[Prog] ARM bin/ELF disassembly & debug tools - Android Development on Bada

ARMu is a free and ultra fast program to disassemble ARM binaries
With filtering:
Armu
http://pel.hu/down/ARMu.exe
Trace32 SimArm :
www.lauterbach.com/cgi-bin/download.pl?file=simarm.zip
Trace32 OseArm :
http://www.lauterbach.com/cgi-bin/download.pl?file=osearm.zip

as example...
libsurfaceflinger_client.so
Maybe we could start with this ELF from Android...
Perfect size with 6 KB.
Maybe a few settings, which tool etc...
Maybe someone with more brain than me could describe it a little bit...
Please.
Thanx in advance.
Best Regards

Related

windows 98/XP on PDA!!!!!

Seeing as even the weakest PDA (like mine) runs a 200 MHz processor and the RAM isn't half bad, would it be possible to run a stripped-down version of XP or '98 on a PDA? I got the idea when I came across a compact USB version of XP that runs straight off the flash drive. Handy for recovery, etc. How big a leap would it be to port it to a PDA?
Edit: It works via emulation (slowly); work is under way on an embedded version, but to keep us occupied in the meanwhile there are '95 and '98 ROMs you can run from the storage card. Check post 21 (or thereabouts) for instructions and files.
Coming across some interesting devices out there, if anybody has any detailed info please let me know. Link is HERE
I'm afraid it would be a very big leap, as the PDA processor is not x86 compatible; someone has to port it or create an emulator for it. And then a new driver will be needed for the touch screen.
Your 200 MHz CPU is able to emulate a 386 SX 16 (well, almost...), and that's all about that...
No Win, lol.
Have you tried a little program called eXPerience? it'll be on google under 'Digital eXPerience' gives an XP look to your ppc, taskbar icons wallpaper etc ;-)
nothin said:
Your 200 MHz CPU is able to emulate a 386 SX 16 (well, almost...), and that's all about that...
No Win, lol.
That's kind of cool actually. You could run windows 3.1(1) on it.
Supposedly you can run Windows 95/98 on a pocket pc. I never really had a good reason to try it.
http://www.pocketgamer.org/showthread.php?s=&threadid=3660
There is an emulator, Bochs. You can look at pictures in the Serbian forum: http://www.elitesecurity.org/t302711-Bochs-Windows-SE-Aero-Interface-Vista
for XP: http://www.elitesecurity.org/t302249-Evolution-of-Bochs-Microsoft-Windows-XP-na-Pocket-PC-ju
http://bochs.sourceforge.net/
Could this be something??
http://bochs.sourceforge.net/
I am not skilled enough to see through it - but it might be possible to do an XP on a PDA??
ninjaz said:
There is an emulator, Bochs. You can look at pictures in the Serbian forum: http://www.elitesecurity.org/t302711-Bochs-Windows-SE-Aero-Interface-Vista
for XP: http://www.elitesecurity.org/t302249-Evolution-of-Bochs-Microsoft-Windows-XP-na-Pocket-PC-ju
Are you able to translate the Serbian page, so we can find out if/how to do it??
Vukile said:
Seeing as even the weakest PDA (like mine) runs a 200 MHz processor and the RAM isn't half bad, would it be possible to run a stripped-down version of XP or '98 on a PDA? I got the idea when I came across a compact USB version of XP that runs straight off the flash drive. Handy for recovery, etc. How big a leap would it be to port it to a PDA?
ihihihhihiihh
ninjaz said:
There is an emulator, Bochs. You can look at pictures in the Serbian forum: http://www.elitesecurity.org/t302711-Bochs-Windows-SE-Aero-Interface-Vista
for XP: http://www.elitesecurity.org/t302249-Evolution-of-Bochs-Microsoft-Windows-XP-na-Pocket-PC-ju
I think that the photos are only themes for Windows Mobile, and you are able to put some shortcuts on the Pocket PC's "desktop" with WisBar Advance Desktop....
The start menu has been done with wisbar advance...
Nothing else...
Well - you might be right - or not. According to this: http://intimate.handhelds.org/screens.html you see an iPAQ running Bochs - and it claims to be possible to run an x86 OS...
I don't know if it's true but I will try to dig deeper.
Let's seek the limits
Look at the picture....
It has been done with Wisbar Advance + Wisbar Advance Desktop......
Very Nice.....
Well, QEMU is currently being ported to ARM, and it's much faster than Bochs, which is a bit outdated. It might not be very fast, but who knows?
Wait and see...
[ ignore this ,i deleted thing.. ]
flaviopac said:
Look at the picture....
It has been done with Wisbar Advance + Wisbar Advance Desktop......
Very Nice.....
I am still not convinced that you are right. Look at the posts in the Serbian forum - I don't understand it but... well, let's wait and see - and hope that someone here can translate it.
Maybe you saw on the (Link) Windows Desktop forum that I started working on Windows modifications. Disappointed that I could not run Windows Vista at 640x480 resolution, I decided to modify Windows 98SE to look like Vista. The results were excellent and soon Vista98 was born. OS details:
- Modified shell
- Modified Kernel32.dll
- Boot time: 8-10 s (128 MB RAM, 400 MHz processor, QEMU emulator)
- Changed boot screen
- Animated, transparent icons
- Fits nicely in 140 MB
I try to translate, my English is bad. This is a tutorial for Windows 95.
What's needed:
Pocket PC with VGA screen (or QVGA with Nydot Virtual Display)
Bochs version 2.3.5 (new) (1.6 MB)
Windows 95 - Bochs image (89 MB)
Total Commander CE (600 kB)
Pocket Console (120 kB)
SE_VGA (optional with VGA device or ozVGA for WM5)
BOCHSRC.TXT
VGAKEY (donateware)
1. Download Pocket Console and install in INTERNAL MEMORY!!!
2. Download SE_VGA (VGA device)/Nydot Virtual Display (QVGA) and install.
3. Download Total Commander and install.
3a. Download VGA_KEY and install in INTERNAL MEMORY!
4. Download BOCHSRC.txt and copy to root / ( /bochsrc.txt).
5. Download Bochs 2.3.5, unzip, and copy to /SD Card/Bochs/
( /SD Card/Bochs/<content of archive>)
6. Download the Windows 95 image (win95.img) and copy to /SD Card/Bochs ( /SD Card/Bochs/win95.img)
7. Go to ozVGA (SE_VGA) and turn on Real VGA mode. Turn on Landscape mode. After restart go to Total Commander and start bochs.exe in Storage Card\bochs. A black window shows up with characters flying over it.
8. Press 6 and Enter and the emulation starts. Turn on VGAKEY and press the Fn button two times, then F12 (turn on mouse) and F5 (optional, full screen).
8a. Wait 1-5 min. If some error shows, just press Enter.
9. Go to Settings>Personal>Buttons and assign some button to be <Input Menu>. When you press that button the keyboard shows up.
Link with screenshots: http://www.elitesecurity.org/t297199-0#1795518
Martinhdk said:
I am still not convinced that you are right. Look at the posts in the Serbian forum - I don't understand it but... well, let's wait and see - and hope that someone here can translate it.
Maybe you saw on the (Link) Windows Desktop forum that I started working on Windows modifications. Disappointed that I could not run Windows Vista at 640x480 resolution, I decided to modify Windows 98SE to look like Vista. The results were excellent and soon Vista98 was born. OS details:
- Modified shell
- Modified Kernel32.dll
- Boot time: 8-10 s (128 MB RAM, 400 MHz processor, QEMU emulator)
- Changed boot screen
- Animated, transparent icons
- Fits nicely in 140 MB
Waiting for someone who can translate it.......
ninjaz said:
I try to translate, my English is bad. This is a tutorial for Windows 95.
What's needed:
Pocket PC with VGA screen (or QVGA with Nydot Virtual Display)
Bochs version 2.3.5 (new) (1.6 MB)
Windows 95 - Bochs image (89 MB)
Total Commander CE (600 kB)
Pocket Console (120 kB)
SE_VGA (optional with VGA device or ozVGA for WM5)
BOCHSRC.TXT
VGAKEY (donateware)
1. Download Pocket Console and install in INTERNAL MEMORY!!!
2. Download SE_VGA (VGA device)/Nydot Virtual Display (QVGA) and install.
3. Download Total Commander and install.
3a. Download VGA_KEY and install in INTERNAL MEMORY!
4. Download BOCHSRC.txt and copy to root / ( /bochsrc.txt).
5. Download Bochs 2.3.5, unzip, and copy to /SD Card/Bochs/
( /SD Card/Bochs/<content of archive>)
6. Download the Windows 95 image (win95.img) and copy to /SD Card/Bochs ( /SD Card/Bochs/win95.img)
7. Go to ozVGA (SE_VGA) and turn on Real VGA mode. Turn on Landscape mode. After restart go to Total Commander and start bochs.exe in Storage Card\bochs. A black window shows up with characters flying over it.
8. Press 6 and Enter and the emulation starts. Turn on VGAKEY and press the Fn button two times, then F12 (turn on mouse) and F5 (optional, full screen).
8a. Wait 1-5 min. If some error shows, just press Enter.
9. Go to Settings>Personal>Buttons and assign some button to be <Input Menu>. When you press that button the keyboard shows up.
Link with screenshots: http://www.elitesecurity.org/t297199-0#1795518
ok, so you launched win, and?
i did this >3 yrs ago and now, in 2008 there's STILL no point in doing this.
argue w/ me, if you think i am wrong.
realize, that HTC is killing ppc idea, not extending it.
realize this.
samsung cpus, omap cpus, rich small people.
Ok... nice... XP on Pocket
Well... all this work to see the splash screen on a Pocket PC? No, thanks. It takes too much time to load and it's unusable...

[INFO] Progress of Bootloader cracking!

Originally posted by blagus.
To start and organize X8 bootloader bypassing, and to leave X10 developers to focus entirely on X10 cracking, I've made this thread to keep track of progress and for developers to share info.
What has to be done:
Compile splboot as kernel module - addresses have to be modified for X8 - work in progress
Compile miniloader for MSM7227 - hopefully done by nobodyAtall
Make boot.img with zImage and ramdisk for X8 - work in progress
Developers (alphabetical):
Asdoos - splboot and miniloader
Bin4ry - side help and tips
Blagus - boot.img mostly
Chumby_666 - mood-lifter in IRC and tools provider
nobodyAtall - splboot.ko - miniloader
Progress (sorted by time):
splboot.ko - compiled by nobodyAtall - needs tweaking
miniloader - compiled by nobodyAtall - unknown whether it needs further modifications or not
boot.img - work in progress
Experiments:
# insmod splboot.ko
Loads without errors.
insmod splboot - OK
cat miniloader - OK
cat boot.img from X10 - a few high-ASCII characters appear, plus "Invalid length", phone freezes, adb shell freezes, phone reboots after ~30 seconds
If nothing else, at least proof that an attempt was made to load something into memory, and the invalid length caused the freeze - meaning that splboot was most probably compiled and loaded correctly.
After further tests, looks like something's wrong in splboot - probably allocated memory is too small
How to boot:
Get splboot.ko, miniloader, boot.img and run.sh
Push splboot to /system/lib/modules, rest to /system/kernel (mkdir /system/kernel).
execute this from adb: # sh /system/kernel/run.sh
Best regards
Originally posted by blagus.
Important: AS SUGGESTED BY DEVELOPERS, PLEASE USE STOCK 2.1.1.A.0.6. FLASH IT WITH FlashTool, GET FILES FROM MY Mediafire FOLDER.
All files (splboot, miniloader, boot.img, etc.) will be uploaded to this Mediafire folder.
If you compiled something and want to share it, attach it here and I'll upload it to Mediafire to have everything in one place.
cat /proc/iomem with addresses needed to modify splboot and miniloader - X8:
Code:
$ cat /proc/iomem
00200000-0d8fffff : System RAM
0022b000-006e3fff : Kernel text
006e4000-00813733 : Kernel data
02900000-02afffff : kgsl_phys_memory
0d200000-0d8fffff : Crash kernel
0d9e0000-0d9fffff : ram_console
a0000000-a001ffff : kgsl_reg_memory
a0000000-a001ffff : kgsl
a0200000-a0200fff : msm_serial_hs.0
a0400000-a0400fff : msm_sdcc.1
a0500000-a0500fff : TIWLAN_SDIO.2
a0800000-a08003ff : msm_hsusb
a0800000-a08003ff : msm_hsusb_periphera
a0800000-a08003ff : msm_hsusb_host.0
a0800000-a08003ff : msm_hsusb_otg
a0800000-a08003ff : msm_otg
a0a00000-a0a007ff : msm_nand_phys
a9900000-a9900fff : msm_i2c.0
a9900000-a9900fff : msm_i2c
a9c00000-a9c00fff : msm_serial.2
a9c00000-a9c00fff : msm_serial
aa200000-aa2effff : mdp
aa300000-aa300fff : tssc
aa600000-aa600fff : pmdh
Run cat /proc/mtd to find addresses needed to make boot.img. Different for X10, X8, X10 Mini (Pro).
How to make boot.img:
Download build_bootimg.zip, extract. If you're on Linux, run makeit.sh, if on Windows, run makeit.bat
Don't forget that mkbootimg's cmdline needs tweaking. Read README.txt included to find out more.
Also, to make ramdisk, place files in ramdisk-folder and execute following:
Code:
mkbootfs ./ramdisk-folder > ramdisk
This will give you cpio ramdisk archive. gzip it and you're done. Name it ramdisk.gz.
If you like my post, thank me!
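For the ramdisk step in the post above, an added example (not blagus's build_bootimg files or mkbootfs itself) that writes the same newc cpio format mkbootfs emits, gzips it, and reads it back, which is also what unpacking a boot.img ramdisk to inspect its init.rc needs; the file contents are constructed placeholders, and the two error messages mirror the gzip/cpio failures an unpack script reports.

```python
import gzip
import stat

NEWC_MAGIC = b"070701"          # SVR4 "newc" cpio, the format mkbootfs writes
HEADER_LEN = 110                # 6-byte magic + 13 fields of 8 ASCII-hex chars


def _pad4(n):
    """newc aligns both the file name and the file data to 4-byte boundaries."""
    return (4 - n % 4) % 4


def _entry(ino, name, mode, data):
    """One archive member: header, NUL-terminated name, padding, data, padding."""
    name_b = name.encode() + b"\0"
    fields = (ino, mode, 0, 0, 1, 0,          # ino, mode, uid, gid, nlink, mtime (mkbootfs zeroes owner and time)
              len(data), 0, 0, 0, 0,          # filesize, devmajor, devminor, rdevmajor, rdevminor
              len(name_b), 0)                 # namesize incl. NUL, check (unused in newc)
    head = NEWC_MAGIC + b"".join(b"%08x" % v for v in fields) + name_b
    return head + b"\0" * _pad4(len(head)) + data + b"\0" * _pad4(len(data))


def make_ramdisk(files):
    """files: {path: (mode, bytes)}. Returns the gzipped cpio archive (ramdisk.gz)."""
    out = b""
    for ino, (name, (mode, data)) in enumerate(sorted(files.items()), start=300000):
        out += _entry(ino, name, mode, data)
    out += _entry(0, "TRAILER!!!", 0, b"")   # end-of-archive marker
    return gzip.compress(out)


def read_ramdisk(blob):
    """Inverse of make_ramdisk; raises on the same failures the unpack scripts report."""
    if blob[:2] != b"\x1f\x8b":
        raise ValueError("not in gzip format")
    raw = gzip.decompress(blob)
    pos, files = 0, {}
    while True:
        if pos + HEADER_LEN > len(raw):
            raise ValueError("premature end of archive")
        if raw[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad cpio magic at offset %d" % pos)
        f = [int(raw[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = raw[pos + HEADER_LEN:pos + HEADER_LEN + namesize - 1].decode()
        data_start = pos + HEADER_LEN + namesize + _pad4(HEADER_LEN + namesize)
        if name == "TRAILER!!!":
            return files
        files[name] = (mode, raw[data_start:data_start + size])
        pos = data_start + size + _pad4(size)


def demo():
    """Constructed ramdisk with the kind of files a boot ramdisk carries."""
    files = {
        "init": (stat.S_IFREG | 0o750, b"\x7fELF placeholder, not a real binary\n"),
        "init.rc": (stat.S_IFREG | 0o750, b"on init\n    mount tmpfs tmpfs /dev\n"),
        "sbin": (stat.S_IFDIR | 0o755, b""),
        "sbin/adbd": (stat.S_IFREG | 0o750, b"placeholder adbd\n"),
    }
    blob = make_ramdisk(files)
    return files, blob, read_ramdisk(blob)
```

Pointing read_ramdisk at a real boot.img-ramdisk.gz lists every path and mode, so a changed init.rc or an extra binary in sbin/ stands out before the image is flashed.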
Excuse me if it sounds lame,
but what is splboot.ko all about?
I understand it's a kernel module, but what is its usage...
To be honest, I don't really know how you guys do it but what I do know is that what you guys do it so awesome!! THANK YOU TO EVERY LAST ONE OF THE DEV TEAM for all the countless time and quality effort that you put into the work you give to us stupid people that can't even program a TV properly!!
x10 mini is my 2nd phone with a locked bootloader, and my first phone is a Milestone with a locked bootloader. Now hoping for the best that these devs will break the bootloader.
Is the bootloader encrypted? If so, is there any knowledge of the algorithm used? Or is the password available in the Sony Ericsson software update or update package? Will a brute force attack work? If so, how to get access to the kernel?
Is there some news?
Castore said:
Is there some news?
Nah none for now, but Blagus is working really hard!
good to see the progress.
i always thought it's not possible to crack the bootloader but it seems like you are going to do it
Wussiwuh said:
good to see the progress.
i always thought it's not possible to crack the bootloader but it seems like you are going to do it
Technically they aren't trying to crack the bootloader, but bypassing it.
Sent from my X10mini using XDA App
thanks for the post. Nice to see development from the front row. 1st class
the_laser said:
Greetings.
warning.
if you are not a developer, please quit reading this post.
wait for a user-friendly tool with one big button.
here ( View attachment 712577 ) is a toolset to permanently "unlock" semcboot of msm7227 semc phones.
that means you can use your own kernel and so on.
steps, precautions, etc.
unpack the archive to any directory.
if you are using eset antivirus or similar ****, it will find an evil virus in adb.exe.
ignore that, it is not a virus in any way, it is the standard android debug bridge, bundled in one file to save space and for usability.
now, if your phone is unlocked officially:
flash the phone with standard 2.0, 2.1 android firmware, because the kernel mapper module is compiled for the "2.6.29" kernel.
of course, enable "usb debugging"
run msm7227_semc.cmd,
( if you want, examine it before running, it is pretty straightforward. )
you will get similar output
Code:
process requires standard 2.x android firmware.
Press any key to continue . . .
Getting ROOT rights.
1743 KB/s (585731 bytes in 0.328s)
error: protocol fault (no status)
Waiting ...
Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights.
192 KB/s (3087 bytes in 0.015s)
success
Waiting ...
Getting ROOT rights.
Waiting ...
Writing patched semcboot. Two step process
First, we need get access to semcboot area
504 KB/s (8064 bytes in 0.015s)
Second, we need to write semcboot ;)
1130 KB/s (596916 bytes in 0.515s)
successfully wrote 0003ff00
Press any key to continue . . .
bingo, your phone now has an unlocked bootloader.
if your phone was unlocked by setool2 software, use msm7227_setool2.cmd
if your phone was unlocked by 3rd-party software other than setool2, do not run anything -
it will disable the radio capability of your phone and you will need to unlock the phone with setool2 software.
hopefully, mizerable flea and mOxImKo will release something similar for your phone.
okay, now about other details.
1.
an unlocked bootloader requires an unlocked loader, yep ?
loader\loader.sin is a special unlocked loader, which will be accepted ONLY after you "unlock" semcboot with the previous steps.
to distinguish unlocked semcboot from original semcboot, the first letter in the version tag of the semcboot output will be lower case, i. e. "r8A029"
( same applies for the loader version tag )
so, all that stuff with signatures is not for us, so i removed it - the loader will ignore the signature part of the SIN file.
2.
we should make a SIN file somehow, right ?
for that i prepared a "dumb" bin2sin utility.
[input] - is the input binary file.
[partition info]
the android implementation on s1 semc qualcomm phones is based on partitions, so we MUST define it for our file.
you can get the required partition info from standard semc sin files, it is the first 0x10 bytes of DATA, right after the header, i.e.
[type] - partition type, 9 - partition without spare, 0xA - partition with spare.
the kernel partition is a partition without spare.
if that parameter is omitted, type = 9
[block size] - nand block size, if omitted, it is the standard size 0x20000
there is an example in sinTools\example_build.cmd
3.
the kernel should be prepared specially to be accepted by semcboot.
for that there is the tool bin2elf.
we need 2 segments:
segment 1 is the unpacked linux kernel image, i.e.
( e10/kernel/arch/arm/boot/Image )
it looks like the entrypoint and load address for segment 1 are always the same for all msm7227-based semc phones, it is 0x00208000
attributes for image 0x0
segment 2 is the ramdisk.
it looks like the entrypoint and load address for segment 1 are always the same for all msm7227-based semc phones, it is 0x01000000
set attributes for ramdisk 0x80000000, that is extremely important.
there is a simple kernel example in sinTools\example_build.cmd
ps.
@blagus:
the NAND MPU disabler has only one relation to rFoNe - he took it from setool2, together with the entire idea for the msm7227 bypass.
your 6-wings friend with many nicks did exactly the same.
NAND MPU has nothing to do with the memory firewall, so it will not help with kexec things, however, who will care now.
I was on the x8 forums and I found this!!! It looks very interesting!!!
Can someone explain to me what it is good for?
Sorry for my bad English
ChavitoArg said:
Can someone explain to me what it is good for?
Sorry for my bad English
It allows you to boot custom linux kernels.
DustArma said:
It allows you to boot custom linux kernels.
I just did the_laser's "tuto".
It said "successfully wrote 0003ff00"; did I successfully unlock my bootloader? Is there any way to confirm that? Do I have to do something else?
Sorry for the questions and for my bad English.
ChavitoArg said:
I just did the_laser's "tuto".
It said "successfully wrote 0003ff00"; did I successfully unlock my bootloader? Is there any way to confirm that? Do I have to do something else?
Sorry for the questions and for my bad English.
probably. try flashing dKernel to find out for sure.

Work on FOTA starts for AndroBada525......your help required

http://theteamk.x10.mx/index.php?topic=153.0
The Team K Developers have started the work on FOTA to end the prolonged wait for Android on the Wave 525. Developers are requested to please post some code so that the project can be completed soon. Please keep this thread development-focused and clean.
After a lot of research the forum users have found the brcm2133.elf and wave 525 fota which can be decoded using IDA PRO DISASSEMBLER.
Anyone who can help can come forward and help
Thanks
I HAVE FOUND BCM21331.elf IN THE SAMSUNG CORBY s3653w FIRMWARE FILE. THERE IS ALSO WEBKIT.elf. DOWNLOAD IT FROM HERE (it is contained in the firmware):
Please.
Need BCM21331.elf for study...
Where to download?
You can write PM. :angel:
Thanx in advance.
Best Regards
adfree said:
Please.
Need BCM21331.elf for study...
Where to download?
You can write PM. :angel:
Thanx in advance.
Best Regards
http://mediafire.com/?uxhiu82ffwcrvue
You can download brcm21331 from the above link. It is present in the SAMSUNG CORBY s3653w FIRMWARE FILE.
Thanks
It seems BCM21331.elf of S3653WDXJG2 is apps_compressed.bin... not Bootfiles...
http://forum.xda-developers.com/showthread.php?t=1325713
Code:
ELF_MAP
BCM21331.csi 9 MB
BCM21331.elf 327 MB
BCM21331.map 125 MB
BCM21331.sym 41 KB
WEBKIT.elf 167 MB
Seen from S3850... but no valid Downloadlink...
Best Regards
reply
adfree said:
It seems BCM21331.elf of S3653WDXJG2 is apps_compressed.bin... not Bootfiles...
http://forum.xda-developers.com/showthread.php?t=1325713
Code:
ELF_MAP
BCM21331.csi 9 MB
BCM21331.elf 327 MB
BCM21331.map 125 MB
BCM21331.sym 41 KB
WEBKIT.elf 167 MB
Seen from S3850... but no valid Downloadlink...
Best Regards
I didn't understand.
Did Mediafire say that the download link was not valid?
Anyway, I will upload the ELF file today (I have downloaded it).
I don't think that the ELF file is apps_compressed.bin.
You can check it out yourself after I upload the file.
Thanks
request
I also request the moderators and administrators to make this thread sticky.
Thanks
anyway i will upload the elf file today( i have downloaded it )
NO. Thank you.
I have this file. :angel:
But this is apps_compressed.bin... NOT the Bootloader, and it is only 1 file of 3 or 4 files...
Missing, and maybe helpful...
Code:
BCM21331.csi
BCM21331.map
BCM21331.sym
So it is maybe less helpful to find the correct ""FOTA values"" to make such output + more...
http://forum.xda-developers.com/showthread.php?t=1496729
Best Regards
I am not really well versed with the coding.
Do you need the BCM21331.csi,
BCM21331.map and
BCM21331.sym files?
Thanks
anyway here is the brcm21331.elf for all other devs
http://d-h.st/VMs
Thanks
Devs, please help and contribute to this thread.
I am using IDA Pro to decode brcm21331.elf but need help on how to use this software.
Thanks
Again...
Check this Thread...
http://forum.xda-developers.com/showthread.php?t=1496729
From S8500...
Code:
#include "BL3.h"
unsigned long c_MemMMUCacheEnable[]   = { 0xaab9f874, 0 };
unsigned long c_disp_FOTA_Init[]      = { 0xbfab9174, 0 };
unsigned long c_disp_FOTA_Printf[]    = { 0xb69c410b, 0 };
unsigned long c_OemSysGetSystemInfo[] = { 0xc3ac31a5, 0 };
unsigned long *fun_crc[i_endMarker] = {
    c_MemMMUCacheEnable,
    c_disp_FOTA_Init,
    c_disp_FOTA_Printf,
    c_OemSysGetSystemInfo
};
This is what you need to find... MINIMUM.
This what we can find in BL3_univ.elf + BL3_univ.map
These files are from BOOTLOADER...
BCM21331.elf is ELF file of apps_compressed.bin...
You can NOT find this text in BCM21331.elf
Code:
MemMMUCacheEnable
disp_FOTA_Init
disp_FOTA_Printf
OemSysGetSystemInfo
So I am pretty sure... 51 % that BCM21331.elf is WRONG file to find correct values...
Anyway. With study of BCM21331.elf maybe someone can better understand how SHP/MOCHA Security etc. work...
Good luck.
Best Regards
adfree said:
Again...
Check this Thread...
http://forum.xda-developers.com/showthread.php?t=1496729
From S8500...
Code:
#include "BL3.h"
unsigned long c_MemMMUCacheEnable[]   = { 0xaab9f874, 0 };
unsigned long c_disp_FOTA_Init[]      = { 0xbfab9174, 0 };
unsigned long c_disp_FOTA_Printf[]    = { 0xb69c410b, 0 };
unsigned long c_OemSysGetSystemInfo[] = { 0xc3ac31a5, 0 };
unsigned long *fun_crc[i_endMarker] = {
    c_MemMMUCacheEnable,
    c_disp_FOTA_Init,
    c_disp_FOTA_Printf,
    c_OemSysGetSystemInfo
};
This is what you need to find... MINIMUM.
This what we can find in BL3_univ.elf + BL3_univ.map
These files are from BOOTLOADER...
BCM21331.elf is ELF file of apps_compressed.bin...
You can NOT find this text in BCM21331.elf
Code:
MemMMUCacheEnable
disp_FOTA_Init
disp_FOTA_Printf
OemSysGetSystemInfo
So I am pretty sure... 51 % that BCM21331.elf is WRONG file to find correct values...
Anyway. With study of BCM21331.elf maybe someone can better understand how SHP/MOCHA Security etc. work...
Good luck.
Best Regards
Thanks for the clarification.
In the FOTA editing, are you guys using the asm coding language?
What minimum do I need to find?
Thanks
This whole thread and idea is wrong at this moment. FOTA exploit has been confirmed to work only for bootloaders of S8500 and S8530. There is no clue if there's such security flaw present in 525 - ergo, you should start with looking for security hole, and then writing exploit to utilise it instead of writing exploit without even knowing if there's anything to exploit literally.
FOTA exploit has been confirmed to work only for bootloaders of S8500 and S8530. There is no clue if there's such security flaw present in 525 - ergo, you should start with looking for security hole...
We all know it was looooooong way between first text output and later magic things with FOTA for S8500 and S8530... like zImage start for Android and so on...
http://forum.xda-developers.com/showthread.php?t=1020444
Short look into GT-S5250_Training_Manual_SW.ppt
1.
FOTA file used...
Code:
bplib_S5250OpenEuropeSlav.fota
Chance "high" to generate text output. :angel:
1.1
Broadcom Mobile Trace Terminal
Not found yet... maybe same like WinComm...
2.
Btw...
_uart_bootloader
Code:
boot1a.img
boot1b.img
boot2.img
onenandboot_4k.img
What is this? Found in
Code:
S5250XEJI4.rar
S5250XEJI6.rar
I have NO Broadcom devices for tests... also NOT in future...
Find your own solution, with your own way...
Best Regards
P.S.:
If way found for zImage start... you need your own/new Broadcom team...
Sorry.
Thank you everyone for any input you are giving
Rebellos, thank you very much, that fact was an eye opener.
I will be really grateful to you guys if you can tell me how you came to know the security loophole. Any kind of help is greatly acknowledged. Again I would like to thank adfree and Rebellos for their contributions to this thread and the facts.
I've made a 20 minutes exercise - I downloaded bootfiles from S5250 (S5250XXJK2) and disassembled boot2.img using a guess that the bootloader is loaded at 83E00000. Easily found FOTA code similar to S8500. The binary is loaded from flash address 07E00000 to RAM 85200000 and executed there if the BPDZ marker is available (apps and fota file is checked as well), just as in S8500. The difference is switch arm32 and thumb mode.
In the attachment I've provided a sample fota file along with asm sources. That's all I can help. There's so much more to be handled from this moment on, but it's your job if you are to be capable of continuing any porting project. Please be aware that this is a hopeless task and you do it for fun and exploring. A finished port is not likely to ever be achieved unless you have a device with exactly the same board (not only microcontroller, but display, radio, camera, wifi, sensors, etc.) as another Android device.
Can you guys tell me how you decoded boot2.img?
I mean using which software, and how did you get the code?
please help
Thanks
Maybe you could try what mijoma attached...
S5250_src.zip
Especially this file:
S5250_fota_base.fota
Feedback help if it work or not...
Best Regards
You did not understand what I said.
I asked how you decoded boot2.img, using which software, and how you got the code.
You did not understand what I said.
Few answers are given...
Now mijoma offered FIRST solution for testing...
S5250_fota_base.fota
Now waiting for someones test feedback...
mijoma has NO broadcom device for testing...
Me too...
So you or other S5250 users...
I have also asked in German Thread...
http://www.handy-faq.de/forum/samsu...sion_download_freigegeben-11.html#post2541317
I also cannot see a test result here in your thread...
http://androbada525.hj.cx/index.php/topic,153.15.html
Best Regards

(Q) emulate any roms on SDK?

Hello guys, how do I emulate a custom ROM on the SDK for testing the ROM?
Thanks, and sorry, my English is very bad.
Sent from my Galaxy Nexus using Tapatalk 2
Originally Posted by Perceval from Hyrule
** Currently writing this, please wait !
Hello there,
here is a new tutorial I'm sure you'll like. As usual it took me LOTS of work to get all info and make this to work, so now I share it with you and show how to run custom ROMs within Android SDK Emulator.
Please note it's mainly for XPERIA X10, but process is the same for other Android-powered devices. It will show you the process for Linux.
1. Download the latest Android SDK.
2. Open the archive, and copy the folder android-sdk-linux-x86 to a safe place. You can also rename it to an easier name. Example : I placed it in ~/Home and renamed it androidsdk.
3. Go to the SDK folder, then in the folder Tools/. Double-click on Android and choose Run.
4. Go to Available packages, and choose to install (choose at your will !)
Android SDK Tools, revision 8
Android SDK Platform-tools, revision 1
SDK Platform Android {VERSION(S) YOU WANT} (!) You need at least one Platform. For X10, you can download 1.6, 2.1. You can also add 2.2, 2.3.
Once it's done, close the window.
5. Download Xperia X10 add-on for SDK. (?) Read the PDF add-on guide, it is helpful !
Copy the folder (from the archive) XPERIA-X10_r1 inside the folder add-ons of your Android SDK folder ({androidsdk}/add-ons/).
6. Run terminal, go to your Android SDK folder, then in tools folder, and run:
Code:
./android list target
Note the id number of the Android you want to develop (ie for me, Android 2.3 is listed as: id: 3 or "android-9"). (?) You might also want to note the name ("android-X") as it might be useful later.
7. Now, create AVD (a profile for emulator). Usual command (assuming you are INSIDE the /tools/ folder !) is
Code:
android create avd -n NAMEYOUWANT -t {ID}
So, for us, it will be
Code:
./android create avd -n myx10 -t 3
8. To generate the AVD, you will be prompted several info. Type these for Xperia X10 :
Create custom hardware profile : yes
SD Card support : yes
Abstracted LCD density : 160 (correct if I'm wrong ?)
DPad support : no (?)
Accelerometer : yes
Max camera pixels (H) : 3264
Cache partition size : 66 (?)
Audio playback : yes
Trackball : no (?)
Max cam pixels (V) : 2448
Camera support : yes
Battery support : yes
Touch screen : yes
Audio record : yes
GPS : yes
Cache partition : yes
Keyboard : no
heap size : 32
RAM : 280
GSM Modem : yes
(?) I recommend you to create one profile for each Android version you want to run (so : you just have to change the ID, and create same profile). If you don't, you won't be able to run custom ROMs using other versions of Android (ie your AVD profile is 2.3 and you run a 2.1 custom ROM).
9. Done ! Take your custom ROM (downloaded, compiled... In this case, files are in {YourAndroidRepoFolder}/out/target/product/generic/. It comes with about 3 files, including a file called system.img. Copy this file into the folder (hidden) .android/myx10{In fact, the name you've chosen earlier "NAMEYOUWANT"}.avd/
10. Run terminal, go to Android SDK folder/tools/ (if you didn't close your current terminal, you're already in and run this command to run emulator WITH your custom ROM :
Code:
./emulator -avd myx10{again the "NAMEYOUWANT" you've chosen before}
Wait and enjoy !
(?) First boot is long - it's NORMAL. Just like on a real device, the OS will be cached and will work faster and faster.
Look over this,it should help you.
Source
Thanks man
Sent from my Galaxy Nexus using Tapatalk 2

[Q&A] [TOOL][UTILITY] Carliv Image Kitchen for Android - unpack/repack boot-recovery

Q&A for [TOOL][UTILITY] Carliv Image Kitchen for Android - unpack/repack boot-recovery
Some developers prefer that questions remain separate from their main development thread to help keep things organized. Placing your question within this thread will increase its chances of being answered by a member of the community or by the developer.
Before posting, please use the forum search and read through the discussion thread for [TOOL][UTILITY] Carliv Image Kitchen for Android - unpack/repack boot-recovery. If you can't find an answer, post it here, being sure to give as much information as possible (firmware version, steps to reproduce, logcat if available) so that you can get help.
Thanks for understanding and for helping to keep XDA neat and tidy!
This looks like a really great tool but I'm having troubles with it.
gzip: ../boot.img-ramdisk.gz: not in gzip format
cpio: premature end of archive
Your ramdisk archive is corrupt. Are you trying to unpack a MTK image with regular script?
If so, please use unpack_MTK_img script. ERROR!
>> Exit script
when I use MTK it says
Unpacking the ramdisk....
gzip: ../boot.img-ramdisk.gz: not in gzip format
cpio: premature end of archive
Your ramdisk archive is corrupt. Are you trying to unpack a regular image with MTK script?
If so, please use unpack_img script. ERROR!
>> Exit script
this is for the LG Optimus F3 Boot.img from Team Win 2.8.0.0
is there any way to extract this puppy?
Code:
Printing information for "boot.img"
Android image info utility by [email protected]
Header:
Magic : ANDROID!
Magic offset : 0x00000000
Page_size : 2048 (0x00000800)
Base address : 0x80200000
Kernel address : 0x80208000
Kernel size : 7602936 (0x007402f8)
Kernel offset : 0x00008000
Ramdisk address : 0x88f108f0
Ramdisk size : 2048 (0x00000800)
Ramdisk offset : 0x08d108f0
Second address : 0x81100000
Tags address : 0x80200100
Tags offset : 0x00000100
Cmdline : 'androidboot.hardware=fx3s user_debug=31 vmalloc=308M'
Id : 46c3c0e3d52bc3f86497ddd8f07eae74643c5f0e
Successfully printed all informations for boot.img
HappyRoms said:
This looks like a really great tool but I'm having troubles with it.
gzip: ../boot.img-ramdisk.gz: not in gzip format
cpio: premature end of archive
Your ramdisk archive is corrupt. Are you trying to unpack a MTK image with regular script?
If so, please use unpack_MTK_img script. ERROR!
>> Exit script
when I use MTK it says
Unpacking the ramdisk....
gzip: ../boot.img-ramdisk.gz: not in gzip format
cpio: premature end of archive
Your ramdisk archive is corrupt. Are you trying to unpack a regular image with MTK script?
If so, please use unpack_img script. ERROR!
>> Exit script
this is for the LG Optimus F3 Boot.img from Team Win 2.8.0.0
is there any way to extract this puppy?
Code:
Printing information for "boot.img"
Android image info utility by [email protected]
Header:
Magic : ANDROID!
Magic offset : 0x00000000
Page_size : 2048 (0x00000800)
Base address : 0x80200000
Kernel address : 0x80208000
Kernel size : 7602936 (0x007402f8)
Kernel offset : 0x00008000
Ramdisk address : 0x88f108f0
Ramdisk size : 2048 (0x00000800)
Ramdisk offset : 0x08d108f0
Second address : 0x81100000
Tags address : 0x80200100
Tags offset : 0x00000100
Cmdline : 'androidboot.hardware=fx3s user_debug=31 vmalloc=308M'
Id : 46c3c0e3d52bc3f86497ddd8f07eae74643c5f0e
Successfully printed all informations for boot.img
Can you attach that image here, so I can take a look? It sounds like there is no ramdisk in it. There are some phones that don't have ramdisks in their boot images.
carliv said:
Can you attach that image here, so I can take a look? It sounds like there is no ramdisk in it. There are some phones that don't have ramdisks in their boot images.
Sure thing, just remove .zip from the file name, had to do that as it only allows 8Mb img uploads
I'm trying to edit the boot so that I might be able to make the external SD into the data drive, is this even possible or am I wasting my time?
Thanks!
HappyRoms said:
Sure thing, just remove .zip from the file name, had to do that as it only allows 8Mb img uploads
I'm trying to edit the boot so that I might be able to make the external SD into the data drive, is this even possible or am I wasting my time?
Thanks!
Ok, I see... Your image is "lokified". In order to use my tool you need to "de-lokify" it first, then after modding you need to "re-lokify" it back. Some info here and here. There may be a lot of other info, but I didn't have time to do a full search; you have to do that for yourself.
Some LG and Samsung devices have that "Loki" thing and you need to deal with it. Maybe when I have a phone like that I'll make an automated process for it, but for now I don't, and I can't work "blind".
I don't know what to say about your last question... I'm not even sure what you're talking about.
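To see what the header dump above actually says, and to check for the Loki patching carliv points at, here is a small parser written for this Q&A (an added example; it is not Carliv Image Kitchen code and not the "Android image info utility" quoted earlier). It reads the version-0 boot image header, computes where the ramdisk should sit, and tests whether the bytes there start with the gzip magic the unpack scripts expect. The sample image it builds is constructed in memory: the load addresses and cmdline are borrowed from the dump, while the Loki marker offset and magic are assumed from the public Loki tool's header layout rather than verified against the attached image.

```python
import gzip
import struct

BOOT_MAGIC = b"ANDROID!"
GZIP_MAGIC = b"\x1f\x8b"
# The public Loki tool stores its own small header in the unused tail of the
# boot image's header page; offset and magic as in Loki's loki.h (assumption,
# not something verified against the image posted in the thread).
LOKI_OFFSET = 0x400
LOKI_MAGIC = b"LOKI"

# Version-0 boot image header: magic, kernel/ramdisk/second sizes and load
# addresses, tags address, page size, two unused words, 16-byte product name,
# 512-byte kernel command line and the 32-byte id field.  The header occupies
# the first page; kernel, ramdisk and second stage follow, each page-aligned.
HDR_FMT = "<8s8I8x16s512s32s"


def page_align(n, page_size):
    return (n + page_size - 1) // page_size * page_size


def parse_boot_header(img):
    """Return header fields plus the computed file offsets of each section."""
    if img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (bad magic)")
    (_, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
     second_size, second_addr, tags_addr, page_size,
     name, cmdline, ident) = struct.unpack_from(HDR_FMT, img, 0)
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("implausible page size %d" % page_size)
    kernel_off = page_size
    ramdisk_off = kernel_off + page_align(kernel_size, page_size)
    second_off = ramdisk_off + page_align(ramdisk_size, page_size)
    return {
        "page_size": page_size,
        "kernel_size": kernel_size, "kernel_addr": kernel_addr,
        "ramdisk_size": ramdisk_size, "ramdisk_addr": ramdisk_addr,
        "second_size": second_size, "second_addr": second_addr,
        "tags_addr": tags_addr, "kernel_off": kernel_off,
        "ramdisk_off": ramdisk_off, "second_off": second_off,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": cmdline.rstrip(b"\0").decode("ascii", "replace"),
        "id": ident.hex(),
    }


def diagnose(img):
    """Header dict plus a list of reasons an unpack script's gzip/cpio step
    would fail on this image."""
    h = parse_boot_header(img)
    ramdisk = img[h["ramdisk_off"]:h["ramdisk_off"] + h["ramdisk_size"]]
    findings = []
    if img[LOKI_OFFSET:LOKI_OFFSET + 4] == LOKI_MAGIC:
        findings.append("loki_marker")        # de-lokify before unpacking
    if h["ramdisk_size"] == h["page_size"]:
        findings.append("ramdisk_one_page")   # one page is not a real ramdisk
    if len(ramdisk) < h["ramdisk_size"]:
        findings.append("ramdisk_truncated")  # file shorter than header claims
    elif not ramdisk.startswith(GZIP_MAGIC):
        findings.append("ramdisk_not_gzip")   # "gzip: not in gzip format"
    else:
        try:
            gzip.decompress(ramdisk)
        except (OSError, EOFError):
            findings.append("ramdisk_gzip_damaged")
    return h, findings


def sample_ramdisk(payload=b"070701" + b"\0" * 200):
    """Constructed gzip blob standing in for a cpio ramdisk."""
    return gzip.compress(payload)


def make_sample_image(kernel, ramdisk, page_size=2048, loki_marker=False):
    """Constructed fixture.  With loki_marker=True it only reproduces the
    shape of the thread's image: ramdisk appended to the kernel, the ramdisk
    size field shrunk to one page, an odd ramdisk address and a LOKI tag at
    0x400.  It is neither bootable nor a real Loki-patched image."""
    cmdline = b"androidboot.hardware=fx3s user_debug=31 vmalloc=308M"
    if loki_marker:
        kernel, ramdisk_field, ramdisk_addr = kernel + ramdisk, page_size, 0x88F108F0
    else:
        ramdisk_field, ramdisk_addr = len(ramdisk), 0x81200000
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC, len(kernel), 0x80208000,
                      ramdisk_field, ramdisk_addr, 0, 0x81100000, 0x80200100,
                      page_size, b"", cmdline, b"\0" * 32)
    hdr_page = bytearray(hdr.ljust(page_size, b"\0"))
    if loki_marker:
        hdr_page[LOKI_OFFSET:LOKI_OFFSET + 4] = LOKI_MAGIC
    body = kernel.ljust(page_align(len(kernel), page_size), b"\0")
    if loki_marker:
        body += b"\0" * page_size   # placeholder page where the ramdisk was
    else:
        body += ramdisk.ljust(page_align(len(ramdisk), page_size), b"\0")
    return bytes(hdr_page) + body


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        hdr, why = diagnose(f.read())
    print("ramdisk @ 0x%08x, %d bytes" % (hdr["ramdisk_off"], hdr["ramdisk_size"]))
    print("findings:", why or "none")
```

Run it as `python bootinfo.py boot.img`. The dump posted above already hints at the problem: the ramdisk size is exactly one page (2048 bytes) and the ramdisk address (0x88f108f0) is nowhere near the usual base + 0x01000000, which is consistent with a patched image whose real ramdisk has been moved behind the kernel. On such a file the script reports `ramdisk_one_page` and `ramdisk_not_gzip`, plus `loki_marker` if the tag is present, which is exactly the case where the unpack scripts' gzip step fails and the image has to be de-lokified first.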
carliv said:
Ok, I see... Your image is "lokified". In order to use my tool you need to "de-lokify" it first, then after modding you need to "re-lokify" it back. Some info here and here. There may be a lot of other info, but I didn't have time to do a full search; you have to do that for yourself.
Some LG and Samsung devices have that "Loki" thing and you need to deal with it. Maybe when I have a phone like that I'll make an automated process for it, but for now I don't, and I can't work "blind".
I don't know what to say about your last question... I'm not even sure what you're talking about.
Awesome, thanks!
Basically, the LG Optimus F3 comes with too little memory built in. There's a program that mounts an external SD's second partition as a data folder, but even then it runs out of internal memory or won't install apps larger than the internal memory because the "System" partition still has little room.
So the goal was to edit the boot so it will boot using an external SD directly as the system drive; it would read its maximum memory available as whatever the external SD's maximum is.
this would solve the problem, if it works, if not then it'll probably just brick the phone :good:
I just wanted to update and say thanks. This helped out great! I was able to successfully boot /data from my external SD card as desired, however, my card is only a class 2 so it won't be a good idea until I upgrade it to a class 10.
Lg Optimus F3 comes with very little internal storage, which was giving me a headache, so I wanted to make the phone boot using an external SD as the /data partition.
After following your tip, I un-loki'd the boot image and used your Carliv Image Kitchen to extract the contents, edited the fstab and edited out the original line "/dev/block/platform/msm_sdcc.1/by-name/userdata /data", telling it to mount /data on /dev/block/mmcblk1p2 instead.
After repacking, re-loki'ing and flashing the .img it had some problems; for some reason it was just booting to a black screen, so I used dd from the Team Win terminal to copy /dev/block/platform/msm_sdcc.1/by-name/userdata over to /dev/block/mmcblk1p2, and it worked!
being a class 2, it booted slowly and responded slowly but works none the less.
to be sure there was no problem with partition size, being how I used dd to mirror userdata over to the sdcard, I ran gparted in linux and resized the partition smaller, then larger to full size (just in case)
thanks for your wonderful tool and for pointing me in the right direction.
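The fstab edit described in the post above, as an added example (not the poster's own script and not part of Carliv Image Kitchen): an Android fstab has five whitespace-separated columns (source, mount point, type, mount flags, fs_mgr flags), and the safe edit is to swap only the source column of the /data entry while keeping the mount and fs_mgr flags (wait, check, and so on) exactly as they were. The sample fstab is constructed; only the userdata block path and the mmcblk1p2 target come from the post, the other lines are made up for the demonstration.

```python
# Constructed sample fstab; only the userdata path is taken from the post.
SAMPLE_FSTAB = """\
# <src>                                         <mnt_point>  <type>  <mnt_flags>                             <fs_mgr_flags>
/dev/block/platform/msm_sdcc.1/by-name/system   /system      ext4    ro,barrier=1                            wait
/dev/block/platform/msm_sdcc.1/by-name/userdata /data        ext4    nosuid,nodev,barrier=1,noauto_da_alloc  wait,check
/dev/block/platform/msm_sdcc.1/by-name/cache    /cache       ext4    nosuid,nodev,barrier=1                  wait,check
"""


def parse_fstab(text):
    """Return (line_index, fields) for each entry; comments and blank lines
    are skipped, and a line with fewer than five columns is rejected."""
    entries = []
    for n, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError("line %d: expected 5 columns, got %d" % (n + 1, len(fields)))
        entries.append((n, fields))
    return entries


def redirect_mount(text, mnt_point, new_src):
    """Rewrite the source device of exactly one mount point, leaving the
    type, mount flags and fs_mgr flags of that entry untouched."""
    lines = text.splitlines()
    hits = 0
    for n, fields in parse_fstab(text):
        if fields[1] == mnt_point:
            fields[0] = new_src
            lines[n] = " ".join(fields)
            hits += 1
    if hits != 1:
        raise ValueError("expected exactly one %s entry, found %d" % (mnt_point, hits))
    return "\n".join(lines) + "\n"


def mount_source(text, mnt_point):
    """Source device currently configured for a mount point (None if absent)."""
    for _, fields in parse_fstab(text):
        if fields[1] == mnt_point:
            return fields[0]
    return None


if __name__ == "__main__":
    print(redirect_mount(SAMPLE_FSTAB, "/data", "/dev/block/mmcblk1p2"))
```

The function refuses to touch a file where /data appears zero or several times, so a typo in the mount point cannot silently produce an unchanged fstab that then boots from internal storage as before. Rewriting the text is only half of what the post describes; the dd copy of the userdata partition onto mmcblk1p2 is what actually put a usable filesystem on the card.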
help sir carliv please
I was trying to install cm12 using carliv touch recovery 3.3 for KitKat on my Alcatel Pop D3 but it failed. Now my phone is stuck and won't turn on.
What version of CM can that recovery install??????
DONTEGO said:
I was trying to install cm12 using carliv touch recovery 3.3 for KitKat on my Alcatel Pop D3 but it failed. Now my phone is stuck and won't turn on.
What version of CM can that recovery install??????
The answer is already in your question:
I was trying to install cm12 using carliv touch recovery 3.3 for kit kat....
As I already posted in the recovery's thread, it will work with KitKat kernels. Some people port it to Lollipop but I never recommended that.
So, to answer clearly: cm11, because cm12 means Lollipop; or it will work with any other KitKat based ROM if your phone has any KitKat kernel released.
You need to ask the one who released that cm12 for your phone to provide a matching recovery along.
Now you probably need to reflash the phone with SPFlashTools.
Ok, thanks a whole lot, but I'm having another issue: the SD card is now only readable by my phone. How do I go about copying a ROM to it? Whenever I plug it into the PC it doesn't come up.
DONTEGO said:
Ok, thanks a whole lot, but I'm having another issue: the SD card is now only readable by my phone. How do I go about copying a ROM to it? Whenever I plug it into the PC it doesn't come up.
I'm trying to install Mystic_OS_v4DL750.zip; does it require a gapps package?
Can someone port me a recovery for Xolo Era 4G?
Sent from my Hacked_Era_4G using Tapatalk
Is it able to unpack stock recovery?
---------- Post added at 03:25 AM ---------- Previous post was at 03:23 AM ----------
Raakib Zargar said:
Can someone port me a recovery for Xolo Era 4G?
Sent from my Hacked_Era_4G using Tapatalk
Which chipset?
Hi there... I would like to ask if this tool works for Helio X20 CPUs (MT6797 - Leagoo T10), because I'm trying to extract the stock recovery but having trouble with the ramdisk... It says "compression used unknown..." I've seen it mentioned in the discussion some times but the explanation was to use the 1. method ??? I'm using the Windows 1.1 version and I really don't see any other method to use (start bat, r, 1 recovery.img, , 1 unpack image, error....). I'm just installing Ubuntu to see the difference but would be grateful for some advice... Thanks.
Since the main Carliv Image Kitchen thread was closed in 2017, all the util builds have been lost for some unknown reason. The dev said he had personal problems and advised users to help each other.
I've found the latest official version 1.3 builds and publish them here for practical and historic reasons. This util is mentioned in various manuals, so people will be looking for it for a long time. The old Linux modded version by yuweng is also added for completeness.
View attachment CarlivImageKitchen_Windows_v1.3.zip
View attachment CarlivImageKitchen_Windows_x64_v1.3.zip
View attachment CarlivImageKitchen-Linux_v1.3.zip
View attachment CarlivImageKitchen-Linux_x64_v1.3.zip
View attachment CarlivImageKitchen-Linux-DnD-yuweng.zip
Furthermore, user FOV5 @ 4pda.ru forums has modded the latest 1.3 version a few times, so I publish here his latest modded version 1.5B3 (12-Jan-2018)
Changes history:
- v1.4: Support for some non-standard kernel images (e.g. LibreELEC and similar).
- v1.5B1:
- Removed 'Boot' and 'Recovery' prefixes from file names while unpacking Boot/Recovery images. This makes it easy to compare whole Boot and Recovery folders after unpacking.
- Added optional experimental AmLogic core unpacking. This could be helpful to patch the storage media layout when the device partition table is built into the core.
- v1.5B2: Fixed 32-bit app crash after core unpacking. A few other small non-critical fixes.
- v1.5B3:
- New: while splitting the core, parameters like Name, Load Address and Entry Point are preserved.
- Fixed: the new app will try to pack the core only when all 4 kernel parts are found in the unpacking folder. If the core unpacking process failed in some way, one or more kernel.* files will be missing, so the repack process will use the original core instead of trying to assemble a broken one.
View attachment CarlivImageKitchen_Windows_v1.5B3.7z
If you have any questions related to this modded app version, look for user FOV5 at the 4pda.ru forums and ask him (I don't know whether he speaks any language except Russian; online translators are available anyway. There is also a Russian numeric captcha problem for non-Russian speakers when logging in to that forum, sorry guys). I do not often use this app and only occasionally visit XDA, so I can't support this product in a professional manner. Help each other, guys!