Database Develop

Tattoo Custom Recovery Image

I'm starting this thread to document the work on creating a custom recovery image for the Tattoo.
The main goal is to provide a recovery image that will serve as the launchpad for flashing custom roms.
The Tattoo Custom Recovery Image will provide:
1) A way to use an update.zip signed with test-keys (already accomplished);
2) A way to perform a full backup of mtd2,mtd3,mtd4 and mtd5 (boot,system,cache and data).
3) A way to perform a full restore of the backup achieved by 2);
4) Adb support (already accomplished);
4.1) Adb shell support.
I'm open to input about using nandroid. Right now, without a S-OFF/ENG SPL this looks useless.
Also, if you have any other special need for recovery, please feel free to express it

Alpha release
Tattoo's Custom Recovery Image, Alpha Release
This first release includes:
- ADB enabled recovery
- ADB enabled root shell
- Accept update.zip signed with test keys
- All partitions mounted
- Custom recovery program (the last two options are stubs, not really working yet)
- Included in /sbin: busybox, flash_image and BART
- I've not used BART and, at the moment, cannot attest if it works or not.
- Backup script in /sbin/backup.sh
- Restore script in /sbin/restore.sh
With this custom recovery you can now do a full backup of your unit, by dumping the mtd block devices to your sdcard. Afterwards, you can use flash_image to recover your Tattoo to it's previous state.
I'm releasing this image as is. This is not a point-and-click recovery tool. If you don't know what you're doing, you can seriously damage your unit. The only reason I'm releasing this is in an effort to provide other devs with a way to easily recover their units, back to day-to-day configuration, while experimenting with them.
To flash:
Copy TCRI.alpha.img to /sdcard.
Run "flash_image recovery /sdcard/TCRI.alpha.img"
To reboot into recovery (quickest way)
adb reboot recovery
Please comment

thanks for you work

i try to flahs and get permission denied, do you know why?

flash_image: permission denied

chusen said:
i try to flahs and get permission denied, do you know why?
Click to expand...
Click to collapse
Partition remounted writeable from a fresh rebooted system with the tattoo-hack.ko module inserted??
But I'm sure you did that before because of:
I'm releasing this image as is. This is not a point-and-click recovery tool. If you don't know what you're doing...
Click to expand...
Click to collapse
;-)
-bm-

Thank you very much for your excellent job

Someone could install custom alpha recovery?
thx

@-bm-:yes I will try that way since the beginning. i mount with rw permissions /system and /data. i know is not a point-and-click recovery tool but i think i need more permissions but where?

Where did you guys get your flash_image binary from ?
The error you're getting is from flash_image, not from my recovery image.
I'll attach the flash_image I've been using to this post.
Please tell me if this solves your problem. You need tattoo-hack.ko module inserted, if you're using a release kernel.
Edit: You have the correct permissions in your flash_image binary, right ? After pushing it to the device, don't forget to chmod 755

It works I like drawing, jejeje.
Backup and Restore functionality appears to have no further
The adb root shell is perfect
Very good Work
for when the beta version? and the final version? lol

I try to dump the system userdata and boot.img and when i try to extract with unyasffs and i get this when i try to extract system.img
Code:
4 [main] unyaffs 3940 handle_exceptions: Exception: STATUS_ACCESS_VIOLATION
644 [main] unyaffs 3940 open_stackdumpfile: Dumping stack trace to unyaffs.exe.stackdump
and this with others
Code:
broken image file

Code:
[email protected]:~/Tattoo/images/boot/1$ ../../unpack.pl ./boot.1.img
Page size: 2048 (0x00000800)
Kernel size: 1899580 (0x001cfc3c)
Ramdisk size: 160952 (0x000274b8)
Second size: 0 (0x00000000)
Board name:
Command line: no_console_suspend=1 console=null
Writing boot.1.img-kernel ... complete.
Writing boot.1.img-ramdisk.gz ... complete.
528 blocks
[ boot.1.img-ramdisk.gz decompressed to boot.img-ramdisk ]
My image dumping script is OK
Take a look here: http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images
The boot.img is not a yaffs2 image. It's a special format, comprised by a 2k header, a kernel image and a ramdisk.
The system.img is a yaffs2 image. From unyaffs's homepage: "Unyaffs is a program to extract files from a yaffs file system image. Now it can only extract images created by mkyaffs2image."
Chusen, I think it would be better to create a new thread for this, since it doesn't concern the custom recovery image directly.

Thank god for custom recovery!
Now we can really start cooking ROMs... gonna break out the tools tonight and get Android 1.6/2.1 sources ready to compile.

leon1984 said:
for when the beta version? and the final version? lol
Click to expand...
Click to collapse
You tell me
Next in line is to tie the backup/restore scripts to the UI, which won't be too hard.
Later, I may mess around with nandroid and bart, to see if they provide something more than my scripts.
Afterwards, when we have some custom roms available, I may create a downloader/updater option, to make it easier to install those.
Also, I'm taking requests for new features

suggestions about scripts
Excellent work, mainfram3. Thank you.
I have extracted the img file, and check backup.sh and restore.sh scripts. The code for checking sdcard remaining space is done. Here it is:
Code:
## TEST: Check free space in sdcard
NEED_KB="200000"
REM_KB=`du /sdcard | awk '{print $6}'`
if [ ${REM_KB%K} -lt $NEED_KB ]; then echo "Not enough space in /sdcard, exiting"; exit; fi
backup space min set to 200MB.
There is another suggestion about restore.sh. Because of backing up img to /sdcard/Backup, $1 might not be needed, right?

mainfram3 said:
Code:
[email protected]:~/Tattoo/images/boot/1$ ../../unpack.pl ./boot.1.img
Page size: 2048 (0x00000800)
Kernel size: 1899580 (0x001cfc3c)
Ramdisk size: 160952 (0x000274b8)
Second size: 0 (0x00000000)
Board name:
Command line: no_console_suspend=1 console=null
Writing boot.1.img-kernel ... complete.
Writing boot.1.img-ramdisk.gz ... complete.
528 blocks
[ boot.1.img-ramdisk.gz decompressed to boot.img-ramdisk ]
My image dumping script is OK
Take a look here: http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images
The boot.img is not a yaffs2 image. It's a special format, comprised by a 2k header, a kernel image and a ramdisk.
The system.img is a yaffs2 image. From unyaffs's homepage: "Unyaffs is a program to extract files from a yaffs file system image. Now it can only extract images created by mkyaffs2image."
Chusen, I think it would be better to create a new thread for this, since it doesn't concern the custom recovery image directly.
Click to expand...
Click to collapse
and if you want to extract the boot.img here are the two scripts you need to fully extract the kernel(zImage) and ramdisk
split_bootimg.pl
and
extract-ramdisk.sh
they are attached below

jamezelle:
extract-ramdisk.sh missed #!, and the ramdisk zip file should be passed to $1 of this script.

mainfram3 said:
1) A way to use an update.zip signed with test-keys (already accomplished);
Click to expand...
Click to collapse
Hi mainfram3,
I don't want to jack your thread - could you add a little elaboration on this point, or provide a URL so I can learn a little more? The SPL on the phone (oem-78 or fastboot mode) accepts updates signed with the test key from the SDK? (Or some other key?) (On the Eris, the "rom.zip" files unpacked by the RUU are prepended with a mystery blob of 256 bytes - s'pose it could be a mic/sig, but if that's what it is, it don't appear to be in a standard DSA/RSA format, and those .zip files are not signed using the .apk/.jar manifest-signing method)
FYI here's an entertaining story of an epic fail in a related area. After reviewing the fastboot sources from the android tree, I decided that I wanted to spy on the (Windows) RUU update program by sniffing the USB bus - in particular to see if it was explicitly passing signatures in .sig files. (That's an undocumented command-line behavior in fastboot.)
Turns out that recent versions of libpcap and Wireshark allow for USB bus capture on Linux - and using the "usbmon" kernel module in Ubuntu 8.04 LTS, sniffing the USB (5k packet size) seems to work without hitch, even at USB 2.0 speeds. So I took it one step further, and installed WIn Xp SP3 in a QEMU VM on the Ubuntu machine, with the intention of running the RUU updater inside the Xp VM and sniffing the USB bus in the host OS (Linux) machine.
The result? QEMU/Win Xp VM can talk to the phone in either fastboot or adb mode, but bluescreens as soon as you start to move data at any appreciable rate. Doesn't seem to be dependent on whether monitoring is taking place. I might try putting the phone behind a cheapo USB 1.1 hub, and see if that helps, but for the moment I am stopped out on this hack.
bftb0

cn.fyodor said:
jamezelle:
extract-ramdisk.sh missed #!, and the ramdisk zip file should be passed to $1 of this script.
Click to expand...
Click to collapse
it works yea sorry about the
#/bin/sh
i didnt write the scripts btw

[HOWTO] Create your own boot/recovery images

After releasing my custom recovery and boot images several people have messaged me about how to create these images.
First, you need to read this article, carefully: http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images. It explains the format of these images. I suggest you try to extract the kernel and the ramdisk with a hex editor, as it will help you understand how the format works.
Afterwards, for convenience, you can use the two scripts provided in that page: unpack-bootimg.pl and repack-bootimg.pl.
You should now have two files, the kernel and the ramdisk.
Extract the contents of the ramdisk with:
Code:
gunzip -c ramdisk.cpio.gz | cpio -i
You can now proceed to alter what you wish, in the ramdisk.
For repacking, I use the tools provided in the Android 1.6 SDK. You need to download it from http://developer.htc.com/. After compiling the SDK, you should have (among others) these two tools: mkbootfs and mkbootimg.
To recreate the ramdisk, use the following command (assumes ramdisk in ramdisk folder):
Code:
mkbootfs ramdisk | gzip > ramdisk.gz
And now, to recreate the image:
Code:
mkbootfs [b]--base 0x2e00000[/b] --cmdline 'cmdline: no_console_suspend=1 console=null' --kernel kernel.gz --ramdisk ramdisk.gz -o my_new_boot_image.img
The only tricky part, and where I guess everyone is having problems, is with the --base 0x2e00000 option. This is the base address for the kernel and, without this, your Tattoo will hang at boot.
Do not try to create custom images unless you are fully aware of what you're doing. YOU CAN BRICK YOUR DEVICE
Best of luck

Thanks a lot mainfram3!
I'll base CoburnROM's boot.img off yours, and then we'll go from there.
All we need now is a how to on make your own system.img (either taking a RUU system and gutting the crap out of it or using one that a member has precompiled as a base) and we'll be set for cookin' ROMs with gas. Want fries with dat?
Thanks a million!

Cool! You have dispeled the clouds.
mf3: How did you know that base address of the kernel? I repacked the boot.img file without the option '--base xxx', that's why this one bricked my tattoo i think.

Thanks, you did the great job.
BTW, I break through this cloud by using HEX editor to comparing your image and mime and found that the kernel address, ramdisk address are different. But I don't know why... Would you mind to tell us why and how you find it??

huchengtw said:
Thanks, you did the great job.
BTW, I break through this cloud by using HEX editor to comparing your image and mime and found that the kernel address, ramdisk address are different. But I don't know why... Would you mind to tell us why and how you find it??
Click to expand...
Click to collapse
See at kernel sources at the file:
arch\arm\mach-msm\include\mach\memory.h
.....
/* physical offset of RAM */
#if defined(CONFIG_ARCH_MSM7225) || defined(CONFIG_ARCH_MSM7625)
#define PHYS_OFFSET UL(0x02E00000)
.....
I think there it is ......
cya

Well, actually I got the base address from looking at bootimg.h, to understand the structure of the header in the image files.
I then figured out the the kernel base address in the boot.img and recovery.img from the rom.zip (from the RUU) and compared it against the kernel address in the images I was creating. After that, I adjusted the arguments to mkbootimg so that it would generate a file with the same address as the originals.

i am trying to put together a recovery for the Sholes XT701. obviously i am missing this base offset because it hangs at boot. i was looking in the memory.h file and see the following but this is for the ram. where can i find the base offset for the kernel? that is what i need right?
Code:
#elif defined(CONFIG_MACH_SHOLES_UMTS) || defined(CONFIG_MACH_MAPPHONE)
#define PHYS_OFFSET UL(0x80C00000)

do you have a bootimg.h ? mainfram3 got his information from there...

Did you tried to put all in a rom.zip and replace the one that comes with Ruu WWE? IF the addresses are the same maybe it will flash your custom rom.
mainfram3 said:
Well, actually I got the base address from looking at bootimg.h, to understand the structure of the header in the image files.
I then figured out the the kernel base address in the boot.img and recovery.img from the rom.zip (from the RUU) and compared it against the kernel address in the images I was creating. After that, I adjusted the arguments to mkbootimg so that it would generate a file with the same address as the originals.
Click to expand...
Click to collapse

sorry,but how to create recovery.img?
is boot.img==recovery.img?

mainfram3 said:
And now, to recreate the image:
Code:
mkbootfs [b]--base 0x2e00000[/b] --cmdline 'cmdline: no_console_suspend=1 console=null' --kernel kernel.gz --ramdisk ramdisk.gz -o my_new_boot_image.img
Click to expand...
Click to collapse
Hi,
isn't it mkbootimg instead of mkbootfs to create an image?
Moreover, the script repack-bootimg.pl doesn't work for me. But your method using mkbootfs works well.
Thanks.

can an expert help me out? I have 2 recoveries, both of which can be flashed to my phone without any problem, except I have troubles using them.
Recovery X can be used without any problem, all the options work and I can perform nandroid backup and restore perfectly fine. However, it's missing the option to flash a custom rom from the memory card.
Recovery Y supports all the options, including the option to flash a custom rom from the memory card. However, it's not made specifically for my phone, which means that none of the buttons on my phone work. Therefore, I can only navigate through the options up or down, but I can't select it or go back.
My phone is a chinese clone btw, the brand is STAR A1000. That's why there aren't many properly made recoveries available for it. Anyway, since Recovery X works, I was wondering if someone could just compare the 2 recoveries and just change the button mappings on Recovery Y, as you can simply take the button mapping from Recovery X and that's it?
I dunno how to do it and don't wanna risk bricking my phone or anything, so if someone can kindly help me out that would be great.

I don't have this phone, but isn't there a keychars.pl file under /usr/"don't know the name anymore"/? there are files assigning an action to a pressed key - you just have to compare the keychars file from X and Y and change the Y keychars accordingly. Hope that helps, since I also never did this before.

Oh well I didn't know that
I dunno anything about creating a recovery or boot image. All I know is how to flash it and root the phone, i.e just the basic stuff.......
would you be able to help me compare the files and make the changes?
Here's the link to the files:
http://forum.xda-developers.com/attachment.php?attachmentid=740516&d=1317801095
http://forum.xda-developers.com/attachment.php?attachmentid=737495&d=1317534773
the first link is the recovery that is currently working for me, but doesn't have the option to flash a firmware from the memory card. It's a modified version of the ClockworkMod Recovery v4.0.0.5.
as for the 2nd link, please extract just the "a1000.img" recovery. My phone is the STAR A1000 and that's the recovery that contains all the options, except the buttons don't work on it. It's also in chinese but I can read it. So ya, I just need someone to remap the buttons that work in the "cw.img" recovery and copy that to the "a1000.img" recovery....

[DEV][TOOLS] Unpack Repack boot.img (Kernel) Files And Modify Ramdisk

Hello!
This is -at least I hope it is- an easy to follow guide on how to unpack boot.img files (aka custom kernels) and modify the ramdisk.
Now, why would you want to do that?
First and simplest thing that comes to mind is for editing the kernel boot logo (the one that appears before the boot animation).
There are also a lot of other things you can edit in the ramdisk, but they require a bit more advanced knowledge, so we won't talk about them here.
Requirements:
1. Linux (any form will do, for example virtual box etc)
2. Perl (already included in Ubuntu, me thinks)
3. The Xperia Boot Tools package attached in this post
4. The mkbootimg binary (I already compiled it for Linux x86 and included it in the attachment)
5. Reading this post VERY VERY VERY carefully
Step 1: The mkbootimg binary
Let's install mkbootimg (we need it in order to repack the boot.img).
In a terminal window, cd to the directory where you extracted the mkbootimg file and type:
Code:
[B][I]sudo cp mkbootimg /bin/[/I][/B]
And then
Code:
[B][I]sudo chmod 755 /bin/mkbootimg[/I][/B]
Done!
* After first command, terminal will ask for your user password, type it, press enter and the command will be executed immediately.
Step 2: Splitting the boot.img
At this point, we need a boot.img file to play with.
Pick your favorite custom kernel and get the .img.
Place it in a folder along with the 2 perl scripts from the attached package.
In a terminal window, cd to the above-mentioned folder.
Next, type this command:
Code:
[B][I]perl split_bootimg.pl boot.img[/I][/B]
The command will return something like this:
Page size: 2048 (0x00000800)
Kernel size: 3132176 (0x002fcb10)
Ramdisk size: 3484496 (0x00352b50)
Second size: 0 (0x00000000)
Board name:
Command line:
Writing boot.img-kernel ... complete.
Writing boot.img-ramdisk.gz ... complete.
Now the kernel is successfully extracted to your current directory.
It consists of 2 files: boot.img-kernel and boot.img-ramdisk.gz.
Step 3: Unpacking ramdisk
So we unvealed the ramdisk in our previous step but it is still of no use to us, so we need to un-gzip and then un-cpio it.
In the same terminal window as before, type:
Code:
[I][B]mkdir ramdisk[/B]
Code:
[B]cd ramdisk[/B]
Code:
[B]gzip -dc ../boot.img-ramdisk.gz | cpio -i[/B][/I]
Last command will return something like:
10503 blocks
Our ramdisk is unpacked now in the newly created /ramdisk folder.
Step 4: Editing ramdisk files
Now you can edit the contents of the ramdisk.
BE EXTREMELY CAREFUL AND NEVER EVER DO ANYTHING "JUST 'CAUSE"...
You need to be fully aware of what you're doing.
Good news is, changing the logo.rle (the static boot logo image) is fairly easy.
You just need to replace it with your .rle file.
I am not going to explain how to make your own .rle files right now.
Feel free to have a look at this thread for more info.
However, I attach the stock SE boot logo in case anyone misses it when he's on custom kernel.
IMPORTANT: Don't accidentally add irrelevant files to the ramdisk directory as cpio will include them too and your new boot.img will be useless.
Also, bear in mind:
DooMLoRD said:
there is a bug in the semc S1 bootloader... sometimes if the boot.img isnt of a correct size then the device will not boot... the workaround is to add a "filler" file (which is say 512KB file with junk data) to the ramdisk so as to increase the size of the final boot.img file...
thanks to jerpelea for this incredible tip... i must have wasted atleast 10-15 hrs trying to figure out why my kernel failed to boot
Click to expand...
Click to collapse
Step 5: Repack the ramdisk
Now that's all done, we need to pack the kernel back up into a flashable img file.
First, we will pack the ramdisk back to it's original state.
In the same terminal window as before, type:
Code:
[B][I]find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz[/I][/B]
Step 6: Repack the boot.img
In our last step, back into the terminal we go to use the "repack-bootimg" perl script that will give us our brand new boot.img.
Make sure to cd to the directory that the perl scripts are, much like in Step 1.
Type this command:
Code:
[B][I]perl repack-bootimg.pl '/.../.../.../boot.img-kernel' '/.../.../.../ramdisk' newboot.img[/I][/B]
Of course, replace /.../.../ with the path to the boot.img-kernel file and the ramdisk directory respectively.
All done! Your new img is newboot.img and is ready to be flashed!
ADVICE: Use fastboot boot and not fastboot flash boot the first time, to test that the new kernel boots. If all is well, proceed with the actual flashing!
FAQ:
- Can I do this on Windows?
- Not that I know of, no. You can use Vmware or VirtualBox to install a raw Ubuntu image (pure command line) on your Windows PC though.
- Great! How can I do this then?
- Wish I knew! I have a Linux partition on my PC, it has been like that forever. Google is your friend!
- This is so complicated, is there an easier way? Can you make a zip for me to use in recovery?
-
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
- OK, don't get upset. Can you do it for me?
- I will have to say no, because I know that the minute word gets out that I take requests, I will be overwhelmed.
Took me several hours to figure all this out but it will take you less than 10 minutes to do it yourself if you carefully follow the instructions.
- I think this or that is wrong and it should be like this or that.
- Thank you very much for correcting me! I am still learning! Please post your corrections here or PM me and I will update the thread ASAP!
References:
- HOWTO: Unpack, Edit, and Re-Pack Boot Images
- How to Port Android to Another Device
- [How-To] Make custom bootscreen/bootlogo (image to rle)/(rle to image)
Thanks to:
- Riyal for giving me the idea to get into this.
- pvyParts because without him I'd only be "pulling Irises"...
Cheers!

Thank you very much. I've been looking for something like this.
Anyways, use VirtualBox instead of VMware. It's a thousand times better.

or try pendrivelinux,boot linux from windows..great tutorial,gonna try it
so everyone can be doomlord
question,if i manage to change boot image and repack the it back,is there any chance for me to "brick" the kernel?
Sent from my LT18i

Locked Bootloader
Hello Iridaki,
many thanks for your apports (this and the init.d script). I'm actually user from a Spanish forum called www.htcmania.com (you may have heard about thedr0idboy, which is a Neo developer) and we were trying to pack kernels in order to flash it in locked bootloader devices or at least try to create an Overclock module for stock kernel that can be flashed in locked devices.
Do you think we can use this to achieve this goal? I just hate Arc S with it's damn 1.4 GHz processor :S. It was released only a month after I got my Arc.
Many thanks for your time and your efforts!!
P.D: a girl developer!!!

rashid.fairus said:
so everyone can be doomlord
question,if i manage to change boot image and repack the it back,is there any chance for me to "brick" the kernel?
Click to expand...
Click to collapse
Nah, it takes a lot more to be DoomLord..!!!
If there are no errors in the cmd, boot.img should be OK.
By using flashboot boot command, the kernel is sent to the phone and it tries to boot it. It's not flashing it, so if it fails, it immediately goes back to previous kernel.
So don't worry! Imagine that until I found the correct script, I had tried more or less 10 crapernels (crappy kernels)!!!
iR¡[email protected]!* via Tapatalk

iridaki said:
Nah, it takes a lot more to be DoomLord..!!!
If there are no errors in the cmd, boot.img should be OK.
By using flashboot boot command, the kernel is sent to the phone and it tries to boot it. It's not flashing it, so if it fails, it immediately goes back to previous kernel.
So don't worry! Imagine that until I found the correct script, I had tried more or less 10 crapernels (crappy kernels)!!!
iR¡[email protected]!* via Tapatalk
Click to expand...
Click to collapse
looks like our themes and apps forum have a new section,kernel theming,,(iridaki,you have purple theme for apps and roms,how about kernel?)
Sent from my LT18i

A big thanks, iridaki!
I was looking forward to such thread.
I did also a lot of search on google too, but somehow I couldn't find any match.
I am an experienced Linux user, so that shouldn't be a problem for me.
I'll try everything this weekend.
Afaik, CWM is also stored in the kernel, so is it possible to modify it with the tool?
I don't want to have a step by step guide, just a reference would be great (of course if you know one).
Anyway, thanks for your great contributions in XDA.
Sent from my LT18i using xda premium

OMG... :-o Iris you are a genius.
Sent from my Arc S LT18i using Xda Premium App

glaudrem said:
Hello Iridaki,
many thanks for your apports (this and the init.d script). I'm actually user from a Spanish forum called www.htcmania.com (you may have heard about thedr0idboy, which is a Neo developer) and we were trying to pack kernels in order to flash it in locked bootloader devices or at least try to create an Overclock module for stock kernel that can be flashed in locked devices.
Do you think we can use this to achieve this goal? I just hate Arc S with it's damn 1.4 GHz processor :S. It was released only a month after I got my Arc.
Many thanks for your time and your efforts!!
P.D: a girl developer!!!
Click to expand...
Click to collapse
currently we cant use custom kernels on locked bootloader...
there is a way to make overclock module for stock kernel... i am looking into that possibility & i have contacted a few devs... i will work on it when i get time...
@Iris
there is a bug in the semc S1 bootloader... sometimes if the boot.img isnt of a correct size then the device will not boot... the workaround is to add a "filler" file (which is say 512KB file with junk data) to the ramdisk so as to increase the size of the final boot.img file...
thanks to jerpelea for this incredible tip... i must have wasted atleast 10-15 hrs trying to figure out why my kernel failed to boot

DooMLoRD said:
@Iris
there is a bug in the semc S1 bootloader... sometimes if the boot.img isnt of a correct size then the device will not boot... the workaround is to add a "filler" file (which is say 512KB file with junk data) to the ramdisk so as to increase the size of the final boot.img file...
thanks to jerpelea for this incredible tip... i must have wasted atleast 10-15 hrs trying to figure out why my kernel failed to boot
Click to expand...
Click to collapse
Great tip indeed!!! Added to the OP!
I haven't come across the issue yet because I am only editing some tweaks and the logo.rle but say someone uses a much smaller logo and deletes some scripts, would he need to use a filler file, even if it is for 20-30 KB?
THANKS!

iridaki said:
Great tip indeed!!! Added to the OP!
I haven't come across the issue yet because I am only editing some tweaks and the logo.rle but say someone uses a much smaller logo and deletes some scripts, would he need to use a filler file, even if it is for 20-30 KB?
THANKS!
Click to expand...
Click to collapse
size of logo doesnt really matter... just the final size of the boot.img matters...
btw the logo.rle must have correct permissions (644)

DooMLoRD said:
size of logo doesnt really matter... just the final size of the boot.img matters...
btw the logo.rle must have correct permissions (644)
Click to expand...
Click to collapse
Yes, but if the logo.rle is replaced with a smaller one in size, ramdisk size is reduced accordingly, isn't it?
Permissions are taken care of while unpacking/repacking.
Overall, this guide works, since I've sorted everything out, hasn't failed me yet!
dp94 said:
Afaik, CWM is also stored in the kernel, so is it possible to modify it with the tool?
I don't want to have a step by step guide, just a reference would be great (of course if you know one).
Anyway, thanks for your great contributions in XDA.
Click to expand...
Click to collapse
My initial response would have to be: I have no idea!
However, tell me what exactly do you want to edit. Images, colors, features?
I'll look into it, currently I have never been in involved with recovery.
theduke89 said:
OMG... :-o Iris you are a genius.
Click to expand...
Click to collapse
I have my moments.

Presumably, kernel.sin can be renamed to boot.img for splitting without problems, or am I missing something pertinent to SE?

LenAsh said:
Presumably, kernel.sin can be renamed to boot.img for splitting without problems, or am I missing something pertinent to SE?
Click to expand...
Click to collapse
NOOOOOOO!!
DoomLord has released a .sin unpacker. Unpack the kernel.sin with it, then repack it with my script.
iR¡[email protected]!* via Tapatalk

Found that previously, but the repacker doesn't work. I think the script he published is a hack of something else and may have errors.

LenAsh said:
Found that previously, but the repacker doesn't work. I think the script he published is a hack of something else and may have errors.
Click to expand...
Click to collapse
Well, no, the script is OK, it's just made to work with the particular unpacker I included in the package. You need to edit it a wee bit to work with the sin unpacker. If I get some time in the weekend, I'll look into it too.
iR¡[email protected]!* via Tapatalk

Magic, thanks Iris. I recall the unpacking is fine, it is just repacking that doesn't yield either a boot.img OR kernel.sin due to the mixed file names/folders etc. It's been a few months since I tried... forgive me. All I was doing at the time was taking a stock Neo kernel and making it insecure. Which is dead easy normally. done it plenty with other phones, but SE .sin files threw me.

iridaki said:
My initial response would have to be: I have no idea!
However, tell me what exactly do you want to edit. Images, colors, features?
I'll look into it, currently I have never been in involved with recovery.
Click to expand...
Click to collapse
Just to change the colors, rename options, maybe integrate some features into one option.
I have really tried to search a lot, here in XDA & Google, but I have no idea.

dp94 said:
Just to change the colors, rename options, maybe integrate some features into one option.
I have really tried to search a lot, here in XDA & Google, but I have no idea.
Click to expand...
Click to collapse
You would have to rebuild CWM from sources or so i believe. dont ask me how either as i've not a clue
LenAsh said:
Magic, thanks Iris. I recall the unpacking is fine, it is just repacking that doesn't yield either a boot.img OR kernel.sin due to the mixed file names/folders etc. It's been a few months since I tried... forgive me. All I was doing at the time was taking a stock Neo kernel and making it insecure. Which is dead easy normally. done it plenty with other phones, but SE .sin files threw me.
Click to expand...
Click to collapse
use this tool
http://forum.xda-developers.com/showthread.php?t=1262656
and then you will have a kernel and ramdisk and then it is just like any other boot img i had to edit it to make it unpack the ramdisk aswell. ( had to remove the ../ right after the gzip command )
basicaly use the file in that post instead of iridakis "split_bootimg.pl"
Pvy

I can change the boot logo now. Thanks very much.. I'm using doomlord kernel, but I love SE original boot logo. Finally I managed to change it. Thanks again. I just follow the instruction and it works. The reduce in size of boot.img didn't cause any problem at all... ;-)
Sent from my LT15i using xda premium

G925V Downgrade and Bootloader Unlock Possible! Progress so far. Devs please help!!

Hi everyone and thanks for your time. I will get straight to the point:
All these tests were made on G925V 5.1.1 , rooted with eng boot. (Look at my profile for my post on how to downgrade from 7.0 ,and all below, to 5.1.1 and for for root turorial)
-The samsung downgrade mechanism relies on a flag set in the different partitions to determine its version.
- The phone looks for the flag "SYSMAGIC X" where X is the version. (Starting from 0, meaning SYSMAGIC 0= version 1)
-The following partitions have the flag:
*BOTA0 <----gets its files from sboot.bin (bootloader first partition)
* BOTA1 <-------gets its files from cm.bin (bootloader second partition)
*BOOT <----- from boot.img
*CACHE <-----from cache.img
*RECOVERY <----from recovery.img
*SYSTEM <------from system.img
*sdb <---- which is the bootloader as a whole I believe, don't quote me in this, just a deduction.
All these files can be accessed through a full tar or by dumping them using dd if of.
Bota0, bota1, boot, system,recovery,cache..etc can be found in :
/dev/block/platform/15570000.ufs/by-name
Putting any of these in a hex editor, you will find the line "SYSMAGIC 3" (in my case for 5.1.1, binary version 4).
If you dump /dev/block/sda18 , edit with hex editor and edit the SYSMAGIC to one version lower. Save then dd back to sda18, reboot the phone and guess what?
SYSTEM REV. CHECK FAIL. DEVICE:3 BINARY:2.
All this is assumption but the line is there and it seems to pass every check and just assumes thats the version.
Hope someone can take it further. I unfortunately bricked my s6 writing the wrong partiton back over the bootloader...and well...bad bootloader....no more download mode.
Be careful, devs please help. Anyone with a device willing to use as a ginny pig, pm me.

dragoodwael said:
Hi everyone and thanks for your time. I will get straight to the point:
All these tests were made on G925V 5.1.1 , rooted with eng boot. (Look at my profile for my post on how to downgrade from 7.0 ,and all below, to 5.1.1 and for for root turorial)
-The samsung downgrade mechanism relies on a flag set in the different partitions to determine its version.
- The phone looks for the flag "SYSMAGIC X" where X is the version. (Starting from 0, meaning SYSMAGIC 0= version 1)
-The following partitions have the flag:
*BOTA0 <----gets its files from sboot.bin (bootloader first partition)
* BOTA1 <-------gets its files from cm.bin (bootloader second partition)
*BOOT <----- from boot.img
*CACHE <-----from cache.img
*RECOVERY <----from recovery.img
*SYSTEM <------from system.img
*sdb <---- which is the bootloader as a whole I believe, don't quote me in this, just a deduction.
All these files can be accessed through a full tar or by dumping them using dd if of.
Bota0, bota1, boot, system,recovery,cache..etc can be found in :
/dev/block/platform/15570000.ufs/by-name
Putting any of these in a hex editor, you will find the line "SYSMAGIC 3" (in my case for 5.1.1, binary version 4).
If you dump /dev/block/sda18 , edit with hex editor and edit the SYSMAGIC to one version lower. Save then dd back to sda18, reboot the phone and guess what?
SYSTEM REV. CHECK FAIL. DEVICE:3 BINARY:2.
All this is assumption but the line is there and it seems to pass every check and just assumes thats the version.
Hope someone can take it further. I unfortunately bricked my s6 writing the wrong partiton back over the bootloader...and well...bad bootloader....no more download mode.
Be careful, devs please help. Anyone with a device willing to use as a ginny pig, pm me.
Click to expand...
Click to collapse
That is great news. What else do you know of the magic bytes at the footer of the system image?
I'm going to look into this.
All of those partitions, probably even the cache partition with it's metadata file from the CSC, have points that have access to the private signing key burned into the Trust Zone firmware.

Hi, I followed your tut on downgrading my SM-G925V to 5.1.1 and also got root which was great, but I guess its pretty worthless as its only temporary til reboot, has there been any further progress on permanent root on the G925v? Great work btw all involved!

[Guide]Extracting Stock firmware files using Huawei Update Extractor/splitupdate

There seems to be a little confusion on how to do this and I've written down how to in many posts now so I figure I'd just write it down in a little guide.
What you need:
Firmware update.zip from http://pro-teammt.ru/firmware-database/
Windows only: Huawei Update Extractor
Linux/Mac(?)/(Windows too): splitupdate perl script (requires perl)
Direct link: https://mega.nz/#!4PBknJrK!iZQDI4ti6ERmQJC6afgUGTSvHHKcm9KFz9okmwwez3I
Source: https://github.com/marcominetti/split_updata.pl/tree/f5f415262be3487de28321b49dcb69d947897bf1
(Or my 'special' version https://mega.nz/#!NS4VnL7Q!5GMn-soCf_WMW6fZANd-TDzxjQkZW2LynEQtJ_TlUdU which extracts
to the same folder as 'splitupdate' instead of 'output/', and includes a mount script (Linux only, maybe Mac?) for extraction of files of the different images)
Archive extractor of your choice (7zip, winrar, winzip and so on.)
Firmware build
First you need to determine what your current firmware is, this can be done by going to 'Settings -> System -> About Phone' on your phone. Check 'Build Number'.
Mine says:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
BLA-L29 8.0.0.132(C636) (Replace 8.0.0. with C636 and add a B infront of 132 )
This can be translated into BLA-L29C636B132.
Now we have our current firmware!
Info on Nougat -> Oreo
As of Oreo the partitions changed a little.
'Boot' partition was split into 'ramdisk' and 'kernel'.
'Recovery' partition was split into 'recovery_ramdisk', 'recovery_vendor' and 'recovery_vbmeta', and shares the 'kernel' partition with 'ramdisk'.
The one's you probably want to flash are 'ramdisk' and 'recovery_ramdisk'. (Ramdisk is where Magisk/SuperSU goes, recovery_ramdisk is where TWRP goes)
Firmware update.zip
In this example I will be using my firmware, BLA-L29C636B132.
First start by going to http://pro-teammt.ru/firmware-database/ and enter your full firmware in the 'Enter model', click on Find Model.
This is what it will look like after you have searched. Locate the row that says FullOTA-MF and click on the 'update' link in that row.
When it's downloaded, open update.zip in your choice of archive manager and extract UPDATE.app to your desktop or somewhere easy to find.
Huawei Update Extractor:
Download Huawei Update Extractor from the link above, it's attached to first post in that thread I linked to (v0.9.9.5).
Extract the zip to your desktop (Or Downloads folder).
Enter the newly created folder that should be named 'HuaweiUpdateExtractor_0.9.9.5', and run HuaweiUpdateExtractor.exe.
Start by going to the 'Settings' tab and uncheck 'Verify header checksum'.
(Something is wrong with the header of erecovery_ramdisk, also it's mispelled to erecovery_ramdis, or maybe character limit? The partition on phone is named correctly. This does not need to be unchecked on Nougat firmware)
Then go back to the 'Extract' tab and click on the button that says '...' and open your UPDATE.APP
Rightclick on the file you want to extract and click on 'Extract Selected', this will bring up a dialog where you choose where to extract to.
After this you can flash the file using fastboot. Take 'ramdisk' for example.
Make sure you have adb & fastboot installed (https://forum.xda-developers.com/showthread.php?t=2317790)
Open up a command prompt and connect phone, reboot to fastboot mode using: usb plugged in, power + vol down, release power when phone vibrates.
Or you can use the command 'adb reboot bootloader'.
Make sure phone is recognized in fastboot mode with the command: 'fastboot devices', it should show up as a fastboot device.
Next we can flash RAMDISK.img using: 'fastboot flash ramdisk RAMDISK.img'.
On Nougat you would extract 'BOOT' from UPDATE.APP and flash using:
'fastboot flash boot BOOT.img'
Linux/Mac(?)(and Windows with perl installed, I use Strawberry Perl)
First download the splitupdate zip from above.
Extract it and enter the extracted 'split' folder, open a terminal and:
'chmod +x splitupdate'
'chmod +x crc'
Now put your UPDATE.APP in the 'split' folder and open a terminal and use the following command:
'./splitupdate UPDATE.APP file_to_extract'. If you write 'file_to_extract' or anything that is or is not in the UPDATE.APP it will list all images in it.
Typing './splitupdate UPDATE.APP' will extract all files in UPDATE.APP
It will output files to the newly created 'output' folder. The filtering is not perfect. If you use './splitupdate UPDATE.APP RAMDISK', it will extract all images with RAMDISK in its name, so you will get RAMDISK.img and RECOVERY_RAMDISK.img. This is fine for me as the original script extracted everything, which takes long for the larger images.
And if you use the 'special' version:
'chmod +x simg2img'
'chmod +x mount.sh'
I edited the splitupdate script for the 'special' version just to make it easier for me as I like to check SYSTEM, VENDOR, PROCDUCT and those images for changes.
So it made it easier if it extracted directly to the root of 'split' folder instead of 'output', then I could run the mount.sh script directly.
To use mount.sh, first edit the script and replace YOUR_SUDO_PASSWORD_HERE with your password or remove 'echo YOUR_SUDO_PASSWORD_HERE | ' and input password manually when it asks.
Then simply extract SYSTEM.img (or Product, vendor, odm whichever you like) and './mount.sh SYSTEM' (yes, no extension).
This will convert SYSTEM.img to SYSTEM.raw and mount it to 'split_folder/SYSTEM/' as a loop device, it will also chmod 777 everything in SYSTEM/.
Linux ADB and Fastboot
Use google for this one. ADB usually works fine right away, Fastboot might get 'no permissions' and need to be run as sudo if it's missing udev permissions/entries.
You can make fastboot work without sudo but it's easier to google it as it might get lengthy and there are a lot of different distros of linux (I use Ubuntu)

Hi ante0, i have downloaded the bla a09 8.0.0.109 c567 which is the recent update for my US mate 10 pro version, i was using hisuite to update my phone which is failing but i was able to grab the update which it down loaded and it has the following files in it, bla-a09_hw_usa( which contains update_full_BLA-A09_hw_usa, public( which contains update_data_full_public), update.zip which contains update.app and other xml files, i have already bl unlocked and rooted with supersu but i wanted to install magisk and i installed twrp and tried sideloading magisk but it fails stating boot image already modified and advised flask stock boot, so which files do i need to flash and what are the fastboot commands to do so and i was also thinking about complete bl lock just to make it look like new phone and how do i do that, please direct me, thank you.

I think to update you'll need to:
A) Unroot your supersu.
B) Restore stock boot and restore your stock recovery with guide in OP and with the firmware files actually installed on your phone.
Then you could root oreo with magisk.

oslo83 said:
I think to update you'll need to:
A) Unroot your supersu.
B) Restore stock boot and restore your stock recovery with guide in OP and with the firmware files actually installed on your phone.
Then you could root oreo with magisk.
Click to expand...
Click to collapse
there lies my problem, i am trying to flash an updated stock firmware than the one that came with my phone, i have unrooted supersu and deleted supersu app and dont have root anymore confirmed by rootcheck apps, since my boot is already patched once magisk wont flash and advising me to flash stock boot image but i dont know which to flash as with oreo there seems to be different partitions and i dont know commands other than basic fastbbot commands to flash stuff.

ok so i was able to flash ramdisk, recovery and system and boot back to OS ( i have earlier erased system by mistake) and i have flashed system.img from updated firmware but version still shows old one, and i am trying to use funkyhuawei erecovery method to flash the updated firmware and when i boot to erecovery to update but the update button is missing and i just have rebbot, wipe date/fr and wipe cache, so what do i need to flash and commands for it in order to make erecovery work and i have update button enabled, thank you.

lingarajug said:
ok so i was able to flash ramdisk, recovery and system and boot back to OS ( i have earlier erased system by mistake) and i have flashed system.img from updated firmware but version still shows old one, and i am trying to use funkyhuawei erecovery method to flash the updated firmware and when i boot to erecovery to update but the update button is missing and i just have rebbot, wipe date/fr and wipe cache, so what do i need to flash and commands for it in order to make erecovery work and i have update button enabled, thank you.
Click to expand...
Click to collapse
If you can, use the HWOTA method instead. It's free and found: https://forum.xda-developers.com/mate-10/how-to/guide-mate-10-flash-oreo-update-package-t3716814
If you can't use HWOTA and have to use Funky:
You seem to be in normal Recovery. You should see a button that says 'Download latest firmware', the one you're describing is showing buttons that are in normal Recovery.
Are you booting using Usb plugged in + vol up + power?

For some reason my phone would only boot to revovery and not erecocery, anyway i used hisuite method and was able to flash new firmware. Thank you.

I've just unbricked my Mate 10 pro via this method. Thank you Sir.

Not sure if this is the right place but where can I find the original Huawei OS it was shipped with? I installed Lineage and want to go back to Factory.
I just want to .img file. I have only unlocked the bootloader not rooted the phone.
Lack of camera and other features means I need to get back.
Any ideas?

elviss0812345 said:
I've just unbricked my Mate 10 pro via this method. Thank you Sir.
Click to expand...
Click to collapse
You bricked your device because you don't know what you are doing,not because of this guide.Oh,and i thought KangRom was responsible for bricking you device....anyone else to blame ?

My phone was bricked because of Lineage OS, and i unbricked with this guide. Read my post first.
Pretoriano80 said:
You bricked your device because you don't know what you are doing,not because of this guide.Oh,and i thought KangRom was responsible for bricking you device....anyone else to blame ?
Click to expand...
Click to collapse

elviss0812345 said:
My phone was bricked because of Lineage OS, and i unbricked with this guide. Read my post first.
Click to expand...
Click to collapse
lol,i've read "bricked"... .I apologize for that!:good:

There is no way at least for the US version to find firmwares shipped with phone until now, i figured it out by connecting phone to hisuite on PC and it showed update available and i clicked update and waited until download part of update process completed and then i went to documents folder and hisuite and the app stores the download there and it will have 3 zip files, u can copy them to a different place because once the update completes those files are deleted. Might be the same for other models if supported by hisuite.

Here https://playstoreappinstall.com/play-store-for-huawei/ more info

@lingaraguj not already listed there :
http://pro-teammt.ru/firmware-database/?firmware_model=ALP
?

oslo83 said:
@lingaraguj not already listed there :
http://pro-teammt.ru/firmware-database/?firmware_model=ALP
?
Click to expand...
Click to collapse
US version firmware not listed, lots of international versions though.

can i flash everything in UPDATE.APP to go back to fully stock.
if i can what is the fastboot command for every one of them files like "fastboot flash ramdisk RAMDISK.img'?
ive mate 10 pro.

lex71 said:
Not sure if this is the right place but where can I find the original Huawei OS it was shipped with? I installed Lineage and want to go back to Factory.
I just want to .img file. I have only unlocked the bootloader not rooted the phone.
Lack of camera and other features means I need to get back.
Any ideas?
Click to expand...
Click to collapse
It should say your current firmware (besides Lineage) in Settings -> (System?) -> About.
dark3bod said:
can i flash everything in UPDATE.APP to go back to fully stock.
if i can what is the fastboot command for every one of them files like "fastboot flash ramdisk RAMDISK.img'?
ive mate 10 pro.
Click to expand...
Click to collapse
It's better to use:
https://forum.xda-developers.com/mate-10/how-to/guide-mate-10-flash-oreo-update-package-t3716814
I'm not sure if symlinks will be set up correctly if you flash images directly. And some partitions can't be flashed from fastboot (like the erecovery ones)

ante0 said:
It should say your current firmware (besides Lineage) in Settings -> (System?) -> About.
It's better to use:
https://forum.xda-developers.com/mate-10/how-to/guide-mate-10-flash-oreo-update-package-t3716814
I'm not sure if symlinks will be set up correctly if you flash images directly. And some partitions can't be flashed from fastboot (like the erecovery ones)
Click to expand...
Click to collapse
@ante0
This man is a legend.........
I would like to express my gratitude in you answering my pms and assisting to get the device up and running.
If ever am in Sweden:silly: ill definitely buy you beeeeeeeeeeeeeeeeeeeeeeers
Thanks for the patience and the help you bring to us noobs bricking these bloody Mate 9's

Im now on lineage os. I didnt flash twrp and magisk. Can i only flash stock system.img to get fully stock. Or i have to flash ramdisk and boot first before system.img