
realbbb

hi Pepper,

attached the zip with F926U1 and F926B pit files.
XAA for F926U1
XSP for F926B
XAA is using Q2Q_USA_SINGLEW.pit
XSP is using Q2Q_EUR_OPENX.pit

Newer PIT files have a number of signature variables that are currently of interest: firmware build, qkey, continent, csc, and srp
Q2Q_USA_SINGLEW.pit - F926U1UEU1AUG8, QKEY0, NA, XAA, SRPUA13A001
Q2Q_EUR_OPENX.pit - F926BXXU1AUG8, QKEY1, EUR, XX, SRPUC12A001

As you can see the firmware builds are now embedded in the pit. Currently that does not stop things. Neither does the continent or csc code currently stop things. However, that is not the case when the qkey and srp differ (coincidence?).

So far I have seen QKEY and SRP being different always results in "Re-Partition operation failed". Would like to hear about one or the other being the only one being different to cause a fail (who knows at this point, never seen it). Though they may always change when the other changes?

Considering that this detail is in the signature of the latest firmware components (not just PIT), this could make things exceedingly difficult in the future. Especially if sam has the checking done on the phone side and not odin. eol


realbbb
Heavy Float
 

jemfalor

hi realbbb,

thanks for the analysis and info. seems like sam has the upper hand now, restricting phones regionally.

i supposed this is their method of keeping cost price low while maintaining profit margin. like how Nintendo have their peripherals using Bluetooth tech but not labeling as such to avoid royalties.

if flashing variant stock rom is difficult in future, may have to venture into rooting once again.
 

mffu

I just discovered that Fold3 doesn't have CDMA portion enabled in the radio whereas S21 being on the same 888 chipset does. Would it be possible to tweak Odin to be able to flash radios made for the same chipsets? (e.g. flash AP from S21 on Fold3)
 

realbbb

The modem is in CP.

It has been years since I have frankenstein'd firmware. A pieced together firmware may work? And as long as download mode is available, one can flash back to stock (keeping security levels the same). Do let us know of your success or failure.

Have you checked with the xda thread for the fold3?

I may need to obtain a testing phone to work out if this can be patched in odin. Time will tell.


Realbbb
Cleverly Frogged
 

jemfalor

hi Realbbb,

didn't know this can be done. everywhere i read, everyone was saying you have to flash everything.

hopefully this can be done. i too believe it's possible as long as the required files are not distributed across the binaries, AP, BL etc.

any idea where esim is located? while extracting the binaries, i see esim in the extraction.

I'm sure the snapdragon 888 x60 modem supports every 5g band, just restricted regionally via configuration. the omission of esim in US models can be activated via some software.

apk comparison between xaa and xsp firmware, respectively.
 

Attachment: IMG-20210909-WA0000.jpg

mffu

I misstated, the modem is CP. Last night I compared both file sizes for unlocked (U1) phones: S21's CP showed 62,361mb and Fold3's - 61,611mb. I used the PIT from the unlocked Fold3 (Q2Q_USA_SINGLEW.pit) along with CP from the unlocked S21 Ultra (SM-G998U1) and dared to flash them together. The result was "RQT CLOSE !!"
I used to flash different radios from the same chipsets before and was successful in doing so; however, it was a good while ago.
 

Attachment: Odin error.png

jemfalor

mffu said:
> I misstated, the modem is CP. Last night I compared both file sizes for unlocked (U1) phones: S21's CP showed 62,361mb and Fold3's - 61,611mb. I used the PIT from the unlocked Fold3 (Q2Q_USA_SINGLEW.pit) along with CP from the unlocked S21 Ultra (SM-G998U1) and dared to flash them together. The result was "FAIL! (Auth)". I used to flash different radios from the same chipsets before and was successful in doing so, however it was a good while ago. Definitely, patching Odin to bypass the (Auth) would help if is even possible.

really hope it has something to do with odin and not the phone.
 

realbbb


Why flash pit? Isn't the fold3 a legit u1?

The modem partition already exists in the stock firmware. Flash the s21 cp by its lonesome. Resulting Odin output? Using original or patched odin? Try both.

Could just place the modem.bin in a tar without a md5. Original odin should reject. What is the patched odin output?


REALBBB
Tower Deep
 

mffu

Thanks Realbbb! with Modem.bin only I can't get past the "File Analysis". See attached.
 

Attachment: Odin-file analysis.png

jemfalor

i'm thinking, is there really a need to repartition?? where does CSC flash to? is it system partition or user partition?

i'm thinking of flashing only CP and HOME_CSC. will this work??
hmm, seems CSC is not so straightforward. just had a look inside. attempt flashing CP alone.
 

realbbb

jemfalor said:
> i'm thinking, is there really a need to repartition?? where does CSC flash to? is it system partition or user partition?

CSC contains a pit. It will modify the flash layout (ie re-partition).

jemfalor said:
> i'm thinking of flashing only CP and HOME_CSC. will this work??
> hmm, seems CSC is not so straight forward. just had a look inside. attempt flashing CP alone.

Home is csc without a pit. home will attempt to flash the components to the current partition layout.


realbbb
Slick Bench
 

jemfalor

thanks realbbb. current partition layout may not be enough for it since the AP and CSC are considerably larger in size, 900mb more. CP seems good =D. smaller in size than U1.

from your previous post, you mentioned flashing CP "lonesome" i would take it as alone excluding AP, BL and CSC. will attempt flash after backup!!
 

jemfalor

nope. same error as @mffu

<OSM> Enter CS for MD5..
<OSM> Check MD5.. Do not unplug the cable..
<OSM> Please wait..
<OSM> Checking MD5 finished Sucessfully..
<OSM> Leave CS..
<ID:0/005> Added!!
<ID:0/005> Odin engine v(ID:3.1401)..
<ID:0/005> File analysis..
<ID:0/005> Total Binary size: 96 M
<ID:0/005> SetupConnection..
<ID:0/005> Initialzation..
<ID:0/005> Get PIT for mapping..
<ID:0/005> Firmware update start..
<ID:0/005> NAND Write Start!!
<ID:0/005> SingleDownload.
<ID:0/005> modem.bin
<ID:0/005> RQT_CLOSE !!
<ID:0/005>
<ID:0/005> Complete(Write) operation failed.
<OSM> All threads completed. (succeed 0 / failed 1)
<ID:0/005> Removed!!
 

jemfalor

could it be the odin version or samsung usb driver?

CP_F926U1UEU1AUG8_CP19729400_CL22146001_QB41581084_REV00_user_low_ship_MULTI_CERT.tar.md5

CP_F926BXXU1AUG8_CP19728596_CL22146001_QB41578985_REV00_user_low_ship_MULTI_CERT.tar.md5

could it be due to the bold version? the CP i'm flashing has a lower value.

flashing alone requires unlocked bootloader??

should i flash the new firmware instead?
SM-F926B  Australia  2021-08-11  F926BTBU1AUGB  11

or

SM-F926B  Unknown  2021-09-05  F926BXXU1AUHF  11

or

SM-F926B  Vietnam  2021-08-11  F926BTBU1AUGB  11
vietnam would be good. read that it has call recording and samsung pay
*update* nope still the same. even with the new CSC, i'm getting the same error.
CSC_OMC_OXT_F926BOXT1AUGB_CL22146001_QB41871774_REV00_user_low_ship_MULTI_CERT.tar.md5

<ID:0/005> Added!!
<ID:0/005> Odin engine v(ID:3.1401)..
<ID:0/005> File analysis..
<ID:0/005> Total Binary size: 11121 M
<ID:0/005> SetupConnection..
<ID:0/005> Initialzation..
<ID:0/005> Set PIT file..
<ID:0/005> DO NOT TURN OFF TARGET!!
<ID:0/005>
<ID:0/005> Re-Partition operation failed.
<OSM> All threads completed. (succeed 0 / failed 1)
<ID:0/005> Removed!!

using back the first firmware i wanted to flash previously, selecting only CP and HOME_CSC, i'm getting this error now.

<ID:0/005> Added!!
<ID:0/005> Odin engine v(ID:3.1401)..
<ID:0/005> File analysis..
<ID:0/005> skip file list for home binary
<ID:0/005> Home Binary Download
<ID:0/005> Total Binary size: 1060 M
<ID:0/005> SetupConnection..
<ID:0/005> Initialzation..
<ID:0/005> Get PIT for mapping..
<ID:0/005> Firmware update start..
<ID:0/005> NAND Write Start!!
<ID:0/005> SingleDownload.
<ID:0/005> modem.bin
<ID:0/005> cache.img
<ID:0/005> FAIL! (Auth)
<ID:0/005>
<ID:0/005> Complete(Write) operation failed.
<OSM> All threads completed. (succeed 0 / failed 1)
<ID:0/005> Removed!!


this time, will be trying F926B CP and F926U1 HOME_CSC
*update* nope still the same.

<ID:0/005> Added!!
<ID:0/005> Odin engine v(ID:3.1401)..
<ID:0/005> File analysis..
<ID:0/005> skip file list for home binary
<ID:0/005> Home Binary Download
<ID:0/005> Total Binary size: 250 M
<ID:0/005> SetupConnection..
<ID:0/005> Initialzation..
<ID:0/005> Get PIT for mapping..
<ID:0/005> Firmware update start..
<ID:0/005> NAND Write Start!!
<ID:0/005> SingleDownload.
<ID:0/005> modem.bin
<ID:0/005> cache.img
<ID:0/005> FAIL! (Auth)
<ID:0/005>
<ID:0/005> Complete(Write) operation failed.
<OSM> All threads completed. (succeed 0 / failed 1)

looking back at the logs above, we can see it did manage to write modem.bin over to the phone, except that it failed when it starts to write CSC contents.

Auth seems to suggest some form of authorization needed??

someone provided a solution to "FAIL! (Auth)"
nope, it doesn't work.. same error.

could be this reason,
 
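The Odin sessions posted in this thread, run through a small triage parser so the attempts can be compared by how far each one got. This is an added example, not part of the original posts and not Odin's own code; the stage and failure strings are copied from the logs above, while `triage`, `SESSIONS` and the result layout are assumed names.

```python
import re

# Odin log lines look like "<ID:0/005> message" or "<OSM> message".
LINE = re.compile(r"^<[^>]+>\s*(?P<msg>.*)$")
# Stage and failure markers, spelled exactly as in the logs quoted in this thread.
STAGES = ("File analysis..", "SetupConnection..", "Initialzation..",
          "Get PIT for mapping..", "Set PIT file..", "NAND Write Start!!")
FAILURES = ("RQT_CLOSE", "FAIL!", "Re-Partition operation failed")
IMAGE = re.compile(r"^[\w.-]+\.(bin|img)$")  # e.g. modem.bin, cache.img


def triage(log):
    """Return last stage reached, image names listed, and first failure line."""
    stage, images, failure = None, [], None
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"].strip()
        if msg in STAGES:
            stage = msg.rstrip(".!")
        elif IMAGE.match(msg):
            images.append(msg)
        elif failure is None and msg.startswith(FAILURES):
            failure = msg
    return {"stage": stage, "images": images, "failure": failure}


# Shortened transcriptions of three sessions posted in this thread.
SESSIONS = {
    "CSC with PIT": """<ID:0/005> File analysis..
<ID:0/005> SetupConnection..
<ID:0/005> Initialzation..
<ID:0/005> Set PIT file..
<ID:0/005> DO NOT TURN OFF TARGET!!
<ID:0/005> Re-Partition operation failed.""",
    "CP alone": """<ID:0/005> Get PIT for mapping..
<ID:0/005> NAND Write Start!!
<ID:0/005> modem.bin
<ID:0/005> RQT_CLOSE !!
<ID:0/005>
<ID:0/005> Complete(Write) operation failed.""",
    "CP + HOME_CSC": """<ID:0/005> Get PIT for mapping..
<ID:0/005> NAND Write Start!!
<ID:0/005> modem.bin
<ID:0/005> cache.img
<ID:0/005> FAIL! (Auth)
<ID:0/005> Complete(Write) operation failed.""",
}

if __name__ == "__main__":
    for name, log in SESSIONS.items():
        print(name, triage(log))
```

The PIT session stops at "Set PIT file" with no image listed, while both CP sessions reach "NAND Write Start" and list modem.bin before the failure line appears.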

jemfalor

seems like before ODIN is able to load the binary, it verifies the binary by checking the filename.

if you were to rename
CP_F926BXXU1AUG8_CP19728596_CL22146001_QB41578985_REV00_user_low_ship_MULTI_CERT.tar.md5
to
CP_F926U1UEU1AUG8_CP19729400_CL22146001_QB41581084_REV00_user_low_ship_MULTI_CERT.tar.md5

it will popup an error with message "md5 error! Binary is invalid"

tried extracting lz4 to modem.bin then tarring it to somename.tar
same error.
<ID:0/005> Added!!
<ID:0/005> Odin engine v(ID:3.1401)..
<ID:0/005> File analysis..
<ID:0/005> Total Binary size: 96 M
<ID:0/005> SetupConnection..
<ID:0/005> Initialzation..
<ID:0/005> Get PIT for mapping..
<ID:0/005> Firmware update start..
<ID:0/005> NAND Write Start!!
<ID:0/005> SingleDownload.
<ID:0/005> modem.bin
<ID:0/005> RQT_CLOSE !!
<ID:0/005>
<ID:0/005> Complete(Write) operation failed.
<OSM> All threads completed. (succeed 0 / failed 1)
 

jemfalor

i figured, the first step is to analyze cache.img file since it's the smallest binary of them all and for some reason the phone is able to reject the binary if it doesn't match with some internal validation logic.

1631338637851.png


if we could figure a way to re-sign the binary. whoever familiar, pls help.

i'm not sure if we could simply replace them.
offset 0x0 296 bytes, some consistent headers and some bytes are so consistent which appears to be file signature.
offset 0x338

i believe if there is validation, it probably would break with error.

validation of the boot images is probably in the bootloader
 

Top Liked Posts

  • 202
    For those looking for a modified, modded, or patched odin that is a newer build than all the fake and renamed prince comsy 3.12.3 versions floating around.

    I patch recent Odin versions to offer similar functionality to the princecomsy; in that it ignores both the sha256 fails and the model mismatches.
    - Developed and successfully tested for my verizon samsung s8 g950u to g950u1 and combination firmware packages.
    - Confirmed working on an unlocked S9+ g965U1 to VZW g965u
    - additional confirmation: G950w from G950u
    - able to flash T727R4 firmware to T727V
    - confirmed working with S21 5G from G991U to G991U1
    - flashed G998U VZW to G998U1 XAA

    Ignores and bypasses the below stop conditions:
    "FAIL! Model mismatch fail" (all PatcheD versions)
    "FAIL! SHA256 is invalid" (all PatcheD versions)
    "FAIL! Blocked carrier" (PatcheD versions >= 3.14.1)

    Be careful flashing!

    +20180313 - Added Stock odin 3.13.1 sourced from pedant87 / Added PatcheD odin v3.13.1
    +20191211 - Added PatcheD v3.13.3 and original 3.13.3 for windows, Merry Christmas!
    +2020???? - Added the only clean and original v3.14.1 for windows
    +20200216 - Added ModdeD/PatcheD 3.14.1 for windows! Supports newer phone flashing methods. A new check method for a carrier flash halt has been removed!

    Caution #1 - There are many stock/mod/patch copies floating around the internet with redirected links and other misleading claims and changes. The XDA links below are the only source for clean originals and the original 3B files.
    Caution #2 - There is a hoax 3.14.4 version of odin floating about. It appears to be version 3.14.1; same filesize, has internal resource modifications to report newer than 3.14.1, and often includes a known cloud-based client-server communication dll (cpprest141_2_10.dll). I suggest that it be avoided. It adds no additional functionality over 3.14.1.


    When you donate, and this work was helpful to you, do consider donating to this effort by using the DONATE HERE link. Thanks for your support!

    ¡BBB!
    Walking Domestic
    9
    Hey mate,
    Just a quick question / concern .. Just ran an analysis on your file here -> link
    While I can't see too many differences after unzipping your exe and running a comparison with a hex editor against your original odin you provided .. still the online analysis results do make me ask the question
    "please explain?"
    Online analysis of your original odin provided is here -> link

    Please note that Eudummy did not run reverse it on the OP attached executable file. The sha256, executable type, and file size do not match the file he tested at his provided link. I am wondering why he would test a different file with the same filename? Just a plug for reverse it? Anywho... To help calm others...

    The patches/changes are:
    Operationally I patched as indicated in the OP (encryption and model fails).
    All other changes are visual. ie. main graphic bar, version code, and url text/address.

    That is it. Simple and has helped many to flash their phones!


    ¡realBBB!
    Not Your Mate
    6
    Thanks. I wanted to firmware back to G950w from G950u using Oreo and found it. Really appreciate your hard work
    5
    Thanks, thought my firmware was bad since it wouldn't flash with the previous odin. This worked perfect. I used this to flash my galaxy s9+ from U1 to VZW.
    5
    Added 3.13.3 3B Patched to the OP. Merry Christmas!


    realBBB
    Tix Under