[R&D] Android bootloader on ATIV S - Windows Phone 8 Development and Hacking

Introduction
After realizing that Samsung uses the same keys to sign Android and WP8 binaries, and that the ATIV S has the same hardware as the Snapdragon S4 SGS3, I thought about flashing the SGS3 bootloader and then having access to ODIN, which would permit a new set of possibilities.
Flashing ABOOT
The first step is flashing the Samsung-signed ABOOT from the SGS3; it is based on the (L)ittle (K)ernel and provides ODIN and fastboot.
The current issue is flashing the ABOOT partition on top of the UEFI one from the ATIV S. For this we have two possibilities:
Reverse engineer the SMD format
Create a new flasher software based on the existing one
The SMD format
Reversing the SMD format seems easiest; for this I created smdc, an SMD compiler which takes a "recipe" as input.
smdc can be found at the end of this thread on GitHub.
Note: All offsets and values are based on the GT-I8750_XXBME1_R_SIGNED ROM which can be found on the forums.
Header format:
Code:
#include <stdint.h>

typedef char     CHAR;
typedef uint32_t DWORD;
typedef uint64_t QWORD;

struct SMDHeader
{
    CHAR  Magic[16];         // Magic - 'WP8_EMMC_MainOS' 00
    CHAR  DeviceName[16];    // Device Name - 'GT-I8750_SIGN' 00 00 00
    QWORD EndOffset;         // Offset of the last byte in the file
    DWORD Unknown1;          // 0x16161616
    DWORD PartitionCount;    // Number of partitions in the "partition table"
    QWORD DataStartAddress;  // Offset of the data of the first partition in the file
    CHAR  Version[8];        // ROM Version - 'BME1' 00 00 00 00
    CHAR  Unknown2[16];      // Unknown
    CHAR  Hash[16];          // Hash of the entire file with this field zeroed
};
After the header comes the "partition table", which starts at 0x200.
Partition Table Entry format:
Code:
struct PTEntry
{
    CHAR  Name[16];            // Partition name
    DWORD NandAddress;         // Address on the eMMC
    DWORD NandSize;            // Size on the eMMC, in 512-byte blocks
    DWORD DataOffset;          // Offset of the data in the file
    DWORD DataSize;            // Size of the data in the file
    DWORD IsPresentSignature;  // Not sure, name taken from WOLF smd-tool - 0x1F1F1F1F
    DWORD PartitionIndex;      // Index of the partition, starts at 0
    DWORD FileSystem;          // Not sure, name taken from WOLF smd-tool
    DWORD Zero;                // Unknown
    CHAR  Hash[16];            // MD5 hash of the partition data in the file
};
At 0x30C00 start the signature blocks; each takes 0x8000 bytes and starts with Ra000FF.
Take note that this isn't the Ra000FF container format used in older phones.
Current format:
Code:
struct HashEntry
{
    CHAR  Magic[8];  // Magic - 'Ra000FF' 0B
    DWORD Size;      // Size of block¹ minus 0xA4
    // Unknown fields until 0x20, zeroes until 0x64
};
¹: The "block" is the run of bytes starting at 0x64 that lasts until all remaining bytes become 0.
Links
GitHub repository: https://github.com/greenboxal/AtivKangTools
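As an added example (not code from smdc or from the original post), here is a Python parser and hash checker for the layout described above; the sample image is constructed in memory, the signature blocks are not modelled, and treating the header hash as MD5 (the post only says "hash") is an assumption.

```python
"""Parse and hash-check an ATIV S SMD image laid out as described above.

Added example, not code from smdc or the thread. Offsets and field order
follow the SMDHeader / PTEntry structs in the post; the sample image is
constructed here. Assumption: the header hash is MD5 like the partition
hashes (the post only calls it "hash"). Signature blocks are not modelled.
"""
import hashlib
import struct
from dataclasses import dataclass

HEADER_FMT = "<16s16sQIIQ8s16s16s"   # SMDHeader: 96 bytes, little-endian
PTENTRY_FMT = "<16sIIIIIIII16s"      # PTEntry: 64 bytes
HEADER_HASH_OFF = 80                 # SMDHeader.Hash lives at bytes 80..96
PT_OFFSET = 0x200                    # partition table starts at 0x200
IS_PRESENT = 0x1F1F1F1F

assert struct.calcsize(HEADER_FMT) == 96 and struct.calcsize(PTENTRY_FMT) == 64


@dataclass
class PTEntry:
    name: str
    nand_address: int   # address on the eMMC
    nand_size: int      # eMMC size in 512-byte blocks
    data_offset: int    # where the data sits in the file
    data_size: int
    is_present: int     # 0x1F1F1F1F
    index: int
    filesystem: int
    zero: int
    md5: bytes          # MD5 of the partition data in the file


def parse_smd(img):
    """Return (header dict, [PTEntry]) for an SMD image held in memory."""
    names = ("magic", "device", "end_offset", "unknown1", "partition_count",
             "data_start", "version", "unknown2", "hash")
    hdr = dict(zip(names, struct.unpack_from(HEADER_FMT, img, 0)))
    if not hdr["magic"].startswith(b"WP8_EMMC_MainOS"):
        raise ValueError("not an SMD image (bad magic)")
    entries = []
    for i in range(hdr["partition_count"]):
        f = struct.unpack_from(PTENTRY_FMT, img, PT_OFFSET + 64 * i)
        entries.append(PTEntry(f[0].rstrip(b"\0").decode("ascii"), *f[1:]))
    return hdr, entries


def verify_smd(img):
    """Map partition name -> True/False, plus '<header>' for the file hash.

    The header hash is checked with its own field zeroed, as the post says.
    A partition whose data runs past the end of the file is reported False
    instead of raising, so a truncated image is caught as well.
    """
    hdr, entries = parse_smd(img)
    zeroed = bytearray(img)
    zeroed[HEADER_HASH_OFF:HEADER_HASH_OFF + 16] = b"\0" * 16
    results = {"<header>": hashlib.md5(zeroed).digest() == hdr["hash"]}
    for e in entries:
        blob = img[e.data_offset:e.data_offset + e.data_size]
        results[e.name] = (len(blob) == e.data_size
                           and hashlib.md5(blob).digest() == e.md5)
    return results


def build_sample_image(parts):
    """Construct a minimal SMD image from {name: bytes} (sample data only)."""
    data_start = PT_OFFSET + 64 * len(parts)
    table, payload, nand_addr = b"", b"", 0
    for i, (name, blob) in enumerate(parts.items()):
        padded = blob + b"\0" * (-len(blob) % 512)   # pad to 512-byte blocks
        table += struct.pack(PTENTRY_FMT, name.encode("ascii"), nand_addr,
                             len(padded) // 512, data_start + len(payload),
                             len(padded), IS_PRESENT, i, 0, 0,
                             hashlib.md5(padded).digest())
        payload += padded
        nand_addr += len(padded) // 512
    total = data_start + len(payload)
    header = struct.pack(HEADER_FMT, b"WP8_EMMC_MainOS", b"GT-I8750_SIGN",
                         total - 1, 0x16161616, len(parts), data_start,
                         b"BME1", b"\0" * 16, b"\0" * 16)
    img = bytearray(header + b"\0" * (PT_OFFSET - len(header)) + table + payload)
    img[HEADER_HASH_OFF:HEADER_HASH_OFF + 16] = hashlib.md5(img).digest()
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image({"aboot": b"A" * 1000, "sbl1": b"B" * 600})
    for name, ok in verify_smd(sample).items():
        print("%-10s %s" % (name, "OK" if ok else "MISMATCH"))
```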

Reserved.

Code:
Open WP8 SMD image at : D:\!WP8\Ativ_S\FirmWare\GT-I8750_ XXBME1\test_I8750.wp8
Open WP8 SMD image at : D:\!WP8\Ativ_S\FirmWare\GT-I8750_OXXAMB1_P.csc
[Channel 0] Start Download Success !!
[Channel 0] Start AskSamsungUEFIDwonloadVersion !!
[Channel 0] UEFI version is 10 !!
[Channel 0] Start AskSecurityType !!
[Channel 0] Device Security Enable and Secure Binary!!
[Channel 0] Start AskDeviceType !!
[Channel 0] AskDeviceType is Product !!
[Channel 0] Channel Write CSC data Start!!
[Channel 0] Channel Write SER CSC data Success!!
[Channel 0] SetChecksumResultPass Success !!
[Channel 0] Channel Get GPT info !!
[Channel 0] Channel Get GPT WritePartitionData !!
[Channel 0] Channel Get SBL1 info !!
[Channel 0] Channel Get SBL1 WritePartitionData !!
[Channel 0] Channel SBL1 Write fail !!
[Channel 0] Binary Download complete!!
Maybe a bug in the program disassembly SMD-tool from
-W_O_L_F-

Still needs to research and implement the hash block writing.

Thought you might find this interesting: http://forum.xda-developers.com/showthread.php?t=2345860
There is a really detailed post around here if you look for QDL mode (Qualcomm Download Mode). I was thinking about doing something like this on my 8X.

Booting from SD would solve all problems, but I don't know how to force brick my ROM.
Also I don't know how to reach QDL.

spavlin said:
Maybe a bug in the program disassembly SMD-tool from
-W_O_L_F-
SBL1 has a broken signature.

Actually, it doesn't have a signature attached in the SMD; I haven't implemented that yet.

Wow, what interesting news! It sounds like a second "HD2", and if it really happens, it would be even hotter with WP8.

greenboxal said:
Booting from SD would solve all problems, but I don't know how to force brick my ROM.
Also I don't know how to reach QDL.
http://forum.xda-developers.com/showthread.php?t=820275 might help...you can try using the resistor jig.

Any update on this project?

Isn't it easier to do the opposite (GS3 with WP8)?

coroneta said:
Any update on this project?
I'm currently working on my final exams; soon I'll be back on the project.
gigsaw said:
Isn't it easier to do the opposite (GS3 with WP8)?
Theoretically yes, but if I need to change something in Android to run on the ATIV S I can do it easily; on the other hand, WP8 isn't open source, so we can't do it without binary patching.
Also, I only have an ATIV S.

Do you have any progress?

Was anybody able to flash Android on the ATIV S?

Just gonna call @GoodDayToDie here. He might know something.

3dsxlboy said:
Just gonna call @GoodDayToDie here. He might know something.
Could we just ****ing stop bumping this thread?
The devs will post here if any progress is made; we don't need some random brony constantly asking the devs for progress.
If you want an Android device you should've bought one instead of buying the ATIV S.

Dude, even the Lumia 520 has a Qualcomm Snapdragon S4+, so are you saying that it would be possible to run Android on it? And it has an Adreno 305, which is the same as the Moto G.

Luiz Guilherme Pereira said:
Dude, even the Lumia 520 has a Qualcomm Snapdragon S4+, so are you saying that it would be possible to run Android on it? And it has an Adreno 305, which is the same as the Moto G.
Never possible due to secure bootloaders. You can't even flash any WP ROM on a Nokia.

Related

[Heimdall] Repartitioning Problem. C++ Developers required. Offering UnBrickable Mod.

I'm here to recruit help from XDA-Developers for open-source development. I can offer UnBrickable Mod to any Developer who thinks they can help with this C++ issue. This will allow you to play with Loki (the device's side of Odin/Heimdall) and not worry about it.
The only thing keeping the Linux and Mac platforms from being better than Windows at developing ROMs and other firmware is Heimdall's ability to repartition. Once this barrier is broken down, we will have an entire open source chain for developing, and Linux will be the premiere platform for developing on Samsung devices. There will be no reason to use closed-source Windows, Odin, or Samsung drivers... This is the last barrier.
I am offering debug logs which show the UART output during the flashing of Heimdall and Odin.
here are Heimdall logs/uart logs: http://pastebin.com/srhG7yJA
here are Odin Uart Logs: http://pastebin.com/AiKspmxR UART coming soon.
Here are both Heimdall and Odin USB logs via Wireshark.
http://www.mediafire.com/file/2wccdcuf87q2i3l/odinheimdallUSBLog.zip
Benjamin Dobell has set up code for Heimdall here: https://github.com/Benjamin-Dobell/Heimdall/
This is not a bounty thread. It is an open source development/improvement thread. I have spoken to Benjamin Dobell, the creator of Heimdall, and he is too busy with a new job and working loads of overtime hours. He has approved of this action. Fixing this issue with Heimdall will allow the entire Samsung community to utilize Heimdall as a total replacement for Odin on all platforms.
What's my role/interest in this? I want Linux to be as good as or better than Windows. I'm an open source guy. I'm also not good at the C++ programming language. I understand the headers, but not the CPP files. I can provide debugging and beta testing though. I've created the cross-platform Heimdall One-Click. I brought UnBrickable Mod to the Captivate, and the only thing left in the entire open-source chain of software from complete destruction of data on the device to completely stock is getting Heimdall to repartition.
Once this final hurdle in Heimdall is completed, we've got a full open-source stack of cross-platform, community-based software by XDA-Developers for XDA-Developers and users. Open-source software will be able to provide more than closed-source software, and once again XDA-Developers will prove that we can do things better than the manufacturers.
There is an issue tracking system here: https://github.com/Benjamin-Dobell/Heimdall/issues
I believe the underlying cause of all 3 of the existing issues in the Heimdall repository lies with Heimdall's ability to repartition.
Issue 21: "Failed to confirm end of file transfer sequence!" signifies that the information sent overran the partition area and therefore it never responded that the end was confirmed.
Issue 19: "Could not find end of file or end of file transfer, something similar." Likely the same as issue 21.
Issue 14: "Expected file part index", again dealing with partition tables. "ERROR: Expected file part index: 0 Received: 1"
I believe all three of these issues could be worked into a single "Heimdall Repartitioning" issue for the reasons stated above.
I've got some experience in C++ and Java...
Once I get home I'll take a look at the Heimdall source and give it a shot.
Smasher816 said:
I've got some experience in C++ and Java...
Once I get home I'll take a look at the Heimdall source and give it a shot.
Hey, great. I have a special test setup with UART output.
First I totally thrashed my partition table by uploading the Bada OS SBL. This SBL rewrites partition tables. Then I used the HIBL to unbrick my phone and load a proper SBL. This is the UART during booting up to "Download Mode".
Code:
-------------------------------------------------------------
Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
-------------------------------------------------------------
Calling IBL Stage2 ...OK
Testing DRAM1 ...OK
iRAM reinit ...OK
cleaning OTG context ...OK
Chain of Trust has been successfully compromised.
Begin unsecure download now...
0x00000000BL3 EP: 0x40244000
Download complete, hold download mode key combination.
Starting BL3 in...
Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Non Secure Boot Version.
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Modified by Rebell
Build On: Jun 8 2011 21:44:47
-----------------------------------------------------------
Re_partition: magic code(0xffffffff)
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] OneNAND nMID=0xec : nDID=0x50
[PAM: ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 7
partitions loading success
board partition information update.. source: 0x0
.Done.
read 1 units.
==== PARTITION INFORMATION ====
ID : *unknown id* (0x9)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : *unknown id* (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 7
===============================
ID : *unknown id* (0x1)
ATTR : RW SLC (0x1001)
FIRST_UNIT : 8
NO_UNITS : 796
===============================
ID : *unknown id* (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 804
NO_UNITS : 716
===============================
ID : *unknown id* (0x15)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1520
NO_UNITS : 372
===============================
ID : *unknown id* (0x17)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1892
NO_UNITS : 56
===============================
ID : *unknown id* (0x18)
ATTR : RW SLC (0x1001)
FIRST_UNIT : 1948
NO_UNITS : 56
===============================
FlashDevOpen 232: Error(nErr=0x80000002)
j4fs_open 136: Error(nErr=0x40000000)
loke_init: j4fs_open failed..
init_fuel_gauge: vcell = 4051mV, soc = 82
check_quick_start_condition_with_charger- Voltage: 4051.25000, Linearized[55/70/85], Capacity: 85
init_fuel_gauge: vcell = 4051mV, soc = 82, rcomp = d01f
FlashDevRead 63: Error(offset,length,j4fs_end,nErr)=(0x40000,0x1000,0xffffffff,0x80040001)
nps status file does not exist..
nps status is incorrect!! set default status.(completed)
nps status=0x504d4f43
PMIC_IRQ1 = 0x3c
PMIC_IRQ2 = 0x0
PMIC_IRQ3 = 0x0
PMIC_IRQ4 = 0x0
PMIC_STATUS1 = 0x40
PMIC_STATUS2 = 0x2c
get_debug_level current debug level is 0x0.
get_debug_level current debug level is 0x0.
get_debug_level current debug level is 0x0.
aries_process_platform: Debug Level Invalid
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48
FlashDevRead 63: Error(offset,length,j4fs_end,nErr)=(0x40000,0x1000,0xffffffff,0x80040001)
nps status file does not exist..
nps status is incorrect!! set default status.(completed)
nps status=0x504d4f43
==> Welcome to ARIES!
==> Entering usb download mode..
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Error : Current Mode is Host
EP2: 0, 2, 0; len=7
EP2: 0, 2, 0; len=7
sug: IN EP asserted
I gave the command in Heimdall to repartition and flash the boot.bin to partition 1.
Code:
heimdall flash --repartition --pit ./part.pit --1 ./boot.bin
At this point it should have downloaded the partition, saved it, and then heimdall should request the partition back and use that as its guide.
The boot.bin is only 1 block long so this log is short.
Code:
- Odin is connected!
FlashDevRead 63: Error(offset,length,j4fs_end,nErr)=(0x40000,0x1000,0xffffffff,0x80040001)
j4fs_write_file_bootloader 192: Error(nErr=0x40000000)
process_packet: request id(100), data id(0)
process_rqt_init: platform number(0x0), revision(0x0)
process_packet: request id(100), data id(1)
process_packet: request id(100), data id(2)
process_packet: request id(103), data id(0)
process_rqt_close: xmit completed!
FlashDevRead 63: Error(offset,length,j4fs_end,nErr)=(0x40000,0x1000,0xffffffff,0x80040001)
j4fs_write_file_bootloader 192: Error(nErr=0x40000000)
process_packet: request id(103), data id(1)
process_rqt_close: target reset!
ARIES MAGIC_ADDR=0x0 / INFORM5=0x12345678
And this is the log from Heimdall:
Code:
Initialising connection...
Detecting device...
Claiming interface...
Attempt failed. Detaching driver...
Claiming interface again...
Setting up interface...
Beginning session...
Handshaking with Loke...
Ending session...
Rebooting device...
Re-attaching kernel driver...
At this point the device "resets" and attempts to boot from the bootloader.
If you need any testing let me know. I can compile source, I can get UART logs. I can repartition the heck out of this device as it is UnBrickable and my test phone.
I believe the device uses the SBL> prompt when it is in download mode.. You can see from this UART log that the device attempted to "saveenv" but it could not. http://code.google.com/p/badadroid/...ompare_logs/SBL_mode_help.txt?spec=svn61&r=57
It also returned the same "FlashDevRead 63" error.
The final action the device needs to do is "savepart" if the partition tables were saved after the pit were uploaded then it would be good to go. There are several other commands as well.. "addpart" and "removepart".. If it comes to using this, let me know. I've worked with Benjamin Dobell's libpit before and I can help out greatly with repartitioning as I've worked extensively in the SBL prompt.
I'm not sure how the Download Mode works exactly, but if it uses the SBL prompt, then I can write pseudocode of how it should work.
This probably isn't going to help much, but it may be a start.
I figured the best way to solve this would be to find the differences between a successful Odin flash and an unsuccessful Heimdall flash. So I delved right in to the wireshark dumps. It seems likely that Heimdall is missing a step.
I do not understand the protocol (yet), but I can see the raw data in the stream. In the Heimdall process, there is some protocol traffic, then the entire PIT file is sent, then some more protocol traffic, then the kernel data is sent. But in the Odin process, there is some protocol traffic, then the entire PIT file is sent, then some more protocol traffic, then the PIT file is sent again in 512 byte chunks, then some protocol traffic (more than usual), and then the kernel data is sent.
At the moment, I can't be sure if this is functionally equivalent or not. I'll need to do quite a bit of deciphering on the protocol to get up to speed on what's really going on. Unfortunately, this is the sort of thing that's easiest if one can watch the action in real time, but as I only have my one phone that I need for work, that's not really an option for me at this time.
Hopefully, I'll return with more info after I've absorbed the communication layer details to see what the non-data chatter actually is.
Could that extra protocol data possibly be Odin commanding delete partitions and add partitions? I'm hypothesizing... nothing more. I see some similarities to the UART logs during SBL> prompt and Odin, so I'm thinking that maybe the SBL prompt is used, or at least some of the methods... In this thread you can see all of the SBL commands http://forum.xda-developers.com/showthread.php?t=1209288
Sure it's from an Infuse, but they're all based on i9000 which is like the mother of our entire generation of devices. The SBLs are interchangeable with different entry points for each "version".
AdamOutler said:
Could that extra protocol data possibly be Odin commanding delete partitions and add partitions? I'm hypothesizing... nothing more. I see some similarities to the UART logs during SBL> prompt and Odin, so I'm thinking that maybe the SBL prompt is used, or at least some of the methods... In this thread you can see all of the SBL commands http://forum.xda-developers.com/showthread.php?t=1209288
Sure it's from an Infuse, but they're all based on i9000 which is like the mother of our entire generation of devices. The SBLs are interchangeable with different entry points for each "version".
I have a feeling that it is using the SBL prompt somehow after the flash because everything else seems pretty much identical (besides the timing). If anyone needs to understand the protocol then I recommend just looking at Heimdall's source code, in particular the packet header files store all the constants that are sent and received over USB.
Found the problem - the End Transfer packet is missing. There is also some additional strangeness, though.
Heimdall:
Packet 1: 65 00 00 00 (Init pit transfer)
Packet 2: 65 00 00 00 02 00 00 00 D0 06 00 00 (Want to send 1744 bytes)
Packet 3: [full contents of pit]
Packet 4: 66 00 00 00 (Init file transfer - probably starting the kernel send)
Odin:
Packet 1: 65 00 00 00 (Init pit transfer)
Packet 2: 65 00 00 00 02 00 00 00 D0 06 00 00 (Want to send 1744 bytes)
Packet 3: [full contents of pit]
Packet 4: 65 00 00 00 03 00 00 00 D0 06 00 00 (Finished sending 1744 bytes)
The odd part is what odin does next, after the "finished sending":
Packet 5: 65 00 00 00 01 00 00 00 (Dump pit file)
Packet 6: 65 00 00 00 02 00 00 00 00 00 00 00 (Sending chunk 0)
Packet 7: [first 512 bytes of pit]
Packet 8: 65 00 00 00 02 00 00 00 01 00 00 00 (Sending chunk 1)
Packet 9: [next 512 bytes of pit]
Packet 10: 65 00 00 00 02 00 00 00 02 00 00 00 (Sending chunk 2)
Packet 11: [next 512 bytes of pit]
Packet 12: 65 00 00 00 02 00 00 00 03 00 00 00 (Sending chunk 3)
Packet 13: [next 512 bytes of pit]
- repeat for 8 chunks - data past the end of the actual pit file is sent as zeroes -
Packet 22: 65 00 00 00 03 00 00 00 (Done)
Packet 23: 66 00 00 00 (Init file transfer - probably kernel)
I couldn't begin to tell you why any of this exists at all, but my strong suspicion is that duplicating the Odin behavior will make Heimdall work properly.
So, Adam, the first thing I would try would be to simply add the "finished sending" packet. Try recompiling with this replacement for BridgeManager.cpp and this additional file EndPitFilePacket.h in the project.
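Rebuilding the two sequences above in Python (an added example, not code from Heimdall or Odin) makes the control packets Heimdall never sends fall out of a simple comparison; the packet layout (little-endian 32-bit request id, sub-id, optional argument, no padding) and the PIT contents are assumptions taken from the bytes listed in the post.

```python
"""Rebuild the PIT upload sequences listed above and diff them.

Added example, not code from Heimdall or Odin. Each control packet is
modelled exactly as the post shows it: a little-endian 32-bit request id,
then an optional sub-id and argument (assumption: no further padding).
The sub-id names follow the post's reading of the capture.
"""
import struct

PIT_REQUEST = 0x65
FILE_REQUEST = 0x66
SUB_DUMP, SUB_TRANSFER, SUB_END = 1, 2, 3   # "65 .. 01 / 02 / 03" in the post
CHUNK = 512
CHUNKS = 8                                  # Odin always sends 8 chunks


def control_packet(request, *args):
    """Pack a request id and its arguments as 32-bit little-endian words."""
    return struct.pack("<%dI" % (1 + len(args)), request, *args)


def hexdump(pkt):
    """Render a packet the way the post lists it: 'D0 06 00 00'."""
    return " ".join("%02X" % b for b in pkt)


def heimdall_pit_sequence(pit):
    """What the post's Heimdall capture shows: no end-of-transfer packet."""
    return [("ctrl", control_packet(PIT_REQUEST)),
            ("ctrl", control_packet(PIT_REQUEST, SUB_TRANSFER, len(pit))),
            ("data", pit),
            ("ctrl", control_packet(FILE_REQUEST))]


def odin_pit_sequence(pit):
    """What the post's Odin capture shows, packets 1..23."""
    seq = [("ctrl", control_packet(PIT_REQUEST)),
           ("ctrl", control_packet(PIT_REQUEST, SUB_TRANSFER, len(pit))),
           ("data", pit),
           ("ctrl", control_packet(PIT_REQUEST, SUB_END, len(pit))),
           ("ctrl", control_packet(PIT_REQUEST, SUB_DUMP))]
    padded = pit.ljust(CHUNK * CHUNKS, b"\0")   # past-the-end bytes are zero
    for i in range(CHUNKS):
        seq.append(("ctrl", control_packet(PIT_REQUEST, SUB_TRANSFER, i)))
        seq.append(("data", padded[i * CHUNK:(i + 1) * CHUNK]))
    seq.append(("ctrl", control_packet(PIT_REQUEST, SUB_END)))
    seq.append(("ctrl", control_packet(FILE_REQUEST)))
    return seq


def control_packets_missing_from_heimdall(pit):
    """Control packets in the Odin sequence that Heimdall's never sends."""
    heimdall = {p for kind, p in heimdall_pit_sequence(pit) if kind == "ctrl"}
    return [p for kind, p in odin_pit_sequence(pit)
            if kind == "ctrl" and p not in heimdall]


if __name__ == "__main__":
    pit = b"P" * 1744          # constructed stand-in for the 1744-byte PIT
    for n, (kind, p) in enumerate(odin_pit_sequence(pit), 1):
        body = hexdump(p) if kind == "ctrl" else "[%d data bytes]" % len(p)
        print("Packet %2d: %s" % (n, body))
    print("Missing from Heimdall:")
    for p in control_packets_missing_from_heimdall(pit):
        print("  " + hexdump(p))
```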
psych0phobia said:
So, Adam, the first thing I would try would be to simply add the "finished sending" packet. Try recompiling with this replacement for BridgeManager.cpp and this additional file EndPitFilePacket.h in the project.
That did it! Problem solved!
1. I uploaded the Bada bootloaders to my device in order to totally destroy my partition tables.
2. I tried to flash with heimdall 1.3 and it did not work to restore.
3. I compiled and installed the new 1.3modified version.
4. I flashed with heimdall 1.3modified and it worked.
To be sure, I repeated the Bada bootloaders once again. The only thing wrong with my device now is that it has no /efs/ partition... which is understandable because bada turned the OneNAND into its *****.
Great job, psych0phobia! If you need anything from me, just let me know. I mean anything...
Let me know when you can spare your device so I can modify it. Please push this change upstream.
Here's the UART log
Code:
[<unprintable bytes from the UART negotiation>]
Uart negotiation Error
-------------------------------------------------------------
Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
-------------------------------------------------------------
Calling IBL Stage2 ...OK
Testing DRAM1 ...OK
iRAM reinit ...OK
cleaning OTG context ...OK
Chain of Trust has been successfully compromised.
Begin unsecure download now...
0x00000000BL3 EP: 0x40244000
Download complete, hold download mode key combination.
Starting BL3 in...
Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Non Secure Boot Version.
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Modified by Rebell
Build On: Jun 8 2011 21:44:47
-----------------------------------------------------------
Re_partition: magic code(0x0)
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] OneNAND nMID=0xec : nDID=0x50
[PAM: ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
board partition information update.. source: 0x0
.Done.
read 1 units.
==== PARTITION INFORMATION ====
ID : IBL+PBL (0x0)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 0
NO_UNITS : 1
===============================
ID : PIT (0x1)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1
NO_UNITS : 1
===============================
ID : EFS (0x14)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 2
NO_UNITS : 40
===============================
ID : SBL (0x3)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 42
NO_UNITS : 5
===============================
ID : SBL2 (0x4)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 47
NO_UNITS : 5
===============================
ID : PARAM (0x15)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 52
NO_UNITS : 20
===============================
ID : KERNEL (0x6)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 72
NO_UNITS : 30
===============================
ID : RECOVERY (0x7)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 102
NO_UNITS : 30
===============================
ID : FACTORYFS (0x16)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 132
NO_UNITS : 1146
===============================
ID : DBDATAFS (0x17)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1278
NO_UNITS : 536
===============================
ID : CACHE (0x18)
ATTR : RW STL SLC (0x1101)
FIRST_UNIT : 1814
NO_UNITS : 140
===============================
ID : MODEM (0xb)
ATTR : RO SLC (0x1002)
FIRST_UNIT : 1954
NO_UNITS : 50
===============================
loke_init: j4fs_open success..
load_lfs_parameters valid magic code and version.
reading nps status file is successfully!.
nps status=0x504d4f43
load_debug_level reading debug level from file successfully(0x574f4c44).
init_fuel_gauge: vcell = 4192mV, soc = 90
check_quick_start_condition_with_charger- Voltage: 4192.50000, Linearized[77/92/100], Capacity: 94
init_fuel_gauge: vcell = 4192mV, soc = 90, rcomp = d01f
reading nps status file is successfully!.
nps status=0x504d4f43
PMIC_IRQ1 = 0x28
PMIC_IRQ2 = 0x0
PMIC_IRQ3 = 0x0
PMIC_IRQ4 = 0x0
PMIC_STATUS1 = 0x40
PMIC_STATUS2 = 0x2c
get_debug_level current debug level is 0x574f4c44.
aries_process_platform: Debug Level Low
keypad_scan: key value ----------------->= 0x0
CONFIG_ARIES_REV:48 , CONFIG_ARIES_REV03:48
reading nps status file is successfully!.
nps status=0x504d4f43
==> Welcome to ARIES!
==> Entering usb download mode..
DISPLAY_PATH_SEL[MDNIE 0x1]is on
MDNIE setting Init start!!
vsync interrupt is off
video interrupt is off
[fb0] turn on
MDNIE setting Init end!!
Error : Current Mode is Host
EP2: 0, 2, 0; len=7
EP2: 0, 2, 0; len=7
sug: IN EP asserted
- Odin is connected!
set_nps_update_start: set nps start flag successfully.
process_packet: request id(100), data id(0)
process_rqt_init: platform number(0x0), revision(0x0)
process_packet: request id(100), data id(1)
process_packet: request id(100), data id(2)
process_packet: request id(101), data id(0)
process_packet: request id(101), data id(2)
process_packet: request id(101), data id(3)
[FNW: ] STL read to partition ID: 20
Done.
read 25 units.
partition_backup: efs. meta data=3(units), real size=6553600
.....Done.
read 5 units.
partition_backup: sbl. buf=0x46e00000, size=1310720(bytes)
.....Done.
read 5 units.
partition_backup: sbl2. buf=0x46f40000, size=1310720(bytes)
fsr_bml_format_device start
set_dynamic_partition: pit magic code=0x12349876
bbm format success
bbm_erase_all: step 1. Start unit=1, End unit=2.
.
bbm_erase_all: step 1. Start unit=52, End unit=2004.
..............................................................................................................................................................................................................................................
bbm eraseall success.
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
partitions loading success
Erasing: 1 to 2
.
bbm erase part success
.Done.
Written 1 units.
current percent: 0 (1/1110)
board partition information update.. source: 0x403ee838
Erasing: 2 to 42
........................................
bbm erase part success
[FNW: ] STL formatted (partition ID: 20)
[FNW:INF] nVol : 0, partition_id : 20, stSTLInfo.nTotalLogScts : 12800, buf :0x46400000
TotalLogSct : 12800, size : 6553600
Done.
Written 25 units.
current percent: 2 (26/1110)
Erasing: 42 to 47
.....
bbm erase part success
.....Done.
Written 5 units.
current percent: 2 (31/1110)
Erasing: 47 to 52
.....
bbm erase part success
.....Done.
Written 5 units.
current percent: 3 (36/1110)
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(5445016), id(6), final(1)
Save Image (KERNEL) to flash ......
Erasing: 72 to 102
..............................
bbm erase part success
.....................Done.
Written 21 units.
current percent: 5 (57/1110)
current write_count=1
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(12582912), efs_clear(0), boot_update(0), final(1)
xmit_complete_phone: cp partition found!(11)
Save Image (MODEM) to flash ......
Erasing: 1954 to 2004
..................................................
bbm erase part success
................................................Done.
Written 48 units.
current percent: 9 (105/1110)
current write_count=1
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(104857600), id(22), final(0)
Save Image (FACTORYFS) to flash ......
Erasing: 132 to 1278
..............................................................................................................................................................................................................................................
bbm erase part success
[FNW: ] STL formatted (partition ID: 22)
[FNW:INF] nVol : 0, partition_id : 22, stSTLInfo.nTotalLogScts : 569344, buf :0x46400000
TotalLogSct : 204800, size : 104857600
Done.
Written 394 units.
current percent: 45 (505/1110)
current write_count=1
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(104857600), id(22), final(0)
Save Image (FACTORYFS) to flash ......
[FNW:INF] nVol : 0, partition_id : 22, stSTLInfo.nTotalLogScts : 569344, buf :0x46400000
TotalLogSct : 204800, size : 104857600
Done.
Written 394 units.
current percent: 81 (905/1110)
current write_count=2
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(58163200), id(22), final(1)
Save Image (FACTORYFS) to flash ......
[FNW:INF] nVol : 0, partition_id : 22, stSTLInfo.nTotalLogScts : 569344, buf :0x46400000
TotalLogSct : 113600, size : 58163200
Done.
Written 219 units.
current percent: 101 (1127/1110)
current write_count=3
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(1376256), id(23), final(1)
Save Image (DBDATAFS) to flash ......
Erasing: 1278 to 1814
..............................................................................................................................................................................................................................................
bbm erase part success
[FNW: ] STL formatted (partition ID: 23)
[FNW:INF] nVol : 0, partition_id : 23, stSTLInfo.nTotalLogScts : 263168, buf :0x46400000
TotalLogSct : 2688, size : 1376256
Done.
Written 6 units.
current percent: 102 (1133/1110)
current write_count=1
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(1245184), id(24), final(1)
Save Image (CACHE) to flash ......
Erasing: 1814 to 1954
............................................................................................................................................
bbm erase part success
[FNW: ] STL formatted (partition ID: 24)
[FNW:INF] nVol : 0, partition_id : 24, stSTLInfo.nTotalLogScts : 64000, buf :0x46400000
TotalLogSct : 2432, size : 1245184
Done.
Written 5 units.
current percent: 102 (1138/1110)
current write_count=1
save param.blk, size: 5268
FlashDevRead 63: Error(offset,length,j4fs_end,nErr)=(0x40000,0x1000,0xfffff,0x80040001)
j4fs_write_file_bootloader 192: Error(nErr=0x40000000)
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(262144), id(0), final(1)
Save Image (IBL+PBL) to flash ......
binary version: EVT1.
boot.bin is the one-binary.
relocate & fusing continue..
completed.
Erasing: 0 to 1
.
bbm erase part success
.Done.
Written 1 units.
current percent: 102 (1139/1110)
current write_count=1
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(1310720), id(3), final(1)
Save Image (SBL) to flash ......
=== SBL signature information ===
File Size : 677052
=================================
read part info
id = 0x3
attr = 0x1002
first unin = 0x2a
number units = 0x5
pages per unit = 0x40
n1st page = 0xa80, page offset = 0x13f, len = 0x48
read part info
id = 0x4
attr = 0x1002
first unin = 0x2f
number units = 0x5
pages per unit = 0x40
n1st page = 0xbc0, page offset = 0x13f, len = 0x48
Found bootable SBL ID: 4
save SBL partition id: 3
Erasing: 42 to 47
.....
bbm erase part success
.....Done.
Written 5 units.
current percent: 103 (1144/1110)
current write_count=1
save sbl id: 3 / erase sbl id: 4
.
process_packet: request id(102), data id(0)
process_packet: request id(102), data id(2)
process_packet: request id(102), data id(3)
process_rqt_xmit: size(872448), id(21), final(1)
Save Image (PARAM) to flash ......
FlashDevClose 262: Error(nErr=0x80040001)
Erasing: 52 to 72
....................
bbm erase part success
[FNW: ] STL formatted (partition ID: 21)
[FNW:INF] nVol : 0, partition_id : 21, stSTLInfo.nTotalLogScts : 2560, buf :0x46400000
TotalLogSct : 1704, size : 872448
Done.
Written 4 units.
current percent: 103 (1148/1110)
current write_count=1
set_nps_update_start: set nps start flag successfully.
process_packet: request id(103), data id(0)
process_rqt_close: xmit completed!
set_nps_update_completed: set nps completed flag successfully.
process_packet: request id(103), data id(1)
process_rqt_close: target reset!
ARIES MAGIC_ADDR=0x0 / INFORM5=0x12345678
1
-----------------------------------------------------------
Samsung Primitive Bootloader (PBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
-----------------------------------------------------------
+n1stVPN 2688
+nPgsPerBlk 64
PBL found bootable SBL: Partition(3).
Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Non Secure Boot Version.
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
Board Name: ARIES REV 03
Build On: Jun 8 2011 21:44:47
-----------------------------------------------------------
Re_partition: magic code(0x0)
[PAM: ] ++FSR_PAM_Init
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] OneNAND nMID=0xec : nDID=0x50
[PAM: ] --FSR_PAM_Init
fsr_bml_load_partition: pi->nNumOfPartEntry = 12
......... everything after this is standard data... just included this far to show it booted.
Everything worked..
Would you like WireShark to verify things?
As far as logging, the only thing I could see is this:
Code:
FlashDevRead 63: Error(offset,length,j4fs_end,nErr)=(0x40000,0x1000,0xfffff,0x80040001)
j4fs_write_file_bootloader 192: Error(nErr=0x40000000)
which means it tried to read some garbage from the OneNAND and failed.
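The capture above ends with the two `Error(...)` lines the poster points to. As an added example, not code from this thread or from Heimdall, the following Python parser reduces a log in this format to per-partition totals, collects the `func N: Error(...)` lines, reports any partition whose transfer never carried `final(1)`, and notes when the progress counter runs past its total, as it does here (`1127/1110`). The sample lines are a constructed subset in the log's format; the regular expressions are my reading of these line shapes, not a documented format.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the SBL flash log quoted in this thread
# (a subset of lines, not the full capture).
SAMPLE_LOG = """\
process_rqt_xmit: size(104857600), id(22), final(0)
Save Image (FACTORYFS) to flash ......
TotalLogSct : 204800, size : 104857600
Done.
Written 394 units.
current percent: 45 (505/1110)
process_rqt_xmit: size(58163200), id(22), final(1)
Save Image (FACTORYFS) to flash ......
Done.
Written 219 units.
current percent: 101 (1127/1110)
save param.blk, size: 5268
FlashDevRead 63: Error(offset,length,j4fs_end,nErr)=(0x40000,0x1000,0xfffff,0x80040001)
j4fs_write_file_bootloader 192: Error(nErr=0x40000000)
process_rqt_xmit: size(262144), id(0), final(1)
Save Image (IBL+PBL) to flash ......
Written 1 units.
current percent: 102 (1139/1110)
"""

XMIT_RE = re.compile(r"process_rqt_xmit: size\((\d+)\), id\((\d+)\), final\((\d)\)")
SAVE_RE = re.compile(r"Save Image \(([^)]+)\) to flash")
WRITTEN_RE = re.compile(r"Written (\d+) units\.")
PERCENT_RE = re.compile(r"current percent: (\d+) \((\d+)/(\d+)\)")
ERROR_RE = re.compile(r"^(\w+) (\d+): Error\((.*)\)$")


def parse_flash_log(text):
    """Summarise a flash log.

    Returns (partitions, errors, overshoot):
      partitions: OrderedDict name -> {id, bytes, units, chunks, final}
      errors:     list of (function, source_line, detail) from 'func N: Error(...)' lines
      overshoot:  True if a 'current percent' line reported more units than its total
    """
    partitions = OrderedDict()
    errors = []
    overshoot = False
    pending = None   # (size, id, final) from the last xmit line, consumed by the next Save Image
    current = None   # partition record that the following 'Written N units' belongs to
    for raw in text.splitlines():
        line = raw.strip()
        m = XMIT_RE.match(line)
        if m:
            pending = (int(m.group(1)), int(m.group(2)), m.group(3) == "1")
            continue
        m = SAVE_RE.match(line)
        if m:
            rec = partitions.setdefault(
                m.group(1), {"id": None, "bytes": 0, "units": 0, "chunks": 0, "final": False})
            if pending is not None:
                size, pid, final = pending
                rec["id"] = pid
                rec["bytes"] += size
                rec["final"] = rec["final"] or final
                pending = None
            rec["chunks"] += 1
            current = rec
            continue
        m = WRITTEN_RE.match(line)
        if m and current is not None:
            current["units"] += int(m.group(1))
            continue
        m = PERCENT_RE.match(line)
        if m and int(m.group(2)) > int(m.group(3)):
            overshoot = True
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append((m.group(1), int(m.group(2)), m.group(3)))
    return partitions, errors, overshoot


def unfinished_partitions(partitions):
    """Partitions whose transfer never carried final(1): the sender did not close them."""
    return [name for name, rec in partitions.items() if not rec["final"]]


def run_is_clean(text):
    """True only when no Error(...) line appeared and every partition transfer was closed."""
    partitions, errors, _ = parse_flash_log(text)
    return not errors and not unfinished_partitions(partitions)


if __name__ == "__main__":
    parts, errs, over = parse_flash_log(SAMPLE_LOG)
    for name, rec in parts.items():
        print(name, rec)
    for func, line, detail in errs:
        print("error in %s (source line %d): %s" % (func, line, detail))
    print("percent overshoot:", over, "| clean:", run_is_clean(SAMPLE_LOG))
```

Feed it a full UART capture with `parse_flash_log(open(path).read())`; an `unfinished_partitions` result that is not empty is the log-level symptom of a transfer the sender never closed, which is what the missing "finished sending" packet discussed later in this thread would look like from the device side.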
AdamOutler said:
That did it! Problem solved!
1. I uploaded the Bada bootloaders to my device in order to totally destroy my partition tables.
2. I tried to flash with heimdall 1.3 and it did not work to restore.
3. I compiled and installed the new 1.3modified version.
4. I flashed with heimdall 1.3modified and it worked.
To be sure I repeated the Bada bootloaders once again. The only thing wrong with my device now is that it has no /efs/ partition... which is understandable because bada turned the OneNAND into its *****.
Great job psych0phobia. If you need anything from me just let me know. I mean anything ...
Let me know when you can spare your device so I can modify it. Please push this change upstream.
Yay for a properly working Heimdall! Once this fix gets officially implemented I'll update my Heimdall =D
How much do you charge to make the Captivate Unbrickable? X3
I have a darn huge iq... Classified as genius level... Yet, try as I might, cannot make head or tail of Adams post...
Sent from my cell phone. DUH.
psycho2097 said:
I have a darn huge iq... Classified as genius level... Yet, try as I might, cannot make head or tail of Adams post...
Sent from my cell phone. DUH.
Don't give me credit... this is the real genius here...
psych0phobia said:
So, Adam, the first thing I would try would be to simply add the "finished sending" packet. Try recompiling with this replacement for BridgeManager.cpp and this additional file EndPitFilePacket.h in the project.
Basically, heimdall could not repartition the OneNAND. I identified the problem, provided detailed debug level information and asked for help. psych0phobia looked at the Odin/Loki protocol, learned it, found the differences between Odin and Heimdall based on the output of both programs and then wrote the fix. Make sure you thank him. Thank Benjamin Dobell as well, he wrote Heimdall in the first place.
now... if you want to compile it under Linux... open a terminal and copy-pasta.
Code:
sudo apt-get install build-essential curl git
mkdir heimdall
cd heimdall
git clone https://github.com/Benjamin-Dobell/Heimdall.git
cd Heimdall/heimdall
# save the patched source under the same name as the file it replaces
curl http://android.merseine.us/BridgeManager.cpp > ./BridgeManager.cpp
curl http://android.merseine.us/EndPitFilePacket.h > ./EndPitFilePacket.h
# back up one level to the Heimdall checkout root; libpit and heimdall are siblings there
cd ..
cd libpit
./configure
make
cd ..
cd heimdall
./configure
make
sudo make install
This will give Heimdall the ability to fully recover a bad partition table.
NOTE: This should only be used until a version greater than Heimdall 1.3.0 is released.
Yea, kinda got that part.... So my understanding would be now we can successfully flash Nexus S firmware without screwing everything up... Right? In layman-geek's terms, not super-duper-mega-geek terms....
Sent from my cell phone. DUH.
psycho2097 said:
Yea, kinda got that part.... So my understanding would be now we can successfully flash Nexus S firmware without screwing everything up... Right? In layman-geek's terms, not super-duper-mega-geek terms....
Sent from my cell phone. DUH.
I won't say anything about Nexus S just yet... We have a 100% open-source, DIY, and free method of restoring a device to stock. Linux, UnBrickable Mod and heimdall.
In other words....
In yo face jtag
whiteguypl said:
In other words....
In yo face jtag
Hell yeah! 3 cheers 4 the unbrickable mod!
Sent from my cell phone. DUH.
Just thought I should let you guys know that I've pushed the source for the 1.3.1 updates to Github and it includes a fix, thanks psych0phobia! 1.3.1 also includes substantially improved no-reboot functionality that allows Heimdall to detect and use an existing session (i.e. previous operation with the --no-reboot parameter). Basically this means that you can do things like dump your PIT and then flash your phone without rebooting in between.
I should note that I kind of forgot to update the make files. So it won't actually build on Linux/OS X until I do that when I get home (at work now). Windows users can give it a whirl though.

Samsung s3 i9300 & Note2 N7100 & i9500 s4 Dead boot solution & imei null solution s3

Samsung s3 i9300 & Note2 N7100 & i9500 s4 Dead boot repair solution & imei null solution only for i9300
Procedure:
* Download the Samsung S3 boot card maker Here
* Extract it on the desktop
* Take a card reader, insert the memory card into the card reader and connect it to the PC
* From the extracted folder run Diskdump2.exe
* Select the generic storage device. Pictures below, follow them
* Now to write the scripts follow the picture given below
Now you are done; you have successfully created the dead boot memory card.
To continue further
Requirements:
* Z3X Samsung Box or SPT Box (I used Z3X)
* Special UART cable (300k or 500k UART cable)
* Download teraterm-4.78 From Here
* Fully charged battery
Dead boot repairing procedure
* Download and extract teraterm-4.78 on the desktop
* From the extracted folder run ttermpro.exe, there select serial port and change the serial port to the Z3X serial port, like given in the picture below
* After selecting the serial port press the OK button, then go to Setup and click the Serial Port option
Select baud rate 115200, then press the OK button, like given in the picture below
* Now insert the created boot card into the mobile
* Connect the UART cable via the Z3X box
* Now insert the battery and wait for 5 min; if the process didn't start, disconnect the mobile, close ttermpro and try it again.
* If it runs successfully you will see the result like given below.
pit_check_integrity: invalid pit.(0x0)
pit_check_integrity: invalid pit.(0x0)
update_guid_partition_table: There is no pit binary.
fsd_reclaim 1283: MST is not recognized(mst.magic=0x0)
fsd_reclaim 1284: MST is not recognized
fsd_reclaim 1599: Error(nErr=0x0)
fsd_reclaim 1604: j4fs_rw_start is set to default value(128KB)
j4fs_open 153: Error(nErr=0x40000000)
j4fs_read_file_bootloader 355: j4fs panic
load_j4fs_param: 'param.j4fs' does not exist, make new one..
j4fs_write_file_bootloader 184: j4fs panic
fail
j4fs_read_file_bootloader 355: j4fs panic
load_j4fs_param: debug level file does not exist..*INCORRECT!*
init_fuel_gauge: battery is not detected, do not init fuelgauge
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL2:0x3b
init_microusb_ic: MUIC: CONTROL2:0x3a
PMIC_ID = 0x2
PMIC_IRQSRC = 0x0
PMIC_STATUS1 = 0x10
PMIC_STATUS2 = 0x0
PMIC_PWRON = 0x2
PMIC_IRQ1 = 0x27
PMIC_IRQ2 = 0x0
s5p_check_keypad: keypad value=0x0
s5p_check_reboot_mode: INFORM3 = 0 ... skip
s5p_check_upload: MAGIC CODE=d1b0f038
microusb_get_attached_device: STATUS1:0x3c, 2:0x0
s5p_check_download: update mode=0
j4fs_read_file_bootloader 355: j4fs panic
s5p_check_tzsw: invalid tzsw type! dummy?
scr_draw_image: draw 'download_error.jpg'...
j4fs_read_file_bootloader 355: j4fs panic
read_param_file: 'download_error.jpg' j4fs read failed!
fimd_div:13, div:1, FB_SOURCE_CLOCK:800000000, FB_PIXEL_CLOCK:57153600
a2, 60, 90,
* If you get this error at the end, [Patch Stop] This is not Rom Code, you can't fix your mobile; you have to change your eMMC chip
TN default
<OK>
<OK>
[DVFS] INT(1) : 0
DRAM Type : LPDDR2 8G
[DVFS] MIF(3) : 0
[EPLL][VPLL][CLK_DIV] OK
<OK>
[LOCK SW/HW]ARM:0/0 INT:0/0 G3D:0/0 MIF:0/0 SHIFT:0/0
[DVFS] ARM(0) : 5
[DVFS] INT(1) : 0
[DVFS] G3D(2) : 0
[DVFS] MIF(3) : 0
[SD_INIT
SDMMC_HighSpeedONE]
SD_READ: 20000 20000 0x40008000 -> 668484 usec
<OK>
Inp32(uAddr) : 0xea00007e
FW Booting
[Patch Stop] This is not Rom Code.
* After doing this your mobile must be in download mode or show a white screen; if white screen, manually put it into download mode.
* After dead boot repair mine showed a white screen, I manually put it into download mode, picture below
* Now update your mobile with factory firmware with the PIT file like given in the picture below. Factory firmware Download Here
* After the update completes your mobile may not have an IMEI (IMEI null) or your mobile will not boot because of the dead boot repair; your EFS must be corrupted
* To fix this problem first root your mobile, Download from here (flash it through Odin, select as Odin)
* Now download this EFS repair file and flash it through Odin, select as Odin; your mobile must boot
but the IMEI becomes like this 004999010640000
I9300_Repair_efs.tar.rar
* If your IMEI is null you can't repair it using this box, so first you have to repair the EFS using the file given above. If your IMEI becomes like this only (004999010640000) you can repair it using Z3X or another Samsung tool
* Now follow the picture to repair the IMEI problem.
* After IMEI repair
I hope this post will be helpful for lots of them :laugh::laugh::laugh::laugh::laugh::laugh: :good::good:
Thank you for your great solution.
I have revived several i9300 by your solution.
But I am facing 1 big problem: the phone which I revive by this method only has Emergency Call after upgrading the firmware to the official Samsung 4.3 ROMs. The phone was okay when under 4.1.2 firmware. (XXEMA2)
IMEI is good and serial is good. (Some phones have serial 000000000).
Another issue is the phone doesn't have a product name under download mode.
neusys said:
Thank you for your great solution.
I have revived several i9300 by your solution.
But I am facing 1 big problem: the phone which I revive by this method only has Emergency Call after upgrading the firmware to the official Samsung 4.3 ROMs. The phone was okay when under 4.1.2 firmware. (XXEMA2)
IMEI is good and serial is good. (Some phones have serial 000000000).
Another issue is the phone doesn't have a product name under download mode.
For the Emergency Call fix, run Samsung tool, there repair / run network repair.
For the serial number 000000 fix you have to repair the baseband first; try to write the serial number using Samsung tool or repair using the Asanam dongle.
Still the same? It may be a hardware issue.
Well done. Thanks for your help again. All problems have been solved.
Do I need to create a new memory card for the Note2 N7100?
Is it the same procedure for the Note2 N7100 also?
Hey Man (or more likely to be a woman )
Don't you think it is a bad idea to post your imei in public?
Bad things can happen
Done all the steps but the process won't start.
I got a dead S3 and I followed all the above steps and I'm using the SPT box for the final process but nothing happened.
I waited for 15 minutes, tried many times but same..?
Any help..?
how about for N7100, is there same procedure and same SDCARD used on i9300 ?
N7100 with no ROM
I have an N7100 that looks exactly like your S3 in the two pictures. When I turn it on it shows the exact scrambled image, and when entered in boot mode, this is what I get:
ODIN MODE (red)
PRODUCT NAME: GT-N7100
CUSTOM BINARYDOWNLOAD: No
CURENT BINARY:Samsung Official
SYSTEM STATUS: Custom
KNOX WARANTY VOID: 0
AP SWREV:
THAT IS THE EXACT MESSAGE, NOTHING PLUS OR MINUS
When I flash with Odin, it says no PIT partition. I need help with the files and procedure
super thx
carabus.adrian.daniel said:
I have an N7100 that looks exactly like your S3 in the two pictures. When I turn it on it shows the exact scrambled image, and when entered in boot mode, this is what I get:
ODIN MODE (red)
PRODUCT NAME: GT-N7100
CUSTOM BINARYDOWNLOAD: No
CURENT BINARY:Samsung Official
SYSTEM STATUS: Custom
KNOX WARANTY VOID: 0
AP SWREV:
THAT IS THE EXACT MESSAGE, NOTHING PLUS OR MINUS
When I flash with Odin, it says no PIT partition. I need help with the files and procedure
Yours may be a hardware issue, an eMMC chip problem; you have to replace it.
neusys said:
how about for N7100, is there same procedure and same SDCARD used on i9300 ?
yes same procedure
n7100 stuck in download mode
jamesjerss said:
Yours may be a hardware issue, an eMMC chip problem; you have to replace it.
Thank you for the reply, I found someone to change it for $40. I hope it will work after...
carabus.adrian.daniel said:
Thank you for the reply, I found someone to change it for $40. I hope it will work after...
So if you get this no PIT file message search for android 4.3 Pit file for your phone and flash from odin with rom and pit file both.
I don't think it is a hardware problem.
I have a few S3 i9300 which did not show any response. What's the problem?
Very useful, thanks.
How to create the SD card? I can't follow the photos because they are deleted. Anyone tell me how?
Problem
Hello, thank you for your help. I have done everything that you have written but it gives me a different error like this
[LOCK SW/HW]ARM:0/0 INT:0/0 G3D:0/0 MIF:0/0 SHIFT:0/0
[DVFS] ARM(0) : 5
[DVFS] INT(1) : 0
[DVFS] G3D(2) : 0
[DVFS] MIF(3) : 0
[SD_INIT
SDMMC_HighSpeedONE]
SD_READ: 20000 20000 0x40008000 -> 440042 usec
<OK>
Inp32(uAddr) : 0x53525353
LINUX Bootingøq!?
Please help me, I have 2 Samsung Galaxy S3 with the same problem.
neusys said:
Well done. Thanks for your help again. All problem have been solved.
Do i need to create new memory card for note2 N7100 ?
is it the same procedure for note2 N7100 also ?
Hello, I have fixed a Samsung S3 and it shows only Emergency Call. How did you fix the Emergency Call, please?
Hi jamesjerss, first of all thanks for sharing this information, it really helps! Thanks again. But now I'm facing some issue with the N7100; for the I9300 there is no problem. When I use the same method for the N7100, it shows this error, kindly help.
pit_check_integrity: invalid pit.(0x0)
pit_check_integrity: invalid pit.(0x0)
update_guid_partition_table: There is no pit binary.
fsd_reclaim 1283: MST is not recognized(mst.magic=0x0)
fsd_reclaim 1284: MST is not recognized
fsd_reclaim 1599: Error(nErr=0x0)
fsd_reclaim 1604: j4fs_rw_start is set to default value(128KB)
j4fs_open 153: Error(nErr=0x40000000)
j4fs_read_file_bootloader 355: j4fs panic
load_j4fs_param: 'param.j4fs' does not exist, make new one..
j4fs_write_file_bootloader 184: j4fs panic
fail
j4fs_read_file_bootloader 355: j4fs panic
load_j4fs_param: debug level file does not exist..*INCORRECT!*
init_fuel_gauge: fuelgauge power ok
init_fuel_gauge: POR status
fuelgauge_por: POR start: vcell(3886), vfocv(3918), soc(66)
fuelgauge_por: update SDI parameter
fuelgauge_por: RCOMP(0x87), TEMPCO(0x930)
fuelgauge_por: POR finish: vcell(3887), vfocv(3951), soc(61)
get_table_soc: vcell(3887) is caculated to t-soc(67.89)
init_fuel_gauge: start: vcell(3887), vfocv(3951), soc(61), table soc(67)
init_fuel_gauge: finish: vcell(3887), vfocv(3951), soc(61), table soc(67)
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL2:0x3b
init_microusb_ic: MUIC: CONTROL2:0x3a
PMIC_ID = 0x2
PMIC_IRQSRC = 0x0
PMIC_STATUS1 = 0x10
PMIC_STATUS2 = 0x0
PMIC_PWRON = 0x2
PMIC_IRQ1 = 0xc
PMIC_IRQ2 = 0x0
s5p_check_keypad: keypad value=0x0
s5p_check_reboot_mode: INFORM3 = 0 ... skip
s5p_check_upload: MAGIC CODE=7d98e8c0
microusb_get_attached_device: STATUS1:0x3d, 2:0x0
s5p_check_download: update mode=0
j4fs_read_file_bootloader 355: j4fs panic
s5p_check_tzsw: invalid tzsw type! dummy?
scr_draw_image: draw 'download_error.jpg'...
j4fs_read_file_bootloader 355: j4fs panic
read_param_file: 'download_error.jpg' j4fs read failed!
fimd_div:13, div:1, FB_SOURCE_CLOCK:800000000, FB_PIXEL_CLOCK:57153600
[ERROR:LCD] s6e8ax0_read_id : s6e8ax0_read() failed
Thank you
Sent from my Nexus 4 using Tapatalk

Rooting MediaTek Based Linux Smart TV

Hi Guys,
I am looking for methods to get root on my Linux smart tv. Anyone have any ideas?
I ran metasploit against it and had no luck, it did find some open ports for upnp and something
called twonkymedia but I was not able to get anywhere with that.
I have a Hisense LTDN50K220GWUS (Hisense 50H5GB) Smart TV that is running what appears to be a customized version of "Opera TV OS"
It's running on "Linux-3.0.13" and is using U-Boot. I tried connecting a USB keyboard to the ports and pounding escape and other buttons
but that didn't get me anywhere.
Using Binwalk I was able to extract some info from a ROM firmware image:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
613 0x265 Unix path: /DTV/ROMCODE/NANDBOOT/V01.00
778954 0xBE2CA ELF, 32-bit LSB relocatable, ARM, version 1 (SYSV)
779300 0xBE424 Unix path: /home/gfkfcmo/CMO/MTK5651_US_II_WFD/vm_linux/chiling/uboot/drv_lib/mt5880/inc
1188782 0x1223AE UBI volume ID header, version: 1, type: 1, volume id: 0, size: 0
1190830 0x122BAE UBIFS superblock node, CRC: 0x50BF95C5, flags: 0x0, min I/O unit size: 2048, erase block size: 126976, erase block count: 1016, max erase blocks: 3271, format version: 4, compression type: lzo
1321902 0x142BAE UBIFS master node, CRC: 0xCC5C7044, highest inode: 2313, commit number: 0
1452974 0x162BAE UBIFS master node, CRC: 0xC06C8559, highest inode: 2313, commit number: 0
2632671 0x282BDF XML document, version: "1.0"
2633575 0x282F67 XML document, version: "1.0"
2636223 0x2839BF XML document, version: "1.0"
2637455 0x283E8F XML document, version: "1.0"
{{{ TRUNKATED }}}
132181160 0x7E0ECA8 Unix path: /mtk94064/p4_views/yaocheng.fei/ws_*<
132236386 0x7E1C462 Unix path: /i686/bin/../sysroot/usr/include
132240154 0x7E1D31A Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*=
132277477 0x7E264E5 Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132295801 0x7E2AC79 Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132320817 0x7E30E31 Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132336687 0x7E34C2F Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132337438 0x7E34F1E Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132362676 0x7E3B1B4 Base64 standard index table
132404806 0x7E45646 Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132432505 0x7E4C279 mcrypt 2.5 encrypted data, algorithm: "N", keysize: 440 bytes, mode: "\",
132462804 0x7E538D4 Base64 standard index table
132499502 0x7E5C82E Unix path: /proj/mtk94064/p4_views/yaocheng.fei/ws_*<
132532241 0x7E64811 mcrypt 2.5 encrypted data, algorithm: "N", keysize: 440 bytes, mode: "\",
132547032 0x7E681D8 Unix path: /mtk94064/p4_views/yaocheng.fei/ws_*<
133142037 0x7EF9615 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
133142057 0x7EF9629 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
133599305 0x7F69049 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
134172625 0x7FF4FD1 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
134360038 0x8022BE6 Squashfs filesystem, little endian, version 4.0, compression:gzip (non-standard type definition), size: 7064247 bytes, 126 inodes, blocksize: 131072 bytes, created: 2015-01-13 09:46:16
141462558 0x86E8C1E Squashfs filesystem, little endian, version 4.0, compression:gzip (non-standard type definition), size: 27403340 bytes, 1215 inodes, blocksize: 131072 bytes, created: 2015-01-13 09:47:38
168987734 0xA128C56 Squashfs filesystem, little endian, version 4.0, compression:gzip (non-standard type definition), size: 27403340 bytes, 1215 inodes, blocksize: 131072 bytes, created: 2015-01-13 09:47:38
196508814 0xBB67C8E uImage header, header size: 64 bytes, header CRC: 0x2C8E13D2, created: 2015-01-13 09:35:35, image size: 2060549 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x5A54C3A0, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
196508878 0xBB67CCE LZO compressed data
196508929 0xBB67D01 uImage header, header size: 64 bytes, header CRC: 0xCB5E2D0F, created: 2015-01-13 09:35:33, image size: 3839076 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x354C5FF1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
197183535 0xBC0C82F SHA256 hash constants, little endian
198761115 0xBD8DA9B uImage header, header size: 64 bytes, header CRC: 0x2C8E13D2, created: 2015-01-13 09:35:35, image size: 2060549 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x5A54C3A0, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
198761179 0xBD8DADB LZO compressed data
198761230 0xBD8DB0E uImage header, header size: 64 bytes, header CRC: 0xCB5E2D0F, created: 2015-01-13 09:35:33, image size: 3839076 bytes, Data Address: 0x7FC0, Entry Point: 0x8000, data CRC: 0x354C5FF1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.0.13"
199435836 0xBE3263C SHA256 hash constants, little endian
The firmware can be found here, it's a zipped *.pkg file http://hisense-usa.com/support/firmware/50H5G_V00.01.130a.F0113_us.zip
If it helps I also have the ports that metasploit was able to find on it:
Code:
10.0.0.76 unknown 8060 tcp
10.0.0.76 upnp 9085 tcp TwonkyMedia UPnP UPnP 1.0; pvConnect SDK 1.0; Twonky SDK 1.1
10.0.0.76 13000 tcp
10.0.0.76 tcpwrapped 56789 tcp
10.0.0.76 tcpwrapped 56790 tcp
Hi,
@borillion_star Did you find a way to extract the .pkg file ?
Yes I did, you can use binwalk, and it can extract the files from the pkg. Vache, if you need help let me know.
Hi
How did you progress with rooting?
I would like to do the same to LTDN**K720WTSEU
And your post is the only lead I got.
The
Good luck
tommyk999 said:
Hi
How did you progress with rooting?
I would like to do the same to LTDN**K720WTSEU
And your post is the only lead I got.
The
Good luck
@tommyk999 and @vache The pkg files do not contain any files such as /etc/shadow or /etc/passwd that can be used to get the root account password.
I think the only way is to try and dump the tv firmware, there appears to be a serial or uart on the mainboard but I have not had the chance to try that yet.
borillion_star said:
Yes I did you can you binwalk, and it can extract the files from the pkg. Vache if you need help let me know.
Yes, i was able to unpack firmware using binwalk.
Still looking into filesystem to find some backdoors.
App for rooting hisense TV, it may help you.
https://mega.nz/#!twYhHZhS!ZW_fdid_P4OtlcqwHCO5Z5nNlYM1cOEluYDrLrE0qM4
Sent from my SM-N910F using Tapatalk
Any update on progress? Would be possible to connect raspberry pi with already rooted firmware to go around stock firmware? So you won't void warranty and when anything goes wrong you just disconnect raspb. Pi and go with stock.
Sent from my SM-N910F using Tapatalk
tommyk999 said:
App for rooting hisense TV, it may help you.
https://mega.nz/#!twYhHZhS!ZW_fdid_P4OtlcqwHCO5Z5nNlYM1cOEluYDrLrE0qM4
Sent from my SM-N910F using Tapatalk
Because I don't know where this came from, and what it will do to my computer if I try to run anything in it, or on my TV, I am going to take a look at it and figure it out.
Probably going to be a couple days until I get to it.
As for the Raspberry Pi, yes you can always connect any device over HDMI and disconnect it without changing the TV firmware in any way. That somewhat defeats the goal
of rooting the linux running on the tv though.
borillion_star said:
Because I don't know where this came from, and what it will do to my computer if I try to run anything in it, or on my TV, I am going to take a look at it and figure it out.
Probably going to be a couple days until I get to it.
As for the Raspberry Pi, yes you can always connect any device over HDMI and disconnect it without changing the TV firmware in any way. That somewhat defeats the goal
of rooting the linux running on the tv though.
That zip file actually contains a root for HiSense TV's running android. You can tell because of the adb.exe and the apk file types. It doesn't apply here.
I did purchase a logic board for this TV with the power board off of ebay. There is something on it that is marked as a UART with 3.3V.
I will power it up and see what I can read out while it's booting, and post when I am able.
I got some PDF file, it is in Chinese, for led65k720uc. It is getting interesting at the end; I think it describes how to get access to the system with some description. Hope this would help you.
https://mega.nz/#!sggVSJaS
Found some info on led42k220 but have to find a way how to translate pdf from Chinese to English
https://drive.google.com/file/d/0B7GyFV1vAMbRUkt0LW9kRjUzQ1E/view?usp=docslist_api
Sent from my SM-N910F using Tapatalk
tommyk999 said:
App for rooting hisense TV, it may help you.
https://mega.nz/#!twYhHZhS!ZW_fdid_P4OtlcqwHCO5Z5nNlYM1cOEluYDrLrE0qM4
Sent from my SM-N910F using Tapatalk
Looks like it's for AndroidTV, while mine runs OperaTV.
I will keep looking hope I found something with opera
Sent from my SM-N910F using Tapatalk
What type is Chinese equivalent to 50k220gwus?
Sent from my SM-N910F using Tapatalk
Mouse/keyboard works on browser, but nothing to do here.
I'm trying to repack firmware after changing some interesting files to check if we can do something interesting.
I first get squashfs filesystem using dd command, then tried to mount it but no luck.
So I used unsquashfs to unpack it (like binwalk did).
Then i used mksquashfs to repack it and used dd to inject file again in upgrade_loader.pkg
OperaTV is new for me, i have to learn how it works before going further.
--------------------------------------------------------------------------------------------------------------------
Firmware analysis (from 40EC591)
Partitions:
3rdw (Apps ?) (ext4 - /dev/mmcblk0p12 - dev/mmcblk0p11)
3rdp (Apps ?) (squashfs - dev/mmcblk0p11)
uImage (kernel - /dev/mmcblk0p5)
rootfs.bin (squashfs - /dev/mmcblk0p7)
pq.bin (? - /dev/mmcblk0p16)
aq.bin (? - /dev/mmcblk0p17)
adsp.bin (? - /dev/mmcblk0p21)
facsetdata.bin (? - /dev/mmcblk0p25)
uboot.bin (bootloader - /dev/mmcblk0p1)
uenv.bin (? - /dev/mmcblk0p2)
logo.bin (? - /dev/mmcblk0p18)
default_db.bin (? - /dev/mmcblk0p23)
hdmi_2_0_hdcp.bin (? - /dev/mmcblk0p24)
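The binwalk listing in borillion_star's post and the dd / unsquashfs / mksquashfs steps in vache's post both come down to locating embedded images by their headers and checking them before trusting or re-injecting them. As an added example (my own code, not the thread's and not any vendor's), the Python below carves legacy U-Boot uImage headers and squashfs 4.x superblocks out of a blob and verifies the uImage header and data CRCs. Field layouts follow U-Boot's image.h and the squashfs on-disk superblock; treating the lzop stream header as what binwalk reports as "LZO compressed data" is an assumption, noted because the listing above shows uImage headers that declare compression "none" with LZO data directly behind them, so the header's compression field alone is not a safe guide. All sample bytes are constructed.

```python
import struct
import zlib

# Legacy U-Boot image header: 64 bytes, big-endian, field order from U-Boot's image.h.
UIMAGE_MAGIC = 0x27051956
UIMAGE_HEADER_LEN = 64
UIMAGE_FMT = ">7I4B32s"   # magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
IH_OS_LINUX, IH_ARCH_ARM, IH_TYPE_KERNEL = 5, 2, 2
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma", 4: "lzo"}
LZOP_MAGIC = b"\x89LZO\x00\r\n\x1a\n"   # lzop stream header (assumed to be binwalk's "LZO compressed data")

# squashfs 4.x superblock, little-endian; field order from the squashfs on-disk format.
SQUASHFS_MAGIC_LE = b"hsqs"
SQUASHFS_FMT = "<5I6HQQ"  # magic, inodes, mkfs_time, block_size, fragments, comp, block_log, flags, no_ids, major, minor, root_inode, bytes_used
SQUASHFS_COMP = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage_header(buf, off=0):
    """Parse the uImage header at buf[off:] and verify both CRCs; None if no magic is there."""
    if len(buf) < off + UIMAGE_HEADER_LEN:
        return None
    hdr = buf[off:off + UIMAGE_HEADER_LEN]
    magic, hcrc, _t, size, load, ep, dcrc, os_, arch, typ, comp, name = struct.unpack(UIMAGE_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        return None
    data = buf[off + UIMAGE_HEADER_LEN:off + UIMAGE_HEADER_LEN + size]
    return {
        "kind": "uImage", "offset": off, "size": size, "load": load, "entry": ep,
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "os": os_, "arch": arch, "type": typ, "comp": IH_COMP.get(comp, "unknown(%d)" % comp),
        # the header CRC is computed over the header with the hcrc field itself zeroed
        "hcrc_ok": crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) == hcrc,
        "dcrc_ok": len(data) == size and crc32(data) == dcrc,
        # a header may claim comp=none while the payload is an lzop stream: report it rather than trust comp
        "payload_looks_lzop": data.startswith(LZOP_MAGIC),
    }


def parse_squashfs_superblock(buf, off=0):
    """Parse a squashfs 4.x superblock at buf[off:]; None if no magic is there."""
    if buf[off:off + 4] != SQUASHFS_MAGIC_LE or len(buf) < off + struct.calcsize(SQUASHFS_FMT):
        return None
    (_m, inodes, _t, block_size, _frag, comp, block_log, _flags, _ids,
     major, minor, _root, bytes_used) = struct.unpack_from(SQUASHFS_FMT, buf, off)
    return {
        "kind": "squashfs", "offset": off, "inodes": inodes, "block_size": block_size,
        "bytes_used": bytes_used, "version": "%d.%d" % (major, minor),
        "compression": SQUASHFS_COMP.get(comp, "unknown(%d)" % comp),
        # block_log must agree with block_size; a mismatch means a stray magic, a damaged or a forged superblock
        "consistent": block_size == 1 << block_log,
    }


def scan_image(buf):
    """Find every uImage header and squashfs superblock in buf (binwalk-style), sorted by offset."""
    hits = []
    for sig, parser in ((struct.pack(">I", UIMAGE_MAGIC), parse_uimage_header),
                        (SQUASHFS_MAGIC_LE, parse_squashfs_superblock)):
        pos = buf.find(sig)
        while pos != -1:
            rec = parser(buf, pos)
            if rec is not None:
                hits.append(rec)
            pos = buf.find(sig, pos + 1)
    return sorted(hits, key=lambda r: r["offset"])


def build_uimage(payload, name, load=0x7FC0, entry=0x8000, comp=0):
    """Wrap payload in a legacy uImage header with correct CRCs (used here for constructed test data)."""
    hdr = struct.pack(UIMAGE_FMT, UIMAGE_MAGIC, 0, 0, len(payload), load, entry, crc32(payload),
                      IH_OS_LINUX, IH_ARCH_ARM, IH_TYPE_KERNEL, comp, name.encode("ascii"))
    return hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:] + payload


def build_squashfs_superblock(inodes, block_size, comp, bytes_used):
    """Minimal squashfs 4.0 superblock with no filesystem behind it (constructed test data)."""
    return struct.pack(SQUASHFS_FMT, 0x73717368, inodes, 0, block_size, 0,
                       comp, block_size.bit_length() - 1, 0, 1, 4, 0, 0, bytes_used)


# Constructed sample blob: filler, a uImage at UIMAGE_OFF, padding, then a squashfs superblock.
KERNEL_PAYLOAD = bytes(range(256)) * 8
UIMAGE_OFF = 100
SQUASHFS_OFF = UIMAGE_OFF + UIMAGE_HEADER_LEN + len(KERNEL_PAYLOAD) + 36
SAMPLE_IMAGE = (b"\xff" * UIMAGE_OFF + build_uimage(KERNEL_PAYLOAD, "Linux-3.0.13") + b"\0" * 36
                + build_squashfs_superblock(126, 131072, 1, 7064247) + b"\0" * 64)

if __name__ == "__main__":
    for rec in scan_image(SAMPLE_IMAGE):
        print(rec)
```

Run it on a real dump with `scan_image(open(path, "rb").read())`. A `hcrc_ok` or `dcrc_ok` of False on an image you have just repacked is the quickest sign that the header was not regenerated after the payload changed, and `consistent` False on a squashfs hit means the offset is a stray magic rather than a filesystem you can hand to unsquashfs.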

Unlocking LGUP features for fun and profit

I wasn't sure where to post this. If this is better posted somewhere else, please tell me or move it.
LGUP comes in different variants. Dev, LAB, Store, 3rdParty.
Depending on the variant you're running, different features are exposed by your model.dll.
If you hack LGUP, you can unlock features!
Hacked LGUP:
Store LGUP:
I've tested the 'DUMP' function to see if the unlocked features are actually working, and yes, it works:
Unfortunately, LG has implemented checks to prevent you from just modifying your LGUP.exe or LGUP_8994.dll to expose these features.
LG uses a temporary file to pass the features from the DLL to the application.
So it's just a matter of pausing LGUP at the right time, changing the file, and voilà.
I did it this way:
Load LGUP.exe in IDA (Interactive Disassembler).
Wait until it's done analyzing.
Set the debugger to WinDbg. (F9)
Run the application (F9) one time to fix the memory addresses.
You will get popups about exceptions; pass them to the application and continue running.
Exit LGUP.
Set a breakpoint at loc_6989F. (If you can't find the location, search for the string UI_Config.lgl, go to the code xref where it's used and break there.)
Run the application.
When the application stops at the breakpoint, open "C:\Program Files (x86)\LG Electronics\LGUP\model\8994\UI_Config.lgl" in a text editor.
Find/replace "LAB" with "Store".
Save the file.
Continue running the application.
Tada, unlocked features!
holy crap, this is actually really helpful!
I've found another way to do this.
LGUP uses signature verification to prevent you from just hex-editing the files.
The LGUP.exe verifies the model.dll and the model.dll verifies the LGUP.exe.
I've patched this out of my model/8994/LGUP_8994.dll and modified LGUP.exe to look for strUser="DEV" instead of strUser="Store".
Now I can just start lgup.exe and get the 'Dev' functions.
I'm not sure how to distribute this.
I don't think I should just distribute modified versions of LG's software. This will make LG unhappy.
But I'm also not sure how to distribute binary patches in a way that's easy to use for others.
Here are my patches:
--- LGUP.exe (1.14.0.3)
Code:
@@ -2227,7 +2227,7 @@
00008b20: 0445 0400 0f84 4201 0000 8b96 5445 0400 .E....B.....TE..
00008b30: 8b3d fcf0 4300 6884 5144 0052 ffd7 8945 .=..C.h.QD.R...E
00008b40: dc85 c074 518b 8e40 0100 00e8 6047 0100 [email protected]`G..
-00008b50: 85c0 751b 8945 e068 f4c5 4400 8d45 e050 ..u..E.h..D..E.P
+00008b50: 85c0 eb1b 8945 e068 f4c5 4400 8d45 e050 .....E.h..D..E.P
00008b60: c786 3001 0000 0100 0000 e82d d602 00ff ..0........-....
00008b70: 55dc 83f8 ff75 1f68 f4c5 4400 8d4d d851 U....u.h..D..M.Q
00008b80: c786 3001 0000 0100 0000 c745 d800 0000 ..0........E....
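Review bot: the single changed byte at 0x8b52, `75` (jne rel8) to `eb` (jmp rel8), makes the block at 0x8b54..0x8b6e never run instead of running only when the call at 0x8b4b (`e8 6047 0100`) returned zero, so the `test eax,eax` (`85c0`) in front of it is now dead code; the patch description should say what that call is (the post's statement that it is the DLL cross-check is not visible in these bytes), and since 0x8b50 is a fixed file offset for 1.14.0.3, a patcher should match the surrounding `85c0 751b 8945 e068` context rather than write blindly to that offset. The jump target is unchanged (0x8b54 + 0x1b = 0x8b6f, the `ff55 dc` indirect call at the start of the next line), so no displacement needed recomputing.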
@@ -7486,7 +7486,7 @@
0001d3d0: 55d8 53c7 45a4 3000 0000 895d a889 5dac U.S.E.0....]..].
0001d3e0: c745 b002 0000 0089 5db4 897d b889 7dc0 .E......]..}..}.
0001d3f0: 895d c489 5dc8 895d d089 55bc c745 cc00 .]..]..]..U..E..
-0001d400: 0100 00ff 1544 f443 003d 0901 0b80 7f69 .....D.C.=.....i
+0001d400: 0100 00ff 1544 f443 00b8 0000 0000 eb69 .....D.C.......i
0001d410: 7460 3d26 2009 8074 523d 0400 0b80 7444 t`=& ..tR=....tD
0001d420: 3d00 010b 8075 5dff 15d8 f043 003d 0001 =....u]....C.=..
0001d430: 0b80 741f 3d03 000b 8074 183d 0100 0b80 ..t.=....t.=....
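Review bot: at 0x1d409 the seven bytes `3d 0901 0b80 7f69` (cmp eax,0x800B0109; jg +0x69) become `b8 0000 0000 eb69` (mov eax,0; jmp +0x69), same length and same target, so eax leaves this point as 0 and the comparison chain in the following context lines (`3d 2620 0980`, `3d 0400 0b80`, `3d 0001 0b80`, `3d 0300 0b80`, `3d 0100 0b80`) is never evaluated. Those immediates are consistent with the HRESULTs WinVerifyTrust reports (0x800B0109 CERT_E_UNTRUSTEDROOT, 0x800B0100 TRUST_E_NOSIGNATURE, 0x80092026 CRYPT_E_SECURITY_SETTINGS) and the value being tested comes straight from the import call `ff15 44f4 4300` just before, which is stronger evidence that this is the signature check than the post gives and belongs in the patch description. Because `jg` is a signed compare against a negative immediate, a genuine S_OK (0) already took this jump, so the patch preserves the success path byte for byte and only removes the failure classification.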
@@ -18056,7 +18056,7 @@
00046870: 696f 6e00 504f 5349 5449 4f4e 0000 0000 ion.POSITION....
00046880: 6e58 506f 7300 0000 6e59 506f 7300 0000 nXPos...nYPos...
00046890: 6e57 6964 7468 0000 5355 5050 4f52 5400 nWidth..SUPPORT.
-000468a0: 7374 7255 7365 7200 5354 4f52 4500 0000 strUser.STORE...
+000468a0: 7374 7255 7365 7200 4445 5600 0000 0000 strUser.DEV.....
000468b0: 534f 4654 5741 5245 5f53 5441 5449 4300 SOFTWARE_STATIC.
000468c0: 534f 4654 5741 5245 5f43 5452 4c00 0000 SOFTWARE_CTRL...
000468d0: 4649 4c45 5f54 5950 455f 4558 0000 0000 FILE_TYPE_EX....
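Review bot: `STORE\0` is replaced by `DEV\0\0\0` at 0x468a8, NUL-padded so the string table keeps its length and the `SOFTWARE_STATIC` entry at 0x468b0 is not disturbed, which is correct; worth recording that this literal is upper-case `STORE` while the UI_Config.lgl edit earlier in the thread used `LAB`/`Store`, so the patch description should state how the `strUser` value is compared (case-insensitively or after normalisation) or an edited config and the patched constant can disagree. This hunk is independent of the two signature-check hunks: it changes which variant the exe selects, not whether the files are verified.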
model/8994/LGUP_8994.dll:
Code:
@@ -6451,7 +6451,7 @@
00019320: 55d8 53c7 45a4 3000 0000 895d a889 5dac U.S.E.0....]..].
00019330: c745 b002 0000 0089 5db4 897d b889 7dc0 .E......]..}..}.
00019340: 895d c489 5dc8 895d d089 55bc c745 cc00 .]..]..]..U..E..
-00019350: 0100 00e8 3439 1a00 3d09 010b 807f 6774 ....49..=.....gt
+00019350: 0100 00e8 3439 1a00 b800 0000 00eb 6774 ....49........gt
00019360: 5e3d 2620 0980 7450 3d04 000b 8074 423d ^=& ..tP=....tB=
00019370: 0001 0b80 755b ff15 0c05 1e10 3d00 010b ....u[......=...
00019380: 8074 1e3d 0300 0b80 7417 3d01 000b 8074 .t.=....t.=....t
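Review bot: this is the same seven-byte rewrite as in LGUP.exe (cmp eax,0x800B0109; jg to mov eax,0; jmp), here at 0x19358 with displacement 0x67 instead of 0x69 and preceded by a direct call `e8 3439 1a00` rather than an import call; the displacement byte is the only part that differs between files, which is why a six-byte search for `3d 09 01 0b 80 7f` replaced with `b8 00 00 00 00 eb` also fits other LGUP DLLs. Any patcher built on that search should copy the trailing byte rather than hardcode it, and should refuse to write when the pattern matches zero times or more than once in a file.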
This looks very promising
So I can modify it to do all this myself, or have you made a modded one we can download?
TheMadScientist420 said:
This looks very promising
So I can modify it to do all this myself, or have you made a modded one we can download?
You should do this yourself for now.
I don't think I should distribute modded versions of other peoples copyrighted work.
Thanks for the instructions one more time!
As an H850 user, I had to patch LGUP.exe as per your instructions and /model/Common/LGUP_Common.dll (I just searched for "3d 09 01 0b 80 7f" and replaced it with "b8 00 00 00 00 eb").
RolF2 said:
Thanks for the instructions one more time!
As an H850 user, I had to patch LGUP.exe as per your instructions and /model/Common/LGUP_Common.dll (I just searched for "3d 09 01 0b 80 7f" and replaced it with "b8 00 00 00 00 eb").
That's great to hear!
Good idea to just search for those bytes and replace them.
If other people have success with this, I'm curious to hear about it.
Good tool to back up partitions before bootloader unlock and after, to see what's changed.
I don't know, I can't follow what's going on. I got to the point of searching for b8 00 00 00 00 eb but can't edit it.
RolF2 said:
Thanks for the instructions one more time!
As an H850 user, I had to patch LGUP.exe as per your instructions and /model/Common/LGUP_Common.dll (I just searched for "3d 09 01 0b 80 7f" and replaced it with "b8 00 00 00 00 eb").
So I found this line of hex but can't edit it.
You can't save changes in the hex editor? Then run the hex editor as administrator, or copy the files for editing to another disk and try again.
Just curious... Does anybody know what the "boarddownload" option does? Does that back up the motherboard's firmware or BIOS or something? Sorry if the question sounds dumb. I'm not a developer or anything.
OK, looks like it's too quiet here. We can dump all partitions from the phone with the "dump" function, and there's also a "partition dl" function, so it looks like we can flash only one partition to the phone... The problem is that the program crashes when I try to flash back a dumped partition... so how do I convert a dumped partition image to a flashable img, as simply renaming it to .img doesn't work?
RolF2 said:
OK, looks like it's too quiet here. We can dump all partitions from the phone with the "dump" function, and there's also a "partition dl" function, so it looks like we can flash only one partition to the phone... The problem is that the program crashes when I try to flash back a dumped partition... so how do I convert a dumped partition image to a flashable img, as simply renaming it to .img doesn't work?
It isn't a problem with the image, it's a problem with the patch... we should really look into how to fix this.
@smitel
Can you try the "partition dl" function in IDA?
Honestly Annoying said:
It isn't a problem with the image, it's a problem with the patch... we should really look into how to fix this.
How do you know it's a problem with the patch?
RolF2 said:
@smitel
can you try "partition dl" function in IDA ?
What do you mean?
Figure out what it does/wants?
Look at your crash?
FWIW, I get "Error: General exception error in _initializeProcess()" when I try 'PARTITION DL'.
I'm guessing the 'DUMP' function produces a raw dump of the block device, where 'PARTITION DL' requires a particular header (as in .TOT or .MBN) to define what gets flashed where.
FWIW, I find the following functions in my LGUP_8994.dll:
Code:
v5 = sub_1000B4F0(v4, (int)"REFURBISH", v3);
v8 = sub_1000B4F0(v7, (int)"UPGRADE", v6);
v11 = sub_1000B4F0(v10, (int)"CHIPERASE", v9);
v14 = sub_1000B4F0(v13, (int)"BOARDDOWNLOAD", v12);
if ( (v14 || v2 < 0xD || (LOBYTE(v14) = v2 != 13, v14)) && sub_1000C6A0(v1, "PROCESS_FAC_BOARDDOWNLOAD") )
if ( sub_1000C6A0(v1, "PROCESS_CS_WEBDOWNLOAD") )
if ( sub_1000C6A0(v1, "PROCESS_MBNBUILD") && sub_1000C6A0(v1, "TOT BUILD") )
if ( sub_1000C6A0(v1, "RECOVERY") )
if ( sub_1000C6A0(v1, "DOWNGRADE") )
if ( sub_1000C6A0(v1, "SCRIPT") && sub_1000C6A0(v1, "PROCESS_FAC_SCR") )
if ( sub_1000C6A0(v1, "PROCESS_FAC_UPGRADE") )
if ( sub_1000C6A0(v1, "PRL/ERI WRITE") && sub_1000C6A0(v1, "PRL UPDATE") )
if ( sub_1000C6A0(v1, "PRL/ERI READ") && sub_1000C6A0(v1, "PRL READ") )
if ( sub_1000C6A0(v1, "PHONESETTING") )
if ( sub_1000C6A0(v1, "PARTITION DL") )
if ( sub_1000C6A0(v1, "PB BACKUP") )
if ( sub_1000C6A0(v1, "PB RESTORE") )
if ( sub_1000C6A0(v1, "FOTA UPGRADE") )
if ( !sub_1000C6A0(v1, "DUMP") )
I'm trying to follow the 'path' to understand what code gets called, but it's not very clear to me.
Every 'if' just results in a
Code:
*(_DWORD *)(v16 + 88) = 48;
}
else
{
*(_DWORD *)(v16 + 88) = 47;
}
}
else
{
*(_DWORD *)(v16 + 88) = 46;
But I haven't been able to follow what happens with it.
Here's a list of what functions are which 'ID'.
Code:
DUMP = 48 / 30h;
FOTA UPGRADE = 47 / 2Fh
PB RESTORE = 46 / 2Eh
PB BACKUP = 45 / 2Dh
PARTITION DL = 44 / 2Ch
PHONESETTING = 8 / 8h
PRL/ERI READ / PRL READ = 43 / 2Bh
PRL/ERI WRITE / PRL WRITE = 42 / 2Ah
PROCESS_FAC_UPGRADE = 0 / 0h
SCRIPT / PROCESS_FAC_SCR = 2 / 2h
DOWNGRADE = 41 / 29h
RECOVERY = 6 / 6h
PROCESS_MBNBUILD / TOT BUILD = 40 / 28h
PROCESS_CS_WEBDOWNLOAD = special
v15 = *(_DWORD *)(v16 + 1364);
if ( v15 == 3 )
*(_DWORD *)(v16 + 88) = 17;
else
*(_DWORD *)(v16 + 88) = 2 * (v15 == 5) + 16;
PROCESS_FAC_BOARDDOWNLOAD / BOARDDOWNLOAD = 7 / 7h
CHIPERASE = 32 / 20h
UPGRADE = 15 / Fh
REFURBISH = 9 / 9h
I was hoping to find a switch/case somewhere that would consume all these possibilities, but only find a partial one.
In sub_10081930() I see:
Code:
switch ( v1 )
{
case 40:
result = sub_10081570(this);
break;
case 45:
result = sub_1007E440(this);
break;
case 46:
result = sub_100807A0();
break;
case 2:
result = (*(int (**)(void))(*(_DWORD *)this + 60))();
break;
default:
result = sub_10083A70(this);
break;
}
And in this sub_1007E440() I see references to 'PB Backup', so this is one switch/case.
FWIW, when I rename my modemst1_COM7 to modemst1_COM7.tot I get error: "Error: TOT file is invalid[1]".
This message gets output by sub_1004CD20().
This might help with finding how/where stuff gets processed.
smitel said:
FWIW, when I rename my modemst1_COM7 to modemst1_COM7.tot I get error: "Error: TOT file is invalid[1]".
This message gets output by sub_1004CD20().
This might help with finding how/where stuff gets processed.
The .tot is a whole list of files; I don't think renaming one partition to .tot would work.
It sucks, I look at all you guys' partitions and it's a TWRP heaven for restore. I still can't get the patch to work.
I wonder if the old LG firmware extractor or diagtool could repack these into a .tot format, though; between the two of them they made all my hard-brick restore images and crap for the G2, G3, G4.
I couldn't find an updated firehose bin for my G4 but still made a complete debrick image.
smitel said:
How do you know it's a problem with the patch?
What do you mean?
Figure out what it does/wants?
Look at your crash?
FWIW, I get "Error: General exception error in _initializeProcess()" when I try 'PARTITION DL'.
I'm guessing the 'DUMP' function produces a raw dump of the block device, where 'PARTITION DL' requires a particular header (as in .TOT or .MBN) to define what gets flashed where.
Man, if I can get this patch to work for me... I'm not so good in this area of hex editing.
It's been a long time, lol, old NES ROMs. I think with all these dumps I could get them repacked into a .tot format that LGFlashTool could use. In my case, I don't have a ZVA firmware released and I think I could put one together here.
Maybe you could explain to me better how to patch this. I try searching and can't find it half the time; when I do, even as administrator I can't edit the hex code.

[HOW TO][DISCUSSION] UnBrick Samsung Galaxy Tab 2

There are several ways to repair a hard-bricked Samsung Galaxy Tab 2:
* Those who damaged the bootloader can try Running stock U-Boot from SD Card
* Those who have a HW fault like the eMMC bug can participate in the development of Running entire system from SD Card
The second one may be solved later with the help of some experienced people.
Run stock U-Boot from SD Card
Requirements
* A hard-bricked Samsung Galaxy Tab 2 (GT-P5100). You can recognize this by the device doing nothing at all: charging not working, the power button doing nothing, recovery not working. More info: How To Unbrick Your Galaxy Tab!
* An SD card supporting UHS-I UHS104 (SDR104). It is not easy to determine which cards support this mode and which do not; I tried many cards and the UHS-I label is not enough, so I asked SanDisk support and they recommended SanDisk Extreme. I bought a SanDisk Extreme 32GB, and this card is working. I would say that every 90MB/s+ card should work.
step 0 (Windows only)
Windows
* Install drivers for OMAP 4430 Guide / Drivers inside OMAPFlash download
* VirtualBox with Linux
* Set VirtualBox to capture OMAP 4430
* Download win iso burner
step 1
Windows & Linux
* Download [omapboot](https://github.com/LukasTomek/omapboot) to Linux
* Download [ Debrick dump imgs](https://forum.xda-developers.com/showpost.php?p=65114419&postcount=2)
step 2
Prepare SD card
Windows
Use win iso burner to write the Debrick dump imgs to the SD card.
Linux
Write the Debrick dump imgs to the SD card.
Be careful to use the right device sdX.
Code:
dd if=debrick.img of=/dev/sdX
step 3
In Linux Run
Code:
/home/lukas/SamsungP5100/omapboot# python3 omapboot.py -b
you will see:
Code:
/home/lukas/SamsungP5100/omapboot# python3 omapboot.py -b
Boot from MMC1 interface selected.
Waiting for omap44 device.
* Connect Tablet to PC
* Press the Power button for a long time, approximately 10s
* You should see this in the command line:
Code:
Boot from MMC1 interface selected.
Waiting for omap44 device.
Model: 4430
ROM revision: 0x04
CH: enabled
Underdocumented ASIC subblock #18: 00
IDEN: 0xE5FD23CE0F5FDF902D7EDA9B4D848D687F62372A
MPKH: 0xB585ACF1DD15B06A74813BFDDD6ECD64227CE4C90658C65B4C53AC229B4C6DC0
CRC0: 0x9C669AD9
CRC0: 0x682ADCCF
recevied ASIC ID banner:
Model: 4430
ROM revision: 0x04
CH: enabled
Underdocumented ASIC subblock #18: 00
IDEN: 0xE5FD23CE0F5FDF902D7EDA9B4D848D687F62372A
MPKH: 0xB585ACF1DD15B06A74813BFDDD6ECD64227CE4C90658C65B4C53AC229B4C6DC0
CRC0: 0x9C669AD9
CRC0: 0x682ADCCF
Giving x-loader a chance to come up...Probably loaded!
* The tablet should start into some firmware recovery mode, see picture
* You should be able to use ODIN to repair the internal memory; in my case ODIN stops halfway through loading, I probably have the eMMC bug.
Running entire system from SD Card
I'm trying to modify U-Boot and the kernel to load the entire system from the SD card. Some have done it: Say hi to "CyanoBoot" -- a 2nd bootloader w/ menu aka "ub2" (different device, same CPU).
The first step of boot is loading x-loader. The x-loader is signed, so we have to use the original one from Samsung. After some peripheral initialization, x-loader copies u-boot to RAM, checks the copied code for a magic constant and executes it. This is the place where we can change u-boot to boot from the SD card, because x-loader loads u-boot from the same device it was itself loaded from.
u-boot source
Does anyone have the u-boot source from Samsung?
I used this Guide and copied some things from the Nook device u-boot source, because they made booting from SD card work on the same CPU, OMAP4430. And lge_p920 from the LG open-source repository. Does anyone have a better idea?
How to compile
[u-boot source](https://gogs.lukastomek.info/lukas/u-boot)
[Building U-BOOT #(for Blaze)](http://omappedia.org/wiki/4AJ.2.5_OMAP4_Jelly_Bean_Release_Notes)
Kernel
I'm using the stock boot.img from the O2C-P5100XXDMJ2-20131203002840.zip package. Does anyone have a kernel that boots from SD card?
Prepare Debrick.img
Rewrite part of the image files
Write recovery.img to a specific address in debrick_changed.img, address 0x2C00000. Write it in hex or dec depending on the system (seek=$((0x1800000)) for Linux) (seek=46137344 for Windows).
You need to rewrite:
x-loader (MLO) 0x20000
u-boot (Sbl.bin) 0x1800000
boot.img 0x2400000
recovery.img 0x2C00000
Code:
dd if=C:\temp\Tablet\sdCardDebrick\recovery.img of=C:\temp\Tablet\sdCardDebrick\debrick_changed.img seek=$((0x1800000)) oflag=seek_bytes conv=notrunc
UART Debugging
Pin 21 of [Samsung Galaxy Tab 30 Pin Dock Connector Pinout](https://forum.xda-developers.com/showthread.php?t=1118986) is the output of debug messages for x-loader and u-boot (port UART4). I would like to send the kernel debug output to this port. Does anyone know how to do it? I'm using a UB232R for connecting to the PC.
Output from debugging:
Code:
ŕ<0>
Texas Instruments X-Loader 1.41 (Apr 10 2013 - 20:55:49)
Starting OS Bootloader from MMC/SD1 ...
U-Boot 1.1.4-g01076139-dirty (Jan 8 2019 - 14:49:13)
U-Boot code: 80E80000 -> 80EAA870 BSS: -> 80F2F964
Load address: 0x80e80000
DRAM: 2048 MB
Flash: 0 kB
Using default environment
In: serial
Out: serial
Err: serial
Initializing SD(0) Slot.
ptbl slot: SD:(0).
8192 20M EFS
49152 2M SBL1
53248 2M SBL2
57344 8M PARAM
73728 8M KERNEL
90112 8M RECOVERY
106496 700M CACHE
1540096 20M MODEM
1581056 1400M FACTORYFS
4448256 12343M DATAFS
29728734 512M HIDDEN
efi partition table:
bootcmd booti mmc0
ptbl slot: SD:(0).
8192 20M EFS
49152 2M SBL1
53248 2M SBL2
57344 8M PARAM
73728 8M KERNEL
90112 8M RECOVERY
106496 700M CACHE
1540096 20M MODEM
1581056 1400M FACTORYFS
4448256 12343M DATAFS
29728734 512M HIDDEN
Net: KS8851SNL
arch_number = 0x00000870
board rev = 0x00000000
env_t = 0x00000000
boot_params = 0x80000100
DRAM bank = 0x00000000
-> start = 0x80000000
-> size = 0x80000000
ethaddr = 00:00:00:00:00:00
ip_addr = 128.247.77.90
baudrate = 115200 bps
81200000: 52444e41 2144494f 0046add8 80008000 ANDROID!..F.....
81200010: 000b63a5 81000000 00000000 80f00000 .c..............
81200020: 80000100 00000800 00000000 00000000 ................
81200030: 00000000 00000000 00000000 00000000 ................
81200040: 736e6f63 3d656c6f 4f797474 31312c32 console=ttyO2,11
81200050: 30303235 6d20386e 313d6d65 4d343230 5200n8 mem=1024M
81200060: 646e6120 64696f72 746f6f62 6e6f632e androidboot.con
81200070: 656c6f73 7974743d 7620324f 3d6d6172 sole=ttyO2 vram=
kernel @ 80008000 (4632024)
ramdisk @ 81000000 (746405)
timed out in wait_for_bb: I2C_STAT=1000
I2C read: I/O error
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
ŕ<0>
This looks like the kernel is executed but there's no more info. I tried setting ttyO0 - ttyO4 and ttyS0 - 4 but there's no difference, I get no output from the kernel. Does anyone have an idea how to get kernel output or what is wrong?
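As an added example for the "Prepare Debrick.img" and UART sections above (my code, not the thread author's, and not part of omapboot or the u-boot tree): the script writes components into a debrick image at the listed offsets (0x20000, 0x1800000, 0x2400000, 0x2C00000), which are the SBL1, KERNEL and RECOVERY entries of the ptbl printout multiplied by 512 bytes per sector, with a fit check against each slot size from that printout, and it parses the Android boot image header whose dump appears at 0x81200000 in the U-Boot log, recovering kernel 4632024 bytes @0x80008000, ramdisk 746405 bytes @0x81000000 and the console= argument the kernel was handed. The MLO slot size, the total image size and the sample boot image are assumptions; the sample's payload is filler, not a real kernel.

```python
"""Lay out debrick.img components at the offsets from this thread and check boot images."""
import struct
from typing import Dict, Optional, Tuple

# (byte offset, slot size) inside debrick.img. Offsets are the ones listed under
# "Prepare Debrick.img"; slot sizes come from the U-Boot ptbl printout (SBL1 2M, KERNEL 8M,
# RECOVERY 8M; sector * 512 gives the offsets). The MLO slot size is an assumption:
# everything up to the SBL1 slot.
LAYOUT: Dict[str, Tuple[int, int]] = {
    "MLO": (0x20000, 0x1800000 - 0x20000),   # x-loader
    "Sbl.bin": (0x1800000, 2 << 20),          # u-boot, SBL1 slot
    "boot.img": (0x2400000, 8 << 20),         # KERNEL slot
    "recovery.img": (0x2C00000, 8 << 20),     # RECOVERY slot
}
IMAGE_SIZE = 0x2C00000 + (8 << 20)  # assumption: the image ends with the recovery slot

BOOT_MAGIC = b"ANDROID!"
# Legacy Android boot image header as dumped at 0x81200000 above: magic, kernel_size,
# kernel_addr, ramdisk_size, ramdisk_addr, second_size, second_addr, tags_addr, page_size,
# two unused words, 16-byte product name, 512-byte kernel cmdline (the id field follows).
BOOT_HDR = struct.Struct("<8s8I2I16s512s")


def parse_boot_header(data: bytes) -> dict:
    """Decode the header and derive where kernel and ramdisk start inside the image."""
    if len(data) < BOOT_HDR.size or data[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (missing ANDROID! magic)")
    (_, ksz, kaddr, rsz, raddr, _ssz, _saddr, tags, page,
     _u1, _u2, _name, cmdline) = BOOT_HDR.unpack_from(data, 0)
    if page == 0 or page & (page - 1):
        raise ValueError(f"bad page_size {page}")

    def pages(n: int) -> int:  # round a byte count up to whole pages
        return (n + page - 1) // page

    return {
        "kernel_size": ksz, "kernel_addr": kaddr,
        "ramdisk_size": rsz, "ramdisk_addr": raddr,
        "tags_addr": tags, "page_size": page,
        "kernel_offset": page,                      # the header occupies one page
        "ramdisk_offset": page * (1 + pages(ksz)),  # ramdisk follows the kernel pages
        "cmdline": cmdline.split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def console_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the console= argument the kernel will use, e.g. 'ttyO2,115200n8'."""
    for tok in cmdline.split():
        if tok.startswith("console="):
            return tok[len("console="):]
    return None


def write_component(image: bytearray, name: str, blob: bytes) -> int:
    """Equivalent of
       dd if=<blob> of=debrick.img seek=<offset> oflag=seek_bytes conv=notrunc
    with two checks dd does not make: the blob must fit its slot, and anything placed in
    the KERNEL or RECOVERY slot must carry an Android boot image header."""
    offset, size = LAYOUT[name]
    if len(blob) > size:
        raise ValueError(f"{name}: {len(blob):#x} bytes exceed the {size:#x}-byte slot at {offset:#x}")
    if name in ("boot.img", "recovery.img"):
        parse_boot_header(blob)
    image[offset:offset + len(blob)] = blob
    return offset


def sample_boot_image() -> bytes:
    """Constructed test image: its header repeats the values from the U-Boot dump above
    (kernel 4632024 bytes @0x80008000, ramdisk 746405 bytes @0x81000000, 2048-byte pages);
    the payload is one page of zero filler, not a real kernel."""
    cmdline = b"console=ttyO2,115200n8 mem=1024M androidboot.console=ttyO2 vram="
    hdr = BOOT_HDR.pack(BOOT_MAGIC, 4632024, 0x80008000, 746405, 0x81000000,
                        0, 0x80F00000, 0x80000100, 2048, 0, 0,
                        bytes(16), cmdline.ljust(512, b"\0"))
    return hdr.ljust(2048, b"\0") + bytes(2048)


if __name__ == "__main__":
    img = bytearray(IMAGE_SIZE)
    boot = sample_boot_image()
    hdr = parse_boot_header(boot)
    print(f"kernel {hdr['kernel_size']} bytes @ {hdr['kernel_addr']:#x}, "
          f"ramdisk {hdr['ramdisk_size']} bytes @ {hdr['ramdisk_addr']:#x}, "
          f"console={console_from_cmdline(hdr['cmdline'])}")
    print(f"boot.img placed at {write_component(img, 'boot.img', boot):#x}")
```

Parsing the header before placing it is also the quickest way to see which serial port the stock kernel was told to log on: the dump above carries `console=ttyO2`, while the debug pins described in the UART section belong to UART4, so changing that argument in the cmdline is the first thing to try when the kernel seems to start but stays silent.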
I realize I'm four years late with this, but I hope you see my message, because I'm also trying to get u-boot working on the Samsung Galaxy Tab 2. I saw the repository with your work so far, but for some reason it isn't up anymore, so could you maybe re-upload it, if it isn't too much effort?
If anyone is still interested: I managed to patch the stock bootloader from Samsung (Sbl.bin), so that more verbose logging over UART4 is working and booting entirely from the SD card is also working: https://github.com/mspitteler/espresso-sbl
