[DISCUSSION] [MODEM/RADIO] NON-HLOS Reverse Engineering - ONE General

Hey Guys,
I've been doing some research and I've found quite a few interesting things with the modem for the OnePlus One. Firstly, I've found that the NON-HLOS.bin is actually a FAT file system that can be mounted; inside I've found the following files.
==========================================
-rwxr-xr-x. 1 root root 500 Apr 2 2015 adsp.b00
-rwxr-xr-x. 1 root root 488 Apr 2 2015 adsp.b01
-rwxr-xr-x. 1 root root 1 Apr 2 2015 adsp.b02
-rwxr-xr-x. 1 root root 5097872 Apr 2 2015 adsp.b03
-rwxr-xr-x. 1 root root 1332541 Apr 2 2015 adsp.b04
-rwxr-xr-x. 1 root root 1099162 Apr 2 2015 adsp.b05
-rwxr-xr-x. 1 root root 680 Apr 2 2015 adsp.b06
-rwxr-xr-x. 1 root root 936550 Apr 2 2015 adsp.b07
-rwxr-xr-x. 1 root root 120 Apr 2 2015 adsp.b08
-rwxr-xr-x. 1 root root 698928 Apr 2 2015 adsp.b09
-rwxr-xr-x. 1 root root 201008 Apr 2 2015 adsp.b10
-rwxr-xr-x. 1 root root 11700 Apr 2 2015 adsp.b11
-rwxr-xr-x. 1 root root 6105 Apr 2 2015 adsp.b12
-rwxr-xr-x. 1 root root 988 Apr 2 2015 adsp.mdt
-rwxr-xr-x. 1 root root 180 Apr 2 2015 cmnlib.b00
-rwxr-xr-x. 1 root root 168 Apr 2 2015 cmnlib.b01
-rwxr-xr-x. 1 root root 111720 Apr 2 2015 cmnlib.b02
-rwxr-xr-x. 1 root root 4416 Apr 2 2015 cmnlib.b03
-rwxr-xr-x. 1 root root 348 Apr 2 2015 cmnlib.mdt
-rwxr-xr-x. 1 root root 180 Apr 2 2015 isdbtmm.b00
-rwxr-xr-x. 1 root root 168 Apr 2 2015 isdbtmm.b01
-rwxr-xr-x. 1 root root 24692 Apr 2 2015 isdbtmm.b02
-rwxr-xr-x. 1 root root 104 Apr 2 2015 isdbtmm.b03
-rwxr-xr-x. 1 root root 348 Apr 2 2015 isdbtmm.mdt
-rwxr-xr-x. 1 root root 180 Apr 2 2015 keymaste.b00
-rwxr-xr-x. 1 root root 168 Apr 2 2015 keymaste.b01
-rwxr-xr-x. 1 root root 18324 Apr 2 2015 keymaste.b02
-rwxr-xr-x. 1 root root 208 Apr 2 2015 keymaste.b03
-rwxr-xr-x. 1 root root 348 Apr 2 2015 keymaste.mdt
-rwxr-xr-x. 1 root root 295824 Apr 2 2015 mba.b00
-rwxr-xr-x. 1 root root 84 Apr 2 2015 mba.mdt
-rwxr-xr-x. 1 root root 180 Apr 2 2015 mc_v2.b00
-rwxr-xr-x. 1 root root 168 Apr 2 2015 mc_v2.b01
-rwxr-xr-x. 1 root root 131072 Apr 2 2015 mc_v2.b02
-rwxr-xr-x. 1 root root 12 Apr 2 2015 mc_v2.b03
-rwxr-xr-x. 1 root root 348 Apr 2 2015 mc_v2.mdt
-rwxr-xr-x. 1 root root 916 Apr 2 2015 modem.b00
-rwxr-xr-x. 1 root root 904 Apr 2 2015 modem.b01
-rwxr-xr-x. 1 root root 4052 Apr 2 2015 modem.b02
-rwxr-xr-x. 1 root root 81920 Apr 2 2015 modem.b03
-rwxr-xr-x. 1 root root 177176 Apr 2 2015 modem.b06
-rwxr-xr-x. 1 root root 49500 Apr 2 2015 modem.b08
-rwxr-xr-x. 1 root root 48420 Apr 2 2015 modem.b09
-rwxr-xr-x. 1 root root 103384 Apr 2 2015 modem.b11
-rwxr-xr-x. 1 root root 110820 Apr 2 2015 modem.b12
-rwxr-xr-x. 1 root root 1590612 Apr 2 2015 modem.b13
-rwxr-xr-x. 1 root root 20748656 Apr 2 2015 modem.b14
-rwxr-xr-x. 1 root root 663520 Apr 2 2015 modem.b15
-rwxr-xr-x. 1 root root 139264 Apr 2 2015 modem.b16
-rwxr-xr-x. 1 root root 5376 Apr 2 2015 modem.b17
-rwxr-xr-x. 1 root root 8055360 Apr 2 2015 modem.b18
-rwxr-xr-x. 1 root root 3457568 Apr 2 2015 modem.b19
-rwxr-xr-x. 1 root root 73968 Apr 2 2015 modem.b22
-rwxr-xr-x. 1 root root 417451 Apr 2 2015 modem.b23
-rwxr-xr-x. 1 root root 5911268 Apr 2 2015 modem.b24
-rwxr-xr-x. 1 root root 953536 Apr 2 2015 modem.b25
-rwxr-xr-x. 1 root root 1820 Apr 2 2015 modem.mdt
-rwxr-xr-x. 1 root root 180 Apr 2 2015 playread.b00
-rwxr-xr-x. 1 root root 168 Apr 2 2015 playread.b01
-rwxr-xr-x. 1 root root 134244 Apr 2 2015 playread.b02
-rwxr-xr-x. 1 root root 608 Apr 2 2015 playread.b03
-rwxr-xr-x. 1 root root 348 Apr 2 2015 playread.mdt
-rwxr-xr-x. 1 root root 180 Apr 2 2015 tqs.b00
-rwxr-xr-x. 1 root root 168 Apr 2 2015 tqs.b01
-rwxr-xr-x. 1 root root 786132 Apr 2 2015 tqs.b02
-rwxr-xr-x. 1 root root 159744 Apr 2 2015 tqs.b03
-rwxr-xr-x. 1 root root 348 Apr 2 2015 tqs.mdt
-rwxr-xr-x. 1 root root 372 Apr 2 2015 wcnss.b00
-rwxr-xr-x. 1 root root 360 Apr 2 2015 wcnss.b01
-rwxr-xr-x. 1 root root 12596 Apr 2 2015 wcnss.b02
-rwxr-xr-x. 1 root root 61440 Apr 2 2015 wcnss.b04
-rwxr-xr-x. 1 root root 3084380 Apr 2 2015 wcnss.b06
-rwxr-xr-x. 1 root root 56 Apr 2 2015 wcnss.b07
-rwxr-xr-x. 1 root root 786432 Apr 2 2015 wcnss.b08
-rwxr-xr-x. 1 root root 41468 Apr 2 2015 wcnss.b09
-rwxr-xr-x. 1 root root 732 Apr 2 2015 wcnss.mdt
-rwxr-xr-x. 1 root root 180 Apr 2 2015 widevine.b00
-rwxr-xr-x. 1 root root 168 Apr 2 2015 widevine.b01
-rwxr-xr-x. 1 root root 156596 Apr 2 2015 widevine.b02
-rwxr-xr-x. 1 root root 908 Apr 2 2015 widevine.b03
-rwxr-xr-x. 1 root root 348 Apr 2 2015 widevine.mdt
==========================================
Running file on all of these files I receive:
adsp.b00: ELF 32-bit LSB executable, QUALCOMM DSP6, version 1 (SYSV), dynamically linked, interpreter *empty*, stripped
adsp.b01: data
adsp.b02: very short file (no magic)
adsp.b03: data
adsp.b04: data
adsp.b05: data
adsp.b06: PDP-11 UNIX/RT ldp
adsp.b07: data
adsp.b08: data
adsp.b09: data
adsp.b10: data
adsp.b11: data
adsp.b12: data
adsp.mdt: ELF 32-bit LSB executable, QUALCOMM DSP6, version 1 (SYSV), dynamically linked, interpreter *empty*, stripped
cmnlib.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
cmnlib.b01: data
cmnlib.b02: GeoSwath RDF
cmnlib.b03: data
cmnlib.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
isdbtmm.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
isdbtmm.b01: data
isdbtmm.b02: data
isdbtmm.b03: data
isdbtmm.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
keymaste.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
keymaste.b01: data
keymaste.b02: data
keymaste.b03: data
keymaste.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
mba.b00: data
mba.mdt: ELF 32-bit LSB executable, QUALCOMM DSP6, version 1 (SYSV), statically linked, corrupted section header size
mc_v2.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
mc_v2.b01: data
mc_v2.b02: data
mc_v2.b03: ASCII text, with no line terminators
mc_v2.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
modem.b00: ELF 32-bit LSB executable, QUALCOMM DSP6, version 1 (SYSV), statically linked, stripped
modem.b01: data
modem.b02: data
modem.b03: data
modem.b06: data
modem.b08: data
modem.b09: data
modem.b11: data
modem.b12: data
modem.b13: data
modem.b14: data
modem.b15: data
modem.b16: data
modem.b17: data
modem.b18: data
modem.b19: data
modem.b22: MMDF mailbox
modem.b23: data
modem.b24: data
modem.b25: data
modem.mdt: ELF 32-bit LSB executable, QUALCOMM DSP6, version 1 (SYSV), statically linked, stripped
playread.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
playread.b01: data
playread.b02: data
playread.b03: data
playread.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
tqs.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
tqs.b01: data
tqs.b02: data
tqs.b03: data
tqs.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
wcnss.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
wcnss.b01: data
wcnss.b02: data
wcnss.b04: data
wcnss.b06: data
wcnss.b07: data
wcnss.b08: data
wcnss.b09: data
wcnss.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
widevine.b00: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
widevine.b01: data
widevine.b02: data
widevine.b03: data
widevine.mdt: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
==========================================
Now, I've been trying to discover how Qualcomm enforces things like NV write protection, so as an example I've used the IMEI number, as it's write protected.
Putting the phone into Qualcomm's DIAG mode and launching RF NV Manager, when I try and edit the IMEI Number and click "Write NV" I receive the following:
So from the above image I've found the name of the IMEI property is: NV_UE_IMEI_I
Running strings through the mounted NON-HLOS directory came up with the following:
----------------
modem.b18: Read NV_UE_IMEI_I (%d) to NV failed.
modem.b18: Write NV_UE_IMEI_I[0] (%d) to NV failed.
==========================================
Hmm, okay, modem.b18 looks to have strings referencing such an action. Looking at the header of this file I receive the following:
==========================================
00000000 24 00 00 00 00 00 00 00 41 4d 53 53 00 00 00 00 |$.......AMSS....|
==========================================
After some googling it looks like AMSS stands for Advanced Mobile Subscriber Software according to: http://www.acronymfinder.com/Advanced-Mobile-Subscriber-Software-(Qualcomm)-(AMSS).html
So this "modem.b18" file looks to be pretty interesting in terms of NV protection, so I ran binwalk on the file and came up with the following:
==========================================
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
15276 0x3BAC Unix path: /local/mnt/workspace/CRMBuilds/MPSS.DI.3.0.c6-00194-M8974AAAAANAZM-1_20140922_114854/b/modem_proc/core/mproc/smd/src/smd_dsm_mem
32076 0x7D4C Unix path: /node/core/cpu/latency/usec
40808 0x9F68 CRC32 polynomial table, little endian
44904 0xAF68 CRC32 polynomial table, big endian
118861 0x1D04D Unix path: /nv/item_files/modem/nas/roaming_policy_back
121432 0x1DA58 Unix path: /nvm/alpha/item_file/time/%s
124252 0x1E55C gzip compressed data, NULL date (1970-01-01 00:00:00)
127283 0x1F133 POSIX tar archive, owner user name: "_size", owner group name: "c"
269101 0x41B2D Neighborly text, "NeighborBmsk | wfwTcCfgInfo.shadowCellInShoBmsk) == 0) failed"
539266 0x83A82 Neighborly text, "neighbor cell CGI request(SIB1 decode)). max_num_rb_ca0=%d max_num_rb_ca1=%d num_rb_ca1=%d "
552073 0x86C89 Unix path: /modem/fw/lte/meas_ttl_ftl/src/lte_LL1_meas_ttl_ftl_main.c %u
553105 0x87091 Unix path: /modem/fw/lte/meas_ttl_ftl/src/lte_LL1_meas_ttl_ftl_ncell.c %u
928051 0xE2933 Certificate in DER format (x509 v3), header length: 4, sequence length: 2360
928298 0xE2A2A Certificate in DER format (x509 v3), header length: 4, sequence length: 2410
928324 0xE2A44 Certificate in DER format (x509 v3), header length: 4, sequence length: 2465
928402 0xE2A92 Certificate in DER format (x509 v3), header length: 4, sequence length: 2516
1618849 0x18B3A1 Unix path: /nv/item_files/conf/mcpm.conf
1619065 0x18B479 Unix path: /nv/item_files/modem/utils/mcpm/mcpm_nv_pwrdbg_cfg
1619159 0x18B4D7 Unix path: /nv/item_files/modem/utils/mcpm/mcpm_nv_cfg_src
1624136 0x18C848 Unix path: /node/mcpm/vdd/mss
1642544 0x191030 Unix path: /nv/item_files/modem/utils/mcpm/ut_results.txt
1656085 0x194515 Unix path: /nv/item_files/CoreCpu/CoreAll/Startup/Algorithm.txt datalen %d
1660936 0x195808 Unix path: /nv/item_files/modem/utils/mcpm/mcpm_ut_efs_scenario.txt
1674069 0x198B55 Unix path: /nv/item_files/modem/utils/a2/a2_pc
1679019 0x199EAB Unix path: /nv/item_files/conf/lte_a2.conf
1682872 0x19ADB8 Unix path: /nv/item_files/modem/utils/a2/enable_zuc_debug
1684052 0x19B254 Unix path: /nv/item_files/modem/utils/cfm/cfm_cpu_monitor_cfg
2086962 0x1FD832 Unix path: /nv/item_files/modem/nas/csg_support_configuration
2103480 0x2018B8 CRC32 polynomial table, little endian
2136200 0x209888 Unix path: /nv/item_files/modem/mmode/sms_only
2139448 0x20A538 Unix path: /nv/item_files/modem/mmode/sms_only
2139484 0x20A55C Unix path: /nv/item_files/modem/mmode/ue_usage_setting
2139528 0x20A588 Unix path: /nv/item_files/modem/mmode/voice_domain_pref
2139573 0x20A5B5 Unix path: /nv/item_files/modem/mmode/sms_domain_pref
2139616 0x20A5E0 Unix path: /nv/item_files/modem/mmode/lte_disable_duration
2139664 0x20A610 Unix path: /nv/item_files/modem/mmode/n_min_MO_call_soft_retry
2139716 0x20A644 Unix path: /nv/item_files/modem/mmode/n_maxSIB8
2139753 0x20A669 Unix path: /nv/item_files/modem/mmode/sms_mandatory
2139794 0x20A692 Unix path: /nv/item_files/modem/mmode/lte_bandpref
2139834 0x20A6BA Unix path: /nv/item_files/modem/mmode/tds_bandpref
2139874 0x20A6E2 Unix path: /nv/item_files/modem/mmode/device_mode
2139913 0x20A709 Unix path: /nv/item_files/mcs/mtf/cp_mutex_tracking_enabled
2139962 0x20A73A Unix path: /nv/item_files/modem/mmode/sd/loc_base_bsr_mcc_list
2140014 0x20A76E Unix path: /nv/item_files/modem/mmode/supplement_service_domain_pref
2140072 0x20A7A8 Unix path: /nv/item_files/modem/mmode/sms_over_s102
2140113 0x20A7D1 Unix path: /nv/item_files/modem/mmode/operator_name
2140154 0x20A7FA Unix path: /nv/item_files/modem/mmode/qmss_enabled
2140194 0x20A822 Unix path: /nv/item_files/modem/mmode/sd/1xcsfb_ecbm_status
2140243 0x20A853 Unix path: /nv/item_files/modem/mmode/get_net_auto_mode
2140288 0x20A880 Unix path: /nv/item_files/modem/mmode/custom_emerg_info
2140333 0x20A8AD Unix path: /nv/item_files/modem/mmode/manufacturer_name
2140378 0x20A8DA Unix path: /nv/item_files/modem/mmode/manufacturer_code
2140423 0x20A907 Unix path: /nv/item_files/modem/mmode/device_model
2140463 0x20A92F Unix path: /nv/item_files/modem/mmode/sw_version
2140501 0x20A955 Unix path: /nv/item_files/modem/mmode/cu_imsi
2140536 0x20A978 Unix path: /nv/item_files/modem/mmode/cmcc_imsi
2140573 0x20A99D Unix path: /nv/item_files/modem/mmode/imsi_mcc
2140609 0x20A9C1 Unix path: /nv/item_files/modem/mmode/imsi_min1
2140646 0x20A9E6 Unix path: /nv/item_files/modem/mmode/imsi_min2
2140683 0x20AA0B Unix path: /nv/item_files/modem/mmode/imsi_11_12
2140721 0x20AA31 Unix path: /nv/item_files/modem/mmode/reg_status
2140759 0x20AA57 Unix path: /nv/item_files/modem/mmode/mid_call_srvcc_info
2140806 0x20AA86 Unix path: /nv/item_files/modem/mmode/lte_do_irat_duration
2140854 0x20AAB6 Unix path: /nv/item_files/modem/mmode/volte_sr_control
2140898 0x20AAE2 Unix path: /nv/item_files/modem/mmode/extend_lte_disable_duration
2140953 0x20AB19 Unix path: /nv/item_files/modem/mmode/sd/manual_search_in_wrlf
2141005 0x20AB4D Unix path: /nv/item_files/modem/mmode/sd/1xcsfb_call_end_opt
2141055 0x20AB7F Unix path: /nv/item_files/modem/mmode/sd/buffer_int_srv_lost
2141105 0x20ABB1 Unix path: /nv/item_files/modem/mmode/scan_scope_rule
2141205 0x20AC15 Unix path: /nv/item_files/modem/mmode
2162755 0x210043 Neighborly text, "neighboring_cell_infoterface"
2163056 0x210170 Unix path: /nv/item_files/modem/mmode/tui/csg_search_sel_config
2172948 0x212814 Unix path: /nv/item_files/modem/mmode/qmi/tib_timer
2280344 0x22CB98 Unix path: /nv/item_files/modem/mmode/sd
2280645 0x22CCC5 Unix path: /nv/item_files/modem/mmode/sd/sdssscr_timers
2296124 0x23093C Unix path: /nv/item_files/modem/nas/exclude_old_lai_type_field
2302296 0x232158 Unix path: /nvm/alpha/modem/nas/lte_nas_eps_loci_Subscription01
2304028 0x23281C Unix path: /nv/item_files/modem/nas/geran_cap
2304063 0x23283F Unix path: /nv/item_files/modem/nas/lte_nas_lsti_config
2304108 0x23286C Unix path: /nv/item_files/modem/nas/lte_nas_ue_sec_capability
2304159 0x23289F Unix path: /nv/item_files/modem/nas/lte_nas_temp_fplmn_backoff_time
2304216 0x2328D8 Unix path: /nv/item_files/modem/nas/drx_cn_coeff_s1
2304257 0x232901 Unix path: /nv/item_files/modem/nas/exclude_ptmsi_type_field
2304307 0x232933 Unix path: /nv/item_files/modem/nas/exclude_old_lai_type_field
2304359 0x232967 Unix path: /nv/item_files/modem/nas/nas_lai_change_force_lau_for_emergency
2304423 0x2329A7 Unix path: /nv/item_files/modem/nas/nas_srvcc_support
2304466 0x2329D2 Unix path: /nv/item_files/modem/nas/mobility_management_for_voims_feature
2304529 0x232A11 Unix path: /nv/item_files/modem/nas/nas_config_feature
2304573 0x232A3D Unix path: /nv/item_files/modem/nas/aggression_management
2304620 0x232A6C Unix path: /nv/item_files/modem/nas/csg_support_configuration
2304671 0x232A9F Unix path: /nv/item_files/modem/nas/nas_l2g_srvcc_support
2304718 0x232ACE Unix path: /nv/item_files/modem/nas/tighter_capability
2304762 0x232AFA Unix path: /nv/item_files/modem/nas/nas_nv_classmark_ie
2304807 0x232B27 Unix path: /nv/item_files/modem/nas/sglte_nas_nv_config
2304852 0x232B54 Unix path: /nv/item_files/modem/nas/mm_backoff_remaining_info
2304903 0x232B87 Unix path: /nv/item_files/modem/nas/mm_backoff_remaining_info_subscription01
2304969 0x232BC9 Unix path: /nv/item_files/modem/nas/gmm_drx_cn_coeff_s1
2305014 0x232BF6 Unix path: /nv/item_files/modem/nas/isr
2305043 0x232C13 Unix path: /nv/item_files/modem/nas/emm_combined_proc
2305086 0x232C3E Unix path: /nv/item_files/modem/nas/avoid_guti_nas_security_check
2305141 0x232C75 Unix path: /nv/item_files/modem/nas/is_accepted_on_lte
2305186 0x232CA2 Unix path: /nv/item_files/conf/nas_mm.conf
2318399 0x23603F Unix path: /nv/item_files/modem/nas/gmm_drx_cn_coeff_s1
2329012 0x2389B4 Unix path: /nvm/alpha/modem/nas/lte_nas_emm_eps_native_context_Subscription01
2368472 0x2423D8 Unix path: /nv/item_files/modem/data/3gpp/global_throttling
2371696 0x243070 Unix path: /nv/item_files/modem/nas/vpmln_Subscription01
2379116 0x244D6C Unix path: /nv/item_files/modem/nas/ignore_uplmn
2379154 0x244D92 Unix path: /nv/item_files/modem/nas/imsi_switch
2379191 0x244DB7 Unix path: /nv/item_files/modem/nas/ehplmn
2379223 0x244DD7 Unix path: /nv/item_files/modem/nas/ehplmn_Subscription01
2379270 0x244E06 Unix path: /nv/item_files/modem/nas/ehplmn_Subscription02
2379317 0x244E35 Unix path: /nv/item_files/modem/nas/efrplmnsi_select_rplmn_after_hplmn
2379377 0x244E71 Unix path: /nv/item_files/modem/nas/forced_irat
2379414 0x244E96 Unix path: /nv/item_files/modem/nas/tdscdma_op_plmn_list
2379460 0x244EC4 Unix path: /nv/item_files/modem/nas/max_validate_sim_counter
2379510 0x244EF6 Unix path: /nv/item_files/modem/nas/t3245_timer
2379547 0x244F1B Unix path: /nv/item_files/modem/nas/t3245_timer_test
2379589 0x244F45 Unix path: /nv/item_files/modem/nas/efnas_config
2379627 0x244F6B Unix path: /nv/item_files/modem/nas/lpm_power_off
2379666 0x244F92 Unix path: /nv/item_files/modem/nas/reg_nv_items
2379704 0x244FB8 Unix path: /nv/item_files/modem/nas/vplmn
2379735 0x244FD7 Unix path: /nv/item_files/modem/nas/vpmln_Subscription01
2379781 0x245005 Unix path: /nv/item_files/modem/nas/ota_plmn_list
2379820 0x24502C Unix path: /nv/item_files/modem/nas/ota_plmn_list_Subscription01
2379874 0x245062 Unix path: /nv/item_files/modem/nas/ota_plmn_list_Subscription02
2379928 0x245098 Unix path: /nv/item_files/modem/nas/max_validate_sim_counter_Subscription01
2379993 0x2450D9 Unix path: /nv/item_files/modem/nas/max_validate_sim_counter_Subscription02
2380058 0x24511A Unix path: /nv/item_files/modem/nas/t3245_timer_Subscription01
2380110 0x24514E Unix path: /nv/item_files/modem/nas/t3245_timer_Subscription02
2380162 0x245182 Unix path: /nv/item_files/modem/nas/t3245_timer_test_Subscription01
2380219 0x2451BB Unix path: /nv/item_files/modem/nas/t3245_timer_test_Subscription02
2380276 0x2451F4 Unix path: /nv/item_files/modem/nas/efnas_config_Subscription02
2380329 0x245229 Unix path: /nv/item_files/modem/nas/efnas_config_Subscription01
2380382 0x24525E Unix path: /nv/item_files/modem/nas/ehplmn_Subscription03
2380429 0x24528D Unix path: /nv/item_files/modem/nas/ehplmn_Subscription04
2380476 0x2452BC Unix path: /nv/item_files/modem/nas/ehplmn_Subscription05
2380524 0x2452EC Unix path: /nv/item_files/conf/reg.conf
2388768 0x247320 Unix path: /nv/item_files/data/3gpp/ds_3gpp_multi_pdn_same_apn
2398084 0x249784 Unix path: /nv/item_files/modem/nas/roaming_policy_manager
2399600 0x249D70 Unix path: /work/home/jenkins/Daily_14001_env_pvt/MODEM/MSM8974.LA.4.0.2/msm8974/modem_proc/mmcp/policyman/src/policyman_phone_events.c
2400952 0x24A2B8 Unix path: /work/home/jenkins/Daily_14001_env_pvt/MODEM/MSM8974.LA.4.0.2/msm8974/modem_proc/mmcp/policyman/src/policyman_rat_capability.c
2402691 0x24A983 Unix path: /work/home/jenkins/Daily_14001_env_pvt/MODEM/MSM8974.LA.4.0.2/msm8974/modem_proc/mmcp/policyman/src/policyman_serving_system.c
2403391 0x24AC3F Unix path: /work/home/jenkins/Daily_14001_env_pvt/MODEM/MSM8974.LA.4.0.2/msm8974/modem_proc/mmcp/policyman/src/policyman_set.c
2403796 0x24ADD4 Unix path: /work/home/jenkins/Daily_14001_env_pvt/MODEM/MSM8974.LA.4.0.2/msm8974/modem_proc/mmcp/policyman/src/policyman_sglte.c
2405068 0x24B2CC Unix path: /work/home/jenkins/Daily_14001_env_pvt/MODEM/MSM8974.LA.4.0.2/msm8974/modem_proc/mmcp/policyman/src/policyman_timer.c
2405649 0x24B511 Unix path: /work/home/jenkins/Daily_14001_env_pvt/MODEM/MSM8974.LA.4.0.2/msm8974/modem_proc/mmcp/policyman/src/policyman_uim.c
2406472 0x24B848 XML document, version: "1.0"
2409544 0x24C448 XML document, version: "1.0"
2412177 0x24CE91 XML document, version: "1.0"
2414817 0x24D8E1 XML document, version: "1.0"
2428426 0x250E0A XML document, version: "1.0"
2445983 0x25529F XML document, version: "1.0"
2454264 0x2572F8 Unix path: /work/home/jenkins/Daily_14001_env_pvt/MODEM/MSM8974.LA.4.0.2/msm8974/modem_proc/mmcp/policyman/src/policyman_call_events.c
2454672 0x257490 Unix path: /work/home/jenkins/Daily_14001_env_pvt/MODEM/MSM8974.LA.4.0.2/msm8974/modem_proc/mmcp/policyman/src/policyman_lang.c
2477930 0x25CF6A Unix path: /nv/item_files/modem/sms/mo_on_data_channel
2477974 0x25CF96 Unix path: /nv/item_files/modem/sms/enable_fdn_control
2478018 0x25CFC2 Unix path: /nv/item_files/modem/sms/store_to_sim_if_nv_full
2478067 0x25CFF3 Unix path: /nv/item_files/ims/qipcall_1xsmsandvoice
2478108 0x25D01C Unix path: /nv/item_files/modem/sms/telecom_smsp_fallback
2478155 0x25D04B Unix path: /nv/item_files/modem/sms/sms_rety_limit
2478195 0x25D073 Unix path: /nv/item_files/modem/sms/disable_lte_cb_dup_detection
2478249 0x25D0A9 Unix path: /nv/item_files/modem/sms/disable_pres_bc_alert
2478296 0x25D0D8 Unix path: /nv/item_files/modem/sms/cs_domain_fallback
2479896 0x25D718 Unix path: /nv/item_files/conf/wms.conf
2520837 0x267705 Unix path: /nv/item_files/cdma/1xcp/so73_cop0_supported
2522992 0x267F70 Unix path: /nv/item_files/conf/mc.conf
2577576 0x2754A8 Unix path: /work/home/jenkins/Daily_14001_env_pvt/MODEM/MSM8974.LA.4.0.2/msm8974/modem_proc/1x/mux/src/txccommon.c
2580976 0x2761F0 Unix path: /nv/item_files/modem/1x/device_only_dtx_params
2600608 0x27AEA0 Unix path: /nv/item_files/modem/1x/zz2_2_thresh
2609179 0x27D01B Unix path: /local/mnt/workspace/CRMBuilds/MPSS.DI.3.0.c6-00216-M8974AAAAANAZM-1.8590.1_20141109_222100/b/modem_proc/1x/srch/src/common/srch
2643620 0x2856A4 Unix path: /local/mnt/workspace/CRMBuilds/MPSS.DI.3.0.c6-00216-M8974AAAAANAZM-1.8590.1_20141109_222100/b/modem_proc/1x/srch/src/irat/srch_1
3043613 0x2E711D Minix filesystem, V1, big endian, 15872 zones
4343588 0x424724 Unix path: /core/buses/icb/arb
4371547 0x42B45B Unix path: /work/home/jenkins/Daily_14001_env_pvt/MODEM/MSM8974.LA.4.0.2/msm8974/modem_proc/core/kernel/dlpager/src/dlpager_main.c:108 ret
4373870 0x42BD6E Unix path: /dev/core/mproc/ipc_router
4377059 0x42C9E3 Unix path: /node/core/cpu/bus
4382947 0x42E0E3 Unix path: /nv/item_files/therm_monitor/config.ini
4388268 0x42F5AC Unix path: /local/mnt/workspace/CRMBuilds/MPSS.DI.3.0.c6-00194-M8974AAAAANAZM-1_20140922_114854/b/modem_proc/core/securemsm/crypto/environm
4388848 0x42F7F0 Unix path: /local/mnt/workspace/CRMBuilds/MPSS.DI.3.0.c6-00194-M8974AAAAANAZM-1_20140922_114854/b/modem_proc/core/securemsm/crypto/shared/s
4390088 0x42FCC8 SHA256 hash constants, little endian
4390952 0x430028 Unix path: /local/mnt/workspace/CRMBuilds/MPSS.DI.3.0.c6-00194-M8974AAAAANAZM-1_20140922_114854/b/modem_proc/core/securemsm/crypto/shared/s
4412692 0x435514 Unix path: /local/mnt/workspace/CRMBuilds/MPSS.DI.3.0.c6-00194-M8974AAAAANAZM-1_20140922_114854/b/modem_proc/core/securemsm/crypto/shared/s
4420004 0x4371A4 Unix path: /local/mnt/workspace/CRMBuilds/MPSS.DI.3.0.c6-00194-M8974AAAAANAZM-1_20140922_114854/b/modem_proc/core/securemsm/sfs/shared/src/
4423696 0x438010 Unix path: /local/mnt/workspace/CRMBuilds/MPSS.DI.3.0.c6-00194-M8974AAAAANAZM-1_20140922_114854/b/modem_proc/core/securemsm/sfs/shared/src/
4425522 0x438732 Unix path: /local/mnt/workspace/CRMBuilds/MPSS.DI.3.0.c6-00194-M8974AAAAANAZM-1_20140922_114854/b/modem_proc/core/securemsm/smecom/ixutil/e
4426560 0x438B40 Unix path: /local/mnt/workspace/CRMBuilds/MPSS.DI.3.0.c6-00194-M8974AAAAANAZM-1_20140922_114854/b/modem_proc/core/securemsm/x509/shared/src
4438825 0x43BB29 Unix path: /nv/item_files/clock/clock_mss.ini
4457591 0x440477 Unix path: /node/core/bus/uart/pnocclk
4639460 0x46CAE4 Unix path: /nv/item_files/wcdma/l1/srch/wl1_srch_e1d_nv
4642188 0x46D58C Unix path: /nv/item_files/conf/wl1_srch_e1d_nv.conf
4648100 0x46ECA4 Unix path: /nv/item_files/wcdma/idle/w_idle_mode_opt
4660952 0x471ED8 Unix path: /nv/item_files/wcdma/l1utils/wl1_dsr_mode
4661972 0x4722D4 Unix path: /nv/item_files/wcdma/irat/wl1_atuner_config
4695666 0x47A672 Unix path: /nv/item_files/wcdma/rxd/wl1_rxd_rscp_thresh
4699576 0x47B5B8 Unix path: /nv/item_files/conf/wl1_rxd.conf
4727852 0x48242C Unix path: /local/mnt/workspace/CRMBuilds/MPSS.DI.3.0.c6-00241-M8974AAAAANAZM-1_20150120_025837/b/modem_proc/wcdma/l1/offline/src/mcalwcdma
4736620 0x48466C Unix path: /nv/item_files/wcdma/fet/wl1_fet_control
4739552 0x4851E0 Unix path: /nv/item_files/wcdma/cme/wcdma_cme_opts
4741766 0x485A86 Unix path: /nv/item_files/conf/wl1_cme.conf
---------------- SNIP TOO LONG ----------------
If anyone's interested I'll update the whole output
Cheers Guys

Fascinating. Never thought of mounting it!
Real Data mining

Appreciate it

Hey Guys,
Little update.
The specific Hexagon baseband version I have running in my OnePlus One is QDSP6V5A; however, I can't load any of the files into IDA as the plugin only supports V4. Perhaps I could have the baseband load a remote gdb and do some live debugging.
If anyone has successfully loaded these files into IDA please let me know; I'd love to start messing with the flow control of NV (full NV write permission).

Hey Guys,
Another little update, I've managed to combine all of the modem.b00-25 files into a single ELF file, that now successfully opens in IDA:
Graph view:
However when I get down to my string of interest IDA seems to get confused:
If anyone can shed some light on this that would be awesome!
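The split layout in the listing above (name.mdt = name.b00 + name.b01, one name.bNN per program header, gaps where p_filesz is 0) and the "combine modem.b00-25 into one ELF" step from this update can be worked through in code. This is an added example, not dylanger's script or a Qualcomm tool: the segment-type bits in p_flags follow the masks the Linux qcom_mdt_loader uses, and the sample image it builds is constructed (segment sizes borrowed from the cmnlib entries in the listing).

```python
import struct
from dataclasses import dataclass
from pathlib import Path

# Qualcomm PIL images ship as name.mdt (ELF header + program headers + hash segment,
# i.e. name.b00 + name.b01) plus one name.bNN file per program header NN.  The segment
# type sits in the top bits of p_flags (masks as in the Linux qcom_mdt_loader).
QCOM_MDT_TYPE_MASK = 7 << 24
QCOM_MDT_TYPE_HASH = 2 << 24   # hash segment (MBN header, segment hashes, cert chain)
QCOM_MDT_TYPE_PHDR = 7 << 24   # the header segment itself (ELF header + phdr table)
EM_QDSP6 = 164                 # e_machine for Hexagon, what `file` calls "QUALCOMM DSP6"

@dataclass
class Phdr:
    index: int
    p_type: int
    p_offset: int
    p_vaddr: int
    p_paddr: int
    p_filesz: int
    p_memsz: int
    p_flags: int
    p_align: int

    @property
    def kind(self) -> str:
        seg_type = self.p_flags & QCOM_MDT_TYPE_MASK
        if seg_type == QCOM_MDT_TYPE_HASH:
            return "hash"
        if seg_type == QCOM_MDT_TYPE_PHDR:
            return "phdr"
        return "empty" if self.p_filesz == 0 else "data"

def parse_phdrs(mdt: bytes) -> list:
    """Parse the ELF32 little-endian header at the start of .mdt (or .b00)."""
    if mdt[:4] != b"\x7fELF" or mdt[4] != 1 or mdt[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF header")
    (e_phoff,) = struct.unpack_from("<I", mdt, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", mdt, 0x2A)
    if e_phentsize != 32:
        raise ValueError("unexpected e_phentsize %d" % e_phentsize)
    return [Phdr(i, *struct.unpack_from("<8I", mdt, e_phoff + i * 32)) for i in range(e_phnum)]

def describe(mdt: bytes) -> list:
    """(index, kind, p_filesz) per segment: a quick map of what each .bNN file holds."""
    return [(ph.index, ph.kind, ph.p_filesz) for ph in parse_phdrs(mdt)]

def missing_segments(mdt: bytes, segments: dict) -> list:
    """Indices whose .bNN file is absent although the header says p_filesz > 0."""
    return [ph.index for ph in parse_phdrs(mdt) if ph.p_filesz and ph.index not in segments]

def unsplit(mdt: bytes, segments: dict) -> bytes:
    """Rebuild a single ELF from .mdt plus {NN: bytes of name.bNN}; segment NN goes back
    at phdr[NN].p_offset, and gaps in the numbering (modem.b04, .b05, ...) are p_filesz == 0."""
    phdrs = parse_phdrs(mdt)
    missing = missing_segments(mdt, segments)
    if missing:
        raise FileNotFoundError("segment file(s) missing for indices %r" % missing)
    image = bytearray(max(ph.p_offset + ph.p_filesz for ph in phdrs))
    for ph in phdrs:
        if ph.p_filesz == 0:
            continue
        data = segments[ph.index]
        if len(data) != ph.p_filesz:
            raise ValueError("segment %d is %d bytes, header says %d"
                             % (ph.index, len(data), ph.p_filesz))
        image[ph.p_offset:ph.p_offset + len(data)] = data
    return bytes(image)

def mdt_matches_split(mdt: bytes, segments: dict) -> bool:
    """The listing shows .mdt == .b00 + .b01 (e.g. cmnlib: 348 == 180 + 168)."""
    return mdt == segments.get(0, b"") + segments.get(1, b"")

def load_split_image(directory, name: str):
    """Read name.mdt and every name.bNN from a mounted NON-HLOS directory."""
    base = Path(directory)
    mdt = (base / f"{name}.mdt").read_bytes()
    segments = {int(p.suffix[2:]): p.read_bytes() for p in base.glob(f"{name}.b[0-9][0-9]")}
    return mdt, segments

def build_sample_split_image():
    """Constructed stand-in for a real .mdt/.bNN set (header and hash sizes as in cmnlib)."""
    phdrs = [  # (p_offset, p_filesz, p_memsz, p_flags)
        (0x0000, 52 + 4 * 32, 52 + 4 * 32, QCOM_MDT_TYPE_PHDR | 0x4),  # header segment
        (0x1000, 168, 168, QCOM_MDT_TYPE_HASH | 0x4),                  # hash segment
        (0x2000, 64, 64, 0x5),                                         # code
        (0x3000, 0, 0x100, 0x6),                                       # bss-like, no .b03
    ]
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + b"\x00" * 9,
                       2, EM_QDSP6, 1, 0x2000, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    table = b"".join(struct.pack("<8I", 1, off, 0x8000000 + off, 0x8000000 + off,
                                 fsz, msz, flg, 0x1000) for off, fsz, msz, flg in phdrs)
    b00 = ehdr + table
    b01 = b"\x11" * 168      # constructed stand-in for the hash segment
    b02 = b"\xaa" * 64       # constructed stand-in for code
    return b00 + b01, {0: b00, 1: b01, 2: b02}
```

On a real mounted image, `unsplit(*load_split_image("/mnt/nonhlos", "modem"))` gives one file that a disassembler can open; `describe()` first tells you which .bNN is the hash segment so you do not mistake it for code.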

Very interesting! This may give us an open baseband implementation for android in the future.
Any news?

Rbn3D said:
Very interesting! This may give us an open baseband implementation for android in the future.
Any news?
Hey Rbn3D,
Indeed it may, however it looks like the only real way to map something like OsmocomBB to the QDSP6v* would rely on a Qualcomm leak containing everything about the QDSP6. I think the time and resources to reverse engineer something like this would be too much. But leaked documentation could make it possible.
I think it's pretty crazy this hasn't been done yet. The baseband does so much and we know next to nothing about it; if I were the NSA this is where I'd hide my back door.
The other main hurdle is the fact that the bootloader checks the modem partition. If you change one bit, the phone will fail to boot, I think the verification is done in TrustZone/TZ on the SoC.
From an anti-theft standpoint this would be awesome, you could potentially SIM lock your specific SIM. And network locked phones would be a thing of the past.
Unsupported LTE/3G bands would also become accessible/modifiable, perhaps even TX/RX power; then again, this is probably why they have this locked down.
If any vendors are watching, make everything open source! I'd buy a phone with open source baseband and bootloader in a heartbeat.

I did a google search for the documentation you were looking for regarding QDSP6 and came across this page: http://forum.gsmhosting.com/vbb/f83/qdsp6-qualcomm-hexxagon-few-questions-datasheet-needed-1820478/
It has a link to download a pdf, but I don't know if that's what you're looking for.

chikin said:
I did a google search for the documentation you were looking for regarding QDSP6 and came across this page: http://forum.gsmhosting.com/vbb/f83/qdsp6-qualcomm-hexxagon-few-questions-datasheet-needed-1820478/
It has a link to download a pdf, but I don't know if that's what you're looking for.
Yeah, something like this; however, we still have that first hurdle: even if we begin trying to implement osmocomBB we'd need a way for the device to load the modified baseband firmware without signature verification. If you find how to do that, we could begin testing.
You would also have network unlocked basically all phones that use Qualcomm, as it's my understanding that all network lock implementations are at the baseband. If someone can figure out how to bypass signature verification we could begin patching the baseband; as I said before, verification is performed in TrustZone. There are exploits available for TZ but I'm not sure how you'd use one to skip modem verification.

Hi,
It's easy to disable this verification by RAM patching the modem radio. To be able to do this you need to find some exploit within the TrustZone. Once that's found you can patch the modem radio in RAM and enable restricted NV field writing this way. Also, it is very possible that the modem radio is mapped at a different address than the one from the ELF, and in order to have some success I suggest you look at some ARM-based ELF for the needed radio procs to be patched, since the code is the same but a different compiler is used. Anyway, good luck. It won't be easy.
P.S: Public TrustZone exploits are available to the public (ex. integer overflow bug, tzbsp_es_is_available bug, tzbsp_oem_svc bugs)
P.S1: What you discovered has been known for years to some of us

For experiment's sake, and to possibly get us further: would it be possible to flash the non-hlos.bin onto another similar phone? I'm not sure how much device-specific code non-hlos contains, but I was thinking about grabbing 2 phones, one with band20 and one without band20, both with the same AMP and RF chip (or very similar), and then exchanging files between them to see if it will teach us anything.
Any comments/thoughts?
For reference's sake I've collected info about a few devices:
oppo find 7: AMP sky77629-21, RF not sure
lenovo zuk z1: AMP sky77633-11, RF WTR1625L
mi4: AMP AVAGO ACPM-7600, RF WTR1625L
redmi 3: AMP sky77643 + sky77916, RF WTR4905
xperia z3: AMP sky77629-13 + sky77753, RF WTR1625L
1+1: AMP sky77629-21, RF WTR1625L
mi5: AMP sky77646, RF WTR3925

There was a comment from one of the bods at one plus that the original modems were oppo modems.
If that is true then in theory a Find 7 modem could work,
But I suspect it would be likely to cause serious issues

QCOM modem leaked sources.
Type in google/bing: "AU_LINUX_ANDROID_LNX.LA.3.5.3.4.04.04.02.113.008_msm8610_LNX.LA.3.5.3.4__release_AU"

Hi,
I own a ZUK Z1 and found the information, that Moto X 2nd Gen (CN version aka xt1085 with LTE B20) has the same AMP/RF combination. Unfortunately xt1085 is a single SIM device, so I worry if the 2nd SIM on my Z1 will work after flashing.
Anyone out there owning an xt1085 and willing to dump the necessary files?

Hi guys,
I am interested in this. I was thinking that at least for Xiaomi, non-hlos.bin is not the only thing to care about. See this post about qcn
https://xiaomi.eu/community/threads/solve-problem-with-4g-lte-sim1-redmi-phones.33900/
Any thought?

pakidermo5000 said:
Hi guys,
I am interested in this. I was thinking that, at least for Xiaomi, non-hlos.bin is not the only thing to care about. See this post about QCN files:
https://xiaomi.eu/community/threads/solve-problem-with-4g-lte-sim1-redmi-phones.33900/
Any thoughts?

I'll have a look at it in more depth later on. But he appears to be pushing a hacked modem?

fards said:
I'll have a look at it in more depth later on. But he appears to be pushing a hacked modem?

Yes, it seems that it is the other way round from what we are looking at here. Basically the shop sent the phone with a hacked QCN file that disabled the connections to LTE bands, and they looked for the right QCN file to flash so as to have LTE.
My point was that maybe it is not enough to modify the NVRAM values; maybe it is also necessary to modify the QCN file so as to enable some of the bands?
And, second point: if the shop could hack the QCN, it means it is possible without having the source code, right?

pakidermo5000 said:
Yes, it seems that it is the other way round from what we are looking at here. Basically the shop sent the phone with a hacked QCN file that disabled the connections to LTE bands, and they looked for the right QCN file to flash so as to have LTE.
My point was that maybe it is not enough to modify the NVRAM values; maybe it is also necessary to modify the QCN file so as to enable some of the bands?
And, second point: if the shop could hack the QCN, it means it is possible without having the source code, right?

Ah, I read it as the shop having flashed a restricted one from a Chinese phone.
Will look later on when not rushing about.

An interesting development on the B20 front, it appears that there is an official release of a Mi5 and other models with B20 active, in Poland. Hopefully this will provide some leads on the .qcn file front to getting additional bands enabled.
See XDA Developers thread titled [Work in Progress] Trying to Unlock Bands (Including B20) post #357 (http://forum.xda-developers.com/showpost.php?p=68828828&postcount=357)
Cheers,
GM

(dylanger) said:
Hey Guys,
Another little update, I've managed to combine all of the modem.b00-25 files into a single ELF file, that now successfully opens in IDA:

What did you use to do that? I found this thread while stumbling around trying to find a way to port Keymaster firmware to a similar device without one.
http://forum.xda-developers.com/lg-g2/orig-development/porting-keymaster-firmware-t3473350
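The split layout behind dylanger's note (a .mdt that carries the ELF header, the program headers and the hash segment, plus one .bNN file per program header) is the form Qualcomm's PIL loader consumes, and it can be put back into one ELF with a short script. The script below is an added example, not dylanger's tool or anything posted in this thread: it reads the program headers out of the .mdt and writes each .bNN at its p_offset. So that it runs offline it builds a small synthetic ELF32 in memory and splits it the same way; `build_sample_elf`, `split_elf`, the segment contents and the `<name>.mdt` / `<name>.bNN` naming assumed by `reassemble_from_dir` are constructed here (the naming matches the listing at the top of the thread).

```python
import os
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
QCOM_HASH_SEGMENT_FLAGS = 2 << 24   # type bits (2 << 24) mark the hash segment in Qualcomm images


def parse_phdrs(image):
    """Return [(p_offset, p_filesz), ...] from the ELF header at the start of `image`
    (the .mdt or a full ELF). Handles ELF32 and ELF64, little-endian as on Qualcomm SoCs."""
    if image[:4] != ELF_MAGIC:
        raise ValueError("no ELF magic")
    ei_class = image[4]
    if ei_class == 1:                                   # ELFCLASS32
        (e_phoff,) = struct.unpack_from("<I", image, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", image, 42)
        fmt, off_idx, sz_idx = "<8I", 1, 4              # p_type, p_offset, p_vaddr, p_paddr, p_filesz, ...
    elif ei_class == 2:                                 # ELFCLASS64
        (e_phoff,) = struct.unpack_from("<Q", image, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", image, 54)
        fmt, off_idx, sz_idx = "<IIQQQQQQ", 2, 5        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
    else:
        raise ValueError("bad EI_CLASS %d" % ei_class)
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, image, e_phoff + i * e_phentsize)
        phdrs.append((fields[off_idx], fields[sz_idx]))
    return phdrs


def reassemble(mdt, segments):
    """Rebuild the flat ELF. `segments` maps N -> contents of <name>.bNN; each one is
    written at its program header's p_offset and gaps stay zero-filled."""
    phdrs = parse_phdrs(mdt)
    size = max([len(mdt)] + [off + sz for off, sz in phdrs])
    out = bytearray(size)
    for i, (off, sz) in enumerate(phdrs):
        blob = segments.get(i)
        if blob is None:
            if sz == 0:                                  # e.g. a .bss-only PT_LOAD needs no file
                continue
            raise ValueError("missing segment .b%02d (%d bytes expected)" % (i, sz))
        if len(blob) != sz:
            raise ValueError(".b%02d is %d bytes, program header says %d" % (i, len(blob), sz))
        out[off:off + sz] = blob
    return bytes(out)


def reassemble_from_dir(mdt_path):
    """Read <base>.mdt and every <base>.bNN beside it and return the flat ELF bytes."""
    base = mdt_path[:-4]
    with open(mdt_path, "rb") as f:
        mdt = f.read()
    segments = {}
    for i in range(len(parse_phdrs(mdt))):
        path = "%s.b%02d" % (base, i)
        if os.path.exists(path):
            with open(path, "rb") as f:
                segments[i] = f.read()
    return reassemble(mdt, segments)


def split_elf(elf):
    """Inverse of reassemble(): PIL-style split of a flat ELF. The .mdt is .b00 (ELF header
    plus program headers) followed by .b01 (hash segment)."""
    phdrs = parse_phdrs(elf)
    segments = {i: elf[off:off + sz] for i, (off, sz) in enumerate(phdrs)}
    return segments[0] + segments[1], segments


def build_sample_elf():
    """Constructed ELF32 with three segments: [0] header+phdrs, [1] a fake 32-byte hash
    segment, [2] a PT_LOAD code segment at file offset 0x1000. Not a real firmware image."""
    code = bytes(range(64))
    hashes = b"\xaa" * 32
    phoff, phentsize, phnum = 52, 32, 3
    hdr_end = phoff + phentsize * phnum                  # 148
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)  # ELF32, little-endian, version 1, SYSV ABI
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 40, 1, 0x1000, phoff, 0, 0,
                                 52, phentsize, phnum, 0, 0, 0)
    phdrs = struct.pack("<8I", 0, 0, 0, 0, hdr_end, hdr_end, 0, 0)                        # PT_NULL over the header
    phdrs += struct.pack("<8I", 0, hdr_end, 0, 0, len(hashes), len(hashes), QCOM_HASH_SEGMENT_FLAGS, 0)
    phdrs += struct.pack("<8I", PT_LOAD, 0x1000, 0x1000, 0x1000, len(code), len(code), 5, 0x1000)
    image = bytearray(0x1000 + len(code))
    image[0:hdr_end] = ehdr + phdrs
    image[hdr_end:hdr_end + len(hashes)] = hashes
    image[0x1000:] = code
    return bytes(image)


if __name__ == "__main__":
    elf = build_sample_elf()
    mdt, segs = split_elf(elf)
    print("round trip ok:", reassemble(mdt, segs) == elf, "segments:", parse_phdrs(mdt))
```

Reassembly only changes the file layout so IDA or readelf can see the whole image; the hash segment (.b01) holds per-segment digests covered by the image signature, which the secure boot chain re-checks before the modem runs, so a reassembled and edited image is refused at load time. That is the same hurdle the TrustZone discussion earlier in the thread is about.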

Related

SQUAT failed to open index file

Hi,
every time I try to connect to my Postfix server (with Cyrus IMAP) I get the following "error":
Code:
/var/log/mail.log
Apr 21 02:49:47 h137XXXX cyrus/imap[11563]: accepted connection
Apr 21 02:49:51 h137XXXX cyrus/imap[11563]: client id: "vendor" "Microsoft" "os" "Windows Mobile" "os-version" "5.2" "os-revision" "0.7.2" "guid" "294b479XXXXb91003c10fcXXXXb5f4a20a657c09"
Apr 21 02:49:52 h137XXXX cyrus/imap[11562]: seen_db: user XXX opened /var/lib/cyrus/user/c/XXX.seen
Apr 21 02:49:52 h137XXXX cyrus/imap[11562]: open: user XXX opened INBOX
Apr 21 02:49:53 h137XXXX cyrus/imap[11563]: login: 16.106.113.82.net.de.o2.com [82.113.106.16] XXX plaintext User logged in
Apr 21 02:49:54 h137XXXX cyrus/imap[11562]: SQUAT failed to open index file
Apr 21 02:49:54 h137XXXX cyrus/imap[11562]: SQUAT failed
Any idea what is going wrong? Using a Prophet with Windows Mobile 6 (Shadow 1.0).
I know it's more or less a Linux question, but an XDA is involved.
(/usr/lib/cyrus/bin/reconstruct -r user.XXX had no effect at all)

Need help: permission.xml

Hi, I need an original permission.xml file for my One M9+
from System/etc/permissions/permission.xml
__vexx__ said:
Hi, I need an original permission.xml file for my One M9+
from System/etc/permissions/permission.xml

Hi
No permission.xml in my stock system.
[[email protected] ~]# cd /oracle/M9pw_system
[[email protected] M9pw_system]# cd etc
[[email protected] etc]# cd permissions/
[[email protected] permissions]# ll
total 216
-rw-r--r--. 1 root root 830 Jun 12 18:14 android.hardware.bluetooth_le.xml
-rw-r--r--. 1 root root 820 Jun 12 18:14 android.hardware.bluetooth.xml
-rw-r--r--. 1 root root 1052 Jun 12 18:14 android.hardware.camera.flash-autofocus.xml
-rw-r--r--. 1 root root 1096 Jun 12 18:14 android.hardware.camera.xml
-rw-r--r--. 1 root root 880 Jun 12 18:14 android.hardware.consumerir.xml
-rw-r--r--. 1 root root 927 Jun 12 18:14 android.hardware.faketouch.xml
-rw-r--r--. 1 root root 885 Jun 12 18:14 android.hardware.location.gps.xml
-rw-r--r--. 1 root root 841 Jun 12 18:14 android.hardware.microphone.xml
-rw-r--r--. 1 root root 840 Jun 12 18:14 android.hardware.nfc.hce.xml
-rw-r--r--. 1 root root 873 Jun 12 18:14 android.hardware.nfc.xml
-rw-r--r--. 1 root root 824 Jun 12 18:14 android.hardware.sensor.accelerometer.xml
-rw-r--r--. 1 root root 804 Jun 12 18:14 android.hardware.sensor.compass.xml
-rw-r--r--. 1 root root 806 Jun 12 18:14 android.hardware.sensor.gyroscope.xml
-rw-r--r--. 1 root root 816 Jun 12 18:14 android.hardware.sensor.light.xml
-rw-r--r--. 1 root root 815 Jun 12 18:14 android.hardware.sensor.proximity.xml
-rw-r--r--. 1 root root 818 Jun 12 18:14 android.hardware.sensor.stepcounter.xml
-rw-r--r--. 1 root root 811 Jun 12 18:14 android.hardware.sensor.stepdetector.xml
-rw-r--r--. 1 root root 881 Jun 12 18:14 android.hardware.telephony.gsm.xml
-rw-r--r--. 1 root root 1076 Jun 12 18:14 android.hardware.touchscreen.multitouch.distinct.xml
-rw-r--r--. 1 root root 1144 Jun 12 18:14 android.hardware.touchscreen.multitouch.jazzhand.xml
-rw-r--r--. 1 root root 1035 Jun 12 18:14 android.hardware.touchscreen.multitouch.xml
-rw-r--r--. 1 root root 909 Jun 12 18:14 android.hardware.touchscreen.xml
-rw-r--r--. 1 root root 975 Jun 12 18:14 android.hardware.usb.accessory.xml
-rw-r--r--. 1 root root 868 Jun 12 18:14 android.hardware.usb.host.xml
-rw-r--r--. 1 root root 843 Jun 12 18:14 android.hardware.wifi.direct.xml
-rw-r--r--. 1 root root 829 Jun 12 18:14 android.hardware.wifi.xml
-rw-r--r--. 1 root root 1050 Jun 12 18:14 android.software.live_wallpaper.xml
-rw-r--r--. 1 root root 883 Jun 12 18:14 android.software.sip.voip.xml
-rw-r--r--. 1 root root 829 Jun 12 18:14 android.software.sip.xml
-rw-r--r--. 1 root root 748 Jun 12 18:14 android.software.webview.xml
-rw-r--r--. 1 root root 828 Jun 12 18:14 com.android.location.provider.xml
-rw-r--r--. 1 root root 820 Jun 12 18:14 com.android.mediadrm.signer.xml
-rw-r--r--. 1 root root 828 Jun 12 18:14 com.android.media.remotedisplay.xml
-rw-r--r--. 1 root root 810 Jun 12 18:14 com.android.nfc_extras.xml
-rw-r--r--. 1 root root 189 Jun 12 18:14 com.dsi.ant.antradio_library.xml
-rw-r--r--. 1 root root 816 Jun 12 18:14 com.google.android.maps.xml
-rw-r--r--. 1 root root 835 Jun 12 18:14 com.google.android.media.effects.xml
-rw-r--r--. 1 root root 261 Jun 12 18:14 com.google.widevine.software.drm.xml
-rw-r--r--. 1 root root 801 Jun 12 18:14 com.htc.key.dap.xml
-rw-r--r--. 1 root root 772 Jun 12 18:14 com.htc.sensor.autocalibration.xml
-rw-r--r--. 1 root root 794 Jun 12 18:14 com.htc.sensor.hallsensor.xml
-rw-r--r--. 1 root root 740 Jun 12 18:14 com.htc.sensor.sensorhub.xml
-rw-r--r--. 1 root root 1252 Jun 12 18:14 com.htc.software.market.xml
-rw-r--r--. 1 root root 751 Jun 12 18:14 com.htc.voicedictation_c.xml
-rw-r--r--. 1 root root 172 Jun 12 18:14 com.mediatek.effect.xml
-rw-r--r--. 1 root root 814 Jun 12 18:14 com.nxp.mifare.xml
-rw-r--r--. 1 root root 3986 Jun 12 18:14 handheld_core_hardware.xml
-rw-r--r--. 1 root root 2502 Jun 12 18:14 htcsenseframework.xml
-rw-r--r--. 1 root root 10812 Jun 12 18:14 media_codecs.xml
-rw-r--r--. 1 root root 824 Jun 12 18:14 org.simalliance.openmobileapi.xml
-rw-r--r--. 1 root root 7111 Jun 12 18:14 platform.xml
[[email protected] permissions]# ll per*
ls: cannot access per*: No such file or directory

From CAF/MSM8974 to Omni

Hello,
I'm trying to build Omni for I9506/ks01lte. How can I get a list of the present hardware so I know which drivers are needed? There is no 'lshw' binary or '/proc/device-tree' on my current CM13 image and I'm not sure how to gather a reliable hardware map to start searching for drivers. Are unknown detected devices listed in dmesg?
Looking at the find7op kernel dts files it seems they injected some older stuff (most files include a copyright from 2014). I guess they've taken that from stock. But how did they know what to pick in the first place?
My first milestone is setting up a vanilla CAF msm8974 defconfig kernel with boot interrupted into the 'bootable/recovery' image. This should bring up a minimal system with adb, I think.
DualJoe said:
Hello,
I'm trying to build Omni for I9506/ks01lte. How can I get a list of the present hardware so I know which drivers are needed? There is no 'lshw' binary or '/proc/device-tree' on my current CM13 image and I'm not sure how to gather a reliable hardware map to start searching for drivers. Are unknown detected devices listed in dmesg?
Looking at the find7op kernel dts files it seems they injected some older stuff (most files include a copyright from 2014). I guess they've taken that from stock. But how did they know what to pick in the first place?
My first milestone is setting up a vanilla CAF msm8974 defconfig kernel with boot interrupted into the 'bootable/recovery' image. This should bring up a minimal system with adb, I think.

General idea is - Try to determine which CAF tag the OEM derived their source from. Sometimes (not Samsung) the vendor is nice and tells you where they started.
Otherwise, you typically determine from https://codeaurora.org/xwiki/bin/QAEP/release which tags correspond to your chipset and the Android version of the OEM source
e.g. back in the Oppo find7 days, we started with (if I recall correctly) msm8974 and Android version 04.03.00 or something like that.
It takes a bit of work to check out a CAF tag, drop the source on it, and come up with a metric of "how much changed" - some people use "lines of code in the patch" others use "physical size of the resulting patch" - Someone else wrote a script that automated this, I don't have a link on hand though.
Once you determine the closest CAF tag to the OEM source - check that out, drop the OEM source on it, then commit the changes. Then work on splitting the diff up into smaller digestible chunks, usually by path.
Then apply these chunks to a new CAF tag, reading through everything and making a judgement call on what changes are needed/what aren't. Can be harder with Samsung as they make a lot of unnecessary changes.
https://github.com/Entropy512/kernel_find7_reference/commits/oppo_kernel - diffchunked Oppo find7 kernel, start point was LNX.LA.3.2.5-00210-8x74.0
https://github.com/Entropy512/kernel_find7_reference/tree/kk_3.5_oppo - initial effort to rebase onto CAF kk_3.5 tag (this was the chosen CAF baseline back then)
NOTE: Over the years, Max has stripped out even more "unneeded ****" over time.
Thanks. I somewhat hoped for a more "sorted" sub-vendor patches approach, but it looks like the world is not yet ready for that. Will give it a shot anyway.
There are more than 30 branches (LA.BF.1.1.1) for 5.0.1 in the CAF repo though, and Samsung were so nice as to clear/unify all file dates in their kernel. I already wasted too much time trying to find some place to identify the kernel somehow, without any success.
I think I will do as you said and compare everything, starting in the middle of the branches and trying to see in which direction I have to go depending on the 'diff' difference. It's a 100 MB download per CAF kernel and 2x500 MB of comparison data. I will test with 'diff -r folder1 folder2'.
Looks like it's LA.BF.1.1.1_rb1.1 for Samsung I9506XXUDOJ2 (Android 5.0.1).
Code:
git init
git remote add origin git://codeaurora.org/quic/la/kernel/msm
git fetch --depth 1 origin '+refs/heads/LA.BF.1.1.1*:refs/heads/LA.BF.1.1.1*'
# '--depth 1' strips commit history (for a smaller download)
git checkout LA.BF.1.1.1_rb1.1
git checkout -b LA.BF.1.1.1_rb1.1-Samsung-overlay
# (copy/overwrite the Samsung kernel into the worktree here)
git add -A
git commit -m 'LA.BF.1.1.1_rb1.1-Samsung-I9506XXUDOJ2 kernel overlay'
# diff every fetched CAF branch against the overlay; the smallest file is the closest branch
GLOBIGNORE="*"; for i in $(git branch); do if [[ ! "$i" = "*" ]]; then echo "$i"; git diff --diff-filter=M "$i"..LA.BF.1.1.1_rb1.1-Samsung-overlay > ../"$i".txt; fi; done
# The active branch is marked with an asterisk that globs to filenames. The 'if' handles that.
$ ls -lSr --block-size=K
total 196716K
drwxrwxr-x+ 1 User None 0K Mar 27 22:08 msm
-rw-rw-r--+ 1 User None 6408K Mar 27 22:29 LA.BF.1.1.1_rb1.1.txt
-rw-rw-r--+ 1 User None 6415K Mar 27 22:30 LA.BF.1.1.1_rb1.3.txt
-rw-rw-r--+ 1 User None 6422K Mar 27 22:29 LA.BF.1.1.1.c2.txt
-rw-rw-r--+ 1 User None 6432K Mar 27 22:30 LA.BF.1.1.1_rb1.4.txt
-rw-rw-r--+ 1 User None 6432K Mar 27 22:31 LA.BF.1.1.1_rb1.7.txt
-rw-rw-r--+ 1 User None 6433K Mar 27 22:30 LA.BF.1.1.1_rb1.6.txt
-rw-rw-r--+ 1 User None 6433K Mar 27 22:31 LA.BF.1.1.1_rb1.8.txt
-rw-rw-r--+ 1 User None 6453K Mar 27 22:31 LA.BF.1.1.1_rb1.9.txt
-rw-rw-r--+ 1 User None 6461K Mar 27 22:29 LA.BF.1.1.1_rb1.10.txt
-rw-rw-r--+ 1 User None 6470K Mar 27 22:29 LA.BF.1.1.1.c1_rb1.txt
-rw-rw-r--+ 1 User None 6485K Mar 27 22:29 LA.BF.1.1.1_rb1.12.txt
-rw-rw-r--+ 1 User None 6500K Mar 27 22:29 LA.BF.1.1.1.c1_rb1.2.txt
-rw-rw-r--+ 1 User None 6501K Mar 27 22:29 LA.BF.1.1.1.c1_rb1.1.txt
-rw-rw-r--+ 1 User None 6503K Mar 27 22:29 LA.BF.1.1.1_rb1.13.txt
-rw-rw-r--+ 1 User None 6510K Mar 27 22:29 LA.BF.1.1.1_rb1.14.txt
-rw-rw-r--+ 1 User None 6552K Mar 27 22:29 LA.BF.1.1.1_rb1.15.txt
-rw-rw-r--+ 1 User None 6555K Mar 27 22:30 LA.BF.1.1.1_rb1.16.txt
-rw-rw-r--+ 1 User None 6556K Mar 27 22:30 LA.BF.1.1.1_rb1.17.txt
-rw-rw-r--+ 1 User None 6570K Mar 27 22:29 LA.BF.1.1.1.c3.txt
-rw-rw-r--+ 1 User None 6577K Mar 27 22:30 LA.BF.1.1.1_rb1.18.txt
-rw-rw-r--+ 1 User None 6606K Mar 27 22:30 LA.BF.1.1.1_rb1.19.txt
-rw-rw-r--+ 1 User None 6634K Mar 27 22:30 LA.BF.1.1.1_rb1.20.txt
-rw-rw-r--+ 1 User None 6639K Mar 27 22:30 LA.BF.1.1.1_rb1.21.txt
-rw-rw-r--+ 1 User None 6653K Mar 27 22:30 LA.BF.1.1.1_rb1.22.txt
-rw-rw-r--+ 1 User None 6655K Mar 27 22:30 LA.BF.1.1.1_rb1.23.txt
-rw-rw-r--+ 1 User None 6663K Mar 27 22:30 LA.BF.1.1.1_rb1.24.txt
-rw-rw-r--+ 1 User None 6696K Mar 27 22:30 LA.BF.1.1.1_rb1.25.txt
-rw-rw-r--+ 1 User None 6714K Mar 27 22:30 LA.BF.1.1.1_rb1.26.txt
-rw-rw-r--+ 1 User None 6714K Mar 27 22:29 LA.BF.1.1.1.c5.txt
-rw-rw-r--+ 1 User None 7020K Mar 27 22:29 LA.BF.1.1.1.c4.txt
DualJoe said:
Thanks. I somewhat hoped for a more "sorted" sub-vendor patches approach, but it looks like the world is not yet ready for that. Will give it a shot anyway.
There are more than 30 branches (LA.BF.1.1.1) for 5.0.1 in the CAF repo though, and Samsung were so nice as to clear/unify all file dates in their kernel. I already wasted too much time trying to find some place to identify the kernel somehow, without any success.
I think I will do as you said and compare everything, starting in the middle of the branches and trying to see in which direction I have to go depending on the 'diff' difference. It's a 100 MB download per CAF kernel and 2x500 MB of comparison data. I will test with 'diff -r folder1 folder2'.

If you grab CAF's git repo, it contains all branches and you can switch between them with "git checkout".
Process is something, sort-of, like:
git checkout <candidate tag> - should be able to just use the tag right from the releases page
extract Samsung tarball onto the checked out source
git diff > somefile
Look at size of somefile - Note, somewhere someone has a script that automates this whole thing and I think does it by analyzing lines of code change instead of diff patch size
I forget the sequence of git commands to pretty much clean the tree - you can do a "git diff" without committing FYI.
Repeat the above steps for each candidate
You might be able to, instead, drop the Samsung source somewhere, tag it, then diff the Samsung source's tag and the CAF tag with something like
git diff <tag1> <tag2>
eliminating the need to repeatedly drop the source onto a tag.

[Debrick xt890] Solution to "service required code corrupt"

Hello, this solves "service required code corrupt".
Download:
Debrick-intel_blank_flash.7z.zip MD5: ea90220f2a6f080c960dcf6254463b89
Extract Debrick-intel_blank_flash.7z.zip
Extract Debrick-intel_blank_flash.7z
Contents of the folder Debrick-intel_blank_flash:
Code:
-rw-r--r-- 1 621 sep 26 2014 1RSD_BlankFlash.xml
drwxr-xr-x 2 4096 abr 8 2016 Driver
-rw-r--r-- 1 1781 sep 26 2014 PFT_BlankFlash.xml
-rw-r--r-- 1 66528 sep 26 2014 dnx_firmware.bin
-rw-r--r-- 1 18073088 sep 26 2014 droidboot.img.POS.bin
-rw-r--r-- 1 8413938 sep 26 2014 droidboot.unsigned_raw
-rw-r--r-- 1 1937660 sep 26 2014 ifwi_firmware.bin
-rw-r--r-- 1 2874 ene 13 19:29 intel_blank_flash.bat
-rwxr-xr-x 1 2302 ene 13 22:32 intel_blank_flash.sh
-rw-r--r-- 1 43008 jun 22 2009 libgcc_s_dw2-1.dll
-rw-r--r-- 1 11362 ene 10 2009 mingwm10.dll
-rw-r--r-- 1 66528 sep 26 2014 osr_dnx_firmware.bin
-rwxr-xr-x 1 260 ene 13 19:52 sec_xfstk.sh
-rw-r--r-- 1 880 ago 11 2014 soft_fuse.bin
-rw-r--r-- 1 155648 ene 12 13:01 wdapi1140.dll
-rw-r--r-- 1 1377280 feb 12 2013 xfstk-dldr-api.dll
-rw-r--r-- 1 1292288 feb 12 2013 xfstk-dldr-solo.exe
From Windows
1) We enter the folder Debrick-intel_blank_flash.
Install the drivers ("iSocUSB-Driver-Setup-1.0.4.exe", found in the "Driver" subfolder).
2) Run "intel_blank_flash.bat"
and turn on the phone while it is connected to your computer.
That should fix your bricked phone.
From GNU/Linux
First way:
1) Install Phone Flash Tool Lite
https://01.org/node/2463
(depending on your favorite distribution)
2) Link "xfstkFlashTool" from the folder where you installed it into /usr/local/bin
3) We mark the script as executable
Code:
chmod +x sec_xfstk.sh
and we execute it: ./sec_xfstk.sh
and turn on the phone while it is connected to your computer.
Second way:
1) We install xfstk
https://sourceforge.net/projects/xfstk/
2) We link "xfstk-dldr-solo" from the folder where we installed it into /usr/local/bin
3) We mark the script as executable
Code:
chmod +x intel_blank_flash.sh
and we execute it: ./intel_blank_flash.sh
and turn on the phone while it is connected to your computer.
This repairs "service required code corrupt"; the best debrick for the Motorola RAZR i (xt890).
Finally, flash the version of your favorite ROM with RSD Lite or fastboot.
Sorry for my English.
Greetings
Hello! Thank you for the magnificent support... but...
I tried your script...
A few times it failed, but finally it got me into the bootloader.
BUT after that, I was unable to flash anything. I tried with RSD Lite and also manual fastboot from the stock firmware.
I decided to try tomorrow so I selected "power off". Now the phone is dead. Neither the green LED nor the message "service required code corrupt" shows up. Now it's a total brick.
OK, it discharged. Now when I turn it on it goes to the bootloader but these messages are displayed:
Esip signature missing
E:invalid GPT partition gpt_main
E: not found osip header
E:mismatched osii detected
E: no valid GPT existed
invalid mbr partition os type 0x 0
failed to load GPT partitions no any partition found!
E: no PDS partition found!
How to proceed? Every try of using fastboot to load something fails...
Thank you...
yostyle said:
OK, it discharged. Now when I turn it on it goes to the bootloader but these messages are displayed:
Esip signature missing
E:invalid GPT partition gpt_main
E: not found osip header
E:mismatched osii detected
E: no valid GPT existed
invalid mbr partition os type 0x 0
failed to load GPT partitions no any partition found!
E: no PDS partition found!
How to proceed? Every try of using fastboot to load something fails...
Thank you...

I GOT THE SOLUTION YAYYYYY
I was able to flash only the gpt.bin contained in the OTA update file found here in the forum (that is Blur_Version.91.2.26001.XT890.Retail.en.EU).
After that I flashed (skipping the GPT part) the files contained in 9.8.2I-50_SMI-29_S7_USASMI01UKE1021.0R_USASMIJBRTGB_P007_A005_S1FF_fb that I found at https://firmware.center/firmware/
THANKS TO YOU I HAVE MY PHONE ALIVE!

Samsung S7 Edge: get kernel

Rooted my S7 Edge with TWRP and then Magisk. Installed no-verity-opt-encrypt.
With TWRP, backed up the /boot partition to get the kernel.
Extracted the kernel from boot.emmc.win-zImage,
but somehow it seems to be encrypted:
file piggy.gz
piggy.gz: gzip compressed data, reserved method, ASCII, has comment, encrypted, last modified: Fri Aug 29 04:58:08 2014, from Unix
Binwalk of boot.emmc.win:
binwalk boot.emmc.win
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Android bootimg, kernel size: 33088224 bytes, kernel addr: 0x10008000, ramdisk size: 4568278 bytes, ramdisk addr: 0x11000000, product name: "SRPOI30A002KU"
98608 0x18130 SHA256 hash constants, little endian
10778624 0xA47800 ELF, 64-bit LSB shared object, version 1 (SYSV)
11118744 0xA9A898 Linux kernel version "3.18.91-14843133-QB22482885 ([email protected]) (gcc version 4.9.x 20150123 (prerelease) (GCC) ) #1 SMP PREEMPT Fri Mar 8 20:10:42 KS"
11134976 0xA9E800 ELF, 64-bit LSB shared object, version 1 (SYSV)
11579493 0xB0B065 VxWorks symbol table, big endian, first entry: [type: initialized data, code address: 0x653, symbol address: 0x95]
11656285 0xB1DC5D Boot section Start 0x42424208 End 0x3F0C3642
11756712 0xB364A8 CRC32 polynomial table, little endian
12160137 0xB98C89 eCos RTOS string reference: "ecos_booster_init"
12160161 0xB98CA1 eCos RTOS string reference: "ecos_booster_request_pm_qos"
12160193 0xB98CC1 eCos RTOS string reference: "ecos_booster_start"
12160217 0xB98CD9 eCos RTOS string reference: "ecos_booster_stop"
18124065 0x1148D21 Unix path: /arch/arm64/include/asm/mmu_context.h
18158729 0x1151489 Unix path: /proc/sys/kernel/hung_task_timeout_secs" disables this message.
18170028 0x11540AC Unix path: /arch/arm64/include/asm/pgalloc.h
18352359 0x11808E7 Unix path: /video/fbdev/exynos/decon_8890/vpp/vpp_drv.c
18386508 0x1188E4C Unix path: /video/fbdev/core/fb_draw.h
18407996 0x118E23C Unix path: /video/fbdev/exynos/decon_8890/panels/mdnie_lite.c
18492989 0x11A2E3D Unix path: /devices/svc/AP/SVC_AP, %s
18513733 0x11A7F45 Unix path: /gpu/arm/t8xx/r22p0/mali_kbase_device.c
18519916 0x11A976C Unix path: /gpu/arm/t8xx/r22p0/mali_kbase_mmu.c
18520935 0x11A9B67 Unix path: /gpu/arm/t8xx/r22p0/mali_kbase_ctx_sched.c
18521431 0x11A9D57 Unix path: /gpu/arm/t8xx/r22p0/mali_kbase_jd.c
18522957 0x11AA34D Unix path: /gpu/arm/t8xx/r22p0/mali_kbase_softjobs.c
18569941 0x11B5AD5 Unix path: /gpu/arm/t8xx/r22p0/mali_kbase_mem_pool.c
18572728 0x11B65B8 Unix path: /gpu/arm/t8xx/r22p0/thirdparty/mali_kbase_mmap.c
18576383 0x11B73FF Unix path: /gpu/arm/t8xx/r22p0/platform/exynos/gpu_pmqos.c
18576608 0x11B74E0 Unix path: /gpu/arm/t8xx/r22p0/platform/exynos/gpu_dvfs_handler.c
18576773 0x11B7585 Unix path: /gpu/arm/t8xx/r22p0/platform/exynos/gpu_dvfs_api.c
18577870 0x11B79CE Unix path: /gpu/arm/t8xx/r22p0/platform/exynos/gpu_dvfs_governor.c
18581964 0x11B89CC Unix path: /gpu/arm/t8xx/r22p0/backend/gpu/mali_kbase_debug_job_fault_backend.c
18582277 0x11B8B05 Unix path: /gpu/arm/t8xx/r22p0/backend/gpu/mali_kbase_jm_as.c
18583494 0x11B8FC6 Unix path: /gpu/arm/t8xx/r22p0/backend/gpu/mali_kbase_jm_rb.c
18584867 0x11B9523 Unix path: /gpu/arm/t8xx/r22p0/backend/gpu/mali_kbase_pm_metrics.c
18603634 0x11BDE72 Unix path: /lib/firmware/updates/3.18.91-14843133-QB22482885
18677025 0x11CFD21 Unix path: /net/wireless/bcmdhd4359/dhd_common.c
18680100 0x11D0924 Unix path: /vendor/etc/wifi/bcmdhd_clm.blob
18683090 0x11D14D2 Unix path: /net/wireless/bcmdhd4359/dhd_ip.c
18685738 0x11D1F2A Unix path: /data/misc/conn/.psm.info
18686150 0x11D20C6 Unix path: /data/misc/conn/.ant.info
18686683 0x11D22DB Unix path: /data/misc/conn/.rsdb.info
18686839 0x11D2377 Unix path: /data/misc/conn/.logtrace.info
18686917 0x11D23C5 Unix path: /data/misc/conn/.bustxglom.info
18688096 0x11D2860 Unix path: /data/misc/conn/.wifiver.info
18692932 0x11D3B44 Unix path: /vendor/etc/wifi/nvram_net.txt
18701027 0x11D5AE3 Unix path: /data/misc/conn/.memdump.info
18701530 0x11D5CDA Unix path: /data/log/wifi/debug_dump_USER
18701809 0x11D5DF1 Unix path: /data/misc/conn/.assert.info
18707379 0x11D73B3 Unix path: /data/misc/conn/roml.map
18707837 0x11D757D Unix path: /net/wireless/bcmdhd4359/dhd_linux_wq.c
18708607 0x11D787F Unix path: /net/wireless/bcmdhd4359/aiutils.c
18711282 0x11D82F2 Unix path: /net/wireless/bcmdhd4359/bcmutils.c
18713539 0x11D8BC3 Unix path: /net/wireless/bcmdhd4359/bcmwifi_channels.c
18714469 0x11D8F65 Unix path: /net/wireless/bcmdhd4359/sbutils.c
18714815 0x11D90BF Unix path: /net/wireless/bcmdhd4359/siutils.c
18733557 0x11DD9F5 Unix path: /net/wireless/bcmdhd4359/wl_cfg80211.c
18736653 0x11DE60D Unix path: /net/wireless/bcmdhd4359/wl_cfg80211.h
18763284 0x11E4E14 Unix path: /net/wireless/bcmdhd4359/wl_cfgp2p.c
18766177 0x11E5961 Unix path: /net/wireless/bcmdhd4359/dhd_linux_platdev.c
18766838 0x11E5BF6 Unix path: /net/wireless/bcmdhd4359/hnd_pktq.c
18767907 0x11E6023 Unix path: /net/wireless/bcmdhd4359/dhd_debug.c
18771481 0x11E6E19 Unix path: /data/misc/conn/.cid.info
18774922 0x11E7B8A Unix path: /net/wireless/bcmdhd4359/dhd_pcie.c
18785819 0x11EA61B Unix path: /net/wireless/bcmdhd4359/dhd_pcie_linux.c
18787945 0x11EAE69 Unix path: /net/wireless/bcmdhd4359/pcie_core.c
18789598 0x11EB4DE Unix path: /net/wireless/bcmdhd4359/dhd_msgbuf.c
18805073 0x11EF151 Unix path: /net/wireless/bcmdhd4359/bcmxtlv.c
18806994 0x11EF8D2 Unix path: /net/wireless/bcmdhd4359/dhd_custom_exynos.c
18818455 0x11F2597 Unix path: /sys/bus/usb/devices/X-XX/power/level"
18843474 0x11F8752 PARity archive data - file number 20549
18863904 0x11FD720 Unix path: /S70/S75/505V/F505/F707/F717/P8
18871011 0x11FF2E3 Unix path: /usb/gadget/function/u_serial.c
18872811 0x11FF9EB Unix path: /drivers/usb/gadget/udc/../function/f_accessory.c
18874331 0x11FFFDB Unix path: /drivers/usb/gadget/udc/../function/f_mass_storage.c
18880147 0x1201693 Unix path: /drivers/usb/gadget/udc/../function/u_ether.c
18900213 0x12064F5 Unix path: /sdcard/Firmware/TOUCHKEY/abov_fw.bin
18903633 0x1207251 Unix path: /sdcard/Firmware/TOUCHKEY/fw.bin
18917541 0x120A8A5 Unix path: /sdcard/Firmware/TSP/lsi.bin
18931437 0x120DEED Unix path: /sdcard/Firmware/TSP/stm.fw
19017368 0x1222E98 Unix path: /media/platform/exynos/fimc-is2/fimc-is-mem.c
19081116 0x123279C Unix path: /data/media/0/fimc_is_fw.bin
19086726 0x1233D86 Unix path: /data/media/0/reload/r1e2l3o4a5d.key
19086804 0x1233DD4 Unix path: /data/media/0/i1s2p3s4r.key
19088293 0x12343A5 Unix path: /data/media/0/1q2w3e4r.key
19088346 0x12343DA Unix path: /data/media/0/dump
19088446 0x123443E Unix path: /data/media/0/dump/eeprom_cal.bin
19089012 0x1234674 Unix path: /data/media/0/CamFW_Main.bin
19090892 0x1234DCC Unix path: /data/media/0/dump/from_cal.bin
19157110 0x1245076 Unix path: /switch/../../sound/soc/samsung/jack_arizona.c
19198780 0x124F33C Unix path: /sys/firmware/devicetree/base
19284143 0x12640AF Unix path: /gud/gud-exynos8890/MobiCoreDriver/admin.c
19285134 0x126448E Unix path: /gud/gud-exynos8890/MobiCoreDriver/client.c
19288442 0x126517A Unix path: /gud/gud-exynos8890/MobiCoreDriver/mmu.c
19289630 0x126561E Unix path: /gud/gud-exynos8890/MobiCoreDriver/user.c
19290207 0x126585F eCos RTOS string reference: "ecos boost policy:%d"
19290355 0x12658F3 eCos RTOS string reference: "ecos_booster_stop failed. err:%d"
19321110 0x126D116 Unix path: /sys/class/sec/sec_key/certify_hall_detect
19323928 0x126DC18 Unix path: /sensorhub/brcm/bbdpl/bcm_gps_spi.c
19325230 0x126E12E Unix path: /sensorhub/brcm/bbdpl/bbd_rpc_lh.c
19464870 0x12902A6 Neighborly text, "NeighborSolicitss"
19464887 0x12902B7 Neighborly text, "NeighborAdvertisementscmp6OutMsgs"
19486291 0x1295653 Neighborly text, "NeighborhHWMPactivePathTimeout"
19549135 0x12A4BCF mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
19584679 0x12AD6A7 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
20110944 0x132DE60 gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
30514688 0x1D19E00 CRC32 polynomial table, little endian
31611145 0x1E25909 Windows CE image header, image start: 0x34323038, image length: 1144341553
31636270 0x1E2BB2E ASCII cpio archive (SVR4 with CRC) file name: "220FFF7B7FF012840F0F7800120", file name length: "0x0F0F8800", file size: "0x210020FA"
31731098 0x1E42D9A ASCII cpio archive (SVR4 with no CRC), file name: "403902081000A2900F27580DFE801F006275773734C73", file name length: "0xE9684018", file size: "0x18338B5"
32096978 0x1E9C2D2 ISO 9660 CD-ROM filesystem data, version 1.0, volume name: "DB4846FFF79CFD322801DA02270AE04846FFF7",
32221252 0x1EBA844 ASCII cpio archive (SVR4 with no CRC), file name: "400F1EE", file name length: "0xE600AF19", file size: "0x03207070"
33091584 0x1F8F000 gzip compressed data, from Unix, NULL date (1970-01-01 00:00:00)
37484346 0x23BF73A MySQL MISAM compressed data file Version 7
37693439 0x23F27FF GPG key trust database version 48
37700759 0x23F4497 GPG key trust database version 48
37705655 0x23F57B7 GPG key trust database version 48
37705723 0x23F57FB GPG key trust database version 48
37705791 0x23F583F GPG key trust database version 48
37822916 0x24121C4 Unix path: /sys/class/scsi_host/host0/transferred_cnt
37886195 0x24218F3 GPG key trust database version 48
37893599 0x24235DF GPG key trust database version 48
37898495 0x24248FF GPG key trust database version 48
37898563 0x2424943 GPG key trust database version 48
37898631 0x2424987 GPG key trust database version 48
38015668 0x24412B4 Unix path: /sys/class/scsi_host/host0/transferred_cnt
Used unpackbootimg to get the zImage:
unpackbootimg -i boot.emmc.win -o .
and then
grep -P -a -b -m 1 --only-matching '\x5D\x00\x00' boot.emmc.win-zImage | cut -f 1 -d :
dd if=./boot.emmc.win-zImage of=piggy.gz bs=1 skip=323568
Questions:
1) Is my kernel encrypted?
2) How do I decrypt it?
3) I want to find some symbols, hence I need the kernel image.
Thanks,
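The grep in the post above matches the first three bytes of an LZMA "alone" header, but any three bytes also occur by chance inside arbitrary binary data, and handing a slice that merely starts at such a match to `file` yields a misleading identification. The decisive check is to try to decompress from each candidate offset and see whether a complete stream comes out; binwalk's gzip hits in the listing above (at 0x132DE60 and 0x1F8F000) are the kind of result that passes that check. The script below is an added example, not code from the post: it scans a blob for the gzip, LZMA-alone and xz magics, attempts a bounded decompression at every hit, and reports which hits are real. The sample blob (a fake header, a decoy that starts with 5D 00 00 but is not an LZMA stream, and a genuine gzip payload) and the names `find_compressed_streams`, `extract_first_valid` and `build_sample_blob` are constructed for this example.

```python
import gzip
import lzma
import zlib

# Magics of the formats a compressed kernel Image is usually wrapped in.
MAGICS = {
    b"\x1f\x8b\x08": "gzip",
    b"\x5d\x00\x00": "lzma-alone",   # the three bytes the grep in the post searches for
    b"\xfd7zXZ\x00": "xz",
}
MAX_LZMA_DICT = 64 << 20   # a chance 5D 00 00 hit can "declare" a multi-GB dictionary; refuse it


def try_decompress(kind, data, max_out=256 << 20):
    """Return the decompressed payload if `data` begins with a complete `kind` stream,
    else None. Trailing bytes after the stream are fine: the decoder reports eof."""
    try:
        if kind == "gzip":
            d = zlib.decompressobj(16 + zlib.MAX_WBITS)     # 16+ selects the gzip wrapper
            out = d.decompress(data, max_out)
            return out if d.eof else None
        if kind == "lzma-alone":
            if len(data) < 13:                               # props(1) + dict size(4) + size(8)
                return None
            if int.from_bytes(bytes(data[1:5]), "little") > MAX_LZMA_DICT:
                return None
            fmt = lzma.FORMAT_ALONE
        else:
            fmt = lzma.FORMAT_XZ
        d = lzma.LZMADecompressor(format=fmt)
        out = d.decompress(data, max_out)
        return out if d.eof else None
    except (zlib.error, lzma.LZMAError, MemoryError):
        return None


def find_compressed_streams(blob):
    """Scan `blob` for every magic and try to decode at each hit.
    Returns sorted [(offset, kind, decompressed_size_or_None), ...]."""
    view = memoryview(blob)
    hits = []
    for magic, kind in MAGICS.items():
        start = 0
        while (off := blob.find(magic, start)) != -1:
            out = try_decompress(kind, view[off:])
            hits.append((off, kind, None if out is None else len(out)))
            start = off + 1
    return sorted(hits)


def extract_first_valid(blob):
    """Return the payload of the first hit that really decompresses, or None."""
    for off, kind, size in find_compressed_streams(blob):
        if size is not None:
            return try_decompress(kind, memoryview(blob)[off:])
    return None


def build_sample_blob():
    """Constructed stand-in for a boot image: a fake 48-byte header, a 29-byte decoy that
    starts with 5D 00 00 but is not an LZMA stream, 64 bytes of padding, then a real
    gzip-wrapped payload. Returns (blob, payload)."""
    header = b"ANDROID!" + bytes(40)
    decoy = b"\x5d\x00\x00\x80\x00" + b"\x10" * 24
    payload = b"Linux version 3.18.91 (constructed sample kernel text)\n" * 200
    kernel_gz = gzip.compress(payload, compresslevel=9, mtime=0)
    return header + decoy + bytes(64) + kernel_gz + bytes(32), payload


if __name__ == "__main__":
    blob, _ = build_sample_blob()
    for off, kind, size in find_compressed_streams(blob):
        verdict = "decompresses to %d bytes" % size if size is not None else "false match"
        print("0x%08x %-10s %s" % (off, kind, verdict))
```

On a real boot image pass the bytes of `boot.emmc.win-zImage` (or the whole boot image) to `find_compressed_streams`; a hit that decompresses to tens of megabytes is the kernel, and `extract_first_valid` hands back the raw Image that symbol tools need. A magic match that never reaches eof or raises a decoder error is just a byte coincidence, not evidence of encryption.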
