
UA/ERROR(SS_SetUpgradeState) FAILED to upgrade Cause:[0xd19]
I have pulled the delta.tar from the device and it seems that mmcblk0p7 is a ramdisk. I thought I'd replace the SHA value and pull the ole switcharoo but I can't find it anywhere
Code:
boot_ver=R820XXU1BTA1
This is the Knockout...
FOTA selfcheck detect that Bootloader not valid for ASHF Firmware...
Valid in case of FOTA crap...
BTA1 is inside FOTA chain of XAR CSC aka Sales Code:
http://fota-cloud-dn.ospserver.net/firmware/XAR/SM-R820/version.xml
Code:
R820XXU1BTA1/R820OXA1BTA1
Easiest way IMHO to flash whole BTA1 Firmware...
Best Regards
Thanks, I'll see if I can get my hands on that version...
@g511
Please check your Private Message... I sent you PM...
Best Regards
Hy guys.
Anyone can help me. I changed CSC and Samsung pay now is on the watch. The problem are two:
1- Samsung doesn't work because "the watch is modified"
2- doesn't work the upgrade. I download the update but doesn't install
Searching for a solution.
Thanks
@stampatori
Please, it is more helpfull if you give FULL details...
MINIMUM to know Model Name... Nobody here have Crystal Ball...
SM-R820?
Or LTE device like SM-R825F?
Or?
Best Regards
@adfree
Sorry.....?
My watch is a GWA2
SM-R820
Tizen 4.0.0.6
Firmware R820XXU1ASHF
@g511 search "techno proz change csc on watch active 2" on YOUTUBE and just follow. 100% works ! I did it 3 days ago and evrything is perfect !
Hello
I have the same problem with my NEW active 2 watch, I don´t know why it is happening, because my watch is NEW. I found this log in /opt/var/log/last_update.log
Code:
UA/(deleteNode): There is only one node. The list can't be made empty UA/ERROR(SS_FSVerifyNode) SS_FSVerifyNode - SHA mismatch with SRC - PATH [system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal] Expected [fff7d41c] Actual [fff7d430]
UA/ERROR(SS_SetUpgradeState) FAILED to upgrade Cause:[0xd15]
UA/ERROR(SS_AppendNode) Bad Nodes, Failed to pass verification - [Delta Path - /opt/usr/data/fota/save/delta.tar][OldPath - system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal] [NewPath - system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal]
UA/(tar_free_cfg_table): Free TAR CFG TABLE
UA/ERROR(SS_FSVerifyPartition) FS Verification Failed PartIndex: [4]
UA/(SS_FSClearNodes): Free Nodes idx=4
UA/(update_all): CSC verify failUA/(save_cause): save_cause entered, 0xd15
UA/(print_error_cause): The update failed because data was corrupted during update of device.UA/(save_cause): save_cause leaved!
UA/(main): [update_all ret=64537]
UA/(main): Result=64537
UA/(save_result): save_result entered, result=0xfc19
UA/(save_result): save_result leaved!
this is my /proc/cmdline
Code:
console=ram loglevel=4 bootmode=ramdisk root=/dev/ram0 rw model=SM-R825FS boot_ver=R825FXXU1ASJ3 hw_rev=05 sec_debug.enable=0 sec_debug.enable_user=0 tizenboot.sec_atd.tty=/dev/ttySAC0 tizenboot.emmc_checksum=0 tizenboot.dram_info=01,06,00,1.50G tizenboot.log=0x9b010000,0x200000,0x0,0xaba tizenboot.boottime=2140ms tizenboot.sales_code=COM warrantybit=0 sec_debug.bin=N lcdtype=0x402484 ess_setup=0x9b000000 [email protected] [email protected] DynSysLog=0 uart_sel=AP pmic_info=11 oops=panic [email protected] sec_debug.chipidfail_cnt=0 sec_debug.lpitimeout_cnt=0 sec_debug.cache_err_cnt=0 sec_debug.lpddr4_size=1.50 tizenboot.recovery_offset=1056512 tizenboot.carrierid_offset=1049156 tizenboot.carrierid= sec_debug.reset_reason=9 sec_debug.pwroffsrc=0x10 sec_debug.pwronsrc=0x1 sec_debug.rst_stat=0x10000 tizenboot.cp_reserved_mem=off tizenboot.verified_kern=1 tizenboot.fota_bl_status=none
this is my csc-active-customer.inf
Code:
sh-3.2$ hexdump -C /csa/csc/csc-active-customer.inf
00000000 43 4f 4d |COM|
00000003
this is my prodcode.dat
Code:
sh-3.2$ hexdump -C /csa/imei/prodcode.dat
00000000 53 4d 2d 52 38 32 35 46 5a 4b 41 43 4f 4d |SM-R825FZKACOM|
0000000e
Do you know why i can not update my watch ?
Thanks !
@andrs1294
All i can see for now is something mismatch with CSC... but not fully understand...
COM
http://fota-cloud-dn.ospserver.net/firmware/COM/SM-R825F/version.xml
TCE
http://fota-cloud-dn.ospserver.net/firmware/TCE/SM-R825F/version.xml
Both CSC / Sales Code are in same package... region Code:
OWO...
Code:
R825FXXU1ATA1/R825F[B]OWO[/B]1ATA1/R825FXXU1ATA1
I have only OXA and OLB package with ATA1 Firmware for netOdin...
Need some more time for investigation...
Found only 1 OWO package...:
Code:
R825FXXU1[B]ASI5[/B]
Best Regards
adfree said:
@andrs1294
All i can see for now is something mismatch with CSC... but not fully understand...
Both CSC / Sales Code are in same package... region Code:
OWO...
Code:
R825FXXU1ATA1/R825F[B]OWO[/B]1ATA1/R825FXXU1ATA1
I have only OXA and OLB package with ATA1 Firmware for netOdin...
Need some more time for investigation...
Found only 1 OWO package...:
Code:
R825FXXU1[B]ASI5[/B]
Best Regards
Click to expand...
Click to collapse
Thanks @adfree for your response. Here you can find my investigation:
The error message is:
Code:
There is only one node. The list can't be made empty UA/ERROR(SS_FSVerifyNode) SS_FSVerifyNode - SHA mismatch with SRC - PATH [system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal] Expected [ff9feddc] Actual [ff9fedf0]
So, I search about SS_FSVerifyNode code on internet, I found that that code is part of libtota-1.2.2-25.1.src.rpm.
Code:
...
if (SS_LoadFile(path, &source_file) == 0) {
if (memcmp(source_file.sha1, source_sha1, SHA_DIGEST_SIZE) != 0) {
SS_Free(source_file.data);
unsigned char actualShaBuffer[41] = { 0, };
hex_digest(source_file.sha1, actualShaBuffer, SHA_DIGEST_SIZE);
LOGE("SS_FSVerifyNode - SHA mismatch with SRC - PATH [%s] Expected [%s] Actual [%s]\n",
path, sha1src, actualShaBuffer);
SS_SetUpgradeState(E_SS_FSSRCCURRUPTED); // E_SS_FSSRCCURRUPTED (0xD15) /*Could NOT update FS as SRC seems to be corrupted */
return E_SS_FAILURE;
}
}
...
It is calculating SHA1 of the file system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal and then it compares with SHA inside the csc.img/CSC.txt inside the delta.tar file. Part of the content of the csc.img/CSC.txt is
Code:
DIFF:REG:system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal:system/opt/system/csc/preconfig/TCE/usr/network/.delta_opername.db-journal:[B]a4b298726c564ea01c9f21815c864e253493c269[/B]:f185bc963d1e61e372da5f1cda21e69a0cebf3ca:diff4_.delta_opername.db-journal_CSC.delta
PaTcHCoUnT:4 0 0 0 0 0
So I think my delta_opername.db-journal was edited in some moment, So the sha resumen doesnt match.