G925v Analysis, Rooting, Dev Files & Implications - Verizon Samsung Galaxy S6 Edge

So it happened the day before yesterday, 8-22-17 @ ~5:50 PM: my Verizon S6 Edge (G925VZKE [64GB]) bricked out. No LED light, nothing on screen, nothing, as if actually hard bricked. No booting, no download mode, nothing. But it's not fully hard bricked actually. When I plug the device into my PC, Windows will either pop up and say the device malfunctioned, or it will read as "Exynos7420". I'm not quite sure what to do about it at the moment; I've read [a little] about what to do with phones in this mode using a "USB_Down_Load_32bit"/Multidownloader. I believe it to be stuck in a diagnostic mode I'm not versed in. This all happened while I was in the ADB root shell (su:s0) while the device was powered off and charging.
I am making this thread here for any devs who would want to use the knowledge and files here to take the project further, as I cannot currently use my device at all. And I won't be getting a replacement S6 Edge for at least a month, maybe two. I love the S6, and will still choose it over most devices. I've been dedicated to researching and posting about the Samsung Exynos7420 hardware since September 2016. That was when I came up with the plan for The Greyhat Root Project. You may recall my other thread, once in the Original Development forum and now in General. If you search "Greyhat Root" in Google, my thread will be the first result. It gained a lot of traction, very very quickly, but is now dead, and the mods probably hate me for making a new thread. But I'm not trying to put new news out there this time.
It focused on how to use Kali Linux and Metasploit. It also focused on the articles at the time that were new exploit & malware research, which boasted of the possibilities we've now come to know as the Vault7 leaks. There's probably a reason I was a victim of the malware myself, and I took down most of the posts. Most of the good files and resources I posted to that thread were either flagged by end users or removed by Google. The real treasure of that thread is lost to the internet now, as that was the only backup I had of some of the critical files needed for the process. If you actually look through my individual posts all over, you will find some juicy tidbits of knowledge spread around this site that I've not compiled into one. A lot of it is still over my head, as it was then, and that is partly why I took it down. But I've been chipping away at that knowledge base every day for 10 months, going on a year now. It's possible to root this device if one can take the knowledge of how to leverage the newsworthy exploits from the past 2 years into a single repo/application. "Android-InsecureBankv2" is one example of such a platform. But as a teaching platform, it is not configured to provide a SuperSU root solution out of the box. It would still require modification of someone else's codebase, with a learning curve.
No, I have not managed to find a way to unlock the bootloader, because I do not have a copy of IDA Pro or the Hex-Rays Decompiler, and if I did, I still wouldn't know how to use them fully. But I have managed to find quite a number of very possible attack vectors, if I can get some serious developers to take my sentiments seriously. I proved that when the posts about Dirty COW were largely ignored due to device interest, and then @droidvoider helped make some of my ideas possible with the "Greyhat Root Console" he made. Realistically, at this point I only wish I were an assembler. I'm only one guy trying to poke at a hardware/software package created by multiple departments of people in a conglomerate corporation. I only bring people together. I do know that in order to disassemble the Exynos7420 sboot, you're going to need to understand U-Boot on ARM64, a U-Boot version dating back to either January 2016 or August 2015. I say those two dates because the 4BOG7 files on my device date to August 2015, and the 4AOJ1 files to January 2016. Project Zero (who do a lot of tests on the G925V, btw) posted in February 2017 about how they found a way to bypass the KASLR feature of the stock kernel, a kernel I do believe we can still flash to the device. It didn't gain much attention at the time, I don't think, because it was only one piece of the puzzle. That exploit wasn't patched until January. I know it sounds bad when I say it like this, but what this device truly needs is a friendly botnet-C&C-style rootkit that has its client and server controlled by a user-controlled, SuperSU-style management application. Yes, it would be a rootkit you would never want to have someone else in control of. But if SuperSU were controlled by someone other than the end user at the time, it would be just as bad. It's just a different approach to a yet unpublished methodology.
*
** The Device I refer to is currently flashed with:
******
** Full 4 File Firmware: COMBINATION_VZW_FA50_G925VVRU4AOJ1_VZW4AOJ1_CL5133452_QB6486176_REV02_user_mid_noship.tar
** BL: G925VVRU4AOJ1 ENG sboot.bin
** AP Kernel: G925VVRU4BOG7 ENG Kernel
** TrustZone Type: t-base-tui (Filenames suggesting Mobicore present as well)
******
Trying to enter recovery mode with the combo firmware, in my experience, typically sends the device into a panic and boots into "Upload Mode" if it does not simply reboot. The combination firmware does not supply a recovery.img that I've found, and in order to recover the ENG combination recovery, you would have to disassemble the OJ1 ENG sboot.bin in IDA Pro and pull it out.
During the initial boot the device will enter its own recovery mode for a moment while it does its erasing stage. I used the "nand erase all", "re-partition", "F. Reset Time" and "Phone Bootloader Update" options in ODIN. During this brief moment with the "Erasing..." text on-screen, the phone is available in ADB Devices and shows up in recovery mode, meaning ADB shell should be accessible in recovery. If that's possible, that means the device keystore should be accessible as well. The recovery images tend to be bigger because the signatures are stored in the recovery, from what I've read. Can't Dirty COW patch anything it can see, if your shell can't change it?
Using those files, I have full su authority any time I am in ADB shell; the shell runs within the "su:s0" context, and not the "shell:s0" context. Any and all changes are possible through the shell. Writing a new partition table to '/dev/block/platform/15570000.ufs/sdb' using the "partx" tool is probably what broke my phone. So in theory installing SuperSU in System Mode should work much the same as it did on the G95x S8/Plus, I'm gathering. @dragoodwael was correct in supposing "sdb" to be the bootloader overall, as I do now too. Once the reboot command was issued, I lost the ability to do anything at all. All that's possible now is to find a tool that will communicate with the driver my PC's Device Manager loaded for my phone.
Every boot.img I've unpacked using Android Image Kitchen specified that a signature of "SEAndroid type" was found. BUT the only boot.img/kernel that did not specify that it was an "SEAndroid type" while being unpacked is the stock boot.img from the 4AOJ1 combination firmware. Out of the 7 boot images I've unpacked, AIK determined the OJ1 combination boot.img did NOT have an SEAndroid signature on it.
boot.imgs I've unpacked:
1. N920A - PB2 Eng boot.img
2. N920A - FA51 Combi - PH1 boot.img
3. N920A - FA51 Combi - PL1 boot.img
4. G925V - FA50 Combi - OG2 boot.img
5. G925V - FA50 Combi - OJ1 boot.img
6. G925V - OG7 Stock boot.img
7. G925V - OG7 ENG boot.img
I'm not quite sure what that means yet, but I do know that the zip file I have that contains the 4AOJ1 factory binary is not a tar.md5 like usual; it is just a normal .tar. What I'd LOVE to know is: can the 4AOJ1 stock boot.img be unpacked, then repacked, and retain its flashable characteristic, given that AIK does not register a standard signature? Does that mean the OJ1 boot.img uses a different mechanism for signature verification than a standard user binary, or is it simply signed with publicly available signing keys? It's a good question what is different about its signature compared to other stock signatures, even if we don't understand the signatures fully.
I'm also aware of the fact that the combination firmware doesn't actually contain a recovery.img to flash. That is probably why the device goes into Upload Mode and panics when trying to boot recovery after using "nand flash all" and/or "re-partition" in ODIN. But if there were a recovery image for the OJ1 firmware, I imagine it would not have an SEAndroid signature on it either. So there must be something to that.
I wonder what would happen if you tried to flash the OJ1 boot.img to the recovery partition as recovery.img like in the "EasyRecowvery" project, while using the full factory binary.
Is it possible that the newer "ustar" tar format used by Samsung in ODIN packages could be using the custom fields available in a ustar header block to hold at least part of the signing mechanism? I believe so. And I say it because my device runs the Odin3 engine (v1.1203), which looks an awful lot like ODIN v1.12.3. Besides the naming conventions used there, ODIN expects to send/receive images within tar archives, specifically USTAR-format tar archives. So if the ODIN engine on the phone is anything like the PC client application, it expects USTAR-format tar archives as well. If it expects to read in a USTAR header block, there are custom fields possible in known locations of the official tar files, which, when parsed correctly, should lead to finding the extra data after the payload that 7-Zip refers to when the tar.md5 files are extracted. I'm of the mind that the "star" utility, and not the "tar" utility, is what we should be using to create and modify ODIN firmware the way our OEMs do. That is a hypothesis on my part, yes, but I don't think I'm very far off base.
Here is a man page on the "ustar" utility I found interesting and extremely in-depth: ustar(1) - unique standard tape archiver - Linux man page
If you want to see a list of files involved in all of this research, please refer to this folder here: https://drive.google.com/open?id=0B_EcHdXbjhT_dDRneE56WUg3Mlk
It contains all the files I've mentioned except for the OJ1 firmware itself. This is all I'm posting for today; it's a sad day indeed. But I have to gather the bookmarks again to post the links to articles.
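To make the AIK observation in the post above concrete, here is an added example (not code from the thread, from AIK or from Samsung) that parses the v0 Android boot.img header, computes where the page-padded payload ends, and checks for the SEANDROIDENFORCE tag that Samsung appends at that point. It assumes the stock v0 layout (header, kernel, ramdisk, second stage, each padded to page_size) with no appended device tree; build_boot_image, KERNEL and RAMDISK are constructed sample data, not a real firmware image.

```python
"""Parse a v0 Android boot.img header and look for the SEANDROIDENFORCE trailer.

Added example: assumes the stock v0 mkbootimg layout (header, kernel, ramdisk,
second stage, each padded to page_size) with no appended device tree.
"""
import struct

BOOT_MAGIC = b"ANDROID!"
SEANDROID_TAG = b"SEANDROIDENFORCE"
# magic, 8 x u32 (sizes/addresses/page_size), header_version, os_version,
# 16-byte name, 512-byte cmdline, 32-byte id, 1024-byte extra cmdline
HEADER_FMT = "<8s8I2I16s512s32s1024s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 1632 bytes


def _pages(nbytes, page_size):
    """Whole pages needed to hold nbytes."""
    return (nbytes + page_size - 1) // page_size


def parse_boot_header(blob):
    """Decode the fixed header and compute where the page-padded payload ends."""
    if len(blob) < HEADER_SIZE or blob[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (bad magic)")
    (_magic, kernel_size, _kaddr, ramdisk_size, _raddr, second_size, _saddr,
     _tags, page_size, _hdr_ver, _os_ver, name, cmdline, _id, _extra) = \
        struct.unpack_from(HEADER_FMT, blob)
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("implausible page_size %d" % page_size)
    payload_end = page_size * (1 + _pages(kernel_size, page_size)
                               + _pages(ramdisk_size, page_size)
                               + _pages(second_size, page_size))
    return {
        "kernel_size": kernel_size,
        "ramdisk_size": ramdisk_size,
        "second_size": second_size,
        "page_size": page_size,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": cmdline.rstrip(b"\0").decode("ascii", "replace"),
        "payload_end": payload_end,
    }


def trailing_data(blob):
    """Everything after the last padded section: empty, or a vendor trailer."""
    return blob[parse_boot_header(blob)["payload_end"]:]


def seandroid_trailer(blob):
    """Offset of a SEANDROIDENFORCE tag placed right after the payload, or None.

    This literal-string check is what makes unpack tools report an 'SEAndroid'
    signature; it says nothing about how (or whether) the bootloader verifies.
    """
    end = parse_boot_header(blob)["payload_end"]
    return end if blob[end:end + len(SEANDROID_TAG)] == SEANDROID_TAG else None


def build_boot_image(kernel, ramdisk, page_size=2048, name=b"", cmdline=b"", trailer=b""):
    """Constructed sample builder (test data only, not a real firmware image)."""
    header = struct.pack(HEADER_FMT, BOOT_MAGIC,
                         len(kernel), 0x10008000, len(ramdisk), 0x11000000,
                         0, 0x10F00000, 0x10000100, page_size, 0, 0,
                         name, cmdline, b"\0" * 32, b"")

    def pad(chunk):
        return chunk + b"\0" * (-len(chunk) % page_size)

    return pad(header) + pad(kernel) + pad(ramdisk) + trailer


# Constructed stand-ins: gzip magic followed by filler, sized so the kernel
# spans 3 pages and the ramdisk 2 pages at page_size 2048.
KERNEL = b"\x1f\x8b" + b"K" * 5000
RAMDISK = b"\x1f\x8b" + b"R" * 3000
SIGNED = build_boot_image(KERNEL, RAMDISK, name=b"SAMPLE", cmdline=b"console=null",
                          trailer=SEANDROID_TAG + b"\xaa" * 256)
UNSIGNED = build_boot_image(KERNEL, RAMDISK, name=b"SAMPLE")

if __name__ == "__main__":
    for label, img in (("with trailer", SIGNED), ("without trailer", UNSIGNED)):
        hdr = parse_boot_header(img)
        print(label, hdr["name"], "payload ends at", hdr["payload_end"],
              "SEAndroid tag at", seandroid_trailer(img),
              "trailing bytes:", len(trailing_data(img)))
```

Pointed at a real image, trailing_data() shows how many bytes follow the tag, which is where a vendor signature blob would sit. Absence of the tag only means those trailer bytes are not present; it does not by itself tell you which verification path sboot takes for that image.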
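The ustar hypothesis above can be checked directly. This is an added example (not the thread's, Samsung's or Odin's code) that walks a POSIX ustar archive header by header: it lists every field offset in the 512-byte header, including the 12 unassigned bytes at offset 500, verifies each header checksum, and splits off whatever is appended after the end-of-archive marker. On the constructed in-memory sample the appended data is an md5sum-style line, which is the .tar.md5 layout; the two member files are placeholders, not firmware.

```python
"""Walk a POSIX ustar archive header by header and examine what follows it.

Added example: reports every header field (including the 12 unassigned bytes
at offset 500), checks header checksums, and separates any data appended
after the end-of-archive marker, as found in a .tar.md5.
"""
import hashlib
import io
import tarfile

BLOCK = 512
# (field, offset, length) for the POSIX ustar header; "pad" is the only unassigned space.
USTAR_FIELDS = [
    ("name", 0, 100), ("mode", 100, 8), ("uid", 108, 8), ("gid", 116, 8),
    ("size", 124, 12), ("mtime", 136, 12), ("chksum", 148, 8), ("typeflag", 156, 1),
    ("linkname", 157, 100), ("magic", 257, 6), ("version", 263, 2),
    ("uname", 265, 32), ("gname", 297, 32), ("devmajor", 329, 8),
    ("devminor", 337, 8), ("prefix", 345, 155), ("pad", 500, 12),
]


def parse_header(block):
    return {n: block[o:o + l] for n, o, l in USTAR_FIELDS}


def header_checksum(block):
    """Sum of all header bytes with the chksum field itself taken as 8 spaces."""
    return sum(block[:148]) + 8 * 0x20 + sum(block[156:BLOCK])


def _octal(field):
    text = field.rstrip(b"\0 ")
    return int(text, 8) if text else 0


def walk_ustar(blob):
    """Return ([(path, size, typeflag, pad_bytes)], offset just past the end marker)."""
    off, entries = 0, []
    while off + BLOCK <= len(blob):
        hdr = blob[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:
            if blob[off + BLOCK:off + 2 * BLOCK] == b"\0" * BLOCK:
                return entries, off + 2 * BLOCK  # two zero blocks end the archive
            off += BLOCK
            continue
        f = parse_header(hdr)
        if f["magic"] not in (b"ustar\0", b"ustar "):  # POSIX or GNU spelling
            raise ValueError("non-ustar header at offset %d" % off)
        if _octal(f["chksum"]) != header_checksum(hdr):
            raise ValueError("bad header checksum at offset %d" % off)
        size = _octal(f["size"])
        prefix, name = f["prefix"].rstrip(b"\0"), f["name"].rstrip(b"\0")
        path = (prefix + b"/" + name if prefix else name).decode()
        entries.append((path, size, f["typeflag"].decode(), f["pad"]))
        off += BLOCK + -(-size // BLOCK) * BLOCK  # data is padded to whole blocks
    return entries, off


def split_trailer(blob):
    """Separate the archive (plus its zero padding) from anything appended after it."""
    entries, end = walk_ustar(blob)
    pos = end
    while pos < len(blob) and blob[pos] == 0:
        pos += 1  # writers round the archive up to a record size with zero blocks
    return entries, blob[:pos], blob[pos:]


def verify_tar_md5(blob):
    """None if nothing is appended; else whether the appended 'md5  name' line matches."""
    entries, archive, trailer = split_trailer(blob)
    if not trailer:
        return entries, None
    claimed = trailer.split()[0].decode("ascii", "replace")
    return entries, hashlib.md5(archive).hexdigest() == claimed


def build_sample_tar_md5():
    """Constructed sample: two placeholder members in ustar format, then an
    md5sum-style line appended, mimicking the .tar.md5 layout. Not real firmware."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in (("boot.img", b"ANDROID!" + b"\0" * 100), ("sboot.bin", b"S" * 700)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    tar = buf.getvalue()
    return tar + ("%s  sample.tar\n" % hashlib.md5(tar).hexdigest()).encode()


SAMPLE = build_sample_tar_md5()

if __name__ == "__main__":
    entries, ok = verify_tar_md5(SAMPLE)
    for path, size, flag, pad in entries:
        print("%-12s %6d bytes type=%s pad=%s" % (path, size, flag, pad.hex()))
    print("appended md5 matches:", ok)
```

Run walk_ustar over a real Odin archive and look at the pad bytes of every header: non-zero pads would support the custom-field idea, while all-zero pads plus a trailing text line mean the "extra data after the payload" is the appended md5 line, which verify_tar_md5 checks against the archive bytes before it.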

Related

[Q] Porting Meego to the Tab, some Android noob questions before I start

Hi chaps,
I've just bought a Galaxy tab with plans to port Meego to the device.
I'm new to all the Android stuff, and tbh the myriad methods for doing this/that/the other and the relative lack of explanation of what's actually being done in these various methods/tools is quite confusing (and worrying).
So, if you'll bear with me, I have a few questions which are probably quite basic.
I've rooted my Tab using SuperOneClick, no problems there, I also understand that there is a leaked flashing tool called (Multi)Odin and an open source flashing tool called Heimdall. I understand adb.
So onto the questions:
Before I start messing about, how should I backup my existing firmware image? I see people talking about taking image dumps using dd, or Odin or Heimdall. What is the preferred method? And how should one then restore the device from these backups?
Alternatively is it possible to simply download the firmware directly from Samsung (I see links to later firmware, but really I'd be happy with what I have currently - P1000XXJK5 and FROYO.XWJJ7)?
I'm assuming that the best installation method would be to replace recovery, then I can add my own kernel and have it boot a rootfs mounted on the external SD card for example. Any thoughts?
I've seen one thread about people compiling their own kernels, with panics and the like which are solved by giving the full path to the initramfs extracted from the existing image. Any clues as to why the built version doesn't work? This is not so important as I can have a look at this when I build the Samsung source.
Is anyone looking at the bootloaders? Is there any information anywhere about them (as changing the bootloader to allow selection of the kernel to be booted would make life easier)?
Thanks for your patience!
Ok, so to partly answer myself, I see www dot samfirmware dot com has links to downloads of firmware images.
I'd really prefer to generate my own image of what's currently on the device rather than trusting a download site, but I guess it's better than nothing. Does anyone know how these images were generated anyway?
lardman said:
Ok, so to partly answer myself, I see www dot samfirmware dot com has links to downloads of firmware images.
I'd really prefer to generate my own image of what's currently on the device rather than trusting a download site, but I guess it's better than nothing. Does anyone know how these images were generated anyway?
Samfirmware get their images direct from Samsung insiders. They are not dumps.
If you want to dump from your device search "rotobackup" here in the dev forum.
Sent from my GT-P1000 using Tapatalk
alias_neo said:
Samfirmware get their images direct from Samsung insiders. They are not dumps.
Ok that's reassuring.
alias_neo said:
If you want to dump from your device search "rotobackup" here in the dev forum.
Great, just what I was looking for, many thanks
So some more questions:
Any limit to the size of the kernel? Presumably just the size of the partition (which after extracting the image for backup seems to be a pretty large 15.4MB)?
What do all the .rc files in the raminitfs do? They are as follows: fota.rc, init.goldfish.rc, init.rc, init.smdkc110.rc, lpm.rc, recovery.rc
The init.rc is the normal init.rc file, so that's fine. Presumably the recovery.rc file is run if the bootloader detects that recovery mode is wanted (holding down keys during boot). The init.goldfish.rc? I guess this is to do with the emulator, though why it would be in a release image I don't know.
I assume that init.smdkc110.rc is automatically run somewhere along the line, though I don't see where it's started.
Any thoughts on lpm.rc and fota.rc? Are multiple .rc files run for the normal and recovery boots?
Thanks
lpm.rc is for low power mode that displays battery charging animation
goldfish is for running the rom under qemu.
backup your rom using rotobackup. compile samsung's kernel from sources, mix up default initramfs with meego's init scripts. pack all Meego stuff into loop mounted disk image. then flash zImage to kernel and your disk image to factoryfs using heimdall. I assume you have experience hacking N8xx/N900 and Maemo or Meego?
factoryfs is around 300MB so I think it should fit Meego and it (and kernel) can be easily restored with heimdall.
Thanks for the comprehensive reply
Yes I do have experience hacking Maemo/Meego, though have never really had to fiddle with init scripts before and this is as good a reason as any to learn.
I'd actually like to dual boot, so am modifying recovery.rc to bring up the Meego system on the external SD card.
Am just fiddling about building extra kernel modules now (needs btrfs for my image for example) and modifying the recovery.rc file.
Hmm, well I was all set to go and flash my new zImage and was looking for the heimdall command line, when I saw this at the top of one of the threads in this part of the forum (http://forum.xda-developers.com/showthread.php?t=870690):
Restoring to factory after using this process (you need using stock images):
heimdall flash --kernel stockzImage --recovery stockzImage --factoryfs factoryfs.rfs
Which has made me worry a bit that I've missed a recovery partition with its own kernel and wrongly assumed that the same kernel is used for both recovery and normal running, just with a different .rc file to be interpreted by init.
Any thoughts?
Do we trust the partition sizes reported here: http://forum.xda-developers.com/showpost.php?p=9471190&postcount=14
They seem very small for the kernel partition. I used RotoHammer's dd method to grab the contents of the partitions as a backup, so am assuming the sizes shown above are not correct (or represent something else?)
Going back to RECOVERY and ZIMAGE partitions - the ZIMAGE partition contains a recovery.rc, the question is really whether, even if they use the same zImage in both the ZIMAGE and RECOVERY partitions, the version in the RECOVERY partition is actually booted if recovery mode is selected (by holding the up volume key, etc.)? OTOH it may be that the RECOVERY partition is either empty or unused, has anyone tested specifically to see whether recovery.rc is run from the ZIMAGE partition?
Well I think I can answer my own question there, I flashed my modified kernel (modified recovery.rc) only to the KERNEL partition, and it boots normally if I don't touch anything, and just gets stuck on the first Samsung screen if I boot in recovery mode.
So it's doing something, I just can't tell what. Not sure if any kernel messages are getting lost behind that image, or perhaps they aren't even output to the framebuffer at all. I seem to remember seeing something about disabling the splashscreen so I'll go and have a look for that. Anyone got any other suggestions?
P.S. I also note there's a flash of screen corruption as the device starts up with my new kernel, I don't remember seeing that before. Is this a usual occurrence?
I see from the Nexus S port that including adbd in the image seems to be the way to go for early messages, I'll need to generate a new Meego image and have another go later on.
Interesting, I can't see that I've done anything wrong, and my extra init shell script is not started. I am trying to use the "exec" keyword in recovery.rc to start a shell script which will pass control to the Meego rootfs. At the start of my shell script I start adbd (i.e. still within the initramfs), so I should be able to tell if it has started, and it doesn't appear to do so.
Therefore I did some Googling, and I've seen that in some cases the initramfs init does not implement the "exec" keyword (http://forum.samdroid.net/f9/new-init-exec-import-implemented-3280/). This is troublesome for me as it's what I'm trying to use, but at least would explain why I don't seem to leave the init process
I couldn't see the Samsung specific source for init anywhere, has anyone found any? I'm not happy to replace it using the standard Android source as I'm guessing there's code missing which allows the bootloader to tell init how the device was started so that it knows which of the .rc files to run. Has anyone looked into this?
Thanks
Looking at the code in that link it looks pretty straightforward, just a case of parsing the kernel command line (though I might just reverse engineer the existing init first to make sure I'm not missing anything).
Would still be easier to get the actual source code from Samsung, so I've emailed their Open Source group.
lardman said:
P.S. I also note there's a flash of screen corruption as the device starts up with my new kernel, I don't remember seeing that before. Is this a usual occurrence?
I get it with CM
Does CM use a compressed initramfs? I'm using one of those and wondering if it's something to do with the (admittedly small) extra time required to move to init.
I don't have my Tab with me here, could someone post the output of /proc/cmdline please? You'll need to be root. Thanks.
Well it's booting you'll all be glad to hear.
More details to follow, but from memory the following were required:
Custom kernel to add btrfs support (as the image I'm booting is a btrfs partition on the external SD); kernel patch to allow compile-time cmdline to be added to the end of the bootloader cmdline (to enable console=tty0); replace Android init with init script to perform some basic setup then pivot_root to the Meego partition.
Next steps are to get the Meego system running usefully (which includes getting a terminal as currently I just have a login prompt but no way of inputting anything!) and also seeing whether I can get dual booting working with an Android system standard boot and Meego replacing the recovery boot.
Poor pic, but still: http://people.bath.ac.uk/enpsgp/Tab/PICT0040.JPG
Good stuff. Thanks for keeping us informed.
After you've got the groundwork for this done, how easy would it be to get Ubuntu running?
Try google http://lmgtfy.com/?q=ubuntu+on+galaxy+tab
Sent from my GT-P1000 using XDA App
brilldoctor said:
Try google http://lmgtfy.com/?q=ubuntu+on+galaxy+tab
Sent from my GT-P1000 using XDA App
That's using chroot, which I don't want. I want it running natively.
Sent from my Galaxy Tab

[HOW-TO/INFO] Bell FAQ [9-25-2011]

This is my attempt at a Bell FAQ, it is a work in progress.
Q. Why do the instructions I found on how to do X not work?
A. This is a development forum; sometimes things are written in shorthand, assuming you know things you don't. A lot of things are specific to one carrier's phone or another. Sometimes things change and are now obsolete, something new was found, a better way of doing things; if you were not following it all along you are likely to be lost. Read between the lines, you are a human being with reasoning abilities, figure it out.
Q. What should I do first?
A. Backup your phone. That means everything, especially your pds partition. Nandroid won't cut it and you have already modified your phone beyond the ability to get back if you can run it.
Ex. dd if=/dev/block/mmcblk0p3 of=/sdcard/backup/mmcblk0p3
Save your backup on your computer, create a zip of all the files, burn it off on CD/DVD, put it in a safety deposit box at your bank. Be prepared for bricking your phone. A lot of things mentioned in threads here are developed and tested for ATT phones; they may not work 100% on your phone.
Q. What is ADB?
A. It stands for Android Debug Bridge or something like that. It is a program that runs on your computer that lets you talk to your phone using special commands. Your phone has to have adb enabled; it's a setting under application/development.
Ex. adb shell
This opens a linux shell connected to your phone. Linux is an operating system for computers, it is also used as the base for android phones.
Ex. adb install file.apk
Ex. adb push file /tmp
Ex. adb pull /tmp/file .
Q. What is CWM recovery?
A. Android phones come with a special boot configuration that allows for changes to the Android system from a place outside the system. It is very corporate and does the job for official signed updates, but only Motorola and its OEMs can sign the updates. Not much fun for us. CWM recovery is a replacement for the official recovery system that doesn't require signed updates.
You install CWM recovery using fastboot or moto-fastboot.
Q. What is unlocking the bootloader all about?
A. It is the means of putting CWM recovery on your phone so you can install ROMs and other packages. It allows you to flash a partition with mods and have the phone not soft brick when you reboot. When the unlocked versions of the Atrix bootloader were found it started a new round of mods. A lot of the threads prior to that are now obsolete.
Q. How do I unlock the bootloader?
A. There is a huge thread already about this, see here.
WARNING: this is a permanent change to your phone.
Summary:
1. Download the archive
2. Extract the sbf inside, whatever it's called, that is the one to use.
3. Use linux sbf_flash or rsdlite from windows to install it.
4. fastboot oem unlock
5. Copy code fastboot spits out.
6. fastboot oem unlock code
7. fastboot reboot
You will see "unlocked" while booting, and when you get into Android you will have ~300MB of RAM. This will need to be fixed. Also, you will lose all your data during the process, do a backup first.
Q. What is fastboot/moto-fastboot?
A. It's a program to access the phone and do stuff, write phone partition images mostly. The stock one can only handle tiny system images, pretty useless for the Atrix; xda member eval- compiled the Motorola version for us that can handle larger system images, do a search for moto-fastboot.
Ex. moto-fastboot flash recovery recovery.img
Q. How do I fix the RAM problem?
A. I did up a CWM recovery zip to update the boot and recovery partitions to contain a kernel command line with the missing bit "[email protected]" added. See here.
There are other means of doing this; some boot images come prepackaged with the command line already embedded. There are ATT compiled kernels with a patch inside the kernel itself to do the same thing. You can search for those when you are ready to try things like custom ATT kernels on your phone.
Q. How do I root the phone?
A. If you are unlocked and you have fastboot flashed a version of CWM recovery, it is trivial. By that I mean almost impossible for newbies to figure out.
It would go something like this:
1. Boot into CWM recovery.
2. use adb shell
3. adb push a su binary to the phone.
4. mount system as read write as /system
5. copy su binary to /system/bin
6. make sure it has the right permissions, 06755 mode , user root, group root.
7. umount -l /system
8. when in android look on the market for Superuser.apk, install.
Every rooting method out there is all about putting su into /system/bin with 06755 permissions, most don't work anymore since Gingerbread. If you are looking for a simple, no brain involved solution, you are likely to get something working and also something else you didn't want like a replaced preinstall partition or an installed busybox with different functionality for some important system commands. (Busybox may be more up to date even, but if it doesn't do what is expected of the older version, it's still not good.)
Another way would be to create a CWM zip that simply puts the linux su binary in system with the correct permissions. Some info about creating your own can be found here. Doing this is more involved than just doing it manually, but it would be good practice for getting into creating CWM updates.
Here is a link to an exploit someone did up to root the phone when running GB. I haven't tested it, and with an unlocked phone it is totally redundant, but it's nice that someone found yet another security hole in the OS; it seems similar in result to psneuter, so be sure to reboot the phone to fix the exploited system.
Seriously, if you are going to be reading or posting in the development section of xda for an Android phone, take the 5 minutes to become familiar with adb and a few Linux shell commands; it will save you hours of confusion and aggravation. If you fly blind trying things on your phone without understanding what you are doing, you are eventually going to get into a place you can't get out of and need a new phone, or REALLY have to struggle to understand things. You were warned.
Q. How do I get back to stock?
A. You can't unless you have a backup of all your phone partitions and can update your radio and bootloader to be stock. Once you unlock your phone, it is recorded that you did so by blowing a physical fuse on the phone. This cannot be restored, you will need a new phone.
What does stock mean to you? When I bought my phone it had a certain radio, the bootloader couldn't be unlocked, the android system files had certain versions, etc. Beyond the android system there are 18 partitions that I know of on the phone, most phones do with 5-6. Every ota update or sbf files take the normal files and change them to something else, non android partitions get modified or replaced.
I have some solutions for getting close to stock, do a search for Gobstopper. There is one for Bell 2.2.2 and Bell 2.3.4, use one or the other. These attempt a full back to stock operation, that means the radio and bootloader will be stock, recovery will be stock as well. (All the partitions that are on the phone are written over with the ones that were on my phone when I bought it, with the exception of partitions 3 (pds), 15 (cache), 16 (data), and 18 (userdata or internal memory), factory reset clears cache and data, you don't want pds touched or internal memory.) Unlocked will no longer be displayed when you boot and you will no longer have CWM recovery installed. You will need to install the unlocked bootloader again and fastboot flash recovery again if stock is not what you wanted. (Your pds partition is not involved in this operation, so if you made changes to it, either directly or indirectly via a sbf this will not restore it, your pds partition contains individual phone information.)
More about sbf format here.
Q. What does the pds partition taste like?
A. It's not really fit to eat. Now you know.
It is mmcblk0p3, a partition on your phone, it is mounted as /pds when android boots and contains a bunch of folders and files that nobody really understands fully but Motorola. Having a look at some of the files you will see things like your network physical address, bluetooth physical address. You will find threads where the display is all arsed up, cpu running at half speed, touch screen not working right, etc, all due to something going wrong with /pds. It is best to back it up and not mess with it. Restore it in an emergency. Maybe one day everything in there will be figured out, take a stab at it yourself.
See this thread by edgan for how to back up your pds partition.
See this thread by KeRmiT80 about attempting to fix your pds partition. Good motivation to see previous link.
Q. I lost network data access after flashing X.
A. Check your APN list, if it's not a Bell firmware you are using, it probably doesn't have Bell's APN list. Scratch that, you don't know what that is or how to check it.
It stands for Access Point Name, and a big list of them is stored on your phone in one big file (/system/etc/apns-conf.xml); each firmware has its own version of it. Your phone will get two numbers from your carrier's phone network to do a look up in this list to figure out what configuration to use. So say it gets mcc 302, mnc 610; it will check the phone and look up 302, 610 in the file and read what it says there and use that config to try to connect. Now, another thing is that the phone knows what the home network is by these two numbers, embedded somewhere in the system. A foreign, non-Bell carrier won't have Bell's numbers in there, so your phone will think it's roaming. If you have roaming disabled, guess what, no data connection. Your carrier should be smart enough not to charge you for roaming, never had a problem with that, but you never know.
Here are the apn settings you can enter manually for your phone, see Bell's support link.
Q. How do I get webtop over HDMI to work?
A. There are several threads on getting this to work on ATT phones and others, they are specific to the firmware being run on the phone. They involve copying two deodexed files to your system/app folder and replacing the ones already there. You will also need to clear your dalvik cache to get the new code recognized. They are DockService.apk and PortalApp.apk. If you are not deodexed then you also have to remove the .odex files for both.
Here is one thread for Gingerbread, in the zip there is one for ORFR that will get you to viewing the webtop on Bell GB, but applications don't load.
Here is another thread for Froyo that works, see the Bell specific bit in the OP. This does not work from Bell Gingerbread.
To be continued...
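The MCC/MNC lookup the APN answer above describes, as an added example that is not the FAQ author's code: it parses a constructed apns-conf.xml fragment (same schema as the real file, placeholder APN values), matches entries by mcc/mnc and type, and applies the home-versus-roaming rule that produces the "roaming disabled, no data" failure. It keys the APN lookup on the SIM's MCC+MNC and treats the network as home only when its numeric equals the SIM's; both are simplifications of the platform's real logic, stated here as assumptions.

```python
"""Resolve an APN from apns-conf.xml by MCC/MNC and apply the home-vs-roaming rule.

Added example: the XML below is a constructed fragment in the apns-conf.xml
schema with placeholder values, not a carrier's real settings.
"""
import xml.etree.ElementTree as ET

SAMPLE_APNS_CONF = """<apns version="8">
  <apn carrier="Sample Carrier Internet" mcc="302" mnc="610"
       apn="internet.example.invalid" type="default,supl" />
  <apn carrier="Sample Carrier MMS" mcc="302" mnc="610"
       apn="mms.example.invalid" mmsc="http://mmsc.example.invalid" type="mms" />
  <apn carrier="Other Carrier" mcc="310" mnc="410"
       apn="other.example.invalid" type="default" />
</apns>
"""


def load_apns(xml_text):
    """Flatten every <apn> element into a dict of its attributes."""
    return [dict(elem.attrib) for elem in ET.fromstring(xml_text).iter("apn")]


def split_numeric(operator_numeric):
    """'302610' -> ('302', '610'): MCC is always 3 digits, MNC the remaining 2 or 3."""
    if not operator_numeric.isdigit() or len(operator_numeric) not in (5, 6):
        raise ValueError("operator numeric must be 5 or 6 digits")
    return operator_numeric[:3], operator_numeric[3:]


def lookup_apns(apns, mcc, mnc, apn_type="default"):
    """Entries matching mcc/mnc whose type list includes apn_type (no type = any)."""
    matches = []
    for entry in apns:
        if entry.get("mcc") != mcc or entry.get("mnc") != mnc:
            continue
        types = [t.strip() for t in entry.get("type", "*").split(",")]
        if apn_type in types or "*" in types:
            matches.append(entry)
    return matches


def data_allowed(sim_numeric, network_numeric, roaming_enabled):
    """Simplified roaming rule (assumption): the network is 'home' only when its
    MCC+MNC equals the SIM's. Returns (data_permitted, is_roaming)."""
    roaming = sim_numeric != network_numeric
    return (not roaming) or roaming_enabled, roaming


def resolve(apns, sim_numeric, network_numeric, roaming_enabled, apn_type="default"):
    """APN candidates for the SIM's operator plus whether data may use them now."""
    mcc, mnc = split_numeric(sim_numeric)
    permitted, roaming = data_allowed(sim_numeric, network_numeric, roaming_enabled)
    return {
        "roaming": roaming,
        "data_permitted": permitted,
        "candidates": [a["apn"] for a in lookup_apns(apns, mcc, mnc, apn_type)],
    }


if __name__ == "__main__":
    apns = load_apns(SAMPLE_APNS_CONF)
    print(resolve(apns, "302610", "302610", roaming_enabled=False))
    print(resolve(apns, "302610", "310410", roaming_enabled=False))
```

The second call in the main block is the case from the answer: a matching APN exists, but because the serving network's numeric differs from the SIM's and roaming is off, data_permitted comes back False. A firmware whose apns-conf.xml simply lacks the 302/610 entries fails differently: candidates is empty even on the home network.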
Hoping the Mods sticky this
A link should be attached to the wiki as well. I will try to when I get home if it isn't done already.
shouldn't this be in general? or q&a?
Magnetox said:
shouldn't this be in general? or q&a?
Probably both. Most things referenced are in development.
Cheers!
Sent from my MB860 using xda premium
y2whisper said:
Hoping the Mods sticky this
A link should be attached to the wiki as well. I will try to when I get home if it isn't done already.
+1 this should be a sticky on either or both general or development...
cheers for this...this thread is going to help me with my youtube viewers BIG TIME!!
Very nice!
Keep it up NFHimself!
NFHimself said:
This is my attempt at a Bell FAQ, it is a work in progress.
Q. How do I root the phone?
A. If you are unlocked and you have fastboot flashed a version of CWM recovery, it is trivial. By that I mean almost impossible for newbies to figure out.
It would go something like this:
1. Boot into CWM recovery.
2. use adb shell
3. adb push a su binary to the phone.
4. mount system as read write as /system
5. copy su binary to /system/bin
6. make sure it has the right permissions, mode 06755, user root, group root.
7. umount -l /system
8. when in android look on the market for Superuser.apk, install.
Every rooting method out there is all about putting su into /system/bin with 06755 permissions, most don't work anymore since Gingerbread. If you are looking for a simple, no brain involved solution, you are likely to get something working and also something else you didn't want like a replaced preinstall partition or an installed busybox with different functionality for some important system commands. (Busybox may be more up to date even, but if it doesn't do what is expected of the older version, it's still not good.) To be continued...
I used this method to root the stock Bell Gingerbread ROM. Works on an Atrix too. It's a quick download and easy for those people who may not be comfortable with the adb command line.
http://www.psouza4.com/Bionic/
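As an added check that is not part of the thread's instructions or of the linked tool: every rooting method quoted above leaves the same artifact, a setuid su in /system/bin or /system/xbin, and this audit looks for it and reports how it is set up (the demo builds a throwaway directory with a placeholder su rather than touching a real /system).

```python
import os
import shutil
import stat
import tempfile

SU_MODE = 0o6755            # the mode step 6 of the quoted FAQ sets on su
SU_DIRS = ("bin", "xbin")   # where rooting methods drop the binary

def audit_su(system_root="/system"):
    """Describe any su found under <system_root>/bin or /xbin.

    Each finding notes whether the setuid bit (the part that actually hands out
    root) is set, whether the file is root-owned, and whether it is a symlink
    (some methods point su at a busybox applet).
    """
    findings = []
    for d in SU_DIRS:
        path = os.path.join(system_root, d, "su")
        if not os.path.lexists(path):
            continue
        st = os.lstat(path)
        mode = stat.S_IMODE(st.st_mode)
        findings.append({
            "path": path,
            "mode": "%o" % mode,
            "setuid": bool(mode & stat.S_ISUID),
            "root_owned": st.st_uid == 0 and st.st_gid == 0,
            "symlink": stat.S_ISLNK(st.st_mode),
        })
    return findings

def is_rooted(findings):
    """True when some su carries the setuid bit; ownership is reported separately because
    a setuid su owned by a non-root uid only escalates to that uid, not to root."""
    return any(f["setuid"] for f in findings)

def superuser_apk_present(system_root="/system"):
    """The thread also mentions Superuser.apk being placed in /system/app."""
    return os.path.exists(os.path.join(system_root, "app", "Superuser.apk"))

def demo():
    """Audit a throwaway /system lookalike with a placeholder su, first 06755 then 0755."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        su = os.path.join(root, "bin", "su")
        with open(su, "wb") as fh:
            fh.write(b"#!/system/bin/sh\n")   # placeholder file, not an su binary
        os.chmod(su, SU_MODE)
        with_setuid = audit_su(root)
        os.chmod(su, 0o755)                   # same file without setuid: harmless
        without_setuid = audit_su(root)
        return {
            "rooted_when_6755": is_rooted(with_setuid),
            "rooted_when_755": is_rooted(without_setuid),
            "findings_count": len(with_setuid),
            "superuser_apk": superuser_apk_present(root),
        }
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```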
thx
useful for newbies
but can you put some more details about returning to stock and explain the pds partition in detail plz?
papakilo10 said:
I used this method to root the stock Bell Gingerbread ROM. Works on an Atrix too. It's a quick download and easy for those people who may not be comfortable with the adb command line.
http://www.psouza4.com/Bionic/
Had a look at the script in that one, should be fine, doesn't install a busybox or anything like that. I don't care for Superuser.apk in /system/app myself, but it won't harm anything having it there.
Cheers!
ytwytw said:
thx
useful for newbies
but can you put some more details about returning to stock and explain the pds partition in detail plz?
I added a few things, anything in particular you wanted?
I am trying to avoid step by step tutorials or spoon feeding everything, so people who are lazy/careless will have to attempt to think for themselves. It just leads to more questions, more laziness, and bricked phones, and I don't have the time these days.
Cheers!

[DUAL-BOOT][RECOVERY] Ouya Boot Menu for Support of Kernel Image Chain-loading

Hello everyone! Just like others here, I've been somewhat spooked by our inability to enter Ouya's Recovery partition at the earliest stage of booting, meaning a bad flash of the Boot partition would leave the device inoperable. When I heard that Ouya's stock firmware updates were possibly bricking a few units out there, I decided to block updates on mine and see if I could transform the Boot partition such that it would become a logical extension of the bootloader. What I ended up with is something close to the "Ouya Safe Recovery" project, where a user should only need to flash Boot one additional time, along with chain-loading support as well.
Chain-loading in this case refers to the booting of ROM kernel images that reside as regular IMG files under the /sdcard and/or /system filesystems. With this capability it is possible to choose an image to run when the Ouya turns on. As an example, one may wish to set up a 2nd/test kernel+ramdisk image to use with your installed ROM, or he may wish to run Tuomas Kulve's Debian project from time-to-time without having to set up the USB cable for Fastboot mode. When dealing with distinctly different ROMs (not just alternate kernels), only one of them may install to the Ouya's built-in storage (e.g., /system); others must have been designed/created to use external storage.
An image for the Recovery partition is available along with the Boot. The former may be helpful if you wish to try out the boot menu before performing the flash of the Boot partition, or are generally okay with bouncing to Recovery before invoking a chain-load. Either of these may be tested from Fastboot mode, but do note that a successful chain-load requires that the image actually be flashed to the Ouya. (Otherwise it just reboots.) The ClockworkMod (CWM) recovery application is available on both images and is accessible from the boot menu.
Additional Information
There are a few things to consider when deciding if this approach makes sense for you:
- Users of the "Ouya Safe Recovery" project may want to stay put unless the dual-boot aspect is of interest. If so then it would be cleanest to choose my Boot image; the Recovery partition (your ROM image) could be left alone.
- The images here are not compatible with Ouya's stock firmware, due to the auto-update nature of Ouya's ROM. Either your flashed Boot image would get overwritten, or an installed non-Ouya Recovery might cause that update to hang. Therefore, you should be prepared to switch to one of the ROMs here at XDA. If you're currently on stock and don't want to switch right away, that's fine; we'll go over how to block updates for the time being.
- The Ouya CM10 ROM is nice in that it provides the IMG file separately, allowing us to handle it as we wish. However, the other ROMs end up placing their boot.img in the main ZIP. This is standard practice for other devices, but we need to be careful ensuring our Boot partition doesn't get reflashed as part of the ROM installation. Therefore, it would be necessary to investigate repackaging the ROM with an alternate updater-script prior to installation. See my StockPlus post on page 2 for more. (This shouldn't affect those who've opted for my Recovery image.)
This feature is based on CWM's initial ramdisk, and includes a new boot menu application that comes up prior to CWM itself. Basically, CWM shows up later if the menu application exits for any reason. The Ouya stock kernel (561) has also been compiled with HDMI's copy protection turned off, and includes two patch sets:
- KExec-HardBoot is the key to chain-loading on our platform. It overcomes standard KExec's lack of hardware reset (and thus failed execution) by triggering a reboot in the middle of the preparation of the new kernel. This ingenious system has been developed by Tasssadar and others over in the Nexus forums. (Be sure to enable CONFIG_TEGRA_HARDBOOT_RECOVERY if interested in compiling a Recovery kernel.)
- HDMI visual stability has been improved with a little hack of mine: a significant relaxing of a timer in the driver. (The latest Android source has corrected the instability with a significant design change, but my hack seems fine enough for this project.) Also picked up specific Android fixes in the area of Framebuffer double-buffering, as that needs to be working for CWM usability.
Installation
If you're on Ouya's stock firmware, then you should make sure that any future updates do not get applied. There is a project here ("Mod Collection For Ouya") that should help. I personally side-loaded the Baxy custom launcher to avoid Ouya's update environment. It is also likely necessary to stay out of the Ouya/Discover store if going the custom launcher route as I believe the store app can trigger an update.
At this point you can download your chosen image (Boot or Recovery) and unzip to get the IMG file. Boot your Ouya to a working Root/BusyBox environment (ROM or Recovery), and then transfer the IMG to the Ouya. (An example using ADB would be "adb push boot102513.img /sdcard/boot102513.img".)
Bring up the Ouya command prompt (e.g., "adb shell") and run these commands to get started:
su [command not present on CWM - that's okay]
cd /dev/block/platform/sdhci-tegra.3/by-name
ls
You should see the various 3-letter partition names from that last command. Your command prompt should also contain the "#" character to denote root-level access. This next step will save off your current ROM image, both because we may end up overwriting it, and because the saved file will end up as your main bootable kernel for the chain-loader. Run:
cat LNX > /sdcard/kernel.img
(If configured for "Ouya Safe Recovery," then replace the preceding "LNX" with "SOS".)
We are near the flashing stage. Check to make sure your Ouya has a reliable source of power, preferably from an uninterruptible power supply. Recall that a bad flash of my boot image can leave the device inoperable, but I feel the risk is very low provided the following directions are heeded. Fortunately the flash process only takes a few seconds.
For the Boot image option, verify by running:
md5sum /sdcard/boot102513.img
Do not proceed unless you get "e4b1b1ad553e55ad0b2ce3fb8f5bf623".
Again for the Boot image option, flash to the Ouya by running:
dd if=/sdcard/boot102513.img of=LNX
For the Recovery image option, verify by running:
md5sum /sdcard/rcvy102513.img
Do not proceed unless you get "dda0811a7e8e82a7d4ad3fa4c3ae35e4".
Again for the Recovery image option, flash to the Ouya by running:
dd if=/sdcard/rcvy102513.img of=SOS
You may optionally verify (post-flash) by running "md5sum" on the partition name. Finish up with these commands:
sync
reboot
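The flashing steps above (backup, md5 check, dd, read-back, sync), mirrored as an added example that is not from the post. It is host-side Python working on file paths; in the demo, temporary files stand in for the LNX partition and the image, and the md5 values for a real run would be the ones published in the post. The read-back hashes only the image's length, since a partition larger than the image keeps old data after it.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 64 * 1024

def md5_of_file(path, length=None):
    """md5 hex digest of a whole file, or of only its first `length` bytes."""
    h = hashlib.md5()
    remaining = length
    with open(path, "rb") as fh:
        while remaining is None or remaining > 0:
            chunk = fh.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()

def backup_partition(partition, backup_path):
    """The 'cat LNX > /sdcard/kernel.img' step: keep the current kernel before touching the partition."""
    shutil.copyfile(partition, backup_path)
    return os.path.getsize(backup_path)

def flash_image(image, expected_md5, partition, backup_path):
    """Back up the partition, verify the image against its published md5, write it, read it back.

    Nothing is written unless the md5 matches ("Do not proceed unless you get ...").
    The read-back hashes only the first len(image) bytes of the partition: a partition
    larger than the image still holds old data after the image, so an md5 of the
    whole partition would not equal the image's md5 even after a good flash.
    """
    result = {"backed_up": False, "md5_ok": False, "written": False, "readback_ok": False}
    backup_partition(partition, backup_path)
    result["backed_up"] = True
    expected = expected_md5.lower()
    if md5_of_file(image) != expected:
        return result  # wrong or damaged download: stop here
    result["md5_ok"] = True
    size = os.path.getsize(image)
    part_size = os.path.getsize(partition)  # 0 for a block device node on Linux
    if part_size and size > part_size:
        return result  # image would not fit; refuse rather than overrun
    with open(image, "rb") as src, open(partition, "r+b") as dst:
        shutil.copyfileobj(src, dst)   # dd if=image of=partition
        dst.flush()
        os.fsync(dst.fileno())         # sync
    result["written"] = True
    result["readback_ok"] = md5_of_file(partition, size) == expected
    return result

def demo():
    """Constructed run: a 4 KiB zero-filled 'partition', a 1000-byte image, good md5 then bad md5."""
    work = tempfile.mkdtemp()
    try:
        partition = os.path.join(work, "LNX")
        image = os.path.join(work, "boot.img")
        backup = os.path.join(work, "kernel.img")
        with open(partition, "wb") as fh:
            fh.write(b"\x00" * 4096)
        payload = bytes(range(256)) * 3 + b"OUYA" * 58   # 768 + 232 = 1000 bytes
        with open(image, "wb") as fh:
            fh.write(payload)
        good = flash_image(image, hashlib.md5(payload).hexdigest(), partition, backup)
        with open(partition, "rb") as fh:
            after = fh.read()
        bad = flash_image(image, "0" * 32, partition, backup)  # deliberately wrong md5
        return {
            "good": good,
            "bad": bad,
            "image_in_place": after[:1000] == payload,
            "tail_untouched": after[1000:] == b"\x00" * 3096,
            "backup_size": os.path.getsize(backup),
        }
    finally:
        shutil.rmtree(work)

if __name__ == "__main__":
    print(demo())
```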
Usage / Configuration
The menu should come up, defaulting to "kernel.img" for the Boot image and "CWM" for Recovery. That default will then launch after ten seconds of inactivity. You may also briefly press the Ouya power button during the wait to advance through the options. The option list is 1) kernel.img, 2) kernelA1.img, 3) kernelA2.img, 4) CWM, and 5) Recovery Partition.
The defaults from above should be fine for most everyone, but it is possible to fine-tune them. An optional configuration file (/sdcard/bootmenu_b.cfg for Boot, /sdcard/bootmenu_r.cfg for Recovery) may be established to specify the default menu entry as well as the inactivity timeout. As an example, the following command would make Recovery start kernelA1.img after five seconds:
echo "2 5" > /sdcard/bootmenu_r.cfg
It is hoped that the menu would never hang. If it does, then waiting a full minute should allow CWM to start. Otherwise, it may be necessary to attach a wired/USB keyboard and type in the Alt-SysRq-X sequence, similar to Ctrl-Alt-Delete on a PC. The sequence might have to be done early on in the menu startup process, and should blink the Ouya light and place it in Fastboot mode.
The menu may unexpectedly place you in CWM, which would indicate an issue with a chain-load. The reason may be due to a missing or corrupt IMG file. Otherwise you should be able to determine why by checking /tmp/bootmenu.log against the attached source code.
---
I hope this project will be of help to others!
An additional support forum that everyone should be able to post at is available: http://forum.xda-developers.com/showthread.php?t=2450711.
Wow, really great. Thanks a lot for your effort
Sent from my One X+ using Tapatalk
nchantmnt said:
Wow, really great. Thanks a lot for your effort
My pleasure, nchantmnt. Hope your new Ouya is helping you feel at home!
Yes, I'm happy it already arrived, but after a second miscarriage and lots of stress because of a lawsuit with our neighbour I didn't have time nor nerves to play or code. Seriously, this year sucks
Sent from my One X+ using Tapatalk
nchantmnt said:
Yes, I'm happy it already arrived, but after a second miscarriage and lots of stress because of a lawsuit with our neighbour I didn't have time nor nerves to play or code. Seriously, this year sucks
Gosh, I'm very sorry to hear that. Do think ahead to the upcoming holiday season, and may it be a time to reflect and anticipate a fruitful 2014.
@Hal9k+1 - THANK YOU!
I was so nervous flashing CWM and StockPlus as there is no real way to fix things if something goes wrong. This should give people more confidence when flashing their Ouya.
I understand the process using ADB...my question is: can this be used from CWM somehow?
PS. I assume a new kernel will always be flashable from CWM; the hack does not require 561 specifically.
Ipse_Tase said:
I understand the process using ADB...my question is: can this be used from CWM somehow?
Hi Ipse_Tase - I do hope the feature will be helpful to you and others.
As I think about your question, I suppose I could have created a ZIP that would have been installed by CWM. Similarly I could have worked through some form of installation shell script. But for an important operation such as flashing, I prefer the one-at-a-time approach of the interactive shell.
Note that CWM does have an ADB service running with it. Your Ouya would show up as a different device while in CWM, so you'd need to enter Device Manager (Windows) and point the unknown device to the same ADB driver as used for the main ROM.
Alternatively you could skip ADB for this Ouya Boot Menu installation and set up an SSH server on your main ROM. I personally have installed "SSH Server" (Ice Cold Apps). I recall two screens to set up (does require the trackpad in cases), where I enabled automatic start on both, and also set the port number to 2222. After an Ouya reboot I had SSH/SCP capability and could use PuTTY/pscp from Windows.
Hal9k+1...fast reply, thank you.
Just to put my ever-so-senile brain at ease: so I run StockPlus 519r1, and WHILE in the ROM, I start ADB and follow your instructions.
OR...I enter CWM, make sure I get the right ADB drivers installed for THAT instance and go from there.
For a developer, I'm sure it's easier and more familiar to run ADB commands - for people like me (5%-over-the-average-user) a CWM option to flash a zip and do all this would be more in line with the abilities to hack.
I have rooted 4-5 devices so far and the only time I type any ADB commands is at root/unlock time - sometimes not even then (Nexus 4 and the Root Toolkit).
So if you ever consider creating a recovery flashable file, it would help many. Probably not me, as by then I would have done the ADB trick
Sounds like great work! I was hoping to implement something like this myself, but I haven't made any more time for OUYA-related development in a while (due to positive life events/busyness)
I will definitely take a look at your work when I have time!
~Troop
Ipse_Tase said:
Hal9k+1...fast reply, thank you.
Just to put my ever-so-senile brain at ease: so I run StockPlus 519r1, and WHILE in the ROM, I start ADB and follow your instructions.
OR...I enter CWM, make sure I get the right ADB drivers installed for THAT instance and go from there.
You got it! You don't need to worry about booting to the other partition prior to flashing. That is, a given partition (LNX/SOS) is no longer being accessed once the image is booted. For CWM's ADB, you'd simply point Windows to the same INF file that you originally used. Hope this helps.
StockPlus Installation
Well, I finally retired this old stock 393 ROM I was on, and moved to StockPlus 519r2. I was not able to install it the normal way given my Boot image is in place here. So I ended up modifying "updater-script" under META-INF/com/google/android, and then repackaged prior to running the install procedure. I'm attaching my changed version in case it helps anyone, and please note that it makes StockPlus the main image (kernel.img).
(You'll need to right-click to save the attachment. Once done it will need to be renamed such that it does not include the ".txt" suffix.)
The Windows "7-Zip" utility is helpful for packaging. You may start by right-clicking the downloaded ZIP, then 7-Zip --> Extract to "OUYA_[...]". Enter the newly created directory, get to the updater-script, and replace it with mine. Now back up to the area with META-INF, system, and boot.img, still in the new directory. Select all three under Windows (Ctrl+Click), right click that area, and then 7-Zip --> Add to "OUYA_[...].zip". Be sure this new ZIP is the one that makes it to the Ouya.
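An added check, not part of StockPlus or of this post, for the boot.img problem described above and on page 1: it reads the updater-script out of a ROM zip and flags the statements that write boot.img or the LNX/SOS partition, and can drop the single-line ones before repackaging. The updater-script here is a constructed sample in the usual Edify layout; the partition path follows the by-name directory used in this thread.

```python
import io
import re
import zipfile

UPDATER_SCRIPT = "META-INF/com/google/android/updater-script"
# Boot partition (LNX) and the Recovery partition (SOS) this thread's images may occupy.
BOOT_WRITE_RE = re.compile(r'boot\.img|/by-name/(LNX|SOS)\b|"LNX"|"SOS"')

def find_boot_writes(zip_source):
    """(line_number, line) pairs in the ROM's updater-script that touch boot.img or LNX/SOS.

    zip_source may be a path or a file-like object holding the ROM zip.
    """
    with zipfile.ZipFile(zip_source) as zf:
        script = zf.read(UPDATER_SCRIPT).decode("utf-8", "replace")
    hits = []
    for number, line in enumerate(script.splitlines(), 1):
        if BOOT_WRITE_RE.search(line):
            hits.append((number, line.strip()))
    return hits

def strip_boot_writes(script):
    """Drop single-line Edify statements that write the boot partition.

    Statements spanning several lines are left alone on purpose, so run
    find_boot_writes over the repackaged zip again before installing it.
    """
    kept = []
    for line in script.splitlines(keepends=True):
        if BOOT_WRITE_RE.search(line) and line.rstrip().endswith(";"):
            continue
        kept.append(line)
    return "".join(kept)

def build_sample_zip(script):
    """Constructed minimal ROM zip holding only the script; real ROMs also carry system/ and boot.img."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(UPDATER_SCRIPT, script)
    buf.seek(0)
    return buf

# Constructed updater-script in the common Edify layout (not StockPlus's real one).
SAMPLE_SCRIPT = """ui_print("Installing sample ROM...");
mount("ext4", "EMMC", "/dev/block/platform/sdhci-tegra.3/by-name/APP", "/system");
package_extract_dir("system", "/system");
package_extract_file("boot.img", "/dev/block/platform/sdhci-tegra.3/by-name/LNX");
unmount("/system");
"""
```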
Still haven't tried this out yet, but I hope to soon.
I missed out on news over the holidays though and just noticed this:
Announcing Ubuntu and Android dual boot developer preview
http://developer.ubuntu.com/2013/12/announcing-ubuntu-and-android-dual-boot-developer-preview/
I'm curious about their dual boot implementation and how it compares and if we can synergize with their approach, but haven't looked into the details of how theirs works yet (it sounds like it uses a custom recovery image, and they have the ability to trigger it to reboot into Ubuntu from an Android app and vice versa, which is cool)
It'd be awesome to be able to multi-boot an Ouya ROM, an Android ROM (CyanogenMod), and Ubuntu with that kind of ease.
EDIT: This may be more our speed though: (MultiROM)
http://forum.xda-developers.com/showthread.php?t=2011403
(did you pull anything from there? Sounds like they have a modified TWRP that can flash zips to the other ROM slots, which is something I was also hoping to implement)
~Troop
Thanks, Trooper. Good to see Ubuntu moving further along in the mobile world.
I briefly looked at MultiROM since it originated from the KExec-HardBoot work, but decided not to go in that direction. The main reason is that I decided not to pursue the setup/learning of an Android build environment, but also because it wasn't clear how I'd deal with our lack of a touchscreen and lack of volume up/down buttons. I ended up creating a small application that fits within Ouya's CWM framework and starts up before CWM itself; it monitors the power button for click events and writes to the framebuffer memory region using regular Linux calls.
I'm not too concerned about the dual-boot aspect of this new Ubuntu, but the lack of touchscreen could be a hindrance if mouse/keyboard were not a viable substitute. Whether this Ubuntu is designed to work from external storage is another question, since our /system and /data would be occupied by Android. But in general I think we could boot it from my framework, and if my Boot image were selected over the Recovery one, then the Ubuntu kernel could reside in Recovery and also be bootable from the Android side with the "reboot recovery" command.
Best of luck, and hope you'll have a chance to try it all!
accidental post please delete

[Q] XT890's Medfield SoC architecture

(I know this thread maybe should belong to Development forum, but I'm posting here since I don't have enough posts to discuss there yet)
I'm in the second year of Computer Science, being a dynamic/interpreted languages programmer for over 6 years now, C/C++ for 2 years.
I have a solid understanding on the x86 PC architecture: interrupts, buses, etc. I'm pretty good at basic x86 assembly... Been studying UEFI for over a month... Whatever.
I've lost the past couple hours searching but didn't find anything on the architecture of our device. Is the "Bootloader" here comparable to a BIOS? Or is it like any PC bootloader (MS-DOS, Windows, Linux bootloaders)? Is there anything like a BIOS at all or does the OS, once booted, manage all the hardware interrupts by itself? Can I use INT 10H on XT890? Is it ANYTHING close to the PC architecture?
PCI, ISA, (parallel and serial) "ports" managed by a chipset between the peripherals and the x86 core itself?
Ok, it's x86. Once the system has booted, we can call x86 instructions, ok... But what is under that? Is there any reference on this? How can I boot my own code, if it's not Linux?
I really got nowhere trying to learn about the architecture underneath Android and Motorola's Bootloader on Medfield. Found nothing on Intel nor Motorola websites. What am I doing wrong?
Thanks in advance!
I'm studying this myself but there is a lot that I need to learn. Check these to see if they help.
http://bootloader.wikidot.com/android
http://elinux.org/Android_Booting
http://www.ibm.com/developerworks/linux/library/l-linuxboot/
I would like more info about the RAZR I as well, considering it's the only mainstream phone with a x86 processor I'd expect more documentation about it, I am receiving a RAZR I soon.
From what I know, its boot process is similar to other Android devices: it loads and decompresses a boot.img file that includes a ramdisk and the kernel. You should be able to load another non-Linux OS by chainloading a secondary bootloader there. I honestly would like to see more development on the Razr i, specifically to get native GNU/Linux with X11 running
Using @thiagomtl's links, I was able to understand a little more about the Boot process. XT890 seems to have basically the same mechanics of the ARM ones, but x86 tuned.
However I'm yet to understand the differences between "normal" Linux bootstrapping and the Android Bootloader's one.
On an average legacy Linux box we have GRUB/LILO on the MBR. Making a hell of a simplification here: the user turns the PC on, BIOS does the POST and then loads whatever code is on the MBR. GRUB is a very small program there, which simply loads a driver for the storage device, loads vmlinuz and the f*ing ramdisk into memory and executes it (effectively by simply pointing the IP to the address where the kernel is in memory).
Samuelgames said:
I would like more info about the RAZR I as well, considering it's the only mainstream phone with a x86 processor I'd expect more documentation about it, I am receiving a RAZR I soon.
From what I know, its boot process is similar to other Android devices: it loads and decompresses a boot.img file that includes a ramdisk and the kernel. You should be able to load another non-Linux OS by chainloading a secondary bootloader there. I honestly would like to see more development on the Razr i, specifically to get native GNU/Linux with X11 running
But the boot process is just a part of my original question. OK, an important one, but a part.
What about the structure of the device? How is it all implemented? Is the display using plain old VESA VBE? Are the input devices PS/2? USB? Is the power implemented using ACPI standards? lol
As far as I'm concerned the Atom SoC doesn't respect many industry standards for the architecture, even for those which run Windows 8; buttons on the Razr I should naturally be defined as GPIO, like the notification LED. I don't think the display respects VESA standards (SGX 540 can't even do scaling) but it should fall back to them to some extent depending on how you initialize the framebuffer.
All of this should be in the Motorola kernel. I haven't taken a look at it but I surely will once I get my phone
@Hazou, @YaPeL, @Omar-Avelar
you guys know anything about this?
OK, this is all I know about it by searching through the code and the internet and by finding out myself (no sources included, just my memory). It's all Linux, nothing like Windows.
Kernel:
We indeed are making an x86 kernel, but not for normal PCs. We use the mid-x86 implementation within the x86 code of the kernel (arch/x86/platform/mid-x86). MID is the Intel word for all the SoCs for mobile platforms Intel is using. The normal upstream Linux doesn't provide all the necessary code. And it has changed with the new Android version 4.4.2 for our device.
Boot sequence:
The Android devices use some sort of bootloader: Droidboot. Droidboot includes the fastboot commands and starts the bring-up of the Android system. You can read about it on the internet. In most devices (ARM) it is the first thing that gets called.
Our Intel device is a little different. Before the droidboot gets loaded, the firmware of the device loads another OS, also called POS (I think preprocessor OS, or something). Those get updated with the dix and efwi (wrong name) files we got. The POS can be accessed by booting into the Medfield download mode through the camera button, if I am correct. The POS then loads the droidboot, which will in turn load the rest, like a Linux device which loads from the bootloader.
The partition layout can be found in the gpt.bin. It can be flashed through fastboot and can change every partition afaik.
So the boot order is:
1. POS/RADIO
2. DROIDBOOT
3. BOOT.IMG is like linux. First the kernel then the ramdisk with the kernel modules.
4. ANDROID
To comment about the JB implementation.
We can build our own kernel and we can, if we want and take the time, upgrade the kernel to the newest version (for android is that 3.10, but we should be able to manage to go fully upstream 3.17). But that takes a lot of time.
I also noticed that, from what I heard, some kernel modules specific to our device have changed and now the kernel that we have can't load the new firmware files in 4.4. So we will need the next kernel from Moto to compile our own when 4.4.2 is released. Those changes are not upstream.
Hazou said:
The POS then loads the droidboot which will in turn load the rest, like a linux device which loads from the bootloader.
The partition layout can be found in the gpt.bin. It can be flashed through fastboot and can change every partition afaik.
So the boot order is:
1. POS/RADIO
2. DROIDBOOT
3. BOOT.IMG is like linux. First the kernel then the ramdisk with the kernel modules.
4. ANDROID
This is the most interesting part for hundreds of us. Is there a way we can find what sectors are used for the pos so we can possibly repair code corrupt?
I have a feeling the gpt is messed up so any amount of writing to the dnx or ifwi will be in the wrong location.
I can't find any information on this phone at all.
I think it's time I bought a spare mobo and dumped everything to compare a broken to working
Flacid Monkey said:
This is the most interesting part for hundreds of us. Is there a way we can find what sectors are used for the pos so we can possibly repair code corrupt?
I have a feeling the gpt is messed up so any amount of writing to the dnx or ifwi will be in the wrong location.
I can't find any information on this phone at all.
I think it's time I bought a spare mobo and dumped everything to compare a broken to working
If I am correct they are present on the partition layout of the phone. I just don't know which ones are the right ones. Never looked good enough at that.
Also, to repair the gpt and write the dnx or ofwi to the right location you need a dd command or flash command with the right parameters. The flash command most likely won't work because of the gpt partition and the dd command won't either because most of the time you don't have access to a recovery anymore.
But my knowledge about this is limited, so if you dare to put your phone on the line and maybe have the knowledge and skills to do what some people need, please do. I can't and need my phone working
Hazou said:
If I am correct they are present on the partition layout of the phone. I just don't know which ones are the right ones. Never looked good enough at that.
Also, to repair the gpt and write the dnx or ofwi to the right location you need a dd command or flash command with the right parameters. The flash command most likely won't work because of the gpt partition and the dd command won't either because most of the time you don't have access to a recovery anymore.
But my knowledge about this is limited, so if you dare to put your phone on the line and maybe have the knowledge and skills to do what some people need, please do. I can't and need my phone working
Skills/knowledge = limited. I'm no programmer but I take information in like a 100 petabyte SSD.
My phone's knackered, I'm trying to fix it but it's not easy! If it's fixed, I'll break it again to make sure the fix works :good:
It's going to be a long road, there is zero success since the first report of code corrupt.
As you say, I need the right param. There's almost no information about it anywhere and what information is about is very fragmented.
I'll keep you updated
Flacid Monkey said:
Skills/knowledge = limited. I'm no programmer but I take information in like a 100 petabyte SSD.
My phone's knackered, I'm trying to fix it but it's not easy! If it's fixed, I'll break it again to make sure the fix works :good:
It's going to be a long road, there is zero success since the first report of code corrupt.
As you say, I need the right param. There's almost no information about it anywhere and what information is about is very fragmented.
I'll keep you updated
I am almost certain it can be fixed as long as it is a software failure (some maybe have a hardware failure). As this seems to be one of them it should be fixable as long as your BL is unlocked. With a locked bootloader you don't stand any chance (nah, maybe with the Medfield flasher, but that one is also limited).
Take a look at the Acer padphone or something. Dunno how it is called exactly. It also uses the Intel SoC and makes use of the Medfield flasher.
I never had a phone that's corrupt so I can't say much about it, but I can help with thinking my way through. If you have that problem, can you boot into fastboot or is that even impossible? I know we can flash the POS and fastboot through xfstk. So with the right combination it should work. And if not we can try to flash the modem as extra if that is possible. But do know it can hard-brick the device (modem, lowest thing of the device) of course, although you don't have much choice now
Another thing, because fastboot (and even recovery) can flash the dix, ifwi and bootloader files, I 'assume' xfstk (that can also flash the ifwi, dix and bootloader) can flash the whole eMMC with indeed the right parameters. We have the source code of the fastboot/recovery ifwi, dix and bootloader flasher, also called update_osip.
So think it out, I will wait and see.
UART console
Has somebody tried to access a UART console on our Razr i? Would be nice for debugging.
Intel's datasheet says the board has 3 UART ports. http://ark.intel.com/products/70097
I hope one UART port can be accessed via USB or audio jack. Like on this device: http://forum.xda-developers.com/showthread.php?t=1081743
Or is it only possible by opening the phone and looking for JTAG pins?

[TOOLS] Create unlock.img, fix boot.img, repack update.bin (for aboot

The attached archive includes 3 tools for those of you with .3.2.3.2 (or earlier) bootloaders.
Since other tools (and earlier version of these very tools) are available and working well,
this is mostly meant as an entry to an imaginary beauty contest. (JOKING!!!)
cuber.py
a generic gmpy2-free reimplementation of @vortox's signature.py
use this to generate your unlock.img
cuboot.py (uses cuber.py)
a Python-only reimplementation of @vortox's cuber
includes fixes to the kernel command-line and the device-tree
use this to convert a standard Amazon boot.img (>=.4.x.x)
upHDX (uses cuboot.py)
bash script to repack Amazon updates for TWRP
could be DANGEROUS, use with care
tested on Apollo for both 14.4.5.2 and 14.4.5.3
my unit is fully 14.4.5.3 now, except for aboot (which is 3.2.3.2)
should work on Thor as well
Those with bootloader .3.2.6 and lower can downgrade to .3.1.0
and upgrade the bootloader to the latest vulnerable version .3.2.3.2.
Those with .3.2.7 and higher appear to be out of luck with forged signatures, but I hear there's progress on rooting .4.5.2.
The python scripts have been tested on the following OS / Python combinations:
Windows: 2.7.9 and 3.4.3
Linux: 2.7.9 and 3.3.4
OSX: 2.6.? (cannot quite remember)
In addition to the tools themselves, I also included "educational" examples
(examples.sh for Linux/OSX, examples.bat for Windows).
These make use of the split.py script, which is otherwise unnecessary.
(The Windows example also shows that simply echoing your manfid/serial
combo to cuber.py -the way one does in Linux/OSX- won't work due to
the carriage-return character introduced by the echo command.
You'll need to handcraft a file matching the '0x%02x%08x\n' format...)
Another batch file py..bat is meant as an extra aid for Windows users
to avoid trouble with setting paths and such. You should be able to simply
download and install your preferred Python version.
Open a command shell (cmd.exe), navigate to wherever you extracted the
archives, and type 'py PYTHON-SCRIPT ARGS' to run the Python scripts.
(This handholding intentionally does NOT work for the upHDX script.)
Hopefully, someone will find these simple tools useful.
EDIT: To unlock your bootloader (<=.3.2.3.2), you'll need adb and fastboot.
On Linux, most distributions package these separately. Look for android-tools-{adb,fastboot} or some such.
For Windows, you can get these from the official Android SDK (which is a **large** download,
with a lot more tools you won't need, if you don't already use them, but it's safe).
Alternatively, there's a very legit-looking project here on XDA, with a much smaller
download, fast install, and exactly the tools you need. I haven't used either... (-;
The actual unlock procedure is described here and here.
EDIT#2: I added another script 'cublock.py' to make unlock.img generation super easy both on Windows and Linux.
MD5( tools.zip) = c17fc91344bd3b4b040129a79a39741f
EDIT#3: Fixed issues with older versions of certain tools on Debian 7.
MD5( tools.zip) = 4f93ab667fd61db26c83675ce0bd6d9f
EDIT#4: Fixed a bug when 'cuber.py' is used directly from the command line.
MD5(tools.zip) = 67b4a6d65aa2b0aa3500b122c8a25290
XDA:DevDB Information
HDXtools, Tool/Utility for the Amazon Kindle Fire HDX 7" & 8.9"
Contributors
draxie
Version Information
Status: Alpha
Created 2015-03-13
Last Updated 2015-03-13
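As an added example (not part of draxie's tools), a small Python helper that builds the manfid/serial input in the '0x%02x%08x\n' format described in the post above, and checks an existing input file for the carriage-return problem the Windows echo command causes; the sample manfid/serial values below are constructed, not from a real device.

```python
import re

# Input format cuber.py / cublock.py expect, as stated in the post above:
# '0x%02x%08x\n', i.e. 2 hex digits of manfid, 8 of serial, one LF, no CR.
UNLOCK_INPUT_RE = re.compile(rb"\A0x[0-9a-f]{10}\n\Z")

def parse_sysfs_hex(text):
    """Parse what 'cat /sys/block/mmcblk0/device/{manfid,serial}' prints.
    Accepts an optional 0x prefix and tolerates CRLF endings; returns an int."""
    cleaned = text.strip()
    if not re.fullmatch(r"(0x)?[0-9a-fA-F]+", cleaned):
        raise ValueError("not a hex value: %r" % (text,))
    return int(cleaned, 16)

def build_unlock_input(manfid_text, serial_text):
    """Return the exact bytes for cuber.py's input, built from the raw manfid
    and serial strings (no need to fuse them by hand). The ranges follow the
    format widths: manfid must fit %02x, serial must fit %08x."""
    manfid = parse_sysfs_hex(manfid_text)
    serial = parse_sysfs_hex(serial_text)
    if not 0 <= manfid <= 0xFF:
        raise ValueError("manfid 0x%x does not fit in %%02x" % manfid)
    if not 0 <= serial <= 0xFFFFFFFF:
        raise ValueError("serial 0x%x does not fit in %%08x" % serial)
    return ("0x%02x%08x\n" % (manfid, serial)).encode("ascii")

def check_unlock_input(data):
    """Return None if 'data' is well-formed, otherwise a description of the
    problem. Catches the pitfall from the post: the CR that Windows 'echo'
    adds before the newline, which is why the naive echo approach fails."""
    if b"\r" in data:
        return "carriage return present: write the file with LF only"
    if not UNLOCK_INPUT_RE.match(data):
        return "does not match the '0x%%02x%%08x\\n' format: %r" % (data,)
    return None

def write_unlock_input(path, manfid_text, serial_text):
    """Write the input file in binary mode so no newline translation occurs."""
    data = build_unlock_input(manfid_text, serial_text)
    with open(path, "wb") as f:
        f.write(data)
    return data
```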
Thanks for your work.
Can I use upHDX to remove bootloader, recovery from 4.5.3 and flash via TWRP?
Thanks
tuanda82 said:
Thanks for your work.
Can I use upHDX to remove bootloader, recovery from 4.5.3 and flash via TWRP?
Thanks
Let's hope so. That's what I did, in any case.
I'm an adventurer; so, I ran './upHDX fw update-kindle-14.4.5.3_user_453011120.bin',
pushed the resulting update-kindle-14.4.5.3_user_453011120-upHDXfw.zip to my HDX 8.9
and installed it with TWRP.
Worked for me, but I cannot provide any guarantees, unfortunately.
It may be wise to omit 'fw', and doublecheck that you're happy with the contents of the
updater-script in the newly generated archive.
AND, -of course- make sure your bootloader version is at most .3.2.3.2!!!
draxie said:
Let's hope so. That's what I did, in any case.
I'm an adventurer; so, I ran './upHDX fw update-kindle-14.4.5.3_user_453011120.bin',
pushed the resulting update-kindle-14.4.5.3_user_453011120-upHDXfw.zip to my HDX 8.9
and installed it with TWRP.
Worked for me, but I cannot provide any guarantees, unfortunately.
It may be wise to omit 'fw', and doublecheck that you're happy with the contents of the
updater-script in the newly generated archive.
AND, -of course- make sure your bootloader version is at most .3.2.3.2!!!
Thanks. But your upHDX script is for Linux users only. I am on Windows.
If you have time could you upload your xxxx_14.4.5.3_xxxx.zip? Thanks
draxie said:
The attached archive includes 3 tools for those of you with .3.2.3.2 (or earlier) bootloaders.
Since other tools (and earlier version of these very tools) are available and working well,
this is mostly meant as an entry to an imaginary beauty contest. (JOKING!!!)
cuber.py
a generic gmpy2-free reimplementation of @vortox's signature.py
use this to generate your unlock.img
cuboot.py (uses cuber.py)
a Python-only reimplementation of @vortox's cuber
includes fixes to the kernel command-line and the device-tree
use this to convert a standard Amazon boot.img (>=.4.x.x)
upHDX (uses cuboot.py)
bash script to repack Amazon updates for TWRP
could be DANGEROUS, use with care
tested on Apollo for both 14.4.5.2 and 14.4.5.3
my unit is fully 14.4.5.3 now, except for aboot (which is 3.2.3.2)
should work on Thor as well
Those with bootloader .3.2.6 and lower can downgrade to .3.1.0
and upgrade the bootloader to the latest vulnerable version .3.2.3.2.
Those with .3.2.7 and higher appear to be out of luck with forged signatures, but I hear there's progress on rooting .4.5.2.
The python scripts have been tested on the following OS / Python combinations:
Windows: 2.7.9 and 3.4.3
Linux: 2.7.9 and 3.3.4
OSX: 2.6.? (cannot quite remember)
In addition to the tools themselves, I also included "educational" examples
(examples.sh for Linux/OSX, examples.bat for Windows).
These make use of the split.py script, which is otherwise unnecessary.
(The Windows example also shows that simply echoing your manfid/serial
combo to cuber.py -the way one does in Linux/OSX- won't work due to
the carriage-return character introduced by the echo command.
You'll need to handcraft a file matching the '0x%02x%08x\n' format...)
Another batch file py..bat is meant as an extra aid for Windows users
to avoid trouble with setting paths and such. You should be able to simply
download and install your preferred Python version.
Open a command shell (cmd.exe), navigate to wherever you extracted the
archives, and type 'py PYTHON-SCRIPT ARGS' to run the Python scripts.
(This handholding intentionally does NOT work for the upHDX script.)
Hopefully, someone will find these simple tools useful.
EDIT: To unlock your bootloader (<=.3.2.3.2), you'll need adb and fastboot.
On Linux, most distributions package these separately. Look for android-tools-{adb,fastboot} or some such.
For Windows, you can get these from the official Android SDK (which is a **large** download,
with a lot more tools you won't need, if you don't already use them, but it's safe).
Alternatively, there's a very legit-looking project here on XDA, with a much smaller
download, fast install, and exactly the tools you need. I haven't used either... (-;
The actual unlock procedure is described here and here.
EDIT#2: I added another script 'cublock.py' to make unlock.img generation super easy both on Windows and Linux.
MD5( tools.zip) = c17fc91344bd3b4b040129a79a39741f
Thanks a lot for the good work but id like to let tell you that it will be great if you can explain all the entire work in layman's terms because there would be many people having hundreds of questions and concerns.
Just an advice if you feel worthy... No disrespect intended...
I would like it in layman terms...
And how to do it on Windows. This seems like confusion for me. I have no idea where to start.
I did it all in windows 8.1 64 bit edition.
With help from this post:
http://forum.xda-developers.com/showpost.php?p=58897784&postcount=67
get Python 2.7 for windows and install it >>https://www.python.org/download/releases/2.7/
btw I installed the 64 bit edition for both
get GMPY2 for Python 2.7 https://code.google.com/p/gmpy/downloads/list
Follow the post for step by step. I encountered some trouble with fast boot driver, I had to remove the driver and install a generic one I selected from windows then I manually installed it. Ran the fast boot command to unlock and I was unlocked. a lot easier than it looks.
Reckerr said:
I would like it in layman terms...
And how to do it on Windows. This seems like confusion for me. I have no idea where to start.
Appreciate it. Will attempt Saturday after a read through.
Works on Windows...
tuanda82 said:
Thanks. But your upHDX script is for Linux users only. I am on Windows.
If you have time could you upload your xxxx_14.4.5.3_xxxx.zip? Thanks
Actually, I tested upHDX in Windows using Cygwin.
I had to select zip and unzip in the Archive group and python in the Python group
in the installer to get all the dependencies in place, and the only issue I faced was a few filename collisions
in the /system/media/audio/ringtones folder (case-sensitivity problem).
Code:
> diff -ru cygwin/ linux/
Only in linux/system/media/audio/ringtones: ANDROMEDA.ogg
Only in linux/system/media/audio/ringtones: CANISMAJOR.ogg
Only in linux/system/media/audio/ringtones: Hydra.ogg
Only in linux/system/media/audio/ringtones: PERSEUS.ogg
Only in linux/system/media/audio/ringtones: URSAMINOR.ogg
These could just be copied from the original update-*.bin after installation.
Reckerr said:
I would like it in layman terms...
And how to do it on Windows. This seems like confusion for me. I have no idea where to start.
If you could spell out what you mean by 'it', I might be able to help.
yujikaido79 said:
I did it all in windows 8.1 64 bit edition.
With help from this post:
http://forum.xda-developers.com/showpost.php?p=58897784&postcount=67
get Python 2.7 for windows and install it >>https://www.python.org/download/releases/2.7/
btw I installed the 64 bit edition for both
get GMPY2 for Python 2.7 https://code.google.com/p/gmpy/downloads/list
Follow the post for step by step. I encountered some trouble with fast boot driver, I had to remove the driver and install a generic one I selected from windows then I manually installed it. Ran the fast boot command to unlock and I was unlocked. a lot easier than it looks.
Of course, if you want to make it more difficult for yourself,
you can use the older version of my tool as well.
The new one is not limited to Python 2.7, but works on both current Python versions;
and does NOT require GMPY2.
Also, if you are looking to unlock your bootloader, the 'cublock.py' script is your friend.
You just pass in the manfid and serial (separately; no need to fuse them).
Whether you choose to install Python standalone or as part of Cygwin is up to you.
The latter also includes 'bash' and lets you convert the Amazon update to a TWRP-friendly ZIP.
draxie said:
Of course, if you want to make it more difficult for yourself, you can use the older version of my tool as well.
The new one is not limited to Python 2.7, but works on both current Python versions; and does NOT require GMPY2.
Also, if you are looking to unlock your bootloader, the 'unlock.py' script is your friend.
You just pass in the manfid and serial (separately; no need to fuse them).
Whether you choose to install Python standalone or as part of Cygwin is up to you.
The latter also includes 'bash' and lets you convert the Amazon update to a TWRP-friendly ZIP.
I have Windows 7 and Nexus 2.0.5 with bootloader from http://forum.xda-developers.com/kin...p-flashable-3-2-3-bootloader-upgrade-t3025504 installed Python 2.7 and the adb and fastboot and driver package from post 1
Using
adb shell
cat /sys/block/mmcblk0/device/manfid
cat /sys/block/mmcblk0/device/serial
And unlock.py and then
adb reboot-bootloader
And
Fastboot -i 0x1949 devices
fastboot -i 0x1949 flash unlock <unlock file>
fastboot -i 0x1949 reboot
It was very easy, I only had some driver problems in fastboot mode
Uphdx don't work on debian 7
Bruder Torgen said:
I have Windows 7 and Nexus 2.0.5 with bootloader from http://forum.xda-developers.com/kin...p-flashable-3-2-3-bootloader-upgrade-t3025504 installed Python 2.7 and the adb and fastboot and driver package from post 1
Using
adb shell
cat /sys/block/mmcblk0/device/manfid
cat /sys/block/mmcblk0/device/serial
And unlock.py and then
adb reboot-bootloader
And
Fastboot -i 0x1949 devices
fastboot -i 0x1949 flash unlock <unlock file>
fastboot -i 0x1949 reboot
It was very easy, I only had some driver problems in fastboot mode
FYI - followed this process on an identical environment with identical results. Struggled a bit more with Windows drivers; if you're having trouble this might help (posts 8-10).
im running this version 13.3.0.2 and im a newbe with kindle what should I do
benyo8990 said:
im running this version 13.3.0.2 and im a newbe with kindle what should I do
Welcome to the HDX forums. How to proceed depends on what you want to accomplish. Read through the various threads to see what is available and the effort required. If your goal is to root and/or install custom roms you MUST disconnect from WiFi as Amazon will attempt to upgrade your tablet to the latest Fire OS. Should that happen your options will be severely limited.
Two words of caution:
1) Kindles are not like other devices. Tough to tame and easy to brick. If you approach modding with a casual attitude you'll probably end up with a non-recoverable brick. READ, READ, READ before doing anything. Ask questions when you are ready.
2) There are no tidy fail-safe tutorials for the HDX. There is work and risk involved. You have to do your homework first. No one is going to hold your hand (sorry for the lecture - just trying to set expectations early).
More info please!
dpeddi said:
Uphdx don't work on debian 7
Given that it worked for me even in Cygwin on Windows 7, this sounds odd.
Nevertheless, I'd appreciate more info on how it fails (and which flavor of Debian 7
you are using; so, that I have a chance to reproduce your issue).
UPDATE: Nevermind. I fired up a VM with Debian 7.8.0-amd64-standard,
and found out for myself. Apparently, 'df' in 'coreutils 8.13' used here
doesn't support the '--output' option; AND, python 2.7.3 is more strict
about the input types to 'unpack'. I fixed these and the script worked.
I'll post the new version in a second.
DF --optional not supported, $m seems to not be set
Thank you for posting this awesome tool. I am running 13.4.5.2 with a twrp recovery and the most recent available (without breaking twrp) kernel.
My question is, if worst case scenario happens and I try to use cygwin to upHDX, it does not work, but I think it did, and I install a partially working update, am I bricked? Or, will it just write over my kernel and recovery with no hope of going back. As I type this, I am thinking the answer is, both are possible, but thought I would ask before breaking things.
Sent from my KFTHWI using Tapatalk
[Edit] If you know what you are doing, this script is very helpful. I especially enjoy how it explains everything it does as it does it. So, you can see the files it changes. I used cygwin and it worked perfectly. If you understand the Unix command tools, it is a piece of cake. I do not mean to belittle the risk involved, it is significant, however, if you read what is happening, and know this worked, and can be assured there is no issue with your recovery, you can still roll back if something goes wrong. Do not take this comment as minimal risk, the risk is substantial, and you need to wipe to go back. One of my devices did not take the update well (My fault), and, I had to go back. These devices do not handle wipes well. So, the moral of the story.
-This is an excellent and versatile tool,
-There is significant risk
-If you do your research, follow directions, and meet the requirements, you can get success. Have your cake and eat it too on your terms!!
-With this tool, I have the most recent update, root, and twrp (Amazon apps work too).
Thanks again for the tools.
[/Edit]
lekofraggle said:
My question is, if worst case scenario happens and I try to use cygwin to upHDX, it does not work, but I think it did, and I install a partially working update, am I bricked? Or, will it just write over my kernel and recovery with no hope of going back. As I type this, I am thinking the answer is, both are possible, but thought I would ask before breaking things.
I saw you managed fine, but just in case anybody else wonders,
the script will bail at the first sign of error and you'll know it.
Of course, this won't guarantee that things cannot go wrong,
but minimizes the chances that they go unnoticed.
NOTE, HOWEVER that:
This has only been tested on 4.5.2 and 4.5.3; and, I would strongly recommend against blindly running it on newer releases (as the pattern matching that's being relied upon for what to throw away --including the anti-rollback fuse stuff-- might easily get broken with relatively minor changes).
A good sanity check is to unzip both the original update and the newly created "sanitized" version, and compare them (e.g. via a recursive diff) to doublecheck if the changes are sensible.