5,605,311 Members 38,587 Now Online
XDA Developers Android and Mobile Development Forum

[Important]Tegra2 SBF and other flashing stuff - 07/23/12

Tip us?
 
peetr_
Old
(Last edited by peetr_; 28th August 2012 at 10:25 PM.)
#1  
Recognized Contributor - OP
Thanks Meter 2092
Posts: 2,325
Join Date: Oct 2010
Default [Important]Tegra2 SBF and other flashing stuff - 07/23/12

***
If you have at least one sbf on your hard drive, read at least the first post here! Read everything and still not sure? Then you can ask, with providing some info about your software in phone (now and before) !

Even if you're unlocked, you need to know, which parts can be flashed and from what source you can use the cgs or dump files. Always check them first.

If you brick your phone with methods mentioned here, it's your responsibility.

But we are trying the opposite - unbrick your phone.
***

Before you flash anything, write down somewhere this info from Settings - About phone:
Baseband version
Build number
After you flash anything and it is working, write it down again.
If you want some easy help later, keep this info, it is important.

!!!
MAIN INFO (the most important):
sv0 = signature version 0
sv1 = signature version 1
sv2 = signature version 2
etc.

sv1 = 2.3.4 sbf, ota, derpunlock,etc... - CGs/partitions from 2.3.4_198_7 and less
sv2 = 2.3.5 sbf, ota, pudding 2.3.5, etc... - CGs/partitions from 2.3.5_254_12, 2.3.5_USC_19 and more

sv1 -> sv2 - possible, but it is the end of your unlocked bootloader days (end of custom kernels, recoveries and many custom roms)
sv2 -> sv1 - impossible !!!

always check with smgver program, before compiling sbf
!!!


After many hours of searching and playing with SBFs and RSD Lite, I found working tool for recompiling SBF superfiles. And I want to share my knowings.

I am not responsible for any damage. You must know, what you are doing.


First, before trying anything, you need to know that SBF files are just compiled CGxx.smg files, which are in many cases identical to partitions after flashed in your phone.
Something is already presented in this Atrix thread, as this phone is very similar.
Most of CGs are signed by Motorola and time to time, incoming new version of SBF, comes with new version of CGs signature. Mostly newer Android versions. These signature versions are known that they are switching the fuse, because once you flash higher version of CG, there is no way to flash the lower version back.


Recapitulation of SMGs:

RDL1 - Used for flashing CG5.smg - signed - always signature version 0
RDL3 - Flashes all other SMGs - signed - signature version incrementing
CG2 - ptable - not signed
CG3 - CDT.bin - something like - signed - signature version incrementing
CG5 - This is compiled from various mbn parts only for MBM6600 modem - partition, amss, cefs, dbl, osbl - not signed, but mbns are somehow secured
- MDM6600 is standalone unit with its own cpu, memory, bootloader, etc.
CG39 - configtable - signed - signature version incrementing
CG42 - Bootloader - signed - signature version incrementing
CG47 - Microboot - signed - signature version incrementing
CG56 - Boot logo - not signed
CG58 - Recovery emmc image (kernel and ramdisk.gz with recovery) - mmcblk0p10 - signed - signature version incrementing
CG59 - Boot emmc image (kernel and ramdisk.gz for system) - mmcblk0p11 - signed - signature version incrementing
CG60 - System image - mmcblk0p12 - signed - signature version incrementing only with sbf, but for some reason, signature is probably needed only for sbf flashing
CG61 - Webtop image - mmcblk0p13 - signed - same as CG60, but signature version checking software (SMGver) doesnīt see that, probably address doesnīt fit
CG62 - CDrom image - mmcblk0p14 - signed - signature version incrementing
CG65 - Preinstall image - mmcblk0p17 - not signed

Never forget to backup your /pds partition - mmcblk0p3, it's not part of any sbf.


Now to the creating of custom sbf:

It is a little complicated, because you first need to know, what do you want.
I am stuck unlocked, so I can flash any SMG signed with version 1 or not signed.
I cannot try this with locked bootloader signed with version 1, because of experiments with OTA.
I could try this with locked bootloader version 2, but it would close the door to unlocking.

So as first example, I create custom SBF of my Hybrid ROM, with TWRP recovery and Electrify boot.img.

First I need tools -
SBF Codec - tool for decompiling and compiling SMGs
SMG version - tool for checking version of SMG signature
I donīt take any credits for these easy and very good tools

Now I can take for example 198_7 SBF, that I have as base for my rom, open with SBF Codec and after a while, all SMGs will be in SMG folder next to my SBF Codec folder.

Now I can copy smgver.exe and ver.bat into SMG folder, open command line, navigate there to the SMG folder and run ver.bat. As I can see, these SMGs are mostly signed with version 1 or not signed, so there is nothing to worry about for me.

So now I need to know, which SMGs do I need and which do I want.

Always needed SMGs or the flash process will fail are:
CG2.smg
CG3.smg
CG39.smg
RDL3.smg
(donīt touch SBFData.dat and SBFHeader.hdr files)
The rest can be removed, except those wanted.

(If I want this SBF to unlock my bootloader, I just replace CG42.smg with the one from derpunlock.sbf)

Wanted SMGs are in my case - custom kernel, recovery and rom, so I will not remove:
CG58.smg
CG59.smg
CG60.smg
But I need those changed, so I need to get them from my phone as full partition dumps.

Dumping full partitions:
From running phone with adb shell and command -
dd if=/dev/block/mmcblk0p10 of=/sdcard/recovery.img
dd if=/dev/block/mmcblk0p11 of=/sdcard/boot.img
dd if=/dev/block/mmcblk0p12 of=/sdcard/system.img
Now I copy them from sdcard next to SMG folder and rename -
recovery.img -> CG58_0x000......smg
boot.img -> CG59_0x000......smg
system.img -> CG60_0x000......smg
And I overwrite those in SMG folder with these.

Now I can click on save button in SBF Codec tool and name the new sbf as I want.

I will do factory reset of my phone and flash over any unlocked rom based on 198_7 or 198_6 maybe 154_5, etc. SBF.

There is not much potential for unlocked bootloaders. As we have custom recovery flashing everything.

But the better from this comes on locked bootloaders.
In case of 2.3.4 softbrick, you donīt have to flash full SBF, root and install bootstrap.
You can just make your own SBF with custom rom (mof 2.3.5ish for locked for example), and in case of some system brick, just reflash your custom sbf without even wiping data and recover from brick after a few minutes. *updated info - still possible, but custom sbf with unlocked bootloader needed

And the best is, that you can make custom SBF for recovering from Photon 2.3.5 ota brick, with CG2, CG3, CG39, RDL3 with signature version 2, taken from USC Electrify 2.3.5 SBF and Photon 2.3.5 OTA system dump (CG60). *updated info - system dump no, we do not have any not modified sv2 system dump

You can probably install custom Webtop on locked 2.3.5. *updated info - webtop dump no, we do not have any not modified sv2 webtop dump, custom webtop no (maybe some optimized for bootstrap)

You cannot install AOSP roms on locked bootloader this way, because custom boot.img needed and you cannot sbf/fastboot flash custom modified CGs/partitions.

Do not try to flash radio this way, itīs not working. Locked or unlocked, always remove RDL1.smg and CG5.smg. *updated info - it works, but hex editing sbf header needed (0-767 byte)



*
Partition table - CG2 or ptable or PT
mmcblk0p1 - nvmotota - here goes bootloader with microboot (ap20bl.img) from ota updates, installing on first reboot after updating
mmcblk0p2 - CDT (codegoup description table - cdt.bin)
mmcblk0p3 - PDS (/pds)
mmcblk0p4 - EBR
mmcblk0p5 - SP
mmcblk0p6 - CID
mmcblk0p7 - MSC (misc) - empty
mmcblk0p8 - LOG (logo)
mmcblk0p9 - KPA (kernel panic)
mmcblk0p10 - SOS (recovery image)
mmcblk0p11 - LNX (boot image)
mmcblk0p12 - APP (system image)
mmcblk0p13 - OSH (webtop image)
mmcblk0p14 - CDR (cdrom image)
mmcblk0p15 - CAC (cache)
mmcblk0p16 - UDA (userdata)
mmcblk0p17 - PIA (preinstall image)
mmcblk0p18 - SDC (sdcard)
mmcblk0p19 - GPT (gpt)

*
Failed to boot 1 - bootloader/microboot partition problem
Failed to boot 2 - boot partition problem
Failed to boot 3 - recovery partition problem
Failed to boot 4 - system partition problem


Not modified signed boot.img and recovery.img dump from partition can be flashed with fastboot or sbf.

Dumped system.img looks like a problem to flash with fastboot or sbf, because to dump it, you must be rooted. Root = broken checksum = broken signature = failed to boot 4
___________________________________

Sony Xperia T owner

The Following 25 Users Say Thank You to peetr_ For This Useful Post: [ Click to Expand ]
 
mof9336
Old
#2  
Senior Member
Thanks Meter 301
Posts: 461
Join Date: Jun 2007

 
DONATE TO ME
Great information.

Sent from my MB855 using xda app-developers app
 
peetr_
Old
(Last edited by peetr_; 8th July 2012 at 10:34 PM.)
#3  
Recognized Contributor - OP
Thanks Meter 2092
Posts: 2,325
Join Date: Oct 2010
Proof of concept. :)

For those, that can be unlocked. Flash 198_7 sbf, you can boot into it, do factory reset in recovery, flash Hybrid unlocking rom with twrp recovery sbf.
There is nothing to lose, at worst, you can reflash 198_7 sbf.
___________________________________

Sony Xperia T owner

 
mof9336
Old
(Last edited by mof9336; 8th July 2012 at 11:17 PM.)
#4  
Senior Member
Thanks Meter 301
Posts: 461
Join Date: Jun 2007

 
DONATE TO ME
If no one wants to pony up Ill try this later.

So basicly someone with a new 2.3.5. updated system could create thier own sbf file so if they brick thier phone they could easily restore it to stock or whatever they created the sbf of. Is this correct?
 
peetr_
Old
#5  
Recognized Contributor - OP
Thanks Meter 2092
Posts: 2,325
Join Date: Oct 2010
Yes. This should be the main purpose. However I am not going to permanentely lock my phone, to try this. But from all my tests, I donīt see any reason, why this would not work. Electrify SBF is compiled from SMGs with signature version 2. OTA update bootloader and CDT.bin is version 2 signed too. For example, the main problem of pudding 2.3.5 is, that there is no pudding 2.3.5. It is Sunfire unlocked bootloader with version 1 signature, CG2.smg and CG39.smg with version 1 signature, CG3.smg and RDL3.smg with version 2 signature. It cannot be merged this way. RDL3 with version 2 most probably prevents flashing anything with version 1.
___________________________________

Sony Xperia T owner

 
bdotr
Old
(Last edited by bdotr; 9th July 2012 at 05:16 AM.)
#6  
Member
Thanks Meter 4
Posts: 47
Join Date: Apr 2011
Location: Seattle
How could I make a custom SBF for recovering from a brick?
 
ScottieRotten
Old
#7  
ScottieRotten's Avatar
Senior Member
Thanks Meter 21
Posts: 198
Join Date: Dec 2011
Location: Boston
Wonder if this would help those guys trying to figure out that unlocked magic photon that guy has?

Also wonder if some of this could develop a method to get around the 4G lock somehow...

Good stuff thanks for the info..

Sent from my MB855 using xda premium
Sprint note2 Rooted stock.

Dont thank me I am not your mother.
 
mof9336
Old
#8  
Senior Member
Thanks Meter 301
Posts: 461
Join Date: Jun 2007

 
DONATE TO ME
Quote:
Originally Posted by bdotr View Post
How could I make a custom SBF for recovering from a brick?
The sbf would have to be done prior to the brick.

Sent from my MB855 using xda app-developers app
 
peetr_
Old
#9  
Recognized Contributor - OP
Thanks Meter 2092
Posts: 2,325
Join Date: Oct 2010
How to recover system bricked 2.3.5 Photon? Someone should make SBF, test it and share.
I can make it and share, but I don't want to test it, because I am unlocked yet.
Ofcourse, there is still very low percent, that it won't boot, because no one tested that. But when it's not booting already, there is again nothing to lose.
___________________________________

Sony Xperia T owner

 
mof9336
Old
#10  
Senior Member
Thanks Meter 301
Posts: 461
Join Date: Jun 2007

 
DONATE TO ME
I've been playing around with this but im in the same boat as you. Im not going to perm lock my phone just to test this.

Tags
custom, partition, sbf, smg, tegra2
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes