[TUT] How to make a custom ROM for Samsung ATIV S

[-W_O_L_F-]

This tutorial is about making a custom ROM for ATIV S or any other Samsung WP8 phone.

Samsung ROM files:

• .wp8 - main file with OS and boot
• .csc - file with regional info
• .smd - ROM for WP7 devices

All those files have (almost) the same format. I call it SMD. Old .smd file can be unpacked using this instruction, back in time smd-tool was made for it, but format changed slightly. This process was only tested on ATIV S.

CSC
.csc files aren't flashed to device, those are just containers for MBN files. And MBN files are copied to DPP during flashing process.

AS ALWAYS YOU ARE MAKING THIS ON YOUR OWN RISK! AND GOOD LUCK

Tutorial contents
Basic:

1. Making custom CSC (.mbn)
2. Extracting SMD
3. How to work with "packed" partitions
4. What to edit in ROM
5. Packing SMD

Advanced:

• Making CSC from MBN
• Making developer ROM

 

[-W_O_L_F-]

Making custom CSC (.mbn)

Software

• sam-tools
• Any tool for mounting drive images (OSFMount)
• MBN Creator

MBN Creator is a kitchen itself. It has some limitations, but creating MBNs with MBN Creator is very easy. This method is described in the end.

Unpacking CSC files

Official CSCs come in .csc files. Use smd-tool to unpack file.csc to csc_dump folder:

smd-tool /u file.csc /d csc_dump

Now mount DPP.bin and copy CSC.mbn file from it. Unmount DPP then.

\Samsung\CSC\CSC.mbn

Now use mbn-tool to extract files from csc.mbn to mbn_dump folder:

mbn-tool /u csc.mbn /d mbn_dump

Every folder in mbn_dump is for one CSC code. There are 4 files inside every folder (AUT for ex.):

• SS_AUT.ini - init values for welcome screen (first boot). Language, region, timezone and carrier.
• SS_AUT.reg - registry file.
• SS_AUT_AppInstall.provxml - PROVXML file with (and only) install app instructions.
• SS_AUT_CSC.xml - PROVXML file.

Warning! There is a size limit for any file ~50KB. MBN itself is limited to DPP free space.

Packing MBN

mbn-tool /p mbn_dump /f my.mbn /ver I8750OXXCMK2 /subver OXX

CSC version (I8750OXXCMK2) should be greater or equal to your ROM version. Otherwise it will be ignored. DOC2 CSC will work on CMK2 ROM, but not vice versa!
Warning! Official DNI and DOC ROMs don't support custom MBNs.

Using MBN Creator

You can apply predefined tweaks from 1st tab or add your own directly into files. Last tab contains MBN file properties. MBN Creator is limited to only one CSC code.
You can check your work in

MBN Creator temp

folder. Output file is CSC.mbn.

Flashing MBN with MBN Creator

1. Reboot phone into Download Mode
2. Connect to PC and install drivers
3. Copy or create CSC.mbn file
4. Press Flash, Scan
5. Choose CSC code and press Flash
6. All done. Reset phone. Perform HR if MBN didn't apply.

Warning! MBN Creator can't flash files larger than 64KB.

Flashing MBN with stock Downloader

1. Open .wp8 and .mbn files
2. Check "Select" and uncheck everything but "CSC"
3. If flasher asks you about something click NO

 

[-W_O_L_F-]

Extracting SMD

Software

• sam-tools
• Any tool for mounting drive images (OSFMount)

Unpack

Unpack file.wp8 to dump folder

smd-tool /u file.wp8 /d dump

Output example:

Partition name   NAND off N size   ROM off  R size   Part. ID Type     Status
GPT              00000000 00000800 00200C00 0000FC00 00000000 00000000 [  OK  ]
SECURE           00000800 00000800 00210800 00000400 00000001 00000000 [  OK  ]
DPP              00001000 00004000 00210C00 00800000 00000002 00000000 [  OK  ]
SBL1             00008000 00000BB7 00A10C00 0016A400 00000003 00000000 [  OK  ]
SBL2 P           00009000 00000BB7 00B7B000 0016A400 00000004 00000000 [  OK  ]
SBL3             0000A000 00000FFF 00CE5400 001F8000 00000005 00000000 [  OK  ]
UEFI S           0000B000 00001387 00EDD400 00207C00 00000006 00000000 [  OK  ]
RPM              0000D000 000003E7 010E5000 0006E400 00000007 00000000 [  OK  ]
TZ               0000E000 000003E7 01153400 0006E400 00000008 00000000 [  OK  ]
WINSECAPP        0000F000 000003FF 011C1800 0007E000 00000009 00000000 [  OK  ]
PLAT             0001A000 00003FFF 0123F800 00742800 0000000A 00000000 [  OK  ]
EFIESP           00020000 0001FFFF 01982000 0094A400 0000000B 00000000 [  OK  ]
MMOS             00046000 0002403F 022CC400 0440B800 0000000C 00000000 [  OK  ]
MainOS           0006C000 004B295F 066D7C00 61F20000 0000000D EACCE221 [  OK  ]
Data             00520000 01838FFF 685F7C00 02920000 0000000E EACCE221 [  OK  ]

Output files:

• header - header of SMD
• GPT - partition table
• PLAT, EFIESP, MMOS - partitions with FAT file system
• MainOS and Data - NTFS partitions
• other files - bootloader and other low level stuff

DPP partition isn't flashed to phone. In wp8 file it's empty.
EACCE221 means that partition is packed.

 

[-W_O_L_F-]

How to work with "packed" partitions

Software

• sam-tools
• Any tool for mounting drive images (OSFMount)

Unpack

Large zero areas are cut off from those partitions. image-rebase can restore such files.

image-rebase /u MainOS.bin /o MainOS.img

You can now mount and edit MainOS.img.
Warning! Data partition is very large and almost empty.

Pack

First of all slice image file:

image-rebase /s MainOS.img /z 2048

This command will cut off zero areas larger than 2048 sectors (1MB).
MainOS.img.xml is a template file.

Now you can glue files together using template:

image-rebase /p MainOS.bin /t MainOS.img.xml

 

[-W_O_L_F-]

What to edit in ROM

CSCMgr

This service applies MBN file. The idea is to downgrade it to CMK2 (GDR3) version. To do so replace those files:

• system32\CSCMgr.dll
• system32\CSCMgrSvc.dll
• system32\drivers\CSCMgrSvc.dll (yes, it's a copy)

FCRouter

This service is used by Samsung system tools to perform actions with high privileges. Files:

• system32\FCRouter.dll
• system32\FCRouterProxy.dll
• system32\drivers\FCRouter.dll
• system32\drivers\FCDriver.dll

Registry hives

system32\config

You can edit those hive as you want. But HR will destroy all you work.

OSRepack

It a simple tool to work with packages on mounted partitions. Available here.

SDelete

There is a tool called SDelete which can fill all free space on a drive with zeros.

sdelete -z X:

Very useful for non-developer ROMs.

 

[-W_O_L_F-]

Packing SMD

Software

• sam-tools
• Hex editor (HxD)

Pack MainOS image

image-rebase /s MainOS.img /z 2048
image-rebase /p MainOS.bin /t MainOS.img.xml

Prepare SMD header

It's not really a header but a first part of file. This file can be used as template for your later work. It contains all partitions except MainOS.

smd-tool /info file.wp8

This command will give you some info about SMD file structure. Open it in hex editor and copy all data up to MainOS ROM offset to a new file. Add Data.bin to this new file.
There are some structures at the start of file. For example:

4D 61 69 6E 4F 53 00 00 00 00 00 00 00 00 00 00
00 C0 06 00 5F 29 4B 00 00 7C FF 08 00 0E AD 61
1F 1F 1F 1F 00 00 00 00 21 E2 CC EA 00 00 00 00
2B C2 5E C9 6A 2F 0B E1 6F 1C 95 FC 49 FF E9 FD

Start and length are colored.
Warning! Those numbers are little endian (12345678 = 78 56 34 12)
Replace Data Start with MainOS Start. You can use Ctrl+C & Ctrl+B (copy and paste with replace).
Replace MainOS Start with length of this (template) file.
Save file.

Adding MainOS

Add MainOS.img to your template.
Replace MainOS Length with length (in bytes) of MainOS.bin file.
Replace 16 bytes at offset 0x50 with zeros.
Count MD5 hash of the file (HxD can do it) and write it at 0x50 (^C & ^B).
Save this file as .wp8

You can check numbers you entered with following command:

smd-tool /info custom.wp8

Warning! This .wp8 file can only be flashed with Downloader v3.54

 

[-W_O_L_F-]

Making CSC from MBN

Software

• Hex editor (HxD)

Pack

Open CSC file in HxD.
At 0x00A00C00 it has MBN file contents.
Replace it with your MBN and fill rest of the CSC with zeros.
Warning! This file can't be unpacked with this instruction because FAT is broken. You can unpack it manually.
Correct MD5 as you did for WP8 file.

Warning! This CSC can fool Downloader but not phone. New CSCMgr will still ignore custom MBN.

 

[-W_O_L_F-]

Making developer ROM

Such ROMs can be directly mounted with OSFMount.
This command will pseudo slice MainOS.img:

image-rebase /s MainOS.img /z 4000000

Entire partition will be in one piece.
If you pack SMD with this file you can mount it and edit without repacking SMD.
In OSFMount enter offset equal to MainOS ROM offset + 0x1000.
Don't forget to recalculate MD5 after edit.

 

[Heathcliff74]

OMG, WOLF! People tell me that my tutorials are too long. But you are a true match for me!! :highfive:

Congrats on this great achievement! :victory:

 

[G.moe]

Wow! Huge thanks for rewriting these tutorials in English; I wasn't expecting you to do it so soon! Can't wait to play around and to see what others come up with.

 

[spavlin]

I play around with the replacement of files FC Router + WP8 Diag on my GT-I8750 (from the SM-W750V, SPH-I800, SGH-I187, SGH-T899M), in the end everything works.
Powered mode Smart Download.

 

[-W_O_L_F-]

so I could be possible to use ATIV S version of CSCMgr on SE. And SE then will have custom MBN

 

[G.moe]

Yea, that's what I gathered from the info as well. Unfortunately I won't have time to try this out for another 4-7 days but I'll let you know if I do. And if you (or anyone else) feels like whipping it up and you need someone to try it, shoot me a PM.

 

[-W_O_L_F-]

Added info about sdelete and OSRepack to "What to edit in ROM"

 

[-W_O_L_F-]

I have an idea to record full process of ROM making and upload it on Youtube. Will it be useful?

Added poll.