[Samsung GT-S5570] my experiments - call for experts contributions - Samsung Galaxy Mini

Hi all,
Here I'll describe every hack/mod/discovery I make on my phone,
the Samsung Galaxy Next/Mini/Pop GT-S5570.
ASSUMPTION: I will not install CWM.
I've already made some experiments, and bricked the phone...
... but I'm still going on.
I'll log every step I made - while expecting a repaired device from service.
Every suggestion from others' experience is welcome!

Summary & Status
--------------------------------------------------------------------------------------------------
This is the summary/status of the work I made directly on the phone (configuration, APKs, mods, ...)
1) Root the phone AND the ADB daemon. [post 3]
2) Add Essential APKs. [post 3]
3) Remove/Replace Stock applications. [post 6]
4) Got a personalized Restore. [post 6]
5) My device is back, with new GB ROM ... and personalized /system. [post 58]
--------------------------------------------------------------------------------------------------
This is the summary/status of every experiment I do with the ROM ...
1) use of ADB and related tools. [post 7]
2) backup copy of /system folder. [post 7]
3) dump of partitions. [post 7] (http://forum.xda-developers.com/showpost.php?p=17900113&postcount=7)
4) extract the list of partitions. [post 8]
Analyzing the dumped files...
5) the dumped images can be flashed with Odin !!! [post TODO]
6) extract the /system filesystem. [post 9]
7) extract the boot & recovery images. [post 12]
8) after extracting boot images... rebuild them (thanks to Doc_cheilvenerdi.org) [post 32] and [post 40]
9) add ext4 filesystem and busybox! (thanks to Doc_cheilvenerdi.org) [post 44]
10) moved /data to SD !! (thanks to Doc_cheilvenerdi.org) [post 50] and [post 52]
After explaining here how to modify the boot.img, Doc_cheilvenerdi.org wrote some excellent guides to describe his methods to add ext4 support and move /data to SD and then move /system to SD. He also guides you in hacking the initial logos and animations and gaining root privileges on every ROM (here the IT source). Since he's not only a master in hacking and developing, but he explains it all, these threads are a must read !!
Only... they're in Italian... (need help in translation, please)
ToDo
...) share my PC connection to the device (Reverse-Tethering) - investigation starts in [post 59]
...) understand and investigate init*** files in ramdisk (apart from init.rc, when are they started? what do they do?).
...) understand and investigate the APK install process
...) understand and investigate the Android framework.
...) move /data/apps/ /data/data and /data/dal***-cache to SD (should be simple, after Doc's effort !!)
...) load and adapt my dumped images to android_x86 (porting to PC/VM of Android) [post ...]
--------------------------------------------------------------------------------------------------
>>> OPENED QUESTIONS <<<
1.a) why some apk copied in /system/app/ does not work ? they do not appear in the apps list ...
1.b) why some apk removed from /system/app/ cannot be installed after the delete ?
2) where in ROMS are stored the set up of the Launcher ? i.e. the widget and icons appearing after a wipe ?
3) why bloatware removed from /system are present in the dumped BML12 ? where the 'they are removed' information are stored ?
please see also my considerations in [post27]
4) how files inside BML13 for /data and BL14 for /cache can be extracted ?
please see also my considerations in [post27]
5) what are MIBIB, QCSBL, OEMSBL, AMSS, EFS2, NVBACKUP, APPSBL, PARAM, FOTA partitions ?
6) why the kernel has a gzipped part in it ?

=======================================================================================
stepph said:
1) Root the phone AND the ADB daemon.
I used the SuperOneClick tool. It's easy.
Only remember to root the adb shell too, in order to be able to access it as superuser.
When you use the tool, SuperUser.apk is added to your ROM.
This tool makes a window appear every time an app needs root access, and you have a log.
Even if you reset the device, the rooting and SU will survive.
=======================================================================================
stepph said:
2) Add Essential APKs.
I installed RootExplorer and ES_FileManager in order to be able to navigate the filesystem.
With rooting, I can also mount /system as R/W... and RootExplorer also indicates the mountpoint of some folders...
Exploring the FS, I notice:
/system/apps - where the preloaded apks are. Some are system apps (unknown), some are apps that I have in the apps folder.
/cache - where temporary data are stored.
/data - where apps save info
=======================================================================================
... continue in [post 6]...

3x. Would you like to tell how you modify the recovery.img and boot.img?

dongbincpp said:
3x. Would you like to tell how you modify the recovery.img and boot.img?
Right now I'm studying that...
... reading "HOWTO: Unpack, Edit, and Re-Pack Boot Images".

stepph said:
3) Remove/Replace Stock applications.
So I managed to remove (and back up on SD and then on my PC) the unused apks
from /systems/apps/
Some APKs have an odex file (that is a way to speed up loading...) - for the unused ones it has to be removed too.
After a wipe - I noticed that the apks are DEFINITELY removed - WOW I deleted something from the ROM of my phone...
If I put the backup copy of the removed files back, they still work.
Instead, if I try to install them, some of them do not work anymore (why?)
I noticed the SuperUser apk too... so I tried to add different apks here, or change the old one with an updated version...
So when I wipe the phone I'll get it with what I want.
Sometimes it works, sometimes I get errors on startup, sometimes the device ignores the new apps (??)
=======================================================================================
stepph said:
4) Got a personalized Restore.
When I wipe the phone, widgets and links are the default ones... how can I modify this ??
I noticed that the Launcher data & options are stored inside the /data/ folder - inside a *.db file.
So I can save & restore what I set.
But I still do not understand where the settings are recorded on wipe...
=======================================================================================
... continue in [post 7]...

stepph said:
1) use of ADB and related tools.
Great ... it is like a shell working on my terminal...
I'm not so experienced with Linux commands, but I'll try.
I also use adb mask control, that has a GUI to rapidly do some operations.
So I pushed sqlite and a new version of busybox to my device.
stepph said:
2) backup copy of /system folder
Playing with mount and my adb shell, I found:
Code:
d rwx r-x r-x root root 2011-09-09 10:10 acct
d r-x --- --- root root 2011-09-09 10:10 config
d rwx r-x r-x root root 1970-01-01 01:00 lib
d rwx --- --- root root 2011-05-02 04:40 root
d rwx r-x --- root root 1970-01-01 01:00 sbin
d rwx rwx --x system system 2011-09-09 10:10 persist
d rwx r-x r-x root root 2011-09-09 10:12 dev mount from tmpfs
d r-x r-x r-x root root 1970-01-01 01:00 proc mount from proc
d rwx r-x r-x root root 1970-01-01 01:00 sys mount from sysfs
d rwx rwx --- system cache 2011-09-09 10:10 cache mount from /dev/stl14 (rfs)
d rwx rwx --x system system 2011-09-09 10:10 data mount from /dev/stl13 (rfs)
d rwx r-x r-x root root 2011-09-09 10:10 system mount from /dev/stl12 (rfs)
d rwx rwx r-x root system 2011-09-09 10:10 mnt
/mnt/asec ??
/mnt/sdcard ??
/mnt/secure ??
l rwx rwx rwx root root 2011-09-09 10:10 d link from /sys/kernel/debug
l rwx rwx rwx root root 2011-09-09 10:10 etc link from /system/etc
l rwx rwx rwx root root 2011-09-09 10:10 sdcard link from /mnt/sdcard
I simply made a backup of the files in / and of /system/ on my PC...
Since the other folders have 'strange' mountpoints... I left them apart for now.
stepph said:
3) dump of partitions.
I found this list with cat /proc/partitions:
Code:
major minor #blocks name
137 0 513024 bml0/c
137 1 1536 bml1
137 2 512 bml2
137 3 768 bml3
137 4 25600 bml4
137 5 9216 bml5
137 6 5120 bml6
137 7 2048 bml7
137 8 8192 bml8
137 9 8192 bml9
137 10 768 bml10
137 11 6144 bml11
137 12 222464 bml12
137 13 192768 bml13
137 14 29696 bml14
138 12 214784 stl12
138 13 185600 stl13
138 14 25856 stl14
179 0 1927168 mmcblk0
179 1 1926144 mmcblk0p1
So I started with cat /dev/bml0 >/sdcard/bml0.img
and so on for each BML up to 14.
Then I tried with STL... and I bricked my PHONE !!!
Reading around...
>>>> DO NOT TRY TO ACCESS STL5 <<<<
Now my phone is at service for repair - I hope they accept the warranty -
I'll continue my investigations on the BMLxx.img files...
=======================================================================================
... continue in [post 8] - without phone - ...

Now, I have the following dumped images:
Code:
0 513024 bml0/c
1 1536 bml1
2 512 bml2
3 768 bml3
4 25600 bml4
5 9216 bml5
6 5120 bml6
7 2048 bml7
8 8192 bml8
9 8192 bml9
10 768 bml10
11 6144 bml11
12 222464 bml12
13 192768 bml13
14 29696 bml14
An easy check proved to me that the first and biggest one is simply the join of the others... so first of all I looked for some indication about the partitioning of BML0, from which the others are derived.
With a hex editor, I found:
Code:
00081000h: AA 73 EE 55 DB BD 5E E3 03 00 00 00 0E 00 00 00 ªsîUÛ½^ã........
00081010h: 30 3A 4D 49 42 49 42 00 00 00 00 00 00 00 00 00 0:MIBIB.........
00081020h: 00 00 00 00 06 00 00 00 12 10 FF 00 30 3A 51 43 ..........ÿ.0:QC
00081030h: 53 42 4C 00 00 00 00 00 00 00 00 00 06 00 00 00 SBL.............
00081040h: 02 00 00 00 12 10 FF 00 30 3A 4F 45 4D 53 42 4C ......ÿ.0:OEMSBL
00081050h: 31 00 00 00 00 00 00 00 08 00 00 00 03 00 00 00 1...............
00081060h: 12 10 FF 00 30 3A 41 4D 53 53 00 00 00 00 00 00 ..ÿ.0:AMSS......
00081070h: 00 00 00 00 0B 00 00 00 64 00 00 00 12 10 FF 00 ........d.....ÿ.
00081080h: 30 3A 45 46 53 32 00 00 00 00 00 00 00 00 00 00 0:EFS2..........
00081090h: 6F 00 00 00 24 00 00 00 01 11 FF 00 30 3A 4E 56 o...$.....ÿ.0:NV
000810a0h: 42 41 43 4B 55 50 00 00 00 00 00 00 93 00 00 00 BACKUP......“...
000810b0h: 14 00 00 00 01 11 FF 00 30 3A 41 50 50 53 42 4C ......ÿ.0:APPSBL
000810c0h: 00 00 00 00 00 00 00 00 A7 00 00 00 08 00 00 00 ........§.......
000810d0h: 12 10 FF 00 30 3A 41 50 50 53 00 00 00 00 00 00 ..ÿ.0:APPS......
000810e0h: 00 00 00 00 AF 00 00 00 20 00 00 00 12 10 FF 00 ....¯... .....ÿ.
000810f0h: 30 3A 52 45 43 4F 56 45 52 59 00 00 00 00 00 00 0:RECOVERY......
00081100h: CF 00 00 00 20 00 00 00 12 10 FF 00 30 3A 50 41 Ï... .....ÿ.0:PA
00081110h: 52 41 4D 00 00 00 00 00 00 00 00 00 EF 00 00 00 RAM.........ï...
00081120h: 03 00 00 00 12 10 FF 00 30 3A 46 4F 54 41 00 00 ......ÿ.0:FOTA..
00081130h: 00 00 00 00 00 00 00 00 F2 00 00 00 18 00 00 00 ........ò.......
00081140h: 01 10 FF 00 30 3A 53 59 53 41 50 50 53 00 00 00 ..ÿ.0:SYSAPPS...
00081150h: 00 00 00 00 0A 01 00 00 65 03 00 00 01 11 FF 00 ........e.....ÿ.
00081160h: 30 3A 44 41 54 41 00 00 00 00 00 00 00 00 00 00 0:DATA..........
00081170h: 6F 04 00 00 F1 02 00 00 01 11 FF 00 30 3A 43 41 o...ñ.....ÿ.0:CA
00081180h: 43 48 45 00 00 00 00 00 00 00 00 00 60 07 00 00 CHE.........`...
00081190h: 74 00 00 00 01 11 FF 00 FF FF FF FF FF FF FF FF t.....ÿ.ÿÿÿÿÿÿÿÿ
i.e.
Code:
name      start     len       ??
MIBIB     00000000  00000600  12 10
QCSBL     00000600  00000200  12 10
OEMSBL    00000800  00000300  12 10
AMSS      00000B00  00006400  12 10
EFS2      00006F00  00002400  01 11
NVBACKUP  00009300  00001400  01 11
APPSBL    0000A700  00000800  12 10
APPS      0000AF00  00002000  12 10
RECOVERY  0000CF00  00002000  12 10
PARAM     0000EF00  00000300  12 10
FOTA      0000F200  00001800  01 10
SYSAPPS   00010A00  00036500  01 11
DATA      00046F00  0002F100  01 11
CACHE     00076000  00007400  01 11
That is not only the list of the partitions of BML0 into BML1..14, with the corresponding sizes, but also the name of each - they match what I read in some posts !!
Here there are also some binary tags for each BML; and adding a quick examination of the head of each file, I get the following table of preliminary info:
Code:
Disk         MB   KB       bytes        Name      flags  FSR_STL  note                          Start     Length
/dev/bml0:   525  513.024  525.336.576
/dev/bml1:   1    1.536    1.572.864    MIBIB     12 10                                         00000000  00000600
/dev/bml2:   0    512      524.288      QCSBL     12 10                                         00000600  00000200
/dev/bml3:   0    768      786.432      OEMSBL    12 10                                         00000800  00000300
/dev/bml4:   26   25.600   26.214.400   AMSS      12 10           ELF                           00000B00  00006400
/dev/bml5:   9    9.216    9.437.184    EFS2      01 11  X        dev/stl5 ! Careful!           00006F00  00002400
/dev/bml6:   5    5.120    5.242.880    NVBACKUP  01 11  X        dev/stl6 (empty)              00009300  00001400
/dev/bml7:   2    2.048    2.097.152    APPSBL    12 10           arm11boot ?                   0000A700  00000800
/dev/bml8:   8    8.192    8.388.608    APPS      12 10           ANDROID! - boot image         0000AF00  00002000
/dev/bml9:   8    8.192    8.388.608    RECOVERY  12 10           ANDROID! - recovery image     0000CF00  00002000
/dev/bml10:  1    768      786.432      PARAM     12 10                                         0000EF00  00000300
/dev/bml11:  6    6.144    6.291.456    FOTA      01 10           empty                         0000F200  00001800
/dev/bml12:  217  222.464  227.803.136  SYSAPPS   01 11  X        /dev/stl12 - /system (rfs)    00010A00  00036500
/dev/bml13:  197  192.768  197.394.432  DATA      01 11  X        /dev/stl13 - /data (rfs)      00046F00  0002F100
/dev/bml14:  30   29.696   30.408.704   CACHE     01 11  X        /dev/stl14 - /cache (rfs)     00076000  00007400
=======================================================================================
... continue in post 9 - without phone - ...
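
The table decoded in the post above can be parsed and cross-checked mechanically before a dump is trusted or reflashed. The Python below is an added example, not code from the thread: the 16+4+4+4-byte entry layout follows the poster's reading of the hex listing, and the 256 KB unit and the entry-to-bmlN mapping are assumptions inferred from the sizes in the post (length 6 for bml1 = 1536 KB).

```python
import struct

# Bytes 0x81000-0x81197 of the bml0 dump, copied from the hex listing in the post.
TABLE = bytes.fromhex("""
AA73EE55 DBBD5EE3 03000000 0E000000  303A4D49 42494200 00000000 00000000
00000000 06000000 1210FF00 303A5143  53424C00 00000000 00000000 06000000
02000000 1210FF00 303A4F45 4D53424C  31000000 00000000 08000000 03000000
1210FF00 303A414D 53530000 00000000  00000000 0B000000 64000000 1210FF00
303A4546 53320000 00000000 00000000  6F000000 24000000 0111FF00 303A4E56
4241434B 55500000 00000000 93000000  14000000 0111FF00 303A4150 5053424C
00000000 00000000 A7000000 08000000  1210FF00 303A4150 50530000 00000000
00000000 AF000000 20000000 1210FF00  303A5245 434F5645 52590000 00000000
CF000000 20000000 1210FF00 303A5041  52414D00 00000000 00000000 EF000000
03000000 1210FF00 303A464F 54410000  00000000 00000000 F2000000 18000000
0110FF00 303A5359 53415050 53000000  00000000 0A010000 65030000 0111FF00
303A4441 54410000 00000000 00000000  6F040000 F1020000 0111FF00 303A4341
43484500 00000000 00000000 60070000  74000000 0111FF00
""")

# bml1..bml14 sizes in 1 KB blocks, copied from the /proc/partitions listing in the post.
PROC_KB = [1536, 512, 768, 25600, 9216, 5120, 2048, 8192, 8192, 768,
           6144, 222464, 192768, 29696]
BML0_KB = 513024

MAGIC = bytes.fromhex("AA73EE55DBBD5EE3")  # first 8 bytes of the listing
HEADER = struct.Struct("<8sII")            # magic, dword (3 in the dump), entry count
ENTRY = struct.Struct("<16sII4s")          # name, start, length, 4 flag bytes
UNIT_KB = 256      # assumption: inferred from length 6 <-> bml1 = 1536 KB
MAX_ENTRIES = 32   # assumption: sanity bound so a corrupt count cannot drive the loop


def parse_table(blob):
    """Return the partition entries in blob, checking bounds before unpacking."""
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than table header")
    magic, _word, count = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("table magic not found")
    if count > MAX_ENTRIES or len(blob) < HEADER.size + count * ENTRY.size:
        raise ValueError("entry count exceeds available data")
    parts = []
    for i in range(count):
        raw, start, length, flags = ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)
        parts.append({
            "dev": "bml%d" % (i + 1),  # assumption: entry order matches bml numbering
            "name": raw.split(b"\0", 1)[0].decode("ascii", "replace"),
            "start": start,
            "length": length,
            "size_kb": length * UNIT_KB,
            "flags": flags.hex(),
        })
    return parts


def check_layout(parts, proc_kb, total_kb):
    """List every disagreement between the table and the kernel's view."""
    problems = []
    if len(parts) != len(proc_kb):
        problems.append("table has %d entries, kernel lists %d" % (len(parts), len(proc_kb)))
    cursor = 0
    for part, kb in zip(parts, proc_kb):
        if part["start"] != cursor:
            problems.append("%s: gap or overlap, expected start %d" % (part["name"], cursor))
        if part["size_kb"] != kb:
            problems.append("%s: table says %d KB, kernel says %d KB"
                            % (part["name"], part["size_kb"], kb))
        cursor = part["start"] + part["length"]
    if cursor * UNIT_KB != total_kb:
        problems.append("table covers %d KB, device is %d KB" % (cursor * UNIT_KB, total_kb))
    return problems


if __name__ == "__main__":
    table = parse_table(TABLE)
    for part in table:
        print("%-6s %-12s start=%5d len=%4d %7d KB flags=%s" % (
            part["dev"], part["name"], part["start"], part["length"],
            part["size_kb"], part["flags"]))
    print(check_layout(table, PROC_KB, BML0_KB) or "table matches /proc/partitions")
```

An empty list from `check_layout` means the table is contiguous and agrees with every size the kernel reported; any edited or truncated dump shows up as a named mismatch.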

First, I worked on BML12, that is the file related to the /system folder.
I read a lot of stuff about Samsung BML, STL, RFS, and so on...
My understanding is that BML is the layer of block level devices,
and STL is the 'file system like' layer on it. I read also that STL are FAT compatible, and that images can be opened with MagicISO.
So I found the signature MSWIN4.1 in the BML12.img file, cut the previous part (two bytes more) and I got a FAT-12 image.
MagicISO was able to extract these files.
I compared the extracted /system folder with the backup I made directly from the phone ... SURPRISE... the files I removed from ROM are there again !! Why this ??
On the other side I wonder where the other files in the original filesystem are...
The same technique on BML13 & BML14 for the /data and /cache partitions doesn't work at all -- why ?
=======================================================================================
... continue in post 12 - without phone - ...

stepph
wat ur doing here is great.
but didn u notice a few other mini threads here already..a few roms n cm7?
http://forum.xda-developers.com/showthread.php?t=1167750
http://forum.xda-developers.com/showthread.php?t=1176927
there are other threads too
---------- Post added at 02:01 PM ---------- Previous post was at 01:52 PM ----------
stepph said:
1.a) why some apk copied in /system/app/ does not work ? they do not appear in the apps list ...
I dont think u can install any app as a system, think u can only replace an already existing system app with another of ur wish by renaming the app correctly and replacing it in /system/app
1.b) why some apk removed from /system/app/ cannot be installed after the delete ?
u cannot install app as a system app. as said abv u can only replace them.
3) why bloatware removed from /system are present in the dumped BML12 ? where the 'they are removed' information are stored ?
maybe u need to remove them frm the dalvik-cache too
----edit------
clearly I have not played with my phone enough to be answering such questions.

roofrider said:
stepph wat ur doing here is great.
but didn u notice a few other mini threads here already..a few roms n cm7?
http://forum.xda-developers.com/showthread.php?t=1167750
http://forum.xda-developers.com/showthread.php?t=1176927
there are other threads too
Thank you for the links,
I noticed that already... but none of them talk about HOW it was made...
... I don't want a "download and install" work, but to explain to everybody what I do.
roofrider said:
I dont think u can install any app as a system, think u can only replace an already existing system app with another of ur wish by renaming the app correctly and replacing it in /system/app
u cannot install app as a system app. as said abv u can only replace them.
maybe u need to remove them frm the dalvik-cache too
Ok, it was what I thought about the 1st & 2nd points... I'll look for technical info about those 'system' apps.
About the 3rd, you may be right if it was about a running device; but I worked on dumped images, so the VM cache should not be involved... I'll investigate.

About Boot.img and Recovery.img
I tested this method on my dumped BML files, and on some downloaded ROMs.
In bootimg.h - from the Android SDK (so I suppose, but I found it in this forum)
Code:
#define BOOT_MAGIC "ANDROID!"
#define BOOT_MAGIC_SIZE 8
#define BOOT_NAME_SIZE 16
#define BOOT_ARGS_SIZE 512

struct boot_img_hdr
{
    unsigned char magic[BOOT_MAGIC_SIZE];
    unsigned kernel_size;   /* size in bytes */
    unsigned kernel_addr;   /* physical load addr */
    unsigned ramdisk_size;  /* size in bytes */
    unsigned ramdisk_addr;  /* physical load addr */
    unsigned second_size;   /* size in bytes */
    unsigned second_addr;   /* physical load addr */
    unsigned tags_addr;     /* physical addr for kernel tags */
    unsigned page_size;     /* flash page size we assume */
    unsigned unused[2];     /* future expansion: should be 0 */
    unsigned char name[BOOT_NAME_SIZE];    /* asciiz product name */
    unsigned char cmdline[BOOT_ARGS_SIZE];
    unsigned id[8];         /* timestamp / checksum / sha1 / etc */
};
/*
** +-----------------+
** | boot header     | 1 page
** +-----------------+
** | kernel          | n pages
** +-----------------+
** | ramdisk         | m pages
** +-----------------+
** | second stage    | o pages
** +-----------------+
**
** n = (kernel_size + page_size - 1) / page_size
** m = (ramdisk_size + page_size - 1) / page_size
** o = (second_size + page_size - 1) / page_size
**
** 0. all entities are page_size aligned in flash
** 1. kernel and ramdisk are required (size != 0)
** 2. second is optional (second_size == 0 -> no second)
** 3. load each element (kernel, ramdisk, second) at
**    the specified physical address (kernel_addr, etc)
** 4. prepare tags at tag_addr. kernel_args[] is
**    appended to the kernel commandline in the tags.
** 5. r0 = 0, r1 = MACHINE_TYPE, r2 = tags_addr
** 6. if second_size != 0: jump to second_addr
**    else: jump to kernel_addr
*/
So I opened my file, and found
Code:
414E4452 4F494421 C8F42E00 00806013 0E143000 00006014 00000000 00005014 00016013 00100000 00000000 ...
that is
Code:
00000000 struct BOOT_IMG_HDR
00000000 magic[8] ANDROID!
00000008 DWORD kernel_size 3077320
0000000C DWORD kernel_addr 325091328
00000010 DWORD ramdisk_size 3150862
00000014 DWORD ramdisk_addr 341835776
00000018 DWORD second_size 0
0000001C DWORD second_addr 340787200
00000020 DWORD tags_addr 325058816
00000024 DWORD page_size 4096
00000028 unused[2] 0
00000030 name[16] 0
00000040 cmdline[512] 0
00000240 id[8] xxxxxxx
So I calculate
Code:
n = (3077320 + 4096 - 1) / 4096 = 752
m = (3150862 + 4096 - 1) / 4096 = 770
o = (0 + 4096 - 1) / 4096 = 0
** +-----------------+
** | boot header | 1 page = 0 to 4095 (h00000FFF)
** +-----------------+
** | kernel | 752 pages = 4096 to 4096+752*4096 = 3084287 (h002F0FFF)
** +-----------------+
** | ramdisk | 770 pages = 3084288 to 3084288+770*4096 = 2378055679 (h8DBE3FFF)
** +-----------------+
So I split the file in 3 parts: header, kernel, and ramdisk.
NOTE: at offset 18825 (h4989) I found 1F 8F that is the head of a gzipped file..
so I split kernel into kernel.head and kernel.gz => decompressed into kernel.tail.
This worked, since in the decompressed part I found readable strings...
Ramdisk is ramdisk.cpio.gz, so I was able to decompress it and get the filesystem loaded on start.
There are many interesting files...
TASS.rle and TASS-HUI.rle (the original logo, and the logo for Italy - HUI is my region)
init and init.rc - and some other script files, that I saw in the root folder of my device
some folders with bins, and so on...
When I use this method with the dumped Recovery.img and the downloaded ClockWorkMod_recovery.img, I get it working...
So I'll investigate the differences in the ramdisk files of those...
=======================================================================================
... continued in [post 14] - without phone - ...

I'm neither an Android, nor a Linux expert but I'll try to answer your questions to the best of my knowledge:
1.a) why some apk copied in /system/app/ does not work ? they do not appear in the apps list ...
Some system apks don't have a registered activity (meaning they don't have a UI), so they won't appear in your launcher, also (and take this with a grain of salt), I've personally found that some of the apks placed in /system/app/ need to be installed too.
1.b) why some apk removed from /system/app/ cannot be installed after the delete ?
Dunno about this one, but I'd dare say that it has something to do with the extra files that are placed in other folders, What apps have you had this problem with?, maybe we can find out why they have that behavior
2) where in ROMS are stored the set up of the Launcher ? i.e. the widget and icons appearing after a wipe ?
If they're not wiped they have to be either in the system partition or in the SD
3) why bloatware removed from /system are present in the dumped BML12 ? where the 'they are removed' information are stored ?
Taken from the link you put on the BML mapping thread:
What you generally see is that BML partitions contain 'static' data (bootloaders, boot / recovery images) and STL partitions contain 'live' filesystem (on android: /system, /data, /cache, /efs, /dbdata). The idea is that things directly on an BML partition don't change very often and wear leveling isn't required. Read/write filesystems however, do benefit from wear leveling and are thus placed on an STL partition.
4) how files inside BML13 for /data and BL14 for /cache can be extracted ?
You'd have to find out the partition's filesystem, I believe it's a Samsung proprietary FS so you're out of luck with that one
5) what are MIBIB, QCSBL, OEMSBL, AMSS, EFS2, NVBACKUP, APPSBL, PARAM, FOTA partitions ?
Way above my paygrade!!
6) why the kernel has a gziped part in it ?
See 5

Great !!
Thank you Akath19 for your contribution....
I want to continue this discussion with details on some topics... if you or someone else is able to contribute.
-------------------------------------------------------------------------
1.a) why some apk copied in /system/app/ does not work ? they do not appear in the apps list ...
A : Some system apks don't have a registered activity (meaning they don't have a UI), so they won't appear in your launcher, also (and take this with a grain of salt), I've personally found that some of the apks placed in /system/app/ need to be installed too.
1.b) why some apk removed from /system/app/ cannot be installed after the delete ?
A: Dunno about this one, but I'd dare say that it has something to do with the extra files that are placed in other folders, What apps have you had this problem with?, maybe we can find out why they have that behavior
In /system/apps I find some different kinds of apps...
- those without an icon, not appearing in the 'GUI' (the app folder in the launcher) - I call them 'system type' and I do not touch them.
- apps with an icon, implementing important functions - gallery, phone, launcher, etc...
- Google Apps
- some other Samsung/provider apps
- some 'generic' apps - Analog clock, Dual clock, some widgets... (I think they are inserted as a demo of capabilities)
Many of those apps have a related .odex file.
REMOVING Apps - and restore them
I removed the apps that I do not need - and backed them up on my sdcard.
If I want to restore them, I can adb push them to their previous place, and this is the only method for odexed ones.
As an alternative to reinstalling I tried to do a 'normal' install for the apps without .odex ... this also means that they will be installed in /data/apps,
and they are moved from system STL12 to data STL13 - different partitions, with impact on free space)
This doesn't work for many of the apps - ??
ADDING Apps
I want to add some apps - in order to find them installed after a wipe.
This works with some apps, does not with others... some apps (TitaniumBackup) generate a force close on power on...
I suppose that apps in system/apps have to be different from those in /data/apps...
-------------------------------------------------------------------------
2) where in ROMS are stored the set up of the Launcher ? i.e. the widget and icons appearing after a wipe ?
A: If they're not wiped they have to be either in the system partition or in the SD
They are indeed wiped... so the info is written in /data/data/(somefolder)...
But the preloaded info - that appearing after a wipe - where is it ?
I suppose that a wipe completely erases /data and does not preload its contents... or is a part of /data restored after a wipe ? how ??
-------------------------------------------------------------------------
3) why bloatware removed from /system are present in the dumped BML12 ? where the 'they are removed' information are stored ?
a: Taken from the link you put on the BML mapping thread:
What you generally see is that BML partitions contain 'static' data (bootloaders, boot / recovery images) and STL partitions contain 'live' filesystem (on android: /system, /data, /cache, /efs, /dbdata). The idea is that things directly on an BML partition don't change very often and wear leveling isn't required. Read/write filesystems however, do benefit from wear leveling and are thus placed on an STL partition.
This is the description of the 'driver level' used to access the physical chip...
STL is a layer on top of BML, adding wear leveling services, enabling secure r/w of bits...
I understand that the STL dump is contained in a BML dump.
This doesn't explain why the apps I removed are still present in the dump
(unless I made a mistake, and dumped before removing ??)
-------------------------------------------------------------------------
4) how files inside BML13 for /data and BL14 for /cache can be extracted ?
A: You'd have to find out the partition's filesystem, I believe it's a Samsung proprietary FS so you're out of luck with that one
You are right... unless we find the source of RFS, in order to compile it for Linux, the only way I have to correctly mount it is on my device - which supports RFS.
RFS is reported to be FAT compatible, in fact I was able to extract files from BML12 - after some editing - with MagicISO. I suppose that this SW reads it as a FAT12 partition - or at least, I found a valid FAT12 header.
This method does not work with BML13 and BML14, that seem to have many FAT12 sections in them - but each unreadable.
-------------------------------------------------------------------------
... continue in [post 24] - with Doc_cheilvenerdi.org great contribution

No worries man, I'm also really interested in learning and this is a much better way than just downloading and flashing files.
Anyways, on to the discussion:
stepph said:
REMOVING Apps - and restore them
I removed the apps that I do not need - and backed them up on my sdcard.
If I want to restore them, I can adb push them to their previous place, and this is the only method for odexed ones.
As an alternative to reinstalling I tried to do a 'normal' install for the apps without .odex ... this also means that they will be installed in /data/apps,
and they are moved from system STL12 to data STL13 - different partitions, with impact on free space)
This doesn't work for many of the apps - ??
Well if the apps are odexed, they won't work (not even if you install them), 'cause you'd need to deodex them first before trying to install them (learned this the hard way while theming my stock Phone.apk)
For the other apps I guess trying on a case by case basis would be the answer, give me a list of the apps that don't work I'll try to figure out why.
stepph said:
ADDING Apps
I want to add some apps - in order to find them installed after a wipe.
This works with some apps, does not with others... some apps (TitaniumBackup) generate a force close on power on...
I suppose that apps in system/apps have to be different from those in /data/apps...
Personally I don't use TB, I think manually saving apks and configs works better, also I've heard numerous horror stories regarding TB.
What I do in order to keep stuff after a wipe is, I make a small CWM flashable zip that has all the info that I want to keep, and I just flash it after wiping.
stepph said:
They are indeed wiped... so the info is written in /data/data/(somefolder)...
But the preloaded info - that appearing after a wipe - where is it ?
I suppose that a wipe completely erases /data and does not preload its contents... or is a part of /data restored after a wipe ? how ??
I don't exactly know if this is true but I'd dare say some settings are saved inside the apk itself, so that the user has some "default" settings ready available
Also, no part of /data/ is restored after a wipe.
stepph said:
This is the description of the 'driver level' used to access the physical chip...
STL is a layer on top of BML, adding wear leveling services, enabling secure r/w of bits...
I understand that the STL dump is contained in a BML dump.
This doesn't explain why the apps I removed are still present in the dump
(unless I made a mistake, and dumped before removing ??)
I guess this question would need someone extremely knowledgeable about the underlying subsystem (someone like Darky), but IMHO the phone must copy the STL contents into BML every certain amount of time or something like that.
stepph said:
You are right... unless we find the source of RFS, in order to compile it for Linux, the only way I have to correctly mount it is on my device - which supports RFS.
RFS is reported to be FAT compatible, in fact I was able to extract files from BML12 - after some editing - with MagicISO. I suppose that this SW reads it as a FAT12 partition - or at least, I found a valid FAT12 header.
This method does not work with BML13 and BML14, that seem to have many FAT12 sections in them - but each unreadable.
If the partitions have a true RFS FS you could just mount them as a loopback device, that's what I did in order to check the contents of BML5, if there are multiple partitions I guess you would need to find the start and end of each and split them in order to read them

This is really what I expected from this thread !!
Akath19 said:
For the other apps I guess trying on a case by case basis would be the answer, give me a list of the apps that don't work I'll try to figure out why.
I'll post the list of the removed apps... but you need to wait for it since I'm without the phone and - don't ask too much of my memory - I have to re-check the ones loading.
Akath19 said:
What I do in order to keep stuff after a wipe is, I make a small CWM flashable zip that has all the info that I want to keep, and I just flash it after wiping.
Good ... else - i do not want to use CWM - i was unable to prepare update.zip for original recovery. This could be another discussion...
Akath19 said:
I don't exactly know if this is true but I'd dare say some settings are saved inside the apk itself, so that the user has some "default" settings ready available
Also, no part of /data/ is restored after a wipe.
this is also my guess.
-->> and now the important part... <<---
Akath19 said:
I guess this question would need someone extremely knowledgeable about the underlying subsystem (someone like Darky), but IMHO the phone must copy the STL contents into BML every certain amount of time or something like that.
If the partitions have a true RFS FS you could just mount them as a loopback device, that's what I did in order to check the contents of BML5, if there are multiple partitions I guess you would need to find the start and end of each and split them in order to read them
I tried mounting with loopback - my experiments are slowly migrating to linux - but it works only for STL12 /system. It doesn't work for the others, nor for the split parts - they result in unreadable files with unreadable filenames.
It doesn't work even with bml5 ... but I probably have a corrupted dump, since after that - by reading STL5 - the phone is gone...

Have you gotten your phone back yet stepph, 'cause I'm eager to start tinkering with our phones but I can't do it alone!!

I got it yesterday... with a russian gingerbread FW (who knows where it was downloaded ), but without radio FW, and shutting down every minute...
... The guy of the service was not so able... and he doesn't work with 'official' FW... I have to take the phone back to him - for warranty at least.
I'm tempted to do it by myself - but if EFS is gone ?
Meanwhile, i'm working with androidx86 - a porting for PC - on a virtual machine... it seems great for testing some mods on /system - but kernel, executables, and libraries are recompiled...
And I'm trying revskill - in order to understand AMSS - the free version seems good... but is limited...
If I get some new results, I'll post them...
(interested in matlab scripts for coding/decoding RLE logos ?)

Download the official Euro FW via checkfusdownloader and flash it through ODIN, those FWs come directly from Samsung servers so you shouldn't have a problem.
I checked out that port but I didn't quite like it (too slow for my taste).
What's revskill (forgive my ignorance)
Meanwhile I'm looking into porting voodoo kernel (from SGS) into our minis, mainly to get better audio support through voodoo sound.
(Ewww, I hate matlab!!)

Akath19 said:
Download the official Euro FW via checkfusdownloader and flash it through ODIN, those FWs come directly from Samsung servers so you shouldn't have a problem.
just tried... ODIN reported success, but now the phone doesn't boot anymore...

Related

We need the official AT&T Tilt 2 rom dump.

Can someone please, when you can..post the at&t tilt 2 rom so that any of us who should need to go back to it for various reasons can do so!
Thank You very much!!!
If there is a fairly quick & easy way to dump it, I'd be happy to. My Tilt 2 should be arriving tomorrow afternoon (EST). I'd like to get an EnergyROM on it as soon as possible, but I'd be willing to take the time to dump the stock ROM if someone could point me to the tools to do so.
ROM dump & ril
Complete dump is here Thanks & credits to herg62123.
EDIT: removed extracted ril, does not seem to work with 4.47 radio
This appears to be the Fuze ROM? Are you sure you copied the right link?
I got my Tilt 2 2 days ago, I can dump it, but I have no idea how to do that.
I should have extracted mine, but I figured you party people would be on the ball already... oh well
I can't wait for it to be available to the chefs though cause I can't use my PTT button right now, and the contacts app isn't as nice as the one that was on the Tilt 2 stock (on the 6.5 manila 2.1 Rom from NRG)
beufford12 said:
This appears to be the Fuze ROM? Are you sure you copied the right link?
Yes it's the full Tilt2 dump. I extracted Rhodium OEM drivers, the 4.47.25.24 radio and some other stuff. This dump is strictly for those with WVGA, clearly won't run on the Fuze as is. It's 400 MB since the original NBH is included.
How can the ROM be extracted from the phone?
Just got my Tilt2 today and noticed that the shipped ROM is build 21849.5.0.63. I believe the one posted above is perhaps a slightly earlier build.
Anyone know of a resource that has dumped the AT&T official ROM? I think I am like some others where I am a little gun-shy to flash unless I have an AT&T one to fallback on in case I need to do a warranty exchange.
l3it3r said:
I can't wait for it to be available to the chefs though cause I can't use my PTT button right now
ae button plus finds the ptt button. You won't have the at&t ptt service obviously, but it allows you to map it to whatever you'd like
I can confirm the build is 21849.5.0.63
I have extracted the ROM following the steps at http://forum.xda-developers.com/showthread.php?t=501871
Code:
\itsutilsbin-20090515>pdocread.exe -l
461.75M (0x1cdc0000) FLASHDR
| 3.12M (0x31f000) Part00
| 4.75M (0x4c0000) Part01
| 226.75M (0xe2c0000) Part02
| 227.13M (0xe320000) Part03
7.42G (0x1db000000) DSK7:
| 7.42G (0x1dac00000) Part00
STRG handles:
handle#0 0ffa9b5e 7.42G (0x1dac00000)
handle#1 2fe19f0a 227.13M (0xe320000)
handle#2 cff4c8de 226.75M (0xe2c0000)
handle#3 cff4c8ba 4.75M (0x4c0000)
handle#4 6ff4c792 3.12M (0x31f000)
disk 0ffa9b5e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 2fe19f0a
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk cff4c8de
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk cff4c8ba
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 6ff4c792
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
itsutilsbin-20090515>pdocread -w -d FLASHDR -b 0x800 -p Part00 0 0x31f000 Part00.raw
CopyTFFSToFile(0x0, 0x31f000, Part00.raw)
itsutilsbin-20090515>pdocread -w -d FLASHDR -b 0x800 -p Part01 0 0x380000 Part01.raw
CopyTFFSToFile(0x0, 0x380000, Part01.raw)
itsutilsbin-20090515>pdocread -w -d FLASHDR -b 0x800 -p Part02 0 0x4560000 Part02.raw
CopyTFFSToFile(0x0, 0x4560000, Part02.raw)
itsutilsbin-20090515>pdocread -w -d FLASHDR -b 0x800 -p Part03 0 0x8660000 Part03.raw
CopyTFFSToFile(0x0, 0x8660000, Part03.raw)
itsutilsbin-20090515>pmemdump 0x9a000000 0x80000 spl.nb
CopyProcessMemoryToFile(00000042, 9a000000, 00080000, spl.nb)
The extracted files are sized:
Part00 3,196 KB
Part01 3584 KB
Part02 74,040 KB
Part03 137,600 KB
spl 512KB
I just want to make sure this is OK as these raw files are smaller than how big it says at the top.
I have 7-zipped the files and am sending the 112MB file to my Dropbox right now, it will take about 40 minutes to finish.
I may update this topic with the link once it is done, anyone interested please feel free to message me.
Here are the raw files:
Part00.raw
Part01.raw
Part02.raw
Part03.raw
spl.nb
It is Ultra compressed with 7-zip and available at:
::edit::
Link removed, I think I screwed up the offsets of the dump. I was wondering why the part 2 was so small.....
digitalmatrixio said:
Here are the raw files:
Part00.raw
Part01.raw
Part02.raw
Part03.raw
spl.nb
It is Ultra compressed with 7-zip and available at:
http://dl.getdropbox.com/u/62596/ATT TILT 2 ROM DUMP.7z
Thanks! Now the trick is to recompile into a flashable nbh file...I found a tutorial on this and will possibly try my hand at it...
pinoymutt said:
Thanks! Now the trick is to recompile into a flashable nbh file...I found a tutorial on this and will possibly try my hand at it...
if you look on the first page you'll see the link to where herg provides a dumped tilt2 rom. it already has the .nbh. i've downloaded it myself
noggind614 said:
if you look on the first page you'll see the link to where herg provides a dumped tilt2 rom. it already has the .nbh. i've downloaded it myself
The dump from Herg is build 21839 the shipped ATT build is 21849.
I am not having any luck with any of the kitchens converting the files to NBH. Maybe I'll have more luck after a good night's sleep.
digitalmatrixio said:
The dump from Herg is build 21839 the shipped ATT build is 21849.
I am not having any luck with any of the kitchens converting the files to NBH. Maybe I'll have more luck after a good night's sleep.
This is the tutorial I was reading through, not sure if you used the same one?
http://forum.xda-developers.com/showthread.php?t=560519
Keyboard
Can anyone verify that the keyboard layout is the same as the HTC original or will there be a need for a keyboard fix like the T-Mobs TP2 ?
mystikal87 said:
Can anyone verify that the keyboard layout is the same as the HTC original or will there be a need for a keyboard fix like the T-Mobs TP2 ?
will need a fix
I just tried building the nbh file and didn't have much success. Anyone else care to try?
ATT HTC Tilt 2 Keyboard
The keyboard is different. Here is a picture of it I snapped with my Fuze.

why is 52bytes?

I have searched a lot of threads which write "busybox dd if=/system/framework/xxxx.odex of=/data/local/tmp/odex/xxx.odex bs=1 count=20 skip=52 seek=52 conv=notrunc". According to the http://source.android.com document (odex/dex format), the signature doesn't start at 0x34!
Why? How is 52 bytes (0x34) calculated? THX
According to the dex/odex format ( http://source.android.com ), the signature should start at 0x0c, not 0x34, so skip=52 seek=52 should be skip=12 seek=12. But lots of threads write 52 bytes, so I don't understand.
quywz said:
I have searched a lot of threads which write "busybox dd if=/system/framework/xxxx.odex of=/data/local/tmp/odex/xxx.odex bs=1 count=20 skip=52 seek=52 conv=notrunc". According to the http://source.android.com document (odex/dex format), the signature doesn't start at 0x34!
Why? How is 52 bytes (0x34) calculated? THX
Did I understand you right that you want to know how 0x34 can be 52? Well, it's a hexadecimal number. Strike the '0x'(not part of the number) out and you have '34'. Hexadecimal is base 16, so it's:
4*16^0=4 and 3*16^1=48, together it makes 52.
dark_knight35 said:
Did I understand you right that you want to know how 0x34 can be 52? Well, it's a hexadecimal number. Strike the '0x'(not part of the number) out and you have '34'. Hexadecimal is base 16, so it's:
4*16^0=4 and 3*16^1=48, together it makes 52.
No, according to the dex/odex format ( http://source.android.com ), the signature should start at 0x0c, not 0x34, so skip=52 seek=52 should be skip=12 seek=12. But lots of threads write 52 bytes, so I don't understand.
quywz said:
I have searched a lot of threads which write "busybox dd if=/system/framework/xxxx.odex of=/data/local/tmp/odex/xxx.odex bs=1 count=20 skip=52 seek=52 conv=notrunc". According to the http://source.android.com document (odex/dex format), the signature doesn't start at 0x34!
Why? How is 52 bytes (0x34) calculated? THX
According to the dex/odex format ( http://source.android.com ), the signature should start at 0x0c, not 0x34, so skip=52 seek=52 should be skip=12 seek=12. But lots of threads write 52 bytes, so I don't understand.
Indeed, this is an interesting question. With the 8 "magic" bytes and the 4 bytes of the checksum, the signature should begin at 12 (0x0c), not 52.
Maybe this is related to the .odex format. I was only able to find documentation for the .dex format, and maybe the optimization process adds 40 bytes at the beginning of the file. I'll try to look into the source code, but if someone has the answer, I'll be glad to hear it as well.
EDIT : Found in libdex/DexFile.h
Code:
/*
 * Header added by DEX optimization pass. Values are always written in
 * local byte and structure padding. The first field (magic + version)
 * is guaranteed to be present and directly readable for all expected
 * compiler configurations; the rest is version-dependent.
 *
 * Try to keep this simple and fixed-size.
 */
struct DexOptHeader {
    u1  magic[8];       /* includes version number */
    u4  dexOffset;      /* file offset of DEX header */
    u4  dexLength;
    u4  depsOffset;     /* offset of optimized DEX dependency table */
    u4  depsLength;
    u4  optOffset;      /* file offset of optimized data tables */
    u4  optLength;
    u4  flags;          /* some info flags */
    u4  checksum;       /* adler32 checksum covering deps/opt */
    /* pad for 64-bit alignment if necessary */
};
This additional header for optimized .dex files (.odex) is indeed 40 bytes-long.
Einril said:
Indeed, this is an interesting question. With the 8 "magic" bytes and the 4 bytes of the checksum, the signature should begin at 12 (0x0c), not 52.
Maybe this is related to the .odex format. I was only able to find documentation for the .dex format, and maybe the optimization process adds 40 bytes at the beginning of the file. I'll try to look into the source code, but if someone has the answer, I'll be glad to hear it as well.
EDIT : Found in libdex/DexFile.h
Code:
/*
 * Header added by DEX optimization pass. Values are always written in
 * local byte and structure padding. The first field (magic + version)
 * is guaranteed to be present and directly readable for all expected
 * compiler configurations; the rest is version-dependent.
 *
 * Try to keep this simple and fixed-size.
 */
struct DexOptHeader {
    u1  magic[8];       /* includes version number */
    u4  dexOffset;      /* file offset of DEX header */
    u4  dexLength;
    u4  depsOffset;     /* offset of optimized DEX dependency table */
    u4  depsLength;
    u4  optOffset;      /* file offset of optimized data tables */
    u4  optLength;
    u4  flags;          /* some info flags */
    u4  checksum;       /* adler32 checksum covering deps/opt */
    /* pad for 64-bit alignment if necessary */
};
This additional header for optimized .dex files (.odex) is indeed 40 bytes-long.
struct DexOptHeader is 40 bytes long, but it already includes magic + checksum. Pls look at dexOffset, which is the file offset of the DEX header, and depsOffset, which is the offset of the optimized DEX dependency table. So, maybe the pos of the signature is magic + checksum + dexOffset + depsOffset. Right?
Maybe dexOffset and depsOffset have different values depending on the device model.
I copied a 40-byte header from classes.dex (836KB).
Code:
64 65 78 0a 30 33 35 00 a1 f6 7a 1b e6 a3 fb 35
5b d5 66 72 b8 33 36 3a 40 a1 4b ea 40 2f d3 fc
58 0e 0d 00 70 00 00 00
But in the Dalvik Executable Format document, the dex header is 112 bytes.
According to struct DexOptHeader, checksum = 0x70. dexOffset is so large! depsOffset is large too!
DexOptHeader seems unused.
quywz said:
I copied a 40-byte header from classes.dex (836KB).
Code:
64 65 78 0a 30 33 35 00 a1 f6 7a 1b e6 a3 fb 35
5b d5 66 72 b8 33 36 3a 40 a1 4b ea 40 2f d3 fc
58 0e 0d 00 70 00 00 00
But in the Dalvik Executable Format document, the dex header is 112 bytes.
According to struct DexOptHeader, checksum = 0x70. dexOffset is so large! depsOffset is large too!
DexOptHeader seems unused.
Actually, you're looking at a .dex file header, not a .odex file header, so I'm not sure what you're looking for. Here there is no dexOffset, nor depsOffset, and the checksum is "a1 f6 7a 1b".
For the magic bytes + checksum, maybe these are redundant, and the optimization process only adds a 40-byte header without altering the old one.
To be sure, we would need to look into a .odex file header.
EDIT : Here are the 0x40 first bytes of systemUI.odex
Code:
000000 64 65 79 0A 30 33 36 00 28 00 00 00 58 57 09 00
000010 80 57 09 00 C0 02 00 00 40 5A 09 00 38 16 01 00
000020 00 00 00 00 A2 E1 D9 FA 64 65 78 0A 30 33 35 00
000030 E9 5F F1 ED B3 06 98 D7 80 5D 7D EF 63 7B D7 23
000040 5D 79 05 67 EF 1B 35 E7 58 57 09 00 70 00 00 00
We can see that there are indeed two sets of magic bytes, one beginning at 0 (the .odex magic bytes), and one beginning at 40 bytes (the .dex magic bytes).
As a side note, dexOffset is indeed 0x28 (40).
Einril said:
Actually, you're looking at a .dex file header, not a .odex file header, so I'm not sure what you're looking for. Here there is no dexOffset, nor depsOffset, and the checksum is "a1 f6 7a 1b".
For the magic bytes + checksum, maybe these are redundant, and the optimization process only adds a 40-byte header without altering the old one.
To be sure, we would need to look into a .odex file header.
EDIT : Here are the 0x40 first bytes of systemUI.odex
Code:
000000 64 65 79 0A 30 33 36 00 28 00 00 00 58 57 09 00
000010 80 57 09 00 C0 02 00 00 40 5A 09 00 38 16 01 00
000020 00 00 00 00 A2 E1 D9 FA 64 65 78 0A 30 33 35 00
000030 E9 5F F1 ED B3 06 98 D7 80 5D 7D EF 63 7B D7 23
000040 5D 79 05 67 EF 1B 35 E7 58 57 09 00 70 00 00 00
We can see that there are indeed two sets of magic bytes, one beginning at 0 (the .odex magic bytes), and one beginning at 40 bytes (the .dex magic bytes).
As a side note, dexOffset is indeed 0x28 (40).
Right.
Thanks for your libdex/DexFile.h.
Pls take note that dexOffset is the file offset of the DEX header. Referring to the original android.policy.odex, I guess the odex header format is DexOptHeader + dex's Header. Now, the signature pos is dexOffset + magic (dex's magic) + checksum (dex's checksum). Viewing the original android.policy.odex, we will find the dexOffset value is 0x28. So signature = 0x28 + 0x8 + 0x4 = 0x34
quywz said:
Right.
Thanks for your libdex/DexFile.h.
Pls take note that dexOffset is the file offset of the DEX header. Referring to the original android.policy.odex, I guess the odex header format is DexOptHeader + dex's Header. Now, the signature pos is dexOffset + magic (dex's magic) + checksum (dex's checksum). Viewing the original android.policy.odex, we will find the dexOffset value is 0x28. So signature = 0x28 + 0x8 + 0x4 = 0x34
Exactly. When optimizing a .dex file, the process adds the DexOptHeader at the beginning of the file. Thus, the resulting header is DexOptHeader + DexHeader (DexHeader beginning at 0x28), and the new position of the signature is 0x34 = 52 bytes
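The offset arithmetic settled in the exchange above (dexOffset + 8 magic bytes + 4 checksum bytes), as an added example that is not part of any post in the thread: a parser that reads dexOffset from the DexOptHeader instead of hard-coding 52, run on the two header dumps quoted in the thread. The function name `locate_signature` and the little-endian field order are assumptions of this example.

```python
import struct

# DexOptHeader as quoted from libdex/DexFile.h: magic[8] + eight u4 fields.
# Assumption: little-endian fields, which is what the systemUI.odex dump shows.
DEX_OPT_HEADER = struct.Struct("<8s8I")          # 40 bytes
# Leading DEX header fields: magic[8], checksum, signature[20],
# file_size, header_size.
DEX_HEADER_HEAD = struct.Struct("<8sI20sII")     # 40 bytes

# First 0x50 bytes of systemUI.odex, copied from the hex dump in the thread.
SYSTEMUI_ODEX_HEAD = bytes.fromhex(
    "64 65 79 0A 30 33 36 00 28 00 00 00 58 57 09 00 "
    "80 57 09 00 C0 02 00 00 40 5A 09 00 38 16 01 00 "
    "00 00 00 00 A2 E1 D9 FA 64 65 78 0A 30 33 35 00 "
    "E9 5F F1 ED B3 06 98 D7 80 5D 7D EF 63 7B D7 23 "
    "5D 79 05 67 EF 1B 35 E7 58 57 09 00 70 00 00 00"
)
# The 40 header bytes of classes.dex posted in the thread.
CLASSES_DEX_HEAD = bytes.fromhex(
    "64 65 78 0a 30 33 35 00 a1 f6 7a 1b e6 a3 fb 35 "
    "5b d5 66 72 b8 33 36 3a 40 a1 4b ea 40 2f d3 fc "
    "58 0e 0d 00 70 00 00 00"
)


def locate_signature(buf):
    """Locate the 20-byte signature field of a .dex or .odex image.

    Returns a dict of parsed fields. Raises ValueError on an unknown magic,
    truncated input, or a dexOffset that cannot be valid.
    """
    if len(buf) < 8:
        raise ValueError("need at least the 8 magic bytes")
    info = {"kind": None, "dex_offset": 0}

    if buf[:4] == b"dey\n":                      # optimized DEX (.odex)
        if len(buf) < DEX_OPT_HEADER.size:
            raise ValueError("truncated DexOptHeader")
        (_magic, dex_off, dex_len, deps_off, deps_len,
         opt_off, opt_len, flags, opt_sum) = DEX_OPT_HEADER.unpack_from(buf, 0)
        if dex_off < DEX_OPT_HEADER.size:
            raise ValueError("dexOffset 0x%x lies inside DexOptHeader" % dex_off)
        info.update(kind="odex", dex_offset=dex_off, dex_length=dex_len,
                    deps_offset=deps_off, deps_length=deps_len,
                    opt_offset=opt_off, opt_length=opt_len,
                    flags=flags, opt_checksum=opt_sum)
    elif buf[:4] == b"dex\n":                    # plain DEX, header at offset 0
        info["kind"] = "dex"
    else:
        raise ValueError("not a dex/odex image: %r" % buf[:8])

    base = info["dex_offset"]
    if len(buf) < base + DEX_HEADER_HEAD.size:
        raise ValueError("truncated DEX header at 0x%x" % base)
    magic, checksum, signature, file_size, header_size = \
        DEX_HEADER_HEAD.unpack_from(buf, base)
    if magic[:4] != b"dex\n":
        raise ValueError("no DEX magic at dexOffset 0x%x" % base)

    info.update(
        sig_offset=base + 8 + 4,                 # dexOffset + magic + checksum
        signature=signature.hex(),
        dex_checksum=checksum,
        file_size=file_size,
        header_size=header_size,
    )
    if info["kind"] == "odex":
        # In the thread's dump, dexLength equals the DEX header's file_size.
        info["length_consistent"] = (file_size == info["dex_length"])
    return info


if __name__ == "__main__":
    for name, blob in (("systemUI.odex", SYSTEMUI_ODEX_HEAD),
                       ("classes.dex", CLASSES_DEX_HEAD)):
        i = locate_signature(blob)
        print("%-14s kind=%-4s dexOffset=0x%02x signature at %d (0x%02x): %s"
              % (name, i["kind"], i["dex_offset"], i["sig_offset"],
                 i["sig_offset"], i["signature"]))
```

For the plain classes.dex header the signature sits at 12 (0x0c), as the format document says; for the .odex it sits at 52 only because dexOffset is 0x28 in that file.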
Einril said:
Exactly. When optimizing a .dex file, the process adds the DexOptHeader at the beginning of the file. Thus, the resulting header is DexOptHeader + DexHeader (DexHeader beginning at 0x28), and the new position of the signature is 0x34 = 52 bytes
THX.
Next topic. If you have time, pls help http://forum.xda-developers.com/showthread.php?p=41254960#post41254960 :)
dark_knight35 said:
Did I understand you right that you want to know how 0x34 can be 52? Well, it's a hexadecimal number. Strike the '0x'(not part of the number) out and you have '34'. Hexadecimal is base 16, so it's:
4*16^0=4 and 3*16^1=48, together it makes 52.
If you have time, pls help http://forum.xda-developers.com/show...#post41254960 :)
thx.

[Q] How to unbrick? (Stuck at S/W update mode)

A little while ago, I had problems with my phone not reading the SIM. When I tried to flash the stock firmware, the application crashed, resulting in a (hopefully) softbricked phone. I tried these methods trying to get it back to life:
http://forum.xda-developers.com/showthread.php?t=1843830 (post 4)
http://forum.xda-developers.com/showthread.php?t=2069723
And I also tried the LG R&D test tool to flash the kdz (I can't find the corresponding thread right now).
I've tried all of these methods on Win7 x64, Vista x64 and XP 32bit. They all did the same thing: they got stuck at wParam=2010 Iparam=210, so I think the phone is the problem and not the computers.
I was running CM11 with an unlocked bootloader. I can turn the phone on (and not off) but I can't get it out of the update mode. I can still update the phone until wParam=2010 Iparam=210, when it gets stuck. (I also tried waiting about an hour, nothing happened). As far as I know the phone is not a developer edition.
My question is, what do I try next?
Beunhof said:
I was running CM11 with an unlocked bootloader. I can turn the phone on (and not off) but I can't get it out of the update mode. I can still update the phone until wParam=2010 Iparam=210, when it gets stuck. (I also tried waiting about an hour, nothing happened). As far as I know the phone is not a developer edition.
Hello, and good day,
I have the same problem as you,
I also tried several guides ranging from installing KDZ files, through adb consoles and with a program (unfortunately I've forgotten the name) that caused the LG software to detect the KDZ files as an update for the phone, like it was from their servers, so it was 'installed in an original way'.
But whatever, none of them worked.
Also, very important, mine gets also stuck on wParam=2010 Iparam=210,
I took the phone to a service store, where they repair cellphones through "boxes", but without success, they just mentioned that it would get stuck every time at 15-25% of the installation process.
My Optimus 4X HD status is: can only access the S/W Update screen, or, if I turn the phone On it just shows and gets stuck on the LG logo.
It has no OS or recovery...
:crying:
Edit: I forgot to mention, I tried on Win 7 x64, x32 and on Win XP sp3 x32. So obviously the problem is on the phone.
Sounds like we have the same problem, except my phone doesn't show the boot logo at all, it instantly jumps to S/W mode when I turn it on.
After some searching, I found 3 methods I haven't tried yet:
http://forum.xda-developers.com/showthread.php?t=2475045
http://forum.xda-developers.com/showthread.php?t=2085344
http://forum.xda-developers.com/showthread.php?t=2797190
When I get back from work I'll give these a try, I will report back with results.
Does anyone have more suggestions or ideas? Should I contact LG for a fix?
Beunhof said:
After some searching, I found 3 methods I haven't tried yet:
http://forum.xda-developers.com/showthread.php?t=2475045
http://forum.xda-developers.com/showthread.php?t=2085344
http://forum.xda-developers.com/showthread.php?t=2797190
Does anyone have more suggestions or ideas? Should I contact LG for a fix?
Hello again, I checked the three methods listed above,
i didn't like the first two really, but the third one got me so I'm doing it.
This is what I did and the result (on Win XP sp3 x32)
- Downloaded a fresh P880 V20A_00.kdz
- Downloaded and Installed fresh LGUnitedMobileDriver_S50MAN311AP22_ML_WHQL_Ver_3.11.3.exe
- During the drivers Installation, XP asked me to download and install this WMFDist11-WindowsXP-X86-ENU.exe (as supposedly I needed an mtp 11 runtime whatever). All good.
- Downloaded the LG Flash Tool 2014 from the guide, and moved the .kdz into that folder.
- Opened the program following the instructions on the post and started flashing my Optimus 4X with that Tool using CSE Flash.
- The second window named LG Mobile Support Tool that popped up started the process and had 4 modules
On the third module, the program started the Installation of the firmware on my device, on the S/W Update screen, after a while it reached 10%
Well.... it's been on 10% of the Installation progress for 43 minutes now (even while writing this response...).
The phone is perfectly recognized by the PC, I just don't get why it won't progress!....
Thanks tho, that LG Tool 2014 seemed really helpful. But still bricked.
Status:
After several investigations, I've also tried the following:
- Using P880_HK_V20B_00.kdz version, didn't work.
- Flashing thru kdz-update UpTestEX_mod2_marwin.exe, didn't work.
- Once LGMobile Support Tool is open, on the Tab "Additional Characteristics" I clicked on Recovery from Update Error.
The Tool asked for the Model & Serial Number of my device, which I entered and after the program tried to connect to the phone, said that it couldn't connect to the device.
I'm now totally sure that the problem is somewhere between the communication of the Computer and the P880, because:
Either KDZ-Update or LG Mobile Support Tool always gets stuck at what seems the 10% of the process.
Any method of flashing the device gets stuck and asks to remove battery and disconnect the usb, then replace and reconnect (an attempt to re-enable connection IMO)
Changing USB port on the PC always 'reinstalls' the drivers, but to no avail.
Another thing I forgot to mention before, even tho every guide on XDA says that on the flashing process we should first "Install the drivers of the LG P880 from the list on the LG Mobile Support Tool", my tool (any version downloaded) never displayed LG P880 on the list, I've always had to use the UnitedDrivers package instead.
Any thoughts?
alessocf said:
Well.... it's been on 10% of the Installation progress for 43 minutes now (even while writing this response...).
I got to 10% in 52 seconds and then I got a disconnect error. I gave it a try with windows enabled just to make sure but the same thing happened. Seems like a nice and fast tool, too bad it couldn't do the trick.
This attempt also failed, but I might have some useful information now:
Code:
[22:56:11.593]Selected 7 Binary : c:\users\beunhof\desktop\fix\lgp880at-00-v20b-eur-xxx-jul-17-2013+0.dz
[22:56:11.594]DoDownload : Retry(1)
[22:56:11.595]###### Port Opend(41) ######
[22:56:11.595]Opened COM41
[22:56:11.595]=====================================================
[22:56:11.596]= DLL Info : Dec 12 2012 11:01:58
[22:56:11.596]=====================================================
[22:56:11.602] MODEL:P880
[22:56:11.605] IMEI:000000000031
[22:56:11.611] PID:0000000003001721
[22:56:11.614] SWV:LGP880AT-00-V20b-EUR-XXX-JUL-17-2013+0
[22:56:11.617][VerReq]
[22:56:11.618]Model Name : Target(P880)
[22:56:11.618][FeatureQuery]
[22:56:11.633]This firmware supports the following features:
[22:56:11.633] - Protocol Version : 3
[22:56:11.633] - CP Download : TRUE
[22:56:11.633] - AP Download : TRUE
[22:56:11.633] - ROM Download : TRUE
[22:56:11.633] - MaxPacketLength : 0x40000
[22:56:11.633] - Battery Level : 37%
[22:56:11.633] - OperatingMode : 4
[22:56:11.633] - AutoUpdateBuffer : 1
[22:56:11.633] - ThreadOn : 1
[22:56:11.633] - Flashless : 0
[22:56:11.633] - UpdateBct : 0
[22:56:11.636] Dz Information
[22:56:11.636] - Model Name : Binary(P880)
[22:56:11.636] - SWV : LGP880AT-00-V20b-262-000-JUL-17-2013+0
[22:56:11.636] - BuildTime : 2013-07-18 01:35:51
[22:56:11.636] - SecureType : 1
[22:56:11.636] - TotalFiles : 10
[22:56:11.636] Loading FLS
[22:56:11.729]IntelFlash::GetDownloadSize
[22:56:11.729] - PSI : 35316
[22:56:11.729] - EBL : 157172
[22:56:11.729] - Hardware : 172
[22:56:11.729] - Security : 2048
[22:56:11.729] - DownloadData : 20572
[22:56:11.729] - Security : 2048
[22:56:11.729] - DownloadData : 167768
[22:56:11.729] - Security : 2048
[22:56:11.729] - DownloadData : 697892
[22:56:11.729] - Security : 2048
[22:56:11.729] - DownloadData : 356380
[22:56:11.729] - Security : 2048
[22:56:11.729] - DownloadData : 7864428
[22:56:11.729] Loading CFG
[22:56:11.733]NvidiaFlash::GetDownloadSize
[22:56:11.733] - BCT : 6128
[22:56:11.733] - EBT : 1132440
[22:56:11.733] - EKS : 684
[22:56:11.733] - SOS : 8228864
[22:56:11.733] - LNX : 7120896
[22:56:11.733] - APP : 925208920
[22:56:11.733]TotalSize : 83624509
[22:56:11.733]CP Download Starting : 0
[22:56:11.733]CP Binary has been loaded(9349476)
[22:56:11.733][Intel] MemoryMap
[22:56:11.733] FlashStartAddr : 0x40000000
[22:56:11.733] CUST : StartAddress(0x63000000), Length(0x00500000) : LINUX
[22:56:11.734] CUST : StartAddress(0x38000000), Length(0x08400000) : CLONE
[22:56:11.734] CUST : StartAddress(0x30000000), Length(0x08400100) : PREFLASH
[22:56:11.734] CUST : StartAddress(0x20000000), Length(0x00500000) : USBRO_ISO
[22:56:11.734] CUST : StartAddress(0x90000000), Length(0x001FE000) : CUSTDATA
[22:56:11.734][CMD_Intel_DownloadMode]
[22:56:12.294] - Device synchronized
[22:56:12.294][Injecting PSI RAM] : 35316
[22:56:12.294] - Sending PSI RAM
[22:56:15.354] - Receiving CRC
[22:56:15.367] - Received CRC OK : 01
[22:56:15.367] - Receiving ACK
[22:56:15.379] - Received ACK : 01 00 AA
[22:56:15.379] - PSI RAM Running
[22:56:15.379][Injecting EBL] : 157172
[22:56:15.379] - Sending EBL Length
[22:56:15.389] - Receiving ACK
[22:56:15.401] - Received ACK : 0xCCCC
[22:56:15.401] - Sending EBL : 157172
[22:56:29.112] - Sending CRC : FA
[22:56:29.121] - Receiving ACK
[22:56:29.169] - Received OK : 51 A5
[22:56:29.169] - Receiving Capabilities : 76
[22:56:29.184] - Boot-loader is active
[22:56:29.184] - EBL version: XMM6260_20.21_M1S1
[22:56:29.184] - Boot mode is: 00BB
[22:56:29.184] - EBL Running
[22:56:29.184][ReqSetProtConf]
[22:56:29.184] == prot_capabilities_t ==
[22:56:29.184] - protocol_version : 11
[22:56:29.184] - package_size : 2 -> 8
[22:56:29.184] - crc_type : 1
[22:56:29.184] - skip_writeblock_tx : 0
[22:56:29.184] - compression : 11 -> 10
[22:56:29.184] - compression : 10
[22:56:29.184] - flags : 1
[22:56:29.184] - erase_sector_verify : 0
[22:56:29.185] - flash_debug : 0
[22:56:29.185] - protocol_crc : 0
[22:56:29.185] - skip_erase : 1 -> 0
[22:56:29.185] - skip_wr_pack_crc : 0
[22:56:29.185] - Sending capabilities
[22:56:29.194] - Receiving ACK
[22:56:29.208] - Received : ACK 0100
[22:56:29.208][CnfBaudChange] : 3250000
[22:56:29.208] - Sending BaudRate
[22:56:29.217] - Receiving ACK
[22:56:29.254] - Received BaudRate : 3250000
[22:56:29.254] - Changing BaudRate
[22:56:29.267] - Changed BaudRate : 3250000
[22:56:29.267][ReqFlashId]
[22:56:29.267] - Platform : 14
[22:56:29.267] - ProjectName : XMM6260
[22:56:29.267] - Sending HardWare Info
[22:56:29.276] - Receiving ACK
[22:56:29.358] - Received ACK : 0000
[22:56:29.358][ReqCfiInfo_1]
[22:56:29.358] - Sending CfiInfo1
[22:56:29.368] - Receiving CfiInfo2
[22:56:29.406] - Received CfiInfo2 : 256
[22:56:29.406][ReqCfiInfo_2]
[22:56:29.406] - Sending CfiInfo2
[22:56:29.415] - Receiving ACK
[22:56:29.429] - Received ACK : FFFF
[22:56:29.429][Downloading BOOT CORE PSI(0)] : psi.fls
[22:56:29.429][ReqSecStart]
[22:56:29.429] - BootCoreVersion : 131072
[22:56:29.429] - Sending Security Start
[22:56:29.444] - Receiving ACK
[22:56:29.529][ERROR] Type : 0041 <> 0204
[22:56:29.529] - IndErrorMsg
[22:56:29.542]File_id(34), Line_number(415), Error_class(1), Error_code(79)
[22:56:29.542]File_id(16), Line_number(617), Error_class(1), Error_code(10)
[22:56:29.542]File_id(0), Line_number(0), Error_class(0), Error_code(0)
[22:56:29.542]File_id(0), Line_number(0), Error_class(0), Error_code(0)
[22:56:29.542]File_id(0), Line_number(0), Error_class(0), Error_code(0)
[22:56:29.542]File_id(0), Line_number(0), Error_class(0), Error_code(0)
[22:56:29.542]File_id(0), Line_number(0), Error_class(0), Error_code(0)
[22:56:29.542]File_id(0), Line_number(0), Error_class(0), Error_code(0)
[22:56:29.542] - Failure!
[22:56:29.542]ERROR : _Func_03_Ebl_0_ReqSecStart - Line(300)
[22:56:29.543]__Proc_NormalDownload : 0
[22:56:29.543]Error! IntelFlash:__Proc_NormalDownload
[22:56:29.544]_DoDownload : 0
[22:56:29.544]
-----------------------------------------Trace Last 100 Message-------------------------------------------------
[22:56:29.169][T000015] 43 01 00 00 4C 00 00 00 88 13 00 00 15 19 7E C...L..........
[22:56:29.184][R000086] 43 00 00 00 4C 00 00 00 BB 00 00 00 14 00 00 00 15 00 00 00 58 4D 4D 36 32 36 30 5F 32 30 2E 32 C...L...............XMM6260_20.2
[22:56:29.184] - Boot-loader is active
[22:56:29.184] - EBL version: XMM6260_20.21_M1S1
[22:56:29.184] - Boot mode is: 00BB
[22:56:29.184] - EBL Running
[22:56:29.184][ReqSetProtConf]
[22:56:29.184] == prot_capabilities_t ==
[22:56:29.184] - protocol_version : 11
[22:56:29.184] - package_size : 2 -> 8
[22:56:29.184] - crc_type : 1
[22:56:29.184] - skip_writeblock_tx : 0
[22:56:29.184] - compression : 11 -> 10
[22:56:29.184] - compression : 10
[22:56:29.184] - flags : 1
[22:56:29.184] - erase_sector_verify : 0
[22:56:29.185] - flash_debug : 0
[22:56:29.185] - protocol_crc : 0
[22:56:29.185] - skip_erase : 1 -> 0
[22:56:29.185] - skip_wr_pack_crc : 0
[22:56:29.185] - Sending capabilities
[22:56:29.185][T000101] 44 00 00 00 56 00 00 00 20 4E 00 00 CE 88 7E 02 00 86 00 4C 00 BB 00 00 00 14 00 00 00 15 00 00 D...V....N.........L............
[22:56:29.194][R000010] 44 00 00 00 56 00 00 00 D0 6E D...V....n
[22:56:29.194] - Receiving ACK
[22:56:29.196][T000015] 43 01 00 00 0C 00 00 00 88 13 00 00 E4 7C 7E C............|.
[22:56:29.208][R000022] 43 00 00 00 0C 00 00 00 02 00 86 00 02 00 01 00 89 00 03 00 B5 2C C....................,
[22:56:29.208] - Received : ACK 0100
[22:56:29.208][CnfBaudChange] : 3250000
[22:56:29.208] - Sending BaudRate
[22:56:29.208][T000029] 44 00 00 00 0E 00 00 00 20 4E 00 00 FB 9B 7E 02 00 82 00 04 00 50 97 31 00 9E 01 03 00 D........N...........P.1.....
[22:56:29.217][R000010] 44 00 00 00 0E 00 00 00 1E 5E D........^
[22:56:29.217] - Receiving ACK
[22:56:29.218][T000015] 43 01 00 00 06 00 00 00 10 27 00 00 EF B4 7E C........'.....
[22:56:29.230][R000016] 43 00 00 00 06 00 00 00 02 00 82 00 04 00 C7 FA C...............
[22:56:29.230][T000015] 43 01 00 00 04 00 00 00 88 13 00 00 58 51 7E C...........XQ.
[22:56:29.242][R000014] 43 00 00 00 04 00 00 00 50 97 31 00 9E D9 C.......P.1...
[22:56:29.242][T000015] 43 01 00 00 04 00 00 00 10 27 00 00 80 BF 7E C........'.....
[22:56:29.254][R000014] 43 00 00 00 04 00 00 00 9E 01 03 00 B7 96 C.............
[22:56:29.254] - Received BaudRate : 3250000
[22:56:29.254] - Changing BaudRate
[22:56:29.254][T000011] 45 00 00 00 50 97 31 00 F3 0E 7E E...P.1....
[22:56:29.267][R000010] 45 00 00 00 50 97 31 00 F3 0E E...P.1...
[22:56:29.267] - Changed BaudRate : 3250000
[22:56:29.267][ReqFlashId]
[22:56:29.267] - Platform : 14
[22:56:29.267] - ProjectName : XMM6260
[22:56:29.267] - Sending HardWare Info
[22:56:29.267][T000197] 44 00 00 00 B6 00 00 00 20 4E 00 00 2D 90 7E 02 00 01 08 AC 00 0E 00 00 00 00 00 00 02 00 C2 01 D........N..-...................
[22:56:29.276][R000010] 44 00 00 00 B6 00 00 00 5A DA D.......Z.
[22:56:29.276] - Receiving ACK
[22:56:29.277][T000015] 43 01 00 00 0C 00 00 00 88 13 00 00 E4 7C 7E C............|.
[22:56:29.358][R000022] 43 00 00 00 0C 00 00 00 02 00 01 08 02 00 00 00 0B 00 03 00 4F 25 C...................O%
[22:56:29.358] - Received ACK : 0000
[22:56:29.358][ReqCfiInfo_1]
[22:56:29.358] - Sending CfiInfo1
[22:56:29.359][T000027] 44 00 00 00 0C 00 00 00 20 4E 00 00 94 90 7E 02 00 84 00 02 00 00 00 86 00 03 00 D........N.................
[22:56:29.368][R000010] 44 00 00 00 0C 00 00 00 68 67 D.......hg
[22:56:29.368] - Receiving CfiInfo2
[22:56:29.369][T000015] 43 01 00 00 06 00 00 00 10 27 00 00 EF B4 7E C........'.....
[22:56:29.381][R000016] 43 00 00 00 06 00 00 00 02 00 84 00 00 01 B4 C7 C...............
[22:56:29.381][T000015] 43 01 00 00 00 01 00 00 88 13 00 00 53 D8 7E C...........S..
[22:56:29.394][R000266] 43 00 00 00 00 01 00 00 00 00 00 00 AD 00 B1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C...............................
[22:56:29.394][T000015] 43 01 00 00 04 00 00 00 10 27 00 00 80 BF 7E C........'.....
[22:56:29.406][R000014] 43 00 00 00 04 00 00 00 E3 01 03 00 7D 47 C...........}G
[22:56:29.406] - Received CfiInfo2 : 256
[22:56:29.406][ReqCfiInfo_2]
[22:56:29.406] - Sending CfiInfo2
[22:56:29.406][T000281] 44 00 00 00 0A 01 00 00 20 4E 00 00 F0 12 7E 02 00 85 00 00 01 00 00 00 00 AD 00 B1 00 00 00 00 D........N......................
[22:56:29.415][R000010] 44 00 00 00 0A 01 00 00 2E 76 D........v
[22:56:29.415] - Receiving ACK
[22:56:29.417][T000015] 43 01 00 00 0C 00 00 00 88 13 00 00 E4 7C 7E C............|.
[22:56:29.429][R000022] 43 00 00 00 0C 00 00 00 02 00 85 00 02 00 FF FF 85 02 03 00 0B 76 C....................v
[22:56:29.429] - Received ACK : FFFF
[22:56:29.429][Downloading BOOT CORE PSI(0)] : psi.fls
[22:56:29.429][ReqSecStart]
[22:56:29.429] - BootCoreVersion : 131072
[22:56:29.429] - Sending Security Start
[22:56:29.429][T002073] 44 00 00 00 0A 08 00 00 20 4E 00 00 C9 53 7E 02 00 04 02 00 08 00 00 00 00 00 00 00 00 00 00 00 D........N...S..................
[22:56:29.444][R000010] 44 00 00 00 0A 08 00 00 30 EA D.......0.
[22:56:29.444] - Receiving ACK
[22:56:29.445][T000015] 43 01 00 00 0C 00 00 00 88 13 00 00 E4 7C 7E C............|.
[22:56:29.529][R000022] 43 00 00 00 0C 00 00 00 02 00 41 00 40 00 22 00 9F 01 01 00 19 1D C.........A.@.".......
[22:56:29.529][ERROR] Type : 0041 <> 0204
[22:56:29.529] - IndErrorMsg
[22:56:29.529][T000015] 43 01 00 00 3E 00 00 00 88 13 00 00 03 9A 7E C...>..........
[22:56:29.542][R000072] 43 00 00 00 3E 00 00 00 4F 00 10 00 69 02 01 00 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C...>...O...i...................
[22:56:29.542]File_id(34), Line_number(415), Error_class(1), Error_code(79)
[22:56:29.542]File_id(16), Line_number(617), Error_class(1), Error_code(10)
[22:56:29.542]File_id(0), Line_number(0), Error_class(0), Error_code(0)
[22:56:29.542]File_id(0), Line_number(0), Error_class(0), Error_code(0)
[22:56:29.542]File_id(0), Line_number(0), Error_class(0), Error_code(0)
[22:56:29.542]File_id(0), Line_number(0), Error_class(0), Error_code(0)
[22:56:29.542]File_id(0), Line_number(0), Error_class(0), Error_code(0)
[22:56:29.542]File_id(0), Line_number(0), Error_class(0), Error_code(0)
[22:56:29.542] - Failure!
[22:56:29.542]ERROR : _Func_03_Ebl_0_ReqSecStart - Line(300)
[22:56:29.543]__Proc_NormalDownload : 0
[22:56:29.543]Error! IntelFlash:__Proc_NormalDownload
[22:56:29.544]_DoDownload : 0
[22:56:29.544]
-----------------------------------------Trace Last 100 Message-------------------------------------------------
[22:56:29.547]
------------------------------------------Trace Last 100 Message-------------------------------------------------
[22:56:29.547] ErrorCode(210)
Does anyone have an idea what the strange hex-ish lines are? They show up just after the first error. Maybe something is encrypted? I'll google error codes 10, 79 and 210 in a minute.
I lost hope and I can't be bothered to try the last link I posted, maybe tomorrow.
Any thoughts on the log?
EDIT:
Searching the errors in the log led me here:
http://forum.xda-developers.com/showthread.php?t=2287267
http://forum.xda-developers.com/showthread.php?t=2786001
http://forum.xda-developers.com/showthread.php?t=2737915
The last one is identical to my problem, my phone also couldn't read my SIM. Sadly no one ever solved the problem here.
I think these solutions are the last resort:
http://forum.xda-developers.com/showthread.php?t=1448803
http://forum.xda-developers.com/showthread.php?t=1861942
I will give these a try later today when I get home.
Hello again,
I've checked the threads you mentioned above, and I've also been googling other forums. Yet no success.
Every thread where the P880 gets stuck at param:207, Failure:207 or the infamous 10% has no final solution.
I've tried LGFlash Tool, LGFlash Tool 2014, LGSupport Tool, SmartFlash, KDZ-Update, each one w/o success and stopping at the same point.
The last and only solution I haven't yet managed to do is using the program LGNPST v_2.2.3.
I have it installed, it recognizes my P880 only on the "Emergency" tab, and automatically recognizes it on COM19.
To make the flash procedure it requires a DLL and a BIN or CAB firmware, which I do not possess (I've only found .kdz and .dz firmwares)
Also, as far as I've read, the .kdz files when decrypted become .dz which when decrypted become .fls & .bin files.
That is my last hope... nobody seems to have an answer. Wish we had an ODIN for LG.
alessocf said:
To make the flash procedure it requires a DLL and a BIN or CAB firmware, which I do not possess (I've only found .kdz and .dz firmwares)
Also, as far as I've read, the .kdz files when decrypted become .dz which when decrypted become .fls & .bin files.
I used this method to create a .cab or .dz from a .kdz for this attempt.
Do you have a guide for the LGNPST? I can only find this thread.
A zeroed MEID could also be (part of) the problem:
If you encounter problems during flashing, upgrading or downgrading you may fall victim to your MEID/ESN being zeroed out.
The usual cause is pulling your battery while stuck on the white LG Software Update screen.
That's exactly how I got bricked.
Beunhof said:
I used this method to create a .cab or .dz from a .kdz for this attempt.
Gonna try with that method for a .cab to use in the LGNPST, thanks.
Also, I'll try using the P880.dll that is inside the KDZ-Update folder.
Beunhof said:
Do you have a guide for the LGNPST? I can only find this thread.
Sorry, I can't remember where I got it, but I uploaded it to my dropbox for you, here is the link:
https://dl.dropboxusercontent.com/u/52565427/LGNPST v2.2.3.rar
It contains a Readme.txt with the instructions, it's quite easy, the program looks like a suite.
Gonna report later the status. Good luck to both of us, lol.
EDIT: STATUS:
- Made a .cab file and used the P880.dll contained on the kdz-update folder for the LGNPST, the program instantly said "Finish!" and obviously, did nothing.
I'm probably doing something wrong there... but I've run out of ideas.
Exact Same Problem!
Hi.
Looking all over the internet, the XDA forum in particular, to find a solution to my issue with my 4xHD.
It seems that I have the exact same problem as you describe; SIM not being recognised (out of the blue), eventually decided to re-flash to fix the issue (last resort after trying everything else I could find). Followed all instructions word for word; drivers installed, etc... etc... but when flashing stopped on 210... (not fully explaining, but essentially the same place it stopped for you). Waited hours, nothing happened, so forced to unplug phone. Therefore stuck on S/W mode after a failed/partial flash.
I have also attempted to complete this via every method I can find on here, but stops at the 210/10% point (depending on software being used), every time!
I love this phone and need it back up and running. If you have any luck sorting yours please update and let me know how the issue was resolved. Similarly, let me know if you have had no further luck and if I make any progress I will update you.
Cheers!
aaron_gavin said:
Hi.
Looking all over the internet, the XDA forum in particular, to find a solution to my issue with my 4xHD.
It seems that I have the exact same problem as you describe; SIM not being recognised (out of the blue), eventually decided to re-flash to fix the issue (last resort after trying everything else I could find). Followed all instructions word for word; drivers installed, etc... etc... but when flashing stopped on 210... (not fully explaining, but essentially the same place it stopped for you). Waited hours, nothing happened, so forced to unplug phone. Therefore stuck on S/W mode after a failed/partial flash.
I have also attempted to complete this via every method I can find on here, but stops at the 210/10% point (depending on software being used), every time!
I love this phone and need it back up and running. If you have any luck sorting yours please update and let me know how the issue was resolved. Similarly, let me know if you have had no further luck and if I make any progress I will update you.
Cheers!
Someone managed to solve. Already tried and everything.
Sup
Hello,
there is no software solution (at least known to me) for fixing this issue.
I've searched and scavenged all over the internet for a solution or at least AN EXPLANATION on why it does get stuck no matter what at 10% or Param:207.
My last resort (I'm trying it this weekend, will post later if it worked) is
a method called JTAG, where they kinda force-fix the boot software of the device connecting directly to the cellphone MoBo (for more explanation look on youtube)
Well, that's it... if it works, cheers, otherwise I'm throwing my Optimus 4X in a drawer.
Till' later.
alessocf said:
Hello,
there is no software solution (at least known to me) for fixing this issue.
I've searched and scavenged all over the internet for a solution or at least AN EXPLANATION on why it does get stuck no matter what at 10% or Param:207.
My last resort (I'm trying it this weekend, will post later if it worked) is
a method called JTAG, where they kinda force-fix the boot software of the device connecting directly to the cellphone MoBo (for more explanation look on youtube)
Well, that's it... if it works, cheers, otherwise I'm throwing my Optimus 4X in a drawer.
Till' later.
I will research this 'force-fix' and see if I can make any progress when I get some time off work. Please update how you get on with this if/when you try!
I'm feeling the same way with the phone; getting close to giving up, having tried all the software solutions word for word as described in the forums to fix it.
It's strange that on all the guides when people have had similar problems as we are facing the response is usually to remove drivers+software and try again/follow the guide properly (not that I'm saying that a simple human error is not at fault the majority of the time). But I have not seen any posts where people have accepted that all methods have been attempted correctly and advice given regarding possible hardware faults and/or this 'force-fix' you mention.
If I am not able to fix it myself I think I will consider posting a plea for someone more competent with this kind of stuff to have my phone posted to them in order to try and fix it for me. I'm sure that someone who is really into this kind of thing would like to have a go out of general interest, and the worst case scenario would be that I don't get my phone back (which is no use to me in its current state anyway).
Cheers!
---------- Post added at 11:43 AM ---------- Previous post was at 11:22 AM ----------
UPDATE:
Had a look at this JTAG repair method (also found a YouTube video of some company touting for work, showing repair of a 4x hd - http://www.youtube.com/watch?v=5NRXhJxbtYY).
I'm not sure that I would want to go down that route, as they explain that it delves further into the phone's software to fix issues caused by people bricking due to messing about too much after gaining root access. But I don't feel that this is the reason for the issues with my phone; had it set up how I liked it for ages (without any real messing about after root), the issue with non-recognition of my SIM came completely out of the blue (I attempted to re-flash to fix this, causing the stuck in S/W mode issue I now have, but the issue could quite easily be due to failing hardware as it could be an issue with the software).
In the case that it is damaged/failing hardware at fault JTAG would not be able to repair the phone, and even if it got my firmware back up and running there is no guarantee that it would recognise my SIM when I got it back.
So I'm not sure that I would be happy either paying someone to perform this 'fix' on my phone or paying for the hardware to attempt to fix it myself, if it's possible that the phone may still not work afterwards due to broken hardware. Especially when you can buy a working model of our phone from places like eBay for under £100.
Any thoughts or advice?
any luck/updates?
I think that I may just call it a day trying to fix this thing.
From what I have read it may be possible to fix the bootloader, thus allowing to boot into recovery/fastboot/adb (hence not remaining stuck in an unflashable S/W update mode) in order to fix the phone, by using nvflash/APX mode. But it does not seem that our phones allow us access to do this.
Have you had any luck with your mentioned JTAG fix or otherwise?
Had to get a new phone anyway (as I was fed up using my old phone while trying to fix my 4x hd) - got a Moto G 4G. Am pretty chuffed with it for the price (enjoying screen mirroring through a Miracast dongle and KitKat, etc...), but to be honest would go back to using my 4x hd if someone was able to find a fix.
Any response/update would be appreciated, and if anyone thinks they can fix this issue please let me know.
Cheers!
It's been a while!
Hey!
Long time since we had this issue with our 4X HD's, in fact almost a year since I had touched mine.
Was clearing out a drawer and found the brick. Which made me think, did anyone actually succeed in fixing their phone/solve this issue?
If so, I may have a bash just for the hell of it. If not, I think it's time for the bin.
:silly:
Whats Up
aaron_gavin said:
Hey!
Long time since we had this issue with our 4X HD's, in fact almost a year since I had touched mine.
Was clearing out a drawer and found the brick. Which made me think, did anyone actually succeed in fixing their phone/solve this issue?
If so, I may have a bash just for the hell of it. If not, I think it's time for the bin.
:silly:
Same here, didn't try much since my last update. JTAG didn't work "cause Tegra based devices don't support it" or something like that.
Also tried with a homemade USB Jig Method, nothing happened.
My X4 is in my desktop, I use it mostly as a luxury paper holder.
Bless !.
alessocf said:
Same here, didn't try much since my last update. JTAG didn't work "cause Tegra based devices don't support it" or something like that.
Also tried with a homemade USB Jig Method, nothing happened.
My X4 is in my desktop, I use it mostly as a luxury paper holder.
Bless !.
Guys, we may have a working solution: http://forum.xda-developers.com/optimus-4x-hd/general/maybe-nvflash-method-t3159853
I am currently testing it right now and until now it seems to work.
Update: It worked! My phone is booting again. Now I need to fix the IMEI and I am good.
Code:
C:\LG\\nvflash>nvflash --blob blob.bin --bct flash.bct.encrypt --setbct --configfile flash_encrypt.cfg --create --bl bootloader.bin.encrypt --go
Nvflash v1.7.75664 started
Using blob v1.1.57813ngs\Adm
rcm version 0X30001
System Information:
chip name: unknown
chip id: 0x30 major: 1 minor: 3
chip sku: 0x81
chip uid: 0x015d441469040a07
macrovision: disabled
hdcp: enabled
sbk burned: true
dk burned: true
boot device: emmc
operating mode: 4
device config strap: 0
device config fuse: 17
sdram config strap: 0
sending file: flash.bct.encrypt
- 6128/6128 bytes sent
flash.bct.encrypt sent successfully
downloading bootloader -- load address: 0x80108000 entry point: 0x80108000
sending file: bootloader.bin.encrypt
\ 1142880/1142880 bytes sent
bootloader.bin.encrypt sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 2 3
creating partition: BCT
creating partition: PT
creating partition: EBT
creating partition: LGE
creating partition: EKS
creating partition: GP1
creating partition: SOS
creating partition: LNX
creating partition: APP
creating partition: CAC
creating partition: MSC
creating partition: USP
creating partition: NVA
creating partition: UDA
creating partition: DRM
creating partition: MLT
creating partition: FOT
creating partition: CAL
creating partition: UDB
creating partition: GPT
Formatting partition 2 BCT please wait.. done!
Formatting partition 3 PT please wait.. done!
Formatting partition 4 EBT please wait.. done!
Formatting partition 5 LGE please wait.. done!
Formatting partition 6 EKS please wait.. done!
Formatting partition 7 GP1 please wait.. done!
Formatting partition 8 SOS please wait.. done!
Formatting partition 9 LNX please wait.. done!
Formatting partition 10 APP please wait.. done!
Formatting partition 11 CAC please wait.. done!
Formatting partition 12 MSC please wait.. done!
Formatting partition 13 USP please wait.. done!
Formatting partition 14 NVA please wait.. done!
Formatting partition 15 UDA please wait.. done!
Formatting partition 16 DRM please wait.. done!
Formatting partition 17 MLT please wait.. done!
Formatting partition 18 FOT please wait.. done!
Formatting partition 19 CAL please wait.. done!
Formatting partition 20 UDB please wait.. done!
Formatting partition 21 GPT please wait.. done!
done!
sending file: bootloader.bin.encrypt
\ 1142880/1142880 bytes sent
bootloader.bin.encrypt sent successfully
sending file: eks.dat
- 684/684 bytes sent
eks.dat sent successfully
sending file: recovery.img
/ 7577600/7577600 bytes sent
recovery.img sent successfully
sending file: boot.img
/ 6496256/6496256 bytes sent
boot.img sent successfully
sending file: system.img
- 687920496/687920496 bytes sent
system.img sent successfully
GoodSoul said:
Guys, we may have a working solution: http://forum.xda-developers.com/optimus-4x-hd/general/maybe-nvflash-method-t3159853
I am currently testing it right now and until now it seems to work.
Update: It worked! My phone is booting again. Now I need to fix the IMEI and I am good.
Greetings :fingers-crossed:, love to hear some good news and that it worked out for you.
I'm currently downloading the software and reading on how to use it, I'll be updating on how it goes for me.
Thank you for sharing this info with us.:highfive:
UPDATE: I T - W O R K E D !, after doing the process it automatically restarted and the LG Boot Logo reanimated, and started just as factory reset.
I had some issues installing the NvidiaUsb.inf, because I'm running on Windows 10 AMD x64 bits.
Steps I followed (in case someone needs them):
1) I had to open Command Prompt using the command: shutdown /r /o /f /t 00
THIS WILL RESTART YOUR COMPUTER
2) Then go through the options: Troubleshoot > Advanced Options > and look to "Disable Driver Signature Enforcement" using F7 key.
This allowed my W10 to Install the NVIDIA USB Boot-recovery driver for Mobile devices, which later allowed me to run NvFlash successfully.
Current Status: LG P880 Boots and Runs!, doesn't have Baseband Version or IMEI, but this is something easier to fix.
Mostly appreciated.
UPDATE: I T - W O R K E D !, after doing the process it automatically restarted and the LG Boot Logo reanimated, and started just as factory reset.
Yippie!
Current Status: LG P880 Boots and Runs!, doesn't have Baseband Version or IMEI, but this is something easier to fix.
If you know how please let me know. I tried for several hours to fix that problem but had no luck yet.
Mostly appreciated.
You are welcome.

Identify your bootloader version:

While playing with AFTV2 tools quite a bit, I thought it'd be convenient to have some way to identify what bootloader version one has (given bricking implications & all). Doing checksums on the full TEE1 & UBOOT partitions is not very useful, because the empty area in the partitions may have junk, and that would impact the checksum. So something slightly different is needed.
Here is what I propose, one can read the first few bytes of TEE1 & UBOOT partitions, and then look at them with a hex editor. Fairly low tech, but there you go ... Unfortunately, "hexdump" is not present by default on Fire, so a few more manipulations are required. First, run this with adb (can also be read with AFTV2 tools):
Code:
adb shell
su
mkdir /sdcard/tmp/
dd if=/dev/block/mmcblk0p4 of=/sdcard/tmp/04_uboot.img
dd if=/dev/block/mmcblk0p9 of=/sdcard/tmp/09_tee1.img
cd /sdcard/tmp
md5 *.img
exit
exit
adb pull /sdcard/tmp
Then, with a hex editor (such as Frhed), look at the first few bytes of these images on your PC. On Linux it's even easier, just do 'for f in *.img; do head -c 8 "$f" | hexdump -C; done'. You should see something like the following:
Code:
04_uboot.img: UBOOT: 88 16 88 58 [b4 33 06 00] 4c 4b 00 00 "LK"
09_tee1.img: TEE1: 88 16 88 58 [00 3c 10 00] 54 45 45 00 "TEE"
The 4 bytes in square brackets (marked in red in the original post) are key to identify the version. Please see the table below for the data I've compiled so far. Let's add to it as more versions become available/known (if your combination is not listed, please post here):
Code:
UBOOT
d8 27 06 00 Unreleased, 5.0.0, (Build date Saturday, August 1, 2015, 10:39 PM GMT)
b4 33 06 00 5.2.2_053820 5.0.1
54 3f 06 00 5.2.2_055120 5.0.1
e4 3b 06 00 5.4.1_112720 5.1.1
38 34 06 00 5.4.2_168620 5.1.2
78 34 06 00 5.4.4_271020 5.1.4
b8 3c 06 00 5.5.2_153420 5.3.1.0
TEE1
00 3c 10 00 Unreleased, 5.0.0, (Build date Saturday, August 1, 2015, 10:39 PM GMT)
00 3c 10 00 5.2.2_053820 5.0.1
00 3c 10 00 5.2.2_055120 5.0.1
00 3c 10 00 5.4.1_112720 5.1.1
00 3c 10 00 5.4.2_168620 5.1.2
00 3c 10 00 5.4.4_271020 5.1.4
90 84 11 00 5.5.2_153420 5.3.1.0
@DoLooper, @kirito9, @sd_shadow, @Kramar111, @zeroepoch, @hwmod, @Tomsgt
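An added example (not part of the original post and not the AFTV2 tools' own code) that automates the check described above on a PC: it validates the 4 leading magic bytes, extracts the 4 key bytes and the name, and looks the UBOOT/TEE1 pair up in the table from the post, flagging unknown, mismatched or unreadable headers. The function names, status strings and constructed sample headers are assumptions made for this illustration.

```python
#!/usr/bin/env python3
"""Identify a Fire bootloader from the first bytes of UBOOT and TEE1 dumps."""
import sys

MAGIC = bytes.fromhex("88168858")  # leading 4 bytes of both headers shown in the post

# (UBOOT key, TEE1 key, bootloader build, FireOS), transcribed from the post's table.
ROWS = [
    ("d8270600", "003c1000", "Unreleased", "5.0.0"),
    ("b4330600", "003c1000", "5.2.2_053820", "5.0.1"),
    ("543f0600", "003c1000", "5.2.2_055120", "5.0.1"),
    ("e43b0600", "003c1000", "5.4.1_112720", "5.1.1"),
    ("38340600", "003c1000", "5.4.2_168620", "5.1.2"),
    ("78340600", "003c1000", "5.4.4_271020", "5.1.4"),
    ("b83c0600", "90841100", "5.5.2_153420", "5.3.1.0"),
]


def parse_header(data):
    """Return (key_hex, name) from the first 12 bytes of a partition image.

    Layout as shown in the post: 4 magic bytes, the 4 key bytes, then a
    NUL-terminated name ("LK" for UBOOT, "TEE" for TEE1).
    """
    if len(data) < 12:
        raise ValueError("need at least 12 bytes, got %d" % len(data))
    if data[:4] != MAGIC:
        raise ValueError("bad magic " + data[:4].hex())
    name = data[8:12].split(b"\x00", 1)[0].decode("ascii", "replace")
    return data[4:8].hex(), name


def identify(uboot_img, tee1_img):
    """Classify a UBOOT/TEE1 pair against the table.

    status is one of (hypothetical labels for this example):
      match      - both keys belong to the same table row(s)
      mismatch   - both keys are known but never appear together
      unknown    - at least one key is not in the table yet
      unreadable - magic or name is wrong (corrupt dump or wrong partition)
    """
    try:
        ukey, uname = parse_header(uboot_img)
        tkey, tname = parse_header(tee1_img)
    except ValueError as exc:
        return {"status": "unreadable", "error": str(exc)}
    if uname != "LK" or tname != "TEE":
        return {"status": "unreadable",
                "error": "unexpected names %r/%r" % (uname, tname)}

    u_rows = [r for r in ROWS if r[0] == ukey]
    t_rows = [r for r in ROWS if r[1] == tkey]
    result = {
        "uboot_key": ukey,
        "tee1_key": tkey,
        "uboot": [(r[2], r[3]) for r in u_rows],
        "tee1": [(r[2], r[3]) for r in t_rows],
    }
    if not u_rows or not t_rows:
        result["status"] = "unknown"
        return result
    # The TEE1 key is shared by several releases, so only the pair narrows it down.
    pair = [(r[2], r[3]) for r in u_rows if r in t_rows]
    result["pair"] = pair
    result["status"] = "match" if pair else "mismatch"
    return result


def make_header(key_hex, name):
    """Build a constructed 12-byte header for offline testing (not real dump data)."""
    return MAGIC + bytes.fromhex(key_hex) + name.ljust(4, b"\x00")


def read_head(path):
    """Read only the first 12 bytes of a pulled image such as 04_uboot.img."""
    with open(path, "rb") as fh:
        return fh.read(12)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: script.py 04_uboot.img 09_tee1.img
        print(identify(read_head(sys.argv[1]), read_head(sys.argv[2])))
    else:
        # Constructed sample: the header values shown in the post.
        print(identify(make_header("b4330600", b"LK"),
                       make_header("003c1000", b"TEE")))
```

A "mismatch" or "unreadable" result is the case to stop on before writing anything back to either partition.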
unknown 5.0.1
Code:
UBOOT
54 3f 06 00 5.2.2_055120 5.0.1
TEE1
00 3c 10 00 5.2.2_055120 5.0.1
Fire originally with 5.1.3 - downgraded to 5.1.2 . uboot and tee1 are consistent with 5.1.2 .
fmc000 said:
Fire originally with 5.1.3 - downgraded to 5.1.2 . uboot and tee1 are consistent with 5.1.2 .
Indeed, when you downgraded, the bootloaders got overwritten and so you see 5.1.2 ! But luckily, this combination does not brick.
fmc000 said:
Fire originally with 5.1.3 - downgraded to 5.1.2 . uboot and tee1 are consistent with 5.1.2 .
bibikalka said:
Indeed, when you downgraded, the bootloaders got overwritten and so you see 5.1.2 ! But luckily, this combination does not brick.
Hence the 'special' procedure for upgrading FireOS while leaving the current bootloader intact. A standard sideload/OTA update refreshes bootloader, kernel, rom, etc.
Davey126 said:
Hence the 'special' procedure for upgrading FireOS while leaving the current bootloader intact.
In a strict sense, the procedure doesn't leave the bootloader intact - it first writes the newer version (which is part of the stock ROM) to later replace it back with the original one. And this "later" may be crucial - if in-between something bad happens (bad battery level, bad cable, power outage on the PC side), game over.
What's the ratio of successful vs. bricking here?
Unfortunately, nobody seems to have followed the path @Vlasp had suggested a year ago: to trim down stock ROMs to explicitly exclude bootloader files and install instructions (and possibly add su, and disable ota and ads). I understand that with FF we're no longer limited to signed ROMs, so this should be feasible, and scriptable for future ROM versions, no? (If I could extend days to 36 hours...)
steve8x8 said:
In a strict sense, the procedure doesn't leave the bootloader intact - it first writes the newer version (which is part of the stock ROM) to later replace it back with the original one. And this "later" may be crucial - if in-between something bad happens (bad battery level, bad cable, power outage on the PC side), game over.
True. Didn't expect a literal interpretation but appreciate the clarification and associated cautions for others.
steve8x8 said:
Unfortunately, nobody seems to have followed the path @Vlasp had suggested a year ago: to trim down stock ROMs to explicitly exclude bootloader files and install instructions (and possibly add su, and disable ota and ads).
This has been done for other Amazon devices (eg: 3rd gen HDX) but garnered little user interest as an alternative to custom ROMs. The misunderstanding/misuse of custom stock builds actually created bigger headaches and a few unfortunate bricks. Eventually the images stopped being maintained.
steve8x8 said:
If I could extend days to 36 hours...
Still searching for those elusive hours! Same can be said for developers who struggle to maintain what is already out there. Witness the cracks in several custom ROMs that have not seen recent updates.
Great and easy way to identify bootloader version. Disappointed to find that I was on 5.3.1 bootloader, but at least I know now
Quick update (although useless since reading off the timestamps would require root which isn't available yet for 5.3.2.1 and higher - that's why I won't merge this into the checker tool yet):
Code:
fireOS-5.0.0/images/preloader.img: 20150728-232738
fireOS-5.0.1/images/preloader_prod.img: 20150730-164940
fireOS-5.1.1/images/preloader_prod.img: 20150923-180133
fireOS-5.0.1/images/preloader.img: 20150930-051243
fireOS-5.1.1/images/preloader.img: 20151202-052945
fireOS-5.1.2/images/preloader_prod.img: 20160120-094719
fireOS-5.1.4/images/preloader_prod.img: 20160217-183554
fireOS-5.1.2/images/preloader.img: 20160227-021828
fireOS-5.1.4/images/preloader.img: 20160506-045524
fireOS-5.3.1.0/images/preloader_prod.img: 20160603-023745
fireOS-5.3.2.0/images/preloader_prod.img: 20160603-023745
fireOS-5.3.1.0/images/preloader.img: 20160624-191357
fireOS-5.3.2.1/images/preloader_prod.img: 20161102-031807
fireOS-5.3.2.0/images/preloader.img: 20161104-214024
fireOS-5.3.2.1/images/preloader.img: 20161201-113631
fireOS-5.3.3.0/images/preloader_prod.img: 20170116-085533
fireOS-5.3.3.0/images/preloader.img: 20170328-012523
---------- Post added at 01:58 PM ---------- Previous post was at 01:11 PM ----------
Um, by the way, there had been reports that 5.1.3 had been rooted without downgrading to 5.1.2, if I remember correctly.
If that's your last FireOS version, may I ask you to run the bootloader tool and report back the result? Same for 5.1.2.1... Thanks
After an adventure in updating to 5.3.3.0 I have :
uboot : b0 99 0e 00
tee : not recognisable
The tablet boots, I can reload TWRP if needed but if I flash the previous bootloader I had 541 it bricks and I have to recover using the linux ISO. It looks like my tee1 partition is corrupted. Any advice on how to proceed would be good ! Thanks.
jpearn said:
After an adventure in updating to 5.3.3.0 I have :
uboot : b0 99 0e 00
tee : not recognisable
The tablet boots, I can reload TWRP if needed but if I flash the previous bootloader I had 541 it bricks and I have to recover using the linux ISO. It looks like my tee1 partition is corrupted. Any advice on how to proceed would be good ! Thanks.
Reflash the partition with DD?
Download the firmware update, rename it to *.zip from *.bin, and there should be something called TEE.img or something similar. Then push it to the device with "adb push /path/to/TEE.img /sdcard" Then, on the tablet or in adb shell, run 'dd if=/sdcard/TEE.img of=/dev/block/mmcblk0p9'
PorygonZRocks said:
Reflash the partition with DD?
Download the firmware update, rename it to *.zip from *.bin, and there should be something called TEE.img or something similar. Then push it to the device with "adb push /path/to/TEE.img /sdcard" Then, on the tablet or in adb shell, run 'dd if=/sdcard/TEE.img of=/dev/block/mmcblk0p9'
I thought this however I noted in the other gapps / root thread that it should be dd if=453_tee1.img of=/dev/block/mmcblk0p3
I'm on Ariel Fire 7 4th, so I guess the partitions are different ?
jpearn said:
I thought this however I noted in the other gapps / root thread that it should be dd if=453_tee1.img of=/dev/block/mmcblk0p3
I'm on Ariel Fire 7 4th, so I guess the partitions are different ?
Yes, they would be different. Make sure to use a TEE from the correct device, not one from this model.
jpearn said:
After an adventure in updating to 5.3.3.0 I have :
uboot : b0 99 0e 00
tee : not recognisable
The tablet boots, I can reload TWRP if needed but if I flash the previous bootloader I had 541 it bricks and I have to recover using the linux ISO. It looks like my tee1 partition is corrupted. Any advice on how to proceed would be good ! Thanks.
This thread pertains to the 5th gen Fire 7 (Ford) not the 4th gen HD 7 (Ariel).
Identifying the bootloader version is one thing, being able to decide whether a downgrade would result in a brick is another...
Is there a way, on a Fire 7 (5th), to extract the anti-r* "stepping numbers" from bootloader files/partitions that get compared with entries in RPMB (which is only accessible by the bootloader, but not the kernel)? This might save a lot of guesswork and bricks.
In lk.bin, there's "androidboot.rpmb_state=%d" right next to "androidboot.unlocked_kernel=true" and "androidboot.unlocked_kernel=false". Access seems to happen via device numbers.
OTOH, preloader_prod.img contains strings like "[RPMB] Invalid magic, re-creating..." and "[RPMB] RPMB provisioning disabled" or even a message about a skipped, invalid anti-r* state.
Too bad it seems to be impossible to watch the device boot at such an early stage. Half a MB of ARM code is not what I'd want to trace manually... extracting the preloader from its MTK wrapper seems to be the easiest part...
steve8x8 said:
Too bad it seems to be impossible to watch the device boot at such an early stage.
https://forum.xda-developers.com/am...bootloader-unlock-ideas-t3289721/post65585385 and some previous/next post
Thanks for the pointer to one of the missing links! Being able to track the messages down might limit the amount of machine code to be parsed...
uboot - 88 16 88 58 B8 3C 06 00 4C 4B 00 00 00 00 00
tee1 - 88 16 88 58 90 84 11 00 54 45 45 00 00 00 00
5.3.1, lol. What's a good ROM for this Amazon Fire 5th gen?
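The header bytes posted above can be decoded as follows. This is an added example, not code from the thread or from the bootloader checker tool; it assumes the commonly documented MediaTek image header layout (little-endian magic 0x58881688, 32-bit payload size, NUL-padded name), and `parse_mtk_header` and `describe` are hypothetical names.

```python
import struct

MTK_MAGIC = 0x58881688  # stored little-endian, so a dump starts 88 16 88 58
NAME_FIELD = 32         # assumed width of the NUL-padded name field

def parse_mtk_header(hex_dump):
    """Decode the leading bytes of an MTK-wrapped image given as spaced hex."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) < 8:
        raise ValueError("need at least 8 bytes (magic + size), got %d" % len(raw))
    magic, size = struct.unpack_from("<II", raw, 0)
    if magic != MTK_MAGIC:
        raise ValueError("magic 0x%08x is not an MTK image header" % magic)
    # The name may be cut short in a partial dump; stop at the first NUL.
    name = raw[8:8 + NAME_FIELD].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"name": name, "payload_size": size}

def describe(label, hex_dump):
    """One-line summary; unreadable headers are reported, never guessed at."""
    try:
        hdr = parse_mtk_header(hex_dump)
    except ValueError as exc:
        return "%s: not recognisable (%s)" % (label, exc)
    return "%s: image '%s', payload %d bytes" % (
        label, hdr["name"], hdr["payload_size"])

# Header bytes exactly as posted in the thread.
POSTED = {
    "uboot": "88 16 88 58 B8 3C 06 00 4C 4B 00 00 00 00 00",
    "tee1": "88 16 88 58 90 84 11 00 54 45 45 00 00 00 00",
}

if __name__ == "__main__":
    for label, dump in POSTED.items():
        print(describe(label, dump))
```

A header that fails the magic check is a reason to stop before writing anything to a bootloader or TEE partition.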
2WR3505 said:
uboot - 88 16 88 58 B8 3C 06 00 4C 4B 00 00 00 00 00
tee1 - 88 16 88 58 90 84 11 00 54 45 45 00 00 00 00
5.3.1, lol. What's a good ROM for this Amazon Fire 5th gen?
[ROM][AOSP] Fire Nexus ROM - LMY49M [22 JULY 2017] - XDA Developers
https://forum.xda-developers.com/amazon-fire/orig-development/rom-fire-nexus-rom-lmy49f-t3300714
[ROM] Lineage-12.1 [12 SEP 2017] - XDA Developers
https://forum.xda-developers.com/amazon-fire/orig-development/rom-lineage-12-1-t3639447
Thanks, I went with the Nexus ROM, it runs nicely.

Help needed: some ADB log

I am experiencing a data corruption related issue (possibly) with my Mi5 and I need some help.
In order to help me you need:
- Android 10 (or 9) rom with encryption enabled (FDE)
- Some previous experience with adb
I just ask you to send me the logs of the commands below:
adb shell
hexdump -C -n1088 /dev/block/dm-0
Now in your terminal select and copy just the last line. It looks like this one:
00000430 bd 76 59 5d d1 00 0a 00 53 ef 01 00 02 00 00 00 |.vY]....S.......|
Then paste it here.
Please also send me the same line for these two commands below:
hexdump -C -n1088 /dev/block/bootdevice/by-name/userdata
hexdump -C -n1088 /dev/block/sda14
There is no sensitive data so you can safely share them here.
I need these as reference, because mine don't look like what I'd expect.
Thanks in advance for your help.
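The requested line at offset 0x430 can be read field by field as in the sketch below. This is an added example, not part of the original post: it assumes the bytes are offsets 0x30 to 0x3F of an ext2/3/4 superblock (which starts 1024 bytes into the volume), and the function names and the second sample line are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

EXT_MAGIC = 0xEF53
SB_LINE_OFFSET = 0x430  # superblock at 0x400; this line holds its bytes 0x30-0x3F

def parse_hexdump_line(line):
    """Split one `hexdump -C` line into (offset, 16 data bytes)."""
    fields = line.split("|", 1)[0].split()
    offset = int(fields[0], 16)
    data = bytes(int(b, 16) for b in fields[1:17])
    if len(data) != 16:
        raise ValueError("expected 16 data bytes, got %d" % len(data))
    return offset, data

def decode_superblock_line(line):
    """Decode s_wtime .. s_minor_rev_level and flag whether the magic matches."""
    offset, data = parse_hexdump_line(line)
    if offset != SB_LINE_OFFSET:
        raise ValueError("line is at 0x%x, not 0x%x" % (offset, SB_LINE_OFFSET))
    wtime, mnt, max_mnt, magic, state, errors, minor = struct.unpack(
        "<IHhHHHH", data)
    return {
        "last_write": datetime.fromtimestamp(wtime, timezone.utc).isoformat(),
        "wtime": wtime,
        "mount_count": mnt,
        "max_mount_count": max_mnt,
        "magic": magic,
        "looks_like_ext": magic == EXT_MAGIC,
        "state": state,        # 1 = cleanly unmounted
        "errors": errors,      # 2 = remount read-only on error
        "minor_rev": minor,
    }

# Sample line quoted in the post above.
POSTED = "00000430 bd 76 59 5d d1 00 0a 00 53 ef 01 00 02 00 00 00 |.vY]....S.......|"
# Constructed line with no valid magic, as an encrypted or damaged volume would show.
CONSTRUCTED = "00000430 9c 1f a7 03 5e d2 48 b1 7a 06 e9 c4 33 8d 10 f5 |....^.H.z...3...|"

if __name__ == "__main__":
    for sample in (POSTED, CONSTRUCTED):
        print(decode_superblock_line(sample))
```

The decoded fields include the last write time and mount count of the filesystem, which is worth knowing before pasting such a line publicly.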
