mtd kernel driver hacks?


bftb0

Senior Member
Feb 5, 2010
2,594
1,041
Hi devs,

Are you aware of any work (for other Android phones, for instance), where an altered mtd kernel driver was used to allow (raw) root access anyplace within flash memory? (For example, maybe a raw pseudo-partition which overlaps all the other partitions?) The stock mtd driver creates devices in the kernel device tree only for specific partition slices (boot, system, recovery, data, cache) - for obvious safety and security reasons.

After all these months, I stumbled across this tonight

Code:
C:\foo>fastboot oem listpartition
                              ... 
INFO[radio]:(OTHER) block start=0, size=332 (42496 KB)
INFO[hboot]:(RAW) block start=333, size=6 (768 KB)
INFO[misc3]:(RAW) block start=339, size=2 (256 KB)
INFO[mfg]:(RAW) block start=341, size=2 (256 KB)
INFO[sp1]:(RAW) block start=343, size=6 (768 KB)
INFO[misc2]:(RAW) block start=349, size=3 (384 KB)
INFO[mfg2]:(RAW) block start=352, size=3 (384 KB)
INFO[recovery]:(RAW) block start=355, size=40 (5120 KB)
INFO[boot]:(RAW) block start=395, size=20 (2560 KB)
INFO[system]:(YAFFS) block start=415, size=1360 (179520 KB)
INFO[cache]:(YAFFS) block start=1775, size=1040 (137280 KB)
INFO[userdata]:(YAFFS) block start=2815, size=1276 (168432 KB)
INFO[misc]:(RAW) block start=4091, size=5 (640 KB)
INFO[microp]:(OTHER) block start=0, size=0 (0 KB)
INFO[nv]:(OTHER) block start=0, size=0 (0 KB)
INFO[tp-melfas]:(OTHER) block start=0, size=0 (0 KB)
OKAY [  0.071s]
finished. total time: 0.071s

I had never seen references in the Eris forums to the misc3, mfg, sp1, misc2, or mfg2 partitions - I suppose one or more are for boot images. Maybe interesting to boot a kernel image that had access to them, and have a peek at them?


bftb0
 

gnarlyc

Retired Recognized Developer
Feb 20, 2010
441
57
Raleigh, NC
You are venturing into an area that is slightly beyond my current level of understanding. (Although we can all learn more.)

Is this even close to what you are looking for?

http://xdaforums.com/showthread.php?t=754805

I'm thinking not, since they appear to be resizing the existing partitions, which doesn't seem to be quite what you are looking for.
 

sickbox

Senior Member
Dec 18, 2009
253
0
San Diego, CA
I was asking about this a while back to see if anyone was able to get read access to the splash1 (I'm guessing sp1) partition so we could dump the REAL original splash screen for people that needed to go back to full stock. This was basically the only thing that is left out of going to stock, since the "original" boot image that I had used for the android skateboards in my post about changing the boot logo was just a resized version I found online somewhere which is slightly bigger than the original if you look closely. I had some info lying around somewhere, but it was definitely something about people modifying the mtd drivers in the kernel to get this done.

Without the modified drivers there is no way to do a FULL nand dump at this point.
 

bftb0

Senior Member
Feb 5, 2010
2,594
1,041
You are venturing into an area that is slightly beyond my current level of understanding. (Although we can all learn more.)

Is this even close to what you are looking for?

http://xdaforums.com/showthread.php?t=754805

I'm thinking not, since they appear to be resizing the existing partitions, which doesn't seem to be quite what you are looking for.

Well, I'd seen that before - but THANK YOU - your post encouraged me to do a better job of searching, and I came up with this:

http://xdaforums.com/showthread.php?t=542688

Awesome! It appears that no mtd kernel hack is needed - as long as the Eris kernels we are using accept those parameters (obviously, a little additional work is needed to get the offsets correct for the Eris).

I knew that partitions could be resized - but I wasn't aware that you could add new partition definitions. If it works for the Eris, then cool. (I have to say - the G1/G2/Hero devs surely have turned over a lot of stones that have helped us.)


bftb0
 

bftb0

Senior Member
Feb 5, 2010
2,594
1,041
Flash Memory Map for the Eris:
Code:
PARTITION   START        END          SIZE(1KB)  SIZE(128KB)  NOTES

radio       0x00000000 - 0x02980000   42,496     332          (3)
- gap! -    0x02980000 - 0x029a0000      128       1          (3)
hboot       0x029a0000 - 0x02a60000      768       6          (2)
misc3       0x02a60000 - 0x02aa0000      256       2          (5)
mfg         0x02aa0000 - 0x02ae0000      256       2          (6)
sp1         0x02ae0000 - 0x02ba0000      768       6          (4)
misc2       0x02ba0000 - 0x02c00000      384       3          (4)
mfg2        0x02c00000 - 0x02c60000      384       3          (4)
recovery    0x02c60000 - 0x03160000    5,120      40
boot        0x03160000 - 0x033e0000    2,560      20
system      0x033e0000 - 0x0dde0000  174,080    1360
cache       0x0dde0000 - 0x15fe0000  133,120    1040
userdata    0x15fe0000 - 0x1ff60000  163,328    1276
misc        0x1ff60000 - 0x20000000      640       5
( You can verify the above on your own phone with a combination of examining /proc/mtd, "dmesg" output immediately after the boot, and output of "fastboot oem listpartition" )


(1) Note all partitions are aligned to a 128-KB boundary (0x20000 - 18 bits)
Presumably this is why "fastboot oem listpartition" reports sizes in this unit

(2) Hboot images from HTC for the Eris have always been exactly 512 KB. Slack space is here,
but I found nothing but 0xFF's in the slack area.

(3) Attempting to dump this partition produces many, many error messages of the form:

mtd: MEMGETBADBLOCK returned -1 at 0x02940000 (errno=5)
mtd: MEMGETBADBLOCK returned -1 at 0x02960000 (errno=5)

(4) On my phone, dumps of partitions "sp1", "mfg2" and "misc2" produced un-interesting data blobs: all 0xFF's
Note that I have never flashed a custom boot splashscreen.

(5) Nearly "empty" - bytes not 0x00 or 0xFF are all string data (including CID)

(6) Contains "interesting" string data (including handset ID, manufacturing date, etc) and other binary data. Performing interesting handset operations and then recapturing a partition dump (before/after) and performing a binary diff could reveal strategic locations.


HOW-TO

Most people have absolutely no business doing this - you have been warned.


Under no circumstances should you hand-type any of these addresses; a simple typo could lead to disaster.

Code:
fastboot -c " mtdparts=msm_nand:0x000a0000@0x1ff60000(misc),0x00500000@0x02c60000(recovery),0x00280000@0x03160000(boot),0x0aa00000@0x033e0000(system),0x08200000@0x0dde0000(cache),0x09f80000@0x15fe0000(userdata) " boot recovery-RA-Eris-v1.6.2.img

will produce the standard kernel partition mappings. Note the leading and trailing spaces in the quoted string - and that the order of appearance is critically important.

You may append one or more** of the following, separated with commas as shown in the above (standard mapping) command.

0x02980000@0x00000000(radio)
0x000c0000@0x029a0000(hboot)
0x00040000@0x02a60000(misc3)
0x00040000@0x02aa0000(mfg)
0x000c0000@0x02ae0000(sp1)
0x00060000@0x02ba0000(misc2)
0x00060000@0x02c00000(mfg2)

** I performed individual boots adding only one non-standard partition, and can not guarantee that a disaster will not result if you try to append more than one - or all of them - in one boot.

You can verify the additional partitions have been kanged into the kernel's device tree with

adb shell cat /proc/mtd

and may dump individual partitions via the command "dump_image" (provided by Amon_RA in /sbin), as in the following example:

mount /sdcard
dump_image mfg /sdcard/part.mfg.img



bftb0
 
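An added example, not code from the thread: it turns the "fastboot oem listpartition" output quoted above into the quoted -c string from the HOW-TO, and checks the resulting layout for overlapping slices and unmapped gaps before anything is booted with it. The 128 KB erase block, the msm_nand device name and the standard partition order are taken from the posts; the listing below is a constructed copy of the one at the top of the thread.

```python
import re

ERASE_BLOCK = 0x20000  # 128 KB erase block; "fastboot oem listpartition" counts in these

# Constructed sample: the Eris listing quoted at the top of the thread (one 0-size row kept).
SAMPLE_LISTING = """\
INFO[radio]:(OTHER) block start=0, size=332 (42496 KB)
INFO[hboot]:(RAW) block start=333, size=6 (768 KB)
INFO[misc3]:(RAW) block start=339, size=2 (256 KB)
INFO[mfg]:(RAW) block start=341, size=2 (256 KB)
INFO[sp1]:(RAW) block start=343, size=6 (768 KB)
INFO[misc2]:(RAW) block start=349, size=3 (384 KB)
INFO[mfg2]:(RAW) block start=352, size=3 (384 KB)
INFO[recovery]:(RAW) block start=355, size=40 (5120 KB)
INFO[boot]:(RAW) block start=395, size=20 (2560 KB)
INFO[system]:(YAFFS) block start=415, size=1360 (179520 KB)
INFO[cache]:(YAFFS) block start=1775, size=1040 (137280 KB)
INFO[userdata]:(YAFFS) block start=2815, size=1276 (168432 KB)
INFO[misc]:(RAW) block start=4091, size=5 (640 KB)
INFO[microp]:(OTHER) block start=0, size=0 (0 KB)
"""
# Order the stock kernel expects; the HOW-TO command lists them in exactly this order.
STANDARD_ORDER = ("misc", "recovery", "boot", "system", "cache", "userdata")
LINE_RE = re.compile(r"INFO\[([\w-]+)\]:\(\w+\) block start=(\d+), size=(\d+)")

def parse_listing(text):
    """Map name -> (offset_bytes, size_bytes); size-0 rows (microp, nv, ...) are not flash slices."""
    parts = {}
    for name, start, size in LINE_RE.findall(text):
        if int(size):
            parts[name] = (int(start) * ERASE_BLOCK, int(size) * ERASE_BLOCK)
    return parts

def check_layout(parts):
    """Return (overlaps, gaps): name pairs whose ranges collide, and unmapped byte ranges."""
    spans = sorted((off, off + size, name) for name, (off, size) in parts.items())
    overlaps, gaps = [], []
    for (a0, a1, a), (b0, b1, b) in zip(spans, spans[1:]):
        if b0 < a1:
            overlaps.append((a, b))
        elif b0 > a1:
            gaps.append((a1, b0))  # e.g. the single unused block between radio and hboot
    return overlaps, gaps

def mtdparts(parts, extra=()):
    """Build the quoted -c argument: standard slices first, then any extra names appended."""
    fields = ["0x%08x@0x%08x(%s)" % (parts[n][1], parts[n][0], n)
              for n in STANDARD_ORDER + tuple(extra)]
    return " mtdparts=msm_nand:%s " % ",".join(fields)

if __name__ == "__main__":
    p = parse_listing(SAMPLE_LISTING)
    print(check_layout(p))
    print(mtdparts(p, extra=("mfg",)))
```

With extra=("mfg",) the output ends in the same 0x00040000@0x02aa0000(mfg) field listed in the HOW-TO, so the script reproduces the hand-built strings rather than replacing them with typed addresses.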

bftb0

Senior Member
Feb 5, 2010
2,594
1,041
If you just want to dump a specific Eris flash memory partition(s) off your phone, there is an even easier method. (Doh!)

Prerequisites:
- 1.49.2000 S-OFF bootloader is installed on your Eris.
- working device drivers on PC and fastboot utility

Steps:

1) Connect via USB to your PC and put phone in FASTBOOT mode (Power up with Send+End)

2) Get the partition names listing using
Code:
fastboot oem listpartition

3) Using the following fastboot syntax, plug in the desired partition name (PNAME):
Code:
fastboot oem saveprt2sd PNAME -n PNAME.bin -a

for example, the "sp1" partition:
Code:
$ fastboot oem saveprt2sd sp1 -n sp1.bin -a
                              ... INFOSaveImageToSD partition file name:sp1
INFOSaveImageToSD output file name:sp1.bin
INFOCmd5 CMD_TIMEOUT
INFOsdcc_poll_status(): i=21
INFOCmd5 polling status timed out
INFOSD: CMD5 fail, rc=2 ..
INFOSD 2.0
INFOHC card
INFO Searching free data sectors....
INFO [SAVE2SD] 131072 bytes saved.
INFO [SAVE2SD] 262144 bytes saved.
INFO [SAVE2SD] 393216 bytes saved.
INFO [SAVE2SD] 524288 bytes saved.
INFO [SAVE2SD] 655360 bytes saved.
INFO [SAVE2SD] 786432 bytes saved.
INFO [SAVE2SD] Done.
OKAY [  1.728s]
finished. total time: 1.728s


Yep, it really is that simple.


bftb0