[TOOL] MTD-Utils

Search This thread

_n0p_

Senior Member
Apr 9, 2009
2,560
1,833
46
Kyiv
n0p.8bit.fm
Here, i've quickly compiled three MTD utils ( git://git.infradead.org/mtd-utils.git ):
nanddump, nandwrite, flash_erase
So far tested nanddump - works :), i was wandering what's inside
--
mtd3: 00040000 00020000 "LogFilter"
mtd4: 00300000 00020000 "oem_log"
--
Nothing interesting, actually.
--
nandwrite should enable you to write boot, recovery, system and firstboot right from android system (i don't think that it's good idea, but anyway).
--
Readme:
MTD-Utils 1.5
Please use with extreme caution!
--
Streak 5, dump example for recovery:
./nanddump /dev/mtd/mtd1 -f /sdcard/mtd1
--
Our layout:
cat /proc/mtd
dev: size erasesize name
mtd0: 00500000 00020000 "boot"
mtd1: 00600000 00020000 "recovery"
mtd2: 00600000 00020000 "recovery_bak"
mtd3: 00040000 00020000 "LogFilter"
mtd4: 00300000 00020000 "oem_log"
mtd5: 00100000 00020000 "splash"
mtd6: 10400000 00020000 "system"
mtd7: 08c00000 00020000 "userdata"
--
Have fun,
Sergei (_n0p_)

(tools attached)

--
I was able to switch recovery on the fly, having /sdcard/CWM.img (CWM port by TheManii) and /sdcard/SM.img (Old and trusty StreakMod):

/system/xbin/flash_erase /dev/mtd/mtd1 0 0
/system/xbin/nandwrite /dev/mtd/mtd1 /sdcard/CWM.img
Reboot, checked if works - it does :)

Back to StreakMod:
/system/xbin/flash_erase /dev/mtd/mtd1 0 0
/system/xbin/nandwrite /dev/mtd/mtd1 /sdcard/SM.img
 

Attachments

  • mtd-utils.zip
    308.4 KB · Views: 3,111
Last edited:

citric_acid

Senior Member
Sep 10, 2012
73
10
can you please guide how to flash this
should i flash this in streakmod recovery and will it wipe my current streakmod with cwm recovery ?
 

_n0p_

Senior Member
Apr 9, 2009
2,560
1,833
46
Kyiv
n0p.8bit.fm
This zip pack should not be flashed.
This tools can operate on (at least) Streak NAND flash partitions, i.e. read, erase, write.
It contains three android binaries - you should extract them and place, preferably, into /system/xbin
Change permissions on al this files to 755 - like:
chmod 755 nanddump
Now, you should be able to flash boot(kernel) and recovery right from working Android system.
I've given an example in first post.
hunderteins, if you reading this - would you give mtd5 from your device?
I have it empty and wander what image format it should have.
 
  • Like
Reactions: (InsertNameHere)

_n0p_

Senior Member
Apr 9, 2009
2,560
1,833
46
Kyiv
n0p.8bit.fm
Where is AMSS, DSP and stuff?

What do we have on NAND (my comments are in italic):

I/PrintK ( 1): <5>Creating 8 MTD partitions on "msm_nand":
54MB hole
I/PrintK ( 1): <5>0x000003600000-0x000003b00000 : "boot"
I/PrintK ( 1): <5>0x000003b00000-0x000004100000 : "recovery"
I/PrintK ( 1): <5>0x000004100000-0x000004700000 : "recovery_bak"
I/PrintK ( 1): <5>0x000004700000-0x000004740000 : "LogFilter"
I/PrintK ( 1): <5>0x000004740000-0x000004a40000 : "oem_log"
1MB hole
I/PrintK ( 1): <5>0x000004b40000-0x000004c40000 : "splash"
35MB hole
I/PrintK ( 1): <5>0x000007000000-0x000017400000 : "system"
I/PrintK ( 1): <5>0x000017400000-0x000030000000 : "userdata" (should be 0x000020000000)
W/PrintK ( 1): <4>mtd: partition "userdata" extends beyond the end of device "msm_nand" -- size truncated to 0x8c00000

According to this article:
http://forum.xda-developers.com/showthread.php?t=542688
this areas can be regained and hmmm, altered? :)
AMSS, DSP, service tag, provider lock and some other interesting stuff could be there!
 
  • Like
Reactions: (InsertNameHere)

hunderteins

Senior Member
Sep 7, 2009
192
349
hunderteins, if you reading this - would you give mtd5 from your device?
I have it empty and wander what image format it should have.

nice one. Thanks. But my mtd5 is 1048576 times 0xff.

What is the difference between

$ cat /dev/mtd/mtd5 > /sdcard/mtd5

and

$ nanddump /dev/mtd/mtd5 -f /sdcard/mtd5

?
 
  • Like
Reactions: _n0p_

TheManii

Wiki Admin / Inactive RC
Dec 8, 2010
3,585
1,651
flash_image should be the built in way of writing to mtd and raw emmc partitions, though we rarely ever discuss flash_image

try reading the raw nand at the beginning of it, thats where its stored on emmc devices, and there is unmapped space in the beginning
54mb should be approx enough shouldnt it? (not at pc to verify file sizes of the firmwares)

you could compare to the spro's map i guess, its an emmc device, but not a qisda one.
if i had the mapping for the "streak2 5" that would be the best to compare to, but i dont

is there any way to verify the mem locations are correct? i have the exact emmc layout for the s7/s10 because nvflash provides it if asked.
but there is no standardized tool for qualcomm chips, ill assume they're correct

also: at least on filesystems you should use dd and not cat for the fact that cat drops the final byte or something to that degree.
i dont recall if it applies to yaffs2 but it should for ext, it shouldnt matter for raw mtd partitions
 

_n0p_

Senior Member
Apr 9, 2009
2,560
1,833
46
Kyiv
n0p.8bit.fm
flash_image should be the built in way of writing to mtd and raw emmc partitions, though we rarely ever discuss flash_image
try reading the raw nand at the beginning of it, thats where its stored on emmc devices, and there is unmapped space in the beginning
54mb should be approx enough shouldnt it? (not at pc to verify file sizes of the firmwares)

You see, tools operate on logical partition level (i think flash_image is a userspace tool that uses mtd partitions, same as mtd-utils).
And kernel doesn't provide a raw device for NAND (i'd love to be wrong though).
I'll try tomorrow to supply kernel an MTD table via mtdparts parameter and check ow it goes.
 

hunderteins

Senior Member
Sep 7, 2009
192
349
flash_image should be the built in way of writing to mtd and raw emmc partitions, though we rarely ever discuss flash_image

also: at least on filesystems you should use dd and not cat for the fact that cat drops the final byte or something to that degree.
i dont recall if it applies to yaffs2 but it should for ext, it shouldnt matter for raw mtd partitions

mtd devices are character devices, dd works only on block devices.

I thought apply_patch is the first choice for writing into mtd from the commandline.

there should be a kernel option near mtd in menuconfig where you can setup the mtd-layout manually on the kernel commandline. Thats where I would tinker, when I wouldn't trust atag.
 
Last edited:

_n0p_

Senior Member
Apr 9, 2009
2,560
1,833
46
Kyiv
n0p.8bit.fm
Yes, " Command line partition table parsing" enabled in kernel.
Also, MTD seems to have enabled char read/write access, that makes MTD-Utils a bit obsolete :)
OK, i'll report if i'll find something interesting.
 

hunderteins

Senior Member
Sep 7, 2009
192
349
$ dumpatags /proc/atags
read 412 bytes from /proc/atags in buffer of size 10000
0000 - 0002:54410001 ATAG CORE flags=00000004 pagesize=54420005 rootdev=21000000
0008 - 0004:54420005 ATAG INITRD2 start=21000000 size=0002b4d3
0024 - 0004:54410002 ATAG MEM size=0e800000 start=20000000
0040 - 0004:54410002 ATAG MEM size=0fe00000 start=30000000
0056 - 0058:4d534d70unknown tag
0288 - 0022:54410009 ATAG CMDLINE androidboot.hardware=streak console=ttyMSM2,115200n8 androidboot.baseband=msm
0376 - 0004:afd137cbunknown tag
0392 - 0003:54410007 ATAG REVISION revision=00000016
 

_n0p_

Senior Member
Apr 9, 2009
2,560
1,833
46
Kyiv
n0p.8bit.fm
AMSS MTD partition:
Offset: 0x6C0000, Size: 0x1360000
DSP MTD partition:
Offset: 0x1A80000, Size: 0x1060000
--
Service Tag resides in area starting on 0x360000
--
AppsBoot:
Offset: 0x1A20000, Size: 0x60000
dbl:
Offset: 0x200, Size: 0x1E000
DT:
Offset: 0x620000, Size: 0xA0000
--
Unsure of fsbl and osbl - seems like it's data intermixed with bad blocks on my device.
--
Block from 0x4c40000 contains somewhat altered amss and dsp (maybe something else).
 
Last edited:

_n0p_

Senior Member
Apr 9, 2009
2,560
1,833
46
Kyiv
n0p.8bit.fm
StreakMod recovery.

Kind of side-effect from my test:
StreakMod with replaced kernel (Phoenix, +rotated matrix).
http://n0p.8bit.fm/streak/smd.img
Works in portrait mode (interesting, looks like out matrix was rotated in kernel for 270 in kernel)., no it's different static surface flinger.
 
Last edited:
  • Like
Reactions: hunderteins

TheManii

Wiki Admin / Inactive RC
Dec 8, 2010
3,585
1,651
Could you make a dump of dt? (and which version of DT you have)

DT obviously isnt straight flashed during a stock update, wonder how it's transformed on install.
 

TheManii

Wiki Admin / Inactive RC
Dec 8, 2010
3,585
1,651
Which kernel was it that you modded for this? (I mean the exact revision), did you upload it?

I'm keen on dumping everything and attempting to do a write up on it.

I've done a device fixing guide for the S7:
[Guide][Technical]Restoring your device specific data (including Service Tag)

Context: someone uploaded an nvflash dump that also included their device specific data (imei, service tag, etc)
and dozens of people ended up with cloned devices because they blindly flashed it without understanding nvflash.

I would like to do a feasability study to see if it would be possible to restore jtagged S5's (ie ones with blanked IMEI, service tags)
I'd need multiple dumps to compare the unique data, very least we'd be able to learn a thing or three.

I'm guessing that JTAG was always able to access these sections of the nand, and that they were writing bad data to it during restore
(as the jtaggers didnt have a good copy from a working s5?)



Your DT dump is definitely different from the raw DT.img, 366 and 407's DT only differ in their dates, they're more or less byte identical.
It's likely due to DT being "installed" and not mere "extracted" (ie DT_update on stock update)
 

_n0p_

Senior Member
Apr 9, 2009
2,560
1,833
46
Kyiv
n0p.8bit.fm
It's simply a kernel parameters, altering mtd partitions - and you can take them from smd.img I published earlier. There's three unkX partitions mapped to holes in nand layout.
Or I can build a cm7 kernel with this options.
--
Seems like contents or mtd partitions are crc checksummed. Anyway, having full amss and dsp dump should enable us to write'em right on rom flashing and that's good.
 

TheManii

Wiki Admin / Inactive RC
Dec 8, 2010
3,585
1,651
For the actual firmware files, it's not important as I'm mainly interested in analyzing the device unique data.

I dont believe the unique data has any checksums, as devices can still boot with blank IMEIs and service tags,
unless it also just so happens that they took that one instance into account.

The S7's data definitely isnt checksummed, but it's a rather different platform.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 16
    Here, i've quickly compiled three MTD utils ( git://git.infradead.org/mtd-utils.git ):
    nanddump, nandwrite, flash_erase
    So far tested nanddump - works :), i was wandering what's inside
    --
    mtd3: 00040000 00020000 "LogFilter"
    mtd4: 00300000 00020000 "oem_log"
    --
    Nothing interesting, actually.
    --
    nandwrite should enable you to write boot, recovery, system and firstboot right from android system (i don't think that it's good idea, but anyway).
    --
    Readme:
    MTD-Utils 1.5
    Please use with extreme caution!
    --
    Streak 5, dump example for recovery:
    ./nanddump /dev/mtd/mtd1 -f /sdcard/mtd1
    --
    Our layout:
    cat /proc/mtd
    dev: size erasesize name
    mtd0: 00500000 00020000 "boot"
    mtd1: 00600000 00020000 "recovery"
    mtd2: 00600000 00020000 "recovery_bak"
    mtd3: 00040000 00020000 "LogFilter"
    mtd4: 00300000 00020000 "oem_log"
    mtd5: 00100000 00020000 "splash"
    mtd6: 10400000 00020000 "system"
    mtd7: 08c00000 00020000 "userdata"
    --
    Have fun,
    Sergei (_n0p_)

    (tools attached)

    --
    I was able to switch recovery on the fly, having /sdcard/CWM.img (CWM port by TheManii) and /sdcard/SM.img (Old and trusty StreakMod):

    /system/xbin/flash_erase /dev/mtd/mtd1 0 0
    /system/xbin/nandwrite /dev/mtd/mtd1 /sdcard/CWM.img
    Reboot, checked if works - it does :)

    Back to StreakMod:
    /system/xbin/flash_erase /dev/mtd/mtd1 0 0
    /system/xbin/nandwrite /dev/mtd/mtd1 /sdcard/SM.img
    4
    Could you make a dump of dt?

    These are the raw zones/partitions from the nand of a unlocked streak (GAUSB1A130500).
    Fetched with jtag and split with QualcommDumpAnalyseV1.01.exe.
    The tar-file includes:

    • MIBIB.bin - dbl.mbn
    • SIM_SECURE.bin - imei, service tag? This one is populated.
    • FSBL.bin - fsbl.mbn
    • OSBL.bin - osbl.mbn
    • RESERVED.bin - modem boot?
    • DT.bin - same as DT.img (y3.752, Test Programms, Firmware Menu)
    • MSM.cmm - zone descriptions

    Have fun,
    hunderteins
    3
    I believe it's 407.
    http://n0p.8bit.fm/streak/DT.zip (zipped just for integrity)

    you can find out the version of your DT with the following steps:
    • when streak starts, press camera-button like you want to go into fastboot.
    • on that keyboard type *#301#
    • the bottom shows the version

    on my 5treak (407, with 369 BB and DSC over it) it shows:

    DT: y3.784 Build Date: Sep 22 2011, 00:27:22

    edit: same works in fastboot mode with

    Code:
    $ fastboot -i  0x413c getvar version
    version: DT:y3.784
    finished. total time: 0.004s
    3
    Unfortunately nanddump with --noecc fails with
    cannot read 2048 bytes ...
    error 22 (invalid argument)
    right from start.
    Maybe cat would do?
    3
    seems also a good idea to backup the efs2-nandpartition at [email protected](efs2)

    there is the command flash_image in streakmod recovery, that does pretty much the same as nandwrite, but it looks into /proc/mtd and translates the mibib-names into /dev/mtd/mtd%d
    Basically you can flash recovery.img from within recovery and test them with echo -n 'recovery' > /proc/loader && reboot

    same goes for dump_image in streakmod recovery. You can get the mtd-partitions with the mibib-names.

    fastboot seems to be a really risky tool. You can even erase or overwrite sim_secure, reserved and efs2.

    I have found two more memory-areas. nv and otp. nv seems where the IMEI is stored. OTP seems a PROM-like area where IMEI is stored, too. And I think they are the reason, you can't just flash sim_secure/reserved/efs2 from a dump of an other streak. amss checks the IMEI in OTP, nv and sim_secure where sim_secure seems interlinked with a passphrase in OTP. Got it from http://git.rot13.org/?p=huawei.git;a=commitdiff;h=3e70a93cdfb4c7d7ea32d04d3263827b752ccb00

    I think nv is the reason you find a button cell battery on the pcb of the streak.

    I'd appreciate a
    # dump_image efs2 /sdcard/efs2.img
    # dump_image reserved /sdcard/reserved.img
    # dump_image sim_secure /sdcard/sim_secure.img
    from streakmod recovery with mtdparts=msm_nand:[email protected](boot),[email protected](recovery),[email protected](recovery_bak),[email protected](LogFilter),[email protected](oem_log),[email protected](splash),[email protected](system),[email protected](userdata),[email protected](sim_secure),[email protected](reserved),[email protected](efs2)

    The missing 16MB between nanddump from inside the kernel and the JTAG seems to be the oob-data. You can get it with
    nanddump -o.