firmware backup

[evaldas]

Just a few minutes ago finished the utility to backup whole phone flash contents to a file. This includes bootloader, kernel, filesystems etc. - everything. As I imagine the purpose of this utility is to exchange different firmware versions between compatible phones as raw binary file.

Few cases of use:

1. Personal backup - just to feel safe

2. Divide the whole flash image into different .bin files (how do you call it, CG?) and then reassemble into full .shx file (do we have any checksum algorithms?). By the way, I saw modified CG33 files, can you easily flash them without correct checkums?

3. Flash from inside of phone. It's possible and we use it with similar hardware, but still I'm afraid to try it Because I've got no USB console for boot loader yet, no serial console, no JTAG pins. Even flash chips are hidden under metal hood and I didn't try to look under it. Any ideas?


I'm not going to publish it now as still need to verify everything once more. Also if we are going to exchange firmwares, there's need to hide personal stuff - addressbook, sms, emails and other.

[maxx_730]

The checksums dont really matter, mff will complain but dont do anything else... There are programs which can calculate the checksums though, look on hofo for SHXCoDec... Great program. As for JTAG, aren't the papers available from intels site?

[evaldas]

Don't you think there are flash checksums which motorola uses internally? Not those SHX. As looking through the flash I saw few places with interesting hex code at the end of the partition/flash.
Of course this CPU supports JTAG, but are these pins easily accesible? I won't like the idea to intervent the phone with soldering-iron

[maxx_730]

I guess so, whats the point of JTAG if the pins aren't easily accesible? As for the checksums, read the attached file, its eyesonly_d's paper about the neptune lts chipset. Afaik the E680/A780 uses lte/lts for a780 witha intel processor. The vxxx/e398 do contain a built-in security chip which does some kind of check with the kernel part of the flash. This doesnt seem to be implemented in E680/A780 though, since so far we've been able to edit the rootfs etc without the phone erasing itself as in vxxx/e398.

[p4s2wd]

Just a few minutes ago finished the utility to backup whole phone flash contents to a file. This includes bootloader, kernel, filesystems etc. - everything. As I imagine the purpose of this utility is to exchange different firmware versions between compatible phones as raw binary file.

Few cases of use:

1. Personal backup - just to feel safe

2. Divide the whole flash image into different .bin files (how do you call it, CG?) and then reassemble into full .shx file (do we have any checksum algorithms?). By the way, I saw modified CG33 files, can you easily flash them without correct checkums?

3. Flash from inside of phone. It's possible and we use it with similar hardware, but still I'm afraid to try it Because I've got no USB console for boot loader yet, no serial console, no JTAG pins. Even flash chips are hidden under metal hood and I didn't try to look under it. Any ideas?


I'm not going to publish it now as still need to verify everything once more. Also if we are going to exchange firmwares, there's need to hide personal stuff - addressbook, sms, emails and other.

Hi, evaldas. Can u share ur utility here? 3ku!
I need the "bootloader, kernel, filesystems" from mobile. I know the CG33.smg,CG35.smg,CG36.smg is cramfs format file, so u can mount -t cramfs -o loop CG33.smg /mnt/ ,then u can tar and untar all the files from cramfs , then u can modify the system by yourself freely. And I know U can use PST to divide the shx by flashing mobile.

[cyph]

I've been trying to do that too. Unfortunately reading from /dev/mem keeps on segfaulting. Still trying to figure it out.

[evaldas]

Just finished. Test on A780 only. Works for me

The following is README.TXT included in archive

Firmware dump for A780/E680/i

Dumps MTD chip containing phone firmware to file. It does not dump trueffs
filesystems, so for full backup purpose you should dump them by hand:
dd if=/dev/tffsa of=/mmc/mmca1/backup/tffsa

If damaged, /dev/tffsb is restored by system automatically so you don't need
to dump it.

INSTRUCTIONS

unzip both mtdread.o and mtdread files and copy them to writable directory
in phone (/tmp, /diska or /mmc/mmca1).

telnet and login to phone:
telnet 192.168.1.2
goto to directory containing mtdread.o and mtdread:
# cd /tmp
load kernel module
# insmod mtdread.o
dump the firmware to file
# ./mtdread /mmc/mmca1/backup/mydump



OFFSETS

I'm not sure if E680/i uses the same mtd partitioning structure but this
applies to A780.

0x00000000-0x00020000 : mtd0 "Bootloader" : size=131072 (0x20000)
0x00020000-0x00100000 : mtd1 "Kernel" : size = 917504 (0xe0000)
0x00100000-0x01a00000 : HIDDEN size = 26214400 (0x1900000)
|
0x00100000-0x00120000 : |--- ????empty size=131072 (0x20000)
0x00120000-0x01a00000 : |--- roflash "rootfs" size=26083328 (0x18e0000)
0x01a00000-0x01a00000 : `--- roflash1 "NO-USE" size=0 (0x0)

0x01a00000-0x01f80000 : mtd2 "VFM_Filesystem" size = 5767168 (0x580000)
0x01f80000-0x01fc0000 : HIDDEN size = 262144 (0x40000)
|
0x01f80000-0x01fa0000 : |--- ????empty size=131072 (0x20000)
0x01fa0000-0x01fc0000 : `--- roflash2 "setup" size=131072 (0x20000)
0x01fc0000-0x01fe0000 : mtd3 "Logo" size = 131072 (0x20000)
0x01fe0000-0x02000000 : HIDDEN size = 131072 (0x20000)

[admin]

wad does this do?

[evaldas]

Read the first message, read README.TXT
I think provided enough information for you not to ask such questions

[p4s2wd]

Read the first message, read README.TXT
I think provided enough information for you not to ask such questions

Oh. my god, 3k evaldas for ur hard work, Ur tools is very usefully. It seemed u have 2.4.20_mvlcee30-mainstone kernel, and I look for it so long time, but cant find it. Can u share the kernel for us? I think we can do more work if we have the kernel file. 3ks again ^_^