Better Mobile App

[DONE] NOP based Boot security chain FULL BYPASS with UART access

>>> With UART access NookTab Secure BOOT Chain as been FULLY BROKEN, Custom Kernel and Custom Ramdisk have been succesfully run on NookTab, Look towards 2nd page or so for full info <<<
Hi,
Few days back I had got an idea to try and see if we can BYPASS the boot security chain by replacing the bootloader in memory, because NOOKTAB allows UART ACCESS to UBOOT.
My initial thought was to use a replacement UBOOT without Security checks. However on further thought, as UBOOT has memory access commands, I realised the simpler solution is to edit the UBOOT code directly in memory from UBOOT prompt itself.
In turn I had posted the concept and the commands to try and do the same on the below two threads, for people to try. However as no one seems to have tried it yet, I myself opened up the my NookTab and connected the UART signals and am continuing my experiments and the initial results are promising.
FINDING1: The MShield security logic doesn't mind if one modifies the UBOOT CODE. I was able to NOP the security check result logic check and the code continued to boot.
Next I have to try a modified RAMDisk and see it works fully.
My earlier posts on this can be got from these two threads
http://forum.xda-developers.com/showthread.php?t=1378886
http://forum.xda-developers.com/showthread.php?t=1418172
For someone interested in experimenting with this below are the commands to try on UART of NOOKTAB.
uboot Command summary
---------------------------------------
md.l address_in_Hex ---------- To cross check the memory content before overwriting (should match what I have mentioned as ORIG)
mw.l address_in_Hex 4ByteValueInHex -------------- To modify the given address location with new value
md.l address_in_Hex -------------- To cross check that the new value you have written has come properly.
Command sequence for Ramdisk check bypassing
-----------------------------------------------------------------------------
UBOOTPROMT> md.l 80e84808 ----- This should show 1a00000a
NOTE: I have verified that the 2nd possibility mentioned in my earlier post i.e 0x80e8.0000-0x120 is the load address to use to calculate the offsets.
next run
UBOOTPROMPT> mw.l 80e84808 e1a00000 ------------- This modify with NOP
Next run
UBOOTPROMPT> md.l 80e84808 ------ should show e1a00000
Next if you have updated the recovery.img with new ramdisk into /recovery partition RUN
UBOOTPROMPT> mmcinit 1; booti mmc1 recovery
HOWEVER instead if you have updated the flashing_boot.img file with new ramdisk in microSD then RUN
UBOOTPROMPT> mmcinit 0; fatload mmc 0:1 0x81000000 flashing_boot.img; booti 0x81000000
Now it should boot with out giving a signature error.
NOTE1: I have verified that changing the contents of UBOOT (i.e NOPing) in itself doesn't lock the ARM, next I have to try a updated ramdisk and see what happens. If you ask me It should work, fingers crossed, I will try and update.
NOTE2: In any android img file at offset 0x10 (i.e 16) the ramdisk size is stored as a 4 byte (long) value. Cross verify first that the original img and the ramdisk size at offset 0x10 in it matches the original ramdisk. Then update the 0x10 offset of new img file with new ramdisk's size.
NOTE3: kernel security check bypass address = '0x80e847a0'

[REPOSTING OLD, CONCEPT] BYPASS Kernel and Ramdisk check for People with UART ACCESS
**************************
>>> This was my original post to the other two threads on this concept, I have put this here for completeness. The load address confusion which I had is already resolved <<<
****************************
Hi,
NOTE: THis is based on a initial look at the source code and then the objdump of u-boot.bin. I haven't cross checked this yet, because for now I haven't opened up the nooktab for uart access yet. Also this assumes by default booti command is used for booting in BN uboot. If some one wants to use bootm, then a different location requires to be patched wrt the image loading security check.
If you are a lucky ;-) person working with opened up NookTab with UART access, then basically replacing the memory contents of these two offsets with NOP will 90% BYPASS the security check successfully and allow you to boot a MODIFIED KERNEL or RAMDISK as required.
All offsets specified Assuming u-boot is loaded at 0 (adjust for the actual address where u-boot.bin is loaded, haven't looked into that yet).
Check for Security check of Kernel image is at
[ORIG] 0x48c0 => bne 0x48d8 (0x1a00.0004)
Make this a NOP by overwriting using uboot memory write command to
[MODI] 0x48c0 => mov r0, r0 (0xe1a0.0000)
Check for Security check of RAMDisk image is at
[ORIG] 0x4928 => bne 0x4958 (1a00.000a)
Make this a NOP by overwriting with
[MODI] 0x4928 => mov r0, r0 (0xe1a0.0000)
Someone (Hi Adamoutler, maybe you) with opened up NookTab can try this and tell me if it worked or not.
NOTE: you have to add up the actual u-boot load address to the offsets specified.
UPDATE1: It appears the load address is either
Possibility 1) 0x80e8.0000 OR
Possibility 2) 0x80e8.0000-0x120 (More likely).
Have to dig thro bit more, but one of these two will potentially work.
So that means to NOP RAMDisk security check the offset is
Possibility 1 ==> 0x80e8.0000+0x4928
Possibility 2 ==> 0x80e8.0000-0x120+0x4928 (More likely)
Best is to cross check if the resultant address contains the BNE instruction bytes specified above.
Same concept applies for the Kernel security check Nopping offset.
NOTE: It appears there is a 0x120 size header before the actual u-boot.bin code starts and in turn, when I did the objdump, it included the 0x120 bytes of header also assumed as code. And inturn the full (including the header) u-boot.bin or for that matter the u-boot from emmc seems to load into 0x80e8.0000-0x120.
UPDATE 2:
Code around the locations to be noped to help identify the same in memory, in case my offset calculations are wrong
48b4: eb0030f1 bl 0x10c80
48b8: e59d3010 ldr r3, [sp, #16]
48bc: e3530000 cmp r3, #0
48c0: 1a000004 bne 0x48d8
48c4: e59f0104 ldr r0, [pc, #260] ; 0x49d0
48c8: e594100c ldr r1, [r4, #12]
48cc: e5942008 ldr r2, [r4, #8]
48d0: eb0015db bl 0xa044
............
491c: eb0030d7 bl 0x10c80
4920: e59d3010 ldr r3, [sp, #16]
4924: e3530000 cmp r3, #0
4928: 1a00000a bne 0x4958
492c: e59f00a4 ldr r0, [pc, #164] ; 0x49d8
4930: e5941014 ldr r1, [r4, #20]
4934: e5942010 ldr r2, [r4, #16]
4938: eb0015c1 bl 0xa044
UPDATE 3: ... for a rainy day in future ;-)
UPDATE 4: For maximum success, first try a changed RAMDisk rather than Changed Kernel. If Changed Ramdisk works then try Changed Kernel (THere is one more thing in Code, which I am not sure if it will impact a modified kernel or not yet, only way is to experiment).
UPDATE 5: I have cross verified on the target with UART access and the 2nd possibility mentioned above wrt load address is what is correct.

android img header structure for reference
from tools/mkbootimg/bootimg.h
#define BOOT_MAGIC "ANDROID!"
#define BOOT_MAGIC_SIZE 8
#define BOOT_NAME_SIZE 16
#define BOOT_ARGS_SIZE 512
struct boot_img_hdr
{
unsigned char magic[BOOT_MAGIC_SIZE];
unsigned kernel_size; /* size in bytes */
unsigned kernel_addr; /* physical load addr */
unsigned ramdisk_size; /* size in bytes */
unsigned ramdisk_addr; /* physical load addr */
unsigned second_size; /* size in bytes */
unsigned second_addr; /* physical load addr */
unsigned tags_addr; /* physical addr for kernel tags */
unsigned page_size; /* flash page size we assume */
unsigned unused[2]; /* future expansion: should be 0 */
unsigned char name[BOOT_NAME_SIZE]; /* asciiz product name */
unsigned char cmdline[BOOT_ARGS_SIZE];
unsigned id[8]; /* timestamp / checksum / sha1 / etc */
};

PARTIAL SUCCESS BYPASSING SEC CHECK using NOP
Hi
By BYPASSING both the Kernel and Ramdisk checks using NOPs, I am able to run the kernel (not modified, but repackaged, so bypassed Kernel sec check) and modified ramdisk.
However either
a) I seem to have done something wrong OR
b) Secure boot chain is doing something internally before passing control to uboot during kernel sec check, which is different between a successful call and a bad call.
Because the kernel crashes after control passes to it, almost immidiately.
NOTE: Have to try with only ramdisk change ...
The UART Dump of my run is given below.
OMAP44XX SDP # booti 0x81000000
[ERROR] [SEC_ENTRY] Call to Secure HAL failed!
kernel @ 80088000 (2689312)
[ERROR] [SEC_ENTRY] Call to Secure HAL failed!
ramdisk @ 81080000 (513429)
Initrd start : 81080000 , Initrd end : 810fd475Acclaim Board.
Starting kernel ...
undefined instruction
pc : [<800886e4>] lr : [<80e930c0>]
sp : 80e3fac4 ip : 00028f05 fp : 80eabe44
r10: 810fd475 r9 : 80eb1fb8 r8 : 80e3ffdc
r7 : 80088000 r6 : 00000000 r5 : 80e3ffb4 r4 : 80eb1fb8
r3 : 00000000 r2 : 80000100 r1 : 00000e18 r0 : 00000000
Flags: nZCv IRQs off FIQs on Mode SVC_32
Resetting CPU ...
NOTE: This requires UART access to NookTab.
UPDATE 1: I found one mistake in that the unpack tool was always using a fixed size 2048 for page size rather than 4096 in the BN recovery.img, I fixed it and repackaged the new set of files and now even thou success eludes me, I find that this time it didn't give a SEC ERROR for my modified ramdisk !?!?!? But it was slower with the checks this time.
OMAP44XX SDP # booti 0x81000000
kernel @ 80088000 (2687264)
[ERROR] [SEC_ENTRY] Call to Secure HAL failed!
ramdisk @ 81080000 (513416)
Initrd start : 81080000 , Initrd end : 810fd468Acclaim Board.
Starting kernel ...

SUCCESS SUCCESS SUCCESS with Modified Ramdisk
Hi All,
SHORT form for impatient people
-------------------------------------------------
OMAP44XX SDP # mmcinit 0; fatload mmc 0:1 0x81000000 new.recovery.img;
OMAP44XX SDP # md.l 80e84808 1; md.l 80e847a0 1; mw.l 80e84808 e1a00000; md.l 80e84808 1; md.l 80e847a0 1
OMAP44XX SDP # booti 0x81000000
LONG form for people who want bit more details
---------------------------------------------------------------------
I have been able to boot into a modified recovery image using my NOP based BYPASS logic for secure boot chain.
What I learnt in the process are
a) Secure boot chain logic doesn't bother if we change the UBoot / XYZ code space Key to any logic using/manipulating the memory of the NookTab from uboot.
b) The Android img images for BN NookTab contain
b.1) The standard 2K Android header (nothing special from BN in this).
However NOTE that pagesize is 4096 and a good base address (picked from recovery.img of factory.zip) is 0x80080000
b.2) The Kernel and the Ramdisk images with in the android img file in turn contain 0x120 Byte headers individually
b.3) The Secure Boot chain seems to be particular about these 0x120 byte headers
Even for my modified ramdisk, I had to use the original ramdisks' BN Header. Otherwise the security check seemed to take a hell lot of time most of the time and the end results were touchy (Have to debug this further ..., ALSO THERE IS THE OPTION OF AVOIDING THE SEC_ENTRY call in the FIRST PLACE ITSELF TO TRY AND BYPASS THIS, IF REQUIRED, I have to experiment this later).
So if one is using a tool which searchs for the GZIP MAGIC to decide where to split the img file into strictly two parts consisting of
dump_1) Android_Image_Header+Kernel_BNHeader+Kernel+Ramdisk_BNHeader and
dump_2) Ramdisk file
are fine.
However if one is using a program which uses the Android image header structure to dump the contents need to be careful to extract the BN header from the corresponding ramdisk file and then after manipulating/modifying the ramdisk file, RE PREPEND the BN header back to the ramdisk. Before clubing/joining all the files together.
Or tools which assume wrong pagesize (some I found used 2K page size instead of picking from android header) or which split the constituents into individual parts intelligently (which by the way will discard the BN Header potentially) will have to be MODIFIED before using.
I ended up writing my own c code to dump using Android header and inturn use shell script to extract the BN Header for safe keeping before merging everything back later. I will post the code and simple shell scripts in a day or two.
BELOW is the OUTPUT OF MY SUCESSFUL RUN with MODIFIED RAMDISK
--------------------------------------------------------------------------------------------------------------------
OMAP44XX SDP # mmcinit 0; fatload mmc 0:1 0x81000000 new.hdr.img;
3207168 bytes read
OMAP44XX SDP # md.l 80e84808 1; md.l 80e847a0 1; mw.l 80e84808 e1a00000; md.l 80e84808 1; md.l 80e847a0 1
80e84808: 1a00000a ....
80e847a0: 1a000004 ....
80e84808: e1a00000 ....
80e847a0: 1a000004 ....
OMAP44XX SDP # booti 0x81000000
kernel @ 80088000 (2682952)
[ERROR] [SEC_ENTRY] Call to Secure HAL failed!
ramdisk @ 81080000 (513707)
Initrd start : 81080000 , Initrd end : 810fd58bAcclaim Board.
Starting kernel ...
Linux version 2.6.35.7 ([email protected]) (gcc version 4.4.1 (Sourcery G++ Lite 2010q1-202) ) #1 SMP PREEMPT Fri Nov 11 12:35:42 PST 1
CPU: ARMv7 Processor [411fc093] revision 3 (ARMv7), cr=10c53c7f
CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
Machine: OMAP4430 ACCLAIM
Memory policy: ECC disabled, Data cache writealloc
...........

That all looks very good and sounds extremely promising
So in the realms of being able to boot modified roms where does this put us?

Uses of this method and its merits/demerits or needs/no needs
Hi Celtic/All,
*** The only places I see a meaningful use for this is mentioned towards the end, otherwise, I am working on this mainly for the fun of exploration. In most other cases where one thinks one needs this, I can tell you It can be achieved with out this, except for some exotic things which don't affect majority of users ***
My thoughts on ROMs with different complexities
------------------------------------------------------------------------
If a modified ROM is not using (doesn't need) custom Kernel or custom Ramdisk, then my 2ndihkvc or any other working 2nd-init method is the simple and straight forward way of doing a custom rom.
If it however requires a custom Ramdisk, then this NOP based BYPASS method will allow one to achieve the same. However I don't see any need for anyone to use a custom ramdisk. If someone is using a custom ramdisk, It can be 98% modified to use the generic 2nd-init method and in case of NookTab my simple 2ndihkvc method (As documented in my other thread, the default 2nd-init logic fails on NookTab as it uses ONE too many PTRACE calls).
If it requires a custom Kernel then with bit more work on this I don't see why a Custom kernel cann't be booted.
However if you ask me, we don't gain much with a custom kernel or ramdisk, which cann't be achieved using root access and or module loading support in default kernel, and inturn REMEMBER that both of these can be done on NookTab today (i.e 1. Root access and 2. Module loading).
Also NOTE that this requires UART access.
*** ONE PLACE WHERE THIS CAN HELP *** is, with BN 1.4.1 firmware, which has blocked the current rooting method If I am not wrong (Unless someone has found a way to break it recently, which I have missed). For 1.4.1, with this, we can boot into a specific custom recovery image and modify the /system partition, such that we put su and SuperUser back into it under /system/bin (with proper chmod settings) and /system/app, so that we can gain Root access again, on rebooting into the NookTAB normally after this change.
*** Another place *** is when the device is very old and the new kernel can bring in some feature missing badly in a very old device. Again in many of these cases, if one puts sufficient effort the feature may be back portable and or injectable into a older kernel using the module route.
REMEMBER IN LINUX - KERNEL MODULE IS SAME AS KERNEL as far as PRIVILAGES are concerned, as it stands TODAY, all LIMITS IF ANY are ARTIFICIAL.
HOPE THAT HELPS

I love reading these threads even though I don't fully understand everything going on in the code parts.
I'm interested in custom kernels because as far as I know there's no way to get ICS running on the Tab without one.
Nexus S 4G 4.0.3

I honestly dont know much about creating custom ROM's but I have been wondering why every thinks that we have to have the bootloader unlocked before we can get any type of custom ROM. I have a Moto X2. The bootloader is not and never will be unlocked but I am running a really sweet custom ROM on it. I know from other android phones that a ROM is possible with a locked bootloader.
My point is...I am glad to see someone working around this and taking the next step. I was wondering if DEV's have almost given up on the NT. Thank you for your work!

Rooting 1.4.1
hkvc said:
... BN 1.4.1 firmware, which has blocked the current rooting method If I am not wrong (Unless someone has found a way to break it recently, which I have missed).
Click to expand...
Click to collapse
See my method at http://forum.xda-developers.com/showthread.php?t=1413734 (since Dec 27)
Note that my method starts with either a rooted or (preferably) unrooted copy of 1.4.0, roots it if necessary, modifies it slightly, updates to 1.4.1, and then regains root. Requires ADB/USB access.

POTENTIAL SUCCESS with CUSTOM KERNEL (INDIRECT METHOD)
Hi All,
In SHORT for impatient
---------------------------------
OMAP44XX SDP # mmcinit 0; fatload mmc 0:1 0x81000000 new.hdr.img;
OMAP44XX SDP # md.l 80e84794 1; md.l 80e847fc 1; mw.l 80e84794 e1a00000; mw.l 80e847fc e1a00000; md.l 80e84794 1; md.l 80e847fc 1
OMAP44XX SDP # md.l 80e84808 1; md.l 80e847a0 1; mw.l 80e84808 e1a00000; mw.l 80e847a0 e1a00000; md.l 80e84808 1; md.l 80e847a0 1
OMAP44XX SDP # booti 0x81000000
(c) HKVC, GPL ;-)
The sufficient minimal Details
-------------------------------------
I have verified that NOT CALLING SEC_ENTRY calls, with in uboot, related to kernel and ramdisk check keeps things smooth. That should mean the FLOOD GATES are POTENTIALLY OPEN for CUSTOM KERNELs with UART ACCESS.
This requires few additional NOPs compared to what I had originally specified (My original set of NOPs had some issue with Kernel booting, which I have to debug later, however this work around seems to resolve it - I don't want to delve more into this than what I have already specified here, unless Secure Bootloader people get any ideas ;-).
UART Boot Dump/log
-------------------------
OMAP44XX SDP # mmcinit 0; fatload mmc 0:1 0x81000000 new.hdr.img;
3207168 bytes read
OMAP44XX SDP # md.l 80e84794 1; md.l 80e847fc 1; mw.l 80e84794 e1a00000; mw.l 80e847fc e1a00000; md.l 80e84794 1; md.l 80e847fc 1
80e84794: eb0030f1 .0..
80e847fc: eb0030d7 .0..
80e84794: e1a00000 ....
80e847fc: e1a00000 ....
OMAP44XX SDP # md.l 80e84808 1; md.l 80e847a0 1; mw.l 80e84808 e1a00000; mw.l 80e847a0 e1a00000; md.l 80e84808 1; md.l 80e847a0 1
80e84808: 1a00000a ....
80e847a0: 1a000004 ....
80e84808: e1a00000 ....
80e847a0: e1a00000 ....
OMAP44XX SDP # booti 0x81000000
kernel @ 80088000 (2682952)
ramdisk @ 81080000 (513707)
Initrd start : 81080000 , Initrd end : 810fd58bAcclaim Board.
Starting kernel ...
Linux version 2.6.35.7 ([email protected]) (gcc version 4.4.1 (Sourcery G++ Lite 2010q1-202) ) #1 SMP PREEMPT Fri Nov 11 12:35:42 PST 2011
CPU: ARMv7 Processor [411fc093] revision 3 (ARMv7), cr=10c53c7f
CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
Machine: OMAP4430 ACCLAIM
Memory policy: ECC disabled, Data cache writealloc
On node 0 totalpages: 245760

And if the merge bootloader of the nook color and from nook tablet, compare it and try to create one substitution?

DeanGibson said:
See my method at http://forum.xda-developers.com/showthread.php?t=1413734 (since Dec 27)
Note that my method starts with either a rooted or (preferably) unrooted copy of 1.4.0, roots it if necessary, modifies it slightly, updates to 1.4.1, and then regains root. Requires ADB/USB access.
Click to expand...
Click to collapse
Hi DeanGibson,
Thanks for your efforts on that. It should help people who get bumped into 1.41 by BN.
HOWEVER Do note that if the uSD based MLO and u-boot.bin gets loaded first before the ones in eMMC by the internal boot rom of the Omap (Should be the case based on what Pokey had mentioned sometime back, I haven't cross checked myself yet, as I have been busy with these stuff which I am looking into). Then what ever (except for one cavet - which I wont mention here) BN may do in a future update, with the UART based u-boot method which I have mentioned in this thread, one will always be able to get root access to the device.

OMG hkvc, between you, DG, and AO how can the NT win?
You guys are monsters! (in a good way)

Ok, little explaining before questioning is I'm not a tech guy. But from the all post of hkvc in this thread, the understanding that we can access more space in 16GB internal storage and custom ROM/kernel is on the way is correct?

camapghe said:
Ok, little explaining before questioning is I'm not a tech guy. But from the all post of hkvc in this thread, the understanding that we can access more space in 16GB internal storage and custom ROM/kernel is on the way is correct?
Click to expand...
Click to collapse
This requires repartitioning the drive, which we are not at this time confident, that it will not brick your nook by doing so. (This double negative actually is making a positive: Repartitioning might brick your nook.)
This hardware modification has nothing to do with accessing more of the space as that is entirely a software remedy. We're just not confident about how hard the Nook looks at the primary partition table.

SUCCESS SUCCESS SUCCESS with CUSTOM Kernel+ CUSTOM Ramdisk, UART NOP BYPASS
Hi All,
As I had mentioned yesterday/today early morning, By bypassing the SEC_ENTRY check I was able to run stock kernel with out any problem. And as I had mentioned then even thou it is a indirect way of verifying possibility of custom kernels, it should still open the flood gate for custom kernels (with UART access for NoW ;-).
Now I have actually verified by RUNNING a CUSTOM Kernel which I compiled along with a CUSTOM Ramdisk (with adb enabled - look at last few lines), which you can know from
a) the kernel version line while booting, which contains the machine used for compiling (Obviously I have redacted part of my name ;-),
b) as well as the size of the kernel and ramdisk images which is different from the stock img files, because this contains both a custom kernel as well as custom ramdisk from me.
SO IT IS SUCCESS with CUSTOM KERNELS+ CUSTOM RAMDISKS, using the uboot commands which I had mentioned in my older post.
UART DUMP including UBoot commands
--------------------------------------------------
OMAP44XX SDP # mmcinit 0; fatload mmc 0:1 0x81000000 new.kr.img;
4157440 bytes read
OMAP44XX SDP # md.l 80e84794 1; md.l 80e847fc 1; mw.l 80e84794 e1a00000; mw.l 80e847fc e1a00000; md.l 80e84794 1; md.l 80e847fc 1
80e84794: eb0030f1 .0..
80e847fc: eb0030d7 .0..
80e84794: e1a00000 ....
80e847fc: e1a00000 ....
OMAP44XX SDP # md.l 80e84808 1; md.l 80e847a0 1; mw.l 80e84808 e1a00000; mw.l 80e847a0 e1a00000; md.l 80e84808 1; md.l 80e847a0 1
80e84808: 1a00000a ....
80e847a0: 1a000004 ....
80e84808: e1a00000 ....
80e847a0: e1a00000 ....
OMAP44XX SDP # booti 0x81000000
kernel @ 80088000 (2693828)
ramdisk @ 81080000 (1455055)
Initrd start : 81080000 , Initrd end : 811e32afAcclaim Board.
Starting kernel ...
Linux version 2.6.35.7 ([email protected]) (gcc version 4.5.4 (Ubuntu/Linaro 4.5.3-9ubuntu1) ) #1 SMP PREEMPT Wed Jan 4 02:43:18 IST 2012
CPU: ARMv7 Processor [411fc093] revision 3 (ARMv7), cr=10c53c7f
CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
Machine: OMAP4430 ACCLAIM
Memory policy: ECC disabled, Data cache writealloc
On node 0 totalpages: 245760
..... Chopped ...............
omapfb omapfb: Unknown ioctl 0x40044620
init: Unable to open persistent property directory /data/property errno: 2
enabling adb
adb_open
android_usb gadget: high speed config #1: android
SO ALL OF YOU out there ITHCING to experiment with Custom Kernels and What not, Go ahead and enjoy the freedom to do so on NOOK TABLET (with UART access for NoW ;-)

My Android Img file manipulation scripts including few older ones by others.
Hi,
I am attaching the simple C program and the scripts which I use for extracting BN Android Imgs consisting of
a) Dumping the individual sections of Android img
b) Allow seperating the header from the actual Kernel or Ramdisk
c) Allow concatenating (This is kind of dummy, but required to take care of u-boot logic of loading) the old header with new Kernel or Ramdisk
d) Pass proper arguments to recreate the Android IMG file.
Also I have attached some of the other open source tools which I started with originally, but due to few things here and there and also to get maximum flexibility I moved to my own set of scripts and program.

recovery img with simple ramdisk with ADB and Root shell on Adb and console
Hi,
Attached is a recovery.img file with the standard Kernel from NookTab and a modified Ramdisk which has support for
a) ADB shell
b) Root shell access (Both ADB and Console)
c) Console is enabled in UART.
Note that the sh on the ramdisk is renamed busybox with a symbolic link called busybox pointing to this sh.
go into /system/bin and run
busybox --install /system/bin
So that you have the standard commands available on the recovery shell.
Also remember to run
export PATH=/system/bin:$PATH

I am following this thread, Congrats on your findings and thanks for your time you spent on it.

How to open recovery.img file

Hello, i want to edit some files in a recovery.img file but i cant open the .img file. Can anybody tell me how to open .img files?
Thanks in advance.
Sent from my GT-I9001 using XDA Premium App

martijn.vanpoorten said:
Hello, i want to edit some files in a recovery.img file but i cant open the .img file. Can anybody tell me how to open .img files?
Thanks in advance.
Sent from my GT-I9001 using XDA Premium App
Click to expand...
Click to collapse
Well, it depends of its internal format, can be samsung stock firmware format or not. You know it visually because is named factoryfs.img or system.img or either includes ext3 or ext4 or similar. Other times its yaffs filesystem.
Check here:
[HOW TO][Windows]Extract Deodex Sign and Zipalign an official ROM
From the Android device you can use AppExtractor or Nandroid Browser if it is in the proper filesystem format.

I think you must have a source for the recovery.img.

PhoneM96 said:
I think you must have a source for the recovery.img.
Click to expand...
Click to collapse
Not to just extract it.

scandiun said:
Well, it depends of its internal format, can be samsung stock firmware format or not. You know it visually because is named factoryfs.img or system.img or either includes ext3 or ext4 or similar. Other times its yaffs filesystem.
Check here:
[HOW TO][Windows]Extract Deodex Sign and Zipalign an official ROM
From the Android device you can use AppExtractor or Nandroid Browser if it is in the proper filesystem format.
Click to expand...
Click to collapse
Thanks for the info and pointing me into a direction, i will read the posts you added

scandiun said:
Not to just extract it.
Click to expand...
Click to collapse
PhoneM96 said:
I think you must have a source for the recovery.img.
Click to expand...
Click to collapse
I already have the recovery.img file i need. I only need to open it and see if i can make some changes to some files regarding the height and width. It looks like the version is build for an 7.1 tab

martijn.vanpoorten said:
I already have the recovery.img file i need. I only need to open it and see if i can make some changes to some files regarding the height and width. It looks like the version is build for an 7.1 tab
Click to expand...
Click to collapse
He means the source code of the img file, not the img. We already take for granted you already have it. Did you finally extract it?

scandiun said:
He means the source code of the img file, not the img. We already take for granted you already have it. Did you finally extract it?
Click to expand...
Click to collapse
Nope, still didn't extract it.
Here is what i have: recovery.tar.md5 I can open the file with winrar and extract the content and end up with the recovery.img file. How can i open the .img file and extract the content. I want to see what's inside and if i can edit the files, i want to learn more about it.

rename the md5 to tar and open it with winrar or peazip.

scandiun said:
He means the source code of the img file, not the img. We already take for granted you already have it. Did you finally extract it?
Click to expand...
Click to collapse
scandiun said:
rename the md5 to tar and open it with winrar or peazip.
Click to expand...
Click to collapse
I know that if when i rename .tar.md5 to just .tar i can use winrar to open the file. When the file is open i see a recovery.img file then i extrract the recovery.img to my desktop. How can i open the recovery.img file? I want to extract the content of the recovery.img file so i can see how it works and what is inside the recovery.img

martijn.vanpoorten said:
I know that if when i rename .tar.md5 to just .tar i can use winrar to open the file. When the file is open i see a recovery.img file then i extrract the recovery.img to my desktop. How can i open the recovery.img file? I want to extract the content of the recovery.img file so i can see how it works and what is inside the recovery.img
Click to expand...
Click to collapse
Try Diskinternals Linux Reader and mount the image with cntrol+m

This is exactly I want to do too. I only have the recovery.img but I want to modify the height and wight of it, because it designed for 7" and I want it to 10"... I managed to open it but looks like we need the source because I haven't found anything about it.

scandiun said:
Try Diskinternals Linux Reader and mount the image with cntrol+m
Click to expand...
Click to collapse
I can't open the file with DiskInternals Linux Reader.

Gaboros said:
This is exactly I want to do too. I only have the recovery.img but I want to modify the height and wight of it, because it designed for 7" and I want it to 10"... I managed to open it but looks like we need the source because I haven't found anything about it.
Click to expand...
Click to collapse
We are looking for the same thing
Another thing that would be nice is when the option to boot into recovery or download mode is added to the shutdown menu. I have CM9 on my phone and that has these options. It's very usefull ...

Try this script under linux or windows (you need perl installed) and see if you get "Android Magic not found" error.
[ADVANCED] How To Mod: BOOT & RECOVERY
Firmware Multi-booting
split_bootimg.pl
Code:
#!/usr/bin/perl
######################################################################
#
# File : split_bootimg.pl
# Author(s) : William Enck <[email protected]>
# Description : Split appart an Android boot image created
# with mkbootimg. The format can be found in
# android-src/system/core/mkbootimg/bootimg.h
#
# Thanks to alansj on xda-developers.com for
# identifying the format in bootimg.h and
# describing initial instructions for splitting
# the boot.img file.
#
# Last Modified : Tue Dec 2 23:36:25 EST 2008
# By : William Enck <[email protected]>
#
# Copyright (c) 2008 William Enck
#
######################################################################
use strict;
use warnings;
# Turn on print flushing
$|++;
######################################################################
## Global Variables and Constants
my $SCRIPT = __FILE__;
my $IMAGE_FN = undef;
# Constants (from bootimg.h)
use constant BOOT_MAGIC => 'ANDROID!';
use constant BOOT_MAGIC_SIZE => 8;
use constant BOOT_NAME_SIZE => 16;
use constant BOOT_ARGS_SIZE => 512;
# Unsigned integers are 4 bytes
use constant UNSIGNED_SIZE => 4;
# Parsed Values
my $PAGE_SIZE = undef;
my $KERNEL_SIZE = undef;
my $RAMDISK_SIZE = undef;
my $SECOND_SIZE = undef;
######################################################################
## Main Code
&parse_cmdline();
&parse_header($IMAGE_FN);
=format (from bootimg.h)
** +-----------------+
** | boot header | 1 page
** +-----------------+
** | kernel | n pages
** +-----------------+
** | ramdisk | m pages
** +-----------------+
** | second stage | o pages
** +-----------------+
**
** n = (kernel_size + page_size - 1) / page_size
** m = (ramdisk_size + page_size - 1) / page_size
** o = (second_size + page_size - 1) / page_size
=cut
my $n = int(($KERNEL_SIZE + $PAGE_SIZE - 1) / $PAGE_SIZE);
my $m = int(($RAMDISK_SIZE + $PAGE_SIZE - 1) / $PAGE_SIZE);
my $o = int(($SECOND_SIZE + $PAGE_SIZE - 1) / $PAGE_SIZE);
my $k_offset = $PAGE_SIZE;
my $r_offset = $k_offset + ($n * $PAGE_SIZE);
my $s_offset = $r_offset + ($m * $PAGE_SIZE);
(my $base = $IMAGE_FN) =~ s/.*\/(.*)$/$1/;
my $k_file = $base . "-kernel";
my $r_file = $base . "-ramdisk.gz";
my $s_file = $base . "-second.gz";
# The kernel is always there
print "Writing $k_file ...";
&dump_file($IMAGE_FN, $k_file, $k_offset, $KERNEL_SIZE);
print " complete.\n";
# The ramdisk is always there
print "Writing $r_file ...";
&dump_file($IMAGE_FN, $r_file, $r_offset, $RAMDISK_SIZE);
print " complete.\n";
# The Second stage bootloader is optional
unless ($SECOND_SIZE == 0) {
print "Writing $s_file ...";
&dump_file($IMAGE_FN, $s_file, $s_offset, $SECOND_SIZE);
print " complete.\n";
}
######################################################################
## Supporting Subroutines
=header_format (from bootimg.h)
struct boot_img_hdr
{
unsigned char magic[BOOT_MAGIC_SIZE];
unsigned kernel_size; /* size in bytes */
unsigned kernel_addr; /* physical load addr */
unsigned ramdisk_size; /* size in bytes */
unsigned ramdisk_addr; /* physical load addr */
unsigned second_size; /* size in bytes */
unsigned second_addr; /* physical load addr */
unsigned tags_addr; /* physical addr for kernel tags */
unsigned page_size; /* flash page size we assume */
unsigned unused[2]; /* future expansion: should be 0 */
unsigned char name[BOOT_NAME_SIZE]; /* asciiz product name */
unsigned char cmdline[BOOT_ARGS_SIZE];
unsigned id[8]; /* timestamp / checksum / sha1 / etc */
};
=cut
sub parse_header {
my ($fn) = @_;
my $buf = undef;
open INF, $fn or die "Could not open $fn: $!\n";
binmode INF;
# Read the Magic
read(INF, $buf, BOOT_MAGIC_SIZE);
unless ($buf eq BOOT_MAGIC) {
die "Android Magic not found in $fn. Giving up.\n";
}
# Read kernel size and address (assume little-endian)
read(INF, $buf, UNSIGNED_SIZE * 2);
my ($k_size, $k_addr) = unpack("VV", $buf);
# Read ramdisk size and address (assume little-endian)
read(INF, $buf, UNSIGNED_SIZE * 2);
my ($r_size, $r_addr) = unpack("VV", $buf);
# Read second size and address (assume little-endian)
read(INF, $buf, UNSIGNED_SIZE * 2);
my ($s_size, $s_addr) = unpack("VV", $buf);
# Ignore tags_addr
read(INF, $buf, UNSIGNED_SIZE);
# get the page size (assume little-endian)
read(INF, $buf, UNSIGNED_SIZE);
my ($p_size) = unpack("V", $buf);
# Ignore unused
read(INF, $buf, UNSIGNED_SIZE * 2);
# Read the name (board name)
read(INF, $buf, BOOT_NAME_SIZE);
my $name = $buf;
# Read the command line
read(INF, $buf, BOOT_ARGS_SIZE);
my $cmdline = $buf;
# Ignore the id
read(INF, $buf, UNSIGNED_SIZE * 8);
# Close the file
close INF;
# Print important values
printf "Page size: %d (0x%08x)\n", $p_size, $p_size;
printf "Kernel size: %d (0x%08x)\n", $k_size, $k_size;
printf "Ramdisk size: %d (0x%08x)\n", $r_size, $r_size;
printf "Second size: %d (0x%08x)\n", $s_size, $s_size;
printf "Board name: $name\n";
printf "Command line: $cmdline\n";
# Save the values
$PAGE_SIZE = $p_size;
$KERNEL_SIZE = $k_size;
$RAMDISK_SIZE = $r_size;
$SECOND_SIZE = $s_size;
}
sub dump_file {
my ($infn, $outfn, $offset, $size) = @_;
my $buf = undef;
open INF, $infn or die "Could not open $infn: $!\n";
open OUTF, ">$outfn" or die "Could not open $outfn: $!\n";
binmode INF;
binmode OUTF;
seek(INF, $offset, 0) or die "Could not seek in $infn: $!\n";
read(INF, $buf, $size) or die "Could not read $infn: $!\n";
print OUTF $buf or die "Could not write $outfn: $!\n";
close INF;
close OUTF;
}
######################################################################
## Configuration Subroutines
sub parse_cmdline {
unless ($#ARGV == 0) {
die "Usage: $SCRIPT boot.img\n";
}
$IMAGE_FN = $ARGV[0];
}

Here is my method for it.
First I used this tools.
http://www.mediafire.com/?9pllpht41e62d77
It is not my work, so sorry for reupolading but I didn't found the source!
Rename the recovery.img to boot.img (basically it was designed for this, but they the same) and put it there. And use the tool for unpack it for kernel and ramdisk.gz file.
Then You have to unpack it in linux (if I know well it is the best to do it there because if the filesystem)
For example:
"gunzip -c boot.img-ramdisk.gz | cpio -i"
It will unpack it, you have to do the necessarily changes. Than repack it:
"find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz"
Note this is pack the whole folder when you run it.
Then you just need to pack them back to img file.
But as I said I didn't found anything in connection with the resolution. It is quit sad because the recovery is working in my device but it designed for smaller screen and everything is display wrong.
It would be great if anyone know something about how to fix this without the source code, or someone could help me how to port the CWM from the original source.

This could help a bit to. But you got to mod the files a bit to you're device.
http://forum.xda-developers.com/showthread.php?t=1494036

[email protected] said:
This could help a bit to. But you got to mod the files a bit to you're device.
http://forum.xda-developers.com/showthread.php?t=1494036
Click to expand...
Click to collapse
Sorry for the late reply,
Thanks for the link and i will take a look at it again. I noticed that the best way is to use Linux. I had to reinstall Ubuntu firts but now it's all good to go

thanks man
Sent from my Nokia 5110 using Tapsilog and Kape

Beer Brand said:
thanks man
Sent from my Nokia 5110 using Tapsilog and Kape
Click to expand...
Click to collapse
i will be back to this soon..
Sent from my Transformer TF101 using Tapatalk HD

[Q] Galaxy Trend GT-S7560 bootloops after replaced digitizer

Hello guys!
So I have the Samsung Galaxy Trend GT-S7560 phone stuck on bootloop after replacing broken touchscreen digitizer (and yes, I triple-checked the all the connectors).
I can get into the 'download mode' which is nice. So I tried to reflash the kernel and although I compiled the zImage, I've no idea what to do with it further. Extra details and motivation follows...
I've seen some vague claims on the Web that flashing GT-S7562 firmware on GT-S7560 fixes this (but may introduce different bugs), and I tried to investigate this further.
I fetched the source code from opensource.samsung.com for both GT-S7560 and GT-S7562.
I assumed this might be different drivers for touchscreens in kernel configuration, but there is insignificant change in configurations.
Code:
$ diff -u kernel-S756{0,2}/arch/arm/configs/kyle02_defconfig
--- kernel-S7560/arch/arm/configs/kyle02_defconfig 2013-05-29 05:14:53.000000000 +0300
+++ kernel-S7562/arch/arm/configs/kyle02_defconfig 2012-10-19 03:06:01.000000000 +0300
@@ -217,7 +217,6 @@
CONFIG_SENSORS_BMA222=y
CONFIG_SENSORS_BMA222E=y
CONFIG_SENSORS_CORE=y
-CONFIG_SENSORS_KXTJ2=y
CONFIG_PROXIMITY_SENSOR=y
CONFIG_ANDROID_PMEM=y
CONFIG_SCSI=y
@@ -245,7 +244,6 @@
# CONFIG_INPUT_MOUSE is not set
CONFIG_INPUT_TOUCHSCREEN=y
CONFIG_TOUCHSCREEN_MELFAS_KYLE=y
-CONFIG_TOUCHSCREEN_MELFAS_KYLE_G2=y
# CONFIG_TOUCHSCREEN_ZINITIX_AMAZING is not set
CONFIG_TOUCHSCREEN_ATMEL_MAXTOUCH=n
CONFIG_TOUCHSCREEN_SYNAPTICS_RMI4_I2C=n
Although there is some difference in code, but I haven't spotted the relevant parts yet.
Since the source I have is most likely newer (tagged S7560XXBMK2), I thought I could try to flash it unmodified and hope it contains the fix already. I compiled the zImage but I wonder what do I do with it now.
I got a partition dump from phone with Heimdall (Linux equivalent of Odin), but none says 'KERNEL' (as I expected it would).
Code:
$ heimdall print-pit | sed -nE '/^---/{N;N;N;N;N;N;N;N;N;N;N;s/^--- Entry #([0-9]+).*Partition Name: ([^\n]*).*Flash Filename: ([^\n]*)/\1: \2 \(\3\)/p}'
0: CFG_DATA (qcsblhd_cfgdata.mbn)
1: QCSBL (qcsbl.mbn)
2: FAT (fat.bin)
3: EBR_START (partition.bin)
4: OEMSBL (oemsbl)
5: APPSBL (appsbl)
6: SSD ()
7: APPS (boot.img)
8: MODEM_ST1 ()
9: MODEM_ST2 ()
10: PERSIST (persist.img.ext4)
11: RECOVERY (recovery.img)
12: PARAMETER (parameter.img)
13: SECURE ()
14: PIT (pit.bin)
15: SYSTEM (system.img.ext4)
16: CACHE (cache.img.ext4)
17: MD5 (md5.img)
18: EFS (efs.img.ext4)
19: IMG_BACKUP ()
20: MISC ()
21: HIDDEN (hidden.img.ext4)
22: UMS ()
23: MODEM_BKP ()
24: USERDATA (userdata.img.ext4)
25: MBR (mbr.img)
26: EBR (ebr.img)
27: GROW ()
So where do I put zImage?
Am I actually moving in right direction?

[Q][SOLVED] How to solve " make_f2fs " problem on mac custom rom builds?

I'm using Mac OS X Yosemite(10.10.5) on my Dell Inspiron N5110 Notebook(Hackintosh)
And recently, i tried to build CM 12.1 for memul(HTC One Mini 2).
I got several problems which only occurs on Mac OS.
I googled errors that i got. Unfortunately, many unexperienced developers couldn't solve some of the errors but they got same problems as me.
By the way, I'm not that experienced as well.
So i decided to dig in to the problems/errors in order to solve them and get a installable zip file for my device.
And now i hope, i can shed light onto your problems as well. So you can solve the errors and get a installable zip build on Mac OS X too.
Problem & Errors
##########################
PROBLEM : We can't use make_f2fs command on Macs
UNDERSTANDING IT : The command is not supported on Mac OS, but works under linux.
You will probably get errors like shown below.
1 - No rule to make target ' out/host/darwin-x86/bin/make_f2fs', needed by
Error example;
No rule to make target `/Volumes/CM/out/host/darwin-x86/bin/make_f2fs', needed by `/Volumes/CM/out/target/product/deviceName/obj/PACKAGING/systemimage_intermediates/system.img'. Stop.
Click to expand...
Click to collapse
####################################################
2- line XX: make_f2fs: command not found
Error example;
/Volumes/CM/out/host/darwin-x86/bin/mkf2fsuserimg.sh: line 31: make_f2fs: command not found
Traceback (most recent call last):
File "./build/tools/releasetools/add_img_to_target_files", line 376, in <module>
main(sys.argv[1:])
File "./build/tools/releasetools/add_img_to_target_files", line 370, in main
AddImagesToTargetFiles(args[0])
File "./build/tools/releasetools/add_img_to_target_files", line 339, in AddImagesToTargetFiles
AddUserdata(output_zip)
File "./build/tools/releasetools/add_img_to_target_files", line 185, in AddUserdata
assert succ, "build userdata.img image failed"
AssertionError: build userdata.img image failed
make: *** [/Volumes/CM/out/target/product/memul/obj/PACKAGING/target_files_intermediates/cm_memul-target_files-95fd807476.zip] Error 1
make: *** Deleting file `/Volumes/CM/out/target/product/memul/obj/PACKAGING/target_files_intermediates/cm_memul-target_files-95fd807476.zip'
Click to expand...
Click to collapse
##########################
How To Fix
##########################
1- We should change some codes in device tree in order to solve "No rule to make target ' out/host/darwin-x86/bin/make_f2fs', needed by "
Step 1 : Go to your device tree folder (e.g. CM12_source/device/htc/memul/)
Step 2: Open BoardConfig.mk file in editor
Step 3: Find the line which includes f2fs
The line should be looking like that :
TARGET_USERIMAGES_USE_F2FS := true
Click to expand...
Click to collapse
Step 4: Change the line to;
ifeq ($(HOST_OS),linux)
TARGET_USERIMAGES_USE_F2FS := true
else
TARGET_USERIMAGES_USE_F2FS := false
endif
Click to expand...
Click to collapse
So, when we use that device-tree on linux the builds won't be affected of f2fs changes on device-tree.
But, for mac f2fs stuff will be disabled.(And that will solve the first problem)
##########################
2- You will get the second error when the building process almost finished.
It will try to do something with f2fs but obviously command doesn't exist.
NOTE THIS SOLUTION IS TEMPORARY, YOU SHOULD APPLY THIS FIX AGAIN WHEN YOU START BUILDING FROM SCRATCH
Step 1 : Go to that folder in your source directory "CM12_SourceFolder/out/host/darwin-x86/bin/"
Step 2 : You will see "mkf2fsuserimg.sh" file in that directory. Open it in editor.
Step 3 : mkf2fsuserimg.sh file contains something like below
#!/bin/bash
#
# To call this script, make sure make_f2fs is somewhere in PATH
function usage() {
cat<<EOT
Usage:
${0##*/} OUTPUT_FILE SIZE
EOT
}
echo "in mkf2fsuserimg.sh PATH=$PATH"
if [ $# -lt 2 ]; then
usage
exit 1
fi
OUTPUT_FILE=$1
SIZE=$2
shift; shift
if [ -z $SIZE ]; then
echo "Need size of filesystem"
exit 2
fi
MAKE_F2FS_CMD="make_f2fs -l $SIZE $OUTPUT_FILE"
echo $MAKE_F2FS_CMD
$MAKE_F2FS_CMD
if [ $? -ne 0 ]; then
exit 4
fi
Click to expand...
Click to collapse
Step 4 : Add Comment tag( #*) all of the lines in it except usage() function
Note : Adding Comment tag means putting hashtag before the lines, so we will make the required lines ineffective when the building process run the file
So the file should be looking like this (all of the usage function is still there and uncommented, be careful) :
#!/bin/bash
#
# To call this script, make sure make_f2fs is somewhere in PATH
function usage() {
cat<<EOT
Usage:
${0##*/} OUTPUT_FILE SIZE
EOT
}
#echo "in mkf2fsuserimg.sh PATH=$PATH"
#if [ $# -lt 2 ]; then
# usage
# exit 1
#fi
#OUTPUT_FILE=$1
#SIZE=$2
#shift; shift
#if [ -z $SIZE ]; then
# echo "Need size of filesystem"
# exit 2
#fi
#MAKE_F2FS_CMD="make_f2fs -l $SIZE $OUTPUT_FILE"
#echo $MAKE_F2FS_CMD
#$MAKE_F2FS_CMD
#if [ $? -ne 0 ]; then
# exit 4
#fi
Click to expand...
Click to collapse
Step 5 : And done, start the building process again with make command. The problems/errors should be solved.
NOTES FOR OTHER DEVELOPERS :
1 - I left usage function uncommented maybe something else calls it, i'm not sure.
2- Maybe /"Volumes/CM/out/host/darwin-x86/bin/mkf2fsuserimg.sh" fix can be made permanent for all builds by editing "cm12_source/system/extras/f2fs_utils/mkf2fsuserimg.sh" file. But i'm not sure.

Hp sy sprt di cloen dng seseorang data sy di hp semua di salin alamt wab sy pun di salin dng program mereka,, gimana memulihkan nya kembali

Hp sy sprt di cloen dng seseorang data sy di hp semua di salin alamt wab sy pun di salin dng program mereka ,, gimana cara nya kembali

Question Issues signing custom ROM for Pixel 6 Pro / raven

I'm following the instructions here for creating a signed build. The goal is to re-lock the device using a self signed key. Yes I've read all the reasons this isn't worth the trouble, just assume I have a good reason to do so. Zero issues creating and running my custom ROM. However, when I run the 'sign_target_files_apks' script it fails with the following message 'AssertionError: Failed to find vendor.img'. It failed even when I tried it on an unmodified build. I've also pulled the most recent source code and the issue still persists.
Summary of checking out and building the ROM:
repo init -u https://android.googlesource.com/platform/manifest -b android-13.0.0_r16 --depth=1
repo sync -j1 --fail-fast
wget https://dl.google.com/dl/android/aosp/google_devices-raven-tq1a.221205.011-428bd924.tgz
tar -xzf google_devices-raven-tq1a.221205.011-428bd924.tgz
./extract-google_devices-raven.sh
source build/envsetup.sh
lunch aosp_raven-user
m droid -j28
make dist
sign_target_files_apks -o --default_key_mappings ~/.android-certs out/dist/*-target_files-*.zip signed-target_files.zip
Click to expand...
Click to collapse
I've verified that vendor.img exists:
unzip ../out/dist/aosp_raven-target_files-eng.pja.zip
find . | grep 'vendor.img'
./IMAGES/vendor.img
Click to expand...
Click to collapse
I've attached a copy of the full stdout, but here's the last bit where it died:
++++ super_empty ++++
2022-12-17 21:56:35 - build_super_image.py - INFO : Building super image from info dict...
2022-12-17 21:56:35 - common.py - INFO : Running: "/home/pja/aosp/pro6/out/host/linux-x86/bin/lpmake --metadata-size 65536 --super-name super --metadata-slots 3 --virtual-ab --device super:8531214336 --group google_dynamic_partitions_a:8527020032 --group google_dynamic_partitions_b:8527020032 --partition system_a:readonly:0:google_dynamic_partitions_a --partition system_b:readonly:0:google_dynamic_partitions_b --partition system_ext_a:readonly:0:google_dynamic_partitions_a --partition system_ext_b:readonly:0:google_dynamic_partitions_b --partition product_a:readonly:0:google_dynamic_partitions_a --partition product_b:readonly:0:google_dynamic_partitions_b --partition vendor_a:readonly:0:google_dynamic_partitions_a --partition vendor_b:readonly:0:google_dynamic_partitions_b --partition vendor_dlkm_a:readonly:0:google_dynamic_partitions_a --partition vendor_dlkm_b:readonly:0:google_dynamic_partitions_b --sparse --output /tmp/targetfiles-d9ug1nap/IMAGES/super_empty.img"
2022-12-17 21:56:35 - build_super_image.py - INFO : Done writing image /tmp/targetfiles-d9ug1nap/IMAGES/super_empty.img
2022-12-17 21:56:35 - add_img_to_target_files.py - INFO :
++++ radio ++++
Traceback (most recent call last):
File "/home/pja/aosp/pro6/out/host/linux-x86/bin/sign_target_files_apks/internal/stdlib/runpy.py", line 196, in _run_module_as_main
File "/home/pja/aosp/pro6/out/host/linux-x86/bin/sign_target_files_apks/internal/stdlib/runpy.py", line 86, in _run_code
File "/home/pja/aosp/pro6/out/host/linux-x86/bin/sign_target_files_apks/__main__.py", line 12, in <module>
File "/home/pja/aosp/pro6/out/host/linux-x86/bin/sign_target_files_apks/internal/stdlib/runpy.py", line 196, in _run_module_as_main
File "/home/pja/aosp/pro6/out/host/linux-x86/bin/sign_target_files_apks/internal/stdlib/runpy.py", line 86, in _run_code
File "/home/pja/aosp/pro6/out/host/linux-x86/bin/sign_target_files_apks/sign_target_files_apks.py", line 1610, in <module>
File "/home/pja/aosp/pro6/out/host/linux-x86/bin/sign_target_files_apks/sign_target_files_apks.py", line 1603, in main
File "/home/pja/aosp/pro6/out/host/linux-x86/bin/sign_target_files_apks/add_img_to_target_files.py", line 1090, in main
File "/home/pja/aosp/pro6/out/host/linux-x86/bin/sign_target_files_apks/add_img_to_target_files.py", line 1006, in AddImagesToTargetFiles
File "/home/pja/aosp/pro6/out/host/linux-x86/bin/sign_target_files_apks/add_img_to_target_files.py", line 628, in CheckAbOtaImages
AssertionError: Failed to find vendor.img
Click to expand...
Click to collapse
Thanks in advance for any help!

Are you using a prebuilt vendor.img?

I believe vendor.img is being rebuilt from the extracted files in google_devices-raven-tq1a.221205.011-428bd924.tgz that create the aosp/vendor/ directory.
ls -lh $ANDROID_PRODUCT_OUT | grep 'vendor.img'
-rw-r--r-- 1 pja pja 534M Dec 24 11:19 vendor.img
Click to expand...
Click to collapse

Hm. That Vendor image might also need to be signed by ur personal signing key? And also check to make sure that ur directory paths are relevant in both syntax and filesystem and terminal

NonStickAtom785 said:
Hm. That Vendor image might also need to be signed by ur personal signing key? And also check to make sure that ur directory paths are relevant in both syntax and filesystem and terminal
Click to expand...
Click to collapse
Yeah I'm fairly sure it needs to be signed by the personal key and I think the script is designed to do that. My current working theory is that Google tweaked the directory structure around and did not update the script since everything appears to be where it should be. Think I'm going to need to bite the bullet and dig into the python code with a debugger and figure out what's going on.