Hi,
I have been looking at 100% safe ways to get the 3-button combo to get to the recovery/download screen.
I started this by downloading as many i9000 firmwares that I could find, and comparing them with what was on my phone.
After reading many other threads, I have discovered that:
1) boot.bin is stored in /dev/bml1 and is the Primary Boot Loader.
2) Sbl.bin is stored in /dev/bml4 and is the Secondary Boot Loader.
I used the "md5sum" program found on most Linux systems to compare different "boot.bin" and "Sbl.bin".
e.g.
md5sum -b boot.bin
445491b1aec42fe35f3a2505c4e74295 *boot.bin
I have 2 i9000 phones; both are network unlocked.
One has Orange firmware on it.
Orange firmware (downloaded from web):
445491b1aec42fe35f3a2505c4e74295 *boot.bin (no efused)
5e4914239bcbf6c565129e5f1475b876 *Sbl.bin
Orange firmware (actually on the phone)
0ff5571ed2dd51385cb1a5303991a1aa *bml1.dump (boot.bin efused)
5e4914239bcbf6c565129e5f1475b876 *bml4.dump (Sbl.bin)
Eclair standard firmware (downloaded from the web)
445491b1aec42fe35f3a2505c4e74295 *boot.bin
754854f2e84400704b49cbe470cbd671 *Sbl.bin
Aries firmware (That comes with Froyo, and also the recommended 3-button fix firmware)
445491b1aec42fe35f3a2505c4e74295 *boot.bin
3b86755ff4b6568d48c3c8064767dba2 *Sbl.bin
So, to avoid bricking a phone, you have to have "compatible" Primary and Secondary boot loaders.
The boot loaders that come in standard firmware must be compatible.
What you can see from the above:
1) My Orange phone has efused firmware, 3-button does not work, and the only difference between that and the standard Orange firmware downloadable from the web is actually only the boot.bin.
Orange firmware (actually on the phone)
0ff5571ed2dd51385cb1a5303991a1aa *bml1.dump (boot.bin efused)
5e4914239bcbf6c565129e5f1475b876 *bml4.dump (Sbl.bin)
Orange firmware (downloaded from web):
445491b1aec42fe35f3a2505c4e74295 *boot.bin (no efused)
5e4914239bcbf6c565129e5f1475b876 *Sbl.bin
So, here I should be able to flash only the second boot.bin file (4454...) and not have to do the Sbl.bin file, and this should not brick my phone because the resulting boot.bin and Sbl.bin combination is a compatible combination.
2) All the boot.bin non-efused files are identical from both Eclair and Froyo.
So, once I have the
445491b1aec42fe35f3a2505c4e74295 *boot.bin
installed, I can then select any of the following Sbl.bin files and they will be compatible.
5e4914239bcbf6c565129e5f1475b876 *Sbl.bin
754854f2e84400704b49cbe470cbd671 *Sbl.bin
3b86755ff4b6568d48c3c8064767dba2 *Sbl.bin
I can use heimdall in Linux, so I can flash individual boot.bin files quite easily.
I have not done any flashing yet, but I think this safe, step-by-step approach to getting a 3-button combo working solution is probably a lot safer than some other approaches found on the web.
It has the added advantage that we can document known good combinations, and thus, we can be 100% sure it will not brick the phone.
We can also allow users to check the bml1 and bml4 images currently on their phone, and then they can immediately find out if it is a known good pair of boot-loaders, or some new, unknown pair, so they should be cautious as it might brick their phones.
I am waiting to get a micro USB connector so that I can make a jig with the 301K resistor, before I try to recover a 3-button combo working.
Can anyone see any flaws with my approach?
Why get complicated testing md5 in the first place these days? You can't flash one bootloader via stock recovery as an update.zip, since the package is not signed and 3e will not accept it. To get back to Recovery 2e or CWM you need to be rooted, and many are still afraid to do that.
Also, a JIG won't help you if you get the wrong/incompatible pair of bootloaders flashed.
I see that you are willing to use Heimdall for flashing the bootloaders, so my advice is to flash both in a single run, in a tested combination.
See my signature thread for details.
boot.bin tests
Hi,
I tried flashing the primary boot "boot.bin" with heimdall.
It turns out that there are two sections to boot.bin.
The first 16384 bytes are the IBL or Initial Boot Loader.
The rest (offset 16384 onwards) are the PBL or Primary Boot Loader.
heimdall seems to only really change the PBL and not the IBL.
After flashing boot.bin with heimdall, some of the first 16 bytes of /dev/block/bml1 had changed, none of the bytes from 0x10 to 0x3fff changed.
All the bytes from 0x4000 to the end of bml1 had changed.
Multiple attempts to flash the same boot.bin file gave identical results.
So, this might explain some bricked phones if there is somehow a mismatch between the IBL and the PBL.
Luckily, I do not have a bricked phone yet.
I will do some tests with Sbl.bin or the Secondary Boot Loader next.
I will also do some tests with Odin, to see if it can change the IBL.
I think some work needs to be done to heimdall to permit it to write the IBL as well as the PBL.
For those interested, on my phone, the current IBL is half the size of the factory Eclair boot.bin version. I have no idea why. Does anyone know?
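An added example (not midas5's code, nor heimdall's) of the two checks described in the posts above: it hashes bml1/bml4 dumps, looks the pair up in a table built from the MD5 sums quoted in the first post, splits bml1 into IBL and PBL at the 16384-byte boundary from the second post, and reports which byte ranges a flash actually changed. The dumps in it are constructed stand-ins for real reads of /dev/block/bml1 and bml4.

```python
import hashlib

IBL_SIZE = 0x4000  # per the post: first 16384 bytes of boot.bin/bml1 are the IBL, the rest the PBL

# (boot.bin md5, Sbl.bin md5) -> firmware the pair was observed in, taken from the post above
KNOWN_PAIRS = {
    ("445491b1aec42fe35f3a2505c4e74295", "5e4914239bcbf6c565129e5f1475b876"): "Orange (web download)",
    ("445491b1aec42fe35f3a2505c4e74295", "754854f2e84400704b49cbe470cbd671"): "Eclair standard",
    ("445491b1aec42fe35f3a2505c4e74295", "3b86755ff4b6568d48c3c8064767dba2"): "Aries (Froyo, 3-button fix)",
    ("0ff5571ed2dd51385cb1a5303991a1aa", "5e4914239bcbf6c565129e5f1475b876"): "Orange efused (boots, no 3-button combo)",
}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def split_boot_image(bml1: bytes):
    """Return (IBL, PBL) of a bml1 dump, split at the 16384-byte boundary the post describes."""
    if len(bml1) <= IBL_SIZE:
        raise ValueError("bml1 dump too short to contain a PBL")
    return bml1[:IBL_SIZE], bml1[IBL_SIZE:]

def classify_pair(boot_md5: str, sbl_md5: str):
    """Firmware name for a documented (boot.bin, Sbl.bin) pair, or None for an unknown pair."""
    return KNOWN_PAIRS.get((boot_md5.lower(), sbl_md5.lower()))

def check_device(bml1: bytes, bml4: bytes) -> dict:
    """Hash a phone's bml1/bml4 dumps and report whether they form a documented pair."""
    ibl, pbl = split_boot_image(bml1)
    boot_md5, sbl_md5 = md5_hex(bml1), md5_hex(bml4)
    name = classify_pair(boot_md5, sbl_md5)
    return {"boot_md5": boot_md5, "sbl_md5": sbl_md5, "ibl_md5": md5_hex(ibl),
            "pbl_md5": md5_hex(pbl), "known_pair": name is not None, "firmware": name}

def changed_ranges(before: bytes, after: bytes):
    """[start, end) byte ranges that differ between two dumps of the same partition."""
    if len(before) != len(after):
        raise ValueError("dumps differ in length")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(before)))
    return ranges

def ibl_body_untouched(ranges) -> bool:
    """True when nothing from 0x10 up to the IBL/PBL boundary changed (the post's heimdall result)."""
    return all(end <= 0x10 or start >= IBL_SIZE for start, end in ranges)

# Constructed 32 KiB stand-ins for bml1 dumps taken before and after a heimdall flash, plus a bml4 dump.
BEFORE_DUMP = bytes(range(256)) * 128
AFTER_DUMP = (bytes(b ^ 0xFF for b in BEFORE_DUMP[:0x10]) + BEFORE_DUMP[0x10:IBL_SIZE]
              + bytes(b ^ 0xFF for b in BEFORE_DUMP[IBL_SIZE:]))
SBL_DUMP = bytes(range(255, -1, -1)) * 64
```

On a real phone, feed `check_device` the contents of dumps taken with dd from /dev/block/bml1 and bml4, and `changed_ranges` the dumps from before and after a flash.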
Interesting, let me know if you're able to write the IBL with Odin.
My answer: flash Bell Canada firmware with bootloaders, and voila, you have download mode. I am also an Orange-branded Galaxy S user; I first flashed a Bell 2.1 with bootloaders via spoofed Kies, and since then I have had the 3-button working. Now I am rocking on Doc Rom.
OmerX,
Are you able to post a copy of your bml1 and bml4, together with the boot.bin and Sbl.bin that you used when flashing the phone?
I can then compare them with other boot loader images and get a better idea as to what is going on.
I saw this on another post.
Maybe this is protecting the IBL?
Does anyone have the source code of the IBL/PBL/SBL ?
The S5PC110 manual had some discouraging information:
2.1.2.4 Authentication for Secure JTAG Operation
S5PC110 supports Secure JTAG by using authentication signal of cortexA8 and coresight system.
To set the secure JTAG mode can program Secure JTAG key e-fuse bit.
• [79:0]: Secure JTAG hash key
• [80]: Secure JTAG lock on - 0: non-protection, 1: protected by Secure JTAG
Before authentication, the debugger should access Secure JTAG module mapped in debugger register map.
On the Orange I9000, bml5 and bml8 are empty. (All 0xff)
So, it seems that the SBL2 and the RECOVERY kernel do not exist.
This could explain why bricks occur. If the download fails, the PBL is supposed to try and recover using SBL2 and the RECOVERY kernel.
As these "recover" options do not exist, it could explain the much more likely bricks occurring on Orange phones.
I think the next safest step on my Orange I9000 is to flash with heimdall to SBL2 and the RECOVERY kernel. I can then copy the bml5 and bml8 off the phone and verify that the flash is complete using md5sum -b.
Once I am happy that the SBL2 and RECOVERY kernel are in place, I can then do the risky replacement of SBL1 (bml4)
But, as I do not have the source code to PBL and SBL, I cannot be sure of the algorithm the boot code uses to choose which step to do next. I.e., how does it choose SBL or SBL2? How does it choose bml7 or bml8 for the kernel?
Can anyone help here?
Again: flash Bell Canada 2.1 update 1 with bootloaders, and then you can flash anything you want with the 3 button working.
I'm looking through the contents of the Nexus factory images, and the OTAs available for download:
http://forum.xda-developers.com/nexus-4/general/ref-nexus-4-stock-ota-urls-t1971169
The factory images all seem pretty standard:
radio
bootloader
boot
recovery
system
userdata
However, looking at the KRT16S-from-JWR66Y OTA package, for example, it seems to contain updates to the misc, sbl2, sbl3, tz, rpm and aboot partitions.
So, if I only upgrade my phone with Factory Images, am I missing updates from the OTAs?
Nope, those exist in bootloader.img; there are no "missing" partitions in the factory image.
Cool, that's good to know.
Are there any guides for breaking up the bootloader into its constituent partitions? I've searched for "bootloader extract" and "bootloader deconstruct", but I haven't been able to find any threads.
As promised, the RAW or SERVICE FIRMWARE FOR ZE550KL
DISCLAIMER: I AM NOT RESPONSIBLE FOR ANY DAMAGE/HARM IF YOU FLASHED ANY FIRMWARES FROM THESE LINKS/POST BELOW.
BACKUP YOUR PHONE BEFORE FLASHING ANY FIRMWARE, EVEN IF THE FIRMWARE IS FROM ASUS!!!
BACKUP SCRIPT (PARTITION DUMP UNLOCK) is here:
http://forum.xda-developers.com/zen...de-unlock-bootloader-asus-unlock-app-t3405850
Changes from Android OS revisions, especially concerning encryption, efs, modems, wifi, gps could render corruption in partitions leading to phone failure. Backup always and do it often.
Note that this firmware is different from the usual firmware by Asus. It is used for servicing the phone; it restores ALL partitions from factory EXCEPT for IMEI, S/NO, Mac address etc. Google account lock is ACTIVE in this firmware.
The firmware is used by Asus Flash Tool to restore your phone partitions. If by any chance, the restore is not successful using the tool, just unzip the file and flash manually (flashall_AFT.cmd)
You need this firmware if your partitions are totally corrupted (example if you cannot go into fastboot mode). Most of the time, bricked phones can be restored by flashing Asus stock recovery (recovery.img), then stock asus firmware. If that doesn't solve the bricking, then you will need the raw/service firmware.
The links are rare, hard to find, download before it is gone.
[firmware27]WW_ZE550KL_1.17.40.123 ... 04185904-secured-releaseAFT_QC.zip
https://drive.google.com/file/d/0B43Ue6xY9MmdOGxXZ2RRQUJrOWs/view
[firmware27]CSCimage_WW-ZE550KL-ZE600KL-1.21.2.230-fac-eng-20151116-signedAFT_QC.zip
https://drive.google.com/file/d/0B43Ue6xY9MmdY1E3ZGlIaEVOVjA/view
WW_ZE550KL_21.40.1220.1794_rel_user-20160722041335-secured-releaseAFT
Cannot find the link anymore; it could be from some GSM/Russian forums.
ORIGINAL SOURCE: got raw/service firmware for other zenfones as well
https://firmware27.blogspot.my/p/update-raw-firmware-asus.html
https://firmware27.blogspot.my/2014/12/file-raw-asus-zenfone.html
@pokipokipxorn
Can you restore the Imei?
I used the fastboot erase modemst1 and modemst2 command and lost my IMEI.
Asus phones are crappy, no one ever shared the qcn files on the internet.
You can still recover the IMEI!!!! Do not erase anything anymore!!! because the modemst1/modemst2 backup is stored on fsg & a few other files.
Backup everything now! Using QPST, EFS Professional etc.
Install stock recovery, downgrade to the lowest Asus stock ROM, install as new.
http://gsmsociety.com/showthread.php?t=4329
backup script here
http://forum.xda-developers.com/zen...de-unlock-bootloader-asus-unlock-app-t3405850
WW_ZE550KL_21.40.1220.2179_rel_user-20170803162728-secured-releaseAFT firmware link:
Firmware:- https://cloud.mail.ru/public/J94j/PKn2RWbwX
Tool:- https://cloud.mail.ru/public/ASP8/Md2VwfBX3
I have reasons to suspect one or more partitions on my 6p might be corrupted. It'd be really helpful if you could provide the md5 checksums of aboot hyp rpm sbl1 tz modem vendor partitions on your 6p.
These partitions are not device-specific, and it'd help me to confirm if mine are corrupted. I'm currently on latest bootloader (03.68), radio (03.81), and vendor (N2G48B). Thank you!
To produce the checksums (your device needs to be rooted):
Code:
adb shell
su
cd /dev/block/platform/soc.0/f9824900.sdhci/by-name
md5sum aboot hyp rpm sbl1 tz modem vendor
Sample output:
Code:
40a124cf7639f2df76177caa928dcab8 aboot
ad078da30c62fa381d3ff4c4f2c777f2 hyp
dc89c49770ce82bd0f7c386502aeca65 rpm
616be46fc4194d7514ef7fb94df03cd5 sbl1
907f3159c87d7e90535cc6d8787678b8 tz
55593fba034c00fa9eafb110e5f240e1 modem
5f94e55262a83775ff0b5c8816d96e53 vendor
AncientDeveloper said:
I have reasons to suspect one or more partitions on my 6p might be corrupted. It'd be really helpful if you could provide the md5 checksums of aboot hyp rpm sbl1 tz modem vendor partitions on your 6p.
These partitions are not device-specific, and it'd help me to confirm if mine are corrupted. I'm currently on latest bootloader (03.68), radio (03.81), and vendor (N2G48B). Thank you!
dad3ecd226eb518d9b45a1613b0eedbf aboot
5d8af3eebdcf78916a2f38057d88531f hyp
efd09b18ba26d419228fb8d784223e84 rpm
1ddbbe3dbe4056595b4536237b3f2bd5 sbl1
31df78276a97b9e82b443ec83fb96c71 tz
18c647f962e81227439fba0130222b04 modem
43c5d48654c8f3a3f82c96d022610f67 vendor
DEVILOPS 007 said:
dad3ecd226eb518d9b45a1613b0eedbf aboot
5d8af3eebdcf78916a2f38057d88531f hyp
efd09b18ba26d419228fb8d784223e84 rpm
1ddbbe3dbe4056595b4536237b3f2bd5 sbl1
31df78276a97b9e82b443ec83fb96c71 tz
18c647f962e81227439fba0130222b04 modem
43c5d48654c8f3a3f82c96d022610f67 vendor
Thank you. Are you also on latest bootloader/radio/vendor?
AncientDeveloper said:
Thank you. Are you also on latest bootloader/radio/vendor?
I'm on the latest vendor but only just noticed the radio and bootloader updated to 3.84 and 3.73. I'm at work currently, but once I get home I'll fastboot flash them and get you an updated output.
DEVILOPS 007 said:
I'm on the latest vendor but only just noticed the radio and bootloader updated to 3.84 and 3.73. I'm at work currently but once I get I home I'll fastboot flash them and get you an updated output.
I just double checked the latest N2G48B factory image; the bootloader is still at 3.68, and radio is also still at 3.81. Are you on Nougat or O?
AncientDeveloper said:
I just double checked the latest N2G48B factory image; the bootloader is still at 3.68, and radio is also still at 3.81. Are you on Nougat or O?
Hey there I'm back. Sorry I've been really really busy. The most recent version of radio and bootloader is what I said. Type angler on androidfilehost and you'll see them. Also, I am on nougat. Here's my output from the newest available radio and bootloader.
10bf3cbfbedac4ba96c95b10b5920690 aboot
430c00ce1533d1ac4be7177ba99eac5f hyp
44653559a47bbe7e31979315c4f8a9eb rpm
2037924490d44cc5bd6bb437b22034bf sbl1
778cd737c4cd16950314b1ee3c9c774d tz
f5e413a7a13e3ac46984c7de763e25df modem
a6f4d11c37e34fe6678738a54aeb5434 vendor
Hello,
My Asus ze550kl m8916 (Snapdragon 410, 2GB/16GB model) is hard bricked.
It is still in locked state
However, I have used QFIL using Test Point and managed to reach Fastboot Mode
When I flashed TWRP it always Reboot
I can flash all the firmwares files even in locked state using
Emmc RAW tool
But I need the working dump flash file.
Can anyone help me?
Download the EMMC Raw Tool
Boot into Download mode (Q9006 mode) and dump the firmware only.
this include
1. ASDF, SEC, sbl1, hyp, tz, aboot, adf, Asusfw, asusgpt1, 2, Asuskey, asuskey2, 3, 4, 5, boot, cache, config, ddr, devinfo, factory, fsc, gaps#1, keystore, mbr-gpt-other, misc, modem, modemst1, modemst2, oem, persist, persistent, recovery, splash, ssd,
You can dump all these files using emmc raw tool while in Q9006 Mode..
To be in q9006 mode just flash the wrong emmc_aboot to your phone
you'll be in q9006 mode
to get back on track install the correct emmc_aboot.mbn file again
OR
you can dump your Firmware using root
adb shell command
dd if=/dev/........ of=/sdcard
If you need help with how to dump these files to your memory card or internal storage, reply and I'll help you dump them.
Please send me the files after you dump them.
Contact me on WhatsApp +918974796939 if you are willing to help me.
Let's learn things together.
Can anyone help me with this?
Thanks a lot in advance
Just take it to a service centre; I think you have a flash lock on your partition (just assuming). I have a custom ROM, so if you want I can send you the dump files.
Hello.
What are the test points you connected?