Related
HOWTO: Compile USB Host Enabled Kernel for the G1/Dream
Hi everyone,
I've got my new HTC Dream and I love it. It's my first Android based device. Now I'm running CyanogenMod 6 Rom.
So this is what I have:
Model number: HTC Dream
Andreoid ver: 2.2
Kermel ver: 2.6.34.5-cynogenmod
Mod version: CyanodenMod-6.0.0-DS
Build number: FRF91
I followed these guides to compile usb host enabled kernel. Please thank Andrew de Quincey, Sven Killig , Michael Mitchell and Frank Sposaro for their awesome work.
Preparing Android Build Environment
mkdir ~/cm-kernel-usbhost/
cd ~/cm-kernel-usbhost/
git clone git://github.com/CyanogenMod/cm-kernel.git
cd cm-kernel
git branch -r
git checkout --track -b cm-2.6.34 origin/android-msm-2.6.34
Patch the kernel source tree
wget http://sven.killig.de/android/N1/2.2/usb_host/android-kernel_msm-bca5320_Nexus-One_usb-host.patch
patch -p1 < android-kernel_msm-bca5320_Nexus-One_usb-host.patch
open ~/cm-kernel-usbhost/ cm-kernel /drivers/usb/host/ehci-msm7201.c and delete line 313
Export a variable for the ARM cross compiler
export CCOMPILER=~/android-ndk-r4b/build/prebuilt/linux-x86/arm-eabi-4.4.0/bin/arm-eabi-
Download kernel .config here and move to .config
Edit!: Use attached config file!
mv g1-cm-kern-2.6.34-usbhost.config .config
Then start the build:
make ARCH=arm CROSS_COMPILE=$CCOMPILER
At this point you should have a kernel stored in ~/cm-kernel-usbhost/cm-kernel/arch/arm/boot/zImage
Now, get the kernel on the phone:
I use fastboot to boot from RAM (not persistent)
~/android-sdk-linux_86/tools/fastboot boot arch/arm/boot/zImage
Look above at the output from the kernel build. The last thing completed is the module building (total = modpost). Notice the hierarchal structure of the compiled modules within the filesystem. Ex: /system/drivers/usb/core/usbcore.ko
Copy modules to sdcard
Now we need to load the modules into the running kernel.
Open a terminal emulator on the phone (connectbot also works, connect to local)
get root:
su
then load the usb core and ehci modules:
insmod /sdcard/usbcore.ko
insmod /sdcard/ehci-hcd.ko
You can download compiled kernel and modules here.
Hope that this guide will be helpful to newbies like me.
Regards,
Andy
NB!
This kernel currently disables USB mount and adb over USB.
usb-storage.ko module is loaded fine but when a usb flash drive is pluged-in the phone reboots itself.
You need a powered hub or Y-cable and USB A Female / A Female Adaptor to connect your usb devices.
Now wifi is working!
UPDATE: 11.12.2010
How to make an OTA package and switch between usb host and otg.
wget ww2.cs.fsu.edu/~mitchell/android/ZipBuilder.tar
tar -xvf ZipBuilder.tar
cd ZipBuilder
./builder.sh
rename update_signed.zip usbhost_signed.zip and copy it to sd card.
make a Nandorid backup and split boot.img using split_bootimg.pl
rename boot.img-kernel to zImage and copy it to ~/cm-kernel-usbhost/cm-kernel/arch/arm/boot/
than run ./builder.sh again
rename update_signed.zip to otg_signed.zip and copy it to sd card.
Now you can flash these zip from recovery.
Any luck with Sven's img?
Yes, I tried to boot Sven's zImage but without success.
So now I'm trying to compile android-msm-2.6.34 kernel pathced with Sven's patch file.
The patch was successfully applied but when I started compilling this error occured:
In file included from drivers/usb/host/ehci-hcd.c:1153:
drivers/usb/host/ehci-msm7201.c: In function 'usb_hcd_msm7201_probe':
drivers/usb/host/ehci-msm7201.c:313: error: 'struct msm_hsusb_platform_data' has no member named 'phy_shutdown'
I don't know how and where to add this member.
I'd appreciate some help.
Regards Andy
kodovoimeji said:
In file included from drivers/usb/host/ehci-hcd.c:1153:
drivers/usb/host/ehci-msm7201.c: In function 'usb_hcd_msm7201_probe':
drivers/usb/host/ehci-msm7201.c:313: error: 'struct msm_hsusb_platform_data' has no member named 'phy_shutdown'
Click to expand...
Click to collapse
This seems to be defined only in the Hero Kernel. Delete line 313.
Thank you very much for quick reply!!!
Now everything is OK!
I used fastboot to boot from RAM and then load the usb core and ehci modules.
And...yeeeeeeee now my G1 is usb host device!
I'm using Y-cable from my external HDD.
I must compile some modules like usb-storage and start testing.
My usb mouse works great with usbhid.ko.
Thank you again!
P.S. I'll update the first post soon!
That's Great~! I've found this for several months! Could you post your detailed tutorial for us? I think most G1 owner should want it. Maybe, you could make a special patch for the roms of CM 6, and everyone could update kernel more effortlessly.
Cheers!
Fox
I updated the first post and now you can download compiled kernel-2.6.34 and modules.
I tried usb-storage.ko but when I pluged my usb flash drive the phone reboot itself.
kodovoimeji said:
I tried usb-storage.ko but when I pluged my usb flash drive the phone reboot itself.
Click to expand...
Click to collapse
Is there something in /data/dontpanic directly after the reboot?
sonic74 said:
Is there something in /data/dontpanic directly after the reboot?
Click to expand...
Click to collapse
No, it's empty.
I load these modules: usbcore.ko, ehci-hcd.ko, usb-libusual.ko, usb-storage.ko.
Usb-storage.ko depends on usb-libusual.ko
I'm curious if it's possible to run my ACR122 contactless smartcard reader.
I installed Debian Leny and ACR drivers on sdcard as I do on my PC.
This is the output when I run dmesg:
[ 196.719024] msm_hsusb msm_hsusb: GetStatus port 1 status 80001803 POWER sig=j CSC CONNECT
[ 196.719573] hub 1-0:1.0: port 1: status 0101 change 0001
[ 196.819427] hub 1-0:1.0: state 7 ports 1 chg 0002 evt 0000
[ 196.820007] hub 1-0:1.0: port 1, status 0101, change 0000, 12 Mb/s
[ 196.939056] usb 1-1: new full speed USB device using msm_hsusb and address 2
[ 197.089111] usb 1-1: ep0 maxpacket = 8
[ 197.093750] usb 1-1: skipped 1 descriptor after interface
[ 197.095733] usb 1-1: default language 0x0409
[ 197.098724] usb 1-1: udev 2, busnum 1, minor = 1
[ 197.099426] usb 1-1: New USB device found, idVendor=072f, idProduct=90cc
[ 197.100280] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 197.100769] usb 1-1: Product: CCID USB Reader
[ 197.101593] usb 1-1: Manufacturer:
[ 197.106353] usb 1-1: usb_probe_device
[ 197.106872] usb 1-1: configuration #1 chosen from 1 choice
[ 197.108795] usb 1-1: adding 1-1:1.0 (config #1, interface 0)
[ 197.116180] drivers/usb/core/inode.c: creating file '002'
[ 197.117492] hub 1-0:1.0: state 7 ports 1 chg 0000 evt 0002
Click to expand...
Click to collapse
But I can't see it when I run lsusb.
This is the output of pcscdaemon:
00000000 pcscdaemon.c:280:main() pcscd set to foreground with debug send to stderr
00000336 debuglog.c:239: DebugLogSetLevel() debug level=debug
00018596 pcscdaemon.c:498:main() pcsc-lite 1.4.102 deamon ready
01416524 hotplug_libhal.c:460:HPRegisterForHotplugEvents() error: dbus_bus_get: org.freedesktop.DBus.Error.NoServer: Failed to connect to socket /var/run/dbus/system_bus_socket: Connection refused
00000244 pcscdaemon.c:517:main() SVCServiceRunLoop returned
00000091 pcscdaemon.c523:at_exit() cleaning /var/run/pcscd
Click to expand...
Click to collapse
kodovoimeji said:
Usb-storage.ko depends on usb-libusual.ko
Click to expand...
Click to collapse
Strange, I haven't seen this module yet.
kodovoimeji said:
But I can't see it when I run lsusb.
Click to expand...
Click to collapse
You have to do
Code:
mount -t usbfs none /proc/bus/usb
Hi again,
thanks for your help. It seems that usb-storage.ko depends on usb-libusual.ko only when this modul is selected. I compiled kernel with build-in usb-storage but no matter i do my phone reboots after I pluged-in a usb flash storage. /data/dontpanic is empty.
Code:
mount -t usbfs none /proc/bus/usb
Now I can use lsusb.
I looked at .config but didn't find something about smartcard reader so if I manage to sort out drivers in Debian will it start working?
Kind regards
Andy
Please reupload link to kernel and modul.
http://ifile.it/ekountp/G1-usbhost-kern-and-modul-2.6.34.rar
Hi, newbie here. I was wondering whether once you have this setup, you can read read raw data directly from the usb port like you could in linux via /dev/hidraw2 or something similar?
Hello again,
why doesn't the wifi module work with this kernel?
is there any body going well of this?
my G1 detected the keyboard and my external HDD, I input the command 'lsusb' and 'dmesg', it seems working well; but a few moment later, it gives the message like this "can't enumerate usb devices in port 1"...what's more, I'm a noob with kernel and driver, anybody who can tell me how could I access the HDD and make the keyboard working, thans
Hi again,
at first I used Michael Mitchell's config file but than I decided to make my own config file:
1.Retrieve a working kernel config from your phone:
adb pull /proc/config.gz
gunzip config.gz
mv config .config
2.Customize the kernel:
make ARCH=arm CROSS_COMPILE=$CCOMPILER menuconfig
And now with my config file wifi is working.
There are CONFIG_USB_HIDDEV and CONFIG_HIDRAW options. I have basic skills in Linux so I can't help you.
I tried to compile USB Gadget Support as a module but receive this error:
Code:
CC [M] drivers/usb/gadget/msm72k_udc.o
drivers/usb/gadget/msm72k_udc.c: In function 'usb_phy_reset':
drivers/usb/gadget/msm72k_udc.c:1017: warning: unused variable 'retries'
drivers/usb/gadget/msm72k_udc.c:1016: warning: unused variable 'ret'
drivers/usb/gadget/msm72k_udc.c:1015: warning: unused variable 'val'
drivers/usb/gadget/msm72k_udc.c: At top level:
drivers/usb/gadget/msm72k_udc.c:1299: error: redefinition of 'msm_hsusb_set_vbus_state'
arch/arm/mach-msm/include/mach/board.h:121: note: previous definition of 'msm_hsusb_set_vbus_state' was here
make[2]: *** [drivers/usb/gadget/msm72k_udc.o] Error 1
make[1]: *** [drivers/usb/gadget] Error 2
make: *** [drivers] Error 2
hello ;D
Could i get a 2708 (15mb hack kernel mod) kernel with usb host support,please?;>
thanks for work,and congratulations for great idea!
Yeah I want too 2708 kernel with USB Host
Hi guys, I'm trying to get this working on the latest version of CyanogenMod 6 but am having troubles... has anyone else done this who fancies helping me out?
thanks!
First you need to connect your phone without battery and then load usb driver windows, after install driver run bat file ,after few second ,phone repair done.
Good Luck !
http://www.mediafire.com/?4q5viaizn5zf9l0
pass: my username
-- OMAPFlash Introduction --
This document contains a description of a tool – OMAPFlash – that can be used to transfer binary images from a host PC to an OMAP based target
platform. The tool consists of four main components:
- a host application, called OMAPFlash Host
- a “second” loader, called OMAPFlash Second, specific to the platform with which OMAPFlash is used
- drivers for the memory devices of the platform
- a USB driver for the host PC, compatible with the OMAP device in use
The tool makes use of the OMAP ROM code mechanism for peripheral boot from either UART or USB to transfer OMAPFlash Second to the internal memory
of the OMAP device. Using OMAPFlash Second a device driver is then transferred to SDRAM for the memory device to which the binary transfer is to
take place. Finally a binary file can be transferred through OMAPFlash Second and the device driver to the memory device itself.
The communication protocol used between OMAPFlash Host and OMAPFlash Second is based on the Fastboot protocol used in the Android community – a
simple text based command-response protocol. Source code is available under a BSD-style license and may be used and modified for other platforms
freely as long as the license terms are observed.
-- Installation --
OMAPFlash comes as an installer for the Windows XP platform. Run the installer executable, OMAPFlashInstaller.msi, to install to the hard-drive of
the host PC. In some cases the installer will display a warning that a DLL has failed to register properly – should this happen, accept this and
press continue to complete the installation (it will not cause the tool to fail). The program is installed to the folder ‘c:\Program Files\Texas
Instruments\OMAPFlash’ and scripts are designed to be run from this path.
Uninstalling OMAPFlash can be done through the Windows XP control panel (Start – Control Panel – Add or Remove Programs). Select OMAPFlash and
press ‘Remove’.
-- Connections --
The physical connection between the target platform and the host PC can be either UART or USB based and the actual connector to use will depend on
the platform. In general the user manual for the platform should be consulted in order to identify the connectors to use for peripheral boot.
-- Drivers --
When using the software with a USB connection, drivers will need to be installed. This should only be necessary when connecting the board to the
host PC for the first time. There are two USB drivers included in the installed software – one for the OMAP device (always needed) and one for the
Android Fastboot protocol (only needed if OMAPFlash is used with target software acting as a Fastboot protocol enabled device). Windows should
detect when a USB driver is needed and ask for it – the drivers are located in the usb_drv_windows folder under the installation directory for
OMAPFlash.
For UART connectivity where UART communication is taking place of USB , a UART USB driver will be needed. This can be downloaded from
http://www.ftdichip.com/Drivers/VCP.htm. Whenever a new driver installation happens during a download attempt to a platform, the process will most
likely time out while the driver is being installed. Simply retry after the installation of the driver is completed.
-- Usage --
OMAPFlash Host is a command-line based application. It is currently available for Windows XP only and will run in a Windows command shell. The
application can take commands directly from the command line or via a script file (a more useful approach). The syntax for calling the tool is:
omapflash [ <option> ] <command>
or, if a script file is used:
omapflash @<file>
-- Options --
The tool has a number of options that can be used to control its overall behavior.
-com <port number>
By default OMAPFlash will try to communicate with the target platform using a USB serial link. This option will force OMAPFlash to use a UART for
serial communication and specify the host side COM-port to use.
-t <timeout>
By default the timeout for communication on the serial link is 5 seconds. This option allows control of the timeout value by specifying another
timeout value in seconds.
-p <platform>
This option is required by OMAPFlash and specifies the platform for which the download is to take place. The platform specified is a name tag that
allows OMAPFlash to identify the correct second loader to use. The tag typically identifies the platform type and the memory used with the OMAP
device present on the platform (“e.g. SDP_MDDR_HYNIX_4G). The tag is used to look up the second loader in a configuration file (omapflash2nd.txt)
in combination with an OMAP device identifier received from the platform during peripheral boot.
-omap <version>
This option is required by OMAPFlash if a peripheral boot sequence is used to transfer a second loader to a target platform. The option specifies
the OMAP generation used on the platform – without this option set, OMAPFlash will be unable to determine how to correctly perform the peripheral
boot sequence necessary for transfer of the second loader to the platform. The version number is a single digit integer (e.g. ‘3’ for an OMAP3xxx
based platform or ‘4’ for an OMAP4xxx based platform).
-2
This option controls whether OMAPFlash will try to use the ROM code peripheral boot sequence to transfer a second loader to internal RAM before
doing anything else. This option will be required for most scenarios where OMAPFlash is used but can be left out if OMAPFlash Host is interacting
with a second loader already running on a target platform.
-v
The ‘-v’ option controls whether OMAPFlash Host will run in verbose mode. If set, more information will be shown during the execution of the
flashing sequence. Note that this option should be set in order to see the target platform response to certain commands (e.g. ‘chips’).
-- Commands --
Commands are executed on the target platform. Any command is prefixed by the keyword ‘command’ and anything following this keyword will be passed directly to OMAPFlash Second by OMAPFlash Host without interpretation or modification. Typically the ‘verbose’ option should be used with commands in order to ensure that information returned from the platform will be shown on the console.
branch <device> <offset>
This command will cause OMAPFlash Second to make an unconditional branch to a memory mapped address. The device will typically be the SDRAM
handled by the OMAP SDRAM controller in this case, and the offset typically zero. The device ID must be one known by OMAPFlash Second and the
offset an integer within the address offset range valid for the device.
peek32 <address>
Get the register value of the register with the given address.
poke32 <address> <value>
Modify the register at the given address to the given value
peekpoke32 <address> <value> <mask>
Modify the register at the given address with the given value and mask
-- Flashing --
OMAPFlash Host is able to handle three basic procedures for accessing memory devices through the OMAPFlash Second loader. These procedures are used
to erase memory devices, transfer a binary file to a device or upload the device content to a binary file. In all cases, parameter values specifying
sizes or offsets are hexadecimal.
chip_erase <device>[@offset] <size>
This procedure is used to erase the content of a device, either for the whole device or for part of its address range. The ‘device’ identifier is
a string matching one of the devices available on the platform as listed from the ‘chips’ command – in other words, a device known to OMAPFlash
Second for the particular platform used (SDRAM is not a valid choice). If an ‘offset’ is used, the device erasure will start at the offset
specified. The offset will need to be compatible with the memory structure of the device in question – e.g. if the device has a block size of
40000h bytes, the offset will need to be a multiple of the block size. The ‘size’ specifies the number of bytes to erase – a value of zero has the
special meaning of “to the end of the device”, either starting at offset zero or at the specified ‘offset’ value, and can be used to erase the
entire device. Note that the typical erase functionality of a memory device is based on the erasure of blocks of memory – it may not make sense to
ask for erasure of a size that is not a multiple of the block size of the device.
chip_download <device>[@offset] <file>
In order to transfer a binary file to a device on the platform this procedure is used. The ‘device’ identifier is a string matching one of the
devices available on the platform. If an ‘offset’ is specified the binary will be downloaded to the device starting at the offset address
specified. Using an offset should be done with some caution, since the meaning of the offset value may be unclear for some device types (e.g. for
a NAND device the offset will be used without consideration of bad blocks present in the memory space preceding the offset address). The file to
be downloaded is specified by the ‘file’ parameter and must be a raw image.
chip_upload <device>[@offset] <size> <file>
In order to upload the content of a memory device this procedure is used. The ‘device’ identifier is a string matching one of the devices
available on the platform. If an ‘offset’ is specified content will be uploaded from the device starting at the offset address specified. As for
the ‘chip_download’ procedure the use of an offset should be done with caution. The ‘size’ parameter specifies the number of bytes to upload and
the ‘file’ parameter the file to which the uploaded data will be saved. Note that due to some limitations on the serial link, upload of data will
be considerably slower than download.
-- Examples --
The following examples are illustrations of the use of OMAPFlash. Sample scripts are available and installed with the tool.
-- Commands --
An example of a sequence making use of a command, including peripheral boot and download of OMAPFlash Second to the platform, could be:
omapflash -v -omap 3 -2 -p SDP_MDDR_HYNIX_4G -t 60 command peek32 6e00000
Once OMAPFlash Second is present on the platform, commands can be run with the requirement for renewed peripheral boot:
omapflash -v –p SDP_MDDR_HYNIX_4G command peek32 6e000000
-- Erase --
An example of the erasure of the content of a device on a platform could be (for NAND):
omapflash -omap 3 -2 -p SDP_MDDR_HYNIX_4G -t 60 chip_erase NAND 0
» OMAPFlash vX.X (MMM DD YYYY)
» Please turn off device
» Please turn on device
» Waiting for device
» Found device
» Searching 2nd for: SDP_MDDR_HYNIX_4G 363007 07 GP
» Loading second file Targets\2nd-Downloaders\dnld_startup_3630sdp_gp_hynix_4g.2nd
» Transferring second file to target (0x5FF8 bytes)
» Found device
» Waiting for 2nd
» Found 2nd
» Downloading driver
» Downloading 'Targets\Flash-Drivers\nand_onfi_16bit_8bit.bin'
» Sending data (11412 bytes) :::::::::::::::::::: [11412]
» Downloading complete
» Elapsed time: 0:00.343 (33271 bytes/s)
» End loading driver
» Erasing
Erase progress :::::::::::::::::::: [536870912]
» Elapsed time: 0:24.537
Additional information (e.g. bad block count, freed up memory and device information) may be available by including the verbose option:
omapflash -v -omap 3 -2 -p SDP_MDDR_HYNIX_4G -t 60 chip_erase NAND 0
» OMAPFlash vX.X (MMM DD YYYY)
» Please turn off device
» Please turn on device
» Waiting for device
» Found device
» Searching 2nd for: SDP_MDDR_HYNIX_4G 363007 07 GP
» Loading second file Targets\2nd-Downloaders\dnld_startup_3630sdp_gp_hynix_4g.2nd
» Transferring second file to target (0x5FF8 bytes)
» Found device
» Waiting for 2nd
» Found 2nd
» Downloading 'Targets\Flash-Drivers\nand_onfi_16bit_8bit.bin'
» Sending data (11412 bytes) :::::::::::::::::::: [11412]
Interface 'OMAPFLASH DRIVER v1'
Driver 'NAND ONFI 16/8 BIT'
NAND ONFIv2 VENDOR 0x2C MICRON
NAND 16 BIT DEVICE 0xBC MT29F4G16ABC
NAND 2048 BYTES/PAGE (SPARE 64)
NAND 64 PAGES/BLOCK (131072 BYTES/BLOCK)
NAND 4096 BLOCKS/UNIT (536870912 BYTES/UNIT)
NAND 512 MB TOTAL SIZE
NAND ONFI DRIVER INIT COMPLETE
» Downloading complete
» Elapsed time: 0:00.344 (33174 bytes/s)
» End loading driver
» Erasing
name=NAND address=0x28000000
Erasing to end of device starting at 0x28000000
Erase progress :::::::::::::::::::: [536870912]
NAND ERASED 535691264 BYTES FROM ADDRESS 0x28000000 (9 BAD BLOCKS)
» Elapsed time: 0:24.571
If OMAPFlash Second is already present and running on the platform, it is not necessary to perform an additional peripheral boot:
omapflash chip_erase –p SDP_MDDR_HYNIX_4G NAND 0
» OMAPFlash vX.X (MMM DD YYYY)
» Found device
» Downloading driver
» Downloading 'Targets\Flash-Drivers\nand_onfi_16bit_8bit.bin'
» Sending data (11412 bytes) :::::::::::::::::::: [11412]
» Downloading complete
» Elapsed time: 0:00.344 (33174 bytes/s)
» End loading driver
» Erasing
Erase progress :::::::::::::::::::: [536870912]
» Elapsed time: 0:24.580
-- Download --
An example of download of a binary image to a memory device could be:
omapflash -omap 3 -2 -p SDP_MDDR_HYNIX_4G -t 60 chip_download NAND .\test_data\pattern_10M.bin
» OMAPFlash vX.X (MMM DD YYYY)
» Please turn off device
» Please turn on device
» Waiting for device
» Found device
» Searching 2nd for: SDP_MDDR_HYNIX_4G 363007 07 GP
» Loading second file Targets\2nd-Downloaders\dnld_startup_3630sdp_gp_hynix_4g.2nd
» Transferring second file to target (0x5FF8 bytes)
» Found device
» Waiting for 2nd
» Found 2nd
» Downloading driver
» Downloading 'Targets\Flash-Drivers\nand_onfi_16bit_8bit.bin'
» Sending data (11412 bytes) :::::::::::::::::::: [11412]
» Downloading complete
» Elapsed time: 0:00.391 (29186 bytes/s)
» End loading driver
» Downloading
» Downloading '.\test_data\pattern_10M.bin'
» Sending data (10485760 bytes) :::::::::::::::::::: [10485760]
» Downloading complete
» Elapsed time: 0:35.095 (299593 bytes/s)
» Elapsed time: 0:35.334
-- Upload --
An example of uploading the content of a memory device from a platform could be:
omapflash -omap 3 -2 -p SDP_MDDR_HYNIX_4G -t 60 chip_upload NAND 40000 c:\temp\nand.bin
» OMAPFlash vX.X (MMM DD YYYY)
» Please turn off device
» Please turn on device
» Waiting for device
» Found device
» Searching 2nd for: SDP_MDDR_HYNIX_4G 363007 07 GP
» Loading second file Targets\2nd-Downloaders\dnld_startup_3630sdp_gp_hynix_4g.2nd
» Transferring second file to target (0x5FF8 bytes)
» Found device
» Waiting for 2nd
» Found 2nd
» Downloading driver
» Downloading 'Targets\Flash-Drivers\nand_onfi_16bit_8bit.bin'
» Sending data (11412 bytes) :::::::::::::::::::: [11412]
» Downloading complete
» Elapsed time: 0:00.344 (33174 bytes/s)
» End loading driver
» Uploading 'NAND'
Receiving data (262144 bytes) :::::::::::::::::::: [262144]
» Elapsed time: 0:32.440
» Saving 'c:\temp\nand.bin'
» OKAY
» Elapsed time: 0:16.493
-- Scripting - Download and Branch to SDRAM --
The following script will download a binary to SDRAM via USB and branch to it for execution of the downloaded image:
# OMAP3
-omap 3
# Timeout and other config
-t 60 -p SDP_MDDR_HYNIX_4G -2
# RAM Download
chip_download SDRAM exbin.bin
# Execute image from RAM
command branch SDRAM 0
Note that the branch address offset will depend on the binary - it will not always be zero. Store the script in a text file (e.g. usb_sdram.txt) and use it as an argument
to OMAPFlash:
omapflash @usb_sdram.txt
-- Linux Flashing to eMMC --
OMAPFlash does not support the flashing of a Linux file system to any memory device, including eMMC, since only RAW image downloads are supported. This means that the x-loader, boot loader and kernel can be transferred to eMMC by OMAPFlash as raw binaries, but not the file system used by the
Linux kernel. For flashing of the Linux kernel and file system, use U-Boot.
There are multiple options for transferring U-Boot to eMMC with OMAPFlash (note that eMMC is currently only supported for the OMAP4 based
platforms).
-- U-Boot Assisted U-Boot Flashing --
OMAPFlash supports the Fastboot protocol and there is a version of U-Boot available that can be used with the Fastboot protocol. With this version
of U-Boot it is possible to transfer binaries to eMMC via U-Boot. U-Boot is transferred to SDRAM and executed by OMAPFlash. Following this, U-Boot
is used to transfer binaries to eMMC by OMAPFlash by way of the Fastboot protocol. Do the following:
1) Copy the x-loader image (x-load.bin) to ‘c:\Program Files\Texas Instruments\OMAPFlash\ uboot\x-load.bin’
2) Copy the U-Boot image (u-boot.bin) to ‘c:\Program Files\Texas Instruments\OMAPFlash\uboot\u-boot.bin’
3) Connect USB and UART to the host PC (both are needed)
4) Start a terminal program (e.g. TeraTerm) with 115,200 baud, no parity, one stop bit, no flow control on what will be the UART connecting to
COM3 on the platform
5) Set the SYSBOOT options of the platform to peripheral boot from USB
6) Open a console and change location to ‘c:\Program Files\Texas Instruments\OMAPFlash’
7) Run ‘OMAPFlash @uboot_ram.txt’ in order to transfer U-Boot to SDRAM and execute it
8) Go to the terminal program and type ‘fastboot’ in order to activate the Fastboot protocol mode of U-Boot
9) Await that the OMAPFlash script finishes in the console window
10) Change the SYSBOOT options to boot from eMMC
11) Power cycle the board
Following this, U-Boot will be ready for commands via the terminal program and can be used to download kernel and file system.
-- U-Boot Flashing --
OMAPFlash supports the download of RAW binaries to eMMC via a native eMMC driver. The x-loader and U-Boot can be transferred to eMMC by OMAPFlash
directly. Do the following:
1) Copy the x-loader image (x-load.bin) to ‘c:\Program Files\Texas Instruments\OMAPFlash\ uboot\x-load.bin’
2) Copy the U-Boot image (u-boot.bin) to ‘c:\Program Files\Texas Instruments\OMAPFlash\uboot\u-boot.bin’
3) Connect USB and UART to the host PC (both are needed)
4) Start a terminal program (e.g. TeraTerm) with 115,200 baud, no parity, one stop bit, no flow control on what will be the UART connecting to
COM3 on the platform
5) Set the SYSBOOT options of the platform to peripheral boot from USB, eMMC
6) Open a console and change location to ‘c:\Program Files\Texas Instruments\OMAPFlash’
7) Run ‘OMAPFlash @uboot_emmc.txt’ in order to transfer x-loader and U-Boot to eMMC
8) Await that the OMAPFlash script finishes in the console window
Following this, U-Boot will be ready for commands via the terminal program and can be used to download kernel and file system.
moschino_luv said:
First you need to connect your phone without battery and then load usb driver windows, after install driver run bat file ,after few second ,phone repair done.
Good Luck !
http://www.mediafire.com/?4q5viaizn5zf9l0
pass: my username
Click to expand...
Click to collapse
Would this allow us to replace the locked bootloader on Chinese phones
Thanks for the great post..I ve been dealing with a dead galaxy nexus GT-I9250M canadian..the omap flash did not work for me.. and no other solution in the horizon..
I am trying to install the uart do I need to edit the driver to contain my pid vid and how can i have both the usb and the uart in this case.. my be with your expertise you could shed some lights for y the omap not working for me..
» OMAPFlash v4.15 (Aug 12 2011)
» -v
» Entering parameter file:Targets\Projects\tuna\omap4460_tuna_hs_pro.tx t at line
: 1
» -omap 4
» -t 36000
» -p OMAP4460_TUNA_8G_HS_PRO
» -2
» -rxtx_trace
» chip_download EMMC Targets\Projects\tuna\MLO_4460_HS_PRO
» chip_download EMMC Targets\Projects\tuna\sbl.img
» command cold_sw_reset
» Leaving parameter file:Targets\Projects\tuna\omap4460_tuna_hs_pro.tx t
» @Targets\Projects\tuna\omap4460_tuna_hs_pro.txt
» Looking for device (omap usb)
» Please turn on device
» Waiting for device (omap usb)
» Found device (omap usb)
» Requesting ASIC id
00130-000-TX 4 raw bytes: 03 00 03 F0 '????'
» AsicId items 05
» AsicId id 01 05 01 44 40 07 01
» AsicId secure_mode 13 02 01 00
» AsicId public_id 12 15 01 97 1E D2 40 84 FC E8 16 AA 20 26 62 0C 90 E0
83 26 88 80 7B
» AsicId root_key_hash 14 21 01 67 98 9B 35 54 CC 86 B4 67 32 47 05 36 74 E2
25 F0 9D A3 5C F4 59 B9 C9 3A 13 E0 B9 58 1E 5A BC
» AsicId checksum 15 09 01 22 9E 85 BA DC 58 74 BC
00130-001-TX 4 raw bytes: 02 00 03 F0 '????'
» Searching 2nd for: OMAP4460_TUNA_8G_HS_PRO 444007 01 HS
» Loading second file Targets/2nd-Downloaders/dnld_startup_omap4_hs_8g_es2.s2.si
gned.2nd.hs_pro
» Entering parameter filemapflash2nd.txt at line: 46
» -pheriphalboot_reopen
» Reading board configuration file Targets\Configurations\configuration_omap4460
_tuna_8g.txt
» Reading definition file .\targets\definitions\definitions_omap4.txt
» -board_config Targets\Configurations\configuration_omap4460_tuna _8g.txt
» Leaving parameter filemapflash2nd.txt
» Sending size of second file (0x000071B0 bytes)
00130-002-TX 4 raw bytes: B0 71 00 00 '?q??'
» Transferring second file to target (0x71B0 bytes)
00130-003-TX 29104 raw bytes: B0 1C 00 00 00 4D 00 00 00 00 00 00 00 00 00 00
'?????M??????????' ...
» Closing boot connection
» Waiting for device (omap usb)
» Found device (omap usb)
» Waiting for 2nd
00463-004-TX ACK
00571-005-RX: 4 raw bytes: 70 EC 8F 00 'p???'
» Unknown status message 'p???' during peripheral boot (waiting for 2nd)
Press any key to continue . . .
----------------------
Thanx in advance for your support
Thanx
thanks for the really hard work Bro
I really hope that no one need it and every body have a safe flashing
but it's really comforting to know that there is something to fix our phones just in case
have you tried it BTW?
dont work on win7
Very Useful at last
Means that you own a chinese bootloader locked I9100G. You can't flash any other bootloader than the chinese one.
I have seen this guide on nexus s somewhere but thanks to post here
Sent from my GT-I9100G using xda premium
s alali said:
dont work on win7
Click to expand...
Click to collapse
OP did say it's for XP. did you try using a virtual computer to work around that? try virtualbox
Using this tool may open the posibility for installing Windows 8. This video shows Windows 8 is running well on the TI OMAP 4430.
Your link is not downloadble. It limited by mediafire. My phone is dead and I want to fix it. I mistakenly re-partitioned with odin. Please help
tell me if you own a Chinese i9100g or international i9100 ... ?
Harchaoui said:
tell me if you own a Chinese i9100g or international i9100 ... ?
Click to expand...
Click to collapse
It was bought from uk...
ziaulh.ch said:
It was bought from uk...
Click to expand...
Click to collapse
use my GUIDE i mean this
[GUIDE]Switch between Chinese I9100G & international I9100G SafeWay
Help Needed-Karbonn A9 android 2.3.6
Hi dude, can you remove the password from the file because I cannot download it from mediafire it says encrypted
files limit exceeded. I need this file badly.
Unfortunately I bricked my karbonn A9. I used fastboot tools and by mistake I flashed APPSBL value to System(100)Data(284).mbn My karbonn a9 doesn't boot, no green screen and no red screen. when I try to boot by pressing power button its only jerking vibration and black screen but when I press power button and volume down - key it going to ENTRY QPTS DOWNLOAD mode, but when I press power button and volume up + key the phone is jerking little vibration and black screen not booting, any help would be apprecitated.
Thanks in Advance.
Cannot download the file mate!
Please urgently provide new link of it.
I need it badly for my friend.
Thank you.
Need alernate link
Hi, I have a Samsung Galaxy S2 T989 and i am having a problem mentioned as same. Could you please share an alternate link so that i could download.
moschino_luv said:
First you need to connect your phone without battery and then load usb driver windows, after install driver run bat file ,after few second ,phone repair done.
Good Luck !
http://www.mediafire.com/?4q5viaizn5zf9l0
pass: my username
Click to expand...
Click to collapse
link not working pleaze upload it again and make it public
Hello,
I bricked my KFHD and it is in a reset loop right now. I got a factory cable and plan to try repairing it via fastboot. I need your kind assistance with the proper commands to flash the stock ROM and get out of fastboot if needed. I know that there are instructions for doing so in the original KF but I am not sure that it applies.
Thanks.
samio2 said:
Hello,
I bricked my KFHD and it is in a reset loop right now. I got a factory cable and plan to try repairing it via fastboot. I need your kind assistance with the proper commands to flash the stock ROM and get out of fastboot if needed. I know that there are instructions for doing so in the original KF but I am not sure that it applies.
Thanks.
Click to expand...
Click to collapse
Please describe the "reset loop" you are experiencing.
Well at boot it detects something wrong and it prompts me either to reset or reboot. Regardless of what I choose it always returns me to the same prompt. Meanwhile there is no usb connectivity what so ever. I tried the 20 second hold on the power button but nothing changed
samio2 said:
Well at boot it detects something wrong and it prompts me either to reset or reboot. Regardless of what I choose it always returns me to the same prompt. Meanwhile there is no usb connectivity what so ever. I tried the 20 second hold on the power button but nothing changed
Click to expand...
Click to collapse
When choosing "reset" does it look like its doing anything or does it just reboot?
Hello!
Ive got the same Q.
Messed up preinstalled keyboard, added some apk to /system/app folder. Now my kindle acts very bad....
Default settings in device section doesn't help. I tried to copy update....bin file to kindleupdate folder but it doesn't help, kindle won't flash (as i've already have last ver)
So, is there any way to flash KHD in fastboot mode, or using update.zip file? Mayby have someth like [UTILITY] Kindle Fire Unbrick Utility V1.1! ?
Thx a lot
It starts resetting and a progress bar shows and completes in a couple of seconds. Then it reboots back to the same prompt
I doubt factory reset would help. If my experience is any indication, factory reset will not undo any changes you did to /system. If you messed it up before resetting, you'll still be messed up after.
I think I messed up the /system and I want to try to reflash it
the good news is once you disconnect the cable the device exits fastboot also it shows up as android adb interface in device manager. but I could not get adb to see it. don't know why. I used the same PC that I used to root it and a mac but could not get adb to see it.
samio2 said:
I think I messed up the /system and I want to try to reflash it
Click to expand...
Click to collapse
What were you doing in /system before the problem started?
Was trying to install Google play. Not sure where i messed up
Do you still have adb access?
The device shows up in the device manager. But adb can't see them
samio2 said:
The device shows up in the device manager. But adb can't see them
Click to expand...
Click to collapse
What does your device manager say?
on windows it said android adb deive (or interface). as for the mac it is the same case and I used the usb probe and here is the output
Code:
High Speed device @ 2 (0x26200000): ............................................. Composite device: "Tate-PVT-08"
Port Information: 0x001f
Captive
Attached to Root Hub
Internal Device
Connected
Enabled
Device Descriptor
Descriptor Version Number: 0x0200
Device Class: 0 (Composite)
Device Subclass: 0
Device Protocol: 0
Device MaxPacketSize: 64
Device VendorID/ProductID: 0x1949/0x0007 (Lab126)
Device Version Number: 0x0100
Number of Configurations: 1
Manufacturer String: 5 "Texas Instruments"
Product String: 1 "Tate-PVT-08"
Serial Number String: 2 "XXX"
Configuration Descriptor: ....................................... "Android Fastboot"
Length (and contents): 32
Raw Descriptor (hex) 0000: 09 02 20 00 01 01 03 C0 32 09 04 00 00 02 FF 42
Raw Descriptor (hex) 0010: 03 04 07 05 81 02 00 02 00 07 05 01 02 00 02 00
Unknown Descriptor 0020:
Number of Interfaces: 1
Configuration Value: 1
Attributes: 0xC0 (self-powered)
MaxPower: 100 ma
Interface #0 - Vendor-specific .............................................. "Android Fastboot"
Alternate Setting 0
Number of Endpoints 2
Interface Class: 255 (Vendor-specific)
Interface Subclass; 66 (Vendor-specific)
Interface Protocol: 3
Endpoint 0x81 - Bulk Input
Address: 0x81 (IN)
Attributes: 0x02 (Bulk no synchronization data endpoint)
Max Packet Size: 512
Polling Interval: 0 ( Endpoint never NAKs)
Endpoint 0x01 - Bulk Output
Address: 0x01 (OUT)
Attributes: 0x02 (Bulk no synchronization data endpoint)
Max Packet Size: 512
Polling Interval: 0 ( Endpoint never NAKs)
Device Qualifier Descriptor
Descriptor Version Number: 0x0200
Device Class 255 (Vendor-specific)
Device Subclass 255 (Vendor-specific)
Device Protocol 255
Device MaxPacketSize: 64
Number of Configurations: 1
bReserved: 0
Configuration Descriptor Device gave an error kIOReturnSuccess (0x0) when asked for first 4 bytes of descriptor
Configuration Descriptor Device gave an error kIOReturnSuccess (0x0) when asked for first 9 bytes of descriptor
Well, that's helpful. It says you're in fastboot. Try using fastboot to change your bootmode to either recovery or normal mode and see if you can get a different result.
Shouldn't adb recognize it to work with faatboot or are they separate?
how do change the bootmode? How to change it back?
I tried fastboot reboot but all i got is waiting for device message.
samio2 said:
Shouldn't adb recognize it to work with faatboot or are they separate?
how do change the bootmode? How to change it back?
I tried fastboot reboot but all i got is waiting for device message.
Click to expand...
Click to collapse
ADB and fastboot are completely separate.
Try "fastboot devices"
fastboot devices shows nothing for me
That's likely an issue with your drivers. Try reinstalling them. Or better yet, try the SoupKit and save yourself some hassle.
How can I connect CM10.1.3 Nook HD+ as an MTP device on Ubuntu 12.04 Acer Netbook/Chromebook?
I can connect on Windows 7 with same Nook HD+ on a Laptop
I am pretty sure thinks are messy unless an alias or link gets created under /media on the netbook
So I am hoping knowledgeable folks help me before I brick either the Netbook or NookHD+ or both
Note: the output from mtpdetect command is lengthy error 7 message was displayed 200 times it was repetetive so I edited it out
[email protected]:~$ sudo lsusb
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 04ca:3006 Lite-On Technology Corp.
Bus 001 Device 004: ID 064e:d251 Suyin Corp.
Bus 002 Device 003: ID 2080:0005 Barnes & Noble
[email protected]:~$ mtp-detect
Unable to read MTPZ public exponent from ~/.mtpz-data, MTPZ disabledlibmtp version: 1.1.5
Listing raw device(s)
Device 0 (VID=2080 and PID=0005) is UNKNOWN.
Please report this VID/PID and the device model to the libmtp development team
Found 1 device(s):
2080:0005 @ bus 2, dev 4
Attempting to connect device(s)
Android device detected, assigning default bug flags
Error 7: Found a bad handle, trying to ignore it.
Error 7: Found a bad handle, trying to ignore it.
USB low-level info:
Interface has a kernel driver attached.
bcdUSB: 14748
bDeviceClass: 3
bDeviceSubClass: 127
bDeviceProtocol: 0
idVendor: fc5f
idProduct: 3967
IN endpoint maxpacket: 512 bytes
OUT endpoint maxpacket: 512 bytes
Raw device info:
Bus location: 2
Device number: 4
Device entry info:
Vendor: (null)
Vendor id: 0x2080
Product: (null)
Vendor id: 0x0005
Device flags: 0x08008106
Device info:
Manufacturer: Barnes & Noble
Model: BN NookHD+
Device version: 1.0
Serial number: 3030420047364309
Vendor extension ID: 0x00000006
Vendor extension description: microsoft.com: 1.0; android.com: 1.0;
Detected object size: 64 bits
Extensions:
microsoft.com: 1.0
android.com: 1.0
Supported operations:
1001: get device info
1002: Open session
1003: Close session
1004: Get storage IDs
1005: Get storage info
1006: Get number of objects
1007: Get object handles
1008: Get object info
1009: Get object
100a: Get thumbnail
100b: Delete object
100c: Send object info
100d: Send object
1014: Get device property description
1015: Get device property value
1016: Set device property value
1017: Reset device property value
101b: Get partial object
9801: Get object properties supported
9802: Get object property description
9803: Get object property value
9804: Set object property value
9805: Get object property list
9810: Get object references
9811: Set object references
95c1: Unknown (95c1)
95c2: Unknown (95c2)
95c3: Unknown (95c3)
95c4: Unknown (95c4)
95c5: Unknown (95c5)
Events supported:
0x4002
0x4003
0x4004
0x4005
Device Properties Supported:
0xd401: Synchronization Partner
0xd402: Friendly Device Name
0x5003: Image Size
Playable File (Object) Types and Object Properties Supported:
3000: Undefined Type
3001: Association/Directory
3004: Text
3005: HTML
3008: MS Wave
3009: MP3
300b: MPEG
3801: JPEG
3802: TIFF EP
3804: BMP
3807: GIF
3808: JFIF
380b: PNG
380d: TIFF
b901: WMA
b902: OGG
b903: AAC
b982: MP4
b983: MP2
b984: 3GP
ba05: Abstract Audio Video Playlist
ba10: WPL Playlist
ba11: M3U Playlist
ba14: PLS Playlist
ba82: XMLDocument
b906: FLAC
Storage Devices:
StorageID: 0x00010001
StorageType: 0x0003 fixed RAM storage
FilesystemType: 0x0002 generic hierarchical
AccessCapability: 0x0000 read/write
MaxCapacity: 13607493632
FreeSpaceInBytes: 3942952960
FreeSpaceInObjects: 1073741824
StorageDescription: Internal storage
VolumeIdentifier: (null)
StorageID: 0x00020001
StorageType: 0x0004 removable RAM storage
FilesystemType: 0x0002 generic hierarchical
AccessCapability: 0x0000 read/write
MaxCapacity: 63816613888
FreeSpaceInBytes: 12730400768
FreeSpaceInObjects: 1073741824
StorageDescription: SD card
VolumeIdentifier: (null)
Special directories:
Default music folder: 0x00000077
Default playlist folder: 0xffffffff
Default picture folder: 0x0000007b
Default video folder: 0x0000b9d3
Default organizer folder: 0xffffffff
Default zencast folder: 0xffffffff
Default album folder: 0xffffffff
Default text folder: 0xffffffff
MTP-specific device properties:
Friendly name: (NULL)
Synchronization partner: (NULL)
libmtp supported (playable) filetypes:
Folder
Text file
HTML file
RIFF WAVE file
ISO MPEG-1 Audio Layer 3
MPEG video stream
JPEG file
BMP bitmap file
GIF bitmap file
JFIF file
Portable Network Graphics
TIFF bitmap file
Microsoft Windows Media Audio
Ogg container format
Advanced Audio Coding (AAC)/MPEG-2 Part 7/MPEG-4 Part 3
MPEG-4 Part 14 Container Format (Audio+Video Emphasis)
ISO MPEG-1 Audio Layer 2
Abstract Playlist file
XML file
Free Lossless Audio Codec (FLAC)
ERROR: Could not close session!
inep: usb_get_endpoint_status(): No such device
outep: usb_get_endpoint_status(): No such device
usb_clear_halt() on IN endpoint: No such device
usb_clear_halt() on OUT endpoint: No such device
usb_clear_halt() on INTERRUPT endpoint: No such device
OK.
And now I can not see it at all on lsusb
[email protected]:~$ sudo lsusb
[sudo] password for user:
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub SMILIES
Bus 001 Device 003: ID 04ca:3006 Lite-On Technology Corp.
Bus 001 Device 004: ID 064e:d251 Suyin Corp.
[WIP]Dissecting the bootloader aka: get rid of annoying "Your device is corrupt"
This is WIP (work in progress) ... posting this as a separate thread to get other people involved so we can try to get rid of the annoying "Your device is corrupt" thing.
On the back of my thread on the splash screen (see https://forum.xda-developers.com/oneplus-6t/development/tool-splash-screen-modification-t3874158), @AnoopKumar and I started checking the bootloader.
The bootloader is in the partition called: abl_a (and/or abl_b) depending on whether you boot from A or B slot.
(https://forum.xda-developers.com/showpost.php?p=78409574&postcount=28)
All below is on Linux ... I am not a Windows guru ...
Take a raw dump of the abl_a partition. Reboot into TWRP, once there do: "adb shell".
Code:
> adb shell
# dd if=/dev/block/bootdevice/by-name/abl_b of=/sdcard/img.abl_a
# <ctrl-D>
> adb pull /sdcard/img.abl_a
You will now have the dump of the bootloader partition in the file
Then, use "binwalk" to see what is inside the abl_a image:
Code:
> binwalk -e img.abl_a
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
4488 0x1188 Certificate in DER format (x509 v3), header length: 4, sequence length: 1279
5771 0x168B Certificate in DER format (x509 v3), header length: 4, sequence length: 1133
6908 0x1AFC Certificate in DER format (x509 v3), header length: 4, sequence length: 1149
12408 0x3078 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 487624 bytes
I am thinking that bytes 0...4487 is the real bootloader code, so:
Code:
> head --bytes=4488 img.abl_b > abc
> file abc
abc: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, corrupted section header size
Not sure why it says "corrupt section header size".
Then check the detail of the ELF file:
Code:
> readelf abc
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: ARM
Version: 0x1
Entry point address: 0x9fa00000
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 3
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no sections to group in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
NULL 0x000000 0x00000000 0x00000000 0x00094 0x00000 0
NULL 0x001000 0x9fa30000 0x9fa30000 0x01988 0x02000 0x1000
LOAD 0x003000 0x9fa00000 0x9fa00000 0x30000 0x30000 RWE 0x1000
There is no dynamic section in this file.
There are no relocations in this file.
Dynamic symbol information is not available for displaying symbols.
No version information found in this file.
Elf file type is EXEC (Executable file)
Entry point 0x9fa00000
There are 3 program headers, starting at offset 52
The bootloader binary code is in the LOAD segment
More to follow later ... have to catch some sleep now ...
foobar66 said:
This is WIP (work in progress) ... posting this as a separate thread to get other people involved so we can try to get rid of the annoying "Your device is corrupt" thing.
On the back of my thread on the splash screen (see https://forum.xda-developers.com/oneplus-6t/development/tool-splash-screen-modification-t3874158), @AnoopKumar and I started checking the bootloader.
The bootloader is in the partition called: abl_a (and/or abl_b) depending on whether you boot from A or B slot.
(https://forum.xda-developers.com/showpost.php?p=78409574&postcount=28)
All below is on Linux ... I am not a Windows guru ...
Take a raw dump of the abl_a partition. Reboot into TWRP, once there do: "adb shell".
You will now have the dump of the bootloader partition in the file
Then, use "binwalk" to see what is inside the abl_a image:
I am thinking that bytes 0...4487 is the real bootloader code, so:
Not sure why it says "corrupt section header size".
Then check the detail of the ELF file:
The bootloader binary code is in the LOAD segment
More to follow later ... have to catch some sleep now ...
Click to expand...
Click to collapse
Wow! Excited to see this! Thanks
It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.
foobar66 said:
This is WIP (work in progress) ... posting this as a separate thread to get other people involved so we can try to get rid of the annoying "Your device is corrupt" thing.
On the back of my thread on the splash screen (see https://forum.xda-developers.com/oneplus-6t/development/tool-splash-screen-modification-t3874158), @AnoopKumar and I started checking the bootloader.
The bootloader is in the partition called: abl_a (and/or abl_b) depending on whether you boot from A or B slot.
(https://forum.xda-developers.com/showpost.php?p=78409574&postcount=28)
All below is on Linux ... I am not a Windows guru ...
Take a raw dump of the abl_a partition. Reboot into TWRP, once there do: "adb shell".
Code:
> adb shell
# dd if=/dev/block/bootdevice/by-name/abl_b of=/sdcard/img.abl_a
# <ctrl-D>
> adb pull /sdcard/img.abl_a
You will now have the dump of the bootloader partition in the file
Then, use "binwalk" to see what is inside the abl_a image:
Code:
> binwalk -e img.abl_a
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
4488 0x1188 Certificate in DER format (x509 v3), header length: 4, sequence length: 1279
5771 0x168B Certificate in DER format (x509 v3), header length: 4, sequence length: 1133
6908 0x1AFC Certificate in DER format (x509 v3), header length: 4, sequence length: 1149
12408 0x3078 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 487624 bytes
I am thinking that bytes 0...4487 is the real bootloader code, so:
Code:
> head --bytes=4488 img.abl_b > abc
> file abc
abc: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, corrupted section header size
Not sure why it says "corrupt section header size".
Then check the detail of the ELF file:
Code:
> readelf abc
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: ARM
Version: 0x1
Entry point address: 0x9fa00000
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 3
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no sections to group in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
NULL 0x000000 0x00000000 0x00000000 0x00094 0x00000 0
NULL 0x001000 0x9fa30000 0x9fa30000 0x01988 0x02000 0x1000
LOAD 0x003000 0x9fa00000 0x9fa00000 0x30000 0x30000 RWE 0x1000
There is no dynamic section in this file.
There are no relocations in this file.
Dynamic symbol information is not available for displaying symbols.
No version information found in this file.
Elf file type is EXEC (Executable file)
Entry point 0x9fa00000
There are 3 program headers, starting at offset 52
The bootloader binary code is in the LOAD segment
More to follow later ... have to catch some sleep now ...
Click to expand...
Click to collapse
Good job, if needed i can help with the checking
tech_head said:
It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.
Click to expand...
Click to collapse
abl.img is not the bootloader i guess.
tech_head said:
It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.
Click to expand...
Click to collapse
On other devices they've been able to swap this image with another one to "hide" the message, to "get rid of it".
Would we sweet if we could get rid of the unlocked bootloader message too.
dennisbednarz said:
Would we sweet if we could get rid of the unlocked bootloader message too.
Click to expand...
Click to collapse
+1
U guys should talk [email protected] We had this issue of broken verity with the essential phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till.it fixes it, then u flash a proper kernel and you are good. Cuz as It stands one can only resolve this properly with the tool
jacksummers said:
U guys should talk [email protected] We had this issue of broken verity with the essential phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till.it fixes it, then u flash a proper kernel and you are good. Cuz as It stands one can only resolve this properly with the tool
Click to expand...
Click to collapse
Different issue.
They are not trying to get rid of the red warning but the yellow warning for an unlocked BL.
On this phone, if you have a "red" warning you use the MSMDownload tool and go back factory including locking the BL.
This is a different case.
Well ... bad luck ... I tried to change abl_b and reflash it ... phone is sort of *dead* now.
Does no longer boot at all.
However, when I plug it into the PC, I can see:
Code:
> lsusb
Bus 001 Device 034: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
And then:
Code:
> dmesg
[ 9395.999112] usb 1-1: new high-speed USB device number 34 using xhci_hcd
[ 9396.149376] usb 1-1: New USB device found, idVendor=05c6, idProduct=9008
[ 9396.149380] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 9396.149383] usb 1-1: Product: QUSB_BULK_CID:0402_SN:33B9DDAC
[ 9396.149386] usb 1-1: Manufacturer: Qualcomm CDMA Technologies MSM
[ 9396.150184] qcserial 1-1:1.0: Qualcomm USB modem converter detected
[ 9396.150372] usb 1-1: Qualcomm USB modem converter now attached to ttyUSB0
So it is not completely *dead* but in some sort of Qualcomm low level mode. I found some info here: https://together.jolla.com/question...ss-modem-any-chance-to-bring-it-back-to-life/ but did not make any progress yet.
EDIT: looking at MsmDownloadTool to debrick the phone ...
foobar66 said:
Well ... bad luck ... I tried to change abl_b and reflash it ... phone is sort of *dead* now.
Does no longer boot at all.
However, when I plug it into the PC, I can see:
Code:
> lsusb
Bus 001 Device 034: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
And then:
Code:
> dmesg
[ 9395.999112] usb 1-1: new high-speed USB device number 34 using xhci_hcd
[ 9396.149376] usb 1-1: New USB device found, idVendor=05c6, idProduct=9008
[ 9396.149380] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 9396.149383] usb 1-1: Product: QUSB_BULK_CID:0402_SN:33B9DDAC
[ 9396.149386] usb 1-1: Manufacturer: Qualcomm CDMA Technologies MSM
[ 9396.150184] qcserial 1-1:1.0: Qualcomm USB modem converter detected
[ 9396.150372] usb 1-1: Qualcomm USB modem converter now attached to ttyUSB0
So it is not completely *dead* but in some sort of Qualcomm low level mode. I found some info here: https://together.jolla.com/question...ss-modem-any-chance-to-bring-it-back-to-life/ but did not make any progress yet.
EDIT: looking at MsmDownloadTool to debrick the phone ...
Click to expand...
Click to collapse
Use this https://forum.xda-developers.com/oneplus-6t/how-to/tool-6t-msmdownloadtool-v4-0-oos-9-0-5-t3867448
Should try for several times with instruction here
Question - when does device show red warning? When u disable dm verity?
I unlocked and rooted but only had yellow warning, but when i installed aosp gsi i had a red warning. Once of the step to install the rom was flashing vbmeta and disabling dm verity.
patelparth120595 said:
Question - when does device show red warning? When u disable dm verity?
I unlocked and rooted but only had yellow warning, but when i installed aosp gsi i had a red warning. Once of the step to install the rom was flashing vbmeta and disabling dm verity.
Click to expand...
Click to collapse
Disabled dm-verity caused red warning, i guess.
---------- Post added at 10:01 AM ---------- Previous post was at 09:58 AM ----------
foobar66 said:
Well ... bad luck ... I tried to change abl_b and reflash it ... phone is sort of *dead* now.
Does no longer boot at all.
However, when I plug it into the PC, I can see:
And then:
So it is not completely *dead* but in some sort of Qualcomm low level mode. I found some info here: https://together.jolla.com/question...ss-modem-any-chance-to-bring-it-back-to-life/ but did not make any progress yet.
EDIT: looking at MsmDownloadTool to debrick the phone ...
Click to expand...
Click to collapse
Edited abl.img ? and flashed via recovery/fastboot ?
AnoopKumar said:
Edited abl.img ? and flashed via recovery/fastboot ?
Click to expand...
Click to collapse
No, just flashed using dd command in TWRP shell.
foobar66 said:
No, just flashed using dd command in TWRP shell.
Click to expand...
Click to collapse
Phone still dead ?
OK ... I managed to recover my phone !
A windows PC with the MSM program did the trick.
I am now back to stock 9.0.5
foobar66 said:
OK ... I managed to recover my phone !
A windows PC with the MSM program did the trick.
I am now back to stock 9.0.5
Click to expand...
Click to collapse
I assume that, there is nothing to do with the abl.img. Only thing we can do with it is change the default strings to a song lyric or something. abl.img is the uefi firmware i guess. Bootloader is using the images stored in the logo partition.
Gsi's flash without breaking verity if u flash to both slots. And totally format. Fastboot -w. The phone sees any changes to partitions as corruption and breaks verity, hence red warning.. if someone would be inclined to talk to invisiblek from the essential threads, he could tell u of a fix. The solution is not in abl. It's in the stock boot.img. if I had more time, I would help
---------- Post added at 02:52 PM ---------- Previous post was at 02:51 PM ----------
tech_head said:
Different issue.
They are not trying to get rid of the red warning but the yellow warning for an unlocked BL.
On this phone, if you have a "red" warning you use the MSMDownload tool and go back factory including locking the BL.
This is a different case.
Click to expand...
Click to collapse
No, they are talking about breaking verity also. Seems to be both messages, but more recently the broken verity message. Which there is two types, one u can boot from, one u cannot.
jacksummers said:
U guys should talk [email protected] We had this issue of broken verity with the essential phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till.it fixes it, then u flash a proper kernel and you are good. Cuz as It stands one can only resolve this properly with the tool
Click to expand...
Click to collapse
I would love that idea. That would be really nice to have on our device