Hello everyone,
This is a AP.bin extractor
rewritten in plain C based on xonar_'s work and support both linux and win32
navossoc@xda introduced the "LGExtract.exe". the encrypyted/compressed kdz can be extracted/decrypted to AP.bin/CP.fls by LGExtract.exe
xonar_ made BIN/FLS extractor
http://forum.xda-developers.com/showthread.php?t=1879915
and release source(win32)
•http://forum.xda-developers.com/showpost.php?p=31432471&postcount=11 (original Java version by xonar_)
•http://forum.xda-developers.com/showpost.php?p=33426102&postcount=37 (win32 C port by navossoc)
•http://forum.xda-developers.com/showpost.php?p=34022349&postcount=141
Basically, the AP.bin file is plain raw file, the bootable images can be extracted by searching specific pattern "ANDROID!".
based on this work, I can figure out the AP.bin header information without searching specific pattern to extract boot.img/ext4 partitions/bootloader etc.
Usage
Download attached file. It include both win32 and linux binary and it's source(GPL).
• show AP.bin information
Code:
extract P990_AP.bin
• extract specific section
Code:
extract P990_AP.bin 3
• or extract all images
Code:
extract P990_AP.bin -1
TODO
• show filenames or partitions
References
mman-win32 is used to port win32 binary
• mman-win32 (GPLv2) by kutuzov - http://code.google.com/p/mman-win32/
• http://forum.xda-developers.com/showpost.php?p=34078601&postcount=148
ChangeLog
•*oops! no source change. just replace with working extract.exe (reported by spyrosk and Kostja_V)
Credits
• navossoc - the Author of LGExtract.exe and win32 C port of extractor.
• xonar_ - BIN/FLS extractor and it's java source.
This is a cool tool, wkpark, but I don't understand the difference to the already available tool here:
(it already does extract AP.bin files of the latest ICS leaks, dumping all the available partitions.
But I guess your tool does dump more things like header and bootloader? Could you please write the differences of those two tools?
Also it would be cool to get a tool which is capable of re-merging changed partitions (system.img, boot.img, recovery.img, cracked bootloader) again to a AP.bin --- would that possible? We could create Smartflah-Custom-ROMs then!)
Stefan Gündhör said:
This is a cool tool, wkpark, but I don't understand the difference to the already available tool here:
(it already does extract AP.bin files of the latest ICS leaks, dumping all the available partitions.
But I guess your tool does dump more things like header and bootloader? Could you please write the differences of those two tools?
Also it would be cool to get a tool which is capable of re-merging changed partitions (system.img, boot.img, recovery.img, cracked bootloader) again to a AP.bin --- would that possible? We could create Smartflah-Custom-ROMs then!)
Click to expand...
Click to collapse
as I already mentioned, just rewritten in plain C to make it more portable to support both linux and win32
and make it more unix friendly
and this tool print the exact address and size of images to make it possible to use "dd" to fix AP.bin without any specific tools
e.g.)
Code:
$ extract SU660_AP.bin
filesize: 939524096
[01] address=0x00100000 size=0x00300000
[02] address=0x00400000 size=0x00080000
[03] address=0x00480000 size=0x00180000
[04] address=0x00600000 size=0x20000000
[05] address=0x20600000 size=0x00800000
[06] address=0x20e00000 size=0x01400000
[07] address=0x22200000 size=0x15e00000
$ extract SU660_AP.bin 6 # 6 is recovery.img
...
$ dd if=cwm.img of=SU660_AP.bin bs=1024 seek=$(printf "%d" $((0x20e00000 / 1024))) conv=notrunc
now we got CWM injected AP.bin!
But currently you cant use this method for ICS firmwares
wkpark said:
as I already mentioned, just rewritten in plain C to make it more portable to support both linux and win32
and it is more unix friendly
Click to expand...
Click to collapse
Aaaah okay cool
What about the re-merging thing, do you think you could maybe look into that?
Edit: Ah I see you updated your post, thanks!
Simply awesome. Thanks wkpark!
Very good utility, bravo!
I have been able to decipher everything except partitions 1 and 2, in total there are 7 partitions
1. 01.img
2. 02.img
3. bootloader.img
4. boot.img
5. recovery.img
6. data.img
7. ext3_system.img
I have created a shell for Linux
Use
Copy the file P990_AP.bin into the AP_Toolkit folder /
Run menuen.sh or menues.sh
Look very useful! Tnx dude!
Homero2 said:
Very good utility, bravo!
I have been able to decipher everything except partitions 1 and 2, in total there are 7 partitions
1. 01.img
2. 02.img
3. bootloader.img
4. boot.img
5. recovery.img
6. data.img
7. ext3_system.img
I have created a shell for Linux
Use
Copy the file P990_AP.bin into the AP_Toolkit folder /
Run menuen.sh
Click to expand...
Click to collapse
I guess the order of images are not always the same,
the V30C of SU660 is somewhat different, so this script is not compatible with SU660
some images like as bootable images can be detected by the following method
the bootable images easily checked by dd
Code:
[ $(dd if=boot.img bs=1 count=8 2>/dev/null) = 'ANDROID!' ] && echo "this a is bootable image"
OK, actually the structure varies between models, I have checked that there are differences between P990 and SU660.
And within the same model varies structure?, I've tried several versions of P990 and it seems that the structure is maintained.
Homero2 said:
Very good utility, bravo!
I have been able to decipher everything except partitions 1 and 2, in total there are 7 partitions
1. 01.img
2. 02.img
3. bootloader.img
4. boot.img
5. recovery.img
6. data.img
7. ext3_system.img
I have created a shell for Linux
Use
Copy the file P990_AP.bin into the AP_Toolkit folder /
Run menuen.sh or menues.sh
Click to expand...
Click to collapse
If I remember well partition 1 is the bct file. I suppose that partition 2 has something to do with partition layout .
Sent from my LG-P990 using xda app-developers app
This is a new version, it is more complex than the previous version, also includes the BAT version for Window.
Forgive if there is any error in the Windows version, long time that I do not write anything serious for Windows.
In the menu you can choose the model (P990 or SU660)
Researching a bit I have seen that the 01.img portion is the star.bct, but...
The original file weighs in at 4.0kb, which is obtained with AP_Tool weighs 3.0 MB
With a hex editor I saw that the heading is:
Code:
32 DB 10 C0 A8 A2 5 C 3F 1B 17 34 84 15 57 C6
Looking for I found 7 headers, I extracted them and got 7 files which then I expose in the order found within the 01.img file
star_0.bct - 4.0Kb - this is good (exactly of 000 to FFF)
star_1.bct - 508.0Kb
star_2.bct to star_6.bct - 512.0Kb
Guys,
the extract exe in first post does not work properly. I think it doesn't extract the partitions at the right headers.
I extracted the V28g bin file and the system and data partitions when mounted are unreadable.
Using the extract2 (attached) the partitions are readable perfectly.
The sizes also, differ between the two set of partitions.
I felt I had to let you know.
spyrosk said:
Guys,
the extract exe in first post does not work properly. I think it doesn't extract the partitions at the right headers.
I extracted the V28g bin file and the system and data partitions when mounted are unreadable.
Using the extract2 (attached) the partitions are readable perfectly.
The sizes also, differ between the two set of partitions.
I felt I had to let you know.
Click to expand...
Click to collapse
Did you use the LG extract.exe or other tool to get the ap.bin?
It works perfectly with the lgextract.exe that's why I wrote this post
And why don't you attach your source code?
Isn't it modified extract.c?
Or just binary hacked executable
found at the navossoc's post?
The license of this source code is GPL but you didn't include modified source code in it.
Sent from my LG-P990 using xda app-developers app
wkpark said:
Did you use the LG extract.exe or other tool to get the ap.bin?
It works perfectly with the lgextract.exe that's why I wrote this post
And why don't you attach your source code?
Isn't it modified extract.c?
Or just binary hacked executable
found at the navossoc's post?
The license of this source code is GPL but you didn't include modified source code in it.
Sent from my LG-P990 using xda app-developers app
Click to expand...
Click to collapse
I did use LGExtract.exe to get the bin.
I just downloaded the binary in the first post of this thread. I didn't touch the source code.
The tool from OP doesn't work for me too. The extracted system.img size is 515mb, but should be 512, so it is not flashable via nvflash.
On the screenshot you can see, that files extracted using extract-v0.1 from the OP and extract2 from the http://forum.xda-developers.com/showpost.php?p=34100186&postcount=2 have different sizes.
spyrosk said:
Guys,
the extract exe in first post does not work properly. I think it doesn't extract the partitions at the right headers.
I extracted the V28g bin file and the system and data partitions when mounted are unreadable.
Using the extract2 (attached) the partitions are readable perfectly.
The sizes also, differ between the two set of partitions.
I felt I had to let you know.
Click to expand...
Click to collapse
Kostja_V said:
The tool from OP doesn't work for me too. The extracted system.img size is 515mb, but should be 512, so it is not flashable via nvflash.
On the screenshot you can see, that files extracted using extract-v0.1 from the OP and extract2 from the http://forum.xda-developers.com/showpost.php?p=34100186&postcount=2 have different sizes.
Click to expand...
Click to collapse
thankyou for your testing!!
confirmed !
my bad.. I uploaded not correctly patched win32 executable by mistake.
I just replace the old one with a working win32 binary.
Homero2 said:
Researching a bit I have seen that the 01.img portion is the star.bct, but...
The original file weighs in at 4.0kb, which is obtained with AP_Tool weighs 3.0 MB
With a hex editor I saw that the heading is:
Code:
32 DB 10 C0 A8 A2 5 C 3F 1B 17 34 84 15 57 C6
Looking for I found 7 headers, I extracted them and got 7 files which then I expose in the order found within the 01.img file
star_0.bct - 4.0Kb - this is good (exactly of 000 to FFF)
star_1.bct - 508.0Kb
star_2.bct to star_6.bct - 512.0Kb
Click to expand...
Click to collapse
the image 01(BCT) and 02(PT. Partition Table) are updated by the Smartflash or NVFlash automagically.
you can't even simply download(flash) the BCT/PT image at all
like as MBR and PT, the BCT also duplicated itself
@wkpark hi,
I bumped into the following issue, when I first had an idea making an option in AIO-Toolkit to switch between locked and yours unlocked new bootloader.
I extracted stock bootloader image with your bin extractor.
I also checked its md5 with a backed-up (by nvflash) one's (which was smartflashed) and are the same.
So far so good and your bin extractor works perfectly.
When I try to flash it, nvflash always stops here | 1507328/1572864 bytes sent
Do you have any idea why this happens?
Since the unlocked one is much smaller than the total size of the partition, I suppose stock one has about the same actual size.
Could you please make an image of the stock one for me (with its data only)? get the original from here
cause I don't know how to do it myself and actually I am on a leave and I don't have any linux pc available.
I'd like to give a try because now I am curious, why the cracked one can be flashed and the stock not.
Thank you in advance for your help
Cheers
spyrosk said:
@wkpark hi,
I bumped into the following issue, when I first had an idea making an option in AIO-Toolkit to switch between locked and yours unlocked new bootloader.
I extracted stock bootloader image with your bin extractor.
I also checked its md5 with a backed-up (by nvflash) one's (which was smartflashed) and are the same.
So far so good and your bin extractor works perfectly.
When I try to flash it, nvflash always stops here | 1507328/1572864 bytes sent
Do you have any idea why this happens?
Since the unlocked one is much smaller than the total size of the partition, I suppose stock one has about the same actual size.
Could you please make an image of the stock one for me (with its data only)? get the original from here
cause I don't know how to do it myself and actually I am on a leave and I don't have any linux pc available.
I'd like to give a try because now I am curious, why the cracked one can be flashed and the stock not.
Thank you in advance for your help
Cheers
Click to expand...
Click to collapse
Hi! I was facing the same problem like you. Open the bootloader.bin in a hex editor (WinHEX or any other hexeditor) and delet all the FF hex values from the end of the file. I hope it will work for you
Edit: I deleted the FF a valuses frrom the the backed up bootloader
Related
I'm starting this thread to document the work on creating a custom recovery image for the Tattoo.
The main goal is to provide a recovery image that will serve as the launchpad for flashing custom roms.
The Tattoo Custom Recovery Image will provide:
1) A way to use an update.zip signed with test-keys (already accomplished);
2) A way to perform a full backup of mtd2,mtd3,mtd4 and mtd5 (boot,system,cache and data).
3) A way to perform a full restore of the backup achieved by 2);
4) Adb support (already accomplished);
4.1) Adb shell support.
I'm open to input about using nandroid. Right now, without a S-OFF/ENG SPL this looks useless.
Also, if you have any other special need for recovery, please feel free to express it
Alpha release
Tattoo's Custom Recovery Image, Alpha Release
This first release includes:
- ADB enabled recovery
- ADB enabled root shell
- Accept update.zip signed with test keys
- All partitions mounted
- Custom recovery program (the last two options are stubs, not really working yet)
- Included in /sbin: busybox, flash_image and BART
- I've not used BART and, at the moment, cannot attest if it works or not.
- Backup script in /sbin/backup.sh
- Restore script in /sbin/restore.sh
With this custom recovery you can now do a full backup of your unit, by dumping the mtd block devices to your sdcard. Afterwards, you can use flash_image to recover your Tattoo to it's previous state.
I'm releasing this image as is. This is not a point-and-click recovery tool. If you don't know what you're doing, you can seriously damage your unit. The only reason I'm releasing this is in an effort to provide other devs with a way to easily recover their units, back to day-to-day configuration, while experimenting with them.
To flash:
Copy TCRI.alpha.img to /sdcard.
Run "flash_image recovery /sdcard/TCRI.alpha.img"
To reboot into recovery (quickest way)
adb reboot recovery
Please comment
thanks for you work
i try to flahs and get permission denied, do you know why?
flash_image: permission denied
chusen said:
i try to flahs and get permission denied, do you know why?
Click to expand...
Click to collapse
Partition remounted writeable from a fresh rebooted system with the tattoo-hack.ko module inserted??
But I'm sure you did that before because of:
I'm releasing this image as is. This is not a point-and-click recovery tool. If you don't know what you're doing...
Click to expand...
Click to collapse
;-)
-bm-
Thank you very much for your excellent job
Someone could install custom alpha recovery?
thx
@-bm-:yes I will try that way since the beginning. i mount with rw permissions /system and /data. i know is not a point-and-click recovery tool but i think i need more permissions but where?
Where did you guys get your flash_image binary from ?
The error you're getting is from flash_image, not from my recovery image.
I'll attach the flash_image I've been using to this post.
Please tell me if this solves your problem. You need tattoo-hack.ko module inserted, if you're using a release kernel.
Edit: You have the correct permissions in your flash_image binary, right ? After pushing it to the device, don't forget to chmod 755
It works I like drawing, jejeje.
Backup and Restore functionality appears to have no further
The adb root shell is perfect
Very good Work
for when the beta version? and the final version? lol
I try to dump the system userdata and boot.img and when i try to extract with unyasffs and i get this when i try to extract system.img
Code:
4 [main] unyaffs 3940 handle_exceptions: Exception: STATUS_ACCESS_VIOLATION
644 [main] unyaffs 3940 open_stackdumpfile: Dumping stack trace to unyaffs.exe.stackdump
and this with others
Code:
broken image file
Code:
[email protected]:~/Tattoo/images/boot/1$ ../../unpack.pl ./boot.1.img
Page size: 2048 (0x00000800)
Kernel size: 1899580 (0x001cfc3c)
Ramdisk size: 160952 (0x000274b8)
Second size: 0 (0x00000000)
Board name:
Command line: no_console_suspend=1 console=null
Writing boot.1.img-kernel ... complete.
Writing boot.1.img-ramdisk.gz ... complete.
528 blocks
[ boot.1.img-ramdisk.gz decompressed to boot.img-ramdisk ]
My image dumping script is OK
Take a look here: http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images
The boot.img is not a yaffs2 image. It's a special format, comprised by a 2k header, a kernel image and a ramdisk.
The system.img is a yaffs2 image. From unyaffs's homepage: "Unyaffs is a program to extract files from a yaffs file system image. Now it can only extract images created by mkyaffs2image."
Chusen, I think it would be better to create a new thread for this, since it doesn't concern the custom recovery image directly.
Thank god for custom recovery!
Now we can really start cooking ROMs... gonna break out the tools tonight and get Android 1.6/2.1 sources ready to compile.
leon1984 said:
for when the beta version? and the final version? lol
Click to expand...
Click to collapse
You tell me
Next in line is to tie the backup/restore scripts to the UI, which won't be too hard.
Later, I may mess around with nandroid and bart, to see if they provide something more than my scripts.
Afterwards, when we have some custom roms available, I may create a downloader/updater option, to make it easier to install those.
Also, I'm taking requests for new features
suggestions about scripts
Excellent work, mainfram3. Thank you.
I have extracted the img file, and check backup.sh and restore.sh scripts. The code for checking sdcard remaining space is done. Here it is:
Code:
## TEST: Check free space in sdcard
NEED_KB="200000"
REM_KB=`du /sdcard | awk '{print $6}'`
if [ ${REM_KB%K} -lt $NEED_KB ]; then echo "Not enough space in /sdcard, exiting"; exit; fi
backup space min set to 200MB.
There is another suggestion about restore.sh. Because of backing up img to /sdcard/Backup, $1 might not be needed, right?
mainfram3 said:
Code:
[email protected]:~/Tattoo/images/boot/1$ ../../unpack.pl ./boot.1.img
Page size: 2048 (0x00000800)
Kernel size: 1899580 (0x001cfc3c)
Ramdisk size: 160952 (0x000274b8)
Second size: 0 (0x00000000)
Board name:
Command line: no_console_suspend=1 console=null
Writing boot.1.img-kernel ... complete.
Writing boot.1.img-ramdisk.gz ... complete.
528 blocks
[ boot.1.img-ramdisk.gz decompressed to boot.img-ramdisk ]
My image dumping script is OK
Take a look here: http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images
The boot.img is not a yaffs2 image. It's a special format, comprised by a 2k header, a kernel image and a ramdisk.
The system.img is a yaffs2 image. From unyaffs's homepage: "Unyaffs is a program to extract files from a yaffs file system image. Now it can only extract images created by mkyaffs2image."
Chusen, I think it would be better to create a new thread for this, since it doesn't concern the custom recovery image directly.
Click to expand...
Click to collapse
and if you want to extract the boot.img here are the two scripts you need to fully extract the kernel(zImage) and ramdisk
split_bootimg.pl
and
extract-ramdisk.sh
they are attached below
jamezelle:
extract-ramdisk.sh missed #!, and the ramdisk zip file should be passed to $1 of this script.
mainfram3 said:
1) A way to use an update.zip signed with test-keys (already accomplished);
Click to expand...
Click to collapse
Hi mainfram3,
I don't want to jack your thread - could you add a little elaboration on this point, or provide a URL so I can learn a little more? The SPL on the phone (oem-78 or fastboot mode) accepts updates signed with the test key from the SDK? (Or some other key?) (On the Eris, the "rom.zip" files unpacked by the RUU are prepended with a mystery blob of 256 bytes - s'pose it could be a mic/sig, but if that's what it is, it don't appear to be in a standard DSA/RSA format, and those .zip files are not signed using the .apk/.jar manifest-signing method)
FYI here's an entertaining story of an epic fail in a related area. After reviewing the fastboot sources from the android tree, I decided that I wanted to spy on the (Windows) RUU update program by sniffing the USB bus - in particular to see if it was explicitly passing signatures in .sig files. (That's an undocumented command-line behavior in fastboot.)
Turns out that recent versions of libpcap and Wireshark allow for USB bus capture on Linux - and using the "usbmon" kernel module in Ubuntu 8.04 LTS, sniffing the USB (5k packet size) seems to work without hitch, even at USB 2.0 speeds. So I took it one step further, and installed WIn Xp SP3 in a QEMU VM on the Ubuntu machine, with the intention of running the RUU updater inside the Xp VM and sniffing the USB bus in the host OS (Linux) machine.
The result? QEMU/Win Xp VM can talk to the phone in either fastboot or adb mode, but bluescreens as soon as you start to move data at any appreciable rate. Doesn't seem to be dependent on whether monitoring is taking place. I might try putting the phone behind a cheapo USB 1.1 hub, and see if that helps, but for the moment I am stopped out on this hack.
bftb0
cn.fyodor said:
jamezelle:
extract-ramdisk.sh missed #!, and the ramdisk zip file should be passed to $1 of this script.
Click to expand...
Click to collapse
it works yea sorry about the
#/bin/sh
i didnt write the scripts btw
After releasing my custom recovery and boot images several people have messaged me about how to create these images.
First, you need to read this article, carefully: http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images. It explains the format of these images. I suggest you try to extract the kernel and the ramdisk with a hex editor, as it will help you understand how the format works.
Afterwards, for convenience, you can use the two scripts provided in that page: unpack-bootimg.pl and repack-bootimg.pl.
You should now have two files, the kernel and the ramdisk.
Extract the contents of the ramdisk with:
Code:
gunzip -c ramdisk.cpio.gz | cpio -i
You can now proceed to alter what you wish, in the ramdisk.
For repacking, I use the tools provided in the Android 1.6 SDK. You need to download it from http://developer.htc.com/. After compiling the SDK, you should have (among others) these two tools: mkbootfs and mkbootimg.
To recreate the ramdisk, use the following command (assumes ramdisk in ramdisk folder):
Code:
mkbootfs ramdisk | gzip > ramdisk.gz
And now, to recreate the image:
Code:
mkbootfs [b]--base 0x2e00000[/b] --cmdline 'cmdline: no_console_suspend=1 console=null' --kernel kernel.gz --ramdisk ramdisk.gz -o my_new_boot_image.img
The only tricky part, and where I guess everyone is having problems, is with the --base 0x2e00000 option. This is the base address for the kernel and, without this, your Tattoo will hang at boot.
Do not try to create custom images unless you are fully aware of what you're doing. YOU CAN BRICK YOUR DEVICE
Best of luck
Thanks a lot mainfram3!
I'll base CoburnROM's boot.img off yours, and then we'll go from there.
All we need now is a how to on make your own system.img (either taking a RUU system and gutting the crap out of it or using one that a member has precompiled as a base) and we'll be set for cookin' ROMs with gas. Want fries with dat?
Thanks a million!
Cool! You have dispeled the clouds.
mf3: How did you know that base address of the kernel? I repacked the boot.img file without the option '--base xxx', that's why this one bricked my tattoo i think.
Thanks, you did the great job.
BTW, I break through this cloud by using HEX editor to comparing your image and mime and found that the kernel address, ramdisk address are different. But I don't know why... Would you mind to tell us why and how you find it??
huchengtw said:
Thanks, you did the great job.
BTW, I break through this cloud by using HEX editor to comparing your image and mime and found that the kernel address, ramdisk address are different. But I don't know why... Would you mind to tell us why and how you find it??
Click to expand...
Click to collapse
See at kernel sources at the file:
arch\arm\mach-msm\include\mach\memory.h
.....
/* physical offset of RAM */
#if defined(CONFIG_ARCH_MSM7225) || defined(CONFIG_ARCH_MSM7625)
#define PHYS_OFFSET UL(0x02E00000)
.....
I think there it is ......
cya
Well, actually I got the base address from looking at bootimg.h, to understand the structure of the header in the image files.
I then figured out the the kernel base address in the boot.img and recovery.img from the rom.zip (from the RUU) and compared it against the kernel address in the images I was creating. After that, I adjusted the arguments to mkbootimg so that it would generate a file with the same address as the originals.
i am trying to put together a recovery for the Sholes XT701. obviously i am missing this base offset because it hangs at boot. i was looking in the memory.h file and see the following but this is for the ram. where can i find the base offset for the kernel? that is what i need right?
Code:
#elif defined(CONFIG_MACH_SHOLES_UMTS) || defined(CONFIG_MACH_MAPPHONE)
#define PHYS_OFFSET UL(0x80C00000)
do you have a bootimg.h ? mainfram3 got his information from there...
Did you tried to put all in a rom.zip and replace the one that comes with Ruu WWE? IF the addresses are the same maybe it will flash your custom rom.
mainfram3 said:
Well, actually I got the base address from looking at bootimg.h, to understand the structure of the header in the image files.
I then figured out the the kernel base address in the boot.img and recovery.img from the rom.zip (from the RUU) and compared it against the kernel address in the images I was creating. After that, I adjusted the arguments to mkbootimg so that it would generate a file with the same address as the originals.
Click to expand...
Click to collapse
sorry,but how to create recovery.img?
is boot.img==recovery.img?
mainfram3 said:
And now, to recreate the image:
Code:
mkbootfs [b]--base 0x2e00000[/b] --cmdline 'cmdline: no_console_suspend=1 console=null' --kernel kernel.gz --ramdisk ramdisk.gz -o my_new_boot_image.img
Click to expand...
Click to collapse
Hi,
isn't it mkbootimg instead of mkbootfs to create an image?
Moreover, the script repack-bootimg.pl doesn't work for me. But your method using mkbootfs works well.
Thanks.
can an expert help me out? I have 2 recoveries, both of which can be flashed to my phone without any problem, except I have troubles using them.
Recovery X can be used without any problem, all the options work and I can perform nandroid backup and restore perfectly fine. However, it's missing the option to flash a custom rom from the memory card.
Recovery Y supports all the options, including the option to flash a custom rom from the memory card. However, it's not made specifically for my phone, which means that none of the buttons on my phone work. Therefore, I can only navigate through the options up or down, but I can't select it or go back.
My phone is a chinese clone btw, the brand is STAR A1000. That's why there aren't many properly made recoveries available for it. Anyway, since Recovery X works, I was wondering if someone could just compare the 2 recoveries and just change the button mappings on Recovery Y, as you can simply take the button mapping from Recovery X and that's it?
I dunno how to do it and don't wanna risk bricking my phone or anything, so if someone can kindly help me out that would be great.
I don't have this phone, but isn't there a keychars.pl file under /usr/"don't know the name anymore"/? there are files assigning an action to a pressed key - you just have to compare the keychars file from X and Y and change the Y keychars accordingly. Hope that helps, since I also never did this before.
Oh well I didn't know that
I dunno anything about creating a recovery or boot image. All I know is how to flash it and root the phone, i.e just the basic stuff.......
would you be able to help me compare the files and make the changes?
Here's the link to the files:
http://forum.xda-developers.com/attachment.php?attachmentid=740516&d=1317801095
http://forum.xda-developers.com/attachment.php?attachmentid=737495&d=1317534773
the first link is the recovery that is currently working for me, but doesn't have the option to flash a firmware from the memory card. It's a modified version of the ClockworkMod Recovery v4.0.0.5.
as for the 2nd link, please extract just the "a1000.img" recovery. My phone is the STAR A1000 and that's the recovery that contains all the options, except the buttons don't work on it. It's also in chinese but I can read it. So ya, I just need someone to remap the buttons that work in the "cw.img" recovery and copy that to the "a1000.img" recovery....
I ported my automatic boot image modifier from Linux/Ubuntu to Windows. As with the Ubuntu version, my auto-modifier redirects ROM filesystem mounts from emmc (internal memory) to SD card (external memory) in the boot image to more quickly boot a ROM hosted on SD.
Features
Simple, lightweight install. No need to separately install Cygwin and required packages.
As with the Ubuntu version, the boot image ramdisk directory is automatically modified to redirect filesystem mounts for /system, /cache and /data from emmc to SD card so you can quickly boot a ROM hosted on SD. No other changes are made, though the Perl code can be altered as necessary to further modify ramdisk.
Tested working on XP using NottachTrix 1.3.1 AT&T boot image file. For Win 7, you may need to tweak User Access Control (UAC) to launch Cygwin.
Note: The unpacker script is just a copy of “split_bootimg.pl“ found here: http://www.enck.org/tools.html (Thanks Bill.)
Instructions
1. Download cygwin-auto-modify-boot.zip (50MB) here: http://www.mediafire.com/?kz9fqzwznzizb1z
2. Unzip files to Windows c:\ . OR, if you already have a fully functioning c:\cygwin build that contains the Perl v5.14.2, cpio and gunzip binaries, you should only need to extract the directory: cygwin\home\modify-boot to c:\. In any event, you should backup your existing c:\cygwin directory prior to unzipping.
3. Copy the original boot image file (boot.img in this example) to c:\cygwin\home\modify-boot
4. Navigate to c:\cygwin and launch c:\cygwin\cygwin.bat . This opens a cygwin command window, and also generates a set of user configuration files if opened for the first time.
5. In the Cygwin command window, enter: cd ../modify-boot . Here is my directory listing after Cygwin configured my system:
6. In the Cygwin command window, enter the command: ./modify-boot.sh boot.img and press Enter at the prompts. For me, the entire process took ~30 seconds to modify a NottachTrix boot image.
If everything goes right, the system creates a “boot-repack.img” file based on the modified ramdisk and stores it in the modify-boot directory. Various log/debug data are presented on screen and stored in the modify-boot directory.
That’s all! From here you can “fastboot flash boot boot-repack.img” to boot your SD-based ROM, or store the modified image in a boot configuration directory. See http://forum.xda-developers.com/showthread.php?t=1645344
Please note: The size of my dev team has never exceeded one (me); yet I will try to field requests for help as I am able.
References and Credits
http://cygwin.com/install.html
http://www.enck.org/tools.html
http://forum.xda-developers.com/showthread.php?t=1630130
+++++
Linux/Ubuntu Version
Many have studied this excellent tutorial on how to unpack, modify and repack Android ROM boot images: http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images. Its contents form a solid baseline for customizing ROM boot images and ROMs in general. Here I attempt to automate the process of modifying boot images.
Results thus far provide an efficient means of booting ROMs that are cloned to SD card (see my clone thread: http://forum.xda-developers.com/showthread.php?t=1764680 ), as shown in the example below.
modify-boot zip: http://www.mediafire.com/?luobv279pcv827k contains five files: three Perl scripts to unpack, modify and repack a boot image, the “mkbootimg” executable, and an executive batch file to run the three Perl scripts in sequence.
Boot image modifier script: modify-bootimg-atrix.pl features a useful example of how customizations can be pre-programmed by including code to redirect ROM filesystem mounts to SD card, thus enabling us to boot SD card-based ROMs --- almost on the fly.
Of course there are many references to customizing boot images, but to my knowledge this is the first published attempt to automate the process. And since there are some interesting projects related to hosting Perl on Android (see References below), I think it would be fun to develop a CWM-flashable zip (or similar tool) that loads a Perl script interpreter and then runs a pre-programmed boot image modifier --- all on phone, without computer aiding.
Preliminaries
Linux-based OS (Ubuntu 12.04 preferred --- it's still free)
Android SDK Platform Tools (includes adb and fastboot)
Perl (Ubuntu 12.04 includes Perl 5.14.2)
Example: Boot Neutrino V2.8 GT cloned to SD card
Suppose we have already cloned Neutrino V2.8 GT ROM (/system, /cache and /data) to SD card. To boot it:
1. Download modify-boot.zip: http://www.mediafire.com/?luobv279pcv827k to Desktop and extract directory: /modify-boot to ~/Desktop
2. Extract boot.img from Neutrino V2.8 GT ROM.zip and drop it in ./modify-boot
3. Open a terminal, get root and cd ~/Desktop/modify-boot
4. Enter: “sh ./modify-boot.sh boot.img” and follow prompts (Output file: boot-repack.img)
5. Boot to fastboot and connect phone to computer
6. fastboot flash boot boot-repack.img
7. fastboot reboot
Once phone is booted, we can run a sanity check by entering:
adb shell (access Android filesystems)
# mount
Results should include the highlighted device names for filesystem mounts:
Code:
[COLOR="Blue"]/dev/block/mmcblk1p2 on /system[/COLOR] type ext4 (rw,noatime,nodiratime,errors=continue,barrier=0,nobh,data=writeback,noauto_da_alloc,discard)
[COLOR="Blue"]/dev/block/mmcblk1p4 on /data[/COLOR] type ext4 (rw,nosuid,nodev,noatime,nodiratime,barrier=0,nobh,data=writeback,noauto_da_alloc,discard)
[COLOR="Blue"]/dev/block/mmcblk1p3 on /cache[/COLOR] type ext4 (rw,nosuid,nodev,noatime,nodiratime,errors=continue,barrier=0,nobh,data=writeback,noauto_da_alloc,discard)
We can now boot a cloned Neutrino V2.8 GT ROM from SD card, and/or save the modified boot image in a safe, visible location on SD card to configure dual boot (please see: http://forum.xda-developers.com/showthread.php?t=1645344 ). Or, we can roll the modified image into a flashable zip for a standalone boot push.
Standard disclaimers apply. In short, I am not responsible for any harm you or your phone may incur by using any or all of this material.
References
http://code.google.com/p/perldroid/
http://code.google.com/p/android-scripting/
http://forum.xda-developers.com/showthread.php?t=1585009
Credits
Many thanks to the Android Community Effort ( http://android-dls.com/wiki/index.php?title=Main_Page ), and to my friend and xda member ghost_og for his “mkbootimg” command-line fix that made boot image repacking work for Atrix.
Boot modifier script: modify-bootimg-atrix.pl includes logic to search both init.rc (Blur) and init.olympus.rc (CM) in ramdisk for ROM filesystem mounts.
Hi,
If you look at my Gobstopper for 2.3.6 I do exactly this kind of thing. I unpack the boot image into kernel and initramfs, modify init.rc, package it up again and flash back to boot. The binaries and source are included if you want to take a look.
Cheers!
Is it possible to modify partitions numbers? because i use different partitions because of webtop2sd and swap partition?
Adam
NFHimself said:
Hi,
If you look at my Gobstopper for 2.3.6 I do exactly this kind of thing. I unpack the boot image into kernel and initramfs, modify init.rc, package it up again and flash back to boot. The binaries and source are included if you want to take a look.
Cheers!
Click to expand...
Click to collapse
Elegant! Does it support multiple command lines? Also, does it support AT&T yet?
sendust7 said:
Elegant! Does it support multiple command lines? Also, does it support AT&T yet?
Click to expand...
Click to collapse
There is nothing Bell specific to it, static linked binaries so no rom dependence. It doesn't do anything about multiple command lines, no, the normal boot/recovery images have any at all, let alone multiple ones.
Cheers!
Is that right?
"5. Boot to fastboot and connect phone to computer
6. fastboot flash boot-repack.img
7. fastboot reboot"
Because my output is like this:
[email protected]:/home/gtmoraes/AtrixCM9/android-sdk-linux/platform-tools# ./fastboot flash boot-repack.img
unknown partition 'boot-repack.img'
error: cannot determine image filename for 'boot-repack.img'
[email protected]:/home/gtmoraes/AtrixCM9/android-sdk-linux/platform-tools#
and, of course, the boot-repack.img is in the same folder of fastboot
---
I've tried fastboot flash boot boot-repack.img. It softbricked
Reflashing the original boot.img de-bricked it without a hassle. Guess your solution is not compatible with Morrisoft CM7 ROM
GTMoraes said:
Is that right?
"5. Boot to fastboot and connect phone to computer
6. fastboot flash boot-repack.img
7. fastboot reboot"
Because my output is like this:
[email protected]:/home/gtmoraes/AtrixCM9/android-sdk-linux/platform-tools# ./fastboot flash boot-repack.img
unknown partition 'boot-repack.img'
error: cannot determine image filename for 'boot-repack.img'
[email protected]:/home/gtmoraes/AtrixCM9/android-sdk-linux/platform-tools#
and, of course, the boot-repack.img is in the same folder of fastboot
---
I've tried fastboot flash boot boot-repack.img. It softbricked
Reflashing the original boot.img de-bricked it without a hassle. Guess your solution is not compatible with Morrisoft CM7 ROM
Click to expand...
Click to collapse
Soft-brick is usually caused by one or more of the following:
1. The three ext partitions required to host ROM on SD card either do not exist, are not big enough or are corrupt.
2. The three ext partitions exist but no ROM is installed
3. ROM is not compatible with phone
4. User does not wait long enough for phone to boot after installing ROM. First boot usually takes 3 to 5 minutes as the phone is building cache. Subsequent boots should not take longer than a minute with a Class 4 or higher SD card.
And yes, the boot command should be: fastboot flash boot {boot-image}
Cheers
I ported my automatic boot image modifier from Linux/Ubuntu to Windows. As with the Ubuntu version, my auto-modifier redirects ROM filesystem mounts from emmc (internal memory) to SD card (external memory) in the boot image to more quickly boot a ROM hosted on SD.
Features
Simple, lightweight install. No need to separately install Cygwin and required packages.
As with the Ubuntu version, the boot image ramdisk directory is automatically modified to redirect filesystem mounts for /system, /cache and /data from emmc to SD card so you can quickly boot a ROM hosted on SD. No other changes are made, though the Perl code can be altered as necessary to further modify ramdisk.
Tested working on XP using NottachTrix 1.3.1 AT&T boot image file. For Win 7, you may need to tweak User Access Control (UAC) to launch Cygwin.
hi, the size from my original boot is 8 megas, after unpack and repack the size is 4.8 megas, and does not work, my boot is from motorola xt928, did you know why change the size,,thanks
Using CM10 from SD Card (Nottachtrix on internal)
For anyone looking to run Nottachtrix (or other rom) from internal memory and CM10 from external. You'll run into the same problem I did. The init.rc and init.olympus.rc files don't contain the partition information. You need to update the fstab.olympus file in the boot.img. I've attached mine for comparison. (note, after repartitioning my SD Card several times I ended up with a phantom partition (mmcblk1p4) therefore my data is actually on mmcblk1p5.
SD card partition sizes:
System: 340mb
Cache: 700mb
Data: 1.25gb
Additional notes about my partitioning experience:
The DD command in linux (and ADB) copies the entire partition exactly to the SD card's partition, therefore you lose space if you leave it this way. I used DD, but then used fsarchiver to backup all of the sd card's partitions, repartitioned the card again, and restored the partition info with fsarchiver. This made my SD card a lot cleaner and avoided wasting any space.
Everything's running great now. Thank you everyone who made dual booting possible!
Would this tool work on Desire HD?
Need some help. I pulled the boot.img created from ROM1 using copy-boot.img (until step 5 here) and when I ran modify-boot.sh on it, I got the below message:
Unpacking boot image...
Found a secondary file after the ramdisk image. According to the spec (mkbootimg.h) this file can exist, but this script is not designed to deal with this scenario.
So, I got the boot-NottachTrix-1.3.1-att-sd-ext.img file from this thread and fastboot flashed it, thinking it is already modified, but my phone didn't boot. Then I tried running modify-boot.sh on it and then realized that it has a binary that won't run on mac.
Could someone tell me if I am on the right track with the 2nd steps above so that I can get hold of a ubuntu machine? I tried running it on a puppy linux livecd and it didn't work.
Why didn't the first step work? Is the boot.img created by the copy-boot.sh not in the right format?
Update: I forgot to mention this, but I have NottachTrix 1.3.1 installed on emmc but the size of the boot.img extracted by copy-boot.sh doesn't match that of the one attached to the above link. The one linked is size 3440640 while the one copy-boot.sh created is of size 8388608. For now, I fastboot flashed the later and got back into ROM1. I meanwhile got a livecd boot of ubuntu and ran modify-boot.sh on the one I downloaded and it created boot-repack.img successfully, but I had no success booting with it either.
irha said:
Need some help. I pulled the boot.img created from ROM1 using copy-boot.img (until step 5 here) and when I ran modify-boot.sh on it, I got the below message:
Unpacking boot image...
Found a secondary file after the ramdisk image. According to the spec (mkbootimg.h) this file can exist, but this script is not designed to deal with this scenario.
So, I got the boot-NottachTrix-1.3.1-att-sd-ext.img file from this thread and fastboot flashed it, thinking it is already modified, but my phone didn't boot. Then I tried running modify-boot.sh on it and then realized that it has a binary that won't run on mac.
Could someone tell me if I am on the right track with the 2nd steps above so that I can get hold of a ubuntu machine? I tried running it on a puppy linux livecd and it didn't work.
Why didn't the first step work? Is the boot.img created by the copy-boot.sh not in the right format?
Update: I forgot to mention this, but I have NottachTrix 1.3.1 installed on emmc but the size of the boot.img extracted by copy-boot.sh doesn't match that of the one attached to the above link. The one linked is size 3440640 while the one copy-boot.sh created is of size 8388608. For now, I fastboot flashed the later and got back into ROM1. I meanwhile got a livecd boot of ubuntu and ran modify-boot.sh on the one I downloaded and it created boot-repack.img successfully, but I had no success booting with it either.
Click to expand...
Click to collapse
I have a newer thread: Dual Boot Atrix: Simplified and Standalone: http://forum.xda-developers.com/showthread.php?t=2124668
which presents my own custom standalone tools to do the following:
Partition SD card
Copy ROM from EMMC to SD
Flash boot image via Atrix Boot Emporium
Flash another ROM of choice to EMMC
No computer required.
On first boot, elapsed time from power-up to welcome screen can be several minutes --- especially for larger ROMs --- as the system is building cache.
Hope this helps
sendust7 said:
I have a newer thread: Dual Boot Atrix: Simplified and Standalone: http://forum.xda-developers.com/showthread.php?t=2124668
which presents my own custom standalone tools to do the following:
Partition SD card
Copy ROM from EMMC to SD
Flash boot image via Atrix Boot Emporium
Flash another ROM of choice to EMMC
No computer required.
On first boot, elapsed time from power-up to welcome screen can be several minutes --- especially for larger ROMs --- as the system is building cache.
Hope this helps
Click to expand...
Click to collapse
Thank you very much! I was able to directly go to the step 4, since I manually copied the partitions already and after verifying that I could boot into the sdcard, used the steps in the "Configuring Dual Boot" thread to get it switch between the two.
It looks like my sdcard is too slow to run android from it, so I will have to find another faster card
UPDATE 09/20/2016 - Root is now available for the SM-T285 (custom ROM and SM-T280 to follow) see post for details (http://forum.xda-developers.com/showpost.php?p=68777842&postcount=27)
After some work I've managed to debloat my Galaxy Tab A(6) 7.0 LTE (SM-T285/T280). We all know that with a locked bootloader we
can at least do customizations with the system partition:
Here is a simple guide with hopes that more people with the device can continue to allow for more ROM customizations:
Tools/Requirements:
================
- Ubuntu as my OS
- make sure you have adb installed and running (See the android developers guide on how to do this)
- Heimdall 1.4.1
- A copy of the stock firmware zip from samsung for your device
- 7zip to be able to unzip the firmware from above
- Android AOSP fsutils simg2img and make_ext4fs (Attached) (note that your make_ext4fs needs to be patched to be able to generate samsung patches easily see gist) for some reason samsung chose to use a slightly different sparse file layout for this device. Using the stock make_ext4fs to generate an image will cause heimdall ( ad Odin) to stop data uploads after the first packet stream.
Or if you still want to use stock make_ext4fs you can try using Chainfire's sgs4ext4fs and run this after you generate your system.img, I haven't tried this route personally myself.
Step By Step (Part 1 - Mount stock system.img for modification)
==========
1. Create a folder to do your work like samsing_kitchen for example. Place your
stock firmware package there
Code:
mkdir samsung_kitchen
cd samsung_kitchen
2. Extract your stock firmware's system.img using 7zip
Code:
7z x XTC-T285XXU0APCN-20160421170750.zip
7z x T285XXU0APCN_T285OLB0APC6_T285XXU0APCN_HOME.tar.md5
Should see a couple of image files, one of them is system.img.
3. Create mount point and convert from sparse image to mountable image and then mount it
Code:
mkdir system
simg2img system.img system.img.raw
sudo mount -t ext4 -o loop system.img.raw ./system
The contents of the system image should now be visible inside the system folder you
just created. You can now proceed to modifiying it (e.g. remove apps)
(Part 2 - Repackage image for flashing to device)
=================================================
DISCLAIMER: As always make sure you backup your important files in case
something goes wrong! I will not be responsible for any losses resulting from this
activity. Also this activity may void your warranty.
Prequisites:
- Make sure you have heimdall properly working.
- Make sure you have oem unlock. This should be visible in developer settings
To know if it is enabled/disable FRP protection should be disabled when you go
in Odin mode.
1. pull the file_contexts file from .your device ( or download the attached in this post).
Code:
adb pull file_contexts
on a connected device in developer mode. You will need this file so that the permissions are properly set when building the image
2. Exit from system back to your working folder (e.g. samsing_kitchen ) and run
the following:
Code:
sudo make_ext4fs -s -l 2147483648 -S file_contexts -a system new_system.img ./system
This should create a flashable image called new_system.img
3. Restart your SM-T285 into Odin Mode (Power-off, then hold home vol-down + power until Odin Mode shows up)
4. Flash using Heimdall
Code:
heimdall flash --SYSTEM new_system.img
Your device should automatically restart after this. If something goes wrong you can always flash the original system image back.
Making an ODIN flashable image
----------------------------------------
To create an image compatible with ODIN (tar.md5) make sure you have a copy of the stock image zip from samsung and extract (using 7zip) its contents to a folder:
An extracted file should look like this:
Code:
boot.img
cache.img
hidden.img
nvitem.bin
recovery.img
SPRDCP.img
SPRDGDSP.img
SPRDLTEDSP.img
SPRDWDSP.img
system.img
replace the stock system.img with the one you created from above:
Code:
cp ../new_system.img system.img
tar and md5 it:
Code:
tar -H ustar -c boot.img cache.img hidden.img recovery.img SPRDCP.img SPRDGDSP.img SPRDLTEDSP.img SPRDWDSP.img system.img >T285_CUSTOM.tar
md5sum -t T285_CUSTOM.tar > T285_CUSTOM.tar
mv T285_CUSTOM.tar T285_CUSTOM.tar.md5
as per ashyx this should also work as well:
Code:
tar -H ustar -c system.img > system.tar
md5sum -t system.tar > sytem.tar
mv system.tar system.tar.md5
Optionally Zip it if you want:
Code:
7z a T285_CUSTOM.zip T285_CUSTOM.tar.md5
This guide should work for the T280 as well, though I can't confirm it since I don't have access to that model.
Petition for samsung to unlock the device:
https://www.change.org/p/samsung-unlock-the-bootloader-for-the-samsung-galaxy-tab-a-7-0-2016?recruiter=286570213&utm_source=petitions_share&utm_medium=copylink
Custom ROM to enable move apps to sd (apps2sd like support):
http://forum.xda-developers.com/android/development/rom-samsung-galaxy-tab-7-0-lte-2016-sm-t3455788
@jedld
Nice guide, just a few things though.
I don't think it's really necessary to use the file contexts as we're building a system image and all permissions should remain intact.
Regarding the chunk size, Chainfire created sgs4ext4fs to deal with this, it just needs to be run afterwards on the sparse image to patch the headers.
What is the source for the make_ext4fs patch or did you create this patch?
Lastly some people may prefer to use ODIN to flash.
So maybe you could add to the guide that the image can be repacked into a ODIN flashable tar using 7-zip.
By the way the guide will work for the T280 too, so you may want to add that.
Thanks.
ashyx said:
@jedld
Nice guide, just a few things though.
I don't think it's really necessary to use the file contexts as we're building a system image and all permissions should remain intact.
Regarding the chunk size, Chainfire created sgs4ext4fs to deal with this, it just needs to be run afterwards on the sparse image to patch the headers.
What is the source for the make_ext4fs patch or did you create this patch?
Lastly some people may prefer to use ODIN to flash.
So maybe you could add to the guide that the image can be repacked into a ODIN flashable tar using 7-zip.
By the way the guide will work for the T280 too, so you may want to add that.
Thanks.
Click to expand...
Click to collapse
I don't think it's really necessary to use the file contexts as we're building a system image and all permissions should remain intact.
Click to expand...
Click to collapse
I remember encountering a boot loop without that, let me check again and I'll update the guide.
What is the source for the make_ext4fs patch or did you create this patch?
Click to expand...
Click to collapse
Just applied the following patch on latest aosp sources:
https://gist.github.com/jedld/4f388496bda03b349f5744f367749a67
There is a magic number used which I can't figure out, the value is different between SM-T285 ROMS coming from different regions.
Nice to hear about sgs4ext4fs though, probably wouldn't be able to know based on the problem I encountered that the tool also applies unless someone pointed it out.
https://www.change.org/p/samsung-unl...edium=copyLink
Petition for unlocked bootloader for samsung, please sign
http://samsung4android.ru/?ipub=422
any thoguth on this?
klemen241 said:
http://samsung4android.ru/?ipub=422
any thoguth on this?
Click to expand...
Click to collapse
ashyx already tried everything. CF-auto root requires an unlocked recovery, the tablet won't even accept a repacked recovery image. Besides the guy in the video wasn't even using a SM-T285, if you look closely the files he used were for the SM-T550.
klemen241 said:
https://www.change.org/p/samsung-unl...edium=copyLink
Petition for unlocked bootloader for samsung, please sign
Click to expand...
Click to collapse
link is broken though, you must have used the auto truncated link, use this instead:
https://www.change.org/p/samsung-un...edium=copylink&recuruit_context=copylink_long
What about those custom roms? As far as i can see we can use modified stock rom. Can we go anywhere with that? And can someone explain how to make external storage bigger with SD?
SM-T285M with locked bootloader - research ...
First, I have a SM-T285M which is a Galaxy Tab A6 7.0 LTE with a COO CSC. and is factory unlocked (UB as Samsung notates it these days. It's got North and South America LTE bands, and unfortunately it also has a locked bootloader just like the T285 and the T280.
Hear me out on this theory I have come up with ....
I recently stumbled across mention of Samsung pushing out an OTA at some point that broke root at the kernel level forever. I read Chainfire has created a patch that fixes this on some models. Unfortunately not the T28x's due to the locked BL.
While looking for stock ROMS, I discovered differences in the pit files and the size of hidden.img that occurred between 3/2016 and 4/2016 releases leading me to believe that's when they locked the bootloader and pushed the root killing kernel ota to the T285M. The hidden.img was shrunk to a little more than the boot.img and the PIT was modified beginning with the 4/26 release
My T285M was built on 4/7/2016 and now having the new pit and hidden.img, any attempts at ODIN flashing of the 3/23 factory rom (3/10 build) crashes out at hidden.img. I figure I will be unable to go back to the 3/10 build unless I use the pit for that 3/10 build - I'm not ready to play that deep on this .... yet, I don't even know if I am on to anything at this point. but maybe someone else wants to ....
Take a peek at the contents of the three released roms for the T285M in the capture below and if anyone thinks theres hope in getting to root by going back to 3/10 build and PIT I can point you to the three files for experimentation, or even better to get to chainfire if this is doable.
BTW jedid GREAT debloat for the T285. I'm using the system.img on my T285M , I hated Touchwiz so much, now all we need is root. see if these tell you anything.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
klemen241 said:
What about those custom roms? As far as i can see we can use modified stock rom. Can we go anywhere with that? And can someone explain how to make external storage bigger with SD?
Click to expand...
Click to collapse
There are a number of things we can already do with a custom system.img like debloat, enable universal sd r/w, customizing apps, probably theming and fonts are also possible. Hopefully more people can come up with mods.
Unfortunately we need root/unlocked boot.img to do important things to fix the weakness of this device like changing partition sizes, enable apps2sd support, xposed framework, having customizable cpu performance governors/overclocking etc.
TopTongueBarry said:
First, I have a SM-T285M which is a Galaxy Tab A6 7.0 LTE with a COO CSC. and is factory unlocked (UB as Samsung notates it these days. It's got North and South America LTE bands, and unfortunately it also has a locked bootloader just like the T285 and the T280.
Hear me out on this theory I have come up with ....
I recently stumbled across mention of Samsung pushing out an OTA at some point that broke root at the kernel level forever. I read Chainfire has created a patch that fixes this on some models. Unfortunately not the T28x's due to the locked BL.
While looking for stock ROMS, I discovered differences in the pit files and the size of hidden.img that occurred between 3/2016 and 4/2016 releases leading me to believe that's when they locked the bootloader and pushed the root killing kernel ota to the T285M. The hidden.img was shrunk to a little more than the boot.img and the PIT was modified beginning with the 4/26 release
My T285M was built on 4/7/2016 and now having the new pit and hidden.img, any attempts at ODIN flashing of the 3/23 factory rom (3/10 build) crashes out at hidden.img. I figure I will be unable to go back to the 3/10 build unless I use the pit for that 3/10 build - I'm not ready to play that deep on this .... yet, I don't even know if I am on to anything at this point. but maybe someone else wants to ....
Take a peek at the contents of the three released roms for the T285M in the capture below and if anyone thinks theres hope in getting to root by going back to 3/10 build and PIT I can point you to the three files for experimentation, or even better to get to chainfire if this is doable.
BTW jedid GREAT debloat for the T285. I'm using the system.img on my T285M , I hated Touchwiz so much, now all we need is root. see if these tell you anything.
Click to expand...
Click to collapse
i was wondering the same thing, if ther is any chance of unlocking it on earlier versions.
Also i sent email to samsung support again, maybe they will be sick of us begging and release the lock
klemen241 said:
i was wondering the same thing, if ther is any chance of unlocking it on earlier versions.
Also i sent email to samsung support again, maybe they will be sick of us begging and release the lock
Click to expand...
Click to collapse
http://opensource.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=t285m
---------- Post added at 02:46 AM ---------- Previous post was at 02:36 AM ----------
TopTongueBarry said:
First, I have a SM-T285M which is a Galaxy Tab A6 7.0 LTE with a COO CSC. and is factory unlocked (UB as Samsung notates it these days. It's got North and South America LTE bands, and unfortunately it also has a locked bootloader just like the T285 and the T280.
Hear me out on this theory I have come up with ....
I recently stumbled across mention of Samsung pushing out an OTA at some point that broke root at the kernel level forever. I read Chainfire has created a patch that fixes this on some models. Unfortunately not the T28x's due to the locked BL.
While looking for stock ROMS, I discovered differences in the pit files and the size of hidden.img that occurred between 3/2016 and 4/2016 releases leading me to believe that's when they locked the bootloader and pushed the root killing kernel ota to the T285M. The hidden.img was shrunk to a little more than the boot.img and the PIT was modified beginning with the 4/26 release
My T285M was built on 4/7/2016 and now having the new pit and hidden.img, any attempts at ODIN flashing of the 3/23 factory rom (3/10 build) crashes out at hidden.img. I figure I will be unable to go back to the 3/10 build unless I use the pit for that 3/10 build - I'm not ready to play that deep on this .... yet, I don't even know if I am on to anything at this point. but maybe someone else wants to ....
Take a peek at the contents of the three released roms for the T285M in the capture below and if anyone thinks theres hope in getting to root by going back to 3/10 build and PIT I can point you to the three files for experimentation, or even better to get to chainfire if this is doable.
BTW jedid GREAT debloat for the T285. I'm using the system.img on my T285M , I hated Touchwiz so much, now all we need is root. see if these tell you anything.
Click to expand...
Click to collapse
UPDATE: I was able to get the 3/10 stock factory rom flashed without changing the pit. Replaced the hidden.img file in this rom with a renamed copy of the boot.img from the same rom. Flashing does fail in the very end, but it completes before failing so I simply rebooted immediately into Odin mode again to flash jedid's debloated system.img for the T285. Done this a couple times now and the device comes up just fine. About device and Phone Info Samsung confirm it is running the 3/10 build.
Bad news is the bootloader is locked in this build too. No hope unless someone can do something with the source. See prior post.
is open source same for t280? i have 280 not 285
klemen241 said:
is open source same for t280? i have 280 not 285
Click to expand...
Click to collapse
not sure how having the kernel source would help since we can't even change the kernel on the device which is kinda awkward for samsung. Besides I remember ashyx having compilation issues with spreadtrum kernel sources by samsung and not just for this device.
TopTongueBarry said:
http://opensource.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=t285m
---------- Post added at 02:46 AM ---------- Previous post was at 02:36 AM ----------
UPDATE: I was able to get the 3/10 stock factory rom flashed without changing the pit. Replaced the hidden.img file in this rom with a renamed copy of the boot.img from the same rom. Flashing does fail in the very end, but it completes before failing so I simply rebooted immediately into Odin mode again to flash jedid's debloated system.img for the T285. Done this a couple times now and the device comes up just fine. About device and Phone Info Samsung confirm it is running the 3/10 build.
Bad news is the bootloader is locked in this build too. No hope unless someone can do something with the source. See prior post.
Click to expand...
Click to collapse
I remember flashing an earlier build thinking the same thing and yep the bootloader is still locked. Aside from that I ran kingroot to see if there was anything exploitable... did'nt work. What I haven't tried is to see if superuser is disabled in this kernel though.
jedld said:
After some work I've managed to debloat my Galaxy Tab A(6) 7.0 LTE (SM-T285/T280). We all know that with a locked bootloader we
can at least do customizations with the system partition:
Here is a simple guide with hopes that more people with the device can continue to allow for more ROM customizations:
Tools/Requirements:
================
- Ubuntu as my OS
- make sure you have adb installed and running (See the android developers guide on how to do this)
- Heimdall 1.4.1
- A copy of the stock firmware zip from samsung for your device
- 7zip to be able to unzip the firmware from above
- Android AOSP fsutils simg2img and make_ext4fs (Attached) (note that your make_ext4fs needs to be patched to be able to generate samsung patches easily see gist) for some reason samsung chose to use a slightly different sparse file layout for this device. Using the stock make_ext4fs to generate an image will cause heimdall ( ad Odin) to stop data uploads after the first packet stream.
Or if you still want to use stock make_ext4fs you can try using Chainfire's sgs4ext4fs and run this after you generate your system.img, I haven't tried this route personally myself.
Step By Step (Part 1 - Mount stock system.img for modification)
==========
1. Create a folder to do your work like samsing_kitchen for example. Place your
stock firmware package there
Code:
mkdir samsung_kitchen
cd samsung_kitchen
2. Extract your stock firmware's system.img using 7zip
Code:
7z x XTC-T285XXU0APCN-20160421170750.zip
7z x T285XXU0APCN_T285OLB0APC6_T285XXU0APCN_HOME.tar.md5
Should see a couple of image files, one of them is system.img.
3. Create mount point and convert from sparse image to mountable image and then mount it
Code:
mkdir system
simg2img system.img system.img.raw
sudo mount -t ext4 -o loop system.img.raw ./system
The contents of the system image should now be visible inside the system folder you
just created. You can now proceed to modifiying it (e.g. remove apps)
(Part 2 - Repackage image for flashing to device)
=================================================
DISCLAIMER: As always make sure you backup your important files in case
something goes wrong! I will not be responsible for any losses resulting from this
activity. Also this activity may void your warranty.
Prequisites:
- Make sure you have heimdall properly working.
- Make sure you have oem unlock. This should be visible in developer settings
To know if it is enabled/disable FRP protection should be disabled when you go
in Odin mode.
1. pull the file_contexts file from .your device.
Code:
adb pull file_contexts
on a connected device in developer mode. You will need this file so that the permissions are properly set when building the image
2. Exit from system back to your working folder (e.g. samsing_kitchen ) and run
the following:
Code:
sudo make_ext4fs -s -l 2147483648 -S file_contexts -a system new_system.img ./system
This should create a flashable image called new_system.img
3. Restart your SM-T285 into Odin Mode (Power-off, then hold home vol-down + power until Odin Mode shows up)
4. Flash using Heimdall
Code:
heimdall flash --SYSTEM new_system.img
Your device should automatically restart after this. If something goes wrong you can always flash the original system image back.
Making an ODIN flashable image
----------------------------------------
To create an image compatible with ODIN (tar.md5) make sure you have a copy of the stock image zip from samsung and extract (using 7zip) its contents to a folder:
An extracted file should look like this:
Code:
boot.img
cache.img
hidden.img
nvitem.bin
recovery.img
SPRDCP.img
SPRDGDSP.img
SPRDLTEDSP.img
SPRDWDSP.img
system.img
replace the stock system.img with the one you created from above:
Code:
cp ../new_system.img system.img
tar and md5 it:
Code:
tar -H ustar -c boot.img cache.img hidden.img recovery.img SPRDCP.img SPRDGDSP.img SPRDLTEDSP.img SPRDWDSP.img system.img >T285_CUSTOM.tar
md5sum -t T285_CUSTOM.tar > T285_CUSTOM.tar
mv T285_CUSTOM.tar T285_CUSTOM.tar.md5
Optionally Zip it if you want:
Code:
7z a T285_CUSTOM.zip T285_CUSTOM.tar.md5
This guide should work for the T280 as well, though I can't confirm it since I don't have access to that model.
Click to expand...
Click to collapse
Anyway to do this on a windows machine?????
lohtse said:
Anyway to do this on a windows machine?????
Click to expand...
Click to collapse
Not sure though since you need to be able to mount an ext4 image, make modifications to it and then write it back. Plus the tools required to write the image back properly are only available in linux so I doubt there will be one for windows unless someone puts in effort to make something for it. The best I can do is to make a docker image where you can run it under windows with those tools if anyone is interested.
Just a note regarding the guide, it's not really necessary to add all the other partition images when creating the ODIN flashable tar.
All that is required is:
tar cvf system.tar system.img
jedld said:
Not sure though since you need to be able to mount an ext4 image, make modifications to it and then write it back. Plus the tools required to write the image back properly are only available in linux so I doubt there will be one for windows unless someone puts in effort to make something for it. The best I can do is to make a docker image where you can run it under windows with those tools if anyone is interested.
Click to expand...
Click to collapse
is there no way to create a set of files(zip etc) we windows users could flash using odin? would be a huge help if that could be done! also anyone have a link to a stock rom??
and finally I noticed that the US samsung site has a pdf manual for this tablet that refers to marshmallow!!!!!
http://www.samsung.com/us/business/support/owners/product/SM-T280NZWAXAR
lohtse said:
is there no way to create a set of files(zip etc) we windows users could flash using odin? would be a huge help if that could be done! also anyone have a link to a stock rom??
and finally I noticed that the US samsung site has a pdf manual for this tablet that refers to marshmallow!!!!!
http://www.samsung.com/us/business/support/owners/product/SM-T280NZWAXAR
Click to expand...
Click to collapse
I highly doubt this thing will get mm. [emoji52]
I found this tool that runs under Windows for extracting the Oreo system.img. Just put the system image into the program folder and run the convert.bat. The result is a system.ext4.img with could be opened and extracted with 7zip. You could also convert every other image like cust.img, boot.img, etc. But you have to rename every image to system.img. The convert.bat only works with this name.
Regards
You can just open a command prompt in the same folder as simg2img.exe and run:
simg2img.exe input_sparse.img raw_output.img
Then you can either use the included Ext2Explorer, or extract it using 7zip (this will not keep permissions/ownership).
You can not convert boot/recovery/ramdisk using this. Use Android Image Kitchen for that.
ante0 said:
You can just open a command prompt in the same folder as simg2img.exe and run:
simg2img.exe input_sparse.img raw_output.img
Then you can either use the included Ext2Explorer, or extract it using 7zip (this will not keep permissions/ownership).
You can not convert boot/recovery/ramdisk using this. Use Android Image Kitchen for that.
Click to expand...
Click to collapse
But cust.img worked without problems. Thought it works for every image from the firmware.
Coredown said:
But cust.img worked without problems. Thought it works for every image from the firmware.
Click to expand...
Click to collapse
system, vendor, cust, product, odm and version will convert fine.
For ramdisk/kernel/recovery partitions you need to use Android Image Kitchen as they're not sparse images.
ante0 said:
system, vendor, cust, product, odm and version will convert fine.
For ramdisk/kernel/recovery partitions you need to use Android Image Kitchen as they're not sparse images.
Click to expand...
Click to collapse
Alright, thanks for the information. I will give it a try.
It doesn't work for android 9 .img
D:\convert>simg2img.exe system.img raw_output.img
Bad magic
Edit: I've just extracted system.img with 7 zip
It Finally worked
other methods only extracted apps!