GTI9300PARAM » History » Version 1
Denis 'GNUtoo' Carikli, 08/30/2020 03:43 PM
Initial import
| 1 | 1 | Denis 'GNUtoo' Carikli | h1. GTI9300PARAM |
|---|---|---|---|
| 2 | |||
| 3 | You can dump the PARAM partition for the Galaxy SIII (GT-I9300) like that: |
||
| 4 | <pre> |
||
| 5 | adb pull /dev/block/platform/dw_mmc/by-name/PARAM PARAM.img |
||
| 6 | </pre> |
||
| 7 | |||
| 8 | That file at first looks like a tar archive. |
||
| 9 | <pre> |
||
| 10 | $ file PARAM.img |
||
| 11 | PARAM.img: POSIX tar archive (GNU) |
||
| 12 | </pre> |
||
| 13 | |||
| 14 | And it indeed does contain a tarball: |
||
| 15 | <pre> |
||
| 16 | $ tar tvf PARAM.img |
||
| 17 | -rw-r--r-- se.infra/se.infra 3624 2013-11-28 13:33 adv-env.img |
||
| 18 | -rw-r--r-- se.infra/se.infra 42023 2013-11-28 13:33 ani_upload_1_kernel_panic.jpg |
||
| 19 | -rw-r--r-- se.infra/se.infra 39255 2013-11-28 13:33 ani_upload_2_cp_crash.jpg |
||
| 20 | -rw-r--r-- se.infra/se.infra 47443 2013-11-28 13:33 ani_upload_3_forced_upload.jpg |
||
| 21 | -rw-r--r-- se.infra/se.infra 10810 2013-11-28 13:33 ani_upload_4_hardware_reset.jpg |
||
| 22 | -rw-r--r-- se.infra/se.infra 11586 2013-11-28 13:33 ani_upload_4_smpl.jpg |
||
| 23 | -rw-r--r-- se.infra/se.infra 54151 2013-11-28 13:33 ani_upload_4_unknown_reset.jpg |
||
| 24 | -rw-r--r-- se.infra/se.infra 11495 2013-11-28 13:33 ani_upload_4_watchdog_reset.jpg |
||
| 25 | -rw-r--r-- se.infra/se.infra 12276 2013-11-28 13:33 ani_upload_4_wtsr.jpg |
||
| 26 | -rw-r--r-- se.infra/se.infra 9703 2013-11-28 13:33 ani_upload_4_wtsr_smpl.jpg |
||
| 27 | -rw-r--r-- se.infra/se.infra 12711 2013-11-28 13:33 ani_upload_5_user_fault.jpg |
||
| 28 | -rw-r--r-- se.infra/se.infra 19098 2013-11-28 13:33 ani_upload_6_hsic_disconnected.jpg |
||
| 29 | -rw-r--r-- se.infra/se.infra 84123 2013-11-28 13:33 download_error.jpg |
||
| 30 | -rw-r--r-- se.infra/se.infra 73061 2013-11-28 13:33 download.jpg |
||
| 31 | -rw-r--r-- se.infra/se.infra 64410 2013-11-28 13:33 logo.jpg |
||
| 32 | -rw-r--r-- se.infra/se.infra 37205 2013-11-28 13:33 lpm.jpg |
||
| 33 | -rw-r--r-- se.infra/se.infra 36572 2013-11-28 13:33 lpm_wireless.jpg |
||
| 34 | -rw-r--r-- se.infra/se.infra 91511 2013-11-28 13:33 secure_error.jpg |
||
| 35 | -rwxr-xr-x se.infra/se.infra 5851 2013-11-28 13:33 sud_0.jpg |
||
| 36 | -rwxr-xr-x se.infra/se.infra 2713 2013-11-28 13:33 sud_1.jpg |
||
| 37 | -rwxr-xr-x se.infra/se.infra 5634 2013-11-28 13:33 sud_2.jpg |
||
| 38 | -rwxr-xr-x se.infra/se.infra 6292 2013-11-28 13:33 sud_3.jpg |
||
| 39 | -rwxr-xr-x se.infra/se.infra 4604 2013-11-28 13:33 sud_4.jpg |
||
| 40 | -rwxr-xr-x se.infra/se.infra 5706 2013-11-28 13:33 sud_5.jpg |
||
| 41 | -rwxr-xr-x se.infra/se.infra 6792 2013-11-28 13:33 sud_6.jpg |
||
| 42 | -rwxr-xr-x se.infra/se.infra 3885 2013-11-28 13:33 sud_7.jpg |
||
| 43 | -rwxr-xr-x se.infra/se.infra 6826 2013-11-28 13:33 sud_8.jpg |
||
| 44 | -rwxr-xr-x se.infra/se.infra 6528 2013-11-28 13:33 sud_9.jpg |
||
| 45 | -rw-r--r-- se.infra/se.infra 168616 2013-11-28 13:33 warning.jpg |
||
| 46 | </pre> |
||
| 47 | |||
| 48 | The size of the PARAM.img file is exactly 8MiB: |
||
| 49 | <pre> |
||
| 50 | $ ls -lah PARAM.img |
||
| 51 | [...] 8.0M [...] PARAM.img |
||
| 52 | $ ls -la PARAM.img |
||
| 53 | [...] 8388608 [...] PARAM.img |
||
| 54 | </pre> |
||
| 55 | |||
| 56 | And we can get the size of the tarball with --totals: |
||
| 57 | <pre> |
||
| 58 | $ man tar |
||
| 59 | [...] |
||
| 60 | --totals[=SIGNAL] |
||
| 61 | Print total bytes after processing the archive. [...] |
||
| 62 | </pre> |
||
| 63 | |||
| 64 | For example: |
||
| 65 | <pre> |
||
| 66 | $ tar --totals -tf PARAM.img |
||
| 67 | adv-env.img |
||
| 68 | [many files] |
||
| 69 | warning.jpg |
||
| 70 | Total bytes read: 911360 (890KiB, 286MiB/s) |
||
| 71 | </pre> |
||
| 72 | |||
| 73 | So here the tarball terminates way beyond the end. |
||
| 74 | |||
| 75 | 911360 is 0xde800: |
||
| 76 | <pre> |
||
| 77 | $ python |
||
| 78 | [...] |
||
| 79 | >>> hex(911360) |
||
| 80 | '0xde800' |
||
| 81 | </pre> |
||
| 82 | |||
| 83 | But we still have things after the tarball: |
||
| 84 | <pre> |
||
| 85 | $ hexdump -C PARAM.img |
||
| 86 | 000dd4a0 05 00 14 00 50 07 ff d9 00 00 00 00 00 00 00 00 |....P...........| |
||
| 87 | 000dd4b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| |
||
| 88 | * |
||
| 89 | 00700000 03 00 fe ca 00 01 00 00 00 00 00 00 00 00 00 00 |................| |
||
| 90 | 00700010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| |
||
| 91 | * |
||
| 92 | 00700200 00 00 00 00 03 00 00 00 4c 4f 00 00 00 00 00 00 |........LO......| |
||
| 93 | 00700210 00 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00 |................| |
||
| 94 | 00700220 00 00 00 00 00 00 00 00 63 6f 6e 73 6f 6c 65 3d |........console=| |
||
| 95 | 00700230 72 61 6d 20 6c 6f 67 6c 65 76 65 6c 3d 34 00 00 |ram loglevel=4..| |
||
| 96 | 00700240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| |
||
| 97 | * |
||
| 98 | 00700e20 00 00 00 00 00 00 00 00 ff ff ff ff ff ef 7f ff |................| |
||
| 99 | 00700e30 ff ff f7 ff ff ff f7 ff ff fe ff ff ff ff 7f ff |................| |
||
| 100 | 00700e40 fb ef ff ff ff fb ff df ff ff ff ff ff ff ff ff |................| |
||
| 101 | 00700e50 df bf ff ff 7f ef f7 ff f7 ff ff ff ff fe ff ff |................| |
||
| 102 | 00700e60 ff ff ff ff ef fb ff ef ff fb ff ff fd ff f7 ef |................| |
||
| 103 | 00700e70 ff ff ff ff f5 ff ff ff ff ff ff ff ff ff ff ff |................| |
||
| 104 | 00700e80 ff ff ff fe ff ef ff ff ff bf fd ff ff ff ff ff |................| |
||
| 105 | 00700e90 ff ff ff ff ff ff f7 fb ff ff ff eb ff ff ff eb |................| |
||
| 106 | 00700ea0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fb |................| |
||
| 107 | 00700eb0 ff ff ff ff ff ff ff ff ff ff ff df ff ff ff ff |................| |
||
| 108 | 00700ec0 ff ff ff ff ff ff f7 ff ff ff ff ff ff ff ff ff |................| |
||
| 109 | 00700ed0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fb |................| |
||
| 110 | 00700ee0 df ff ff ff ff ff ff ff ff ff ff ff ff ff d7 ff |................| |
||
| 111 | 00700ef0 ff ff ff af ff ff ff fe ff ff ff ff ff ff ff ff |................| |
||
| 112 | 00700f00 ff ef ff ff ff 7f ff ff ff df ff ff f7 ff ff ff |................| |
||
| 113 | 00700f10 ff ff ff ff ff ff ff ff ff ff ff ef ff ff f7 ff |................| |
||
| 114 | 00700f20 ff ff ff ff ff ff ff ff ff fe ef ff ff ef fb df |................| |
||
| 115 | 00700f30 ff ff ff ff ff fb ff ff ff ff ff ff ff ff ff ff |................| |
||
| 116 | 00700f40 ff ff f5 ff ff ff ff fb ff ff ff ff ff ff ff ff |................| |
||
| 117 | 00700f50 fb ff ff fb fd ff ff ff ff ff ff ff ff ff ff ff |................| |
||
| 118 | 00700f60 f7 ff ff ef f7 ff ff ef ff ff ff ff ff 9e ff fd |................| |
||
| 119 | 00700f70 ff ff ff ff fb ff ff de f3 fb ff ff ff ef df ff |................| |
||
| 120 | 00700f80 ff ff ff ff ff fb ff bf ff ff ff ff ff ff ff fd |................| |
||
| 121 | 00700f90 ff fe f7 fe ff eb ff ff ff fb ff ff df ff ff ff |................| |
||
| 122 | 00700fa0 df ff ff ff ff ff ff ff ff ff fb ff ff ff ff fb |................| |
||
| 123 | 00700fb0 ff ff ff df ff ff ff ff fe fe fe ff ff f7 ff ff |................| |
||
| 124 | 00700fc0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fb |................| |
||
| 125 | 00700fd0 fd ff ff ff ff fd ff ff ff ff ff ff fe ff ff ff |................| |
||
| 126 | 00700fe0 ff ff df ff ff ff ff fb ff ff ff ff ff ff ff ff |................| |
||
| 127 | 00700ff0 ff f7 df ff ff ff ff ff ff ff ff ff ff ff ff ff |................| |
||
| 128 | 00701000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| |
||
| 129 | * |
||
| 130 | 007ffc00 d4 ad 55 ff 52 e9 ed 4c f8 d1 9c 08 79 b6 e9 6c |..U.R..L....y..l| |
||
| 131 | 007ffc10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| |
||
| 132 | * |
||
| 133 | 00800000 |
||
| 134 | </pre> |
||
| 135 | |||
| 136 | Questions: |
||
| 137 | * Can we ignore what is after the tarball and grow it to 8MiB? |
||
| 138 | * Does what's after contains encrypted data for the bootloader? |