Help out OliNex / HARDSPL development by looking up your internal storage brandname - Touch Pro2, Tilt 2 Windows Mobile ROM Development

Hi There!
As requested in this topic, I promised to write a tutorial on how to find your internal memory brand (to be clear, NOT your SD Storage Card brand).
This is important because there are A LOT of Rhodium Devices out there which use "Samsung" internal memory and OliNex needs to find a device which uses Hynix (or any different than samsung_kby00xxx) so they can test HardSPL for the Rhodium with it.
So...In short, read the tutorial below if you want to help out hardspl development AND if you're willing to, if you have internal memory that's from Hynix (or any different than samsung_kby00xxx), act as a tester for their HardSPL.
Cmonex also wrote a very short tutorial using a different program, you can scroll down a bit and read it or click here.
Originally Posted by cmonex
> PLEASE STOP POSTING YOUR FLASH INFO IF YOU ONLY HAVE THE samsung_kby00n00hm
> ...because it gives no new information to anyone, or anything useful.
The Tutorial:
Requirements:
QMAT
Windows Mobile Device Center 6.1 for vista or ActiveSync 4.5 for Windows XP
USB Cable for connecting your phone with your pc
Warning:
I'm in no way liable if you screw your phone up...although I seriously doubt that you can actually screw anything up using QMAT and just these instructions.
Step 1
Note:
As I'm personally using Vista x64 I can't explain at full length how to disable USB Connections in ActiveSync for Windows XP.
Note2: Begin with your device NOT connected to your pc.
First we are going to disable USB connections so QMAT can successfully communicate with your device.
To do this, open the Windows Mobile Device Center.
Click on "Mobile Device Settings" and then click on "Connection Settings".
Untick "Allow USB Connections" in the new window that just popped up.
Click on "Ok" and then close Windows Mobile Device Center.
Step 2
Enter bootloader mode with your device, DO NOT CONNECT YOUR DEVICE JUST YET! To do this:
* Remove the stylus from your phone then remove the back cover from the phone.
* Hold the Volume Down button.
* Use the stylus to press the reset hole.
* Or if the device was powered off, hold the volume down button and then press the power button to turn the device on.
You should see "Serial" at the bottom of the screen.
Step 3
Connect your phone to your pc using a USB cable, any USB to Mini-USB cable should be fine, just to be on the safe side you could use the USB cable from the original packaging.
The word "Serial" at the bottom of the screen should turn into "USB", also if this is your first time entering bootmode and connecting your device to the pc it should install some drivers and stuff...this is normal
Step 4
Now the real stuff begins....
Open up QMAT
Click "Hardware Forensics" at the top of the program.
Click on "Use Mobile Ports" at the sub-menu which just appeared.
Click on the tab "Modem Port (Async)"
Click on either Start USB (Vista) if you have vista, or Start Serial (XP) if you have XP.
If everything went ok the button you just clicked turned into "Stop USB". Just don't click it just yet.
In the Textfield at the left of the buttons you type in:
"info 8" (without the quotes of course...) and then press return (enter).
All kinds of information should start popping up in the big textfield below.
Scroll up....and you should see something like this:
Code:
info 8
--- 2K bytes sector version ---
DEVICE NAME=*YOUR INFO HERE*
DEVICE ID=*YOUR INFO HERE*
DEVICE MAKER ID=*YOUR INFO HERE*
PAGE SIZE=*YOUR INFO HERE*
TOTAL PAGE SIZE=*YOUR INFO HERE*
BLOCK COUNT=*YOUR INFO HERE*
BLOCK PAGE=*YOUR INFO HERE*
This is what it displayed with me:
Your brand is stated after "Device Name". Now...please reply with this information if the one you're seeing is displaying ANYTHING else than samsung_kby00xxx (especially if it's stating Hynix).
You can select the text needed and copy it to a notepad file or any other text-file...or this forum of course.
After you're finished, hit "Stop USB" and close down QMAT.
Safely remove your device from your pc, reset it and it should start up again as normal.
Re-enable usb connection in the Windows Mobile Device Center.
Thanks to Olipro for personally giving instructions to me on how to do all of this in the first place.
Todo:
Make Video tutorial.

Works in windows 7 as well!
For those cutting edge folkies who use windows 7, it works as well.. just follow the Vista instructions. I can also confirm that it did NOTHING to any information on my device..
BTW.. sorry guys.. mine's samsung!

many thanks for the tut & here is a perhaps simpler way for some people.
1. simply download itsutils from http://nah6.com/~itsme/itsutilsbin-20090515.zip
2. extract to empty folder and make sure your device is synced.
2b. you may have to install http://hpcmonex.net/roms/enablerapinew.cab on the device.
3. go to the above folder with cmd - if you don't know how to use cmd then i don't need you as a tester anyway (sorry no offense meant!)
4. command: pmemdump -p 0x01ffc0ac 0x4
5. if it shows ad bc 10 55 (flash deviceid) then it's hynix flash
edit: actually the first tutorial is still very useful, if "info 8" shows something other than samsung_kby00n00hm it may still be very interesting!
if you do my steps then if it shows anything other than ec bc 42 15 (which is samsung_kby00n00hm) then please let me know.
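
Both checks from this thread, scripted as an added example (not code from the posters, QMAT or itsutils): it parses bootloader `info 8` output and `pmemdump` output, maps the maker byte to a vendor, and derives the flash geometry. The function names, the reading of BLOCK PAGE as pages per block, the treatment of the first ID byte as the maker code, and the abridged samples are assumptions made for the example.

```python
import re

# First byte of the NAND ID is taken as the manufacturer code (assumption);
# these are the two vendors the thread discusses.
MAKERS = {0xEC: "Samsung", 0xAD: "Hynix"}
# ID bytes the thread gives for samsung_kby00n00hm (the result nobody needs to post).
KNOWN_ID = bytes.fromhex("ecbc4215")

FIELD = re.compile(r"^([A-Z][A-Z ]*[A-Z])=(\S+)$")
BLOCK = re.compile(r"^BLOCK (\d+) \(0x[0-9A-Fa-f]+\) is (\w+) block$")
PART = re.compile(r"^Partition\[(\d+)\], type=(0x\w+), start=(0x\w+), total=(0x\w+)$")
DUMP = re.compile(r"^([0-9A-Fa-f]{8}):((?:\s+[0-9A-Fa-f]{2})+)")

# Constructed, abridged sample in the `info 8` format shown on this page.
SAMPLE_INFO8 = """\
Cmd>info 8
--- 2K bytes sector version ---
DEVICE NAME=samsung_k9k2g08
DEVICE ID=0xAA
DEVICE MAKER ID=0xEC
PAGE SIZE=0x800
TOTAL PAGE SIZE=0x840
BLOCK COUNT=0x800
BLOCK PAGE=0x40
Checking block information
BLOCK 2 (0x2) is reversed block
BLOCK 8 (0x8) is reversed block
BLOCK 781 (0x30D) is bad block
Partition[0], type=0x20, start=0x2, total=0x63E
Partition[1], type=0x23, start=0x640, total=0x740
"""

# Constructed sample in the pmemdump output format shown on this page.
SAMPLE_DUMP = r"""C:\0>pmemdump -p 0x01ffc0ac 0x4
01ffc0ac: ec bc 42 15 ..B.
"""


def parse_info8(text):
    """Parse `info 8` output into fields, per-status block lists and partitions."""
    info = {"fields": {}, "blocks": {}, "partitions": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := FIELD.match(line):
            info["fields"][m.group(1)] = m.group(2)
        elif m := BLOCK.match(line):
            # The status word is kept exactly as the bootloader prints it.
            info["blocks"].setdefault(m.group(2), []).append(int(m.group(1)))
        elif m := PART.match(line):
            idx, ptype, start, total = m.groups()
            info["partitions"].append({"index": int(idx), "type": int(ptype, 16),
                                       "start": int(start, 16), "total": int(total, 16)})
    return info


def geometry(info):
    """Derive vendor and sizes; assumes BLOCK PAGE means pages per block."""
    f = {k: int(v, 16) for k, v in info["fields"].items() if v.lower().startswith("0x")}
    bad = info["blocks"].get("bad", [])
    return {
        "vendor": MAKERS.get(f.get("DEVICE MAKER ID"), "unknown"),
        "data_bytes": f["PAGE SIZE"] * f["BLOCK PAGE"] * f["BLOCK COUNT"],
        "spare_per_page": f["TOTAL PAGE SIZE"] - f["PAGE SIZE"],
        "bad_blocks": bad,
        "bad_in_range": all(0 <= b < f["BLOCK COUNT"] for b in bad),
    }


def parse_pmemdump(output, count=4):
    """Return (address, first `count` bytes) from the first hex line of the output."""
    for raw in output.splitlines():
        m = DUMP.match(raw.strip())
        if m:
            data = bytes.fromhex("".join(m.group(2).split()[:count]))
            if len(data) == count:
                return int(m.group(1), 16), data
    raise ValueError("no pmemdump hex line with %d bytes found" % count)


def worth_reporting(device_name=None, id_bytes=None):
    """Apply the thread's rule: only results other than the known Samsung part matter."""
    if id_bytes is not None:
        return id_bytes != KNOWN_ID
    return not (device_name or "").lower().startswith("samsung_kby00")


if __name__ == "__main__":
    info = parse_info8(SAMPLE_INFO8)
    print(info["fields"]["DEVICE NAME"], geometry(info))
    addr, flash_id = parse_pmemdump(SAMPLE_DUMP)
    print(hex(addr), flash_id.hex(" "), MAKERS.get(flash_id[0], "unknown"),
          "report it" if worth_reporting(id_bytes=flash_id) else "no need to post")
```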

Cmonex thank you for your short tutorial.
I edited my tutorial stating explicitly that if someone finds anything other than samsung they should reply with the info

Hi,
I'm under Seven x64, and the first how to didn't work, Qmat can't find usb port.
Cmonex's solution works well, unfortunately, I have Samsung's memory

mtech said:
> Same here, Samsung.
> Out of curiosity, anyone get this:
> BLOCK 32 (0x20) is reversed block
> BLOCK 2585 (0xA19) is bad block
> Partition[0], type=0x20, start=0x2, total=0x63E
> Partition[1], type=0x23, start=0x640, total=0xA80
> Partition[2], type=0x25, start=0x10C0, total=0x15980
> Partition[3], type=0x4, start=0x16A40, total=0x24580
> about BLOCK 2585 being bad?
Also had that. Think it's normal.

I have a TP2 WWE and the result is:
C:\0>pmemdump -p 0x01ffc0ac 0x4
Copying C:\0\itsutils.dll to WCE:\windows\itsutils.dll
01ffc0ac: ec bc 42 15 ..B.

Thread stuck.
Dave

monx® said:
> it seems until now everybody hv samsung chipset (including me).
> what about only post here if u hv other than samsung chip? so we wont get over excited when see new post here (except this post please)
Agreed.
I edited my start-post/tutorial and clearly stated that people only should reply if they have anything else than samsung_kby00xxx.

Can somebody explain me why need Hynix chip? Samsung are more secured or what?
ps: 3 pieces of TP2, all samsung chips. I remember that week or two ago, I disassembled one tp2 with damaged screen and i think it was Hynix chip on board, if it mean anything.

borce_razor said:
> Can somebody explain me why need Hynix chip? Samsung are more secured or what?
> ps: 3 pieces of TP2, all samsung chips. I remember that week or two ago, I disassembled one tp2 with damaged screen and i think it was Hynix chip on board, if it mean anything.
It's probably an inventory/stock issue. Vendors may not have the same flash chips in stock to use on all manufactured devices. Or there could be different factories with different components available, so one factory could be putting in Hynix flash. This is a very common practice...
Hynix/Hyundai also produces RAM and other ICs, so this may have been what you've seen on your broken TP2.
cmonex,
is it geometry/block size or mfg partition location that is different on Hynix chips?

pen-pen said:
> Hi,
> I'm under Seven x64, and the first how to didn't work, Qmat can't find usb port.
> Cmonex's solution works well, unfortunately, I have Samsung's memory
if you need help with that USB thing, feel free to PM me

mtech said:
> Same here, Samsung.
> Out of curiosity, anyone get this:
> BLOCK 32 (0x20) is reversed block
> BLOCK 2585 (0xA19) is bad block
> Partition[0], type=0x20, start=0x2, total=0x63E
> Partition[1], type=0x23, start=0x640, total=0xA80
> Partition[2], type=0x25, start=0x10C0, total=0x15980
> Partition[3], type=0x4, start=0x16A40, total=0x24580
> about BLOCK 2585 being bad?
it's normal, most nand devices ship with at least one bad block though I have some that have no bad blocks just luck really, and it's not a problem if it has a couple of them, there is enough other blocks to replace them.

shure2 said:
> samsung here too, are you sure that they have used hynix memory?
well, looks like for topaz there was no non-samsung chips, while hspl was in testing... I know that because no tester had any issues regarding flashing itself; but as soon as I released it they started getting hynix ones. that was nice timing.

CHfish said:
> Sorry for spamming the thread (I've got samsung too) but
> I've got a test device from HTC - and it says "Security Unlocked" on the top line of the bootloader - is this of any interest to you?
> Does this mean I might flash any (unsigned) ROM?
> Further information:
> Code:
> RHD100 32M SS-BC
> SPL-0.78.0000
> MicroP-Rhodium (LED) v9
> MicroP-Rhodium (KEY) v4
> TURBO HW/TURBO SW
> TP MFG DATA
> 512,524 794,844
> 793,200 225,198
> 227,846 Calibrated
> CHfish
neat that you have a prerelease. security unlock got nothing to do with OS flashing, sorry. but it is probably also supercid, so you can flash any HTC rom (but not cooked roms).

stepw said:
> It's probably an inventory/stock issue. Vendors may not have the same flash chips in stock to use on all manufactured devices. Or there could be different factories with different components available, so one factory could be putting in Hynix flash. This is a very common practice...
> Hynix/Hyundai also produces RAM and other ICs, so this may have been what you've seen on your broken TP2.
> cmonex,
> is it geometry/block size or mfg partition location that is different on Hynix chips?
a nand ctl config register is different. this configs for example where to find bad block bytes in the raw read of a nand page (btw, some of the config values are different on hynix than on samsung, but the bad block one happens to be the same on both). on topaz its contents can get "corrupt" (as I don't have such a problematic device I still don't know why), and it happens that the "corrupt" contents didn't affect much except that the SSPL could not read/write nand (it thought all blocks were bad but did not attempt to write the bad block data back); I put "corrupt" in quotes as it is always the same value, not random. anyway, I fixed that on topaz in the end but I would like to see one such device on rhodium, let's see if someone comes up with one soon. I'm pretty sure rhodium has devices with hynix too (even raphael has them, but it wasn't a problem on raphael).
PS: I think the problem with it getting "corrupt" is that topaz (and rhodium probably) handles this config register differently anyway (different from raphael etc). I mean the part is different when you send a request to nand via dm with some buffers with commands and configs in them. what I don't know is exactly how this affects the hynix devices.

cmonex said:
> well, looks like for topaz there was no non-samsung chips, while hspl was in testing... I know that because no tester had any issues regarding flashing itself; but as soon as I released it they started getting hynix ones. that was nice timing.
Uhhh...that's bad.
Don't you think people would be clever enough to understand a warning message like "check your internal memory before flashing HardSPL!"
...uhm...no...
...forget my words...just a moronic touch of confidence in mankind

cmonex said:
> a nand ctl config register is different. this configs for example where to find bad block bytes in the raw read of a nand page (btw, some of the config values are different on hynix than on samsung, but the bad block one happens to be the same on both). on topaz its contents can get "corrupt" (as I don't have such a problematic device I still don't know why), and it happens that the "corrupt" contents didn't affect much except that the SSPL could not read/write nand (it thought all blocks were bad but did not attempt to write the bad block data back); I put "corrupt" in quotes as it is always the same value, not random. anyway, I fixed that on topaz in the end but I would like to see one such device on rhodium, let's see if someone comes up with one soon. I'm pretty sure rhodium has devices with hynix too (even raphael has them, but it wasn't a problem on raphael).
> PS: I think the problem with it getting "corrupt" is that topaz (and rhodium probably) handles this config register differently anyway (different from raphael etc). I mean the part is different when you send a request to nand via dm with some buffers with commands and configs in them. what I don't know is exactly how this affects the hynix devices.
This is odd, there's a flash driver - a geometry descriptor and a set of flash related procs in SPL for each supported NAND flash type. I don't see how SPL would work at all (e.g. flash OS and such) if Hynix driver is broken/missing. There should be no need to program NAND directly in SSPL AFAIK, the driver should be taking care of setting proper flags (block status, bad block, etc...) in out-of-band portion of NAND page.
Is there a chance SPL on devices with Hynix NAND includes a Hynix driver and SPL on devices with Samsung NAND does not? They might even be the same version, but the driver could be missing in one...

stepw said:
> This is odd, there's a flash driver - a geometry descriptor and a set of flash related procs in SPL for each supported NAND flash type. I don't see how SPL would work at all (e.g. flash OS and such) if Hynix driver is broken/missing. There should be no need to program NAND directly in SSPL AFAIK, the driver should be taking care of setting proper flags (block status, bad block, etc...) in out-of-band portion of NAND page.
> Is there a chance SPL on devices with Hynix NAND includes a Hynix driver and SPL on devices with Samsung NAND does not? They might even be the same version, but the driver could be missing in one...
OK I'll try to explain a bit better... when the topaz (and rhodium) SPL boots, its nand driver code can of course handle either chip, but it relies on this nand config register having the right value on booting SPL (normally radio bootloader sets it up for SPL). this value is what changes on hynix units when or before loading SSPL, and I don't know why. - but I intend to find out
PS: the SPL binary itself is same for both types.

Is there any chance you guys will release a Samsung-only HardSPL with a big fat warning label?

Related

Did I just brick?

Ugh... I was flashing a new radio file to try to fix my speaker issue, and it locked up at 95%... upon reboot I have the tri colored screen... and I had to use the Whitescreen fix to get it to flash to 95%.... Now that I am stuck at the tri color screen I can't seem to get it to work again (since I can't get in to run the white screen fix program on my Tilt).
Any suggestions?
First things. What does it say on your screen? Post every word & number you can see on the tri-color (BL) screen.
After you tell me that, I'll tell you what to do next.
In the Upper right hand corner it says RUUNBH
On the left side a little lower it says
KAIS1*0
SPL-1.56.0000
CPLD-8
At the bottom of the screen if I have USB plugged in it says USB, if nothing is plugged in it says Serial.
OK, now I'm gonna have to chew you a new A$$HOLE for a minute, so be patient!
WHY IN THE HELL WOULD YOU FLASH WITHOUT HAVING HARDSPL INSTALLED????
Okay, now that's out of the way, you have a RUU flag set in the device because you force flashed over MFG SPL.
You need to first download MTTY v1.1.6 & then do the following. *I assume you are using an XP pc. If not tell me BEFORE doing anything.
On your PC hit Ctrl, ALT, Delete. Select Task Manager & end the following processes:
1. WCESCOMM.exe
2. WCESMgr.exe
3. rapimgr.exe
Also kill any firewall that may be running & in particular any McAfee security products.
Remove SIM & SD card, then Plug your device in, & launch MTTY.
Select flow control RTS/CTS & then select the USBCE0001 (or similar) or USB port.
Hit your enter key until you see the prompt "cmd>"
At this prompt enter only the following & exactly as it's written: info 8
It should look like this "cmd>info 8"
Please note there is a space between the word info & the number eight (8).
Post the return from the MTTY screen or PM me with it & I'll tell you the next step.
DO NOT PLAY WITH MTTY!!! It is not a toy. Do not try entering random commands, etc. MTTY can brick your device if you are not careful. I unbrick about 5 of these a day, so I have a ton of experience with MTTY & CE.
Thank you SO much for the detailed help. My only problem now is tracking down MTTY.
I appreciate the help!
You might try this thread that talks about mtty...
http://forum.xda-developers.com/showthread.php?t=371154
Got same problem with error 262
Thought i had installed hardspl but not sure now,
my tricolour screen shows the following
KAIS130 MFG
SPL-1.0.0liPof
CPLD-8
with RUUNBH in the top right corner
and info 8 shows
Cmd>info 8
--- 2K bytes sector version ---
DEVICE NAME=samsung_k9k2g08
DEVICE ID=0xAA
DEVICE MAKER ID=0xEC
PAGE SIZE=0x800
TOTAL PAGE SIZE=0x840
BLOCK COUNT=0x800
BLOCK PAGE=0x40
Checking block information
BLOCK 2 (0x2) is reversed block
BLOCK 8 (0x8) is reversed block
BLOCK 781 (0x30D) is bad block
Partition[0], type=0x20, start=0x2, total=0x63E
Partition[1], type=0x23, start=0x640, total=0x740
Partition[2], type=0x25, start=0xD80, total=0x8180
Partition[3], type=0x4, start=0x8F00, total=0x123C0
CE Total Length(with sector info) = 0x47C7800
CE CheckSum Length(without sector info) = 0x4780000
Cmd>
Any help would be greatly appreciated
torrac said:
> Thought i had installed hardspl but not sure now,
> my tricolour screen shows the following
> KAIS130 MFG
> SPL-1.0.0liPof
> CPLD-8
> with RUUNBH in the top right corner
> and info 8 shows
> Cmd>info 8
> --- 2K bytes sector version ---
> DEVICE NAME=samsung_k9k2g08
> DEVICE ID=0xAA
> DEVICE MAKER ID=0xEC
> PAGE SIZE=0x800
> TOTAL PAGE SIZE=0x840
> BLOCK COUNT=0x800
> BLOCK PAGE=0x40
> Checking block information
> BLOCK 2 (0x2) is reversed block
> BLOCK 8 (0x8) is reversed block
> BLOCK 781 (0x30D) is bad block
> Partition[0], type=0x20, start=0x2, total=0x63E
> Partition[1], type=0x23, start=0x640, total=0x740
> Partition[2], type=0x25, start=0xD80, total=0x8180
> Partition[3], type=0x4, start=0x8F00, total=0x123C0
> CE Total Length(with sector info) = 0x47C7800
> CE CheckSum Length(without sector info) = 0x4780000
> Cmd>
> Any help would be greatly appreciated
You are missing a ton of info. Looks like a lot of corrupt data on your device.
I would reset the device to restart in CE by clearing out the RUU Flag, (cmd>set 16 0) then give it the boot command. (cmd>boot).
After that you need to plug back in, restart Activesync & flash an OEM rom to overwrite the bad data.
You DO have HardSPL though, that is good.
If you are a Tilt user, go to http://htc.com/us & DL the ROM from Support/ Software Downloads.
After flashing the OEM ROM, redo the info 8 (cmd>info 8) & see if Bad Blocks are still reported. Let me know.
I also have the untouched roms on my 4shared site if you need to link any GS.
<3 threads like these, someones in danger and allways someone to help this is why i love xda-developers
It's completely selfish...
The ONLY reason I help is so people leave Oli, Pof, Tadzio, & many more I'm forgetting alone.
I want the really smart guys here working on new tools & ways to better utilize the technology. In past forums, if you had issues you bugged the crap out of Oli, or Pof to the point of Mania (I Know, I'm nearly there) & I don't want any of the guys to stop sharing their knowledge or their tools just because too many people can't follow directions.
I want brighter minds working on bigger projects, so I try & take some of the issues I can help with.
But make no mistake, I ultimately do it for ME & what I want.
GSLEON3 said:
> OK, now I'm gonna have to chew you a new A$$HOLE for a minute, so be patient!
> WHY IN THE HELL WOULD YOU FLASH WITHOUT HAVING HARDSPL INSTALLED????
> Okay, now that's out of the way, you have a RUU flag set in the device because you force flashed over MFG SPL.
> You need to first download MTTY v1.1.6 & then do the following. *I assume you are using an XP pc. If not tell me BEFORE doing anything.
> On your PC hit Ctrl, ALT, Delete. Select Task Manager & end the following processes:
> 1. WCESCOMM.exe
> 2. WCESMgr.exe
> 3. rapimgr.exe
> Also kill any firewall that may be running & in particular any McAfee security products.
> Remove SIM & SD card, then Plug your device in, & launch MTTY.
> Select flow control RTS/CTS & then select the USBCE0001 (or similar) or USB port.
> Hit your enter key until you see the prompt "cmd>"
> At this prompt enter only the following & exactly as it's written: info 8
> It should look like this "cmd>info 8"
> Please note there is a space between the word info & the number eight (8).
> Post the return from the MTTY screen or PM me with it & I'll tell you the next step.
> DO NOT PLAY WITH MTTY!!! It is not a toy. Do not try entering random commands, etc. MTTY can brick your device if you are not careful. I unbrick about 5 of these a day, so I have a ton of experience with MTTY & CE.
Hi my kaiser looks like bricked! black screen, green light, can not access bootloader, active sync do not recognize it .. when i connect it with mtty and write any command like (info 8, set 16 0) there is a reply Invalid command! What should I do to make my kaiser working? This problem appears after unsuccessful nuespl installing (and don't read for what is nuespl so I have just installed it and my phone stuck, after reset my screen goes black....)
It has been a week now ? And you have posted everywhere. At some point you are going to have to admit that you killed your phone. Sorry
denco7 said:
> It has been a week now ? And you have posted everywhere. At some point you are going to have to admit that you killed your phone. Sorry
On investigation I see what you mean - all those posts about the same issue I hope people starting out see this and take it as a warning that doing the wrong thing if you don't know what you're doing does have the capacity to ruin your phone so it's best to read up all the wiki contents and threads about flashing the Kaiser, before attempting to do so. On a +ve point, I think IP13 may find people here interested in buying the phone for parts.

Kaiser stuck on Bootloader Screen saying: "No Image File"

Hey everybody,
first of all i want to say BIG THANKS for all the informative posts that helped me in the past.
Now, i'm facing a problem which seems unsolvable at the moment
It started with my USB Port Issue. The MINI USB connector did not work anymore (no power and no data connection), because of some twisted connector pins. So i ordered a broken HTC Tytn 1 and gave it to an electrician who replaced the broken usb port of the kaiser.
The Kaiser is now repaired, usb connectors works well, but since the electrician replaced the connector, the Device does not boot anymore.
Only thing i see is the Bootload Screen which is in a flash interrupted by a screen which says: "loading.....no image file". Then it turns back to bootload modus.
I Flashed the Original HTC ROM 6.1 but it stays the same. I Flash the 1.4 M-Diamond Full it stays the same.
I tried this:
http://forum.xda-developers.com/showpost.php?p=1765045&postcount=2
The Device finally booted but once the device started to configure the OS, it switched back to the Bootloader Mode.
There is obviously no chance to get the device running!
Does anybody of you know the solution for this Problem? I don't like a 500bucks phone stuck on the bootloader screen. I mean..those colours really look nice hahahaha.. please help me
Thanks
My Log on mtty.exe
This is my Log Msg on Mtty.exe after i send the command "boot"
boot
"Fill RSVD information for block 288 to 309
Storage start sector=0x9400, total sector=0x11EC0
Storage start block=613, total block=1147
Total Bad Block in CE: 2
Erase physical block from 903 to 2032
formatstorage Bad block found: 1134
formatstorage Bad block found: 1939
si backup: Erase physical block from 2032 to 2048
Card inserted
Cmd5 CMD_TIMEOUT
SD 2.0 LC card
SD Init OK
SDFATChkConf: RhOpenFile() failed KAISCONF.txt
OEMIPLInit clear 10MB ext RAM
OEMGetUpdateMode
OEMTranslateBaseAddress 23 80000000 80000000
IPLMSG:0x8:INFO: Loading image ...
IPLMSG:0x9:INFO: Jumping to image...
OEMLaunchImage crc of Mini-Kernel:0x637924DC
OEMLaunchImage 80000000
Jump to Physical Address 10300000"
Give some of the ideas in this thread a go (especially the cmonex Hard SPL bit): http://forum.xda-developers.com/showthread.php?t=423486
If nothing works I'll have a look tonight (if I get on my PC ... ).
Ta
Dave
ain't workin' yet!
Hey dave, thank you for your link!
I really do try to get this device running and i'm very patient, reading every single thread carefully in order to avoid messing up!
After your post, i tried this one:
"If you are using one of the pof (OliPof) or jockyw2001 Hard SPLs and still cannot boot. ref
This method is not needed if just the RUUNBH is showing on screen, for that the other solutions suffice.
Download KaisDiagTest1.zip from here. (Try here if the link doesn't work).
Format your MicroSD to Fat32 (if you haven't already done so).
Copy the KAISDIAG.NBH image file from the zip on to the root. (This is basically an SSPL patched to load from SD without booting OS.)
Insert the SD Card into the phone and turn it on.
It should say Loading / Update in progress then reboot to a screen saying SPL 1.00.OliNex.
You should then be able to flash a ROM using KaiserCustomRUU over USB as normal (see above for instructions).
Before you flash, test the connection by opening MTTY and seeing if you can select the USB option to connect to. (See above).
If your PC doesn't see the device, try a replug. Also, the USB should be plugged in all the time (except for when you replug).
If this doesn't work, please read and then post here - there may be another method waiting for testing."
It didn't work, even after Flashing the M-Diamond 1.3 (3.0) the device does not boot. Entering "boot" in mtty.exe does not help either, because the device screen slowly turns WHITE ! WHAT THE HELL?
I tried this also:
http://forum.xda-developers.com/showthread.php?t=420683
i tried 356, 329 ( this i tried first ). and after patching it i flashed m-diamond 1.4 -> no success, and original htc 6.1 -> no success.
just take a look at how my kaiser reacts :
http://rapidshare.com/files/165190998/kaiserissue.wmv
so, i've tried every hardspl from cmonex and it all remains the same, the device turns on, the bootloader screen appears it shows ( as illustrated in the video ) the spl version and so on...
here is my log from mtty.exe:
Cmd>info 8
--- 2K bytes sector version ---
DEVICE NAME=samsung_k9k2g08
DEVICE ID=0xAA
DEVICE MAKER ID=0xEC
PAGE SIZE=0x800
TOTAL PAGE SIZE=0x840
BLOCK COUNT=0x800
BLOCK PAGE=0x40
Checking block information
BLOCK 0 (0x0) is reversed block
BLOCK 1 (0x1) is reversed block
BLOCK 2 (0x2) is reversed block
BLOCK 8 (0x8) is reversed block
BLOCK 9 (0x9) is reversed block
BLOCK 10 (0xA) is reversed block
BLOCK 11 (0xB) is reversed block
BLOCK 16 (0x10) is reversed block
BLOCK 17 (0x11) is reversed block
BLOCK 18 (0x12) is reversed block
BLOCK 19 (0x13) is reversed block
BLOCK 537 (0x219) is bad block
BLOCK 608 (0x260) is bad block
BLOCK 846 (0x34E) is bad block
BLOCK 1651 (0x673) is bad block
Partition[0], type=0x20, start=0x2, total=0x63E
Partition[1], type=0x23, start=0x640, total=0x740
Partition[2], type=0x25, start=0xD80, total=0x86C0
Partition[3], type=0x4, start=0x9440, total=0x11E80
CE Total Length(with sector info) = 0x4A6A200
CE CheckSum Length(without sector info) = 0x4A20000
what's the deal with the "bad blocks" ? Damnit, i really do despair of the whole process, i tried 7-8 hours now and it doesn't seem to work!
Please, if anybody of you knows exactly! what the problem is/could be, let me know and in order to save time, feel free to contact me on msn: [email protected]
Well,
if you have a SD card, give it a shot and try to flash your original (current installed) ROM from SD by following this HOW-TO - just make sure that you use the exact same ROM as you have on the device in case it is not HARD_SPL'ed
hey, thanks for your post.
there's no way actually..i flash the original / actual rom via sd card, 100% installed but still same issue, stuck on the bootloader !
I'm not quite sure but what exactly is the second line in the bootloader which says: "SPL-1.0.OliPof". How do i get this changed?
what about the "bad blocks" in my mtty.exe log?
it is So weird that none of the (very good) sticked posts do help i guess my tilt is dead...
the BAD BLOCKS:
It seems to be normal under MTTY - I had about 4 different KAISER connected with mtty and on all of them it found some bad blocks - maybe just something it can't read due security restrictions or special formattings - OLLI P might be the right guy to ask ... he seems to be the expert on that part.
The "SPL-1.0.OliPof" tells me that your device is already HARD SPL, so, you should be able to flash any ROM.
Please, connect your device via USB to MTTY, once you are connected and pressed ENTER to get the input "C:>" type simply BOOT and hit ENTER.
BTW:
If the BOOT command does not work, try the solution in the first post of the following thread:
http://forum.xda-developers.com/showthread.php?t=371154&highlight=boot+loader+fix
That worked for me on a Tilt version of the Kaiser.
The mentioned "WCEUSBSH001" in that thread should be "USB" (depending on your MTTY version).
thanks again!
Hey Junner,
thanks for your post!
What about if the HardSPL is broken? is there any possibility to fix/renew it?
I've used mtty.exe a lot the last 10 hours. The "boot" command did fail most of the time. Some times the device booted with the previously flashed rom (for instance the m-diamond)...but once Windows Mobile starts the "auto configure routine", the device restarts and the bootloaderscreen appears.
"Set 16 0" / "Set 14 0" ( i know if can be different depending on the device ) does not work. "Task 0" and "Task 8" ain't work either.
So, what now? As you can see: No matter! what i do...in the end i only have a bootloader screen...honestly i'm traumatized! i will NEVER be able to flash any device again HAHAHAH
btw: 4sure i tried both mtty versions. I even tried the procedure on different computers.
> Please, connect your device via USB to MTTY, once you are connected and pressed ENTER to get the input "C:>" type simply BOOT and hit ENTER.
Hey again.
Check out the Video i uploaded. There you can see that the device will not boot
While 'glimpsing' at your video, I saw that you did not even have a DOS PROMPT in MTTY when you typed BOOT!
When connecting via MTTY, hit ENTER first once or twice and wait for the C:> afterwards type BOOT and hit ENTER again! If that does not work, try to do the exact same with the stuff mentioned above in the thread (SET 16 0) ...
IN ANY CASE: make sure you get the DOS PROMPT first in MTTY !!!
Since your phone is HARD_SPL'ed and you say you can't flash any ROM, the only one thing I can think of, is, that your electrical repair man damaged the physical ROM while working on your USB port.
It looks strange to me because if there were physical damage to the chip, you wouldn't be able to complete the flashing process.
What happens exactly when you try to reflash your device with a standard ROM??? What errors do you get? What does your device exactly do during flashing?
FINALLY!
Hey again.
Of course you are right, sorry for that. I had to handle recording and entering the command at the same time
I finally fixed the problem! Unfortunately i'm in a hurry right now, i will report later! Many thanks for your help so far!!!
Talk to you later!
Having the same problem!
I see you have solved your problem, and as I have the same one, please explain me how you managed to get the device working, as I am out of my wits trying to repair my Kaiser!!!
Also have the same problem with my Kaiser. Could anybody explain how to fix the no image file problem, please?
Is there any chance to solve that problem? Or do I have to throw my Kaiser away? PLEASE help me to fix it!!

Software or hardware problem?

HTC TyTN II
1. Wireless DOES NOT WORK
2. Sometimes the signal does not work
3. The camera DOES NOT WORK
4. disc does not work
5. World to the keyboard does not work
Is this a software problem?
Sorry for my bad English.
konzul said:
HTC TyTN II
1. Wireless DOES NOT WORK
2. Sometimes the signal does not work
3. The camera DOES NOT WORK
4. disc does not work
5. World to the keyboard does not work
Is this a software problem?
Sorry for my bad English.
Back up your data and do a hard reset. If the problems persist, you can pretty much assume it is a hardware problem.
Hello
I have some problems with the storage.. I found it with MTTY
When I start my phone it won't show the radio version etc.; only the boot display works for a few seconds
and it crashes! What can I do!? I have flashed some ROMs.
It flashes and it goes, but it doesn't start.
HardSPL 1.0 from oli
Rom before crash: NoThrills_WM61_GER_V3
meylan said:
Hello
I have some problems with the storage.. I found it with MTTY
When I start my phone it won't show the radio version etc.; only the boot display works for a few seconds
and it crashes! What can I do!? I have flashed some ROMs.
It flashes and it goes, but it doesn't start.
HardSPL 1.0 from oli
Rom before crash: NoThrills_WM61_GER_V3
Try upgrading your HardSPL to 33.4 or 3.29; 1.0 is a WM 6.0 HardSPL.
I have tried to upgrade HardSPL many times, and it doesn't do it,
so I tried to fix my storage yesterday and then it broke.
Now when I want to start it, only the LCD goes green.
No screen anymore.
task 28 55aa
Format start
Fill RSVD information for block 288 to 309
Storage start sector=0x8DC0, total sector=0x12500
Storage start block=588, total block=1172
Total Bad Block in CE: 0
Erase physical block from 876 to 2048
formatstorage Bad block found: 1603
Format end
Cmd>task 2a
Format ALL start
backup SPL OK
backup MISC configuration OK
SPL start start block=288, total block of CE=1760
ERASE block 1315 FAIL !!!
Write 0xFF start page=0x4800, total page=0x1B800
SPL version and MFG TAG are same, skip it.
restore SPL OK
restore MISC configuratoin OK
restore MFG configuratoin OK
Format ALL end
Cmd>task 32
Cmd>task 37
Invalid debug log data. Please check debug log raw data in addr 0xAE100000
Cmd>task 28
Format start
Fill RSVD information for block 288 to 309
TAG NOT FOUND !!! NOT CLEAR STORAGE !!!
Format end
Cmd>erase
HTCST ÚÈÒHTCE
Cmd>erase a0040000
HTCST ÚÈÒHTCE
Cmd>checksum
Cmd>checkimage
SPL CRC checksum = 0x5507A35A
CE is None.
ExtROM is None.
Cmd>info 8
--- 2K bytes sector version ---
DEVICE NAME=samsung_k9k2g08
DEVICE ID=0xAA
DEVICE MAKER ID=0xEC
PAGE SIZE=0x800
TOTAL PAGE SIZE=0x840
BLOCK COUNT=0x800
BLOCK PAGE=0x40
Checking block information
BLOCK 8 (0x8) is reversed block
BLOCK 1315 (0x523) is bad block
OS NOT FOUND !!!
Cmd>info 7
CPLD ID=0x8
Cmd>wdatah
Command error !!!
Cmd>rtask 0
Cmd>rtask 4
Cmd>checkimage
SPL CRC checksum = 0x5507A35A
CE is None.
ExtROM is None.
Cmd>password BsaD5SeoA
Pass.
HTCST ÚÈÒHTCE
Cmd>ruurun 0
Command error !!!
Cmd>ResetDevice
What can I do? Since the last command it doesn't start.
Try a new radio and maybe it'll work.
meylan said:
What can I do? Since the last command it doesn't start.
The reason it won't start anymore is because you ran Task 2a, which, unlike previous devices, formats EVERYTHING away, including the SPL and Windows Mobile. It essentially bricks the device, as it will not boot past OEMSBL (The radio bootloader, it comes first in boot order and loads the SPL, AFAIK). As soon as the device is reset after running the Task 2a command, the device will not boot as there is no OS bootloader, nor is there anything to boot. However, Jockyw2001 has created tools which may help to recover from a task 2a. A thread concerning Task 2a bricks can be found here. Best of luck with recovering your device.
DaveTheTytnIIGuy said:
The reason it won't start anymore is because you ran Task 2a, which, unlike previous devices, formats EVERYTHING away, including the SPL and Windows Mobile. It essentially bricks the device, as it will not boot past OEMSBL (The radio bootloader, it comes first in boot order and loads the SPL, AFAIK). As soon as the device is reset after running the Task 2a command, the device will not boot as there is no OS bootloader, nor is there anything to boot. However, Jockyw2001 has created tools which may help to recover from a task 2a. A thread concerning Task 2a bricks can be found here. Best of luck with recovering your device.
agh f*** thanks i didn't know that...
It's normal that the device isn't detected as qualm anymore?
it display me by connecting with Pc: "DATA LINK" or so
meylan said:
agh f*** thanks i didn't know that...
It's normal that the device isn't detected as qualm anymore?
it display me by connecting with Pc: "DATA LINK" or so
When I manually put my phone in OEMSBL, which is what yours should be in when you turn it on right now (the light is green but the screen stays black), windows detects it in Device Manager as: ZTE NMEA Device CDMA 1X, ZTE Diagnostics Interface 6000 CDMA 1X, ZTE USB Modem 6000 CDMA 1X. It should also detect the GPS and some other stuff, but I can't find those in Device manager.
mhh i used MTTY but i can't get in download mode
what commands should I write?
meylan said:
mhh i used MTTY but i can't get in download mode
what commands should I write?
This kind of stuff is too complicated for me, so I can't answer that myself. However, there are many threads that talk about task 2a resets and how to recover from them. Here, here, and here are all good places to start. But keep in mind that you should NOT try anything in these threads unless you have read everything, and are absolutely sure that the tool is for your specific situation. For example, DO NOT use the FrankenKaiser version in the third link if you don't have the Radio from Hell installed.
Alternatively, you could try the XDA IRC channel, or PM jockeyw2001.
Once again, best of luck repairing your brick.

[HOW-TO]UnBrick the UnBrickable Vibrant

Introduction:
After months of research and development, both hardware and software... I'm happy to announce UnBrickable Mod is a matter of modifying your phone once, with a single small wire. From that point on, you can click a button to unbrick. This can even be applied to a phone which is already bricked.
This is an example from the Captivate. The procedure is the same on the Vibrant.
Instructions
You Must have UnBrickable Mod applied to your device. If you're not sure, run this tool under Linux: http://forum.xda-developers.com/showthread.php?t=1257434
This currently only works for Linux based computers or Windows based computers with proper drivers installed, with a Linux Virtual Machine, Get Ubuntu here: http://www.ubuntu.com , Get Virtualbox Here: http://www.virtualbox.org/wiki/Downloads
You must have Java installed on your computer: http://www.java.com/en/download/
Unbricking:
1. Apply UnBrickable Mod to your device: http://forum.xda-developers.com/showthread.php?t=1273083
2. Run UnBrickable Resurrector: Get it from THIS POST: http://forum.xda-developers.com/showthread.php?p=17135277#post17135277 This will only work on linux currently. Install Linux or dual boot if you have windows.
3. Run Heimdall One-Click http://forum.xda-developers.com/showthread.php?t=1278683
4. Repeat steps 2 and 3 with bootloader flashing enabled (Heimdall One-Click has a safety mechanism which requires you to flash once before flashing bootloaders).
Conclusion
You've unbricked the unbrickable captivate... This should not have been difficult. If it was, you should learn teh computer better... Really. And with that said, I'm happy to announce that you no longer have to flash with a fear of bricking.
HIBL
The HIBL is the key to resurrecting a S5PC110 based processor. I'm going to let Rebellos explain the inner workings of the Hummingbird Interceptor Bootloader. It's really quite amazing. While my work is more hardware and high level tasks like making things into one-clicks, Rebellos' work involves reverse software engineering, assembly language, and more...
Rebellos said:
Okay, so, what is Hummingbird Interceptor Boot Loader (HIBL)?
Basically: It allows to load any amount of data (limited by size of RAM block, the biggest one single block available is 256MB) through USB connection with PC under any specified address into memory and then execute it.
Technically: It does consist of 2 pieces fused together - BL1_stage1 and BL1_stage2.
Each stage starts from 16bytes (4 ARM WORDs) of secure boot header. In stage1 these are mandatory, in stage2 they can be random (nulled them in my code), so EntryPoint of each stage does start at its 0x10 offset.
BL1_stage1, loaded under 0xD0020000 address, is short code, digitally signed by Samsung. It has been released to break "Chain of Trust" and alter Secure Boot into Non-Secure Boot process. Literally stage1 just does some compare operations and then jumps out to BL1_stage2. (Yes, I also see no point of releasing hardware secured CPU version together with software which is bypassing its security)
BL1_stage2, must be placed at 0xD0022000 address (it's fused together with stage1 into HIBL, so it's at 0x2000 offset of HIBL.bin) it is unsigned because Secure Boot Context, prepared by iROM (BL0) has been already ignored by stage1.
Its FASM_ARM sourcecode:
http://code.google.com/p/hummingbir...unk/HummingBirdInterceptorBootloader/HIBL.ASM
This is where the code start real work, it does begin with standard ARM core jump vector table (just to keep stick to standard, these aren't used anyway).
1. It does use I9000 BL1_stage2 functions (init_system) which I linked to it, these are used to init DMC controllers, as to this point code is executing in and working with very tiny, 96KB iRAM space, after calling this function it turns all 512MB of RAM available.
2. Make sure DMC is configured properly (write some value to address 0x40~~ memory space, then read it and compare with previously written)
3. Reinit iRAM heap to the BL0 initial state (to convince it USB dload mode haven't been called yet), by storing and restoring UART pointer only (to keep debug output flowing properly)
4. Call iROM usb_downloader function.
5. Read the address where downloaded data has been placed.
6. Jump into this address.
This, properly used, provides similar debug output (similar, because it's an outdated test log)
Code:
�������������������������������������������������� ����������������������
Uart negotiation Error
----------------------------------------
Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
----------------------------------------
Calling IBL Stage2
DONE!
Testing BL3 area
DONE!
iRAM reinit
DONE!
Please prepare USB dltool with BL3
Starting download...
0x00000000
Desired BL3 EP: 0x40244000
Download complete, hold download mode key combination.
Starting BL3...
//OUTPUT BELOW IS COMING FROM SBL
Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Non Secure Boot Version.
It opens infinite capabilities. Instead of SBL to unbrick, Uboot can be loaded, or any armlinux kernel. It's all up to you - XDA Developers.
Tools
Windows32 command line app and drivers http://forum.xda-developers.com/attachment.php?attachmentid=709292&d=1315091521 (doesn't work very well... just want you to know this)
Linux one-click Resurrector: http://forum.xda-developers.com/attachment.php?attachmentid=712232&d=1315349672
Wow. i mark it! thank you for your great work!
I just resurrected a Vibrant today using the method above. This tested great. No problems to note at all.
Here's a picture of my work http://forum.xda-developers.com/showthread.php?p=17896376#post17896376
This is slightly more difficult than a Captivate because there is no room to work around the resistors.
thanks to you i finally got my vibrant unbricked thanks a lot for this .....................
Aneez1990 said:
thanks to you i finally got my vibrant unbricked thanks a lot for this .....................
You're welcome. Glad this helped.
Very sexy work... it's nice to have this as a backup and it'll be very nice once people develop firmware to work with the unbrickable mod, like Nexus S bootloaders or WP7 or iOS or whatever... thanks again
Sent from a cell tower to the XDA server to you.
younix258 said:
Very sexy work... it's nice to have this as a backup and it'll be very nice once people develop firmware to work with the unbrickable mod, like Nexus S bootloaders or WP7 or iOS or whatever... thanks again
Sent from a cell tower to the XDA server to you.
I'd like to see Ubuntu. Turn these devices into a LAMP server or security/web cam or something when we're done with them.
I would also like to see work on Ubuntu. is there any work being done for that? I'm still thinking about getting the UB mod sometime soon.
Hey guys, I'm having a problem with step #2. It says to download Unbrickable Resurector but this post is the HIBL post with no "Unbrickable resurector" download link. Is that just an error or do I just download the file listed on the previous post called "UltimateUnbrickResurector.zip"? Thanks for any clarification...
Also, when I launch the resurector on the previous post I get the following error smdk-usbdl: not found. Do I need to have Heimdall running prior to launching the resurector? Thanks again...
Code:
Please wait.... Uploading..
-------------------------------------------------------------
Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
-------------------------------------------------------------
Building command list
Building command list
Requesting Permission to access device/tmp/skorpnHeimdallOneClick51336EBC/Script.sh: 3: /tmp/skorpnHeimdallOneClick51336EBC/UnBrickPack/smdk-usbdl: not found
Moved this post to the "Mod" thread.
The Resurrector is not working, either because the mod was done incorrectly, or my Ubuntu machine has been setup wrong. The Resurrector keeps giving me the smdk-usbdl: not found error, but the file exists. My best guess is that the Mod was done incorrectly, either that or my Linux box is being a pain... Also noticed adb not working as well.
EDIT: I'm going to go out on a limb and say this error is telling me the "usb device" has not been found, which would mean my mod did not take.
Edit: never mind, found the answer. I was just wondering if it is possible to learn the welding part of the guide on the internet and such. Also, what type of tools would I need? Please and thank you.
dohandrew said:
Edit: never mind, found the answer. I was just wondering if it is possible to learn the welding part of the guide on the internet and such. Also, what type of tools would I need? Please and thank you.
If you're asking, you will want to find someone more experienced.
I see. Where would you suggest going? I'm located in California; I don't really know of a place that does welding on phones.
Adam will do it for $30 + shipping, PM him.
At least that's what he's said (correct me if I'm wrong)
Adam, did you say you can do this mod for $30 + s&h?
Also, I'm wondering if you upgraded to Ubuntu 11.10 yet? I just decided to upgrade before even thinking about it possibly affecting the mode detect, Heimdall One-Click or the Resurrector. You think the upgrade can break these apps any?
SkOrPn said:
Adam, did you say you can do this mod for $30 + s&h?
Also, I'm wondering if you upgraded to Ubuntu 11.10 yet? I just decided to upgrade before even thinking about it possibly affecting the mode detect, Heimdall One-Click or the Resurrector. You think the upgrade can break these apps any?
Yes I do. No it doesn't.
AdamOutler said:
Yes I do. No it doesn't.
Excellent, I'm on 11.10, and thanks for the info...
I was able to remove the resistor and replace it with another resistor from an old Samsung phone. I used a circuit writer pen from Radio Shack; it lays down a conductive polymer, which I used to adhere the new resistor onto the bottom spot on the board. The resistors are so small I could not imagine being able to do this with a soldering iron. I would have probably shorted something out because the amount of solder that needs to be laid down might not even fit on an ant's back (seriously!).
Another note: when using Resurrector, my phone only went into download mode if I pressed "only" the volume down button. I hope this helps someone out there with a brick like the one I had.
Does that mean after applying this mod the vibrant will never brick at any cause ???
galaxyfitftw said:
Does that mean after applying this mod the vibrant will never brick at any cause ???
yes that is the meaning of this mod....is just awesome

OMAP4430 boot.rom dump

My purpose is to locate the fastboot system, and I thought that I would start from, well, the start. Boot-up on the OMAP4430 tries many places, one is an on-chip 48kb ROM. I initially tried to read /dev/mem, but no matter what address I tried to read it would say Bad Address, so I had to make a kernel module, in which I dumped the boot ROM to a file... and it worked.
The reversion of the ROM on my bionic is 0x03 0x19
(Please read Ch 27(.4.2.1) of OMAP4430_ES2.x_PUBLIC_TRM_vY.zip )
I am more handy with ia32 assembly, not arm...
So where is fastboot? I can see a few other addresses, but if I try to map some of them, the device will reboot.. The TRM spoke of 0x08000000 for a fast boot XIP but a reboot occurs (I think) ... any ideas where to look next?
After a day of digging around, I was able to find that "fastboot" (0x08000000) address at 0x28C18 (0x28000 is the base address of the boot.rom) ... just helping out anyone else interested in looking into this. I somehow don't think that this is what I am looking for though... but at least I do know that I am making some headway
Edit: Confirm that I am unable to read even one byte from 0x08000000 .. reboots
Edit2: Polling from the Control Register (0x4A0022C4) returned 0x00000AEF ... which means that
1) This is not a GP(General Purpose) OMAP4430
2) SYS_BOOT[5:0] is b101111 which tells us
a) to use Memory, not Peripheral boot devices
b) 1st boot device is MMC2(1)(perm) (eMMC/eSD = GPMC pins)
c) 2nd= USB-ULPI (external transceiver)
... Does the MMC mean it boots from the onboard 16gb? If so, then this might be easier to trace through than I thought...
Has anyone dumped the entire contents of that memory? or just the known partitions?
Edit3: Reading the TRM more (pg 5240) tells me that SDMMC2 only Raw mode is supported, no file system (FAT12/FAT16/FAT32) support because the purpose of this approach is to avoid the boot time penalty of searching for a file system hierarchy when it is not always necessary.
Edit4: ...and Sure enough, dumping the first 512 bytes of /dev/block/mmcblk1 shows the Bootable signature (0x55AA) at the end (0x01FE)
... I thought I read that it would just try to read in RAW mode, which makes it not want to even have such a thing, but I knew it had all those other partitions, so I figured I might have been wrong there...
A proper dump of this soon enough.. at least I gave you guys the boot.rom from the actual OMAP4430 that would have been otherwise hard to retrieve... I only wasted one day on this, not bad and I learned some ARM ASM
Edit5: Maybe I am getting ahead of myself, it is of type 0x83 ... which is Linux, not any of the FAT FS which the boot.rom supports... ?
Edit6: Well, it has the file it's looking for, not sure if it's a FAT system like it's supposed to be though, and it looks like in a 1MB dump that fastboot is in the 2nd or maybe more, partition... I still want to try to dump this "MLO" bootup file... but I have to learn about FAT fs structure, ugh...
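The two checks from Edit4 through Edit6 above (the 0x55AA signature at 0x01FE, then whether a partition labelled 0x83 really holds a FAT file system), as an added Python example that is not part of the original post. The function names and both sample sectors are constructed for illustration; because the partition type byte is only a label, the second check reads the BIOS Parameter Block of the partition's first sector instead.

```python
import struct

SECTOR = 512
SIGNATURE = b"\x55\xaa"  # boot signature bytes at offset 0x1FE
TYPE_NAMES = {0x01: "FAT12", 0x06: "FAT16", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x0E: "FAT16 LBA", 0x83: "Linux"}


def parse_mbr(sector):
    """Return the non-empty primary partition entries of a 512-byte MBR sector."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector[0x1FE:0x200] != SIGNATURE:
        raise ValueError("no 0x55 0xAA boot signature at offset 0x1FE")
    parts = []
    for i in range(4):
        # 16-byte entry: status, CHS start (3), type, CHS end (3), LBA start, count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, 0x1BE + 16 * i)
        if ptype:
            parts.append({"index": i + 1, "bootable": status == 0x80,
                          "type": ptype,
                          "type_name": TYPE_NAMES.get(ptype, "unknown"),
                          "lba_start": lba, "sectors": count})
    return parts


def fat_kind(boot):
    """Classify a partition's first sector as 'FAT12', 'FAT16', 'FAT32' or None."""
    if len(boot) < SECTOR or boot[0x1FE:0x200] != SIGNATURE:
        return None
    # A FAT boot sector starts with an x86 jump: EB xx 90 or E9 xx xx
    if not (boot[0] == 0xE9 or (boot[0] == 0xEB and boot[2] == 0x90)):
        return None
    (bps, spc, reserved, nfats, root_ents,
     total16, media, fatsz16) = struct.unpack_from("<HBHBHHBH", boot, 0x0B)
    total32, fatsz32 = struct.unpack_from("<II", boot, 0x20)
    if bps not in (512, 1024, 2048, 4096):
        return None
    if spc == 0 or spc & (spc - 1) or reserved == 0 or nfats == 0:
        return None
    if media != 0xF0 and media < 0xF8:
        return None
    fatsz = fatsz16 or fatsz32
    total = total16 or total32
    root_sectors = (root_ents * 32 + bps - 1) // bps
    data_sectors = total - (reserved + nfats * fatsz + root_sectors)
    if fatsz == 0 or data_sectors <= 0:
        return None
    # The FAT variant is defined by the cluster count, not by any label
    clusters = data_sectors // spc
    if clusters < 4085:
        return "FAT12"
    return "FAT16" if clusters < 65525 else "FAT32"


def build_sample_mbr():
    """Constructed sample: an MBR with two entries of type 0x83."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", mbr, 0x1BE, 0x00, 0x83, 2048, 8192)
    struct.pack_into("<B3xB3xII", mbr, 0x1CE, 0x00, 0x83, 10240, 4096)
    mbr[0x1FE:0x200] = SIGNATURE
    return bytes(mbr)


def build_sample_fat16_boot():
    """Constructed sample: FAT16 boot sector for an 8192-sector partition."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x3c\x90"
    bs[3:11] = b"MSDOS5.0"
    # 512 B/sector, 1 sector/cluster, 1 reserved, 2 FATs, 512 root entries,
    # 8192 total sectors, media 0xF8, 32 sectors per FAT
    struct.pack_into("<HBHBHHBH", bs, 0x0B, 512, 1, 1, 2, 512, 8192, 0xF8, 32)
    bs[0x1FE:0x200] = SIGNATURE
    return bytes(bs)


if __name__ == "__main__":
    for part in parse_mbr(build_sample_mbr()):
        print(part)
    print("first sector looks like:", fat_kind(build_sample_fat16_boot()))
```

On a real dump, the first 512 bytes of the device image go to `parse_mbr` and the first 512 bytes of a partition image go to `fat_kind`; a `None` result means the sector does not carry a valid FAT parameter block.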
The implications of deep hardware hacking like this make me very excited for what could be possible with the Bionic. It contains some absolutely absurd hardware for a mobile device so the sky's the limit at this point. Fantastic work! I could only dream of being able to comprehend the things that guys like you can.
Also I wonder if this thread would end up getting proper attention in the dev section.
projektorboy said:
The implications of deep hardware hacking like this make me very excited for what could be possible with the Bionic. It contains some absolutely absurd hardware for a mobile device so the sky's the limit at this point. Fantastic work! I could only dream of being able to comprehend the things that guys like you can.
Also I wonder if this thread would end up getting proper attention in the dev section.
I only wish I could comprehend what he is talking about. I'm glad to see a vested interest is being taken!
Sent from my DROID BIONIC
Thanks so much, Noxz for making the effort to do this!
hey, thanks finally for the responses, a full day after the initial dump and no responses... I think because it's NOT in the dev section... but I can't post a thread there until I have 10 posts... maybe I can get that privilege now, moderators?
The bad part with disassembling is that when it computes a jump in code (in ARM it's called a branch) and doesn't give a specific address, it makes finding that code very hard.. I found the text "MLO", the bootable file, in the boot.rom but nothing of the code I know referenced it yet, unfortunate because that partition is not a standard FAT fs and thus is taking a while to read, but if I did have the disassembly of the ROM code where it looks for that, or even just the file search, then I could easily see what it is reading...
Obviously knowing that fastboot and such is in the second or third partition is quite a step forward, but I need to dump this MLO file so we can read from start to finish...
I'll keep everyone posted
So this partition isn't a correct FAT fs... I don't know if being identified as a Linux partition means anything and I'm just not reading into it right, but I am having some time trying to look into these files, you can easily see the MLO file, a KEYS file, and a PRIMAPP file right at the start, or I should say the file name, but there isn't much information on where they are mapped, etc etc...
Maybe partition2 will be better? It's also identified as a Linux partition
I still have a few days to waste...
Sorry to ask dumb. But what exactly does this benefit me when flashing it?
Sent from my DROID BIONIC using Tapatalk
The current fastboot does not have several commands that are in the original source... but really, I am just interested in the entire boot procedure.. there are a few things I might like to change... The good news is because everything but the boot.rom resides on the eSD, that means we should be able to write to it very easily, so we can change quite a bit
Noxz, I am along with these guys in I would understand more if I was just dropped in the middle of Ghana :\ but I would like you to know that you have given me my 1024th item on my 'to research' list. So once I get bored with what I'm doing now, I am going to try to learn a little bit about ARM and OMAP
Hah, I understand...
I've done a bit of x86 ASM and BIOS disassembly before.. so I figured I might as well peek into this and see what is being hidden and such...
I am seeking help right now... If you know anything about the FAT filesystem... you can start by doing "dd if=/dev/block/mmcblk1p1 of=/mnt/sdcard-ext/partition1"
.. It obviously has that MLO bootup file in it as mentioned in the OMAP4430 TRM but I can't seem to trace what cluster it might be in... I have to assume that it is in fact a FAT fs... but it doesnt seem to follow any of the structures/formats I've been reading... ???
The boot rom you've dumped is the ti omap itself; the only real purpose of that is to bootstrap the bootloader. You are correct in that it's not a GP; none of the Motorola phones are -- this boot rom is what verifies the signature of the bootloader.
http://www.droid-developers.org/wiki/Booting_chain
While not exact, the above diagram will give you an overview of the layout used by Motorola phone. The short version is boot rom -> mbmloader -> mbm -> lbl -> kernel, where mbmloader is the Motorola terminology for the MLO or X-LOADER referenced in the TRM. mbm is the bootloader (motorola boot manager) and controls all actions henceforth, including fastboot (which replaced an older sbf protocol).
The CDT acts as a partition table and lists the layout of the device, including marking where the signatures are located and how often they're checked.
http://blog.opticaldelusion.org/2011/10/bionic-development-notes.html
Sorry for late answer.
Here you can find example of reversing OMAP 3430 bootrom http://hg.droid-developers.org/reverse_engineering/src/b8b881184b5f/asm
As mentioned before droid-developers wiki contain a lot of info about bootrom.
Here you can find info about bootrom itself http://www.droid-developers.org/wiki/Application_Processor_Boot_ROM
Here you can find info about security model in omap http://www.droid-developers.org/wiki/Security http://www.droid-developers.org/wiki/Secure_Services
Here you can find info about my project - emulation of early OMAP booting (including bootrom debugging) http://www.droid-developers.org/wiki/QEMU
