Better Mobile App

{WIP} N950U Bootloader Unlocking (Build) / EDL Rom / SD-Card Booting {msm8998} - Samsung Galaxy Note 8 ROMs, Kernels, Recoveries, &

I think it's time to get this party started.
There is hope ->> Initial Analysis​
I have built a spreadsheet that takes a hexdump of the GPT tables and decodes them.
This provides the means of generating the Partition.xml and Rawprogram.xml.
Also one can learn alot by analyzing the GPT.
With the ability to generate the partition.xml it can then be converted to partitions.txt that the Dragon-Board db_boot_tools (mksdcard) can be used to burn the SD Card.
The ability to build the rawprogram.xml also provides us the opportunity to build EDL roms and flash them using the emmcdl.exe or the QDL download tool for dragonboard.
This means we can build unbrick roms / anything we want and flash it in edl mode unrestricted.
Currently there is available the Factory Samsung EDL Recovery Files for Boot Loader Rev 2.
https://www.needrom.com/download/unbrick-samsung-qualcom-9008-files/
I have looked at them and they are legitimate.
Analyzing the GPT tables included in the EDL package I can determine that these are Standard Qualcomm Bootloaders that operate on a Standard QC partition table.
My theory is that being standard Qualcomm Images the bootloader is unlockable by standard Qualcomm method.
The board_info partition. As seen here.
https://alephsecurity.com/2018/01/22/qualcomm-edl-2/
Another great resource is everything for the dragonboard 820c. Its the same chipset.
A ton of available source code is at our disposal.
In a nutshell because i dont have a lot of time to get into details at the moment.
I ran my first SD Card Test.
Simply burned the Dragonboard 820c SD Rescue image to a sd card.
https://www.96boards.org/documentat...board820c/installation/board-recovery.md.html
To my surprise if you insert this SD Card into the device and boot into download mode.
You will see FRP=OFF.
This proves my theory that the possibility of booting a full system on a sd card is real.
The sd card is read early in the boot chain.
I have to investigate and see exactly how this is setting frp off.
This partition table has the FRP partition.
The note 8 uses the persist partition for the frp switch.
So how the sd card is turing FRP off is the question I am working on answering at the moment.
I can conclude.
The device is definitely reading partitions off the SD Card.
It is beating the FRP lock out of the box.
This means either the stock bootloaders have functionality built in to look for the FRP partition that normally is not present on our devices. Meaning the stock bootloaders can read other partitions of the sd card.
Or somewhere in the boot chain one or more of the dragonboard bootloaders are executing off the sd card.
If that is the case Hope is very Great for us. Dragonboard has available the LK source code that we can modify and build.
Dragonboard also has pre-compiled bootloaders specifically for booting on sd card that we can use.
Also the samsung bootloaders in the EDL files are very promising.
If we can build the aosp system to go with the edl bootloaders ( If they are unlockable ) were golden.
If the Dragonboard Bootloaders are executing on the sd card were even more golden.
If this is the case we can even use the dragonboard 820c AOSP build ( includes sources )
All we really should need to change would relate to hardware differences.
Seems crazy but there is no rational explanation as to how the sd card turns FRP off other than the possibility of somewhere in the boot chain the drangonboard BL is executed on the sdcard.
Unless like i said the samsung bootloaders have the stock qualcomm functionality as well.
Either way you look at it. We defeated the FRP protection by flashing a sdcard and booting with the sdcard in the device. That is enough proof in itself that there is hope.
It would be superb if some of the other Samsung Devs, Like the samfail team would climb on board to work on some of this. I am very skilled in some aspects and in other aspects i could use some help.
Either way give me a couple months and we will be there.
My only question is has anyone ever been actually paid by Samsung for finding Exploits?
From what ive read on there site it says $200,000 K or more for a bootloader unlock.
Makes me wonder if I should be sharing this information with anyone.
But money aside...thats what samsung wants. There using greed against us. They don't want us to work together.
I will be getting into some very deep presentations of my work as time provides.
That way the community can learn and help on this exciting journey.
Damm I still can't believe it turned FRP off. :silly:
Just goes to show ya. Don't doubt it till you try it no matter how far out it may seem. :highfive:

Always follow A String Theory
No pun intended.
A lot can be determined by running the strings command on a elf file. It's sorta google for developers.
Lets take a quick Look.
From the xbl.elf in the edl package.
This is our boot sequence.
SEC Image Loaded, Delta
XBLRamDump Image Loaded, Delta
PMIC Image Loaded, Delta
APDP Image Loaded, Delta
QSEE Dev Config Image Loaded, Delta
QSEE Image Loaded, Delta
QHEE Image Loaded, Delta
RPM Image Loaded, Delta
STI Image Loaded, Delta
ABL Image Loaded, Delta
APPSBL Image Loaded, Delta
DDR Training Image Loaded, Delta
What can we boot from.
/home/dpi/qb5_8814/workspace/GREATQLTE_USA_SINGLE/nhlos/boot_images/QcomPkg/XBLLoader/boot_pbl_v2.c
PBL, Start
bootable_media_detect_entry, Start
bootable_media_detect_success, Start
/home/dpi/qb5_8814/workspace/GREATQLTE_USA_SINGLE/nhlos/boot_images/QcomPkg/XBLLoader/boot_hash.c
DDR Frequency, %d MHz
PBL Patch Ver: %d
Core 0 Frequency, %d MHz
Boot Interface:
NAND
eMMC
SDCARD
None
Unknown
Locked or Unlocked
/home/dpi/qb5_8814/workspace/GREATQLTE_USA_SINGLE/nhlos/boot_images/QcomPkg/XBLLoader/boot_logger.c
Secure Boot:
%s @ 0x%08x = 0x%016llx
%s @ 0x%08x = 0x%08x
Boot Config
JTAG ID
OEM ID
Serial Number
OEM Config Row 0
OEM Config Row 1
Feature Config Row 0
Feature Config Row 1
Raw PTE Row 3
Raw PTE Row 0
Load addresses. Re-Base if you have an IDA.
/home/dpi/qb5_8814/workspace/GREATQLTE_USA_SINGLE/nhlos/boot_images/Build/Msm8998LA_Core/RELEASE_CLANG38LINUX/AARCH64/QcomPkg/XBLCore/XBLCore/DEBUG/Sec.dll
[Config]
Version = 3
MaxMemoryRegions = 64
[MemoryMap]
# EFI_RESOURCE_ EFI_RESOURCE_ATTRIBUTE_ EFI_MEMORY_TYPE ARM_REGION_ATTRIBUTE_
#MemBase, MemSize, MemLabel(32 Char.), BuildHob, ResourceType, ResourceAttribute, MemoryType, CacheAttributes
#--------------------- DDR -----
0x80000000, 0x05800000, "Kernel", AddMem, SYS_MEM, SYS_MEM_CAP, Reserv, WRITE_BACK_XN
0x86000000, 0x00200000, "SMEM", AddMem, MEM_RES, UNCACHEABLE, Reserv, UNCACHED_UNBUFFERED_XN
0x94000000, 0x09400000, "DXE Heap", AddMem, SYS_MEM, SYS_MEM_CAP, Conv, WRITE_BACK_XN
0x9D400000, 0x02400000, "Display Reserved", AddMem, MEM_RES, SYS_MEM_CAP, MaxMem, WRITE_BACK_XN
0x9F800000, 0x00200000, "FV Region", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK_XN
0x9FA00000, 0x00200000, "ABOOT FV", AddMem, SYS_MEM, SYS_MEM_CAP, Reserv, WRITE_BACK_XN
0x9FC00000, 0x00300000, "UEFI FD", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK
0x9FF00000, 0x0008C000, "SEC Heap", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK_XN
0x9FF8C000, 0x00001000, "CPU Vectors", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK
0x9FF8D000, 0x00003000, "MMU PageTables", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK_XN
0x9FF90000, 0x00040000, "UEFI Stack", AddMem, SYS_MEM, SYS_MEM_CAP, BsData, WRITE_BACK_XN
0x9FFD0000, 0x00027000, "DBI Dump", AddMem, SYS_MEM, SYS_MEM_CAP, RtData, WRITE_BACK_XN
0x9FFF7000, 0x00008000, "Log Buffer", AddMem, SYS_MEM, SYS_MEM_CAP, RtData, WRITE_BACK_XN
0x9FFFF000, 0x00001000, "Info Blk", AddMem, SYS_MEM, SYS_MEM_CAP, RtData, WRITE_BACK_XN
[RegisterMap]
#--------------------- Other -----
0x14680000, 0x00040000, "IMEM Base", NoHob, MMAP_IO, INITIALIZED, Conv, NS_DEVICE
0x146BF000, 0x00001000, "IMEM Cookie Base", AddDev, MMAP_IO, INITIALIZED, Conv, NS_DEVICE
0x16000000, 0x01000000, "QDSS_STM", AddDev, MMAP_IO, INITIALIZED, Conv, NS_DEVICE
#--------------------- Register --
0x00620000, 0x00020000, "UFS_RUMI", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00070000, 0x00010000, "BOOT_CONFIG", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00100000, 0x000B0000, "GCC CLK CTL", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00778000, 0x00008000, "RPM MSG RAM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00780000, 0x00007000, "SECURITY CONTROL", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x00790000, 0x00010000, "PRNG_CFG_PRNG", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010A3000, 0x00001000, "MPM2_SLP_CNTR", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AA000, 0x00001000, "MPM2_TSENS0", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AB000, 0x00001000, "MPM2_TSENS0_TM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AC000, 0x00001000, "MPM2_PSHOLD", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AD000, 0x00001000, "MPM2_TSENS1", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x010AE000, 0x00001000, "MPM2_TSENS1_TM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x01C00000, 0x00007000, "PCIE WRAPPER AHB", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x01DA0000, 0x00020000, "UFS UFS REGS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x01DC0000, 0x00040000, "CRYPTO0 CRYPTO", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x01FC0000, 0x00026000, "TCSR_TCSR_REGS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x03400000, 0x00C00000, "TLMM CSR", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x08000000, 0x02800000, "PMIC ARB SPMI", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x05065000, 0x00009000, "GPUCC", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x06000000, 0x00100000, "QDSS_QDSS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x06400000, 0x00200000, "HMSS_QLL", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0A800000, 0x0011B000, "USB30_PRIM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0A920000, 0x00010000, "USB_RUMI", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0C000000, 0x00200000, "PERIPH_SS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0C800000, 0x00800000, "MMSS", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x17900000, 0x00030000, "QTIMER", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x17A00000, 0x00010000, "APCS_GIC500_GICD", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x17B00000, 0x00100000, "APCS_GIC500_GICR", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x17800000, 0x00100000, "APCS_CC", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x1B000000, 0x01000000, "PCIE WRAPPER AXI", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x0502A000, 0x00002000, "GPMU_BLOCK0", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x05026000, 0x00002000, "GPMU_DRAM", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
0x05030000, 0x00002000, "GPU_ISENSE", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE
[ConfigParameters]
# Update count if more than default 30 entries #
ConfigParameterCount = 52
So at a minimum we can see that this bootloader can boot from sd-card. The address table shows where things are loading in memory. This is good for disassembling the elf files.
I really think the sd card can get us a way in.

The Goal
In the end this is the boot sequence we would like to see.
If you looked at the strings in the previous post you will recognize some of the information here.
================================================================================
Successful boot sequence
================================================================================
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.1.0-00301
S - IMAGE_VARIANT_STRING=M8996LAB
S - OEM_IMAGE_VERSION_STRING=crm-ubuntu68
S - Boot Interface: UFS
S - Secure Boot: Off
S - Boot Config @ 0x00076044 = 0x000001c9
S - JTAG ID @ 0x000760f4 = 0x4003e0e1
S - OEM ID @ 0x000760f8 = 0x00000000
S - Serial Number @ 0x00074138 = 0x2e8844ce
S - OEM Config Row 0 @ 0x00074188 = 0x0000000000000000
S - OEM Config Row 1 @ 0x00074190 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000741a0 = 0x0050000010000100
S - Feature Config Row 1 @ 0x000741a8 = 0x00fff00001ffffff
S - Core 0 Frequency, 1228 MHz
B - 0 - PBL, Start
B - 10412 - bootable_media_detect_entry, Start
B - 47480 - bootable_media_detect_success, Start
B - 47481 - elf_loader_entry, Start
B - 49027 - auth_hash_seg_entry, Start
B - 49129 - auth_hash_seg_exit, Start
B - 82403 - elf_segs_hash_verify_entry, Start
B - 84905 - PBL, End
B - 86955 - SBL1, Start
B - 182969 - usb: hs_phy_nondrive_start
B - 183305 - usb: PLL lock success - 0x3
B - 186294 - usb: hs_phy_nondrive_finish
B - 190442 - boot_flash_init, Start
D - 30 - boot_flash_init, Delta
B - 197548 - sbl1_ddr_set_default_params, Start
D - 30 - sbl1_ddr_set_default_params, Delta
B - 205509 - boot_config_data_table_init, Start
D - 200659 - boot_config_data_table_init, Delta - (60 Bytes)
B - 410713 - CDT Version:3,Platform ID:24,Major ID:1,Minor ID:0,Subtype:0
B - 415410 - Image Load, Start
D - 22570 - PMIC Image Loaded, Delta - (37272 Bytes)
B - 437980 - pm_device_init, Start
B - 443744 - PON REASONM0:0x200000061 PM1:0x200000021
B - 480161 - PM_SET_VAL:Skip
D - 40016 - pm_device_init, Delta
B - 482083 - pm_driver_init, Start
D - 2928 - pm_driver_init, Delta
B - 488671 - pm_sbl_chg_init, Start
D - 91 - pm_sbl_chg_init, Delta
B - 495442 - vsense_init, Start
D - 0 - vsense_init, Delta
B - 505171 - Pre_DDR_clock_init, Start
D - 396 - Pre_DDR_clock_init, Delta
B - 509045 - ddr_initialize_device, Start
B - 512766 - 8996 v3.x detected, Max frequency = 1.8 GHz
B - 522373 - ddr_initialize_device, Delta
B - 522404 - DDR ID, Rank 0, Rank 1, 0x6, 0x300, 0x300
B - 526247 - Basic DDR tests done
B - 594994 - clock_init, Start
D - 274 - clock_init, Delta
B - 598349 - Image Load, Start
D - 4331 - QSEE Dev Config Image Loaded, Delta - (46008 Bytes)
B - 603808 - Image Load, Start
D - 5338 - APDP Image Loaded, Delta - (0 Bytes)
B - 612409 - usb: UFS Serial - 2f490ecf
B - 616801 - usb: fedl, vbus_low
B - 620431 - Image Load, Start
D - 55418 - QSEE Image Loaded, Delta - (1640572 Bytes)
B - 675849 - Image Load, Start
D - 2013 - SEC Image Loaded, Delta - (4096 Bytes)
B - 683413 - sbl1_efs_handle_cookies, Start
D - 457 - sbl1_efs_handle_cookies, Delta
B - 691892 - Image Load, Start
D - 14396 - QHEE Image Loaded, Delta - (254184 Bytes)
B - 706319 - Image Load, Start
D - 14061 - RPM Image Loaded, Delta - (223900 Bytes)
B - 721111 - Image Load, Start
D - 3233 - STI Image Loaded, Delta - (0 Bytes)
B - 727913 - Image Load, Start
D - 34709 - APPSBL Image Loaded, Delta - (748716 Bytes)
B - 762713 - SBL1, End
D - 680028 - SBL1, Delta
S - Flash Throughput, 94000 KB/s (2959024 Bytes, 31250 us)
S - DDR Frequency, 1017 MHz
Android Bootloader - UART_DM Initialized!!!
[0] BUILD_VERSION=
[0] BUILD_DATE=16:07:51 - Nov 17 2017
[0] welcome to lk
[10] platform_init()
[10] target_init()
[10] RPM GLink Init
[10] Opening RPM Glink Port success
[10] Opening SSR Glink Port success
[20] Glink Connection between APPS and RPM established
[20] Glink Connection between APPS and RPM established
[40] UFS init success
[80] Qseecom Init Done in Appsbl
[80] secure app region addr=0x86600000 size=0x2200000[90] TZ App region notif returned with status:0 addr:86600000 size:35651584
[100] TZ App log region register returned with status:0 addr:916d4000 size:4096
[100] Qseecom TZ Init Done in Appsbl
[120] Loading cmnlib done
[120] qseecom_start_app: Loading app keymaster for the first time
[150] <8>keymaster: ""KEYMASTER Init ""
[160] Selected panel: none
Skip panel configuration
[160] pm8x41_get_is_cold_boot: cold boot
[170] boot_verifier: Device is in ORANGE boot state.
[180] Device is unlocked! Skipping verification...
[180] Loading (boot) image (348160): start
[190] Loading (boot) image (348160): done
[190] use_signed_kernel=1, is_unlocked=1, is_tampered=0.
[200] Your device has been unlocked and cant be trusted.
Wait for 5 seconds before proceeding
[5200] mdtp: mdtp_img loaded
[5210] mdtp: is_test_mode: test mode is set to 1
[5210] mdtp: read_metadata: SUCCESS
[5230] LK SEC APP Handle: 0x1
[5230] Return value from recv_data: 14
[5240] Return value from recv_data: 14
[5250] Return value from recv_data: 14
[5260] DTB Total entry: 1, DTB version: 3
[5260] Using DTB entry 0x00000123/00000000/0x00000018/0 for device 0x00000123/00030001/0x00010018/0
[5270] cmdline: androidboot.bootdevice=624000.ufshc androidboot.verifiedbootstate=orange androidboot.veritymode=enforcing androidboot.serialno=2f490ecf androidboot.baseband=apq mdss_mdp.panel=0
[5290] Updating device tree: start
[5290] Updating device tree: done
[5290] Return value from recv_data: 14
[5300] RPM GLINK UnInit
[5300] Qseecom De-Init Done in Appsbl
[5300] booting linux @ 0x80080000, ramdisk @ 0x82200000 (0), tags/device tree @ 0x82000000
[5310] Jumping to kernel via monitor
U-Boot 2017.11-00145-ge895117 (Nov 29 2017 - 10:04:06 +0100)
Qualcomm-DragonBoard 820C
DRAM: 3 GiB
PSCI: v1.0
MMC: [email protected]: 0
In: [email protected]
Out: [email protected]
Err: [email protected]
Net: Net Initialization Skipped
No ethernet found.
Hit any key to stop autoboot: 0
switch to partitions #0, OK
mmc0 is current device
Scanning mmc 0:1...
Found /extlinux/extlinux.conf
Retrieving file: /extlinux/extlinux.conf
433 bytes read in 71 ms (5.9 KiB/s)
1: nfs root
Retrieving file: /uImage
19397184 bytes read in 2024 ms (9.1 MiB/s)
append: root=/dev/nfs rw nfsroot=192.168.1.2:/db820c/rootfs,v3,tcp rootwait ip=dhcp consoleblank=0 console=tty0 console=ttyMSM0,115200n8 earlyprintk earlycon=msm_serial_dm,0x75b0000 androidboot.bootdevice=624000.ufshc androidboot.verifiedbootstate=orange androidboot.ver0
Retrieving file: /apq8096-db820c.dtb
38134 bytes read in 37 ms (1005.9 KiB/s)
## Booting kernel from Legacy Image at 95000000 ...
Image Name: Dragonboard820c
Image Type: AArch64 Linux Kernel Image (uncompressed)
Data Size: 19397120 Bytes = 18.5 MiB
Load Address: 80080000
Entry Point: 80080000
Specifically what we want to accomplish.
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.1.0-00301
S - IMAGE_VARIANT_STRING=M8996LAB
S - OEM_IMAGE_VERSION_STRING=crm-ubuntu68
S - Boot Interface: UFS
S - Secure Boot: Off
S - Boot Config @ 0x00076044 = 0x000001c9
S - JTAG ID @ 0x000760f4 = 0x4003e0e1
S - OEM ID @ 0x000760f8 = 0x00000000
S - Serial Number @ 0x00074138 = 0x2e8844ce
S - OEM Config Row 0 @ 0x00074188 = 0x0000000000000000
S - OEM Config Row 1 @ 0x00074190 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000741a0 = 0x0050000010000100
S - Feature Config Row 1 @ 0x000741a8 = 0x00fff00001ffffff
S - Core 0 Frequency, 1228 MHz
B - 0 - PBL, Start
B - 10412 - bootable_media_detect_entry, Start
B - 47480 - bootable_media_detect_success, Start
If we can set this the bootloader is unlocked.
Boot Config @ 0x00076044 = 0x000001c9
From our xbl.elf strings.
Secure Boot:
%s @ 0x%08x = 0x%016llx
%s @ 0x%08x = 0x%08x
Boot Config
JTAG ID
OEM ID
Serial Number
OEM Config Row 0
OEM Config Row 1
Feature Config Row 0
Feature Config Row 1
0x00070000, 0x00010000, "BOOT_CONFIG", AddDev, MMAP_IO, UNCACHEABLE, MmIO, NS_DEVICE

BigCountry907 said:
This partition table has the FRP partition.
Click to expand...
Click to collapse
The actual FRP partition in this SD recovery image is empty. And so are a bunch of other ones; they all seem to be blanked out with 00s. Maybe they are used for mounting the images? But in that case, what would be responsible for mounting them? I think one of the partitions that actually has an ELF header might be worth looking at.

The sdcard image is for the dragonboard to boot into fastboot mode.
So you are correct. Most of the partitions are empty.
The bootloaders are present on the sdcard.
I havent determined if they are running or not.
The only byte that matters on the FRP partition is the last byte.
00 = FRP Lock Off
01= FRP Lock On.
If you install Liveboot then the log files on bootup are saved.
Looking in that log I can see the sdcard partitions are being mounted.
If you
cat /proc/mounts
You will see many are mounted.
This was just an initial test to see if the sd card would get read on boot.
It does so now im working on building a card with the V2 samfail installed.
My hope is to boot a full system off of the sdcard.
Then development can be done without touching the UFS.
If we can get the bootloaders to run off the sdcard as well this will open a huge door for us.
I will let you know how it goes with my next test.

The thing that is significant thus far is the fact that booting with the sdcard IS SETTING frp LOCK TO OFF.
The normal Samsung Note 8 partition scheme uses Persist and Persistent partition for setting the FRP on or off.
If both persist and persistent are ZERO then FRP = off.
So the stock bootloader will read partitions that are (whitelisted) and verified to be Qualcomm Unique GUID Type.
Possibly even boot a bootloader that is not signed by Samsung but signed by Qualcomm.
If Qualcomm signed bootloaders will run then we can actually compile sign and boot our own bootloader.
Here is how.
https://www.96boards.org/documentation/consumer/dragonboard/dragonboard820c/guides/
Building the SD rescue image
The scripts to build the SD rescue image can be found here:
https://git.linaro.org/ci/job/configs.git/tree/lt-qcom-bootloader-dragonboard820c.yaml,
where we defined the script parameters and variables
https://git.linaro.org/ci/job/configs.git/tree/lt-qcom-bootloader/dragonboard820c/builders.sh:
where the actual commands are being executed.
Same Chip so we can use the source code.

I will attach here the first revision of my GPT Decoder Spreadsheet.
It takes the GPT which is the UFS Partition Table and decodes it.
Once the GPT is decoded we can use it to make the following.
Rawprogram.xml >> used for flashing in EDL Mode like emmcdl.exe or dragonboard "QDL"
Partition.xml >> used for making GPT files and the Rawprogram.xml and is used by qualcomm tools like Ptool.py Msp.py ext.
Partitions.txt >> used for flashing sd cards or writable devices using mksdcard script.
So essentially the GPT is the foundation of everything. The GPT is what the samsung .PIT files write.
You can pull the GPT off the device using the shell.
Here are the commands.
The MAIN GPT. Tables
The main GPT is the first 24kb of each device block on the UFS (ie sda, sdb, sdc, sdd)
Code:
adb shell
su
dd if=/dev/block/sda of=/sdcard/gpt_main0.bin bs=1024 count=24
dd if=/dev/block/sdb of=/sdcard/gpt_main1.bin bs=1024 count=24
dd if=/dev/block/sdc of=/sdcard/gpt_main2.bin bs=1024 count=24
dd if=/dev/block/sdd of=/sdcard/gpt_main3.bin bs=1024 count=24
The BACKUP GPT. Tables
The backup GPT is the last 20kb of each device block on the UFS (ie sda, sdb, sdc, sdd)
So the start address of the backup gpt is total size in kb of disk - 20kb.
To get the skip= number you have to take the total kb of the disk and subtract 20 kb from it.
This is for the U2 bootloader.
Code:
adb shell
su
dd if=/dev/block/sda of=/sdcard/backup-sda-gpt.bin bs=1 skip=63916978176
dd if=/dev/block/sdb of=/sdcard/backup-sdb-gpt.bin bs=1 skip=4173824
dd if=/dev/block/sdc of=/sdcard/backup-sdc-gpt.bin bs=1 skip=4173824
dd if=/dev/block/sdd of=/sdcard/backup-sdd-gpt.bin bs=1 skip=62894080
We will be needing someone to pull the GPT tables from all the bootloader versions except for U2.
I am on U2 and this spreadsheet is for U2.
I will need the other GPT tables to build the unbrick for other bootloader versions.
Look at the spreadsheet and the different sheets in it.
You will get an Idea of how it works.
I use formulas and link to the pasted GPT tables to decode them.
This spreadsheet still needs work so some of the data is manually edited at this time.
But for U2 bootloader rev this spreadsheet is correct.
Use open office to use or look at this spreadsheet. << ITS FREE
Use 7z to unzip the files

NEW possibly very Exciting Discovery.
Don't get too excited because i need to verify but from what i see.
In the AP_N950USQS2BQK2_CL12461033_QB15680825_REV00_user_low_ship_MULTI_CERT_meta
There is a folder called meta-data.
In that folder there is a password protected zip called FOTA.
The password is fotatest1234
I see everything in there is to sign files.

Now what im thinking is related to my first ever android hack several years back.
By generating my own .pk8 and .pem keypair I figured out how to dump the publick key into the keyform used to verify the signature of ota zip packages to flash in a stock recovery.
By taking the key dump and replacing it in the recovery /res/keys.
The group of files in the above mentioned zip file is for signing packages and boot and recovery image.
I believe if I can find where the publick half of the keypair for verifying the boot signature I can replace it and sign my boot and recovery with my own keys. The bootloader still verifies the signature but it passes because its verifying my public half of the keypair against a file signed by my keypair.
I might know already where the certificate is. I need to pull out a old tool.
I wrote this shell script years ago for this very purpose. I think its broken slightly. I was working on it and never finished.
But if you know shell code the errors are easy enough to fix.
The setup will work. Its posted here.
https://drive.google.com/file/d/0B8jitdIyh2NtMHo4Q1ZLbFk3aEE/view
There are a couple of threads I wrote about it.
https://androidforums.com/threads/root-rom-recovery-r-d.975147/
Quick Ho to
make a folder in the home dir called auto-key
unzip the file in there
Signing the zip will work with this.
Just use the keys i sent along in the package.
Only thing is if the recovery.img is alot newer you might have to use the new boot tools.
I havent written them in the software yet.
Under the folder boot in auto-key
Put your recovery.img in the boot folder
cd ~/auto-key/boot
type
./mkboot recovery.img new-ramdisk
that will unpack the recovery.
open the new-ramdisk folder
go to /res in the new-ramdisk
there is a file called keys
delete it
go to the the keys folder in auto-key
~./auto-key2/keys/factorykey/res/e-0x3
copy the keys file to the
new-ramdisk/res folder
cd
cd ~/auto-key/boot
type
./mkboot new-ramdisk patched-recovery.img
it will repack the recovery
Then you have to flash patched-recovery.img to the recovery mmcblk of your device.
You will have to use the dd command in adb if you can.
Not sure what type of access you have with the bootloop.
example command may work for you
just make sure that the patched-recovery.img is in the dir that shell is cd to.
then type
adb push patched-recovery.img /storage/sdcard0
or
adb push patched-recovery.img /storage/sdcard1
whichever one is your sd card.
then type
adb shell
su
dd if=/storage/sdcard0/patched-recovery.img of=/dev/block/mmcblk0p?? "make after the p your correct partition for recovery"
To sign files put them in the tosign folder in the auto-key folder
only 1 file ata a time can be in that folder
run akey.sh
select sign files
select option 1 in the sign files menu.
You will find the signed zip in /auto-key/output.
If you need more help let me know
Now Im not saying do all of that. But im saying Im pretty sure I might be able to use this same process to self sign our boot and recovery images. Then we don't need a bootloader unlock.
Our custom boot and recovery will be certified samsung official.
Just a lot to work on now. The sdcard and now the signing project.
Now were starting to have some real fun.

Sorry to be off topic i hope the sanfail team is on board with u

One more writeup about the recovery signature hack
What happens is that the stock recovery checks the public part of the key pair against a file in the recovery.img ram disk. Usually /res/keys. You can locate this call in one of the recovery log files located in the /cache. When you get your device the /res/keys that is in the ramdisk is generated by the manufacture keyset therefore limiting the update.zip to be signed with the manufacturer keys.
So I have tested and found a way to change that. Like I said I have tested and it works. If you pull your stock recovery image or get it from a factory update.
Take that recovery.img and split it into the seperate kernel and ramdisk.
Extract or mount the ramdisk -cpio.
Generate your own set of private keys using the same public exponent as the factory rom.
Example and probably most common: Exponent: 3 (0x3)
Example: Releasekey.x509.pem and Releaseke.pk8 generated with Exponent: 3 (0x3)
Take the new keys and use DumpPublicKey.jar to create a new keys file.
Replace the /res/keys file with the one created from your keys.
Repack the ramdisk.
Repack the recovery.img using the correct offsets.
Either flash the new recovery.img to the device or use fastboot to boot it.
Example: fastboot boot recovery.img
Now take an update.zip and edit the updaterscript so that it will fail at an assert / unless you actually want to flash the update.
Sign the update zip using your .x509.pem and .pk8 keypair. You have to use the signapk.jar with the -w option else it wont work.
It will pass the signature verification of the recovery for sure.
We just did the same thing that the manufacturer does with there keys.
I dont anticipate any problems with the bootloader because the new recovery.img is identical to the original recovery.img except for the /res/key is your key.
The boot loader isn't checking that key "that i know of" so it doesn't know anything is different.
And that is how to load any update you want. You sign it with your own key. You make the recovery.img /res/keys with the matching keys.
Now if you are a developer you could probably figure out how to do all of the above.
Otherwise there is a lot more to it than it seems.

Even if you were able to flash system images, would they still not have to be stock(ish)? Would you not still have to go through the whole rigamarole of obtaining combo bootloaders and disabling dm-verity? What about rebuilding a kernel that is kexec enabled and flashing over the recovery partition to chainload another kernel? Would the bootloader not check the signature since it's already been 'signed'?

BigCountry907 said:
My only question is has anyone ever been actually paid by Samsung for finding Exploits?
From what ive read on there site it says $200,000 K or more for a bootloader unlock.
Makes me wonder if I should be sharing this information with anyone.
But money aside...thats what samsung wants. There using greed against us. They don't want us to work together.
I will be getting into some very deep presentations of my work as time provides.
That way the community can learn and help on this exciting journey.
Damm I still can't believe it turned FRP off. :silly:
Just goes to show ya. Don't doubt it till you try it no matter how far out it may seem. :highfive:
Click to expand...
Click to collapse
i just got paid for a exploit i reported to samsung back in may lol.. it was rated a high vuln.. it was for msm8998 chipsets on 7.0 (only tested on vzw tab s3)
I was listed on sept. security bulletin even lol.. i got 2500$ (1950$ after korea n us taxes n fees n w.e else.)
The exploit (without going into details) allowed flashing a modified partition and executing scripts/commands in init context.. the patch basically said they blocked or removed all init scripts lol
i never reported SamPWND.. it wouldnt be elig anyways bcuz it uses leaked eng firmware with the exploits
if ur sdcard trick does disable frp you cant report it now since u already posted publicly lol

BigCountry907 said:
The thing that is significant thus far is the fact that booting with the sdcard IS SETTING frp LOCK TO OFF.
The normal Samsung Note 8 partition scheme uses Persist and Persistent partition for setting the FRP on or off.
If both persist and persistent are ZERO then FRP = off.
So the stock bootloader will read partitions that are (whitelisted) and verified to be Qualcomm Unique GUID Type.
Possibly even boot a bootloader that is not signed by Samsung but signed by Qualcomm.
If Qualcomm signed bootloaders will run then we can actually compile sign and boot our own bootloader.
Here is how.
https://www.96boards.org/documentation/consumer/dragonboard/dragonboard820c/guides/
Building the SD rescue image
The scripts to build the SD rescue image can be found here:
https://git.linaro.org/ci/job/configs.git/tree/lt-qcom-bootloader-dragonboard820c.yaml,
where we defined the script parameters and variables
https://git.linaro.org/ci/job/configs.git/tree/lt-qcom-bootloader/dragonboard820c/builders.sh:
where the actual commands are being executed.
Same Chip so we can use the source code.
Click to expand...
Click to collapse
isnt the note 8 msm8998? the dragonboard strings u posted are for the older msm8996 chipset as well as they are for lab purposes.. theres quite a few differences even without taking into consideration the chipsets are different...
one being samsung.. samsung takes qualcomms firmware/source and customizes the crap out of it.. disabling/removing fastboot, implementing the odin protocol etc etc
i dont think the sdcard approach is viable.. secure boot is enabled and the partitions u speak of flashed to an sdcard are not signed appropriately so the device wouldnot boot up if it was in fact trying to run off the sdcard..
even in edl, edl doesnt per say let the phone boot unsigned firmware.. its merely a flashing mechanism.. so it will allow you to flash just about anything if using signed programmers and everything else is proper but if that firmware is not signed the device will not boot due to secure boot..
the private key is burned into hardware at the factory..
with that being said, i would look at the non volatile partitions that arent required to be signed and see if theres anything there that we can modify to help in unlocking the bl.. partitions like param, or steady or misc etc etc that we could modify and flash in edl and still boot as its not checked for integrity if that makes sense lol
partitions like misc.. on combo you can do in shell "setprop sys.boot_mode ffbm" and itll write ffbm-01 to the misc partition then boot into a special diagnostic mode which you can even see it in the last kmsg/boot logs.. maybe theres a boot mode or somethin similar that turns boot from sdcard on?
dunno bout newer devices but s7 and s6 etc. the unlockable sd variants use crom.apk (their bls have a crom lock)... pushing req libs with root and running logcat while running crom it writes a "KIWIBIRD" flag to the steady partition then when device boots it reads it and bl is unlocked..
On newer locked sd devices theres an eng mode.. theres an eng cert that gets flashed in odin that i believe writes to stead or param, not sure lol but u get the point..
just trying to say theres other routes to look at that i think would be more viable.
i spent close to a year messin with edl on msm8998 (s8+ g955u), it is a viable way in if u can figure it out.. unsigned firmware like boot.img, recovery.img and the usual partitions never booted for me.. always secure check fail even when flashing with edl..
theres an old read but decent and somewhat related to sdcard.. samsung devices used to have an option in odin called t. flash that was supposed to flash the stuff in odin to an sdcard in the device.. i think he crafted a boot.img then tflashed stock or somethin like that lol.. it was yearsago so surely patched unless sammy goofed and quitely re-enabled it lol

to add after reviewing further, the dragonboard 820c is closest to snapdragon 820 which was in the S7 devices.. or similar to msm8996.. note 8 was msm8998 or closer to snapdragon 830? if that exists lol

Rip

dazemc said:
Even if you were able to flash system images, would they still not have to be stock(ish)? Would you not still have to go through the whole rigamarole of obtaining combo bootloaders and disabling dm-verity? What about rebuilding a kernel that is kexec enabled and flashing over the recovery partition to chainload another kernel? Would the bootloader not check the signature since it's already been 'signed'?
Click to expand...
Click to collapse
I'm not saying to do the recovery.img mod.
I'm saying use that as a template to be able to sign our own boot and recovery images.
First
Generating custom signing keys
The following openssl commands generate all the keys we need. Execute them line-by-line rather than copying the whole block, as you will be asked for input.
Code:
# private key
openssl genrsa -f4 -out verifiedboot.pem 2048
openssl pkcs8 -in verifiedboot.pem -topk8 -outform DER -out verifiedboot.pk8 -nocrypt
# public key
openssl req -new -x509 -sha256 -key verifiedboot.pem -out verifiedboot.x509.pem
openssl x509 -outform DER -in verifiedboot.x509.pem -out verifiedboot.x509.der
Second
Signing the boot image
Using the BootSignature.jar file sign the boot image using the keys generated above
If we look in that fota.zip
the path is /fota/OTA/tools
We have a boot_signer.sh and BootSignature.jar
Looking in the boot signer script we see.
#! /bin/sh
# Start-up script for BootSigner
BOOTSIGNER_HOME=`dirname "$0"`
BOOTSIGNER_HOME=`dirname "$BOOTSIGNER_HOME"`
java -Xmx512M -jar "$BOOTSIGNER_HOME"/framework/BootSignature.jar "[email protected]"
So to sign the boot image our command would be.
Code:
java -Xmx512M -jar BootSignature.jar /boot boot.img verifiedboot.pk8 verifiedboot.x509.der boot_signed.img
To check the signature
Code:
java -jar BootSignature.jar -verify boot_signed.img
Now if we had Samsungs .pk8 and samsungs .x509.der things would be easy.
The .x509.der we can get off the device its got to be in the ramdisk.
But the .pk8 is the private key and usually we can't get that.
The thing is maybe we can.
The variable "[email protected]" has to be these keys and if the boot.img is getting signed on the device after a patch or update then its hiding somwhere. If we can find that we can sign our own boot.img and the device will say there samsung official.
The other option is where I was talking about what I did to the recovery image.
Some Where there is the KEY used to verify to boot.img signature.
In the case of the recovery and flashing update zips it it the /res/keys found in the ramdisk.
The /res/keys is a dumped form of the keypair made by using dumpkey.jar also found in the /fota/OTA/tools.
By running dumpkey.jar against our custom signing keys we get the form of the key used in /res/keys.
If the boot.img signature scheme used the same method all we need to know is where the equivalent /res/keys is at and replace it with ours.
It could very well be in the ramdisk.
For me to make this work what i need to know is where is the KEY that is used to verify the boot.img signature.
Or if we can get the "[email protected]" variable output in the boot_signer script then we will have both keys.
I highly doubt but it could be possible there hard coded in the BootSignature.jar thats in the fota folder.
It would be helpful if I had a copy of any OTA Update that someone pulled off a device before they installed the update. Preferably a full update from one android version to the next like going from N to O
MY Questions are.
Anyone out there have a copy of a OTA Update?
Anyone know the location of the KEY used to verify the Boot signature?
Has anyone installed an update and seen the update package unpack / repack and sign the boot.img or any log refering to the verification of the boot signature.
If the update unpacked the boot then it had to sign it.
Hopefully you understand now what direction I am headed in with Auto-Key script.
All the code to manipulate the keys I have written in the akey.sh already.
If we can sign our own boot and recovery we don't need to unlock the bootloader.
My final question is
Is the Kernel signed also? Or since the DM-Verity days are they only relying on the boot.img signature.

elliwigy said:
i just got paid for a exploit i reported to samsung back in may lol.. it was rated a high vuln.. it was for msm8998 chipsets on 7.0 (only tested on vzw tab s3)
I was listed on sept. security bulletin even lol.. i got 2500$ (1950$ after korea n us taxes n fees n w.e else.)
The exploit (without going into details) allowed flashing a modified partition and executing scripts/commands in init context.. the patch basically said they blocked or removed all init scripts lol
i never reported SamPWND.. it wouldnt be elig anyways bcuz it uses leaked eng firmware with the exploits
if ur sdcard trick does disable frp you cant report it now since u already posted publicly lol
Click to expand...
Click to collapse
I wasn't thinking of reporting the FRP trick.
There are a ton of ways to accomplish the same thing.
If you
Code:
dd if=/dev/zero /dev/block/sda5
and
Code:
dd if=/dev/zero /dev/block/sda12
Well FRP lock = off.
I just hate the Idea of someone using my work to profit from samsung.
I love for people to use my work and to contribute to it to help everyone.
So screw the money I just want to help.
Cool to know that you did get paid though.

elliwigy said:
isnt the note 8 msm8998? the dragonboard strings u posted are for the older msm8996 chipset as well as they are for lab purposes.. theres quite a few differences even without taking into consideration the chipsets are different...
Click to expand...
Click to collapse
This is the main reason I like the Samsung EDL Bootloaders.
one being samsung.. samsung takes qualcomms firmware/source and customizes the crap out of it.. disabling/removing fastboot, implementing the odin protocol etc etc
Click to expand...
Click to collapse
The EDL package is QUALCOMM. It lacks the Samsung Customization.
If it is possible to take those bootloaders that are signed and build the rest of the android system its hard to tell what we could end up with. Maybe the bootloaders in the EDL have the ability to be unlocked by the normal Qualcomm method that utilizez the DEVINFO partition that is present on our devices.
Have you looked at that yet?
Code:
greatqlte:/ # hexdump -C -v /sdcard/devinfo.img
00000000 41 4e 44 52 4f 49 44 2d 42 4f 4f 54 21 01 01 00 |ANDROID-BOOT!...|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
Looks Pretty Familiar.
Bootloader Unlocking
For some devices, such as several Xiaomi ones, partition flashing is sufficient for being able to unlock the Android Bootloader (which disables the verification of the rest of the chain):
[Primary Bootloader (PBL)]
|
`---NORMAL BOOT---.
[Secondary Bootloader (SBL)]
|-.
| [Applications Bootloader (ABOOT)]
| `-.
| [boot.img]
| |-- Linux Kernel
| `-- initramfs
| `-.
| [system.img]
|
`-[TrustZone]
The bootloader locking bit of such devices is held in the devinfo partition, parsed by the Android Bootloader.
Attackers can simply flip the lock bit, to load an arbitrary boot image. This will not cause any factory reset.
Reading devinfo using our framework prior to the attack yields the following output:
> hexdump devinfo.bin
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00 ANDROID-BOOT!...
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Setting 1 at offsets 0x10, 0x18, and flashing the modified devinfo will unlock the bootloader:
No im not saying that Ive tested this yet. But it is a possibility.
My guess is that the EDL bootloaders that Lack Samsung Customization including KNOX might and I say again Might read the devinfo partition.
It is there for some reason. So the Question is Why??? What does it do.
That is the reason for my interest in the EDL Firmware.
Code:
i dont think the sdcard approach is viable.. secure boot is enabled and the partitions u speak of flashed to an sdcard are not signed appropriately so the device wouldnot boot up if it was in fact trying to run off the sdcard.
Again this is misinterpretation.
I'm not saying we are going to run the dragonboard firmware on our devices.
If you know the dragonboard tools some of them are very useful.
It is proven already the sd card can indeed influence the devices operation.
Basically I am utilizing some dragonboard tools to replicate what odin does to the sdcard when you use T-FLASH.
The sd card is very viable and a great means of testing. BUT also a lot of work.
Dragonboard 820 is as close to the actual source code we are going to get right now.
If you dig down in the bootloaders you will find many reference to msm8996 source code.
The msm8996 and msm8998 share a lot.
And Little Kernel is Little Kernel.
Liarno has good source trees that are for building LK with different functions.
If we can unlock the bootloader and run our own LK thats sure where id start.
Also for understanding how LK works and the different functions what better of a source than a very well documented one.
I actually have quite a bit of Leaked Qualcomm Source Code. Its a bit older but still very viable.
More than enough to understand how the security mechanisms work if you really dig into it.
partitions like misc.. on combo you can do in shell "setprop sys.boot_mode ffbm" and itll write ffbm-01 to the misc partition then boot into a special diagnostic mode which you can even see it in the last kmsg/boot logs.. maybe theres a boot mode or somethin similar that turns boot from sdcard on?
Click to expand...
Click to collapse
Thank You very much for pointing this out.
There are uses for that for sure.
The sd card working or not working to accomplish anything all depends on how the samsung and the EDL bootloaders are written.
THEY DO SUPPORT THE SD.
I'm just looking for that one quirk that gets us a way in.
Its like looking for a needle in a haystack.
Its never expected to be there and found entirely by mistake. After you step on it.
If you don't play in the haystack you will never step on the needle.
Thank you again for your insight. If you have any other knowledge of things like that it all helps.
Maybe that is a way to trigger the SD.
The process of debating always leads to something.
Like setprop sys.boot_mode ffbm.
If everyone shares there finds eventually putting them all together gets something accomplished.

pbedard said:
Rip
Click to expand...
Click to collapse
RIP what?
This party is just getting started.
Pay attention.....you might be surprised how much you can learn.

Related

I have successful compiled the exFAT userspace driver from http://code.google.com/p/exfat/ together with libfuse.
So we are theoretically able to mount every exFAT formatted drive (connected via OTG and also the external sdcard, BUT THIS IS NOT YET FULL TESTED).
This howto is far away from being perfect. Also my english isn't perfect - sorry. Feel free to send me corrections.
@Mods: I think it's a development-related thread. If this is not your mind, please move it to the right section - thank you very much (and also for your continuously work in the "background").
* For updates please have a look in the footer of this post, I forgot to reserve a second "post space" *
Please be very careful! I am not responsible for any damage or lost data on your phone or storage. I have tested this on my phone with a connected card reader and with the "external" sdcard
(Galaxy S2, usually mounted at /sdcard/external_sd).
ATTENTION:
I have discovered one "big" problem that must be solved before all other things and I NEED PERHAPS SOME HELP!
Binaries attached read update no. 2:
After every reboot the exFAT partition will be damaged WITHOUT modification of the vold.fstab config, so don't use a card or drive with important data on it.
This has to do with the automount function of the "New Volume Manager Daemon" Vold.
I suspect that the daemon wants to mount the exFAT volume as FAT32 read/write and overwrites the first bytes of the the first block. I will check this.
It doesn't matter if it's the "external" card or a connected drive/sdcard reader.
The problem:
dd if=/dev/block/mmcblk1p1 of=/sdcard/exfat_ok.bin count=1 bs=1024
hexdump -C /sdcard/exfat_ok.bin
the correct hex:
00000000h: EB 76 90 45 58 46 41 54 20 20 20 (three bytes and then the string EXFAT plus three spaces. This is the recognition string for the exfat-utils (exactly 8 bytes)
dd if=/dev/block/mmcblk1p1 of=/sdcard/exfat_not_ok.bin count=1 bs=1024
hexdump -C /sdcard/exfat_not_ok.bin
after a reboot of the phone the string changes to
00000000h: 52 52 61 41 58 46 41 54 20 20 20 (four new bytes at the beginning -> AXFAT, the recognition of the partition fails) I think no more changes are made.
This is not in relation to the exFAT tools or the FUSE library, the "damage" happens before!
Beside that, the exFAT card seems to be usable and after manually mount to /sdcard/external_sd the card can be activated (under settings - memory) - Sorry I have a german GUI...
STOP READING HERE IF YOU DON'T WANT TO PLAY WITH YOUR DATA ON THE EXFAT PARTITION!
There is no long term experience with this. Don't try it if you don't have some skills with Linux and Android. Make a full backup!
You have been warned...
[Q] Why exFAT and not using ext2/3/4 or any other file system?
[A] I don't know. It's your decision. exFAT is developed mainly for flash memory and could be used "out of the box" with newer windows versions and Mac OS X in contrast to ext2/3/4.
Sadly there is no good extX windows driver out available.
exFAT also supports XDHC card from 32 GB upwards. See http://en.wikipedia.org/wiki/ExFAT for more details.
XDHC cards are reported to work with the SG2.
This makes it interesting for micro sdcards greater than 32 GB (if your are lucky and have one) and for large files (greater than 4 GB), like video files.
Note: FAT32 is of course able to address more than 32 GB, but not "official".
There are many disadvantages as well, read the article.
[Q] Is it free and/or free to use?
[A] Once again, I don't know exactly. Tuxera http://www.tuxera.com/ has an agreement (licence program) with Microsoft and announced an exFAT driver for Android, but I couldn't find a free downloadable (source) package.
The driver is probably free to use but not free to distribute and until now not released.
The exFAT project on Google Project Hosting is licensed under GNU GPL v3, so we will and can use it free. But it's still in beta stage.
[Q] What do I need?
[A] A rooted Android phone with a suitable kernel and fuse support, take siyah (because it a good kernel). I have only a Samsung Galaxy S2, that's because the thread is here.
Enough free memory. Installed busybox. Access via adb shell or a ssh-terminal connection (QuickSSHd or SSHDroid from the market).
An other option is to use a terminal window on the phone.
[Q] What could be possible?
[A]
automatically mount the OTG drive with util-linux-ng or vold or something like that (needs support from kernel or ROM)
replace the FAT32 partition of the "external" sdcard (external_sd) with exFAT (needs support from both kernel and ROM I think)
OK, let's start...
First option, the harder way (you need a linux machine for this): Compiling the driver and utils
Download the CodeSourcery Toolchain/Crosscompiler for ARM EABI for Linux from https://sourcery.mentor.com/sgpp/lite/arm/portal/[email protected]=lite (tested with 2011.03-41, I saw a newer untested version Sourcery G++ Lite 2011.03-42)
Install the compiler on your linux box with (for example) sh ./arm-2011.03-41-arm-none-linux-gnueabi.bin, the installer will asking you a few questions, it should be easy.
Download latest stable fuse (fuse-2.8.6.tar.gz) from http://fuse.sourceforge.net/
Download fuse-exfat (exfat-utils-0.9.5.tar.gz and fuse-exfat-0.9.5.tar.gz) from http://code.google.com/p/exfat/ or use my prepared packages with the Makefiles
Prepare the cross compiler, this is my example script, please change the path (CROSS_PATH) to the CodeSourcery binaries and the CROSS_ROOT path
Make a directory (CROSS_ROOT) for the libraries and the headers, ex.:
/android/src/cross/lib
/android/src/cross/include
---- File prepare_codesourcery.sh
#!/bin/bash
export CROSS_PATH=/android/CodeSourcery
export CROSS_ROOT=/android/src/cross
export ARCH=arm
export PATH="$CROSS_PATH:$PATH"
# version 2011.03-41-arm-none-linux-gnueabi
export CROSS_COMPILE="$CROSS_PATH/bin/arm-none-linux-gnueabi-"
export CFLAGS=' -I$CROSS_ROOT/include -g -O2 -static -march=armv6 -mfpu=neon -mfloat-abi=softfp'
export LDFLAGS=' -L$CROSS_PATH/arm-none-linux-gnueabi/libc/lib -L$CROSS_ROOT/lib -Wl,--whole-archive -lpthread -lrt -ldl -Wl,--no-whole-archive'
export CC="$CROSS_PATH/bin/arm-none-linux-gnueabi-gcc"
----
Export the setup:
. ./prepare_codesourcery.sh
Check the path with
arm-none-linux-gnueabi-gcc -v
Compile libfuse
./configure --host=arm-linux --enable-util --enable-lib --disable-mtab --enable-static=yes --enable-shared=no
make
copy the static libraries libfuse.a and libulockmgr.a from fuse-2.8.6/lib/.libs to $CROSS_ROOT/lib
copy the headers (.h-files) from fuse-2.8.6/include to $CROSS_ROOT/include
c) and d) is not really necessary, but is used for the flags to find the headers and libs, see the file prepare_codesourcery.sh above.
Compile fuse-exfat
I had no luck with SCons (a substitution for make) to cross compile for ARM, so I created some Makefiles to build fuse-exfat and exfat-utils, see attachement
Note: the next step is not necessary, libexfat is also included in exfat-utils if you use the attached source package:
Use your downloaded sources package and copy the Makefiles from my packages to every directory or use my source packages
In fuse-exfat/fuse-exfat-0.9.5 run make
Compile exfat-utils
In fuse-exfat/exfat run make
Note: If you get errors like strip: "Unable to recognise the format of the input file" then you have to symlink arm strip to strip temporary with
ln -s $CROSS_PATH/bin/arm-none-linux-gnueabi-strip $CROSS_PATH/bin/strip
so arm-strip is used instead of strip from your linux dist
Second option: Download the binaries
1.-9. Don't care about it...
Copy all binaries to your phone. They are big but "portable" because of the static build. You can use adb or any other method. The files must be executable, so place them for example in /system/xbin or /data/ and chmod them 755
Connect an empty hard drive, empty pen drive or a card reader with an empty sdcard to the phone with an OTG cable. The drive should only contain a prepared partition (don't care about the file system).
But you can also create a partition with fdisk on the phone, if your busybox installation is useable.
Check the connection of the USB devices with
lsusb
or something like that
Check the partitions with
cat /proc/partitions
You have to see a new partition like sdc1. The partition is visible under /dev/block/platform/s3c_otghcd/sdc1
Create a new exFAT partition with
mkexfatfs /dev/block/platform/s3c_otghcd/sdc1
Check the type of partition with
fdisk -l /dev/block/platform/s3c_otghcd/sdc
(you should see it as "HPFS/NTFS")
Make a new directory ex.
mkdir /data/exfat
for the mount point
Mount the new exFAT partition read/write with
mount.exfat-fuse -o rw /dev/block/platform/s3c_otghcd/sdc1 /data/exfat
to mount point /data/exfat or any other path
or for testing with
mount.exfat-fuse -o ro /dev/block/platform/s3c_otghcd/sdc1 /data/exfat
readonly
To unmount the device use
sync
umount /data/exfat
Thanks to gokhanmoral for his great kernel, tolis626 and olifee (members of this forum) to give me the idea of doing this, unknown devs from http://repository.timesys.com/ for a example Makefile to bypass
the unwieldy "SCons". I wasn't able to use it for cross compiling because of tons of parameters and variables, my shame...
Links:
exFAT (GPL): http://code.google.com/p/exfat/wiki/QuckStartGuide (it's not a typo)
Some informations: http://en.wikipedia.org/wiki/ExFAT
SiyahKernel: http://forum.xda-developers.com/showthread.php?t=1263838
exFAT Makefile: http://repository.timesys.com/buildsources/f/fuse-exfat/fuse-exfat-0.9.5/fuse-exfat-0.9.5-make.patch
CodeSourcery: https://sourcery.mentor.com/sgpp/lite/arm/portal/[email protected]=lite
FUSE (Filesystem in Userspace): http://fuse.sourceforge.net/
Update no. 1 | 01/12/2011
I think I made one step forward: It's vold as I can see.
I have commented out the block for the external_sd in /system/etc/vold.fstab
# external sdcard
#{
# ums_path = /sys/devices/platform/usb_mass_storage/lun1/file
# asec = enable
#}
#dev_mount sdcard1 /mnt/sdcard/external_sd auto /devices/platform/s3c-sdhci.2/mmc_host/mmc1
Now after new rebooting the partition is not damaged and I was able to mount it as expected at /sdcard/external_sd.
The disadvantage is now is that the system cannot recognize the card as a regular sdcard and the memory part in settings is greyed out.
It's like the card is not insert for the ROM, nevertheless the directories are shown in a file explorer like "root explorer" (with free/used values and I could edit a text file with a build-in editor)
Update no. 2 | 05/12/2011
I am now sure after some (more) tests, it's the vold daemon.
To mount a exfat volume, the configuration /system/etc/vold.fstab needs modification.
DO NOT MOUNT A VOLUME WITHOUT MODIFICATION
vold (version 2) is locked to VFAT/FAT32 volumes. Earlier versions had support for ext(2/3/4 ???) volumes too, this was removed by Google and/or Samsung (don't know).
Sadly I can't find a documentation for vold2 and I am stuck here. Because for replacing the "external_sd" from FAT32 to exFAT it's also necessary that vold2 recognizes the card correctly. (Because of the "asec" mounts for Apps2SD).
Perhaps it's possible to map this mounts to the internal sdcard (setting asec = enable in vold.fstab), but I haven't tried this yet.
Conclusion: It's possible to mount such exFAT volume with some restrictions and with modification of the vold.fstab.
Specs:
/data/bin/dumpexfat /dev/block/mmcblk1p1
dumpexfat 0.9.5
Volume label
Volume serial number 0xb965fe93
FS version 1.0
Sector size 512
Cluster size 32768
Sectors count 25173456
Free sectors 25169728
Clusters count 393284
Free clusters 393277
First sector 0
FAT first sector 128
FAT sectors count 3136
First cluster sector 3264
Root directory cluster 5
Volume state 0x0000
FATs count 1
Drive number 0x80
Allocated space 0%
Please no questions about the values, there is a second ext4 partition on the card...
So the configuration in vold.fstab and perhaps some other files have to be changed. I have nearly no knowledge with "void". Is a expert out there?
From command line a short speed test shows this result (no other GUI test possible in the moment):
/data/bin/hdparm -tT /dev/block/mmcblk1p1
/dev/block/mmcblk1p1:
Timing cached reads: 228 MB in 2.01 seconds = 113.27 MB/sec
Timing buffered disk reads: 36 MB in 3.02 seconds = 11.92 MB/sec
Card: Patriot 16 GB Class 10, no OC

RESERVED
Reserved...

Did you test the overhead of a FUSE filesystem on Android? As far I know the performance may be sub-optimal because of the overhead of using a filesystem on userspace mode. The Tuxera driver uses kernel mode and is very optimized, but as far I know it's only for OEM's that want to license the module for their devices.
Anyway, very interesting, mainly because exFAT is the default filesystem for SDXC.

z3r0n3 said:
Did you test the overhead of a FUSE filesystem on Android? As far I know the performance may be sub-optimal because of the overhead of using a filesystem on userspace mode. The Tuxera driver uses kernel mode and is very optimized, but as far I know it's only for OEM's that want to license the module for their devices.
Anyway, very interesting, mainly because exFAT is the default filesystem for SDXC.
Click to expand...
Click to collapse
No, I have not tested this. It will be one of the next steps if there is a solution for the problem I wrote about. In the moment I don't know if it's kernel related, rom/vold related or anything other. But I think it should have less overhead than NTFS in userspace, surely more than FAT32. Please read the comments about speed at http://code.google.com/p/exfat/updates/list And yes, the Tuxera driver is not for us "end users". Perhaps Samsung will give us a present in the next official ROM release

z3r0n3 said:
Did you test the overhead of a FUSE filesystem on Android? As far I know the performance may be sub-optimal because of the overhead of using a filesystem on userspace mode. The Tuxera driver uses kernel mode and is very optimized, but as far I know it's only for OEM's that want to license the module for their devices.
Anyway, very interesting, mainly because exFAT is the default filesystem for SDXC.
Click to expand...
Click to collapse
I also did not test it . However, it should be comparable to a desktop machine (taking the slower CPU into account). My NTFS-3G experience for several years has shown it is actually pretty fast, but takes up a lot of CPU time if high fragmentation is present. Nevertheless, I think the throughput (with our devices CPU) will still be much higher than writing to SD-card in most cases.
And yes, although Linus said FUSE-filesystems are just toys, http://www.spinics.net/lists/linux-fsdevel/msg46078.html, they are very fast and stable toys in my experience.
I think we will not see an open-source kernel-module for exFAT / NTFS-3G in the near future. For one, there is the licensing-issue (which will be much more of a problem if it is included in the kernel-sources / can be built against them), and on the other hand, it always took some YEARS time until a new filesystem was reliable enough to warrant an accepted kernel module. After all, btrfs is just becoming widely accepted and stable after 4 years of development (and a shorter time in-kernel). And this is expected to be the next-gen filesystem for linux, and as such the focus of development. With the correct mount-options, it should also be nice to SD-cards . Maybe there will be some time to try it when kernel 3.1 (with the 'stable' version) comes to our phones.
So for the next years, the FUSE-solution is the best we can get, and for Android, the most compatible one across kernels and devices (it only needs a kernel-dependent kernel-module in addition to whats cooking here, after all). The perfomance graphs by Tuxera on their site even show that their fuse-exFAT is faster than in-kernel FAT, so I guess we should not worry about performance even with the open-source beta implementation. Maybe battery life could be an issue if CPU-usage spikes when copying large files, that might be worth some testing.
I'm personally not switching to exFAT in the near future, but will watch this thread and might do some experiments in some weeks when I have more time .
Thanks for the good work, smitna!

olifee said:
I also did not test it . However, it should be comparable to a desktop machine (taking the slower CPU into account). My NTFS-3G experience for several years has shown it is actually pretty fast, but takes up a lot of CPU time if high fragmentation is present. Nevertheless, I think the throughput (with our devices CPU) will still be much higher than writing to SD-card in most cases.
And yes, although Linus said FUSE-filesystems are just toys, http://www.spinics.net/lists/linux-fsdevel/msg46078.html, they are very fast and stable toys in my experience.
I think we will not see an open-source kernel-module for exFAT / NTFS-3G in the near future. For one, there is the licensing-issue (which will be much more of a problem if it is included in the kernel-sources / can be built against them), and on the other hand, it always took some YEARS time until a new filesystem was reliable enough to warrant an accepted kernel module. After all, btrfs is just becoming widely accepted and stable after 4 years of development (and a shorter time in-kernel). And this is expected to be the next-gen filesystem for linux, and as such the focus of development. With the correct mount-options, it should also be nice to SD-cards . Maybe there will be some time to try it when kernel 3.1 (with the 'stable' version) comes to our phones.
So for the next years, the FUSE-solution is the best we can get, and for Android, the most compatible one across kernels and devices (it only needs a kernel-dependent kernel-module in addition to whats cooking here, after all). The perfomance graphs by Tuxera on their site even show that their fuse-exFAT is faster than in-kernel FAT, so I guess we should not worry about performance even with the open-source beta implementation. Maybe battery life could be an issue if CPU-usage spikes when copying large files, that might be worth some testing.
I'm personally not switching to exFAT in the near future, but will watch this thread and might do some experiments in some weeks when I have more time .
Thanks for the good work, smitna!
Click to expand...
Click to collapse
I have some bad experiences with NTFS-3g on my netbook. Trying to transfer a large number of files from my netbook (running Arch Linux) to my external HDD (that is NTFS) and the transfer was slow and my CPU time are always on 100%. That's why I asked if it was tested, because I don't really know if FUSE is suitable for embedded devices. But yeah, the only way to know is to test, and it's still too early for that .
But licensing is really a issue? I know that Linux have module to read a NTFS partition (but not write, this is why we have NTFS-3g) and there was some work for a read-only module for exFAT too (sadly, it didn't get much attention).
Anyway, I'm not switching for exFAT too anyway and I don't know how they aprove exFAT as the default filesystem on SDXC cards, but it's important anyway and will be critical somewhere in the future to have support to this filesystem.

First of all, thanks for your work on this. I was shocked to discover that my SGS2 wouldn't support any filesystems that support large files on external sdcards. I was able to get your solution working in the sense that I could format an sdcard with exfat, mount it, write to it, and unmount it. Awesome! I am having one serious problem though: After editing the vold.fstab and rebooting, I get constant FCs after trying to install any APKs. It doesn't matter if I have my external_sd mounted or not. And these are not apps that are trying to install to the sdcard. Any ideas?
I've got the AT&T version of the SGS2 (i777), but I'm running Siyah's latest kernel. The FCs just say it's the media process.

dildano said:
First of all, thanks for your work on this. I was shocked to discover that my SGS2 wouldn't support any filesystems that support large files on external sdcards. I was able to get your solution working in the sense that I could format an sdcard with exfat, mount it, write to it, and unmount it. Awesome! I am having one serious problem though: After editing the vold.fstab and rebooting, I get constant FCs after trying to install any APKs. It doesn't matter if I have my external_sd mounted or not. And these are not apps that are trying to install to the sdcard. Any ideas?
I've got the AT&T version of the SGS2 (i777), but I'm running Siyah's latest kernel. The FCs just say it's the media process.
Click to expand...
Click to collapse
Sorry for my later answer!
This should be nevertheless a problem with the app2sd service and I have no solution for this. My thread here is only a howto, nothing for the "daily to use"...
I also don't know why there is no other selectable alternative file system for "us users" to use for the external card by default and not FAT32.
The media service depends on the vold daemon to my knowledge. So I cannot recomment this for the default external sdcard, because of the media service scans. If you want to store larger files (e.g. video files), you should better split your sdcard in one FAT32 partition and an additional ext2/3/4 partition. On this partition there is no 4 GB limit. The "media scanner" will not scan the files (videos etc.) on the partition, but you can choose the videos from your favorite player with the file chooser.
Hope this helps you a little bit.

Thanks for the response. I was actually trying out multiple partitions over the weekend to no avail. Granted, I was trying a combination of FAT32 and NTFS. It would actually work for a while until the NTFS partition would appear to get corrupted. I thought about ext2, but my understanding is that Samsung somehow disabled ext* support for external SD cards. Is that not the case? Anyway, I'm surprised that more folks haven't caught onto your work here because storing large files seems to be a fairly common issue for SGS2 users.

dildano said:
Thanks for the response. I was actually trying out multiple partitions over the weekend to no avail. Granted, I was trying a combination of FAT32 and NTFS. It would actually work for a while until the NTFS partition would appear to get corrupted. I thought about ext2, but my understanding is that Samsung somehow disabled ext* support for external SD cards. Is that not the case? Anyway, I'm surprised that more folks haven't caught onto your work here because storing large files seems to be a fairly common issue for SGS2 users.
Click to expand...
Click to collapse
I am using an ext3 partition with deactivated journalling and noatime option on the sdcard since months without problems. Of course I have also a FAT32 partition on the card to stay compatible with vold and media scanner. With a start script it is mounted after every phone restart.

OK, I must have misunderstood. So is it just that vold will not allow us to automatically mount ext* partitions? I'll try it with a script as soon as I can get some time. Thanks.

I would like to try this, for use connecting my camera which has a exfat formatted sdxc card in it via OTG. But have a couple questions since I can't test at this moment.
1: Do the binaries work on a ICS build (Siyah Kernel) or do they need updated?
2: Do I have to make any vold.fstab changes to prevent FS damage when using a OTG cable or is that just external sd?
3: If I have to make the changes will other devices (not memory) work normal without manual interaction?

shadowofdarkness said:
I would like to try this, for use connecting my camera which has a exfat formatted sdxc card in it via OTG. But have a couple questions since I can't test at this moment.
1: Do the binaries work on a ICS build (Siyah Kernel) or do they need updated?
2: Do I have to make any vold.fstab changes to prevent FS damage when using a OTG cable or is that just external sd?
3: If I have to make the changes will other devices (not memory) work normal without manual interaction?
Click to expand...
Click to collapse
Hello, I am still on GB, but I guess it should work on ICS too.
If ICS (or better the vold daemon) has not changed its behavior you have to modify vold.fstab to prevent damages. To do this, you have to disable automounting the exfat OTG device (commenting out the part for OTG and reboot). The other partitions (internal and external memory should work like before). Then mount your camera card manually. But be very careful with your data/pictures!

Hello, I'm working on an HTC Mazaa with Windows Phone and inside a partition I've found several times the EXFAT header, so I'm trying to mount it, but looks like it's EXFAT 2.0, while your implementation covers only 1.0.
Do you know if it's somehow possible to mount EXFAT 2.0? On Windows, on Linux, modifying your tool, whatever!
Here's the header:
Code:
012f7400 eb 76 90 45 58 46 41 54 20 20 20 00 00 00 00 00 |.v.EXFAT .....|
012f7410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
012f7440 00 00 00 00 00 00 00 00 00 1b 00 00 00 00 00 00 |................|
012f7450 20 00 00 00 36 00 00 00 8c 00 00 00 74 1a 00 00 | ...6.......t...|
012f7460 02 00 00 00 94 01 eb 07 00 02 10 00 09 00 02 80 |................|
012f7470 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
012f7480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
012f75f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
012f7600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
012f77f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
012f7800
Thanks!

WhiteTrap said:
Hello, I'm working on an HTC Mazaa with Windows Phone and inside a partition I've found several times the EXFAT header, so I'm trying to mount it, but looks like it's EXFAT 2.0, while your implementation covers only 1.0.
Do you know if it's somehow possible to mount EXFAT 2.0? On Windows, on Linux, modifying your tool, whatever!
Here's the header:
Code:
012f7400 eb 76 90 45 58 46 41 54 20 20 20 00 00 00 00 00 |.v.EXFAT .....|
012f7410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
012f7440 00 00 00 00 00 00 00 00 00 1b 00 00 00 00 00 00 |................|
012f7450 20 00 00 00 36 00 00 00 8c 00 00 00 74 1a 00 00 | ...6.......t...|
012f7460 02 00 00 00 94 01 eb 07 00 02 10 00 09 00 02 80 |................|
012f7470 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
012f7480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
012f75f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
012f7600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
012f77f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
012f7800
Thanks!
Click to expand...
Click to collapse
I don't think that I can give you a good answer, sorry. It's not my tool, it's the exFAT driver from http://code.google.com/p/exfat/, the latest is fuse-exfat-0.9.7.tar.gz and I don't see any notes for a "version 2" in the ChangeLog. Are you really sure about the version? If there is a version 2, I guess it's more than only a change to the header.
I recommend you to post the question in the mailing list https://groups.google.com/group/exfat?hl=en. It is rumored that exFAT works natively on the new S3, but I don't know if this will be true and I have strong doubts that Samsung will release the sources of the driver.

smitna said:
I don't think that I can give you a good answer, sorry. It's not my tool, it's the exFAT driver from http://code.google.com/p/exfat/, the latest is fuse-exfat-0.9.7.tar.gz and I don't see any notes for a "version 2" in the ChangeLog. Are you really sure about the version? If there is a version 2, I guess it's more than only a change to the header.
I recommend you to post the question in the mailing list https://groups.google.com/group/exfat?hl=en. It is rumored that exFAT works natively on the new S3, but I don't know if this will be true and I have strong doubts that Samsung will release the sources of the driver.
Click to expand...
Click to collapse
It's fuse-exfat itself that says the version is 2.0. I'll try on the ML, but looks like there are big differences. If I make fuse-exfat ignore the fact that it's 2.0 it says that there are 2 FAT, which I think non-banal modifications to the implementation.
Thanks!

Seems that exFAT 2.0 is (or is very similar to) TexFAT.

I just wanted to say thanks I just tested this and the binaries works great on ICS 4.0.3 (LPG) using Siyah Kernel.
I plugged in my Panasonic Lumix TS2 digital camera with a 64GB sdxc card and was able to mount it fine on my S II with a OTG cable.

shadowofdarkness said:
I just wanted to say thanks I just tested this and the binaries works great on ICS 4.0.3 (LPG) using Siyah Kernel.
I plugged in my Panasonic Lumix TS2 digital camera with a 64GB sdxc card and was able to mount it fine on my S II with a OTG cable.
Click to expand...
Click to collapse
Fine and thanks for sharing your experience! It's good to hear that the driver is useful for you.

I have galaxy s3 and the 64 gb exfat formatted card works on the stock rom of it.
But when i switch to custom rom which are not based on galaxy s3 own stock rom the card stops working.
No other rom beside galaxy s3's own come with exfat driver. so i was wondering if i use this in custom rom as for now its Cyanogenmod 10, would this mod of yours work?
please let me know.
thanks.

I ran the following command while ssh'ed into my Atrix 4G and do not understand why it contains only ff's or 00's for entire partition (no executable code)???
dd if=/dev/block/mmcblk0p1 of=bootloader_mmcblk0p1.img
/mnt/sdcard-ext/root_recovery_orig # uname -a
Linux localhost 2.6.32.9 #3 SMP PREEMPT Thu Sep 22 10:52:13 CST 2011 armv7l GNU/Linux
/mnt/sdcard-ext/root_recovery_orig # ls -al
total 40193
----rwxr-x 1 system sdcard_r 3670016 Nov 30 10:37 bootloader_mmcblk0p1.img
scp'ed bootloader_mmcblk0p1.img to my linux box and ran the following commands:
# hexdump -C bootloader_mmcblk0p1.img
00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00000800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00380000
# strings bootloader_mmcblk0p1.img
NO Strings found because entire partition only contains ff or 00
Follows is the strings command on the dd'ed boot.img for a sanity check.
# strings boot.img | less
ANDROID!p
-- System halted
ran out of input data
Malloc error
Out of memory
incomplete literal tree
incomplete distance tree
bad gzip magic numbers
internal error, invalid method
Input is encrypted
Multi part input
Input has invalid flags
invalid compressed format (err=1)
invalid compressed format (err=2)
out of memory
invalid compressed format (other)
crc error
length error
Uncompressing Linux...
done, booting the kernel.
NOTE: remainder of strings command output not shown.....
Questions:
/dev/block/mmcblk0p1 is the bootloader partition?
If so, why does it appear to not have any executable code?
Is dd being tricked in some way and NOT actually getting the content of partition 1?
If so, is there anyway to dd the actual content of partition 1?
Somewhat off topic but related questions:
Assuming the bootloader is signed where is the PKI public key/Digital Certificate/Digital Signature/hashing algorithm stored on the phone? How are they protected?
Is there a pre-bootloader that checks the Digital Signature of the bootloader partition? If so, where is the pre-bootloader located? How is it protected from tampering?
Regards, Ron

Is the bootloader available via busybox dd from the phone?
I sure would like to examine/backup the content of the Motorola Atrix 4g delivered bootloader code. Is there any way of getting a copy of it from the phone using DD (or any other method from a rooted/NOT unlocked phone)?? I thought at least part of the bootloader was in partition 1 of the on board EMMC NAND flash /dev/block/mmcblk0p1?? It appears the bootloader code is either NOT in partition 1 or DD is NOT allowed to access the code. I am basically trying to understand what happens in the VERY first stages of the boot process after power on (in detail).
Signed Confused, Ron
PS, I assume some of the developers (with great knowledge) views this forum from time to time?

Hi
I just changed some stuff like images in a kernel using Android Kernel Kitchen 0.3.1.
Now I wanna test my changes.
My questions is->
What are worst case scenarios possible?
I am ready to go for boot loops and etc. but are there any consequences that may cause real hard brick of my phone? (Like---> it will never start again! or you need to take it to service center for repair!)?

Jaskaran498 said:
Hi
I just changed some stuff like images in a kernel using Android Kernel Kitchen 0.3.1.
Now I wanna test my changes.
My questions is->
What are worst case scenarios possible?
I am ready to go for boot loops and etc. but are there any consequences that may cause real hard brick of my phone? (Like---> it will never start again! or you need to take it to service center for repair!)?
Click to expand...
Click to collapse
What you can expect are boot loops, inability to get even see the boot splash, non-working wifi/ USB / touch / camera/ anything that needs a driver, random reboots. Personal experience: yesterday I was playing with changing part of the initramfs without changing the whole boot.img. It turns out that I needed to update the header size and checksum. Without this, it would hang for some seconds and then reboot (or not start at all). This was all fixable from recovery.
What can happen if you are not careful is a brick because you flash the wrong partition. Otherwise, you can always enter recovery mode and flash the kernel (for the i9300, it is mmcblk0p5). If you are not sure, look for the magic ANDROID! header:
Code:
# dd bs=64 count=1 if=/dev/block/mmcblk0p5 2>/dev/null | hexdump -C
00000000 41 4e 44 52 4f 49 44 21 80 bc 44 00 00 80 00 40 |[email protected]|
00000010 2e 1e 05 00 00 00 00 41 00 00 00 00 00 00 f0 40 |[email protected]|
00000020 00 01 00 40 00 08 00 00 00 00 00 00 00 00 00 00 |[email protected]|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040
So, the absolute worst-case scenario is when you accidentally flash the wrong partition. If you picked your EFS partition and do not have a backup, then your IMEI and stuff are gone.
Note: be sure not to wipe your recovery partition (mmcblk0p6), that requires you restore the recovery using download mode (I have not experienced this yet).

Lekensteyn said:
What you can expect are boot loops, inability to get even see the boot splash, non-working wifi/ USB / touch / camera/ anything that needs a driver, random reboots. Personal experience: yesterday I was playing with changing part of the initramfs without changing the whole boot.img. It turns out that I needed to update the header size and checksum. Without this, it would hang for some seconds and then reboot (or not start at all). This was all fixable from recovery.
What can happen if you are not careful is a brick because you flash the wrong partition. Otherwise, you can always enter recovery mode and flash the kernel (for the i9300, it is mmcblk0p5). If you are not sure, look for the magic ANDROID! header:
Code:
# dd bs=64 count=1 if=/dev/block/mmcblk0p5 2>/dev/null | hexdump -C
00000000 41 4e 44 52 4f 49 44 21 80 bc 44 00 00 80 00 40 |[email protected]|
00000010 2e 1e 05 00 00 00 00 41 00 00 00 00 00 00 f0 40 |[email protected]|
00000020 00 01 00 40 00 08 00 00 00 00 00 00 00 00 00 00 |[email protected]|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040
So, the absolute worst-case scenario is when you accidentally flash the wrong partition. If you picked your EFS partition and do not have a backup, then your IMEI and stuff are gone.
Note: be sure not to wipe your recovery partition (mmcblk0p6), that requires you restore the recovery using download mode (I have not experienced this yet).
Click to expand...
Click to collapse
Kk, thanks.
But what do i do if it does not start at all like u said (what i want is that it should at least be able start in recovery or download if possible).
Since its my first time messing with kernel, i am total n00b then

If it cannot proceed to the "normal" boot, then get into recovery by holding Volume Up + Power + Home for ten seconds while booting (I usually do that when I see the Samsung logo end release when it has restarted, showing the logo again (about ten seconds).
From there, use Install from zip (if you have a "update zip" that contains boot.img and some metadata) or (what I do) use adb push to put the image in /tmp/. Then use dd to write the boot image. Example (I use Linux):
Code:
laptop$ adb push boot-new.img /tmp/boot.img
laptop$ adb shell
# cat /tmp/boot.img > /dev/block/mmcblk0p5
Just in case of hardware failure, I also verify the md5sum:
Code:
laptop$ md5sum boot-new.img
laptop$ du -b boot-new.img # determine file size, say 1234
(android) # dd if=/dev/block/mmcblk0p5 bs=1234 count=1 | md5sum
The two outputs must match, otherwise something went wrong (unlikely, but still).

Lekensteyn said:
If it cannot proceed to the "normal" boot, then get into recovery by holding Volume Up + Power + Home for ten seconds while booting (I usually do that when I see the Samsung logo end release when it has restarted, showing the logo again (about ten seconds).
From there, use Install from zip (if you have a "update zip" that contains boot.img and some metadata) or (what I do) use adb push to put the image in /tmp/. Then use dd to write the boot image. Example (I use Linux):
Code:
laptop$ adb push boot-new.img /tmp/boot.img
laptop$ adb shell
# cat /tmp/boot.img > /dev/block/mmcblk0p5
Just in case of hardware failure, I also verify the md5sum:
Code:
laptop$ md5sum boot-new.img
laptop$ du -b boot-new.img # determine file size, say 1234
(android) # dd if=/dev/block/mmcblk0p5 bs=1234 count=1 | md5sum
The two outputs must match, otherwise something went wrong (unlikely, but still).
Click to expand...
Click to collapse
I know all this but what i m saying is that can there be conditions where neither i will be able to boot recovery nor download (even by volume+power+home method)?

Unless you do really stupid things like overwriting /dev/block/mmcblk0 or other partitions on http://cleanimport.xda/index.php?threads/2362743/, you will be safe.

Jaskaran498 said:
I know all this but what i m saying is that can there be conditions where neither i will be able to boot recovery nor download (even by volume+power+home method)?
Click to expand...
Click to collapse
Recovery has it's own kernel. It doesn't use the one you're modifying
-----------------------
Sent via tapatalk.
I do NOT reply to support queries over PM. Please keep support queries to the Q&A section, so that others may benefit

Hi all,
For some reason I want to modify the bootloader on my device(Lenovo Zuk Z2 plus, which has SnapDragon 820, MSM8996). I have research a little bit and got a snippet of assembly code that I believe appears in the bootloader, and I hope to replace.
So I believe the xbl.elf file in the stock ROM, which is to be flashed by QPST, is the bootloader I hope to hack. My plan:
1. Interpret the file xbl.elf
2. find the snippet of code I hope to replace
3. replace the snippet of binary with some cooler binary.
So here is the result of `readelf -a xbl.elf`:
Code:
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: AArch64
Version: 0x1
Entry point address: 0x6213f10
Start of program headers: 64 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 17
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no sections to group in this file.
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
NULL 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x00000000000003f8 0x0000000000000000 0
NULL 0x0000000000001000 0x0000000085eec000 0x0000000085eec000
0x0000000000001b48 0x0000000000002000 1000
LOAD 0x0000000000003000 0x0000000006208000 0x0000000006208000
0x00000000000567b4 0x00000000000567b4 R E 10000
LOAD 0x00000000000597c0 0x000000000625f000 0x000000000625f000
0x0000000000009a58 0x0000000000009a58 RW 10000
LOAD 0x0000000000063220 0x000000000626a000 0x000000000626a000
0x0000000000000000 0x00000000000052a8 RW 10000
LOAD 0x0000000000063220 0x0000000085e00000 0x0000000085e00000
0x0000000000000000 0x0000000000024da0 RW 10000
LOAD 0x0000000000063220 0x0000000006680000 0x0000000006680000
0x00000000000029d0 0x00000000000029d0 R E 10000
LOAD 0x0000000000065bf0 0x0000000006683000 0x0000000006683000
0x0000000000000694 0x0000000000000694 RW 10000
LOAD 0x0000000000066290 0x000000000021e000 0x000000000021e000
0x0000000000005e54 0x0000000000005e54 R E 10000
LOAD 0x000000000006c0f0 0x00000000066a2000 0x00000000066a2000
0x0000000000000000 0x0000000000012400 RW 10000
LOAD 0x000000000006c0f0 0x0000000085e80000 0x0000000085e80000
0x00000000000282ee 0x00000000000282ee R E 10000
LOAD 0x00000000000943e0 0x0000000085ec0000 0x0000000085ec0000
0x000000000002b9a0 0x000000000002b9a0 RW 10000
LOAD 0x00000000000bfd80 0x0000000085eb0000 0x0000000085eb0000
0x0000000000000000 0x00000000000099e8 RW 10000
LOAD 0x00000000000bfd80 0x0000000080200000 0x0000000080200000
0x00000000000f0000 0x00000000000f0000 RWE 1000
LOAD 0x00000000001afd80 0x0000000000207000 0x0000000000207000
0x000000000000ebe1 0x000000000000ebe1 R E 10000
LOAD 0x00000000001be970 0x0000000000217800 0x0000000000217800
0x00000000000004c8 0x00000000000004c8 RW 10000
LOAD 0x00000000001bee40 0x0000000000219800 0x0000000000219800
0x0000000000000000 0x00000000000001d0 RW 10000
There is no dynamic section in this file.
There are no relocations in this file.
The decoding of unwind sections for machine type AArch64 is not currently supported.
Dynamic symbol information is not available for displaying symbols.
No version information found in this file.
So as you can see, this elf file is quite uncommon. Anyone has any idea how to interpret this file? Thanks!

Solved
Nevermind, I simply regard this file as binary and disemble it:
aarch64-linux-gnu-objdump -b binary -D xbl.elf -maarch64
And the assembly is crystally clear!

In the spirit of the old TriangleAway here is how you can make the "FC N" disappear from your unlocked bootloader screen. The N is a number that gets bumped every time you "fastboot flash". This method requires a root shell, if you have busybox installed (e.g. from the Magisk module) it can done 100% on phone. Could help you out if you ever need warrantee service, or just don't like seeing the bootloader count how many times you've messed with the phone.
Code:
OnePlus7TProNR:/sdcard # dd if=/dev/block/by-name/param of=param.dd
2048+0 records in
2048+0 records out
1048576 bytes (1.0 M) copied, 0.017794 s, 56 M/s
# xxd -g 1 param.dd > param.xxd
Now use an editor (vim, nano, whatever) to look for this line in the file:
Code:
00003420: 00 00 00 00 01 00 00 00 01 00 00 00 17 00 00 00 ................
The flash counter is stored in the first non-zero bytes. Change them to zero like this:
Code:
00003420: 00 00 00 00 00 00 00 00 01 00 00 00 17 00 00 00 ................
Finally, flash the partition back, and voila, the "FC" line is gone from the bootloader. Note, these steps would have to be repeated every time you fastboot flash something.
Code:
OnePlus7TProNR:/sdcard # dd if=/dev/block/by-name/param of=param.dd
2048+0 records in
2048+0 records out
1048576 bytes (1.0 M) copied, 0.017794 s, 56 M/s
# xxd -r param.xxd > param-0.dd
# dd if=param-0.dd of=/dev/block/by-name/param

Wait....so does this get rid of the unlocked bootloader screen altogether?

lendawg said:
Wait....so does this get rid of the unlocked bootloader screen altogether?
Click to expand...
Click to collapse
No. Once you've used a "fastboot flash" command, you'll see a line on the bootloader/fastboot screen that says "FC 1".
If you fastboot flash something else, it increases to "FC 2" and so on. I think it persists even if you re-lock the bootloader as an indicator to the manufacturer and carrier that you've messed with your phone, and how many times.
This technique will make that counter go away, making it easier to re-lock the bootloader and make the phone appear unmodified, in case you ever need warrantee service.

There used to be a tool called "Triangle Away" that did something similar a few years ago, but it isn't supported anymore. But this technique does the same thing, you can read more about it here:
https://forum.xda-developers.com/galaxy-s2/orig-development/2014-01-15-triangleaway-v3-26-t1494114

This is just to remove the counter . Any warranty work will probably still be denied seeing you phone is on record as unlocked bootloader when you submit for the unlock.bin. And I'm sure the well I got the unlock.bin but never used it line will not work lol