How to flash the G1

JesusFreke · Nov 6, 2008

WARNING: Following these instructions may brick your phone, void your warranty and kill your dog. You don't want your dog to die do you?

Once I got root access on my G1, I've been messing around with trying to build reflash the recovery partition. That project is still in progress, but I have learned a bit about how to flash the various partitions on the G1.

First things first, you have to have root access. See this thread.

There are 6 mtd devices or partitions on the G1, mtd0-mtd5. They are located at /dev/mtd. You can use the /system/bin/flash_image tool to flash an image to any of these.

The syntax for the flash_image tool is:

Code:

# flash_image
usage: flash_image partition file.img
#

You can see a list of partition names and which device they are associated with by doing a "cat /proc/mtd".

Code:

#cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00020000 "misc"
mtd1: 00500000 00020000 "recovery"
mtd2: 00280000 00020000 "boot"
mtd3: 04380000 00020000 "system"
mtd4: 04380000 00020000 "cache"
mtd5: 04ac0000 00020000 "userdata"
#

These should all be self explanatory, except maybe "misc", which just appears to have a few string values.. Not really sure what it's used for..

Before you do any erasing or writing, it's a "really good idea" (tm) to make backups of each of these. Even if you don't plan on writing to them. I had accidentally erased the bootloader partition (typed mtd0 instead of mtd1), which I'm fairly sure would have bricked my phone if I had tried to reboot it. Ugh! Luckily, I had created a backup earlier, so I was able to restore it. (And then was nervous as heck when I tried to reboot it... "Please boot up! Please boot up!")

To create the backups:

Code:

# cat /dev/mtd/mtd0 > /sdcard/mtd0.img
# cat /dev/mtd/mtd1 > /sdcard/mtd1.img
# cat /dev/mtd/mtd2 > /sdcard/mtd2.img
# cat /dev/mtd/mtd3 > /sdcard/mtd3.img
# cat /dev/mtd/mtd4 > /sdcard/mtd4.img
# cat /dev/mtd/mtd5 > /sdcard/mtd4.img
#

Now you can use flash_image to write the new image.

Code:

#flash_image recovery /system/recovery.img
#

And that's how it's done.

Update: You normally don't need to erase the flash before you write, as long as you don't corrupt the flash first, by trying to "cat" an image directly to the mtd device, like I did

. If you get a lot of ECC errors when you use flash_image then you need to erase it

Code:

# cat /dev/zero > /dev/mtd/mtd1
write: No space left on device
#

On a related note, Based on my experience so far, the recovery partition is not critical to booting the G1. When I first tried this, I used flash_image to write a new image without erasing the partition first, and it corrupted it pretty good. When I tried to boot the G1 into recovery mode (power+home), it would go to the bootloader screen instead. But it would boot into normal mode just fine.

Additionally, I've verified that the device will boot into recovery mode if you screw up the boot partition (mtd2). So as long as you at least have a good recovery image *or* a good boot image, you should be able to get back in business. Just don't try to update both at the same time.

Even so.. be careful, and don't come crying to me when you brick your phone. Or if your dog dies. You don't want your dog to die do you?

staulkor · Nov 6, 2008

Excellent work!

So if misc is the boot loader, it looks like it is roughly 266k. If you can dump it, have you tried to "open" the image and see if you can see files?

Now you have given me more ideas

blues · Nov 6, 2008

readonly sdcard?

When I run: cat /dev/mtd/mtd1 > /sdcard/mtd1.img

I got this:
cannot create /sdcard/mtd1.img: read-only file system

I know I am root...

JesusFreke · Nov 6, 2008

staulkor said:
So if misc is the boot loader, it looks like it is roughly 266k. If you can dump it, have you tried to "open" the image and see if you can see files?

Actually, now that I look at it.. I'm not positive that mtd0 is the bootloader. There's not much data there at all. Just a few strings in the beginning, then lots of nothing. Mostly all FFs, with a few blocks of 00s thrown in. It doesn't look like there's any code at all, so it can't be the bootloader.

Chainfire · Nov 6, 2008

Nice work. How about the signing? Does the image you flash have to be correctly signed this way?

JesusFreke · Nov 6, 2008

blues said:
When I run: cat /dev/mtd/mtd1 > /sdcard/mtd1.img

I got this:
cannot create /sdcard/mtd1.img: read-only file system

I know I am root...

Do you have the sdcard mounted for USB access? If so, just unplug the usb cable and plug it back in. (don't select "mount" in the usb notification thingy that pops up)

JesusFreke · Nov 6, 2008

Chainfire said:
Nice work. How about the signing? Does the image you flash have to be correctly signed this way?

Nope. This is a raw write directly to the flash device. The whole signing thing is only applicable to the OTA updates (or Update.zip style update).

But the other project I'm working on is to rebuild the recovery mode and disable the signature check for OTA/update.zip updates.

RyeBrye · Nov 6, 2008

If you check out the SDK and build the open-source version for the phone, it builds a custom recovery-image that accepts only things signed with the testkeys - which is cool. Since the test keys are in the directory, you can easily resign the images yourself.

I know a guy who has done this now. I'll do it when I get a chance.

There are two proprietary files that you have to suck off the device in addition to the ones that the "extract_files" script in the android build pulls off - I sent in a patch to fix this but who knows if they'll apply it or not (I thnk they think that the crap in the msm7k dir will do something)

What I'm wondering is if we can write an update mode that will backup the contents of the /cache and /data to the SDCard - then erase the three partitions - then recreate /data as a huge partition and leave only 10 or 15 megs for /cache - because... well.. /cache is worthless since OTA updates aren't gonna happen to our phones anymore anyway. It would be nice to get an extra 40 megs for app storage.

staulkor · Nov 6, 2008

JesusFreke said:
Actually, now that I look at it.. I'm not positive that mtd0 is the bootloader. There's not much data there at all. Just a few strings in the beginning, then lots of nothing. Mostly all FFs, with a few blocks of 00s thrown in. It doesn't look like there's any code at all, so it can't be the bootloader.

I just looked at my dumped mtd0.img and I see a few interesting strings:

T-MOB010
DeviceWarmBoot
CE Serial InUse
Debug Cable Ena
CE USB InUse
ClearAutoImage

And then a mountain of FFs, lol

blues · Nov 6, 2008

You are right. I am on XP machine. So I disabled the usb storage, and it works fine

JesusFreke said:
Nope. This is a raw write directly to the flash device. The whole signing thing is only applicable to the OTA updates (or Update.zip style update).

But the other project I'm working on is to rebuild the recovery mode and disable the signature check for OTA/update.zip updates.

It works for me now.

JesusFreke · Nov 6, 2008

RyeBrye said:
If you check out the SDK and build the open-source version for the phone, it builds a custom recovery-image that accepts only things signed with the testkeys - which is cool. Since the test keys are in the directory, you can easily resign the images yourself.

Yep, that's exactly what I'm doing. I'm planning on posting a recovery.img for others to use, since trying to build the thing from scratch is a pain, and takes forever.

RyeBrye said:
There are two proprietary files that you have to suck off the device in addition to the ones that the "extract_files" script in the android build pulls off - I sent in a patch to fix this but who knows if they'll apply it or not (I thnk they think that the crap in the msm7k dir will do something)

I assume you're talking about libaudio.so and librpc.so?

RyeBrye said:
What I'm wondering is if we can write an update mode that will backup the contents of the /cache and /data to the SDCard - then erase the three partitions - then recreate /data as a huge partition and leave only 10 or 15 megs for /cache - because... well.. /cache is worthless since OTA updates aren't gonna happen to our phones anymore anyway. It would be nice to get an extra 40 megs for app storage.

Good idea. Even better would be if we could put the installed apps and all data on the sdcard.. But that would probably be a harder modification than just resizing the partitions.

cmonex · Nov 6, 2008

staulkor said:
I just looked at my dumped mtd0.img and I see a few interesting strings:

T-MOB010
DeviceWarmBoot
CE Serial InUse
Debug Cable Ena
CE USB InUse
ClearAutoImage

And then a mountain of FFs, lol

that partition is the config partition, standard HTC stuff.

T-MOB010 is your CID (carrier ID, spl checks this when flashing NBH), but it is only a backup copy of it, the real CID is in radio part of nand (protected!).
and the rest is just config stuff for SPL and radio. (yes HTC uses strings to set these configs - SPL reads the strings from specific nand addresses and decides what to do)

cmonex · Nov 6, 2008

JesusFreke said:
On a related note, Based on my experience so far, the recovery partition is not critical to booting the G1. When I first tried this, I used flash_image to write a new image without erasing the partition first, and it corrupted it pretty good. When I tried to boot the G1 into recovery mode (power+home), it would go to the bootloader screen instead. But it would boot into normal mode just fine.

very nice stuff! have you been able to reflash a recovery.img then to fix the corruption?

and you are right about the boot order... it's : radio bootloader -> SPL (that tricolour screen is SPL mode) -> boot.img or recovery.img.
(if boot.img then the OS loads)

JesusFreke · Nov 6, 2008

cmonex said:
very nice stuff! have you been able to reflash a recovery.img then to fix the corruption?

Yep. I screwed up the recovery partition and rebooted, and wasn't able to boot into recovery mode. It just went into SPL mode when I tried. Then I normal booted and re-flashed with the original recovery.img and rebooted, and was able to boot into recovery mode.

Thanks for the info on the boot order. I didn't realize the radio image was used for booting, I figured it was just firmware for the 3G chip or something.

I'm getting close to being able to apply my own update.zip style update. I've been able to reflash the recovery partition with a custom built recovery image that skips the signature verification. I'm having a touch of trouble getting it to actually install an update.zip though. It keeps saying "update script not found", even though there is a "META-INF/com/google/android/update-script" file in the zip. Arg! Anyways.. I'm in the process of tracking the issue down. More to come!

staulkor · Nov 6, 2008

cmonex said:
that partition is the config partition, standard HTC stuff.

T-MOB010 is your CID (carrier ID, spl checks this when flashing NBH), but it is only a backup copy of it, the real CID is in radio part of nand (protected!).
and the rest is just config stuff for SPL and radio. (yes HTC uses strings to set these configs - SPL reads the strings from specific nand addresses and decides what to do)

Ah! Excellent info.

JesusFreke · Nov 6, 2008

I was finally able to get the rebuilt recovery tool to work. The problem with the update.zip was due to the fact that the zip was built in windows, so it had the wrong path separators. It was looking for META-INF/com/google/android/update-script, but the zip file contained META-INF\com\google\android\update-script

After switching the slashes around in a hex editor, it installed the update no problem.

Next, I was tempted to try to flash the boot partition. I was somewhat sure that I would be able to recover from a bad boot flash, with my nifty new recovery tool. But after reading about the guy that bricked his phone (over in the root thread), I was a bit scared.

But I finally went ahead and decided to give it a try. You only live once, right?

So I opened up a root console, and just wiped the boot partition clean. "cat /dev/zero > /dev/mtd/mtd2" and rebooted. Palms sweaty.. breathing hard.. shaking.. Powered the phone on (without holding down home), and it comes up to the recovery tool. So far so good. Then I ran the update on the sdcard - it was a smallish update I had created before hand that just flashed the original boot image back to mtd2. Update runs fine.. phone reboots....

And it boots up normally.

yes!

*takes a big sigh of relief*

So now I can mess around with the boot partition, and know that I have that recovery tool safety net.

And now. It's time to sleep. *head hits the keyboard*

humble · Nov 6, 2008

very cinematic

good job mate!

staulkor · Nov 6, 2008

Very nice work

Chainfire · Nov 6, 2008

Congrats on the successful flash!

alansj · Nov 6, 2008

strings in mda1.img include:

Code:

ANDROID!
no_console_suspend=1
 -- System halted
ran out of input data
Malloc error
Memory error
Out of memory
incomplete literal tree
incomplete distance tree
bad gzip magic numbers
internal error, invalid method
Input is encrypted
Multi part input
Input has invalid flags
invalid compressed format (err=1)
invalid compressed format (err=2)
out of memory
invalid compressed format (other)
crc error
length error
Uncompressing Linux...
 done, booting the kernel.

What are these images? Are they filesystem images that you could theoretically mount? If so, what filesystem (I haven't gotten anything to work).

How to flash the G1

Inactive Recognized Developer

Senior Member

Member

Inactive Recognized Developer

Moderator Emeritus / Senior Recognized Developer

Inactive Recognized Developer

Inactive Recognized Developer

Member

Senior Member

Member

Inactive Recognized Developer

Retired Recognized Developer

Retired Recognized Developer

Inactive Recognized Developer

Senior Member

Inactive Recognized Developer

Senior Member

Senior Member

Moderator Emeritus / Senior Recognized Developer

Member

Similar threads