Related
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
4.2 - SD
Due to numerous requests, I ported my NAND build to be used also with SD, booting it via MAGDLR or WindowsMobile (Haret)
...: FEATURES :...
1.84 base Deodexed and Zipaligned
RMNET/PPP Selectable via config.txt (boot via WMO only PPP)
Multilanguage and full chinese handwriting support.
Rooted (SU app + SU binaries)
AdFree
AutoAPNs
5mpx camera with face recognition + 800*400 camcorder
HSDPA, GPS, Bluethoot, WiFi all working
% battery icon and status bar icons changed (use original framework-res.apk to go back to stock attached in 2nd post)
fonts changed (use original fonts to go back to stock attached in 2nd post)
[*]Enhanced Shutdown Menu
[*]WiFi MAC Fixed
Working HTC-SENSE.COM, HTC-HUB, HTC-LIKES
Working HTC Headsets using my kernel
Working notification LEDs
[*]Working Streaming Video
[*]Working Flash Player, No more browser crash
Support config.txt to tweak boot options
Modified shutdown android process to cleanly unmount data partition and avoid data corruption.
EXT3 Filesystems to improve data safety and speed.
Personal tweaks to I/O to have the most fast full hd build you ever seen
Fast, Fast, FAST!....... FAST!
Tweaked to be stable, battery efficient and good for daily use.
.
REMOVED APPS (you can install them from market or use the package in second post):
AdobeReader.apk
Facebook.apk
GoogleMaps.apk
Quickoffice.apk
SoundHound_freemium.apk
Street.apk
Talk.apk
Twitter.apk
VoiceCommander.apk
YouTube.apk
Click to expand...
Click to collapse
...: WHAT IS NOT WORKING :...
HTC E-Reader (removed)
Weather could be buggy for someone. If its so for you, try the fix in second post
Click to expand...
Click to collapse
...: CHANGELOG :...
Code:
4.2 - 21 MAR 11
- Fixed Flash player in websites via modified app to not let the market to update it (credits: cmyxlgo)
- Fixed Camera, now no more FC in sharing (credit: aread22, pyrorob)
- Updated ad-free
- Improved data stability
- Improved ppp
- Cleaned system from unuseful stuff
- Optimized and zipaligned again
- Updated to Rafpigna 1.9 OC Kernel, with EB support
4.1 - 12 MAR 11
New base TELUS 1.84.661.1
new kernel rafpigna 1.8 OC
updated gmail
updated market
updated flash player so you will have no more erros (dont let the market to update it!)
updated busybox to 1.18 stable
modified init and init.log to have better debug informations
zip align of all apps on boot to improve speed, ram, and battery drain
updated some driver and libs for better stability
updated all languages including Serbian and handwriting languages
MMS sizes 300kb, 600kb, 1024kb (default 300kb, choose size in the sms settings)
reduced freeze a bit when installing apps from the market
some other small fixes and tweaks I forgot
Reverted to radio drivers from 3.2 for better data stability
Fixed a typo in init causing some issues with data and booting
Fixed some drivers dependencies
Some fixes on some parts of the system to improve stability and speed.
Some other small fixes
3.2.2 - 02 MAR 11
Fixed path issues
3.2.1 - 02 MAR 11
Tweaked booting process to be more compatible
added possibility to change wifi mac address
added another method to boot from a different folder
fixed update installations
3.2 -> first release
Click to expand...
Click to collapse
...: REQUIREMENTS :...
MAGDLR 1.13 or WINDOWS MOBILE
FAT partition as first partition and PRIMARY on sd card, otherwise will not boot
A little bit of brain to read the instructions and dont post questions until you did at least a search in the thread
Click to expand...
Click to collapse
Quadrant @ stock speed ---- Quadrant @ 1,5ghz
(click on the images for bigger size)
...: INSTRUCTIONS :...
Apart from the below instruction you can see also the COLOSSUS_R tutorial HERE
Download the build 7z file
Extract the whole "Android" folder in the root of your sd card. This means you have to extract not only the files inside the folder, but the folder itself!
If you are coming from a previous version and you want to keep your data and settings, dont overwrite the userdata.img file and keep your old one.
Create, inside the folder, a config.txt file based on your needs (see below for instructions). If you dont create one, the default values will be used. Anyway you can create it also on second or any next boot. Some users experienced boot issues with config.txt created with windows notepad. Try to use Notepad++ and select "Conver end line character" to UNIX in the "Edit" menu, before save.
When creating txt files, make sure your Windows is setted up to show extensions also for known files. Otherwise will happen that you will create files like "something.txt.txt" because you dont see the last .txt
If it will not boot after you follow the instructions, read post 3
FOR WINDOWS MOBILE BOOT:
First of all modify the config.txt file in your build folder, with wince=1 or you will be stuck at bootscreen.
Boot Windows Mobile, open file exploer, browse to your sd card and the android folder, tap on CLRCAD.exe (nothing will happen) then on HARET.EXE and wait the boot
First boot will take about 5-10 minutes depending on your sd card speed.
If you hear the bootsound more than one time, you have boot-loop.. something has gone wrong. Read again the instructions, check the md5/sha1 of downloaded file, start all again from scratch.
Once you see the unlock screen, dont touch your phone for 5 minutes.
After the 5 minutes, unlock the screen, do your setup.
When on the sense home screen, wait again 5 minutes without touching anything.
long press on the power button and shutdown the phone
Boot again
Again wait 5 minutes on the lock screen, then unlock it.
Go in settings -> audio -> and disable audible touch tones to avoid robo voice or phone freezes.
Enjoy.
If you want to change the build folder from "Android" to "Anythingelse" just open the startup.txt and add this line: set cmdline "rel_path=YourFolderName"
Folder name must not contains special charactes like . , ! | and so on...
FOR MAGDLR BOOT
Please note: If you want to change the build folder from "Android" to anything else just create a "rafdroid.txt" file on your sd root with the following text inside it: rel_path=YourFolderName
Folder name must not contains special charactes like . , ! | and so on...
Boot in MAGDLR powering on your phone while you press the power button until MAGDLR appears.
Select "SERVICES"
Select "BOOT SETTINGS"
Select "AD SD Dir"
Select the "ANDROID" folder or the folder where you dropped the rom.
Now select "BOOT AD SD" and wait boot
If you hear the bootsound more than one time, you have boot-loop.. something has gone wrong. Read again the instructions, check the md5/sha1 of downloaded file, start all again from scratch.
Once you see the unlock screen, dont touch your phone for 5 minutes.
After the 5 minutes, unlock the screen, do your setup.
When on the sense home screen, wait again 5 minutes without touching anything.
long press on the power button and shutdown the phone
Boot again
Again wait 5 minutes on the lock screen, then unlock it.
Go in settings -> audio -> and disable audible touch tones to avoid robo voice or phone freezes.
Enjoy.
Click to expand...
Click to collapse
...: CONFIG.TXT :...
A config.txt is included in the build folder. It has currently only the "wince=0" option, so you have to change it according to your needs.
Some users experienced boot issues if they create/modify the config.txt file using Windows Notepad. If you have the build not booting, try to use Notepad++ (google for it) and, before saving the file, goes in "Edit" menu, then select "Convert end-line carachter" and select "UNIX"
Also check the you are displaying file extensions. This because if you file extensions are hidden, you will create a config.txt.txt file that will not be read by the system and you will be stuck at boot.
Those are the options you can specify in the file:
gps_zone=[your country]
check http://www.pool.ntp.org/zone/@ for country codes (example: it for italy, us for usa.. and so on...)
wince=[1 or 0]
1 to boot the build via windows mobile
0 to boot the build via magdlr
default is 0
if you try to boot via winmo or magdlr without setting properly this parameter, the build will not boot.
ppp_mode=[1 or 0]
1 to enable PPP
0 to enable RMNET.
Default is 0
If wince=1 default ppp_mode will be 1
old_light_driver=[1 or 0]
0 to use the new light driver (working notification leds, button backlight control)
1 to use the old light driver (no notifications leds, buttons will go off after 10 seconds)
default is 0
auto_btn_backlight=[1 or 0]
1 to have the buttons backlight going off/on with the screen
0 to have the buttons backlight going off after 10 seconds from when the last button is pressed
default is 1
this work only if old_light_driver=0
wifi_mac_change=[1 or 0]
1 tells the system that you will need to change the wifi mac address to a custom one
0 tells the system that you will use the wifi mac address based on device hardware
custom_wifi_mac=yy:yy:yy:yy:yy:yy
here you have to write the wifi mac address you want.
This is needed, and will work, only if you specify wifi_mac_change=1
If you not write any mac address here, the default 00:11:22:33:44:55 will be used
Just an example on how a file could look:
Code:
gps_zone=it
ppp_mode=0
wince=0
old_light_driver=0
auto_btn_backlight=1
Click to expand...
Click to collapse
...: TIPS :...
Robot voice - known issue - disable audible touch tones and no more robot voice.
On every boot an "init.log" is created under your Android folder. Post this file if you have boot loops or booting issues, this will help debug and to solve the issue.
I modified the whole android shutdown process to avoid any data corruption. Please always choose SHUTDOWN instead of REBOOT!!! In this way you wil never have data loss or corruption!!!! Also if in my instructions or somewhere you read "reboot your phone" always SHUTDOWN then power it up again!
Click to expand...
Click to collapse
...: DOWNLOADS :...
Please, if you respect my work, dont upload this file on any other mirror or host, always put the original link in any forum or web page where you are going to post it.
Since the new base, a fresh install is suggested (means dont use the old userdata.img)
You can try to install on old userdata.img just copying all files from the zip except the userdata.img but you can have bugs, issues and loose some functionalities of the new update.
To keep al the bugfixing a FRESH installation is suggested. If you experience any bug not reported in the first post, try a fresh install (new userdata.img) and see if it happens again.
RAFDROID HD 4.2 SD -> DOWNLOAD HERE
MD5: D55FB4F671A79842B9D2618462526BE9
SHA1: 2F38F6F44F91AB54B9F6CA61A2987DF6405AE256
CRC32: 33021A3E
Old versions:
RAFDROID HD 4.1 SD -> DOWNLOAD HERE
MD5: CBDF69DF2382401E0EFFD6031B00D563
SHA1: B879A08475A32CAFB4C392E4B9EEE676FCC93E17
CRC32: 414635DA
RAFDROID HD 3r2f2 SD -> http://www.multiupload.com/HA3TRFQD9S
MD5: BE39664A7F6B4FD40DD614F0EA4FD2B3
SHA1: F508BB2D72ECDDFAF94A379601D964E62917DFFF
CRC32: FF766DAA
Click to expand...
Click to collapse
...: CREDITS THANKS :...
Cotulla and DFT for making all this possible
Darkstone - Special thanks to him for his big help
Rajko,atoore,ocm,Cass,Markinus, LeTama, cedesmith, domineus, imilka, crawlingcity, Sergio76, cmylxgo, dandiest, tytung
rmk40 for the modded su app/bin
All the testers of my NAND build and the themers kurniawan77 and dandsta34
Everyone else I forgot and a lot of other people on #htc-linux-chat
Click to expand...
Click to collapse
...: DONATIONS :...
I'm putting a lot of time in this, nights without sleeping, downloading, flashing, reflashing..So, if you like my work and appreciate it, and you want to buy me a coffe or a beer for chilling out, I will appreciate it you can do this here DONATE otherwise a click on the "thanks" button is still a good idea
Click to expand...
Click to collapse
...: KERNEL :...
My kernel is capable of Overclock up to 1.5Ghz. Anyway overlcock at you risk. I'm not responsible if you will blow your phone
You are free to use any kernel you want. Just make sure to put all the relevant system files (like modules) in the "root" folder structure under Android folder (look following post for instructions)
This build is tested to work properly with my kernel. I will not reply to any issue using other kernels.
You can find my kernel thread here: http://forum.xda-developers.com/showthread.php?t=940823
Click to expand...
Click to collapse
...: AndroidApps installation instruction and filesystem installation instructions :...
If you want to automatically install any app during boot, you can create a folder "AndroidApps" under the Android folder and put the apk there. The apps will be installed during next boot. Please dont do this on first boot because some times can give issues. The folder will be automatically deleted after the apps are installed
If you want to change any system files, you can create a "root" folder under your Android folder. In this "root" folder you have to replicate the structure of the system folders. Example: you want to change the gps.conf file that is in the following path: /system/etc/gps.conf you have to create this folder structure: "root -> system -> etc" and in the last folder (etc) you have to put your modified gps.conf file.Durin boot it will be copied and the folder deleted. Use this method if you want to change kernel and you need to push the new modules.. in that case the folder structure will be "root -> system -> lib -> modules" and here all the modules files.
Click to expand...
Click to collapse
...: Updates :...
Download the zip update that you want to apply
extract the whole "update" and "root" folders in the "Android" folder. This means looking in the Android folder you will have two subfolders "root" and "update" (in some cases the "update" folder is not present in the zip... no needed)
boot the build
FOR 4.X Version ONLY!
Standard Font: -> http://www.multiupload.com/A2V1QT48DI
RafDroid Font -> http://www.multiupload.com/VWNIIH9P2X
Standard Framework (taskbar icons) -> http://www.multiupload.com/YZALGSEPS6http://hotfile.com/dl/109974758/9fa3c11/SD_update_stock_4rX_framework.7z.html
Rafdroid Framwork (taskbar icons) -> http://www.multiupload.com/OOYO7UZKXE
Removed Apps: extract the whole folder in your Android folder and boot-> http://www.multiupload.com/GUS146P63W
Weather fix (if your weather doesn't update or it's buggy) -> http://www.multiupload.com/IF5FD2784R
FOR 3.X Version ONLY!
Standard Font: -> http://www.multiupload.com/A2V1QT48DI
RafDroid Font -> http://www.multiupload.com/VWNIIH9P2X
Standard Framework (taskbar icons) -> http://www.multiupload.com/JAA3K6VLJM
Rafdroid Framwork (taskbar icons) -> http://www.multiupload.com/77TLLYZEHD
Removed Apps: extract the whole folder in your Android folder and boot http://www.multiupload.com/LWIZC71LPJ
Click to expand...
Click to collapse
To do list (all those things will be uploaded on sunday night CET )
Provide zips for stock font and stock framework/status bar
Provide zips for themes like in the screenshots
Provide zip of removed apps
Check if this works with WP7 partitioned sd card
Do you have problems in booting?
check that your first partition is fat32
check that your fat partition and all other partitions (example the ones created by wp7) are primary partitions.
follow this tips, thanks to zarathustrax -> http://forum.xda-developers.com/showpost.php?p=11688635&postcount=52
if nothing above works, consider to format your sd card with panasonic sd formatter, using "full erase" method. You can find the tool as attachment in the bottom of this post.
check that you have config.txt inside your build folder
check that you are editing/creating the config.txt with a unix compatible text editor like notepad++ (read the config.txt instruction in post 1 to understand how to use)
if you changed the build folder name (example: from Android to RafdroidSomething) make sure you have a "rafdroid.txt" file in your sd card root and in it you have a line rel_path="RafdroidSomething"
if still no luck, try to post your problem but dont forget to post:
- are you using wmo or magldr?
- how is your config.txt?
- did you keep the enclosed userdata.img or changed with your own?
- are you using the included kernel (zimage)?
- a "init.log" file inside the android folder is created? If yes, post it!
- did you copy the "whole" android folder, including the folder itself, on the root of sd card?
- did you changed the folder name?
More info you will provide, more possibility you have that i or someone else can give you the solution to your issues.
Click to expand...
Click to collapse
...: FAQ :...
q) Can you provide a mirror for the downloads
a) I'm sorry but the answer is "no". I pay hotfile every month and the downloads give me the possibility to pay it. I dont do this for money, but I also dont want to waste my money
q) My phone sometimes freeze and I have to reboot.
a) Go in Settings -> Audio -> disable audible touch tones. this will solve the issue in most of the cases.
q) During/after boot a window appears with "System process not respoding". What I have to do?
a) This is caused from the new audio driver I used. The new audio driver has better phone stability and no robo voice. You have two choices: 1) Click on "wait" and all will be fine OR 2) download the "old_acdb_file.zip" and flash it via recovery. In this way you will not have the error anymore but you will start having robo voice on first call (you can avoid this disabling audible touch tones) and could happen that your phone freezes when receiving a call. It's your choiche. I preferred the "window error" one because for me is more important to have a working phone than an error window appearing at boot.
q) I have robo voice when I make a call
a) To avoid this, disable "audible touch tones" from the "settings -> audio" menu. You will have no-more robo voice also if you reboot.
a) During the robo-voice call, enable the speaker, then disable it. You will have no more robo-voice until next reboot.
q) I have very low audio during calls
a) During the call, enable the speaker, then disable it. You will have loud volume until next reboot.
q) after boot I see only a white screen with a green htc logo
a) just wait. It can take fro 5 up to 20 minutes depending on your sd card. There are no issue. The build booted fine, it's just copying all the files to SD. This will happen only on first installation.
q) I'm having high battery drain
a) Try reboot. Try disabling gps in location. As you can see from the screenshot I have 4mA with WIFI active! Also be careful. If during google account setup you choose to backup/restore all your data, the sync process will be dramatic heavy because it has to reinstall all your apps. It could need a couple of hours to settle. Also high battery drain could be caused by SD. try another one.
q) It's really laggy!!!!
a) as all Desire HD builds this is BIG! This needs at least 10-15 minutes after boot to be usable. Then try to use it for 5-6 hours.. and do a couple of reboots.. you will see that the speed will improve. After 24 hours of use and 4-5 rebots this will be really fast.
q) It lags when I'll install apps?
a) yes a little. Just to say: I have a desire hd... it lags also in the same case.. very few.. but the lag is there.. so it's an issue form desire hd base.
q) I have no GPS or the fix is really slow
a) Firs fixt can take up to 5 minutes. just wait.You can edit the config.txt gps_zone= to your country. See here for the right strings http://www.pool.ntp.org/zone/@ if this not solves, try use QuickGps from the market to download a-gps data.
q) Can I unmount the SD while in use or connect the phone as mass storage to my pc while in use?
a) No. Is dangerous for your files
q) It not boots
a) partition again and format again your sd card. follow the guide linked in the first post. post your init.log file for help
q) I have no data/3G/HSDPA
a) probably you have to set your apn manually. google it for tips on how to do and what settings are need for your carrier
q) How do I remove BOOTSOUND / How do I change bootanim
a) bootsound and bootanim are located in /system/customize/resource
Just delete android_audio.mp3 if you dont want sound
q) I have wake up lag
a) It's an issue that devs are trying to solve. It's not related to the build itself. In the Q&A Forum there is a thread about this problem. HERE, HERE,....
q) I have issues in flash during web brosing, the browser force closes
a) If you have issues with flash videos on website, you need an older flash version. Check this post. Thanks to Jayedamina http://forum.xda-developers.com/show...&postcount=280
Click to expand...
Click to collapse
...............
--- last one for me... just in case... ---
Wow, this is awesome.. thanks for showing the SD crowd a little love! downloading now
Really nice to see your HD build on SD.
Thanks!
rafpigna, your hd builds are maybe the best desire hd based builds for hd2
i'm very glad that you've ported it for running from magldr, thanks
Thank's !
Downloaded it,setting up right now
booted just fine .
Data working fine,arows are not working. EDIT:fine after restart !)
Thank's for the SD build !
finally see you here in SD builds, one of my favorite chief. Thank Raf.
Oh my God if i can only send a beer through package! You rock my HD2
Thanks Raf, how to restore stock font?
Master chief ! many thanks from sd lovers !
Thanks for the ROM mate..
I have read alot about its NAND version and about its wonderful performance..
Just tried it now ( SD/WinMo/No MAGLDR ), it ran well on me test card ( 8GB ), but when I tried it on me main 16 GB card, it just stucks on the first boot screen.. looks like it has something to do with SD partitionning..
P.S. both cards were unpartitionned...
Cheers...
jaguaralani said:
Thanks for the ROM mate..
I have read alot about its NAND version and about its wonderful performance..
Just tried it now ( SD/WinMo/No MAGLDR ), it ran well on me test card ( 8GB ), but when I tried it on me main 16 GB card, it just stucks on the first boot screen.. looks like it has something to do with SD partitionning..
P.S. both cards were unpartitionned...
Cheers...
Click to expand...
Click to collapse
Your init.log of unsuccessful boot would help me to find if there is an issue
Sent from my Desire HD using XDA App
Unfortunately,on WinMo boot, no fires hangs on the screenshot RAFDROID and nothing else for over 20 minutes.
What can I do?
init.log:
Code:
e2fsck on loop0
/dev/block/loop0: clean, 1492/25600 files, 95127/102400 blocks
e2fsck on loop1
/dev/block/loop1: clean, 11/65536 files, 12644/262144 blocks
Available space on partitions:
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/block/mmcblk0p1 7774208 3071040 4703168 40% /bootsdcard
/dev/block/loop0 403144 374052 8612 98% /system
/dev/block/loop1 1032088 34088 945572 3% /data
Mounted partitions:
rootfs on / type rootfs (rw)
proc on /proc type proc (rw,relatime)
none on /dbgfs type debugfs (rw,relatime)
/dev/block/mmcblk0p1 on /bootsdcard type vfat (rw,noatime,nodiratime,fmask=0111,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro)
/dev/block/loop0 on /system type ext3 (rw,noatime,nodiratime,errors=continue,data=writeback)
/dev/block/loop1 on /data type ext4 (rw,nosuid,nodev,noatime,nodiratime,barrier=1,data=ordered,noauto_da_alloc)
checking loop0
tune2fs 1.41.3 (12-Oct-2008)
Filesystem volume name: <none>
Last mounted on: <not available>
Filesystem UUID: 4e17b557-ed30-42e8-9160-b39a0a76896e
Filesystem magic number: 0xEF53
Filesystem revision #: 1 (dynamic)
Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery sparse_super large_file
Filesystem flags: signed_directory_hash
Default mount options: (none)
Filesystem state: clean
Errors behavior: Continue
Filesystem OS type: Linux
Inode count: 25600
Block count: 102400
Reserved block count: 5120
Free blocks: 7273
Free inodes: 24108
First block: 0
Block size: 4096
Fragment size: 4096
Reserved GDT blocks: 24
Blocks per group: 32768
Fragments per group: 32768
Inodes per group: 6400
Inode blocks per group: 400
Filesystem created: Sat Feb 26 07:02:59 2011
Last mount time: Sat Feb 26 17:51:04 2011
Last write time: Sat Feb 26 17:51:04 2011
Mount count: 2
Maximum mount count: 21
Last checked: Sat Feb 26 07:02:59 2011
Check interval: 15552000 (6 months)
Next check after: Thu Aug 25 07:02:59 2011
Reserved blocks uid: 0 (user root)
Reserved blocks gid: 0 (group root)
First inode: 11
Inode size: 256
Required extra isize: 28
Desired extra isize: 28
Journal inode: 8
Default directory hash: half_md4
Directory Hash Seed: d4b9346e-8363-420c-ab55-c2296936941e
Journal backup: inode blocks
checking loop1
tune2fs 1.41.3 (12-Oct-2008)
Filesystem volume name: <none>
Last mounted on: <not available>
Filesystem UUID: deefdaf7-4c6e-4e21-bc36-a6b0e4c4300f
Filesystem magic number: 0xEF53
Filesystem revision #: 1 (dynamic)
Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery sparse_super large_file
Filesystem flags: signed_directory_hash
Default mount options: (none)
Filesystem state: clean
Errors behavior: Continue
Filesystem OS type: Linux
Inode count: 65536
Block count: 262144
Reserved block count: 13107
Free blocks: 249500
Free inodes: 65525
First block: 0
Block size: 4096
Fragment size: 4096
Reserved GDT blocks: 63
Blocks per group: 32768
Fragments per group: 32768
Inodes per group: 8192
Inode blocks per group: 512
Filesystem created: Sat Feb 26 02:55:15 2011
Last mount time: Sat Feb 26 17:51:06 2011
Last write time: Sat Feb 26 17:51:06 2011
Mount count: 1
Maximum mount count: 34
Last checked: Sat Feb 26 02:55:15 2011
Check interval: 15552000 (6 months)
Next check after: Thu Aug 25 02:55:15 2011
Reserved blocks uid: 0 (user root)
Reserved blocks gid: 0 (group root)
First inode: 11
Inode size: 256
Required extra isize: 28
Desired extra isize: 28
Journal inode: 8
Default directory hash: half_md4
Directory Hash Seed: 5b971090-c3f1-4206-8a0d-392e2f5fe4c1
Journal backup: inode blocks
gps_zone
pl
ppp_mode
0
sd_boost
wince
0
old_light_driver
0
auto_btn_backlight
0
+++++++ GPS ZONE CHANGED +++++++
+++++++ MAGLDR MODE ACTIVATED +++++++
+++++++ RMNET MODE ACTIVATED +++++++
+++++++ BTN BACKLIGHT AUTO-OFF ACTIVATED (echo 1) +++++++
rafpigna said:
Your init.log of unsuccessful boot would help me to find if there is an issue
Sent from my Desire HD using XDA App
Click to expand...
Click to collapse
My Pleasure !
Thanks....
but it did not initiate any init.log !!!
and this was me config.txt
gps_zone=uk
ppp_mode=1
wince=1
old_light_driver=0
auto_btn_backl
Have realy been waiting for this - so thanks rafpigna.
Just wating for "Provide zips for stock font" ;-)
jaguaralani said:
My Pleasure !
Thanks....
but it did not initiate any init.log !!!
and this was me config.txt
gps_zone=uk
ppp_mode=1
wince=1
old_light_driver=0
auto_btn_backl
Click to expand...
Click to collapse
If there is no log means SD card is not mounted. Are you using wp7 or wm?
Sent from my Desire HD using XDA App
rafpigna said:
If there is no log means SD card is not mounted. Are you using wp7 or wm?
Sent from my Desire HD using XDA App
Click to expand...
Click to collapse
WM 6.5>>>>>>>>>>>
>>>> In a post further down, I have released a updated zip file which contains the 2ndihkvc program as well as its source as well as few support scripts to allow experimentation with this mechanism of multiple user spaces <<<<
Hi All
I have been following the below thread, as well as working on my own on some of the concepts. You can get the details till now from my posts in the below thread.
http://forum.xda-developers.com/showthread.php?t=1378886
I was not able to get the SETREGS to succeed in setting PC required for the current/existing 2nd-init logic, nor wait was waiting to lock the process, SO I tried a new and simpler alternate method for triggering/execve the init process a 2nd time using only POKE and it seems to have succeeded. I am guessing this based on my nooktablet having got messed up and it keeps rebooting again and again when it reaches my logic potentially. I have to restore back to factory settings and try afresh in the morning (Well it is almost morning ;-) now here) with few more debug messages to pin point it fully.
The code I am injecting directly into init process is in the attached txt file which is actually a .s (assembly file). (NOTE: Currently I am not handling environment variables, not sure if that is causing my boot to keep looping).
In turn the logic to hijack the init process and inject the code is as simple as
Step1) PTRACE_ATTACH
Step2) PTRACE_GETREGS
Step3) PTRACE_POKETEXT (Regs.ARM_pc, code to inject)
Step4) PTRACE_CONT
Step5) PTRACE_DETACH
I will upload the code in a day or two - however the jist of the logic is above, if anyone wants to experiment on their own.
NOTE: The code is very simple and experimental and expects the pc address to be known before hand to massage the .s file appropriately.
NOTE: The above algo with the corresponding .s file is still EXPERIMENTAL and also requires additional shell scripts to get access to the boot flow to trigger the hijack. And the current code will break the nooktab booting, so don't experiment this logic and the .s file unless you know what you are doing.
NOTE: I am not that much into Custom Roms etc, so don't expect anything much shortly wrt Custom Roms etc, this is just a experimentation for myself and to feel happy inspite of BN removing some useful features like sideloading as well as forcing a signed bootloader on everyone.
can you make a 2-init zip like on the milestone
http://forum.xda-developers.com/showthread.php?t=998425
because then the devs can go on and make a recovery
Bit more exploration with init hijacking - 2ndihkvc src package for EXPERIMENTATION
Hi,
NOTE: Source code package is attached with this message. However this is WIP and provided for anyone wanting to EXPERIMENT on their own parallel to me. Because I think the basic logic is done now. It is more of cleaning up the init rc files and or killing some additional tasks before restarting init or some such things HOPEFULLY (NO harm in hoping and being positive . HOWEVER NOTE that the current version will loop your boot and fail. I have put a timed triggering logic to try and reduce the risk, check out the documents in the package, but it can factory reset or worst case wipe your partitions and render the nooktab dead.
After yesterdays initial init hijacking, I have cleaned up the .s file so that it passes the Args properly as well as added the environment variables set by Android by default. Also the ptrace code I have updated to do relocation (using a simple custom table) of injected code. Also rather than a minimal ptrace code, I have put a bit more full fledged one with my logic as well as skrilax's logic as well as reg dumping and few other stuff to help experimenters.
In turn I have cross verified, that init is actually getting restarted and it is running thro the scripts and setting up the properties as specified by my modified default.prop as well as in the process rerunning all the commands/services/prgs.
However some where beyond rild/vold sequence it seems to be blocking and looping the boot. Also I had modified the init a bit, have to check that also once later.
Enjoy and experiment
NOTE: Not sure how to avoid having to put the same message in two threads. I created this thread only becasue the original thread was in the wrong category (i.e non development), when it should have been in development also.
This is interesting. I have minimal experience with assembly, none of it ARM. I would like to help, if possible. I appreciate the work you have put into this. I'm really hoping to be able to have CM7 on this tablet eventually.
Sent from my BNTV250 using xda premium
Potentially working Alternate Userspace in uSD using 2ndihkvc
Hi All,
I have updated my 2ndihkvc package a bit more and now you can boot into a ALTERNATE Android user space in uSD (NOTE: Userspace only and not kernel - locked bootloader doesn't allow alternate kernel).
For this you require to copy your required android /system and /data partitions into a MicroSD card in its 2nd and 3rd partitions which should be ext4 (specified in the init.omap4430.rc file in 2ndihkvc directory).
NOTE: Best way of getting a working /system and /data partitions is to ==> After rooting your Nook and removing all unwanted Apps/Junk, make a copy of the /system partition from eMMC to uSD. Same for /data/partition. Then you can copy what ever additional applications you want in this uSD based Android /system/app or /data/app partition. Thus you can have different sets of Android user space in different uSD cards.
Follow the instructions in INSTALL file for experimenting this on your rooted NookTab. BUT REMEMBER IT IS STILL EXPERIMENTAL. ALSO as a SAFETY FEATURE, as of now it will boot into this ALTERNATE MODE (in uSD) only when the current HOUR is specified in the start2ndihkvc.sh file appropriately. Otherwise it tries to boot into the your normal Andorid system in eMMC. This should hopefull CATCH any mistake, BUT THIS IS NOT GUARENTEED AND THIS IS A DANGEROUS THING TO EXPERIMENT, UNLESS YOU KNOW WHAT YOU ARE DOING.
NOTE: One time it did reboot from my alternate android system, I haven't debugged this yet, as it has not occured after it (Well I have tried only once more) so cann't say one way or the other yet. But definitely, there are some corner cases.
NOTE: If something gets messed up or if something is different or even if there is some corner case in my code, which I haven't handled yet, it may MESS UP your NOOK TAB so EXPERIMENT WITH THIS only if you know how to recover on your own, provided the NOOKTAB is recoverable (90% should be, but NO GAURENTEE).
Now the BRAVE HEARTS can experiment and Enjoy a alternate Andorid system in uSD card.
NOTE: With this one should be able to boot into any Custom ROM after suitable updation of the scripts in my zip file, as well as by copying their /system and /data/ partitions into uSD 2nd and 3rd partitions. AS long AS that Custome ROM doesn't have any specific kernel requirements.
BYPASS Kernel and Ramdisk check for People with UART ACCESS
Hi,
NOTE: THis is based on a initial look at the source code and then the objdump of u-boot.bin. I haven't cross checked this yet, because for now I haven't opened up the nooktab for uart access yet. Also this assumes by default booti command is used for booting in BN uboot. If some one wants to use bootm, then a different location requires to be patched wrt the image loading security check.
If you are a lucky ;-) person working with opened up NookTab with UART access, then basically replacing the memory contents of these two offsets with NOP will 90% BYPASS the security check successfully and allow you to boot a MODIFIED KERNEL or RAMDISK as required.
All offsets specified Assuming u-boot is loaded at 0 (adjust for the actual address where u-boot.bin is loaded, haven't looked into that yet).
Check for Security check of Kernel image is at
[ORIG] 0x48c0 => bne 0x48d8 (0x1a00.0004)
Make this a NOP by overwriting using uboot memory write command to
[MODI] 0x48c0 => mov r0, r0 (0xe1a0.0000)
Check for Security check of RAMDisk image is at
[ORIG] 0x4928 => bne 0x4958 (1a00.000a)
Make this a NOP by overwriting with
[MODI] 0x4928 => mov r0, r0 (0xe1a0.0000)
Someone (Hi Adamoutler, maybe you) with opened up NookTab can try this and tell me if it worked or not.
NOTE: you have to add up the actual u-boot load address to the offsets specified.
UPDATE1: It appears the load address is either
Possibility 1) 0x80e8.0000 OR
Possibility 2) 0x80e8.0000-0x120 (More likely).
Have to dig thro bit more, but one of these two will potentially work.
So that means to NOP RAMDisk security check the offset is
Possibility 1 ==> 0x80e8.0000+0x4928
Possibility 2 ==> 0x80e8.0000-0x120+0x4928 (More likely)
Best is to cross check if the resultant address contains the BNE instruction bytes specified above.
Same concept applies for the Kernel security check Nopping offset.
NOTE: It appears there is a 0x120 size header before the actual u-boot.bin code starts and in turn, when I did the objdump, it included the 0x120 bytes of header also assumed as code. And inturn the full (including the header) u-boot.bin or for that matter the u-boot from emmc seems to load into 0x80e8.0000-0x120.
UPDATE 2:
Code around the locations to be noped to help identify the same in memory, in case my offset calculations are wrong
48b4: eb0030f1 bl 0x10c80
48b8: e59d3010 ldr r3, [sp, #16]
48bc: e3530000 cmp r3, #0
48c0: 1a000004 bne 0x48d8
48c4: e59f0104 ldr r0, [pc, #260] ; 0x49d0
48c8: e594100c ldr r1, [r4, #12]
48cc: e5942008 ldr r2, [r4, #8]
48d0: eb0015db bl 0xa044
............
491c: eb0030d7 bl 0x10c80
4920: e59d3010 ldr r3, [sp, #16]
4924: e3530000 cmp r3, #0
4928: 1a00000a bne 0x4958
492c: e59f00a4 ldr r0, [pc, #164] ; 0x49d8
4930: e5941014 ldr r1, [r4, #20]
4934: e5942010 ldr r2, [r4, #16]
4938: eb0015c1 bl 0xa044
UPDATE 3: ... for a rainy day in future ;-)
UPDATE 4: For maximum success, first try a changed RAMDisk rather than Changed Kernel. If Changed Ramdisk works then try Changed Kernel (THere is one more thing in Code, which I am not sure if it will impact a modified kernel or not yet, only way is to experiment).
How can I run 2ndihkvc just to load a new default.prop using the existing userspace? What I did so far was to remount / in rw, updated default.prop, pushed 2ndihkvc to /data/local/, changed permissions to 755 and executed. Here is the output
Code:
# ./2ndihkvc -p 1 -w 0 -c 0 -m 2
INFO:2ndihkvc:v30Dec_2020:
INFO:2ndihkvc: Tracing process with pid = 1
INFO:2ndihkvc: NewPrg = /init
WARN: RESPECT_WAIT disabled
WARN: Mode = MODE_INJECT_HKVC2
INFO: ContType = CONTINUE
INFO:2ndihkvc:PTRACE: Attached to (1)
INFO:2ndihkvc: Giving 2 secs to the likely traced process
ERROR:2ndihkvc:WAIT:Failed (No child processes)
INFO:2ndihkvc:hkvc2: InjectAddr (Regs->ARM_pc) = 0xffff0520
INFO:2ndihkvc:hkvc2: /init found at offset 0x100
INFO:2ndihkvc:hkvc2:ProgramToExecute: /init replaced with /init
INFO:2ndihkvc:hkvc2: At offset 0x208 relocating from 0x100 to 0xffff0620
INFO:2ndihkvc:hkvc2: At offset 0x200 relocating from 0x208 to 0xffff0728
INFO:2ndihkvc:hkvc2: At offset 0x280 relocating from 0x288 to 0xffff07a8
INFO:2ndihkvc:hkvc2: At offset 0x288 relocating from 0x300 to 0xffff0820
INFO:2ndihkvc:hkvc2: At offset 0x28c relocating from 0x307 to 0xffff0827
INFO:2ndihkvc:hkvc2: At offset 0x290 relocating from 0x312 to 0xffff0832
ERROR:PTRACE:POKE failed at location ffff0520
INFO:2ndihkvc:PTRACE: Continue/SingleStep ...
INFO:2ndihkvc: Detaching...
ERROR:2ndihkvc:PTRACE: Failed DETACH (No such process)
#
Do I need to push your init to /system/2ndihkvc/init? I am just trying to play around with it and Adam's BHT just to see what I can do them. Thanks.
Hi Brianf21,
As specified in the INSTALL file with in my zip
Copy my 2ndihkvc.zip file to /data/local/tmp
Then mount /system in rw mode.
Next unzip 2ndihkvc.zip into /system. It should create 2ndihkvc folder.
Next run ./install.sh from with in 2ndihkvc folder.
This will setup the boot process to start into 2ndihkvc. And it inturn will restart init with new set of init.*.rc as well as default.prop files.
Have a look at the 2ndihkvc folder, it already contains a default.prop file. If you want to change anything in default.prop then do the changes in this default.prop in /system/2ndihkvc folder.
Also remember to change the time check in start2ndihkvc.sh file in /system/2ndihkvc folder to the current hour, when you will be experimenting. Otherwise, it will not run 2ndihkvc, but continue with the normal Android init flow.
Cross check my INSTALL file once again for the details/steps to setup 2ndihkvc.
Once you have done the above. When you restart your system, it will trigger 2ndihkvc as required and the default.prop will be the new one which you would have edited/updated in /system/2ndihkvc/ folder.
NOTE: Looking at the address, it seems like you had tried 2ndihkvc once before in the same session. Try following the install step specified above/In the 2ndihkvc zip file and see. There is a minimally modified version of init.omap4430.rc and default.prop already in the 2ndihkvc folder, modify those if you want to modify them. This is because start2ndihkvc.sh will copy these files from /system/2ndihkvc/ folder when it is run to restart init.
I will have to read more, to avoid setting up system and data up on an sdcard. Once the setup is done, will it always hijack init for every following boot until it is removed or only one reboot? i am just to get a clearer picture of what's going on, I wanted to just see the hijack of init work independently of the other processes.. I kind of like to break things down into parts so I can get a better understanding of the entire process. Thanks for the work you've out in so far.
hkvc said:
Hi Brian21,
As specified in the INSTALL file with in my zip
Copy my 2ndihkvc.zip file to /data/local/tmp
Then mount /system in rw mode.
Next unzip 2ndihkvc.zip into /system. It should create 2ndihkvc folder.
Next run ./install.sh from with in 2ndihkvc folder.
This will setup the boot process to start into 2ndihkvc. And it inturn will restart init with new set of init.*.rc as well as default.prop files.
Have a look at the 2ndihkvc folder, it already contains a default.prop file. If you want to change anything in default.prop then do the changes in this default.prop in /system/2ndihkvc folder.
Also remember to change the time check in start2ndihkvc.sh file in /system/2ndihkvc folder to the current hour, when you will be experimenting. Otherwise, it will not run 2ndihkvc, but continue with the normal Android init flow.
Cross check my INSTALL file once again for the details/steps to setup 2ndihkvc.
Once you have done the above. When you restart your system, it will trigger 2ndihkvc as required and the default.prop will be the new one which you would have edited/updated in /system/2ndihkvc/ folder.
NOTE: Looking at the address, it seems like you had tried 2ndihkvc once before in the same session. Try following the install step specified above/In the 2ndihkvc zip file and see. There is a minimally modified version of init.omap4430.rc and default.prop already in the 2ndihkvc folder, modify those if you want to modify them. This is because start2ndihkvc.sh will copy these files from /system/2ndihkvc/ folder when it is run to restart init.
Click to expand...
Click to collapse
brianf21 said:
I will have to read more, to avoid setting up system and data up on an sdcard. Once the setup is done, will it always hijack init for every following boot until it is removed or only one reboot? i am just to get a clearer picture of what's going on, I wanted to just see the hijack of init work independently of the other processes.. I kind of like to break things down into parts so I can get a better understanding of the entire process. Thanks for the work you've out in so far.
Click to expand...
Click to collapse
If all you are interested is run 2ndihkvc with a modified default.prop but no other modification (i.e no uSD /system and /data partitions), then
a) overwrite the init.omap4430.rc in /system/2ndihkvc with the one in / . However if you have already booted into a system with 2ndihkvc then in /data/local/tmp.
Or if required you can directly edit the init.omap4430.rc in /system/2ndihkvc and update the mount commands in there to mount from emmc instead of uSD.
b) Remove the 2 lines in restart-userspace.sh corresponding to mount -o move ....
This will allow you to boot into a system with a modified default.prop but no other change from a runtime perspective (unless I have forgotten something).
Also 2ndihkvc will be applied each time boot into NookTab provided the current hour matches the hour set in start2ndihkvc.sh. Once the current hour no longer matches the hour set in the sh file, it will boot into the normal BN Nooktab environment.
NOTE: I purposefully modified the init.omap4430.rc file to replace the /system and /data from emmc to uSD, so that if someone is experimenting something, he doesn't corrupt the emmc easily as long as he doesn't become root user. HOWEVER with root access emmc can still get corrupted if one is not careful, because eMMC is still available and mounted.
tried but rebooted few times until factory reset kicked in
Hi,
ok. maybe a bit too optimistic, but I compiled ICS for pandaboard and put the system to sd card (partition 1 ext4 empty, partion 2 ext4 system with panda stuff, partion 3 data, partition 4 empty).
I hit adb reboot and the device booted a few times until it restored factory. Uff.
Is there a way without serial console to see what happens?
There's also small glitch in install.sh. It doesn't find init.rc in /system/2ndihkvc.
Rgds,
Chris
chrmhoffmann said:
Hi,
The device booted a few times until it restored factory. Uff.
Click to expand...
Click to collapse
If it's counting boots like the Nook Color you can stop it by running this (if the rom partition is mounted at /rom-- it's p2 on nc and I guess p5 on nt).
chrmhoffmann said:
Hi,
ok. maybe a bit too optimistic, but I compiled ICS for pandaboard and put the system to sd card (partition 1 ext4 empty, partion 2 ext4 system with panda stuff, partion 3 data, partition 4 empty).
I hit adb reboot and the device booted a few times until it restored factory. Uff.
Is there a way without serial console to see what happens?
There's also small glitch in install.sh. It doesn't find init.rc in /system/2ndihkvc.
Rgds,
Chris
Click to expand...
Click to collapse
Hi,
The missing init.rc is not a glitch, I purposefully left it out while packaging, so that one doesn't modify it drastically and botch up the boot. init.4430.rc is the only thing required to change the mount partitions.
Also if you are using my default start2ndihkvc.sh script, then it has a time check, so while xperimenting if you have goofed up. Just let the time you have set in this script pass by (i.e don't power on), then it will automatically go back to the stock NT boot, thus avoiding the factory reset.
I can't seem to get the boot.img file to unpack, regardless of what tool I use or what os. I typically get the results below. the long term goal is to edit the boot.img to allow the next7p to use ext3 /system as opposed to cramfs, and give full read/write. It has been done by Wendal Chen on a different but similar tablet. (Both are rk29xx tablets.)
Any help would be appreciated.
I have been able to create a "custom" rom, which has root and SU, but you cannot write to the /system.
the boot.img from my custom rom is 598k The boot.img pulled from the tablet
is 4096K i get the same issues from both.
Code:
Welcome to the ZTE Racer kitchen by TigTex!
If you aren't using Windows XP, you might need to run this as admin
Make sure you have boot.img on the same folder as this file
Press 1 to decompress the ramdisk and kernel from boot.img
Press 2 to build the boot.img from the ramdisk folder and boot.img-kerne
Press q to exit
Type 1,2 or q and press ENTER: 1
Android Magic not found in boot.img. Giving up.
******kernel and ramdisk extracted!******
* Kernel is the "boot.img-kernel" file *
* Ramdisk is on gzip + cpio *
* YOU CAN ONLY EDIT RAMDISK ON LINUX *
* original img backed up as oldboot.img *
*****************************************
Press 1 to decompress the ramdisk and kernel from boot.img
Press 2 to build the boot.img from the ramdisk folder and boot.img-kerne
Press q to exit
Type 1,2 or q and press ENTER:
Ok so let's try the android kitchen
Here is the show boot.img information
Code:
Working folder's boot.img information
-------------------------------------
Kernel Size : 559903 bytes
Kernel Base Address : 0x00000000
Ramdisk Size : 2090599168 bytes
Ramdisk Load Address : 0x65545c0b
Second Stage Size : 779876570 bytes
Second Stage Load Address : 0xe1906573
Page Size : 84348953 bytes
ASCIIZ Product Name : (None)
Command Line: (None)
Press Enter to continue
And now the attempt to extract first using w option...
Code:
Working folder found
Android header not found at start of boot.img
Warning: Android header not located anywhere in boot.img
Kernel found at offset 84348953 in boot.img
Making folder BOOT-EXTRACTED ...
Extracting kernel ...
Extracting ramdisk ...
Error: No ramdisk folder found!
Press Enter to continue
Ok so lets try the other option in the menu.
Code:
Press Enter to continue
Android header not found at start of boot.img
Warning: Android header not located anywhere in boot.img
Kernel found at offset 84348953 in boot.img
Extracting kernel ...
Extracting ramdisk ...
Error: No ramdisk folder found!
Contents of bootimg_010612_234100:
total 0
-rw-r--r-- 1 0 2012-01-06 23:41 zImage
Press Enter to continue
The zImage file it writes is 0k in size.
Here is the first line from the boot.img looking at it in the hexeditor.
Code:
00000000 4b 52 4e 4c 3a 93 08 00 1f 8b 08 00 00 00 00 00 KRNL:"...<......
From what I have read the kernel is supposedly starting at 1f 8b.....
getting the error that the Ramdisk is not there, it is almost like it is not a complete boot.img file. More so if I look at boot.img in a hexeditor and lookup that address. (Sigh) I keep plugging away.
any help is appreciated.
Dochoppy said:
I can't seem to get the boot.img file to unpack, regardless of what tool I use or what os. I typically get the results below. the long term goal is to edit the boot.img to allow the next7p to use ext3 /system as opposed to cramfs, and give full read/write. It has been done by Wendal Chen on a different but similar tablet. (Both are rk29xx tablets.)
Any help would be appreciated.
I have been able to create a "custom" rom, which has root and SU, but you cannot write to the /system.
the boot.img from my custom rom is 598k The boot.img pulled from the tablet
is 4096K i get the same issues from both.
Code:
Welcome to the ZTE Racer kitchen by TigTex!
If you aren't using Windows XP, you might need to run this as admin
Make sure you have boot.img on the same folder as this file
Press 1 to decompress the ramdisk and kernel from boot.img
Press 2 to build the boot.img from the ramdisk folder and boot.img-kerne
Press q to exit
Type 1,2 or q and press ENTER: 1
Android Magic not found in boot.img. Giving up.
******kernel and ramdisk extracted!******
* Kernel is the "boot.img-kernel" file *
* Ramdisk is on gzip + cpio *
* YOU CAN ONLY EDIT RAMDISK ON LINUX *
* original img backed up as oldboot.img *
*****************************************
Press 1 to decompress the ramdisk and kernel from boot.img
Press 2 to build the boot.img from the ramdisk folder and boot.img-kerne
Press q to exit
Type 1,2 or q and press ENTER:
Ok so let's try the android kitchen
Here is the show boot.img information
Code:
Working folder's boot.img information
-------------------------------------
Kernel Size : 559903 bytes
Kernel Base Address : 0x00000000
Ramdisk Size : 2090599168 bytes
Ramdisk Load Address : 0x65545c0b
Second Stage Size : 779876570 bytes
Second Stage Load Address : 0xe1906573
Page Size : 84348953 bytes
ASCIIZ Product Name : (None)
Command Line: (None)
Press Enter to continue
And now the attempt to extract first using w option...
Code:
Working folder found
Android header not found at start of boot.img
Warning: Android header not located anywhere in boot.img
Kernel found at offset 84348953 in boot.img
Making folder BOOT-EXTRACTED ...
Extracting kernel ...
Extracting ramdisk ...
Error: No ramdisk folder found!
Press Enter to continue
Ok so lets try the other option in the menu.
Code:
Press Enter to continue
Android header not found at start of boot.img
Warning: Android header not located anywhere in boot.img
Kernel found at offset 84348953 in boot.img
Extracting kernel ...
Extracting ramdisk ...
Error: No ramdisk folder found!
Contents of bootimg_010612_234100:
total 0
-rw-r--r-- 1 0 2012-01-06 23:41 zImage
Press Enter to continue
The zImage file it writes is 0k in size.
Here is the first line from the boot.img looking at it in the hexeditor.
Code:
00000000 4b 52 4e 4c 3a 93 08 00 1f 8b 08 00 00 00 00 00 KRNL:"...<......
From what I have read the kernel is supposedly starting at 1f 8b.....
getting the error that the Ramdisk is not there, it is almost like it is not a complete boot.img file. More so if I look at boot.img in a hexeditor and lookup that address. (Sigh) I keep plugging away.
any help is appreciated.
Click to expand...
Click to collapse
Dsixda's kitchen has this feature, (un/re-pack) boot.img built in. Makes for very easy editing. Also helps for making your ROM.
Sent from my PC36100 using xda premium
jamieg71 said:
Dsixda's kitchen has this feature, (un/re-pack) boot.img built in. Makes for very easy editing. Also helps for making your ROM.
Sent from my PC36100 using xda premium
Click to expand...
Click to collapse
That's what he said he used, but the kitchen does not support boot.img of his device's format. A lot of the cheaper tablets use a special format but I have seen Wiki guides on how they are built and extracted.
Any chance you know a link to one of the guides? I will also start searching on like tablets.
Dochoppy said:
Any chance you know a link to one of the guides? I will also start searching on like tablets.
Click to expand...
Click to collapse
Google for the "cmp738a" by Craig. It's a really ****ty tablet that I owned for one day. It uses cramfs like yours, and there are some links on how to unpack and create a ROM. Use terms like "cmp738a unpack ROM"
Dsixda: First thanks for your kitchen tool really it is a great piece of work, I am sure you are under appreciated for it.
After you told me to do some searches I did, then I looked back over everything I had been reading.
I can say I feel like an idiot. I was letting the big picture blot out the details so to speak.
Almost literally all I had to do was remove 3-4 bytes from the header, and ungzip the file...cpio etc etc.
I was stuck in the train of thought that I had to "unpack the boot.img" file first, then ungzip it...
Dochoppy said:
Dsixda: First thanks for your kitchen tool really it is a great piece of work, I am sure you are under appreciated for it.
After you told me to do some searches I did, then I looked back over everything I had been reading.
I can say I feel like an idiot. I was letting the big picture blot out the details so to speak.
Almost literally all I had to do was remove 3-4 bytes from the header, and ungzip the file...cpio etc etc.
I was stuck in the train of thought that I had to "unpack the boot.img" file first, then ungzip it...
Click to expand...
Click to collapse
You mean it's like any other boot.img except for the extra bytes at the beginning and a different header (instead of "ANDROID!" - the actual header the kitchen looks for)?
Well yes and no. The kitchen still does not extract the boot.img correctly, zImage is created as a 0k file, and the ramdisk is still not extracted.
Ok I am still missing something here.
Ok I am still missing something here.
dsixda-
Could you take a look at the boot.img file and tell me what I may be missing?
http://www.mediafire.com/?n9an9o5vmjida1c
I would appreciate it very much.
Dochoppy said:
Ok I am still missing something here.
dsixda-
Could you take a look at the boot.img file and tell me what I may be missing?
http://www.mediafire.com/?n9an9o5vmjida1c
I would appreciate it very much.
Click to expand...
Click to collapse
It's not going to work in the kitchen, what are you trying to do? It is missing the "ANDROID!" magic header and the rest of the file is in a garbled format. You'll need to Google for the solution for your device. I can't offer much help, sorry.
I understand that much. When you do a file boot.img command in linux it just comes back as DATA.
I'm not so much concerned with being able to use the kitchen on it as just being able to unpack and pack the file correctly, and completely.
Thanks for taking a peak at it.
Can you upload to dropbox and let me know. I was working on an experimental tool to do this, so an unknown device would be good to check.. I might be some time in getting back to you though
Sent from my HTC Desire using Tapatalk
Droidzone-
Drop box link
http://dl.dropbox.com/u/56600275/boot.img
Media fire link if that doesn't work.
http://www.mediafire.com/?n9an9o5vmjida1c
Thanks for taking a peak.
Could you also provide the full name of the tablet, manufacturer, and possibly a link to the device?
The tablet in question is the nextbook 7 premium
marketed in the US by E-fun. Website is www.nextbookusa.com
on the front of the page there is a link to the latest firmware which the current version of DocHoppy Rom is based on.
Thanks again for taking a peak at it.
I know this much, the boot.img file it's self once unpacked from the update.img file
is a gziped cpio file, with odd header and footer bits. I have been able to unpack the file (removing header info to make it gzip recognizable), and then using 7zip of all things to unpack the cpio portion. That is where I get hung up at. I need to unpack it correctly so it can be rebuilt correctly. By doing it the way I have, you can't rebuild the file properly.
Update:
After alot of research, and trial and error, I was able to correctly unpack and repack the boot.img. I flashed the repack to my tablet, and successfully booted.
Next step is to modify init.rc and convert /system to ext3.
I will keep you posted.
Do document what you did so that it helps someone else later
Sent from my HTC Desire using Tapatalk
I'm having a similar problem, posted about here. I don't understand why the Android magic number isn't making it into my kernel. I thought the kernel compile would be straightforward, but sheesh...
Dochoppy said:
Update:
After alot of research, and trial and error, I was able to correctly unpack and repack the boot.img. I flashed the repack to my tablet, and successfully booted.
Next step is to modify init.rc and convert /system to ext3.
I will keep you posted.
Click to expand...
Click to collapse
Hi, i am trying to extract a boot.img without the Android header too. What have you done to extract it?
Regards.
I'm working on my first ROM that is based on the "stock" Samsung firmware. I am used to messing around with AOSP and CM ROMs where there's a nice flashable ZIP with a boot.img in it. Working from the "stock" Samsung image has been less clean.
My device is a Samsung SGH-T869 (the T-Mobile version of the Galaxy Tab 7.0 Plus).
I began with the file T869TMBLG7_T869UVLG7_T869UVLG7_HOME.tar.md5, which is the newest firmware available for this device.
I am able to extract the image using 7-zip, which gives me the error "There is no correct record at the end of archive", but otherwise appears to extract perfectly.
Extracted files include:
-boot.bin
-cache.img
-factoryfs.img
-hidden.img
-modem.bin
-param.lfs
-recovery.img
-Sbl.bin
-zImage
These files are enough to give Android Kitchen something to start with, but AK is complaining about the lack of a boot.img, plus I want to do some ramdisk tweaking. I have been researching this for hours, and I get the impression that what I need is in there, just in a proprietary format. I have installed KernelKitchen, which I guess I can use to build boot.img from zImage and a ramdisk, I'm just not sure where to go from here.
I also tried dumping ADB (dd if=/dev/block/mmcblk0pX of=/sdcard/boot.img, tried all partitions one by one).
I also looked at a backup made via CWM 6 of the 'stock' untouched ROM running on my tab. My backup contains:
-boot.img
-cache.ext4.dup
-data.ext4.dup
-nandroid.md5
-recovery.img
-system.ext4.dup
So far, no success. The various imgs I have pulled are all treated as invalid by Android Kitchen and also split_bootimg.pl by William Enck. When running that nice Perl script I get the error "Android Magic not found".
My general first goal is a cleaned up stock ROM which has been deodexed, zipaligned, with insecure boot enabled, and of course, root.I would like to also do a sweet custom boot image and boot animation, but I believe its best to start with a solid foundation before jumping into the other stuff. Any suggestions, XDA gang? Somewhere in that mix did I get the actual boot.img but Samsung uses a weird header? Or something else?
Rename file.tar.md5 to file.tar and unzip
Find an updater-script of custom based stock rom and you get "name' of kernel partition
Sent from my X10i using xda app-developers app
xSkArx said:
Rename file.tar.md5 to file.tar and unzip
Find an updater-script of custom based stock rom and you get "name' of kernel partition
Sent from my X10i using xda app-developers app
Click to expand...
Click to collapse
Your first instruction (to "rename and unzip") makes no difference at all.
The second suggestion seems like it may be useful.
From the CM9 flash script I found that /dev/block/mmcblk0p5 is the boot partition.
I am not sure what's wrong with the boot.img I am pulling.
Here's my command session:
Code:
adb shell
su
dd if=dev/block/mmcblk0p5 of=/mnt/sdcard/boot.img
exit
adb pull /mnt/sdcard/boot.img
I attached the resulting file. I looked at it a bit in a hex editor but I'm not sure what I'm lookin for...
DivinityCycle said:
Your first instruction (to "rename and unzip") makes no difference at all.
The second suggestion seems like it may be useful.
From the CM9 flash script I found that /dev/block/mmcblk0p5 is the boot partition.
I am not sure what's wrong with the boot.img I am pulling.
Here's my command session:
Code:
adb shell
su
dd if=dev/block/mmcblk0p5 of=/mnt/sdcard/boot.img
exit
adb pull /mnt/sdcard/boot.img
I attached the resulting file. I looked at it a bit in a hex editor but I'm not sure what I'm lookin for...
Click to expand...
Click to collapse
It seems that you managed to extract a kernel image (zImage). What you are looking for is an image starting with the signature "ANDROID!".
What do you see if you enter the following command?
Code:
$ cat /proc/mtd
It should read something similar to:
Code:
dev: size erasesize name
mtd0: xxxxxxxx xxxxxxxx "system"
...
DivinityCycle said:
Your first instruction (to "rename and unzip") makes no difference at all.
The second suggestion seems like it may be useful.
From the CM9 flash script I found that /dev/block/mmcblk0p5 is the boot partition.
I am not sure what's wrong with the boot.img I am pulling.
Here's my command session:
Code:
adb shell
su
dd if=dev/block/mmcblk0p5 of=/mnt/sdcard/boot.img
exit
adb pull /mnt/sdcard/boot.img
I attached the resulting file. I looked at it a bit in a hex editor but I'm not sure what I'm lookin for...
Click to expand...
Click to collapse
My first instruction is to get boot.bin without error when unzip it.
With the boot.img that you attached try this http://forum.xda-developers.com/showthread.php?t=1849666
Sent from my X10i using xda app-developers app
You are probably going to have to trim some extra data off the front of your boot.img so that the tool finds the needed Hex address. If you haven't already I'd pull the applicable scripts out of dsixda's kitchen and see how he handles it.
k02a said:
It seems that you managed to extract a kernel image (zImage). What you are looking for is an image starting with the signature "ANDROID!".
What do you see if you enter the following command?
Code:
$ cat /proc/mtd
It should read something similar to:
Code:
dev: size erasesize name
mtd0: xxxxxxxx xxxxxxxx "system"
...
Click to expand...
Click to collapse
I'm pretty sure you're after the partitions. However, there's no /proc/mtd on the SGH-T869 running stock.
Code:
[email protected]:/proc # cat partitions
cat partitions
major minor #blocks name
179 0 15388672 mmcblk0
179 1 20480 mmcblk0p1
179 2 1280 mmcblk0p2
179 3 1280 mmcblk0p3
179 4 8192 mmcblk0p4
179 5 8192 mmcblk0p5
179 6 8192 mmcblk0p6
179 7 204800 mmcblk0p7
259 0 16384 mmcblk0p8
259 1 786432 mmcblk0p9
259 2 13791232 mmcblk0p10
259 3 524288 mmcblk0p11
259 4 8192 mmcblk0p12
179 8 30318592 mmcblk1
179 9 30317568 mmcblk1p1
When looking at /proc/mounts, I see that partitions 1, 4, 7, 9, and 10 are all mounted. I'm also relatively certain that mmcblk1 is the microSD card slot, based on its size (I've got a 32GB card installed at the moment).
So, ruling those out, we're left with:
Code:
major minor #blocks name
179 2 1280 mmcblk0p2
179 3 1280 mmcblk0p3
179 5 8192 mmcblk0p5
179 6 8192 mmcblk0p6
259 0 16384 mmcblk0p8
259 3 524288 mmcblk0p11
259 4 8192 mmcblk0p12
I have already extracted the first 8 partitions and tried running each through Android Kitchen's boot.img unpack tool without success. The script fails to locate the ANDROID header within any of the files. I'm guessing Samsung uses some sort of custom header, because if it works perfectly fine, why not mess with it?
I've searched through a few of the files with XVI32 for "ANDROID" but didn't get any hits.
As posted earlier, other ROMs flash boot.img to mmcblk0p5 so I'm pretty sure that's the right space.
Any hints on an application I can use to analyze the dump and locate the offsets where the header and ramdisk are inside it?
Update. In my research I have come across this article:
http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images
It wasn't directly helpful but it did give me a key idea: "Find the Magic Number for a GZ archive and you'll find the ramdisk inside the raw image"
As per http://www.garykessler.net/library/file_sigs.html, the "Magic Number" for a GZ archive is 1F 8B 08. The first article only mentions "look for a bunch of zeros and then 1F 8B." That never occurs in my dumped file, and the number 1F 8B occurs 65 times. However, "1F 8B 08" only occurs once in the entire file, indicating the spot where the header and kernel end and the ramdisk begins.
I deleted everything before 1F 8B 08 and saved the result as ramdisk.gz.
Then, I threw the resulting file onto one of my Linux boxes and used the following commands to extract:
Code:
mkdir ramdisk
cd ramdisk
gunzip < ../ramdisk.gz | cpio -i --make-directories
ls
(results of ls command here:)
data init.goldfish.rc lpm.rc ueventd.goldfish.rc
default.prop init.rc proc ueventd.rc
dev init.smdk4210.rc sbin ueventd.smdk4210.rc
fota.rc init.smdk4210.usb.rc sys vendor
init lib system
I did this stuff in a command terminal connected over Putty, and I got a ton of crazy output during extraction, mostly the line "cpio: Malformed number" over and over.
My next planned task is to take 3 boot.img dumps from my tablet and them compare MD5s on all 3 dumps, to ensure I got a "good" copy.
I imagine this is largely unnecessary, but I've learned from working on other embedded devices that you can't be too careful about raw reads / writes.
I'm pretty sure now that I have extracted the ramdisk I am OK. The factory firmware has zImage as a discrete file, so I'm pretty sure I can use either Android Kitchen or Kernel Kitchen to repack the stuff into a "normal" boot.img.
I'll post my results here, since there may be like one other person interested in doing ROMs for the T869
Just a little update, the md5sums on ALL of my various dumps matched.
By that I mean CWM's backup and all the various dumps I did via ADB (using the dd command) all match.
md5sum for this firmware's boot.img appears to be 1e4367954524901c7dfff14b02023163
Interesting and a great research!
I look forward to see more of your progressive work.
Sent from my Xperia Arc via Tapatalk 2
---------- Post added 11th October 2012 at 12:00 AM ---------- Previous post was 10th October 2012 at 11:39 PM ----------
DivinityCycle said:
As per http://www.garykessler.net/library/file_sigs.html, the "Magic Number" for a GZ archive is 1F 8B 08. The first article only mentions "look for a bunch of zeros and then 1F 8B." That never occurs in my dumped file, and the number 1F 8B occurs 65 times. However, "1F 8B 08" only occurs once in the entire file, indicating the spot where the header and kernel end and the ramdisk begins.
I deleted everything before 1F 8B 08 and saved the result as ramdisk.gz.
Then, I threw the resulting file onto one of my Linux boxes and used the following commands to extract:
Click to expand...
Click to collapse
According to RFC1952, the gzip header only contains two bytes (ID1, ID2), while the third byte (CM) normally seems to be set to 0x08 (deflate) - so you did the right thing to include the third byte.
http://tools.ietf.org/html/rfc1952
Sent from my Xperia Arc via Tapatalk 2
k02a said:
Interesting and a great research!
I look forward to see more of your progressive work.
Sent from my Xperia Arc via Tapatalk 2
Hell yeah, I'm surprised at how much I've achieved, since today has been pretty busy at work. I use Putty, WinSCP, and SplashTop to access my home machines from the office, and I've got an ADB command line connection to my tab on my workstation here, so I've been able to get a lot done.
My current task is reverse-engineering dsixda's scripts that do the task of taking apart the boot.img. I should have looked at them before, they're well-written and self-documented. It's looking like I'll have to figure out the weird offsets Samsung is using (already half done) and then I can tweak the scripts so they'll probably be able to unpack / repack the image.
If I'm building a stock ROM do the offsets and header have to all be the same on my modified boot.img? I would assume so, but I'm new to this
I only want to modify the ramdisk a bit, no kernel tweaks.
Click to expand...
Click to collapse
After much searching, it looks Samsung's boot.imgs sometimes simply have no header at all, so like the first chunk is the kernel, and the second is the ramdisk. I'm gonna test out unpacking ramdisk, making the changes I need, repacking it, and then combining the two chunks back together for flashing.
Will post results
DivinityCycle said:
After much searching, it looks Samsung's boot.imgs sometimes simply have no header at all, so like the first chunk is the kernel, and the second is the ramdisk. I'm gonna test out unpacking ramdisk, making the changes I need, repacking it, and then combining the two chunks back together for flashing.
Will post results
Click to expand...
Click to collapse
I took a new look at your boot.img today.
Besides the gzip header at address 0000:4634 (which you found), I also noticed that there are 256 (0x100) bytes at 007f:fc00.
Any clue about this?
DivinityCycle said:
I'm working on my first ROM that is based on the "stock" Samsung firmware. I am used to messing around with AOSP and CM ROMs where there's a nice flashable ZIP with a boot.img in it. Working from the "stock" Samsung image has been less clean.
My device is a Samsung SGH-T869 (the T-Mobile version of the Galaxy Tab 7.0 Plus).
I began with the file T869TMBLG7_T869UVLG7_T869UVLG7_HOME.tar.md5, which is the newest firmware available for this device.
I am able to extract the image using 7-zip, which gives me the error "There is no correct record at the end of archive", but otherwise appears to extract perfectly.
Extracted files include:
-boot.bin
-cache.img
-factoryfs.img
-hidden.img
-modem.bin
-param.lfs
-recovery.img
-Sbl.bin
-zImage
These files are enough to give Android Kitchen something to start with, but AK is complaining about the lack of a boot.img, plus I want to do some ramdisk tweaking. I have been researching this for hours, and I get the impression that what I need is in there, just in a proprietary format. I have installed KernelKitchen, which I guess I can use to build boot.img from zImage and a ramdisk, I'm just not sure where to go from here.
I also tried dumping ADB (dd if=/dev/block/mmcblk0pX of=/sdcard/boot.img, tried all partitions one by one).
I also looked at a backup made via CWM 6 of the 'stock' untouched ROM running on my tab. My backup contains:
-boot.img
-cache.ext4.dup
-data.ext4.dup
-nandroid.md5
-recovery.img
-system.ext4.dup
So far, no success. The various imgs I have pulled are all treated as invalid by Android Kitchen and also split_bootimg.pl by William Enck. When running that nice Perl script I get the error "Android Magic not found".
My general first goal is a cleaned up stock ROM which has been deodexed, zipaligned, with insecure boot enabled, and of course, root.I would like to also do a sweet custom boot image and boot animation, but I believe its best to start with a solid foundation before jumping into the other stuff. Any suggestions, XDA gang? Somewhere in that mix did I get the actual boot.img but Samsung uses a weird header? Or something else?
Click to expand...
Click to collapse
Feel free to use my updater-script in the scorched kernel thread. The updater works for ics boot images. just remove the parts about copying lib files and setting permissions ... and remove the lib files from the zip. they are specific to the kernel. a stock kernel will break if those lib files are copied to /system/lib/modules.
Oh, and you can get the boot image easily in CWM by doing a backup of the stock rom and grabbing it from the clockworkmod folder on the sdcard.
merwin said:
Feel free to use my updater-script in the scorched kernel thread. The updater works for ics boot images. just remove the parts about copying lib files and setting permissions ... and remove the lib files from the zip. they are specific to the kernel. a stock kernel will break if those lib files are copied to /system/lib/modules.
Oh, and you can get the boot image easily in CWM by doing a backup of the stock rom and grabbing it from the clockworkmod folder on the sdcard.
Click to expand...
Click to collapse
As posted earlier in this thread, I pulled a boot.img from a CWM backup, but that was back before I knew how to do anything useful with it yet.
The md5sum of the CWM-generated backup boot.img matches the dumps I did over ADB using the dd command, so they're different ways to get the same end result. I have a pretty good understanding of the syntax used in the CWM flashable ZIPs. My rough plan was to first build a "restore to stock boot.img" flashable zip (so I can fix it if I make my tab unbootable ), then experiment with building my own boot.img and flashing it using the same methods. The only thing that'll be different about the "flash modded boot.img" and "flash stock boot.img" is the actual boot.img file included in the zip. Didn't get a chance to do it while off work last night, but should be able to knock it out today.
k02a said:
I took a new look at your boot.img today.
Besides the gzip header at address 0000:4634 (which you found), I also noticed that there are 256 (0x100) bytes at 007f:fc00.
Any clue about this?
Click to expand...
Click to collapse
Your guess is probably better than mine, honestly. I would think that second address is actually within the 'ramdisk' part of things, so that seems pretty odd. I'm a relative noob when it comes to hex stuff, as that's a couple levels down from where I usually operate with computers
If I unpack, modify, and repack the ramdisk, any suggestions on the 'best' way to reattach the header/kernel to it?
k02a said:
I took a new look at your boot.img today.
Besides the gzip header at address 0000:4634 (which you found), I also noticed that there are 256 (0x100) bytes at 007f:fc00.
Any clue about this?
Click to expand...
Click to collapse
Following up on this earlier point, it looks like there are a few more regions within the 8 MB file than I initially saw.
I use XVI32, so the addresses I found are formatting as such.
it seems like the following is the layout of the file contents:
Part 1 - $000000 to $004633 = 17.5 KB header?
Part 2 - $004634 to $4768A6 = 4.44 MB ramdisk (?)
Part 3 - $4768A7 to $7FFBFF = 3.53 MB of zero padding
Part 4 - $7FFC00 to $7FFCFF = 241 bytes footer
Part 5 - $7FFD00 to $7FFFFF = 768 bytes of zero padding
My initial attempt to unpack / repack the image of course made the device unbootable. My "restore" flashable zip worked as expected, so I'm now able to mess around with this stuff with relative ease.
I'm still getting a bunch of weird crap in my terminal when extracting the ramdisk. The command I am running is gunzip -c ../ramdisk.gz | cpio -i run within the directory where I want the files to extract. Both under Cygwin in Windows and under Ubuntu Server, I get tons of "cpio: Malformed number" followed by garbage. Under Ubuntu Server, despite this weird output, the files actually DO appear to extract and I get 1.65 MB of unpacked files, all in the expected format and directory structure.
Under Cygwin it didn't extract at all.
I'll continue to mess around but for your hacky fun, I have attached the parts all split up and then packed into a single ZIP.
Post if you have any ideas. I'm gonna try and repack the ramdisk and then re-assemble the whole thing. The repacked ramdisk will be smaller, but I'll just fill in the empty spot with zero padding so that the footer still ends up at the same address. We'll see if that works
Quite interesting result so far...
I wonder if there are some documentation on the data structure of the footer information floating around in public, and secondly if the offset is static.
Speaking of padding zeros. Maybe the number of trailing zeroes depends on the payload size and the page size (evenly divided by given page size), which is the case for e. g. boot.img?
Sent from my Xperia Arc via Tapatalk 2
k02a said:
Quite interesting result so far...
I wonder if there are some documentation on the data structure of the footer information floating around in public, and secondly if the offset is static.
Speaking of padding zeros. Maybe the number of trailing zeroes depends on the payload size and the page size (evenly divided by given page size), which is the case for e. g. boot.img?
Sent from my Xperia Arc via Tapatalk 2
Click to expand...
Click to collapse
It will take some experimentation to see how picky the boot loader is. I have been sidetracked today by actual work (imagine that!) and also I have been working on exhaustively cataloging and documenting the contents of the stock ROM, particularly /system/app. Cutting the Samsung bloat has been challenging only in that there's so much stuff to remove
I just had a brainstorm: I'm going to examine the boot.img from the CM9 and CM10 ROMs for the T869. After all, both of them are accepted by the bootloader, so those two and the "stock" boot.img must share some common properties, which one would think would be the "key" stuff to make the boot.img work.
The boot.imgs from CM9 and CM10 both lack any useful "handles" to try and understand their contents.
I'm uncertain how else to proceed.
I have tried creating a modified ramdisk archive, then padding out the rest of the space with zeros so that the various pieces of boot.img fall at the same location, but no success.
I'm beginning to think everything about the Samsung boot.img is weird. I was able to locate the boot logo, but its located in the ramdisk at /sbin/fota.png.
I've been knocking away on this for like a week now, and I'm beginning to think maybe it ain't worth it. All this so I can get insecure boot and maybe a modified boot image? Freakin Samsung
I am not sure, it is technically possible...
But at the moment, all ROMs need SD card for installation and usage...
But I think, we can make it also possible to use our Waves without SD...
Maybe we can modify waves, that Odin or Flash tool can hanlde our Waves...
Let's collect some thoughts...!
For Odin you need change Bootloader...
If you don't know what Bootloader is... check this out:
http://forum.xda-developers.com/showthread.php?t=897468
SBL from I9000 for instance... (but then other problems or more problems)
I have tested few SBL with Odin and S8500... long time ago...
But you need JTAG or this:
http://forum.xda-developers.com/showthread.php?t=1250270
NOT support nor finished solution... only "concept"...
WARNING! You can Hardbrick your S8500...
Same warning for S8530...
About ""Flash tool""...
If FOTA would support read from 512 MB OneNAND... you could copy zImage + ROM to this memory instead 2 GB moviNAND...
With Multiloader... and WaveRemaker created files...
And don't forget since bada 2... Samsung kastrierte moviNAND to same size...
but S8500 have more memory as S8530...
If I remember correct... 90 MB unused in S8500...
Unsere Boo.L Experten sind alle... gelangweilt... haben "wichtigeres" zu tun...
Somit wird es auch extrem schwer... FOTA neue Kunststücke beizubringen...
Weil dazu mußt Du den Bootloader BL3 halbwegs begriffen haben...
Siehe das:
http://forum.xda-developers.com/samsung-tizen/bada-android/fboot-fota-noob-edition-t2821156
Best Regards
Edit 1.
Here ""evidence""/example for Odin with S8500:
http://forum.xda-developers.com/showpost.php?p=44993772&postcount=49
Somewhere else I have tested more SBLs from different Android handsets with similar CPU...
adfree said:
About ""Flash tool""...
If FOTA would support read from 512 MB OneNAND... you could copy zImage + ROM to this memory instead 2 GB moviNAND...
With Multiloader... and WaveRemaker created files...
Click to expand...
Click to collapse
Could you please explain step by step how to prepare this file for multiloader with zImage(boot.img) inside?
Rebellos, many time ago said that it possible to read RAW(binary) file from OneNAND via FOTA
Could you please explain step by step how to prepare this file for multiloader with zImage(boot.img) inside?
Click to expand...
Click to collapse
Also long time ago.
Will try to find my old posts.
For S8500/S8530 it should be easy to use .PFS file... made via WaveRemaker...
But PFS writes into 2 GB moviNAND not 512 MB OneNAND...
For OneNAND we could add zImage to RC1 or RC2 or replace instead...
Need to check reserved space for partitions...
http://forum.xda-developers.com/showpost.php?p=37698018&postcount=10
Hmmm.
If bada not needed... then we could create template RC1...
with 10 MB or something in this direction... and place zImage easily with WinHex into same address...
So in FOTA it could read from correct address in OneNAND...
Best Regards
Edit 1.
For zImage on 2 GB moviNAND with PFS inside...
http://forum.xda-developers.com/showpost.php?p=50254876&postcount=408
This Folder for instance:
Code:
Media/zImage
And for RC1 template I need little bit time... 1 or 2 days... maybe faster...
in last ROMs MoviNAND is fully "busy" by android.
Correct way is OneNand
Also it will be good to save bada offline charger, i don't remember correctly where is located images for it in RC1 or RC2, like bada splash screen and pictured with for offline charger
Correct way is OneNand
Click to expand...
Click to collapse
Okidoki, then we should take RC1 for tests...
S8500 flash and load from:
Code:
0x1980 0000
I need few minutes, because I must charge my test S8500... before I flash something...
Also it will be good to save bada offline charger, i don't remember correctly where is located images for it in RC1 or RC2, like bada splash screen and pictured with for offline charger
Click to expand...
Click to collapse
RC2 have 1 Picture as Placeholder for Charger... before apps_compressed.bin is fully loaded and executed...
If someone is able to create FOTA with loading from address 0x1980 0000 zImage... then we could use every other address...
But before for faster tests should 10 MB empty RC1 be enough...
Ehm... 16 MB... easier length...
QMD Header is not mandatory... if I remember correct...
MD5 Check for Multiloader disabled...
File without zImage yet, but easy replace 0x0 with content of zImage...
Result should be... zImage at address 0x1980 0000 in OneNAND...
File not tested yet, because charging battery...
Later I will try to flash self... then report if my S8500 explode...
Best Regards
@volk204 can you tell me what we'll gain changing location of boot.img(zImage)? Only place or something about performance or etc.?
hero355 said:
@volk204 can you tell me what we'll gain changing location of boot.img(zImage)? Only place or something about performance or etc.?
Click to expand...
Click to collapse
Nothing for performance.
We just remove dependency from SD card
Code:
Download Start Ch[0]
Rsrc1 16777.2KB OK[6.7s]
All files complete[7.4s]
7 seconds for 16 MB RC1...
...
Testresult via PM...
Best Regards
Edit 1.
Short logged via UART...
Code:
Hangs at:
[PAM: ] OneNAND physical base address : 0xb0000000
[PAM: ] OneNAND virtual base address : 0xb0000000
[PAM: ] FSR_PAM_InitNANDController Success!!
[PAM: ] --FSR_PAM_Init
bl3_info_block 1 age = 1
bl3_info_block 2 not found, BL3_1 Loading
+-------------------------------+
| Bootloader Shadowing FINISHED |
+-------------------------------+
Launch Image at 0x42080000
[BOOT_V1.0 (Jan 5 2012, 19:08:14)]
SelectBootingMode: H/W...0xe.
[BOOT] ARMCLK: 400000 KHz, MSYSHCLK 200000 KHz,MSYSPCLK: 100000 KHz, [BOOT] DSYSHCLK 166750 KHz,DSYSPCLK: 83375 KHz,PSYSHCLK: 133400 KHz, PSYSPCLK: 66700 KHz,SYSCON_A2M: 200000 KHz
+++FIMD_Drv_INITIALIZE
FIMD_Drv_ChangeMode: MDNIE_MODE
Frame Rate:62 SCLK_FIMD:133400 kHz ClkDiv:4
S6E63M0 : LDI_Pentile_Set_Change Pentile_Value =6c
---FIMD_Drv_INITIALIZE
---FIMD_Drv_SetWinOnOff(WIN4:1)
LCD initialize Finished
Flash_Unlock failed
Poweron status - 20
FSA9480 0x03 Register = 1
FSA9480 0x0A Register = 0
FSA9480 0x0B Register = 8
FSA9480 0x07 Register = 1c
[B]SelectBootingMode: Boot Mode = 1...[/B]
Info from Rebellos:
<Rebellos> To read from oneNAND you need Flash_Read_Data
<Rebellos> protype of it would be...
<Rebellos> uint32_t Flash_Read_Data(void* buf, uint32_t addr, uint32_t size);
<Rebellos> It should be easily detectable by mijoma's tool
<Rebellos> (you can change void* to char* or any pointer type that suits you)
<Volk204> Rebellos, do i need something like OneNand_Init before?
<Rebellos> No. Onenand is already initialized by BL3 (since FOTA is being read from there)
I will try to add it in FOTA later, or maybe someone else
edit1:
8500:
unsigned long c_Flash_Read_Data[] = { 0xf5bd478f, 0 };
8530:
unsigned long c_Flash_Read_Data[] = { 0x7dc705fa, 0 };
I can test tomorrow morning
I am not sure that it is correct but
Modified Fota.c http://pastebin.com/S62SMwnH
Test FOTA: https://yadi.sk/d/OMvi6FwMa2HgL i tried to test, but kernel don't start, output is ok, probably i incorrect flashed rc1 with boot.img.
Maybe someone will play with it
P.S. modified rc1 kill bada offline charger
volk204 said:
I am not sure that it is correct but
Modified Fota.c http://pastebin.com/S62SMwnH
Test FOTA: https://yadi.sk/d/OMvi6FwMa2HgL i tried to test, but kernel don't start, output is ok, probably i incorrect flashed rc1 with boot.img.
Maybe someone will play with it
P.S. modified rc1 kill bada offline charger
Click to expand...
Click to collapse
Maybe some parts of charger located there, maybe we don't need to fully empty rc1 with boot.img, just deleting unneeded ui parts can work.
In RC1 can only be few Pics...
But they are for apps_compressed.bin... So only animation is not visible...
Charging at all should work...
Later we can add Pics and copy zImage to other position...
But priority is to start zImage from address 0x1980 0000...
Need few minutes for test... then report...
Best Regards
Edit 1.
First attempt...
I see on Display...
Mounted partitions
Copied kernel from onennand
Init Modem
Boot in Normal Mode
Copied kernel to boot
Wait!
I have taken older zImage... Now I am waiting...
Will test with empty RC1 and RC1 with zImage inside... to check if textoutput is static or really detected zImage...
Later more...
Edit 2.
Textoutput is static but work. :good:
Same result with my attached empty RC1.
@volk204
Your FOTA work. :good:
Congratulation!
Zimage content should be at 0x0...
Header QMD must be overwritten...
Now we could change location of zImage... for instance... take full RC1 and add zImage at end of content, before last 1024 Byte
Depend on size of RC1...
But then 0x1980 0000 is wrong/obsolete...
Also we could create minor/small/slim RC1... with only few MB for charger Animation... if somebody need...
If someone need, I could upload my RC1 template... but for now I am tooo lazy to attach 6 MB... upload...
Edit 3.
If I remember correct... smallest RC1 was 7 MB or less 10 MB... to start bada...
My tests long time ago...
With FOTA from volk204 this RC1 boot zImage from 512 MB OneNAND.
:good:
Inside older kernel, not latest... only for test...
You can compare textoutput between this RC1 and my empty template:
http://forum.xda-developers.com/showpost.php?p=54892518&postcount=6
Same text, but this one really load and execute zImage from OneNAND.
Thanx.
Best Regards
adfree said:
Textoutput is static but work. :good:
Same result with my attached empty RC1.
@volk204
Your FOTA work. :good:
Congratulation!
Zimage content should be at 0x0...
Header QMD must be overwritten...
Now we could change location of zImage... for instance... take full RC1 and add zImage at end of content, before last 1024 Byte
Depend on size of RC1...
But then 0x1980 0000 is wrong/obsolete...
Also we could create minor/small/slim RC1... with only few MB for charger Animation... if somebody need...
Click to expand...
Click to collapse
I will replace textoutput by bada splash (Sasung Wave picture) from rc2
so if FOTA stuck on this picture, need to reflash kernel, we can't do anything more for debug
0x1980 0000 is easy to change, no problem, and probably it is different for wave and wave 2
I will push sources to github later, maybe today
and about charger, i see only picture from rc2 and then reboot in 5-10 sec, so it not work at all
Okidoki.
Later I could do some tests with zImage at end of RC1...
So RC1 is original + zImage...
Need some time...
Best Regards
i pushed sources on github:
https://github.com/Badadroid/android_bootable_wave-fboot/tree/android_onenand
TextOuput replaced by Bada splash screen,
If FOTA stuck on this picture more than 15-20 sec - something wrong with kernel
OneNand address for 8500: https://github.com/Badadroid/androi.../blob/android_onenand/FBOOT_S8500_b2x.lds#L28
OneNand address for 8530: https://github.com/Badadroid/androi.../blob/android_onenand/FBOOT_S8530_b2x.lds#L28
looks like rsrc1 address for 8530 is 0x36000000
Compiled FOTA for wave and wave 2 is in attachments
Edit:
for offline charger we need PshRsrcBmpIdleAni.rbm from rc1
rc1 with only PshRsrcBmpIdleAni.rbm attached, flashed and charger work
now need to create template with this file inside and boot.img inside and count memory address for boot.img, but i don't know how to do it
First look at charger.rc1...
Content ends at 0x0014 0000
We could make this area bigger... 0x0020 0000
And add zImage at this address...
So for FOTA new entry point is 0x1980 0000 + 0x0020 0000 =
19A0 0000
Theory... I can make tests only later...
Need to do some other things now...
Best Regards
adfree said:
First look at charger.rc1...
Content ends at 0x0014 0000
We could make this area bigger... 0x0020 0000
And add zImage at this address...
So for FOTA new entry point is 0x1980 0000 + 0x0020 0000 =
19A0 0000
Theory... I can make tests only later...
Need to do some other things now...
Best Regards
Click to expand...
Click to collapse
tested and working
fota with start in 0x19A00000 is in attachments
offline charger also work
Edit
Attached rsrc template for 8500 with charger inside, just add boot.img in 0x00200000
@adfree, could you please create empty rsrc1 template ~16mb for wave 2 (8530)?
And could you please re-check onenand adress for wave2?
in multiloader i see 0x36000000, but Rebellos marked it as 0x03600000 in kernel sources https://github.com/Badadroid/androi...i_nand/drivers/mtd/onenand/samsung_wave.h#L47