Revision 14 (Denis 'GNUtoo' Carikli, 01/31/2022 08:36 PM) → Revision 15/19 (Denis 'GNUtoo' Carikli, 01/31/2022 08:50 PM)

{{toc}} 

 h1. GTI9300PARAM 

 

 h2. Structure 

 | Start (included) | End (included) | Content                                                    | 
 | 0x000000           | 0x0de800 - 1     | [[GTI9300PARAM#Tarball|Tarball]]                           | 
 | around 0x000228    | ?                | [[GTI9300PARAM#Kernel command line|Kernel command line]] | 
 | 0x700204           | 0x700204         | [[GTI9300PARAM#USB switch|USB switch]] 
                                       @0x00@: MODEM USB routed to the USB connector 
                                       @0x01@: SOC USB routed to the USB connector                | 
 | 0x700208           | 0x700208         | [[GTI9300PARAM#Modem debug level|Modem debug level]] 
                                       @LO@: Modem debug level set to @LOW@ 
                                       @MI@: Modem debug level set to @MEDIUM@ 
                                       @HI@: Modem debug level set to @HIGH@                      | 
 | 0x7FFC00           | 0x7FFC0F         | [[GTI9300PARAM#Modem debug level|checksum]] | 

 

 h2. Tarball 

 You can dump the PARAM partition for the Galaxy SIII (GT-I9300) like this: 
 <pre> 
 adb pull /dev/block/platform/dw_mmc/by-name/PARAM PARAM.img 
 </pre> 

 That file at first looks like a tar archive. 
 <pre> 
 $ file PARAM.img 
 PARAM.img: POSIX tar archive (GNU) 
 </pre> 

 And it indeed does contain a tarball: 
 <pre> 
 $ tar tvf PARAM.img 
 -rw-r--r-- se.infra/se.infra 3624 2013-11-28 13:33 adv-env.img 
 -rw-r--r-- se.infra/se.infra 42023 2013-11-28 13:33 ani_upload_1_kernel_panic.jpg 
 -rw-r--r-- se.infra/se.infra 39255 2013-11-28 13:33 ani_upload_2_cp_crash.jpg 
 -rw-r--r-- se.infra/se.infra 47443 2013-11-28 13:33 ani_upload_3_forced_upload.jpg 
 -rw-r--r-- se.infra/se.infra 10810 2013-11-28 13:33 ani_upload_4_hardware_reset.jpg 
 -rw-r--r-- se.infra/se.infra 11586 2013-11-28 13:33 ani_upload_4_smpl.jpg 
 -rw-r--r-- se.infra/se.infra 54151 2013-11-28 13:33 ani_upload_4_unknown_reset.jpg 
 -rw-r--r-- se.infra/se.infra 11495 2013-11-28 13:33 ani_upload_4_watchdog_reset.jpg 
 -rw-r--r-- se.infra/se.infra 12276 2013-11-28 13:33 ani_upload_4_wtsr.jpg 
 -rw-r--r-- se.infra/se.infra    9703 2013-11-28 13:33 ani_upload_4_wtsr_smpl.jpg 
 -rw-r--r-- se.infra/se.infra 12711 2013-11-28 13:33 ani_upload_5_user_fault.jpg 
 -rw-r--r-- se.infra/se.infra 19098 2013-11-28 13:33 ani_upload_6_hsic_disconnected.jpg 
 -rw-r--r-- se.infra/se.infra 84123 2013-11-28 13:33 download_error.jpg 
 -rw-r--r-- se.infra/se.infra 73061 2013-11-28 13:33 download.jpg 
 -rw-r--r-- se.infra/se.infra 64410 2013-11-28 13:33 logo.jpg 
 -rw-r--r-- se.infra/se.infra 37205 2013-11-28 13:33 lpm.jpg 
 -rw-r--r-- se.infra/se.infra 36572 2013-11-28 13:33 lpm_wireless.jpg 
 -rw-r--r-- se.infra/se.infra 91511 2013-11-28 13:33 secure_error.jpg 
 -rwxr-xr-x se.infra/se.infra    5851 2013-11-28 13:33 sud_0.jpg 
 -rwxr-xr-x se.infra/se.infra    2713 2013-11-28 13:33 sud_1.jpg 
 -rwxr-xr-x se.infra/se.infra    5634 2013-11-28 13:33 sud_2.jpg 
 -rwxr-xr-x se.infra/se.infra    6292 2013-11-28 13:33 sud_3.jpg 
 -rwxr-xr-x se.infra/se.infra    4604 2013-11-28 13:33 sud_4.jpg 
 -rwxr-xr-x se.infra/se.infra    5706 2013-11-28 13:33 sud_5.jpg 
 -rwxr-xr-x se.infra/se.infra    6792 2013-11-28 13:33 sud_6.jpg 
 -rwxr-xr-x se.infra/se.infra    3885 2013-11-28 13:33 sud_7.jpg 
 -rwxr-xr-x se.infra/se.infra    6826 2013-11-28 13:33 sud_8.jpg 
 -rwxr-xr-x se.infra/se.infra    6528 2013-11-28 13:33 sud_9.jpg 
 -rw-r--r-- se.infra/se.infra 168616 2013-11-28 13:33 warning.jpg 
 </pre> 

 The size of the PARAM.img file is exactly 8MiB: 
 <pre> 
 $ ls -lah PARAM.img 
 [...] 8.0M [...] PARAM.img 
 $ ls -la PARAM.img 
 [...] 8388608 [...] PARAM.img 
 </pre> 

 And we can get the size of the tarball with --totals: 
 <pre> 
 $ man tar 
   [...] 
   --totals[=SIGNAL] 
          Print    total bytes after processing the archive. [...] 
 </pre> 

 For example: 
 <pre> 
 $ tar --totals -tf PARAM.img 
 adv-env.img 
 [many files] 
 warning.jpg 
 Total bytes read: 911360 (890KiB, 286MiB/s) 
 </pre> 

 So here the tarball terminates way before the end of the PARAM.img file. 

 911360 is 0xde800: 
 <pre> 
 $ python 
 [...] 
 >>> hex(911360) 
 '0xde800' 
 </pre> 

 But we still have things after the tarball: 
 <pre> 
 $ hexdump -C PARAM.img 
 000dd4a0    05 00 14 00 50 07 ff d9    00 00 00 00 00 00 00 00    |....P...........| 
 000dd4b0    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00700000    03 00 fe ca 00 01 00 00    00 00 00 00 00 00 00 00    |................| 
 00700010    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00700200    00 00 00 00 03 00 00 00    4c 4f 00 00 00 00 00 00    |........LO......| 
 00700210    00 00 00 00 03 00 00 00    01 00 00 00 00 00 00 00    |................| 
 00700220    00 00 00 00 00 00 00 00    63 6f 6e 73 6f 6c 65 3d    |........console=| 
 00700230    72 61 6d 20 6c 6f 67 6c    65 76 65 6c 3d 34 00 00    |ram loglevel=4..| 
 00700240    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00700e20    00 00 00 00 00 00 00 00    ff ff ff ff ff ef 7f ff    |................| 
 00700e30    ff ff f7 ff ff ff f7 ff    ff fe ff ff ff ff 7f ff    |................| 
 00700e40    fb ef ff ff ff fb ff df    ff ff ff ff ff ff ff ff    |................| 
 00700e50    df bf ff ff 7f ef f7 ff    f7 ff ff ff ff fe ff ff    |................| 
 00700e60    ff ff ff ff ef fb ff ef    ff fb ff ff fd ff f7 ef    |................| 
 00700e70    ff ff ff ff f5 ff ff ff    ff ff ff ff ff ff ff ff    |................| 
 00700e80    ff ff ff fe ff ef ff ff    ff bf fd ff ff ff ff ff    |................| 
 00700e90    ff ff ff ff ff ff f7 fb    ff ff ff eb ff ff ff eb    |................| 
 00700ea0    ff ff ff ff ff ff ff ff    ff ff ff ff ff ff ff fb    |................| 
 00700eb0    ff ff ff ff ff ff ff ff    ff ff ff df ff ff ff ff    |................| 
 00700ec0    ff ff ff ff ff ff f7 ff    ff ff ff ff ff ff ff ff    |................| 
 00700ed0    ff ff ff ff ff ff ff ff    ff ff ff ff ff ff ff fb    |................| 
 00700ee0    df ff ff ff ff ff ff ff    ff ff ff ff ff ff d7 ff    |................| 
 00700ef0    ff ff ff af ff ff ff fe    ff ff ff ff ff ff ff ff    |................| 
 00700f00    ff ef ff ff ff 7f ff ff    ff df ff ff f7 ff ff ff    |................| 
 00700f10    ff ff ff ff ff ff ff ff    ff ff ff ef ff ff f7 ff    |................| 
 00700f20    ff ff ff ff ff ff ff ff    ff fe ef ff ff ef fb df    |................| 
 00700f30    ff ff ff ff ff fb ff ff    ff ff ff ff ff ff ff ff    |................| 
 00700f40    ff ff f5 ff ff ff ff fb    ff ff ff ff ff ff ff ff    |................| 
 00700f50    fb ff ff fb fd ff ff ff    ff ff ff ff ff ff ff ff    |................| 
 00700f60    f7 ff ff ef f7 ff ff ef    ff ff ff ff ff 9e ff fd    |................| 
 00700f70    ff ff ff ff fb ff ff de    f3 fb ff ff ff ef df ff    |................| 
 00700f80    ff ff ff ff ff fb ff bf    ff ff ff ff ff ff ff fd    |................| 
 00700f90    ff fe f7 fe ff eb ff ff    ff fb ff ff df ff ff ff    |................| 
 00700fa0    df ff ff ff ff ff ff ff    ff ff fb ff ff ff ff fb    |................| 
 00700fb0    ff ff ff df ff ff ff ff    fe fe fe ff ff f7 ff ff    |................| 
 00700fc0    ff ff ff ff ff ff ff ff    ff ff ff ff ff ff ff fb    |................| 
 00700fd0    fd ff ff ff ff fd ff ff    ff ff ff ff fe ff ff ff    |................| 
 00700fe0    ff ff df ff ff ff ff fb    ff ff ff ff ff ff ff ff    |................| 
 00700ff0    ff f7 df ff ff ff ff ff    ff ff ff ff ff ff ff ff    |................| 
 00701000    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 007ffc00    d4 ad 55 ff 52 e9 ed 4c    f8 d1 9c 08 79 b6 e9 6c    |..U.R..L....y..l| 
 007ffc10    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00800000 
 </pre> 

 Questions: 
 * Can we ignore what is after the tarball and grow it to 8MiB? 
 * Does what's after the tarball contain encrypted data for the bootloader? 

 h3. adv-env.img 

 Here's the content of the adv-env.img file: 
 <pre> 
 $ hexdump -C adv-env.img 
 00000000    03 00 fe ca 00 01 00 00    00 00 00 00 00 00 00 00    |................| 
 00000010    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00000200    04 00 00 00 01 00 00 00    4c 4f 00 00 00 00 00 00    |........LO......| 
 00000210    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 00000220    00 00 00 00 00 00 00 00    63 6f 6e 73 6f 6c 65 3d    |........console=| 
 00000230    72 61 6d 20 6c 6f 67 6c    65 76 65 6c 3d 34 00 00    |ram loglevel=4..| 
 00000240    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00000e20    00 00 00 00 00 00 00 00                             |........| 
 00000e28 
 </pre> 

 Questions: 
 * Why are the kernel parameters repeated again after the end of the tarball? 
 * Where are the updated kernel parameters stored? 
 * Are the default and in-use kernel parameters stored at different locations? 

 h2. Kernel command line 

 *Default kernel command line*: @console=ram loglevel=4@ 

 Test: 
 * change to @console=ram loglevel=8@ through the bootloader setenv command 
 * run saveenv 
 * reboot and validate that it's really changed with printenv 
 * observe the results on the filesystem 

 See [[MidasBootloader]] for more details on how to change the command line parameters. 

 After changing the environment variable, we still have loglevel=4 in the adv-env.img file that is in the tarball: 
 <pre> 
 $ hexdump -C adv-env.img 
 00000000    03 00 fe ca 00 01 00 00    00 00 00 00 00 00 00 00    |................| 
 00000010    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00000200    04 00 00 00 01 00 00 00    4c 4f 00 00 00 00 00 00    |........LO......| 
 00000210    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 00000220    00 00 00 00 00 00 00 00    63 6f 6e 73 6f 6c 65 3d    |........console=| 
 00000230    72 61 6d 20 6c 6f 67 6c    65 76 65 6c 3d 34 00 00    |ram loglevel=4..| 
 00000240    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 00000e20    00 00 00 00 00 00 00 00                             |........| 
 00000e28 
 </pre> 
 So these must be the default parameters. 

 And the actual kernel parameters were instead saved after the tarball: 
 <pre> 
 $ hexdump -C PARAM.img 
 * 
 00700200    00 00 00 00 03 00 00 00    4c 4f 00 00 00 00 00 00    |........LO......| 
 00700210    00 00 00 00 03 00 00 00    01 00 00 00 00 00 00 00    |................| 
 00700220    00 00 00 00 00 00 00 00    63 6f 6e 73 6f 6c 65 3d    |........console=| 
 00700230    72 61 6d 20 6c 6f 67 6c    65 76 65 6c 3d 38 00 00    |ram loglevel=8..| 
 00700240    00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    |................| 
 * 
 </pre> 


 *Results:* 
 * Since the s-boot 4.0 bootloader on several Exynos 4412 devices (GT-I9300, GT-I9305, GT-N7100, GT-N7105) doesn't take the boot.img kernel parameters into account, we can try to change them by editing the part of PARAM.img that comes after the tarball. 
 * There is valuable info after the tarball => don't make the tarball grow too much. 

 h2. USB switch 

 On a GT-I9300, if I set the address @0x00700204@ to @00@, it switches the USB to the modem's USB, and @Bus 002 Device 095: ID 1519:0020 Comneon HSIC Device@ appears when connecting the GT-I9300 to a computer. 

 When I set it back to @01@, I can have ADB again. 

 Here's the diff: 
 <pre> 
 $ vbindiff PARAM.img PARAM.img.new 
 PARAM.img 
 0070 0204: 00 00 00 00 4C 4F 00 00    00 00 00 00 00 00 00 00    ....LO.. ........   
 0070 0214: 03 00 00 00 01 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0224: 00 00 00 00 63 6F 6E 73    6F 6C 65 3D 72 61 6D 20    ....cons ole=ram    
 0070 0234: 6C 6F 67 6C 65 76 65 6C    3D 38 00 00 00 00 00 00    loglevel =8......   
 0070 0244: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0254: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0264: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0274: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0284: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0294: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02A4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02B4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02C4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02D4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02E4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02F4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 PARAM.img.new                                                                    
 0070 0204: 01 00 00 00 4C 4F 00 00    00 00 00 00 00 00 00 00    ....LO.. ........   
 0070 0214: 03 00 00 00 01 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0224: 00 00 00 00 63 6F 6E 73    6F 6C 65 3D 72 61 6D 20    ....cons ole=ram    
 0070 0234: 6C 6F 67 6C 65 76 65 6C    3D 38 00 00 00 00 00 00    loglevel =8......   
 0070 0244: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0254: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0264: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0274: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0284: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0294: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02A4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02B4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02C4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02D4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02E4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02F4: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 ┌──────────────────────────────────────────────────────────────────────────────┐ 
 │Arrow keys move    F find        RET next difference    ESC quit    T move top          │ 
 │C ASCII/EBCDIC     E edit file     G goto position        Q quit    B move bottom       │ 
 └──────────────────────────────────────────────────────────────────────────────┘ 
 </pre> 

 At the next boot the s-boot bootloader will then configure the USB switch to connect to the modem USB. 

 You can also get that behavior with the stock OS if you go to the phone application and enter @*#7284#@ and set @USB@ to 
 @MODEM@ and then click on the @SAVE and RESET@ button. It will then reboot the phone automatically. 

 Note that in both cases (when doing it manually with Replicant or through the stock OS): 
 * ADB will not work anymore in Replicant, the recovery and the stock OS 
 * Heimdall may not work anymore 
 so you need a plan to be able to recover from it. 

 If you run the stock OS, you can't count on recoveries, as it tends to replace them with its own recovery, but you can still use @*#7284#@ to change @USB@ back to @PDA@ instead of @MODEM@. 

 With Replicant, you can enable the terminal, adb and root for adb and applications in the developer settings. Once that is done, you can get root with @su@ in the terminal application and then type the following command to enable adb again: 
 <pre> 
 echo PDA > /sys/devices/virtual/sec/switch/usb_sel 
 </pre> 
 As this command is only temporary (until the next reboot), you'll have to edit the @PARAM@ partition again and copy the modified @PARAM@ image to the @PARAM@ partition with @dd@. 

 h2. Modem debug level 

 In the stock OS, if we go to the phone application, dial @*#9900#@ and change the @Debug Level Enabled@ setting (@LOW@, @MEDIUM@ and @HIGH@ are available), the PARAM partition will be modified (and then the phone will be rebooted). 

 Here we switched the setting from @LOW@ to @MEDIUM@, and it produces a difference at @0x700208@: 
 <pre> 
 $ vbindiff low-2/PARAM.img medium-2/PARAM.img 
 low-2/PARAM.img                                                                  
 0070 0208: 4C 4F 00 00 00 00 00 00    00 00 00 00 03 00 00 00    LO...... ........   
 0070 0218: 01 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0228: 63 6F 6E 73 6F 6C 65 3D    72 61 6D 20 6C 6F 67 6C    console= ram logl   
 0070 0238: 65 76 65 6C 3D 38 00 00    00 00 00 00 00 00 00 00    evel=8.. ........   
 0070 0248: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0258: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0268: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0278: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0288: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0298: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02A8: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02B8: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02C8: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02D8: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02E8: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02F8: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 medium-2/PARAM.img                                                               
 0070 0208: 4D 49 00 00 00 00 00 00    00 00 00 00 03 00 00 00    MI...... ........   
 0070 0218: 01 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0228: 63 6F 6E 73 6F 6C 65 3D    72 61 6D 20 6C 6F 67 6C    console= ram logl   
 0070 0238: 65 76 65 6C 3D 38 00 00    00 00 00 00 00 00 00 00    evel=8.. ........   
 0070 0248: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0258: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0268: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0278: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0288: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0298: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02A8: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02B8: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02C8: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02D8: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02E8: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02F8: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 ┌──────────────────────────────────────────────────────────────────────────────┐ 
 │Arrow keys move    F find        RET next difference    ESC quit    T move top          │ 
 │C ASCII/EBCDIC     E edit file     G goto position        Q quit    B move bottom       │ 
 └──────────────────────────────────────────────────────────────────────────────┘ 
 </pre> 

 And here's what happens when switching from @MEDIUM@ to @HIGH@: 
 <pre> 
 $ vbindiff medium-2/PARAM.img high-1/PARAM.img 
 medium-2/PARAM.img                                                               
 0070 0200: 00 00 00 00 01 00 00 00    4D 49 00 00 00 00 00 00    ........ MI......   
 0070 0210: 00 00 00 00 03 00 00 00    01 00 00 00 00 00 00 00    ........ ........   
 0070 0220: 00 00 00 00 00 00 00 00    63 6F 6E 73 6F 6C 65 3D    ........ console=   
 0070 0230: 72 61 6D 20 6C 6F 67 6C    65 76 65 6C 3D 38 00 00    ram logl evel=8..   
 0070 0240: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0250: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0260: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0270: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0280: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0290: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02A0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02B0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02C0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02D0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02E0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02F0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 high-1/PARAM.img                                                                 
 0070 0200: 00 00 00 00 01 00 00 00    48 49 00 00 00 00 00 00    ........ HI......   
 0070 0210: 00 00 00 00 03 00 00 00    01 00 00 00 00 00 00 00    ........ ........   
 0070 0220: 00 00 00 00 00 00 00 00    63 6F 6E 73 6F 6C 65 3D    ........ console=   
 0070 0230: 72 61 6D 20 6C 6F 67 6C    65 76 65 6C 3D 38 00 00    ram logl evel=8..   
 0070 0240: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0250: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0260: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0270: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0280: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 0290: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02A0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02B0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02C0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02D0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02E0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 0070 02F0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 ┌──────────────────────────────────────────────────────────────────────────────┐ 
 │Arrow keys move    F find        RET next difference    ESC quit    T move top          │ 
 │C ASCII/EBCDIC     E edit file     G goto position        Q quit    B move bottom       │ 
 └──────────────────────────────────────────────────────────────────────────────┘ 
 </pre> 

 Unfortunately in both cases, it also changes what appears to be a checksum: 
 <pre> 
 $ vbindiff medium-2/PARAM.img high-1/PARAM.img 
 medium-2/PARAM.img                                                               
 007F FC00: 0D 4D 03 C0 FD 5C A8 D1    2B 14 25 76 03 51 C5 27    .M...\.. +.%v.Q.'   
 007F FC10: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC20: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC30: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC40: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC50: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC60: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC70: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC80: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC90: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FCA0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FCB0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FCC0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FCD0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FCE0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FCF0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 high-1/PARAM.img                                                                 
 007F FC00: 67 39 08 85 9C 4A FE B8    65 47 9C C8 BB 95 DF B7    g9...J.. eG......   
 007F FC10: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC20: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC30: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC40: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC50: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC60: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC70: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC80: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FC90: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FCA0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FCB0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FCC0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FCD0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FCE0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 007F FCF0: 00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ........ ........   
 ┌──────────────────────────────────────────────────────────────────────────────┐ 
 │Arrow keys move    F find        RET next difference    ESC quit    T move top          │ 
 │C ASCII/EBCDIC     E edit file     G goto position        Q quit    B move bottom       │ 
 └──────────────────────────────────────────────────────────────────────────────┘ 
 </pre> 

 To capture that I had to: 
 * Set the desired setting (through the phone application after dialing @*#9900#@) and let it reboot 
 * Then shut down the phone 
 * Then boot into the download mode 
 * Then flash a Replicant recovery with root to @BOOT@ (do not flash it to RECOVERY) 
 * Then dump the PARAM partition 
 * Then reboot to the bootloader 
 * Then flash back the stock OS BOOT 

 If for some reason I rebooted to the RECOVERY partition, the setting would be changed back to @LOW@ (this was verified by dialing @*#9900#@ and then looking at the setting value without changing it). 

 h2. See also 

 * The [[AcademicPapersAndPresentations#Forensics-acquisition-Analysis-and-circumvention-of-samsung-secure-boot-enforced-common-criteria-mode|Forensics acquisition - Analysis and circumvention of samsung secure boot enforced common criteria mode]] paper has some information about the PARAM partition, but it's mostly interested in MDM settings.