Related
Lesson learned, head hanging down... Oh well. I tried guy. Either ways that only REINFORCES that we all need to get together and share what we know! Hence this thread:
Time for us to come together and put all of our knowledge together. Every known exploit for our bootloader, kernel, rom, ect needs to be logged in one area. All our partitions / sizes / locations / offsets need to be logged. Any and all information that can be gleamed from out fxz/sbf's need to be logged.
I have my own root exploit I want to work on for 5.0 and below... If that time comes, I'll release that. For now I'll keep this updated
Planned todo in order :
safestrap (Will boost Dev's, makes testing roms a breeze!)
kexec (Now Dev's can start juggling kernels) (maybe even forcefully reduce original kernels memory use) (reclaiming resources?, turning off unneeded original kernels modules ect... why not full hijacking of original kernel? Can you write to ANY memory region? (See graphics buffer vulnerability below.....hmmm 5.0 and under "AIO root / kexc / safestrap"? )
cm kernel (Hopefully a Dev beats me to it, as I have next planned....)
5.0 and below root (via graphics buffer vulnerability) https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1474
How to backup critical files/partitions
**Just tried this, some partitions/files are assumed to be read protected...
So far, looks like we got data. I'm pretty sure its the kind you'd want if there was a brickfix in the future... sometimes each device has its own signature required for easy brickfix... Mines backed up in three different places already*
http://forum.xda-developers.com/dro...-aio-information-thread-t3138839/post61435029
XT1254 WRITE PROTECT :
if you bothered to read the init.rc files, you'd see that you can hijack the boot system early enough to disable qe if you're bothered by write protection, since this happens on fs stage:
# arrange access to the overlay
exec /system/bin/checknmount -d -s -m -t ext4 -r /overlay/sysupdate /cache/overlay/sysupdate.simg /cache/overlay/sysupdate.jar
# use the overlay, if it is compatible
exec /system/bin/stacker -d -c -r -t overlayfs /system /overlay/sysupdate[/HIDE]
How to copy your /firmware/image/*.* easily. *****Just tried this, some partitions/files are assumed to be read protected...
with efs explorer
copy /firmware/image/ folder to /sdcard/firmware/
with PC in MTP mode copy /image/ folder to PC
So far, looks like we got data. I'm pretty sure its the kind you'd want if there was a brickfix in the future... sometimes each device has its own signature required for easy brickfix... Mines backed up in three different places
List of partitions/files copied : (Remember, I havn't had time to even look further, the first one I opened wasn't blanked out.)
[email protected]:/ $ cd firmware
[email protected]:/firmware $ cd image
[email protected]:/firmware/image $ ls
acdb.mbn
adsp.b00
adsp.b01
adsp.b02
adsp.b03
adsp.b04
adsp.b05
adsp.b06
adsp.b07
adsp.b08
adsp.b10
adsp.b11
adsp.b12
adsp.mbn
adsp.mdt
apps.mbn
bdwlan11.bin
bdwlan20.bin
cmnlib.b00
cmnlib.b01
cmnlib.b02
cmnlib.b03
cmnlib.mdt
dsp2.mbn
efs1.bin
efs2.bin
efs3.bin
isdbtmm.b00
isdbtmm.b01
isdbtmm.b02
isdbtmm.b03
isdbtmm.mdt
keymaster.b00
keymaster.b01
keymaster.b02
keymaster.b03
keymaster.mdt
mba.mbn
otp11.bin
otp20.bin
playready.b00
playready.b01
playready.b02
playready.b03
playready.mdt
prov.b00
prov.b01
prov.b02
prov.b03
prov.mdt
qdsp6sw.mbn
qwlan11.bin
qwlan20.bin
rpm.mbn
sampleapp.b00
sampleapp.b01
sampleapp.b02
sampleapp.b03
sampleapp.mdt
sbl1.mbn
securemm.b00
securemm.b01
securemm.b02
securemm.b03
securemm.mdt
tqs.b00
tqs.b01
tqs.b02
tqs.b03
tqs.mdt
tz.mbn
utf11.bin
utf20.bin
widevine.b00
widevine.b01
widevine.b02
widevine.b03
widevine.mdt
[email protected]:/firmware/image $
Partition Table:
? ? ? Total size flash location partition name size notes:
179 0 30535680 "mmcblk0 " 32GB Flash Chip
179 1 131072 mmcblk0p1 " modem" 0x0000000008000000
179 2 384 "mmcblk0p2 " ? Sbl1 0x0000000000060000
179 3 56 "mmcblk0p3 " ? Sdi 0x000000000000e000
179 4 16 "mmcblk0p4 " sec: 0x0000000000004000
179 5 32 mmcblk0p5 " ddr" 0x0000000000008000
179 6 1024 mmcblk0p6 " aboot" 0x0000000000100000
179 7 256 mmcblk0p7 " rpm" 0x0000000000040000
179 8 512 mmcblk0p8 ? Utags 0x0000000000080000 contains imei, take note of backup partition
179 9 500 mmcblk0p9 ? Tz 0x000000000007d000
179 10 3072 mmcblk0p10 " factorytune1" 0x0000000000300000
179 11 1084 mmcblk0p11 " padA" 0x000000000010f000
179 12 384 mmcblk0p12 sbl1bak: 0x0000000000060000
179 13 1024 mmcblk0p13 " abootBackup" 0x0000000000100000
179 14 256 mmcblk0p14 ?rpmBackup 0x0000000000040000
179 15 512 mmcblk0p15 ? utagsBackup 0x0000000000080000 backup
79 16 500 mmcblk0p16 ? tzBackup 0x000000000007d000
179 17 1024 mmcblk0p17 " mdm1m9kefs1" 0x0000000000100000
179 18 1024 mmcblk0p18 " mdm1m9kefs2" 0x0000000000100000
179 19 2620 mmcblk0p19 " padB" 0x000000000028f000
179 20 2048 mmcblk0p20 " logs" 0x0000000000200000
179 21 32768 mmcblk0p21 " persist" 0x0000000002000000
179 22 256 mmcblk0p22 " mdm1hob" 0x0000000000040000
179 23 32 mmcblk0p23 " mdm1dhob" 0x0000000000008000
179 24 1024 mmcblk0p24 ? Sp 0x0000000000100000
179 25 128 mmcblk0p25 " cid" 0x0000000000020000
179 26 3072 mmcblk0p26 " pds" 0x0000000000300000
179 27 8192 mmcblk0p27 " logo" 0x0000000000800000
179 28 11264 mmcblk0p28 ? Clogo 0x0000000000b00000
179 29 1024 mmcblk0p29 " misc" 0x0000000000100000
179 30 1632 mmcblk0p30 " padC" 0x0000000000198000
179 31 780 mmcblk0p31 " mdm1m9kefs3" 0x00000000000c3000
259 0 1 mmcblk0p32 " mdm1m9kefsc" 0x0000000000000400
259 1 8 mmcblk0p33 ? Ssd 0x0000000000002000
259 2 8192 mmcblk0p34 " kpan" 0x0000000000800000
259 3 16384 mmcblk0p35 " boot" 0x0000000001000000
259 4 16400 mmcblk0p36 " recovery" 0x0000000001004000
259 5 16416 mmcblk0p37 " factorytune2" 0x0000000001008000
259 6 1469392 mmcblk0p38 " cache" 0x0000000059af4000
259 7 3457024 mmcblk0p39 ? System 0x00000000d3000000
259 8 25309056 mmcblk0p40 ? Userdata 0x0000000608be0000
179 32 4096 mmcblk0 rpmb (Replay Protected Memory Block) RPMB is not a regular partition and a different command sequence(CMD6-->CMD23-->CMD25-->CMD23-->CMD18) as mentioned in JEDEC Standard No. 84-A441, is required to access it, then why mmc initialisation code is using the wrong command sequence(CMD6-->CMD23-->CMD18) to access it?
Old Partition table:
(bootloader) sdi.git: git=MBM-NG-V70.47-0-gf291c61
(bootloader) sbl1.git: git=MBM-NG-V70.47-0-ga007c2c
(bootloader) rpm.git: git=MBM-NG-V70.47-0-g66204d2
(bootloader) tz.git: git=MBM-NG-V70.47-0-g4cdbfd4
(bootloader) aboot.git: git=MBM-NG-V70.47-0-gc723802
(bootloader) partition-size:modem: 0x0000000008000000
(bootloader) partition-size:sbl1: 0x0000000000060000
(bootloader) partition-size:sdi: 0x000000000000e000
(bootloader) partition-size:sec: 0x0000000000004000
(bootloader) partition-size:ddr: 0x0000000000008000
(bootloader) partition-size:aboot: 0x0000000000100000
(bootloader) partition-size:rpm: 0x0000000000040000
(bootloader) partition-size:utags: 0x0000000000080000
(bootloader) partition-size:tz: 0x000000000007d000
(bootloader) partition-size:factorytune1: 0x0000000000300000
(bootloader) partition-sizeadA: 0x000000000010f000
(bootloader) partition-size:sbl1bak: 0x0000000000060000
(bootloader) partition-size:abootBackup: 0x0000000000100000
(bootloader) partition-size:rpmBackup: 0x0000000000040000
(bootloader) partition-size:utagsBackup: 0x0000000000080000
(bootloader) partition-size:tzBackup: 0x000000000007d000
(bootloader) partition-size:mdm1m9kefs1: 0x0000000000100000
(bootloader) partition-size:mdm1m9kefs2: 0x0000000000100000
(bootloader) partition-sizeadB: 0x000000000028f000
(bootloader) partition-size:logs: 0x0000000000200000
(bootloader) partition-sizeersist: 0x0000000002000000
(bootloader) partition-size:mdm1hob: 0x0000000000040000
(bootloader) partition-size:mdm1dhob: 0x0000000000008000
(bootloader) partition-size:sp: 0x0000000000100000
(bootloader) partition-size:cid: 0x0000000000020000
(bootloader) partition-sizeds: 0x0000000000300000
(bootloader) partition-size:logo: 0x0000000000800000
(bootloader) partition-size:clogo: 0x0000000000b00000
(bootloader) partition-size:misc: 0x0000000000100000
(bootloader) partition-sizeadC: 0x0000000000198000
(bootloader) partition-size:mdm1m9kefs3: 0x00000000000c3000
(bootloader) partition-size:mdm1m9kefsc: 0x0000000000000400
(bootloader) partition-size:ssd: 0x0000000000002000
(bootloader) partition-size:kpan: 0x0000000000800000
(bootloader) partition-size:boot: 0x0000000001000000
(bootloader) partition-size:recovery: 0x0000000001004000
(bootloader) partition-size:factorytune2: 0x0000000001008000
(bootloader) partition-size:cache: 0x0000000059af4000
(bootloader) partition-size:system: 0x00000000d3000000
(bootloader) partition-size:userdata: 0x0000000608be0000
cat_/proc/partitions
Start_______End address_____major__minor__#blocks_____name____partition name
?0x?0?0?0?0__0x?0?0?0?0?___179_____0___30535680__mmcblk0
?0x?0?0?0?0__0x?0?0?0?0?___179_____1_____131072__mmcblk0p1 modem
?0x?0?0?0?0__0x?0?0?0?0?___179_____2_____384__mmcblk0p2 sbl1
?0x?0?0?0?0__0x?0?0?0?0?___179_____3______56__mmcblk0p3 sdi
?0x?0?0?0?0__0x?0?0?0?0?___179_____4______16__mmcblk0p4 sec
?0x?0?0?0?0__0x?0?0?0?0?___179_____5______32__mmcblk0p5 ddr
?0x?0?0?0?0__0x?0?0?0?0?___179_____6____1024__mmcblk0p6 aboot
?0x?0?0?0?0__0x?0?0?0?0?___179_____7_____256__mmcblk0p7 rpm
?0x?0?0?0?0__0x?0?0?0?0?___179_____8_____512__mmcblk0p8 utags
?0x?0?0?0?0__0x?0?0?0?0?___179_____9_____500__mmcblk0p9 tz
?0x?0?0?0?0__0x?0?0?0?0?___179____10____3072__mmcblk0p10 factorytune1
?0x?0?0?0?0__0x?0?0?0?0?___179____11____1084__mmcblk0p11 padA
?0x?0?0?0?0__0x?0?0?0?0?___179____12_____384__mmcblk0p12 sbl1bak
?0x?0?0?0?0__0x?0?0?0?0?___179____13____1024__mmcblk0p13 abootBackup
?0x?0?0?0?0__0x?0?0?0?0?___179____14_____256__mmcblk0p14 rpmBackup
?0x?0?0?0?0__0x?0?0?0?0?___179____15_____512__mmcblk0p15 utagsBackup
?0x?0?0?0?0__0x?0?0?0?0?___179____16_____500__mmcblk0p16 tzBackup
?0x?0?0?0?0__0x?0?0?0?0?___179____17____1024__mmcblk0p17 mdm1m9kefs1
?0x?0?0?0?0__0x?0?0?0?0?___179____18____1024__mmcblk0p18 mdm1m9kefs2
?0x?0?0?0?0__0x?0?0?0?0?___179____19____2620__mmcblk0p19 padB
?0x?0?0?0?0__0x?0?0?0?0?___179____20____2048__mmcblk0p20 logs
?0x?0?0?0?0__0x?0?0?0?0?___179____21___32768__mmcblk0p21 persist
?0x?0?0?0?0__0x?0?0?0?0?___179____22_____256__mmcblk0p22 mdm1hob
?0x?0?0?0?0__0x?0?0?0?0?___179____23______32__mmcblk0p23 mdm1dhob
?0x?0?0?0?0__0x?0?0?0?0?___179____24____1024__mmcblk0p24 sp
?0x?0?0?0?0__0x?0?0?0?0?___179____25_____128__mmcblk0p25 cid
?0x?0?0?0?0__0x?0?0?0?0?___179____26____3072__mmcblk0p26 pds
?0x?0?0?0?0__0x?0?0?0?0?___179____27____8192__mmcblk0p27 logo
?0x?0?0?0?0__0x?0?0?0?0?___179____28___11264__mmcblk0p28 clogo
?0x?0?0?0?0__0x?0?0?0?0?___179____29____1024__mmcblk0p29 misc
?0x?0?0?0?0__0x?0?0?0?0?___179____30____1632__mmcblk0p30 padC
?0x?0?0?0?0__0x?0?0?0?0?___179____31_____780__mmcblk0p31 mdm1m9kefs3
?0x?0?0?0?0__0x?0?0?0?0?___259_____0_______1__mmcblk0p32 mdm1m9kefsc
?0x?0?0?0?0__0x?0?0?0?0?___259_____1_______8__mmcblk0p33 ssd
?0x?0?0?0?0__0x?0?0?0?0?___259_____2____8192__mmcblk0p34 kpan
?0x?0?0?0?0__0x?0?0?0?0?___259_____3___16384__mmcblk0p35 boot
?0x?0?0?0?0__0x?0?0?0?0?___259_____4___16400__mmcblk0p36 recovery
?0x?0?0?0?0__0x?0?0?0?0?___259_____5___16416__mmcblk0p37 factorytune2
?0x?0?0?0?0__0x?0?0?0?0?___259____6__1469392__mmcblk0p38 cache
?0x?0?0?0?0__0x?0?0?0?0?___259____7__3457024__mmcblk0p39 system
?0x?0?0?0?0__0x?0?0?0?0?___259____8_25309056__mmcblk0p40 userdata
?0x?0?0?0?0__0x?0?0?0?0?___179____32____4096__mmcblk0rpmb *"protected data"
* The "RPMB partition is special and can not be accessed
by normal eMMC read / write CMDs". It will cause a kernel error, buffer I/O error"
BOOTLOADER:
Aboot:
Snaipersky said:
interesting stuff regarding ABOOT. newandroidbook.com/Articles/aboot.html?s. I have a Dev MX13, so I'm just here for ideological reasons.
As I understand it, the Turbo's WP is handled by ABOOT. Now, Moto has a bad habit of altering the bootloader so that downgrading is infeasible, and increments it. So it is possible to alter ABOOT.
According to NAB, most of the time (barring cases such as Samsung and Amazon, so we shouldn't have an issue- SHOULD being key) This is secured by a signature check rather than hashing, and the signature is of a fixed size.
One can retrieve the signed image, and if rooted, retrieve the image, sans-signature. Now, if we have the file with and without the signature, could one not create a WP-less, unsigned ABOOT, and then manually paste the signature (Forge it?) in front of it? It would be binary editing, Which I think would be the main challenge.
Could we daisychain this with MoFo to create an effective bootloader unlock? It would be a rootable, system flashable, and without WP, should be able to take a custom recovery.
I may be talking out my *** here, but just my understanding of things.
Click to expand...
Click to collapse
do some disassembly of tz.mbn and find a vulnerability to be able to blow the unlocking qfuse (assuming the device isn't permalocked by SBD_EN qfuse Moto uses)
a known bootloader exploit:
version: MBM-NG-V70.47-0-gcXXXXXX
https://www.codeaurora.org/projects...unds-checking-when-flashing-sparse-images-cve
KNOWN VULNERABILITIES :
bypass's intended restrictions on cryptographic operations, via a long key name:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3100 -?? patched already?
https://www.exploit-db.com/docs/33864.pdf - ?? patched already?
Graphics buffer vulnerability :
https://packetstormsecurity.com/files/130778/Google-Android-Integer-Oveflow-Heap-Corruption.html
http://seclists.org/fulldisclosure/2015/Mar/63
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1474
Safestrap :
safestrap/kexec. Safestrap can be changed to "reuse" certain existing partitions or emulate any of them.
/cache 2.3mb used......... 1.36GB FREE! can be used for /system
/firmware 77mb used ...... 45MB FREE! can be used for /cache
start by being able to load /system on to /cache
then look deeper into partitions for another one
or
go the create a Xgb file on the data partition and load it as a data partition
reserved for kexec
HARDWARE:
[/HIDE]Hardware-ish:
https://www.codeaurora.org/cgit/qui...r&id=82117399ba17ea60b7f771c641ff5b1c9283bdc9
https://www.codeaurora.org/cgit/qui...r&id=82117399ba17ea60b7f771c641ff5b1c9283bdc9
https://www.codeaurora.org/cgit/qui...r&id=82117399ba17ea60b7f771c641ff5b1c9283bdc9
https://www.codeaurora.org/cgit/qui...r&id=82117399ba17ea60b7f771c641ff5b1c9283bdc9
https://www.codeaurora.org/cgit/qui...=AU_LINUX_ANDROID_JB_3.2.1.3.04.03.00.176.156
http://forum.xda-developers.com/showthread.php?t=1914359
https://gitlab.com/k2wl/g2_kernel/commit/c3bbe60c733a17a2295241b558d8162b4c782154?view=parallel
http://forum.xda-developers.com/showthread.php?t=2136738
http://forum.xda-developers.com/showthread.php?t=1235219
https://github.com/dtsinc/DTS-Eagle...ob/master/arch/arm/boot/dts/qcom/apq8084.dtsi
http://pastebin.com/tX06Yp3q
http://forum.gsmhosting.com/vbb/f609/atf-drive-v12-30-update-19-may-2015-a-937102/index5.html
http://forum.xda-developers.com/showthread.php?t=1914359
http://faq.riffbox.org/content/10/5...emmc-efi_pit_mbr_ebr-partitioning-plugin.html
Qualcomm APQ8084 TLMM block
This binding describes the Top Level Mode Multiplexer block found in the
MSM8960 platform.
Please refer to ../gpio/gpio.txt and ../interrupt-controller/interrupts.txt for
a general description of GPIO and interrupt bindings.
Please refer to pinctrl-bindings.txt in this directory for details of the
common pinctrl bindings used by client devices, including the meaning of the
phrase "pin configuration node".
The pin configuration nodes act as a container for an arbitrary number of
subnodes. Each of these subnodes represents some desired configuration for a
pin, a group, or a list of pins or groups. This configuration can include the
mux function to select on those pin(s)/group(s), and various pin configuration
parameters, such as pull-up, drive strength, etc.
PIN CONFIGURATION NODES:
The name of each subnode is not important; all subnodes should be enumerated
and processed purely based on their content.
Each subnode only affects those parameters that are explicitly listed. In
other words, a subnode that lists a mux function but no pin configuration
parameters implies no information about any pin configuration parameters.
Similarly, a pin subnode that describes a pullup parameter implies no
information about e.g. the mux function.
The following generic properties as defined in pinctrl-bindings.txt are valid
to specify in a pin configuration subnode:
- pins:
Usage: required
Value type: <string-array>
Definition: List of gpio pins affected by the properties specified in
this subnode. Valid pins are:
gpio0-gpio146,
sdc1_clk,
sdc1_cmd,
sdc1_data
sdc2_clk,
sdc2_cmd,
sdc2_data
- function:
Usage: required
Value type: <string>
Definition: Specify the alternative function to be configured for the
specified pins. Functions are only valid for gpio pins.
Valid values are:
adsp_ext, audio_ref, blsp_i2c1, blsp_i2c2, blsp_i2c3,
blsp_i2c4, blsp_i2c5, blsp_i2c6, blsp_i2c7, blsp_i2c8,
blsp_i2c9, blsp_i2c10, blsp_i2c11, blsp_i2c12,
blsp_spi1, blsp_spi2, blsp_spi3, blsp_spi4, blsp_spi5,
blsp_spi6, blsp_spi7, blsp_spi8, blsp_spi9, blsp_spi10,
blsp_spi11, blsp_spi12, blsp_uart1, blsp_uart2, blsp_uart3,
blsp_uart4, blsp_uart5, blsp_uart6, blsp_uart7, blsp_uart8,
blsp_uart9, blsp_uart10, blsp_uart11, blsp_uart12,
blsp_uim1, blsp_uim2, blsp_uim3, blsp_uim4, blsp_uim5,
blsp_uim6, blsp_uim7, blsp_uim8, blsp_uim9, blsp_uim10,
blsp_uim11, blsp_uim12, cam_mclk0, cam_mclk1, cam_mclk2,
cam_mclk3, cci_async, cci_async_in0, cci_i2c0, cci_i2c1,
cci_timer0, cci_timer1, cci_timer2, cci_timer3, cci_timer4,
edp_hpd, gcc_gp1, gcc_gp2, gcc_gp3, gcc_obt, gcc_vtt,i
gp_mn, gp_pdm0, gp_pdm1, gp_pdm2, gp0_clk, gp1_clk, gpio,
hdmi_cec, hdmi_ddc, hdmi_dtest, hdmi_hpd, hdmi_rcv, hsic,
ldo_en, ldo_update, mdp_vsync, pci_e0, pci_e0_n, pci_e0_rst,
pci_e1, pci_e1_rst, pci_e1_rst_n, pci_e1_clkreq_n, pri_mi2s,
qua_mi2s, sata_act, sata_devsleep, sata_devsleep_n,
sd_write, sdc_emmc_mode, sdc3, sdc4, sec_mi2s, slimbus,
spdif_tx, spkr_i2s, spkr_i2s_ws, spss_geni, ter_mi2s, tsif1,
tsif2, uim, uim_batt_alarm
- bias-disable:
Usage: optional
Value type: <none>
Definition: The specified pins should be configued as no pull.
- bias-pull-down:
Usage: optional
Value type: <none>
Definition: The specified pins should be configued as pull down.
- bias-pull-up:
Usage: optional
Value type: <none>
Definition: The specified pins should be configued as pull up.
- output-high:
Usage: optional
Value type: <none>
Definition: The specified pins are configured in output mode, driven
high.
Not valid for sdc pins.
- output-low:
Usage: optional
Value type: <none>
Definition: The specified pins are configured in output mode, driven
low.
Not valid for sdc pins.
- drive-strength:
Usage: optional
Value type: <u32>
Definition: Selects the drive strength for the specified pins, in mA.
Valid values are: 2, 4, 6, 8, 10, 12, 14 and 16
Example:
tlmm: [email protected] {
compatible = "qcom,apq8084-pinctrl";
reg = <0xfd510000 0x4000>;
gpio-controller;
#gpio-cells = <2>;
interrupt-controller;
#interrupt-cells = <2>;
interrupts = <0 208 0>;
uart2: uart2-default {
mux {
pins = "gpio4", "gpio5";
function = "blsp_uart2";
};
tx {
pins = "gpio4";
drive-strength = <4>;
bias-disable;
};
rx {
pins = "gpio5";
drive-strength = <2>;
bias-pull-up;
};
};
};
APQ Memory... This may or may not match, as it was not pulled off a turbo.
soc: soc { };
memory {
#address-cells = <2>;
#size-cells = <2>;
qsecom_mem: [email protected] {
linux,reserve-contiguous-region;
reg = <0 0 0 0x1100000>;
label = "qseecom_mem";
};
secure_mem: [email protected] {
linux,reserve-contiguous-region;
reg = <0 0 0 0xfc00000>;
label = "secure_mem";
};
tz_apps_and_debug_mem: [email protected] {
linux,reserve-contiguous-region;
linux,reserve-region;
linux,remove-completely;
reg = <0x0 0xd400000 0x0 0x700000>;
label = "tz_apps_and_debug_mem";
};
peripheral_mem: [email protected] {
linux,reserve-contiguous-region;
linux,reserve-region;
linux,remove-completely;
reg = <0x0 0x0db00000 0x0 0x1d00000>;
label = "peripheral_mem";
};
external_image_mem: [email protected] {
linux,reserve-contiguous-region;
linux,reserve-region;
linux,remove-completely;
reg = <0x0 0x0f800000 0x0 0x800000>;
label = "external_image_mem";
};
};
};
reserved for qualcomm download mode and recovery / backdoor flashing info
www.github.com/jcsullins/qdloader
http://forum.xda-developers.com/showthread.php?t=2136738
RANDOM INFO :
USB:
ProductID's the XT1254 can present:
VendorID 22b8 (Motorola, this never changes)
ProductID
2ea4 - MTP mode, software install Off
2ea5 - MTP mode, USB debugging on
2ea6 - PTP mode
2ea7 - PTP mode, USB debugging on
2ea8 - MTP mode, software install On
2e24 - MTP mode, with USB tethering active
NOTE: It is not possible to enable software install in PTP mode, or with USB debugging turned on.
For Google to find them together: VIDID 22b8:2ea4 22b8:2ea5 22b8:2ea6 22b8:2ea7 22b8:2ea8
Credit : http://jamesmcrow.com/node/11
Just in case you need another post reserved - let me know and I can transfer this one to you.......
jerdog said:
Just in case you need another post reserved - let me know and I can transfer this one to you.......
Click to expand...
Click to collapse
Hey, I plan on making this a MONSTER thread of information... I WILL work on this phone like I did the ms910. I can only find faint hints on xda that I ever even owned the phone... I still have this though :
http://androidforums.com/threads/de...esteem-4g-lg-ms910.722075/page-3#post-5867057
and this :
https://github.com/saschaelble?tab=repositories
This will be my :
RANDOM INFO TO BE DIGESTED,
http://lwn.net/Articles/600110/ -hardware?
https://github.com/razrqcom-dev-team/android_device_motorola_quark -cm12 kernel github for xt1225!!
https://www.google.com/search?q=mmcblk0 rpmb&ie=utf-8&oe=utf-8
http://www.digitalinternals.com/mobile/android-mmc-mmcblk-partition-layout/259/
https://forums.oneplus.net/threads/solution-how-i-recovered-my-oneplus-one-from-hard-brick.184927/
http://forum.xda-developers.com/showthread.php?p=50336648#post50336648
https://github.com/gokulnatha/GT-I9...ation/devicetree/bindings/ocmem/msm-ocmem.txt
https://github.com/dtsinc/DTS-Eagle...ob/master/arch/arm/boot/dts/qcom/apq8084.dtsi
https://www.google.com/search?q=emmc_appsboot.mbn&ie=utf-8&oe=utf-8
I have finished unbrick for Motorola Droid Turbo, if I understand you correctly.
http://forum.xda-developers.com/droid-turbo/general/turbo-unbrick-t3139811
Continuing to peddle your warez and hacked up nonsense, even via PM, has earned you a nice vacation. Closing thread.
Before rooting, do backup your /boot and /system partitions via SPFT, as described here (whenever the post is filled in properly ) :
http://forum.xda-developers.com/r1-hd/how-to/backup-partitions-spft-rooting-t3426041
Since it's pretty tedious to run that for each and every partition, I propose to backup other ones after you get root. But note that copying the partitions back to the device is a lot quicker since all the necessary info can be preset in a scatter file !
I recommend that you follow other threads to get root, such as, for example, here :
http://forum.xda-developers.com/r1-hd/how-to/twrp-how-to-root-t3425677
Note, SuperSu will go for "systemless" root, and will patch boot.img. The original boot.img will be saved as /data/stock_boot_*.img.gz It's highly recommended that you backup this boot.img elsewhere (off the device if you did not manage to run SPFT beforehand), in order to be able to restore the device and accept the OTAs.
Some partitions will still be mounted, but I don't think it matters that much. Anyway, here is a list of what is usually mounted :
Code:
Filesystem Size Used Free Blksize
/dev 970.2M 84.0K 970.1M 4096
/sys/fs/cgroup 970.2M 12.0K 970.2M 4096
/mnt 970.2M 0.0K 970.2M 4096
/mnt/runtime/default/emulated 11.2G 522.4M 10.7G 4096
/mnt/runtime/read/emulated 11.2G 522.4M 10.7G 4096
/mnt/runtime/write/emulated 11.2G 522.4M 10.7G 4096
/system 2.5G 2.0G 516.5M 4096
/data 11.2G 522.4M 10.7G 4096
/cache 387.4M 988.0K 386.5M 4096
/protect_f 5.8M 60.0K 5.8M 4096
/protect_s 5.8M 56.0K 5.8M 4096
/nvdata 27.5M 2.2M 25.3M 4096
/storage 970.2M 0.0K 970.2M 4096
/storage/emulated 11.2G 522.4M 10.7G 4096
/su 90.5M 676.0K 89.8M 4096
To backup whatever partitions are out there, run these commands :
Code:
adb shell
su
mkdir /sdcard/images/
cd /sdcard/images
dd if=/dev/block/mmcblk0boot0 of=00_boot0.img
dd if=/dev/block/mmcblk0boot1 of=01_boot1.img
dd if=/dev/block/mmcblk0rpmb of=02_rpmb.img
dd if=/dev/block/mmcblk0 of=p0_pgpt.img bs=1024 count=512
dd if=/dev/block/mmcblk0p1 of=p1_proinfo.img
dd if=/dev/block/mmcblk0p2 of=p2_nvram.img
dd if=/dev/block/mmcblk0p3 of=p3_protect1.img
dd if=/dev/block/mmcblk0p4 of=p4_protect2.img
dd if=/dev/block/mmcblk0p5 of=p5_lk.img
dd if=/dev/block/mmcblk0p6 of=p6_para.img
dd if=/dev/block/mmcblk0p7 of=p7_boot.img
dd if=/dev/block/mmcblk0p8 of=p8_recovery.img
dd if=/dev/block/mmcblk0p9 of=p9_logo.img
dd if=/dev/block/mmcblk0p10 of=p10_expdb.img
dd if=/dev/block/mmcblk0p11 of=p11_seccfg.img
dd if=/dev/block/mmcblk0p12 of=p12_oemkeystore.img
dd if=/dev/block/mmcblk0p13 of=p13_secro.img
dd if=/dev/block/mmcblk0p14 of=p14_keystore.img
dd if=/dev/block/mmcblk0p15 of=p15_tee1.img
dd if=/dev/block/mmcblk0p16 of=p16_tee2.img
dd if=/dev/block/mmcblk0p17 of=p17_frp.img
dd if=/dev/block/mmcblk0p18 of=p18_nvdata.img
dd if=/dev/block/mmcblk0p19 of=p19_metadata.img
#dd if=/dev/block/mmcblk0p20 of=p20_system.img
#dd if=/dev/block/mmcblk0p21 of=p21_cache.img
#dd if=/dev/block/mmcblk0p22 of=p22_userdata.img
dd if=/dev/block/mmcblk0p23 of=p23_flashinfo.img
md5sum *.img
exit
exit
adb pull /sdcard/images
These are the files that you'll get
Code:
-rw-rw---- root sdcard_rw 4194304 2016-01-01 18:31 00_boot0.img
-rw-rw---- root sdcard_rw 4194304 2016-01-01 18:31 01_boot1.img
-rw-rw---- root sdcard_rw 0 2016-01-01 18:47 02_rpmb.img
-rw-rw---- root sdcard_rw 524288 2016-01-01 18:31 p0_pgpt.img
-rw-rw---- root sdcard_rw 3145728 2016-01-01 18:31 p1_proinfo.img
-rw-rw---- root sdcard_rw 5242880 2016-01-01 18:31 p2_nvram.img
-rw-rw---- root sdcard_rw 10485760 2016-01-01 18:31 p3_protect1.img
-rw-rw---- root sdcard_rw 10485760 2016-01-01 18:31 p4_protect2.img
-rw-rw---- root sdcard_rw 524288 2016-01-01 18:31 p5_lk.img
-rw-rw---- root sdcard_rw 524288 2016-01-01 18:31 p6_para.img
-rw-rw---- root sdcard_rw 16777216 2016-01-01 18:31 p7_boot.img
-rw-rw---- root sdcard_rw 16777216 2016-01-01 18:31 p8_recovery.img
-rw-rw---- root sdcard_rw 8388608 2016-01-01 18:31 p9_logo.img
-rw-rw---- root sdcard_rw 10485760 2016-01-01 18:31 p10_expdb.img
-rw-rw---- root sdcard_rw 524288 2016-01-01 18:31 p11_seccfg.img
-rw-rw---- root sdcard_rw 2097152 2016-01-01 18:31 p12_oemkeystore.img
-rw-rw---- root sdcard_rw 6291456 2016-01-01 18:31 p13_secro.img
-rw-rw---- root sdcard_rw 8388608 2016-01-01 18:31 p14_keystore.img
-rw-rw---- root sdcard_rw 5242880 2016-01-01 18:31 p15_tee1.img
-rw-rw---- root sdcard_rw 5242880 2016-01-01 18:31 p16_tee2.img
-rw-rw---- root sdcard_rw 1048576 2016-01-01 18:31 p17_frp.img
-rw-rw---- root sdcard_rw 33554432 2016-01-01 18:31 p18_nvdata.img
-rw-rw---- root sdcard_rw 38797312 2016-01-01 18:32 p19_metadata.img
-rw-rw---- root sdcard_rw 16777216 2016-01-01 18:32 p23_flashinfo.img
And this is another map of partitions to names :
Code:
lrwxrwxrwx root root 2016-01-01 17:30 boot -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2016-01-01 17:30 cache -> /dev/block/mmcblk0p21
lrwxrwxrwx root root 2016-01-01 17:30 expdb -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 2016-01-01 17:30 flashinfo -> /dev/block/mmcblk0p23
lrwxrwxrwx root root 2016-01-01 17:30 frp -> /dev/block/mmcblk0p17
lrwxrwxrwx root root 2016-01-01 17:30 keystore -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 2016-01-01 17:30 lk -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2016-01-01 17:30 logo -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2016-01-01 17:30 metadata -> /dev/block/mmcblk0p19
lrwxrwxrwx root root 2016-01-01 17:30 nvdata -> /dev/block/mmcblk0p18
lrwxrwxrwx root root 2016-01-01 17:30 nvram -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2016-01-01 17:30 oemkeystore -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 2016-01-01 17:30 para -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2016-01-01 17:30 proinfo -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2016-01-01 17:30 protect1 -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2016-01-01 17:30 protect2 -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2016-01-01 17:30 recovery -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2016-01-01 17:30 seccfg -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 2016-01-01 17:30 secro -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 2016-01-01 17:30 system -> /dev/block/mmcblk0p20
lrwxrwxrwx root root 2016-01-01 17:30 tee1 -> /dev/block/mmcblk0p15
lrwxrwxrwx root root 2016-01-01 17:30 tee2 -> /dev/block/mmcblk0p16
lrwxrwxrwx root root 2016-01-01 17:30 userdata -> /dev/block/mmcblk0p22
And mount output :
Code:
rootfs / rootfs ro,seclabel 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
adb /dev/usb-ffs/adb functionfs rw,relatime 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,seclabel,relatime 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,mode=750,gid=1000 0 0
pstore /sys/fs/pstore pstore rw,seclabel,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
/dev/fuse /mnt/runtime/default/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /mnt/runtime/read/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/fuse /mnt/runtime/write/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,resuid=10010,data=ordered 0 0
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/protect1 /protect_f ext4 rw,seclabel,nosuid,nodev,noatime,nodelalloc,noauto_da_alloc,commit=1,data=ordered 0 0
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/protect2 /protect_s ext4 rw,seclabel,nosuid,nodev,noatime,nodelalloc,noauto_da_alloc,commit=1,data=ordered 0 0
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/nvdata /nvdata ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
tmpfs /storage tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
/dev/fuse /storage/emulated fuse rw,nosuid,nodev,noexec,noatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
/dev/block/loop1 /su ext4 rw,seclabel,noatime,data=ordered 0 0
And partition sizes in blocks:
Code:
major minor #blocks name
7 0 1254 loop0
7 1 98304 loop1
179 0 15392768 mmcblk0
179 1 3072 mmcblk0p1
179 2 5120 mmcblk0p2
179 3 10240 mmcblk0p3
179 4 10240 mmcblk0p4
179 5 512 mmcblk0p5
179 6 512 mmcblk0p6
179 7 16384 mmcblk0p7
179 8 16384 mmcblk0p8
179 9 8192 mmcblk0p9
179 10 10240 mmcblk0p10
179 11 512 mmcblk0p11
179 12 2048 mmcblk0p12
179 13 6144 mmcblk0p13
179 14 8192 mmcblk0p14
179 15 5120 mmcblk0p15
179 16 5120 mmcblk0p16
179 17 1024 mmcblk0p17
179 18 32768 mmcblk0p18
179 19 37888 mmcblk0p19
179 20 2736128 mmcblk0p20
179 21 409600 mmcblk0p21
179 22 12049920 mmcblk0p22
179 23 16384 mmcblk0p23
179 96 4096 mmcblk0rpmb
179 64 4096 mmcblk0boot1
179 32 4096 mmcblk0boot0
And another great piece of info (borrowed from here, @ss2man44 ):
http://forum.xda-developers.com/showpost.php?p=67903154&postcount=619
(16 Gb Prime model)
Code:
> gdisk -l mmcblk0.img
GPT fdisk (gdisk) version 1.0.1
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk mmcblk0.img: 30785536 sectors, 14.7 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
Partition table holds up to 23 entries
First usable sector is 1024, last usable sector is 30784511
Partitions will be aligned on 1024-sector boundaries
Total free space is 0 sectors (0 bytes)
Number Start (sector) End (sector) Size Code Name
1 1024 7167 3.0 MiB 0700 proinfo
2 7168 17407 5.0 MiB 0700 nvram
3 17408 37887 10.0 MiB 0700 protect1
4 37888 58367 10.0 MiB 0700 protect2
5 58368 59391 512.0 KiB 0700 lk
6 59392 60415 512.0 KiB 0700 para
7 60416 93183 16.0 MiB 0700 boot
8 93184 125951 16.0 MiB 0700 recovery
9 125952 142335 8.0 MiB 0700 logo
10 142336 162815 10.0 MiB 0700 expdb
11 162816 163839 512.0 KiB 0700 seccfg
12 163840 167935 2.0 MiB 0700 oemkeystore
13 167936 180223 6.0 MiB 0700 secro
14 180224 196607 8.0 MiB 0700 keystore
15 196608 206847 5.0 MiB 0700 tee1
16 206848 217087 5.0 MiB 0700 tee2
17 217088 219135 1024.0 KiB 0700 frp
18 219136 284671 32.0 MiB 0700 nvdata
19 284672 360447 37.0 MiB 0700 metadata
20 360448 5832703 2.6 GiB 0700 system
21 5832704 6651903 400.0 MiB 0700 cache
22 6651904 30751743 11.5 GiB 0700 userdata
23 30751744 30784511 16.0 MiB 0700 flashinfo
And finally, partitions with their starting address/length in HEX for the 16 Gb version (stuff everybody was waiting for ) :
Code:
Name Block_device Start_adr Length
pgpt mmcblk0 0x0 0x80000
proinfo mmcblk0p1 0x80000 0x300000
nvram mmcblk0p2 0x380000 0x500000
protect1 mmcblk0p3 0x880000 0xa00000
protect2 mmcblk0p4 0x1280000 0xa00000
lk mmcblk0p5 0x1c80000 0x80000
para mmcblk0p6 0x1d00000 0x80000
boot mmcblk0p7 0x1d80000 0x1000000
recovery mmcblk0p8 0x2d80000 0x1000000
logo mmcblk0p9 0x3d80000 0x800000
expdb mmcblk0p10 0x4580000 0xa00000
seccfg mmcblk0p11 0x4f80000 0x80000
oemkeystore mmcblk0p12 0x5000000 0x200000
secro mmcblk0p13 0x5200000 0x600000
keystore mmcblk0p14 0x5800000 0x800000
tee1 mmcblk0p15 0x6000000 0x500000
tee2 mmcblk0p16 0x6500000 0x500000
frp mmcblk0p17 0x6a00000 0x100000
nvdata mmcblk0p18 0x6b00000 0x2000000
metadata mmcblk0p19 0x8b00000 0x2500000
system mmcblk0p20 0xb000000 0xa7000000
cache mmcblk0p21 0xb2000000 0x19000000
userdata mmcblk0p22 0xcb000000 0x2df780000
flashinfo mmcblk0p23 0x3aa780000 0x1000000
sgpt mmcblk0s 0x3ab780000 0x80000
[COLOR="Red"]end end 0x3ab800000 0x0[/COLOR]
Great guide with lots of detail. Those partition mounts can be useful for porting ROMs.
nice post. I have pulled all the firmware off of my stock v6.4 and was wondering if you have a fully working Scatter file i can test in sp flash tool
Tomsgt said:
nice post. I have pulled all the firmware off of my stock v6.4 and was wondering if you have a fully working Scatter file i can test in sp flash tool
Click to expand...
Click to collapse
Unfortunately, I do not.
It can be made manually out of 2 outputs :
Code:
cat /proc/partitions
ls -l /dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name
A bit of Python would go a long way to make sure all addresses are correct. I am surprised there is not a tool like this out there ...
bibikalka said:
Unfortunately, I do not.
It can be made manually out of 2 outputs :
A bit of Python would go a long way to make sure all addresses are correct. I am surprised there is not a tool like this out there ...
Click to expand...
Click to collapse
Thanks have on that someone else already made but I don't know how to check it to make sure it is correct or not. I have never made a scatter before.
Tomsgt said:
Thanks have on that someone else already made but I don't know how to check it to make sure it is correct or not. I have never made a scatter before.
Click to expand...
Click to collapse
I am trying to kludge through with the conversions now. never done one before so its taking some time. I am getting hung up on the relation between the output of cat /proc/partitions that gives size in blocks and output of parted that has size in kB MB and GB. assuming kB to B *1024 then DEC to HEX the values all come out off by about 0.2% and i dont know if it is supposed to be rounded off.
mrmazak said:
I am trying to kludge through with the conversions now. never done one before so its taking some time. I am getting hung up on the relation between the output of cat /proc/partitions that gives size in blocks and output of parted that has size in kB MB and GB. assuming kB to B *1024 then DEC to HEX the values all come out off by about 0.2% and i dont know if it is supposed to be rounded off.
Click to expand...
Click to collapse
check out the scatter file i have here http://rootjunkysdl.com/files/?dir=Blu R1 HD Amazon the twrp scatter will work
Tomsgt said:
check out the scatter file i have here http://rootjunkysdl.com/files/?dir=Blu R1 HD Amazon the twrp scatter will work
Click to expand...
Click to collapse
It that the same one from @bullet25. Or is it another one. Because it has the same error in the user data and last three partitions. At the least these. Are what I can see
mrmazak said:
It that the same one from @bullet25. Or is it another one. Because it has the same error in the user data and last three partitions. At the least these. Are what I can see
Click to expand...
Click to collapse
Let me put some Python together, and I'll generate a table of first address/length, so we'd be able to check what the scatter file has.
mrmazak said:
It that the same one from @bullet25. Or is it another one. Because it has the same error in the user data and last three partitions. At the least these. Are what I can see
Click to expand...
Click to collapse
Yeah it was that one I just renamed it. I figured it had errors but I need a fully working one.
---------- Post added at 05:12 PM ---------- Previous post was at 05:12 PM ----------
bibikalka said:
Let me put some Python together, and I'll generate a table of first address/length, so we'd be able to check what the scatter file has.
Click to expand...
Click to collapse
That would be awesome.
mrmazak said:
It that the same one from @bullet25. Or is it another one. Because it has the same error in the user data and last three partitions. At the least these. Are what I can see
Click to expand...
Click to collapse
Tomsgt said:
Yeah it was that one I just renamed it. I figured it had errors but I need a fully working one.
---------- Post added at 05:12 PM ---------- Previous post was at 05:12 PM ----------
That would be awesome.
Click to expand...
Click to collapse
With some Python I was able to generate the addresses/lengths, and indeed, the existing scatter MT6735...test7.txt is OK for the most part. See post #1 for the updated partitions list with this info for the 16 Gb version. The only things that need to be fixed in MT6735...test7.txt are at the end, see the segment below (I cannot guarantee that the various words in this are fully correct, but the names/addresses are!). Not sure if flashinfo needs to be restored during a full reimage. But its address will change depending on the 8/16 Gb version.
Code:
- partition_index: SYS22
partition_name: cache
file_name: cache.img
is_download: true
type: NORMAL_ROM
linear_start_addr: 0xb2000000
physical_start_addr: 0xb2000000
partition_size: 0x19000000
region: EMMC_USER
storage: HW_STORAGE_EMMC
boundary_check: true
is_reserved: false
operation_type: UPDATE
reserve: 0x00
- partition_index: SYS23
partition_name: userdata
file_name: userdata.img
is_download: true
type: NORMAL_ROM
linear_start_addr: 0xcb000000
physical_start_addr: 0xcb000000
partition_size: 0x2df780000
region: EMMC_USER
storage: HW_STORAGE_EMMC
boundary_check: true
is_reserved: false
operation_type: UPDATE
reserve: 0x00
- partition_index: SYS24
partition_name: flashinfo
file_name: flashinfo.img
is_download: true
type: NORMAL_ROM
linear_start_addr: 0x3aa780000
physical_start_addr: 0x3aa780000
partition_size: 0x1000000
region: EMMC_USER
storage: HW_STORAGE_EMMC
boundary_check: true
is_reserved: false
operation_type: UPDATE
reserve: 0x00
bibikalka said:
With some Python I was able to generate the addresses/lengths, and indeed, the existing scatter MT6735...test7.txt is OK for the most part. See post #1 for the updated partitions list with this info for the 16 Gb version. The only things that need to be fixed in MT6735...test7.txt are at the end, see the segment below (I cannot guarantee that the various words in this are fully correct, but the names/addresses are!). Not sure if flashinfo needs to be restored during a full reimage. But its address will change depending on the 8/16 Gb version.
Code:
- partition_index: SYS22
partition_name: cache
file_name: cache.img
is_download: true
type: NORMAL_ROM
linear_start_addr: 0xb2000000
physical_start_addr: 0xb2000000
partition_size: 0x19000000
region: EMMC_USER
storage: HW_STORAGE_EMMC
boundary_check: true
is_reserved: false
operation_type: UPDATE
reserve: 0x00
- partition_index: SYS23
partition_name: userdata
file_name: userdata.img
is_download: true
type: NORMAL_ROM
linear_start_addr: 0xcb000000
physical_start_addr: 0xcb000000
partition_size: 0x2df780000
region: EMMC_USER
storage: HW_STORAGE_EMMC
boundary_check: true
is_reserved: false
operation_type: UPDATE
reserve: 0x00
- partition_index: SYS24
partition_name: flashinfo
file_name: flashinfo.img
is_download: true
type: NORMAL_ROM
linear_start_addr: 0x3aa780000
physical_start_addr: 0x3aa780000
partition_size: 0x1000000
region: EMMC_USER
storage: HW_STORAGE_EMMC
boundary_check: true
is_reserved: false
operation_type: UPDATE
reserve: 0x00
Click to expand...
Click to collapse
thanks i just updated my scatter
thats good. So are you gonna continue with the python script and maybe make some type of app with it?
I am not familiar with scatter files and spft that much so excuse me if this is completely wrong. But your numbers for the start and length do add up which seems correct. except that the flashinfo offset in the official update does not add up. So i looked at a couple other files I had found. (both from my other blu phone Life-one-X) and they also do not add up. (as in when I use a programmers calculator to add the hex). So as your numbers are correct I dont understand if the flashinfo is supposed to be mathematically in line or if it should be something else. Then that also leaves the sgpt partition in limbo after the flashinfo.
of course none of this should matter at the moment , i think, because both of these partitions are flagged in the scatter as not to be downloaded(flashed)
mrmazak said:
thats good. So are you gonna continue with the python script and maybe make some type of app with it?
I am not familiar with scatter files and spft that much so excuse me if this is completely wrong. But your numbers for the start and length do add up which seems correct. except that the flashinfo offset in the official update does not add up. So i looked at a couple other files I had found. (both from my other blu phone Life-one-X) and they also do not add up. (as in when I use a programmers calculator to add the hex). So as your numbers are correct I dont understand if the flashinfo is supposed to be mathematically in line or if it should be something else. Then that also leaves the sgpt partition in limbo after the flashinfo.
of course none of this should matter at the moment , i think, because both of these partitions are flagged in the scatter as not to be downloaded(flashed)
Click to expand...
Click to collapse
OK, good catch ! The thing is, my script is basically an automatic calculator, I use the output of the 2 commands, sort them semi-manually, and then run awk to extract names, addresses to be used with Python :
Code:
cat /proc/partitions
ls -l /dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name
...a bit of work, and in Python end up as:
pname=["proinfo","nvram","protect1","protect2","lk","para","boot","recovery","logo","expdb","seccfg","oemkeystore","secro","keystore","tee1","tee2","frp","nvdata","metadata","system","cache","userdata","flashinfo"]
pdev=["mmcblk0p1","mmcblk0p2","mmcblk0p3","mmcblk0p4","mmcblk0p5","mmcblk0p6","mmcblk0p7","mmcblk0p8","mmcblk0p9","mmcblk0p10","mmcblk0p11","mmcblk0p12","mmcblk0p13","mmcblk0p14","mmcblk0p15","mmcblk0p16","mmcblk0p17","mmcblk0p18","mmcblk0p19","mmcblk0p20","mmcblk0p21","mmcblk0p22","mmcblk0p23"]
psize=[3072,5120,10240,10240,512,512,16384,16384,8192,10240,512,2048,6144,8192,5120,5120,1024,32768,37888,2736128,409600,12049920,16384]
Then I add everything sequentially, and print it out (I realized I am missing pgpt chunk, need to read it directly from mmcblk0!).
I don't see "sgpt" partition anywhere in any of the Android outputs.
And, there is an easy way to find out if flashinfo address is correct, first dd the partition in Android, 2nd read it using the addresses/lengths in SPFT. If it matches, the addresses are correct by definition !
@mrmazak, @Tomsgt
I added pgpt and sgpt partitions to the list of addresses. I also read flashinfo via the SPFT, and compared to the one from dd, and it matched exactly. If I try to read past the last address I've counted, it gives me a read error, meaning the math is correct! Please see the section below for sgpt (16 Gb version of BLU R1 !!!)
Code:
- partition_index: SYS25
partition_name: sgpt
file_name: sgpt.img
is_download: true
type: NORMAL_ROM
linear_start_addr: 0x3ab780000
physical_start_addr: 0x3ab780000
partition_size: 0x80000
region: EMMC_USER
storage: HW_STORAGE_EMMC
boundary_check: true
is_reserved: false
operation_type: UPDATE
reserve: 0x00
bibikalka said:
@mrmazak, @Tomsgt
I added pgpt and sgpt partitions to the list of addresses. I also read flashinfo via the SPFT, and compared to the one from dd, and it matched exactly. If I try to read past the last address I've counted, it gives me a read error, meaning the math is correct! Please see the section below for sgpt (16 Gb version of BLU R1 !!!)
Code:
- partition_index: SYS25
partition_name: sgpt
file_name: sgpt.img
is_download: true
type: NORMAL_ROM
linear_start_addr: 0x3ab780000
physical_start_addr: 0x3ab780000
partition_size: 0x80000
region: EMMC_USER
storage: HW_STORAGE_EMMC
boundary_check: true
is_reserved: false
operation_type: UPDATE
reserve: 0x00
Click to expand...
Click to collapse
thanks for all the help
Brilliant
And finally, partitions with their starting address/length in HEX for the 16 Gb version (stuff everybody was waiting for ) :
Code:
Name Block_device Start_adr Length
pgpt mmcblk0 0x0 0x80000
proinfo mmcblk0p1 0x80000 0x300000
nvram mmcblk0p2 0x380000 0x500000
protect1 mmcblk0p3 0x880000 0xa00000
protect2 mmcblk0p4 0x1280000 0xa00000
lk mmcblk0p5 0x1c80000 0x80000
para mmcblk0p6 0x1d00000 0x80000
boot mmcblk0p7 0x1d80000 0x1000000
recovery mmcblk0p8 0x2d80000 0x1000000
logo mmcblk0p9 0x3d80000 0x800000
expdb mmcblk0p10 0x4580000 0xa00000
seccfg mmcblk0p11 0x4f80000 0x80000
oemkeystore mmcblk0p12 0x5000000 0x200000
secro mmcblk0p13 0x5200000 0x600000
keystore mmcblk0p14 0x5800000 0x800000
tee1 mmcblk0p15 0x6000000 0x500000
tee2 mmcblk0p16 0x6500000 0x500000
frp mmcblk0p17 0x6a00000 0x100000
nvdata mmcblk0p18 0x6b00000 0x2000000
metadata mmcblk0p19 0x8b00000 0x2500000
system mmcblk0p20 0xb000000 0xa7000000
cache mmcblk0p21 0xb2000000 0x19000000
userdata mmcblk0p22 0xcb000000 0x2df780000
flashinfo mmcblk0p23 0x3aa780000 0x1000000
sgpt mmcblk0s 0x3ab780000 0x80000
[COLOR="Red"]end end 0x3ab800000 0x0[/COLOR]
Click to expand...
Click to collapse
OK sir you are brilliant, if you ever have spare time on your hands to let me drill you with questions I'd love the chance. Secondly, before I go making things worse, and I apologize if this has been answered:
According to your partitions here the scatter I was trying to unbrick my phone with is just all wrong. Or am I misunderstanding how it translates into scatter, for example my first partition was preloader at 0x0 with a 40000 length. Assuming pgpt is the preloader, and the length is 80k, this could very possibly be why I'm getting brom 4032? So if I edited the scatter to use proper partitions, files, and dug through my working 16/2 and got proper backups to use this would be where to start with any unbrick? Or do I have no clue what I'm talking about here.
Persuasion89 said:
OK sir you are brilliant, if you ever have spare time on your hands to let me drill you with questions I'd love the chance. Secondly, before I go making things worse, and I apologize if this has been answered:
According to your partitions here the scatter I was trying to unbrick my phone with is just all wrong. Or am I misunderstanding how it translates into scatter, for example my first partition was preloader at 0x0 with a 40000 length. Assuming pgpt is the preloader, and the length is 80k, this could very possibly be why I'm getting brom 4032? So if I edited the scatter to use proper partitions, files, and dug through my working 16/2 and got proper backups to use this would be where to start with any unbrick? Or do I have no clue what I'm talking about here.
Click to expand...
Click to collapse
What's wrong with the existing scatter files out there ? Just use those ! The addresses do match what's posted here, so should not be any issue at all.
@bibikalka or @Tomsgt , quick question. Do either of you two happen to know if the device requires/uses a uboot image?
bullet25 said:
@bibikalka or @Tomsgt , quick question. Do either of you two happen to know if the device requires/uses a uboot image?
Click to expand...
Click to collapse
Of course ! It's in every OTA update, uboot.img, and sometimes, as lk.bin
This questions comes to me and i answer , so if someone could help me in this please :crying::crying::crying:
Rakesh1b said:
answer these questions first?
1.how did you hardbrick your potter?
2.were you updated to latest stock through ota before hardbrick?
3.how did you recover your potter imean what blankflash and gpt.bin,bootloader.img,recovery.img did you use ? the files we all have used or tried from this thread or any different files?
4.type"
fastboot getvar all
Click to expand...
Click to collapse
" in fastboot mode and provide details masking your serial and imei.
5.finally creating blankflash or gpt.bin,bootloader files is impossible,there are some signed images we cant tamper them if we they will not flash.
read this whole thread you will know what im talking about https://forum.xda-developers.com/moto-g4-plus/help/hard-bricked-fastboot-t3638497
Click to expand...
Click to collapse
sir i answer you questions one by one
Question 1 :
i try to upgrade kernal from 7.0 to 7.1 by using this firmware " addison_verizon_oem_vzw_user_7.1.1_NDNS26.118-23-12-3_3_release-keys-cid2_vzw" all command i used are perfect i give you the 2 step info
1) fastboot flash partition gpt.bin
target reported max download size of 536870912 bytes
sending 'partition' (45 KB)...
OKAY [ 0.008s]
writing 'partition'...
(bootloader) Validating 'gpt.default.xml'
(bootloader) Committing 'gpt.default.xml'
(bootloader) - flashing 'gpt_main0.bin' to 'partition:0'
(bootloader) Flashing primary GPT image...
(bootloader) Flashing backup GPT image...
OKAY [ 0.180s]
finished. total time: 0.196s
2) fastboot flash bootloader bootloader.img
target reported max download size of 536870912 bytes
sending 'bootloader' (5115 KB)...
OKAY [ 0.110s]
writing 'bootloader'...
(bootloader) Validating 'bootloader.default.xml'
(bootloader) Committing 'bootloader.default.xml'
(bootloader) - flashing 'emmc_appsboot.mbn' to 'aboot'
(bootloader) - flashing 'rpm.mbn' to 'rpm'
(bootloader) - flashing 'tz.mbn' to 'tz'
(bootloader) - flashing 'devcfg.mbn' to 'devcfg'
(bootloader) - flashing 'cmnlib.mbn' to 'cmnlib'
(bootloader) - flashing 'cmnlib64.mbn' to 'cmnlib64'
(bootloader) - flashing 'keymaster.mbn' to 'keymaster'
(bootloader) - flashing 'prov.mbn' to 'prov'
(bootloader) - flashing 'sbl1.mbn' to 'sbl1'
OKAY [ 0.375s]
finished. total time: 0.484s
Click to expand...
Click to collapse
you see here the gpt.bin pass and bootloader.img pass too
when i reboot the phone bootloader work fine but in logs say : " failed to load kernal"
after that i try to flash the potter firmware " POTTER_NPN25.137-92_cid50_subsidy-DEFAULT_regulatory-DEFAULT_CFC.info"
i put the problems here
1) fastboot flash partition gpt.bin
target reported max download size of 536870912 bytes
sending 'partition' (45 KB)...
OKAY [ 0.016s]
writing 'partition'...
(bootloader) Validating 'gpt.default.xml'
(bootloader) Security version downgrade
(bootloader) Image primary_gpt failed validation
(bootloader) Preflash validation failed
(bootloader) Cancelling 'gpt.default.xml'
FAILED (remote failure)
finished. total time: 0.094s
2) fastboot flash bootloader bootloader.img
target reported max download size of 536870912 bytes
sending 'bootloader' (5115 KB)...
OKAY [ 0.119s]
writing 'bootloader'...
(bootloader) Validating 'bootloader.default.xml'
(bootloader) Security version downgrade
(bootloader) Image tz failed validation
(bootloader) Preflash validation failed
(bootloader) Security version downgrade
(bootloader) Image devcfg failed validation
(bootloader) Preflash validation failed
(bootloader) Cancelling 'bootloader.default.xml'
FAILED (remote failure)
finished. total time: 0.461s
3) fastboot flash recovery recovery.img
target reported max download size of 536870912 bytes
sending 'recovery' (20580 KB)...
OKAY [ 0.483s]
writing 'recovery'...
(bootloader) Image size exeeded partition limits
(bootloader) Preflash validation failed
FAILED (remote failure)
finished. total time: 0.494s
Click to expand...
Click to collapse
here is the 3 important problem when i try flash the Potter "POTTER_NPN25.137-92_cid50_subsidy-DEFAULT_regulatory-DEFAULT_CFC.info" and i try others Potter same problem
Question 2 :
It is not ota update
I install TRWP rom and find that i have 16 Mb size in recovery partition and the Potter Recovery.img need 20 Mb
so i use program called Parted to resize the partitions i delete recovery partition and try to make it again but i didn't know his type fat16 or fat36 or linux-swap or ext2 or ext4 .... so and i reboot to bootloader and opppps it is all black
i use blank flash of Moto Z2 play and it back to normal and the problem star the same the partition didn't change
Question 3 :
1) use blankflash of moto z2 play
2) after seeing bootloader run , i install trwp
3)you need to install Debloated+v1 zip here is the link : https://drive.google.com/file/d/12zo_EUgWb4g83t8IjLf9UyFmPGeBx7_G/view
----> copy the zip to phone then install it via TRWP
4) boot to system and it back work normal
Question 4 :
fastboot getvar all
(bootloader) version: 0.5
(bootloader) version-bootloader: moto-msm8953-C1.07
(bootloader) product: potter
(bootloader) board: potter
(bootloader) secure: yes
(bootloader) hwrev: P3B
(bootloader) radio: 3
(bootloader) storage-type: emmc
(bootloader) emmc: 32GB SKHYNIX HBG4a2 RV=08 PV=A5 FV=00000000000000A5
(bootloader) ram: 3GB SKHYNIX LP3 DIE=8Gb M5=06 M6=04 M7=00 M8=5F
(bootloader) cpu: MSM8953
(bootloader) serialno: ZY2243NCZK
(bootloader) cid: 0x0032
(bootloader) channelid: 0x40
(bootloader) uid: 7B3000D000000000000000000000
(bootloader) securestate: flashing_unlocked
(bootloader) iswarrantyvoid: yes
(bootloader) max-download-size: 536870912
(bootloader) reason: Reboot mode set to fastboot
(bootloader) imei: 351859081282935
(bootloader) meid:
(bootloader) date: 04-15-2017
(bootloader) sku: XT1685
(bootloader) battid:
(bootloader) iccid:
(bootloader) cust_md5:
(bootloader) max-sparse-size: 268435456
(bootloader) current-time: "Thu Jan 1 11:18: 1 UTC 1970"
(bootloader) ro.build.fingerprint[0]: motorola/potter_n/potter_n:7.0/NPN
(bootloader) ro.build.fingerprint[1]: 25.137-92/9:user/release-keys
(bootloader) poweroffalarm: 1
(bootloader) ro.build.version.full[0]: Blur_Version.25.281.9.potter.reta
(bootloader) ro.build.version.full[1]: il.en.US
(bootloader) ro.build.version.qcom: LA.UM.5.6.r1-01900-89xx.0
(bootloader) version-baseband: M8953_37.46.07.47R POTTER_EMEADSDS_CUST
(bootloader) kernel.version[0]: Linux version 3.18.31-perf-g4524a37 (hud
(bootloader) kernel.version[1]: [email protected]) (gcc version 4.9 201501
(bootloader) kernel.version[2]: 23 (prerelease) (GCC) ) #1 SMP PREEMPT M
(bootloader) kernel.version[3]: on Nov 20 09:32:29 CST 2017
(bootloader) sbl1.git: git=MBM-NG-VC1.07-0-g3b15bb0
(bootloader) rpm.git: git=MBM-NG-VC0.C0-1-g202d600
(bootloader) tz.git: git=283f623
(bootloader) devcfg.git: git=283f623
(bootloader) keymaster.git: git=283f623
(bootloader) cmnlib.git: git=283f623
(bootloader) cmnlib64.git: git=283f623
(bootloader) prov.git: git=283f623
(bootloader) aboot.git: git=MBM-NG-VC1.07-0-g9d7f987
(bootloader) qe: qe 1/1
(bootloader) frp-state: no protection (77)
(bootloader) ro.carrier: reteu
Click to expand...
Click to collapse
here my information
Question 5 :
i know we can't edit or modify gpt.bin and bootloader.img but we can change size partition from recovery mod by trwp but the others people work but at me not , and not that i give you step of what i did
1) adb shell
2) i copy the file parted to sbin
3) chmod +x parted
4) cd /dev/block
5)parted mmcblk0
6) write p
7) here is the partition list
1 131kB 655kB 524kB sbl1
2 655kB 918kB 262kB rpm
3 1180kB 3015kB 1835kB tz
4 3277kB 3342kB 65.5kB devcfg
5 3539kB 5112kB 1573kB aboot
6 5112kB 5374kB 262kB cmnlib
7 5374kB 5636kB 262kB cmnlib64
8 5636kB 5898kB 262kB keymaster
9 5898kB 6095kB 197kB prov
10 6160kB 6685kB 524kB sbl1bak
11 6685kB 6947kB 262kB rpmbak
12 7209kB 9044kB 1835kB tzbak
13 9306kB 9372kB 65.5kB devcfgbak
14 9568kB 11.1MB 1573kB abootbak
15 11.1MB 11.4MB 262kB cmnlibbak
16 11.4MB 11.7MB 262kB cmnlib64bak
17 11.7MB 11.9MB 262kB keymasterbak
18 11.9MB 12.1MB 197kB provbak
19 12.2MB 117MB 105MB ext4 modem
20 117MB 117MB 1024B fsc
21 117MB 117MB 8192B ssd
22 117MB 134MB 16.8MB ext4 dsp
23 134MB 134MB 32.8kB DDR
24 134MB 134MB 16.4kB sec
25 134MB 135MB 524kB utags
26 135MB 135MB 524kB utagsBackup
27 135MB 137MB 2097kB modemst1
28 137MB 139MB 2097kB modemst2
29 139MB 148MB 8389kB fsg
30 148MB 181MB 33.6MB ext4 persist
31 181MB 182MB 524kB frp
32 182MB 182MB 131kB cid
33 182MB 199MB 16.8MB logo
34 199MB 215MB 16.8MB carrier
35 215MB 216MB 524kB metadata
36 216MB 224MB 8389kB kpan
37 224MB 241MB 16.8MB boot
38 241MB 258MB 16.9MB recovery
39 258MB 259MB 1049kB misc
40 259MB 259MB 32.8kB limits
41 259MB 260MB 524kB mota
42 260MB 261MB 1049kB dip
43 261MB 261MB 524kB ext2 syscfg
44 261MB 263MB 2097kB logs
45 263MB 264MB 262kB apdp
46 264MB 264MB 262kB msadp
47 264MB 264MB 8192B dpo
48 264MB 268MB 4325kB padA
49 268MB 277MB 8389kB sp
50 277MB 285MB 8389kB hw
51 285MB 1091MB 805MB ext2 oem
52 1091MB 1359MB 268MB cache
53 1359MB 5654MB 4295MB ext2 system
54 5654MB 31.3GB 25.6GB userdata
Click to expand...
Click to collapse
so when i try to resize the parition recovery it , i deleted oem and recovery partition then i recreated them and add 5 mb to recovery but after i reboot phone got breaked and i use blankflash again and the size of partition didn't change
so if you can help me or contact the admin of the site please i need help to resize the recovery partition
i'm new here in this forum
bro your problem might be wrong formatted system and cache. see the above lines 51 285MB 1091MB 805MB ext2 oem---it should be ext4
52 1091MB 1359MB 268MB cache
53 1359MB 5654MB 4295MB ext2 system---it should be ext4
54 5654MB 31.3GB 25.6GB userdata it should be f2fs type formatted
may be you formatted your system partitions with wrong format type.
bro then try this type "fastboot erase all" it erases everything then do as i say once
1.flash "fastboot flash partition gpt.bin" (file to be used that you had used above the file of motoz play one https://drive.google.com/open?id=0B7X6bQHmiX_BY29Damx5ejEyX1U)
2.flash "fastboot flash bootloader bootloader.img"(file in the above given link)
3.flash "fastboot flash recovery recovery.img"(in the above link the files are there)
reboot bootloader then go to recovery mode it shows android error symbol then press power and then vol up then erase data,cache,and mount system then reboot to bootloader now flash "fastboot flash recovery twrp(latest 64bit) link http://moto-roms.netlib.re/twrp-3.2.1-1-potter.img
then see if boots to recovery if it went to recovery then wipe everything and do advanced wipe wipe cache ,system with ext4 format type and data with f2fs type format individually and now erase all items selected in the advanced wipe menu and factory reset then reboot to recovery and now copy the latest debloated stock rom or twrp flashable stock link https://forum.xda-developers.com/g5-plus/development/rom-twrp-flashable-stock-builds-t3675616
then flash it.
boot into os once evrything working fine now you can move to any custom rom .
TIP:i dont know if you have previous twrp backup of efs but if you have you are safe save a efs copy once every thing works fine.
ALL THE BEST.
Rakesh1b said:
bro your problem might be wrong formatted system and cache. see the above lines 51 285MB 1091MB 805MB ext2 oem---it should be ext4
52 1091MB 1359MB 268MB cache
53 1359MB 5654MB 4295MB ext2 system---it should be ext4
54 5654MB 31.3GB 25.6GB userdata it should be f2fs type formatted
may be you formatted your system partitions with wrong format type.
bro then try this type "fastboot erase all" it erases everything then do as i say once
1.flash "fastboot flash partition gpt.bin" (file to be used that you had used above the file of motoz play one https://drive.google.com/open?id=0B7X6bQHmiX_BY29Damx5ejEyX1U)
2.flash "fastboot flash bootloader bootloader.img"(file in the above given link)
3.flash "fastboot flash recovery recovery.img"(in the above link the files are there)
reboot bootloader then go to recovery mode it shows android error symbol then press power and then vol up then erase data,cache,and mount system then reboot to bootloader now flash "fastboot flash recovery twrp(latest 64bit) link http://moto-roms.netlib.re/twrp-3.2.1-1-potter.img
then see if boots to recovery if it went to recovery then wipe everything and do advanced wipe wipe cache ,system with ext4 format type and data with f2fs type format individually and now erase all items selected in the advanced wipe menu and factory reset then reboot to recovery and now copy the latest debloated stock rom or twrp flashable stock link https://forum.xda-developers.com/g5-plus/development/rom-twrp-flashable-stock-builds-t3675616
then flash it.
boot into os once evrything working fine now you can move to any custom rom .
TIP:i dont know if you have previous twrp backup of efs but if you have you are safe save a efs copy once every thing works fine.
ALL THE BEST.
Click to expand...
Click to collapse
Sorry bro but this not what i ask for , i asked for changeing partitions , this is all i done it and it work well all i need is to change partition recovery, and why moto g5 plus stay in deep freeze , i use gdisk and delete partition system and recreate it but after i reboot the phone everythink back old , the kernel didn't change anythink , why it happen to me , i need to resize the partitions , the gpt.bin i flashed are wrong... it steal 2 gb from my memory and put recovery partition size 16M this is not good bro, we should find way to change partitions , if you know any phone motorola can change partition link it to me , cause this is all phones motorola happen
My samsung A205 fails to initialize FMP, the smatphone with the bootloader unlocked.
I tried various kernels like Rippler, Eureka and physwizz versions in TWRP.
And several Roms
I can always see the same error in dmesg:
Code:
[ 2560.206443] [2: mmc-cmdqd/0: 1799] exynos-fmp fmp: exynos_fmp_config: Fail to work fmp config due to fips in error.
[ 2560.206474] [2: mmc-cmdqd/0: 1799] mmc0: cmdq_prep_tran_desc: failed to configure crypto engine. ret(-1)
[ 2560.206485] [2: mmc-cmdqd/0: 1799] mmc0: cmdq_request: failed to setup tx desc: -1
[ 2560.206535] I[2: ksoftirqd/2: 22] mmc0: mmc_blk_cmdq_complete_rq: txfr error: -1
[ 2560.206630] [2: kworker/2:2: 3612]
[ 2560.206630] [2: kworker/2:2: 3612]
[ 2560.206630] [2: kworker/2:2: 3612] =============== CQ RECOVERY START ======================
[ 2560.206630] [2: kworker/2:2: 3612]
[ 2560.206784] [2: kworker/2:2: 3612] [CQ] mmc0: SW RESET: 250
[ 2560.206794] [2: kworker/2:2: 3612] ----- cnt_recovery: 2743
[ 2560.206803] [2: kworker/2:2: 3612] ----- cnt_recovery_halt_pass: 2743
[ 2560.206812] [2: kworker/2:2: 3612] ----- cnt_recovery_halt_fail: 0
[ 2560.207055] [2: kworker/2:2: 3612] [CQ] mmc0:----- REQUEUE: tag 0 sector 32770, nr 2, retries 1
[ 2560.207181] [2: kworker/2:2: 3612] [CQ] mmc0: Enable after SW RESET
[ 2560.207198] [2: kworker/2:2: 3612]
While a well-functioning team shows:
Code:
[ 2.047718] [7: swapper/0: 1] exynos-fmp fmp: Exynos FMP Version: 1.3.2
[ 2.048316] [7: swapper/0: 1] exynos-fmp fmp: Found partno 32 for FMP test
[ 2.053900] [7: swapper/0: 1] exynos-fmp fmp: FIPS: self-tests for FMP aes-xts passed
[ 2.058193] [7: swapper/0: 1] exynos-fmp fmp: FIPS: self-tests for FMP aes-cbc passed
[ 2.058212] [7: swapper/0: 1] exynos-fmp fmp: FIPS: self-tests for FMP sha256 passed
[ 2.058246] [6: kworker/u16:3: 251] [SENSOR] stk3x3x_prox_cal: read_value = 10, (0xc0)
[ 2.058263] [7: swapper/0: 1] exynos-fmp fmp: FIPS: self-tests for UFSFMP hmac(sha256) passed
[ 2.058269] [7: swapper/0: 1] exynos-fmp fmp: exynos_fmp_fips_init: self-tests for FMP passed
[ 2.058751] [7: swapper/0: 1] FIPS(do_fmp_integrity_check): Integrity Check Passed
[ 2.058758] [7: swapper/0: 1] exynos-fmp fmp: exynos_fmp_fips_init: integrity check for FMP passed
[ 2.058868] [7: swapper/0: 1] exynos-fmp fmp: exynos_fmp_probe: Exynos FMP driver is proved
Documentation about FMP and FIPS:
Document 2016
Document 2020
What could i try?
because of that mistake cannot access the flash memory properly so it cannot start a full android system just start in TWRP.
tried compiling a kernel with FIPS options disabled, and it works I can see the capabilities of all partitions by starting TWRP in read-only mode. when I do it in read write mode it works unstable and restarts.
Exploring in the kernel source code I could see
arch/arm64/boot/dts/exynos/dtbo/exynos7885.dts
Code:
fmp_0: fmp {
compatible = "samsung,exynos-fmp";
exynos,host-type = "mmc";
exynos-host = <&dwmmc_0>;
exynos,block-type = "mmcblk0p";
exynos,fips-block_offset = <5>;
Mount the partition mmcblk0p5 (CPEFS) and I found it to be of type ext4 and empty.
Could someone give me a copy of that partition or show me what files it originally has inside?
Upgrade:
I discovered that the partition mmcblk0p4 (SEC EFS) is corrupt.
In mmcblk0p5 (CPEFS) I have these two hidden files:
Code:
.nv_core.bak
.nv_core.bak.md5
In mmcblk0p4 (SEC EFS) I have:
Code:
Battery
FactoryApp
TEE
adp_token
afc
cpk
imei
lost+found
lpm
lpm_boot.log
nfc
nxp
pfw_data
prov
prov_data
recovery
sec_efs
ssm
tee
umc
wv.keys
./Battery:
batt_capacity_max
./FactoryApp:
Sensorinfo
asoc
batt_after_manufactured
batt_cable_count
batt_discharge_level
batt_temp_charge
cisd_data
cisd_wc_data
factorymode
fdata
gyro_cal_data
hist_nv
keystr
max_current
max_temp
rtc_status
test_nv
./FactoryApp/Sensorinfo:
Accelerometer
Barometer
Gyroscope
Light
Magnetometer
Proximity
./TEE:
./adp_token:
./afc:
./cpk:
./imei:
factory.prop
mps_code.dat
omcnw_code.dat
./lost+found:
#27
#28
#29
#30
#31
#32
#33
#35
#36
#39
#40
#41
#42
#43
#44
#45
#46
#48
#49
#50
#51
#52
#53
#54
#55
#56
#57
#58
#59
#60
#61
#62
#63
#64
#65
#66
#67
#72
#74
#75
#76
#81
#82
#92
#93
#94
#95
#98
./lost+found/#40:
./lpm:
./nfc:
./nxp:
./pfw_data:
./prov:
issued.log
libdevkm.lock
./prov_data:
./recovery:
extra_history
history
prev_tmp_recovery.log
./sec_efs:
!SVC
SVC
SettingsBackup.json
nfc
skpm_FACTORY_OCF_ECC_P256
skpm_OTA_WB_TA_Downloader_RSA_2048
skpm_sk.dat
skpm_supported_list
ucm_ca_cert
./sec_efs/nfc:
./sec_efs/ucm_ca_cert:
./ssm:
./tee:
./umc:
BulkEnrollmentProfile
From what I see in lost+found I know I have lost files.
Unfortunately e2fsck does not repair my partition. I made a copy using dd and tried to repair that image from my Salckware on my desktop pc but without success.
It would be great if someone published a complete backup of the partitions obviously without MAC, IMEI, Serial Number, and Bluethoo address.
Who can help me:
I need a copy of the sec_efs partition
To do this, I had to run:
Code:
dd if=/dev/block/mmcblk0p4 of=/external_sd/secefs.img bs=4096
or at least the listing
Code:
ls -R -l > /external_sd/secefs.lst
I've been looking for a backup on the web for days but I haven't been successful so far. If you see any dumps of that paticion on the web, the download link will do me good.
Thanks
Cant you just install stock firmware using odin
physwizz said:
Cant you just install stock firmware using odin
Click to expand...
Click to collapse
Hello,
do not
This phone came with an error in which when turning on it showed a blue screen where it said update, then it failed and it was on screen:
Code:
E:[libfs_mgr]
E:[PDP] lstat /c____/pdp_b__ : 0 - No PDP scenario
and entered the recovery stock. where it said it couldn't mount / cache
if I put wipe cache it threw other errors and it was not corrected.
If I chose to start from the system it would be in a loop.
Initially it was with BIT 1 I updated it to BIT 8 using odin but the error persisted, I continued with the loop but (from what I search the web nobody solved it)
After a week of testing with different roms. On February 4, immediately took advantage of activating oem and unlocking the bootloader. When rebooting it did not turn on again but I was able to finish unlocking the bootloader and install TWRP 3.5 from physwizz.
When entering TWRP it does not allow multidisabler-samsung-3.1.zip
giving me an error. I could not mount the vendor partition nor any other. What's more, everything accused 0 MB
Using TWRP 3.3 in combination with the Eureka kernel I am able to mount some partitions.
After that I started to read the system logs to explore dmesg and there I realized that what is wrong is the FMP system
Reading the source code of the linux kernel I see that this works using the partition mmcblk0p5 (CPEFS).
Regarding CPEFS, note that in the PIT file it does not declare which file should be written to that partition.
Checking the other partitions I discover broken SEC_EFS.
I made a backup of what I could using tar and another with dd
and I tried to repair it using e2fsck but it was badly damaged
format it with the same original parameters and restore the files you rescue from backups.
Currently if I install an original rom with odin I get the same scenario.
loop and if I started I recovered the error:
Code:
E:[PDP] lstat /c____/pdp_b__ : 0 - No PDP scenario
NOTE: Now I am looking for a merge file. I understand what the factory uses. but I only found up to BIT 7 and my phone is in BIT 8.
Thank you
Excuse my english
sercari said:
Hello,
do not
This phone came with an error in which when turning on it showed a blue screen where it said update, then it failed and it showed on the screen:
Code:
E:[libfs_mgr]
E:[PDP] lstat /c____/pdp_b__ : 0 - No PDP scenario
and entered the recovery stock. where it said it couldn't mount / cache
if I put wipe cache it threw other errors and it was not corrected.
If I chose to start from the system it would be in a loop.
Initially it was with BIT 1 I updated it to BIT 8 using odin but the error persisted, I continued with the loop but (from what I search the web nobody solved it)
After a week of trying different roms. on february 4 it turned on immediately take advantage of activating oem and unlocking the bootloader. When rebooting it did not turn on again but I was able to finish unlocking the bootloader and install TWRP 3.5 from physwizz.
When entering TWRP it does not allow multidisabler-samsung-3.1.zip
giving me an error. I could not mount the vendor partition nor any other. What's more, everything accused 0 MB
Using TWRP 3.3 in combination with the Eureka kernel I managed to mount some partitions.
After that I started reading the system logs to explore dmesg and there I realized that what is wrong is the FMP system
Reading the source code of the linux kernel I see that this works using the partition mmcblk0p5 (CPEFS).
Regarding CPEFS, note that in the PIT file it does not declare which file should be written to that partition.
checking the other partitions I discover broken SEC_EFS.
I made a backup of what I pure using tar and another with dd
and I tried to repair it using e2fsck but it was badly damaged
Format it with the same original parameters and restore the files you rescue from the backups.
Currently if I install an original rom with odin I get the same scenario.
loop and if I started I recovered the error:
Code:
E:[PDP] lstat /c____/pdp_b__ : 0 - No PDP scenario
NOTE: Now I am looking for a merge file. I understand what the factory uses. but I only found up to BIT 7 and my phone is in BIT 8.
Thank you
Excuse my english
Click to expand...
Click to collapse
Go here
Crash Recovery for the Samsung Galaxy A20
Crash Recovery for the Samsung Galaxy A20 1. Be Prepared Most of us will suffer from a crash at some time. If you know how to fix it, you will have a lot less stress. There are certain files you need to keep in readiness. Always backup boot...
forum.xda-developers.com
physwizz said:
Go here
Crash Recovery for the Samsung Galaxy A20
Crash Recovery for the Samsung Galaxy A20 1. Be Prepared Most of us will suffer from a crash at some time. If you know how to fix it, you will have a lot less stress. There are certain files you need to keep in readiness. Always backup boot...
forum.xda-developers.com
Click to expand...
Click to collapse
Thank you, this guide is very good, unfortunately it does not solve my case. Disable_Dm-Verity_ForceEncrypt didn't work either.
The problem of my phone is with FMP = Flash Memory Protector
It fails to start FIPS because a file is probably missing or corrupt. I think that what would help me would be to see the list of files of those partitions to know their name and weight.
It would help me if you can create a text file on your external memory card and paste this content inside:
Code:
mkdir /secefs
mount /dev/block/mmcblk0p4 /secefs -o ro
cd /secefs
ls -a -R -l > /external_sd/secefs.lst
mkdir /efs
mount /dev/block/mmcblk0p3 /efs -o ro
cd /efs
ls -a -R -l > /external_sd/efs.lst
mkdir /cpefs
mount /dev/block/mmcblk0p5 /cpefs -o ro
cd /cpefs
ls -a -R -l > /external_sd/cpefs.lst
Or with this other you can make a backup:
Code:
dd if=/dev/block/mmcblk0p4 of=/external_sd/secefs.img
dd if=/dev/block/mmcblk0p3 of=/external_sd/efs.img
dd if=/dev/block/mmcblk0p5 of=/external_sd/cpefs.img
(suppose the file is called mkbl.txt)
finally run it from the TWRP terminal:
Code:
/external_sd/mkbl.txt
with that I would generate files in /external_sd/
NOTE: If you generate backup files, keep in mind that they contain IMEIs and addresses that are private to you. You could make a copy of the .img file, mount it from linux in a folder and edit the files that contain personal information. Or you can trust me and I can erase that personal information to make the files public.
On the other hand, in the case of the lists with ls, it does not include any personal information, only file names and weights
sercari said:
In mmcblk0p5 (CPEFS) I have these two hidden files:
Code:
.nv_core.bak
.nv_core.bak.md5
Click to expand...
Click to collapse
Confirmed cpefs that is mounted in / vendor / cpefs contains only these two files normally.
Code:
-rwx------ 1 radio radio 546304 feb 4 20:51 .nv_core.bak
-rwx------ 1 radio radio 32 feb 4 20:51 .nv_core.bak.md5
drwx------ 2 radio radio 4096 ene 1 2019 lost+found
I would only need to find out the content of the partition /dev/mccblk0p4 (sec_efs) which I think is not mounted anywhere when the system is running. for which it is necessary to mount it to be able to list its content. I wait if someone can help me.
Thanks to TBM13 from the telegram @Galaxy_A20_official group who shared with me the list of files and directories on their sec_efs partition.
Thanks to TOP who shared the list of files on his cpefs partition. Thanks to this I can continue investigating.
mmcblk0p4 (sec_efs):
Code:
.:
total 180
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 .
drwxr-xr-x 30 root root 0 2021-02-24 17:24 ..
drwxrwxr-x 2 radio system 4096 2019-01-01 12:00 Battery
drwxrwxr-x 3 system system 4096 2019-08-31 03:09 FactoryApp
drwxrwx--- 2 radio system 4096 2019-01-01 12:00 TEE
drwxr--r-- 2 system system 4096 2019-01-01 12:00 adp_token
drwx------ 2 system system 4096 2019-01-01 12:00 afc
drwxrwx--x 2 radio system 4096 2019-06-29 17:29 cpk
drwxrwxr-x 2 root radio 4096 2020-04-29 04:04 imei
drwx------ 2 root root 16384 2008-12-31 15:00 lost+found
drwxrwxr-x 2 system system 4096 2020-12-15 23:19 lpm
-rw-rw---- 1 root system 256 2020-12-15 23:19 lpm_boot.log
drwx------ 2 nfc nfc 4096 2019-01-01 12:00 nfc
drwxrwx--- 2 system audio 4096 2019-01-01 12:00 nxp
drwxrw---- 2 oem_5279 oem_5279 4096 2019-01-01 12:00 pfw_data
drwxrwx--- 2 system system 4096 2019-06-29 17:22 prov
drwxrwx--- 2 radio system 4096 2019-01-01 12:00 prov_data
drwxrwx--x 2 radio system 4096 2020-12-15 23:25 recovery
drwxrwxr-x 4 radio system 4096 2020-12-15 23:32 sec_efs
drwxrwx--- 2 system system 4096 2019-01-01 12:00 ssm
drwx------ 2 system system 4096 2019-01-01 12:00 tee
drwx------ 2 system system 4096 2019-08-31 01:46 umc
-rw-r--r-- 1 system system 168 2019-06-29 17:22 wv.keys
./Battery:
total 20
drwxrwxr-x 2 radio system 4096 2019-01-01 12:00 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
-rw-rw---- 1 system system 4 2021-02-21 02:58 batt_capacity_max
./FactoryApp:
total 132
drwxrwxr-x 3 system system 4096 2019-08-31 03:09 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
-rw------- 1 system system 28 2019-06-29 08:37 HwParamBattQR
-rw------- 1 system system 4876 2019-06-29 17:22 HwParamData
-rw------- 1 system system 824 2019-06-29 17:22 HwPartInform
drwx------ 2 system system 4096 2019-01-01 12:00 Sensorinfo
-rw-r----- 1 system log 3 2019-01-01 12:00 asoc
-rwxr--r-- 1 system system 1 2019-01-01 12:00 baro_delta
-rw-r----- 1 system system 2 2020-12-15 22:43 batt_after_manufactured
-rw------- 1 system system 4 2021-02-23 14:39 batt_cable_count
-rw-r----- 1 system system 6 2020-12-15 22:57 batt_discharge_level
-rw------- 1 system system 62 2021-02-24 17:10 batt_temp_charge
-rw------- 1 system system 1 2019-01-01 12:00 cable_detect_count_octa
-rw-rw---- 1 system system 195 2021-02-23 15:31 cisd_data
-rw-rw---- 1 system system 20 2019-01-01 12:00 cisd_wc_data
-rwxr--r-- 1 system system 13 2019-01-01 12:00 control_no
-rw------- 1 system system 2 2020-11-28 14:37 earjack_count
-rwxr--r-- 1 system system 2 2019-06-29 17:22 factorymode
-rwxrwxr-x 1 system radio 4 2019-01-01 12:00 fdata
-rw------- 1 system system 30 2021-02-24 13:06 gyro_cal_data
-rwxrwxr-x 1 system radio 0 2018-12-31 17:00 hist_nv
-rwxr--r-- 1 system system 2 2019-06-29 17:22 keystr
-rw------- 1 system system 5 2019-10-12 21:38 max_current
-rw------- 1 system system 4 2020-01-19 20:53 max_temp
-rwxr--r-- 1 system system 5 2019-06-29 17:29 mdnie
-rw------- 1 system system 1 2019-06-29 17:29 mdnie_ver
-rwxr--r-- 1 system system 5 2019-01-01 12:00 prepay
-rw------- 1 system system 1 2019-06-29 17:22 rtc_status
-rwxr--r-- 1 system system 11 2019-06-29 17:22 serial_no
-rwxrwxr-x 1 system radio 2000 2018-12-31 17:00 test_nv
./FactoryApp/Sensorinfo:
total 40
drwx------ 2 system system 4096 2019-01-01 12:00 .
drwxrwxr-x 3 system system 4096 2019-08-31 03:09 ..
-rw------- 1 system system 21 2019-01-01 12:00 Accelerometer
-rw------- 1 system system 4 2019-01-01 12:00 Barometer
-rw------- 1 system system 17 2019-01-01 12:00 Gyroscope
-rw------- 1 system system 4 2019-01-01 12:00 Light
-rw------- 1 system system 19 2019-01-01 12:00 Magnetometer
-rw------- 1 system system 31 2019-01-01 12:00 Proximity
./TEE:
total 16
drwxrwx--- 2 radio system 4096 2019-01-01 12:00 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
./adp_token:
total 16
drwxr--r-- 2 system system 4096 2019-01-01 12:00 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
./afc:
total 16
drwx------ 2 system system 4096 2019-01-01 12:00 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
./cpk:
total 20
drwxrwx--x 2 radio system 4096 2019-06-29 17:29 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
-rw-r--r-- 1 radio radio 920 2019-06-29 17:29 h2k.dat
./imei:
total 40
drwxrwxr-x 2 root radio 4096 2020-04-29 04:04 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
-rw------- 1 root root 96 2021-02-21 03:41 factory.prop
-rwxrwxr-x 1 radio system 3 2020-12-15 23:26 mps_code.dat
-rw-rw-r-- 1 radio root 3 2020-12-15 23:26 omcnw_code.dat
-rw-rw-r-- 1 radio root 3 2020-12-15 23:26 omcnw_code2.dat
-rwxrwxr-x 1 system radio 14 2019-06-29 17:22 prodcode.dat
-rw-rw-r-- 1 system system 4 2019-12-29 20:07 total_call_time
./lost+found:
total 28
drwx------ 2 root root 16384 2008-12-31 15:00 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
./lpm:
total 20
drwxrwxr-x 2 system system 4096 2020-12-15 23:19 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
-rw-rw---- 1 root system 85 2020-12-15 23:19 lpm_info.log
./nfc:
total 16
drwx------ 2 nfc nfc 4096 2019-01-01 12:00 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
./nxp:
total 16
drwxrwx--- 2 system audio 4096 2019-01-01 12:00 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
./pfw_data:
total 16
drwxrw---- 2 oem_5279 oem_5279 4096 2019-01-01 12:00 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
./prov:
total 20
drwxrwx--- 2 system system 4096 2019-06-29 17:22 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
-rw----r-- 1 system system 559 2019-09-01 00:28 issued.log
-rw-rw---- 1 system system 0 2019-01-01 12:00 libdevkm.lock
./prov_data:
total 16
drwxrwx--- 2 radio system 4096 2019-01-01 12:00 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
./recovery:
total 24
drwxrwx--x 2 radio system 4096 2020-12-15 23:25 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
-rw------- 1 root root 257 2020-12-15 23:25 extra_history
-rw------- 1 root root 2529 2020-12-15 23:25 history
./sec_efs:
total 76
-rw------- 1 system system 569 2020-12-15 23:12 !SVC
drwxrwxr-x 4 radio system 4096 2020-12-15 23:32 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
-rwx------ 1 root radio 0 2019-06-29 17:07 .ffw
-rw------- 1 system system 569 2020-12-15 23:12 SVC
-rw------- 1 system system 6655 2020-12-15 23:32 SettingsBackup.json
drwx------ 2 nfc nfc 4096 2019-01-01 12:00 nfc
-rw------- 1 system system 1517 2019-06-29 17:22 skpm_FACTORY_OCF_ECC_P256
-rw------- 1 system system 983 2019-09-01 00:29 skpm_OTA_WB_FIDO_Bound_FP_ECC_P256
-rw------- 1 system system 4104 2019-08-31 02:43 skpm_OTA_WB_TA_Downloader_RSA_2048
-rw------- 1 system system 3941 2019-08-31 02:43 skpm_sk.dat
-rw------- 1 system system 4711 2019-09-01 00:29 skpm_supported_list
drwx------ 2 system system 4096 2019-01-01 12:00 ucm_ca_cert
./sec_efs/nfc:
total 16
drwx------ 2 nfc nfc 4096 2019-01-01 12:00 .
drwxrwxr-x 4 radio system 4096 2020-12-15 23:32 ..
./sec_efs/ucm_ca_cert:
total 16
drwx------ 2 system system 4096 2019-01-01 12:00 .
drwxrwxr-x 4 radio system 4096 2020-12-15 23:32 ..
./ssm:
total 16
drwxrwx--- 2 system system 4096 2019-01-01 12:00 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
./tee:
total 16
drwx------ 2 system system 4096 2019-01-01 12:00 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
./umc:
total 20
drwx------ 2 system system 4096 2019-08-31 01:46 .
drwxrwx--x 21 system radio 4096 2019-08-31 01:46 ..
-rw------- 1 system system 1 2019-08-31 01:46 BulkEnrollmentProfile
Observing the list compare weight, permissions, owner and group of each file in /lost+found and I was able to deduce which file was and give it the corresponding location and name.
The only file I am missing is: /sec_efs/skpm_OTA_WB_FIDO_Bound_FP_ECC_P256
Someone has any idea about this file, apparently it is a key but I don't know if the phone should generate it automatically or how to get it.
I add that you do not know that the skpm_sk.dat file is blank. if I have it with a hex editor it is full of zeros
Thanks
Finally and mysteriously I boot into twrp allowing me to see all the partitions. (Only TWRP with full memory access would not start the system) Take advantage and I made a copy from partition 1 to 25 to and 31. Unfortunately I discovered that I have the partitions boot0, boot1, boot3, m9kefs, m9kefs2, m9kefs3, nad_fw, nad_refer blank.
UPDATE:
1- Get a copy of m9kefs1, 2 and 3 and I have them ok.
I need help. I flashed the wrong .img to userdata and now it refuses to be formated:
Code:
[email protected]:~$ fastboot -w
Erasing 'userdata' OKAY [ 55.085s]
/usr/lib/android-sdk/platform-tools/mke2fs failed with status 1
fastboot: error: Cannot generate image for userdata
I also tried:
Code:
[email protected]:~$ fastboot --force --disable-verification format:ext4:0x1987357000 userdata
Warning: userdata size is 0x1987357000, but 0x1987357000 was requested for formatting.
/usr/lib/android-sdk/platform-tools/mke2fs failed with status 1
fastboot: error: Cannot generate image for userdata
When I get all vars from each slot I get the following differences:
Code:
Slot a+b diff
Produced: 09/15/2022 03:39:14 PM
Mode: Differences, Ignoring Unimportant
Left file: /home/moe/a.txt Right file: /home/moe/b:txt
6 (bootloader) battery-voltage:4115 <> 6 (bootloader) battery-voltage:4087
--------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------
11 (bootloader) partition-size:userdata: 0x1987 <> 11 (bootloader) partition-size:userdata: 0x1987357000
12 (bootloader) partition-type:system_a:ext4 12 (bootloader) partition-type:system_b:ext4
13 (bootloader) partition-size:system_a: 0x1000 13 (bootloader) partition-size:system_b: 0x100000000
--------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------
33 (bootloader) current-slot:_a <> 33 (bootloader) current-slot:_b
--------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------
37 (bootloader) slot-retry-count:_a:6 <> 37 (bootloader) slot-retry-count:_a:0
38 (bootloader) slot-unbootable:_a:no 38 (bootloader) slot-unbootable:_a:yes
--------------------------------------------------------------------------------------------------------
Any tips are welcomed. Thanks.
[Update]After flashing stock (*.032) ROM the phone will boot from slot a but I still get an error when attempting to format userdata:
Code:
[email protected]:~/Downloads/ph-1/032$ fastboot -w
Erasing 'userdata' OKAY [ 52.228s]
/usr/lib/android-sdk/platform-tools/mke2fs failed with status 1
fastboot: error: Cannot generate image for userdata
So far I have not seen any adverse effect on the phone operation, and Storage reports the right sizes. Still, what's going on here? How to fix it?