[Q] HTC One M7 - PN07120 - .hex and .mbn Files for QPST - One (M7) Q&A, Help & Troubleshooting

Hi All,
I have a bricked HTC One with the QDLoader mode. Under Linux it shows as qualcomm usb modem converter hence I can't use the unbricking tool to revive my phone.
My phone is from US and I have zero support in my country for HTC.
When I researched, I came to know that if I somehow get hold of MPRG8064T.hex and 8064t_msimage.mbn and some other files, I can use QPST to revive my phone. Can the experts at XDA educate me on the possible solution(s) or point me to the files required?
Also, as the same SoC is shared by the following devices, can I use the QPST files from any of these (are these files processor-specific only)?
HTC One Max
HTC One
Asus Padfone Infinity
LG Optimus G Pro
Oppo Find 5
Xiaomi Mi-2S
Samsung Galaxy S4 Active
Samsung Galaxy S4 I9505
ZTE Grand Memo
LG G Pad 8.3
Vivo Xplay
Oppo N1
LG GX
JiaYu S1
InFocus IN810
Oppo Find 5 Review
Amazon Fire TV
Panasonic Eluga P P-03E
Pantech Vega Iron InFocus IN815

D-r-e-a-m-e-r said:
Hi All,
I have a bricked HTC One with the QDLoader mode. Under Linux it shows as qualcomm usb modem converter hence I can't use the unbricking tool to revive my phone.
My phone is from US and I have zero support in my country for HTC.
When I researched, I came to know that if I somehow get hold of MPRG8064T.hex and 8064t_msimage.mbn and some other files, I can use QPST to revive my phone. Can the experts at XDA educate me on the possible solution(s) or point me to the files required?
Also, as the same SoC is shared by the following devices, can I use the QPST files from any of these (are these files processor-specific only)?
HTC One Max
HTC One
Asus Padfone Infinity
LG Optimus G Pro
Oppo Find 5
Xiaomi Mi-2S
Samsung Galaxy S4 Active
Samsung Galaxy S4 I9505
ZTE Grand Memo
LG G Pad 8.3
Vivo Xplay
Oppo N1
LG GX
JiaYu S1
InFocus IN810
Oppo Find 5 Review
Amazon Fire TV
Panasonic Eluga P P-03E
Pantech Vega Iron InFocus IN815
it's more likely your motherboard is dead and your SOOL ...sorry

I am also in this dilemma with a friend's phone, but it seems there is no clue about those files... Staying posted & subscribed if something arises...

D-r-e-a-m-e-r said:
I have a bricked HTC One with the QDLoader mode. Under Linux it shows as qualcomm usb modem converter hence I can't use the unbricking tool to revive my phone. [...] When I researched, I came to know that if I somehow get hold of MPRG8064T.hex and 8064t_msimage.mbn and some other files, I can use QPST to revive my phone. Can the experts at XDA educate me on the possible solution(s) or point me to the files required?
Poesini said:
I am also in this dilemma with a friend's phone, but it seems there is no clue about those files... Staying posted & subscribed if something arises...
Me, too. I can't find MPRG8064T.bin/.hex anywhere.

G0DKING said:
Me, too. I can't find MPRG8064T.bin/.hex anywhere.
Actually I might be able to help hold on will be back in a few hours
Lol
I swear I saw those file on my desktop.
Sent from my SM-T320 using XDA Free mobile app

shawnsingh said:
Actually I might be able to help hold on will be back in a few hours
Lol
I swear I saw those file on my desktop.
Sent from my SM-T320 using XDA Free mobile app
You all should thank for this lol.
Found them going to post in 5 min
Sent from my SM-T320 using XDA Free mobile app
---------- Post added at 05:36 AM ---------- Previous post was at 05:31 AM ----------
MBN MSIMAGE FILE
https://drive.google.com/file/d/0B0j1tztDCRGtTnd4VXgxdTZzbkE/view?usp=sharing
MPRG FILE
https://drive.google.com/file/d/0B0j1tztDCRGtRmhELUtSRlctSmM/view?usp=sharing

shawnsingh said:
You all should thank for this lol.
For sure, man. I saw your first reply and immediately thought to myself, "Awesome! I definitely got to thank him when he uploads the files".

G0DKING said:
For sure, man. I saw your first reply and immediately thought to myself, "Awesome! I definitely got to thank him when he uploads the files".
Lol its all good hopefully QPST emmc program works for you
from my SM-T320 using XDA Free mobile app

It didn't work for me; I don't know if my setup is messed or if it's the wrong file, though.
@VBlack, can you let me know what's wrong?
[email protected]:/media/ubuntu/Flashdrive$ ./qdload.py MPRG8064.hex
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: /dev/ttyUSB0
Traceback (most recent call last):
File "./qdload.py", line 815, in <module>
main()
File "./qdload.py", line 762, in main
tty = openTTY(args.ttyPort)
File "./qdload.py", line 174, in openTTY
tty = serial.Serial(port=tty_path, baudrate=115200)
File "/usr/lib/python2.7/dist-packages/serial/serialutil.py", line 261, in __init__
self.open()
File "/usr/lib/python2.7/dist-packages/serial/serialposix.py", line 278, in open
raise SerialException("could not open port %s: %s" % (self._port, msg))
serial.serialutil.SerialException: could not open port /dev/ttyUSB0: [Errno 13] Permission denied: '/dev/ttyUSB0'

G0DKING said:
It didn't work for me; I don't know if my setup is messed or if it's the wrong file, though.
@VBlack, can you let me know what's wrong?
As it is stated - you do not have enough permissions. You should either run the script with sudo, or add your user to the dialout group and log in to Ubuntu again.
Sent from my XT1080 using Tapatalk

VBlack said:
As it is stated - you do not have enough permissions. You should either run the script with sudo, or add your user to the dialout group and log in to Ubuntu again.
Sent from my XT1080 using Tapatalk
Hey VBlack would you know or can you help us figure out an unbrick method for the Droid RAZR m we are getting so close but can't make ends meet.
Sent from my SM-T320 using XDA Free mobile app

VBlack said:
As it is stated - you do not have enough permissions. You should either run the script with sudo, or add your user to the dialout group and log in to Ubuntu again.
Sent from my XT1080 using Tapatalk
Sorry about that, I ran it with permissions and it gave me the same error I got before with the MPRG file you supplied:
[email protected]:/media/ubuntu/USB$ sudo ./qdload.py MPRG8064.hex
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: /dev/ttyUSB0
Sending MAGIC ...
Failed to read response.
Sending SBL Reset...
Failed to read response.
Done
To be clear, I have 3 different MPRG8064 files (2 .hex and 1 .bin) and all give me this same error. As an experiment, I ran ./qdload.py MPRG8064.bin with NO MPRG file in the folder: same error. Then I ran "./qdload.py MPRG" (i.e. no file number & extension): same error. At this point, I'm not even sure qdload.py is reading the MPRG file. Is there a change I can make to qdload.py to verify/make it show that it's recognizing & reading the MPRG file (i.e. a different error message from when it doesn't recognize the file to when it does but is the wrong .hex/.bin file for that device)?

G0DKING, try to run it like this:
./qdload.py --verbose MPRG8064.hex
If it can't read the file there will be a Python error with a backtrace... If the file is OK, it just sends it to the device. A .bin file should be converted to .hex using some bin2hex utility.

VBlack said:
G0DKING, try to run it like this:
./qdload.py --verbose MPRG8064.hex
If it can't read the file there will be a Python error with a backtrace... If the file is OK, it just sends it to the device. A .bin file should be converted to .hex using some bin2hex utility.
Done, the results for each of the 3 different MPRG8064.hex files, plus a non-existent MPRG0000.hex file, are the same:
[email protected]:/media/ubuntu/USB$ sudo ./qdload.py --verbose MPRG8064A.hex
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: /dev/ttyUSB0
/dev/ttyUSB0
SENDING: 7e 06 4e 95 7e
Sending MAGIC ...
SENDING: 7e 01 51 43 4f 4d 20 66 61 73 74 20 64 6f 77 6e 6c 6f 61 64 20 70 72 6f 74 6f 63 6f 6c 20 68 6f 73 74 07 05 09 77 05 7e
Failed to read response.
Sending SBL Reset...
SENDING: 7e 0b ab 4e 7e
Failed to read response.
Done
[email protected]:/media/ubuntu/USB$ sudo ./qdload.py --verbose MPRG8064B.hex
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: /dev/ttyUSB0
/dev/ttyUSB0
SENDING: 7e 06 4e 95 7e
Sending MAGIC ...
SENDING: 7e 01 51 43 4f 4d 20 66 61 73 74 20 64 6f 77 6e 6c 6f 61 64 20 70 72 6f 74 6f 63 6f 6c 20 68 6f 73 74 07 05 09 77 05 7e
Failed to read response.
Sending SBL Reset...
SENDING: 7e 0b ab 4e 7e
Failed to read response.
Done
[email protected]:/media/ubuntu/USB$ sudo ./qdload.py --verbose MPRG8064C.hex
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: /dev/ttyUSB0
/dev/ttyUSB0
SENDING: 7e 06 4e 95 7e
Sending MAGIC ...
SENDING: 7e 01 51 43 4f 4d 20 66 61 73 74 20 64 6f 77 6e 6c 6f 61 64 20 70 72 6f 74 6f 63 6f 6c 20 68 6f 73 74 07 05 09 77 05 7e
Failed to read response.
Sending SBL Reset...
SENDING: 7e 0b ab 4e 7e
Failed to read response.
Done
[email protected]:/media/ubuntu/USB$ sudo ./qdload.py --verbose MPRG0000.hex
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: /dev/ttyUSB0
/dev/ttyUSB0
SENDING: 7e 06 4e 95 7e
Sending MAGIC ...
SENDING: 7e 01 51 43 4f 4d 20 66 61 73 74 20 64 6f 77 6e 6c 6f 61 64 20 70 72 6f 74 6f 63 6f 6c 20 68 6f 73 74 07 05 09 77 05 7e
Failed to read response.
Sending SBL Reset...
SENDING: 7e 0b ab 4e 7e
Failed to read response.
Done
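The SENDING: lines in the verbose log above are byte-stuffed frames: 0x7e delimiters around a payload followed by a little-endian CRC-16/X-25, which the two short frames confirm. The Python decoder below is an added example, not part of qdload.py or of any post; its function names are made up here, and the 0x7d escape rule is the usual HDLC convention, assumed rather than shown in the log.

```python
"""Decode the frames that `qdload.py --verbose` prints on its SENDING: lines."""

FLAG, ESC, ESC_XOR = 0x7E, 0x7D, 0x20

# Lines copied from the verbose log in the post above.
PAGE_LOG = """\
SENDING: 7e 06 4e 95 7e
Sending MAGIC ...
SENDING: 7e 01 51 43 4f 4d 20 66 61 73 74 20 64 6f 77 6e 6c 6f 61 64 20 70 72 6f 74 6f 63 6f 6c 20 68 6f 73 74 07 05 09 77 05 7e
Failed to read response.
Sending SBL Reset...
SENDING: 7e 0b ab 4e 7e
Failed to read response.
"""


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25: reflected polynomial 0x8408, init 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def encode_frame(payload: bytes) -> bytes:
    """Append the CRC (little-endian), escape 0x7e/0x7d, wrap in 0x7e flags."""
    body = payload + crc16_x25(payload).to_bytes(2, "little")
    out = bytearray([FLAG])
    for byte in body:
        if byte in (FLAG, ESC):
            out += bytes([ESC, byte ^ ESC_XOR])   # assumed HDLC escape rule
        else:
            out.append(byte)
    out.append(FLAG)
    return bytes(out)


def decode_frame(raw: bytes) -> dict:
    """Undo the framing and report whether the trailing CRC matches."""
    if len(raw) < 5 or raw[0] != FLAG or raw[-1] != FLAG:
        raise ValueError("frame must start and end with 0x7e")
    body = bytearray()
    stream = iter(raw[1:-1])
    for byte in stream:
        if byte == FLAG:
            raise ValueError("unescaped 0x7e inside frame")
        if byte == ESC:
            escaped = next(stream, None)
            if escaped is None:
                raise ValueError("escape byte at end of frame")
            byte = escaped ^ ESC_XOR
        body.append(byte)
    if len(body) < 3:
        raise ValueError("frame too short for a command byte and a CRC")
    payload = bytes(body[:-2])
    crc_sent = int.from_bytes(body[-2:], "little")
    return {
        "command": payload[0],
        "payload": payload,
        "crc_sent": crc_sent,
        "crc_ok": crc16_x25(payload) == crc_sent,
    }


def frames_from_log(log: str) -> list:
    """Pick the SENDING: lines out of a verbose log and decode each one."""
    frames = []
    for line in log.splitlines():
        if line.startswith("SENDING:"):
            frames.append(decode_frame(bytes.fromhex(line.split(":", 1)[1])))
    return frames


if __name__ == "__main__":
    for frame in frames_from_log(PAGE_LOG):
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in frame["payload"])
        print(f"cmd=0x{frame['command']:02x} len={len(frame['payload'])} "
              f"crc_ok={frame['crc_ok']} {text}")
```

The same decoder can be pointed at captured replies, once the device sends any, to see which command byte it answers with.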

Yes, I'm sorry. The utility loads files on demand, so it is not even going to read it, because it does not get a correct response initially. So your phone is in some different state...

VBlack said:
Yes, I'm sorry. The utility loads files on demand, so it is not even going to read it, because it does not get a correct response initially. So your phone is in some different state...
Is there a way to edit qdload.py so that it correctly loads the files needed?
Regarding my phone being "in some different state", can you elaborate on that?
I'm just wondering what my options are and what my next step should be in unbricking this phone.

So, since it is not a Motorola phone, it could be another protocol, which is not supported by the tool. You could try my test tool version with verbose printing - it could tell more about the phone state...
http://pastebin.com/hPNaPp15
Sent from my XT1080 using Tapatalk

VBlack said:
So, since it is not a Motorola phone, it could be another protocol, which is not supported by the tool. You could try my test tool version with verbose printing - it could tell more about the phone state...
http://pastebin.com/hPNaPp15
Sent from my XT1080 using Tapatalk
Looks like minor issues with the code:
[email protected]:/media/ubuntu/USB$ sudo ./qdload_1.2.2d.py --verbose MPRG8064A.hex
QDLoad utility version 1.2.2d (c) VBlack 2014
2-1
/dev/ttyUSB0
Found TTY port: /dev/ttyUSB0
/dev/ttyUSB0
Traceback (most recent call last):
File "./qdload_1.2.2d.py", line 943, in <module>
main()
File "./qdload_1.2.2d.py", line 888, in main
if isStageDBL(tty, images):
File "./qdload_1.2.2d.py", line 748, in isStageDBL
for image in images:
TypeError: 'NoneType' object is not iterable

You need to specify a partition table file with -ptf to the script, which contains at least sbl1.mbn
Sent from my XT1080 using Tapatalk

VBlack said:
You need to specify a partition table file with -ptf to the script, which contains at least sbl1.mbn
Sent from my XT1080 using Tapatalk
I need to do that to fix the qdload.py code?
And doesn't pulling those files require a rooted working identical device?

Related

[TUT] Flashing Himalaya from SD card

On current HTC devices, flashing from an SD card is a trivial task: just copy your ROM image to the card and boot it... Unfortunately, with older devices, like the Himalaya for example, it's different: every image to be flashed has to carry a special signature, which is individual not only to your device, but... to the given SD card as well!
1. Getting a header.
How to get it? You have to make a backup of your currently flashed ROM. You'll need a USB cable and your device in bootloader mode. Make a backup with the command below:
Code:
password BOOTLOADER
Pass.
USB>d2s
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SD:Detected one card
SD:ready for transfer OK
pc->drive.total_lba=F5800
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=2
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=1EB00000
SDCARDD2S+,cStoragePlatformType=FF
*******************************************************************************************************************************
Store image to SD/MMC card successful.
USB>
Done... but when you try to read this card, you'll find it isn't written as a file: it's written sector by sector! Normally you would use ntrw to read that into a normal file, but it has one major flaw: it dumps the whole card, so if you have a 1GB card, you get a 1GB file... and that's why our beloved itsme wrote a small utility called psdread (and psdwrite, too), which I'm including in this tutorial.
Using this utility, you have to read the header first. Assuming your card reader got the letter m: from your system (that's the letter I have assigned to my card reader), just type:
Code:
c:\> psdread.exe m: 0 0x19c
so you get something like this:
Code:
00000000: 48 49 4d 41 4c 41 59 41 53 20 20 20 20 20 20 20 HIMALAYAS
00000010: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
00000020: 31 2e 30 36 20 20 20 20 20 20 20 20 20 20 20 20 1.06
00000030: 78 7e a8 50 96 f5 45 3b 13 0d 89 0a 1c db ae 32 x~.P..E;.......2
00000040: 20 9a 50 ee 40 78 36 fd 12 49 32 f6 9e 7d 49 dc 1.P..x6..I2..}I.
00000050: ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 32 3b a1 22 .O..D.f.k.0.2;..
00000060: f6 22 91 9d e1 8b 1f da b0 ca 99 02 b9 72 9d 49 .............r.I
00000070: 2c 80 7e c5 99 d5 e9 80 b2 ea c9 cc dd 00 4c f2 ,.~...........L.
00000080: 53 41 30 30 e1 dc d6 ae 83 90 49 f1 f1 ff e9 eb SA00......I.....
00000090: b3 a6 db 1e 87 0c 3e 77 24 42 0d 1c 06 b7 47 de .......w$B....G.
000000a0: 6d 12 4d c8 43 2e cb a6 1f 03 5a 7d 09 38 25 1f m.M.C.....Z}.8%.
000000b0: 5d 9f d4 fc 96 f5 45 3b 13 0d 89 0a 1c d3 90 2d ].....E;.......-
000000c0: 48 9a 50 ee 40 78 36 fd 12 49 32 f6 9e 81 49 dc H.P..x6..I2...I.
000000d0: ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 3c 84 f2 87 .O..D.f.k.0.....
000000e0: 61 49 d1 4f 0a d8 16 e7 72 e6 bb 12 84 34 a6 77 aI.O....r....4.w
000000f0: 02 37 e4 97 2c 74 cb c9 12 68 33 74 9e ad 87 d5 .7..,t...h3t....
00000100: fa 16 bb 11 ad ae 24 88 79 fe 52 db 25 43 e5 3c ......$.y.R.%C..
00000110: b3 12 4d c8 43 bb 8b a6 1f 03 5a 7d 09 38 25 1f ..M.C.....Z}.8%.
00000120: 5d d4 cb fc 96 f5 45 3b 13 0d 89 0a 1c db ae 32 ].....E;.......2
00000130: 20 9a 50 ee 40 78 36 fd 12 49 32 f6 9e 7d 49 dc ..P..x6..I2..}I.
00000140: ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 32 3b a1 22 .O...D.f.k.0.2;.
00000150: f6 22 91 9d e1 8b 1f da b0 ca 99 02 b9 72 9d 49 .............r.I
00000160: 2c 80 7e c5 99 d5 e9 80 b2 ea c9 cc 53 bf 67 d6 ,.~.........S.g.
00000170: bf 14 d6 7e 2d dc 8e 66 83 ef 57 49 61 ff 69 8f ...~-..f..WIa.i.
00000180: 48 54 43 53 41 30 30 34 30 30 30 30 30 31 46 43 HTCSA004000001FC
00000190: 30 30 30 30 46 45 46 39 46 32 43 44 0000FEF9F2CD
Well, that could be the end of the first part of this tutorial, but let's make a full backup file. Take a look at the end of this block:
Code:
HTCS A0040000 01FC0000 FEF9F2CD
where:
A0040000 - location of your OS image in the device
01FC0000 - size of the actual OS (decimal 33292288 bytes)
FEF9F2CD - checksum
At the very end of the ROM image there are 4 more bytes (HTCE), so the size of the whole image is: 0x19C + 0x1FC0000 + 4 = 0x1FC01A0 bytes in total.
Now you can make your backup image with the following command:
Code:
c:\> psdread.exe m: 0 0x1FC01A0 os.img
The header itself (needed for the next steps of this tutorial) is created with:
Code:
c:\> psdread.exe m: 0 0x19c header.img
2. Getting a bare OS.nb file
While a bare OS.nb file is normal in today's kitchens, you have probably never even seen this file... so how do you get it?
A normal ROM image is in the nk.nbf file, which is the actual image, XOR-encoded. Decode it with:
Code:
c:\> xda2nbftool.exe -x nk.nbf nk.nba 0x20040304
so now you have the nk.nba file. You can take it apart with:
Code:
c:\> dump.exe -o 0x40040 -l 0x1FC0000 nk.nba os.nb
and you have your OS.nb
3. Making a flash-ready image file.
Putting this all into a final file is trivial... it's just our header + OS.nb:
Code:
c:\> type header.img > SD_img.img
c:\> type OS.nb >> SD_img.img
In the end you get the SD_img.img file, which you can transfer to your SD card with:
Code:
c:\> psdwrite m: SD_img.img
I'd recommend using a good hex editor. A really great freeware one is HxD (you can get it here); it can even operate on disk images and on disks themselves.
4. Flashing your device.
Well, this will be the toughest part...
Well, not really
Turn off your Himalaya (really! It is best to take the battery out), put your SD card in and turn it on. It will display a message: "press power to flash". Just press the power button and wait until it finishes. YOU CAN'T ABORT THE PROCESS, DON'T TOUCH IT! GO AND MAKE YOURSELF A COFFEE OR TEA OR GO FOR A SMOKE!!!
and... that's it
happy flashing!
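Because the flash cannot be aborted once it starts, it is worth checking the sizes from steps 1 to 3 before writing the card. The Python below is an added example, not utak3r's code: its function names are hypothetical, it parses the HTCS trailer at offset 0x180 exactly as the tutorial describes it, the sample image is constructed, and the checksum field is only parsed, not verified, since the tutorial does not give its algorithm.

```python
import re

HEADER_LEN = 0x19C    # bytes read with "psdread.exe m: 0 0x19c"
TRAILER_OFF = 0x180   # where the dump shows "HTCS" followed by three hex fields
START_TAG, END_TAG = b"HTCS", b"HTCE"


def parse_header(header: bytes) -> dict:
    """Read address, OS size and checksum from the ASCII-hex trailer."""
    if len(header) < HEADER_LEN:
        raise ValueError("header shorter than 0x19C bytes")
    tail = header[TRAILER_OFF:HEADER_LEN]
    if tail[:4] != START_TAG:
        raise ValueError("no HTCS tag at offset 0x180")
    fields = tail[4:]
    if not re.fullmatch(rb"[0-9A-Fa-f]{24}", fields):
        raise ValueError("trailer fields are not 24 ASCII hex digits")
    text = fields.decode("ascii")
    address, os_size, checksum = (int(text[i:i + 8], 16) for i in (0, 8, 16))
    return {
        "address": address,
        "os_size": os_size,
        "checksum": checksum,          # parsed only; algorithm not on the page
        "backup_size": HEADER_LEN + os_size + len(END_TAG),
    }


def check_backup(image: bytes) -> list:
    """Problems found in a full backup (header + OS + HTCE); empty if none."""
    info = parse_header(image)
    problems = []
    if len(image) != info["backup_size"]:
        problems.append("backup is %#x bytes, header implies %#x"
                        % (len(image), info["backup_size"]))
    elif image[-len(END_TAG):] != END_TAG:
        problems.append("backup does not end with HTCE")
    return problems


def check_os_nb(header: bytes, os_nb: bytes) -> list:
    """Problems with an OS.nb that is about to be appended to this header."""
    info = parse_header(header)
    if len(os_nb) != info["os_size"]:
        return ["OS.nb is %#x bytes, header expects %#x"
                % (len(os_nb), info["os_size"])]
    return []


def make_sample_header(address: int, os_size: int, checksum: int) -> bytes:
    """Constructed header: zero filler up to 0x180, then the HTCS trailer."""
    trailer = START_TAG + ("%08X%08X%08X" % (address, os_size, checksum)).encode()
    return bytes(TRAILER_OFF) + trailer


if __name__ == "__main__":
    # Trailer values taken from the dump in the tutorial.
    info = parse_header(make_sample_header(0xA0040000, 0x01FC0000, 0xFEF9F2CD))
    print("OS size %d bytes, full backup %#x bytes"
          % (info["os_size"], info["backup_size"]))
    # Constructed small image: 0x200-byte OS, correct and then truncated.
    small = make_sample_header(0xA0040000, 0x200, 0)
    print(check_backup(small + bytes(0x200) + END_TAG))
    print(check_os_nb(small, bytes(0x1FF)))
```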
......
good work very thank's
Flashing Himalaya from SD card- Many thanks "utak3r"
Atlast !!!!!!!!!
u r my saviour ........
Many Many Thanks for the steps......
I been asking and waiting a proper procedure to flash from sd card especially for xda2.
I will give a try and see if am succeeding.
well actually my usb is broken that is the reason am looking to flash from sd card.
In that case, can anyone post a lasted stable rom which is already ready to flash from SD Card ?
should the same SD card should be used ?
will it not work if I copy the SD image to a different SD card and flash it?
Many thanks utak3r
WOW!!! amazing tut
Stickied it!
gopi159 said:
should the same SD card should be used ?
will it not work if I copy the SD image to a different SD card and flash it?
As I said it in this tut - the header is unique for every device and every SD card, so... no, you can't download some image and flash it, sorry. Your bootloader will say: "not allowed" and that's it.
I'm working now on getting this header from a device without a cable - will I succeed? I don't know, last time I tried (about 2 years ago) I failed...
i cant understand all this
can you explain how to flash a new rom with a sd card only without cable
abdelamine said:
i cant understand all this
can you explain how to flash a new rom with a sd card only without cable
You can do it only if you have this header I'm talking above. If you don't have it - no flashing, unfortunately.
Flashing from SD card
How long time to be need it for flashing from SD card?
did we can charging battery while flashing from SD Card?
because we have old device with a short period of prodigal battery condition
Well, I can't remember it now, but it's faster than flashing through a cable. It shouldn't be longer than 20 minutes AFAIR.
And no, there's no charging while in this mode...
utak3r said:
I'm working now on getting this header from a device without a cable - will I succeed? I don't know, last time I tried (about 2 years ago) I failed...
I wish You luck in this task!
I think, that there must be the way to generate SD header information.
And thanx for such good tutorial - now I can make SDImage without using of sdtool.pl
Avis said:
I wish You luck in this task!
I think, that there must be the way to generate SD header information.
well, thanks
As for now I can dump ROM, but with my way, so it doesn't contain this header... it has to be generated by bootloader. So probably I'll end with decompiling a bootloader code
HOW CAN I write password BOOTLOADER and where
hi utak3r,
on the first part of the tutorial, how can we get this header?
where can we actually put this code? is it on command prompt or on device?
thanks...
got it.. use hyperterminal...
abdelamine said:
HOW CAN I write password BOOTLOADER and where
while you're in bootloader mode connect with your hima with mtty... and that's where you can issue various commands.
easy
any have easy tool..????
my usb connector is really broken, is there any solution to do it without using a pc and usb connection?
thanks
You have Vista, XP???
same question
& i have xp & vista
utak3r said:
As I said it in this tut - the header is unique for every device and every SD card, so... no, you can't download some image and flash it, sorry. Your bootloader will say: "not allowed" and that's it.
I'm working now on getting this header from a device without a cable - will I succeed? I don't know, last time I tried (about 2 years ago) I failed...
Is every header really unique? let us say, there are 1000 hima, so there are 1000 different headers?
If the answer is not, maybe we can flash the device using only our SD card without the help of usb connection. someone may post their ready-made file then try to flash it, if fails, try another.
I just want to make a possibilty coz my usb connection was broken too.
you can go and try to collect few headers... but I really doubt

[Q] [IN DEVELOPMENT] Boot Loader downloader/uploader aka MotoGenius

Hi there.
I am working on a program that can get and upload (flash) the Boot Loader in bin format from Milestone and Droid devices.
Right now I have following working commands:
- connect to device
- send commands to device
- flash Boot Loader from specific address (partial flash)
- upload Boot Loader binary to device
What is not finished yet:
- get Boot Loader from device
- save Boot Loader
- cosmetic details
Screenshot will be here today (or a link to it, as it seems that I cannot upload pictures)
Any suggestion is very welcome.
Cheers
EDIT: Screenshot added (I can upload, sorry for the confusion)
Good work, looking forward to seeing the final results.
Sent from my Droid using XDA App
I am getting the loader, but somehow in the middle of the process the phone freezes... lol
I must investigate some debug code.
Sent from my Milestone using XDA App
Code:
RQVN
Code:
02 52 53 56 4e 1e 30 30 30 36 30 36 30 31 46 46
30 30 39 30 37 38 2c 30 30 30 36 30 36 30 31 46
46 30 30 39 30 37 38 2c 46 46 46 46 46 46 46 46
46 46 46 46 46 46 46 46 03
Code:
RQHV
Code:
01FF009078FFFFFF
Code:
RSVN
Code:
00060601FF009078
00060601FF009078
FFFFFFFFFFFFFFFF
Anyway, I think that the problem is in the p2kmoto drivers or in the USB libs, not in my code or in ezxflash (well, it is pretty old, but anyway...)

[Tool][Test] Firmware Extractor

Hello
Not sure if this is the right place, but I don't think development is the right thread either as I simply need a one time tester and there is already a dev thread for the tool in Optimus Black Forums.
I have developed a tool that extracts LG's bin firmware. I extended it to extract tot files as well. As some of you might know, the tot files split some partitions up into multiple files. I already managed to extract the tot file into its various parts, but I have only recently added the ability to merge the parts into their partition.
I don't have enough bandwidth to download one of your firmware files to test it so can someone please test the tool.
Here's the dev thread : link
Here's the git : link
You'll have to compile it with gcc/mingw. The tool's name must be BinExtractor(.exe) or it won't remove the first argument (usually the tool path), and then it will keep on showing the usage no matter what.
Run it with
Code:
BinExtractor -daph Path/To/Tot/File/firmware.tot
and see if it displays the header info. If that succeeds please test the extraction
Code:
BinExtractor -extract Path/To/Tot/File/firmware.tot
It should prompt you that it detected data blocks with identical names and ask you if you want to merge them. And you want to merge them. After it has extracted the files, can you please check that the various partitions that it extracted are correct.
To check the system partition mount or extract the system partition in Linux and in Windows use a tool like ext2read to check it.
If it fails with an error please post the results from -daph (and -extract if it happened there) and the first meg of the tot file you used.
If the partitions aren't extracted properly (or merged properly) and -daph succeeded please post just the output from -daph and in what way the output is faulty.
Thanks in advance.
Wow it moved out of page 1 already.
Bump.
It was ignored because the Nexus 4 doesn't use LG .bin files, it uses standard .img files.
Rusty! said:
It was ignored because the Nexus 4 doesn't use LG .bin files, it uses standard .img files.
Thanks for responding, but according to this: [Stock] Stock ROMs Collection US/CA/EU/AU
These files are in TOT format
And there's a DL link that I presume contains a tot file
LGE960AT-00-V10c-NXS-XX-OCT-25-2012-JVP15Q-USER+0
Can you please explain since the info I have atm is a bit contradictory.
Thanks for this xonar. Much appreciated.
Would anyone be able to compile a Windows binary for me and upload it please? Thanks.
Sent from my Nexus 4 using Tapatalk 2
efrant said:
Thanks for this xonar. Much appreciated.
Would anyone be able to compile a Windows binary for me and upload it please? Thanks.
Sent from my Nexus 4 using Tapatalk 2
I just compiled it with mingw, but it's not behaving as its Linux counterpart.
If j is 1024 why isn't the output file 512kB ?!? (Tested with P970 bin)
Code:
for(j = 0; j < tmp.pent_arr[i].file_size; j++)
{
    /*DO 512 BLOCK*/
    fread(buff, sizeof(char), 512, f);
    fwrite(buff, sizeof(char), 512, out);
}
fclose(out);
EDIT: Had a facepalm moment
Windows needs to specify reading and writing in binary. I'll give you exe in a moment.
EDIT2: I attached a zip with the exe inside.
To get it working in Windows I changed read access to binary everywhere there's a fopen and I initialized some things to 0, as Windows, unlike Linux, doesn't start you off with a nice clean slate.
I'll push changes to git tomorrow morning to make it work on Windows as well, and from now on I'll actually test the Windows exe on Windows and not through Wine.
Hope it works. I'm going to bed now.
Hope it works. I'm going to bed now.
xonar_ said:
I just compiled it with mingw, but it's not behaving as its Linux counterpart.
If j is 1024 why isn't the output file 512kB ?!? (Tested with P970 bin)
Code:
for(j = 0; j < tmp.pent_arr[i].file_size; j++)
{
    /*DO 512 BLOCK*/
    fread(buff, sizeof(char), 512, f);
    fwrite(buff, sizeof(char), 512, out);
}
fclose(out);
EDIT: Had a facepalm moment
Windows needs to specify reading and writing in binary. I'll give you exe in a moment.
EDIT2: I attached a zip with the exe inside.
To get it working in Windows I changed read access to binary everywhere there's a fopen and I initialized some things to 0, as Windows, unlike Linux, doesn't start you off with a nice clean slate.
I'll push changes to git tomorrow morning to make it work on Windows as well, and from now on I'll actually test the Windows exe on Windows and not through Wine.
Hope it works. I'm going to bed now.
Thanks so much. I'll try to give it a shot tomorrow. If it doesn't work, I guess I could always use cygwin.
Sent from my Nexus 4 using Tapatalk 2
Doesn't seem to work on Bell Optimus G:
Code:
BinExtractor.exe -extract "LGE973AT-00-V10f-BELL-CA-OCT-24-2012+0.tot"
Reading AP Header...
Unknown Magic Number at 0x8 : AF 33 BF DE
Writing Files...
Finished
Running the info command:
GPT HEADER
----------
Signature 45 46 49 20 50 41 52 54
Revision 65536
Header Size 92
CRC32 of Header B2 64 10 F5
Current Header LBA 1
Backup Header LBA 61071359
First Usable LBA 34
Last Usable LBA 61071326
Disk GUID 32 1B 10 98 E2 BB F2 4B A0 6E 2B B3 3D 00 0C 20
Start of Partition Entries 2
Number of Partition Entries 36
Size of Partition Entries 128
CRC32 of Partition Array 71 79 32 B7
PARTITION ENTRIES
-----------------
PARTITION ENTRY
---------------
Partition Type GUID A2 A0 D0 EB E5 B9 33 44 87 C0 68 B6 B7 26 99 C7
Unique Partition GUID 7B 6F 3E CF 28 B7 86 F3 6A AE 46 69 B1 BC 9A 08
First LBA 16384
Last LBA 147455
Attributes 8
Partition Name modem
PARTITION ENTRY
---------------
Partition Type GUID 2C BA A0 DE DD CB 05 48 B4 F9 F4 28 25 1C 3E 98
Unique Partition GUID BC D0 5B BC 05 A5 44 30 8E 88 59 5C 87 19 A1 08
First LBA 147456
Last LBA 148479
Attributes 0
Partition Name sbl1
PARTITION ENTRY
---------------
....
zivan56 said:
Doesn't seem to work on Bell Optimus G:
Code:
Unknown Magic Number at 0x8 : AF 33 BF DE
The tool doesn't support Bell OG yet. I made a guess at what the format could be but I can't say for certain that it will work. I'll push changes in a moment.
Someone tested it on another OG firmware, but it fails to mount the image with:
Code:
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
Code:
EXT4-fs (loop0): bad geometry: block count 389120 exceeds size of device (360576 blocks)
Can anyone give me the output from -dgpt with at&t OG or sprint OG?
or the first meg of the tot file of Nexus 4 or Bell OG along with -dgpt output?
EDIT: If possible use pastebin to display dgpt output as it might be fairly long.
I know what the problem is. Great thanks to SnowLeopardJB for testing and correspondence
The file that was being created doesn't have 'space' up until the end of the partitions (it was left out since that's where it stops in the file), but the actual disk still has 'space' after the last bit of data.
So it can be fixed with
Code:
#VAL is the value that is supposedly outside the device from the err msg
VAL=389120
#This will say it is already that size, but the file itself will change size
resize2fs system.img "$VAL"
#Not sure if this last step is then necessary
fsck.ext4 -f system.img
#Now you can mount it as any other partition
I'll make the program add the 'space' and see if it produces an immediately mountable file.
I also totally changed the way it handles 44 DD 55 AA files for future flexibility and it's a step closer to being able to make it use predefined files as formats.
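The "bad geometry" error quoted above can be caught before mounting by comparing the block count stored in the ext4 superblock with the size of the extracted file. The Python below is an added example, not code from BinExtractor: it reads the standard ext superblock fields, pads the file with zeros up to the declared size (the 'space' the post refers to), and runs on a small constructed image rather than real firmware.

```python
import os
import struct
import tempfile

SB_OFFSET = 1024        # the primary superblock starts 1024 bytes into the image
EXT_MAGIC = 0xEF53      # s_magic, at superblock offset 0x38
INCOMPAT_64BIT = 0x80   # s_feature_incompat bit: block count has a high half


def read_geometry(path: str) -> dict:
    """Compare the block count the filesystem declares with the file's size."""
    with open(path, "rb") as f:
        f.seek(SB_OFFSET)
        sb = f.read(1024)
    if len(sb) < 1024:
        raise ValueError("file too short to hold an ext superblock")
    if struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        raise ValueError("no ext2/3/4 magic in the superblock")
    fs_blocks = struct.unpack_from("<I", sb, 0x04)[0]          # s_blocks_count_lo
    log_block_size = struct.unpack_from("<I", sb, 0x18)[0]     # s_log_block_size
    if log_block_size > 6:
        raise ValueError("implausible s_log_block_size")
    if struct.unpack_from("<I", sb, 0x60)[0] & INCOMPAT_64BIT:
        fs_blocks |= struct.unpack_from("<I", sb, 0x150)[0] << 32
    block_size = 1024 << log_block_size
    file_size = os.path.getsize(path)
    return {
        "block_size": block_size,
        "fs_blocks": fs_blocks,                    # "block count" in the error
        "file_blocks": file_size // block_size,    # "size of device" in the error
        "missing_bytes": max(0, fs_blocks * block_size - file_size),
    }


def pad_to_geometry(path: str) -> int:
    """Extend the image with zeros to the declared size; return bytes added."""
    geo = read_geometry(path)
    if geo["missing_bytes"]:
        with open(path, "r+b") as f:
            f.truncate(geo["fs_blocks"] * geo["block_size"])
    return geo["missing_bytes"]


def make_sample_image(path: str, fs_blocks: int, file_blocks: int,
                      log_block_size: int = 2) -> None:
    """Constructed test image: only the superblock fields used above are set."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 0x04, fs_blocks)
    struct.pack_into("<I", sb, 0x18, log_block_size)
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    with open(path, "wb") as f:
        f.truncate(file_blocks * (1024 << log_block_size))
        f.seek(SB_OFFSET)
        f.write(sb)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "system.img")
        # Scaled-down version of the 389120 vs 360576 block mismatch.
        make_sample_image(img, fs_blocks=96, file_blocks=64)
        print("before:", read_geometry(img))
        print("padded by", pad_to_geometry(img), "bytes")
        print("after: ", read_geometry(img))
```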
The latest version in git seems to extract the Bell Optimus G firmware properly now. I tried mounting the resulting radio image section and it worked fine, so I assume it knows the proper partition boundaries now.
Btw, I would recommend posting some instructions how to compile it. Not everyone is savvy enough to know how to use gcc.
Likewise, your program is hardcoded to look for its name when looking for parameters. Since there was no makefile it defaulted to a.out, which, the way it is coded, would never accept any parameters unless renamed to LGBinExtractor.
zivan56 said:
The latest version in git seems to extract the Bell Optimus G firmware properly now. I tried mounting the resulting radio image section and it worked fine, so I assume it knows the proper partition boundaries now.
Only merged partitions were affected by the 'space' bug; plain extraction should have been correct for Bell OB after bb697c27e5. I haven't committed the 'space' fix yet.
In retrospect using fseek to create 'space' between image parts might not have been such a good idea either and might also be causing problems.
zivan56 said:
Btw, I would recommend posting some instructions how to compile it. Not everyone is savvy enough to know how to use gcc.
Adding a makefile is on my todo list.
zivan56 said:
Likewise, your program is hardcoded to look for its name when looking for parameters. Since there was no makefile it defaulted to a.out, which, the way it is coded, would never accept any parameters unless renamed to LGBinExtractor.
Yea, not one of my better choices. I changed it to remove the first arg if it doesn't start with '-'.
Okay, merging partitions should work now. I'm waiting for confirmation, then I'll ask a mod to close the thread.
xonar_ said:
Okay Merging partitions should work now. I'm waiting for confirmation then I'll ask mod to close the thread.
Hello, I tried testing with the LG Optimus Tag: working.
Code:
AP HEADER
----------
Magic Number 44 DD 55 AA
Number of Partitions 32
PARTITION ENTRIES
-----------------
PARTITION ENTRY
------------
Data Block Name MODEM
Data Block ID 1
Size on File 47104
File Offset 0
Size on Disk 65537
Disk Offset 0
PARTITION ENTRY
------------
Data Block Name SBL1
Data Block ID 2
Size on File 1024
File Offset 47104
Size on Disk 2048
Disk Offset 65537
PARTITION ENTRY
------------
Data Block Name SBL2
Data Block ID 3
Size on File 1024
File Offset 48128
Size on Disk 2048
Disk Offset 67585
PARTITION ENTRY
------------
Data Block Name EXT
Data Block ID 4
Size on File 1024
File Offset 49152
Size on Disk 12287
Disk Offset 69633
PARTITION ENTRY
------------
Data Block Name RPM
Data Block ID 5
Size on File 1024
File Offset 50176
Size on Disk 16384
Disk Offset 81920
PARTITION ENTRY
------------
Data Block Name SBL3
Data Block ID 6
Size on File 2048
File Offset 51200
Size on Disk 16384
Disk Offset 98304
PARTITION ENTRY
------------
Data Block Name ABOOT
Data Block ID 7
Size on File 2048
File Offset 53248
Size on Disk 16384
Disk Offset 114688
PARTITION ENTRY
------------
Data Block Name BOOT
Data Block ID 8
Size on File 15360
File Offset 55296
Size on Disk 32768
Disk Offset 131072
PARTITION ENTRY
------------
Data Block Name TZ
Data Block ID 9
Size on File 1024
File Offset 70656
Size on Disk 16384
Disk Offset 163840
PARTITION ENTRY
------------
Data Block Name MODEM_ST1
Data Block ID 10
Size on File 0
File Offset 71680
Size on Disk 16384
Disk Offset 180224
PARTITION ENTRY
------------
Data Block Name MODEM_ST2
Data Block ID 11
Size on File 0
File Offset 71680
Size on Disk 16384
Disk Offset 196608
PARTITION ENTRY
------------
Data Block Name PERSIST
Data Block ID 12
Size on File 16384
File Offset 71680
Size on Disk 16384
Disk Offset 212992
PARTITION ENTRY
------------
Data Block Name RECOVERY
Data Block ID 13
Size on File 17408
File Offset 88064
Size on Disk 32768
Disk Offset 229376
PARTITION ENTRY
------------
Data Block Name MDM
Data Block ID 14
Size on File 57344
File Offset 105472
Size on Disk 65536
Disk Offset 262144
PARTITION ENTRY
------------
Data Block Name M9K_EFS1
Data Block ID 15
Size on File 0
File Offset 162816
Size on Disk 16384
Disk Offset 327680
PARTITION ENTRY
------------
Data Block Name M9K_EFS2
Data Block ID 16
Size on File 0
File Offset 162816
Size on Disk 16384
Disk Offset 344064
PARTITION ENTRY
------------
Data Block Name M9K_EFS3
Data Block ID 17
Size on File 0
File Offset 162816
Size on Disk 16384
Disk Offset 360448
PARTITION ENTRY
------------
Data Block Name FSG
Data Block ID 18
Size on File 0
File Offset 162816
Size on Disk 16384
Disk Offset 376832
PARTITION ENTRY
------------
Data Block Name SSD
Data Block ID 19
Size on File 0
File Offset 162816
Size on Disk 32768
Disk Offset 393216
PARTITION ENTRY
------------
Data Block Name BSP
Data Block ID 20
Size on File 0
File Offset 162816
Size on Disk 16384
Disk Offset 425984
PARTITION ENTRY
------------
Data Block Name BLB
Data Block ID 21
Size on File 0
File Offset 162816
Size on Disk 32768
Disk Offset 442368
PARTITION ENTRY
------------
Data Block Name TOMBSTONES
Data Block ID 22
Size on File 1024
File Offset 162816
Size on Disk 147456
Disk Offset 475136
PARTITION ENTRY
------------
Data Block Name DRM
Data Block ID 23
Size on File 0
File Offset 163840
Size on Disk 16384
Disk Offset 622592
PARTITION ENTRY
------------
Data Block Name FOTA
Data Block ID 24
Size on File 0
File Offset 163840
Size on Disk 49152
Disk Offset 638976
PARTITION ENTRY
------------
Data Block Name MISC
Data Block ID 25
Size on File 0
File Offset 163840
Size on Disk 16384
Disk Offset 688128
PARTITION ENTRY
------------
Data Block Name TZ_BKP
Data Block ID 26
Size on File 0
File Offset 163840
Size on Disk 16384
Disk Offset 704512
PARTITION ENTRY
------------
Data Block Name SYSTEM
Data Block ID 27
Size on File 1720320
File Offset 163840
Size on Disk 1720320
Disk Offset 720896
PARTITION ENTRY
------------
Data Block Name CACHE
Data Block ID 28
Size on File 0
File Offset 1884160
Size on Disk 655360
Disk Offset 2441216
PARTITION ENTRY
------------
Data Block Name WALLPAPER
Data Block ID 29
Size on File 0
File Offset 1884160
Size on Disk 16384
Disk Offset 3096576
PARTITION ENTRY
------------
Data Block Name USERDATA
Data Block ID 30
Size on File 0
File Offset 1884160
Size on Disk 4587520
Disk Offset 3112960
PARTITION ENTRY
------------
Data Block Name MPT
Data Block ID 31
Size on File 0
File Offset 1884160
Size on Disk 32768
Disk Offset 7700480
PARTITION ENTRY
------------
Data Block Name GROW
Data Block ID 32
Size on File 20480
File Offset 1884160
Size on Disk 21000000
Disk Offset 7733248
Code:
Reading AP Header...
Writing Files...
Writing File : 1-MODEM.img -- DONE --
Writing File : 2-SBL1.img -- DONE --
Writing File : 3-SBL2.img -- DONE --
Writing File : 4-EXT.img -- DONE --
Writing File : 5-RPM.img -- DONE --
Writing File : 6-SBL3.img -- DONE --
Writing File : 7-ABOOT.img -- DONE --
Writing File : 8-BOOT.img -- DONE --
Writing File : 9-TZ.img -- DONE --
Writing File : 10-MODEM_ST1.img -- DONE --
Writing File : 11-MODEM_ST2.img -- DONE --
Writing File : 12-PERSIST.img -- DONE --
Writing File : 13-RECOVERY.img -- DONE --
Writing File : 14-MDM.img -- DONE --
Writing File : 15-M9K_EFS1.img -- DONE --
Writing File : 16-M9K_EFS2.img -- DONE --
Writing File : 17-M9K_EFS3.img -- DONE --
Writing File : 18-FSG.img -- DONE --
Writing File : 19-SSD.img -- DONE --
Writing File : 20-BSP.img -- DONE --
Writing File : 21-BLB.img -- DONE --
Writing File : 22-TOMBSTONES.img -- DONE --
Writing File : 23-DRM.img -- DONE --
Writing File : 24-FOTA.img -- DONE --
Writing File : 25-MISC.img -- DONE --
Writing File : 26-TZ_BKP.img -- DONE --
Writing File : 27-SYSTEM.img -- DONE --
Writing File : 28-CACHE.img -- DONE --
Writing File : 29-WALLPAPER.img -- DONE --
Writing File : 30-USERDATA.img -- DONE --
Writing File : 31-MPT.img -- DONE --
Writing File : 32-GROW.img -- DONE --
Finished
PS: @xonar_ if you need any LG flash file, PM me; I have all LG files.
---------- Post added at 01:25 AM ---------- Previous post was at 12:25 AM ----------
LG Optimus LTE2 F160 working
Code:
GPT HEADER
----------
Signature 45 46 49 20 50 41 52 54
Revision 65536
Header Size 92
CRC32 of Header 93 23 A2 52
Current Header LBA 1
Backup Header LBA 30535679
First Usable LBA 34
Last Usable LBA 30535646
Disk GUID 32 1B 10 98 E2 BB F2 4B A0 6E 2B B3 3D 00 0C 20
Start of Partition Entries 2
Number of Partition Entries 32
Size of Partition Entries 128
CRC32 of Partition Array 2A A9 B7 BD
PARTITION ENTRIES
-----------------
PARTITION ENTRY
---------------
Partition Type GUID A2 A0 D0 EB E5 B9 33 44 87 C0 68 B6 B7 26 99 C7
Unique Partition GUID 72 05 1F 0E 0C 89 89 B5 F4 D4 0E 5D 04 65 52 1E
First LBA 16384
Last LBA 147455
Attributes 8
Partition Name modem
PARTITION ENTRY
---------------
Partition Type GUID 2C BA A0 DE DD CB 05 48 B4 F9 F4 28 25 1C 3E 98
Unique Partition GUID 9A 00 DF 9C DE F9 95 65 62 3C 0F 15 D6 1A 75 6B
First LBA 147456
Last LBA 148479
Attributes 0
Partition Name sbl1
PARTITION ENTRY
---------------
Partition Type GUID AD 52 6B 8C 9E 8A 98 43 AD 09 AE 91 6E 53 AE 2D
Unique Partition GUID F1 EC 20 B2 C4 FA 8B FC 06 D2 4F 33 72 B6 0F D2
First LBA 148480
Last LBA 149503
Attributes 0
Partition Name sbl2
PARTITION ENTRY
---------------
Partition Type GUID DF 44 E0 05 F1 92 25 43 B6 9E 37 4A 82 E9 7D 6E
Unique Partition GUID A8 87 F8 53 B8 47 22 FA A9 2B 91 26 94 F6 19 2B
First LBA 149504
Last LBA 151551
Attributes 0
Partition Name sbl3
PARTITION ENTRY
---------------
Partition Type GUID CD FD 0F 40 E0 22 E7 47 9A 23 F1 6E D9 38 23 88
Unique Partition GUID 2A D1 EA 8A 29 76 F5 14 50 CD FA D5 2D 9F 41 26
First LBA 151552
Last LBA 152575
Attributes 0
Partition Name aboot
PARTITION ENTRY
---------------
Partition Type GUID 93 F7 8D 09 12 D7 3D 41 9D 4E 89 D7 11 77 22 28
Unique Partition GUID F7 5A 4B 53 B7 53 FB FF 4C F1 26 3A AD 9D C9 12
First LBA 152576
Last LBA 153599
Attributes 0
Partition Name rpm
PARTITION ENTRY
---------------
Partition Type GUID 86 7F 11 20 85 E9 57 43 B9 EE 37 4B C1 D8 48 7D
Unique Partition GUID 7A C9 D2 E5 B5 2A 04 6C BE 24 C7 AE 35 55 01 B2
First LBA 163840
Last LBA 188415
Attributes 8
Partition Name boot
PARTITION ENTRY
---------------
Partition Type GUID 7F AA 53 A0 B8 40 1C 4B BA 08 2F 68 AC 71 A4 F4
Unique Partition GUID F9 09 61 B9 4F 99 AF 89 FF C3 F3 16 99 B0 E3 A9
First LBA 196608
Last LBA 197631
Attributes 0
Partition Name tz
PARTITION ENTRY
---------------
Partition Type GUID 38 68 4A 00 2A 06 DF 44 81 52 4F 34 0C 05 22 5D
Unique Partition GUID BC 83 9C AC D5 BF F4 36 1C 0F D4 63 6F AD 23 07
First LBA 197632
Last LBA 197633
Attributes 0
Partition Name pad
PARTITION ENTRY
---------------
Partition Type GUID 3E 37 13 20 C4 1A 31 41 B0 F8 91 58 F9 65 4F 4F
Unique Partition GUID 46 F4 88 C2 2C 7A 4A AD 17 28 DD 70 10 8B BD AD
First LBA 197634
Last LBA 203777
Attributes 0
Partition Name modemst1
PARTITION ENTRY
---------------
Partition Type GUID 3E 37 13 20 C4 1A 31 41 B0 F8 91 58 F9 65 4F 4F
Unique Partition GUID 0A E8 2B 7F B8 CF 52 3E C2 7E 52 26 3E 03 B5 35
First LBA 203778
Last LBA 209921
Attributes 0
Partition Name modemst2
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID 85 78 29 24 17 62 3D 36 A4 4B E9 47 10 87 AD 67
First LBA 212992
Last LBA 229375
Attributes 8
Partition Name sns
PARTITION ENTRY
---------------
Partition Type GUID 54 05 D3 6C 5D 5F EF 40 82 FE 10 92 35 9F 92 EE
Unique Partition GUID DC BF D4 C1 2E 63 5D 16 3F 45 88 4F 2A 36 86 3C
First LBA 229376
Last LBA 262143
Attributes 0
Partition Name misc
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID 8E C6 02 A3 3F DC 79 98 12 7F 02 BE 38 F7 D4 6B
First LBA 262144
Last LBA 2359295
Attributes 8
Partition Name system
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID E2 F2 D0 8D 3E D2 D0 90 E9 45 09 EA 7E 8F 2C 97
First LBA 2359296
Last LBA 29589503
Attributes 8
Partition Name userdata
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID F7 2D 03 28 16 E8 78 07 D0 84 1B 08 6F 5B 6D 39
First LBA 29589504
Last LBA 29605887
Attributes 8
Partition Name persist
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID 21 6C AF DC 30 3D D9 D9 3F AE 56 42 4C 0F 66 AC
First LBA 29605888
Last LBA 30146559
Attributes 8
Partition Name cache
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID 26 4F D8 D1 AC 24 CC CA EA 7F E1 F0 E5 6C FD 61
First LBA 30146560
Last LBA 30294015
Attributes 0
Partition Name tombstones
PARTITION ENTRY
---------------
Partition Type GUID 86 7F 11 20 85 E9 57 43 B9 EE 37 4B C1 D8 48 7D
Unique Partition GUID BB 74 76 DD 1D 6B 07 56 23 FB 94 96 7A 52 0A DC
First LBA 30294016
Last LBA 30318591
Attributes 8
Partition Name recovery
PARTITION ENTRY
---------------
Partition Type GUID 3E 37 13 20 C4 1A 31 41 B0 F8 91 58 F9 65 4F 4F
Unique Partition GUID 7C 48 3D 02 F0 90 E3 39 F7 14 BA D1 D9 BD 76 C8
First LBA 30318592
Last LBA 30324735
Attributes 8
Partition Name fsg
PARTITION ENTRY
---------------
Partition Type GUID 42 E7 86 2C 5E 74 DD 4F BF D8 B6 A7 AC 63 87 72
Unique Partition GUID 9B 2F 13 2B 51 11 1E C2 30 66 A0 E7 08 BC BF DF
First LBA 30324736
Last LBA 30324751
Attributes 8
Partition Name ssd
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID 75 44 C3 7D E2 05 C3 88 22 1B 8A 2D D1 D9 E4 FA
First LBA 30326784
Last LBA 30343167
Attributes 0
Partition Name drm
PARTITION ENTRY
---------------
Partition Type GUID AC 9C 14 00 9B ED 01 48 9A E9 6D F9 60 3A 18 27
Unique Partition GUID 55 D9 D2 33 14 1A 58 56 F8 47 15 23 E1 B9 A4 07
First LBA 30343168
Last LBA 30408703
Attributes 0
Partition Name fota
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID 38 9D 3B B9 01 35 EA F7 BA 61 44 35 4F AE 2C 73
First LBA 30408704
Last LBA 30474239
Attributes 0
Partition Name mpt
PARTITION ENTRY
---------------
Partition Type GUID BB 51 9C 73 F9 7A 0A 45 88 49 FF 4F 3D 94 CC AF
Unique Partition GUID EB 58 E9 92 44 82 6E A3 9C 07 F8 60 1D 46 AB 8E
First LBA 30474240
Last LBA 30475263
Attributes 0
Partition Name tzbak
PARTITION ENTRY
---------------
Partition Type GUID 11 84 CC 6A A5 68 18 41 BA B0 07 FA 12 72 B4 9B
Unique Partition GUID 8C 02 6E 7C 87 46 63 0D 71 93 68 7C 2A 4A D8 73
First LBA 30475264
Last LBA 30476287
Attributes 0
Partition Name rpmbak
PARTITION ENTRY
---------------
Partition Type GUID 95 F5 3E 32 7A AF FA 4A 80 60 97 BE 72 84 1B B9
Unique Partition GUID 47 79 8A 0B 52 C4 79 9B 2A 90 81 4E FC A8 E0 77
First LBA 30476288
Last LBA 30477311
Attributes 0
Partition Name encrypt
PARTITION ENTRY
---------------
Partition Type GUID 73 75 D2 A7 3C A5 E7 4C 87 BC 4D 35 12 FF C8 64
Unique Partition GUID 96 9C 90 E9 54 25 10 09 5A B6 CB 7E D3 1E 79 1D
First LBA 30490624
Last LBA 30523391
Attributes 8
Partition Name reserved
PARTITION ENTRY
---------------
Partition Type GUID AF 3D C6 0F 83 84 72 47 8E 79 3D 69 D8 47 7D E4
Unique Partition GUID 88 8D 1A E1 EF BF 80 A7 58 89 13 B3 AF AD 5E A3
First LBA 30523392
Last LBA 30535646
Attributes 0
Partition Name grow
Q:\LG\LG-F160L>
Not work on my G
It force closes when I try to use -daph.
KhmerHacker said:
it forceclose when i try to use -daph
What firmware did you try it on?
Success with your tools
Thanks xonar. With your tools, I succeeded with the Optimus Vu F100L ROM: F100L29j_00.kdz. The ext2read tool you mentioned cannot see the ext4 26-SYSTEM.img, but I mounted it in Linux and got the right result, as below:
mkdir
mount -t ext4 -o loop 26-SYSTEM.img /tmp
Thanks very much. A question:
after I make changes to the img file, how can I repack the img into a tot file? Do I also need to change the wdb, dll and wdh files?
Any help is welcome.
flyhigher76 said:
Thanks xonar. with your tools, I successed with Optimus Vu F100L rom: F100L29j_00.kdz. But the tools ext2read you metioned cannot see the ext4 26-SYSTEM.img, but I mount in linux and get the right result as below
mkdir
mount -t ext4 -o loop 26-SYSTEM.img /tmp
Not sure why ext2read doesn't work, but if it works in Linux it should be correct.
flyhigher76 said:
thanks very, a question:
after I make change to the img file, how can I repacked the img to tot file? need a change the wdb dll wdh file also?
anyone can give help is wellcome.
It's possible to recreate the tot file from the extracted partitions, but a mistake can make your phone Hard Bricked. I wouldn't recommend doing that.
Change Optimus Vu Language
xonar_ said:
Not sure why ext2read don't work
,but if it works in Linux it should be correct.
It's possible to recreate the tot file from the extracted partitions,but a mistake can make your phone Hard Bricked. I wouldn't recommend doing that.
I like the Optimus Vu very much, for its unique size, and its first-class panel display attracts me. But unfortunately, it is not in Chinese, and when I make a call I must choose to call local or call Korea. I'm tired of this, so I want to have a custom system of my own. The difficulty is that I cannot get control of /system, as rooting has failed many times, so I cannot change any apk or jar in /system. I hope I can modify the ROM as I have done with the Galaxy Note, and fortunately found this thread.
I have known of the tot file format only since I got this Optimus Vu, so I have no idea about this format. Can you give me some information about this format, such as a website?
vmt.
flyhigher76 said:
I know tot format file since I own this optimus Vu, so I have no idea about this format. Can you give me some information about this format, like some website?
vmt.
There's the source code of my tool.

[solved] Relocking S1 v37

@RO.maniac asked how to relock his v37 bootloader in another thread:
RO.maniac said:
I have a little situation here. on a D6603.
Was running LP, unlocked, andropluskernel, root, xposed. happy.
Relocked bootloader with flashtool.
Updated to N preview using xperia companion.
Unlocked bootloader with flashtool.
That new bootloader, nexus style, was telling me safe boot off and unlocked bootloader.
Wasn't satisfied with the lack of root on N preview, so I decided to go back to stock LP via Xperia Companion. Then I found out the latest update Xperia would flash is MM. I said fine.
Tried to relock bootloader with flashtool, I got ok message but it didn't relock the bootloader. tried a lot of times, different pc, flashtool version, regenerated code. nothing. so no Xperia Companion - no big deal, I just have an obsession with latest official builds, since my main device is a Nexus5. oh, what a nice girl that is. and easy to undress.
flashed a LP .ftf, tried to relock bootloader, no success.
[...]
What the heck happened with the relocking of the bootloader??!!
I'm thinking it has something to do with the new bootloader from N preview which I was running when I unlocked it. Now it won't relock on any version.
The idea of this dev-thread is to understand why S1 v37 is not re-lockable and whether there is a way to relock it, or downgrade it and then relock, without bricking the phone obviously.
@RO.maniac can you, please, provide
- the S1boot part of your cmdline,
- backups of your TA partition before and after upgrading the bootloader,
- any flashtool log?
Thanks in advance.
N preview TA backup & flashtool log
Here you have the flashtool log and two backups of the current TA partition. One is pulled with ADB and one is from TWRP.
https://drive.google.com/file/d/0B0YzIybNxHcQa3E0Q1JJZlBkUU0/view?usp=sharing - TWRP ver.
https://drive.google.com/file/d/0B0YzIybNxHcQRXR2MjQ0Y3UzOWM/view?usp=sharing - ADB ver.
I don't have a TA backup of my old bootloader.
https://drive.google.com/file/d/0B0YzIybNxHcQcWNMMUtWeF9RNFk/view?usp=sharing - flashtool log. Tried to relock three times.
https://drive.google.com/file/d/0B0YzIybNxHcQVk1CZ1RISmhLMWM/view?usp=sharing - current bootloader mode photo.
I am now running N Preview 3, rooted, permissive.
RO.maniac said:
Here you have the flashtool log and two backups of the current TA partition. One is pulled with ADB and one is from TWRP.
Thanks! And no worries about the old TA. We just can't revert to the old version without it.
Can you send me your s1boot partition and the cmdline part with 's1boot'?
Also can you provide me your oem unlock code? (I should be able to find it in your ta partition)
P.S. your name is in plain text in your flashtool log.
nailyk said:
Thanks! And no worries for the old TA. Just we can't revert to old version without it.
Can you send me your s1boot partition and the cmdline part with 's1boot'?
Also can you provide me your oem unlock code? (I should be able to find it in your ta partition)
P.S. your name is in plain text in your flashtool log.
My name is no secret.
I'm not familiar with pulling s1boot partition and the cmdline part with 's1boot'. Do you need anything more than the photo I just popped in the post? - oh, you mean the boot partition and the code in the photo. That s1 upfront blinded me.
https://drive.google.com/open?id=0B0YzIybNxHcQMGxSTUdtdzBzTjQ - boot TWRP backup
Unlock code: C88FB2FFCCE72540
RO.maniac said:
My name is no secret.
I'm not familiar with pulling s1boot partition and the cmdline part with 's1boot'. Do you need anything more than the photo I just popped in the post?
Unlock code: C88FB2FFCCE72540
Awesome! I missed the picture, sorry.
Your fastboot log also says: S1_Boot_MSM8974AC_LA3.0_L_Hero_17, which makes me doubt...
I have never read of this version before, and never seen the screen you posted before...
For me, fastboot mode was only a blue light on this bootloader version.
I will start RE with these elements, thank you.
Do you know exactly when this Hero_L17 version got installed on your phone? Is it coming from a custom ROM?
nailyk said:
Awesome! I miss the picture, sorry.
Your fastbootlog also says: S1_Boot_MSM8974AC_LA3.0_L_Hero_17 which make me doubt....
Never read this version before. and never seen the screen you post before....
For me, fastboot mode was only blue light.... on this bootloader version.
I will start re with this elements, thank you.
Do you know exactly when this Hero_L17 version get installed on your phone? Is it coming from a custom rom?
This is the bootloader mode from N preview. Just like the Nexus line. I was really surprised to see it just as on my Nexus5.
Other than stock LP and MM , the only custom rom I've had is RXSW 3.0 which is MM.
I think this Hero_L17 is coming with N preview.
This is what I may seem not to understand. When I flash a complete .ftf doesn't EVERYTHING change, including the bootloader?
You are asking like it's there for some time, surviving .ftf flashes.
---------- Post added at 06:19 PM ---------- Previous post was at 06:17 PM ----------
nailyk said:
Awesome! I miss the picture, sorry.
Your fastbootlog also says: S1_Boot_MSM8974AC_LA3.0_L_Hero_17 which make me doubt....
Never read this version before. and never seen the screen you post before....
For me, fastboot mode was only blue light.... on this bootloader version.
I will start re with this elements, thank you.
Do you know exactly when this Hero_L17 version get installed on your phone? Is it coming from a custom rom?
Also, you should watch my past posts here because I tend to edit them a lot and add things instead of writing a new reply. I will let go of this habit, I promise.
RO.maniac said:
This is what I may seem not to understand. When I flash a complete .ftf doesn't EVERYTHING change, including the bootloader?
You are asking like it's there for some time, surviving .ftf flashes.
AFAIK ftf files are almost the same as flashable zip files: partition binaries and script files.
To check that, some tools give you the ability to unpack ftf files.
So some ftf custom ROMs only flash kernel and system, some others flash everything on the phone. Some others add TA partition modifications.
But as the full boot process is signed, maybe other processes are the cause. That's why I'm digging on.
I hope I didn't miss the point. (My English is really bad.)
RO.maniac said:
Also, you should watch my past posts here because I tend to edit them a lot and add things instead of writing a new reply. I will let go of this habit, I promise.
No worries, but as I'm really slow to write my answers I miss some edits. From now on I will double check.
Your English is not that bad. Yes, you got the point and I got it about the .ftf files.
From what I can remember when I flashed a .ftf of N preview 3, the flashtool log listed everything, from boot to some TA. I'll do a backup and reflash just to check. Will post log.
---------- Post added at 07:20 PM ---------- Previous post was at 06:49 PM ----------
nailyk said:
afaik ftf files are almost the same that flashable zip files: partition binaries and script files.
To check that, some tools give you the ability of unpack ftf files.
So some ftf custom rom only flash kernel and system, some other flash everything on the phone. Some other add ta partitions modifying.
But as the full boot process is signed, maybe other process are in cause. That's why i'm digging on.
I hope i didn't miss the point. (my English is really bad )
https://drive.google.com/open?id=0B0YzIybNxHcQNVA3OTZCM2ZqTm8 - flashtool log of N preview 3 flash
You can continue this little study but just so you know, the screen just died on me. It started flicking all of a sudden and in under an hour it gave away for good. Now it is backlit but no color.
So the test object is dead.
For the second time, after the main board water damage. I'm officially done with it. When my friend gets back in the country he'll find out his phone died again.
As I've said, my screen died. So I decided to dump the phone and cleaned my pc of flashtool, xperia companion and all that.
Some minutes ago I decided to try another flash because my mind was running scenarios about the facts before the screen just died. What happened exactly before: TWRP backup, updated flashtool at startup, flashed N preview 3, in order to get the log so I can see if that Hero7 bootloader is coming with N preview. And it is indeed.
Booted and the screen was flicking with white flashes on the edges. In a few minutes I saw a vertical black line and then it turned black, but backlight on.
Today I thought, what the hell, flash it again, maybe it's not a hw problem. But now I know it is.
So I installed an older version of flashtool, 0.9.18.6, and flashed N preview. Still dead screen.
But this version of flashtool RELOCKED my bootloader. I could see the code written to TA and I can flash with Xperia Companion. Too bad I don't have a screen.
One in all, just dump this discussion and everything about my friend's damned Z3. Just close the drawer, as I've done.
RO.maniac said:
https://drive.google.com/open?id=0B0YzIybNxHcQNVA3OTZCM2ZqTm8 - flashtool log of N preview 3 flash
I see from the GitHub there is a branch 0.9.16, so it is a good idea to test with this version.
First, we see the TA blocks in your two tries are different. First try: block n° 8B2; second try: 8FD. I can't understand why (same version of flashtool used).
It took me a lot of time because that was not a hexadecimal place in the TA partition but a unit in the TA partition.
Investigations:
For memory, your unlock code is C88FB2FFCCE72540 (in hex: 43 38 38 46 42 32 46 46 43 43 45 37 32 35 34 30),
my unlock code is 481FD30094B6F2FC (in hex: 34 38 31 46 44 33 30 30 39 34 42 36 46 32 46 43)
If we look in the 8B2 unit we find this:
my TA partition after unlocking:
Code:
B2 08 00 00 10 00 00 00 C1 E9 F8 3B FF FF FF FF 34 38 31 46 44 33 30 30 39 34 42 36 46 32 46 43
your ta partition after unlocking:
Code:
B2 08 00 00 10 00 00 00 C1 E9 F8 3B FF FF FF FF 43 38 38 46 42 32 46 46 43 43 45 37 32 35 34 30
So our unlock code is present. Why doesn't it work?
If I take a look in my ta partition, before unlocking my bootloader, there is no 8b2 unit.
For the 8FD unit, I cannot find it.
So I cannot understand why your first try did not lock the bootloader. Maybe an issue with the usb cable and/or the booted mode, or just with the download of flashtool.
RO.maniac said:
You can continue this little study but just so you know, the screen just died on me. It started flicking all of a sudden and in under an hour is gave away for good. Now is backlit but no color.
So the test object is dead.
For the second time, after the main board water damage. I'm officially done with it. When my friend gets back in the country he'll find out his phone died again. ))
That's sad. I read some threads about dead backlights but not about screens. Do you think software caused this?
RO.maniac said:
As I've said, my screen died. So I decided to dump the phone and cleaned my pc of flashtool, xperia companion and all that.
Some minutes ago I decided to try another flash because my mind was running scenarios about the facts before the screen just died. What happened exactly before: TWRP backup, updated flashtool at startup, flashed N preview 3, in order to get the log so I can see if that Hero7 bootloader is coming with N preview. And it is indeed.
Booted and the screen was flicking with white flashes on the edges. In a few minutes I saw a vertical black line and then it turned black, but backlight on.
Today I thought, what the hell, flash it again, maybe it's not a hw problem. But now I know it is
So I installed an older version of flashtool, 0.9.18.6, and flashed N preview. Still dead screen
But this version of flashtool RELOCKED my bootloader. I could see the code written to TA and I can flash with Xperia Companion. Too bad I don't have a screen.
One in all, just dump this discussion and everything about my friend's damned Z3. Just close the drawer, as I've done.
Maybe it is just a connection problem between the motherboard and the screen. I read your other post, so maybe it is 'just' a bad connection (cleaning or flyed-up)?
Anyway thanks a lot for your time, I learned a lot from the information you provided! It will mostly help me with this project.
P.S.: don't forget I'm looking for a dev Z3; a broken screen is not a big deal for me. Contact me privately if your friend is OK to sell that phone to me.
P.S.2: just for fun:
if you take a look in the (critical) 7DA TA unit it looks like:
Code:
hexdump -C TA.img -s 0x0002073c -n 664
0002073c da 07 00 00 87 02 00 00 c1 e9 f8 3b ff ff ff ff |...........;....|
0002074c 73 eb 3d 40 59 80 18 1a 68 1a 33 84 5b a6 ad c3 |s.=@Y...h.3.[...|
0002075c 45 d3 66 47 02 00 05 0a 02 00 00 00 0a db 37 24 |E.fG..........7$|
0002076c 02 0c b2 c4 85 f4 c9 6c 21 f1 84 33 29 4d 27 ff |.......l!..3)M'.|
0002077c 81 20 a3 65 b6 40 3c 80 16 c9 4a e3 1b 59 d6 54 |. .e.@<...J..Y.T|
0002078c fa 50 37 82 f9 50 53 ce 1c dc aa fb 0b 98 96 e3 |.P7..PS.........|
0002079c 22 6a 02 00 00 00 0a d2 d9 95 24 b0 77 2b 91 59 |"j........$.w+.Y|
000207ac 59 f2 ee 30 a1 dc d9 88 c7 79 51 20 a2 19 73 0e |Y..0.....yQ ..s.|
000207bc 30 4c a1 29 94 4c 43 2b 8a cd 23 e9 3a 09 0b 03 |0L.).LC+..#.:...|
000207cc 06 74 6a 86 1f ce 97 ea 6c d0 b7 ba 00 90 4f 50 |.tj.....l.....OP|
000207dc 5f 49 44 3d 22 34 33 35 22 3b 4f 50 5f 4e 41 4d |_ID="435";OP_NAM|
000207ec 45 3d 22 43 75 73 74 6f 6d 69 7a 65 64 22 3b 43 |E="Customized";C|
000207fc 44 41 5f 4e 52 3d 22 31 32 38 38 2d 35 30 32 38 |DA_NR="1288-5028|
0002080c 22 3b 52 4f 4f 54 49 4e 47 5f 41 4c 4c 4f 57 45 |";ROOTING_ALLOWE|
0002081c 44 3d 22 31 22 3b 52 43 4b 5f 48 3d 22 46 41 45 |D="1";RCK_H="FAE|
0002082c 46 35 31 39 39 31 34 31 39 34 36 38 43 41 37 38 |F51991419468CA78|
0002083c 43 39 43 33 37 30 38 35 36 31 36 43 42 33 31 39 |C9C37085616CB319|
0002084c 42 39 46 36 36 45 30 35 30 45 34 33 31 38 34 37 |B9F66E050E431847|
0002085c 41 39 41 34 36 46 43 33 39 44 42 41 34 22 00 43 |A9A46FC39DBA4".C|
0002086c 53 45 52 56 45 52 49 44 3d 22 62 6d 63 73 65 63 |SERVERID="bmcsec|
0002087c 73 30 33 22 3b 41 55 54 48 43 45 52 54 3d 22 55 |s03";AUTHCERT="U|
0002088c 4e 4b 4e 4f 57 4e 22 3b 54 49 4d 45 53 54 41 4d |NKNOWN";TIMESTAM|
0002089c 50 3d 22 31 35 30 34 30 39 20 32 30 3a 33 31 3a |P="150409 20:31:|
000208ac 35 38 22 00 09 00 07 30 30 31 30 31 2d 2a 00 00 |58"....00101-*..|
000208bc 00 00 00 00 00 00 00 00 00 00 02 00 00 00 0a 4e |...............N|
000208cc d0 29 6b 2c bf 7b ec 14 0b bb 94 f5 9c fa 62 6a |.)k,.{........bj|
000208dc 1c 02 61 20 6d 79 f5 a7 3e ca c6 6e 30 69 30 f7 |..a my..>..n0i0.|
000208ec c3 a4 80 1e 60 bc ba e8 59 7d 5e 99 55 c4 47 e9 |....`...Y}^.U.G.|
000208fc f5 f5 58 be 02 00 00 00 0a 36 04 d9 c2 fd 86 a1 |..X......6......|
0002090c a1 3c 91 c1 d0 8d bb 35 ab a6 b1 10 f0 20 67 0e |.<.....5..... g.|
0002091c dc a5 62 dd 45 db 51 1e eb 6e f7 c6 95 58 f1 d4 |..b.E.Q..n...X..|
0002092c 39 73 5d 53 c5 22 14 b2 06 be 0c 01 ea 5f 02 00 |9s]S."......._..|
0002093c 00 00 0a 22 39 fe 4a f7 2e 93 6d a7 70 5d 3e 53 |..."9.J...m.p]>S|
0002094c a3 11 6c 96 70 84 18 20 3a 17 7b 00 05 63 1b fc |..l.p.. :.{..c..|
0002095c 6b 96 a4 e2 22 33 e2 05 7a 38 7b 72 81 60 ee ec |k..."3..z8{r.`..|
0002096c f9 da 55 c8 c1 81 e7 bd 02 00 00 00 0a cc 10 ff |..U.............|
0002097c a1 49 75 63 f3 c9 ee 40 fa d8 ac 09 65 b6 e6 dc |.Iuc...@....e...|
0002098c a3 20 9c 57 33 bf 51 c3 ff 29 20 78 fa 57 2c 69 |. .W3.Q..) x.W,i|
0002099c a5 97 52 fc 33 fa 97 f6 3d 5d 38 89 e0 d7 34 1c |..R.3...=]8...4.|
000209ac 95 eb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000209bc 00 00 14 57 0a e6 ee af 30 a1 e8 57 69 59 10 22 |...W....0..WiY."|
000209cc 6f 78 32 5c 5c f4 0b ff |ox2\\...|
000209d4
There is an RCK_H key. With the script provided here I enter your unlock code and the script answers that:
Code:
RCK_H="FAEF51991419468CA78C9C37085616CB319B9F66E050E431847A9A46FC39DBA4"
When you enter 'fastboot oem unlock <key>' the key is computed by s1 and compared to this information.

Identify your bootloader version:

While playing with AFTV2 tools quite a bit, I thought it'd be convenient to have some way to identify what bootloader version one has (given bricking implications & all). Doing checksums on the full TEE1 & UBOOT partitions is not very useful, because the empty area in the partitions may have junk, and that would impact the checksum. So something slightly different is needed.
Here is what I propose, one can read the first few bytes of TEE1 & UBOOT partitions, and then look at them with a hex editor. Fairly low tech, but there you go ... Unfortunately, "hexdump" is not present by default on Fire, so a few more manipulations are required. First, run this with adb (can also be read with AFTV2 tools):
Code:
adb shell
su
mkdir /sdcard/tmp/
dd if=/dev/block/mmcblk0p4 of=/sdcard/tmp/04_uboot.img
dd if=/dev/block/mmcblk0p9 of=/sdcard/tmp/09_tee1.img
cd /sdcard/tmp
md5 *.img
exit
exit
adb pull /sdcard/tmp
Then, with a hex editor (such as Frhed), look at the first few bytes of these images on your PC. On Linux it's even easier, just do "head -c 8 *.img | hexdump". You should see something like the following:
Code:
04_uboot.img: UBOOT: 88 16 88 58 [b4 33 06 00] 4c 4b 00 00 "LK"
09_tee1.img: TEE1: 88 16 88 58 [00 3c 10 00] 54 45 45 00 "TEE"
The 4 bytes in red (bracketed here) are key to identify the version. Please see the table below for the data I've compiled so far. Let's add to it as more versions become available/known (if your combination is not listed, please post here):
Code:
UBOOT
d8 27 06 00 Unreleased, 5.0.0, (Build date Saturday, August 1, 2015, 10:39 PM GMT)
b4 33 06 00 5.2.2_053820 5.0.1
54 3f 06 00 5.2.2_055120 5.0.1
e4 3b 06 00 5.4.1_112720 5.1.1
38 34 06 00 5.4.2_168620 5.1.2
78 34 06 00 5.4.4_271020 5.1.4
b8 3c 06 00 5.5.2_153420 5.3.1.0
TEE1
00 3c 10 00 Unreleased, 5.0.0, (Build date Saturday, August 1, 2015, 10:39 PM GMT)
00 3c 10 00 5.2.2_053820 5.0.1
00 3c 10 00 5.2.2_055120 5.0.1
00 3c 10 00 5.4.1_112720 5.1.1
00 3c 10 00 5.4.2_168620 5.1.2
00 3c 10 00 5.4.4_271020 5.1.4
90 84 11 00 5.5.2_153420 5.3.1.0
@DoLooper, @kirito9, @sd_shadow, @Kramar111, @zeroepoch, @hwmod, @Tomsgt
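An added example (not from the original post or the AFTV2 tools): the 12-byte header check described above as a Python script that validates the magic and partition name, then cross-checks UBOOT against TEE1 using the table in the post, since the TEE1 bytes alone are shared by several builds. Reading the 4 key bytes as a little-endian length is an assumption, and the function names are hypothetical.

```python
import struct

MAGIC = bytes.fromhex("88168858")  # first 4 bytes of both images in the post

# Key bytes (offset 4..7) -> bootloader builds, copied from the table in the post.
UBOOT = {
    "d8270600": ["unreleased 5.0.0"], "b4330600": ["5.2.2_053820"],
    "543f0600": ["5.2.2_055120"],     "e43b0600": ["5.4.1_112720"],
    "38340600": ["5.4.2_168620"],     "78340600": ["5.4.4_271020"],
    "b83c0600": ["5.5.2_153420"],
}
TEE1 = {
    "003c1000": ["unreleased 5.0.0", "5.2.2_053820", "5.2.2_055120",
                 "5.4.1_112720", "5.4.2_168620", "5.4.4_271020"],
    "90841100": ["5.5.2_153420"],
}

def parse_header(blob, expected_name):
    """Return (key_hex, value) from the first 12 bytes of a partition image."""
    if len(blob) < 12:
        raise ValueError("need at least 12 bytes")
    magic, key, name = blob[:4], blob[4:8], blob[8:12]
    if magic != MAGIC:
        raise ValueError("bad magic " + magic.hex())
    if name.rstrip(b"\0") != expected_name:
        raise ValueError("unexpected partition name %r" % name)
    # Assumption: the key bytes are a little-endian 32-bit payload length.
    return key.hex(), struct.unpack("<I", key)[0]

def identify(uboot_blob, tee1_blob):
    """Builds consistent with BOTH images; [] means unknown or mismatched pair."""
    u_key, _ = parse_header(uboot_blob, b"LK")
    t_key, _ = parse_header(tee1_blob, b"TEE")
    tee_builds = TEE1.get(t_key, [])
    return [b for b in UBOOT.get(u_key, []) if b in tee_builds]

# Sample headers taken from the example output shown in the post.
SAMPLE_UBOOT = bytes.fromhex("88168858b43306004c4b0000")
SAMPLE_TEE1 = bytes.fromhex("88168858003c100054454500")

if __name__ == "__main__":
    print(identify(SAMPLE_UBOOT, SAMPLE_TEE1))
```

An empty result for a pair whose halves are each listed in the table means UBOOT and TEE1 come from different builds, which is worth knowing before flashing anything.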
unknown 5.0.1
Code:
UBOOT
54 3f 06 00 5.2.2_055120 5.0.1
TEE1
00 3c 10 00 5.2.2_055120 5.0.1
Fire originally with 5.1.3 - downgraded to 5.1.2 . uboot and tee1 are consistent with 5.1.2 .
fmc000 said:
Fire originally with 5.1.3 - downgraded to 5.1.2 . uboot and tee1 are consistent with 5.1.2 .
Indeed, when you downgraded, the bootloaders got overwritten and so you see 5.1.2 ! But luckily, this combination does not brick.
fmc000 said:
Fire originally with 5.1.3 - downgraded to 5.1.2 . uboot and tee1 are consistent with 5.1.2 .
bibikalka said:
Indeed, when you downgraded, the bootloaders got overwritten and so you see 5.1.2 ! But luckily, this combination does not brick.
Hence the 'special' procedure for upgrading FireOS while leaving the current bootloader intact. A standard sideload/OTA update refreshes bootloader, kernel, rom, etc.
Davey126 said:
Hence the 'special' procedure for upgrading FireOS while leaving the current bootloader intact.
In a strict sense, the procedure doesn't leave the bootloader intact - it first writes the newer version (which is part of the stock ROM) to later replace it back with the original one. And this "later" may be crucial - if in-between something bad happens (bad battery level, bad cable, power outage on the PC side), game over.
What's the ratio of successful vs. bricking here?
Unfortunately, nobody seems to have followed the path @Vlasp had suggested a year ago: to trim down stock ROMs to explicitly exclude bootloader files and install instructions (and possibly add su, and disable ota and ads). I understand that with FF we're no longer limited to signed ROMs, so this should be feasible, and scriptable for future ROM versions, no? (If I could extend days to 36 hours...)
steve8x8 said:
In a strict sense, the procedure doesn't leave the bootloader intact - it first writes the newer version (which is part of the stock ROM) to later replace it back with the original one. And this "later" may be crucial - if in-between something bad happens (bad battery level, bad cable, power outage on the PC side), game over.
True. Didn't expect a literal interpretation but appreciate the clarification and associated cautions for others.
steve8x8 said:
Unfortunately, nobody seems to have followed the path @Vlasp had suggested a year ago: to trim down stock ROMs to explicitly exclude bootloader files and install instructions (and possibly add su, and disable ota and ads).
This has been done for other Amazon devices (e.g. 3rd gen HDX) but garnered little user interest as an alternative to custom ROMs. The misunderstanding/misuse of custom stock builds actually created bigger headaches and a few unfortunate bricks. Eventually the images stopped being maintained.
steve8x8 said:
If I could extend days to 36 hours...
Still searching for those elusive hours! Same can be said for developers who struggle to maintain what is already out there. Witness the cracks in several custom ROMs that have not seen recent updates.
Great and easy way to identify bootloader version. Disappointed to find that I was on 5.3.1 bootloader, but at least I know now.
Quick update (although useless since reading off the timestamps would require root which isn't available yet for 5.3.2.1 and higher - that's why I won't merge this into the checker tool yet):
Code:
fireOS-5.0.0/images/preloader.img: 20150728-232738
fireOS-5.0.1/images/preloader_prod.img: 20150730-164940
fireOS-5.1.1/images/preloader_prod.img: 20150923-180133
fireOS-5.0.1/images/preloader.img: 20150930-051243
fireOS-5.1.1/images/preloader.img: 20151202-052945
fireOS-5.1.2/images/preloader_prod.img: 20160120-094719
fireOS-5.1.4/images/preloader_prod.img: 20160217-183554
fireOS-5.1.2/images/preloader.img: 20160227-021828
fireOS-5.1.4/images/preloader.img: 20160506-045524
fireOS-5.3.1.0/images/preloader_prod.img: 20160603-023745
fireOS-5.3.2.0/images/preloader_prod.img: 20160603-023745
fireOS-5.3.1.0/images/preloader.img: 20160624-191357
fireOS-5.3.2.1/images/preloader_prod.img: 20161102-031807
fireOS-5.3.2.0/images/preloader.img: 20161104-214024
fireOS-5.3.2.1/images/preloader.img: 20161201-113631
fireOS-5.3.3.0/images/preloader_prod.img: 20170116-085533
fireOS-5.3.3.0/images/preloader.img: 20170328-012523
---------- Post added at 01:58 PM ---------- Previous post was at 01:11 PM ----------
Um, by the way, there had been reports that 5.1.3 had been rooted without downgrading to 5.1.2, if I remember correctly.
If that's your last FireOS version, may I ask you to run the bootloader tool and report back the result? Same for 5.1.2.1... Thanks
After an adventure in updating to 5.3.3.0 I have :
uboot : b0 99 0e 00
tee : not recognisable
The tablet boots, I can reload TWRP if needed but if I flash the previous bootloader I had 541 it bricks and I have to recover using the linux ISO. It looks like my tee1 partition is corrupted. Any advice on how to proceed would be good ! Thanks.
jpearn said:
After an adventure in updating to 5.3.3.0 I have :
uboot : b0 99 0e 00
tee : not recognisable
The tablet boots, I can reload TWRP if needed but if I flash the previous bootloader I had 541 it bricks and I have to recover using the linux ISO. It looks like my tee1 partition is corrupted. Any advice on how to proceed would be good ! Thanks.
Reflash the partition with DD?
Download the firmware update, rename it to *.zip from *.bin, and there should be something called TEE.img or something similar. Then push it to the device with "adb push /path/to/TEE.img /sdcard" Then, on the tablet or in adb shell, run 'dd if=/sdcard/TEE.img of=/dev/block/mmcblk0p9'
PorygonZRocks said:
Reflash the partition with DD?
Download the firmware update, rename it to *.zip from *.bin, and there should be something called TEE.img or something similar. Then push it to the device with "adb push /path/to/TEE.img /sdcard" Then, on the tablet or in adb shell, run 'dd if=/sdcard/TEE.img of=/dev/block/mmcblk0p9'
I thought this however I noted in the other gapps / root thread that it should be dd if=453_tee1.img of=/dev/block/mmcblk0p3
I'm on Ariel Fire 7 4th, so I guess the partitions are different ?
jpearn said:
I thought this however I noted in the other gapps / root thread that it should be dd if=453_tee1.img of=/dev/block/mmcblk0p3
I'm on Ariel Fire 7 4th, so I guess the partitions are different ?
Yes, they would be different. Make sure to use a TEE from the correct device, not one from this model.
jpearn said:
After an adventure in updating to 5.3.3.0 I have :
uboot : b0 99 0e 00
tee : not recognisable
The tablet boots, I can reload TWRP if needed but if I flash the previous bootloader I had 541 it bricks and I have to recover using the linux ISO. It looks like my tee1 partition is corrupted. Any advice on how to proceed would be good ! Thanks.
This thread pertains to the 5th gen Fire 7 (Ford) not the 4th gen HD 7 (Ariel).
Identifying the bootloader version is one thing, being able to decide whether a downgrade would result in a brick is another...
Is there a way, on a Fire 7 (5th), to extract the anti-r* "stepping numbers" from bootloader files/partitions that get compared with entries in RPMB (which is only accessible by the bootloader, but not the kernel)? This might save a lot of guesswork and bricks.
In lk.bin, there's "androidboot.rpmb_state=%d" right next to "androidboot.unlocked_kernel=true" and "androidboot.unlocked_kernel=false". Access seems to happen via device numbers.
OTOH, preloader_prod.img contains strings like "[RPMB] Invalid magic, re-creating..." and "[RPMB] RPMB provisioning disabled" or even a message about a skipped, invalid anti-r* state.
Too bad it seems to be impossible to watch the device boot at such an early stage. Half a MB of ARM code is not what I'd want to trace manually... extracting the preloader from its MTK wrapper seems to be the easiest part...
steve8x8 said:
Too bad it seems to be impossible to watch the device boot at such an early stage.
https://forum.xda-developers.com/am...bootloader-unlock-ideas-t3289721/post65585385 and some previous/next post
Thanks for the pointer to one of the missing links! Being able to track the messages down might limit the amount of machine code to be parsed...
uboot - 88 16 88 58 B8 3C 06 00 4C 4B 00 00 00 00 00
tee1 - 88 16 88 58 90 84 11 00 54 45 45 00 00 00 00
5.3.1, lol. What's a good ROM for this Amazon Fire 5th gen?
2WR3505 said:
uboot - 88 16 88 58 B8 3C 06 00 4C 4B 00 00 00 00 00
tee1 - 88 16 88 58 90 84 11 00 54 45 45 00 00 00 00
5.3.1, lol. What's a good ROM for this Amazon Fire 5th gen?
[ROM][AOSP] Fire Nexus ROM - LMY49M [22 JULY 2017] - XDA Developers
https://forum.xda-developers.com/amazon-fire/orig-development/rom-fire-nexus-rom-lmy49f-t3300714
[ROM] Lineage-12.1 [12 SEP 2017] - XDA Developers
https://forum.xda-developers.com/amazon-fire/orig-development/rom-lineage-12-1-t3639447
Thanks, I went with the Nexus ROM, it runs nicely.
