disassemble HTC bootloader - Windows Mobile Development and Hacking General

Hi there,
I am trying to get Linux running on a handheld which uses the HTC bootloader and it would be great if one of the gurus here could give me some hints about using IDA on the bootloader (to find out how buttons and USB are controlled).
The handheld is Dell Axim X50 (PXA270, big ASIC,some CPLD, beside that pretty standard)-for more hardware details take a look at: http://handhelds.org/moin/moin.cgi/DellAximX50
I already identified where the bootloader loads itself into RAM and configures and enables the MMU, I modified the available .idc script (for PXA2xx-regs) to show me nice synonymes instead of the raw register addresses. I traced a little bit through the code - but only seeing lots of operations on RAM addresses and very few (far too few IMO) and very general operations on processor registers doesn't help much. I expect that the register addresses are partly loaded from RAM instead of beeing hard coded.
So now to my question: is there a way to "copy" the into RAM loaded ROM parts in IDA? I mean so that IDA can actually find the data which is supposed to be in RAM right before MMU is enabled and that I can see references to the GPIO/ASIC/CPLD addresses and to the string data (which would greatly help in identifying the useful functions).
Thanks for any hints or advices!

pphoenixx said:
The handheld is Dell Axim X50 (PXA270, big ASIC,some CPLD, beside that pretty standard)-for more hardware details take a look at: http://handhelds.org/moin/moin.cgi/DellAximX50
Click to expand...
Click to collapse
Hi,
a lot of information can be obtained without any disassembling.
I'm curious, if have the "dump gpio" haret output somewhere ?

here you go:
http://www.bfamily.us/~richard/tmp/arm/gpio_map.xml
Code:
GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER
------------------+-------------------+-------------------+------------------
0 I 0 0 RE FE | 21 O 1 1 | 42 O 0 0 | 63 O 0 0
1 I 1 0 | 22 O 0 0 | 43 O 0 0 | 64 O 0 0
2 O 1 0 | 23 O 0 2 | 44 O 0 0 | 65 O 0 0
3 O 1 0 | 24 O 1 2 | 45 O 0 0 | 66 O 0 0
4 O 1 0 | 25 O 0 2 | 46 I 1 2 | 67 O 0 0
5 I 1 0 | 26 I 1 1 | 47 O 0 1 | 68 O 0 0
6 I 1 0 | 27 I 0 0 | 48 O 1 2 | 69 O 0 0
7 I 1 0 | 28 O 0 0 | 49 O 1 2 | 70 O 0 0
8 I 1 0 | 29 O 0 0 | 50 O 1 2 | 71 O 0 0
9 O 1 1 | 30 O 0 0 | 51 O 1 2 | 72 O 0 0
10 O 0 1 | 31 O 0 0 | 52 I 1 0 | 73 O 0 0
11 I 0 0 RE FE | 32 O 0 0 | 53 O 1 0 | 74 O 0 0
12 I 1 0 RE FE | 33 O 1 2 | 54 O 1 2 | 75 O 0 0
13 I 0 0 RE | 34 O 0 0 | 55 O 1 2 | 76 O 0 0
14 I 1 0 RE FE | 35 O 0 0 | 56 I 1 1 | 77 O 0 0
15 O 1 2 | 36 O 1 0 | 57 I 1 1 | 78 O 1 2
16 O 0 0 | 37 O 0 0 | 58 O 0 0 | 79 O 1 2
17 O 1 2 | 38 I 0 0 | 59 O 0 0 | 80 O 1 2
18 I 1 1 | 39 O 0 0 | 60 O 0 0 | 81 O 0 0
19 O 1 0 | 40 O 0 0 | 61 O 0 0 | 82 O 0 0
20 O 1 1 | 41 O 0 0 | 62 O 0 0 | 83 I 0 0 RE FE
There is already much accomplished - A 2.6.15-rc7 kernel boots without problem, working framebuffer and I can activate IRDA and use it for console.. everything directly connected to the PXA is no issue; the ASIC and CPLDs are my major problem right now - that's why I throw myself into disassembling.

pphoenixx said:
There is already much accomplished - A 2.6.15-rc7 kernel boots without problem, working framebuffer and I can activate IRDA and use it for console.. everything directly connected to the PXA is no issue; the ASIC and CPLDs are my major problem right now - that's why I throw myself into disassembling.
Click to expand...
Click to collapse
Ok. You are using PXA270 SDIO.
We are also moving forward, but have some problems with the framebuffer.
http://wiki.xda-developers.com/index.php?pagename=UniversalResearch
http://wiki.xda-developers.com/index.php?pagename=UniversalProgress
Do you know how the wifi chip is connected ? Is it on pcmcia ?
FYI, we have a weird CPLD too.

cr2 said:
Do you know how the wifi chip is connected ? Is it on pcmcia ?
FYI, we have a weird CPLD too.
Click to expand...
Click to collapse
well, looking at
Code:
HaRET(29)# pd 0x48000014 1
48000014 | 00000003 | ....
PC Card Is Present
This bit must be written by software when either PC Card is inserted into a
socket.
0 = No PC Card inserted
1 = PC Card inserted
0 R/W NOS
PC Card Interface Number of Sockets
0 = 1 socket
1 = 2 sockets
Click to expand...
Click to collapse
one could assume that at least something is sitting on pcmcia. and if I write a 0x0 in there - WIFI is suddenly gone while the device remains responsive (= hasn't crashed). So at least on the axim, I suppose it's on pcmcia.

pphoenixx said:
Code:
HaRET(29)# pd 0x48000014 1
48000014 | 00000003 | ....
Click to expand...
Click to collapse
The same here. But i can zero it while running over wlan.

Maybe you disabled something else and WIFI is connected via USB1.1 (try to disable USB)? or your WIFI chip is connected via socket 1 (which can't be disabled) - I tried to write a 0x1 in there (no PC CARD) and WIFI remained operational, it's only gone when I completly disabled socket2 (0x0).

It's pcmcia for sure on axim.
If you have the same driver, tiacxwln.dll Version: 2.0.53(NDIS)
Create an empty file: tiacxwln_testmode.txt and put it in your WINDOWS directory and soft-reboot -- on Axim, the driver looks for that file and if it exists the wifi hardware isn't claimed anymore (propably to easly test other drivers or launch special testmode drivers..). WinCE kicks in and recognizes an unknown networking device connected to PCMCIA socket 2.

pphoenixx said:
Create an empty file: tiacxwln_testmode.txt and put it in your WINDOWS directory and soft-reboot -- on Axim, the driver looks for that file and if it exists the wifi hardware isn't claimed anymore (propably to easly test other drivers or launch special testmode drivers..). WinCE kicks in and recognizes an unknown networking device connected to PCMCIA socket 2.
Click to expand...
Click to collapse
ACX100 is used by most PDAs through the PCMCIA (or SDIO) interface.
Unfortunately, the acx100.sf.net driver supports only pci and usb...
ACX100 could be partially initialized on HTC Blueangel, but it is not working yet.
-----
\Storage Card\tiacxwln_testmode.txt
\SD Card\tiacxwln_testmode.txt
\windows\tiacxwln_testmode.txt

Related

Did anyone try running haret on a smartphone?

I ran the latest version 0.36 on my Mio8390 which is using a PXA262 processor
running smartphone 2003.
When I started haret I've got an error message :
EXCEPTION reading coprocessor 15 register 0
twice.
And the detected cpu type is unknown
Anyway i could start the application and open a tcp port
Here is the result of dump cp(0) :
c00: ffffffd2 | c08: ffffffd2
c01: ffffffd2 | c09: ffffffd2
c02: ffffffd2 | c10: ffffffd2
c03: ffffffd2 | c11: ffffffd2
c04: ffffffd2 | c12: ffffffd2
c05: ffffffd2 | c13: ffffffd2
c06: ffffffd2 | c14: ffffffd2
c07: ffffffd2 | c15: ffffffd2
And here is the result of dump mmu:
----- Virtual address map -----
Descriptor flags legend:
C: Cacheable
B: Bufferable
0..3: Access Permissions (for up to 4 slices):
0: Supervisor mode Read
1: Supervisor mode Read/Write
2: User mode Read
3: User mode Read/Write
Error: EXCEPTION reading coprocessor 15 register 2
MMU 1st level descriptor table is at FFFFC000
Virtual | Physical | Descr | Description
address | address | flags |
----------+----------+---------+-----------------------------
Error: EXCEPTION CAUGHT AT MEGABYTE 0!
ffffffff | | | End of virtual address space
It seems that haret is having problem trying to read the CPU registeries,
what could be the problem?
So it means that I have to patch the source of haret before I can use it on a smartphone?
Or is it because of smartphone security policies? something about user-mode, kernel-mode in
wince?
I'm quite a nub but I think I have to know what to read first before I start reading books. Any info or help is appreciated.
aybabtu said:
I ran the latest version 0.36 on my Mio8390 which is using a PXA262 processor
running smartphone 2003.
When I started haret I've got an error message :
EXCEPTION reading coprocessor 15 register 0
...
Any info or help is appreciated.
Click to expand...
Click to collapse
You can try to add this code the the assembler file
and call the functions directly. Worked for
me with wince2.11, where i also had problems:
export |cp15_0|
|cp15_0| proc
mrc p15, 0, r0, c0, c0, 0
mov pc, lr
endp
export |cp15_2|
|cp15_2| proc
mrc p15, 0, r0, c2, c0, 0
mov pc, lr
endp
export |cp15_13|
|cp15_13| proc
mrc p15, 0, r0, c13, c0, 0
mov pc, lr
endp
aybabtu said:
I ran the latest version 0.36 on my Mio8390 which is using a PXA262 processor
running smartphone 2003.
Click to expand...
Click to collapse
Don't forget to post at least the 'dump gpio', FB address,
'dump mmu' and 'pd 0x41300004 4' here when
haret works
cr2 said:
... 'dump gpio', FB address,
'dump mmu' and 'pd 0x41300004 4'
Click to expand...
Click to collapse
Thank you for your help.
I signed the code with a privileged certification, then dump gpio and
physical address worked.
Code:
#dump gpio :
GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER
------------------+-------------------+-------------------+------------------
0 I 0 0 FE | 21 I 0 0 | 42 I 1 1 | 63 I 1 0 FE
1 I 0 0 RE FE | 22 O 1 0 | 43 O 1 2 | 64 O 1 0
2 I 0 0 RE | 23 O 0 0 | 44 I 1 1 | 65 O 1 0
3 I 0 0 RE FE | 24 O 0 0 | 45 O 1 2 | 66 O 1 0
4 I 0 0 RE | 25 O 0 0 | 46 I 1 2 | 67 I 1 0 FE
5 I 1 0 FE | 26 I 1 0 | 47 O 1 1 | 68 I 1 0
6 O 0 1 | 27 I 1 0 | 48 I 1 0 | 69 I 0 0
7 I 1 0 | 28 I 1 1 | 49 O 1 2 | 70 I 1 0
8 O 1 1 | 29 I 0 1 | 50 O 1 0 | 71 I 1 0
9 I 1 0 | 30 O 0 2 | 51 O 0 0 | 72 I 1 0 FE
10 I 1 0 FE | 31 O 0 2 | 52 I 1 0 | 73 O 1 0
11 I 1 0 | 32 I 1 0 | 53 I 1 0 | 74 O 0 0
12 I 1 0 RE FE | 33 O 1 2 | 54 O 0 0 | 75 O 1 0
13 I 0 0 RE FE | 34 I 1 1 | 55 O 1 0 | 76 O 0 0
14 I 0 0 RE FE | 35 I 0 1 | 56 O 0 0 | 77 O 0 0
15 O 1 2 | 36 I 0 0 | 57 I 1 0 | 78 O 1 2
16 I 1 0 | 37 I 0 1 | 58 O 0 0 | 79 I 1 2
17 O 1 2 | 38 I 0 0 | 59 O 0 0 | 80 O 1 2
18 I 1 1 | 39 O 1 2 | 60 O 1 0 | 81 I 1 1
19 O 1 0 | 40 O 0 0 | 61 O 1 0 | 82 O 1 1
20 O 1 0 | 41 O 0 0 | 62 O 1 0 | 83 I 1 2
#pd 0x41300004 4 :
41300004 | 00017bef | .{..
(What is so special about these four bytes?)
Then I tried to apply your code, but i don't know where should I call those fumctions, I tried calling them right before cpuDetect() or put it inside cpu-pxa.cpp and call them before cpuGetCP(), same effect.
The error message box doesn't show up but there is no message in the wince side console (detected cpu type),
then the same exception show up when I telnet it and when I dump any cp other then cp0.
phrack #63 - Hacking Windows CE said:
...
; SetProcessorMode.s
AREA |.text|, CODE, ARM
EXPORT |SetProcessorMode|
|SetProcessorMode| PROC
mov r1, lr ; different modes use different lr - save it
msr cpsr_c, r0 ; assign control bits of CPSR
mov pc, r1 ; return
END
...
Most of Pocket PC ROMs were builded with Enable Full Kernel Mode option, so all applications appear to run in kernel mode. The first 5 bits of the Psr register is 0x1F when debugging, that means the ARM processor runs in system mode. This value defined in nkarm.h:
// ARM processor modes
#define USER_MODE 0x10 // 0b10000
#define FIQ_MODE 0x11 // 0b10001
#define IRQ_MODE 0x12 // 0b10010
#define SVC_MODE 0x13 // 0b10011
#define ABORT_MODE 0x17 // 0b10111
#define UNDEF_MODE 0x1b // 0b11011
#define SYSTEM_MODE 0x1f // 0b11111
...
Click to expand...
Click to collapse
I guess smartphone is a little bit different from pocketpc?
Oh, btw I have to specify the address 0x81a00000 when I dumped the
rom using itsme's pmemdump, so it means that 0x81a00000 is mapped to 0x0?
I'd better start reading the ARM reference manual.
aybabtu said:
(What is so special about these four bytes?)
Click to expand...
Click to collapse
This is a ClocKENable (CKEN) register, so you have:
LCD,I2C,ICP,MMC,USB,NSSP,I2S,BTUART,FFUART,STUART,
SSP,AC97,PWM1,PWM0
enabled.
Then I tried to apply your code, but i don't know where should I call those fumctions
Click to expand...
Click to collapse
Add them to the wince/asmstuff.asm file,
and modify the cpuGetCP function in
wince/s-cpu.cpp to
Code:
uint32 cpuGetCP (uint cp, uint regno)
{
uint32 result=0xffffffff;
int ok=0;
if (cp > 15)
return 0xffffffff;
if (cp==15)
{
ok=1;
SetKMode (TRUE);
cli ();
switch (regno)
{
case 0:
result=cp15_0();
break;
case 2:
result=cp15_2();
break;
case 13:
result=cp15_13();
break;
default:
ok=0;
break;
}
sti ();
SetKMode (FALSE);
}
if (!ok) Output (L"Invalid register read cp=%d regno=%d\n",cp,regno);
return result;
uint32 value;
selfmod [0] = 0xee100010 | (cp << 8) | (regno << 16);
if (!FlushSelfMod ("read"))
return 0xffffffff;
__try
{
value = ((uint32 (*) ())&selfmod) ();
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
Complain (C_ERROR ("EXCEPTION reading coprocessor %d register %d"), cp, regno);
value = 0xffffffff;
}
return value;
Oh, btw I have to specify the address 0x81a00000 when I dumped the
rom using itsme's pmemdump, so it means that 0x81a00000 is mapped to 0x0?
Click to expand...
Click to collapse
Maybe, but how did you come to using this address ?
The 'dump gpio' shows that the phone is not using the
builtin LCD pins. Then there must be a
video chipset in the phone. Interesting,
because even HTC is saving money on that.
I tried adding SetKMode to the original function, it worked without
calling your functions.
would there be any possible problem?
Maybe, but how did you come to using this address ?
Click to expand...
Click to collapse
Well I got a leaked dump out rom and tried to extract it with itsme's tool.
and i got something similar to these:
Code:
img 00000000 : hdr=81d5352c base=81a00000 commandlineoffset=81a00000
img 00640000 : hdr=82c40878 base=81a00000 commandlineoffset=81a00000
img 01300000 : hdr=82d02dd8 base=81a00000 commandlineoffset=81a00000
img 01380000 : hdr=8356d204 base=81a00000 commandlineoffset=81a00000
there must be a video chipset in the phone
Click to expand...
Click to collapse
There is a MediaQ MQ2100-JBE chipset inside, i'll look for info for this chipset later. And yes this phone is interesting, low price for it's high specification compared to other same generation phones but crappy customer service .
I'll post the result of dump mmu to the point it crash a little bit later.
aybabtu said:
I tried adding SetKMode to the original function, it worked without
calling your functions.
would there be any possible problem?
Click to expand...
Click to collapse
Unlikely.
Well I got a leaked dump
Click to expand...
Click to collapse
Then you can just lookup the static remapping
table.
There is a MediaQ MQ2100-JBE chipset inside, i'll look for info for this chipset later.
Click to expand...
Click to collapse
The datasheet is available here
www.handhelds.org/platforms/hp/ipaq-h22xx/mq-lcd-interface-appnote.pdf
And the mapping table dumped out using itsme's pmemmap:
Code:
v81a00000-83a00000 -> p00000000-02000000
v86000000-86100000 -> pe0000000-e0100000
v86100000-86200000 -> p48000000-48100000
v86200000-88200000 -> p40000000-42000000
v8c000000-8e000000 -> pa0000000-a2000000
v9a300000-9a400000 -> p04000000-04100000
v9c300000-9c400000 -> p08000000-08100000
v9f600000-9f700000 -> p0c000000-0c100000
v9f800000-9f900000 -> p14000000-14100000
Dumped it out and i can only tell that the first 32MB is my rom data.
And many info you gave me which I don't fully understand, guess I have to
read much more before I can thtink about running linux on this phone,
at least I know what to read now.
On a side note, it jumps to 1000h at the beginning of the rom likes the others
wince devices, but starting from 1000h, the content matches the dumped out
NK.exe kernel without the PE header(?).
Wasn't there supposed to be a 256K bootloader?
And at the end of the rom, there are 2 copies of 256K code, in which I found
strings of the bootloader in it, and the second copy is 1 byte different from
the first one, 1:0x00 2:0x01, in the middle of the code.
I'm not sure these are Mitac only layout, just put it here in case anyone
knows.
Oh and there is a Atmel MEGA16L-8MI Microcontroller inside,
don't know what it exactly does but I found strings related to this
in the 'bootloader portion'.
aybabtu said:
And the mapping table dumped out using itsme's pmemmap:
Click to expand...
Click to collapse
v81a00000-83a00000 -> p00000000-02000000
32MB ROM
v86000000-86100000 -> pe0000000-e0100000
Weird.
v86100000-86200000 -> p48000000-48100000
PXA26x Memory Controller
v86200000-88200000 -> p40000000-42000000
PXA26x Peripherals
v8c000000-8e000000 -> pa0000000-a2000000
32MB SDRAM
v9a300000-9a400000 -> p04000000-04100000
v9c300000-9c400000 -> p08000000-08100000
v9f600000-9f700000 -> p0c000000-0c100000
v9f800000-9f900000 -> p14000000-14100000
mmaped devices.
And many info you gave me which I don't fully understand, guess I have to
read much more before I can thtink about running linux on this phone
Click to expand...
Click to collapse
You can also dump/decode the registry and identify the
use of the serial ports.
Your GPIO table suggests that the PXA MMC
controller is used.
Looks good
aybabtu said:
Oh and there is a Atmel MEGA16L-8MI Microcontroller inside,
don't know what it exactly does but I found strings related to this
in the 'bootloader portion'.
Click to expand...
Click to collapse
Battery monitoring or something like that,
maybe keyboard controller.
aybabtu said:
On a side note, it jumps to 1000h at the beginning of the rom likes the others
wince devices, but starting from 1000h, the content matches the dumped out
NK.exe kernel without the PE header(?).
Wasn't there supposed to be a 256K bootloader?
Click to expand...
Click to collapse
Not all wince devices have a bootloader,
wince2.11 and wince2005 un universal for example.
You can also look with 'strings -el' for
other useful strings.
v86000000-86100000 -> pe0000000-e0100000
Weird.
Click to expand...
Click to collapse
Seems to be that 16MB PXA26X NAND Flash ROM
aybabtu said:
v86000000-86100000 -> pe0000000-e0100000
Weird.
Click to expand...
Click to collapse
Seems to be that 16MB PXA26X NAND Flash ROM
Click to expand...
Click to collapse
Built-in ? BTW, does this device support SD cards or only MMC ?
Built-in ? BTW, does this device support SD cards or only MMC ?
Click to expand...
Click to collapse
Built-in, It should be the M-System DiskOnChip MD3831-D16-V3Q18-T inside.
Support both.
And this phone does not support bluetooth, but the clock to BTUART is
enabled :?:
aybabtu said:
And this phone does not support bluetooth, but the clock to BTUART is
enabled :?:
Click to expand...
Click to collapse
It is a normal UART, not blue at all , Himalaya
uses it for the serial cable.
That's not exactly the datasheet of
mq2100...
archive.org show that this was available
for downloads.. oh well
Put the list of all components and the known
information to wiki. That can help other people.

Linux on the Wizard

Hi.
Has anyone tried to make linux/familiar boot on the Wizard yet?
Any luck?
mind said:
Hi.
Has anyone tried to make linux/familiar boot on the Wizard yet?
Any luck?
Click to expand...
Click to collapse
Oh this looks interesting. What could you do with a linux boot?
mind said:
Has anyone tried to make linux/familiar boot on the Wizard yet?
Click to expand...
Click to collapse
Have you tried to run haret ?
If it works, can you post the
framebuffer address and 'dump mmu' here ?
It might take a bit longer for anything like this to appear, but it would be interesting when it does.
I haven't tried it. The reason for my question was that I'm going to do some development work for Opie (opie.handhelds.org), and need a machine that boots and runs familiar to test stuff. And I would like to get me a wizard
Familiar has a list of machines tested on familiar ( booting or not ). But only Wallaby (XDA), Himalaya (XDA II), Blueangel (XDA III) and Universal (MDA Pro) are listed.
So if anyone in this forum wich has a wizard and would like to try out linux/opie on it; please let me know if it boots!!!
There are a lot of advantages having linux on you're XDA instead of windows mobile. The most obvious being that if you're stuck in some corner ( lets say mp3 audio over bt isn't working ), you could always do some work on the ( BlueZ ) code you're self to try to fix the problem. Also there's alot of cool software available that you don't have on WM.
And oh, you're free
Best regards,
mind said:
Familiar has a list of machines tested on familiar ( booting or not ). But only Wallaby (XDA), Himalaya (XDA II), Blueangel (XDA III) and Universal (MDA Pro) are listed.
Click to expand...
Click to collapse
The only machine where Linux WORKS right now
is Blueangel (with GPE, never seen reports about opie). Himalaya, Universal and Magician need some work. Alpine should work with some
effort too.
Wallaby is not really working (no SD) because
nobody is interested in writing this driver.
Power management (i.e. suspend) is missing now.
So if anyone in this forum wich has a wizard and would like to try out linux/opie on it; please let me know if it boots!!!
Click to expand...
Click to collapse
To run opie, you need a running kernel, which does not exist. To write the kernel it is necessary to run 'haret'. So, the first step
is to try 'haret' !
To run opie, you need a running kernel, which does not exist. To write the kernel it is necessary to run 'haret'. So, the first step
is to try 'haret' !
Click to expand...
Click to collapse
Just tried it. Haret starts, but prints out the message "Exception reading coprocessor 15 register .." I can connect to Haret on port 9999 and can issue some commands like "dump mmu" but there's not much info there...:
Code:
descriptor flags legend:
C: Cacheable
B: Bufferable
0..3: Access Permissions (for up to 4 slices):
0: Supervisor mode Read
1: Supervisor mode Read/Write
2: User mode Read
3: User mode Read/Write
Error: EXCEPTION reading coprocessor 15 register 2
MMU 1st level descriptor table is at FFFFC000
Virtual | Physical | Descr | Description
address | address | flags |
----------+----------+---------+-----------------------------
00000000 | | | UNMAPPED
ffffffff | | | End of virtual address sp
richardt007 said:
Haret starts, but prints out the message "Exception reading coprocessor 15 register .." I can connect to Haret on port 9999 and can issue some commands like "dump mmu" but there's not much info there...:
Click to expand...
Click to collapse
Then you need to sign haret with the "priviledged certificate". Read more here:
http://forum.xda-developers.com/viewtopic.php?t=30399&start=0
Can you tell me how to do that in a little more detail than what's described in the thread? I managed to compile the latest haret.exe using wine and the msvc package. Do I need to alter the asm-files (and which one?) with the code-snippet in that thread or is it a little more complicated than that? Would like to contribute though...
richardt007 said:
Can you tell me how to do that in a little more detail than what's described in the thread?
Click to expand...
Click to collapse
No, it seems that you don't need to change anything, only to sign the executable.
Don't ask me how, i don't know exactly
I've tried makecert.exe with wine-0.9.1 and
it works. You should look into the archives
on this site or read the microsoft documentation.
cr2 said:
Don't ask me how, i don't know exactly
Click to expand...
Click to collapse
There is an explanation now at the end of this
thread.
I managed to get some output from haret, although don't know the validity of the output.
1. I had to modify the asmstuff.asm to include the cp_0, cp_2 and cp_13 calls in order to get rid of the exception ( GetLastError returned 120=ERROR_CALL_NOT_IMPLEMENTED)
2. Called the cp_2 from _cpu_get_cp.
3. Signed the executable using signcode.exe from the Smartphone 2003 SDK (have no clue if this was needed at all)
Here is some output from the output, can somebody help out to interpret it?
Code:
HaRET(3)# dump gpio
GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER
------------------+-------------------+-------------------+------------------
0 O 1 0 | 21 I 0 0 | 42 O 0 0 | 63 O 0 2
1 O 0 0 | 22 I 0 0 | 43 I 0 0 | 64 I 0 0
2 I 1 0 | 23 I 0 0 | 44 I 0 0 | 65 I 0 2 FE
3 I 0 0 | 24 I 0 0 | 45 I 0 0 | 66 I 0 3
4 I 0 0 | 25 I 0 0 | 46 I 0 0 | 67 I 0 3
5 I 0 0 | 26 I 0 0 | 47 O 0 0 | 68 I 0 3
6 I 0 0 | 27 I 0 0 | 48 I 0 0 | 69 I 0 1
7 I 0 0 | 28 I 0 0 | 49 I 0 2 | 70 I 0 0
8 I 0 0 | 29 I 0 0 | 50 I 0 3 | 71 I 0 2
9 I 0 0 | 30 I 0 0 | 51 O 0 3 | 72 I 0 0
10 I 0 0 | 31 I 0 0 | 52 O 0 3 | 73 I 0 2
11 I 0 0 | 32 I 0 0 FE | 53 O 0 1 | 74 I 0 3
12 I 0 0 | 33 I 1 0 | 54 O 0 0 | 75 I 0 3
13 I 0 0 | 34 I 0 0 FE | 55 O 0 2 | 76 I 0 3
14 I 0 0 | 35 O 0 0 | 56 O 0 0 | 77 I 0 1
15 I 0 0 | 36 O 0 0 | 57 O 0 2 | 78 I 0 0
16 I 0 3 | 37 O 0 0 | 58 O 0 3 | 79 I 0 2
17 I 0 3 | 38 O 0 0 | 59 I 0 3 | 80 I 0 0
18 I 0 3 | 39 O 0 0 | 60 I 0 3 | 81 I 0 2
19 I 0 1 | 40 O 0 0 | 61 I 0 1 | 82 I 0 3
20 I 0 0 | 41 O 0 0 | 62 I 0 0 | 83 I 0 3
Code:
HaRET(2)# print "%x" VRAM
20001020
Dump mmu gives a lot of lines, have no idea what the most relevant part of it is, so here a snippet:
Code:
HaRET(7)# dump mmu
----- Virtual address map -----
Descriptor flags legend:
C: Cacheable
B: Bufferable
0..3: Access Permissions (for up to 4 slices):
0: Supervisor mode Read
1: Supervisor mode Read/Write
2: User mode Read
3: User mode Read/Write
MMU 1st level descriptor table is at 10360000
Virtual | Physical | Descr | Description
address | address | flags |
----------+----------+---------+-----------------------------
00000000 | | | UNMAPPED
02000000 | | | UNMAPPED
02101000 | 10463000 | CB0000 | Small page (4K)
...
...
29fff000 | 12b4b000 | CB3 | Small page (4K)
2a000000 | | | UNMAPPED
Then it stops, with the progress bar somewhere at 40%. had to give it a soft reset. So what's the next step...?
richardt007 said:
I managed to get some output from haret, although don't know the validity of the output.
Here is some output from the output, can somebody help out to interpret it?
Click to expand...
Click to collapse
I have looked in the docs, wizard has TI OMAP processor, and haret 'gpio' knows only about
PXA. So , this table is probably useless.
Code:
HaRET(2)# print "%x" VRAM
20001020
From omap730.h:
#define OMAP730_SRAM_START 0x20000000
So your VRAM is in the OMAP built-in SRAM.
Code:
HaRET(7)# dump mmu
MMU 1st level descriptor table is at 10360000
Your RAM starts at 0x10000000.
At least 4MB for the kernel & stuff.
Code:
Virtual | Physical | Descr | Description
address | address | flags |
----------+----------+---------+-----------------------------
02101000 | 10463000 | CB0000 | Small page (4K)
The page in RAM mapped for some system purposes.
Then it stops, with the progress bar somewhere at 40%. had to give it a soft reset.
Click to expand...
Click to collapse
It's normal, "dump mmu" in haret is buggy
So what's the next step...?
Click to expand...
Click to collapse
It is interesting to find out where is your ROM mapped.
You can also sign the itsutils and try to dump the memory with these tools.
Read the linux-omap documentation and code
and dump the OMAP registers. You can also
try to find out from the wince dlls what other
chips are used in this phone.
You can also sign the itsutils and try to dump the memory with these tools.
Click to expand...
Click to collapse
Signing itsutils was not enough unfortunately, as I had to change the security policy (policy ID=4097) from 1 to 2 to allow RAPI calls.
(see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnppcgen/html/wmdeploy.asp)
After that, itsutils ran like a charm:
Code:
c:\src\itsutils\build>pmemmap
v82000000-83000000 -> p00000000-01000000
v8a000000-8a400000 -> p13c00000-14000000
v8c000000-8fc00000 -> p10000000-13c00000
v90000000-90100000 -> p20000000-20100000
v98000000-98100000 -> pfff00000-00000000 (huh?)
v98100000-98200000 -> p04000000-04100000
v98400000-98500000 -> p06000000-06100000
v98500000-98600000 -> p40000000-40100000
A simple process list, 'pps -t' showed _alot_ of .dll's being used (mainly by device.exe, naturally)
Code:
c:\src\itsutils\build>pps
handle n base kern user heap exe
0ddf5fba 5 20000000 0.0 8.2 0 rapiclnt -drndis_peer
0dfb5706 2 0e000000 0.0 0.0 0 elatepushservice.exe
0dfdf8ce 11 1a000000 0.0 0.5 0 repllog.exe /sched /remote /h
0e0f03ba 2 10000000 0.0 0.0 0 sddaemon.exe
0fbb4002 2 c2000000 0.0 0.0 0 NK.EXE
2e0a2402 8 14000000 0.0 0.0 0 srvtrust.exe 80
4de65d06 10 18000000 0.0 0.0 0 cprog.exe -n
4e3767c2 10 08000000 0.0 2.1 0 shell32.exe 50
6fba4bfa 12 04000000 0.0 37.8 0 filesys.exe
8dfb56e2 2 1c000000 0.0 0.0 0 PowerTray.exe
8e91ce1a 107 06000000 0.0 1.8 0 device.exe 20
adf78e9e 1 1e000000 0.0 0.0 0 WiFiTray.exe
ae0b6dc2 11 12000000 0.0 0.0 0 connmgr.exe 70
ae54049a 15 0a000000 0.0 0.0 0 gwes.exe 30
ce376c4a 20 0c000000 0.0 0.0 0 services.exe 60
edc4dd32 9 22000000 0.0 0.0 0 tmail.exe -RunInBKG
ee040e02 1 16000000 0.0 0.0 0 poutlook.exe
0 ........ 0.0 50.4 0 total
The list of partitions is completely unclear to me:
Code:
c:\src\itsutils\build>pdocread -l
57.00M TrueFFS
| 3.06M Part00
| 2.88M Part01
| 51.06M Part02
48.23M TrueFFS
| 3.06M Part00
| 2.88M Part01
| 51.06M Part02
10.00M TRUEFFS
| 3.06M Part00
| 2.88M Part01
| 51.06M Part02
483.88M DSK1:
| 483.70M Part00
STRG handles: afb7d5fe
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
(483.70M) ce9ec2da
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 10.00M) 0eae8ede
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 48.23M) 0fb2bf42
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 fe 04 01 02 1c 32 08 ee 0d 07 05 4d
( 51.06M) efb2bd82
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 fe 04 01 02 1c 32 08 ee 0d 07 05 4d
( 2.88M) cfb2bd5e
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 fe 04 01 02 1c 32 08 ee 0d 07 05 4d
( 3.06M)
This machine has 128Mb of ROM, is there anyway I can read this using itsutils? pmemdump can successfully read only after 0x82000000 and prints out "Attempt to access invalid address"...
I dumped the first 16Megs after 0x82000000 and there's all kind of garbage, same like on the maui device. (marxx printed the first 8192 bytes in the above thread). Unfortunately, arm-wince-pe-objdump says "File format not recognized" on both dumps... What am I missing here?
richardt007 said:
arm-wince-pe-objdump says "File format not recognized" on both dumps... What am I missing here?
Click to expand...
Click to collapse
arm-wince-pe-objdump expects a PE binary, so
it is necessary to tell it that we have a raw binary dump.
arm-wince-pe-objdump -D -b binary -m arm dump.file
I have found this information about Linux
on HTC Typhoon:
http://vivien.chappelier.free.fr/typhoon/index.html
I was going to recomend a kernel built with omap 730 support, since the 850 seems to just be a 730 with edge. TI's site isn't to informational about the other circuits built into the omap850, or 730.
I have not been able to get the bootloader thing to do a single useful thing. I only get the tricolored screen. When pluged into the usb I get it saying usb in the corner. I set my mini sd up for the omap 730 image off the above site, but no dice.
My phone is the wiza 100 I beleive (cingular 8125).
YAY! PROGRESS! i will join you guys, when i find out more about how memory is organised. TI supports linux on the omap, maybe if we asked... :/
I never have any luck with the installing the damn toolchains, they never come with any instructions, or limited instructions. But I think I may have it. I nticed a lot of you are better coders and embedded developers than I I hope to learn a lot from you. Also, if there are any tutorials you can provide links to to help me learn, that would be perfect.

[Q] Phone keeps waking up - TyphooN CyanogenMod 7 vs. HyperDroidGBX-v12

I've gone from Typhoon CyanogenMod to HyperDroidGBX-v12 and it seems that Hyperdroid keeps connecting to wifi in intervals and waking up the phone which has taken a lot more battery over night than CyanogenMod did. I love the speed of Hyperdroid so I was wondering if there is anything I can do?
When I switched the phone on using Cyanogen I saw him switch off the mobile data connection and switch on wifi. Hyperdroid doesn't seem to manage it like that. Can I customize this?
edit: I found the option under wireless to switch if off when the phone is asleep but I don't think he's doing as he's told (my phone is male, in case you're wondering)...
I've attached a screen of my phone over night with HyperDroid. It kept waking up without the screen being on. I assume that's the root of all evil...
The only app that syncs on my phone atm is the GMail app, no facebook or others.
Any suggestions?
Thanks
edit:
I've searched some more and there were people who's wireless went to sleep when they didn't want it to, the opposite of my problem. I've done a clean install of HyperDroid again and the problem persists, at least the wireless not switching off. Since that worked with CyanogenMod I assume that's the root cause. I'm surprised this hasn't picked up on before, assuming other people have the same problem.
I guess I'd like to know if there are any simple file swaps I can perform like changing drivers between the two mods?
editv2:
Wireless seems to at least switch off now. I tried killing inactive apps. I'll see what happens from here.
Usually it's apps polling for updates.
This includes Facebook, Twitter etc. Are you using Google Latitude? That can wake the device every few minutes.
To check for wakelocks
Code:
cat /proc/wakelocks
It happened again last night that the phone appears awake for quite some time. I've got the wakelocks (which I don't know how to interpret). I'll post them and a screenshot of battery. I'm hoping to either hear a solution or that it's normal.
It seems like he had a much more quiet night tonight. I wish I had paid more attention to it while using Cyanogen. I've installed the battery current widget so that should be interesting as well.
Cheers.
Code:
name count expire_count wake_count active_since total_time sleep_time max_time last_cha
nge
"alarm" 957 0 0 0 23959014779 21546905463 384429936 9723528995498
"wlan_wake" 19027 0 49 0 86119018687 44324798717 1083984373 9683300205212
"main" 17 0 0 0 7736565871862 0 5511280593319 9680620426163
"event4-252" 34973 0 0 0 3475555677 0 6408692 9680155307754
"msmfb_idle_lock" 54032 0 0 0 4743530364 0 278686529 9680154453261
"ds2746-battery" 667 0 0 0 9070099039 8503753803 39886474 9679912631970
"alarm_rtc" 562 8 0 0 63026972383 63025843229 1034118654 8779276859239
"KeyEvents" 35993 0 0 0 4014678958 84869382 86914061 9679667270643
"event3-252" 216 0 0 0 124999996 73455813 16967773 9679666141493
"gpio_input" 52 0 9 0 528106698 122161869 10437012 9679665958387
"event5-252" 284 0 0 0 16235353 0 762939 9675881534557
"usb_mass_storage" 1 0 0 0 229509429930 0 229509429930 9228090579970
"power-supply" 135 0 0 0 70007320 41687016 2685547 9673667392715
"power-supply" 7 0 0 0 6774905 3875733 2532958 9673667209609
"power-supply" 7 0 0 0 10894774 2655028 5859375 9673667087539
"wlan_rx_wake" 1078 1078 0 0 1729369137961 185800921021 21577879641 9670940219862
"qmi" 17 17 0 0 8471907985 1995538327 509357909 9670940189344
"SMD_DATA5" 563 563 120 0 491717996183 412869000741 9329598383 9670940189344
"event0-252" 35776 0 0 0 2916259736 0 3112793 9603342624641
"gpio_kp" 83 0 2 0 14742034892 22491454 1275268561 9585008335097
"AudioHardwareQSDOut" 16 0 0 0 94738861105 704864502 20176086427 8977790592174
"audio_pcm_suspend" 14 0 0 0 211352722187 422058099 35328094487 8977790500621
"audio_pcm_idle" 14 0 0 0 211352630634 0 35328094487 8977790500621
"SMD_RPCCALL" 7382 0 555 0 636077998 468994259 26184081 8977783267956
"rpc_read" 214 0 0 0 6530761 457767 1831054 8977783237438
"ApmCommandThread" 56 0 0 0 1433898924 0 895629880 8825111423477
"radio-interface" 38 0 0 0 41765899679 4004455570 1961944580 8786906162243
"rpc_read" 4429 0 0 0 192779566 184631377 244141 8779275638536
"rpc-interface" 537 0 0 0 889831583 863678015 41290284 8239455598513
"rpc_read" 535 0 0 0 1028228754 170288083 348480225 8239453920046
"AudioHardwareQSDIn" 9 0 0 0 147654846199 0 32158020026 7760196196386
"proximity" 1 1 0 0 3892520753 0 3892520753 5763470148164
"event1-252" 8 0 0 0 274658 0 91552 5734318414763
"mmc_delayed_work" 3 2 0 0 13576922628 0 8541424561 5511892785725
"msm_camera" 2 0 0 0 12680633542 0 10539916988 5504792504962
"msm_camera_wake" 2 0 0 0 12680633542 0 10539916988 5504792504962
"s5k3e2fx" 2 0 0 0 12293823244 0 10387512209 5504791894611
"flashlight" 1 0 0 0 116271973 0 116271973 5472884484944
"rpc_read" 2 0 0 0 70556639 0 41900634 56937371906
"event2-252" 0 0 0 0 0 0 0 0
"SMD_DATA7" 0 0 0 0 0 0 0 0
"SMD_DATA6" 0 0 0 0 0 0 0 0
"port_list" 0 0 0 0 0 0 0 0
"vbus_present" 0 0 0 0 0 0 0 0
"msm_serial_hs_dma" 0 0 0 0 0 0 0 0
"msm_serial_hs_rx" 0 0 0 0 0 0 0 0
"audiojack" 0 0 0 0 0 0 0 0
"headset" 0 0 0 0 0 0 0 0
"microp_i2c_present" 0 0 0 0 0 0 0 0
"rpc_server" 0 0 0 0 0 0 0 0
"rpc_read" 0 0 0 0 0 0 0 0
"vdec_suspend" 0 0 0 0 0 0 0 0
"vdec_idle" 0 0 0 0 0 0 0 0
"i2c" 0 0 0 0 0 0 0 0
"unknown_wakeups" 0 0 0 0 0 0 0 0
"deleted_wake_locks" 193 0 0 0 117065426 0 32287599 0
"kgsl" 2981 0 0 1068695066 4845796179890 688535376655 128397308351 9725263797740
"PowerManagerService" 1061 0 0 52465057371 7525105867782 1338152315208 5239685516362 96738674
65953
"vbus_present" 2 1 0 740221282954 5984945089112 108139678944 5244723806158 8986111270887
"SMD_DS" 176 176 0 0 103807277355 31379227646 1803994144 9680271884899
#

Unofficial cyanogenmod7.2.0 rc for malata t8 mcc nvflash mode with sod fixed

[only mcc models
First flash ota 20110524 to return at original cwm and do wipe data and wipe partion cache
This will make clean instalation
unrar archivehttp://www.mediafire.com/?adu3kmqhxkb8hfi
run nv flash
go recovery
format system
wipe dalvik cache
mount usb
copy update
copy gapps
copy kernel
flash them with same way
done
lcd density at 120
Stable with pershoot tweaks preload
Major bug have been fixed
Sound improved with beats audio
external sdcard fixed
Sleep fixed
Hd video and mkv video format playable with external. Player like mx video
System improved with init.d tweks
new theme ics
camera work with skype
bravia engine drivers added
set 775 permission system/etc/be photo
set 775 permission system/etc/be movie
Kill app via long press choice will help you
To my daughter Jan
malata t8 unofficial cyanogenmod 7.2.0 RC nvflash mode for mcc device
congratulation goes whyberg for that wonderfull work
Click to expand...
Click to collapse
Click to expand...
Click to collapse
Use at your own risk its not my responsibility if brick your device
download firmware
http://www.mediafire.com/?p66bpjp1qeug6vs
download latest gapps
http://www.mediafire.com/?zglnipcv34kdt49
Click to expand...
Click to collapse
unpacks the archive
includes device "-" + "power" (APX mode)
running the batch file download [1GB | 512MB]
after the device goes into overdrive long press power off
includes device "+" + "power" (recovery mode)
now you must input and export usb cable in & out with usb mount from recovery mode until computer regognize your tablet as storage
copy the update zip and gapps zip into
pour through recovery archive with firmware update-cm-7.2.0-RC0-smb_a9701-KANG-signed.zip & and latest gapps on SDCARD
set after "install from SDcard" both before reboot
Click to expand...
Click to collapse
libcamera.so.ziphttp://forum.xda-developers.com/attachment.php?attachmentid=896892&d=1328950465
Installetion via ADB
1. unzip libcamera.so.zip
2. adb remount
3. adb push libcamera.so /system/lib/libcamera.so
Manual
With root explorer paste libcamera.so into
System/lib and give read write permission as the other
Before reboot
Via recovery(libcamera.so-update.zip)http://forum.xda-developers.com/attachment.php?attachmentid=896903&d=1328951238
Skype 2.6.0.95 version worked!!!
Gtalk video not! but in`s not a camera problem...
Click to expand...
Click to collapse
not working
video accelerator
as all gtablet must install externall video code
like
mxvideo apk
Click to expand...
Click to collapse
Best flash player with this rom is 10.3
Working you tube like a charm
New google play without errors
http://i.minus.com/1331477283/iiYu2AW7DQxVWHgoI7qIbA/dJCxyuh2eNq0W.apk
Click to expand...
Click to collapse
you must be carefull
do not partion sd
do not fix permission
it may brick
enjoy
Click to expand...
Click to collapse
confirmed working!!!!!!!
Thanks geowolf........ youre the man
I'd go as far as to say.... Best Malata zpad t8 rom I've found and was easy to install (as per instructions above you need to install zip files BEFORE first boot)
Shame about no camera. Does anyone know of a fix?
I'm off to 4pda. ru to check for updates
camera fix found
hXXp://cyanogenmod.googlecode.com/issues/attachment?aid=44480005000&name=CM07CameraFix.zip&token=HIEuD7abnRfewkHvEaa8YkZSjZg%3A1328138144361
just copy .so files over /system/lib using root explorer and set permissions same as other files
reboot
install included camera.apk if needed
Happy days
Anything for us poor mcb owners?
Hello,
I have an evolio neura tablet, which I understand is the romanian version of malata zpad t8, how do I know which serial I have, because as for as I understand there are two types of models MCB and MCC.
-also because I am new to the android family can someone explain step by step how to upgrade the rom?
Thanks
cociuba said:
Hello,
I have an evolio neura tablet, which I understand is the romanian version of malata zpad t8, how do I know which serial I have, because as for as I understand there are two types of models MCB and MCC.
-also because I am new to the android family can someone explain step by step how to upgrade the rom?
Thanks
Click to expand...
Click to collapse
Hello
There three models mca. Which doesn't use interval memory and was the easy way to upgrade any ron
Mcb its little confuse what type of nand type are use in previous update of official firmware was problem to install mcc nand type sound errors and. Not compatible firmsware
Only if know what type of you use proceed to this
and mcc with interval memory the things are very dangerous .this nvflash regognize your interval memory as SD card and sdcatd turns as emcc folder
Ihave test it to emmc models.
Under the tap of sim card has the type of memory that you use
Open the tap. And has a specification note with numbers
Something like that ( emmc34567886)
i cant find the serial under the gsm tap, is there another posibility of finding it?
cociuba said:
i cant find the serial under the gsm tap, is there another posibility of finding it?
Click to expand...
Click to collapse
At settings
About option
Give a report
Hi geowolf,
Many thanks for what you're doing.
I also have an evolio neura - malata zpad t8 rebranded.
In the "about tablet" option I only have:
Model number - Evopad
Android version - 2.2
Baseband version - R2A11
Kernel version - 2.6.32.0-00252-gf1df521-dirty [email protected] #5
Build number - 20110712_EW
Hope it helps.
Also do you think that we could get ics on this?
Thank you!
this is the result from using one of the updates for the tablet, it seems that the update uses the emmc.bat
c:\neura\neura [email protected]>download_EMMC_1G.bat
c:\neura\neura [email protected]>"nvflash.exe" --bct Malata_a02_12Mhz_H5PS1G83EFR-S6C_ 333Mhz_1GB_emmc_THGBM1G6D4EBAI4_x8.bct --setbct --bl bootloader.bin --configfile android_fastboot_emmc_full_more.cfg --odmdata 0x3c0c0011 --create --go
Nvflash started
rcm version 0X20001
System Information:
chip name: t20
chip id: 0x20 major: 1 minor: 3
chip sku: 0x8
chip uid: 0x171411c040a08297
macrovision: disabled
hdcp: enabled
sbk burned: false
dk burned: false
boot device: emmc
operating mode: 3
device config strap: 0
device config fuse: 0
sdram config strap: 0
sending file:Malata_a02_12Mhz_H5PS1G83EFR-S6C_333Mhz_1GB_emmc_THGBM1G6D4EBAI4_x8.bct - 4080/4080 bytes sent
Malata_a02_12Mhz_H5PS1G83EFR-S6C_333Mhz_1GB_emmc_THGBM1G6D4EBAI4_x8.bct sent successfully
odm data: 0x3c0c0011
downloading bootloader -- load address: 0x108000 entry point: 0x108000
sending file: bootloader.bin
945472/945472 bytes sent
bootloader.bin sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
Click to expand...
Click to collapse
EE
bungadudu said:
Hi geowolf,
Many thanks for what you're doing.
I also have an evolio neura - malata zpad t8 rebranded.
In the "about tablet" option I only have:
Model number - Evopad
Android version - 2.2
Baseband version - R2A11
Kernel version - 2.6.32.0-00252-gf1df521-dirty [email protected] #5
Build number - 20110712_EW
Hope it helps.
Also do you think that we could get ics on this?
Thank you!
Click to expand...
Click to collapse
One more
Is rooted ?
If open root directory with root explorer is any directory like emmc. emmb ....
China Malata 3g models are mmc
But Russian 3q models has been moderate with erricson 3g spare even are, or not 3g
Maybe and the Romanian models has been modified
With 3g
Try with root explorer to find mount points
And from market android system info has an option to find mount points
Check it out .
Its to early for ice cream
cant find the mount points but I attached diskstat and partition file
diskstat
7 0 loop0 0 0 0 0 0 0 0 0 0 0 0
7 1 loop1 0 0 0 0 0 0 0 0 0 0 0
7 2 loop2 0 0 0 0 0 0 0 0 0 0 0
7 3 loop3 0 0 0 0 0 0 0 0 0 0 0
7 4 loop4 0 0 0 0 0 0 0 0 0 0 0
7 5 loop5 0 0 0 0 0 0 0 0 0 0 0
7 6 loop6 0 0 0 0 0 0 0 0 0 0 0
7 7 loop7 0 0 0 0 0 0 0 0 0 0 0
179 48 mmcblk3 17433 44474 1532199 120670 136737 577806 3635982 18924640 0 1974930 19139480
179 49 mmcblk3p1 4495 282 286484 26080 3 0 6 20 0 15010 26080
179 50 mmcblk3p2 12 61 290 10 133 6864 27988 57350 0 11350 57360
179 51 mmcblk3p3 9 61 278 20 8 1 36 550 0 550 570
179 52 mmcblk3p4 0 0 0 0 0 0 0 0 0 0 0
179 53 mmcblk3p5 0 0 0 0 0 0 0 0 0 0 0
179 54 mmcblk3p6 9475 27970 846506 75240 115761 534552 2610508 14212670 0 1796540 14288720
179 55 mmcblk3p7 5 0 10 10 0 0 0 0 0 10 10
179 56 mmcblk3p8 3432 16100 398591 19310 20832 36389 997444 4654050 0 276190 4766740
254 0 dm-0 40 0 1066 340 0 0 0 0 0 130 340
254 1 dm-1 805 0 74867 14710 0 0 0 0 0 7710 14710
254 2 dm-2 34 0 478 30 0 0 0 0 0 30 30
254 3 dm-3 406 0 37090 4450 0 0 0 0 0 2180 4450
254 4 dm-4 80 0 6210 1040 0 0 0 0 0 330 1040
254 5 dm-5 118 0 6850 3190 0 0 0 0 0 810 3190
254 6 dm-6 635 0 47366 5750 0 0 0 0 0 2640 5750
Click to expand...
Click to collapse
partition
major minor #blocks name
7 0 2111 loop0
7 1 48888 loop1
7 2 2111 loop2
7 3 30177 loop3
7 4 4190 loop4
7 5 7308 loop5
7 6 24980 loop6
179 48 15648768 mmcblk3
179 49 327680 mmcblk3p1
179 50 65536 mmcblk3p2
179 51 32768 mmcblk3p3
179 52 1 mmcblk3p4
179 53 32768 mmcblk3p5
179 54 2097152 mmcblk3p6
179 55 8192 mmcblk3p7
179 56 13081600 mmcblk3p8
254 0 2110 dm-0
254 1 48888 dm-1
254 2 2110 dm-2
254 3 30177 dm-3
254 4 4189 dm-4
254 5 7308 dm-5
254 6 24979 dm-6
Click to expand...
Click to collapse
cociuba said:
cant find the mount points but I attached diskstat and partition file
diskstat
partition
Click to expand...
Click to collapse
The most important is that previous update you use was emmc
ok, so I can use your build?
if yes please explain one more time the steps, thanks.
also is it possible to use clockworkmod? or how can i make a backup of the rom that I am using
Hello All!
I build this rom from Cyanogen source +
1. kernel from Pershoot(MegaMonstr
2. MDM modems patch (my malata wifi version + F3607GW module with GPS)
3. Camera patch for Skype form toshiba ac100
4. /dev/hands
There are additional wishes?
Sorry for my english
@whyberg -does gsm work?
cociuba said:
@whyberg -does gsm work?
Click to expand...
Click to collapse
voice? i don't know, F3607gw can't support voice calls
gprs/edge/umts data worked well
whyberg said:
Hello All!
I build this rom from Cyanogen source +
1. kernel from Pershoot(MegaMonstr
2. MDM modems patch (my malata wifi version + F3607GW module with GPS)
3. Camera patch for Skype form toshiba ac100
4. /dev/hands
There are additional wishes?
Sorry for my english
Click to expand...
Click to collapse
thanks for all
great job
the post belong to you from now
it would greatfull if post your libcamera .so for working skype
thanks we wait for this long time
i hope for the next...
I will soon test your rom, but I would like to know if something goes wrong can I revert to the stock rom, and how?
thanks for your work.
ps: is it possible to install the rom from a linux machine (ubuntu)?
geowolf1000 said:
thanks for all
great job
the post belong to you from now
it would greatfull if post your libcamera .so for working skype
thanks we wait for this long time
i hope for the next...
Click to expand...
Click to collapse
View attachment libcamera.so.zip
Installetion via ADB
1. unzip libcamera.so.zip
2. adb remount
3. adb push libcamera.so /system/lib/libcamera.so
Via recovery(View attachment libcamera.so-update.zip)
Skype from market last version worked!!!
Gtalk video not! but in`s not a camera problem...
cociuba said:
I will soon test your rom, but I would like to know if something goes wrong can I revert to the stock rom, and how?
thanks for your work.
ps: is it possible to install the rom from a linux machine (ubuntu)?
Click to expand...
Click to collapse
Download stock rom from hardware developer website and reinstall it
What device you have?
My working computer under debian

Custom firmware on Axon 7s

Hello,
My Axon 7s (the dual cam one) (https://www.gsmarena.com/zte_axon_7s-8658.php) has an overheating issue. The battery melts dows super fast and the phone heats up alot even in standby with no sim card and wi-fi enabled. Factory reset did not helped at all. It is Android 7.1.1, ZTE2018V1.1.0B11. Is there any way to install custom firmware or update the stock one, ore anything else that will help prevent this issue?
Thanks!
no its not possible
It sounds like a bad battery more than a software issue. The Axon 7s does have some comments online saying it overheats frequently however.
If you're comfortable in doing so and your warranty has expired; I would try replacing the battery and maybe even the thermal paste inside.
After resetting the phone, the problem disappeared. It was cool for 2-3 hours. Then I logged in my google account, installed Viber and it started heating and draining the battery again. The Phone is 4 months old. Never played games on it. Only Facebook and Viber. I had another Axon 7 (without "s") before with the same problem. Changed the battery 2 times and nothing happened. Still discharges super fast...
Markovo said:
After resetting the phone, the problem disappeared. It was cool for 2-3 hours. Then I logged in my google account, installed Viber and it started heating and draining the battery again. The Phone is 4 months old. Never played games on it. Only Facebook and Viber. I had another Axon 7 (without "s") before with the same problem. Changed the battery 2 times and nothing happened. Still discharges super fast...
Click to expand...
Click to collapse
Had the same problem - in my case MediaServer locked up upon a corrupt MP4 file and utilitzed 1 core at 100% constantly. That caused my phone to overheat. Battery life was terrible.
Try to hook your phone up to your computer and open "ADB shell" and type "top -m 10" - you will see the top 10 processes that cause CPU utilization. If there is a process that hogs your CPU you know where to look closer. I found out that a corrupt MP4 video file was the culprit. After deleting it and a reboot my phone was fixed and felt lie new. Hope that helps...
I used ADB Shell too show the processes.
Here is the result:
Code:
Load: 3.33 / 3.59 / 3.64
CPU usage from 51297ms to 39789ms ago (2020-05-13 12:06:18.533 to 2020-05-13 12:06:30.042):
0.9% 2504/kworker/u8:10: 0% user + 0.9% kernel
0.6% 2599/system_server: 0.2% user + 0.4% kernel / faults: 58 minor
0.5% 53/ksmd: 0% user + 0.5% kernel
0.5% 7125/kworker/u8:11: 0% user + 0.5% kernel
0.5% 8893/kworker/u8:0: 0% user + 0.5% kernel
0.4% 16/ksoftirqd/2: 0% user + 0.4% kernel
0.2% 2426/gx_fpd: 0% user + 0.2% kernel
0.2% 3238/com.android.systemui: 0.2% user + 0% kernel / faults: 7 minor
0.1% 42/smem_native_rpm: 0% user + 0.1% kernel
0.1% 2963/thermal-engine: 0.1% user + 0% kernel
0.1% 6642/com.google.android.webview:s: 0.1% user + 0% kernel
0.1% 7323/kworker/0:2: 0% user + 0.1% kernel
0.1% 7703/kworker/2:5: 0% user + 0.1% kernel
0% 20/ksoftirqd/3: 0% user + 0% kernel
0% 34/kworker/0:1: 0% user + 0% kernel
0% 348/cfinteractive: 0% user + 0% kernel
0% 464/servicemanager: 0% user + 0% kernel / faults: 1 minor
0% 614/[email protected]: 0% user + 0% kernel
0% 635/healthd: 0% user + 0% kernel
0% 3390/com.android.phone: 0% user + 0% kernel / faults: 4 minor
0% 7695/kworker/3:4: 0% user + 0% kernel
0% 8940/kworker/2:1: 0% user + 0% kernel
1.3% TOTAL: 0.1% user + 0.8% kernel + 0% iowait + 0.3% irq + 0.1% softirq
Code:
Tasks: 580 total, 1 running, 573 sleeping, 0 stopped, 2 zombie
Mem: 3860956k total, 3633324k used, 227632k free, 117192k buffers
Swap: 1048572k total, 0k used, 1048572k free, 1886212k cached
400%cpu 2%user 1%nice 7%sys 390%idle 0%iow 0%irq 0%sirq 0%host
 PID USER PR NI VIRT RES SHR S[%CPU] %MEM TIME+ ARGS 
2551 system 18 -2 2.5G 284M 186M S 5.0 7.5 0:26.34 system_server
6370 shell 20 0 11M 3.0M 1.7M R 4.0 0.0 0:01.31 top -n 10
6068 root 20 0 0 0 0 S 0.6 0.0 0:00.21 [kworker/u8:12]
464 logd 30 10 24M 4.6M 1.4M S 0.6 0.1 0:03.44 logd
347 root RT 0 0 0 0 S 0.6 0.0 0:01.27 [cfinteractive]
895 root 20 0 0 0 0 S 0.3 0.0 0:01.05 [kworker/u8:10]
622 system RT 0 86M 3.3M 2.3M S 0.3 0.0 0:01.36 android.hardwar+
287 root 20 0 0 0 0 S 0.3 0.0 0:00.26 [kworker/u8:9]
54 root 25 5 0 0 0 S 0.3 0.0 0:00.40 [ksmd]
47 root RT 0 0 0 0 S 0.3 0.0 0:00.55 [irq/263-cpr3]
6354 shell 20 0 13M 1.0M 776K S 0.0 0.0 0:00.04 adbd --root_sec+
6194 system 20 0 2.1G 39M 19M S 0.0 1.0 0:00.06 com.zte.emode
6132 u0_a30 20 0 2.1G 59M 34M S 0.0 1.5 0:01.79 com.android.mms
6128 root RT 0 0 0 0 D 0.0 0.0 0:00.54 [mdss_fb0]
6120 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kworker/3:5]
6104 system 20 0 2.1G 43M 23M S 0.0 1.1 0:00.11 zte.com.cn.alar+
6087 u0_a115 20 0 2.1G 38M 18M S 0.0 1.0 0:00.10 com.qualcomm.ti+
6077 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kworker/u8:16]
6076 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kworker/u8:15]
[?25h[?25h0.0 0.0 0:00.00 [kworker/u8:14]
Code:
Tasks: 577 total, 1 running, 570 sleeping, 0 stopped, 2 zombie
Mem: 3860956k total, 3630552k used, 230404k free, 117216k buffers
Swap: 1048572k total, 0k used, 1048572k free, 1886212k cached
400%cpu 1%user 0%nice 4%sys 395%idle 0%iow 0%irq 0%sirq 0%host
 PID USER PR NI VIRT RES SHR S[%CPU] %MEM TIME+ ARGS 
6385 shell 20 0 11M 3.0M 1.7M R 4.3 0.0 0:00.63 top -n 10
6354 shell 20 0 13M 0.9M 788K S 0.3 0.0 0:00.06 adbd --root_sec+
6068 root 20 0 0 0 0 S 0.3 0.0 0:00.60 [kworker/u8:12]
622 system RT 0 86M 3.2M 2.3M S 0.3 0.0 0:01.72 android.hardwar+
347 root RT 0 0 0 0 S 0.3 0.0 0:01.38 [cfinteractive]
54 root 25 5 0 0 0 S 0.3 0.0 0:00.67 [ksmd]
12 root 20 0 0 0 0 S 0.3 0.0 0:00.66 [ksoftirqd/1]
7 root 20 0 0 0 0 S 0.3 0.0 0:01.33 [rcu_preempt]
6194 system 20 0 2.1G 39M 19M S 0.0 1.0 0:00.06 com.zte.emode
6132 u0_a30 20 0 2.1G 59M 34M S 0.0 1.5 0:01.81 com.android.mms
6128 root RT 0 0 0 0 D 0.0 0.0 0:00.65 [mdss_fb0]
6120 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kworker/3:5]
6104 system 20 0 2.1G 43M 23M S 0.0 1.1 0:00.11 zte.com.cn.alar+
6087 u0_a115 20 0 2.1G 38M 18M S 0.0 1.0 0:00.10 com.qualcomm.ti+
6077 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kworker/u8:16]
6076 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kworker/u8:15]
6075 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kworker/u8:14]
6069 root 20 0 0 0 0 S 0.0 0.0 0:00.16 [kworker/u8:13]
6066 root 20 0 0 0 0 S 0.0 0.0 0:00.00 [kworker/u8:11]
6045 root 20 0 0 0 0 S 0.0 0.0 0:00.02 [kworker/1:5]
It seems alright to me...

Categories

Resources