
mtd kernel driver hacks?

By bftb0, Senior Member on 15th December 2010, 10:39 AM
Hi devs,

Are you aware of any work (for other Android phones, for instance), where an altered mtd kernel driver was used to allow (raw) root access anyplace within flash memory? (For example, maybe a raw pseudo-partition which overlaps all the other partitions?) The stock mtd driver creates devices in the kernel device tree only for specific partition slices (boot, system, recovery, data, cache) - for obvious safety and security reasons.

After all these months, I stumbled across this tonight

C:\foo>fastboot oem listpartition
INFO[radio]:(OTHER) block start=0, size=332 (42496 KB)
INFO[hboot]:(RAW) block start=333, size=6 (768 KB)
INFO[misc3]:(RAW) block start=339, size=2 (256 KB)
INFO[mfg]:(RAW) block start=341, size=2 (256 KB)
INFO[sp1]:(RAW) block start=343, size=6 (768 KB)
INFO[misc2]:(RAW) block start=349, size=3 (384 KB)
INFO[mfg2]:(RAW) block start=352, size=3 (384 KB)
INFO[recovery]:(RAW) block start=355, size=40 (5120 KB)
INFO[boot]:(RAW) block start=395, size=20 (2560 KB)
INFO[system]:(YAFFS) block start=415, size=1360 (179520 KB)
INFO[cache]:(YAFFS) block start=1775, size=1040 (137280 KB)
INFO[userdata]:(YAFFS) block start=2815, size=1276 (168432 KB)
INFO[misc]:(RAW) block start=4091, size=5 (640 KB)
INFO[microp]:(OTHER) block start=0, size=0 (0 KB)
INFO[nv]:(OTHER) block start=0, size=0 (0 KB)
INFO[tp-melfas]:(OTHER) block start=0, size=0 (0 KB)
OKAY [  0.071s]
finished. total time: 0.071s
I had never seen references in the Eris forums to the misc3, mfg, sp1, misc2, or mfg2 partitions - I suppose one or more are for boot images. Maybe interesting to boot a kernel image that had access to them, and have a peek at them?

16th December 2010, 02:58 PM |#2
gnarlyc
Retired Recognized Developer
Raleigh, NC
You are venturing into an area that is slightly beyond my current level of understanding. (Although we can all learn more.)

Is this even close to what you are looking for?

I'm thinking not, since they appear to be resizing the existing partitions, which doesn't seem to be quite what you are looking for.
16th December 2010, 07:07 PM |#3
Senior Member
San Diego, CA
I was asking about this a while back to see if anyone was able to get read access to the splash1 (I'm guessing sp1) partition so we could dump the REAL original splash screen for people that needed to go back to full stock. This was basically the only thing that is left out of going to stock since the "original" boot image that I had used for the android skateboards in my post about changing the boot logo was just a resized version I found online somewhere which is slightly bigger than the original if you look closely. I had some info lying around somewhere but it was definitely something about people modifying the mtd drivers in the kernel to get this done.

Without the modified drivers there is no way to do a FULL nand dump at this point.
16th December 2010, 08:41 PM |#4
OP Senior Member
Originally Posted by gnarlyc

You are venturing into an area that is slightly beyond my current level of understanding. (Although we can all learn more.)

Is this even close to what you are looking for?

I'm thinking not, since they appear to be resizing the existing partitions, which doesn't seem to be quite what you are looking for.

Well, I'd seen that before - but THANK YOU - your post encouraged me to do a better job of searching, and I came up with this:

Awesome! It appears that no mtd kernel hack is needed - as long as the Eris kernels we are using accept those parameters (obviously, a little additional work is needed to get the offsets correct for the Eris).

I knew that partitions could be resized - but I wasn't aware that you could add new partition definitions. If it works for the Eris, then cool. (I have to say - the G1/G2/Hero devs surely have turned over a lot of stones that have helped us.)

16th December 2010, 11:25 PM |#5
roirraW "edor" ehT
Recognized Contributor
Columbus, OH
Mohahahhahahahaaha (rubbing hands together deviously). I smell either some interesting development or at least some interesting information coming out of this.
17th December 2010, 12:56 AM |#6
OP Senior Member
It's working.

More details later.
17th December 2010, 02:32 AM |#7
OP Senior Member
Flash Memory Map for the Eris:

partition   start        end              KB  blocks   (note)
radio       0x00000000 - 0x02980000   42,496     332          (3)
- gap! -    0x02980000 - 0x029a0000      128       1          (3)
hboot       0x029a0000 - 0x02a60000      768       6          (2)
misc3       0x02a60000 - 0x02aa0000      256       2          (5)
mfg         0x02aa0000 - 0x02ae0000      256       2          (6)
sp1         0x02ae0000 - 0x02ba0000      768       6          (4)
misc2       0x02ba0000 - 0x02c00000      384       3          (4)
mfg2        0x02c00000 - 0x02c60000      384       3          (4)
recovery    0x02c60000 - 0x03160000    5,120      40
boot        0x03160000 - 0x033e0000    2,560      20
system      0x033e0000 - 0x0dde0000  174,080    1360
cache       0x0dde0000 - 0x15fe0000  133,120    1040
userdata    0x15fe0000 - 0x1ff60000  163,328    1276
misc        0x1ff60000 - 0x20000000      640       5
( You can verify the above on your own phone with a combination of examining /proc/mtd, "dmesg" output immediately after the boot, and output of "fastboot oem listpartition" )

(1) Note all partitions are aligned to a 128-KB boundary (0x20000 - 18 bits)
Presumably this is why "fastboot oem listpartition" reports sizes in this unit

(2) Hboot images from HTC for the Eris have always been exactly 512 KB. Slack space is here,
but I found nothing but 0xFF's in the slack area.

(3) Attempting to dump from this partition produces many, many error messages of the form:

mtd: MEMGETBADBLOCK returned -1 at 0x02940000 (errno=5)
mtd: MEMGETBADBLOCK returned -1 at 0x02960000 (errno=5)

(4) On my phone, dumps of partitions "sp1", "mfg2" and "misc2" produced uninteresting data blobs: all 0xFF's.
Note that I have never flashed a custom boot splashscreen.

(5) Nearly "empty" - bytes not 0x00 or 0xFF are all string data (including CID)

(6) Contains "interesting" string data (including handset ID, manufacturing date, etc) and other binary data. Performing interesting handset operations and then recapturing a partition dump (before/after) and performing a binary diff could reveal strategic locations.


Most people have absolutely no business doing this - you have been warned.

Under no circumstances should you hand-type any of these addresses; a simple typo could lead to disaster.

fastboot -c " mtdparts=msm_nand:0x000a0000@0x1ff60000(misc),0x00500000@0x02c60000(recovery),0x00280000@0x03160000(boot),0x0aa00000@0x033e0000(system),0x08200000@0x0dde0000(cache),0x09f80000@0x15fe0000(userdata) " boot recovery-RA-Eris-v1.6.2.img
will produce the standard kernel partition mappings. Note the leading and trailing spaces in the quoted string - and that the order of appearance is critically important.

You may append one or more** of the following, separated with commas as shown in the above (standard mapping) command.


** I performed individual boots adding only one non-standard partition, and cannot guarantee that a disaster will not result if you try to append more than one - or all of them - in one boot.

You can verify the additional partitions have been kanged into the kernel's device tree with

adb shell cat /proc/mtd

and may dump individual partitions via the command "dump_image" (provided by Amon_RA in /sbin), as in the following example:

mount /sdcard
dump_image mfg /sdcard/part.mfg.img

17th December 2010, 08:02 AM |#8
OP Senior Member
If you just want to dump a specific Eris flash memory partition(s) off your phone, there is an even easier method. (Doh!)

- 1.49.2000 S-OFF bootloader is installed on your Eris.
- working device drivers on PC and fastboot utility


1) Connect via USB to your PC and put phone in FASTBOOT mode (Power up with Send+End)

2) Get the partition names listing using
fastboot oem listpartition
3) Using the following fastboot syntax, plug in the desired partition name (PNAME):
fastboot oem saveprt2sd PNAME -n PNAME.bin -a
for example, the "sp1" partition:
$ fastboot oem saveprt2sd sp1 -n sp1.bin -a
                              ... INFOSaveImageToSD partition file name:sp1
INFOSaveImageToSD output file name:sp1.bin
INFOsdcc_poll_status(): i=21
INFOCmd5 polling status timed out
INFOSD: CMD5 fail, rc=2 ..
INFO Searching free data sectors....
INFO [SAVE2SD] 131072 bytes saved.
INFO [SAVE2SD] 262144 bytes saved.
INFO [SAVE2SD] 393216 bytes saved.
INFO [SAVE2SD] 524288 bytes saved.
INFO [SAVE2SD] 655360 bytes saved.
INFO [SAVE2SD] 786432 bytes saved.
OKAY [  1.728s]
finished. total time: 1.728s

Yep, it really is that simple.
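An added example (not from the thread) for inspecting the .bin files that saveprt2sd writes, implementing the checks described in notes (4) to (6) of post #7: label each 128 KB erase block as blank (all 0xFF), zeroed or data, pull out the printable strings, and diff a before/after pair of dumps of the same partition to find the bytes that changed. The sample images are constructed here and are not real Eris data.

```python
import string

ERASE_BLOCK = 0x20000  # 128 KB erase block, as in the memory map above
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def classify_blocks(image):
    """Label each erase block: 'blank' (all 0xFF), 'zero' (all 0x00) or 'data'."""
    labels = []
    for off in range(0, len(image), ERASE_BLOCK):
        blk = image[off:off + ERASE_BLOCK]
        if blk.count(0xFF) == len(blk):
            labels.append("blank")
        elif blk.count(0) == len(blk):
            labels.append("zero")
        else:
            labels.append("data")
    return labels

def strings_in(image, minlen=4):
    """Printable runs of at least minlen bytes, like the CID / handset ID strings noted in the thread."""
    out, run = [], bytearray()
    for b in image + b"\x00":  # trailing NUL flushes the last run
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= minlen:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out

def diff_dumps(before, after):
    """Byte offsets where two same-size dumps of one partition differ (the before/after binary diff)."""
    if len(before) != len(after):
        raise ValueError("dumps differ in length")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

# Constructed sample images (not real Eris data): a 2-block, mostly erased, mfg-like partition.
SAMPLE_BEFORE = bytearray(b"\xff" * (2 * ERASE_BLOCK))
SAMPLE_BEFORE[0x100:0x108] = b"CID_TEST"         # pretend vendor ID string
SAMPLE_BEFORE[0x200:0x204] = b"\x00\x00\x00\x01"  # pretend binary counter
SAMPLE_AFTER = bytearray(SAMPLE_BEFORE)
SAMPLE_AFTER[0x203] = 0x02                        # counter bumped by some handset operation

def summarize(before, after):
    """Return (block labels, strings, changed offsets) for a before/after pair of dumps."""
    return classify_blocks(before), strings_in(before), diff_dumps(before, after)
```

Running summarize on two real dumps of the same partition narrows a binary diff to a handful of offsets instead of a whole image.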
