[Important]Tegra2 SBF and other flashing stuff - 07/23/12
If you have at least one sbf on your hard drive, read at least the first post here!
Read everything and still not sure? Then you can ask, but provide some info about the software on your phone (now and before)!
Even if you're unlocked, you need to know which parts can be flashed and which sources you can take the CG or dump files from. Always check them first.
If you brick your phone with methods mentioned here, it's your responsibility.
But we are trying the opposite - unbrick your phone.
Before you flash anything, write down somewhere this info from Settings - About phone:
After you flash anything and it is working, write it down again.
If you want some easy help later, keep this info, it is important.
MAIN INFO (the most important):
sv0 = signature version 0
sv1 = signature version 1
sv2 = signature version 2
sv1 = 2.3.4 sbf, ota, derpunlock, etc. - CGs/partitions from 2.3.4_198_7 and lower
sv2 = 2.3.5 sbf, ota, pudding 2.3.5, etc. - CGs/partitions from 2.3.5_254_12, 2.3.5_USC_19 and higher
sv1 -> sv2 - possible, but it is the end of your unlocked bootloader days (end of custom kernels, recoveries and many custom roms)
sv2 -> sv1 - impossible !!!
Always check with the smgver program before compiling an sbf.
After many hours of searching and playing with SBFs and RSD Lite, I found a working tool for recompiling SBF superfiles. And I want to share what I learned.
I am not responsible for any damage. You must know what you are doing.
First, before trying anything, you need to know that SBF files are just compiled CGxx.smg files, which are in many cases identical to the partitions on your phone after flashing.
Some of this is already covered in this Atrix thread, as that phone is very similar.
Most of the CGs are signed by Motorola, and from time to time a new version of the SBF, mostly for a newer Android version, comes with a new version of the CG signature. These signature versions are known to switch a fuse, because once you flash a higher version of a CG, there is no way to flash the lower version back.
Recapitulation of SMGs:
RDL1 - Used for flashing CG5.smg - signed - always signature version 0
RDL3 - Flashes all other SMGs - signed - signature version incrementing
CG2 - ptable - not signed
CG3 - CDT.bin - something like - signed - signature version incrementing
CG5 - This is compiled from various mbn parts only for MDM6600 modem - partition, amss, cefs, dbl, osbl - not signed, but mbns are somehow secured
- MDM6600 is standalone unit with its own cpu, memory, bootloader, etc.
CG39 - configtable - signed - signature version incrementing
CG42 - Bootloader - signed - signature version incrementing
CG47 - Microboot - signed - signature version incrementing
CG56 - Boot logo - not signed
CG58 - Recovery emmc image (kernel and ramdisk.gz with recovery) - mmcblk0p10 - signed - signature version incrementing
CG59 - Boot emmc image (kernel and ramdisk.gz for system) - mmcblk0p11 - signed - signature version incrementing
CG60 - System image - mmcblk0p12 - signed - signature version incrementing only with sbf, but for some reason, signature is probably needed only for sbf flashing
CG61 - Webtop image - mmcblk0p13 - signed - same as CG60, but signature version checking software (SMGver) doesn't see that, probably address doesn't fit
CG62 - CDrom image - mmcblk0p14 - signed - signature version incrementing
CG65 - Preinstall image - mmcblk0p17 - not signed
Never forget to backup your /pds partition - mmcblk0p3, it's not part of any sbf.
Now to the creating of custom sbf:
It is a little complicated, because you first need to know what you want.
I am stuck unlocked, so I can flash any SMG signed with version 1 or not signed.
I cannot try this with locked bootloader signed with version 1, because of experiments with OTA.
I could try this with locked bootloader version 2, but it would close the door to unlocking.
So as a first example, I will create a custom SBF of my Hybrid ROM, with TWRP recovery and the Electrify boot.img.
First I need tools -
- tool for decompiling and compiling SMGs
- tool for checking version of SMG signature
I don't take any credit for these easy and very good tools.
Now I can take for example 198_7 SBF, that I have as base for my rom, open with SBF Codec and after a while, all SMGs will be in SMG folder next to my SBF Codec folder.
Now I can copy smgver.exe and ver.bat into SMG folder, open command line, navigate there to the SMG folder and run ver.bat. As I can see, these SMGs are mostly signed with version 1 or not signed, so there is nothing to worry about for me.
So now I need to know which SMGs I need and which I want.
Always needed SMGs
or the flash process will fail are:
(don't touch SBFData.dat and SBFHeader.hdr files)
The rest can be removed, except those wanted.
(If I want this SBF to unlock my bootloader, I just replace CG42.smg with the one from derpunlock.sbf)
are in my case - custom kernel, recovery and rom, so I will not remove:
But I need those changed, so I need to get them from my phone as full partition dumps.
Dumping full partitions
From a running phone, with adb shell and these commands -
dd if=/dev/block/mmcblk0p10 of=/sdcard/recovery.img
dd if=/dev/block/mmcblk0p11 of=/sdcard/boot.img
dd if=/dev/block/mmcblk0p12 of=/sdcard/system.img
Now I copy them from sdcard next to SMG folder and rename -
recovery.img -> CG58_0x000......smg
boot.img -> CG59_0x000......smg
system.img -> CG60_0x000......smg
And I overwrite those in SMG folder with these.
Now I can click on save button in SBF Codec tool and name the new sbf as I want.
I will do factory reset of my phone and flash over any unlocked rom based on 198_7 or 198_6 maybe 154_5, etc. SBF.
There is not much potential here for unlocked bootloaders, as we have custom recovery for flashing everything.
The bigger benefit comes on locked bootloaders.
In case of a 2.3.4 softbrick, you don't have to flash the full SBF, root and install bootstrap.
You can just make your own SBF with custom rom (mof 2.3.5ish for locked for example), and in case of some system brick, just reflash your custom sbf without even wiping data and recover from brick after a few minutes. *updated info
- still possible, but custom sbf with unlocked bootloader needed
And the best is, that you can make custom SBF for recovering from Photon 2.3.5 ota brick, with CG2, CG3, CG39, RDL3 with signature version 2, taken from USC Electrify 2.3.5 SBF and Photon 2.3.5 OTA system dump (CG60). *updated info
- system dump no, we do not have any unmodified sv2 system dump
You can probably install custom Webtop on locked 2.3.5. *updated info
- webtop dump no, we do not have any unmodified sv2 webtop dump, custom webtop no (maybe some optimized for bootstrap)
You cannot install AOSP roms on a locked bootloader this way, because a custom boot.img is needed and you cannot sbf/fastboot flash custom modified CGs/partitions.
Do not try to flash radio this way, it's not working. Locked or unlocked, always remove RDL1.smg and CG5.smg. *updated info
- it works, but hex editing sbf header needed (0-767 byte)
Partition table - CG2 or ptable or PT
mmcblk0p1 - nvmotota - here goes bootloader with microboot (ap20bl.img) from ota updates, installing on first reboot after updating
mmcblk0p2 - CDT (codegroup description table - cdt.bin)
mmcblk0p3 - PDS (/pds)
mmcblk0p4 - EBR
mmcblk0p5 - SP
mmcblk0p6 - CID
mmcblk0p7 - MSC (misc) - empty
mmcblk0p8 - LOG (logo)
mmcblk0p9 - KPA (kernel panic)
mmcblk0p10 - SOS (recovery image)
mmcblk0p11 - LNX (boot image)
mmcblk0p12 - APP (system image)
mmcblk0p13 - OSH (webtop image)
mmcblk0p14 - CDR (cdrom image)
mmcblk0p15 - CAC (cache)
mmcblk0p16 - UDA (userdata)
mmcblk0p17 - PIA (preinstall image)
mmcblk0p18 - SDC (sdcard)
mmcblk0p19 - GPT (gpt)
Failed to boot 1 - bootloader/microboot partition problem
Failed to boot 2 - boot partition problem
Failed to boot 3 - recovery partition problem
Failed to boot 4 - system partition problem
Unmodified signed boot.img and recovery.img dumps from the partitions can be flashed with fastboot or sbf.
A dumped system.img looks like a problem to flash with fastboot or sbf, because to dump it, you must be rooted. Root = broken checksum = broken signature = failed to boot 4
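
The signature-version rules from the MAIN INFO section (sv2 -> sv1 impossible, sv1 -> sv2 irreversible), written out as a check to run over an SMG folder before compiling a custom sbf. This is an added example, not part of the original post and not one of the tools it mentions; the function names, the sample SMG set and the exemption of RDL1 (always sv0 per the list above) are assumptions, and the versions are entered by hand from what smgver reports.

```python
# Added example: pre-flash check of the sv rules described in this post.
# Signature versions are typed in by hand from what smgver reports; the
# sample set below is constructed, not read from a real SBF.

UNSIGNED = None  # marker for CGs the post lists as "not signed"


def check_smgs(device_sv, smgs):
    """Classify each SMG against the phone's current signature version.

    device_sv: highest signature version already flashed (1 or 2).
    smgs: dict of name -> signature version, or UNSIGNED.
    Returns dict of name -> 'ok' | 'blocked' | 'irreversible'.
    """
    result = {}
    for name, sv in smgs.items():
        if sv is UNSIGNED or name == "RDL1":
            # Unsigned parts carry no version. RDL1 is always sv0 per the
            # post; exempting it from the comparison is an assumption.
            result[name] = "ok"
        elif sv < device_sv:
            result[name] = "blocked"       # sv2 -> sv1 is impossible
        elif sv > device_sv:
            result[name] = "irreversible"  # sv1 -> sv2 cannot be undone
        else:
            result[name] = "ok"
    return result


def safe_to_build(device_sv, smgs):
    """True only if no SMG would be rejected or raise the version."""
    return all(v == "ok" for v in check_smgs(device_sv, smgs).values())


# Constructed sample: a 2.3.4-based set with one CG taken from a 2.3.5 SBF.
SAMPLE = {
    "RDL3": 1, "CG2": UNSIGNED, "CG3": 1, "CG39": 1,
    "CG42": 2,  # bootloader from a 2.3.5 source
    "CG56": UNSIGNED, "CG58": 1, "CG59": 1, "CG60": 1,
}

if __name__ == "__main__":
    for dev in (1, 2):
        print(f"phone at sv{dev}:")
        for name, verdict in check_smgs(dev, SAMPLE).items():
            if verdict != "ok":
                print(f"  {name}: {verdict}")
```

On the sample set, a phone at sv1 gets one "irreversible" warning for CG42, while a phone at sv2 gets every sv1 part reported as "blocked".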