Database Users

Boot Logo Wipeing

I know this is a pissed off issue by many of you but I want to use my archos as an industrial tablet.
I've made a fancy boot animation but there is still the Archos entertainment your way logo at early boot.
I read about it at an archos gen5 thread that with aos-tools and the famous flash binary the logo can be altere to another 800x480 logo by flashing with the 0x060000 starting address. Other threads said that this works no more so I turned to the data/customization way but here the early logo is problem for.
A solution could be to wipe out and to have animation only at late stage. Is it possible somehow?
br, sodjas

Update:
I successfully compiled the flash utility:
http://code.google.com/p/aos-tools/
But ran into the problem the it needs flashrw.ko module.
I found it on openAOS site but unfortunately it is compiled for gen5 armv5 the load fails with vermagic assert error.
I read on archosfans forum thread that flashrw.ko is non public and confidential thing but it only contains a bunch of ioctl calls.
I disassembled it and it showed that it is made of intel_flash_cmd.c file.
Could anyone help me how to get the flashrw.ko module for armv7-a?

Sad news modinfo shows:
alias: char-major-10-243
license: Proprietary
description: flashrw
author: Archos
depends:
vermagic: 2.6.10_mvl402 ARMv5 gcc-3.4
It is Proprietary

Hi sodjas,
you should do a little more research on this issue.
sodjas said:
I've made a fancy boot animation but there is still the Archos entertainment your way logo at early boot.
I read about it at an archos gen5 thread that with aos-tools and the famous flash binary the logo can be altere to another 800x480 logo by flashing with the 0x060000 starting address. Other threads said that this works no more so I turned to the data/customization way but here the early logo is problem for.
A solution could be to wipe out and to have animation only at late stage. Is it possible somehow?
Click to expand...
Click to collapse
As you started to point out, there are different bootlogos for the differnt stages on start-up.
1. bootloader logo
2. ramdisk bootlogo
3. Android logo (animated)
The logo inside Android could be easily removed or replaced (at least using Urukdroid).
Also the ramdisk logo could be modified with some technical skills (ramdisk needs to be rebuild and replaced).
Replacing the first hardcoded bootloader logo, is something for the freaks, but in fact it is possible.
First of all you'll need read/write access to the mtd block devices created by the kernel. This would require at least SDE or Urukdroid installation.
The Archos tablets use embedded MMC as persistant storage.
All partitions of this device are mounted as block devices and could be tweaked by directly accessing them (e.g. using dd for low level access).
One could start by reading some sectors of the first raw partition, examine the structure, do some disassembly and find the location where the bootloader logo is stored. Not sure if it could be deleted without changing some lines of code.
In fact this is an expert thing, if something goes wrong, you'll have a true brick .
There'd been some posts around covering this topic.
sodjas said:
Update:
I successfully compiled the flash utility:
http://code.google.com/p/aos-tools/
But ran into the problem the it needs flashrw.ko module.
I found it on openAOS site but unfortunately it is compiled for gen5 armv5 the load fails with vermagic assert error.
I read on archosfans forum thread that flashrw.ko is non public and confidential thing but it only contains a bunch of ioctl calls.
I disassembled it and it showed that it is made of intel_flash_cmd.c file.
Could anyone help me how to get the flashrw.ko module for armv7-a?
Click to expand...
Click to collapse
AFAIK, there's no need for this kernel module on gen8 devices.
The gen8 devices do not use any raw NOR flash or NAND devices.
All access to the eMMC is done with mtd kernel driver using the OMAP mmc interface.
BTW there might be some parts of storage used as hidden sectors, but this is a kernel thing only.
But back to topic:
In fact you'll need to find the bootlogo in raw data of the bootcode, determine the format and replace the raw blocks of memory.
Maybe you'll also need to tweak the security checks in bootcode as well, because checksum will change is the bootlogo is replaced.
Anyway it's slightly difficult to do so, but it's not impossible
Have fun,
scholbert

Lot of interesing information thank you, I'll check the hints out... The checksum thing sounds serious
Anyway, thank you very much for your answer it contains a lot interesting and useful things for me!
br, sodjas

Hi sodjas,
you're welcome!
This might be of interest to:
http://forum.xda-developers.com/showthread.php?t=1018260
This guy already made a disassembly of boot code.
http://forum.xda-developers.com/showthread.php?t=1214674
This guy wrote some tools for mmc low level access.
Maybe they might help you as well.
Keep on posting, this is an interesting topic
Regards,
scholbert

@sodjas:
Just being curious, why do you want the archos as an industrial PC?
I'M asking because we have bought a very cheap development board
http://embedded-computing.com/low-runs-main-line-linux-android
where you can install everything you want.
It is definately not as powerfull as the archos, but it costs less then half of it.
And if you search for OK6410 you will find others that even have the Android 2.3 for that.

@scholbert:
Thank you very much one more time , hope we can bring out something interesting
@fzelle:
The answer for this is the circumstance when you are at a software development deparment surrounded with high level software guys and have an interesting and impressing task to build an RFID enabled industrial terminal with WIFI capability and a platform where you can easly build fancy touch based UI-s in just 3 months then you made choices like these -> to have a proof of concept thing -> to prove that your software is unique and feasible to develop -> to be able to go to exhibitions to make this interesting to investors -> later it is more then possible that we will say somebody who has the experience in hw building: OK we have this HW build us a similar one from OEM parts bundled in an industrial box...
@both:
Thank you guys for replying, this is such a nice community!
br, sodjas

Hey Guys!
This is what I've done:
1. studied the linked threads by scholbert
2. used the extended aos-tools and successfully extracted .aos file
3. now I'm seeing a:
Code:
-rw-r--r-- 1 root root 432 2011-10-10 17:21 digest
drwxr-xr-x 2 root root 4096 2011-10-10 17:21 raw
-rw-r--r-- 1 root root 10 2011-10-10 17:20 repack.sh
drwxr-xr-x 3 root root 4096 2011-10-10 17:20 root
-rw-r--r-- 1 root root 10 2011-10-10 17:20 unpack.sh
structure.
If I understood right scholbert the ramdisk is under root/data/androidnerged.squeashfs.secure
How can I manipulate this part?
How can I rebuild the ramdisk?
If I understand correct the GPL released part is only the initramfs and the kernel itself...
Another question is that the most interesting thing here for me is the aos-fix tool
What is the:
Code:
--clear-signature Clear the signature out of a SIGN block, or a flash segment header.
part excatkly good for?
Sorry for the lots of questions, I'm still very green on low level
br, sodjas

One more thing:
I have the following structure under raw:
Code:
-rw-r--r-- 1 root root 264 2011-10-10 17:21 11_EXT2
-rw-r--r-- 1 root root 264 2011-10-10 17:21 15_EXT2
-rw-r--r-- 1 root root 8 2011-10-10 17:20 4_EXT0
-rw-r--r-- 1 root root 3264456 2011-10-10 17:20 7_MMCF
-rw-r--r-- 1 root root 2878728 2011-10-10 17:20 8_MMCF
I guess 7_ and 8_ MMCF files are the interesting ones...
Can I find a desc about these because in vitalif's thread about tweaking the bootloaders he tells about mmcblk0 / 1 ...
I also wasn't be able to find the hex parts found by scholbert when he linked vitalif's thread...
Still very confused but keep on learning
br, sodjas

Of course i understand that, i'm a sw dev for 25 years.
I was lucky to see that board before we had some similar needs as you have.
What do you use for the rfid part?

Hi sodjas,
it's late but i'll try to answer your questions
sodjas said:
This is what I've done:
1. studied the linked threads by scholbert
2. used the extended aos-tools and successfully extracted .aos file
3. now I'm seeing a:
Code:
-rw-r--r-- 1 root root 432 2011-10-10 17:21 digest
drwxr-xr-x 2 root root 4096 2011-10-10 17:21 raw
-rw-r--r-- 1 root root 10 2011-10-10 17:20 repack.sh
drwxr-xr-x 3 root root 4096 2011-10-10 17:20 root
-rw-r--r-- 1 root root 10 2011-10-10 17:20 unpack.sh
structure.
Click to expand...
Click to collapse
So this is the firmware structure before it is installed on the device.
The update process is done by the bootcode and there's not that much information about it and not much we could actually do with these files.
So you'd better have a look at the installed partitions and the way to modify thoose.
sodjas said:
If I understood right scholbert the ramdisk is under root/data/androidnerged.squeashfs.secure
How can I manipulate this part?
How can I rebuild the ramdisk?
If I understand correct the GPL released part is only the initramfs and the kernel itself...
Click to expand...
Click to collapse
No, the squashfs file is the final rootfs mounted as a loop device by the stock firmware.
It's possible to modify this file, but if you do the checksum won't match and you'll have to tweak bootcode to ignore security checking.
So in fact this is not very comfortable, but doable.
The ramdisk is the the cpio file archive also beeing updated and included in the update. Don't know the structure right now because it's on my linux laptop.
sodjas said:
Another question is that the most interesting thing here for me is the aos-fix tool
What is the:
Code:
--clear-signature Clear the signature out of a SIGN block, or a flash segment header.
part excatkly good for?
Click to expand...
Click to collapse
I don't know this tool and i guess it has been made for the older platforms.
sodjas said:
One more thing:
I have the following structure under raw:
Code:
-rw-r--r-- 1 root root 264 2011-10-10 17:21 11_EXT2
-rw-r--r-- 1 root root 264 2011-10-10 17:21 15_EXT2
-rw-r--r-- 1 root root 8 2011-10-10 17:20 4_EXT0
-rw-r--r-- 1 root root 3264456 2011-10-10 17:20 7_MMCF
-rw-r--r-- 1 root root 2878728 2011-10-10 17:20 8_MMCF
I guess 7_ and 8_ MMCF files are the interesting ones...
Can I find a desc about these because in vitalif's thread about tweaking the bootloaders he tells about mmcblk0 / 1 ...
Click to expand...
Click to collapse
Yeah, as i pointed out:
By extracting the update file you got an "external view" of the system.
After the firmware is placed on the device these files are flashed to eMMC and got mounted as block devices.
So it's little different then.
sodjas said:
I also wasn't be able to find the hex parts found by scholbert when he linked vitalif's thread...
Still very confused but keep on learning
Click to expand...
Click to collapse
It's a bit complicated to explain... but quite easy in the end.
You'll have to read out the partitions as raw blocks.
All the low level stuff is mounted as /dev/block/mmcblk0p1
Please read out first using the dd command.
It will give a file at about 32MByte, ands it's all cryptic binary format (rawfs and below).
So if you like to enter this, there's not much information here and you'll have to digg out pieces.
Maybe it's better to modify the higher level parts...
Anyway, the very first bootlogo is called banner. The format is unkown, at least to me, and you'll have ot understand the rawfs file structure used by Archos.
Attached you'll find the mounts of stock and Uruk firmware.
I know that this is little abstract right now, but i'll have to take some sleep
Have fun!
scholbert

@fzelle:
the rfid part is for workflow monitoring in glass houses. we would like to deploy N terminals in each house and the workers can check-in, define a task they are working on and after they've finished can check out... simple but all info is gathered on a central place and is in order to make easier planning/observing/and calculating financial/investment related things...
the only problem is the musb_hdrc.ko -> it is not picking the FTDI chip if its plugged-in with the OTG cable at the same time. It is a known issue but I still have a lots of problem here:
1. if a change musb_hdrc.ko to my instance musb_hdrc.ko in /lib/modules it is not working at all, if I check it with modinfo it is different than the one in the GPL release. I guess these files under /lib/modules are also proprietary
2. I degbugged around and saw that the state changes for musb only work well if you first attach the OTG micro which has a grounded 5th pin ->then the state goes to a_idle and then attach the FTDI chip -> this is a working scenario
3. If you attach the OTG with already connected FTDI then it stuck at b_idle mode...
I started a thread about this:
http://forum.xda-developers.com/showthread.php?t=1288522
but it seems the proprietary drivers will be the root of the problem here...
@scholbert:
a mininum thing I owe you is a beer a lot of useful infos here again I'll check around and come back if there are some updates.
thank you guys!
br, sodjas

Hi,
thanks for appreciating.
But stupid me, i forgot one thing...
Quoting myself:
Anyway, the very first bootlogo is called banner. The format is unkown, at least to me, and you'll have ot understand the rawfs file structure used by Archos.
Click to expand...
Click to collapse
So there's a kernel driver for rawfs of course
The rawfs parts got mounted to /mnt/rawfs and present themselfs as files (avboot, banner,...).
No need to fiddle with the raw binaries to investigate the structure.
You'll have to be root to access this directory.
I'll do some research about the file format of the banner file
EDIT:
O.K., here we go... it is a gz compressed file representing raw pixel data.
So in fact this is the very first boot logo!
Should be possible to import this file to gimp or something.
Don't know if it breaks the avboot security check if it get's replaced. So please be careful!
EDIT2:
I got a Archos 101 so filesize will vary on other platforms.
The pixel data is put into 32bit format so each pixel requires a 4-byte value.
On A101 the resulting file size is of the uncompressed banner file is 2457600 bytes -> 1024x600x4
The simple framebuffer inside avboot uses only the lower 24bit of 32bit pixel data.
The most significant byte of each pixel is always set to 0xFF (0xFF000000 written as MSB first)
To completely blank screen (delete archos logo) you'll need to blank out all pixel.
Pixel data should look like this:
Code:
0xFF000000 x 1024 x 600 (for A101)
0xFF000000 x 800 x 480 (for A70)
You might create such a file with a hex-editor or use some scripting.
Good luck with your USB driver stuff!
Regards,
scholbert

Update
I modified both mmcblk0 and mmcblk0p1, my tab is still booting.
The modification of /mnt/rawfs/banner directly was my idea too, but I'm still afraid of some parts
I pulled the banner file and on ubuntu I can list the content, but can't extract it, and there are lots of questions like:
1. The file inside banner is named i240x400 -> this means that it is a 240x400 image but it would be more logical that it is 400x240 based on how "Entertaiment your way " looks...
2. Ubuntu's file roller can't extract it
3. When I open it in hex editor it has some meta info at the start of the file
and a question at the end:
How did you uncompress your banner file? I always get errors, maybe I used wrong syntax...
br, sodjas

Hi Sodjas,
Let me jump in on this to complement your study:
First, a BIG WARNING: touching any of this without patching signature check will result in bricking device.
Second BIG WARNING: Vitalif's mmc offsets for bootloader patches are valid for his device only. Mine has completely different values, I presume there are multiple bootloader versions out there. If patch is incorrect, or not done in the right order, instant brick.
7_MMC and 8_MMC are indeed interesting parts, these are the kernel+initrd images for android and recovery.
As stated by scholbert, to get a better understanding, you should take a look at /mnt/rawfs:
You'll see few files there:
avboot (second stage bootloader)
init (normal boot android, kernel+initrd)
recovery (recovery boot, kernel+initrd)
custom (sde boot, kernel+initrd)
banner (boot logo as it seems)
7_MMCF is flashed to init
8_MMCF is flashed to recovery
Splitting these files into zImage+initrd.gz is quite easy, I can give you some hints if you want. But I don't think it would serve you much for what you're trying to do: what you want is changing bootloader logo, so your goal is avboot+banner.
But again, don't modify anything on mmc0 until you're sure of what you do. First bootloader checks avboot signature and avboot checks init and recovery signature for sure. Without patch, you'll brick your device.
I don't know if avboot checks banner file though.

Hi Letama,
Thank you for joining.
Yes sure you are right the values vitalif mentioned were on different addresses BUT occured only once in the whole binary for both binaries, so I tried my luck and I think it is working because after reboot I have mmcblk0 and mmcbl0p1 still with the patched content and the tab boots without any problem
If I'm right then now I can start playing with altering mmcblk0p1 content because I have patched verify_hash function. Am I right?
Two big questions still open for me:
1. How to modify banner in an efficient way?
2. I understand now I have two patched bootloader binaries and can dd them on any A70IT, am I right or the patching process needs to be done/ device? I suppose not.
Update 2
In the meantime I uncompressed it on win with 7-zip I see the content I should modify to 0xFF000000 but I'm still not sure how flush this to all 0xFF000000 because there is some meta info at start. And as second, how to compress it, maybe the gzip -9 i240x400 will do its job as it was described at Gen5 boot logo tutorial...
br, sodjas

sodjas said:
because there is some meta info at start.
br, sodjas
Click to expand...
Click to collapse
Sorry AFAIK, no metainfo, just the pure 0xAABBCCDD 32bit values as scholbert told me before, sorry for that
br, sodjas

I realized again I'm a fool, or just archos guys wanted to make a joke
1. the banner file is named i240x400 BUT
2. when you extract it you got a 1 536 000 bytes sized file
3. I used my awsome maths skills and found out that: 1 536 000 / 4 <byte> = 384000 / 800 <pixels> = 480
So the raw image size is 800x480 and no 240x480 as the file name indicates...
I just need to flush 0xFF000000 384000 times in a file I think.
br, sodjas

sodjas said:
Yes sure you are right the values vitalif mentioned were on different addresses BUT occured only once in the whole binary for both binaries, so I tried my luck and I think it is working because after reboot I have mmcblk0 and mmcbl0p1 still with the patched content and the tab boots without any problem
Click to expand...
Click to collapse
Yes, search pattern was the same for me too, only different offsets. Good thing that code didn't change.
sodjas said:
If I'm right then now I can start playing with altering mmcblk0p1 content because I have patched verify_hash function. Am I right?
Click to expand...
Click to collapse
I only modified init and recovery, but I guess they wouldn't implement a specific signature check for boot logo. I'm suspecting that there is no signature check at all on it but I never checked avboot for that.
sodjas said:
1. How to modify banner in an efficient way?
Click to expand...
Click to collapse
To modify init and recovery, I wrote a small app that directly open /dev/block/mmcblk0p1, seek for the right position (with some file signature check to be sure I'm doing it right) then write. I make sure that I don't write a bigger file than current ones and it works fine for init/recovery. I believe that archos flasher does the same as existing file sizes are bigger than the firmware dump file sizes.
For your needs, I don't know if you will have to adjust size in the rawfs directory entry and/or avboot. Rawfs is quite straightforward, you can take a look at linux driver if you need to adjust directory entry.
sodjas said:
2. I understand now I have two patched bootloader binaries and can dd them on any A70IT, am I right or the patching process needs to be done/ device? I suppose not.
Click to expand...
Click to collapse
A dd of mmcblk0 (not mmcblk0p1, you need also first bootloader) should do the trick if the hardware doesn't change and doesn't need a different bootloader. I think that there is multiple revisions of hardware out there, improper bootloader for a specific hardware revision could not boot.
Safest bet would be to write a small patcher that would check pattern and stop if you don't have a known bootloader.

[FIXED] Bricked and Not Sure on Options

I'm running low on options for what is wrong with this kindle fire, so maybe someone can point out something I am missing. My friend flashed google apps on it after they rooted and somehow something was botched and I've been playing doctor to it remotely over VNC and running commands on adb. Anyways, it's stuck at the splash screen and not booting and this is everything I've tried and all the information I've gathered:
1) reflashed the last updated boot.img from amazon in fastboot
2) reflashed the recovery.img in fastboot
3) verified the md5sum and permissions on every file & directory in /system (all check out okay).
4) Verified there are no files missing or added to anywhere in /system
5) cannot get it to rerun the update after pushing the update to /sdcard/kindleupdates (it ignores it despite it being there, either because of the condition of the tablet currently or the fact it's already updated).
After doing the above, the state of the device doesn't change a bit. Same errors, same slash screen.
Only idea I might have to what is wrong (but I have no idea how it would have happened) is the boot image (mmcblk0) is corrupted somehow (not to be confused with boot.img which has the kernel and ramdisk [mmcblk0p2]). If it is that, then flashing u-boot.bin might solve it, but I'm not sure how to do that exactly and would want to be sure since it could really screw things up.
Issues:
1) Stuck at the load splash screen
2) su will not work (says segmentation fault, etc), however running the temp root exploit manually will give back root for things I need and allow me to mount/unmount, etc.
3) lots of errors in log cat see the link (started at boot and ran a min or so): http://pastebin.com/LcXU3cxz
root method was zergRush : http://rootkindlefire.com/kindle-fire-root/how-to-root-kindle-fire/
partition sizes (from running cat /proc/partitions ):
179 0 7553032 mmcblk0
179 1 128 mmcblk0p1
179 2 256 mmcblk0p2
179 3 10240 mmcblk0p3
179 4 196608 mmcblk0p4
179 5 16384 mmcblk0p5
179 6 65536 mmcblk0p6
179 7 10240 mmcblk0p7
179 8 5120 mmcblk0p8
179 9 524288 mmcblk0p9
179 10 1164288 mmcblk0p10
179 11 262144 mmcblk0p11
179 12 5254144 mmcblk0p12
Click to expand...
Click to collapse
If anyone can shed any light on what might be wrong or what else can be done, let me know.

Some problems I see.
I'm not as much an android expert as a linux one, but I went over your paste bin and here's a few of the lines that were of concern.
298: E/AndroidRuntime( 1397): *** FATAL EXCEPTION IN SYSTEM PROCESS: ConnectivityThread
Fatal exceptions are never good. After that, until line 334, you are getting error after error.
550 E/System ( 1443): Failure starting core service
568 E/SystemServer( 1443): Failure starting Input Manager Service
580 E/AndroidRuntime( 1443): *** FATAL EXCEPTION IN SYSTEM PROCESS: ConnectivityThread same error again as the first.
It looks like something is crashing dalvik, and right after that all loaded apks die.... I don't have a kindle yet, that's why I'm surfing these forums so I'm not sure if you can with the recovery. Is it possible to wipe the dalvik cache?

If you have fastboot setup run fastboot -w .. it takes a long time.. I guess you could cancel it halfway safely. It'll be enough to trigger the kindle recovery on reboot which will wipe your dalvik cache.
Actually if you can get root (without the broken su) try deleting /data/dalvik-cache then reboot

transfuntioner said:
If you have fastboot setup run fastboot -w .. it takes a long time.. I guess you could cancel it halfway safely. It'll be enough to trigger the kindle recovery on reboot which will wipe your dalvik cache.
Actually if you can get root (without the broken su) try deleting /data/dalvik-cache then reboot
Click to expand...
Click to collapse
wiping in fastboot took care of everything and did a reset on it. thanks!

How to fastboot with wipe?
Can you share with how to fastboot and wipe for factory reset (effectively)?

knitterb said:
Can you share with how to fastboot and wipe for factory reset (effectively)?
Click to expand...
Click to collapse
I mentioned to my friend they should write it up and post how to do it since it would be easier for them to describe the steps in more detail since they actually physically have a kindle fire and I do not; so I think they will be later. It's rather easy to do though once you have the steps (basically a handful of steps and the rest is waiting).
It should provide a recovery for anyone that bricks their tablets though.
EDIT: link for unbricking is up now: http://forum.xda-developers.com/showthread.php?t=1356257

yareally said:
I'm running low on options for what is wrong with this kindle fire, so maybe someone can point out something I am missing. My friend flashed google apps on it after they rooted and somehow something was botched and I've been playing doctor to it remotely over VNC and running commands on adb. Anyways, it's stuck at the splash screen and not booting and this is everything I've tried and all the information I've gathered:
1) reflashed the last updated boot.img from amazon in fastboot
2) reflashed the recovery.img in fastboot
3) verified the md5sum and permissions on every file & directory in /system (all check out okay).
4) Verified there are no files missing or added to anywhere in /system
5) cannot get it to rerun the update after pushing the update to /sdcard/kindleupdates (it ignores it despite it being there, either because of the condition of the tablet currently or the fact it's already updated).
After doing the above, the state of the device doesn't change a bit. Same errors, same slash screen.
Only idea I might have to what is wrong (but I have no idea how it would have happened) is the boot image (mmcblk0) is corrupted somehow (not to be confused with boot.img which has the kernel and ramdisk [mmcblk0p2]). If it is that, then flashing u-boot.bin might solve it, but I'm not sure how to do that exactly and would want to be sure since it could really screw things up.
Issues:
1) Stuck at the load splash screen
2) su will not work (says segmentation fault, etc), however running the temp root exploit manually will give back root for things I need and allow me to mount/unmount, etc.
3) lots of errors in log cat see the link (started at boot and ran a min or so): pastebin.com/LcXU3cxz
root method was zergRush : rootkindlefire.com/kindle-fire-root/how-to-root-kindle-fire/
partition sizes (from running cat /proc/partitions ):
If anyone can shed any light on what might be wrong or what else can be done, let me know.
Click to expand...
Click to collapse
It says you flashed the boot.img and recovery.img, I believe I have problems with those two areas on my kindle, are you able to give any tips on flashing those?

[HELP] mmcblk0p7 flashed with recovery.img

Hello, I think I have did a big mistake.
I was trying to install CWM via Terminal Emulator with this command:
dd if=/sdcard/cwm.img of=/dev/block/mmcblk0p7
Then I know what mmcblk0p7 was not the recovery partition, but it is a PER partition.
Until now, my device is still on because I didn't reboot/turn-off it. I'm afraid if I reboot it, then it will die because mmcblk0p7 was flashed with wrong image.
Does anybody know how to fix it, or is it safe if I reboot my device? It has been 4 days of no reboot until I'm sure it's ok for reboot.
Thanks in advance!

What exactly lies in the mmcblk0p7 partition?

MOVZX said:
Hello, I think I have did a big mistake.
I was trying to install CWM via Terminal Emulator with this command:
dd if=/sdcard/cwm.img of=/dev/block/mmcblk0p7
Then I know what mmcblk0p7 was not the recovery partition, but it is a PER partition.
Until now, my device is still on because I didn't reboot/turn-off it. I'm afraid if I reboot it, then it will die because mmcblk0p7 was flashed with wrong image.
Does anybody know how to fix it, or is it safe if I reboot my device? It has been 4 days of no reboot until I'm sure it's ok for reboot.
Thanks in advance!
Click to expand...
Click to collapse
PER - Per device provisioned data or per device calibration.
A cursory scout around XDA suggests this contains sensor calibration and such like.
http://forum.xda-developers.com/showthread.php?t=1739119
(edit: checkout the last posts by osm0sis - this guy knows his stuff when it comes to partitions).
I'm pretty sure it isn't the BOOTLOADER partition...
I would tentatively suggest you're OK for a reboot. I can't think of what else you can do, to be honest.
-----------
If you must flash a recovery using the dd command use the by-name syntax...
su
dd if=/sdcard/recovery.img of=/dev/block/platform/sdhci-tegra.3/by-name/SOS
Rgrds,
Ged.

@GedBlake
Thanks for the info. I was asking, because if it didn't vary from device to device I could probably dd up a backup of the partition and upload it here for the user to dd into his partition in his tablet.
That being said, I'll keep an eye on this thread for further consequences or the like.

@MOVZX
Please state whether you have a Grouper or Tilapia device, and the approximate manufacturing date, if known.
The PER partition is formatted as a FAT filesystem**. It seems to contain measurement data created during factory testing procedures. See here.
Note that there seem to be differences from device to device (compare the two posts in the above link). Here are the two critical questions:
1) What is the exact FAT format? (There are a couple of different FAT variants)
2) Does the bootloader read this partition during hardware initialization?
I seem to remember a thread here in the Nexus 7 forums where someone was claiming to adjust the ambient light sensor by altering a file in the PER partition. If that is correct, then indeed this partition *could* be critical to correct operation of the device.
I think you are being prudent about not rebooting. I also think that you should find someone to volunteer to give you a raw image dump (dd) from a device that is as close to yours as possible. Note that like many other devices, the N7 has hardware variants, and the PER partition seems to reflect that.
The calibration data for your device is now permanently lost, and you are the unfortunate experimenter who will find out the consequences of that.
**If you can not get someone to help you, the issue of the filesystem formatting can be solved by one of us by:
- raw dumping our PER partition, loopback mounting it, removing all files, unmounting it, and then giving that to you.
At least you would then have the correct filesystem formatting, but empty.
Also, please do a
dd bs=1024 of=/dev/null if=/dev/block/platform/sdhci-tegra.3/by-name/PER
to let us know what size your partition is.

@MOVZX
I did a little more poking around. What I had recalled about the lightsensor thing was users reporting mods to a setting in
/data/lightsensor/AL3010_Config.ini
not the file of the same name in the PER partition.
The file in PER (of this same name) appears to have the same value (1382) on my tablet in both the above location as well as the file in PER. I don't know if that really means anything though.
I looked through the ASCII strings in the bootloader image (v 4.18) to see if there was any evidence of the bootloader using the file names in the (intact) PER partition. There was no evidence of this happening whatsoever. Does that mean that the bootloader does not read the PER partition? No, but at least there is no direct evidence of that nature that it does. That is certainly hopeful for you.
I dumped my own PER partition to have a look at it. It is definitely FAT32, but probably was not created with a variant of 'mkdosfs' - more likely a BSD tool, as it has a "BSD 4.4" OEM name. I tried to erase/remove files from a copy of my PER image; unfortunately the linux "shred" utility doesn't really do it's job correctly. I failed trying to create an identical (blank) image using 'mkfs.vfat' - I couldn't get the FAT header data identical to the FAT32 headers in the from-the-factory image in the PER partition on my device.
None of this might be important, though. It is possible that the only reason that there is manufacturing data on the tablet is if Asus wanted to look at aging effects for units returned for RMA (or subjected to shake-n-bake testing).
good luck with your tablet - let us know how everything turns out.

bftb0 said:
@MOVZX
I did a little more poking around. What I had recalled about the lightsensor thing was users reporting mods to a setting in
/data/lightsensor/AL3010_Config.ini
not the file of the same name in the PER partition.
The file in PER (of this same name) appears to have the same value (1382) on my tablet in both the above location as well as the file in PER. I don't know if that really means anything though.
I looked through the ASCII strings in the bootloader image (v 4.18) to see if there was any evidence of the bootloader using the file names in the (intact) PER partition. There was no evidence of this happening whatsoever. Does that mean that the bootloader does not read the PER partition? No, but at least there is no direct evidence of that nature that it does. That is certainly hopeful for you.
I dumped my own PER partition to have a look at it. It is definitely FAT32, but probably was not created with a variant of 'mkdosfs' - more likely a BSD tool, as it has a "BSD 4.4" OEM name. I tried to erase/remove files from a copy of my PER image; unfortunately the linux "shred" utility doesn't really do it's job correctly. I failed trying to create an identical (blank) image using 'mkfs.vfat' - I couldn't get the FAT header data identical to the FAT32 headers in the from-the-factory image in the PER partition on my device.
None of this might be important, though. It is possible that the only reason that there is manufacturing data on the tablet is if Asus wanted to look at aging effects for units returned for RMA (or subjected to shake-n-bake testing).
good luck with your tablet - let us know how everything turns out.
Click to expand...
Click to collapse
Interesting stuff, bftb0, as always...
So what, in your opinion, is the worst case scenario?
If the bootloader is still accessible, couldn't the OP just fastboot flash back to stock?
(Assuming a simple reboot doesn't fix it).
Or does this not touch the PER partition? I would have thought that running the flash-all.* script would reset all partitions back to their default values.
I'm probably missing something here, so apologies - just a suggestion.
Rgrds,
Ged.

@GedBlake
The factory install procedure doesn't touch anything but the "usual suspects".
We sort of already know what the worst case is. As to whether to bootloader "needs" the PER partition or not, I don't really know. At this point my bet is that it does not, but that is purely an educated guess.
@MOVZX
I am attaching a "PER-empty.zip" file to this post. It is tiny because it is an almost empty FAT32 filesystem image (PER.img), so it compressed by nearly 100%. (When you unzip it, the "PER.img" image file should be 5,242,880 bytes, or 5120 kB) If you want to, feel free to un-zip it, and then flash the extracted "PER.img" file to the PER partition on your device.
Assuming you are using adb from your PC with the custom recovery still running:
Unzip PER-empty.zip, then
Code:
adb push PER.img /sdcard/PER.img
adb shell dd if=/sdcard/PER.img bs=1024 of=/dev/block/platform/sdhci-tegra.3/by-name/PER
What this will do is install an almost empty FAT32 filesystem which was created with the exact parameters used on my device. (I assume that your device also has a 5120 kB PER partition, but you have not replied.) The almost part is that I truncated every file in my image to zero length.
That's not much, but at least you will have a valid filesystem and most files of the correct name, even if they are zero length.
Note that once you have a filesystem in the PER partition, you are free to mount it using the custom recovery, and do whatever you please, e.g.:
Code:
adb shell mkdir /data/local/tmp/permount
adb shell mount -t vfat /dev/block/mmcblk0p7 /data/local/tmp/permount
adb shell
$ cd /data/local/tmp/permount
... do whatever you want in here...
$ sync
$ exit
adb shell umount /data/local/tmp/permount
adb shell rmdir /data/local/tmp/permount
good luck with your tablet - let us know how everything turns out.
.

I'm using Nexus 7 WiFi 16GB.
I almost have all the required files. The sensors and lightsensor directories were found mounted at /data/sensors and /data/lightsensor, so I copied it.
Here is the content of my sensors & lightsensore files:
lightsensor/AL3010_Config.ini
1476
Click to expand...
Click to collapse
sensors/AMI304_Config.ini
921368
2048 2048 2048
0 0 0
600 600 600
210 42 -256
0 0 0
0 0 0
103 100 101
0
Click to expand...
Click to collapse
sensors/KXTF9_Calibration.ini
1071 -1035 1034 -1030 -1097 1213
Click to expand...
Click to collapse
The FAT partitions is now Ok.
Now, I'm missing these files:
adc-rawdata.csv
ISN
KXTF9_Calibration.ini
prom-filter-rawdata.txt
rawdata.csv
rek-prom-rawdata.txt
SSN
Click to expand...
Click to collapse
I'm having no confidence to reboot this device yet

[GUIDE/INVESTIGATION] Back up your EFS

TL;DR ... please skip to the bottom for a step-by-step how-to.
It is still a bit of a mystery on how easy it is for someone to lose their EFS data (including baseband/IMEI). It has happened a few times (judging by the forum activity). Even for more reason, especially since this data cannot be replaced without warranty work, it is always best to protect yourself.
So I took the task of backing up all my partitions (some through TWRP, others through shell/dd), and then pulling the dd'd partitions to my PC. Best practice is to back up everything...there may be something else lost that you may need in the future.
My old theory (based on grep'ping the images) targeted p16 and p18. According to /dev/block/by-name, mmcblk0p16 translates to the APD partition (which is related to the demo program), and mmcblk0p18 the system partition ...
Code:
lrwxrwxrwx root root 2015-07-07 16:40 ADF -> /dev/block/mmcblk0p17
lrwxrwxrwx root root 2015-07-07 16:40 APD -> /dev/block/mmcblk0p16
lrwxrwxrwx root root 2015-07-07 16:40 boot -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2015-07-07 16:40 boot-one-shot -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2015-07-07 16:40 cache -> /dev/block/mmcblk0p15
lrwxrwxrwx root root 2015-07-07 16:40 config -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 2015-07-07 16:40 data -> /dev/block/mmcblk0p19
lrwxrwxrwx root root 2015-07-07 16:40 factory -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 2015-07-07 16:40 fastboot -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2015-07-07 16:40 misc -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 2015-07-07 16:40 panic -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 2015-07-07 16:40 persistent -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2015-07-07 16:40 ramdump -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2015-07-07 16:40 recovery -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2015-07-07 16:40 reserved -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 2015-07-07 16:40 silentlake -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2015-07-07 16:40 splashscreen -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2015-07-07 16:40 system -> /dev/block/mmcblk0p18
lrwxrwxrwx root root 2015-07-07 16:40 userkeystore -> /dev/block/mmcblk0p8
...however, the location within system is elusive (no common files between the search terms, except "/system/usr/srec/en-US/hmm_symbols", which doesn't seem to count)...
...please note, I have redacted my IMEI segments for protection.
Code:
[email protected]:~/Build/ArchiKitchen-master/PROJECT_070815_181336$ grep -c -r -a abcd * | grep -v :0
system/lib/arm/libcrypto.so:1
system/lib/libstagefright.so:1
system/lib/libcrypto.so:1
system/tts/lang_pico/en-GB_kh0_sg.bin:1
system/tts/lang_pico/es-ES_zl0_sg.bin:1
system/app/ASUSBrowser/ASUSBrowser.apk:2
system/app/LiveWallpapers/LiveWallpapers.apk:1
system/priv-app/GmsCore/lib/x86/libsslwrapper_jni.so:1
system/priv-app/FileManager2/x86/FileManager2.odex:1
system/priv-app/AsusZenUIServices/x86/AsusZenUIServices.odex:1
system/usr/icu/icudt53l.dat:1
system/usr/srec/en-US/hmm_symbols:1
system/usr/xt9/databases/ldb/ZHsbUNps_GB18030_xt9_big.ldb:1
system/bin/wpa_supplicant:1
system/bin/hostapd:1
[email protected]:~/Build/ArchiKitchen-master/PROJECT_070815_181336$ grep -c -r -a efgh * | grep -v :0
system/etc/security/cacerts/ccc52f49.0:1
system/etc/catalog/V1_7260/audiocomms_config/parameter-framework/Settings/Audio/AudioConfigurableDomains.xml:35
system/etc/catalog/V1_DSDA/audiocomms_config/parameter-framework/Settings/Audio/AudioConfigurableDomains.xml:29
system/framework/x86/boot.oat:1
system/usr/srec/en-US/hmm_symbols:1
system/usr/xt9/databases/ldb/ENubUN_xt9.ldb:1
system/usr/xt9/databases/ldb/ESusUN_xt9.ldb:1
system/vendor/lib/libWVStreamControlAPI_L1.so:1
[email protected]:~/Build/ArchiKitchen-master/PROJECT_070815_181336$ grep -c -r -a ijkl * | grep -v :0
system/etc/security/cacerts/d16a5865.0:2
system/tts/lang_pico/en-GB_kh0_sg.bin:1
system/app/MYuppyHK_Medium/MYuppyHK_Medium.apk:6
system/app/YouTube/YouTube.apk:1
system/app/Newsstand/x86/Newsstand.odex:1
system/usr/srec/en-US/hmm_symbols:1
system/usr/xt9/databases/ldb/ITusUN_xt9.ldb:1
[email protected]:~/Build/ArchiKitchen-master/PROJECT_070815_181336$
Just recently, user noviardi did a real world test with two devices...one with a working baseband, the other with a borked EFS. Noviardi managed to get device number two working by cloning p14 (also known as the config partition). Please note there are consequences, that with this solution, only one device can be "online" at a time, or the functioning IMEI will get blacklisted (then neither devices will have cell access). Which is the least of the problems. Hence, why I do not share my EFS data (neither should anyone else), or even snippets.
So, if you want to back up your EFS for personal resuce, your best shot is to back up the mmcblk0p14 / Config partition. But if you are paranoid (like me ), might as well back up everything.
Here's how to do it:
Connect the device to your PC
Turn on USB debugging (if not already)
From your PC, fire up a terminal/command prompt
Type "adb shell" (without the quotes - may need to add "sudo" to the front depending on your situation)
Run these commands:
Code:
su
dd if=/dev/block/mmcblk0p14 of=/storage/MicroSD/mmcblk0p14.img
Repeat the last line for any other partitions to back up (changing both numbers)
Type "exit", press enter (and repeat to close adb shell)
Run the following command:
Code:
adb pull /storage/MicroSD/mmcblk0p14.img .
Repeat for any other partitions to copy to your PC
Close out terminal, unplug USB cable.
Also, there is at least one version of TWRP (TheSSJ's release) that will back up your Config partition for you, as Config is also responsible for connectivity issues (not related to IMEI) switching between ROM's.
Hope this helps on how to protect your IMEI, with a big thanks to noviardi.

Mines showing that too..emei of abcdefgh........and not number sometimes...its weird.

pato2015 said:
Mines showing that too..emei of abcdefgh........and not number sometimes...its weird.
Click to expand...
Click to collapse
I clarified my text above.
I masked my IMEI (with abcd...) in the code boxes as I did not want even part of my IMEI known (for personal security reasons). My actual terminal I used the numbers in groups of four obtained from dialing *#06#.
If you are getting letters after dialing *#06#, I must ask - can you dial out? Did you do any modifications to the phone since you got it (e.g. root, unlock bootloader, etc)?

joel.maxuel said:
I clarified my text above.
I masked my IMEI (with abcd...) in the code boxes as I did not want even part of my IMEI known (for personal security reasons). My actual terminal I used the numbers in groups of four obtained from dialing *#06#.
If you are getting letters after dialing *#06#, I must ask - can you dial out? Did you do any modifications to the phone since you got it (e.g. root, unlock bootloader, etc)?
Click to expand...
Click to collapse
Im still on stock due , i join the asus beta program on going ....change imei only appears abcd change imei only appears during when im on recovery mode...when pound number sign asterisk it imei appears the original imei on my side.

pato2015 said:
Im still on stock due , i join the asus beta program on going ....change imei only appears abcd change imei only appears during when im on recovery mode...when pound number sign asterisk it imei appears the original imei on my side.
Click to expand...
Click to collapse
Doesn't sound corrupted then, just boatloader is being protective.
Or at worst, bug in boatloader.
Sent from my ASUS ZenFone 2

I haven't heard of any easier way or any potential issues, but as always, better safe than sorry with this stuff .

Hi,
I tried to copy the blocks from a terminal emulator on the device itself, and it took a long time and I cancelled it. How big are the blocks, and how long should the copy take?

BobboVilla said:
Hi,
I tried to copy the blocks from a terminal emulator on the device itself, and it took a long time and I cancelled it. How big are the blocks, and how long should the copy take?
Click to expand...
Click to collapse
mmcblk0p16 is about 300MB, so will take a couple minutes (one to dd it, the other to adb pull it). mmcblk0p18 (which I don't think carries EFS as I was able to grep the individual files in the system partition and no common files came up) is ~2.3GB and will (probably) take over 10 minutes.
Also, my procedure above assumes you have a MicroSD card inserted. Don't know the outcome if one ran the commands without one (probably an out of space error).

joel.maxuel said:
mmcblk0p16 is about 300MB, so will take a couple minutes (one to dd it, the other to adb pull it). mmcblk0p18 (which I don't think carries EFS as I was able to grep the individual files in the system partition and no common files came up) is ~2.3GB and will (probably) take over 10 minutes.
Also, my procedure above assumes you have a MicroSD card inserted. Don't know the outcome if one ran the commands without one (probably an out of space error).
Click to expand...
Click to collapse
Thanks. Although I'm not an android developer, I am a programmer, so I can understand code/scripting, and I realized that the command assumed I had an SD card .
I'll do it again and this time let it finish .

mmmm i tried this procedure (also used for oneplus one) and works well.
Type "adb shell" (without the quotes - may need to add "sudo" to the front depending on your situation)
Run these commands for backup efs:
su
dd if=/dev/block/mmcblk0p10 of=/sdcard/modemst1.bin bs=512
dd if=/dev/block/mmcblk0p11 of=/sdcard/modemst2.bin bs=512
Modemst1.bin and Modemst2.bin are saved in internal storage
for restore use fastboot
fastboot flash modemst1 modemst1.bin
fastboot flash modemst2 modemst2.bin
Bye.

fosseperme said:
mmmm i tried this procedure (also used for oneplus one) and works well.
Type "adb shell" (without the quotes - may need to add "sudo" to the front depending on your situation)
Run these commands for backup efs:
su
dd if=/dev/block/mmcblk0p10 of=/sdcard/modemst1.bin bs=512
dd if=/dev/block/mmcblk0p11 of=/sdcard/modemst2.bin bs=512
Modemst1.bin and Modemst2.bin are saved in internal storage
for restore use fastboot
fastboot flash modemst1 modemst1.bin
fastboot flash modemst2 modemst2.bin
Bye.
Click to expand...
Click to collapse
Keep in mind that procedure backs up "reserved" and "panic" for this device, as this one does not have modemst1/2 partitions.
It is still a hunting match.
Sent from my ASUS_Z00AD

if I could get a copy of mmcblk0p16 ? whether it is contained individual device's IMEI number ?

omgwtf19924 said:
if I could get a copy of mmcblk0p16 ? whether it is contained individual device's IMEI number ?
Click to expand...
Click to collapse
I wouldn't recommend that. Because it is the phone's unique identity like someone's fingerprints, services like cell providers will have difficulty distinguishing one from the other, and I think the policy in that case is to shut both devices down (blacklist the IMEI). So now, you would have two unusable devices.
I got your PM also, reconstructing that partition (that is your EFS) is a taboo topic, mostly because it is illegal in many countries. I wouldn't recommend that either.
Best course of action is servicing. Even if you voided your warranty, ASUS won't say no, it's just be prepared to pay (more). Of course, in this case you could pretend the warranty is still good, go back to unrooted stock, and play unaware...
Just curious, how did you hurt your IMEI? Just to see if there is a pattern of events that can cause that (and ultimately be prevented for someone else).

This happened so that, for some time I could not enter into a standard recovery, update your phone through the built-in program ended in failure, and at the entrance to recovery tried to update the phone and soon jumped mistake. Restore factory settings did not help, full unroot nothing distance, upload the new system did not help ... at the end I installed a temporary CWM used for root and reformatted /factory , /config, /cache, /ADP, /ADF and probably in one of them sat a match for IMEI ... oh well, I contacted ASUS service center and wait for a response. Currently, it is not detected SIM1 and SIM2 work and logs on to the network, both have the same IMEI and should have separate.
EDIT: Phone service reported to ASUS, after returning once the makings copies of files on the future ...

efs problem....help
i lost my asus zenfone 2 ze550ml's efs file so its showing only one dummy imei number,
But i have system backup which i took using temporary recovery
tell me if there is a way to recover efs from system backup?
thanks.
i havnt unlocked bootloader yet!

psurve01 said:
i lost my asus zenfone 2 ze550ml's efs file so its showing only one dummy imei number,
But i have system backup which i took using temporary recovery
tell me if there is a way to recover efs from system backup?
thanks.
i havnt unlocked bootloader yet!
Click to expand...
Click to collapse
I'm pretty sure it's the APD (mmcblk0p16) partition at this point.
You can try to restore system, I just don't think it would be fruitful.
Always curious with this sort of thing, what (do you think) happened that you lost your EFS?

The actual partition that keep imei is on mmcblk0p14 named Config
i got 2 phone with one dead baseband chip to tried out.
the mmcblk0p16 that you mention doesn't contain imei at all..
best luck

noviardi said:
The actual partition that keep imei is on mmcblk0p14 named Config
i got 2 phone with one dead baseband chip to tried out.
the mmcblk0p16 that you mention doesn't contain imei at all..
best luck
Click to expand...
Click to collapse
I was considering this one a while back. There was just no search matches to back that theory up.
If you have successfully revived one EFS with the partition (#14) from the other device, that not only makes sense with the problems I have had with config in the past, also means we have something more solid to go by than just block searches.
Will update in a little bit, with attribution. Thanks!

OfficerJimLahey said:
I was considering this one a while back. There was just no search matches to back that theory up.
If you have successfully revived one EFS with the partition (#14) from the other device, that not only makes sense with the problems I have had with config in the past, also means we have something more solid to go by than just block searches.
Will update in a little bit, with attribution. Thanks!
Click to expand...
Click to collapse
yes sir.
as we now confirmed that the imei is containing in the #14..
let hope some expert will extract the importance imei from that 64mb partition..
the backup command should be
adb shell
su
dd if=/dev/block/mmcblk0p14 of=/storage/MicroSD/mmcblk0p14.img
and restore whole 14 partition from the adb shell
with this command
adb shell
su
dd if=/storage/MicroSD/mmcblk0p14.img of=/dev/block/mmcblk0p14

Recently I tried to root the phone and successfully did it via CWM Temporary Recovery.
I used Exposed Framework, Intelli3G module, greenify etc. My phone was running well except I needed to turn flight mode on and off each time after booting or restarting my phone to get network on sim 1. But it was going well until one day when there was a new OTA update available. I just had forgotten the issue of OTA update on a rooted device.
After updating my rooted device it went into bootlops. I am not so geeky so I was looking for a solution. Then I restored a previous NANDROID backup via CWM but the it was showing error after restoration when the device rebooted.
So then again I went to CWM recovery mode and FORMATTED ALL THE PARTITIONS INCLUDING EFSthen I flashed some downgraded recovery.img, droidboot.img etc and updated my phone with the lattest official stock firmware via CWM
I was lucky to unbrick my phone as it started well
But then the real problem started
THERE'S NO NETWORK ON SIM 1
I reflashed my phone but it was same then I took it to a servicing store they said I have IMEI problem in my phone, the phone is now in the servicing shop,
Isn't there any way to restore my imei???
How about Zenfone Rescue tool kit(by Aztech)??

H873 Unlocking Progress

The last few weeks I have been reverse engineering this model in Ghidra looking for hint's on how to unlock the bootloader of this device, I have tried many methods and have come up short. First thing I would like to mention the unlock.bin is most definitely stored in the misc partition after a factory reset, Most interestingly the unlock able variants store the unlock.bin in its complete form ready for unlock once transferred to a new hex document with a length of 0x3FE, In misc this key is stored between 0x6C004 and 0x6C218. That being said on the locked variant it is also recorded to misc only when booting from a us997 aboot but unlike the unlocked variant it is encrypted the cert being written to misc is that of aboot and starts with UNLOCK_RSA_020 which can be extracted from aboot with binwalk. Theoretically by cross flashing images from other devices it is possible to trick it into writing the key to misc. What I need to know is I understand the unlock key is stored in rpmb protected memory only accessible by trustzone, would it be possible to chroot a linux distro on top of system and mount secure world without complete trustzone privilege? I have temp root and it is possible to make it persistent by modifying system but unfortunately system is not referenced in /proc/mounts it is only occasionally mountable in rw for a fraction of a second. This is easily bypassed by passing temp root and starting a system mount app with the am command in root. Also If I were to make a full backup of mmcblk0 would secure world be contained in such a backup or is it accessed via spi? Any help is appreciated thank you in advanced.

SpliffWellington said:
The last few weeks I have been reverse engineering this model in Ghidra looking for hint's on how to unlock the bootloader of this device, I have tried many methods and have come up short. First thing I would like to mention the unlock.bin is most definitely stored in the misc partition after a factory reset, Most interestingly the unlock able variants store the unlock.bin in its complete form ready for unlock once transferred to a new hex document with a length of 0x3FE, In misc this key is stored between 0x6C004 and 0x6C218. That being said on the locked variant it is also recorded to misc only when booting from a us997 aboot but unlike the unlocked variant it is encrypted the cert being written to misc is that of aboot and starts with UNLOCK_RSA_020 which can be extracted from aboot with binwalk. Theoretically by cross flashing images from other devices it is possible to trick it into writing the key to misc. What I need to know is I understand the unlock key is stored in rpmb protected memory only accessible by trustzone, would it be possible to chroot a linux distro on top of system and mount secure world without complete trustzone privilege? I have temp root and it is possible to make it persistent by modifying system but unfortunately system is not referenced in /proc/mounts it is only occasionally mountable in rw for a fraction of a second. This is easily bypassed by passing temp root and starting a system mount app with the am command in root. Also If I were to make a full backup of mmcblk0 would secure world be contained in such a backup or is it accessed via spi? Any help is appreciated thank you in advanced.
Click to expand...
Click to collapse
Hey. While I can't help you, because I don't know about all that, I just wanted to let you know that we're all rooting for you (pun intended). That said, how's progress going? Is it close to completion, or has the project been shut down?

SpliffWellington said:
The last few weeks I have been reverse engineering this model in Ghidra looking for hint's on how to unlock the bootloader of this device, I have tried many methods and have come up short. First thing I would like to mention the unlock.bin is most definitely stored in the misc partition after a factory reset, Most interestingly the unlock able variants store the unlock.bin in its complete form ready for unlock once transferred to a new hex document with a length of 0x3FE, In misc this key is stored between 0x6C004 and 0x6C218. That being said on the locked variant it is also recorded to misc only when booting from a us997 aboot but unlike the unlocked variant it is encrypted the cert being written to misc is that of aboot and starts with UNLOCK_RSA_020 which can be extracted from aboot with binwalk. Theoretically by cross flashing images from other devices it is possible to trick it into writing the key to misc. What I need to know is I understand the unlock key is stored in rpmb protected memory only accessible by trustzone, would it be possible to chroot a linux distro on top of system and mount secure world without complete trustzone privilege? I have temp root and it is possible to make it persistent by modifying system but unfortunately system is not referenced in /proc/mounts it is only occasionally mountable in rw for a fraction of a second. This is easily bypassed by passing temp root and starting a system mount app with the am command in root. Also If I were to make a full backup of mmcblk0 would secure world be contained in such a backup or is it accessed via spi? Any help is appreciated thank you in advanced.
Click to expand...
Click to collapse
Hey! Though you probably already have root, on the off-chance you don't, use this temp root! Hope this helps you out. Just make sure to rollback to Android 8, follow the guide, and read the posts. Should work fine on H873.
https://forum.xda-developers.com/lg...-as993-wip-t3908213/post80908533#post80908533