[TOOL] MTD-Utils

_n0p_

Senior Member
Apr 9, 2009
2,559
1,832
0
44
Kyiv
n0p.8bit.fm
Here, I've quickly compiled three MTD utils (git://git.infradead.org/mtd-utils.git):
nanddump, nandwrite, flash_erase
So far I've tested nanddump - it works :). I was wondering what's inside
--
mtd3: 00040000 00020000 "LogFilter"
mtd4: 00300000 00020000 "oem_log"
--
Nothing interesting, actually.
--
nandwrite should enable you to write boot, recovery, system and firstboot right from the Android system (I don't think that it's a good idea, but anyway).
--
Readme:
MTD-Utils 1.5
Please use with extreme caution!
--
Streak 5, dump example for recovery:
./nanddump /dev/mtd/mtd1 -f /sdcard/mtd1
--
Our layout:
cat /proc/mtd
dev: size erasesize name
mtd0: 00500000 00020000 "boot"
mtd1: 00600000 00020000 "recovery"
mtd2: 00600000 00020000 "recovery_bak"
mtd3: 00040000 00020000 "LogFilter"
mtd4: 00300000 00020000 "oem_log"
mtd5: 00100000 00020000 "splash"
mtd6: 10400000 00020000 "system"
mtd7: 08c00000 00020000 "userdata"
--
Have fun,
Sergei (_n0p_)

(tools attached)

--
I was able to switch recovery on the fly, having /sdcard/CWM.img (CWM port by TheManii) and /sdcard/SM.img (old and trusty StreakMod):

/system/xbin/flash_erase /dev/mtd/mtd1 0 0
/system/xbin/nandwrite /dev/mtd/mtd1 /sdcard/CWM.img
Rebooted, checked if it works - it does :)

Back to StreakMod:
/system/xbin/flash_erase /dev/mtd/mtd1 0 0
/system/xbin/nandwrite /dev/mtd/mtd1 /sdcard/SM.img
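The flash_erase/nandwrite pair above has no safety net: once mtd1 is erased, an image that does not fit the partition, or a wrong /dev/mtd number, cannot be undone from the running system. The following Python is an added example (it is not from this thread and not part of mtd-utils): it parses the /proc/mtd listing shown in this post, embedded here as constructed input, and reports whether an image of a given length can be written to the named partition and how many erase blocks "flash_erase <dev> 0 0" (offset 0, block count 0 = whole partition) will wipe. All function and variable names are this example's own.

```python
"""Pre-flight check before flash_erase/nandwrite on an MTD partition.

Added example, not from the thread or from mtd-utils.  It only reads the
/proc/mtd listing (constructed below from the first post) and does arithmetic;
it never touches a device.
"""
import re

# Constructed input: the /proc/mtd listing quoted in the first post.
PROC_MTD = """dev: size erasesize name
mtd0: 00500000 00020000 "boot"
mtd1: 00600000 00020000 "recovery"
mtd2: 00600000 00020000 "recovery_bak"
mtd3: 00040000 00020000 "LogFilter"
mtd4: 00300000 00020000 "oem_log"
mtd5: 00100000 00020000 "splash"
mtd6: 10400000 00020000 "system"
mtd7: 08c00000 00020000 "userdata"
"""

# size and erasesize are hex byte counts; the name is quoted.
LINE_RE = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"$')


def parse_proc_mtd(text):
    """Return {dev: {"size": int, "erasesize": int, "name": str}}."""
    parts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # the "dev: size erasesize name" header
        dev, size, erasesize, name = m.groups()
        parts[dev] = {"size": int(size, 16),
                      "erasesize": int(erasesize, 16),
                      "name": name}
    return parts


def find_by_name(parts, name):
    """Map a partition name ("recovery") to its device ("mtd1")."""
    for dev, p in parts.items():
        if p["name"] == name:
            return dev
    raise KeyError(name)


def check_image(parts, dev, image_len):
    """Decide whether image_len bytes may be written to dev.

    Returns (ok, reasons).  ok is False when the write must not proceed;
    reasons also carries warnings that do not block the write.
    """
    p = parts[dev]
    ok, reasons = True, []
    if image_len == 0:
        ok = False
        reasons.append("empty image")
    if image_len > p["size"]:
        ok = False
        reasons.append("image (0x%x) larger than partition (0x%x)"
                       % (image_len, p["size"]))
    if image_len % p["erasesize"]:
        # Not fatal: the tail of the last erase block simply stays erased (0xff)
        reasons.append("image is not a multiple of the erase block (0x%x); "
                       "the rest of the last block stays erased" % p["erasesize"])
    return ok, reasons


def erase_blocks(parts, dev):
    """Erase blocks wiped by 'flash_erase <dev> 0 0' (offset 0, count 0 = whole partition)."""
    p = parts[dev]
    return p["size"] // p["erasesize"]


if __name__ == "__main__":
    parts = parse_proc_mtd(PROC_MTD)
    rec = find_by_name(parts, "recovery")
    print(rec, "has", erase_blocks(parts, rec), "erase blocks")
    for n in (0x600000, 0x5f0000, 0x700000):
        print(hex(n), check_image(parts, rec, n))
```

On a device the same check runs against the real file by replacing PROC_MTD with open("/proc/mtd").read() and image_len with os.path.getsize() of the image; the point is that the erase happens only after check_image() returns ok.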

_n0p_

This zip pack should not be flashed.
These tools can operate on (at least) Streak NAND flash partitions, i.e. read, erase, write.
It contains three Android binaries - you should extract them and place them, preferably, into /system/xbin.
Change permissions on all these files to 755 - like:
chmod 755 nanddump
Now you should be able to flash boot (kernel) and recovery right from a working Android system.
I've given an example in the first post.
hunderteins, if you're reading this - would you give me mtd5 from your device?
I have it empty and wonder what image format it should have.

_n0p_

Where are AMSS, DSP and stuff?

What do we have on NAND (my comments are in italic):

I/PrintK ( 1): <5>Creating 8 MTD partitions on "msm_nand":
54MB hole
I/PrintK ( 1): <5>0x000003600000-0x000003b00000 : "boot"
I/PrintK ( 1): <5>0x000003b00000-0x000004100000 : "recovery"
I/PrintK ( 1): <5>0x000004100000-0x000004700000 : "recovery_bak"
I/PrintK ( 1): <5>0x000004700000-0x000004740000 : "LogFilter"
I/PrintK ( 1): <5>0x000004740000-0x000004a40000 : "oem_log"
1MB hole
I/PrintK ( 1): <5>0x000004b40000-0x000004c40000 : "splash"
35MB hole
I/PrintK ( 1): <5>0x000007000000-0x000017400000 : "system"
I/PrintK ( 1): <5>0x000017400000-0x000030000000 : "userdata" (should be 0x000020000000)
W/PrintK ( 1): <4>mtd: partition "userdata" extends beyond the end of device "msm_nand" -- size truncated to 0x8c00000

According to this article:
http://forum.xda-developers.com/showthread.php?t=542688
these areas can be regained and hmmm, altered? :)
AMSS, DSP, service tag, provider lock and some other interesting stuff could be there!
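The holes in the map above can be recomputed from the log instead of read off by eye, and the kernel's own "size truncated to 0x8c00000" warning gives a value to cross-check against. The following Python is an added example (not from this thread): it parses the I/PrintK lines quoted in the post, embedded here as constructed input, lists every unmapped range with its size, and recomputes the clamped size of any partition whose declared end lies past the device. DEVICE_SIZE is taken from the post's own remark that the device ends at 0x000020000000; the function names are this example's own.

```python
"""Rebuild the msm_nand partition map from the boot log and find the holes.

Added example, not from the thread.  The log lines are the ones quoted in the
post (constructed inline); DEVICE_SIZE is the 0x20000000 end-of-device the
post mentions.
"""
import re

# Constructed input: the I/PrintK lines quoted in the post.
BOOT_LOG = """I/PrintK ( 1): <5>Creating 8 MTD partitions on "msm_nand":
I/PrintK ( 1): <5>0x000003600000-0x000003b00000 : "boot"
I/PrintK ( 1): <5>0x000003b00000-0x000004100000 : "recovery"
I/PrintK ( 1): <5>0x000004100000-0x000004700000 : "recovery_bak"
I/PrintK ( 1): <5>0x000004700000-0x000004740000 : "LogFilter"
I/PrintK ( 1): <5>0x000004740000-0x000004a40000 : "oem_log"
I/PrintK ( 1): <5>0x000004b40000-0x000004c40000 : "splash"
I/PrintK ( 1): <5>0x000007000000-0x000017400000 : "system"
I/PrintK ( 1): <5>0x000017400000-0x000030000000 : "userdata"
W/PrintK ( 1): <4>mtd: partition "userdata" extends beyond the end of device "msm_nand" -- size truncated to 0x8c00000
"""

DEVICE_SIZE = 0x20000000  # 512 MiB: the end of the device as stated in the post

PART_RE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"')
TRUNC_RE = re.compile(r'partition "([^"]+)" extends beyond the end of device .* '
                      r'truncated to 0x([0-9a-f]+)')


def parse_map(log):
    """Return [(name, start, end)] in log order; end is the declared end, not the clamped one."""
    parts = []
    for line in log.splitlines():
        m = PART_RE.search(line)
        if m:
            parts.append((m.group(3), int(m.group(1), 16), int(m.group(2), 16)))
    return parts


def holes(parts, device_size=DEVICE_SIZE):
    """Unmapped (start, end) ranges between consecutive partitions, sorted by offset."""
    gaps = []
    prev_end = 0
    for _name, start, end in sorted(parts, key=lambda p: p[1]):
        if start > prev_end:
            gaps.append((prev_end, start))
        prev_end = max(prev_end, min(end, device_size))  # clamp to the device
    if prev_end < device_size:
        gaps.append((prev_end, device_size))
    return gaps


def truncated(parts, device_size=DEVICE_SIZE):
    """{name: clamped size} for every partition whose declared end lies past the device."""
    return {name: device_size - start for name, start, end in parts if end > device_size}


def kernel_reported_truncations(log):
    """What the kernel itself said it clamped, to cross-check truncated()."""
    return {m.group(1): int(m.group(2), 16)
            for m in map(TRUNC_RE.search, log.splitlines()) if m}


def mib(n):
    """Bytes to MiB, as a float so the 35.75 MiB hole is not rounded away."""
    return n / (1 << 20)


if __name__ == "__main__":
    parts = parse_map(BOOT_LOG)
    for start, end in holes(parts):
        print("hole 0x%x-0x%x (%.2f MiB)" % (start, end, mib(end - start)))
    print("computed:", {k: hex(v) for k, v in truncated(parts).items()})
    print("kernel:  ", {k: hex(v) for k, v in kernel_reported_truncations(BOOT_LOG).items()})
```

The three holes come out as 54 MiB, 1 MiB and 35.75 MiB, matching the comments in the post, and the recomputed userdata size equals the kernel's 0x8c00000 warning, which is the check that confirms the device really ends at 0x20000000.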

hunderteins

Senior Member
Sep 7, 2009
192
349
0
hunderteins, if you're reading this - would you give me mtd5 from your device?
I have it empty and wonder what image format it should have.
Nice one. Thanks. But my mtd5 is 1048576 times 0xff.

What is the difference between

$ cat /dev/mtd/mtd5 > /sdcard/mtd5

and

$ nanddump /dev/mtd/mtd5 -f /sdcard/mtd5

?

TheManii

Wiki Admin / Recognized Contributor
Dec 8, 2010
3,585
1,649
0
flash_image should be the built-in way of writing to MTD and raw eMMC partitions, though we rarely ever discuss flash_image.

Try reading the raw NAND at the beginning of it; that's where it's stored on eMMC devices, and there is unmapped space in the beginning.
54MB should be approximately enough, shouldn't it? (Not at a PC to verify file sizes of the firmwares.)

You could compare to the spro's map, I guess; it's an eMMC device, but not a Qisda one.
If I had the mapping for the "streak2 5" that would be the best to compare to, but I don't.

Is there any way to verify the memory locations are correct? I have the exact eMMC layout for the S7/S10 because nvflash provides it if asked.
But there is no standardized tool for Qualcomm chips; I'll assume they're correct.

Also: at least on filesystems you should use dd and not cat, for the fact that cat drops the final byte or something to that degree.
I don't recall if it applies to yaffs2 but it should for ext; it shouldn't matter for raw MTD partitions.

_n0p_

flash_image should be the built-in way of writing to MTD and raw eMMC partitions, though we rarely ever discuss flash_image.
Try reading the raw NAND at the beginning of it; that's where it's stored on eMMC devices, and there is unmapped space in the beginning.
54MB should be approximately enough, shouldn't it? (Not at a PC to verify file sizes of the firmwares.)
You see, the tools operate on the logical partition level (I think flash_image is a userspace tool that uses MTD partitions, same as mtd-utils).
And the kernel doesn't provide a raw device for NAND (I'd love to be wrong though).
I'll try tomorrow to supply the kernel an MTD table via the mtdparts parameter and check how it goes.

hunderteins

flash_image should be the built-in way of writing to MTD and raw eMMC partitions, though we rarely ever discuss flash_image.

Also: at least on filesystems you should use dd and not cat, for the fact that cat drops the final byte or something to that degree.
I don't recall if it applies to yaffs2 but it should for ext; it shouldn't matter for raw MTD partitions.
MTD devices are character devices; dd works only on block devices.

I thought apply_patch was the first choice for writing into MTD from the command line.

There should be a kernel option near MTD in menuconfig where you can set up the MTD layout manually on the kernel command line. That's where I would tinker when I wouldn't trust the ATAGs.

_n0p_

Yes, "Command line partition table parsing" is enabled in the kernel.
Also, MTD seems to have char read/write access enabled, which makes MTD-Utils a bit obsolete :)
OK, I'll report if I find something interesting.

hunderteins

$ dumpatags /proc/atags
read 412 bytes from /proc/atags in buffer of size 10000
0000 - 0002:54410001 ATAG CORE flags=00000004 pagesize=54420005 rootdev=21000000
0008 - 0004:54420005 ATAG INITRD2 start=21000000 size=0002b4d3
0024 - 0004:54410002 ATAG MEM size=0e800000 start=20000000
0040 - 0004:54410002 ATAG MEM size=0fe00000 start=30000000
0056 - 0058:4d534d70unknown tag
0288 - 0022:54410009 ATAG CMDLINE androidboot.hardware=streak console=ttyMSM2,115200n8 androidboot.baseband=msm
0376 - 0004:afd137cbunknown tag
0392 - 0003:54410007 ATAG REVISION revision=00000016
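The dump above is a plain walk over the ATAG list: each tag is a u32 size in 32-bit words (header included) followed by a u32 tag id, and the offsets 0, 8, 24, 40, 56, 288, 376, 392 follow directly from those sizes. The following Python is an added example (not from this thread and not the dumpatags tool): it encodes a tag list constructed to mirror the dump (same ids, sizes and order; the bodies of the two unknown vendor tags are zero-filled because the dump does not show them) and parses it back, decoding the fields of the standard tags. One detail the example makes visible: the CORE tag is only 2 words long, so it has no flags/pagesize/rootdev body; the values the dump prints for it (54420005, 21000000) are the id and start of the INITRD2 tag that follows, i.e. the dumper read past the end of the tag. The parser here decodes CORE fields only when the tag is at least 5 words.

```python
"""Minimal ATAG list encoder and parser.

Added example, not from the thread.  build_atags() produces a constructed
list laid out like the dumpatags output in the post; parse_atags() walks it
by the size field exactly as a boot-time consumer would.
"""
import struct

ATAG_NONE = 0x00000000
ATAG_CORE = 0x54410001
ATAG_MEM = 0x54410002
ATAG_REVISION = 0x54410007
ATAG_CMDLINE = 0x54410009
ATAG_INITRD2 = 0x54420005
TAG_NAMES = {ATAG_NONE: "NONE", ATAG_CORE: "CORE", ATAG_MEM: "MEM",
             ATAG_REVISION: "REVISION", ATAG_CMDLINE: "CMDLINE", ATAG_INITRD2: "INITRD2"}


def encode_tag(tag_id, body=b""):
    """One ATAG: u32 size in words (header included), u32 id, body padded to a word."""
    body += b"\0" * (-len(body) % 4)
    return struct.pack("<II", 2 + len(body) // 4, tag_id) + body


def build_atags():
    """Constructed list mirroring the dump: same ids, sizes and order."""
    cmdline = b"androidboot.hardware=streak console=ttyMSM2,115200n8 androidboot.baseband=msm\0"
    return b"".join([
        encode_tag(ATAG_CORE),                                              # empty core tag: 2 words
        encode_tag(ATAG_INITRD2, struct.pack("<II", 0x21000000, 0x0002b4d3)),  # start, size
        encode_tag(ATAG_MEM, struct.pack("<II", 0x0e800000, 0x20000000)),   # size, start
        encode_tag(ATAG_MEM, struct.pack("<II", 0x0fe00000, 0x30000000)),
        encode_tag(0x4d534d70, b"\0" * 56 * 4),   # vendor tag, 58 words; body constructed (zeros)
        encode_tag(ATAG_CMDLINE, cmdline),        # 22 words: 78 bytes padded to 80
        encode_tag(0xafd137cb, b"\0" * 2 * 4),    # vendor tag, 4 words; body constructed (zeros)
        encode_tag(ATAG_REVISION, struct.pack("<I", 0x16)),
        struct.pack("<II", 0, ATAG_NONE),         # terminator carries size 0
    ])


def parse_atags(buf):
    """Walk the list by the size field and stop at ATAG_NONE.

    Returns [{"offset", "words", "name", "fields"}]; unknown ids are kept, not skipped.
    """
    tags = []
    off = 0
    while off + 8 <= len(buf):
        words, tag_id = struct.unpack_from("<II", buf, off)
        entry = {"offset": off, "words": words,
                 "name": TAG_NAMES.get(tag_id, "unknown(0x%08x)" % tag_id), "fields": {}}
        if tag_id == ATAG_NONE:
            tags.append(entry)
            break
        if words < 2 or off + words * 4 > len(buf):
            raise ValueError("bad tag size %d at offset %d" % (words, off))
        body = buf[off + 8:off + words * 4]
        f = entry["fields"]
        if tag_id == ATAG_MEM:
            f["size"], f["start"] = struct.unpack("<II", body[:8])
        elif tag_id == ATAG_INITRD2:
            f["start"], f["size"] = struct.unpack("<II", body[:8])
        elif tag_id == ATAG_CMDLINE:
            f["cmdline"] = body.split(b"\0", 1)[0].decode()
        elif tag_id == ATAG_REVISION:
            f["revision"] = struct.unpack("<I", body[:4])[0]
        elif tag_id == ATAG_CORE and words >= 5:
            # only a 5-word core tag has a body; a 2-word one must not be read past
            f["flags"], f["pagesize"], f["rootdev"] = struct.unpack("<III", body[:12])
        tags.append(entry)
        off += words * 4
    return tags


if __name__ == "__main__":
    for t in parse_atags(build_atags()):
        print("%04d - %04d:%-20s %s" % (t["offset"], t["words"], t["name"], t["fields"]))
```

To run it over a real list, replace build_atags() with open("/proc/atags", "rb").read(); the offsets printed should then match dumpatags line for line.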

_n0p_

AMSS MTD partition:
Offset: 0x6C0000, Size: 0x1360000
DSP MTD partition:
Offset: 0x1A80000, Size: 0x1060000
--
Service Tag resides in area starting on 0x360000
--
AppsBoot:
Offset: 0x1A20000, Size: 0x60000
dbl:
Offset: 0x200, Size: 0x1E000
DT:
Offset: 0x620000, Size: 0xA0000
--
Unsure of fsbl and osbl - seems like it's data intermixed with bad blocks on my device.
--
Block from 0x4c40000 contains somewhat altered amss and dsp (maybe something else).

TheManii

Could you make a dump of DT? (And which version of DT do you have?)

DT obviously isn't straight flashed during a stock update; I wonder how it's transformed on install.

TheManii

Which kernel was it that you modded for this? (I mean the exact revision.) Did you upload it?

I'm keen on dumping everything and attempting to do a write-up on it.

I've done a device fixing guide for the S7:
[Guide][Technical]Restoring your device specific data (including Service Tag)

Context: someone uploaded an nvflash dump that also included their device-specific data (IMEI, service tag, etc.)
and dozens of people ended up with cloned devices because they blindly flashed it without understanding nvflash.

I would like to do a feasibility study to see if it would be possible to restore JTAGged S5s (i.e. ones with blanked IMEI, service tags).
I'd need multiple dumps to compare the unique data; at the very least we'd be able to learn a thing or three.

I'm guessing that JTAG was always able to access these sections of the NAND, and that they were writing bad data to it during restore
(as the JTAGgers didn't have a good copy from a working S5?)

Your DT dump is definitely different from the raw DT.img; 366 and 407's DT only differ in their dates, they're more or less byte-identical.
It's likely due to DT being "installed" and not merely "extracted" (i.e. DT_update on stock update).

_n0p_

It's simply kernel parameters altering the MTD partitions - and you can take them from the smd.img I published earlier. There are three unkX partitions mapped to holes in the NAND layout.
Or I can build a CM7 kernel with these options.
--
Seems like the contents of the MTD partitions are CRC checksummed. Anyway, having a full AMSS and DSP dump should enable us to write them right on ROM flashing, and that's good.

TheManii

For the actual firmware files it's not important, as I'm mainly interested in analyzing the device-unique data.

I don't believe the unique data has any checksums, as devices can still boot with blank IMEIs and service tags,
unless it also just so happens that they took that one instance into account.

The S7's data definitely isn't checksummed, but it's a rather different platform.