Unpack stock System.img? - Droid RAZR M Q&A, Help & Troubleshooting

Hello Moto
I've just downloaded Verizon Jelly Bean 4.1.1 by "Firmware Team".
Just to play with it a little, extract apks and test them on Galaxy SII Skyrocket.
The thing is I'm having a hard time opening system.img.
Now I've tried LinuxReader, Unyaffs and ext2explore/read but none of these can open it, they all say that it's an unrecognized image.
Do you guys know how to properly open a stock moto System.img?

lingowistico said:
Hello Moto
I've just downloaded Verizon Jelly Bean 4.1.1 by "Firmware Team".
Just to play with it a little, extract apks and test them on Galaxy SII Skyrocket.
The thing is I'm having a hard time opening system.img.
Now I've tried LinuxReader, Unyaffs and ext2explore/read but none of these can open it, they all say that it's an unrecognized image.
Do you guys know how to properly open a stock moto System.img?
Google for a tool called simg2img (I used the Python script that appears in the first few results, there should be other versions as well). That will unpack the image into a plain ext4 image that you can mount with any Linux PC (I recommend using a virtual machine if you have Windows or Mac).
Happy hacking!
Sent from my XT907

aslomagic, did you try this with the firmware lingowistico is talking about? I also tried before to unpack system.img from this package, and system.img.ext4 from ICS package, and another ICS soft for XT897, and all of them give "Bad magic" error in simg2img. All of those softs are published by the same "Firmware Team" - maybe that's the case? I also tried dsixda kitchen (which also uses simg2img, but anyway...) and it also didn't work. Might be also some custom Motorola's approach to system.img....
Could you possibly help? Thanks.

micx_pl said:
aslomagic, did you try this with the firmware lingowistico is talking about? I also tried before to unpack system.img from this package, and system.img.ext4 from ICS package, and another ICS soft for XT897, and all of them give "Bad magic" error in simg2img. All of those softs are published by the same "Firmware Team" - maybe that's the case? I also tried dsixda kitchen (which also uses simg2img, but anyway...) and it also didn't work. Might be also some custom Motorola's approach to system.img....
Could you possibly help? Thanks.
Well, I know for a fact that those images are packed ext4, but I haven't tried specifically with that one.
Now that you mention, I think I remember signed images (like those ones) have some additional header, maybe that needs to be removed with a hex editor, or with dd if you like
If I get a chance, I'll try and report back...
Sent from my XT907

aslomagic said:
Well, I know for a fact that those images are packed ext4, but I haven't tried specifically with that one.
Now that you mention, I think I remember signed images (like those ones) have some additional header, maybe that needs to be removed with a hex editor, or with dd if you like
If I get a chance, I'll try and report back...
Ok, I tried, and yes, it complains it cannot find the magic (again, I'm using the python script). I modified the script to look for the magic value in the first 50Mb of the file, and if it finds it, it starts unpacking from there. Python scripts are very easy to play with
It seems to work for me, but I don't have a linux vm handy to see if it mounts correctly (I'm currently on a mac). micx_pl, can you give it a try and let me know?
I had to zip the file even though it's very small because the forum won't let me upload a .py file... who knows, just unzip it.
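
The approach described in the post above (scan the first 50 MB for the sparse-image magic and start unpacking from that offset), as an added example that is not the script attached to the post. The function names, the header sanity checks and the constructed sample image are assumptions of this example; the header and chunk layouts follow the Android sparse image format.

```python
import io
import struct

SPARSE_MAGIC = 0xED26FF3A                 # bytes on disk: 3A FF 26 ED
SPARSE_HDR = struct.Struct("<IHHHHIIII")  # 28-byte sparse file header
CHUNK_HDR = struct.Struct("<HHII")        # 12-byte chunk header
RAW, FILL, DONT_CARE, CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4
SEARCH_LIMIT = 50 * 1024 * 1024           # search window mentioned in the post


def find_sparse_header(src, limit=SEARCH_LIMIT):
    """Return the offset of the first plausible sparse header, or -1."""
    src.seek(0)
    window = src.read(limit + SPARSE_HDR.size)
    needle = struct.pack("<I", SPARSE_MAGIC)
    pos = window.find(needle)
    while pos != -1 and pos <= limit:
        hdr = window[pos:pos + SPARSE_HDR.size]
        if len(hdr) == SPARSE_HDR.size:
            _, major, _, hdr_sz, chdr_sz, blk_sz, _, _, _ = SPARSE_HDR.unpack(hdr)
            # The four magic bytes can occur by chance inside the prepended
            # data, so accept a hit only if the rest of the header is sane.
            if (major == 1 and hdr_sz >= SPARSE_HDR.size
                    and chdr_sz >= CHUNK_HDR.size
                    and blk_sz and blk_sz % 4 == 0):
                return pos
        pos = window.find(needle, pos + 1)
    return -1


def unsparse(src, dst, limit=SEARCH_LIMIT):
    """Expand the sparse image found in src into dst; return (offset, size)."""
    start = find_sparse_header(src, limit)
    if start < 0:
        raise ValueError("Bad magic: no sparse header in first %d bytes" % limit)
    src.seek(start)
    (_, _, _, hdr_sz, chdr_sz, blk_sz,
     total_blks, total_chunks, _) = SPARSE_HDR.unpack(src.read(SPARSE_HDR.size))
    src.seek(start + hdr_sz)              # honour a header longer than 28 bytes
    zero_blk = b"\0" * blk_sz
    written = 0
    for _ in range(total_chunks):
        raw = src.read(CHUNK_HDR.size)
        if len(raw) != CHUNK_HDR.size:
            raise ValueError("truncated chunk header")
        ctype, _, nblks, total_sz = CHUNK_HDR.unpack(raw)
        src.seek(chdr_sz - CHUNK_HDR.size, io.SEEK_CUR)
        payload = total_sz - chdr_sz      # input bytes that follow the header
        if payload < 0:
            raise ValueError("chunk smaller than its own header")
        if ctype == RAW:
            if payload != nblks * blk_sz:
                raise ValueError("RAW chunk length mismatch")
            for _ in range(nblks):        # copy block by block
                blk = src.read(blk_sz)
                if len(blk) != blk_sz:
                    raise ValueError("truncated RAW chunk")
                dst.write(blk)
        elif ctype == FILL:
            fill = src.read(4)
            if payload != 4 or len(fill) != 4:
                raise ValueError("FILL chunk must carry one 32-bit value")
            for _ in range(nblks):
                dst.write(fill * (blk_sz // 4))
        elif ctype == DONT_CARE:
            for _ in range(nblks):        # unallocated space: emit zeros
                dst.write(zero_blk)
        elif ctype == CRC32:
            src.seek(payload, io.SEEK_CUR)  # checksum is skipped, not verified
        else:
            raise ValueError("unknown chunk type 0x%04X" % ctype)
        written += nblks
    if written != total_blks:
        raise ValueError("chunks cover %d blocks, header says %d"
                         % (written, total_blks))
    return start, written * blk_sz


def build_sample():
    """Constructed test image: 1 KiB of made-up prepended data, then a
    4-block sparse image (RAW, FILL x2, DONT_CARE)."""
    blk = 4096
    magic = struct.pack("<I", SPARSE_MAGIC)
    # Decoy: magic bytes followed by junk, to exercise the header validation.
    prefix = (b"CONSTRUCTED-HDR!" + magic + b"\xff" * 24).ljust(1024, b"\0")
    body = SPARSE_HDR.pack(SPARSE_MAGIC, 1, 0, 28, 12, blk, 4, 3, 0)
    body += CHUNK_HDR.pack(RAW, 0, 1, 12 + blk) + b"A" * blk
    body += CHUNK_HDR.pack(FILL, 0, 2, 12 + 4) + b"\xef\xbe\xad\xde"
    body += CHUNK_HDR.pack(DONT_CARE, 0, 1, 12)
    return prefix + body


if __name__ == "__main__":
    out = io.BytesIO()
    offset, size = unsparse(io.BytesIO(build_sample()), out)
    print("sparse header at offset %d, raw image is %d bytes" % (offset, size))
```

For a file on disk, pass the image opened with mode `rb` as `src` and the output opened with mode `wb` as `dst`; the result is the plain ext4 image that the later posts loop-mount.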

Holy cow! It works! You're the master I was looking for such solution everywhere, and was stunned to see barely few topics with similar problem, and no solution at all. Thanks!

micx_pl said:
Holy cow! It works! You're the master I was looking for such solution everywhere, and was stunned to see barely few topics with similar problem, and no solution at all. Thanks!
You're welcome, glad I could help!
Sent from my XT907

aslomagic said:
Ok, I tried, and yes, it complains it cannot find the magic (again, I'm using the python script). I modified the script to look for the magic value in the first 50Mb of the file, and if it finds it, it starts unpacking from there. Python scripts are very easy to play with
It seems to work for me, but I don't have a linux vm handy to see if it mounts correctly (I'm currently on a mac). micx_pl, can you give it a try and let me know?
I had to zip the file even though it's very small because the forum won't let me upload a .py file... who knows, just unzip it.
HOLY $#!+ THANKS!!! I've been trying to decompress the moto images for awhile and have never been able to do it until now

Would it be possible to modify make_ext4fs to re-sparse the image and copy the original signature?

Q9Nap said:
Would it be possible to modify make_ext4fs to re-sparse the image and copy the original signature?
You're welcome to try ... my guess is that it could be made to work if the image was an official, originally signed image that was unpacked by the script above or equivalent, but if you want to modify it, re-pack it and re-attach the signature, most likely the signature won't match the content. But I may be wrong, so if somebody is willing to try, best of luck to you
If your goal is just to create a packed image, but not necessarily signed (needs bootloader unlock), then I'd say it's definitely possible, search around here.

aslomagic said:
You're welcome to try ... my guess is that it could be made to work if the image was an official, originally signed image that was unpacked by the script above or equivalent, but if you want to modify it, re-pack it and re-attach the signature, most likely the signature won't match the content. But I may be wrong, so if somebody is willing to try, best of luck to you
If your goal is just to create a packed image, but not necessarily signed (needs bootloader unlock), then I'd say it's definitely possible, search around here.
i'm sure you're right about the signature not working on a modified image; it was just wishful thinking. the idea of course would be to inject superuser.apk and su, which wouldn't be necessary on a bootloader unlocked device.
for bootloader unlocked devices though, the ability to repack a modified image does give you another way to build custom roms. here's the code to unpack and repack images with simg2img.py and make_ext4fs:
Code:
mkdir system
./simg2img.py system.img.ext4 system.raw
sudo mount -t ext4 -o loop system.raw system/
# make changes, then:
wc -c system.raw # prints the size of system.raw in bytes
sudo make_ext4fs -s -l 1234567890 -a system system.img system/ # where 1234567890 is the output from wc -c
sudo umount system
rmdir system # rmdir instead of rm -rf: refuses to delete anything if the unmount failed
i've used this process with samsung system images, should work for moto images now too (bootloader unlocked, of course)

Yep, it's a good cheat sheet reference
Besides, on razr m and hd at least, you can also use this with safestrap without unlocking the bootloader.

aslomagic said:
Besides, on razr m and hd at least, you can also use this with safestrap without unlocking the bootloader.
Not sure what you mean by this; do you mean you could mount a modified system.img with safestrap? I guess it's possible since safestrap uses a system.img on the emmc, interesting idea

Q9Nap said:
Not sure what you mean by this; do you mean you could mount a modified system.img with safestrap? I guess it's possible since safestrap uses a system.img on the emmc, interesting idea
Yes, that's what I mean, more or less. You don't need safestrap to just mount it (use the terminal and "mount"), but you can use it to boot from it and try it.
I did this to try the Telstra image that pjcons dumped, which is pre-rooted and not signed (there is no official signed image to date), and with a few tricks it worked without me having to unlock the bootloader.
Sent from my XT907

aslomagic said:
Google for a tool called simg2img (I used the Python script that appears in the first few results, there should be other versions as well). That will unpack the image into a plain ext4 image that you can mount with any Linux PC (I recommend using a virtual machine if you have Windows or Mac).
Happy hacking!
Sent from my XT907
hello, I can't find anything on the basics of how this works, could you point me somewhere that explains it step by step or do one here. sorry for the noob question

TheWhiteChallenger said:
hello, I can't find anything on the basics of how this works, could you point me somewhere that explains it step by step or do one here. sorry for the noob question
http://forum.xda-developers.com/showthread.php?t=1588461

CNexus said:
http://forum.xda-developers.com/showthread.php?t=1588461
Thanks for the link I need to go learn Linux now. Lol I don't get the virtual machine thing at all. It's basically a Linux emulator right?
Sent from my XT1080 using XDA Premium 4 mobile app

TheWhiteChallenger said:
Thanks for the link I need to go learn Linux now. Lol I don't get the virtual machine thing at all. It's basically a Linux emulator right?
Sent from my XT1080 using XDA Premium 4 mobile app
No need to
http://sourceforge.net/projects/androidicsjbext/

CNexus said:
No need to
http://sourceforge.net/projects/androidicsjbext/
oh damn it. ok first i do appreciate the help. but that sucked. that was the first program i tried and it gives me "unknown file format" have i just been screwing up from the beginning?

Related

.rc files

can anyone send me the names of the init.devicename.rc and the ueventd.device.rc? they are located in the kernel ramdisk
alex1301 said:
can anyone send me the names of the init.devicename.rc and the ueventd.device.rc? they are located in the kernel ramdisk
Hi, here are the contents of the folder:
http://i.imgur.com/bxbK3.png
And attached is latest boot.img (kernel 3.0.8 from dzo's Aurora ICS) and the decompressed files if you need that...
i am quite ready with the rom. only thing is i have this problem.
[email protected]:~/Desktop/BootScripts$ sudo perl repack-bootimg.pl /home/ubuntu/Desktop/BootScripts /home/ubuntu/ramdisk /home/ubuntu/Desktop
1891 blocks
sh: mkbootimg: not found
repacked boot image written at /home/ubuntu/ramdisk-repack.img
but there is no file when i repack the kernel
alex1301 said:
i am quite ready with the rom. only thing is i have this problem.
[email protected]:~/Desktop/BootScripts$ sudo perl repack-bootimg.pl /home/ubuntu/Desktop/BootScripts /home/ubuntu/ramdisk /home/ubuntu/Desktop
1891 blocks
sh: mkbootimg: not found
repacked boot image written at /home/ubuntu/ramdisk-repack.img
but there is no file when i repack the kernel
Can you post the un packed files? I could try to repack them
I think I know what the problem is, you need to have mkbootimg... Here it is, put it in /bin and then rerun the repack script
EDIT: for some reason, attachments are always corrupt... but here it is:
http://forum.xda-developers.com/attachment.php?attachmentid=475249&d=1293574570
http://www.mediafire.com/?y5ur5lc4q7d5148
http://www.mediafire.com/?vl44nay131u8ofz
sent them please repacked back
alex1301 said:
http://www.mediafire.com/?y5ur5lc4q7d5148
http://www.mediafire.com/?vl44nay131u8ofz
sent them please repacked back
Here it is.
But your error was because you probably didn't have mkbootimg on your system
are you ready?
alex1301 said:
are you ready?
I've posted the boot.img right now
I hope there's nothing wrong with it... to repack the files, I put all the files from both of your zip files in one folder, then ran the repack-bootimg.pl script over boot.img-kernel as argument, is this correct?
yes man thanks. i will give you credits in the rom section.
do you know if i can use the updater script from aurora?
alex1301 said:
do you know if i can use the updater script from aurora?
I guess yes, the script, if I'm not wrong, only formats partitions and copies the ROM files to the appropriate locations and sets permissions... try using it, or post the ROM here and I'm sure someone can work it out if it doesn't work...
Cheers
Sent from my U8800
i will release it in a couple of minutes. so when the script is not working, someone other can fix it
have i also to replace the updater-binary?
I don't think that's needed, the binary I assume is the same for different ROMs, only the script changes... but I would to be sure good luck!
Sent from my U8800
i can't sign this bull**** apk
alex1301 said:
i can't sign this bull**** apk
What do you mean? I was hoping for a release today :-( good luck man...
Tomorrow I'll try posting from desire z... can you post a link for a guide? Thank you...
Sent from my U8800

Req: file - System/bin/debuggerd

Tried updating from 4.2.1 to 4.2.2.
But assert check failed returning above file in results. Somehow it's been modified. No idea when and how.
Anyone running 4.2.1, could you please provide me this file.
Thanks in anticipation.
Sent from my Nexus 7 using Tapatalk HD
gurudev32 said:
Tried updating from 4.2.1 to 4.2.2.
But assert check failed returning above file in results. Somehow it's been modified. No idea when and how.
Anyone running 4.2.1, could you please provide me this file.
Thanks in anticipation.
Sent from my Nexus 7 using Tapatalk HD
I have the exact same issue!
Here is the list of only apps with root access in my tab.
Carbon - App backup and restore, Solid explore, Stick mount, SuperSU, System tuner pro and Terminal Emulator.
Thought to seek out the culprit!
Sent from my Nexus 7 using Tapatalk HD
https://dl.dropbox.com/u/17326185/debuggerd
MD5: B59443115C4181F49A57C1290EE3225B
https://dl.dropbox.com/u/17326185/build.prop
MD5: D9D1855E0C90049DC410A4406B802259
Pulled this from the 4.2.1 factory image. I seem to have got past the debuggerd error message now (though I need to revert my build.prop entirely, apparently).
Included build.prop (not yet tested) from 4.2.1 image too.
Working for me and now running 4.2.2.
At your own risk, yadda yadda, not responsible for explosions or anything less terrible, blah blah.
FWIW, I had been using Stickmount and superSU.
PhoenixTank said:
Pulled this from the 4.2.1 factory image. I seem to have got past the debuggerd error message now (though I need to revert my build.prop entirely, apparently).
Included build.prop (not yet tested) from 4.2.1 image too.
Working for me and now running 4.2.2.
At your own risk, yadda yadda, not responsible for explosions or anything less terrible, blah blah.
FWIW, I had been using Stickmount and superSU.
Thanks. Now I'm on 4.2.2
In the future, if you want to pull arbitrary file(s) from Google N7 factory images, a useful skill set is to figure out how to use the "simg2img" utility and loopback mounts (Windows need not apply).
Those system.img files shipped by Google are "sparse ext4 images" - they can not be directly mounted as a loopback, but that's where the "simg2img" utility comes in.
The sequence goes like this:
- use simg2img to convert Google image file to regular ext4 image file
- loopback mount reg. image file
- grab whatever files you want (and check user/GRP ownership & modes)
It really is just that easy.
The "simg2img" utility is part of the android ext4_utils toolset. See this XDA thread from the Galaxy S forums for more details. (Yes the N7 system.img files from Google are also in this format.)
cheers
PhoenixTank said:
https://dl.dropbox.com/u/17326185/debuggerd
MD5: B59443115C4181F49A57C1290EE3225B
https://dl.dropbox.com/u/17326185/build.prop
MD5: D9D1855E0C90049DC410A4406B802259
Pulled this from the 4.2.1 factory image. I seem to have got past the debuggerd error message now (though I need to revert my build.prop entirely, apparently).
Included build.prop (not yet tested) from 4.2.1 image too.
Working for me and now running 4.2.2.
At your own risk, yadda yadda, not responsible for explosions or anything less terrible, blah blah.
FWIW, I had been using Stickmount and superSU.
How to make it? and i will lose all data? thanks
TheRejzo said:
How to make it? and i will lose all data? thanks
Big thanks.
Replacing the debuggerd file allowed twrp to load the 4.2.2 update.
Also interesting, other than titanium, the only other root app on this device is Stickmount.
Did not work for me ...
I have a N7 3G and the same message when trying to update. Replaced mine with the one from the download, no change, same error.
diba320 said:
Did not work for me ...
I have a N7 3G and the same message when trying to update. Replaced mine with the one from the download, no change, same error.
First of all, thanks a lot to PhoenixTank who provides me the solution. :good:
In fact to make it work, I had to change the permissions allowed on that file named "debuggerd", I checked what permissions were allowed on the original file and do the same on the copied one. I did it with ES explorer in root mod.
TheRejzo said:
How to make it? and i will lose all data? thanks
You'd need to backup and rename the existing debuggerd then move/copy the 4.2.1 debuggerd file to /system/bin/
Then match the permissions of the old debuggerd (I think it was 644, but I wouldn't swear by it).
The OTA zip should actually go through after that, or at least tell you about a new file you need to fix. You shouldn't lose any data, but you should probably clear cache and dalvik cache.
I did most of this via adb shell, but there are root file managers that can help. If you aren't confident about doing this and how it works, my posting was not really for you. Strongly suggest reading up until you feel confident before you start changing things around in the system partition.
diba320 said:
Did not work for me ...
I have a N7 3G and the same message when trying to update. Replaced mine with the one from the download, no change, same error.
Unfortunately the 3G version is different to the Wifi Nexus 7, and as you've found, the files will not work.
Since I posted, Google pulled the 4.2.1 factory images from the download site - I'm not really in a good position to help you here.
The 4.2.2 factory image might be of more use if you can't source the 3G specific files. i.e. flash the new factory image.
Had this same problem. Will try solution tomorrow morning. Probably will download the links rather than trying to extract them myself (though I may leave that for a later exercise).
Would like to note that I also use StickMount as well as SixAxis Controller, Wifi Key Recovery, AppSync and LMT Launch err.
Seems like stick mount is the common one though.
Sent from my Nexus 7 using xda app-developers app
PhoenixTank said:
https://dl.dropbox.com/u/17326185/debuggerd
MD5: B59443115C4181F49A57C1290EE3225B
https://dl.dropbox.com/u/17326185/build.prop
MD5: D9D1855E0C90049DC410A4406B802259
Pulled this from the 4.2.1 factory image.
bftb0 said:
In the future, if you want to pull arbitrary file(s) from Google N7 factory images, a useful skill set is to figure out how to use the "simg2img" utility and loopback mounts (Windows need not apply).
Those system.img files shipped by Google are "sparse ext4 images" - they can not be directly mounted as a loopback, but that's where the "simg2img" utility comes in.
The sequence goes like this:
- use simg2img to convert Google image file to regular ext4 image file
- loopback mount reg. image file
- grab whatever files you want (and check user/GRP ownership & modes)
It really is just that easy.
The "simg2img" utility is part of the android ext4_utils toolset. See this XDA thread from the Galaxy S forums for more details. (Yes the N7 system.img files from Google are also in this format.)
cheers
Thanks guys
Those 2 files worked.
I got past "Verifying current system" and am now on 4.2.2.
I wanted to try to get the files myself as an exercise but Google pulled the 4.2.1 images from their website.
What is weird... is that I noticed a /system/bin/debuggerd.bak file that I didn't make myself, don't know what did (though StickMount seems to be the current suspect).
The weird thing is that debuggerd and debuggerd.bak were exactly the same.
FunkyELF said:
I wanted to try to get the files myself as an exercise but Google pulled the 4.2.1 images from their website.
oldblue910 (OP of the OTA thread) has got you covered. Select the link on the rhs of the page as appropriate for your device (nakasi/nakasig)
cheers
I want to do this, but I can't find the system/bin folder, what root explorer apps do you guys use?
EDIT: Used Total Commander, copied the permissions from old file to new and voilà! It worked.
No need to download build prop.
Now I am on 4.2.2
EDIT 2: Now WiFi only says SAVED and not CONNECTED.
Just want to say THANK YOU!! I've been researching this error since Friday and finally found the solution here! And yes, I too have Stickmount!
Rody2k6 said:
I want to do this, but I can't find the system/bin folder, what root explorer apps do you guys use?
EDIT: Used Total Commander, copied the permissions from old file to new and voilà! It worked.
No need to download build prop.
Now I am on 4.2.2
EDIT 2: Now WiFi only says SAVED and not CONNECTED.
Can only recommend that you clear cache and dalvik cache. I have not experienced Wifi issues since the update.
To anyone I've helped, you are very welcome and I appreciate those thanks clicks too.
bftb0 said:
In the future, if you want to pull arbitrary file(s) from Google N7 factory images, a useful skill set is to figure out how to use the "simg2img" utility and loopback mounts (Windows need not apply).
Those system.img files shipped by Google are "sparse ext4 images" - they can not be directly mounted as a loopback, but that's where the "simg2img" utility comes in.
The sequence goes like this:
- use simg2img to convert Google image file to regular ext4 image file
- loopback mount reg. image file
- grab whatever files you want (and check user/GRP ownership & modes)
It really is just that easy.
The "simg2img" utility is part of the android ext4_utils toolset. See this XDA thread from the Galaxy S forums for more details. (Yes the N7 system.img files from Google are also in this format.)
cheers
can i do the reverse ? i.e. ext4 partition back to flashable img ?
that way it would be easier to root as I just need to dump a copy of su into it then flash.
And for Windows, just get oracle virtualbox(or your favorite VM, even virtual PC should work) and boot a copy of debian
chimpanzeexda said:
can i do the reverse ? i.e. ext4 partition back to flashable img ?
that way it would be easier to root as I just need to dump a copy of su into it then flash.
And for Windows, just get oracle virtualbox(or your favorite VM, even virtual PC should work) and boot a copy of debian
Yes. I did exactly the same thing, but for 4.2.1. Guess I need to repeat it now for 4.2.2. Note in this case "flashable" means the fastboot way (as with the Factory ROM flashes), not via custom recovery.
Uhh let's see - the script tool used for re-packing is ./mkuserimg.sh - see the links I provided above
I need some help... I'm rather noobie. Had issue with upgrading to 4.2.2 so copied the debuggerd and build.prop files over to the system/bin directory. Still failed to upgrade. Tried it again today and now the N7 will not boot up. I can see it's on but it just stops at a blank screen. I have stock 4.2.1 w/root. Stock bootloader. I'm thinking its refusing to boot because I forgot to change the file permissions on the debuggerd file but not sure how to try and fix it. Please advise...
UPDATE: Managed to flash the system partition for 4.2.2 so hoping I'm good to go. Asked this question in another post but is it necessary to update any of the other partitions?

MoFo Root for Moto X 2013 4.4.4 is Coming - Need Help Making Rooted system.img file

So the DT 4.4.4 has root now, but it does not turn off write protection. It is a different kind of root in that what it lets you do is flash a pre-rooted system image (system.img). So you have to make any mods to the image BEFORE you flash, which is not something your average joe or joette knows how to do.
But for me at least, the Moto X didn't need much modding, just Xposed with Gravity Box, Root Cloaker and Moto Tether.
I have a Dev Ed so I don't need this exploit but I did pull all of the system images from my rooted Dev Ed. The only thing I don't know how to do is to put those into a flashable image file. Does anyone here know how to do that?
I also have the TWRP ext4 system file if that helps.
JulesJam said:
So the DT 4.4.4 has root now, but it does not turn off write protection. It is a different kind of root in that what it lets you do is flash a pre-rooted system image. So you have to make any mods to the image BEFORE you flash, which is not something your average joe or joette knows how to do.
But for me at least, the Moto X didn't need much modding, just Xposed with Gravity Box, Root Cloaker and Moto Tether.
I have a Dev Ed so I don't need this exploit but I did pull all of the system images from my rooted Dev Ed. The only thing I don't know how to do is to put those into a flashable image file. Does anyone here know how to do that?
I also have the TWRP ext4 system file if that helps.
thats not a boot unlock and not a write protection disable ... its just ability to install rooted custom system img ....... i think
Javajohn said:
thats not a boot unlock and not a write protection disable
Yes I know what it is.
Javajohn said:
... its just ability to install rooted custom system img ....... i think
Yes that is what I said it is.
Do you know how I can use the files I have from the system dump and TWRP nandroid ext4 file to create a flashable rooted system.img? That is what I am asking.
JulesJam said:
...
Do you know how I can use the files I have from the system dump and TWRP nandroid ext4 file to create a flashable rooted system.img? That is what I am asking.
edit: I misunderstood the question. Of course a CWM/TWRP flashable .zip is not a fastboot flashable system.img...
I'll 'take a stab at this'. I've done it a few times... (I'm sure there is a better guide, but I didn't attempt to find it...) You asked - please don't blame (or hate) me if I help you brick your phone... If you only modify /system, you should be able to restore using CWM/TWRP.
First, find a CWM/TWRP flashable .zip to use its /META-INF/ directory as a template. It's best to use a .zip made for your model (so the system mount and format work), and if you can find one for your android version even better. (Do not use an OTA .zip for this template.)
This template will likely [at least] do the following in the "/META-INF/com/google/android/updater-script" script:
1) mount /system
2) format /system
3) copy /system directory from .zip (need to replace this directory)
4) create symlinks (might need work)
5) set permissions (probably needs work)
If you are only working on /system, then you should remove all superfluous sections (like flashing boot or the modem.)
So, first you need to prepare your new /system: In linux, take your dumped (or backup) /system and copy it to a new /system directory without symlinks. Now you have the new /system for your new flashable .zip
Then you need to modify the "updater-script" script and handle the creation of the symlinks. The easiest way to find this part of the script is locate a flashable zip (or OTA) that patches to your current model/android version. This will handle the bulk of the symlinks.
Next you need to handle the permissions in the "updater-script" script. The aforementioned .zip will also have the permissions scripted, but the root files may not be handled properly. You can find those script commands in a modern flashable zip with root 'baked in.'
Finally take your new /system and new "updater-script" and dump them in your template.... BACKUP (copy off phone) and test.
Good luck...
Ctrl-Freak said:
I'll 'take a stab at this'. I've done it a few times... (I'm sure there is a better guide, but I didn't attempt to find it...) You asked - please don't blame (or hate) me if I help you brick your phone... If you only modify /system, you should be able to restore using CWM/TWRP.
Yeah, I am not worrying about a brick as I can wipe my OS entirely and still get into bootloader and recovery so all is good.
Ctrl-Freak said:
First, find a CWM/TWRP flashable .zip to use its /META-INF/ directory as a template.
My TWRP nandroid of the rooted 4.4.4 system has a meta-info folder with 3 files in it - manifest.mf, cert.sf and cert.rsa.
Ctrl-Freak said:
/META-INF/com/google/android/updater-script
What is this?
Ctrl-Freak said:
So, first you need to prepare your new /system: In linux, take your dumped (or backup) /system and copy it to a new /system directory without symlinks. Now you have the new /system for your new flashable .zip
Guess I need to learn what a symlink is first, lol!
JulesJam said:
My TWRP nandroid of the rooted 4.4.4 system has a meta-info folder with 3 files in it - manifest.mf, cert.sf and cert.rsa. !
I did not mean your nandroid. Find a flashable zip (made for your device/version) by someone to flash a [custom] ROM. If it flashes a ROM for your device/version, it should be a good starting point.
I looked under xda -> droid turbo and this was the only ROM I found: http://forum.xda-developers.com/dro.../moto-maxx-xt1225-cm12-0-pre-release-t3060089 It says it is for a Moto Maxx xt1225, but again it is only a template, and it might be close.
/META-INF/com/google/android/updater-script is a text-based script that controls what/how CWM / TWRP flashes. AFAIK it is within all flashable zips.
Ctrl-Freak said:
I did not mean your nandroid. Find a flashable zip (made for your device/version) by someone to flash a [custom] ROM. If it flashes a ROM for your device/version, it should be a good starting point.
OK thanks, I am doing this for the Moto X 2013, not DT.
Ctrl-Freak said:
/META-INF/com/google/android/updater-script is a text-based script that controls what/how CWM / TWRP flashes. AFAIK it is within all flashable zips.
got it.
If this is successful, would there be a way to do it on the AT&T Moto 2013 running 4.4.4?
Sent from my XT1058 using XDA Free mobile app
hexbox117 said:
If this is successful, would there be a way to do it on the AT&T Moto 2013 running 4.4.4?
yes, if someone has a GSM Moto X Dev Ed. I don't.
JulesJam said:
yes, if someone has a GSM Moto X Dev Ed. I don't.
And would we be able to use Xposed?
Sent from my XT1058 using XDA Free mobile app
hexbox117 said:
And would we be able to use Xposed?
Someone has to create a pre-rooted system image with Xposed installed. I think you can then add modules as long as you only do soft reboots. If you do hard reboots, you lose the modules as write protection is still on.
But someone could make a pre-rooted system image with Xposed and the modules you want installed, then it would survive hard reboots AFAIK.
I am still working on how to make a pre-rooted flashable system image, lol!
JulesJam said:
Someone has to create a pre-rooted system image with Xposed installed. I think you can then add modules as long as you only do soft reboots. If you do hard reboots, you lose the modules as write protection is still on.
But someone could make a pre-rooted system image with Xposed and the modules you want installed, then it would survive hard reboots AFAIK.
I am still working on how to make a pre-rooted flashable system image, lol!
Interesting. I think you should take a look at this, it sounds like it could be better than what you're trying to accomplish.
http://forum.xda-developers.com/showthread.php?p=59702152
Sent from my XT1058 using XDA Free mobile app
hexbox117 said:
Interesting. I think you should take a look at this, it sounds like it could be better than what you're trying to accomplish.
http://forum.xda-developers.com/showthread.php?p=59702152
Sent from my XT1058 using XDA Free mobile app
That was discussed on the DT forums, there is a problem with that on 4.4.4.
For now, the only hope is maiko1's exploit on 4.4.4.
JulesJam said:
That was discussed on the DT forums, there is a problem with that on 4.4.4.
For now, the only hope is maiko1's exploit on 4.4.4.
I'm not familiar with what the exploit is. Do you think you could explain it or link me to his post?
Sent from my XT1058 using XDA Free mobile app
hexbox117 said:
I'm not familiar with what the exploit is. Do you think you could explain it or link me to his post?
http://forum.xda-developers.com/general/paid-software/mofo-root-turbo-t3064404
So far, it is for the DT only. I want to test it on the Moto X 2013 and then the Moto X 2014. But first, a pre-rooted flashable system.img needs to be created for the Moto X 2013.
JulesJam said:
OK thanks, I am doing this for the Moto X 2013, not DT.
If you modify the updater-script to remove the flashing of the kernel (below), then this .zip should be perfect for your testing pleasure:
http://forum.xda-developers.com/moto-x/development/rom-krypton-v1-2-v1-3b1-6-9-2014-t2716657 (download 4.4.4 Krypton v1.4.1 )
Remove this line:
Code:
package_extract_file("boot.img", "/dev/block/platform/msm_sdcc.1/by-name/boot");
Good testing...
Ctrl-Freak said:
If you modify the updater-script to remove the flashing of the kernel (below), then this .zip should be perfect for your testing pleasure:
http://forum.xda-developers.com/moto-x/development/rom-krypton-v1-2-v1-3b1-6-9-2014-t2716657 (download 4.4.4 Krypton v1.4.1 )
Remove this line:
Code:
package_extract_file("boot.img", "/dev/block/platform/msm_sdcc.1/by-name/boot");
Good testing...
Thanks, I took a look at the Eclipse Moto X, which is 4.4.4 kitkat based.
http://forum.xda-developers.com/moto-x/development/rom-eclipse-moto-x-v3-2-2-4-4-2-blur-t2521509
But now that I am thinking about it, do these custom ROMs need specific kernels or can you just flash the system w/o flashing the kernel? I guess I will try it and see what happens.
If someone will give me a detailed instruction how to flash a pre-rooted firmware with xposed installed I will try to do so on my AT&T XT1053
RabbitRu said:
If someone will give me a detailed instruction how to flash a pre-rooted firmware with xposed installed I will try to do so on my AT&T XT1053
You have to pay $20 to get set up with the exploit, but for now, the guy is only doing Droid Turbos. It is on the paid software forum.
I am trying to see if the exploit works on the Moto X. The dev needs to get back to me but first, I need to try to create a pre-rooted system image.
JulesJam said:
You have to pay $20 to get set up with the exploit, but for now, the guy is only doing Droid Turbos. It is on the paid software forum.
I am trying to see if the exploit works on the Moto X. The dev needs to get back to me but first, I need to try to create a pre-rooted system image.
I don't think it will work on the 2013 X... see -> http://forum.xda-developers.com/mot...e-protection-motowpnomo-t2551113/post59731261
And remember, Beaups had a hand in the root exploit and tool for the Droid Turbo along with Jcase... So if Beaups says no, it won't help the 2013 X with 4.4.4, it's a pretty sure bet that it won't.

I need certain partition dumps. #unlockthedroids

Okay, I am attempting to #unlockthedroid, but first I will need dumps from "/dev/block". What I'm trying to do is pull off @CrashXXL methods of rooting with Write Protect=1 but allowing the potential of unlocking bootloader with Sunshine. And I don't want it to be done randomly, so this is what we'll need to do in order to get that dump:
Requirements:
Rooted
Bootloader Unlocked
Firmware to be at 4-21. It's easier for me. Or if you have anything below, it'll probably work too.
Willing to spend time; this'll take a VERY long time. So you'll need to leave your phone overnight or whatever it takes for it to finish copying.
Instructions:
Turn on ADB in settings. (If done already, next step)
Get ADB and Fastboot on your computer. (If done already, next step)
Go to ADB directory
adb shell
dd if=/dev/block/mmcblk0p38 of=/(any directory)/(name your file anything - just remember the location combination)
When done, exit ADB
adb pull /(directory)/(file name)
Submit the file from the ADB folder to your own Google Drive, Mega, or Dropbox. Wherever you wish.
Files we currently need:
Droid Mini mmcblk0p5, 0p13, 0p33
Droid Ultra mmcblk0p5, 0p13, 0p33
Droid Maxx mmcblk0p5, 0p13, 0p33
There is also a certain block I don't know the mmc block number to, so when someone knows where partitions.mbn is then we'll be one step closer to getting my phone flashed and tested.
Thanks in advance!
P.S.: Staff, please move this somewhere correct if where it is right now it's not.
mr_verystock said:
Okay, I am attempting to #unlockthedroid, but first I will need dumps from "/dev/block". What I'm trying to do is pull off @CrashXXL methods of rooting with Write Protect=1 but allowing the potential of unlocking bootloader with Sunshine. And I don't want it to be done randomly, so this is what we'll need to do in order to get that dump:
Requirements:
Rooted
Bootloader Unlocked
Firmware to be at 4-21. It's easier for me. Or if you have anything below, it'll probably work too.
Willing to spend time; this'll take a VERY long time. So you'll need to leave your phone overnight or whatever it takes for it to finish copying.
Instructions:
Turn on ADB in settings. (If done already, next step)
Get ADB and Fastboot on your computer. (If done already, next step)
Go to ADB directory
When done, exit ADB
Submit the file from the ADB folder to your own Google Drive, Mega, or Dropbox. Wherever you wish.
Files we currently need:
Droid Mini mmcblk0p5, 0p13, 0p33
Droid Ultra mmcblk0p5, 0p13, 0p33
Droid Maxx mmcblk0p5, 0p13, 0p33
There is also a certain block I don't know the mmc block number to, so when someone knows where partitions.mbn is then we'll be one step closer to getting my phone flashed and tested.
Thanks in advance!
P.S.: Staff, please move this somewhere correct if where it is right now it's not.
various dumps https://yadi.sk/d/UnLW2G54f5Gbx
Thanks for the SU6-7 and 5-24 dumps! But just a question: can you dump for earlier versions? I can probably get it to run Sunshine and onto the bootloader unlock. Thanks though!
mr_verystock said:
Thanks for the SU6-7 and 5-24 dumps! But just a question: can you dump for earlier versions? I can probably get it to run Sunshine and onto the bootloader unlock. Thanks though!
I do not think that this would work, yes You can flash the 4-21 (all bootloader partitions + kernel + system) in the QLOAD mode, as You have access to the whole flash memory.
But the trusted boot chain will not let you boot earlier bootloader and system when a newer one was already there. Phone needs to be bootloader unlocked, to boot into any version.
It's worth trying. And plus, you never know what you can find if you try...
Question: is it possible to get a system dump from the following version - 4.2.2-SU1-15-3? Trying to unbrick my device and I need certain files from that version. Thanks. Been trying to do this for a while and no one seems to wanna help out.
mr_verystock said:
It's worth trying. And plus, you never know what you can find if you try...
I think You can get all you need from the original FXZ file.
You can get all the bootloader partitions from the motoboot.img, see my post here.
Additionally you can extract the system partition with the simg2img tool from here, but this would be the original, not the rooted image, so you would need to insert the su binary by yourself.
pizmak said:
I think You can get all you need from the original FXZ file.
You can get all the bootloader partitions from the motoboot.img, see my post here.
Additionally you can extract the system partition with the simg2img tool from here, but this would be the original, not the rooted image, so you would need to insert the su binary by yourself.
If this is the method it would've been done already... But no, motoboot.img cannot be extracted for all it's worth. It has aboot, gpt, and many other parts we need to create a complete set of unbricking and/or bootloader-necessary files.
happysteve11c said:
Question: is it possible to get a system dump from the following version - 4.2.2-SU1-15-3? Trying to unbrick my device and I need certain files from that version. Thanks. Been trying to do this for a while and no one seems to wanna help out.
Sigh... I wish, my friend. I know what you want, but nobody's willing to provide it because of. @CrashXXL is nice enough to provide the unbricking files but nobody is willing to dump for SU1.
mr_verystock said:
If this is the method it would've been done already... But no, motoboot.img cannot be extracted for all it's worth. It has aboot, gpt, and many other parts we need to create a complete set of unbricking and/or bootloader-necessary files.
It actually is as easy as this: the motoboot.img file is just the bootloader partition images put into one file plus a 1024-byte header. I have extracted these images and compared them with the dumps from my own phone and they are identical, so this motoboot is not compressed or encrypted.
If you still do not believe me, just check for yourself: dump for example the aboot partition from your phone and compare it with the motoboot image from the FXZ file for your firmware version. I think you will find the aboot image inside the motoboot image at some 512-byte aligned offset (you can get the offset from the header, see the description in my post linked above).
Edit: I have added my code I wrote to extract the motoboot image to this thread
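The comparison pizmak describes above, as an added example (not pizmak's extraction code and not part of the original thread): it looks for a raw partition dump inside a container at 512-byte aligned offsets past the 1024-byte header, without parsing the header, whose layout is not given on this page. The sample container, the `tz` name and all function names are constructed for illustration.

```python
import hashlib

HEADER_SIZE = 1024   # header length stated in the post
ALIGN = 512          # images start on 512-byte boundaries, per the post


def strip_padding(dump):
    """Drop trailing 0x00/0xFF fill: a partition is usually larger than the
    image flashed into it, so a raw dd dump carries padding after the image."""
    payload = dump.rstrip(b"\x00\xff")
    if not payload:
        raise ValueError("dump is empty or all padding; nothing to compare")
    return payload


def find_embedded(container, dump, align=ALIGN, skip=HEADER_SIZE):
    """Return every aligned offset (past the header) where the dump occurs."""
    payload = strip_padding(dump)
    hits = []
    pos = container.find(payload, skip)
    while pos != -1:
        if pos % align == 0:
            hits.append(pos)
        pos = container.find(payload, pos + 1)
    return hits


def report(container, name, dump):
    """One summary line per dump, with a digest for side-by-side comparison."""
    payload = strip_padding(dump)
    digest = hashlib.sha256(payload).hexdigest()[:16]
    offsets = find_embedded(container, dump)
    return f"{name}: {len(payload)} bytes, sha256 {digest}..., offsets {offsets}"


def build_sample():
    """Constructed test data, not a real motoboot.img."""
    def pad(buf):
        return buf + b"\x00" * (-len(buf) % ALIGN)
    aboot = bytes((i * 7 + 3) % 251 + 1 for i in range(700))
    tz = bytes((i * 13 + 5) % 251 + 1 for i in range(300))
    container = bytes(HEADER_SIZE) + pad(aboot) + pad(tz)
    container += bytes(100) + aboot                   # unaligned decoy copy
    dumps = {"aboot": aboot + bytes(4096 - 700),      # zero-filled partition
             "tz": tz + b"\xff" * (2048 - 300)}       # 0xFF-filled partition
    return container, dumps


if __name__ == "__main__":
    container, dumps = build_sample()
    for name, dump in dumps.items():
        print(report(container, name, dump))
```

An empty result means the dump and the container differ, for example because they come from different firmware versions.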
happysteve11c said:
Question: is it possible to get a system dump from the following version - 4.2.2-SU1-15-3? Trying to unbrick my device and I need certain files from that version. Thanks. Been trying to do this for a while and no one seems to wanna help out.
Not sure if you or anyone can do anything with it but I have a twrp backup of the boot and system from su1-15. Let me know if anyone wants it.
Sent from my XT1080 using XDA Free mobile app
@mr_verystock are you still working on this?
Yes, I'm working on it. But I'm dealing with school, along with patching up a broken computer which I am planning to use for my daily driver. So currently I'm installing Linux, to do a mbn split.
Oh, and I kinda messed up my Droid Maxx while doing this... Don't worry, it's a backup, I have a Droid Mini as main.
WOHOO!!!!!!!!!
Is it rooted?
What version of Android are you on?
Ya still working on this?
Hey man. I have a (probably useless) Droid Mini "dev" edition (on su6-7). Today, I will be receiving a droid maxx on 4.4 (idk if its 19.5.3 or 19.6.3 yet) and i will be unlocking it with sunshine. if you still need files/help, i can help. (when you do start work on this again). my sincere hope, aside from a bootloader unlock for the folks on 4.4.4) is that somehow this will help the Turbo folks. (mofo root is good, but bl unlock is better). let me know if and when i can help man.
Hey, yeah, please let me know if you need anything once you get started again. I have a droid ultra that I just bought off groupon for $80.
YYUSSSSSSSSSS!!!!!!!!!!!!!!!!!!!!! Thank you VERY MUCH!!!!
Great thing I have a Droid Mini. Can you dump cid.mbn for 4.4? That's the file I want to mess with currently after you unlocked.
me or him, broheim?
edit: duh, me. ill have it pulled and uploaded tomorrow around noon
Is it uploaded to a hosting site or not?
i never saw any reply dude. i can upload what i have...but my mini is on 4.4.4. i have a maxx on 4.4, but no dice on that build. i thought for a moment i was crazy. if it helps you to have either or both, i will pull them right now and throw up a link to my drive.
Hm... I can't do anything with the 4.4.4 one, I'll take the Maxx on 4.4 cid.mbn. Sorry if there was any confusion!!!

Possible way to self-sign Recovery and Rom's on S7, Just need some help.

Hey, I noticed while looking through the Stock Firmware AP file, that in meta-data/fota.zip there are .jar files that have to do with package signing. Only issue is that the zip is password protected. If someone has the Compute power and skills to decrypt a zip and look at the jar files and ****, maybe we could find a way to sign our own TWRP recoveries and roms. Just a thought, i'll post a link to the fota.zip file i was talking about in a bit if anyone wants to take a crack at it. (Google drive is taking forever to upload cause of AT&T's ****ty DSL speeds, sorry)
Download Link: htt*ps:/*/drive.*google*.com/file/*d/0B9tb-svjqaVD*b3Y0V0tXR3drSzA/vie*w?usp=sharing (Remove all *'s from link, stupid 10 post until you can post links limitation)
Thanks,
Lavavex
Did you see this thread?
https://forum.xda-developers.com/an...signing-boot-images-android-verified-t3600606
About fota.zip...
Did you hear about the plain-text attack?
In few Seconds... minutes done... no password required but you can unpack.
Best Regards
Yesterday I downloaded this fota.zip... and yes... same password as for instance from my prior test with:
SM-J330F and 1 more...
Here are the 3 keys to decrypt if somebody wants to try...
Code:
2b4d493c
6142b289
1b7024aa
Code:
Key0
Key1
Key2
I have used Advanced Archive Password Recovery from elcomsoft...
Best Regards
adfree said:
Yesterday I downloaded this fota.zip... and yes... same password as for instance from my prior test with:
SM-J330F and 1 more...
Here are the 3 keys to decrypt if somebody wants to try...
Code:
2b4d493c
6142b289
1b7024aa
Code:
Key0
Key1
Key2
I have used Advanced Archive Password Recovery from elcomsoft...
Best Regards
Which will allow unpacking of the above zip? I thought it needed a zip password.
osm0sis said:
Which will allow unpacking of the above zip? I thought it needed a zip password.
We never found the Password... but for Decryption you need only these 3 Keys...
They can be easily found in few Minutes... with the right Tool...
Code:
2b4d493c
6142b289
1b7024aa
Here Key0 Key1 Key2 for Samsungs fota.zip...
This is really no rocket science...
Simple read about plain-text attack...
You can see all filenames...
You can see all filesizes etc...
Many files are floating around the Internet... to create ZIP for attack...
Then result is in few Minutes possible... :angel:
Use these 3 Keys in Tool:
Code:
Advanced Archive Password Recovery
And try self to unpack...
Best Regards
Edit 1.
Screenshot added...
Then maybe more clear...
The trial version maybe has limitations... but to see it work... it is enough to play with the trial.
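Why three keys are enough without the password, as an added example that is not part of the original posts or of any tool named here: legacy ZIP encryption (ZipCrypto) uses the password only to initialise a 96-bit state, and every later byte is processed from that state alone. Function names and the demo password are constructed; the posted keys and password are copied from this thread, and whether they agree is printed, not asserted.

```python
"""ZipCrypto (legacy PKZIP encryption) key schedule and stream cipher."""

POSTED_KEYS = (0x2B4D493C, 0x6142B289, 0x1B7024AA)  # Key0..Key2 from the thread
POSTED_PASSWORD = b"fotatest1234"                    # password from the thread


def _make_table():
    # Standard reflected CRC-32 table (polynomial 0xEDB88320).
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _make_table()


def crc32_step(crc, byte):
    return (crc >> 8) ^ CRC_TABLE[(crc ^ byte) & 0xFF]


def update_keys(keys, byte):
    """Advance the three 32-bit keys by one plaintext (or password) byte."""
    k0, k1, k2 = keys
    k0 = crc32_step(k0, byte)
    k1 = (k1 + (k0 & 0xFF)) & 0xFFFFFFFF
    k1 = (k1 * 134775813 + 1) & 0xFFFFFFFF
    k2 = crc32_step(k2, k1 >> 24)
    return k0, k1, k2


def keys_from_password(password):
    """The only place the password is ever used."""
    keys = (0x12345678, 0x23456789, 0x34567890)
    for byte in password:
        keys = update_keys(keys, byte)
    return keys


def _keystream_byte(keys):
    t = (keys[2] & 0xFFFF) | 2
    return ((t * (t ^ 1)) >> 8) & 0xFF


def crypt(keys, data, decrypt):
    """Encrypt or decrypt `data` starting from a key state; no password needed.
    In a real archive the state first runs over a 12-byte encryption header."""
    out = bytearray()
    for byte in data:
        result = byte ^ _keystream_byte(keys)
        plain = result if decrypt else byte
        keys = update_keys(keys, plain)
        out.append(result)
    return bytes(out)


if __name__ == "__main__":
    keys = keys_from_password(b"constructed-demo-pw")   # constructed password
    secret = crypt(keys, b"constructed sample file contents", decrypt=False)
    # Decryption takes only the three integers, never the password itself.
    print(crypt(keys, secret, decrypt=True))
    print("posted password yields posted keys:",
          keys_from_password(POSTED_PASSWORD) == POSTED_KEYS)
```

Archives that need confidentiality should use the AES-based ZIP encryption instead, which does not share this key schedule.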
@adfree or to anyone who can answer.
Quick question, what are the legal limitations to what is going on here? I may or not have a file from inside the fota.zip, but will sharing it put me in the legal wrong? If it is within the legal boundaries, I'd be happy to upload it for anyone to take a look at, but I don't want to land on the wrong side of the law by doing so. Please do let me know, as this is the most exciting development we've had when it comes to bootloader unlocking in a while. Also, it seems as though we can't view the entirety of the contents of the fota.zip with the trial version of the zip extraction tool mentioned in this thread, so if someone with more knowledge about this can confirm we could unlock our bootloaders with the contents of the zip (based on what is currently known about this), I'd be happy to bite the bullet of paying for the premium version given we can do this within the boundaries of the law.
Thanks.
1.
Maybe you can answer your question yourself...
Samsung PROTECTED this ZIP with password.
2.
IMHO it is Kernel related...
Yeah I know... Boot is every irritating...
But it is not sboot.bin related...
3.
About decrypting all files...
There are floating around Command Line Tool...
Code:
pkcrack
Try to Google it...
I have not tried...
I am 1 click Button user...
Best Regards
zipdecrypt from the pkcrack package plus those 3 keys worked flawlessly. :good:
Edit: Crazy number of utilities in this zip, but no script to run them all, and a lot of references to external files. No smoking gun like a "sbootimg_signer" binary or anything to make their proprietary footer signature, and no Samsung signature files.
the password for that zip is fotatest1234
Correct. All fota zips passwords are fotatest1234
Drdra3 said:
Correct. All fota zips passwords are fotatest1234
@lavavex , @osm0sis
Yes it is, but now the question still to be answered is, do the tools within the fota.zip file actually work for legitimately repacking the boot/recovery image? Because in the fota.zip I checked from Android Pie's release it mentioned the "user/test-keys" and very much so had all of the compiled tools to actually patch a system and create an ADB flashable zip for stock recovery.
Could we technically make a signed sideloadable update.zip if the update package was created on the device itself? The scripts included, along with the updated compiled binary tools, really do seem to be the Toolkit we've been looking for but have overlooked. I haven't tested it out fully, but I'm still reading about how to proceed. It isn't just the S7 either. So are the tools customized to the device, the android branch, or the bootloader?
Delgoth said:
@lavavex , @osm0sis
Yes it is, but now the question still to be answered is, do the tools within the fota.zip file actually work for legitimately repacking the boot/recovery image? Because in the fota.zip I checked from Android Pie's release it mentioned the "user/test-keys" and very much so had all of the compiled tools to actually patch a system and create an ADB flashable zip for stock recovery.
Could we technically make a signed sideloadable update.zip if the update package was created on the device itself? The scripts included, along with the updated compiled binary tools, really do seem to be the Toolkit we've been looking for but have overlooked. I haven't tested it out fully, but I'm still reading about how to proceed. It isn't just the S7 either. So are the tools customized to the device, the android branch, or the bootloader?
Presumably what I previously said still stands:
osm0sis said:
Crazy number of utilities in this zip, but no script to run them all, and a lot of references to external files. No smoking gun like a "sbootimg_signer" binary or anything to make their proprietary footer signature, and no Samsung signature files.
