Better Mobile App

[WIP] Open source RTL support for Android

I am working on an open source RTL support for Android and I need help testing...
I have attached a normal app (that should work on any Android 1.5 and up) that runs my method before calling drawText.
The purpose is to make drawText call to it so it will support BiDi.
It reads a file called /sdcard/test.txt from which it gets the test string.
It does not support newlines.
Try it and tell me what you think.
The reason I don't publish the source yet is because knowing how it works would prevent it from being tested properly.
I hope I'm putting this in the right forum...

Hebrew Supported...
Is it also, support the font for Hebrew?
Because in ver 2.1, the have Hebrew but sometimes you see square or ? signs.

TheAgent1982 said:
Is it also, support the font for Hebrew?
Because in ver 2.1, the have Hebrew but sometimes you see square or ? signs.
Click to expand...
Click to collapse
The fonts exist, there's no work necessary on them, you have to push them to the device and that's it...

biditest with Android 2.2 FroYo (FRF50) Arabic test.txt
I tested with Android 2.2 FroYo (FRF50)
without /sdcard/test.txt and with my own text
I don't know about the Hebrew, the Arabic text are not joined (re-shaped) correctly

dudyk said:
The fonts exist, there's no work necessary on them, you have to push them to the device and that's it...
Click to expand...
Click to collapse
I have TP2 running Android 2.1 .
So, any idea how to do it?

Thanks for writing an open source BiDi support.
I did a very short test:
1. It did not render the whole line of text.
2. It looks like it has problems when switching from one language to another. E.g. the closing bracket after the hebrew word is rendered as open.
I attached the original text files and screen shots.
In addition I attache a screen shot of TxtPad Light and how it is rendered there.
TheAgent1982 said:
Is it also, support the font for Hebrew?
Because in ver 2.1, the have Hebrew but sometimes you see square or ? signs.
Click to expand...
Click to collapse
This might be a problem of character encoding.
I did a test with a UTF-8 file and a Hebrew ISO 8859-8. The first rendered the letters correct but the second showed only question marks. (See picture)
As alternative keyboard I recommend using either AnySoftKeyboard or SmartKeyboard.

It is in CM-5.0.8, with a fix on the issue list.

Dear Dudy,
Will your fix work for 2.1 as well? Can you give directions how to apply it to other ROMs? I own an HTC Desire, and would love to implement the fix. So far I just have the common StaticLayout fix.
Thanks,
Ron
EDIT: More specifically, it would be great if you can tell us which files to take from the CM update with the help of baksmali and smali in order to graft them into other distros. That's the way I implanted StaticLayout.smali in MoDaCo roms.

CM 5.0.8 is 2.1. It should apply to any 2.1/2.2 rom, just take my 4 commits from CM's git from framework base repository.

dudyk said:
CM 5.0.8 is 2.1. It should apply to any 2.1/2.2 rom, just take my 4 commits from CM's git from framework base repository.
Click to expand...
Click to collapse
Thanks for the reply, Dudy. I'll be more specific about what I am trying to do: I am trying to pull the files with your patches from the CM-5.0.8 ROM without compiling anything.
With the StaticLayout fix, I used baksmali and smali to disassemble the classes.dex from framework.jar and replace StaticLayout.smali. This worked.
When I look at the page github.com/dudyk/android_frameworks_base/commit/1b0aca31c3e03a5a323276cd15a8df4203a1792c - the one with your commits (is that the right one?) I cannot figure out all the files that I would need to replace. Sorry, I am not a programmer...
I can pretty much figure out that all the files preceeded by core/java/android/ will be found with their exact names in the classes.dex from framework.jar. But I have no idea where to locate the compiled files that resulted from AndroidGraphics2D, the three Canvas files and the ResourceTypes.
If you can point me at the right direction I'll be able to convert a script that was used for the StaticLayout fix so that anyone with a Mac or Linux would be able to easily implement your fix to any none-odexed distro.
Thanks so much in advance!

you didn't add U+0600 support in your Canvas.java @ cyanogen's git

PapaDocta said:
you didn't add U+0600 support in your Canvas.java @ cyanogen's git
Click to expand...
Click to collapse
Why do you say that? I tested for U0590 to U07B1, isn't that enough?

my bad.. i don't know how i overlooked the U07B1.... it's more than enough

Dear Dudy, I really need your help.
Back in the old days (a month ago), before your wonderful work, the best fix we had was Omri Baumer's StaticLayout fix. I was able to use the baksmali and the smali utilities to extract the smali file from framework.jar of CM, and graft it into ANY phone. Another user on the iAndroid forums created a script that automated everything.
I wanted to do the same with your fix. So I compiled a vanilla 2.1 and then applied only your patches, manually, and recompiled. I used baksmali to disassemble all the framework files, and discovered that the changed files were:
android/graphics/Canvas.smali
android/graphics/Canvas$EdgeType.smali
android/graphics/Canvas$VertexMode.smali
android/text/Layout.smali
android/text/SpannableStringBuilder.smali
android/text/Styled.smali
android/widget/TextView$CharWrapper.smali
The two additional Canvas files were tagged as changed, but no textual difference is evident. So altogether we are talking about 5 files that ideally would be easily grafted into ANY device running 2.1, without recompilation.
The problem was that the new Canvas.smali file caused boot loops on my HTC Desire. Logcat caught this:
Code:
D/AndroidRuntime( 103): --- registering native functions ---
W/dalvikvm( 103): Unable to register: not native: Landroid/graphics/Canvas;.drawText (Ljava/lang/String;FFLandroid/graphics/Paint;)V
E/JNIHelp ( 103): RegisterNatives failed for 'android/graphics/Canvas'
E/AndroidRuntime( 103): Unable to register all android natives
This did NOT happen when I tried the vanilla Canvas.smali. So it must be something in your patches. If you can help me figure out how to fix this, your fix will be easily implemented into any un-odexed 2.1 device. The script is all reworked and ready... Just this problem needs ironing out.
Thanks so much - for your wonderful work, and for taking the time to read this.
Ron

ClassicalDude said:
I wanted to do the same with your fix. So I compiled a vanilla 2.1 and then applied only your patches, manually, and recompiled. I used baksmali to disassemble all the framework files, and discovered that the changed files were:
android/graphics/Canvas.smali
android/graphics/Canvas$EdgeType.smali
android/graphics/Canvas$VertexMode.smali
android/text/Layout.smali
android/text/SpannableStringBuilder.smali
android/text/Styled.smali
android/widget/TextView$CharWrapper.smali
The two additional Canvas files were tagged as changed, but no textual difference is evident. So altogether we are talking about 5 files that ideally would be easily grafted into ANY device running 2.1, without recompilation.
The problem was that the new Canvas.smali file caused boot loops on my HTC Desire. Logcat caught this:
Code:
D/AndroidRuntime( 103): --- registering native functions ---
W/dalvikvm( 103): Unable to register: not native: Landroid/graphics/Canvas;.drawText (Ljava/lang/String;FFLandroid/graphics/Paint;)V
E/JNIHelp ( 103): RegisterNatives failed for 'android/graphics/Canvas'
E/AndroidRuntime( 103): Unable to register all android natives
This did NOT happen when I tried the vanilla Canvas.smali. So it must be something in your patches. If you can help me figure out how to fix this, your fix will be easily implemented into any un-odexed 2.1 device. The script is all reworked and ready... Just this problem needs ironing out.
Thanks so much - for your wonderful work, and for taking the time to read this.
Ron
Click to expand...
Click to collapse
My changes add a native method (a C++ one) to the sources, from what I know, it is in the dex file, but maybe smali's files do not extract it, or extract it differently.
I never tried to disassemble files in android and reassemble them, so I have no idea how to help you besides describing the changes to you.
P.S.
Do you think that HebVillian is using my fix this way? I believe that I'm the first to fix this for ROMs above 2.0 (BTW, it's in the froyo branch of CM as well).

I don't know about HebVillain. The maker of the rom was made aware of the way I patched StaticLayout, so it may well be. Perhaps he also read your thread and applied the actual patches...
I noticed that in one of your commits:
http://github.com/dudyk/android_fra...0aca31c3e03a5a323276cd15a8df4203a1792c#diff-5
You added "native" to drawText. It is exactly the function in that line that is throwing the error on boot - about not being native. I tried recompiling with that particular change reversed, but it did not make a difference. Can you investigate the matter? Perhaps the way the Nexus 1 boots is different than that of other devices, and the checks are not as strict. If this is indeed a code problem, perhaps it needs to be addressed for the patch to be viable for other devices.
Take everything I say with a grain of salt - I am no programmer. Just following what I read and understand.

I have no idea if this helps, but googling the words
android registernatives
results in quite a few technical posts complaining about similar problems...

I am sorry for being a nag. But I hope I am getting closer to the source of the problem.
The Android emulator was able to boot up just fine with the patches applied. The logcat stated at the beginning of the runtime:
Code:
D/AndroidRuntime( 29): >>>>>>>>>>>>>> AndroidRuntime START <<<<<<<<<<<<<<
D/AndroidRuntime( 29): CheckJNI is ON
I/ ( 30): ServiceManager: 0xad08
D/AudioHardwareInterface( 30): setMode(NORMAL)
I/CameraService( 30): CameraService started: pid=30
The very same smali files, when applied to the HTC Desire's framework, generated the native error I quoted before. But logcat shows that the beginning of its runtime is indeed different:
Code:
D/AndroidRuntime( 197): >>>>>>>>>>>>>> AndroidRuntime START <<<<<<<<<<<<<<
D/AndroidRuntime( 197): CheckJNI is OFF
D/dalvikvm( 197): Precise GC configured ON
D/dalvikvm( 197): creating instr width table
I/dalvikvm( 197): mlock: /data/dalvik-cache/[email protected]@[email protected], fd=7
So - how do we make the Desire, or any other device, turn on CheckJNI and turn off precise GC?
EDIT: In one of CM's change logs it was written that Precise GC was turned off because of its memory consumption. I am just assuming that this is indeed the cause for my problems. How can we check it?

CheckJNI and Precise GC don't matter.
Repatched and recompiled 2.2 source. The emulator runs beautifully with or without JNI checks. My HTC desire, with a 2.2 rom, still complains about the same function not being native.
The port dudyk did to Omri Baumer's patch works partially - the numbers are not reversed, but the whole line is aligned to the left (with hebrew text appearing to the left of the number, instead of the right).
I have no idea what else to do or to check.

i tried the latest cm6 nightly build and still it won't align Arabic RTL correctly.. it aligns it as LTR and there no reshaping as well....

[INFO] Progress of Bootloader cracking!

Originally posted by blagus.
To start and organize X8 bootloader bypassing, and to leave X10 developers to focus entirely on X10 cracking, I've made this thread to keep track of progress and for developers to share info.
What has to be done:
Compile splboot as kernel module - addresses have to be modified for X8 - work in progress
Compile miniloader for MSM7227 - hopefully done by nobodyAtall
Make boot.img with zImage and ramdisk for X8 - work in progress
Developers (alphabetical):
Asdoos - splboot and miniloader
Bin4ry - side help and tips
Blagus - boot.img mostly
Chumby_666 - mood-lifter in IRC and tools provider
nobodyAtall - splboot.ko - miniloader
Progress (sorted by time):
splboot.ko - compiled by nobodyAtall - needs tweaking
miniloader - compiled by nobodyAtall - unknown does it need further modifications or not
boot.img - work in progress
Experiments:
# insmod splboot.ko
Loads without errors.
insmod splboot - OK
cat miniloader - OK
cat boot.img from X10 - few high-ASCII characters appear, plus "Invalid length", phone freezes, adb shell freezes, phone reboots after ~30 seconds
If nothing, at least a proof that something was tried to load into memory, and invalid length caused freeze - meaning that splboot was most probably compiled and loaded correctly.
After further tests, looks like something's wrong in splboot - probably allocated memory is too small
How to boot:
Get splboot.ko, miniloader, boot.img and run.sh
Push splboot to /system/lib/modules, rest to /system/kernel (mkdir /system/kernel).
execute this from adb: # sh /system/kernel/run.sh
Best regards

Originally posted by blagus.
Important: AS SUGGESTED BY DEVELOPERS, PLEASE USE STOCK 2.1.1.A.0.6. FLASH IT WITH FlashTool, GET FILES FROM MY Mediafire FOLDER.
All files (splboot, miniloader, boot.img, etc.) will be uploaded to this Mediafire folder.
If you compiled something and want to share it, attach it here and I'll upload it to Mediafire to have everything in one place.
cat /proc/iomem with addresses needed to modify splboot and miniloader - X8:
Code:
$ cat /proc/iomem
00200000-0d8fffff : System RAM
0022b000-006e3fff : Kernel text
006e4000-00813733 : Kernel data
02900000-02afffff : kgsl_phys_memory
0d200000-0d8fffff : Crash kernel
0d9e0000-0d9fffff : ram_console
a0000000-a001ffff : kgsl_reg_memory
a0000000-a001ffff : kgsl
a0200000-a0200fff : msm_serial_hs.0
a0400000-a0400fff : msm_sdcc.1
a0500000-a0500fff : TIWLAN_SDIO.2
a0800000-a08003ff : msm_hsusb
a0800000-a08003ff : msm_hsusb_periphera
a0800000-a08003ff : msm_hsusb_host.0
a0800000-a08003ff : msm_hsusb_otg
a0800000-a08003ff : msm_otg
a0a00000-a0a007ff : msm_nand_phys
a9900000-a9900fff : msm_i2c.0
a9900000-a9900fff : msm_i2c
a9c00000-a9c00fff : msm_serial.2
a9c00000-a9c00fff : msm_serial
aa200000-aa2effff : mdp
aa300000-aa300fff : tssc
aa600000-aa600fff : pmdh
Run cat /proc/mtd to find addresses needed to make boot.img. Different for X10, X8, X10 Mini (Pro).
How to make boot.img:
Download build_bootimg.zip, extract. If you're on Linux, run makeit.sh, if on Windows, run makeit.bat
Don't forget that mkbootimg's cmdline needs tweaking. Read README.txt included to find out more.
Also, to make ramdisk, place files in ramdisk-folder and execute following:
Code:
mkbootfs ./ramdisk-folder > ramdisk
This will give you cpio ramdisk archive. gzip it and you're done. Name it ramdisk.gz.
If you like my post, thank me!

Excuse me if it sounds lame
but what is splboot.ko all about
i understand its a kernel module but what is its usage...

To be honest, I don't really know how you guys do it but what I do know is that what you guys do it so awesome!! THANK YOU TO EVERY LAST ONE OF THE DEV TEAM for all the countless time and quality effort that you put into the work you give to us stupid people that can't even program a TV properly!!

x10 mini is my 2nd phone with locked bootloader and my first phone is milestone with locked botoader now hoping for the best that these devs will break the bootloader

is bootloader encrypted. if so is there any any knowledge of the algorithm used. or is the password available in sony ericsson software update or update package. will brute force attack work. if so how to get access to kernel.

Is there some news?

Castore said:
Is there some news?
Click to expand...
Click to collapse
Nah none for now, but Blagus is working really hard!

good to see the progress.
i always thought its not possible to crack the bootloader but it seems like you are going to do it

Wussiwuh said:
good to see the progress.
i always thought its not possible to crack the bootloader but it seems like you are going to do it
Click to expand...
Click to collapse
Technically they aren't trying to crack the bootloader, but bypassing it.
Sent from my X10mini using XDA App

thanks for the post. NIce to see develoment from the front row. 1 class

the_laser said:
Greetings.
warning.
if you are not developer, please quit reading that post.
wait for user friendly tool with one big button.
here ( View attachment 712577 ) is toolset to permanently "unlock" semcboot of msm7227 semc phones.
that means, you can use own kernel and so on.
steps,precautions, etc.
unpack archive to any directory.
if you using eset antivirus or similar ****, it will find evil virus in adb.exe.
ignore that, it is not virus in any way, it is standard android debug bridge, bundled in one file to save space and usability.
now, if your phone unlocked officially:
flash phone with standard 2.0,2.1 android firmware,because kernel mapper module compiled for "2.6.29" kernel.
of course, enable "usb debugging"
run msm7227_semc.cmd,
( if you want, examine it before run, it is pretty straightforward. )
you will get similar output
Code:
process requires standard 2.x android firmware.
Press any key to continue . . .
Getting ROOT rights.
1743 KB/s (585731 bytes in 0.328s)
error: protocol fault (no status)
Waiting ...
Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights.
192 KB/s (3087 bytes in 0.015s)
success
Waiting ...
Getting ROOT rights.
Waiting ...
Writing patched semcboot. Two step process
First, we need get access to semcboot area
504 KB/s (8064 bytes in 0.015s)
Second, we need to write semcboot ;)
1130 KB/s (596916 bytes in 0.515s)
successfully wrote 0003ff00
Press any key to continue . . .
bingo, your phone now has unlocked bootloader.
if your phone unlocked by setool2 software, use msm7227_setool2.cmd
if your phone unlocked by 3rd-party software other than setool2, do not run anything -
it will disable radio capability of your phone and you will need to unlock phone by setool2 software.
hopefully, mizerable flea and mOxImKo will release something similar for your phone.
okay, now about other details.
1.
unlocked bootloader require unlocked loader, yep ?
loader\loader.sin is special unlocked loader, which will be accepted ONLY after your "unlock" semcboot with previous steps.
to distinguish unlocked semcboot and original semcboot, first letter in version tag of semcboot output will be lower case, i. e. "r8A029"
( same applies for loader version tag )
so, all that stuff with signatures are not for us, so i removed them - loader will ignore signature part of SIN file.
2.
we should make SIN file somehow, right ?
for that i prepared "dumb" bin2sin utility.
[input] - is input binary file.
[partition info]
android implementation on s1 semc qualcomm phones based on partitions,so we MUST define it for our file.
you can get required partition info from standard semc sin files, it is first 0x10 bytes of DATA, right after header, i.e.
[type] - partition type, 9 - partition without spare, 0xA - partition with spare.
kernel partition is partition without spare.
if that parameter omitted, type = 9
[block size] - nand block size, if omitted, it is standard size 0x20000
there is example in sinTools\example_build.cmd
3.
kernel should be prepared specially to be accepted by semcboot.
for that there is tool bin2elf.
we need 2 segments:
segment 1 is unpacked linux kernel image, i.e.
( e10/kernel/arch/arm/boot/Image )
it looks like entrypoint and load address for segment 1 is always same for all msm7227-based semc phone, it is 0x00208000
attributes for image 0x0
segment 2 is ramdisk.
it looks like entrypoint and load address for segment 1 is always same for all msm7227-based semc phone, it is 0x01000000
set attributes for ramdisk 0x80000000, that is extremly important.
there is simple kernel example in sinTools\example_build.cmd
ps.
@blagus:
NAND MPU disabler has only one relation to rFoNe - he took it from setool2, together with entire idea for msm7227 bypass.
your 6-wings friend with many nicks done exactly same.
NAND MPU has nothing to do with memory firewall, so it will not help with kexec things, however, who will care now.
Click to expand...
Click to collapse
I was on x8 forums and i found this!!! It looks very interesting!!!

Can someone explain me what is it good for?
Sorry for my bad english

ChavitoArg said:
Can someone explain me what is it good for?
Sorry for my bad english
Click to expand...
Click to collapse
It allows you to boot custom linux kernels.

DustArma said:
It allows you to boot custom linux kernels.
Click to expand...
Click to collapse
I just made the_laser ¨tuto¨
successfully wrote 0003ff00, i succesfully unlock my bootloader? Is there any way to confirm that? i have to do somethin else?
Sorry for the questions and for my bad english.

ChavitoArg said:
I just made the_laser ¨tuto¨
successfully wrote 0003ff00, i succesfully unlock my bootloader? Is there any way to confirm that? i have to do somethin else?
Sorry for the questions and for my bad english.
Click to expand...
Click to collapse
probably. try flashing dKernel to find out for sure.

Work on FOTA starts for AndroBada525......your help required

http://theteamk.x10.mx/index.php?topic=153.0
The Team K Developers have started the work on fota to end the prolonged wait of android on wave 525.developers r requested to please post some codings so that the project can be completed soon.please keep dis thread development focussed and clean.
After a lot of research the forum users have found the brcm2133.elf and wave 525 fota which can be decoded using IDA PRO DISASSEMBLER.
Anyone who can help can come forward and help
Thanks

I HAVE FOUND BCM21331.elf IN SAMSUNG CORBY s3653w FIRMWARE FILE. THERE IS ALSO WEBKIT.elf. DOWNLOAD IT FROM HERE(it is contained in firmware):
Click to expand...
Click to collapse
Please.
Need BCM21331.elf for study...
Where to download?
You can write PM. :angel:
Thanx in advance.
Best Regards

adfree said:
Please.
Need BCM21331.elf for study...
Where to download?
You can write PM. :angel:
Thanx in advance.
Best Regards
Click to expand...
Click to collapse
http://mediafire.com/?uxhiu82ffwcrvue
u can download brcm21331 from the above link.it is present in the SAMSUNG CORBY s3653w FIRMWARE FILE
Thanks

It seems BCM21331.elf of S3653WDXJG2 is apps_compressed.bin... not Bootfiles...
http://forum.xda-developers.com/showthread.php?t=1325713
Code:
ELF_MAP
BCM21331.csi 9 MB
BCM21331.elf 327 MB
BCM21331.map 125 MB
BCM21331.sym 41 KB
WEBKIT.elf 167 MB
Seen from S3850... but no valid Downloadlink...
Best Regards

reply
adfree said:
It seems BCM21331.elf of S3653WDXJG2 is apps_compressed.bin... not Bootfiles...
http://forum.xda-developers.com/showthread.php?t=1325713
Code:
ELF_MAP
BCM21331.csi 9 MB
BCM21331.elf 327 MB
BCM21331.map 125 MB
BCM21331.sym 41 KB
WEBKIT.elf 167 MB
Seen from S3850... but no valid Downloadlink...
Best Regards
Click to expand...
Click to collapse
i didnt understand
did mediafire say that the download link was not valid
anyway i will upload the elf file today( i have downloaded it )
i dont think that the elf file is apps compressed.bin
u can check it out yourself after i upload the file
Thanks

request
i also request the moderators and administrators to make this thread sticky
Thanks

anyway i will upload the elf file today( i have downloaded it )
Click to expand...
Click to collapse
NO. Thank you.
I have this file. :angel:
But this is apps_compressed.bin... NOT Bootloader and it is only 1 file of 3 or 4 files...
Missing, because maybe helpfull...
Code:
BCM21331.csi
BCM21331.map
BCM21331.sym
So it is maybe less helpfull to find correct ""FOTA values"" to make such output + more...
http://forum.xda-developers.com/showthread.php?t=1496729
Best Regards

i am not really well versed with the coding
do u need BCM21331.csi
BCM21331.map
BCM21331.sym files ?
Thanks

anyway here is the brcm21331.elf for all other devs
http://d-h.st/VMs
Thanks

devs please help and contribute to this thread
i am using ida pro to decode the brcm21331.elf but need help on how to use this software
Thanks

Again...
Check this Thread...
http://forum.xda-developers.com/showthread.php?t=1496729
From S8500...
Code:
#include "BL3.h"
unsigned long c_[B]MemMMUCacheEnable[/B][] = { [COLOR="Red"]0xaab9f874,[/COLOR] 0 };
unsigned long c_[B]disp_FOTA_Init[/B][] = { [COLOR="Red"]0xbfab9174[/COLOR], 0 };
unsigned long c_[B]disp_FOTA_Printf[/B][] = { [COLOR="Red"]0xb69c410b[/COLOR], 0 };
unsigned long c_[B]OemSysGetSystemInfo[/B][] = { [COLOR="Red"]0xc3ac31a5[/COLOR], 0 };
unsigned long *fun_crc[i_endMarker] = {c_MemMMUCacheEnable,
c_disp_FOTA_Init,
c_disp_FOTA_Printf,
c_OemSysGetSystemInfo
};
This is what you need to find... MINIMUM.
This what we can find in BL3_univ.elf + BL3_univ.map
These files are from BOOTLOADER...
BCM21331.elf is ELF file of apps_compressed.bin...
You can NOT find this text in BCM21331.elf
Code:
MemMMUCacheEnable
disp_FOTA_Init
disp_FOTA_Printf
OemSysGetSystemInfo
So I am pretty sure... 51 % that BCM21331.elf is WRONG file to find correct values...
Anyway. With study of BCM21331.elf maybe someone can better understand how SHP/MOCHA Security etc. work...
Good luck.
Best Regards

adfree said:
Again...
Check this Thread...
http://forum.xda-developers.com/showthread.php?t=1496729
From S8500...
Code:
#include "BL3.h"
unsigned long c_[B]MemMMUCacheEnable[/B][] = { [COLOR="Red"]0xaab9f874,[/COLOR] 0 };
unsigned long c_[B]disp_FOTA_Init[/B][] = { [COLOR="Red"]0xbfab9174[/COLOR], 0 };
unsigned long c_[B]disp_FOTA_Printf[/B][] = { [COLOR="Red"]0xb69c410b[/COLOR], 0 };
unsigned long c_[B]OemSysGetSystemInfo[/B][] = { [COLOR="Red"]0xc3ac31a5[/COLOR], 0 };
unsigned long *fun_crc[i_endMarker] = {c_MemMMUCacheEnable,
c_disp_FOTA_Init,
c_disp_FOTA_Printf,
c_OemSysGetSystemInfo
};
This is what you need to find... MINIMUM.
This what we can find in BL3_univ.elf + BL3_univ.map
These files are from BOOTLOADER...
BCM21331.elf is ELF file of apps_compressed.bin...
You can NOT find this text in BCM21331.elf
Code:
MemMMUCacheEnable
disp_FOTA_Init
disp_FOTA_Printf
OemSysGetSystemInfo
So I am pretty sure... 51 % that BCM21331.elf is WRONG file to find correct values...
Anyway. With study of BCM21331.elf maybe someone can better understand how SHP/MOCHA Security etc. work...
Good luck.
Best Regards
Click to expand...
Click to collapse
Thanks for the clarification.
In the FOTA editing,are you guys using asm coding language ?
What minimum do i need to find?
Thanks

This whole thread and idea is wrong at this moment. FOTA exploit has been confirmed to work only for bootloaders of S8500 and S8530. There is no clue if there's such security flaw present in 525 - ergo, you should start with looking for security hole, and then writing exploit to utilise it instead of writing exploit without even knowing if there's anything to exploit literally.

FOTA exploit has been confirmed to work only for bootloaders of S8500 and S8530. There is no clue if there's such security flaw present in 525 - ergo, you should start with looking for security hole...
Click to expand...
Click to collapse
We all know it was looooooong way between first text output and later magic things with FOTA for S8500 and S8530... like zImage start for Android and so on...
http://forum.xda-developers.com/showthread.php?t=1020444
Short look into GT-S5250_Training_Manual_SW.ppt
1.
FOTA file used...
Code:
bplib_S5250OpenEuropeSlav.fota
Chance "high" to generate text ouput. :angel:
1.1
Broadcom Mobile Trace Terminal
Click to expand...
Click to collapse
Not found yet... maybe same like WinComm...
2.
Btw...
_uart_bootloader
Code:
boot1a.img
boot1b.img
boot2.img
onenandboot_4k.img
What is this? Found in
Code:
S5250XEJI4.rar
S5250XEJI6.rar
I have NO Broadcom devices for tests... also NOT in future...
Find your own solution, with your own way...
Best Regards
P.S.:
If way found for zImage start... you need your own/new Broadcom team...
Sorry.

Thank you everyone for any input you are giving
Rebellos thank u very much that fact was an eye opner
I will be really grateful to u guys if you can tell me on how u guys came to know the security loophole.Any kind of help is greatly acknowleged.Again I would like to thank adsfree and rebellos for their contributions to this thread and the facts

I've made a 20 minutes exercise - I downloaded bootfiles from S5250 (S5250XXJK2) and disassembled boot2.img using a guess that the bootloader is loaded at 83E00000. Easily found FOTA code similar to S8500. The binary is loaded from flash address 07E00000 to RAM 85200000 and executed there if the BPDZ marker is available (apps and fota file is checked as well), just as in S8500. The difference is switch arm32 and thumb mode.
In the attachment I've provide a sample fota file along with asm sources. That's all I can help. There's so much more things to be handled since this moment, but it's your job if you are to be capable of continuing any porting project. Please be aware that this is a hopeless task and you do it for fun and exploring. A finished port is not likely to be ever achieved unless you have a device with exactly same board (not only microcontroller, but display, radio, camera, wifi, sensors, etc) as another android device.

canu guys tell me how u decoded boot2.img
i mean using which software and how did u get the code
please help
Thanks

Maybe you could try what mijoma attached...
S5250_src.zip
Especially this file:
S5250_fota_base.fota
Feedback help if it work or not...
Best Regards

u did not understand what i said
i asked how u decoded boot2.img and using which software and how did you get the code

u did not understand what i said
Click to expand...
Click to collapse
Few answers are given...
Now mijoma offered FIRST solution for testing...
S5250_fota_base.fota
Now waiting for someones test feedback...
mijoma has NO broadcom device for testing...
Me too...
So you or other S5250 users...
I have also asked in German Thread...
http://www.handy-faq.de/forum/samsu...sion_download_freigegeben-11.html#post2541317
I can also not seen here in your Thread test result...
http://androbada525.hj.cx/index.php/topic,153.15.html
Best Regards

Make Android flashable without SD card

I am not sure, it is technically possible...
But at the moment, all ROMs need SD card for installation and usage...
But I think, we can make it also possible to use our Waves without SD...
Maybe we can modify waves, that Odin or Flash tool can hanlde our Waves...
Let's collect some thoughts...!

For Odin you need change Bootloader...
If you don't know what Bootloader is... check this out:
http://forum.xda-developers.com/showthread.php?t=897468
SBL from I9000 for instance... (but then other problems or more problems)
I have tested few SBL with Odin and S8500... long time ago...
But you need JTAG or this:
http://forum.xda-developers.com/showthread.php?t=1250270
NOT support nor finished solution... only "concept"...
WARNING! You can Hardbrick your S8500...
Same warning for S8530...
About ""Flash tool""...
If FOTA would support read from 512 MB OneNAND... you could copy zImage + ROM to this memory instead 2 GB moviNAND...
With Multiloader... and WaveRemaker created files...
And don't forget since bada 2... Samsung kastrierte moviNAND to same size...
but S8500 have more memory as S8530...
If I remember correct... 90 MB unused in S8500...
Unsere Boo.L Experten sind alle... gelangweilt... haben "wichtigeres" zu tun...
Somit wird es auch extrem schwer... FOTA neue Kunststücke beizubringen...
Weil dazu mußt Du den Bootloader BL3 halbwegs begriffen haben...
Siehe das:
http://forum.xda-developers.com/samsung-tizen/bada-android/fboot-fota-noob-edition-t2821156
Best Regards
Edit 1.
Here ""evidence""/example for Odin with S8500:
http://forum.xda-developers.com/showpost.php?p=44993772&postcount=49
Somewhere else I have tested more SBLs from different Android handsets with similar CPU...

adfree said:
About ""Flash tool""...
If FOTA would support read from 512 MB OneNAND... you could copy zImage + ROM to this memory instead 2 GB moviNAND...
With Multiloader... and WaveRemaker created files...
Click to expand...
Click to collapse
Could you please explain step by step how to prepare this file for multiloader with zImage(boot.img) inside?
Rebellos, many time ago said that it possible to read RAW(binary) file from OneNAND via FOTA

Could you please explain step by step how to prepare this file for multiloader with zImage(boot.img) inside?
Click to expand...
Click to collapse
Also long time ago.
Will try to find my old posts.
For S8500/S8530 it should be easy to use .PFS file... made via WaveRemaker...
But PFS writes into 2 GB moviNAND not 512 MB OneNAND...
For OneNAND we could add zImage to RC1 or RC2 or replace instead...
Need to check reserved space for partitions...
http://forum.xda-developers.com/showpost.php?p=37698018&postcount=10
Hmmm.
If bada not needed... then we could create template RC1...
with 10 MB or something in this direction... and place zImage easily with WinHex into same address...
So in FOTA it could read from correct address in OneNAND...
Best Regards
Edit 1.
For zImage on 2 GB moviNAND with PFS inside...
http://forum.xda-developers.com/showpost.php?p=50254876&postcount=408
This Folder for instance:
Code:
Media/zImage
And for RC1 template I need little bit time... 1 or 2 days... maybe faster...

in last ROMs MoviNAND is fully "busy" by android.
Correct way is OneNand
Also it will be good to save bada offline charger, i don't remember correctly where is located images for it in RC1 or RC2, like bada splash screen and pictured with for offline charger

Correct way is OneNand
Click to expand...
Click to collapse
Okidoki, then we should take RC1 for tests...
S8500 flash and load from:
Code:
0x1980 0000
I need few minutes, because I must charge my test S8500... before I flash something...
Also it will be good to save bada offline charger, i don't remember correctly where is located images for it in RC1 or RC2, like bada splash screen and pictured with for offline charger
Click to expand...
Click to collapse
RC2 have 1 Picture as Placeholder for Charger... before apps_compressed.bin is fully loaded and executed...
If someone is able to create FOTA with loading from address 0x1980 0000 zImage... then we could use every other address...
But before for faster tests should 10 MB empty RC1 be enough...
Ehm... 16 MB... easier length...
QMD Header is not mandatory... if I remember correct...
MD5 Check for Multiloader disabled...
File without zImage yet, but easy replace 0x0 with content of zImage...
Result should be... zImage at address 0x1980 0000 in OneNAND...
File not tested yet, because charging battery...
Later I will try to flash self... then report if my S8500 explode...
Best Regards

@volk204 can you tell me what we'll gain changing location of boot.img(zImage)? Only place or something about performance or etc.?

hero355 said:
@volk204 can you tell me what we'll gain changing location of boot.img(zImage)? Only place or something about performance or etc.?
Click to expand...
Click to collapse
Nothing for performance.
We just remove dependency from SD card

Code:
Download Start Ch[0]
Rsrc1 16777.2KB OK[6.7s]
All files complete[7.4s]
7 seconds for 16 MB RC1...
...
Testresult via PM...
Best Regards
Edit 1.
Short logged via UART...
Code:
Hangs at:
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] FSR_PAM_InitNANDController Success!!
[PAM: ] --FSR_PAM_Init
bl3_info_block 1 age = 1
bl3_info_block 2 not found, BL3_1 Loading
+-------------------------------+
| Bootloader Shadowing FINISHED |
+-------------------------------+
Launch Image at 0x42080000
[BOOT_V1.0 (Jan 5 2012, 19:08:14)]
SelectBootingMode: H/W...0xe.
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,DSYSPCLK: 83375 KHz,PSYSHCLK: 133400 KHz, PSYSPCLK: 66700 KHz,SYSCON_A2M: 200000 KHz
+++FIMD_Drv_INITIALIZE
FIMD_Drv_ChangeMode: MDNIE_MODE
Frame Rate:62 SCLK_FIMD:133400 kHz ClkDiv:4
S6E63M0 : LDI_Pentile_Set_Change Pentile_Value =6c
---FIMD_Drv_INITIALIZE
---FIMD_Drv_SetWinOnOff(WIN4:1)
LCD initialize Finished
Flash_Unlock failed
Poweron status - 20
FSA9480 0x03 Register = 1
FSA9480 0x0A Register = 0
FSA9480 0x0B Register = 8
FSA9480 0x07 Register = 1c
[B]SelectBootingMode: Boot Mode = 1...[/B]

Info from Rebellos:
<Rebellos> To read from oneNAND you need Flash_Read_Data
<Rebellos> protype of it would be...
<Rebellos> uint32_t Flash_Read_Data(void* buf, uint32_t addr, uint32_t size);
<Rebellos> It should be easily detectable by mijoma's tool
<Rebellos> (you can change void* to char* or any pointer type that suits you)
<Volk204> Rebellos, do i need something like OneNand_Init before?
<Rebellos> No. Onenand is already initialized by BL3 (since FOTA is being read from there)
I will try to add it in FOTA later, or maybe someone else
edit1:
8500:
unsigned long c_Flash_Read_Data[] = { 0xf5bd478f, 0 };
8530:
unsigned long c_Flash_Read_Data[] = { 0x7dc705fa, 0 };

I can test tomorrow morning

I am not sure that it is correct but
Modified Fota.c http://pastebin.com/S62SMwnH
Test FOTA: https://yadi.sk/d/OMvi6FwMa2HgL i tried to test, but kernel don't start, output is ok, probably i incorrect flashed rc1 with boot.img.
Maybe someone will play with it
P.S. modified rc1 kill bada offline charger

volk204 said:
I am not sure that it is correct but
Modified Fota.c http://pastebin.com/S62SMwnH
Test FOTA: https://yadi.sk/d/OMvi6FwMa2HgL i tried to test, but kernel don't start, output is ok, probably i incorrect flashed rc1 with boot.img.
Maybe someone will play with it
P.S. modified rc1 kill bada offline charger
Click to expand...
Click to collapse
Maybe some parts of charger located there, maybe we don't need to fully empty rc1 with boot.img, just deleting unneeded ui parts can work.

In RC1 can only be few Pics...
But they are for apps_compressed.bin... So only animation is not visible...
Charging at all should work...
Later we can add Pics and copy zImage to other position...
But priority is to start zImage from address 0x1980 0000...
Need few minutes for test... then report...
Best Regards
Edit 1.
First attempt...
I see on Display...
Mounted partitions
Copied kernel from onennand
Init Modem
Boot in Normal Mode
Copied kernel to boot
Wait!
I have taken older zImage... Now I am waiting...
Will test with empty RC1 and RC1 with zImage inside... to check if textoutput is static or really detected zImage...
Later more...
Edit 2.
Textoutput is static but work. :good:
Same result with my attached empty RC1.
@volk204
Your FOTA work. :good:
Congratulation!
Zimage content should be at 0x0...
Header QMD must be overwritten...
Now we could change location of zImage... for instance... take full RC1 and add zImage at end of content, before last 1024 Byte
Depend on size of RC1...
But then 0x1980 0000 is wrong/obsolete...
Also we could create minor/small/slim RC1... with only few MB for charger Animation... if somebody need...
If someone need, I could upload my RC1 template... but for now I am tooo lazy to attach 6 MB... upload...
Edit 3.
If I remember correct... smallest RC1 was 7 MB or less 10 MB... to start bada...
My tests long time ago...

With FOTA from volk204 this RC1 boot zImage from 512 MB OneNAND.
:good:
Inside older kernel, not latest... only for test...
You can compare textoutput between this RC1 and my empty template:
http://forum.xda-developers.com/showpost.php?p=54892518&postcount=6
Same text, but this one really load and execute zImage from OneNAND.
Thanx.
Best Regards

adfree said:
Textoutput is static but work. :good:
Same result with my attached empty RC1.
@volk204
Your FOTA work. :good:
Congratulation!
Zimage content should be at 0x0...
Header QMD must be overwritten...
Now we could change location of zImage... for instance... take full RC1 and add zImage at end of content, before last 1024 Byte
Depend on size of RC1...
But then 0x1980 0000 is wrong/obsolete...
Also we could create minor/small/slim RC1... with only few MB for charger Animation... if somebody need...
Click to expand...
Click to collapse
I will replace textoutput by bada splash (Sasung Wave picture) from rc2
so if FOTA stuck on this picture, need to reflash kernel, we can't do anything more for debug
0x1980 0000 is easy to change, no problem, and probably it is different for wave and wave 2
I will push sources to github later, maybe today
and about charger, i see only picture from rc2 and then reboot in 5-10 sec, so it not work at all

Okidoki.
Later I could do some tests with zImage at end of RC1...
So RC1 is original + zImage...
Need some time...
Best Regards

i pushed sources on github:
https://github.com/Badadroid/android_bootable_wave-fboot/tree/android_onenand
TextOuput replaced by Bada splash screen,
If FOTA stuck on this picture more than 15-20 sec - something wrong with kernel
OneNand address for 8500: https://github.com/Badadroid/androi.../blob/android_onenand/FBOOT_S8500_b2x.lds#L28
OneNand address for 8530: https://github.com/Badadroid/androi.../blob/android_onenand/FBOOT_S8530_b2x.lds#L28
looks like rsrc1 address for 8530 is 0x36000000
Compiled FOTA for wave and wave 2 is in attachments
Edit:
for offline charger we need PshRsrcBmpIdleAni.rbm from rc1
rc1 with only PshRsrcBmpIdleAni.rbm attached, flashed and charger work
now need to create template with this file inside and boot.img inside and count memory address for boot.img, but i don't know how to do it

First look at charger.rc1...
Content ends at 0x0014 0000
We could make this area bigger... 0x0020 0000
And add zImage at this address...
So for FOTA new entry point is 0x1980 0000 + 0x0020 0000 =
19A0 0000
Theory... I can make tests only later...
Need to do some other things now...
Best Regards

adfree said:
First look at charger.rc1...
Content ends at 0x0014 0000
We could make this area bigger... 0x0020 0000
And add zImage at this address...
So for FOTA new entry point is 0x1980 0000 + 0x0020 0000 =
19A0 0000
Theory... I can make tests only later...
Need to do some other things now...
Best Regards
Click to expand...
Click to collapse
tested and working
fota with start in 0x19A00000 is in attachments
offline charger also work
Edit
Attached rsrc template for 8500 with charger inside, just add boot.img in 0x00200000
@adfree, could you please create empty rsrc1 template ~16mb for wave 2 (8530)?
And could you please re-check onenand adress for wave2?
in multiloader i see 0x36000000, but Rebellos marked it as 0x03600000 in kernel sources https://github.com/Badadroid/androi...i_nand/drivers/mtd/onenand/samsung_wave.h#L47

[Q&A] [TOOL][UTILITY] Carliv Image Kitchen for Android - unpack/repack boot-recovery

[Q&A] [TOOL][UTILITY] Carliv Image Kitchen for Android - unpack/repack boot-recovery
Q&A for [TOOL][UTILITY] Carliv Image Kitchen for Android - unpack/repack boot-recovery
Some developers prefer that questions remain separate from their main development thread to help keep things organized. Placing your question within this thread will increase its chances of being answered by a member of the community or by the developer.
Before posting, please use the forum search and read through the discussion thread for [TOOL][UTILITY] Carliv Image Kitchen for Android - unpack/repack boot-recovery. If you can't find an answer, post it here, being sure to give as much information as possible (firmware version, steps to reproduce, logcat if available) so that you can get help.
Thanks for understanding and for helping to keep XDA neat and tidy!

This looks like a really great tool but I'm having troubles with it.
gzip: ../boot.img-ramdisk.gz: not in gzip format
cpio: premature end of archive
Your ramdisk archive is corrupt. Are you trying to unpack a MTK image with regular script?
If so, please use unpack_MTK_img script. ERROR!
>> Exit script
when I use MTK it says
Unpacking the ramdisk....
gzip: ../boot.img-ramdisk.gz: not in gzip format
cpio: premature end of archive
Your ramdisk archive is corrupt. Are you trying to unpack a regular image with MTK script?
If so, please use unpack_img script. ERROR!
>> Exit script
this is for the LG Optimus F3 Boot.img from Team Win 2.8.0.0
is there any way to extract this puppy?
Code:
Printing information for "boot.img"
Android image info utility by [email protected]
Header:
Magic : ANDROID!
Magic offset : 0x00000000
Page_size : 2048 (0x00000800)
Base address : 0x80200000
Kernel address : 0x80208000
Kernel size : 7602936 (0x007402f8)
Kernel offset : 0x00008000
Ramdisk address : 0x88f108f0
Ramdisk size : 2048 (0x00000800)
Ramdisk offset : 0x08d108f0
Second address : 0x81100000
Tags address : 0x80200100
Tags offset : 0x00000100
Cmdline : 'androidboot.hardware=fx3s user_debug=31 vmalloc=308M'
Id : 46c3c0e3d52bc3f86497ddd8f07eae74643c5f0e
Successfully printed all informations for boot.img

HappyRoms said:
This looks like a really great tool but I'm having troubles with it.
gzip: ../boot.img-ramdisk.gz: not in gzip format
cpio: premature end of archive
Your ramdisk archive is corrupt. Are you trying to unpack a MTK image with regular script?
If so, please use unpack_MTK_img script. ERROR!
>> Exit script
when I use MTK it says
Unpacking the ramdisk....
gzip: ../boot.img-ramdisk.gz: not in gzip format
cpio: premature end of archive
Your ramdisk archive is corrupt. Are you trying to unpack a regular image with MTK script?
If so, please use unpack_img script. ERROR!
>> Exit script
this is for the LG Optimus F3 Boot.img from Team Win 2.8.0.0
is there any way to extract this puppy?
Code:
Printing information for "boot.img"
Android image info utility by [email protected]
Header:
Magic : ANDROID!
Magic offset : 0x00000000
Page_size : 2048 (0x00000800)
Base address : 0x80200000
Kernel address : 0x80208000
Kernel size : 7602936 (0x007402f8)
Kernel offset : 0x00008000
Ramdisk address : 0x88f108f0
Ramdisk size : 2048 (0x00000800)
Ramdisk offset : 0x08d108f0
Second address : 0x81100000
Tags address : 0x80200100
Tags offset : 0x00000100
Cmdline : 'androidboot.hardware=fx3s user_debug=31 vmalloc=308M'
Id : 46c3c0e3d52bc3f86497ddd8f07eae74643c5f0e
Successfully printed all informations for boot.img
Click to expand...
Click to collapse
Can you attach that image here, to take a look? It sounds like there is no ramdisk in it. There are some phones that doesn't have ramdisks in boot images.

carliv said:
Can you attach that image here, to take a look? It sounds like there is no ramdisk in it. There are some phones that doesn't have ramdisks in boot images.
Click to expand...
Click to collapse
Sure thing, just remove .zip from the file name, had to do that as it only allows 8Mb img uploads
I'm trying to edit the boot so that I might be able to make the external SD into the data drive, is this even possible or am I wasting my time?
Thanks!

HappyRoms said:
Sure thing, just remove .zip from the file name, had to do that as it only allows 8Mb img uploads
I'm trying to edit the boot so that I might be able to make the external SD into the data drive, is this even possible or am I wasting my time?
Thanks!
Click to expand...
Click to collapse
Ok, I see... Your image is "lokified". In order to use my tool you need to "de-lokify" it first, then after modding you need to "re-lokify" it back. Some infos here and here. It may be many other infos but I didn't have time to do a full search; you have to do it for yourself.
Some LG and Samsung devices have that "Loki" thing and you need to deal with it. Maybe when I'll have a phone like that I'll make an automated process for it, but now I haven't and I can't work "in blind".
I don't know what to say about your last question... I'm not even sure what you're talking about.

carliv said:
Ok, I see... Your image is "lokified". In order to use my tool you need to "de-lokify" it first, then after modding you need to "re-lokify" it back. Some infos here and here. It may be many other infos but I didn't have time to do a full search; you have to do it for yourself.
Some LG and Samsung devices have that "Loki" thing and you need to deal with it. Maybe when I'll have a phone like that I'll make an automated process for it, but now I haven't and I can't work "in blind".
I don't know what to say about your last question... I'm not even sure what you're talking about.
Click to expand...
Click to collapse
Awesome, thanks!
basically, the LG Optimus F3 comes with too little memory built in, there's a program that mounts an external SD's second partition as a data folder, but even still it runs out of internal memory or won't install apps larger than the internal memory because the "System" partition still has little room.
so the goal was to edit the boot so it will boot using an external SD directly as the system drive, it would read it's maximum memory available as whatever the external SD's maximum is.
this would solve the problem, if it works, if not then it'll probably just brick the phone :good:

I just wanted to update and say thanks. This helped out great! I was able to successfully boot /data from my external SD card as desired, however, my card is only a class 2 so it won't be a good idea until I upgrade it to a class 10.
Lg Optimus F3 comes with very little internal storage, which was giving me a headache, so I wanted to make the phone boot using an external SD as the /data partition.
after following your tip, I unloki'd the boot image and used your Carliv Image Kitchen to extract the contents, edited the fstab and edited out the original code: "/dev/block/platform/msm_sdcc.1/by-name/userdata /data" telling it to mount /data on the /dev/block/mmcblk1p2 instead.
after repacking and re-loking and flashing the .img it had some problems, for some reason it was just booting to a black screen, so I used dd from the team win terminal to copy the /dev/block/platform/msm_sdcc.1/by-name/userdata over to the /dev/block/mmcblk1p2, and it worked!
being a class 2, it booted slowly and responded slowly but works none the less.
to be sure there was no problem with partition size, being how I used dd to mirror userdata over to the sdcard, I ran gparted in linux and resized the partition smaller, then larger to full size (just in case)
thanks for your wonderful tool and for pointing me in the right direction.

help sir carliv please
I was trying to install cm12 using carliv touch recovery 3.3 for kit kat on my alcatel pop d3 but it failed now my phone is stuck and wont turn on
what version of cm can that recovery install??????

DONTEGO said:
I was trying to install cm12 using carliv touch recovery 3.3 for kit kat on my alcatel pop d3 but it failed now my phone is stuck and wont turn on
what version of cm can that recovery install??????
Click to expand...
Click to collapse
The answer is already in your question:
I was trying to install cm12 using carliv touch recovery 3.3 for kit kat....
Click to expand...
Click to collapse
As I already posted in recovery's thread, it will work with kitkat kernels. Some people port it to lollipop but I never recommended that.
So to answer clearly cm11 because cm12 means lollipop, or it will work with any other kitkat based ROM if your phone has any kitkat kernel released.
You need to ask the one who released that cm12 for your phone to provide a matching recovery along.
Now you probably need to reflash the phone with SPFlashTools.

ok thanks a whole lot but im having another issue the sd card is now only readable by my phone how do i go about copying a rom to it whenever i plug it into the pc it doesnt come up

DONTEGO said:
ok thanks a whole lot but im having another issue the sd card is now only readable by my phone how do i go about copying a rom to it whenever i plug it into the pc it doesnt come up
Click to expand...
Click to collapse
im trying to install Mystic_OS_v4DL750.zip does it require a gapps package?

Can some one port ne a recovery for xolo era 4g
Sent from my Hacked_Era_4G using Tapatalk

Is it able to unpack stock recovery?
---------- Post added at 03:25 AM ---------- Previous post was at 03:23 AM ----------
Raakib Zargar said:
Can some one port ne a recovery for xolo era 4g
Sent from my Hacked_Era_4G using Tapatalk
Click to expand...
Click to collapse
Which chipset?

Hi there... I woul like to ask if this tool works for Helio x20 cpu's... (Mt6797 - Leagoo T10) because I'm trying to extract the stock recovery but having trouble with the ramdisk... It says "compression used unknown..." I've seen it mentioned in the discussion some times but the explanation was to use the 1. Metod ??? I'm using the windows 1.1 version and I really don't see any other method to use (start bat, r, 1 recovery.img, , 1 unpack image, error....) I'm just installing Ubuntu to see the difference but would be grateful for some advise... Thanks.

Since main Carlive Image Kitchen thread has been closed in 2017 all the util builds have been lost for some unknown reason. Dev claimed he have personal problems and adviced users to help each other.
I've found latest official version 1.3 builds and publish them here for practical and historic reasons. This util mentioned in a various manuals so people will look for it for a long time then. Old Linux modded version by yuweng is also added for completeness.
View attachment CarlivImageKitchen_Windows_v1.3.zip
View attachment CarlivImageKitchen_Windows_x64_v1.3.zip
View attachment CarlivImageKitchen-Linux_v1.3.zip
View attachment CarlivImageKitchen-Linux_x64_v1.3.zip
View attachment CarlivImageKitchen-Linux-DnD-yuweng.zip
Furthermore user FOV5 @ 4pda.ru forums have modded latest 1.3 version a few times so I do publish here his latest modded version 1.5B3 (12-Jan-2018)
Changes history:
- v1.4: Support for some non-standard kernel images (e.g. LibreELEC and similar).
- v1.5B1:
- Removed 'Boot' and 'Recovery' prefixes from file names while unpacking Boot/Recovery images. This is due to ability to easily compare whole Boot and Recovery folders after unpacking.
- Added optional experimental AmLogic core unpacking. This could be helpful to patch storage media layout when device partition build into the core.
- v1.5B2: Fixed 32 bit app crash after core unpacking. A few other small non critical fixes.
- v1.5B3:
- New while core slitting, parameters like Name, Load Address and Entry Point are preserved.
- Fixed: New app will try to pack core only when all the 4 kernel parts are found in the unpacking folder. If core unpacking process some kind failed, one or more kernel.* files will be missing, so repack process will use original core instead of trying to assemble broken one.
View attachment CarlivImageKitchen_Windows_v1.5B3.7z
If you have any questions related to this modded app version look for FOV5 user at 4pda.ru forums and ask him (I don't know does he speak any langs except Russian, online translators available anyway. There is also Russian numeric captcha problem for non-Russian speakers when loggin in to that forums, sorry guys). I do not often use this app and occasionally visit XDA, so I can't support this product in a professional manner. Help each other guys!