Hi to all,
Update on 17.02.2013, WP8 LEO ROM development
I am developing a new WP8 ROM for LEO and can access all WP8 STORE apps
as HTC apps, apps, games, music and podcasts, under the name of MARKETPLACE
Up to now all music and podcasts work ok but for HTC apps, apps and games
there is a pop up of comparibility warning as can be seen in the following screen shots
In the ROM are also included all WP8 lock screens, wallpapers and sounds, and more items
I hope to develop this LEO ROM as further as posible
//// ROM Screen Shots ////
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
End of 17.02.2013 update
********************************
Update on 28.12.2012, The WP8 Partitions
The WP8 Partitions, as identified up to now
There are 28 [0x1C] in total, 21 [0x15] Read-Only and 7 Read-Write
READ-ONLY SECTION START
Device Provisioning Partition (FIRST READ-ONLY)
01 DPP 16384 Unknown FS
QUALCOMM 8960 SPECIFIC READ-ONLY PARTITIONS
Modem golden file system - MUST FOLLOW DPP
02 MODEM_FSG 6144 Unknown FS
Secure Software Download
03 SSD 16 Unknown FS
Bootloaders
04 SBL1 3000 Unknown FS
05 SBL2 3000 Unknown FS
06 SBL3 4096 Unknown FS
07 UEFI 5000 Unknown FS
08 RPM 1000 Unknown FS
09 TZ 1000 Unknown FS
fTPM Application
0A WINSECAPP 1024 Unknown FS
Bootloaders Backup Section (Sizes must match)
0B BACKUP_SBL1 3000 Unknown FS
0C BACKUP_SBL2 3000 Unknown FS
0D BACKUP_SBL3 4096 Unknown FS
0E BACKUP_UEFI 5000 Unknown FS
0F BACKUP_RPM 1000 Unknown FS
10 BACKUP_TZ 1000 Unknown FS
fTPM Application Backup Section (Sizes must match)
11 BACKUP_WINSECAPP 1024 Unknown FS
UEFI Variable Services Partitions - Read-Only
12 UEFI_BS_NV 512 Unknown FS
13 UEFI_NV 512 Unknown FS
ACPI table storage
14 PLAT 16384 FAT
EFI System Partition (LAST READ-ONLY)
15 EFIESP 131072 FAT ByteAlignment 0x4000000
READ-ONLY SECTION END
START QUALCOMM 8960 SPECIFIC READ-WRITE PARTITIONS
Modem live file systems
16 MODEM_FS1 6144 FAT ByteAlignment 0x4000000
17 MODEM_FS2 6144 FAT
UEFI Variable Services Partitions - Read-Write
18 UEFI_RT_NV 512 FAT
19 UEFI_RT_NV_RPMB 256 FAT
END QUALCOMM 8960 SPECIFIC READ-WRITE PARTITIONS
MICROSOFT READ-WRITE PARTITIONS
1A MMOS 8192 FAT
1B MainOS 1343488 NTFS ByteAlignment 0x800000
1C Data 0x4000 NTFS ByteAlignment 0x800000
END MICROSOFT READ-WRITE PARTITIONS
SectorSize 512 bytes
ChunkSize 128 Kb
End of 28.12.2012 update
********************************
This thread is devoted to WP8 ROM analysis
.
.
1. The hTC structure of WP8 ROM version 1.00
.
.
A. The Block structure of the WP8 UEFI_signed.nbh
.
.
1st Block, the new file header // Identical to RUU, except 2 bytes
.
.
Start 0x00000000 End 0x000001FF Length 0x200 bytes
.
0x00000000 [email protected]$ // file name ID
.
0x00000008 0x008F // word:ID [TBN]
.
0x0000000A 0x0500 // word:0x05 [TBN]
.
0x00000014 1.00.401.24 // ROM version
.
0x0000001F 0x08 // byte:0x08 [TBN]
.
0x00000020 PM232000* // Device ID [TBN]
.
0x00000040 WWE // ROM language
.
0x000000D0 HTC__001 // CID list start
.
0x000000D8 HTC__203 // CID list
.
... ... // CID list
.
0x00000120 HTC__K18 // CID list end
.
.
.
.
2nd Block // [TBN]
.
.
Start 0x00000200 End 0x0001001FF Length 0x100000 bytes
.
.
.
.
3rd Block // Identical to the 3rd Block of RUU [TBN]
.
.
Start 0x00100200 End 0x0003067FF Length 0x206600 bytes
.
.
.
.
4th Block // Identical to the 10th Block of RUU [TBN]
.
.
Start 0x000306800 End 0x000322662 Length 0x1BE63 bytes
.
This block ends with non unicode text hTCVer001.532.009 and a trailing 0x0A
.
.
5th Block // Identical to the 11th Block of RUU [TBN]
.
.
Start 0x000322663 End 0x0004594D1 Length 0x136E6F bytes
.
This block ends with non unicode text hTCVer001.532.010 and a trailing 0x0A
.
.
6th Block // Identical to the 12th Block of RUU [TBN]
.
.
Start 0x0004594D2 End 0x00063A129 Length 0x1E0C58 bytes
.
This block ends with non unicode text hTCVer001.532.015 and a trailing 0x0A
.
.
7th Block // [TBN]
.
.
Start 0x00063A12A End 0x00081E815 Length 0x1E46EC bytes
.
This block ends with non unicode text hTCVer001.532.008 and a trailing 0x0A
.
.
.
.
B. The Block structure of the WP8 RUU_signed.nbh
.
.
1st Block, the new file header // Identical to UEFI, except 2 bytes
.
.
Start 0x00000000 End 0x000001FF Length 0x200 bytes
.
0x00000000 [email protected]$ // File name ID
.
0x00000008 0x008F // word:ID [TBN]
.
0x0000000A 0x0A00 // word:0x0A [TBN]
.
0x00000014 1.00.401.24 // ROM version
.
0x0000001F 0x13 // byte:0x13 [TBN]
.
0x00000040 WWE // ROM language
.
0x000000D0 HTC__001 // CID list start
.
0x000000D8 HTC__203 // CID list
.
... ... // CID list
.
0x00000120 HTC__K18 // CID list end
.
.
.
.
2nd Block // [TBN]
.
.
Start 0x00000200 End 0x0001001FF Length 0x100000 bytes
.
.
.
.
3rd Block // Identical to the 3rd Block of UEFI [TBN]
.
.
Start 0x00100200 End 0x0003067FF Length 0x206600 bytes
.
.
4th Block // the Radio part 01 (Holds hTC certificates)
.
.
Start 0x000306800 End 0x00031E815 Length 0x18016 bytes
.
This block ends with non unicode text hTCVer001.532.008 and a trailing 0x0A
.
.
5th Block // the Radio part 02 (Holds hTC certificates)
.
.
Start 0x00031E816 End 0x00033682B Length 0x18016 bytes
.
This block ends with non unicode text hTCVer001.532.008 and a trailing 0x0A
.
.
6th Block // the Radio part 03 (Holds hTC certificates)
.
.
Start 0x00033682C End 0x00034E841 Length 0x18016 bytes
.
This block ends with non unicode text hTCVer001.532.008 and a trailing 0x0A
.
.
7th Block // the Radio part 04 (Holds hTC certificates)
.
.
Start 0x00034E842 End 0x000366857 Length 0x18016 bytes
.
This block ends with non unicode text hTCVer001.532.008 and a trailing 0x0A
.
.
8th Block // the Radio part 05 (Holds hTC certificates)
.
.
Start 0x000366858 End 0x00037E86D Length 0x18016 bytes
.
This block ends with non unicode text hTCVer001.532.008 and a trailing 0x0A
.
.
9th Block // the Radio part 06 (Holds hTC certificates)
.
.
Start 0x00037E86E End 0x000396883 Length 0x18016 bytes
.
This block ends with non unicode text hTCVer001.532.008 and a trailing 0x0A
.
.
10th Block // Identical to the 4th Block of UEFI [TBN]
.
.
Start 0x000396884 End 0x0003B26E6 Length 0x1BE63 bytes
.
This block ends with non unicode text hTCVer001.532.009, an 0x0D and a trailing 0x0A
.
.
11th Block // Identical to the 5th Block of UEFI [TBN]
.
.
Start 0x0003B26E7 End 0x0004E9555 Length 0x136E6F bytes
.
This block ends with non unicode text hTCVer001.532.010 and a trailing 0x0A
.
.
12th Block // Identical to the 6th Block of UEFI [TBN]
.
.
Start 0x0004E9556 End 0x0006CA1AD Length 0x1E0C58 bytes
.
This block ends with non unicode text hTCVer001.532.015 and a trailing 0x0A
.
.
13th Block // the WP8 image
.
.
Start 0x0006CA1AE End 0x00322D53EF Length 0x31C0B242 bytes
.
This block will be developed in more detail
.
.
.
Both will be more detailed in the next posts #2 and #3
.
.
Notes
,
,
1. that there are certain differences between hTC and Nokia structures
.
2. all info is provided on a development base only
.
.
Regards, ansar
UEFI.nbh ROM detailed amalysis development
This post is reserved
RUU.nbh ROM detailed analysis development
Also this post is reserved
xuantunt said:
How to extract? OSBuilder?
Click to expand...
Click to collapse
no, you can't use osbuilder because this rom isn't built like other winCE's roms (wm6.x, wp7). This rom has got his own filesystem (I think it should be ReFS), and his own structure. You have to wait because some developers are digging into it. Right now we only know that the system structure is similar to a Windows PC, even drivers are in sys format (this is a bad news for those who are waiting a porting to older devices).
gigsaw said:
no, you can't use osbuilder because this rom isn't built like other winCE's roms (wm6.x, wp7). This rom has got his own filesystem (I think it should be ReFS), and his own structure. You have to wait because some developers are digging into it. Right now we only know that the system structure is similar to a Windows PC, even drivers are in sys format (this is a bad news for those who are waiting a porting to older devices).
Click to expand...
Click to collapse
I know what's exactly in it! It has 2 user profiles (default & public), a windows folder + system32 folder. And *.sys drivers.
Regards
(I don't know how, but I have a dump!)
gigsaw said:
no, you can't use osbuilder because this rom isn't built like other winCE's roms (wm6.x, wp7). This rom has got his own filesystem (I think it should be ReFS), and his own structure. You have to wait because some developers are digging into it. Right now we only know that the system structure is similar to a Windows PC, even drivers are in sys format (this is a bad news for those who are waiting a porting to older devices).
Click to expand...
Click to collapse
Main partitions are always NTFS
ultrashot said:
Main partitions are always NTFS
Click to expand...
Click to collapse
Maybe it looks like the XBOX FS
They are really W8 NTFS
Guys, please keep the chat relevant to dev work, thread cleaned.
Thanks.
I've linked diamondback/flemmard n other deva to this thread, as you're not the only ones with this problem, android is updates HTC are using the same method
So as you can see this isn't specifically windows related
madman0817 said:
I know enough [email protected]/JS/java/c++ to get me through the door. How can I help and where do I start?
Click to expand...
Click to collapse
Wow, you should work in the Pentagon with this knowledge
And should hack every KGB server.
A few tidbits that might help you guys further. WP8 kernel overview can be found here: Windows Phone 8 Kernel Architecture
It seems to differ also from W8 with that way that the user mode driver model is not supported, just KMDF & WDM kernel mode drivers. Packages are developed by installing The Windows Driver Kit (WDK) and top of that couple of specific WP8 kits. There is user mode only for applications which the OEM installs.
Sorry, it's not much, but that's all info that has floated my way..
Hi to all,
The identified up to now WP8 image partitions are listed in #1 post
Regards, ansar
Jiihaa said:
A few tidbits that might help you guys further. WP8 kernel overview can be found here: Windows Phone 8 Kernel Architecture
It seems to differ also from W8 with that way that the user mode driver model is not supported, just KMDF & WDM kernel mode drivers. Packages are developed by installing The Windows Driver Kit (WDK) and top of that couple of specific WP8 kits. There is user mode only for applications which the OEM installs.
Sorry, it's not much, but that's all info that has floated my way..
Click to expand...
Click to collapse
it is not differ . its WOA ( windows on arm ) with some additions ( becose its a phone lol )
1. codebase of gui is shared with 7.8 - you really thought they will rewrite it? becose of it and becose Its a phone where you dont need explorer.exe subsystem. some additions was made into os composition . its more similar to - windows embended then windows RT (WOA ) . biggest example of embended roots is - Image update process . in WP8 system partition with main os - read only ntfs . in order to write something there - system reboots into Windows PE enviroment.. rest of the system is damn similar . even SXS in place lol . ( atleast package structures clearly indicates on that ).
2. disabling kernel mode for all apps is expectable . in early 2012 they sayd. that they did it to minimise of potential security impact in bugged OEM SOFTWARE . or you really think - they does not noticed security hole in HTC connection manager or some OEM software which helps in jailbreak os .. ofc they know it
can anyone give me a link to the ROM. I've been looking for a link but all seem either dead, or the ROM is damaged and cant extract the nbh properly.
There's an Apollo bring up guide floating on the net, which pretty clear states the differences.
Info on WP8 LEO ROM development
Hi to all,
I am developing a WP8 ROM for LEO, see post #1
Regards, ansar
ansar.ath.gr said:
Hi to all,
I am developing a WP8 ROM for LEO, see post #1
Regards, ansar
Click to expand...
Click to collapse
I read somewhere that the drivers for WP7 and WP8 were different.
Did you have to write new drivers in order to make it work??
ansar.ath.gr said:
Hi to all,
Update on 17.02.2013, WP8 LEO ROM development
I am developing a new WP8 ROM for LEO and can access all WP8 STORE apps
as HTC apps, apps, games, music and podcasts, under the name of MARKETPLACE
Up to now all music and podcasts work ok but for HTC apps, apps and games
there is a pop up of comparibility warning as can be seen in the following screen shots
In the ROM are also included all WP8 lock screens, wallpapers and sounds, and more items
I hope to develop this LEO ROM as further as posible
Regards, ansar
Click to expand...
Click to collapse
Seriously Ansar,
Now i am not doubting you here ..i am just looking with eyes wide open .. Is that really windows 8.. wow .. Looking at your screenshots looks like you have made some pretty good progress..People must be going crazy in wait ..
See you soon with a beta build ..
Best
wV
warriorvibhu said:
Seriously Ansar,
Now i am not doubting you here ..i am just looking with eyes wide open .. Is that really windows 8.. wow .. Looking at your screenshots looks like you have made some pretty good progress..People must be going crazy in wait ..
See you soon with a beta build ..
Best
wV
Click to expand...
Click to collapse
it's very interesting to see a "non compatible phone" from WP7 running WP8, clearly Microsoft lied to us in the face about the upgrade process to jump from winphone7 to winphone8.
Related
Attn : Jeff summer
First thks for your effort for creating the cook rom page.
Just lock in the page and found out you have the Tmobile 4.00.10 rom cooking rom included in your web page http://cuba.calyx.nl/~jsummers/ROMkitchen/, But after downloaded and flash, the additional software is not included in the files in the selected windows.
thks again :wink:
OCMAX said:
Just lock in the page and found out you have the Tmobile 4.00.10 rom cooking rom included in your web page http://cuba.calyx.nl/~jsummers/ROMkitchen/, But after downloaded and flash, the additional software is not included in the files in the selected windows.quote]
Ohoh. Small mistake on my part. Fixed...
Click to expand...
Click to collapse
Hi Jeff,
Thanks for providing a wonderful site, but I would like to find from you is that, the T-Mobile v4.00.10 ROM does it come clean in terms of no customization like the today plug-in just like the 4.00.05?
In the Asia 02 XDA, it seems to have some problem with the T-Mobile v4.00.10 probably due to the customization of the setup.
I have tried the one located here, just thinking that if yours would be the PLAIN v4.00.10?
Thanks again for the wonderful setup and site.
I just tried to cook a rom and I got this error:
Warning: fopen(../../download/jaqpailv/log.html): failed to open stream: Not a directory in /home/jsummers/public_html/ROMkitchen/processor.php on line 104
Warning: fputs(): supplied argument is not a valid stream resource in /home/jsummers/public_html/ROMkitchen/processor.php on line 105
Warning: fclose(): supplied argument is not a valid stream resource in /home/jsummers/public_html/ROMkitchen/processor.php on line 106
Warning: rename(rom.exe,../../download/jaqpailv/rom.exe): Not a directory in /home/jsummers/public_html/ROMkitchen/processor.php on line 110
Thanks!
No working at all
Just tested: works for me... Maybe a glitch...
Worked for me yesterday evening too!
Many thanks Jeff!
Geoff
Wasn't working for me this morning, but seems to work fine right now...
Jeff-Kitchen is OK now :lol:
Thanks
Not working again?
Not for 3.17?
Warning: OS type not detected, you may need to set tounicode variable manuallywrite xip block starting at 81800000, with 24 fileswrite xip block starting at 81940000, with 0 filesheader : No such file or directoryError creating new rom.
Hope somebody will fix this. :wink:
Re: Not working again?
OCMAX said:
Not for 3.17?
Warning: OS type not detected, you may need to set tounicode variable manuallywrite xip block starting at 81800000, with 24 fileswrite xip block starting at 81940000, with 0 filesheader : No such file or directoryError creating new rom.
Hope somebody will fix this. :wink:
Click to expand...
Click to collapse
Works fine for me...:
Code:
Warning: OS type not detected, you may need to set tounicode variable manually
no files for configid 26220739
write xip block starting at 81800000, with 3 files
write xip block starting at 81980000, with 190 files
this rom seems to be 3.17.03 ENG 2003-05-15 o2euro
this bootloader seems to be V5.22 2003-05-15 17:46:55
80000000 - 80040000 -- bootloader 0 files 1 modules
80040000 - 8026a804 -- kernel 13 files 11 modules
802c2000 - 8057d330 9 OS 15 files 32 modules
80580000 - 8075a69c 8 SHELL 79 files 27 modules
80780000 - 80a13b04 7 BROWSING 9 files 14 modules
80a40000 - 80d8a33c 6 COREAPPS 46 files 30 modules
80dc0000 - 80ebd150 5 SYNC 12 files 22 modules
80ec0000 - 810388e0 4 24MAPPS 13 files 13 modules
81080000 - 81348248 3 24MCONSUMER 69 files 1 modules
81400000 - 814019a4 -- xip chain 10 xip entries
81440000 -817f6f14 1 MISC 209 files 40 modules
81800000 - 818ffff0 10 XDA_DEVELOPERS1 3 files 0 modules
81900000 - 81925800 -- bitmap : f9fff9ff .. f9fff9ff
81940000 - 81960278 -- operator rom 10 files81980000 -
81e205c8 11 XDA_DEVELOPERS2 190 files 0 modules
../rom.exe: found a preamble of 31232 bytes adding: English/NK.nbf (deflated 51%)
My friend's box is back up !
There was a problem which caused workspace directories not to be deleted under some circumstances, which caused the 'all workspaces are busy' problem. If all is well this problem is now also fixed.
--
Jeff
First of all without yor kitchen we will not eat, thank you.
I suggest if you can put a version or last update date so the visitor check if there is a changes and highlite the new lines.
Thanks.
Sigh,
And back down again...
Guess we'll have to wait for it to come back up.
http://cuba.calyx.nl/~jsummers/ROMkitchen/
Hi! Jeff
Thks for your time, effort you spent to create the web page.
I'm being using 3.17 cook rom it for a few weeks. and is wonderful.
Any chances that U fit in the 3.20 rom to your page?
thks in advance. :wink:
FYI:
Jeff's kitchen seems fine now...
Jeff, your kitchen is fantastic!! Thanks for all the great work!
@ Jeff. Thanks for the great work. Decided to try out the new anti-theft feature and received this when cooking:
echo Warning: OS type not detected, you may need to set tounicode variable manuallywrite xip block starting at 81740000, with 3 fileswrite xip block starting at 81b00000, with 144 files!!! your rom is not known to me: md5: 1cd007bbffa268b12b7968cabb7cc75fthis bootloader seems to be V5.22 2003-05-15 17:46:55no operator rom found80000000 - 80040000 -- bootloader 0 files 1 modules80040000 - 8015d5cc 9 XIPKERNEL 5 files 5 modules80180000 - 80375bdc 8 KERNEL 10 files 14 modules80380000 - 8064306c 7 OS 20 files 36 modules80670000 - 80be66a8 6 SHELL 107 files 88 modules80c00000 - 8102ce98 5 BROWSING 11 files 36 modules81050000 - 813ef114 4 COREAPPS 95 files 44 modules81400000 - 815d2238 3 EXAPPS 34 files 7 modules815f0000 - 8171bc7c 2 PHONE 56 files 19 modules81740000 - 8177ffec 10 XDA_DEVELOPERS1 3 files 0 modules81780000 - 81781c34 -- xip chain 11 xip entries817c0000 - 81ae4338 1 MISC 109 files 42 modules81b00000 - 81eadc2c 11 XDA_DEVELOPERS2 144 files 0 modules81ec0000 - 81ee5800 -- bitmap : f9fff9ff .. f9fff9ff adding: NK.nb1zip I/O error: No space left on devicezip error: Output file write failure (write error on zip file)
Hey guys, I've been interested in getting AOSP running on the Captivate, just like the NexusS. Since I now have an UnBrickable Phone, I figured I'd flash the firmware, but it didn't work. I need a new partition table. I found that the partitions are hidden within the bootloader image, so that didn't work... There is no direct upload without proper partitioning and the partition tables are not in the same format. I was talking to Rebellos and he said it would be possible... Then he came up with the mod out of the blue.
The linux commands used were as follows, the sleep is added so you can copy and paste.
Code:
sudo smdk-usbdl -f ./HIBL.bin -a D0020000
sleep 3
sudo smdk-usbdl -f ./nexus_sbl.bin -a 33040000
which loads the HIBL to memory address 0xD0020000 and the SBL to memory Address 0x33040000. At this point it is executed by the HIBL and....
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
All buttons worked properly! this means there is no work for volume+ volume - or power... There will probly be something else though.
I asked Rebellos to explain here so we can all learn something. I'm attaching the HIBL and the SBL to this post.
Warning: Since unlocking NexusS requires format of the MoviNAND and SDCard be prepaired to format all information on your phone, including EFS. Have a backup of all critical information.
Some general (and less-general) stuff about bootloaders analyse:
How to extract SBL from fused image?
(as the one in Nexus S, where IBL, PBL and SBL are together in bootloader.img)
Bootloaders are usually aligned to memory blocks of size like 4, 8, 16, 32KBs. The gaps between them are filled with 0x00 bytes.
SBL is the largest bootloader, so the thing is to open file in hex editor (personally I prefer XVI32), find the largest solid block of data and erase everything before first non-zero byte block. This way you've got Sbl.bin image.
Why is correct entry point (EP) of bootloader so important?
It comes out from ARM specification. Enough to say is that in most of cases code is non-relocatable
More info: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.faqs/ka3698.html
How to find correct bootloader EP?
In all SGS series SBLs I've seen so far EP is always written on 0x20 offset of SBL image, 32bit int in Little Endian notation.
Taking as example Nexus S SBL, in hex editor following bytes are:
Code:
00 00 04 33
So correct EP = 0x33040000
Way more complicated thing is when (as we can see in Samsung Waves) SBL (BL3) does not have entrypoint in file. Then it's mainly matter of correct analyse and some guessing.
Most of string pointers are stored and used in ARM assembly this way:
Code:
<code>
LDR R4, [some_string_ptr] ;this means LoaD Register (or Load Data Register) from given address, which means we are loading address of some_string
<code>
some_string_ptr DW some_string
some_string DB "string_example"
some_string_ptr will be valid pointer only when code is loaded into valid location (data stored under some_string_ptr doesn't change)
The fastest way is to load such code into any address in IDA disassembler, find few string pointers and see on which address are these pointing. Remember that LDR are also used to obtain CPU SFRs (Special Function Registers) addresses and constant data (this is matter of practice). Example:
We have loaded code under 0x10000000, some random LDRs taken from code:
LDR R0, 0x43000204
LDR R3, 0x12345678 ;looks like magic-const
LDR R8, 0xABCDABCD ;this one also
LDR R1, 0xFFFFFFFF ;looks like error return value or bit mask
LDR R1, 0xE0010000 ;doesn't match the rest, SFR probably (always keep CPU reference manual opened)
LDR R2, 0x43122508
LDR R0, 0x4311270A
LDR R0, 0x430F0100
The rest of LDR are in 0x43****** area, code entrypoint is usually aligned, as I said before, so first entrypoint try would be 0x43000000. You'll recognize you've got valid entrypoint by IDA properly matching strings X-refs to LDR instructions.
Example of code with invalid entrypoint:
Code:
TEXT:4148EA20 LDR R1, =0x42593D59
TEXT:4148EA24 MOV R0, R4
The same code, with valid entrypoint:
Code:
TEXT:4248EA20 LDR R1, =pSecBootFixedSeedKey ; "Fixed one for Samsung 3G platform. This"...
TEXT:4248EA24 MOV R0, R4
Got any more questions? Suggestions? Problems? Feel free to ask here or PM me.
First.
Pls post a bit more detailed instructns... would love 2 try this out wen my unbrickable cappy gets here n Monday.
Sent from my Transformer TF101 using XDA Premium App
psycho2097 where did you send yours to have it done at?
BloodSkin said:
psycho2097 where did you send yours to have it done at?
Click to expand...
Click to collapse
To me. You can also pm Connexion2005. He's done the mod as well.
Apparently the Nexus S works with odin, but it's not flashing for some reason... I was able to get the partition table here.. see attached file: http://forum.xda-developers.com/attachment.php?attachmentid=709328&stc=1&d=1315096743
Boot the nexus S bootloader as above, while holding VOL+ and VOL-, then use heimdall to download the part.pit.
AdamOutler said:
To me. You can also pm Connexion2005. He's done the mod as well. I'm still working with it..
Apparently the Nexus S works with odin, but it's not flashing for some reason... I was able to get the partition table here.. see attached file: http://forum.xda-developers.com/attachment.php?attachmentid=709328&stc=1&d=1315096743
Boot the nexus S bootloader as above, while holding VOL+ and VOL-, then use heimdall to download the part.pit.
Click to expand...
Click to collapse
Why not try Heimdall? Or have you already?
Kyuta Syuko said:
Why not try Heimdall? Or have you already?
Click to expand...
Click to collapse
I tried. read above.. I used heimdall to download the partition table... however there is a problem with heimdall's repartitioning ability.
Awesome, I love that someone is working on this and that AdamOutler is one of the ones leading the pack. You have done some great things on the development side of the Captivate and I know you actually work on these things instead of bringing the idea to light but never really going anywhere with it. I am very excited to watch the progress on this. Good luck.
AdamOutler said:
I tried. read above.. I used heimdall to download the partition table... however there is a problem with heimdall's repartitioning ability.
Click to expand...
Click to collapse
Guess I missed that last part. What kinda problem?
Kyuta Syuko said:
Guess I missed that last part. What kinda problem?
Click to expand...
Click to collapse
Not quite sure.. it seems to not be able to set the partition in stone. I contacted Benjamin Dobell about it. Its a problem with heimdall
This is a bit different though.. even Odin fails in this case. I am still working with it.
AdamOutler said:
Not quite sure.. it seems to not be able to set the partition in stone. I contacted Benjamin Dobell about it. Its a problem with heimdall
This is a bit different though.. even Odin fails in this case. I am still working with it.
Click to expand...
Click to collapse
I only asked because I personally prefer to use Heimdall over Odin. It's how I flash back to stock and how I flashed from 2.2 to 2.3 =|
Is it just the Windows version of Heimdall that has this problem or is it all variations? I use it on my laptop running Kubuntu since it likes to detect my phone better.
Kyuta Syuko said:
I only asked because I personally prefer to use Heimdall over Odin. It's how I flash back to stock and how I flashed from 2.2 to 2.3 =|
Is it just the Windows version of Heimdall that has this problem or is it all variations? I use it on my laptop running Kubuntu since it likes to detect my phone better.
Click to expand...
Click to collapse
I run Ubuntu primarily and I have all other platforms in virtual machines. It's a problem with Heimdall's ability to repartition.
AdamOutler said:
I run Ubuntu primarily and I have all other platforms in virtual machines. It's a problem with Heimdall's ability to repartition.
Click to expand...
Click to collapse
I figured you ran some Linux Distro =| Well at least I'm not experiencing any issues with my phone currently... Hope he gets that fixed soon. Sorry to derail the topic =/
I'm trying to flash some Nexus S firmware. Odin does not seem to work, it fails at repartitioning even with the part.pit I downloaded using Heimdall.... So I did some research and found that the device requires fastboot unlock or upload of firmware before I can unlock it for use with Odin...
To get Fastboot, i followed instrutctions on the Nexus S forums.... Instead of pushing power on, I simply held the proper key combination (Power + Volume up) while uploading the SBL.
I've never used fastboot and I can't quite figure out why it's not working. I see "FASTBOOT MODE" on my screen.
Here's what I see in my UART Debug window
Code:
��������������������������������������������������������������������������������
Uart negotiation Error
-------------------------------------------------------------
Hummingbird Interceptor Boot Loader (HIBL) v1.0
Copyright (C) Rebellos 2011
-------------------------------------------------------------
Calling IBL Stage2 ...OK
Testing DRAM1 ...OK
iRAM reinit ...OK
cleaning OTG context ...OK
Chain of Trust has been successfully compromised.
Begin unsecure download now...
0x00000000BL3 EP: 0x33040000
Download complete, hold download mode key combination.
Starting BL3 in...
Set cpu clk. from 400MHz to 800MHz.
IROM e-fused - Secure Boot Version.
-----------------------------------------------------------
Samsung Secondary Bootloader (SBL) v3.0
Copyright (C) Samsung Electronics Co., Ltd. 2006-2010
Board Name: HERRING REV 03 (JTAG)
Build On: Jan 20 2011 17:19:41
-----------------------------------------------------------
MMC MAG8DE 15264 MB
Re_partition: magic code(0xffffffff)
Muxed OneNAND 512MB (0x50) Sync
Scanning Bad Block .......
Bad Block 2047 (0)
Partitions loading success
Read image(PARAM) from flash .......
Done
init_fuel_gauge: vcell = 4193mV, soc = 100
PMIC_IRQ1 = 0xe8
PMIC_IRQ2 = 0x0
PMIC_IRQ3 = 0x1
PMIC_IRQ4 = 0x0
PMIC_STATUS1 = 0xc0
PMIC_STATUS2 = 0x2c
PMIC_STATUS3 = 0xff
PMIC_STATUS4 = 0xff
PMIC_STATUS5 = 0xff
PMIC_SMPL = 0x80
Key scan = 0x50
keypad_scan: handler name = fastboot
Check Power Key ... Skip!
BOOT_MODE_FASTBOOT (HW_RST(0x00000001), INFORM(0x00000000))
So that says I just booted into fastboot
I see this in the linux "lsusb" command
Code:
Bus 001 Device 122: ID 18d1:4e20 Google Inc.
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x18d1 Google Inc.
idProduct 0x4e20
bcdDevice 1.00
iManufacturer 1 Google, Inc
iProduct 2 Android 1.0
iSerial 3 30325181F24700EC
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 32
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xc0
Self Powered
MaxPower 50mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 66
bInterfaceProtocol 3
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Device Qualifier (for other device speed):
bLength 10
bDescriptorType 6
bcdUSB 2.00
bDeviceClass 255 Vendor Specific Class
bDeviceSubClass 66
bDeviceProtocol 3
bMaxPacketSize0 64
bNumConfigurations 1
can't get debug descriptor: Connection timed out
Device Status: 0x0001
Self Powered
So obviously, it's detecting as a Google device now..
however...
Code:
[email protected]:~/Desktop/nexus firmware$ fastboot oem unlock
< waiting for device >
I can't seem to do the fastboot commands with this. Any ideas?
Dang just lost internet at work. I'm no pro but I saw a topic on the nexus section that seemed to indicate people had problems with this command in LiNux but running it in windows fixed the problem for about 3 people. Best of luck!
edit :internet back! here was the topic: http://forum.xda-developers.com/showthread.php?t=685449
Sent from my GT-I9000 using Tapatalk
The waiting for device command typically means it's not being seen correctly. Type fastboot devices and see if you see anything. Fastboot is what I'll be playing with when I return from the trip. Nexus S firmware is the purest Android experience possible on any phone. This would be a major breakthrough and more importantly, make the Captivate the first in line for Android updates just as the Nexus S is.
Also if fastboot works, it's very easy to make a one click Nexus S firmware installer with the flash all command fastboot has.
Awesome stuff.
Sent from my SGH-I897 using XDA Premium App
And now im back on stock
Sent from my SAMSUNG-SGH-I897 using xda premium
If you get the unbrickable mod to work on your phone then wouldn't you be able to flash a sense rom that has the same resolution as the galaxy s.
Sent from my GT-I9000 using XDA Premium App
ameedi600 said:
If you get the unbrickable mod to work on your phone then wouldn't you be able to flash a sense rom that has the same resolution as the galaxy s.
Sent from my GT-I9000 using XDA Premium App
Click to expand...
Click to collapse
Endless capabilities
Sent from my SAMSUNG-SGH-I897 using xda premium
Brief synopsis
Bootloader unlock isn't likely. Amazon provide the facility to unlock the bootloader, but there is no way of getting the key.
The program which is locking the bootloader appears to be specific to MediaTek and Amazon, therefore, there isn't any source code.
The partitions with an Android bootimg header are all signed with two Amazon certificates. This includes the Little Kernel (LK) and the kernel itself.
The preloader is custom built for Amazon. The preloader doesn't respond to SP Flash Tool because it's constantly in a reboot loop when in 'META mode'. I presume it's intentional; a different version can however be installed (See 'However...').
However...
@bibikalka has found some strings in tz.img refering to a bootloader unlock. There is an amzn_unlock_verify function in lk too.
There must be a is a way to get the preloader to work properly with SP Flash Tool. However, this won't allow you custom ROMs, just reinstall Amazon's software. The software installed is still verified during the boot process. See this unbrick guide to install a different preloader. The preloader is not signed or checked by the boot process.
There is a small chance some part of the boot process could be fooled.
Downgrade potential
An anti-rollback program appears to have been built in to the bootloader which prevents any attempt at downgrading the software on the device. This is rather irritating, and means that downgrading is almost impossible. Only the preloader seems to be unaffected by this anti-rollback system – so, if you attempted to downgrade, and caused your device to become bricked, then you can restore the version you left.
Note that I vaguely reference to the preloader, uboot and lk collectively as 'the bootloader'.
Original post
I previously had downloaded the 5.0.1 and 5.1.1 LK versions, and thought, why not run these through binwalk?
For the old, 5.0.1 bootloader, putting lk.bin through binwalk gave:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
204256 0x31DE0 SHA256 hash constants, little endian
292292 0x475C4 Android bootimg, kernel size: 0 bytes, kernel addr: 0x5D73255B, ramdisk size: 1869570592 bytes, ramdisk addr: 0x6D692074, product name: ""
330144 0x509A0 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
330752 0x50C00 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
334248 0x519A8 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
339912 0x52FC8 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
341028 0x53424 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
350360 0x55898 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
351732 0x55DF4 Certificate in DER format (x509 v3), header length: 4, sequence length: 1067
353656 0x56578 Certificate in DER format (x509 v3), header length: 4, sequence length: 1069
369736 0x5A448 CRC32 polynomial table, little endian
397548 0x610EC LZMA compressed data, properties: 0x91, dictionary size: 33554432 bytes, uncompressed size: 134217728 bytes
Whilst the 5.1.1 bootloader's lk.bin gave:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
204960 0x320A0 SHA256 hash constants, little endian
293720 0x47B58 Android bootimg, kernel size: 0 bytes, kernel addr: 0x5D73255B, ramdisk size: 1869570592 bytes, ramdisk addr: 0x6D692074, product name: ""
332024 0x510F8 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/cry
332628 0x51354 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/mem
336096 0x520E0 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/asn
341712 0x536D0 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/evp
342820 0x53B24 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/obj
352064 0x55F40 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/x50
353420 0x5648C Certificate in DER format (x509 v3), header length: 4, sequence length: 1067
355344 0x56C10 Certificate in DER format (x509 v3), header length: 4, sequence length: 1069
371656 0x5ABC8 CRC32 polynomial table, little endian
So there you go! The bootloader uses OpenSSL to check the partition against two DER format certificates. Ignore the LZMA header for now; binwalk thinks almost everything is LZMA compressed.
Can you run binwalk with -e and post the 5.1.1 certs here
benwaffle said:
Can you run binwalk with -e and post the 5.1.1 certs here
Click to expand...
Click to collapse
Look at the thread about the 5.1.1 lk.bin in this forum and download the binary so you can run binwalk on it yourself.
Here is the lk.bin file, zipped. You can try and run '-e' on this binary.
The extracted certificates appear to contain format strings for decompression/compression error and debug messages. It doesn't look right. But the top of the files are valid certificate headers (or appear to be to the untrained eye).
Thanks @benwaffle.
Good effort!
I shall note that Amazon must have a way to un-brick the devices with MTK tools, they would not swap motherboards in order to revive them ...
The problem with the public MTK tools that it's even impossible to create a scatter file automatically (read only operation), meaning that the formats are such that MTK tools don't understand:
http://forum.xda-developers.com/fire-hd/help/mtk-tools-people-hopeless-bricks-t3139784
There is also an attempt to look at which partitions change when 5.0.1 goes to 5.1.1, and frankly, it's not many places to hide (only a couple of partitions):
http://forum.xda-developers.com/amazon-fire/help/understand-5-1-1-bootloader-bricking-fix-t3301991
On Fire 2014 I also looked at the strings within the bootloaders, and they had some interesting stuff regarding unlocking:
http://forum.xda-developers.com/showpost.php?p=61288384&postcount=57
I wonder if it's possible to patch the very first thing that boots (preloader), and have it pass the unlocking flags around ? Or is preloader also encrypted fully ?
bibikalka said:
Good effort!
I shall note that Amazon must have a way to un-brick the devices with MTK tools, they would not swap motherboards in order to revive them ...
The problem with the public MTK tools that it's even impossible to create a scatter file automatically (read only operation), meaning that the formats are such that MTK tools don't understand:
http://forum.xda-developers.com/fire-hd/help/mtk-tools-people-hopeless-bricks-t3139784
There is also an attempt to look at which partitions change when 5.0.1 goes to 5.1.1, and frankly, it's not many places to hide (only a couple of partitions):
http://forum.xda-developers.com/amazon-fire/help/understand-5-1-1-bootloader-bricking-fix-t3301991
On Fire 2014 I also looked at the strings within the bootloaders, and they had some interesting stuff regarding unlocking:
http://forum.xda-developers.com/showpost.php?p=61288384&postcount=57
I wonder if it's possible to patch the very first thing that boots (preloader), and have it pass the unlocking flags around ? Or is preloader also encrypted fully ?
Click to expand...
Click to collapse
Thanks @bibikalka!
Yes – Amazon must have a way of flashing firmware. I wonder if there is a JTAG header on the board as well. The Fire HD 6 had a 'JDEBUG' port, as seen in iFixit's teardown photographs: https://www.ifixit.com/Teardown/Kindle+Fire+HD+6+Teardown/29815#s70239
There might be a bootloader unlock then! It might need someone to decompile uboot to see how to trigger the unlock.
I've only managed to get the preloader_prod.img at this moment in time (I haven't taken preloader.img off). The SHA256 hash starts at around 95% (117KB out of 121KB) of the file, according to binwalk.
Hi,
I'm sorry to shatter hopes for bootloader rollback, but I was looking at the strings in preloader_prod.img and found this:
Code:
$ strings images/preloader_prod.img | grep -i rollback
[ANTI-ROLLBACK] Processing anti-rollback data
[ANTI-ROLLBACK] Failed to read block 0
[ANTI-ROLLBACK] PL: %x TEE: %x LK: %x
[ANTI-ROLLBACK] Need to update version
[ANTI-ROLLBACK] Invalid checksum!
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] PL version mismatch!
[ANTI-ROLLBACK] L: %x R: %x
[ANTI-ROLLBACK] Updating PL version
[ANTI-ROLLBACK] TEE version mismatch!
[ANTI-ROLLBACK] Updating TEE version
[ANTI-ROLLBACK] LK version mismatch!
[ANTI-ROLLBACK] Updating LK version
[ANTI-ROLLBACK] All checks passed
[ANTI-ROLLBACK] Updating RPMB block...
[ANTI-ROLLBACK] Unable to update RPMB block (wc)
[ANTI-ROLLBACK] Unable to update RPMB block (write)
[ANTI-ROLLBACK] RPMB block updated
[RPMB] Failed to initialize anti-rollback block
[RPMB] Anti-rollback block initialized
[RPMB] Valid anti-rollback block exists
[ANTI-ROLLBACK] Invalid anti-rollback state, skipping
There is more stuff when looking for rpmb...
A little bit of googling leads to: https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US20140250290.pdf
This doesn't look good at all
These strings might give a bit hope:
Code:
[RPMB] Invalid magic, re-creating...
[RTC] clear rpmb program mode flag in rtc register
So something could be stored in the realtime clock and the device might recover if the RPMB block gets destroyed. I can't find any mention of OTP or fuses in the image.
EDIT: It seems rpmb can be accessed through /dev/block/mmcblk0rpmb. I've uploaded mine (5.0.1) to: http://bork.cs.fau.de/~michael/fire/
It seems to only contain a few ones and many zeroes.
It would be interesting to get the rpmb of a 5.1.1 device to compare:
Code:
$ adb shell
[email protected]:/ $ su
[email protected]:/ # dd if=/dev/block/mmcblk0rpmb of=/sdcard/rpmb.bin
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.093 secs (5637505 bytes/sec)
I would not advise trying to flash the 5.0.1 rpmb to a 5.1.1 device!
Regards,
Michael
stargo said:
Hi,
I'm sorry to shatter hopes for bootloader rollback, but I was looking at the strings in preloader_prod.img and found this:
Code:
$ strings images/preloader_prod.img | grep -i rollback
[ANTI-ROLLBACK] Processing anti-rollback data
[ANTI-ROLLBACK] Failed to read block 0
[ANTI-ROLLBACK] PL: %x TEE: %x LK: %x
[ANTI-ROLLBACK] Need to update version
[ANTI-ROLLBACK] Invalid checksum!
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] PL version mismatch!
[ANTI-ROLLBACK] L: %x R: %x
[ANTI-ROLLBACK] Updating PL version
[ANTI-ROLLBACK] TEE version mismatch!
[ANTI-ROLLBACK] Updating TEE version
[ANTI-ROLLBACK] LK version mismatch!
[ANTI-ROLLBACK] Updating LK version
[ANTI-ROLLBACK] All checks passed
[ANTI-ROLLBACK] Updating RPMB block...
[ANTI-ROLLBACK] Unable to update RPMB block (wc)
[ANTI-ROLLBACK] Unable to update RPMB block (write)
[ANTI-ROLLBACK] RPMB block updated
[RPMB] Failed to initialize anti-rollback block
[RPMB] Anti-rollback block initialized
[RPMB] Valid anti-rollback block exists
[ANTI-ROLLBACK] Invalid anti-rollback state, skipping
There is more stuff when looking for rpmb...
A little bit of googling leads to: https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US20140250290.pdf
This doesn't look good at all
These strings might give a bit hope:
Code:
[RPMB] Invalid magic, re-creating...
[RTC] clear rpmb program mode flag in rtc register
So something could be stored in the realtime clock and the device might recover if the RPMB block gets destroyed. I can't find any mention of OTP or fuses in the image.
EDIT: It seems rpmb can be accessed through /dev/block/mmcblk0rpmb. I've uploaded mine (5.0.1) to: http://bork.cs.fau.de/~michael/fire/
It seems to only contain a few ones and many zeroes.
It would be interesting to get the rpmb of a 5.1.1 device to compare:
Code:
$ adb shell
[email protected]:/ $ su
[email protected]:/ # dd if=/dev/block/mmcblk0rpmb of=/sdcard/rpmb.bin
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.093 secs (5637505 bytes/sec)
I would not advise trying to flash the 5.0.1 rpmb to a 5.1.1 device!
Regards,
Michael
Click to expand...
Click to collapse
How interesting. Thanks @stargo! I've updated the OP accordingly to your findings. Yes, it seems more complex than previously thought. I'll upload my 5.1.1 rpmb binary soon.
Hi there! As se en within I read mtk is a very hard platform to work with, because they are very closed, and they hardly ever release any source, so most Roms are ports of a similar decide. I'll have a search for a device with this same soc to ser if i can come back with related info. That's why I'm surprised we have cm here!
Disclaimer:
newflasher tool was made for testing and educational purposes, ME is not responsible for what you do on/with your device using newflasher, you must agree that you using newflasher on your own risk, I am not responsible if you brick your device or anything else!
How to use:
OPTIONAL STEP 1:
- if you have missing flash driver just double click exe and confirm driver extraction, an exe will become available, run it and install driver.
OPTIONAL STEP 2:
- this step is optional, this step dump trim area, you can do this and keep those file somewhere on your pc in case you hard brick your device so give it to servicians to repair your phone.
STEP 1:
- Download right firmware for your device using XperiFirm tool, put newflasher.exe into firmware dir created by XperiFirm tool. Before you double click newflasher.exe do in mind something, newflasher tool is programed to flash everything found in the same dir!!! So tool flash all .ta files, all .sin files, boot delivery (whole boot folder), partition.zip, in short all files found in dir! If you no want to flash something just move file which you no want to flash OUT OF FOLDER! Partition.zip .sin files can be flashed only if you extract partition.zip into newly created folder called partition!
STEP 2:
- To start flashing phone put your phone into flash mode, double click newflasher.exe and wait wait wait until your device gets flashed, thats it. Look into log to see if something goes wrong! If all right you are done. If not post your log so I can look!
SOME MORE THINGS:
"You do not need to unlock bootloader or to root the phone if you want to flash a stock firmware from XperiFirm.
There are no files in the stock firmware that need to be deleted. Prompts will ask you to skip some files.
Feel free to press N to every prompt since:
- TA dumping it's not related with DRM keys.
- Flash persist_* files only if you know what you are doing, since you will lose your attest keys. Backup persist partition.
If you need the firmware on both A and B slot use fastboot commands to choose the inactive partion and re-flash."
Happy flashing!
Supported platforms:
- Newflasher is working on Windows, Linux, Android and Darwin, just chose right newflasher binary. With Android version you can flash phone by using another phone!
Changelog:
- version 1: Sorry a lot of work is done in pre pre alpha version and I can't count every changes, just folow development process about version 1, a lot of work is done before it started working. One esential change was done to tool improvement and it is described in one of the my posts related to moving function "erase:" to the section before function "flash:", it is realy improvement and more safer than in time when it was at the start of flashing routine.
- version v2 (15.Aug.2017)
Implemented free disk space safety check, it was missing and danger in case flashing process gets interupted because of the lack of the free disk space needed for sin extractions and temporary files. I have also include GordonGate flash driver prompt so in case somebody have missing flash drivers, simple need to double click exe and folow drivers archive extraction procedure, later need to install these drivers trought Windos device mannager. Also I have implemented an realy pre pre alpha version of the maybe non working trim (why maybe? Because I don't own xzp so can't test) area dump routine, in case it is working we can dump some esentials trim area units from device (probably not a full dump as like it was on every oldest xperia models - no permissions for dumping drm key unit)
- version v3 (23.09.2017)
Some more security checks, it's now a bit safer than v2
- version v4 (21.10.2017)
Updated trim area dumper, now it stores log to the trimarea.log but dump is now in .ta format and writen to the 01.ta and 02.ta
- version v5 (22.10.2017)
Updated trim area dumper, add progress meter, fix y-n prompt (thanks @pbarrette)
- version v6 (22.10.2017)
Updated trim area dumper
- version v7 (23.10.2017)
Updated trim area dumper, newflasher redesigned a bit, fix new partitioning for Oreo
- version v8 (24.10.2017)
Fix trim area dumper
- version v9 & v10 (25.10.2017)
Workaorunds on trim area dumper
- version v11 (07.04.2018)
Support for 2018 devices
- version v12 (29.04.2018)
Try fix doublefree bug/crash (most noticed on Linux 64 bit binary)
- version v13 (01.05.2018)
Fix doublefree bug/crash by removing dynamic allocation from function get_reply
- version v14 & v15 (12.06.2019)
Sony XPeria 1 support added.
- version v16 (16.06.2019)
LUN0 detection optimized.
- version v17 (24.06.2019)
LUN0 detection bug fixed.
- version v18 (10.08.2019)
Untested fix for https://forum.xda-developers.com/cr...wflasher-xperia-command-line-t3619426/page105
Using builtin mkdir instead of calling it trought system call
- version v19 (08.10.2019)
Implemented prompt for flashing persist partition; print skipped .sin files
- version v20 (13.12.2019)
implemented prompt for flashing bootloader,bluetooth,dsp,modem,rdimage to booth a,b slots
- version v21 (29.06.2020)
implemented battery level status check before flashing, flashing bootloader,bluetooth,dsp,modem,rdimage to booth a,b slots is mandatory now and is flashed by default right now, more info, try fix previously reported isue on sync and powerdown command reported 2-3 years ago so I have disabled it and now enabled for test, implemented Macos support (curently need to be tested! If you have plan to test please flash only cache.sin DO NOT flash the rest because of safety for your device!)
- version v22 (30.06.2020)
trying to fix battery capacity retrieval
- version v23 (04.07.2020)
removed battery capacity retrieval (not going to work that way), fix trim area dump file name, new gordongate drivers
- version v24 (04.07.2020)
new feature - now you can run newflasher from script or console with your own command, e.g. newflasher getvar:Emmc-info , I didn't tested all the list of commands, if you do it share them with us!
- version v25 (09.07.2020)
New trim area dump tool, with this change trim area dump is created in 3 secconds. Do in mind this not dump protected units like drm key...etc! Some changes in scripting feature from v24
- version v26 (10.07.2020)
Added 4 diferent reboot modes, reboot to android, reboot to fastboot, reboot to bootloader, power off
- version v27 (11.07.2020) (not yet released)
Workaround in mac libusb
- version v28 (12.07.2020)
Workaround to sync response bug; Fully implemented support for Mac. I'm tested myself on mac 10.14 but confirmed working on mac 10.15 too
- version v29 (12.07.2020)
Mac proper libusb deinitialisation
- version v30 (13.07.2020)
Preparation for Debian packaging; I'm noticed that hex modified arm64 fake pie binary is not working so its now compiled with ndk and its true pie binary now
- version v31 (14.07.2020)
Fix cosmetic bug https://forum.xda-developers.com/showpost.php?p=83056693&postcount=1212 which might confuse somebody
- version 32, not yet released
- version 33 (30.07.2020)
Allow bootloader unlocking with newflasher; Try fix sync response bug for win and darwin too
- version 34 (08.08.2020)
Added support for 32bit sized trim area units (as trim area api changed in xperia mark 2 line) (not yet released because of bug)
- version 35 (08.08.2020)
Updated support for 32bit sized trim area units (as trim area api changed in xperia mark 2 line); Move trim area dumps out of root folder so it not get acidentaly flashed, dumps is now inside folder tadump
- version 36 (27.08.2020)
Some improvements and and possible bug fixes
- version 37 (09.12.2020)
Added support for Xperia 5 II with emmc instead of ufs (not working)
- version 38 (10.12.2020)
Fixed impropper implementation from v37
- version 39 (13.12.2020)
Since mark 2 devices protocol is changed a bit and on some devices OKAY reply is not in separated usb poacket, instead it is merged with data packet, added support for it
- version 40 (03.01.2021)
Temporary solution for determining partition 0 sin file caused by two diferent emmc csd info we found recently on mark 2 devices
- version 41 (03.01.2021)
Removed temporary solution from version 41 so right lun0 sin file get flashed and seccond lun0 get skipped or booth skipped if lun0 sin file do not match device storage size
- version 42 (11.03.2021)
Fix bug in flashing booth slots when current slot is A, thanks to @chrisrg for discovering bug!
- version 43 (12.06.2021)
Support for Mark 3 devices
- version 44 (19.06.2021)
Fully Mark III device implementation
- version 45 (20.06.2021)
Implemented battery level check and prompt user to take a risk and continue flashing or stop flasing if battery level is less than 15 percent
- version 46 (08.07.2021)
Fix problem with filenames which contain "_other", it need to be always flashed to the diferent slot
- version 47 (15.07.2021)
Removed prompt for persist.sin flashing, now its by default skip. Implemented bootloader log retrieval at the end of flashing for better understanding when something goes wrong. Implemented firmware log history retrieval for those who want to know history of the flashed firmwares
- version 48 (19.07.2021)
Flash bootloader,bluetooth,dsp,modem,rdimage to booth slots only on a,b devices
- version 49 (31.07.2021)
Support for XQ-BT41
- version 50 (12.08.2021)
Workin progress on asynchronous usb to make it more like synchronous, added progress bar during send-receive usb packets and more logging. Increased usb timeout to 2 minute. Trying fix sync command at the end of flashing as reported here -> https://github.com/munjeni/newflasher/issues/42
- version 51 (12.08.2021)
Fix empry line printed while receiving usb packets, thanks @elukyan
- version 52 (01.10.2021)
Implemented userprompt for keeping userdata, thanks @OhayouBaka for figuring out! Removed bootloader log retrieval
- version 53, 54, 55 (20.0822022)
Fix trimarea dumper crash on big endian machines, update building makefiles
Credits:
- without @tanipat and his pc companion debug logs this tool will never be possible! Thank you a lot for your time providing me logs! (by the influence of others, He was disappointed me with last post, but I still appreciate his help and can't forget it)
- without @thrash001 who helped testing our tool I never be continue building our tool since I don't have device for testing, thanks mate!
- didn't forgot @beenoliu, thanks mate for testing!
- thanks to @porphyry for testing linux version!
- thanks to @Snow_Basinger for providing sniff log from 2018 device and for testing on his 2018 device
- thanks to @frantisheq for testing newflasher on his 2018 device and for notify about doublefree bug
- thanks to @serajr for providing me some logs which helped me to figure out some things related to 2018 devices
- thanks to @noelex for helping in Xperia 1 implementation
- thanks to @Meloferz for testing on his xperia 1 mark II
- thanks to github contributors, testers and reporters: vog, noelex, TheSaltedFish, solarxraft, pbarrette, MartinX3, kholk
- thanks to Chirayu Desai for tracking addition to Debian and thanks to vog for initiating all that
- thanks to @elukyan for testing and providing me usb sniff logs for mark 3 devices imlementation, thank you so much
Common errors and how to solve:
https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/post-72610228
Source code:
https://github.com/munjeni/newflasher
let me start for you and report
here my log..
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
ERROR: TIMEOUT: failed with error code 997 as follows:
▄berlappender E/A-Vorgang wird verarbeitet.
- Error writing command!
Drücken Sie eine beliebige Taste . . .
Common errors and what you need to do:
ERROR: TIMEOUT: failed with error code 997 as follows:
Overlapped I/O operation is in progress.
FIX --------> https://forum.xda-developers.com/t/tool-newflasher-xperia-command-line-flasher.3619426/post-84603931
Error, didn't got signature OKAY reply! Got reply: FAILFailed to verify cms
FIX---------> Make sure to flash right rom model e.g. if your device is SO-01L you need to flash rom model SO-01L or e.g. your phone is H8314 you need to flash rom H8314 ... etc, otherwise you might hardbrick your phone!
Bootloop caused by rooback protection e.g. by flashing an OLD rom over NEWER one e.g. you have android 11 and want back to android 10 that will bootloop your phone if your phone have rollback protection
https://forum.xda-developers.com/t/...-xq-at51-with-flashtool.4119707/post-84509417
in short explanation your bootloader need to be unlocked. Than by relocking bootloader rollback index (rollback protection) is reset to zero. Than you can flash oldest rom because index in that case is zero so you won't get bootloop related to rollback protection.
It was confirmed working:
https://forum.xda-developers.com/t/...-xq-at51-with-flashtool.4119707/post-84637803
https://forum.xda-developers.com/t/...-xq-at51-with-flashtool.4119707/post-84673613
If neither help you to solve problem you should read boot log to get idea, use this command line option for newflasher:
newflasher Read-TA:2:2050
what I got
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#6&3a757eec&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: Universal Serial Bus controllers
Device Instance Id: USB\VID_0FCE&PID_B00B\6&3A757EEC&0&1
ERROR: GetOverlapped_in_Result: failed with error code 31 as follows:
A device attached to the system is not functioning.
- Error reaply! Device didn't replied with OKAY or DATA
Press any key to continue . . .
wait for others to report
Hm, you successfully wrote command but error on reaply Lets see new version is out
Today I have free time for development, I don't know when I will get free time again, so guys if you hurry to have flasher I am here and waiting. I do not have 2017 device model so I can't test, so can't continue development without your tests
Driver is the right.
here the next:
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
ERROR: TIMEOUT: failed with error code 997 as follows:
▄berlappender E/A-Vorgang wird verarbeitet.
- Successfully write 0x0 bytes to handle.
- Error writing command!
Drücken Sie eine beliebige Taste . . .
Strange! Maybe run as admin is need?
It would be great if tanipat debug newflasher with monitoring studio so I can compare whats going on? New version is out again.
Edit:
Curent version is safe so you no need to care for brick! Tool currently nothing write to internal mem! I will tell when it is ready for flashing! Now its just pre pre alpha version, only read from phone
in the windows devicemanager is it correct as "SOMC Flash Device"
the next one:
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
ERROR: TIMEOUT: failed with error code 997 as follows:
▄berlappender E/A-Vorgang wird verarbeitet.
- Error write! Need nBytes: 0x18 but done: 0x0
- Error writing command!
Drücken Sie eine beliebige Taste . . .
Can you right click on .exe and run as admin?
the same
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
ERROR: TIMEOUT: failed with error code 997 as follows:
▄berlappender E/A-Vorgang wird verarbeitet.
- Error write! Need nBytes: 0x18 but done: 0x0
- Error writing command!
Drücken Sie eine beliebige Taste . . .
---------- Post added at 08:42 PM ---------- Previous post was at 08:41 PM ----------
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
- Successfully write 0x18 bytes to handle.
- Successfully read 0xd bytes from handle.
Raw input [0xD]:
00000000 4F 4B 41 59 31 30 34 38 35 37 36 30 30 OKAY104857600
get_reaply:[0xD]:
00000000 4F 4B 41 59 31 30 34 38 35 37 36 30 30 OKAY104857600
- Successfully write 0xe bytes to handle.
- Successfully read 0x9 bytes from handle.
Raw input [0x9]:
00000000 4F 4B 41 59 47 38 31 34 31 OKAYG8141
get_reaply:[0x9]:
00000000 4F 4B 41 59 47 38 31 34 31 OKAYG8141
- Successfully write 0xe bytes to handle.
ERROR: GetOverlapped_in_Result: failed with error code 31 as follows:
Ein an das System angeschlossenes Gerõt funktioniert nicht.
- Successfully read 0x0 bytes from handle.
Raw input [0x0]:
- Error reaply: less than 4!
Drücken Sie eine beliebige Taste . . .
Sorry, i must disconnect the device for the next start
Thanks a lot! Seems some good progress here! I had set timeout to 60 secconds, seems it was not enought and caused timeout, now I have set to 120 secconds and donesome small modification, hope we get luck now, new version is out
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
- Successfully write 0x18 bytes to handle.
- Successfully read 0xd bytes from handle.
Raw input [0xD]:
00000000 4F 4B 41 59 31 30 34 38 35 37 36 30 30 OKAY104857600
- Successfully write 0xe bytes to handle.
- Successfully read 0x9 bytes from handle.
Raw input [0x9]:
00000000 4F 4B 41 59 47 38 31 34 31 OKAYG8141
- Successfully write 0xe bytes to handle.
ERROR: GetOverlapped_in_Result: failed with error code 31 as follows:
Ein an das System angeschlossenes Gerõt funktioniert nicht.
- Error reaply: less than 4!
Drücken Sie eine beliebige Taste . . .
and this, without disconect a view seconds later again start the exe
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
- Successfully write 0x18 bytes to handle.
ERROR: TIMEOUT: failed with error code 997 as follows:
▄berlappender E/A-Vorgang wird verarbeitet.
- Error reaply: less than 4!
Drücken Sie eine beliebige Taste . . .
Hmm strange realy. See https://www.lifewire.com/how-to-fix-code-31-errors-2623184 its seems your driver is not working propertly, maybe you have old flashtool driver and not one for newer device (which can be installed by installing sony pc companion software), I have no idea by now, unable to figure out why that happens Did you flashed by sony pc companion your device allready and you are sure it is working, can you confirm? Probably if you allready installed flashtool driver you will need to uninstall and reinstall pc companion, have no idea by now what might be a problem
so, i have erase the driver. restart windows, install the flashtool driver. start the exe:
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
- Successfully write 0x18 bytes to handle.
- Successfully read 0xd bytes from handle.
Raw input [0xD]:
00000000 4F 4B 41 59 31 30 34 38 35 37 36 30 30 OKAY104857600
- Successfully write 0xe bytes to handle.
- Successfully read 0x9 bytes from handle.
Raw input [0x9]:
00000000 4F 4B 41 59 47 38 31 34 31 OKAYG8141
- Successfully write 0xe bytes to handle.
ERROR: GetOverlapped_in_Result: failed with error code 31 as follows:
Ein an das System angeschlossenes Gerõt funktioniert nicht.
- Error reaply: less than 4!
Drücken Sie eine beliebige Taste . . .
now i erase the driver, restart windows and let windows install the driver over windows.
(i hope you can undersood my english)
Many thanks! Yes I understand you. I must go now, hope somebody figure out if driver is problem or bug in my tool, see you guys tommorow
New version is out, let me know please! I have researched a bit, seems get overlapped result caused some problems and returns imediatelly before thing complete, I have set to "wait complete" hope it is ok now
good morning, so i have reinstall sony companion and start the repair, the new driver is isntall but:
Code:
--------------------------------------------------------
newflasher.exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&15c311e1&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&15C311E1&0&2
- Successfully write 0x18 bytes to handle.
- Successfully read 0xd bytes from handle.
Raw input [0xD]:
00000000 4F 4B 41 59 31 30 34 38 35 37 36 30 30 OKAY104857600
- Successfully write 0xe bytes to handle.
- Successfully read 0x9 bytes from handle.
Raw input [0x9]:
00000000 4F 4B 41 59 47 38 31 34 31 OKAYG8141
- Successfully write 0xe bytes to handle.
ERROR: GetOverlapped_in_Result: failed with error code 31 as follows:
Ein an das System angeschlossenes Gerõt funktioniert nicht.
- Error reaply: less than 4!
Raw input [0x0]:
Drücken Sie eine beliebige Taste . . .
---------- Post added at 10:27 AM ---------- Previous post was at 10:18 AM ----------
and this is from my windows7 32bit pc, only sony companion is install.
Code:
--------------------------------------------------------
newflasher (2).exe by Munjeni @ 2017
--------------------------------------------------------
Device path: \\?\usb#vid_0fce&pid_b00b#5&448f588&0&1#{a5dcbf10-6530-11d2-901f-00
c04fb951ed}
Class Description: USB-Controller
Device Instance Id: USB\VID_0FCE&PID_B00B\5&448F588&0&1
- Successfully write 0x18 bytes to handle.
- Successfully read 0xd bytes from handle.
Raw input [0xD]:
00000000 4F 4B 41 59 31 30 34 38 35 37 36 30 30 OKAY104857600
- Successfully write 0xe bytes to handle.
- Successfully read 0x9 bytes from handle.
Raw input [0x9]:
00000000 4F 4B 41 59 47 38 31 34 31 OKAYG8141
- Successfully write 0xe bytes to handle.
ERROR: GetOverlapped_in_Result: failed with error code 31 as follows:
Ein an das System angeschlossenes Gerõt funktioniert nicht.
- Error reaply: less than 4!
Raw input [0x0]:
Drücken Sie eine beliebige Taste . . .