Since the Nexus 2013 is now EOL for OTA updates, here are the highlights I just found for our final bootloader:
4 byte pp

Search string: 9C030000 00000000 01000000 09090900
  offset 1187772 (311688 in aboot)
  offset 3270044 (2393960 in aboot)
  offset 3955364 (3079280 in aboot)
  offset - (3167460 in aboot only)

Search string: 1C000000 00000000 01000000 24242400
  offset 1127848 (251764 in aboot)
  offset 1267360 (391276 in aboot)
  offset 3102124 (2226040 in aboot)
Worth restating that the corresponding partition on-device containing the images, mmcblk0p12 (as mentioned several times by @makers_mark), is named aboot. When the device is locked, abootb (mmcblk0p19) is a byte-for-byte copy of aboot with the exception of the bootloader's lockstate storage area located near 5242368 with another "ANDROID-BOOT!". When unlocked this is also the case, and the only further change is at the lockstate offset.
Now.. to generate a replacement image and see about hacking it in...
I will make a lock image that has a long white line, corresponding to their oblivious pixel, and replace it in all three spots. It will contain no more and no less data (no padding in testing scenarios). If you want to "dd" it to the partition or use otherwise "cough" mentions, then feel free. Very nice find there. I used a popular internet archive to get the source (thread) that I was referring to. The cough seems about the same caliber as far as knowledge and insight.
Let me know if you want me to make a 4.08 bootloader for you. I will not go off of your offsets; I will re-verify all that and quintuple check everything. You can do the same as well if you want to be extra sure. If that was the case we would have binarily exact files. When I wrote this thread, the N7 was the only (and first) Android that I owned. Hence it was not sacrificial to me, but an enjoyment that I couldn't just test like that. It is dead now (probably just the battery) and getting ready to set sail on an equitable distribution end-of-life garbage cycle, or straight to the data recovery center for cheating wives who want to find any dirt they can to make themselves look better.
Hmm, I'll have to check out the popular internet archives, since perhaps the pictures, etc. would still be intact in their coughs...
I tried hacking the bootloader.img already and fastboot throws a "signature failed!" error, so it seems aboot is the only way to go.
I decided to get crazy with it so I already tried replacing the lock image with the new version in all 3 places in aboot and flashing it and it hard bricked my device. But not so hard that I couldn't recover it myself with some more poking around.
So it seems your original assessment may have been correct, or perhaps I was just a bit cavalier since the new lock image was shorter in data length than the old and required some minor 00 padding. Since I can reliably recover my device (tried it again by fully zeroing aboot), I'm definitely up for some more testing, and agree that a more methodic/scientific approach where the data is the same length (perhaps just changing a single pixel or something to start with) would probably be the best approach.
Attached is my aboot.img backup for you to modify and generate your tests.
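The two things the thread keeps circling back to are (a) locating the splash-image records by their search strings, in both bootloader.img and the aboot partition dump, and (b) never writing a replacement that is a different length from the original, since the padded shorter image above produced a brick. The script below is an added example and is not code from this thread or from any poster; it runs on a constructed sample blob rather than a real aboot dump. It embeds the two search strings and the offsets quoted above, checks that the bootloader.img-to-aboot offset difference is the same for every pair (the posted numbers all give 876084), finds every occurrence of a marker, and patches a copy only when the replacement record is byte-for-byte the same length and the expected original bytes are actually present at the offset. The 8-byte payload following each marker in the sample is an invented stand-in for the real RLE image data, which this example does not decode; the file and function names are likewise assumptions.

```python
"""Locate splash-image markers in an aboot/bootloader dump and patch them
only with same-length data.  Added example, not from the thread."""
import hashlib
import sys

# Search strings quoted in the thread, as raw bytes.
LOCK_MARKER = bytes.fromhex("9C030000" "00000000" "01000000" "09090900")
SECOND_MARKER = bytes.fromhex("1C000000" "00000000" "01000000" "24242400")

# (bootloader image offset, aboot offset) pairs quoted in the thread.
LOCK_OFFSETS = [(1187772, 311688), (3270044, 2393960), (3955364, 3079280)]
SECOND_OFFSETS = [(1127848, 251764), (1267360, 391276), (3102124, 2226040)]

# Invented: bytes of image data assumed to follow each marker in the sample.
SAMPLE_PAYLOAD_LEN = 8


def aboot_delta(pairs):
    """Constant difference between image offset and aboot offset, or None
    if the pairs disagree (which would mean one of them is mis-typed)."""
    deltas = {img - ab for img, ab in pairs}
    return deltas.pop() if len(deltas) == 1 else None


def find_all(blob, pattern):
    """Every offset at which pattern occurs in blob, in ascending order."""
    hits, start = [], 0
    while True:
        i = blob.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def patch_same_length(blob, offsets, old, new):
    """Return a patched copy of blob with old replaced by new at each offset.
    Refuses to proceed if new is not exactly as long as old (no padding) or
    if old is not really present at an offset, so a bad offset list or a
    wrong-sized image cannot silently corrupt neighbouring bytes."""
    if len(new) != len(old):
        raise ValueError(
            f"replacement is {len(new)} bytes but original is {len(old)}; "
            "refusing to pad or truncate")
    out = bytearray(blob)
    for off in offsets:
        if bytes(out[off:off + len(old)]) != old:
            raise ValueError(f"original bytes not found at offset {off}")
        out[off:off + len(new)] = new
    return bytes(out)


def sha256(blob):
    """Hex digest, for recording the image before and after patching."""
    return hashlib.sha256(blob).hexdigest()


def build_sample():
    """Constructed 512-byte blob: 0xFF filler with the lock marker plus an
    invented payload at three offsets, mimicking the three lock images."""
    blob = bytearray(b"\xff" * 0x200)
    record = LOCK_MARKER + bytes(range(SAMPLE_PAYLOAD_LEN))
    for off in (0x20, 0x80, 0x140):
        blob[off:off + len(record)] = record
    return bytes(blob)


def main(argv):
    # With a path argument, scan a real dump read-only; otherwise use the sample.
    blob = open(argv[1], "rb").read() if len(argv) > 1 else build_sample()
    print("image-to-aboot delta (lock markers):", aboot_delta(LOCK_OFFSETS))
    print("image-to-aboot delta (second markers):", aboot_delta(SECOND_OFFSETS))
    print("sha256 before:", sha256(blob))
    for name, marker in (("lock", LOCK_MARKER), ("second", SECOND_MARKER)):
        print(f"{name} marker at:", find_all(blob, marker))
    if len(argv) == 1:
        old = LOCK_MARKER + bytes(range(SAMPLE_PAYLOAD_LEN))
        new = LOCK_MARKER + b"\x07" * SAMPLE_PAYLOAD_LEN
        patched = patch_same_length(blob, find_all(blob, LOCK_MARKER), old, new)
        print("sha256 after :", sha256(patched))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the sample patched; pass a path to an aboot or bootloader dump to list the marker offsets without writing anything. If you do go on to dd a patched copy to mmcblk0p12, compare the hash you recorded against the written partition before rebooting.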
You have done your research on the bootloader in question, and maximized efficiency in a recovery of a failed attempt. Good job!
One of the good things about RLE (pertaining to this particular scenario) is that you don't have to alter just one pixel to make the image size the same. That is actually really difficult based on the image. I was simply putting out there the random white dot at the bottom right of the lock as a "shove it" move, whereas the ideal way would be to move some pixels that do not go from a white/grey to another white/grey (or black/grey vice versa). The solution was obvious (after the fact):