The bash script in the post before could be used for dumps which have no ECC data!
I think (because of this link, http://www.anandtech.com/show/4029/the- ... x-review/3 ) that the internal NAND controller of the SoC is using BCH ECC.
But I can't try it, because my dump hasn't any ECC data at all.
I think the suitable Linux NAND controller driver for the CE4150 can be found here:
http://git.kernel.org/?p=linux/kernel/g ... d/denali.c
NAND Flash question
Re: NAND Flash question
If you take the kernel.img for example out of an update (not the Honeycomb one),
then the structure is as follows:
From 0x00 to 0x18 the pattern is equal, then 3 bytes which look like the total size (but a bit bigger!?!), then 0x1c to 0x47f is also equal!
The following pattern is maybe a hash or signing signature (should be a signature) and is 0x100 big.
Afterwards ANDROID! follows, which is the magic pattern described here:
http://android.git.kernel.org/?p=platfo ... 3f;hb=HEAD
Update:
Most of this information can also be found here:
http://www.gtvhacker.com/index.php/Startup
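As an added example (not code from the thread), a Python check for the kernel.img wrapper described above: it locates the ANDROID! magic instead of trusting the 0x480 offset, then parses the standard Android boot image header (bootimg.h, linked above) to verify that the declared sections fit in the remaining data. The sample image, its 0x480-byte wrapper and its load addresses are constructed here.

```python
import struct

ANDROID_MAGIC = b"ANDROID!"
# Fixed part of the Android boot image header (bootimg.h, linked above):
# magic[8], kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
# second_size, second_addr, tags_addr, page_size, unused[2]; LE 32-bit words.
BOOT_HDR = struct.Struct("<8s10I")


def wrapper_length(img: bytes) -> int:
    """Offset of ANDROID! = length of the vendor wrapper, or -1 if absent.
    The post strips 0x480 bytes; searching avoids trusting that constant."""
    return img.find(ANDROID_MAGIC)


def strip_wrapper(img: bytes) -> bytes:
    """Return the bare Android boot image (what the poster fed to qemu)."""
    off = wrapper_length(img)
    if off < 0:
        raise ValueError("no ANDROID! magic found")
    return img[off:]


def check_boot_image(boot: bytes) -> dict:
    """Parse the header and check that the declared sections fit in the data."""
    f = BOOT_HDR.unpack_from(boot, 0)
    magic, kernel_size, _, ramdisk_size, _, second_size, _, _, page_size = f[:9]
    if magic != ANDROID_MAGIC or page_size == 0 or page_size & (page_size - 1):
        raise ValueError("not a sane Android boot header")

    def pages(n: int) -> int:  # every section is padded to page_size
        return (n + page_size - 1) // page_size

    need = page_size * (1 + pages(kernel_size) + pages(ramdisk_size) + pages(second_size))
    return {"kernel_size": kernel_size, "ramdisk_size": ramdisk_size,
            "second_size": second_size, "page_size": page_size,
            "expected_len": need, "fits": need <= len(boot)}


def build_sample() -> bytes:
    """Constructed image: 0x480-byte wrapper (the thread's observation) around a
    tiny boot image with 2 KiB pages, a 4 KiB kernel and a 1 KiB ramdisk.
    Load addresses are arbitrary placeholders, not the Revue's real ones."""
    page = 0x800
    hdr = BOOT_HDR.pack(ANDROID_MAGIC, 0x1000, 0x10008000, 0x400, 0x11000000,
                        0, 0, 0x10000100, page, 0, 0)
    boot = hdr.ljust(page, b"\0") + (b"K" * 0x1000).ljust(2 * page, b"\0") + b"R" * 0x400
    return b"\x5a" * 0x480 + boot.ljust(4 * page, b"\0")
```

Run `check_boot_image(strip_wrapper(open("kernel.img", "rb").read()))` on a real image; a `fits` of False means the header was cut in the wrong place or the image is truncated.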
Re: NAND Flash question
It is possible to boot the kernel with qemu if the header is deleted.
I also tried to boot the cefdk-logitech_ka3.bin included inside 439c26f6af05.mp-signed-ota_update-b39389.zip,
but that doesn't work out of the box (deleted the first 0x480 bytes) as far as I see.
Inside this cefdk strings are contained; are they visible during boot or is it disabled?
The header of cefdk-logitech_ka3.bin also has a structure like kernel.img, for example, but not exactly the same.
Is it known what the number inside the mbr means?
In my dump at 0x00 is written:
0B B0 AD DE 0F 00 01 A9
and at 0x200:
DE 26 FA CB 9A 29 D6 2D CC F6 BA 09 B8
Can someone confirm this; is it everywhere the same?
It is repeated with offset 0x40000, so this is available 8 times!
some pics of my setup:
http://i53.tinypic.com/mlktnk.jpg
http://i53.tinypic.com/2z3npmq.jpg
Re: NAND Flash question
Following your progress. I envy your desoldering toys and debugging tools. Lacking those tools, I can't help (yet). I thought cefdk files were encrypted. Did you find they were still encrypted in NAND?
Re: NAND Flash question
The update 439c26f6af05.mp-signed-ota_update-b39389.zip (a proper link can be found on the wiki) has an un-encrypted version of the boot-loader for pre-Honeycomb. Honeycomb actually updates the boot-loader to handle the encrypted recovery, so the boot-loader pcgeil is working with is the one from 2.1. You can also find a copy of the un-encrypted boot-loader in memory by dumping /dev/mem. We actually should probably start a thread for people to discuss disassembling it.
Thanks,
Zenofex
Re: NAND Flash question
So, new version for splitting the dump:
Info:
cefdk and mbr are repeated 8 times at (0x000000, 0x040000, 0x080000, 0x0C0000, 0x100000, 0x140000, 0x180000 and 0x1C0000)
fts and splash are repeated 4 times at (0x000000, 0x040000, 0x080000, 0x0C0000)
but fts is not exactly the same in my dump: 0x200 to 0x20f changes after the repetition
If anyone else has a dump, please validate my results.
#!/bin/bash
# copyright: pcgeil
# (c) 2011 progged for GTV revue
# Expects a raw NAND dump without OOB/ECC data (see the first post in this thread);
# offsets in the comments are byte offsets into that dump.
echo "progged for gtv revue by pcgeil (c) 2011"
echo "revision 0.1"
echo ""
dumpFile="nand.dump"
outputDir="dump"
outputName="${outputDir}/test"
doSplit=1   # set to 0 to skip the split and only run the repetition checks
# bash check if directory exists
if [ -d "$outputDir" ]; then
    echo "directory exists"
else
    echo "directory does not exist, creating it now"
    mkdir "$outputDir"
fi
if [ "$doSplit" = "1" ]; then
    # dump mbr 0x00000000-0x00200000
    dd if="$dumpFile" of="${outputName}.mbr" count=8192 bs=256 > /dev/null 2>&1
    # dump cefdk 0x00200000-0x00a00000
    dd if="$dumpFile" of="${outputName}.cefdk" count=32768 bs=256 skip=8192 > /dev/null 2>&1
    # dump redboot 0x00a00000-0x00c00000
    dd if="$dumpFile" of="${outputName}.redboot" count=8192 bs=256 skip=40960 > /dev/null 2>&1
    # dump cefdk-config 0x00c00000-0x00e00000
    dd if="$dumpFile" of="${outputName}.cefdk-config" count=8192 bs=256 skip=49152 > /dev/null 2>&1
    # dump splash 0x01000000-0x01800000
    dd if="$dumpFile" of="${outputName}.splash" count=16384 bs=512 skip=32768 > /dev/null 2>&1
    # dump fts 0x01800000-0x01900000
    dd if="$dumpFile" of="${outputName}.fts" count=2048 bs=512 skip=49152 > /dev/null 2>&1
    # dump recovery 0x01900000-0x02d00000
    dd if="$dumpFile" of="${outputName}.recovery" count=40960 bs=512 skip=51200 > /dev/null 2>&1
    # dump kernel 0x02d00000-0x03200000
    dd if="$dumpFile" of="${outputName}.kernel" count=10240 bs=512 skip=92160 > /dev/null 2>&1
    # dump boot 0x03200000-0x07200000
    dd if="$dumpFile" of="${outputName}.boot" count=131072 bs=512 skip=102400 > /dev/null 2>&1
    # dump system 0x07200000-0x1f200000
    dd if="$dumpFile" of="${outputName}.system" count=786432 bs=512 skip=233472 > /dev/null 2>&1
    # dump data 0x1f200000-0x3fa00000
    dd if="$dumpFile" of="${outputName}.data" count=1064960 bs=512 skip=1019904 > /dev/null 2>&1
    # dump keystore 0x3fa00000-0x3ff00000
    dd if="$dumpFile" of="${outputName}.keystore" count=10240 bs=512 skip=2084864 > /dev/null 2>&1
    # dump bbt 0x3ff00000-0x40000000
    dd if="$dumpFile" of="${outputName}.bbt" count=2048 bs=512 skip=2095104 > /dev/null 2>&1
    echo "dump was split successfully"
fi
echo ""
echo "extract repetition out of files (mbr and cefdk)"
# extract repetition of cefdk and mbr (8 times, one 0x40000-byte copy each)
for i in 0 1 2 3 4 5 6 7; do
    dd if="${outputName}.cefdk" of="${outputName}_${i}.cefdk" skip="$i" count=1 bs=262144 > /dev/null 2>&1
    dd if="${outputName}.mbr" of="${outputName}_${i}.mbr" skip="$i" count=1 bs=262144 > /dev/null 2>&1
done
echo "compare cefdk and mbr"
# compare each extracted copy against copy 0 (mbr and cefdk); diff prints nothing when equal
for i in 1 2 3 4 5 6 7; do
    diff "${outputName}_0.cefdk" "${outputName}_${i}.cefdk"
    diff "${outputName}_0.mbr" "${outputName}_${i}.mbr"
done
echo ""
echo "extract repetition out of files (splash and fts)"
# extract repetition of splash and fts (4 times, one 0x40000-byte copy each)
for i in 0 1 2 3; do
    dd if="${outputName}.fts" of="${outputName}_${i}.fts" skip="$i" count=1 bs=262144 > /dev/null 2>&1
    dd if="${outputName}.splash" of="${outputName}_${i}.splash" skip="$i" count=1 bs=262144 > /dev/null 2>&1
done
echo "compare splash and fts"
# compare each extracted copy against copy 0 (splash and fts)
for i in 1 2 3; do
    diff "${outputName}_0.fts" "${outputName}_${i}.fts"
    diff "${outputName}_0.splash" "${outputName}_${i}.splash"
done
Update:
If you have UART you can get a mem-dump like this:
At 0x0F0000 you find the CEFDK and at 0x800000 the recovery.
# mount -w -t msdos /dev/sdb1 /sdcard
# dd if=/dev/mem of=/sdcard/test-mem.dump
/dev/mem: read error: Bad address
1572864+0 records in
1572864+0 records out
805306368 bytes transferred in 236.377 secs (3406872 bytes/sec
# sync
The difference between the NAND and the mem dump is that at the CEFDK and recovery addresses I have 13 bytes written at offset 0x200 (cefdk and recovery) and afterwards a shift of 12 bytes
(just checked the first 0xffff, maybe there is more like this). I think these are bad blocks maybe!
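Added example, not pcgeil's script: a Python version of the split-and-compare step above that also reports the exact byte ranges where the repeated copies differ (the kind of result behind "0x200 to 0x20f changes" in fts). The layout and the 0x40000 copy size are taken from the script; the sample fts region is constructed here.

```python
# Partition layout (start, end) as encoded in pcgeil's split script above, and
# the repetition counts from the "Info" lines.
LAYOUT = [
    ("mbr", 0x00000000, 0x00200000), ("cefdk", 0x00200000, 0x00a00000),
    ("redboot", 0x00a00000, 0x00c00000), ("cefdk-config", 0x00c00000, 0x00e00000),
    ("splash", 0x01000000, 0x01800000), ("fts", 0x01800000, 0x01900000),
    ("recovery", 0x01900000, 0x02d00000), ("kernel", 0x02d00000, 0x03200000),
    ("boot", 0x03200000, 0x07200000), ("system", 0x07200000, 0x1f200000),
    ("data", 0x1f200000, 0x3fa00000), ("keystore", 0x3fa00000, 0x3ff00000),
    ("bbt", 0x3ff00000, 0x40000000),
]
COPY_SIZE = 0x40000                              # the script's bs=262144
COPIES = {"mbr": 8, "cefdk": 8, "fts": 4, "splash": 4}


def split_dump(dump: bytes) -> dict:
    """Slice the dump into named regions; memoryview avoids copying a 1 GiB file."""
    mv = memoryview(dump)
    return {name: mv[start:end] for name, start, end in LAYOUT}


def differing_ranges(a, b) -> list:
    """Byte ranges [start, end) where two same-sized copies differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def compare_copies(region, ncopies: int) -> dict:
    """Compare copy 0 of a region with copies 1..ncopies-1 (like the diff loop
    in the script) but report where they differ instead of just that they do."""
    ref = region[0:COPY_SIZE]
    return {i: differing_ranges(ref, region[i * COPY_SIZE:(i + 1) * COPY_SIZE])
            for i in range(1, ncopies)}


def build_sample_fts() -> bytes:
    """Constructed fts region: 4 copies where copies 1-3 differ from copy 0 only
    at 0x200..0x20f, the pattern pcgeil reported for his dump."""
    base = bytes(range(256)) * (COPY_SIZE // 256)
    changed = base[:0x200] + b"\xff" * 16 + base[0x210:]
    return base + changed * 3
```

On a real dump, `compare_copies(split_dump(data)["fts"], COPIES["fts"])` returns an empty list per copy when all copies match, so any non-empty range points at exactly the bytes worth looking at.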
Re: NAND Flash question
This is an update for everyone who wants to dump the NAND externally.
I did the first dump with dd, but that isn't very clever or good.
There exists a package mtd-utils which has nanddump included:
You can find that package here:
Usage: nanddump [OPTIONS] MTD-device
Dumps the contents of a nand mtd partition.
--help Display this help and exit
--version Output version information and exit
-a --forcebinary Force printing of binary data to tty
-c --canonicalprint Print canonical Hex+ASCII dump
-f file --file=file Dump to file
-l length --length=length Length
-n --noecc Read without error correction
-N --noskipbad Read without bad block skipping
-o --omitoob Omit oob data
-b --omitbad Omit bad blocks from the dump
-p --prettyprint Print nice (hexdump)
-q --quiet Don't display progress and status messages
-s addr --startaddress=addr Start address
http://www.linux-mtd.infradead.org/
I will try this next month and hopefully by then I will have some NANDs with 1 GByte so I can try to clone the NAND.
If that is working I will try to boot some older CEFDK ...
Re: NAND Flash question
I highly recommend that those of you who have hopped on the userdebug leak grab a backup of your NAND and keep it somewhere safe.
Use the nanddump tool that's provided, or at least do a dd dump.
Run the following (should be paste-able into adb shell), then suck the files off /sdcard/*.dd and keep them somewhere safe, and hopefully you'll never need them.
su
dd if=/dev/mtd/mtd0 > /sdcard/mtd0.dd
dd if=/dev/mtd/mtd1 > /sdcard/mtd1.dd
dd if=/dev/mtd/mtd2 > /sdcard/mtd2.dd
dd if=/dev/mtd/mtd3 > /sdcard/mtd3.dd
dd if=/dev/mtd/mtd4 > /sdcard/mtd4.dd
dd if=/dev/mtd/mtd5 > /sdcard/mtd5.dd
dd if=/dev/mtd/mtd6 > /sdcard/mtd6.dd
dd if=/dev/mtd/mtd7 > /sdcard/mtd7.dd
dd if=/dev/mtd/mtd8 > /sdcard/mtd8.dd
dd if=/dev/mtd/mtd9 > /sdcard/mtd9.dd
dd if=/dev/mtd/mtd10 > /sdcard/mtd10.dd
dd if=/dev/mtd/mtd11 > /sdcard/mtd11.dd
dd if=/dev/mtd/mtd12 > /sdcard/mtd12.dd
Re: NAND Flash question
Just to confirm: it does pull off the ECC data (with the correct flags), so the only issue is if you run into any bad blocks on your new NAND, and managing to re-map them.
Re: NAND Flash question
Do you know how the NAND flash is organized?
Does it have a standard filesystem, like ext3 with some partitions?
Sorry about the lame question, just trying to understand what the NAND looks like if I would like to reprogram it.
Thanks in advance.